From: Tobias Brunner Date: Mon, 20 Sep 2021 14:31:33 +0000 (+0200) Subject: openssl: Remove workaround for Brainpool ECDH curves for older OpenSSL versions X-Git-Tag: 5.9.4dr3~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c463a14483dfb7a740d68510d6cfc06a10c84b10;p=thirdparty%2Fstrongswan.git openssl: Remove workaround for Brainpool ECDH curves for older OpenSSL versions Using the workaround with the EVP interface, which we use to derive shared keys since 74e02ff5e624 ("openssl: Mainly use EVP interface for ECDH"), would actually require us to register the OIDs of these curves as NID. Otherwise, the two EC_GROUPs used by private and public key objects are not considered the same and the key derivation fails. Since the curves are supported by OpenSSL since 1.0.2 it's probably rare to find a version without them nowadays. One exception is the old BoringSSL version we still use on Android, which defines the NIDs but not the curve data. However, that version also lacks support to register OIDs as NIDs, so the only option to support these groups there would be to got back to not using the EVP interface, which isn't in anyone's interest. If there really is a need for them there, we could probably patch BoringSSL or use OpenSSL. --- diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index 9fb334c081..de0d94a3e5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -327,278 +327,6 @@ METHOD(diffie_hellman_t, destroy, void, free(this); } -/** - * ECC Brainpool curves are not available in OpenSSL releases < 1.0.2, but we - * don't check the version in case somebody backported them. - * - * BoringSSL defines the constants but not the curves. - */ -#if (!defined(NID_brainpoolP224r1) || !defined(NID_brainpoolP256r1) || \ - !defined(NID_brainpoolP384r1) || !defined(NID_brainpoolP512r1) || \ - defined(OPENSSL_IS_BORINGSSL)) - -/** - * Parameters for ECC Brainpool curves - */ -typedef struct { - /** DH group */ - diffie_hellman_group_t group; - - /** The prime p specifying the base field */ - const chunk_t p; - - /** Coefficient a of the elliptic curve E: y^2 = x^3 + ax + b (mod p) */ - const chunk_t a; - - /** Coefficient b */ - const chunk_t b; - - /** x coordinate of base point G (a point in E of prime order) */ - const chunk_t x; - - /** y coordinate of base point G */ - const chunk_t y; - - /** Prime order q of the group generated by G */ - const chunk_t q; - -} bp_curve; - -/** - * List of ECC Brainpool curves - */ -static bp_curve bp_curves[] = { - { - /* ECC Brainpool 224-bit curve (RFC 5639), brainpoolP224r1 */ - .group = ECP_224_BP, - .p = chunk_from_chars( - 0xD7,0xC1,0x34,0xAA,0x26,0x43,0x66,0x86,0x2A,0x18,0x30,0x25,0x75,0xD1,0xD7,0x87, - 0xB0,0x9F,0x07,0x57,0x97,0xDA,0x89,0xF5,0x7E,0xC8,0xC0,0xFF), - .a = chunk_from_chars( - 0x68,0xA5,0xE6,0x2C,0xA9,0xCE,0x6C,0x1C,0x29,0x98,0x03,0xA6,0xC1,0x53,0x0B,0x51, - 0x4E,0x18,0x2A,0xD8,0xB0,0x04,0x2A,0x59,0xCA,0xD2,0x9F,0x43), - .b = chunk_from_chars( - 0x25,0x80,0xF6,0x3C,0xCF,0xE4,0x41,0x38,0x87,0x07,0x13,0xB1,0xA9,0x23,0x69,0xE3, - 0x3E,0x21,0x35,0xD2,0x66,0xDB,0xB3,0x72,0x38,0x6C,0x40,0x0B), - .x = chunk_from_chars( - 0x0D,0x90,0x29,0xAD,0x2C,0x7E,0x5C,0xF4,0x34,0x08,0x23,0xB2,0xA8,0x7D,0xC6,0x8C, - 0x9E,0x4C,0xE3,0x17,0x4C,0x1E,0x6E,0xFD,0xEE,0x12,0xC0,0x7D), - .y = chunk_from_chars( - 0x58,0xAA,0x56,0xF7,0x72,0xC0,0x72,0x6F,0x24,0xC6,0xB8,0x9E,0x4E,0xCD,0xAC,0x24, - 0x35,0x4B,0x9E,0x99,0xCA,0xA3,0xF6,0xD3,0x76,0x14,0x02,0xCD), - .q = chunk_from_chars( - 0xD7,0xC1,0x34,0xAA,0x26,0x43,0x66,0x86,0x2A,0x18,0x30,0x25,0x75,0xD0,0xFB,0x98, - 0xD1,0x16,0xBC,0x4B,0x6D,0xDE,0xBC,0xA3,0xA5,0xA7,0x93,0x9F), - }, - { - /* ECC Brainpool 256-bit curve (RFC 5639), brainpoolP256r1 */ - .group = ECP_256_BP, - .p = chunk_from_chars( - 0xA9,0xFB,0x57,0xDB,0xA1,0xEE,0xA9,0xBC,0x3E,0x66,0x0A,0x90,0x9D,0x83,0x8D,0x72, - 0x6E,0x3B,0xF6,0x23,0xD5,0x26,0x20,0x28,0x20,0x13,0x48,0x1D,0x1F,0x6E,0x53,0x77), - .a = chunk_from_chars( - 0x7D,0x5A,0x09,0x75,0xFC,0x2C,0x30,0x57,0xEE,0xF6,0x75,0x30,0x41,0x7A,0xFF,0xE7, - 0xFB,0x80,0x55,0xC1,0x26,0xDC,0x5C,0x6C,0xE9,0x4A,0x4B,0x44,0xF3,0x30,0xB5,0xD9), - .b = chunk_from_chars( - 0x26,0xDC,0x5C,0x6C,0xE9,0x4A,0x4B,0x44,0xF3,0x30,0xB5,0xD9,0xBB,0xD7,0x7C,0xBF, - 0x95,0x84,0x16,0x29,0x5C,0xF7,0xE1,0xCE,0x6B,0xCC,0xDC,0x18,0xFF,0x8C,0x07,0xB6), - .x = chunk_from_chars( - 0x8B,0xD2,0xAE,0xB9,0xCB,0x7E,0x57,0xCB,0x2C,0x4B,0x48,0x2F,0xFC,0x81,0xB7,0xAF, - 0xB9,0xDE,0x27,0xE1,0xE3,0xBD,0x23,0xC2,0x3A,0x44,0x53,0xBD,0x9A,0xCE,0x32,0x62), - .y = chunk_from_chars( - 0x54,0x7E,0xF8,0x35,0xC3,0xDA,0xC4,0xFD,0x97,0xF8,0x46,0x1A,0x14,0x61,0x1D,0xC9, - 0xC2,0x77,0x45,0x13,0x2D,0xED,0x8E,0x54,0x5C,0x1D,0x54,0xC7,0x2F,0x04,0x69,0x97), - .q = chunk_from_chars( - 0xA9,0xFB,0x57,0xDB,0xA1,0xEE,0xA9,0xBC,0x3E,0x66,0x0A,0x90,0x9D,0x83,0x8D,0x71, - 0x8C,0x39,0x7A,0xA3,0xB5,0x61,0xA6,0xF7,0x90,0x1E,0x0E,0x82,0x97,0x48,0x56,0xA7), - }, - { - /* ECC Brainpool 384-bit curve (RFC 5639), brainpoolP384r1 */ - .group = ECP_384_BP, - .p = chunk_from_chars( - 0x8C,0xB9,0x1E,0x82,0xA3,0x38,0x6D,0x28,0x0F,0x5D,0x6F,0x7E,0x50,0xE6,0x41,0xDF, - 0x15,0x2F,0x71,0x09,0xED,0x54,0x56,0xB4,0x12,0xB1,0xDA,0x19,0x7F,0xB7,0x11,0x23, - 0xAC,0xD3,0xA7,0x29,0x90,0x1D,0x1A,0x71,0x87,0x47,0x00,0x13,0x31,0x07,0xEC,0x53), - .a = chunk_from_chars( - 0x7B,0xC3,0x82,0xC6,0x3D,0x8C,0x15,0x0C,0x3C,0x72,0x08,0x0A,0xCE,0x05,0xAF,0xA0, - 0xC2,0xBE,0xA2,0x8E,0x4F,0xB2,0x27,0x87,0x13,0x91,0x65,0xEF,0xBA,0x91,0xF9,0x0F, - 0x8A,0xA5,0x81,0x4A,0x50,0x3A,0xD4,0xEB,0x04,0xA8,0xC7,0xDD,0x22,0xCE,0x28,0x26), - .b = chunk_from_chars( - 0x04,0xA8,0xC7,0xDD,0x22,0xCE,0x28,0x26,0x8B,0x39,0xB5,0x54,0x16,0xF0,0x44,0x7C, - 0x2F,0xB7,0x7D,0xE1,0x07,0xDC,0xD2,0xA6,0x2E,0x88,0x0E,0xA5,0x3E,0xEB,0x62,0xD5, - 0x7C,0xB4,0x39,0x02,0x95,0xDB,0xC9,0x94,0x3A,0xB7,0x86,0x96,0xFA,0x50,0x4C,0x11), - .x = chunk_from_chars( - 0x1D,0x1C,0x64,0xF0,0x68,0xCF,0x45,0xFF,0xA2,0xA6,0x3A,0x81,0xB7,0xC1,0x3F,0x6B, - 0x88,0x47,0xA3,0xE7,0x7E,0xF1,0x4F,0xE3,0xDB,0x7F,0xCA,0xFE,0x0C,0xBD,0x10,0xE8, - 0xE8,0x26,0xE0,0x34,0x36,0xD6,0x46,0xAA,0xEF,0x87,0xB2,0xE2,0x47,0xD4,0xAF,0x1E), - .y = chunk_from_chars( - 0x8A,0xBE,0x1D,0x75,0x20,0xF9,0xC2,0xA4,0x5C,0xB1,0xEB,0x8E,0x95,0xCF,0xD5,0x52, - 0x62,0xB7,0x0B,0x29,0xFE,0xEC,0x58,0x64,0xE1,0x9C,0x05,0x4F,0xF9,0x91,0x29,0x28, - 0x0E,0x46,0x46,0x21,0x77,0x91,0x81,0x11,0x42,0x82,0x03,0x41,0x26,0x3C,0x53,0x15), - .q = chunk_from_chars( - 0x8C,0xB9,0x1E,0x82,0xA3,0x38,0x6D,0x28,0x0F,0x5D,0x6F,0x7E,0x50,0xE6,0x41,0xDF, - 0x15,0x2F,0x71,0x09,0xED,0x54,0x56,0xB3,0x1F,0x16,0x6E,0x6C,0xAC,0x04,0x25,0xA7, - 0xCF,0x3A,0xB6,0xAF,0x6B,0x7F,0xC3,0x10,0x3B,0x88,0x32,0x02,0xE9,0x04,0x65,0x65), - }, - { - /* ECC Brainpool 512-bit curve (RFC 5639), brainpoolP512r1 */ - .group = ECP_512_BP, - .p = chunk_from_chars( - 0xAA,0xDD,0x9D,0xB8,0xDB,0xE9,0xC4,0x8B,0x3F,0xD4,0xE6,0xAE,0x33,0xC9,0xFC,0x07, - 0xCB,0x30,0x8D,0xB3,0xB3,0xC9,0xD2,0x0E,0xD6,0x63,0x9C,0xCA,0x70,0x33,0x08,0x71, - 0x7D,0x4D,0x9B,0x00,0x9B,0xC6,0x68,0x42,0xAE,0xCD,0xA1,0x2A,0xE6,0xA3,0x80,0xE6, - 0x28,0x81,0xFF,0x2F,0x2D,0x82,0xC6,0x85,0x28,0xAA,0x60,0x56,0x58,0x3A,0x48,0xF3), - .a = chunk_from_chars( - 0x78,0x30,0xA3,0x31,0x8B,0x60,0x3B,0x89,0xE2,0x32,0x71,0x45,0xAC,0x23,0x4C,0xC5, - 0x94,0xCB,0xDD,0x8D,0x3D,0xF9,0x16,0x10,0xA8,0x34,0x41,0xCA,0xEA,0x98,0x63,0xBC, - 0x2D,0xED,0x5D,0x5A,0xA8,0x25,0x3A,0xA1,0x0A,0x2E,0xF1,0xC9,0x8B,0x9A,0xC8,0xB5, - 0x7F,0x11,0x17,0xA7,0x2B,0xF2,0xC7,0xB9,0xE7,0xC1,0xAC,0x4D,0x77,0xFC,0x94,0xCA), - .b = chunk_from_chars( - 0x3D,0xF9,0x16,0x10,0xA8,0x34,0x41,0xCA,0xEA,0x98,0x63,0xBC,0x2D,0xED,0x5D,0x5A, - 0xA8,0x25,0x3A,0xA1,0x0A,0x2E,0xF1,0xC9,0x8B,0x9A,0xC8,0xB5,0x7F,0x11,0x17,0xA7, - 0x2B,0xF2,0xC7,0xB9,0xE7,0xC1,0xAC,0x4D,0x77,0xFC,0x94,0xCA,0xDC,0x08,0x3E,0x67, - 0x98,0x40,0x50,0xB7,0x5E,0xBA,0xE5,0xDD,0x28,0x09,0xBD,0x63,0x80,0x16,0xF7,0x23), - .x = chunk_from_chars( - 0x81,0xAE,0xE4,0xBD,0xD8,0x2E,0xD9,0x64,0x5A,0x21,0x32,0x2E,0x9C,0x4C,0x6A,0x93, - 0x85,0xED,0x9F,0x70,0xB5,0xD9,0x16,0xC1,0xB4,0x3B,0x62,0xEE,0xF4,0xD0,0x09,0x8E, - 0xFF,0x3B,0x1F,0x78,0xE2,0xD0,0xD4,0x8D,0x50,0xD1,0x68,0x7B,0x93,0xB9,0x7D,0x5F, - 0x7C,0x6D,0x50,0x47,0x40,0x6A,0x5E,0x68,0x8B,0x35,0x22,0x09,0xBC,0xB9,0xF8,0x22), - .y = chunk_from_chars( - 0x7D,0xDE,0x38,0x5D,0x56,0x63,0x32,0xEC,0xC0,0xEA,0xBF,0xA9,0xCF,0x78,0x22,0xFD, - 0xF2,0x09,0xF7,0x00,0x24,0xA5,0x7B,0x1A,0xA0,0x00,0xC5,0x5B,0x88,0x1F,0x81,0x11, - 0xB2,0xDC,0xDE,0x49,0x4A,0x5F,0x48,0x5E,0x5B,0xCA,0x4B,0xD8,0x8A,0x27,0x63,0xAE, - 0xD1,0xCA,0x2B,0x2F,0xA8,0xF0,0x54,0x06,0x78,0xCD,0x1E,0x0F,0x3A,0xD8,0x08,0x92), - .q = chunk_from_chars( - 0xAA,0xDD,0x9D,0xB8,0xDB,0xE9,0xC4,0x8B,0x3F,0xD4,0xE6,0xAE,0x33,0xC9,0xFC,0x07, - 0xCB,0x30,0x8D,0xB3,0xB3,0xC9,0xD2,0x0E,0xD6,0x63,0x9C,0xCA,0x70,0x33,0x08,0x70, - 0x55,0x3E,0x5C,0x41,0x4C,0xA9,0x26,0x19,0x41,0x86,0x61,0x19,0x7F,0xAC,0x10,0x47, - 0x1D,0xB1,0xD3,0x81,0x08,0x5D,0xDA,0xDD,0xB5,0x87,0x96,0x82,0x9C,0xA9,0x00,0x69), - }, -}; - -/** - * Create an EC_GROUP object for an ECC Brainpool curve - */ -EC_GROUP *ec_group_new_brainpool(bp_curve *curve) -{ - BIGNUM *p, *a, *b, *x, *y, *q; - const BIGNUM *h; - EC_POINT *G = NULL; - EC_GROUP *group = NULL, *result = NULL; - BN_CTX *ctx = NULL; - - ctx = BN_CTX_new(); - p = BN_bin2bn(curve->p.ptr, curve->p.len, NULL); - a = BN_bin2bn(curve->a.ptr, curve->a.len, NULL); - b = BN_bin2bn(curve->b.ptr, curve->b.len, NULL); - x = BN_bin2bn(curve->x.ptr, curve->x.len, NULL); - y = BN_bin2bn(curve->y.ptr, curve->y.len, NULL); - q = BN_bin2bn(curve->q.ptr, curve->q.len, NULL); - /* all supported groups have a cofactor of 1 */ - h = BN_value_one(); - if (!ctx || !p || !a || !b || !x || !y || !q) - { - goto failed; - } - group = EC_GROUP_new_curve_GFp(p, a, b, ctx); - if (!group) - { - goto failed; - } - G = EC_POINT_new(group); -#if OPENSSL_VERSION_NUMBER >= 0x1010100fL - if (!G || !EC_POINT_set_affine_coordinates(group, G, x, y, ctx)) -#else - if (!G || !EC_POINT_set_affine_coordinates_GFp(group, G, x, y, ctx)) -#endif - { - goto failed; - } - if (!EC_GROUP_set_generator(group, G, q, h)) - { - goto failed; - } - result = group; - -failed: - if (!result && group) - { - EC_GROUP_free(group); - } - if (G) - { - EC_POINT_free(G); - } - BN_CTX_free(ctx); - BN_free(p); - BN_free(a); - BN_free(b); - BN_free(x); - BN_free(y); - BN_free(q); - return result; -} - -/** - * Create an EC_KEY for ECC Brainpool curves as defined above - */ -static EC_KEY *ec_key_new_brainpool(diffie_hellman_group_t group) -{ - bp_curve *curve = NULL; - EC_GROUP *ec_group; - EC_KEY *key = NULL; - int i; - - for (i = 0; i < countof(bp_curves); i++) - { - if (bp_curves[i].group == group) - { - curve = &bp_curves[i]; - } - } - if (!curve) - { - return NULL; - } - ec_group = ec_group_new_brainpool(curve); - if (!ec_group) - { - return NULL; - } - key = EC_KEY_new(); - if (!key || !EC_KEY_set_group(key, ec_group)) - { - EC_KEY_free(key); - key = NULL; - } - EC_GROUP_free(ec_group); - return key; -} - -#else /* !NID_brainpoolP224r1 || ... */ - -/** - * Create an EC_KEY for ECC Brainpool curves as defined by OpenSSL - */ -static EC_KEY *ec_key_new_brainpool(diffie_hellman_group_t group) -{ - switch (group) - { - case ECP_224_BP: - return EC_KEY_new_by_curve_name(NID_brainpoolP224r1); - case ECP_256_BP: - return EC_KEY_new_by_curve_name(NID_brainpoolP256r1); - case ECP_384_BP: - return EC_KEY_new_by_curve_name(NID_brainpoolP384r1); - case ECP_512_BP: - return EC_KEY_new_by_curve_name(NID_brainpoolP512r1); - default: - return NULL; - } -} - -#endif /* !NID_brainpoolP224r1 || ... */ - /* * Described in header. */ @@ -624,12 +352,21 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro case ECP_521_BIT: key = EC_KEY_new_by_curve_name(NID_secp521r1); break; +/* added with 1.0.2 */ +#if OPENSSL_VERSION_NUMBER >= 0x10002000L case ECP_224_BP: + key = EC_KEY_new_by_curve_name(NID_brainpoolP224r1); + break; case ECP_256_BP: + key = EC_KEY_new_by_curve_name(NID_brainpoolP256r1); + break; case ECP_384_BP: + key = EC_KEY_new_by_curve_name(NID_brainpoolP384r1); + break; case ECP_512_BP: - key = ec_key_new_brainpool(group); + key = EC_KEY_new_by_curve_name(NID_brainpoolP512r1); break; +#endif default: break; } diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 620a0b690e..bf6a3dad2e 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -640,10 +640,12 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(DH, ECP_521_BIT), PLUGIN_PROVIDE(DH, ECP_224_BIT), PLUGIN_PROVIDE(DH, ECP_192_BIT), +#if OPENSSL_VERSION_NUMBER >= 0x10002000L PLUGIN_PROVIDE(DH, ECP_256_BP), PLUGIN_PROVIDE(DH, ECP_384_BP), PLUGIN_PROVIDE(DH, ECP_512_BP), PLUGIN_PROVIDE(DH, ECP_224_BP), +#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_NO_ECDH */ #ifndef OPENSSL_NO_DH /* MODP DH groups */