Make RFC8422 deprecated TLS EC curves disablable
authorViktor Dukhovni <openssl-users@dukhovni.org>
Sun, 23 Feb 2025 08:46:24 +0000 (19:46 +1100)
committerTomas Mraz <tomas@openssl.org>
Wed, 26 Feb 2025 11:14:02 +0000 (12:14 +0100)
Also move the deprecated curves to the end of the list, and order the
groups that will soon be most preferred first.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26873)

CHANGES.md
Configure
INSTALL.md
providers/common/capabilities.c
test/recipes/70-test_key_share.t
test/recipes/80-test_ssl_new.t
test/ssl-tests/14-curves.cnf.in

index 6eaeb760e28d2afee23755e495a94ad690d4d09d..cbf490ae470360a54ef207b767613b4f5da546b9 100644 (file)
@@ -30,16 +30,30 @@ OpenSSL 3.5
 
 ### Changes between 3.4 and 3.5 [xx XXX xxxx]
 
+* Added a `no-tls-deprecated-ec-groups` configuration option.
+
+  The `no-tls-deprecated-ec-groups` option disables support for TLS elliptic
+  curve groups deprecated in RFC8422 at compile time.  This does not affect use
+  of the associated curves outside TLS.  By default support for these groups is
+  compiled in, but, as before, they are not included in the default run-time
+  list of supported groups.
+
+  With the `enable-tls-deprecated-ec` option these TLS groups remain enabled at
+  compile time even if the default configuration is changed, provided the
+  underlying EC curves remain implemented.
+
+  *Viktor Dukhovni*
+
 * Added new API to enable 0-RTT for 3rd party QUIC stacks.
 
   *Cheng Zhang*
 
-* Added support for a new callback registration SSL_CTX_set_new_pending_conn_cb,
+* Added support for a new callback registration `SSL_CTX_set_new_pending_conn_cb`,
   which allows for application notification of new connection SSL object
-  creation, which occurs independently of calls to SSL_accept_connection().
+  creation, which occurs independently of calls to `SSL_accept_connection()`.
   Note: QUIC objects passed through SSL callbacks should not have their state
   mutated via calls back into the SSL api until such time as they have been
-  received via a call to SSL_accept_connection().
+  received via a call to `SSL_accept_connection()`.
 
   *Neil Horman*
 
index 8a860c3a7222de39c1c7f3654bfbbcea7b201f65..87c606f9fbb7d9ded101c9a21dfb545d7e106f8f 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -484,6 +484,7 @@ my @disablables = (
     "gost",
     "http",
     "idea",
+    "integrity-only-ciphers",
     "jitter",
     "ktls",
     "legacy",
@@ -541,7 +542,7 @@ my @disablables = (
     "thread-pool",
     "threads",
     "tls",
-    "integrity-only-ciphers",
+    "tls-deprecated-ec",
     "trace",
     "ts",
     "ubsan",
@@ -649,7 +650,8 @@ my @disable_cascades = (
     "brotli"            => [ "brotli-dynamic" ],
     "zstd"              => [ "zstd-dynamic" ],
     "des"               => [ "mdc2" ],
-    "ec"                => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost", "ecx" ],
+    "deprecated"        => [ "tls-deprecated-ec" ],
+    "ec"                => [ qw(ec2m ecdsa ecdh sm2 gost ecx tls-deprecated-ec) ],
     "dgram"             => [ "dtls", "quic", "sctp" ],
     "sock"              => [ "dgram", "tfo" ],
     "dtls"              => [ @dtls ],
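Review bot: The new `"deprecated" => [ "tls-deprecated-ec" ]` cascade on the hunk's first added line presumably widens what `no-deprecated` does (it now also removes TLS groups from the capabilities table), and nothing in Configure says so; a comment such as `# no-deprecated also drops the RFC8422-deprecated TLS EC groups (see INSTALL.md)` would spare the next reader a trip to CHANGES.md. The rewritten `"ec"` entry on the following line switches to `qw(...)` while every neighbouring cascade keeps a quoted-string list; either form works, but `"ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost", "ecx", "tls-deprecated-ec" ],` keeps the table uniform. The `@disable_cascades` list continues outside the hunk.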
index 8599851ab46063274dbc5d024539c3bd9b306fc9..983f6aad136932f0d947e5d741936ee4f48227c5 100644 (file)
@@ -781,6 +781,12 @@ Don't build support for Elliptic Curves.
 
 Don't build support for binary Elliptic Curves
 
+### no-tls-deprecated-ec
+
+Disable legacy TLS EC groups that were deprecated in RFC8422.  These are the
+Koblitz curves, B<secp160r1>, B<secp160r2>, B<secp192r1>, B<secp224r1>, and the
+binary Elliptic curves that would also be disabled by C<no-ec2m>.
+
 ### enable-ec_nistp_64_gcc_128
 
 Enable support for optimised implementations of some commonly used NIST
index f16e90ff0e1f2e2a9778e25c20e55f08fa0c166f..2a68f1b12cca869a3c1ede44f43c3da05ee93c63 100644 (file)
@@ -133,9 +133,73 @@ static const TLS_GROUP_CONSTANTS group_list[] = {
  *
  * - The 1st field is the TLS group name used in SSL_CTX_set_group_list(),
  *   aliases repeat everything but the first field.
+ *
+ * Curves 1..22 were deprecated in:
+ *
+ *   https://www.rfc-editor.org/rfc/rfc8422.html
+ *
+ * leaving just:
+ *
+ *   enum {
+ *       deprecated(1..22),
+ *       secp256r1 (23), secp384r1 (24), secp521r1 (25),
+ *       x25519(29), x448(30),
+ *       reserved (0xFE00..0xFEFF),
+ *       deprecated(0xFF01..0xFF02),
+ *       (0xFFFF)
+ *   } NamedCurve;
+ *
+ * and those added later (FFDHE, brainpool, ML-KEM)
  */
 static const OSSL_PARAM param_group_list[][11] = {
 # ifndef OPENSSL_NO_EC
+#  if !defined(OPENSSL_NO_ML_KEM)
+#   if !defined(OPENSSL_NO_ECX)
+    TLS_GROUP_ENTRY("X25519MLKEM768", "", "X25519MLKEM768", 41),
+#   endif
+#  endif
+#  ifndef FIPS_MODULE
+    TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
+    TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
+#  endif
+    TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 22),
+    TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 22), /* Alias of above */
+    TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 23),
+    TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 23), /* Alias of above */
+    TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 24),
+    TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 24), /* Alias of above */
+# endif /* OPENSSL_NO_EC */
+# ifndef OPENSSL_NO_DH
+    /* Security bit values for FFDHE groups are as per RFC 7919 */
+    TLS_GROUP_ENTRY("ffdhe2048", "ffdhe2048", "DH", 33),
+    TLS_GROUP_ENTRY("ffdhe3072", "ffdhe3072", "DH", 34),
+# endif
+# if !defined(OPENSSL_NO_ML_KEM)
+    /* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 */
+    TLS_GROUP_ENTRY("MLKEM512", "", "ML-KEM-512", 38),
+    TLS_GROUP_ENTRY("MLKEM768", "", "ML-KEM-768", 39),
+    TLS_GROUP_ENTRY("MLKEM1024", "", "ML-KEM-1024", 40),
+# endif
+# ifndef OPENSSL_NO_EC
+#  ifndef FIPS_MODULE
+    TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
+    TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
+    TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
+    TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
+    TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
+    TLS_GROUP_ENTRY("brainpoolP512r1tls13", "brainpoolP512r1", "EC", 32),
+#  endif
+#  ifndef OPENSSL_NO_ML_KEM
+    TLS_GROUP_ENTRY("SecP256r1MLKEM768", "", "SecP256r1MLKEM768", 42),
+    TLS_GROUP_ENTRY("SecP384r1MLKEM1024", "", "SecP384r1MLKEM1024", 43),
+#  endif
+# endif
+# ifndef OPENSSL_NO_DH
+    TLS_GROUP_ENTRY("ffdhe4096", "ffdhe4096", "DH", 35),
+    TLS_GROUP_ENTRY("ffdhe6144", "ffdhe6144", "DH", 36),
+    TLS_GROUP_ENTRY("ffdhe8192", "ffdhe8192", "DH", 37),
+# endif
+# ifndef OPENSSL_NO_TLS_DEPRECATED_EC
 #  ifndef OPENSSL_NO_EC2M
     TLS_GROUP_ENTRY("sect163k1", "sect163k1", "EC", 0),
     TLS_GROUP_ENTRY("K-163", "sect163k1", "EC", 0), /* Alias of above */
@@ -190,44 +254,7 @@ static const OSSL_PARAM param_group_list[][11] = {
 #  ifndef FIPS_MODULE
     TLS_GROUP_ENTRY("secp256k1", "secp256k1", "EC", 21),
 #  endif
-    TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 22),
-    TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 22), /* Alias of above */
-    TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 23),
-    TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 23), /* Alias of above */
-    TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 24),
-    TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 24), /* Alias of above */
-#  ifndef FIPS_MODULE
-    TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
-    TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
-    TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
-    TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
-    TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
-    TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
-    TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
-    TLS_GROUP_ENTRY("brainpoolP512r1tls13", "brainpoolP512r1", "EC", 32),
-#  endif
-# endif /* OPENSSL_NO_EC */
-# ifndef OPENSSL_NO_DH
-    /* Security bit values for FFDHE groups are as per RFC 7919 */
-    TLS_GROUP_ENTRY("ffdhe2048", "ffdhe2048", "DH", 33),
-    TLS_GROUP_ENTRY("ffdhe3072", "ffdhe3072", "DH", 34),
-    TLS_GROUP_ENTRY("ffdhe4096", "ffdhe4096", "DH", 35),
-    TLS_GROUP_ENTRY("ffdhe6144", "ffdhe6144", "DH", 36),
-    TLS_GROUP_ENTRY("ffdhe8192", "ffdhe8192", "DH", 37),
-# endif
-# if !defined(OPENSSL_NO_ML_KEM)
-    /* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 */
-    TLS_GROUP_ENTRY("MLKEM512", "", "ML-KEM-512", 38),
-    TLS_GROUP_ENTRY("MLKEM768", "", "ML-KEM-768", 39),
-    TLS_GROUP_ENTRY("MLKEM1024", "", "ML-KEM-1024", 40),
-# endif
-# if !defined(OPENSSL_NO_ML_KEM) && !defined(OPENSSL_NO_EC)
-#  if !defined(OPENSSL_NO_ECX)
-    TLS_GROUP_ENTRY("X25519MLKEM768", "", "X25519MLKEM768", 41),
-#  endif
-    TLS_GROUP_ENTRY("SecP256r1MLKEM768", "", "SecP256r1MLKEM768", 42),
-    TLS_GROUP_ENTRY("SecP384r1MLKEM1024", "", "SecP384r1MLKEM1024", 43),
-# endif
+# endif /* !defined(OPENSSL_NO_TLS_DEPRECATED_EC) */
 };
 #endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ML_KEM) */
 
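Review bot: The `# ifndef OPENSSL_NO_TLS_DEPRECATED_EC` block opened on the first hunk's last added line is no longer nested inside `# ifndef OPENSSL_NO_EC`: the EC guard now closes at the `# endif /* OPENSSL_NO_EC */` after the P-521 alias, and the old `# endif /* OPENSSL_NO_EC */` that used to close the deprecated "EC" entries is removed in the second hunk. Correctness of those entries therefore rests on the Configure cascade `"ec" => [ ... tls-deprecated-ec ]` rather than on the C source; a configuration header that defines OPENSSL_NO_EC but not OPENSSL_NO_TLS_DEPRECATED_EC (hand-edited, or after a future cascade change) would still register "EC" groups inside the table, since the outer `#endif` also admits DH-only and ML-KEM-only builds. Making the guard self-contained, `# if !defined(OPENSSL_NO_TLS_DEPRECATED_EC) && !defined(OPENSSL_NO_EC)` with a matching `# endif` comment, removes that dependency. Separately, `X25519MLKEM768` is guarded on OPENSSL_NO_ECX while the `x25519`/`x448` entries a few lines below are not; that inconsistency predates this commit, but the reordering now puts them side by side, so it is worth a look. The `param_group_list` table continues past the hunk.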
index ef21146e0c796dd29c3202f322d8f60fa1f18d40..7ac169b14b3703772b80c291f839c4d3c13c2578 100644 (file)
@@ -295,9 +295,9 @@ SKIP: {
     $proxy->clear();
     $direction = CLIENT_TO_SERVER;
     if (disabled("ecx")) {
-        $proxy->clientflags("-groups secp192r1:P-256:P-384");
+        $proxy->clientflags("-groups brainpoolP256r1:P-256:P-384");
     } else {
-        $proxy->clientflags("-groups secp192r1:P-256:X25519");
+        $proxy->clientflags("-groups brainpoolP256r1:P-256:X25519");
     }
     $proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
     $testtype = NON_TLS1_3_KEY_SHARE;
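Review bot: The replacement group `brainpoolP256r1` in both `-groups` strings is, per capabilities.c in this same commit, only registered when FIPS_MODULE is not defined, so if this SKIP block can run against the FIPS provider the leading group would be unknown rather than merely non-default, which presumably changes what the key-share test exercises; a comment stating the intent would make that reviewable, e.g. `# Lead with a group that is compiled in by default but not in the default group list; secp192r1 no longer qualifies since no-tls-deprecated-ec can build it out`. The SKIP block this belongs to starts outside the hunk.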
index 3b69775972024a7c5996acbc4787a2670fc26b5c..b6228455ed1e648ef51ed8b75ec35b3d4c95f7a4 100644 (file)
@@ -84,6 +84,7 @@ my %conf_dependent_tests = (
   "07-dtls-protocol-version.cnf" => !$is_default_dtls || !disabled("sctp"),
   "10-resumption.cnf" => !$is_default_tls || $no_ec,
   "11-dtls_resumption.cnf" => !$is_default_dtls || !disabled("sctp"),
+  "14-curves.cnf" => disabled("tls-deprecated-ec"),
   "16-dtls-certstatus.cnf" => !$is_default_dtls || !disabled("sctp"),
   "17-renegotiate.cnf" => disabled("tls1_2"),
   "18-dtls-renegotiate.cnf" => disabled("dtls1_2") || !disabled("sctp"),
index f8eb7572ad63b21fb308eddde3f9b1cb2d77bd4c..e50421d501dc78b69f5cace83eb6e05eed29358b 100644 (file)
@@ -8,7 +8,7 @@ use strict;
 use warnings;
 
 use OpenSSL::Test;
-use OpenSSL::Test::Utils qw(anydisabled);
+use OpenSSL::Test::Utils;
 
 our $fips_mode;
 our $fips_3_4;
@@ -29,16 +29,19 @@ push @curves_tls_1_3, @curves_tls_1_3_no_fips if !$fips_mode;
 push @curves, @curves_tls_1_3;
 
 my @curves_tls_1_2 = ();
-
-@curves_tls_1_2 = ("sect233k1", "sect233r1",
-              "sect283k1", "sect283r1", "sect409k1", "sect409r1",
-              "sect571k1", "sect571r1", "secp224r1") unless $fips_3_4;
-
-my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1",
-                       "sect163r1", "sect193r1", "sect193r2", "sect239k1",
-                       "secp160k1", "secp160r1", "secp160r2", "secp192k1",
-                       "secp224k1",  "secp256k1", "brainpoolP256r1",
-                       "brainpoolP384r1", "brainpoolP512r1");
+push @curves_tls_1_2,
+    "sect233k1", "sect233r1", "sect283k1", "sect283r1", "sect409k1",
+    "sect409r1", "sect571k1", "sect571r1", "secp224r1"
+    unless ($fips_3_4 || disabled("tls-deprecated-ec"));
+
+my @curves_non_fips = ();
+push @curves_non_fips,
+    "sect163k1", "sect163r2", "prime192v1", "sect163r1", "sect193r1",
+    "sect193r2", "sect239k1", "secp160k1", "secp160r1", "secp160r2",
+    "secp192k1", "secp224k1",  "secp256k1"
+    unless disabled("tls-deprecated-ec");
+push @curves_non_fips,
+    "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1";
 
 push @curves_tls_1_2, @curves_non_fips if !$fips_mode;