From fed9be39ffecc734abfa93fdd8399ccd738b4346 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Sun, 23 Feb 2025 19:46:24 +1100
Subject: [PATCH] Make RFC8422 deprecated TLS EC curves disablable

Also move the deprecated curves to the end of the list, and order the soon most preferred groups first.

Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/26873)
---
 CHANGES.md | 20 +++++-
 Configure | 6 +-
 INSTALL.md | 6 ++
 providers/common/capabilities.c | 103 +++++++++++++++++++------
 test/recipes/70-test_key_share.t | 4 +-
 test/recipes/80-test_ssl_new.t | 1 +
 test/ssl-tests/14-curves.cnf.in | 23 ++++++++----
 7 files changed, 108 insertions(+), 55 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 6eaeb760e2..cbf490ae47 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,16 +30,30 @@ OpenSSL 3.5
 ### Changes between 3.4 and 3.5 [xx XXX xxxx]
+* Added a `no-tls-deprecated-ec-groups` configuration option.
+
+ The `no-tls-deprecated-ec-groups` option disables support for TLS elliptic
+ curve groups deprecated in RFC8422 at compile time. This does not affect use
+ of the associated curves outside TLS. By default support for these groups is
+ compiled in, but, as before, they are not included in the default run-time
+ list of supported groups.
+
+ With the `enable-tls-deprecated-ec` option these TLS groups remain enabled at
+ compile time even if the default configuration is changed, provided the
+ underlying EC curves remain implemented.
+
+ *Viktor Dukhovni*
+
 * Added new API to enable 0-RTT for 3rd party QUIC stacks.
 *Cheng Zhang*
-* Added support for a new callback registration SSL_CTX_set_new_pending_conn_cb,
+* Added support for a new callback registration `SSL_CTX_set_new_pending_conn_cb`,
 which allows for application notification of new connection SSL object
- creation, which occurs independently of calls to SSL_accept_connection().
+ creation, which occurs independently of calls to `SSL_accept_connection()`.
 Note: QUIC objects passed through SSL callbacks should not have their state mutated via calls back into the SSL api until such time as they have been
- received via a call to SSL_accept_connection().
+ received via a call to `SSL_accept_connection()`.
 *Neil Horman*
diff --git a/Configure b/Configure
index 8a860c3a72..87c606f9fb 100755
--- a/Configure
+++ b/Configure
@@ -484,6 +484,7 @@ my @disablables = (
 "gost",
 "http",
 "idea",
+ "integrity-only-ciphers",
 "jitter",
 "ktls",
 "legacy",
@@ -541,7 +542,7 @@ my @disablables = (
 "thread-pool",
 "threads",
 "tls",
- "integrity-only-ciphers",
+ "tls-deprecated-ec",
 "trace",
 "ts",
 "ubsan",
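Review bot: The option name disagrees between the code and the changelog: the disablable added at `+ "tls-deprecated-ec",` in the second Configure hunk gives a `no-tls-deprecated-ec` switch (the name INSTALL.md documents), while the CHANGES.md entry in this same commit calls it `no-tls-deprecated-ec-groups` twice and `enable-tls-deprecated-ec` once. Anyone copying the changelog name will presumably have it rejected by Configure, so the two CHANGES.md occurrences should read `no-tls-deprecated-ec`. The `@disablables` list itself starts and ends outside these hunks.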
@@ -649,7 +650,8 @@ my @disable_cascades = (
 "brotli" => [ "brotli-dynamic" ],
 "zstd" => [ "zstd-dynamic" ],
 "des" => [ "mdc2" ],
- "ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost", "ecx" ],
+ "deprecated" => [ "tls-deprecated-ec" ],
+ "ec" => [ qw(ec2m ecdsa ecdh sm2 gost ecx tls-deprecated-ec) ],
 "dgram" => [ "dtls", "quic", "sctp" ],
 "sock" => [ "dgram", "tfo" ],
 "dtls" => [ @dtls ],
diff --git a/INSTALL.md b/INSTALL.md
index 8599851ab4..983f6aad13 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -781,6 +781,12 @@ Don't build support for Elliptic Curves.
 Don't build support for binary Elliptic Curves
+### no-tls-deprecated-ec
+
+Disable legacy TLS EC groups that were deprecated in RFC8422. These are the
+Koblitz curves, B, B, B, B, and the
+binary Elliptic curves that would also be disabled by C.
+
 ### enable-ec_nistp_64_gcc_128
 Enable support for optimised implementations of some commonly used NIST
diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
index f16e90ff0e..2a68f1b12c 100644
--- a/providers/common/capabilities.c
+++ b/providers/common/capabilities.c
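Review bot: The new cascade `"deprecated" => [ "tls-deprecated-ec" ],` means a plain `no-deprecated` build also drops these TLS groups, and the `"ec"` cascade on the next line does the same for `no-ec`, but neither consequence is stated in the `no-tls-deprecated-ec` section that this commit adds to INSTALL.md; the CHANGES.md wording about `enable-tls-deprecated-ec` keeping them "even if the default configuration is changed" presumably refers to overriding this cascade, though that is not spelled out either. One sentence in the INSTALL.md section would close the gap: `This option is also disabled implicitly by no-deprecated and by no-ec.` The `@disable_cascades` list continues outside the hunk.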
@@ -133,9 +133,73 @@ static const TLS_GROUP_CONSTANTS group_list[] = {
 *
 * - The 1st field is the TLS group name used in SSL_CTX_set_group_list(),
 * aliases repeat everything but the first field.
+ *
+ * Curves 1..22 were deprecated in:
+ *
+ * https://www.rfc-editor.org/rfc/rfc8422.html
+ *
+ * leaving just:
+ *
+ * enum {
+ * deprecated(1..22),
+ * secp256r1 (23), secp384r1 (24), secp521r1 (25),
+ * x25519(29), x448(30),
+ * reserved (0xFE00..0xFEFF),
+ * deprecated(0xFF01..0xFF02),
+ * (0xFFFF)
+ * } NamedCurve;
+ *
+ * and those added later (FFDHE, brainpool, ML-KEM)
 */
 static const OSSL_PARAM param_group_list[][11] = {
 # ifndef OPENSSL_NO_EC
+# if !defined(OPENSSL_NO_ML_KEM)
+# if !defined(OPENSSL_NO_ECX)
+ TLS_GROUP_ENTRY("X25519MLKEM768", "", "X25519MLKEM768", 41),
+# endif
+# endif
+# ifndef FIPS_MODULE
+ TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
+ TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
+# endif
+ TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 22),
+ TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 22), /* Alias of above */
+ TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 23),
+ TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 23), /* Alias of above */
+ TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 24),
+ TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 24), /* Alias of above */
+# endif /* OPENSSL_NO_EC */
+# ifndef OPENSSL_NO_DH
+ /* Security bit values for FFDHE groups are as per RFC 7919 */
+ TLS_GROUP_ENTRY("ffdhe2048", "ffdhe2048", "DH", 33),
+ TLS_GROUP_ENTRY("ffdhe3072", "ffdhe3072", "DH", 34),
+# endif
+# if !defined(OPENSSL_NO_ML_KEM)
+ /* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 */
+ TLS_GROUP_ENTRY("MLKEM512", "", "ML-KEM-512", 38),
+ TLS_GROUP_ENTRY("MLKEM768", "", "ML-KEM-768", 39),
+ TLS_GROUP_ENTRY("MLKEM1024", "", "ML-KEM-1024", 40),
+# endif
+# ifndef OPENSSL_NO_EC
+# ifndef FIPS_MODULE
+ TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
+ TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
+ TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
+ TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
+ TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
+ TLS_GROUP_ENTRY("brainpoolP512r1tls13", "brainpoolP512r1", "EC", 32),
+# endif
+# ifndef OPENSSL_NO_ML_KEM
+ TLS_GROUP_ENTRY("SecP256r1MLKEM768", "", "SecP256r1MLKEM768", 42),
+ TLS_GROUP_ENTRY("SecP384r1MLKEM1024", "", "SecP384r1MLKEM1024", 43),
+# endif
+# endif
+# ifndef OPENSSL_NO_DH
+ TLS_GROUP_ENTRY("ffdhe4096", "ffdhe4096", "DH", 35),
+ TLS_GROUP_ENTRY("ffdhe6144", "ffdhe6144", "DH", 36),
+ TLS_GROUP_ENTRY("ffdhe8192", "ffdhe8192", "DH", 37),
+# endif
+# ifndef OPENSSL_NO_TLS_DEPRECATED_EC
 # ifndef OPENSSL_NO_EC2M
 TLS_GROUP_ENTRY("sect163k1", "sect163k1", "EC", 0),
 TLS_GROUP_ENTRY("K-163", "sect163k1", "EC", 0), /* Alias of above */
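Review bot: The block opened by `# ifndef OPENSSL_NO_TLS_DEPRECATED_EC` at the end of this hunk is no longer nested in an `# ifndef OPENSSL_NO_EC` guard — the first EC block now closes at the new `# endif /* OPENSSL_NO_EC */` above it, and the next hunk replaces the old closing `# endif /* OPENSSL_NO_EC */` with `# endif /* !defined(OPENSSL_NO_TLS_DEPRECATED_EC) */` — so keeping `"EC"` entries such as `sect163k1` out of a no-ec build now rests entirely on the Configure cascade `"ec" => [ qw(... tls-deprecated-ec) ]` added in this commit. That is sound while the cascade exists, but nothing in this file records the dependency, and the reason this block moved to the end of the table (the commit message's "move the deprecated curves to the end of the list") is also unstated. A comment on the `# ifndef` line would capture both: `/* RFC 8422 deprecated groups, kept last; no-ec and no-deprecated cascade to no-tls-deprecated-ec in Configure */`. The `param_group_list` initializer continues past the hunk.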
@@ -190,44 +254,7 @@ static const OSSL_PARAM param_group_list[][11] = {
 # ifndef FIPS_MODULE
 TLS_GROUP_ENTRY("secp256k1", "secp256k1", "EC", 21),
 # endif
- TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 22),
- TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 22), /* Alias of above */
- TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 23),
- TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 23), /* Alias of above */
- TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 24),
- TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 24), /* Alias of above */
-# ifndef FIPS_MODULE
- TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
- TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
- TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
- TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
- TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
- TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
- TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
- TLS_GROUP_ENTRY("brainpoolP512r1tls13", "brainpoolP512r1", "EC", 32),
-# endif
-# endif /* OPENSSL_NO_EC */
-# ifndef OPENSSL_NO_DH
- /* Security bit values for FFDHE groups are as per RFC 7919 */
- TLS_GROUP_ENTRY("ffdhe2048", "ffdhe2048", "DH", 33),
- TLS_GROUP_ENTRY("ffdhe3072", "ffdhe3072", "DH", 34),
- TLS_GROUP_ENTRY("ffdhe4096", "ffdhe4096", "DH", 35),
- TLS_GROUP_ENTRY("ffdhe6144", "ffdhe6144", "DH", 36),
- TLS_GROUP_ENTRY("ffdhe8192", "ffdhe8192", "DH", 37),
-# endif
-# if !defined(OPENSSL_NO_ML_KEM)
- /* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 */
- TLS_GROUP_ENTRY("MLKEM512", "", "ML-KEM-512", 38),
- TLS_GROUP_ENTRY("MLKEM768", "", "ML-KEM-768", 39),
- TLS_GROUP_ENTRY("MLKEM1024", "", "ML-KEM-1024", 40),
-# endif
-# if !defined(OPENSSL_NO_ML_KEM) && !defined(OPENSSL_NO_EC)
-# if !defined(OPENSSL_NO_ECX)
- TLS_GROUP_ENTRY("X25519MLKEM768", "", "X25519MLKEM768", 41),
-# endif
- TLS_GROUP_ENTRY("SecP256r1MLKEM768", "", "SecP256r1MLKEM768", 42),
- TLS_GROUP_ENTRY("SecP384r1MLKEM1024", "", "SecP384r1MLKEM1024", 43),
-# endif
+# endif /* !defined(OPENSSL_NO_TLS_DEPRECATED_EC) */
 };
 #endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ML_KEM) */
diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t
index ef21146e0c..7ac169b14b 100644
--- a/test/recipes/70-test_key_share.t
+++ b/test/recipes/70-test_key_share.t
@@ -295,9 +295,9 @@ SKIP: {
 $proxy->clear();
 $direction = CLIENT_TO_SERVER;
 if (disabled("ecx")) {
- $proxy->clientflags("-groups secp192r1:P-256:P-384");
+ $proxy->clientflags("-groups brainpoolP256r1:P-256:P-384");
 } else {
- $proxy->clientflags("-groups secp192r1:P-256:X25519");
+ $proxy->clientflags("-groups brainpoolP256r1:P-256:X25519");
 }
 $proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
 $testtype = NON_TLS1_3_KEY_SHARE;
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 3b69775972..b6228455ed 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -84,6 +84,7 @@ my %conf_dependent_tests = (
 "07-dtls-protocol-version.cnf" => !$is_default_dtls || !disabled("sctp"),
 "10-resumption.cnf" => !$is_default_tls || $no_ec,
 "11-dtls_resumption.cnf" => !$is_default_dtls || !disabled("sctp"),
+ "14-curves.cnf" => disabled("tls-deprecated-ec"),
 "16-dtls-certstatus.cnf" => !$is_default_dtls || !disabled("sctp"),
 "17-renegotiate.cnf" => disabled("tls1_2"),
 "18-dtls-renegotiate.cnf" => disabled("dtls1_2") || !disabled("sctp"),
diff --git a/test/ssl-tests/14-curves.cnf.in b/test/ssl-tests/14-curves.cnf.in
index f8eb7572ad..e50421d501 100644
--- a/test/ssl-tests/14-curves.cnf.in
+++ b/test/ssl-tests/14-curves.cnf.in
@@ -8,7 +8,7 @@ use strict;
 use warnings;
 use OpenSSL::Test;
-use OpenSSL::Test::Utils qw(anydisabled);
+use OpenSSL::Test::Utils;
 our $fips_mode;
 our $fips_3_4;
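Review bot: Nothing in the 70-test_key_share.t hunk says why `secp192r1` became `brainpoolP256r1` in both `-groups` strings; the reason is that `secp192r1` (`prime192v1`) is one of the groups this commit places behind `OPENSSL_NO_TLS_DEPRECATED_EC`, so a `no-tls-deprecated-ec` build would have no such group to offer, whereas `brainpoolP256r1` stays compiled in outside the FIPS module — presumably it is also absent from the default group list, which is what this test appears to need, but that should be confirmed. A one-line comment above `if (disabled("ecx")) {` would spare the next reader the cross-reference: `# brainpoolP256r1: still built with no-tls-deprecated-ec, unlike the deprecated secp192r1`. The enclosing `SKIP:` block starts and ends outside the hunk.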
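Review bot: In the 14-curves.cnf.in hunk, replacing `use OpenSSL::Test::Utils qw(anydisabled);` with a bare `use OpenSSL::Test::Utils;` switches the file to the module's default export list; that covers the `disabled(...)` calls the second hunk adds, but it also silently assumes `anydisabled` is a default export if it is still referenced further down the file, which is not visible here. An explicit list keeps the dependency readable the way the removed line did: `use OpenSSL::Test::Utils qw(disabled);`, adding `anydisabled` only if it is still used. The file's preamble continues outside the hunk.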
@@ -29,16 +29,19 @@ push @curves_tls_1_3, @curves_tls_1_3_no_fips if !$fips_mode;
 push @curves, @curves_tls_1_3;
 my @curves_tls_1_2 = ();
+push @curves_tls_1_2,
+ "sect233k1", "sect233r1", "sect283k1", "sect283r1", "sect409k1",
+ "sect409r1", "sect571k1", "sect571r1", "secp224r1"
+ unless ($fips_3_4 || disabled("tls-deprecated-ec"));
 
-@curves_tls_1_2 = ("sect233k1", "sect233r1",
- "sect283k1", "sect283r1", "sect409k1", "sect409r1",
- "sect571k1", "sect571r1", "secp224r1") unless $fips_3_4;
-
-my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1",
- "sect163r1", "sect193r1", "sect193r2", "sect239k1",
- "secp160k1", "secp160r1", "secp160r2", "secp192k1",
- "secp224k1", "secp256k1", "brainpoolP256r1",
- "brainpoolP384r1", "brainpoolP512r1");
+my @curves_non_fips = ();
+push @curves_non_fips,
+ "sect163k1", "sect163r2", "prime192v1", "sect163r1", "sect193r1",
+ "sect193r2", "sect239k1", "secp160k1", "secp160r1", "secp160r2",
+ "secp192k1", "secp224k1", "secp256k1"
+ unless disabled("tls-deprecated-ec");
+push @curves_non_fips,
+ "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1";
 push @curves_tls_1_2, @curves_non_fips if !$fips_mode;