Make RFC8422 deprecated TLS EC curves disablable

Also move the deprecated curves to the end of the list, and order the
soon most preferred groups first.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26873)

CHANGES.md

@@ -30,16 +30,30 @@ OpenSSL 3.5
 
 ### Changes between 3.4 and 3.5 [xx XXX xxxx]
 
+* Added a `no-tls-deprecated-ec-groups` configuration option.
+
+  The `no-tls-deprecated-ec-groups` option disables support for TLS elliptic
+  curve groups deprecated in RFC8422 at compile time.  This does not affect use
+  of the associated curves outside TLS.  By default support for these groups is
+  compiled in, but, as before, they are not included in the default run-time
+  list of supported groups.
+
+  With the `enable-tls-deprecated-ec` option these TLS groups remain enabled at
+  compile time even if the default configuration is changed, provided the
+  underlying EC curves remain implemented.
+
+  *Viktor Dukhovni*
+
 * Added new API to enable 0-RTT for 3rd party QUIC stacks.
 
   *Cheng Zhang*
 
-* Added support for a new callback registration SSL_CTX_set_new_pending_conn_cb,
+* Added support for a new callback registration `SSL_CTX_set_new_pending_conn_cb`,
   which allows for application notification of new connection SSL object
-  creation, which occurs independently of calls to SSL_accept_connection().
+  creation, which occurs independently of calls to `SSL_accept_connection()`.
   Note: QUIC objects passed through SSL callbacks should not have their state
   mutated via calls back into the SSL api until such time as they have been
-  received via a call to SSL_accept_connection().
+  received via a call to `SSL_accept_connection()`.
 
   *Neil Horman*
 

Configure

@@ -484,6 +484,7 @@ my @disablables = (
     "gost",
     "http",
     "idea",
+    "integrity-only-ciphers",
     "jitter",
     "ktls",
     "legacy",
@@ -541,7 +542,7 @@ my @disablables = (
     "thread-pool",
     "threads",
     "tls",
-    "integrity-only-ciphers",
+    "tls-deprecated-ec",
     "trace",
     "ts",
     "ubsan",
@@ -649,7 +650,8 @@ my @disable_cascades = (
     "brotli"            => [ "brotli-dynamic" ],
     "zstd"              => [ "zstd-dynamic" ],
     "des"               => [ "mdc2" ],
-    "ec"                => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost", "ecx" ],
+    "deprecated"        => [ "tls-deprecated-ec" ],
+    "ec"                => [ qw(ec2m ecdsa ecdh sm2 gost ecx tls-deprecated-ec) ],
     "dgram"             => [ "dtls", "quic", "sctp" ],
     "sock"              => [ "dgram", "tfo" ],
     "dtls"              => [ @dtls ],

INSTALL.md

@@ -781,6 +781,12 @@ Don't build support for Elliptic Curves.
 
 Don't build support for binary Elliptic Curves
 
+### no-tls-deprecated-ec
+
+Disable legacy TLS EC groups that were deprecated in RFC8422.  These are the
+Koblitz curves, B<secp160r1>, B<secp160r2>, B<secp192r1>, B<secp224r1>, and the
+binary Elliptic curves that would also be disabled by C<no-ec2m>.
+
 ### enable-ec_nistp_64_gcc_128
 
 Enable support for optimised implementations of some commonly used NIST

providers/common/capabilities.c

@@ -133,9 +133,73 @@ static const TLS_GROUP_CONSTANTS group_list[] = {
  *
  * - The 1st field is the TLS group name used in SSL_CTX_set_group_list(),
  *   aliases repeat everything but the first field.
+ *
+ * Curves 1..22 were deprecated in:
+ *
+ *   https://www.rfc-editor.org/rfc/rfc8422.html
+ *
+ * leaving just:
+ *
+ *   enum {
+ *       deprecated(1..22),
+ *       secp256r1 (23), secp384r1 (24), secp521r1 (25),
+ *       x25519(29), x448(30),
+ *       reserved (0xFE00..0xFEFF),
+ *       deprecated(0xFF01..0xFF02),
+ *       (0xFFFF)
+ *   } NamedCurve;
+ *
+ * and those added later (FFDHE, brainpool, ML-KEM)
  */
 static const OSSL_PARAM param_group_list[][11] = {
 # ifndef OPENSSL_NO_EC
+#  if !defined(OPENSSL_NO_ML_KEM)
+#   if !defined(OPENSSL_NO_ECX)
+    TLS_GROUP_ENTRY("X25519MLKEM768", "", "X25519MLKEM768", 41),
+#   endif
+#  endif
+#  ifndef FIPS_MODULE
+    TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
+    TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
+#  endif
+    TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 22),
+    TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 22), /* Alias of above */
+    TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 23),
+    TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 23), /* Alias of above */
+    TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 24),
+    TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 24), /* Alias of above */
+# endif /* OPENSSL_NO_EC */
+# ifndef OPENSSL_NO_DH
+    /* Security bit values for FFDHE groups are as per RFC 7919 */
+    TLS_GROUP_ENTRY("ffdhe2048", "ffdhe2048", "DH", 33),
+    TLS_GROUP_ENTRY("ffdhe3072", "ffdhe3072", "DH", 34),
+# endif
+# if !defined(OPENSSL_NO_ML_KEM)
+    /* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 */
+    TLS_GROUP_ENTRY("MLKEM512", "", "ML-KEM-512", 38),
+    TLS_GROUP_ENTRY("MLKEM768", "", "ML-KEM-768", 39),
+    TLS_GROUP_ENTRY("MLKEM1024", "", "ML-KEM-1024", 40),
+# endif
+# ifndef OPENSSL_NO_EC
+#  ifndef FIPS_MODULE
+    TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
+    TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
+    TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
+    TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
+    TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
+    TLS_GROUP_ENTRY("brainpoolP512r1tls13", "brainpoolP512r1", "EC", 32),
+#  endif
+#  ifndef OPENSSL_NO_ML_KEM
+    TLS_GROUP_ENTRY("SecP256r1MLKEM768", "", "SecP256r1MLKEM768", 42),
+    TLS_GROUP_ENTRY("SecP384r1MLKEM1024", "", "SecP384r1MLKEM1024", 43),
+#  endif
+# endif
+# ifndef OPENSSL_NO_DH
+    TLS_GROUP_ENTRY("ffdhe4096", "ffdhe4096", "DH", 35),
+    TLS_GROUP_ENTRY("ffdhe6144", "ffdhe6144", "DH", 36),
+    TLS_GROUP_ENTRY("ffdhe8192", "ffdhe8192", "DH", 37),
+# endif
+# ifndef OPENSSL_NO_TLS_DEPRECATED_EC
 #  ifndef OPENSSL_NO_EC2M
     TLS_GROUP_ENTRY("sect163k1", "sect163k1", "EC", 0),
     TLS_GROUP_ENTRY("K-163", "sect163k1", "EC", 0), /* Alias of above */
@@ -190,44 +254,7 @@ static const OSSL_PARAM param_group_list[][11] = {
 #  ifndef FIPS_MODULE
     TLS_GROUP_ENTRY("secp256k1", "secp256k1", "EC", 21),
 #  endif
-    TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 22),
+# endif /* !defined(OPENSSL_NO_TLS_DEPRECATED_EC) */
-    TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 22), /* Alias of above */
-    TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 23),
-    TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 23), /* Alias of above */
-    TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 24),
-    TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 24), /* Alias of above */
-#  ifndef FIPS_MODULE
-    TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
-    TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
-    TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
-    TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
-    TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
-    TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
-    TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
-    TLS_GROUP_ENTRY("brainpoolP512r1tls13", "brainpoolP512r1", "EC", 32),
-#  endif
-# endif /* OPENSSL_NO_EC */
-# ifndef OPENSSL_NO_DH
-    /* Security bit values for FFDHE groups are as per RFC 7919 */
-    TLS_GROUP_ENTRY("ffdhe2048", "ffdhe2048", "DH", 33),
-    TLS_GROUP_ENTRY("ffdhe3072", "ffdhe3072", "DH", 34),
-    TLS_GROUP_ENTRY("ffdhe4096", "ffdhe4096", "DH", 35),
-    TLS_GROUP_ENTRY("ffdhe6144", "ffdhe6144", "DH", 36),
-    TLS_GROUP_ENTRY("ffdhe8192", "ffdhe8192", "DH", 37),
-# endif
-# if !defined(OPENSSL_NO_ML_KEM)
-    /* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 */
-    TLS_GROUP_ENTRY("MLKEM512", "", "ML-KEM-512", 38),
-    TLS_GROUP_ENTRY("MLKEM768", "", "ML-KEM-768", 39),
-    TLS_GROUP_ENTRY("MLKEM1024", "", "ML-KEM-1024", 40),
-# endif
-# if !defined(OPENSSL_NO_ML_KEM) && !defined(OPENSSL_NO_EC)
-#  if !defined(OPENSSL_NO_ECX)
-    TLS_GROUP_ENTRY("X25519MLKEM768", "", "X25519MLKEM768", 41),
-#  endif
-    TLS_GROUP_ENTRY("SecP256r1MLKEM768", "", "SecP256r1MLKEM768", 42),
-    TLS_GROUP_ENTRY("SecP384r1MLKEM1024", "", "SecP384r1MLKEM1024", 43),
-# endif
 };
 #endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ML_KEM) */
 

test/recipes/70-test_key_share.t

@@ -295,9 +295,9 @@ SKIP: {
     $proxy->clear();
     $direction = CLIENT_TO_SERVER;
     if (disabled("ecx")) {
-        $proxy->clientflags("-groups secp192r1:P-256:P-384");
+        $proxy->clientflags("-groups brainpoolP256r1:P-256:P-384");
     } else {
-        $proxy->clientflags("-groups secp192r1:P-256:X25519");
+        $proxy->clientflags("-groups brainpoolP256r1:P-256:X25519");
     }
     $proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
     $testtype = NON_TLS1_3_KEY_SHARE;

test/recipes/80-test_ssl_new.t

@@ -84,6 +84,7 @@ my %conf_dependent_tests = (
   "07-dtls-protocol-version.cnf" => !$is_default_dtls || !disabled("sctp"),
   "10-resumption.cnf" => !$is_default_tls || $no_ec,
   "11-dtls_resumption.cnf" => !$is_default_dtls || !disabled("sctp"),
+  "14-curves.cnf" => disabled("tls-deprecated-ec"),
   "16-dtls-certstatus.cnf" => !$is_default_dtls || !disabled("sctp"),
   "17-renegotiate.cnf" => disabled("tls1_2"),
   "18-dtls-renegotiate.cnf" => disabled("dtls1_2") || !disabled("sctp"),

test/ssl-tests/14-curves.cnf.in

@@ -8,7 +8,7 @@ use strict;
 use warnings;
 
 use OpenSSL::Test;
-use OpenSSL::Test::Utils qw(anydisabled);
+use OpenSSL::Test::Utils;
 
 our $fips_mode;
 our $fips_3_4;
@@ -29,16 +29,19 @@ push @curves_tls_1_3, @curves_tls_1_3_no_fips if !$fips_mode;
 push @curves, @curves_tls_1_3;
 
 my @curves_tls_1_2 = ();
+push @curves_tls_1_2,
+    "sect233k1", "sect233r1", "sect283k1", "sect283r1", "sect409k1",
+    "sect409r1", "sect571k1", "sect571r1", "secp224r1"
+    unless ($fips_3_4 || disabled("tls-deprecated-ec"));
 
-@curves_tls_1_2 = ("sect233k1", "sect233r1",
+my @curves_non_fips = ();
-              "sect283k1", "sect283r1", "sect409k1", "sect409r1",
+push @curves_non_fips,
-              "sect571k1", "sect571r1", "secp224r1") unless $fips_3_4;
+    "sect163k1", "sect163r2", "prime192v1", "sect163r1", "sect193r1",
-
+    "sect193r2", "sect239k1", "secp160k1", "secp160r1", "secp160r2",
-my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1",
+    "secp192k1", "secp224k1",  "secp256k1"
-                       "sect163r1", "sect193r1", "sect193r2", "sect239k1",
+    unless disabled("tls-deprecated-ec");
-                       "secp160k1", "secp160r1", "secp160r2", "secp192k1",
+push @curves_non_fips,
-                       "secp224k1",  "secp256k1", "brainpoolP256r1",
+    "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1";
-                       "brainpoolP384r1", "brainpoolP512r1");
 
 push @curves_tls_1_2, @curves_non_fips if !$fips_mode;