diff options
| author | tb <> | 2024-11-24 10:12:05 +0000 |
|---|---|---|
| committer | tb <> | 2024-11-24 10:12:05 +0000 |
| commit | d0bd014cdc526e4c2c4d4a2c7cc7cc089664a114 (patch) | |
| tree | 37a632d9a0df6c2ffdb632ae8e58e31c9a65a967 /src | |
| parent | ee65f9388e2e3a70bf26a70fa1747948f88269dc (diff) | |
| download | openbsd-d0bd014cdc526e4c2c4d4a2c7cc7cc089664a114.tar.gz openbsd-d0bd014cdc526e4c2c4d4a2c7cc7cc089664a114.tar.bz2 openbsd-d0bd014cdc526e4c2c4d4a2c7cc7cc089664a114.zip | |
Disable small builtin curves
This disables all the curves over fields < 224 bits and a few others.
Specifically:
SECG: 112r1 112r2 128r1 128r2 160k1 160r1 160r2 192k1 192r1 192v{1,2,3}
WTLS: 6 7 8 9 12
Brainpool: P160r1 P160t1 P192r1 P192t1
These are below or at the limit of what is acceptable nowadays. This is
less aggressive than what some enterprise linux distributions are using
in their patched OpenSSL versions where everything over fields < 256 bits
is disabled with the exception of P-224, so interoperability should not
be a problem.
The curves are left in the tree for now and can be re-enabled by compiling
libcrypto with -DENABLE_SMALL_CURVES. They will be fully removed later.
One nice benefit of doing this is that the incorrect parameters for WTLS 7
are fixed (obviously nobody uses this one) and now all the builtin curves
have a unique corresponding OID (nid).
Something like this was suggested a while back by beck, makes sense to sthen
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/ec/ec_curve.c | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/src/lib/libcrypto/ec/ec_curve.c b/src/lib/libcrypto/ec/ec_curve.c index 3face800e4..fd7831598b 100644 --- a/src/lib/libcrypto/ec/ec_curve.c +++ b/src/lib/libcrypto/ec/ec_curve.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ec_curve.c,v 1.49 2024/10/23 10:41:51 tb Exp $ */ | 1 | /* $OpenBSD: ec_curve.c,v 1.50 2024/11/24 10:12:05 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Written by Nils Larsch for the OpenSSL project. | 3 | * Written by Nils Larsch for the OpenSSL project. |
| 4 | */ | 4 | */ |
| @@ -83,6 +83,8 @@ | |||
| 83 | 83 | ||
| 84 | #include "ec_local.h" | 84 | #include "ec_local.h" |
| 85 | 85 | ||
| 86 | #ifdef ENABLE_SMALL_CURVES | ||
| 87 | |||
| 86 | /* the nist prime curves */ | 88 | /* the nist prime curves */ |
| 87 | static const struct { | 89 | static const struct { |
| 88 | uint8_t seed[20]; | 90 | uint8_t seed[20]; |
| @@ -129,6 +131,8 @@ static const struct { | |||
| 129 | }, | 131 | }, |
| 130 | }; | 132 | }; |
| 131 | 133 | ||
| 134 | #endif /* ENABLE_SMALL_CURVES */ | ||
| 135 | |||
| 132 | static const struct { | 136 | static const struct { |
| 133 | uint8_t seed[20]; | 137 | uint8_t seed[20]; |
| 134 | uint8_t p[28]; | 138 | uint8_t p[28]; |
| @@ -300,6 +304,8 @@ static const struct { | |||
| 300 | }, | 304 | }, |
| 301 | }; | 305 | }; |
| 302 | 306 | ||
| 307 | #ifdef ENABLE_SMALL_CURVES | ||
| 308 | |||
| 303 | /* the x9.62 prime curves (minus the nist prime curves) */ | 309 | /* the x9.62 prime curves (minus the nist prime curves) */ |
| 304 | static const struct { | 310 | static const struct { |
| 305 | uint8_t seed[20]; | 311 | uint8_t seed[20]; |
| @@ -391,6 +397,8 @@ static const struct { | |||
| 391 | }, | 397 | }, |
| 392 | }; | 398 | }; |
| 393 | 399 | ||
| 400 | #endif /* ENABLE_SMALL_CURVES */ | ||
| 401 | |||
| 394 | static const struct { | 402 | static const struct { |
| 395 | uint8_t seed[20]; | 403 | uint8_t seed[20]; |
| 396 | uint8_t p[30]; | 404 | uint8_t p[30]; |
| @@ -577,6 +585,8 @@ static const struct { | |||
| 577 | }, | 585 | }, |
| 578 | }; | 586 | }; |
| 579 | 587 | ||
| 588 | #ifdef ENABLE_SMALL_CURVES | ||
| 589 | |||
| 580 | /* the secg prime curves (minus the nist and x9.62 prime curves) */ | 590 | /* the secg prime curves (minus the nist and x9.62 prime curves) */ |
| 581 | static const struct { | 591 | static const struct { |
| 582 | uint8_t seed[20]; | 592 | uint8_t seed[20]; |
| @@ -904,6 +914,8 @@ static const struct { | |||
| 904 | }, | 914 | }, |
| 905 | }; | 915 | }; |
| 906 | 916 | ||
| 917 | #endif /* ENABLE_SMALL_CURVES */ | ||
| 918 | |||
| 907 | static const struct { | 919 | static const struct { |
| 908 | uint8_t p[29]; | 920 | uint8_t p[29]; |
| 909 | uint8_t a[29]; | 921 | uint8_t a[29]; |
| @@ -990,6 +1002,8 @@ static const struct { | |||
| 990 | }, | 1002 | }, |
| 991 | }; | 1003 | }; |
| 992 | 1004 | ||
| 1005 | #ifdef ENABLE_SMALL_CURVES | ||
| 1006 | |||
| 993 | /* some wap/wtls curves */ | 1007 | /* some wap/wtls curves */ |
| 994 | static const struct { | 1008 | static const struct { |
| 995 | uint8_t p[15]; | 1009 | uint8_t p[15]; |
| @@ -1253,6 +1267,8 @@ static const struct { | |||
| 1253 | }, | 1267 | }, |
| 1254 | }; | 1268 | }; |
| 1255 | 1269 | ||
| 1270 | #endif /* ENABLE_SMALL_CURVES */ | ||
| 1271 | |||
| 1256 | static const struct { | 1272 | static const struct { |
| 1257 | uint8_t p[28]; | 1273 | uint8_t p[28]; |
| 1258 | uint8_t a[28]; | 1274 | uint8_t a[28]; |
| @@ -1810,6 +1826,7 @@ static const struct ec_curve { | |||
| 1810 | const uint8_t *order; | 1826 | const uint8_t *order; |
| 1811 | } ec_curve_list[] = { | 1827 | } ec_curve_list[] = { |
| 1812 | /* secg curves */ | 1828 | /* secg curves */ |
| 1829 | #ifdef ENABLE_SMALL_CURVES | ||
| 1813 | { | 1830 | { |
| 1814 | .comment = "SECG/WTLS curve over a 112 bit prime field", | 1831 | .comment = "SECG/WTLS curve over a 112 bit prime field", |
| 1815 | .nid = NID_secp112r1, | 1832 | .nid = NID_secp112r1, |
| @@ -1919,6 +1936,7 @@ static const struct ec_curve { | |||
| 1919 | .order = _EC_SECG_PRIME_192K1.order, | 1936 | .order = _EC_SECG_PRIME_192K1.order, |
| 1920 | .cofactor = 1, | 1937 | .cofactor = 1, |
| 1921 | }, | 1938 | }, |
| 1939 | #endif /* ENABLE_SMALL_CURVES */ | ||
| 1922 | { | 1940 | { |
| 1923 | .comment = "SECG curve over a 224 bit prime field", | 1941 | .comment = "SECG curve over a 224 bit prime field", |
| 1924 | .nid = NID_secp224k1, | 1942 | .nid = NID_secp224k1, |
| @@ -1987,6 +2005,7 @@ static const struct ec_curve { | |||
| 1987 | .cofactor = 1, | 2005 | .cofactor = 1, |
| 1988 | }, | 2006 | }, |
| 1989 | /* X9.62 curves */ | 2007 | /* X9.62 curves */ |
| 2008 | #ifdef ENABLE_SMALL_CURVES | ||
| 1990 | { | 2009 | { |
| 1991 | .comment = "NIST/X9.62/SECG curve over a 192 bit prime field", | 2010 | .comment = "NIST/X9.62/SECG curve over a 192 bit prime field", |
| 1992 | .nid = NID_X9_62_prime192v1, | 2011 | .nid = NID_X9_62_prime192v1, |
| @@ -2029,6 +2048,7 @@ static const struct ec_curve { | |||
| 2029 | .order = _EC_X9_62_PRIME_192V3.order, | 2048 | .order = _EC_X9_62_PRIME_192V3.order, |
| 2030 | .cofactor = 1, | 2049 | .cofactor = 1, |
| 2031 | }, | 2050 | }, |
| 2051 | #endif /* ENABLE_SMALL_CURVES */ | ||
| 2032 | { | 2052 | { |
| 2033 | .comment = "X9.62 curve over a 239 bit prime field", | 2053 | .comment = "X9.62 curve over a 239 bit prime field", |
| 2034 | .nid = NID_X9_62_prime239v1, | 2054 | .nid = NID_X9_62_prime239v1, |
| @@ -2085,6 +2105,7 @@ static const struct ec_curve { | |||
| 2085 | .order = _EC_X9_62_PRIME_256V1.order, | 2105 | .order = _EC_X9_62_PRIME_256V1.order, |
| 2086 | .cofactor = 1, | 2106 | .cofactor = 1, |
| 2087 | }, | 2107 | }, |
| 2108 | #ifdef ENABLE_SMALL_CURVES | ||
| 2088 | { | 2109 | { |
| 2089 | .comment = "SECG/WTLS curve over a 112 bit prime field", | 2110 | .comment = "SECG/WTLS curve over a 112 bit prime field", |
| 2090 | .nid = NID_wap_wsg_idm_ecid_wtls6, | 2111 | .nid = NID_wap_wsg_idm_ecid_wtls6, |
| @@ -2198,6 +2219,7 @@ static const struct ec_curve { | |||
| 2198 | .order = _EC_brainpoolP192t1.order, | 2219 | .order = _EC_brainpoolP192t1.order, |
| 2199 | .cofactor = 1, | 2220 | .cofactor = 1, |
| 2200 | }, | 2221 | }, |
| 2222 | #endif /* ENABLE_SMALL_CURVES */ | ||
| 2201 | { | 2223 | { |
| 2202 | .comment = "RFC 5639 curve over a 224 bit prime field", | 2224 | .comment = "RFC 5639 curve over a 224 bit prime field", |
| 2203 | .nid = NID_brainpoolP224r1, | 2225 | .nid = NID_brainpoolP224r1, |