Bug 1405843

Summary: Support Additional Elliptic Curves in OpenSSL
Product: [Fedora] Fedora Reporter: Mr. Jester <jester2.0>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED DEFERRED QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: laolux, lemenkov, redhat-bugzilla, sergio, ssorce, tmraz, yselkowi
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-30 15:17:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 182235    

Description Mr. Jester 2016-12-18 21:46:21 UTC 
Description of problem:
Fedora 25 only support the 4 NIST curves.

Version-Release number of selected component (if applicable): 
F25 OpenSSL 1.0.2j-fips  26 Sep 2016


How reproducible:
100% consistent

Steps to Reproduce:
1. openssl ecparam -list_curves

Actual results:
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field


Expected results:
Something more like this, from Ubuntu.

  secp112r1 : SECG/WTLS curve over a 112 bit prime field
  secp112r2 : SECG curve over a 112 bit prime field
  secp128r1 : SECG curve over a 128 bit prime field
  secp128r2 : SECG curve over a 128 bit prime field
  secp160k1 : SECG curve over a 160 bit prime field
  secp160r1 : SECG curve over a 160 bit prime field
  secp160r2 : SECG/WTLS curve over a 160 bit prime field
  secp192k1 : SECG curve over a 192 bit prime field
  secp224k1 : SECG curve over a 224 bit prime field
  secp224r1 : NIST/SECG curve over a 224 bit prime field
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
  prime192v2: X9.62 curve over a 192 bit prime field
  prime192v3: X9.62 curve over a 192 bit prime field
  prime239v1: X9.62 curve over a 239 bit prime field
  prime239v2: X9.62 curve over a 239 bit prime field
  prime239v3: X9.62 curve over a 239 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  sect113r1 : SECG curve over a 113 bit binary field
  sect113r2 : SECG curve over a 113 bit binary field
  sect131r1 : SECG/WTLS curve over a 131 bit binary field
  sect131r2 : SECG curve over a 131 bit binary field
  sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
  sect163r1 : SECG curve over a 163 bit binary field
  sect163r2 : NIST/SECG curve over a 163 bit binary field
  sect193r1 : SECG curve over a 193 bit binary field
  sect193r2 : SECG curve over a 193 bit binary field
  sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
  sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
  sect239k1 : SECG curve over a 239 bit binary field
  sect283k1 : NIST/SECG curve over a 283 bit binary field
  sect283r1 : NIST/SECG curve over a 283 bit binary field
  sect409k1 : NIST/SECG curve over a 409 bit binary field
  sect409r1 : NIST/SECG curve over a 409 bit binary field
  sect571k1 : NIST/SECG curve over a 571 bit binary field
  sect571r1 : NIST/SECG curve over a 571 bit binary field
  c2pnb163v1: X9.62 curve over a 163 bit binary field
  c2pnb163v2: X9.62 curve over a 163 bit binary field
  c2pnb163v3: X9.62 curve over a 163 bit binary field
  c2pnb176v1: X9.62 curve over a 176 bit binary field
  c2tnb191v1: X9.62 curve over a 191 bit binary field
  c2tnb191v2: X9.62 curve over a 191 bit binary field
  c2tnb191v3: X9.62 curve over a 191 bit binary field
  c2pnb208w1: X9.62 curve over a 208 bit binary field
  c2tnb239v1: X9.62 curve over a 239 bit binary field
  c2tnb239v2: X9.62 curve over a 239 bit binary field
  c2tnb239v3: X9.62 curve over a 239 bit binary field
  c2pnb272w1: X9.62 curve over a 272 bit binary field
  c2pnb304w1: X9.62 curve over a 304 bit binary field
  c2tnb359v1: X9.62 curve over a 359 bit binary field
  c2pnb368w1: X9.62 curve over a 368 bit binary field
  c2tnb431r1: X9.62 curve over a 431 bit binary field
  wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
  wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
  wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
  wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
  wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
  wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
  wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
  wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
  wap-wsg-idm-ecid-wtls12: WTLS curvs over a 224 bit prime field
  Oakley-EC2N-3:
        IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
        Not suitable for ECDSA.
        Questionable extension field!
  Oakley-EC2N-4:
        IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
        Not suitable for ECDSA.
        Questionable extension field!
  brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
  brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
  brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
  brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
  brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
  brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
  brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
  brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
  brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
  brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
  brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
  brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
  brainpoolP512t1: RFC 5639 curve over a 512 bit prime field


Additional info:
If you won't support curves aside from the NIST approved ones by default, at least provide a means of getting the rest of the curves in a supported manner.  The NIST curves aren't exactly trusted by security professionals.  https://safecurves.cr.yp.to/
Comment 1 Tomas Mraz 2016-12-19 11:04:16 UTC 
Every curve supported has to be explicitly acked by Fedora legal.

The openssl-1.1.0 in rawhide adds support for the Curve25519
Comment 2 Mr. Jester 2016-12-19 18:33:22 UTC 
Is there any public explanation of this position?  I would like to understand the thoughts and constraints.
Comment 3 Tomas Mraz 2016-12-20 09:11:51 UTC 
I suggest you to contact Fedora legal for details.
Comment 4 Sergio Basto 2017-08-16 21:20:34 UTC 
Hi Mr. Jester this is not a new subject please take a look in this bug reports: 

https://bugzilla.redhat.com/show_bug.cgi?id=1067697
https://bugzilla.redhat.com/show_bug.cgi?id=1019390
https://bugzilla.redhat.com/show_bug.cgi?id=1413618
Comment 5 Sergio Basto 2017-08-20 23:39:35 UTC 
we ask to enable prime192v1, secp224r1 and sect233k1 elliptic curves  but [1] 
"I would view enabling EC curves smaller than 256 bits as a security regression. So I am wontfixing this bug. " 
So, for me, this was complicated, I need support of these elliptic curves, to work with some applications but fedora won't ship it, not for a legal reason but because is a "secure regression". Meanwhile I built and use my openssl-freeworld [2] I only have packages for Fedora <= F25 because I hadn't time, yet, to ported to F26+ and openssl-1.1, and for legal reasons I couldn't use copr. That is a question at least we may enable and build all elliptic curves on corp ? 


[1]
https://bugzilla.redhat.com/show_bug.cgi?id=1067697#c3

[2]
https://github.com/sergiomb2/openssl-freeworld

[3]
https://copr.fedorainfracloud.org/coprs/
Comment 6 Fedora End Of Life 2017-11-16 18:58:44 UTC 
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 7 Fedora End Of Life 2017-12-12 10:32:13 UTC 
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 8 Peter Lemenkov 2017-12-12 10:35:03 UTC 
Some EC algorithms are still disabled to let's keep it open.
Comment 9 laolux 2018-07-26 09:25:42 UTC 
(In reply to Tomas Mraz from comment #1)
> Every curve supported has to be explicitly acked by Fedora legal.
> 
> The openssl-1.1.0 in rawhide adds support for the Curve25519

Really? Somehow openssl still (Fedora 28) does not seem to support Curve25519.
Output of 'openssl ecparam -list_curves' does not show it.
I doubt it is for legal reasons, as openssh does support it.
'ssh -Q key' clearly says so.
So my guess is that support got added but not turned on. Or did I do something wrong?
Comment 10 Tomas Mraz 2018-07-26 09:43:57 UTC 
openssl ecparam won't show it because the Curve25519 is special and not implemented within the normal ec framework.

If you try openssl s_client -connect www.google.com:443 you will see that X25519 is used for the DH key exchange.
Comment 11 laolux 2018-07-26 16:07:25 UTC 
Ah, thanks a lot, so my mistake.
Tried your command, works well.
Still a bit confusing not to show it as supported curve, but I guess that needs to be fixed upstream.
Thanks again.
Comment 12 Simo Sorce 2020-11-30 15:17:52 UTC 
I am going to close this bug as it makes no sense to keep a bug like this open forever.
As legal issues are resolved over time we will add curves back as they are available upstream.