Bug 2141672 (openssl_brainpool_ecc) - Enable support of Brainpool ECC
Summary: Enable support of Brainpool ECC
Keywords:
Status: CLOSED ERRATA
Alias: openssl_brainpool_ecc
Product: Fedora
Classification: Fedora
Component: openssl
Version: 38
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Sahana Prasad
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1976662 (view as bug list)
Depends On:
Blocks: 1994459 2000306 2105754 2158943
TreeView+ depends on / blocked
 
Reported: 2022-11-10 12:34 UTC by Björn 'besser82' Esser
Modified: 2023-03-27 11:13 UTC (History)
10 users (show)

Fixed In Version: openssl-3.0.8-2.fc39 openssl-3.0.8-2.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-22 16:51:00 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-656 0 None None None 2022-11-10 12:42:13 UTC

Description Björn 'besser82' Esser 2022-11-10 12:34:34 UTC
Description of problem:

  For some reason ECC was limited to a subset of the NIST ECC.
  After some investigation of RH-legal Brainpool ECC is now allowed in Fedora.


Expected results:

  Brainpool ECC will be supported.


Additional info:

  Richard Fontana confirmed Brainpool ECC is allowed for Fedora in this RHBZ [1].
  Matthew Miller confirmed on Fedora legal mailinglist [2].

  [1]  https://bugzilla.redhat.com/show_bug.cgi?id=1413618#c14
  [2]  https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/message/752Z34MTHB6B4XRUW2TTAPEIUUK4O2LA/

Comment 1 Björn 'besser82' Esser 2022-11-10 12:35:30 UTC
*** Bug 1976662 has been marked as a duplicate of this bug. ***

Comment 2 Fabio Valentini 2023-01-18 17:26:46 UTC
I would like to enable the OpenSSL crypto backend in sequoia-openpgp v1.13.0 (which will be used for the RPM GPG backend in the future, instead of Nettle), but this assumes that OpenSSL was built with Brainpool curves enabled.

Comment 3 Dmitry Belyavskiy 2023-01-19 12:41:53 UTC
If I remember correctly, currently we disable Brainpool curves on the hobbling stage. Would you mind to submit a patch?

Comment 4 Ben Cotton 2023-02-07 14:58:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 5 Felix Schwarz 2023-02-23 10:25:40 UTC
I don't understand why this bug is closed: As far as I can see the hobble script still removes the brainpool curves.

On my rawhide machine I also don't see the brainpool curves:

# openssl ecparam -list_curves
  secp224r1 : NIST/SECG curve over a 224 bit prime field
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field


while I expected something like this (Debian output):

...
  brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
  brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
  brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
  brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
  brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
  brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
  brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
  brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
  brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
  brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
  brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
  brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
  brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
...

Am I missing something?

Comment 6 Dmitry Belyavskiy 2023-02-23 10:27:10 UTC
Whoops. Sorry, misclick. Thank you for your attention!

Comment 7 Fedora Update System 2023-03-22 16:51:00 UTC
FEDORA-2023-493fb6034b has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Felix Schwarz 2023-03-23 09:31:41 UTC
Sahana, thanks for your update. I can use brainpool in rawhide now. Any chance that we can also update F38?

Comment 9 Fedora Update System 2023-03-23 18:31:06 UTC
FEDORA-2023-931b7f44af has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-931b7f44af

Comment 10 Fedora Update System 2023-03-24 03:01:39 UTC
FEDORA-2023-931b7f44af has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-931b7f44af

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-03-26 00:20:22 UTC
FEDORA-2023-931b7f44af has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.