diff options
author | Jack Lloyd <[email protected]> | 2015-12-02 08:34:52 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2015-12-02 08:34:52 -0500 |
commit | 44c1aa4a0213a16ea928de4285d2481410d194d3 (patch) | |
tree | 989a27df241b7c896d962274ad42064fecbe31df | |
parent | 4bc4cc6390f55d1eed65fe0d6b5170b5e65ae058 (diff) |
Remove support for broken 112 and 128 bit SECP ECC groups.
-rw-r--r-- | doc/news.rst | 3 | ||||
-rw-r--r-- | src/lib/asn1/oid_lookup/default.cpp | 6 | ||||
-rw-r--r-- | src/lib/pubkey/ec_group/named.cpp | 46 | ||||
-rw-r--r-- | src/tests/unit_ecc.cpp | 4 |
4 files changed, 5 insertions, 54 deletions
diff --git a/doc/news.rst b/doc/news.rst index bf6b91535..cce298ffd 100644 --- a/doc/news.rst +++ b/doc/news.rst @@ -15,6 +15,9 @@ Version 1.11.25, Not Yet Released by ensuring the table is loaded into memory at start and computing the table at runtime to avoid flush+reload based attacks due to shared VMM mappings. +* Support for the insecure ECC groups secp112r1, secp112r2, secp128r1, and + secp128r2 has been removed. + * The OpenSSL implementation of RC4 would return the wrong value from `name` if leading bytes of the keystream had been skipped in the output. diff --git a/src/lib/asn1/oid_lookup/default.cpp b/src/lib/asn1/oid_lookup/default.cpp index 0e23b18a2..2034ab25c 100644 --- a/src/lib/asn1/oid_lookup/default.cpp +++ b/src/lib/asn1/oid_lookup/default.cpp @@ -202,13 +202,9 @@ const char* default_oid_list() "1.3.6.1.5.5.7.48.1.1 = PKIX.OCSP.BasicResponse" "\n" // ECC param sets - "1.3.132.0.6 = secp112r1" "\n" - "1.3.132.0.7 = secp112r2" "\n" "1.3.132.0.8 = secp160r1" "\n" "1.3.132.0.9 = secp160k1" "\n" "1.3.132.0.10 = secp256k1" "\n" - "1.3.132.0.28 = secp128r1" "\n" - "1.3.132.0.29 = secp128r2" "\n" "1.3.132.0.30 = secp160r2" "\n" "1.3.132.0.31 = secp192k1" "\n" "1.3.132.0.32 = secp224k1" "\n" @@ -232,6 +228,8 @@ const char* default_oid_list() "1.3.36.3.3.2.8.1.1.11 = brainpool384r1" "\n" "1.3.36.3.3.2.8.1.1.13 = brainpool512r1" "\n" + "1.3.6.1.4.1.8301.3.1.2.9.0.38 = secp521r1" "\n" + "1.2.643.2.2.35.1 = gost_256A" "\n" "1.2.643.2.2.36.0 = gost_256A" "\n" diff --git a/src/lib/pubkey/ec_group/named.cpp b/src/lib/pubkey/ec_group/named.cpp index 9a2497c27..3ee791053 100644 --- a/src/lib/pubkey/ec_group/named.cpp +++ b/src/lib/pubkey/ec_group/named.cpp @@ -11,38 +11,6 @@ namespace Botan { const char* EC_Group::PEM_for_named_group(const std::string& name) { - if(name == "secp112r1") - return - "-----BEGIN EC PARAMETERS-----" - "MHQCAQEwGgYHKoZIzj0BAQIPANt8Kr9i415mgHa+rSCLMCAEDtt8Kr9i415mgHa+" - "rSCIBA5lnvi6BDkW7t6JEXArIgQdBAlIcjmZWl7na1X5wvCYqJzlr4ckwKI+Dg/3" - "dQACDwDbfCq/YuNedijfrGVhxQIBAQ==" - "-----END EC PARAMETERS-----"; - - if(name == "secp112r2") - return - "-----BEGIN EC PARAMETERS-----" - "MHMCAQEwGgYHKoZIzj0BAQIPANt8Kr9i415mgHa+rSCLMCAEDmEnwkwF84oKqvZc" - "DvAsBA5R3vGBXbXtdPzDTIXXCQQdBEujCrXokrThZJ3QkoZDrc1G9YguN0fe826V" - "bpcCDjbfCq/YuNdZfKEFINBLAgEB" - "-----END EC PARAMETERS-----"; - - if(name == "secp128r1") - return - "-----BEGIN EC PARAMETERS-----" - "MIGAAgEBMBwGByqGSM49AQECEQD////9////////////////MCQEEP////3/////" - "//////////wEEOh1ecEQefQ92CSZPCzuXtMEIQQWH/dSi4mbLQwoYHylLFuGz1rI" - "OVuv6xPALaKS3e16gwIRAP////4AAAAAdaMNG5A4oRUCAQE=" - "-----END EC PARAMETERS-----"; - - if(name == "secp128r2") - return - "-----BEGIN EC PARAMETERS-----" - "MH8CAQEwHAYHKoZIzj0BAQIRAP////3///////////////8wJAQQ1gMZmNGzu/6/" - "Wcybv/mu4QQQXu78o4DQKRncLGVYu22KXQQhBHtqpdheVymD5vsyp83rwUAntpFq" - "iU067nEG/oBfw0tEAhA/////f////74AJHIGE7WjAgEE" - "-----END EC PARAMETERS-----"; - if(name == "secp160k1") return "-----BEGIN EC PARAMETERS-----" @@ -154,20 +122,6 @@ const char* EC_Group::PEM_for_named_group(const std::string& name) "////////////////+lGGh4O/L5Zrf8wBSPcJpdA7tcm4iZxHrrtvtx6ROGQJAgEB" "-----END EC PARAMETERS-----"; - if(name == "1.3.6.1.4.1.8301.3.1.2.9.0.38") - return - "-----BEGIN EC PARAMETERS-----" - "MIIBrAIBATBNBgcqhkjOPQEBAkIB////////////////////////////////////" - "//////////////////////////////////////////////////8wgYgEQgH/////" - "////////////////////////////////////////////////////////////////" - "/////////////////ARCAFGVPrlhjhyaH5KaIaC2hUDuotpyW5mzFfO4tImRjvEJ" - "4VYZOVHsfpN7FlLAvTuxvwc1c9+IPSw08e9FH9RrUD8ABIGFBADGhY4GtwQE6c2e" - "PstmI5W0QpxkgTkFP7Uh+CivYGtNPbqhS1537+dZKP4dwSei/6jeM0izwYVqQpv5" - "fn4xwuW9ZgEYOSlqeJo7wARcil+0LH0b2Zj1RElXm0RoF6+9Fyc+ZiyX7nKZXvQm" - "QMVQuQE/rQdhNTxwhqJywkCIvpR2n9FmUAJCAf//////////////////////////" - "////////////////+lGGh4O/L5Zrf8wBSPcJpdA7tcm4iZxHrrtvtx6ROGQJAgEB" - "-----END EC PARAMETERS-----"; - if(name == "brainpool160r1") return "-----BEGIN EC PARAMETERS-----" diff --git a/src/tests/unit_ecc.cpp b/src/tests/unit_ecc.cpp index 0d6c34213..92dee8ba4 100644 --- a/src/tests/unit_ecc.cpp +++ b/src/tests/unit_ecc.cpp @@ -33,10 +33,6 @@ const std::vector<std::string> ec_groups = { "brainpool384r1", "brainpool512r1", "gost_256A", - "secp112r1", - "secp112r2", - "secp128r1", - "secp128r2", "secp160k1", "secp160r1", "secp160r2", |