Commit bff405c349 for strongswan.org
commit bff405c349f90d600586bcb119072ee79d0c6580
Author: Tobias Brunner <tobias@strongswan.org>
Date: Thu May 28 13:30:07 2026 +0200
oid: Fix confusing identifiers for elliptic curves over prime fields
SECT (indicating a binary field) was incorrectly used in constants for
the SECP (prime field) curves.
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.c b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
index 238f0bdc4e..f3e8c8fb48 100644
--- a/src/libcharon/plugins/ipseckey/ipseckey_cred.c
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
@@ -112,7 +112,7 @@ METHOD(enumerator_t, cert_enumerator_enumerate, bool,
}
else if (key.len == 96)
{
- curve = OID_SECT384R1;
+ curve = OID_SECP384R1;
}
if (curve)
{
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index c350910227..8fcfe53524 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -386,11 +386,11 @@
0x03 "sect239k1" OID_SECT239K1
0x04 "sect113r1" OID_SECT113R1
0x05 "sect113r2" OID_SECT113R2
- 0x06 "secp112r1" OID_SECT112R1
- 0x07 "secp112r2" OID_SECT112R2
- 0x08 "secp160r1" OID_SECT160R1
- 0x09 "secp160k1" OID_SECT160K1
- 0x0A "secp256k1" OID_SECT256K1
+ 0x06 "secp112r1" OID_SECP112R1
+ 0x07 "secp112r2" OID_SECP112R2
+ 0x08 "secp160r1" OID_SECP160R1
+ 0x09 "secp160k1" OID_SECP160K1
+ 0x0A "secp256k1" OID_SECP256K1
0x0F "sect163r2" OID_SECT163R2
0x10 "sect283k1" OID_SECT283K1
0x11 "sect283r1" OID_SECT283R1
@@ -400,14 +400,14 @@
0x19 "sect193r2" OID_SECT193R2
0x1A "sect233k1" OID_SECT233K1
0x1B "sect233r1" OID_SECT233R1
- 0x1C "secp128r1" OID_SECT128R1
- 0x1D "secp128r2" OID_SECT128R2
- 0x1E "secp160r2" OID_SECT160R2
- 0x1F "secp192k1" OID_SECT192K1
- 0x20 "secp224k1" OID_SECT224K1
- 0x21 "secp224r1" OID_SECT224R1
- 0x22 "secp384r1" OID_SECT384R1
- 0x23 "secp521r1" OID_SECT521R1
+ 0x1C "secp128r1" OID_SECP128R1
+ 0x1D "secp128r2" OID_SECP128R2
+ 0x1E "secp160r2" OID_SECP160R2
+ 0x1F "secp192k1" OID_SECP192K1
+ 0x20 "secp224k1" OID_SECP224K1
+ 0x21 "secp224r1" OID_SECP224R1
+ 0x22 "secp384r1" OID_SECP384R1
+ 0x23 "secp521r1" OID_SECP521R1
0x24 "sect409k1" OID_SECT409K1
0x25 "sect409r1" OID_SECT409R1
0x26 "sect571k1" OID_SECT571K1
diff --git a/src/libstrongswan/plugins/botan/botan_ec_private_key.c b/src/libstrongswan/plugins/botan/botan_ec_private_key.c
index 326d3eb1f6..79b7e81e29 100644
--- a/src/libstrongswan/plugins/botan/botan_ec_private_key.c
+++ b/src/libstrongswan/plugins/botan/botan_ec_private_key.c
@@ -316,11 +316,11 @@ botan_ec_private_key_t *botan_ec_private_key_gen(key_type_t type, va_list args)
break;
case 384:
curve = "secp384r1";
- oid = OID_SECT384R1;
+ oid = OID_SECP384R1;
break;
case 521:
curve = "secp521r1";
- oid = OID_SECT521R1;
+ oid = OID_SECP521R1;
break;
default:
DBG1(DBG_LIB, "EC private key size %d not supported via botan",
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
index a75cec6746..892bb5b474 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
@@ -403,13 +403,13 @@ static chunk_t ecparams_lookup(key_exchange_method_t group)
case ECP_192_BIT:
return asn1_build_known_oid(OID_PRIME192V1);
case ECP_224_BIT:
- return asn1_build_known_oid(OID_SECT224R1);
+ return asn1_build_known_oid(OID_SECP224R1);
case ECP_256_BIT:
return asn1_build_known_oid(OID_PRIME256V1);
case ECP_384_BIT:
- return asn1_build_known_oid(OID_SECT384R1);
+ return asn1_build_known_oid(OID_SECP384R1);
case ECP_521_BIT:
- return asn1_build_known_oid(OID_SECT521R1);
+ return asn1_build_known_oid(OID_SECP521R1);
default:
break;
}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
index 1f06f83965..70dbbf56ca 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
@@ -90,13 +90,13 @@ static size_t basepoint_order_len(int oid)
{
case OID_PRIME192V1:
return 192;
- case OID_SECT224R1:
+ case OID_SECP224R1:
return 224;
case OID_PRIME256V1:
return 256;
- case OID_SECT384R1:
+ case OID_SECP384R1:
return 384;
- case OID_SECT521R1:
+ case OID_SECP521R1:
return 521;
default:
return 0;
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_builder.c b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
index 728860ecbb..f806dd6fd6 100644
--- a/src/libstrongswan/plugins/sshkey/sshkey_builder.c
+++ b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
@@ -41,11 +41,11 @@ static chunk_t parse_ec_identifier(chunk_t identifier)
}
else if (chunk_equals(identifier, chunk_from_str("nistp384")))
{
- oid = asn1_build_known_oid(OID_SECT384R1);
+ oid = asn1_build_known_oid(OID_SECP384R1);
}
else if (chunk_equals(identifier, chunk_from_str("nistp521")))
{
- oid = asn1_build_known_oid(OID_SECT521R1);
+ oid = asn1_build_known_oid(OID_SECP521R1);
}
else
{
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_encoder.c b/src/libstrongswan/plugins/sshkey/sshkey_encoder.c
index c12724dbfa..7bd4238c71 100644
--- a/src/libstrongswan/plugins/sshkey/sshkey_encoder.c
+++ b/src/libstrongswan/plugins/sshkey/sshkey_encoder.c
@@ -35,10 +35,10 @@ static void write_ec_identifier(bio_writer_t *writer, char *prefix, int oid,
case OID_PRIME256V1:
curve = strdup("nistp256");
break;
- case OID_SECT384R1:
+ case OID_SECP384R1:
curve = strdup("nistp384");
break;
- case OID_SECT521R1:
+ case OID_SECP521R1:
curve = strdup("nistp521");
break;
default:
diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_private_key.c b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_private_key.c
index 2d04d0764c..884bbe077a 100644
--- a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_private_key.c
@@ -491,13 +491,13 @@ wolfssl_ec_private_key_t *wolfssl_ec_private_key_load(key_type_t type,
oid = OID_UNKNOWN;
}
break;
- case OID_SECT384R1:
+ case OID_SECP384R1:
if (this->ec.dp->id != ECC_SECP384R1)
{
oid = OID_UNKNOWN;
}
break;
- case OID_SECT521R1:
+ case OID_SECP521R1:
if (this->ec.dp->id != ECC_SECP521R1)
{
oid = OID_UNKNOWN;
diff --git a/src/libtpmtss/tpm_tss_tss2_v1.c b/src/libtpmtss/tpm_tss_tss2_v1.c
index 162f10acd4..47073d9da7 100644
--- a/src/libtpmtss/tpm_tss_tss2_v1.c
+++ b/src/libtpmtss/tpm_tss_tss2_v1.c
@@ -642,7 +642,7 @@ METHOD(tpm_tss_t, get_public, chunk_t,
asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_EC_PUBLICKEY),
asn1_build_known_oid(ecc->x.t.size == 32 ?
- OID_PRIME256V1 : OID_SECT384R1)),
+ OID_PRIME256V1 : OID_SECP384R1)),
ecc_point);
break;
}
diff --git a/src/libtpmtss/tpm_tss_tss2_v2.c b/src/libtpmtss/tpm_tss_tss2_v2.c
index 95fe05c032..c96fea3c4e 100644
--- a/src/libtpmtss/tpm_tss_tss2_v2.c
+++ b/src/libtpmtss/tpm_tss_tss2_v2.c
@@ -621,16 +621,16 @@ METHOD(tpm_tss_t, get_public, chunk_t,
curve_oid = OID_PRIME192V1;
break;
case TPM2_ECC_NIST_P224:
- curve_oid = OID_SECT224R1;
+ curve_oid = OID_SECP224R1;
break;
case TPM2_ECC_NIST_P256:
curve_oid = OID_PRIME256V1;
break;
case TPM2_ECC_NIST_P384:
- curve_oid = OID_SECT384R1;
+ curve_oid = OID_SECP384R1;
break;
case TPM2_ECC_NIST_P521:
- curve_oid = OID_SECT521R1;
+ curve_oid = OID_SECP521R1;
break;
default:
DBG1(DBG_PTS, "ECC curve type not supported");