From 13735cfef69dfac2d36229810ea0400e2bc6526d Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 28 Feb 2018 14:59:44 +0000 Subject: [PATCH] Integrate X448 and Ed448 into libcrypto This adds all of the relevant EVP plumbing required to make X448 and Ed448 work. Reviewed-by: Rich Salz Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/5481) --- crypto/asn1/standard_methods.h | 2 + crypto/ec/ec_err.c | 5 + crypto/ec/ec_lcl.h | 1 + crypto/ec/ecx_meth.c | 416 ++++++++++++++++++++++------- crypto/err/openssl.txt | 3 + crypto/evp/pmeth_lib.c | 2 + crypto/include/internal/asn1_int.h | 2 + crypto/include/internal/evp_int.h | 18 ++ crypto/objects/obj_xref.h | 3 +- crypto/objects/obj_xref.txt | 1 + crypto/x509/x509type.c | 1 + include/openssl/ecerr.h | 3 + 12 files changed, 353 insertions(+), 104 deletions(-) diff --git a/crypto/asn1/standard_methods.h b/crypto/asn1/standard_methods.h index d366aa090a..7d1f97e360 100644 --- a/crypto/asn1/standard_methods.h +++ b/crypto/asn1/standard_methods.h @@ -42,6 +42,7 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = { #endif #ifndef OPENSSL_NO_EC &ecx25519_asn1_meth, + &ecx448_asn1_meth, #endif #ifndef OPENSSL_NO_POLY1305 &poly1305_asn1_meth, @@ -51,6 +52,7 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = { #endif #ifndef OPENSSL_NO_EC &ed25519_asn1_meth, + &ed448_asn1_meth, #endif }; diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c index 588e95c10d..fe90c01e16 100644 --- a/crypto/ec/ec_err.c +++ b/crypto/ec/ec_err.c @@ -242,6 +242,10 @@ static const ERR_STRING_DATA EC_str_functs[] = { "ossl_ecdsa_verify_sig"}, {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_CTRL, 0), "pkey_ecd_ctrl"}, {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_DIGESTSIGN, 0), "pkey_ecd_digestsign"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_DIGESTSIGN25519, 0), + "pkey_ecd_digestsign25519"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_DIGESTSIGN448, 0), + "pkey_ecd_digestsign448"}, {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECX_DERIVE, 0), "pkey_ecx_derive"}, {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_CTRL, 0), "pkey_ec_ctrl"}, {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_CTRL_STR, 0), "pkey_ec_ctrl_str"}, @@ -249,6 +253,7 @@ static const ERR_STRING_DATA EC_str_functs[] = { {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_KEYGEN, 0), "pkey_ec_keygen"}, {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_PARAMGEN, 0), "pkey_ec_paramgen"}, {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_SIGN, 0), "pkey_ec_sign"}, + {ERR_PACK(ERR_LIB_EC, EC_F_VALIDATE_ECX_DERIVE, 0), "validate_ecx_derive"}, {0, NULL} }; diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index 421cd470e2..413a906883 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h @@ -14,6 +14,7 @@ #include #include #include "internal/refcount.h" +#include "curve448/curve448_lcl.h" #if defined(__SUNPRO_C) # if __SUNPRO_C >= 0x520 diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index 4f7cfec728..272dfc6b2b 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -16,30 +16,39 @@ #include "internal/evp_int.h" #include "ec_lcl.h" -#define X25519_KEYLEN 32 #define X25519_BITS 253 #define X25519_SECURITY_BITS 128 #define ED25519_SIGSIZE 64 -typedef struct { - unsigned char pubkey[X25519_KEYLEN]; - unsigned char *privkey; -} X25519_KEY; +#define X448_BITS 448 +#define ED448_BITS 456 +#define X448_SECURITY_BITS 224 + +#define ED448_SIGSIZE 114 + +#define ISX448(id) ((id) == EVP_PKEY_X448) +#define IS25519(id) ((id) == EVP_PKEY_X25519 || (id) == EVP_PKEY_ED25519) +#define KEYLENID(id) (IS25519(id) ? X25519_KEYLEN \ + : ((id) == EVP_PKEY_X448 ? X448_KEYLEN \ + : ED448_KEYLEN)) +#define KEYLEN(p) KEYLENID((p)->ameth->pkey_id) + typedef enum { - X25519_PUBLIC, - X25519_PRIVATE, - X25519_KEYGEN + KEY_OP_PUBLIC, + KEY_OP_PRIVATE, + KEY_OP_KEYGEN } ecx_key_op_t; /* Setup EVP_PKEY using public, private or generation */ static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg, const unsigned char *p, int plen, ecx_key_op_t op) { - X25519_KEY *xkey; + ECX_KEY *key = NULL; + unsigned char *privkey, *pubkey; - if (op != X25519_KEYGEN) { + if (op != KEY_OP_KEYGEN) { if (palg != NULL) { int ptype; @@ -51,69 +60,85 @@ static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg, } } - if (p == NULL || plen != X25519_KEYLEN) { + if (p == NULL || plen != KEYLENID(id)) { ECerr(EC_F_ECX_KEY_OP, EC_R_INVALID_ENCODING); return 0; } } - xkey = OPENSSL_zalloc(sizeof(*xkey)); - if (xkey == NULL) { + key = OPENSSL_zalloc(sizeof(*key)); + if (key == NULL) { ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE); return 0; } + pubkey = key->pubkey; - if (op == X25519_PUBLIC) { - memcpy(xkey->pubkey, p, plen); + if (op == KEY_OP_PUBLIC) { + memcpy(pubkey, p, plen); } else { - xkey->privkey = OPENSSL_secure_malloc(X25519_KEYLEN); - if (xkey->privkey == NULL) { + privkey = key->privkey = OPENSSL_secure_malloc(KEYLENID(id)); + if (privkey == NULL) { ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE); - OPENSSL_free(xkey); - return 0; + goto err; } - if (op == X25519_KEYGEN) { - if (RAND_bytes(xkey->privkey, X25519_KEYLEN) <= 0) { - OPENSSL_secure_free(xkey->privkey); - OPENSSL_free(xkey); - return 0; + if (op == KEY_OP_KEYGEN) { + if (RAND_priv_bytes(privkey, KEYLENID(id)) <= 0) { + OPENSSL_secure_free(privkey); + key->privkey = NULL; + goto err; } if (id == EVP_PKEY_X25519) { - xkey->privkey[0] &= 248; - xkey->privkey[31] &= 127; - xkey->privkey[31] |= 64; + privkey[0] &= 248; + privkey[X25519_KEYLEN - 1] &= 127; + privkey[X25519_KEYLEN - 1] |= 64; + } else if (id == EVP_PKEY_X448) { + privkey[0] &= 252; + privkey[X448_KEYLEN - 1] |= 128; } } else { - memcpy(xkey->privkey, p, X25519_KEYLEN); + memcpy(privkey, p, KEYLENID(id)); + } + switch (id) { + case EVP_PKEY_X25519: + X25519_public_from_private(pubkey, privkey); + break; + case EVP_PKEY_ED25519: + ED25519_public_from_private(pubkey, privkey); + break; + case EVP_PKEY_X448: + X448_public_from_private(pubkey, privkey); + break; + case EVP_PKEY_ED448: + ED448_public_from_private(pubkey, privkey); + break; } - if (id == EVP_PKEY_X25519) - X25519_public_from_private(xkey->pubkey, xkey->privkey); - else - ED25519_public_from_private(xkey->pubkey, xkey->privkey); } - EVP_PKEY_assign(pkey, id, xkey); + EVP_PKEY_assign(pkey, id, key); return 1; + err: + OPENSSL_free(key); + return 0; } static int ecx_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) { - const X25519_KEY *xkey = pkey->pkey.ptr; + const ECX_KEY *ecxkey = pkey->pkey.ecx; unsigned char *penc; - if (xkey == NULL) { + if (ecxkey == NULL) { ECerr(EC_F_ECX_PUB_ENCODE, EC_R_INVALID_KEY); return 0; } - penc = OPENSSL_memdup(xkey->pubkey, X25519_KEYLEN); + penc = OPENSSL_memdup(ecxkey->pubkey, KEYLEN(pkey)); if (penc == NULL) { ECerr(EC_F_ECX_PUB_ENCODE, ERR_R_MALLOC_FAILURE); return 0; } if (!X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), - V_ASN1_UNDEF, NULL, penc, X25519_KEYLEN)) { + V_ASN1_UNDEF, NULL, penc, KEYLEN(pkey))) { OPENSSL_free(penc); ECerr(EC_F_ECX_PUB_ENCODE, ERR_R_MALLOC_FAILURE); return 0; @@ -130,17 +155,18 @@ static int ecx_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey)) return 0; return ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, pklen, - X25519_PUBLIC); + KEY_OP_PUBLIC); } static int ecx_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { - const X25519_KEY *akey = a->pkey.ptr; - const X25519_KEY *bkey = b->pkey.ptr; + const ECX_KEY *akey = a->pkey.ecx; + const ECX_KEY *bkey = b->pkey.ecx; if (akey == NULL || bkey == NULL) return -2; - return !CRYPTO_memcmp(akey->pubkey, bkey->pubkey, X25519_KEYLEN); + + return CRYPTO_memcmp(akey->pubkey, bkey->pubkey, KEYLEN(a)) == 0; } static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) @@ -163,25 +189,25 @@ static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) plen = ASN1_STRING_length(oct); } - rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, X25519_PRIVATE); + rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, KEY_OP_PRIVATE); ASN1_OCTET_STRING_free(oct); return rv; } static int ecx_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) { - const X25519_KEY *xkey = pkey->pkey.ptr; + const ECX_KEY *ecxkey = pkey->pkey.ecx; ASN1_OCTET_STRING oct; unsigned char *penc = NULL; int penclen; - if (xkey == NULL || xkey->privkey == NULL) { + if (ecxkey == NULL || ecxkey->privkey == NULL) { ECerr(EC_F_ECX_PRIV_ENCODE, EC_R_INVALID_PRIVATE_KEY); return 0; } - oct.data = xkey->privkey; - oct.length = X25519_KEYLEN; + oct.data = ecxkey->privkey; + oct.length = KEYLEN(pkey); oct.flags = 0; penclen = i2d_ASN1_OCTET_STRING(&oct, &penc); @@ -202,26 +228,34 @@ static int ecx_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) static int ecx_size(const EVP_PKEY *pkey) { - return X25519_KEYLEN; + return KEYLEN(pkey); } static int ecx_bits(const EVP_PKEY *pkey) { - return X25519_BITS; + if (IS25519(pkey->ameth->pkey_id)) { + return X25519_BITS; + } else if(ISX448(pkey->ameth->pkey_id)) { + return X448_BITS; + } else { + return ED448_BITS; + } } static int ecx_security_bits(const EVP_PKEY *pkey) { - return X25519_SECURITY_BITS; + if (IS25519(pkey->ameth->pkey_id)) { + return X25519_SECURITY_BITS; + } else { + return X448_SECURITY_BITS; + } } static void ecx_free(EVP_PKEY *pkey) { - X25519_KEY *xkey = pkey->pkey.ptr; - - if (xkey) - OPENSSL_secure_clear_free(xkey->privkey, X25519_KEYLEN); - OPENSSL_free(xkey); + if (pkey->pkey.ecx != NULL) + OPENSSL_secure_clear_free(pkey->pkey.ecx->privkey, KEYLEN(pkey)); + OPENSSL_free(pkey->pkey.ecx); } /* "parameters" are always equal */ @@ -233,12 +267,11 @@ static int ecx_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx, ecx_key_op_t op) { - const X25519_KEY *xkey = pkey->pkey.ptr; - + const ECX_KEY *ecxkey = pkey->pkey.ecx; const char *nm = OBJ_nid2ln(pkey->ameth->pkey_id); - if (op == X25519_PRIVATE) { - if (xkey == NULL || xkey->privkey == NULL) { + if (op == KEY_OP_PRIVATE) { + if (ecxkey == NULL || ecxkey->privkey == NULL) { if (BIO_printf(bp, "%*s\n", indent, "") <= 0) return 0; return 1; @@ -247,10 +280,11 @@ static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent, return 0; if (BIO_printf(bp, "%*spriv:\n", indent, "") <= 0) return 0; - if (ASN1_buf_print(bp, xkey->privkey, X25519_KEYLEN, indent + 4) == 0) + if (ASN1_buf_print(bp, ecxkey->privkey, KEYLEN(pkey), + indent + 4) == 0) return 0; } else { - if (xkey == NULL) { + if (ecxkey == NULL) { if (BIO_printf(bp, "%*s\n", indent, "") <= 0) return 0; return 1; @@ -260,7 +294,9 @@ static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent, } if (BIO_printf(bp, "%*spub:\n", indent, "") <= 0) return 0; - if (ASN1_buf_print(bp, xkey->pubkey, X25519_KEYLEN, indent + 4) == 0) + + if (ASN1_buf_print(bp, ecxkey->pubkey, KEYLEN(pkey), + indent + 4) == 0) return 0; return 1; } @@ -268,13 +304,13 @@ static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent, static int ecx_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) { - return ecx_key_print(bp, pkey, indent, ctx, X25519_PRIVATE); + return ecx_key_print(bp, pkey, indent, ctx, KEY_OP_PRIVATE); } static int ecx_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) { - return ecx_key_print(bp, pkey, indent, ctx, X25519_PUBLIC); + return ecx_key_print(bp, pkey, indent, ctx, KEY_OP_PUBLIC); } static int ecx_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) @@ -282,16 +318,16 @@ static int ecx_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) switch (op) { case ASN1_PKEY_CTRL_SET1_TLS_ENCPT: - return ecx_key_op(pkey, EVP_PKEY_X25519, NULL, arg2, arg1, - X25519_PUBLIC); + return ecx_key_op(pkey, pkey->ameth->pkey_id, NULL, arg2, arg1, + KEY_OP_PUBLIC); case ASN1_PKEY_CTRL_GET1_TLS_ENCPT: - if (pkey->pkey.ptr != NULL) { - const X25519_KEY *xkey = pkey->pkey.ptr; + if (pkey->pkey.ecx != NULL) { unsigned char **ppt = arg2; - *ppt = OPENSSL_memdup(xkey->pubkey, X25519_KEYLEN); + + *ppt = OPENSSL_memdup(pkey->pkey.ecx->pubkey, KEYLEN(pkey)); if (*ppt != NULL) - return X25519_KEYLEN; + return KEYLEN(pkey); } return 0; @@ -335,21 +371,58 @@ const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth = { NULL }; -static int ecd_size(const EVP_PKEY *pkey) +const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth = { + EVP_PKEY_X448, + EVP_PKEY_X448, + 0, + "X448", + "OpenSSL X448 algorithm", + + ecx_pub_decode, + ecx_pub_encode, + ecx_pub_cmp, + ecx_pub_print, + + ecx_priv_decode, + ecx_priv_encode, + ecx_priv_print, + + ecx_size, + ecx_bits, + ecx_security_bits, + + 0, 0, 0, 0, + ecx_cmp_parameters, + 0, 0, + + ecx_free, + ecx_ctrl, + NULL, + NULL +}; + +static int ecd_size25519(const EVP_PKEY *pkey) { return ED25519_SIGSIZE; } +static int ecd_size448(const EVP_PKEY *pkey) +{ + return ED448_SIGSIZE; +} + static int ecd_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, X509_ALGOR *sigalg, ASN1_BIT_STRING *str, EVP_PKEY *pkey) { const ASN1_OBJECT *obj; int ptype; + int nid; + /* Sanity check: make sure it is ED25519/ED448 with absent parameters */ X509_ALGOR_get0(&obj, &ptype, NULL, sigalg); - /* Sanity check: make sure it is ED25519 with absent parameters */ - if (OBJ_obj2nid(obj) != NID_ED25519 || ptype != V_ASN1_UNDEF) { + nid = OBJ_obj2nid(obj); + if ((nid != NID_ED25519 && nid != NID_ED448) || ptype != V_ASN1_UNDEF) { ECerr(EC_F_ECD_ITEM_VERIFY, EC_R_INVALID_ENCODING); return 0; } @@ -360,9 +433,9 @@ static int ecd_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, return 2; } -static int ecd_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, - X509_ALGOR *alg1, X509_ALGOR *alg2, - ASN1_BIT_STRING *str) +static int ecd_item_sign25519(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, + X509_ALGOR *alg1, X509_ALGOR *alg2, + ASN1_BIT_STRING *str) { /* Set algorithms identifiers */ X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL); @@ -372,14 +445,35 @@ static int ecd_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, return 3; } -static int ecd_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *alg, - const ASN1_STRING *sig) +static int ecd_sig_info_set25519(X509_SIG_INFO *siginf, const X509_ALGOR *alg, + const ASN1_STRING *sig) { X509_SIG_INFO_set(siginf, NID_undef, NID_ED25519, X25519_SECURITY_BITS, X509_SIG_INFO_TLS); return 1; } +static int ecd_item_sign448(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, + X509_ALGOR *alg1, X509_ALGOR *alg2, + ASN1_BIT_STRING *str) +{ + /* Set algorithm identifier */ + X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED448), V_ASN1_UNDEF, NULL); + if (alg2 != NULL) + X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED448), V_ASN1_UNDEF, NULL); + /* Algorithm identifier set: carry on as normal */ + return 3; +} + +static int ecd_sig_info_set448(X509_SIG_INFO *siginf, const X509_ALGOR *alg, + const ASN1_STRING *sig) +{ + X509_SIG_INFO_set(siginf, NID_undef, NID_ED448, X448_SECURITY_BITS, + X509_SIG_INFO_TLS); + return 1; +} + + const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = { EVP_PKEY_ED25519, EVP_PKEY_ED25519, @@ -396,7 +490,40 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = { ecx_priv_encode, ecx_priv_print, - ecd_size, + ecd_size25519, + ecx_bits, + ecx_security_bits, + + 0, 0, 0, 0, + ecx_cmp_parameters, + 0, 0, + + ecx_free, + 0, + NULL, + NULL, + ecd_item_verify, + ecd_item_sign25519, + ecd_sig_info_set25519 +}; + +const EVP_PKEY_ASN1_METHOD ed448_asn1_meth = { + EVP_PKEY_ED448, + EVP_PKEY_ED448, + 0, + "ED448", + "OpenSSL ED448 algorithm", + + ecx_pub_decode, + ecx_pub_encode, + ecx_pub_cmp, + ecx_pub_print, + + ecx_priv_decode, + ecx_priv_encode, + ecx_priv_print, + + ecd_size448, ecx_bits, ecx_security_bits, @@ -409,37 +536,65 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = { NULL, NULL, ecd_item_verify, - ecd_item_sign, - ecd_sig_info_set + ecd_item_sign448, + ecd_sig_info_set448 }; static int pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { - return ecx_key_op(pkey, ctx->pmeth->pkey_id, NULL, NULL, 0, X25519_KEYGEN); + return ecx_key_op(pkey, ctx->pmeth->pkey_id, NULL, NULL, 0, KEY_OP_KEYGEN); } -static int pkey_ecx_derive(EVP_PKEY_CTX *ctx, unsigned char *key, - size_t *keylen) +static int validate_ecx_derive(EVP_PKEY_CTX *ctx, unsigned char *key, + size_t *keylen, + const unsigned char **privkey, + const unsigned char **pubkey) { - const X25519_KEY *pkey, *peerkey; + const ECX_KEY *ecxkey, *peerkey; if (ctx->pkey == NULL || ctx->peerkey == NULL) { - ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_KEYS_NOT_SET); + ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_KEYS_NOT_SET); return 0; } - pkey = ctx->pkey->pkey.ptr; - peerkey = ctx->peerkey->pkey.ptr; - if (pkey == NULL || pkey->privkey == NULL) { - ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_INVALID_PRIVATE_KEY); + ecxkey = ctx->pkey->pkey.ecx; + peerkey = ctx->peerkey->pkey.ecx; + if (ecxkey == NULL || ecxkey->privkey == NULL) { + ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_INVALID_PRIVATE_KEY); return 0; } if (peerkey == NULL) { - ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_INVALID_PEER_KEY); + ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_INVALID_PEER_KEY); return 0; } + *privkey = ecxkey->privkey; + *pubkey = peerkey->pubkey; + + return 1; +} + +static int pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key, + size_t *keylen) +{ + const unsigned char *privkey, *pubkey; + + if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey) + || (key != NULL + && X25519(key, privkey, pubkey) == 0)) + return 0; *keylen = X25519_KEYLEN; - if (key != NULL && X25519(key, pkey->privkey, peerkey->pubkey) == 0) + return 1; +} + +static int pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key, + size_t *keylen) +{ + const unsigned char *privkey, *pubkey; + + if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey) + || (key != NULL + && X448(key, privkey, pubkey) == 0)) return 0; + *keylen = X448_KEYLEN; return 1; } @@ -456,23 +611,33 @@ const EVP_PKEY_METHOD ecx25519_pkey_meth = { 0, 0, 0, 0, 0, 0, 0, pkey_ecx_keygen, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - pkey_ecx_derive, + pkey_ecx_derive25519, pkey_ecx_ctrl, 0 }; -static int pkey_ecd_digestsign(EVP_MD_CTX *ctx, unsigned char *sig, - size_t *siglen, const unsigned char *tbs, - size_t tbslen) +const EVP_PKEY_METHOD ecx448_pkey_meth = { + EVP_PKEY_X448, + 0, 0, 0, 0, 0, 0, 0, + pkey_ecx_keygen, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + pkey_ecx_derive448, + pkey_ecx_ctrl, + 0 +}; + +static int pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, unsigned char *sig, + size_t *siglen, const unsigned char *tbs, + size_t tbslen) { - const X25519_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ptr; + const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; if (sig == NULL) { *siglen = ED25519_SIGSIZE; return 1; } if (*siglen < ED25519_SIGSIZE) { - ECerr(EC_F_PKEY_ECD_DIGESTSIGN, EC_R_BUFFER_TOO_SMALL); + ECerr(EC_F_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL); return 0; } @@ -482,11 +647,33 @@ static int pkey_ecd_digestsign(EVP_MD_CTX *ctx, unsigned char *sig, return 1; } -static int pkey_ecd_digestverify(EVP_MD_CTX *ctx, const unsigned char *sig, - size_t siglen, const unsigned char *tbs, - size_t tbslen) +static int pkey_ecd_digestsign448(EVP_MD_CTX *ctx, unsigned char *sig, + size_t *siglen, const unsigned char *tbs, + size_t tbslen) +{ + const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; + + if (sig == NULL) { + *siglen = ED448_SIGSIZE; + return 1; + } + if (*siglen < ED448_SIGSIZE) { + ECerr(EC_F_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL); + return 0; + } + + if (ED448_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey, NULL, + 0) == 0) + return 0; + *siglen = ED448_SIGSIZE; + return 1; +} + +static int pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, const unsigned char *sig, + size_t siglen, const unsigned char *tbs, + size_t tbslen) { - const X25519_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ptr; + const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; if (siglen != ED25519_SIGSIZE) return 0; @@ -494,6 +681,18 @@ static int pkey_ecd_digestverify(EVP_MD_CTX *ctx, const unsigned char *sig, return ED25519_verify(tbs, tbslen, sig, edkey->pubkey); } +static int pkey_ecd_digestverify448(EVP_MD_CTX *ctx, const unsigned char *sig, + size_t siglen, const unsigned char *tbs, + size_t tbslen) +{ + const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; + + if (siglen != ED448_SIGSIZE) + return 0; + + return ED448_verify(tbs, tbslen, sig, edkey->pubkey, NULL, 0); +} + static int pkey_ecd_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { switch (type) { @@ -517,6 +716,17 @@ const EVP_PKEY_METHOD ed25519_pkey_meth = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, pkey_ecd_ctrl, 0, - pkey_ecd_digestsign, - pkey_ecd_digestverify + pkey_ecd_digestsign25519, + pkey_ecd_digestverify25519 +}; + +const EVP_PKEY_METHOD ed448_pkey_meth = { + EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM, + 0, 0, 0, 0, 0, 0, + pkey_ecx_keygen, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + pkey_ecd_ctrl, + 0, + pkey_ecd_digestsign448, + pkey_ecd_digestverify448 }; diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index e406becddb..318b400e31 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -594,6 +594,8 @@ EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl EC_F_PKEY_ECD_DIGESTSIGN:272:pkey_ecd_digestsign +EC_F_PKEY_ECD_DIGESTSIGN25519:276:pkey_ecd_digestsign25519 +EC_F_PKEY_ECD_DIGESTSIGN448:277:pkey_ecd_digestsign448 EC_F_PKEY_ECX_DERIVE:269:pkey_ecx_derive EC_F_PKEY_EC_CTRL:197:pkey_ec_ctrl EC_F_PKEY_EC_CTRL_STR:198:pkey_ec_ctrl_str @@ -601,6 +603,7 @@ EC_F_PKEY_EC_DERIVE:217:pkey_ec_derive EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen EC_F_PKEY_EC_SIGN:218:pkey_ec_sign +EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive ENGINE_F_DIGEST_UPDATE:198:digest_update ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl ENGINE_F_DYNAMIC_GET_DATA_CTX:181:dynamic_get_data_ctx diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 2d9f4fc6dc..d3b8136765 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -51,6 +51,7 @@ static const EVP_PKEY_METHOD *standard_methods[] = { &tls1_prf_pkey_meth, #ifndef OPENSSL_NO_EC &ecx25519_pkey_meth, + &ecx448_pkey_meth, #endif &hkdf_pkey_meth, #ifndef OPENSSL_NO_POLY1305 @@ -61,6 +62,7 @@ static const EVP_PKEY_METHOD *standard_methods[] = { #endif #ifndef OPENSSL_NO_EC &ed25519_pkey_meth, + &ed448_pkey_meth, #endif }; diff --git a/crypto/include/internal/asn1_int.h b/crypto/include/internal/asn1_int.h index 90d525aa8d..664d4d69cb 100644 --- a/crypto/include/internal/asn1_int.h +++ b/crypto/include/internal/asn1_int.h @@ -68,7 +68,9 @@ extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth; extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[5]; extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth; extern const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth; extern const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD ed448_asn1_meth; extern const EVP_PKEY_ASN1_METHOD poly1305_asn1_meth; extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth; diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h index a838a2a319..77c8731355 100644 --- a/crypto/include/internal/evp_int.h +++ b/crypto/include/internal/evp_int.h @@ -90,7 +90,9 @@ extern const EVP_PKEY_METHOD dhx_pkey_meth; extern const EVP_PKEY_METHOD dsa_pkey_meth; extern const EVP_PKEY_METHOD ec_pkey_meth; extern const EVP_PKEY_METHOD ecx25519_pkey_meth; +extern const EVP_PKEY_METHOD ecx448_pkey_meth; extern const EVP_PKEY_METHOD ed25519_pkey_meth; +extern const EVP_PKEY_METHOD ed448_pkey_meth; extern const EVP_PKEY_METHOD hmac_pkey_meth; extern const EVP_PKEY_METHOD rsa_pkey_meth; extern const EVP_PKEY_METHOD rsa_pss_pkey_meth; @@ -361,6 +363,21 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; } cipher##_init_key, NULL, NULL, NULL, NULL) +# ifndef OPENSSL_NO_EC + +#define X25519_KEYLEN 32 +#define X448_KEYLEN 56 +#define ED448_KEYLEN 57 + +#define MAX_KEYLEN ED448_KEYLEN + +typedef struct { + unsigned char pubkey[MAX_KEYLEN]; + unsigned char *privkey; +} ECX_KEY; + +#endif + /* * Type needs to be a bit field Sub-type needs to be for variations on the * method, as in, can it do arbitrary encryption.... @@ -385,6 +402,7 @@ struct evp_pkey_st { # endif # ifndef OPENSSL_NO_EC struct ec_key_st *ec; /* ECC */ + ECX_KEY *ecx; /* X25519, X448, Ed25519, Ed448 */ # endif } pkey; int save_parameters; diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index ebd5bf5a9f..9606e57d61 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -74,6 +74,7 @@ static const nid_triple sigoid_srt[] = { {NID_id_tc26_signwithdigest_gost3410_2012_512, NID_id_GostR3411_2012_512, NID_id_GostR3410_2012_512}, {NID_ED25519, NID_undef, NID_ED25519}, + {NID_ED448, NID_undef, NID_ED448}, {NID_RSA_SHA3_224, NID_sha3_224, NID_rsaEncryption}, {NID_RSA_SHA3_256, NID_sha3_256, NID_rsaEncryption}, {NID_RSA_SHA3_384, NID_sha3_384, NID_rsaEncryption}, @@ -120,8 +121,8 @@ static const nid_triple *const sigoid_srt_xref[] = { &sigoid_srt[28], &sigoid_srt[40], &sigoid_srt[41], - &sigoid_srt[43], &sigoid_srt[44], &sigoid_srt[45], &sigoid_srt[46], + &sigoid_srt[47], }; diff --git a/crypto/objects/obj_xref.txt b/crypto/objects/obj_xref.txt index c8dee7b880..ca3e74461d 100644 --- a/crypto/objects/obj_xref.txt +++ b/crypto/objects/obj_xref.txt @@ -22,6 +22,7 @@ RSA_SHA3_512 sha3_512 rsaEncryption # method should handle this explicitly. rsassaPss undef rsaEncryption ED25519 undef ED25519 +ED448 undef ED448 # Alternative deprecated OIDs. By using the older "rsa" OID this # type will be recognized by not normally used. diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c index 37f4d3128f..7eef1fb39b 100644 --- a/crypto/x509/x509type.c +++ b/crypto/x509/x509type.c @@ -41,6 +41,7 @@ int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey) case EVP_PKEY_EC: ret = EVP_PK_EC | EVP_PKT_SIGN | EVP_PKT_EXCH; break; + case EVP_PKEY_ED448: case EVP_PKEY_ED25519: ret = EVP_PKT_SIGN; break; diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h index 289cd8c5ae..dbaa8d155c 100644 --- a/include/openssl/ecerr.h +++ b/include/openssl/ecerr.h @@ -167,6 +167,8 @@ int ERR_load_EC_strings(void); # define EC_F_OSSL_ECDSA_VERIFY_SIG 250 # define EC_F_PKEY_ECD_CTRL 271 # define EC_F_PKEY_ECD_DIGESTSIGN 272 +# define EC_F_PKEY_ECD_DIGESTSIGN25519 276 +# define EC_F_PKEY_ECD_DIGESTSIGN448 277 # define EC_F_PKEY_ECX_DERIVE 269 # define EC_F_PKEY_EC_CTRL 197 # define EC_F_PKEY_EC_CTRL_STR 198 @@ -174,6 +176,7 @@ int ERR_load_EC_strings(void); # define EC_F_PKEY_EC_KEYGEN 199 # define EC_F_PKEY_EC_PARAMGEN 219 # define EC_F_PKEY_EC_SIGN 218 +# define EC_F_VALIDATE_ECX_DERIVE 278 /* * EC reason codes. -- 2.25.1