TLS support for X25519

Add X25519 to TLS supported curve list. Reject attempts to configure keys which cannot be used for signing. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-25 17:46:14 +00:00 · 2016-02-25 17:46:14 +00:00 · 1db3107ada
commit 1db3107ada
parent db50c1da19
4 changed files with 16 additions and 3 deletions
--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@ -1,4 +1,3 @@
-/* crypto/ec/ec_err.c */
 /* ====================================================================
 * Copyright (c) 1999-2016 The OpenSSL Project.  All rights reserved.
 *
@ -275,6 +274,8 @@ static ERR_STRING_DATA EC_str_reasons[] = {
    {ERR_REASON(EC_R_BIGNUM_OUT_OF_RANGE), "bignum out of range"},
    {ERR_REASON(EC_R_BUFFER_TOO_SMALL), "buffer too small"},
    {ERR_REASON(EC_R_COORDINATES_OUT_OF_RANGE), "coordinates out of range"},
+    {ERR_REASON(EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING),
+     "curve does not support signing"},
    {ERR_REASON(EC_R_D2I_ECPKPARAMETERS_FAILURE),
     "d2i ecpkparameters failure"},
    {ERR_REASON(EC_R_DECODE_ERROR), "decode error"},
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@ -1569,6 +1569,7 @@ void ERR_load_EC_strings(void);
 # define EC_R_BIGNUM_OUT_OF_RANGE                         144
 # define EC_R_BUFFER_TOO_SMALL                            100
 # define EC_R_COORDINATES_OUT_OF_RANGE                    146
+# define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING              159
 # define EC_R_D2I_ECPKPARAMETERS_FAILURE                  117
 # define EC_R_DECODE_ERROR                                142
 # define EC_R_DISCRIMINANT_IS_ZERO                        118
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@ -378,6 +378,11 @@ static int ssl_set_cert(CERT *c, X509 *x)
        return 0;
    }

+    if (i == SSL_PKEY_ECC && !EC_KEY_can_sign(EVP_PKEY_get0_EC_KEY(pkey))) {
+        SSLerr(SSL_F_SSL_SET_CERT, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
+        return 0;
+    }
+
    if (c->pkeys[i].privatekey != NULL) {
        /*
         * The return code from EVP_PKEY_copy_parameters is deliberately
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@ -222,9 +222,11 @@ typedef struct {
    unsigned int flags;         /* Flags: currently just field type */
 } tls_curve_info;

-# define TLS_CURVE_TYPE          0x1
-# define TLS_CURVE_CHAR2         0x1
+/* Mask for curve type */
+# define TLS_CURVE_TYPE          0x3
 # define TLS_CURVE_PRIME         0x0
+# define TLS_CURVE_CHAR2         0x1
+# define TLS_CURVE_CUSTOM        0x2

 /*
 * Table of curve information.
@ -261,6 +263,8 @@ static const tls_curve_info nid_list[] = {
    {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
    {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
    {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
+    /* X25519 (29) */
+    {NID_X25519, 128, TLS_CURVE_CUSTOM},
 };

 static const unsigned char ecformats_default[] = {
@ -271,6 +275,7 @@ static const unsigned char ecformats_default[] = {

 /* The default curves */
 static const unsigned char eccurves_default[] = {
+    0, 29,                      /* X25519 (29) */
    /* Prefer P-256 which has the fastest and most secure implementations. */
    0, 23,                      /* secp256r1 (23) */
    /* Other >= 256-bit prime curves. */
@ -290,6 +295,7 @@ static const unsigned char eccurves_default[] = {
 };

 static const unsigned char eccurves_all[] = {
+    0, 29,                      /* X25519 (29) */
    /* Prefer P-256 which has the fastest and most secure implementations. */
    0, 23,                      /* secp256r1 (23) */
    /* Other >= 256-bit prime curves. */