[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Fri Mar 2 10:27:17 UTC 2018


The branch master has been updated
       via  21c03ee534ffa78ac44325ca30e1cfc18c2888c0 (commit)
       via  92521a3ae789fcfed35790784c20f30b41651985 (commit)
       via  a2eecb5d2691d8a2e3481765683054f1edfcba36 (commit)
       via  13735cfef69dfac2d36229810ea0400e2bc6526d (commit)
       via  f7869f1be610aaec85f25351a50b52e8130a2421 (commit)
      from  4a56d2a3b3dca6f73e46b56625e1c0ac3634e62c (commit)


- Log -----------------------------------------------------------------
commit 21c03ee534ffa78ac44325ca30e1cfc18c2888c0
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Feb 20 15:27:15 2018 +0000

    Update CHANGES for X448 and Ed448
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    (Merged from https://github.com/openssl/openssl/pull/5481)

commit 92521a3ae789fcfed35790784c20f30b41651985
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Dec 1 17:59:23 2017 +0000

    Add test vectors for X448 and Ed448
    
    This adds the Ed448 test vectors from RFC8032 and the X448 test vectors
    from RFC7748.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    (Merged from https://github.com/openssl/openssl/pull/5481)

commit a2eecb5d2691d8a2e3481765683054f1edfcba36
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Feb 27 17:28:48 2018 +0000

    Update some documentation for X448/Ed448
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    (Merged from https://github.com/openssl/openssl/pull/5481)

commit 13735cfef69dfac2d36229810ea0400e2bc6526d
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Feb 28 14:59:44 2018 +0000

    Integrate X448 and Ed448 into libcrypto
    
    This adds all of the relevant EVP plumbing required to make
    X448 and Ed448 work.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    (Merged from https://github.com/openssl/openssl/pull/5481)

commit f7869f1be610aaec85f25351a50b52e8130a2421
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Nov 28 16:27:07 2017 +0000

    Add pkey types for curve448
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    (Merged from https://github.com/openssl/openssl/pull/5481)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                                   |   4 +
 crypto/asn1/standard_methods.h            |   2 +
 crypto/ec/ec_err.c                        |   5 +
 crypto/ec/ec_lcl.h                        |   1 +
 crypto/ec/ecx_meth.c                      | 416 ++++++++++++++++++++++--------
 crypto/err/openssl.txt                    |   3 +
 crypto/evp/pmeth_lib.c                    |   2 +
 crypto/include/internal/asn1_int.h        |   2 +
 crypto/include/internal/evp_int.h         |  18 ++
 crypto/objects/obj_xref.h                 |   3 +-
 crypto/objects/obj_xref.txt               |   1 +
 crypto/x509/x509type.c                    |   1 +
 doc/HOWTO/keys.txt                        |   2 +-
 doc/man1/genpkey.pod                      |   6 +-
 doc/man1/pkeyutl.pod                      |   6 +-
 doc/man7/Ed25519.pod                      |  22 +-
 doc/man7/X25519.pod                       |  18 +-
 include/openssl/ecerr.h                   |   3 +
 include/openssl/evp.h                     |   2 +
 test/recipes/30-test_evp_data/evppkey.txt | 251 ++++++++++++++++++
 20 files changed, 643 insertions(+), 125 deletions(-)

diff --git a/CHANGES b/CHANGES
index e08644a..c835f6a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
 
  Changes between 1.1.0g and 1.1.1 [xx XXX xxxx]
 
+  *) Added support for X448 and Ed448. Currently this is only supported in
+     libcrypto (not libssl). Heavily based on original work by Mike Hamburg.
+     [Matt Caswell]
+
   *) Extend OSSL_STORE with capabilities to search and to narrow the set of
      objects loaded.  This adds the functions OSSL_STORE_expect() and
      OSSL_STORE_find() as well as needed tools to construct searches and
diff --git a/crypto/asn1/standard_methods.h b/crypto/asn1/standard_methods.h
index d366aa0..7d1f97e 100644
--- a/crypto/asn1/standard_methods.h
+++ b/crypto/asn1/standard_methods.h
@@ -42,6 +42,7 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = {
 #endif
 #ifndef OPENSSL_NO_EC
     &ecx25519_asn1_meth,
+    &ecx448_asn1_meth,
 #endif
 #ifndef OPENSSL_NO_POLY1305
     &poly1305_asn1_meth,
@@ -51,6 +52,7 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = {
 #endif
 #ifndef OPENSSL_NO_EC
     &ed25519_asn1_meth,
+    &ed448_asn1_meth,
 #endif
 };
 
diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
index 588e95c..fe90c01 100644
--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@@ -242,6 +242,10 @@ static const ERR_STRING_DATA EC_str_functs[] = {
      "ossl_ecdsa_verify_sig"},
     {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_CTRL, 0), "pkey_ecd_ctrl"},
     {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_DIGESTSIGN, 0), "pkey_ecd_digestsign"},
+    {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_DIGESTSIGN25519, 0),
+     "pkey_ecd_digestsign25519"},
+    {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_DIGESTSIGN448, 0),
+     "pkey_ecd_digestsign448"},
     {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECX_DERIVE, 0), "pkey_ecx_derive"},
     {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_CTRL, 0), "pkey_ec_ctrl"},
     {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_CTRL_STR, 0), "pkey_ec_ctrl_str"},
@@ -249,6 +253,7 @@ static const ERR_STRING_DATA EC_str_functs[] = {
     {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_KEYGEN, 0), "pkey_ec_keygen"},
     {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_PARAMGEN, 0), "pkey_ec_paramgen"},
     {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_SIGN, 0), "pkey_ec_sign"},
+    {ERR_PACK(ERR_LIB_EC, EC_F_VALIDATE_ECX_DERIVE, 0), "validate_ecx_derive"},
     {0, NULL}
 };
 
diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
index 421cd47..413a906 100644
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@@ -14,6 +14,7 @@
 #include <openssl/ec.h>
 #include <openssl/bn.h>
 #include "internal/refcount.h"
+#include "curve448/curve448_lcl.h"
 
 #if defined(__SUNPRO_C)
 # if __SUNPRO_C >= 0x520
diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c
index 4f7cfec..272dfc6 100644
--- a/crypto/ec/ecx_meth.c
+++ b/crypto/ec/ecx_meth.c
@@ -16,30 +16,39 @@
 #include "internal/evp_int.h"
 #include "ec_lcl.h"
 
-#define X25519_KEYLEN        32
 #define X25519_BITS          253
 #define X25519_SECURITY_BITS 128
 
 #define ED25519_SIGSIZE      64
 
-typedef struct {
-    unsigned char pubkey[X25519_KEYLEN];
-    unsigned char *privkey;
-} X25519_KEY;
+#define X448_BITS            448
+#define ED448_BITS           456
+#define X448_SECURITY_BITS   224
+
+#define ED448_SIGSIZE        114
+
+#define ISX448(id)      ((id) == EVP_PKEY_X448)
+#define IS25519(id)     ((id) == EVP_PKEY_X25519 || (id) == EVP_PKEY_ED25519)
+#define KEYLENID(id)    (IS25519(id) ? X25519_KEYLEN \
+                                     : ((id) == EVP_PKEY_X448 ? X448_KEYLEN \
+                                                              : ED448_KEYLEN))
+#define KEYLEN(p)       KEYLENID((p)->ameth->pkey_id)
+
 
 typedef enum {
-    X25519_PUBLIC,
-    X25519_PRIVATE,
-    X25519_KEYGEN
+    KEY_OP_PUBLIC,
+    KEY_OP_PRIVATE,
+    KEY_OP_KEYGEN
 } ecx_key_op_t;
 
 /* Setup EVP_PKEY using public, private or generation */
 static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg,
                       const unsigned char *p, int plen, ecx_key_op_t op)
 {
-    X25519_KEY *xkey;
+    ECX_KEY *key = NULL;
+    unsigned char *privkey, *pubkey;
 
-    if (op != X25519_KEYGEN) {
+    if (op != KEY_OP_KEYGEN) {
         if (palg != NULL) {
             int ptype;
 
@@ -51,69 +60,85 @@ static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg,
             }
         }
 
-        if (p == NULL || plen != X25519_KEYLEN) {
+        if (p == NULL || plen != KEYLENID(id)) {
             ECerr(EC_F_ECX_KEY_OP, EC_R_INVALID_ENCODING);
             return 0;
         }
     }
 
-    xkey = OPENSSL_zalloc(sizeof(*xkey));
-    if (xkey == NULL) {
+    key = OPENSSL_zalloc(sizeof(*key));
+    if (key == NULL) {
         ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE);
         return 0;
     }
+    pubkey = key->pubkey;
 
-    if (op == X25519_PUBLIC) {
-        memcpy(xkey->pubkey, p, plen);
+    if (op == KEY_OP_PUBLIC) {
+        memcpy(pubkey, p, plen);
     } else {
-        xkey->privkey = OPENSSL_secure_malloc(X25519_KEYLEN);
-        if (xkey->privkey == NULL) {
+        privkey = key->privkey = OPENSSL_secure_malloc(KEYLENID(id));
+        if (privkey == NULL) {
             ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE);
-            OPENSSL_free(xkey);
-            return 0;
+            goto err;
         }
-        if (op == X25519_KEYGEN) {
-            if (RAND_bytes(xkey->privkey, X25519_KEYLEN) <= 0) {
-                OPENSSL_secure_free(xkey->privkey);
-                OPENSSL_free(xkey);
-                return 0;
+        if (op == KEY_OP_KEYGEN) {
+            if (RAND_priv_bytes(privkey, KEYLENID(id)) <= 0) {
+                OPENSSL_secure_free(privkey);
+                key->privkey = NULL;
+                goto err;
             }
             if (id == EVP_PKEY_X25519) {
-                xkey->privkey[0] &= 248;
-                xkey->privkey[31] &= 127;
-                xkey->privkey[31] |= 64;
+                privkey[0] &= 248;
+                privkey[X25519_KEYLEN - 1] &= 127;
+                privkey[X25519_KEYLEN - 1] |= 64;
+            } else if (id == EVP_PKEY_X448) {
+                privkey[0] &= 252;
+                privkey[X448_KEYLEN - 1] |= 128;
             }
         } else {
-            memcpy(xkey->privkey, p, X25519_KEYLEN);
+            memcpy(privkey, p, KEYLENID(id));
+        }
+        switch (id) {
+        case EVP_PKEY_X25519:
+            X25519_public_from_private(pubkey, privkey);
+            break;
+        case EVP_PKEY_ED25519:
+            ED25519_public_from_private(pubkey, privkey);
+            break;
+        case EVP_PKEY_X448:
+            X448_public_from_private(pubkey, privkey);
+            break;
+        case EVP_PKEY_ED448:
+            ED448_public_from_private(pubkey, privkey);
+            break;
         }
-        if (id == EVP_PKEY_X25519)
-            X25519_public_from_private(xkey->pubkey, xkey->privkey);
-        else
-            ED25519_public_from_private(xkey->pubkey, xkey->privkey);
     }
 
-    EVP_PKEY_assign(pkey, id, xkey);
+    EVP_PKEY_assign(pkey, id, key);
     return 1;
+ err:
+    OPENSSL_free(key);
+    return 0;
 }
 
 static int ecx_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 {
-    const X25519_KEY *xkey = pkey->pkey.ptr;
+    const ECX_KEY *ecxkey = pkey->pkey.ecx;
     unsigned char *penc;
 
-    if (xkey == NULL) {
+    if (ecxkey == NULL) {
         ECerr(EC_F_ECX_PUB_ENCODE, EC_R_INVALID_KEY);
         return 0;
     }
 
-    penc = OPENSSL_memdup(xkey->pubkey, X25519_KEYLEN);
+    penc = OPENSSL_memdup(ecxkey->pubkey, KEYLEN(pkey));
     if (penc == NULL) {
         ECerr(EC_F_ECX_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
         return 0;
     }
 
     if (!X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
-                                V_ASN1_UNDEF, NULL, penc, X25519_KEYLEN)) {
+                                V_ASN1_UNDEF, NULL, penc, KEYLEN(pkey))) {
         OPENSSL_free(penc);
         ECerr(EC_F_ECX_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
         return 0;
@@ -130,17 +155,18 @@ static int ecx_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
     if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey))
         return 0;
     return ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, pklen,
-                      X25519_PUBLIC);
+                      KEY_OP_PUBLIC);
 }
 
 static int ecx_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
 {
-    const X25519_KEY *akey = a->pkey.ptr;
-    const X25519_KEY *bkey = b->pkey.ptr;
+    const ECX_KEY *akey = a->pkey.ecx;
+    const ECX_KEY *bkey = b->pkey.ecx;
 
     if (akey == NULL || bkey == NULL)
         return -2;
-    return !CRYPTO_memcmp(akey->pubkey, bkey->pubkey, X25519_KEYLEN);
+
+    return CRYPTO_memcmp(akey->pubkey, bkey->pubkey, KEYLEN(a)) == 0;
 }
 
 static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
@@ -163,25 +189,25 @@ static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
         plen = ASN1_STRING_length(oct);
     }
 
-    rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, X25519_PRIVATE);
+    rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, KEY_OP_PRIVATE);
     ASN1_OCTET_STRING_free(oct);
     return rv;
 }
 
 static int ecx_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 {
-    const X25519_KEY *xkey = pkey->pkey.ptr;
+    const ECX_KEY *ecxkey = pkey->pkey.ecx;
     ASN1_OCTET_STRING oct;
     unsigned char *penc = NULL;
     int penclen;
 
-    if (xkey == NULL || xkey->privkey == NULL) {
+    if (ecxkey == NULL || ecxkey->privkey == NULL) {
         ECerr(EC_F_ECX_PRIV_ENCODE, EC_R_INVALID_PRIVATE_KEY);
         return 0;
     }
 
-    oct.data = xkey->privkey;
-    oct.length = X25519_KEYLEN;
+    oct.data = ecxkey->privkey;
+    oct.length = KEYLEN(pkey);
     oct.flags = 0;
 
     penclen = i2d_ASN1_OCTET_STRING(&oct, &penc);
@@ -202,26 +228,34 @@ static int ecx_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 
 static int ecx_size(const EVP_PKEY *pkey)
 {
-    return X25519_KEYLEN;
+    return KEYLEN(pkey);
 }
 
 static int ecx_bits(const EVP_PKEY *pkey)
 {
-    return X25519_BITS;
+    if (IS25519(pkey->ameth->pkey_id)) {
+        return X25519_BITS;
+    } else if(ISX448(pkey->ameth->pkey_id)) {
+        return X448_BITS;
+    } else {
+        return ED448_BITS;
+    }
 }
 
 static int ecx_security_bits(const EVP_PKEY *pkey)
 {
-    return X25519_SECURITY_BITS;
+    if (IS25519(pkey->ameth->pkey_id)) {
+        return X25519_SECURITY_BITS;
+    } else {
+        return X448_SECURITY_BITS;
+    }
 }
 
 static void ecx_free(EVP_PKEY *pkey)
 {
-    X25519_KEY *xkey = pkey->pkey.ptr;
-
-    if (xkey)
-        OPENSSL_secure_clear_free(xkey->privkey, X25519_KEYLEN);
-    OPENSSL_free(xkey);
+    if (pkey->pkey.ecx != NULL)
+        OPENSSL_secure_clear_free(pkey->pkey.ecx->privkey, KEYLEN(pkey));
+    OPENSSL_free(pkey->pkey.ecx);
 }
 
 /* "parameters" are always equal */
@@ -233,12 +267,11 @@ static int ecx_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
 static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent,
                          ASN1_PCTX *ctx, ecx_key_op_t op)
 {
-    const X25519_KEY *xkey = pkey->pkey.ptr;
-
+    const ECX_KEY *ecxkey = pkey->pkey.ecx;
     const char *nm = OBJ_nid2ln(pkey->ameth->pkey_id);
 
-    if (op == X25519_PRIVATE) {
-        if (xkey == NULL || xkey->privkey == NULL) {
+    if (op == KEY_OP_PRIVATE) {
+        if (ecxkey == NULL || ecxkey->privkey == NULL) {
             if (BIO_printf(bp, "%*s<INVALID PRIVATE KEY>\n", indent, "") <= 0)
                 return 0;
             return 1;
@@ -247,10 +280,11 @@ static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent,
             return 0;
         if (BIO_printf(bp, "%*spriv:\n", indent, "") <= 0)
             return 0;
-        if (ASN1_buf_print(bp, xkey->privkey, X25519_KEYLEN, indent + 4) == 0)
+        if (ASN1_buf_print(bp, ecxkey->privkey, KEYLEN(pkey),
+                           indent + 4) == 0)
             return 0;
     } else {
-        if (xkey == NULL) {
+        if (ecxkey == NULL) {
             if (BIO_printf(bp, "%*s<INVALID PUBLIC KEY>\n", indent, "") <= 0)
                 return 0;
             return 1;
@@ -260,7 +294,9 @@ static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent,
     }
     if (BIO_printf(bp, "%*spub:\n", indent, "") <= 0)
         return 0;
-    if (ASN1_buf_print(bp, xkey->pubkey, X25519_KEYLEN, indent + 4) == 0)
+
+    if (ASN1_buf_print(bp, ecxkey->pubkey, KEYLEN(pkey),
+                       indent + 4) == 0)
         return 0;
     return 1;
 }
@@ -268,13 +304,13 @@ static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent,
 static int ecx_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
                           ASN1_PCTX *ctx)
 {
-    return ecx_key_print(bp, pkey, indent, ctx, X25519_PRIVATE);
+    return ecx_key_print(bp, pkey, indent, ctx, KEY_OP_PRIVATE);
 }
 
 static int ecx_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
                          ASN1_PCTX *ctx)
 {
-    return ecx_key_print(bp, pkey, indent, ctx, X25519_PUBLIC);
+    return ecx_key_print(bp, pkey, indent, ctx, KEY_OP_PUBLIC);
 }
 
 static int ecx_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
@@ -282,16 +318,16 @@ static int ecx_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
     switch (op) {
 
     case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
-        return ecx_key_op(pkey, EVP_PKEY_X25519, NULL, arg2, arg1,
-                          X25519_PUBLIC);
+        return ecx_key_op(pkey, pkey->ameth->pkey_id, NULL, arg2, arg1,
+                          KEY_OP_PUBLIC);
 
     case ASN1_PKEY_CTRL_GET1_TLS_ENCPT:
-        if (pkey->pkey.ptr != NULL) {
-            const X25519_KEY *xkey = pkey->pkey.ptr;
+        if (pkey->pkey.ecx != NULL) {
             unsigned char **ppt = arg2;
-            *ppt = OPENSSL_memdup(xkey->pubkey, X25519_KEYLEN);
+
+            *ppt = OPENSSL_memdup(pkey->pkey.ecx->pubkey, KEYLEN(pkey));
             if (*ppt != NULL)
-                return X25519_KEYLEN;
+                return KEYLEN(pkey);
         }
         return 0;
 
@@ -335,21 +371,58 @@ const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth = {
     NULL
 };
 
-static int ecd_size(const EVP_PKEY *pkey)
+const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth = {
+    EVP_PKEY_X448,
+    EVP_PKEY_X448,
+    0,
+    "X448",
+    "OpenSSL X448 algorithm",
+
+    ecx_pub_decode,
+    ecx_pub_encode,
+    ecx_pub_cmp,
+    ecx_pub_print,
+
+    ecx_priv_decode,
+    ecx_priv_encode,
+    ecx_priv_print,
+
+    ecx_size,
+    ecx_bits,
+    ecx_security_bits,
+
+    0, 0, 0, 0,
+    ecx_cmp_parameters,
+    0, 0,
+
+    ecx_free,
+    ecx_ctrl,
+    NULL,
+    NULL
+};
+
+static int ecd_size25519(const EVP_PKEY *pkey)
 {
     return ED25519_SIGSIZE;
 }
 
+static int ecd_size448(const EVP_PKEY *pkey)
+{
+    return ED448_SIGSIZE;
+}
+
 static int ecd_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
                            X509_ALGOR *sigalg, ASN1_BIT_STRING *str,
                            EVP_PKEY *pkey)
 {
     const ASN1_OBJECT *obj;
     int ptype;
+    int nid;
 
+    /* Sanity check: make sure it is ED25519/ED448 with absent parameters */
     X509_ALGOR_get0(&obj, &ptype, NULL, sigalg);
-    /* Sanity check: make sure it is ED25519 with absent parameters */
-    if (OBJ_obj2nid(obj) != NID_ED25519 || ptype != V_ASN1_UNDEF) {
+    nid = OBJ_obj2nid(obj);
+    if ((nid != NID_ED25519 && nid != NID_ED448) || ptype != V_ASN1_UNDEF) {
         ECerr(EC_F_ECD_ITEM_VERIFY, EC_R_INVALID_ENCODING);
         return 0;
     }
@@ -360,9 +433,9 @@ static int ecd_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
     return 2;
 }
 
-static int ecd_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
-                         X509_ALGOR *alg1, X509_ALGOR *alg2,
-                         ASN1_BIT_STRING *str)
+static int ecd_item_sign25519(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+                              X509_ALGOR *alg1, X509_ALGOR *alg2,
+                              ASN1_BIT_STRING *str)
 {
     /* Set algorithms identifiers */
     X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
@@ -372,14 +445,35 @@ static int ecd_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
     return 3;
 }
 
-static int ecd_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
-                            const ASN1_STRING *sig)
+static int ecd_sig_info_set25519(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
+                                 const ASN1_STRING *sig)
 {
     X509_SIG_INFO_set(siginf, NID_undef, NID_ED25519, X25519_SECURITY_BITS,
                       X509_SIG_INFO_TLS);
     return 1;
 }
 
+static int ecd_item_sign448(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+                            X509_ALGOR *alg1, X509_ALGOR *alg2,
+                            ASN1_BIT_STRING *str)
+{
+    /* Set algorithm identifier */
+    X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED448), V_ASN1_UNDEF, NULL);
+    if (alg2 != NULL)
+        X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED448), V_ASN1_UNDEF, NULL);
+    /* Algorithm identifier set: carry on as normal */
+    return 3;
+}
+
+static int ecd_sig_info_set448(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
+                               const ASN1_STRING *sig)
+{
+    X509_SIG_INFO_set(siginf, NID_undef, NID_ED448, X448_SECURITY_BITS,
+                      X509_SIG_INFO_TLS);
+    return 1;
+}
+
+
 const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
     EVP_PKEY_ED25519,
     EVP_PKEY_ED25519,
@@ -396,7 +490,40 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
     ecx_priv_encode,
     ecx_priv_print,
 
-    ecd_size,
+    ecd_size25519,
+    ecx_bits,
+    ecx_security_bits,
+
+    0, 0, 0, 0,
+    ecx_cmp_parameters,
+    0, 0,
+
+    ecx_free,
+    0,
+    NULL,
+    NULL,
+    ecd_item_verify,
+    ecd_item_sign25519,
+    ecd_sig_info_set25519
+};
+
+const EVP_PKEY_ASN1_METHOD ed448_asn1_meth = {
+    EVP_PKEY_ED448,
+    EVP_PKEY_ED448,
+    0,
+    "ED448",
+    "OpenSSL ED448 algorithm",
+
+    ecx_pub_decode,
+    ecx_pub_encode,
+    ecx_pub_cmp,
+    ecx_pub_print,
+
+    ecx_priv_decode,
+    ecx_priv_encode,
+    ecx_priv_print,
+
+    ecd_size448,
     ecx_bits,
     ecx_security_bits,
 
@@ -409,37 +536,65 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
     NULL,
     NULL,
     ecd_item_verify,
-    ecd_item_sign,
-    ecd_sig_info_set
+    ecd_item_sign448,
+    ecd_sig_info_set448
 };
 
 static int pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 {
-    return ecx_key_op(pkey, ctx->pmeth->pkey_id, NULL, NULL, 0, X25519_KEYGEN);
+    return ecx_key_op(pkey, ctx->pmeth->pkey_id, NULL, NULL, 0, KEY_OP_KEYGEN);
 }
 
-static int pkey_ecx_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
-                           size_t *keylen)
+static int validate_ecx_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
+                                          size_t *keylen,
+                                          const unsigned char **privkey,
+                                          const unsigned char **pubkey)
 {
-    const X25519_KEY *pkey, *peerkey;
+    const ECX_KEY *ecxkey, *peerkey;
 
     if (ctx->pkey == NULL || ctx->peerkey == NULL) {
-        ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_KEYS_NOT_SET);
+        ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_KEYS_NOT_SET);
         return 0;
     }
-    pkey = ctx->pkey->pkey.ptr;
-    peerkey = ctx->peerkey->pkey.ptr;
-    if (pkey == NULL || pkey->privkey == NULL) {
-        ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_INVALID_PRIVATE_KEY);
+    ecxkey = ctx->pkey->pkey.ecx;
+    peerkey = ctx->peerkey->pkey.ecx;
+    if (ecxkey == NULL || ecxkey->privkey == NULL) {
+        ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_INVALID_PRIVATE_KEY);
         return 0;
     }
     if (peerkey == NULL) {
-        ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_INVALID_PEER_KEY);
+        ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_INVALID_PEER_KEY);
         return 0;
     }
+    *privkey = ecxkey->privkey;
+    *pubkey = peerkey->pubkey;
+
+    return 1;
+}
+
+static int pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key,
+                                size_t *keylen)
+{
+    const unsigned char *privkey, *pubkey;
+
+    if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)
+            || (key != NULL
+                && X25519(key, privkey, pubkey) == 0))
+        return 0;
     *keylen = X25519_KEYLEN;
-    if (key != NULL && X25519(key, pkey->privkey, peerkey->pubkey) == 0)
+    return 1;
+}
+
+static int pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key,
+                              size_t *keylen)
+{
+    const unsigned char *privkey, *pubkey;
+
+    if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)
+            || (key != NULL
+                && X448(key, privkey, pubkey) == 0))
         return 0;
+    *keylen = X448_KEYLEN;
     return 1;
 }
 
@@ -456,23 +611,33 @@ const EVP_PKEY_METHOD ecx25519_pkey_meth = {
     0, 0, 0, 0, 0, 0, 0,
     pkey_ecx_keygen,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    pkey_ecx_derive,
+    pkey_ecx_derive25519,
     pkey_ecx_ctrl,
     0
 };
 
-static int pkey_ecd_digestsign(EVP_MD_CTX *ctx, unsigned char *sig,
-                               size_t *siglen, const unsigned char *tbs,
-                               size_t tbslen)
+const EVP_PKEY_METHOD ecx448_pkey_meth = {
+    EVP_PKEY_X448,
+    0, 0, 0, 0, 0, 0, 0,
+    pkey_ecx_keygen,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    pkey_ecx_derive448,
+    pkey_ecx_ctrl,
+    0
+};
+
+static int pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, unsigned char *sig,
+                                    size_t *siglen, const unsigned char *tbs,
+                                    size_t tbslen)
 {
-    const X25519_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ptr;
+    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
 
     if (sig == NULL) {
         *siglen = ED25519_SIGSIZE;
         return 1;
     }
     if (*siglen < ED25519_SIGSIZE) {
-        ECerr(EC_F_PKEY_ECD_DIGESTSIGN, EC_R_BUFFER_TOO_SMALL);
+        ECerr(EC_F_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL);
         return 0;
     }
 
@@ -482,11 +647,33 @@ static int pkey_ecd_digestsign(EVP_MD_CTX *ctx, unsigned char *sig,
     return 1;
 }
 
-static int pkey_ecd_digestverify(EVP_MD_CTX *ctx, const unsigned char *sig,
-                                 size_t siglen, const unsigned char *tbs,
-                                 size_t tbslen)
+static int pkey_ecd_digestsign448(EVP_MD_CTX *ctx, unsigned char *sig,
+                                  size_t *siglen, const unsigned char *tbs,
+                                  size_t tbslen)
+{
+    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+
+    if (sig == NULL) {
+        *siglen = ED448_SIGSIZE;
+        return 1;
+    }
+    if (*siglen < ED448_SIGSIZE) {
+        ECerr(EC_F_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL);
+        return 0;
+    }
+
+    if (ED448_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey, NULL,
+                   0) == 0)
+        return 0;
+    *siglen = ED448_SIGSIZE;
+    return 1;
+}
+
+static int pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, const unsigned char *sig,
+                                      size_t siglen, const unsigned char *tbs,
+                                      size_t tbslen)
 {
-    const X25519_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ptr;
+    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
 
     if (siglen != ED25519_SIGSIZE)
         return 0;
@@ -494,6 +681,18 @@ static int pkey_ecd_digestverify(EVP_MD_CTX *ctx, const unsigned char *sig,
     return ED25519_verify(tbs, tbslen, sig, edkey->pubkey);
 }
 
+static int pkey_ecd_digestverify448(EVP_MD_CTX *ctx, const unsigned char *sig,
+                                    size_t siglen, const unsigned char *tbs,
+                                    size_t tbslen)
+{
+    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+
+    if (siglen != ED448_SIGSIZE)
+        return 0;
+
+    return ED448_verify(tbs, tbslen, sig, edkey->pubkey, NULL, 0);
+}
+
 static int pkey_ecd_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 {
     switch (type) {
@@ -517,6 +716,17 @@ const EVP_PKEY_METHOD ed25519_pkey_meth = {
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     pkey_ecd_ctrl,
     0,
-    pkey_ecd_digestsign,
-    pkey_ecd_digestverify
+    pkey_ecd_digestsign25519,
+    pkey_ecd_digestverify25519
+};
+
+const EVP_PKEY_METHOD ed448_pkey_meth = {
+    EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
+    0, 0, 0, 0, 0, 0,
+    pkey_ecx_keygen,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    pkey_ecd_ctrl,
+    0,
+    pkey_ecd_digestsign448,
+    pkey_ecd_digestverify448
 };
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index e406bec..318b400 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -594,6 +594,8 @@ EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig
 EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig
 EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl
 EC_F_PKEY_ECD_DIGESTSIGN:272:pkey_ecd_digestsign
+EC_F_PKEY_ECD_DIGESTSIGN25519:276:pkey_ecd_digestsign25519
+EC_F_PKEY_ECD_DIGESTSIGN448:277:pkey_ecd_digestsign448
 EC_F_PKEY_ECX_DERIVE:269:pkey_ecx_derive
 EC_F_PKEY_EC_CTRL:197:pkey_ec_ctrl
 EC_F_PKEY_EC_CTRL_STR:198:pkey_ec_ctrl_str
@@ -601,6 +603,7 @@ EC_F_PKEY_EC_DERIVE:217:pkey_ec_derive
 EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen
 EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen
 EC_F_PKEY_EC_SIGN:218:pkey_ec_sign
+EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive
 ENGINE_F_DIGEST_UPDATE:198:digest_update
 ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl
 ENGINE_F_DYNAMIC_GET_DATA_CTX:181:dynamic_get_data_ctx
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 2d9f4fc..d3b8136 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -51,6 +51,7 @@ static const EVP_PKEY_METHOD *standard_methods[] = {
     &tls1_prf_pkey_meth,
 #ifndef OPENSSL_NO_EC
     &ecx25519_pkey_meth,
+    &ecx448_pkey_meth,
 #endif
     &hkdf_pkey_meth,
 #ifndef OPENSSL_NO_POLY1305
@@ -61,6 +62,7 @@ static const EVP_PKEY_METHOD *standard_methods[] = {
 #endif
 #ifndef OPENSSL_NO_EC
     &ed25519_pkey_meth,
+    &ed448_pkey_meth,
 #endif
 };
 
diff --git a/crypto/include/internal/asn1_int.h b/crypto/include/internal/asn1_int.h
index 90d525a..664d4d6 100644
--- a/crypto/include/internal/asn1_int.h
+++ b/crypto/include/internal/asn1_int.h
@@ -68,7 +68,9 @@ extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[5];
 extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ed448_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD poly1305_asn1_meth;
 
 extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth;
diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h
index a838a2a..77c8731 100644
--- a/crypto/include/internal/evp_int.h
+++ b/crypto/include/internal/evp_int.h
@@ -90,7 +90,9 @@ extern const EVP_PKEY_METHOD dhx_pkey_meth;
 extern const EVP_PKEY_METHOD dsa_pkey_meth;
 extern const EVP_PKEY_METHOD ec_pkey_meth;
 extern const EVP_PKEY_METHOD ecx25519_pkey_meth;
+extern const EVP_PKEY_METHOD ecx448_pkey_meth;
 extern const EVP_PKEY_METHOD ed25519_pkey_meth;
+extern const EVP_PKEY_METHOD ed448_pkey_meth;
 extern const EVP_PKEY_METHOD hmac_pkey_meth;
 extern const EVP_PKEY_METHOD rsa_pkey_meth;
 extern const EVP_PKEY_METHOD rsa_pss_pkey_meth;
@@ -361,6 +363,21 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
                              cipher##_init_key, NULL, NULL, NULL, NULL)
 
 
+# ifndef OPENSSL_NO_EC
+
+#define X25519_KEYLEN        32
+#define X448_KEYLEN          56
+#define ED448_KEYLEN         57
+
+#define MAX_KEYLEN  ED448_KEYLEN
+
+typedef struct {
+    unsigned char pubkey[MAX_KEYLEN];
+    unsigned char *privkey;
+} ECX_KEY;
+
+#endif
+
 /*
  * Type needs to be a bit field Sub-type needs to be for variations on the
  * method, as in, can it do arbitrary encryption....
@@ -385,6 +402,7 @@ struct evp_pkey_st {
 # endif
 # ifndef OPENSSL_NO_EC
         struct ec_key_st *ec;   /* ECC */
+        ECX_KEY *ecx;           /* X25519, X448, Ed25519, Ed448 */
 # endif
     } pkey;
     int save_parameters;
diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h
index ebd5bf5..9606e57 100644
--- a/crypto/objects/obj_xref.h
+++ b/crypto/objects/obj_xref.h
@@ -74,6 +74,7 @@ static const nid_triple sigoid_srt[] = {
     {NID_id_tc26_signwithdigest_gost3410_2012_512, NID_id_GostR3411_2012_512,
      NID_id_GostR3410_2012_512},
     {NID_ED25519, NID_undef, NID_ED25519},
+    {NID_ED448, NID_undef, NID_ED448},
     {NID_RSA_SHA3_224, NID_sha3_224, NID_rsaEncryption},
     {NID_RSA_SHA3_256, NID_sha3_256, NID_rsaEncryption},
     {NID_RSA_SHA3_384, NID_sha3_384, NID_rsaEncryption},
@@ -120,8 +121,8 @@ static const nid_triple *const sigoid_srt_xref[] = {
     &sigoid_srt[28],
     &sigoid_srt[40],
     &sigoid_srt[41],
-    &sigoid_srt[43],
     &sigoid_srt[44],
     &sigoid_srt[45],
     &sigoid_srt[46],
+    &sigoid_srt[47],
 };
diff --git a/crypto/objects/obj_xref.txt b/crypto/objects/obj_xref.txt
index c8dee7b..ca3e744 100644
--- a/crypto/objects/obj_xref.txt
+++ b/crypto/objects/obj_xref.txt
@@ -22,6 +22,7 @@ RSA_SHA3_512		sha3_512 rsaEncryption
 # method should handle this explicitly.
 rsassaPss		undef	rsaEncryption
 ED25519		    undef	ED25519
+ED448		    undef	ED448
 
 # Alternative deprecated OIDs. By using the older "rsa" OID this
 # type will be recognized by not normally used.
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index 37f4d31..7eef1fb 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -41,6 +41,7 @@ int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey)
     case EVP_PKEY_EC:
         ret = EVP_PK_EC | EVP_PKT_SIGN | EVP_PKT_EXCH;
         break;
+    case EVP_PKEY_ED448:
     case EVP_PKEY_ED25519:
         ret = EVP_PKT_SIGN;
         break;
diff --git a/doc/HOWTO/keys.txt b/doc/HOWTO/keys.txt
index 1662c17..9f0967c 100644
--- a/doc/HOWTO/keys.txt
+++ b/doc/HOWTO/keys.txt
@@ -98,7 +98,7 @@ it may be reasonable to avoid protecting it with a password, since
 otherwise someone would have to type in the password every time the
 server needs to access the key.
 
-For X25519, it's treated as a distinct algorithm but not as one of
+For X25519 and X448, it's treated as a distinct algorithm but not as one of
 the curves listed with 'ecparam -list_curves' option. You can use
 the following command to generate an X25519 key:
 
diff --git a/doc/man1/genpkey.pod b/doc/man1/genpkey.pod
index d8f1c24..fc83efa 100644
--- a/doc/man1/genpkey.pod
+++ b/doc/man1/genpkey.pod
@@ -241,10 +241,10 @@ numeric OID. Following parameter sets are supported:
 
 =back
 
-=head1 X25519 KEY GENERATION OPTIONS
-
-The X25519 algorithm does not currently support any key generation options.
+=head1 X25519 and X448 KEY GENERATION OPTIONS
 
+The X25519 and X448 algorithms do not currently support any key generation
+options.
 
 =head1 NOTES
 
diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod
index 4c12f13..f693e22 100644
--- a/doc/man1/pkeyutl.pod
+++ b/doc/man1/pkeyutl.pod
@@ -282,10 +282,10 @@ verify operations use ECDSA and derive uses ECDH. Currently there are no
 additional options other than B<digest>. Only the SHA1 digest can be used and
 this digest is assumed by default.
 
-=head1 X25519 ALGORITHM
+=head1 X25519 and X448 ALGORITHMS
 
-The X25519 algorithm supports key derivation only. Currently there are no
-additional options.
+The X25519 and X448 algorithms support key derivation only. Currently there are
+no additional options.
 
 =head1 EXAMPLES
 
diff --git a/doc/man7/Ed25519.pod b/doc/man7/Ed25519.pod
index a75164a..da6cbc0 100644
--- a/doc/man7/Ed25519.pod
+++ b/doc/man7/Ed25519.pod
@@ -2,16 +2,18 @@
 
 =head1 NAME
 
-Ed25519 - EVP_PKEY Ed25519 support
+Ed25519,
+Ed448
+- EVP_PKEY Ed25519 and Ed448 support
 
 =head1 DESCRIPTION
 
-The B<Ed25519> EVP_PKEY implementation supports key generation, one shot
-digest sign and digest verify using PureEdDSA and B<Ed25519> (see RFC8032).
-It has associated private and public key formats compatible with
+The B<Ed25519> and B<Ed448> EVP_PKEY implementation supports key generation,
+one-shot digest sign and digest verify using PureEdDSA and B<Ed25519> or B<Ed448>
+(see RFC8032). It has associated private and public key formats compatible with
 draft-ietf-curdle-pkix-04.
 
-No additional parameters can be set during key generation one shot signing or
+No additional parameters can be set during key generation one-shot signing or
 verification. In particular, because PureEdDSA is used, when signing or
 verifying a digest must B<NOT> be specified.
 
@@ -19,20 +21,24 @@ verifying a digest must B<NOT> be specified.
 
 The PureEdDSA algorithm does not support the streaming mechanism
 of other signature algorithms using, for example, EVP_DigestUpdate().
-The message to sign or verify must be passed using the one shot
+The message to sign or verify must be passed using the one-shot
 EVP_DigestSign() asn EVP_DigestVerify() functions.
 
 When calling EVP_DigestSignInit() or EVP_DigestSignUpdate() the
 digest parameter B<MUST> be set to B<NULL>.
 
 Applications wishing to sign certificates (or other structures such as
-CRLs or certificate requests) using Ed25519 can either use X509_sign()
+CRLs or certificate requests) using Ed25519 or Ed448 can either use X509_sign()
 or X509_sign_ctx() in the usual way.
 
 A context for the B<Ed25519> algorithm can be obtained by calling:
 
  EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);
 
+For the B<Ed448> algorithm a context can be obtained by calling:
+
+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED448, NULL);
+
 =head1 EXAMPLE
 
 This example generates an B<ED25519> private key and writes it to standard
@@ -57,7 +63,7 @@ L<EVP_DigestVerifyInit(3)>,
 
 =head1 COPYRIGHT
 
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man7/X25519.pod b/doc/man7/X25519.pod
index 96522c5..69ab0b4 100644
--- a/doc/man7/X25519.pod
+++ b/doc/man7/X25519.pod
@@ -2,13 +2,15 @@
 
 =head1 NAME
 
-X25519 - EVP_PKEY X25519 support
+X25519,
+X448
+- EVP_PKEY X25519 and X448 support
 
 =head1 DESCRIPTION
 
-The B<X25519> EVP_PKEY implementation supports key generation and key
-derivation using B<X25519>. It has associated private and public key formats
-compatible with draft-ietf-curdle-pkix-03.
+The B<X25519> and B<X448> EVP_PKEY implementation supports key generation and
+key derivation using B<X25519> and B<X448>. It has associated private and public
+key formats compatible with draft-ietf-curdle-pkix-03.
 
 No additional parameters can be set during key generation.
 
@@ -21,6 +23,10 @@ A context for the B<X25519> algorithm can be obtained by calling:
 
  EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL);
 
+For the B<X448> algorithm a context can be obtained by calling:
+
+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X448, NULL);
+
 =head1 EXAMPLE
 
 This example generates an B<X25519> private key and writes it to standard
@@ -37,7 +43,7 @@ output in PEM format:
  PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL);
 
 The key derivation example in L<EVP_PKEY_derive(3)> can be used with
-B<X25519>.
+B<X25519> and B<X448>.
 
 =head1 SEE ALSO
 
@@ -48,7 +54,7 @@ L<EVP_PKEY_derive_set_peer(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h
index 289cd8c..dbaa8d1 100644
--- a/include/openssl/ecerr.h
+++ b/include/openssl/ecerr.h
@@ -167,6 +167,8 @@ int ERR_load_EC_strings(void);
 #  define EC_F_OSSL_ECDSA_VERIFY_SIG                       250
 #  define EC_F_PKEY_ECD_CTRL                               271
 #  define EC_F_PKEY_ECD_DIGESTSIGN                         272
+#  define EC_F_PKEY_ECD_DIGESTSIGN25519                    276
+#  define EC_F_PKEY_ECD_DIGESTSIGN448                      277
 #  define EC_F_PKEY_ECX_DERIVE                             269
 #  define EC_F_PKEY_EC_CTRL                                197
 #  define EC_F_PKEY_EC_CTRL_STR                            198
@@ -174,6 +176,7 @@ int ERR_load_EC_strings(void);
 #  define EC_F_PKEY_EC_KEYGEN                              199
 #  define EC_F_PKEY_EC_PARAMGEN                            219
 #  define EC_F_PKEY_EC_SIGN                                218
+#  define EC_F_VALIDATE_ECX_DERIVE                         278
 
 /*
  * EC reason codes.
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index e135de6..9727e9d 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -59,6 +59,8 @@
 # define EVP_PKEY_SIPHASH NID_siphash
 # define EVP_PKEY_X25519 NID_X25519
 # define EVP_PKEY_ED25519 NID_ED25519
+# define EVP_PKEY_X448 NID_X448
+# define EVP_PKEY_ED448 NID_ED448
 
 #ifdef  __cplusplus
 extern "C" {
diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt
index 2e88c11..017ab41 100644
--- a/test/recipes/30-test_evp_data/evppkey.txt
+++ b/test/recipes/30-test_evp_data/evppkey.txt
@@ -748,6 +748,56 @@ Result = KEYOP_INIT_ERROR
 Function = EVP_PKEY_verify_init
 Reason = operation not supported for this keytype
 
+Title = X448 test vectors (from RFC7748 6.2)
+
+PrivateKey=Alice-448
+-----BEGIN PRIVATE KEY-----
+MEYCAQAwBQYDK2VvBDoEOJqPSSXRUZ9Xdc9GsEtYANTunui66LxVZdSYwo3Zybr1
+dKlBl0SJc5EAY4Km8SerHZrC2MClmHJr
+-----END PRIVATE KEY-----
+
+PublicKey=Alice-448-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEIwBQYDK2VvAzkAmwj3zDG34+Z9ItWuoSEHSic70rg94Jxj+qc9LCLF2bvINmRy
+QdlT1AxbEtqIEg1TF3+A5TLEH6A=
+-----END PUBLIC KEY-----
+
+PrivPubKeyPair = Alice-448:Alice-448-PUBLIC
+
+PrivateKey=Bob-448
+-----BEGIN PRIVATE KEY-----
+MEYCAQAwBQYDK2VvBDoEOBwwanrCoOLgmQspRHDLoznmRTdysHWBHY+tDR1pJ8Eg
+u17olysNPiE3TJySGwnRsDZvELZRc5kt
+-----END PRIVATE KEY-----
+
+PublicKey=Bob-448-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEIwBQYDK2VvAzkAPreoKbDNIPW8/AtZm2/sz22kYnEHvbDU80W0MCfYuXL8PjT7
+QjKhPKcG3LV67D2uB73BxnvzNgk=
+-----END PUBLIC KEY-----
+
+PrivPubKeyPair = Bob-448:Bob-448-PUBLIC
+
+Derive=Alice-448
+PeerKey=Bob-448-PUBLIC
+SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
+
+Derive=Bob-448
+PeerKey=Alice-448-PUBLIC
+SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
+
+# Illegal sign/verify operations with X448 key
+
+Sign=Alice-448
+Result = KEYOP_INIT_ERROR
+Function = EVP_PKEY_sign_init
+Reason = operation not supported for this keytype
+
+Verify=Alice-448
+Result = KEYOP_INIT_ERROR
+Function = EVP_PKEY_verify_init
+Reason = operation not supported for this keytype
+
 
 # Additional RSA-PSS and RSA-OAEP tests converted from
 # ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
@@ -17172,9 +17222,18 @@ Result = KEYPAIR_MISMATCH
 PrivPubKeyPair = Bob-25519:Alice-25519-PUBLIC
 Result = KEYPAIR_MISMATCH
 
+PrivPubKeyPair = Alice-448:Bob-448-PUBLIC
+Result = KEYPAIR_MISMATCH
+
+PrivPubKeyPair = Bob-448:Alice-448-PUBLIC
+Result = KEYPAIR_MISMATCH
+
 PrivPubKeyPair = Alice-25519:P-256-PUBLIC
 Result = KEYPAIR_TYPE_MISMATCH
 
+PrivPubKeyPair = Alice-448:P-256-PUBLIC
+Result = KEYPAIR_TYPE_MISMATCH
+
 PrivPubKeyPair = RSA-2048:P-256-PUBLIC
 Result = KEYPAIR_TYPE_MISMATCH
 
@@ -17448,6 +17507,198 @@ DigestSign = SHA256
 Key = ED25519-1
 Result = DIGESTSIGNINIT_ERROR
 
+
+Title = ED448 tests from RFC8032
+
+PrivateKey=ED448-1
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOWyCpWLLgI0Q1jK+ichRPr9skp803fqMn2PJlg7240ij
+UoyKP8wvBE45o/xblEkvjwMudUmiAJj5Ww==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-2
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOcTqsF01cAfGMvPbtISJkk1VKwj+DDU6DUofAKzaLEY6
+++pnxejSh3xeO8OXplmUnvgCHpVOChInTg==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-3
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOc0j0k9xQnTnRDQyN7kykPUR9kJfmOZEWf8gPomFCD/9
+9gUAVTq8DgXNAhhL24nEzNZ+GHlRJn6zKA==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-4
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOSWM3UraMu2cn/VOY3Vq5YL7j6sqxyHyyOZ2pydoUT2T
+n2Pd21VgkTPymt+G7Jkp3MtSwcX9L/fiGw==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-5
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOX706EVEI2dS+7VrjzGiOhDkKBT19VygN83MEcZMmjsp
+ScG7YHADFGEXMqbC/qmO68AmahGpOXAQDg==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-6
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOdZd80GtE+AIVnaIuu3ajp3NwX3AJJdOpbQie2Uw4zm/
+8h+Z5oymlo88ym3+D7n0+rT6E11VQuo/AQ==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-7
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOS7F/jwXBFq9sTal5qkT4yq3WuaLU9L8FJt35QQTLTdW
+m352a6dKGb1hYjQ6IchZCqnOvKkBTGNt9Q==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-8
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOYctCTeA9dNzDffCEmZLN7ig8k9WgQ2qg4LNT6P3djTs
+RNxU8cLtm+qG+vt2Mti+GZ6hZfWtVd2c6A==
+-----END PRIVATE KEY-----
+
+PublicKey=ED448-1-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAX9dEm1m0Yf0s54fsYWrUah2hNCSFpw4fig6nXYDpZ3jt8SR2
+m0bHBhvWeD3x5Q9s0foavq/oJWGA
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-2-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAQ7oo9DDN/0Vq5TFUX37NCsg0pV2TWMA3K/oMbGeYwIZq6gHr
+AHQoArhDjqTLghacI1FgYntMOpSA
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-3-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoA3OqeePNaG/NJmoMbELhskKrAHNhLZ6AQm1WjbpMoseNl/OFh
+1xznExpUPqTLX36fHYsAaWRHABQA
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-4-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAO6FtoMbyzB8wGHdAdW9eeY1rxfwBXXxjzJUQ7j/UStwk2Olo
+tuRub5TRm5RTYXJr114UnvCYF/WA
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-5-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAs9oHmwqkk6V3ICnwRnuuvuWoES2dOiJTI2HaKU97s4FcXcWe
+F2tNnzgcoJOOE8bAexdL5l36V46A
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-6-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoA35cF9Y7bq4Asf4Njz+VWCrHGEywgqfHdFjSDom+KxTo51oCL
+9KHfvSYbCZuwOz+1CQbLKL2KCB8A
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-7-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAeXVvAU3P4gefXdnnGL5BceLvJIagjyUYb2v/Q6mTa5v+EkAr
+CK5leYo9geIunsgOdpCGLvPU7ToA
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-8-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAqBsuinClrJT/28ybrfw/6wgB8lhXi7EUrUTs4ewOeZ2gjv+4
+HF1oXAxW9k7srvjN8RzDhzeDjPQA
+-----END PUBLIC KEY-----
+
+PrivPubKeyPair = ED448-1:ED448-1-PUBLIC
+
+PrivPubKeyPair = ED448-2:ED448-2-PUBLIC
+
+PrivPubKeyPair = ED448-3:ED448-3-PUBLIC
+
+PrivPubKeyPair = ED448-4:ED448-4-PUBLIC
+
+PrivPubKeyPair = ED448-5:ED448-5-PUBLIC
+
+PrivPubKeyPair = ED448-6:ED448-6-PUBLIC
+
+PrivPubKeyPair = ED448-7:ED448-7-PUBLIC
+
+PrivPubKeyPair = ED448-8:ED448-8-PUBLIC
+
+OneShotDigestSign = NULL
+Key = ED448-1
+Input = ""
+Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600
+
+OneShotDigestSign = NULL
+Key = ED448-2
+Input = 03
+Output = 26b8f91727bd62897af15e41eb43c377efb9c610d48f2335cb0bd0087810f4352541b143c4b981b7e18f62de8ccdf633fc1bf037ab7cd779805e0dbcc0aae1cbcee1afb2e027df36bc04dcecbf154336c19f0af7e0a6472905e799f1953d2a0ff3348ab21aa4adafd1d234441cf807c03a00
+
+OneShotDigestSign = NULL
+Key = ED448-3
+Input = 0c3e544074ec63b0265e0c
+Output = 1f0a8888ce25e8d458a21130879b840a9089d999aaba039eaf3e3afa090a09d389dba82c4ff2ae8ac5cdfb7c55e94d5d961a29fe0109941e00b8dbdeea6d3b051068df7254c0cdc129cbe62db2dc957dbb47b51fd3f213fb8698f064774250a5028961c9bf8ffd973fe5d5c206492b140e00
+
+OneShotDigestSign = NULL
+Key = ED448-4
+Input = 64a65f3cdedcdd66811e2915
+Output = 7eeeab7c4e50fb799b418ee5e3197ff6bf15d43a14c34389b59dd1a7b1b85b4ae90438aca634bea45e3a2695f1270f07fdcdf7c62b8efeaf00b45c2c96ba457eb1a8bf075a3db28e5c24f6b923ed4ad747c3c9e03c7079efb87cb110d3a99861e72003cbae6d6b8b827e4e6c143064ff3c00
+
+OneShotDigestSign = NULL
+Key = ED448-5
+Input = 64a65f3cdedcdd66811e2915e7
+Output = 6a12066f55331b6c22acd5d5bfc5d71228fbda80ae8dec26bdd306743c5027cb4890810c162c027468675ecf645a83176c0d7323a2ccde2d80efe5a1268e8aca1d6fbc194d3f77c44986eb4ab4177919ad8bec33eb47bbb5fc6e28196fd1caf56b4e7e0ba5519234d047155ac727a1053100
+
+OneShotDigestSign = NULL
+Key = ED448-6
+Input = bd0f6a3747cd561bdddf4640a332461a4a30a12a434cd0bf40d766d9c6d458e5512204a30c17d1f50b5079631f64eb3112182da3005835461113718d1a5ef944
+Output = 554bc2480860b49eab8532d2a533b7d578ef473eeb58c98bb2d0e1ce488a98b18dfde9b9b90775e67f47d4a1c3482058efc9f40d2ca033a0801b63d45b3b722ef552bad3b4ccb667da350192b61c508cf7b6b5adadc2c8d9a446ef003fb05cba5f30e88e36ec2703b349ca229c2670833900
+
+OneShotDigestSign = NULL
+Key = ED448-7
+Input = 15777532b0bdd0d1389f636c5f6b9ba734c90af572877e2d272dd078aa1e567cfa80e12928bb542330e8409f3174504107ecd5efac61ae7504dabe2a602ede89e5cca6257a7c77e27a702b3ae39fc769fc54f2395ae6a1178cab4738e543072fc1c177fe71e92e25bf03e4ecb72f47b64d0465aaea4c7fad372536c8ba516a6039c3c2a39f0e4d832be432dfa9a706a6e5c7e19f397964ca4258002f7c0541b590316dbc5622b6b2a6fe7a4abffd96105eca76ea7b98816af0748c10df048ce012d901015a51f189f3888145c03650aa23ce894c3bd889e030d565071c59f409a9981b51878fd6fc110624dcbcde0bf7a69ccce38fabdf86f3bef6044819de11
+Output = c650ddbb0601c19ca11439e1640dd931f43c518ea5bea70d3dcde5f4191fe53f00cf966546b72bcc7d58be2b9badef28743954e3a44a23f880e8d4f1cfce2d7a61452d26da05896f0a50da66a239a8a188b6d825b3305ad77b73fbac0836ecc60987fd08527c1a8e80d5823e65cafe2a3d00
+
+OneShotDigestSign = NULL
+Key = ED448-8
+Input = 6ddf802e1aae4986935f7f981ba3f0351d6273c0a0c22c9c0e8339168e675412a3debfaf435ed651558007db4384b650fcc07e3b586a27a4f7a00ac8a6fec2cd86ae4bf1570c41e6a40c931db27b2faa15a8cedd52cff7362c4e6e23daec0fbc3a79b6806e316efcc7b68119bf46bc76a26067a53f296dafdbdc11c77f7777e972660cf4b6a9b369a6665f02e0cc9b6edfad136b4fabe723d2813db3136cfde9b6d044322fee2947952e031b73ab5c603349b307bdc27bc6cb8b8bbd7bd323219b8033a581b59eadebb09b3c4f3d2277d4f0343624acc817804728b25ab797172b4c5c21a22f9c7839d64300232eb66e53f31c723fa37fe387c7d3e50bdf9813a30e5bb12cf4cd930c40cfb4e1fc622592a49588794494d56d24ea4b40c89fc0596cc9ebb961c8cb10adde976a5d602b1c3f85b9b9a001ed3c6a4d3b1437f52096cd1956d042a597d561a596ecd3d1735a8d570ea0ec27225a2c4aaff26306d1526c1af3ca6d9cf5a2c98f47e1c46db9a33234cfd4d81f2c98538a09ebe76998d0d8fd25997c7d255c6d66ece6fa56f11144950f027795e653008f4bd7ca2dee85d8e90f3dc315130ce2a00375a318c7c3d97be2c8ce5b6db41a6254ff264fa6155baee3b0773c0f497c573f19bb4f4240281f0b1f4f7be857a4e59d416c06b4c50fa09e1810ddc6b1467baeac5a3668d11b6ecaa901440016f389f80acc4db977025e7f5924388c7e340a732e554440e76570f8dd71b7d640b3450d1fd5f0410a18f9a3494f707c717b79b4bf75c98400b096b21653b5d217cf3565c9597456f70703497a078763829bc01bb1cbc8fa04eadc9a6e3f6699587a9e75c94e5bab0036e0b2e711392cff0047d0d6b05bd2a588bc109718954259f1d86678a579a3120f19cfb2963f177aeb70f2d4844826262e51b80271272068ef5b3856fa8535aa2a88b2d41f2a0e2fda7624c2850272ac4a2f561f8f2f7a318bfd5caf9696149e4ac824ad3460538fdc25421beec2cc6818162d06bbed0c40a387192349db67a118bada6cd5ab0140ee273204f628aad1c135f770279a651e24d8c14d75a6059d76b96a6fd857def5e0b354b27ab937a5815d16b5fae407ff18222c6d1ed263be68c95f32d908bd895cd76207ae726487567f9a67dad79abec316f683b17f2d02bf07e0ac8b5bc6162cf94697b3c27cd1fea49b27f23ba2901871962506520c392da8b6ad0d99f7013fbc06c2c17a569500c8a7696481c1cd33e9b14e40b82e79a5f5db82571ba97bae3ad3e0479515bb0e2b0f3bfcd1fd33034efc6245eddd7ee2086ddae2600d8ca73e214e8c2b0bdb2b047c6a464a562ed77b73d2d841c4b34973551257713b753632efba348169abc90a68f42611a40126d7cb21b58695568186f7e569d2ff0f9e745d0487dd2eb997cafc5abf9dd102e62ff66cba87
+Output = e301345a41a39a4d72fff8df69c98075a0cc082b802fc9b2b6bc503f926b65bddf7f4c8f1cb49f6396afc8a70abe6d8aef0db478d4c6b2970076c6a0484fe76d76b3a97625d79f1ce240e7c576750d295528286f719b413de9ada3e8eb78ed573603ce30d8bb761785dc30dbc320869e1a00
+
+# Verify test
+OneShotDigestVerify = NULL
+Key = ED448-1-PUBLIC
+Input = ""
+Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600
+
+# Corrupted input
+OneShotDigestVerify = NULL
+Key = ED448-1-PUBLIC
+Input = "bad"
+Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600
+Result = VERIFY_ERROR
+
+# Corrupted signature
+OneShotDigestVerify = NULL
+Key = ED448-1-PUBLIC
+Input = ""
+Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652601
+Result = VERIFY_ERROR
+
+# Make sure update calls return an error
+DigestSign = NULL
+Key = ED448-1
+Input = "Test"
+Result = DIGESTUPDATE_ERROR
+
+DigestVerify = NULL
+Key = ED448-1-PUBLIC
+Input = "Test"
+Result = DIGESTUPDATE_ERROR
+
+# Attempt to set invalid digest
+DigestSign = SHA256
+Key = ED448-1
+Result = DIGESTSIGNINIT_ERROR
+
+
 # Key generation tests
 KeyGen = rsaEncryption
 Ctrl = rsa_keygen_bits:128


More information about the openssl-commits mailing list