[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Fri Mar 2 10:27:17 UTC 2018
The branch master has been updated
via 21c03ee534ffa78ac44325ca30e1cfc18c2888c0 (commit)
via 92521a3ae789fcfed35790784c20f30b41651985 (commit)
via a2eecb5d2691d8a2e3481765683054f1edfcba36 (commit)
via 13735cfef69dfac2d36229810ea0400e2bc6526d (commit)
via f7869f1be610aaec85f25351a50b52e8130a2421 (commit)
from 4a56d2a3b3dca6f73e46b56625e1c0ac3634e62c (commit)
- Log -----------------------------------------------------------------
commit 21c03ee534ffa78ac44325ca30e1cfc18c2888c0
Author: Matt Caswell <matt at openssl.org>
Date: Tue Feb 20 15:27:15 2018 +0000
Update CHANGES for X448 and Ed448
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5481)
commit 92521a3ae789fcfed35790784c20f30b41651985
Author: Matt Caswell <matt at openssl.org>
Date: Fri Dec 1 17:59:23 2017 +0000
Add test vectors for X448 and Ed448
This adds the Ed448 test vectors from RFC8032 and the X448 test vectors
from RFC7748.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5481)
commit a2eecb5d2691d8a2e3481765683054f1edfcba36
Author: Matt Caswell <matt at openssl.org>
Date: Tue Feb 27 17:28:48 2018 +0000
Update some documentation for X448/Ed448
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5481)
commit 13735cfef69dfac2d36229810ea0400e2bc6526d
Author: Matt Caswell <matt at openssl.org>
Date: Wed Feb 28 14:59:44 2018 +0000
Integrate X448 and Ed448 into libcrypto
This adds all of the relevant EVP plumbing required to make
X448 and Ed448 work.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5481)
commit f7869f1be610aaec85f25351a50b52e8130a2421
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 28 16:27:07 2017 +0000
Add pkey types for curve448
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5481)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 4 +
crypto/asn1/standard_methods.h | 2 +
crypto/ec/ec_err.c | 5 +
crypto/ec/ec_lcl.h | 1 +
crypto/ec/ecx_meth.c | 416 ++++++++++++++++++++++--------
crypto/err/openssl.txt | 3 +
crypto/evp/pmeth_lib.c | 2 +
crypto/include/internal/asn1_int.h | 2 +
crypto/include/internal/evp_int.h | 18 ++
crypto/objects/obj_xref.h | 3 +-
crypto/objects/obj_xref.txt | 1 +
crypto/x509/x509type.c | 1 +
doc/HOWTO/keys.txt | 2 +-
doc/man1/genpkey.pod | 6 +-
doc/man1/pkeyutl.pod | 6 +-
doc/man7/Ed25519.pod | 22 +-
doc/man7/X25519.pod | 18 +-
include/openssl/ecerr.h | 3 +
include/openssl/evp.h | 2 +
test/recipes/30-test_evp_data/evppkey.txt | 251 ++++++++++++++++++
20 files changed, 643 insertions(+), 125 deletions(-)
diff --git a/CHANGES b/CHANGES
index e08644a..c835f6a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
Changes between 1.1.0g and 1.1.1 [xx XXX xxxx]
+ *) Added support for X448 and Ed448. Currently this is only supported in
+ libcrypto (not libssl). Heavily based on original work by Mike Hamburg.
+ [Matt Caswell]
+
*) Extend OSSL_STORE with capabilities to search and to narrow the set of
objects loaded. This adds the functions OSSL_STORE_expect() and
OSSL_STORE_find() as well as needed tools to construct searches and
diff --git a/crypto/asn1/standard_methods.h b/crypto/asn1/standard_methods.h
index d366aa0..7d1f97e 100644
--- a/crypto/asn1/standard_methods.h
+++ b/crypto/asn1/standard_methods.h
@@ -42,6 +42,7 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = {
#endif
#ifndef OPENSSL_NO_EC
&ecx25519_asn1_meth,
+ &ecx448_asn1_meth,
#endif
#ifndef OPENSSL_NO_POLY1305
&poly1305_asn1_meth,
@@ -51,6 +52,7 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = {
#endif
#ifndef OPENSSL_NO_EC
&ed25519_asn1_meth,
+ &ed448_asn1_meth,
#endif
};
diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
index 588e95c..fe90c01 100644
--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@@ -242,6 +242,10 @@ static const ERR_STRING_DATA EC_str_functs[] = {
"ossl_ecdsa_verify_sig"},
{ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_CTRL, 0), "pkey_ecd_ctrl"},
{ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_DIGESTSIGN, 0), "pkey_ecd_digestsign"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_DIGESTSIGN25519, 0),
+ "pkey_ecd_digestsign25519"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECD_DIGESTSIGN448, 0),
+ "pkey_ecd_digestsign448"},
{ERR_PACK(ERR_LIB_EC, EC_F_PKEY_ECX_DERIVE, 0), "pkey_ecx_derive"},
{ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_CTRL, 0), "pkey_ec_ctrl"},
{ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_CTRL_STR, 0), "pkey_ec_ctrl_str"},
@@ -249,6 +253,7 @@ static const ERR_STRING_DATA EC_str_functs[] = {
{ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_KEYGEN, 0), "pkey_ec_keygen"},
{ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_PARAMGEN, 0), "pkey_ec_paramgen"},
{ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_SIGN, 0), "pkey_ec_sign"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_VALIDATE_ECX_DERIVE, 0), "validate_ecx_derive"},
{0, NULL}
};
diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
index 421cd47..413a906 100644
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@@ -14,6 +14,7 @@
#include <openssl/ec.h>
#include <openssl/bn.h>
#include "internal/refcount.h"
+#include "curve448/curve448_lcl.h"
#if defined(__SUNPRO_C)
# if __SUNPRO_C >= 0x520
diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c
index 4f7cfec..272dfc6 100644
--- a/crypto/ec/ecx_meth.c
+++ b/crypto/ec/ecx_meth.c
@@ -16,30 +16,39 @@
#include "internal/evp_int.h"
#include "ec_lcl.h"
-#define X25519_KEYLEN 32
#define X25519_BITS 253
#define X25519_SECURITY_BITS 128
#define ED25519_SIGSIZE 64
-typedef struct {
- unsigned char pubkey[X25519_KEYLEN];
- unsigned char *privkey;
-} X25519_KEY;
+#define X448_BITS 448
+#define ED448_BITS 456
+#define X448_SECURITY_BITS 224
+
+#define ED448_SIGSIZE 114
+
+#define ISX448(id) ((id) == EVP_PKEY_X448)
+#define IS25519(id) ((id) == EVP_PKEY_X25519 || (id) == EVP_PKEY_ED25519)
+#define KEYLENID(id) (IS25519(id) ? X25519_KEYLEN \
+ : ((id) == EVP_PKEY_X448 ? X448_KEYLEN \
+ : ED448_KEYLEN))
+#define KEYLEN(p) KEYLENID((p)->ameth->pkey_id)
+
typedef enum {
- X25519_PUBLIC,
- X25519_PRIVATE,
- X25519_KEYGEN
+ KEY_OP_PUBLIC,
+ KEY_OP_PRIVATE,
+ KEY_OP_KEYGEN
} ecx_key_op_t;
/* Setup EVP_PKEY using public, private or generation */
static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg,
const unsigned char *p, int plen, ecx_key_op_t op)
{
- X25519_KEY *xkey;
+ ECX_KEY *key = NULL;
+ unsigned char *privkey, *pubkey;
- if (op != X25519_KEYGEN) {
+ if (op != KEY_OP_KEYGEN) {
if (palg != NULL) {
int ptype;
@@ -51,69 +60,85 @@ static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg,
}
}
- if (p == NULL || plen != X25519_KEYLEN) {
+ if (p == NULL || plen != KEYLENID(id)) {
ECerr(EC_F_ECX_KEY_OP, EC_R_INVALID_ENCODING);
return 0;
}
}
- xkey = OPENSSL_zalloc(sizeof(*xkey));
- if (xkey == NULL) {
+ key = OPENSSL_zalloc(sizeof(*key));
+ if (key == NULL) {
ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE);
return 0;
}
+ pubkey = key->pubkey;
- if (op == X25519_PUBLIC) {
- memcpy(xkey->pubkey, p, plen);
+ if (op == KEY_OP_PUBLIC) {
+ memcpy(pubkey, p, plen);
} else {
- xkey->privkey = OPENSSL_secure_malloc(X25519_KEYLEN);
- if (xkey->privkey == NULL) {
+ privkey = key->privkey = OPENSSL_secure_malloc(KEYLENID(id));
+ if (privkey == NULL) {
ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE);
- OPENSSL_free(xkey);
- return 0;
+ goto err;
}
- if (op == X25519_KEYGEN) {
- if (RAND_bytes(xkey->privkey, X25519_KEYLEN) <= 0) {
- OPENSSL_secure_free(xkey->privkey);
- OPENSSL_free(xkey);
- return 0;
+ if (op == KEY_OP_KEYGEN) {
+ if (RAND_priv_bytes(privkey, KEYLENID(id)) <= 0) {
+ OPENSSL_secure_free(privkey);
+ key->privkey = NULL;
+ goto err;
}
if (id == EVP_PKEY_X25519) {
- xkey->privkey[0] &= 248;
- xkey->privkey[31] &= 127;
- xkey->privkey[31] |= 64;
+ privkey[0] &= 248;
+ privkey[X25519_KEYLEN - 1] &= 127;
+ privkey[X25519_KEYLEN - 1] |= 64;
+ } else if (id == EVP_PKEY_X448) {
+ privkey[0] &= 252;
+ privkey[X448_KEYLEN - 1] |= 128;
}
} else {
- memcpy(xkey->privkey, p, X25519_KEYLEN);
+ memcpy(privkey, p, KEYLENID(id));
+ }
+ switch (id) {
+ case EVP_PKEY_X25519:
+ X25519_public_from_private(pubkey, privkey);
+ break;
+ case EVP_PKEY_ED25519:
+ ED25519_public_from_private(pubkey, privkey);
+ break;
+ case EVP_PKEY_X448:
+ X448_public_from_private(pubkey, privkey);
+ break;
+ case EVP_PKEY_ED448:
+ ED448_public_from_private(pubkey, privkey);
+ break;
}
- if (id == EVP_PKEY_X25519)
- X25519_public_from_private(xkey->pubkey, xkey->privkey);
- else
- ED25519_public_from_private(xkey->pubkey, xkey->privkey);
}
- EVP_PKEY_assign(pkey, id, xkey);
+ EVP_PKEY_assign(pkey, id, key);
return 1;
+ err:
+ OPENSSL_free(key);
+ return 0;
}
static int ecx_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
- const X25519_KEY *xkey = pkey->pkey.ptr;
+ const ECX_KEY *ecxkey = pkey->pkey.ecx;
unsigned char *penc;
- if (xkey == NULL) {
+ if (ecxkey == NULL) {
ECerr(EC_F_ECX_PUB_ENCODE, EC_R_INVALID_KEY);
return 0;
}
- penc = OPENSSL_memdup(xkey->pubkey, X25519_KEYLEN);
+ penc = OPENSSL_memdup(ecxkey->pubkey, KEYLEN(pkey));
if (penc == NULL) {
ECerr(EC_F_ECX_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
return 0;
}
if (!X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
- V_ASN1_UNDEF, NULL, penc, X25519_KEYLEN)) {
+ V_ASN1_UNDEF, NULL, penc, KEYLEN(pkey))) {
OPENSSL_free(penc);
ECerr(EC_F_ECX_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
return 0;
@@ -130,17 +155,18 @@ static int ecx_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey))
return 0;
return ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, pklen,
- X25519_PUBLIC);
+ KEY_OP_PUBLIC);
}
static int ecx_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
- const X25519_KEY *akey = a->pkey.ptr;
- const X25519_KEY *bkey = b->pkey.ptr;
+ const ECX_KEY *akey = a->pkey.ecx;
+ const ECX_KEY *bkey = b->pkey.ecx;
if (akey == NULL || bkey == NULL)
return -2;
- return !CRYPTO_memcmp(akey->pubkey, bkey->pubkey, X25519_KEYLEN);
+
+ return CRYPTO_memcmp(akey->pubkey, bkey->pubkey, KEYLEN(a)) == 0;
}
static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
@@ -163,25 +189,25 @@ static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
plen = ASN1_STRING_length(oct);
}
- rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, X25519_PRIVATE);
+ rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, KEY_OP_PRIVATE);
ASN1_OCTET_STRING_free(oct);
return rv;
}
static int ecx_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
{
- const X25519_KEY *xkey = pkey->pkey.ptr;
+ const ECX_KEY *ecxkey = pkey->pkey.ecx;
ASN1_OCTET_STRING oct;
unsigned char *penc = NULL;
int penclen;
- if (xkey == NULL || xkey->privkey == NULL) {
+ if (ecxkey == NULL || ecxkey->privkey == NULL) {
ECerr(EC_F_ECX_PRIV_ENCODE, EC_R_INVALID_PRIVATE_KEY);
return 0;
}
- oct.data = xkey->privkey;
- oct.length = X25519_KEYLEN;
+ oct.data = ecxkey->privkey;
+ oct.length = KEYLEN(pkey);
oct.flags = 0;
penclen = i2d_ASN1_OCTET_STRING(&oct, &penc);
@@ -202,26 +228,34 @@ static int ecx_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
static int ecx_size(const EVP_PKEY *pkey)
{
- return X25519_KEYLEN;
+ return KEYLEN(pkey);
}
static int ecx_bits(const EVP_PKEY *pkey)
{
- return X25519_BITS;
+ if (IS25519(pkey->ameth->pkey_id)) {
+ return X25519_BITS;
+ } else if(ISX448(pkey->ameth->pkey_id)) {
+ return X448_BITS;
+ } else {
+ return ED448_BITS;
+ }
}
static int ecx_security_bits(const EVP_PKEY *pkey)
{
- return X25519_SECURITY_BITS;
+ if (IS25519(pkey->ameth->pkey_id)) {
+ return X25519_SECURITY_BITS;
+ } else {
+ return X448_SECURITY_BITS;
+ }
}
static void ecx_free(EVP_PKEY *pkey)
{
- X25519_KEY *xkey = pkey->pkey.ptr;
-
- if (xkey)
- OPENSSL_secure_clear_free(xkey->privkey, X25519_KEYLEN);
- OPENSSL_free(xkey);
+ if (pkey->pkey.ecx != NULL)
+ OPENSSL_secure_clear_free(pkey->pkey.ecx->privkey, KEYLEN(pkey));
+ OPENSSL_free(pkey->pkey.ecx);
}
/* "parameters" are always equal */
@@ -233,12 +267,11 @@ static int ecx_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent,
ASN1_PCTX *ctx, ecx_key_op_t op)
{
- const X25519_KEY *xkey = pkey->pkey.ptr;
-
+ const ECX_KEY *ecxkey = pkey->pkey.ecx;
const char *nm = OBJ_nid2ln(pkey->ameth->pkey_id);
- if (op == X25519_PRIVATE) {
- if (xkey == NULL || xkey->privkey == NULL) {
+ if (op == KEY_OP_PRIVATE) {
+ if (ecxkey == NULL || ecxkey->privkey == NULL) {
if (BIO_printf(bp, "%*s<INVALID PRIVATE KEY>\n", indent, "") <= 0)
return 0;
return 1;
@@ -247,10 +280,11 @@ static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent,
return 0;
if (BIO_printf(bp, "%*spriv:\n", indent, "") <= 0)
return 0;
- if (ASN1_buf_print(bp, xkey->privkey, X25519_KEYLEN, indent + 4) == 0)
+ if (ASN1_buf_print(bp, ecxkey->privkey, KEYLEN(pkey),
+ indent + 4) == 0)
return 0;
} else {
- if (xkey == NULL) {
+ if (ecxkey == NULL) {
if (BIO_printf(bp, "%*s<INVALID PUBLIC KEY>\n", indent, "") <= 0)
return 0;
return 1;
@@ -260,7 +294,9 @@ static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent,
}
if (BIO_printf(bp, "%*spub:\n", indent, "") <= 0)
return 0;
- if (ASN1_buf_print(bp, xkey->pubkey, X25519_KEYLEN, indent + 4) == 0)
+
+ if (ASN1_buf_print(bp, ecxkey->pubkey, KEYLEN(pkey),
+ indent + 4) == 0)
return 0;
return 1;
}
@@ -268,13 +304,13 @@ static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent,
static int ecx_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
ASN1_PCTX *ctx)
{
- return ecx_key_print(bp, pkey, indent, ctx, X25519_PRIVATE);
+ return ecx_key_print(bp, pkey, indent, ctx, KEY_OP_PRIVATE);
}
static int ecx_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
ASN1_PCTX *ctx)
{
- return ecx_key_print(bp, pkey, indent, ctx, X25519_PUBLIC);
+ return ecx_key_print(bp, pkey, indent, ctx, KEY_OP_PUBLIC);
}
static int ecx_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
@@ -282,16 +318,16 @@ static int ecx_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
switch (op) {
case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
- return ecx_key_op(pkey, EVP_PKEY_X25519, NULL, arg2, arg1,
- X25519_PUBLIC);
+ return ecx_key_op(pkey, pkey->ameth->pkey_id, NULL, arg2, arg1,
+ KEY_OP_PUBLIC);
case ASN1_PKEY_CTRL_GET1_TLS_ENCPT:
- if (pkey->pkey.ptr != NULL) {
- const X25519_KEY *xkey = pkey->pkey.ptr;
+ if (pkey->pkey.ecx != NULL) {
unsigned char **ppt = arg2;
- *ppt = OPENSSL_memdup(xkey->pubkey, X25519_KEYLEN);
+
+ *ppt = OPENSSL_memdup(pkey->pkey.ecx->pubkey, KEYLEN(pkey));
if (*ppt != NULL)
- return X25519_KEYLEN;
+ return KEYLEN(pkey);
}
return 0;
@@ -335,21 +371,58 @@ const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth = {
NULL
};
-static int ecd_size(const EVP_PKEY *pkey)
+const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth = {
+ EVP_PKEY_X448,
+ EVP_PKEY_X448,
+ 0,
+ "X448",
+ "OpenSSL X448 algorithm",
+
+ ecx_pub_decode,
+ ecx_pub_encode,
+ ecx_pub_cmp,
+ ecx_pub_print,
+
+ ecx_priv_decode,
+ ecx_priv_encode,
+ ecx_priv_print,
+
+ ecx_size,
+ ecx_bits,
+ ecx_security_bits,
+
+ 0, 0, 0, 0,
+ ecx_cmp_parameters,
+ 0, 0,
+
+ ecx_free,
+ ecx_ctrl,
+ NULL,
+ NULL
+};
+
+static int ecd_size25519(const EVP_PKEY *pkey)
{
return ED25519_SIGSIZE;
}
+static int ecd_size448(const EVP_PKEY *pkey)
+{
+ return ED448_SIGSIZE;
+}
+
static int ecd_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
X509_ALGOR *sigalg, ASN1_BIT_STRING *str,
EVP_PKEY *pkey)
{
const ASN1_OBJECT *obj;
int ptype;
+ int nid;
+ /* Sanity check: make sure it is ED25519/ED448 with absent parameters */
X509_ALGOR_get0(&obj, &ptype, NULL, sigalg);
- /* Sanity check: make sure it is ED25519 with absent parameters */
- if (OBJ_obj2nid(obj) != NID_ED25519 || ptype != V_ASN1_UNDEF) {
+ nid = OBJ_obj2nid(obj);
+ if ((nid != NID_ED25519 && nid != NID_ED448) || ptype != V_ASN1_UNDEF) {
ECerr(EC_F_ECD_ITEM_VERIFY, EC_R_INVALID_ENCODING);
return 0;
}
@@ -360,9 +433,9 @@ static int ecd_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
return 2;
}
-static int ecd_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
- X509_ALGOR *alg1, X509_ALGOR *alg2,
- ASN1_BIT_STRING *str)
+static int ecd_item_sign25519(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+ X509_ALGOR *alg1, X509_ALGOR *alg2,
+ ASN1_BIT_STRING *str)
{
/* Set algorithms identifiers */
X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
@@ -372,14 +445,35 @@ static int ecd_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
return 3;
}
-static int ecd_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
- const ASN1_STRING *sig)
+static int ecd_sig_info_set25519(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
+ const ASN1_STRING *sig)
{
X509_SIG_INFO_set(siginf, NID_undef, NID_ED25519, X25519_SECURITY_BITS,
X509_SIG_INFO_TLS);
return 1;
}
+static int ecd_item_sign448(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+ X509_ALGOR *alg1, X509_ALGOR *alg2,
+ ASN1_BIT_STRING *str)
+{
+ /* Set algorithm identifier */
+ X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED448), V_ASN1_UNDEF, NULL);
+ if (alg2 != NULL)
+ X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED448), V_ASN1_UNDEF, NULL);
+ /* Algorithm identifier set: carry on as normal */
+ return 3;
+}
+
+static int ecd_sig_info_set448(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
+ const ASN1_STRING *sig)
+{
+ X509_SIG_INFO_set(siginf, NID_undef, NID_ED448, X448_SECURITY_BITS,
+ X509_SIG_INFO_TLS);
+ return 1;
+}
+
+
const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
EVP_PKEY_ED25519,
EVP_PKEY_ED25519,
@@ -396,7 +490,40 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
ecx_priv_encode,
ecx_priv_print,
- ecd_size,
+ ecd_size25519,
+ ecx_bits,
+ ecx_security_bits,
+
+ 0, 0, 0, 0,
+ ecx_cmp_parameters,
+ 0, 0,
+
+ ecx_free,
+ 0,
+ NULL,
+ NULL,
+ ecd_item_verify,
+ ecd_item_sign25519,
+ ecd_sig_info_set25519
+};
+
+const EVP_PKEY_ASN1_METHOD ed448_asn1_meth = {
+ EVP_PKEY_ED448,
+ EVP_PKEY_ED448,
+ 0,
+ "ED448",
+ "OpenSSL ED448 algorithm",
+
+ ecx_pub_decode,
+ ecx_pub_encode,
+ ecx_pub_cmp,
+ ecx_pub_print,
+
+ ecx_priv_decode,
+ ecx_priv_encode,
+ ecx_priv_print,
+
+ ecd_size448,
ecx_bits,
ecx_security_bits,
@@ -409,37 +536,65 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
NULL,
NULL,
ecd_item_verify,
- ecd_item_sign,
- ecd_sig_info_set
+ ecd_item_sign448,
+ ecd_sig_info_set448
};
static int pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
- return ecx_key_op(pkey, ctx->pmeth->pkey_id, NULL, NULL, 0, X25519_KEYGEN);
+ return ecx_key_op(pkey, ctx->pmeth->pkey_id, NULL, NULL, 0, KEY_OP_KEYGEN);
}
-static int pkey_ecx_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
- size_t *keylen)
+static int validate_ecx_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
+ size_t *keylen,
+ const unsigned char **privkey,
+ const unsigned char **pubkey)
{
- const X25519_KEY *pkey, *peerkey;
+ const ECX_KEY *ecxkey, *peerkey;
if (ctx->pkey == NULL || ctx->peerkey == NULL) {
- ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_KEYS_NOT_SET);
+ ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_KEYS_NOT_SET);
return 0;
}
- pkey = ctx->pkey->pkey.ptr;
- peerkey = ctx->peerkey->pkey.ptr;
- if (pkey == NULL || pkey->privkey == NULL) {
- ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_INVALID_PRIVATE_KEY);
+ ecxkey = ctx->pkey->pkey.ecx;
+ peerkey = ctx->peerkey->pkey.ecx;
+ if (ecxkey == NULL || ecxkey->privkey == NULL) {
+ ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_INVALID_PRIVATE_KEY);
return 0;
}
if (peerkey == NULL) {
- ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_INVALID_PEER_KEY);
+ ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_INVALID_PEER_KEY);
return 0;
}
+ *privkey = ecxkey->privkey;
+ *pubkey = peerkey->pubkey;
+
+ return 1;
+}
+
+static int pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key,
+ size_t *keylen)
+{
+ const unsigned char *privkey, *pubkey;
+
+ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)
+ || (key != NULL
+ && X25519(key, privkey, pubkey) == 0))
+ return 0;
*keylen = X25519_KEYLEN;
- if (key != NULL && X25519(key, pkey->privkey, peerkey->pubkey) == 0)
+ return 1;
+}
+
+static int pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key,
+ size_t *keylen)
+{
+ const unsigned char *privkey, *pubkey;
+
+ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)
+ || (key != NULL
+ && X448(key, privkey, pubkey) == 0))
return 0;
+ *keylen = X448_KEYLEN;
return 1;
}
@@ -456,23 +611,33 @@ const EVP_PKEY_METHOD ecx25519_pkey_meth = {
0, 0, 0, 0, 0, 0, 0,
pkey_ecx_keygen,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- pkey_ecx_derive,
+ pkey_ecx_derive25519,
pkey_ecx_ctrl,
0
};
-static int pkey_ecd_digestsign(EVP_MD_CTX *ctx, unsigned char *sig,
- size_t *siglen, const unsigned char *tbs,
- size_t tbslen)
+const EVP_PKEY_METHOD ecx448_pkey_meth = {
+ EVP_PKEY_X448,
+ 0, 0, 0, 0, 0, 0, 0,
+ pkey_ecx_keygen,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ pkey_ecx_derive448,
+ pkey_ecx_ctrl,
+ 0
+};
+
+static int pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, unsigned char *sig,
+ size_t *siglen, const unsigned char *tbs,
+ size_t tbslen)
{
- const X25519_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ptr;
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
if (sig == NULL) {
*siglen = ED25519_SIGSIZE;
return 1;
}
if (*siglen < ED25519_SIGSIZE) {
- ECerr(EC_F_PKEY_ECD_DIGESTSIGN, EC_R_BUFFER_TOO_SMALL);
+ ECerr(EC_F_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL);
return 0;
}
@@ -482,11 +647,33 @@ static int pkey_ecd_digestsign(EVP_MD_CTX *ctx, unsigned char *sig,
return 1;
}
-static int pkey_ecd_digestverify(EVP_MD_CTX *ctx, const unsigned char *sig,
- size_t siglen, const unsigned char *tbs,
- size_t tbslen)
+static int pkey_ecd_digestsign448(EVP_MD_CTX *ctx, unsigned char *sig,
+ size_t *siglen, const unsigned char *tbs,
+ size_t tbslen)
+{
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+
+ if (sig == NULL) {
+ *siglen = ED448_SIGSIZE;
+ return 1;
+ }
+ if (*siglen < ED448_SIGSIZE) {
+ ECerr(EC_F_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ if (ED448_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey, NULL,
+ 0) == 0)
+ return 0;
+ *siglen = ED448_SIGSIZE;
+ return 1;
+}
+
+static int pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, const unsigned char *sig,
+ size_t siglen, const unsigned char *tbs,
+ size_t tbslen)
{
- const X25519_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ptr;
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
if (siglen != ED25519_SIGSIZE)
return 0;
@@ -494,6 +681,18 @@ static int pkey_ecd_digestverify(EVP_MD_CTX *ctx, const unsigned char *sig,
return ED25519_verify(tbs, tbslen, sig, edkey->pubkey);
}
+static int pkey_ecd_digestverify448(EVP_MD_CTX *ctx, const unsigned char *sig,
+ size_t siglen, const unsigned char *tbs,
+ size_t tbslen)
+{
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+
+ if (siglen != ED448_SIGSIZE)
+ return 0;
+
+ return ED448_verify(tbs, tbslen, sig, edkey->pubkey, NULL, 0);
+}
+
static int pkey_ecd_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{
switch (type) {
@@ -517,6 +716,17 @@ const EVP_PKEY_METHOD ed25519_pkey_meth = {
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
pkey_ecd_ctrl,
0,
- pkey_ecd_digestsign,
- pkey_ecd_digestverify
+ pkey_ecd_digestsign25519,
+ pkey_ecd_digestverify25519
+};
+
+const EVP_PKEY_METHOD ed448_pkey_meth = {
+ EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
+ 0, 0, 0, 0, 0, 0,
+ pkey_ecx_keygen,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ pkey_ecd_ctrl,
+ 0,
+ pkey_ecd_digestsign448,
+ pkey_ecd_digestverify448
};
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index e406bec..318b400 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -594,6 +594,8 @@ EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig
EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig
EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl
EC_F_PKEY_ECD_DIGESTSIGN:272:pkey_ecd_digestsign
+EC_F_PKEY_ECD_DIGESTSIGN25519:276:pkey_ecd_digestsign25519
+EC_F_PKEY_ECD_DIGESTSIGN448:277:pkey_ecd_digestsign448
EC_F_PKEY_ECX_DERIVE:269:pkey_ecx_derive
EC_F_PKEY_EC_CTRL:197:pkey_ec_ctrl
EC_F_PKEY_EC_CTRL_STR:198:pkey_ec_ctrl_str
@@ -601,6 +603,7 @@ EC_F_PKEY_EC_DERIVE:217:pkey_ec_derive
EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen
EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen
EC_F_PKEY_EC_SIGN:218:pkey_ec_sign
+EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive
ENGINE_F_DIGEST_UPDATE:198:digest_update
ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl
ENGINE_F_DYNAMIC_GET_DATA_CTX:181:dynamic_get_data_ctx
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 2d9f4fc..d3b8136 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -51,6 +51,7 @@ static const EVP_PKEY_METHOD *standard_methods[] = {
&tls1_prf_pkey_meth,
#ifndef OPENSSL_NO_EC
&ecx25519_pkey_meth,
+ &ecx448_pkey_meth,
#endif
&hkdf_pkey_meth,
#ifndef OPENSSL_NO_POLY1305
@@ -61,6 +62,7 @@ static const EVP_PKEY_METHOD *standard_methods[] = {
#endif
#ifndef OPENSSL_NO_EC
&ed25519_pkey_meth,
+ &ed448_pkey_meth,
#endif
};
diff --git a/crypto/include/internal/asn1_int.h b/crypto/include/internal/asn1_int.h
index 90d525a..664d4d6 100644
--- a/crypto/include/internal/asn1_int.h
+++ b/crypto/include/internal/asn1_int.h
@@ -68,7 +68,9 @@ extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[5];
extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ed448_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD poly1305_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth;
diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h
index a838a2a..77c8731 100644
--- a/crypto/include/internal/evp_int.h
+++ b/crypto/include/internal/evp_int.h
@@ -90,7 +90,9 @@ extern const EVP_PKEY_METHOD dhx_pkey_meth;
extern const EVP_PKEY_METHOD dsa_pkey_meth;
extern const EVP_PKEY_METHOD ec_pkey_meth;
extern const EVP_PKEY_METHOD ecx25519_pkey_meth;
+extern const EVP_PKEY_METHOD ecx448_pkey_meth;
extern const EVP_PKEY_METHOD ed25519_pkey_meth;
+extern const EVP_PKEY_METHOD ed448_pkey_meth;
extern const EVP_PKEY_METHOD hmac_pkey_meth;
extern const EVP_PKEY_METHOD rsa_pkey_meth;
extern const EVP_PKEY_METHOD rsa_pss_pkey_meth;
@@ -361,6 +363,21 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
cipher##_init_key, NULL, NULL, NULL, NULL)
+# ifndef OPENSSL_NO_EC
+
+#define X25519_KEYLEN 32
+#define X448_KEYLEN 56
+#define ED448_KEYLEN 57
+
+#define MAX_KEYLEN ED448_KEYLEN
+
+typedef struct {
+ unsigned char pubkey[MAX_KEYLEN];
+ unsigned char *privkey;
+} ECX_KEY;
+
+#endif
+
/*
* Type needs to be a bit field Sub-type needs to be for variations on the
* method, as in, can it do arbitrary encryption....
@@ -385,6 +402,7 @@ struct evp_pkey_st {
# endif
# ifndef OPENSSL_NO_EC
struct ec_key_st *ec; /* ECC */
+ ECX_KEY *ecx; /* X25519, X448, Ed25519, Ed448 */
# endif
} pkey;
int save_parameters;
diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h
index ebd5bf5..9606e57 100644
--- a/crypto/objects/obj_xref.h
+++ b/crypto/objects/obj_xref.h
@@ -74,6 +74,7 @@ static const nid_triple sigoid_srt[] = {
{NID_id_tc26_signwithdigest_gost3410_2012_512, NID_id_GostR3411_2012_512,
NID_id_GostR3410_2012_512},
{NID_ED25519, NID_undef, NID_ED25519},
+ {NID_ED448, NID_undef, NID_ED448},
{NID_RSA_SHA3_224, NID_sha3_224, NID_rsaEncryption},
{NID_RSA_SHA3_256, NID_sha3_256, NID_rsaEncryption},
{NID_RSA_SHA3_384, NID_sha3_384, NID_rsaEncryption},
@@ -120,8 +121,8 @@ static const nid_triple *const sigoid_srt_xref[] = {
&sigoid_srt[28],
&sigoid_srt[40],
&sigoid_srt[41],
- &sigoid_srt[43],
&sigoid_srt[44],
&sigoid_srt[45],
&sigoid_srt[46],
+ &sigoid_srt[47],
};
diff --git a/crypto/objects/obj_xref.txt b/crypto/objects/obj_xref.txt
index c8dee7b..ca3e744 100644
--- a/crypto/objects/obj_xref.txt
+++ b/crypto/objects/obj_xref.txt
@@ -22,6 +22,7 @@ RSA_SHA3_512 sha3_512 rsaEncryption
# method should handle this explicitly.
rsassaPss undef rsaEncryption
ED25519 undef ED25519
+ED448 undef ED448
# Alternative deprecated OIDs. By using the older "rsa" OID this
# type will be recognized by not normally used.
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index 37f4d31..7eef1fb 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -41,6 +41,7 @@ int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey)
case EVP_PKEY_EC:
ret = EVP_PK_EC | EVP_PKT_SIGN | EVP_PKT_EXCH;
break;
+ case EVP_PKEY_ED448:
case EVP_PKEY_ED25519:
ret = EVP_PKT_SIGN;
break;
diff --git a/doc/HOWTO/keys.txt b/doc/HOWTO/keys.txt
index 1662c17..9f0967c 100644
--- a/doc/HOWTO/keys.txt
+++ b/doc/HOWTO/keys.txt
@@ -98,7 +98,7 @@ it may be reasonable to avoid protecting it with a password, since
otherwise someone would have to type in the password every time the
server needs to access the key.
-For X25519, it's treated as a distinct algorithm but not as one of
+For X25519 and X448, it's treated as a distinct algorithm but not as one of
the curves listed with 'ecparam -list_curves' option. You can use
the following command to generate an X25519 key:
diff --git a/doc/man1/genpkey.pod b/doc/man1/genpkey.pod
index d8f1c24..fc83efa 100644
--- a/doc/man1/genpkey.pod
+++ b/doc/man1/genpkey.pod
@@ -241,10 +241,10 @@ numeric OID. Following parameter sets are supported:
=back
-=head1 X25519 KEY GENERATION OPTIONS
-
-The X25519 algorithm does not currently support any key generation options.
+=head1 X25519 and X448 KEY GENERATION OPTIONS
+The X25519 and X448 algorithms do not currently support any key generation
+options.
=head1 NOTES
diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod
index 4c12f13..f693e22 100644
--- a/doc/man1/pkeyutl.pod
+++ b/doc/man1/pkeyutl.pod
@@ -282,10 +282,10 @@ verify operations use ECDSA and derive uses ECDH. Currently there are no
additional options other than B<digest>. Only the SHA1 digest can be used and
this digest is assumed by default.
-=head1 X25519 ALGORITHM
+=head1 X25519 and X448 ALGORITHMS
-The X25519 algorithm supports key derivation only. Currently there are no
-additional options.
+The X25519 and X448 algorithms support key derivation only. Currently there are
+no additional options.
=head1 EXAMPLES
diff --git a/doc/man7/Ed25519.pod b/doc/man7/Ed25519.pod
index a75164a..da6cbc0 100644
--- a/doc/man7/Ed25519.pod
+++ b/doc/man7/Ed25519.pod
@@ -2,16 +2,18 @@
=head1 NAME
-Ed25519 - EVP_PKEY Ed25519 support
+Ed25519,
+Ed448
+- EVP_PKEY Ed25519 and Ed448 support
=head1 DESCRIPTION
-The B<Ed25519> EVP_PKEY implementation supports key generation, one shot
-digest sign and digest verify using PureEdDSA and B<Ed25519> (see RFC8032).
-It has associated private and public key formats compatible with
+The B<Ed25519> and B<Ed448> EVP_PKEY implementation supports key generation,
+one-shot digest sign and digest verify using PureEdDSA and B<Ed25519> or B<Ed448>
+(see RFC8032). It has associated private and public key formats compatible with
draft-ietf-curdle-pkix-04.
-No additional parameters can be set during key generation one shot signing or
+No additional parameters can be set during key generation one-shot signing or
verification. In particular, because PureEdDSA is used, when signing or
verifying a digest must B<NOT> be specified.
@@ -19,20 +21,24 @@ verifying a digest must B<NOT> be specified.
The PureEdDSA algorithm does not support the streaming mechanism
of other signature algorithms using, for example, EVP_DigestUpdate().
-The message to sign or verify must be passed using the one shot
+The message to sign or verify must be passed using the one-shot
EVP_DigestSign() asn EVP_DigestVerify() functions.
When calling EVP_DigestSignInit() or EVP_DigestSignUpdate() the
digest parameter B<MUST> be set to B<NULL>.
Applications wishing to sign certificates (or other structures such as
-CRLs or certificate requests) using Ed25519 can either use X509_sign()
+CRLs or certificate requests) using Ed25519 or Ed448 can either use X509_sign()
or X509_sign_ctx() in the usual way.
A context for the B<Ed25519> algorithm can be obtained by calling:
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);
+For the B<Ed448> algorithm a context can be obtained by calling:
+
+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED448, NULL);
+
=head1 EXAMPLE
This example generates an B<ED25519> private key and writes it to standard
@@ -57,7 +63,7 @@ L<EVP_DigestVerifyInit(3)>,
=head1 COPYRIGHT
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/X25519.pod b/doc/man7/X25519.pod
index 96522c5..69ab0b4 100644
--- a/doc/man7/X25519.pod
+++ b/doc/man7/X25519.pod
@@ -2,13 +2,15 @@
=head1 NAME
-X25519 - EVP_PKEY X25519 support
+X25519,
+X448
+- EVP_PKEY X25519 and X448 support
=head1 DESCRIPTION
-The B<X25519> EVP_PKEY implementation supports key generation and key
-derivation using B<X25519>. It has associated private and public key formats
-compatible with draft-ietf-curdle-pkix-03.
+The B<X25519> and B<X448> EVP_PKEY implementation supports key generation and
+key derivation using B<X25519> and B<X448>. It has associated private and public
+key formats compatible with draft-ietf-curdle-pkix-03.
No additional parameters can be set during key generation.
@@ -21,6 +23,10 @@ A context for the B<X25519> algorithm can be obtained by calling:
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL);
+For the B<X448> algorithm a context can be obtained by calling:
+
+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X448, NULL);
+
=head1 EXAMPLE
This example generates an B<X25519> private key and writes it to standard
@@ -37,7 +43,7 @@ output in PEM format:
PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL);
The key derivation example in L<EVP_PKEY_derive(3)> can be used with
-B<X25519>.
+B<X25519> and B<X448>.
=head1 SEE ALSO
@@ -48,7 +54,7 @@ L<EVP_PKEY_derive_set_peer(3)>
=head1 COPYRIGHT
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h
index 289cd8c..dbaa8d1 100644
--- a/include/openssl/ecerr.h
+++ b/include/openssl/ecerr.h
@@ -167,6 +167,8 @@ int ERR_load_EC_strings(void);
# define EC_F_OSSL_ECDSA_VERIFY_SIG 250
# define EC_F_PKEY_ECD_CTRL 271
# define EC_F_PKEY_ECD_DIGESTSIGN 272
+# define EC_F_PKEY_ECD_DIGESTSIGN25519 276
+# define EC_F_PKEY_ECD_DIGESTSIGN448 277
# define EC_F_PKEY_ECX_DERIVE 269
# define EC_F_PKEY_EC_CTRL 197
# define EC_F_PKEY_EC_CTRL_STR 198
@@ -174,6 +176,7 @@ int ERR_load_EC_strings(void);
# define EC_F_PKEY_EC_KEYGEN 199
# define EC_F_PKEY_EC_PARAMGEN 219
# define EC_F_PKEY_EC_SIGN 218
+# define EC_F_VALIDATE_ECX_DERIVE 278
/*
* EC reason codes.
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index e135de6..9727e9d 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -59,6 +59,8 @@
# define EVP_PKEY_SIPHASH NID_siphash
# define EVP_PKEY_X25519 NID_X25519
# define EVP_PKEY_ED25519 NID_ED25519
+# define EVP_PKEY_X448 NID_X448
+# define EVP_PKEY_ED448 NID_ED448
#ifdef __cplusplus
extern "C" {
diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt
index 2e88c11..017ab41 100644
--- a/test/recipes/30-test_evp_data/evppkey.txt
+++ b/test/recipes/30-test_evp_data/evppkey.txt
@@ -748,6 +748,56 @@ Result = KEYOP_INIT_ERROR
Function = EVP_PKEY_verify_init
Reason = operation not supported for this keytype
+Title = X448 test vectors (from RFC7748 6.2)
+
+PrivateKey=Alice-448
+-----BEGIN PRIVATE KEY-----
+MEYCAQAwBQYDK2VvBDoEOJqPSSXRUZ9Xdc9GsEtYANTunui66LxVZdSYwo3Zybr1
+dKlBl0SJc5EAY4Km8SerHZrC2MClmHJr
+-----END PRIVATE KEY-----
+
+PublicKey=Alice-448-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEIwBQYDK2VvAzkAmwj3zDG34+Z9ItWuoSEHSic70rg94Jxj+qc9LCLF2bvINmRy
+QdlT1AxbEtqIEg1TF3+A5TLEH6A=
+-----END PUBLIC KEY-----
+
+PrivPubKeyPair = Alice-448:Alice-448-PUBLIC
+
+PrivateKey=Bob-448
+-----BEGIN PRIVATE KEY-----
+MEYCAQAwBQYDK2VvBDoEOBwwanrCoOLgmQspRHDLoznmRTdysHWBHY+tDR1pJ8Eg
+u17olysNPiE3TJySGwnRsDZvELZRc5kt
+-----END PRIVATE KEY-----
+
+PublicKey=Bob-448-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEIwBQYDK2VvAzkAPreoKbDNIPW8/AtZm2/sz22kYnEHvbDU80W0MCfYuXL8PjT7
+QjKhPKcG3LV67D2uB73BxnvzNgk=
+-----END PUBLIC KEY-----
+
+PrivPubKeyPair = Bob-448:Bob-448-PUBLIC
+
+Derive=Alice-448
+PeerKey=Bob-448-PUBLIC
+SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
+
+Derive=Bob-448
+PeerKey=Alice-448-PUBLIC
+SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
+
+# Illegal sign/verify operations with X448 key
+
+Sign=Alice-448
+Result = KEYOP_INIT_ERROR
+Function = EVP_PKEY_sign_init
+Reason = operation not supported for this keytype
+
+Verify=Alice-448
+Result = KEYOP_INIT_ERROR
+Function = EVP_PKEY_verify_init
+Reason = operation not supported for this keytype
+
# Additional RSA-PSS and RSA-OAEP tests converted from
# ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
@@ -17172,9 +17222,18 @@ Result = KEYPAIR_MISMATCH
PrivPubKeyPair = Bob-25519:Alice-25519-PUBLIC
Result = KEYPAIR_MISMATCH
+PrivPubKeyPair = Alice-448:Bob-448-PUBLIC
+Result = KEYPAIR_MISMATCH
+
+PrivPubKeyPair = Bob-448:Alice-448-PUBLIC
+Result = KEYPAIR_MISMATCH
+
PrivPubKeyPair = Alice-25519:P-256-PUBLIC
Result = KEYPAIR_TYPE_MISMATCH
+PrivPubKeyPair = Alice-448:P-256-PUBLIC
+Result = KEYPAIR_TYPE_MISMATCH
+
PrivPubKeyPair = RSA-2048:P-256-PUBLIC
Result = KEYPAIR_TYPE_MISMATCH
@@ -17448,6 +17507,198 @@ DigestSign = SHA256
Key = ED25519-1
Result = DIGESTSIGNINIT_ERROR
+
+Title = ED448 tests from RFC8032
+
+PrivateKey=ED448-1
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOWyCpWLLgI0Q1jK+ichRPr9skp803fqMn2PJlg7240ij
+UoyKP8wvBE45o/xblEkvjwMudUmiAJj5Ww==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-2
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOcTqsF01cAfGMvPbtISJkk1VKwj+DDU6DUofAKzaLEY6
+++pnxejSh3xeO8OXplmUnvgCHpVOChInTg==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-3
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOc0j0k9xQnTnRDQyN7kykPUR9kJfmOZEWf8gPomFCD/9
+9gUAVTq8DgXNAhhL24nEzNZ+GHlRJn6zKA==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-4
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOSWM3UraMu2cn/VOY3Vq5YL7j6sqxyHyyOZ2pydoUT2T
+n2Pd21VgkTPymt+G7Jkp3MtSwcX9L/fiGw==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-5
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOX706EVEI2dS+7VrjzGiOhDkKBT19VygN83MEcZMmjsp
+ScG7YHADFGEXMqbC/qmO68AmahGpOXAQDg==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-6
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOdZd80GtE+AIVnaIuu3ajp3NwX3AJJdOpbQie2Uw4zm/
+8h+Z5oymlo88ym3+D7n0+rT6E11VQuo/AQ==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-7
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOS7F/jwXBFq9sTal5qkT4yq3WuaLU9L8FJt35QQTLTdW
+m352a6dKGb1hYjQ6IchZCqnOvKkBTGNt9Q==
+-----END PRIVATE KEY-----
+
+PrivateKey=ED448-8
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOYctCTeA9dNzDffCEmZLN7ig8k9WgQ2qg4LNT6P3djTs
+RNxU8cLtm+qG+vt2Mti+GZ6hZfWtVd2c6A==
+-----END PRIVATE KEY-----
+
+PublicKey=ED448-1-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAX9dEm1m0Yf0s54fsYWrUah2hNCSFpw4fig6nXYDpZ3jt8SR2
+m0bHBhvWeD3x5Q9s0foavq/oJWGA
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-2-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAQ7oo9DDN/0Vq5TFUX37NCsg0pV2TWMA3K/oMbGeYwIZq6gHr
+AHQoArhDjqTLghacI1FgYntMOpSA
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-3-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoA3OqeePNaG/NJmoMbELhskKrAHNhLZ6AQm1WjbpMoseNl/OFh
+1xznExpUPqTLX36fHYsAaWRHABQA
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-4-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAO6FtoMbyzB8wGHdAdW9eeY1rxfwBXXxjzJUQ7j/UStwk2Olo
+tuRub5TRm5RTYXJr114UnvCYF/WA
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-5-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAs9oHmwqkk6V3ICnwRnuuvuWoES2dOiJTI2HaKU97s4FcXcWe
+F2tNnzgcoJOOE8bAexdL5l36V46A
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-6-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoA35cF9Y7bq4Asf4Njz+VWCrHGEywgqfHdFjSDom+KxTo51oCL
+9KHfvSYbCZuwOz+1CQbLKL2KCB8A
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-7-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAeXVvAU3P4gefXdnnGL5BceLvJIagjyUYb2v/Q6mTa5v+EkAr
+CK5leYo9geIunsgOdpCGLvPU7ToA
+-----END PUBLIC KEY-----
+
+PublicKey=ED448-8-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAqBsuinClrJT/28ybrfw/6wgB8lhXi7EUrUTs4ewOeZ2gjv+4
+HF1oXAxW9k7srvjN8RzDhzeDjPQA
+-----END PUBLIC KEY-----
+
+PrivPubKeyPair = ED448-1:ED448-1-PUBLIC
+
+PrivPubKeyPair = ED448-2:ED448-2-PUBLIC
+
+PrivPubKeyPair = ED448-3:ED448-3-PUBLIC
+
+PrivPubKeyPair = ED448-4:ED448-4-PUBLIC
+
+PrivPubKeyPair = ED448-5:ED448-5-PUBLIC
+
+PrivPubKeyPair = ED448-6:ED448-6-PUBLIC
+
+PrivPubKeyPair = ED448-7:ED448-7-PUBLIC
+
+PrivPubKeyPair = ED448-8:ED448-8-PUBLIC
+
+OneShotDigestSign = NULL
+Key = ED448-1
+Input = ""
+Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600
+
+OneShotDigestSign = NULL
+Key = ED448-2
+Input = 03
+Output = 26b8f91727bd62897af15e41eb43c377efb9c610d48f2335cb0bd0087810f4352541b143c4b981b7e18f62de8ccdf633fc1bf037ab7cd779805e0dbcc0aae1cbcee1afb2e027df36bc04dcecbf154336c19f0af7e0a6472905e799f1953d2a0ff3348ab21aa4adafd1d234441cf807c03a00
+
+OneShotDigestSign = NULL
+Key = ED448-3
+Input = 0c3e544074ec63b0265e0c
+Output = 1f0a8888ce25e8d458a21130879b840a9089d999aaba039eaf3e3afa090a09d389dba82c4ff2ae8ac5cdfb7c55e94d5d961a29fe0109941e00b8dbdeea6d3b051068df7254c0cdc129cbe62db2dc957dbb47b51fd3f213fb8698f064774250a5028961c9bf8ffd973fe5d5c206492b140e00
+
+OneShotDigestSign = NULL
+Key = ED448-4
+Input = 64a65f3cdedcdd66811e2915
+Output = 7eeeab7c4e50fb799b418ee5e3197ff6bf15d43a14c34389b59dd1a7b1b85b4ae90438aca634bea45e3a2695f1270f07fdcdf7c62b8efeaf00b45c2c96ba457eb1a8bf075a3db28e5c24f6b923ed4ad747c3c9e03c7079efb87cb110d3a99861e72003cbae6d6b8b827e4e6c143064ff3c00
+
+OneShotDigestSign = NULL
+Key = ED448-5
+Input = 64a65f3cdedcdd66811e2915e7
+Output = 6a12066f55331b6c22acd5d5bfc5d71228fbda80ae8dec26bdd306743c5027cb4890810c162c027468675ecf645a83176c0d7323a2ccde2d80efe5a1268e8aca1d6fbc194d3f77c44986eb4ab4177919ad8bec33eb47bbb5fc6e28196fd1caf56b4e7e0ba5519234d047155ac727a1053100
+
+OneShotDigestSign = NULL
+Key = ED448-6
+Input = bd0f6a3747cd561bdddf4640a332461a4a30a12a434cd0bf40d766d9c6d458e5512204a30c17d1f50b5079631f64eb3112182da3005835461113718d1a5ef944
+Output = 554bc2480860b49eab8532d2a533b7d578ef473eeb58c98bb2d0e1ce488a98b18dfde9b9b90775e67f47d4a1c3482058efc9f40d2ca033a0801b63d45b3b722ef552bad3b4ccb667da350192b61c508cf7b6b5adadc2c8d9a446ef003fb05cba5f30e88e36ec2703b349ca229c2670833900
+
+OneShotDigestSign = NULL
+Key = ED448-7
+Input = 15777532b0bdd0d1389f636c5f6b9ba734c90af572877e2d272dd078aa1e567cfa80e12928bb542330e8409f3174504107ecd5efac61ae7504dabe2a602ede89e5cca6257a7c77e27a702b3ae39fc769fc54f2395ae6a1178cab4738e543072fc1c177fe71e92e25bf03e4ecb72f47b64d0465aaea4c7fad372536c8ba516a6039c3c2a39f0e4d832be432dfa9a706a6e5c7e19f397964ca4258002f7c0541b590316dbc5622b6b2a6fe7a4abffd96105eca76ea7b98816af0748c10df048ce012d901015a51f189f3888145c03650aa23ce894c3bd889e030d565071c59f409a9981b51878fd6fc110624dcbcde0bf7a69ccce38fabdf86f3bef6044819de11
+Output = c650ddbb0601c19ca11439e1640dd931f43c518ea5bea70d3dcde5f4191fe53f00cf966546b72bcc7d58be2b9badef28743954e3a44a23f880e8d4f1cfce2d7a61452d26da05896f0a50da66a239a8a188b6d825b3305ad77b73fbac0836ecc60987fd08527c1a8e80d5823e65cafe2a3d00
+
+OneShotDigestSign = NULL
+Key = ED448-8
+Input = 6ddf802e1aae4986935f7f981ba3f0351d6273c0a0c22c9c0e8339168e675412a3debfaf435ed651558007db4384b650fcc07e3b586a27a4f7a00ac8a6fec2cd86ae4bf1570c41e6a40c931db27b2faa15a8cedd52cff7362c4e6e23daec0fbc3a79b6806e316efcc7b68119bf46bc76a26067a53f296dafdbdc11c77f7777e972660cf4b6a9b369a6665f02e0cc9b6edfad136b4fabe723d2813db3136cfde9b6d044322fee2947952e031b73ab5c603349b307bdc27bc6cb8b8bbd7bd323219b8033a581b59eadebb09b3c4f3d2277d4f0343624acc817804728b25ab797172b4c5c21a22f9c7839d64300232eb66e53f31c723fa37fe387c7d3e50bdf9813a30e5bb12cf4cd930c40cfb4e1fc622592a49588794494d56d24ea4b40c89fc0596cc9ebb961c8cb10adde976a5d602b1c3f85b9b9a001ed3c6a4d3b1437f52096cd1956d042a597d561a596ecd3d1735a8d570ea0ec27225a2c4aaff26306d1526c1af3ca6d9cf5a2c98f47e1c46db9a33234cfd4d81f2c98538a09ebe76998d0d8fd25997c7d255c6d66ece6fa56f11144950f027795e653008f4bd7ca2dee85d8e90f3dc315130ce2a00375a318c7c3d97be2c8ce5b6db41a6254ff264fa6155baee3b0773c0f497c573f19bb4f4240281f0b1f4f7be857a4e59d416c06b4c50fa09e1810ddc6b1467baeac5a3668d11b6ecaa901440016f389f80acc4db977025e7f5924388c7e340a732e554440e76570f8dd71b7d640b3450d1fd5f0410a18f9a3494f707c717b79b4bf75c98400b096b21653b5d217cf3565c9597456f70703497a078763829bc01bb1cbc8fa04eadc9a6e3f6699587a9e75c94e5bab0036e0b2e711392cff0047d0d6b05bd2a588bc109718954259f1d86678a579a3120f19cfb2963f177aeb70f2d4844826262e51b80271272068ef5b3856fa8535aa2a88b2d41f2a0e2fda7624c2850272ac4a2f561f8f2f7a318bfd5caf9696149e4ac824ad3460538fdc25421beec2cc6818162d06bbed0c40a387192349db67a118bada6cd5ab0140ee273204f628aad1c135f770279a651e24d8c14d75a6059d76b96a6fd857def5e0b354b27ab937a5815d16b5fae407ff18222c6d1ed263be68c95f32d908bd895cd76207ae726487567f9a67dad79abec316f683b17f2d02bf07e0ac8b5bc6162cf94697b3c27cd1fea49b27f23ba2901871962506520c392da8b6ad0d99f7013fbc06c2c17a569500c8a7696481c1cd33e9b14e40b82e79a5f5db82571ba97bae3ad3e0479515bb0e2b0f3bfcd1fd33034efc6245eddd7ee2086ddae2600d8ca73e214e8c2b0bdb2b047c6a464a562ed77b73d2d841c4b34973551257713b753632efba348169abc90a68f42611a40126d7cb21b58695568186f7e569d2ff0f9e745d0487dd2eb997cafc5abf9dd102e62ff66cba87
+Output = e301345a41a39a4d72fff8df69c98075a0cc082b802fc9b2b6bc503f926b65bddf7f4c8f1cb49f6396afc8a70abe6d8aef0db478d4c6b2970076c6a0484fe76d76b3a97625d79f1ce240e7c576750d295528286f719b413de9ada3e8eb78ed573603ce30d8bb761785dc30dbc320869e1a00
+
+# Verify test
+OneShotDigestVerify = NULL
+Key = ED448-1-PUBLIC
+Input = ""
+Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600
+
+# Corrupted input
+OneShotDigestVerify = NULL
+Key = ED448-1-PUBLIC
+Input = "bad"
+Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600
+Result = VERIFY_ERROR
+
+# Corrupted signature
+OneShotDigestVerify = NULL
+Key = ED448-1-PUBLIC
+Input = ""
+Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652601
+Result = VERIFY_ERROR
+
+# Make sure update calls return an error
+DigestSign = NULL
+Key = ED448-1
+Input = "Test"
+Result = DIGESTUPDATE_ERROR
+
+DigestVerify = NULL
+Key = ED448-1-PUBLIC
+Input = "Test"
+Result = DIGESTUPDATE_ERROR
+
+# Attempt to set invalid digest
+DigestSign = SHA256
+Key = ED448-1
+Result = DIGESTSIGNINIT_ERROR
+
+
# Key generation tests
KeyGen = rsaEncryption
Ctrl = rsa_keygen_bits:128
More information about the openssl-commits
mailing list