algorithms: implement X448 key exchange and Ed448 signature scheme

Signed-off-by: Daiki Ueno <dueno@redhat.com>
author: Daiki Ueno <dueno@redhat.com> 2019-04-22 08:27:43 +0200
committer: Daiki Ueno <dueno@redhat.com> 2020-01-23 07:07:22 +0100
commit: 07596231f2e4b3c28d1587907ce51fe15c2d990a (patch)
tree: bc1b94b9ad3c1fe5548510580d05ca00b280b30d /lib
parent: af5e42aba4294ce09a263573febe840e804cf1ed (diff)
download: gnutls-07596231f2e4b3c28d1587907ce51fe15c2d990a.tar.gz
22 files changed, 348 insertions, 52 deletions
diff --git a/lib/algorithms.h b/lib/algorithms.h
index fadf269871..c68a266cc9 100644
--- a/lib/algorithms.h
+++ b/lib/algorithms.h
@@ -44,7 +44,9 @@
 		      ((x)==GNUTLS_PK_GOST_12_256)|| \
 		      ((x)==GNUTLS_PK_GOST_12_512))
 
-#define IS_EC(x) (((x)==GNUTLS_PK_ECDSA)||((x)==GNUTLS_PK_ECDH_X25519)||((x)==GNUTLS_PK_EDDSA_ED25519))
+#define IS_EC(x) (((x)==GNUTLS_PK_ECDSA)|| \
+		  ((x)==GNUTLS_PK_ECDH_X25519)||((x)==GNUTLS_PK_EDDSA_ED25519)|| \
+		  ((x)==GNUTLS_PK_ECDH_X448)||((x)==GNUTLS_PK_EDDSA_ED448))
 
 #define SIG_SEM_PRE_TLS12 (1<<1)
 #define SIG_SEM_TLS13 (1<<2)
@@ -450,7 +452,8 @@ inline static int _curve_is_eddsa(const gnutls_ecc_curve_entry_st * e)
 {
 	if (unlikely(e == NULL))
 		return 0;
-	if (e->pk == GNUTLS_PK_EDDSA_ED25519)
+	if (e->pk == GNUTLS_PK_EDDSA_ED25519 ||
+	    e->pk == GNUTLS_PK_EDDSA_ED448)
 		return 1;
 	return 0;
 }
diff --git a/lib/algorithms/ecc.c b/lib/algorithms/ecc.c
index 8b4b78f67d..14351b87ad 100644
--- a/lib/algorithms/ecc.c
+++ b/lib/algorithms/ecc.c
@@ -96,6 +96,22 @@ gnutls_ecc_curve_entry_st ecc_curves[] = {
 	 .sig_size = 64,
 	 .supported = 1,
 	},
+	{
+	 .name = "X448",
+	 .id = GNUTLS_ECC_CURVE_X448,
+	 .pk = GNUTLS_PK_ECDH_X448,
+	 .size = 56,
+	 .supported = 1,
+	},
+	{
+	 .name = "Ed448",
+	 .oid = SIG_ED448_OID,
+	 .id = GNUTLS_ECC_CURVE_ED448,
+	 .pk = GNUTLS_PK_EDDSA_ED448,
+	 .size = 57,
+	 .sig_size = 114,
+	 .supported = 1,
+	},
 #if ENABLE_GOST
 	/* Curves for usage in GOST digital signature algorithm (GOST R
 	 * 34.10-2001/-2012) and key agreement (VKO GOST R 34.10-2001/-2012).
diff --git a/lib/algorithms/groups.c b/lib/algorithms/groups.c
index 6e1326666a..d4b77beb2a 100644
--- a/lib/algorithms/groups.c
+++ b/lib/algorithms/groups.c
@@ -125,6 +125,13 @@ static const gnutls_group_entry_st supported_groups[] = {
 	 .tls_id = 40,
 	},
 #endif
+	{
+	 .name = "X448",
+	 .id = GNUTLS_GROUP_X448,
+	 .curve = GNUTLS_ECC_CURVE_X448,
+	 .tls_id = 30,
+	 .pk = GNUTLS_PK_ECDH_X448
+	},
 #ifdef ENABLE_DHE
 	{
 	 .name = "FFDHE2048",
diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c
index 376c76df06..edd6e10acc 100644
--- a/lib/algorithms/mac.c
+++ b/lib/algorithms/mac.c
@@ -183,6 +183,14 @@ mac_entry_st hash_algorithms[] = {
 	 .key_size = 32,
 	 .block_size = 8,
 	 .flags = GNUTLS_MAC_FLAG_CONTINUOUS_MAC},
+	{.name = "SHAKE-128",
+	 .oid = HASH_OID_SHAKE_128,
+	 .id = GNUTLS_MAC_SHAKE_128,
+	 .block_size = 168},
+	{.name = "SHAKE-256",
+	 .oid = HASH_OID_SHAKE_256,
+	 .id = GNUTLS_MAC_SHAKE_256,
+	 .block_size = 136},
 	{.name = "MAC-NULL",
 	 .id = GNUTLS_MAC_NULL},
 	{0, 0, 0, 0, 0, 0, 0, 0, 0}
diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c
index dc535c2f65..c298a38936 100644
--- a/lib/algorithms/publickey.c
+++ b/lib/algorithms/publickey.c
@@ -51,6 +51,7 @@ static const gnutls_pk_map pk_mappings[] = {
 	{GNUTLS_KX_ECDHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN},
 	{GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EC, CIPHER_SIGN},
 	{GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EDDSA_ED25519, CIPHER_SIGN},
+	{GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EDDSA_ED448, CIPHER_SIGN},
 	{GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA, CIPHER_SIGN},
 	{GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA_PSS, CIPHER_SIGN},
 	{GNUTLS_KX_ECDHE_RSA, GNUTLS_PK_RSA_PSS, CIPHER_SIGN},
@@ -141,10 +142,14 @@ static const gnutls_pk_entry pk_algorithms[] = {
 	   .curve = GNUTLS_ECC_CURVE_INVALID },
 	{ .name = "EdDSA (Ed25519)", .oid = SIG_EDDSA_SHA512_OID, .id = GNUTLS_PK_EDDSA_ED25519, 
 	  .curve = GNUTLS_ECC_CURVE_ED25519, .no_prehashed = 1 },
+	{ .name = "EdDSA (Ed448)", .oid = SIG_ED448_OID, .id = GNUTLS_PK_EDDSA_ED448,
+	  .curve = GNUTLS_ECC_CURVE_ED448, .no_prehashed = 1 },
 	{ .name = "DH", .oid = NULL, .id = GNUTLS_PK_DH,
 	   .curve = GNUTLS_ECC_CURVE_INVALID },
 	{ .name = "ECDH (X25519)", .oid = "1.3.101.110", .id = GNUTLS_PK_ECDH_X25519,
 	  .curve = GNUTLS_ECC_CURVE_X25519 },
+	{ .name = "ECDH (X448)", .oid = "1.3.101.111", .id = GNUTLS_PK_ECDH_X448,
+	  .curve = GNUTLS_ECC_CURVE_X448 },
 	{ .name = "UNKNOWN", .oid = NULL, .id = GNUTLS_PK_UNKNOWN, 
 	  .curve = GNUTLS_ECC_CURVE_INVALID },
 	{0, 0, 0, 0}
diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c
index 167c5fb51b..9c95e388ae 100644
--- a/lib/algorithms/sign.c
+++ b/lib/algorithms/sign.c
@@ -125,6 +125,17 @@ gnutls_sign_entry_st sign_algorithms[] = {
 	 .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
 	 .aid = {{8, 7}, SIG_SEM_DEFAULT}},
 
+	 /* Ed448: The hash algorithm here is set to be SHAKE256, although that is
+	  * an internal detail of Ed448; we set it, because CMS/PKCS#7 requires
+	  * that mapping. */
+	 {.name = "EdDSA-Ed448",
+	 .oid = SIG_ED448_OID,
+	 .id = GNUTLS_SIGN_EDDSA_ED448,
+	 .pk = GNUTLS_PK_EDDSA_ED448,
+	 .hash = GNUTLS_DIG_SHAKE_256,
+	 .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
+	 .aid = {{8, 8}, SIG_SEM_DEFAULT}},
+
 	 /* ECDSA */
 	 /* The following three signature algorithms
 	  * have different semantics when used under TLS 1.2
diff --git a/lib/auth/ecdhe.c b/lib/auth/ecdhe.c
index 8c20d6c1cc..883f6cd046 100644
--- a/lib/auth/ecdhe.c
+++ b/lib/auth/ecdhe.c
@@ -172,7 +172,8 @@ int _gnutls_proc_ecdh_common_client_kx(gnutls_session_t session,
 			gnutls_assert();
 			goto cleanup;
 		}
-	} else if (ecurve->pk == GNUTLS_PK_ECDH_X25519) {
+	} else if (ecurve->pk == GNUTLS_PK_ECDH_X25519 ||
+		   ecurve->pk == GNUTLS_PK_ECDH_X448) {
 		if (ecurve->size != point_size)
 			return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 
@@ -183,7 +184,8 @@ int _gnutls_proc_ecdh_common_client_kx(gnutls_session_t session,
 			goto cleanup;
 		}
 
-		/* RFC7748 requires to mask the MSB in the final byte */
+		/* RFC7748 requires to mask the MSB in the final byte
+		 * for X25519 (not X448) */
 		if (ecurve->id == GNUTLS_ECC_CURVE_X25519) {
 			session->key.proto.tls12.ecdh.raw.data[point_size-1] &= 0x7f;
 		}
@@ -282,7 +284,7 @@ _gnutls_gen_ecdh_common_client_kx_int(gnutls_session_t session,
 			gnutls_assert();
 			goto cleanup;
 		}
-	} else if (pk == GNUTLS_PK_ECDH_X25519) {
+	} else if (pk == GNUTLS_PK_ECDH_X25519 || pk == GNUTLS_PK_ECDH_X448) {
 		ret =
 		    _gnutls_buffer_append_data_prefix(data, 8,
 					session->key.proto.tls12.ecdh.params.raw_pub.data,
@@ -382,7 +384,8 @@ _gnutls_proc_ecdh_common_server_kx(gnutls_session_t session,
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 
-	} else if (ecurve->pk == GNUTLS_PK_ECDH_X25519) {
+	} else if (ecurve->pk == GNUTLS_PK_ECDH_X25519 ||
+		   ecurve->pk == GNUTLS_PK_ECDH_X448) {
 		if (ecurve->size != point_size)
 			return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 
@@ -391,7 +394,8 @@ _gnutls_proc_ecdh_common_server_kx(gnutls_session_t session,
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 
-		/* RFC7748 requires to mask the MSB in the final byte */
+		/* RFC7748 requires to mask the MSB in the final byte
+		 * for X25519 (not X448) */
 		if (ecurve->id == GNUTLS_ECC_CURVE_X25519) {
 			session->key.proto.tls12.ecdh.raw.data[point_size-1] &= 0x7f;
 		}
@@ -462,7 +466,8 @@ int _gnutls_ecdh_common_print_server_kx(gnutls_session_t session,
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 
-	} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
+	} else if (group->pk == GNUTLS_PK_ECDH_X25519 ||
+		   group->pk == GNUTLS_PK_ECDH_X448) {
 		ret =
 			_gnutls_buffer_append_data_prefix(data, 8,
 					session->key.proto.tls12.ecdh.params.raw_pub.data,
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index 4ae12c96b5..41dd1b7326 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -75,6 +75,7 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent
 	int ret;
 
 	if (group->pk != GNUTLS_PK_EC && group->pk != GNUTLS_PK_ECDH_X25519 &&
+	    group->pk != GNUTLS_PK_ECDH_X448 &&
 	    group->pk != GNUTLS_PK_DH) {
 		_gnutls_debug_log("Cannot send key share for group %s!\n", group->name);
 		return GNUTLS_E_INT_RET_0;
@@ -115,7 +116,8 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent
 
 		ret = 0;
 
-	} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
+	} else if (group->pk == GNUTLS_PK_ECDH_X25519 ||
+		   group->pk == GNUTLS_PK_ECDH_X448) {
 		gnutls_pk_params_release(&session->key.kshare.ecdhx_params);
 		gnutls_pk_params_init(&session->key.kshare.ecdhx_params);
 
@@ -195,6 +197,7 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent
 	int ret;
 
 	if (group->pk != GNUTLS_PK_EC && group->pk != GNUTLS_PK_ECDH_X25519 &&
+	    group->pk != GNUTLS_PK_ECDH_X448 &&
 	    group->pk != GNUTLS_PK_DH) {
 		_gnutls_debug_log("Cannot send key share for group %s!\n", group->name);
 		return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
@@ -224,7 +227,8 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent
 
 		ret = 0;
 
-	} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
+	} else if (group->pk == GNUTLS_PK_ECDH_X25519 ||
+		   group->pk == GNUTLS_PK_ECDH_X448) {
 		ret =
 		    _gnutls_buffer_append_data_prefix(extdata, 16,
 				session->key.kshare.ecdhx_params.raw_pub.data,
@@ -300,7 +304,8 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
 
 		ret = 0;
 
-	} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
+	} else if (group->pk == GNUTLS_PK_ECDH_X25519 ||
+		   group->pk == GNUTLS_PK_ECDH_X448) {
 		gnutls_pk_params_st pub;
 
 		gnutls_pk_params_release(&session->key.kshare.ecdhx_params);
@@ -438,7 +443,8 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
 
 		ret = 0;
 
-	} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
+	} else if (group->pk == GNUTLS_PK_ECDH_X25519 ||
+		   group->pk == GNUTLS_PK_ECDH_X448) {
 		gnutls_pk_params_st pub;
 
 		curve = _gnutls_ecc_curve_get_params(group->curve);
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 1d0f924c26..3f6faa2ec0 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -294,6 +294,8 @@ typedef enum {
  * @GNUTLS_MAC_SHA3_384: Reserved; unimplemented.
  * @GNUTLS_MAC_SHA3_512: Reserved; unimplemented.
  * @GNUTLS_MAC_GOST28147_TC26Z_IMIT: The GOST 28147-89 working in IMIT mode with TC26 Z S-box.
+ * @GNUTLS_MAC_SHAKE_128: Reserved; unimplemented.
+ * @GNUTLS_MAC_SHAKE_256: Reserved; unimplemented.
  *
  * Enumeration of different Message Authentication Code (MAC)
  * algorithms.
@@ -328,6 +330,8 @@ typedef enum {
 	GNUTLS_MAC_AES_GMAC_192 = 206,
 	GNUTLS_MAC_AES_GMAC_256 = 207,
 	GNUTLS_MAC_GOST28147_TC26Z_IMIT = 208,
+	GNUTLS_MAC_SHAKE_128 = 209,
+	GNUTLS_MAC_SHAKE_256 = 210
 } gnutls_mac_algorithm_t;
 
 /**
@@ -350,6 +354,8 @@ typedef enum {
  * @GNUTLS_DIG_GOSTR_94: GOST R 34.11-94 algorithm.
  * @GNUTLS_DIG_STREEBOG_256: GOST R 34.11-2001 (Streebog) algorithm, 256 bit.
  * @GNUTLS_DIG_STREEBOG_512: GOST R 34.11-2001 (Streebog) algorithm, 512 bit.
+ * @GNUTLS_DIG_SHAKE_128: Reserved; unimplemented.
+ * @GNUTLS_DIG_SHAKE_256: Reserved; unimplemented.
  *
  * Enumeration of different digest (hash) algorithms.
  */
@@ -371,7 +377,9 @@ typedef enum {
 	GNUTLS_DIG_MD5_SHA1 = GNUTLS_MAC_MD5_SHA1,
 	GNUTLS_DIG_GOSTR_94 = GNUTLS_MAC_GOSTR_94,
 	GNUTLS_DIG_STREEBOG_256 = GNUTLS_MAC_STREEBOG_256,
-	GNUTLS_DIG_STREEBOG_512 = GNUTLS_MAC_STREEBOG_512
+	GNUTLS_DIG_STREEBOG_512 = GNUTLS_MAC_STREEBOG_512,
+	GNUTLS_DIG_SHAKE_128 = GNUTLS_MAC_SHAKE_128,
+	GNUTLS_DIG_SHAKE_256 = GNUTLS_MAC_SHAKE_256
 	    /* If you add anything here, make sure you align with
 	       gnutls_mac_algorithm_t. */
 } gnutls_digest_algorithm_t;
@@ -833,6 +841,8 @@ typedef enum gnutls_certificate_print_formats {
  * @GNUTLS_PK_GOST_01: GOST R 34.10-2001 algorithm per rfc5832.
  * @GNUTLS_PK_GOST_12_256: GOST R 34.10-2012 algorithm, 256-bit key per rfc7091.
  * @GNUTLS_PK_GOST_12_512: GOST R 34.10-2012 algorithm, 512-bit key per rfc7091.
+ * @GNUTLS_PK_ECDH_X448: Elliptic curve algorithm, restricted to ECDH as per rfc7748.
+ * @GNUTLS_PK_EDDSA_ED448: Edwards curve Digital signature algorithm. Used with SHAKE256 on signatures.
  *
  * Enumeration of different public-key algorithms.
  */
@@ -848,7 +858,9 @@ typedef enum {
 	GNUTLS_PK_GOST_01 = 8,
 	GNUTLS_PK_GOST_12_256 = 9,
 	GNUTLS_PK_GOST_12_512 = 10,
-	GNUTLS_PK_MAX = GNUTLS_PK_GOST_12_512
+	GNUTLS_PK_ECDH_X448 = 11,
+	GNUTLS_PK_EDDSA_ED448 = 12,
+	GNUTLS_PK_MAX = GNUTLS_PK_EDDSA_ED448
 } gnutls_pk_algorithm_t;
 
 
@@ -912,6 +924,7 @@ const char *gnutls_pk_algorithm_get_name(gnutls_pk_algorithm_t algorithm);
  * @GNUTLS_SIGN_GOST_94: Digital signature algorithm GOST R 34.10-2001 with GOST R 34.11-94
  * @GNUTLS_SIGN_GOST_256: Digital signature algorithm GOST R 34.10-2012 with GOST R 34.11-2012 256 bit
  * @GNUTLS_SIGN_GOST_512: Digital signature algorithm GOST R 34.10-2012 with GOST R 34.11-2012 512 bit
+ * @GNUTLS_SIGN_EDDSA_ED448: Digital signature algorithm EdDSA with Ed448 curve.
  *
  * Enumeration of different digital signature algorithms.
  */
@@ -968,7 +981,8 @@ typedef enum {
 	GNUTLS_SIGN_GOST_94 = 43,
 	GNUTLS_SIGN_GOST_256 = 44,
 	GNUTLS_SIGN_GOST_512 = 45,
-	GNUTLS_SIGN_MAX = GNUTLS_SIGN_GOST_512
+	GNUTLS_SIGN_EDDSA_ED448 = 46,
+	GNUTLS_SIGN_MAX = GNUTLS_SIGN_EDDSA_ED448
 } gnutls_sign_algorithm_t;
 
 /**
@@ -993,6 +1007,8 @@ typedef enum {
  * @GNUTLS_ECC_CURVE_GOST256B: GOST R 34.10 TC26 256 B curve
  * @GNUTLS_ECC_CURVE_GOST256C: GOST R 34.10 TC26 256 C curve
  * @GNUTLS_ECC_CURVE_GOST256D: GOST R 34.10 TC26 256 D curve
+ * @GNUTLS_ECC_CURVE_X448: the X448 curve (ECDH only)
+ * @GNUTLS_ECC_CURVE_ED448: the Ed448 curve
  *
  * Enumeration of ECC curves.
  */
@@ -1017,7 +1033,9 @@ typedef enum {
 	GNUTLS_ECC_CURVE_GOST256B,
 	GNUTLS_ECC_CURVE_GOST256C,
 	GNUTLS_ECC_CURVE_GOST256D,
-	GNUTLS_ECC_CURVE_MAX = GNUTLS_ECC_CURVE_GOST256D
+	GNUTLS_ECC_CURVE_X448,
+	GNUTLS_ECC_CURVE_ED448,
+	GNUTLS_ECC_CURVE_MAX = GNUTLS_ECC_CURVE_ED448
 } gnutls_ecc_curve_t;
 
 /**
@@ -1041,6 +1059,7 @@ typedef enum {
  * @GNUTLS_GROUP_FFDHE4096: the FFDHE4096 group
  * @GNUTLS_GROUP_FFDHE6144: the FFDHE6144 group
  * @GNUTLS_GROUP_FFDHE8192: the FFDHE8192 group
+ * @GNUTLS_GROUP_X448: the X448 curve group
  *
  * Enumeration of supported groups. It is intended to be backwards
  * compatible with the enumerations in %gnutls_ecc_curve_t for the groups
@@ -1054,6 +1073,7 @@ typedef enum {
 	GNUTLS_GROUP_SECP384R1 = GNUTLS_ECC_CURVE_SECP384R1,
 	GNUTLS_GROUP_SECP521R1 = GNUTLS_ECC_CURVE_SECP521R1,
 	GNUTLS_GROUP_X25519 = GNUTLS_ECC_CURVE_X25519,
+	GNUTLS_GROUP_X448 = GNUTLS_ECC_CURVE_X448,
 
 	GNUTLS_GROUP_GC256A = GNUTLS_ECC_CURVE_GOST256A,
 	GNUTLS_GROUP_GC256B = GNUTLS_ECC_CURVE_GOST256B,
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 823c9b9809..4be8dc7eda 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -48,6 +48,12 @@
 #include <nettle/ecdsa.h>
 #include <nettle/ecc-curve.h>
 #include <nettle/curve25519.h>
+#if HAVE_CURVE448
+#include <nettle/curve448.h>
+#else
+#include "curve448/curve448.h"
+#include "curve448/eddsa.h"
+#endif
 #include <nettle/eddsa.h>
 #include <nettle/version.h>
 #if ENABLE_GOST
@@ -235,6 +241,22 @@ ecc_shared_secret(struct ecc_scalar *private_key,
  */
 #define DH_EXPONENT_SIZE(p_size) (2*_gnutls_pk_bits_to_subgroup_bits(p_size))
 
+static inline int
+edwards_curve_mul(gnutls_pk_algorithm_t algo,
+		  uint8_t *q, const uint8_t *n, const uint8_t *p)
+{
+	switch (algo) {
+	case GNUTLS_PK_ECDH_X25519:
+		curve25519_mul(q, n, p);
+		return 0;
+	case GNUTLS_PK_ECDH_X448:
+		curve448_mul(q, n, p);
+		return 0;
+	default:
+		return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
+	}
+}
+
 /* This is used for DH or ECDH key derivation. In DH for example
  * it is given the peers Y and our x, and calculates Y^x
  */
@@ -388,6 +410,7 @@ dh_cleanup:
 			break;
 		}
 	case GNUTLS_PK_ECDH_X25519:
+	case GNUTLS_PK_ECDH_X448:
 		{
 			unsigned size = gnutls_ecc_curve_get_size(priv->curve);
 
@@ -407,7 +430,9 @@ dh_cleanup:
 
 			out->size = size;
 
-			curve25519_mul(out->data, priv->raw_priv.data, pub->raw_pub.data);
+			ret = edwards_curve_mul(algo, out->data, priv->raw_priv.data, pub->raw_pub.data);
+			if (ret < 0)
+				goto cleanup;
 
 			if (_gnutls_mem_is_zero(out->data, out->size)) {
 				gnutls_free(out->data);
@@ -739,11 +764,43 @@ _rsa_pss_sign_digest_tr(gnutls_digest_algorithm_t dig,
 	return ret;
 }
 
+static inline gnutls_ecc_curve_t
+get_eddsa_curve(gnutls_pk_algorithm_t algo)
+{
+	switch (algo) {
+	case GNUTLS_PK_EDDSA_ED25519:
+		return GNUTLS_ECC_CURVE_ED25519;
+	case GNUTLS_PK_EDDSA_ED448:
+		return GNUTLS_ECC_CURVE_ED448;
+	default:
+		return gnutls_assert_val(GNUTLS_ECC_CURVE_INVALID);
+	}
+}
+
+static inline int
+eddsa_sign(gnutls_pk_algorithm_t algo,
+	   const uint8_t *pub,
+	   const uint8_t *priv,
+	   size_t length, const uint8_t *msg,
+	   uint8_t *signature)
+{
+	switch (algo) {
+	case GNUTLS_PK_EDDSA_ED25519:
+		ed25519_sha512_sign(pub, priv, length, msg, signature);
+		return 0;
+	case GNUTLS_PK_EDDSA_ED448:
+		ed448_shake256_sign(pub, priv, length, msg, signature);
+		return 0;
+	default:
+		return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+	}
+}
+
 /* This is the lower-level part of privkey_sign_raw_data().
  *
  * It accepts data in the appropriate hash form, i.e., DigestInfo
  * for PK_RSA, hash for PK_ECDSA, PK_DSA, PK_RSA_PSS, and raw data
- * for Ed25519.
+ * for Ed25519 and Ed448.
  *
  * in case of EC/DSA, signed data are encoded into r,s values
  */
@@ -774,10 +831,11 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 
 	switch (algo) {
 	case GNUTLS_PK_EDDSA_ED25519:	/* we do EdDSA */
+	case GNUTLS_PK_EDDSA_ED448:
 		{
 			const gnutls_ecc_curve_entry_st *e;
 
-			if (pk_params->curve != GNUTLS_ECC_CURVE_ED25519)
+			if (unlikely(get_eddsa_curve(algo) != pk_params->curve))
 				return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
 
 			e = _gnutls_ecc_curve_get_params(pk_params->curve);
@@ -792,12 +850,18 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 
 			signature->size = e->sig_size;
 
-			if (pk_params->raw_pub.size != e->size || pk_params->raw_priv.size != e->size)
-				return gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED);
+			if (pk_params->raw_pub.size != e->size || pk_params->raw_priv.size != e->size) {
+				ret = gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED);
+				goto cleanup;
+			}
 
-			ed25519_sha512_sign(pk_params->raw_pub.data,
-			                    pk_params->raw_priv.data,
-			                    vdata->size, vdata->data, signature->data);
+			ret = eddsa_sign(algo,
+					 pk_params->raw_pub.data,
+					 pk_params->raw_priv.data,
+					 vdata->size, vdata->data,
+					 signature->data);
+			if (ret < 0)
+				goto cleanup;
 
 			break;
 		}
@@ -1130,6 +1194,30 @@ _rsa_pss_verify_digest(gnutls_digest_algorithm_t dig,
 	return verify_func(pub, salt_size, digest, s);
 }
 
+static inline int
+eddsa_verify(gnutls_pk_algorithm_t algo,
+	     const uint8_t *pub,
+	     size_t length, const uint8_t *msg,
+	     const uint8_t *signature)
+{
+	int ret;
+
+	switch (algo) {
+	case GNUTLS_PK_EDDSA_ED25519:
+		ret = ed25519_sha512_verify(pub, length, msg, signature);
+		if (ret == 0)
+			return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
+		return 0;
+	case GNUTLS_PK_EDDSA_ED448:
+		ret = ed448_shake256_verify(pub, length, msg, signature);
+		if (ret == 0)
+			return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
+		return 0;
+	default:
+		return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+	}
+}
+
 static int
 _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
 		       const gnutls_datum_t * vdata,
@@ -1149,10 +1237,11 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
 
 	switch (algo) {
 	case GNUTLS_PK_EDDSA_ED25519:	/* we do EdDSA */
+	case GNUTLS_PK_EDDSA_ED448:
 		{
 			const gnutls_ecc_curve_entry_st *e;
 
-			if (pk_params->curve != GNUTLS_ECC_CURVE_ED25519)
+			if (unlikely(get_eddsa_curve(algo) != pk_params->curve))
 				return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
 
 			e = _gnutls_ecc_curve_get_params(pk_params->curve);
@@ -1165,13 +1254,10 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
 			if (pk_params->raw_pub.size != e->size)
 				return gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED);
 
-			ret = ed25519_sha512_verify(pk_params->raw_pub.data, vdata->size, vdata->data, signature->data);
-			if (ret == 0) {
-				gnutls_assert();
-				ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
-			} else {
-				ret = 0;
-			}
+			ret = eddsa_verify(algo,
+					   pk_params->raw_pub.data,
+					   vdata->size, vdata->data,
+					   signature->data);
 			break;
 		}
 #if ENABLE_GOST
@@ -1431,6 +1517,8 @@ static int _wrap_nettle_pk_curve_exists(gnutls_ecc_curve_t curve)
 	switch (curve) {
 		case GNUTLS_ECC_CURVE_ED25519:
 		case GNUTLS_ECC_CURVE_X25519:
+		case GNUTLS_ECC_CURVE_ED448:
+		case GNUTLS_ECC_CURVE_X448:
 			return 1;
 		default:
 			return ((get_supported_nist_curve(curve)!=NULL ||
@@ -1556,6 +1644,7 @@ wrap_nettle_pk_generate_params(gnutls_pk_algorithm_t algo,
 	case GNUTLS_PK_RSA:
 	case GNUTLS_PK_ECDSA:
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 #if ENABLE_GOST
 	case GNUTLS_PK_GOST_01:
 	case GNUTLS_PK_GOST_12_256:
@@ -1914,6 +2003,7 @@ gnutls_x509_spki_st spki;
 		FALLTHROUGH;
 	case GNUTLS_PK_EC: /* we only do keys for ECDSA */
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 	case GNUTLS_PK_DSA:
 	case GNUTLS_PK_RSA_PSS:
 	case GNUTLS_PK_GOST_01:
@@ -1934,6 +2024,7 @@ gnutls_x509_spki_st spki;
 		break;
 	case GNUTLS_PK_DH:
 	case GNUTLS_PK_ECDH_X25519:
+	case GNUTLS_PK_ECDH_X448:
 		ret = 0;
 		goto cleanup;
 	default:
@@ -1953,6 +2044,38 @@ cleanup:
 }
 #endif
 
+static inline int
+eddsa_public_key(gnutls_pk_algorithm_t algo,
+		 uint8_t *pub, const uint8_t *priv)
+{
+	switch (algo) {
+	case GNUTLS_PK_EDDSA_ED25519:
+		ed25519_sha512_public_key(pub, priv);
+		return 0;
+	case GNUTLS_PK_EDDSA_ED448:
+		ed448_shake256_public_key(pub, priv);
+		return 0;
+	default:
+		return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+	}
+}
+
+static inline int
+edwards_curve_mul_g(gnutls_pk_algorithm_t algo,
+		    uint8_t *q, const uint8_t *n)
+{
+	switch (algo) {
+	case GNUTLS_PK_ECDH_X25519:
+		curve25519_mul_g(q, n);
+		return 0;
+	case GNUTLS_PK_ECDH_X448:
+		curve448_mul_g(q, n);
+		return 0;
+	default:
+		return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
+	}
+}
+
 /* To generate a DH key either q must be set in the params or
  * level should be set to the number of required bits.
  */
@@ -2190,13 +2313,14 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
 			break;
 		}
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 		{
 			unsigned size = gnutls_ecc_curve_get_size(level);
 
 			if (params->pkflags & GNUTLS_PK_FLAG_PROVABLE)
 				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
-			if (level != GNUTLS_ECC_CURVE_ED25519)
+			if (unlikely(get_eddsa_curve(algo) != level))
 				return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
 
 			if (size == 0)
@@ -2222,7 +2346,11 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
 			params->raw_pub.size = size;
 			params->raw_priv.size = size;
 
-			ed25519_sha512_public_key(params->raw_pub.data, params->raw_priv.data);
+			ret = eddsa_public_key(algo,
+					       params->raw_pub.data,
+					       params->raw_priv.data);
+			if (ret < 0)
+				goto fail;
 
 			break;
 		}
@@ -2335,6 +2463,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
 		}
 #endif
 	case GNUTLS_PK_ECDH_X25519:
+	case GNUTLS_PK_ECDH_X448:
 		{
 			unsigned size = gnutls_ecc_curve_get_size(level);
 
@@ -2361,7 +2490,9 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
 			params->raw_pub.size = size;
 			params->raw_priv.size = size;
 
-			curve25519_mul_g(params->raw_pub.data, params->raw_priv.data);
+			ret = edwards_curve_mul_g(algo, params->raw_pub.data, params->raw_priv.data);
+			if (ret < 0)
+				goto fail;
 			break;
 		}
 	default:
@@ -2595,18 +2726,29 @@ wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo,
 			mpz_clear(y2);
 		}
 		break;
-	case GNUTLS_PK_EDDSA_ED25519: {
-		uint8_t pub[32];
+	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448: {
+		gnutls_ecc_curve_t curve;
+		const gnutls_ecc_curve_entry_st *e;
+		uint8_t pub[57]; /* can accommodate both curves */
+
+		curve = get_eddsa_curve(algo);
+		e = _gnutls_ecc_curve_get_params(curve);
+		if (e == NULL)
+			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
 		if (params->raw_pub.data == NULL) {
 			return 0; /* nothing to verify */
 		}
 
-		if (params->raw_pub.size != 32)
+		if (params->raw_pub.size != e->size)
 			return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
 
-		ed25519_sha512_public_key(pub, params->raw_priv.data);
-		if (memcmp(params->raw_pub.data, pub, 32) != 0)
+		ret = eddsa_public_key(algo, pub, params->raw_priv.data);
+		if (ret < 0)
+			return ret;
+
+		if (memcmp(params->raw_pub.data, pub, e->size) != 0)
 			return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
 
 		ret = 0;
@@ -2707,6 +2849,7 @@ wrap_nettle_pk_verify_pub_params(gnutls_pk_algorithm_t algo,
 	case GNUTLS_PK_RSA_PSS:
 	case GNUTLS_PK_DSA:
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 		return 0;
 	case GNUTLS_PK_ECDSA:
 		{
@@ -2892,8 +3035,9 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
 		if (ret == 0) {
 			return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
 		}
-	} else if (algo == GNUTLS_PK_EDDSA_ED25519) {
-		if (params->curve != GNUTLS_ECC_CURVE_ED25519)
+	} else if (algo == GNUTLS_PK_EDDSA_ED25519 ||
+		   algo == GNUTLS_PK_EDDSA_ED448) {
+		if (unlikely(get_eddsa_curve(algo) != params->curve))
 			return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
 
 		if (params->raw_priv.data == NULL)
@@ -2906,7 +3050,14 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
 		if (params->raw_pub.data == NULL)
 			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 
-		ed25519_sha512_public_key(params->raw_pub.data, params->raw_priv.data);
+		ret = eddsa_public_key(algo,
+				       params->raw_pub.data,
+				       params->raw_priv.data);
+		if (ret < 0) {
+			gnutls_free(params->raw_pub.data);
+			return ret;
+		}
+
 		params->raw_pub.size = params->raw_priv.size;
 	} else if (algo == GNUTLS_PK_RSA_PSS) {
 		if (params->params_nr < RSA_PRIVATE_PARAMS - 3)
diff --git a/lib/pk.c b/lib/pk.c
index debcc2ac09..24f808000a 100644
--- a/lib/pk.c
+++ b/lib/pk.c
@@ -1215,6 +1215,7 @@ pk_prepare_hash(gnutls_pk_algorithm_t pk,
 	case GNUTLS_PK_DSA:
 	case GNUTLS_PK_ECDSA:
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 	case GNUTLS_PK_GOST_01:
 	case GNUTLS_PK_GOST_12_256:
 	case GNUTLS_PK_GOST_12_512:
diff --git a/lib/priority.c b/lib/priority.c
index bcabee9018..ad99459adb 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -132,7 +132,8 @@ static const int _supported_groups_ecdh[] = {
 	GNUTLS_GROUP_SECP256R1,
 	GNUTLS_GROUP_SECP384R1,
 	GNUTLS_GROUP_SECP521R1,
-	GNUTLS_GROUP_X25519, /* draft-ietf-tls-rfc4492bis */
+	GNUTLS_GROUP_X25519, /* RFC 8422 */
+	GNUTLS_GROUP_X448, /* RFC 8422 */
 	0
 };
 
@@ -153,7 +154,8 @@ static const int _supported_groups_normal[] = {
 	GNUTLS_GROUP_SECP256R1,
 	GNUTLS_GROUP_SECP384R1,
 	GNUTLS_GROUP_SECP521R1,
-	GNUTLS_GROUP_X25519, /* draft-ietf-tls-rfc4492bis */
+	GNUTLS_GROUP_X25519, /* RFC 8422 */
+	GNUTLS_GROUP_X448, /* RFC 8422 */
 
 	/* These should stay last as our default behavior
 	 * is to send key shares for two top types (GNUTLS_KEY_SHARE_TOP2)
@@ -172,7 +174,8 @@ static const int _supported_groups_secure128[] = {
 	GNUTLS_GROUP_SECP256R1,
 	GNUTLS_GROUP_SECP384R1,
 	GNUTLS_GROUP_SECP521R1,
-	GNUTLS_GROUP_X25519, /* draft-ietf-tls-rfc4492bis */
+	GNUTLS_GROUP_X25519, /* RFC 8422 */
+	GNUTLS_GROUP_X448, /* RFC 8422 */
 	GNUTLS_GROUP_FFDHE2048,
 	GNUTLS_GROUP_FFDHE3072,
 	GNUTLS_GROUP_FFDHE4096,
@@ -419,6 +422,8 @@ static const int _sign_priority_default[] = {
 	GNUTLS_SIGN_ECDSA_SHA384,
 	GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
 
+	GNUTLS_SIGN_EDDSA_ED448,
+
 	GNUTLS_SIGN_RSA_SHA512,
 	GNUTLS_SIGN_RSA_PSS_SHA512,
 	GNUTLS_SIGN_RSA_PSS_RSAE_SHA512,
@@ -455,6 +460,7 @@ static const int _sign_priority_secure128[] = {
 	GNUTLS_SIGN_RSA_PSS_RSAE_SHA256,
 	GNUTLS_SIGN_ECDSA_SHA256,
 	GNUTLS_SIGN_ECDSA_SECP256R1_SHA256,
+
 	GNUTLS_SIGN_EDDSA_ED25519,
 
 	GNUTLS_SIGN_RSA_SHA384,
@@ -463,6 +469,8 @@ static const int _sign_priority_secure128[] = {
 	GNUTLS_SIGN_ECDSA_SHA384,
 	GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
 
+	GNUTLS_SIGN_EDDSA_ED448,
+
 	GNUTLS_SIGN_RSA_SHA512,
 	GNUTLS_SIGN_RSA_PSS_SHA512,
 	GNUTLS_SIGN_RSA_PSS_RSAE_SHA512,
diff --git a/lib/privkey.c b/lib/privkey.c
index 425cc3e7c6..4114e2ca18 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -205,6 +205,7 @@ privkey_to_pubkey(gnutls_pk_algorithm_t pk,
 
 		break;
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 		ret = _gnutls_set_datum(&pub->raw_pub, priv->raw_pub.data, priv->raw_pub.size);
 		if (ret < 0)
 			return gnutls_assert_val(ret);
diff --git a/lib/pubkey.c b/lib/pubkey.c
index 3b4d7f9003..eb7fdbaa82 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -61,6 +61,7 @@ unsigned pubkey_to_bits(const gnutls_pk_params_st * params)
 		return _gnutls_mpi_get_nbits(params->params[DSA_P]);
 	case GNUTLS_PK_ECDSA:
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 	case GNUTLS_PK_GOST_01:
 	case GNUTLS_PK_GOST_12_256:
 	case GNUTLS_PK_GOST_12_512:
@@ -316,6 +317,12 @@ gnutls_pubkey_get_preferred_hash_algorithm(gnutls_pubkey_t key,
 
 		ret = 0;
 		break;
+	case GNUTLS_PK_EDDSA_ED448:
+		if (hash)
+			*hash = GNUTLS_DIG_SHAKE_256;
+
+		ret = 0;
+		break;
 	case GNUTLS_PK_GOST_01:
 	case GNUTLS_PK_GOST_12_256:
 	case GNUTLS_PK_GOST_12_512:
@@ -891,7 +898,8 @@ gnutls_pubkey_export_ecc_raw2(gnutls_pubkey_t key,
 	if (curve)
 		*curve = key->params.curve;
 
-	if (key->params.algo == GNUTLS_PK_EDDSA_ED25519) {
+	if (key->params.algo == GNUTLS_PK_EDDSA_ED25519 ||
+	    key->params.algo == GNUTLS_PK_EDDSA_ED448) {
 		if (x) {
 			ret = _gnutls_set_datum(x, key->params.raw_pub.data, key->params.raw_pub.size);
 			if (ret < 0)
@@ -1429,7 +1437,16 @@ gnutls_pubkey_import_ecc_raw(gnutls_pubkey_t key,
 			goto cleanup;
 		}
 
-		key->params.algo = GNUTLS_PK_EDDSA_ED25519;
+		switch (curve) {
+		case GNUTLS_ECC_CURVE_ED25519:
+			key->params.algo = GNUTLS_PK_EDDSA_ED25519;
+			break;
+		case GNUTLS_ECC_CURVE_ED448:
+			key->params.algo = GNUTLS_PK_EDDSA_ED448;
+			break;
+		default:
+			break;
+		}
 		key->params.curve = curve;
 		key->bits = pubkey_to_bits(&key->params);
 
@@ -2232,6 +2249,7 @@ pubkey_verify_data(const gnutls_sign_entry_st *se,
 		break;
 
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 		if (_gnutls_pk_verify(se->pk, data, signature, params, sign_params) != 0) {
 			gnutls_assert();
 			return GNUTLS_E_PK_SIG_VERIFY_FAILED;
diff --git a/lib/x509/common.h b/lib/x509/common.h
index d36c263a58..498ccc4e97 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -98,6 +98,7 @@
 #define SIG_RSA_SHA3_512_OID "2.16.840.1.101.3.4.3.16"
 
 #define SIG_EDDSA_SHA512_OID "1.3.101.112"
+#define SIG_ED448_OID "1.3.101.113"
 
 #define XMPP_OID "1.3.6.1.5.5.7.8.5"
 #define KRB5_PRINCIPAL_OID "1.3.6.1.5.2.2"
diff --git a/lib/x509/key_decode.c b/lib/x509/key_decode.c
index e42f5e0962..c79f6eee37 100644
--- a/lib/x509/key_decode.c
+++ b/lib/x509/key_decode.c
@@ -565,6 +565,9 @@ int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t algo, uint8_t * der,
 	case GNUTLS_PK_EDDSA_ED25519:
 		ret = _gnutls_x509_read_eddsa_pubkey(GNUTLS_ECC_CURVE_ED25519, der, dersize, params);
 		break;
+	case GNUTLS_PK_EDDSA_ED448:
+		ret = _gnutls_x509_read_eddsa_pubkey(GNUTLS_ECC_CURVE_ED448, der, dersize, params);
+		break;
 	case GNUTLS_PK_GOST_01:
 	case GNUTLS_PK_GOST_12_256:
 	case GNUTLS_PK_GOST_12_512:
@@ -590,6 +593,7 @@ int _gnutls_x509_read_pubkey_params(gnutls_pk_algorithm_t algo,
 	switch (algo) {
 	case GNUTLS_PK_RSA:
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 		return 0;
 	case GNUTLS_PK_RSA_PSS:
 		return _gnutls_x509_read_rsa_pss_params(der, dersize, &params->spki);
@@ -634,6 +638,7 @@ int _gnutls_x509_check_pubkey_params(gnutls_pk_params_st * params)
 	case GNUTLS_PK_DSA:
 	case GNUTLS_PK_ECDSA:
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 	case GNUTLS_PK_GOST_01:
 	case GNUTLS_PK_GOST_12_256:
 	case GNUTLS_PK_GOST_12_512:
diff --git a/lib/x509/key_encode.c b/lib/x509/key_encode.c
index a589dd4f33..b9cbcff7bc 100644
--- a/lib/x509/key_encode.c
+++ b/lib/x509/key_encode.c
@@ -150,7 +150,8 @@ _gnutls_x509_write_eddsa_pubkey(const gnutls_pk_params_st * params,
 	if (params->raw_pub.size == 0)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
-	if (params->curve != GNUTLS_ECC_CURVE_ED25519)
+	if (params->curve != GNUTLS_ECC_CURVE_ED25519 &&
+	    params->curve != GNUTLS_ECC_CURVE_ED448)
 		return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
 
 	ret = _gnutls_set_datum(raw, params->raw_pub.data, params->raw_pub.size);
@@ -252,6 +253,7 @@ _gnutls_x509_write_pubkey_params(const gnutls_pk_params_st * params,
 	case GNUTLS_PK_ECDSA:
 		return _gnutls_x509_write_ecc_params(params->curve, der);
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 		der->data = NULL;
 		der->size = 0;
 
@@ -278,6 +280,7 @@ _gnutls_x509_write_pubkey(const gnutls_pk_params_st * params,
 	case GNUTLS_PK_ECDSA:
 		return _gnutls_x509_write_ecc_pubkey(params, der);
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 		return _gnutls_x509_write_eddsa_pubkey(params, der);
 	case GNUTLS_PK_GOST_01:
 	case GNUTLS_PK_GOST_12_256:
@@ -1031,6 +1034,7 @@ int _gnutls_asn1_encode_privkey(ASN1_TYPE * c2,
 		return _gnutls_asn1_encode_dsa(c2, params);
 	case GNUTLS_PK_ECDSA:
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 		return _gnutls_asn1_encode_ecc(c2, params);
 	case GNUTLS_PK_GOST_01:
 	case GNUTLS_PK_GOST_12_256:
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index 1be3da484e..a0bdfab9f7 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -134,7 +134,9 @@ _gnutls_get_asn_mpis(ASN1_TYPE asn, const char *root,
 	_asnstr_append_name(name, sizeof(name), root,
 			    ".algorithm.parameters");
 
-	if (pk_algorithm != GNUTLS_PK_RSA && pk_algorithm != GNUTLS_PK_EDDSA_ED25519 && pk_algorithm != GNUTLS_PK_ECDH_X25519) {
+	if (pk_algorithm != GNUTLS_PK_RSA &&
+	    pk_algorithm != GNUTLS_PK_EDDSA_ED25519 && pk_algorithm != GNUTLS_PK_ECDH_X25519 &&
+	    pk_algorithm != GNUTLS_PK_EDDSA_ED448 && pk_algorithm != GNUTLS_PK_ECDH_X448) {
 		/* RSA and EdDSA do not use parameters */
 		result = _gnutls_x509_read_value(asn, name, &tmp);
 		if (pk_algorithm == GNUTLS_PK_RSA_PSS && 
diff --git a/lib/x509/output.c b/lib/x509/output.c
index da45917753..2aa78b478b 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -1406,6 +1406,7 @@ print_pubkey(gnutls_buffer_st * str, const char *key_name,
 		break;
 
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 	case GNUTLS_PK_ECDSA:
 		{
 			gnutls_datum_t x, y;
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index a9579914f8..b26295e51b 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -1116,7 +1116,17 @@ gnutls_x509_privkey_import_ecc_raw(gnutls_x509_privkey_t key,
 
 	if (curve_is_eddsa(curve)) {
 		unsigned size;
-		key->params.algo = GNUTLS_PK_EDDSA_ED25519;
+		switch (curve) {
+		case GNUTLS_ECC_CURVE_ED25519:
+			key->params.algo = GNUTLS_PK_EDDSA_ED25519;
+			break;
+		case GNUTLS_ECC_CURVE_ED448:
+			key->params.algo = GNUTLS_PK_EDDSA_ED448;
+			break;
+		default:
+			ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+			goto cleanup;
+		}
 
 		size = gnutls_ecc_curve_get_size(curve);
 		if (x->size != size || k->size != size) {
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index bcc6dd24ec..f23008fbe5 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -69,6 +69,7 @@ _encode_privkey(gnutls_x509_privkey_t pkey, gnutls_datum_t * raw)
 
 	switch (pkey->params.algo) {
 	case GNUTLS_PK_EDDSA_ED25519:
+	case GNUTLS_PK_EDDSA_ED448:
 		/* we encode as octet string (which is going to be stored inside
 		 * another octet string). No comments. */
 		ret = _gnutls_x509_encode_string(ASN1_ETYPE_OCTET_STRING,
@@ -1115,7 +1116,16 @@ _decode_pkcs8_eddsa_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey, const c
 			return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
 		}
 		gnutls_free(pkey->params.raw_priv.data);
-		pkey->params.algo = GNUTLS_PK_EDDSA_ED25519;
+		switch (curve) {
+		case GNUTLS_ECC_CURVE_ED25519:
+			pkey->params.algo = GNUTLS_PK_EDDSA_ED25519;
+			break;
+		case GNUTLS_ECC_CURVE_ED448:
+			pkey->params.algo = GNUTLS_PK_EDDSA_ED448;
+			break;
+		default:
+			return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+		}
 		pkey->params.raw_priv.data = tmp.data;
 		pkey->params.raw_priv.size = tmp.size;
 		pkey->params.curve = curve;
@@ -1449,6 +1459,7 @@ decode_private_key_info(const gnutls_datum_t * der,
 			result = _decode_pkcs8_ecc_key(pkcs8_asn, pkey);
 			break;
 		case GNUTLS_PK_EDDSA_ED25519:
+		case GNUTLS_PK_EDDSA_ED448:
 			result = _decode_pkcs8_eddsa_key(pkcs8_asn, pkey, oid);
 			break;
 		case GNUTLS_PK_GOST_01:
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index 39a25307a0..050e95059e 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -48,6 +48,8 @@
 #define HASH_OID_SHA3_256 "2.16.840.1.101.3.4.2.8"
 #define HASH_OID_SHA3_384 "2.16.840.1.101.3.4.2.9"
 #define HASH_OID_SHA3_512 "2.16.840.1.101.3.4.2.10"
+#define HASH_OID_SHAKE_128 "2.16.840.1.101.3.4.2.11"
+#define HASH_OID_SHAKE_256 "2.16.840.1.101.3.4.2.12"
 #define HASH_OID_GOST_R_3411_94 "1.2.643.2.2.9"
 #define HASH_OID_STREEBOG_256 "1.2.643.7.1.1.2.2"
 #define HASH_OID_STREEBOG_512 "1.2.643.7.1.1.2.3"
author	Daiki Ueno <dueno@redhat.com>	2019-04-22 08:27:43 +0200
committer	Daiki Ueno <dueno@redhat.com>	2020-01-23 07:07:22 +0100
commit	07596231f2e4b3c28d1587907ce51fe15c2d990a (patch)
tree	bc1b94b9ad3c1fe5548510580d05ca00b280b30d /lib
parent	af5e42aba4294ce09a263573febe840e804cf1ed (diff)
download	gnutls-07596231f2e4b3c28d1587907ce51fe15c2d990a.tar.gz