diff options
author | Daiki Ueno <dueno@redhat.com> | 2019-04-22 08:27:43 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2020-01-23 07:07:22 +0100 |
commit | 07596231f2e4b3c28d1587907ce51fe15c2d990a (patch) | |
tree | bc1b94b9ad3c1fe5548510580d05ca00b280b30d /lib | |
parent | af5e42aba4294ce09a263573febe840e804cf1ed (diff) | |
download | gnutls-07596231f2e4b3c28d1587907ce51fe15c2d990a.tar.gz |
algorithms: implement X448 key exchange and Ed448 signature scheme
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/algorithms.h | 7 | ||||
-rw-r--r-- | lib/algorithms/ecc.c | 16 | ||||
-rw-r--r-- | lib/algorithms/groups.c | 7 | ||||
-rw-r--r-- | lib/algorithms/mac.c | 8 | ||||
-rw-r--r-- | lib/algorithms/publickey.c | 5 | ||||
-rw-r--r-- | lib/algorithms/sign.c | 11 | ||||
-rw-r--r-- | lib/auth/ecdhe.c | 17 | ||||
-rw-r--r-- | lib/ext/key_share.c | 14 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 28 | ||||
-rw-r--r-- | lib/nettle/pk.c | 205 | ||||
-rw-r--r-- | lib/pk.c | 1 | ||||
-rw-r--r-- | lib/priority.c | 14 | ||||
-rw-r--r-- | lib/privkey.c | 1 | ||||
-rw-r--r-- | lib/pubkey.c | 22 | ||||
-rw-r--r-- | lib/x509/common.h | 1 | ||||
-rw-r--r-- | lib/x509/key_decode.c | 5 | ||||
-rw-r--r-- | lib/x509/key_encode.c | 6 | ||||
-rw-r--r-- | lib/x509/mpi.c | 4 | ||||
-rw-r--r-- | lib/x509/output.c | 1 | ||||
-rw-r--r-- | lib/x509/privkey.c | 12 | ||||
-rw-r--r-- | lib/x509/privkey_pkcs8.c | 13 | ||||
-rw-r--r-- | lib/x509/x509_int.h | 2 |
22 files changed, 348 insertions, 52 deletions
diff --git a/lib/algorithms.h b/lib/algorithms.h index fadf269871..c68a266cc9 100644 --- a/lib/algorithms.h +++ b/lib/algorithms.h @@ -44,7 +44,9 @@ ((x)==GNUTLS_PK_GOST_12_256)|| \ ((x)==GNUTLS_PK_GOST_12_512)) -#define IS_EC(x) (((x)==GNUTLS_PK_ECDSA)||((x)==GNUTLS_PK_ECDH_X25519)||((x)==GNUTLS_PK_EDDSA_ED25519)) +#define IS_EC(x) (((x)==GNUTLS_PK_ECDSA)|| \ + ((x)==GNUTLS_PK_ECDH_X25519)||((x)==GNUTLS_PK_EDDSA_ED25519)|| \ + ((x)==GNUTLS_PK_ECDH_X448)||((x)==GNUTLS_PK_EDDSA_ED448)) #define SIG_SEM_PRE_TLS12 (1<<1) #define SIG_SEM_TLS13 (1<<2) @@ -450,7 +452,8 @@ inline static int _curve_is_eddsa(const gnutls_ecc_curve_entry_st * e) { if (unlikely(e == NULL)) return 0; - if (e->pk == GNUTLS_PK_EDDSA_ED25519) + if (e->pk == GNUTLS_PK_EDDSA_ED25519 || + e->pk == GNUTLS_PK_EDDSA_ED448) return 1; return 0; } diff --git a/lib/algorithms/ecc.c b/lib/algorithms/ecc.c index 8b4b78f67d..14351b87ad 100644 --- a/lib/algorithms/ecc.c +++ b/lib/algorithms/ecc.c @@ -96,6 +96,22 @@ gnutls_ecc_curve_entry_st ecc_curves[] = { .sig_size = 64, .supported = 1, }, + { + .name = "X448", + .id = GNUTLS_ECC_CURVE_X448, + .pk = GNUTLS_PK_ECDH_X448, + .size = 56, + .supported = 1, + }, + { + .name = "Ed448", + .oid = SIG_ED448_OID, + .id = GNUTLS_ECC_CURVE_ED448, + .pk = GNUTLS_PK_EDDSA_ED448, + .size = 57, + .sig_size = 114, + .supported = 1, + }, #if ENABLE_GOST /* Curves for usage in GOST digital signature algorithm (GOST R * 34.10-2001/-2012) and key agreement (VKO GOST R 34.10-2001/-2012). diff --git a/lib/algorithms/groups.c b/lib/algorithms/groups.c index 6e1326666a..d4b77beb2a 100644 --- a/lib/algorithms/groups.c +++ b/lib/algorithms/groups.c @@ -125,6 +125,13 @@ static const gnutls_group_entry_st supported_groups[] = { .tls_id = 40, }, #endif + { + .name = "X448", + .id = GNUTLS_GROUP_X448, + .curve = GNUTLS_ECC_CURVE_X448, + .tls_id = 30, + .pk = GNUTLS_PK_ECDH_X448 + }, #ifdef ENABLE_DHE { .name = "FFDHE2048", diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c index 376c76df06..edd6e10acc 100644 --- a/lib/algorithms/mac.c +++ b/lib/algorithms/mac.c @@ -183,6 +183,14 @@ mac_entry_st hash_algorithms[] = { .key_size = 32, .block_size = 8, .flags = GNUTLS_MAC_FLAG_CONTINUOUS_MAC}, + {.name = "SHAKE-128", + .oid = HASH_OID_SHAKE_128, + .id = GNUTLS_MAC_SHAKE_128, + .block_size = 168}, + {.name = "SHAKE-256", + .oid = HASH_OID_SHAKE_256, + .id = GNUTLS_MAC_SHAKE_256, + .block_size = 136}, {.name = "MAC-NULL", .id = GNUTLS_MAC_NULL}, {0, 0, 0, 0, 0, 0, 0, 0, 0} diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c index dc535c2f65..c298a38936 100644 --- a/lib/algorithms/publickey.c +++ b/lib/algorithms/publickey.c @@ -51,6 +51,7 @@ static const gnutls_pk_map pk_mappings[] = { {GNUTLS_KX_ECDHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, {GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EC, CIPHER_SIGN}, {GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EDDSA_ED25519, CIPHER_SIGN}, + {GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EDDSA_ED448, CIPHER_SIGN}, {GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA_PSS, CIPHER_SIGN}, {GNUTLS_KX_ECDHE_RSA, GNUTLS_PK_RSA_PSS, CIPHER_SIGN}, @@ -141,10 +142,14 @@ static const gnutls_pk_entry pk_algorithms[] = { .curve = GNUTLS_ECC_CURVE_INVALID }, { .name = "EdDSA (Ed25519)", .oid = SIG_EDDSA_SHA512_OID, .id = GNUTLS_PK_EDDSA_ED25519, .curve = GNUTLS_ECC_CURVE_ED25519, .no_prehashed = 1 }, + { .name = "EdDSA (Ed448)", .oid = SIG_ED448_OID, .id = GNUTLS_PK_EDDSA_ED448, + .curve = GNUTLS_ECC_CURVE_ED448, .no_prehashed = 1 }, { .name = "DH", .oid = NULL, .id = GNUTLS_PK_DH, .curve = GNUTLS_ECC_CURVE_INVALID }, { .name = "ECDH (X25519)", .oid = "1.3.101.110", .id = GNUTLS_PK_ECDH_X25519, .curve = GNUTLS_ECC_CURVE_X25519 }, + { .name = "ECDH (X448)", .oid = "1.3.101.111", .id = GNUTLS_PK_ECDH_X448, + .curve = GNUTLS_ECC_CURVE_X448 }, { .name = "UNKNOWN", .oid = NULL, .id = GNUTLS_PK_UNKNOWN, .curve = GNUTLS_ECC_CURVE_INVALID }, {0, 0, 0, 0} diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c index 167c5fb51b..9c95e388ae 100644 --- a/lib/algorithms/sign.c +++ b/lib/algorithms/sign.c @@ -125,6 +125,17 @@ gnutls_sign_entry_st sign_algorithms[] = { .flags = GNUTLS_SIGN_FLAG_TLS13_OK, .aid = {{8, 7}, SIG_SEM_DEFAULT}}, + /* Ed448: The hash algorithm here is set to be SHAKE256, although that is + * an internal detail of Ed448; we set it, because CMS/PKCS#7 requires + * that mapping. */ + {.name = "EdDSA-Ed448", + .oid = SIG_ED448_OID, + .id = GNUTLS_SIGN_EDDSA_ED448, + .pk = GNUTLS_PK_EDDSA_ED448, + .hash = GNUTLS_DIG_SHAKE_256, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = {{8, 8}, SIG_SEM_DEFAULT}}, + /* ECDSA */ /* The following three signature algorithms * have different semantics when used under TLS 1.2 diff --git a/lib/auth/ecdhe.c b/lib/auth/ecdhe.c index 8c20d6c1cc..883f6cd046 100644 --- a/lib/auth/ecdhe.c +++ b/lib/auth/ecdhe.c @@ -172,7 +172,8 @@ int _gnutls_proc_ecdh_common_client_kx(gnutls_session_t session, gnutls_assert(); goto cleanup; } - } else if (ecurve->pk == GNUTLS_PK_ECDH_X25519) { + } else if (ecurve->pk == GNUTLS_PK_ECDH_X25519 || + ecurve->pk == GNUTLS_PK_ECDH_X448) { if (ecurve->size != point_size) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); @@ -183,7 +184,8 @@ int _gnutls_proc_ecdh_common_client_kx(gnutls_session_t session, goto cleanup; } - /* RFC7748 requires to mask the MSB in the final byte */ + /* RFC7748 requires to mask the MSB in the final byte + * for X25519 (not X448) */ if (ecurve->id == GNUTLS_ECC_CURVE_X25519) { session->key.proto.tls12.ecdh.raw.data[point_size-1] &= 0x7f; } @@ -282,7 +284,7 @@ _gnutls_gen_ecdh_common_client_kx_int(gnutls_session_t session, gnutls_assert(); goto cleanup; } - } else if (pk == GNUTLS_PK_ECDH_X25519) { + } else if (pk == GNUTLS_PK_ECDH_X25519 || pk == GNUTLS_PK_ECDH_X448) { ret = _gnutls_buffer_append_data_prefix(data, 8, session->key.proto.tls12.ecdh.params.raw_pub.data, @@ -382,7 +384,8 @@ _gnutls_proc_ecdh_common_server_kx(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); - } else if (ecurve->pk == GNUTLS_PK_ECDH_X25519) { + } else if (ecurve->pk == GNUTLS_PK_ECDH_X25519 || + ecurve->pk == GNUTLS_PK_ECDH_X448) { if (ecurve->size != point_size) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); @@ -391,7 +394,8 @@ _gnutls_proc_ecdh_common_server_kx(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); - /* RFC7748 requires to mask the MSB in the final byte */ + /* RFC7748 requires to mask the MSB in the final byte + * for X25519 (not X448) */ if (ecurve->id == GNUTLS_ECC_CURVE_X25519) { session->key.proto.tls12.ecdh.raw.data[point_size-1] &= 0x7f; } @@ -462,7 +466,8 @@ int _gnutls_ecdh_common_print_server_kx(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); - } else if (group->pk == GNUTLS_PK_ECDH_X25519) { + } else if (group->pk == GNUTLS_PK_ECDH_X25519 || + group->pk == GNUTLS_PK_ECDH_X448) { ret = _gnutls_buffer_append_data_prefix(data, 8, session->key.proto.tls12.ecdh.params.raw_pub.data, diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c index 4ae12c96b5..41dd1b7326 100644 --- a/lib/ext/key_share.c +++ b/lib/ext/key_share.c @@ -75,6 +75,7 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent int ret; if (group->pk != GNUTLS_PK_EC && group->pk != GNUTLS_PK_ECDH_X25519 && + group->pk != GNUTLS_PK_ECDH_X448 && group->pk != GNUTLS_PK_DH) { _gnutls_debug_log("Cannot send key share for group %s!\n", group->name); return GNUTLS_E_INT_RET_0; @@ -115,7 +116,8 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent ret = 0; - } else if (group->pk == GNUTLS_PK_ECDH_X25519) { + } else if (group->pk == GNUTLS_PK_ECDH_X25519 || + group->pk == GNUTLS_PK_ECDH_X448) { gnutls_pk_params_release(&session->key.kshare.ecdhx_params); gnutls_pk_params_init(&session->key.kshare.ecdhx_params); @@ -195,6 +197,7 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent int ret; if (group->pk != GNUTLS_PK_EC && group->pk != GNUTLS_PK_ECDH_X25519 && + group->pk != GNUTLS_PK_ECDH_X448 && group->pk != GNUTLS_PK_DH) { _gnutls_debug_log("Cannot send key share for group %s!\n", group->name); return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; @@ -224,7 +227,8 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent ret = 0; - } else if (group->pk == GNUTLS_PK_ECDH_X25519) { + } else if (group->pk == GNUTLS_PK_ECDH_X25519 || + group->pk == GNUTLS_PK_ECDH_X448) { ret = _gnutls_buffer_append_data_prefix(extdata, 16, session->key.kshare.ecdhx_params.raw_pub.data, @@ -300,7 +304,8 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou ret = 0; - } else if (group->pk == GNUTLS_PK_ECDH_X25519) { + } else if (group->pk == GNUTLS_PK_ECDH_X25519 || + group->pk == GNUTLS_PK_ECDH_X448) { gnutls_pk_params_st pub; gnutls_pk_params_release(&session->key.kshare.ecdhx_params); @@ -438,7 +443,8 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou ret = 0; - } else if (group->pk == GNUTLS_PK_ECDH_X25519) { + } else if (group->pk == GNUTLS_PK_ECDH_X25519 || + group->pk == GNUTLS_PK_ECDH_X448) { gnutls_pk_params_st pub; curve = _gnutls_ecc_curve_get_params(group->curve); diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 1d0f924c26..3f6faa2ec0 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -294,6 +294,8 @@ typedef enum { * @GNUTLS_MAC_SHA3_384: Reserved; unimplemented. * @GNUTLS_MAC_SHA3_512: Reserved; unimplemented. * @GNUTLS_MAC_GOST28147_TC26Z_IMIT: The GOST 28147-89 working in IMIT mode with TC26 Z S-box. + * @GNUTLS_MAC_SHAKE_128: Reserved; unimplemented. + * @GNUTLS_MAC_SHAKE_256: Reserved; unimplemented. * * Enumeration of different Message Authentication Code (MAC) * algorithms. @@ -328,6 +330,8 @@ typedef enum { GNUTLS_MAC_AES_GMAC_192 = 206, GNUTLS_MAC_AES_GMAC_256 = 207, GNUTLS_MAC_GOST28147_TC26Z_IMIT = 208, + GNUTLS_MAC_SHAKE_128 = 209, + GNUTLS_MAC_SHAKE_256 = 210 } gnutls_mac_algorithm_t; /** @@ -350,6 +354,8 @@ typedef enum { * @GNUTLS_DIG_GOSTR_94: GOST R 34.11-94 algorithm. * @GNUTLS_DIG_STREEBOG_256: GOST R 34.11-2001 (Streebog) algorithm, 256 bit. * @GNUTLS_DIG_STREEBOG_512: GOST R 34.11-2001 (Streebog) algorithm, 512 bit. + * @GNUTLS_DIG_SHAKE_128: Reserved; unimplemented. + * @GNUTLS_DIG_SHAKE_256: Reserved; unimplemented. * * Enumeration of different digest (hash) algorithms. */ @@ -371,7 +377,9 @@ typedef enum { GNUTLS_DIG_MD5_SHA1 = GNUTLS_MAC_MD5_SHA1, GNUTLS_DIG_GOSTR_94 = GNUTLS_MAC_GOSTR_94, GNUTLS_DIG_STREEBOG_256 = GNUTLS_MAC_STREEBOG_256, - GNUTLS_DIG_STREEBOG_512 = GNUTLS_MAC_STREEBOG_512 + GNUTLS_DIG_STREEBOG_512 = GNUTLS_MAC_STREEBOG_512, + GNUTLS_DIG_SHAKE_128 = GNUTLS_MAC_SHAKE_128, + GNUTLS_DIG_SHAKE_256 = GNUTLS_MAC_SHAKE_256 /* If you add anything here, make sure you align with gnutls_mac_algorithm_t. */ } gnutls_digest_algorithm_t; @@ -833,6 +841,8 @@ typedef enum gnutls_certificate_print_formats { * @GNUTLS_PK_GOST_01: GOST R 34.10-2001 algorithm per rfc5832. * @GNUTLS_PK_GOST_12_256: GOST R 34.10-2012 algorithm, 256-bit key per rfc7091. * @GNUTLS_PK_GOST_12_512: GOST R 34.10-2012 algorithm, 512-bit key per rfc7091. + * @GNUTLS_PK_ECDH_X448: Elliptic curve algorithm, restricted to ECDH as per rfc7748. + * @GNUTLS_PK_EDDSA_ED448: Edwards curve Digital signature algorithm. Used with SHAKE256 on signatures. * * Enumeration of different public-key algorithms. */ @@ -848,7 +858,9 @@ typedef enum { GNUTLS_PK_GOST_01 = 8, GNUTLS_PK_GOST_12_256 = 9, GNUTLS_PK_GOST_12_512 = 10, - GNUTLS_PK_MAX = GNUTLS_PK_GOST_12_512 + GNUTLS_PK_ECDH_X448 = 11, + GNUTLS_PK_EDDSA_ED448 = 12, + GNUTLS_PK_MAX = GNUTLS_PK_EDDSA_ED448 } gnutls_pk_algorithm_t; @@ -912,6 +924,7 @@ const char *gnutls_pk_algorithm_get_name(gnutls_pk_algorithm_t algorithm); * @GNUTLS_SIGN_GOST_94: Digital signature algorithm GOST R 34.10-2001 with GOST R 34.11-94 * @GNUTLS_SIGN_GOST_256: Digital signature algorithm GOST R 34.10-2012 with GOST R 34.11-2012 256 bit * @GNUTLS_SIGN_GOST_512: Digital signature algorithm GOST R 34.10-2012 with GOST R 34.11-2012 512 bit + * @GNUTLS_SIGN_EDDSA_ED448: Digital signature algorithm EdDSA with Ed448 curve. * * Enumeration of different digital signature algorithms. */ @@ -968,7 +981,8 @@ typedef enum { GNUTLS_SIGN_GOST_94 = 43, GNUTLS_SIGN_GOST_256 = 44, GNUTLS_SIGN_GOST_512 = 45, - GNUTLS_SIGN_MAX = GNUTLS_SIGN_GOST_512 + GNUTLS_SIGN_EDDSA_ED448 = 46, + GNUTLS_SIGN_MAX = GNUTLS_SIGN_EDDSA_ED448 } gnutls_sign_algorithm_t; /** @@ -993,6 +1007,8 @@ typedef enum { * @GNUTLS_ECC_CURVE_GOST256B: GOST R 34.10 TC26 256 B curve * @GNUTLS_ECC_CURVE_GOST256C: GOST R 34.10 TC26 256 C curve * @GNUTLS_ECC_CURVE_GOST256D: GOST R 34.10 TC26 256 D curve + * @GNUTLS_ECC_CURVE_X448: the X448 curve (ECDH only) + * @GNUTLS_ECC_CURVE_ED448: the Ed448 curve * * Enumeration of ECC curves. */ @@ -1017,7 +1033,9 @@ typedef enum { GNUTLS_ECC_CURVE_GOST256B, GNUTLS_ECC_CURVE_GOST256C, GNUTLS_ECC_CURVE_GOST256D, - GNUTLS_ECC_CURVE_MAX = GNUTLS_ECC_CURVE_GOST256D + GNUTLS_ECC_CURVE_X448, + GNUTLS_ECC_CURVE_ED448, + GNUTLS_ECC_CURVE_MAX = GNUTLS_ECC_CURVE_ED448 } gnutls_ecc_curve_t; /** @@ -1041,6 +1059,7 @@ typedef enum { * @GNUTLS_GROUP_FFDHE4096: the FFDHE4096 group * @GNUTLS_GROUP_FFDHE6144: the FFDHE6144 group * @GNUTLS_GROUP_FFDHE8192: the FFDHE8192 group + * @GNUTLS_GROUP_X448: the X448 curve group * * Enumeration of supported groups. It is intended to be backwards * compatible with the enumerations in %gnutls_ecc_curve_t for the groups @@ -1054,6 +1073,7 @@ typedef enum { GNUTLS_GROUP_SECP384R1 = GNUTLS_ECC_CURVE_SECP384R1, GNUTLS_GROUP_SECP521R1 = GNUTLS_ECC_CURVE_SECP521R1, GNUTLS_GROUP_X25519 = GNUTLS_ECC_CURVE_X25519, + GNUTLS_GROUP_X448 = GNUTLS_ECC_CURVE_X448, GNUTLS_GROUP_GC256A = GNUTLS_ECC_CURVE_GOST256A, GNUTLS_GROUP_GC256B = GNUTLS_ECC_CURVE_GOST256B, diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c index 823c9b9809..4be8dc7eda 100644 --- a/lib/nettle/pk.c +++ b/lib/nettle/pk.c @@ -48,6 +48,12 @@ #include <nettle/ecdsa.h> #include <nettle/ecc-curve.h> #include <nettle/curve25519.h> +#if HAVE_CURVE448 +#include <nettle/curve448.h> +#else +#include "curve448/curve448.h" +#include "curve448/eddsa.h" +#endif #include <nettle/eddsa.h> #include <nettle/version.h> #if ENABLE_GOST @@ -235,6 +241,22 @@ ecc_shared_secret(struct ecc_scalar *private_key, */ #define DH_EXPONENT_SIZE(p_size) (2*_gnutls_pk_bits_to_subgroup_bits(p_size)) +static inline int +edwards_curve_mul(gnutls_pk_algorithm_t algo, + uint8_t *q, const uint8_t *n, const uint8_t *p) +{ + switch (algo) { + case GNUTLS_PK_ECDH_X25519: + curve25519_mul(q, n, p); + return 0; + case GNUTLS_PK_ECDH_X448: + curve448_mul(q, n, p); + return 0; + default: + return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE); + } +} + /* This is used for DH or ECDH key derivation. In DH for example * it is given the peers Y and our x, and calculates Y^x */ @@ -388,6 +410,7 @@ dh_cleanup: break; } case GNUTLS_PK_ECDH_X25519: + case GNUTLS_PK_ECDH_X448: { unsigned size = gnutls_ecc_curve_get_size(priv->curve); @@ -407,7 +430,9 @@ dh_cleanup: out->size = size; - curve25519_mul(out->data, priv->raw_priv.data, pub->raw_pub.data); + ret = edwards_curve_mul(algo, out->data, priv->raw_priv.data, pub->raw_pub.data); + if (ret < 0) + goto cleanup; if (_gnutls_mem_is_zero(out->data, out->size)) { gnutls_free(out->data); @@ -739,11 +764,43 @@ _rsa_pss_sign_digest_tr(gnutls_digest_algorithm_t dig, return ret; } +static inline gnutls_ecc_curve_t +get_eddsa_curve(gnutls_pk_algorithm_t algo) +{ + switch (algo) { + case GNUTLS_PK_EDDSA_ED25519: + return GNUTLS_ECC_CURVE_ED25519; + case GNUTLS_PK_EDDSA_ED448: + return GNUTLS_ECC_CURVE_ED448; + default: + return gnutls_assert_val(GNUTLS_ECC_CURVE_INVALID); + } +} + +static inline int +eddsa_sign(gnutls_pk_algorithm_t algo, + const uint8_t *pub, + const uint8_t *priv, + size_t length, const uint8_t *msg, + uint8_t *signature) +{ + switch (algo) { + case GNUTLS_PK_EDDSA_ED25519: + ed25519_sha512_sign(pub, priv, length, msg, signature); + return 0; + case GNUTLS_PK_EDDSA_ED448: + ed448_shake256_sign(pub, priv, length, msg, signature); + return 0; + default: + return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); + } +} + /* This is the lower-level part of privkey_sign_raw_data(). * * It accepts data in the appropriate hash form, i.e., DigestInfo * for PK_RSA, hash for PK_ECDSA, PK_DSA, PK_RSA_PSS, and raw data - * for Ed25519. + * for Ed25519 and Ed448. * * in case of EC/DSA, signed data are encoded into r,s values */ @@ -774,10 +831,11 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, switch (algo) { case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */ + case GNUTLS_PK_EDDSA_ED448: { const gnutls_ecc_curve_entry_st *e; - if (pk_params->curve != GNUTLS_ECC_CURVE_ED25519) + if (unlikely(get_eddsa_curve(algo) != pk_params->curve)) return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE); e = _gnutls_ecc_curve_get_params(pk_params->curve); @@ -792,12 +850,18 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, signature->size = e->sig_size; - if (pk_params->raw_pub.size != e->size || pk_params->raw_priv.size != e->size) - return gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED); + if (pk_params->raw_pub.size != e->size || pk_params->raw_priv.size != e->size) { + ret = gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED); + goto cleanup; + } - ed25519_sha512_sign(pk_params->raw_pub.data, - pk_params->raw_priv.data, - vdata->size, vdata->data, signature->data); + ret = eddsa_sign(algo, + pk_params->raw_pub.data, + pk_params->raw_priv.data, + vdata->size, vdata->data, + signature->data); + if (ret < 0) + goto cleanup; break; } @@ -1130,6 +1194,30 @@ _rsa_pss_verify_digest(gnutls_digest_algorithm_t dig, return verify_func(pub, salt_size, digest, s); } +static inline int +eddsa_verify(gnutls_pk_algorithm_t algo, + const uint8_t *pub, + size_t length, const uint8_t *msg, + const uint8_t *signature) +{ + int ret; + + switch (algo) { + case GNUTLS_PK_EDDSA_ED25519: + ret = ed25519_sha512_verify(pub, length, msg, signature); + if (ret == 0) + return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED); + return 0; + case GNUTLS_PK_EDDSA_ED448: + ret = ed448_shake256_verify(pub, length, msg, signature); + if (ret == 0) + return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED); + return 0; + default: + return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); + } +} + static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, const gnutls_datum_t * vdata, @@ -1149,10 +1237,11 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, switch (algo) { case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */ + case GNUTLS_PK_EDDSA_ED448: { const gnutls_ecc_curve_entry_st *e; - if (pk_params->curve != GNUTLS_ECC_CURVE_ED25519) + if (unlikely(get_eddsa_curve(algo) != pk_params->curve)) return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE); e = _gnutls_ecc_curve_get_params(pk_params->curve); @@ -1165,13 +1254,10 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, if (pk_params->raw_pub.size != e->size) return gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED); - ret = ed25519_sha512_verify(pk_params->raw_pub.data, vdata->size, vdata->data, signature->data); - if (ret == 0) { - gnutls_assert(); - ret = GNUTLS_E_PK_SIG_VERIFY_FAILED; - } else { - ret = 0; - } + ret = eddsa_verify(algo, + pk_params->raw_pub.data, + vdata->size, vdata->data, + signature->data); break; } #if ENABLE_GOST @@ -1431,6 +1517,8 @@ static int _wrap_nettle_pk_curve_exists(gnutls_ecc_curve_t curve) switch (curve) { case GNUTLS_ECC_CURVE_ED25519: case GNUTLS_ECC_CURVE_X25519: + case GNUTLS_ECC_CURVE_ED448: + case GNUTLS_ECC_CURVE_X448: return 1; default: return ((get_supported_nist_curve(curve)!=NULL || @@ -1556,6 +1644,7 @@ wrap_nettle_pk_generate_params(gnutls_pk_algorithm_t algo, case GNUTLS_PK_RSA: case GNUTLS_PK_ECDSA: case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: #if ENABLE_GOST case GNUTLS_PK_GOST_01: case GNUTLS_PK_GOST_12_256: @@ -1914,6 +2003,7 @@ gnutls_x509_spki_st spki; FALLTHROUGH; case GNUTLS_PK_EC: /* we only do keys for ECDSA */ case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: case GNUTLS_PK_DSA: case GNUTLS_PK_RSA_PSS: case GNUTLS_PK_GOST_01: @@ -1934,6 +2024,7 @@ gnutls_x509_spki_st spki; break; case GNUTLS_PK_DH: case GNUTLS_PK_ECDH_X25519: + case GNUTLS_PK_ECDH_X448: ret = 0; goto cleanup; default: @@ -1953,6 +2044,38 @@ cleanup: } #endif +static inline int +eddsa_public_key(gnutls_pk_algorithm_t algo, + uint8_t *pub, const uint8_t *priv) +{ + switch (algo) { + case GNUTLS_PK_EDDSA_ED25519: + ed25519_sha512_public_key(pub, priv); + return 0; + case GNUTLS_PK_EDDSA_ED448: + ed448_shake256_public_key(pub, priv); + return 0; + default: + return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); + } +} + +static inline int +edwards_curve_mul_g(gnutls_pk_algorithm_t algo, + uint8_t *q, const uint8_t *n) +{ + switch (algo) { + case GNUTLS_PK_ECDH_X25519: + curve25519_mul_g(q, n); + return 0; + case GNUTLS_PK_ECDH_X448: + curve448_mul_g(q, n); + return 0; + default: + return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE); + } +} + /* To generate a DH key either q must be set in the params or * level should be set to the number of required bits. */ @@ -2190,13 +2313,14 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, break; } case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: { unsigned size = gnutls_ecc_curve_get_size(level); if (params->pkflags & GNUTLS_PK_FLAG_PROVABLE) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - if (level != GNUTLS_ECC_CURVE_ED25519) + if (unlikely(get_eddsa_curve(algo) != level)) return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE); if (size == 0) @@ -2222,7 +2346,11 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, params->raw_pub.size = size; params->raw_priv.size = size; - ed25519_sha512_public_key(params->raw_pub.data, params->raw_priv.data); + ret = eddsa_public_key(algo, + params->raw_pub.data, + params->raw_priv.data); + if (ret < 0) + goto fail; break; } @@ -2335,6 +2463,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, } #endif case GNUTLS_PK_ECDH_X25519: + case GNUTLS_PK_ECDH_X448: { unsigned size = gnutls_ecc_curve_get_size(level); @@ -2361,7 +2490,9 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, params->raw_pub.size = size; params->raw_priv.size = size; - curve25519_mul_g(params->raw_pub.data, params->raw_priv.data); + ret = edwards_curve_mul_g(algo, params->raw_pub.data, params->raw_priv.data); + if (ret < 0) + goto fail; break; } default: @@ -2595,18 +2726,29 @@ wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo, mpz_clear(y2); } break; - case GNUTLS_PK_EDDSA_ED25519: { - uint8_t pub[32]; + case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: { + gnutls_ecc_curve_t curve; + const gnutls_ecc_curve_entry_st *e; + uint8_t pub[57]; /* can accommodate both curves */ + + curve = get_eddsa_curve(algo); + e = _gnutls_ecc_curve_get_params(curve); + if (e == NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); if (params->raw_pub.data == NULL) { return 0; /* nothing to verify */ } - if (params->raw_pub.size != 32) + if (params->raw_pub.size != e->size) return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); - ed25519_sha512_public_key(pub, params->raw_priv.data); - if (memcmp(params->raw_pub.data, pub, 32) != 0) + ret = eddsa_public_key(algo, pub, params->raw_priv.data); + if (ret < 0) + return ret; + + if (memcmp(params->raw_pub.data, pub, e->size) != 0) return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); ret = 0; @@ -2707,6 +2849,7 @@ wrap_nettle_pk_verify_pub_params(gnutls_pk_algorithm_t algo, case GNUTLS_PK_RSA_PSS: case GNUTLS_PK_DSA: case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: return 0; case GNUTLS_PK_ECDSA: { @@ -2892,8 +3035,9 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo, if (ret == 0) { return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY); } - } else if (algo == GNUTLS_PK_EDDSA_ED25519) { - if (params->curve != GNUTLS_ECC_CURVE_ED25519) + } else if (algo == GNUTLS_PK_EDDSA_ED25519 || + algo == GNUTLS_PK_EDDSA_ED448) { + if (unlikely(get_eddsa_curve(algo) != params->curve)) return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE); if (params->raw_priv.data == NULL) @@ -2906,7 +3050,14 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo, if (params->raw_pub.data == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - ed25519_sha512_public_key(params->raw_pub.data, params->raw_priv.data); + ret = eddsa_public_key(algo, + params->raw_pub.data, + params->raw_priv.data); + if (ret < 0) { + gnutls_free(params->raw_pub.data); + return ret; + } + params->raw_pub.size = params->raw_priv.size; } else if (algo == GNUTLS_PK_RSA_PSS) { if (params->params_nr < RSA_PRIVATE_PARAMS - 3) @@ -1215,6 +1215,7 @@ pk_prepare_hash(gnutls_pk_algorithm_t pk, case GNUTLS_PK_DSA: case GNUTLS_PK_ECDSA: case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: case GNUTLS_PK_GOST_01: case GNUTLS_PK_GOST_12_256: case GNUTLS_PK_GOST_12_512: diff --git a/lib/priority.c b/lib/priority.c index bcabee9018..ad99459adb 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -132,7 +132,8 @@ static const int _supported_groups_ecdh[] = { GNUTLS_GROUP_SECP256R1, GNUTLS_GROUP_SECP384R1, GNUTLS_GROUP_SECP521R1, - GNUTLS_GROUP_X25519, /* draft-ietf-tls-rfc4492bis */ + GNUTLS_GROUP_X25519, /* RFC 8422 */ + GNUTLS_GROUP_X448, /* RFC 8422 */ 0 }; @@ -153,7 +154,8 @@ static const int _supported_groups_normal[] = { GNUTLS_GROUP_SECP256R1, GNUTLS_GROUP_SECP384R1, GNUTLS_GROUP_SECP521R1, - GNUTLS_GROUP_X25519, /* draft-ietf-tls-rfc4492bis */ + GNUTLS_GROUP_X25519, /* RFC 8422 */ + GNUTLS_GROUP_X448, /* RFC 8422 */ /* These should stay last as our default behavior * is to send key shares for two top types (GNUTLS_KEY_SHARE_TOP2) @@ -172,7 +174,8 @@ static const int _supported_groups_secure128[] = { GNUTLS_GROUP_SECP256R1, GNUTLS_GROUP_SECP384R1, GNUTLS_GROUP_SECP521R1, - GNUTLS_GROUP_X25519, /* draft-ietf-tls-rfc4492bis */ + GNUTLS_GROUP_X25519, /* RFC 8422 */ + GNUTLS_GROUP_X448, /* RFC 8422 */ GNUTLS_GROUP_FFDHE2048, GNUTLS_GROUP_FFDHE3072, GNUTLS_GROUP_FFDHE4096, @@ -419,6 +422,8 @@ static const int _sign_priority_default[] = { GNUTLS_SIGN_ECDSA_SHA384, GNUTLS_SIGN_ECDSA_SECP384R1_SHA384, + GNUTLS_SIGN_EDDSA_ED448, + GNUTLS_SIGN_RSA_SHA512, GNUTLS_SIGN_RSA_PSS_SHA512, GNUTLS_SIGN_RSA_PSS_RSAE_SHA512, @@ -455,6 +460,7 @@ static const int _sign_priority_secure128[] = { GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_ECDSA_SHA256, GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, + GNUTLS_SIGN_EDDSA_ED25519, GNUTLS_SIGN_RSA_SHA384, @@ -463,6 +469,8 @@ static const int _sign_priority_secure128[] = { GNUTLS_SIGN_ECDSA_SHA384, GNUTLS_SIGN_ECDSA_SECP384R1_SHA384, + GNUTLS_SIGN_EDDSA_ED448, + GNUTLS_SIGN_RSA_SHA512, GNUTLS_SIGN_RSA_PSS_SHA512, GNUTLS_SIGN_RSA_PSS_RSAE_SHA512, diff --git a/lib/privkey.c b/lib/privkey.c index 425cc3e7c6..4114e2ca18 100644 --- a/lib/privkey.c +++ b/lib/privkey.c @@ -205,6 +205,7 @@ privkey_to_pubkey(gnutls_pk_algorithm_t pk, break; case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: ret = _gnutls_set_datum(&pub->raw_pub, priv->raw_pub.data, priv->raw_pub.size); if (ret < 0) return gnutls_assert_val(ret); diff --git a/lib/pubkey.c b/lib/pubkey.c index 3b4d7f9003..eb7fdbaa82 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c @@ -61,6 +61,7 @@ unsigned pubkey_to_bits(const gnutls_pk_params_st * params) return _gnutls_mpi_get_nbits(params->params[DSA_P]); case GNUTLS_PK_ECDSA: case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: case GNUTLS_PK_GOST_01: case GNUTLS_PK_GOST_12_256: case GNUTLS_PK_GOST_12_512: @@ -316,6 +317,12 @@ gnutls_pubkey_get_preferred_hash_algorithm(gnutls_pubkey_t key, ret = 0; break; + case GNUTLS_PK_EDDSA_ED448: + if (hash) + *hash = GNUTLS_DIG_SHAKE_256; + + ret = 0; + break; case GNUTLS_PK_GOST_01: case GNUTLS_PK_GOST_12_256: case GNUTLS_PK_GOST_12_512: @@ -891,7 +898,8 @@ gnutls_pubkey_export_ecc_raw2(gnutls_pubkey_t key, if (curve) *curve = key->params.curve; - if (key->params.algo == GNUTLS_PK_EDDSA_ED25519) { + if (key->params.algo == GNUTLS_PK_EDDSA_ED25519 || + key->params.algo == GNUTLS_PK_EDDSA_ED448) { if (x) { ret = _gnutls_set_datum(x, key->params.raw_pub.data, key->params.raw_pub.size); if (ret < 0) @@ -1429,7 +1437,16 @@ gnutls_pubkey_import_ecc_raw(gnutls_pubkey_t key, goto cleanup; } - key->params.algo = GNUTLS_PK_EDDSA_ED25519; + switch (curve) { + case GNUTLS_ECC_CURVE_ED25519: + key->params.algo = GNUTLS_PK_EDDSA_ED25519; + break; + case GNUTLS_ECC_CURVE_ED448: + key->params.algo = GNUTLS_PK_EDDSA_ED448; + break; + default: + break; + } key->params.curve = curve; key->bits = pubkey_to_bits(&key->params); @@ -2232,6 +2249,7 @@ pubkey_verify_data(const gnutls_sign_entry_st *se, break; case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: if (_gnutls_pk_verify(se->pk, data, signature, params, sign_params) != 0) { gnutls_assert(); return GNUTLS_E_PK_SIG_VERIFY_FAILED; diff --git a/lib/x509/common.h b/lib/x509/common.h index d36c263a58..498ccc4e97 100644 --- a/lib/x509/common.h +++ b/lib/x509/common.h @@ -98,6 +98,7 @@ #define SIG_RSA_SHA3_512_OID "2.16.840.1.101.3.4.3.16" #define SIG_EDDSA_SHA512_OID "1.3.101.112" +#define SIG_ED448_OID "1.3.101.113" #define XMPP_OID "1.3.6.1.5.5.7.8.5" #define KRB5_PRINCIPAL_OID "1.3.6.1.5.2.2" diff --git a/lib/x509/key_decode.c b/lib/x509/key_decode.c index e42f5e0962..c79f6eee37 100644 --- a/lib/x509/key_decode.c +++ b/lib/x509/key_decode.c @@ -565,6 +565,9 @@ int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t algo, uint8_t * der, case GNUTLS_PK_EDDSA_ED25519: ret = _gnutls_x509_read_eddsa_pubkey(GNUTLS_ECC_CURVE_ED25519, der, dersize, params); break; + case GNUTLS_PK_EDDSA_ED448: + ret = _gnutls_x509_read_eddsa_pubkey(GNUTLS_ECC_CURVE_ED448, der, dersize, params); + break; case GNUTLS_PK_GOST_01: case GNUTLS_PK_GOST_12_256: case GNUTLS_PK_GOST_12_512: @@ -590,6 +593,7 @@ int _gnutls_x509_read_pubkey_params(gnutls_pk_algorithm_t algo, switch (algo) { case GNUTLS_PK_RSA: case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: return 0; case GNUTLS_PK_RSA_PSS: return _gnutls_x509_read_rsa_pss_params(der, dersize, ¶ms->spki); @@ -634,6 +638,7 @@ int _gnutls_x509_check_pubkey_params(gnutls_pk_params_st * params) case GNUTLS_PK_DSA: case GNUTLS_PK_ECDSA: case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: case GNUTLS_PK_GOST_01: case GNUTLS_PK_GOST_12_256: case GNUTLS_PK_GOST_12_512: diff --git a/lib/x509/key_encode.c b/lib/x509/key_encode.c index a589dd4f33..b9cbcff7bc 100644 --- a/lib/x509/key_encode.c +++ b/lib/x509/key_encode.c @@ -150,7 +150,8 @@ _gnutls_x509_write_eddsa_pubkey(const gnutls_pk_params_st * params, if (params->raw_pub.size == 0) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - if (params->curve != GNUTLS_ECC_CURVE_ED25519) + if (params->curve != GNUTLS_ECC_CURVE_ED25519 && + params->curve != GNUTLS_ECC_CURVE_ED448) return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE); ret = _gnutls_set_datum(raw, params->raw_pub.data, params->raw_pub.size); @@ -252,6 +253,7 @@ _gnutls_x509_write_pubkey_params(const gnutls_pk_params_st * params, case GNUTLS_PK_ECDSA: return _gnutls_x509_write_ecc_params(params->curve, der); case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: der->data = NULL; der->size = 0; @@ -278,6 +280,7 @@ _gnutls_x509_write_pubkey(const gnutls_pk_params_st * params, case GNUTLS_PK_ECDSA: return _gnutls_x509_write_ecc_pubkey(params, der); case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: return _gnutls_x509_write_eddsa_pubkey(params, der); case GNUTLS_PK_GOST_01: case GNUTLS_PK_GOST_12_256: @@ -1031,6 +1034,7 @@ int _gnutls_asn1_encode_privkey(ASN1_TYPE * c2, return _gnutls_asn1_encode_dsa(c2, params); case GNUTLS_PK_ECDSA: case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: return _gnutls_asn1_encode_ecc(c2, params); case GNUTLS_PK_GOST_01: case GNUTLS_PK_GOST_12_256: diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c index 1be3da484e..a0bdfab9f7 100644 --- a/lib/x509/mpi.c +++ b/lib/x509/mpi.c @@ -134,7 +134,9 @@ _gnutls_get_asn_mpis(ASN1_TYPE asn, const char *root, _asnstr_append_name(name, sizeof(name), root, ".algorithm.parameters"); - if (pk_algorithm != GNUTLS_PK_RSA && pk_algorithm != GNUTLS_PK_EDDSA_ED25519 && pk_algorithm != GNUTLS_PK_ECDH_X25519) { + if (pk_algorithm != GNUTLS_PK_RSA && + pk_algorithm != GNUTLS_PK_EDDSA_ED25519 && pk_algorithm != GNUTLS_PK_ECDH_X25519 && + pk_algorithm != GNUTLS_PK_EDDSA_ED448 && pk_algorithm != GNUTLS_PK_ECDH_X448) { /* RSA and EdDSA do not use parameters */ result = _gnutls_x509_read_value(asn, name, &tmp); if (pk_algorithm == GNUTLS_PK_RSA_PSS && diff --git a/lib/x509/output.c b/lib/x509/output.c index da45917753..2aa78b478b 100644 --- a/lib/x509/output.c +++ b/lib/x509/output.c @@ -1406,6 +1406,7 @@ print_pubkey(gnutls_buffer_st * str, const char *key_name, break; case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: case GNUTLS_PK_ECDSA: { gnutls_datum_t x, y; diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index a9579914f8..b26295e51b 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -1116,7 +1116,17 @@ gnutls_x509_privkey_import_ecc_raw(gnutls_x509_privkey_t key, if (curve_is_eddsa(curve)) { unsigned size; - key->params.algo = GNUTLS_PK_EDDSA_ED25519; + switch (curve) { + case GNUTLS_ECC_CURVE_ED25519: + key->params.algo = GNUTLS_PK_EDDSA_ED25519; + break; + case GNUTLS_ECC_CURVE_ED448: + key->params.algo = GNUTLS_PK_EDDSA_ED448; + break; + default: + ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + goto cleanup; + } size = gnutls_ecc_curve_get_size(curve); if (x->size != size || k->size != size) { diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index bcc6dd24ec..f23008fbe5 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -69,6 +69,7 @@ _encode_privkey(gnutls_x509_privkey_t pkey, gnutls_datum_t * raw) switch (pkey->params.algo) { case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: /* we encode as octet string (which is going to be stored inside * another octet string). No comments. */ ret = _gnutls_x509_encode_string(ASN1_ETYPE_OCTET_STRING, @@ -1115,7 +1116,16 @@ _decode_pkcs8_eddsa_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey, const c return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); } gnutls_free(pkey->params.raw_priv.data); - pkey->params.algo = GNUTLS_PK_EDDSA_ED25519; + switch (curve) { + case GNUTLS_ECC_CURVE_ED25519: + pkey->params.algo = GNUTLS_PK_EDDSA_ED25519; + break; + case GNUTLS_ECC_CURVE_ED448: + pkey->params.algo = GNUTLS_PK_EDDSA_ED448; + break; + default: + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + } pkey->params.raw_priv.data = tmp.data; pkey->params.raw_priv.size = tmp.size; pkey->params.curve = curve; @@ -1449,6 +1459,7 @@ decode_private_key_info(const gnutls_datum_t * der, result = _decode_pkcs8_ecc_key(pkcs8_asn, pkey); break; case GNUTLS_PK_EDDSA_ED25519: + case GNUTLS_PK_EDDSA_ED448: result = _decode_pkcs8_eddsa_key(pkcs8_asn, pkey, oid); break; case GNUTLS_PK_GOST_01: diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index 39a25307a0..050e95059e 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -48,6 +48,8 @@ #define HASH_OID_SHA3_256 "2.16.840.1.101.3.4.2.8" #define HASH_OID_SHA3_384 "2.16.840.1.101.3.4.2.9" #define HASH_OID_SHA3_512 "2.16.840.1.101.3.4.2.10" +#define HASH_OID_SHAKE_128 "2.16.840.1.101.3.4.2.11" +#define HASH_OID_SHAKE_256 "2.16.840.1.101.3.4.2.12" #define HASH_OID_GOST_R_3411_94 "1.2.643.2.2.9" #define HASH_OID_STREEBOG_256 "1.2.643.7.1.1.2.2" #define HASH_OID_STREEBOG_512 "1.2.643.7.1.1.2.3" |