-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add TLS support for X448 and Ed448 #5470
Conversation
Do you know about an other implementation that supports them and have you tried talking to it? |
No, I haven't tried. I'll look into it. |
https://gitlab.com/ilari_l/btls claims to support X448 and experimental Ed448, it's the only thing I could find. |
test/clienthellotest.c
Outdated
* Otherwise we need to make sure we have a small enough message to | ||
* not need padding. | ||
*/ | ||
else if (!TEST_true(SSL_CTX_set_cipher_list(ctx, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does that else belong to just the "currtest == TEST_ADD_PADDING"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, good catch. Fixed.
@@ -239,7 +239,7 @@ static int test_builtin(void) | |||
unsigned char dirt, offset; | |||
|
|||
nid = curves[n].nid; | |||
if (nid == NID_ipsec4 || nid == NID_X25519) | |||
if (nid == NID_ipsec4) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should NID_ipsec3 get excluded here too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It actually does get excluded a few lines below in the EC_GROUP_get_degree()
check.
"ExpectedServerCertType" =>, "Ed448", | ||
"ExpectedServerSignType" =>, "Ed448", | ||
# Note: certificate_authorities not sent for TLS < 1.3 | ||
"ExpectedServerCANames" =>, "empty", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we have a TLS 1.3 check with it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mean should we have a check with Ed448 signing in TLSv1.3? If so there is one a bit later on (in the TLSv1.3 group of tests).
9fe3208
to
cfdbc04
Compare
I rebased this now that #5481 is merged. Also made one change as per the comments above. |
Oh...and I took this out of WIP. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd wait for @kroeckx, but I'm okay with this after the nits.
CHANGES
Outdated
@@ -9,8 +9,8 @@ | |||
|
|||
Changes between 1.1.0g and 1.1.1 [xx XXX xxxx] | |||
|
|||
*) Added support for X448 and Ed448. Currently this is only supported in | |||
libcrypto (not libssl). Heavily based on original work by Mike Hamburg. | |||
*) Added support for X448 and Ed448 to both libcrypto and libssl. Heavily |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
get rid of "to both librypto and libssl"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok - done.
@@ -231,6 +231,9 @@ static const char *get_sigtype(int nid) | |||
case NID_ED25519: | |||
return "Ed25519"; | |||
|
|||
case NID_ED448: | |||
return "Ed448"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought we call it X448 ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this context we are specifically referring to it as a signature algorithm. Which means Ed448. We only use X448 if referring to it in the context of a Diffie-Hellman key exchange.
test/ossl_shim/ossl_shim.cc
Outdated
@@ -968,7 +968,7 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session, | |||
} | |||
if (config->enable_all_curves) { | |||
static const int kAllCurves[] = { | |||
NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, NID_X25519, | |||
NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, NID_X25519, NID_X448 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If only to avoid questions like this one, should this be in the same order as eccurves_default
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok - done.
@@ -17,7 +17,7 @@ my @curves = ("sect163k1", "sect163r1", "sect163r2", "sect193r1", | |||
"secp160r2", "secp192k1", "prime192v1", "secp224k1", | |||
"secp224r1", "secp256k1", "prime256v1", "secp384r1", | |||
"secp521r1", "brainpoolP256r1", "brainpoolP384r1", | |||
"brainpoolP512r1", "X25519"); | |||
"brainpoolP512r1", "X25519", "X448"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same ordering question.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This one is slightly different. It is a complete list of all the curves (not just default ones). Therefore it seems to make more sense to me to be in the order of the full nid_list (just above eccurves_default in t1_lib.c). This list is in that order.
I tested against that. Note this only supports TLSv1.2 (although it does seem to have some TLSv1.3 awareness as it validates the key_share extension - even though it doesn't use it (see below)). After much frustration (there are no instructions) I successfully created a connection using both X448 and Ed448 blts-clienttest -> s_server. Connections using Ed448 s_client -> btls-servertest also fine. Initially connections using X448 s_client -> btls-servertest failed. This seems to be due to a bug in btls. I forced X448 on s_client by using "-groups X448". This sends a supported_groups extension containing exactly one group. However the btls server always seems to fail if the key_share uses a group which is the last one listed in supported_groups. Looking at the btls source code I was able to find the erroneous code. Sending more than one group solves the issues and X448 s_client -> btls-servertest works. |
Ah. Although it only claims TLSv1.2 in the README, looking around the source code it does seem to know about TLSv1.3, but I think it is for a different draft version. Checking that out... |
It does support draft23/draft24. After hacking the source files to turn this on (surely there must be an easier way?) I encountered an OpenSSL bug that prevented a handshake from completing. This was nothing to do with X448/Ed448 - it was in our extension processing code (PR coming up). After fixing that I was able to confirm inter-operability for X448/Ed448 in both directions in TLSv1.3. |
I have also tested haskell client to s_server using X448. Also X448 in both directions for mint based on this PR: Note, in spite of the title of the PR, it only adds X448 support not Ed448. All of the above tests passed. |
Fix up commits pushed addressing @richsalz's nits (where appropriate). |
Your changes and comments make sense; reconfirmed. |
Pushed. Thanks. |
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from openssl/openssl#5470)
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from openssl/openssl#5470)
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from openssl/openssl#5470)
This PR adds support for X448 and Ed448 into libssl.
Note I'm planning to get all of this merged before beta1 (in 2 weeks!) if at all possible!!