Add TLS support for X448 and Ed448 #5470
Conversation
|
Do you know about an other implementation that supports them and have you tried talking to it? |
|
No, I haven't tried. I'll look into it. |
|
https://gitlab.com/ilari_l/btls claims to support X448 and experimental Ed448, it's the only thing I could find. |
test/clienthellotest.c
Outdated
| * Otherwise we need to make sure we have a small enough message to | ||
| * not need padding. | ||
| */ | ||
| else if (!TEST_true(SSL_CTX_set_cipher_list(ctx, |
There was a problem hiding this comment.
Does that else belong to just the "currtest == TEST_ADD_PADDING"?
There was a problem hiding this comment.
Yes, good catch. Fixed.
| @@ -239,7 +239,7 @@ static int test_builtin(void) | |||
| unsigned char dirt, offset; | |||
|
|
|||
| nid = curves[n].nid; | |||
| if (nid == NID_ipsec4 || nid == NID_X25519) | |||
| if (nid == NID_ipsec4) | |||
There was a problem hiding this comment.
Should NID_ipsec3 get excluded here too?
There was a problem hiding this comment.
It actually does get excluded a few lines below in the EC_GROUP_get_degree() check.
| "ExpectedServerCertType" =>, "Ed448", | ||
| "ExpectedServerSignType" =>, "Ed448", | ||
| # Note: certificate_authorities not sent for TLS < 1.3 | ||
| "ExpectedServerCANames" =>, "empty", |
There was a problem hiding this comment.
Should we have a TLS 1.3 check with it?
There was a problem hiding this comment.
Do you mean should we have a check with Ed448 signing in TLSv1.3? If so there is one a bit later on (in the TLSv1.3 group of tests).
mattcaswell
force-pushed
the
curve448-tls
branch
from
9fe3208
to
cfdbc04
Compare
mattcaswell
changed the title
|
I rebased this now that #5481 is merged. Also made one change as per the comments above. |
|
Oh...and I took this out of WIP. |
CHANGES
Outdated
| @@ -9,8 +9,8 @@ | |||
|
|
|||
| Changes between 1.1.0g and 1.1.1 [xx XXX xxxx] | |||
|
|
|||
| *) Added support for X448 and Ed448. Currently this is only supported in | |||
| libcrypto (not libssl). Heavily based on original work by Mike Hamburg. | |||
| *) Added support for X448 and Ed448 to both libcrypto and libssl. Heavily | |||
There was a problem hiding this comment.
get rid of "to both librypto and libssl"
| @@ -231,6 +231,9 @@ static const char *get_sigtype(int nid) | |||
| case NID_ED25519: | |||
| return "Ed25519"; | |||
|
|
|||
| case NID_ED448: | |||
| return "Ed448"; | |||
There was a problem hiding this comment.
I thought we call it X448 ?
There was a problem hiding this comment.
In this context we are specifically referring to it as a signature algorithm. Which means Ed448. We only use X448 if referring to it in the context of a Diffie-Hellman key exchange.
test/ossl_shim/ossl_shim.cc
Outdated
| @@ -968,7 +968,7 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session, | |||
| } | |||
| if (config->enable_all_curves) { | |||
| static const int kAllCurves[] = { | |||
| NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, NID_X25519, | |||
| NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, NID_X25519, NID_X448 | |||
There was a problem hiding this comment.
If only to avoid questions like this one, should this be in the same order as eccurves_default?
| @@ -17,7 +17,7 @@ my @curves = ("sect163k1", "sect163r1", "sect163r2", "sect193r1", | |||
| "secp160r2", "secp192k1", "prime192v1", "secp224k1", | |||
| "secp224r1", "secp256k1", "prime256v1", "secp384r1", | |||
| "secp521r1", "brainpoolP256r1", "brainpoolP384r1", | |||
| "brainpoolP512r1", "X25519"); | |||
| "brainpoolP512r1", "X25519", "X448"); | |||
There was a problem hiding this comment.
This one is slightly different. It is a complete list of all the curves (not just default ones). Therefore it seems to make more sense to me to be in the order of the full nid_list (just above eccurves_default in t1_lib.c). This list is in that order.
I tested against that. Note this only supports TLSv1.2 (although it does seem to have some TLSv1.3 awareness as it validates the key_share extension - even though it doesn't use it (see below)). After much frustration (there are no instructions) I successfully created a connection using both X448 and Ed448 blts-clienttest -> s_server. Connections using Ed448 s_client -> btls-servertest also fine. Initially connections using X448 s_client -> btls-servertest failed. This seems to be due to a bug in btls. I forced X448 on s_client by using "-groups X448". This sends a supported_groups extension containing exactly one group. However the btls server always seems to fail if the key_share uses a group which is the last one listed in supported_groups. Looking at the btls source code I was able to find the erroneous code. Sending more than one group solves the issues and X448 s_client -> btls-servertest works. |
Ah. Although it only claims TLSv1.2 in the README, looking around the source code it does seem to know about TLSv1.3, but I think it is for a different draft version. Checking that out... |
It does support draft23/draft24. After hacking the source files to turn this on (surely there must be an easier way?) I encountered an OpenSSL bug that prevented a handshake from completing. This was nothing to do with X448/Ed448 - it was in our extension processing code (PR coming up). After fixing that I was able to confirm inter-operability for X448/Ed448 in both directions in TLSv1.3. |
|
I have also tested haskell client to s_server using X448. Also X448 in both directions for mint based on this PR: Note, in spite of the title of the PR, it only adds X448 support not Ed448. All of the above tests passed. |
|
Fix up commits pushed addressing @richsalz's nits (where appropriate). |
|
Your changes and comments make sense; reconfirmed. |
|
Pushed. Thanks. |
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from openssl/openssl#5470)
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from openssl/openssl#5470)
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from openssl/openssl#5470)
This PR adds support for X448 and Ed448 into libssl.
Note I'm planning to get all of this merged before beta1 (in 2 weeks!) if at all possible!!