TLS support for X25519

Add X25519 to TLS supported curve list.
Reject attempts to configure keys which cannot be used
for signing.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

4 files changed, 16 insertions, 3 deletions

diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
index b4edc212f5..399e4c79fc 100644
--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@@ -1,4 +1,3 @@
-/* crypto/ec/ec_err.c */
 /* ====================================================================
  * Copyright (c) 1999-2016 The OpenSSL Project.  All rights reserved.
  *
@@ -275,6 +274,8 @@ static ERR_STRING_DATA EC_str_reasons[] = {
     {ERR_REASON(EC_R_BIGNUM_OUT_OF_RANGE), "bignum out of range"},
     {ERR_REASON(EC_R_BUFFER_TOO_SMALL), "buffer too small"},
     {ERR_REASON(EC_R_COORDINATES_OUT_OF_RANGE), "coordinates out of range"},
+    {ERR_REASON(EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING),
+     "curve does not support signing"},
     {ERR_REASON(EC_R_D2I_ECPKPARAMETERS_FAILURE),
      "d2i ecpkparameters failure"},
     {ERR_REASON(EC_R_DECODE_ERROR), "decode error"},
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index ccd410f772..b03b65d1ee 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -1569,6 +1569,7 @@ void ERR_load_EC_strings(void);
 # define EC_R_BIGNUM_OUT_OF_RANGE                         144
 # define EC_R_BUFFER_TOO_SMALL                            100
 # define EC_R_COORDINATES_OUT_OF_RANGE                    146
+# define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING              159
 # define EC_R_D2I_ECPKPARAMETERS_FAILURE                  117
 # define EC_R_DECODE_ERROR                                142
 # define EC_R_DISCRIMINANT_IS_ZERO                        118
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index f93db31c77..abced26ae1 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -378,6 +378,11 @@ static int ssl_set_cert(CERT *c, X509 *x)
         return 0;
     }
 
+    if (i == SSL_PKEY_ECC && !EC_KEY_can_sign(EVP_PKEY_get0_EC_KEY(pkey))) {
+        SSLerr(SSL_F_SSL_SET_CERT, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
+        return 0;
+    }
+
     if (c->pkeys[i].privatekey != NULL) {
         /*
          * The return code from EVP_PKEY_copy_parameters is deliberately
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index db5f0f6b44..f02317e09f 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -222,9 +222,11 @@ typedef struct {
     unsigned int flags;         /* Flags: currently just field type */
 } tls_curve_info;
 
-# define TLS_CURVE_TYPE          0x1
-# define TLS_CURVE_CHAR2         0x1
+/* Mask for curve type */
+# define TLS_CURVE_TYPE          0x3
 # define TLS_CURVE_PRIME         0x0
+# define TLS_CURVE_CHAR2         0x1
+# define TLS_CURVE_CUSTOM        0x2
 
 /*
  * Table of curve information.
@@ -261,6 +263,8 @@ static const tls_curve_info nid_list[] = {
     {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
     {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
     {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
+    /* X25519 (29) */
+    {NID_X25519, 128, TLS_CURVE_CUSTOM},
 };
 
 static const unsigned char ecformats_default[] = {
@@ -271,6 +275,7 @@ static const unsigned char ecformats_default[] = {
 
 /* The default curves */
 static const unsigned char eccurves_default[] = {
+    0, 29,                      /* X25519 (29) */
     /* Prefer P-256 which has the fastest and most secure implementations. */
     0, 23,                      /* secp256r1 (23) */
     /* Other >= 256-bit prime curves. */
@@ -290,6 +295,7 @@ static const unsigned char eccurves_default[] = {
 };
 
 static const unsigned char eccurves_all[] = {
+    0, 29,                      /* X25519 (29) */
     /* Prefer P-256 which has the fastest and most secure implementations. */
     0, 23,                      /* secp256r1 (23) */
     /* Other >= 256-bit prime curves. */