diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2016-02-25 17:46:14 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-02-28 22:54:54 +0000 |
commit | 1db3107ada6a93140b6b7deb59346b1c14e0adb8 (patch) | |
tree | d230476b2030aebfbf0be5fc4f6328ce5a6005bd /ssl | |
parent | db50c1da199145e0427ec5d3e457d5c2249cc078 (diff) |
TLS support for X25519
Add X25519 to TLS supported curve list.
Reject attempts to configure keys which cannot be used
for signing.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_rsa.c | 5 | ||||
-rw-r--r-- | ssl/t1_lib.c | 10 |
2 files changed, 13 insertions, 2 deletions
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index f93db31c77..abced26ae1 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -378,6 +378,11 @@ static int ssl_set_cert(CERT *c, X509 *x) return 0; } + if (i == SSL_PKEY_ECC && !EC_KEY_can_sign(EVP_PKEY_get0_EC_KEY(pkey))) { + SSLerr(SSL_F_SSL_SET_CERT, SSL_R_ECC_CERT_NOT_FOR_SIGNING); + return 0; + } + if (c->pkeys[i].privatekey != NULL) { /* * The return code from EVP_PKEY_copy_parameters is deliberately diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index db5f0f6b44..f02317e09f 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -222,9 +222,11 @@ typedef struct { unsigned int flags; /* Flags: currently just field type */ } tls_curve_info; -# define TLS_CURVE_TYPE 0x1 -# define TLS_CURVE_CHAR2 0x1 +/* Mask for curve type */ +# define TLS_CURVE_TYPE 0x3 # define TLS_CURVE_PRIME 0x0 +# define TLS_CURVE_CHAR2 0x1 +# define TLS_CURVE_CUSTOM 0x2 /* * Table of curve information. @@ -261,6 +263,8 @@ static const tls_curve_info nid_list[] = { {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */ + /* X25519 (29) */ + {NID_X25519, 128, TLS_CURVE_CUSTOM}, }; static const unsigned char ecformats_default[] = { @@ -271,6 +275,7 @@ static const unsigned char ecformats_default[] = { /* The default curves */ static const unsigned char eccurves_default[] = { + 0, 29, /* X25519 (29) */ /* Prefer P-256 which has the fastest and most secure implementations. */ 0, 23, /* secp256r1 (23) */ /* Other >= 256-bit prime curves. */ @@ -290,6 +295,7 @@ static const unsigned char eccurves_default[] = { }; static const unsigned char eccurves_all[] = { + 0, 29, /* X25519 (29) */ /* Prefer P-256 which has the fastest and most secure implementations. */ 0, 23, /* secp256r1 (23) */ /* Other >= 256-bit prime curves. */ |