Ed25519 TLS support #3585
Ed25519 TLS support #3585
Conversation
BoringSSL has an implementation, though it's not exposed in Chrome yet. If using the command-line tool as a client, you'll need to pass the |
|
"openssl speed ecdsa" gives 0.0 sign/s and verify/s for X25519, not sure if it needs more hooking into that app |
| @@ -788,7 +792,8 @@ static const uint16_t tls_default_sigalg[] = { | |||
| TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ | |||
| TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ | |||
| TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */ | |||
| TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 /* SSL_PKEY_GOST12_512 */ | |||
| TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */ | |||
| 0 /* SSL_PKEY_ED25519 */ | |||
There was a problem hiding this comment.
Not sure I understand why this is 0 here.
There was a problem hiding this comment.
That table is the default signature algorithm associated with the certificate in the absence of a signature algorithms extension. That applies to TLS < 1.2 or TLS 1.2 if signature algorithms is not present only. It doesn't apply to TLS 1.3 because signature algorithms is mandatory.
Since Ed25519 can't be used with TLS < 1.3 it is zero.
There was a problem hiding this comment.
draft-ietf-tls-rfc4492bis-17 specifies it for TLS 1.2 as well, and is what we (BoringSSL) have implemented.
There was a problem hiding this comment.
Hmm... that makes it a bit more interesting. Will need to use the handshake record cache for Ed25519 and TLS 1.2. Looking into it.
There was a problem hiding this comment.
It's allowed with TLS 1.0 and 1.1 too.
There was a problem hiding this comment.
It's not only in the "signature_algorithms" extension but also the "Supported Elliptic Curves" extension. All previous 25 curves did not require distinct "signature_algorithms" entries after all.
I find nothing in the document that would restrict EdDSA to TLS >= 1.2. Otherwise I guess the introduction would not put ECDSA and EdDSA at the same level.
And EdDSA is explicitely mentioned as applicable before TLS 1.2 in section 5.10:
[...] Such standardization never took place, and as a result, SHA-1 is used in
TLS 1.1 and earlier (except for EdDSA, which uses identity function).
There was a problem hiding this comment.
The previous ECC curves could all be used for both ECDH and ECDSA. Ed25519 can be used for signing only and X25519 for ECDH: though there are similarities they're treated as distinct algorithms. The supported curves extension has an entry for x25519 but not Ed25519.
I'm not sure why that paragraph mentions TLS 1.1 and EdDSA. While it could theoretically be used there is no signalling mechanism for a client to indicate it supports Ed25519.
There was a problem hiding this comment.
Yes the curve assignments are named after the D-H functions and I agree that using them as a signal for signature support is my interpretation trying to make some sense from all of this.
I don't want to slow you down unnecessarily. I'll be happy to test EdDSA with TLS 1.2 in OpenSSL.
There was a problem hiding this comment.
The curve values have nothing to do with Ed25519 support. Ed25519 follows the TLS 1.3 negotiation mechanism where signing is purely determined by signature algorithms and curves/groups only affect (EC)DH. Plenty of clients today support X25519 without Ed25519 (including OpenSSL 1.1.0).
Re TLS 1.1 and below, we don't allow Ed25519 at those versions either for the same reason. It's rather silly without a signaling mechanism, and this is one less combination to worry about when thinking about downgrade possibilities, especially since you need TLS 1.2 to get a strong transcript hash.
There was a problem hiding this comment.
Anyway back to the original query. My comment still applies: the entry is 0 in tls_default_sigalg because there is no default signature algorithm for Ed25519: that is because we only use Ed25519 if the client explicitly indicates support for it.
|
Update: rebased against master, fixed signature algorithm print and setting, added a test. |
|
Update: rebased against master, experimental TLS 1.2 support, verified against BoringSSL. Updated tests. Note: to support the oneshot operation the data being signed/verified is first collected into a single malloced buffer. To simplify the code the oneshot API is always used though it is only needed with Ed25519. TODO: client auth currently untested. |
|
Thank you all for your explanations, I get it now. My manual tests run OK with both OpenSSL and BoringSSL. TLS 1.0 and 1.1 are rejected as expected. |
|
Update: added client auth tests. Rebased against master. Taking out of "WIP". |
crypto/x509/x509type.c
Outdated
| @@ -41,6 +41,9 @@ int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey) | |||
| case EVP_PKEY_EC: | |||
| ret = EVP_PK_EC | EVP_PKT_SIGN | EVP_PKT_EXCH; | |||
| break; | |||
| case NID_ED25519: | |||
| ret = EVP_PKT_SIGN; | |||
There was a problem hiding this comment.
Why no specific certificate type for Ed25519, e.g. EVP_PK_ED25519
There was a problem hiding this comment.
We don't have one for X25519 either. Should I add a type for both?
There was a problem hiding this comment.
For completeness, I guess we should, although I can't imagine there are ever going to be too many X25519 certificates???
There was a problem hiding this comment.
OK added in separate commit. We might see X25519 certificates for CMS but I think they'll be pretty rare.
ssl/statem/statem_clnt.c
Outdated
| && (exp_idx != SSL_PKEY_GOST_EC || | ||
| (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256 | ||
| && i != SSL_PKEY_GOST01))) { | ||
| && (exp_idx != SSL_PKEY_ECC && i != SSL_PKEY_ED25519) |
There was a problem hiding this comment.
This doesn't look right to me. Should this be:
(exp_idx != SSL_PKEY_ECC || i != SSL_PKEY_ED25519)
There was a problem hiding this comment.
Yes it should. Fix coming up
Approved by Oracle. Reviewed-by: Bernd Edlinger <[email protected]> (Merged from #3585)
|
Just for the record, the Oracle/Sun copyright change points here, and it should be #3685 |
| @@ -41,6 +41,9 @@ int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey) | |||
| case EVP_PKEY_EC: | |||
| ret = EVP_PK_EC | EVP_PKT_SIGN | EVP_PKT_EXCH; | |||
| break; | |||
| case EVP_PKEY_ED25519: | |||
| ret = EVP_PKT_SIGN; | |||
There was a problem hiding this comment.
This still looks odd to me. So we've changed the NID_X25519 -> EVP_PKEY_ED25519, but should the return flags see a similar change? e.g. ret = EVP_PK_ED25519 | EVP_PKT_SIGN
There was a problem hiding this comment.
X509_certificate_type() is an ancient function. The only reason Ed25519 has an entry there is because some code in tls_process_cert_verify() needs it to function. The only other recent addition (GOST) only has the capabilities bits set and no algorithm bits. Also I just checked EVP_PK_EC is not referenced anywhere in OpenSSL.
TBH while looking through this it was clear that adding a new certificate type was far more complex than it should be. There are functions all over the place that need changing and obscre additions to if/switch statements which it is too easy to get wrong. The only way to find them all is to test it and see what breaks and then fix it hoping you catch everything.
I think the whole thing can be handled with a single table of certificate capabilities. I'd planned a follow up PR to do exactly that. I could instead do that first and convert this PR to use the new scheme.
There was a problem hiding this comment.
No, a follow on PR will be fine.
There was a problem hiding this comment.
TBH while looking through this it was clear that adding a new certificate type was far more complex than it should be. There are functions all over the place that need changing and obscre additions to if/switch statements which it is too easy to get wrong. The only way to find them all is to test it and see what breaks and then fix it hoping you catch everything.
+1
mattcaswell
added
the
approval: done
|
Pushed, thanks everyone. |
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
Reviewed-by: Matt Caswell <[email protected]> (Merged from #3585)
This imports the following changes from OpenSSL: * openssl/openssl@aa8f3d7 * openssl/openssl@5aba2b6 * openssl/openssl@c80149d See the following links for some related discussion in OpenSSL's repository: * openssl/openssl#3663 * openssl/openssl#3684 * openssl/openssl#3585 (comment) * openssl/openssl#3685 The copyright_summary script may be used to compare this CL. Note there is one change to ecdsa_test.cc to align with OpenSSL. See go/openssl-copyright-consolidation-comparison (internal-only). Bug: 364634028 Change-Id: I987c4e145d2ccd0c32bbf9e7bb2cc69e89019d35 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/74712 Reviewed-by: Adam Langley <[email protected]> Commit-Queue: David Benjamin <[email protected]>
This imports the following changes from OpenSSL: * openssl/openssl@aa8f3d7 * openssl/openssl@5aba2b6 * openssl/openssl@c80149d See the following links for some related discussion in OpenSSL's repository: * openssl/openssl#3663 * openssl/openssl#3684 * openssl/openssl#3585 (comment) * openssl/openssl#3685 The copyright_summary script may be used to compare this CL. Note there is one change to ecdsa_test.cc to align with OpenSSL. See go/openssl-copyright-consolidation-comparison (internal-only). Bug: 364634028 Change-Id: I987c4e145d2ccd0c32bbf9e7bb2cc69e89019d35 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/74712 Reviewed-by: Adam Langley <[email protected]> Commit-Queue: David Benjamin <[email protected]>
Checklist
This PR adds support for Ed25519 in TLS 1.3 and TLS 1.2 for OpenSSL. The code can connect to itself and can also interop with BoringSSL.