Support EVP_PKEY_{sign,verify}_message with Ed25519.
It's amazing how short p_ed25519.c is.
BUG=187
Change-Id: Ib2a5fa7a4acf2087ece954506f81e91a1ed483e1
Reviewed-on: https://boringssl-review.googlesource.com/14449
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/err/evp.errordata b/crypto/err/evp.errordata
index 991195c..7cad638 100644
--- a/crypto/err/evp.errordata
+++ b/crypto/err/evp.errordata
@@ -15,6 +15,7 @@
EVP,114,INVALID_OPERATION
EVP,115,INVALID_PADDING_MODE
EVP,116,INVALID_PSS_SALTLEN
+EVP,131,INVALID_SIGNATURE
EVP,117,KEYS_NOT_SET
EVP,118,MISSING_PARAMETERS
EVP,130,NOT_A_PRIVATE_KEY
diff --git a/crypto/evp/CMakeLists.txt b/crypto/evp/CMakeLists.txt
index fa26cfe..6e69a82 100644
--- a/crypto/evp/CMakeLists.txt
+++ b/crypto/evp/CMakeLists.txt
@@ -12,6 +12,7 @@
p_dsa_asn1.c
p_ec.c
p_ec_asn1.c
+ p_ed25519.c
p_ed25519_asn1.c
p_rsa.c
p_rsa_asn1.c
diff --git a/crypto/evp/evp_ctx.c b/crypto/evp/evp_ctx.c
index 0ccee36..3108cfb 100644
--- a/crypto/evp/evp_ctx.c
+++ b/crypto/evp/evp_ctx.c
@@ -69,6 +69,7 @@
static const EVP_PKEY_METHOD *const evp_methods[] = {
&rsa_pkey_meth,
&ec_pkey_meth,
+ &ed25519_pkey_meth,
};
static const EVP_PKEY_METHOD *evp_pkey_meth_find(int type) {
@@ -212,7 +213,8 @@
}
int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx) {
- if (!ctx || !ctx->pmeth || !ctx->pmeth->sign) {
+ if (ctx == NULL || ctx->pmeth == NULL ||
+ (ctx->pmeth->sign == NULL && ctx->pmeth->sign_message == NULL)) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return 0;
}
@@ -250,7 +252,8 @@
int EVP_PKEY_sign_message(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *sig_len,
const uint8_t *data, size_t data_len) {
- if (!ctx || !ctx->pmeth || !ctx->pmeth->sign) {
+ if (ctx == NULL || ctx->pmeth == NULL ||
+ (ctx->pmeth->sign == NULL && ctx->pmeth->sign_message == NULL)) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return 0;
}
@@ -259,6 +262,10 @@
return 0;
}
+ if (ctx->pmeth->sign_message != NULL) {
+ return ctx->pmeth->sign_message(ctx, sig, sig_len, data, data_len);
+ }
+
/* Don't bother digesting if we are only sampling the length. */
if (sig == NULL) {
*sig_len = EVP_PKEY_size(EVP_PKEY_CTX_get0_pkey(ctx));
@@ -274,7 +281,8 @@
}
int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx) {
- if (!ctx || !ctx->pmeth || !ctx->pmeth->verify) {
+ if (ctx == NULL || ctx->pmeth == NULL ||
+ (ctx->pmeth->verify == NULL && ctx->pmeth->verify_message == NULL)) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return 0;
}
@@ -298,7 +306,8 @@
int EVP_PKEY_verify_message(EVP_PKEY_CTX *ctx, const uint8_t *sig,
size_t sig_len, const uint8_t *data,
size_t data_len) {
- if (!ctx || !ctx->pmeth || !ctx->pmeth->verify) {
+ if (ctx == NULL || ctx->pmeth == NULL ||
+ (ctx->pmeth->verify == NULL && ctx->pmeth->verify_message == NULL)) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return 0;
}
@@ -307,6 +316,10 @@
return 0;
}
+ if (ctx->pmeth->verify_message != NULL) {
+ return ctx->pmeth->verify_message(ctx, sig, sig_len, data, data_len);
+ }
+
uint8_t digest[EVP_MAX_MD_SIZE];
unsigned digest_len;
const EVP_MD *md = get_signature_md(ctx);
diff --git a/crypto/evp/evp_tests.txt b/crypto/evp/evp_tests.txt
index 6fb15fa..731b747 100644
--- a/crypto/evp/evp_tests.txt
+++ b/crypto/evp/evp_tests.txt
@@ -1335,3 +1335,47 @@
Input = "Hello world"
Output = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1
Error = NO_DEFAULT_DIGEST
+
+SignMessage = Ed25519
+Input = ""
+Output = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b
+
+SignMessage = Ed25519-SPKI
+Input = ""
+Error = NOT_A_PRIVATE_KEY
+
+VerifyMessage = Ed25519
+Input = ""
+Output = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b
+
+VerifyMessage = Ed25519-SPKI
+Input = ""
+Output = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b
+
+# Length is wrong.
+VerifyMessage = Ed25519-SPKI
+Input = ""
+Output = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a10
+Error = INVALID_SIGNATURE
+
+# Message is wrong.
+VerifyMessage = Ed25519-SPKI
+Input = "Hello world"
+Output = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b
+Error = INVALID_SIGNATURE
+
+# Ed25519 does not support configuring a digest.
+SignMessage = Ed25519
+Input = ""
+Digest = SHA256
+Error = COMMAND_NOT_SUPPORTED
+
+# Ed25519 does not support signing a pre-hashed value.
+Sign = Ed25519
+Input = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+Error = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
+
+Verify = Ed25519
+Input = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+Output = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b
+Error = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
diff --git a/crypto/evp/internal.h b/crypto/evp/internal.h
index 8971f0d..5e9aab0 100644
--- a/crypto/evp/internal.h
+++ b/crypto/evp/internal.h
@@ -164,7 +164,7 @@
#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 3)
#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 4)
#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 5)
-#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 6)
+#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 6)
#define EVP_PKEY_CTRL_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 7)
#define EVP_PKEY_CTRL_GET_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 8)
#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 9)
@@ -199,9 +199,15 @@
int (*sign)(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
const uint8_t *tbs, size_t tbslen);
+ int (*sign_message)(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
+ const uint8_t *tbs, size_t tbslen);
+
int (*verify)(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen,
const uint8_t *tbs, size_t tbslen);
+ int (*verify_message)(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen,
+ const uint8_t *tbs, size_t tbslen);
+
int (*verify_recover)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len,
const uint8_t *sig, size_t sig_len);
@@ -216,6 +222,19 @@
int (*ctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
} /* EVP_PKEY_METHOD */;
+typedef struct {
+ union {
+ uint8_t priv[64];
+ struct {
+ /* Shift the location of the public key to align with where it is in the
+ * private key representation. */
+ uint8_t pad[32];
+ uint8_t value[32];
+ } pub;
+ } key;
+ char has_private;
+} ED25519_KEY;
+
extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD ec_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meth;
@@ -223,6 +242,7 @@
extern const EVP_PKEY_METHOD rsa_pkey_meth;
extern const EVP_PKEY_METHOD ec_pkey_meth;
+extern const EVP_PKEY_METHOD ed25519_pkey_meth;
#if defined(__cplusplus)
diff --git a/crypto/evp/p_ec.c b/crypto/evp/p_ec.c
index dc1ea6f..c5692e5 100644
--- a/crypto/evp/p_ec.c
+++ b/crypto/evp/p_ec.c
@@ -228,10 +228,12 @@
pkey_ec_cleanup,
pkey_ec_keygen,
pkey_ec_sign,
+ NULL /* sign_message */,
pkey_ec_verify,
- 0 /* verify_recover */,
- 0 /* encrypt */,
- 0 /* decrypt */,
+ NULL /* verify_message */,
+ NULL /* verify_recover */,
+ NULL /* encrypt */,
+ NULL /* decrypt */,
pkey_ec_derive,
pkey_ec_ctrl,
};
diff --git a/crypto/evp/p_ed25519.c b/crypto/evp/p_ed25519.c
new file mode 100644
index 0000000..0722624
--- /dev/null
+++ b/crypto/evp/p_ed25519.c
@@ -0,0 +1,71 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/evp.h>
+
+#include <openssl/curve25519.h>
+#include <openssl/err.h>
+
+#include "internal.h"
+
+
+/* Ed25519 has no parameters to copy. */
+static int pkey_ed25519_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { return 1; }
+
+static int pkey_ed25519_sign_message(EVP_PKEY_CTX *ctx, uint8_t *sig,
+ size_t *siglen, const uint8_t *tbs,
+ size_t tbslen) {
+ ED25519_KEY *key = ctx->pkey->pkey.ptr;
+ if (!key->has_private) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);
+ return 0;
+ }
+
+ *siglen = 64;
+ if (sig == NULL) {
+ return 1;
+ }
+
+ return ED25519_sign(sig, tbs, tbslen, key->key.priv);
+}
+
+static int pkey_ed25519_verify_message(EVP_PKEY_CTX *ctx, const uint8_t *sig,
+ size_t siglen, const uint8_t *tbs,
+ size_t tbslen) {
+ ED25519_KEY *key = ctx->pkey->pkey.ptr;
+ if (siglen != 64 ||
+ !ED25519_verify(tbs, tbslen, sig, key->key.pub.value)) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_SIGNATURE);
+ return 0;
+ }
+
+ return 1;
+}
+
+const EVP_PKEY_METHOD ed25519_pkey_meth = {
+ EVP_PKEY_ED25519,
+ NULL /* init */,
+ pkey_ed25519_copy,
+ NULL /* cleanup */,
+ NULL /* keygen */,
+ NULL /* sign */,
+ pkey_ed25519_sign_message,
+ NULL /* verify */,
+ pkey_ed25519_verify_message,
+ NULL /* verify_recover */,
+ NULL /* encrypt */,
+ NULL /* decrypt */,
+ NULL /* derive */,
+ NULL /* ctrl */,
+};
diff --git a/crypto/evp/p_ed25519_asn1.c b/crypto/evp/p_ed25519_asn1.c
index a4fcfcc..8cb359e 100644
--- a/crypto/evp/p_ed25519_asn1.c
+++ b/crypto/evp/p_ed25519_asn1.c
@@ -23,19 +23,6 @@
#include "../internal.h"
-typedef struct {
- union {
- uint8_t priv[64];
- struct {
- /* Shift the location of the public key to align with where it is in the
- * private key representation. */
- uint8_t pad[32];
- uint8_t value[32];
- } pub;
- } key;
- char has_private;
-} ED25519_KEY;
-
static void ed25519_free(EVP_PKEY *pkey) {
if (pkey->pkey.ptr != NULL) {
ED25519_KEY *key = pkey->pkey.ptr;
diff --git a/crypto/evp/p_rsa.c b/crypto/evp/p_rsa.c
index 6b25fa2..3b674cd 100644
--- a/crypto/evp/p_rsa.c
+++ b/crypto/evp/p_rsa.c
@@ -583,7 +583,9 @@
pkey_rsa_cleanup,
pkey_rsa_keygen,
pkey_rsa_sign,
+ NULL /* sign_message */,
pkey_rsa_verify,
+ NULL /* verify_message */,
pkey_rsa_verify_recover,
pkey_rsa_encrypt,
pkey_rsa_decrypt,
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 4ff8412..cb2731e 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -841,5 +841,6 @@
#define EVP_R_UNSUPPORTED_ALGORITHM 128
#define EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE 129
#define EVP_R_NOT_A_PRIVATE_KEY 130
+#define EVP_R_INVALID_SIGNATURE 131
#endif /* OPENSSL_HEADER_EVP_H */
