commit 69522117a6a16a568512821d18394c30aa4e6de6
author David Benjamin <davidben@google.com> Tue Mar 28 15:38:29 2017 -0500
committer Adam Langley <agl@google.com> Thu Apr 06 15:30:17 2017 +0000
tree 6111e4244bff90a1df35dab3d445f9df26dc85c6
parent 0aef1686dea574045984bb2adf9bc0e3d905ad75

Support Ed25519 in TLS.

This only works at TLS 1.2 and above as, before TLS 1.2, there is no way
to advertise support for Ed25519 or negotiate the correct signature
algorithm. Add tests for this accordingly.

For now, this is disabled by default on the verifying side but may be
enabled per SSL_CTX. Notably, projects like Chromium which use an
external verifier may need changes elsewhere before they can enable it.
(On the signing side, we can assume that if the caller gave us an
Ed25519 certificate, they mean for us to use it.)

BUG=187

Change-Id: Id25b0a677dcbe205ddd26d8dbba11c04bb520756
Reviewed-on: https://boringssl-review.googlesource.com/14450
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>

ssl/t1_lib.c

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e47937d..fe038b8 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -446,7 +446,8 @@
  * BoringSSL. Once the change in Chrome has stuck and the values are finalized,
  * restore them. */
 static const uint16_t kVerifySignatureAlgorithms[] = {
-    /* Prefer SHA-256 algorithms. */
+    /* List our preferred algorithms first. */
+    SSL_SIGN_ED25519,
     SSL_SIGN_ECDSA_SECP256R1_SHA256,
 #if !defined(BORINGSSL_ANDROID_SYSTEM)
     SSL_SIGN_RSA_PSS_SHA256,
@@ -481,7 +482,8 @@
  * BoringSSL. Once the change in Chrome has stuck and the values are finalized,
  * restore them. */
 static const uint16_t kSignSignatureAlgorithms[] = {
-    /* Prefer SHA-256 algorithms. */
+    /* List our preferred algorithms first. */
+    SSL_SIGN_ED25519,
     SSL_SIGN_ECDSA_SECP256R1_SHA256,
 #if !defined(BORINGSSL_ANDROID_SYSTEM)
     SSL_SIGN_RSA_PSS_SHA256,
@@ -508,16 +510,31 @@
     SSL_SIGN_RSA_PKCS1_SHA1,
 };
 
-size_t tls12_get_verify_sigalgs(const SSL *ssl, const uint16_t **out) {
-  *out = kVerifySignatureAlgorithms;
-  return OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms);
+void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
+  ctx->ed25519_enabled = !!enabled;
+}
+
+int tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms); i++) {
+    if (kVerifySignatureAlgorithms[i] == SSL_SIGN_ED25519 &&
+        !ssl->ctx->ed25519_enabled) {
+      continue;
+    }
+    if (!CBB_add_u16(out, kVerifySignatureAlgorithms[i])) {
+      return 0;
+    }
+  }
+
+  return 1;
 }
 
 int tls12_check_peer_sigalg(SSL *ssl, int *out_alert, uint16_t sigalg) {
-  const uint16_t *verify_sigalgs;
-  size_t num_verify_sigalgs = tls12_get_verify_sigalgs(ssl, &verify_sigalgs);
-  for (size_t i = 0; i < num_verify_sigalgs; i++) {
-    if (sigalg == verify_sigalgs[i]) {
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms); i++) {
+    if (kVerifySignatureAlgorithms[i] == SSL_SIGN_ED25519 &&
+        !ssl->ctx->ed25519_enabled) {
+      continue;
+    }
+    if (sigalg == kVerifySignatureAlgorithms[i]) {
       return 1;
     }
   }
@@ -1031,23 +1048,12 @@
     return 1;
   }
 
-  const uint16_t *sigalgs;
-  const size_t num_sigalgs = tls12_get_verify_sigalgs(ssl, &sigalgs);
-
   CBB contents, sigalgs_cbb;
   if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
       !CBB_add_u16_length_prefixed(out, &contents) ||
-      !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb)) {
-    return 0;
-  }
-
-  for (size_t i = 0; i < num_sigalgs; i++) {
-    if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
-      return 0;
-    }
-  }
-
-  if (!CBB_flush(out)) {
+      !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
+      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb) ||
+      !CBB_flush(out)) {
     return 0;
   }