Put X25519 behind P256

Option to have X25519 prioritized. Show curve name and DH key size in TLS v1.3.
2017-05-19 10:58:43 +10:00
parent 63a6618feb
commit 5ef977aa3d
3 changed files with 67 additions and 28 deletions
--- a/examples/client/client.c
+++ b/examples/client/client.c
@ -628,6 +628,9 @@ static void Usage(void)
 #ifdef HAVE_ECC
    printf("-Y          Key Share with ECC named groups only\n");
 #endif
+#ifdef HAVE_CURVE25519
+    printf("-t          Use X25519 for key exchange\n");
+#endif
 #endif /* WOLFSSL_TLS13 */
 }

@ -732,6 +735,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    int    useOcsp  = 0;
    char*  ocspUrl  = NULL;
 #endif
+#ifdef HAVE_CURVE25519
+    int useX25519 = 0;
+#endif

 #ifdef HAVE_WNR
    const char* wnrConfigFile = wnrConfig;
@ -771,7 +777,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #ifndef WOLFSSL_VXWORKS
    /* Not used: t, Q */
    while ((ch = mygetopt(argc, argv, "?"
-            "ab:c:defgh:ijk:l:mnop:q:rsuv:wxyz"
+            "ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz"
            "A:B:CDE:F:GHIJKL:M:NO:PRS:TUVW:XYZ:")) != -1) {
        switch (ch) {
            case '?' :
@ -1076,6 +1082,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                useVerifyCb = 1;
                break;

+            case 't' :
+                #ifdef HAVE_CURVE25519
+                    useX25519 = 1;
+                #endif
+                break;
+
            default:
                Usage();
                exit(MY_EX_USAGE);
@ -1493,16 +1505,20 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    wolfSSL_KeepArrays(ssl);
    #endif

+    #ifdef HAVE_CURVE25519
+    if (useX25519)
+        wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_X25519);
+    #endif
+
    #ifdef WOLFSSL_TLS13
    if (!helloRetry) {
-        if (onlyKeyShare == 0 || onlyKeyShare == 1) {
-        #ifdef HAVE_FFDHE_2048
-            if (wolfSSL_UseKeyShare(ssl, WOLFSSL_FFDHE_2048) != SSL_SUCCESS) {
-                err_sys("unable to use DH 2048-bit parameters");
-            }
-        #endif
-        }
        if (onlyKeyShare == 0 || onlyKeyShare == 2) {
+            if (useX25519) {
+                if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519)
+                        != SSL_SUCCESS) {
+                    err_sys("unable to use curve secp256r1");
+                }
+            }
            if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_SECP256R1)
                    != SSL_SUCCESS) {
                err_sys("unable to use curve secp256r1");
@ -1512,6 +1528,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                err_sys("unable to use curve secp384r1");
            }
        }
+        if (onlyKeyShare == 0 || onlyKeyShare == 1) {
+        #ifdef HAVE_FFDHE_2048
+            if (wolfSSL_UseKeyShare(ssl, WOLFSSL_FFDHE_2048) != SSL_SUCCESS) {
+                err_sys("unable to use DH 2048-bit parameters");
+            }
+        #endif
+        }
    }
    else {
        wolfSSL_NoKeyShares(ssl);
@ -1920,12 +1943,17 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                                    (void*)"resumed session");
 #endif

+#ifdef HAVE_CURVE25519
+    if (useX25519)
+        wolfSSL_UseSupportedCurve(sslResume, WOLFSSL_ECC_X25519);
+#endif
+
    #ifdef WOLFSSL_TLS13
-        #ifdef HAVE_FFDHE_2048
-        if (wolfSSL_UseKeyShare(sslResume, WOLFSSL_FFDHE_2048) != SSL_SUCCESS) {
-            err_sys("unable to use DH 2048-bit parameters");
+        if (useX25519) {
+            if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) != SSL_SUCCESS) {
+                err_sys("unable to use curve secp256r1");
+            }
        }
-        #endif
        if (wolfSSL_UseKeyShare(sslResume,
                                WOLFSSL_ECC_SECP256R1) != SSL_SUCCESS) {
            err_sys("unable to use curve secp256r1");
@ -1934,6 +1962,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                                WOLFSSL_ECC_SECP384R1) != SSL_SUCCESS) {
            err_sys("unable to use curve secp384r1");
        }
+        #ifdef HAVE_FFDHE_2048
+        if (wolfSSL_UseKeyShare(sslResume, WOLFSSL_FFDHE_2048) != SSL_SUCCESS) {
+            err_sys("unable to use DH 2048-bit parameters");
+        }
+        #endif
    #endif

 #ifndef WOLFSSL_CALLBACKS
--- a/src/ssl.c
+++ b/src/ssl.c
@ -1598,6 +1598,7 @@ int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name)
        case WOLFSSL_ECC_BRAINPOOLP256R1:
        case WOLFSSL_ECC_BRAINPOOLP384R1:
        case WOLFSSL_ECC_BRAINPOOLP512R1:
+        case WOLFSSL_ECC_X25519:
            break;

 #ifdef WOLFSSL_TLS13
@ -14229,7 +14230,7 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl)
 {
    if (ssl == NULL)
        return NULL;
-    if (ssl->specs.kea != ecdhe_psk_kea &&
+    if (!IsAtLeastTLSv1_3(ssl->version) && ssl->specs.kea != ecdhe_psk_kea &&
            ssl->specs.kea != ecc_diffie_hellman_kea)
        return NULL;
    if (ssl->ecdhCurveOID == 0)
--- a/src/tls.c
+++ b/src/tls.c
@ -3061,6 +3061,12 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
                octets = 32;
                break;
        #endif /* !NO_ECC_SECP */
+        #ifdef HAVE_CURVE25519
+            case WOLFSSL_ECC_X25519:
+                oid = ECC_X25519_OID;
+                octets = 32;
+                break;
+        #endif /* HAVE_CURVE25519 */
        #ifdef HAVE_ECC_KOBLITZ
            case WOLFSSL_ECC_SECP256K1:
                oid = ECC_SECP256K1_OID;
@ -3073,12 +3079,6 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
                octets = 32;
                break;
        #endif /* HAVE_ECC_BRAINPOOL */
-        #ifdef HAVE_CURVE25519
-            case WOLFSSL_ECC_X25519:
-                oid = ECC_X25519_OID;
-                octets = 32;
-                break;
-        #endif /* HAVE_ECC_BRAINPOOL */
    #endif
    #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
        #ifndef NO_ECC_SECP
@ -5083,6 +5083,7 @@ static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)

    if (params->p_len != keyShareEntry->keLen)
        return BUFFER_ERROR;
+    ssl->options.dhKeySz = params->p_len;

    /* TODO: [TLS13] move this check down into wolfcrypt. */
    /* Check that public DH key is not 0 or 1. */
@ -5221,6 +5222,7 @@ static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
                    EC25519_LITTLE_ENDIAN);
                wc_curve25519_free(peerEccKey);
                XFREE(peerEccKey, ssl->heap, DYNAMIC_TYPE_TLSX);
+                ssl->ecdhCurveOID = ECC_X25519_OID;
                return ret;
            }
    #endif
@ -5244,6 +5246,7 @@ static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
                              ssl->peerEccKey, curveId) != 0) {
        return ECC_PEERKEY_ERROR;
    }
+    ssl->ecdhCurveOID = ssl->peerEccKey->dp->oidSum;

    ssl->arrays->preMasterSz = ENCRYPT_LEN;
    do {
@ -5607,6 +5610,10 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
            break;
        #endif /* !NO_ECC_SECP */
    #endif
+    #ifdef HAVE_CURVE25519
+        case WOLFSSL_ECC_X25519:
+            break;
+    #endif
    #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP384R1:
@ -5619,10 +5626,6 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
            break;
        #endif /* !NO_ECC_SECP */
    #endif
-    #ifdef HAVE_CURVE25519
-        case WOLFSSL_ECC_X25519:
-            break;
-    #endif
    #ifdef HAVE_X448
        case WOLFSSL_ECC_X448:
            break;
@ -7033,16 +7036,16 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
            #endif
        #endif
        #if !defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)
-            #ifdef HAVE_CURVE25519
-                ret = TLSX_UseSupportedCurve(&ssl->extensions,
-                                        WOLFSSL_ECC_X25519, ssl->heap);
-                if (ret != SSL_SUCCESS) return ret;
-            #endif
            #ifndef NO_ECC_SECP
                ret = TLSX_UseSupportedCurve(&ssl->extensions,
                                              WOLFSSL_ECC_SECP256R1, ssl->heap);
                if (ret != SSL_SUCCESS) return ret;
            #endif
+            #ifdef HAVE_CURVE25519
+                ret = TLSX_UseSupportedCurve(&ssl->extensions,
+                                        WOLFSSL_ECC_X25519, ssl->heap);
+                if (ret != SSL_SUCCESS) return ret;
+            #endif
            #ifdef HAVE_ECC_KOBLITZ
                ret = TLSX_UseSupportedCurve(&ssl->extensions,
                                              WOLFSSL_ECC_SECP256K1, ssl->heap);
@ -7135,6 +7138,8 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
        !defined(NO_ECC_SECP)
                ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP256R1, 0, NULL,
                                        NULL);
+    #elif defined(HAVE_CURVE25519)
+                ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_X25519, 0, NULL, NULL);
    #elif (!defined(NO_ECC384)  || defined(HAVE_ALL_CURVES)) && \
          !defined(NO_ECC_SECP)
                ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP384R1, 0, NULL,