Merge branch 'openssl-25519/448'

Adds support for X25519/448 and Ed25519/448 via OpenSSL 1.1.1.

Author: tobiasbrunner

.travis.yml

@@ -38,7 +38,7 @@ env:
 matrix:
   include:
     - env: TEST=sonarcloud
-      if: type = push
+      if: type = push AND env(SONAR_TOKEN) IS present
       git:
         depth: false
       addons:
@@ -78,22 +78,13 @@ matrix:
     - env: TEST=printf-builtin LEAK_DETECTIVE=yes
     - env: TEST=printf-builtin LEAK_DETECTIVE=yes
       compiler: clang
+    # the crypto plugins are build-tested with clang via "all" above
     - env: TEST=botan
-    - env: TEST=botan
-      compiler: clang
-    - env: TEST=botan LEAK_DETECTIVE=yes
     - env: TEST=botan LEAK_DETECTIVE=yes
-      compiler: clang
-    - env: TEST=openssl
     - env: TEST=openssl
-      compiler: clang
     - env: TEST=openssl LEAK_DETECTIVE=yes
-    - env: TEST=openssl LEAK_DETECTIVE=yes
-      compiler: clang
-    - env: TEST=gcrypt
+    - env: TEST=openssl-1.0
+    - env: TEST=openssl-1.0 LEAK_DETECTIVE=yes
     - env: TEST=gcrypt
-      compiler: clang
-    - env: TEST=gcrypt LEAK_DETECTIVE=yes
     - env: TEST=gcrypt LEAK_DETECTIVE=yes
-      compiler: clang
     - env: TEST=apidoc

scripts/dh_speed.c

@@ -47,6 +47,7 @@ struct {
 	{"ecp192",			ECP_192_BIT},
 	{"ecp224",			ECP_224_BIT},
 	{"curve25519",		CURVE_25519},
+	{"curve448",		CURVE_448},
 };
 
 static void start_timing(struct timespec *start)

scripts/test.sh

@@ -11,6 +11,8 @@ build_botan()
 		return
 	fi
 
+	echo "$ build_botan()"
+
 	# if the leak detective is enabled we have to disable threading support
 	# (used for std::async) as that causes invalid frees somehow, the
 	# locking allocator causes a static leak via the first function that
@@ -43,7 +45,9 @@ build_tss2()
 		return
 	fi
 
-	# the default version of libgcrypt in Ubuntu 14.04 is too old
+	echo "$ build_tss2()"
+
+	# the default version of libgcrypt in Ubuntu 16.04 is too old
 	sudo apt-get update -qq && \
 	sudo apt-get install -qq libgcrypt20-dev &&
 	curl -L $TSS2_SRC | tar xz -C $TRAVIS_BUILD_DIR/.. &&
@@ -55,6 +59,42 @@ build_tss2()
 	cd -
 }
 
+build_openssl()
+{
+	SSL_REV=1.1.1a
+	SSL_PKG=openssl-$SSL_REV
+	SSL_DIR=$TRAVIS_BUILD_DIR/../$SSL_PKG
+	SSL_SRC=https://www.openssl.org/source/$SSL_PKG.tar.gz
+	SSL_INS=/usr/local/ssl
+	SSL_OPT="shared no-tls no-dtls no-ssl3 no-zlib no-comp no-idea no-psk no-srp
+			 no-stdio no-tests enable-rfc3779 enable-ec_nistp_64_gcc_128"
+
+	if test -d "$SSL_DIR"; then
+		return
+	fi
+
+	echo "$ build_openssl()"
+
+	curl -L $SSL_SRC | tar xz -C $TRAVIS_BUILD_DIR/.. &&
+	cd $SSL_DIR &&
+	./config --prefix=$SSL_INS --openssldir=$SSL_INS $SSL_OPT &&
+	make -j4 >/dev/null &&
+	sudo make install_sw >/dev/null &&
+	echo $SSL_INS/lib | sudo tee /etc/ld.so.conf.d/openssl-$SSL_REV.conf >/dev/null &&
+	sudo ldconfig || exit $?
+	cd -
+}
+
+use_custom_openssl()
+{
+	CFLAGS="$CFLAGS -I/usr/local/ssl/include"
+	LDFLAGS="$LDFLAGS -L/usr/local/ssl/lib"
+	export LDFLAGS
+	if test "$1" = "deps"; then
+		build_openssl
+	fi
+}
+
 if test -z $TRAVIS_BUILD_DIR; then
 	TRAVIS_BUILD_DIR=$PWD
 fi
@@ -72,9 +112,13 @@ default)
 	# should be the default, but lets make sure
 	CONFIG="--with-printf-hooks=glibc"
 	;;
-openssl)
-	CONFIG="--disable-defaults --enable-pki --enable-openssl"
+openssl*)
+	CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem"
 	DEPS="libssl-dev"
+	if test "$TEST" != "openssl-1.0"; then
+		DEPS=""
+		use_custom_openssl $1
+	fi
 	;;
 gcrypt)
 	CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-pkcs1"
@@ -119,6 +163,7 @@ all|coverage|sonarcloud)
 		build_botan
 		build_tss2
 	fi
+	use_custom_openssl $1
 	;;
 win*)
 	CONFIG="--disable-defaults --enable-svc --enable-ikev2

src/libstrongswan/plugins/curve25519/curve25519_public_key.c

@@ -49,6 +49,13 @@ METHOD(public_key_t, get_type, key_type_t,
 	return KEY_ED25519;
 }
 
+/* L = 2^252+27742317777372353535851937790883648493 in little-endian form */
+static chunk_t curve25519_order = chunk_from_chars(
+								0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
+								0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
+								0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+								0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10);
+
 METHOD(public_key_t, verify, bool,
 	private_curve25519_public_key_t *this, signature_scheme_t scheme,
 	void *params, chunk_t data, chunk_t signature)
@@ -94,6 +101,20 @@ METHOD(public_key_t, verify, bool,
 	{
 		return FALSE;
 	}
+	/* make sure 0 <= s < L, as per RFC 8032, section 5.1.7 to prevent signature
+	 * malleability.  Due to the three-bit check above (forces s < 2^253) there
+	 * is not that much room, but adding L once works with most signatures */
+	for (i = 31; ; i--)
+	{
+		if (sig[i+32] < curve25519_order.ptr[i])
+		{
+			break;
+		}
+		else if (sig[i+32] > curve25519_order.ptr[i] || i == 0)
+		{
+			return FALSE;
+		}
+	}
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
 	if (!hasher)

src/libstrongswan/plugins/openssl/Makefile.am

@@ -29,7 +29,10 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_pkcs12.c openssl_pkcs12.h \
 	openssl_rng.c openssl_rng.h \
 	openssl_hmac.c openssl_hmac.h \
-	openssl_gcm.c openssl_gcm.h
+	openssl_gcm.c openssl_gcm.h \
+	openssl_x_diffie_hellman.c openssl_x_diffie_hellman.h \
+	openssl_ed_private_key.c openssl_ed_private_key.h \
+	openssl_ed_public_key.c openssl_ed_public_key.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD  = $(OPENSSL_LIB)