Annotation of src/usr.bin/ssh/ssh-ecdsa.c, Revision 1.24
1.24 ! djm 1: /* $OpenBSD: ssh-ecdsa.c,v 1.23 2022/10/28 00:43:08 djm Exp $ */
1.1 djm 2: /*
3: * Copyright (c) 2000 Markus Friedl. All rights reserved.
4: * Copyright (c) 2010 Damien Miller. All rights reserved.
5: *
6: * Redistribution and use in source and binary forms, with or without
7: * modification, are permitted provided that the following conditions
8: * are met:
9: * 1. Redistributions of source code must retain the above copyright
10: * notice, this list of conditions and the following disclaimer.
11: * 2. Redistributions in binary form must reproduce the above copyright
12: * notice, this list of conditions and the following disclaimer in the
13: * documentation and/or other materials provided with the distribution.
14: *
15: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25: */
26:
27: #include <sys/types.h>
28:
29: #include <openssl/bn.h>
30: #include <openssl/ec.h>
31: #include <openssl/ecdsa.h>
32: #include <openssl/evp.h>
33:
34: #include <string.h>
35:
1.11 djm 36: #include "sshbuf.h"
37: #include "ssherr.h"
1.8 djm 38: #include "digest.h"
1.11 djm 39: #define SSHKEY_INTERNAL
40: #include "sshkey.h"
1.1 djm 41:
1.17 djm 42: static u_int
43: ssh_ecdsa_size(const struct sshkey *key)
44: {
45: switch (key->ecdsa_nid) {
46: case NID_X9_62_prime256v1:
47: return 256;
48: case NID_secp384r1:
49: return 384;
50: case NID_secp521r1:
51: return 521;
52: default:
53: return 0;
54: }
55: }
56:
57: static void
58: ssh_ecdsa_cleanup(struct sshkey *k)
59: {
60: EC_KEY_free(k->ecdsa);
61: k->ecdsa = NULL;
62: }
63:
1.18 djm 64: static int
65: ssh_ecdsa_equal(const struct sshkey *a, const struct sshkey *b)
66: {
67: const EC_GROUP *grp_a, *grp_b;
68: const EC_POINT *pub_a, *pub_b;
69:
70: if (a->ecdsa == NULL || b->ecdsa == NULL)
71: return 0;
72: if ((grp_a = EC_KEY_get0_group(a->ecdsa)) == NULL ||
73: (grp_b = EC_KEY_get0_group(b->ecdsa)) == NULL)
74: return 0;
75: if ((pub_a = EC_KEY_get0_public_key(a->ecdsa)) == NULL ||
76: (pub_b = EC_KEY_get0_public_key(b->ecdsa)) == NULL)
77: return 0;
78: if (EC_GROUP_cmp(grp_a, grp_b, NULL) != 0)
79: return 0;
80: if (EC_POINT_cmp(grp_a, pub_a, pub_b, NULL) != 0)
81: return 0;
1.19 djm 82:
1.18 djm 83: return 1;
84: }
85:
1.19 djm 86: static int
87: ssh_ecdsa_serialize_public(const struct sshkey *key, struct sshbuf *b,
1.22 djm 88: enum sshkey_serialize_rep opts)
1.19 djm 89: {
90: int r;
91:
92: if (key->ecdsa == NULL)
93: return SSH_ERR_INVALID_ARGUMENT;
1.22 djm 94: if ((r = sshbuf_put_cstring(b,
1.19 djm 95: sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
96: (r = sshbuf_put_eckey(b, key->ecdsa)) != 0)
97: return r;
98:
99: return 0;
100: }
101:
1.20 djm 102: static int
1.24 ! djm 103: ssh_ecdsa_serialize_private(const struct sshkey *key, struct sshbuf *b,
! 104: enum sshkey_serialize_rep opts)
! 105: {
! 106: int r;
! 107:
! 108: if (!sshkey_is_cert(key)) {
! 109: if ((r = ssh_ecdsa_serialize_public(key, b, opts)) != 0)
! 110: return r;
! 111: }
! 112: if ((r = sshbuf_put_bignum2(b,
! 113: EC_KEY_get0_private_key(key->ecdsa))) != 0)
! 114: return r;
! 115: return 0;
! 116: }
! 117:
! 118: static int
1.20 djm 119: ssh_ecdsa_generate(struct sshkey *k, int bits)
120: {
121: EC_KEY *private;
122:
123: if ((k->ecdsa_nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
124: return SSH_ERR_KEY_LENGTH;
125: if ((private = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL)
126: return SSH_ERR_ALLOC_FAIL;
127: if (EC_KEY_generate_key(private) != 1) {
128: EC_KEY_free(private);
129: return SSH_ERR_LIBCRYPTO_ERROR;
130: }
131: EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
132: k->ecdsa = private;
133: return 0;
134: }
135:
1.21 djm 136: static int
137: ssh_ecdsa_copy_public(const struct sshkey *from, struct sshkey *to)
138: {
139: to->ecdsa_nid = from->ecdsa_nid;
140: if ((to->ecdsa = EC_KEY_new_by_curve_name(from->ecdsa_nid)) == NULL)
141: return SSH_ERR_ALLOC_FAIL;
142: if (EC_KEY_set_public_key(to->ecdsa,
143: EC_KEY_get0_public_key(from->ecdsa)) != 1)
144: return SSH_ERR_LIBCRYPTO_ERROR; /* caller will free k->ecdsa */
145: return 0;
146: }
147:
1.22 djm 148: static int
149: ssh_ecdsa_deserialize_public(const char *ktype, struct sshbuf *b,
150: struct sshkey *key)
151: {
152: int ret = SSH_ERR_INTERNAL_ERROR;
153: char *curve = NULL;
154: EC_POINT *q = NULL;
155:
156: key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype);
157: if (sshbuf_get_cstring(b, &curve, NULL) != 0) {
158: ret = SSH_ERR_INVALID_FORMAT;
159: goto out;
160: }
161: if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
162: ret = SSH_ERR_EC_CURVE_MISMATCH;
163: goto out;
164: }
165: EC_KEY_free(key->ecdsa);
166: if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL) {
167: ret = SSH_ERR_EC_CURVE_INVALID;
168: goto out;
169: }
170: if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) {
171: ret = SSH_ERR_ALLOC_FAIL;
172: goto out;
173: }
174: if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) {
175: ret = SSH_ERR_INVALID_FORMAT;
176: goto out;
177: }
178: if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), q) != 0) {
179: ret = SSH_ERR_KEY_INVALID_EC_VALUE;
180: goto out;
181: }
182: if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
183: /* XXX assume it is a allocation error */
184: ret = SSH_ERR_ALLOC_FAIL;
185: goto out;
186: }
187: #ifdef DEBUG_PK
188: sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
189: #endif
190: /* success */
191: ret = 0;
192: out:
193: free(curve);
194: EC_POINT_free(q);
195: return ret;
196: }
197:
1.11 djm 198: /* ARGSUSED */
1.23 djm 199: static int
200: ssh_ecdsa_sign(struct sshkey *key,
201: u_char **sigp, size_t *lenp,
202: const u_char *data, size_t dlen,
203: const char *alg, const char *sk_provider, const char *sk_pin, u_int compat)
1.1 djm 204: {
1.23 djm 205: ECDSA_SIG *esig = NULL;
1.15 djm 206: const BIGNUM *sig_r, *sig_s;
1.8 djm 207: int hash_alg;
208: u_char digest[SSH_DIGEST_MAX_LENGTH];
1.23 djm 209: size_t len, hlen;
1.11 djm 210: struct sshbuf *b = NULL, *bb = NULL;
211: int ret = SSH_ERR_INTERNAL_ERROR;
1.1 djm 212:
1.11 djm 213: if (lenp != NULL)
214: *lenp = 0;
215: if (sigp != NULL)
216: *sigp = NULL;
217:
218: if (key == NULL || key->ecdsa == NULL ||
219: sshkey_type_plain(key->type) != KEY_ECDSA)
220: return SSH_ERR_INVALID_ARGUMENT;
221:
222: if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
1.23 djm 223: (hlen = ssh_digest_bytes(hash_alg)) == 0)
1.11 djm 224: return SSH_ERR_INTERNAL_ERROR;
1.23 djm 225: if ((ret = ssh_digest_memory(hash_alg, data, dlen,
1.11 djm 226: digest, sizeof(digest))) != 0)
227: goto out;
228:
1.23 djm 229: if ((esig = ECDSA_do_sign(digest, hlen, key->ecdsa)) == NULL) {
1.11 djm 230: ret = SSH_ERR_LIBCRYPTO_ERROR;
231: goto out;
232: }
233:
234: if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
235: ret = SSH_ERR_ALLOC_FAIL;
236: goto out;
237: }
1.23 djm 238: ECDSA_SIG_get0(esig, &sig_r, &sig_s);
1.15 djm 239: if ((ret = sshbuf_put_bignum2(bb, sig_r)) != 0 ||
240: (ret = sshbuf_put_bignum2(bb, sig_s)) != 0)
1.11 djm 241: goto out;
242: if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 ||
243: (ret = sshbuf_put_stringb(b, bb)) != 0)
244: goto out;
245: len = sshbuf_len(b);
246: if (sigp != NULL) {
247: if ((*sigp = malloc(len)) == NULL) {
248: ret = SSH_ERR_ALLOC_FAIL;
249: goto out;
250: }
251: memcpy(*sigp, sshbuf_ptr(b), len);
1.1 djm 252: }
253: if (lenp != NULL)
254: *lenp = len;
1.11 djm 255: ret = 0;
256: out:
257: explicit_bzero(digest, sizeof(digest));
1.12 mmcc 258: sshbuf_free(b);
259: sshbuf_free(bb);
1.23 djm 260: ECDSA_SIG_free(esig);
1.11 djm 261: return ret;
262: }
1.1 djm 263:
1.11 djm 264: /* ARGSUSED */
1.23 djm 265: static int
1.11 djm 266: ssh_ecdsa_verify(const struct sshkey *key,
1.23 djm 267: const u_char *sig, size_t siglen,
268: const u_char *data, size_t dlen, const char *alg, u_int compat,
269: struct sshkey_sig_details **detailsp)
1.1 djm 270: {
1.23 djm 271: ECDSA_SIG *esig = NULL;
1.15 djm 272: BIGNUM *sig_r = NULL, *sig_s = NULL;
1.8 djm 273: int hash_alg;
1.11 djm 274: u_char digest[SSH_DIGEST_MAX_LENGTH];
1.23 djm 275: size_t hlen;
1.11 djm 276: int ret = SSH_ERR_INTERNAL_ERROR;
277: struct sshbuf *b = NULL, *sigbuf = NULL;
278: char *ktype = NULL;
279:
280: if (key == NULL || key->ecdsa == NULL ||
1.13 djm 281: sshkey_type_plain(key->type) != KEY_ECDSA ||
1.23 djm 282: sig == NULL || siglen == 0)
1.11 djm 283: return SSH_ERR_INVALID_ARGUMENT;
284:
285: if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
1.23 djm 286: (hlen = ssh_digest_bytes(hash_alg)) == 0)
1.11 djm 287: return SSH_ERR_INTERNAL_ERROR;
1.7 djm 288:
1.1 djm 289: /* fetch signature */
1.23 djm 290: if ((b = sshbuf_from(sig, siglen)) == NULL)
1.11 djm 291: return SSH_ERR_ALLOC_FAIL;
292: if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
293: sshbuf_froms(b, &sigbuf) != 0) {
294: ret = SSH_ERR_INVALID_FORMAT;
295: goto out;
296: }
297: if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) {
298: ret = SSH_ERR_KEY_TYPE_MISMATCH;
299: goto out;
300: }
301: if (sshbuf_len(b) != 0) {
302: ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
303: goto out;
1.1 djm 304: }
305:
306: /* parse signature */
1.16 djm 307: if (sshbuf_get_bignum2(sigbuf, &sig_r) != 0 ||
308: sshbuf_get_bignum2(sigbuf, &sig_s) != 0) {
309: ret = SSH_ERR_INVALID_FORMAT;
1.11 djm 310: goto out;
311: }
1.23 djm 312: if ((esig = ECDSA_SIG_new()) == NULL) {
1.16 djm 313: ret = SSH_ERR_ALLOC_FAIL;
1.11 djm 314: goto out;
315: }
1.23 djm 316: if (!ECDSA_SIG_set0(esig, sig_r, sig_s)) {
1.15 djm 317: ret = SSH_ERR_LIBCRYPTO_ERROR;
318: goto out;
319: }
320: sig_r = sig_s = NULL; /* transferred */
321:
1.11 djm 322: if (sshbuf_len(sigbuf) != 0) {
323: ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
324: goto out;
325: }
1.23 djm 326: if ((ret = ssh_digest_memory(hash_alg, data, dlen,
1.11 djm 327: digest, sizeof(digest))) != 0)
328: goto out;
329:
1.23 djm 330: switch (ECDSA_do_verify(digest, hlen, esig, key->ecdsa)) {
1.11 djm 331: case 1:
332: ret = 0;
333: break;
334: case 0:
335: ret = SSH_ERR_SIGNATURE_INVALID;
336: goto out;
337: default:
338: ret = SSH_ERR_LIBCRYPTO_ERROR;
339: goto out;
1.8 djm 340: }
1.1 djm 341:
1.11 djm 342: out:
1.9 djm 343: explicit_bzero(digest, sizeof(digest));
1.12 mmcc 344: sshbuf_free(sigbuf);
345: sshbuf_free(b);
1.23 djm 346: ECDSA_SIG_free(esig);
1.15 djm 347: BN_clear_free(sig_r);
348: BN_clear_free(sig_s);
1.11 djm 349: free(ktype);
1.1 djm 350: return ret;
351: }
1.17 djm 352:
1.18 djm 353: /* NB. not static; used by ECDSA-SK */
354: const struct sshkey_impl_funcs sshkey_ecdsa_funcs = {
1.17 djm 355: /* .size = */ ssh_ecdsa_size,
356: /* .alloc = */ NULL,
357: /* .cleanup = */ ssh_ecdsa_cleanup,
1.18 djm 358: /* .equal = */ ssh_ecdsa_equal,
1.19 djm 359: /* .ssh_serialize_public = */ ssh_ecdsa_serialize_public,
1.22 djm 360: /* .ssh_deserialize_public = */ ssh_ecdsa_deserialize_public,
1.24 ! djm 361: /* .ssh_serialize_private = */ ssh_ecdsa_serialize_private,
1.20 djm 362: /* .generate = */ ssh_ecdsa_generate,
1.21 djm 363: /* .copy_public = */ ssh_ecdsa_copy_public,
1.23 djm 364: /* .sign = */ ssh_ecdsa_sign,
365: /* .verify = */ ssh_ecdsa_verify,
1.17 djm 366: };
367:
368: const struct sshkey_impl sshkey_ecdsa_nistp256_impl = {
369: /* .name = */ "ecdsa-sha2-nistp256",
370: /* .shortname = */ "ECDSA",
371: /* .sigalg = */ NULL,
372: /* .type = */ KEY_ECDSA,
373: /* .nid = */ NID_X9_62_prime256v1,
374: /* .cert = */ 0,
375: /* .sigonly = */ 0,
376: /* .keybits = */ 0,
377: /* .funcs = */ &sshkey_ecdsa_funcs,
378: };
379:
380: const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl = {
381: /* .name = */ "ecdsa-sha2-nistp256-cert-v01@openssh.com",
382: /* .shortname = */ "ECDSA-CERT",
383: /* .sigalg = */ NULL,
384: /* .type = */ KEY_ECDSA_CERT,
385: /* .nid = */ NID_X9_62_prime256v1,
386: /* .cert = */ 1,
387: /* .sigonly = */ 0,
388: /* .keybits = */ 0,
389: /* .funcs = */ &sshkey_ecdsa_funcs,
390: };
391:
392: const struct sshkey_impl sshkey_ecdsa_nistp384_impl = {
393: /* .name = */ "ecdsa-sha2-nistp384",
394: /* .shortname = */ "ECDSA",
395: /* .sigalg = */ NULL,
396: /* .type = */ KEY_ECDSA,
397: /* .nid = */ NID_secp384r1,
398: /* .cert = */ 0,
399: /* .sigonly = */ 0,
400: /* .keybits = */ 0,
401: /* .funcs = */ &sshkey_ecdsa_funcs,
402: };
403:
404: const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl = {
405: /* .name = */ "ecdsa-sha2-nistp384-cert-v01@openssh.com",
406: /* .shortname = */ "ECDSA-CERT",
407: /* .sigalg = */ NULL,
408: /* .type = */ KEY_ECDSA_CERT,
409: /* .nid = */ NID_secp384r1,
410: /* .cert = */ 1,
411: /* .sigonly = */ 0,
412: /* .keybits = */ 0,
413: /* .funcs = */ &sshkey_ecdsa_funcs,
414: };
415:
416: const struct sshkey_impl sshkey_ecdsa_nistp521_impl = {
417: /* .name = */ "ecdsa-sha2-nistp521",
418: /* .shortname = */ "ECDSA",
419: /* .sigalg = */ NULL,
420: /* .type = */ KEY_ECDSA,
421: /* .nid = */ NID_secp521r1,
422: /* .cert = */ 0,
423: /* .sigonly = */ 0,
424: /* .keybits = */ 0,
425: /* .funcs = */ &sshkey_ecdsa_funcs,
426: };
427:
428: const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl = {
429: /* .name = */ "ecdsa-sha2-nistp521-cert-v01@openssh.com",
430: /* .shortname = */ "ECDSA-CERT",
431: /* .sigalg = */ NULL,
432: /* .type = */ KEY_ECDSA_CERT,
433: /* .nid = */ NID_secp521r1,
434: /* .cert = */ 1,
435: /* .sigonly = */ 0,
436: /* .keybits = */ 0,
437: /* .funcs = */ &sshkey_ecdsa_funcs,
438: };