1 /* $OpenBSD: ssh-ecdsa.c,v 1.25 2022/10/28 00:44:44 djm Exp $ */ 2 /* 3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2010 Damien Miller. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include <sys/types.h> 28 29 #include <openssl/bn.h> 30 #include <openssl/ec.h> 31 #include <openssl/ecdsa.h> 32 #include <openssl/evp.h> 33 34 #include <string.h> 35 36 #include "sshbuf.h" 37 #include "ssherr.h" 38 #include "digest.h" 39 #define SSHKEY_INTERNAL 40 #include "sshkey.h" 41 42 static u_int 43 ssh_ecdsa_size(const struct sshkey *key) 44 { 45 switch (key->ecdsa_nid) { 46 case NID_X9_62_prime256v1: 47 return 256; 48 case NID_secp384r1: 49 return 384; 50 case NID_secp521r1: 51 return 521; 52 default: 53 return 0; 54 } 55 } 56 57 static void 58 ssh_ecdsa_cleanup(struct sshkey *k) 59 { 60 EC_KEY_free(k->ecdsa); 61 k->ecdsa = NULL; 62 } 63 64 static int 65 ssh_ecdsa_equal(const struct sshkey *a, const struct sshkey *b) 66 { 67 const EC_GROUP *grp_a, *grp_b; 68 const EC_POINT *pub_a, *pub_b; 69 70 if (a->ecdsa == NULL || b->ecdsa == NULL) 71 return 0; 72 if ((grp_a = EC_KEY_get0_group(a->ecdsa)) == NULL || 73 (grp_b = EC_KEY_get0_group(b->ecdsa)) == NULL) 74 return 0; 75 if ((pub_a = EC_KEY_get0_public_key(a->ecdsa)) == NULL || 76 (pub_b = EC_KEY_get0_public_key(b->ecdsa)) == NULL) 77 return 0; 78 if (EC_GROUP_cmp(grp_a, grp_b, NULL) != 0) 79 return 0; 80 if (EC_POINT_cmp(grp_a, pub_a, pub_b, NULL) != 0) 81 return 0; 82 83 return 1; 84 } 85 86 static int 87 ssh_ecdsa_serialize_public(const struct sshkey *key, struct sshbuf *b, 88 enum sshkey_serialize_rep opts) 89 { 90 int r; 91 92 if (key->ecdsa == NULL) 93 return SSH_ERR_INVALID_ARGUMENT; 94 if ((r = sshbuf_put_cstring(b, 95 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 96 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0) 97 return r; 98 99 return 0; 100 } 101 102 static int 103 ssh_ecdsa_serialize_private(const struct sshkey *key, struct sshbuf *b, 104 enum sshkey_serialize_rep opts) 105 { 106 int r; 107 108 if (!sshkey_is_cert(key)) { 109 if ((r = ssh_ecdsa_serialize_public(key, b, opts)) != 0) 110 return r; 111 } 112 if ((r = sshbuf_put_bignum2(b, 113 EC_KEY_get0_private_key(key->ecdsa))) != 0) 114 return r; 115 return 0; 116 } 117 118 static int 119 ssh_ecdsa_generate(struct sshkey *k, int bits) 120 { 121 EC_KEY *private; 122 123 if ((k->ecdsa_nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 124 return SSH_ERR_KEY_LENGTH; 125 if ((private = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL) 126 return SSH_ERR_ALLOC_FAIL; 127 if (EC_KEY_generate_key(private) != 1) { 128 EC_KEY_free(private); 129 return SSH_ERR_LIBCRYPTO_ERROR; 130 } 131 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 132 k->ecdsa = private; 133 return 0; 134 } 135 136 static int 137 ssh_ecdsa_copy_public(const struct sshkey *from, struct sshkey *to) 138 { 139 to->ecdsa_nid = from->ecdsa_nid; 140 if ((to->ecdsa = EC_KEY_new_by_curve_name(from->ecdsa_nid)) == NULL) 141 return SSH_ERR_ALLOC_FAIL; 142 if (EC_KEY_set_public_key(to->ecdsa, 143 EC_KEY_get0_public_key(from->ecdsa)) != 1) 144 return SSH_ERR_LIBCRYPTO_ERROR; /* caller will free k->ecdsa */ 145 return 0; 146 } 147 148 static int 149 ssh_ecdsa_deserialize_public(const char *ktype, struct sshbuf *b, 150 struct sshkey *key) 151 { 152 int r; 153 char *curve = NULL; 154 155 if ((key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype)) == -1) 156 return SSH_ERR_INVALID_ARGUMENT; 157 if ((r = sshbuf_get_cstring(b, &curve, NULL)) != 0) 158 goto out; 159 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 160 r = SSH_ERR_EC_CURVE_MISMATCH; 161 goto out; 162 } 163 EC_KEY_free(key->ecdsa); 164 key->ecdsa = NULL; 165 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL) { 166 r = SSH_ERR_LIBCRYPTO_ERROR; 167 goto out; 168 } 169 if ((r = sshbuf_get_eckey(b, key->ecdsa)) != 0) 170 goto out; 171 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 172 EC_KEY_get0_public_key(key->ecdsa)) != 0) { 173 r = SSH_ERR_KEY_INVALID_EC_VALUE; 174 goto out; 175 } 176 /* success */ 177 r = 0; 178 #ifdef DEBUG_PK 179 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), 180 EC_KEY_get0_public_key(key->ecdsa)); 181 #endif 182 out: 183 free(curve); 184 if (r != 0) { 185 EC_KEY_free(key->ecdsa); 186 key->ecdsa = NULL; 187 } 188 return r; 189 } 190 191 static int 192 ssh_ecdsa_deserialize_private(const char *ktype, struct sshbuf *b, 193 struct sshkey *key) 194 { 195 int r; 196 BIGNUM *exponent = NULL; 197 198 if (!sshkey_is_cert(key)) { 199 if ((r = ssh_ecdsa_deserialize_public(ktype, b, key)) != 0) 200 return r; 201 } 202 if ((r = sshbuf_get_bignum2(b, &exponent)) != 0) 203 goto out; 204 if (EC_KEY_set_private_key(key->ecdsa, exponent) != 1) { 205 r = SSH_ERR_LIBCRYPTO_ERROR; 206 goto out; 207 } 208 if ((r = sshkey_ec_validate_private(key->ecdsa)) != 0) 209 goto out; 210 /* success */ 211 r = 0; 212 out: 213 BN_clear_free(exponent); 214 return r; 215 } 216 217 /* ARGSUSED */ 218 static int 219 ssh_ecdsa_sign(struct sshkey *key, 220 u_char **sigp, size_t *lenp, 221 const u_char *data, size_t dlen, 222 const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) 223 { 224 ECDSA_SIG *esig = NULL; 225 const BIGNUM *sig_r, *sig_s; 226 int hash_alg; 227 u_char digest[SSH_DIGEST_MAX_LENGTH]; 228 size_t len, hlen; 229 struct sshbuf *b = NULL, *bb = NULL; 230 int ret = SSH_ERR_INTERNAL_ERROR; 231 232 if (lenp != NULL) 233 *lenp = 0; 234 if (sigp != NULL) 235 *sigp = NULL; 236 237 if (key == NULL || key->ecdsa == NULL || 238 sshkey_type_plain(key->type) != KEY_ECDSA) 239 return SSH_ERR_INVALID_ARGUMENT; 240 241 if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || 242 (hlen = ssh_digest_bytes(hash_alg)) == 0) 243 return SSH_ERR_INTERNAL_ERROR; 244 if ((ret = ssh_digest_memory(hash_alg, data, dlen, 245 digest, sizeof(digest))) != 0) 246 goto out; 247 248 if ((esig = ECDSA_do_sign(digest, hlen, key->ecdsa)) == NULL) { 249 ret = SSH_ERR_LIBCRYPTO_ERROR; 250 goto out; 251 } 252 253 if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) { 254 ret = SSH_ERR_ALLOC_FAIL; 255 goto out; 256 } 257 ECDSA_SIG_get0(esig, &sig_r, &sig_s); 258 if ((ret = sshbuf_put_bignum2(bb, sig_r)) != 0 || 259 (ret = sshbuf_put_bignum2(bb, sig_s)) != 0) 260 goto out; 261 if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 || 262 (ret = sshbuf_put_stringb(b, bb)) != 0) 263 goto out; 264 len = sshbuf_len(b); 265 if (sigp != NULL) { 266 if ((*sigp = malloc(len)) == NULL) { 267 ret = SSH_ERR_ALLOC_FAIL; 268 goto out; 269 } 270 memcpy(*sigp, sshbuf_ptr(b), len); 271 } 272 if (lenp != NULL) 273 *lenp = len; 274 ret = 0; 275 out: 276 explicit_bzero(digest, sizeof(digest)); 277 sshbuf_free(b); 278 sshbuf_free(bb); 279 ECDSA_SIG_free(esig); 280 return ret; 281 } 282 283 /* ARGSUSED */ 284 static int 285 ssh_ecdsa_verify(const struct sshkey *key, 286 const u_char *sig, size_t siglen, 287 const u_char *data, size_t dlen, const char *alg, u_int compat, 288 struct sshkey_sig_details **detailsp) 289 { 290 ECDSA_SIG *esig = NULL; 291 BIGNUM *sig_r = NULL, *sig_s = NULL; 292 int hash_alg; 293 u_char digest[SSH_DIGEST_MAX_LENGTH]; 294 size_t hlen; 295 int ret = SSH_ERR_INTERNAL_ERROR; 296 struct sshbuf *b = NULL, *sigbuf = NULL; 297 char *ktype = NULL; 298 299 if (key == NULL || key->ecdsa == NULL || 300 sshkey_type_plain(key->type) != KEY_ECDSA || 301 sig == NULL || siglen == 0) 302 return SSH_ERR_INVALID_ARGUMENT; 303 304 if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || 305 (hlen = ssh_digest_bytes(hash_alg)) == 0) 306 return SSH_ERR_INTERNAL_ERROR; 307 308 /* fetch signature */ 309 if ((b = sshbuf_from(sig, siglen)) == NULL) 310 return SSH_ERR_ALLOC_FAIL; 311 if (sshbuf_get_cstring(b, &ktype, NULL) != 0 || 312 sshbuf_froms(b, &sigbuf) != 0) { 313 ret = SSH_ERR_INVALID_FORMAT; 314 goto out; 315 } 316 if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) { 317 ret = SSH_ERR_KEY_TYPE_MISMATCH; 318 goto out; 319 } 320 if (sshbuf_len(b) != 0) { 321 ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; 322 goto out; 323 } 324 325 /* parse signature */ 326 if (sshbuf_get_bignum2(sigbuf, &sig_r) != 0 || 327 sshbuf_get_bignum2(sigbuf, &sig_s) != 0) { 328 ret = SSH_ERR_INVALID_FORMAT; 329 goto out; 330 } 331 if ((esig = ECDSA_SIG_new()) == NULL) { 332 ret = SSH_ERR_ALLOC_FAIL; 333 goto out; 334 } 335 if (!ECDSA_SIG_set0(esig, sig_r, sig_s)) { 336 ret = SSH_ERR_LIBCRYPTO_ERROR; 337 goto out; 338 } 339 sig_r = sig_s = NULL; /* transferred */ 340 341 if (sshbuf_len(sigbuf) != 0) { 342 ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; 343 goto out; 344 } 345 if ((ret = ssh_digest_memory(hash_alg, data, dlen, 346 digest, sizeof(digest))) != 0) 347 goto out; 348 349 switch (ECDSA_do_verify(digest, hlen, esig, key->ecdsa)) { 350 case 1: 351 ret = 0; 352 break; 353 case 0: 354 ret = SSH_ERR_SIGNATURE_INVALID; 355 goto out; 356 default: 357 ret = SSH_ERR_LIBCRYPTO_ERROR; 358 goto out; 359 } 360 361 out: 362 explicit_bzero(digest, sizeof(digest)); 363 sshbuf_free(sigbuf); 364 sshbuf_free(b); 365 ECDSA_SIG_free(esig); 366 BN_clear_free(sig_r); 367 BN_clear_free(sig_s); 368 free(ktype); 369 return ret; 370 } 371 372 /* NB. not static; used by ECDSA-SK */ 373 const struct sshkey_impl_funcs sshkey_ecdsa_funcs = { 374 /* .size = */ ssh_ecdsa_size, 375 /* .alloc = */ NULL, 376 /* .cleanup = */ ssh_ecdsa_cleanup, 377 /* .equal = */ ssh_ecdsa_equal, 378 /* .ssh_serialize_public = */ ssh_ecdsa_serialize_public, 379 /* .ssh_deserialize_public = */ ssh_ecdsa_deserialize_public, 380 /* .ssh_serialize_private = */ ssh_ecdsa_serialize_private, 381 /* .ssh_deserialize_private = */ ssh_ecdsa_deserialize_private, 382 /* .generate = */ ssh_ecdsa_generate, 383 /* .copy_public = */ ssh_ecdsa_copy_public, 384 /* .sign = */ ssh_ecdsa_sign, 385 /* .verify = */ ssh_ecdsa_verify, 386 }; 387 388 const struct sshkey_impl sshkey_ecdsa_nistp256_impl = { 389 /* .name = */ "ecdsa-sha2-nistp256", 390 /* .shortname = */ "ECDSA", 391 /* .sigalg = */ NULL, 392 /* .type = */ KEY_ECDSA, 393 /* .nid = */ NID_X9_62_prime256v1, 394 /* .cert = */ 0, 395 /* .sigonly = */ 0, 396 /* .keybits = */ 0, 397 /* .funcs = */ &sshkey_ecdsa_funcs, 398 }; 399 400 const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl = { 401 /* .name = */ "ecdsa-sha2-nistp256-cert-v01@openssh.com", 402 /* .shortname = */ "ECDSA-CERT", 403 /* .sigalg = */ NULL, 404 /* .type = */ KEY_ECDSA_CERT, 405 /* .nid = */ NID_X9_62_prime256v1, 406 /* .cert = */ 1, 407 /* .sigonly = */ 0, 408 /* .keybits = */ 0, 409 /* .funcs = */ &sshkey_ecdsa_funcs, 410 }; 411 412 const struct sshkey_impl sshkey_ecdsa_nistp384_impl = { 413 /* .name = */ "ecdsa-sha2-nistp384", 414 /* .shortname = */ "ECDSA", 415 /* .sigalg = */ NULL, 416 /* .type = */ KEY_ECDSA, 417 /* .nid = */ NID_secp384r1, 418 /* .cert = */ 0, 419 /* .sigonly = */ 0, 420 /* .keybits = */ 0, 421 /* .funcs = */ &sshkey_ecdsa_funcs, 422 }; 423 424 const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl = { 425 /* .name = */ "ecdsa-sha2-nistp384-cert-v01@openssh.com", 426 /* .shortname = */ "ECDSA-CERT", 427 /* .sigalg = */ NULL, 428 /* .type = */ KEY_ECDSA_CERT, 429 /* .nid = */ NID_secp384r1, 430 /* .cert = */ 1, 431 /* .sigonly = */ 0, 432 /* .keybits = */ 0, 433 /* .funcs = */ &sshkey_ecdsa_funcs, 434 }; 435 436 const struct sshkey_impl sshkey_ecdsa_nistp521_impl = { 437 /* .name = */ "ecdsa-sha2-nistp521", 438 /* .shortname = */ "ECDSA", 439 /* .sigalg = */ NULL, 440 /* .type = */ KEY_ECDSA, 441 /* .nid = */ NID_secp521r1, 442 /* .cert = */ 0, 443 /* .sigonly = */ 0, 444 /* .keybits = */ 0, 445 /* .funcs = */ &sshkey_ecdsa_funcs, 446 }; 447 448 const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl = { 449 /* .name = */ "ecdsa-sha2-nistp521-cert-v01@openssh.com", 450 /* .shortname = */ "ECDSA-CERT", 451 /* .sigalg = */ NULL, 452 /* .type = */ KEY_ECDSA_CERT, 453 /* .nid = */ NID_secp521r1, 454 /* .cert = */ 1, 455 /* .sigonly = */ 0, 456 /* .keybits = */ 0, 457 /* .funcs = */ &sshkey_ecdsa_funcs, 458 }; 459