1 /* $OpenBSD: ssh-ecdsa.c,v 1.27 2024/08/15 00:51:51 djm Exp $ */
2 /*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2010 Damien Miller. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27 #include "includes.h"
28
29 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
30
31 #include <sys/types.h>
32
33 #include <openssl/bn.h>
34 #include <openssl/ec.h>
35 #include <openssl/ecdsa.h>
36 #include <openssl/evp.h>
37
38 #include <string.h>
39
40 #include "sshbuf.h"
41 #include "ssherr.h"
42 #include "digest.h"
43 #define SSHKEY_INTERNAL
44 #include "sshkey.h"
45
46 #include "openbsd-compat/openssl-compat.h"
47
48 int
sshkey_ecdsa_fixup_group(EVP_PKEY * k)49 sshkey_ecdsa_fixup_group(EVP_PKEY *k)
50 {
51 int nids[] = {
52 NID_X9_62_prime256v1,
53 NID_secp384r1,
54 #ifdef OPENSSL_HAS_NISTP521
55 NID_secp521r1,
56 #endif
57 -1
58 };
59 int nid = -1;
60 u_int i;
61 const EC_GROUP *g;
62 EC_KEY *ec = NULL;
63 EC_GROUP *eg = NULL;
64
65 if ((ec = EVP_PKEY_get1_EC_KEY(k)) == NULL ||
66 (g = EC_KEY_get0_group(ec)) == NULL)
67 goto out;
68 /*
69 * The group may be stored in a ASN.1 encoded private key in one of two
70 * ways: as a "named group", which is reconstituted by ASN.1 object ID
71 * or explicit group parameters encoded into the key blob. Only the
72 * "named group" case sets the group NID for us, but we can figure
73 * it out for the other case by comparing against all the groups that
74 * are supported.
75 */
76 if ((nid = EC_GROUP_get_curve_name(g)) > 0)
77 goto out;
78 nid = -1;
79 for (i = 0; nids[i] != -1; i++) {
80 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL)
81 goto out;
82 if (EC_GROUP_cmp(g, eg, NULL) == 0)
83 break;
84 EC_GROUP_free(eg);
85 eg = NULL;
86 }
87 if (nids[i] == -1)
88 goto out;
89
90 /* Use the group with the NID attached */
91 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
92 if (EC_KEY_set_group(ec, eg) != 1 ||
93 EVP_PKEY_set1_EC_KEY(k, ec) != 1)
94 goto out;
95 /* success */
96 nid = nids[i];
97 out:
98 EC_KEY_free(ec);
99 EC_GROUP_free(eg);
100 return nid;
101 }
102
103 static u_int
ssh_ecdsa_size(const struct sshkey * key)104 ssh_ecdsa_size(const struct sshkey *key)
105 {
106 switch (key->ecdsa_nid) {
107 case NID_X9_62_prime256v1:
108 return 256;
109 case NID_secp384r1:
110 return 384;
111 #ifdef OPENSSL_HAS_NISTP521
112 case NID_secp521r1:
113 return 521;
114 #endif
115 default:
116 return 0;
117 }
118 }
119
120 static void
ssh_ecdsa_cleanup(struct sshkey * k)121 ssh_ecdsa_cleanup(struct sshkey *k)
122 {
123 EVP_PKEY_free(k->pkey);
124 k->pkey = NULL;
125 }
126
127 static int
ssh_ecdsa_equal(const struct sshkey * a,const struct sshkey * b)128 ssh_ecdsa_equal(const struct sshkey *a, const struct sshkey *b)
129 {
130 if (a->pkey == NULL || b->pkey == NULL)
131 return 0;
132 return EVP_PKEY_cmp(a->pkey, b->pkey) == 1;
133 }
134
135 static int
ssh_ecdsa_serialize_public(const struct sshkey * key,struct sshbuf * b,enum sshkey_serialize_rep opts)136 ssh_ecdsa_serialize_public(const struct sshkey *key, struct sshbuf *b,
137 enum sshkey_serialize_rep opts)
138 {
139 int r;
140
141 if (key->pkey == NULL)
142 return SSH_ERR_INVALID_ARGUMENT;
143 if ((r = sshbuf_put_cstring(b,
144 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
145 (r = sshbuf_put_ec_pkey(b, key->pkey)) != 0)
146 return r;
147
148 return 0;
149 }
150
151 static int
ssh_ecdsa_serialize_private(const struct sshkey * key,struct sshbuf * b,enum sshkey_serialize_rep opts)152 ssh_ecdsa_serialize_private(const struct sshkey *key, struct sshbuf *b,
153 enum sshkey_serialize_rep opts)
154 {
155 int r;
156
157 if (!sshkey_is_cert(key)) {
158 if ((r = ssh_ecdsa_serialize_public(key, b, opts)) != 0)
159 return r;
160 }
161 if ((r = sshbuf_put_bignum2(b,
162 EC_KEY_get0_private_key(EVP_PKEY_get0_EC_KEY(key->pkey)))) != 0)
163 return r;
164 return 0;
165 }
166
167 static int
ssh_ecdsa_generate(struct sshkey * k,int bits)168 ssh_ecdsa_generate(struct sshkey *k, int bits)
169 {
170 EVP_PKEY *res = NULL;
171 EVP_PKEY_CTX *ctx = NULL;
172 int ret = SSH_ERR_INTERNAL_ERROR;
173
174 if ((k->ecdsa_nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
175 return SSH_ERR_KEY_LENGTH;
176
177 if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL)
178 return SSH_ERR_ALLOC_FAIL;
179
180 if (EVP_PKEY_keygen_init(ctx) <= 0 ||
181 EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, k->ecdsa_nid) <= 0 ||
182 EVP_PKEY_keygen(ctx, &res) <= 0) {
183 ret = SSH_ERR_LIBCRYPTO_ERROR;
184 goto out;
185 }
186 /* success */
187 k->pkey = res;
188 res = NULL;
189 ret = 0;
190 out:
191 EVP_PKEY_free(res);
192 EVP_PKEY_CTX_free(ctx);
193 return ret;
194 }
195
196 static int
ssh_ecdsa_copy_public(const struct sshkey * from,struct sshkey * to)197 ssh_ecdsa_copy_public(const struct sshkey *from, struct sshkey *to)
198 {
199 const EC_KEY *ec_from;
200 EC_KEY *ec_to = NULL;
201 int ret = SSH_ERR_INTERNAL_ERROR;
202
203 ec_from = EVP_PKEY_get0_EC_KEY(from->pkey);
204 if (ec_from == NULL)
205 return SSH_ERR_LIBCRYPTO_ERROR;
206
207 to->ecdsa_nid = from->ecdsa_nid;
208 if ((ec_to = EC_KEY_new_by_curve_name(from->ecdsa_nid)) == NULL)
209 return SSH_ERR_ALLOC_FAIL;
210 if (EC_KEY_set_public_key(ec_to,
211 EC_KEY_get0_public_key(ec_from)) != 1) {
212 ret = SSH_ERR_LIBCRYPTO_ERROR;
213 goto out;
214 }
215 EVP_PKEY_free(to->pkey);
216 if ((to->pkey = EVP_PKEY_new()) == NULL) {
217 ret = SSH_ERR_ALLOC_FAIL;
218 goto out;
219 }
220 if (EVP_PKEY_set1_EC_KEY(to->pkey, ec_to) != 1) {
221 ret = SSH_ERR_LIBCRYPTO_ERROR;
222 goto out;
223 }
224 ret = 0;
225 out:
226 EC_KEY_free(ec_to);
227 return ret;
228 }
229
230 static int
ssh_ecdsa_deserialize_public(const char * ktype,struct sshbuf * b,struct sshkey * key)231 ssh_ecdsa_deserialize_public(const char *ktype, struct sshbuf *b,
232 struct sshkey *key)
233 {
234 int r;
235 char *curve = NULL;
236 EVP_PKEY *pkey = NULL;
237 EC_KEY *ec = NULL;
238
239 if ((key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype)) == -1)
240 return SSH_ERR_INVALID_ARGUMENT;
241 if ((r = sshbuf_get_cstring(b, &curve, NULL)) != 0)
242 goto out;
243 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
244 r = SSH_ERR_EC_CURVE_MISMATCH;
245 goto out;
246 }
247 if ((ec = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL) {
248 r = SSH_ERR_LIBCRYPTO_ERROR;
249 goto out;
250 }
251 if ((r = sshbuf_get_eckey(b, ec)) != 0)
252 goto out;
253 if (sshkey_ec_validate_public(EC_KEY_get0_group(ec),
254 EC_KEY_get0_public_key(ec)) != 0) {
255 r = SSH_ERR_KEY_INVALID_EC_VALUE;
256 goto out;
257 }
258 if ((pkey = EVP_PKEY_new()) == NULL) {
259 r = SSH_ERR_ALLOC_FAIL;
260 goto out;
261 }
262 if (EVP_PKEY_set1_EC_KEY(pkey, ec) != 1) {
263 r = SSH_ERR_LIBCRYPTO_ERROR;
264 goto out;
265 }
266 EVP_PKEY_free(key->pkey);
267 key->pkey = pkey;
268 pkey = NULL;
269 /* success */
270 r = 0;
271 #ifdef DEBUG_PK
272 sshkey_dump_ec_point(
273 EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key->pkey)),
274 EC_KEY_get0_public_key(EVP_PKEY_get0_EC_KEY(key->pkey)));
275 #endif
276 out:
277 EC_KEY_free(ec);
278 EVP_PKEY_free(pkey);
279 free(curve);
280 return r;
281 }
282
283 static int
ssh_ecdsa_deserialize_private(const char * ktype,struct sshbuf * b,struct sshkey * key)284 ssh_ecdsa_deserialize_private(const char *ktype, struct sshbuf *b,
285 struct sshkey *key)
286 {
287 int r;
288 BIGNUM *exponent = NULL;
289 EC_KEY *ec = NULL;
290
291 if (!sshkey_is_cert(key)) {
292 if ((r = ssh_ecdsa_deserialize_public(ktype, b, key)) != 0)
293 return r;
294 }
295 if ((r = sshbuf_get_bignum2(b, &exponent)) != 0)
296 goto out;
297 if ((ec = EVP_PKEY_get1_EC_KEY(key->pkey)) == NULL) {
298 r = SSH_ERR_LIBCRYPTO_ERROR;
299 goto out;
300 }
301 if (EC_KEY_set_private_key(ec, exponent) != 1) {
302 r = SSH_ERR_LIBCRYPTO_ERROR;
303 goto out;
304 }
305 if ((r = sshkey_ec_validate_private(ec)) != 0)
306 goto out;
307 if (EVP_PKEY_set1_EC_KEY(key->pkey, ec) != 1) {
308 r = SSH_ERR_LIBCRYPTO_ERROR;
309 goto out;
310 }
311 /* success */
312 r = 0;
313 out:
314 BN_clear_free(exponent);
315 EC_KEY_free(ec);
316 return r;
317 }
318
319 static int
ssh_ecdsa_sign(struct sshkey * key,u_char ** sigp,size_t * lenp,const u_char * data,size_t dlen,const char * alg,const char * sk_provider,const char * sk_pin,u_int compat)320 ssh_ecdsa_sign(struct sshkey *key,
321 u_char **sigp, size_t *lenp,
322 const u_char *data, size_t dlen,
323 const char *alg, const char *sk_provider, const char *sk_pin, u_int compat)
324 {
325 ECDSA_SIG *esig = NULL;
326 unsigned char *sigb = NULL;
327 const unsigned char *psig;
328 const BIGNUM *sig_r, *sig_s;
329 int hash_alg;
330 size_t slen = 0;
331 struct sshbuf *b = NULL, *bb = NULL;
332 int len = 0, ret = SSH_ERR_INTERNAL_ERROR;
333
334 if (lenp != NULL)
335 *lenp = 0;
336 if (sigp != NULL)
337 *sigp = NULL;
338
339 if (key == NULL || key->pkey == NULL ||
340 sshkey_type_plain(key->type) != KEY_ECDSA)
341 return SSH_ERR_INVALID_ARGUMENT;
342
343 if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
344 return SSH_ERR_INTERNAL_ERROR;
345
346 if ((ret = sshkey_pkey_digest_sign(key->pkey, hash_alg, &sigb, &slen,
347 data, dlen)) != 0)
348 goto out;
349
350 psig = sigb;
351 if ((esig = d2i_ECDSA_SIG(NULL, &psig, slen)) == NULL) {
352 ret = SSH_ERR_LIBCRYPTO_ERROR;
353 goto out;
354 }
355 if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
356 ret = SSH_ERR_ALLOC_FAIL;
357 goto out;
358 }
359 ECDSA_SIG_get0(esig, &sig_r, &sig_s);
360 if ((ret = sshbuf_put_bignum2(bb, sig_r)) != 0 ||
361 (ret = sshbuf_put_bignum2(bb, sig_s)) != 0)
362 goto out;
363 if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 ||
364 (ret = sshbuf_put_stringb(b, bb)) != 0)
365 goto out;
366 len = sshbuf_len(b);
367 if (sigp != NULL) {
368 if ((*sigp = malloc(len)) == NULL) {
369 ret = SSH_ERR_ALLOC_FAIL;
370 goto out;
371 }
372 memcpy(*sigp, sshbuf_ptr(b), len);
373 }
374 if (lenp != NULL)
375 *lenp = len;
376 ret = 0;
377 out:
378 freezero(sigb, slen);
379 sshbuf_free(b);
380 sshbuf_free(bb);
381 ECDSA_SIG_free(esig);
382 return ret;
383 }
384
385 static int
ssh_ecdsa_verify(const struct sshkey * key,const u_char * sig,size_t siglen,const u_char * data,size_t dlen,const char * alg,u_int compat,struct sshkey_sig_details ** detailsp)386 ssh_ecdsa_verify(const struct sshkey *key,
387 const u_char *sig, size_t siglen,
388 const u_char *data, size_t dlen, const char *alg, u_int compat,
389 struct sshkey_sig_details **detailsp)
390 {
391 ECDSA_SIG *esig = NULL;
392 BIGNUM *sig_r = NULL, *sig_s = NULL;
393 int hash_alg, len = 0;
394 int ret = SSH_ERR_INTERNAL_ERROR;
395 struct sshbuf *b = NULL, *sigbuf = NULL;
396 char *ktype = NULL;
397 unsigned char *sigb = NULL, *cp;
398
399 if (key == NULL || key->pkey == NULL ||
400 sshkey_type_plain(key->type) != KEY_ECDSA ||
401 sig == NULL || siglen == 0)
402 return SSH_ERR_INVALID_ARGUMENT;
403
404 if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
405 return SSH_ERR_INTERNAL_ERROR;
406
407 /* fetch signature */
408 if ((b = sshbuf_from(sig, siglen)) == NULL)
409 return SSH_ERR_ALLOC_FAIL;
410 if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
411 sshbuf_froms(b, &sigbuf) != 0) {
412 ret = SSH_ERR_INVALID_FORMAT;
413 goto out;
414 }
415 if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) {
416 ret = SSH_ERR_KEY_TYPE_MISMATCH;
417 goto out;
418 }
419 if (sshbuf_len(b) != 0) {
420 ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
421 goto out;
422 }
423
424 /* parse signature */
425 if (sshbuf_get_bignum2(sigbuf, &sig_r) != 0 ||
426 sshbuf_get_bignum2(sigbuf, &sig_s) != 0) {
427 ret = SSH_ERR_INVALID_FORMAT;
428 goto out;
429 }
430 if (sshbuf_len(sigbuf) != 0) {
431 ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
432 goto out;
433 }
434
435 if ((esig = ECDSA_SIG_new()) == NULL) {
436 ret = SSH_ERR_ALLOC_FAIL;
437 goto out;
438 }
439 if (!ECDSA_SIG_set0(esig, sig_r, sig_s)) {
440 ret = SSH_ERR_LIBCRYPTO_ERROR;
441 goto out;
442 }
443 sig_r = sig_s = NULL; /* transferred */
444
445 if ((len = i2d_ECDSA_SIG(esig, NULL)) <= 0) {
446 len = 0;
447 ret = SSH_ERR_LIBCRYPTO_ERROR;
448 goto out;
449 }
450 if ((sigb = calloc(1, len)) == NULL) {
451 ret = SSH_ERR_ALLOC_FAIL;
452 goto out;
453 }
454 cp = sigb; /* ASN1_item_i2d increments the pointer past the object */
455 if (i2d_ECDSA_SIG(esig, &cp) != len) {
456 ret = SSH_ERR_LIBCRYPTO_ERROR;
457 goto out;
458 }
459 if ((ret = sshkey_pkey_digest_verify(key->pkey, hash_alg,
460 data, dlen, sigb, len)) != 0)
461 goto out;
462 /* success */
463 out:
464 freezero(sigb, len);
465 sshbuf_free(sigbuf);
466 sshbuf_free(b);
467 ECDSA_SIG_free(esig);
468 BN_clear_free(sig_r);
469 BN_clear_free(sig_s);
470 free(ktype);
471 return ret;
472 }
473
474 /* NB. not static; used by ECDSA-SK */
475 const struct sshkey_impl_funcs sshkey_ecdsa_funcs = {
476 /* .size = */ ssh_ecdsa_size,
477 /* .alloc = */ NULL,
478 /* .cleanup = */ ssh_ecdsa_cleanup,
479 /* .equal = */ ssh_ecdsa_equal,
480 /* .ssh_serialize_public = */ ssh_ecdsa_serialize_public,
481 /* .ssh_deserialize_public = */ ssh_ecdsa_deserialize_public,
482 /* .ssh_serialize_private = */ ssh_ecdsa_serialize_private,
483 /* .ssh_deserialize_private = */ ssh_ecdsa_deserialize_private,
484 /* .generate = */ ssh_ecdsa_generate,
485 /* .copy_public = */ ssh_ecdsa_copy_public,
486 /* .sign = */ ssh_ecdsa_sign,
487 /* .verify = */ ssh_ecdsa_verify,
488 };
489
490 const struct sshkey_impl sshkey_ecdsa_nistp256_impl = {
491 /* .name = */ "ecdsa-sha2-nistp256",
492 /* .shortname = */ "ECDSA",
493 /* .sigalg = */ NULL,
494 /* .type = */ KEY_ECDSA,
495 /* .nid = */ NID_X9_62_prime256v1,
496 /* .cert = */ 0,
497 /* .sigonly = */ 0,
498 /* .keybits = */ 0,
499 /* .funcs = */ &sshkey_ecdsa_funcs,
500 };
501
502 const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl = {
503 /* .name = */ "ecdsa-sha2-nistp256-cert-v01@openssh.com",
504 /* .shortname = */ "ECDSA-CERT",
505 /* .sigalg = */ NULL,
506 /* .type = */ KEY_ECDSA_CERT,
507 /* .nid = */ NID_X9_62_prime256v1,
508 /* .cert = */ 1,
509 /* .sigonly = */ 0,
510 /* .keybits = */ 0,
511 /* .funcs = */ &sshkey_ecdsa_funcs,
512 };
513
514 const struct sshkey_impl sshkey_ecdsa_nistp384_impl = {
515 /* .name = */ "ecdsa-sha2-nistp384",
516 /* .shortname = */ "ECDSA",
517 /* .sigalg = */ NULL,
518 /* .type = */ KEY_ECDSA,
519 /* .nid = */ NID_secp384r1,
520 /* .cert = */ 0,
521 /* .sigonly = */ 0,
522 /* .keybits = */ 0,
523 /* .funcs = */ &sshkey_ecdsa_funcs,
524 };
525
526 const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl = {
527 /* .name = */ "ecdsa-sha2-nistp384-cert-v01@openssh.com",
528 /* .shortname = */ "ECDSA-CERT",
529 /* .sigalg = */ NULL,
530 /* .type = */ KEY_ECDSA_CERT,
531 /* .nid = */ NID_secp384r1,
532 /* .cert = */ 1,
533 /* .sigonly = */ 0,
534 /* .keybits = */ 0,
535 /* .funcs = */ &sshkey_ecdsa_funcs,
536 };
537
538 #ifdef OPENSSL_HAS_NISTP521
539 const struct sshkey_impl sshkey_ecdsa_nistp521_impl = {
540 /* .name = */ "ecdsa-sha2-nistp521",
541 /* .shortname = */ "ECDSA",
542 /* .sigalg = */ NULL,
543 /* .type = */ KEY_ECDSA,
544 /* .nid = */ NID_secp521r1,
545 /* .cert = */ 0,
546 /* .sigonly = */ 0,
547 /* .keybits = */ 0,
548 /* .funcs = */ &sshkey_ecdsa_funcs,
549 };
550
551 const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl = {
552 /* .name = */ "ecdsa-sha2-nistp521-cert-v01@openssh.com",
553 /* .shortname = */ "ECDSA-CERT",
554 /* .sigalg = */ NULL,
555 /* .type = */ KEY_ECDSA_CERT,
556 /* .nid = */ NID_secp521r1,
557 /* .cert = */ 1,
558 /* .sigonly = */ 0,
559 /* .keybits = */ 0,
560 /* .funcs = */ &sshkey_ecdsa_funcs,
561 };
562 #endif
563
564 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
565