1 /* $OpenBSD: ssh-ecdsa.c,v 1.25 2022/10/28 00:44:44 djm Exp $ */ 2 /* 3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2010 Damien Miller. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include "includes.h" 28 29 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 30 31 #include <sys/types.h> 32 33 #include <openssl/bn.h> 34 #include <openssl/ec.h> 35 #include <openssl/ecdsa.h> 36 #include <openssl/evp.h> 37 38 #include <string.h> 39 40 #include "sshbuf.h" 41 #include "ssherr.h" 42 #include "digest.h" 43 #define SSHKEY_INTERNAL 44 #include "sshkey.h" 45 46 #include "openbsd-compat/openssl-compat.h" 47 48 static u_int 49 ssh_ecdsa_size(const struct sshkey *key) 50 { 51 switch (key->ecdsa_nid) { 52 case NID_X9_62_prime256v1: 53 return 256; 54 case NID_secp384r1: 55 return 384; 56 #ifdef OPENSSL_HAS_NISTP521 57 case NID_secp521r1: 58 return 521; 59 #endif 60 default: 61 return 0; 62 } 63 } 64 65 static void 66 ssh_ecdsa_cleanup(struct sshkey *k) 67 { 68 EC_KEY_free(k->ecdsa); 69 k->ecdsa = NULL; 70 } 71 72 static int 73 ssh_ecdsa_equal(const struct sshkey *a, const struct sshkey *b) 74 { 75 const EC_GROUP *grp_a, *grp_b; 76 const EC_POINT *pub_a, *pub_b; 77 78 if (a->ecdsa == NULL || b->ecdsa == NULL) 79 return 0; 80 if ((grp_a = EC_KEY_get0_group(a->ecdsa)) == NULL || 81 (grp_b = EC_KEY_get0_group(b->ecdsa)) == NULL) 82 return 0; 83 if ((pub_a = EC_KEY_get0_public_key(a->ecdsa)) == NULL || 84 (pub_b = EC_KEY_get0_public_key(b->ecdsa)) == NULL) 85 return 0; 86 if (EC_GROUP_cmp(grp_a, grp_b, NULL) != 0) 87 return 0; 88 if (EC_POINT_cmp(grp_a, pub_a, pub_b, NULL) != 0) 89 return 0; 90 91 return 1; 92 } 93 94 static int 95 ssh_ecdsa_serialize_public(const struct sshkey *key, struct sshbuf *b, 96 enum sshkey_serialize_rep opts) 97 { 98 int r; 99 100 if (key->ecdsa == NULL) 101 return SSH_ERR_INVALID_ARGUMENT; 102 if ((r = sshbuf_put_cstring(b, 103 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 104 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0) 105 return r; 106 107 return 0; 108 } 109 110 static int 111 ssh_ecdsa_serialize_private(const struct sshkey *key, struct sshbuf *b, 112 enum sshkey_serialize_rep opts) 113 { 114 int r; 115 116 if (!sshkey_is_cert(key)) { 117 if ((r = ssh_ecdsa_serialize_public(key, b, opts)) != 0) 118 return r; 119 } 120 if ((r = sshbuf_put_bignum2(b, 121 EC_KEY_get0_private_key(key->ecdsa))) != 0) 122 return r; 123 return 0; 124 } 125 126 static int 127 ssh_ecdsa_generate(struct sshkey *k, int bits) 128 { 129 EC_KEY *private; 130 131 if ((k->ecdsa_nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 132 return SSH_ERR_KEY_LENGTH; 133 if ((private = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL) 134 return SSH_ERR_ALLOC_FAIL; 135 if (EC_KEY_generate_key(private) != 1) { 136 EC_KEY_free(private); 137 return SSH_ERR_LIBCRYPTO_ERROR; 138 } 139 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 140 k->ecdsa = private; 141 return 0; 142 } 143 144 static int 145 ssh_ecdsa_copy_public(const struct sshkey *from, struct sshkey *to) 146 { 147 to->ecdsa_nid = from->ecdsa_nid; 148 if ((to->ecdsa = EC_KEY_new_by_curve_name(from->ecdsa_nid)) == NULL) 149 return SSH_ERR_ALLOC_FAIL; 150 if (EC_KEY_set_public_key(to->ecdsa, 151 EC_KEY_get0_public_key(from->ecdsa)) != 1) 152 return SSH_ERR_LIBCRYPTO_ERROR; /* caller will free k->ecdsa */ 153 return 0; 154 } 155 156 static int 157 ssh_ecdsa_deserialize_public(const char *ktype, struct sshbuf *b, 158 struct sshkey *key) 159 { 160 int r; 161 char *curve = NULL; 162 163 if ((key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype)) == -1) 164 return SSH_ERR_INVALID_ARGUMENT; 165 if ((r = sshbuf_get_cstring(b, &curve, NULL)) != 0) 166 goto out; 167 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 168 r = SSH_ERR_EC_CURVE_MISMATCH; 169 goto out; 170 } 171 EC_KEY_free(key->ecdsa); 172 key->ecdsa = NULL; 173 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL) { 174 r = SSH_ERR_LIBCRYPTO_ERROR; 175 goto out; 176 } 177 if ((r = sshbuf_get_eckey(b, key->ecdsa)) != 0) 178 goto out; 179 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 180 EC_KEY_get0_public_key(key->ecdsa)) != 0) { 181 r = SSH_ERR_KEY_INVALID_EC_VALUE; 182 goto out; 183 } 184 /* success */ 185 r = 0; 186 #ifdef DEBUG_PK 187 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), 188 EC_KEY_get0_public_key(key->ecdsa)); 189 #endif 190 out: 191 free(curve); 192 if (r != 0) { 193 EC_KEY_free(key->ecdsa); 194 key->ecdsa = NULL; 195 } 196 return r; 197 } 198 199 static int 200 ssh_ecdsa_deserialize_private(const char *ktype, struct sshbuf *b, 201 struct sshkey *key) 202 { 203 int r; 204 BIGNUM *exponent = NULL; 205 206 if (!sshkey_is_cert(key)) { 207 if ((r = ssh_ecdsa_deserialize_public(ktype, b, key)) != 0) 208 return r; 209 } 210 if ((r = sshbuf_get_bignum2(b, &exponent)) != 0) 211 goto out; 212 if (EC_KEY_set_private_key(key->ecdsa, exponent) != 1) { 213 r = SSH_ERR_LIBCRYPTO_ERROR; 214 goto out; 215 } 216 if ((r = sshkey_ec_validate_private(key->ecdsa)) != 0) 217 goto out; 218 /* success */ 219 r = 0; 220 out: 221 BN_clear_free(exponent); 222 return r; 223 } 224 225 /* ARGSUSED */ 226 static int 227 ssh_ecdsa_sign(struct sshkey *key, 228 u_char **sigp, size_t *lenp, 229 const u_char *data, size_t dlen, 230 const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) 231 { 232 ECDSA_SIG *esig = NULL; 233 const BIGNUM *sig_r, *sig_s; 234 int hash_alg; 235 u_char digest[SSH_DIGEST_MAX_LENGTH]; 236 size_t len, hlen; 237 struct sshbuf *b = NULL, *bb = NULL; 238 int ret = SSH_ERR_INTERNAL_ERROR; 239 240 if (lenp != NULL) 241 *lenp = 0; 242 if (sigp != NULL) 243 *sigp = NULL; 244 245 if (key == NULL || key->ecdsa == NULL || 246 sshkey_type_plain(key->type) != KEY_ECDSA) 247 return SSH_ERR_INVALID_ARGUMENT; 248 249 if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || 250 (hlen = ssh_digest_bytes(hash_alg)) == 0) 251 return SSH_ERR_INTERNAL_ERROR; 252 if ((ret = ssh_digest_memory(hash_alg, data, dlen, 253 digest, sizeof(digest))) != 0) 254 goto out; 255 256 if ((esig = ECDSA_do_sign(digest, hlen, key->ecdsa)) == NULL) { 257 ret = SSH_ERR_LIBCRYPTO_ERROR; 258 goto out; 259 } 260 261 if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) { 262 ret = SSH_ERR_ALLOC_FAIL; 263 goto out; 264 } 265 ECDSA_SIG_get0(esig, &sig_r, &sig_s); 266 if ((ret = sshbuf_put_bignum2(bb, sig_r)) != 0 || 267 (ret = sshbuf_put_bignum2(bb, sig_s)) != 0) 268 goto out; 269 if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 || 270 (ret = sshbuf_put_stringb(b, bb)) != 0) 271 goto out; 272 len = sshbuf_len(b); 273 if (sigp != NULL) { 274 if ((*sigp = malloc(len)) == NULL) { 275 ret = SSH_ERR_ALLOC_FAIL; 276 goto out; 277 } 278 memcpy(*sigp, sshbuf_ptr(b), len); 279 } 280 if (lenp != NULL) 281 *lenp = len; 282 ret = 0; 283 out: 284 explicit_bzero(digest, sizeof(digest)); 285 sshbuf_free(b); 286 sshbuf_free(bb); 287 ECDSA_SIG_free(esig); 288 return ret; 289 } 290 291 /* ARGSUSED */ 292 static int 293 ssh_ecdsa_verify(const struct sshkey *key, 294 const u_char *sig, size_t siglen, 295 const u_char *data, size_t dlen, const char *alg, u_int compat, 296 struct sshkey_sig_details **detailsp) 297 { 298 ECDSA_SIG *esig = NULL; 299 BIGNUM *sig_r = NULL, *sig_s = NULL; 300 int hash_alg; 301 u_char digest[SSH_DIGEST_MAX_LENGTH]; 302 size_t hlen; 303 int ret = SSH_ERR_INTERNAL_ERROR; 304 struct sshbuf *b = NULL, *sigbuf = NULL; 305 char *ktype = NULL; 306 307 if (key == NULL || key->ecdsa == NULL || 308 sshkey_type_plain(key->type) != KEY_ECDSA || 309 sig == NULL || siglen == 0) 310 return SSH_ERR_INVALID_ARGUMENT; 311 312 if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || 313 (hlen = ssh_digest_bytes(hash_alg)) == 0) 314 return SSH_ERR_INTERNAL_ERROR; 315 316 /* fetch signature */ 317 if ((b = sshbuf_from(sig, siglen)) == NULL) 318 return SSH_ERR_ALLOC_FAIL; 319 if (sshbuf_get_cstring(b, &ktype, NULL) != 0 || 320 sshbuf_froms(b, &sigbuf) != 0) { 321 ret = SSH_ERR_INVALID_FORMAT; 322 goto out; 323 } 324 if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) { 325 ret = SSH_ERR_KEY_TYPE_MISMATCH; 326 goto out; 327 } 328 if (sshbuf_len(b) != 0) { 329 ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; 330 goto out; 331 } 332 333 /* parse signature */ 334 if (sshbuf_get_bignum2(sigbuf, &sig_r) != 0 || 335 sshbuf_get_bignum2(sigbuf, &sig_s) != 0) { 336 ret = SSH_ERR_INVALID_FORMAT; 337 goto out; 338 } 339 if ((esig = ECDSA_SIG_new()) == NULL) { 340 ret = SSH_ERR_ALLOC_FAIL; 341 goto out; 342 } 343 if (!ECDSA_SIG_set0(esig, sig_r, sig_s)) { 344 ret = SSH_ERR_LIBCRYPTO_ERROR; 345 goto out; 346 } 347 sig_r = sig_s = NULL; /* transferred */ 348 349 if (sshbuf_len(sigbuf) != 0) { 350 ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; 351 goto out; 352 } 353 if ((ret = ssh_digest_memory(hash_alg, data, dlen, 354 digest, sizeof(digest))) != 0) 355 goto out; 356 357 switch (ECDSA_do_verify(digest, hlen, esig, key->ecdsa)) { 358 case 1: 359 ret = 0; 360 break; 361 case 0: 362 ret = SSH_ERR_SIGNATURE_INVALID; 363 goto out; 364 default: 365 ret = SSH_ERR_LIBCRYPTO_ERROR; 366 goto out; 367 } 368 369 out: 370 explicit_bzero(digest, sizeof(digest)); 371 sshbuf_free(sigbuf); 372 sshbuf_free(b); 373 ECDSA_SIG_free(esig); 374 BN_clear_free(sig_r); 375 BN_clear_free(sig_s); 376 free(ktype); 377 return ret; 378 } 379 380 /* NB. not static; used by ECDSA-SK */ 381 const struct sshkey_impl_funcs sshkey_ecdsa_funcs = { 382 /* .size = */ ssh_ecdsa_size, 383 /* .alloc = */ NULL, 384 /* .cleanup = */ ssh_ecdsa_cleanup, 385 /* .equal = */ ssh_ecdsa_equal, 386 /* .ssh_serialize_public = */ ssh_ecdsa_serialize_public, 387 /* .ssh_deserialize_public = */ ssh_ecdsa_deserialize_public, 388 /* .ssh_serialize_private = */ ssh_ecdsa_serialize_private, 389 /* .ssh_deserialize_private = */ ssh_ecdsa_deserialize_private, 390 /* .generate = */ ssh_ecdsa_generate, 391 /* .copy_public = */ ssh_ecdsa_copy_public, 392 /* .sign = */ ssh_ecdsa_sign, 393 /* .verify = */ ssh_ecdsa_verify, 394 }; 395 396 const struct sshkey_impl sshkey_ecdsa_nistp256_impl = { 397 /* .name = */ "ecdsa-sha2-nistp256", 398 /* .shortname = */ "ECDSA", 399 /* .sigalg = */ NULL, 400 /* .type = */ KEY_ECDSA, 401 /* .nid = */ NID_X9_62_prime256v1, 402 /* .cert = */ 0, 403 /* .sigonly = */ 0, 404 /* .keybits = */ 0, 405 /* .funcs = */ &sshkey_ecdsa_funcs, 406 }; 407 408 const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl = { 409 /* .name = */ "ecdsa-sha2-nistp256-cert-v01@openssh.com", 410 /* .shortname = */ "ECDSA-CERT", 411 /* .sigalg = */ NULL, 412 /* .type = */ KEY_ECDSA_CERT, 413 /* .nid = */ NID_X9_62_prime256v1, 414 /* .cert = */ 1, 415 /* .sigonly = */ 0, 416 /* .keybits = */ 0, 417 /* .funcs = */ &sshkey_ecdsa_funcs, 418 }; 419 420 const struct sshkey_impl sshkey_ecdsa_nistp384_impl = { 421 /* .name = */ "ecdsa-sha2-nistp384", 422 /* .shortname = */ "ECDSA", 423 /* .sigalg = */ NULL, 424 /* .type = */ KEY_ECDSA, 425 /* .nid = */ NID_secp384r1, 426 /* .cert = */ 0, 427 /* .sigonly = */ 0, 428 /* .keybits = */ 0, 429 /* .funcs = */ &sshkey_ecdsa_funcs, 430 }; 431 432 const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl = { 433 /* .name = */ "ecdsa-sha2-nistp384-cert-v01@openssh.com", 434 /* .shortname = */ "ECDSA-CERT", 435 /* .sigalg = */ NULL, 436 /* .type = */ KEY_ECDSA_CERT, 437 /* .nid = */ NID_secp384r1, 438 /* .cert = */ 1, 439 /* .sigonly = */ 0, 440 /* .keybits = */ 0, 441 /* .funcs = */ &sshkey_ecdsa_funcs, 442 }; 443 444 #ifdef OPENSSL_HAS_NISTP521 445 const struct sshkey_impl sshkey_ecdsa_nistp521_impl = { 446 /* .name = */ "ecdsa-sha2-nistp521", 447 /* .shortname = */ "ECDSA", 448 /* .sigalg = */ NULL, 449 /* .type = */ KEY_ECDSA, 450 /* .nid = */ NID_secp521r1, 451 /* .cert = */ 0, 452 /* .sigonly = */ 0, 453 /* .keybits = */ 0, 454 /* .funcs = */ &sshkey_ecdsa_funcs, 455 }; 456 457 const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl = { 458 /* .name = */ "ecdsa-sha2-nistp521-cert-v01@openssh.com", 459 /* .shortname = */ "ECDSA-CERT", 460 /* .sigalg = */ NULL, 461 /* .type = */ KEY_ECDSA_CERT, 462 /* .nid = */ NID_secp521r1, 463 /* .cert = */ 1, 464 /* .sigonly = */ 0, 465 /* .keybits = */ 0, 466 /* .funcs = */ &sshkey_ecdsa_funcs, 467 }; 468 #endif 469 470 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 471