1 /* $OpenBSD: ssh-ed25519.c,v 1.10 2022/08/26 08:12:56 djm Exp $ */ 2 /* 3 * Copyright (c) 2013 Markus Friedl <markus@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "includes.h" 19 20 #include <sys/types.h> 21 #include <limits.h> 22 23 #include "crypto_api.h" 24 25 #include <string.h> 26 #include <stdarg.h> 27 28 #include "log.h" 29 #include "sshbuf.h" 30 #define SSHKEY_INTERNAL 31 #include "sshkey.h" 32 #include "ssherr.h" 33 #include "ssh.h" 34 35 int 36 ssh_ed25519_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, 37 const u_char *data, size_t datalen, u_int compat) 38 { 39 u_char *sig = NULL; 40 size_t slen = 0, len; 41 unsigned long long smlen; 42 int r, ret; 43 struct sshbuf *b = NULL; 44 45 if (lenp != NULL) 46 *lenp = 0; 47 if (sigp != NULL) 48 *sigp = NULL; 49 50 if (key == NULL || 51 sshkey_type_plain(key->type) != KEY_ED25519 || 52 key->ed25519_sk == NULL || 53 datalen >= INT_MAX - crypto_sign_ed25519_BYTES) 54 return SSH_ERR_INVALID_ARGUMENT; 55 smlen = slen = datalen + crypto_sign_ed25519_BYTES; 56 if ((sig = malloc(slen)) == NULL) 57 return SSH_ERR_ALLOC_FAIL; 58 59 if ((ret = crypto_sign_ed25519(sig, &smlen, data, datalen, 60 key->ed25519_sk)) != 0 || smlen <= datalen) { 61 r = SSH_ERR_INVALID_ARGUMENT; /* XXX better error? */ 62 goto out; 63 } 64 /* encode signature */ 65 if ((b = sshbuf_new()) == NULL) { 66 r = SSH_ERR_ALLOC_FAIL; 67 goto out; 68 } 69 if ((r = sshbuf_put_cstring(b, "ssh-ed25519")) != 0 || 70 (r = sshbuf_put_string(b, sig, smlen - datalen)) != 0) 71 goto out; 72 len = sshbuf_len(b); 73 if (sigp != NULL) { 74 if ((*sigp = malloc(len)) == NULL) { 75 r = SSH_ERR_ALLOC_FAIL; 76 goto out; 77 } 78 memcpy(*sigp, sshbuf_ptr(b), len); 79 } 80 if (lenp != NULL) 81 *lenp = len; 82 /* success */ 83 r = 0; 84 out: 85 sshbuf_free(b); 86 if (sig != NULL) 87 freezero(sig, slen); 88 89 return r; 90 } 91 92 int 93 ssh_ed25519_verify(const struct sshkey *key, 94 const u_char *signature, size_t signaturelen, 95 const u_char *data, size_t datalen, u_int compat) 96 { 97 struct sshbuf *b = NULL; 98 char *ktype = NULL; 99 const u_char *sigblob; 100 u_char *sm = NULL, *m = NULL; 101 size_t len; 102 unsigned long long smlen = 0, mlen = 0; 103 int r, ret; 104 105 if (key == NULL || 106 sshkey_type_plain(key->type) != KEY_ED25519 || 107 key->ed25519_pk == NULL || 108 datalen >= INT_MAX - crypto_sign_ed25519_BYTES || 109 signature == NULL || signaturelen == 0) 110 return SSH_ERR_INVALID_ARGUMENT; 111 112 if ((b = sshbuf_from(signature, signaturelen)) == NULL) 113 return SSH_ERR_ALLOC_FAIL; 114 if ((r = sshbuf_get_cstring(b, &ktype, NULL)) != 0 || 115 (r = sshbuf_get_string_direct(b, &sigblob, &len)) != 0) 116 goto out; 117 if (strcmp("ssh-ed25519", ktype) != 0) { 118 r = SSH_ERR_KEY_TYPE_MISMATCH; 119 goto out; 120 } 121 if (sshbuf_len(b) != 0) { 122 r = SSH_ERR_UNEXPECTED_TRAILING_DATA; 123 goto out; 124 } 125 if (len > crypto_sign_ed25519_BYTES) { 126 r = SSH_ERR_INVALID_FORMAT; 127 goto out; 128 } 129 if (datalen >= SIZE_MAX - len) { 130 r = SSH_ERR_INVALID_ARGUMENT; 131 goto out; 132 } 133 smlen = len + datalen; 134 mlen = smlen; 135 if ((sm = malloc(smlen)) == NULL || (m = malloc(mlen)) == NULL) { 136 r = SSH_ERR_ALLOC_FAIL; 137 goto out; 138 } 139 memcpy(sm, sigblob, len); 140 memcpy(sm+len, data, datalen); 141 if ((ret = crypto_sign_ed25519_open(m, &mlen, sm, smlen, 142 key->ed25519_pk)) != 0) { 143 debug2_f("crypto_sign_ed25519_open failed: %d", ret); 144 } 145 if (ret != 0 || mlen != datalen) { 146 r = SSH_ERR_SIGNATURE_INVALID; 147 goto out; 148 } 149 /* XXX compare 'm' and 'data' ? */ 150 /* success */ 151 r = 0; 152 out: 153 if (sm != NULL) 154 freezero(sm, smlen); 155 if (m != NULL) 156 freezero(m, smlen); /* NB mlen may be invalid if r != 0 */ 157 sshbuf_free(b); 158 free(ktype); 159 return r; 160 } 161