1 /* $OpenBSD: ssh-ecdsa.c,v 1.26 2023/03/08 04:43:12 guenther Exp $ */ 2 /* 3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2010 Damien Miller. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include <sys/types.h> 28 29 #include <openssl/bn.h> 30 #include <openssl/ec.h> 31 #include <openssl/ecdsa.h> 32 #include <openssl/evp.h> 33 34 #include <string.h> 35 36 #include "sshbuf.h" 37 #include "ssherr.h" 38 #include "digest.h" 39 #define SSHKEY_INTERNAL 40 #include "sshkey.h" 41 42 static u_int 43 ssh_ecdsa_size(const struct sshkey *key) 44 { 45 switch (key->ecdsa_nid) { 46 case NID_X9_62_prime256v1: 47 return 256; 48 case NID_secp384r1: 49 return 384; 50 case NID_secp521r1: 51 return 521; 52 default: 53 return 0; 54 } 55 } 56 57 static void 58 ssh_ecdsa_cleanup(struct sshkey *k) 59 { 60 EC_KEY_free(k->ecdsa); 61 k->ecdsa = NULL; 62 } 63 64 static int 65 ssh_ecdsa_equal(const struct sshkey *a, const struct sshkey *b) 66 { 67 const EC_GROUP *grp_a, *grp_b; 68 const EC_POINT *pub_a, *pub_b; 69 70 if (a->ecdsa == NULL || b->ecdsa == NULL) 71 return 0; 72 if ((grp_a = EC_KEY_get0_group(a->ecdsa)) == NULL || 73 (grp_b = EC_KEY_get0_group(b->ecdsa)) == NULL) 74 return 0; 75 if ((pub_a = EC_KEY_get0_public_key(a->ecdsa)) == NULL || 76 (pub_b = EC_KEY_get0_public_key(b->ecdsa)) == NULL) 77 return 0; 78 if (EC_GROUP_cmp(grp_a, grp_b, NULL) != 0) 79 return 0; 80 if (EC_POINT_cmp(grp_a, pub_a, pub_b, NULL) != 0) 81 return 0; 82 83 return 1; 84 } 85 86 static int 87 ssh_ecdsa_serialize_public(const struct sshkey *key, struct sshbuf *b, 88 enum sshkey_serialize_rep opts) 89 { 90 int r; 91 92 if (key->ecdsa == NULL) 93 return SSH_ERR_INVALID_ARGUMENT; 94 if ((r = sshbuf_put_cstring(b, 95 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 96 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0) 97 return r; 98 99 return 0; 100 } 101 102 static int 103 ssh_ecdsa_serialize_private(const struct sshkey *key, struct sshbuf *b, 104 enum sshkey_serialize_rep opts) 105 { 106 int r; 107 108 if (!sshkey_is_cert(key)) { 109 if ((r = ssh_ecdsa_serialize_public(key, b, opts)) != 0) 110 return r; 111 } 112 if ((r = sshbuf_put_bignum2(b, 113 EC_KEY_get0_private_key(key->ecdsa))) != 0) 114 return r; 115 return 0; 116 } 117 118 static int 119 ssh_ecdsa_generate(struct sshkey *k, int bits) 120 { 121 EC_KEY *private; 122 123 if ((k->ecdsa_nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 124 return SSH_ERR_KEY_LENGTH; 125 if ((private = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL) 126 return SSH_ERR_ALLOC_FAIL; 127 if (EC_KEY_generate_key(private) != 1) { 128 EC_KEY_free(private); 129 return SSH_ERR_LIBCRYPTO_ERROR; 130 } 131 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 132 k->ecdsa = private; 133 return 0; 134 } 135 136 static int 137 ssh_ecdsa_copy_public(const struct sshkey *from, struct sshkey *to) 138 { 139 to->ecdsa_nid = from->ecdsa_nid; 140 if ((to->ecdsa = EC_KEY_new_by_curve_name(from->ecdsa_nid)) == NULL) 141 return SSH_ERR_ALLOC_FAIL; 142 if (EC_KEY_set_public_key(to->ecdsa, 143 EC_KEY_get0_public_key(from->ecdsa)) != 1) 144 return SSH_ERR_LIBCRYPTO_ERROR; /* caller will free k->ecdsa */ 145 return 0; 146 } 147 148 static int 149 ssh_ecdsa_deserialize_public(const char *ktype, struct sshbuf *b, 150 struct sshkey *key) 151 { 152 int r; 153 char *curve = NULL; 154 155 if ((key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype)) == -1) 156 return SSH_ERR_INVALID_ARGUMENT; 157 if ((r = sshbuf_get_cstring(b, &curve, NULL)) != 0) 158 goto out; 159 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 160 r = SSH_ERR_EC_CURVE_MISMATCH; 161 goto out; 162 } 163 EC_KEY_free(key->ecdsa); 164 key->ecdsa = NULL; 165 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL) { 166 r = SSH_ERR_LIBCRYPTO_ERROR; 167 goto out; 168 } 169 if ((r = sshbuf_get_eckey(b, key->ecdsa)) != 0) 170 goto out; 171 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 172 EC_KEY_get0_public_key(key->ecdsa)) != 0) { 173 r = SSH_ERR_KEY_INVALID_EC_VALUE; 174 goto out; 175 } 176 /* success */ 177 r = 0; 178 #ifdef DEBUG_PK 179 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), 180 EC_KEY_get0_public_key(key->ecdsa)); 181 #endif 182 out: 183 free(curve); 184 if (r != 0) { 185 EC_KEY_free(key->ecdsa); 186 key->ecdsa = NULL; 187 } 188 return r; 189 } 190 191 static int 192 ssh_ecdsa_deserialize_private(const char *ktype, struct sshbuf *b, 193 struct sshkey *key) 194 { 195 int r; 196 BIGNUM *exponent = NULL; 197 198 if (!sshkey_is_cert(key)) { 199 if ((r = ssh_ecdsa_deserialize_public(ktype, b, key)) != 0) 200 return r; 201 } 202 if ((r = sshbuf_get_bignum2(b, &exponent)) != 0) 203 goto out; 204 if (EC_KEY_set_private_key(key->ecdsa, exponent) != 1) { 205 r = SSH_ERR_LIBCRYPTO_ERROR; 206 goto out; 207 } 208 if ((r = sshkey_ec_validate_private(key->ecdsa)) != 0) 209 goto out; 210 /* success */ 211 r = 0; 212 out: 213 BN_clear_free(exponent); 214 return r; 215 } 216 217 static int 218 ssh_ecdsa_sign(struct sshkey *key, 219 u_char **sigp, size_t *lenp, 220 const u_char *data, size_t dlen, 221 const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) 222 { 223 ECDSA_SIG *esig = NULL; 224 const BIGNUM *sig_r, *sig_s; 225 int hash_alg; 226 u_char digest[SSH_DIGEST_MAX_LENGTH]; 227 size_t len, hlen; 228 struct sshbuf *b = NULL, *bb = NULL; 229 int ret = SSH_ERR_INTERNAL_ERROR; 230 231 if (lenp != NULL) 232 *lenp = 0; 233 if (sigp != NULL) 234 *sigp = NULL; 235 236 if (key == NULL || key->ecdsa == NULL || 237 sshkey_type_plain(key->type) != KEY_ECDSA) 238 return SSH_ERR_INVALID_ARGUMENT; 239 240 if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || 241 (hlen = ssh_digest_bytes(hash_alg)) == 0) 242 return SSH_ERR_INTERNAL_ERROR; 243 if ((ret = ssh_digest_memory(hash_alg, data, dlen, 244 digest, sizeof(digest))) != 0) 245 goto out; 246 247 if ((esig = ECDSA_do_sign(digest, hlen, key->ecdsa)) == NULL) { 248 ret = SSH_ERR_LIBCRYPTO_ERROR; 249 goto out; 250 } 251 252 if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) { 253 ret = SSH_ERR_ALLOC_FAIL; 254 goto out; 255 } 256 ECDSA_SIG_get0(esig, &sig_r, &sig_s); 257 if ((ret = sshbuf_put_bignum2(bb, sig_r)) != 0 || 258 (ret = sshbuf_put_bignum2(bb, sig_s)) != 0) 259 goto out; 260 if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 || 261 (ret = sshbuf_put_stringb(b, bb)) != 0) 262 goto out; 263 len = sshbuf_len(b); 264 if (sigp != NULL) { 265 if ((*sigp = malloc(len)) == NULL) { 266 ret = SSH_ERR_ALLOC_FAIL; 267 goto out; 268 } 269 memcpy(*sigp, sshbuf_ptr(b), len); 270 } 271 if (lenp != NULL) 272 *lenp = len; 273 ret = 0; 274 out: 275 explicit_bzero(digest, sizeof(digest)); 276 sshbuf_free(b); 277 sshbuf_free(bb); 278 ECDSA_SIG_free(esig); 279 return ret; 280 } 281 282 static int 283 ssh_ecdsa_verify(const struct sshkey *key, 284 const u_char *sig, size_t siglen, 285 const u_char *data, size_t dlen, const char *alg, u_int compat, 286 struct sshkey_sig_details **detailsp) 287 { 288 ECDSA_SIG *esig = NULL; 289 BIGNUM *sig_r = NULL, *sig_s = NULL; 290 int hash_alg; 291 u_char digest[SSH_DIGEST_MAX_LENGTH]; 292 size_t hlen; 293 int ret = SSH_ERR_INTERNAL_ERROR; 294 struct sshbuf *b = NULL, *sigbuf = NULL; 295 char *ktype = NULL; 296 297 if (key == NULL || key->ecdsa == NULL || 298 sshkey_type_plain(key->type) != KEY_ECDSA || 299 sig == NULL || siglen == 0) 300 return SSH_ERR_INVALID_ARGUMENT; 301 302 if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || 303 (hlen = ssh_digest_bytes(hash_alg)) == 0) 304 return SSH_ERR_INTERNAL_ERROR; 305 306 /* fetch signature */ 307 if ((b = sshbuf_from(sig, siglen)) == NULL) 308 return SSH_ERR_ALLOC_FAIL; 309 if (sshbuf_get_cstring(b, &ktype, NULL) != 0 || 310 sshbuf_froms(b, &sigbuf) != 0) { 311 ret = SSH_ERR_INVALID_FORMAT; 312 goto out; 313 } 314 if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) { 315 ret = SSH_ERR_KEY_TYPE_MISMATCH; 316 goto out; 317 } 318 if (sshbuf_len(b) != 0) { 319 ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; 320 goto out; 321 } 322 323 /* parse signature */ 324 if (sshbuf_get_bignum2(sigbuf, &sig_r) != 0 || 325 sshbuf_get_bignum2(sigbuf, &sig_s) != 0) { 326 ret = SSH_ERR_INVALID_FORMAT; 327 goto out; 328 } 329 if ((esig = ECDSA_SIG_new()) == NULL) { 330 ret = SSH_ERR_ALLOC_FAIL; 331 goto out; 332 } 333 if (!ECDSA_SIG_set0(esig, sig_r, sig_s)) { 334 ret = SSH_ERR_LIBCRYPTO_ERROR; 335 goto out; 336 } 337 sig_r = sig_s = NULL; /* transferred */ 338 339 if (sshbuf_len(sigbuf) != 0) { 340 ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; 341 goto out; 342 } 343 if ((ret = ssh_digest_memory(hash_alg, data, dlen, 344 digest, sizeof(digest))) != 0) 345 goto out; 346 347 switch (ECDSA_do_verify(digest, hlen, esig, key->ecdsa)) { 348 case 1: 349 ret = 0; 350 break; 351 case 0: 352 ret = SSH_ERR_SIGNATURE_INVALID; 353 goto out; 354 default: 355 ret = SSH_ERR_LIBCRYPTO_ERROR; 356 goto out; 357 } 358 359 out: 360 explicit_bzero(digest, sizeof(digest)); 361 sshbuf_free(sigbuf); 362 sshbuf_free(b); 363 ECDSA_SIG_free(esig); 364 BN_clear_free(sig_r); 365 BN_clear_free(sig_s); 366 free(ktype); 367 return ret; 368 } 369 370 /* NB. not static; used by ECDSA-SK */ 371 const struct sshkey_impl_funcs sshkey_ecdsa_funcs = { 372 /* .size = */ ssh_ecdsa_size, 373 /* .alloc = */ NULL, 374 /* .cleanup = */ ssh_ecdsa_cleanup, 375 /* .equal = */ ssh_ecdsa_equal, 376 /* .ssh_serialize_public = */ ssh_ecdsa_serialize_public, 377 /* .ssh_deserialize_public = */ ssh_ecdsa_deserialize_public, 378 /* .ssh_serialize_private = */ ssh_ecdsa_serialize_private, 379 /* .ssh_deserialize_private = */ ssh_ecdsa_deserialize_private, 380 /* .generate = */ ssh_ecdsa_generate, 381 /* .copy_public = */ ssh_ecdsa_copy_public, 382 /* .sign = */ ssh_ecdsa_sign, 383 /* .verify = */ ssh_ecdsa_verify, 384 }; 385 386 const struct sshkey_impl sshkey_ecdsa_nistp256_impl = { 387 /* .name = */ "ecdsa-sha2-nistp256", 388 /* .shortname = */ "ECDSA", 389 /* .sigalg = */ NULL, 390 /* .type = */ KEY_ECDSA, 391 /* .nid = */ NID_X9_62_prime256v1, 392 /* .cert = */ 0, 393 /* .sigonly = */ 0, 394 /* .keybits = */ 0, 395 /* .funcs = */ &sshkey_ecdsa_funcs, 396 }; 397 398 const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl = { 399 /* .name = */ "ecdsa-sha2-nistp256-cert-v01@openssh.com", 400 /* .shortname = */ "ECDSA-CERT", 401 /* .sigalg = */ NULL, 402 /* .type = */ KEY_ECDSA_CERT, 403 /* .nid = */ NID_X9_62_prime256v1, 404 /* .cert = */ 1, 405 /* .sigonly = */ 0, 406 /* .keybits = */ 0, 407 /* .funcs = */ &sshkey_ecdsa_funcs, 408 }; 409 410 const struct sshkey_impl sshkey_ecdsa_nistp384_impl = { 411 /* .name = */ "ecdsa-sha2-nistp384", 412 /* .shortname = */ "ECDSA", 413 /* .sigalg = */ NULL, 414 /* .type = */ KEY_ECDSA, 415 /* .nid = */ NID_secp384r1, 416 /* .cert = */ 0, 417 /* .sigonly = */ 0, 418 /* .keybits = */ 0, 419 /* .funcs = */ &sshkey_ecdsa_funcs, 420 }; 421 422 const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl = { 423 /* .name = */ "ecdsa-sha2-nistp384-cert-v01@openssh.com", 424 /* .shortname = */ "ECDSA-CERT", 425 /* .sigalg = */ NULL, 426 /* .type = */ KEY_ECDSA_CERT, 427 /* .nid = */ NID_secp384r1, 428 /* .cert = */ 1, 429 /* .sigonly = */ 0, 430 /* .keybits = */ 0, 431 /* .funcs = */ &sshkey_ecdsa_funcs, 432 }; 433 434 const struct sshkey_impl sshkey_ecdsa_nistp521_impl = { 435 /* .name = */ "ecdsa-sha2-nistp521", 436 /* .shortname = */ "ECDSA", 437 /* .sigalg = */ NULL, 438 /* .type = */ KEY_ECDSA, 439 /* .nid = */ NID_secp521r1, 440 /* .cert = */ 0, 441 /* .sigonly = */ 0, 442 /* .keybits = */ 0, 443 /* .funcs = */ &sshkey_ecdsa_funcs, 444 }; 445 446 const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl = { 447 /* .name = */ "ecdsa-sha2-nistp521-cert-v01@openssh.com", 448 /* .shortname = */ "ECDSA-CERT", 449 /* .sigalg = */ NULL, 450 /* .type = */ KEY_ECDSA_CERT, 451 /* .nid = */ NID_secp521r1, 452 /* .cert = */ 1, 453 /* .sigonly = */ 0, 454 /* .keybits = */ 0, 455 /* .funcs = */ &sshkey_ecdsa_funcs, 456 }; 457