/src/openssh/ed25519-openssl.c

Source
/* $OpenBSD: ed25519-openssl.c,v 1.1 2025/10/30 20:49:10 djm Exp $ */
/*
 * Copyright (c) 2025 OpenSSH
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * OpenSSL-based implementation of Ed25519 crypto_sign API
 * Alternative to the internal SUPERCOP-based implementation in ed25519.c
 */

#include "includes.h"

#ifdef OPENSSL_HAS_ED25519

#include <sys/types.h>

#include <string.h>
#include <stdint.h>
#include <limits.h>

#include <openssl/evp.h>

#include "crypto_api.h"
#include "log.h"

#if crypto_sign_ed25519_SECRETKEYBYTES <= crypto_sign_ed25519_PUBLICKEYBYTES
#error "crypto_sign_ed25519_SECRETKEYBYTES < crypto_sign_ed25519_PUBLICKEYBYTES"
#endif

#define SSH_ED25519_RAW_SECRET_KEY_LEN \
    (crypto_sign_ed25519_SECRETKEYBYTES - crypto_sign_ed25519_PUBLICKEYBYTES)

int
crypto_sign_ed25519_keypair(unsigned char *pk, unsigned char *sk)
{
  EVP_PKEY_CTX *ctx = NULL;
  EVP_PKEY *pkey = NULL;
  size_t pklen, sklen;
  int ret = -1;

  if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL)) == NULL) {
    debug3_f("EVP_PKEY_CTX_new_id failed");
    goto out;
  }
  if (EVP_PKEY_keygen_init(ctx) <= 0) {
    debug3_f("EVP_PKEY_keygen_init failed");
    goto out;
  }
  if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
    debug3_f("EVP_PKEY_keygen failed");
    goto out;
  }

  /* Extract public key */
  pklen = crypto_sign_ed25519_PUBLICKEYBYTES;
  if (!EVP_PKEY_get_raw_public_key(pkey, pk, &pklen)) {
    debug3_f("EVP_PKEY_get_raw_public_key failed");
    goto out;
  }
  if (pklen != crypto_sign_ed25519_PUBLICKEYBYTES) {
    debug3_f("public key length mismatch: %zu", pklen);
    goto out;
  }

  sklen = SSH_ED25519_RAW_SECRET_KEY_LEN;
  /* Extract private key (32 bytes seed) */
  if (!EVP_PKEY_get_raw_private_key(pkey, sk, &sklen)) {
    debug3_f("EVP_PKEY_get_raw_private_key failed");
    goto out;
  }
  if (sklen != SSH_ED25519_RAW_SECRET_KEY_LEN) {
    debug3_f("private key length mismatch: %zu", sklen);
    goto out;
  }

  /* Append public key to secret key (SUPERCOP format compatibility) */
  memcpy(sk + sklen, pk, crypto_sign_ed25519_PUBLICKEYBYTES);

  ret = 0;
out:
  EVP_PKEY_free(pkey);
  EVP_PKEY_CTX_free(ctx);
  return ret;
}

int
crypto_sign_ed25519(unsigned char *sm, unsigned long long *smlen,
    const unsigned char *m, unsigned long long mlen,
    const unsigned char *sk)
{
  EVP_PKEY *pkey = NULL;
  EVP_MD_CTX *mdctx = NULL;
  size_t siglen;
  int ret = -1;

  /* Create EVP_PKEY from secret key (first 32 bytes are the seed) */
  if ((pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, NULL,
      sk, SSH_ED25519_RAW_SECRET_KEY_LEN)) == NULL) {
    debug3_f("EVP_PKEY_new_raw_private_key failed");
    goto out;
  }

  /* Sign the message */
  if ((mdctx = EVP_MD_CTX_new()) == NULL) {
    debug3_f("EVP_MD_CTX_new failed");
    goto out;
  }
  if (EVP_DigestSignInit(mdctx, NULL, NULL, NULL, pkey) != 1) {
    debug3_f("EVP_DigestSignInit failed");
    goto out;
  }
  siglen = crypto_sign_ed25519_BYTES;
  if (EVP_DigestSign(mdctx, sm, &siglen, m, mlen) != 1) {
    debug3_f("EVP_DigestSign failed");
    goto out;
  }
  if (siglen != crypto_sign_ed25519_BYTES) {
    debug3_f("signature length mismatch: %zu", siglen);
    goto out;
  }

  /* Append message after signature (SUPERCOP format) */
  if (mlen > ULLONG_MAX - siglen) {
    debug3_f("message length overflow: siglen=%zu mlen=%llu",
        siglen, mlen);
    goto out;
  }
  memmove(sm + siglen, m, mlen);
  *smlen = siglen + mlen;

  ret = 0;
out:
  EVP_MD_CTX_free(mdctx);
  EVP_PKEY_free(pkey);
  return ret;
}

int
crypto_sign_ed25519_open(unsigned char *m, unsigned long long *mlen,
    const unsigned char *sm, unsigned long long smlen,
    const unsigned char *pk)
{
  EVP_PKEY *pkey = NULL;
  EVP_MD_CTX *mdctx = NULL;
  int ret = -1;
  const unsigned char *msg;
  size_t msglen;

  if (smlen < crypto_sign_ed25519_BYTES) {
    debug3_f("signed message bad length: %llu", smlen);
    return -1;
  }
  /* Signature is first crypto_sign_ed25519_BYTES, message follows */
  msg = sm + crypto_sign_ed25519_BYTES;
  msglen = smlen - crypto_sign_ed25519_BYTES;

  /* Make sure the message buffer is big enough. */
  if (*mlen < msglen) {
    debug_f("message bad length: %llu", *mlen);
    return -1;
  }

  /* Create EVP_PKEY from public key */
  if ((pkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, NULL,
      pk, crypto_sign_ed25519_PUBLICKEYBYTES)) == NULL) {
    debug3_f("EVP_PKEY_new_raw_public_key failed");
    goto out;
  }

  if ((mdctx = EVP_MD_CTX_new()) == NULL) {
    debug3_f("EVP_MD_CTX_new failed");
    goto out;
  }
  if (EVP_DigestVerifyInit(mdctx, NULL, NULL, NULL, pkey) <= 0) {
    debug3_f("EVP_DigestVerifyInit failed");
    goto out;
  }
  if (EVP_DigestVerify(mdctx, sm, crypto_sign_ed25519_BYTES,
      msg, msglen) != 1) {
    debug3_f("EVP_DigestVerify failed");
    goto out;
  }

  /* Copy message out */
  *mlen = msglen;
  memmove(m, msg, msglen);

  ret = 0;
out:
  EVP_MD_CTX_free(mdctx);
  EVP_PKEY_free(pkey);
  return ret;
}

#endif /* OPENSSL_HAS_ED25519 */

Coverage Report

Created: 2025-11-01 07:09

Line	Count	Source
1		/* $OpenBSD: ed25519-openssl.c,v 1.1 2025/10/30 20:49:10 djm Exp $ */
2		/*
3		* Copyright (c) 2025 OpenSSH
4		*
5		* Permission to use, copy, modify, and distribute this software for any
6		* purpose with or without fee is hereby granted, provided that the above
7		* copyright notice and this permission notice appear in all copies.
8		*
9		* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10		* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11		* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12		* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13		* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14		* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15		* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16		*/
17
18		/*
19		* OpenSSL-based implementation of Ed25519 crypto_sign API
20		* Alternative to the internal SUPERCOP-based implementation in ed25519.c
21		*/
22
23		#include "includes.h"
24
25		#ifdef OPENSSL_HAS_ED25519
26
27		#include <sys/types.h>
28
29		#include <string.h>
30		#include <stdint.h>
31		#include <limits.h>
32
33		#include <openssl/evp.h>
34
35		#include "crypto_api.h"
36		#include "log.h"
37
38		#if crypto_sign_ed25519_SECRETKEYBYTES <= crypto_sign_ed25519_PUBLICKEYBYTES
39		#error "crypto_sign_ed25519_SECRETKEYBYTES < crypto_sign_ed25519_PUBLICKEYBYTES"
40		#endif
41
42		#define SSH_ED25519_RAW_SECRET_KEY_LEN \
43	0	(crypto_sign_ed25519_SECRETKEYBYTES - crypto_sign_ed25519_PUBLICKEYBYTES)
44
45		int
46		crypto_sign_ed25519_keypair(unsigned char pk, unsigned char sk)
47	0	{
48	0	EVP_PKEY_CTX *ctx = NULL;
49	0	EVP_PKEY *pkey = NULL;
50	0	size_t pklen, sklen;
51	0	int ret = -1;
52
53	0	if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL)) == NULL) {
54	0	debug3_f("EVP_PKEY_CTX_new_id failed");
55	0	goto out;
56	0	}
57	0	if (EVP_PKEY_keygen_init(ctx) <= 0) {
58	0	debug3_f("EVP_PKEY_keygen_init failed");
59	0	goto out;
60	0	}
61	0	if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
62	0	debug3_f("EVP_PKEY_keygen failed");
63	0	goto out;
64	0	}
65
66		/* Extract public key */
67	0	pklen = crypto_sign_ed25519_PUBLICKEYBYTES;
68	0	if (!EVP_PKEY_get_raw_public_key(pkey, pk, &pklen)) {
69	0	debug3_f("EVP_PKEY_get_raw_public_key failed");
70	0	goto out;
71	0	}
72	0	if (pklen != crypto_sign_ed25519_PUBLICKEYBYTES) {
73	0	debug3_f("public key length mismatch: %zu", pklen);
74	0	goto out;
75	0	}
76
77	0	sklen = SSH_ED25519_RAW_SECRET_KEY_LEN;
78		/* Extract private key (32 bytes seed) */
79	0	if (!EVP_PKEY_get_raw_private_key(pkey, sk, &sklen)) {
80	0	debug3_f("EVP_PKEY_get_raw_private_key failed");
81	0	goto out;
82	0	}
83	0	if (sklen != SSH_ED25519_RAW_SECRET_KEY_LEN) {
84	0	debug3_f("private key length mismatch: %zu", sklen);
85	0	goto out;
86	0	}
87
88		/* Append public key to secret key (SUPERCOP format compatibility) */
89	0	memcpy(sk + sklen, pk, crypto_sign_ed25519_PUBLICKEYBYTES);
90
91	0	ret = 0;
92	0	out:
93	0	EVP_PKEY_free(pkey);
94	0	EVP_PKEY_CTX_free(ctx);
95	0	return ret;
96	0	}
97
98		int
99		crypto_sign_ed25519(unsigned char sm, unsigned long long smlen,
100		const unsigned char *m, unsigned long long mlen,
101		const unsigned char *sk)
102	0	{
103	0	EVP_PKEY *pkey = NULL;
104	0	EVP_MD_CTX *mdctx = NULL;
105	0	size_t siglen;
106	0	int ret = -1;
107
108		/* Create EVP_PKEY from secret key (first 32 bytes are the seed) */
109	0	if ((pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, NULL,
110	0	sk, SSH_ED25519_RAW_SECRET_KEY_LEN)) == NULL) {
111	0	debug3_f("EVP_PKEY_new_raw_private_key failed");
112	0	goto out;
113	0	}
114
115		/* Sign the message */
116	0	if ((mdctx = EVP_MD_CTX_new()) == NULL) {
117	0	debug3_f("EVP_MD_CTX_new failed");
118	0	goto out;
119	0	}
120	0	if (EVP_DigestSignInit(mdctx, NULL, NULL, NULL, pkey) != 1) {
121	0	debug3_f("EVP_DigestSignInit failed");
122	0	goto out;
123	0	}
124	0	siglen = crypto_sign_ed25519_BYTES;
125	0	if (EVP_DigestSign(mdctx, sm, &siglen, m, mlen) != 1) {
126	0	debug3_f("EVP_DigestSign failed");
127	0	goto out;
128	0	}
129	0	if (siglen != crypto_sign_ed25519_BYTES) {
130	0	debug3_f("signature length mismatch: %zu", siglen);
131	0	goto out;
132	0	}
133
134		/* Append message after signature (SUPERCOP format) */
135	0	if (mlen > ULLONG_MAX - siglen) {
136	0	debug3_f("message length overflow: siglen=%zu mlen=%llu",
137	0	siglen, mlen);
138	0	goto out;
139	0	}
140	0	memmove(sm + siglen, m, mlen);
141	0	*smlen = siglen + mlen;
142
143	0	ret = 0;
144	0	out:
145	0	EVP_MD_CTX_free(mdctx);
146	0	EVP_PKEY_free(pkey);
147	0	return ret;
148	0	}
149
150		int
151		crypto_sign_ed25519_open(unsigned char m, unsigned long long mlen,
152		const unsigned char *sm, unsigned long long smlen,
153		const unsigned char *pk)
154	49	{
155	49	EVP_PKEY *pkey = NULL;
156	49	EVP_MD_CTX *mdctx = NULL;
157	49	int ret = -1;
158	49	const unsigned char *msg;
159	49	size_t msglen;
160
161	49	if (smlen < crypto_sign_ed25519_BYTES) {
162	0	debug3_f("signed message bad length: %llu", smlen);
163	0	return -1;
164	0	}
165		/* Signature is first crypto_sign_ed25519_BYTES, message follows */
166	49	msg = sm + crypto_sign_ed25519_BYTES;
167	49	msglen = smlen - crypto_sign_ed25519_BYTES;
168
169		/* Make sure the message buffer is big enough. */
170	49	if (*mlen < msglen) {
171	0	debug_f("message bad length: %llu", *mlen);
172	0	return -1;
173	0	}
174
175		/* Create EVP_PKEY from public key */
176	49	if ((pkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, NULL,
177	49	pk, crypto_sign_ed25519_PUBLICKEYBYTES)) == NULL) {
178	0	debug3_f("EVP_PKEY_new_raw_public_key failed");
179	0	goto out;
180	0	}
181
182	49	if ((mdctx = EVP_MD_CTX_new()) == NULL) {
183	0	debug3_f("EVP_MD_CTX_new failed");
184	0	goto out;
185	0	}
186	49	if (EVP_DigestVerifyInit(mdctx, NULL, NULL, NULL, pkey) <= 0) {
187	0	debug3_f("EVP_DigestVerifyInit failed");
188	0	goto out;
189	0	}
190	49	if (EVP_DigestVerify(mdctx, sm, crypto_sign_ed25519_BYTES,
191	49	msg, msglen) != 1) {
192	38	debug3_f("EVP_DigestVerify failed");
193	38	goto out;
194	38	}
195
196		/* Copy message out */
197	11	*mlen = msglen;
198	11	memmove(m, msg, msglen);
199
200	11	ret = 0;
201	49	out:
202	49	EVP_MD_CTX_free(mdctx);
203	49	EVP_PKEY_free(pkey);
204	49	return ret;
205	11	}
206
207		#endif /* OPENSSL_HAS_ED25519 */