Line | Count | Source |
1 | | /* $OpenBSD: ssh-ecdsa.c,v 1.29 2026/02/14 00:18:34 jsg Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | | * Copyright (c) 2010 Damien Miller. All rights reserved. |
5 | | * |
6 | | * Redistribution and use in source and binary forms, with or without |
7 | | * modification, are permitted provided that the following conditions |
8 | | * are met: |
9 | | * 1. Redistributions of source code must retain the above copyright |
10 | | * notice, this list of conditions and the following disclaimer. |
11 | | * 2. Redistributions in binary form must reproduce the above copyright |
12 | | * notice, this list of conditions and the following disclaimer in the |
13 | | * documentation and/or other materials provided with the distribution. |
14 | | * |
15 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
16 | | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
17 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
18 | | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
19 | | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
20 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
21 | | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
22 | | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
23 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
24 | | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
25 | | */ |
26 | | |
27 | | #include "includes.h" |
28 | | |
29 | | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) |
30 | | #include "openbsd-compat/openssl-compat.h" |
31 | | |
32 | | #include <sys/types.h> |
33 | | |
34 | | #include <openssl/bn.h> |
35 | | #include <openssl/ec.h> |
36 | | #include <openssl/ecdsa.h> |
37 | | #include <openssl/evp.h> |
38 | | |
39 | | #include <string.h> |
40 | | |
41 | | #include "sshbuf.h" |
42 | | #include "ssherr.h" |
43 | | #define SSHKEY_INTERNAL |
44 | | #include "sshkey.h" |
45 | | |
46 | | int |
47 | | sshkey_ecdsa_fixup_group(EVP_PKEY *k) |
48 | 0 | { |
49 | 0 | int nids[] = { |
50 | 0 | NID_X9_62_prime256v1, |
51 | 0 | NID_secp384r1, |
52 | 0 | #ifdef OPENSSL_HAS_NISTP521 |
53 | 0 | NID_secp521r1, |
54 | 0 | #endif |
55 | 0 | -1 |
56 | 0 | }; |
57 | 0 | int nid = -1; |
58 | 0 | u_int i; |
59 | 0 | const EC_GROUP *g; |
60 | 0 | EC_KEY *ec = NULL; |
61 | 0 | EC_GROUP *eg = NULL; |
62 | |
|
63 | 0 | if ((ec = EVP_PKEY_get1_EC_KEY(k)) == NULL || |
64 | 0 | (g = EC_KEY_get0_group(ec)) == NULL) |
65 | 0 | goto out; |
66 | | /* |
67 | | * The group may be stored in a ASN.1 encoded private key in one of two |
68 | | * ways: as a "named group", which is reconstituted by ASN.1 object ID |
69 | | * or explicit group parameters encoded into the key blob. Only the |
70 | | * "named group" case sets the group NID for us, but we can figure |
71 | | * it out for the other case by comparing against all the groups that |
72 | | * are supported. |
73 | | */ |
74 | 0 | if ((nid = EC_GROUP_get_curve_name(g)) > 0) |
75 | 0 | goto out; |
76 | 0 | nid = -1; |
77 | 0 | for (i = 0; nids[i] != -1; i++) { |
78 | 0 | if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) |
79 | 0 | goto out; |
80 | 0 | if (EC_GROUP_cmp(g, eg, NULL) == 0) |
81 | 0 | break; |
82 | 0 | EC_GROUP_free(eg); |
83 | 0 | eg = NULL; |
84 | 0 | } |
85 | 0 | if (nids[i] == -1) |
86 | 0 | goto out; |
87 | | |
88 | | /* Use the group with the NID attached */ |
89 | 0 | EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); |
90 | 0 | if (EC_KEY_set_group(ec, eg) != 1 || |
91 | 0 | EVP_PKEY_set1_EC_KEY(k, ec) != 1) |
92 | 0 | goto out; |
93 | | /* success */ |
94 | 0 | nid = nids[i]; |
95 | 0 | out: |
96 | 0 | EC_KEY_free(ec); |
97 | 0 | EC_GROUP_free(eg); |
98 | 0 | return nid; |
99 | 0 | } |
100 | | |
101 | | static u_int |
102 | | ssh_ecdsa_size(const struct sshkey *key) |
103 | 0 | { |
104 | 0 | switch (key->ecdsa_nid) { |
105 | 0 | case NID_X9_62_prime256v1: |
106 | 0 | return 256; |
107 | 0 | case NID_secp384r1: |
108 | 0 | return 384; |
109 | 0 | #ifdef OPENSSL_HAS_NISTP521 |
110 | 0 | case NID_secp521r1: |
111 | 0 | return 521; |
112 | 0 | #endif |
113 | 0 | default: |
114 | 0 | return 0; |
115 | 0 | } |
116 | 0 | } |
117 | | |
118 | | static void |
119 | | ssh_ecdsa_cleanup(struct sshkey *k) |
120 | 32.3k | { |
121 | 32.3k | EVP_PKEY_free(k->pkey); |
122 | 32.3k | k->pkey = NULL; |
123 | 32.3k | } |
124 | | |
125 | | static int |
126 | | ssh_ecdsa_equal(const struct sshkey *a, const struct sshkey *b) |
127 | 131 | { |
128 | 131 | if (a->pkey == NULL || b->pkey == NULL) |
129 | 0 | return 0; |
130 | 131 | return EVP_PKEY_cmp(a->pkey, b->pkey) == 1; |
131 | 131 | } |
132 | | |
133 | | static int |
134 | | ssh_ecdsa_serialize_public(const struct sshkey *key, struct sshbuf *b, |
135 | | enum sshkey_serialize_rep opts) |
136 | 23 | { |
137 | 23 | int r; |
138 | | |
139 | 23 | if (key->pkey == NULL) |
140 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
141 | 23 | if ((r = sshbuf_put_cstring(b, |
142 | 23 | sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || |
143 | 23 | (r = sshbuf_put_ec_pkey(b, key->pkey)) != 0) |
144 | 0 | return r; |
145 | | |
146 | 23 | return 0; |
147 | 23 | } |
148 | | |
149 | | static int |
150 | | ssh_ecdsa_serialize_private(const struct sshkey *key, struct sshbuf *b, |
151 | | enum sshkey_serialize_rep opts) |
152 | 0 | { |
153 | 0 | int r; |
154 | |
|
155 | 0 | if (!sshkey_is_cert(key)) { |
156 | 0 | if ((r = ssh_ecdsa_serialize_public(key, b, opts)) != 0) |
157 | 0 | return r; |
158 | 0 | } |
159 | 0 | if ((r = sshbuf_put_bignum2(b, |
160 | 0 | EC_KEY_get0_private_key(EVP_PKEY_get0_EC_KEY(key->pkey)))) != 0) |
161 | 0 | return r; |
162 | 0 | return 0; |
163 | 0 | } |
164 | | |
165 | | static int |
166 | | ssh_ecdsa_generate(struct sshkey *k, int bits) |
167 | 0 | { |
168 | 0 | EVP_PKEY *res = NULL; |
169 | 0 | EVP_PKEY_CTX *ctx = NULL; |
170 | 0 | int ret = SSH_ERR_INTERNAL_ERROR; |
171 | |
|
172 | 0 | if ((k->ecdsa_nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) |
173 | 0 | return SSH_ERR_KEY_LENGTH; |
174 | | |
175 | 0 | if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) |
176 | 0 | return SSH_ERR_ALLOC_FAIL; |
177 | | |
178 | 0 | if (EVP_PKEY_keygen_init(ctx) <= 0 || |
179 | 0 | EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, k->ecdsa_nid) <= 0 || |
180 | 0 | EVP_PKEY_keygen(ctx, &res) <= 0) { |
181 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
182 | 0 | goto out; |
183 | 0 | } |
184 | | /* success */ |
185 | 0 | k->pkey = res; |
186 | 0 | res = NULL; |
187 | 0 | ret = 0; |
188 | 0 | out: |
189 | 0 | EVP_PKEY_free(res); |
190 | 0 | EVP_PKEY_CTX_free(ctx); |
191 | 0 | return ret; |
192 | 0 | } |
193 | | |
194 | | static int |
195 | | ssh_ecdsa_copy_public(const struct sshkey *from, struct sshkey *to) |
196 | 32.0k | { |
197 | 32.0k | const EC_KEY *ec_from; |
198 | 32.0k | EC_KEY *ec_to = NULL; |
199 | 32.0k | int ret = SSH_ERR_INTERNAL_ERROR; |
200 | | |
201 | 32.0k | ec_from = EVP_PKEY_get0_EC_KEY(from->pkey); |
202 | 32.0k | if (ec_from == NULL) |
203 | 0 | return SSH_ERR_LIBCRYPTO_ERROR; |
204 | | |
205 | 32.0k | to->ecdsa_nid = from->ecdsa_nid; |
206 | 32.0k | if ((ec_to = EC_KEY_new_by_curve_name(from->ecdsa_nid)) == NULL) |
207 | 0 | return SSH_ERR_ALLOC_FAIL; |
208 | 32.0k | if (EC_KEY_set_public_key(ec_to, |
209 | 32.0k | EC_KEY_get0_public_key(ec_from)) != 1) { |
210 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
211 | 0 | goto out; |
212 | 0 | } |
213 | 32.0k | EVP_PKEY_free(to->pkey); |
214 | 32.0k | if ((to->pkey = EVP_PKEY_new()) == NULL) { |
215 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
216 | 0 | goto out; |
217 | 0 | } |
218 | 32.0k | if (EVP_PKEY_set1_EC_KEY(to->pkey, ec_to) != 1) { |
219 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
220 | 0 | goto out; |
221 | 0 | } |
222 | 32.0k | ret = 0; |
223 | 32.0k | out: |
224 | 32.0k | EC_KEY_free(ec_to); |
225 | 32.0k | return ret; |
226 | 32.0k | } |
227 | | |
228 | | static int |
229 | | ssh_ecdsa_deserialize_public(const char *ktype, struct sshbuf *b, |
230 | | struct sshkey *key) |
231 | 295 | { |
232 | 295 | int r; |
233 | 295 | char *curve = NULL; |
234 | 295 | EVP_PKEY *pkey = NULL; |
235 | 295 | EC_KEY *ec = NULL; |
236 | | |
237 | 295 | if ((key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype)) == -1) |
238 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
239 | 295 | if ((r = sshbuf_get_cstring(b, &curve, NULL)) != 0) |
240 | 4 | goto out; |
241 | 291 | if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { |
242 | 97 | r = SSH_ERR_EC_CURVE_MISMATCH; |
243 | 97 | goto out; |
244 | 97 | } |
245 | 194 | if ((ec = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL) { |
246 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
247 | 0 | goto out; |
248 | 0 | } |
249 | 194 | if ((r = sshbuf_get_eckey(b, ec)) != 0) |
250 | 60 | goto out; |
251 | 134 | if (sshkey_ec_validate_public(EC_KEY_get0_group(ec), |
252 | 134 | EC_KEY_get0_public_key(ec)) != 0) { |
253 | 0 | r = SSH_ERR_KEY_INVALID_EC_VALUE; |
254 | 0 | goto out; |
255 | 0 | } |
256 | 134 | if ((pkey = EVP_PKEY_new()) == NULL) { |
257 | 0 | r = SSH_ERR_ALLOC_FAIL; |
258 | 0 | goto out; |
259 | 0 | } |
260 | 134 | if (EVP_PKEY_set1_EC_KEY(pkey, ec) != 1) { |
261 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
262 | 0 | goto out; |
263 | 0 | } |
264 | 134 | EVP_PKEY_free(key->pkey); |
265 | 134 | key->pkey = pkey; |
266 | 134 | pkey = NULL; |
267 | | /* success */ |
268 | 134 | r = 0; |
269 | | #ifdef DEBUG_PK |
270 | | sshkey_dump_ec_point( |
271 | | EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key->pkey)), |
272 | | EC_KEY_get0_public_key(EVP_PKEY_get0_EC_KEY(key->pkey))); |
273 | | #endif |
274 | 295 | out: |
275 | 295 | EC_KEY_free(ec); |
276 | 295 | EVP_PKEY_free(pkey); |
277 | 295 | free(curve); |
278 | 295 | return r; |
279 | 134 | } |
280 | | |
281 | | static int |
282 | | ssh_ecdsa_deserialize_private(const char *ktype, struct sshbuf *b, |
283 | | struct sshkey *key) |
284 | 1 | { |
285 | 1 | int r; |
286 | 1 | BIGNUM *exponent = NULL; |
287 | 1 | EC_KEY *ec = NULL; |
288 | | |
289 | 1 | if (!sshkey_is_cert(key)) { |
290 | 1 | if ((r = ssh_ecdsa_deserialize_public(ktype, b, key)) != 0) |
291 | 0 | return r; |
292 | 1 | } |
293 | 1 | if ((r = sshbuf_get_bignum2(b, &exponent)) != 0) |
294 | 0 | goto out; |
295 | 1 | if ((ec = EVP_PKEY_get1_EC_KEY(key->pkey)) == NULL) { |
296 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
297 | 0 | goto out; |
298 | 0 | } |
299 | 1 | if (EC_KEY_set_private_key(ec, exponent) != 1) { |
300 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
301 | 0 | goto out; |
302 | 0 | } |
303 | 1 | if ((r = sshkey_ec_validate_private(ec)) != 0) |
304 | 0 | goto out; |
305 | 1 | if (EVP_PKEY_set1_EC_KEY(key->pkey, ec) != 1) { |
306 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
307 | 0 | goto out; |
308 | 0 | } |
309 | | /* success */ |
310 | 1 | r = 0; |
311 | 1 | out: |
312 | 1 | BN_clear_free(exponent); |
313 | 1 | EC_KEY_free(ec); |
314 | 1 | return r; |
315 | 1 | } |
316 | | |
317 | | static int |
318 | | ssh_ecdsa_sign(struct sshkey *key, |
319 | | u_char **sigp, size_t *lenp, |
320 | | const u_char *data, size_t dlen, |
321 | | const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) |
322 | 23 | { |
323 | 23 | ECDSA_SIG *esig = NULL; |
324 | 23 | unsigned char *sigb = NULL; |
325 | 23 | const unsigned char *psig; |
326 | 23 | const BIGNUM *sig_r, *sig_s; |
327 | 23 | int hash_alg; |
328 | 23 | size_t slen = 0; |
329 | 23 | int ret = SSH_ERR_INTERNAL_ERROR; |
330 | | |
331 | 23 | if (lenp != NULL) |
332 | 23 | *lenp = 0; |
333 | 23 | if (sigp != NULL) |
334 | 23 | *sigp = NULL; |
335 | | |
336 | 23 | if (key == NULL || key->pkey == NULL || |
337 | 23 | sshkey_type_plain(key->type) != KEY_ECDSA) |
338 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
339 | | |
340 | 23 | if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) |
341 | 0 | return SSH_ERR_INTERNAL_ERROR; |
342 | | |
343 | 23 | if ((ret = sshkey_pkey_digest_sign(key->pkey, hash_alg, &sigb, &slen, |
344 | 23 | data, dlen)) != 0) |
345 | 0 | goto out; |
346 | | |
347 | 23 | psig = sigb; |
348 | 23 | if ((esig = d2i_ECDSA_SIG(NULL, &psig, slen)) == NULL) { |
349 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
350 | 0 | goto out; |
351 | 0 | } |
352 | 23 | ECDSA_SIG_get0(esig, &sig_r, &sig_s); |
353 | | |
354 | 23 | if ((ret = ssh_ecdsa_encode_store_sig(key, sig_r, sig_s, |
355 | 23 | sigp, lenp)) != 0) |
356 | 0 | goto out; |
357 | | /* success */ |
358 | 23 | ret = 0; |
359 | 23 | out: |
360 | 23 | freezero(sigb, slen); |
361 | 23 | ECDSA_SIG_free(esig); |
362 | 23 | return ret; |
363 | 23 | } |
364 | | |
365 | | int |
366 | | ssh_ecdsa_encode_store_sig(const struct sshkey *key, |
367 | | const BIGNUM *sig_r, const BIGNUM *sig_s, |
368 | | u_char **sigp, size_t *lenp) |
369 | 23 | { |
370 | 23 | struct sshbuf *b = NULL, *bb = NULL; |
371 | 23 | int ret; |
372 | 23 | size_t len; |
373 | | |
374 | 23 | if (lenp != NULL) |
375 | 23 | *lenp = 0; |
376 | 23 | if (sigp != NULL) |
377 | 23 | *sigp = NULL; |
378 | | |
379 | 23 | if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) { |
380 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
381 | 0 | goto out; |
382 | 0 | } |
383 | 23 | if ((ret = sshbuf_put_bignum2(bb, sig_r)) != 0 || |
384 | 23 | (ret = sshbuf_put_bignum2(bb, sig_s)) != 0) |
385 | 0 | goto out; |
386 | 23 | if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 || |
387 | 23 | (ret = sshbuf_put_stringb(b, bb)) != 0) |
388 | 0 | goto out; |
389 | 23 | len = sshbuf_len(b); |
390 | 23 | if (sigp != NULL) { |
391 | 23 | if ((*sigp = malloc(len)) == NULL) { |
392 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
393 | 0 | goto out; |
394 | 0 | } |
395 | 23 | memcpy(*sigp, sshbuf_ptr(b), len); |
396 | 23 | } |
397 | 23 | if (lenp != NULL) |
398 | 23 | *lenp = len; |
399 | 23 | ret = 0; |
400 | 23 | out: |
401 | 23 | sshbuf_free(b); |
402 | 23 | sshbuf_free(bb); |
403 | 23 | return ret; |
404 | 23 | } |
405 | | |
406 | | static int |
407 | | ssh_ecdsa_verify(const struct sshkey *key, |
408 | | const u_char *sig, size_t siglen, |
409 | | const u_char *data, size_t dlen, const char *alg, u_int compat, |
410 | | struct sshkey_sig_details **detailsp) |
411 | 129 | { |
412 | 129 | ECDSA_SIG *esig = NULL; |
413 | 129 | BIGNUM *sig_r = NULL, *sig_s = NULL; |
414 | 129 | int hash_alg, len = 0; |
415 | 129 | int ret = SSH_ERR_INTERNAL_ERROR; |
416 | 129 | struct sshbuf *b = NULL, *sigbuf = NULL; |
417 | 129 | char *ktype = NULL; |
418 | 129 | unsigned char *sigb = NULL, *cp; |
419 | | |
420 | 129 | if (key == NULL || key->pkey == NULL || |
421 | 129 | sshkey_type_plain(key->type) != KEY_ECDSA || |
422 | 129 | sig == NULL || siglen == 0) |
423 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
424 | | |
425 | 129 | if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) |
426 | 0 | return SSH_ERR_INTERNAL_ERROR; |
427 | | |
428 | | /* fetch signature */ |
429 | 129 | if ((b = sshbuf_from(sig, siglen)) == NULL) |
430 | 0 | return SSH_ERR_ALLOC_FAIL; |
431 | 129 | if (sshbuf_get_cstring(b, &ktype, NULL) != 0 || |
432 | 127 | sshbuf_froms(b, &sigbuf) != 0) { |
433 | 4 | ret = SSH_ERR_INVALID_FORMAT; |
434 | 4 | goto out; |
435 | 4 | } |
436 | 125 | if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) { |
437 | 112 | ret = SSH_ERR_KEY_TYPE_MISMATCH; |
438 | 112 | goto out; |
439 | 112 | } |
440 | 13 | if (sshbuf_len(b) != 0) { |
441 | 1 | ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; |
442 | 1 | goto out; |
443 | 1 | } |
444 | | |
445 | | /* parse signature */ |
446 | 12 | if (sshbuf_get_bignum2(sigbuf, &sig_r) != 0 || |
447 | 10 | sshbuf_get_bignum2(sigbuf, &sig_s) != 0) { |
448 | 4 | ret = SSH_ERR_INVALID_FORMAT; |
449 | 4 | goto out; |
450 | 4 | } |
451 | 8 | if (sshbuf_len(sigbuf) != 0) { |
452 | 1 | ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; |
453 | 1 | goto out; |
454 | 1 | } |
455 | | |
456 | 7 | if ((esig = ECDSA_SIG_new()) == NULL) { |
457 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
458 | 0 | goto out; |
459 | 0 | } |
460 | 7 | if (!ECDSA_SIG_set0(esig, sig_r, sig_s)) { |
461 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
462 | 0 | goto out; |
463 | 0 | } |
464 | 7 | sig_r = sig_s = NULL; /* transferred */ |
465 | | |
466 | 7 | if ((len = i2d_ECDSA_SIG(esig, NULL)) <= 0) { |
467 | 0 | len = 0; |
468 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
469 | 0 | goto out; |
470 | 0 | } |
471 | 7 | if ((sigb = calloc(1, len)) == NULL) { |
472 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
473 | 0 | goto out; |
474 | 0 | } |
475 | 7 | cp = sigb; /* ASN1_item_i2d increments the pointer past the object */ |
476 | 7 | if (i2d_ECDSA_SIG(esig, &cp) != len) { |
477 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
478 | 0 | goto out; |
479 | 0 | } |
480 | 7 | if ((ret = sshkey_pkey_digest_verify(key->pkey, hash_alg, |
481 | 7 | data, dlen, sigb, len)) != 0) |
482 | 7 | goto out; |
483 | | /* success */ |
484 | 129 | out: |
485 | 129 | freezero(sigb, len); |
486 | 129 | sshbuf_free(sigbuf); |
487 | 129 | sshbuf_free(b); |
488 | 129 | ECDSA_SIG_free(esig); |
489 | 129 | BN_clear_free(sig_r); |
490 | 129 | BN_clear_free(sig_s); |
491 | 129 | free(ktype); |
492 | 129 | return ret; |
493 | 7 | } |
494 | | |
495 | | /* NB. not static; used by ECDSA-SK */ |
496 | | const struct sshkey_impl_funcs sshkey_ecdsa_funcs = { |
497 | | /* .size = */ ssh_ecdsa_size, |
498 | | /* .alloc = */ NULL, |
499 | | /* .cleanup = */ ssh_ecdsa_cleanup, |
500 | | /* .equal = */ ssh_ecdsa_equal, |
501 | | /* .ssh_serialize_public = */ ssh_ecdsa_serialize_public, |
502 | | /* .ssh_deserialize_public = */ ssh_ecdsa_deserialize_public, |
503 | | /* .ssh_serialize_private = */ ssh_ecdsa_serialize_private, |
504 | | /* .ssh_deserialize_private = */ ssh_ecdsa_deserialize_private, |
505 | | /* .generate = */ ssh_ecdsa_generate, |
506 | | /* .copy_public = */ ssh_ecdsa_copy_public, |
507 | | /* .sign = */ ssh_ecdsa_sign, |
508 | | /* .verify = */ ssh_ecdsa_verify, |
509 | | }; |
510 | | |
511 | | const struct sshkey_impl sshkey_ecdsa_nistp256_impl = { |
512 | | /* .name = */ "ecdsa-sha2-nistp256", |
513 | | /* .shortname = */ "ECDSA", |
514 | | /* .sigalg = */ NULL, |
515 | | /* .type = */ KEY_ECDSA, |
516 | | /* .nid = */ NID_X9_62_prime256v1, |
517 | | /* .cert = */ 0, |
518 | | /* .sigonly = */ 0, |
519 | | /* .keybits = */ 0, |
520 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
521 | | }; |
522 | | |
523 | | const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl = { |
524 | | /* .name = */ "ecdsa-sha2-nistp256-cert-v01@openssh.com", |
525 | | /* .shortname = */ "ECDSA-CERT", |
526 | | /* .sigalg = */ NULL, |
527 | | /* .type = */ KEY_ECDSA_CERT, |
528 | | /* .nid = */ NID_X9_62_prime256v1, |
529 | | /* .cert = */ 1, |
530 | | /* .sigonly = */ 0, |
531 | | /* .keybits = */ 0, |
532 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
533 | | }; |
534 | | |
535 | | const struct sshkey_impl sshkey_ecdsa_nistp384_impl = { |
536 | | /* .name = */ "ecdsa-sha2-nistp384", |
537 | | /* .shortname = */ "ECDSA", |
538 | | /* .sigalg = */ NULL, |
539 | | /* .type = */ KEY_ECDSA, |
540 | | /* .nid = */ NID_secp384r1, |
541 | | /* .cert = */ 0, |
542 | | /* .sigonly = */ 0, |
543 | | /* .keybits = */ 0, |
544 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
545 | | }; |
546 | | |
547 | | const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl = { |
548 | | /* .name = */ "ecdsa-sha2-nistp384-cert-v01@openssh.com", |
549 | | /* .shortname = */ "ECDSA-CERT", |
550 | | /* .sigalg = */ NULL, |
551 | | /* .type = */ KEY_ECDSA_CERT, |
552 | | /* .nid = */ NID_secp384r1, |
553 | | /* .cert = */ 1, |
554 | | /* .sigonly = */ 0, |
555 | | /* .keybits = */ 0, |
556 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
557 | | }; |
558 | | |
559 | | #ifdef OPENSSL_HAS_NISTP521 |
560 | | const struct sshkey_impl sshkey_ecdsa_nistp521_impl = { |
561 | | /* .name = */ "ecdsa-sha2-nistp521", |
562 | | /* .shortname = */ "ECDSA", |
563 | | /* .sigalg = */ NULL, |
564 | | /* .type = */ KEY_ECDSA, |
565 | | /* .nid = */ NID_secp521r1, |
566 | | /* .cert = */ 0, |
567 | | /* .sigonly = */ 0, |
568 | | /* .keybits = */ 0, |
569 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
570 | | }; |
571 | | |
572 | | const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl = { |
573 | | /* .name = */ "ecdsa-sha2-nistp521-cert-v01@openssh.com", |
574 | | /* .shortname = */ "ECDSA-CERT", |
575 | | /* .sigalg = */ NULL, |
576 | | /* .type = */ KEY_ECDSA_CERT, |
577 | | /* .nid = */ NID_secp521r1, |
578 | | /* .cert = */ 1, |
579 | | /* .sigonly = */ 0, |
580 | | /* .keybits = */ 0, |
581 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
582 | | }; |
583 | | #endif |
584 | | |
585 | | #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ |