Line | Count | Source |
1 | | /* $OpenBSD: ssh-ecdsa.c,v 1.28 2025/07/24 05:44:55 djm Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | | * Copyright (c) 2010 Damien Miller. All rights reserved. |
5 | | * |
6 | | * Redistribution and use in source and binary forms, with or without |
7 | | * modification, are permitted provided that the following conditions |
8 | | * are met: |
9 | | * 1. Redistributions of source code must retain the above copyright |
10 | | * notice, this list of conditions and the following disclaimer. |
11 | | * 2. Redistributions in binary form must reproduce the above copyright |
12 | | * notice, this list of conditions and the following disclaimer in the |
13 | | * documentation and/or other materials provided with the distribution. |
14 | | * |
15 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
16 | | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
17 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
18 | | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
19 | | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
20 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
21 | | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
22 | | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
23 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
24 | | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
25 | | */ |
26 | | |
27 | | #include "includes.h" |
28 | | |
29 | | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) |
30 | | |
31 | | #include <sys/types.h> |
32 | | |
33 | | #include <openssl/bn.h> |
34 | | #include <openssl/ec.h> |
35 | | #include <openssl/ecdsa.h> |
36 | | #include <openssl/evp.h> |
37 | | |
38 | | #include <string.h> |
39 | | |
40 | | #include "sshbuf.h" |
41 | | #include "ssherr.h" |
42 | | #include "digest.h" |
43 | | #define SSHKEY_INTERNAL |
44 | | #include "sshkey.h" |
45 | | |
46 | | #include "openbsd-compat/openssl-compat.h" |
47 | | |
48 | | int |
49 | | sshkey_ecdsa_fixup_group(EVP_PKEY *k) |
50 | 0 | { |
51 | 0 | int nids[] = { |
52 | 0 | NID_X9_62_prime256v1, |
53 | 0 | NID_secp384r1, |
54 | 0 | #ifdef OPENSSL_HAS_NISTP521 |
55 | 0 | NID_secp521r1, |
56 | 0 | #endif |
57 | 0 | -1 |
58 | 0 | }; |
59 | 0 | int nid = -1; |
60 | 0 | u_int i; |
61 | 0 | const EC_GROUP *g; |
62 | 0 | EC_KEY *ec = NULL; |
63 | 0 | EC_GROUP *eg = NULL; |
64 | |
|
65 | 0 | if ((ec = EVP_PKEY_get1_EC_KEY(k)) == NULL || |
66 | 0 | (g = EC_KEY_get0_group(ec)) == NULL) |
67 | 0 | goto out; |
68 | | /* |
69 | | * The group may be stored in a ASN.1 encoded private key in one of two |
70 | | * ways: as a "named group", which is reconstituted by ASN.1 object ID |
71 | | * or explicit group parameters encoded into the key blob. Only the |
72 | | * "named group" case sets the group NID for us, but we can figure |
73 | | * it out for the other case by comparing against all the groups that |
74 | | * are supported. |
75 | | */ |
76 | 0 | if ((nid = EC_GROUP_get_curve_name(g)) > 0) |
77 | 0 | goto out; |
78 | 0 | nid = -1; |
79 | 0 | for (i = 0; nids[i] != -1; i++) { |
80 | 0 | if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) |
81 | 0 | goto out; |
82 | 0 | if (EC_GROUP_cmp(g, eg, NULL) == 0) |
83 | 0 | break; |
84 | 0 | EC_GROUP_free(eg); |
85 | 0 | eg = NULL; |
86 | 0 | } |
87 | 0 | if (nids[i] == -1) |
88 | 0 | goto out; |
89 | | |
90 | | /* Use the group with the NID attached */ |
91 | 0 | EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); |
92 | 0 | if (EC_KEY_set_group(ec, eg) != 1 || |
93 | 0 | EVP_PKEY_set1_EC_KEY(k, ec) != 1) |
94 | 0 | goto out; |
95 | | /* success */ |
96 | 0 | nid = nids[i]; |
97 | 0 | out: |
98 | 0 | EC_KEY_free(ec); |
99 | 0 | EC_GROUP_free(eg); |
100 | 0 | return nid; |
101 | 0 | } |
102 | | |
103 | | static u_int |
104 | | ssh_ecdsa_size(const struct sshkey *key) |
105 | 0 | { |
106 | 0 | switch (key->ecdsa_nid) { |
107 | 0 | case NID_X9_62_prime256v1: |
108 | 0 | return 256; |
109 | 0 | case NID_secp384r1: |
110 | 0 | return 384; |
111 | 0 | #ifdef OPENSSL_HAS_NISTP521 |
112 | 0 | case NID_secp521r1: |
113 | 0 | return 521; |
114 | 0 | #endif |
115 | 0 | default: |
116 | 0 | return 0; |
117 | 0 | } |
118 | 0 | } |
119 | | |
120 | | static void |
121 | | ssh_ecdsa_cleanup(struct sshkey *k) |
122 | 41.3k | { |
123 | 41.3k | EVP_PKEY_free(k->pkey); |
124 | 41.3k | k->pkey = NULL; |
125 | 41.3k | } |
126 | | |
127 | | static int |
128 | | ssh_ecdsa_equal(const struct sshkey *a, const struct sshkey *b) |
129 | 3.82k | { |
130 | 3.82k | if (a->pkey == NULL || b->pkey == NULL) |
131 | 0 | return 0; |
132 | 3.82k | return EVP_PKEY_cmp(a->pkey, b->pkey) == 1; |
133 | 3.82k | } |
134 | | |
135 | | static int |
136 | | ssh_ecdsa_serialize_public(const struct sshkey *key, struct sshbuf *b, |
137 | | enum sshkey_serialize_rep opts) |
138 | 52 | { |
139 | 52 | int r; |
140 | | |
141 | 52 | if (key->pkey == NULL) |
142 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
143 | 52 | if ((r = sshbuf_put_cstring(b, |
144 | 52 | sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || |
145 | 52 | (r = sshbuf_put_ec_pkey(b, key->pkey)) != 0) |
146 | 0 | return r; |
147 | | |
148 | 52 | return 0; |
149 | 52 | } |
150 | | |
151 | | static int |
152 | | ssh_ecdsa_serialize_private(const struct sshkey *key, struct sshbuf *b, |
153 | | enum sshkey_serialize_rep opts) |
154 | 0 | { |
155 | 0 | int r; |
156 | |
|
157 | 0 | if (!sshkey_is_cert(key)) { |
158 | 0 | if ((r = ssh_ecdsa_serialize_public(key, b, opts)) != 0) |
159 | 0 | return r; |
160 | 0 | } |
161 | 0 | if ((r = sshbuf_put_bignum2(b, |
162 | 0 | EC_KEY_get0_private_key(EVP_PKEY_get0_EC_KEY(key->pkey)))) != 0) |
163 | 0 | return r; |
164 | 0 | return 0; |
165 | 0 | } |
166 | | |
167 | | static int |
168 | | ssh_ecdsa_generate(struct sshkey *k, int bits) |
169 | 3 | { |
170 | 3 | EVP_PKEY *res = NULL; |
171 | 3 | EVP_PKEY_CTX *ctx = NULL; |
172 | 3 | int ret = SSH_ERR_INTERNAL_ERROR; |
173 | | |
174 | 3 | if ((k->ecdsa_nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) |
175 | 0 | return SSH_ERR_KEY_LENGTH; |
176 | | |
177 | 3 | if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) |
178 | 0 | return SSH_ERR_ALLOC_FAIL; |
179 | | |
180 | 3 | if (EVP_PKEY_keygen_init(ctx) <= 0 || |
181 | 3 | EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, k->ecdsa_nid) <= 0 || |
182 | 3 | EVP_PKEY_keygen(ctx, &res) <= 0) { |
183 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
184 | 0 | goto out; |
185 | 0 | } |
186 | | /* success */ |
187 | 3 | k->pkey = res; |
188 | 3 | res = NULL; |
189 | 3 | ret = 0; |
190 | 3 | out: |
191 | 3 | EVP_PKEY_free(res); |
192 | 3 | EVP_PKEY_CTX_free(ctx); |
193 | 3 | return ret; |
194 | 3 | } |
195 | | |
196 | | static int |
197 | | ssh_ecdsa_copy_public(const struct sshkey *from, struct sshkey *to) |
198 | 29.7k | { |
199 | 29.7k | const EC_KEY *ec_from; |
200 | 29.7k | EC_KEY *ec_to = NULL; |
201 | 29.7k | int ret = SSH_ERR_INTERNAL_ERROR; |
202 | | |
203 | 29.7k | ec_from = EVP_PKEY_get0_EC_KEY(from->pkey); |
204 | 29.7k | if (ec_from == NULL) |
205 | 0 | return SSH_ERR_LIBCRYPTO_ERROR; |
206 | | |
207 | 29.7k | to->ecdsa_nid = from->ecdsa_nid; |
208 | 29.7k | if ((ec_to = EC_KEY_new_by_curve_name(from->ecdsa_nid)) == NULL) |
209 | 0 | return SSH_ERR_ALLOC_FAIL; |
210 | 29.7k | if (EC_KEY_set_public_key(ec_to, |
211 | 29.7k | EC_KEY_get0_public_key(ec_from)) != 1) { |
212 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
213 | 0 | goto out; |
214 | 0 | } |
215 | 29.7k | EVP_PKEY_free(to->pkey); |
216 | 29.7k | if ((to->pkey = EVP_PKEY_new()) == NULL) { |
217 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
218 | 0 | goto out; |
219 | 0 | } |
220 | 29.7k | if (EVP_PKEY_set1_EC_KEY(to->pkey, ec_to) != 1) { |
221 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
222 | 0 | goto out; |
223 | 0 | } |
224 | 29.7k | ret = 0; |
225 | 29.7k | out: |
226 | 29.7k | EC_KEY_free(ec_to); |
227 | 29.7k | return ret; |
228 | 29.7k | } |
229 | | |
230 | | static int |
231 | | ssh_ecdsa_deserialize_public(const char *ktype, struct sshbuf *b, |
232 | | struct sshkey *key) |
233 | 11.5k | { |
234 | 11.5k | int r; |
235 | 11.5k | char *curve = NULL; |
236 | 11.5k | EVP_PKEY *pkey = NULL; |
237 | 11.5k | EC_KEY *ec = NULL; |
238 | | |
239 | 11.5k | if ((key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype)) == -1) |
240 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
241 | 11.5k | if ((r = sshbuf_get_cstring(b, &curve, NULL)) != 0) |
242 | 39 | goto out; |
243 | 11.5k | if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { |
244 | 459 | r = SSH_ERR_EC_CURVE_MISMATCH; |
245 | 459 | goto out; |
246 | 459 | } |
247 | 11.0k | if ((ec = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL) { |
248 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
249 | 0 | goto out; |
250 | 0 | } |
251 | 11.0k | if ((r = sshbuf_get_eckey(b, ec)) != 0) |
252 | 427 | goto out; |
253 | 10.6k | if (sshkey_ec_validate_public(EC_KEY_get0_group(ec), |
254 | 10.6k | EC_KEY_get0_public_key(ec)) != 0) { |
255 | 0 | r = SSH_ERR_KEY_INVALID_EC_VALUE; |
256 | 0 | goto out; |
257 | 0 | } |
258 | 10.6k | if ((pkey = EVP_PKEY_new()) == NULL) { |
259 | 0 | r = SSH_ERR_ALLOC_FAIL; |
260 | 0 | goto out; |
261 | 0 | } |
262 | 10.6k | if (EVP_PKEY_set1_EC_KEY(pkey, ec) != 1) { |
263 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
264 | 0 | goto out; |
265 | 0 | } |
266 | 10.6k | EVP_PKEY_free(key->pkey); |
267 | 10.6k | key->pkey = pkey; |
268 | 10.6k | pkey = NULL; |
269 | | /* success */ |
270 | 10.6k | r = 0; |
271 | | #ifdef DEBUG_PK |
272 | | sshkey_dump_ec_point( |
273 | | EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key->pkey)), |
274 | | EC_KEY_get0_public_key(EVP_PKEY_get0_EC_KEY(key->pkey))); |
275 | | #endif |
276 | 11.5k | out: |
277 | 11.5k | EC_KEY_free(ec); |
278 | 11.5k | EVP_PKEY_free(pkey); |
279 | 11.5k | free(curve); |
280 | 11.5k | return r; |
281 | 10.6k | } |
282 | | |
283 | | static int |
284 | | ssh_ecdsa_deserialize_private(const char *ktype, struct sshbuf *b, |
285 | | struct sshkey *key) |
286 | 2.15k | { |
287 | 2.15k | int r; |
288 | 2.15k | BIGNUM *exponent = NULL; |
289 | 2.15k | EC_KEY *ec = NULL; |
290 | | |
291 | 2.15k | if (!sshkey_is_cert(key)) { |
292 | 2.15k | if ((r = ssh_ecdsa_deserialize_public(ktype, b, key)) != 0) |
293 | 238 | return r; |
294 | 2.15k | } |
295 | 1.91k | if ((r = sshbuf_get_bignum2(b, &exponent)) != 0) |
296 | 11 | goto out; |
297 | 1.90k | if ((ec = EVP_PKEY_get1_EC_KEY(key->pkey)) == NULL) { |
298 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
299 | 0 | goto out; |
300 | 0 | } |
301 | 1.90k | if (EC_KEY_set_private_key(ec, exponent) != 1) { |
302 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
303 | 0 | goto out; |
304 | 0 | } |
305 | 1.90k | if ((r = sshkey_ec_validate_private(ec)) != 0) |
306 | 32 | goto out; |
307 | 1.87k | if (EVP_PKEY_set1_EC_KEY(key->pkey, ec) != 1) { |
308 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
309 | 0 | goto out; |
310 | 0 | } |
311 | | /* success */ |
312 | 1.87k | r = 0; |
313 | 1.91k | out: |
314 | 1.91k | BN_clear_free(exponent); |
315 | 1.91k | EC_KEY_free(ec); |
316 | 1.91k | return r; |
317 | 1.87k | } |
318 | | |
319 | | static int |
320 | | ssh_ecdsa_sign(struct sshkey *key, |
321 | | u_char **sigp, size_t *lenp, |
322 | | const u_char *data, size_t dlen, |
323 | | const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) |
324 | 22 | { |
325 | 22 | ECDSA_SIG *esig = NULL; |
326 | 22 | unsigned char *sigb = NULL; |
327 | 22 | const unsigned char *psig; |
328 | 22 | const BIGNUM *sig_r, *sig_s; |
329 | 22 | int hash_alg; |
330 | 22 | size_t slen = 0; |
331 | 22 | int ret = SSH_ERR_INTERNAL_ERROR; |
332 | | |
333 | 22 | if (lenp != NULL) |
334 | 22 | *lenp = 0; |
335 | 22 | if (sigp != NULL) |
336 | 22 | *sigp = NULL; |
337 | | |
338 | 22 | if (key == NULL || key->pkey == NULL || |
339 | 22 | sshkey_type_plain(key->type) != KEY_ECDSA) |
340 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
341 | | |
342 | 22 | if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) |
343 | 0 | return SSH_ERR_INTERNAL_ERROR; |
344 | | |
345 | 22 | if ((ret = sshkey_pkey_digest_sign(key->pkey, hash_alg, &sigb, &slen, |
346 | 22 | data, dlen)) != 0) |
347 | 0 | goto out; |
348 | | |
349 | 22 | psig = sigb; |
350 | 22 | if ((esig = d2i_ECDSA_SIG(NULL, &psig, slen)) == NULL) { |
351 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
352 | 0 | goto out; |
353 | 0 | } |
354 | 22 | ECDSA_SIG_get0(esig, &sig_r, &sig_s); |
355 | | |
356 | 22 | if ((ret = ssh_ecdsa_encode_store_sig(key, sig_r, sig_s, |
357 | 22 | sigp, lenp)) != 0) |
358 | 0 | goto out; |
359 | | /* success */ |
360 | 22 | ret = 0; |
361 | 22 | out: |
362 | 22 | freezero(sigb, slen); |
363 | 22 | ECDSA_SIG_free(esig); |
364 | 22 | return ret; |
365 | 22 | } |
366 | | |
367 | | int |
368 | | ssh_ecdsa_encode_store_sig(const struct sshkey *key, |
369 | | const BIGNUM *sig_r, const BIGNUM *sig_s, |
370 | | u_char **sigp, size_t *lenp) |
371 | 22 | { |
372 | 22 | struct sshbuf *b = NULL, *bb = NULL; |
373 | 22 | int ret; |
374 | 22 | size_t len; |
375 | | |
376 | 22 | if (lenp != NULL) |
377 | 22 | *lenp = 0; |
378 | 22 | if (sigp != NULL) |
379 | 22 | *sigp = NULL; |
380 | | |
381 | 22 | if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) { |
382 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
383 | 0 | goto out; |
384 | 0 | } |
385 | 22 | if ((ret = sshbuf_put_bignum2(bb, sig_r)) != 0 || |
386 | 22 | (ret = sshbuf_put_bignum2(bb, sig_s)) != 0) |
387 | 0 | goto out; |
388 | 22 | if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 || |
389 | 22 | (ret = sshbuf_put_stringb(b, bb)) != 0) |
390 | 0 | goto out; |
391 | 22 | len = sshbuf_len(b); |
392 | 22 | if (sigp != NULL) { |
393 | 22 | if ((*sigp = malloc(len)) == NULL) { |
394 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
395 | 0 | goto out; |
396 | 0 | } |
397 | 22 | memcpy(*sigp, sshbuf_ptr(b), len); |
398 | 22 | } |
399 | 22 | if (lenp != NULL) |
400 | 22 | *lenp = len; |
401 | 22 | ret = 0; |
402 | 22 | out: |
403 | 22 | sshbuf_free(b); |
404 | 22 | sshbuf_free(bb); |
405 | 22 | return ret; |
406 | 22 | } |
407 | | |
408 | | static int |
409 | | ssh_ecdsa_verify(const struct sshkey *key, |
410 | | const u_char *sig, size_t siglen, |
411 | | const u_char *data, size_t dlen, const char *alg, u_int compat, |
412 | | struct sshkey_sig_details **detailsp) |
413 | 3.79k | { |
414 | 3.79k | ECDSA_SIG *esig = NULL; |
415 | 3.79k | BIGNUM *sig_r = NULL, *sig_s = NULL; |
416 | 3.79k | int hash_alg, len = 0; |
417 | 3.79k | int ret = SSH_ERR_INTERNAL_ERROR; |
418 | 3.79k | struct sshbuf *b = NULL, *sigbuf = NULL; |
419 | 3.79k | char *ktype = NULL; |
420 | 3.79k | unsigned char *sigb = NULL, *cp; |
421 | | |
422 | 3.79k | if (key == NULL || key->pkey == NULL || |
423 | 3.79k | sshkey_type_plain(key->type) != KEY_ECDSA || |
424 | 3.79k | sig == NULL || siglen == 0) |
425 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
426 | | |
427 | 3.79k | if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) |
428 | 0 | return SSH_ERR_INTERNAL_ERROR; |
429 | | |
430 | | /* fetch signature */ |
431 | 3.79k | if ((b = sshbuf_from(sig, siglen)) == NULL) |
432 | 0 | return SSH_ERR_ALLOC_FAIL; |
433 | 3.79k | if (sshbuf_get_cstring(b, &ktype, NULL) != 0 || |
434 | 3.57k | sshbuf_froms(b, &sigbuf) != 0) { |
435 | 1.37k | ret = SSH_ERR_INVALID_FORMAT; |
436 | 1.37k | goto out; |
437 | 1.37k | } |
438 | 2.42k | if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) { |
439 | 2.19k | ret = SSH_ERR_KEY_TYPE_MISMATCH; |
440 | 2.19k | goto out; |
441 | 2.19k | } |
442 | 231 | if (sshbuf_len(b) != 0) { |
443 | 39 | ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; |
444 | 39 | goto out; |
445 | 39 | } |
446 | | |
447 | | /* parse signature */ |
448 | 192 | if (sshbuf_get_bignum2(sigbuf, &sig_r) != 0 || |
449 | 140 | sshbuf_get_bignum2(sigbuf, &sig_s) != 0) { |
450 | 140 | ret = SSH_ERR_INVALID_FORMAT; |
451 | 140 | goto out; |
452 | 140 | } |
453 | 52 | if (sshbuf_len(sigbuf) != 0) { |
454 | 22 | ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; |
455 | 22 | goto out; |
456 | 22 | } |
457 | | |
458 | 30 | if ((esig = ECDSA_SIG_new()) == NULL) { |
459 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
460 | 0 | goto out; |
461 | 0 | } |
462 | 30 | if (!ECDSA_SIG_set0(esig, sig_r, sig_s)) { |
463 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
464 | 0 | goto out; |
465 | 0 | } |
466 | 30 | sig_r = sig_s = NULL; /* transferred */ |
467 | | |
468 | 30 | if ((len = i2d_ECDSA_SIG(esig, NULL)) <= 0) { |
469 | 0 | len = 0; |
470 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
471 | 0 | goto out; |
472 | 0 | } |
473 | 30 | if ((sigb = calloc(1, len)) == NULL) { |
474 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
475 | 0 | goto out; |
476 | 0 | } |
477 | 30 | cp = sigb; /* ASN1_item_i2d increments the pointer past the object */ |
478 | 30 | if (i2d_ECDSA_SIG(esig, &cp) != len) { |
479 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
480 | 0 | goto out; |
481 | 0 | } |
482 | 30 | if ((ret = sshkey_pkey_digest_verify(key->pkey, hash_alg, |
483 | 30 | data, dlen, sigb, len)) != 0) |
484 | 30 | goto out; |
485 | | /* success */ |
486 | 3.79k | out: |
487 | 3.79k | freezero(sigb, len); |
488 | 3.79k | sshbuf_free(sigbuf); |
489 | 3.79k | sshbuf_free(b); |
490 | 3.79k | ECDSA_SIG_free(esig); |
491 | 3.79k | BN_clear_free(sig_r); |
492 | 3.79k | BN_clear_free(sig_s); |
493 | 3.79k | free(ktype); |
494 | 3.79k | return ret; |
495 | 30 | } |
496 | | |
497 | | /* NB. not static; used by ECDSA-SK */ |
498 | | const struct sshkey_impl_funcs sshkey_ecdsa_funcs = { |
499 | | /* .size = */ ssh_ecdsa_size, |
500 | | /* .alloc = */ NULL, |
501 | | /* .cleanup = */ ssh_ecdsa_cleanup, |
502 | | /* .equal = */ ssh_ecdsa_equal, |
503 | | /* .ssh_serialize_public = */ ssh_ecdsa_serialize_public, |
504 | | /* .ssh_deserialize_public = */ ssh_ecdsa_deserialize_public, |
505 | | /* .ssh_serialize_private = */ ssh_ecdsa_serialize_private, |
506 | | /* .ssh_deserialize_private = */ ssh_ecdsa_deserialize_private, |
507 | | /* .generate = */ ssh_ecdsa_generate, |
508 | | /* .copy_public = */ ssh_ecdsa_copy_public, |
509 | | /* .sign = */ ssh_ecdsa_sign, |
510 | | /* .verify = */ ssh_ecdsa_verify, |
511 | | }; |
512 | | |
513 | | const struct sshkey_impl sshkey_ecdsa_nistp256_impl = { |
514 | | /* .name = */ "ecdsa-sha2-nistp256", |
515 | | /* .shortname = */ "ECDSA", |
516 | | /* .sigalg = */ NULL, |
517 | | /* .type = */ KEY_ECDSA, |
518 | | /* .nid = */ NID_X9_62_prime256v1, |
519 | | /* .cert = */ 0, |
520 | | /* .sigonly = */ 0, |
521 | | /* .keybits = */ 0, |
522 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
523 | | }; |
524 | | |
525 | | const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl = { |
526 | | /* .name = */ "ecdsa-sha2-nistp256-cert-v01@openssh.com", |
527 | | /* .shortname = */ "ECDSA-CERT", |
528 | | /* .sigalg = */ NULL, |
529 | | /* .type = */ KEY_ECDSA_CERT, |
530 | | /* .nid = */ NID_X9_62_prime256v1, |
531 | | /* .cert = */ 1, |
532 | | /* .sigonly = */ 0, |
533 | | /* .keybits = */ 0, |
534 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
535 | | }; |
536 | | |
537 | | const struct sshkey_impl sshkey_ecdsa_nistp384_impl = { |
538 | | /* .name = */ "ecdsa-sha2-nistp384", |
539 | | /* .shortname = */ "ECDSA", |
540 | | /* .sigalg = */ NULL, |
541 | | /* .type = */ KEY_ECDSA, |
542 | | /* .nid = */ NID_secp384r1, |
543 | | /* .cert = */ 0, |
544 | | /* .sigonly = */ 0, |
545 | | /* .keybits = */ 0, |
546 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
547 | | }; |
548 | | |
549 | | const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl = { |
550 | | /* .name = */ "ecdsa-sha2-nistp384-cert-v01@openssh.com", |
551 | | /* .shortname = */ "ECDSA-CERT", |
552 | | /* .sigalg = */ NULL, |
553 | | /* .type = */ KEY_ECDSA_CERT, |
554 | | /* .nid = */ NID_secp384r1, |
555 | | /* .cert = */ 1, |
556 | | /* .sigonly = */ 0, |
557 | | /* .keybits = */ 0, |
558 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
559 | | }; |
560 | | |
561 | | #ifdef OPENSSL_HAS_NISTP521 |
562 | | const struct sshkey_impl sshkey_ecdsa_nistp521_impl = { |
563 | | /* .name = */ "ecdsa-sha2-nistp521", |
564 | | /* .shortname = */ "ECDSA", |
565 | | /* .sigalg = */ NULL, |
566 | | /* .type = */ KEY_ECDSA, |
567 | | /* .nid = */ NID_secp521r1, |
568 | | /* .cert = */ 0, |
569 | | /* .sigonly = */ 0, |
570 | | /* .keybits = */ 0, |
571 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
572 | | }; |
573 | | |
574 | | const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl = { |
575 | | /* .name = */ "ecdsa-sha2-nistp521-cert-v01@openssh.com", |
576 | | /* .shortname = */ "ECDSA-CERT", |
577 | | /* .sigalg = */ NULL, |
578 | | /* .type = */ KEY_ECDSA_CERT, |
579 | | /* .nid = */ NID_secp521r1, |
580 | | /* .cert = */ 1, |
581 | | /* .sigonly = */ 0, |
582 | | /* .keybits = */ 0, |
583 | | /* .funcs = */ &sshkey_ecdsa_funcs, |
584 | | }; |
585 | | #endif |
586 | | |
587 | | #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ |