/src/openssh/ed25519-openssl.c
Line | Count | Source |
1 | | /* $OpenBSD: ed25519-openssl.c,v 1.1 2025/10/30 20:49:10 djm Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2025 OpenSSH |
4 | | * |
5 | | * Permission to use, copy, modify, and distribute this software for any |
6 | | * purpose with or without fee is hereby granted, provided that the above |
7 | | * copyright notice and this permission notice appear in all copies. |
8 | | * |
9 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
10 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
11 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
12 | | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
13 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
14 | | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
15 | | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 | | */ |
17 | | |
18 | | /* |
19 | | * OpenSSL-based implementation of Ed25519 crypto_sign API |
20 | | * Alternative to the internal SUPERCOP-based implementation in ed25519.c |
21 | | */ |
22 | | |
23 | | #include "includes.h" |
24 | | |
25 | | #ifdef OPENSSL_HAS_ED25519 |
26 | | |
27 | | #include <sys/types.h> |
28 | | |
29 | | #include <string.h> |
30 | | #include <stdint.h> |
31 | | #include <limits.h> |
32 | | |
33 | | #include <openssl/evp.h> |
34 | | |
35 | | #include "crypto_api.h" |
36 | | #include "log.h" |
37 | | |
38 | | #if crypto_sign_ed25519_SECRETKEYBYTES <= crypto_sign_ed25519_PUBLICKEYBYTES |
39 | | #error "crypto_sign_ed25519_SECRETKEYBYTES < crypto_sign_ed25519_PUBLICKEYBYTES" |
40 | | #endif |
41 | | |
42 | | #define SSH_ED25519_RAW_SECRET_KEY_LEN \ |
43 | 103 | (crypto_sign_ed25519_SECRETKEYBYTES - crypto_sign_ed25519_PUBLICKEYBYTES) |
44 | | |
45 | | int |
46 | | crypto_sign_ed25519_keypair(unsigned char *pk, unsigned char *sk) |
47 | 1 | { |
48 | 1 | EVP_PKEY_CTX *ctx = NULL; |
49 | 1 | EVP_PKEY *pkey = NULL; |
50 | 1 | size_t pklen, sklen; |
51 | 1 | int ret = -1; |
52 | | |
53 | 1 | if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL)) == NULL) { |
54 | 0 | debug3_f("EVP_PKEY_CTX_new_id failed"); |
55 | 0 | goto out; |
56 | 0 | } |
57 | 1 | if (EVP_PKEY_keygen_init(ctx) <= 0) { |
58 | 0 | debug3_f("EVP_PKEY_keygen_init failed"); |
59 | 0 | goto out; |
60 | 0 | } |
61 | 1 | if (EVP_PKEY_keygen(ctx, &pkey) <= 0) { |
62 | 0 | debug3_f("EVP_PKEY_keygen failed"); |
63 | 0 | goto out; |
64 | 0 | } |
65 | | |
66 | | /* Extract public key */ |
67 | 1 | pklen = crypto_sign_ed25519_PUBLICKEYBYTES; |
68 | 1 | if (!EVP_PKEY_get_raw_public_key(pkey, pk, &pklen)) { |
69 | 0 | debug3_f("EVP_PKEY_get_raw_public_key failed"); |
70 | 0 | goto out; |
71 | 0 | } |
72 | 1 | if (pklen != crypto_sign_ed25519_PUBLICKEYBYTES) { |
73 | 0 | debug3_f("public key length mismatch: %zu", pklen); |
74 | 0 | goto out; |
75 | 0 | } |
76 | | |
77 | 1 | sklen = SSH_ED25519_RAW_SECRET_KEY_LEN; |
78 | | /* Extract private key (32 bytes seed) */ |
79 | 1 | if (!EVP_PKEY_get_raw_private_key(pkey, sk, &sklen)) { |
80 | 0 | debug3_f("EVP_PKEY_get_raw_private_key failed"); |
81 | 0 | goto out; |
82 | 0 | } |
83 | 1 | if (sklen != SSH_ED25519_RAW_SECRET_KEY_LEN) { |
84 | 0 | debug3_f("private key length mismatch: %zu", sklen); |
85 | 0 | goto out; |
86 | 0 | } |
87 | | |
88 | | /* Append public key to secret key (SUPERCOP format compatibility) */ |
89 | 1 | memcpy(sk + sklen, pk, crypto_sign_ed25519_PUBLICKEYBYTES); |
90 | | |
91 | 1 | ret = 0; |
92 | 1 | out: |
93 | 1 | EVP_PKEY_free(pkey); |
94 | 1 | EVP_PKEY_CTX_free(ctx); |
95 | 1 | return ret; |
96 | 1 | } |
97 | | |
98 | | int |
99 | | crypto_sign_ed25519(unsigned char *sm, unsigned long long *smlen, |
100 | | const unsigned char *m, unsigned long long mlen, |
101 | | const unsigned char *sk) |
102 | 101 | { |
103 | 101 | EVP_PKEY *pkey = NULL; |
104 | 101 | EVP_MD_CTX *mdctx = NULL; |
105 | 101 | size_t siglen; |
106 | 101 | int ret = -1; |
107 | | |
108 | | /* Create EVP_PKEY from secret key (first 32 bytes are the seed) */ |
109 | 101 | if ((pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, NULL, |
110 | 101 | sk, SSH_ED25519_RAW_SECRET_KEY_LEN)) == NULL) { |
111 | 0 | debug3_f("EVP_PKEY_new_raw_private_key failed"); |
112 | 0 | goto out; |
113 | 0 | } |
114 | | |
115 | | /* Sign the message */ |
116 | 101 | if ((mdctx = EVP_MD_CTX_new()) == NULL) { |
117 | 0 | debug3_f("EVP_MD_CTX_new failed"); |
118 | 0 | goto out; |
119 | 0 | } |
120 | 101 | if (EVP_DigestSignInit(mdctx, NULL, NULL, NULL, pkey) != 1) { |
121 | 0 | debug3_f("EVP_DigestSignInit failed"); |
122 | 0 | goto out; |
123 | 0 | } |
124 | 101 | siglen = crypto_sign_ed25519_BYTES; |
125 | 101 | if (EVP_DigestSign(mdctx, sm, &siglen, m, mlen) != 1) { |
126 | 0 | debug3_f("EVP_DigestSign failed"); |
127 | 0 | goto out; |
128 | 0 | } |
129 | 101 | if (siglen != crypto_sign_ed25519_BYTES) { |
130 | 0 | debug3_f("signature length mismatch: %zu", siglen); |
131 | 0 | goto out; |
132 | 0 | } |
133 | | |
134 | | /* Append message after signature (SUPERCOP format) */ |
135 | 101 | if (mlen > ULLONG_MAX - siglen) { |
136 | 0 | debug3_f("message length overflow: siglen=%zu mlen=%llu", |
137 | 0 | siglen, mlen); |
138 | 0 | goto out; |
139 | 0 | } |
140 | 101 | memmove(sm + siglen, m, mlen); |
141 | 101 | *smlen = siglen + mlen; |
142 | | |
143 | 101 | ret = 0; |
144 | 101 | out: |
145 | 101 | EVP_MD_CTX_free(mdctx); |
146 | 101 | EVP_PKEY_free(pkey); |
147 | 101 | return ret; |
148 | 101 | } |
149 | | |
150 | | int |
151 | | crypto_sign_ed25519_open(unsigned char *m, unsigned long long *mlen, |
152 | | const unsigned char *sm, unsigned long long smlen, |
153 | | const unsigned char *pk) |
154 | 3.67k | { |
155 | 3.67k | EVP_PKEY *pkey = NULL; |
156 | 3.67k | EVP_MD_CTX *mdctx = NULL; |
157 | 3.67k | int ret = -1; |
158 | 3.67k | const unsigned char *msg; |
159 | 3.67k | size_t msglen; |
160 | | |
161 | 3.67k | if (smlen < crypto_sign_ed25519_BYTES) { |
162 | 0 | debug3_f("signed message bad length: %llu", smlen); |
163 | 0 | return -1; |
164 | 0 | } |
165 | | /* Signature is first crypto_sign_ed25519_BYTES, message follows */ |
166 | 3.67k | msg = sm + crypto_sign_ed25519_BYTES; |
167 | 3.67k | msglen = smlen - crypto_sign_ed25519_BYTES; |
168 | | |
169 | | /* Make sure the message buffer is big enough. */ |
170 | 3.67k | if (*mlen < msglen) { |
171 | 0 | debug_f("message bad length: %llu", *mlen); |
172 | 0 | return -1; |
173 | 0 | } |
174 | | |
175 | | /* Create EVP_PKEY from public key */ |
176 | 3.67k | if ((pkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, NULL, |
177 | 3.67k | pk, crypto_sign_ed25519_PUBLICKEYBYTES)) == NULL) { |
178 | 0 | debug3_f("EVP_PKEY_new_raw_public_key failed"); |
179 | 0 | goto out; |
180 | 0 | } |
181 | | |
182 | 3.67k | if ((mdctx = EVP_MD_CTX_new()) == NULL) { |
183 | 0 | debug3_f("EVP_MD_CTX_new failed"); |
184 | 0 | goto out; |
185 | 0 | } |
186 | 3.67k | if (EVP_DigestVerifyInit(mdctx, NULL, NULL, NULL, pkey) <= 0) { |
187 | 0 | debug3_f("EVP_DigestVerifyInit failed"); |
188 | 0 | goto out; |
189 | 0 | } |
190 | 3.67k | if (EVP_DigestVerify(mdctx, sm, crypto_sign_ed25519_BYTES, |
191 | 3.67k | msg, msglen) != 1) { |
192 | 103 | debug3_f("EVP_DigestVerify failed"); |
193 | 103 | goto out; |
194 | 103 | } |
195 | | |
196 | | /* Copy message out */ |
197 | 3.57k | *mlen = msglen; |
198 | 3.57k | memmove(m, msg, msglen); |
199 | | |
200 | 3.57k | ret = 0; |
201 | 3.67k | out: |
202 | 3.67k | EVP_MD_CTX_free(mdctx); |
203 | 3.67k | EVP_PKEY_free(pkey); |
204 | 3.67k | return ret; |
205 | 3.57k | } |
206 | | |
207 | | #endif /* OPENSSL_HAS_ED25519 */ |