ssh-ecdsa.c revision 255767 
1255767Sdes/* $OpenBSD: ssh-ecdsa.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */
2218767Sdes/*
3218767Sdes * Copyright (c) 2000 Markus Friedl.  All rights reserved.
4218767Sdes * Copyright (c) 2010 Damien Miller.  All rights reserved.
5218767Sdes *
6218767Sdes * Redistribution and use in source and binary forms, with or without
7218767Sdes * modification, are permitted provided that the following conditions
8218767Sdes * are met:
9218767Sdes * 1. Redistributions of source code must retain the above copyright
10218767Sdes *    notice, this list of conditions and the following disclaimer.
11218767Sdes * 2. Redistributions in binary form must reproduce the above copyright
12218767Sdes *    notice, this list of conditions and the following disclaimer in the
13218767Sdes *    documentation and/or other materials provided with the distribution.
14218767Sdes *
15218767Sdes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16218767Sdes * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17218767Sdes * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18218767Sdes * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19218767Sdes * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20218767Sdes * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21218767Sdes * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22218767Sdes * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23218767Sdes * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24218767Sdes * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25218767Sdes */
26218767Sdes
27218767Sdes#include "includes.h"
28218767Sdes
29218767Sdes#ifdef OPENSSL_HAS_ECC
30218767Sdes
31218767Sdes#include <sys/types.h>
32218767Sdes
33218767Sdes#include <openssl/bn.h>
34218767Sdes#include <openssl/ec.h>
35218767Sdes#include <openssl/ecdsa.h>
36218767Sdes#include <openssl/evp.h>
37218767Sdes
38218767Sdes#include <string.h>
39218767Sdes
40218767Sdes#include "xmalloc.h"
41218767Sdes#include "buffer.h"
42218767Sdes#include "compat.h"
43218767Sdes#include "log.h"
44218767Sdes#include "key.h"
45218767Sdes
46218767Sdesint
47218767Sdesssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
48218767Sdes    const u_char *data, u_int datalen)
49218767Sdes{
50218767Sdes	ECDSA_SIG *sig;
51218767Sdes	const EVP_MD *evp_md;
52218767Sdes	EVP_MD_CTX md;
53218767Sdes	u_char digest[EVP_MAX_MD_SIZE];
54218767Sdes	u_int len, dlen;
55218767Sdes	Buffer b, bb;
56218767Sdes
57218767Sdes	if (key == NULL || key->ecdsa == NULL ||
58218767Sdes	    (key->type != KEY_ECDSA && key->type != KEY_ECDSA_CERT)) {
59218767Sdes		error("%s: no ECDSA key", __func__);
60218767Sdes		return -1;
61218767Sdes	}
62218767Sdes	evp_md = key_ec_nid_to_evpmd(key->ecdsa_nid);
63218767Sdes	EVP_DigestInit(&md, evp_md);
64218767Sdes	EVP_DigestUpdate(&md, data, datalen);
65218767Sdes	EVP_DigestFinal(&md, digest, &dlen);
66218767Sdes
67218767Sdes	sig = ECDSA_do_sign(digest, dlen, key->ecdsa);
68218767Sdes	memset(digest, 'd', sizeof(digest));
69218767Sdes
70218767Sdes	if (sig == NULL) {
71218767Sdes		error("%s: sign failed", __func__);
72218767Sdes		return -1;
73218767Sdes	}
74218767Sdes
75218767Sdes	buffer_init(&bb);
76218767Sdes	buffer_put_bignum2(&bb, sig->r);
77218767Sdes	buffer_put_bignum2(&bb, sig->s);
78218767Sdes	ECDSA_SIG_free(sig);
79218767Sdes
80218767Sdes	buffer_init(&b);
81218767Sdes	buffer_put_cstring(&b, key_ssh_name_plain(key));
82218767Sdes	buffer_put_string(&b, buffer_ptr(&bb), buffer_len(&bb));
83218767Sdes	buffer_free(&bb);
84218767Sdes	len = buffer_len(&b);
85218767Sdes	if (lenp != NULL)
86218767Sdes		*lenp = len;
87218767Sdes	if (sigp != NULL) {
88218767Sdes		*sigp = xmalloc(len);
89218767Sdes		memcpy(*sigp, buffer_ptr(&b), len);
90218767Sdes	}
91218767Sdes	buffer_free(&b);
92218767Sdes
93218767Sdes	return 0;
94218767Sdes}
95218767Sdesint
96218767Sdesssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
97218767Sdes    const u_char *data, u_int datalen)
98218767Sdes{
99218767Sdes	ECDSA_SIG *sig;
100218767Sdes	const EVP_MD *evp_md;
101218767Sdes	EVP_MD_CTX md;
102218767Sdes	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
103218767Sdes	u_int len, dlen;
104218767Sdes	int rlen, ret;
105218767Sdes	Buffer b, bb;
106218767Sdes	char *ktype;
107218767Sdes
108218767Sdes	if (key == NULL || key->ecdsa == NULL ||
109218767Sdes	    (key->type != KEY_ECDSA && key->type != KEY_ECDSA_CERT)) {
110218767Sdes		error("%s: no ECDSA key", __func__);
111218767Sdes		return -1;
112218767Sdes	}
113218767Sdes	evp_md = key_ec_nid_to_evpmd(key->ecdsa_nid);
114218767Sdes
115218767Sdes	/* fetch signature */
116218767Sdes	buffer_init(&b);
117218767Sdes	buffer_append(&b, signature, signaturelen);
118218767Sdes	ktype = buffer_get_string(&b, NULL);
119218767Sdes	if (strcmp(key_ssh_name_plain(key), ktype) != 0) {
120218767Sdes		error("%s: cannot handle type %s", __func__, ktype);
121218767Sdes		buffer_free(&b);
122255767Sdes		free(ktype);
123218767Sdes		return -1;
124218767Sdes	}
125255767Sdes	free(ktype);
126218767Sdes	sigblob = buffer_get_string(&b, &len);
127218767Sdes	rlen = buffer_len(&b);
128218767Sdes	buffer_free(&b);
129218767Sdes	if (rlen != 0) {
130218767Sdes		error("%s: remaining bytes in signature %d", __func__, rlen);
131255767Sdes		free(sigblob);
132218767Sdes		return -1;
133218767Sdes	}
134218767Sdes
135218767Sdes	/* parse signature */
136218767Sdes	if ((sig = ECDSA_SIG_new()) == NULL)
137218767Sdes		fatal("%s: ECDSA_SIG_new failed", __func__);
138218767Sdes	if ((sig->r = BN_new()) == NULL ||
139218767Sdes	    (sig->s = BN_new()) == NULL)
140218767Sdes		fatal("%s: BN_new failed", __func__);
141218767Sdes
142218767Sdes	buffer_init(&bb);
143218767Sdes	buffer_append(&bb, sigblob, len);
144218767Sdes	buffer_get_bignum2(&bb, sig->r);
145218767Sdes	buffer_get_bignum2(&bb, sig->s);
146218767Sdes	if (buffer_len(&bb) != 0)
147218767Sdes		fatal("%s: remaining bytes in inner sigblob", __func__);
148240075Sdes	buffer_free(&bb);
149218767Sdes
150218767Sdes	/* clean up */
151218767Sdes	memset(sigblob, 0, len);
152255767Sdes	free(sigblob);
153218767Sdes
154218767Sdes	/* hash the data */
155218767Sdes	EVP_DigestInit(&md, evp_md);
156218767Sdes	EVP_DigestUpdate(&md, data, datalen);
157218767Sdes	EVP_DigestFinal(&md, digest, &dlen);
158218767Sdes
159218767Sdes	ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa);
160218767Sdes	memset(digest, 'd', sizeof(digest));
161218767Sdes
162218767Sdes	ECDSA_SIG_free(sig);
163218767Sdes
164218767Sdes	debug("%s: signature %s", __func__,
165218767Sdes	    ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
166218767Sdes	return ret;
167218767Sdes}
168218767Sdes
169218767Sdes#endif /* OPENSSL_HAS_ECC */
170