ssh-ed25519.c revision 1.2 
1/* $OpenBSD: ssh-ed25519.c,v 1.4 2014/06/24 01:13:21 djm Exp $ */
2/*
3 * Copyright (c) 2013 Markus Friedl <markus@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17#define SSHKEY_INTERNAL
18#include "includes.h"
19__RCSID("$NetBSD: ssh-ed25519.c,v 1.2 2014/10/19 16:30:58 christos Exp $");
20
21#include <sys/types.h>
22#include <limits.h>
23
24#include "crypto_api.h"
25
26#include <string.h>
27#include <stdarg.h>
28
29#include "xmalloc.h"
30#include "log.h"
31#include "buffer.h"
32#include "sshkey.h"
33#include "ssherr.h"
34#include "ssh.h"
35
36int
37ssh_ed25519_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
38    const u_char *data, size_t datalen, u_int compat)
39{
40	u_char *sig = NULL;
41	size_t slen = 0, len;
42	unsigned long long smlen;
43	int r, ret;
44	struct sshbuf *b = NULL;
45
46	if (lenp != NULL)
47		*lenp = 0;
48	if (sigp != NULL)
49		*sigp = NULL;
50
51	if (key == NULL ||
52	    sshkey_type_plain(key->type) != KEY_ED25519 ||
53	    key->ed25519_sk == NULL ||
54	    datalen >= INT_MAX - crypto_sign_ed25519_BYTES)
55		return SSH_ERR_INVALID_ARGUMENT;
56	smlen = slen = datalen + crypto_sign_ed25519_BYTES;
57	if ((sig = malloc(slen)) == NULL)
58		return SSH_ERR_ALLOC_FAIL;
59
60	if ((ret = crypto_sign_ed25519(sig, &smlen, data, datalen,
61	    key->ed25519_sk)) != 0 || smlen <= datalen) {
62		r = SSH_ERR_INVALID_ARGUMENT; /* XXX better error? */
63		goto out;
64	}
65	/* encode signature */
66	if ((b = sshbuf_new()) == NULL) {
67		r = SSH_ERR_ALLOC_FAIL;
68		goto out;
69	}
70	if ((r = sshbuf_put_cstring(b, "ssh-ed25519")) != 0 ||
71	    (r = sshbuf_put_string(b, sig, smlen - datalen)) != 0)
72		goto out;
73	len = sshbuf_len(b);
74	if (sigp != NULL) {
75		if ((*sigp = malloc(len)) == NULL) {
76			r = SSH_ERR_ALLOC_FAIL;
77			goto out;
78		}
79		memcpy(*sigp, sshbuf_ptr(b), len);
80	}
81	if (lenp != NULL)
82		*lenp = len;
83	/* success */
84	r = 0;
85 out:
86	sshbuf_free(b);
87	if (sig != NULL) {
88		explicit_bzero(sig, slen);
89		free(sig);
90	}
91
92	return r;
93}
94
95int
96ssh_ed25519_verify(const struct sshkey *key,
97    const u_char *signature, size_t signaturelen,
98    const u_char *data, size_t datalen, u_int compat)
99{
100	struct sshbuf *b = NULL;
101	char *ktype = NULL;
102	const u_char *sigblob;
103	u_char *sm = NULL, *m = NULL;
104	size_t len;
105	unsigned long long smlen = 0, mlen = 0;
106	int r, ret;
107
108	if (key == NULL ||
109	    sshkey_type_plain(key->type) != KEY_ED25519 ||
110	    key->ed25519_pk == NULL ||
111	    datalen >= INT_MAX - crypto_sign_ed25519_BYTES)
112		return SSH_ERR_INVALID_ARGUMENT;
113
114	if ((b = sshbuf_from(signature, signaturelen)) == NULL)
115		return SSH_ERR_ALLOC_FAIL;
116	if ((r = sshbuf_get_cstring(b, &ktype, NULL)) != 0 ||
117	    (r = sshbuf_get_string_direct(b, &sigblob, &len)) != 0)
118		goto out;
119	if (strcmp("ssh-ed25519", ktype) != 0) {
120		r = SSH_ERR_KEY_TYPE_MISMATCH;
121		goto out;
122	}
123	if (sshbuf_len(b) != 0) {
124		r = SSH_ERR_UNEXPECTED_TRAILING_DATA;
125		goto out;
126	}
127	if (len > crypto_sign_ed25519_BYTES) {
128		r = SSH_ERR_INVALID_FORMAT;
129		goto out;
130	}
131	if (datalen >= SIZE_MAX - len)
132		return SSH_ERR_INVALID_ARGUMENT;
133	smlen = len + datalen;
134	mlen = smlen;
135	if ((sm = malloc(smlen)) == NULL || (m = xmalloc(mlen)) == NULL) {
136		r = SSH_ERR_ALLOC_FAIL;
137		goto out;
138	}
139	memcpy(sm, sigblob, len);
140	memcpy(sm+len, data, datalen);
141	if ((ret = crypto_sign_ed25519_open(m, &mlen, sm, smlen,
142	    key->ed25519_pk)) != 0) {
143		debug2("%s: crypto_sign_ed25519_open failed: %d",
144		    __func__, ret);
145	}
146	if (ret != 0 || mlen != datalen) {
147		r = SSH_ERR_SIGNATURE_INVALID;
148		goto out;
149	}
150	/* XXX compare 'm' and 'data' ? */
151	/* success */
152	r = 0;
153 out:
154	if (sm != NULL) {
155		explicit_bzero(sm, smlen);
156		free(sm);
157	}
158	if (m != NULL) {
159		explicit_bzero(m, smlen); /* NB mlen may be invalid if r != 0 */
160		free(m);
161	}
162	sshbuf_free(b);
163	free(ktype);
164	return r;
165}
166
167