1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00
putty-source/sshecc.c
Chris Staite 2bf8688355 Elliptic-curve cryptography support.
This provides support for ECDSA public keys, for both hosts and users,
and also ECDH key exchange. Supported curves are currently just the
three NIST curves required by RFC 5656.
2014-11-02 18:16:54 +00:00

2105 lines
53 KiB
C

/*
* Elliptic-curve crypto module for PuTTY
* Implements the three required curves, no optional curves
* NOTE: Only curves on prime field are handled by the maths functions
*/
/*
* References:
*
* Elliptic curves in SSH are specified in RFC 5656:
* http://tools.ietf.org/html/rfc5656
*
* That specification delegates details of public key formatting and a
* lot of underlying mechanism to SEC 1:
* http://www.secg.org/sec1-v2.pdf
*/
#include <stdlib.h>
#include <assert.h>
#include "ssh.h"
/* ----------------------------------------------------------------------
* Elliptic curve definitions
*/
static int initialise_curve(struct ec_curve *curve, int bits, unsigned char *p,
unsigned char *a, unsigned char *b,
unsigned char *n, unsigned char *Gx,
unsigned char *Gy)
{
int length = bits / 8;
if (bits % 8) ++length;
curve->fieldBits = bits;
curve->p = bignum_from_bytes(p, length);
if (!curve->p) goto error;
/* Curve co-efficients */
curve->a = bignum_from_bytes(a, length);
if (!curve->a) goto error;
curve->b = bignum_from_bytes(b, length);
if (!curve->b) goto error;
/* Group order and generator */
curve->n = bignum_from_bytes(n, length);
if (!curve->n) goto error;
curve->G.x = bignum_from_bytes(Gx, length);
if (!curve->G.x) goto error;
curve->G.y = bignum_from_bytes(Gy, length);
if (!curve->G.y) goto error;
curve->G.curve = curve;
curve->G.infinity = 0;
return 1;
error:
if (curve->p) freebn(curve->p);
if (curve->a) freebn(curve->a);
if (curve->b) freebn(curve->b);
if (curve->n) freebn(curve->n);
if (curve->G.x) freebn(curve->G.x);
return 0;
}
unsigned char nistp256_oid[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07};
int nistp256_oid_len = 8;
unsigned char nistp384_oid[] = {0x2b, 0x81, 0x04, 0x00, 0x22};
int nistp384_oid_len = 5;
unsigned char nistp521_oid[] = {0x2b, 0x81, 0x04, 0x00, 0x23};
int nistp521_oid_len = 5;
struct ec_curve *ec_p256(void)
{
static struct ec_curve curve = { 0 };
static unsigned char initialised = 0;
if (!initialised)
{
unsigned char p[] = {
0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
unsigned char a[] = {
0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc
};
unsigned char b[] = {
0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7,
0xb3, 0xeb, 0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc,
0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53, 0xb0, 0xf6,
0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b
};
unsigned char n[] = {
0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xbc, 0xe6, 0xfa, 0xad, 0xa7, 0x17, 0x9e, 0x84,
0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x51
};
unsigned char Gx[] = {
0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47,
0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2,
0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0,
0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96
};
unsigned char Gy[] = {
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b,
0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16,
0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5
};
if (!initialise_curve(&curve, 256, p, a, b, n, Gx, Gy)) {
return NULL;
}
/* Now initialised, no need to do it again */
initialised = 1;
}
return &curve;
}
struct ec_curve *ec_p384(void)
{
static struct ec_curve curve = { 0 };
static unsigned char initialised = 0;
if (!initialised)
{
unsigned char p[] = {
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff
};
unsigned char a[] = {
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfc
};
unsigned char b[] = {
0xb3, 0x31, 0x2f, 0xa7, 0xe2, 0x3e, 0xe7, 0xe4,
0x98, 0x8e, 0x05, 0x6b, 0xe3, 0xf8, 0x2d, 0x19,
0x18, 0x1d, 0x9c, 0x6e, 0xfe, 0x81, 0x41, 0x12,
0x03, 0x14, 0x08, 0x8f, 0x50, 0x13, 0x87, 0x5a,
0xc6, 0x56, 0x39, 0x8d, 0x8a, 0x2e, 0xd1, 0x9d,
0x2a, 0x85, 0xc8, 0xed, 0xd3, 0xec, 0x2a, 0xef
};
unsigned char n[] = {
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xc7, 0x63, 0x4d, 0x81, 0xf4, 0x37, 0x2d, 0xdf,
0x58, 0x1a, 0x0d, 0xb2, 0x48, 0xb0, 0xa7, 0x7a,
0xec, 0xec, 0x19, 0x6a, 0xcc, 0xc5, 0x29, 0x73
};
unsigned char Gx[] = {
0xaa, 0x87, 0xca, 0x22, 0xbe, 0x8b, 0x05, 0x37,
0x8e, 0xb1, 0xc7, 0x1e, 0xf3, 0x20, 0xad, 0x74,
0x6e, 0x1d, 0x3b, 0x62, 0x8b, 0xa7, 0x9b, 0x98,
0x59, 0xf7, 0x41, 0xe0, 0x82, 0x54, 0x2a, 0x38,
0x55, 0x02, 0xf2, 0x5d, 0xbf, 0x55, 0x29, 0x6c,
0x3a, 0x54, 0x5e, 0x38, 0x72, 0x76, 0x0a, 0xb7
};
unsigned char Gy[] = {
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f,
0x5d, 0x9e, 0x98, 0xbf, 0x92, 0x92, 0xdc, 0x29,
0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0,
0x0a, 0x60, 0xb1, 0xce, 0x1d, 0x7e, 0x81, 0x9d,
0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f
};
if (!initialise_curve(&curve, 384, p, a, b, n, Gx, Gy)) {
return NULL;
}
/* Now initialised, no need to do it again */
initialised = 1;
}
return &curve;
}
struct ec_curve *ec_p521(void)
{
static struct ec_curve curve = { 0 };
static unsigned char initialised = 0;
if (!initialised)
{
unsigned char p[] = {
0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff
};
unsigned char a[] = {
0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xfc
};
unsigned char b[] = {
0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c,
0x9a, 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85,
0x40, 0xee, 0xa2, 0xda, 0x72, 0x5b, 0x99, 0xb3,
0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1,
0x09, 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e,
0x93, 0x7b, 0x16, 0x52, 0xc0, 0xbd, 0x3b, 0xb1,
0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c,
0x34, 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50,
0x3f, 0x00
};
unsigned char n[] = {
0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xfa, 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f,
0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48, 0xf7, 0x09,
0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c,
0x47, 0xae, 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38,
0x64, 0x09
};
unsigned char Gx[] = {
0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04,
0xe9, 0xcd, 0x9e, 0x3e, 0xcb, 0x66, 0x23, 0x95,
0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d,
0x3d, 0xba, 0xa1, 0x4b, 0x5e, 0x77, 0xef, 0xe7,
0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a,
0x42, 0x9b, 0xf9, 0x7e, 0x7e, 0x31, 0xc2, 0xe5,
0xbd, 0x66
};
unsigned char Gy[] = {
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b,
0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d,
0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e,
0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4,
0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72,
0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1,
0x66, 0x50
};
if (!initialise_curve(&curve, 521, p, a, b, n, Gx, Gy)) {
return NULL;
}
/* Now initialised, no need to do it again */
initialised = 1;
}
return &curve;
}
static struct ec_curve *ec_name_to_curve(char *name, int len) {
if (len == 8 && !memcmp(name, "nistp", 5)) {
name += 5;
if (!memcmp(name, "256", 3)) {
return ec_p256();
} else if (!memcmp(name, "384", 3)) {
return ec_p384();
} else if (!memcmp(name, "521", 3)) {
return ec_p521();
}
}
return NULL;
}
static int ec_curve_to_name(const struct ec_curve *curve, unsigned char *name, int len) {
/* Return length of string */
if (name == NULL) return 8;
/* Not enough space for the name */
if (len < 8) return 0;
/* Put the name in the buffer */
switch (curve->fieldBits) {
case 256:
memcpy(name+5, "256", 3);
break;
case 384:
memcpy(name+5, "384", 3);
break;
case 521:
memcpy(name+5, "521", 3);
break;
default:
return 0;
}
memcpy(name, "nistp", 5);
return 8;
}
/* Return 1 if a is -3 % p, otherwise return 0
* This is used because there are some maths optimisations */
static int ec_aminus3(const struct ec_curve *curve)
{
int ret;
Bignum _p;
_p = bignum_add_long(curve->a, 3);
if (!_p) return 0;
ret = !bignum_cmp(curve->p, _p);
freebn(_p);
return ret;
}
/* ----------------------------------------------------------------------
* Elliptic curve field maths
*/
static Bignum ecf_add(const Bignum a, const Bignum b,
const struct ec_curve *curve)
{
Bignum a1, b1, ab, ret;
a1 = bigmod(a, curve->p);
if (!a1) return NULL;
b1 = bigmod(b, curve->p);
if (!b1)
{
freebn(a1);
return NULL;
}
ab = bigadd(a1, b1);
freebn(a1);
freebn(b1);
if (!ab) return NULL;
ret = bigmod(ab, curve->p);
freebn(ab);
return ret;
}
static Bignum ecf_square(const Bignum a, const struct ec_curve *curve)
{
return modmul(a, a, curve->p);
}
static Bignum ecf_treble(const Bignum a, const struct ec_curve *curve)
{
Bignum ret, tmp;
/* Double */
tmp = bignum_lshift(a, 1);
if (!tmp) return NULL;
/* Add itself (i.e. treble) */
ret = bigadd(tmp, a);
freebn(tmp);
/* Normalise */
while (ret != NULL && bignum_cmp(ret, curve->p) >= 0)
{
tmp = bigsub(ret, curve->p);
freebn(ret);
ret = tmp;
}
return ret;
}
static Bignum ecf_double(const Bignum a, const struct ec_curve *curve)
{
Bignum ret = bignum_lshift(a, 1);
if (!ret) return NULL;
if (bignum_cmp(ret, curve->p) >= 0)
{
Bignum tmp = bigsub(ret, curve->p);
freebn(ret);
return tmp;
}
else
{
return ret;
}
}
/* ----------------------------------------------------------------------
* Memory functions
*/
void ec_point_free(struct ec_point *point)
{
if (point == NULL) return;
point->curve = 0;
if (point->x) freebn(point->x);
if (point->y) freebn(point->y);
if (point->z) freebn(point->z);
point->infinity = 0;
sfree(point);
}
static struct ec_point *ec_point_new(const struct ec_curve *curve,
const Bignum x, const Bignum y, const Bignum z,
unsigned char infinity)
{
struct ec_point *point = snewn(1, struct ec_point);
point->curve = curve;
point->x = x;
point->y = y;
point->z = z;
point->infinity = infinity ? 1 : 0;
return point;
}
static struct ec_point *ec_point_copy(const struct ec_point *a)
{
if (a == NULL) return NULL;
return ec_point_new(a->curve,
a->x ? copybn(a->x) : NULL,
a->y ? copybn(a->y) : NULL,
a->z ? copybn(a->z) : NULL,
a->infinity);
}
static int ec_point_verify(const struct ec_point *a)
{
if (a->infinity)
{
return 1;
}
else
{
/* Verify y^2 = x^3 + ax + b */
int ret = 0;
Bignum lhs = NULL, x3 = NULL, ax = NULL, x3ax = NULL, x3axm = NULL, x3axb = NULL, rhs = NULL;
Bignum Three = bignum_from_long(3);
if (!Three) return 0;
lhs = modmul(a->y, a->y, a->curve->p);
if (!lhs) goto error;
/* This uses montgomery multiplication to optimise */
x3 = modpow(a->x, Three, a->curve->p);
freebn(Three);
if (!x3) goto error;
ax = modmul(a->curve->a, a->x, a->curve->p);
if (!ax) goto error;
x3ax = bigadd(x3, ax);
if (!x3ax) goto error;
freebn(x3); x3 = NULL;
freebn(ax); ax = NULL;
x3axm = bigmod(x3ax, a->curve->p);
if (!x3axm) goto error;
freebn(x3ax); x3ax = NULL;
x3axb = bigadd(x3axm, a->curve->b);
if (!x3axb) goto error;
freebn(x3axm); x3axm = NULL;
rhs = bigmod(x3axb, a->curve->p);
if (!rhs) goto error;
freebn(x3axb);
ret = bignum_cmp(lhs, rhs) ? 0 : 1;
freebn(lhs);
freebn(rhs);
return ret;
error:
if (x3) freebn(x3);
if (ax) freebn(ax);
if (x3ax) freebn(x3ax);
if (x3axm) freebn(x3axm);
if (x3axb) freebn(x3axb);
if (lhs) freebn(lhs);
return 0;
}
}
/* ----------------------------------------------------------------------
* Elliptic curve point maths
*/
/* Returns 1 on success and 0 on memory error */
static int ecp_normalise(struct ec_point *a)
{
Bignum Z2, Z2inv, Z3, Z3inv, tx, ty;
/* In Jacobian Coordinates the triple (X, Y, Z) represents
the affine point (X / Z^2, Y / Z^3) */
if (!a) {
// No point
return 0;
}
if (a->infinity) {
// Point is at infinity - i.e. normalised
return 1;
} else if (!a->x || !a->y) {
// No point defined
return 0;
} else if (!a->z) {
// Already normalised
return 1;
}
Z2 = ecf_square(a->z, a->curve);
if (!Z2) {
return 0;
}
Z2inv = modinv(Z2, a->curve->p);
if (!Z2inv) {
freebn(Z2);
return 0;
}
tx = modmul(a->x, Z2inv, a->curve->p);
freebn(Z2inv);
if (!tx) {
freebn(Z2);
return 0;
}
Z3 = modmul(Z2, a->z, a->curve->p);
freebn(Z2);
if (!Z3) {
freebn(tx);
return 0;
}
Z3inv = modinv(Z3, a->curve->p);
freebn(Z3);
if (!Z3inv) {
freebn(tx);
return 0;
}
ty = modmul(a->y, Z3inv, a->curve->p);
freebn(Z3inv);
if (!ty) {
freebn(tx);
return 0;
}
freebn(a->x);
a->x = tx;
freebn(a->y);
a->y = ty;
freebn(a->z);
a->z = NULL;
return 1;
}
static struct ec_point *ecp_double(const struct ec_point *a, const int aminus3)
{
Bignum S, M, outx, outy, outz;
if (a->infinity || bignum_cmp(a->y, Zero) == 0)
{
/* Identity */
return ec_point_new(a->curve, NULL, NULL, NULL, 1);
}
/* S = 4*X*Y^2 */
{
Bignum Y2, XY2, _2XY2;
Y2 = ecf_square(a->y, a->curve);
if (!Y2) {
return NULL;
}
XY2 = modmul(a->x, Y2, a->curve->p);
freebn(Y2);
if (!XY2) {
return NULL;
}
_2XY2 = ecf_double(XY2, a->curve);
freebn(XY2);
if (!_2XY2) {
return NULL;
}
S = ecf_double(_2XY2, a->curve);
freebn(_2XY2);
if (!S) {
return NULL;
}
}
/* Faster calculation if a = -3 */
if (aminus3) {
/* if a = -3, then M can also be calculated as M = 3*(X + Z^2)*(X - Z^2) */
Bignum Z2, XpZ2, XmZ2, second;
if (a->z == NULL) {
Z2 = copybn(One);
} else {
Z2 = ecf_square(a->z, a->curve);
}
if (!Z2) {
freebn(S);
return NULL;
}
XpZ2 = ecf_add(a->x, Z2, a->curve);
if (!XpZ2) {
freebn(S);
freebn(Z2);
return NULL;
}
XmZ2 = modsub(a->x, Z2, a->curve->p);
freebn(Z2);
if (!XpZ2) {
freebn(S);
freebn(XpZ2);
return NULL;
}
second = modmul(XpZ2, XmZ2, a->curve->p);
freebn(XpZ2);
freebn(XmZ2);
if (!second) {
freebn(S);
return NULL;
}
M = ecf_treble(second, a->curve);
freebn(second);
if (!M) {
freebn(S);
return NULL;
}
} else {
/* M = 3*X^2 + a*Z^4 */
Bignum _3X2, X2, aZ4;
if (a->z == NULL) {
aZ4 = copybn(a->curve->a);
} else {
Bignum Z2, Z4;
Z2 = ecf_square(a->z, a->curve);
if (!Z2) {
freebn(S);
return NULL;
}
Z4 = ecf_square(Z2, a->curve);
freebn(Z2);
if (!Z4) {
freebn(S);
return NULL;
}
aZ4 = modmul(a->curve->a, Z4, a->curve->p);
freebn(Z4);
}
if (!aZ4) {
freebn(S);
return NULL;
}
X2 = modmul(a->x, a->x, a->curve->p);
if (!X2) {
freebn(S);
freebn(aZ4);
return NULL;
}
_3X2 = ecf_treble(X2, a->curve);
freebn(X2);
if (!_3X2) {
freebn(S);
freebn(aZ4);
return NULL;
}
M = ecf_add(_3X2, aZ4, a->curve);
freebn(_3X2);
freebn(aZ4);
if (!M) {
freebn(S);
return NULL;
}
}
/* X' = M^2 - 2*S */
{
Bignum M2, _2S;
M2 = ecf_square(M, a->curve);
if (!M2) {
freebn(S);
freebn(M);
return NULL;
}
_2S = ecf_double(S, a->curve);
if (!_2S) {
freebn(M2);
freebn(S);
freebn(M);
return NULL;
}
outx = modsub(M2, _2S, a->curve->p);
freebn(M2);
freebn(_2S);
if (!outx) {
freebn(S);
freebn(M);
return NULL;
}
}
/* Y' = M*(S - X') - 8*Y^4 */
{
Bignum SX, MSX, Eight, Y2, Y4, _8Y4;
SX = modsub(S, outx, a->curve->p);
freebn(S);
if (!SX) {
freebn(M);
freebn(outx);
return NULL;
}
MSX = modmul(M, SX, a->curve->p);
freebn(SX);
freebn(M);
if (!MSX) {
freebn(outx);
return NULL;
}
Y2 = ecf_square(a->y, a->curve);
if (!Y2) {
freebn(outx);
freebn(MSX);
return NULL;
}
Y4 = ecf_square(Y2, a->curve);
freebn(Y2);
if (!Y4) {
freebn(outx);
freebn(MSX);
return NULL;
}
Eight = bignum_from_long(8);
if (!Eight) {
freebn(outx);
freebn(MSX);
freebn(Y4);
return NULL;
}
_8Y4 = modmul(Eight, Y4, a->curve->p);
freebn(Eight);
freebn(Y4);
if (!_8Y4) {
freebn(outx);
freebn(MSX);
return NULL;
}
outy = modsub(MSX, _8Y4, a->curve->p);
freebn(MSX);
freebn(_8Y4);
if (!outy) {
freebn(outx);
return NULL;
}
}
/* Z' = 2*Y*Z */
{
Bignum YZ;
if (a->z == NULL) {
YZ = copybn(a->y);
} else {
YZ = modmul(a->y, a->z, a->curve->p);
}
if (!YZ) {
freebn(outx);
freebn(outy);
return NULL;
}
outz = ecf_double(YZ, a->curve);
freebn(YZ);
if (!outz) {
freebn(outx);
freebn(outy);
return NULL;
}
}
return ec_point_new(a->curve, outx, outy, outz, 0);
}
static struct ec_point *ecp_add(const struct ec_point *a,
const struct ec_point *b,
const int aminus3)
{
Bignum U1, U2, S1, S2, outx, outy, outz;
/* Check if multiplying by infinity */
if (a->infinity) return ec_point_copy(b);
if (b->infinity) return ec_point_copy(a);
/* U1 = X1*Z2^2 */
/* S1 = Y1*Z2^3 */
if (b->z) {
Bignum Z2, Z3;
Z2 = ecf_square(b->z, a->curve);
if (!Z2) {
return NULL;
}
U1 = modmul(a->x, Z2, a->curve->p);
if (!U1) {
freebn(Z2);
return NULL;
}
Z3 = modmul(Z2, b->z, a->curve->p);
freebn(Z2);
if (!Z3) {
freebn(U1);
return NULL;
}
S1 = modmul(a->y, Z3, a->curve->p);
freebn(Z3);
if (!S1) {
freebn(U1);
return NULL;
}
} else {
U1 = copybn(a->x);
if (!U1) {
return NULL;
}
S1 = copybn(a->y);
if (!S1) {
freebn(U1);
return NULL;
}
}
/* U2 = X2*Z1^2 */
/* S2 = Y2*Z1^3 */
if (a->z) {
Bignum Z2, Z3;
Z2 = ecf_square(a->z, b->curve);
if (!Z2) {
freebn(U1);
freebn(S1);
return NULL;
}
U2 = modmul(b->x, Z2, b->curve->p);
if (!U2) {
freebn(U1);
freebn(S1);
freebn(Z2);
return NULL;
}
Z3 = modmul(Z2, a->z, b->curve->p);
freebn(Z2);
if (!Z3) {
freebn(U1);
freebn(S1);
freebn(U2);
return NULL;
}
S2 = modmul(b->y, Z3, b->curve->p);
freebn(Z3);
if (!S2) {
freebn(U1);
freebn(S1);
freebn(U2);
return NULL;
}
} else {
U2 = copybn(b->x);
if (!U2) {
freebn(U1);
freebn(S1);
return NULL;
}
S2 = copybn(b->y);
if (!S2) {
freebn(U1);
freebn(S1);
freebn(U2);
return NULL;
}
}
/* Check if multiplying by self */
if (bignum_cmp(U1, U2) == 0)
{
freebn(U1);
freebn(U2);
if (bignum_cmp(S1, S2) == 0)
{
freebn(S1);
freebn(S2);
return ecp_double(a, aminus3);
}
else
{
freebn(S1);
freebn(S2);
/* Infinity */
return ec_point_new(a->curve, NULL, NULL, NULL, 1);
}
}
{
Bignum H, R, UH2, H3;
/* H = U2 - U1 */
H = modsub(U2, U1, a->curve->p);
freebn(U2);
if (!H) {
freebn(U1);
freebn(S1);
freebn(S2);
return NULL;
}
/* R = S2 - S1 */
R = modsub(S2, S1, a->curve->p);
freebn(S2);
if (!R) {
freebn(H);
freebn(S1);
freebn(U1);
return NULL;
}
/* X3 = R^2 - H^3 - 2*U1*H^2 */
{
Bignum R2, H2, _2UH2, first;
H2 = ecf_square(H, a->curve);
if (!H2) {
freebn(U1);
freebn(S1);
freebn(H);
freebn(R);
return NULL;
}
UH2 = modmul(U1, H2, a->curve->p);
freebn(U1);
if (!UH2) {
freebn(H2);
freebn(S1);
freebn(H);
freebn(R);
return NULL;
}
H3 = modmul(H2, H, a->curve->p);
freebn(H2);
if (!H3) {
freebn(UH2);
freebn(S1);
freebn(H);
freebn(R);
return NULL;
}
R2 = ecf_square(R, a->curve);
if (!R2) {
freebn(H3);
freebn(UH2);
freebn(S1);
freebn(H);
freebn(R);
return NULL;
}
_2UH2 = ecf_double(UH2, a->curve);
if (!_2UH2) {
freebn(R2);
freebn(H3);
freebn(UH2);
freebn(S1);
freebn(H);
freebn(R);
return NULL;
}
first = modsub(R2, H3, a->curve->p);
freebn(R2);
if (!first) {
freebn(H3);
freebn(_2UH2);
freebn(UH2);
freebn(S1);
freebn(H);
freebn(R);
return NULL;
}
outx = modsub(first, _2UH2, a->curve->p);
freebn(first);
freebn(_2UH2);
if (!outx) {
freebn(H3);
freebn(UH2);
freebn(S1);
freebn(H);
freebn(R);
return NULL;
}
}
/* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
{
Bignum RUH2mX, UH2mX, SH3;
UH2mX = modsub(UH2, outx, a->curve->p);
freebn(UH2);
if (!UH2mX) {
freebn(outx);
freebn(H3);
freebn(S1);
freebn(H);
freebn(R);
return NULL;
}
RUH2mX = modmul(R, UH2mX, a->curve->p);
freebn(UH2mX);
freebn(R);
if (!RUH2mX) {
freebn(outx);
freebn(H3);
freebn(S1);
freebn(H);
return NULL;
}
SH3 = modmul(S1, H3, a->curve->p);
freebn(S1);
freebn(H3);
if (!SH3) {
freebn(RUH2mX);
freebn(outx);
freebn(H);
return NULL;
}
outy = modsub(RUH2mX, SH3, a->curve->p);
freebn(RUH2mX);
freebn(SH3);
if (!outy) {
freebn(outx);
freebn(H);
return NULL;
}
}
/* Z3 = H*Z1*Z2 */
if (a->z && b->z) {
Bignum ZZ;
ZZ = modmul(a->z, b->z, a->curve->p);
if (!ZZ) {
freebn(outx);
freebn(outy);
freebn(H);
return NULL;
}
outz = modmul(H, ZZ, a->curve->p);
freebn(H);
freebn(ZZ);
if (!outz) {
freebn(outx);
freebn(outy);
return NULL;
}
} else if (a->z) {
outz = modmul(H, a->z, a->curve->p);
freebn(H);
if (!outz) {
freebn(outx);
freebn(outy);
return NULL;
}
} else if (b->z) {
outz = modmul(H, b->z, a->curve->p);
freebn(H);
if (!outz) {
freebn(outx);
freebn(outy);
return NULL;
}
} else {
outz = H;
}
}
return ec_point_new(a->curve, outx, outy, outz, 0);
}
static struct ec_point *ecp_mul_(const struct ec_point *a, const Bignum b, int aminus3)
{
struct ec_point *A, *ret;
int bits, i;
A = ec_point_copy(a);
ret = ec_point_new(a->curve, NULL, NULL, NULL, 1);
bits = bignum_bitcount(b);
for (i = 0; ret != NULL && A != NULL && i < bits; ++i)
{
if (bignum_bit(b, i))
{
struct ec_point *tmp = ecp_add(ret, A, aminus3);
ec_point_free(ret);
ret = tmp;
}
if (i+1 != bits)
{
struct ec_point *tmp = ecp_double(A, aminus3);
ec_point_free(A);
A = tmp;
}
}
if (!A) {
ec_point_free(ret);
ret = NULL;
} else {
ec_point_free(A);
}
return ret;
}
/* Not static because it is used by sshecdsag.c to generate a new key */
struct ec_point *ecp_mul(const struct ec_point *a, const Bignum b)
{
struct ec_point *ret = ecp_mul_(a, b, ec_aminus3(a->curve));
if (!ecp_normalise(ret)) {
ec_point_free(ret);
return NULL;
}
return ret;
}
static struct ec_point *ecp_summul(const Bignum a, const Bignum b,
const struct ec_point *point)
{
struct ec_point *aG, *bP, *ret;
int aminus3 = ec_aminus3(point->curve);
aG = ecp_mul_(&point->curve->G, a, aminus3);
if (!aG) return NULL;
bP = ecp_mul_(point, b, aminus3);
if (!bP) {
ec_point_free(aG);
return NULL;
}
ret = ecp_add(aG, bP, aminus3);
ec_point_free(aG);
ec_point_free(bP);
if (!ecp_normalise(ret)) {
ec_point_free(ret);
return NULL;
}
return ret;
}
/* ----------------------------------------------------------------------
* Basic sign and verify routines
*/
static int _ecdsa_verify(const struct ec_point *publicKey,
const unsigned char *data, const int dataLen,
const Bignum r, const Bignum s)
{
int z_bits, n_bits;
Bignum z;
int valid = 0;
/* Sanity checks */
if (bignum_cmp(r, Zero) == 0 || bignum_cmp(r, publicKey->curve->n) >= 0
|| bignum_cmp(s, Zero) == 0 || bignum_cmp(s, publicKey->curve->n) >= 0)
{
return 0;
}
/* z = left most bitlen(curve->n) of data */
z = bignum_from_bytes(data, dataLen);
if (!z) return 0;
n_bits = bignum_bitcount(publicKey->curve->n);
z_bits = bignum_bitcount(z);
if (z_bits > n_bits)
{
Bignum tmp = bignum_rshift(z, z_bits - n_bits);
freebn(z);
z = tmp;
if (!z) return 0;
}
/* Ensure z in range of n */
{
Bignum tmp = bigmod(z, publicKey->curve->n);
freebn(z);
z = tmp;
if (!z) return 0;
}
/* Calculate signature */
{
Bignum w, x, u1, u2;
struct ec_point *tmp;
w = modinv(s, publicKey->curve->n);
if (!w) {
freebn(z);
return 0;
}
u1 = modmul(z, w, publicKey->curve->n);
if (!u1) {
freebn(z);
freebn(w);
return 0;
}
u2 = modmul(r, w, publicKey->curve->n);
freebn(w);
if (!u2) {
freebn(z);
freebn(u1);
return 0;
}
tmp = ecp_summul(u1, u2, publicKey);
freebn(u1);
freebn(u2);
if (!tmp) {
freebn(z);
return 0;
}
x = bigmod(tmp->x, publicKey->curve->n);
ec_point_free(tmp);
if (!x) {
freebn(z);
return 0;
}
valid = (bignum_cmp(r, x) == 0) ? 1 : 0;
freebn(x);
}
freebn(z);
return valid;
}
static void _ecdsa_sign(const Bignum privateKey, const struct ec_curve *curve,
const unsigned char *data, const int dataLen,
Bignum *r, Bignum *s)
{
unsigned char digest[20];
int z_bits, n_bits;
Bignum z, k;
struct ec_point *kG;
*r = NULL;
*s = NULL;
/* z = left most bitlen(curve->n) of data */
z = bignum_from_bytes(data, dataLen);
if (!z) return;
n_bits = bignum_bitcount(curve->n);
z_bits = bignum_bitcount(z);
if (z_bits > n_bits)
{
Bignum tmp;
tmp = bignum_rshift(z, z_bits - n_bits);
freebn(z);
z = tmp;
if (!z) return;
}
/* Generate k between 1 and curve->n, using the same deterministic
* k generation system we use for conventional DSA. */
SHA_Simple(data, dataLen, digest);
k = dss_gen_k("ECDSA deterministic k generator", curve->n, privateKey,
digest, sizeof(digest));
if (!k) return;
kG = ecp_mul(&curve->G, k);
if (!kG) {
freebn(z);
freebn(k);
return;
}
/* r = kG.x mod n */
*r = bigmod(kG->x, curve->n);
ec_point_free(kG);
if (!*r) {
freebn(z);
freebn(k);
return;
}
/* s = (z + r * priv)/k mod n */
{
Bignum rPriv, zMod, first, firstMod, kInv;
rPriv = modmul(*r, privateKey, curve->n);
if (!rPriv) {
freebn(*r);
freebn(z);
freebn(k);
return;
}
zMod = bigmod(z, curve->n);
freebn(z);
if (!zMod) {
freebn(rPriv);
freebn(*r);
freebn(k);
return;
}
first = bigadd(rPriv, zMod);
freebn(rPriv);
freebn(zMod);
if (!first) {
freebn(*r);
freebn(k);
return;
}
firstMod = bigmod(first, curve->n);
freebn(first);
if (!firstMod) {
freebn(*r);
freebn(k);
return;
}
kInv = modinv(k, curve->n);
freebn(k);
if (!kInv) {
freebn(firstMod);
freebn(*r);
return;
}
*s = modmul(firstMod, kInv, curve->n);
freebn(firstMod);
freebn(kInv);
if (!*s) {
freebn(*r);
return;
}
}
}
/* ----------------------------------------------------------------------
* Misc functions
*/
static void getstring(char **data, int *datalen, char **p, int *length)
{
*p = NULL;
if (*datalen < 4)
return;
*length = toint(GET_32BIT(*data));
if (*length < 0)
return;
*datalen -= 4;
*data += 4;
if (*datalen < *length)
return;
*p = *data;
*data += *length;
*datalen -= *length;
}
static Bignum getmp(char **data, int *datalen)
{
char *p;
int length;
getstring(data, datalen, &p, &length);
if (!p)
return NULL;
if (p[0] & 0x80)
return NULL; /* negative mp */
return bignum_from_bytes((unsigned char *)p, length);
}
static int decodepoint(char *p, int length, struct ec_point *point)
{
if (length < 1 || p[0] != 0x04) /* Only support uncompressed point */
return 0;
/* Skip compression flag */
++p;
--length;
/* The two values must be equal length */
if (length % 2 != 0) {
point->x = NULL;
point->y = NULL;
point->z = NULL;
return 0;
}
length = length / 2;
point->x = bignum_from_bytes((unsigned char *)p, length);
if (!point->x) return 0;
p += length;
point->y = bignum_from_bytes((unsigned char *)p, length);
if (!point->y) {
freebn(point->x);
point->x = NULL;
return 0;
}
point->z = NULL;
/* Verify the point is on the curve */
if (!ec_point_verify(point)) {
ec_point_free(point);
return 0;
}
return 1;
}
static int getmppoint(char **data, int *datalen, struct ec_point *point)
{
char *p;
int length;
getstring(data, datalen, &p, &length);
if (!p) return 0;
return decodepoint(p, length, point);
}
/* ----------------------------------------------------------------------
* Exposed ECDSA interface
*/
static void ecdsa_freekey(void *key)
{
struct ec_key *ec = (struct ec_key *) key;
if (!ec) return;
if (ec->publicKey.x)
freebn(ec->publicKey.x);
if (ec->publicKey.y)
freebn(ec->publicKey.y);
if (ec->publicKey.z)
freebn(ec->publicKey.z);
if (ec->privateKey)
freebn(ec->privateKey);
sfree(ec);
}
static void *ecdsa_newkey(char *data, int len)
{
char *p;
int slen;
struct ec_key *ec;
struct ec_curve *curve;
getstring(&data, &len, &p, &slen);
if (!p || slen < 11 || memcmp(p, "ecdsa-sha2-", 11)) {
return NULL;
}
curve = ec_name_to_curve(p+11, slen-11);
if (!curve) return NULL;
getstring(&data, &len, &p, &slen);
if (curve != ec_name_to_curve(p, slen)) return NULL;
ec = snew(struct ec_key);
ec->publicKey.curve = curve;
ec->publicKey.infinity = 0;
ec->publicKey.x = NULL;
ec->publicKey.y = NULL;
ec->publicKey.z = NULL;
if (!getmppoint(&data, &len, &ec->publicKey)) {
ecdsa_freekey(ec);
return NULL;
}
ec->privateKey = NULL;
if (!ec->publicKey.x || !ec->publicKey.y ||
bignum_cmp(ec->publicKey.x, curve->p) >= 0 ||
bignum_cmp(ec->publicKey.y, curve->p) >= 0)
{
ecdsa_freekey(ec);
ec = NULL;
}
return ec;
}
static char *ecdsa_fmtkey(void *key)
{
struct ec_key *ec = (struct ec_key *) key;
char *p;
int len, i, pos, nibbles;
static const char hex[] = "0123456789abcdef";
if (!ec->publicKey.x || !ec->publicKey.y || !ec->publicKey.curve)
return NULL;
pos = ec_curve_to_name(ec->publicKey.curve, NULL, 0);
if (pos == 0) return NULL;
len = 4 + 2 + 1; /* 2 x "0x", punctuation, \0 */
len += pos; /* Curve name */
len += 4 * (bignum_bitcount(ec->publicKey.x) + 15) / 16;
len += 4 * (bignum_bitcount(ec->publicKey.y) + 15) / 16;
p = snewn(len, char);
pos = ec_curve_to_name(ec->publicKey.curve, (unsigned char*)p, pos);
pos += sprintf(p + pos, ",0x");
nibbles = (3 + bignum_bitcount(ec->publicKey.x)) / 4;
if (nibbles < 1)
nibbles = 1;
for (i = nibbles; i--;) {
p[pos++] =
hex[(bignum_byte(ec->publicKey.x, i / 2) >> (4 * (i % 2))) & 0xF];
}
pos += sprintf(p + pos, ",0x");
nibbles = (3 + bignum_bitcount(ec->publicKey.y)) / 4;
if (nibbles < 1)
nibbles = 1;
for (i = nibbles; i--;) {
p[pos++] =
hex[(bignum_byte(ec->publicKey.y, i / 2) >> (4 * (i % 2))) & 0xF];
}
p[pos] = '\0';
return p;
}
static unsigned char *ecdsa_public_blob(void *key, int *len)
{
struct ec_key *ec = (struct ec_key *) key;
int pointlen, bloblen, namelen;
int i;
unsigned char *blob, *p;
namelen = ec_curve_to_name(ec->publicKey.curve, NULL, 0);
if (namelen == 0) return NULL;
pointlen = (bignum_bitcount(ec->publicKey.curve->p) + 7) / 8;
/*
* string "ecdsa-sha2-<name>", string "<name>", 0x04 point x, y.
*/
bloblen = 4 + 11 + namelen + 4 + namelen + 4 + 1 + (pointlen * 2);
blob = snewn(bloblen, unsigned char);
p = blob;
PUT_32BIT(p, 11 + namelen);
p += 4;
memcpy(p, "ecdsa-sha2-", 11);
p += 11;
p += ec_curve_to_name(ec->publicKey.curve, p, namelen);
PUT_32BIT(p, namelen);
p += 4;
p += ec_curve_to_name(ec->publicKey.curve, p, namelen);
PUT_32BIT(p, (2 * pointlen) + 1);
p += 4;
*p++ = 0x04;
for (i = pointlen; i--;)
*p++ = bignum_byte(ec->publicKey.x, i);
for (i = pointlen; i--;)
*p++ = bignum_byte(ec->publicKey.y, i);
assert(p == blob + bloblen);
*len = bloblen;
return blob;
}
static unsigned char *ecdsa_private_blob(void *key, int *len)
{
struct ec_key *ec = (struct ec_key *) key;
int keylen, bloblen;
int i;
unsigned char *blob, *p;
if (!ec->privateKey) return NULL;
keylen = (bignum_bitcount(ec->privateKey) + 8) / 8;
/*
* mpint privateKey. Total 4 + keylen.
*/
bloblen = 4 + keylen;
blob = snewn(bloblen, unsigned char);
p = blob;
PUT_32BIT(p, keylen);
p += 4;
for (i = keylen; i--;)
*p++ = bignum_byte(ec->privateKey, i);
assert(p == blob + bloblen);
*len = bloblen;
return blob;
}
static void *ecdsa_createkey(unsigned char *pub_blob, int pub_len,
unsigned char *priv_blob, int priv_len)
{
struct ec_key *ec;
struct ec_point *publicKey;
char *pb = (char *) priv_blob;
ec = (struct ec_key*)ecdsa_newkey((char *) pub_blob, pub_len);
if (!ec) {
return NULL;
}
ec->privateKey = getmp(&pb, &priv_len);
if (!ec->privateKey) {
ecdsa_freekey(ec);
return NULL;
}
/* Check that private key generates public key */
publicKey = ecp_mul(&ec->publicKey.curve->G, ec->privateKey);
if (!publicKey ||
bignum_cmp(publicKey->x, ec->publicKey.x) ||
bignum_cmp(publicKey->y, ec->publicKey.y))
{
ecdsa_freekey(ec);
ec = NULL;
}
ec_point_free(publicKey);
return ec;
}
static void *ecdsa_openssh_createkey(unsigned char **blob, int *len)
{
char **b = (char **) blob;
char *p;
int slen;
struct ec_key *ec;
struct ec_curve *curve;
struct ec_point *publicKey;
getstring(b, len, &p, &slen);
if (!p) {
return NULL;
}
curve = ec_name_to_curve(p, slen);
if (!curve) return NULL;
ec = snew(struct ec_key);
ec->publicKey.curve = curve;
ec->publicKey.infinity = 0;
ec->publicKey.x = NULL;
ec->publicKey.y = NULL;
ec->publicKey.z = NULL;
if (!getmppoint(b, len, &ec->publicKey)) {
ecdsa_freekey(ec);
return NULL;
}
ec->privateKey = NULL;
if (!ec->publicKey.x || !ec->publicKey.y ||
bignum_cmp(ec->publicKey.x, curve->p) >= 0 ||
bignum_cmp(ec->publicKey.y, curve->p) >= 0)
{
ecdsa_freekey(ec);
return NULL;
}
ec->privateKey = getmp(b, len);
if (ec->privateKey == NULL)
{
ecdsa_freekey(ec);
return NULL;
}
/* Now check that the private key makes the public key */
publicKey = ecp_mul(&ec->publicKey.curve->G, ec->privateKey);
if (!publicKey)
{
ecdsa_freekey(ec);
return NULL;
}
if (bignum_cmp(ec->publicKey.x, publicKey->x) ||
bignum_cmp(ec->publicKey.y, publicKey->y))
{
/* Private key doesn't make the public key on the given curve */
ecdsa_freekey(ec);
ec_point_free(publicKey);
}
ec_point_free(publicKey);
return ec;
}
static int ecdsa_openssh_fmtkey(void *key, unsigned char *blob, int len)
{
struct ec_key *ec = (struct ec_key *) key;
int pointlen = (bignum_bitcount(ec->publicKey.curve->p) + 7) / 8;
int namelen = ec_curve_to_name(ec->publicKey.curve, NULL, 0);
int bloblen =
4 + namelen /* <LEN> nistpXXX */
+ 4 + 1 + (pointlen * 2) /* <LEN> 0x04 pX pY */
+ ssh2_bignum_length(ec->privateKey);
int i;
if (bloblen > len)
return bloblen;
bloblen = 0;
PUT_32BIT(blob+bloblen, namelen);
bloblen += 4;
bloblen += ec_curve_to_name(ec->publicKey.curve, blob+bloblen, namelen);
PUT_32BIT(blob+bloblen, 1 + (pointlen * 2));
bloblen += 4;
blob[bloblen++] = 0x04;
for (i = pointlen; i--; )
blob[bloblen++] = bignum_byte(ec->publicKey.x, i);
for (i = pointlen; i--; )
blob[bloblen++] = bignum_byte(ec->publicKey.y, i);
pointlen = (bignum_bitcount(ec->privateKey) + 8) / 8;
PUT_32BIT(blob+bloblen, pointlen);
bloblen += 4;
for (i = pointlen; i--; )
blob[bloblen++] = bignum_byte(ec->privateKey, i);
return bloblen;
}
static int ecdsa_pubkey_bits(void *blob, int len)
{
struct ec_key *ec;
int ret;
ec = (struct ec_key*)ecdsa_newkey((char *) blob, len);
if (!ec)
return -1;
ret = ec->publicKey.curve->fieldBits;
ecdsa_freekey(ec);
return ret;
}
static char *ecdsa_fingerprint(void *key)
{
struct ec_key *ec = (struct ec_key *) key;
struct MD5Context md5c;
unsigned char digest[16], lenbuf[4];
char *ret;
unsigned char *name;
int pointlen, namelen, i, j;
namelen = ec_curve_to_name(ec->publicKey.curve, NULL, 0);
name = snewn(namelen, unsigned char);
ec_curve_to_name(ec->publicKey.curve, name, namelen);
MD5Init(&md5c);
PUT_32BIT(lenbuf, namelen + 11);
MD5Update(&md5c, lenbuf, 4);
MD5Update(&md5c, (const unsigned char *)"ecdsa-sha2-", 11);
MD5Update(&md5c, name, namelen);
PUT_32BIT(lenbuf, namelen);
MD5Update(&md5c, lenbuf, 4);
MD5Update(&md5c, name, namelen);
pointlen = (bignum_bitcount(ec->publicKey.curve->p) + 7) / 8;
PUT_32BIT(lenbuf, 1 + (pointlen * 2));
MD5Update(&md5c, lenbuf, 4);
MD5Update(&md5c, (const unsigned char *)"\x04", 1);
for (i = pointlen; i--; ) {
unsigned char c = bignum_byte(ec->publicKey.x, i);
MD5Update(&md5c, &c, 1);
}
for (i = pointlen; i--; ) {
unsigned char c = bignum_byte(ec->publicKey.y, i);
MD5Update(&md5c, &c, 1);
}
MD5Final(digest, &md5c);
ret = snewn(11 + namelen + 1 + (16 * 3), char);
i = 11;
memcpy(ret, "ecdsa-sha2-", 11);
memcpy(ret+i, name, namelen);
i += namelen;
sfree(name);
ret[i++] = ' ';
for (j = 0; j < 16; j++)
i += sprintf(ret + i, "%s%02x", j ? ":" : "", digest[j]);
return ret;
}
static int ecdsa_verifysig(void *key, char *sig, int siglen,
char *data, int datalen)
{
struct ec_key *ec = (struct ec_key *) key;
char *p;
int slen;
unsigned char digest[512 / 8];
int digestLen;
Bignum r, s;
int ret;
if (!ec->publicKey.x || !ec->publicKey.y || !ec->publicKey.curve)
return 0;
/* Check the signature curve matches the key curve */
getstring(&sig, &siglen, &p, &slen);
if (!p || slen < 11 || memcmp(p, "ecdsa-sha2-", 11)) {
return 0;
}
if (ec->publicKey.curve != ec_name_to_curve(p+11, slen-11)) {
return 0;
}
getstring(&sig, &siglen, &p, &slen);
r = getmp(&p, &slen);
if (!r) return 0;
s = getmp(&p, &slen);
if (!s) {
freebn(r);
return 0;
}
/* Perform correct hash function depending on curve size */
if (ec->publicKey.curve->fieldBits <= 256) {
SHA256_Simple(data, datalen, digest);
digestLen = 256 / 8;
} else if (ec->publicKey.curve->fieldBits <= 384) {
SHA384_Simple(data, datalen, digest);
digestLen = 384 / 8;
} else {
SHA512_Simple(data, datalen, digest);
digestLen = 512 / 8;
}
/* Verify the signature */
if (!_ecdsa_verify(&ec->publicKey, digest, digestLen, r, s)) {
ret = 0;
} else {
ret = 1;
}
freebn(r);
freebn(s);
return ret;
}
static unsigned char *ecdsa_sign(void *key, char *data, int datalen,
int *siglen)
{
struct ec_key *ec = (struct ec_key *) key;
unsigned char digest[512 / 8];
int digestLen;
Bignum r = NULL, s = NULL;
unsigned char *buf, *p;
int rlen, slen, namelen;
int i;
if (!ec->privateKey || !ec->publicKey.curve) {
return NULL;
}
/* Perform correct hash function depending on curve size */
if (ec->publicKey.curve->fieldBits <= 256) {
SHA256_Simple(data, datalen, digest);
digestLen = 256 / 8;
} else if (ec->publicKey.curve->fieldBits <= 384) {
SHA384_Simple(data, datalen, digest);
digestLen = 384 / 8;
} else {
SHA512_Simple(data, datalen, digest);
digestLen = 512 / 8;
}
/* Do the signature */
_ecdsa_sign(ec->privateKey, ec->publicKey.curve, digest, digestLen, &r, &s);
if (!r || !s) {
if (r) freebn(r);
if (s) freebn(s);
return NULL;
}
rlen = (bignum_bitcount(r) + 8) / 8;
slen = (bignum_bitcount(s) + 8) / 8;
namelen = ec_curve_to_name(ec->publicKey.curve, NULL, 0);
/* Format the output */
*siglen = 8+11+namelen+rlen+slen+8;
buf = snewn(*siglen, unsigned char);
p = buf;
PUT_32BIT(p, 11+namelen);
p += 4;
memcpy(p, "ecdsa-sha2-", 11);
p += 11;
p += ec_curve_to_name(ec->publicKey.curve, p, namelen);
PUT_32BIT(p, rlen + slen + 8);
p += 4;
PUT_32BIT(p, rlen);
p += 4;
for (i = rlen; i--;)
*p++ = bignum_byte(r, i);
PUT_32BIT(p, slen);
p += 4;
for (i = slen; i--;)
*p++ = bignum_byte(s, i);
return buf;
}
const struct ssh_signkey ssh_ecdsa_nistp256 = {
ecdsa_newkey,
ecdsa_freekey,
ecdsa_fmtkey,
ecdsa_public_blob,
ecdsa_private_blob,
ecdsa_createkey,
ecdsa_openssh_createkey,
ecdsa_openssh_fmtkey,
ecdsa_pubkey_bits,
ecdsa_fingerprint,
ecdsa_verifysig,
ecdsa_sign,
"ecdsa-sha2-nistp256",
"ecdsa-sha2-nistp256",
};
const struct ssh_signkey ssh_ecdsa_nistp384 = {
ecdsa_newkey,
ecdsa_freekey,
ecdsa_fmtkey,
ecdsa_public_blob,
ecdsa_private_blob,
ecdsa_createkey,
ecdsa_openssh_createkey,
ecdsa_openssh_fmtkey,
ecdsa_pubkey_bits,
ecdsa_fingerprint,
ecdsa_verifysig,
ecdsa_sign,
"ecdsa-sha2-nistp384",
"ecdsa-sha2-nistp384",
};
const struct ssh_signkey ssh_ecdsa_nistp521 = {
ecdsa_newkey,
ecdsa_freekey,
ecdsa_fmtkey,
ecdsa_public_blob,
ecdsa_private_blob,
ecdsa_createkey,
ecdsa_openssh_createkey,
ecdsa_openssh_fmtkey,
ecdsa_pubkey_bits,
ecdsa_fingerprint,
ecdsa_verifysig,
ecdsa_sign,
"ecdsa-sha2-nistp521",
"ecdsa-sha2-nistp521",
};
/* ----------------------------------------------------------------------
* Exposed ECDH interface
*/
static Bignum ecdh_calculate(const Bignum private,
const struct ec_point *public)
{
struct ec_point *p;
Bignum ret;
p = ecp_mul(public, private);
if (!p) return NULL;
ret = p->x;
p->x = NULL;
ec_point_free(p);
return ret;
}
void *ssh_ecdhkex_newkey(struct ec_curve *curve)
{
struct ec_key *key = snew(struct ec_key);
struct ec_point *publicKey;
key->publicKey.curve = curve;
key->privateKey = bignum_random_in_range(One, key->publicKey.curve->n);
if (!key->privateKey) {
sfree(key);
return NULL;
}
publicKey = ecp_mul(&key->publicKey.curve->G, key->privateKey);
if (!publicKey) {
freebn(key->privateKey);
sfree(key);
return NULL;
}
key->publicKey.x = publicKey->x;
key->publicKey.y = publicKey->y;
key->publicKey.z = NULL;
sfree(publicKey);
return key;
}
char *ssh_ecdhkex_getpublic(void *key, int *len)
{
struct ec_key *ec = (struct ec_key*)key;
char *point, *p;
int i;
int pointlen = (bignum_bitcount(ec->publicKey.curve->p) + 7) / 8;
*len = 1 + pointlen * 2;
point = (char*)snewn(*len, char);
p = point;
*p++ = 0x04;
for (i = pointlen; i--;)
*p++ = bignum_byte(ec->publicKey.x, i);
for (i = pointlen; i--;)
*p++ = bignum_byte(ec->publicKey.y, i);
return point;
}
Bignum ssh_ecdhkex_getkey(void *key, char *remoteKey, int remoteKeyLen)
{
struct ec_key *ec = (struct ec_key*) key;
struct ec_point remote;
remote.curve = ec->publicKey.curve;
remote.infinity = 0;
if (!decodepoint(remoteKey, remoteKeyLen, &remote)) {
return NULL;
}
return ecdh_calculate(ec->privateKey, &remote);
}
void ssh_ecdhkex_freekey(void *key)
{
ecdsa_freekey(key);
}
static const struct ssh_kex ssh_ec_kex_nistp256 = {
"ecdh-sha2-nistp256", NULL, KEXTYPE_ECDH, NULL, NULL, 0, 0, &ssh_sha256
};
static const struct ssh_kex ssh_ec_kex_nistp384 = {
"ecdh-sha2-nistp384", NULL, KEXTYPE_ECDH, NULL, NULL, 0, 0, &ssh_sha384
};
static const struct ssh_kex ssh_ec_kex_nistp521 = {
"ecdh-sha2-nistp521", NULL, KEXTYPE_ECDH, NULL, NULL, 0, 0, &ssh_sha512
};
static const struct ssh_kex *const ec_kex_list[] = {
&ssh_ec_kex_nistp256,
&ssh_ec_kex_nistp384,
&ssh_ec_kex_nistp521
};
const struct ssh_kexes ssh_ecdh_kex = {
sizeof(ec_kex_list) / sizeof(*ec_kex_list),
ec_kex_list
};