Petr Šabata 81d24c
From ed7ec0cdf577ffbb0b15145340cf51596ca3eb89 Mon Sep 17 00:00:00 2001
Petr Šabata 81d24c
From: Jakub Jelen <jjelen@redhat.com>
Petr Šabata 81d24c
Date: Tue, 14 May 2019 10:45:45 +0200
Petr Šabata 81d24c
Subject: [PATCH] Use high-level OpenSSL API for signatures
Petr Šabata 81d24c
Petr Šabata 81d24c
---
Petr Šabata 81d24c
 digest-openssl.c |  16 ++++
Petr Šabata 81d24c
 digest.h         |   6 ++
Petr Šabata 81d24c
 ssh-dss.c        |  65 ++++++++++------
Petr Šabata 81d24c
 ssh-ecdsa.c      |  69 ++++++++++-------
Petr Šabata 81d24c
 ssh-rsa.c        | 193 +++++++++--------------------------------------
Petr Šabata 81d24c
 sshkey.c         |  77 +++++++++++++++++++
Petr Šabata 81d24c
 sshkey.h         |   4 +
Petr Šabata 81d24c
 7 files changed, 221 insertions(+), 209 deletions(-)
Petr Šabata 81d24c
Petr Šabata 81d24c
diff --git a/digest-openssl.c b/digest-openssl.c
Petr Šabata 81d24c
index da7ed72bc..6a21d8adb 100644
Petr Šabata 81d24c
--- a/digest-openssl.c
Petr Šabata 81d24c
+++ b/digest-openssl.c
Petr Šabata 81d24c
@@ -63,6 +63,22 @@ const struct ssh_digest digests[] = {
Petr Šabata 81d24c
 	{ -1,			NULL,		0,	NULL },
Petr Šabata 81d24c
 };
Petr Šabata 81d24c
 
Petr Šabata 81d24c
+const EVP_MD *
Petr Šabata 81d24c
+ssh_digest_to_md(int digest_type)
Petr Šabata 81d24c
+{
Petr Šabata 81d24c
+	switch (digest_type) {
Petr Šabata 81d24c
+	case SSH_DIGEST_SHA1:
Petr Šabata 81d24c
+		return EVP_sha1();
Petr Šabata 81d24c
+	case SSH_DIGEST_SHA256:
Petr Šabata 81d24c
+		return EVP_sha256();
Petr Šabata 81d24c
+	case SSH_DIGEST_SHA384:
Petr Šabata 81d24c
+		return EVP_sha384();
Petr Šabata 81d24c
+	case SSH_DIGEST_SHA512:
Petr Šabata 81d24c
+		return EVP_sha512();
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+	return NULL;
Petr Šabata 81d24c
+}
Petr Šabata 81d24c
+
Petr Šabata 81d24c
 static const struct ssh_digest *
Petr Šabata 81d24c
 ssh_digest_by_alg(int alg)
Petr Šabata 81d24c
 {
Petr Šabata 81d24c
diff --git a/digest.h b/digest.h
Petr Šabata 81d24c
index 274574d0e..c7ceeb36f 100644
Petr Šabata 81d24c
--- a/digest.h
Petr Šabata 81d24c
+++ b/digest.h
Petr Šabata 81d24c
@@ -32,6 +32,12 @@
Petr Šabata 81d24c
 struct sshbuf;
Petr Šabata 81d24c
 struct ssh_digest_ctx;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
+#ifdef WITH_OPENSSL
Petr Šabata 81d24c
+#include <openssl/evp.h>
Petr Šabata 81d24c
+/* Converts internal digest representation to the OpenSSL one */
Petr Šabata 81d24c
+const EVP_MD *ssh_digest_to_md(int digest_type);
Petr Šabata 81d24c
+#endif
Petr Šabata 81d24c
+
Petr Šabata 81d24c
 /* Looks up a digest algorithm by name */
Petr Šabata 81d24c
 int ssh_digest_alg_by_name(const char *name);
Petr Šabata 81d24c
 
Petr Šabata 81d24c
diff --git a/ssh-dss.c b/ssh-dss.c
Petr Šabata 81d24c
index a23c383dc..ea45e7275 100644
Petr Šabata 81d24c
--- a/ssh-dss.c
Petr Šabata 81d24c
+++ b/ssh-dss.c
Petr Šabata 81d24c
@@ -52,11 +52,15 @@ int
Petr Šabata 81d24c
 ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
Petr Šabata 81d24c
     const u_char *data, size_t datalen, u_int compat)
Petr Šabata 81d24c
 {
Petr Šabata 81d24c
+	EVP_PKEY *pkey = NULL;
Petr Šabata 81d24c
 	DSA_SIG *sig = NULL;
Petr Šabata 81d24c
 	const BIGNUM *sig_r, *sig_s;
Petr Šabata 81d24c
-	u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
Petr Šabata 81d24c
-	size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
Petr Šabata 81d24c
+	u_char sigblob[SIGBLOB_LEN];
Petr Šabata 81d24c
+	size_t rlen, slen;
Petr Šabata 81d24c
+	int len;
Petr Šabata 81d24c
 	struct sshbuf *b = NULL;
Petr Šabata 81d24c
+	u_char *sigb = NULL;
Petr Šabata 81d24c
+	const u_char *psig = NULL;
Petr Šabata 81d24c
 	int ret = SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 	if (lenp != NULL)
Petr Šabata 81d24c
@@ -67,17 +71,24 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
Petr Šabata 81d24c
 	if (key == NULL || key->dsa == NULL ||
Petr Šabata 81d24c
 	    sshkey_type_plain(key->type) != KEY_DSA)
Petr Šabata 81d24c
 		return SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
-	if (dlen == 0)
Petr Šabata 81d24c
-		return SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
Petr Šabata 81d24c
-	    digest, sizeof(digest))) != 0)
Petr Šabata 81d24c
+	if ((pkey = EVP_PKEY_new()) == NULL ||
Petr Šabata 81d24c
+	    EVP_PKEY_set1_DSA(pkey, key->dsa) != 1)
Petr Šabata 81d24c
+		return SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
+	ret = sshkey_calculate_signature(pkey, SSH_DIGEST_SHA1, &sigb, &len,
Petr Šabata 81d24c
+	    data, datalen);
Petr Šabata 81d24c
+	EVP_PKEY_free(pkey);
Petr Šabata 81d24c
+	if (ret < 0) {
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) {
Petr Šabata 81d24c
+	psig = sigb;
Petr Šabata 81d24c
+	if ((sig = d2i_DSA_SIG(NULL, &psig, len)) == NULL) {
Petr Šabata 81d24c
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
+	free(sigb);
Petr Šabata 81d24c
+	sigb = NULL;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 	DSA_SIG_get0(sig, &sig_r, &sig_s);
Petr Šabata 81d24c
 	rlen = BN_num_bytes(sig_r);
Petr Šabata 81d24c
@@ -110,7 +121,7 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
Petr Šabata 81d24c
 		*lenp = len;
Petr Šabata 81d24c
 	ret = 0;
Petr Šabata 81d24c
  out:
Petr Šabata 81d24c
-	explicit_bzero(digest, sizeof(digest));
Petr Šabata 81d24c
+	free(sigb);
Petr Šabata 81d24c
 	DSA_SIG_free(sig);
Petr Šabata 81d24c
 	sshbuf_free(b);
Petr Šabata 81d24c
 	return ret;
Petr Šabata 81d24c
@@ -121,20 +132,20 @@ ssh_dss_verify(const struct sshkey *key,
Petr Šabata 81d24c
     const u_char *signature, size_t signaturelen,
Petr Šabata 81d24c
     const u_char *data, size_t datalen, u_int compat)
Petr Šabata 81d24c
 {
Petr Šabata 81d24c
+	EVP_PKEY *pkey = NULL;
Petr Šabata 81d24c
 	DSA_SIG *sig = NULL;
Petr Šabata 81d24c
 	BIGNUM *sig_r = NULL, *sig_s = NULL;
Petr Šabata 81d24c
-	u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
Petr Šabata 81d24c
-	size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
Petr Šabata 81d24c
+	u_char *sigblob = NULL;
Petr Šabata 81d24c
+	size_t len, slen;
Petr Šabata 81d24c
 	int ret = SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
 	struct sshbuf *b = NULL;
Petr Šabata 81d24c
 	char *ktype = NULL;
Petr Šabata 81d24c
+	u_char *sigb = NULL, *psig = NULL;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 	if (key == NULL || key->dsa == NULL ||
Petr Šabata 81d24c
 	    sshkey_type_plain(key->type) != KEY_DSA ||
Petr Šabata 81d24c
 	    signature == NULL || signaturelen == 0)
Petr Šabata 81d24c
 		return SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
-	if (dlen == 0)
Petr Šabata 81d24c
-		return SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 	/* fetch signature */
Petr Šabata 81d24c
 	if ((b = sshbuf_from(signature, signaturelen)) == NULL)
Petr Šabata 81d24c
@@ -176,25 +187,31 @@ ssh_dss_verify(const struct sshkey *key,
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
 	sig_r = sig_s = NULL; /* transferred */
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	/* sha1 the data */
Petr Šabata 81d24c
-	if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
Petr Šabata 81d24c
-	    digest, sizeof(digest))) != 0)
Petr Šabata 81d24c
+	if ((slen = i2d_DSA_SIG(sig, NULL)) == 0) {
Petr Šabata 81d24c
+		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
-
Petr Šabata 81d24c
-	switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {
Petr Šabata 81d24c
-	case 1:
Petr Šabata 81d24c
-		ret = 0;
Petr Šabata 81d24c
-		break;
Petr Šabata 81d24c
-	case 0:
Petr Šabata 81d24c
-		ret = SSH_ERR_SIGNATURE_INVALID;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+	if ((sigb = malloc(slen)) == NULL) {
Petr Šabata 81d24c
+		ret = SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
-	default:
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+	psig = sigb;
Petr Šabata 81d24c
+	if ((slen = i2d_DSA_SIG(sig, &psig)) == 0) {
Petr Šabata 81d24c
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
 
Petr Šabata 81d24c
+	if ((pkey = EVP_PKEY_new()) == NULL ||
Petr Šabata 81d24c
+	    EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) {
Petr Šabata 81d24c
+		ret = SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
+		goto out;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+	ret = sshkey_verify_signature(pkey, SSH_DIGEST_SHA1, data, datalen,
Petr Šabata 81d24c
+	    sigb, slen);
Petr Šabata 81d24c
+	EVP_PKEY_free(pkey);
Petr Šabata 81d24c
+
Petr Šabata 81d24c
  out:
Petr Šabata 81d24c
-	explicit_bzero(digest, sizeof(digest));
Petr Šabata 81d24c
+	free(sigb);
Petr Šabata 81d24c
 	DSA_SIG_free(sig);
Petr Šabata 81d24c
 	BN_clear_free(sig_r);
Petr Šabata 81d24c
 	BN_clear_free(sig_s);
Petr Šabata 81d24c
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
Petr Šabata 81d24c
index 599c7199d..b036796e8 100644
Petr Šabata 81d24c
--- a/ssh-ecdsa.c
Petr Šabata 81d24c
+++ b/ssh-ecdsa.c
Petr Šabata 81d24c
@@ -50,11 +50,13 @@ int
Petr Šabata 81d24c
 ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
Petr Šabata 81d24c
     const u_char *data, size_t datalen, u_int compat)
Petr Šabata 81d24c
 {
Petr Šabata 81d24c
+	EVP_PKEY *pkey = NULL;
Petr Šabata 81d24c
 	ECDSA_SIG *sig = NULL;
Petr Šabata 81d24c
+	unsigned char *sigb = NULL;
Petr Šabata 81d24c
+	const unsigned char *psig;
Petr Šabata 81d24c
 	const BIGNUM *sig_r, *sig_s;
Petr Šabata 81d24c
 	int hash_alg;
Petr Šabata 81d24c
-	u_char digest[SSH_DIGEST_MAX_LENGTH];
Petr Šabata 81d24c
-	size_t len, dlen;
Petr Šabata 81d24c
+	int len;
Petr Šabata 81d24c
 	struct sshbuf *b = NULL, *bb = NULL;
Petr Šabata 81d24c
 	int ret = SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
@@ -67,18 +69,24 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
Petr Šabata 81d24c
 	    sshkey_type_plain(key->type) != KEY_ECDSA)
Petr Šabata 81d24c
 		return SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
Petr Šabata 81d24c
-	    (dlen = ssh_digest_bytes(hash_alg)) == 0)
Petr Šabata 81d24c
+	if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
Petr Šabata 81d24c
 		return SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
-	if ((ret = ssh_digest_memory(hash_alg, data, datalen,
Petr Šabata 81d24c
-	    digest, sizeof(digest))) != 0)
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+	if ((pkey = EVP_PKEY_new()) == NULL ||
Petr Šabata 81d24c
+	    EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1)
Petr Šabata 81d24c
+		return SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
+	ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data,
Petr Šabata 81d24c
+	    datalen);
Petr Šabata 81d24c
+	EVP_PKEY_free(pkey);
Petr Šabata 81d24c
+	if (ret < 0) {
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) {
Petr Šabata 81d24c
+	psig = sigb;
Petr Šabata 81d24c
+	if ((sig = d2i_ECDSA_SIG(NULL, &psig, len)) == NULL) {
Petr Šabata 81d24c
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
-
Petr Šabata 81d24c
 	if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
Petr Šabata 81d24c
 		ret = SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
@@ -102,7 +110,7 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
Petr Šabata 81d24c
 		*lenp = len;
Petr Šabata 81d24c
 	ret = 0;
Petr Šabata 81d24c
  out:
Petr Šabata 81d24c
-	explicit_bzero(digest, sizeof(digest));
Petr Šabata 81d24c
+	free(sigb);
Petr Šabata 81d24c
 	sshbuf_free(b);
Petr Šabata 81d24c
 	sshbuf_free(bb);
Petr Šabata 81d24c
 	ECDSA_SIG_free(sig);
Petr Šabata 81d24c
@@ -115,22 +123,21 @@ ssh_ecdsa_verify(const struct sshkey *key,
Petr Šabata 81d24c
     const u_char *signature, size_t signaturelen,
Petr Šabata 81d24c
     const u_char *data, size_t datalen, u_int compat)
Petr Šabata 81d24c
 {
Petr Šabata 81d24c
+	EVP_PKEY *pkey = NULL;
Petr Šabata 81d24c
 	ECDSA_SIG *sig = NULL;
Petr Šabata 81d24c
 	BIGNUM *sig_r = NULL, *sig_s = NULL;
Petr Šabata 81d24c
-	int hash_alg;
Petr Šabata 81d24c
-	u_char digest[SSH_DIGEST_MAX_LENGTH];
Petr Šabata 81d24c
-	size_t dlen;
Petr Šabata 81d24c
+	int hash_alg, len;
Petr Šabata 81d24c
 	int ret = SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
 	struct sshbuf *b = NULL, *sigbuf = NULL;
Petr Šabata 81d24c
 	char *ktype = NULL;
Petr Šabata 81d24c
+	unsigned char *sigb = NULL, *psig = NULL;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 	if (key == NULL || key->ecdsa == NULL ||
Petr Šabata 81d24c
 	    sshkey_type_plain(key->type) != KEY_ECDSA ||
Petr Šabata 81d24c
 	    signature == NULL || signaturelen == 0)
Petr Šabata 81d24c
 		return SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
Petr Šabata 81d24c
-	    (dlen = ssh_digest_bytes(hash_alg)) == 0)
Petr Šabata 81d24c
+	if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
Petr Šabata 81d24c
 		return SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 	/* fetch signature */
Petr Šabata 81d24c
@@ -166,28 +173,36 @@ ssh_ecdsa_verify(const struct sshkey *key,
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
 	sig_r = sig_s = NULL; /* transferred */
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	if (sshbuf_len(sigbuf) != 0) {
Petr Šabata 81d24c
-		ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
Petr Šabata 81d24c
+	/* Figure out the length */
Petr Šabata 81d24c
+	if ((len = i2d_ECDSA_SIG(sig, NULL)) == 0) {
Petr Šabata 81d24c
+		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
+		goto out;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+	if ((sigb = malloc(len)) == NULL) {
Petr Šabata 81d24c
+		ret = SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
-	if ((ret = ssh_digest_memory(hash_alg, data, datalen,
Petr Šabata 81d24c
-	    digest, sizeof(digest))) != 0)
Petr Šabata 81d24c
+	psig = sigb;
Petr Šabata 81d24c
+	if ((len = i2d_ECDSA_SIG(sig, &psig)) == 0) {
Petr Šabata 81d24c
+		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) {
Petr Šabata 81d24c
-	case 1:
Petr Šabata 81d24c
-		ret = 0;
Petr Šabata 81d24c
-		break;
Petr Šabata 81d24c
-	case 0:
Petr Šabata 81d24c
-		ret = SSH_ERR_SIGNATURE_INVALID;
Petr Šabata 81d24c
+	if (sshbuf_len(sigbuf) != 0) {
Petr Šabata 81d24c
+		ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
-	default:
Petr Šabata 81d24c
-		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+	if ((pkey = EVP_PKEY_new()) == NULL ||
Petr Šabata 81d24c
+	    EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) {
Petr Šabata 81d24c
+		ret =  SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
+	ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, sigb, len);
Petr Šabata 81d24c
+	EVP_PKEY_free(pkey);
Petr Šabata 81d24c
 
Petr Šabata 81d24c
  out:
Petr Šabata 81d24c
-	explicit_bzero(digest, sizeof(digest));
Petr Šabata 81d24c
+	free(sigb);
Petr Šabata 81d24c
 	sshbuf_free(sigbuf);
Petr Šabata 81d24c
 	sshbuf_free(b);
Petr Šabata 81d24c
 	ECDSA_SIG_free(sig);
Petr Šabata 81d24c
diff --git a/ssh-rsa.c b/ssh-rsa.c
Petr Šabata 81d24c
index 9b14f9a9a..8ef3a6aca 100644
Petr Šabata 81d24c
--- a/ssh-rsa.c
Petr Šabata 81d24c
+++ b/ssh-rsa.c
Petr Šabata 81d24c
@@ -37,7 +37,7 @@
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 #include "openbsd-compat/openssl-compat.h"
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *);
Petr Šabata 81d24c
+static int openssh_RSA_verify(int, const u_char *, size_t, u_char *, size_t, EVP_PKEY *);
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 static const char *
Petr Šabata 81d24c
 rsa_hash_alg_ident(int hash_alg)
Petr Šabata 81d24c
@@ -90,21 +90,6 @@ rsa_hash_id_from_keyname(const char *alg)
Petr Šabata 81d24c
 	return -1;
Petr Šabata 81d24c
 }
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-static int
Petr Šabata 81d24c
-rsa_hash_alg_nid(int type)
Petr Šabata 81d24c
-{
Petr Šabata 81d24c
-	switch (type) {
Petr Šabata 81d24c
-	case SSH_DIGEST_SHA1:
Petr Šabata 81d24c
-		return NID_sha1;
Petr Šabata 81d24c
-	case SSH_DIGEST_SHA256:
Petr Šabata 81d24c
-		return NID_sha256;
Petr Šabata 81d24c
-	case SSH_DIGEST_SHA512:
Petr Šabata 81d24c
-		return NID_sha512;
Petr Šabata 81d24c
-	default:
Petr Šabata 81d24c
-		return -1;
Petr Šabata 81d24c
-	}
Petr Šabata 81d24c
-}
Petr Šabata 81d24c
-
Petr Šabata 81d24c
 int
Petr Šabata 81d24c
 ssh_rsa_complete_crt_parameters(struct sshkey *key, const BIGNUM *iqmp)
Petr Šabata 81d24c
 {
Petr Šabata 81d24c
@@ -164,11 +149,10 @@ int
Petr Šabata 81d24c
 ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
Petr Šabata 81d24c
     const u_char *data, size_t datalen, const char *alg_ident)
Petr Šabata 81d24c
 {
Petr Šabata 81d24c
-	const BIGNUM *rsa_n;
Petr Šabata 81d24c
-	u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
Petr Šabata 81d24c
-	size_t slen = 0;
Petr Šabata 81d24c
-	u_int dlen, len;
Petr Šabata 81d24c
-	int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
+	EVP_PKEY *pkey = NULL;
Petr Šabata 81d24c
+	u_char *sig = NULL;
Petr Šabata 81d24c
+	int len, slen = 0;
Petr Šabata 81d24c
+	int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
 	struct sshbuf *b = NULL;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 	if (lenp != NULL)
Petr Šabata 81d24c
@@ -180,33 +164,24 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
Petr Šabata 81d24c
 		hash_alg = SSH_DIGEST_SHA1;
Petr Šabata 81d24c
 	else
Petr Šabata 81d24c
 		hash_alg = rsa_hash_id_from_keyname(alg_ident);
Petr Šabata 81d24c
+
Petr Šabata 81d24c
 	if (key == NULL || key->rsa == NULL || hash_alg == -1 ||
Petr Šabata 81d24c
 	    sshkey_type_plain(key->type) != KEY_RSA)
Petr Šabata 81d24c
 		return SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
-	RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
Petr Šabata 81d24c
-	if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
Petr Šabata 81d24c
-		return SSH_ERR_KEY_LENGTH;
Petr Šabata 81d24c
 	slen = RSA_size(key->rsa);
Petr Šabata 81d24c
-	if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
Petr Šabata 81d24c
-		return SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
-
Petr Šabata 81d24c
-	/* hash the data */
Petr Šabata 81d24c
-	nid = rsa_hash_alg_nid(hash_alg);
Petr Šabata 81d24c
-	if ((dlen = ssh_digest_bytes(hash_alg)) == 0)
Petr Šabata 81d24c
-		return SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
-	if ((ret = ssh_digest_memory(hash_alg, data, datalen,
Petr Šabata 81d24c
-	    digest, sizeof(digest))) != 0)
Petr Šabata 81d24c
-		goto out;
Petr Šabata 81d24c
+	if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
Petr Šabata 81d24c
+		return SSH_ERR_KEY_LENGTH;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	if ((sig = malloc(slen)) == NULL) {
Petr Šabata 81d24c
-		ret = SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
+	if ((pkey = EVP_PKEY_new()) == NULL ||
Petr Šabata 81d24c
+	    EVP_PKEY_set1_RSA(pkey, key->rsa) != 1)
Petr Šabata 81d24c
+		return SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
+	ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data,
Petr Šabata 81d24c
+	    datalen);
Petr Šabata 81d24c
+	EVP_PKEY_free(pkey);
Petr Šabata 81d24c
+	if (ret < 0) {
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {
Petr Šabata 81d24c
-		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
-		goto out;
Petr Šabata 81d24c
-	}
Petr Šabata 81d24c
 	if (len < slen) {
Petr Šabata 81d24c
 		size_t diff = slen - len;
Petr Šabata 81d24c
 		memmove(sig + diff, sig, len);
Petr Šabata 81d24c
@@ -215,6 +190,7 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
Petr Šabata 81d24c
 		ret = SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
+
Petr Šabata 81d24c
 	/* encode signature */
Petr Šabata 81d24c
 	if ((b = sshbuf_new()) == NULL) {
Petr Šabata 81d24c
 		ret = SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
@@ -235,7 +211,6 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
Petr Šabata 81d24c
 		*lenp = len;
Petr Šabata 81d24c
 	ret = 0;
Petr Šabata 81d24c
  out:
Petr Šabata 81d24c
-	explicit_bzero(digest, sizeof(digest));
Petr Šabata 81d24c
 	freezero(sig, slen);
Petr Šabata 81d24c
 	sshbuf_free(b);
Petr Šabata 81d24c
 	return ret;
Petr Šabata 81d24c
@@ -246,10 +221,10 @@ ssh_rsa_verify(const struct sshkey *key,
Petr Šabata 81d24c
     const u_char *sig, size_t siglen, const u_char *data, size_t datalen,
Petr Šabata 81d24c
     const char *alg)
Petr Šabata 81d24c
 {
Petr Šabata 81d24c
-	const BIGNUM *rsa_n;
Petr Šabata 81d24c
+	EVP_PKEY *pkey = NULL;
Petr Šabata 81d24c
 	char *sigtype = NULL;
Petr Šabata 81d24c
 	int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
-	size_t len = 0, diff, modlen, dlen;
Petr Šabata 81d24c
+	size_t len = 0, diff, modlen;
Petr Šabata 81d24c
 	struct sshbuf *b = NULL;
Petr Šabata 81d24c
 	u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
@@ -257,8 +232,7 @@ ssh_rsa_verify(const struct sshkey *key,
Petr Šabata 81d24c
 	    sshkey_type_plain(key->type) != KEY_RSA ||
Petr Šabata 81d24c
 	    sig == NULL || siglen == 0)
Petr Šabata 81d24c
 		return SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
-	RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
Petr Šabata 81d24c
-	if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
Petr Šabata 81d24c
+	if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
Petr Šabata 81d24c
 		return SSH_ERR_KEY_LENGTH;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 	if ((b = sshbuf_from(sig, siglen)) == NULL)
Petr Šabata 81d24c
@@ -310,16 +284,15 @@ ssh_rsa_verify(const struct sshkey *key,
Petr Šabata 81d24c
 		explicit_bzero(sigblob, diff);
Petr Šabata 81d24c
 		len = modlen;
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
-	if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
Petr Šabata 81d24c
-		ret = SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+	if ((pkey = EVP_PKEY_new()) == NULL ||
Petr Šabata 81d24c
+	    EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) {
Petr Šabata 81d24c
+		ret = SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
 		goto out;
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
-	if ((ret = ssh_digest_memory(hash_alg, data, datalen,
Petr Šabata 81d24c
-	    digest, sizeof(digest))) != 0)
Petr Šabata 81d24c
-		goto out;
Petr Šabata 81d24c
+	ret = openssh_RSA_verify(hash_alg, data, datalen, sigblob, len, pkey);
Petr Šabata 81d24c
+	EVP_PKEY_free(pkey);
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-	ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len,
Petr Šabata 81d24c
-	    key->rsa);
Petr Šabata 81d24c
  out:
Petr Šabata 81d24c
 	freezero(sigblob, len);
Petr Šabata 81d24c
 	free(sigtype);
Petr Šabata 81d24c
@@ -328,122 +301,26 @@ ssh_rsa_verify(const struct sshkey *key,
Petr Šabata 81d24c
 	return ret;
Petr Šabata 81d24c
 }
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-/*
Petr Šabata 81d24c
- * See:
Petr Šabata 81d24c
- * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
Petr Šabata 81d24c
- * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
Petr Šabata 81d24c
- */
Petr Šabata 81d24c
-
Petr Šabata 81d24c
-/*
Petr Šabata 81d24c
- * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
Petr Šabata 81d24c
- *	oiw(14) secsig(3) algorithms(2) 26 }
Petr Šabata 81d24c
- */
Petr Šabata 81d24c
-static const u_char id_sha1[] = {
Petr Šabata 81d24c
-	0x30, 0x21, /* type Sequence, length 0x21 (33) */
Petr Šabata 81d24c
-	0x30, 0x09, /* type Sequence, length 0x09 */
Petr Šabata 81d24c
-	0x06, 0x05, /* type OID, length 0x05 */
Petr Šabata 81d24c
-	0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
Petr Šabata 81d24c
-	0x05, 0x00, /* NULL */
Petr Šabata 81d24c
-	0x04, 0x14  /* Octet string, length 0x14 (20), followed by sha1 hash */
Petr Šabata 81d24c
-};
Petr Šabata 81d24c
-
Petr Šabata 81d24c
-/*
Petr Šabata 81d24c
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
Petr Šabata 81d24c
- * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
Petr Šabata 81d24c
- *      organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
Petr Šabata 81d24c
- *      id-sha256(1) }
Petr Šabata 81d24c
- */
Petr Šabata 81d24c
-static const u_char id_sha256[] = {
Petr Šabata 81d24c
-	0x30, 0x31, /* type Sequence, length 0x31 (49) */
Petr Šabata 81d24c
-	0x30, 0x0d, /* type Sequence, length 0x0d (13) */
Petr Šabata 81d24c
-	0x06, 0x09, /* type OID, length 0x09 */
Petr Šabata 81d24c
-	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */
Petr Šabata 81d24c
-	0x05, 0x00, /* NULL */
Petr Šabata 81d24c
-	0x04, 0x20  /* Octet string, length 0x20 (32), followed by sha256 hash */
Petr Šabata 81d24c
-};
Petr Šabata 81d24c
-
Petr Šabata 81d24c
-/*
Petr Šabata 81d24c
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
Petr Šabata 81d24c
- * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
Petr Šabata 81d24c
- *      organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
Petr Šabata 81d24c
- *      id-sha256(3) }
Petr Šabata 81d24c
- */
Petr Šabata 81d24c
-static const u_char id_sha512[] = {
Petr Šabata 81d24c
-	0x30, 0x51, /* type Sequence, length 0x51 (81) */
Petr Šabata 81d24c
-	0x30, 0x0d, /* type Sequence, length 0x0d (13) */
Petr Šabata 81d24c
-	0x06, 0x09, /* type OID, length 0x09 */
Petr Šabata 81d24c
-	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */
Petr Šabata 81d24c
-	0x05, 0x00, /* NULL */
Petr Šabata 81d24c
-	0x04, 0x40  /* Octet string, length 0x40 (64), followed by sha512 hash */
Petr Šabata 81d24c
-};
Petr Šabata 81d24c
-
Petr Šabata 81d24c
 static int
Petr Šabata 81d24c
-rsa_hash_alg_oid(int hash_alg, const u_char **oidp, size_t *oidlenp)
Petr Šabata 81d24c
+openssh_RSA_verify(int hash_alg, const u_char *data, size_t datalen,
Petr Šabata 81d24c
+    u_char *sigbuf, size_t siglen, EVP_PKEY *pkey)
Petr Šabata 81d24c
 {
Petr Šabata 81d24c
-	switch (hash_alg) {
Petr Šabata 81d24c
-	case SSH_DIGEST_SHA1:
Petr Šabata 81d24c
-		*oidp = id_sha1;
Petr Šabata 81d24c
-		*oidlenp = sizeof(id_sha1);
Petr Šabata 81d24c
-		break;
Petr Šabata 81d24c
-	case SSH_DIGEST_SHA256:
Petr Šabata 81d24c
-		*oidp = id_sha256;
Petr Šabata 81d24c
-		*oidlenp = sizeof(id_sha256);
Petr Šabata 81d24c
-		break;
Petr Šabata 81d24c
-	case SSH_DIGEST_SHA512:
Petr Šabata 81d24c
-		*oidp = id_sha512;
Petr Šabata 81d24c
-		*oidlenp = sizeof(id_sha512);
Petr Šabata 81d24c
-		break;
Petr Šabata 81d24c
-	default:
Petr Šabata 81d24c
-		return SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
-	}
Petr Šabata 81d24c
-	return 0;
Petr Šabata 81d24c
-}
Petr Šabata 81d24c
+	size_t rsasize = 0;
Petr Šabata 81d24c
+	const RSA *rsa;
Petr Šabata 81d24c
+	int ret;
Petr Šabata 81d24c
 
Petr Šabata 81d24c
-static int
Petr Šabata 81d24c
-openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen,
Petr Šabata 81d24c
-    u_char *sigbuf, size_t siglen, RSA *rsa)
Petr Šabata 81d24c
-{
Petr Šabata 81d24c
-	size_t rsasize = 0, oidlen = 0, hlen = 0;
Petr Šabata 81d24c
-	int ret, len, oidmatch, hashmatch;
Petr Šabata 81d24c
-	const u_char *oid = NULL;
Petr Šabata 81d24c
-	u_char *decrypted = NULL;
Petr Šabata 81d24c
-
Petr Šabata 81d24c
-	if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0)
Petr Šabata 81d24c
-		return ret;
Petr Šabata 81d24c
-	ret = SSH_ERR_INTERNAL_ERROR;
Petr Šabata 81d24c
-	hlen = ssh_digest_bytes(hash_alg);
Petr Šabata 81d24c
-	if (hashlen != hlen) {
Petr Šabata 81d24c
-		ret = SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
-		goto done;
Petr Šabata 81d24c
-	}
Petr Šabata 81d24c
+	rsa = EVP_PKEY_get0_RSA(pkey);
Petr Šabata 81d24c
 	rsasize = RSA_size(rsa);
Petr Šabata 81d24c
 	if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||
Petr Šabata 81d24c
 	    siglen == 0 || siglen > rsasize) {
Petr Šabata 81d24c
 		ret = SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
 		goto done;
Petr Šabata 81d24c
 	}
Petr Šabata 81d24c
-	if ((decrypted = malloc(rsasize)) == NULL) {
Petr Šabata 81d24c
-		ret = SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
-		goto done;
Petr Šabata 81d24c
-	}
Petr Šabata 81d24c
-	if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
Petr Šabata 81d24c
-	    RSA_PKCS1_PADDING)) < 0) {
Petr Šabata 81d24c
-		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
-		goto done;
Petr Šabata 81d24c
-	}
Petr Šabata 81d24c
-	if (len < 0 || (size_t)len != hlen + oidlen) {
Petr Šabata 81d24c
-		ret = SSH_ERR_INVALID_FORMAT;
Petr Šabata 81d24c
-		goto done;
Petr Šabata 81d24c
-	}
Petr Šabata 81d24c
-	oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0;
Petr Šabata 81d24c
-	hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0;
Petr Šabata 81d24c
-	if (!oidmatch || !hashmatch) {
Petr Šabata 81d24c
-		ret = SSH_ERR_SIGNATURE_INVALID;
Petr Šabata 81d24c
-		goto done;
Petr Šabata 81d24c
-	}
Petr Šabata 81d24c
-	ret = 0;
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+	ret = sshkey_verify_signature(pkey, hash_alg, data, datalen,
Petr Šabata 81d24c
+	    sigbuf, siglen);
Petr Šabata 81d24c
+
Petr Šabata 81d24c
 done:
Petr Šabata 81d24c
-	freezero(decrypted, rsasize);
Petr Šabata 81d24c
 	return ret;
Petr Šabata 81d24c
 }
Petr Šabata 81d24c
 #endif /* WITH_OPENSSL */
Petr Šabata 81d24c
diff --git a/sshkey.c b/sshkey.c
Petr Šabata 81d24c
index ad1957762..b95ed0b10 100644
Petr Šabata 81d24c
--- a/sshkey.c
Petr Šabata 81d24c
+++ b/sshkey.c
Petr Šabata 81d24c
@@ -358,6 +358,83 @@ sshkey_type_plain(int type)
Petr Šabata 81d24c
 }
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 #ifdef WITH_OPENSSL
Petr Šabata 81d24c
+int
Petr Šabata 81d24c
+sshkey_calculate_signature(EVP_PKEY *pkey, int hash_alg, u_char **sigp,
Petr Šabata 81d24c
+    int *lenp, const u_char *data, size_t datalen)
Petr Šabata 81d24c
+{
Petr Šabata 81d24c
+	EVP_MD_CTX *ctx = NULL;
Petr Šabata 81d24c
+	u_char *sig = NULL;
Petr Šabata 81d24c
+	int ret, slen, len;
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+	if (sigp == NULL || lenp == NULL) {
Petr Šabata 81d24c
+		return SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+	slen = EVP_PKEY_size(pkey);
Petr Šabata 81d24c
+	if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
Petr Šabata 81d24c
+		return SSH_ERR_INVALID_ARGUMENT;
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+	len = slen;
Petr Šabata 81d24c
+	if ((sig = malloc(slen)) == NULL) {
Petr Šabata 81d24c
+		return SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+	if ((ctx = EVP_MD_CTX_new()) == NULL) {
Petr Šabata 81d24c
+		ret = SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
+		goto error;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+	if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
Petr Šabata 81d24c
+	    EVP_SignUpdate(ctx, data, datalen) <= 0 ||
Petr Šabata 81d24c
+	    EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
Petr Šabata 81d24c
+		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
+		goto error;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+	*sigp = sig;
Petr Šabata 81d24c
+	*lenp = len;
Petr Šabata 81d24c
+	/* Now owned by the caller */
Petr Šabata 81d24c
+	sig = NULL;
Petr Šabata 81d24c
+	ret = 0;
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+error:
Petr Šabata 81d24c
+	EVP_MD_CTX_free(ctx);
Petr Šabata 81d24c
+	free(sig);
Petr Šabata 81d24c
+	return ret;
Petr Šabata 81d24c
+}
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+int
Petr Šabata 81d24c
+sshkey_verify_signature(EVP_PKEY *pkey, int hash_alg, const u_char *data,
Petr Šabata 81d24c
+    size_t datalen, u_char *sigbuf, int siglen)
Petr Šabata 81d24c
+{
Petr Šabata 81d24c
+	EVP_MD_CTX *ctx = NULL;
Petr Šabata 81d24c
+	int ret;
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+	if ((ctx = EVP_MD_CTX_new()) == NULL) {
Petr Šabata 81d24c
+		return SSH_ERR_ALLOC_FAIL;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+	if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
Petr Šabata 81d24c
+	    EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
Petr Šabata 81d24c
+		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
+		goto done;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+	ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
Petr Šabata 81d24c
+	switch (ret) {
Petr Šabata 81d24c
+	case 1:
Petr Šabata 81d24c
+		ret = 0;
Petr Šabata 81d24c
+		break;
Petr Šabata 81d24c
+	case 0:
Petr Šabata 81d24c
+		ret = SSH_ERR_SIGNATURE_INVALID;
Petr Šabata 81d24c
+		break;
Petr Šabata 81d24c
+	default:
Petr Šabata 81d24c
+		ret = SSH_ERR_LIBCRYPTO_ERROR;
Petr Šabata 81d24c
+		break;
Petr Šabata 81d24c
+	}
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+done:
Petr Šabata 81d24c
+	EVP_MD_CTX_free(ctx);
Petr Šabata 81d24c
+	return ret;
Petr Šabata 81d24c
+}
Petr Šabata 81d24c
+
Petr Šabata 81d24c
 /* XXX: these are really begging for a table-driven approach */
Petr Šabata 81d24c
 int
Petr Šabata 81d24c
 sshkey_curve_name_to_nid(const char *name)
Petr Šabata 81d24c
diff --git a/sshkey.h b/sshkey.h
Petr Šabata 81d24c
index a91e60436..270901a87 100644
Petr Šabata 81d24c
--- a/sshkey.h
Petr Šabata 81d24c
+++ b/sshkey.h
Petr Šabata 81d24c
@@ -179,6 +179,10 @@ const char	*sshkey_ssh_name(const struct sshkey *);
Petr Šabata 81d24c
 const char	*sshkey_ssh_name_plain(const struct sshkey *);
Petr Šabata 81d24c
 int		 sshkey_names_valid2(const char *, int);
Petr Šabata 81d24c
 char		*sshkey_alg_list(int, int, int, char);
Petr Šabata 81d24c
+int		 sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
Petr Šabata 81d24c
+    int *, const u_char *, size_t);
Petr Šabata 81d24c
+int		 sshkey_verify_signature(EVP_PKEY *, int, const u_char *,
Petr Šabata 81d24c
+    size_t, u_char *, int);
Petr Šabata 81d24c
 
Petr Šabata 81d24c
 int	 sshkey_from_blob(const u_char *, size_t, struct sshkey **);
Petr Šabata 81d24c
 int	 sshkey_fromb(struct sshbuf *, struct sshkey **);
Petr Šabata 81d24c