From 5bc1a586896c3cd766a412eed06cee66c4e7d685 Mon Sep 17 00:00:00 2001
From: dkulwin
Date: Fri, 8 Jan 2016 13:42:08 -0600
Subject: [PATCH] Add CNG KEX hooks

Add conditional hooks to use CNG for KEX. Switches based upon USE_MSCNG define
---
 sshconnect2.c | 13 +++++++++++++
 sshd.c | 13 +++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/sshconnect2.c b/sshconnect2.c
index c153b2b..d7ede03 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -76,6 +76,12 @@
 #include "ssh-gss.h"
 #endif
 
+#ifdef USE_MSCNG
+/* CNG KEX imports */
+int cng_kexgex_client(struct ssh *ssh);
+int cng_kexdh_client(struct ssh *ssh);
+#endif
+
 /* import */
 extern char *client_version_string;
 extern char *server_version_string;
@@ -212,10 +218,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 fatal("kex_setup: %s", ssh_err(r));
 kex = active_state->kex;
 #ifdef WITH_OPENSSL
+#ifdef USE_MSCNG
+ kex->kex[KEX_DH_GRP1_SHA1] = cng_kexdh_client;
+ kex->kex[KEX_DH_GRP14_SHA1] = cng_kexdh_client;
+ kex->kex[KEX_DH_GEX_SHA1] = cng_kexgex_client;
+ kex->kex[KEX_DH_GEX_SHA256] = cng_kexgex_client;
+#else
 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
+#endif
 # ifdef OPENSSL_HAS_ECC
 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
 # endif
diff --git a/sshd.c b/sshd.c
index 074e089..1075a2b 100644
--- a/sshd.c
+++ b/sshd.c
@@ -145,6 +145,12 @@
 #define O_NOCTTY 0
 #endif
 
+#ifdef USE_MSCNG
+ /* CNG KEX imports */
+int cng_kexgex_server(struct ssh *ssh);
+int cng_kexdh_server(struct ssh *ssh);
+#endif
+
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
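Review bot: The `cng_kexgex_client`/`cng_kexdh_client` prototypes are declared ad hoc in sshconnect2.c rather than in kex.h next to the existing `kexdh_client`/`kexgex_client` declarations, so nothing guarantees these prototypes match the definitions in the CNG translation unit; a mismatch would only show up when the handler is invoked at runtime. The sshd.c hunk at `@@ -145,6 +145,12 @@` does the same for `cng_kexgex_server`/`cng_kexdh_server`, and its `/* CNG KEX imports */` comment is indented by one space unlike the one here. Declaring both pairs once in kex.h under `#ifdef USE_MSCNG` (or in a CNG header included from both files) removes the duplication and lets the compiler check the signatures. If the declarations stay in the .c files, at least make the two blocks identical in layout.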
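Review bot: The new `#ifdef USE_MSCNG` branch in `ssh_kex2` is nested inside `#ifdef WITH_OPENSSL`, so the CNG handlers are installed only when the build also has OpenSSL, and `KEX_ECDH_SHA2` still goes to the OpenSSL-backed `kexecdh_client` either way; if USE_MSCNG is meant to allow a build without OpenSSL, the DH slots would then be left unset, and the branch should precede the WITH_OPENSSL check instead. If the nesting is deliberate, a one-line comment such as `/* CNG replaces only the DH/DH-GEX handlers; ECDH still uses OpenSSL */` would stop the next reader from guessing. The handlers being replaced also carry the peer public-value and group sanity checks (the `dh_pub_is_valid` path in the OpenSSL implementation), so the CNG replacements must provide equivalent validation — this hunk cannot show whether they do, and that should be confirmed before the switch is enabled by default. The sshd.c `do_ssh2_kex` hunk has the same nesting and the same caveat for the server-side handlers. `ssh_kex2` continues outside the hunk.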
@@ -3379,10 +3385,17 @@ do_ssh2_kex(void)
 fatal("kex_setup: %s", ssh_err(r));
 kex = active_state->kex;
 #ifdef WITH_OPENSSL
+#ifdef USE_MSCNG
+ kex->kex[KEX_DH_GRP1_SHA1] = cng_kexdh_server;
+ kex->kex[KEX_DH_GRP14_SHA1] = cng_kexdh_server;
+ kex->kex[KEX_DH_GEX_SHA1] = cng_kexgex_server;
+ kex->kex[KEX_DH_GEX_SHA256] = cng_kexgex_server;
+#else
 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#endif
 # ifdef OPENSSL_HAS_ECC
 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
 # endif