tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: use KEM API for vanilla ECDH 

from markus@ ok djm@

OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
This commit is contained in:
djm@openbsd.org 2019-01-21 10:29:56 +00:00 committed by Damien Miller
parent b72357217c
commit 92dda34e37
12 changed files with 194 additions and 453 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Makefile.in
View File

@ -98,8 +98,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexgexc.o kexecdhc.o \
kexgexs.o kexecdhs.o \
kexgexc.o kexgexs.o \
sntrup4591761.o kexsntrup4591761x25519.o kexkemc.o kexkems.o \
platform-pledge.o platform-tracing.o platform-misc.o

12
kex.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kex.h,v 1.101 2019/01/21 10:28:01 djm Exp $ */
/* $OpenBSD: kex.h,v 1.102 2019/01/21 10:29:56 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -216,6 +216,11 @@ int kex_dh_enc(struct kex *, const u_char *, size_t, struct sshbuf **,
struct sshbuf **);
int kex_dh_dec(struct kex *, const u_char *, size_t, struct sshbuf **);
int kex_ecdh_keypair(struct kex *);
int kex_ecdh_enc(struct kex *, const u_char *, size_t, struct sshbuf **,
struct sshbuf **);
int kex_ecdh_dec(struct kex *, const u_char *, size_t, struct sshbuf **);
int kex_c25519_keypair(struct kex *);
int kex_c25519_enc(struct kex *, const u_char *, size_t, struct sshbuf **,
struct sshbuf **);
@ -237,11 +242,6 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
const BIGNUM *, const u_char *, size_t,
u_char *, size_t *);
int kex_ecdh_hash(int, const EC_GROUP *,
const struct sshbuf *, const struct sshbuf *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char *, size_t *);
int kex_c25519_hash(int, const struct sshbuf *, const struct sshbuf *,
const u_char *, size_t, const u_char *, size_t,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,

215
kexecdh.c
View File

@ -1,7 +1,7 @@
/* $OpenBSD: kexecdh.c,v 1.7 2018/12/27 03:25:25 djm Exp $ */
/* $OpenBSD: kexecdh.c,v 1.8 2019/01/21 10:29:56 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
* Copyright (c) 2019 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -30,71 +30,184 @@
#include <sys/types.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include "ssh2.h"
#include "sshkey.h"
#include "cipher.h"
#include "kex.h"
#include "sshbuf.h"
#include "digest.h"
#include "ssherr.h"
static int
kex_ecdh_dec_key_group(struct kex *, const u_char *, size_t, EC_KEY *key,
const EC_GROUP *, struct sshbuf **);
int
kex_ecdh_hash(
int hash_alg,
const EC_GROUP *ec_group,
const struct sshbuf *client_version,
const struct sshbuf *server_version,
const u_char *ckexinit, size_t ckexinitlen,
const u_char *skexinit, size_t skexinitlen,
const u_char *serverhostkeyblob, size_t sbloblen,
const EC_POINT *client_dh_pub,
const EC_POINT *server_dh_pub,
const BIGNUM *shared_secret,
u_char *hash, size_t *hashlen)
kex_ecdh_keypair(struct kex *kex)
{
struct sshbuf *b;
EC_KEY *client_key = NULL;
const EC_GROUP *group;
const EC_POINT *public_key;
struct sshbuf *buf = NULL;
int r;
if (*hashlen < ssh_digest_bytes(hash_alg))
return SSH_ERR_INVALID_ARGUMENT;
if ((b = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshbuf_put_stringb(b, client_version)) < 0 ||
(r = sshbuf_put_stringb(b, server_version)) < 0 ||
/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
(r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
(r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||
(r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
(r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||
(r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
(r = sshbuf_put_ec(b, client_dh_pub, ec_group)) != 0 ||
(r = sshbuf_put_ec(b, server_dh_pub, ec_group)) != 0 ||
(r = sshbuf_put_bignum2(b, shared_secret)) != 0) {
sshbuf_free(b);
return r;
if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
#ifdef DEBUG_KEX
sshbuf_dump(b, stderr);
#endif
if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
sshbuf_free(b);
return SSH_ERR_LIBCRYPTO_ERROR;
if (EC_KEY_generate_key(client_key) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
sshbuf_free(b);
*hashlen = ssh_digest_bytes(hash_alg);
#ifdef DEBUG_KEX
dump_digest("hash", hash, *hashlen);
group = EC_KEY_get0_group(client_key);
public_key = EC_KEY_get0_public_key(client_key);
if ((buf = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_put_ec(buf, public_key, group)) != 0 ||
(r = sshbuf_get_u32(buf, NULL)) != 0)
goto out;
#ifdef DEBUG_KEXECDH
fputs("client private key:\n", stderr);
sshkey_dump_ec_key(client_key);
#endif
return 0;
kex->ec_client_key = client_key;
kex->ec_group = group;
client_key = NULL; /* owned by the kex */
kex->kem_client_pub = buf;
buf = NULL;
out:
EC_KEY_free(client_key);
sshbuf_free(buf);
return r;
}
int
kex_ecdh_enc(struct kex *kex, const u_char *pkblob, size_t pklen,
struct sshbuf **server_blobp, struct sshbuf **shared_secretp)
{
const EC_GROUP *group;
const EC_POINT *pub_key;
EC_KEY *server_key = NULL;
struct sshbuf *server_blob = NULL;
int r;
*server_blobp = NULL;
*shared_secretp = NULL;
if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (EC_KEY_generate_key(server_key) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
group = EC_KEY_get0_group(server_key);
#ifdef DEBUG_KEXECDH
fputs("server private key:\n", stderr);
sshkey_dump_ec_key(server_key);
#endif
pub_key = EC_KEY_get0_public_key(server_key);
if ((server_blob = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_put_ec(server_blob, pub_key, group)) != 0 ||
(r = sshbuf_get_u32(server_blob, NULL)) != 0)
goto out;
if ((r = kex_ecdh_dec_key_group(kex, pkblob, pklen, server_key, group,
shared_secretp)) != 0)
goto out;
*server_blobp = server_blob;
server_blob = NULL;
out:
EC_KEY_free(server_key);
sshbuf_free(server_blob);
return r;
}
static int
kex_ecdh_dec_key_group(struct kex *kex, const u_char *pkblob, size_t pklen,
EC_KEY *key, const EC_GROUP *group, struct sshbuf **shared_secretp)
{
struct sshbuf *buf = NULL;
BIGNUM *shared_secret = NULL;
EC_POINT *dh_pub = NULL;
u_char *kbuf = NULL;
size_t klen = 0;
int r;
*shared_secretp = NULL;
if ((buf = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_put_u32(buf, pklen)) != 0 ||
(r = sshbuf_put(buf, pkblob, pklen)) != 0) {
goto out;
}
if ((dh_pub = EC_POINT_new(group)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_get_ec(buf, dh_pub, group)) != 0) {
goto out;
}
sshbuf_reset(buf);
#ifdef DEBUG_KEXECDH
fputs("public key:\n", stderr);
sshkey_dump_ec_point(group, dh_pub);
#endif
if (sshkey_ec_validate_public(group, dh_pub) != 0) {
r = SSH_ERR_MESSAGE_INCOMPLETE;
goto out;
}
klen = (EC_GROUP_get_degree(group) + 7) / 8;
if ((kbuf = malloc(klen)) == NULL ||
(shared_secret = BN_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (ECDH_compute_key(kbuf, klen, dh_pub, key, NULL) != (int)klen ||
BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
if ((r = sshbuf_put_bignum2(buf, shared_secret)) != 0)
goto out;
*shared_secretp = buf;
buf = NULL;
out:
EC_POINT_clear_free(dh_pub);
BN_clear_free(shared_secret);
freezero(kbuf, klen);
sshbuf_free(buf);
return r;
}
int
kex_ecdh_dec(struct kex *kex, const u_char *pkblob, size_t pklen,
struct sshbuf **shared_secretp)
{
int r;
r = kex_ecdh_dec_key_group(kex, pkblob, pklen, kex->ec_client_key,
kex->ec_group, shared_secretp);
EC_KEY_free(kex->ec_client_key);
kex->ec_client_key = NULL;
return r;
}
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */

199
kexecdhc.c
View File

@ -1,199 +0,0 @@
/* $OpenBSD: kexecdhc.c,v 1.16 2019/01/21 10:07:22 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
#include <sys/types.h>
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <openssl/ecdh.h>
#include "sshkey.h"
#include "cipher.h"
#include "digest.h"
#include "kex.h"
#include "log.h"
#include "packet.h"
#include "dh.h"
#include "ssh2.h"
#include "dispatch.h"
#include "compat.h"
#include "ssherr.h"
#include "sshbuf.h"
static int input_kex_ecdh_reply(int, u_int32_t, struct ssh *);
int
kexecdh_client(struct ssh *ssh)
{
struct kex *kex = ssh->kex;
EC_KEY *client_key = NULL;
const EC_GROUP *group;
const EC_POINT *public_key;
int r;
if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (EC_KEY_generate_key(client_key) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
group = EC_KEY_get0_group(client_key);
public_key = EC_KEY_get0_public_key(client_key);
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_INIT)) != 0 ||
(r = sshpkt_put_ec(ssh, public_key, group)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
goto out;
debug("sending SSH2_MSG_KEX_ECDH_INIT");
#ifdef DEBUG_KEXECDH
fputs("client private key:\n", stderr);
sshkey_dump_ec_key(client_key);
#endif
kex->ec_client_key = client_key;
kex->ec_group = group;
client_key = NULL; /* owned by the kex */
debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &input_kex_ecdh_reply);
r = 0;
out:
EC_KEY_free(client_key);
return r;
}
static int
input_kex_ecdh_reply(int type, u_int32_t seq, struct ssh *ssh)
{
struct kex *kex = ssh->kex;
const EC_GROUP *group;
EC_POINT *server_public = NULL;
EC_KEY *client_key;
BIGNUM *shared_secret = NULL;
struct sshkey *server_host_key = NULL;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf = NULL;
u_char hash[SSH_DIGEST_MAX_LENGTH];
size_t slen, sbloblen;
size_t klen = 0, hashlen;
int r;
group = kex->ec_group;
client_key = kex->ec_client_key;
/* hostkey */
if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
&sbloblen)) != 0 ||
(r = sshkey_from_blob(server_host_key_blob, sbloblen,
&server_host_key)) != 0)
goto out;
if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
goto out;
/* Q_S, server public key */
/* signed H */
if ((server_public = EC_POINT_new(group)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshpkt_get_ec(ssh, server_public, group)) != 0 ||
(r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
#ifdef DEBUG_KEXECDH
fputs("server public key:\n", stderr);
sshkey_dump_ec_point(group, server_public);
#endif
if (sshkey_ec_validate_public(group, server_public) != 0) {
sshpkt_disconnect(ssh, "invalid server public key");
r = SSH_ERR_MESSAGE_INCOMPLETE;
goto out;
}
klen = (EC_GROUP_get_degree(group) + 7) / 8;
if ((kbuf = malloc(klen)) == NULL ||
(shared_secret = BN_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (ECDH_compute_key(kbuf, klen, server_public,
client_key, NULL) != (int)klen ||
BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
/* calc and verify H */
hashlen = sizeof(hash);
if ((r = kex_ecdh_hash(
kex->hash_alg,
group,
kex->client_version,
kex->server_version,
sshbuf_ptr(kex->my), sshbuf_len(kex->my),
sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
server_host_key_blob, sbloblen,
EC_KEY_get0_public_key(client_key),
server_public,
shared_secret,
hash, &hashlen)) != 0)
goto out;
if ((r = sshkey_verify(server_host_key, signature, slen, hash,
hashlen, kex->hostkey_alg, ssh->compat)) != 0)
goto out;
if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
r = kex_send_newkeys(ssh);
out:
explicit_bzero(hash, sizeof(hash));
EC_KEY_free(kex->ec_client_key);
kex->ec_client_key = NULL;
EC_POINT_clear_free(server_public);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
BN_clear_free(shared_secret);
sshkey_free(server_host_key);
free(server_host_key_blob);
free(signature);
return r;
}
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */

182
kexecdhs.c
View File

@ -1,182 +0,0 @@
/* $OpenBSD: kexecdhs.c,v 1.21 2019/01/21 10:05:09 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
#include <sys/types.h>
#include <string.h>
#include <signal.h>
#include <openssl/ecdh.h>
#include "sshkey.h"
#include "cipher.h"
#include "digest.h"
#include "kex.h"
#include "log.h"
#include "packet.h"
#include "ssh2.h"
#include "dispatch.h"
#include "compat.h"
#include "ssherr.h"
#include "sshbuf.h"
static int input_kex_ecdh_init(int, u_int32_t, struct ssh *);
int
kexecdh_server(struct ssh *ssh)
{
debug("expecting SSH2_MSG_KEX_ECDH_INIT");
ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_INIT, &input_kex_ecdh_init);
return 0;
}
static int
input_kex_ecdh_init(int type, u_int32_t seq, struct ssh *ssh)
{
struct kex *kex = ssh->kex;
EC_POINT *client_public;
EC_KEY *server_key = NULL;
const EC_GROUP *group;
const EC_POINT *public_key;
BIGNUM *shared_secret = NULL;
struct sshkey *server_host_private, *server_host_public;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf = NULL;
u_char hash[SSH_DIGEST_MAX_LENGTH];
size_t slen, sbloblen;
size_t klen = 0, hashlen;
int r;
if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (EC_KEY_generate_key(server_key) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
group = EC_KEY_get0_group(server_key);
#ifdef DEBUG_KEXECDH
fputs("server private key:\n", stderr);
sshkey_dump_ec_key(server_key);
#endif
if ((r = kex_load_hostkey(ssh, &server_host_private,
&server_host_public)) != 0)
goto out;
if ((client_public = EC_POINT_new(group)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshpkt_get_ec(ssh, client_public, group)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
#ifdef DEBUG_KEXECDH
fputs("client public key:\n", stderr);
sshkey_dump_ec_point(group, client_public);
#endif
if (sshkey_ec_validate_public(group, client_public) != 0) {
sshpkt_disconnect(ssh, "invalid client public key");
r = SSH_ERR_MESSAGE_INCOMPLETE;
goto out;
}
/* Calculate shared_secret */
klen = (EC_GROUP_get_degree(group) + 7) / 8;
if ((kbuf = malloc(klen)) == NULL ||
(shared_secret = BN_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (ECDH_compute_key(kbuf, klen, client_public,
server_key, NULL) != (int)klen ||
BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
/* calc H */
if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
&sbloblen)) != 0)
goto out;
hashlen = sizeof(hash);
if ((r = kex_ecdh_hash(
kex->hash_alg,
group,
kex->client_version,
kex->server_version,
sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
sshbuf_ptr(kex->my), sshbuf_len(kex->my),
server_host_key_blob, sbloblen,
client_public,
EC_KEY_get0_public_key(server_key),
shared_secret,
hash, &hashlen)) != 0)
goto out;
/* sign H */
if ((r = kex->sign(ssh, server_host_private, server_host_public,
&signature, &slen, hash, hashlen, kex->hostkey_alg)) < 0)
goto out;
/* destroy_sensitive_data(); */
public_key = EC_KEY_get0_public_key(server_key);
/* send server hostkey, ECDH pubkey 'Q_S' and signed H */
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_REPLY)) != 0 ||
(r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
(r = sshpkt_put_ec(ssh, public_key, group)) != 0 ||
(r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
goto out;
if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
r = kex_send_newkeys(ssh);
out:
explicit_bzero(hash, sizeof(hash));
EC_KEY_free(kex->ec_client_key);
kex->ec_client_key = NULL;
EC_KEY_free(server_key);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
BN_clear_free(shared_secret);
free(server_host_key_blob);
free(signature);
return r;
}
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */

8
kexkemc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kexkemc.c,v 1.3 2019/01/21 10:28:02 djm Exp $ */
/* $OpenBSD: kexkemc.c,v 1.4 2019/01/21 10:29:56 djm Exp $ */
/*
* Copyright (c) 2019 Markus Friedl. All rights reserved.
*
@ -55,6 +55,9 @@ kex_kem_client(struct ssh *ssh)
case KEX_DH_GRP18_SHA512:
r = kex_dh_keypair(kex);
break;
case KEX_ECDH_SHA2:
r = kex_ecdh_keypair(kex);
break;
case KEX_C25519_SHA256:
r = kex_c25519_keypair(kex);
break;
@ -113,6 +116,9 @@ input_kex_kem_reply(int type, u_int32_t seq, struct ssh *ssh)
case KEX_DH_GRP18_SHA512:
r = kex_dh_dec(kex, server_pubkey, pklen, &shared_secret);
break;
case KEX_ECDH_SHA2:
r = kex_ecdh_dec(kex, server_pubkey, pklen, &shared_secret);
break;
case KEX_C25519_SHA256:
r = kex_c25519_dec(kex, server_pubkey, pklen, &shared_secret);
break;

6
kexkems.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kexkems.c,v 1.3 2019/01/21 10:28:02 djm Exp $ */
/* $OpenBSD: kexkems.c,v 1.4 2019/01/21 10:29:56 djm Exp $ */
/*
* Copyright (c) 2019 Markus Friedl. All rights reserved.
*
@ -77,6 +77,10 @@ input_kex_kem_init(int type, u_int32_t seq, struct ssh *ssh)
r = kex_dh_enc(kex, client_pubkey, pklen, &server_pubkey,
&shared_secret);
break;
case KEX_ECDH_SHA2:
r = kex_ecdh_enc(kex, client_pubkey, pklen, &server_pubkey,
&shared_secret);
break;
case KEX_C25519_SHA256:
r = kex_c25519_enc(kex, client_pubkey, pklen, &server_pubkey,
&shared_secret);

4
monitor.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.195 2019/01/21 10:28:02 djm Exp $ */
/* $OpenBSD: monitor.c,v 1.196 2019/01/21 10:29:56 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -1685,7 +1685,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
# ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
kex->kex[KEX_ECDH_SHA2] = kex_kem_server;
# endif
#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kex_kem_server;

4
ssh-keyscan.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keyscan.c,v 1.123 2019/01/21 10:28:02 djm Exp $ */
/* $OpenBSD: ssh-keyscan.c,v 1.124 2019/01/21 10:29:56 djm Exp $ */
/*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
*
@ -268,7 +268,7 @@ keygrab_ssh2(con *c)
c->c_ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
c->c_ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
# ifdef OPENSSL_HAS_ECC
c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kex_kem_client;
# endif
#endif
c->c_ssh->kex->kex[KEX_C25519_SHA256] = kex_kem_client;

6
ssh_api.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh_api.c,v 1.13 2019/01/21 10:28:02 djm Exp $ */
/* $OpenBSD: ssh_api.c,v 1.14 2019/01/21 10:29:56 djm Exp $ */
/*
* Copyright (c) 2012 Markus Friedl. All rights reserved.
*
@ -107,7 +107,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
# ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
ssh->kex->kex[KEX_ECDH_SHA2] = kex_kem_server;
# endif
#endif /* WITH_OPENSSL */
ssh->kex->kex[KEX_C25519_SHA256] = kex_kem_server;
@ -125,7 +125,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
# ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
ssh->kex->kex[KEX_ECDH_SHA2] = kex_kem_client;
# endif
#endif /* WITH_OPENSSL */
ssh->kex->kex[KEX_C25519_SHA256] = kex_kem_client;

4
sshconnect2.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect2.c,v 1.299 2019/01/21 10:28:02 djm Exp $ */
/* $OpenBSD: sshconnect2.c,v 1.300 2019/01/21 10:29:56 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@ -209,7 +209,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
# ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
ssh->kex->kex[KEX_ECDH_SHA2] = kex_kem_client;
# endif
#endif
ssh->kex->kex[KEX_C25519_SHA256] = kex_kem_client;

4
sshd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.530 2019/01/21 10:28:02 djm Exp $ */
/* $OpenBSD: sshd.c,v 1.531 2019/01/21 10:29:56 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2215,7 +2215,7 @@ do_ssh2_kex(struct ssh *ssh)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
# ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
kex->kex[KEX_ECDH_SHA2] = kex_kem_server;
# endif
#endif
kex->kex[KEX_C25519_SHA256] = kex_kem_server;