[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 3/3] ecdh: Implement ECDH using libgcrypt
[Thread Prev] | [Thread Next]
[Date Prev] | [Date Next]
- Subject: [PATCH 3/3] ecdh: Implement ECDH using libgcrypt
- From: Justus Winter <justus@xxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Wed, 30 Mar 2016 11:53:26 +0200
- To: libssh@xxxxxxxxxx
- Cc: Justus Winter <justus@xxxxxxxxxxx>
* include/libssh/crypto.h (struct ssh_crypto_struct): Provide a
suitable 'ecdh_privkey'.
* include/libssh/ecdh.h: Also define 'HAVE_ECDH' if we do ECC using
libgcrypt.
(ecdh_build_k): New prototype.
* src/CMakeLists.txt (libssh_SRCS): Add backend-specific files.
* src/ecdh.c: Move backend-specific parts to...
* src/ecdh_crypto.c: ... this file.
* src/ecdh_gcrypt.c: New file.
* src/wrapper.c (crypto_free): Free 'ecdh_privkey'.
Signed-off-by: Justus Winter <justus@xxxxxxxxxxx>
---
include/libssh/crypto.h | 4 +
include/libssh/ecdh.h | 10 +-
src/CMakeLists.txt | 2 +
src/ecdh.c | 265 ----------------------------------------
src/ecdh_crypto.c | 298 +++++++++++++++++++++++++++++++++++++++++++++
src/ecdh_gcrypt.c | 314 ++++++++++++++++++++++++++++++++++++++++++++++++
src/wrapper.c | 4 +
7 files changed, 631 insertions(+), 266 deletions(-)
create mode 100644 src/ecdh_crypto.c
create mode 100644 src/ecdh_gcrypt.c
diff --git a/include/libssh/crypto.h b/include/libssh/crypto.h
index e370c74..102c8d7 100644
--- a/include/libssh/crypto.h
+++ b/include/libssh/crypto.h
@@ -76,7 +76,11 @@ enum ssh_cipher_e {
struct ssh_crypto_struct {
bignum e,f,x,k,y;
#ifdef HAVE_ECDH
+#ifdef HAVE_OPENSSL_ECC
EC_KEY *ecdh_privkey;
+#elif defined HAVE_GCRYPT_ECC
+ gcry_sexp_t ecdh_privkey;
+#endif
ssh_string ecdh_client_pubkey;
ssh_string ecdh_server_pubkey;
#endif
diff --git a/include/libssh/ecdh.h b/include/libssh/ecdh.h
index 8d1e751..9f94d69 100644
--- a/include/libssh/ecdh.h
+++ b/include/libssh/ecdh.h
@@ -33,9 +33,17 @@
#endif /* HAVE_OPENSSL_ECDH_H */
#endif /* HAVE_LIBCRYPTO */
-int ssh_client_ecdh_init(ssh_session session);
+#ifdef HAVE_GCRYPT_ECC
+#define HAVE_ECDH 1
+#endif
+
+/* Common functions. */
int ssh_client_ecdh_reply(ssh_session session, ssh_buffer packet);
+/* Backend-specific functions. */
+int ssh_client_ecdh_init(ssh_session session);
+int ecdh_build_k(ssh_session session);
+
#ifdef WITH_SERVER
int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet);
#endif /* WITH_SERVER */
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 1012ddf..3699f23 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -158,11 +158,13 @@ if (WITH_GCRYPT)
libgcrypt.c
gcrypt_missing.c
pki_gcrypt.c
+ ecdh_gcrypt.c
)
else (WITH_GCRYPT)
set(libssh_SRCS
${libssh_SRCS}
pki_crypto.c
+ ecdh_crypto.c
)
endif (WITH_GCRYPT)
diff --git a/src/ecdh.c b/src/ecdh.c
index 4dbb7b5..ada7b18 100644
--- a/src/ecdh.c
+++ b/src/ecdh.c
@@ -29,149 +29,11 @@
#include "libssh/bignum.h"
#ifdef HAVE_ECDH
-#include <openssl/ecdh.h>
-
-#define NISTP256 NID_X9_62_prime256v1
-#define NISTP384 NID_secp384r1
-#define NISTP521 NID_secp521r1
-
-/** @internal
- * @brief Starts ecdh-sha2-nistp256 key exchange
- */
-int ssh_client_ecdh_init(ssh_session session){
- EC_KEY *key;
- const EC_GROUP *group;
- const EC_POINT *pubkey;
- ssh_string client_pubkey;
- int len;
- int rc;
- bignum_CTX ctx = BN_CTX_new();
-
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT);
- if (rc < 0) {
- BN_CTX_free(ctx);
- return SSH_ERROR;
- }
-
- key = EC_KEY_new_by_curve_name(NISTP256);
- if (key == NULL) {
- BN_CTX_free(ctx);
- return SSH_ERROR;
- }
- group = EC_KEY_get0_group(key);
-
- EC_KEY_generate_key(key);
-
- pubkey=EC_KEY_get0_public_key(key);
- len = EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
- NULL,0,ctx);
-
- client_pubkey = ssh_string_new(len);
- if (client_pubkey == NULL) {
- BN_CTX_free(ctx);
- EC_KEY_free(key);
- return SSH_ERROR;
- }
-
- EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
- ssh_string_data(client_pubkey),len,ctx);
- BN_CTX_free(ctx);
-
- rc = ssh_buffer_add_ssh_string(session->out_buffer,client_pubkey);
- if (rc < 0) {
- EC_KEY_free(key);
- ssh_string_free(client_pubkey);
- return SSH_ERROR;
- }
-
- session->next_crypto->ecdh_privkey = key;
- session->next_crypto->ecdh_client_pubkey = client_pubkey;
-
- rc = ssh_packet_send(session);
-
- return rc;
-}
static void ecdh_import_pubkey(ssh_session session, ssh_string pubkey_string) {
session->next_crypto->server_pubkey = pubkey_string;
}
-static int ecdh_build_k(ssh_session session) {
- const EC_GROUP *group = EC_KEY_get0_group(session->next_crypto->ecdh_privkey);
- EC_POINT *pubkey;
- void *buffer;
- int rc;
- int len = (EC_GROUP_get_degree(group) + 7) / 8;
- bignum_CTX ctx = bignum_ctx_new();
- if (ctx == NULL) {
- return -1;
- }
-
- session->next_crypto->k = bignum_new();
- if (session->next_crypto->k == NULL) {
- bignum_ctx_free(ctx);
- return -1;
- }
-
- pubkey = EC_POINT_new(group);
- if (pubkey == NULL) {
- bignum_ctx_free(ctx);
- return -1;
- }
-
- if (session->server) {
- rc = EC_POINT_oct2point(group,
- pubkey,
- ssh_string_data(session->next_crypto->ecdh_client_pubkey),
- ssh_string_len(session->next_crypto->ecdh_client_pubkey),
- ctx);
- } else {
- rc = EC_POINT_oct2point(group,
- pubkey,
- ssh_string_data(session->next_crypto->ecdh_server_pubkey),
- ssh_string_len(session->next_crypto->ecdh_server_pubkey),
- ctx);
- }
- bignum_ctx_free(ctx);
- if (rc <= 0) {
- EC_POINT_clear_free(pubkey);
- return -1;
- }
-
- buffer = malloc(len);
- if (buffer == NULL) {
- EC_POINT_clear_free(pubkey);
- return -1;
- }
-
- rc = ECDH_compute_key(buffer,
- len,
- pubkey,
- session->next_crypto->ecdh_privkey,
- NULL);
- EC_POINT_clear_free(pubkey);
- if (rc <= 0) {
- free(buffer);
- return -1;
- }
-
- bignum_bin2bn(buffer, len, session->next_crypto->k);
- free(buffer);
-
- EC_KEY_free(session->next_crypto->ecdh_privkey);
- session->next_crypto->ecdh_privkey = NULL;
-
-#ifdef DEBUG_CRYPTO
- ssh_print_hexa("Session server cookie",
- session->next_crypto->server_kex.cookie, 16);
- ssh_print_hexa("Session client cookie",
- session->next_crypto->client_kex.cookie, 16);
- ssh_print_bignum("Shared secret key", session->next_crypto->k);
-#endif
-
- return 0;
-}
-
/** @internal
* @brief parses a SSH_MSG_KEX_ECDH_REPLY packet and sends back
* a SSH_MSG_NEWKEYS
@@ -219,131 +81,4 @@ error:
return SSH_ERROR;
}
-#ifdef WITH_SERVER
-
-/** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a
- * SSH_MSG_KEXDH_REPLY
- */
-
-int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){
- /* ECDH keys */
- ssh_string q_c_string;
- ssh_string q_s_string;
- EC_KEY *ecdh_key;
- const EC_GROUP *group;
- const EC_POINT *ecdh_pubkey;
- bignum_CTX ctx;
- /* SSH host keys (rsa,dsa,ecdsa) */
- ssh_key privkey;
- ssh_string sig_blob = NULL;
- int len;
- int rc;
-
- /* Extract the client pubkey from the init packet */
- q_c_string = ssh_buffer_get_ssh_string(packet);
- if (q_c_string == NULL) {
- ssh_set_error(session,SSH_FATAL, "No Q_C ECC point in packet");
- return SSH_ERROR;
- }
- session->next_crypto->ecdh_client_pubkey = q_c_string;
-
- /* Build server's keypair */
-
- ctx = BN_CTX_new();
- ecdh_key = EC_KEY_new_by_curve_name(NISTP256);
- if (ecdh_key == NULL) {
- ssh_set_error_oom(session);
- BN_CTX_free(ctx);
- return SSH_ERROR;
- }
-
- group = EC_KEY_get0_group(ecdh_key);
- EC_KEY_generate_key(ecdh_key);
-
- ecdh_pubkey = EC_KEY_get0_public_key(ecdh_key);
- len = EC_POINT_point2oct(group,
- ecdh_pubkey,
- POINT_CONVERSION_UNCOMPRESSED,
- NULL,
- 0,
- ctx);
-
- q_s_string = ssh_string_new(len);
- if (q_s_string == NULL) {
- EC_KEY_free(ecdh_key);
- BN_CTX_free(ctx);
- return SSH_ERROR;
- }
-
- EC_POINT_point2oct(group,
- ecdh_pubkey,
- POINT_CONVERSION_UNCOMPRESSED,
- ssh_string_data(q_s_string),
- len,
- ctx);
- BN_CTX_free(ctx);
-
- session->next_crypto->ecdh_privkey = ecdh_key;
- session->next_crypto->ecdh_server_pubkey = q_s_string;
-
- /* build k and session_id */
- rc = ecdh_build_k(session);
- if (rc < 0) {
- ssh_set_error(session, SSH_FATAL, "Cannot build k number");
- return SSH_ERROR;
- }
-
- /* privkey is not allocated */
- rc = ssh_get_key_params(session, &privkey);
- if (rc == SSH_ERROR) {
- return SSH_ERROR;
- }
-
- rc = ssh_make_sessionid(session);
- if (rc != SSH_OK) {
- ssh_set_error(session, SSH_FATAL, "Could not create a session id");
- return SSH_ERROR;
- }
-
- sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey);
- if (sig_blob == NULL) {
- ssh_set_error(session, SSH_FATAL, "Could not sign the session id");
- return SSH_ERROR;
- }
-
- rc = ssh_buffer_pack(session->out_buffer,
- "bSSS",
- SSH2_MSG_KEXDH_REPLY,
- session->next_crypto->server_pubkey, /* host's pubkey */
- q_s_string, /* ecdh public key */
- sig_blob); /* signature blob */
-
- ssh_string_free(sig_blob);
-
- if (rc != SSH_OK) {
- ssh_set_error_oom(session);
- return SSH_ERROR;
- }
-
- SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent");
- rc = ssh_packet_send(session);
- if (rc == SSH_ERROR) {
- return SSH_ERROR;
- }
-
- /* Send the MSG_NEWKEYS */
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
- if (rc < 0) {
- return SSH_ERROR;;
- }
-
- session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
- rc = ssh_packet_send(session);
- SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
-
- return rc;
-}
-
-#endif /* WITH_SERVER */
-
#endif /* HAVE_ECDH */
diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
new file mode 100644
index 0000000..e774e56
--- /dev/null
+++ b/src/ecdh_crypto.c
@@ -0,0 +1,298 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2011-2013 by Aris Adamantiadis
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "config.h"
+#include "libssh/session.h"
+#include "libssh/ecdh.h"
+#include "libssh/dh.h"
+#include "libssh/buffer.h"
+#include "libssh/ssh2.h"
+#include "libssh/pki.h"
+#include "libssh/bignum.h"
+
+#ifdef HAVE_ECDH
+#include <openssl/ecdh.h>
+
+#define NISTP256 NID_X9_62_prime256v1
+#define NISTP384 NID_secp384r1
+#define NISTP521 NID_secp521r1
+
+/** @internal
+ * @brief Starts ecdh-sha2-nistp256 key exchange
+ */
+int ssh_client_ecdh_init(ssh_session session){
+ EC_KEY *key;
+ const EC_GROUP *group;
+ const EC_POINT *pubkey;
+ ssh_string client_pubkey;
+ int len;
+ int rc;
+ bignum_CTX ctx = BN_CTX_new();
+
+ rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT);
+ if (rc < 0) {
+ BN_CTX_free(ctx);
+ return SSH_ERROR;
+ }
+
+ key = EC_KEY_new_by_curve_name(NISTP256);
+ if (key == NULL) {
+ BN_CTX_free(ctx);
+ return SSH_ERROR;
+ }
+ group = EC_KEY_get0_group(key);
+
+ EC_KEY_generate_key(key);
+
+ pubkey=EC_KEY_get0_public_key(key);
+ len = EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
+ NULL,0,ctx);
+
+ client_pubkey = ssh_string_new(len);
+ if (client_pubkey == NULL) {
+ BN_CTX_free(ctx);
+ EC_KEY_free(key);
+ return SSH_ERROR;
+ }
+
+ EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
+ ssh_string_data(client_pubkey),len,ctx);
+ BN_CTX_free(ctx);
+
+ rc = ssh_buffer_add_ssh_string(session->out_buffer,client_pubkey);
+ if (rc < 0) {
+ EC_KEY_free(key);
+ ssh_string_free(client_pubkey);
+ return SSH_ERROR;
+ }
+
+ session->next_crypto->ecdh_privkey = key;
+ session->next_crypto->ecdh_client_pubkey = client_pubkey;
+
+ rc = ssh_packet_send(session);
+
+ return rc;
+}
+
+int ecdh_build_k(ssh_session session) {
+ const EC_GROUP *group = EC_KEY_get0_group(session->next_crypto->ecdh_privkey);
+ EC_POINT *pubkey;
+ void *buffer;
+ int rc;
+ int len = (EC_GROUP_get_degree(group) + 7) / 8;
+ bignum_CTX ctx = bignum_ctx_new();
+ if (ctx == NULL) {
+ return -1;
+ }
+
+ session->next_crypto->k = bignum_new();
+ if (session->next_crypto->k == NULL) {
+ bignum_ctx_free(ctx);
+ return -1;
+ }
+
+ pubkey = EC_POINT_new(group);
+ if (pubkey == NULL) {
+ bignum_ctx_free(ctx);
+ return -1;
+ }
+
+ if (session->server) {
+ rc = EC_POINT_oct2point(group,
+ pubkey,
+ ssh_string_data(session->next_crypto->ecdh_client_pubkey),
+ ssh_string_len(session->next_crypto->ecdh_client_pubkey),
+ ctx);
+ } else {
+ rc = EC_POINT_oct2point(group,
+ pubkey,
+ ssh_string_data(session->next_crypto->ecdh_server_pubkey),
+ ssh_string_len(session->next_crypto->ecdh_server_pubkey),
+ ctx);
+ }
+ bignum_ctx_free(ctx);
+ if (rc <= 0) {
+ EC_POINT_clear_free(pubkey);
+ return -1;
+ }
+
+ buffer = malloc(len);
+ if (buffer == NULL) {
+ EC_POINT_clear_free(pubkey);
+ return -1;
+ }
+
+ rc = ECDH_compute_key(buffer,
+ len,
+ pubkey,
+ session->next_crypto->ecdh_privkey,
+ NULL);
+ EC_POINT_clear_free(pubkey);
+ if (rc <= 0) {
+ free(buffer);
+ return -1;
+ }
+
+ bignum_bin2bn(buffer, len, session->next_crypto->k);
+ free(buffer);
+
+ EC_KEY_free(session->next_crypto->ecdh_privkey);
+ session->next_crypto->ecdh_privkey = NULL;
+
+#ifdef DEBUG_CRYPTO
+ ssh_print_hexa("Session server cookie",
+ session->next_crypto->server_kex.cookie, 16);
+ ssh_print_hexa("Session client cookie",
+ session->next_crypto->client_kex.cookie, 16);
+ ssh_print_bignum("Shared secret key", session->next_crypto->k);
+#endif
+
+ return 0;
+}
+
+#ifdef WITH_SERVER
+
+/** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a
+ * SSH_MSG_KEXDH_REPLY
+ */
+
+int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){
+ /* ECDH keys */
+ ssh_string q_c_string;
+ ssh_string q_s_string;
+ EC_KEY *ecdh_key;
+ const EC_GROUP *group;
+ const EC_POINT *ecdh_pubkey;
+ bignum_CTX ctx;
+ /* SSH host keys (rsa,dsa,ecdsa) */
+ ssh_key privkey;
+ ssh_string sig_blob = NULL;
+ int len;
+ int rc;
+
+ /* Extract the client pubkey from the init packet */
+ q_c_string = ssh_buffer_get_ssh_string(packet);
+ if (q_c_string == NULL) {
+ ssh_set_error(session,SSH_FATAL, "No Q_C ECC point in packet");
+ return SSH_ERROR;
+ }
+ session->next_crypto->ecdh_client_pubkey = q_c_string;
+
+ /* Build server's keypair */
+
+ ctx = BN_CTX_new();
+ ecdh_key = EC_KEY_new_by_curve_name(NISTP256);
+ if (ecdh_key == NULL) {
+ ssh_set_error_oom(session);
+ BN_CTX_free(ctx);
+ return SSH_ERROR;
+ }
+
+ group = EC_KEY_get0_group(ecdh_key);
+ EC_KEY_generate_key(ecdh_key);
+
+ ecdh_pubkey = EC_KEY_get0_public_key(ecdh_key);
+ len = EC_POINT_point2oct(group,
+ ecdh_pubkey,
+ POINT_CONVERSION_UNCOMPRESSED,
+ NULL,
+ 0,
+ ctx);
+
+ q_s_string = ssh_string_new(len);
+ if (q_s_string == NULL) {
+ EC_KEY_free(ecdh_key);
+ BN_CTX_free(ctx);
+ return SSH_ERROR;
+ }
+
+ EC_POINT_point2oct(group,
+ ecdh_pubkey,
+ POINT_CONVERSION_UNCOMPRESSED,
+ ssh_string_data(q_s_string),
+ len,
+ ctx);
+ BN_CTX_free(ctx);
+
+ session->next_crypto->ecdh_privkey = ecdh_key;
+ session->next_crypto->ecdh_server_pubkey = q_s_string;
+
+ /* build k and session_id */
+ rc = ecdh_build_k(session);
+ if (rc < 0) {
+ ssh_set_error(session, SSH_FATAL, "Cannot build k number");
+ return SSH_ERROR;
+ }
+
+ /* privkey is not allocated */
+ rc = ssh_get_key_params(session, &privkey);
+ if (rc == SSH_ERROR) {
+ return SSH_ERROR;
+ }
+
+ rc = ssh_make_sessionid(session);
+ if (rc != SSH_OK) {
+ ssh_set_error(session, SSH_FATAL, "Could not create a session id");
+ return SSH_ERROR;
+ }
+
+ sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey);
+ if (sig_blob == NULL) {
+ ssh_set_error(session, SSH_FATAL, "Could not sign the session id");
+ return SSH_ERROR;
+ }
+
+ rc = ssh_buffer_pack(session->out_buffer,
+ "bSSS",
+ SSH2_MSG_KEXDH_REPLY,
+ session->next_crypto->server_pubkey, /* host's pubkey */
+ q_s_string, /* ecdh public key */
+ sig_blob); /* signature blob */
+
+ ssh_string_free(sig_blob);
+
+ if (rc != SSH_OK) {
+ ssh_set_error_oom(session);
+ return SSH_ERROR;
+ }
+
+ SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent");
+ rc = ssh_packet_send(session);
+ if (rc == SSH_ERROR) {
+ return SSH_ERROR;
+ }
+
+ /* Send the MSG_NEWKEYS */
+ rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+ if (rc < 0) {
+ return SSH_ERROR;;
+ }
+
+ session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+ rc = ssh_packet_send(session);
+ SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
+
+ return rc;
+}
+
+#endif /* WITH_SERVER */
+
+#endif /* HAVE_ECDH */
diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
new file mode 100644
index 0000000..c011815
--- /dev/null
+++ b/src/ecdh_gcrypt.c
@@ -0,0 +1,314 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2011-2013 by Aris Adamantiadis
+ * Copyright (C) 2016 g10 Code GmbH
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "config.h"
+#include "libssh/session.h"
+#include "libssh/ecdh.h"
+#include "libssh/dh.h"
+#include "libssh/buffer.h"
+#include "libssh/ssh2.h"
+#include "libssh/pki.h"
+#include "libssh/bignum.h"
+#include "libssh/libgcrypt.h"
+
+#ifdef HAVE_ECDH
+#include <gcrypt.h>
+
+/** @internal
+ * @brief Starts ecdh-sha2-nistp256 key exchange
+ */
+int ssh_client_ecdh_init(ssh_session session) {
+ int rc;
+ gpg_error_t err;
+ ssh_string client_pubkey = NULL;
+ gcry_sexp_t param = NULL;
+ gcry_sexp_t key = NULL;
+
+ rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT);
+ if (rc < 0) {
+ rc = SSH_ERROR;
+ goto out;
+ }
+
+ err = gcry_sexp_build(¶m, NULL, "(genkey(ecdh(curve %s)))",
+ "NIST P-256");
+ if (err) {
+ rc = SSH_ERROR;
+ goto out;
+ }
+
+ err = gcry_pk_genkey(&key, param);
+ if (err) {
+ rc = SSH_ERROR;
+ goto out;
+ }
+
+ client_pubkey = ssh_sexp_extract_mpi(key, "q", GCRYMPI_FMT_USG,
+ GCRYMPI_FMT_STD);
+ if (client_pubkey == NULL) {
+ rc = SSH_ERROR;
+ goto out;
+ }
+
+ rc = ssh_buffer_add_ssh_string(session->out_buffer, client_pubkey);
+ if (rc < 0) {
+ rc = SSH_ERROR;
+ goto out;
+ }
+
+ session->next_crypto->ecdh_privkey = key;
+ key = NULL;
+ session->next_crypto->ecdh_client_pubkey = client_pubkey;
+ client_pubkey = NULL;
+
+ rc = ssh_packet_send(session);
+
+ out:
+ gcry_sexp_release(param);
+ gcry_sexp_release(key);
+ ssh_string_free(client_pubkey);
+ return rc;
+}
+
+int ecdh_build_k(ssh_session session) {
+ gpg_error_t err;
+ gcry_sexp_t data = NULL;
+ gcry_sexp_t result = NULL;
+ /* We need to get the x coordinate. Libgcrypt 1.7 and above
+ offers a suitable API for that. */
+#if (GCRYPT_VERSION_NUMBER >= 0x010700)
+ gcry_mpi_t s = NULL;
+ gcry_mpi_point_t point;
+#else
+ ssh_string s;
+#endif
+ ssh_string pubkey_raw;
+ gcry_sexp_t pubkey = NULL;
+ ssh_string privkey = NULL;
+ int rc = SSH_ERROR;
+
+ pubkey_raw = session->server
+ ? session->next_crypto->ecdh_client_pubkey
+ : session->next_crypto->ecdh_server_pubkey;
+
+ err = gcry_sexp_build(&pubkey, NULL,
+ "(key-data(public-key(ecdh(curve %s)(q %b))))",
+ "NIST P-256",
+ ssh_string_len(pubkey_raw),
+ ssh_string_data(pubkey_raw));
+ if (err) {
+ goto out;
+ }
+
+ privkey = ssh_sexp_extract_mpi(session->next_crypto->ecdh_privkey,
+ "d", GCRYMPI_FMT_USG, GCRYMPI_FMT_STD);
+ if (privkey == NULL) {
+ goto out;
+ }
+
+ err = gcry_sexp_build(&data, NULL,
+ "(data(flags raw)(value %b))",
+ ssh_string_len(privkey),
+ ssh_string_data(privkey));
+ if (err) {
+ goto out;
+ }
+
+ err = gcry_pk_encrypt(&result, data, pubkey);
+ if (err) {
+ goto out;
+ }
+
+#if (GCRYPT_VERSION_NUMBER >= 0x010700)
+ err = gcry_sexp_extract_param(result, "", "s", &s, NULL);
+ if (err) {
+ goto out;
+ }
+
+ point = gcry_mpi_point_new(0);
+ if (point == NULL) {
+ gcry_mpi_release(s);
+ goto out;
+ }
+
+ err = gcry_mpi_ec_decode_point(point, s, NULL);
+ gcry_mpi_release(s);
+ if (err) {
+ goto out;
+ }
+
+ session->next_crypto->k = gcry_mpi_new(0);
+ gcry_mpi_point_snatch_get(session->next_crypto->k, NULL, NULL, point);
+#else
+ s = ssh_sexp_extract_mpi(result, "s", GCRYMPI_FMT_USG, GCRYMPI_FMT_USG);
+ if (s == NULL) {
+ goto out;
+ }
+
+ if (ssh_string_len(s) != 65) {
+ ssh_string_burn(s);
+ ssh_string_free(s);
+ goto out;
+ }
+
+ err = gcry_mpi_scan(&session->next_crypto->k, GCRYMPI_FMT_USG,
+ (const char *) ssh_string_data(s) + 1, 32, NULL);
+ ssh_string_burn(s);
+ ssh_string_free(s);
+ if (err) {
+ goto out;
+ }
+#endif
+
+ rc = SSH_OK;
+ gcry_sexp_release(session->next_crypto->ecdh_privkey);
+ session->next_crypto->ecdh_privkey = NULL;
+
+#ifdef DEBUG_CRYPTO
+ ssh_print_hexa("Session server cookie",
+ session->next_crypto->server_kex.cookie, 16);
+ ssh_print_hexa("Session client cookie",
+ session->next_crypto->client_kex.cookie, 16);
+ ssh_print_bignum("Shared secret key", session->next_crypto->k);
+#endif
+
+ out:
+ gcry_sexp_release(pubkey);
+ gcry_sexp_release(data);
+ gcry_sexp_release(result);
+ ssh_string_burn(privkey);
+ ssh_string_free(privkey);
+ return rc;
+}
+
+#ifdef WITH_SERVER
+
+/** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a
+ * SSH_MSG_KEXDH_REPLY
+ */
+int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet) {
+ gpg_error_t err;
+ /* ECDH keys */
+ ssh_string q_c_string;
+ ssh_string q_s_string;
+ gcry_sexp_t param = NULL;
+ gcry_sexp_t key = NULL;
+ /* SSH host keys (rsa,dsa,ecdsa) */
+ ssh_key privkey;
+ ssh_string sig_blob = NULL;
+ int rc = SSH_ERROR;
+
+ /* Extract the client pubkey from the init packet */
+ q_c_string = ssh_buffer_get_ssh_string(packet);
+ if (q_c_string == NULL) {
+ ssh_set_error(session, SSH_FATAL, "No Q_C ECC point in packet");
+ goto out;
+ }
+ session->next_crypto->ecdh_client_pubkey = q_c_string;
+
+ /* Build server's keypair */
+ err = gcry_sexp_build(¶m, NULL, "(genkey(ecdh(curve %s)))",
+ "NIST P-256");
+ if (err) {
+ goto out;
+ }
+
+ err = gcry_pk_genkey(&key, param);
+ if (err)
+ goto out;
+
+ q_s_string = ssh_sexp_extract_mpi(key, "q", GCRYMPI_FMT_USG,
+ GCRYMPI_FMT_STD);
+ if (q_s_string == NULL) {
+ goto out;
+ }
+
+ session->next_crypto->ecdh_privkey = key;
+ key = NULL;
+ session->next_crypto->ecdh_server_pubkey = q_s_string;
+
+ /* build k and session_id */
+ rc = ecdh_build_k(session);
+ if (rc != SSH_OK) {
+ ssh_set_error(session, SSH_FATAL, "Cannot build k number");
+ goto out;
+ }
+
+ /* privkey is not allocated */
+ rc = ssh_get_key_params(session, &privkey);
+ if (rc != SSH_OK) {
+ goto out;
+ }
+
+ rc = ssh_make_sessionid(session);
+ if (rc != SSH_OK) {
+ ssh_set_error(session, SSH_FATAL, "Could not create a session id");
+ goto out;
+ }
+
+ sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey);
+ if (sig_blob == NULL) {
+ ssh_set_error(session, SSH_FATAL, "Could not sign the session id");
+ rc = SSH_ERROR;
+ goto out;
+ }
+
+ rc = ssh_buffer_pack(session->out_buffer,
+ "bSSS",
+ SSH2_MSG_KEXDH_REPLY,
+ session->next_crypto->server_pubkey, /* host's pubkey */
+ q_s_string, /* ecdh public key */
+ sig_blob); /* signature blob */
+
+ ssh_string_free(sig_blob);
+
+ if (rc != SSH_OK) {
+ ssh_set_error_oom(session);
+ goto out;
+ }
+
+ SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent");
+ rc = ssh_packet_send(session);
+ if (rc != SSH_OK) {
+ goto out;
+ }
+
+
+ /* Send the MSG_NEWKEYS */
+ rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+ if (rc != SSH_OK) {
+ goto out;
+ }
+
+ session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+ rc = ssh_packet_send(session);
+ SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
+
+ out:
+ gcry_sexp_release(param);
+ gcry_sexp_release(key);
+ return rc;
+}
+
+#endif /* WITH_SERVER */
+
+#endif /* HAVE_ECDH */
diff --git a/src/wrapper.c b/src/wrapper.c
index 7686937..bb7660d 100644
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -161,7 +161,11 @@ void crypto_free(struct ssh_crypto_struct *crypto){
SAFE_FREE(crypto->ecdh_client_pubkey);
SAFE_FREE(crypto->ecdh_server_pubkey);
if(crypto->ecdh_privkey != NULL){
+#ifdef HAVE_OPENSSL_ECC
EC_KEY_free(crypto->ecdh_privkey);
+#elif defined HAVE_GCRYPT_ECC
+ gcry_sexp_release(crypto->ecdh_privkey);
+#endif
crypto->ecdh_privkey = NULL;
}
#endif
--
2.1.4
| [PATCH 1/3] pki_gcrypt: Add primitive to read ASN.1 bit strings | Justus Winter <justus@xxxxxxxxxxx> |