[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 5/5] ecdh: Implement ECDH using libgcrypt
[Thread Prev] | [Thread Next]
- Subject: [PATCH 5/5] ecdh: Implement ECDH using libgcrypt
- From: Justus Winter <justus@xxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Mon, 2 May 2016 16:00:26 +0200
- To: libssh@xxxxxxxxxx
- Cc: Justus Winter <justus@xxxxxxxxxxx>
* include/libssh/crypto.h (struct ssh_crypto_struct): Provide a suitable 'ecdh_privkey'. * include/libssh/ecdh.h: Also define 'HAVE_ECDH' if we do ECC using libgcrypt. (ecdh_build_k): New prototype. * src/CMakeLists.txt (libssh_SRCS): Add backend-specific files. * src/ecdh.c: Move backend-specific parts to... * src/ecdh_crypto.c: ... this file. * src/ecdh_gcrypt.c: New file. * src/wrapper.c (crypto_free): Free 'ecdh_privkey'. Signed-off-by: Justus Winter <justus@xxxxxxxxxxx> --- include/libssh/crypto.h | 4 + include/libssh/ecdh.h | 10 +- src/CMakeLists.txt | 2 + src/ecdh.c | 265 ---------------------------------------- src/ecdh_crypto.c | 298 +++++++++++++++++++++++++++++++++++++++++++++ src/ecdh_gcrypt.c | 314 ++++++++++++++++++++++++++++++++++++++++++++++++ src/wrapper.c | 4 + 7 files changed, 631 insertions(+), 266 deletions(-) create mode 100644 src/ecdh_crypto.c create mode 100644 src/ecdh_gcrypt.c diff --git a/include/libssh/crypto.h b/include/libssh/crypto.h index e370c74..102c8d7 100644 --- a/include/libssh/crypto.h +++ b/include/libssh/crypto.h @@ -76,7 +76,11 @@ enum ssh_cipher_e { struct ssh_crypto_struct { bignum e,f,x,k,y; #ifdef HAVE_ECDH +#ifdef HAVE_OPENSSL_ECC EC_KEY *ecdh_privkey; +#elif defined HAVE_GCRYPT_ECC + gcry_sexp_t ecdh_privkey; +#endif ssh_string ecdh_client_pubkey; ssh_string ecdh_server_pubkey; #endif diff --git a/include/libssh/ecdh.h b/include/libssh/ecdh.h index 8d1e751..9f94d69 100644 --- a/include/libssh/ecdh.h +++ b/include/libssh/ecdh.h @@ -33,9 +33,17 @@ #endif /* HAVE_OPENSSL_ECDH_H */ #endif /* HAVE_LIBCRYPTO */ -int ssh_client_ecdh_init(ssh_session session); +#ifdef HAVE_GCRYPT_ECC +#define HAVE_ECDH 1 +#endif + +/* Common functions. */ int ssh_client_ecdh_reply(ssh_session session, ssh_buffer packet); +/* Backend-specific functions. */ +int ssh_client_ecdh_init(ssh_session session); +int ecdh_build_k(ssh_session session); + #ifdef WITH_SERVER int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet); #endif /* WITH_SERVER */ diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 1012ddf..3699f23 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -158,11 +158,13 @@ if (WITH_GCRYPT) libgcrypt.c gcrypt_missing.c pki_gcrypt.c + ecdh_gcrypt.c ) else (WITH_GCRYPT) set(libssh_SRCS ${libssh_SRCS} pki_crypto.c + ecdh_crypto.c ) endif (WITH_GCRYPT) diff --git a/src/ecdh.c b/src/ecdh.c index 4dbb7b5..ada7b18 100644 --- a/src/ecdh.c +++ b/src/ecdh.c @@ -29,149 +29,11 @@ #include "libssh/bignum.h" #ifdef HAVE_ECDH -#include <openssl/ecdh.h> - -#define NISTP256 NID_X9_62_prime256v1 -#define NISTP384 NID_secp384r1 -#define NISTP521 NID_secp521r1 - -/** @internal - * @brief Starts ecdh-sha2-nistp256 key exchange - */ -int ssh_client_ecdh_init(ssh_session session){ - EC_KEY *key; - const EC_GROUP *group; - const EC_POINT *pubkey; - ssh_string client_pubkey; - int len; - int rc; - bignum_CTX ctx = BN_CTX_new(); - - rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT); - if (rc < 0) { - BN_CTX_free(ctx); - return SSH_ERROR; - } - - key = EC_KEY_new_by_curve_name(NISTP256); - if (key == NULL) { - BN_CTX_free(ctx); - return SSH_ERROR; - } - group = EC_KEY_get0_group(key); - - EC_KEY_generate_key(key); - - pubkey=EC_KEY_get0_public_key(key); - len = EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED, - NULL,0,ctx); - - client_pubkey = ssh_string_new(len); - if (client_pubkey == NULL) { - BN_CTX_free(ctx); - EC_KEY_free(key); - return SSH_ERROR; - } - - EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED, - ssh_string_data(client_pubkey),len,ctx); - BN_CTX_free(ctx); - - rc = ssh_buffer_add_ssh_string(session->out_buffer,client_pubkey); - if (rc < 0) { - EC_KEY_free(key); - ssh_string_free(client_pubkey); - return SSH_ERROR; - } - - session->next_crypto->ecdh_privkey = key; - session->next_crypto->ecdh_client_pubkey = client_pubkey; - - rc = ssh_packet_send(session); - - return rc; -} static void ecdh_import_pubkey(ssh_session session, ssh_string pubkey_string) { session->next_crypto->server_pubkey = pubkey_string; } -static int ecdh_build_k(ssh_session session) { - const EC_GROUP *group = EC_KEY_get0_group(session->next_crypto->ecdh_privkey); - EC_POINT *pubkey; - void *buffer; - int rc; - int len = (EC_GROUP_get_degree(group) + 7) / 8; - bignum_CTX ctx = bignum_ctx_new(); - if (ctx == NULL) { - return -1; - } - - session->next_crypto->k = bignum_new(); - if (session->next_crypto->k == NULL) { - bignum_ctx_free(ctx); - return -1; - } - - pubkey = EC_POINT_new(group); - if (pubkey == NULL) { - bignum_ctx_free(ctx); - return -1; - } - - if (session->server) { - rc = EC_POINT_oct2point(group, - pubkey, - ssh_string_data(session->next_crypto->ecdh_client_pubkey), - ssh_string_len(session->next_crypto->ecdh_client_pubkey), - ctx); - } else { - rc = EC_POINT_oct2point(group, - pubkey, - ssh_string_data(session->next_crypto->ecdh_server_pubkey), - ssh_string_len(session->next_crypto->ecdh_server_pubkey), - ctx); - } - bignum_ctx_free(ctx); - if (rc <= 0) { - EC_POINT_clear_free(pubkey); - return -1; - } - - buffer = malloc(len); - if (buffer == NULL) { - EC_POINT_clear_free(pubkey); - return -1; - } - - rc = ECDH_compute_key(buffer, - len, - pubkey, - session->next_crypto->ecdh_privkey, - NULL); - EC_POINT_clear_free(pubkey); - if (rc <= 0) { - free(buffer); - return -1; - } - - bignum_bin2bn(buffer, len, session->next_crypto->k); - free(buffer); - - EC_KEY_free(session->next_crypto->ecdh_privkey); - session->next_crypto->ecdh_privkey = NULL; - -#ifdef DEBUG_CRYPTO - ssh_print_hexa("Session server cookie", - session->next_crypto->server_kex.cookie, 16); - ssh_print_hexa("Session client cookie", - session->next_crypto->client_kex.cookie, 16); - ssh_print_bignum("Shared secret key", session->next_crypto->k); -#endif - - return 0; -} - /** @internal * @brief parses a SSH_MSG_KEX_ECDH_REPLY packet and sends back * a SSH_MSG_NEWKEYS @@ -219,131 +81,4 @@ error: return SSH_ERROR; } -#ifdef WITH_SERVER - -/** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a - * SSH_MSG_KEXDH_REPLY - */ - -int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){ - /* ECDH keys */ - ssh_string q_c_string; - ssh_string q_s_string; - EC_KEY *ecdh_key; - const EC_GROUP *group; - const EC_POINT *ecdh_pubkey; - bignum_CTX ctx; - /* SSH host keys (rsa,dsa,ecdsa) */ - ssh_key privkey; - ssh_string sig_blob = NULL; - int len; - int rc; - - /* Extract the client pubkey from the init packet */ - q_c_string = ssh_buffer_get_ssh_string(packet); - if (q_c_string == NULL) { - ssh_set_error(session,SSH_FATAL, "No Q_C ECC point in packet"); - return SSH_ERROR; - } - session->next_crypto->ecdh_client_pubkey = q_c_string; - - /* Build server's keypair */ - - ctx = BN_CTX_new(); - ecdh_key = EC_KEY_new_by_curve_name(NISTP256); - if (ecdh_key == NULL) { - ssh_set_error_oom(session); - BN_CTX_free(ctx); - return SSH_ERROR; - } - - group = EC_KEY_get0_group(ecdh_key); - EC_KEY_generate_key(ecdh_key); - - ecdh_pubkey = EC_KEY_get0_public_key(ecdh_key); - len = EC_POINT_point2oct(group, - ecdh_pubkey, - POINT_CONVERSION_UNCOMPRESSED, - NULL, - 0, - ctx); - - q_s_string = ssh_string_new(len); - if (q_s_string == NULL) { - EC_KEY_free(ecdh_key); - BN_CTX_free(ctx); - return SSH_ERROR; - } - - EC_POINT_point2oct(group, - ecdh_pubkey, - POINT_CONVERSION_UNCOMPRESSED, - ssh_string_data(q_s_string), - len, - ctx); - BN_CTX_free(ctx); - - session->next_crypto->ecdh_privkey = ecdh_key; - session->next_crypto->ecdh_server_pubkey = q_s_string; - - /* build k and session_id */ - rc = ecdh_build_k(session); - if (rc < 0) { - ssh_set_error(session, SSH_FATAL, "Cannot build k number"); - return SSH_ERROR; - } - - /* privkey is not allocated */ - rc = ssh_get_key_params(session, &privkey); - if (rc == SSH_ERROR) { - return SSH_ERROR; - } - - rc = ssh_make_sessionid(session); - if (rc != SSH_OK) { - ssh_set_error(session, SSH_FATAL, "Could not create a session id"); - return SSH_ERROR; - } - - sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey); - if (sig_blob == NULL) { - ssh_set_error(session, SSH_FATAL, "Could not sign the session id"); - return SSH_ERROR; - } - - rc = ssh_buffer_pack(session->out_buffer, - "bSSS", - SSH2_MSG_KEXDH_REPLY, - session->next_crypto->server_pubkey, /* host's pubkey */ - q_s_string, /* ecdh public key */ - sig_blob); /* signature blob */ - - ssh_string_free(sig_blob); - - if (rc != SSH_OK) { - ssh_set_error_oom(session); - return SSH_ERROR; - } - - SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent"); - rc = ssh_packet_send(session); - if (rc == SSH_ERROR) { - return SSH_ERROR; - } - - /* Send the MSG_NEWKEYS */ - rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS); - if (rc < 0) { - return SSH_ERROR;; - } - - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT; - rc = ssh_packet_send(session); - SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent"); - - return rc; -} - -#endif /* WITH_SERVER */ - #endif /* HAVE_ECDH */ diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c new file mode 100644 index 0000000..e774e56 --- /dev/null +++ b/src/ecdh_crypto.c @@ -0,0 +1,298 @@ +/* + * This file is part of the SSH Library + * + * Copyright (c) 2011-2013 by Aris Adamantiadis + * + * The SSH Library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The SSH Library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the SSH Library; see the file COPYING. If not, write to + * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +#include "config.h" +#include "libssh/session.h" +#include "libssh/ecdh.h" +#include "libssh/dh.h" +#include "libssh/buffer.h" +#include "libssh/ssh2.h" +#include "libssh/pki.h" +#include "libssh/bignum.h" + +#ifdef HAVE_ECDH +#include <openssl/ecdh.h> + +#define NISTP256 NID_X9_62_prime256v1 +#define NISTP384 NID_secp384r1 +#define NISTP521 NID_secp521r1 + +/** @internal + * @brief Starts ecdh-sha2-nistp256 key exchange + */ +int ssh_client_ecdh_init(ssh_session session){ + EC_KEY *key; + const EC_GROUP *group; + const EC_POINT *pubkey; + ssh_string client_pubkey; + int len; + int rc; + bignum_CTX ctx = BN_CTX_new(); + + rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT); + if (rc < 0) { + BN_CTX_free(ctx); + return SSH_ERROR; + } + + key = EC_KEY_new_by_curve_name(NISTP256); + if (key == NULL) { + BN_CTX_free(ctx); + return SSH_ERROR; + } + group = EC_KEY_get0_group(key); + + EC_KEY_generate_key(key); + + pubkey=EC_KEY_get0_public_key(key); + len = EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED, + NULL,0,ctx); + + client_pubkey = ssh_string_new(len); + if (client_pubkey == NULL) { + BN_CTX_free(ctx); + EC_KEY_free(key); + return SSH_ERROR; + } + + EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED, + ssh_string_data(client_pubkey),len,ctx); + BN_CTX_free(ctx); + + rc = ssh_buffer_add_ssh_string(session->out_buffer,client_pubkey); + if (rc < 0) { + EC_KEY_free(key); + ssh_string_free(client_pubkey); + return SSH_ERROR; + } + + session->next_crypto->ecdh_privkey = key; + session->next_crypto->ecdh_client_pubkey = client_pubkey; + + rc = ssh_packet_send(session); + + return rc; +} + +int ecdh_build_k(ssh_session session) { + const EC_GROUP *group = EC_KEY_get0_group(session->next_crypto->ecdh_privkey); + EC_POINT *pubkey; + void *buffer; + int rc; + int len = (EC_GROUP_get_degree(group) + 7) / 8; + bignum_CTX ctx = bignum_ctx_new(); + if (ctx == NULL) { + return -1; + } + + session->next_crypto->k = bignum_new(); + if (session->next_crypto->k == NULL) { + bignum_ctx_free(ctx); + return -1; + } + + pubkey = EC_POINT_new(group); + if (pubkey == NULL) { + bignum_ctx_free(ctx); + return -1; + } + + if (session->server) { + rc = EC_POINT_oct2point(group, + pubkey, + ssh_string_data(session->next_crypto->ecdh_client_pubkey), + ssh_string_len(session->next_crypto->ecdh_client_pubkey), + ctx); + } else { + rc = EC_POINT_oct2point(group, + pubkey, + ssh_string_data(session->next_crypto->ecdh_server_pubkey), + ssh_string_len(session->next_crypto->ecdh_server_pubkey), + ctx); + } + bignum_ctx_free(ctx); + if (rc <= 0) { + EC_POINT_clear_free(pubkey); + return -1; + } + + buffer = malloc(len); + if (buffer == NULL) { + EC_POINT_clear_free(pubkey); + return -1; + } + + rc = ECDH_compute_key(buffer, + len, + pubkey, + session->next_crypto->ecdh_privkey, + NULL); + EC_POINT_clear_free(pubkey); + if (rc <= 0) { + free(buffer); + return -1; + } + + bignum_bin2bn(buffer, len, session->next_crypto->k); + free(buffer); + + EC_KEY_free(session->next_crypto->ecdh_privkey); + session->next_crypto->ecdh_privkey = NULL; + +#ifdef DEBUG_CRYPTO + ssh_print_hexa("Session server cookie", + session->next_crypto->server_kex.cookie, 16); + ssh_print_hexa("Session client cookie", + session->next_crypto->client_kex.cookie, 16); + ssh_print_bignum("Shared secret key", session->next_crypto->k); +#endif + + return 0; +} + +#ifdef WITH_SERVER + +/** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a + * SSH_MSG_KEXDH_REPLY + */ + +int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){ + /* ECDH keys */ + ssh_string q_c_string; + ssh_string q_s_string; + EC_KEY *ecdh_key; + const EC_GROUP *group; + const EC_POINT *ecdh_pubkey; + bignum_CTX ctx; + /* SSH host keys (rsa,dsa,ecdsa) */ + ssh_key privkey; + ssh_string sig_blob = NULL; + int len; + int rc; + + /* Extract the client pubkey from the init packet */ + q_c_string = ssh_buffer_get_ssh_string(packet); + if (q_c_string == NULL) { + ssh_set_error(session,SSH_FATAL, "No Q_C ECC point in packet"); + return SSH_ERROR; + } + session->next_crypto->ecdh_client_pubkey = q_c_string; + + /* Build server's keypair */ + + ctx = BN_CTX_new(); + ecdh_key = EC_KEY_new_by_curve_name(NISTP256); + if (ecdh_key == NULL) { + ssh_set_error_oom(session); + BN_CTX_free(ctx); + return SSH_ERROR; + } + + group = EC_KEY_get0_group(ecdh_key); + EC_KEY_generate_key(ecdh_key); + + ecdh_pubkey = EC_KEY_get0_public_key(ecdh_key); + len = EC_POINT_point2oct(group, + ecdh_pubkey, + POINT_CONVERSION_UNCOMPRESSED, + NULL, + 0, + ctx); + + q_s_string = ssh_string_new(len); + if (q_s_string == NULL) { + EC_KEY_free(ecdh_key); + BN_CTX_free(ctx); + return SSH_ERROR; + } + + EC_POINT_point2oct(group, + ecdh_pubkey, + POINT_CONVERSION_UNCOMPRESSED, + ssh_string_data(q_s_string), + len, + ctx); + BN_CTX_free(ctx); + + session->next_crypto->ecdh_privkey = ecdh_key; + session->next_crypto->ecdh_server_pubkey = q_s_string; + + /* build k and session_id */ + rc = ecdh_build_k(session); + if (rc < 0) { + ssh_set_error(session, SSH_FATAL, "Cannot build k number"); + return SSH_ERROR; + } + + /* privkey is not allocated */ + rc = ssh_get_key_params(session, &privkey); + if (rc == SSH_ERROR) { + return SSH_ERROR; + } + + rc = ssh_make_sessionid(session); + if (rc != SSH_OK) { + ssh_set_error(session, SSH_FATAL, "Could not create a session id"); + return SSH_ERROR; + } + + sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey); + if (sig_blob == NULL) { + ssh_set_error(session, SSH_FATAL, "Could not sign the session id"); + return SSH_ERROR; + } + + rc = ssh_buffer_pack(session->out_buffer, + "bSSS", + SSH2_MSG_KEXDH_REPLY, + session->next_crypto->server_pubkey, /* host's pubkey */ + q_s_string, /* ecdh public key */ + sig_blob); /* signature blob */ + + ssh_string_free(sig_blob); + + if (rc != SSH_OK) { + ssh_set_error_oom(session); + return SSH_ERROR; + } + + SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent"); + rc = ssh_packet_send(session); + if (rc == SSH_ERROR) { + return SSH_ERROR; + } + + /* Send the MSG_NEWKEYS */ + rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS); + if (rc < 0) { + return SSH_ERROR;; + } + + session->dh_handshake_state = DH_STATE_NEWKEYS_SENT; + rc = ssh_packet_send(session); + SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent"); + + return rc; +} + +#endif /* WITH_SERVER */ + +#endif /* HAVE_ECDH */ diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c new file mode 100644 index 0000000..c011815 --- /dev/null +++ b/src/ecdh_gcrypt.c @@ -0,0 +1,314 @@ +/* + * This file is part of the SSH Library + * + * Copyright (c) 2011-2013 by Aris Adamantiadis + * Copyright (C) 2016 g10 Code GmbH + * + * The SSH Library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The SSH Library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the SSH Library; see the file COPYING. If not, write to + * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +#include "config.h" +#include "libssh/session.h" +#include "libssh/ecdh.h" +#include "libssh/dh.h" +#include "libssh/buffer.h" +#include "libssh/ssh2.h" +#include "libssh/pki.h" +#include "libssh/bignum.h" +#include "libssh/libgcrypt.h" + +#ifdef HAVE_ECDH +#include <gcrypt.h> + +/** @internal + * @brief Starts ecdh-sha2-nistp256 key exchange + */ +int ssh_client_ecdh_init(ssh_session session) { + int rc; + gpg_error_t err; + ssh_string client_pubkey = NULL; + gcry_sexp_t param = NULL; + gcry_sexp_t key = NULL; + + rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT); + if (rc < 0) { + rc = SSH_ERROR; + goto out; + } + + err = gcry_sexp_build(¶m, NULL, "(genkey(ecdh(curve %s)))", + "NIST P-256"); + if (err) { + rc = SSH_ERROR; + goto out; + } + + err = gcry_pk_genkey(&key, param); + if (err) { + rc = SSH_ERROR; + goto out; + } + + client_pubkey = ssh_sexp_extract_mpi(key, "q", GCRYMPI_FMT_USG, + GCRYMPI_FMT_STD); + if (client_pubkey == NULL) { + rc = SSH_ERROR; + goto out; + } + + rc = ssh_buffer_add_ssh_string(session->out_buffer, client_pubkey); + if (rc < 0) { + rc = SSH_ERROR; + goto out; + } + + session->next_crypto->ecdh_privkey = key; + key = NULL; + session->next_crypto->ecdh_client_pubkey = client_pubkey; + client_pubkey = NULL; + + rc = ssh_packet_send(session); + + out: + gcry_sexp_release(param); + gcry_sexp_release(key); + ssh_string_free(client_pubkey); + return rc; +} + +int ecdh_build_k(ssh_session session) { + gpg_error_t err; + gcry_sexp_t data = NULL; + gcry_sexp_t result = NULL; + /* We need to get the x coordinate. Libgcrypt 1.7 and above + offers a suitable API for that. */ +#if (GCRYPT_VERSION_NUMBER >= 0x010700) + gcry_mpi_t s = NULL; + gcry_mpi_point_t point; +#else + ssh_string s; +#endif + ssh_string pubkey_raw; + gcry_sexp_t pubkey = NULL; + ssh_string privkey = NULL; + int rc = SSH_ERROR; + + pubkey_raw = session->server + ? session->next_crypto->ecdh_client_pubkey + : session->next_crypto->ecdh_server_pubkey; + + err = gcry_sexp_build(&pubkey, NULL, + "(key-data(public-key(ecdh(curve %s)(q %b))))", + "NIST P-256", + ssh_string_len(pubkey_raw), + ssh_string_data(pubkey_raw)); + if (err) { + goto out; + } + + privkey = ssh_sexp_extract_mpi(session->next_crypto->ecdh_privkey, + "d", GCRYMPI_FMT_USG, GCRYMPI_FMT_STD); + if (privkey == NULL) { + goto out; + } + + err = gcry_sexp_build(&data, NULL, + "(data(flags raw)(value %b))", + ssh_string_len(privkey), + ssh_string_data(privkey)); + if (err) { + goto out; + } + + err = gcry_pk_encrypt(&result, data, pubkey); + if (err) { + goto out; + } + +#if (GCRYPT_VERSION_NUMBER >= 0x010700) + err = gcry_sexp_extract_param(result, "", "s", &s, NULL); + if (err) { + goto out; + } + + point = gcry_mpi_point_new(0); + if (point == NULL) { + gcry_mpi_release(s); + goto out; + } + + err = gcry_mpi_ec_decode_point(point, s, NULL); + gcry_mpi_release(s); + if (err) { + goto out; + } + + session->next_crypto->k = gcry_mpi_new(0); + gcry_mpi_point_snatch_get(session->next_crypto->k, NULL, NULL, point); +#else + s = ssh_sexp_extract_mpi(result, "s", GCRYMPI_FMT_USG, GCRYMPI_FMT_USG); + if (s == NULL) { + goto out; + } + + if (ssh_string_len(s) != 65) { + ssh_string_burn(s); + ssh_string_free(s); + goto out; + } + + err = gcry_mpi_scan(&session->next_crypto->k, GCRYMPI_FMT_USG, + (const char *) ssh_string_data(s) + 1, 32, NULL); + ssh_string_burn(s); + ssh_string_free(s); + if (err) { + goto out; + } +#endif + + rc = SSH_OK; + gcry_sexp_release(session->next_crypto->ecdh_privkey); + session->next_crypto->ecdh_privkey = NULL; + +#ifdef DEBUG_CRYPTO + ssh_print_hexa("Session server cookie", + session->next_crypto->server_kex.cookie, 16); + ssh_print_hexa("Session client cookie", + session->next_crypto->client_kex.cookie, 16); + ssh_print_bignum("Shared secret key", session->next_crypto->k); +#endif + + out: + gcry_sexp_release(pubkey); + gcry_sexp_release(data); + gcry_sexp_release(result); + ssh_string_burn(privkey); + ssh_string_free(privkey); + return rc; +} + +#ifdef WITH_SERVER + +/** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a + * SSH_MSG_KEXDH_REPLY + */ +int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet) { + gpg_error_t err; + /* ECDH keys */ + ssh_string q_c_string; + ssh_string q_s_string; + gcry_sexp_t param = NULL; + gcry_sexp_t key = NULL; + /* SSH host keys (rsa,dsa,ecdsa) */ + ssh_key privkey; + ssh_string sig_blob = NULL; + int rc = SSH_ERROR; + + /* Extract the client pubkey from the init packet */ + q_c_string = ssh_buffer_get_ssh_string(packet); + if (q_c_string == NULL) { + ssh_set_error(session, SSH_FATAL, "No Q_C ECC point in packet"); + goto out; + } + session->next_crypto->ecdh_client_pubkey = q_c_string; + + /* Build server's keypair */ + err = gcry_sexp_build(¶m, NULL, "(genkey(ecdh(curve %s)))", + "NIST P-256"); + if (err) { + goto out; + } + + err = gcry_pk_genkey(&key, param); + if (err) + goto out; + + q_s_string = ssh_sexp_extract_mpi(key, "q", GCRYMPI_FMT_USG, + GCRYMPI_FMT_STD); + if (q_s_string == NULL) { + goto out; + } + + session->next_crypto->ecdh_privkey = key; + key = NULL; + session->next_crypto->ecdh_server_pubkey = q_s_string; + + /* build k and session_id */ + rc = ecdh_build_k(session); + if (rc != SSH_OK) { + ssh_set_error(session, SSH_FATAL, "Cannot build k number"); + goto out; + } + + /* privkey is not allocated */ + rc = ssh_get_key_params(session, &privkey); + if (rc != SSH_OK) { + goto out; + } + + rc = ssh_make_sessionid(session); + if (rc != SSH_OK) { + ssh_set_error(session, SSH_FATAL, "Could not create a session id"); + goto out; + } + + sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey); + if (sig_blob == NULL) { + ssh_set_error(session, SSH_FATAL, "Could not sign the session id"); + rc = SSH_ERROR; + goto out; + } + + rc = ssh_buffer_pack(session->out_buffer, + "bSSS", + SSH2_MSG_KEXDH_REPLY, + session->next_crypto->server_pubkey, /* host's pubkey */ + q_s_string, /* ecdh public key */ + sig_blob); /* signature blob */ + + ssh_string_free(sig_blob); + + if (rc != SSH_OK) { + ssh_set_error_oom(session); + goto out; + } + + SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent"); + rc = ssh_packet_send(session); + if (rc != SSH_OK) { + goto out; + } + + + /* Send the MSG_NEWKEYS */ + rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS); + if (rc != SSH_OK) { + goto out; + } + + session->dh_handshake_state = DH_STATE_NEWKEYS_SENT; + rc = ssh_packet_send(session); + SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent"); + + out: + gcry_sexp_release(param); + gcry_sexp_release(key); + return rc; +} + +#endif /* WITH_SERVER */ + +#endif /* HAVE_ECDH */ diff --git a/src/wrapper.c b/src/wrapper.c index 7686937..bb7660d 100644 --- a/src/wrapper.c +++ b/src/wrapper.c @@ -161,7 +161,11 @@ void crypto_free(struct ssh_crypto_struct *crypto){ SAFE_FREE(crypto->ecdh_client_pubkey); SAFE_FREE(crypto->ecdh_server_pubkey); if(crypto->ecdh_privkey != NULL){ +#ifdef HAVE_OPENSSL_ECC EC_KEY_free(crypto->ecdh_privkey); +#elif defined HAVE_GCRYPT_ECC + gcry_sexp_release(crypto->ecdh_privkey); +#endif crypto->ecdh_privkey = NULL; } #endif -- 2.8.1
Re: [PATCH 2/3] pki_gcrypt: Handle ECDSA keys and signatures | Andreas Schneider <asn@xxxxxxxxxxxxxx> |
[PATCH 1/5] curve25519: Small libgcrypt bignum fix | Justus Winter <justus@xxxxxxxxxxx> |