[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 5/5] ecdh: Implement ECDH using libgcrypt


* include/libssh/crypto.h (struct ssh_crypto_struct): Provide a
suitable 'ecdh_privkey'.
* include/libssh/ecdh.h: Also define 'HAVE_ECDH' if we do ECC using
libgcrypt.
(ecdh_build_k): New prototype.
* src/CMakeLists.txt (libssh_SRCS): Add backend-specific files.
* src/ecdh.c: Move backend-specific parts to...
* src/ecdh_crypto.c: ... this file.
* src/ecdh_gcrypt.c: New file.
* src/wrapper.c (crypto_free): Free 'ecdh_privkey'.

Signed-off-by: Justus Winter <justus@xxxxxxxxxxx>
---
 include/libssh/crypto.h |   4 +
 include/libssh/ecdh.h   |  10 +-
 src/CMakeLists.txt      |   2 +
 src/ecdh.c              | 265 ----------------------------------------
 src/ecdh_crypto.c       | 298 +++++++++++++++++++++++++++++++++++++++++++++
 src/ecdh_gcrypt.c       | 314 ++++++++++++++++++++++++++++++++++++++++++++++++
 src/wrapper.c           |   4 +
 7 files changed, 631 insertions(+), 266 deletions(-)
 create mode 100644 src/ecdh_crypto.c
 create mode 100644 src/ecdh_gcrypt.c

diff --git a/include/libssh/crypto.h b/include/libssh/crypto.h
index e370c74..102c8d7 100644
--- a/include/libssh/crypto.h
+++ b/include/libssh/crypto.h
@@ -76,7 +76,11 @@ enum ssh_cipher_e {
 struct ssh_crypto_struct {
     bignum e,f,x,k,y;
 #ifdef HAVE_ECDH
+#ifdef HAVE_OPENSSL_ECC
     EC_KEY *ecdh_privkey;
+#elif defined HAVE_GCRYPT_ECC
+    gcry_sexp_t ecdh_privkey;
+#endif
     ssh_string ecdh_client_pubkey;
     ssh_string ecdh_server_pubkey;
 #endif
diff --git a/include/libssh/ecdh.h b/include/libssh/ecdh.h
index 8d1e751..9f94d69 100644
--- a/include/libssh/ecdh.h
+++ b/include/libssh/ecdh.h
@@ -33,9 +33,17 @@
 #endif /* HAVE_OPENSSL_ECDH_H */
 #endif /* HAVE_LIBCRYPTO */
 
-int ssh_client_ecdh_init(ssh_session session);
+#ifdef HAVE_GCRYPT_ECC
+#define HAVE_ECDH 1
+#endif
+
+/* Common functions.  */
 int ssh_client_ecdh_reply(ssh_session session, ssh_buffer packet);
 
+/* Backend-specific functions.  */
+int ssh_client_ecdh_init(ssh_session session);
+int ecdh_build_k(ssh_session session);
+
 #ifdef WITH_SERVER
 int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet);
 #endif /* WITH_SERVER */
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 1012ddf..3699f23 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -158,11 +158,13 @@ if (WITH_GCRYPT)
         libgcrypt.c
         gcrypt_missing.c
         pki_gcrypt.c
+        ecdh_gcrypt.c
        )
 else (WITH_GCRYPT)
     set(libssh_SRCS
         ${libssh_SRCS}
         pki_crypto.c
+        ecdh_crypto.c
        )
 endif (WITH_GCRYPT)
 
diff --git a/src/ecdh.c b/src/ecdh.c
index 4dbb7b5..ada7b18 100644
--- a/src/ecdh.c
+++ b/src/ecdh.c
@@ -29,149 +29,11 @@
 #include "libssh/bignum.h"
 
 #ifdef HAVE_ECDH
-#include <openssl/ecdh.h>
-
-#define NISTP256 NID_X9_62_prime256v1
-#define NISTP384 NID_secp384r1
-#define NISTP521 NID_secp521r1
-
-/** @internal
- * @brief Starts ecdh-sha2-nistp256 key exchange
- */
-int ssh_client_ecdh_init(ssh_session session){
-  EC_KEY *key;
-  const EC_GROUP *group;
-  const EC_POINT *pubkey;
-  ssh_string client_pubkey;
-  int len;
-  int rc;
-  bignum_CTX ctx = BN_CTX_new();
-
-  rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT);
-  if (rc < 0) {
-      BN_CTX_free(ctx);
-      return SSH_ERROR;
-  }
-
-  key = EC_KEY_new_by_curve_name(NISTP256);
-  if (key == NULL) {
-      BN_CTX_free(ctx);
-      return SSH_ERROR;
-  }
-  group = EC_KEY_get0_group(key);
-
-  EC_KEY_generate_key(key);
-
-  pubkey=EC_KEY_get0_public_key(key);
-  len = EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
-      NULL,0,ctx);
-
-  client_pubkey = ssh_string_new(len);
-  if (client_pubkey == NULL) {
-      BN_CTX_free(ctx);
-      EC_KEY_free(key);
-      return SSH_ERROR;
-  }
-
-  EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
-      ssh_string_data(client_pubkey),len,ctx);
-  BN_CTX_free(ctx);
-
-  rc = ssh_buffer_add_ssh_string(session->out_buffer,client_pubkey);
-  if (rc < 0) {
-      EC_KEY_free(key);
-      ssh_string_free(client_pubkey);
-      return SSH_ERROR;
-  }
-
-  session->next_crypto->ecdh_privkey = key;
-  session->next_crypto->ecdh_client_pubkey = client_pubkey;
-
-  rc = ssh_packet_send(session);
-
-  return rc;
-}
 
 static void ecdh_import_pubkey(ssh_session session, ssh_string pubkey_string) {
   session->next_crypto->server_pubkey = pubkey_string;
 }
 
-static int ecdh_build_k(ssh_session session) {
-  const EC_GROUP *group = EC_KEY_get0_group(session->next_crypto->ecdh_privkey);
-  EC_POINT *pubkey;
-  void *buffer;
-  int rc;
-  int len = (EC_GROUP_get_degree(group) + 7) / 8;
-  bignum_CTX ctx = bignum_ctx_new();
-  if (ctx == NULL) {
-    return -1;
-  }
-
-  session->next_crypto->k = bignum_new();
-  if (session->next_crypto->k == NULL) {
-    bignum_ctx_free(ctx);
-    return -1;
-  }
-
-  pubkey = EC_POINT_new(group);
-  if (pubkey == NULL) {
-    bignum_ctx_free(ctx);
-    return -1;
-  }
-
-  if (session->server) {
-      rc = EC_POINT_oct2point(group,
-                              pubkey,
-                              ssh_string_data(session->next_crypto->ecdh_client_pubkey),
-                              ssh_string_len(session->next_crypto->ecdh_client_pubkey),
-                              ctx);
-  } else {
-      rc = EC_POINT_oct2point(group,
-                              pubkey,
-                              ssh_string_data(session->next_crypto->ecdh_server_pubkey),
-                              ssh_string_len(session->next_crypto->ecdh_server_pubkey),
-                              ctx);
-  }
-  bignum_ctx_free(ctx);
-  if (rc <= 0) {
-      EC_POINT_clear_free(pubkey);
-      return -1;
-  }
-
-  buffer = malloc(len);
-  if (buffer == NULL) {
-      EC_POINT_clear_free(pubkey);
-      return -1;
-  }
-
-  rc = ECDH_compute_key(buffer,
-                        len,
-                        pubkey,
-                        session->next_crypto->ecdh_privkey,
-                        NULL);
-  EC_POINT_clear_free(pubkey);
-  if (rc <= 0) {
-      free(buffer);
-      return -1;
-  }
-
-  bignum_bin2bn(buffer, len, session->next_crypto->k);
-  free(buffer);
-
-  EC_KEY_free(session->next_crypto->ecdh_privkey);
-  session->next_crypto->ecdh_privkey = NULL;
-
-#ifdef DEBUG_CRYPTO
-    ssh_print_hexa("Session server cookie",
-                   session->next_crypto->server_kex.cookie, 16);
-    ssh_print_hexa("Session client cookie",
-                   session->next_crypto->client_kex.cookie, 16);
-    ssh_print_bignum("Shared secret key", session->next_crypto->k);
-#endif
-
-  return 0;
-}
-
 /** @internal
  * @brief parses a SSH_MSG_KEX_ECDH_REPLY packet and sends back
  * a SSH_MSG_NEWKEYS
@@ -219,131 +81,4 @@ error:
   return SSH_ERROR;
 }
 
-#ifdef WITH_SERVER
-
-/** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a
- * SSH_MSG_KEXDH_REPLY
- */
-
-int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){
-    /* ECDH keys */
-    ssh_string q_c_string;
-    ssh_string q_s_string;
-    EC_KEY *ecdh_key;
-    const EC_GROUP *group;
-    const EC_POINT *ecdh_pubkey;
-    bignum_CTX ctx;
-    /* SSH host keys (rsa,dsa,ecdsa) */
-    ssh_key privkey;
-    ssh_string sig_blob = NULL;
-    int len;
-    int rc;
-
-    /* Extract the client pubkey from the init packet */
-    q_c_string = ssh_buffer_get_ssh_string(packet);
-    if (q_c_string == NULL) {
-        ssh_set_error(session,SSH_FATAL, "No Q_C ECC point in packet");
-        return SSH_ERROR;
-    }
-    session->next_crypto->ecdh_client_pubkey = q_c_string;
-
-    /* Build server's keypair */
-
-    ctx = BN_CTX_new();
-    ecdh_key = EC_KEY_new_by_curve_name(NISTP256);
-    if (ecdh_key == NULL) {
-        ssh_set_error_oom(session);
-        BN_CTX_free(ctx);
-        return SSH_ERROR;
-    }
-
-    group = EC_KEY_get0_group(ecdh_key);
-    EC_KEY_generate_key(ecdh_key);
-
-    ecdh_pubkey = EC_KEY_get0_public_key(ecdh_key);
-    len = EC_POINT_point2oct(group,
-                             ecdh_pubkey,
-                             POINT_CONVERSION_UNCOMPRESSED,
-                             NULL,
-                             0,
-                             ctx);
-
-    q_s_string = ssh_string_new(len);
-    if (q_s_string == NULL) {
-        EC_KEY_free(ecdh_key);
-        BN_CTX_free(ctx);
-        return SSH_ERROR;
-    }
-
-    EC_POINT_point2oct(group,
-                       ecdh_pubkey,
-                       POINT_CONVERSION_UNCOMPRESSED,
-                       ssh_string_data(q_s_string),
-                       len,
-                       ctx);
-    BN_CTX_free(ctx);
-
-    session->next_crypto->ecdh_privkey = ecdh_key;
-    session->next_crypto->ecdh_server_pubkey = q_s_string;
-
-    /* build k and session_id */
-    rc = ecdh_build_k(session);
-    if (rc < 0) {
-        ssh_set_error(session, SSH_FATAL, "Cannot build k number");
-        return SSH_ERROR;
-    }
-
-    /* privkey is not allocated */
-    rc = ssh_get_key_params(session, &privkey);
-    if (rc == SSH_ERROR) {
-        return SSH_ERROR;
-    }
-
-    rc = ssh_make_sessionid(session);
-    if (rc != SSH_OK) {
-        ssh_set_error(session, SSH_FATAL, "Could not create a session id");
-        return SSH_ERROR;
-    }
-
-    sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey);
-    if (sig_blob == NULL) {
-        ssh_set_error(session, SSH_FATAL, "Could not sign the session id");
-        return SSH_ERROR;
-    }
-
-    rc = ssh_buffer_pack(session->out_buffer,
-                         "bSSS",
-                         SSH2_MSG_KEXDH_REPLY,
-                         session->next_crypto->server_pubkey, /* host's pubkey */
-                         q_s_string, /* ecdh public key */
-                         sig_blob); /* signature blob */
-
-    ssh_string_free(sig_blob);
-
-    if (rc != SSH_OK) {
-        ssh_set_error_oom(session);
-        return SSH_ERROR;
-    }
-
-    SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent");
-    rc = ssh_packet_send(session);
-    if (rc == SSH_ERROR) {
-        return SSH_ERROR;
-    }
-
-    /* Send the MSG_NEWKEYS */
-    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
-    if (rc < 0) {
-        return SSH_ERROR;;
-    }
-
-    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
-    rc = ssh_packet_send(session);
-    SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
-
-    return rc;
-}
-
-#endif /* WITH_SERVER */
-
 #endif /* HAVE_ECDH */
diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
new file mode 100644
index 0000000..e774e56
--- /dev/null
+++ b/src/ecdh_crypto.c
@@ -0,0 +1,298 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2011-2013 by Aris Adamantiadis
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "config.h"
+#include "libssh/session.h"
+#include "libssh/ecdh.h"
+#include "libssh/dh.h"
+#include "libssh/buffer.h"
+#include "libssh/ssh2.h"
+#include "libssh/pki.h"
+#include "libssh/bignum.h"
+
+#ifdef HAVE_ECDH
+#include <openssl/ecdh.h>
+
+#define NISTP256 NID_X9_62_prime256v1
+#define NISTP384 NID_secp384r1
+#define NISTP521 NID_secp521r1
+
+/** @internal
+ * @brief Starts ecdh-sha2-nistp256 key exchange
+ */
+int ssh_client_ecdh_init(ssh_session session){
+  EC_KEY *key;
+  const EC_GROUP *group;
+  const EC_POINT *pubkey;
+  ssh_string client_pubkey;
+  int len;
+  int rc;
+  bignum_CTX ctx = BN_CTX_new();
+
+  rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT);
+  if (rc < 0) {
+      BN_CTX_free(ctx);
+      return SSH_ERROR;
+  }
+
+  key = EC_KEY_new_by_curve_name(NISTP256);
+  if (key == NULL) {
+      BN_CTX_free(ctx);
+      return SSH_ERROR;
+  }
+  group = EC_KEY_get0_group(key);
+
+  EC_KEY_generate_key(key);
+
+  pubkey=EC_KEY_get0_public_key(key);
+  len = EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
+      NULL,0,ctx);
+
+  client_pubkey = ssh_string_new(len);
+  if (client_pubkey == NULL) {
+      BN_CTX_free(ctx);
+      EC_KEY_free(key);
+      return SSH_ERROR;
+  }
+
+  EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
+      ssh_string_data(client_pubkey),len,ctx);
+  BN_CTX_free(ctx);
+
+  rc = ssh_buffer_add_ssh_string(session->out_buffer,client_pubkey);
+  if (rc < 0) {
+      EC_KEY_free(key);
+      ssh_string_free(client_pubkey);
+      return SSH_ERROR;
+  }
+
+  session->next_crypto->ecdh_privkey = key;
+  session->next_crypto->ecdh_client_pubkey = client_pubkey;
+
+  rc = ssh_packet_send(session);
+
+  return rc;
+}
+
+int ecdh_build_k(ssh_session session) {
+  const EC_GROUP *group = EC_KEY_get0_group(session->next_crypto->ecdh_privkey);
+  EC_POINT *pubkey;
+  void *buffer;
+  int rc;
+  int len = (EC_GROUP_get_degree(group) + 7) / 8;
+  bignum_CTX ctx = bignum_ctx_new();
+  if (ctx == NULL) {
+    return -1;
+  }
+
+  session->next_crypto->k = bignum_new();
+  if (session->next_crypto->k == NULL) {
+    bignum_ctx_free(ctx);
+    return -1;
+  }
+
+  pubkey = EC_POINT_new(group);
+  if (pubkey == NULL) {
+    bignum_ctx_free(ctx);
+    return -1;
+  }
+
+  if (session->server) {
+      rc = EC_POINT_oct2point(group,
+                              pubkey,
+                              ssh_string_data(session->next_crypto->ecdh_client_pubkey),
+                              ssh_string_len(session->next_crypto->ecdh_client_pubkey),
+                              ctx);
+  } else {
+      rc = EC_POINT_oct2point(group,
+                              pubkey,
+                              ssh_string_data(session->next_crypto->ecdh_server_pubkey),
+                              ssh_string_len(session->next_crypto->ecdh_server_pubkey),
+                              ctx);
+  }
+  bignum_ctx_free(ctx);
+  if (rc <= 0) {
+      EC_POINT_clear_free(pubkey);
+      return -1;
+  }
+
+  buffer = malloc(len);
+  if (buffer == NULL) {
+      EC_POINT_clear_free(pubkey);
+      return -1;
+  }
+
+  rc = ECDH_compute_key(buffer,
+                        len,
+                        pubkey,
+                        session->next_crypto->ecdh_privkey,
+                        NULL);
+  EC_POINT_clear_free(pubkey);
+  if (rc <= 0) {
+      free(buffer);
+      return -1;
+  }
+
+  bignum_bin2bn(buffer, len, session->next_crypto->k);
+  free(buffer);
+
+  EC_KEY_free(session->next_crypto->ecdh_privkey);
+  session->next_crypto->ecdh_privkey = NULL;
+
+#ifdef DEBUG_CRYPTO
+    ssh_print_hexa("Session server cookie",
+                   session->next_crypto->server_kex.cookie, 16);
+    ssh_print_hexa("Session client cookie",
+                   session->next_crypto->client_kex.cookie, 16);
+    ssh_print_bignum("Shared secret key", session->next_crypto->k);
+#endif
+
+  return 0;
+}
+
+#ifdef WITH_SERVER
+
+/** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a
+ * SSH_MSG_KEXDH_REPLY
+ */
+
+int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){
+    /* ECDH keys */
+    ssh_string q_c_string;
+    ssh_string q_s_string;
+    EC_KEY *ecdh_key;
+    const EC_GROUP *group;
+    const EC_POINT *ecdh_pubkey;
+    bignum_CTX ctx;
+    /* SSH host keys (rsa,dsa,ecdsa) */
+    ssh_key privkey;
+    ssh_string sig_blob = NULL;
+    int len;
+    int rc;
+
+    /* Extract the client pubkey from the init packet */
+    q_c_string = ssh_buffer_get_ssh_string(packet);
+    if (q_c_string == NULL) {
+        ssh_set_error(session,SSH_FATAL, "No Q_C ECC point in packet");
+        return SSH_ERROR;
+    }
+    session->next_crypto->ecdh_client_pubkey = q_c_string;
+
+    /* Build server's keypair */
+
+    ctx = BN_CTX_new();
+    ecdh_key = EC_KEY_new_by_curve_name(NISTP256);
+    if (ecdh_key == NULL) {
+        ssh_set_error_oom(session);
+        BN_CTX_free(ctx);
+        return SSH_ERROR;
+    }
+
+    group = EC_KEY_get0_group(ecdh_key);
+    EC_KEY_generate_key(ecdh_key);
+
+    ecdh_pubkey = EC_KEY_get0_public_key(ecdh_key);
+    len = EC_POINT_point2oct(group,
+                             ecdh_pubkey,
+                             POINT_CONVERSION_UNCOMPRESSED,
+                             NULL,
+                             0,
+                             ctx);
+
+    q_s_string = ssh_string_new(len);
+    if (q_s_string == NULL) {
+        EC_KEY_free(ecdh_key);
+        BN_CTX_free(ctx);
+        return SSH_ERROR;
+    }
+
+    EC_POINT_point2oct(group,
+                       ecdh_pubkey,
+                       POINT_CONVERSION_UNCOMPRESSED,
+                       ssh_string_data(q_s_string),
+                       len,
+                       ctx);
+    BN_CTX_free(ctx);
+
+    session->next_crypto->ecdh_privkey = ecdh_key;
+    session->next_crypto->ecdh_server_pubkey = q_s_string;
+
+    /* build k and session_id */
+    rc = ecdh_build_k(session);
+    if (rc < 0) {
+        ssh_set_error(session, SSH_FATAL, "Cannot build k number");
+        return SSH_ERROR;
+    }
+
+    /* privkey is not allocated */
+    rc = ssh_get_key_params(session, &privkey);
+    if (rc == SSH_ERROR) {
+        return SSH_ERROR;
+    }
+
+    rc = ssh_make_sessionid(session);
+    if (rc != SSH_OK) {
+        ssh_set_error(session, SSH_FATAL, "Could not create a session id");
+        return SSH_ERROR;
+    }
+
+    sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey);
+    if (sig_blob == NULL) {
+        ssh_set_error(session, SSH_FATAL, "Could not sign the session id");
+        return SSH_ERROR;
+    }
+
+    rc = ssh_buffer_pack(session->out_buffer,
+                         "bSSS",
+                         SSH2_MSG_KEXDH_REPLY,
+                         session->next_crypto->server_pubkey, /* host's pubkey */
+                         q_s_string, /* ecdh public key */
+                         sig_blob); /* signature blob */
+
+    ssh_string_free(sig_blob);
+
+    if (rc != SSH_OK) {
+        ssh_set_error_oom(session);
+        return SSH_ERROR;
+    }
+
+    SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent");
+    rc = ssh_packet_send(session);
+    if (rc == SSH_ERROR) {
+        return SSH_ERROR;
+    }
+
+    /* Send the MSG_NEWKEYS */
+    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+    if (rc < 0) {
+        return SSH_ERROR;;
+    }
+
+    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+    rc = ssh_packet_send(session);
+    SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
+
+    return rc;
+}
+
+#endif /* WITH_SERVER */
+
+#endif /* HAVE_ECDH */
diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
new file mode 100644
index 0000000..c011815
--- /dev/null
+++ b/src/ecdh_gcrypt.c
@@ -0,0 +1,314 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2011-2013 by Aris Adamantiadis
+ * Copyright (C) 2016 g10 Code GmbH
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "config.h"
+#include "libssh/session.h"
+#include "libssh/ecdh.h"
+#include "libssh/dh.h"
+#include "libssh/buffer.h"
+#include "libssh/ssh2.h"
+#include "libssh/pki.h"
+#include "libssh/bignum.h"
+#include "libssh/libgcrypt.h"
+
+#ifdef HAVE_ECDH
+#include <gcrypt.h>
+
+/** @internal
+ * @brief Starts ecdh-sha2-nistp256 key exchange
+ */
+int ssh_client_ecdh_init(ssh_session session) {
+    int rc;
+    gpg_error_t err;
+    ssh_string client_pubkey = NULL;
+    gcry_sexp_t param = NULL;
+    gcry_sexp_t key = NULL;
+
+    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT);
+    if (rc < 0) {
+        rc = SSH_ERROR;
+        goto out;
+    }
+
+    err = gcry_sexp_build(&param, NULL, "(genkey(ecdh(curve %s)))",
+                          "NIST P-256");
+    if (err) {
+        rc = SSH_ERROR;
+        goto out;
+    }
+
+    err = gcry_pk_genkey(&key, param);
+    if (err) {
+        rc = SSH_ERROR;
+        goto out;
+    }
+
+    client_pubkey = ssh_sexp_extract_mpi(key, "q", GCRYMPI_FMT_USG,
+                                         GCRYMPI_FMT_STD);
+    if (client_pubkey == NULL) {
+        rc = SSH_ERROR;
+        goto out;
+    }
+
+    rc = ssh_buffer_add_ssh_string(session->out_buffer, client_pubkey);
+    if (rc < 0) {
+        rc = SSH_ERROR;
+        goto out;
+    }
+
+    session->next_crypto->ecdh_privkey = key;
+    key = NULL;
+    session->next_crypto->ecdh_client_pubkey = client_pubkey;
+    client_pubkey = NULL;
+
+    rc = ssh_packet_send(session);
+
+ out:
+    gcry_sexp_release(param);
+    gcry_sexp_release(key);
+    ssh_string_free(client_pubkey);
+    return rc;
+}
+
+int ecdh_build_k(ssh_session session) {
+    gpg_error_t err;
+    gcry_sexp_t data = NULL;
+    gcry_sexp_t result = NULL;
+    /* We need to get the x coordinate.  Libgcrypt 1.7 and above
+       offers a suitable API for that.  */
+#if (GCRYPT_VERSION_NUMBER >= 0x010700)
+    gcry_mpi_t s = NULL;
+    gcry_mpi_point_t point;
+#else
+    ssh_string s;
+#endif
+    ssh_string pubkey_raw;
+    gcry_sexp_t pubkey = NULL;
+    ssh_string privkey = NULL;
+    int rc = SSH_ERROR;
+
+    pubkey_raw = session->server
+        ? session->next_crypto->ecdh_client_pubkey
+        : session->next_crypto->ecdh_server_pubkey;
+
+    err = gcry_sexp_build(&pubkey, NULL,
+                          "(key-data(public-key(ecdh(curve %s)(q %b))))",
+                          "NIST P-256",
+                          ssh_string_len(pubkey_raw),
+                          ssh_string_data(pubkey_raw));
+    if (err) {
+        goto out;
+    }
+
+    privkey = ssh_sexp_extract_mpi(session->next_crypto->ecdh_privkey,
+                                   "d", GCRYMPI_FMT_USG, GCRYMPI_FMT_STD);
+    if (privkey == NULL) {
+        goto out;
+    }
+
+    err = gcry_sexp_build(&data, NULL,
+                          "(data(flags raw)(value %b))",
+                          ssh_string_len(privkey),
+                          ssh_string_data(privkey));
+    if (err) {
+        goto out;
+    }
+
+    err = gcry_pk_encrypt(&result, data, pubkey);
+    if (err) {
+        goto out;
+    }
+
+#if (GCRYPT_VERSION_NUMBER >= 0x010700)
+    err = gcry_sexp_extract_param(result, "", "s", &s, NULL);
+    if (err) {
+        goto out;
+    }
+
+    point = gcry_mpi_point_new(0);
+    if (point == NULL) {
+        gcry_mpi_release(s);
+        goto out;
+    }
+
+    err = gcry_mpi_ec_decode_point(point, s, NULL);
+    gcry_mpi_release(s);
+    if (err) {
+        goto out;
+    }
+
+    session->next_crypto->k = gcry_mpi_new(0);
+    gcry_mpi_point_snatch_get(session->next_crypto->k, NULL, NULL, point);
+#else
+    s = ssh_sexp_extract_mpi(result, "s", GCRYMPI_FMT_USG, GCRYMPI_FMT_USG);
+    if (s == NULL) {
+        goto out;
+    }
+
+    if (ssh_string_len(s) != 65) {
+        ssh_string_burn(s);
+        ssh_string_free(s);
+        goto out;
+    }
+
+    err = gcry_mpi_scan(&session->next_crypto->k, GCRYMPI_FMT_USG,
+                        (const char *) ssh_string_data(s) + 1, 32, NULL);
+    ssh_string_burn(s);
+    ssh_string_free(s);
+    if (err) {
+        goto out;
+    }
+#endif
+
+    rc = SSH_OK;
+    gcry_sexp_release(session->next_crypto->ecdh_privkey);
+    session->next_crypto->ecdh_privkey = NULL;
+
+#ifdef DEBUG_CRYPTO
+    ssh_print_hexa("Session server cookie",
+                   session->next_crypto->server_kex.cookie, 16);
+    ssh_print_hexa("Session client cookie",
+                   session->next_crypto->client_kex.cookie, 16);
+    ssh_print_bignum("Shared secret key", session->next_crypto->k);
+#endif
+
+ out:
+    gcry_sexp_release(pubkey);
+    gcry_sexp_release(data);
+    gcry_sexp_release(result);
+    ssh_string_burn(privkey);
+    ssh_string_free(privkey);
+    return rc;
+}
+
+#ifdef WITH_SERVER
+
+/** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a
+ * SSH_MSG_KEXDH_REPLY
+ */
+int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet) {
+    gpg_error_t err;
+    /* ECDH keys */
+    ssh_string q_c_string;
+    ssh_string q_s_string;
+    gcry_sexp_t param = NULL;
+    gcry_sexp_t key = NULL;
+    /* SSH host keys (rsa,dsa,ecdsa) */
+    ssh_key privkey;
+    ssh_string sig_blob = NULL;
+    int rc = SSH_ERROR;
+
+    /* Extract the client pubkey from the init packet */
+    q_c_string = ssh_buffer_get_ssh_string(packet);
+    if (q_c_string == NULL) {
+        ssh_set_error(session, SSH_FATAL, "No Q_C ECC point in packet");
+        goto out;
+    }
+    session->next_crypto->ecdh_client_pubkey = q_c_string;
+
+    /* Build server's keypair */
+    err = gcry_sexp_build(&param, NULL, "(genkey(ecdh(curve %s)))",
+                          "NIST P-256");
+    if (err) {
+        goto out;
+    }
+
+    err = gcry_pk_genkey(&key, param);
+    if (err)
+        goto out;
+
+    q_s_string = ssh_sexp_extract_mpi(key, "q", GCRYMPI_FMT_USG,
+                                      GCRYMPI_FMT_STD);
+    if (q_s_string == NULL) {
+        goto out;
+    }
+
+    session->next_crypto->ecdh_privkey = key;
+    key = NULL;
+    session->next_crypto->ecdh_server_pubkey = q_s_string;
+
+    /* build k and session_id */
+    rc = ecdh_build_k(session);
+    if (rc != SSH_OK) {
+        ssh_set_error(session, SSH_FATAL, "Cannot build k number");
+        goto out;
+    }
+
+    /* privkey is not allocated */
+    rc = ssh_get_key_params(session, &privkey);
+    if (rc != SSH_OK) {
+        goto out;
+    }
+
+    rc = ssh_make_sessionid(session);
+    if (rc != SSH_OK) {
+        ssh_set_error(session, SSH_FATAL, "Could not create a session id");
+        goto out;
+    }
+
+    sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey);
+    if (sig_blob == NULL) {
+        ssh_set_error(session, SSH_FATAL, "Could not sign the session id");
+        rc = SSH_ERROR;
+        goto out;
+    }
+
+    rc = ssh_buffer_pack(session->out_buffer,
+                         "bSSS",
+                         SSH2_MSG_KEXDH_REPLY,
+                         session->next_crypto->server_pubkey, /* host's pubkey */
+                         q_s_string, /* ecdh public key */
+                         sig_blob); /* signature blob */
+
+    ssh_string_free(sig_blob);
+
+    if (rc != SSH_OK) {
+        ssh_set_error_oom(session);
+        goto out;
+    }
+
+    SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent");
+    rc = ssh_packet_send(session);
+    if (rc != SSH_OK) {
+        goto out;
+    }
+
+
+    /* Send the MSG_NEWKEYS */
+    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+    if (rc != SSH_OK) {
+        goto out;
+    }
+
+    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+    rc = ssh_packet_send(session);
+    SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
+
+ out:
+    gcry_sexp_release(param);
+    gcry_sexp_release(key);
+    return rc;
+}
+
+#endif /* WITH_SERVER */
+
+#endif /* HAVE_ECDH */
diff --git a/src/wrapper.c b/src/wrapper.c
index 7686937..bb7660d 100644
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -161,7 +161,11 @@ void crypto_free(struct ssh_crypto_struct *crypto){
   SAFE_FREE(crypto->ecdh_client_pubkey);
   SAFE_FREE(crypto->ecdh_server_pubkey);
   if(crypto->ecdh_privkey != NULL){
+#ifdef HAVE_OPENSSL_ECC
     EC_KEY_free(crypto->ecdh_privkey);
+#elif defined HAVE_GCRYPT_ECC
+    gcry_sexp_release(crypto->ecdh_privkey);
+#endif
     crypto->ecdh_privkey = NULL;
   }
 #endif
-- 
2.8.1


References:
Re: [PATCH 2/3] pki_gcrypt: Handle ECDSA keys and signaturesAndreas Schneider <asn@xxxxxxxxxxxxxx>
[PATCH 1/5] curve25519: Small libgcrypt bignum fixJustus Winter <justus@xxxxxxxxxxx>
Archive administrator: postmaster@lists.cynapses.org