static void
bench_ecdh_impl(int nid, const char *name)
{
const int iters = 1<<10;
int i;
uint64_t start, end;
reset_perftime();
start = perftime();
for (i = 0; i < iters; ++i) {
char secret_a[DH_BYTES], secret_b[DH_BYTES];
ssize_t slen_a, slen_b;
EC_KEY *dh_a = EC_KEY_new_by_curve_name(nid);
EC_KEY *dh_b = EC_KEY_new_by_curve_name(nid);
EC_KEY_generate_key(dh_a);
EC_KEY_generate_key(dh_b);
slen_a = ECDH_compute_key(secret_a, DH_BYTES,
EC_KEY_get0_public_key(dh_b), dh_a,
NULL);
slen_b = ECDH_compute_key(secret_b, DH_BYTES,
EC_KEY_get0_public_key(dh_a), dh_b,
NULL);
tor_assert(slen_a == slen_b);
tor_assert(!memcmp(secret_a, secret_b, slen_a));
EC_KEY_free(dh_a);
EC_KEY_free(dh_b);
}
end = perftime();
printf("Complete ECDH %s handshakes (2 public and 2 private ops):\n"
" %f millisec each.\n", name, NANOCOUNT(start, end, iters)/1e6);
}
void openssl_ec_crypt()
{
BIO *berr;
EC_KEY *key1, *key2;
unsigned int sig_len;
int clen, len1, len2;
EC_builtin_curve *curves;
EC_GROUP *group1, *group2;
const EC_KEY *key3, *key4;
const EC_GROUP *group3, *group4;
const EC_POINT *pubkey1, *pubkey2;
unsigned char shareKey1[COMM_LEN], shareKey2[COMM_LEN];
unsigned char *signature, cont[COMM_LEN] = "123456";
key1 = EC_KEY_new();
key2 = EC_KEY_new();
clen = EC_get_builtin_curves(NULL, 0);
curves = (EC_builtin_curve *) malloc(sizeof(EC_builtin_curve) * clen);
EC_get_builtin_curves(curves, clen);
group1 = EC_GROUP_new_by_curve_name(curves[25].nid);
group2 = EC_GROUP_new_by_curve_name(curves[25].nid);
group3 = group1;
group4 = group2;
EC_KEY_set_group(key1, group3);
EC_KEY_set_group(key2, group4);
EC_KEY_generate_key(key1);
EC_KEY_generate_key(key2);
EC_KEY_check_key(key1);
key3 = key1;
key4 = key2;
printf("\nECDSA_size: %d\n", ECDSA_size(key3));
signature = (unsigned char *)malloc(ECDSA_size(key3));
ERR_load_crypto_strings();
berr = BIO_new(BIO_s_file());
BIO_set_fp(berr, stdout, BIO_NOCLOSE);
ECDSA_sign(0, cont, 8, signature, &sig_len, key1);
ECDSA_verify(0, cont, 8, signature, sig_len, key1);
pubkey1 = EC_KEY_get0_public_key(key1);
pubkey2 = EC_KEY_get0_public_key(key2);
len1 = ECDH_compute_key(shareKey1, COMM_LEN, pubkey2, key1, NULL);
len2 = ECDH_compute_key(shareKey2, COMM_LEN, pubkey1, key1, NULL);
if (len1 != len2 || memcmp(shareKey1, shareKey2, len1) != 0) {
printf("ECDH_compute_key err!\n");
return;
}
BIO_free(berr);
EC_KEY_free(key1);
EC_KEY_free(key2);
free(signature);
free(curves);
}
static int ecdh_kat(BIO *out, const ecdh_kat_t *kat)
{
int rv = 0;
EC_KEY *key1 = NULL, *key2 = NULL;
BIGNUM *bnz = NULL;
unsigned char *Ztmp = NULL, *Z = NULL;
size_t Ztmplen, Zlen;
BIO_puts(out, "Testing ECDH shared secret with ");
BIO_puts(out, OBJ_nid2sn(kat->nid));
if(!BN_hex2bn(&bnz, kat->Z))
goto err;
key1 = mk_eckey(kat->nid, kat->da);
key2 = mk_eckey(kat->nid, kat->db);
if (!key1 || !key2)
goto err;
Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8;
Zlen = BN_num_bytes(bnz);
if (Zlen > Ztmplen)
goto err;
if((Ztmp = OPENSSL_zalloc(Ztmplen)) == NULL)
goto err;
if((Z = OPENSSL_zalloc(Ztmplen)) == NULL)
goto err;
/* Z offset compensates for bn2bin stripping leading 0x00 bytes */
if(!BN_bn2bin(bnz, Z + Ztmplen - Zlen))
goto err;
if (!ECDH_compute_key(Ztmp, Ztmplen,
EC_KEY_get0_public_key(key2), key1, 0))
goto err;
if (memcmp(Ztmp, Z, Ztmplen))
goto err;
memset(Ztmp, 0, Ztmplen);
if (!ECDH_compute_key(Ztmp, Ztmplen,
EC_KEY_get0_public_key(key1), key2, 0))
goto err;
if (memcmp(Ztmp, Z, Ztmplen))
goto err;
rv = 1;
err:
EC_KEY_free(key1);
EC_KEY_free(key2);
OPENSSL_free(Ztmp);
OPENSSL_free(Z);
BN_free(bnz);
if (rv)
BIO_puts(out, " ok\n");
else {
fprintf(stderr, "Error in ECDH routines\n");
ERR_print_errors_fp(stderr);
}
return rv;
}
// returns a 32-byte secret unique to these two keys. At least one private key must be known.
static void getECIESSecret (const openssl::ec_key& secretKey, const openssl::ec_key& publicKey, ECIES_ENC_KEY_TYPE& enc_key, ECIES_HMAC_KEY_TYPE& hmac_key)
{
EC_KEY* privkey = (EC_KEY*) secretKey.get();
EC_KEY* pubkey = (EC_KEY*) publicKey.get();
// Retrieve a secret generated from an EC key pair. At least one private key must be known.
if (privkey == nullptr || pubkey == nullptr)
throw std::runtime_error ("missing key");
if (! EC_KEY_get0_private_key (privkey))
{
throw std::runtime_error ("not a private key");
}
unsigned char rawbuf[512];
int buflen = ECDH_compute_key (rawbuf, 512, EC_KEY_get0_public_key (pubkey), privkey, nullptr);
if (buflen < ECIES_MIN_SEC)
throw std::runtime_error ("ecdh key failed");
unsigned char hbuf[ECIES_KEY_LENGTH];
ECIES_KEY_HASH (rawbuf, buflen, hbuf);
memset (rawbuf, 0, ECIES_HMAC_KEY_SIZE);
assert ((ECIES_ENC_KEY_SIZE + ECIES_HMAC_KEY_SIZE) >= ECIES_KEY_LENGTH);
memcpy (enc_key.begin (), hbuf, ECIES_ENC_KEY_SIZE);
memcpy (hmac_key.begin (), hbuf + ECIES_ENC_KEY_SIZE, ECIES_HMAC_KEY_SIZE);
memset (hbuf, 0, ECIES_KEY_LENGTH);
}
void CKey::getECIESSecret (CKey& otherKey, ECIES_ENC_KEY_TYPE& enc_key, ECIES_HMAC_KEY_TYPE& hmac_key)
{
// Retrieve a secret generated from an EC key pair. At least one private key must be known.
if (!pkey || !otherKey.pkey)
throw std::runtime_error ("missing key");
EC_KEY* pubkey, *privkey;
if (EC_KEY_get0_private_key (pkey))
{
privkey = pkey;
pubkey = otherKey.pkey;
}
else if (EC_KEY_get0_private_key (otherKey.pkey))
{
privkey = otherKey.pkey;
pubkey = pkey;
}
else throw std::runtime_error ("no private key");
unsigned char rawbuf[512];
int buflen = ECDH_compute_key (rawbuf, 512, EC_KEY_get0_public_key (pubkey), privkey, NULL);
if (buflen < ECIES_MIN_SEC)
throw std::runtime_error ("ecdh key failed");
unsigned char hbuf[ECIES_KEY_LENGTH];
ECIES_KEY_HASH (rawbuf, buflen, hbuf);
memset (rawbuf, 0, ECIES_HMAC_KEY_SIZE);
assert ((ECIES_ENC_KEY_SIZE + ECIES_HMAC_KEY_SIZE) >= ECIES_KEY_LENGTH);
memcpy (enc_key.begin (), hbuf, ECIES_ENC_KEY_SIZE);
memcpy (hmac_key.begin (), hbuf + ECIES_ENC_KEY_SIZE, ECIES_HMAC_KEY_SIZE);
memset (hbuf, 0, ECIES_KEY_LENGTH);
}
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, uint8_t *key,
size_t *keylen) {
int ret;
size_t outlen;
const EC_POINT *pubkey = NULL;
EC_KEY *eckey;
if (!ctx->pkey || !ctx->peerkey) {
OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET);
return 0;
}
eckey = ctx->pkey->pkey.ec;
if (!key) {
const EC_GROUP *group;
group = EC_KEY_get0_group(eckey);
*keylen = (EC_GROUP_get_degree(group) + 7) / 8;
return 1;
}
pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
/* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
* not an error, the result is truncated. */
outlen = *keylen;
ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);
if (ret < 0) {
return 0;
}
*keylen = ret;
return 1;
}
int
_libssh2_ecdh_gen_k(_libssh2_bn **k, _libssh2_ec_key *private_key,
const unsigned char *server_public_key, size_t server_public_key_len)
{
int ret = 0;
int rc;
size_t secret_len;
unsigned char *secret = NULL;
const EC_GROUP *private_key_group;
EC_POINT *server_public_key_point;
BN_CTX *bn_ctx = BN_CTX_new();
if(!bn_ctx)
return -1;
if(k == NULL)
return -1;
private_key_group = EC_KEY_get0_group(private_key);
server_public_key_point = EC_POINT_new(private_key_group);
if(server_public_key_point == NULL)
return -1;
rc = EC_POINT_oct2point(private_key_group, server_public_key_point, server_public_key, server_public_key_len, bn_ctx);
if(rc != 1) {
ret = -1;
goto clean_exit;
}
secret_len = (EC_GROUP_get_degree(private_key_group) + 7) / 8;
secret = malloc(secret_len);
if(!secret) {
ret = -1;
goto clean_exit;
}
secret_len = ECDH_compute_key(secret, secret_len, server_public_key_point, private_key, NULL);
if(secret_len <= 0 || secret_len > EC_MAX_POINT_LEN) {
ret = -1;
goto clean_exit;
}
BN_bin2bn(secret, secret_len, *k);
clean_exit:
if(server_public_key_point != NULL)
EC_POINT_free(server_public_key_point);
if(bn_ctx != NULL)
BN_CTX_free(bn_ctx);
if(secret != NULL)
free(secret);
return ret;
}
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
{
int ret;
size_t outlen;
const EC_POINT *pubkey = NULL;
if (!ctx->pkey || !ctx->peerkey)
{
ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET);
return 0;
}
if (!key)
{
const EC_GROUP *group;
group = EC_KEY_get0_group(ctx->pkey->pkey.ec);
*keylen = (EC_GROUP_get_degree(group) + 7)/8;
return 1;
}
pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
/* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
* not an error, the result is truncated.
*/
outlen = *keylen;
ret = ECDH_compute_key(key, outlen, pubkey, ctx->pkey->pkey.ec, 0);
if (ret < 0)
return ret;
*keylen = ret;
return 1;
}
static int ecdh_kat(BIO *out, const char *cname, int nid,
const unsigned char *k1, size_t k1_len,
const unsigned char *k2, size_t k2_len,
const unsigned char *Z, size_t Zlen)
{
int rv = 0;
EC_KEY *key1 = NULL, *key2 = NULL;
unsigned char *Ztmp = NULL;
size_t Ztmplen;
BIO_puts(out, "Testing ECDH shared secret with ");
BIO_puts(out, cname);
key1 = mk_eckey(nid, k1, k1_len);
key2 = mk_eckey(nid, k2, k2_len);
if (!key1 || !key2)
goto err;
Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8;
if (Ztmplen != Zlen)
goto err;
Ztmp = OPENSSL_malloc(Ztmplen);
if (!ECDH_compute_key(Ztmp, Ztmplen,
EC_KEY_get0_public_key(key2), key1, 0))
goto err;
if (memcmp(Ztmp, Z, Zlen))
goto err;
memset(Ztmp, 0, Zlen);
if (!ECDH_compute_key(Ztmp, Ztmplen,
EC_KEY_get0_public_key(key1), key2, 0))
goto err;
if (memcmp(Ztmp, Z, Zlen))
goto err;
rv = 1;
err:
if (key1)
EC_KEY_free(key1);
if (key2)
EC_KEY_free(key2);
if (Ztmp)
OPENSSL_free(Ztmp);
if (rv)
BIO_puts(out, " ok\n");
else {
fprintf(stderr, "Error in ECDH routines\n");
ERR_print_errors_fp(stderr);
}
return rv;
}
static int ecdh_build_k(ssh_session session) {
const EC_GROUP *group = EC_KEY_get0_group(session->next_crypto->ecdh_privkey);
EC_POINT *pubkey;
void *buffer;
int len = (EC_GROUP_get_degree(group) + 7) / 8;
bignum_CTX ctx = bignum_ctx_new();
if (ctx == NULL) {
return -1;
}
session->next_crypto->k = bignum_new();
if (session->next_crypto->k == NULL) {
bignum_ctx_free(ctx);
return -1;
}
pubkey = EC_POINT_new(group);
if (pubkey == NULL) {
bignum_ctx_free(ctx);
return -1;
}
if (session->server)
EC_POINT_oct2point(group,pubkey,ssh_string_data(session->next_crypto->ecdh_client_pubkey),
ssh_string_len(session->next_crypto->ecdh_client_pubkey),ctx);
else
EC_POINT_oct2point(group,pubkey,ssh_string_data(session->next_crypto->ecdh_server_pubkey),
ssh_string_len(session->next_crypto->ecdh_server_pubkey),ctx);
buffer = malloc(len);
ECDH_compute_key(buffer,len,pubkey,session->next_crypto->ecdh_privkey,NULL);
EC_POINT_free(pubkey);
BN_bin2bn(buffer,len,session->next_crypto->k);
free(buffer);
EC_KEY_free(session->next_crypto->ecdh_privkey);
session->next_crypto->ecdh_privkey=NULL;
#ifdef DEBUG_CRYPTO
ssh_print_hexa("Session server cookie",
session->next_crypto->server_kex.cookie, 16);
ssh_print_hexa("Session client cookie",
session->next_crypto->client_kex.cookie, 16);
ssh_print_bignum("Shared secret key", session->next_crypto->k);
#endif
#ifdef HAVE_LIBCRYPTO
bignum_ctx_free(ctx);
#endif
return 0;
}
// Generate a Shared secret key from
BIGNUM * CAlphaCrypt::GenerateSharedSecretKey(BIGNUM * pMasterKey, EC_POINT * lpPeerPubKey) {
EC_KEY * lpFullCurve = NULL; // Full elliptic curve
EC_POINT * pubKey = NULL; // The peer public key (bad guys one)
ECDH_DATA * ecdh_data = NULL; // Elliptic Curve data structure
BYTE secretKey[0x20] = {0}; // Shared secret key
BIGNUM * pSecretBn = NULL; // Secret shared key BIGNUM
int iRet = 0;
if (!lpPeerPubKey)
// Get the default AlphaCrypt peer public key
pubKey = GetAlphaCryptPublicKey(); // DON'T forget to delete it, damn heck! :-)
else
// Don't delete the following one:
pubKey = lpPeerPubKey;
if (!pubKey) return NULL;
// Create the FULL curve that contains public/private key pair
lpFullCurve = EC_KEY_new_by_curve_name(NID_secp256k1);
//EC_KEY_set_public_key(lpFullCurve, pStartKey); // No my own public key (I need to calculate it)
iRet = SetPrivateKey(lpFullCurve, pMasterKey);
iRet = EC_KEY_check_key(lpFullCurve);
// Compute the shared secret key
ecdh_data = ecdh_check(lpFullCurve);
if (ecdh_data)
ecdh_data->meth = ECDH_OpenSSL();
// Calculate shared secret key: My private Key * Peer public key
iRet = ECDH_compute_key(secretKey, 0x20, pubKey, lpFullCurve, NULL);
// Convert the secret key in a BIGNUMBER
pSecretBn = BN_bin2bn(secretKey, 0x20, NULL);
/*////////////////////////////////////////////////////////////////////////
// Brief explaination: //
Here is what "ECDH_compute_key" does:
Calculate "da * Qb" (that is equal to "da * db * G"). Where:
da = my ownPrivate key (the master key)
Qb = the peer Public key (standard one inserted in AlphaCrypt)
*////////////////////////////////////////////////////////////////////////
// Cleanup
EC_KEY_free(lpFullCurve);
if (pubKey != lpPeerPubKey)
EC_POINT_free(pubKey);
return pSecretBn;
}
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
size_t *keylen)
{
int ret;
size_t outlen;
const EC_POINT *pubkey = NULL;
EC_KEY *eckey;
EC_PKEY_CTX *dctx = ctx->data;
if (!ctx->pkey || !ctx->peerkey) {
ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET);
return 0;
}
eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec;
if (!key) {
const EC_GROUP *group;
group = EC_KEY_get0_group(eckey);
*keylen = (EC_GROUP_get_degree(group) + 7) / 8;
return 1;
}
pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
/*
* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is not
* an error, the result is truncated.
*/
outlen = *keylen;
#ifndef OPENSSL_NO_SM2
/*
if (dctx->ec_scheme == NID_sm_scheme)
ret = SM2_compute_key(key, outlen, pubkey, eckey, 0);
else
*/
#endif
ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);
if (ret <= 0)
return 0;
*keylen = ret;
return 1;
}
int crypt_ec_helper::ecdh(unsigned char **secret, EC_KEY *key, const EC_POINT *pPub)
{
int secretLen;
secretLen = EC_GROUP_get_degree(EC_KEY_get0_group(key));
secretLen = (secretLen + 7) / 8;
*secret = (unsigned char*)malloc(secretLen);
if (!(*secret))
{
fflush(stderr);
free(*secret);
throw std::runtime_error("Failed to allocate memory for secret.\n");
}
secretLen = ECDH_compute_key(*secret, secretLen, pPub, key, NULL);
return secretLen;
}
int CPK_PUBLIC_PARAMS_compute_share_key(CPK_PUBLIC_PARAMS *params,
void *out, size_t outlen, const char *id, EVP_PKEY *priv_key,
void *(*kdf)(const void *in, size_t inlen, void *out, size_t *outlen))
{
int ret = 0;
EVP_PKEY *pub_key = NULL;
int pkey_type = OBJ_obj2nid(params->pkey_algor->algorithm);
OPENSSL_assert(kdf != NULL);
printf("%d\n", __LINE__);
if (EVP_PKEY_id(priv_key) != pkey_type) {
CPKerr(CPK_F_CPK_PUBLIC_PARAMS_COMPUTE_SHARE_KEY,
ERR_R_MALLOC_FAILURE); //FIXME: ERR_R_XXX
goto err;
}
if (!(pub_key = CPK_PUBLIC_PARAMS_extract_public_key(params, id))) {
CPKerr(CPK_F_CPK_PUBLIC_PARAMS_COMPUTE_SHARE_KEY,
ERR_R_MALLOC_FAILURE); //FIXME: ERR_R_XXX
goto err;
}
if (pkey_type == EVP_PKEY_EC) {
if (!ECDH_compute_key(out, outlen,
EC_KEY_get0_public_key((EC_KEY *)EVP_PKEY_get0(pub_key)),
(EC_KEY *)EVP_PKEY_get0(priv_key), kdf)) {
CPKerr(CPK_F_CPK_PUBLIC_PARAMS_COMPUTE_SHARE_KEY,
ERR_R_MALLOC_FAILURE); //FIXME: ERR_R_XXX
goto err;
}
} else if (pkey_type == EVP_PKEY_DH) {
// not supported yet
goto err;
}
ret = 1;
err:
return ret;
}
static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out)
{
EC_KEY *a = NULL;
EC_KEY *b = NULL;
BIGNUM *x_a = NULL, *y_a = NULL, *x_b = NULL, *y_b = NULL;
char buf[12];
unsigned char *abuf = NULL, *bbuf = NULL;
int i, alen, blen, aout, bout, ret = 0;
const EC_GROUP *group;
a = EC_KEY_new_by_curve_name(nid);
b = EC_KEY_new_by_curve_name(nid);
if (a == NULL || b == NULL)
goto err;
group = EC_KEY_get0_group(a);
if ((x_a = BN_new()) == NULL)
goto err;
if ((y_a = BN_new()) == NULL)
goto err;
if ((x_b = BN_new()) == NULL)
goto err;
if ((y_b = BN_new()) == NULL)
goto err;
BIO_puts(out, "Testing key generation with ");
BIO_puts(out, text);
# ifdef NOISY
BIO_puts(out, "\n");
# else
(void)BIO_flush(out);
# endif
if (!EC_KEY_generate_key(a))
goto err;
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp
(group, EC_KEY_get0_public_key(a), x_a, y_a, ctx))
goto err;
}
# ifndef OPENSSL_NO_EC2M
else {
if (!EC_POINT_get_affine_coordinates_GF2m(group,
EC_KEY_get0_public_key(a),
x_a, y_a, ctx))
goto err;
}
# endif
# ifdef NOISY
BIO_puts(out, " pri 1=");
BN_print(out, a->priv_key);
BIO_puts(out, "\n pub 1=");
BN_print(out, x_a);
BIO_puts(out, ",");
BN_print(out, y_a);
BIO_puts(out, "\n");
# else
BIO_printf(out, " .");
(void)BIO_flush(out);
# endif
if (!EC_KEY_generate_key(b))
goto err;
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp
(group, EC_KEY_get0_public_key(b), x_b, y_b, ctx))
goto err;
}
# ifndef OPENSSL_NO_EC2M
else {
if (!EC_POINT_get_affine_coordinates_GF2m(group,
EC_KEY_get0_public_key(b),
x_b, y_b, ctx))
goto err;
}
# endif
# ifdef NOISY
BIO_puts(out, " pri 2=");
BN_print(out, b->priv_key);
BIO_puts(out, "\n pub 2=");
BN_print(out, x_b);
BIO_puts(out, ",");
BN_print(out, y_b);
BIO_puts(out, "\n");
# else
BIO_printf(out, ".");
(void)BIO_flush(out);
# endif
alen = KDF1_SHA1_len;
abuf = (unsigned char *)OPENSSL_malloc(alen);
aout =
ECDH_compute_key(abuf, alen, EC_KEY_get0_public_key(b), a, KDF1_SHA1);
# ifdef NOISY
BIO_puts(out, " key1 =");
for (i = 0; i < aout; i++) {
sprintf(buf, "%02X", abuf[i]);
BIO_puts(out, buf);
}
BIO_puts(out, "\n");
# else
BIO_printf(out, ".");
(void)BIO_flush(out);
# endif
blen = KDF1_SHA1_len;
bbuf = (unsigned char *)OPENSSL_malloc(blen);
bout =
ECDH_compute_key(bbuf, blen, EC_KEY_get0_public_key(a), b, KDF1_SHA1);
# ifdef NOISY
BIO_puts(out, " key2 =");
for (i = 0; i < bout; i++) {
sprintf(buf, "%02X", bbuf[i]);
BIO_puts(out, buf);
}
BIO_puts(out, "\n");
# else
BIO_printf(out, ".");
(void)BIO_flush(out);
# endif
if ((aout < 4) || (bout != aout) || (memcmp(abuf, bbuf, aout) != 0)) {
# ifndef NOISY
BIO_printf(out, " failed\n\n");
BIO_printf(out, "key a:\n");
BIO_printf(out, "private key: ");
BN_print(out, EC_KEY_get0_private_key(a));
BIO_printf(out, "\n");
BIO_printf(out, "public key (x,y): ");
BN_print(out, x_a);
BIO_printf(out, ",");
BN_print(out, y_a);
BIO_printf(out, "\nkey b:\n");
BIO_printf(out, "private key: ");
BN_print(out, EC_KEY_get0_private_key(b));
BIO_printf(out, "\n");
BIO_printf(out, "public key (x,y): ");
BN_print(out, x_b);
BIO_printf(out, ",");
BN_print(out, y_b);
BIO_printf(out, "\n");
BIO_printf(out, "generated key a: ");
for (i = 0; i < bout; i++) {
sprintf(buf, "%02X", bbuf[i]);
BIO_puts(out, buf);
}
BIO_printf(out, "\n");
BIO_printf(out, "generated key b: ");
for (i = 0; i < aout; i++) {
sprintf(buf, "%02X", abuf[i]);
BIO_puts(out, buf);
}
BIO_printf(out, "\n");
# endif
fprintf(stderr, "Error in ECDH routines\n");
ret = 0;
} else {
# ifndef NOISY
BIO_printf(out, " ok\n");
# endif
ret = 1;
}
err:
ERR_print_errors_fp(stderr);
if (abuf != NULL)
OPENSSL_free(abuf);
if (bbuf != NULL)
OPENSSL_free(bbuf);
if (x_a)
BN_free(x_a);
if (y_a)
BN_free(y_a);
if (x_b)
BN_free(x_b);
if (y_b)
BN_free(y_b);
if (b)
EC_KEY_free(b);
if (a)
EC_KEY_free(a);
return (ret);
}
static krb5_error_code
generate_ecdh_keyblock(krb5_context context,
EC_KEY *ec_key_pk, /* the client's public key */
EC_KEY **ec_key_key, /* the KDC's ephemeral private */
unsigned char **dh_gen_key, /* shared secret */
size_t *dh_gen_keylen)
{
const EC_GROUP *group;
EC_KEY *ephemeral;
krb5_keyblock key;
krb5_error_code ret;
unsigned char *p;
size_t size;
int len;
*dh_gen_key = NULL;
*dh_gen_keylen = 0;
*ec_key_key = NULL;
memset(&key, 0, sizeof(key));
if (ec_key_pk == NULL) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "public_key");
return ret;
}
group = EC_KEY_get0_group(ec_key_pk);
if (group == NULL) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "failed to get the group of "
"the client's public key");
return ret;
}
ephemeral = EC_KEY_new();
if (ephemeral == NULL)
return krb5_enomem(context);
EC_KEY_set_group(ephemeral, group);
if (EC_KEY_generate_key(ephemeral) != 1) {
EC_KEY_free(ephemeral);
return krb5_enomem(context);
}
size = (EC_GROUP_get_degree(group) + 7) / 8;
p = malloc(size);
if (p == NULL) {
EC_KEY_free(ephemeral);
return krb5_enomem(context);
}
len = ECDH_compute_key(p, size,
EC_KEY_get0_public_key(ec_key_pk),
ephemeral, NULL);
if (len <= 0) {
free(p);
EC_KEY_free(ephemeral);
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "Failed to compute ECDH "
"public shared secret");
return ret;
}
*ec_key_key = ephemeral;
*dh_gen_key = p;
*dh_gen_keylen = len;
return 0;
}
static int
input_kex_ecdh_init(int type, u_int32_t seq, struct ssh *ssh)
{
struct kex *kex = ssh->kex;
EC_POINT *client_public;
EC_KEY *server_key = NULL;
const EC_GROUP *group;
const EC_POINT *public_key;
BIGNUM *shared_secret = NULL;
struct sshkey *server_host_private, *server_host_public;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf = NULL;
u_char hash[SSH_DIGEST_MAX_LENGTH];
size_t slen, sbloblen;
size_t klen = 0, hashlen;
int r;
if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (EC_KEY_generate_key(server_key) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
group = EC_KEY_get0_group(server_key);
#ifdef DEBUG_KEXECDH
fputs("server private key:\n", stderr);
sshkey_dump_ec_key(server_key);
#endif
if (kex->load_host_public_key == NULL ||
kex->load_host_private_key == NULL) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
server_host_public = kex->load_host_public_key(kex->hostkey_type,
kex->hostkey_nid, ssh);
server_host_private = kex->load_host_private_key(kex->hostkey_type,
kex->hostkey_nid, ssh);
if (server_host_public == NULL) {
r = SSH_ERR_NO_HOSTKEY_LOADED;
goto out;
}
if ((client_public = EC_POINT_new(group)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshpkt_get_ec(ssh, client_public, group)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
#ifdef DEBUG_KEXECDH
fputs("client public key:\n", stderr);
sshkey_dump_ec_point(group, client_public);
#endif
if (sshkey_ec_validate_public(group, client_public) != 0) {
sshpkt_disconnect(ssh, "invalid client public key");
r = SSH_ERR_MESSAGE_INCOMPLETE;
goto out;
}
/* Calculate shared_secret */
klen = (EC_GROUP_get_degree(group) + 7) / 8;
if ((kbuf = malloc(klen)) == NULL ||
(shared_secret = BN_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (ECDH_compute_key(kbuf, klen, client_public,
server_key, NULL) != (int)klen ||
BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
/* calc H */
if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
&sbloblen)) != 0)
goto out;
hashlen = sizeof(hash);
if ((r = kex_ecdh_hash(
kex->hash_alg,
group,
kex->client_version_string,
kex->server_version_string,
sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
sshbuf_ptr(kex->my), sshbuf_len(kex->my),
server_host_key_blob, sbloblen,
client_public,
EC_KEY_get0_public_key(server_key),
shared_secret,
hash, &hashlen)) != 0)
goto out;
/* save session id := H */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = malloc(kex->session_id_len);
if (kex->session_id == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
if ((r = kex->sign(server_host_private, server_host_public, &signature,
&slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
goto out;
/* destroy_sensitive_data(); */
public_key = EC_KEY_get0_public_key(server_key);
/* send server hostkey, ECDH pubkey 'Q_S' and signed H */
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_REPLY)) != 0 ||
(r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
(r = sshpkt_put_ec(ssh, public_key, group)) != 0 ||
(r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
goto out;
if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
r = kex_send_newkeys(ssh);
out:
explicit_bzero(hash, sizeof(hash));
if (kex->ec_client_key) {
EC_KEY_free(kex->ec_client_key);
kex->ec_client_key = NULL;
}
if (server_key)
EC_KEY_free(server_key);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
if (shared_secret)
BN_clear_free(shared_secret);
free(server_host_key_blob);
free(signature);
return r;
}
static krb5_error_code
generate_dh_keyblock(krb5_context context,
pk_client_params *client_params,
krb5_enctype enctype)
{
unsigned char *dh_gen_key = NULL;
krb5_keyblock key;
krb5_error_code ret;
size_t dh_gen_keylen, size;
memset(&key, 0, sizeof(key));
if (client_params->keyex == USE_DH) {
if (client_params->u.dh.public_key == NULL) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "public_key");
goto out;
}
if (!DH_generate_key(client_params->u.dh.key)) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Can't generate Diffie-Hellman keys");
goto out;
}
dh_gen_keylen = DH_size(client_params->u.dh.key);
size = BN_num_bytes(client_params->u.dh.key->p);
if (size < dh_gen_keylen)
size = dh_gen_keylen;
dh_gen_key = malloc(size);
if (dh_gen_key == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
memset(dh_gen_key, 0, size - dh_gen_keylen);
dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen),
client_params->u.dh.public_key,
client_params->u.dh.key);
if (dh_gen_keylen == -1) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Can't compute Diffie-Hellman key");
goto out;
}
ret = 0;
#ifdef HAVE_OPENSSL
} else if (client_params->keyex == USE_ECDH) {
if (client_params->u.ecdh.public_key == NULL) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "public_key");
goto out;
}
client_params->u.ecdh.key = EC_KEY_new();
if (client_params->u.ecdh.key == NULL) {
ret = ENOMEM;
goto out;
}
EC_KEY_set_group(client_params->u.ecdh.key,
EC_KEY_get0_group(client_params->u.ecdh.public_key));
if (EC_KEY_generate_key(client_params->u.ecdh.key) != 1) {
ret = ENOMEM;
goto out;
}
size = (EC_GROUP_get_degree(EC_KEY_get0_group(client_params->u.ecdh.key)) + 7) / 8;
dh_gen_key = malloc(size);
if (dh_gen_key == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto out;
}
dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
EC_KEY_get0_public_key(client_params->u.ecdh.public_key),
client_params->u.ecdh.key, NULL);
#endif /* HAVE_OPENSSL */
} else {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Diffie-Hellman not selected keys");
goto out;
}
ret = _krb5_pk_octetstring2key(context,
enctype,
dh_gen_key, dh_gen_keylen,
NULL, NULL,
&client_params->reply_key);
out:
if (dh_gen_key)
free(dh_gen_key);
if (key.keyvalue.data)
krb5_free_keyblock_contents(context, &key);
return ret;
}
static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out) {
printf("in ecdh test\n");
EC_KEY *a = NULL; //EC_KEY is a structure
EC_KEY *b = NULL;
BIGNUM *x_a = NULL, *y_a = NULL, *x_b = NULL, *y_b = NULL;
char buf[12];
unsigned char *abuf = NULL, *bbuf = NULL;
int i, alen, blen, aout, bout, ret = 0;
const EC_GROUP *group;
a = EC_KEY_new_by_curve_name(nid);
// creates a new key according to the curve specified
//it fills in the EC_KEY structure // use function called EC_KEY *EC_KEY_new(void)
//also use a function called EC_GROUP_new_by_curve_name() creates a EC_GROUP structure specified by a curve name (in form of a NID) */
// the group returned is set in the EC_KEY structure.
b = EC_KEY_new_by_curve_name(nid);
if (a == NULL || b == NULL)
goto err;
group = EC_KEY_get0_group(a); //returns the EC_GROUP structure created by the EC_KEY structure
//EC_GROUP structure is present in the EC_KEY structure.
if ((x_a = BN_new()) == NULL)
goto err;
//BN_new returns a pointer to the bignum
if ((y_a = BN_new()) == NULL)
goto err;
if ((x_b = BN_new()) == NULL)
goto err;
if ((y_b = BN_new()) == NULL)
goto err;
BIO_puts(out, "Testing key generation with ");
BIO_puts(out, text);
#ifdef NOISY
printf ("noisy");
BIO_puts(out,"\n");
BIO_puts(out,"\n");
BIO_puts(out,"\n");
#else
BIO_flush(out);
#endif
//public key number one is created here
if (!EC_KEY_generate_key(a))
goto err;
//pass the filled EC_KEY structure and it will create a public or private ec key.
//it places the key in a->priv_key a->pub_key /// PUBLIC AND PVT KEYS ARE GENERATED BY THE SCALAR MULTIPLICATION
printf("\n1 ) generating keys\n");
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group))
== NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp(group,
EC_KEY_get0_public_key(a), x_a, y_a, ctx))
goto err;
}
//returns the public key
else {
if (!EC_POINT_get_affine_coordinates_GF2m(group,
EC_KEY_get0_public_key(a), x_a, y_a, ctx))
goto err;
}
//BN_print_fp(stdout, a->pub_key);
printf("private key is : ");
BN_print_fp(stdout, EC_KEY_get0_private_key(a));
printf("\nAffine cordinates x:");
BN_print_fp(stdout, x_a);
printf("\nAffine cordinates y:");
BN_print_fp(stdout, y_a);
printf(
"\n2 ) generated keys , generated affine points x and y , and also determided the primse brinary case\n");
#ifdef NOISY
printf("no generation");
BIO_puts(out," pri 1=");
BN_print(out,a->priv_key);
BIO_puts(out,"\n pub 1=");
BN_print(out,x_a);
BIO_puts(out,",");
BN_print(out,y_a);
BIO_puts(out,"\n");
#else
BIO_printf(out, " .");
BIO_flush(out);
#endif
//public key number two is created here
if (!EC_KEY_generate_key(b))
goto err;
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group))
== NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp(group,
EC_KEY_get0_public_key(b), x_b, y_b, ctx))
goto err;
// not well
} else {
if (!EC_POINT_get_affine_coordinates_GF2m(group,
EC_KEY_get0_public_key(b), x_b, y_b, ctx))
goto err;
}
// printf("public key is : ");
// BN_print_fp(stdout, EC_KEY_get0_private_key(b));
// for public key they will exchange the whole EC_POINT structure
printf("private key is : ");
BN_print_fp(stdout, EC_KEY_get0_private_key(b));
printf("\nAffine cordinates x");
BN_print_fp(stdout, x_b);
printf("\nAffine cordinates y");
BN_print_fp(stdout, y_b);
#ifdef NOISY
BIO_puts(out," pri 2=");
BN_print(out,b->priv_key);
BIO_puts(out,"\n pub 2=");
BN_print(out,x_b);
BIO_puts(out,",");
BN_print(out,y_b);
BIO_puts(out,"\n");
#else
BIO_printf(out, ".");
BIO_flush(out);
#endif
alen = KDF1_SHA1_len; ///it is a static constant integer.
abuf = (unsigned char *) OPENSSL_malloc(alen);
aout = ECDH_compute_key(abuf, alen, EC_KEY_get0_public_key(b), a,
KDF1_SHA1); //generating session key
// BN_print(out, abuf);
//BIO_puts(out,"\n");
#ifdef NOISY
BIO_puts(out," key1 =");
for (i=0; i<aout; i++)
{
sprintf(buf,"%02X",abuf[i]);
BIO_puts(out,buf);
}
BIO_puts(out,"\n");
#else
BIO_printf(out, ".");
BIO_flush(out);
#endif
blen = KDF1_SHA1_len;
bbuf = (unsigned char *) OPENSSL_malloc(blen);
bout = ECDH_compute_key(bbuf, blen, EC_KEY_get0_public_key(a), b,
KDF1_SHA1);
// BN_print(out, bbuf);
// BIO_puts(out,"\n");
#ifdef NOISY
BIO_puts(out," key2 =");
for (i=0; i<bout; i++)
{
sprintf(buf,"%02X",bbuf[i]);
BIO_puts(out,buf);
}
BIO_puts(out,"\n");
#else
BIO_printf(out, ".");
BIO_flush(out);
#endif
if ((aout < 4) || (bout != aout) || (memcmp(abuf, bbuf, aout) != 0)) {
#ifndef NOISY
BIO_printf(out, " failed\n\n");
BIO_printf(out, "key a:\n");
BIO_printf(out, "private key: ");
BN_print(out, EC_KEY_get0_private_key(a));
BIO_printf(out, "\n");
BIO_printf(out, "public key (x,y): ");
BN_print(out, x_a);
BIO_printf(out, ",");
BN_print(out, y_a);
BIO_printf(out, "\nkey b:\n");
BIO_printf(out, "private key: ");
BN_print(out, EC_KEY_get0_private_key(b));
BIO_printf(out, "\n");
BIO_printf(out, "public key (x,y): ");
BN_print(out, x_b);
BIO_printf(out, ",");
BN_print(out, y_b);
BIO_printf(out, "\n");
BIO_printf(out, "generated key a: ");
for (i = 0; i < bout; i++) {
sprintf(buf, "%02X", bbuf[i]);
BIO_puts(out, buf);
}
BIO_printf(out, "\n");
BIO_printf(out, "generated key b: ");
for (i = 0; i < aout; i++) {
sprintf(buf, "%02X", abuf[i]);
BIO_puts(out, buf);
}
BIO_printf(out, "\n");
#endif
fprintf(stderr, "Error in ECDH routines\n");
ret = 0;
} else {
#ifndef NOISY
BIO_printf(out, " ok\n");
#endif
ret = 1;
}
err: ERR_print_errors_fp(stderr);
if (abuf != NULL)
OPENSSL_free(abuf);
if (bbuf != NULL)
OPENSSL_free(bbuf);
if (x_a)
BN_free(x_a);
if (y_a)
BN_free(y_a);
if (x_b)
BN_free(x_b);
if (y_b)
BN_free(y_b);
if (b)
EC_KEY_free(b);
if (a)
EC_KEY_free(a);
return (ret);
}
static int
input_kex_ecdh_reply(int type, u_int32_t seq, void *ctxt)
{
struct ssh *ssh = ctxt;
struct kex *kex = ssh->kex;
const EC_GROUP *group;
EC_POINT *server_public = NULL;
EC_KEY *client_key;
BIGNUM *shared_secret = NULL;
struct sshkey *server_host_key = NULL;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf = NULL;
u_char hash[SSH_DIGEST_MAX_LENGTH];
size_t slen, sbloblen;
size_t klen = 0, hashlen;
int r;
if (kex->verify_host_key == NULL) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
group = kex->ec_group;
client_key = kex->ec_client_key;
/* hostkey */
if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
&sbloblen)) != 0 ||
(r = sshkey_from_blob(server_host_key_blob, sbloblen,
&server_host_key)) != 0)
goto out;
if (server_host_key->type != kex->hostkey_type ||
(kex->hostkey_type == KEY_ECDSA &&
server_host_key->ecdsa_nid != kex->hostkey_nid)) {
r = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
if (kex->verify_host_key(server_host_key, ssh) == -1) {
r = SSH_ERR_SIGNATURE_INVALID;
goto out;
}
/* Q_S, server public key */
/* signed H */
if ((server_public = EC_POINT_new(group)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshpkt_get_ec(ssh, server_public, group)) != 0 ||
(r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
#ifdef DEBUG_KEXECDH
fputs("server public key:\n", stderr);
sshkey_dump_ec_point(group, server_public);
#endif
if (sshkey_ec_validate_public(group, server_public) != 0) {
sshpkt_disconnect(ssh, "invalid server public key");
r = SSH_ERR_MESSAGE_INCOMPLETE;
goto out;
}
klen = (EC_GROUP_get_degree(group) + 7) / 8;
if ((kbuf = malloc(klen)) == NULL ||
(shared_secret = BN_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (ECDH_compute_key(kbuf, klen, server_public,
client_key, NULL) != (int)klen ||
BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
/* calc and verify H */
hashlen = sizeof(hash);
if ((r = kex_ecdh_hash(
kex->hash_alg,
group,
kex->client_version_string,
kex->server_version_string,
sshbuf_ptr(kex->my), sshbuf_len(kex->my),
sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
server_host_key_blob, sbloblen,
EC_KEY_get0_public_key(client_key),
server_public,
shared_secret,
hash, &hashlen)) != 0)
goto out;
if ((r = sshkey_verify(server_host_key, signature, slen, hash,
hashlen, ssh->compat)) != 0)
goto out;
/* save session id */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = malloc(kex->session_id_len);
if (kex->session_id == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(kex->session_id, hash, kex->session_id_len);
}
if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
r = kex_send_newkeys(ssh);
out:
explicit_bzero(hash, sizeof(hash));
if (kex->ec_client_key) {
EC_KEY_free(kex->ec_client_key);
kex->ec_client_key = NULL;
}
if (server_public)
EC_POINT_clear_free(server_public);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
if (shared_secret)
BN_clear_free(shared_secret);
sshkey_free(server_host_key);
free(server_host_key_blob);
free(signature);
return r;
}
void
kexecdh_client(Kex *kex)
{
EC_KEY *client_key;
EC_POINT *server_public;
const EC_GROUP *group;
BIGNUM *shared_secret;
Key *server_host_key;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
u_int klen, slen, sbloblen, hashlen;
if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL)
fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
if (EC_KEY_generate_key(client_key) != 1)
fatal("%s: EC_KEY_generate_key failed", __func__);
group = EC_KEY_get0_group(client_key);
packet_start(SSH2_MSG_KEX_ECDH_INIT);
packet_put_ecpoint(group, EC_KEY_get0_public_key(client_key));
packet_send();
debug("sending SSH2_MSG_KEX_ECDH_INIT");
#ifdef DEBUG_KEXECDH
fputs("client private key:\n", stderr);
key_dump_ec_key(client_key);
#endif
debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY);
/* hostkey */
server_host_key_blob = packet_get_string(&sbloblen);
server_host_key = key_from_blob(server_host_key_blob, sbloblen);
if (server_host_key == NULL)
fatal("cannot decode server_host_key_blob");
if (server_host_key->type != kex->hostkey_type)
fatal("type mismatch for decoded server_host_key_blob");
if (kex->verify_host_key == NULL)
fatal("cannot verify server_host_key");
if (kex->verify_host_key(server_host_key) == -1)
fatal("server_host_key verification failed");
/* Q_S, server public key */
if ((server_public = EC_POINT_new(group)) == NULL)
fatal("%s: EC_POINT_new failed", __func__);
packet_get_ecpoint(group, server_public);
if (key_ec_validate_public(group, server_public) != 0)
fatal("%s: invalid server public key", __func__);
#ifdef DEBUG_KEXECDH
fputs("server public key:\n", stderr);
key_dump_ec_point(group, server_public);
#endif
/* signed H */
signature = packet_get_string(&slen);
packet_check_eom();
klen = (EC_GROUP_get_degree(group) + 7) / 8;
kbuf = xmalloc(klen);
if (ECDH_compute_key(kbuf, klen, server_public,
client_key, NULL) != (int)klen)
fatal("%s: ECDH_compute_key failed", __func__);
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("%s: BN_new failed", __func__);
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
fatal("%s: BN_bin2bn failed", __func__);
memset(kbuf, 0, klen);
free(kbuf);
/* calc and verify H */
kex_ecdh_hash(
kex->evp_md,
group,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
server_host_key_blob, sbloblen,
EC_KEY_get0_public_key(client_key),
server_public,
shared_secret,
&hash, &hashlen
);
free(server_host_key_blob);
EC_POINT_clear_free(server_public);
EC_KEY_free(client_key);
if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
free(signature);
/* save session id */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
void
kexecdh_server(Kex *kex)
{
EC_POINT *client_public;
EC_KEY *server_key;
const EC_GROUP *group;
BIGNUM *shared_secret;
Key *server_host_private, *server_host_public;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
u_int klen, slen, sbloblen, hashlen;
int curve_nid;
if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1)
fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name);
if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL)
fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
if (EC_KEY_generate_key(server_key) != 1)
fatal("%s: EC_KEY_generate_key failed", __func__);
group = EC_KEY_get0_group(server_key);
#ifdef DEBUG_KEXECDH
fputs("server private key:\n", stderr);
key_dump_ec_key(server_key);
#endif
if (kex->load_host_public_key == NULL ||
kex->load_host_private_key == NULL)
fatal("Cannot load hostkey");
server_host_public = kex->load_host_public_key(kex->hostkey_type);
if (server_host_public == NULL)
fatal("Unsupported hostkey type %d", kex->hostkey_type);
server_host_private = kex->load_host_private_key(kex->hostkey_type);
if (server_host_private == NULL)
fatal("Missing private key for hostkey type %d",
kex->hostkey_type);
debug("expecting SSH2_MSG_KEX_ECDH_INIT");
packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);
if ((client_public = EC_POINT_new(group)) == NULL)
fatal("%s: EC_POINT_new failed", __func__);
packet_get_ecpoint(group, client_public);
packet_check_eom();
if (key_ec_validate_public(group, client_public) != 0)
fatal("%s: invalid client public key", __func__);
#ifdef DEBUG_KEXECDH
fputs("client public key:\n", stderr);
key_dump_ec_point(group, client_public);
#endif
/* Calculate shared_secret */
klen = (EC_GROUP_get_degree(group) + 7) / 8;
kbuf = xmalloc(klen);
if (ECDH_compute_key(kbuf, klen, client_public,
server_key, NULL) != (int)klen)
fatal("%s: ECDH_compute_key failed", __func__);
#ifdef DEBUG_KEXDH
dump_digest("shared secret", kbuf, klen);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("%s: BN_new failed", __func__);
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
fatal("%s: BN_bin2bn failed", __func__);
memset(kbuf, 0, klen);
xfree(kbuf);
/* calc H */
key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
kex_ecdh_hash(
kex->evp_md,
group,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
buffer_ptr(&kex->my), buffer_len(&kex->my),
server_host_key_blob, sbloblen,
client_public,
EC_KEY_get0_public_key(server_key),
shared_secret,
&hash, &hashlen
);
EC_POINT_clear_free(client_public);
/* save session id := H */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
if (PRIVSEP(key_sign(server_host_private, &signature, &slen,
hash, hashlen)) < 0)
fatal("kexdh_server: key_sign failed");
/* destroy_sensitive_data(); */
/* send server hostkey, ECDH pubkey 'Q_S' and signed H */
packet_start(SSH2_MSG_KEX_ECDH_REPLY);
packet_put_string(server_host_key_blob, sbloblen);
packet_put_ecpoint(group, EC_KEY_get0_public_key(server_key));
packet_put_string(signature, slen);
packet_send();
xfree(signature);
xfree(server_host_key_blob);
/* have keys, free server key */
EC_KEY_free(server_key);
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
int main() {
srand((unsigned)time(NULL));
int i;
EC_KEY* key;
//key = EC_KEY_new_by_curve_name(415);
key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
const EC_GROUP *group = EC_KEY_get0_group(key);
if (EC_KEY_generate_key(key)==0) {
printf("Error generate key\n");
return -1;
}
unsigned char pk_b[33];
const EC_POINT *pub = EC_KEY_get0_public_key(key);
if (EC_POINT_point2oct(group, pub, POINT_CONVERSION_COMPRESSED, pk_b, 33, 0)!=33) {
printf("Error 2\n");
return -1;
}
unsigned char h1[16],h2[16];
printf("\x02");
for (i=0;i<16;i++) {
h1[i]=rand()%256;
printf("%c",h1[i]);
}
for (i=0;i<33;i++)
printf("%c",pk_b[i]);
fflush(stdout);
//get h2
for (i=0;i<16;i++)
h2[i]=rand()%256;
for (i=0;i<16;i++)
scanf("%c",&h2[i]);
//get peerpk_b
unsigned char peerpk_b[33]={2 , 30 , 25 , 50 , 17 , 242 , 232 , 55 , 157 , 18 , 106 , 115 , 214 , 193 , 192 , 39 , 207 , 226 , 184 , 216 , 244 , 147 , 111 , 188 , 125 , 230 , 38 , 125 , 231 , 50 , 56 , 152 , 148 };
for (i=0;i<33;i++)
scanf("%c",&peerpk_b[i]);
EC_POINT *peerpk = EC_POINT_new(group);
if (EC_POINT_oct2point(group, peerpk, peerpk_b, 33, 0)==0) {
printf("Error 3\n");
return -1;
}
unsigned char skey[33];
if (ECDH_compute_key(skey, 32, peerpk, key, NULL)==0) {
printf("Error 4\n");
return -1;
}
SHA512_CTX shactx;
unsigned char hash[SHA512_DIGEST_LENGTH];
SHA512_Init(&shactx);
SHA512_Update(&shactx, h2, 16);
SHA512_Update(&shactx, skey, 32);
SHA512_Update(&shactx, h1, 16);
SHA512_Final(hash, &shactx);
for (i=0;i<64;i++)
printf("%02x",hash[i]);
fflush(stdout);
struct cipher c;
c.recvfd=0;
c.sendfd=1;
for (i=0;i<16;i++)
c.sendkey[i]=hash[i];
for (i=0;i<4;i++)
c.sendiv[i]=hash[32+i];
for (i=0;i<16;i++)
c.recvkey[i]=hash[16+i];
for (i=0;i<4;i++)
c.recviv[i]=hash[36+i];
c.sendcnt=0;
c.recvcnt=0;
unsigned char d[1000];
unsigned char oiv[8];
int op;
char dlen;
while (true) {
scanf("%d",&op);
scanf("%c",&dlen);
scanf("%c",&dlen);
for (i=0;i<dlen;i++)
scanf("%c",&d[i]);
if (op==1) {
for (i=0;i<8;i++)
oiv[i]=rand()%256;
encrypt(c,d,dlen,oiv);
c.recvcnt+=1;
} else if (op==2) {
for (i=0;i<8;i++)
scanf("%c",&oiv[i]);
decrypt(c,d,dlen,oiv, NULL);
c.sendcnt+=1;
}
fflush(stdout);
}
return 0;
}
/*
* NIST SP800-56A co-factor ECDH tests.
* KATs taken from NIST documents with parameters:
*
* - (QCAVSx,QCAVSy) is the public key for CAVS.
* - dIUT is the private key for IUT.
* - (QIUTx,QIUTy) is the public key for IUT.
* - ZIUT is the shared secret KAT.
*
* CAVS: Cryptographic Algorithm Validation System
* IUT: Implementation Under Test
*
* This function tests two things:
*
* 1. dIUT * G = (QIUTx,QIUTy)
* i.e. public key for IUT computes correctly.
* 2. x-coord of cofactor * dIUT * (QCAVSx,QCAVSy) = ZIUT
* i.e. co-factor ECDH key computes correctly.
*
* returns zero on failure or unsupported curve. One otherwise.
*/
static int ecdh_cavs_kat(BIO *out, const ecdh_cavs_kat_t *kat)
{
int rv = 0, is_char_two = 0;
EC_KEY *key1 = NULL;
EC_POINT *pub = NULL;
const EC_GROUP *group = NULL;
BIGNUM *bnz = NULL, *x = NULL, *y = NULL;
unsigned char *Ztmp = NULL, *Z = NULL;
size_t Ztmplen, Zlen;
BIO_puts(out, "Testing ECC CDH Primitive SP800-56A with ");
BIO_puts(out, OBJ_nid2sn(kat->nid));
/* dIUT is IUT's private key */
if ((key1 = mk_eckey(kat->nid, kat->dIUT)) == NULL)
goto err;
/* these are cofactor ECDH KATs */
EC_KEY_set_flags(key1, EC_FLAG_COFACTOR_ECDH);
if ((group = EC_KEY_get0_group(key1)) == NULL)
goto err;
if ((pub = EC_POINT_new(group)) == NULL)
goto err;
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_characteristic_two_field)
is_char_two = 1;
/* (QIUTx, QIUTy) is IUT's public key */
if(!BN_hex2bn(&x, kat->QIUTx))
goto err;
if(!BN_hex2bn(&y, kat->QIUTy))
goto err;
if (is_char_two) {
#ifdef OPENSSL_NO_EC2M
goto err;
#else
if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL))
goto err;
#endif
}
else {
if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL))
goto err;
}
/* dIUT * G = (QIUTx, QIUTy) should hold */
if (EC_POINT_cmp(group, EC_KEY_get0_public_key(key1), pub, NULL))
goto err;
/* (QCAVSx, QCAVSy) is CAVS's public key */
if(!BN_hex2bn(&x, kat->QCAVSx))
goto err;
if(!BN_hex2bn(&y, kat->QCAVSy))
goto err;
if (is_char_two) {
#ifdef OPENSSL_NO_EC2M
goto err;
#else
if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL))
goto err;
#endif
}
else {
if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL))
goto err;
}
/* ZIUT is the shared secret */
if(!BN_hex2bn(&bnz, kat->ZIUT))
goto err;
Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8;
Zlen = BN_num_bytes(bnz);
if (Zlen > Ztmplen)
goto err;
if((Ztmp = OPENSSL_zalloc(Ztmplen)) == NULL)
goto err;
if((Z = OPENSSL_zalloc(Ztmplen)) == NULL)
goto err;
if(!BN_bn2binpad(bnz, Z, Ztmplen))
goto err;
if (!ECDH_compute_key(Ztmp, Ztmplen, pub, key1, 0))
goto err;
/* shared secrets should be identical */
if (memcmp(Ztmp, Z, Ztmplen))
goto err;
rv = 1;
err:
EC_KEY_free(key1);
EC_POINT_free(pub);
BN_free(bnz);
BN_free(x);
BN_free(y);
OPENSSL_free(Ztmp);
OPENSSL_free(Z);
if (rv) {
BIO_puts(out, " ok\n");
}
else {
fprintf(stderr, "Error in ECC CDH routines\n");
ERR_print_errors_fp(stderr);
}
return rv;
}
int FIPS_selftest_ecdh(void)
{
EC_KEY *ec1 = NULL, *ec2 = NULL;
const EC_POINT *ecp = NULL;
BIGNUM *x = NULL, *y = NULL, *d = NULL;
unsigned char *ztmp = NULL;
int rv = 1;
size_t i;
for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {
ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
continue;
ztmp = OPENSSL_malloc(ecd->zlen);
x = BN_bin2bn(ecd->x1, ecd->x1len, x);
y = BN_bin2bn(ecd->y1, ecd->y1len, y);
d = BN_bin2bn(ecd->d1, ecd->d1len, d);
if (!x || !y || !d || !ztmp) {
rv = -1;
goto err;
}
ec1 = EC_KEY_new_by_curve_name(ecd->curve);
if (!ec1) {
rv = -1;
goto err;
}
EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
rv = -1;
goto err;
}
if (!EC_KEY_set_private_key(ec1, d)) {
rv = -1;
goto err;
}
x = BN_bin2bn(ecd->x2, ecd->x2len, x);
y = BN_bin2bn(ecd->y2, ecd->y2len, y);
if (!x || !y) {
rv = -1;
goto err;
}
ec2 = EC_KEY_new_by_curve_name(ecd->curve);
if (!ec2) {
rv = -1;
goto err;
}
EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
rv = -1;
goto err;
}
ecp = EC_KEY_get0_public_key(ec2);
if (!ecp) {
rv = -1;
goto err;
}
if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
rv = -1;
goto err;
}
if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
ztmp[0] ^= 0x1;
if (memcmp(ztmp, ecd->z, ecd->zlen)) {
fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
rv = 0;
} else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
goto err;
EC_KEY_free(ec1);
ec1 = NULL;
EC_KEY_free(ec2);
ec2 = NULL;
OPENSSL_free(ztmp);
ztmp = NULL;
}
err:
if (x)
BN_clear_free(x);
if (y)
BN_clear_free(y);
if (d)
BN_clear_free(d);
if (ec1)
EC_KEY_free(ec1);
if (ec2)
EC_KEY_free(ec2);
if (ztmp)
OPENSSL_free(ztmp);
return rv;
}
