static void bench_ecdh_impl(int nid, const char *name) { const int iters = 1<<10; int i; uint64_t start, end; reset_perftime(); start = perftime(); for (i = 0; i < iters; ++i) { char secret_a[DH_BYTES], secret_b[DH_BYTES]; ssize_t slen_a, slen_b; EC_KEY *dh_a = EC_KEY_new_by_curve_name(nid); EC_KEY *dh_b = EC_KEY_new_by_curve_name(nid); EC_KEY_generate_key(dh_a); EC_KEY_generate_key(dh_b); slen_a = ECDH_compute_key(secret_a, DH_BYTES, EC_KEY_get0_public_key(dh_b), dh_a, NULL); slen_b = ECDH_compute_key(secret_b, DH_BYTES, EC_KEY_get0_public_key(dh_a), dh_b, NULL); tor_assert(slen_a == slen_b); tor_assert(!memcmp(secret_a, secret_b, slen_a)); EC_KEY_free(dh_a); EC_KEY_free(dh_b); } end = perftime(); printf("Complete ECDH %s handshakes (2 public and 2 private ops):\n" " %f millisec each.\n", name, NANOCOUNT(start, end, iters)/1e6); }
void openssl_ec_crypt() { BIO *berr; EC_KEY *key1, *key2; unsigned int sig_len; int clen, len1, len2; EC_builtin_curve *curves; EC_GROUP *group1, *group2; const EC_KEY *key3, *key4; const EC_GROUP *group3, *group4; const EC_POINT *pubkey1, *pubkey2; unsigned char shareKey1[COMM_LEN], shareKey2[COMM_LEN]; unsigned char *signature, cont[COMM_LEN] = "123456"; key1 = EC_KEY_new(); key2 = EC_KEY_new(); clen = EC_get_builtin_curves(NULL, 0); curves = (EC_builtin_curve *) malloc(sizeof(EC_builtin_curve) * clen); EC_get_builtin_curves(curves, clen); group1 = EC_GROUP_new_by_curve_name(curves[25].nid); group2 = EC_GROUP_new_by_curve_name(curves[25].nid); group3 = group1; group4 = group2; EC_KEY_set_group(key1, group3); EC_KEY_set_group(key2, group4); EC_KEY_generate_key(key1); EC_KEY_generate_key(key2); EC_KEY_check_key(key1); key3 = key1; key4 = key2; printf("\nECDSA_size: %d\n", ECDSA_size(key3)); signature = (unsigned char *)malloc(ECDSA_size(key3)); ERR_load_crypto_strings(); berr = BIO_new(BIO_s_file()); BIO_set_fp(berr, stdout, BIO_NOCLOSE); ECDSA_sign(0, cont, 8, signature, &sig_len, key1); ECDSA_verify(0, cont, 8, signature, sig_len, key1); pubkey1 = EC_KEY_get0_public_key(key1); pubkey2 = EC_KEY_get0_public_key(key2); len1 = ECDH_compute_key(shareKey1, COMM_LEN, pubkey2, key1, NULL); len2 = ECDH_compute_key(shareKey2, COMM_LEN, pubkey1, key1, NULL); if (len1 != len2 || memcmp(shareKey1, shareKey2, len1) != 0) { printf("ECDH_compute_key err!\n"); return; } BIO_free(berr); EC_KEY_free(key1); EC_KEY_free(key2); free(signature); free(curves); }
static int ecdh_kat(BIO *out, const ecdh_kat_t *kat) { int rv = 0; EC_KEY *key1 = NULL, *key2 = NULL; BIGNUM *bnz = NULL; unsigned char *Ztmp = NULL, *Z = NULL; size_t Ztmplen, Zlen; BIO_puts(out, "Testing ECDH shared secret with "); BIO_puts(out, OBJ_nid2sn(kat->nid)); if(!BN_hex2bn(&bnz, kat->Z)) goto err; key1 = mk_eckey(kat->nid, kat->da); key2 = mk_eckey(kat->nid, kat->db); if (!key1 || !key2) goto err; Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8; Zlen = BN_num_bytes(bnz); if (Zlen > Ztmplen) goto err; if((Ztmp = OPENSSL_zalloc(Ztmplen)) == NULL) goto err; if((Z = OPENSSL_zalloc(Ztmplen)) == NULL) goto err; /* Z offset compensates for bn2bin stripping leading 0x00 bytes */ if(!BN_bn2bin(bnz, Z + Ztmplen - Zlen)) goto err; if (!ECDH_compute_key(Ztmp, Ztmplen, EC_KEY_get0_public_key(key2), key1, 0)) goto err; if (memcmp(Ztmp, Z, Ztmplen)) goto err; memset(Ztmp, 0, Ztmplen); if (!ECDH_compute_key(Ztmp, Ztmplen, EC_KEY_get0_public_key(key1), key2, 0)) goto err; if (memcmp(Ztmp, Z, Ztmplen)) goto err; rv = 1; err: EC_KEY_free(key1); EC_KEY_free(key2); OPENSSL_free(Ztmp); OPENSSL_free(Z); BN_free(bnz); if (rv) BIO_puts(out, " ok\n"); else { fprintf(stderr, "Error in ECDH routines\n"); ERR_print_errors_fp(stderr); } return rv; }
// returns a 32-byte secret unique to these two keys. At least one private key must be known. static void getECIESSecret (const openssl::ec_key& secretKey, const openssl::ec_key& publicKey, ECIES_ENC_KEY_TYPE& enc_key, ECIES_HMAC_KEY_TYPE& hmac_key) { EC_KEY* privkey = (EC_KEY*) secretKey.get(); EC_KEY* pubkey = (EC_KEY*) publicKey.get(); // Retrieve a secret generated from an EC key pair. At least one private key must be known. if (privkey == nullptr || pubkey == nullptr) throw std::runtime_error ("missing key"); if (! EC_KEY_get0_private_key (privkey)) { throw std::runtime_error ("not a private key"); } unsigned char rawbuf[512]; int buflen = ECDH_compute_key (rawbuf, 512, EC_KEY_get0_public_key (pubkey), privkey, nullptr); if (buflen < ECIES_MIN_SEC) throw std::runtime_error ("ecdh key failed"); unsigned char hbuf[ECIES_KEY_LENGTH]; ECIES_KEY_HASH (rawbuf, buflen, hbuf); memset (rawbuf, 0, ECIES_HMAC_KEY_SIZE); assert ((ECIES_ENC_KEY_SIZE + ECIES_HMAC_KEY_SIZE) >= ECIES_KEY_LENGTH); memcpy (enc_key.begin (), hbuf, ECIES_ENC_KEY_SIZE); memcpy (hmac_key.begin (), hbuf + ECIES_ENC_KEY_SIZE, ECIES_HMAC_KEY_SIZE); memset (hbuf, 0, ECIES_KEY_LENGTH); }
void CKey::getECIESSecret (CKey& otherKey, ECIES_ENC_KEY_TYPE& enc_key, ECIES_HMAC_KEY_TYPE& hmac_key) { // Retrieve a secret generated from an EC key pair. At least one private key must be known. if (!pkey || !otherKey.pkey) throw std::runtime_error ("missing key"); EC_KEY* pubkey, *privkey; if (EC_KEY_get0_private_key (pkey)) { privkey = pkey; pubkey = otherKey.pkey; } else if (EC_KEY_get0_private_key (otherKey.pkey)) { privkey = otherKey.pkey; pubkey = pkey; } else throw std::runtime_error ("no private key"); unsigned char rawbuf[512]; int buflen = ECDH_compute_key (rawbuf, 512, EC_KEY_get0_public_key (pubkey), privkey, NULL); if (buflen < ECIES_MIN_SEC) throw std::runtime_error ("ecdh key failed"); unsigned char hbuf[ECIES_KEY_LENGTH]; ECIES_KEY_HASH (rawbuf, buflen, hbuf); memset (rawbuf, 0, ECIES_HMAC_KEY_SIZE); assert ((ECIES_ENC_KEY_SIZE + ECIES_HMAC_KEY_SIZE) >= ECIES_KEY_LENGTH); memcpy (enc_key.begin (), hbuf, ECIES_ENC_KEY_SIZE); memcpy (hmac_key.begin (), hbuf + ECIES_ENC_KEY_SIZE, ECIES_HMAC_KEY_SIZE); memset (hbuf, 0, ECIES_KEY_LENGTH); }
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, uint8_t *key, size_t *keylen) { int ret; size_t outlen; const EC_POINT *pubkey = NULL; EC_KEY *eckey; if (!ctx->pkey || !ctx->peerkey) { OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET); return 0; } eckey = ctx->pkey->pkey.ec; if (!key) { const EC_GROUP *group; group = EC_KEY_get0_group(eckey); *keylen = (EC_GROUP_get_degree(group) + 7) / 8; return 1; } pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec); /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is * not an error, the result is truncated. */ outlen = *keylen; ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0); if (ret < 0) { return 0; } *keylen = ret; return 1; }
int _libssh2_ecdh_gen_k(_libssh2_bn **k, _libssh2_ec_key *private_key, const unsigned char *server_public_key, size_t server_public_key_len) { int ret = 0; int rc; size_t secret_len; unsigned char *secret = NULL; const EC_GROUP *private_key_group; EC_POINT *server_public_key_point; BN_CTX *bn_ctx = BN_CTX_new(); if(!bn_ctx) return -1; if(k == NULL) return -1; private_key_group = EC_KEY_get0_group(private_key); server_public_key_point = EC_POINT_new(private_key_group); if(server_public_key_point == NULL) return -1; rc = EC_POINT_oct2point(private_key_group, server_public_key_point, server_public_key, server_public_key_len, bn_ctx); if(rc != 1) { ret = -1; goto clean_exit; } secret_len = (EC_GROUP_get_degree(private_key_group) + 7) / 8; secret = malloc(secret_len); if(!secret) { ret = -1; goto clean_exit; } secret_len = ECDH_compute_key(secret, secret_len, server_public_key_point, private_key, NULL); if(secret_len <= 0 || secret_len > EC_MAX_POINT_LEN) { ret = -1; goto clean_exit; } BN_bin2bn(secret, secret_len, *k); clean_exit: if(server_public_key_point != NULL) EC_POINT_free(server_public_key_point); if(bn_ctx != NULL) BN_CTX_free(bn_ctx); if(secret != NULL) free(secret); return ret; }
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) { int ret; size_t outlen; const EC_POINT *pubkey = NULL; if (!ctx->pkey || !ctx->peerkey) { ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET); return 0; } if (!key) { const EC_GROUP *group; group = EC_KEY_get0_group(ctx->pkey->pkey.ec); *keylen = (EC_GROUP_get_degree(group) + 7)/8; return 1; } pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec); /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is * not an error, the result is truncated. */ outlen = *keylen; ret = ECDH_compute_key(key, outlen, pubkey, ctx->pkey->pkey.ec, 0); if (ret < 0) return ret; *keylen = ret; return 1; }
static int ecdh_kat(BIO *out, const char *cname, int nid, const unsigned char *k1, size_t k1_len, const unsigned char *k2, size_t k2_len, const unsigned char *Z, size_t Zlen) { int rv = 0; EC_KEY *key1 = NULL, *key2 = NULL; unsigned char *Ztmp = NULL; size_t Ztmplen; BIO_puts(out, "Testing ECDH shared secret with "); BIO_puts(out, cname); key1 = mk_eckey(nid, k1, k1_len); key2 = mk_eckey(nid, k2, k2_len); if (!key1 || !key2) goto err; Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8; if (Ztmplen != Zlen) goto err; Ztmp = OPENSSL_malloc(Ztmplen); if (!ECDH_compute_key(Ztmp, Ztmplen, EC_KEY_get0_public_key(key2), key1, 0)) goto err; if (memcmp(Ztmp, Z, Zlen)) goto err; memset(Ztmp, 0, Zlen); if (!ECDH_compute_key(Ztmp, Ztmplen, EC_KEY_get0_public_key(key1), key2, 0)) goto err; if (memcmp(Ztmp, Z, Zlen)) goto err; rv = 1; err: if (key1) EC_KEY_free(key1); if (key2) EC_KEY_free(key2); if (Ztmp) OPENSSL_free(Ztmp); if (rv) BIO_puts(out, " ok\n"); else { fprintf(stderr, "Error in ECDH routines\n"); ERR_print_errors_fp(stderr); } return rv; }
static int ecdh_build_k(ssh_session session) { const EC_GROUP *group = EC_KEY_get0_group(session->next_crypto->ecdh_privkey); EC_POINT *pubkey; void *buffer; int len = (EC_GROUP_get_degree(group) + 7) / 8; bignum_CTX ctx = bignum_ctx_new(); if (ctx == NULL) { return -1; } session->next_crypto->k = bignum_new(); if (session->next_crypto->k == NULL) { bignum_ctx_free(ctx); return -1; } pubkey = EC_POINT_new(group); if (pubkey == NULL) { bignum_ctx_free(ctx); return -1; } if (session->server) EC_POINT_oct2point(group,pubkey,ssh_string_data(session->next_crypto->ecdh_client_pubkey), ssh_string_len(session->next_crypto->ecdh_client_pubkey),ctx); else EC_POINT_oct2point(group,pubkey,ssh_string_data(session->next_crypto->ecdh_server_pubkey), ssh_string_len(session->next_crypto->ecdh_server_pubkey),ctx); buffer = malloc(len); ECDH_compute_key(buffer,len,pubkey,session->next_crypto->ecdh_privkey,NULL); EC_POINT_free(pubkey); BN_bin2bn(buffer,len,session->next_crypto->k); free(buffer); EC_KEY_free(session->next_crypto->ecdh_privkey); session->next_crypto->ecdh_privkey=NULL; #ifdef DEBUG_CRYPTO ssh_print_hexa("Session server cookie", session->next_crypto->server_kex.cookie, 16); ssh_print_hexa("Session client cookie", session->next_crypto->client_kex.cookie, 16); ssh_print_bignum("Shared secret key", session->next_crypto->k); #endif #ifdef HAVE_LIBCRYPTO bignum_ctx_free(ctx); #endif return 0; }
// Generate a Shared secret key from BIGNUM * CAlphaCrypt::GenerateSharedSecretKey(BIGNUM * pMasterKey, EC_POINT * lpPeerPubKey) { EC_KEY * lpFullCurve = NULL; // Full elliptic curve EC_POINT * pubKey = NULL; // The peer public key (bad guys one) ECDH_DATA * ecdh_data = NULL; // Elliptic Curve data structure BYTE secretKey[0x20] = {0}; // Shared secret key BIGNUM * pSecretBn = NULL; // Secret shared key BIGNUM int iRet = 0; if (!lpPeerPubKey) // Get the default AlphaCrypt peer public key pubKey = GetAlphaCryptPublicKey(); // DON'T forget to delete it, damn heck! :-) else // Don't delete the following one: pubKey = lpPeerPubKey; if (!pubKey) return NULL; // Create the FULL curve that contains public/private key pair lpFullCurve = EC_KEY_new_by_curve_name(NID_secp256k1); //EC_KEY_set_public_key(lpFullCurve, pStartKey); // No my own public key (I need to calculate it) iRet = SetPrivateKey(lpFullCurve, pMasterKey); iRet = EC_KEY_check_key(lpFullCurve); // Compute the shared secret key ecdh_data = ecdh_check(lpFullCurve); if (ecdh_data) ecdh_data->meth = ECDH_OpenSSL(); // Calculate shared secret key: My private Key * Peer public key iRet = ECDH_compute_key(secretKey, 0x20, pubKey, lpFullCurve, NULL); // Convert the secret key in a BIGNUMBER pSecretBn = BN_bin2bn(secretKey, 0x20, NULL); /*//////////////////////////////////////////////////////////////////////// // Brief explaination: // Here is what "ECDH_compute_key" does: Calculate "da * Qb" (that is equal to "da * db * G"). Where: da = my ownPrivate key (the master key) Qb = the peer Public key (standard one inserted in AlphaCrypt) *//////////////////////////////////////////////////////////////////////// // Cleanup EC_KEY_free(lpFullCurve); if (pubKey != lpPeerPubKey) EC_POINT_free(pubKey); return pSecretBn; }
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) { int ret; size_t outlen; const EC_POINT *pubkey = NULL; EC_KEY *eckey; EC_PKEY_CTX *dctx = ctx->data; if (!ctx->pkey || !ctx->peerkey) { ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET); return 0; } eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec; if (!key) { const EC_GROUP *group; group = EC_KEY_get0_group(eckey); *keylen = (EC_GROUP_get_degree(group) + 7) / 8; return 1; } pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec); /* * NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is not * an error, the result is truncated. */ outlen = *keylen; #ifndef OPENSSL_NO_SM2 /* if (dctx->ec_scheme == NID_sm_scheme) ret = SM2_compute_key(key, outlen, pubkey, eckey, 0); else */ #endif ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0); if (ret <= 0) return 0; *keylen = ret; return 1; }
int crypt_ec_helper::ecdh(unsigned char **secret, EC_KEY *key, const EC_POINT *pPub) { int secretLen; secretLen = EC_GROUP_get_degree(EC_KEY_get0_group(key)); secretLen = (secretLen + 7) / 8; *secret = (unsigned char*)malloc(secretLen); if (!(*secret)) { fflush(stderr); free(*secret); throw std::runtime_error("Failed to allocate memory for secret.\n"); } secretLen = ECDH_compute_key(*secret, secretLen, pPub, key, NULL); return secretLen; }
int CPK_PUBLIC_PARAMS_compute_share_key(CPK_PUBLIC_PARAMS *params, void *out, size_t outlen, const char *id, EVP_PKEY *priv_key, void *(*kdf)(const void *in, size_t inlen, void *out, size_t *outlen)) { int ret = 0; EVP_PKEY *pub_key = NULL; int pkey_type = OBJ_obj2nid(params->pkey_algor->algorithm); OPENSSL_assert(kdf != NULL); printf("%d\n", __LINE__); if (EVP_PKEY_id(priv_key) != pkey_type) { CPKerr(CPK_F_CPK_PUBLIC_PARAMS_COMPUTE_SHARE_KEY, ERR_R_MALLOC_FAILURE); //FIXME: ERR_R_XXX goto err; } if (!(pub_key = CPK_PUBLIC_PARAMS_extract_public_key(params, id))) { CPKerr(CPK_F_CPK_PUBLIC_PARAMS_COMPUTE_SHARE_KEY, ERR_R_MALLOC_FAILURE); //FIXME: ERR_R_XXX goto err; } if (pkey_type == EVP_PKEY_EC) { if (!ECDH_compute_key(out, outlen, EC_KEY_get0_public_key((EC_KEY *)EVP_PKEY_get0(pub_key)), (EC_KEY *)EVP_PKEY_get0(priv_key), kdf)) { CPKerr(CPK_F_CPK_PUBLIC_PARAMS_COMPUTE_SHARE_KEY, ERR_R_MALLOC_FAILURE); //FIXME: ERR_R_XXX goto err; } } else if (pkey_type == EVP_PKEY_DH) { // not supported yet goto err; } ret = 1; err: return ret; }
static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out) { EC_KEY *a = NULL; EC_KEY *b = NULL; BIGNUM *x_a = NULL, *y_a = NULL, *x_b = NULL, *y_b = NULL; char buf[12]; unsigned char *abuf = NULL, *bbuf = NULL; int i, alen, blen, aout, bout, ret = 0; const EC_GROUP *group; a = EC_KEY_new_by_curve_name(nid); b = EC_KEY_new_by_curve_name(nid); if (a == NULL || b == NULL) goto err; group = EC_KEY_get0_group(a); if ((x_a = BN_new()) == NULL) goto err; if ((y_a = BN_new()) == NULL) goto err; if ((x_b = BN_new()) == NULL) goto err; if ((y_b = BN_new()) == NULL) goto err; BIO_puts(out, "Testing key generation with "); BIO_puts(out, text); # ifdef NOISY BIO_puts(out, "\n"); # else (void)BIO_flush(out); # endif if (!EC_KEY_generate_key(a)) goto err; if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { if (!EC_POINT_get_affine_coordinates_GFp (group, EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err; } # ifndef OPENSSL_NO_EC2M else { if (!EC_POINT_get_affine_coordinates_GF2m(group, EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err; } # endif # ifdef NOISY BIO_puts(out, " pri 1="); BN_print(out, a->priv_key); BIO_puts(out, "\n pub 1="); BN_print(out, x_a); BIO_puts(out, ","); BN_print(out, y_a); BIO_puts(out, "\n"); # else BIO_printf(out, " ."); (void)BIO_flush(out); # endif if (!EC_KEY_generate_key(b)) goto err; if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { if (!EC_POINT_get_affine_coordinates_GFp (group, EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err; } # ifndef OPENSSL_NO_EC2M else { if (!EC_POINT_get_affine_coordinates_GF2m(group, EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err; } # endif # ifdef NOISY BIO_puts(out, " pri 2="); BN_print(out, b->priv_key); BIO_puts(out, "\n pub 2="); BN_print(out, x_b); BIO_puts(out, ","); BN_print(out, y_b); BIO_puts(out, "\n"); # else BIO_printf(out, "."); (void)BIO_flush(out); # endif alen = KDF1_SHA1_len; abuf = (unsigned char *)OPENSSL_malloc(alen); aout = ECDH_compute_key(abuf, alen, EC_KEY_get0_public_key(b), a, KDF1_SHA1); # ifdef NOISY BIO_puts(out, " key1 ="); for (i = 0; i < aout; i++) { sprintf(buf, "%02X", abuf[i]); BIO_puts(out, buf); } BIO_puts(out, "\n"); # else BIO_printf(out, "."); (void)BIO_flush(out); # endif blen = KDF1_SHA1_len; bbuf = (unsigned char *)OPENSSL_malloc(blen); bout = ECDH_compute_key(bbuf, blen, EC_KEY_get0_public_key(a), b, KDF1_SHA1); # ifdef NOISY BIO_puts(out, " key2 ="); for (i = 0; i < bout; i++) { sprintf(buf, "%02X", bbuf[i]); BIO_puts(out, buf); } BIO_puts(out, "\n"); # else BIO_printf(out, "."); (void)BIO_flush(out); # endif if ((aout < 4) || (bout != aout) || (memcmp(abuf, bbuf, aout) != 0)) { # ifndef NOISY BIO_printf(out, " failed\n\n"); BIO_printf(out, "key a:\n"); BIO_printf(out, "private key: "); BN_print(out, EC_KEY_get0_private_key(a)); BIO_printf(out, "\n"); BIO_printf(out, "public key (x,y): "); BN_print(out, x_a); BIO_printf(out, ","); BN_print(out, y_a); BIO_printf(out, "\nkey b:\n"); BIO_printf(out, "private key: "); BN_print(out, EC_KEY_get0_private_key(b)); BIO_printf(out, "\n"); BIO_printf(out, "public key (x,y): "); BN_print(out, x_b); BIO_printf(out, ","); BN_print(out, y_b); BIO_printf(out, "\n"); BIO_printf(out, "generated key a: "); for (i = 0; i < bout; i++) { sprintf(buf, "%02X", bbuf[i]); BIO_puts(out, buf); } BIO_printf(out, "\n"); BIO_printf(out, "generated key b: "); for (i = 0; i < aout; i++) { sprintf(buf, "%02X", abuf[i]); BIO_puts(out, buf); } BIO_printf(out, "\n"); # endif fprintf(stderr, "Error in ECDH routines\n"); ret = 0; } else { # ifndef NOISY BIO_printf(out, " ok\n"); # endif ret = 1; } err: ERR_print_errors_fp(stderr); if (abuf != NULL) OPENSSL_free(abuf); if (bbuf != NULL) OPENSSL_free(bbuf); if (x_a) BN_free(x_a); if (y_a) BN_free(y_a); if (x_b) BN_free(x_b); if (y_b) BN_free(y_b); if (b) EC_KEY_free(b); if (a) EC_KEY_free(a); return (ret); }
static krb5_error_code generate_ecdh_keyblock(krb5_context context, EC_KEY *ec_key_pk, /* the client's public key */ EC_KEY **ec_key_key, /* the KDC's ephemeral private */ unsigned char **dh_gen_key, /* shared secret */ size_t *dh_gen_keylen) { const EC_GROUP *group; EC_KEY *ephemeral; krb5_keyblock key; krb5_error_code ret; unsigned char *p; size_t size; int len; *dh_gen_key = NULL; *dh_gen_keylen = 0; *ec_key_key = NULL; memset(&key, 0, sizeof(key)); if (ec_key_pk == NULL) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, "public_key"); return ret; } group = EC_KEY_get0_group(ec_key_pk); if (group == NULL) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, "failed to get the group of " "the client's public key"); return ret; } ephemeral = EC_KEY_new(); if (ephemeral == NULL) return krb5_enomem(context); EC_KEY_set_group(ephemeral, group); if (EC_KEY_generate_key(ephemeral) != 1) { EC_KEY_free(ephemeral); return krb5_enomem(context); } size = (EC_GROUP_get_degree(group) + 7) / 8; p = malloc(size); if (p == NULL) { EC_KEY_free(ephemeral); return krb5_enomem(context); } len = ECDH_compute_key(p, size, EC_KEY_get0_public_key(ec_key_pk), ephemeral, NULL); if (len <= 0) { free(p); EC_KEY_free(ephemeral); ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, "Failed to compute ECDH " "public shared secret"); return ret; } *ec_key_key = ephemeral; *dh_gen_key = p; *dh_gen_keylen = len; return 0; }
static int input_kex_ecdh_init(int type, u_int32_t seq, struct ssh *ssh) { struct kex *kex = ssh->kex; EC_POINT *client_public; EC_KEY *server_key = NULL; const EC_GROUP *group; const EC_POINT *public_key; BIGNUM *shared_secret = NULL; struct sshkey *server_host_private, *server_host_public; u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf = NULL; u_char hash[SSH_DIGEST_MAX_LENGTH]; size_t slen, sbloblen; size_t klen = 0, hashlen; int r; if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } if (EC_KEY_generate_key(server_key) != 1) { r = SSH_ERR_LIBCRYPTO_ERROR; goto out; } group = EC_KEY_get0_group(server_key); #ifdef DEBUG_KEXECDH fputs("server private key:\n", stderr); sshkey_dump_ec_key(server_key); #endif if (kex->load_host_public_key == NULL || kex->load_host_private_key == NULL) { r = SSH_ERR_INVALID_ARGUMENT; goto out; } server_host_public = kex->load_host_public_key(kex->hostkey_type, kex->hostkey_nid, ssh); server_host_private = kex->load_host_private_key(kex->hostkey_type, kex->hostkey_nid, ssh); if (server_host_public == NULL) { r = SSH_ERR_NO_HOSTKEY_LOADED; goto out; } if ((client_public = EC_POINT_new(group)) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } if ((r = sshpkt_get_ec(ssh, client_public, group)) != 0 || (r = sshpkt_get_end(ssh)) != 0) goto out; #ifdef DEBUG_KEXECDH fputs("client public key:\n", stderr); sshkey_dump_ec_point(group, client_public); #endif if (sshkey_ec_validate_public(group, client_public) != 0) { sshpkt_disconnect(ssh, "invalid client public key"); r = SSH_ERR_MESSAGE_INCOMPLETE; goto out; } /* Calculate shared_secret */ klen = (EC_GROUP_get_degree(group) + 7) / 8; if ((kbuf = malloc(klen)) == NULL || (shared_secret = BN_new()) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } if (ECDH_compute_key(kbuf, klen, client_public, server_key, NULL) != (int)klen || BN_bin2bn(kbuf, klen, shared_secret) == NULL) { r = SSH_ERR_LIBCRYPTO_ERROR; goto out; } #ifdef DEBUG_KEXECDH dump_digest("shared secret", kbuf, klen); #endif /* calc H */ if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob, &sbloblen)) != 0) goto out; hashlen = sizeof(hash); if ((r = kex_ecdh_hash( kex->hash_alg, group, kex->client_version_string, kex->server_version_string, sshbuf_ptr(kex->peer), sshbuf_len(kex->peer), sshbuf_ptr(kex->my), sshbuf_len(kex->my), server_host_key_blob, sbloblen, client_public, EC_KEY_get0_public_key(server_key), shared_secret, hash, &hashlen)) != 0) goto out; /* save session id := H */ if (kex->session_id == NULL) { kex->session_id_len = hashlen; kex->session_id = malloc(kex->session_id_len); if (kex->session_id == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } memcpy(kex->session_id, hash, kex->session_id_len); } /* sign H */ if ((r = kex->sign(server_host_private, server_host_public, &signature, &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0) goto out; /* destroy_sensitive_data(); */ public_key = EC_KEY_get0_public_key(server_key); /* send server hostkey, ECDH pubkey 'Q_S' and signed H */ if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_REPLY)) != 0 || (r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 || (r = sshpkt_put_ec(ssh, public_key, group)) != 0 || (r = sshpkt_put_string(ssh, signature, slen)) != 0 || (r = sshpkt_send(ssh)) != 0) goto out; if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) r = kex_send_newkeys(ssh); out: explicit_bzero(hash, sizeof(hash)); if (kex->ec_client_key) { EC_KEY_free(kex->ec_client_key); kex->ec_client_key = NULL; } if (server_key) EC_KEY_free(server_key); if (kbuf) { explicit_bzero(kbuf, klen); free(kbuf); } if (shared_secret) BN_clear_free(shared_secret); free(server_host_key_blob); free(signature); return r; }
static krb5_error_code generate_dh_keyblock(krb5_context context, pk_client_params *client_params, krb5_enctype enctype) { unsigned char *dh_gen_key = NULL; krb5_keyblock key; krb5_error_code ret; size_t dh_gen_keylen, size; memset(&key, 0, sizeof(key)); if (client_params->keyex == USE_DH) { if (client_params->u.dh.public_key == NULL) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, "public_key"); goto out; } if (!DH_generate_key(client_params->u.dh.key)) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, "Can't generate Diffie-Hellman keys"); goto out; } dh_gen_keylen = DH_size(client_params->u.dh.key); size = BN_num_bytes(client_params->u.dh.key->p); if (size < dh_gen_keylen) size = dh_gen_keylen; dh_gen_key = malloc(size); if (dh_gen_key == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } memset(dh_gen_key, 0, size - dh_gen_keylen); dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen), client_params->u.dh.public_key, client_params->u.dh.key); if (dh_gen_keylen == -1) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, "Can't compute Diffie-Hellman key"); goto out; } ret = 0; #ifdef HAVE_OPENSSL } else if (client_params->keyex == USE_ECDH) { if (client_params->u.ecdh.public_key == NULL) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, "public_key"); goto out; } client_params->u.ecdh.key = EC_KEY_new(); if (client_params->u.ecdh.key == NULL) { ret = ENOMEM; goto out; } EC_KEY_set_group(client_params->u.ecdh.key, EC_KEY_get0_group(client_params->u.ecdh.public_key)); if (EC_KEY_generate_key(client_params->u.ecdh.key) != 1) { ret = ENOMEM; goto out; } size = (EC_GROUP_get_degree(EC_KEY_get0_group(client_params->u.ecdh.key)) + 7) / 8; dh_gen_key = malloc(size); if (dh_gen_key == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; } dh_gen_keylen = ECDH_compute_key(dh_gen_key, size, EC_KEY_get0_public_key(client_params->u.ecdh.public_key), client_params->u.ecdh.key, NULL); #endif /* HAVE_OPENSSL */ } else { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, "Diffie-Hellman not selected keys"); goto out; } ret = _krb5_pk_octetstring2key(context, enctype, dh_gen_key, dh_gen_keylen, NULL, NULL, &client_params->reply_key); out: if (dh_gen_key) free(dh_gen_key); if (key.keyvalue.data) krb5_free_keyblock_contents(context, &key); return ret; }
static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out) { printf("in ecdh test\n"); EC_KEY *a = NULL; //EC_KEY is a structure EC_KEY *b = NULL; BIGNUM *x_a = NULL, *y_a = NULL, *x_b = NULL, *y_b = NULL; char buf[12]; unsigned char *abuf = NULL, *bbuf = NULL; int i, alen, blen, aout, bout, ret = 0; const EC_GROUP *group; a = EC_KEY_new_by_curve_name(nid); // creates a new key according to the curve specified //it fills in the EC_KEY structure // use function called EC_KEY *EC_KEY_new(void) //also use a function called EC_GROUP_new_by_curve_name() creates a EC_GROUP structure specified by a curve name (in form of a NID) */ // the group returned is set in the EC_KEY structure. b = EC_KEY_new_by_curve_name(nid); if (a == NULL || b == NULL) goto err; group = EC_KEY_get0_group(a); //returns the EC_GROUP structure created by the EC_KEY structure //EC_GROUP structure is present in the EC_KEY structure. if ((x_a = BN_new()) == NULL) goto err; //BN_new returns a pointer to the bignum if ((y_a = BN_new()) == NULL) goto err; if ((x_b = BN_new()) == NULL) goto err; if ((y_b = BN_new()) == NULL) goto err; BIO_puts(out, "Testing key generation with "); BIO_puts(out, text); #ifdef NOISY printf ("noisy"); BIO_puts(out,"\n"); BIO_puts(out,"\n"); BIO_puts(out,"\n"); #else BIO_flush(out); #endif //public key number one is created here if (!EC_KEY_generate_key(a)) goto err; //pass the filled EC_KEY structure and it will create a public or private ec key. //it places the key in a->priv_key a->pub_key /// PUBLIC AND PVT KEYS ARE GENERATED BY THE SCALAR MULTIPLICATION printf("\n1 ) generating keys\n"); if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { if (!EC_POINT_get_affine_coordinates_GFp(group, EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err; } //returns the public key else { if (!EC_POINT_get_affine_coordinates_GF2m(group, EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err; } //BN_print_fp(stdout, a->pub_key); printf("private key is : "); BN_print_fp(stdout, EC_KEY_get0_private_key(a)); printf("\nAffine cordinates x:"); BN_print_fp(stdout, x_a); printf("\nAffine cordinates y:"); BN_print_fp(stdout, y_a); printf( "\n2 ) generated keys , generated affine points x and y , and also determided the primse brinary case\n"); #ifdef NOISY printf("no generation"); BIO_puts(out," pri 1="); BN_print(out,a->priv_key); BIO_puts(out,"\n pub 1="); BN_print(out,x_a); BIO_puts(out,","); BN_print(out,y_a); BIO_puts(out,"\n"); #else BIO_printf(out, " ."); BIO_flush(out); #endif //public key number two is created here if (!EC_KEY_generate_key(b)) goto err; if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { if (!EC_POINT_get_affine_coordinates_GFp(group, EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err; // not well } else { if (!EC_POINT_get_affine_coordinates_GF2m(group, EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err; } // printf("public key is : "); // BN_print_fp(stdout, EC_KEY_get0_private_key(b)); // for public key they will exchange the whole EC_POINT structure printf("private key is : "); BN_print_fp(stdout, EC_KEY_get0_private_key(b)); printf("\nAffine cordinates x"); BN_print_fp(stdout, x_b); printf("\nAffine cordinates y"); BN_print_fp(stdout, y_b); #ifdef NOISY BIO_puts(out," pri 2="); BN_print(out,b->priv_key); BIO_puts(out,"\n pub 2="); BN_print(out,x_b); BIO_puts(out,","); BN_print(out,y_b); BIO_puts(out,"\n"); #else BIO_printf(out, "."); BIO_flush(out); #endif alen = KDF1_SHA1_len; ///it is a static constant integer. abuf = (unsigned char *) OPENSSL_malloc(alen); aout = ECDH_compute_key(abuf, alen, EC_KEY_get0_public_key(b), a, KDF1_SHA1); //generating session key // BN_print(out, abuf); //BIO_puts(out,"\n"); #ifdef NOISY BIO_puts(out," key1 ="); for (i=0; i<aout; i++) { sprintf(buf,"%02X",abuf[i]); BIO_puts(out,buf); } BIO_puts(out,"\n"); #else BIO_printf(out, "."); BIO_flush(out); #endif blen = KDF1_SHA1_len; bbuf = (unsigned char *) OPENSSL_malloc(blen); bout = ECDH_compute_key(bbuf, blen, EC_KEY_get0_public_key(a), b, KDF1_SHA1); // BN_print(out, bbuf); // BIO_puts(out,"\n"); #ifdef NOISY BIO_puts(out," key2 ="); for (i=0; i<bout; i++) { sprintf(buf,"%02X",bbuf[i]); BIO_puts(out,buf); } BIO_puts(out,"\n"); #else BIO_printf(out, "."); BIO_flush(out); #endif if ((aout < 4) || (bout != aout) || (memcmp(abuf, bbuf, aout) != 0)) { #ifndef NOISY BIO_printf(out, " failed\n\n"); BIO_printf(out, "key a:\n"); BIO_printf(out, "private key: "); BN_print(out, EC_KEY_get0_private_key(a)); BIO_printf(out, "\n"); BIO_printf(out, "public key (x,y): "); BN_print(out, x_a); BIO_printf(out, ","); BN_print(out, y_a); BIO_printf(out, "\nkey b:\n"); BIO_printf(out, "private key: "); BN_print(out, EC_KEY_get0_private_key(b)); BIO_printf(out, "\n"); BIO_printf(out, "public key (x,y): "); BN_print(out, x_b); BIO_printf(out, ","); BN_print(out, y_b); BIO_printf(out, "\n"); BIO_printf(out, "generated key a: "); for (i = 0; i < bout; i++) { sprintf(buf, "%02X", bbuf[i]); BIO_puts(out, buf); } BIO_printf(out, "\n"); BIO_printf(out, "generated key b: "); for (i = 0; i < aout; i++) { sprintf(buf, "%02X", abuf[i]); BIO_puts(out, buf); } BIO_printf(out, "\n"); #endif fprintf(stderr, "Error in ECDH routines\n"); ret = 0; } else { #ifndef NOISY BIO_printf(out, " ok\n"); #endif ret = 1; } err: ERR_print_errors_fp(stderr); if (abuf != NULL) OPENSSL_free(abuf); if (bbuf != NULL) OPENSSL_free(bbuf); if (x_a) BN_free(x_a); if (y_a) BN_free(y_a); if (x_b) BN_free(x_b); if (y_b) BN_free(y_b); if (b) EC_KEY_free(b); if (a) EC_KEY_free(a); return (ret); }
static int input_kex_ecdh_reply(int type, u_int32_t seq, void *ctxt) { struct ssh *ssh = ctxt; struct kex *kex = ssh->kex; const EC_GROUP *group; EC_POINT *server_public = NULL; EC_KEY *client_key; BIGNUM *shared_secret = NULL; struct sshkey *server_host_key = NULL; u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf = NULL; u_char hash[SSH_DIGEST_MAX_LENGTH]; size_t slen, sbloblen; size_t klen = 0, hashlen; int r; if (kex->verify_host_key == NULL) { r = SSH_ERR_INVALID_ARGUMENT; goto out; } group = kex->ec_group; client_key = kex->ec_client_key; /* hostkey */ if ((r = sshpkt_get_string(ssh, &server_host_key_blob, &sbloblen)) != 0 || (r = sshkey_from_blob(server_host_key_blob, sbloblen, &server_host_key)) != 0) goto out; if (server_host_key->type != kex->hostkey_type || (kex->hostkey_type == KEY_ECDSA && server_host_key->ecdsa_nid != kex->hostkey_nid)) { r = SSH_ERR_KEY_TYPE_MISMATCH; goto out; } if (kex->verify_host_key(server_host_key, ssh) == -1) { r = SSH_ERR_SIGNATURE_INVALID; goto out; } /* Q_S, server public key */ /* signed H */ if ((server_public = EC_POINT_new(group)) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } if ((r = sshpkt_get_ec(ssh, server_public, group)) != 0 || (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 || (r = sshpkt_get_end(ssh)) != 0) goto out; #ifdef DEBUG_KEXECDH fputs("server public key:\n", stderr); sshkey_dump_ec_point(group, server_public); #endif if (sshkey_ec_validate_public(group, server_public) != 0) { sshpkt_disconnect(ssh, "invalid server public key"); r = SSH_ERR_MESSAGE_INCOMPLETE; goto out; } klen = (EC_GROUP_get_degree(group) + 7) / 8; if ((kbuf = malloc(klen)) == NULL || (shared_secret = BN_new()) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } if (ECDH_compute_key(kbuf, klen, server_public, client_key, NULL) != (int)klen || BN_bin2bn(kbuf, klen, shared_secret) == NULL) { r = SSH_ERR_LIBCRYPTO_ERROR; goto out; } #ifdef DEBUG_KEXECDH dump_digest("shared secret", kbuf, klen); #endif /* calc and verify H */ hashlen = sizeof(hash); if ((r = kex_ecdh_hash( kex->hash_alg, group, kex->client_version_string, kex->server_version_string, sshbuf_ptr(kex->my), sshbuf_len(kex->my), sshbuf_ptr(kex->peer), sshbuf_len(kex->peer), server_host_key_blob, sbloblen, EC_KEY_get0_public_key(client_key), server_public, shared_secret, hash, &hashlen)) != 0) goto out; if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen, ssh->compat)) != 0) goto out; /* save session id */ if (kex->session_id == NULL) { kex->session_id_len = hashlen; kex->session_id = malloc(kex->session_id_len); if (kex->session_id == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } memcpy(kex->session_id, hash, kex->session_id_len); } if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) r = kex_send_newkeys(ssh); out: explicit_bzero(hash, sizeof(hash)); if (kex->ec_client_key) { EC_KEY_free(kex->ec_client_key); kex->ec_client_key = NULL; } if (server_public) EC_POINT_clear_free(server_public); if (kbuf) { explicit_bzero(kbuf, klen); free(kbuf); } if (shared_secret) BN_clear_free(shared_secret); sshkey_free(server_host_key); free(server_host_key_blob); free(signature); return r; }
void kexecdh_client(Kex *kex) { EC_KEY *client_key; EC_POINT *server_public; const EC_GROUP *group; BIGNUM *shared_secret; Key *server_host_key; u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf, *hash; u_int klen, slen, sbloblen, hashlen; if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", __func__); if (EC_KEY_generate_key(client_key) != 1) fatal("%s: EC_KEY_generate_key failed", __func__); group = EC_KEY_get0_group(client_key); packet_start(SSH2_MSG_KEX_ECDH_INIT); packet_put_ecpoint(group, EC_KEY_get0_public_key(client_key)); packet_send(); debug("sending SSH2_MSG_KEX_ECDH_INIT"); #ifdef DEBUG_KEXECDH fputs("client private key:\n", stderr); key_dump_ec_key(client_key); #endif debug("expecting SSH2_MSG_KEX_ECDH_REPLY"); packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY); /* hostkey */ server_host_key_blob = packet_get_string(&sbloblen); server_host_key = key_from_blob(server_host_key_blob, sbloblen); if (server_host_key == NULL) fatal("cannot decode server_host_key_blob"); if (server_host_key->type != kex->hostkey_type) fatal("type mismatch for decoded server_host_key_blob"); if (kex->verify_host_key == NULL) fatal("cannot verify server_host_key"); if (kex->verify_host_key(server_host_key) == -1) fatal("server_host_key verification failed"); /* Q_S, server public key */ if ((server_public = EC_POINT_new(group)) == NULL) fatal("%s: EC_POINT_new failed", __func__); packet_get_ecpoint(group, server_public); if (key_ec_validate_public(group, server_public) != 0) fatal("%s: invalid server public key", __func__); #ifdef DEBUG_KEXECDH fputs("server public key:\n", stderr); key_dump_ec_point(group, server_public); #endif /* signed H */ signature = packet_get_string(&slen); packet_check_eom(); klen = (EC_GROUP_get_degree(group) + 7) / 8; kbuf = xmalloc(klen); if (ECDH_compute_key(kbuf, klen, server_public, client_key, NULL) != (int)klen) fatal("%s: ECDH_compute_key failed", __func__); #ifdef DEBUG_KEXECDH dump_digest("shared secret", kbuf, klen); #endif if ((shared_secret = BN_new()) == NULL) fatal("%s: BN_new failed", __func__); if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) fatal("%s: BN_bin2bn failed", __func__); memset(kbuf, 0, klen); free(kbuf); /* calc and verify H */ kex_ecdh_hash( kex->evp_md, group, kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->my), buffer_len(&kex->my), buffer_ptr(&kex->peer), buffer_len(&kex->peer), server_host_key_blob, sbloblen, EC_KEY_get0_public_key(client_key), server_public, shared_secret, &hash, &hashlen ); free(server_host_key_blob); EC_POINT_clear_free(server_public); EC_KEY_free(client_key); if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); free(signature); /* save session id */ if (kex->session_id == NULL) { kex->session_id_len = hashlen; kex->session_id = xmalloc(kex->session_id_len); memcpy(kex->session_id, hash, kex->session_id_len); } kex_derive_keys(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); }
void kexecdh_server(Kex *kex) { EC_POINT *client_public; EC_KEY *server_key; const EC_GROUP *group; BIGNUM *shared_secret; Key *server_host_private, *server_host_public; u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf, *hash; u_int klen, slen, sbloblen, hashlen; int curve_nid; if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name); if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", __func__); if (EC_KEY_generate_key(server_key) != 1) fatal("%s: EC_KEY_generate_key failed", __func__); group = EC_KEY_get0_group(server_key); #ifdef DEBUG_KEXECDH fputs("server private key:\n", stderr); key_dump_ec_key(server_key); #endif if (kex->load_host_public_key == NULL || kex->load_host_private_key == NULL) fatal("Cannot load hostkey"); server_host_public = kex->load_host_public_key(kex->hostkey_type); if (server_host_public == NULL) fatal("Unsupported hostkey type %d", kex->hostkey_type); server_host_private = kex->load_host_private_key(kex->hostkey_type); if (server_host_private == NULL) fatal("Missing private key for hostkey type %d", kex->hostkey_type); debug("expecting SSH2_MSG_KEX_ECDH_INIT"); packet_read_expect(SSH2_MSG_KEX_ECDH_INIT); if ((client_public = EC_POINT_new(group)) == NULL) fatal("%s: EC_POINT_new failed", __func__); packet_get_ecpoint(group, client_public); packet_check_eom(); if (key_ec_validate_public(group, client_public) != 0) fatal("%s: invalid client public key", __func__); #ifdef DEBUG_KEXECDH fputs("client public key:\n", stderr); key_dump_ec_point(group, client_public); #endif /* Calculate shared_secret */ klen = (EC_GROUP_get_degree(group) + 7) / 8; kbuf = xmalloc(klen); if (ECDH_compute_key(kbuf, klen, client_public, server_key, NULL) != (int)klen) fatal("%s: ECDH_compute_key failed", __func__); #ifdef DEBUG_KEXDH dump_digest("shared secret", kbuf, klen); #endif if ((shared_secret = BN_new()) == NULL) fatal("%s: BN_new failed", __func__); if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) fatal("%s: BN_bin2bn failed", __func__); memset(kbuf, 0, klen); xfree(kbuf); /* calc H */ key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); kex_ecdh_hash( kex->evp_md, group, kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->peer), buffer_len(&kex->peer), buffer_ptr(&kex->my), buffer_len(&kex->my), server_host_key_blob, sbloblen, client_public, EC_KEY_get0_public_key(server_key), shared_secret, &hash, &hashlen ); EC_POINT_clear_free(client_public); /* save session id := H */ if (kex->session_id == NULL) { kex->session_id_len = hashlen; kex->session_id = xmalloc(kex->session_id_len); memcpy(kex->session_id, hash, kex->session_id_len); } /* sign H */ if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash, hashlen)) < 0) fatal("kexdh_server: key_sign failed"); /* destroy_sensitive_data(); */ /* send server hostkey, ECDH pubkey 'Q_S' and signed H */ packet_start(SSH2_MSG_KEX_ECDH_REPLY); packet_put_string(server_host_key_blob, sbloblen); packet_put_ecpoint(group, EC_KEY_get0_public_key(server_key)); packet_put_string(signature, slen); packet_send(); xfree(signature); xfree(server_host_key_blob); /* have keys, free server key */ EC_KEY_free(server_key); kex_derive_keys(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); }
int main() { srand((unsigned)time(NULL)); int i; EC_KEY* key; //key = EC_KEY_new_by_curve_name(415); key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); const EC_GROUP *group = EC_KEY_get0_group(key); if (EC_KEY_generate_key(key)==0) { printf("Error generate key\n"); return -1; } unsigned char pk_b[33]; const EC_POINT *pub = EC_KEY_get0_public_key(key); if (EC_POINT_point2oct(group, pub, POINT_CONVERSION_COMPRESSED, pk_b, 33, 0)!=33) { printf("Error 2\n"); return -1; } unsigned char h1[16],h2[16]; printf("\x02"); for (i=0;i<16;i++) { h1[i]=rand()%256; printf("%c",h1[i]); } for (i=0;i<33;i++) printf("%c",pk_b[i]); fflush(stdout); //get h2 for (i=0;i<16;i++) h2[i]=rand()%256; for (i=0;i<16;i++) scanf("%c",&h2[i]); //get peerpk_b unsigned char peerpk_b[33]={2 , 30 , 25 , 50 , 17 , 242 , 232 , 55 , 157 , 18 , 106 , 115 , 214 , 193 , 192 , 39 , 207 , 226 , 184 , 216 , 244 , 147 , 111 , 188 , 125 , 230 , 38 , 125 , 231 , 50 , 56 , 152 , 148 }; for (i=0;i<33;i++) scanf("%c",&peerpk_b[i]); EC_POINT *peerpk = EC_POINT_new(group); if (EC_POINT_oct2point(group, peerpk, peerpk_b, 33, 0)==0) { printf("Error 3\n"); return -1; } unsigned char skey[33]; if (ECDH_compute_key(skey, 32, peerpk, key, NULL)==0) { printf("Error 4\n"); return -1; } SHA512_CTX shactx; unsigned char hash[SHA512_DIGEST_LENGTH]; SHA512_Init(&shactx); SHA512_Update(&shactx, h2, 16); SHA512_Update(&shactx, skey, 32); SHA512_Update(&shactx, h1, 16); SHA512_Final(hash, &shactx); for (i=0;i<64;i++) printf("%02x",hash[i]); fflush(stdout); struct cipher c; c.recvfd=0; c.sendfd=1; for (i=0;i<16;i++) c.sendkey[i]=hash[i]; for (i=0;i<4;i++) c.sendiv[i]=hash[32+i]; for (i=0;i<16;i++) c.recvkey[i]=hash[16+i]; for (i=0;i<4;i++) c.recviv[i]=hash[36+i]; c.sendcnt=0; c.recvcnt=0; unsigned char d[1000]; unsigned char oiv[8]; int op; char dlen; while (true) { scanf("%d",&op); scanf("%c",&dlen); scanf("%c",&dlen); for (i=0;i<dlen;i++) scanf("%c",&d[i]); if (op==1) { for (i=0;i<8;i++) oiv[i]=rand()%256; encrypt(c,d,dlen,oiv); c.recvcnt+=1; } else if (op==2) { for (i=0;i<8;i++) scanf("%c",&oiv[i]); decrypt(c,d,dlen,oiv, NULL); c.sendcnt+=1; } fflush(stdout); } return 0; }
/* * NIST SP800-56A co-factor ECDH tests. * KATs taken from NIST documents with parameters: * * - (QCAVSx,QCAVSy) is the public key for CAVS. * - dIUT is the private key for IUT. * - (QIUTx,QIUTy) is the public key for IUT. * - ZIUT is the shared secret KAT. * * CAVS: Cryptographic Algorithm Validation System * IUT: Implementation Under Test * * This function tests two things: * * 1. dIUT * G = (QIUTx,QIUTy) * i.e. public key for IUT computes correctly. * 2. x-coord of cofactor * dIUT * (QCAVSx,QCAVSy) = ZIUT * i.e. co-factor ECDH key computes correctly. * * returns zero on failure or unsupported curve. One otherwise. */ static int ecdh_cavs_kat(BIO *out, const ecdh_cavs_kat_t *kat) { int rv = 0, is_char_two = 0; EC_KEY *key1 = NULL; EC_POINT *pub = NULL; const EC_GROUP *group = NULL; BIGNUM *bnz = NULL, *x = NULL, *y = NULL; unsigned char *Ztmp = NULL, *Z = NULL; size_t Ztmplen, Zlen; BIO_puts(out, "Testing ECC CDH Primitive SP800-56A with "); BIO_puts(out, OBJ_nid2sn(kat->nid)); /* dIUT is IUT's private key */ if ((key1 = mk_eckey(kat->nid, kat->dIUT)) == NULL) goto err; /* these are cofactor ECDH KATs */ EC_KEY_set_flags(key1, EC_FLAG_COFACTOR_ECDH); if ((group = EC_KEY_get0_group(key1)) == NULL) goto err; if ((pub = EC_POINT_new(group)) == NULL) goto err; if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_characteristic_two_field) is_char_two = 1; /* (QIUTx, QIUTy) is IUT's public key */ if(!BN_hex2bn(&x, kat->QIUTx)) goto err; if(!BN_hex2bn(&y, kat->QIUTy)) goto err; if (is_char_two) { #ifdef OPENSSL_NO_EC2M goto err; #else if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL)) goto err; #endif } else { if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL)) goto err; } /* dIUT * G = (QIUTx, QIUTy) should hold */ if (EC_POINT_cmp(group, EC_KEY_get0_public_key(key1), pub, NULL)) goto err; /* (QCAVSx, QCAVSy) is CAVS's public key */ if(!BN_hex2bn(&x, kat->QCAVSx)) goto err; if(!BN_hex2bn(&y, kat->QCAVSy)) goto err; if (is_char_two) { #ifdef OPENSSL_NO_EC2M goto err; #else if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL)) goto err; #endif } else { if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL)) goto err; } /* ZIUT is the shared secret */ if(!BN_hex2bn(&bnz, kat->ZIUT)) goto err; Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8; Zlen = BN_num_bytes(bnz); if (Zlen > Ztmplen) goto err; if((Ztmp = OPENSSL_zalloc(Ztmplen)) == NULL) goto err; if((Z = OPENSSL_zalloc(Ztmplen)) == NULL) goto err; if(!BN_bn2binpad(bnz, Z, Ztmplen)) goto err; if (!ECDH_compute_key(Ztmp, Ztmplen, pub, key1, 0)) goto err; /* shared secrets should be identical */ if (memcmp(Ztmp, Z, Ztmplen)) goto err; rv = 1; err: EC_KEY_free(key1); EC_POINT_free(pub); BN_free(bnz); BN_free(x); BN_free(y); OPENSSL_free(Ztmp); OPENSSL_free(Z); if (rv) { BIO_puts(out, " ok\n"); } else { fprintf(stderr, "Error in ECC CDH routines\n"); ERR_print_errors_fp(stderr); } return rv; }
int FIPS_selftest_ecdh(void) { EC_KEY *ec1 = NULL, *ec2 = NULL; const EC_POINT *ecp = NULL; BIGNUM *x = NULL, *y = NULL, *d = NULL; unsigned char *ztmp = NULL; int rv = 1; size_t i; for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) { ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i; if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0)) continue; ztmp = OPENSSL_malloc(ecd->zlen); x = BN_bin2bn(ecd->x1, ecd->x1len, x); y = BN_bin2bn(ecd->y1, ecd->y1len, y); d = BN_bin2bn(ecd->d1, ecd->d1len, d); if (!x || !y || !d || !ztmp) { rv = -1; goto err; } ec1 = EC_KEY_new_by_curve_name(ecd->curve); if (!ec1) { rv = -1; goto err; } EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) { rv = -1; goto err; } if (!EC_KEY_set_private_key(ec1, d)) { rv = -1; goto err; } x = BN_bin2bn(ecd->x2, ecd->x2len, x); y = BN_bin2bn(ecd->y2, ecd->y2len, y); if (!x || !y) { rv = -1; goto err; } ec2 = EC_KEY_new_by_curve_name(ecd->curve); if (!ec2) { rv = -1; goto err; } EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) { rv = -1; goto err; } ecp = EC_KEY_get0_public_key(ec2); if (!ecp) { rv = -1; goto err; } if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) { rv = -1; goto err; } if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL)) ztmp[0] ^= 0x1; if (memcmp(ztmp, ecd->z, ecd->zlen)) { fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0); rv = 0; } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0)) goto err; EC_KEY_free(ec1); ec1 = NULL; EC_KEY_free(ec2); ec2 = NULL; OPENSSL_free(ztmp); ztmp = NULL; } err: if (x) BN_clear_free(x); if (y) BN_clear_free(y); if (d) BN_clear_free(d); if (ec1) EC_KEY_free(ec1); if (ec2) EC_KEY_free(ec2); if (ztmp) OPENSSL_free(ztmp); return rv; }