12 files changed, 193 insertions, 452 deletions
diff --git a/Makefile.in b/Makefile.in
index 3a179a66f..fd539184a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -98,8 +98,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
        ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
        sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
        kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
-        kexgexc.o kexecdhc.o \
+        kexgexc.o kexgexs.o \
-        kexgexs.o kexecdhs.o \
        sntrup4591761.o kexsntrup4591761x25519.o kexkemc.o kexkems.o \
        platform-pledge.o platform-tracing.o platform-misc.o
diff --git a/kex.h b/kex.h
index de5e473e1..9b4c23670 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.101 2019/01/21 10:28:01 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.102 2019/01/21 10:29:56 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -216,6 +216,11 @@ int	 kex_dh_enc(struct kex *, const u_char *, size_t, struct sshbuf **,
    struct sshbuf **);
 int      kex_dh_dec(struct kex *, const u_char *, size_t, struct sshbuf **);
+int      kex_ecdh_keypair(struct kex *);
+int      kex_ecdh_enc(struct kex *, const u_char *, size_t, struct sshbuf **,
+    struct sshbuf **);
+int      kex_ecdh_dec(struct kex *, const u_char *, size_t, struct sshbuf **);
 int      kex_c25519_keypair(struct kex *);
 int      kex_c25519_enc(struct kex *, const u_char *, size_t, struct sshbuf **,
    struct sshbuf **);
@@ -237,11 +242,6 @@ int	 kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
    const BIGNUM *, const u_char *, size_t,
    u_char *, size_t *);
-int kex_ecdh_hash(int, const EC_GROUP *,
-    const struct sshbuf *, const struct sshbuf *,
-    const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
-    const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char *, size_t *);
 int      kex_c25519_hash(int, const struct sshbuf *, const struct sshbuf *,
    const u_char *, size_t, const u_char *, size_t,
    const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
diff --git a/kexecdh.c b/kexecdh.c
index 4380427ea..263f9fd87 100644
--- a/kexecdh.c
+++ b/kexecdh.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: kexecdh.c,v 1.7 2018/12/27 03:25:25 djm Exp $ */
+/* $OpenBSD: kexecdh.c,v 1.8 2019/01/21 10:29:56 djm Exp $ */
 /*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 * Copyright (c) 2010 Damien Miller.  All rights reserved.
+ * Copyright (c) 2019 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -30,71 +30,184 @@
 #include <sys/types.h>
-#include <signal.h>
+#include <stdio.h>
 #include <string.h>
+#include <signal.h>
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-#include <openssl/ec.h>
 #include <openssl/ecdh.h>
-#include "ssh2.h"
 #include "sshkey.h"
-#include "cipher.h"
 #include "kex.h"
 #include "sshbuf.h"
 #include "digest.h"
 #include "ssherr.h"
+static int
+kex_ecdh_dec_key_group(struct kex *, const u_char *, size_t, EC_KEY *key,
+    const EC_GROUP *, struct sshbuf **);
 int
-kex_ecdh_hash(
+kex_ecdh_keypair(struct kex *kex)
-    int hash_alg,
+{
-    const EC_GROUP *ec_group,
+        EC_KEY *client_key = NULL;
-    const struct sshbuf *client_version,
+        const EC_GROUP *group;
-    const struct sshbuf *server_version,
+        const EC_POINT *public_key;
-    const u_char *ckexinit, size_t ckexinitlen,
+        struct sshbuf *buf = NULL;
-    const u_char *skexinit, size_t skexinitlen,
+        int r;
-    const u_char *serverhostkeyblob, size_t sbloblen,
-    const EC_POINT *client_dh_pub,
+        if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
-    const EC_POINT *server_dh_pub,
+                r = SSH_ERR_ALLOC_FAIL;
-    const BIGNUM *shared_secret,
+                goto out;
-    u_char *hash, size_t *hashlen)
+        }
+        if (EC_KEY_generate_key(client_key) != 1) {
+                r = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        group = EC_KEY_get0_group(client_key);
+        public_key = EC_KEY_get0_public_key(client_key);
+        if ((buf = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if ((r = sshbuf_put_ec(buf, public_key, group)) != 0 ||
+            (r = sshbuf_get_u32(buf, NULL)) != 0)
+                goto out;
+#ifdef DEBUG_KEXECDH
+        fputs("client private key:\n", stderr);
+        sshkey_dump_ec_key(client_key);
+#endif
+        kex->ec_client_key = client_key;
+        kex->ec_group = group;
+        client_key = NULL;      /* owned by the kex */
+        kex->kem_client_pub = buf;
+        buf = NULL;
+ out:
+        EC_KEY_free(client_key);
+        sshbuf_free(buf);
+        return r;
+}
+int
+kex_ecdh_enc(struct kex *kex, const u_char *pkblob, size_t pklen,
+    struct sshbuf **server_blobp, struct sshbuf **shared_secretp)
+{
+        const EC_GROUP *group;
+        const EC_POINT *pub_key;
+        EC_KEY *server_key = NULL;
+        struct sshbuf *server_blob = NULL;
+        int r;
+        *server_blobp = NULL;
+        *shared_secretp = NULL;
+        if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if (EC_KEY_generate_key(server_key) != 1) {
+                r = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        group = EC_KEY_get0_group(server_key);
+#ifdef DEBUG_KEXECDH
+        fputs("server private key:\n", stderr);
+        sshkey_dump_ec_key(server_key);
+#endif
+        pub_key = EC_KEY_get0_public_key(server_key);
+        if ((server_blob = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if ((r = sshbuf_put_ec(server_blob, pub_key, group)) != 0 ||
+            (r = sshbuf_get_u32(server_blob, NULL)) != 0)
+                goto out;
+        if ((r = kex_ecdh_dec_key_group(kex, pkblob, pklen, server_key, group,
+            shared_secretp)) != 0)
+                goto out;
+        *server_blobp = server_blob;
+        server_blob = NULL;
+ out:
+        EC_KEY_free(server_key);
+        sshbuf_free(server_blob);
+        return r;
+}
+static int
+kex_ecdh_dec_key_group(struct kex *kex, const u_char *pkblob, size_t pklen,
+    EC_KEY *key, const EC_GROUP *group, struct sshbuf **shared_secretp)
 {
-        struct sshbuf *b;
+        struct sshbuf *buf = NULL;
+        BIGNUM *shared_secret = NULL;
+        EC_POINT *dh_pub = NULL;
+        u_char *kbuf = NULL;
+        size_t klen = 0;
        int r;
-        if (*hashlen < ssh_digest_bytes(hash_alg))
+        *shared_secretp = NULL;
-                return SSH_ERR_INVALID_ARGUMENT;
-        if ((b = sshbuf_new()) == NULL)
+        if ((buf = sshbuf_new()) == NULL) {
-                return SSH_ERR_ALLOC_FAIL;
+                r = SSH_ERR_ALLOC_FAIL;
-        if ((r = sshbuf_put_stringb(b, client_version)) < 0 ||
+                goto out;
-            (r = sshbuf_put_stringb(b, server_version)) < 0 ||
+        }
-            /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
+        if ((r = sshbuf_put_u32(buf, pklen)) != 0 ||
-            (r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||
+            (r = sshbuf_put(buf, pkblob, pklen)) != 0) {
-            (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
+                goto out;
-            (r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||
+        }
-            (r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||
+        if ((dh_pub = EC_POINT_new(group)) == NULL) {
-            (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
+                r = SSH_ERR_ALLOC_FAIL;
-            (r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||
+                goto out;
-            (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
+        }
-            (r = sshbuf_put_ec(b, client_dh_pub, ec_group)) != 0 ||
+        if ((r = sshbuf_get_ec(buf, dh_pub, group)) != 0) {
-            (r = sshbuf_put_ec(b, server_dh_pub, ec_group)) != 0 ||
+                goto out;
-            (r = sshbuf_put_bignum2(b, shared_secret)) != 0) {
-                sshbuf_free(b);
-                return r;
        }
-#ifdef DEBUG_KEX
+        sshbuf_reset(buf);
-        sshbuf_dump(b, stderr);
+#ifdef DEBUG_KEXECDH
+        fputs("public key:\n", stderr);
+        sshkey_dump_ec_point(group, dh_pub);
 #endif
-        if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
+        if (sshkey_ec_validate_public(group, dh_pub) != 0) {
-                sshbuf_free(b);
+                r = SSH_ERR_MESSAGE_INCOMPLETE;
-                return SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        klen = (EC_GROUP_get_degree(group) + 7) / 8;
+        if ((kbuf = malloc(klen)) == NULL ||
+            (shared_secret = BN_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if (ECDH_compute_key(kbuf, klen, dh_pub, key, NULL) != (int)klen ||
+            BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
+                r = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
        }
-        sshbuf_free(b);
+#ifdef DEBUG_KEXECDH
-        *hashlen = ssh_digest_bytes(hash_alg);
+        dump_digest("shared secret", kbuf, klen);
-#ifdef DEBUG_KEX
-        dump_digest("hash", hash, *hashlen);
 #endif
-        return 0;
+        if ((r = sshbuf_put_bignum2(buf, shared_secret)) != 0)
+                goto out;
+        *shared_secretp = buf;
+        buf = NULL;
+ out:
+        EC_POINT_clear_free(dh_pub);
+        BN_clear_free(shared_secret);
+        freezero(kbuf, klen);
+        sshbuf_free(buf);
+        return r;
+}
+int
+kex_ecdh_dec(struct kex *kex, const u_char *pkblob, size_t pklen,
+    struct sshbuf **shared_secretp)
+{
+        int r;
+        r = kex_ecdh_dec_key_group(kex, pkblob, pklen, kex->ec_client_key,
+            kex->ec_group, shared_secretp);
+        EC_KEY_free(kex->ec_client_key);
+        kex->ec_client_key = NULL;
+        return r;
 }
 #endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
diff --git a/kexecdhc.c b/kexecdhc.c
deleted file mode 100644
index bfb9f4707..000000000
--- a/kexecdhc.c
+++ /dev/null
@@ -1,199 +0,0 @@
-/* $OpenBSD: kexecdhc.c,v 1.16 2019/01/21 10:07:22 djm Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- * Copyright (c) 2010 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#include "includes.h"
-#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
-#include <sys/types.h>
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-#include <openssl/ecdh.h>
-#include "sshkey.h"
-#include "cipher.h"
-#include "digest.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "dh.h"
-#include "ssh2.h"
-#include "dispatch.h"
-#include "compat.h"
-#include "ssherr.h"
-#include "sshbuf.h"
-static int input_kex_ecdh_reply(int, u_int32_t, struct ssh *);
-int
-kexecdh_client(struct ssh *ssh)
-{
-        struct kex *kex = ssh->kex;
-        EC_KEY *client_key = NULL;
-        const EC_GROUP *group;
-        const EC_POINT *public_key;
-        int r;
-        if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
-                r = SSH_ERR_ALLOC_FAIL;
-                goto out;
-        }
-        if (EC_KEY_generate_key(client_key) != 1) {
-                r = SSH_ERR_LIBCRYPTO_ERROR;
-                goto out;
-        }
-        group = EC_KEY_get0_group(client_key);
-        public_key = EC_KEY_get0_public_key(client_key);
-        if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_INIT)) != 0 ||
-            (r = sshpkt_put_ec(ssh, public_key, group)) != 0 ||
-            (r = sshpkt_send(ssh)) != 0)
-                goto out;
-        debug("sending SSH2_MSG_KEX_ECDH_INIT");
-#ifdef DEBUG_KEXECDH
-        fputs("client private key:\n", stderr);
-        sshkey_dump_ec_key(client_key);
-#endif
-        kex->ec_client_key = client_key;
-        kex->ec_group = group;
-        client_key = NULL;      /* owned by the kex */
-        debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
-        ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &input_kex_ecdh_reply);
-        r = 0;
- out:
-        EC_KEY_free(client_key);
-        return r;
-}
-static int
-input_kex_ecdh_reply(int type, u_int32_t seq, struct ssh *ssh)
-{
-        struct kex *kex = ssh->kex;
-        const EC_GROUP *group;
-        EC_POINT *server_public = NULL;
-        EC_KEY *client_key;
-        BIGNUM *shared_secret = NULL;
-        struct sshkey *server_host_key = NULL;
-        u_char *server_host_key_blob = NULL, *signature = NULL;
-        u_char *kbuf = NULL;
-        u_char hash[SSH_DIGEST_MAX_LENGTH];
-        size_t slen, sbloblen;
-        size_t klen = 0, hashlen;
-        int r;
-        group = kex->ec_group;
-        client_key = kex->ec_client_key;
-        /* hostkey */
-        if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
-            &sbloblen)) != 0 ||
-            (r = sshkey_from_blob(server_host_key_blob, sbloblen,
-            &server_host_key)) != 0)
-                goto out;
-        if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
-                goto out;
-        /* Q_S, server public key */
-        /* signed H */
-        if ((server_public = EC_POINT_new(group)) == NULL) {
-                r = SSH_ERR_ALLOC_FAIL;
-                goto out;
-        }
-        if ((r = sshpkt_get_ec(ssh, server_public, group)) != 0 ||
-            (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
-            (r = sshpkt_get_end(ssh)) != 0)
-                goto out;
-#ifdef DEBUG_KEXECDH
-        fputs("server public key:\n", stderr);
-        sshkey_dump_ec_point(group, server_public);
-#endif
-        if (sshkey_ec_validate_public(group, server_public) != 0) {
-                sshpkt_disconnect(ssh, "invalid server public key");
-                r = SSH_ERR_MESSAGE_INCOMPLETE;
-                goto out;
-        }
-        klen = (EC_GROUP_get_degree(group) + 7) / 8;
-        if ((kbuf = malloc(klen)) == NULL ||
-            (shared_secret = BN_new()) == NULL) {
-                r = SSH_ERR_ALLOC_FAIL;
-                goto out;
-        }
-        if (ECDH_compute_key(kbuf, klen, server_public,
-            client_key, NULL) != (int)klen ||
-            BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
-                r = SSH_ERR_LIBCRYPTO_ERROR;
-                goto out;
-        }
-#ifdef DEBUG_KEXECDH
-        dump_digest("shared secret", kbuf, klen);
-#endif
-        /* calc and verify H */
-        hashlen = sizeof(hash);
-        if ((r = kex_ecdh_hash(
-            kex->hash_alg,
-            group,
-            kex->client_version,
-            kex->server_version,
-            sshbuf_ptr(kex->my), sshbuf_len(kex->my),
-            sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
-            server_host_key_blob, sbloblen,
-            EC_KEY_get0_public_key(client_key),
-            server_public,
-            shared_secret,
-            hash, &hashlen)) != 0)
-                goto out;
-        if ((r = sshkey_verify(server_host_key, signature, slen, hash,
-            hashlen, kex->hostkey_alg, ssh->compat)) != 0)
-                goto out;
-        if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
-                r = kex_send_newkeys(ssh);
- out:
-        explicit_bzero(hash, sizeof(hash));
-        EC_KEY_free(kex->ec_client_key);
-        kex->ec_client_key = NULL;
-        EC_POINT_clear_free(server_public);
-        if (kbuf) {
-                explicit_bzero(kbuf, klen);
-                free(kbuf);
-        }
-        BN_clear_free(shared_secret);
-        sshkey_free(server_host_key);
-        free(server_host_key_blob);
-        free(signature);
-        return r;
-}
-#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
diff --git a/kexecdhs.c b/kexecdhs.c
deleted file mode 100644
index b9254eed7..000000000
--- a/kexecdhs.c
+++ /dev/null
@@ -1,182 +0,0 @@
-/* $OpenBSD: kexecdhs.c,v 1.21 2019/01/21 10:05:09 djm Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- * Copyright (c) 2010 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#include "includes.h"
-#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
-#include <sys/types.h>
-#include <string.h>
-#include <signal.h>
-#include <openssl/ecdh.h>
-#include "sshkey.h"
-#include "cipher.h"
-#include "digest.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "ssh2.h"
-#include "dispatch.h"
-#include "compat.h"
-#include "ssherr.h"
-#include "sshbuf.h"
-static int input_kex_ecdh_init(int, u_int32_t, struct ssh *);
-int
-kexecdh_server(struct ssh *ssh)
-{
-        debug("expecting SSH2_MSG_KEX_ECDH_INIT");
-        ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_INIT, &input_kex_ecdh_init);
-        return 0;
-}
-static int
-input_kex_ecdh_init(int type, u_int32_t seq, struct ssh *ssh)
-{
-        struct kex *kex = ssh->kex;
-        EC_POINT *client_public;
-        EC_KEY *server_key = NULL;
-        const EC_GROUP *group;
-        const EC_POINT *public_key;
-        BIGNUM *shared_secret = NULL;
-        struct sshkey *server_host_private, *server_host_public;
-        u_char *server_host_key_blob = NULL, *signature = NULL;
-        u_char *kbuf = NULL;
-        u_char hash[SSH_DIGEST_MAX_LENGTH];
-        size_t slen, sbloblen;
-        size_t klen = 0, hashlen;
-        int r;
-        if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
-                r = SSH_ERR_ALLOC_FAIL;
-                goto out;
-        }
-        if (EC_KEY_generate_key(server_key) != 1) {
-                r = SSH_ERR_LIBCRYPTO_ERROR;
-                goto out;
-        }
-        group = EC_KEY_get0_group(server_key);
-#ifdef DEBUG_KEXECDH
-        fputs("server private key:\n", stderr);
-        sshkey_dump_ec_key(server_key);
-#endif
-        if ((r = kex_load_hostkey(ssh, &server_host_private,
-            &server_host_public)) != 0)
-                goto out;
-        if ((client_public = EC_POINT_new(group)) == NULL) {
-                r = SSH_ERR_ALLOC_FAIL;
-                goto out;
-        }
-        if ((r = sshpkt_get_ec(ssh, client_public, group)) != 0 ||
-            (r = sshpkt_get_end(ssh)) != 0)
-                goto out;
-#ifdef DEBUG_KEXECDH
-        fputs("client public key:\n", stderr);
-        sshkey_dump_ec_point(group, client_public);
-#endif
-        if (sshkey_ec_validate_public(group, client_public) != 0) {
-                sshpkt_disconnect(ssh, "invalid client public key");
-                r = SSH_ERR_MESSAGE_INCOMPLETE;
-                goto out;
-        }
-        /* Calculate shared_secret */
-        klen = (EC_GROUP_get_degree(group) + 7) / 8;
-        if ((kbuf = malloc(klen)) == NULL ||
-            (shared_secret = BN_new()) == NULL) {
-                r = SSH_ERR_ALLOC_FAIL;
-                goto out;
-        }
-        if (ECDH_compute_key(kbuf, klen, client_public,
-            server_key, NULL) != (int)klen ||
-            BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
-                r = SSH_ERR_LIBCRYPTO_ERROR;
-                goto out;
-        }
-#ifdef DEBUG_KEXECDH
-        dump_digest("shared secret", kbuf, klen);
-#endif
-        /* calc H */
-        if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
-            &sbloblen)) != 0)
-                goto out;
-        hashlen = sizeof(hash);
-        if ((r = kex_ecdh_hash(
-            kex->hash_alg,
-            group,
-            kex->client_version,
-            kex->server_version,
-            sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
-            sshbuf_ptr(kex->my), sshbuf_len(kex->my),
-            server_host_key_blob, sbloblen,
-            client_public,
-            EC_KEY_get0_public_key(server_key),
-            shared_secret,
-            hash, &hashlen)) != 0)
-                goto out;
-        /* sign H */
-        if ((r = kex->sign(ssh, server_host_private, server_host_public,
-            &signature, &slen, hash, hashlen, kex->hostkey_alg)) < 0)
-                goto out;
-        /* destroy_sensitive_data(); */
-        public_key = EC_KEY_get0_public_key(server_key);
-        /* send server hostkey, ECDH pubkey 'Q_S' and signed H */
-        if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_REPLY)) != 0 ||
-            (r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
-            (r = sshpkt_put_ec(ssh, public_key, group)) != 0 ||
-            (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
-            (r = sshpkt_send(ssh)) != 0)
-                goto out;
-        if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
-                r = kex_send_newkeys(ssh);
- out:
-        explicit_bzero(hash, sizeof(hash));
-        EC_KEY_free(kex->ec_client_key);
-        kex->ec_client_key = NULL;
-        EC_KEY_free(server_key);
-        if (kbuf) {
-                explicit_bzero(kbuf, klen);
-                free(kbuf);
-        }
-        BN_clear_free(shared_secret);
-        free(server_host_key_blob);
-        free(signature);
-        return r;
-}
-#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
diff --git a/kexkemc.c b/kexkemc.c
index 384a4db59..55055de27 100644
--- a/kexkemc.c
+++ b/kexkemc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexkemc.c,v 1.3 2019/01/21 10:28:02 djm Exp $ */
+/* $OpenBSD: kexkemc.c,v 1.4 2019/01/21 10:29:56 djm Exp $ */
 /*
 * Copyright (c) 2019 Markus Friedl.  All rights reserved.
 *
@@ -55,6 +55,9 @@ kex_kem_client(struct ssh *ssh)
        case KEX_DH_GRP18_SHA512:
                r = kex_dh_keypair(kex);
                break;
+        case KEX_ECDH_SHA2:
+                r = kex_ecdh_keypair(kex);
+                break;
        case KEX_C25519_SHA256:
                r = kex_c25519_keypair(kex);
                break;
@@ -113,6 +116,9 @@ input_kex_kem_reply(int type, u_int32_t seq, struct ssh *ssh)
        case KEX_DH_GRP18_SHA512:
                r = kex_dh_dec(kex, server_pubkey, pklen, &shared_secret);
                break;
+        case KEX_ECDH_SHA2:
+                r = kex_ecdh_dec(kex, server_pubkey, pklen, &shared_secret);
+                break;
        case KEX_C25519_SHA256:
                r = kex_c25519_dec(kex, server_pubkey, pklen, &shared_secret);
                break;
diff --git a/kexkems.c b/kexkems.c
index f35906d53..10ef12196 100644
--- a/kexkems.c
+++ b/kexkems.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexkems.c,v 1.3 2019/01/21 10:28:02 djm Exp $ */
+/* $OpenBSD: kexkems.c,v 1.4 2019/01/21 10:29:56 djm Exp $ */
 /*
 * Copyright (c) 2019 Markus Friedl.  All rights reserved.
 *
@@ -77,6 +77,10 @@ input_kex_kem_init(int type, u_int32_t seq, struct ssh *ssh)
                r = kex_dh_enc(kex, client_pubkey, pklen, &server_pubkey,
                    &shared_secret);
                break;
+        case KEX_ECDH_SHA2:
+                r = kex_ecdh_enc(kex, client_pubkey, pklen, &server_pubkey,
+                    &shared_secret);
+                break;
        case KEX_C25519_SHA256:
                r = kex_c25519_enc(kex, client_pubkey, pklen, &server_pubkey,
                    &shared_secret);
diff --git a/monitor.c b/monitor.c
index 01204c2cd..d3357b73c 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.195 2019/01/21 10:28:02 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.196 2019/01/21 10:29:56 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1685,7 +1685,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
                kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
                kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 # ifdef OPENSSL_HAS_ECC
-                kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+                kex->kex[KEX_ECDH_SHA2] = kex_kem_server;
 # endif
 #endif /* WITH_OPENSSL */
                kex->kex[KEX_C25519_SHA256] = kex_kem_server;
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 3d2760056..9541ecf4a 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.123 2019/01/21 10:28:02 djm Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.124 2019/01/21 10:29:56 djm Exp $ */
 /*
 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 *
@@ -268,7 +268,7 @@ keygrab_ssh2(con *c)
        c->c_ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
        c->c_ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 # ifdef OPENSSL_HAS_ECC
-        c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+        c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kex_kem_client;
 # endif
 #endif
        c->c_ssh->kex->kex[KEX_C25519_SHA256] = kex_kem_client;
diff --git a/ssh_api.c b/ssh_api.c
index ac614e599..b21769d23 100644
--- a/ssh_api.c
+++ b/ssh_api.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh_api.c,v 1.13 2019/01/21 10:28:02 djm Exp $ */
+/* $OpenBSD: ssh_api.c,v 1.14 2019/01/21 10:29:56 djm Exp $ */
 /*
 * Copyright (c) 2012 Markus Friedl.  All rights reserved.
 *
@@ -107,7 +107,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
                ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
                ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 # ifdef OPENSSL_HAS_ECC
-                ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+                ssh->kex->kex[KEX_ECDH_SHA2] = kex_kem_server;
 # endif
 #endif /* WITH_OPENSSL */
                ssh->kex->kex[KEX_C25519_SHA256] = kex_kem_server;
@@ -125,7 +125,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
                ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
                ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 # ifdef OPENSSL_HAS_ECC
-                ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+                ssh->kex->kex[KEX_ECDH_SHA2] = kex_kem_client;
 # endif
 #endif /* WITH_OPENSSL */
                ssh->kex->kex[KEX_C25519_SHA256] = kex_kem_client;
diff --git a/sshconnect2.c b/sshconnect2.c
index ebeff29bd..aa5160185 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.299 2019/01/21 10:28:02 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.300 2019/01/21 10:29:56 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -209,7 +209,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
        ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
        ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 # ifdef OPENSSL_HAS_ECC
-        ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+        ssh->kex->kex[KEX_ECDH_SHA2] = kex_kem_client;
 # endif
 #endif
        ssh->kex->kex[KEX_C25519_SHA256] = kex_kem_client;
diff --git a/sshd.c b/sshd.c
index eb92785bf..ddbedd6c6 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.530 2019/01/21 10:28:02 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.531 2019/01/21 10:29:56 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2215,7 +2215,7 @@ do_ssh2_kex(struct ssh *ssh)
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 # ifdef OPENSSL_HAS_ECC
-        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+        kex->kex[KEX_ECDH_SHA2] = kex_kem_server;
 # endif
 #endif
        kex->kex[KEX_C25519_SHA256] = kex_kem_server;