1 files changed, 51 insertions, 30 deletions
diff --git a/kex.h b/kex.h
index 593de1208..6d446d1cc 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.91 2018/07/11 18:53:29 markus Exp $ */
+/* $OpenBSD: kex.h,v 1.107 2019/01/23 00:30:41 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -27,6 +27,7 @@
 #define KEX_H
 #include "mac.h"
+#include "crypto_api.h"
 #ifdef WITH_LEAKMALLOC
 #include "leakmalloc.h"
@@ -62,6 +63,7 @@
 #define KEX_ECDH_SHA2_NISTP521          "ecdh-sha2-nistp521"
 #define KEX_CURVE25519_SHA256           "curve25519-sha256"
 #define KEX_CURVE25519_SHA256_OLD       "curve25519-sha256@libssh.org"
+#define KEX_SNTRUP4591761X25519_SHA512  "sntrup4591761x25519-sha512@tinyssh.org"
 #define COMP_NONE       0
 /* pre-auth compression (COMP_ZLIB) is only supported in the client */
@@ -100,10 +102,12 @@ enum kex_exchange {
        KEX_DH_GEX_SHA256,
        KEX_ECDH_SHA2,
        KEX_C25519_SHA256,
+        KEX_KEM_SNTRUP4591761X25519_SHA512,
        KEX_MAX
 };
 #define KEX_INIT_SENT   0x0001
+#define KEX_INITIAL     0x0002
 struct sshenc {
        char    *name;
@@ -144,27 +148,29 @@ struct kex {
        int     ext_info_c;
        struct sshbuf *my;
        struct sshbuf *peer;
+        struct sshbuf *client_version;
+        struct sshbuf *server_version;
        sig_atomic_t done;
        u_int   flags;
        int     hash_alg;
        int     ec_nid;
-        char    *client_version_string;
-        char    *server_version_string;
        char    *failed_choice;
        int     (*verify_host_key)(struct sshkey *, struct ssh *);
        struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
        struct sshkey *(*load_host_private_key)(int, int, struct ssh *);
        int     (*host_key_index)(struct sshkey *, int, struct ssh *);
-        int     (*sign)(struct sshkey *, struct sshkey *, u_char **, size_t *,
+        int     (*sign)(struct ssh *, struct sshkey *, struct sshkey *,
-            const u_char *, size_t, const char *, u_int);
+            u_char **, size_t *, const u_char *, size_t, const char *);
        int     (*kex[KEX_MAX])(struct ssh *);
        /* kex specific state */
        DH      *dh;                    /* DH */
        u_int   min, max, nbits;        /* GEX */
        EC_KEY  *ec_client_key;         /* ECDH */
        const EC_GROUP *ec_group;       /* ECDH */
-        u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 */
+        u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 + KEM */
        u_char c25519_client_pubkey[CURVE25519_SIZE]; /* 25519 */
+        u_char sntrup4591761_client_key[crypto_kem_sntrup4591761_SECRETKEYBYTES]; /* KEM */
+        struct sshbuf *client_pub;
 };
 int      kex_names_valid(const char *);
@@ -172,7 +178,10 @@ char	*kex_alg_list(char);
 char    *kex_names_cat(const char *, const char *);
 int      kex_assemble_names(char **, const char *, const char *);
-int      kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
+int      kex_exchange_identification(struct ssh *, int, const char *);
+struct kex *kex_new(void);
+int      kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
 int      kex_setup(struct ssh *, char *[PROPOSAL_MAX]);
 void     kex_free_newkeys(struct newkeys *);
 void     kex_free(struct kex *);
@@ -180,44 +189,52 @@ void	 kex_free(struct kex *);
 int      kex_buf2prop(struct sshbuf *, int *, char ***);
 int      kex_prop2buf(struct sshbuf *, char *proposal[PROPOSAL_MAX]);
 void     kex_prop_free(char **);
+int      kex_load_hostkey(struct ssh *, struct sshkey **, struct sshkey **);
+int      kex_verify_host_key(struct ssh *, struct sshkey *);
 int      kex_send_kexinit(struct ssh *);
 int      kex_input_kexinit(int, u_int32_t, struct ssh *);
 int      kex_input_ext_info(int, u_int32_t, struct ssh *);
 int      kex_derive_keys(struct ssh *, u_char *, u_int, const struct sshbuf *);
-int      kex_derive_keys_bn(struct ssh *, u_char *, u_int, const BIGNUM *);
 int      kex_send_newkeys(struct ssh *);
 int      kex_start_rekex(struct ssh *);
-int      kexdh_client(struct ssh *);
-int      kexdh_server(struct ssh *);
 int      kexgex_client(struct ssh *);
 int      kexgex_server(struct ssh *);
-int      kexecdh_client(struct ssh *);
+int      kex_gen_client(struct ssh *);
-int      kexecdh_server(struct ssh *);
+int      kex_gen_server(struct ssh *);
-int      kexc25519_client(struct ssh *);
-int      kexc25519_server(struct ssh *);
+int      kex_dh_keypair(struct kex *);
+int      kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
+    struct sshbuf **);
+int      kex_dh_dec(struct kex *, const struct sshbuf *, struct sshbuf **);
+int      kex_ecdh_keypair(struct kex *);
+int      kex_ecdh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
+    struct sshbuf **);
+int      kex_ecdh_dec(struct kex *, const struct sshbuf *, struct sshbuf **);
+int      kex_c25519_keypair(struct kex *);
+int      kex_c25519_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
+    struct sshbuf **);
+int      kex_c25519_dec(struct kex *, const struct sshbuf *, struct sshbuf **);
+int      kex_kem_sntrup4591761x25519_keypair(struct kex *);
+int      kex_kem_sntrup4591761x25519_enc(struct kex *, const struct sshbuf *,
+    struct sshbuf **, struct sshbuf **);
+int      kex_kem_sntrup4591761x25519_dec(struct kex *, const struct sshbuf *,
+    struct sshbuf **);
-int      kex_dh_hash(int, const char *, const char *,
+int      kex_dh_keygen(struct kex *);
-    const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
+int      kex_dh_compute_key(struct kex *, BIGNUM *, struct sshbuf *);
-    const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
-int      kexgex_hash(int, const char *, const char *,
+int      kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
-    const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
+    const struct sshbuf *, const struct sshbuf *, const struct sshbuf *,
    int, int, int,
    const BIGNUM *, const BIGNUM *, const BIGNUM *,
-    const BIGNUM *, const BIGNUM *,
+    const BIGNUM *, const u_char *, size_t,
    u_char *, size_t *);
-int kex_ecdh_hash(int, const EC_GROUP *, const char *, const char *,
-    const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
-    const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char *, size_t *);
-int      kex_c25519_hash(int, const char *, const char *,
-    const u_char *, size_t, const u_char *, size_t,
-    const u_char *, size_t, const u_char *, const u_char *,
-    const u_char *, size_t, u_char *, size_t *);
 void    kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
        __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
        __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
@@ -225,9 +242,13 @@ int	kexc25519_shared_key(const u_char key[CURVE25519_SIZE],
    const u_char pub[CURVE25519_SIZE], struct sshbuf *out)
        __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
        __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
+int     kexc25519_shared_key_ext(const u_char key[CURVE25519_SIZE],
+    const u_char pub[CURVE25519_SIZE], struct sshbuf *out, int)
+        __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
+        __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
-void    dump_digest(char *, u_char *, int);
+void    dump_digest(const char *, const u_char *, int);
 #endif
 #if !defined(WITH_OPENSSL) || !defined(OPENSSL_HAS_ECC)

diff --git a/kex.h b/kex.h index 593de1208..6d446d1cc 100644 --- a/kex.h +++ b/kex.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: kex.h,v 1.91 2018/07/11 18:53:29 markus Exp $ */	1	/* $OpenBSD: kex.h,v 1.107 2019/01/23 00:30:41 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.	4	* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -27,6 +27,7 @@
27	#define KEX_H	27	#define KEX_H
28		28
29	#include "mac.h"	29	#include "mac.h"
		30	#include "crypto_api.h"
30		31
31	#ifdef WITH_LEAKMALLOC	32	#ifdef WITH_LEAKMALLOC
32	#include "leakmalloc.h"	33	#include "leakmalloc.h"
@@ -62,6 +63,7 @@
62	#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"	63	#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"
63	#define KEX_CURVE25519_SHA256 "curve25519-sha256"	64	#define KEX_CURVE25519_SHA256 "curve25519-sha256"
64	#define KEX_CURVE25519_SHA256_OLD "curve25519-sha256@libssh.org"	65	#define KEX_CURVE25519_SHA256_OLD "curve25519-sha256@libssh.org"
		66	#define KEX_SNTRUP4591761X25519_SHA512 "sntrup4591761x25519-sha512@tinyssh.org"
65		67
66	#define COMP_NONE 0	68	#define COMP_NONE 0
67	/* pre-auth compression (COMP_ZLIB) is only supported in the client */	69	/* pre-auth compression (COMP_ZLIB) is only supported in the client */
@@ -100,10 +102,12 @@ enum kex_exchange {
100	KEX_DH_GEX_SHA256,	102	KEX_DH_GEX_SHA256,
101	KEX_ECDH_SHA2,	103	KEX_ECDH_SHA2,
102	KEX_C25519_SHA256,	104	KEX_C25519_SHA256,
		105	KEX_KEM_SNTRUP4591761X25519_SHA512,
103	KEX_MAX	106	KEX_MAX
104	};	107	};
105		108
106	#define KEX_INIT_SENT 0x0001	109	#define KEX_INIT_SENT 0x0001
		110	#define KEX_INITIAL 0x0002
107		111
108	struct sshenc {	112	struct sshenc {
109	char *name;	113	char *name;
@@ -144,27 +148,29 @@ struct kex {
144	int ext_info_c;	148	int ext_info_c;
145	struct sshbuf *my;	149	struct sshbuf *my;
146	struct sshbuf *peer;	150	struct sshbuf *peer;
		151	struct sshbuf *client_version;
		152	struct sshbuf *server_version;
147	sig_atomic_t done;	153	sig_atomic_t done;
148	u_int flags;	154	u_int flags;
149	int hash_alg;	155	int hash_alg;
150	int ec_nid;	156	int ec_nid;
151	char *client_version_string;
152	char *server_version_string;
153	char *failed_choice;	157	char *failed_choice;
154	int (verify_host_key)(struct sshkey , struct ssh *);	158	int (verify_host_key)(struct sshkey , struct ssh *);
155	struct sshkey (load_host_public_key)(int, int, struct ssh *);	159	struct sshkey (load_host_public_key)(int, int, struct ssh *);
156	struct sshkey (load_host_private_key)(int, int, struct ssh *);	160	struct sshkey (load_host_private_key)(int, int, struct ssh *);
157	int (host_key_index)(struct sshkey , int, struct ssh *);	161	int (host_key_index)(struct sshkey , int, struct ssh *);
158	int (sign)(struct sshkey , struct sshkey , u_char , size_t ,	162	int (sign)(struct ssh , struct sshkey , struct sshkey ,
159	const u_char , size_t, const char , u_int);	163	u_char *, size_t , const u_char , size_t, const char );
160	int (kex[KEX_MAX])(struct ssh );	164	int (kex[KEX_MAX])(struct ssh );
161	/* kex specific state */	165	/* kex specific state */
162	DH dh; / DH */	166	DH dh; / DH */
163	u_int min, max, nbits; /* GEX */	167	u_int min, max, nbits; /* GEX */
164	EC_KEY ec_client_key; / ECDH */	168	EC_KEY ec_client_key; / ECDH */
165	const EC_GROUP ec_group; / ECDH */	169	const EC_GROUP ec_group; / ECDH */
166	u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 */	170	u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 + KEM */
167	u_char c25519_client_pubkey[CURVE25519_SIZE]; /* 25519 */	171	u_char c25519_client_pubkey[CURVE25519_SIZE]; /* 25519 */
		172	u_char sntrup4591761_client_key[crypto_kem_sntrup4591761_SECRETKEYBYTES]; /* KEM */
		173	struct sshbuf *client_pub;
168	};	174	};
169		175
170	int kex_names_valid(const char *);	176	int kex_names_valid(const char *);
@@ -172,7 +178,10 @@ char *kex_alg_list(char);
172	char kex_names_cat(const char , const char *);	178	char kex_names_cat(const char , const char *);
173	int kex_assemble_names(char *, const char , const char *);	179	int kex_assemble_names(char *, const char , const char *);
174		180
175	int kex_new(struct ssh , char [PROPOSAL_MAX], struct kex **);	181	int kex_exchange_identification(struct ssh , int, const char );
		182
		183	struct kex *kex_new(void);
		184	int kex_ready(struct ssh , char [PROPOSAL_MAX]);
176	int kex_setup(struct ssh , char [PROPOSAL_MAX]);	185	int kex_setup(struct ssh , char [PROPOSAL_MAX]);
177	void kex_free_newkeys(struct newkeys *);	186	void kex_free_newkeys(struct newkeys *);
178	void kex_free(struct kex *);	187	void kex_free(struct kex *);
@@ -180,44 +189,52 @@ void kex_free(struct kex *);
180	int kex_buf2prop(struct sshbuf , int , char ***);	189	int kex_buf2prop(struct sshbuf , int , char ***);
181	int kex_prop2buf(struct sshbuf , char proposal[PROPOSAL_MAX]);	190	int kex_prop2buf(struct sshbuf , char proposal[PROPOSAL_MAX]);
182	void kex_prop_free(char **);	191	void kex_prop_free(char **);
		192	int kex_load_hostkey(struct ssh , struct sshkey , struct sshkey *);
		193	int kex_verify_host_key(struct ssh , struct sshkey );
183		194
184	int kex_send_kexinit(struct ssh *);	195	int kex_send_kexinit(struct ssh *);
185	int kex_input_kexinit(int, u_int32_t, struct ssh *);	196	int kex_input_kexinit(int, u_int32_t, struct ssh *);
186	int kex_input_ext_info(int, u_int32_t, struct ssh *);	197	int kex_input_ext_info(int, u_int32_t, struct ssh *);
187	int kex_derive_keys(struct ssh , u_char , u_int, const struct sshbuf *);	198	int kex_derive_keys(struct ssh , u_char , u_int, const struct sshbuf *);
188	int kex_derive_keys_bn(struct ssh , u_char , u_int, const BIGNUM *);
189	int kex_send_newkeys(struct ssh *);	199	int kex_send_newkeys(struct ssh *);
190	int kex_start_rekex(struct ssh *);	200	int kex_start_rekex(struct ssh *);
191		201
192	int kexdh_client(struct ssh *);
193	int kexdh_server(struct ssh *);
194	int kexgex_client(struct ssh *);	202	int kexgex_client(struct ssh *);
195	int kexgex_server(struct ssh *);	203	int kexgex_server(struct ssh *);
196	int kexecdh_client(struct ssh *);	204	int kex_gen_client(struct ssh *);
197	int kexecdh_server(struct ssh *);	205	int kex_gen_server(struct ssh *);
198	int kexc25519_client(struct ssh *);	206
199	int kexc25519_server(struct ssh *);	207	int kex_dh_keypair(struct kex *);
		208	int kex_dh_enc(struct kex , const struct sshbuf , struct sshbuf **,
		209	struct sshbuf **);
		210	int kex_dh_dec(struct kex , const struct sshbuf , struct sshbuf **);
		211
		212	int kex_ecdh_keypair(struct kex *);
		213	int kex_ecdh_enc(struct kex , const struct sshbuf , struct sshbuf **,
		214	struct sshbuf **);
		215	int kex_ecdh_dec(struct kex , const struct sshbuf , struct sshbuf **);
		216
		217	int kex_c25519_keypair(struct kex *);
		218	int kex_c25519_enc(struct kex , const struct sshbuf , struct sshbuf **,
		219	struct sshbuf **);
		220	int kex_c25519_dec(struct kex , const struct sshbuf , struct sshbuf **);
		221
		222	int kex_kem_sntrup4591761x25519_keypair(struct kex *);
		223	int kex_kem_sntrup4591761x25519_enc(struct kex , const struct sshbuf ,
		224	struct sshbuf , struct sshbuf );
		225	int kex_kem_sntrup4591761x25519_dec(struct kex , const struct sshbuf ,
		226	struct sshbuf **);
200		227
201	int kex_dh_hash(int, const char , const char ,	228	int kex_dh_keygen(struct kex *);
202	const u_char , size_t, const u_char , size_t, const u_char *, size_t,	229	int kex_dh_compute_key(struct kex , BIGNUM , struct sshbuf *);
203	const BIGNUM , const BIGNUM , const BIGNUM , u_char , size_t *);
204		230
205	int kexgex_hash(int, const char , const char ,	231	int kexgex_hash(int, const struct sshbuf , const struct sshbuf ,
206	const u_char , size_t, const u_char , size_t, const u_char *, size_t,	232	const struct sshbuf , const struct sshbuf , const struct sshbuf *,
207	int, int, int,	233	int, int, int,
208	const BIGNUM , const BIGNUM , const BIGNUM *,	234	const BIGNUM , const BIGNUM , const BIGNUM *,
209	const BIGNUM , const BIGNUM ,	235	const BIGNUM , const u_char , size_t,
210	u_char , size_t );	236	u_char , size_t );
211		237
212	int kex_ecdh_hash(int, const EC_GROUP , const char , const char *,
213	const u_char , size_t, const u_char , size_t, const u_char *, size_t,
214	const EC_POINT , const EC_POINT , const BIGNUM , u_char , size_t *);
215
216	int kex_c25519_hash(int, const char , const char ,
217	const u_char , size_t, const u_char , size_t,
218	const u_char , size_t, const u_char , const u_char *,
219	const u_char , size_t, u_char , size_t *);
220
221	void kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])	238	void kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
222	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))	239	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
223	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));	240	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
@@ -225,9 +242,13 @@ int kexc25519_shared_key(const u_char key[CURVE25519_SIZE],
225	const u_char pub[CURVE25519_SIZE], struct sshbuf *out)	242	const u_char pub[CURVE25519_SIZE], struct sshbuf *out)
226	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))	243	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
227	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));	244	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
		245	int kexc25519_shared_key_ext(const u_char key[CURVE25519_SIZE],
		246	const u_char pub[CURVE25519_SIZE], struct sshbuf *out, int)
		247	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
		248	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
228		249
229	#if defined(DEBUG_KEX) \|\| defined(DEBUG_KEXDH) \|\| defined(DEBUG_KEXECDH)	250	#if defined(DEBUG_KEX) \|\| defined(DEBUG_KEXDH) \|\| defined(DEBUG_KEXECDH)
230	void dump_digest(char , u_char , int);	251	void dump_digest(const char , const u_char , int);
231	#endif	252	#endif
232		253
233	#if !defined(WITH_OPENSSL) \|\| !defined(OPENSSL_HAS_ECC)	254	#if !defined(WITH_OPENSSL) \|\| !defined(OPENSSL_HAS_ECC)