summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2013-11-02 21:59:16 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2013-11-02 21:59:16 +0000
commit622c12d519aa70371d0ccc36d1870912cac824fa (patch)
tree823ab889672d1f34fcd08b088f9000f028a60d25
parenta2ff54001bce44186e6c132552578dc5a643d973 (diff)
use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@
-rw-r--r--usr.bin/ssh/kex.c3
-rw-r--r--usr.bin/ssh/kex.h19
-rw-r--r--usr.bin/ssh/kexc25519.c124
-rw-r--r--usr.bin/ssh/kexc25519c.c125
-rw-r--r--usr.bin/ssh/kexc25519s.c120
-rw-r--r--usr.bin/ssh/lib/Makefile4
-rw-r--r--usr.bin/ssh/myproposal.h3
-rw-r--r--usr.bin/ssh/smult_curve25519_ref.c264
-rw-r--r--usr.bin/ssh/ssh-keyscan.c3
-rw-r--r--usr.bin/ssh/sshconnect2.c3
-rw-r--r--usr.bin/ssh/sshd.c3
-rw-r--r--usr.bin/ssh/sshd/Makefile5
12 files changed, 666 insertions, 10 deletions
diff --git a/usr.bin/ssh/kex.c b/usr.bin/ssh/kex.c
index bc1d6f9ba61..d356a680882 100644
--- a/usr.bin/ssh/kex.c
+++ b/usr.bin/ssh/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.91 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.92 2013/11/02 21:59:15 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -65,6 +65,7 @@ static const struct kexalg kexalgs[] = {
{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, EVP_sha256 },
{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 },
{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 },
+ { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, EVP_sha256 },
{ NULL, -1, -1, NULL},
};
diff --git a/usr.bin/ssh/kex.h b/usr.bin/ssh/kex.h
index 6d8252c1290..bab9c8d7324 100644
--- a/usr.bin/ssh/kex.h
+++ b/usr.bin/ssh/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.56 2013/07/19 07:37:48 markus Exp $ */
+/* $OpenBSD: kex.h,v 1.57 2013/11/02 21:59:15 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -40,6 +40,7 @@
#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256"
#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384"
#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"
+#define KEX_CURVE25519_SHA256 "curve25519-sha256@libssh.org"
#define COMP_NONE 0
#define COMP_ZLIB 1
@@ -71,6 +72,7 @@ enum kex_exchange {
KEX_DH_GEX_SHA1,
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
+ KEX_C25519_SHA256,
KEX_MAX
};
@@ -158,6 +160,8 @@ void kexgex_client(Kex *);
void kexgex_server(Kex *);
void kexecdh_client(Kex *);
void kexecdh_server(Kex *);
+void kexc25519_client(Kex *);
+void kexc25519_server(Kex *);
void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
@@ -170,6 +174,19 @@ void
kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int,
char *, int, u_char *, int, const EC_POINT *, const EC_POINT *,
const BIGNUM *, u_char **, u_int *);
+void
+kex_c25519_hash(const EVP_MD *, char *, char *, char *, int,
+ char *, int, u_char *, int, const u_char *, const u_char *,
+ const BIGNUM *, u_char **, u_int *);
+
+#define CURVE25519_SIZE 32
+void kexc25519_keygen(u_char[CURVE25519_SIZE], u_char[CURVE25519_SIZE])
+ __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
+ __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
+BIGNUM *kexc25519_shared_key(const u_char[CURVE25519_SIZE],
+ const u_char[CURVE25519_SIZE])
+ __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
+ __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
void
derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
diff --git a/usr.bin/ssh/kexc25519.c b/usr.bin/ssh/kexc25519.c
new file mode 100644
index 00000000000..991a06f7c04
--- /dev/null
+++ b/usr.bin/ssh/kexc25519.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2001, 2013 Markus Friedl. All rights reserved.
+ * Copyright (c) 2010 Damien Miller. All rights reserved.
+ * Copyright (c) 2013 Aris Adamantiadis. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+
+#include <signal.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+
+#include "buffer.h"
+#include "ssh2.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "log.h"
+
+extern int crypto_scalarmult_curve25519(u_char a[CURVE25519_SIZE],
+ const u_char b[CURVE25519_SIZE], const u_char c[CURVE25519_SIZE])
+ __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
+ __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)))
+ __attribute__((__bounded__(__minbytes__, 3, CURVE25519_SIZE)));
+
+void
+kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
+{
+ static const u_char basepoint[CURVE25519_SIZE] = {9};
+
+ arc4random_buf(key, CURVE25519_SIZE);
+ crypto_scalarmult_curve25519(pub, key, basepoint);
+}
+
+BIGNUM *
+kexc25519_shared_key(const u_char key[CURVE25519_SIZE],
+ const u_char pub[CURVE25519_SIZE])
+{
+ u_char shared_key[CURVE25519_SIZE];
+ BIGNUM *shared_secret;
+
+ crypto_scalarmult_curve25519(shared_key, key, pub);
+#ifdef DEBUG_KEXECDH
+ dump_digest("shared secret", shared_key, CURVE25519_SIZE);
+#endif
+ if ((shared_secret = BN_new()) == NULL)
+ fatal("%s: BN_new failed", __func__);
+ if (BN_bin2bn(shared_key, sizeof(shared_key), shared_secret) == NULL)
+ fatal("%s: BN_bin2bn failed", __func__);
+ memset(shared_key, 0, CURVE25519_SIZE); /* XXX explicit_bzero() */
+ return (shared_secret);
+}
+
+void
+kex_c25519_hash(
+ const EVP_MD *evp_md,
+ char *client_version_string,
+ char *server_version_string,
+ char *ckexinit, int ckexinitlen,
+ char *skexinit, int skexinitlen,
+ u_char *serverhostkeyblob, int sbloblen,
+ const u_char client_dh_pub[CURVE25519_SIZE],
+ const u_char server_dh_pub[CURVE25519_SIZE],
+ const BIGNUM *shared_secret,
+ u_char **hash, u_int *hashlen)
+{
+ Buffer b;
+ EVP_MD_CTX md;
+ static u_char digest[EVP_MAX_MD_SIZE];
+
+ buffer_init(&b);
+ buffer_put_cstring(&b, client_version_string);
+ buffer_put_cstring(&b, server_version_string);
+
+ /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
+ buffer_put_int(&b, ckexinitlen+1);
+ buffer_put_char(&b, SSH2_MSG_KEXINIT);
+ buffer_append(&b, ckexinit, ckexinitlen);
+ buffer_put_int(&b, skexinitlen+1);
+ buffer_put_char(&b, SSH2_MSG_KEXINIT);
+ buffer_append(&b, skexinit, skexinitlen);
+
+ buffer_put_string(&b, serverhostkeyblob, sbloblen);
+ buffer_put_string(&b, client_dh_pub, CURVE25519_SIZE);
+ buffer_put_string(&b, server_dh_pub, CURVE25519_SIZE);
+ buffer_put_bignum2(&b, shared_secret);
+
+#ifdef DEBUG_KEX
+ buffer_dump(&b);
+#endif
+ EVP_DigestInit(&md, evp_md);
+ EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
+ EVP_DigestFinal(&md, digest, NULL);
+
+ buffer_free(&b);
+
+#ifdef DEBUG_KEX
+ dump_digest("hash", digest, EVP_MD_size(evp_md));
+#endif
+ *hash = digest;
+ *hashlen = EVP_MD_size(evp_md);
+}
diff --git a/usr.bin/ssh/kexc25519c.c b/usr.bin/ssh/kexc25519c.c
new file mode 100644
index 00000000000..b208817bb1d
--- /dev/null
+++ b/usr.bin/ssh/kexc25519c.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
+ * Copyright (c) 2010 Damien Miller. All rights reserved.
+ * Copyright (c) 2013 Aris Adamantiadis. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "ssh2.h"
+
+void
+kexc25519_client(Kex *kex)
+{
+ BIGNUM *shared_secret;
+ Key *server_host_key;
+ u_char client_key[CURVE25519_SIZE];
+ u_char client_pubkey[CURVE25519_SIZE];
+ u_char *server_pubkey = NULL;
+ u_char *server_host_key_blob = NULL, *signature = NULL;
+ u_char *hash;
+ u_int slen, sbloblen, hashlen;
+
+ kexc25519_keygen(client_key, client_pubkey);
+
+ packet_start(SSH2_MSG_KEX_ECDH_INIT);
+ packet_put_string(client_pubkey, sizeof(client_pubkey));
+ packet_send();
+ debug("sending SSH2_MSG_KEX_ECDH_INIT");
+
+#ifdef DEBUG_KEXECDH
+ dump_digest("client private key:", client_key, sizeof(client_key));
+#endif
+
+ debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
+ packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY);
+
+ /* hostkey */
+ server_host_key_blob = packet_get_string(&sbloblen);
+ server_host_key = key_from_blob(server_host_key_blob, sbloblen);
+ if (server_host_key == NULL)
+ fatal("cannot decode server_host_key_blob");
+ if (server_host_key->type != kex->hostkey_type)
+ fatal("type mismatch for decoded server_host_key_blob");
+ if (kex->verify_host_key == NULL)
+ fatal("cannot verify server_host_key");
+ if (kex->verify_host_key(server_host_key) == -1)
+ fatal("server_host_key verification failed");
+
+ /* Q_S, server public key */
+ server_pubkey = packet_get_string(&slen);
+ if (slen != CURVE25519_SIZE)
+ fatal("Incorrect size for server Curve25519 pubkey: %d", slen);
+
+#ifdef DEBUG_KEXECDH
+ dump_digest("server public key:", server_pubkey, CURVE25519_SIZE);
+#endif
+
+ /* signed H */
+ signature = packet_get_string(&slen);
+ packet_check_eom();
+
+ shared_secret = kexc25519_shared_key(client_key, server_pubkey);
+
+ /* calc and verify H */
+ kex_c25519_hash(
+ kex->evp_md,
+ kex->client_version_string,
+ kex->server_version_string,
+ buffer_ptr(&kex->my), buffer_len(&kex->my),
+ buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+ server_host_key_blob, sbloblen,
+ client_pubkey,
+ server_pubkey,
+ shared_secret,
+ &hash, &hashlen
+ );
+ free(server_host_key_blob);
+ free(server_pubkey);
+ if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
+ fatal("key_verify failed for server_host_key");
+ key_free(server_host_key);
+ free(signature);
+
+ /* save session id */
+ if (kex->session_id == NULL) {
+ kex->session_id_len = hashlen;
+ kex->session_id = xmalloc(kex->session_id_len);
+ memcpy(kex->session_id, hash, kex->session_id_len);
+ }
+
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret);
+ kex_finish(kex);
+}
diff --git a/usr.bin/ssh/kexc25519s.c b/usr.bin/ssh/kexc25519s.c
new file mode 100644
index 00000000000..28463d03f50
--- /dev/null
+++ b/usr.bin/ssh/kexc25519s.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
+ * Copyright (c) 2010 Damien Miller. All rights reserved.
+ * Copyright (c) 2013 Aris Adamantiadis. All rights reserved.
+ *
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <string.h>
+#include <signal.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "ssh2.h"
+
+void
+kexc25519_server(Kex *kex)
+{
+ BIGNUM *shared_secret;
+ Key *server_host_private, *server_host_public;
+ u_char *server_host_key_blob = NULL, *signature = NULL;
+ u_char server_key[CURVE25519_SIZE];
+ u_char *client_pubkey = NULL;
+ u_char server_pubkey[CURVE25519_SIZE];
+ u_char *hash;
+ u_int slen, sbloblen, hashlen;
+
+ /* generate private key */
+ kexc25519_keygen(server_key, server_pubkey);
+#ifdef DEBUG_KEXECDH
+ dump_digest("server private key:", server_key, sizeof(server_key));
+#endif
+
+ if (kex->load_host_public_key == NULL ||
+ kex->load_host_private_key == NULL)
+ fatal("Cannot load hostkey");
+ server_host_public = kex->load_host_public_key(kex->hostkey_type);
+ if (server_host_public == NULL)
+ fatal("Unsupported hostkey type %d", kex->hostkey_type);
+ server_host_private = kex->load_host_private_key(kex->hostkey_type);
+
+ debug("expecting SSH2_MSG_KEX_ECDH_INIT");
+ packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);
+ client_pubkey = packet_get_string(&slen);
+ if (slen != CURVE25519_SIZE)
+ fatal("Incorrect size for server Curve25519 pubkey: %d", slen);
+ packet_check_eom();
+
+#ifdef DEBUG_KEXECDH
+ dump_digest("client public key:", client_pubkey, CURVE25519_SIZE);
+#endif
+
+ shared_secret = kexc25519_shared_key(server_key, client_pubkey);
+
+ /* calc H */
+ key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
+ kex_c25519_hash(
+ kex->evp_md,
+ kex->client_version_string,
+ kex->server_version_string,
+ buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+ buffer_ptr(&kex->my), buffer_len(&kex->my),
+ server_host_key_blob, sbloblen,
+ client_pubkey,
+ server_pubkey,
+ shared_secret,
+ &hash, &hashlen
+ );
+
+ /* save session id := H */
+ if (kex->session_id == NULL) {
+ kex->session_id_len = hashlen;
+ kex->session_id = xmalloc(kex->session_id_len);
+ memcpy(kex->session_id, hash, kex->session_id_len);
+ }
+
+ /* sign H */
+ kex->sign(server_host_private, server_host_public, &signature, &slen,
+ hash, hashlen);
+
+ /* destroy_sensitive_data(); */
+
+ /* send server hostkey, ECDH pubkey 'Q_S' and signed H */
+ packet_start(SSH2_MSG_KEX_ECDH_REPLY);
+ packet_put_string(server_host_key_blob, sbloblen);
+ packet_put_string(server_pubkey, sizeof(server_pubkey));
+ packet_put_string(signature, slen);
+ packet_send();
+
+ free(signature);
+ free(server_host_key_blob);
+ /* have keys, free server key */
+ free(client_pubkey);
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret);
+ kex_finish(kex);
+}
diff --git a/usr.bin/ssh/lib/Makefile b/usr.bin/ssh/lib/Makefile
index c4bc546cd21..81f069f1a9a 100644
--- a/usr.bin/ssh/lib/Makefile
+++ b/usr.bin/ssh/lib/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.67 2013/01/17 23:00:01 djm Exp $
+# $OpenBSD: Makefile,v 1.68 2013/11/02 21:59:15 markus Exp $
.PATH: ${.CURDIR}/..
.include "${.CURDIR}/../Makefile.inc"
@@ -13,7 +13,7 @@ SRCS= authfd.c authfile.c bufaux.c bufec.c bufbn.c buffer.c canohost.c \
ssh-dss.c ssh-rsa.c ssh-ecdsa.c dh.c kexdh.c kexgex.c kexecdh.c \
kexdhc.c kexgexc.c kexecdhc.c msg.c progressmeter.c dns.c \
monitor_fdpass.c umac.c addrmatch.c schnorr.c jpake.c ssh-pkcs11.c \
- krl.c
+ krl.c smult_curve25519_ref.c kexc25519.c kexc25519c.c
SRCS+= umac128.c
CLEANFILES+= umac128.c
diff --git a/usr.bin/ssh/myproposal.h b/usr.bin/ssh/myproposal.h
index 22a4f3998e7..9a0cc63d218 100644
--- a/usr.bin/ssh/myproposal.h
+++ b/usr.bin/ssh/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.32 2013/01/08 18:49:04 markus Exp $ */
+/* $OpenBSD: myproposal.h,v 1.33 2013/11/02 21:59:15 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -25,6 +25,7 @@
*/
#define KEX_DEFAULT_KEX \
+ "curve25519-sha256@libssh.org," \
"ecdh-sha2-nistp256," \
"ecdh-sha2-nistp384," \
"ecdh-sha2-nistp521," \
diff --git a/usr.bin/ssh/smult_curve25519_ref.c b/usr.bin/ssh/smult_curve25519_ref.c
new file mode 100644
index 00000000000..036d6e733d1
--- /dev/null
+++ b/usr.bin/ssh/smult_curve25519_ref.c
@@ -0,0 +1,264 @@
+/*
+version 20081011
+Matthew Dempsky
+Public domain.
+Derived from public domain code by D. J. Bernstein.
+*/
+
+int crypto_scalarmult_curve25519(unsigned char *, const unsigned char *, const unsigned char *);
+
+static void add(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])
+{
+ unsigned int j;
+ unsigned int u;
+ u = 0;
+ for (j = 0;j < 31;++j) { u += a[j] + b[j]; out[j] = u & 255; u >>= 8; }
+ u += a[31] + b[31]; out[31] = u;
+}
+
+static void sub(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])
+{
+ unsigned int j;
+ unsigned int u;
+ u = 218;
+ for (j = 0;j < 31;++j) {
+ u += a[j] + 65280 - b[j];
+ out[j] = u & 255;
+ u >>= 8;
+ }
+ u += a[31] - b[31];
+ out[31] = u;
+}
+
+static void squeeze(unsigned int a[32])
+{
+ unsigned int j;
+ unsigned int u;
+ u = 0;
+ for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; }
+ u += a[31]; a[31] = u & 127;
+ u = 19 * (u >> 7);
+ for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; }
+ u += a[31]; a[31] = u;
+}
+
+static const unsigned int minusp[32] = {
+ 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128
+} ;
+
+static void freeze(unsigned int a[32])
+{
+ unsigned int aorig[32];
+ unsigned int j;
+ unsigned int negative;
+
+ for (j = 0;j < 32;++j) aorig[j] = a[j];
+ add(a,a,minusp);
+ negative = -((a[31] >> 7) & 1);
+ for (j = 0;j < 32;++j) a[j] ^= negative & (aorig[j] ^ a[j]);
+}
+
+static void mult(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])
+{
+ unsigned int i;
+ unsigned int j;
+ unsigned int u;
+
+ for (i = 0;i < 32;++i) {
+ u = 0;
+ for (j = 0;j <= i;++j) u += a[j] * b[i - j];
+ for (j = i + 1;j < 32;++j) u += 38 * a[j] * b[i + 32 - j];
+ out[i] = u;
+ }
+ squeeze(out);
+}
+
+static void mult121665(unsigned int out[32],const unsigned int a[32])
+{
+ unsigned int j;
+ unsigned int u;
+
+ u = 0;
+ for (j = 0;j < 31;++j) { u += 121665 * a[j]; out[j] = u & 255; u >>= 8; }
+ u += 121665 * a[31]; out[31] = u & 127;
+ u = 19 * (u >> 7);
+ for (j = 0;j < 31;++j) { u += out[j]; out[j] = u & 255; u >>= 8; }
+ u += out[j]; out[j] = u;
+}
+
+static void square(unsigned int out[32],const unsigned int a[32])
+{
+ unsigned int i;
+ unsigned int j;
+ unsigned int u;
+
+ for (i = 0;i < 32;++i) {
+ u = 0;
+ for (j = 0;j < i - j;++j) u += a[j] * a[i - j];
+ for (j = i + 1;j < i + 32 - j;++j) u += 38 * a[j] * a[i + 32 - j];
+ u *= 2;
+ if ((i & 1) == 0) {
+ u += a[i / 2] * a[i / 2];
+ u += 38 * a[i / 2 + 16] * a[i / 2 + 16];
+ }
+ out[i] = u;
+ }
+ squeeze(out);
+}
+
+static void select(unsigned int p[64],unsigned int q[64],const unsigned int r[64],const unsigned int s[64],unsigned int b)
+{
+ unsigned int j;
+ unsigned int t;
+ unsigned int bminus1;
+
+ bminus1 = b - 1;
+ for (j = 0;j < 64;++j) {
+ t = bminus1 & (r[j] ^ s[j]);
+ p[j] = s[j] ^ t;
+ q[j] = r[j] ^ t;
+ }
+}
+
+static void mainloop(unsigned int work[64],const unsigned char e[32])
+{
+ unsigned int xzm1[64];
+ unsigned int xzm[64];
+ unsigned int xzmb[64];
+ unsigned int xzm1b[64];
+ unsigned int xznb[64];
+ unsigned int xzn1b[64];
+ unsigned int a0[64];
+ unsigned int a1[64];
+ unsigned int b0[64];
+ unsigned int b1[64];
+ unsigned int c1[64];
+ unsigned int r[32];
+ unsigned int s[32];
+ unsigned int t[32];
+ unsigned int u[32];
+ unsigned int j;
+ unsigned int b;
+ int pos;
+
+ for (j = 0;j < 32;++j) xzm1[j] = work[j];
+ xzm1[32] = 1;
+ for (j = 33;j < 64;++j) xzm1[j] = 0;
+
+ xzm[0] = 1;
+ for (j = 1;j < 64;++j) xzm[j] = 0;
+
+ for (pos = 254;pos >= 0;--pos) {
+ b = e[pos / 8] >> (pos & 7);
+ b &= 1;
+ select(xzmb,xzm1b,xzm,xzm1,b);
+ add(a0,xzmb,xzmb + 32);
+ sub(a0 + 32,xzmb,xzmb + 32);
+ add(a1,xzm1b,xzm1b + 32);
+ sub(a1 + 32,xzm1b,xzm1b + 32);
+ square(b0,a0);
+ square(b0 + 32,a0 + 32);
+ mult(b1,a1,a0 + 32);
+ mult(b1 + 32,a1 + 32,a0);
+ add(c1,b1,b1 + 32);
+ sub(c1 + 32,b1,b1 + 32);
+ square(r,c1 + 32);
+ sub(s,b0,b0 + 32);
+ mult121665(t,s);
+ add(u,t,b0);
+ mult(xznb,b0,b0 + 32);
+ mult(xznb + 32,s,u);
+ square(xzn1b,c1);
+ mult(xzn1b + 32,r,work);
+ select(xzm,xzm1,xznb,xzn1b,b);
+ }
+
+ for (j = 0;j < 64;++j) work[j] = xzm[j];
+}
+
+static void recip(unsigned int out[32],const unsigned int z[32])
+{
+ unsigned int z2[32];
+ unsigned int z9[32];
+ unsigned int z11[32];
+ unsigned int z2_5_0[32];
+ unsigned int z2_10_0[32];
+ unsigned int z2_20_0[32];
+ unsigned int z2_50_0[32];
+ unsigned int z2_100_0[32];
+ unsigned int t0[32];
+ unsigned int t1[32];
+ int i;
+
+ /* 2 */ square(z2,z);
+ /* 4 */ square(t1,z2);
+ /* 8 */ square(t0,t1);
+ /* 9 */ mult(z9,t0,z);
+ /* 11 */ mult(z11,z9,z2);
+ /* 22 */ square(t0,z11);
+ /* 2^5 - 2^0 = 31 */ mult(z2_5_0,t0,z9);
+
+ /* 2^6 - 2^1 */ square(t0,z2_5_0);
+ /* 2^7 - 2^2 */ square(t1,t0);
+ /* 2^8 - 2^3 */ square(t0,t1);
+ /* 2^9 - 2^4 */ square(t1,t0);
+ /* 2^10 - 2^5 */ square(t0,t1);
+ /* 2^10 - 2^0 */ mult(z2_10_0,t0,z2_5_0);
+
+ /* 2^11 - 2^1 */ square(t0,z2_10_0);
+ /* 2^12 - 2^2 */ square(t1,t0);
+ /* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { square(t0,t1); square(t1,t0); }
+ /* 2^20 - 2^0 */ mult(z2_20_0,t1,z2_10_0);
+
+ /* 2^21 - 2^1 */ square(t0,z2_20_0);
+ /* 2^22 - 2^2 */ square(t1,t0);
+ /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { square(t0,t1); square(t1,t0); }
+ /* 2^40 - 2^0 */ mult(t0,t1,z2_20_0);
+
+ /* 2^41 - 2^1 */ square(t1,t0);
+ /* 2^42 - 2^2 */ square(t0,t1);
+ /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { square(t1,t0); square(t0,t1); }
+ /* 2^50 - 2^0 */ mult(z2_50_0,t0,z2_10_0);
+
+ /* 2^51 - 2^1 */ square(t0,z2_50_0);
+ /* 2^52 - 2^2 */ square(t1,t0);
+ /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { square(t0,t1); square(t1,t0); }
+ /* 2^100 - 2^0 */ mult(z2_100_0,t1,z2_50_0);
+
+ /* 2^101 - 2^1 */ square(t1,z2_100_0);
+ /* 2^102 - 2^2 */ square(t0,t1);
+ /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { square(t1,t0); square(t0,t1); }
+ /* 2^200 - 2^0 */ mult(t1,t0,z2_100_0);
+
+ /* 2^201 - 2^1 */ square(t0,t1);
+ /* 2^202 - 2^2 */ square(t1,t0);
+ /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { square(t0,t1); square(t1,t0); }
+ /* 2^250 - 2^0 */ mult(t0,t1,z2_50_0);
+
+ /* 2^251 - 2^1 */ square(t1,t0);
+ /* 2^252 - 2^2 */ square(t0,t1);
+ /* 2^253 - 2^3 */ square(t1,t0);
+ /* 2^254 - 2^4 */ square(t0,t1);
+ /* 2^255 - 2^5 */ square(t1,t0);
+ /* 2^255 - 21 */ mult(out,t1,z11);
+}
+
+int crypto_scalarmult_curve25519(unsigned char *q,
+ const unsigned char *n,
+ const unsigned char *p)
+{
+ unsigned int work[96];
+ unsigned char e[32];
+ unsigned int i;
+ for (i = 0;i < 32;++i) e[i] = n[i];
+ e[0] &= 248;
+ e[31] &= 127;
+ e[31] |= 64;
+ for (i = 0;i < 32;++i) work[i] = p[i];
+ mainloop(work,e);
+ recip(work + 32,work + 32);
+ mult(work + 64,work,work + 32);
+ freeze(work + 64);
+ for (i = 0;i < 32;++i) q[i] = work[64 + i];
+ return 0;
+}
diff --git a/usr.bin/ssh/ssh-keyscan.c b/usr.bin/ssh/ssh-keyscan.c
index 660e4e06efa..137674cf69b 100644
--- a/usr.bin/ssh/ssh-keyscan.c
+++ b/usr.bin/ssh/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.87 2013/05/17 00:13:14 djm Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.88 2013/11/02 21:59:15 markus Exp $ */
/*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
*
@@ -239,6 +239,7 @@ keygrab_ssh2(con *c)
c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
c->c_kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+ c->c_kex->kex[KEX_C25519_SHA256] = kexc25519_client;
c->c_kex->verify_host_key = hostjump;
if (!(j = setjmp(kexjmp))) {
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index a5e621ea81b..1572fe457f6 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.198 2013/06/05 12:52:38 dtucker Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.199 2013/11/02 21:59:15 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -202,6 +202,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+ kex->kex[KEX_C25519_SHA256] = kexc25519_client;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
kex->verify_host_key=&verify_host_key_callback;
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index 006a90a529e..09ba9d8c6d6 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.409 2013/10/23 23:35:32 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.410 2013/11/02 21:59:15 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2305,6 +2305,7 @@ do_ssh2_kex(void)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ kex->kex[KEX_C25519_SHA256] = kexc25519_server;
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile
index d59607c9417..c9f0b8e853c 100644
--- a/usr.bin/ssh/sshd/Makefile
+++ b/usr.bin/ssh/sshd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.79 2013/08/10 10:19:35 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.80 2013/11/02 21:59:15 markus Exp $
.PATH: ${.CURDIR}/..
@@ -16,7 +16,8 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
auth2-none.c auth2-passwd.c auth2-pubkey.c \
monitor_mm.c monitor.c monitor_wrap.c \
kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
- roaming_common.c roaming_serv.c sandbox-systrace.c
+ roaming_common.c roaming_serv.c sandbox-systrace.c \
+ kexc25519s.c
.include <bsd.own.mk> # for KERBEROS and AFS