mirror of
https://git.libssh.org/projects/libssh.git
synced 2026-02-07 02:39:48 +09:00
Get rid of the deprecated OpenSSL API
It turns out there is a way to get the uncompressed format from the low-level API, which is not (yet?) deprecated so this removes all of the TODO's for ECDSA keys and moves the EC_KEY structure in the high-level EVP_PKEY. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Norbert Pocs <npocs@redhat.com>
This commit is contained in:
Jakub Jelen
@@ -30,11 +30,7 @@
|
||||
|
||||
#ifdef HAVE_ECDH
|
||||
#include <openssl/ecdh.h>
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#define NISTP256 NID_X9_62_prime256v1
|
||||
#define NISTP384 NID_secp384r1
|
||||
#define NISTP521 NID_secp521r1
|
||||
@@ -48,11 +44,7 @@
|
||||
/** @internal
|
||||
* @brief Map the given key exchange enum value to its curve name.
|
||||
*/
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
static int ecdh_kex_type_to_curve(enum ssh_key_exchange_e kex_type) {
|
||||
#else
|
||||
static const char *ecdh_kex_type_to_curve(enum ssh_key_exchange_e kex_type) {
|
||||
@@ -64,183 +56,156 @@ static const char *ecdh_kex_type_to_curve(enum ssh_key_exchange_e kex_type) {
|
||||
} else if (kex_type == SSH_KEX_ECDH_SHA2_NISTP521) {
|
||||
return NISTP521;
|
||||
}
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
return SSH_ERROR;
|
||||
#else
|
||||
return NULL;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* @internal
|
||||
* @brief Generate ECDH key pair for ecdh key exchange and store it in the
|
||||
* session->next_crypto structure
|
||||
*/
|
||||
ssh_string ssh_ecdh_generate(ssh_session session)
|
||||
{
|
||||
ssh_string pubkey_string = NULL;
|
||||
const EC_GROUP *group = NULL;
|
||||
const EC_POINT *point = NULL;
|
||||
int rc;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
EC_KEY *key = NULL;
|
||||
int curve;
|
||||
#else
|
||||
const char *curve = NULL;
|
||||
EVP_PKEY *key = NULL;
|
||||
OSSL_PARAM *out_params = NULL;
|
||||
const OSSL_PARAM *pubkey_param = NULL;
|
||||
const void *pubkey = NULL;
|
||||
size_t pubkey_len;
|
||||
int nid;
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
|
||||
curve = ecdh_kex_type_to_curve(session->next_crypto->kex_type);
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
if (curve == SSH_ERROR) {
|
||||
SSH_LOG(SSH_LOG_TRACE, "Failed to get curve name");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
key = EC_KEY_new_by_curve_name(curve);
|
||||
#else
|
||||
if (curve == NULL) {
|
||||
SSH_LOG(SSH_LOG_TRACE, "Failed to get curve name");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
key = EVP_EC_gen(curve);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
if (key == NULL) {
|
||||
SSH_LOG(SSH_LOG_TRACE, "Failed to generate key");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
group = EC_KEY_get0_group(key);
|
||||
|
||||
EC_KEY_generate_key(key);
|
||||
|
||||
point = EC_KEY_get0_public_key(key);
|
||||
#else
|
||||
rc = EVP_PKEY_todata(key, EVP_PKEY_PUBLIC_KEY, &out_params);
|
||||
if (rc != 1) {
|
||||
SSH_LOG(SSH_LOG_TRACE, "Failed to export public key");
|
||||
EVP_PKEY_free(key);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
pubkey_param = OSSL_PARAM_locate_const(out_params, OSSL_PKEY_PARAM_PUB_KEY);
|
||||
if (pubkey_param == NULL) {
|
||||
SSH_LOG(SSH_LOG_TRACE, "Failed to find public key");
|
||||
EVP_PKEY_free(key);
|
||||
OSSL_PARAM_free(out_params);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
rc = OSSL_PARAM_get_octet_string_ptr(pubkey_param,
|
||||
(const void**)&pubkey,
|
||||
&pubkey_len);
|
||||
OSSL_PARAM_free(out_params);
|
||||
if (rc != 1) {
|
||||
SSH_LOG(SSH_LOG_TRACE, "Failed to read public key");
|
||||
EVP_PKEY_free(key);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* Convert the data to low-level representation */
|
||||
nid = pki_key_ecgroup_name_to_nid(curve);
|
||||
group = EC_GROUP_new_by_curve_name_ex(NULL, NULL, nid);
|
||||
point = EC_POINT_new(group);
|
||||
rc = EC_POINT_oct2point(group, (EC_POINT *)point, pubkey, pubkey_len, NULL);
|
||||
if (group == NULL || point == NULL || rc != 1) {
|
||||
SSH_LOG(SSH_LOG_TRACE, "Failed to export public key");
|
||||
EVP_PKEY_free(key);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
pubkey_string = pki_key_make_ecpoint_string(group, point);
|
||||
if (pubkey_string == NULL) {
|
||||
SSH_LOG(SSH_LOG_TRACE, "Failed to convert public key");
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
EC_KEY_free(key);
|
||||
#else
|
||||
EVP_PKEY_free(key);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
return NULL;
|
||||
}
|
||||
session->next_crypto->ecdh_privkey = key;
|
||||
return pubkey_string;
|
||||
}
|
||||
|
||||
/** @internal
|
||||
* @brief Starts ecdh-sha2-nistp256 key exchange
|
||||
*/
|
||||
int ssh_client_ecdh_init(ssh_session session){
|
||||
int rc;
|
||||
ssh_string client_pubkey;
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
EC_KEY *key;
|
||||
const EC_GROUP *group;
|
||||
const EC_POINT *pubkey;
|
||||
int curve;
|
||||
int len;
|
||||
bignum_CTX ctx = BN_CTX_new();
|
||||
if (ctx == NULL) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
#else
|
||||
const char *curve = NULL;
|
||||
EVP_PKEY *key = NULL;
|
||||
OSSL_PARAM *out_params = NULL;
|
||||
const OSSL_PARAM *pubkey_param = NULL;
|
||||
const uint8_t *pubkey = NULL;
|
||||
size_t pubkey_len;
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
int ssh_client_ecdh_init(ssh_session session)
|
||||
{
|
||||
ssh_string client_pubkey = NULL;
|
||||
int rc;
|
||||
|
||||
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT);
|
||||
if (rc < 0) {
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
BN_CTX_free(ctx);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
return SSH_ERROR;
|
||||
}
|
||||
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT);
|
||||
if (rc < 0) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
curve = ecdh_kex_type_to_curve(session->next_crypto->kex_type);
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
if (curve == SSH_ERROR) {
|
||||
BN_CTX_free(ctx);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
client_pubkey = ssh_ecdh_generate(session);
|
||||
if (client_pubkey == NULL) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
key = EC_KEY_new_by_curve_name(curve);
|
||||
#else
|
||||
if (curve == NULL) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
rc = ssh_buffer_add_ssh_string(session->out_buffer, client_pubkey);
|
||||
if (rc < 0) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
key = EVP_EC_gen(curve);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
session->next_crypto->ecdh_client_pubkey = client_pubkey;
|
||||
|
||||
if (key == NULL) {
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
BN_CTX_free(ctx);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
return SSH_ERROR;
|
||||
}
|
||||
/* register the packet callbacks */
|
||||
ssh_packet_set_callbacks(session, &ssh_ecdh_client_callbacks);
|
||||
session->dh_handshake_state = DH_STATE_INIT_SENT;
|
||||
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
group = EC_KEY_get0_group(key);
|
||||
rc = ssh_packet_send(session);
|
||||
|
||||
EC_KEY_generate_key(key);
|
||||
|
||||
pubkey=EC_KEY_get0_public_key(key);
|
||||
len = EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
|
||||
NULL,0,ctx);
|
||||
|
||||
client_pubkey = ssh_string_new(len);
|
||||
if (client_pubkey == NULL) {
|
||||
BN_CTX_free(ctx);
|
||||
EC_KEY_free(key);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
|
||||
ssh_string_data(client_pubkey),len,ctx);
|
||||
BN_CTX_free(ctx);
|
||||
#else
|
||||
rc = EVP_PKEY_todata(key, EVP_PKEY_PUBLIC_KEY, &out_params);
|
||||
if (rc != 1) {
|
||||
EVP_PKEY_free(key);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
pubkey_param = OSSL_PARAM_locate_const(out_params, OSSL_PKEY_PARAM_PUB_KEY);
|
||||
if (pubkey_param == NULL) {
|
||||
EVP_PKEY_free(key);
|
||||
OSSL_PARAM_free(out_params);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
rc = OSSL_PARAM_get_octet_string_ptr(pubkey_param,
|
||||
(const void**)&pubkey,
|
||||
&pubkey_len);
|
||||
if (rc != 1) {
|
||||
OSSL_PARAM_free(out_params);
|
||||
EVP_PKEY_free(key);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
client_pubkey = ssh_string_new(pubkey_len);
|
||||
if (client_pubkey == NULL) {
|
||||
OSSL_PARAM_free(out_params);
|
||||
EVP_PKEY_free(key);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
memcpy(ssh_string_data(client_pubkey), pubkey, pubkey_len);
|
||||
OSSL_PARAM_free(out_params);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
|
||||
rc = ssh_buffer_add_ssh_string(session->out_buffer,client_pubkey);
|
||||
if (rc < 0) {
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
EC_KEY_free(key);
|
||||
#else
|
||||
EVP_PKEY_free(key);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
SSH_STRING_FREE(client_pubkey);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
session->next_crypto->ecdh_privkey = key;
|
||||
session->next_crypto->ecdh_client_pubkey = client_pubkey;
|
||||
|
||||
/* register the packet callbacks */
|
||||
ssh_packet_set_callbacks(session, &ssh_ecdh_client_callbacks);
|
||||
session->dh_handshake_state = DH_STATE_INIT_SENT;
|
||||
|
||||
rc = ssh_packet_send(session);
|
||||
|
||||
return rc;
|
||||
return rc;
|
||||
}
|
||||
|
||||
int ecdh_build_k(ssh_session session) {
|
||||
int ecdh_build_k(ssh_session session)
|
||||
{
|
||||
struct ssh_crypto_struct *next_crypto = session->next_crypto;
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
const EC_GROUP *group = EC_KEY_get0_group(next_crypto->ecdh_privkey);
|
||||
EC_POINT *pubkey;
|
||||
void *buffer;
|
||||
EC_POINT *pubkey = NULL;
|
||||
void *buffer = NULL;
|
||||
int rc;
|
||||
int len = (EC_GROUP_get_degree(group) + 7) / 8;
|
||||
bignum_CTX ctx = bignum_ctx_new();
|
||||
@@ -292,11 +257,13 @@ int ecdh_build_k(ssh_session session) {
|
||||
bignum_bin2bn(buffer, len, &next_crypto->shared_secret);
|
||||
free(buffer);
|
||||
#else
|
||||
const char *curve = NULL;
|
||||
EVP_PKEY *pubkey = NULL;
|
||||
void *secret = NULL;
|
||||
size_t secret_len;
|
||||
int rc;
|
||||
OSSL_PARAM params[2];
|
||||
OSSL_PARAM params[3];
|
||||
ssh_string peer_pubkey = NULL;
|
||||
EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_from_pkey(NULL,
|
||||
next_crypto->ecdh_privkey,
|
||||
NULL);
|
||||
@@ -324,15 +291,18 @@ int ecdh_build_k(ssh_session session) {
|
||||
}
|
||||
|
||||
if (session->server) {
|
||||
params[0] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
|
||||
ssh_string_data(next_crypto->ecdh_client_pubkey),
|
||||
ssh_string_len(next_crypto->ecdh_client_pubkey));
|
||||
peer_pubkey = next_crypto->ecdh_client_pubkey;
|
||||
} else {
|
||||
params[0] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
|
||||
ssh_string_data(next_crypto->ecdh_server_pubkey),
|
||||
ssh_string_len(next_crypto->ecdh_server_pubkey));
|
||||
peer_pubkey = next_crypto->ecdh_server_pubkey;
|
||||
}
|
||||
params[1] = OSSL_PARAM_construct_end();
|
||||
params[0] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
|
||||
ssh_string_data(peer_pubkey),
|
||||
ssh_string_len(peer_pubkey));
|
||||
curve = ecdh_kex_type_to_curve(next_crypto->kex_type);
|
||||
params[1] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
|
||||
(char *)curve,
|
||||
strlen(curve));
|
||||
params[2] = OSSL_PARAM_construct_end();
|
||||
|
||||
rc = EVP_PKEY_fromdata(pubkey_ctx, &pubkey, EVP_PKEY_PUBLIC_KEY, params);
|
||||
if (rc != 1) {
|
||||
@@ -374,11 +344,7 @@ int ecdh_build_k(ssh_session session) {
|
||||
free(secret);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
if (next_crypto->shared_secret == NULL) {
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
EC_KEY_free(next_crypto->ecdh_privkey);
|
||||
#else
|
||||
EVP_PKEY_free(next_crypto->ecdh_privkey);
|
||||
@@ -386,11 +352,7 @@ int ecdh_build_k(ssh_session session) {
|
||||
next_crypto->ecdh_privkey = NULL;
|
||||
return -1;
|
||||
}
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
EC_KEY_free(next_crypto->ecdh_privkey);
|
||||
#else
|
||||
EVP_PKEY_free(next_crypto->ecdh_privkey);
|
||||
@@ -413,29 +375,11 @@ int ecdh_build_k(ssh_session session) {
|
||||
/** @brief Handle a SSH_MSG_KEXDH_INIT packet (server) and send a
|
||||
* SSH_MSG_KEXDH_REPLY
|
||||
*/
|
||||
SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
||||
SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init)
|
||||
{
|
||||
/* ECDH keys */
|
||||
ssh_string q_c_string;
|
||||
ssh_string q_s_string;
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
EC_KEY *ecdh_key;
|
||||
const EC_GROUP *group;
|
||||
const EC_POINT *ecdh_pubkey;
|
||||
bignum_CTX ctx;
|
||||
int curve;
|
||||
int len;
|
||||
#else
|
||||
EVP_PKEY *ecdh_key = NULL;
|
||||
const void *pubkey_ptr = NULL;
|
||||
size_t len;
|
||||
OSSL_PARAM *params = NULL;
|
||||
const OSSL_PARAM *pubkey = NULL;
|
||||
const char *curve = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
ssh_string q_c_string = NULL;
|
||||
ssh_string q_s_string = NULL;
|
||||
/* SSH host keys (rsa,dsa,ecdsa) */
|
||||
ssh_key privkey;
|
||||
enum ssh_digest_e digest = SSH_DIGEST_AUTO;
|
||||
@@ -445,125 +389,22 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
||||
(void)type;
|
||||
(void)user;
|
||||
|
||||
SSH_LOG(SSH_LOG_TRACE, "Processing SSH_MSG_KEXDH_INIT");
|
||||
|
||||
ssh_packet_remove_callbacks(session, &ssh_ecdh_server_callbacks);
|
||||
/* Extract the client pubkey from the init packet */
|
||||
q_c_string = ssh_buffer_get_ssh_string(packet);
|
||||
if (q_c_string == NULL) {
|
||||
ssh_set_error(session,SSH_FATAL, "No Q_C ECC point in packet");
|
||||
ssh_set_error(session, SSH_FATAL, "No Q_C ECC point in packet");
|
||||
goto error;
|
||||
}
|
||||
session->next_crypto->ecdh_client_pubkey = q_c_string;
|
||||
|
||||
curve = ecdh_kex_type_to_curve(session->next_crypto->kex_type);
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
if (curve == SSH_ERROR) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
#else
|
||||
if (curve == NULL) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
ecdh_key = EC_KEY_new_by_curve_name(curve);
|
||||
#else
|
||||
ecdh_key = EVP_EC_gen(curve);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
if (ecdh_key == NULL) {
|
||||
ssh_set_error_oom(session);
|
||||
goto error;
|
||||
}
|
||||
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
/* Build server's keypair */
|
||||
ctx = BN_CTX_new();
|
||||
if (ctx == NULL) {
|
||||
EC_KEY_free(ecdh_key);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
group = EC_KEY_get0_group(ecdh_key);
|
||||
EC_KEY_generate_key(ecdh_key);
|
||||
|
||||
ecdh_pubkey = EC_KEY_get0_public_key(ecdh_key);
|
||||
len = EC_POINT_point2oct(group,
|
||||
ecdh_pubkey,
|
||||
POINT_CONVERSION_UNCOMPRESSED,
|
||||
NULL,
|
||||
0,
|
||||
ctx);
|
||||
#else
|
||||
rc = EVP_PKEY_todata(ecdh_key, EVP_PKEY_PUBLIC_KEY, ¶ms);
|
||||
if (rc != 1) {
|
||||
EVP_PKEY_free(ecdh_key);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
pubkey = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
|
||||
if (pubkey == NULL) {
|
||||
OSSL_PARAM_free(params);
|
||||
EVP_PKEY_free(ecdh_key);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
rc = OSSL_PARAM_get_octet_string_ptr(pubkey, &pubkey_ptr, &len);
|
||||
if (rc != 1) {
|
||||
OSSL_PARAM_free(params);
|
||||
EVP_PKEY_free(ecdh_key);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
q_s_string = ssh_string_new(len);
|
||||
q_s_string = ssh_ecdh_generate(session);
|
||||
if (q_s_string == NULL) {
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
EC_KEY_free(ecdh_key);
|
||||
BN_CTX_free(ctx);
|
||||
#else
|
||||
EVP_PKEY_free(ecdh_key);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
goto error;
|
||||
}
|
||||
|
||||
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
|
||||
* https://github.com/openssl/openssl/pull/16624
|
||||
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
*/
|
||||
#if 1
|
||||
EC_POINT_point2oct(group,
|
||||
ecdh_pubkey,
|
||||
POINT_CONVERSION_UNCOMPRESSED,
|
||||
ssh_string_data(q_s_string),
|
||||
len,
|
||||
ctx);
|
||||
BN_CTX_free(ctx);
|
||||
#else
|
||||
if (memcpy(ssh_string_data(q_s_string), pubkey_ptr, len)) {
|
||||
OSSL_PARAM_free(params);
|
||||
EVP_PKEY_free(ecdh_key);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
OSSL_PARAM_free(params);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
|
||||
session->next_crypto->ecdh_privkey = ecdh_key;
|
||||
session->next_crypto->ecdh_server_pubkey = q_s_string;
|
||||
|
||||
/* build k and session_id */
|
||||
|
||||
Reference in New Issue
Block a user