gssapi: Add support for ECDH GSSAPI KEX

In particular, gss-nistp256-sha256-* and gss-curve25519-sha256-*. Signed-off-by: Pavol Žáčik <pzacik@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-04 12:20:42 +09:00 · 2025-11-25 11:52:48 +01:00
parent 5fed1bc8be
commit 88c2ea6752
16 changed files with 467 additions and 323 deletions
--- a/include/libssh/crypto.h
+++ b/include/libssh/crypto.h
@@ -99,6 +99,10 @@ enum ssh_key_exchange_e {
    SSH_GSS_KEX_DH_GROUP14_SHA256,
    /* gss-group16-sha512-* */
    SSH_GSS_KEX_DH_GROUP16_SHA512,
+    /* gss-nistp256-sha256-* */
+    SSH_GSS_KEX_ECDH_NISTP256_SHA256,
+    /* gss-curve25519-sha256-* */
+    SSH_GSS_KEX_CURVE25519_SHA256,
 };

 enum ssh_cipher_e {
--- a/include/libssh/gssapi.h
+++ b/include/libssh/gssapi.h
@@ -29,7 +29,10 @@
 /* all OID begin with the tag identifier + length */
 #define SSH_OID_TAG 06

-#define GSSAPI_KEY_EXCHANGE_SUPPORTED "gss-group14-sha256-,gss-group16-sha512-,"
+#define GSSAPI_KEY_EXCHANGE_SUPPORTED "gss-group14-sha256-," \
+                                      "gss-group16-sha512-," \
+                                      "gss-nistp256-sha256-," \
+                                      "gss-curve25519-sha256-"

 typedef struct ssh_gssapi_struct *ssh_gssapi;

--- a/include/libssh/kex-gss.h
+++ b/include/libssh/kex-gss.h
@@ -1,5 +1,5 @@
 /*
- * dh-gss.h - diffie-hellman GSSAPI key exchange
+ * kex-gss.h - GSSAPI key exchange
 *
 * This file is part of the SSH Library
 *
@@ -20,17 +20,17 @@
 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */
-#ifndef DH_GSS_H_
-#define DH_GSS_H_
+#ifndef KEX_GSS_H_
+#define KEX_GSS_H_

 #include "config.h"
 #ifdef WITH_GSSAPI

-int ssh_client_gss_dh_init(ssh_session session);
-void ssh_server_gss_dh_init(ssh_session session);
-int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet);
-void ssh_client_gss_dh_remove_callbacks(ssh_session session);
-void ssh_client_gss_dh_remove_callback_hostkey(ssh_session session);
+int ssh_client_gss_kex_init(ssh_session session);
+void ssh_server_gss_kex_init(ssh_session session);
+int ssh_server_gss_kex_process_init(ssh_session session, ssh_buffer packet);
+void ssh_client_gss_kex_remove_callbacks(ssh_session session);
+void ssh_client_gss_kex_remove_callback_hostkey(ssh_session session);

 #endif /* WITH_GSSAPI */
-#endif /* DH_GSS_H_ */
+#endif /* KEX_GSS_H_ */