ecdh-sha2-nistp{256,384,521} kex support (#282)

Adds support for ecdh-sha2-nistp{256,384,521} key exchange algorithms
using the
[elliptic-curve](https://docs.rs/elliptic-curve/latest/elliptic_curve/index.html),
[p256](https://docs.rs/p256/latest/p256/index.html),
[p384](https://docs.rs/p384/latest/p384/), and
[p521](https://docs.rs/p521/latest/p521/) crates.

Intentionally avoids adding these to the preferred Kex list as the
security of these curves is considered controversial. Users would need
to explicitly use the kex via config

Resolves #210

---------

Co-authored-by: Eugene <[email protected]>

russh/Cargo.toml

@@ -27,6 +27,7 @@ chacha20 = "0.9"
 ctr = "0.9"
 curve25519-dalek = "4.1.2"
 digest = { workspace = true }
+elliptic-curve = { version = "0.13", features = ["ecdh"] }
 flate2 = { version = "1.0", optional = true }
 futures = { workspace = true }
 generic-array = "0.14"
@@ -36,8 +37,12 @@ log = { workspace = true }
 num-bigint = { version = "0.4", features = ["rand"] }
 once_cell = "1.13"
 openssl = { workspace = true, optional = true }
+p256 = { version = "0.13", features = ["ecdh"] }
+p384 = { version = "0.13", features = ["ecdh"] }
+p521 = { version = "0.13", features = ["ecdh"] }
 poly1305 = "0.8"
 rand = { workspace = true }
+rand_core = { version = "0.6.4", features = ["getrandom"] }
 russh-cryptovec = { version = "0.7.0", path = "../cryptovec" }
 russh-keys = { version = "0.44.0-beta.1", path = "../russh-keys" }
 sha1 = { workspace = true }

russh/src/kex/ecdh_nistp.rs

@@ -0,0 +1,227 @@
+use byteorder::{BigEndian, ByteOrder};
+use elliptic_curve::ecdh::{EphemeralSecret, SharedSecret};
+use elliptic_curve::point::PointCompression;
+use elliptic_curve::sec1::{FromEncodedPoint, ModulusSize, ToEncodedPoint};
+use elliptic_curve::{AffinePoint, Curve, CurveArithmetic, FieldBytesSize};
+use log::debug;
+use p256::NistP256;
+use p384::NistP384;
+use p521::NistP521;
+use russh_cryptovec::CryptoVec;
+use russh_keys::encoding::Encoding;
+
+use crate::kex::{compute_keys, KexAlgorithm, KexType};
+use crate::mac::{self};
+use crate::session::Exchange;
+use crate::{cipher, msg};
+
+pub struct EcdhNistP256KexType {}
+
+impl KexType for EcdhNistP256KexType {
+ fn make(&self) -> Box<dyn KexAlgorithm + Send> {
+ Box::new(EcdhNistPKex::<NistP256> {
+ local_secret: None,
+ shared_secret: None,
+ }) as Box<dyn KexAlgorithm + Send>
+ }
+}
+
+pub struct EcdhNistP384KexType {}
+
+impl KexType for EcdhNistP384KexType {
+ fn make(&self) -> Box<dyn KexAlgorithm + Send> {
+ Box::new(EcdhNistPKex::<NistP384> {
+ local_secret: None,
+ shared_secret: None,
+ }) as Box<dyn KexAlgorithm + Send>
+ }
+}
+
+pub struct EcdhNistP521KexType {}
+
+impl KexType for EcdhNistP521KexType {
+ fn make(&self) -> Box<dyn KexAlgorithm + Send> {
+ Box::new(EcdhNistPKex::<NistP521> {
+ local_secret: None,
+ shared_secret: None,
+ }) as Box<dyn KexAlgorithm + Send>
+ }
+}
+
+#[doc(hidden)]
+pub struct EcdhNistPKex<C: Curve + CurveArithmetic> {
+ local_secret: Option<EphemeralSecret<C>>,
+ shared_secret: Option<SharedSecret<C>>,
+}
+
+impl<C: Curve + CurveArithmetic> std::fmt::Debug for EcdhNistPKex<C> {
+ fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+ write!(
+ f,
+ "Algorithm {{ local_secret: [hidden], shared_secret: [hidden] }}",
+ )
+ }
+}
+
+impl<C: Curve + CurveArithmetic> KexAlgorithm for EcdhNistPKex<C>
+where
+ C: PointCompression,
+ FieldBytesSize<C>: ModulusSize,
+ AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
+{
+ fn skip_exchange(&self) -> bool {
+ false
+ }
+
+ #[doc(hidden)]
+ fn server_dh(&mut self, exchange: &mut Exchange, payload: &[u8]) -> Result<(), crate::Error> {
+ debug!("server_dh");
+
+ let client_pubkey = {
+ if payload.first() != Some(&msg::KEX_ECDH_INIT) {
+ return Err(crate::Error::Inconsistent);
+ }
+
+ #[allow(clippy::indexing_slicing)] // length checked
+ let pubkey_len = BigEndian::read_u32(&payload[1..]) as usize;
+
+ if payload.len() < 5 + pubkey_len {
+ return Err(crate::Error::Inconsistent);
+ }
+
+ #[allow(clippy::indexing_slicing)] // length checked
+ elliptic_curve::PublicKey::<C>::from_sec1_bytes(&payload[5..(5 + pubkey_len)])
+ .map_err(|_| crate::Error::Inconsistent)?
+ };
+
+ let server_secret =
+ elliptic_curve::ecdh::EphemeralSecret::<C>::random(&mut rand_core::OsRng);
+ let server_pubkey = server_secret.public_key();
+
+ // fill exchange.
+ exchange.server_ephemeral.clear();
+ exchange
+ .server_ephemeral
+ .extend(&server_pubkey.to_sec1_bytes());
+ let shared = server_secret.diffie_hellman(&client_pubkey);
+ self.shared_secret = Some(shared);
+ Ok(())
+ }
+
+ #[doc(hidden)]
+ fn client_dh(
+ &mut self,
+ client_ephemeral: &mut CryptoVec,
+ buf: &mut CryptoVec,
+ ) -> Result<(), crate::Error> {
+ let client_secret =
+ elliptic_curve::ecdh::EphemeralSecret::<C>::random(&mut rand_core::OsRng);
+ let client_pubkey = client_secret.public_key();
+
+ // fill exchange.
+ client_ephemeral.clear();
+ client_ephemeral.extend(&client_pubkey.to_sec1_bytes());
+
+ buf.push(msg::KEX_ECDH_INIT);
+ buf.extend_ssh_string(&client_pubkey.to_sec1_bytes());
+
+ self.local_secret = Some(client_secret);
+ Ok(())
+ }
+
+ fn compute_shared_secret(&mut self, remote_pubkey_: &[u8]) -> Result<(), crate::Error> {
+ let local_secret = self.local_secret.take().ok_or(crate::Error::KexInit)?;
+ let pubkey = elliptic_curve::PublicKey::<C>::from_sec1_bytes(remote_pubkey_)
+ .map_err(|_| crate::Error::KexInit)?;
+ self.shared_secret = Some(local_secret.diffie_hellman(&pubkey));
+ Ok(())
+ }
+
+ fn compute_exchange_hash(
+ &self,
+ key: &CryptoVec,
+ exchange: &Exchange,
+ buffer: &mut CryptoVec,
+ ) -> Result<CryptoVec, crate::Error> {
+ // Computing the exchange hash, see page 7 of RFC 5656.
+ buffer.clear();
+ buffer.extend_ssh_string(&exchange.client_id);
+ buffer.extend_ssh_string(&exchange.server_id);
+ buffer.extend_ssh_string(&exchange.client_kex_init);
+ buffer.extend_ssh_string(&exchange.server_kex_init);
+
+ buffer.extend(key);
+ buffer.extend_ssh_string(&exchange.client_ephemeral);
+ buffer.extend_ssh_string(&exchange.server_ephemeral);
+
+ if let Some(ref shared) = self.shared_secret {
+ buffer.extend_ssh_mpint(shared.raw_secret_bytes());
+ }
+
+ use sha2::Digest;
+ let mut hasher = sha2::Sha256::new();
+ hasher.update(&buffer);
+
+ let mut res = CryptoVec::new();
+ res.extend(hasher.finalize().as_slice());
+ Ok(res)
+ }
+
+ fn compute_keys(
+ &self,
+ session_id: &CryptoVec,
+ exchange_hash: &CryptoVec,
+ cipher: cipher::Name,
+ remote_to_local_mac: mac::Name,
+ local_to_remote_mac: mac::Name,
+ is_server: bool,
+ ) -> Result<crate::kex::cipher::CipherPair, crate::Error> {
+ compute_keys::<sha2::Sha256>(
+ self.shared_secret
+ .as_ref()
+ .map(|x| x.raw_secret_bytes() as &[u8]),
+ session_id,
+ exchange_hash,
+ cipher,
+ remote_to_local_mac,
+ local_to_remote_mac,
+ is_server,
+ )
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn test_shared_secret() {
+ let mut party1 = EcdhNistPKex::<NistP256> {
+ local_secret: Some(EphemeralSecret::<NistP256>::random(&mut rand_core::OsRng)),
+ shared_secret: None,
+ };
+ let p1_pubkey = party1.local_secret.as_ref().unwrap().public_key();
+
+ let mut party2 = EcdhNistPKex::<NistP256> {
+ local_secret: Some(EphemeralSecret::<NistP256>::random(&mut rand_core::OsRng)),
+ shared_secret: None,
+ };
+ let p2_pubkey = party2.local_secret.as_ref().unwrap().public_key();
+
+ party1
+ .compute_shared_secret(&p2_pubkey.to_sec1_bytes())
+ .unwrap();
+
+ party2
+ .compute_shared_secret(&p1_pubkey.to_sec1_bytes())
+ .unwrap();
+
+ let p1_shared_secret = party1.shared_secret.unwrap();
+ let p2_shared_secret = party2.shared_secret.unwrap();
+
+ assert_eq!(
+ p1_shared_secret.raw_secret_bytes(),
+ p2_shared_secret.raw_secret_bytes()
+ )
+ }
+}

russh/src/kex/mod.rs

@@ -17,6 +17,7 @@
 //! This module exports kex algorithm names for use with [Preferred].
 mod curve25519;
 mod dh;
+mod ecdh_nistp;
 mod none;
 use std::cell::RefCell;
 use std::collections::HashMap;
@@ -27,6 +28,7 @@ use dh::{
  DhGroup14Sha1KexType, DhGroup14Sha256KexType, DhGroup16Sha512KexType, DhGroup1Sha1KexType,
 };
 use digest::Digest;
+use ecdh_nistp::{EcdhNistP256KexType, EcdhNistP384KexType, EcdhNistP521KexType};
 use once_cell::sync::Lazy;
 use russh_cryptovec::CryptoVec;
 use russh_keys::encoding::Encoding;
@@ -97,6 +99,12 @@ pub const DH_G14_SHA1: Name = Name("diffie-hellman-group14-sha1");
 pub const DH_G14_SHA256: Name = Name("diffie-hellman-group14-sha256");
 /// `diffie-hellman-group16-sha512`
 pub const DH_G16_SHA512: Name = Name("diffie-hellman-group16-sha512");
+/// `ecdh-sha2-nistp256`
+pub const ECDH_SHA2_NISTP256: Name = Name("ecdh-sha2-nistp256");
+/// `ecdh-sha2-nistp384`
+pub const ECDH_SHA2_NISTP384: Name = Name("ecdh-sha2-nistp384");
+/// `ecdh-sha2-nistp521`
+pub const ECDH_SHA2_NISTP521: Name = Name("ecdh-sha2-nistp521");
 /// `none`
 pub const NONE: Name = Name("none");
 /// `ext-info-c`
@@ -113,6 +121,9 @@ const _DH_G1_SHA1: DhGroup1Sha1KexType = DhGroup1Sha1KexType {};
 const _DH_G14_SHA1: DhGroup14Sha1KexType = DhGroup14Sha1KexType {};
 const _DH_G14_SHA256: DhGroup14Sha256KexType = DhGroup14Sha256KexType {};
 const _DH_G16_SHA512: DhGroup16Sha512KexType = DhGroup16Sha512KexType {};
+const _ECDH_SHA2_NISTP256: EcdhNistP256KexType = EcdhNistP256KexType {};
+const _ECDH_SHA2_NISTP384: EcdhNistP384KexType = EcdhNistP384KexType {};
+const _ECDH_SHA2_NISTP521: EcdhNistP521KexType = EcdhNistP521KexType {};
 const _NONE: none::NoneKexType = none::NoneKexType {};
 
 pub(crate) static KEXES: Lazy<HashMap<&'static Name, &(dyn KexType + Send + Sync)>> =
@@ -124,6 +135,9 @@ pub(crate) static KEXES: Lazy<HashMap<&'static Name, &(dyn KexType + Send + Sync
  h.insert(&DH_G14_SHA256, &_DH_G14_SHA256);
  h.insert(&DH_G14_SHA1, &_DH_G14_SHA1);
  h.insert(&DH_G1_SHA1, &_DH_G1_SHA1);
+ h.insert(&ECDH_SHA2_NISTP256, &_ECDH_SHA2_NISTP256);
+ h.insert(&ECDH_SHA2_NISTP384, &_ECDH_SHA2_NISTP384);
+ h.insert(&ECDH_SHA2_NISTP521, &_ECDH_SHA2_NISTP521);
  h.insert(&NONE, &_NONE);
  h
  });