/src/libssh/src/sntrup761.c
Line | Count | Source |
1 | | /* |
2 | | * sntrup761.c - SNTRUP761x25519 ECDH functions for key exchange |
3 | | * sntrup761x25519-sha512@openssh.com - based on curve25519.c. |
4 | | * |
5 | | * This file is part of the SSH Library |
6 | | * |
7 | | * Copyright (c) 2013 by Aris Adamantiadis <aris@badcode.be> |
8 | | * Copyright (c) 2023 Simon Josefsson <simon@josefsson.org> |
9 | | * Copyright (c) 2025 Jakub Jelen <jjelen@redhat.com> |
10 | | * |
11 | | * The SSH Library is free software; you can redistribute it and/or modify |
12 | | * it under the terms of the GNU Lesser General Public License as published by |
13 | | * the Free Software Foundation, version 2.1 of the License. |
14 | | * |
15 | | * The SSH Library is distributed in the hope that it will be useful, but |
16 | | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
17 | | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public |
18 | | * License for more details. |
19 | | * |
20 | | * You should have received a copy of the GNU Lesser General Public License |
21 | | * along with the SSH Library; see the file COPYING. If not, write to |
22 | | * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, |
23 | | * MA 02111-1307, USA. |
24 | | */ |
25 | | |
26 | | #include "config.h" |
27 | | |
28 | | #include "libssh/sntrup761.h" |
29 | | #ifdef HAVE_SNTRUP761 |
30 | | |
31 | | #include "libssh/buffer.h" |
32 | | #include "libssh/crypto.h" |
33 | | #include "libssh/dh.h" |
34 | | #include "libssh/pki.h" |
35 | | #include "libssh/priv.h" |
36 | | #include "libssh/session.h" |
37 | | #include "libssh/ssh2.h" |
38 | | |
39 | | #ifndef HAVE_LIBGCRYPT |
40 | | static void crypto_random(void *ctx, size_t length, uint8_t *dst) |
41 | 0 | { |
42 | 0 | int *err = ctx; |
43 | 0 | *err = ssh_get_random(dst, length, 1); |
44 | 0 | } |
45 | | #endif /* HAVE_LIBGCRYPT */ |
46 | | |
47 | | static SSH_PACKET_CALLBACK(ssh_packet_client_sntrup761x25519_reply); |
48 | | |
49 | | static ssh_packet_callback dh_client_callbacks[] = { |
50 | | ssh_packet_client_sntrup761x25519_reply, |
51 | | }; |
52 | | |
53 | | static struct ssh_packet_callbacks_struct ssh_sntrup761x25519_client_callbacks = |
54 | | { |
55 | | .start = SSH2_MSG_KEX_ECDH_REPLY, |
56 | | .n_callbacks = 1, |
57 | | .callbacks = dh_client_callbacks, |
58 | | .user = NULL, |
59 | | }; |
60 | | |
61 | | static int ssh_sntrup761x25519_init(ssh_session session) |
62 | 0 | { |
63 | 0 | int rc; |
64 | |
|
65 | 0 | rc = ssh_curve25519_init(session); |
66 | 0 | if (rc != SSH_OK) { |
67 | 0 | return rc; |
68 | 0 | } |
69 | | |
70 | 0 | if (!session->server) { |
71 | | #ifdef HAVE_LIBGCRYPT |
72 | | gcry_error_t err; |
73 | | |
74 | | err = gcry_kem_keypair(GCRY_KEM_SNTRUP761, |
75 | | session->next_crypto->sntrup761_client_pubkey, |
76 | | SNTRUP761_PUBLICKEY_SIZE, |
77 | | session->next_crypto->sntrup761_privkey, |
78 | | SNTRUP761_SECRETKEY_SIZE); |
79 | | if (err) { |
80 | | SSH_LOG(SSH_LOG_TRACE, |
81 | | "Failed to generate sntrup761 key: %s", |
82 | | gpg_strerror(err)); |
83 | | return SSH_ERROR; |
84 | | } |
85 | | #else |
86 | 0 | sntrup761_keypair(session->next_crypto->sntrup761_client_pubkey, |
87 | 0 | session->next_crypto->sntrup761_privkey, |
88 | 0 | &rc, |
89 | 0 | crypto_random); |
90 | 0 | if (rc != 1) { |
91 | 0 | SSH_LOG(SSH_LOG_TRACE, |
92 | 0 | "Failed to generate sntrup761 key: PRNG failure"); |
93 | 0 | return SSH_ERROR; |
94 | 0 | } |
95 | 0 | #endif /* HAVE_LIBGCRYPT */ |
96 | 0 | } |
97 | | |
98 | 0 | return SSH_OK; |
99 | 0 | } |
100 | | |
101 | | /** @internal |
102 | | * @brief Starts sntrup761x25519-sha512@openssh.com key exchange |
103 | | */ |
104 | | int ssh_client_sntrup761x25519_init(ssh_session session) |
105 | 0 | { |
106 | 0 | int rc; |
107 | |
|
108 | 0 | rc = ssh_sntrup761x25519_init(session); |
109 | 0 | if (rc != SSH_OK) { |
110 | 0 | return rc; |
111 | 0 | } |
112 | | |
113 | 0 | rc = ssh_buffer_pack(session->out_buffer, |
114 | 0 | "bdPP", |
115 | 0 | SSH2_MSG_KEX_ECDH_INIT, |
116 | 0 | CURVE25519_PUBKEY_SIZE + SNTRUP761_PUBLICKEY_SIZE, |
117 | 0 | (size_t)SNTRUP761_PUBLICKEY_SIZE, |
118 | 0 | session->next_crypto->sntrup761_client_pubkey, |
119 | 0 | (size_t)CURVE25519_PUBKEY_SIZE, |
120 | 0 | session->next_crypto->curve25519_client_pubkey); |
121 | 0 | if (rc != SSH_OK) { |
122 | 0 | ssh_set_error_oom(session); |
123 | 0 | return SSH_ERROR; |
124 | 0 | } |
125 | | |
126 | | /* register the packet callbacks */ |
127 | 0 | ssh_packet_set_callbacks(session, &ssh_sntrup761x25519_client_callbacks); |
128 | 0 | session->dh_handshake_state = DH_STATE_INIT_SENT; |
129 | 0 | rc = ssh_packet_send(session); |
130 | |
|
131 | 0 | return rc; |
132 | 0 | } |
133 | | |
134 | | void ssh_client_sntrup761x25519_remove_callbacks(ssh_session session) |
135 | 0 | { |
136 | 0 | ssh_packet_remove_callbacks(session, &ssh_sntrup761x25519_client_callbacks); |
137 | 0 | } |
138 | | |
139 | | static int ssh_sntrup761x25519_build_k(ssh_session session) |
140 | 0 | { |
141 | 0 | unsigned char ssk[SNTRUP761_SIZE + CURVE25519_PUBKEY_SIZE]; |
142 | 0 | unsigned char *k = ssk + SNTRUP761_SIZE; |
143 | 0 | void *shared_secret_data = NULL; |
144 | 0 | int rc; |
145 | |
|
146 | 0 | rc = ssh_curve25519_create_k(session, k); |
147 | 0 | if (rc != SSH_OK) { |
148 | 0 | goto cleanup; |
149 | 0 | } |
150 | | |
151 | | #ifdef DEBUG_CRYPTO |
152 | | ssh_log_hexdump("Curve25519 shared secret", k, CURVE25519_PUBKEY_SIZE); |
153 | | #endif |
154 | | |
155 | | #ifdef HAVE_LIBGCRYPT |
156 | | if (session->server) { |
157 | | gcry_error_t err; |
158 | | err = gcry_kem_encap(GCRY_KEM_SNTRUP761, |
159 | | session->next_crypto->sntrup761_client_pubkey, |
160 | | SNTRUP761_PUBLICKEY_SIZE, |
161 | | session->next_crypto->sntrup761_ciphertext, |
162 | | SNTRUP761_CIPHERTEXT_SIZE, |
163 | | ssk, |
164 | | SNTRUP761_SIZE, |
165 | | NULL, |
166 | | 0); |
167 | | if (err) { |
168 | | SSH_LOG(SSH_LOG_TRACE, |
169 | | "Failed to encapsulate sntrup761 shared secret: %s", |
170 | | gpg_strerror(err)); |
171 | | rc = SSH_ERROR; |
172 | | goto cleanup; |
173 | | } |
174 | | } else { |
175 | | gcry_error_t err; |
176 | | err = gcry_kem_decap(GCRY_KEM_SNTRUP761, |
177 | | session->next_crypto->sntrup761_privkey, |
178 | | SNTRUP761_SECRETKEY_SIZE, |
179 | | session->next_crypto->sntrup761_ciphertext, |
180 | | SNTRUP761_CIPHERTEXT_SIZE, |
181 | | ssk, |
182 | | SNTRUP761_SIZE, |
183 | | NULL, |
184 | | 0); |
185 | | if (err) { |
186 | | SSH_LOG(SSH_LOG_TRACE, |
187 | | "Failed to decapsulate sntrup761 shared secret: %s", |
188 | | gpg_strerror(err)); |
189 | | rc = SSH_ERROR; |
190 | | goto cleanup; |
191 | | } |
192 | | } |
193 | | #else |
194 | 0 | if (session->server) { |
195 | 0 | sntrup761_enc(session->next_crypto->sntrup761_ciphertext, |
196 | 0 | ssk, |
197 | 0 | session->next_crypto->sntrup761_client_pubkey, |
198 | 0 | &rc, |
199 | 0 | crypto_random); |
200 | 0 | if (rc != 1) { |
201 | 0 | rc = SSH_ERROR; |
202 | 0 | goto cleanup; |
203 | 0 | } |
204 | 0 | } else { |
205 | 0 | sntrup761_dec(ssk, |
206 | 0 | session->next_crypto->sntrup761_ciphertext, |
207 | 0 | session->next_crypto->sntrup761_privkey); |
208 | 0 | } |
209 | 0 | #endif /* HAVE_LIBGCRYPT */ |
210 | | |
211 | | #ifdef DEBUG_CRYPTO |
212 | | ssh_log_hexdump("server cipher text", |
213 | | session->next_crypto->sntrup761_ciphertext, |
214 | | SNTRUP761_CIPHERTEXT_SIZE); |
215 | | ssh_log_hexdump("kem key", ssk, SNTRUP761_SIZE); |
216 | | #endif |
217 | | |
218 | 0 | ssh_string_burn(session->next_crypto->hybrid_shared_secret); |
219 | 0 | ssh_string_free(session->next_crypto->hybrid_shared_secret); |
220 | 0 | session->next_crypto->hybrid_shared_secret = |
221 | 0 | ssh_string_new(SHA512_DIGEST_LEN); |
222 | 0 | if (session->next_crypto->hybrid_shared_secret == NULL) { |
223 | 0 | ssh_set_error_oom(session); |
224 | 0 | rc = SSH_ERROR; |
225 | 0 | goto cleanup; |
226 | 0 | } |
227 | 0 | shared_secret_data = |
228 | 0 | ssh_string_data(session->next_crypto->hybrid_shared_secret); |
229 | |
|
230 | 0 | sha512(ssk, sizeof ssk, shared_secret_data); |
231 | |
|
232 | | #ifdef DEBUG_CRYPTO |
233 | | ssh_log_hexdump("Shared secret key", shared_secret_data, SHA512_DIGEST_LEN); |
234 | | #endif |
235 | |
|
236 | 0 | return 0; |
237 | 0 | cleanup: |
238 | 0 | ssh_burn(ssk, sizeof ssk); |
239 | |
|
240 | 0 | return rc; |
241 | 0 | } |
242 | | |
243 | | /** @internal |
244 | | * @brief parses a SSH_MSG_KEX_ECDH_REPLY packet and sends back |
245 | | * a SSH_MSG_NEWKEYS |
246 | | */ |
247 | | static SSH_PACKET_CALLBACK(ssh_packet_client_sntrup761x25519_reply) |
248 | 0 | { |
249 | 0 | ssh_string q_s_string = NULL; |
250 | 0 | ssh_string pubkey_blob = NULL; |
251 | 0 | ssh_string signature = NULL; |
252 | 0 | int rc; |
253 | 0 | (void)type; |
254 | 0 | (void)user; |
255 | |
|
256 | 0 | ssh_client_sntrup761x25519_remove_callbacks(session); |
257 | |
|
258 | 0 | pubkey_blob = ssh_buffer_get_ssh_string(packet); |
259 | 0 | if (pubkey_blob == NULL) { |
260 | 0 | ssh_set_error(session, SSH_FATAL, "No public key in packet"); |
261 | 0 | goto error; |
262 | 0 | } |
263 | | |
264 | 0 | rc = ssh_dh_import_next_pubkey_blob(session, pubkey_blob); |
265 | 0 | SSH_STRING_FREE(pubkey_blob); |
266 | 0 | if (rc != 0) { |
267 | 0 | ssh_set_error(session, SSH_FATAL, "Failed to import next public key"); |
268 | 0 | goto error; |
269 | 0 | } |
270 | | |
271 | 0 | q_s_string = ssh_buffer_get_ssh_string(packet); |
272 | 0 | if (q_s_string == NULL) { |
273 | 0 | ssh_set_error(session, SSH_FATAL, "No sntrup761x25519 Q_S in packet"); |
274 | 0 | goto error; |
275 | 0 | } |
276 | 0 | if (ssh_string_len(q_s_string) != (SNTRUP761_CIPHERTEXT_SIZE + CURVE25519_PUBKEY_SIZE)) { |
277 | 0 | ssh_set_error(session, |
278 | 0 | SSH_FATAL, |
279 | 0 | "Incorrect size for server sntrup761x25519 ciphertext+key: %d", |
280 | 0 | (int)ssh_string_len(q_s_string)); |
281 | 0 | SSH_STRING_FREE(q_s_string); |
282 | 0 | goto error; |
283 | 0 | } |
284 | 0 | memcpy(session->next_crypto->sntrup761_ciphertext, |
285 | 0 | ssh_string_data(q_s_string), |
286 | 0 | SNTRUP761_CIPHERTEXT_SIZE); |
287 | 0 | memcpy(session->next_crypto->curve25519_server_pubkey, |
288 | 0 | (char *)ssh_string_data(q_s_string) + SNTRUP761_CIPHERTEXT_SIZE, |
289 | 0 | CURVE25519_PUBKEY_SIZE); |
290 | 0 | SSH_STRING_FREE(q_s_string); |
291 | |
|
292 | 0 | signature = ssh_buffer_get_ssh_string(packet); |
293 | 0 | if (signature == NULL) { |
294 | 0 | ssh_set_error(session, SSH_FATAL, "No signature in packet"); |
295 | 0 | goto error; |
296 | 0 | } |
297 | 0 | session->next_crypto->dh_server_signature = signature; |
298 | 0 | signature = NULL; /* ownership changed */ |
299 | | /* TODO: verify signature now instead of waiting for NEWKEYS */ |
300 | 0 | if (ssh_sntrup761x25519_build_k(session) < 0) { |
301 | 0 | ssh_set_error(session, SSH_FATAL, "Cannot build k number"); |
302 | 0 | goto error; |
303 | 0 | } |
304 | | |
305 | | /* Send the MSG_NEWKEYS */ |
306 | 0 | if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) { |
307 | 0 | goto error; |
308 | 0 | } |
309 | | |
310 | 0 | rc = ssh_packet_send(session); |
311 | 0 | if (rc == SSH_ERROR) { |
312 | 0 | goto error; |
313 | 0 | } |
314 | | |
315 | 0 | SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent"); |
316 | 0 | session->dh_handshake_state = DH_STATE_NEWKEYS_SENT; |
317 | |
|
318 | 0 | return SSH_PACKET_USED; |
319 | | |
320 | 0 | error: |
321 | 0 | session->session_state = SSH_SESSION_STATE_ERROR; |
322 | 0 | return SSH_PACKET_USED; |
323 | 0 | } |
324 | | |
325 | | #ifdef WITH_SERVER |
326 | | |
327 | | static SSH_PACKET_CALLBACK(ssh_packet_server_sntrup761x25519_init); |
328 | | |
329 | | static ssh_packet_callback dh_server_callbacks[] = { |
330 | | ssh_packet_server_sntrup761x25519_init, |
331 | | }; |
332 | | |
333 | | static struct ssh_packet_callbacks_struct ssh_sntrup761x25519_server_callbacks = |
334 | | { |
335 | | .start = SSH2_MSG_KEX_ECDH_INIT, |
336 | | .n_callbacks = 1, |
337 | | .callbacks = dh_server_callbacks, |
338 | | .user = NULL, |
339 | | }; |
340 | | |
341 | | /** @internal |
342 | | * @brief sets up the sntrup761x25519-sha512@openssh.com kex callbacks |
343 | | */ |
344 | | void ssh_server_sntrup761x25519_init(ssh_session session) |
345 | 0 | { |
346 | | /* register the packet callbacks */ |
347 | 0 | ssh_packet_set_callbacks(session, &ssh_sntrup761x25519_server_callbacks); |
348 | 0 | } |
349 | | |
350 | | /** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a |
351 | | * SSH_MSG_KEXDH_REPLY |
352 | | */ |
353 | | static SSH_PACKET_CALLBACK(ssh_packet_server_sntrup761x25519_init) |
354 | 0 | { |
355 | | /* ECDH/SNTRUP761 keys */ |
356 | 0 | ssh_string q_c_string = NULL; |
357 | 0 | ssh_string q_s_string = NULL; |
358 | 0 | ssh_string server_pubkey_blob = NULL; |
359 | | |
360 | | /* SSH host keys (rsa, ed25519 and ecdsa) */ |
361 | 0 | ssh_key privkey = NULL; |
362 | 0 | enum ssh_digest_e digest = SSH_DIGEST_AUTO; |
363 | 0 | ssh_string sig_blob = NULL; |
364 | 0 | int rc; |
365 | 0 | (void)type; |
366 | 0 | (void)user; |
367 | |
|
368 | 0 | ssh_packet_remove_callbacks(session, &ssh_sntrup761x25519_server_callbacks); |
369 | | |
370 | | /* Extract the client pubkey from the init packet */ |
371 | 0 | q_c_string = ssh_buffer_get_ssh_string(packet); |
372 | 0 | if (q_c_string == NULL) { |
373 | 0 | ssh_set_error(session, SSH_FATAL, "No sntrup761x25519 Q_C in packet"); |
374 | 0 | goto error; |
375 | 0 | } |
376 | 0 | if (ssh_string_len(q_c_string) != (SNTRUP761_PUBLICKEY_SIZE + CURVE25519_PUBKEY_SIZE)) { |
377 | 0 | ssh_set_error(session, |
378 | 0 | SSH_FATAL, |
379 | 0 | "Incorrect size for server sntrup761x25519 public key: %zu", |
380 | 0 | ssh_string_len(q_c_string)); |
381 | 0 | goto error; |
382 | 0 | } |
383 | | |
384 | 0 | memcpy(session->next_crypto->sntrup761_client_pubkey, |
385 | 0 | ssh_string_data(q_c_string), |
386 | 0 | SNTRUP761_PUBLICKEY_SIZE); |
387 | 0 | memcpy(session->next_crypto->curve25519_client_pubkey, |
388 | 0 | ((char *)ssh_string_data(q_c_string)) + SNTRUP761_PUBLICKEY_SIZE, |
389 | 0 | CURVE25519_PUBKEY_SIZE); |
390 | 0 | SSH_STRING_FREE(q_c_string); |
391 | |
|
392 | | #ifdef DEBUG_CRYPTO |
393 | | ssh_log_hexdump("client public key sntrup761", |
394 | | session->next_crypto->sntrup761_client_pubkey, |
395 | | SNTRUP761_PUBLICKEY_SIZE); |
396 | | ssh_log_hexdump("client public key c25519", |
397 | | session->next_crypto->curve25519_client_pubkey, |
398 | | CURVE25519_PUBKEY_SIZE); |
399 | | #endif |
400 | | |
401 | | /* Build server's key pair */ |
402 | 0 | rc = ssh_sntrup761x25519_init(session); |
403 | 0 | if (rc != SSH_OK) { |
404 | 0 | ssh_set_error(session, SSH_FATAL, "Failed to generate sntrup761 keys"); |
405 | 0 | goto error; |
406 | 0 | } |
407 | | |
408 | 0 | rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_REPLY); |
409 | 0 | if (rc < 0) { |
410 | 0 | ssh_set_error_oom(session); |
411 | 0 | goto error; |
412 | 0 | } |
413 | | |
414 | | /* build k and session_id */ |
415 | 0 | rc = ssh_sntrup761x25519_build_k(session); |
416 | 0 | if (rc < 0) { |
417 | 0 | ssh_set_error(session, SSH_FATAL, "Cannot build k number"); |
418 | 0 | goto error; |
419 | 0 | } |
420 | | |
421 | | /* privkey is not allocated */ |
422 | 0 | rc = ssh_get_key_params(session, &privkey, &digest); |
423 | 0 | if (rc == SSH_ERROR) { |
424 | 0 | goto error; |
425 | 0 | } |
426 | | |
427 | 0 | rc = ssh_make_sessionid(session); |
428 | 0 | if (rc != SSH_OK) { |
429 | 0 | ssh_set_error(session, SSH_FATAL, "Could not create a session id"); |
430 | 0 | goto error; |
431 | 0 | } |
432 | | |
433 | 0 | rc = ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob); |
434 | 0 | if (rc != 0) { |
435 | 0 | ssh_set_error(session, SSH_FATAL, "Could not export server public key"); |
436 | 0 | goto error; |
437 | 0 | } |
438 | | |
439 | | /* add host's public key */ |
440 | 0 | rc = ssh_buffer_add_ssh_string(session->out_buffer, server_pubkey_blob); |
441 | 0 | SSH_STRING_FREE(server_pubkey_blob); |
442 | 0 | if (rc < 0) { |
443 | 0 | ssh_set_error_oom(session); |
444 | 0 | goto error; |
445 | 0 | } |
446 | | |
447 | | /* add ecdh public key */ |
448 | 0 | rc = ssh_buffer_add_u32(session->out_buffer, |
449 | 0 | ntohl(SNTRUP761_CIPHERTEXT_SIZE |
450 | 0 | + CURVE25519_PUBKEY_SIZE)); |
451 | 0 | if (rc < 0) { |
452 | 0 | ssh_set_error_oom(session); |
453 | 0 | goto error; |
454 | 0 | } |
455 | | |
456 | 0 | rc = ssh_buffer_add_data(session->out_buffer, |
457 | 0 | session->next_crypto->sntrup761_ciphertext, |
458 | 0 | SNTRUP761_CIPHERTEXT_SIZE); |
459 | 0 | if (rc < 0) { |
460 | 0 | ssh_set_error_oom(session); |
461 | 0 | goto error; |
462 | 0 | } |
463 | | |
464 | 0 | rc = ssh_buffer_add_data(session->out_buffer, |
465 | 0 | session->next_crypto->curve25519_server_pubkey, |
466 | 0 | CURVE25519_PUBKEY_SIZE); |
467 | 0 | if (rc < 0) { |
468 | 0 | ssh_set_error_oom(session); |
469 | 0 | goto error; |
470 | 0 | } |
471 | | |
472 | | #ifdef DEBUG_CRYPTO |
473 | | ssh_log_hexdump("server public key c25519", |
474 | | session->next_crypto->curve25519_server_pubkey, |
475 | | CURVE25519_PUBKEY_SIZE); |
476 | | #endif |
477 | | |
478 | | /* add signature blob */ |
479 | 0 | sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey, digest); |
480 | 0 | if (sig_blob == NULL) { |
481 | 0 | ssh_set_error(session, SSH_FATAL, "Could not sign the session id"); |
482 | 0 | goto error; |
483 | 0 | } |
484 | | |
485 | 0 | rc = ssh_buffer_add_ssh_string(session->out_buffer, sig_blob); |
486 | 0 | SSH_STRING_FREE(sig_blob); |
487 | 0 | if (rc < 0) { |
488 | 0 | ssh_set_error_oom(session); |
489 | 0 | goto error; |
490 | 0 | } |
491 | | |
492 | | #ifdef DEBUG_CRYPTO |
493 | | ssh_log_hexdump("ECDH_REPLY:", |
494 | | ssh_buffer_get(session->out_buffer), |
495 | | ssh_buffer_get_len(session->out_buffer)); |
496 | | #endif |
497 | | |
498 | 0 | SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_KEX_ECDH_REPLY sent"); |
499 | 0 | rc = ssh_packet_send(session); |
500 | 0 | if (rc == SSH_ERROR) { |
501 | 0 | return SSH_ERROR; |
502 | 0 | } |
503 | | |
504 | | /* Send the MSG_NEWKEYS */ |
505 | 0 | rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS); |
506 | 0 | if (rc < 0) { |
507 | 0 | goto error; |
508 | 0 | } |
509 | | |
510 | 0 | session->dh_handshake_state = DH_STATE_NEWKEYS_SENT; |
511 | 0 | rc = ssh_packet_send(session); |
512 | 0 | if (rc == SSH_ERROR) { |
513 | 0 | goto error; |
514 | 0 | } |
515 | 0 | SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent"); |
516 | |
|
517 | 0 | return SSH_PACKET_USED; |
518 | 0 | error: |
519 | 0 | SSH_STRING_FREE(q_c_string); |
520 | 0 | SSH_STRING_FREE(q_s_string); |
521 | 0 | ssh_buffer_reinit(session->out_buffer); |
522 | 0 | session->session_state = SSH_SESSION_STATE_ERROR; |
523 | 0 | return SSH_PACKET_USED; |
524 | 0 | } |
525 | | |
526 | | #endif /* WITH_SERVER */ |
527 | | |
528 | | #endif /* HAVE_SNTRUP761 */ |