From 159b55f2fc7e61e1beebc904eec41a066c41508b Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Wed, 27 Jun 2018 13:44:07 +0200
Subject: ssh: Fix non-conforming key generation in kex for x25519 and x448

That is, curve25519-sha256, curve25519-sha256@libssh.org and curve448-sha512
---
 lib/ssh/src/ssh_message.erl   |  8 ++++----
 lib/ssh/src/ssh_transport.erl | 12 ++++++++++--
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/lib/ssh/src/ssh_message.erl b/lib/ssh/src/ssh_message.erl
index 55c0548c9b..da4027a763 100644
--- a/lib/ssh/src/ssh_message.erl
+++ b/lib/ssh/src/ssh_message.erl
@@ -289,12 +289,12 @@ encode(#ssh_msg_kex_dh_gex_reply{
     <<?Ebyte(?SSH_MSG_KEX_DH_GEX_REPLY), ?Ebinary(EncKey), ?Empint(F), ?Ebinary(EncSign)>>;
 
 encode(#ssh_msg_kex_ecdh_init{q_c = Q_c}) ->
-    <<?Ebyte(?SSH_MSG_KEX_ECDH_INIT), ?Empint(Q_c)>>;
+    <<?Ebyte(?SSH_MSG_KEX_ECDH_INIT), ?Ebinary(Q_c)>>;
 
 encode(#ssh_msg_kex_ecdh_reply{public_host_key = {Key,SigAlg}, q_s = Q_s, h_sig = Sign}) ->
     EncKey = public_key:ssh_encode(Key, ssh2_pubkey),
     EncSign = encode_signature(Key, SigAlg, Sign),
-    <<?Ebyte(?SSH_MSG_KEX_ECDH_REPLY), ?Ebinary(EncKey), ?Empint(Q_s), ?Ebinary(EncSign)>>;
+    <<?Ebyte(?SSH_MSG_KEX_ECDH_REPLY), ?Ebinary(EncKey), ?Ebinary(Q_s), ?Ebinary(EncSign)>>;
 
 encode(#ssh_msg_ignore{data = Data}) ->
     <<?Ebyte(?SSH_MSG_IGNORE), ?Estring_utf8(Data)>>;
@@ -504,13 +504,13 @@ decode(<<?BYTE(?SSH_MSG_KEX_DH_GEX_REPLY), ?DEC_BIN(Key,__0), ?DEC_MPINT(F,__1),
        h_sig = decode_signature(Hashsign)
       };
 
-decode(<<"ecdh",?BYTE(?SSH_MSG_KEX_ECDH_INIT), ?DEC_MPINT(Q_c,__0)>>) ->
+decode(<<"ecdh",?BYTE(?SSH_MSG_KEX_ECDH_INIT), ?DEC_BIN(Q_c,__0)>>) ->
     #ssh_msg_kex_ecdh_init{
        q_c = Q_c
       };
 
 decode(<<"ecdh",?BYTE(?SSH_MSG_KEX_ECDH_REPLY),
-	 ?DEC_BIN(Key,__1), ?DEC_MPINT(Q_s,__2), ?DEC_BIN(Sig,__3)>>) ->
+	 ?DEC_BIN(Key,__1), ?DEC_BIN(Q_s,__2), ?DEC_BIN(Sig,__3)>>) ->
     #ssh_msg_kex_ecdh_reply{
        public_host_key = public_key:ssh_decode(Key, ssh2_pubkey),
        q_s = Q_s,
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index 4bef5e2cbb..9aebf4cb3c 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -1808,6 +1808,7 @@ hash(K, H, Ki, N, HashAlg) ->
 kex_hash(SSH, Key, HashAlg, Args) ->
     crypto:hash(HashAlg, kex_plaintext(SSH,Key,Args)).
 
+
 kex_plaintext(SSH, Key, Args) ->
     EncodedKey = public_key:ssh_encode(Key, ssh2_pubkey),
     <<?Estring(SSH#ssh.c_version), ?Estring(SSH#ssh.s_version),
@@ -1815,8 +1816,13 @@ kex_plaintext(SSH, Key, Args) ->
       ?Ebinary(EncodedKey),
       (kex_alg_dependent(Args))/binary>>.
 
+
+kex_alg_dependent({Q_c, Q_s, K}) when is_binary(Q_c), is_binary(Q_s) ->
+    %% ecdh
+    <<?Ebinary(Q_c), ?Ebinary(Q_s), ?Empint(K)>>;
+
 kex_alg_dependent({E, F, K}) ->
-    %% diffie-hellman and ec diffie-hellman (with E = Q_c, F = Q_s)
+    %% diffie-hellman
     <<?Empint(E), ?Empint(F), ?Empint(K)>>;
 
 kex_alg_dependent({-1, NBits, -1, Prime, Gen, E, F, K}) ->
@@ -1933,11 +1939,13 @@ parallell_gen_key(Ssh = #ssh{keyex_key = {x, {G, P}},
     Ssh#ssh{keyex_key = {{Private, Public}, {G, P}}}.
 
 
+generate_key(ecdh = Algorithm, Args) ->
+    crypto:generate_key(Algorithm, Args);
 generate_key(Algorithm, Args) ->
     {Public,Private} = crypto:generate_key(Algorithm, Args),
     {crypto:bytes_to_integer(Public), crypto:bytes_to_integer(Private)}.
 
-      
+
 compute_key(Algorithm, OthersPublic, MyPrivate, Args) ->
     Shared = crypto:compute_key(Algorithm, OthersPublic, MyPrivate, Args),
     crypto:bytes_to_integer(Shared).
-- 
cgit v1.2.3