Implement Curve25519 (x25519) key exchange

2 files changed, 104 insertions, 0 deletions

diff --git a/paramiko/kex_curve25519.py b/paramiko/kex_curve25519.py
new file mode 100644
index 00000000..190a8600
--- /dev/null
+++ b/paramiko/kex_curve25519.py
@@ -0,0 +1,101 @@
+import binascii
+import hashlib
+
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric.x25519 import (
+    X25519PrivateKey, X25519PublicKey
+)
+
+from paramiko.message import Message
+from paramiko.py3compat import byte_chr, long
+
+
+_MSG_KEXECDH_INIT, _MSG_KEXECDH_REPLY = range(30, 32)
+c_MSG_KEXECDH_INIT, c_MSG_KEXECDH_REPLY = [byte_chr(c) for c in range(30, 32)]
+
+class KexCurve25519(object):
+    def __init__(self, transport):
+        self.transport = transport
+
+    def start_kex(self):
+        self.key = X25519PrivateKey.generate()
+        if self.transport.server_mode:
+            self.transport._expect_packet(_MSG_KEXECDH_INIT)
+            return
+
+        m = Message()
+        m.add_byte(c_MSG_KEXECDH_INIT)
+        m.add_string(self.key.public_key().public_bytes(
+            serialization.Encoding.Raw, serialization.PublicFormat.Raw
+        ))
+        self.transport._send_message(m)
+        self.transport._expect_packet(_MSG_KEXECDH_REPLY)
+
+    def parse_next(self, ptype, m):
+        if self.transport.server_mode and (ptype == _MSG_KEXECDH_INIT):
+            return self._parse_kexecdh_init(m)
+        elif not self.transport.server_mode and (ptype == _MSG_KEXECDH_REPLY):
+            return self._parse_kexecdh_reply(m)
+        raise SSHException(
+            "KexCurve25519 asked to handle packet type {:d}".format(ptype)
+        )
+
+    def _parse_kexecdh_init(self, m):
+        peer_key_bytes = m.get_string()
+        peer_key = X25519PublicKey.from_public_bytes(peer_key_bytes)
+        K = self.key.exchange(peer_key)
+        K = long(binascii.hexlify(K), 16)
+        # compute exchange hash
+        hm = Message()
+        hm.add(
+            self.transport.remote_version,
+            self.transport.local_version,
+            self.transport.remote_kex_init,
+            self.transport.local_kex_init,
+        )
+        server_key_bytes = self.transport.get_server_key().asbytes()
+        exchange_key_bytes = self.key.public_key().public_bytes(
+            serialization.Encoding.Raw, serialization.PublicFormat.Raw,
+        )
+        hm.add_string(server_key_bytes)
+        hm.add_string(peer_key_bytes)
+        hm.add_string(exchange_key_bytes)
+        hm.add_mpint(K)
+        H = hashlib.sha256(hm.asbytes()).digest()
+        self.transport._set_K_H(K, H)
+        sig = self.transport.get_server_key().sign_ssh_data(H)
+        # construct reply
+        m = Message()
+        m.add_byte(c_MSG_KEXECDH_REPLY)
+        m.add_string(server_key_bytes)
+        m.add_string(exchange_key_bytes)
+        m.add_string(sig)
+        self.transport._send_message(m)
+        self.transport._activate_outbound()
+
+    def _parse_kexecdh_reply(self, m):
+        peer_host_key_bytes = m.get_string()
+        peer_key_bytes = m.get_string()
+        sig = m.get_binary()
+
+        peer_key = X25519PublicKey.from_public_bytes(peer_key_bytes)
+
+        K = self.key.exchange(peer_key)
+        K = long(binascii.hexlify(K), 16)
+        # compute exchange hash and verify signature
+        hm = Message()
+        hm.add(
+            self.transport.local_version,
+            self.transport.remote_version,
+            self.transport.local_kex_init,
+            self.transport.remote_kex_init,
+        )
+        hm.add_string(peer_host_key_bytes)
+        hm.add_string(self.key.public_key().public_bytes(
+            serialization.Encoding.Raw, serialization.PublicFormat.Raw
+        ))
+        hm.add_string(peer_key_bytes)
+        hm.add_mpint(K)
+        self.transport._set_K_H(K, hashlib.sha256(hm.asbytes()).digest())
+        self.transport._verify_key(peer_host_key_bytes, sig)
+        self.transport._activate_outbound()
diff --git a/paramiko/transport.py b/paramiko/transport.py
index f72eebaf..785da060 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -88,6 +88,7 @@ from paramiko.common import (
 from paramiko.compress import ZlibCompressor, ZlibDecompressor
 from paramiko.dsskey import DSSKey
 from paramiko.ed25519key import Ed25519Key
+from paramiko.kex_curve25519 import KexCurve25519
 from paramiko.kex_gex import KexGex, KexGexSHA256
 from paramiko.kex_group1 import KexGroup1
 from paramiko.kex_group14 import KexGroup14
@@ -170,6 +171,7 @@ class Transport(threading.Thread, ClosingContextManager):
         "ssh-dss",
     )
     _preferred_kex = (
+        "curve25519-sha256@libssh.org",
         "ecdh-sha2-nistp256",
         "ecdh-sha2-nistp384",
         "ecdh-sha2-nistp521",
@@ -271,6 +273,7 @@ class Transport(threading.Thread, ClosingContextManager):
         "ecdh-sha2-nistp256": KexNistp256,
         "ecdh-sha2-nistp384": KexNistp384,
         "ecdh-sha2-nistp521": KexNistp521,
+        "curve25519-sha256@libssh.org": KexCurve25519,
     }
 
     _compression_info = {