Subject: Re: [PATCH] Added Windows Cryptography API: Next Generation backend

Re: [PATCH] Added Windows Cryptography API: Next Generation backend

From: Marc Hoersken <info_at_marc-hoersken.de>
Date: Sat, 1 Jun 2013 10:11:35 +0200

Hello again,

in order to assist you with reviewing this patch I am attaching a
temporary patch that allows the compilation of WinCNG using Visual
Studio project files. Please note that this part is not merge-ready
and the Win32 makefiles will need some work in order to support
different crypto backends. I would appreciate any help on this regard.

If you want to compile the new backend by using autotools on MinGW and
msys, you have to do the following from within an msys shell:

  ./buildconf
  ./configure --with-wincng
  make

Best regards,
Marc

2013/5/31 Marc Hoersken <info_at_marc-hoersken.de>:
> Hello everyone,
>
> during the last month I was working on getting a new Windows crypto
> backend ready for libssh2. Just like I promised nearly a year ago [1].
>
> I first started out to make it work based upon the classic Windows
> CryptoAPI, but I had to find a way to do one specific big number
> operation on Windows: Modular exponentiation [2]. Unfortunately there
> is no native big number support on Windows and no way to do modular
> exponentiation without external dependencies, like math libraries.
> That would have hindered my goal of making libssh2 run on Windows
> without any new dependencies.
>
> I figured that the RSA algorithm itself is based upon this operation,
> so I thought: why not use RSA encryption [3] in order to do it? That
> was the key idea to the whole implementation. I turned the arguments
> to the modular exponentiation into a public key by passing the
> exponent as public exponent and the modulus as public modulus. After
> that I only had to "encrypt" the base and the encrypted data would
> have represented the result of the exponentiation.
>
> After bypassing all kind of problems related to padding and endianness
> between the different API calls and structures it finally started to
> work for some big number operations. Unfortunately there was still one
> problem with the classic CryptoAPI: it only supported public exponents
> up to a length of 4 bytes, because it represents the public exponent
> of an RSA key as a DWORD [4].
>
> So I decided to scrap the code that I developed based upon the
> CryptoAPI and started taking a look into the new Windows Cryptography
> API: Next Generation which was introduced in Windows Vista and Windows
> Server 2008. This new API seems to be much cleaner and extensible as
> the old API. It also supports variable length key components like the
> public exponent of an RSA key.
>
> I went on to migrate most of the code to the new API and got the big
> number operations as well as RSA based authentication working without
> any third party dependency. After I got those two important aspects
> working I set out to add support for most of the ciphers and DSA based
> authentication.
>
> As of today my implementation which is referred to as "WinCNG"
> supports the following features:
> - Cryptophic functionality:
> - RSA authentication
> - DSA authentication
> - MD5 hash algorithm with HMAC support
> - SHA1 hash algorithm with HMAC support
> - AES CBC 128, 192 and 256 bit block cipher
> - RC4 128 bit stream cipher
> - 3DES 192 bit block cipher
> - Generic functionality:
> - Loading private key from file (currently plain-text only)
> - Extracting public key from private key file (currently plain-text only)
> - Overwrite memory allocated within the backend with random data (optional)
>
> Attached you will find a patch with a single commit which contains the
> first release candidate.
>
> The patch was compiled with MinGW and tested on Windows 7 SP1. The
> backend requires at least Windows Vista or Windows Server 2008.
> Windows XP or Windows Server 2003 are not supported.
>
> MinGW: In order to compile libssh2 after applying the patch, you will
> need to extract an updated bcrypt library to your MinGW installation.
> Those public domain files are taken from the updated mingw-w64 project
> and attached within bcrypt.tar.gz.
>
> There are still some features on my roadmap, but I would like to
> implement those in a generic way in order to also support them with
> libgcrypt (and future backends):
> - Loading encrypted private key from file with support for the
> following ciphers:
> - AES-128-CBC (by using existing cipher implementation)
> - AES-192-CBC (by using existing cipher implementation)
> - AES-256-CBC (by using existing cipher implementation)
> - DES-CBC
> - DES-EDE3-CBC (by using existing cipher implementation)
>
> Before I continue my work on generic functionality I would like to get
> the new backend merged into libssh2. It especially needs testing on
> different Windows versions and with different Windows compilers, e.g.
> Visual Studio. Right now I have only adapted the files used by
> autotools.
>
> I welcome your feedback and ask you to review this patch. Have fun and
> thanks in advance!
>
> Best regards,
> Marc
>
> [1] http://daniel.haxx.se/blog/2012/06/12/schannel-support-in-libcurl/
> [2] http://en.wikipedia.org/wiki/Modular_exponentiation
> [3] http://en.wikipedia.org/wiki/RSA_(algorithm)#Encryption
> [4] http://msdn.microsoft.com/library/windows/desktop/aa387685.aspx

_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

Received on 2013-06-01