Subject: RE: [PATCH] Added Windows Cryptography API: Next Generation backend

From: Bob Kast <>
Date: Fri, 14 Mar 2014 14:26:01 -0400

Okay, I'm new to this and I didn't realize you had already done all the

I checked out the latest and applied your patches and got Visual Studio 2013
to work with it (notice .sln/.vcxproj files). I have 2 platforms (x64 and
x86), and 4 configurations (LIB Debug, LIB Release, DLL Debug, DLL Release).
I fixed the warnings for x86 compiles. There are lots more on x64 (the main
reason: on WIN64 size_t is a 64-bit type) and I didn't deal with them yet.

In any case, I got them all to compile and link and I thought I was home
free but when I tested it for doing an SFTP Get file, the password
authorization fails. I stepped through it and it seems to format a request
packet correctly and waits for a response, and the response contains
SSH_MSG_USERAUTH_FAILURE as the first byte.

Not sure where to go from here. I did check out the latest version. Should I
check out some more stable version?

I attached my patches.

A couple of notes:

_LIBSSH2_SESSION::scpRecv_mode (long) is assigned to struct stat::st_mode
(unsigned short).
Are they supposed to be the same type?

In _libssh2_wincng_bignum_set_word() the local variable "bits" was never
initialized. I assume it is supposed to be initialized to 0.


-----Original Message-----
From: libssh2-devel [] On Behalf Of
Marc Hoersken
Sent: Thursday, March 13, 2014 4:40 PM
To: libssh2 development
Subject: Re: [PATCH] Added Windows Cryptography API: Next Generation backend

On 13.03.2014 15:18, Bob Kast wrote:
> Going through openssl.h to see what needed to be done, the hashes were
> pretty simple except that LIBSSH2_HMAC_RIPEMD is not supported by WinCNG.

Yes, that is true. There is currently no direct way to implement RIPEMD
using the CryptoAPI or WinCNG.

> Supporting encryption/signing was less clear to me.

RSA and DSA as well as AES, RC4 and 3DES are supported by WinCNG.

> The following are also not supported by WinCNG:

Yes, that is correct as well.

> Modes WinCNG supports for AES:
> - ECB
> - CBC
> - CFB
> - CCM
> - GCM

AES-CTR could probably be implemented on top of ECB, just like it's done if
OpenSSL was built without it.

> Not sure what _libssh2_bn would map to.

I found a way to use RSA encryption in order to implement the required math
functions (e.g. modular exponentiation) by using it with big numbers stored
as byte arrays.
This is also the reason why I had to use WinCNG instead of CryptoAPI, since
the latter one is limited to a 4-byte exponent.
Please see my original mail for a longer explanation:

> My purpose for using libssh2 is to implement SFTP. What does WinCNG
> need to provide in order for SFTP to be fully implemented?

I tested my implementation against an OpenSSH and Bitvise SSH Server using
the implemented algorithms and everything worked fine.
It seems like all required functionality is implemented.


Received on 2014-03-14
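
The thread's remark that AES-CTR can be layered on an ECB primitive, shown as an added example that is not part of the thread and is not libssh2 code. The names `ecb_fn`, `demo_ecb`, `ctr_increment` and `ctr_crypt` are hypothetical, and `demo_ecb` is a constructed stand-in (not a cipher) for the spot where a backend would call its AES-ECB single-block encrypt.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 16 /* AES block size in bytes */

/* Hypothetical hook: encrypt one 16-byte block in ECB mode with the backend. */
typedef void (*ecb_fn)(const void *key, const uint8_t in[BLK], uint8_t out[BLK]);

/* Constructed stand-in so this runs anywhere. NOT a cipher: it only makes the
 * keystream depend on key and counter. A real backend calls AES-ECB here. */
static void demo_ecb(const void *key, const uint8_t in[BLK], uint8_t out[BLK])
{
    const uint8_t *k = key;
    for (int i = 0; i < BLK; i++)
        out[i] = (uint8_t)((in[i] ^ k[i]) * 167u + in[(i + 1) % BLK]);
}

/* Big-endian increment of the 128-bit counter block, with carry. */
static void ctr_increment(uint8_t ctr[BLK])
{
    for (int i = BLK - 1; i >= 0 && ++ctr[i] == 0; i--)
        ;
}

/* CTR: keystream block = ECB(counter), output = input XOR keystream.
 * The same call encrypts and decrypts; ctr advances once per block used. */
static void ctr_crypt(ecb_fn ecb, const void *key, uint8_t ctr[BLK],
                      const uint8_t *in, uint8_t *out, size_t len)
{
    uint8_t ks[BLK];
    while (len > 0) {
        size_t n = len < BLK ? len : BLK; /* final block may be partial */
        ecb(key, ctr, ks);
        for (size_t i = 0; i < n; i++)
            out[i] = in[i] ^ ks[i];
        ctr_increment(ctr);
        in += n; out += n; len -= n;
    }
}

int main(void)
{
    uint8_t key[BLK] = "constructed key", ctr[BLK] = {0}, buf[] = "hello";
    ctr_crypt(demo_ecb, key, ctr, buf, buf, 5); /* in-place use is fine */
    printf("%02x%02x%02x%02x%02x\n", buf[0], buf[1], buf[2], buf[3], buf[4]);
    return 0;
}
```

Only the ECB encrypt direction is needed for both encryption and decryption, and a counter block must never be reused under the same key.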