Refactor ecdh_kex into an organised vtable.

This is already slightly nice because it lets me separate the
Weierstrass and Montgomery code more completely, without having to
have a vtable tucked into dh->extra. But more to the point, it will
allow completely different kex methods to fit into the same framework
later.

To that end, I've moved more of the descriptive message generation
into the vtable, and also provided the constructor with a flag that
will let it do different things in client and server.

Also, following on from a previous commit, I've arranged that the new
API returns arbitrary binary data for the exchange hash, rather than
an mp_int. An upcoming implementation of this interface will want to
return an encoded string instead of an encoded mp_int.

test/cryptsuite.py

@@ -1772,13 +1772,13 @@ class crypt(MyTestBase):
         ]
 
         with random_prng("doesn't matter"):
-            ecdh25519 = ssh_ecdhkex_newkey('curve25519')
-            ecdh448 = ssh_ecdhkex_newkey('curve448')
+            ecdh25519 = ecdh_key_new('curve25519', False)
+            ecdh448 = ecdh_key_new('curve448', False)
         for pub in bad_keys_25519:
-            key = ssh_ecdhkex_getkey(ecdh25519, unhex(pub))
+            key = ecdh_key_getkey(ecdh25519, unhex(pub))
             self.assertEqual(key, None)
         for pub in bad_keys_448:
-            key = ssh_ecdhkex_getkey(ecdh448, unhex(pub))
+            key = ecdh_key_getkey(ecdh448, unhex(pub))
             self.assertEqual(key, None)
 
     def testPRNG(self):
@@ -3107,9 +3107,9 @@ class standard_test_vectors(MyTestBase):
 
         for method, priv, pub, expected in rfc7748s5_2:
             with queued_specific_random_data(unhex(priv)):
-                ecdh = ssh_ecdhkex_newkey(method)
-            key = ssh_ecdhkex_getkey(ecdh, unhex(pub))
-            self.assertEqual(int(key), expected)
+                ecdh = ecdh_key_new(method, False)
+            key = ecdh_key_getkey(ecdh, unhex(pub))
+            self.assertEqual(key, ssh2_mpint(expected))
 
         # Bidirectional tests, consisting of the input random number
         # strings for both parties, and the expected public values and
@@ -3131,15 +3131,15 @@ class standard_test_vectors(MyTestBase):
 
         for method, apriv, apub, bpriv, bpub, expected in rfc7748s6:
             with queued_specific_random_data(unhex(apriv)):
-                alice = ssh_ecdhkex_newkey(method)
+                alice = ecdh_key_new(method, False)
             with queued_specific_random_data(unhex(bpriv)):
-                bob = ssh_ecdhkex_newkey(method)
-            self.assertEqualBin(ssh_ecdhkex_getpublic(alice), unhex(apub))
-            self.assertEqualBin(ssh_ecdhkex_getpublic(bob), unhex(bpub))
-            akey = ssh_ecdhkex_getkey(alice, unhex(bpub))
-            bkey = ssh_ecdhkex_getkey(bob, unhex(apub))
-            self.assertEqual(int(akey), expected)
-            self.assertEqual(int(bkey), expected)
+                bob = ecdh_key_new(method, False)
+            self.assertEqualBin(ecdh_key_getpublic(alice), unhex(apub))
+            self.assertEqualBin(ecdh_key_getpublic(bob), unhex(bpub))
+            akey = ecdh_key_getkey(alice, unhex(bpub))
+            bkey = ecdh_key_getkey(bob, unhex(apub))
+            self.assertEqual(akey, ssh2_mpint(expected))
+            self.assertEqual(bkey, ssh2_mpint(expected))
 
     def testCRC32(self):
         self.assertEqual(crc32_rfc1662("123456789"), 0xCBF43926)

test/testcrypt-func.h

@@ -346,11 +346,11 @@ FUNC(val_mpint, dh_find_K, ARG(val_dh, ctx), ARG(val_mpint, f))
 /*
  * Elliptic-curve Diffie-Hellman.
  */
-FUNC(val_ecdh, ssh_ecdhkex_newkey, ARG(ecdh_alg, alg))
-FUNC(void, ssh_ecdhkex_getpublic, ARG(val_ecdh, key),
+FUNC(val_ecdh, ecdh_key_new, ARG(ecdh_alg, alg), ARG(boolean, is_server))
+FUNC(void, ecdh_key_getpublic, ARG(val_ecdh, key),
      ARG(out_val_string_binarysink, pub))
-FUNC(opt_val_mpint, ssh_ecdhkex_getkey, ARG(val_ecdh, key),
-     ARG(val_string_ptrlen, pub))
+FUNC_WRAPPED(opt_val_string, ecdh_key_getkey, ARG(val_ecdh, key),
+             ARG(val_string_ptrlen, pub))
 
 /*
  * RSA key exchange, and also the BinarySource get function

test/testcrypt.c

@@ -87,7 +87,7 @@ uint64_t prng_reseed_time_ms(void)
     X(cipher, ssh_cipher *, ssh_cipher_free(v))                         \
     X(mac, ssh2_mac *, ssh2_mac_free(v))                                \
     X(dh, dh_ctx *, dh_cleanup(v))                                      \
-    X(ecdh, ecdh_key *, ssh_ecdhkex_freekey(v))                         \
+    X(ecdh, ecdh_key *, ecdh_key_free(v))                               \
     X(rsakex, RSAKey *, ssh_rsakex_freekey(v))                          \
     X(rsa, RSAKey *, rsa_free(v))                                       \
     X(prng, prng *, prng_free(v))                                       \
@@ -787,6 +787,18 @@ static RSAKey *rsa_new(void)
     return rsa;
 }
 
+strbuf *ecdh_key_getkey_wrapper(ecdh_key *ek, ptrlen remoteKey)
+{
+    /* Fold the boolean return value in C into the string return value
+     * for this purpose, by returning NULL on failure */
+    strbuf *sb = strbuf_new();
+    if (!ecdh_key_getkey(ek, remoteKey, BinarySink_UPCAST(sb))) {
+        strbuf_free(sb);
+        return NULL;
+    }
+    return sb;
+}
+
 strbuf *rsa_ssh1_encrypt_wrapper(ptrlen input, RSAKey *key)
 {
     /* Fold the boolean return value in C into the string return value