1 /* $NetBSD: kexsntrup761x25519.c,v 1.4 2024/09/24 21:32:18 christos Exp $ */ 2 /* $OpenBSD: kexsntrup761x25519.c,v 1.3 2024/09/15 02:20:51 djm Exp $ */ 3 4 /* 5 * Copyright (c) 2019 Markus Friedl. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include "includes.h" 29 __RCSID("$NetBSD: kexsntrup761x25519.c,v 1.4 2024/09/24 21:32:18 christos Exp $"); 30 31 #include <sys/types.h> 32 33 #include <stdio.h> 34 #include <string.h> 35 #include <signal.h> 36 37 #include "sshkey.h" 38 #include "kex.h" 39 #include "sshbuf.h" 40 #include "digest.h" 41 #include "ssherr.h" 42 43 volatile crypto_int16 crypto_int16_optblocker = 0; 44 volatile crypto_int32 crypto_int32_optblocker = 0; 45 volatile crypto_int64 crypto_int64_optblocker = 0; 46 47 int 48 kex_kem_sntrup761x25519_keypair(struct kex *kex) 49 { 50 struct sshbuf *buf = NULL; 51 u_char *cp = NULL; 52 size_t need; 53 int r; 54 55 if ((buf = sshbuf_new()) == NULL) 56 return SSH_ERR_ALLOC_FAIL; 57 need = crypto_kem_sntrup761_PUBLICKEYBYTES + CURVE25519_SIZE; 58 if ((r = sshbuf_reserve(buf, need, &cp)) != 0) 59 goto out; 60 crypto_kem_sntrup761_keypair(cp, kex->sntrup761_client_key); 61 #ifdef DEBUG_KEXECDH 62 dump_digest("client public key sntrup761:", cp, 63 crypto_kem_sntrup761_PUBLICKEYBYTES); 64 #endif 65 cp += crypto_kem_sntrup761_PUBLICKEYBYTES; 66 kexc25519_keygen(kex->c25519_client_key, cp); 67 #ifdef DEBUG_KEXECDH 68 dump_digest("client public key c25519:", cp, CURVE25519_SIZE); 69 #endif 70 kex->client_pub = buf; 71 buf = NULL; 72 out: 73 sshbuf_free(buf); 74 return r; 75 } 76 77 int 78 kex_kem_sntrup761x25519_enc(struct kex *kex, 79 const struct sshbuf *client_blob, struct sshbuf **server_blobp, 80 struct sshbuf **shared_secretp) 81 { 82 struct sshbuf *server_blob = NULL; 83 struct sshbuf *buf = NULL; 84 const u_char *client_pub; 85 u_char *kem_key, *ciphertext, *server_pub; 86 u_char server_key[CURVE25519_SIZE]; 87 u_char hash[SSH_DIGEST_MAX_LENGTH]; 88 size_t need; 89 int r; 90 91 *server_blobp = NULL; 92 *shared_secretp = NULL; 93 94 /* client_blob contains both KEM and ECDH client pubkeys */ 95 need = crypto_kem_sntrup761_PUBLICKEYBYTES + CURVE25519_SIZE; 96 if (sshbuf_len(client_blob) != need) { 97 r = SSH_ERR_SIGNATURE_INVALID; 98 goto out; 99 } 100 client_pub = sshbuf_ptr(client_blob); 101 #ifdef DEBUG_KEXECDH 102 dump_digest("client public key sntrup761:", client_pub, 103 crypto_kem_sntrup761_PUBLICKEYBYTES); 104 dump_digest("client public key 25519:", 105 client_pub + crypto_kem_sntrup761_PUBLICKEYBYTES, 106 CURVE25519_SIZE); 107 #endif 108 /* allocate buffer for concatenation of KEM key and ECDH shared key */ 109 /* the buffer will be hashed and the result is the shared secret */ 110 if ((buf = sshbuf_new()) == NULL) { 111 r = SSH_ERR_ALLOC_FAIL; 112 goto out; 113 } 114 if ((r = sshbuf_reserve(buf, crypto_kem_sntrup761_BYTES, 115 &kem_key)) != 0) 116 goto out; 117 /* allocate space for encrypted KEM key and ECDH pub key */ 118 if ((server_blob = sshbuf_new()) == NULL) { 119 r = SSH_ERR_ALLOC_FAIL; 120 goto out; 121 } 122 need = crypto_kem_sntrup761_CIPHERTEXTBYTES + CURVE25519_SIZE; 123 if ((r = sshbuf_reserve(server_blob, need, &ciphertext)) != 0) 124 goto out; 125 /* generate and encrypt KEM key with client key */ 126 crypto_kem_sntrup761_enc(ciphertext, kem_key, client_pub); 127 /* generate ECDH key pair, store server pubkey after ciphertext */ 128 server_pub = ciphertext + crypto_kem_sntrup761_CIPHERTEXTBYTES; 129 kexc25519_keygen(server_key, server_pub); 130 /* append ECDH shared key */ 131 client_pub += crypto_kem_sntrup761_PUBLICKEYBYTES; 132 if ((r = kexc25519_shared_key_ext(server_key, client_pub, buf, 1)) < 0) 133 goto out; 134 if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0) 135 goto out; 136 #ifdef DEBUG_KEXECDH 137 dump_digest("server public key 25519:", server_pub, CURVE25519_SIZE); 138 dump_digest("server cipher text:", ciphertext, 139 crypto_kem_sntrup761_CIPHERTEXTBYTES); 140 dump_digest("server kem key:", kem_key, crypto_kem_sntrup761_BYTES); 141 dump_digest("concatenation of KEM key and ECDH shared key:", 142 sshbuf_ptr(buf), sshbuf_len(buf)); 143 #endif 144 /* string-encoded hash is resulting shared secret */ 145 sshbuf_reset(buf); 146 if ((r = sshbuf_put_string(buf, hash, 147 ssh_digest_bytes(kex->hash_alg))) != 0) 148 goto out; 149 #ifdef DEBUG_KEXECDH 150 dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf)); 151 #endif 152 *server_blobp = server_blob; 153 *shared_secretp = buf; 154 server_blob = NULL; 155 buf = NULL; 156 out: 157 explicit_bzero(hash, sizeof(hash)); 158 explicit_bzero(server_key, sizeof(server_key)); 159 sshbuf_free(server_blob); 160 sshbuf_free(buf); 161 return r; 162 } 163 164 int 165 kex_kem_sntrup761x25519_dec(struct kex *kex, 166 const struct sshbuf *server_blob, struct sshbuf **shared_secretp) 167 { 168 struct sshbuf *buf = NULL; 169 u_char *kem_key = NULL; 170 const u_char *ciphertext, *server_pub; 171 u_char hash[SSH_DIGEST_MAX_LENGTH]; 172 size_t need; 173 int r, decoded; 174 175 *shared_secretp = NULL; 176 177 need = crypto_kem_sntrup761_CIPHERTEXTBYTES + CURVE25519_SIZE; 178 if (sshbuf_len(server_blob) != need) { 179 r = SSH_ERR_SIGNATURE_INVALID; 180 goto out; 181 } 182 ciphertext = sshbuf_ptr(server_blob); 183 server_pub = ciphertext + crypto_kem_sntrup761_CIPHERTEXTBYTES; 184 #ifdef DEBUG_KEXECDH 185 dump_digest("server cipher text:", ciphertext, 186 crypto_kem_sntrup761_CIPHERTEXTBYTES); 187 dump_digest("server public key c25519:", server_pub, CURVE25519_SIZE); 188 #endif 189 /* hash concatenation of KEM key and ECDH shared key */ 190 if ((buf = sshbuf_new()) == NULL) { 191 r = SSH_ERR_ALLOC_FAIL; 192 goto out; 193 } 194 if ((r = sshbuf_reserve(buf, crypto_kem_sntrup761_BYTES, 195 &kem_key)) != 0) 196 goto out; 197 decoded = crypto_kem_sntrup761_dec(kem_key, ciphertext, 198 kex->sntrup761_client_key); 199 if ((r = kexc25519_shared_key_ext(kex->c25519_client_key, server_pub, 200 buf, 1)) < 0) 201 goto out; 202 if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0) 203 goto out; 204 #ifdef DEBUG_KEXECDH 205 dump_digest("client kem key:", kem_key, crypto_kem_sntrup761_BYTES); 206 dump_digest("concatenation of KEM key and ECDH shared key:", 207 sshbuf_ptr(buf), sshbuf_len(buf)); 208 #endif 209 sshbuf_reset(buf); 210 if ((r = sshbuf_put_string(buf, hash, 211 ssh_digest_bytes(kex->hash_alg))) != 0) 212 goto out; 213 #ifdef DEBUG_KEXECDH 214 dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf)); 215 #endif 216 if (decoded != 0) { 217 r = SSH_ERR_SIGNATURE_INVALID; 218 goto out; 219 } 220 *shared_secretp = buf; 221 buf = NULL; 222 out: 223 explicit_bzero(hash, sizeof(hash)); 224 sshbuf_free(buf); 225 return r; 226 } 227
Indexes created Thu Jun 11 00:25:07 UTC 2026