/src/hpn-ssh/kexmlkem768x25519.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: kexmlkem768x25519.c,v 1.2 2024/10/27 02:06:59 djm Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2023 Markus Friedl. All rights reserved. |
4 | | * |
5 | | * Redistribution and use in source and binary forms, with or without |
6 | | * modification, are permitted provided that the following conditions |
7 | | * are met: |
8 | | * 1. Redistributions of source code must retain the above copyright |
9 | | * notice, this list of conditions and the following disclaimer. |
10 | | * 2. Redistributions in binary form must reproduce the above copyright |
11 | | * notice, this list of conditions and the following disclaimer in the |
12 | | * documentation and/or other materials provided with the distribution. |
13 | | * |
14 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
15 | | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
16 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
17 | | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
18 | | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
19 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
20 | | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
21 | | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
22 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
23 | | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 | | */ |
25 | | |
26 | | #include "includes.h" |
27 | | |
28 | | #include <sys/types.h> |
29 | | |
30 | | #include <stdio.h> |
31 | | #ifdef HAVE_STDINT_H |
32 | | #include <stdint.h> |
33 | | #endif |
34 | | #include <stdbool.h> |
35 | | #include <string.h> |
36 | | #include <signal.h> |
37 | | #ifdef HAVE_ENDIAN_H |
38 | | # include <endian.h> |
39 | | #endif |
40 | | |
41 | | #include "sshkey.h" |
42 | | #include "kex.h" |
43 | | #include "sshbuf.h" |
44 | | #include "digest.h" |
45 | | #include "ssherr.h" |
46 | | #include "log.h" |
47 | | |
48 | | #ifdef USE_MLKEM768X25519 |
49 | | |
50 | | #include "libcrux_mlkem768_sha3.h" |
51 | | |
52 | | int |
53 | | kex_kem_mlkem768x25519_keypair(struct kex *kex) |
54 | 0 | { |
55 | 0 | struct sshbuf *buf = NULL; |
56 | 0 | u_char rnd[LIBCRUX_ML_KEM_KEY_PAIR_PRNG_LEN], *cp = NULL; |
57 | 0 | size_t need; |
58 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
59 | 0 | struct libcrux_mlkem768_keypair keypair; |
60 | |
|
61 | 0 | if ((buf = sshbuf_new()) == NULL) |
62 | 0 | return SSH_ERR_ALLOC_FAIL; |
63 | 0 | need = crypto_kem_mlkem768_PUBLICKEYBYTES + CURVE25519_SIZE; |
64 | 0 | if ((r = sshbuf_reserve(buf, need, &cp)) != 0) |
65 | 0 | goto out; |
66 | 0 | arc4random_buf(rnd, sizeof(rnd)); |
67 | 0 | keypair = libcrux_ml_kem_mlkem768_portable_generate_key_pair(rnd); |
68 | 0 | memcpy(cp, keypair.pk.value, crypto_kem_mlkem768_PUBLICKEYBYTES); |
69 | 0 | memcpy(kex->mlkem768_client_key, keypair.sk.value, |
70 | 0 | sizeof(kex->mlkem768_client_key)); |
71 | | #ifdef DEBUG_KEXECDH |
72 | | dump_digest("client public key mlkem768:", cp, |
73 | | crypto_kem_mlkem768_PUBLICKEYBYTES); |
74 | | #endif |
75 | 0 | cp += crypto_kem_mlkem768_PUBLICKEYBYTES; |
76 | 0 | kexc25519_keygen(kex->c25519_client_key, cp); |
77 | | #ifdef DEBUG_KEXECDH |
78 | | dump_digest("client public key c25519:", cp, CURVE25519_SIZE); |
79 | | #endif |
80 | | /* success */ |
81 | 0 | r = 0; |
82 | 0 | kex->client_pub = buf; |
83 | 0 | buf = NULL; |
84 | 0 | out: |
85 | 0 | explicit_bzero(&keypair, sizeof(keypair)); |
86 | 0 | explicit_bzero(rnd, sizeof(rnd)); |
87 | 0 | sshbuf_free(buf); |
88 | 0 | return r; |
89 | 0 | } |
90 | | |
91 | | int |
92 | | kex_kem_mlkem768x25519_enc(struct kex *kex, |
93 | | const struct sshbuf *client_blob, struct sshbuf **server_blobp, |
94 | | struct sshbuf **shared_secretp) |
95 | 0 | { |
96 | 0 | struct sshbuf *server_blob = NULL; |
97 | 0 | struct sshbuf *buf = NULL; |
98 | 0 | const u_char *client_pub; |
99 | 0 | u_char rnd[LIBCRUX_ML_KEM_ENC_PRNG_LEN]; |
100 | 0 | u_char server_pub[CURVE25519_SIZE], server_key[CURVE25519_SIZE]; |
101 | 0 | u_char hash[SSH_DIGEST_MAX_LENGTH]; |
102 | 0 | size_t need; |
103 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
104 | 0 | struct libcrux_mlkem768_enc_result enc; |
105 | 0 | struct libcrux_mlkem768_pk mlkem_pub; |
106 | |
|
107 | 0 | *server_blobp = NULL; |
108 | 0 | *shared_secretp = NULL; |
109 | 0 | memset(&mlkem_pub, 0, sizeof(mlkem_pub)); |
110 | | |
111 | | /* client_blob contains both KEM and ECDH client pubkeys */ |
112 | 0 | need = crypto_kem_mlkem768_PUBLICKEYBYTES + CURVE25519_SIZE; |
113 | 0 | if (sshbuf_len(client_blob) != need) { |
114 | 0 | r = SSH_ERR_SIGNATURE_INVALID; |
115 | 0 | goto out; |
116 | 0 | } |
117 | 0 | client_pub = sshbuf_ptr(client_blob); |
118 | | #ifdef DEBUG_KEXECDH |
119 | | dump_digest("client public key mlkem768:", client_pub, |
120 | | crypto_kem_mlkem768_PUBLICKEYBYTES); |
121 | | dump_digest("client public key 25519:", |
122 | | client_pub + crypto_kem_mlkem768_PUBLICKEYBYTES, |
123 | | CURVE25519_SIZE); |
124 | | #endif |
125 | | /* check public key validity */ |
126 | 0 | memcpy(mlkem_pub.value, client_pub, crypto_kem_mlkem768_PUBLICKEYBYTES); |
127 | 0 | if (!libcrux_ml_kem_mlkem768_portable_validate_public_key(&mlkem_pub)) { |
128 | 0 | r = SSH_ERR_SIGNATURE_INVALID; |
129 | 0 | goto out; |
130 | 0 | } |
131 | | |
132 | | /* allocate buffer for concatenation of KEM key and ECDH shared key */ |
133 | | /* the buffer will be hashed and the result is the shared secret */ |
134 | 0 | if ((buf = sshbuf_new()) == NULL) { |
135 | 0 | r = SSH_ERR_ALLOC_FAIL; |
136 | 0 | goto out; |
137 | 0 | } |
138 | | /* allocate space for encrypted KEM key and ECDH pub key */ |
139 | 0 | if ((server_blob = sshbuf_new()) == NULL) { |
140 | 0 | r = SSH_ERR_ALLOC_FAIL; |
141 | 0 | goto out; |
142 | 0 | } |
143 | | /* generate and encrypt KEM key with client key */ |
144 | 0 | arc4random_buf(rnd, sizeof(rnd)); |
145 | 0 | enc = libcrux_ml_kem_mlkem768_portable_encapsulate(&mlkem_pub, rnd); |
146 | | /* generate ECDH key pair, store server pubkey after ciphertext */ |
147 | 0 | kexc25519_keygen(server_key, server_pub); |
148 | 0 | if ((r = sshbuf_put(buf, enc.snd, sizeof(enc.snd))) != 0 || |
149 | 0 | (r = sshbuf_put(server_blob, enc.fst.value, sizeof(enc.fst.value))) != 0 || |
150 | 0 | (r = sshbuf_put(server_blob, server_pub, sizeof(server_pub))) != 0) |
151 | 0 | goto out; |
152 | | /* append ECDH shared key */ |
153 | 0 | client_pub += crypto_kem_mlkem768_PUBLICKEYBYTES; |
154 | 0 | if ((r = kexc25519_shared_key_ext(server_key, client_pub, buf, 1)) < 0) |
155 | 0 | goto out; |
156 | 0 | if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0) |
157 | 0 | goto out; |
158 | | #ifdef DEBUG_KEXECDH |
159 | | dump_digest("server public key 25519:", server_pub, CURVE25519_SIZE); |
160 | | dump_digest("server cipher text:", |
161 | | enc.fst.value, sizeof(enc.fst.value)); |
162 | | dump_digest("server kem key:", enc.snd, sizeof(enc.snd)); |
163 | | dump_digest("concatenation of KEM key and ECDH shared key:", |
164 | | sshbuf_ptr(buf), sshbuf_len(buf)); |
165 | | #endif |
166 | | /* string-encoded hash is resulting shared secret */ |
167 | 0 | sshbuf_reset(buf); |
168 | 0 | if ((r = sshbuf_put_string(buf, hash, |
169 | 0 | ssh_digest_bytes(kex->hash_alg))) != 0) |
170 | 0 | goto out; |
171 | | #ifdef DEBUG_KEXECDH |
172 | | dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf)); |
173 | | #endif |
174 | | /* success */ |
175 | 0 | r = 0; |
176 | 0 | *server_blobp = server_blob; |
177 | 0 | *shared_secretp = buf; |
178 | 0 | server_blob = NULL; |
179 | 0 | buf = NULL; |
180 | 0 | out: |
181 | 0 | explicit_bzero(hash, sizeof(hash)); |
182 | 0 | explicit_bzero(server_key, sizeof(server_key)); |
183 | 0 | explicit_bzero(rnd, sizeof(rnd)); |
184 | 0 | explicit_bzero(&enc, sizeof(enc)); |
185 | 0 | sshbuf_free(server_blob); |
186 | 0 | sshbuf_free(buf); |
187 | 0 | return r; |
188 | 0 | } |
189 | | |
190 | | int |
191 | | kex_kem_mlkem768x25519_dec(struct kex *kex, |
192 | | const struct sshbuf *server_blob, struct sshbuf **shared_secretp) |
193 | 0 | { |
194 | 0 | struct sshbuf *buf = NULL; |
195 | 0 | u_char mlkem_key[crypto_kem_mlkem768_BYTES]; |
196 | 0 | const u_char *ciphertext, *server_pub; |
197 | 0 | u_char hash[SSH_DIGEST_MAX_LENGTH]; |
198 | 0 | size_t need; |
199 | 0 | int r; |
200 | 0 | struct libcrux_mlkem768_sk mlkem_priv; |
201 | 0 | struct libcrux_mlkem768_ciphertext mlkem_ciphertext; |
202 | |
|
203 | 0 | *shared_secretp = NULL; |
204 | 0 | memset(&mlkem_priv, 0, sizeof(mlkem_priv)); |
205 | 0 | memset(&mlkem_ciphertext, 0, sizeof(mlkem_ciphertext)); |
206 | |
|
207 | 0 | need = crypto_kem_mlkem768_CIPHERTEXTBYTES + CURVE25519_SIZE; |
208 | 0 | if (sshbuf_len(server_blob) != need) { |
209 | 0 | r = SSH_ERR_SIGNATURE_INVALID; |
210 | 0 | goto out; |
211 | 0 | } |
212 | 0 | ciphertext = sshbuf_ptr(server_blob); |
213 | 0 | server_pub = ciphertext + crypto_kem_mlkem768_CIPHERTEXTBYTES; |
214 | | /* hash concatenation of KEM key and ECDH shared key */ |
215 | 0 | if ((buf = sshbuf_new()) == NULL) { |
216 | 0 | r = SSH_ERR_ALLOC_FAIL; |
217 | 0 | goto out; |
218 | 0 | } |
219 | 0 | memcpy(mlkem_priv.value, kex->mlkem768_client_key, |
220 | 0 | sizeof(kex->mlkem768_client_key)); |
221 | 0 | memcpy(mlkem_ciphertext.value, ciphertext, |
222 | 0 | sizeof(mlkem_ciphertext.value)); |
223 | | #ifdef DEBUG_KEXECDH |
224 | | dump_digest("server cipher text:", mlkem_ciphertext.value, |
225 | | sizeof(mlkem_ciphertext.value)); |
226 | | dump_digest("server public key c25519:", server_pub, CURVE25519_SIZE); |
227 | | #endif |
228 | 0 | libcrux_ml_kem_mlkem768_portable_decapsulate(&mlkem_priv, |
229 | 0 | &mlkem_ciphertext, mlkem_key); |
230 | 0 | if ((r = sshbuf_put(buf, mlkem_key, sizeof(mlkem_key))) != 0) |
231 | 0 | goto out; |
232 | 0 | if ((r = kexc25519_shared_key_ext(kex->c25519_client_key, server_pub, |
233 | 0 | buf, 1)) < 0) |
234 | 0 | goto out; |
235 | 0 | if ((r = ssh_digest_buffer(kex->hash_alg, buf, |
236 | 0 | hash, sizeof(hash))) != 0) |
237 | 0 | goto out; |
238 | | #ifdef DEBUG_KEXECDH |
239 | | dump_digest("client kem key:", mlkem_key, sizeof(mlkem_key)); |
240 | | dump_digest("concatenation of KEM key and ECDH shared key:", |
241 | | sshbuf_ptr(buf), sshbuf_len(buf)); |
242 | | #endif |
243 | 0 | sshbuf_reset(buf); |
244 | 0 | if ((r = sshbuf_put_string(buf, hash, |
245 | 0 | ssh_digest_bytes(kex->hash_alg))) != 0) |
246 | 0 | goto out; |
247 | | #ifdef DEBUG_KEXECDH |
248 | | dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf)); |
249 | | #endif |
250 | | /* success */ |
251 | 0 | r = 0; |
252 | 0 | *shared_secretp = buf; |
253 | 0 | buf = NULL; |
254 | 0 | out: |
255 | 0 | explicit_bzero(hash, sizeof(hash)); |
256 | 0 | explicit_bzero(&mlkem_priv, sizeof(mlkem_priv)); |
257 | 0 | explicit_bzero(&mlkem_ciphertext, sizeof(mlkem_ciphertext)); |
258 | 0 | explicit_bzero(mlkem_key, sizeof(mlkem_key)); |
259 | 0 | sshbuf_free(buf); |
260 | 0 | return r; |
261 | 0 | } |
262 | | #else /* USE_MLKEM768X25519 */ |
263 | | int |
264 | | kex_kem_mlkem768x25519_keypair(struct kex *kex) |
265 | | { |
266 | | return SSH_ERR_SIGN_ALG_UNSUPPORTED; |
267 | | } |
268 | | |
269 | | int |
270 | | kex_kem_mlkem768x25519_enc(struct kex *kex, |
271 | | const struct sshbuf *client_blob, struct sshbuf **server_blobp, |
272 | | struct sshbuf **shared_secretp) |
273 | | { |
274 | | return SSH_ERR_SIGN_ALG_UNSUPPORTED; |
275 | | } |
276 | | |
277 | | int |
278 | | kex_kem_mlkem768x25519_dec(struct kex *kex, |
279 | | const struct sshbuf *server_blob, struct sshbuf **shared_secretp) |
280 | | { |
281 | | return SSH_ERR_SIGN_ALG_UNSUPPORTED; |
282 | | } |
283 | | #endif /* USE_MLKEM768X25519 */ |