/src/libssh/src/sntrup761.c

Source
/*
 * sntrup761.c - SNTRUP761x25519 ECDH functions for key exchange
 * sntrup761x25519-sha512@openssh.com - based on curve25519.c.
 *
 * This file is part of the SSH Library
 *
 * Copyright (c) 2013      by Aris Adamantiadis <aris@badcode.be>
 * Copyright (c) 2023 Simon Josefsson <simon@josefsson.org>
 * Copyright (c) 2025 Jakub Jelen <jjelen@redhat.com>
 *
 * The SSH Library is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, version 2.1 of the License.
 *
 * The SSH Library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
 * License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with the SSH Library; see the file COPYING.  If not, write to
 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#include "config.h"

#include "libssh/sntrup761.h"
#ifdef HAVE_SNTRUP761

#include "libssh/bignum.h"
#include "libssh/buffer.h"
#include "libssh/crypto.h"
#include "libssh/dh.h"
#include "libssh/pki.h"
#include "libssh/priv.h"
#include "libssh/session.h"
#include "libssh/ssh2.h"

void crypto_hash_sha512(unsigned char *out,
                        const unsigned char *in,
                        unsigned long long inlen)
{
    sha512(in, inlen, out);
}

#ifndef HAVE_LIBGCRYPT
static void crypto_random(void *ctx, size_t length, uint8_t *dst)
{
    int *err = ctx;
    *err = ssh_get_random(dst, length, 1);
}
#endif /* HAVE_LIBGCRYPT */

static SSH_PACKET_CALLBACK(ssh_packet_client_sntrup761x25519_reply);

static ssh_packet_callback dh_client_callbacks[] = {
    ssh_packet_client_sntrup761x25519_reply,
};

static struct ssh_packet_callbacks_struct ssh_sntrup761x25519_client_callbacks =
    {
        .start = SSH2_MSG_KEX_ECDH_REPLY,
        .n_callbacks = 1,
        .callbacks = dh_client_callbacks,
        .user = NULL,
};

static int ssh_sntrup761x25519_init(ssh_session session)
{
    int rc;

    rc = ssh_curve25519_init(session);
    if (rc != SSH_OK) {
        return rc;
    }

    if (!session->server) {
#ifdef HAVE_LIBGCRYPT
        gcry_error_t err;

        err = gcry_kem_keypair(GCRY_KEM_SNTRUP761,
                               session->next_crypto->sntrup761_client_pubkey,
                               SNTRUP761_PUBLICKEY_SIZE,
                               session->next_crypto->sntrup761_privkey,
                               SNTRUP761_SECRETKEY_SIZE);
        if (err) {
            SSH_LOG(SSH_LOG_TRACE,
                    "Failed to generate sntrup761 key: %s",
                    gpg_strerror(err));
            return SSH_ERROR;
        }
#else
        sntrup761_keypair(session->next_crypto->sntrup761_client_pubkey,
                          session->next_crypto->sntrup761_privkey,
                          &rc,
                          crypto_random);
        if (rc != 1) {
            SSH_LOG(SSH_LOG_TRACE,
                    "Failed to generate sntrup761 key: PRNG failure");
            return SSH_ERROR;
        }
#endif /* HAVE_LIBGCRYPT */
    }

    return SSH_OK;
}

/** @internal
 * @brief Starts sntrup761x25519-sha512@openssh.com key exchange
 */
int ssh_client_sntrup761x25519_init(ssh_session session)
{
    int rc;

    rc = ssh_sntrup761x25519_init(session);
    if (rc != SSH_OK) {
        return rc;
    }

    rc = ssh_buffer_pack(session->out_buffer,
                         "bdPP",
                         SSH2_MSG_KEX_ECDH_INIT,
                         CURVE25519_PUBKEY_SIZE + SNTRUP761_PUBLICKEY_SIZE,
                         (size_t)SNTRUP761_PUBLICKEY_SIZE,
                         session->next_crypto->sntrup761_client_pubkey,
                         (size_t)CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_client_pubkey);
    if (rc != SSH_OK) {
        ssh_set_error_oom(session);
        return SSH_ERROR;
    }

    /* register the packet callbacks */
    ssh_packet_set_callbacks(session, &ssh_sntrup761x25519_client_callbacks);
    session->dh_handshake_state = DH_STATE_INIT_SENT;
    rc = ssh_packet_send(session);

    return rc;
}

void ssh_client_sntrup761x25519_remove_callbacks(ssh_session session)
{
    ssh_packet_remove_callbacks(session, &ssh_sntrup761x25519_client_callbacks);
}

static int ssh_sntrup761x25519_build_k(ssh_session session)
{
    unsigned char ssk[SNTRUP761_SIZE + CURVE25519_PUBKEY_SIZE];
    unsigned char *k = ssk + SNTRUP761_SIZE;
    unsigned char hss[SHA512_DIGEST_LEN];
    int rc;

    rc = ssh_curve25519_create_k(session, k);
    if (rc != SSH_OK) {
        goto cleanup;
    }

#ifdef DEBUG_CRYPTO
    ssh_log_hexdump("Curve25519 shared secret", k, CURVE25519_PUBKEY_SIZE);
#endif

#ifdef HAVE_LIBGCRYPT
    if (session->server) {
        gcry_error_t err;
        err = gcry_kem_encap(GCRY_KEM_SNTRUP761,
                             session->next_crypto->sntrup761_client_pubkey,
                             SNTRUP761_PUBLICKEY_SIZE,
                             session->next_crypto->sntrup761_ciphertext,
                             SNTRUP761_CIPHERTEXT_SIZE,
                             ssk,
                             SNTRUP761_SIZE,
                             NULL,
                             0);
        if (err) {
            SSH_LOG(SSH_LOG_TRACE,
                    "Failed to encapsulate sntrup761 shared secret: %s",
                    gpg_strerror(err));
            rc = SSH_ERROR;
            goto cleanup;
        }
    } else {
        gcry_error_t err;
        err = gcry_kem_decap(GCRY_KEM_SNTRUP761,
                             session->next_crypto->sntrup761_privkey,
                             SNTRUP761_SECRETKEY_SIZE,
                             session->next_crypto->sntrup761_ciphertext,
                             SNTRUP761_CIPHERTEXT_SIZE,
                             ssk,
                             SNTRUP761_SIZE,
                             NULL,
                             0);
        if (err) {
            SSH_LOG(SSH_LOG_TRACE,
                    "Failed to decapsulate sntrup761 shared secret: %s",
                    gpg_strerror(err));
            rc = SSH_ERROR;
            goto cleanup;
        }
    }
#else
    if (session->server) {
        sntrup761_enc(session->next_crypto->sntrup761_ciphertext,
                      ssk,
                      session->next_crypto->sntrup761_client_pubkey,
                      &rc,
                      crypto_random);
        if (rc != 1) {
            rc = SSH_ERROR;
            goto cleanup;
        }
    } else {
        sntrup761_dec(ssk,
                      session->next_crypto->sntrup761_ciphertext,
                      session->next_crypto->sntrup761_privkey);
    }
#endif /* HAVE_LIBGCRYPT */

#ifdef DEBUG_CRYPTO
    ssh_log_hexdump("server cipher text",
                    session->next_crypto->sntrup761_ciphertext,
                    SNTRUP761_CIPHERTEXT_SIZE);
    ssh_log_hexdump("kem key", ssk, SNTRUP761_SIZE);
#endif

    sha512(ssk, sizeof ssk, hss);

    bignum_bin2bn(hss, sizeof hss, &session->next_crypto->shared_secret);
    if (session->next_crypto->shared_secret == NULL) {
        rc = SSH_ERROR;
        goto cleanup;
    }

#ifdef DEBUG_CRYPTO
    ssh_print_bignum("Shared secret key", session->next_crypto->shared_secret);
#endif

    return 0;
cleanup:
    ssh_burn(ssk, sizeof ssk);
    ssh_burn(hss, sizeof hss);

    return rc;
}

/** @internal
 * @brief parses a SSH_MSG_KEX_ECDH_REPLY packet and sends back
 * a SSH_MSG_NEWKEYS
 */
static SSH_PACKET_CALLBACK(ssh_packet_client_sntrup761x25519_reply)
{
    ssh_string q_s_string = NULL;
    ssh_string pubkey_blob = NULL;
    ssh_string signature = NULL;
    int rc;
    (void)type;
    (void)user;

    ssh_client_sntrup761x25519_remove_callbacks(session);

    pubkey_blob = ssh_buffer_get_ssh_string(packet);
    if (pubkey_blob == NULL) {
        ssh_set_error(session, SSH_FATAL, "No public key in packet");
        goto error;
    }

    rc = ssh_dh_import_next_pubkey_blob(session, pubkey_blob);
    SSH_STRING_FREE(pubkey_blob);
    if (rc != 0) {
        ssh_set_error(session, SSH_FATAL, "Failed to import next public key");
        goto error;
    }

    q_s_string = ssh_buffer_get_ssh_string(packet);
    if (q_s_string == NULL) {
        ssh_set_error(session, SSH_FATAL, "No sntrup761x25519 Q_S in packet");
        goto error;
    }
    if (ssh_string_len(q_s_string) != (SNTRUP761_CIPHERTEXT_SIZE + CURVE25519_PUBKEY_SIZE)) {
        ssh_set_error(session,
                      SSH_FATAL,
                      "Incorrect size for server sntrup761x25519 ciphertext+key: %d",
                      (int)ssh_string_len(q_s_string));
        SSH_STRING_FREE(q_s_string);
        goto error;
    }
    memcpy(session->next_crypto->sntrup761_ciphertext,
           ssh_string_data(q_s_string),
           SNTRUP761_CIPHERTEXT_SIZE);
    memcpy(session->next_crypto->curve25519_server_pubkey,
           (char *)ssh_string_data(q_s_string) + SNTRUP761_CIPHERTEXT_SIZE,
           CURVE25519_PUBKEY_SIZE);
    SSH_STRING_FREE(q_s_string);

    signature = ssh_buffer_get_ssh_string(packet);
    if (signature == NULL) {
        ssh_set_error(session, SSH_FATAL, "No signature in packet");
        goto error;
    }
    session->next_crypto->dh_server_signature = signature;
    signature = NULL; /* ownership changed */
    /* TODO: verify signature now instead of waiting for NEWKEYS */
    if (ssh_sntrup761x25519_build_k(session) < 0) {
        ssh_set_error(session, SSH_FATAL, "Cannot build k number");
        goto error;
    }

    /* Send the MSG_NEWKEYS */
    if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
        goto error;
    }

    rc = ssh_packet_send(session);
    if (rc == SSH_ERROR) {
        goto error;
    }

    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;

    return SSH_PACKET_USED;

error:
    session->session_state = SSH_SESSION_STATE_ERROR;
    return SSH_PACKET_USED;
}

#ifdef WITH_SERVER

static SSH_PACKET_CALLBACK(ssh_packet_server_sntrup761x25519_init);

static ssh_packet_callback dh_server_callbacks[] = {
    ssh_packet_server_sntrup761x25519_init,
};

static struct ssh_packet_callbacks_struct ssh_sntrup761x25519_server_callbacks =
    {
        .start = SSH2_MSG_KEX_ECDH_INIT,
        .n_callbacks = 1,
        .callbacks = dh_server_callbacks,
        .user = NULL,
};

/** @internal
 * @brief sets up the sntrup761x25519-sha512@openssh.com kex callbacks
 */
void ssh_server_sntrup761x25519_init(ssh_session session)
{
    /* register the packet callbacks */
    ssh_packet_set_callbacks(session, &ssh_sntrup761x25519_server_callbacks);
}

/** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a
 * SSH_MSG_KEXDH_REPLY
 */
static SSH_PACKET_CALLBACK(ssh_packet_server_sntrup761x25519_init)
{
    /* ECDH/SNTRUP761 keys */
    ssh_string q_c_string = NULL;
    ssh_string q_s_string = NULL;
    ssh_string server_pubkey_blob = NULL;

    /* SSH host keys (rsa, ed25519 and ecdsa) */
    ssh_key privkey = NULL;
    enum ssh_digest_e digest = SSH_DIGEST_AUTO;
    ssh_string sig_blob = NULL;
    int rc;
    (void)type;
    (void)user;

    ssh_packet_remove_callbacks(session, &ssh_sntrup761x25519_server_callbacks);

    /* Extract the client pubkey from the init packet */
    q_c_string = ssh_buffer_get_ssh_string(packet);
    if (q_c_string == NULL) {
        ssh_set_error(session, SSH_FATAL, "No sntrup761x25519 Q_C in packet");
        goto error;
    }
    if (ssh_string_len(q_c_string) != (SNTRUP761_PUBLICKEY_SIZE + CURVE25519_PUBKEY_SIZE)) {
        ssh_set_error(session,
                      SSH_FATAL,
                      "Incorrect size for server sntrup761x25519 public key: %zu",
                      ssh_string_len(q_c_string));
        goto error;
    }

    memcpy(session->next_crypto->sntrup761_client_pubkey,
           ssh_string_data(q_c_string),
           SNTRUP761_PUBLICKEY_SIZE);
    memcpy(session->next_crypto->curve25519_client_pubkey,
           ((char *)ssh_string_data(q_c_string)) + SNTRUP761_PUBLICKEY_SIZE,
           CURVE25519_PUBKEY_SIZE);
    SSH_STRING_FREE(q_c_string);

#ifdef DEBUG_CRYPTO
    ssh_log_hexdump("client public key sntrup761",
                    session->next_crypto->sntrup761_client_pubkey,
                    SNTRUP761_PUBLICKEY_SIZE);
    ssh_log_hexdump("client public key c25519",
                    session->next_crypto->curve25519_client_pubkey,
                    CURVE25519_PUBKEY_SIZE);
#endif

    /* Build server's key pair */
    rc = ssh_sntrup761x25519_init(session);
    if (rc != SSH_OK) {
        ssh_set_error(session, SSH_FATAL, "Failed to generate sntrup761 keys");
        goto error;
    }

    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_REPLY);
    if (rc < 0) {
        ssh_set_error_oom(session);
        goto error;
    }

    /* build k and session_id */
    rc = ssh_sntrup761x25519_build_k(session);
    if (rc < 0) {
        ssh_set_error(session, SSH_FATAL, "Cannot build k number");
        goto error;
    }

    /* privkey is not allocated */
    rc = ssh_get_key_params(session, &privkey, &digest);
    if (rc == SSH_ERROR) {
        goto error;
    }

    rc = ssh_make_sessionid(session);
    if (rc != SSH_OK) {
        ssh_set_error(session, SSH_FATAL, "Could not create a session id");
        goto error;
    }

    rc = ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob);
    if (rc != 0) {
        ssh_set_error(session, SSH_FATAL, "Could not export server public key");
        goto error;
    }

    /* add host's public key */
    rc = ssh_buffer_add_ssh_string(session->out_buffer, server_pubkey_blob);
    SSH_STRING_FREE(server_pubkey_blob);
    if (rc < 0) {
        ssh_set_error_oom(session);
        goto error;
    }

    /* add ecdh public key */
    rc = ssh_buffer_add_u32(session->out_buffer,
                            ntohl(SNTRUP761_CIPHERTEXT_SIZE
                                  + CURVE25519_PUBKEY_SIZE));
    if (rc < 0) {
        ssh_set_error_oom(session);
        goto error;
    }

    rc = ssh_buffer_add_data(session->out_buffer,
                             session->next_crypto->sntrup761_ciphertext,
                             SNTRUP761_CIPHERTEXT_SIZE);
    if (rc < 0) {
        ssh_set_error_oom(session);
        goto error;
    }

    rc = ssh_buffer_add_data(session->out_buffer,
                             session->next_crypto->curve25519_server_pubkey,
                             CURVE25519_PUBKEY_SIZE);
    if (rc < 0) {
        ssh_set_error_oom(session);
        goto error;
    }

#ifdef DEBUG_CRYPTO
    ssh_log_hexdump("server public key c25519",
                    session->next_crypto->curve25519_server_pubkey,
                    CURVE25519_PUBKEY_SIZE);
#endif

    /* add signature blob */
    sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey, digest);
    if (sig_blob == NULL) {
        ssh_set_error(session, SSH_FATAL, "Could not sign the session id");
        goto error;
    }

    rc = ssh_buffer_add_ssh_string(session->out_buffer, sig_blob);
    SSH_STRING_FREE(sig_blob);
    if (rc < 0) {
        ssh_set_error_oom(session);
        goto error;
    }

#ifdef DEBUG_CRYPTO
    ssh_log_hexdump("ECDH_REPLY:",
                    ssh_buffer_get(session->out_buffer),
                    ssh_buffer_get_len(session->out_buffer));
#endif

    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_KEX_ECDH_REPLY sent");
    rc = ssh_packet_send(session);
    if (rc == SSH_ERROR) {
        return SSH_ERROR;
    }

    /* Send the MSG_NEWKEYS */
    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
    if (rc < 0) {
        goto error;
    }

    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
    rc = ssh_packet_send(session);
    if (rc == SSH_ERROR) {
        goto error;
    }
    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");

    return SSH_PACKET_USED;
error:
    SSH_STRING_FREE(q_c_string);
    SSH_STRING_FREE(q_s_string);
    ssh_buffer_reinit(session->out_buffer);
    session->session_state = SSH_SESSION_STATE_ERROR;
    return SSH_PACKET_USED;
}

#endif /* WITH_SERVER */

#endif /* HAVE_SNTRUP761 */

Coverage Report

Created: 2026-01-06 06:17

Line	Count	Source
1		/*
2		* sntrup761.c - SNTRUP761x25519 ECDH functions for key exchange
3		* sntrup761x25519-sha512@openssh.com - based on curve25519.c.
4		*
5		* This file is part of the SSH Library
6		*
7		* Copyright (c) 2013 by Aris Adamantiadis <aris@badcode.be>
8		* Copyright (c) 2023 Simon Josefsson <simon@josefsson.org>
9		* Copyright (c) 2025 Jakub Jelen <jjelen@redhat.com>
10		*
11		* The SSH Library is free software; you can redistribute it and/or modify
12		* it under the terms of the GNU Lesser General Public License as published by
13		* the Free Software Foundation, version 2.1 of the License.
14		*
15		* The SSH Library is distributed in the hope that it will be useful, but
16		* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17		* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
18		* License for more details.
19		*
20		* You should have received a copy of the GNU Lesser General Public License
21		* along with the SSH Library; see the file COPYING. If not, write to
22		* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
23		* MA 02111-1307, USA.
24		*/
25
26		#include "config.h"
27
28		#include "libssh/sntrup761.h"
29		#ifdef HAVE_SNTRUP761
30
31		#include "libssh/bignum.h"
32		#include "libssh/buffer.h"
33		#include "libssh/crypto.h"
34		#include "libssh/dh.h"
35		#include "libssh/pki.h"
36		#include "libssh/priv.h"
37		#include "libssh/session.h"
38		#include "libssh/ssh2.h"
39
40		void crypto_hash_sha512(unsigned char *out,
41		const unsigned char *in,
42		unsigned long long inlen)
43	75	{
44	75	sha512(in, inlen, out);
45	75	}
46
47		#ifndef HAVE_LIBGCRYPT
48		static void crypto_random(void ctx, size_t length, uint8_t dst)
49	11.4k	{
50	11.4k	int *err = ctx;
51	11.4k	*err = ssh_get_random(dst, length, 1);
52	11.4k	}
53		#endif /* HAVE_LIBGCRYPT */
54
55		static SSH_PACKET_CALLBACK(ssh_packet_client_sntrup761x25519_reply);
56
57		static ssh_packet_callback dh_client_callbacks[] = {
58		ssh_packet_client_sntrup761x25519_reply,
59		};
60
61		static struct ssh_packet_callbacks_struct ssh_sntrup761x25519_client_callbacks =
62		{
63		.start = SSH2_MSG_KEX_ECDH_REPLY,
64		.n_callbacks = 1,
65		.callbacks = dh_client_callbacks,
66		.user = NULL,
67		};
68
69		static int ssh_sntrup761x25519_init(ssh_session session)
70	16	{
71	16	int rc;
72
73	16	rc = ssh_curve25519_init(session);
74	16	if (rc != SSH_OK) {
75	0	return rc;
76	0	}
77
78	16	if (!session->server) {
79		#ifdef HAVE_LIBGCRYPT
80		gcry_error_t err;
81
82		err = gcry_kem_keypair(GCRY_KEM_SNTRUP761,
83		session->next_crypto->sntrup761_client_pubkey,
84		SNTRUP761_PUBLICKEY_SIZE,
85		session->next_crypto->sntrup761_privkey,
86		SNTRUP761_SECRETKEY_SIZE);
87		if (err) {
88		SSH_LOG(SSH_LOG_TRACE,
89		"Failed to generate sntrup761 key: %s",
90		gpg_strerror(err));
91		return SSH_ERROR;
92		}
93		#else
94	0	sntrup761_keypair(session->next_crypto->sntrup761_client_pubkey,
95	0	session->next_crypto->sntrup761_privkey,
96	0	&rc,
97	0	crypto_random);
98	0	if (rc != 1) {
99	0	SSH_LOG(SSH_LOG_TRACE,
100	0	"Failed to generate sntrup761 key: PRNG failure");
101	0	return SSH_ERROR;
102	0	}
103	0	#endif /* HAVE_LIBGCRYPT */
104	0	}
105
106	16	return SSH_OK;
107	16	}
108
109		/** @internal
110		* @brief Starts sntrup761x25519-sha512@openssh.com key exchange
111		*/
112		int ssh_client_sntrup761x25519_init(ssh_session session)
113	0	{
114	0	int rc;
115
116	0	rc = ssh_sntrup761x25519_init(session);
117	0	if (rc != SSH_OK) {
118	0	return rc;
119	0	}
120
121	0	rc = ssh_buffer_pack(session->out_buffer,
122	0	"bdPP",
123	0	SSH2_MSG_KEX_ECDH_INIT,
124	0	CURVE25519_PUBKEY_SIZE + SNTRUP761_PUBLICKEY_SIZE,
125	0	(size_t)SNTRUP761_PUBLICKEY_SIZE,
126	0	session->next_crypto->sntrup761_client_pubkey,
127	0	(size_t)CURVE25519_PUBKEY_SIZE,
128	0	session->next_crypto->curve25519_client_pubkey);
129	0	if (rc != SSH_OK) {
130	0	ssh_set_error_oom(session);
131	0	return SSH_ERROR;
132	0	}
133
134		/* register the packet callbacks */
135	0	ssh_packet_set_callbacks(session, &ssh_sntrup761x25519_client_callbacks);
136	0	session->dh_handshake_state = DH_STATE_INIT_SENT;
137	0	rc = ssh_packet_send(session);
138
139	0	return rc;
140	0	}
141
142		void ssh_client_sntrup761x25519_remove_callbacks(ssh_session session)
143	0	{
144	0	ssh_packet_remove_callbacks(session, &ssh_sntrup761x25519_client_callbacks);
145	0	}
146
147		static int ssh_sntrup761x25519_build_k(ssh_session session)
148	16	{
149	16	unsigned char ssk[SNTRUP761_SIZE + CURVE25519_PUBKEY_SIZE];
150	16	unsigned char *k = ssk + SNTRUP761_SIZE;
151	16	unsigned char hss[SHA512_DIGEST_LEN];
152	16	int rc;
153
154	16	rc = ssh_curve25519_create_k(session, k);
155	16	if (rc != SSH_OK) {
156	1	goto cleanup;
157	1	}
158
159		#ifdef DEBUG_CRYPTO
160		ssh_log_hexdump("Curve25519 shared secret", k, CURVE25519_PUBKEY_SIZE);
161		#endif
162
163		#ifdef HAVE_LIBGCRYPT
164		if (session->server) {
165		gcry_error_t err;
166		err = gcry_kem_encap(GCRY_KEM_SNTRUP761,
167		session->next_crypto->sntrup761_client_pubkey,
168		SNTRUP761_PUBLICKEY_SIZE,
169		session->next_crypto->sntrup761_ciphertext,
170		SNTRUP761_CIPHERTEXT_SIZE,
171		ssk,
172		SNTRUP761_SIZE,
173		NULL,
174		0);
175		if (err) {
176		SSH_LOG(SSH_LOG_TRACE,
177		"Failed to encapsulate sntrup761 shared secret: %s",
178		gpg_strerror(err));
179		rc = SSH_ERROR;
180		goto cleanup;
181		}
182		} else {
183		gcry_error_t err;
184		err = gcry_kem_decap(GCRY_KEM_SNTRUP761,
185		session->next_crypto->sntrup761_privkey,
186		SNTRUP761_SECRETKEY_SIZE,
187		session->next_crypto->sntrup761_ciphertext,
188		SNTRUP761_CIPHERTEXT_SIZE,
189		ssk,
190		SNTRUP761_SIZE,
191		NULL,
192		0);
193		if (err) {
194		SSH_LOG(SSH_LOG_TRACE,
195		"Failed to decapsulate sntrup761 shared secret: %s",
196		gpg_strerror(err));
197		rc = SSH_ERROR;
198		goto cleanup;
199		}
200		}
201		#else
202	15	if (session->server) {
203	15	sntrup761_enc(session->next_crypto->sntrup761_ciphertext,
204	15	ssk,
205	15	session->next_crypto->sntrup761_client_pubkey,
206	15	&rc,
207	15	crypto_random);
208	15	if (rc != 1) {
209	0	rc = SSH_ERROR;
210	0	goto cleanup;
211	0	}
212	15	} else {
213	0	sntrup761_dec(ssk,
214	0	session->next_crypto->sntrup761_ciphertext,
215	0	session->next_crypto->sntrup761_privkey);
216	0	}
217	15	#endif /* HAVE_LIBGCRYPT */
218
219		#ifdef DEBUG_CRYPTO
220		ssh_log_hexdump("server cipher text",
221		session->next_crypto->sntrup761_ciphertext,
222		SNTRUP761_CIPHERTEXT_SIZE);
223		ssh_log_hexdump("kem key", ssk, SNTRUP761_SIZE);
224		#endif
225
226	15	sha512(ssk, sizeof ssk, hss);
227
228	15	bignum_bin2bn(hss, sizeof hss, &session->next_crypto->shared_secret);
229	15	if (session->next_crypto->shared_secret == NULL) {
230	0	rc = SSH_ERROR;
231	0	goto cleanup;
232	0	}
233
234		#ifdef DEBUG_CRYPTO
235		ssh_print_bignum("Shared secret key", session->next_crypto->shared_secret);
236		#endif
237
238	15	return 0;
239	1	cleanup:
240	1	ssh_burn(ssk, sizeof ssk);
241	1	ssh_burn(hss, sizeof hss);
242
243	1	return rc;
244	15	}
245
246		/** @internal
247		* @brief parses a SSH_MSG_KEX_ECDH_REPLY packet and sends back
248		* a SSH_MSG_NEWKEYS
249		*/
250		static SSH_PACKET_CALLBACK(ssh_packet_client_sntrup761x25519_reply)
251	0	{
252	0	ssh_string q_s_string = NULL;
253	0	ssh_string pubkey_blob = NULL;
254	0	ssh_string signature = NULL;
255	0	int rc;
256	0	(void)type;
257	0	(void)user;
258
259	0	ssh_client_sntrup761x25519_remove_callbacks(session);
260
261	0	pubkey_blob = ssh_buffer_get_ssh_string(packet);
262	0	if (pubkey_blob == NULL) {
263	0	ssh_set_error(session, SSH_FATAL, "No public key in packet");
264	0	goto error;
265	0	}
266
267	0	rc = ssh_dh_import_next_pubkey_blob(session, pubkey_blob);
268	0	SSH_STRING_FREE(pubkey_blob);
269	0	if (rc != 0) {
270	0	ssh_set_error(session, SSH_FATAL, "Failed to import next public key");
271	0	goto error;
272	0	}
273
274	0	q_s_string = ssh_buffer_get_ssh_string(packet);
275	0	if (q_s_string == NULL) {
276	0	ssh_set_error(session, SSH_FATAL, "No sntrup761x25519 Q_S in packet");
277	0	goto error;
278	0	}
279	0	if (ssh_string_len(q_s_string) != (SNTRUP761_CIPHERTEXT_SIZE + CURVE25519_PUBKEY_SIZE)) {
280	0	ssh_set_error(session,
281	0	SSH_FATAL,
282	0	"Incorrect size for server sntrup761x25519 ciphertext+key: %d",
283	0	(int)ssh_string_len(q_s_string));
284	0	SSH_STRING_FREE(q_s_string);
285	0	goto error;
286	0	}
287	0	memcpy(session->next_crypto->sntrup761_ciphertext,
288	0	ssh_string_data(q_s_string),
289	0	SNTRUP761_CIPHERTEXT_SIZE);
290	0	memcpy(session->next_crypto->curve25519_server_pubkey,
291	0	(char *)ssh_string_data(q_s_string) + SNTRUP761_CIPHERTEXT_SIZE,
292	0	CURVE25519_PUBKEY_SIZE);
293	0	SSH_STRING_FREE(q_s_string);
294
295	0	signature = ssh_buffer_get_ssh_string(packet);
296	0	if (signature == NULL) {
297	0	ssh_set_error(session, SSH_FATAL, "No signature in packet");
298	0	goto error;
299	0	}
300	0	session->next_crypto->dh_server_signature = signature;
301	0	signature = NULL; /* ownership changed */
302		/* TODO: verify signature now instead of waiting for NEWKEYS */
303	0	if (ssh_sntrup761x25519_build_k(session) < 0) {
304	0	ssh_set_error(session, SSH_FATAL, "Cannot build k number");
305	0	goto error;
306	0	}
307
308		/* Send the MSG_NEWKEYS */
309	0	if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
310	0	goto error;
311	0	}
312
313	0	rc = ssh_packet_send(session);
314	0	if (rc == SSH_ERROR) {
315	0	goto error;
316	0	}
317
318	0	SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
319	0	session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
320
321	0	return SSH_PACKET_USED;
322
323	0	error:
324	0	session->session_state = SSH_SESSION_STATE_ERROR;
325	0	return SSH_PACKET_USED;
326	0	}
327
328		#ifdef WITH_SERVER
329
330		static SSH_PACKET_CALLBACK(ssh_packet_server_sntrup761x25519_init);
331
332		static ssh_packet_callback dh_server_callbacks[] = {
333		ssh_packet_server_sntrup761x25519_init,
334		};
335
336		static struct ssh_packet_callbacks_struct ssh_sntrup761x25519_server_callbacks =
337		{
338		.start = SSH2_MSG_KEX_ECDH_INIT,
339		.n_callbacks = 1,
340		.callbacks = dh_server_callbacks,
341		.user = NULL,
342		};
343
344		/** @internal
345		* @brief sets up the sntrup761x25519-sha512@openssh.com kex callbacks
346		*/
347		void ssh_server_sntrup761x25519_init(ssh_session session)
348	36	{
349		/* register the packet callbacks */
350	36	ssh_packet_set_callbacks(session, &ssh_sntrup761x25519_server_callbacks);
351	36	}
352
353		/** @brief Parse a SSH_MSG_KEXDH_INIT packet (server) and send a
354		* SSH_MSG_KEXDH_REPLY
355		*/
356		static SSH_PACKET_CALLBACK(ssh_packet_server_sntrup761x25519_init)
357	34	{
358		/* ECDH/SNTRUP761 keys */
359	34	ssh_string q_c_string = NULL;
360	34	ssh_string q_s_string = NULL;
361	34	ssh_string server_pubkey_blob = NULL;
362
363		/* SSH host keys (rsa, ed25519 and ecdsa) */
364	34	ssh_key privkey = NULL;
365	34	enum ssh_digest_e digest = SSH_DIGEST_AUTO;
366	34	ssh_string sig_blob = NULL;
367	34	int rc;
368	34	(void)type;
369	34	(void)user;
370
371	34	ssh_packet_remove_callbacks(session, &ssh_sntrup761x25519_server_callbacks);
372
373		/* Extract the client pubkey from the init packet */
374	34	q_c_string = ssh_buffer_get_ssh_string(packet);
375	34	if (q_c_string == NULL) {
376	1	ssh_set_error(session, SSH_FATAL, "No sntrup761x25519 Q_C in packet");
377	1	goto error;
378	1	}
379	33	if (ssh_string_len(q_c_string) != (SNTRUP761_PUBLICKEY_SIZE + CURVE25519_PUBKEY_SIZE)) {
380	17	ssh_set_error(session,
381	17	SSH_FATAL,
382	17	"Incorrect size for server sntrup761x25519 public key: %zu",
383	17	ssh_string_len(q_c_string));
384	17	goto error;
385	17	}
386
387	16	memcpy(session->next_crypto->sntrup761_client_pubkey,
388	16	ssh_string_data(q_c_string),
389	16	SNTRUP761_PUBLICKEY_SIZE);
390	16	memcpy(session->next_crypto->curve25519_client_pubkey,
391	16	((char *)ssh_string_data(q_c_string)) + SNTRUP761_PUBLICKEY_SIZE,
392	16	CURVE25519_PUBKEY_SIZE);
393	16	SSH_STRING_FREE(q_c_string);
394
395		#ifdef DEBUG_CRYPTO
396		ssh_log_hexdump("client public key sntrup761",
397		session->next_crypto->sntrup761_client_pubkey,
398		SNTRUP761_PUBLICKEY_SIZE);
399		ssh_log_hexdump("client public key c25519",
400		session->next_crypto->curve25519_client_pubkey,
401		CURVE25519_PUBKEY_SIZE);
402		#endif
403
404		/* Build server's key pair */
405	16	rc = ssh_sntrup761x25519_init(session);
406	16	if (rc != SSH_OK) {
407	0	ssh_set_error(session, SSH_FATAL, "Failed to generate sntrup761 keys");
408	0	goto error;
409	0	}
410
411	16	rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_REPLY);
412	16	if (rc < 0) {
413	0	ssh_set_error_oom(session);
414	0	goto error;
415	0	}
416
417		/* build k and session_id */
418	16	rc = ssh_sntrup761x25519_build_k(session);
419	16	if (rc < 0) {
420	1	ssh_set_error(session, SSH_FATAL, "Cannot build k number");
421	1	goto error;
422	1	}
423
424		/* privkey is not allocated */
425	15	rc = ssh_get_key_params(session, &privkey, &digest);
426	15	if (rc == SSH_ERROR) {
427	0	goto error;
428	0	}
429
430	15	rc = ssh_make_sessionid(session);
431	15	if (rc != SSH_OK) {
432	0	ssh_set_error(session, SSH_FATAL, "Could not create a session id");
433	0	goto error;
434	0	}
435
436	15	rc = ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob);
437	15	if (rc != 0) {
438	0	ssh_set_error(session, SSH_FATAL, "Could not export server public key");
439	0	goto error;
440	0	}
441
442		/* add host's public key */
443	15	rc = ssh_buffer_add_ssh_string(session->out_buffer, server_pubkey_blob);
444	15	SSH_STRING_FREE(server_pubkey_blob);
445	15	if (rc < 0) {
446	0	ssh_set_error_oom(session);
447	0	goto error;
448	0	}
449
450		/* add ecdh public key */
451	15	rc = ssh_buffer_add_u32(session->out_buffer,
452	15	ntohl(SNTRUP761_CIPHERTEXT_SIZE
453	15	+ CURVE25519_PUBKEY_SIZE));
454	15	if (rc < 0) {
455	0	ssh_set_error_oom(session);
456	0	goto error;
457	0	}
458
459	15	rc = ssh_buffer_add_data(session->out_buffer,
460	15	session->next_crypto->sntrup761_ciphertext,
461	15	SNTRUP761_CIPHERTEXT_SIZE);
462	15	if (rc < 0) {
463	0	ssh_set_error_oom(session);
464	0	goto error;
465	0	}
466
467	15	rc = ssh_buffer_add_data(session->out_buffer,
468	15	session->next_crypto->curve25519_server_pubkey,
469	15	CURVE25519_PUBKEY_SIZE);
470	15	if (rc < 0) {
471	0	ssh_set_error_oom(session);
472	0	goto error;
473	0	}
474
475		#ifdef DEBUG_CRYPTO
476		ssh_log_hexdump("server public key c25519",
477		session->next_crypto->curve25519_server_pubkey,
478		CURVE25519_PUBKEY_SIZE);
479		#endif
480
481		/* add signature blob */
482	15	sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey, digest);
483	15	if (sig_blob == NULL) {
484	0	ssh_set_error(session, SSH_FATAL, "Could not sign the session id");
485	0	goto error;
486	0	}
487
488	15	rc = ssh_buffer_add_ssh_string(session->out_buffer, sig_blob);
489	15	SSH_STRING_FREE(sig_blob);
490	15	if (rc < 0) {
491	0	ssh_set_error_oom(session);
492	0	goto error;
493	0	}
494
495		#ifdef DEBUG_CRYPTO
496		ssh_log_hexdump("ECDH_REPLY:",
497		ssh_buffer_get(session->out_buffer),
498		ssh_buffer_get_len(session->out_buffer));
499		#endif
500
501	15	SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_KEX_ECDH_REPLY sent");
502	15	rc = ssh_packet_send(session);
503	15	if (rc == SSH_ERROR) {
504	0	return SSH_ERROR;
505	0	}
506
507		/* Send the MSG_NEWKEYS */
508	15	rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
509	15	if (rc < 0) {
510	0	goto error;
511	0	}
512
513	15	session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
514	15	rc = ssh_packet_send(session);
515	15	if (rc == SSH_ERROR) {
516	0	goto error;
517	0	}
518	15	SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
519
520	15	return SSH_PACKET_USED;
521	19	error:
522	19	SSH_STRING_FREE(q_c_string);
523	19	SSH_STRING_FREE(q_s_string);
524	19	ssh_buffer_reinit(session->out_buffer);
525	19	session->session_state = SSH_SESSION_STATE_ERROR;
526	19	return SSH_PACKET_USED;
527	15	}
528
529		#endif /* WITH_SERVER */
530
531		#endif /* HAVE_SNTRUP761 */