/src/openssh/kexmlkem768x25519.c
Line | Count | Source |
1 | | /* $OpenBSD: kexmlkem768x25519.c,v 1.2 2024/10/27 02:06:59 djm Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2023 Markus Friedl. All rights reserved. |
4 | | * |
5 | | * Redistribution and use in source and binary forms, with or without |
6 | | * modification, are permitted provided that the following conditions |
7 | | * are met: |
8 | | * 1. Redistributions of source code must retain the above copyright |
9 | | * notice, this list of conditions and the following disclaimer. |
10 | | * 2. Redistributions in binary form must reproduce the above copyright |
11 | | * notice, this list of conditions and the following disclaimer in the |
12 | | * documentation and/or other materials provided with the distribution. |
13 | | * |
14 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
15 | | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
16 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
17 | | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
18 | | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
19 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
20 | | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
21 | | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
22 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
23 | | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 | | */ |
25 | | |
26 | | #include "includes.h" |
27 | | |
28 | | #include <sys/types.h> |
29 | | |
30 | | #include <stdio.h> |
31 | | #include <stdint.h> |
32 | | #include <stdbool.h> |
33 | | #include <string.h> |
34 | | #include <signal.h> |
35 | | #include <endian.h> |
36 | | |
37 | | #include "sshkey.h" |
38 | | #include "kex.h" |
39 | | #include "sshbuf.h" |
40 | | #include "digest.h" |
41 | | #include "ssherr.h" |
42 | | #include "log.h" |
43 | | |
44 | | #ifdef USE_MLKEM768X25519 |
45 | | |
46 | | #include "libcrux_mlkem768_sha3.h" |
47 | | |
48 | | int |
49 | | kex_kem_mlkem768x25519_keypair(struct kex *kex) |
50 | 0 | { |
51 | 0 | struct sshbuf *buf = NULL; |
52 | 0 | u_char rnd[LIBCRUX_ML_KEM_KEY_PAIR_PRNG_LEN], *cp = NULL; |
53 | 0 | size_t need; |
54 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
55 | 0 | struct libcrux_mlkem768_keypair keypair; |
56 | |
|
57 | 0 | if ((buf = sshbuf_new()) == NULL) |
58 | 0 | return SSH_ERR_ALLOC_FAIL; |
59 | 0 | need = crypto_kem_mlkem768_PUBLICKEYBYTES + CURVE25519_SIZE; |
60 | 0 | if ((r = sshbuf_reserve(buf, need, &cp)) != 0) |
61 | 0 | goto out; |
62 | 0 | arc4random_buf(rnd, sizeof(rnd)); |
63 | 0 | keypair = libcrux_ml_kem_mlkem768_portable_generate_key_pair(rnd); |
64 | 0 | memcpy(cp, keypair.pk.value, crypto_kem_mlkem768_PUBLICKEYBYTES); |
65 | 0 | memcpy(kex->mlkem768_client_key, keypair.sk.value, |
66 | 0 | sizeof(kex->mlkem768_client_key)); |
67 | | #ifdef DEBUG_KEXECDH |
68 | | dump_digest("client public key mlkem768:", cp, |
69 | | crypto_kem_mlkem768_PUBLICKEYBYTES); |
70 | | #endif |
71 | 0 | cp += crypto_kem_mlkem768_PUBLICKEYBYTES; |
72 | 0 | kexc25519_keygen(kex->c25519_client_key, cp); |
73 | | #ifdef DEBUG_KEXECDH |
74 | | dump_digest("client public key c25519:", cp, CURVE25519_SIZE); |
75 | | #endif |
76 | | /* success */ |
77 | 0 | r = 0; |
78 | 0 | kex->client_pub = buf; |
79 | 0 | buf = NULL; |
80 | 0 | out: |
81 | 0 | explicit_bzero(&keypair, sizeof(keypair)); |
82 | 0 | explicit_bzero(rnd, sizeof(rnd)); |
83 | 0 | sshbuf_free(buf); |
84 | 0 | return r; |
85 | 0 | } |
86 | | |
87 | | int |
88 | | kex_kem_mlkem768x25519_enc(struct kex *kex, |
89 | | const struct sshbuf *client_blob, struct sshbuf **server_blobp, |
90 | | struct sshbuf **shared_secretp) |
91 | 0 | { |
92 | 0 | struct sshbuf *server_blob = NULL; |
93 | 0 | struct sshbuf *buf = NULL; |
94 | 0 | const u_char *client_pub; |
95 | 0 | u_char rnd[LIBCRUX_ML_KEM_ENC_PRNG_LEN]; |
96 | 0 | u_char server_pub[CURVE25519_SIZE], server_key[CURVE25519_SIZE]; |
97 | 0 | u_char hash[SSH_DIGEST_MAX_LENGTH]; |
98 | 0 | size_t need; |
99 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
100 | 0 | struct libcrux_mlkem768_enc_result enc; |
101 | 0 | struct libcrux_mlkem768_pk mlkem_pub; |
102 | |
|
103 | 0 | *server_blobp = NULL; |
104 | 0 | *shared_secretp = NULL; |
105 | 0 | memset(&mlkem_pub, 0, sizeof(mlkem_pub)); |
106 | | |
107 | | /* client_blob contains both KEM and ECDH client pubkeys */ |
108 | 0 | need = crypto_kem_mlkem768_PUBLICKEYBYTES + CURVE25519_SIZE; |
109 | 0 | if (sshbuf_len(client_blob) != need) { |
110 | 0 | r = SSH_ERR_SIGNATURE_INVALID; |
111 | 0 | goto out; |
112 | 0 | } |
113 | 0 | client_pub = sshbuf_ptr(client_blob); |
114 | | #ifdef DEBUG_KEXECDH |
115 | | dump_digest("client public key mlkem768:", client_pub, |
116 | | crypto_kem_mlkem768_PUBLICKEYBYTES); |
117 | | dump_digest("client public key 25519:", |
118 | | client_pub + crypto_kem_mlkem768_PUBLICKEYBYTES, |
119 | | CURVE25519_SIZE); |
120 | | #endif |
121 | | /* check public key validity */ |
122 | 0 | memcpy(mlkem_pub.value, client_pub, crypto_kem_mlkem768_PUBLICKEYBYTES); |
123 | 0 | if (!libcrux_ml_kem_mlkem768_portable_validate_public_key(&mlkem_pub)) { |
124 | 0 | r = SSH_ERR_SIGNATURE_INVALID; |
125 | 0 | goto out; |
126 | 0 | } |
127 | | |
128 | | /* allocate buffer for concatenation of KEM key and ECDH shared key */ |
129 | | /* the buffer will be hashed and the result is the shared secret */ |
130 | 0 | if ((buf = sshbuf_new()) == NULL) { |
131 | 0 | r = SSH_ERR_ALLOC_FAIL; |
132 | 0 | goto out; |
133 | 0 | } |
134 | | /* allocate space for encrypted KEM key and ECDH pub key */ |
135 | 0 | if ((server_blob = sshbuf_new()) == NULL) { |
136 | 0 | r = SSH_ERR_ALLOC_FAIL; |
137 | 0 | goto out; |
138 | 0 | } |
139 | | /* generate and encrypt KEM key with client key */ |
140 | 0 | arc4random_buf(rnd, sizeof(rnd)); |
141 | 0 | enc = libcrux_ml_kem_mlkem768_portable_encapsulate(&mlkem_pub, rnd); |
142 | | /* generate ECDH key pair, store server pubkey after ciphertext */ |
143 | 0 | kexc25519_keygen(server_key, server_pub); |
144 | 0 | if ((r = sshbuf_put(buf, enc.snd, sizeof(enc.snd))) != 0 || |
145 | 0 | (r = sshbuf_put(server_blob, enc.fst.value, sizeof(enc.fst.value))) != 0 || |
146 | 0 | (r = sshbuf_put(server_blob, server_pub, sizeof(server_pub))) != 0) |
147 | 0 | goto out; |
148 | | /* append ECDH shared key */ |
149 | 0 | client_pub += crypto_kem_mlkem768_PUBLICKEYBYTES; |
150 | 0 | if ((r = kexc25519_shared_key_ext(server_key, client_pub, buf, 1)) < 0) |
151 | 0 | goto out; |
152 | 0 | if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0) |
153 | 0 | goto out; |
154 | | #ifdef DEBUG_KEXECDH |
155 | | dump_digest("server public key 25519:", server_pub, CURVE25519_SIZE); |
156 | | dump_digest("server cipher text:", |
157 | | enc.fst.value, sizeof(enc.fst.value)); |
158 | | dump_digest("server kem key:", enc.snd, sizeof(enc.snd)); |
159 | | dump_digest("concatenation of KEM key and ECDH shared key:", |
160 | | sshbuf_ptr(buf), sshbuf_len(buf)); |
161 | | #endif |
162 | | /* string-encoded hash is resulting shared secret */ |
163 | 0 | sshbuf_reset(buf); |
164 | 0 | if ((r = sshbuf_put_string(buf, hash, |
165 | 0 | ssh_digest_bytes(kex->hash_alg))) != 0) |
166 | 0 | goto out; |
167 | | #ifdef DEBUG_KEXECDH |
168 | | dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf)); |
169 | | #endif |
170 | | /* success */ |
171 | 0 | r = 0; |
172 | 0 | *server_blobp = server_blob; |
173 | 0 | *shared_secretp = buf; |
174 | 0 | server_blob = NULL; |
175 | 0 | buf = NULL; |
176 | 0 | out: |
177 | 0 | explicit_bzero(hash, sizeof(hash)); |
178 | 0 | explicit_bzero(server_key, sizeof(server_key)); |
179 | 0 | explicit_bzero(rnd, sizeof(rnd)); |
180 | 0 | explicit_bzero(&enc, sizeof(enc)); |
181 | 0 | sshbuf_free(server_blob); |
182 | 0 | sshbuf_free(buf); |
183 | 0 | return r; |
184 | 0 | } |
185 | | |
186 | | int |
187 | | kex_kem_mlkem768x25519_dec(struct kex *kex, |
188 | | const struct sshbuf *server_blob, struct sshbuf **shared_secretp) |
189 | 0 | { |
190 | 0 | struct sshbuf *buf = NULL; |
191 | 0 | u_char mlkem_key[crypto_kem_mlkem768_BYTES]; |
192 | 0 | const u_char *ciphertext, *server_pub; |
193 | 0 | u_char hash[SSH_DIGEST_MAX_LENGTH]; |
194 | 0 | size_t need; |
195 | 0 | int r; |
196 | 0 | struct libcrux_mlkem768_sk mlkem_priv; |
197 | 0 | struct libcrux_mlkem768_ciphertext mlkem_ciphertext; |
198 | |
|
199 | 0 | *shared_secretp = NULL; |
200 | 0 | memset(&mlkem_priv, 0, sizeof(mlkem_priv)); |
201 | 0 | memset(&mlkem_ciphertext, 0, sizeof(mlkem_ciphertext)); |
202 | |
|
203 | 0 | need = crypto_kem_mlkem768_CIPHERTEXTBYTES + CURVE25519_SIZE; |
204 | 0 | if (sshbuf_len(server_blob) != need) { |
205 | 0 | r = SSH_ERR_SIGNATURE_INVALID; |
206 | 0 | goto out; |
207 | 0 | } |
208 | 0 | ciphertext = sshbuf_ptr(server_blob); |
209 | 0 | server_pub = ciphertext + crypto_kem_mlkem768_CIPHERTEXTBYTES; |
210 | | /* hash concatenation of KEM key and ECDH shared key */ |
211 | 0 | if ((buf = sshbuf_new()) == NULL) { |
212 | 0 | r = SSH_ERR_ALLOC_FAIL; |
213 | 0 | goto out; |
214 | 0 | } |
215 | 0 | memcpy(mlkem_priv.value, kex->mlkem768_client_key, |
216 | 0 | sizeof(kex->mlkem768_client_key)); |
217 | 0 | memcpy(mlkem_ciphertext.value, ciphertext, |
218 | 0 | sizeof(mlkem_ciphertext.value)); |
219 | | #ifdef DEBUG_KEXECDH |
220 | | dump_digest("server cipher text:", mlkem_ciphertext.value, |
221 | | sizeof(mlkem_ciphertext.value)); |
222 | | dump_digest("server public key c25519:", server_pub, CURVE25519_SIZE); |
223 | | #endif |
224 | 0 | libcrux_ml_kem_mlkem768_portable_decapsulate(&mlkem_priv, |
225 | 0 | &mlkem_ciphertext, mlkem_key); |
226 | 0 | if ((r = sshbuf_put(buf, mlkem_key, sizeof(mlkem_key))) != 0) |
227 | 0 | goto out; |
228 | 0 | if ((r = kexc25519_shared_key_ext(kex->c25519_client_key, server_pub, |
229 | 0 | buf, 1)) < 0) |
230 | 0 | goto out; |
231 | 0 | if ((r = ssh_digest_buffer(kex->hash_alg, buf, |
232 | 0 | hash, sizeof(hash))) != 0) |
233 | 0 | goto out; |
234 | | #ifdef DEBUG_KEXECDH |
235 | | dump_digest("client kem key:", mlkem_key, sizeof(mlkem_key)); |
236 | | dump_digest("concatenation of KEM key and ECDH shared key:", |
237 | | sshbuf_ptr(buf), sshbuf_len(buf)); |
238 | | #endif |
239 | 0 | sshbuf_reset(buf); |
240 | 0 | if ((r = sshbuf_put_string(buf, hash, |
241 | 0 | ssh_digest_bytes(kex->hash_alg))) != 0) |
242 | 0 | goto out; |
243 | | #ifdef DEBUG_KEXECDH |
244 | | dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf)); |
245 | | #endif |
246 | | /* success */ |
247 | 0 | r = 0; |
248 | 0 | *shared_secretp = buf; |
249 | 0 | buf = NULL; |
250 | 0 | out: |
251 | 0 | explicit_bzero(hash, sizeof(hash)); |
252 | 0 | explicit_bzero(&mlkem_priv, sizeof(mlkem_priv)); |
253 | 0 | explicit_bzero(&mlkem_ciphertext, sizeof(mlkem_ciphertext)); |
254 | 0 | explicit_bzero(mlkem_key, sizeof(mlkem_key)); |
255 | 0 | sshbuf_free(buf); |
256 | 0 | return r; |
257 | 0 | } |
258 | | #else /* USE_MLKEM768X25519 */ |
259 | | int |
260 | | kex_kem_mlkem768x25519_keypair(struct kex *kex) |
261 | | { |
262 | | return SSH_ERR_SIGN_ALG_UNSUPPORTED; |
263 | | } |
264 | | |
265 | | int |
266 | | kex_kem_mlkem768x25519_enc(struct kex *kex, |
267 | | const struct sshbuf *client_blob, struct sshbuf **server_blobp, |
268 | | struct sshbuf **shared_secretp) |
269 | | { |
270 | | return SSH_ERR_SIGN_ALG_UNSUPPORTED; |
271 | | } |
272 | | |
273 | | int |
274 | | kex_kem_mlkem768x25519_dec(struct kex *kex, |
275 | | const struct sshbuf *server_blob, struct sshbuf **shared_secretp) |
276 | | { |
277 | | return SSH_ERR_SIGN_ALG_UNSUPPORTED; |
278 | | } |
279 | | #endif /* USE_MLKEM768X25519 */ |