]>
Commit | Line | Data |
---|---|---|
a2188579 | 1 | /* $OpenBSD: kexsntrup761x25519.c,v 1.2 2021/12/05 12:28:27 jsg Exp $ */ |
dfd59161 | 2 | /* |
3 | * Copyright (c) 2019 Markus Friedl. All rights reserved. | |
4 | * | |
5 | * Redistribution and use in source and binary forms, with or without | |
6 | * modification, are permitted provided that the following conditions | |
7 | * are met: | |
8 | * 1. Redistributions of source code must retain the above copyright | |
9 | * notice, this list of conditions and the following disclaimer. | |
10 | * 2. Redistributions in binary form must reproduce the above copyright | |
11 | * notice, this list of conditions and the following disclaimer in the | |
12 | * documentation and/or other materials provided with the distribution. | |
13 | * | |
14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
15 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
16 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
17 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
18 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
19 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
20 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
21 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
22 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
23 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
24 | */ | |
25 | ||
d50ab3cd DM |
26 | #include "includes.h" |
27 | ||
48d0d7a4 DT |
28 | #ifdef USE_SNTRUP761X25519 |
29 | ||
dfd59161 | 30 | #include <sys/types.h> |
31 | ||
32 | #include <stdio.h> | |
33 | #include <string.h> | |
34 | #include <signal.h> | |
35 | ||
36 | #include "sshkey.h" | |
37 | #include "kex.h" | |
38 | #include "sshbuf.h" | |
39 | #include "digest.h" | |
40 | #include "ssherr.h" | |
41 | ||
42 | int | |
659864fe | 43 | kex_kem_sntrup761x25519_keypair(struct kex *kex) |
dfd59161 | 44 | { |
45 | struct sshbuf *buf = NULL; | |
46 | u_char *cp = NULL; | |
47 | size_t need; | |
48 | int r; | |
49 | ||
50 | if ((buf = sshbuf_new()) == NULL) | |
51 | return SSH_ERR_ALLOC_FAIL; | |
659864fe | 52 | need = crypto_kem_sntrup761_PUBLICKEYBYTES + CURVE25519_SIZE; |
dfd59161 | 53 | if ((r = sshbuf_reserve(buf, need, &cp)) != 0) |
54 | goto out; | |
659864fe | 55 | crypto_kem_sntrup761_keypair(cp, kex->sntrup761_client_key); |
dfd59161 | 56 | #ifdef DEBUG_KEXECDH |
659864fe | 57 | dump_digest("client public key sntrup761:", cp, |
58 | crypto_kem_sntrup761_PUBLICKEYBYTES); | |
dfd59161 | 59 | #endif |
659864fe | 60 | cp += crypto_kem_sntrup761_PUBLICKEYBYTES; |
dfd59161 | 61 | kexc25519_keygen(kex->c25519_client_key, cp); |
62 | #ifdef DEBUG_KEXECDH | |
63 | dump_digest("client public key c25519:", cp, CURVE25519_SIZE); | |
64 | #endif | |
aaca72d6 | 65 | kex->client_pub = buf; |
dfd59161 | 66 | buf = NULL; |
67 | out: | |
68 | sshbuf_free(buf); | |
69 | return r; | |
70 | } | |
71 | ||
72 | int | |
659864fe | 73 | kex_kem_sntrup761x25519_enc(struct kex *kex, |
71e67fff | 74 | const struct sshbuf *client_blob, struct sshbuf **server_blobp, |
75 | struct sshbuf **shared_secretp) | |
dfd59161 | 76 | { |
77 | struct sshbuf *server_blob = NULL; | |
78 | struct sshbuf *buf = NULL; | |
71e67fff | 79 | const u_char *client_pub; |
dfd59161 | 80 | u_char *kem_key, *ciphertext, *server_pub; |
81 | u_char server_key[CURVE25519_SIZE]; | |
82 | u_char hash[SSH_DIGEST_MAX_LENGTH]; | |
83 | size_t need; | |
84 | int r; | |
85 | ||
86 | *server_blobp = NULL; | |
87 | *shared_secretp = NULL; | |
88 | ||
71e67fff | 89 | /* client_blob contains both KEM and ECDH client pubkeys */ |
659864fe | 90 | need = crypto_kem_sntrup761_PUBLICKEYBYTES + CURVE25519_SIZE; |
71e67fff | 91 | if (sshbuf_len(client_blob) != need) { |
dfd59161 | 92 | r = SSH_ERR_SIGNATURE_INVALID; |
93 | goto out; | |
94 | } | |
71e67fff | 95 | client_pub = sshbuf_ptr(client_blob); |
dfd59161 | 96 | #ifdef DEBUG_KEXECDH |
659864fe | 97 | dump_digest("client public key sntrup761:", client_pub, |
98 | crypto_kem_sntrup761_PUBLICKEYBYTES); | |
dfd59161 | 99 | dump_digest("client public key 25519:", |
659864fe | 100 | client_pub + crypto_kem_sntrup761_PUBLICKEYBYTES, |
71e67fff | 101 | CURVE25519_SIZE); |
dfd59161 | 102 | #endif |
103 | /* allocate buffer for concatenation of KEM key and ECDH shared key */ | |
104 | /* the buffer will be hashed and the result is the shared secret */ | |
105 | if ((buf = sshbuf_new()) == NULL) { | |
106 | r = SSH_ERR_ALLOC_FAIL; | |
107 | goto out; | |
108 | } | |
659864fe | 109 | if ((r = sshbuf_reserve(buf, crypto_kem_sntrup761_BYTES, |
dfd59161 | 110 | &kem_key)) != 0) |
111 | goto out; | |
112 | /* allocate space for encrypted KEM key and ECDH pub key */ | |
113 | if ((server_blob = sshbuf_new()) == NULL) { | |
114 | r = SSH_ERR_ALLOC_FAIL; | |
115 | goto out; | |
116 | } | |
659864fe | 117 | need = crypto_kem_sntrup761_CIPHERTEXTBYTES + CURVE25519_SIZE; |
dfd59161 | 118 | if ((r = sshbuf_reserve(server_blob, need, &ciphertext)) != 0) |
119 | goto out; | |
120 | /* generate and encrypt KEM key with client key */ | |
659864fe | 121 | crypto_kem_sntrup761_enc(ciphertext, kem_key, client_pub); |
dfd59161 | 122 | /* generate ECDH key pair, store server pubkey after ciphertext */ |
659864fe | 123 | server_pub = ciphertext + crypto_kem_sntrup761_CIPHERTEXTBYTES; |
dfd59161 | 124 | kexc25519_keygen(server_key, server_pub); |
125 | /* append ECDH shared key */ | |
659864fe | 126 | client_pub += crypto_kem_sntrup761_PUBLICKEYBYTES; |
71e67fff | 127 | if ((r = kexc25519_shared_key_ext(server_key, client_pub, buf, 1)) < 0) |
dfd59161 | 128 | goto out; |
129 | if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0) | |
130 | goto out; | |
131 | #ifdef DEBUG_KEXECDH | |
132 | dump_digest("server public key 25519:", server_pub, CURVE25519_SIZE); | |
133 | dump_digest("server cipher text:", ciphertext, | |
659864fe | 134 | crypto_kem_sntrup761_CIPHERTEXTBYTES); |
a2188579 | 135 | dump_digest("server kem key:", kem_key, crypto_kem_sntrup761_BYTES); |
dfd59161 | 136 | dump_digest("concatenation of KEM key and ECDH shared key:", |
137 | sshbuf_ptr(buf), sshbuf_len(buf)); | |
138 | #endif | |
139 | /* string-encoded hash is resulting shared secret */ | |
140 | sshbuf_reset(buf); | |
141 | if ((r = sshbuf_put_string(buf, hash, | |
142 | ssh_digest_bytes(kex->hash_alg))) != 0) | |
143 | goto out; | |
144 | #ifdef DEBUG_KEXECDH | |
145 | dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf)); | |
146 | #endif | |
147 | *server_blobp = server_blob; | |
148 | *shared_secretp = buf; | |
149 | server_blob = NULL; | |
150 | buf = NULL; | |
151 | out: | |
152 | explicit_bzero(hash, sizeof(hash)); | |
153 | explicit_bzero(server_key, sizeof(server_key)); | |
154 | sshbuf_free(server_blob); | |
155 | sshbuf_free(buf); | |
156 | return r; | |
157 | } | |
158 | ||
159 | int | |
659864fe | 160 | kex_kem_sntrup761x25519_dec(struct kex *kex, |
71e67fff | 161 | const struct sshbuf *server_blob, struct sshbuf **shared_secretp) |
dfd59161 | 162 | { |
163 | struct sshbuf *buf = NULL; | |
164 | u_char *kem_key = NULL; | |
165 | const u_char *ciphertext, *server_pub; | |
166 | u_char hash[SSH_DIGEST_MAX_LENGTH]; | |
167 | size_t need; | |
168 | int r, decoded; | |
169 | ||
170 | *shared_secretp = NULL; | |
171 | ||
659864fe | 172 | need = crypto_kem_sntrup761_CIPHERTEXTBYTES + CURVE25519_SIZE; |
71e67fff | 173 | if (sshbuf_len(server_blob) != need) { |
dfd59161 | 174 | r = SSH_ERR_SIGNATURE_INVALID; |
175 | goto out; | |
176 | } | |
71e67fff | 177 | ciphertext = sshbuf_ptr(server_blob); |
659864fe | 178 | server_pub = ciphertext + crypto_kem_sntrup761_CIPHERTEXTBYTES; |
dfd59161 | 179 | #ifdef DEBUG_KEXECDH |
180 | dump_digest("server cipher text:", ciphertext, | |
659864fe | 181 | crypto_kem_sntrup761_CIPHERTEXTBYTES); |
dfd59161 | 182 | dump_digest("server public key c25519:", server_pub, CURVE25519_SIZE); |
183 | #endif | |
184 | /* hash concatenation of KEM key and ECDH shared key */ | |
185 | if ((buf = sshbuf_new()) == NULL) { | |
186 | r = SSH_ERR_ALLOC_FAIL; | |
187 | goto out; | |
188 | } | |
659864fe | 189 | if ((r = sshbuf_reserve(buf, crypto_kem_sntrup761_BYTES, |
dfd59161 | 190 | &kem_key)) != 0) |
191 | goto out; | |
659864fe | 192 | decoded = crypto_kem_sntrup761_dec(kem_key, ciphertext, |
193 | kex->sntrup761_client_key); | |
dfd59161 | 194 | if ((r = kexc25519_shared_key_ext(kex->c25519_client_key, server_pub, |
195 | buf, 1)) < 0) | |
196 | goto out; | |
197 | if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0) | |
198 | goto out; | |
199 | #ifdef DEBUG_KEXECDH | |
659864fe | 200 | dump_digest("client kem key:", kem_key, crypto_kem_sntrup761_BYTES); |
dfd59161 | 201 | dump_digest("concatenation of KEM key and ECDH shared key:", |
202 | sshbuf_ptr(buf), sshbuf_len(buf)); | |
203 | #endif | |
204 | sshbuf_reset(buf); | |
205 | if ((r = sshbuf_put_string(buf, hash, | |
206 | ssh_digest_bytes(kex->hash_alg))) != 0) | |
207 | goto out; | |
208 | #ifdef DEBUG_KEXECDH | |
209 | dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf)); | |
210 | #endif | |
211 | if (decoded != 0) { | |
212 | r = SSH_ERR_SIGNATURE_INVALID; | |
213 | goto out; | |
214 | } | |
215 | *shared_secretp = buf; | |
216 | buf = NULL; | |
217 | out: | |
218 | explicit_bzero(hash, sizeof(hash)); | |
219 | sshbuf_free(buf); | |
220 | return r; | |
221 | } | |
48d0d7a4 DT |
222 | |
223 | #else | |
224 | ||
225 | #include "ssherr.h" | |
226 | ||
227 | struct kex; | |
228 | struct sshbuf; | |
229 | struct sshkey; | |
230 | ||
231 | int | |
232 | kex_kem_sntrup761x25519_keypair(struct kex *kex) | |
233 | { | |
234 | return SSH_ERR_SIGN_ALG_UNSUPPORTED; | |
235 | } | |
236 | ||
237 | int | |
238 | kex_kem_sntrup761x25519_enc(struct kex *kex, | |
239 | const struct sshbuf *client_blob, struct sshbuf **server_blobp, | |
240 | struct sshbuf **shared_secretp) | |
241 | { | |
242 | return SSH_ERR_SIGN_ALG_UNSUPPORTED; | |
243 | } | |
244 | ||
245 | int | |
246 | kex_kem_sntrup761x25519_dec(struct kex *kex, | |
247 | const struct sshbuf *server_blob, struct sshbuf **shared_secretp) | |
248 | { | |
249 | return SSH_ERR_SIGN_ALG_UNSUPPORTED; | |
250 | } | |
251 | #endif /* USE_SNTRUP761X25519 */ |