From: Andreas Steffen Date: Sat, 17 Oct 2020 09:58:58 +0000 (+0200) Subject: key-exchange: Add identifiers for NIST round 3 submission KEM candidates X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd200d30e1f74f59d2d44e63960400aa592f4fd2;p=thirdparty%2Fstrongswan.git key-exchange: Add identifiers for NIST round 3 submission KEM candidates
---
diff --git a/src/libstrongswan/crypto/key_exchange.c b/src/libstrongswan/crypto/key_exchange.c
index 74107cec4d..880db4cd8a 100644
--- a/src/libstrongswan/crypto/key_exchange.c
+++ b/src/libstrongswan/crypto/key_exchange.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2016-2020 Andreas Steffen
 * Copyright (C) 2010-2020 Tobias Brunner
 * Copyright (C) 2005-2010 Martin Willi
 * Copyright (C) 2005 Jan Hutter
@@ -57,7 +58,30 @@ ENUM_NEXT(key_exchange_method_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
 "NTRU_256");
 ENUM_NEXT(key_exchange_method_names, NH_128_BIT, NH_128_BIT, NTRU_256_BIT,
 "NEWHOPE_128");
-ENUM_NEXT(key_exchange_method_names, MODP_CUSTOM, MODP_CUSTOM, NH_128_BIT,
+ENUM_NEXT(key_exchange_method_names, KE_KYBER_L1, KE_HQC_L5, NH_128_BIT,
+ "KYBER_L1",
+ "KYBER_L3",
+ "KYBER_L5",
+ "NTRU_HPS_L1",
+ "NTRU_HPS_L3",
+ "NTRU_HPS_L5",
+ "NTRU_HRSS_L3",
+ "SABER_L1",
+ "SABER_L3",
+ "SABER_L5",
+ "BIKE_L1",
+ "BIKE_L3",
+ "BIKE_L5",
+ "FRODO_AES_L1",
+ "FRODO_AES_L3",
+ "FRODO_AES_L5",
+ "FRODO_SHAKE_L1",
+ "FRODO_SHAKE_L3",
+ "FRODO_SHAKE_L5",
+ "HQC_L1",
+ "HQC_L3",
+ "HQC_L5");
+ENUM_NEXT(key_exchange_method_names, MODP_CUSTOM, MODP_CUSTOM, KE_HQC_L5,
 "MODP_CUSTOM");
 ENUM_END(key_exchange_method_names, MODP_CUSTOM);
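Review bot: The 22 new strings in `key_exchange_method_names` are tied to their enum values only by position within the `KE_KYBER_L1`..`KE_HQC_L5` range, so a later insertion or reorder in `key_exchange_method_t` would silently mislabel methods wherever these names are printed. The order in this hunk does match the header values 1050 to 1071, but nothing here records that requirement. A one-line comment above the new `ENUM_NEXT`, for example `/* order must match KE_KYBER_L1..KE_HQC_L5 (1050..1071) in key_exchange.h */`, would make the coupling explicit; the same applies to the short-name table in the next hunk.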
@@ -97,7 +121,30 @@ ENUM_NEXT(key_exchange_method_names_short, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL
 "ntru256");
 ENUM_NEXT(key_exchange_method_names_short, NH_128_BIT, NH_128_BIT, NTRU_256_BIT,
 "newhope128");
-ENUM_NEXT(key_exchange_method_names_short, MODP_CUSTOM, MODP_CUSTOM, NH_128_BIT,
+ENUM_NEXT(key_exchange_method_names_short, KE_KYBER_L1, KE_HQC_L5, NH_128_BIT,
+ "kyber1",
+ "kyber3",
+ "kyber5",
+ "ntrup1",
+ "ntrup3",
+ "ntrup5",
+ "ntrur3",
+ "saber1",
+ "saber3",
+ "saber5",
+ "bike1",
+ "bike3",
+ "bike5",
+ "frodoa1",
+ "frodoa3",
+ "frodoa5",
+ "frodos1",
+ "frodos3",
+ "frodos5",
+ "hqc1",
+ "hqc3",
+ "hqc5");
+ENUM_NEXT(key_exchange_method_names_short, MODP_CUSTOM, MODP_CUSTOM, KE_HQC_L5,
 "modpcustom");
 ENUM_END(key_exchange_method_names_short, MODP_CUSTOM);
@@ -616,6 +663,41 @@ bool key_exchange_is_ecdh(key_exchange_method_t ke)
 }
 }
+/*
+ * Described in header
+ */
+bool key_exchange_is_kem(key_exchange_method_t ke)
+{
+ switch (ke)
+ {
+ case KE_KYBER_L1:
+ case KE_KYBER_L3:
+ case KE_KYBER_L5:
+ case KE_NTRU_HPS_L1:
+ case KE_NTRU_HPS_L3:
+ case KE_NTRU_HPS_L5:
+ case KE_NTRU_HRSS_L3:
+ case KE_SABER_L1:
+ case KE_SABER_L3:
+ case KE_SABER_L5:
+ case KE_BIKE_L1:
+ case KE_BIKE_L3:
+ case KE_BIKE_L5:
+ case KE_HQC_L1:
+ case KE_HQC_L3:
+ case KE_HQC_L5:
+ case KE_FRODO_AES_L1:
+ case KE_FRODO_AES_L3:
+ case KE_FRODO_AES_L5:
+ case KE_FRODO_SHAKE_L1:
+ case KE_FRODO_SHAKE_L3:
+ case KE_FRODO_SHAKE_L5:
+ return TRUE;
+ default:
+ return FALSE;
+ }
+}
+
 /*
 * Described in header
 */
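Review bot: The short names `ntrup1`, `ntrup3` and `ntrup5` for the NTRU-HPS parameter sets read like NTRU Prime, a separate NIST round 3 candidate that this commit does not add, so an operator choosing a proposal keyword could believe a different scheme is being negotiated. Since the long names are `NTRU_HPS_*` and `NTRU_HRSS_*`, keywords such as `ntruhps1` and `ntruhrss3` would be unambiguous. The same keywords are registered in the `proposal_keywords_static.txt` hunk and would have to change together with this table.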
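Review bot: `key_exchange_is_kem()` returns FALSE through `default` for the existing `NTRU_*_BIT` and `NH_128_BIT` identifiers, although the `key_exchange_verify_pubkey()` hunk groups exactly those values with the new KEM identifiers. If callers use this predicate to decide how the peer's payload is processed (not visible in this diff), that difference needs either the legacy labels added or a comment above the switch such as `/* legacy NTRU and NewHope methods are intentionally not treated as KEMs */`. The case labels also list `KE_HQC_*` before `KE_FRODO_*`, unlike the enum and the `verify_pubkey` switch; keeping a single order makes a missing label easier to spot in review.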
@@ -675,6 +757,28 @@ bool key_exchange_verify_pubkey(key_exchange_method_t ke, chunk_t value)
 case NTRU_192_BIT:
 case NTRU_256_BIT:
 case NH_128_BIT:
+ case KE_KYBER_L1:
+ case KE_KYBER_L3:
+ case KE_KYBER_L5:
+ case KE_NTRU_HPS_L1:
+ case KE_NTRU_HPS_L3:
+ case KE_NTRU_HPS_L5:
+ case KE_NTRU_HRSS_L3:
+ case KE_SABER_L1:
+ case KE_SABER_L3:
+ case KE_SABER_L5:
+ case KE_BIKE_L1:
+ case KE_BIKE_L3:
+ case KE_BIKE_L5:
+ case KE_FRODO_AES_L1:
+ case KE_FRODO_AES_L3:
+ case KE_FRODO_AES_L5:
+ case KE_FRODO_SHAKE_L1:
+ case KE_FRODO_SHAKE_L3:
+ case KE_FRODO_SHAKE_L5:
+ case KE_HQC_L1:
+ case KE_HQC_L3:
+ case KE_HQC_L5:
 /* verification currently not supported, do in plugin */
 valid = FALSE;
 break;
diff --git a/src/libstrongswan/crypto/key_exchange.h b/src/libstrongswan/crypto/key_exchange.h
index 4aa4e264b2..d9d3cc9f9e 100644
--- a/src/libstrongswan/crypto/key_exchange.h
+++ b/src/libstrongswan/crypto/key_exchange.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2016-2020 Andreas Steffen
 * Copyright (C) 2010-2020 Tobias Brunner
 * Copyright (C) 2005-2007 Martin Willi
 * Copyright (C) 2005 Jan Hutter
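Review bot: All 22 new identifiers fall into the `valid = FALSE` branch of `key_exchange_verify_pubkey()`, so this helper performs no length check on the peer's public value or ciphertext for any of the KEMs and, as far as the visible lines show, reports them as invalid if it is called. The existing comment `/* verification currently not supported, do in plugin */` leaves the resulting obligation implicit: each KEM plugin has to compare the received value against the exact public-key or ciphertext size of its parameter set before passing it to the encapsulation or decapsulation code. I would expand the comment accordingly, for example `/* no generic size check: plugins must verify the exact public key/ciphertext length themselves */`. The switch statement and the rest of the function lie outside this hunk.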
@@ -66,14 +67,38 @@ enum key_exchange_method_t {
 CURVE_25519 = 31,
 CURVE_448 = 32,
 /** insecure NULL diffie hellman group for testing, in PRIVATE USE */
- MODP_NULL = 1024,
- /** MODP group with custom generator/prime */
+ MODP_NULL = 1024,
 /** Parameters defined by IEEE 1363.1, in PRIVATE USE */
- NTRU_112_BIT = 1030,
- NTRU_128_BIT = 1031,
- NTRU_192_BIT = 1032,
- NTRU_256_BIT = 1033,
- NH_128_BIT = 1040,
+ NTRU_112_BIT = 1030,
+ NTRU_128_BIT = 1031,
+ NTRU_192_BIT = 1032,
+ NTRU_256_BIT = 1033,
+ NH_128_BIT = 1040,
+ /** NIST round 3 KEM candidates, in PRIVATE USE */
+ KE_KYBER_L1 = 1050,
+ KE_KYBER_L3 = 1051,
+ KE_KYBER_L5 = 1052,
+ KE_NTRU_HPS_L1 = 1053,
+ KE_NTRU_HPS_L3 = 1054,
+ KE_NTRU_HPS_L5 = 1055,
+ KE_NTRU_HRSS_L3 = 1056,
+ KE_SABER_L1 = 1057,
+ KE_SABER_L3 = 1058,
+ KE_SABER_L5 = 1059,
+ /** NIST alternative KEM candidates, in PRIVATE USE */
+ KE_BIKE_L1 = 1060,
+ KE_BIKE_L3 = 1061,
+ KE_BIKE_L5 = 1062,
+ KE_FRODO_AES_L1 = 1063,
+ KE_FRODO_AES_L3 = 1064,
+ KE_FRODO_AES_L5 = 1065,
+ KE_FRODO_SHAKE_L1 = 1066,
+ KE_FRODO_SHAKE_L3 = 1067,
+ KE_FRODO_SHAKE_L5 = 1068,
+ KE_HQC_L1 = 1069,
+ KE_HQC_L3 = 1070,
+ KE_HQC_L5 = 1071,
+ /** MODP group with custom generator/prime */
 /** internally used DH group with additional parameters g and p, outside
 * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
 MODP_CUSTOM = 65536,
@@ -104,7 +129,7 @@ struct key_exchange_t {
 __attribute__((warn_unused_result));
 /**
- * Sets the public key from the peer.
+ * Sets the public key received from the peer.
 *
 * @note This operation should be relatively quick. Costly public key
 * validation operations or key derivation should be implemented in
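Review bot: The values 1050 to 1071 in the `key_exchange_method_t` hunk are private-use numbers for candidate algorithms, and the enum comments do not say that two peers only interoperate when both builds map each number to the same scheme and parameter set. Round 3 submissions could still be revised, so a number that is reused after such a revision might name incompatible variants on the two sides; this should be stated where the numbers are defined, for example `/** NIST round 3 KEM candidates, in PRIVATE USE; experimental, IDs and parameter sets may change */`. Separately, the moved line `/** MODP group with custom generator/prime */` now sits directly above the existing `/** internally used DH group ... */` block, leaving two doc comments stacked before `MODP_CUSTOM`; merging them into one block would keep the generated documentation unambiguous.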
@@ -126,10 +151,10 @@ struct key_exchange_t {
 __attribute__((warn_unused_result));
 /**
- * Set an explicit own private key to use.
+ * Set a seed used for the derivation of private key material.
 *
- * Calling this method is usually not required, as the DH backend generates
- * an appropriate private value itself. It is optional to implement, and
+ * Calling this method is usually not required, as the key exchange objects
+ * generate the private key material themselves. This is optional to implement, and
 * used mostly for testing purposes. The private key may be the actual key
 * or a seed for a DRBG.
 *
@@ -206,6 +231,13 @@ diffie_hellman_params_t *diffie_hellman_get_params(key_exchange_method_t ke);
 */
 bool key_exchange_is_ecdh(key_exchange_method_t ke);
+/**
+ * Check if the key exchange method is a Key Encapsulation Mechanism (KEM)
+ *
+ * @return TRUE if KEM used
+ */
+bool key_exchange_is_kem(key_exchange_method_t ke);
+
 /**
 * Check if a public key is valid for given key exchange method.
 *
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index 8456fe4ea0..bcc49401ea 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -1,6 +1,6 @@
 %{
 /*
- * Copyright (C) 2009-2013 Andreas Steffen
+ * Copyright (C) 2009-2020 Andreas Steffen
 *
 * Copyright (C) secunet Security Networks AG
 *
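Review bot: In the `@@ -126,10` hunk the new summary says the method sets `a seed used for the derivation of private key material`, but the unchanged sentence below it still reads `The private key may be the actual key or a seed for a DRBG`, so the comment now describes two different contracts. If the value is always a seed, that sentence should become something like `The seed is used to initialize a DRBG from which the private key material is derived.`; if an explicit key is still accepted, the summary should say so. A caller-supplied seed presumably makes the key material reproducible, so the comment could also state that the method is for tests only. The comment block continues outside the hunk.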
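Review bot: The doc comment added for `key_exchange_is_kem()` in the `@@ -206,6` hunk has no `@param` line, and `@return TRUE if KEM used` does not say which identifiers count as a KEM. I would add ` * @param ke key exchange method to check` and reword the return line to ` * @return TRUE if ke is one of the KE_* KEM identifiers`, which also documents that the older NTRU and NewHope values are not covered by this predicate.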
@@ -181,5 +181,27 @@ ntru128, KEY_EXCHANGE_METHOD, NTRU_128_BIT, 0
 ntru192, KEY_EXCHANGE_METHOD, NTRU_192_BIT, 0
 ntru256, KEY_EXCHANGE_METHOD, NTRU_256_BIT, 0
 newhope128, KEY_EXCHANGE_METHOD, NH_128_BIT, 0
+kyber1, KEY_EXCHANGE_METHOD, KE_KYBER_L1, 0
+kyber3, KEY_EXCHANGE_METHOD, KE_KYBER_L3, 0
+kyber5, KEY_EXCHANGE_METHOD, KE_KYBER_L5, 0
+ntrup1, KEY_EXCHANGE_METHOD, KE_NTRU_HPS_L1, 0
+ntrup3, KEY_EXCHANGE_METHOD, KE_NTRU_HPS_L3, 0
+ntrup5, KEY_EXCHANGE_METHOD, KE_NTRU_HPS_L5, 0
+ntrur3, KEY_EXCHANGE_METHOD, KE_NTRU_HRSS_L3, 0
+saber1, KEY_EXCHANGE_METHOD, KE_SABER_L1, 0
+saber3, KEY_EXCHANGE_METHOD, KE_SABER_L3, 0
+saber5, KEY_EXCHANGE_METHOD, KE_SABER_L5, 0
+bike1, KEY_EXCHANGE_METHOD, KE_BIKE_L1, 0
+bike3, KEY_EXCHANGE_METHOD, KE_BIKE_L3, 0
+bike5, KEY_EXCHANGE_METHOD, KE_BIKE_L5, 0
+frodoa1, KEY_EXCHANGE_METHOD, KE_FRODO_AES_L1, 0
+frodoa3, KEY_EXCHANGE_METHOD, KE_FRODO_AES_L3, 0
+frodoa5, KEY_EXCHANGE_METHOD, KE_FRODO_AES_L5, 0
+frodos1, KEY_EXCHANGE_METHOD, KE_FRODO_SHAKE_L1, 0
+frodos3, KEY_EXCHANGE_METHOD, KE_FRODO_SHAKE_L3, 0
+frodos5, KEY_EXCHANGE_METHOD, KE_FRODO_SHAKE_L5, 0
+hqc1, KEY_EXCHANGE_METHOD, KE_HQC_L1, 0
+hqc3, KEY_EXCHANGE_METHOD, KE_HQC_L3, 0
+hqc5, KEY_EXCHANGE_METHOD, KE_HQC_L5, 0
 noesn, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0
 esn, EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0