From: Andreas Steffen Date: Fri, 1 Nov 2019 18:41:46 +0000 (+0100) Subject: key-exchange: Added NIST round 2 submission KEM candidates X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e887956e462314e74bdd0b91a10e9e072f5e9fa2;p=thirdparty%2Fstrongswan.git key-exchange: Added NIST round 2 submission KEM candidates
---
diff --git a/src/libstrongswan/crypto/key_exchange.c b/src/libstrongswan/crypto/key_exchange.c
index b3fb9641fe..169b9a1a8d 100644
--- a/src/libstrongswan/crypto/key_exchange.c
+++ b/src/libstrongswan/crypto/key_exchange.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2016-2019 Andreas Steffen
 * Copyright (C) 2010-2020 Tobias Brunner
 * Copyright (C) 2005-2010 Martin Willi
 * Copyright (C) 2005 Jan Hutter
@@ -57,7 +58,39 @@ ENUM_NEXT(key_exchange_method_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
 "NTRU_256");
 ENUM_NEXT(key_exchange_method_names, NH_128_BIT, NH_128_BIT, NTRU_256_BIT,
 "NEWHOPE_128");
-ENUM_NEXT(key_exchange_method_names, MODP_CUSTOM, MODP_CUSTOM, NH_128_BIT,
+ENUM_NEXT(key_exchange_method_names, KE_BIKE1_L1, KE_SIKE_L5, NH_128_BIT,
+ "BIKE1_L1",
+ "BIKE1_L3",
+ "BIKE1_L5",
+ "BIKE2_L1",
+ "BIKE2_L3",
+ "BIKE2_L5",
+ "BIKE3_L1",
+ "BIKE3_L3",
+ "BIKE3_L5",
+ "FRODO_AES_L1",
+ "FRODO_AES_L3",
+ "FRODO_AES_L5",
+ "FRODO_SHAKE_L1",
+ "FRODO_SHAKE_L3",
+ "FRODO_SHAKE_L5",
+ "KYBER_L1",
+ "KYBER_L3",
+ "KYBER_L5",
+ "NEWHOPE_L1",
+ "NEWHOPE_L5",
+ "NTRU_HPS_L1",
+ "NTRU_HPS_L3",
+ "NTRU_HPS_L5",
+ "NTRU_HRSS_L3",
+ "SABER_L1",
+ "SABER_L3",
+ "SABER_L5",
+ "SIKE_L1",
+ "SIKE_L2",
+ "SIKE_L3",
+ "SIKE_L5");
+ENUM_NEXT(key_exchange_method_names, MODP_CUSTOM, MODP_CUSTOM, KE_SIKE_L5,
 "MODP_CUSTOM");
 ENUM_END(key_exchange_method_names, MODP_CUSTOM);
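Review bot: The new `ENUM_NEXT(key_exchange_method_names, KE_BIKE1_L1, KE_SIKE_L5, NH_128_BIT, ...)` table in key_exchange.c is positional, so each of the 31 strings is only correct while the `KE_*` identifiers stay contiguous and in exactly this order in key_exchange.h (1050 to 1080 in this commit). Nothing next to the table says so; I would add `/* strings map by position to KE_BIKE1_L1..KE_SIKE_L5, keep in sync with key_exchange_method_t */` above it. The same applies to the `key_exchange_method_names_short` table in the following hunk. A misaligned entry would make log output name a different algorithm than the one actually negotiated.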
@@ -97,7 +130,39 @@ ENUM_NEXT(key_exchange_method_names_short, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL
 "ntru256");
 ENUM_NEXT(key_exchange_method_names_short, NH_128_BIT, NH_128_BIT, NTRU_256_BIT,
 "newhope128");
-ENUM_NEXT(key_exchange_method_names_short, MODP_CUSTOM, MODP_CUSTOM, NH_128_BIT,
+ENUM_NEXT(key_exchange_method_names_short, KE_BIKE1_L1, KE_SIKE_L5, NH_128_BIT,
+ "bike11",
+ "bike13",
+ "bike15",
+ "bike21",
+ "bike23",
+ "bike25",
+ "bike31",
+ "bike33",
+ "bike35",
+ "frodoa1",
+ "frodoa3",
+ "frodoa5",
+ "frodos1",
+ "frodos3",
+ "frodos5",
+ "kyber1",
+ "kyber3",
+ "kyber5",
+ "newhope1",
+ "newhope5",
+ "ntrup1",
+ "ntrup3",
+ "ntrup5",
+ "ntrur3",
+ "saber1",
+ "saber3",
+ "saber5",
+ "sike1",
+ "sike2",
+ "sike3",
+ "sike5");
+ENUM_NEXT(key_exchange_method_names_short, MODP_CUSTOM, MODP_CUSTOM, KE_SIKE_L5,
 "modpcustom");
 ENUM_END(key_exchange_method_names_short, MODP_CUSTOM);
@@ -616,6 +681,50 @@ bool key_exchange_is_ecdh(key_exchange_method_t ke)
 }
 }
+/*
+ * Described in header
+ */
+bool key_exchange_is_kem(key_exchange_method_t ke)
+{
+ switch (ke)
+ {
+ case KE_BIKE1_L1:
+ case KE_BIKE1_L3:
+ case KE_BIKE1_L5:
+ case KE_BIKE2_L1:
+ case KE_BIKE2_L3:
+ case KE_BIKE2_L5:
+ case KE_BIKE3_L1:
+ case KE_BIKE3_L3:
+ case KE_BIKE3_L5:
+ case KE_FRODO_AES_L1:
+ case KE_FRODO_AES_L3:
+ case KE_FRODO_AES_L5:
+ case KE_FRODO_SHAKE_L1:
+ case KE_FRODO_SHAKE_L3:
+ case KE_FRODO_SHAKE_L5:
+ case KE_KYBER_L1:
+ case KE_KYBER_L3:
+ case KE_KYBER_L5:
+ case KE_NEWHOPE_L1:
+ case KE_NEWHOPE_L5:
+ case KE_NTRU_HPS_L1:
+ case KE_NTRU_HPS_L3:
+ case KE_NTRU_HPS_L5:
+ case KE_NTRU_HRSS_L3:
+ case KE_SABER_L1:
+ case KE_SABER_L3:
+ case KE_SABER_L5:
+ case KE_SIKE_L1:
+ case KE_SIKE_L2:
+ case KE_SIKE_L3:
+ case KE_SIKE_L5:
+ return TRUE;
+ default:
+ return FALSE;
+ }
+}
+
 /*
 * Described in header
 */
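Review bot: `key_exchange_is_kem()` in key_exchange.c lists only the 31 new `KE_*` identifiers, so the existing `NTRU_*_BIT` and `NH_128_BIT` methods fall through to `default:` and are reported as non-KEM. If that is intended, `Described in header` is not enough for a reader of this file; a line such as `/* covers only the NIST round 2 identifiers, legacy NTRU/NewHope are not classified as KEM here */` would state it, with the wording to be confirmed by the author since the callers are not visible in this diff. The same 31-case list is repeated in `key_exchange_verify_pubkey()`, so a future identifier has to be added in both places.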
@@ -675,6 +784,37 @@ bool key_exchange_verify_pubkey(key_exchange_method_t ke, chunk_t value)
 case NTRU_192_BIT:
 case NTRU_256_BIT:
 case NH_128_BIT:
+ case KE_BIKE1_L1:
+ case KE_BIKE1_L3:
+ case KE_BIKE1_L5:
+ case KE_BIKE2_L1:
+ case KE_BIKE2_L3:
+ case KE_BIKE2_L5:
+ case KE_BIKE3_L1:
+ case KE_BIKE3_L3:
+ case KE_BIKE3_L5:
+ case KE_FRODO_AES_L1:
+ case KE_FRODO_AES_L3:
+ case KE_FRODO_AES_L5:
+ case KE_FRODO_SHAKE_L1:
+ case KE_FRODO_SHAKE_L3:
+ case KE_FRODO_SHAKE_L5:
+ case KE_KYBER_L1:
+ case KE_KYBER_L3:
+ case KE_KYBER_L5:
+ case KE_NEWHOPE_L1:
+ case KE_NEWHOPE_L5:
+ case KE_NTRU_HPS_L1:
+ case KE_NTRU_HPS_L3:
+ case KE_NTRU_HPS_L5:
+ case KE_NTRU_HRSS_L3:
+ case KE_SABER_L1:
+ case KE_SABER_L3:
+ case KE_SABER_L5:
+ case KE_SIKE_L1:
+ case KE_SIKE_L2:
+ case KE_SIKE_L3:
+ case KE_SIKE_L5:
 /* verification currently not supported, do in plugin */
 valid = FALSE;
 break;
diff --git a/src/libstrongswan/crypto/key_exchange.h b/src/libstrongswan/crypto/key_exchange.h
index 4aa4e264b2..87a496988b 100644
--- a/src/libstrongswan/crypto/key_exchange.h
+++ b/src/libstrongswan/crypto/key_exchange.h
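Review bot: The 31 new cases in `key_exchange_verify_pubkey()` (key_exchange.c) join the branch that sets `valid = FALSE`, so this helper performs no length check on a peer-supplied KEM public key or ciphertext and, as far as the visible lines show, reports every such value as invalid. The existing comment `/* verification currently not supported, do in plugin */` thereby becomes a requirement on each KEM plugin: the received value has to be compared against the fixed size of the negotiated parameter set before it reaches encapsulation or decapsulation. I would expand the comment to say so, e.g. `/* no generic check here: the plugin must reject values whose length does not match the parameter set */`. The rest of the switch and the function's return path are outside the hunk.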
@@ -66,14 +66,46 @@ enum key_exchange_method_t {
 CURVE_25519 = 31,
 CURVE_448 = 32,
 /** insecure NULL diffie hellman group for testing, in PRIVATE USE */
- MODP_NULL = 1024,
- /** MODP group with custom generator/prime */
+ MODP_NULL = 1024,
 /** Parameters defined by IEEE 1363.1, in PRIVATE USE */
- NTRU_112_BIT = 1030,
- NTRU_128_BIT = 1031,
- NTRU_192_BIT = 1032,
- NTRU_256_BIT = 1033,
- NH_128_BIT = 1040,
+ NTRU_112_BIT = 1030,
+ NTRU_128_BIT = 1031,
+ NTRU_192_BIT = 1032,
+ NTRU_256_BIT = 1033,
+ NH_128_BIT = 1040,
+ /** NIST round 2 KEM candidates, in PRIVATE USE */
+ KE_BIKE1_L1 = 1050,
+ KE_BIKE1_L3 = 1051,
+ KE_BIKE1_L5 = 1052,
+ KE_BIKE2_L1 = 1053,
+ KE_BIKE2_L3 = 1054,
+ KE_BIKE2_L5 = 1055,
+ KE_BIKE3_L1 = 1056,
+ KE_BIKE3_L3 = 1057,
+ KE_BIKE3_L5 = 1058,
+ KE_FRODO_AES_L1 = 1059,
+ KE_FRODO_AES_L3 = 1060,
+ KE_FRODO_AES_L5 = 1061,
+ KE_FRODO_SHAKE_L1 = 1062,
+ KE_FRODO_SHAKE_L3 = 1063,
+ KE_FRODO_SHAKE_L5 = 1064,
+ KE_KYBER_L1 = 1065,
+ KE_KYBER_L3 = 1066,
+ KE_KYBER_L5 = 1067,
+ KE_NEWHOPE_L1 = 1068,
+ KE_NEWHOPE_L5 = 1069,
+ KE_NTRU_HPS_L1 = 1070,
+ KE_NTRU_HPS_L3 = 1071,
+ KE_NTRU_HPS_L5 = 1072,
+ KE_NTRU_HRSS_L3 = 1073,
+ KE_SABER_L1 = 1074,
+ KE_SABER_L3 = 1075,
+ KE_SABER_L5 = 1076,
+ KE_SIKE_L1 = 1077,
+ KE_SIKE_L2 = 1078,
+ KE_SIKE_L3 = 1079,
+ KE_SIKE_L5 = 1080,
+ /** MODP group with custom generator/prime */
 /** internally used DH group with additional parameters g and p, outside
 * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
 MODP_CUSTOM = 65536,
@@ -104,7 +136,7 @@ struct key_exchange_t {
 __attribute__((warn_unused_result));
 /**
- * Sets the public key from the peer.
+ * Sets the public key received from the peer.
 *
 * @note This operation should be relatively quick. Costly public key
 * validation operations or key derivation should be implemented in
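Review bot: The re-added line `/** MODP group with custom generator/prime */` in `enum key_exchange_method_t` now sits directly above the existing `/** internally used DH group with additional parameters g and p ... */` comment, so `MODP_CUSTOM` carries two stacked doc comments. Dropping the shorter one, or merging it into the longer one, leaves a single description for that enumerator. Separately, `/** NIST round 2 KEM candidates, in PRIVATE USE */` could also say that identifiers 1050 to 1080 are experimental and only interoperate between peers sharing this mapping, since round 2 candidates were still subject to revision or withdrawal.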
@@ -126,10 +158,10 @@ struct key_exchange_t {
 __attribute__((warn_unused_result));
 /**
- * Set an explicit own private key to use.
+ * Set a seed used for the derivation of private key material.
 *
- * Calling this method is usually not required, as the DH backend generates
- * an appropriate private value itself. It is optional to implement, and
+ * Calling this method is usually not required, as the key exchange objects
+ * generate the private key material themselves. This is optional to implement, and
 * used mostly for testing purposes. The private key may be the actual key
 * or a seed for a DRBG.
 *
@@ -206,6 +238,13 @@ diffie_hellman_params_t *diffie_hellman_get_params(key_exchange_method_t ke);
 */
 bool key_exchange_is_ecdh(key_exchange_method_t ke);
+/**
+ * Check if the key exchange method is a Key Encapsulation Mechanism (KEM)
+ *
+ * @return TRUE if KEM used
+ */
+bool key_exchange_is_kem(key_exchange_method_t ke);
+
 /**
 * Check if a public key is valid for given key exchange method.
 *
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index 8456fe4ea0..dbad571c27 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
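Review bot: The reworded summary in key_exchange.h now reads `Set a seed used for the derivation of private key material.`, but the retained context line still says `The private key may be the actual key or a seed for a DRBG`, so the comment disagrees with itself about whether the caller passes a key or a seed. Both sentences should use the same term, e.g. `The value may be the actual private key or a seed for a DRBG, depending on the implementation.` Since the text describes the method as mostly for testing, it would also help to state that a fixed value makes the exchanged secret predictable. The method declaration this comment documents lies outside the hunk.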
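Review bot: The new doc block for `key_exchange_is_kem()` in key_exchange.h has an `@return` line but no `@param`; adding ` * @param ke key exchange method to check` documents the argument. `@return TRUE if KEM used` would read more precisely as `@return TRUE if ke is a KEM`. Whether the neighbouring `key_exchange_is_ecdh()` block follows the same form cannot be seen from this hunk.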
@@ -181,5 +181,36 @@ ntru128, KEY_EXCHANGE_METHOD, NTRU_128_BIT, 0
 ntru192, KEY_EXCHANGE_METHOD, NTRU_192_BIT, 0
 ntru256, KEY_EXCHANGE_METHOD, NTRU_256_BIT, 0
 newhope128, KEY_EXCHANGE_METHOD, NH_128_BIT, 0
+newhope1, KEY_EXCHANGE_METHOD, KE_NEWHOPE_L1, 0
+newhope5, KEY_EXCHANGE_METHOD, KE_NEWHOPE_L5, 0
+frodoa1, KEY_EXCHANGE_METHOD, KE_FRODO_AES_L1, 0
+frodoa3, KEY_EXCHANGE_METHOD, KE_FRODO_AES_L3, 0
+frodoa5, KEY_EXCHANGE_METHOD, KE_FRODO_AES_L5, 0
+frodos1, KEY_EXCHANGE_METHOD, KE_FRODO_SHAKE_L1, 0
+frodos3, KEY_EXCHANGE_METHOD, KE_FRODO_SHAKE_L3, 0
+frodos5, KEY_EXCHANGE_METHOD, KE_FRODO_SHAKE_L5, 0
+kyber1, KEY_EXCHANGE_METHOD, KE_KYBER_L1, 0
+kyber3, KEY_EXCHANGE_METHOD, KE_KYBER_L3, 0
+kyber5, KEY_EXCHANGE_METHOD, KE_KYBER_L5, 0
+bike11, KEY_EXCHANGE_METHOD, KE_BIKE1_L1, 0
+bike13, KEY_EXCHANGE_METHOD, KE_BIKE1_L3, 0
+bike15, KEY_EXCHANGE_METHOD, KE_BIKE1_L5, 0
+bike21, KEY_EXCHANGE_METHOD, KE_BIKE2_L1, 0
+bike23, KEY_EXCHANGE_METHOD, KE_BIKE2_L3, 0
+bike25, KEY_EXCHANGE_METHOD, KE_BIKE2_L5, 0
+bike31, KEY_EXCHANGE_METHOD, KE_BIKE3_L1, 0
+bike33, KEY_EXCHANGE_METHOD, KE_BIKE3_L3, 0
+bike35, KEY_EXCHANGE_METHOD, KE_BIKE3_L5, 0
+sike1, KEY_EXCHANGE_METHOD, KE_SIKE_L1, 0
+sike2, KEY_EXCHANGE_METHOD, KE_SIKE_L2, 0
+sike3, KEY_EXCHANGE_METHOD, KE_SIKE_L3, 0
+sike5, KEY_EXCHANGE_METHOD, KE_SIKE_L5, 0
+ntrup1, KEY_EXCHANGE_METHOD, KE_NTRU_HPS_L1, 0
+ntrup3, KEY_EXCHANGE_METHOD, KE_NTRU_HPS_L3, 0
+ntrup5, KEY_EXCHANGE_METHOD, KE_NTRU_HPS_L5, 0
+ntrur3, KEY_EXCHANGE_METHOD, KE_NTRU_HRSS_L3, 0
+saber1, KEY_EXCHANGE_METHOD, KE_SABER_L1, 0
+saber3, KEY_EXCHANGE_METHOD, KE_SABER_L3, 0
+saber5, KEY_EXCHANGE_METHOD, KE_SABER_L5, 0
 noesn, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0
 esn, EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0