New upstream release (8.0p1)

author: Colin Watson <cjwatson@debian.org> 2019-06-05 06:41:44 +0100
committer: Colin Watson <cjwatson@debian.org> 2019-06-09 22:09:07 +0100
commit: 865a97e05b6aab1619e1c8eeb33ccb8f9a9e48d3 (patch)
tree: 7bb2128eb663180bacfabca88f26d26bf0733824 /kexsntrup4591761x25519.c
parent: ba627ba172d6649919baedff5ba2789610da382a (diff)
parent: 7d50f9e5be88179325983a1f58c9d51bb58f025a (diff)
1 files changed, 219 insertions, 0 deletions
diff --git a/kexsntrup4591761x25519.c b/kexsntrup4591761x25519.c
new file mode 100644
index 000000000..3b9b664f8
--- /dev/null
+++ b/kexsntrup4591761x25519.c
@@ -0,0 +1,219 @@
+/* $OpenBSD: kexsntrup4591761x25519.c,v 1.3 2019/01/21 10:40:11 djm Exp $ */
+/*
+ * Copyright (c) 2019 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#include <sys/types.h>
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
+#include "sshkey.h"
+#include "kex.h"
+#include "sshbuf.h"
+#include "digest.h"
+#include "ssherr.h"
+int
+kex_kem_sntrup4591761x25519_keypair(struct kex *kex)
+{
+        struct sshbuf *buf = NULL;
+        u_char *cp = NULL;
+        size_t need;
+        int r;
+        if ((buf = sshbuf_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        need = crypto_kem_sntrup4591761_PUBLICKEYBYTES + CURVE25519_SIZE;
+        if ((r = sshbuf_reserve(buf, need, &cp)) != 0)
+                goto out;
+        crypto_kem_sntrup4591761_keypair(cp, kex->sntrup4591761_client_key);
+#ifdef DEBUG_KEXECDH
+        dump_digest("client public key sntrup4591761:", cp,
+            crypto_kem_sntrup4591761_PUBLICKEYBYTES);
+#endif
+        cp += crypto_kem_sntrup4591761_PUBLICKEYBYTES;
+        kexc25519_keygen(kex->c25519_client_key, cp);
+#ifdef DEBUG_KEXECDH
+        dump_digest("client public key c25519:", cp, CURVE25519_SIZE);
+#endif
+        kex->client_pub = buf;
+        buf = NULL;
+ out:
+        sshbuf_free(buf);
+        return r;
+}
+int
+kex_kem_sntrup4591761x25519_enc(struct kex *kex,
+   const struct sshbuf *client_blob, struct sshbuf **server_blobp,
+   struct sshbuf **shared_secretp)
+{
+        struct sshbuf *server_blob = NULL;
+        struct sshbuf *buf = NULL;
+        const u_char *client_pub;
+        u_char *kem_key, *ciphertext, *server_pub;
+        u_char server_key[CURVE25519_SIZE];
+        u_char hash[SSH_DIGEST_MAX_LENGTH];
+        size_t need;
+        int r;
+        *server_blobp = NULL;
+        *shared_secretp = NULL;
+        /* client_blob contains both KEM and ECDH client pubkeys */
+        need = crypto_kem_sntrup4591761_PUBLICKEYBYTES + CURVE25519_SIZE;
+        if (sshbuf_len(client_blob) != need) {
+                r = SSH_ERR_SIGNATURE_INVALID;
+                goto out;
+        }
+        client_pub = sshbuf_ptr(client_blob);
+#ifdef DEBUG_KEXECDH
+        dump_digest("client public key sntrup4591761:", client_pub,
+            crypto_kem_sntrup4591761_PUBLICKEYBYTES);
+        dump_digest("client public key 25519:",
+            client_pub + crypto_kem_sntrup4591761_PUBLICKEYBYTES,
+            CURVE25519_SIZE);
+#endif
+        /* allocate buffer for concatenation of KEM key and ECDH shared key */
+        /* the buffer will be hashed and the result is the shared secret */
+        if ((buf = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if ((r = sshbuf_reserve(buf, crypto_kem_sntrup4591761_BYTES,
+            &kem_key)) != 0)
+                goto out;
+        /* allocate space for encrypted KEM key and ECDH pub key */
+        if ((server_blob = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        need = crypto_kem_sntrup4591761_CIPHERTEXTBYTES + CURVE25519_SIZE;
+        if ((r = sshbuf_reserve(server_blob, need, &ciphertext)) != 0)
+                goto out;
+        /* generate and encrypt KEM key with client key */
+        crypto_kem_sntrup4591761_enc(ciphertext, kem_key, client_pub);
+        /* generate ECDH key pair, store server pubkey after ciphertext */
+        server_pub = ciphertext + crypto_kem_sntrup4591761_CIPHERTEXTBYTES;
+        kexc25519_keygen(server_key, server_pub);
+        /* append ECDH shared key */
+        client_pub += crypto_kem_sntrup4591761_PUBLICKEYBYTES;
+        if ((r = kexc25519_shared_key_ext(server_key, client_pub, buf, 1)) < 0)
+                goto out;
+        if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0)
+                goto out;
+#ifdef DEBUG_KEXECDH
+        dump_digest("server public key 25519:", server_pub, CURVE25519_SIZE);
+        dump_digest("server cipher text:", ciphertext,
+            crypto_kem_sntrup4591761_CIPHERTEXTBYTES);
+        dump_digest("server kem key:", kem_key, sizeof(kem_key));
+        dump_digest("concatenation of KEM key and ECDH shared key:",
+            sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+        /* string-encoded hash is resulting shared secret */
+        sshbuf_reset(buf);
+        if ((r = sshbuf_put_string(buf, hash,
+            ssh_digest_bytes(kex->hash_alg))) != 0)
+                goto out;
+#ifdef DEBUG_KEXECDH
+        dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+        *server_blobp = server_blob;
+        *shared_secretp = buf;
+        server_blob = NULL;
+        buf = NULL;
+ out:
+        explicit_bzero(hash, sizeof(hash));
+        explicit_bzero(server_key, sizeof(server_key));
+        sshbuf_free(server_blob);
+        sshbuf_free(buf);
+        return r;
+}
+int
+kex_kem_sntrup4591761x25519_dec(struct kex *kex,
+    const struct sshbuf *server_blob, struct sshbuf **shared_secretp)
+{
+        struct sshbuf *buf = NULL;
+        u_char *kem_key = NULL;
+        const u_char *ciphertext, *server_pub;
+        u_char hash[SSH_DIGEST_MAX_LENGTH];
+        size_t need;
+        int r, decoded;
+        *shared_secretp = NULL;
+        need = crypto_kem_sntrup4591761_CIPHERTEXTBYTES + CURVE25519_SIZE;
+        if (sshbuf_len(server_blob) != need) {
+                r = SSH_ERR_SIGNATURE_INVALID;
+                goto out;
+        }
+        ciphertext = sshbuf_ptr(server_blob);
+        server_pub = ciphertext + crypto_kem_sntrup4591761_CIPHERTEXTBYTES;
+#ifdef DEBUG_KEXECDH
+        dump_digest("server cipher text:", ciphertext,
+            crypto_kem_sntrup4591761_CIPHERTEXTBYTES);
+        dump_digest("server public key c25519:", server_pub, CURVE25519_SIZE);
+#endif
+        /* hash concatenation of KEM key and ECDH shared key */
+        if ((buf = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if ((r = sshbuf_reserve(buf, crypto_kem_sntrup4591761_BYTES,
+            &kem_key)) != 0)
+                goto out;
+        decoded = crypto_kem_sntrup4591761_dec(kem_key, ciphertext,
+            kex->sntrup4591761_client_key);
+        if ((r = kexc25519_shared_key_ext(kex->c25519_client_key, server_pub,
+            buf, 1)) < 0)
+                goto out;
+        if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0)
+                goto out;
+#ifdef DEBUG_KEXECDH
+        dump_digest("client kem key:", kem_key, sizeof(kem_key));
+        dump_digest("concatenation of KEM key and ECDH shared key:",
+            sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+        sshbuf_reset(buf);
+        if ((r = sshbuf_put_string(buf, hash,
+            ssh_digest_bytes(kex->hash_alg))) != 0)
+                goto out;
+#ifdef DEBUG_KEXECDH
+        dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+        if (decoded != 0) {
+                r = SSH_ERR_SIGNATURE_INVALID;
+                goto out;
+        }
+        *shared_secretp = buf;
+        buf = NULL;
+ out:
+        explicit_bzero(hash, sizeof(hash));
+        sshbuf_free(buf);
+        return r;
+}
author	Colin Watson <cjwatson@debian.org>	2019-06-05 06:41:44 +0100
committer	Colin Watson <cjwatson@debian.org>	2019-06-09 22:09:07 +0100
commit	865a97e05b6aab1619e1c8eeb33ccb8f9a9e48d3 (patch)
tree	7bb2128eb663180bacfabca88f26d26bf0733824 /kexsntrup4591761x25519.c
parent	ba627ba172d6649919baedff5ba2789610da382a (diff)
parent	7d50f9e5be88179325983a1f58c9d51bb58f025a (diff)

diff --git a/kexsntrup4591761x25519.c b/kexsntrup4591761x25519.c new file mode 100644 index 000000000..3b9b664f8 --- /dev/null +++ b/kexsntrup4591761x25519.c
@@ -0,0 +1,219 @@
	1	/* $OpenBSD: kexsntrup4591761x25519.c,v 1.3 2019/01/21 10:40:11 djm Exp $ */
	2	/*
	3	* Copyright (c) 2019 Markus Friedl. All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	* 2. Redistributions in binary form must reproduce the above copyright
	11	* notice, this list of conditions and the following disclaimer in the
	12	* documentation and/or other materials provided with the distribution.
	13	*
	14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	15	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	16	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	17	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	18	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	19	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	20	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	21	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	22	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	23	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	24	*/
	25
	26	#include "includes.h"
	27
	28	#include <sys/types.h>
	29
	30	#include <stdio.h>
	31	#include <string.h>
	32	#include <signal.h>
	33
	34	#include "sshkey.h"
	35	#include "kex.h"
	36	#include "sshbuf.h"
	37	#include "digest.h"
	38	#include "ssherr.h"
	39
	40	int
	41	kex_kem_sntrup4591761x25519_keypair(struct kex *kex)
	42	{
	43	struct sshbuf *buf = NULL;
	44	u_char *cp = NULL;
	45	size_t need;
	46	int r;
	47
	48	if ((buf = sshbuf_new()) == NULL)
	49	return SSH_ERR_ALLOC_FAIL;
	50	need = crypto_kem_sntrup4591761_PUBLICKEYBYTES + CURVE25519_SIZE;
	51	if ((r = sshbuf_reserve(buf, need, &cp)) != 0)
	52	goto out;
	53	crypto_kem_sntrup4591761_keypair(cp, kex->sntrup4591761_client_key);
	54	#ifdef DEBUG_KEXECDH
	55	dump_digest("client public key sntrup4591761:", cp,
	56	crypto_kem_sntrup4591761_PUBLICKEYBYTES);
	57	#endif
	58	cp += crypto_kem_sntrup4591761_PUBLICKEYBYTES;
	59	kexc25519_keygen(kex->c25519_client_key, cp);
	60	#ifdef DEBUG_KEXECDH
	61	dump_digest("client public key c25519:", cp, CURVE25519_SIZE);
	62	#endif
	63	kex->client_pub = buf;
	64	buf = NULL;
	65	out:
	66	sshbuf_free(buf);
	67	return r;
	68	}
	69
	70	int
	71	kex_kem_sntrup4591761x25519_enc(struct kex *kex,
	72	const struct sshbuf client_blob, struct sshbuf *server_blobp,
	73	struct sshbuf **shared_secretp)
	74	{
	75	struct sshbuf *server_blob = NULL;
	76	struct sshbuf *buf = NULL;
	77	const u_char *client_pub;
	78	u_char kem_key, ciphertext, *server_pub;
	79	u_char server_key[CURVE25519_SIZE];
	80	u_char hash[SSH_DIGEST_MAX_LENGTH];
	81	size_t need;
	82	int r;
	83
	84	*server_blobp = NULL;
	85	*shared_secretp = NULL;
	86
	87	/* client_blob contains both KEM and ECDH client pubkeys */
	88	need = crypto_kem_sntrup4591761_PUBLICKEYBYTES + CURVE25519_SIZE;
	89	if (sshbuf_len(client_blob) != need) {
	90	r = SSH_ERR_SIGNATURE_INVALID;
	91	goto out;
	92	}
	93	client_pub = sshbuf_ptr(client_blob);
	94	#ifdef DEBUG_KEXECDH
	95	dump_digest("client public key sntrup4591761:", client_pub,
	96	crypto_kem_sntrup4591761_PUBLICKEYBYTES);
	97	dump_digest("client public key 25519:",
	98	client_pub + crypto_kem_sntrup4591761_PUBLICKEYBYTES,
	99	CURVE25519_SIZE);
	100	#endif
	101	/* allocate buffer for concatenation of KEM key and ECDH shared key */
	102	/* the buffer will be hashed and the result is the shared secret */
	103	if ((buf = sshbuf_new()) == NULL) {
	104	r = SSH_ERR_ALLOC_FAIL;
	105	goto out;
	106	}
	107	if ((r = sshbuf_reserve(buf, crypto_kem_sntrup4591761_BYTES,
	108	&kem_key)) != 0)
	109	goto out;
	110	/* allocate space for encrypted KEM key and ECDH pub key */
	111	if ((server_blob = sshbuf_new()) == NULL) {
	112	r = SSH_ERR_ALLOC_FAIL;
	113	goto out;
	114	}
	115	need = crypto_kem_sntrup4591761_CIPHERTEXTBYTES + CURVE25519_SIZE;
	116	if ((r = sshbuf_reserve(server_blob, need, &ciphertext)) != 0)
	117	goto out;
	118	/* generate and encrypt KEM key with client key */
	119	crypto_kem_sntrup4591761_enc(ciphertext, kem_key, client_pub);
	120	/* generate ECDH key pair, store server pubkey after ciphertext */
	121	server_pub = ciphertext + crypto_kem_sntrup4591761_CIPHERTEXTBYTES;
	122	kexc25519_keygen(server_key, server_pub);
	123	/* append ECDH shared key */
	124	client_pub += crypto_kem_sntrup4591761_PUBLICKEYBYTES;
	125	if ((r = kexc25519_shared_key_ext(server_key, client_pub, buf, 1)) < 0)
	126	goto out;
	127	if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0)
	128	goto out;
	129	#ifdef DEBUG_KEXECDH
	130	dump_digest("server public key 25519:", server_pub, CURVE25519_SIZE);
	131	dump_digest("server cipher text:", ciphertext,
	132	crypto_kem_sntrup4591761_CIPHERTEXTBYTES);
	133	dump_digest("server kem key:", kem_key, sizeof(kem_key));
	134	dump_digest("concatenation of KEM key and ECDH shared key:",
	135	sshbuf_ptr(buf), sshbuf_len(buf));
	136	#endif
	137	/* string-encoded hash is resulting shared secret */
	138	sshbuf_reset(buf);
	139	if ((r = sshbuf_put_string(buf, hash,
	140	ssh_digest_bytes(kex->hash_alg))) != 0)
	141	goto out;
	142	#ifdef DEBUG_KEXECDH
	143	dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
	144	#endif
	145	*server_blobp = server_blob;
	146	*shared_secretp = buf;
	147	server_blob = NULL;
	148	buf = NULL;
	149	out:
	150	explicit_bzero(hash, sizeof(hash));
	151	explicit_bzero(server_key, sizeof(server_key));
	152	sshbuf_free(server_blob);
	153	sshbuf_free(buf);
	154	return r;
	155	}
	156
	157	int
	158	kex_kem_sntrup4591761x25519_dec(struct kex *kex,
	159	const struct sshbuf server_blob, struct sshbuf *shared_secretp)
	160	{
	161	struct sshbuf *buf = NULL;
	162	u_char *kem_key = NULL;
	163	const u_char ciphertext, server_pub;
	164	u_char hash[SSH_DIGEST_MAX_LENGTH];
	165	size_t need;
	166	int r, decoded;
	167
	168	*shared_secretp = NULL;
	169
	170	need = crypto_kem_sntrup4591761_CIPHERTEXTBYTES + CURVE25519_SIZE;
	171	if (sshbuf_len(server_blob) != need) {
	172	r = SSH_ERR_SIGNATURE_INVALID;
	173	goto out;
	174	}
	175	ciphertext = sshbuf_ptr(server_blob);
	176	server_pub = ciphertext + crypto_kem_sntrup4591761_CIPHERTEXTBYTES;
	177	#ifdef DEBUG_KEXECDH
	178	dump_digest("server cipher text:", ciphertext,
	179	crypto_kem_sntrup4591761_CIPHERTEXTBYTES);
	180	dump_digest("server public key c25519:", server_pub, CURVE25519_SIZE);
	181	#endif
	182	/* hash concatenation of KEM key and ECDH shared key */
	183	if ((buf = sshbuf_new()) == NULL) {
	184	r = SSH_ERR_ALLOC_FAIL;
	185	goto out;
	186	}
	187	if ((r = sshbuf_reserve(buf, crypto_kem_sntrup4591761_BYTES,
	188	&kem_key)) != 0)
	189	goto out;
	190	decoded = crypto_kem_sntrup4591761_dec(kem_key, ciphertext,
	191	kex->sntrup4591761_client_key);
	192	if ((r = kexc25519_shared_key_ext(kex->c25519_client_key, server_pub,
	193	buf, 1)) < 0)
	194	goto out;
	195	if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0)
	196	goto out;
	197	#ifdef DEBUG_KEXECDH
	198	dump_digest("client kem key:", kem_key, sizeof(kem_key));
	199	dump_digest("concatenation of KEM key and ECDH shared key:",
	200	sshbuf_ptr(buf), sshbuf_len(buf));
	201	#endif
	202	sshbuf_reset(buf);
	203	if ((r = sshbuf_put_string(buf, hash,
	204	ssh_digest_bytes(kex->hash_alg))) != 0)
	205	goto out;
	206	#ifdef DEBUG_KEXECDH
	207	dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
	208	#endif
	209	if (decoded != 0) {
	210	r = SSH_ERR_SIGNATURE_INVALID;
	211	goto out;
	212	}
	213	*shared_secretp = buf;
	214	buf = NULL;
	215	out:
	216	explicit_bzero(hash, sizeof(hash));
	217	sshbuf_free(buf);
	218	return r;
	219	}