1 /* $OpenBSD: kexmlkem768x25519.c,v 1.2 2024/10/27 02:06:59 djm Exp $ */
2 /*
3 * Copyright (c) 2023 Markus Friedl. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26 #include <sys/types.h>
27
28 #include <stdio.h>
29 #include <stdint.h>
30 #include <stdbool.h>
31 #include <string.h>
32 #include <signal.h>
33 #include <endian.h>
34
35 #include "sshkey.h"
36 #include "kex.h"
37 #include "sshbuf.h"
38 #include "digest.h"
39 #include "ssherr.h"
40 #include "log.h"
41
42 #include "libcrux_mlkem768_sha3.h"
43
44 int
kex_kem_mlkem768x25519_keypair(struct kex * kex)45 kex_kem_mlkem768x25519_keypair(struct kex *kex)
46 {
47 struct sshbuf *buf = NULL;
48 u_char rnd[LIBCRUX_ML_KEM_KEY_PAIR_PRNG_LEN], *cp = NULL;
49 size_t need;
50 int r = SSH_ERR_INTERNAL_ERROR;
51 struct libcrux_mlkem768_keypair keypair;
52
53 if ((buf = sshbuf_new()) == NULL)
54 return SSH_ERR_ALLOC_FAIL;
55 need = crypto_kem_mlkem768_PUBLICKEYBYTES + CURVE25519_SIZE;
56 if ((r = sshbuf_reserve(buf, need, &cp)) != 0)
57 goto out;
58 arc4random_buf(rnd, sizeof(rnd));
59 keypair = libcrux_ml_kem_mlkem768_portable_generate_key_pair(rnd);
60 memcpy(cp, keypair.pk.value, crypto_kem_mlkem768_PUBLICKEYBYTES);
61 memcpy(kex->mlkem768_client_key, keypair.sk.value,
62 sizeof(kex->mlkem768_client_key));
63 #ifdef DEBUG_KEXECDH
64 dump_digest("client public key mlkem768:", cp,
65 crypto_kem_mlkem768_PUBLICKEYBYTES);
66 #endif
67 cp += crypto_kem_mlkem768_PUBLICKEYBYTES;
68 kexc25519_keygen(kex->c25519_client_key, cp);
69 #ifdef DEBUG_KEXECDH
70 dump_digest("client public key c25519:", cp, CURVE25519_SIZE);
71 #endif
72 /* success */
73 r = 0;
74 kex->client_pub = buf;
75 buf = NULL;
76 out:
77 explicit_bzero(&keypair, sizeof(keypair));
78 explicit_bzero(rnd, sizeof(rnd));
79 sshbuf_free(buf);
80 return r;
81 }
82
83 int
kex_kem_mlkem768x25519_enc(struct kex * kex,const struct sshbuf * client_blob,struct sshbuf ** server_blobp,struct sshbuf ** shared_secretp)84 kex_kem_mlkem768x25519_enc(struct kex *kex,
85 const struct sshbuf *client_blob, struct sshbuf **server_blobp,
86 struct sshbuf **shared_secretp)
87 {
88 struct sshbuf *server_blob = NULL;
89 struct sshbuf *buf = NULL;
90 const u_char *client_pub;
91 u_char rnd[LIBCRUX_ML_KEM_ENC_PRNG_LEN];
92 u_char server_pub[CURVE25519_SIZE], server_key[CURVE25519_SIZE];
93 u_char hash[SSH_DIGEST_MAX_LENGTH];
94 size_t need;
95 int r = SSH_ERR_INTERNAL_ERROR;
96 struct libcrux_mlkem768_enc_result enc;
97 struct libcrux_mlkem768_pk mlkem_pub;
98
99 *server_blobp = NULL;
100 *shared_secretp = NULL;
101 memset(&mlkem_pub, 0, sizeof(mlkem_pub));
102
103 /* client_blob contains both KEM and ECDH client pubkeys */
104 need = crypto_kem_mlkem768_PUBLICKEYBYTES + CURVE25519_SIZE;
105 if (sshbuf_len(client_blob) != need) {
106 r = SSH_ERR_SIGNATURE_INVALID;
107 goto out;
108 }
109 client_pub = sshbuf_ptr(client_blob);
110 #ifdef DEBUG_KEXECDH
111 dump_digest("client public key mlkem768:", client_pub,
112 crypto_kem_mlkem768_PUBLICKEYBYTES);
113 dump_digest("client public key 25519:",
114 client_pub + crypto_kem_mlkem768_PUBLICKEYBYTES,
115 CURVE25519_SIZE);
116 #endif
117 /* check public key validity */
118 memcpy(mlkem_pub.value, client_pub, crypto_kem_mlkem768_PUBLICKEYBYTES);
119 if (!libcrux_ml_kem_mlkem768_portable_validate_public_key(&mlkem_pub)) {
120 r = SSH_ERR_SIGNATURE_INVALID;
121 goto out;
122 }
123
124 /* allocate buffer for concatenation of KEM key and ECDH shared key */
125 /* the buffer will be hashed and the result is the shared secret */
126 if ((buf = sshbuf_new()) == NULL) {
127 r = SSH_ERR_ALLOC_FAIL;
128 goto out;
129 }
130 /* allocate space for encrypted KEM key and ECDH pub key */
131 if ((server_blob = sshbuf_new()) == NULL) {
132 r = SSH_ERR_ALLOC_FAIL;
133 goto out;
134 }
135 /* generate and encrypt KEM key with client key */
136 arc4random_buf(rnd, sizeof(rnd));
137 enc = libcrux_ml_kem_mlkem768_portable_encapsulate(&mlkem_pub, rnd);
138 /* generate ECDH key pair, store server pubkey after ciphertext */
139 kexc25519_keygen(server_key, server_pub);
140 if ((r = sshbuf_put(buf, enc.snd, sizeof(enc.snd))) != 0 ||
141 (r = sshbuf_put(server_blob, enc.fst.value, sizeof(enc.fst.value))) != 0 ||
142 (r = sshbuf_put(server_blob, server_pub, sizeof(server_pub))) != 0)
143 goto out;
144 /* append ECDH shared key */
145 client_pub += crypto_kem_mlkem768_PUBLICKEYBYTES;
146 if ((r = kexc25519_shared_key_ext(server_key, client_pub, buf, 1)) < 0)
147 goto out;
148 if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0)
149 goto out;
150 #ifdef DEBUG_KEXECDH
151 dump_digest("server public key 25519:", server_pub, CURVE25519_SIZE);
152 dump_digest("server cipher text:",
153 enc.fst.value, sizeof(enc.fst.value));
154 dump_digest("server kem key:", enc.snd, sizeof(enc.snd));
155 dump_digest("concatenation of KEM key and ECDH shared key:",
156 sshbuf_ptr(buf), sshbuf_len(buf));
157 #endif
158 /* string-encoded hash is resulting shared secret */
159 sshbuf_reset(buf);
160 if ((r = sshbuf_put_string(buf, hash,
161 ssh_digest_bytes(kex->hash_alg))) != 0)
162 goto out;
163 #ifdef DEBUG_KEXECDH
164 dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
165 #endif
166 /* success */
167 r = 0;
168 *server_blobp = server_blob;
169 *shared_secretp = buf;
170 server_blob = NULL;
171 buf = NULL;
172 out:
173 explicit_bzero(hash, sizeof(hash));
174 explicit_bzero(server_key, sizeof(server_key));
175 explicit_bzero(rnd, sizeof(rnd));
176 explicit_bzero(&enc, sizeof(enc));
177 sshbuf_free(server_blob);
178 sshbuf_free(buf);
179 return r;
180 }
181
182 int
kex_kem_mlkem768x25519_dec(struct kex * kex,const struct sshbuf * server_blob,struct sshbuf ** shared_secretp)183 kex_kem_mlkem768x25519_dec(struct kex *kex,
184 const struct sshbuf *server_blob, struct sshbuf **shared_secretp)
185 {
186 struct sshbuf *buf = NULL;
187 u_char mlkem_key[crypto_kem_mlkem768_BYTES];
188 const u_char *ciphertext, *server_pub;
189 u_char hash[SSH_DIGEST_MAX_LENGTH];
190 size_t need;
191 int r;
192 struct libcrux_mlkem768_sk mlkem_priv;
193 struct libcrux_mlkem768_ciphertext mlkem_ciphertext;
194
195 *shared_secretp = NULL;
196 memset(&mlkem_priv, 0, sizeof(mlkem_priv));
197 memset(&mlkem_ciphertext, 0, sizeof(mlkem_ciphertext));
198
199 need = crypto_kem_mlkem768_CIPHERTEXTBYTES + CURVE25519_SIZE;
200 if (sshbuf_len(server_blob) != need) {
201 r = SSH_ERR_SIGNATURE_INVALID;
202 goto out;
203 }
204 ciphertext = sshbuf_ptr(server_blob);
205 server_pub = ciphertext + crypto_kem_mlkem768_CIPHERTEXTBYTES;
206 /* hash concatenation of KEM key and ECDH shared key */
207 if ((buf = sshbuf_new()) == NULL) {
208 r = SSH_ERR_ALLOC_FAIL;
209 goto out;
210 }
211 memcpy(mlkem_priv.value, kex->mlkem768_client_key,
212 sizeof(kex->mlkem768_client_key));
213 memcpy(mlkem_ciphertext.value, ciphertext,
214 sizeof(mlkem_ciphertext.value));
215 #ifdef DEBUG_KEXECDH
216 dump_digest("server cipher text:", mlkem_ciphertext.value,
217 sizeof(mlkem_ciphertext.value));
218 dump_digest("server public key c25519:", server_pub, CURVE25519_SIZE);
219 #endif
220 libcrux_ml_kem_mlkem768_portable_decapsulate(&mlkem_priv,
221 &mlkem_ciphertext, mlkem_key);
222 if ((r = sshbuf_put(buf, mlkem_key, sizeof(mlkem_key))) != 0)
223 goto out;
224 if ((r = kexc25519_shared_key_ext(kex->c25519_client_key, server_pub,
225 buf, 1)) < 0)
226 goto out;
227 if ((r = ssh_digest_buffer(kex->hash_alg, buf,
228 hash, sizeof(hash))) != 0)
229 goto out;
230 #ifdef DEBUG_KEXECDH
231 dump_digest("client kem key:", mlkem_key, sizeof(mlkem_key));
232 dump_digest("concatenation of KEM key and ECDH shared key:",
233 sshbuf_ptr(buf), sshbuf_len(buf));
234 #endif
235 sshbuf_reset(buf);
236 if ((r = sshbuf_put_string(buf, hash,
237 ssh_digest_bytes(kex->hash_alg))) != 0)
238 goto out;
239 #ifdef DEBUG_KEXECDH
240 dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
241 #endif
242 /* success */
243 r = 0;
244 *shared_secretp = buf;
245 buf = NULL;
246 out:
247 explicit_bzero(hash, sizeof(hash));
248 explicit_bzero(&mlkem_priv, sizeof(mlkem_priv));
249 explicit_bzero(&mlkem_ciphertext, sizeof(mlkem_ciphertext));
250 explicit_bzero(mlkem_key, sizeof(mlkem_key));
251 sshbuf_free(buf);
252 return r;
253 }
254