mirror of git://anongit.mindrot.org/openssh.git
upstream: pull post-quantum ML-KEM/x25519 key exchange out from
compile-time flag now than an IANA codepoint has been assigned for the algorithm. Add mlkem768x25519-sha256 in 2nd KexAlgorithms preference slot. ok markus@ OpenBSD-Commit-ID: 9f50a0fae7d7ae8b27fcca11f8dc6f979207451a
This commit is contained in:
parent
a8ad7a2952
commit
62fb2b51bb
|
@ -2095,15 +2095,6 @@ AC_ARG_ENABLE([dsa-keys],
|
|||
]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE([ml-kem],
|
||||
[ --enable-ml-kem enable experimental ML-KEM/x25519 key exchange [no]],
|
||||
[
|
||||
if test "x$enableval" != "xno" ; then
|
||||
AC_DEFINE([WITH_MLKEM], [], [Enable for ML-KEM KEX support])
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
||||
AC_SEARCH_LIBS([dlopen], [dl])
|
||||
AC_CHECK_FUNCS([dlopen])
|
||||
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: kex-names.c,v 1.3 2024/09/02 12:13:56 djm Exp $ */
|
||||
/* $OpenBSD: kex-names.c,v 1.4 2024/09/09 02:39:57 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -82,10 +82,8 @@ static const struct kexalg kexalgs[] = {
|
|||
{ KEX_SNTRUP761X25519_SHA512_OLD, KEX_KEM_SNTRUP761X25519_SHA512, 0,
|
||||
SSH_DIGEST_SHA512 },
|
||||
#endif
|
||||
#ifdef WITH_MLKEM
|
||||
{ KEX_MLKEM768X25519_SHA256, KEX_KEM_MLKEM768X25519_SHA256, 0,
|
||||
SSH_DIGEST_SHA256 },
|
||||
#endif
|
||||
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
|
||||
{ NULL, 0, -1, -1},
|
||||
};
|
||||
|
|
8
kexgen.c
8
kexgen.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: kexgen.c,v 1.9 2024/09/02 12:13:56 djm Exp $ */
|
||||
/* $OpenBSD: kexgen.c,v 1.10 2024/09/09 02:39:57 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -120,11 +120,9 @@ kex_gen_client(struct ssh *ssh)
|
|||
case KEX_KEM_SNTRUP761X25519_SHA512:
|
||||
r = kex_kem_sntrup761x25519_keypair(kex);
|
||||
break;
|
||||
#ifdef WITH_MLKEM
|
||||
case KEX_KEM_MLKEM768X25519_SHA256:
|
||||
r = kex_kem_mlkem768x25519_keypair(kex);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
r = SSH_ERR_INVALID_ARGUMENT;
|
||||
break;
|
||||
|
@ -197,12 +195,10 @@ input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh)
|
|||
r = kex_kem_sntrup761x25519_dec(kex, server_blob,
|
||||
&shared_secret);
|
||||
break;
|
||||
#ifdef WITH_MLKEM
|
||||
case KEX_KEM_MLKEM768X25519_SHA256:
|
||||
r = kex_kem_mlkem768x25519_dec(kex, server_blob,
|
||||
&shared_secret);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
r = SSH_ERR_INVALID_ARGUMENT;
|
||||
break;
|
||||
|
@ -323,12 +319,10 @@ input_kex_gen_init(int type, u_int32_t seq, struct ssh *ssh)
|
|||
r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
|
||||
&server_pubkey, &shared_secret);
|
||||
break;
|
||||
#ifdef WITH_MLKEM
|
||||
case KEX_KEM_MLKEM768X25519_SHA256:
|
||||
r = kex_kem_mlkem768x25519_enc(kex, client_pubkey,
|
||||
&server_pubkey, &shared_secret);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
r = SSH_ERR_INVALID_ARGUMENT;
|
||||
break;
|
||||
|
|
|
@ -25,8 +25,6 @@
|
|||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_MLKEM
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdio.h>
|
||||
|
@ -254,4 +252,3 @@ kex_kem_mlkem768x25519_dec(struct kex *kex,
|
|||
sshbuf_free(buf);
|
||||
return r;
|
||||
}
|
||||
#endif /* WITH_MLKEM */
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: monitor.c,v 1.241 2024/09/02 12:13:56 djm Exp $ */
|
||||
/* $OpenBSD: monitor.c,v 1.242 2024/09/09 02:39:57 djm Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
|
@ -1763,9 +1763,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
|||
#endif /* WITH_OPENSSL */
|
||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||
#ifdef WITH_MLKEM
|
||||
kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
|
||||
#endif
|
||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
||||
kex->load_host_private_key=&get_hostkey_private_by_type;
|
||||
kex->host_key_index=&get_hostkey_index;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: myproposal.h,v 1.72 2024/08/22 23:11:30 djm Exp $ */
|
||||
/* $OpenBSD: myproposal.h,v 1.73 2024/09/09 02:39:57 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
|
@ -27,6 +27,7 @@
|
|||
#define KEX_SERVER_KEX \
|
||||
"sntrup761x25519-sha512," \
|
||||
"sntrup761x25519-sha512@openssh.com," \
|
||||
"mlkem768x25519-sha256," \
|
||||
"curve25519-sha256," \
|
||||
"curve25519-sha256@libssh.org," \
|
||||
"ecdh-sha2-nistp256," \
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-keyscan.c,v 1.160 2024/09/04 05:33:34 djm Exp $ */
|
||||
/* $OpenBSD: ssh-keyscan.c,v 1.161 2024/09/09 02:39:57 djm Exp $ */
|
||||
/*
|
||||
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
||||
*
|
||||
|
@ -303,9 +303,7 @@ keygrab_ssh2(con *c)
|
|||
#endif
|
||||
c->c_ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
||||
c->c_ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||
#ifdef WITH_MLKEM
|
||||
c->c_ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
|
||||
#endif
|
||||
ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper);
|
||||
/*
|
||||
* do the key-exchange until an error occurs or until
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh_api.c,v 1.30 2024/09/02 12:13:56 djm Exp $ */
|
||||
/* $OpenBSD: ssh_api.c,v 1.31 2024/09/09 02:39:57 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2012 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -134,9 +134,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
|
|||
#endif /* WITH_OPENSSL */
|
||||
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||
#ifdef WITH_MLKEM
|
||||
ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
|
||||
#endif
|
||||
ssh->kex->load_host_public_key=&_ssh_host_public_key;
|
||||
ssh->kex->load_host_private_key=&_ssh_host_private_key;
|
||||
ssh->kex->sign=&_ssh_host_key_sign;
|
||||
|
@ -155,9 +153,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
|
|||
#endif /* WITH_OPENSSL */
|
||||
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
||||
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||
#ifdef WITH_MLKEM
|
||||
ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
|
||||
#endif
|
||||
ssh->kex->verify_host_key =&_ssh_verify_host_key;
|
||||
}
|
||||
*sshp = ssh;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshconnect2.c,v 1.374 2024/09/02 12:13:56 djm Exp $ */
|
||||
/* $OpenBSD: sshconnect2.c,v 1.375 2024/09/09 02:39:57 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||
|
@ -274,9 +274,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
|
|||
#endif
|
||||
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
||||
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||
#ifdef WITH_MLKEM
|
||||
ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
|
||||
#endif
|
||||
ssh->kex->verify_host_key=&verify_host_key_callback;
|
||||
|
||||
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshd-session.c,v 1.8 2024/09/02 12:18:35 djm Exp $ */
|
||||
/* $OpenBSD: sshd-session.c,v 1.9 2024/09/09 02:39:57 djm Exp $ */
|
||||
/*
|
||||
* SSH2 implementation:
|
||||
* Privilege Separation:
|
||||
|
@ -1465,9 +1465,7 @@ do_ssh2_kex(struct ssh *ssh)
|
|||
#endif
|
||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||
#ifdef WITH_MLKEM
|
||||
kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
|
||||
#endif
|
||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
||||
kex->load_host_private_key=&get_hostkey_private_by_type;
|
||||
kex->host_key_index=&get_hostkey_index;
|
||||
|
|
Loading…
Reference in New Issue