Skip to content

Commit

Permalink
Add sntrup761x25519-sha512 post-quantum key exchange
Browse files Browse the repository at this point in the history
This follows draft-ietf-sshm-ntruprime-ssh-01, using the sntrup761
implementation from supercop. It is available under both
sntrup761x25519-sha512 and [email protected] names.

Interoperability has been tested against OpenSSH 9.8 (client/server) and
PuTTY 0.82 client.

sntrup761.sh is taken from OpenSSH, to extract the code from the
supercop distribution.

KEX hash buffer size calculation has been updated to current algorithm
limits, since sntrup761 was larger than the previous limit.

Code size increases by approx 9kB (209 to 218kB) for a 32-bit armv7 build.
  • Loading branch information
mkj committed Dec 14, 2024
1 parent 9051b69 commit 751f728
Show file tree
Hide file tree
Showing 8 changed files with 2,341 additions and 10 deletions.
5 changes: 4 additions & 1 deletion .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,9 @@ jobs:
# enable all options
nondefault: 1
configure_flags: --enable-pam
# sntrup761.c is not c89 compliant
localoptions: |
#define DROPBEAR_SNTRUP761 0
- name: macos 14
os: macos-14
Expand Down Expand Up @@ -134,7 +137,7 @@ jobs:
#define DROPBEAR_USE_PASSWORD_ENV 0
#define DROPBEAR_SFTPSERVER 0
- name: other algo combos
- name: no sha1
runcheck: 'no'
# disables all sha1
localoptions: |
Expand Down
3 changes: 2 additions & 1 deletion Makefile.in
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,8 @@ _CLISVROBJS=common-session.o packet.o common-algo.o common-kex.o \
common-channel.o common-chansession.o termcodes.o loginrec.o \
tcp-accept.o listener.o process-packet.o dh_groups.o \
common-runopts.o circbuffer.o list.o netio.o chachapoly.o gcm.o \
kex-x25519.o kex-dh.o kex-ecdh.o kex-pqhybrid.o
kex-x25519.o kex-dh.o kex-ecdh.o kex-pqhybrid.o \
sntrup761.o
CLISVROBJS = $(patsubst %,$(OBJ_DIR)/%,$(_CLISVROBJS))

_KEYOBJS=dropbearkey.o
Expand Down
26 changes: 25 additions & 1 deletion src/common-algo.c
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@
#include "gcm.h"
#include "chachapoly.h"
#include "ssh.h"
#include "sntrup761.h"

/* This file (algo.c) organises the ciphers which can be used, and is used to
* decide which ciphers/hashes/compression/signing to use during key exchange*/
Expand Down Expand Up @@ -266,12 +267,35 @@ static const struct dropbear_kex kex_ecdh_nistp521 = {DROPBEAR_KEX_ECDH, NULL, 0
#endif /* DROPBEAR_ECDH */

#if DROPBEAR_CURVE25519
/* Referred to directly */
static const struct dropbear_kex kex_curve25519 = {DROPBEAR_KEX_CURVE25519, NULL, 0, NULL, &sha256_desc };
#endif


#if DROPBEAR_SNTRUP761
static const struct dropbear_kem_desc sntrup761_desc = {
.public_len = crypto_kem_sntrup761_PUBLICKEYBYTES,
.secret_len = crypto_kem_sntrup761_SECRETKEYBYTES,
.ciphertext_len = crypto_kem_sntrup761_CIPHERTEXTBYTES,
.output_len = crypto_kem_sntrup761_BYTES,
.kem_gen = crypto_kem_sntrup761_keypair,
.kem_enc = crypto_kem_sntrup761_enc,
.kem_dec = crypto_kem_sntrup761_dec,
};
static const struct dropbear_kex kex_sntrup761 = {DROPBEAR_KEX_PQHYBRID, NULL, 0, &sntrup761_desc, &sha512_desc };
#endif

/* For sntrup761 */
volatile int16_t crypto_int16_optblocker = 0;
volatile int32_t crypto_int32_optblocker = 0;
volatile int64_t crypto_int64_optblocker = 0;


/* data == NULL for non-kex algorithm identifiers */
algo_type sshkex[] = {
#if DROPBEAR_SNTRUP761
{"sntrup761x25519-sha512", 0, &kex_sntrup761, 1, NULL},
{"[email protected]", 0, &kex_sntrup761, 1, NULL},
#endif
#if DROPBEAR_CURVE25519
{"curve25519-sha256", 0, &kex_curve25519, 1, NULL},
{"[email protected]", 0, &kex_curve25519, 1, NULL},
Expand Down
6 changes: 6 additions & 0 deletions src/default_options.h
Original file line number Diff line number Diff line change
Expand Up @@ -185,6 +185,7 @@ IMPORTANT: Some options will require "make clean" after changes */
* group1 - 1024 bit, sha1
* curve25519 - elliptic curve DH
* ecdh - NIST elliptic curve DH (256, 384, 521)
* sntrup761 - post-quantum hybrid with x25519.
*
* group1 is too small for security though is necessary if you need
compatibility with some implementations such as Dropbear versions < 0.53
Expand All @@ -194,13 +195,18 @@ IMPORTANT: Some options will require "make clean" after changes */
* curve25519 increases binary size by ~2,5kB on x86-64
* including either ECDH or ECDSA increases binary size by ~30kB on x86-64
* sntrup761 is recommended to avoid possible decryption
* by future quantum computers.
* It is fast, but adds ~9kB code size (32-bit armv7)
* Small systems should generally include either curve25519 or ecdh for performance.
* curve25519 is less widely supported but is faster
*/
#define DROPBEAR_DH_GROUP14_SHA1 1
#define DROPBEAR_DH_GROUP14_SHA256 1
#define DROPBEAR_DH_GROUP16 0
#define DROPBEAR_CURVE25519 1
#define DROPBEAR_SNTRUP761 1
#define DROPBEAR_ECDH 1
#define DROPBEAR_DH_GROUP1 0

Expand Down
Loading

0 comments on commit 751f728

Please sign in to comment.