[openssh-commits] [openssh] branch master updated: upstream: pull post-quantum ML-KEM/x25519 key exchange out from

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Sep 9 12:45:58 AEST 2024


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

The following commit(s) were added to refs/heads/master by this push:
     new 62fb2b51 upstream: pull post-quantum ML-KEM/x25519 key exchange out from
62fb2b51 is described below

commit 62fb2b51bb7f6863c3ab697f397b2068da1c993f
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Mon Sep 9 02:39:57 2024 +0000

    upstream: pull post-quantum ML-KEM/x25519 key exchange out from
    
    compile-time flag now that an IANA codepoint has been assigned for the
    algorithm.
    
    Add mlkem768x25519-sha256 in 2nd KexAlgorithms preference slot.
    
    ok markus@
    
    OpenBSD-Commit-ID: 9f50a0fae7d7ae8b27fcca11f8dc6f979207451a
---
 configure.ac        | 9 ---------
 kex-names.c         | 4 +---
 kexgen.c            | 8 +-------
 kexmlkem768x25519.c | 3 ---
 monitor.c           | 4 +---
 myproposal.h        | 3 ++-
 ssh-keyscan.c       | 4 +---
 ssh_api.c           | 6 +-----
 sshconnect2.c       | 4 +---
 sshd-session.c      | 4 +---
 10 files changed, 9 insertions(+), 40 deletions(-)

diff --git a/configure.ac b/configure.ac
index d355c205..591d5a38 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2095,15 +2095,6 @@ AC_ARG_ENABLE([dsa-keys],
 	]
 )
 
-AC_ARG_ENABLE([ml-kem],
-	[  --enable-ml-kem         enable experimental ML-KEM/x25519 key exchange [no]],
-	[
-		if test "x$enableval" != "xno" ; then
-			AC_DEFINE([WITH_MLKEM], [], [Enable for ML-KEM KEX support])
-		fi
-	]
-)
-
 AC_SEARCH_LIBS([dlopen], [dl])
 AC_CHECK_FUNCS([dlopen])
 AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
diff --git a/kex-names.c b/kex-names.c
index 5fee8127..e5d513d5 100644
--- a/kex-names.c
+++ b/kex-names.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex-names.c,v 1.3 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: kex-names.c,v 1.4 2024/09/09 02:39:57 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -82,10 +82,8 @@ static const struct kexalg kexalgs[] = {
 	{ KEX_SNTRUP761X25519_SHA512_OLD, KEX_KEM_SNTRUP761X25519_SHA512, 0,
 	    SSH_DIGEST_SHA512 },
 #endif
-#ifdef WITH_MLKEM
 	{ KEX_MLKEM768X25519_SHA256, KEX_KEM_MLKEM768X25519_SHA256, 0,
 	    SSH_DIGEST_SHA256 },
-#endif
 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
 	{ NULL, 0, -1, -1},
 };
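Review bot: The ML-KEM entry is now compiled whenever the outer `HAVE_EVP_SHA256 || !WITH_OPENSSL` block is, and with `--enable-ml-kem` removed from configure.ac no build-time switch is left to omit it. The sntrup761 entry directly above still ends at an `#endif`, which suggests it keeps its own capability guard (the opening `#if` is outside the hunk). If any supported target cannot compile kexmlkem768x25519.c, the build would now fail rather than simply not offer the method. Consider a configure-detected capability macro in the same style as the sntrup761 guard, or a comment here stating that the implementation is expected to build on every supported compiler. The `kexalgs[]` initializer starts outside the hunk.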
diff --git a/kexgen.c b/kexgen.c
index 4af28dda..40d688d6 100644
--- a/kexgen.c
+++ b/kexgen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgen.c,v 1.9 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: kexgen.c,v 1.10 2024/09/09 02:39:57 djm Exp $ */
 /*
  * Copyright (c) 2019 Markus Friedl.  All rights reserved.
  *
@@ -120,11 +120,9 @@ kex_gen_client(struct ssh *ssh)
 	case KEX_KEM_SNTRUP761X25519_SHA512:
 		r = kex_kem_sntrup761x25519_keypair(kex);
 		break;
-#ifdef WITH_MLKEM
 	case KEX_KEM_MLKEM768X25519_SHA256:
 		r = kex_kem_mlkem768x25519_keypair(kex);
 		break;
-#endif
 	default:
 		r = SSH_ERR_INVALID_ARGUMENT;
 		break;
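Review bot: With the `#ifdef WITH_MLKEM` guards removed here and in the `input_kex_gen_reply` and `input_kex_gen_init` hunks below, `kex_kem_mlkem768x25519_dec` and `kex_kem_mlkem768x25519_enc` now handle the peer-supplied `server_blob` and `client_pubkey` in every build, before user authentication, yet the diffstat shows no test or fuzz-harness change alongside it. The length and format validation for those blobs lives in kexmlkem768x25519.c, outside these hunks, so it cannot be confirmed from here. It would help to add the method to the existing key-exchange regression and fuzz coverage, and to note in a comment at these call sites that the callee is responsible for rejecting short or oversized blobs. All three functions continue outside their hunks.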
@@ -197,12 +195,10 @@ input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh)
 		r = kex_kem_sntrup761x25519_dec(kex, server_blob,
 		    &shared_secret);
 		break;
-#ifdef WITH_MLKEM
 	case KEX_KEM_MLKEM768X25519_SHA256:
 		r = kex_kem_mlkem768x25519_dec(kex, server_blob,
 		    &shared_secret);
 		break;
-#endif
 	default:
 		r = SSH_ERR_INVALID_ARGUMENT;
 		break;
@@ -323,12 +319,10 @@ input_kex_gen_init(int type, u_int32_t seq, struct ssh *ssh)
 		r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
 		    &server_pubkey, &shared_secret);
 		break;
-#ifdef WITH_MLKEM
 	case KEX_KEM_MLKEM768X25519_SHA256:
 		r = kex_kem_mlkem768x25519_enc(kex, client_pubkey,
 		    &server_pubkey, &shared_secret);
 		break;
-#endif
 	default:
 		r = SSH_ERR_INVALID_ARGUMENT;
 		break;
diff --git a/kexmlkem768x25519.c b/kexmlkem768x25519.c
index 352a43f1..1339fcf5 100644
--- a/kexmlkem768x25519.c
+++ b/kexmlkem768x25519.c
@@ -25,8 +25,6 @@
 
 #include "includes.h"
 
-#ifdef WITH_MLKEM
-
 #include <sys/types.h>
 
 #include <stdio.h>
@@ -254,4 +252,3 @@ kex_kem_mlkem768x25519_dec(struct kex *kex,
 	sshbuf_free(buf);
 	return r;
 }
-#endif /* WITH_MLKEM */
diff --git a/monitor.c b/monitor.c
index ddb0d791..f4a835ee 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.241 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.242 2024/09/09 02:39:57 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos at citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus at openbsd.org>
@@ -1763,9 +1763,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
 #endif /* WITH_OPENSSL */
 	kex->kex[KEX_C25519_SHA256] = kex_gen_server;
 	kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
-#ifdef WITH_MLKEM
 	kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
-#endif
 	kex->load_host_public_key=&get_hostkey_public_by_type;
 	kex->load_host_private_key=&get_hostkey_private_by_type;
 	kex->host_key_index=&get_hostkey_index;
diff --git a/myproposal.h b/myproposal.h
index bef65690..3bdc2e95 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.72 2024/08/22 23:11:30 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.73 2024/09/09 02:39:57 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -27,6 +27,7 @@
 #define KEX_SERVER_KEX	\
 	"sntrup761x25519-sha512," \
 	"sntrup761x25519-sha512 at openssh.com," \
+	"mlkem768x25519-sha256," \
 	"curve25519-sha256," \
 	"curve25519-sha256 at libssh.org," \
 	"ecdh-sha2-nistp256," \
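Review bot: The new `"mlkem768x25519-sha256," \` entry changes the default key-exchange proposal, but the diffstat lists no manual-page change, so any default KexAlgorithms list documented for ssh_config and sshd_config will no longer match what is offered. The commit message calls this the 2nd preference slot while the string is the third entry in `KEX_SERVER_KEX`; that reads correctly only if the two sntrup761 names above it are aliases for one method, as the kex-names.c table appears to indicate. A one-line comment above the macro, such as `/* sntrup761 is listed under both of its names; mlkem768x25519 is the 2nd distinct preference */`, would make the ordering intent explicit. Deployments that pin KexAlgorithms explicitly will not pick up the new hybrid method, which is worth stating in the release notes. The macro continues past the end of the hunk.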
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 449adfc9..f34e0567 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.160 2024/09/04 05:33:34 djm Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.161 2024/09/09 02:39:57 djm Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <dm at lcs.mit.edu>.
  *
@@ -303,9 +303,7 @@ keygrab_ssh2(con *c)
 #endif
 	c->c_ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
 	c->c_ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
-#ifdef WITH_MLKEM
 	c->c_ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
-#endif
 	ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper);
 	/*
 	 * do the key-exchange until an error occurs or until
diff --git a/ssh_api.c b/ssh_api.c
index 6bca584f..5faaffd1 100644
--- a/ssh_api.c
+++ b/ssh_api.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh_api.c,v 1.30 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: ssh_api.c,v 1.31 2024/09/09 02:39:57 djm Exp $ */
 /*
  * Copyright (c) 2012 Markus Friedl.  All rights reserved.
  *
@@ -134,9 +134,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
 #endif /* WITH_OPENSSL */
 		ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_server;
 		ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
-#ifdef WITH_MLKEM
 		ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
-#endif
 		ssh->kex->load_host_public_key=&_ssh_host_public_key;
 		ssh->kex->load_host_private_key=&_ssh_host_private_key;
 		ssh->kex->sign=&_ssh_host_key_sign;
@@ -155,9 +153,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
 #endif /* WITH_OPENSSL */
 		ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
 		ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
-#ifdef WITH_MLKEM
 		ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
-#endif
 		ssh->kex->verify_host_key =&_ssh_verify_host_key;
 	}
 	*sshp = ssh;
diff --git a/sshconnect2.c b/sshconnect2.c
index dcdfa7d5..11fcdea8 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.374 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.375 2024/09/09 02:39:57 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -274,9 +274,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
 #endif
 	ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
 	ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
-#ifdef WITH_MLKEM
 	ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
-#endif
 	ssh->kex->verify_host_key=&verify_host_key_callback;
 
 	ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
diff --git a/sshd-session.c b/sshd-session.c
index cfdbf7c1..4b79b9ba 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd-session.c,v 1.8 2024/09/02 12:18:35 djm Exp $ */
+/* $OpenBSD: sshd-session.c,v 1.9 2024/09/09 02:39:57 djm Exp $ */
 /*
  * SSH2 implementation:
  * Privilege Separation:
@@ -1465,9 +1465,7 @@ do_ssh2_kex(struct ssh *ssh)
 #endif
 	kex->kex[KEX_C25519_SHA256] = kex_gen_server;
 	kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
-#ifdef WITH_MLKEM
  	kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
-#endif
 	kex->load_host_public_key=&get_hostkey_public_by_type;
 	kex->load_host_private_key=&get_hostkey_private_by_type;
 	kex->host_key_index=&get_hostkey_index;
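Review bot: The retained line `kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;` is indented with a space followed by a tab, unlike its tab-only neighbours, and removing the surrounding `#ifdef` pair was the natural point to fix that. Re-indent it with a single tab so it lines up with the two assignments above it. The same server-side registration is repeated in the monitor.c and ssh_api.c hunks, and the three need to stay in step so that every server code path registers a handler for the method the default proposal now offers. `do_ssh2_kex` begins and ends outside the hunk.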
