Skip to content

Commit

Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Implement Hybrid SSH Keys
Browse files Browse the repository at this point in the history
This finishes the work in PR open-quantum-safe#160 which applied the upstream `sshkey.c` refactor to the OQS fork by adding support for hybrid SSH keys. More importantly, this brings the `OQS-v9` branch up to parity with `OQS-v8` in terms of supported algorithms and functionality. Therefore, we can do more in depth and thorough validation to increase confidence in cutting over to this newer branch.

Speaking to the code changes for hybrid SSH key support, this works by adding logic to `ssh-oqs` which branches on hybrid SSH key implementations to handle the classical portion of the key and combine it with the PQ portion as-appropriate. The main trick is to introduce a small lookup table for the RSA/ECDSA implementation and exposing the symbols to `ssh-oqs` via an extern declaration. One notable oddity is that upstream OpenSSH multiplexes the underlying EC curves by placing a generic implementation behind the P-256 struct and allowing the implementation to fork based on the `bits` or `key->type` parameters. Depending on the context, this is how `sshkey` does things so I followed their convention.

Related to issue open-quantum-safe#135

Asserted that Circle CI jobs pass. These tests run through a subset of the OpenSSH unit tests that have been documented to pass against the OQS fork and skip tests that depend on missing/broken functionality. This demonstrates internal consistency and parity with the testing bar set by `OQS-v8`.

Performed interop testing between `OQS-v8` and `OQS-v9` to assert that we have no regressions from pulling in 2 years of upstream changes and re-implementing PQ+Hybrid SSH Keys. This was done by modifying `try_connection.py` which tests all PQ+Hybrid signatures and key exchanges by connecting the built SSH client to the SSHD server and explicitly specifying each algorithm. By adding CLI flags to override this test to use an SSH or SSHD binary from somewhere else, we can perform thorough interop testing between an `OQS-v8` server and `OQS-v9` client or vice versa. Detailed process/commands outlined below.

```
git clone [email protected]:open-quantum-safe/openssh.git oqs-openssh-clean
cd oqs-openssh-clean
git checkout OQS-v8
./oqs-scripts/clone_liboqs.sh
./oqs-scripts/build_liboqs.sh
./oqs-scripts/build_openssh.sh

python3 oqs-test/try_connection.py --sshd `readlink -f ../oqs-openssh-clean/sshd` doall
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-falcon512.
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-rsa3072-falcon512.
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-ecdsa-nistp256-falcon512.
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-falcon1024.
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-ecdsa-nistp521-falcon1024.
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-dilithium2.
...

python3 oqs-test/try_connection.py --ssh `readlink -f ../oqs-openssh-clean/ssh` doall
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-falcon512.
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-rsa3072-falcon512.
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-ecdsa-nistp256-falcon512.
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-falcon1024.
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-ecdsa-nistp521-falcon1024.
Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-dilithium2.
...
```
geedo0 committed Jul 23, 2024
1 parent 1173ecc commit faf03d7
Showing 12 changed files with 602 additions and 122 deletions.
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{%- for kex in config['kexs'] %}
"{{ kex['pretty_name'] }}",
{%- for curve in kex['mix_with'] %}
# "{{ curve['pretty_name'] }}",
"{{ curve['pretty_name'] }}",
{%- endfor -%}
{%- endfor %}

Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{%- for sig in config['sigs'] %}
"ssh-{{ sig['name']|replace('_','') }}",
{%- for alg in sig['mix_with'] %}
# "ssh-{{ alg['name']|replace('_','-') }}-{{ sig['name']|replace('_','') }}",
"ssh-{{ alg['name']|replace('_','-') }}-{{ sig['name']|replace('_','') }}",
{%- endfor -%}
{%- endfor %}

4 changes: 2 additions & 2 deletions oqs-template/ssh-keygen.c/define_key_types.fragment
Original file line number Diff line number Diff line change
@@ -4,13 +4,13 @@
#ifdef WITH_OPENSSL
{%- for sig in config['sigs'] %}
{%- for alg in sig['mix_with'] if alg['rsa'] %}
// { "{{ alg['name'] }}_{{ sig['name']|replace('_','') }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
{ "{{ alg['name'] }}_{{ sig['name']|replace('_','') }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
{%- endfor %}
{%- endfor %}
#ifdef OPENSSL_HAS_ECC
{%- for sig in config['sigs'] %}
{%- for alg in sig['mix_with'] if not alg['rsa'] %}
// { "{{ alg['name'] }}_{{ sig['name']|replace('_','') }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
{ "{{ alg['name'] }}_{{ sig['name']|replace('_','') }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
{%- endfor %}
{%- endfor %}
#endif /* OPENSSL_HAS_ECC */
55 changes: 44 additions & 11 deletions oqs-template/ssh-oqs.c/define_sig_functions.fragment
Original file line number Diff line number Diff line change
@@ -15,7 +15,7 @@ static int ssh_{{ symbol_base_name }}_generate(struct sshkey *k, int bits)
return OQS_SIG_{{ sig['name'] }}_keypair(k->oqs_pk, k->oqs_sk);
}

int ssh_{{ symbol_base_name }}_sign(const struct sshkey *key,
int ssh_{{ symbol_base_name }}_sign(struct sshkey *key,
u_char **sigp,
size_t *lenp,
const u_char *data,
@@ -29,7 +29,7 @@ int ssh_{{ symbol_base_name }}_sign(const struct sshkey *key,
if (sig == NULL) {
return SSH_ERR_ALLOC_FAIL;
}
int r = ssh_generic_sign(sig, "{{ symbol_base_name }}", key, sigp, lenp, data, datalen, compat);
int r = oqs_sign(sig, "{{ symbol_base_name }}", key, sigp, lenp, data, datalen, compat);
OQS_SIG_free(sig);
return r;
}
@@ -40,13 +40,14 @@ int ssh_{{ symbol_base_name }}_verify(const struct sshkey *key,
const u_char *data,
size_t datalen,
const char *alg,
u_int compat)
u_int compat,
struct sshkey_sig_details **detailsp)
{
OQS_SIG *sig = OQS_SIG_new(OQS_SIG_alg_{{ sig['name'] }});
if (sig == NULL) {
return SSH_ERR_ALLOC_FAIL;
}
int r = ssh_generic_verify(sig, "{{ symbol_base_name }}", key, signature, signaturelen, data, datalen, compat);
int r = oqs_verify(sig, "{{ symbol_base_name }}", key, signature, signaturelen, data, datalen, compat);
OQS_SIG_free(sig);
return r;
}
@@ -79,8 +80,7 @@ const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
};
{%- endfor %}

#ifdef HYBRID_IMPLEMENTATION_EXISTS
// #ifdef WITH_OPENSSL
#ifdef WITH_OPENSSL
{%- for sig in config['sigs'] %}
{%- for alg in sig['mix_with'] if alg['rsa'] %}
{%- set symbol_base_name = alg['name']|replace('_','') + '_' + sig['name']|replace('_','') %}
@@ -93,17 +93,17 @@ static const struct sshkey_impl_funcs sshkey_{{ symbol_base_name }}_funcs = {
/* .ssh_deserialize_public = */ ssh_generic_deserialize_public,
/* .ssh_serialize_private = */ ssh_generic_serialize_private,
/* .ssh_deserialize_private = */ ssh_generic_deserialize_private,
/* .generate = */ ssh_{{ symbol_base_name }}_generate,
/* .generate = */ ssh_generic_generate,
/* .copy_public = */ ssh_generic_copy_public,
/* .sign = */ ssh_{{ symbol_base_name }}_sign,
/* .verify = */ ssh_{{ symbol_base_name }}_verify,
/* .sign = */ ssh_generic_sign,
/* .verify = */ ssh_generic_verify,
};

const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
/* .name = */ "ssh-{{ symbol_base_name }}",
/* .name = */ "ssh-{{ alg['name']|replace('_','') + '-' + sig['name']|replace('_','') }}",
/* .shortname = */ "{{ symbol_base_name|upper }}",
/* .sigalg = */ NULL,
/* .type = */ KEY_{{ sig['name']|upper }},
/* .type = */ KEY_{{ alg['name']|upper }}_{{ sig['name']|upper }},
/* .nid = */ 0,
/* .cert = */ 0,
/* .sigonly = */ 0,
@@ -112,5 +112,38 @@ const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
};
{%- endfor %}
{%- endfor %}
#ifdef OPENSSL_HAS_ECC
{%- for sig in config['sigs'] %}
{%- for alg in sig['mix_with'] if not alg['rsa'] %}
{%- set symbol_base_name = alg['name']|replace('_','') + '_' + sig['name']|replace('_','') %}
static const struct sshkey_impl_funcs sshkey_{{ symbol_base_name }}_funcs = {
/* .size = */ ssh_generic_size,
/* .alloc = */ ssh_generic_alloc,
/* .cleanup = */ ssh_generic_cleanup,
/* .equal = */ ssh_generic_equal,
/* .ssh_serialize_public = */ ssh_generic_serialize_public,
/* .ssh_deserialize_public = */ ssh_generic_deserialize_public,
/* .ssh_serialize_private = */ ssh_generic_serialize_private,
/* .ssh_deserialize_private = */ ssh_generic_deserialize_private,
/* .generate = */ ssh_generic_generate,
/* .copy_public = */ ssh_generic_copy_public,
/* .sign = */ ssh_generic_sign,
/* .verify = */ ssh_generic_verify,
};

const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
/* .name = */ "ssh-{{ alg['name']|replace('_','-') + '-' + sig['name']|replace('_','') }}",
/* .shortname = */ "{{ alg['name']|upper + '_' + sig['name']|replace('_','')|upper }}",
/* .sigalg = */ NULL,
/* .type = */ KEY_{{ alg['name']|upper }}_{{ sig['name']|upper }},
/* .nid = */ {{ alg['openssl_nid'] }},
/* .cert = */ 0,
/* .sigonly = */ 0,
/* .keybits = */ 256, // TODO - What should be here?
/* .funcs = */ &sshkey_{{ symbol_base_name }}_funcs,
};
{%- endfor %}
{%- endfor %}
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */

9 changes: 9 additions & 0 deletions oqs-template/ssh-oqs.c/impl_lookup_cases.fragment
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{% for sig in config['sigs'] %}
case KEY_{{ sig['name']|upper }}:
{%- for alg in sig['mix_with'] %}
case KEY_{{ alg['name']|upper }}_{{ sig['name']|upper }}:
{%- endfor %}
impl = &sshkey_{{ sig['name']|replace('_','') }}_impl;
break;
{%- endfor %}

3 changes: 1 addition & 2 deletions oqs-template/sshkey.c/define_keytypes.fragment
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
{%- for sig in config['sigs'] %}
&sshkey_{{ sig['name']|replace('_','') }}_impl,
{%- endfor %}
#ifdef HYBRID_IMPLEMENTATION_EXISTS
// #ifdef WITH_OPENSSL
#ifdef WITH_OPENSSL
{%- for sig in config['sigs'] %}
{%- for alg in sig['mix_with'] if alg['rsa'] %}
&sshkey_{{ alg['name']|replace('_','') }}_{{ sig['name']|replace('_','') }}_impl,
3 changes: 1 addition & 2 deletions oqs-template/sshkey.c/extern_key_impls.fragment
Original file line number Diff line number Diff line change
@@ -2,8 +2,7 @@
extern const struct sshkey_impl sshkey_{{ sig['name']|replace('_','') }}_impl;
{%- endfor %}

#ifdef HYBRID_IMPLEMENTATION_EXISTS
// #ifdef WITH_OPENSSL
#ifdef WITH_OPENSSL
{%- for sig in config['sigs'] %}
{%- for alg in sig['mix_with'] if alg['rsa'] %}
extern const struct sshkey_impl sshkey_{{ alg['name']|replace('_','') }}_{{ sig['name']|replace('_','') }}_impl;
80 changes: 42 additions & 38 deletions oqs-test/try_connection.py
Original file line number Diff line number Diff line change
@@ -2,6 +2,7 @@
# and signature algorithm, and checks whether the stock BoringSSL
# client and server can establish a handshake with the choices.

import argparse
import os
import random
import subprocess
@@ -13,75 +14,75 @@
kexs = [
##### OQS_TEMPLATE_FRAGMENT_LIST_ALL_KEXS_START
"frodokem-640-aes-sha256",
# "[email protected]",
"[email protected]",
"frodokem-976-aes-sha384",
# "[email protected]",
"[email protected]",
"frodokem-1344-aes-sha512",
# "[email protected]",
"[email protected]",
"frodokem-640-shake-sha256",
# "[email protected]",
"[email protected]",
"frodokem-976-shake-sha384",
# "[email protected]",
"[email protected]",
"frodokem-1344-shake-sha512",
# "[email protected]",
"[email protected]",
"kyber-512-sha256",
# "[email protected]",
"[email protected]",
"kyber-768-sha384",
# "[email protected]",
"[email protected]",
"kyber-1024-sha512",
# "[email protected]",
"[email protected]",
"bike-l1-sha512",
# "[email protected]",
"[email protected]",
"bike-l3-sha512",
# "[email protected]",
"[email protected]",
"classic-mceliece-348864-sha256",
# "ecdh-nistp256-classic-mceliece-348864r4-sha256@openquantumsafe.org",
"ecdh-nistp256-classic-mceliece-348864r4-sha256@openquantumsafe.org",
"classic-mceliece-348864f-sha256",
# "ecdh-nistp256-classic-mceliece-348864fr4-sha256@openquantumsafe.org",
"ecdh-nistp256-classic-mceliece-348864fr4-sha256@openquantumsafe.org",
"classic-mceliece-460896-sha512",
# "ecdh-nistp384-classic-mceliece-460896r4-sha512@openquantumsafe.org",
"ecdh-nistp384-classic-mceliece-460896r4-sha512@openquantumsafe.org",
"classic-mceliece-460896f-sha512",
# "ecdh-nistp384-classic-mceliece-460896fr4-sha512@openquantumsafe.org",
"ecdh-nistp384-classic-mceliece-460896fr4-sha512@openquantumsafe.org",
"classic-mceliece-6688128-sha512",
# "ecdh-nistp521-classic-mceliece-6688128r4-sha512@openquantumsafe.org",
"ecdh-nistp521-classic-mceliece-6688128r4-sha512@openquantumsafe.org",
"classic-mceliece-6688128f-sha512",
# "ecdh-nistp521-classic-mceliece-6688128fr4-sha512@openquantumsafe.org",
"ecdh-nistp521-classic-mceliece-6688128fr4-sha512@openquantumsafe.org",
"classic-mceliece-6960119-sha512",
# "ecdh-nistp521-classic-mceliece-6960119r4-sha512@openquantumsafe.org",
"ecdh-nistp521-classic-mceliece-6960119r4-sha512@openquantumsafe.org",
"classic-mceliece-6960119f-sha512",
# "ecdh-nistp521-classic-mceliece-6960119fr4-sha512@openquantumsafe.org",
"ecdh-nistp521-classic-mceliece-6960119fr4-sha512@openquantumsafe.org",
"classic-mceliece-8192128-sha512",
# "ecdh-nistp521-classic-mceliece-8192128r4-sha512@openquantumsafe.org",
"ecdh-nistp521-classic-mceliece-8192128r4-sha512@openquantumsafe.org",
"classic-mceliece-8192128f-sha512",
# "ecdh-nistp521-classic-mceliece-8192128fr4-sha512@openquantumsafe.org",
"ecdh-nistp521-classic-mceliece-8192128fr4-sha512@openquantumsafe.org",
"hqc-128-sha256",
# "[email protected]",
"[email protected]",
"hqc-192-sha384",
# "[email protected]",
"[email protected]",
"hqc-256-sha512",
# "[email protected]",
"[email protected]",
##### OQS_TEMPLATE_FRAGMENT_LIST_ALL_KEXS_END
]

sigs = [
##### OQS_TEMPLATE_FRAGMENT_LIST_ALL_SIGS_START
"ssh-falcon512",
# "ssh-rsa3072-falcon512",
# "ssh-ecdsa-nistp256-falcon512",
"ssh-rsa3072-falcon512",
"ssh-ecdsa-nistp256-falcon512",
"ssh-falcon1024",
# "ssh-ecdsa-nistp521-falcon1024",
"ssh-ecdsa-nistp521-falcon1024",
"ssh-dilithium2",
# "ssh-rsa3072-dilithium2",
# "ssh-ecdsa-nistp256-dilithium2",
"ssh-rsa3072-dilithium2",
"ssh-ecdsa-nistp256-dilithium2",
"ssh-dilithium3",
# "ssh-ecdsa-nistp384-dilithium3",
"ssh-ecdsa-nistp384-dilithium3",
"ssh-dilithium5",
# "ssh-ecdsa-nistp521-dilithium5",
"ssh-ecdsa-nistp521-dilithium5",
"ssh-sphincssha2128fsimple",
# "ssh-rsa3072-sphincssha2128fsimple",
# "ssh-ecdsa-nistp256-sphincssha2128fsimple",
"ssh-rsa3072-sphincssha2128fsimple",
"ssh-ecdsa-nistp256-sphincssha2128fsimple",
"ssh-sphincssha2256fsimple",
# "ssh-ecdsa-nistp521-sphincssha2256fsimple",
"ssh-ecdsa-nistp521-sphincssha2256fsimple",
##### OQS_TEMPLATE_FRAGMENT_LIST_ALL_SIGS_END
]

@@ -131,8 +132,11 @@ def try_handshake(ssh, sshd, dorandom="random"):
do_handshake(ssh, sshd, test_sig, test_kex)

if __name__ == '__main__':
if len(sys.argv)==1:
try_handshake(os.path.abspath('ssh'), os.path.abspath('sshd'))
else:
try_handshake(os.path.abspath('ssh'), os.path.abspath('sshd'), dorandom=sys.argv[1])
parser = argparse.ArgumentParser(description="Test connections between ssh and sshd using PQ algorithms.")
parser.add_argument("--ssh", default=os.path.abspath('ssh'), type=str, help="Override the ssh binary.")
parser.add_argument("--sshd", default=os.path.abspath('sshd'), type=str, help="Override the sshd binary.")
parser.add_argument("dorandom", type=str, default="random", choices=["doall", "doone", "random"],
help="Slice of test cases to run.")
args = parser.parse_args()
try_handshake(args.ssh, args.sshd, args.dorandom)

4 changes: 2 additions & 2 deletions ssh-ecdsa.c
Original file line number Diff line number Diff line change
@@ -305,8 +305,8 @@ ssh_ecdsa_verify(const struct sshkey *key,
char *ktype = NULL;

if (key == NULL || key->ecdsa == NULL ||
sshkey_type_plain(key->type) != KEY_ECDSA &&
!oqs_utils_is_ecdsa_hybrid(sshkey_type_plain(key->type)) ||
(sshkey_type_plain(key->type) != KEY_ECDSA &&
!oqs_utils_is_ecdsa_hybrid(sshkey_type_plain(key->type))) ||
sig == NULL || siglen == 0)
return SSH_ERR_INVALID_ARGUMENT;

20 changes: 10 additions & 10 deletions ssh-keygen.c
Original file line number Diff line number Diff line change
@@ -1170,17 +1170,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ "sphincssha2128fsimple", "SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
{ "sphincssha2256fsimple", "SPHINCS_SHA2_256F_SIMPLE", _PATH_HOST_SPHINCS_SHA2_256F_SIMPLE_KEY_FILE },
#ifdef WITH_OPENSSL
// { "rsa3072_falcon512", "RSA3072_FALCON_512", _PATH_HOST_RSA3072_FALCON_512_KEY_FILE },
// { "rsa3072_dilithium2", "RSA3072_DILITHIUM_2", _PATH_HOST_RSA3072_DILITHIUM_2_KEY_FILE },
// { "rsa3072_sphincssha2128fsimple", "RSA3072_SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_RSA3072_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
{ "rsa3072_falcon512", "RSA3072_FALCON_512", _PATH_HOST_RSA3072_FALCON_512_KEY_FILE },
{ "rsa3072_dilithium2", "RSA3072_DILITHIUM_2", _PATH_HOST_RSA3072_DILITHIUM_2_KEY_FILE },
{ "rsa3072_sphincssha2128fsimple", "RSA3072_SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_RSA3072_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
#ifdef OPENSSL_HAS_ECC
// { "ecdsa_nistp256_falcon512", "ECDSA_NISTP256_FALCON_512", _PATH_HOST_ECDSA_NISTP256_FALCON_512_KEY_FILE },
// { "ecdsa_nistp521_falcon1024", "ECDSA_NISTP521_FALCON_1024", _PATH_HOST_ECDSA_NISTP521_FALCON_1024_KEY_FILE },
// { "ecdsa_nistp256_dilithium2", "ECDSA_NISTP256_DILITHIUM_2", _PATH_HOST_ECDSA_NISTP256_DILITHIUM_2_KEY_FILE },
// { "ecdsa_nistp384_dilithium3", "ECDSA_NISTP384_DILITHIUM_3", _PATH_HOST_ECDSA_NISTP384_DILITHIUM_3_KEY_FILE },
// { "ecdsa_nistp521_dilithium5", "ECDSA_NISTP521_DILITHIUM_5", _PATH_HOST_ECDSA_NISTP521_DILITHIUM_5_KEY_FILE },
// { "ecdsa_nistp256_sphincssha2128fsimple", "ECDSA_NISTP256_SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_ECDSA_NISTP256_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
// { "ecdsa_nistp521_sphincssha2256fsimple", "ECDSA_NISTP521_SPHINCS_SHA2_256F_SIMPLE", _PATH_HOST_ECDSA_NISTP521_SPHINCS_SHA2_256F_SIMPLE_KEY_FILE },
{ "ecdsa_nistp256_falcon512", "ECDSA_NISTP256_FALCON_512", _PATH_HOST_ECDSA_NISTP256_FALCON_512_KEY_FILE },
{ "ecdsa_nistp521_falcon1024", "ECDSA_NISTP521_FALCON_1024", _PATH_HOST_ECDSA_NISTP521_FALCON_1024_KEY_FILE },
{ "ecdsa_nistp256_dilithium2", "ECDSA_NISTP256_DILITHIUM_2", _PATH_HOST_ECDSA_NISTP256_DILITHIUM_2_KEY_FILE },
{ "ecdsa_nistp384_dilithium3", "ECDSA_NISTP384_DILITHIUM_3", _PATH_HOST_ECDSA_NISTP384_DILITHIUM_3_KEY_FILE },
{ "ecdsa_nistp521_dilithium5", "ECDSA_NISTP521_DILITHIUM_5", _PATH_HOST_ECDSA_NISTP521_DILITHIUM_5_KEY_FILE },
{ "ecdsa_nistp256_sphincssha2128fsimple", "ECDSA_NISTP256_SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_ECDSA_NISTP256_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
{ "ecdsa_nistp521_sphincssha2256fsimple", "ECDSA_NISTP521_SPHINCS_SHA2_256F_SIMPLE", _PATH_HOST_ECDSA_NISTP521_SPHINCS_SHA2_256F_SIMPLE_KEY_FILE },
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
///// OQS_TEMPLATE_FRAGMENT_DEFINE_KEY_TYPES_END
536 changes: 487 additions & 49 deletions ssh-oqs.c

Large diffs are not rendered by default.

6 changes: 2 additions & 4 deletions sshkey.c
Original file line number Diff line number Diff line change
@@ -142,8 +142,7 @@ extern const struct sshkey_impl sshkey_dilithium5_impl;
extern const struct sshkey_impl sshkey_sphincssha2128fsimple_impl;
extern const struct sshkey_impl sshkey_sphincssha2256fsimple_impl;

#ifdef HYBRID_IMPLEMENTATION_EXISTS
// #ifdef WITH_OPENSSL
#ifdef WITH_OPENSSL
extern const struct sshkey_impl sshkey_rsa3072_falcon512_impl;
extern const struct sshkey_impl sshkey_rsa3072_dilithium2_impl;
extern const struct sshkey_impl sshkey_rsa3072_sphincssha2128fsimple_impl;
@@ -205,8 +204,7 @@ const struct sshkey_impl * const keyimpls[] = {
&sshkey_dilithium5_impl,
&sshkey_sphincssha2128fsimple_impl,
&sshkey_sphincssha2256fsimple_impl,
#ifdef HYBRID_IMPLEMENTATION_EXISTS
// #ifdef WITH_OPENSSL
#ifdef WITH_OPENSSL
&sshkey_rsa3072_falcon512_impl,
&sshkey_rsa3072_dilithium2_impl,
&sshkey_rsa3072_sphincssha2128fsimple_impl,

0 comments on commit faf03d7

Please sign in to comment.