sntrup: Remove needless conversion of shared secret to bignum

The derived shared secret in SNTRUP761 is converted into a bignum, only to be converted back to binary during use in kex.c. Instead use field 'hybrid_shared_secret' in ssh_crypto_struct to store it, just like the Hybrid MLKEM implementation. Fixes #338 Signed-off-by: Shiva Kiran Koninty <shiva_kr@riseup.net> Reviewed-by: Pavol Žáčik <pzacik@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2026-03-24 20:40:09 +09:00 · 2026-02-23 10:42:56 +05:30
parent 90b07e2c18
commit d680b8ea8a
2 changed files with 12 additions and 16 deletions
--- a/src/kex.c
+++ b/src/kex.c
@@ -1688,11 +1688,6 @@ int ssh_make_sessionid(ssh_session session)
    switch (session->next_crypto->kex_type) {
    case SSH_KEX_SNTRUP761X25519_SHA512:
    case SSH_KEX_SNTRUP761X25519_SHA512_OPENSSH_COM:
-        rc = ssh_buffer_pack(buf,
-                             "F",
-                             session->next_crypto->shared_secret,
-                             SHA512_DIGEST_LEN);
-        break;
    case SSH_KEX_MLKEM768X25519_SHA256:
    case SSH_KEX_MLKEM768NISTP256_SHA256:
 #ifdef HAVE_MLKEM1024
@@ -1919,9 +1914,6 @@ int ssh_generate_session_keys(ssh_session session)
    switch (session->next_crypto->kex_type) {
    case SSH_KEX_SNTRUP761X25519_SHA512:
    case SSH_KEX_SNTRUP761X25519_SHA512_OPENSSH_COM:
-        k_string = ssh_make_padded_bignum_string(crypto->shared_secret,
-                                                 crypto->digest_len);
-        break;
    case SSH_KEX_MLKEM768X25519_SHA256:
    case SSH_KEX_MLKEM768NISTP256_SHA256:
 #ifdef HAVE_MLKEM1024
--- a/src/sntrup761.c
+++ b/src/sntrup761.c
@@ -28,7 +28,6 @@
 #include "libssh/sntrup761.h"
 #ifdef HAVE_SNTRUP761

-#include "libssh/bignum.h"
 #include "libssh/buffer.h"
 #include "libssh/crypto.h"
 #include "libssh/dh.h"
@@ -141,7 +140,7 @@ static int ssh_sntrup761x25519_build_k(ssh_session session)
 {
    unsigned char ssk[SNTRUP761_SIZE + CURVE25519_PUBKEY_SIZE];
    unsigned char *k = ssk + SNTRUP761_SIZE;
-    unsigned char hss[SHA512_DIGEST_LEN];
+    void *shared_secret_data = NULL;
    int rc;

    rc = ssh_curve25519_create_k(session, k);
@@ -216,22 +215,27 @@ static int ssh_sntrup761x25519_build_k(ssh_session session)
    ssh_log_hexdump("kem key", ssk, SNTRUP761_SIZE);
 #endif

-    sha512(ssk, sizeof ssk, hss);
-
-    bignum_bin2bn(hss, sizeof hss, &session->next_crypto->shared_secret);
-    if (session->next_crypto->shared_secret == NULL) {
+    ssh_string_burn(session->next_crypto->hybrid_shared_secret);
+    ssh_string_free(session->next_crypto->hybrid_shared_secret);
+    session->next_crypto->hybrid_shared_secret =
+        ssh_string_new(SHA512_DIGEST_LEN);
+    if (session->next_crypto->hybrid_shared_secret == NULL) {
+        ssh_set_error_oom(session);
        rc = SSH_ERROR;
        goto cleanup;
    }
+    shared_secret_data =
+        ssh_string_data(session->next_crypto->hybrid_shared_secret);
+
+    sha512(ssk, sizeof ssk, shared_secret_data);

 #ifdef DEBUG_CRYPTO
-    ssh_print_bignum("Shared secret key", session->next_crypto->shared_secret);
+    ssh_log_hexdump("Shared secret key", shared_secret_data, SHA512_DIGEST_LEN);
 #endif

    return 0;
 cleanup:
    ssh_burn(ssk, sizeof ssk);
-    ssh_burn(hss, sizeof hss);

    return rc;
 }