Update KeyExchangeMLKem768X25519Sha256 and KeyExchangeSNtruP761X25519Sha512

scott-xu · scott-xu · commit f5486b50cd7b · 2025-09-22T21:44:14.000+08:00
diff --git a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.BouncyCastleImpl.cs b/src/Renci.SshNet/Security/KeyExchangeECCurve25519.BouncyCastleImpl.cs
@@ -8,7 +8,7 @@ namespace Renci.SshNet.Security
 {
     internal partial class KeyExchangeECCurve25519
     {
-        private sealed class BouncyCastleImpl : Impl
+        protected internal sealed class BouncyCastleImpl : Impl
         {
             private X25519Agreement _keyAgreement;
 
diff --git a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs b/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs
@@ -4,7 +4,7 @@
 
 namespace Renci.SshNet.Security
 {
-    internal sealed partial class KeyExchangeECCurve25519 : KeyExchangeEC
+    internal partial class KeyExchangeECCurve25519 : KeyExchangeEC
     {
 #if NET
         private Impl _impl;
diff --git a/src/Renci.SshNet/Security/KeyExchangeMLKem768X25519Sha256.cs b/src/Renci.SshNet/Security/KeyExchangeMLKem768X25519Sha256.cs
@@ -1,7 +1,6 @@
 ﻿using System.Globalization;
 using System.Linq;
 
-using Org.BouncyCastle.Crypto.Agreement;
 using Org.BouncyCastle.Crypto.Generators;
 using Org.BouncyCastle.Crypto.Kems;
 using Org.BouncyCastle.Crypto.Parameters;
@@ -12,10 +11,14 @@
 
 namespace Renci.SshNet.Security
 {
-    internal sealed class KeyExchangeMLKem768X25519Sha256 : KeyExchangeEC
+    internal sealed class KeyExchangeMLKem768X25519Sha256 : KeyExchangeECCurve25519
     {
         private MLKemDecapsulator _mlkemDecapsulator;
-        private X25519Agreement _x25519Agreement;
+#if NET
+        private Impl _impl;
+#else
+        private BouncyCastleImpl _impl;
+#endif
 
         /// <summary>
         /// Gets algorithm name.
@@ -52,15 +55,20 @@ public override void Start(Session session, KeyExchangeInitMessage message, bool
             _mlkemDecapsulator = new MLKemDecapsulator(MLKemParameters.ml_kem_768);
             _mlkemDecapsulator.Init(mlkem768KeyPair.Private);
 
-            var x25519KeyPairGenerator = new X25519KeyPairGenerator();
-            x25519KeyPairGenerator.Init(new X25519KeyGenerationParameters(CryptoAbstraction.SecureRandom));
-            var x25519KeyPair = x25519KeyPairGenerator.GenerateKeyPair();
-
-            _x25519Agreement = new X25519Agreement();
-            _x25519Agreement.Init(x25519KeyPair.Private);
-
             var mlkem768PublicKey = ((MLKemPublicKeyParameters)mlkem768KeyPair.Public).GetEncoded();
-            var x25519PublicKey = ((X25519PublicKeyParameters)x25519KeyPair.Public).GetEncoded();
+#if NET
+            if (System.OperatingSystem.IsWindowsVersionAtLeast(10))
+            {
+                var curve = System.Security.Cryptography.ECCurve.CreateFromFriendlyName("Curve25519");
+                _impl = new BclImpl(curve);
+            }
+            else
+#endif
+            {
+                _impl = new BouncyCastleImpl();
+            }
+
+            var x25519PublicKey = _impl.GenerateClientECPoint();
 
             _clientExchangeValue = mlkem768PublicKey.Concat(x25519PublicKey);
 
@@ -114,21 +122,31 @@ private void HandleServerHybridReply(byte[] hostKey, byte[] serverExchangeValue,
             _hostKey = hostKey;
             _signature = signature;
 
-            if (serverExchangeValue.Length != _mlkemDecapsulator.EncapsulationLength + _x25519Agreement.AgreementSize)
+            if (serverExchangeValue.Length != _mlkemDecapsulator.EncapsulationLength + X25519PublicKeyParameters.KeySize)
             {
                 throw new SshConnectionException(
                     string.Format(CultureInfo.CurrentCulture, "Bad S_Reply length: {0}.", serverExchangeValue.Length),
                     DisconnectReason.KeyExchangeFailed);
             }
 
-            var secret = new byte[_mlkemDecapsulator.SecretLength + _x25519Agreement.AgreementSize];
+            var mlkemSecret = new byte[_mlkemDecapsulator.SecretLength];
 
-            _mlkemDecapsulator.Decapsulate(serverExchangeValue, 0, _mlkemDecapsulator.EncapsulationLength, secret, 0, _mlkemDecapsulator.SecretLength);
+            _mlkemDecapsulator.Decapsulate(serverExchangeValue, 0, _mlkemDecapsulator.EncapsulationLength, mlkemSecret, 0, _mlkemDecapsulator.SecretLength);
 
-            var x25519PublicKey = new X25519PublicKeyParameters(serverExchangeValue, _mlkemDecapsulator.EncapsulationLength);
-            _x25519Agreement.CalculateAgreement(x25519PublicKey, secret, _mlkemDecapsulator.SecretLength);
+            var x25519Agreement = _impl.CalculateAgreement(serverExchangeValue.Take(_mlkemDecapsulator.EncapsulationLength, X25519PublicKeyParameters.KeySize));
 
-            SharedKey = CryptoAbstraction.HashSHA256(secret);
+            SharedKey = mlkemSecret.Concat(x25519Agreement);
+        }
+
+        /// <inheritdoc/>
+        protected override void Dispose(bool disposing)
+        {
+            base.Dispose(disposing);
+
+            if (disposing)
+            {
+                _impl?.Dispose();
+            }
         }
     }
 }
diff --git a/src/Renci.SshNet/Security/KeyExchangeSNtruP761X25519Sha512.cs b/src/Renci.SshNet/Security/KeyExchangeSNtruP761X25519Sha512.cs
@@ -1,9 +1,6 @@
-﻿using System;
-using System.Globalization;
+﻿using System.Globalization;
 using System.Linq;
 
-using Org.BouncyCastle.Crypto.Agreement;
-using Org.BouncyCastle.Crypto.Generators;
 using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Pqc.Crypto.NtruPrime;
 
@@ -13,10 +10,14 @@
 
 namespace Renci.SshNet.Security
 {
-    internal sealed class KeyExchangeSNtruP761X25519Sha512 : KeyExchangeEC
+    internal sealed class KeyExchangeSNtruP761X25519Sha512 : KeyExchangeECCurve25519
     {
         private SNtruPrimeKemExtractor _sntrup761Extractor;
-        private X25519Agreement _x25519Agreement;
+#if NET
+        private Impl _impl;
+#else
+        private BouncyCastleImpl _impl;
+#endif
 
         /// <summary>
         /// Gets algorithm name.
@@ -52,15 +53,22 @@ public override void Start(Session session, KeyExchangeInitMessage message, bool
 
             _sntrup761Extractor = new SNtruPrimeKemExtractor((SNtruPrimePrivateKeyParameters)sntrup761KeyPair.Private);
 
-            var x25519KeyPairGenerator = new X25519KeyPairGenerator();
-            x25519KeyPairGenerator.Init(new X25519KeyGenerationParameters(CryptoAbstraction.SecureRandom));
-            var x25519KeyPair = x25519KeyPairGenerator.GenerateKeyPair();
+            var sntrup761PublicKey = ((SNtruPrimePublicKeyParameters)sntrup761KeyPair.Public).GetEncoded();
+#if NET
+            if (System.OperatingSystem.IsWindowsVersionAtLeast(10))
+            {
+                var curve = System.Security.Cryptography.ECCurve.CreateFromFriendlyName("Curve25519");
+                _impl = new BclImpl(curve);
+            }
+            else
+#endif
+            {
+                _impl = new BouncyCastleImpl();
+            }
 
-            _x25519Agreement = new X25519Agreement();
-            _x25519Agreement.Init(x25519KeyPair.Private);
+            var x25519PublicKey = _impl.GenerateClientECPoint();
 
-            var sntrup761PublicKey = ((SNtruPrimePublicKeyParameters)sntrup761KeyPair.Public).GetEncoded();
-            var x25519PublicKey = ((X25519PublicKeyParameters)x25519KeyPair.Public).GetEncoded();
+            _clientExchangeValue = sntrup761PublicKey.Concat(x25519PublicKey);
 
             _clientExchangeValue = sntrup761PublicKey.Concat(x25519PublicKey);
 
@@ -122,14 +130,23 @@ private void HandleServerEcdhReply(byte[] hostKey, byte[] serverExchangeValue, b
             }
 
             var sntrup761CipherText = serverExchangeValue.Take(_sntrup761Extractor.EncapsulationLength);
-            var secret = _sntrup761Extractor.ExtractSecret(sntrup761CipherText);
-            var sntrup761SecretLength = secret.Length;
 
-            var x25519PublicKey = new X25519PublicKeyParameters(serverExchangeValue, _sntrup761Extractor.EncapsulationLength);
-            Array.Resize(ref secret, sntrup761SecretLength + _x25519Agreement.AgreementSize);
-            _x25519Agreement.CalculateAgreement(x25519PublicKey, secret, sntrup761SecretLength);
+            var sntrup761Secret = _sntrup761Extractor.ExtractSecret(sntrup761CipherText);
+
+            var x25519Agreement = _impl.CalculateAgreement(serverExchangeValue.Take(_sntrup761Extractor.EncapsulationLength, X25519PublicKeyParameters.KeySize));
 
-            SharedKey = CryptoAbstraction.HashSHA512(secret);
+            SharedKey = CryptoAbstraction.HashSHA512(sntrup761Secret.Concat(x25519Agreement));
+        }
+
+        /// <inheritdoc/>
+        protected override void Dispose(bool disposing)
+        {
+            base.Dispose(disposing);
+
+            if (disposing)
+            {
+                _impl?.Dispose();
+            }
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ namespace Renci.SshNet.Security`
`8`	`8`	`{`
`9`	`9`	`internal partial class KeyExchangeECCurve25519`
`10`	`10`	`{`
`11`		`- private sealed class BouncyCastleImpl : Impl`
	`11`	`+ protected internal sealed class BouncyCastleImpl : Impl`
`12`	`12`	`{`
`13`	`13`	`private X25519Agreement _keyAgreement;`
`14`	`14`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`
`5`	`5`	`namespace Renci.SshNet.Security`
`6`	`6`	`{`
`7`		`- internal sealed partial class KeyExchangeECCurve25519 : KeyExchangeEC`
	`7`	`+ internal partial class KeyExchangeECCurve25519 : KeyExchangeEC`
`8`	`8`	`{`
`9`	`9`	`#if NET`
`10`	`10`	`private Impl _impl;`