Fix LibreSSL ML-KEM indexing and unsupported PQ fallback paths

daviduhden · daviduhden · commit 3dc9c92e52cb · 2026-06-08T20:57:44.000+02:00
diff --git a/libi2pd/NTCP2.cpp b/libi2pd/NTCP2.cpp
@@ -70,7 +70,11 @@ namespace transport
         switch (version)
         {
             case 3:
+#if defined(LIBRESSL_VERSION_NUMBER)
+                 m_CryptoType = i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD; // ML-KEM-512 is not available on LibreSSL
+#else
                  m_CryptoType = i2p::data::CRYPTO_KEY_TYPE_ECIES_MLKEM512_X25519_AEAD;
+#endif
             break;
             case 4:
                  m_CryptoType = i2p::data::CRYPTO_KEY_TYPE_ECIES_MLKEM768_X25519_AEAD;
@@ -173,13 +177,22 @@ namespace transport
 #if OPENSSL_MLKEM
         if (m_CryptoType > i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD)
         {
-            uint8_t pub[32];
-            memcpy (pub, GetPub (), 32);
-            pub[31] |= 0x80; // set highest bit
-            encryption.Encrypt (pub, 32, m_IV, m_Buffer); // X
-            //  ML-KEM encap_key
             m_PQKeys = i2p::crypto::CreateMLKEMKeys (m_CryptoType);
-            m_PQKeys->GenerateKeys ();
+            if (m_PQKeys)
+            {
+                m_PQKeys->GenerateKeys ();
+                uint8_t pub[32];
+                memcpy (pub, GetPub (), 32);
+                pub[31] |= 0x80; // set highest bit
+                encryption.Encrypt (pub, 32, m_IV, m_Buffer); // X
+            }
+            else
+            {
+                LogPrint (eLogWarning, "NTCP2: ML-KEM type ", (int)m_CryptoType, " is not available, fallback to X25519");
+                m_CryptoType = i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD;
+                m_IsLongPadding = false;
+                encryption.Encrypt (GetPub (), 32, m_IV, m_Buffer); // X
+            }
         }
         else
             encryption.Encrypt (GetPub (), 32, m_IV, m_Buffer); // X
@@ -398,6 +411,11 @@ namespace transport
                 MixHash (m_Buffer + offset, keyLen + 16);
                 offset += keyLen + 16;
                 m_PQKeys = i2p::crypto::CreateMLKEMKeys (m_CryptoType);
+                if (!m_PQKeys)
+                {
+                    LogPrint (eLogWarning, "NTCP2: ML-KEM type ", (int)m_CryptoType, " is not available");
+                    return false;
+                }
                 m_PQKeys->SetPublicKey (encapsKey.data ());
             }
         }
diff --git a/libi2pd/PostQuantum.h b/libi2pd/PostQuantum.h
@@ -45,6 +45,7 @@ namespace crypto
 #if defined(LIBRESSL_VERSION_NUMBER)
 	constexpr std::array MLKEMS =
 	{
+		std::make_tuple ("ML-KEM-512", MLKEM512_KEY_LENGTH, MLKEM512_CIPHER_TEXT_LENGTH),
 		std::make_tuple ("ML-KEM-768", MLKEM768_KEY_LENGTH, MLKEM768_CIPHER_TEXT_LENGTH),
 		std::make_tuple ("ML-KEM-1024", MLKEM1024_KEY_LENGTH, MLKEM1024_CIPHER_TEXT_LENGTH)
 	};
@@ -62,8 +63,8 @@ namespace crypto
 #if defined(LIBRESSL_VERSION_NUMBER)
 		switch (type)
 		{
-			case i2p::data::CRYPTO_KEY_TYPE_ECIES_MLKEM768_X25519_AEAD: return 0;
-			case i2p::data::CRYPTO_KEY_TYPE_ECIES_MLKEM1024_X25519_AEAD: return 1;
+			case i2p::data::CRYPTO_KEY_TYPE_ECIES_MLKEM768_X25519_AEAD: return 1;
+			case i2p::data::CRYPTO_KEY_TYPE_ECIES_MLKEM1024_X25519_AEAD: return 2;
 			default: return -1;
 		}
 #else
diff --git a/libi2pd/SSU2Session.cpp b/libi2pd/SSU2Session.cpp
@@ -743,9 +743,17 @@ namespace transport
 		{
 			i2p::data::CryptoKeyType cryptoType = (i2p::data::CryptoKeyType)(m_Version + 2);
 			m_PQKeys = i2p::crypto::CreateMLKEMKeys (cryptoType);
-            m_PQKeys->GenerateKeys ();
-            offset = m_PQKeys->GetKeyLen () + 16;
-			payloadSize += offset;
+			if (m_PQKeys)
+			{
+				m_PQKeys->GenerateKeys ();
+				offset = m_PQKeys->GetKeyLen () + 16;
+				payloadSize += offset;
+			}
+			else
+			{
+				LogPrint (eLogWarning, "SSU2: ML-KEM type ", (int)cryptoType, " is not available, fallback to version 2");
+				m_Version = 2;
+			}
 		}
 #endif
 		payload[payloadSize] = eSSU2BlkDateTime;
@@ -915,6 +923,11 @@ namespace transport
 			m_NoiseState->MixHash (buf + offset, keyLen + 16);
 			offset += keyLen + 16;
 			m_PQKeys = i2p::crypto::CreateMLKEMKeys (cryptoType);
+			if (!m_PQKeys)
+			{
+				LogPrint (eLogWarning, "SSU2: ML-KEM type ", (int)cryptoType, " is not available");
+				return false;
+			}
 			m_PQKeys->SetPublicKey (encapsKey.data ());
         }
 #endif
@@ -3460,7 +3473,11 @@ namespace transport
 		switch (version)
 		{
 			case 3:
+#if defined(LIBRESSL_VERSION_NUMBER)
+				m_Version = 2; // ML-KEM-512 is not available on LibreSSL
+#else
 				m_Version = 3;
+#endif
 			break;
 			case 4:
 				m_Version = (m_MaxPayloadSize >= SSU2_MLKEM768_MIN_PAYLOAD_SIZE) ? 4: 2;

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,7 @@ namespace crypto`
`45`	`45`	`#if defined(LIBRESSL_VERSION_NUMBER)`
`46`	`46`	`constexpr std::array MLKEMS =`
`47`	`47`	`{`
	`48`	`+ std::make_tuple ("ML-KEM-512", MLKEM512_KEY_LENGTH, MLKEM512_CIPHER_TEXT_LENGTH),`
`48`	`49`	`std::make_tuple ("ML-KEM-768", MLKEM768_KEY_LENGTH, MLKEM768_CIPHER_TEXT_LENGTH),`
`49`	`50`	`std::make_tuple ("ML-KEM-1024", MLKEM1024_KEY_LENGTH, MLKEM1024_CIPHER_TEXT_LENGTH)`
`50`	`51`	`};`
`@@ -62,8 +63,8 @@ namespace crypto`
`62`	`63`	`#if defined(LIBRESSL_VERSION_NUMBER)`
`63`	`64`	`switch (type)`
`64`	`65`	`{`
`65`		`- case i2p::data::CRYPTO_KEY_TYPE_ECIES_MLKEM768_X25519_AEAD: return 0;`
`66`		`- case i2p::data::CRYPTO_KEY_TYPE_ECIES_MLKEM1024_X25519_AEAD: return 1;`
	`66`	`+ case i2p::data::CRYPTO_KEY_TYPE_ECIES_MLKEM768_X25519_AEAD: return 1;`
	`67`	`+ case i2p::data::CRYPTO_KEY_TYPE_ECIES_MLKEM1024_X25519_AEAD: return 2;`
`67`	`68`	`default: return -1;`
`68`	`69`	`}`
`69`	`70`	`#else`