From d31e2c358167859984405350c72cc490117b5e5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Mon, 20 Nov 2023 13:23:50 +0100 Subject: [PATCH 1/6] Added PQC support for the Zephyr port using liboqs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Tobias Frauenschläger --- zephyr/CMakeLists.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt index bf8fe1a77..4f088c9ee 100644 --- a/zephyr/CMakeLists.txt +++ b/zephyr/CMakeLists.txt @@ -45,6 +45,7 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/curve448.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/des3.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/dh.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/dilithium.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/dsa.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ecc.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ecc_fp.c) @@ -52,6 +53,7 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ed25519.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ed448.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/error.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ext_kyber.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/falcon.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fe_448.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fe_low_mem.c) 
@@ -95,6 +97,7 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_dsp32.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_int.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_x86_64.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sphincs.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/srp.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/tfm.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wc_dsp.c) From 755c385b1ffde972ecc3b24331824e5996761fcc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Thu, 30 Nov 2023 10:57:06 +0100 Subject: [PATCH 2/6] Liboqs: use WolfSSL RNG MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Improve the interface to liboqs by properly configuring and using the RNG provided by WolfSSL from within liboqs. Signed-off-by: Tobias Frauenschläger --- cmake/functions.cmake | 6 ++ src/include.am | 1 + wolfcrypt/src/ext_kyber.c | 11 ++- wolfcrypt/src/include.am | 3 +- wolfcrypt/src/port/liboqs/liboqs.c | 111 +++++++++++++++++++++++++ wolfcrypt/src/wc_port.c | 10 +++ wolfssl/wolfcrypt/include.am | 3 +- wolfssl/wolfcrypt/port/liboqs/liboqs.h | 60 +++++++++++++ zephyr/CMakeLists.txt | 1 + 9 files changed, 203 insertions(+), 3 deletions(-) create mode 100644 wolfcrypt/src/port/liboqs/liboqs.c create mode 100644 wolfssl/wolfcrypt/port/liboqs/liboqs.h diff --git a/cmake/functions.cmake b/cmake/functions.cmake index 6b5b9a7f9..a8f0c851d 100644 --- a/cmake/functions.cmake +++ b/cmake/functions.cmake @@ -198,6 +198,7 @@ function(generate_build_flags) set(BUILD_SPHINCS "yes" PARENT_SCOPE) set(BUILD_DILITHIUM "yes" PARENT_SCOPE) set(BUILD_EXT_KYBER "yes" PARENT_SCOPE) + set(BUILD_OQS_HELPER "yes" PARENT_SCOPE) endif() if(WOLFSSL_ARIA OR WOLFSSL_USER_SETTINGS) message(STATUS "ARIA functions.cmake found WOLFSSL_ARIA") 
@@ -587,6 +588,11 @@ function(generate_lib_src_list LIB_SOURCES) wolfcrypt/src/wc_port.c wolfcrypt/src/error.c) + if(BUILD_OQS_HELPER) + list(APPEND LIB_SOURCES + wolfcrypt/src/port/liboqs/liboqs.c) + endif() + if(BUILD_ARIA) list(APPEND LIB_SOURCES wolfcrypt/src/port/aria/aria-crypt.c diff --git a/src/include.am b/src/include.am index a69822fff..aa1885ef3 100644 --- a/src/include.am +++ b/src/include.am @@ -835,6 +835,7 @@ src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/falcon.c src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/dilithium.c src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sphincs.c src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ext_kyber.c +src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/liboqs/liboqs.c endif if BUILD_LIBLMS diff --git a/wolfcrypt/src/ext_kyber.c b/wolfcrypt/src/ext_kyber.c index 834d98903..ea2ac83b1 100644 --- a/wolfcrypt/src/ext_kyber.c +++ b/wolfcrypt/src/ext_kyber.c @@ -39,6 +39,8 @@ #if defined (HAVE_LIBOQS) +#include + static const char* OQS_ID2name(int id) { switch (id) { case KYBER_LEVEL1: return OQS_KEM_alg_kyber_512; @@ -337,12 +339,16 @@ int wc_KyberKey_MakeKey(KyberKey* key, WC_RNG* rng) ret = BAD_FUNC_ARG; } } + if (ret == 0) { + ret = wolfSSL_liboqsRngMutexLock(rng); + } if (ret == 0) { if (OQS_KEM_keypair(kem, key->pub, key->priv) != OQS_SUCCESS) { ret = BAD_FUNC_ARG; } } + wolfSSL_liboqsRngMutexUnlock(); OQS_KEM_free(kem); #endif /* HAVE_LIBOQS */ #ifdef HAVE_PQM4 @@ -422,12 +428,15 @@ int wc_KyberKey_Encapsulate(KyberKey* key, unsigned char* ct, unsigned char* ss, ret = BAD_FUNC_ARG; } } + if (ret == 0) { + ret = wolfSSL_liboqsRngMutexLock(rng); + } if (ret == 0) { if (OQS_KEM_encaps(kem, ct, ss, key->pub) != OQS_SUCCESS) { ret = BAD_FUNC_ARG; } } - + wolfSSL_liboqsRngMutexUnlock(); OQS_KEM_free(kem); #endif /* HAVE_LIBOQS */ #ifdef HAVE_PQM4 diff --git a/wolfcrypt/src/include.am b/wolfcrypt/src/include.am index 2a501411f..b944c4258 100644 --- a/wolfcrypt/src/include.am 
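Review bot: `wolfSSL_liboqsRngMutexUnlock();` runs unconditionally after the `OQS_KEM_keypair` block in wc_KyberKey_MakeKey and after `OQS_KEM_encaps` in wc_KyberKey_Encapsulate, so whenever an earlier check left ret != 0, or wolfSSL_liboqsRngMutexLock itself failed, the function unlocks a mutex this thread never acquired; for a pthread mutex that is undefined behaviour and can release a lock held by another thread, and the unlock also rewrites the shared liboqsCurrentRNG pointer without holding the lock. Track the lock in a local and release only what was taken: `int locked = 0;` at the top, `if (ret == 0) { ret = wolfSSL_liboqsRngMutexLock(rng); locked = (ret == 0); }` in place of the added lock block, and `if (locked) { wolfSSL_liboqsRngMutexUnlock(); }` in place of the bare unlock. The same unconditional unlock appears in the wc_dilithium_sign_msg, wc_falcon_sign_msg and wc_sphincs_sign_msg hunks of the later patches in this series. Both Kyber functions begin before their hunks, so the earlier assignments to ret are not visible here.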
+++ b/wolfcrypt/src/include.am @@ -132,7 +132,8 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \ wolfcrypt/src/port/Renesas/renesas_rx64_hw_sha.c \ wolfcrypt/src/port/Renesas/renesas_rx64_hw_util.c \ wolfcrypt/src/port/Renesas/README.md \ - wolfcrypt/src/port/cypress/psoc6_crypto.c + wolfcrypt/src/port/cypress/psoc6_crypto.c \ + wolfcrypt/src/port/liboqs/liboqs.c $(ASYNC_FILES): $(AM_V_at)touch $(srcdir)/$@ diff --git a/wolfcrypt/src/port/liboqs/liboqs.c b/wolfcrypt/src/port/liboqs/liboqs.c new file mode 100644 index 000000000..9fcd6c57d --- /dev/null +++ b/wolfcrypt/src/port/liboqs/liboqs.c 
@@ -0,0 +1,111 @@
+/* liboqs.c
+ *
+ * Copyright (C) 2006-2023 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/*
+
+DESCRIPTION
+This library provides the support interfaces to the liboqs library providing
+implementations for Post-Quantum cryptography algorithms.
+
+*/
+
+#ifdef HAVE_CONFIG_H
+ #include
+#endif
+
+#include
+#include
+#include
+
+#include
+
+#if defined(HAVE_LIBOQS)
+
+/* RNG for liboqs */
+static WC_RNG liboqsDefaultRNG;
+static WC_RNG* liboqsCurrentRNG;
+
+static wolfSSL_Mutex liboqsRNGMutex;
+
+static int liboqs_init = 0;
+
+
+static void wolfSSL_liboqsGetRandomData(uint8_t* buffer, size_t numOfBytes)
+{
+ int ret = wc_RNG_GenerateBlock(liboqsCurrentRNG, buffer, numOfBytes);
+ if (ret != 0) {
+ // ToDo: liboqs exits programm if RNG fails, not sure what to do here
+ }
+}
+
+int wolfSSL_liboqsInit(void)
+{
+ int ret = 0;
+
+ if (liboqs_init == 0) {
+ ret = wc_InitMutex(&liboqsRNGMutex);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = wc_LockMutex(&liboqsRNGMutex);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = wc_InitRng(&liboqsDefaultRNG);
+ if (ret == 0) {
+ OQS_init();
+ liboqs_init = 1;
+ }
+ liboqsCurrentRNG = &liboqsDefaultRNG;
+ wc_UnLockMutex(&liboqsRNGMutex);
+
+ OQS_randombytes_custom_algorithm(wolfSSL_liboqsGetRandomData);
+ } + + return ret; +} + +int wolfSSL_liboqsRngMutexLock(WC_RNG* rng) +{ + int ret = wolfSSL_liboqsInit(); + if (ret == 0) { + ret = wc_LockMutex(&liboqsRNGMutex); + } + if (ret == 0 && rng != NULL) { + /* Update the pointer with the RNG to use. This is safe as we locked the mutex */ + liboqsCurrentRNG = rng; + } + return ret; +} + +int wolfSSL_liboqsRngMutexUnlock(void) +{ + int ret = BAD_MUTEX_E; + + liboqsCurrentRNG = &liboqsDefaultRNG; + + if (liboqs_init) { + ret = wc_UnLockMutex(&liboqsRNGMutex); + } + return ret; +} + +#endif /* HAVE_LIBOQS */ diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index ef61df84f..d47e62655 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -127,6 +127,10 @@ #include #endif +#if defined(HAVE_LIBOQS) + #include +#endif + /* prevent multiple mutex initializations */ static volatile int initRefCount = 0; @@ -386,6 +390,12 @@ int wolfCrypt_Init(void) } rpcmem_init(); #endif + +#if defined(HAVE_LIBOQS) + if ((ret = wolfSSL_liboqsInit()) != 0) { + return ret; + } +#endif } initRefCount++; diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index dfdc80aca..373f09b22 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -115,7 +115,8 @@ noinst_HEADERS+= \ wolfssl/wolfcrypt/port/Renesas/renesas_sync.h \ wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h \ wolfssl/wolfcrypt/port/Renesas/renesas_tsip_types.h \ - wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h + wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h \ + wolfssl/wolfcrypt/port/liboqs/liboqs.h if BUILD_CRYPTOAUTHLIB nobase_include_HEADERS+= wolfssl/wolfcrypt/port/atmel/atmel.h diff --git a/wolfssl/wolfcrypt/port/liboqs/liboqs.h b/wolfssl/wolfcrypt/port/liboqs/liboqs.h new file mode 100644 index 000000000..b7a57ca0d --- /dev/null +++ b/wolfssl/wolfcrypt/port/liboqs/liboqs.h 
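Review bot: wolfSSL_liboqsGetRandomData discards a non-zero return from wc_RNG_GenerateBlock, so liboqs carries on using whatever bytes were already in `buffer` as key-generation or signing randomness and no caller ever learns the RNG failed; the `// ToDo` comment names the problem but leaves the branch empty. Because the liboqs callback has no error return, record the failure in a file-scope flag, clear the buffer so a failure cannot yield partially random output, and report the flag from wolfSSL_liboqsRngMutexUnlock (callers then use `ret = wolfSSL_liboqsRngMutexUnlock();` on their success path instead of ignoring the return). In wolfSSL_liboqsInit, `liboqsCurrentRNG = &liboqsDefaultRNG;` and `OQS_randombytes_custom_algorithm(wolfSSL_liboqsGetRandomData);` execute even when wc_InitRng failed, leaving liboqs wired to an uninitialised RNG, and since liboqs_init stays 0 the next wolfSSL_liboqsRngMutexLock re-runs wc_InitMutex on an already-initialised mutex; both statements belong inside the `ret == 0` branch, with the mutex state remembered separately from liboqs_init. wolfSSL_liboqsRngMutexUnlock also assigns liboqsCurrentRNG before it knows the mutex is held, so that write should move under the `liboqs_init` check. The `// ToDo` line should become a `/* */` comment to match the rest of the file.
```c
/* Set by the RNG callback when wc_RNG_GenerateBlock fails. liboqs gives the
 * callback no way to return an error, so it is surfaced by the unlock call. */
static int liboqsRngError = 0;

static void wolfSSL_liboqsGetRandomData(uint8_t* buffer, size_t numOfBytes)
{
    int ret = wc_RNG_GenerateBlock(liboqsCurrentRNG, buffer, (word32)numOfBytes);
    if (ret != 0) {
        /* Never hand liboqs leftover bytes as randomness; the caller sees the
         * error from wolfSSL_liboqsRngMutexUnlock() and discards its output. */
        XMEMSET(buffer, 0, numOfBytes);
        liboqsRngError = ret;
    }
}

/* … unchanged: wolfSSL_liboqsInit, wolfSSL_liboqsRngMutexLock … */

int wolfSSL_liboqsRngMutexUnlock(void)
{
    int ret = BAD_MUTEX_E;

    if (liboqs_init) {
        int rngErr = liboqsRngError;
        liboqsRngError = 0;
        /* Reset the RNG selection only while this thread still holds the lock. */
        liboqsCurrentRNG = &liboqsDefaultRNG;
        ret = wc_UnLockMutex(&liboqsRNGMutex);
        if (ret == 0) {
            ret = rngErr;
        }
    }
    return ret;
}
```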
@@ -0,0 +1,60 @@
+/* liboqs.h
+ *
+ * Copyright (C) 2006-2023 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/*!
+ \file wolfssl/wolfcrypt/port/liboqs/liboqs.h
+*/
+/*
+
+DESCRIPTION
+This library provides the support interfaces to the liboqs library providing
+implementations for Post-Quantum cryptography algorithms.
+*/
+
+#ifndef WOLF_CRYPT_LIBOQS_H
+#define WOLF_CRYPT_LIBOQS_H
+
+#include
+#include
+
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#if defined(HAVE_LIBOQS)
+
+#include "oqs/oqs.h"
+
+
+int wolfSSL_liboqsInit(void);
+
+int wolfSSL_liboqsRngMutexLock(WC_RNG* rng);
+
+int wolfSSL_liboqsRngMutexUnlock(void);
+
+#endif /* HAVE_LIBOQS */
+
+#ifdef __cplusplus
+ } /* extern "C" */
+#endif
+
+#endif /* WOLF_CRYPT_LIBOQS_H */
\ No newline at end of file
diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt
index 4f088c9ee..ec6dcba2c 100644
--- a/zephyr/CMakeLists.txt
+++ b/zephyr/CMakeLists.txt
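Review bot: The three prototypes added under `#if defined(HAVE_LIBOQS)` carry no documentation, although their contract (lock and unlock must be paired on the same thread, and what a NULL rng selects) is exactly what the callers in the other hunks rely on. Add a Doxygen block above each; for wolfSSL_liboqsRngMutexLock something like `/* Initialise the liboqs glue on first use, take the RNG mutex and route liboqs randomness to rng; NULL keeps the internal default RNG. Returns 0 or a wolfCrypt error code; on 0 the caller must call wolfSSL_liboqsRngMutexUnlock() when the liboqs call has finished. */`, and a matching note on wolfSSL_liboqsRngMutexUnlock that it is only valid after a successful lock (the NULL behaviour is taken from the lock implementation in liboqs.c, so confirm it is intended). The visible prototypes use only WC_RNG, yet the header includes "oqs/oqs.h", which drags the liboqs headers into every translation unit that includes dilithium.h, falcon.h or sphincs.h; if nothing in this header needs liboqs types, the include belongs in liboqs.c. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.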
@@ -109,6 +109,7 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wolfevent.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wolfmath.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/liboqs/liboqs.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/psa/psa.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/psa/psa_aes.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/psa/psa_hash.c) From ec86a86096b85c43ead2fb1ba8b253c092fcdcc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Wed, 22 Nov 2023 17:16:13 +0100 Subject: [PATCH 3/6] liboqs: add RNG support for dilithium MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added a RNG argument to the wc_dilithium_sign_msg method to properly generate necessary random data using the desired WolfSSL RNG object. Signed-off-by: Tobias Frauenschläger --- src/tls13.c | 2 +- wolfcrypt/benchmark/benchmark.c | 2 +- wolfcrypt/src/asn.c | 2 +- wolfcrypt/src/dilithium.c | 8 +++++++- wolfssl/wolfcrypt/dilithium.h | 3 ++- 5 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index d16a5761f..82f3bce84 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -8896,7 +8896,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl) ret = wc_dilithium_sign_msg(args->sigData, args->sigDataSz, args->verify + HASH_SIG_SIZE + VERIFY_HEADER, (word32*)&sig->length, - (dilithium_key*)ssl->hsKey); + (dilithium_key*)ssl->hsKey, ssl->rng); args->length = (word16)sig->length; } #endif diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 49803d6d9..e3b98fef4 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c 
@@ -11909,7 +11909,7 @@ void bench_dilithiumKeySign(byte level) x = DILITHIUM_LEVEL5_SIG_SIZE; } - ret = wc_dilithium_sign_msg(msg, sizeof(msg), sig, &x, &key); + ret = wc_dilithium_sign_msg(msg, sizeof(msg), sig, &x, &key, GLOBAL_RNG); if (ret != 0) { printf("wc_dilithium_sign_msg failed\n"); } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 6147dea8c..cbbc962be 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -28906,7 +28906,7 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, word32 sz, if (!rsaKey && !eccKey && !ed25519Key && !ed448Key && !falconKey && dilithiumKey) { word32 outSz = sigSz; - ret = wc_dilithium_sign_msg(buf, sz, sig, &outSz, dilithiumKey); + ret = wc_dilithium_sign_msg(buf, sz, sig, &outSz, dilithiumKey, rng); if (ret == 0) ret = outSz; } diff --git a/wolfcrypt/src/dilithium.c b/wolfcrypt/src/dilithium.c index d50b6db37..f03e8b6f4 100644 --- a/wolfcrypt/src/dilithium.c +++ b/wolfcrypt/src/dilithium.c @@ -59,7 +59,7 @@ */ int wc_dilithium_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen, - dilithium_key* key) + dilithium_key* key, WC_RNG* rng) { int ret = 0; #ifdef HAVE_LIBOQS @@ -107,6 +107,10 @@ int wc_dilithium_sign_msg(const byte* in, word32 inLen, localOutLen = *outLen; } + if (ret == 0) { + ret = wolfSSL_liboqsRngMutexLock(rng); + } + if ((ret == 0) && (OQS_SIG_sign(oqssig, out, &localOutLen, in, inLen, key->k) == OQS_ERROR)) { @@ -117,6 +121,8 @@ int wc_dilithium_sign_msg(const byte* in, word32 inLen, *outLen = (word32)localOutLen; } + wolfSSL_liboqsRngMutexUnlock(); + if (oqssig != NULL) { OQS_SIG_free(oqssig); } diff --git a/wolfssl/wolfcrypt/dilithium.h b/wolfssl/wolfcrypt/dilithium.h index 896976c5f..896d06ac6 100644 --- a/wolfssl/wolfcrypt/dilithium.h +++ b/wolfssl/wolfcrypt/dilithium.h @@ -35,6 +35,7 @@ #ifdef HAVE_LIBOQS #include +#include #endif #ifdef __cplusplus 
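Review bot: wc_dilithium_sign_msg gains a `WC_RNG* rng` parameter, but the Doxygen block that ends at `*/` immediately above the signature is not updated, so the new argument is undocumented; add a line such as ` * rng     [in]  RNG used by liboqs for the signing randomness; NULL selects the library's default RNG.` (the NULL behaviour follows from wolfSSL_liboqsRngMutexLock in this series, so state it only if that is the intended contract). The same omission is in the wc_falcon_sign_msg and wc_sphincs_sign_msg hunks. Extending a WOLFSSL_API signature changes the public interface for every external caller, which the commit message does not mention; a release note is warranted. The comment block and most of the function body lie outside the hunk.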
@@ -84,7 +85,7 @@ struct dilithium_key { WOLFSSL_API int wc_dilithium_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen, - dilithium_key* key); + dilithium_key* key, WC_RNG* rng); WOLFSSL_API int wc_dilithium_verify_msg(const byte* sig, word32 sigLen, const byte* msg, word32 msgLen, int* res, dilithium_key* key); From 85c40b1728040b8ae836c644ccee3cec98e2d9a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Wed, 22 Nov 2023 18:37:17 +0100 Subject: [PATCH 4/6] liboqs: add RNG support for falcon MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added a RNG argument to the wc_falcon_sign_msg method to properly generate necessary random data using the desired WolfSSL RNG object. Signed-off-by: Tobias Frauenschläger --- src/tls13.c | 2 +- wolfcrypt/benchmark/benchmark.c | 2 +- wolfcrypt/src/asn.c | 2 +- wolfcrypt/src/falcon.c | 8 +++++++- wolfssl/wolfcrypt/falcon.h | 3 ++- 5 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index 82f3bce84..4c29fb467 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -8887,7 +8887,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl) ret = wc_falcon_sign_msg(args->sigData, args->sigDataSz, args->verify + HASH_SIG_SIZE + VERIFY_HEADER, (word32*)&sig->length, - (falcon_key*)ssl->hsKey); + (falcon_key*)ssl->hsKey, ssl->rng); args->length = (word16)sig->length; } #endif diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index e3b98fef4..224d55f3d 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -11788,7 +11788,7 @@ void bench_falconKeySign(byte level) x = FALCON_LEVEL5_SIG_SIZE; } - ret = wc_falcon_sign_msg(msg, sizeof(msg), sig, &x, &key); + ret = wc_falcon_sign_msg(msg, sizeof(msg), sig, &x, &key, GLOBAL_RNG); if (ret != 0) { printf("wc_falcon_sign_msg failed\n"); } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index cbbc962be..9ca3a0656 100644 
--- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -28897,7 +28897,7 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, word32 sz, #if defined(HAVE_FALCON) if (!rsaKey && !eccKey && !ed25519Key && !ed448Key && falconKey) { word32 outSz = sigSz; - ret = wc_falcon_sign_msg(buf, sz, sig, &outSz, falconKey); + ret = wc_falcon_sign_msg(buf, sz, sig, &outSz, falconKey, rng); if (ret == 0) ret = outSz; } diff --git a/wolfcrypt/src/falcon.c b/wolfcrypt/src/falcon.c index ea722a20b..b1cb22949 100644 --- a/wolfcrypt/src/falcon.c +++ b/wolfcrypt/src/falcon.c @@ -59,7 +59,7 @@ */ int wc_falcon_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen, - falcon_key* key) + falcon_key* key, WC_RNG* rng) { int ret = 0; #ifdef HAVE_LIBOQS @@ -101,6 +101,10 @@ int wc_falcon_sign_msg(const byte* in, word32 inLen, localOutLen = *outLen; } + if (ret == 0) { + ret = wolfSSL_liboqsRngMutexLock(rng); + } + if ((ret == 0) && (OQS_SIG_sign(oqssig, out, &localOutLen, in, inLen, key->k) == OQS_ERROR)) { @@ -111,6 +115,8 @@ int wc_falcon_sign_msg(const byte* in, word32 inLen, *outLen = (word32)localOutLen; } + wolfSSL_liboqsRngMutexUnlock(); + if (oqssig != NULL) { OQS_SIG_free(oqssig); } diff --git a/wolfssl/wolfcrypt/falcon.h b/wolfssl/wolfcrypt/falcon.h index cced2b051..e15fc9544 100644 --- a/wolfssl/wolfcrypt/falcon.h +++ b/wolfssl/wolfcrypt/falcon.h @@ -35,6 +35,7 @@ #ifdef HAVE_LIBOQS #include +#include #endif #ifdef __cplusplus @@ -79,7 +80,7 @@ struct falcon_key { WOLFSSL_API int wc_falcon_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen, - falcon_key* key); + falcon_key* key, WC_RNG* rng); WOLFSSL_API int wc_falcon_verify_msg(const byte* sig, word32 sigLen, const byte* msg, word32 msgLen, int* res, falcon_key* key); From 0780fd9719ea695d8bb32aa274c1039832e02270 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Wed, 22 Nov 2023 18:47:11 +0100 Subject: [PATCH 5/6] liboqs: add RNG support for sphincs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added a RNG argument to the wc_sphincs_sign_msg method to properly generate necessary random data using the desired WolfSSL RNG object. Signed-off-by: Tobias Frauenschläger --- wolfcrypt/benchmark/benchmark.c | 2 +- wolfcrypt/src/asn.c | 2 +- wolfcrypt/src/sphincs.c | 8 +++++++- wolfssl/wolfcrypt/sphincs.h | 3 ++- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 224d55f3d..0b4fe011c 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -12055,7 +12055,7 @@ void bench_sphincsKeySign(byte level, byte optim) x = SPHINCS_SMALL_LEVEL5_SIG_SIZE; } - ret = wc_sphincs_sign_msg(msg, sizeof(msg), sig, &x, &key); + ret = wc_sphincs_sign_msg(msg, sizeof(msg), sig, &x, &key, GLOBAL_RNG); if (ret != 0) { printf("wc_sphincs_sign_msg failed\n"); } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 9ca3a0656..6b6cb4a06 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -28915,7 +28915,7 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, word32 sz, if (!rsaKey && !eccKey && !ed25519Key && !ed448Key && !falconKey && !dilithiumKey && sphincsKey) { word32 outSz = sigSz; - ret = wc_sphincs_sign_msg(buf, sz, sig, &outSz, sphincsKey); + ret = wc_sphincs_sign_msg(buf, sz, sig, &outSz, sphincsKey, rng); if (ret == 0) ret = outSz; } diff --git a/wolfcrypt/src/sphincs.c b/wolfcrypt/src/sphincs.c index 65bb57a9c..695e8aa8e 100644 --- a/wolfcrypt/src/sphincs.c +++ b/wolfcrypt/src/sphincs.c @@ -58,7 +58,7 @@ * 0 otherwise. */ int wc_sphincs_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen, - sphincs_key* key) + sphincs_key* key, WC_RNG* rng) { int ret = 0; #ifdef HAVE_LIBOQS 
@@ -135,6 +135,10 @@ int wc_sphincs_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen, localOutLen = *outLen; } + if (ret == 0) { + ret = wolfSSL_liboqsRngMutexLock(rng); + } + if ((ret == 0) && (OQS_SIG_sign(oqssig, out, &localOutLen, in, inLen, key->k) == OQS_ERROR)) { @@ -145,6 +149,8 @@ int wc_sphincs_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen, *outLen = (word32)localOutLen; } + wolfSSL_liboqsRngMutexUnlock(); + if (oqssig != NULL) { OQS_SIG_free(oqssig); } diff --git a/wolfssl/wolfcrypt/sphincs.h b/wolfssl/wolfcrypt/sphincs.h index 958d8529b..b1533bee4 100644 --- a/wolfssl/wolfcrypt/sphincs.h +++ b/wolfssl/wolfcrypt/sphincs.h @@ -41,6 +41,7 @@ #ifdef HAVE_LIBOQS #include +#include #endif #ifdef __cplusplus @@ -99,7 +100,7 @@ struct sphincs_key { WOLFSSL_API int wc_sphincs_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen, - sphincs_key* key); + sphincs_key* key, WC_RNG* rng); WOLFSSL_API int wc_sphincs_verify_msg(const byte* sig, word32 sigLen, const byte* msg, word32 msgLen, int* res, sphincs_key* key); From 8a89470422e757de56b03b4b0788247d25a54864 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Thu, 30 Nov 2023 10:05:40 +0100 Subject: [PATCH 6/6] Fix for liboqs on zephyr MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When using WolfSSL on zephyr, we need POSIX names for networking systems calls. This can either be enabled with CONFIG_NET_SOCKETS_POSIX_NAMES or with CONFIG_POSIX_API. This commit enables support for the latter. Signed-off-by: Tobias Frauenschläger --- wolfssl/wolfcrypt/settings.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 5eacd6c87..a03813ca9 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h 
@@ -1908,7 +1908,7 @@ extern void uITRON4_free(void *p) ; void *z_realloc(void *ptr, size_t size); #define realloc z_realloc - #ifndef CONFIG_NET_SOCKETS_POSIX_NAMES + #if !defined(CONFIG_NET_SOCKETS_POSIX_NAMES) && !defined(CONFIG_POSIX_API) #define CONFIG_NET_SOCKETS_POSIX_NAMES #endif #endif