From 3fda99cbc4cca6fe54b9bfef41f512fc12c8886d Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Wed, 16 Aug 2017 14:19:38 -0600
Subject: [PATCH 1/2] seperate build of QSH from build of NTRU

---
 configure.ac | 23 +++++++++++++++++++++--
 src/tls.c | 12 +++++-------
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/configure.ac b/configure.ac
index f06822354..0f9606038 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2217,7 +2217,7 @@ AC_ARG_WITH([ntru],
 [AS_HELP_STRING([--with-ntru=PATH],[Path to NTRU install (default /usr/)])],
 [
 AC_MSG_CHECKING([for NTRU])
- CPPFLAGS="$CPPFLAGS -DHAVE_NTRU -DHAVE_QSH -DHAVE_TLS_EXTENSIONS"
+ CPPFLAGS="$CPPFLAGS -DHAVE_NTRU -DHAVE_TLS_EXTENSIONS"
 LIBS="$LIBS -lntruencrypt"

 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ ntru_crypto_drbg_instantiate(0, 0, 0, 0, 0); ]])], [ ntru_linked=yes ],[ ntru_linked=no ])
@@ -2245,7 +2245,7 @@ AC_ARG_WITH([ntru],
 AC_MSG_RESULT([yes])
 fi

- AM_CFLAGS="$AM_CFLAGS -DHAVE_NTRU -DHAVE_QSH -DHAVE_TLS_EXTENSIONS"
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_NTRU -DHAVE_TLS_EXTENSIONS"
 ENABLED_NTRU="yes"
 ]
 )
@@ -2253,6 +2253,24 @@ AC_ARG_WITH([ntru],

 AM_CONDITIONAL([BUILD_NTRU], [test "x$ENABLED_NTRU" = "xyes"])

+# QSH
+AC_ARG_ENABLE([qsh],
+ [AS_HELP_STRING([--enable-qsh],[Enable QSH (default: disabled)])],
+ [ ENABLED_QSH=$enableval ],
+ [ ENABLED_QSH=no ]
+ )
+
+if test "x$ENABLED_QSH" = "xyes"
+then
+ if test "x$ENABLED_NTRU" = "xno"
+ then
+ AC_MSG_ERROR([cannot enable qsh without NTRU])
+ fi
+
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_QSH"
+fi
+
+
 # Whitewood netRandom client library
 ENABLED_WNR="no"
 trywnrdir=""
@@ -3898,6 +3916,7 @@ echo " * Persistent cert cache: $ENABLED_SAVECERT"
 echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER"
 echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS"
 echo " * NTRU: $ENABLED_NTRU"
+echo " * QSH: $ENABLED_QSH"
 echo " * Whitewood netRandom: $ENABLED_WNR"
 echo " * Server Name Indication: $ENABLED_SNI"
 echo " * ALPN: $ENABLED_ALPN"
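Review bot: The NTRU guard in the new `--enable-qsh` block (hunk `@@ -2253`) only refuses when `ENABLED_NTRU` is exactly `no`; if the variable is unset or holds any other value at that point, `-DHAVE_QSH` is added with no NTRU backend behind it and the new summary line in the `@@ -3898` hunk still reports QSH as enabled. Testing the positive case is the safer form: `if test "x$ENABLED_NTRU" != "xyes"`. Whether `ENABLED_NTRU` is initialised to `no` before the `--with-ntru` block is not visible in these hunks. Since the first two hunks stop implying QSH from `--with-ntru`, the help string should state the new relationship so existing NTRU users notice it, e.g. `[AS_HELP_STRING([--enable-qsh],[Enable QSH (default: disabled, requires --with-ntru)])]`.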
diff --git a/src/tls.c b/src/tls.c
index c79523316..477860c3c 100755
--- a/src/tls.c
+++ b/src/tls.c
@@ -51,10 +51,10 @@
 #ifdef HAVE_QSH
 static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key);
 static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name);
-#endif
-#if defined(HAVE_NTRU) || defined(HAVE_QSH)
+#if defined(HAVE_NTRU)
 static int TLSX_CreateNtruKey(WOLFSSL* ssl, int type);
 #endif
+#endif /* HAVE_QSH */


 #ifndef NO_TLS
@@ -3708,12 +3708,12 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket, void* heap)
 /* Quantum-Safe-Hybrid */
 /******************************************************************************/

+#ifdef HAVE_QSH
 #if defined(HAVE_NTRU)
 static WC_RNG* gRng;
 static wolfSSL_Mutex* gRngMutex;
 #endif

-#ifdef HAVE_QSH
 static void TLSX_QSH_FreeAll(QSHScheme* list, void* heap)
 {
 QSHScheme* current;
@@ -7166,7 +7166,7 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
 }


-#ifdef HAVE_NTRU
+#if defined(HAVE_NTRU) && defined(HAVE_QSH)

 static word32 GetEntropy(unsigned char* out, word32 num_bytes)
 {
@@ -7253,11 +7253,10 @@ static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key)
 }


-#if defined(HAVE_NTRU) || defined(HAVE_QSH)
+#if defined(HAVE_NTRU)
 int TLSX_CreateNtruKey(WOLFSSL* ssl, int type)
 {
 int ret = -1;
-#ifdef HAVE_NTRU
 int ntruType;

 /* variable declarations for NTRU*/
@@ -7320,7 +7319,6 @@ int TLSX_CreateNtruKey(WOLFSSL* ssl, int type)
 temp->next = NULL;
 TLSX_AddQSHKey(&ssl->QSH_Key, temp);

-#endif
 (void)ssl;
 (void)type;


From f6ad5524ebd2b17ef3bcdf64460a78b28a1872cb Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Thu, 17 Aug 2017 11:27:47 -0600
Subject: [PATCH 2/2] remove invalid test-qsh version tests, revert if statement check in internal.c

---
 examples/client/client.c | 5 ++++
 src/internal.c | 2 +-
 tests/test-qsh.conf | 54 ----------------------------------------
 3 files changed, 6 insertions(+), 55 deletions(-)

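Review bot: The guard on the `TLSX_CreateNtruKey` definition in the `@@ -7253` hunk is now `#if defined(HAVE_NTRU)` alone, yet the function body (context in the `@@ -7320` hunk) calls `TLSX_AddQSHKey(&ssl->QSH_Key, temp)`, which the `@@ -51` hunk declares only inside `#ifdef HAVE_QSH`; unless the `#ifdef HAVE_QSH` opened in the `@@ -3708` hunk still encloses this definition (its closing `#endif` is outside these hunks), an NTRU-only build compiles this function against an undeclared function and a `QSH_Key` member that may not exist. The `GetEntropy` guard in the `@@ -7166` hunk already spells the intent explicitly, and the definition should use the same form so the two agree regardless of the enclosing region: `#if defined(HAVE_NTRU) && defined(HAVE_QSH)`. The prototype in the `@@ -51` hunk is `static int` while the definition line is plain `int`; linkage is still internal, but writing `static` on the definition as well makes that obvious. `TLSX_CreateNtruKey` starts and ends outside the last two hunks.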
diff --git a/examples/client/client.c b/examples/client/client.c
index 7004b2027..2c230153f 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -1321,6 +1321,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 done += 1;
 #endif

+ #if defined(HAVE_QSH)
+ /*currently google server rejects client hello with QSH extension.*/
+ done += 1;
+ #endif
+
 if (done) {
 printf("external test can't be run in this mode");

diff --git a/src/internal.c b/src/internal.c
index d7915572f..7ff4ae4e6 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -20597,7 +20597,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 case TLS_ASYNC_BEGIN:
 {
 #ifdef HAVE_QSH
- if (ssl->peerQSHKeyPresent) {
+ if (ssl->peerQSHKeyPresent && ssl->options.haveQSH) {
 args->qshSz = QSH_KeyGetSize(ssl);
 }
 #endif
diff --git a/tests/test-qsh.conf b/tests/test-qsh.conf
index 211ecabed..96cf62778 100644
--- a/tests/test-qsh.conf
+++ b/tests/test-qsh.conf
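Review bot: The new `#if defined(HAVE_QSH)` block in client.c skips the external test for every build that merely compiles QSH in, even when the client never enables the extension at run time; the internal.c hunk in this same patch gates QSH on `ssl->options.haveQSH`, so keying this skip on the run-time option rather than the compile-time macro would keep the external test alive for NTRU builds that leave QSH off. I cannot tell from the hunk whether the example client adds the QSH extension unconditionally once `HAVE_QSH` is defined, so this depends on how the ClientHello is built elsewhere in `client_test`. The comment would also read better as `/* skip: the external server rejects a ClientHello carrying the QSH extension */`. `client_test` continues well beyond this hunk.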
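Review bot: The added `&& ssl->options.haveQSH` in internal.c leaves `args->qshSz` untouched when the peer sent a QSH key but QSH is disabled locally, so the later code relies on `args` having been zeroed before `TLS_ASYNC_BEGIN`; that initialisation is outside the hunk and worth confirming. A comment stating the intent would spare the next reader a search: `/* size the QSH key only when QSH was enabled locally; an unsolicited peer key is ignored */`. The enclosing function starts and ends outside the hunk, and the `DoSessionTicket` shown in the `@@` context is probably not the function this `case` belongs to.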
@@ -28,60 +28,6 @@
 -s
 -l QSH:PSK-CHACHA20-POLY1305

-# server TLSv1 DHE-RSA-CHACHA20-POLY1305
--v 1
--l QSH:DHE-RSA-CHACHA20-POLY1305
-
-# client TLSv1 DHE-RSA-CHACHA20-POLY1305
--v 1
--l QSH:DHE-RSA-CHACHA20-POLY1305
-
-# server TLSv1 ECDHE-EDCSA-CHACHA20-POLY1305
--v 1
--l QSH:ECDHE-ECDSA-CHACHA20-POLY1305
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDHE-ECDSA-CHACHA20-POLY1305
--v 1
--l QSH:ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
-
-# server TLSv1 ECDHE-RSA-CHACHA20-POLY1305
--v 1
--l QSH:ECDHE-RSA-CHACHA20-POLY1305
-
-# client TLSv1 ECDHE-RSA-CHACHA20-POLY1305
--v 1
--l QSH:ECDHE-RSA-CHACHA20-POLY1305
-
-# server TLSv1.1 DHE-RSA-CHACHA20-POLY1305
--v 2
--l QSH:DHE-RSA-CHACHA20-POLY1305
-
-# client TLSv1.1 DHE-RSA-CHACHA20-POLY1305
--v 2
--l QSH:DHE-RSA-CHACHA20-POLY1305
-
-# server TLSv1.1 ECDHE-RSA-CHACHA20-POLY1305
--v 2
--l QSH:ECDHE-RSA-CHACHA20-POLY1305
-
-# client TLSv1.1 ECDHE-RSA-CHACHA20-POLY1305
--v 2
--l QSH:ECDHE-RSA-CHACHA20-POLY1305
-
-# server TLSv1.1 ECDHE-EDCSA-CHACHA20-POLY1305
--v 2
--l QSH:ECDHE-ECDSA-CHACHA20-POLY1305
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDHE-ECDSA-CHACHA20-POLY1305
--v 2
--l QSH:ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
-
 # server TLSv1.2 DHE-RSA-CHACHA20-POLY1305-OLD
 -v 3
 -l QSH:DHE-RSA-CHACHA20-POLY1305-OLD