wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-01 19:54:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8143 from SparkiDev/kyber_plus_mlkem

Browse Source 
Kyber/ML-KEM: make both available
This commit is contained in:
Daniel Pouzzner
2024-11-09 00:09:51 -06:00
committed by GitHub
parent 23f46a1c3e 7d42ddae48
commit 165b4afbeb
19 changed files with 1395 additions and 253 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
IDE/STM32Cube/wolfssl_example.c
View File

@@ -1751,6 +1751,11 @@ static int tls13_uart_client(void)
wolfSSL_SetIOReadCtx(ssl, tbuf);
#ifdef WOLFSSL_HAVE_KYBER
#ifndef WOLFSSL_NO_ML_KEM
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ML_KEM_512) != WOLFSSL_SUCCESS) {
printf("wolfSSL_UseKeyShare Error!!");
}
#else
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_KYBER_LEVEL1) != WOLFSSL_SUCCESS) {
printf("wolfSSL_UseKeyShare Error!!");
}

22
configure.ac
View File

@@ -1309,6 +1309,7 @@ AC_ARG_ENABLE([kyber],
)
ENABLED_WC_KYBER=no
ENABLED_ML_KEM=yes
for v in `echo $ENABLED_KYBER | tr "," " "`
do
case $v in
@@ -1334,6 +1335,10 @@ do
original)
ENABLED_ORIGINAL=yes
;;
original-only)
ENABLED_ORIGINAL=yes
ENABLED_ML_KEM=no
;;
*)
AC_MSG_ERROR([Invalid choice for KYBER []: $ENABLED_KYBER.])
break;;
@@ -1350,6 +1355,8 @@ then
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_WC_KYBER"
fi
if test "$ENABLED_ORIGINAL" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KYBER_ORIGINAL"
if test "$ENABLED_KYBER512" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER512"
fi
@@ -1359,8 +1366,19 @@ then
if test "$ENABLED_KYBER1024" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER1024"
fi
if test "$ENABLED_ORIGINAL" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KYBER_ORIGINAL"
fi
if test "$ENABLED_ML_KEM" = "yes"; then
if test "$ENABLED_KYBER512" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_512"
fi
if test "$ENABLED_KYBER768" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_768"
fi
if test "$ENABLED_KYBER1024" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_1024"
fi
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM"
fi
if test "$ENABLED_WC_KYBER" = "yes"

10
examples/benchmark/tls_bench.c
View File

@@ -291,12 +291,22 @@ static struct group_info groups[] = {
{ WOLFSSL_FFDHE_6144, "FFDHE_6144" },
{ WOLFSSL_FFDHE_8192, "FFDHE_8192" },
#ifdef HAVE_PQC
#ifndef WOLFSSL_NO_ML_KEM
{ WOLFSSL_ML_KEM_512, "ML_KEM_512" },
{ WOLFSSL_ML_KEM_768, "ML_KEM_768" },
{ WOLFSSL_ML_KEM_1024, "ML_KEM_1024" },
{ WOLFSSL_P256_ML_KEM_512, "P256_ML_KEM_512" },
{ WOLFSSL_P384_ML_KEM_768, "P384_ML_KEM_768" },
{ WOLFSSL_P521_ML_KEM_1024, "P521_ML_KEM_1024" },
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
{ WOLFSSL_KYBER_LEVEL1, "KYBER_LEVEL1" },
{ WOLFSSL_KYBER_LEVEL3, "KYBER_LEVEL3" },
{ WOLFSSL_KYBER_LEVEL5, "KYBER_LEVEL5" },
{ WOLFSSL_P256_KYBER_LEVEL1, "P256_KYBER_LEVEL1" },
{ WOLFSSL_P384_KYBER_LEVEL3, "P384_KYBER_LEVEL3" },
{ WOLFSSL_P521_KYBER_LEVEL5, "P521_KYBER_LEVEL5" },
#endif
#endif
{ 0, NULL }
};

70
examples/client/client.c
View File

@@ -401,6 +401,45 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
if (usePqc) {
int group = 0;
#ifndef WOLFSSL_NO_ML_KEM
#ifndef WOLFSSL_NO_ML_KEM_512
if (XSTRCMP(pqcAlg, "ML_KEM_512") == 0) {
group = WOLFSSL_ML_KEM_512;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_768
if (XSTRCMP(pqcAlg, "ML_KEM_768") == 0) {
group = WOLFSSL_ML_KEM_768;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_1024
if (XSTRCMP(pqcAlg, "ML_KEM_1024") == 0) {
group = WOLFSSL_ML_KEM_1024;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_512
if (XSTRCMP(pqcAlg, "P256_ML_KEM_512") == 0) {
group = WOLFSSL_P256_ML_KEM_512;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_768
if (XSTRCMP(pqcAlg, "P384_ML_KEM_768") == 0) {
group = WOLFSSL_P384_ML_KEM_768;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_1024
if (XSTRCMP(pqcAlg, "P521_ML_KEM_1024") == 0) {
group = WOLFSSL_P521_ML_KEM_1024;
}
else
#endif
#endif /* WOLFSSL_NO_ML_KEM */
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifndef WOLFSSL_NO_KYBER512
if (XSTRCMP(pqcAlg, "KYBER_LEVEL1") == 0) {
group = WOLFSSL_KYBER_LEVEL1;
@@ -437,6 +476,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
}
else
#endif
#endif /* WOLFSSL_KYBER_ORIGINAL */
{
err_sys("invalid post-quantum KEM specified");
}
@@ -1333,8 +1373,19 @@ static const char* client_usage_msg[][77] = {
" SSLv3(0) - TLS1.3(4)\n", /* 68 */
#endif
#ifdef HAVE_PQC
"--pqc <alg> Key Share with specified post-quantum algorithm only [KYBER_LEVEL1, KYBER_LEVEL3,\n"
" KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5]\n", /* 69 */
"--pqc <alg> Key Share with specified post-quantum algorithm only:\n"
#ifndef WOLFSSL_NO_ML_KEM
" ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512,"
"\n"
" P384_ML_KEM_768, P521_ML_KEM_1024\n"
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
" KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, "
"P256_KYBER_LEVEL1,\n"
" P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n"
#endif
"",
/* 69 */
#endif
#ifdef WOLFSSL_SRTP
"--srtp <profile> (default is SRTP_AES128_CM_SHA1_80)\n", /* 70 */
@@ -1567,8 +1618,19 @@ static const char* client_usage_msg[][77] = {
" SSLv3(0) - TLS1.3(4)\n", /* 68 */
#endif
#ifdef HAVE_PQC
"--pqc <alg> post-quantum 名前付きグループとの鍵共有のみ [KYBER_LEVEL1, KYBER_LEVEL3,\n"
" KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5]\n", /* 69 */
"--pqc <alg> post-quantum 名前付きグループとの鍵共有のみ:\n"
#ifndef WOLFSSL_NO_ML_KEM
" ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512,"
"\n"
" P384_ML_KEM_768, P521_ML_KEM_1024\n"
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
" KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, "
"P256_KYBER_LEVEL1,\n"
" P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n"
#endif
"",
/* 69 */
#endif
#ifdef WOLFSSL_SRTP
"--srtp <profile> (デフォルトは SRTP_AES128_CM_SHA1_80)\n", /* 70 */

70
examples/server/server.c
View File

@@ -714,6 +714,45 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
else if (usePqc == 1) {
#ifdef HAVE_PQC
groups[count] = 0;
#ifndef WOLFSSL_NO_ML_KEM
#ifndef WOLFSSL_NO_ML_KEM_512
if (XSTRCMP(pqcAlg, "ML_KEM_512") == 0) {
groups[count] = WOLFSSL_ML_KEM_512;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_768
if (XSTRCMP(pqcAlg, "ML_KEM_768") == 0) {
groups[count] = WOLFSSL_ML_KEM_768;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_1024
if (XSTRCMP(pqcAlg, "ML_KEM_1024") == 0) {
groups[count] = WOLFSSL_ML_KEM_1024;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_512
if (XSTRCMP(pqcAlg, "P256_ML_KEM_512") == 0) {
groups[count] = WOLFSSL_P256_ML_KEM_512;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_768
if (XSTRCMP(pqcAlg, "P384_ML_KEM_768") == 0) {
groups[count] = WOLFSSL_P384_ML_KEM_768;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_1024
if (XSTRCMP(pqcAlg, "P521_ML_KEM_1024") == 0) {
groups[count] = WOLFSSL_P521_ML_KEM_1024;
}
else
#endif
#endif /* WOLFSSL_NO_ML_KEM */
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifndef WOLFSSL_NO_KYBER512
if (XSTRCMP(pqcAlg, "KYBER_LEVEL1") == 0) {
groups[count] = WOLFSSL_KYBER_LEVEL1;
@@ -749,6 +788,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
groups[count] = WOLFSSL_P521_KYBER_LEVEL5;
}
else
#endif
#endif
{
err_sys("invalid post-quantum KEM specified");
@@ -982,8 +1022,19 @@ static const char* server_usage_msg[][65] = {
" SSLv3(0) - TLS1.3(4)\n", /* 59 */
#endif
#ifdef HAVE_PQC
"--pqc <alg> Key Share with specified post-quantum algorithm only [KYBER_LEVEL1, KYBER_LEVEL3,\n"
" KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5] \n", /* 60 */
"--pqc <alg> Key Share with specified post-quantum algorithm only:\n"
#ifndef WOLFSSL_NO_ML_KEM
" ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512,"
"\n"
" P384_ML_KEM_768, P521_ML_KEM_1024\n"
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
" KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, "
"P256_KYBER_LEVEL1,\n"
" P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n"
#endif
"",
/* 60 */
#endif
#ifdef WOLFSSL_SRTP
"--srtp <profile> (default is SRTP_AES128_CM_SHA1_80)\n", /* 61 */
@@ -1174,8 +1225,19 @@ static const char* server_usage_msg[][65] = {
" SSLv3(0) - TLS1.3(4)\n", /* 59 */
#endif
#ifdef HAVE_PQC
"--pqc <alg> post-quantum 名前付きグループとの鍵共有のみ [KYBER_LEVEL1, KYBER_LEVEL3,\n"
" KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5]\n", /* 60 */
"--pqc <alg> post-quantum 名前付きグループとの鍵共有のみ:\n"
#ifndef WOLFSSL_NO_ML_KEM
" ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512,"
"\n"
" P384_ML_KEM_768, P521_ML_KEM_1024\n"
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
" KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, "
"P256_KYBER_LEVEL1,\n"
" P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n"
#endif
"",
/* 60 */
#endif
#ifdef WOLFSSL_SRTP
"--srtp <profile> (デフォルトはSRTP_AES128_CM_SHA1_80)\n", /* 61 */

66
src/ssl.c
View File

@@ -3297,6 +3297,17 @@ static int isValidCurveGroup(word16 name)
case WOLFSSL_FFDHE_8192:
#ifdef WOLFSSL_HAVE_KYBER
#ifndef WOLFSSL_NO_ML_KEM
case WOLFSSL_ML_KEM_512:
case WOLFSSL_ML_KEM_768:
case WOLFSSL_ML_KEM_1024:
#if defined(WOLFSSL_WC_KYBER) || defined(HAVE_LIBOQS)
case WOLFSSL_P256_ML_KEM_512:
case WOLFSSL_P384_ML_KEM_768:
case WOLFSSL_P521_ML_KEM_1024:
#endif
#endif /* !WOLFSSL_NO_ML_KEM */
#ifdef WOLFSSL_KYBER_ORIGINAL
case WOLFSSL_KYBER_LEVEL1:
case WOLFSSL_KYBER_LEVEL3:
case WOLFSSL_KYBER_LEVEL5:
@@ -3305,6 +3316,7 @@ static int isValidCurveGroup(word16 name)
case WOLFSSL_P384_KYBER_LEVEL3:
case WOLFSSL_P521_KYBER_LEVEL5:
#endif
#endif /* WOLFSSL_KYBER_ORIGINAL */
#endif
return 1;
@@ -14545,6 +14557,42 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl)
* check to override this result in the case of a hybrid. */
if (IsAtLeastTLSv1_3(ssl->version)) {
switch (ssl->namedGroup) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef HAVE_LIBOQS
case WOLFSSL_ML_KEM_512:
return "ML_KEM_512";
case WOLFSSL_ML_KEM_768:
return "ML_KEM_768";
case WOLFSSL_ML_KEM_1024:
return "ML_KEM_1024";
case WOLFSSL_P256_ML_KEM_512:
return "P256_ML_KEM_512";
case WOLFSSL_P384_ML_KEM_768:
return "P384_ML_KEM_768";
case WOLFSSL_P521_ML_KEM_1024:
return "P521_ML_KEM_1024";
#elif defined(WOLFSSL_WC_KYBER)
#ifdef WOLFSSL_WC_ML_KEM_512
case WOLFSSL_ML_KEM_512:
return "ML_KEM_512";
case WOLFSSL_P256_ML_KEM_512:
return "P256_ML_KEM_512";
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WOLFSSL_ML_KEM_768:
return "ML_KEM_768";
case WOLFSSL_P384_ML_KEM_768:
return "P384_ML_KEM_768";
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WOLFSSL_ML_KEM_1024:
return "ML_KEM_1024";
case WOLFSSL_P521_ML_KEM_1024:
return "P521_ML_KEM_1024";
#endif
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef HAVE_LIBOQS
case WOLFSSL_KYBER_LEVEL1:
return "KYBER_LEVEL1";
@@ -14577,6 +14625,7 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl)
case WOLFSSL_P521_KYBER_LEVEL5:
return "P521_KYBER_LEVEL5";
#endif
#endif
#endif
}
}
@@ -21911,6 +21960,20 @@ const WOLF_EC_NIST_NAME kNistCurves[] = {
{CURVE_NAME("X448"), WC_NID_X448, WOLFSSL_ECC_X448},
#endif
#ifdef WOLFSSL_HAVE_KYBER
#ifndef WOLFSSL_NO_ML_KEM
{CURVE_NAME("ML_KEM_512"), WOLFSSL_ML_KEM_512, WOLFSSL_ML_KEM_512},
{CURVE_NAME("ML_KEM_768"), WOLFSSL_ML_KEM_768, WOLFSSL_ML_KEM_768},
{CURVE_NAME("ML_KEM_1024"), WOLFSSL_ML_KEM_1024, WOLFSSL_ML_KEM_1024},
#if (defined(WOLFSSL_WC_KYBER) || defined(HAVE_LIBOQS)) && defined(HAVE_ECC)
{CURVE_NAME("P256_ML_KEM_512"), WOLFSSL_P256_ML_KEM_512,
WOLFSSL_P256_ML_KEM_512},
{CURVE_NAME("P384_ML_KEM_768"), WOLFSSL_P384_ML_KEM_768,
WOLFSSL_P384_ML_KEM_768},
{CURVE_NAME("P521_ML_KEM_1024"), WOLFSSL_P521_ML_KEM_1024,
WOLFSSL_P521_ML_KEM_1024},
#endif
#endif /* !WOLFSSL_NO_ML_KEM */
#ifdef WOLFSSL_KYBER_ORIGINAL
{CURVE_NAME("KYBER_LEVEL1"), WOLFSSL_KYBER_LEVEL1, WOLFSSL_KYBER_LEVEL1},
{CURVE_NAME("KYBER_LEVEL3"), WOLFSSL_KYBER_LEVEL3, WOLFSSL_KYBER_LEVEL3},
{CURVE_NAME("KYBER_LEVEL5"), WOLFSSL_KYBER_LEVEL5, WOLFSSL_KYBER_LEVEL5},
@@ -21919,7 +21982,8 @@ const WOLF_EC_NIST_NAME kNistCurves[] = {
{CURVE_NAME("P384_KYBER_LEVEL3"), WOLFSSL_P384_KYBER_LEVEL3, WOLFSSL_P384_KYBER_LEVEL3},
{CURVE_NAME("P521_KYBER_LEVEL5"), WOLFSSL_P521_KYBER_LEVEL5, WOLFSSL_P521_KYBER_LEVEL5},
#endif
#endif
#endif /* WOLFSSL_KYBER_ORIGINAL */
#endif /* WOLFSSL_HAVE_KYBER */
#ifdef WOLFSSL_SM2
{CURVE_NAME("SM2"), WC_NID_sm2, WOLFSSL_ECC_SM2P256V1},
#endif

142
src/tls.c
View File

@@ -7983,6 +7983,24 @@ static int kyber_id2type(int id, int *type)
int ret = 0;
switch (id) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WOLFSSL_ML_KEM_512:
*type = WC_ML_KEM_512;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WOLFSSL_ML_KEM_768:
*type = WC_ML_KEM_768;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WOLFSSL_ML_KEM_1024:
*type = WC_ML_KEM_1024;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case WOLFSSL_KYBER_LEVEL1:
*type = KYBER512;
@@ -7997,6 +8015,7 @@ static int kyber_id2type(int id, int *type)
case WOLFSSL_KYBER_LEVEL5:
*type = KYBER1024;
break;
#endif
#endif
default:
ret = NOT_COMPILED_IN;
@@ -8013,12 +8032,22 @@ typedef struct PqcHybridMapping {
} PqcHybridMapping;
static const PqcHybridMapping pqc_hybrid_mapping[] = {
#ifndef WOLFSSL_NO_ML_KEM
{.hybrid = WOLFSSL_P256_ML_KEM_512, .ecc = WOLFSSL_ECC_SECP256R1,
.pqc = WOLFSSL_ML_KEM_512},
{.hybrid = WOLFSSL_P384_ML_KEM_768, .ecc = WOLFSSL_ECC_SECP384R1,
.pqc = WOLFSSL_ML_KEM_768},
{.hybrid = WOLFSSL_P521_ML_KEM_1024, .ecc = WOLFSSL_ECC_SECP521R1,
.pqc = WOLFSSL_ML_KEM_1024},
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
{.hybrid = WOLFSSL_P256_KYBER_LEVEL1, .ecc = WOLFSSL_ECC_SECP256R1,
.pqc = WOLFSSL_KYBER_LEVEL1},
{.hybrid = WOLFSSL_P384_KYBER_LEVEL3, .ecc = WOLFSSL_ECC_SECP384R1,
.pqc = WOLFSSL_KYBER_LEVEL3},
{.hybrid = WOLFSSL_P521_KYBER_LEVEL5, .ecc = WOLFSSL_ECC_SECP521R1,
.pqc = WOLFSSL_KYBER_LEVEL5},
#endif
{.hybrid = 0, .ecc = 0, .pqc = 0}
};
@@ -9663,6 +9692,45 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
#endif
#endif
#ifdef WOLFSSL_HAVE_KYBER
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_KYBER
#ifdef WOLFSSL_WC_ML_KEM_512
case WOLFSSL_ML_KEM_512:
case WOLFSSL_P256_ML_KEM_512:
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WOLFSSL_ML_KEM_768:
case WOLFSSL_P384_ML_KEM_768:
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WOLFSSL_ML_KEM_1024:
case WOLFSSL_P521_ML_KEM_1024:
#endif
break;
#elif defined(HAVE_LIBOQS)
case WOLFSSL_ML_KEM_512:
case WOLFSSL_ML_KEM_768:
case WOLFSSL_ML_KEM_1024:
case WOLFSSL_P256_ML_KEM_512:
case WOLFSSL_P384_ML_KEM_768:
case WOLFSSL_P521_ML_KEM_1024:
{
int ret;
int id;
findEccPqc(NULL, &namedGroup, namedGroup);
ret = kyber_id2type(namedGroup, &id);
if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN)) {
return 0;
}
if (! ext_kyber_enabled(id)) {
return 0;
}
break;
}
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_WC_KYBER
#ifdef WOLFSSL_KYBER512
case WOLFSSL_KYBER_LEVEL1:
@@ -9700,6 +9768,7 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
}
#endif
#endif
#endif /* WOLFSSL_HAVE_KYBER */
default:
return 0;
}
@@ -9745,6 +9814,31 @@ static const word16 preferredGroup[] = {
#if defined(HAVE_FFDHE_8192)
WOLFSSL_FFDHE_8192,
#endif
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_KYBER
#ifdef WOLFSSL_WC_ML_KEM_512
WOLFSSL_ML_KEM_512,
WOLFSSL_P256_ML_KEM_512,
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
WOLFSSL_ML_KEM_768,
WOLFSSL_P384_ML_KEM_768,
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
WOLFSSL_ML_KEM_1024,
WOLFSSL_P521_ML_KEM_1024,
#endif
#elif defined(HAVE_LIBOQS)
/* These require a runtime call to TLSX_KeyShare_IsSupported to use */
WOLFSSL_ML_KEM_512,
WOLFSSL_ML_KEM_768,
WOLFSSL_ML_KEM_1024,
WOLFSSL_P256_ML_KEM_512,
WOLFSSL_P384_ML_KEM_768,
WOLFSSL_P521_ML_KEM_1024,
#endif
#endif /* !WOLFSSL_NO_ML_KEM */
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_WC_KYBER
#ifdef WOLFSSL_KYBER512
WOLFSSL_KYBER_LEVEL1,
@@ -9767,6 +9861,7 @@ static const word16 preferredGroup[] = {
WOLFSSL_P384_KYBER_LEVEL3,
WOLFSSL_P521_KYBER_LEVEL5,
#endif
#endif /* WOLFSSL_KYBER_ORIGINAL */
WOLFSSL_NAMED_GROUP_INVALID
};
@@ -13387,6 +13482,52 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
#endif
#ifdef WOLFSSL_HAVE_KYBER
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_KYBER
#ifdef WOLFSSL_WC_ML_KEM_512
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_512,
ssl->heap);
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_ML_KEM_512,
ssl->heap);
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_768,
ssl->heap);
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_ML_KEM_768,
ssl->heap);
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_1024,
ssl->heap);
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_ML_KEM_1024,
ssl->heap);
#endif
#elif defined(HAVE_LIBOQS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_512, ssl->heap);
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_768,
ssl->heap);
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_1024,
ssl->heap);
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_ML_KEM_512,
ssl->heap);
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_ML_KEM_768,
ssl->heap);
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_ML_KEM_1024,
ssl->heap);
#endif /* HAVE_LIBOQS */
#endif /* !WOLFSSL_NO_ML_KEM */
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_WC_KYBER
#ifdef WOLFSSL_KYBER512
if (ret == WOLFSSL_SUCCESS)
@@ -13430,6 +13571,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_KYBER_LEVEL5,
ssl->heap);
#endif /* HAVE_LIBOQS */
#endif /* WOLFSSL_KYBER_ORIGINAL */
#endif /* WOLFSSL_HAVE_KYBER */
(void)ssl;

220
tests/api.c
View File

@@ -28107,10 +28107,10 @@ static int test_wc_kyber_make_key_kats(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_HAVE_KYBER) && defined(WOLFSSL_WC_KYBER) && \
!defined(WOLFSSL_KYBER_ORIGINAL)
!defined(WOLFSSL_NO_ML_KEM)
KyberKey* key;
#ifndef WOLFSSL_NO_KYBER512
static const byte seed_512[KYBER_MAKEKEY_RAND_SZ] = {
#ifndef WOLFSSL_NO_ML_KEM_512
static const byte seed_512[WC_ML_KEM_MAKEKEY_RAND_SZ] = {
/* d */
0x2C, 0xB8, 0x43, 0xA0, 0x2E, 0xF0, 0x2E, 0xE1,
0x09, 0x30, 0x5F, 0x39, 0x11, 0x9F, 0xAB, 0xF4,
@@ -28122,7 +28122,7 @@ static int test_wc_kyber_make_key_kats(void)
0x3B, 0xB8, 0x08, 0x43, 0x64, 0x52, 0x06, 0xBD,
0xD9, 0xF2, 0xF6, 0x29, 0xE3, 0xCC, 0x49, 0xB7
};
static const byte ek_512[KYBER512_PUBLIC_KEY_SIZE] = {
static const byte ek_512[WC_ML_KEM_512_PUBLIC_KEY_SIZE] = {
0xA3, 0x24, 0x39, 0xF8, 0x5A, 0x3C, 0x21, 0xD2,
0x1A, 0x71, 0xB9, 0xB9, 0x2A, 0x9B, 0x64, 0xEA,
0x0A, 0xB8, 0x43, 0x12, 0xC7, 0x70, 0x23, 0x69,
@@ -28224,7 +28224,7 @@ static int test_wc_kyber_make_key_kats(void)
0x97, 0x37, 0x33, 0xC3, 0x98, 0xEA, 0xF0, 0x0E,
0x17, 0x02, 0xC6, 0x73, 0x4A, 0xD8, 0xEB, 0x3B
};
static const byte dk_512[KYBER512_PRIVATE_KEY_SIZE] = {
static const byte dk_512[WC_ML_KEM_512_PRIVATE_KEY_SIZE] = {
0x7F, 0xE4, 0x20, 0x6F, 0x26, 0xBE, 0xDB, 0x64,
0xC1, 0xED, 0x00, 0x09, 0x61, 0x52, 0x45, 0xDC,
0x98, 0x48, 0x3F, 0x66, 0x3A, 0xCC, 0x61, 0x7E,
@@ -28431,8 +28431,8 @@ static int test_wc_kyber_make_key_kats(void)
0xD9, 0xF2, 0xF6, 0x29, 0xE3, 0xCC, 0x49, 0xB7
};
#endif
#ifndef WOLFSSL_NO_KYBER768
static const byte seed_768[KYBER_MAKEKEY_RAND_SZ] = {
#ifndef WOLFSSL_NO_ML_KEM_768
static const byte seed_768[WC_ML_KEM_MAKEKEY_RAND_SZ] = {
/* d */
0xE3, 0x4A, 0x70, 0x1C, 0x4C, 0x87, 0x58, 0x2F,
0x42, 0x26, 0x4E, 0xE4, 0x22, 0xD3, 0xC6, 0x84,
@@ -28444,7 +28444,7 @@ static int test_wc_kyber_make_key_kats(void)
0x64, 0x8E, 0xAE, 0x4E, 0x54, 0x48, 0xC3, 0x4C,
0x3E, 0xB8, 0x88, 0x20, 0xB1, 0x59, 0xEE, 0xDD
};
static const byte ek_768[KYBER768_PUBLIC_KEY_SIZE] = {
static const byte ek_768[WC_ML_KEM_768_PUBLIC_KEY_SIZE] = {
0x6D, 0x14, 0xA0, 0x71, 0xF7, 0xCC, 0x45, 0x25,
0x58, 0xD5, 0xE7, 0x1A, 0x7B, 0x08, 0x70, 0x62,
0xEC, 0xB1, 0x38, 0x68, 0x44, 0x58, 0x82, 0x46,
@@ -28594,7 +28594,7 @@ static int test_wc_kyber_make_key_kats(void)
0xA6, 0x0D, 0x04, 0xE8, 0xC1, 0x70, 0xD7, 0x41,
0xC7, 0xA2, 0xB0, 0xE1, 0xAB, 0xDA, 0xC9, 0x68
};
static const byte dk_768[KYBER768_PRIVATE_KEY_SIZE] = {
static const byte dk_768[WC_ML_KEM_768_PRIVATE_KEY_SIZE] = {
0x98, 0xA1, 0xB2, 0xDA, 0x4A, 0x65, 0xCF, 0xB5,
0x84, 0x5E, 0xA7, 0x31, 0x1E, 0x6A, 0x06, 0xDB,
0x73, 0x1F, 0x15, 0x90, 0xC4, 0x1E, 0xE7, 0x4B,
@@ -28897,8 +28897,8 @@ static int test_wc_kyber_make_key_kats(void)
0x3E, 0xB8, 0x88, 0x20, 0xB1, 0x59, 0xEE, 0xDD
};
#endif
#ifndef WOLFSSL_NO_KYBER1024
static const byte seed_1024[KYBER_MAKEKEY_RAND_SZ] = {
#ifndef WOLFSSL_NO_ML_KEM_1024
static const byte seed_1024[WC_ML_KEM_MAKEKEY_RAND_SZ] = {
/* d */
0x49, 0xAC, 0x8B, 0x99, 0xBB, 0x1E, 0x6A, 0x8E,
0xA8, 0x18, 0x26, 0x1F, 0x8B, 0xE6, 0x8B, 0xDE,
@@ -28910,7 +28910,7 @@ static int test_wc_kyber_make_key_kats(void)
0x30, 0x22, 0x1F, 0xD6, 0x7D, 0x9B, 0x7D, 0x6E,
0x15, 0x10, 0xB2, 0xDB, 0xAD, 0x87, 0x62, 0xF7
};
static const byte ek_1024[KYBER1024_PUBLIC_KEY_SIZE] = {
static const byte ek_1024[WC_ML_KEM_1024_PUBLIC_KEY_SIZE] = {
0xA0, 0x41, 0x84, 0xD4, 0xBC, 0x7B, 0x53, 0x2A,
0x0F, 0x70, 0xA5, 0x4D, 0x77, 0x57, 0xCD, 0xE6,
0x17, 0x5A, 0x68, 0x43, 0xB8, 0x61, 0xCB, 0x2B,
@@ -29108,7 +29108,7 @@ static int test_wc_kyber_make_key_kats(void)
0x0A, 0x5A, 0x73, 0xC4, 0xDC, 0xFD, 0x75, 0x5E,
0x61, 0x0B, 0x4F, 0xC8, 0x1F, 0xF8, 0x4E, 0x21
};
static const byte dk_1024[KYBER1024_PRIVATE_KEY_SIZE] = {
static const byte dk_1024[WC_ML_KEM_1024_PRIVATE_KEY_SIZE] = {
0x8C, 0x8B, 0x37, 0x22, 0xA8, 0x2E, 0x55, 0x05,
0x65, 0x52, 0x16, 0x11, 0xEB, 0xBC, 0x63, 0x07,
0x99, 0x44, 0xC9, 0xB1, 0xAB, 0xB3, 0xB0, 0x02,
@@ -29507,8 +29507,8 @@ static int test_wc_kyber_make_key_kats(void)
0x15, 0x10, 0xB2, 0xDB, 0xAD, 0x87, 0x62, 0xF7
};
#endif
static byte pubKey[KYBER_MAX_PUBLIC_KEY_SIZE];
static byte privKey[KYBER_MAX_PRIVATE_KEY_SIZE];
static byte pubKey[WC_ML_KEM_MAX_PUBLIC_KEY_SIZE];
static byte privKey[WC_ML_KEM_MAX_PRIVATE_KEY_SIZE];
key = (KyberKey*)XMALLOC(sizeof(KyberKey), NULL, DYNAMIC_TYPE_TMP_BUFFER);
ExpectNotNull(key);
@@ -29516,40 +29516,40 @@ static int test_wc_kyber_make_key_kats(void)
XMEMSET(key, 0, sizeof(KyberKey));
}
#ifndef WOLFSSL_NO_KYBER512
ExpectIntEQ(wc_KyberKey_Init(KYBER512, key, NULL, INVALID_DEVID), 0);
#ifndef WOLFSSL_NO_ML_KEM_512
ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_512, key, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_KyberKey_MakeKeyWithRandom(key, seed_512, sizeof(seed_512)),
0);
ExpectIntEQ(wc_KyberKey_EncodePublicKey(key, pubKey,
KYBER512_PUBLIC_KEY_SIZE), 0);
WC_ML_KEM_512_PUBLIC_KEY_SIZE), 0);
ExpectIntEQ(wc_KyberKey_EncodePrivateKey(key, privKey,
KYBER512_PRIVATE_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(pubKey, ek_512, KYBER512_PUBLIC_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(privKey, dk_512, KYBER512_PRIVATE_KEY_SIZE), 0);
WC_ML_KEM_512_PRIVATE_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(pubKey, ek_512, WC_ML_KEM_512_PUBLIC_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(privKey, dk_512, WC_ML_KEM_512_PRIVATE_KEY_SIZE), 0);
wc_KyberKey_Free(key);
#endif
#ifndef WOLFSSL_NO_KYBER768
ExpectIntEQ(wc_KyberKey_Init(KYBER768, key, NULL, INVALID_DEVID), 0);
#ifndef WOLFSSL_NO_ML_KEM_768
ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_768, key, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_KyberKey_MakeKeyWithRandom(key, seed_768, sizeof(seed_768)),
0);
ExpectIntEQ(wc_KyberKey_EncodePublicKey(key, pubKey,
KYBER768_PUBLIC_KEY_SIZE), 0);
WC_ML_KEM_768_PUBLIC_KEY_SIZE), 0);
ExpectIntEQ(wc_KyberKey_EncodePrivateKey(key, privKey,
KYBER768_PRIVATE_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(pubKey, ek_768, KYBER768_PUBLIC_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(privKey, dk_768, KYBER768_PRIVATE_KEY_SIZE), 0);
WC_ML_KEM_768_PRIVATE_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(pubKey, ek_768, WC_ML_KEM_768_PUBLIC_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(privKey, dk_768, WC_ML_KEM_768_PRIVATE_KEY_SIZE), 0);
wc_KyberKey_Free(key);
#endif
#ifndef WOLFSSL_NO_KYBER1024
ExpectIntEQ(wc_KyberKey_Init(KYBER1024, key, NULL, INVALID_DEVID), 0);
#ifndef WOLFSSL_NO_ML_KEM_1024
ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_1024, key, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_KyberKey_MakeKeyWithRandom(key, seed_1024,
sizeof(seed_1024)), 0);
ExpectIntEQ(wc_KyberKey_EncodePublicKey(key, pubKey,
KYBER1024_PUBLIC_KEY_SIZE), 0);
WC_ML_KEM_1024_PUBLIC_KEY_SIZE), 0);
ExpectIntEQ(wc_KyberKey_EncodePrivateKey(key, privKey,
KYBER1024_PRIVATE_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(pubKey, ek_1024, KYBER1024_PUBLIC_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(privKey, dk_1024, KYBER1024_PRIVATE_KEY_SIZE), 0);
WC_ML_KEM_1024_PRIVATE_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(pubKey, ek_1024, WC_ML_KEM_1024_PUBLIC_KEY_SIZE), 0);
ExpectIntEQ(XMEMCMP(privKey, dk_1024, WC_ML_KEM_1024_PRIVATE_KEY_SIZE), 0);
wc_KyberKey_Free(key);
#endif
@@ -29562,10 +29562,10 @@ static int test_wc_kyber_encapsulate_kats(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_HAVE_KYBER) && defined(WOLFSSL_WC_KYBER) && \
!defined(WOLFSSL_KYBER_ORIGINAL)
!defined(WOLFSSL_NO_ML_KEM)
KyberKey* key;
#ifndef WOLFSSL_NO_KYBER512
static const byte ek_512[KYBER512_PUBLIC_KEY_SIZE] = {
#ifndef WOLFSSL_NO_ML_KEM_512
static const byte ek_512[WC_ML_KEM_512_PUBLIC_KEY_SIZE] = {
0xDD, 0x19, 0x24, 0x93, 0x5A, 0xA8, 0xE6, 0x17,
0xAF, 0x18, 0xB5, 0xA0, 0x65, 0xAC, 0x45, 0x72,
0x77, 0x67, 0xEE, 0x89, 0x7C, 0xF4, 0xF9, 0x44,
@@ -29667,13 +29667,13 @@ static int test_wc_kyber_encapsulate_kats(void)
0xA4, 0xD0, 0x31, 0xA0, 0x8A, 0xBF, 0x4F, 0x2E,
0x74, 0xF1, 0xA0, 0xBB, 0x8A, 0x0F, 0xD3, 0xCB
};
static const byte seed_512[KYBER_ENC_RAND_SZ] = {
static const byte seed_512[WC_ML_KEM_ENC_RAND_SZ] = {
0x6F, 0xF0, 0x2E, 0x1D, 0xC7, 0xFD, 0x91, 0x1B,
0xEE, 0xE0, 0xC6, 0x92, 0xC8, 0xBD, 0x10, 0x0C,
0x3E, 0x5C, 0x48, 0x96, 0x4D, 0x31, 0xDF, 0x92,
0x99, 0x42, 0x18, 0xE8, 0x06, 0x64, 0xA6, 0xCA
};
static const byte c_512[KYBER512_CIPHER_TEXT_SIZE] = {
static const byte c_512[WC_ML_KEM_512_CIPHER_TEXT_SIZE] = {
0x19, 0xC5, 0x92, 0x50, 0x59, 0x07, 0xC2, 0x4C,
0x5F, 0xA2, 0xEB, 0xFA, 0x93, 0x2D, 0x2C, 0xBB,
0x48, 0xF3, 0xE4, 0x34, 0x0A, 0x28, 0xF7, 0xEB,
@@ -29771,15 +29771,15 @@ static int test_wc_kyber_encapsulate_kats(void)
0xD1, 0x8C, 0x8C, 0xD9, 0x12, 0xF9, 0xA7, 0x7F,
0x8E, 0x6B, 0xF0, 0x20, 0x53, 0x74, 0xB4, 0x62
};
static const byte k_512[KYBER_SS_SZ] = {
static const byte k_512[WC_ML_KEM_SS_SZ] = {
0x0B, 0xF3, 0x23, 0x33, 0x8D, 0x6F, 0x0A, 0x21,
0xD5, 0x51, 0x4B, 0x67, 0x3C, 0xD1, 0x0B, 0x71,
0x4C, 0xE6, 0xE3, 0x6F, 0x35, 0xBC, 0xD1, 0xBF,
0x54, 0x41, 0x96, 0x36, 0x8E, 0xE5, 0x1A, 0x13
};
#endif
#ifndef WOLFSSL_NO_KYBER768
static const byte ek_768[KYBER768_PUBLIC_KEY_SIZE] = {
#ifndef WOLFSSL_NO_ML_KEM_768
static const byte ek_768[WC_ML_KEM_768_PUBLIC_KEY_SIZE] = {
0x89, 0xD2, 0xCB, 0x65, 0xF9, 0x4D, 0xCB, 0xFC,
0x89, 0x0E, 0xFC, 0x7D, 0x0E, 0x5A, 0x7A, 0x38,
0x34, 0x4D, 0x16, 0x41, 0xA3, 0xD0, 0xB0, 0x24,
@@ -29929,13 +29929,13 @@ static int test_wc_kyber_encapsulate_kats(void)
0xFE, 0xD3, 0xC3, 0x9C, 0x1B, 0xBD, 0xDB, 0x08,
0x37, 0xD0, 0xD4, 0x70, 0x6B, 0x09, 0x22, 0xC4
};
static const byte seed_768[KYBER_ENC_RAND_SZ] = {
static const byte seed_768[WC_ML_KEM_ENC_RAND_SZ] = {
0x2C, 0xE7, 0x4A, 0xD2, 0x91, 0x13, 0x35, 0x18,
0xFE, 0x60, 0xC7, 0xDF, 0x5D, 0x25, 0x1B, 0x9D,
0x82, 0xAD, 0xD4, 0x84, 0x62, 0xFF, 0x50, 0x5C,
0x6E, 0x54, 0x7E, 0x94, 0x9E, 0x6B, 0x6B, 0xF7
};
static const byte c_768[KYBER768_CIPHER_TEXT_SIZE] = {
static const byte c_768[WC_ML_KEM_768_CIPHER_TEXT_SIZE] = {
0x56, 0xB4, 0x2D, 0x59, 0x3A, 0xAB, 0x8E, 0x87,
0x73, 0xBD, 0x92, 0xD7, 0x6E, 0xAB, 0xDD, 0xF3,
0xB1, 0x54, 0x6F, 0x83, 0x26, 0xF5, 0x7A, 0x7B,
@@ -30073,15 +30073,15 @@ static int test_wc_kyber_encapsulate_kats(void)
0xA2, 0x30, 0x19, 0x81, 0xA6, 0x41, 0x8F, 0x8B,
0xA7, 0xD7, 0xB0, 0xD7, 0xCA, 0x58, 0x75, 0xC6
};
static const byte k_768[KYBER_SS_SZ] = {
static const byte k_768[WC_ML_KEM_SS_SZ] = {
0x26, 0x96, 0xD2, 0x8E, 0x9C, 0x61, 0xC2, 0xA0,
0x1C, 0xE9, 0xB1, 0x60, 0x8D, 0xCB, 0x9D, 0x29,
0x27, 0x85, 0xA0, 0xCD, 0x58, 0xEF, 0xB7, 0xFE,
0x13, 0xB1, 0xDE, 0x95, 0xF0, 0xDB, 0x55, 0xB3
};
#endif
#ifndef WOLFSSL_NO_KYBER1024
static const byte ek_1024[KYBER1024_PUBLIC_KEY_SIZE] = {
#ifndef WOLFSSL_NO_ML_KEM_1024
static const byte ek_1024[WC_ML_KEM_1024_PUBLIC_KEY_SIZE] = {
0x30, 0x7A, 0x4C, 0xEA, 0x41, 0x48, 0x21, 0x9B,
0x95, 0x8E, 0xA0, 0xB7, 0x88, 0x66, 0x59, 0x23,
0x5A, 0x4D, 0x19, 0x80, 0xB1, 0x92, 0x61, 0x08,
@@ -30279,13 +30279,13 @@ static int test_wc_kyber_encapsulate_kats(void)
0x3E, 0x30, 0x41, 0xE0, 0x5D, 0x90, 0x67, 0xAF,
0xF3, 0xB1, 0x24, 0x4F, 0x76, 0x3E, 0x79, 0x83
};
static const byte seed_1024[KYBER_ENC_RAND_SZ] = {
static const byte seed_1024[WC_ML_KEM_ENC_RAND_SZ] = {
0x59, 0xC5, 0x15, 0x4C, 0x04, 0xAE, 0x43, 0xAA,
0xFF, 0x32, 0x70, 0x0F, 0x08, 0x17, 0x00, 0x38,
0x9D, 0x54, 0xBE, 0xC4, 0xC3, 0x7C, 0x08, 0x8B,
0x1C, 0x53, 0xF6, 0x62, 0x12, 0xB1, 0x2C, 0x72
};
static const byte c_1024[KYBER1024_CIPHER_TEXT_SIZE] = {
static const byte c_1024[WC_ML_KEM_1024_CIPHER_TEXT_SIZE] = {
0xE2, 0xD5, 0xFD, 0x4C, 0x13, 0xCE, 0xA0, 0xB5,
0x2D, 0x87, 0x4F, 0xEA, 0x90, 0x12, 0xF3, 0xA5,
0x17, 0x43, 0xA1, 0x09, 0x37, 0x10, 0xBB, 0xF2,
@@ -30483,15 +30483,15 @@ static int test_wc_kyber_encapsulate_kats(void)
0x52, 0x35, 0xD6, 0x36, 0xC6, 0x5C, 0xD1, 0x02,
0xB0, 0x1E, 0x22, 0x78, 0x1A, 0x72, 0x91, 0x8C
};
static const byte k_1024[KYBER_SS_SZ] = {
static const byte k_1024[WC_ML_KEM_SS_SZ] = {
0x72, 0x64, 0xBD, 0xE5, 0xC6, 0xCE, 0xC1, 0x48,
0x49, 0x69, 0x3E, 0x2C, 0x3C, 0x86, 0xE4, 0x8F,
0x80, 0x95, 0x8A, 0x4F, 0x61, 0x86, 0xFC, 0x69,
0x33, 0x3A, 0x41, 0x48, 0xE6, 0xE4, 0x97, 0xF3
};
#endif
static byte ct[KYBER_MAX_CIPHER_TEXT_SIZE];
static byte ss[KYBER_SS_SZ];
static byte ct[WC_ML_KEM_MAX_CIPHER_TEXT_SIZE];
static byte ss[WC_ML_KEM_SS_SZ];
key = (KyberKey*)XMALLOC(sizeof(KyberKey), NULL, DYNAMIC_TYPE_TMP_BUFFER);
ExpectNotNull(key);
@@ -30499,31 +30499,31 @@ static int test_wc_kyber_encapsulate_kats(void)
XMEMSET(key, 0, sizeof(KyberKey));
}
#ifndef WOLFSSL_NO_KYBER512
ExpectIntEQ(wc_KyberKey_Init(KYBER512, key, NULL, INVALID_DEVID), 0);
#ifndef WOLFSSL_NO_ML_KEM_512
ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_512, key, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_KyberKey_DecodePublicKey(key, ek_512, sizeof(ek_512)), 0);
ExpectIntEQ(wc_KyberKey_EncapsulateWithRandom(key, ct, ss, seed_512,
sizeof(seed_512)), 0);
ExpectIntEQ(XMEMCMP(ct, c_512, KYBER512_CIPHER_TEXT_SIZE), 0);
ExpectIntEQ(XMEMCMP(ss, k_512, KYBER_SS_SZ), 0);
ExpectIntEQ(XMEMCMP(ct, c_512, WC_ML_KEM_512_CIPHER_TEXT_SIZE), 0);
ExpectIntEQ(XMEMCMP(ss, k_512, WC_ML_KEM_SS_SZ), 0);
wc_KyberKey_Free(key);
#endif
#ifndef WOLFSSL_NO_KYBER768
ExpectIntEQ(wc_KyberKey_Init(KYBER768, key, NULL, INVALID_DEVID), 0);
#ifndef WOLFSSL_NO_ML_KEM_768
ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_768, key, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_KyberKey_DecodePublicKey(key, ek_768, sizeof(ek_768)), 0);
ExpectIntEQ(wc_KyberKey_EncapsulateWithRandom(key, ct, ss, seed_768,
sizeof(seed_768)), 0);
ExpectIntEQ(XMEMCMP(ct, c_768, KYBER768_CIPHER_TEXT_SIZE), 0);
ExpectIntEQ(XMEMCMP(ss, k_768, KYBER_SS_SZ), 0);
ExpectIntEQ(XMEMCMP(ct, c_768, WC_ML_KEM_768_CIPHER_TEXT_SIZE), 0);
ExpectIntEQ(XMEMCMP(ss, k_768, WC_ML_KEM_SS_SZ), 0);
wc_KyberKey_Free(key);
#endif
#ifndef WOLFSSL_NO_KYBER1024
ExpectIntEQ(wc_KyberKey_Init(KYBER1024, key, NULL, INVALID_DEVID), 0);
#ifndef WOLFSSL_NO_ML_KEM_1024
ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_1024, key, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_KyberKey_DecodePublicKey(key, ek_1024, sizeof(ek_1024)), 0);
ExpectIntEQ(wc_KyberKey_EncapsulateWithRandom(key, ct, ss, seed_1024,
sizeof(seed_1024)), 0);
ExpectIntEQ(XMEMCMP(ct, c_1024, KYBER1024_CIPHER_TEXT_SIZE), 0);
ExpectIntEQ(XMEMCMP(ss, k_1024, KYBER_SS_SZ), 0);
ExpectIntEQ(XMEMCMP(ct, c_1024, WC_ML_KEM_1024_CIPHER_TEXT_SIZE), 0);
ExpectIntEQ(XMEMCMP(ss, k_1024, WC_ML_KEM_SS_SZ), 0);
wc_KyberKey_Free(key);
#endif
@@ -30536,10 +30536,10 @@ static int test_wc_kyber_decapsulate_kats(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_HAVE_KYBER) && defined(WOLFSSL_WC_KYBER) && \
!defined(WOLFSSL_KYBER_ORIGINAL)
!defined(WOLFSSL_NO_ML_KEM)
KyberKey* key;
#ifndef WOLFSSL_NO_KYBER512
static const byte dk_512[KYBER512_PRIVATE_KEY_SIZE] = {
#ifndef WOLFSSL_NO_ML_KEM_512
static const byte dk_512[WC_ML_KEM_512_PRIVATE_KEY_SIZE] = {
0x69, 0xF9, 0xCB, 0xFD, 0x12, 0x37, 0xBA, 0x16,
0x1C, 0xF6, 0xE6, 0xC1, 0x8F, 0x48, 0x8F, 0xC6,
0xE3, 0x9A, 0xB4, 0xA5, 0xC9, 0xE6, 0xC2, 0x2E,
@@ -30745,7 +30745,7 @@ static int test_wc_kyber_decapsulate_kats(void)
0x09, 0x8A, 0x3F, 0x35, 0x17, 0x78, 0xB0, 0x88,
0x8C, 0x95, 0x90, 0xA9, 0x09, 0x0C, 0xD4, 0x04
};
static const byte c_512[KYBER512_CIPHER_TEXT_SIZE] = {
static const byte c_512[WC_ML_KEM_512_CIPHER_TEXT_SIZE] = {
0x16, 0x1C, 0xD2, 0x59, 0xFE, 0xAA, 0x7E, 0xC6,
0xB2, 0x86, 0x49, 0x8A, 0x9A, 0x6F, 0x69, 0xF8,
0xB2, 0x62, 0xA2, 0xE2, 0x09, 0x3D, 0x0F, 0xBD,
@@ -30843,15 +30843,15 @@ static int test_wc_kyber_decapsulate_kats(void)
0x34, 0x6B, 0xAF, 0xCD, 0xD0, 0x6D, 0x40, 0x2F,
0xF2, 0x4D, 0x6C, 0x1E, 0x5F, 0x61, 0xA8, 0x5D
};
static const byte kprime_512[KYBER_SS_SZ] = {
static const byte kprime_512[WC_ML_KEM_SS_SZ] = {
0xDF, 0x46, 0x2A, 0xD6, 0x8F, 0x1E, 0xC8, 0x97,
0x2E, 0xD9, 0xB0, 0x2D, 0x6D, 0xE0, 0x60, 0x4B,
0xDE, 0xC7, 0x57, 0x20, 0xE0, 0x50, 0x49, 0x73,
0x51, 0xE6, 0xEC, 0x93, 0x3E, 0x71, 0xF8, 0x82
};
#endif
#ifndef WOLFSSL_NO_KYBER768
static const byte dk_768[KYBER768_PRIVATE_KEY_SIZE] = {
#ifndef WOLFSSL_NO_ML_KEM_768
static const byte dk_768[WC_ML_KEM_768_PRIVATE_KEY_SIZE] = {
0x1E, 0x4A, 0xC8, 0x7B, 0x1A, 0x69, 0x2A, 0x52,
0x9F, 0xDB, 0xBA, 0xB9, 0x33, 0x74, 0xC5, 0x7D,
0x11, 0x0B, 0x10, 0xF2, 0xB1, 0xDD, 0xEB, 0xAC,
@@ -31153,7 +31153,7 @@ static int test_wc_kyber_decapsulate_kats(void)
0xB4, 0xAB, 0x82, 0xE5, 0xFC, 0xA1, 0x35, 0xE8,
0xD2, 0x6A, 0x6B, 0x3A, 0x89, 0xFA, 0x5B, 0x6F
};
static const byte c_768[KYBER768_CIPHER_TEXT_SIZE] = {
static const byte c_768[WC_ML_KEM_768_CIPHER_TEXT_SIZE] = {
0xA5, 0xC8, 0x1C, 0x76, 0xC2, 0x43, 0x05, 0xE1,
0xCE, 0x5D, 0x81, 0x35, 0xD4, 0x15, 0x23, 0x68,
0x2E, 0x9E, 0xE6, 0xD7, 0xB4, 0x0A, 0xD4, 0x1D,
@@ -31291,15 +31291,15 @@ static int test_wc_kyber_decapsulate_kats(void)
0xA5, 0x9A, 0x1F, 0xD2, 0x8A, 0xF3, 0x5C, 0x00,
0xD1, 0x8A, 0x40, 0x6A, 0x28, 0xFC, 0x79, 0xBA
};
static const byte kprime_768[KYBER_SS_SZ] = {
static const byte kprime_768[WC_ML_KEM_SS_SZ] = {
0xDC, 0x5B, 0x88, 0x88, 0xBC, 0x1E, 0xBA, 0x5C,
0x19, 0x69, 0xC2, 0x11, 0x64, 0xEA, 0x43, 0xE2,
0x2E, 0x7A, 0xC0, 0xCD, 0x01, 0x2A, 0x2F, 0x26,
0xCB, 0x8C, 0x48, 0x7E, 0x69, 0xEF, 0x7C, 0xE4
};
#endif
#ifndef WOLFSSL_NO_KYBER1024
static const byte dk_1024[KYBER1024_PRIVATE_KEY_SIZE] = {
#ifndef WOLFSSL_NO_ML_KEM_1024
static const byte dk_1024[WC_ML_KEM_1024_PRIVATE_KEY_SIZE] = {
0x84, 0x45, 0xC3, 0x36, 0xF3, 0x51, 0x8B, 0x29,
0x81, 0x63, 0xDC, 0xBB, 0x63, 0x57, 0x59, 0x79,
0x83, 0xCA, 0x2E, 0x87, 0x3D, 0xCB, 0x49, 0x61,
@@ -31697,7 +31697,7 @@ static int test_wc_kyber_decapsulate_kats(void)
0x0D, 0xE1, 0xB7, 0xA4, 0x81, 0xB8, 0x3E, 0x58,
0x3B, 0x6A, 0xF1, 0x6F, 0x63, 0xCB, 0x00, 0xC6
};
static const byte c_1024[KYBER1024_CIPHER_TEXT_SIZE] = {
static const byte c_1024[WC_ML_KEM_1024_CIPHER_TEXT_SIZE] = {
0x0C, 0x68, 0x1B, 0x4A, 0xA8, 0x1F, 0x26, 0xAD,
0xFB, 0x64, 0x5E, 0xC2, 0x4B, 0x37, 0x52, 0xF6,
0xB3, 0x2C, 0x68, 0x64, 0x5A, 0xA5, 0xE7, 0xA9,
@@ -31895,14 +31895,14 @@ static int test_wc_kyber_decapsulate_kats(void)
0x7B, 0x12, 0x43, 0x33, 0x43, 0xA6, 0x58, 0xF1,
0x98, 0x0C, 0x81, 0x24, 0xEA, 0x6D, 0xD8, 0x1F
};
static const byte kprime_1024[KYBER_SS_SZ] = {
static const byte kprime_1024[WC_ML_KEM_SS_SZ] = {
0x8F, 0x33, 0x6E, 0x9C, 0x28, 0xDF, 0x34, 0x9E,
0x03, 0x22, 0x0A, 0xF0, 0x1C, 0x42, 0x83, 0x2F,
0xEF, 0xAB, 0x1F, 0x2A, 0x74, 0xC1, 0x6F, 0xAF,
0x6F, 0x64, 0xAD, 0x07, 0x1C, 0x1A, 0x33, 0x94
};
#endif
static byte ss[KYBER_SS_SZ];
static byte ss[WC_ML_KEM_SS_SZ];
key = (KyberKey*)XMALLOC(sizeof(KyberKey), NULL, DYNAMIC_TYPE_TMP_BUFFER);
ExpectNotNull(key);
@@ -31910,25 +31910,25 @@ static int test_wc_kyber_decapsulate_kats(void)
XMEMSET(key, 0, sizeof(KyberKey));
}
#ifndef WOLFSSL_NO_KYBER512
ExpectIntEQ(wc_KyberKey_Init(KYBER512, key, NULL, INVALID_DEVID), 0);
#ifndef WOLFSSL_NO_ML_KEM_512
ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_512, key, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_KyberKey_DecodePrivateKey(key, dk_512, sizeof(dk_512)), 0);
ExpectIntEQ(wc_KyberKey_Decapsulate(key, ss, c_512, sizeof(c_512)), 0);
ExpectIntEQ(XMEMCMP(ss, kprime_512, KYBER_SS_SZ), 0);
ExpectIntEQ(XMEMCMP(ss, kprime_512, WC_ML_KEM_SS_SZ), 0);
wc_KyberKey_Free(key);
#endif
#ifndef WOLFSSL_NO_KYBER768
ExpectIntEQ(wc_KyberKey_Init(KYBER768, key, NULL, INVALID_DEVID), 0);
#ifndef WOLFSSL_NO_ML_KEM_768
ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_768, key, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_KyberKey_DecodePrivateKey(key, dk_768, sizeof(dk_768)), 0);
ExpectIntEQ(wc_KyberKey_Decapsulate(key, ss, c_768, sizeof(c_768)), 0);
ExpectIntEQ(XMEMCMP(ss, kprime_768, KYBER_SS_SZ), 0);
ExpectIntEQ(XMEMCMP(ss, kprime_768, WC_ML_KEM_SS_SZ), 0);
wc_KyberKey_Free(key);
#endif
#ifndef WOLFSSL_NO_KYBER1024
ExpectIntEQ(wc_KyberKey_Init(KYBER1024, key, NULL, INVALID_DEVID), 0);
#ifndef WOLFSSL_NO_ML_KEM_1024
ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_1024, key, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_KyberKey_DecodePrivateKey(key, dk_1024, sizeof(dk_1024)), 0);
ExpectIntEQ(wc_KyberKey_Decapsulate(key, ss, c_1024, sizeof(c_1024)), 0);
ExpectIntEQ(XMEMCMP(ss, kprime_1024, KYBER_SS_SZ), 0);
ExpectIntEQ(XMEMCMP(ss, kprime_1024, WC_ML_KEM_SS_SZ), 0);
wc_KyberKey_Free(key);
#endif
@@ -79230,6 +79230,7 @@ static int test_tls13_apis(void)
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
int groups[2] = { WOLFSSL_ECC_SECP256R1,
#ifdef WOLFSSL_HAVE_KYBER
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifndef WOLFSSL_NO_KYBER512
WOLFSSL_KYBER_LEVEL1
#elif !defined(WOLFSSL_NO_KYBER768)
@@ -79237,6 +79238,15 @@ static int test_tls13_apis(void)
#else
WOLFSSL_KYBER_LEVEL5
#endif
#else
#ifndef WOLFSSL_NO_ML_KEM_512
WOLFSSL_ML_KEM_512
#elif !defined(WOLFSSL_NO_ML_KEM_768)
WOLFSSL_ML_KEM_768
#else
WOLFSSL_ML_KEM_1024
#endif
#endif
#else
WOLFSSL_ECC_SECP256R1
#endif
@@ -79264,6 +79274,7 @@ static int test_tls13_apis(void)
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
"P-256:secp256r1"
#if defined(WOLFSSL_HAVE_KYBER)
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifndef WOLFSSL_NO_KYBER512
":P256_KYBER_LEVEL1"
#elif !defined(WOLFSSL_NO_KYBER768)
@@ -79271,10 +79282,20 @@ static int test_tls13_apis(void)
#else
":P256_KYBER_LEVEL5"
#endif
#else
#ifndef WOLFSSL_NO_KYBER512
":P256_ML_KEM_512"
#elif !defined(WOLFSSL_NO_KYBER768)
":P256_ML_KEM_768"
#else
":P256_ML_KEM_1024"
#endif
#endif
#endif
#endif
#endif /* !defined(NO_ECC_SECP) */
#if defined(WOLFSSL_HAVE_KYBER)
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifndef WOLFSSL_NO_KYBER512
":KYBER_LEVEL1"
#elif !defined(WOLFSSL_NO_KYBER768)
@@ -79282,6 +79303,15 @@ static int test_tls13_apis(void)
#else
":KYBER_LEVEL5"
#endif
#else
#ifndef WOLFSSL_NO_KYBER512
":ML_KEM_512"
#elif !defined(WOLFSSL_NO_KYBER768)
":ML_KEM_768"
#else
":ML_KEM_1024"
#endif
#endif
#endif
"";
#endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */
@@ -79417,12 +79447,22 @@ static int test_tls13_apis(void)
#endif
#if defined(WOLFSSL_HAVE_KYBER)
#ifndef WOLFSSL_NO_ML_KEM
#ifndef WOLFSSL_NO_ML_KEM_768
kyberLevel = WOLFSSL_ML_KEM_768;
#elif !defined(WOLFSSL_NO_ML_KEM_1024)
kyberLevel = WOLFSSL_ML_KEM_1024;
#else
kyberLevel = WOLFSSL_ML_KEM_512;
#endif
#else
#ifndef WOLFSSL_NO_KYBER768
kyberLevel = WOLFSSL_KYBER_LEVEL3;
#elif !defined(WOLFSSL_NO_KYBER1024)
kyberLevel = WOLFSSL_KYBER_LEVEL5;
#else
kyberLevel = WOLFSSL_KYBER_LEVEL1;
#endif
#endif
ExpectIntEQ(wolfSSL_UseKeyShare(NULL, kyberLevel), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#ifndef NO_WOLFSSL_SERVER
@@ -96280,13 +96320,21 @@ static int test_dtls13_basic_connection_id(void)
defined(HAVE_LIBOQS)
static void test_tls13_pq_groups_ctx_ready(WOLFSSL_CTX* ctx)
{
#ifdef WOLFSSL_KYBER_ORIGINAL
int group = WOLFSSL_KYBER_LEVEL5;
#else
int group = WOLFSSL_ML_KEM_1024;
#endif
AssertIntEQ(wolfSSL_CTX_set_groups(ctx, &group, 1), WOLFSSL_SUCCESS);
}
static void test_tls13_pq_groups_on_result(WOLFSSL* ssl)
{
#ifdef WOLFSSL_KYBER_ORIGINAL
AssertStrEQ(wolfSSL_get_curve_name(ssl), "KYBER_LEVEL5");
#else
AssertStrEQ(wolfSSL_get_curve_name(ssl), "ML_KEM_1024");
#endif
}
#endif

23
tests/suites.c
View File

@@ -180,6 +180,28 @@ static int IsKyberLevelAvailable(const char* line)
begin += 6;
end = XSTRSTR(begin, " ");
#ifndef WOLFSSL_NO_ML_KEM
if ((size_t)end - (size_t)begin == 10) {
#ifndef WOLFSSL_NO_ML_KEM_512
if (XSTRNCMP(begin, "ML_KEM_512", 10) == 0) {
available = 1;
}
#endif
#ifndef WOLFSSL_NO_ML_KEM_768
if (XSTRNCMP(begin, "ML_KEM_768", 10) == 0) {
available = 1;
}
#endif
}
#ifndef WOLFSSL_NO_ML_KEM_1024
if ((size_t)end - (size_t)begin == 11) {
if (XSTRNCMP(begin, "ML_KEM_1024", 11) == 0) {
available = 1;
}
}
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
if ((size_t)end - (size_t)begin == 12) {
#ifndef WOLFSSL_NO_KYBER512
if (XSTRNCMP(begin, "KYBER_LEVEL1", 12) == 0) {
@@ -197,6 +219,7 @@ static int IsKyberLevelAvailable(const char* line)
}
#endif
}
#endif
}
return (begin == NULL) || available;

14
tests/test-dtls13-pq-2.conf
View File

@@ -1,3 +1,17 @@
# server DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# client DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# P384_ML_KEM_768 and P521_ML_KEM_1024 would fragment the ClientHello.
# server DTLSv1.3 with post-quantum group
-u
-v 4

18
tests/test-dtls13-pq.conf
View File

@@ -2,12 +2,26 @@
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc KYBER_LEVEL1
--pqc ML_KEM_512
# client DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc KYBER_LEVEL1
--pqc ML_KEM_512
# ML_KEM_768 and ML_KEM_1024 would fragment the ClientHello.
# server DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_512
# client DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_512
# KYBER_LEVEL3 and KYBER_LEVEL5 would fragment the ClientHello.

30
tests/test-tls13-pq-2.conf
View File

@@ -1,3 +1,33 @@
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_768
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_768
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_ML_KEM1024
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_ML_KEM1024
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384

30
tests/test-tls13-pq.conf
View File

@@ -1,3 +1,33 @@
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_512
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_512
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_768
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_768
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_1024
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_1024
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384

55
wolfcrypt/src/ext_kyber.c
View File

@@ -43,9 +43,16 @@
static const char* OQS_ID2name(int id) {
switch (id) {
#ifndef WOLFSSL_NO_ML_KEM
case WC_ML_KEM_512: return OQS_KEM_alg_ml_kem_512;
case WC_ML_KEM_768: return OQS_KEM_alg_ml_kem_768;
case WC_ML_KEM_1024: return OQS_KEM_alg_ml_kem_1024;
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
case KYBER_LEVEL1: return OQS_KEM_alg_kyber_512;
case KYBER_LEVEL3: return OQS_KEM_alg_kyber_768;
case KYBER_LEVEL5: return OQS_KEM_alg_kyber_1024;
#endif
default: break;
}
return NULL;
@@ -83,11 +90,20 @@ int wc_KyberKey_Init(int type, KyberKey* key, void* heap, int devId)
if (ret == 0) {
/* Validate type. */
switch (type) {
#ifndef WOLFSSL_NO_ML_KEM
case WC_ML_KEM_512:
#ifdef HAVE_LIBOQS
case WC_ML_KEM_768:
case WC_ML_KEM_1024:
#endif /* HAVE_LIBOQS */
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
case KYBER_LEVEL1:
#ifdef HAVE_LIBOQS
case KYBER_LEVEL3:
case KYBER_LEVEL5:
#endif /* HAVE_LIBOQS */
#endif
break;
default:
/* No other values supported. */
@@ -152,6 +168,18 @@ int wc_KyberKey_PrivateKeySize(KyberKey* key, word32* len)
/* NOTE: SHAKE and AES variants have the same length private key. */
if (ret == 0) {
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
case WC_ML_KEM_512:
*len = OQS_KEM_ml_kem_512_length_secret_key;
break;
case WC_ML_KEM_768:
*len = OQS_KEM_ml_kem_768_length_secret_key;
break;
case WC_ML_KEM_1024:
*len = OQS_KEM_ml_kem_1024_length_secret_key;
break;
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
case KYBER_LEVEL1:
*len = OQS_KEM_kyber_512_length_secret_key;
break;
@@ -161,6 +189,7 @@ int wc_KyberKey_PrivateKeySize(KyberKey* key, word32* len)
case KYBER_LEVEL5:
*len = OQS_KEM_kyber_1024_length_secret_key;
break;
#endif
default:
/* No other values supported. */
ret = BAD_FUNC_ARG;
@@ -194,6 +223,18 @@ int wc_KyberKey_PublicKeySize(KyberKey* key, word32* len)
/* NOTE: SHAKE and AES variants have the same length public key. */
if (ret == 0) {
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
case WC_ML_KEM_512:
*len = OQS_KEM_ml_kem_512_length_public_key;
break;
case WC_ML_KEM_768:
*len = OQS_KEM_ml_kem_768_length_public_key;
break;
case WC_ML_KEM_1024:
*len = OQS_KEM_ml_kem_1024_length_public_key;
break;
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
case KYBER_LEVEL1:
*len = OQS_KEM_kyber_512_length_public_key;
break;
@@ -203,6 +244,7 @@ int wc_KyberKey_PublicKeySize(KyberKey* key, word32* len)
case KYBER_LEVEL5:
*len = OQS_KEM_kyber_1024_length_public_key;
break;
#endif
default:
/* No other values supported. */
ret = BAD_FUNC_ARG;
@@ -236,6 +278,18 @@ int wc_KyberKey_CipherTextSize(KyberKey* key, word32* len)
/* NOTE: SHAKE and AES variants have the same length ciphertext. */
if (ret == 0) {
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
case WC_ML_KEM_512:
*len = OQS_KEM_ml_kem_512_length_ciphertext;
break;
case WC_ML_KEM_768:
*len = OQS_KEM_ml_kem_768_length_ciphertext;
break;
case WC_ML_KEM_1024:
*len = OQS_KEM_ml_kem_1024_length_ciphertext;
break;
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
case KYBER_LEVEL1:
*len = OQS_KEM_kyber_512_length_ciphertext;
break;
@@ -245,6 +299,7 @@ int wc_KyberKey_CipherTextSize(KyberKey* key, word32* len)
case KYBER_LEVEL5:
*len = OQS_KEM_kyber_1024_length_ciphertext;
break;
#endif
default:
/* No other values supported. */
ret = BAD_FUNC_ARG;

367
wolfcrypt/src/wc_kyber.c
View File

@@ -68,7 +68,9 @@ volatile sword16 kyber_opt_blocker = 0;
/**
* Initialize the Kyber key.
*
* @param [in] type Type of key: KYBER512, KYBER768, KYBER1024.
* @param [in] type Type of key:
* WC_ML_KEM_512, WC_ML_KEM_768, WC_ML_KEM_1024,
* KYBER512, KYBER768, KYBER1024.
* @param [out] key Kyber key object to initialize.
* @param [in] heap Dynamic memory hint.
* @param [in] devId Device Id.
@@ -87,6 +89,27 @@ int wc_KyberKey_Init(int type, KyberKey* key, void* heap, int devId)
if (ret == 0) {
/* Validate type. */
switch (type) {
#ifndef WOLFSSL_NO_ML_KEM
case WC_ML_KEM_512:
#ifndef WOLFSSL_WC_ML_KEM_512
/* Code not compiled in for Kyber-512. */
ret = NOT_COMPILED_IN;
#endif
break;
case WC_ML_KEM_768:
#ifndef WOLFSSL_WC_ML_KEM_768
/* Code not compiled in for Kyber-768. */
ret = NOT_COMPILED_IN;
#endif
break;
case WC_ML_KEM_1024:
#ifndef WOLFSSL_WC_ML_KEM_1024
/* Code not compiled in for Kyber-1024. */
ret = NOT_COMPILED_IN;
#endif
break;
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
case KYBER512:
#ifndef WOLFSSL_KYBER512
/* Code not compiled in for Kyber-512. */
@@ -105,6 +128,7 @@ int wc_KyberKey_Init(int type, KyberKey* key, void* heap, int devId)
ret = NOT_COMPILED_IN;
#endif
break;
#endif
default:
/* No other values supported. */
ret = BAD_FUNC_ARG;
@@ -230,6 +254,24 @@ int wc_KyberKey_MakeKeyWithRandom(KyberKey* key, const unsigned char* rand,
if (ret == 0) {
/* Establish parameters based on key type. */
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
kp = WC_ML_KEM_512_K;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
kp = WC_ML_KEM_768_K;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
kp = WC_ML_KEM_1024_K;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case KYBER512:
kp = KYBER512_K;
@@ -244,6 +286,7 @@ int wc_KyberKey_MakeKeyWithRandom(KyberKey* key, const unsigned char* rand,
case KYBER1024:
kp = KYBER1024_K;
break;
#endif
#endif
default:
/* No other values supported. */
@@ -266,13 +309,24 @@ int wc_KyberKey_MakeKeyWithRandom(KyberKey* key, const unsigned char* rand,
/* Error vector allocated at end of a. */
e = a + (kp * kp * KYBER_N);
#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM)
if (key->type & KYBER_ORIGINAL)
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
{
/* Expand 32 bytes of random to 32. */
ret = KYBER_HASH_G(&key->hash, d, KYBER_SYM_SZ, NULL, 0, buf);
#else
}
#endif
#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM)
else
#endif
#ifndef WOLFSSL_NO_ML_KEM
{
buf[0] = kp;
/* Expand 33 bytes of random to 32. */
ret = KYBER_HASH_G(&key->hash, d, KYBER_SYM_SZ, buf, 1, buf);
}
#endif
}
if (ret == 0) {
@@ -333,6 +387,24 @@ int wc_KyberKey_CipherTextSize(KyberKey* key, word32* len)
if (ret == 0) {
/* Return in 'len' size of the cipher text for the type of this key. */
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
*len = WC_ML_KEM_512_CIPHER_TEXT_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
*len = WC_ML_KEM_768_CIPHER_TEXT_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
*len = WC_ML_KEM_1024_CIPHER_TEXT_SIZE;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case KYBER512:
*len = KYBER512_CIPHER_TEXT_SIZE;
@@ -347,6 +419,7 @@ int wc_KyberKey_CipherTextSize(KyberKey* key, word32* len)
case KYBER1024:
*len = KYBER1024_CIPHER_TEXT_SIZE;
break;
#endif
#endif
default:
/* No other values supported. */
@@ -398,6 +471,27 @@ static int kyberkey_encapsulate(KyberKey* key, const byte* msg, byte* coins,
/* Establish parameters based on key type. */
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
kp = WC_ML_KEM_512_K;
compVecSz = WC_ML_KEM_512_POLY_VEC_COMPRESSED_SZ;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
kp = WC_ML_KEM_768_K;
compVecSz = WC_ML_KEM_768_POLY_VEC_COMPRESSED_SZ;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
kp = WC_ML_KEM_1024_K;
compVecSz = WC_ML_KEM_1024_POLY_VEC_COMPRESSED_SZ;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case KYBER512:
kp = KYBER512_K;
@@ -415,6 +509,7 @@ static int kyberkey_encapsulate(KyberKey* key, const byte* msg, byte* coins,
kp = KYBER1024_K;
compVecSz = KYBER1024_POLY_VEC_COMPRESSED_SZ;
break;
#endif
#endif
default:
/* No other values supported. */
@@ -463,19 +558,19 @@ static int kyberkey_encapsulate(KyberKey* key, const byte* msg, byte* coins,
/* Perform encapsulation maths. */
kyber_encapsulate(key->pub, bp, v, at, sp, ep, epp, k, kp);
#ifdef WOLFSSL_KYBER512
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
if (kp == KYBER512_K) {
kyber_vec_compress_10(ct, bp, kp);
kyber_compress_4(ct + compVecSz, v);
}
#endif
#ifdef WOLFSSL_KYBER768
#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
if (kp == KYBER768_K) {
kyber_vec_compress_10(ct, bp, kp);
kyber_compress_4(ct + compVecSz, v);
}
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
if (kp == KYBER1024_K) {
kyber_vec_compress_11(ct, bp);
kyber_compress_5(ct + compVecSz, v);
@@ -562,6 +657,18 @@ int wc_KyberKey_EncapsulateWithRandom(KyberKey* key, unsigned char* ct,
if (ret == 0) {
/* Establish parameters based on key type. */
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
#endif
break;
#endif
#ifdef WOLFSSL_KYBER512
case KYBER512:
ctSz = KYBER512_CIPHER_TEXT_SIZE;
@@ -614,31 +721,62 @@ int wc_KyberKey_EncapsulateWithRandom(KyberKey* key, unsigned char* ct,
#ifdef WOLFSSL_KYBER_ORIGINAL
if (ret == 0) {
#ifndef WOLFSSL_NO_ML_KEM
if (key->type & KYBER_ORIGINAL)
#endif
{
/* Hash random to anonymize as seed data. */
ret = KYBER_HASH_H(&key->hash, rand, KYBER_SYM_SZ, msg);
}
}
#endif
if (ret == 0) {
/* Hash message into seed buffer. */
#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM)
if (key->type & KYBER_ORIGINAL)
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
ret = KYBER_HASH_G(&key->hash, msg, KYBER_SYM_SZ, key->h, KYBER_SYM_SZ,
kr);
#else
ret = KYBER_HASH_G(&key->hash, rand, KYBER_SYM_SZ, key->h, KYBER_SYM_SZ,
kr);
{
ret = KYBER_HASH_G(&key->hash, msg, KYBER_SYM_SZ, key->h,
KYBER_SYM_SZ, kr);
}
#endif
#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM)
else
#endif
#ifndef WOLFSSL_NO_ML_KEM
{
ret = KYBER_HASH_G(&key->hash, rand, KYBER_SYM_SZ, key->h,
KYBER_SYM_SZ, kr);
}
#endif
}
if (ret == 0) {
/* Encapsulate the message using the key and the seed (coins). */
#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM)
if (key->type & KYBER_ORIGINAL)
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
{
ret = kyberkey_encapsulate(key, msg, kr + KYBER_SYM_SZ, ct);
#else
}
#endif
#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM)
else
#endif
#ifndef WOLFSSL_NO_ML_KEM
{
ret = kyberkey_encapsulate(key, rand, kr + KYBER_SYM_SZ, ct);
}
#endif
}
#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM)
if (key->type & KYBER_ORIGINAL)
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
{
if (ret == 0) {
/* Hash the cipher text after the seed. */
ret = KYBER_HASH_H(&key->hash, ct, ctSz, kr + KYBER_SYM_SZ);
@@ -647,10 +785,17 @@ int wc_KyberKey_EncapsulateWithRandom(KyberKey* key, unsigned char* ct,
/* Derive the secret from the seed and hash of cipher text. */
ret = KYBER_KDF(kr, 2 * KYBER_SYM_SZ, ss, KYBER_SS_SZ);
}
#else
}
#endif
#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM)
else
#endif
#ifndef WOLFSSL_NO_ML_KEM
{
if (ret == 0) {
XMEMCPY(ss, kr, KYBER_SS_SZ);
}
}
#endif
return ret;
@@ -683,6 +828,27 @@ static KYBER_NOINLINE int kyberkey_decapsulate(KyberKey* key,
/* Establish parameters based on key type. */
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
kp = WC_ML_KEM_512_K;
compVecSz = WC_ML_KEM_512_POLY_VEC_COMPRESSED_SZ;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
kp = WC_ML_KEM_768_K;
compVecSz = WC_ML_KEM_768_POLY_VEC_COMPRESSED_SZ;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
kp = WC_ML_KEM_1024_K;
compVecSz = WC_ML_KEM_1024_POLY_VEC_COMPRESSED_SZ;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case KYBER512:
kp = KYBER512_K;
@@ -700,6 +866,7 @@ static KYBER_NOINLINE int kyberkey_decapsulate(KyberKey* key,
kp = KYBER1024_K;
compVecSz = KYBER1024_POLY_VEC_COMPRESSED_SZ;
break;
#endif
#endif
default:
/* No other values supported. */
@@ -723,19 +890,19 @@ static KYBER_NOINLINE int kyberkey_decapsulate(KyberKey* key,
v = bp + kp * KYBER_N;
mp = v + KYBER_N;
#ifdef WOLFSSL_KYBER512
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
if (kp == KYBER512_K) {
kyber_vec_decompress_10(bp, ct, kp);
kyber_decompress_4(v, ct + compVecSz);
}
#endif
#ifdef WOLFSSL_KYBER768
#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
if (kp == KYBER768_K) {
kyber_vec_decompress_10(bp, ct, kp);
kyber_decompress_4(v, ct + compVecSz);
}
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
if (kp == KYBER1024_K) {
kyber_vec_decompress_11(bp, ct);
kyber_decompress_5(v, ct + compVecSz);
@@ -757,7 +924,7 @@ static KYBER_NOINLINE int kyberkey_decapsulate(KyberKey* key,
return ret;
}
#ifndef WOLFSSL_KYBER_ORIGINAL
#ifndef WOLFSSL_NO_ML_KEM
/* Derive the secret from z and cipher text.
*
* @param [in] z Implicit rejection value.
@@ -828,6 +995,24 @@ int wc_KyberKey_Decapsulate(KyberKey* key, unsigned char* ss,
if (ret == 0) {
/* Establish cipher text size based on key type. */
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
ctSz = WC_ML_KEM_512_CIPHER_TEXT_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
ctSz = WC_ML_KEM_768_CIPHER_TEXT_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
ctSz = WC_ML_KEM_1024_CIPHER_TEXT_SIZE;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case KYBER512:
ctSz = KYBER512_CIPHER_TEXT_SIZE;
@@ -842,6 +1027,7 @@ int wc_KyberKey_Decapsulate(KyberKey* key, unsigned char* ss,
case KYBER1024:
ctSz = KYBER1024_CIPHER_TEXT_SIZE;
break;
#endif
#endif
default:
/* No other values supported. */
@@ -882,10 +1068,13 @@ int wc_KyberKey_Decapsulate(KyberKey* key, unsigned char* ss,
/* Compare generated cipher text with that passed in. */
fail = kyber_cmp(ct, cmp, ctSz);
#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM)
if (key->type & KYBER_ORIGINAL)
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
{
/* Hash the cipher text after the seed. */
ret = KYBER_HASH_H(&key->hash, ct, ctSz, kr + KYBER_SYM_SZ);
}
if (ret == 0) {
/* Change seed to z on comparison failure. */
for (i = 0; i < KYBER_SYM_SZ; i++) {
@@ -894,14 +1083,22 @@ int wc_KyberKey_Decapsulate(KyberKey* key, unsigned char* ss,
/* Derive the secret from the seed and hash of cipher text. */
ret = KYBER_KDF(kr, 2 * KYBER_SYM_SZ, ss, KYBER_SS_SZ);
#else
ret = kyber_derive_secret(key->z, ct, ctSz, msg);
}
}
#endif
#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM)
else
#endif
#ifndef WOLFSSL_NO_ML_KEM
{
ret = kyber_derive_secret(key->z, ct, ctSz, msg);
if (ret == 0) {
/* Change seed to z on comparison failure. */
for (i = 0; i < KYBER_SYM_SZ; i++) {
ss[i] = kr[i] ^ ((kr[i] ^ msg[i]) & fail);
}
}
}
#endif
}
@@ -947,6 +1144,30 @@ int wc_KyberKey_DecodePrivateKey(KyberKey* key, const unsigned char* in,
if (ret == 0) {
/* Establish parameters based on key type. */
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
k = WC_ML_KEM_512_K;
privLen = WC_ML_KEM_512_PRIVATE_KEY_SIZE;
pubLen = WC_ML_KEM_512_PUBLIC_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
k = WC_ML_KEM_768_K;
privLen = WC_ML_KEM_768_PRIVATE_KEY_SIZE;
pubLen = WC_ML_KEM_768_PUBLIC_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
k = WC_ML_KEM_1024_K;
privLen = WC_ML_KEM_1024_PRIVATE_KEY_SIZE;
pubLen = WC_ML_KEM_1024_PUBLIC_KEY_SIZE;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case KYBER512:
k = KYBER512_K;
@@ -967,6 +1188,7 @@ int wc_KyberKey_DecodePrivateKey(KyberKey* key, const unsigned char* in,
privLen = KYBER1024_PRIVATE_KEY_SIZE;
pubLen = KYBER1024_PUBLIC_KEY_SIZE;
break;
#endif
#endif
default:
/* No other values supported. */
@@ -1030,6 +1252,27 @@ int wc_KyberKey_DecodePublicKey(KyberKey* key, const unsigned char* in,
if (ret == 0) {
/* Establish parameters based on key type. */
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
k = WC_ML_KEM_512_K;
pubLen = WC_ML_KEM_512_PUBLIC_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
k = WC_ML_KEM_768_K;
pubLen = WC_ML_KEM_768_PUBLIC_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
k = WC_ML_KEM_1024_K;
pubLen = WC_ML_KEM_1024_PUBLIC_KEY_SIZE;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case KYBER512:
k = KYBER512_K;
@@ -1047,6 +1290,7 @@ int wc_KyberKey_DecodePublicKey(KyberKey* key, const unsigned char* in,
k = KYBER1024_K;
pubLen = KYBER1024_PUBLIC_KEY_SIZE;
break;
#endif
#endif
default:
/* No other values supported. */
@@ -1103,6 +1347,24 @@ int wc_KyberKey_PrivateKeySize(KyberKey* key, word32* len)
/* Return in 'len' size of the encoded private key for the type of this
* key. */
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
*len = WC_ML_KEM_512_PRIVATE_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
*len = WC_ML_KEM_768_PRIVATE_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
*len = WC_ML_KEM_1024_PRIVATE_KEY_SIZE;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case KYBER512:
*len = KYBER512_PRIVATE_KEY_SIZE;
@@ -1117,6 +1379,7 @@ int wc_KyberKey_PrivateKeySize(KyberKey* key, word32* len)
case KYBER1024:
*len = KYBER1024_PRIVATE_KEY_SIZE;
break;
#endif
#endif
default:
/* No other values supported. */
@@ -1150,6 +1413,24 @@ int wc_KyberKey_PublicKeySize(KyberKey* key, word32* len)
/* Return in 'len' size of the encoded public key for the type of this
* key. */
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
*len = WC_ML_KEM_512_PUBLIC_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
*len = WC_ML_KEM_768_PUBLIC_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
*len = WC_ML_KEM_1024_PUBLIC_KEY_SIZE;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case KYBER512:
*len = KYBER512_PUBLIC_KEY_SIZE;
@@ -1164,6 +1445,7 @@ int wc_KyberKey_PublicKeySize(KyberKey* key, word32* len)
case KYBER1024:
*len = KYBER1024_PUBLIC_KEY_SIZE;
break;
#endif
#endif
default:
/* No other values supported. */
@@ -1206,6 +1488,30 @@ int wc_KyberKey_EncodePrivateKey(KyberKey* key, unsigned char* out, word32 len)
if (ret == 0) {
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
k = WC_ML_KEM_512_K;
pubLen = WC_ML_KEM_512_PUBLIC_KEY_SIZE;
privLen = WC_ML_KEM_512_PRIVATE_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
k = WC_ML_KEM_768_K;
pubLen = WC_ML_KEM_768_PUBLIC_KEY_SIZE;
privLen = WC_ML_KEM_768_PRIVATE_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
k = WC_ML_KEM_1024_K;
pubLen = WC_ML_KEM_1024_PUBLIC_KEY_SIZE;
privLen = WC_ML_KEM_1024_PRIVATE_KEY_SIZE;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case KYBER512:
k = KYBER512_K;
@@ -1226,6 +1532,7 @@ int wc_KyberKey_EncodePrivateKey(KyberKey* key, unsigned char* out, word32 len)
pubLen = KYBER1024_PUBLIC_KEY_SIZE;
privLen = KYBER1024_PRIVATE_KEY_SIZE;
break;
#endif
#endif
default:
/* No other values supported. */
@@ -1293,6 +1600,27 @@ int wc_KyberKey_EncodePublicKey(KyberKey* key, unsigned char* out, word32 len)
if (ret == 0) {
switch (key->type) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
case WC_ML_KEM_512:
k = WC_ML_KEM_512_K;
pubLen = WC_ML_KEM_512_PUBLIC_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
case WC_ML_KEM_768:
k = WC_ML_KEM_768_K;
pubLen = WC_ML_KEM_768_PUBLIC_KEY_SIZE;
break;
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
case WC_ML_KEM_1024:
k = WC_ML_KEM_1024_K;
pubLen = WC_ML_KEM_1024_PUBLIC_KEY_SIZE;
break;
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
case KYBER512:
k = KYBER512_K;
@@ -1310,6 +1638,7 @@ int wc_KyberKey_EncodePublicKey(KyberKey* key, unsigned char* out, word32 len)
k = KYBER1024_K;
pubLen = KYBER1024_PUBLIC_KEY_SIZE;
break;
#endif
#endif
default:
/* No other values supported. */

71
wolfcrypt/src/wc_kyber_poly.c
View File

@@ -33,6 +33,12 @@
* WOLFSSL_WC_KYBER Default: OFF
* Enables this code, wolfSSL implementation, to be built.
*
* WOLFSSL_WC_ML_KEM_512 Default: OFF
* Enables the ML-KEM 512 parameter implementations.
* WOLFSSL_WC_ML_KEM_768 Default: OFF
* Enables the ML-KEM 768 parameter implementations.
* WOLFSSL_WC_ML_KEM_1024 Default: OFF
* Enables the ML-KEM 1024 parameter implementations.
* WOLFSSL_KYBER512 Default: OFF
* Enables the KYBER512 parameter implementations.
* WOLFSSL_KYBER768 Default: OFF
@@ -1402,7 +1408,7 @@ void kyber_decapsulate(const sword16* priv, sword16* mp, sword16* bp,
/******************************************************************************/
#ifdef USE_INTEL_SPEEDUP
#ifdef WOLFSSL_KYBER512
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
/* Deterministically generate a matrix (or transpose) of uniform integers mod q.
*
* Seed used with XOF to generate random bytes.
@@ -1492,7 +1498,7 @@ static int kyber_gen_matrix_k2_avx2(sword16* a, byte* seed, int transposed)
}
#endif
#ifdef WOLFSSL_KYBER768
#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
/* Deterministically generate a matrix (or transpose) of uniform integers mod q.
*
* Seed used with XOF to generate random bytes.
@@ -1617,7 +1623,7 @@ static int kyber_gen_matrix_k3_avx2(sword16* a, byte* seed, int transposed)
return 0;
}
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
/* Deterministically generate a matrix (or transpose) of uniform integers mod q.
*
* Seed used with XOF to generate random bytes.
@@ -1706,9 +1712,9 @@ static int kyber_gen_matrix_k4_avx2(sword16* a, byte* seed, int transposed)
return 0;
}
#endif /* KYBER1024 */
#endif /* WOLFSSL_KYBER1024 || WOLFSSL_WC_ML_KEM_1024 */
#elif defined(WOLFSSL_ARMASM) && defined(__aarch64__)
#ifdef WOLFSSL_KYBER512
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
/* Deterministically generate a matrix (or transpose) of uniform integers mod q.
*
* Seed used with XOF to generate random bytes.
@@ -1782,7 +1788,7 @@ static int kyber_gen_matrix_k2_aarch64(sword16* a, byte* seed, int transposed)
}
#endif
#ifdef WOLFSSL_KYBER768
#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
/* Deterministically generate a matrix (or transpose) of uniform integers mod q.
*
* Seed used with XOF to generate random bytes.
@@ -1848,7 +1854,7 @@ static int kyber_gen_matrix_k3_aarch64(sword16* a, byte* seed, int transposed)
}
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
/* Deterministically generate a matrix (or transpose) of uniform integers mod q.
*
* Seed used with XOF to generate random bytes.
@@ -2381,7 +2387,7 @@ int kyber_gen_matrix(KYBER_PRF_T* prf, sword16* a, int kp, byte* seed,
{
int ret;
#ifdef WOLFSSL_KYBER512
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
if (kp == KYBER512_K) {
#if defined(WOLFSSL_ARMASM) && defined(__aarch64__)
ret = kyber_gen_matrix_k2_aarch64(a, seed, transposed);
@@ -2400,7 +2406,7 @@ int kyber_gen_matrix(KYBER_PRF_T* prf, sword16* a, int kp, byte* seed,
}
else
#endif
#ifdef WOLFSSL_KYBER768
#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
if (kp == KYBER768_K) {
#if defined(WOLFSSL_ARMASM) && defined(__aarch64__)
ret = kyber_gen_matrix_k3_aarch64(a, seed, transposed);
@@ -2419,7 +2425,7 @@ int kyber_gen_matrix(KYBER_PRF_T* prf, sword16* a, int kp, byte* seed,
}
else
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
if (kp == KYBER1024_K) {
#if defined(WOLFSSL_ARMASM) && defined(__aarch64__)
ret = kyber_gen_matrix_k4_aarch64(a, seed, transposed);
@@ -2556,7 +2562,7 @@ static void kyber_cbd_eta2(sword16* p, const byte* r)
#endif
}
#ifdef WOLFSSL_KYBER512
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
/* Subtract one 3 bit value from another out of a larger number.
*
* @param [in] d Value containing sequential 3 bit values.
@@ -2726,7 +2732,7 @@ static int kyber_get_noise_eta1_c(KYBER_PRF_T* prf, sword16* p,
(void)eta1;
#ifdef WOLFSSL_KYBER512
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
if (eta1 == KYBER_CBD_ETA3) {
byte rand[ETA3_RAND_SIZE];
@@ -2781,7 +2787,8 @@ static int kyber_get_noise_eta2_c(KYBER_PRF_T* prf, sword16* p,
#ifdef USE_INTEL_SPEEDUP
#define PRF_RAND_SZ (2 * SHA3_256_BYTES)
#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_KYBER1024)
#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) || \
defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
/* Get the noise/error by calculating random bytes.
*
* @param [out] rand Random number byte array.
@@ -2804,7 +2811,7 @@ static void kyber_get_noise_x4_eta2_avx2(byte* rand, byte* seed, byte o)
}
#endif
#ifdef WOLFSSL_KYBER512
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
/* Get the noise/error by calculating random bytes.
*
* @param [out] rand Random number byte array.
@@ -2890,7 +2897,7 @@ static int kyber_get_noise_k2_avx2(KYBER_PRF_T* prf, sword16* vec1,
}
#endif
#ifdef WOLFSSL_KYBER768
#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
/* Get the noise/error by calculating random bytes and sampling to a binomial
* distribution.
*
@@ -2921,7 +2928,7 @@ static int kyber_get_noise_k3_avx2(sword16* vec1, sword16* vec2, sword16* poly,
}
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
/* Get the noise/error by calculating random bytes and sampling to a binomial
* distribution.
*
@@ -2981,7 +2988,7 @@ static void kyber_get_noise_x3_eta2_aarch64(byte* rand, byte* seed, byte o)
kyber_shake256_blocksx3_seed_neon(state, seed);
}
#ifdef WOLFSSL_KYBER512
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
/* Get the noise/error by calculating random bytes.
*
* @param [out] rand Random number byte array.
@@ -3068,7 +3075,7 @@ static int kyber_get_noise_k2_aarch64(sword16* vec1, sword16* vec2,
}
#endif
#ifdef WOLFSSL_KYBER768
#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
/* Get the noise/error by calculating random bytes.
*
* @param [out] rand Random number byte array.
@@ -3122,7 +3129,7 @@ static int kyber_get_noise_k3_aarch64(sword16* vec1, sword16* vec2,
}
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
/* Get the noise/error by calculating random bytes and sampling to a binomial
* distribution.
*
@@ -3221,7 +3228,7 @@ int kyber_get_noise(KYBER_PRF_T* prf, int kp, sword16* vec1,
{
int ret;
#ifdef WOLFSSL_KYBER512
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
if (kp == KYBER512_K) {
#if defined(WOLFSSL_ARMASM) && defined(__aarch64__)
ret = kyber_get_noise_k2_aarch64(vec1, vec2, poly, seed);
@@ -3245,7 +3252,7 @@ int kyber_get_noise(KYBER_PRF_T* prf, int kp, sword16* vec1,
}
else
#endif
#ifdef WOLFSSL_KYBER768
#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
if (kp == KYBER768_K) {
#if defined(WOLFSSL_ARMASM) && defined(__aarch64__)
ret = kyber_get_noise_k3_aarch64(vec1, vec2, poly, seed);
@@ -3265,7 +3272,7 @@ int kyber_get_noise(KYBER_PRF_T* prf, int kp, sword16* vec1,
}
else
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
if (kp == KYBER1024_K) {
#if defined(WOLFSSL_ARMASM) && defined(__aarch64__)
ret = kyber_get_noise_k4_aarch64(vec1, vec2, poly, seed);
@@ -3475,7 +3482,8 @@ static KYBER_NOINLINE void kyber_csubq_c(sword16* p)
#endif /* CONV_WITH_DIV */
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_KYBER768)
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) || \
defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
/* Compress the vector of polynomials into a byte array with 10 bits each.
*
* @param [out] b Array of bytes.
@@ -3593,7 +3601,7 @@ void kyber_vec_compress_10(byte* r, sword16* v, unsigned int kp)
}
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
/* Compress the vector of polynomials into a byte array with 11 bits each.
*
* @param [out] b Array of bytes.
@@ -3713,7 +3721,8 @@ void kyber_vec_compress_11(byte* r, sword16* v)
v[(i) * KYBER_N + 8 * (j) + (k)] = \
(word16)((((word32)((t) & 0x7ff) * KYBER_Q) + 1024) >> 11)
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_KYBER768)
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) || \
defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
/* Decompress the byte array of packed 10 bits into vector of polynomials.
*
* @param [out] v Vector of polynomials.
@@ -3785,7 +3794,7 @@ void kyber_vec_decompress_10(sword16* v, const unsigned char* b,
}
}
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
/* Decompress the byte array of packed 11 bits into vector of polynomials.
*
* @param [out] v Vector of polynomials.
@@ -3948,7 +3957,8 @@ void kyber_vec_decompress_11(sword16* v, const unsigned char* b)
#endif /* CONV_WITH_DIV */
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_KYBER768)
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) || \
defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
/* Compress a polynomial into byte array - on coefficients into 4 bits.
*
* @param [out] b Array of bytes.
@@ -4020,7 +4030,7 @@ void kyber_compress_4(byte* b, sword16* p)
}
}
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
/* Compress a polynomial into byte array - on coefficients into 5 bits.
*
* @param [out] b Array of bytes.
@@ -4117,7 +4127,8 @@ void kyber_compress_5(byte* b, sword16* p)
#define DECOMP_5(p, i, j, t) \
p[(i) + (j)] = (((word32)((t) & 0x1f) * KYBER_Q) + 16) >> 5
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_KYBER768)
#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) || \
defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768)
/* Decompress the byte array of packed 4 bits into polynomial.
*
* @param [out] p Polynomial.
@@ -4155,7 +4166,7 @@ void kyber_decompress_4(sword16* p, const unsigned char* b)
}
}
#endif
#ifdef WOLFSSL_KYBER1024
#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024)
/* Decompress the byte array of packed 5 bits into polynomial.
*
* @param [out] p Polynomial.

277
wolfcrypt/test/test.c
View File

@@ -38295,7 +38295,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ed448_test(void)
#ifdef WOLFSSL_HAVE_KYBER
#ifdef WOLFSSL_WC_KYBER /* OQS does not support KATs */
#ifdef WOLFSSL_KYBER512
#if !defined(WOLFSSL_NO_KYBER512) && !defined(WOLFSSL_NO_ML_KEM_512)
static wc_test_ret_t kyber512_kat(void)
{
wc_test_ret_t ret;
@@ -38331,8 +38331,8 @@ static wc_test_ret_t kyber512_kat(void)
0xc8, 0x0e, 0xfe, 0x79, 0xa3, 0xa9, 0xa8, 0x74,
0xcc, 0x09, 0xfe, 0x76, 0xf6, 0x99, 0x76, 0x15
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber512_pk[] = {
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber512_pk[] = {
0x11, 0x5A, 0xCE, 0x0E, 0x64, 0x67, 0x7C, 0xBB,
0x7D, 0xCF, 0xC9, 0x3C, 0x16, 0xD3, 0xA3, 0x05,
0xF6, 0x76, 0x15, 0xA4, 0x88, 0xD7, 0x11, 0xAA,
@@ -38433,7 +38433,10 @@ static wc_test_ret_t kyber512_kat(void)
0x5F, 0x8F, 0x3F, 0x90, 0x03, 0x48, 0x94, 0x15,
0x89, 0x9D, 0x59, 0xA5, 0x43, 0xD8, 0x20, 0x8C,
0x54, 0xA3, 0x16, 0x65, 0x29, 0xB5, 0x39, 0x22
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_512_pk[] = {
0x40, 0x08, 0x65, 0xed, 0x10, 0xb6, 0x19, 0xaa,
0x58, 0x11, 0x13, 0x9b, 0xc0, 0x86, 0x82, 0x57,
0x82, 0xb2, 0xb7, 0x12, 0x4f, 0x75, 0x7c, 0x83,
@@ -38534,10 +38537,10 @@ static wc_test_ret_t kyber512_kat(void)
0x43, 0x29, 0x86, 0xae, 0x4b, 0xc1, 0xa2, 0x42,
0xce, 0x99, 0x21, 0xaa, 0x9e, 0x22, 0x44, 0x88,
0x19, 0x58, 0x5d, 0xea, 0x30, 0x8e, 0xb0, 0x39
#endif
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber512_sk[] = {
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber512_sk[] = {
0x6C, 0x89, 0x2B, 0x02, 0x97, 0xA9, 0xC7, 0x64,
0x14, 0x93, 0xF8, 0x7D, 0xAF, 0x35, 0x33, 0xEE,
0xD6, 0x1F, 0x07, 0xF4, 0x65, 0x20, 0x66, 0x33,
@@ -38742,7 +38745,10 @@ static wc_test_ret_t kyber512_kat(void)
0x00, 0xE0, 0x3B, 0x59, 0xB9, 0x56, 0xF8, 0x21,
0x0E, 0x55, 0x60, 0x67, 0x40, 0x7D, 0x13, 0xDC,
0x90, 0xFA, 0x9E, 0x8B, 0x87, 0x2B, 0xFB, 0x8F
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_512_sk[] = {
0x9c, 0xda, 0x16, 0x86, 0xa3, 0x39, 0x6a, 0x7c,
0x10, 0x9b, 0x41, 0x52, 0x89, 0xf5, 0x6a, 0x9e,
0xc4, 0x4c, 0xd5, 0xb9, 0xb6, 0x74, 0xc3, 0x8a,
@@ -38947,10 +38953,10 @@ static wc_test_ret_t kyber512_kat(void)
0x00, 0xe0, 0x3b, 0x59, 0xb9, 0x56, 0xf8, 0x21,
0x0e, 0x55, 0x60, 0x67, 0x40, 0x7d, 0x13, 0xdc,
0x90, 0xfa, 0x9e, 0x8b, 0x87, 0x2b, 0xfb, 0x8f
#endif
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber512_ct[] = {
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber512_ct[] = {
0xED, 0xF2, 0x41, 0x45, 0xE4, 0x3B, 0x4F, 0x6D,
0xC6, 0xBF, 0x83, 0x32, 0xF5, 0x4E, 0x02, 0xCA,
0xB0, 0x2D, 0xBF, 0x3B, 0x56, 0x05, 0xDD, 0xC9,
@@ -39047,7 +39053,10 @@ static wc_test_ret_t kyber512_kat(void)
0x80, 0x5B, 0x9C, 0xFE, 0x8F, 0xE9, 0xB1, 0x23,
0x7C, 0x80, 0xF9, 0x67, 0x87, 0xCD, 0x92, 0x81,
0xCC, 0xF2, 0x70, 0xC1, 0xAF, 0xC0, 0x67, 0x0D
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_512_ct[] = {
0x11, 0x3d, 0xb2, 0xdd, 0x06, 0x87, 0x12, 0x35,
0xe7, 0xbc, 0x36, 0xc9, 0xdc, 0xaa, 0x52, 0x8f,
0xc2, 0x6c, 0xe5, 0xdb, 0x9e, 0xcc, 0x1d, 0xc3,
@@ -39144,21 +39153,24 @@ static wc_test_ret_t kyber512_kat(void)
0x7f, 0x19, 0xb6, 0x00, 0x0e, 0x18, 0xf8, 0xfe,
0xad, 0xda, 0x7e, 0xde, 0x8f, 0xe8, 0x0a, 0xa6,
0x62, 0xd6, 0x94, 0xc6, 0xd8, 0xc3, 0x3b, 0x52
#endif
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber512_ss[] = {
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber512_ss[] = {
0x0A, 0x69, 0x25, 0x67, 0x6F, 0x24, 0xB2, 0x2C,
0x28, 0x6F, 0x4C, 0x81, 0xA4, 0x22, 0x4C, 0xEC,
0x50, 0x6C, 0x9B, 0x25, 0x7D, 0x48, 0x0E, 0x02,
0xE3, 0xB4, 0x9F, 0x44, 0xCA, 0xA3, 0x23, 0x7F
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_512_ss[] = {
0x31, 0x98, 0x39, 0xe8, 0x2a, 0xb6, 0xb2, 0x22,
0xde, 0x7b, 0x61, 0x9e, 0x80, 0xda, 0x83, 0x91,
0x52, 0x2b, 0xbb, 0x37, 0x67, 0x70, 0x18, 0x49,
0x4a, 0x47, 0x42, 0xc5, 0x3f, 0x9a, 0xbf, 0xdf
#endif
};
#endif
#ifdef WOLFSSL_SMALL_STACK
key = (KyberKey *)XMALLOC(sizeof(KyberKey), HEAP_HINT,
@@ -39178,6 +39190,7 @@ static wc_test_ret_t kyber512_kat(void)
ERROR_OUT(WC_TEST_RET_ENC_ERRNO, out);
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
ret = wc_KyberKey_Init(KYBER512, key, HEAP_HINT, INVALID_DEVID);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
@@ -39220,6 +39233,52 @@ static wc_test_ret_t kyber512_kat(void)
if (XMEMCMP(ss_dec, kyber512_ss, sizeof(kyber512_ss)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
#endif
#ifndef WOLFSSL_NO_ML_KEM
ret = wc_KyberKey_Init(WC_ML_KEM_512, key, HEAP_HINT, INVALID_DEVID);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
else
key_inited = 1;
ret = wc_KyberKey_MakeKeyWithRandom(key, kyber512_rand,
sizeof(kyber512_rand));
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
ret = wc_KyberKey_EncodePublicKey(key, pub, WC_ML_KEM_512_PUBLIC_KEY_SIZE);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
ret = wc_KyberKey_EncodePrivateKey(key, priv,
WC_ML_KEM_512_PRIVATE_KEY_SIZE);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
if (XMEMCMP(pub, ml_kem_512_pk, sizeof(ml_kem_512_pk)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (XMEMCMP(priv, ml_kem_512_sk, sizeof(ml_kem_512_sk)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
ret = wc_KyberKey_EncapsulateWithRandom(key, ct, ss, kyber512enc_rand,
sizeof(kyber512enc_rand));
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
if (XMEMCMP(ct, ml_kem_512_ct, sizeof(ml_kem_512_ct)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (XMEMCMP(ss, ml_kem_512_ss, sizeof(ml_kem_512_ss)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
ret = wc_KyberKey_Decapsulate(key, ss_dec, ct, sizeof(ml_kem_512_ct));
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
if (XMEMCMP(ss_dec, ml_kem_512_ss, sizeof(ml_kem_512_ss)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
#endif
out:
@@ -39239,7 +39298,7 @@ out:
}
#endif /* WOLFSSL_KYBER512 */
#ifdef WOLFSSL_KYBER768
#if !defined(WOLFSSL_NO_KYBER768) && !defined(WOLFSSL_NO_ML_KEM_768)
static wc_test_ret_t kyber768_kat(void)
{
wc_test_ret_t ret;
@@ -39276,8 +39335,8 @@ static wc_test_ret_t kyber768_kat(void)
0xcc, 0x09, 0xfe, 0x76, 0xf6, 0x99, 0x76, 0x15
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber768_pk[] = {
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber768_pk[] = {
0xA7, 0x2C, 0x2D, 0x9C, 0x84, 0x3E, 0xE9, 0xF8,
0x31, 0x3E, 0xCC, 0x7F, 0x86, 0xD6, 0x29, 0x4D,
0x59, 0x15, 0x9D, 0x9A, 0x87, 0x9A, 0x54, 0x2E,
@@ -39426,7 +39485,10 @@ static wc_test_ret_t kyber768_kat(void)
0x5F, 0x8F, 0x3F, 0x90, 0x03, 0x48, 0x94, 0x15,
0x89, 0x9D, 0x59, 0xA5, 0x43, 0xD8, 0x20, 0x8C,
0x54, 0xA3, 0x16, 0x65, 0x29, 0xB5, 0x39, 0x22
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_768_pk[] = {
0xa8, 0xe6, 0x51, 0xa1, 0xe6, 0x85, 0xf2, 0x24,
0x78, 0xa8, 0x95, 0x4f, 0x00, 0x7b, 0xc7, 0x71,
0x1b, 0x93, 0x07, 0x72, 0xc7, 0x8f, 0x09, 0x2e,
@@ -39575,10 +39637,10 @@ static wc_test_ret_t kyber768_kat(void)
0xd8, 0xfa, 0xbb, 0xfb, 0x3f, 0xe8, 0xcb, 0x1d,
0xc4, 0xe8, 0x31, 0x5f, 0x2a, 0xf0, 0xd3, 0x2f,
0x00, 0x17, 0xae, 0x13, 0x6e, 0x19, 0xf0, 0x28
#endif
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber768_sk[] = {
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber768_sk[] = {
0x07, 0x63, 0x8F, 0xB6, 0x98, 0x68, 0xF3, 0xD3,
0x20, 0xE5, 0x86, 0x2B, 0xD9, 0x69, 0x33, 0xFE,
0xB3, 0x11, 0xB3, 0x62, 0x09, 0x3C, 0x9B, 0x5D,
@@ -39879,7 +39941,10 @@ static wc_test_ret_t kyber768_kat(void)
0x00, 0xE0, 0x3B, 0x59, 0xB9, 0x56, 0xF8, 0x21,
0x0E, 0x55, 0x60, 0x67, 0x40, 0x7D, 0x13, 0xDC,
0x90, 0xFA, 0x9E, 0x8B, 0x87, 0x2B, 0xFB, 0x8F
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_768_sk[] = {
0xda, 0x0a, 0xc7, 0xb6, 0x60, 0x40, 0x4e, 0x61,
0x3a, 0xa1, 0xf9, 0x80, 0x38, 0x0c, 0xb3, 0x6d,
0xba, 0x18, 0xd2, 0x32, 0x56, 0xc7, 0x26, 0x7a,
@@ -40180,10 +40245,10 @@ static wc_test_ret_t kyber768_kat(void)
0x00, 0xe0, 0x3b, 0x59, 0xb9, 0x56, 0xf8, 0x21,
0x0e, 0x55, 0x60, 0x67, 0x40, 0x7d, 0x13, 0xdc,
0x90, 0xfa, 0x9e, 0x8b, 0x87, 0x2b, 0xfb, 0x8f
#endif
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber768_ct[] = {
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber768_ct[] = {
0xB5, 0x2C, 0x56, 0xB9, 0x2A, 0x4B, 0x7C, 0xE9,
0xE4, 0xCB, 0x7C, 0x5B, 0x1B, 0x16, 0x31, 0x67,
0xA8, 0xA1, 0x67, 0x5B, 0x2F, 0xDE, 0xF8, 0x4A,
@@ -40320,7 +40385,10 @@ static wc_test_ret_t kyber768_kat(void)
0x24, 0x62, 0xDC, 0x44, 0xD3, 0x49, 0x65, 0x10,
0x24, 0x82, 0xA8, 0xED, 0x9E, 0x4E, 0x96, 0x4D,
0x56, 0x83, 0xE5, 0xD4, 0x5D, 0x0C, 0x82, 0x69
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_768_ct[] = {
0xc8, 0x39, 0x10, 0x85, 0xb8, 0xd3, 0xea, 0x97,
0x94, 0x21, 0x25, 0x41, 0xb2, 0x91, 0x4f, 0x08,
0x96, 0x4d, 0x33, 0x52, 0x1d, 0x3f, 0x67, 0xad,
@@ -40457,21 +40525,24 @@ static wc_test_ret_t kyber768_kat(void)
0x1b, 0xc6, 0xd6, 0x3c, 0x16, 0x93, 0xc1, 0x84,
0x78, 0x52, 0xf8, 0xe9, 0x7f, 0x50, 0xa1, 0x33,
0x53, 0x2a, 0xc3, 0xee, 0x1e, 0x52, 0xd4, 0x64
#endif
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber768_ss[] = {
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber768_ss[] = {
0x91, 0x4C, 0xB6, 0x7F, 0xE5, 0xC3, 0x8E, 0x73,
0xBF, 0x74, 0x18, 0x1C, 0x0A, 0xC5, 0x04, 0x28,
0xDE, 0xDF, 0x77, 0x50, 0xA9, 0x80, 0x58, 0xF7,
0xD5, 0x36, 0x70, 0x87, 0x74, 0x53, 0x5B, 0x29
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_768_ss[] = {
0xe7, 0x18, 0x4a, 0x09, 0x75, 0xee, 0x34, 0x70,
0x87, 0x8d, 0x2d, 0x15, 0x9e, 0xc8, 0x31, 0x29,
0xc8, 0xae, 0xc2, 0x53, 0xd4, 0xee, 0x17, 0xb4,
0x81, 0x03, 0x11, 0xd1, 0x98, 0xcd, 0x03, 0x68
#endif
};
#endif
#ifdef WOLFSSL_SMALL_STACK
key = (KyberKey *)XMALLOC(sizeof(KyberKey), HEAP_HINT,
@@ -40491,6 +40562,7 @@ static wc_test_ret_t kyber768_kat(void)
ERROR_OUT(WC_TEST_RET_ENC_ERRNO, out);
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
ret = wc_KyberKey_Init(KYBER768, key, HEAP_HINT, INVALID_DEVID);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
@@ -40533,6 +40605,52 @@ static wc_test_ret_t kyber768_kat(void)
if (XMEMCMP(ss_dec, kyber768_ss, sizeof(kyber768_ss)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
#endif
#ifndef WOLFSSL_NO_ML_KEM
ret = wc_KyberKey_Init(WC_ML_KEM_768, key, HEAP_HINT, INVALID_DEVID);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
else
key_inited = 1;
ret = wc_KyberKey_MakeKeyWithRandom(key, kyber768_rand,
sizeof(kyber768_rand));
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
ret = wc_KyberKey_EncodePublicKey(key, pub, WC_ML_KEM_768_PUBLIC_KEY_SIZE);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
ret = wc_KyberKey_EncodePrivateKey(key, priv,
WC_ML_KEM_768_PRIVATE_KEY_SIZE);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
if (XMEMCMP(pub, ml_kem_768_pk, sizeof(ml_kem_768_pk)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (XMEMCMP(priv, ml_kem_768_sk, sizeof(ml_kem_768_sk)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
ret = wc_KyberKey_EncapsulateWithRandom(key, ct, ss, kyber768enc_rand,
sizeof(kyber768enc_rand));
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
if (XMEMCMP(ct, ml_kem_768_ct, sizeof(ml_kem_768_ct)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (XMEMCMP(ss, ml_kem_768_ss, sizeof(ml_kem_768_ss)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
ret = wc_KyberKey_Decapsulate(key, ss_dec, ct, sizeof(ml_kem_768_ct));
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
if (XMEMCMP(ss_dec, ml_kem_768_ss, sizeof(ml_kem_768_ss)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
#endif
out:
@@ -40552,7 +40670,7 @@ out:
}
#endif /* WOLFSSL_KYBER768 */
#ifdef WOLFSSL_KYBER1024
#if !defined(WOLFSSL_NO_KYBER1024) && !defined(WOLFSSL_NO_ML_KEM_1024)
static wc_test_ret_t kyber1024_kat(void)
{
wc_test_ret_t ret;
@@ -40588,8 +40706,8 @@ static wc_test_ret_t kyber1024_kat(void)
0xc8, 0x0e, 0xfe, 0x79, 0xa3, 0xa9, 0xa8, 0x74,
0xcc, 0x09, 0xfe, 0x76, 0xf6, 0x99, 0x76, 0x15
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_pk[] = {
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_pk[] = {
0xD2, 0x23, 0x02, 0xCB, 0xD3, 0x39, 0x9F, 0xAC,
0xC6, 0x30, 0x99, 0x1F, 0xC8, 0xF2, 0x8B, 0xDB,
0x43, 0x54, 0x76, 0x25, 0x41, 0x52, 0x76, 0x78,
@@ -40786,7 +40904,10 @@ static wc_test_ret_t kyber1024_kat(void)
0x5F, 0x8F, 0x3F, 0x90, 0x03, 0x48, 0x94, 0x15,
0x89, 0x9D, 0x59, 0xA5, 0x43, 0xD8, 0x20, 0x8C,
0x54, 0xA3, 0x16, 0x65, 0x29, 0xB5, 0x39, 0x22
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_1024_pk[] = {
0x53, 0x79, 0x11, 0x95, 0x7c, 0x12, 0x51, 0x48,
0xa8, 0x7f, 0x41, 0x58, 0x9c, 0xb2, 0x22, 0xd0,
0xd1, 0x92, 0x29, 0xe2, 0xcb, 0x55, 0xe1, 0xa0,
@@ -40983,10 +41104,10 @@ static wc_test_ret_t kyber1024_kat(void)
0x41, 0x86, 0x9a, 0xbf, 0xba, 0xd1, 0x07, 0x38,
0xad, 0x04, 0xcc, 0x75, 0x2b, 0xc2, 0x0c, 0x39,
0x47, 0x46, 0x85, 0x0e, 0x0c, 0x48, 0x47, 0xdb
#endif
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_sk[] = {
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_sk[] = {
0x07, 0x63, 0x8F, 0xB6, 0x98, 0x68, 0xF3, 0xD3,
0x20, 0xE5, 0x86, 0x2B, 0xD9, 0x69, 0x33, 0xFE,
0xB3, 0x11, 0xB3, 0x62, 0x09, 0x3C, 0x9B, 0x5D,
@@ -41383,7 +41504,10 @@ static wc_test_ret_t kyber1024_kat(void)
0x00, 0xE0, 0x3B, 0x59, 0xB9, 0x56, 0xF8, 0x21,
0x0E, 0x55, 0x60, 0x67, 0x40, 0x7D, 0x13, 0xDC,
0x90, 0xFA, 0x9E, 0x8B, 0x87, 0x2B, 0xFB, 0x8F
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_1024_sk[] = {
0x43, 0x3a, 0x70, 0xee, 0x69, 0x50, 0xf9, 0x88,
0x2a, 0xcd, 0xd5, 0xa4, 0x78, 0x20, 0xa6, 0xa8,
0x16, 0x37, 0x08, 0xf0, 0x4d, 0x45, 0x7c, 0x77,
@@ -41780,10 +41904,10 @@ static wc_test_ret_t kyber1024_kat(void)
0x00, 0xe0, 0x3b, 0x59, 0xb9, 0x56, 0xf8, 0x21,
0x0e, 0x55, 0x60, 0x67, 0x40, 0x7d, 0x13, 0xdc,
0x90, 0xfa, 0x9e, 0x8b, 0x87, 0x2b, 0xfb, 0x8f
#endif
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_ct[] = {
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_ct[] = {
0xA6, 0xAF, 0x29, 0xD5, 0xF5, 0xB8, 0x0B, 0xD1,
0x30, 0xF5, 0x18, 0xBA, 0xDD, 0xD6, 0xC8, 0xF1,
0x75, 0x45, 0x41, 0x3D, 0x86, 0x0F, 0xB3, 0xDE,
@@ -41980,7 +42104,10 @@ static wc_test_ret_t kyber1024_kat(void)
0x93, 0x23, 0x93, 0x29, 0x98, 0xD5, 0x6E, 0xF4,
0x30, 0xC7, 0x3B, 0xC2, 0x4F, 0x5D, 0x95, 0xF7,
0x37, 0x85, 0x8D, 0xDC, 0x4F, 0x32, 0xC0, 0x13
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_1024_ct[] = {
0xc9, 0xbe, 0xad, 0x6b, 0x0c, 0x11, 0x14, 0x38,
0x9b, 0xd4, 0x76, 0x1c, 0x73, 0xab, 0x90, 0x95,
0xb5, 0x80, 0x9d, 0xaa, 0xc9, 0xf6, 0x59, 0xbb,
@@ -42177,21 +42304,24 @@ static wc_test_ret_t kyber1024_kat(void)
0xa9, 0xae, 0x11, 0x0a, 0xaf, 0x4d, 0x68, 0xbf,
0x4e, 0x27, 0x41, 0x0d, 0x43, 0xce, 0xef, 0x3e,
0x88, 0xe9, 0xc7, 0x17, 0xdd, 0x44, 0xc9, 0xee
#endif
};
WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_ss[] = {
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_ss[] = {
0xB1, 0x0F, 0x73, 0x94, 0x92, 0x6A, 0xD3, 0xB4,
0x9C, 0x5D, 0x62, 0xD5, 0xAE, 0xB5, 0x31, 0xD5,
0x75, 0x75, 0x38, 0xBC, 0xC0, 0xDA, 0x9E, 0x55,
0x0D, 0x43, 0x8F, 0x1B, 0x61, 0xBD, 0x74, 0x19
#else
};
#endif
#ifndef WOLFSSL_NO_ML_KEM
WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_1024_ss[] = {
0x48, 0x9d, 0xd1, 0xe9, 0xc2, 0xbe, 0x4a, 0xf3,
0x48, 0x2b, 0xdb, 0x35, 0xbb, 0x26, 0xce, 0x76,
0x0e, 0x6e, 0x41, 0x4d, 0xa6, 0xec, 0xbe, 0x48,
0x99, 0x85, 0x74, 0x8a, 0x82, 0x5f, 0x1c, 0xd6
#endif
};
#endif
#ifdef WOLFSSL_SMALL_STACK
key = (KyberKey *)XMALLOC(sizeof(KyberKey), HEAP_HINT,
@@ -42211,6 +42341,7 @@ static wc_test_ret_t kyber1024_kat(void)
ERROR_OUT(WC_TEST_RET_ENC_ERRNO, out);
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
ret = wc_KyberKey_Init(KYBER1024, key, HEAP_HINT, INVALID_DEVID);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
@@ -42253,6 +42384,52 @@ static wc_test_ret_t kyber1024_kat(void)
if (XMEMCMP(ss_dec, kyber1024_ss, sizeof(kyber1024_ss)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
#endif
#ifndef WOLFSSL_NO_ML_KEM
ret = wc_KyberKey_Init(WC_ML_KEM_1024, key, HEAP_HINT, INVALID_DEVID);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
else
key_inited = 1;
ret = wc_KyberKey_MakeKeyWithRandom(key, kyber1024_rand,
sizeof(kyber1024_rand));
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
ret = wc_KyberKey_EncodePublicKey(key, pub, WC_ML_KEM_MAX_PUBLIC_KEY_SIZE);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
ret = wc_KyberKey_EncodePrivateKey(key, priv,
WC_ML_KEM_MAX_PRIVATE_KEY_SIZE);
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
if (XMEMCMP(pub, ml_kem_1024_pk, sizeof(ml_kem_1024_pk)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (XMEMCMP(priv, ml_kem_1024_sk, sizeof(ml_kem_1024_sk)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
ret = wc_KyberKey_EncapsulateWithRandom(key, ct, ss, kyber1024enc_rand,
sizeof(kyber1024enc_rand));
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
if (XMEMCMP(ct, ml_kem_1024_ct, sizeof(ml_kem_1024_ct)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (XMEMCMP(ss, ml_kem_1024_ss, sizeof(ml_kem_1024_ss)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
ret = wc_KyberKey_Decapsulate(key, ss_dec, ct, sizeof(ml_kem_1024_ct));
if (ret != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
if (XMEMCMP(ss_dec, ml_kem_1024_ss, sizeof(ml_kem_1024_ss)) != 0)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
#endif
out:
@@ -42299,6 +42476,21 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t kyber_test(void)
#endif
int key_inited = 0;
static const int testData[][4] = {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_WC_ML_KEM_512
{ WC_ML_KEM_512, WC_ML_KEM_512_PRIVATE_KEY_SIZE,
WC_ML_KEM_512_PUBLIC_KEY_SIZE, WC_ML_KEM_512_CIPHER_TEXT_SIZE },
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
{ WC_ML_KEM_768, WC_ML_KEM_768_PRIVATE_KEY_SIZE,
WC_ML_KEM_768_PUBLIC_KEY_SIZE, WC_ML_KEM_768_CIPHER_TEXT_SIZE },
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
{ WC_ML_KEM_1024, WC_ML_KEM_1024_PRIVATE_KEY_SIZE,
WC_ML_KEM_1024_PUBLIC_KEY_SIZE, WC_ML_KEM_1024_CIPHER_TEXT_SIZE },
#endif
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef WOLFSSL_KYBER512
{ KYBER512, KYBER512_PRIVATE_KEY_SIZE, KYBER512_PUBLIC_KEY_SIZE,
KYBER512_CIPHER_TEXT_SIZE },
@@ -42311,6 +42503,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t kyber_test(void)
{ KYBER1024, KYBER1024_PRIVATE_KEY_SIZE, KYBER1024_PUBLIC_KEY_SIZE,
KYBER1024_CIPHER_TEXT_SIZE },
#endif
#endif
};
WOLFSSL_ENTER("kyber_test");
@@ -42408,17 +42601,17 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t kyber_test(void)
wc_FreeRng(&rng);
#ifdef WOLFSSL_WC_KYBER
#ifdef WOLFSSL_KYBER512
#if !defined(WOLFSSL_NO_KYBER512) && !defined(WOLFSSL_NO_ML_KEM_512)
ret = kyber512_kat();
if (ret != 0)
goto out;
#endif
#ifdef WOLFSSL_KYBER768
#if !defined(WOLFSSL_NO_KYBER768) && !defined(WOLFSSL_NO_ML_KEM_768)
ret = kyber768_kat();
if (ret != 0)
goto out;
#endif
#ifdef WOLFSSL_KYBER1024
#if !defined(WOLFSSL_NO_KYBER1024) && !defined(WOLFSSL_NO_ML_KEM_1024)
ret = kyber1024_kat();
if (ret != 0)
goto out;

27
wolfssl/ssl.h
View File

@@ -4306,35 +4306,44 @@ enum {
* algorithms have LEVEL2 and LEVEL4 because none of these submissions
* included them. */
#ifndef WOLFSSL_ML_KEM
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_PQC_MIN = 570,
WOLFSSL_PQC_SIMPLE_MIN = 570,
WOLFSSL_KYBER_LEVEL1 = 570, /* KYBER_512 */
WOLFSSL_KYBER_LEVEL3 = 572, /* KYBER_768 */
WOLFSSL_KYBER_LEVEL5 = 573, /* KYBER_1024 */
#ifdef WOLFSSL_NO_ML_KEM
WOLFSSL_PQC_SIMPLE_MAX = 573,
#endif
WOLFSSL_PQC_HYBRID_MIN = 12090,
WOLFSSL_P256_KYBER_LEVEL1 = 12090,
WOLFSSL_P384_KYBER_LEVEL3 = 12092,
WOLFSSL_P521_KYBER_LEVEL5 = 12093,
#ifdef WOLFSSL_NO_ML_KEM
WOLFSSL_PQC_HYBRID_MAX = 12093,
WOLFSSL_PQC_MAX = 12093,
#else
#endif
#endif
#ifndef WOLFSSL_NO_ML_KEM
#ifndef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_PQC_MIN = 583,
WOLFSSL_PQC_SIMPLE_MIN = 583,
WOLFSSL_KYBER_LEVEL1 = 583, /* ML-KEM 512 */
WOLFSSL_KYBER_LEVEL3 = 584, /* ML-KEM 768 */
WOLFSSL_KYBER_LEVEL5 = 585, /* ML-KEM 1024 */
#endif
WOLFSSL_ML_KEM_512 = 583, /* ML-KEM 512 */
WOLFSSL_ML_KEM_768 = 584, /* ML-KEM 768 */
WOLFSSL_ML_KEM_1024 = 585, /* ML-KEM 1024 */
WOLFSSL_PQC_SIMPLE_MAX = 585,
#ifndef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_PQC_HYBRID_MIN = 12103,
WOLFSSL_P256_KYBER_LEVEL1 = 12103,
WOLFSSL_P384_KYBER_LEVEL3 = 12104,
WOLFSSL_P521_KYBER_LEVEL5 = 12105,
#endif
WOLFSSL_P256_ML_KEM_512 = 12103,
WOLFSSL_P384_ML_KEM_768 = 12104,
WOLFSSL_P521_ML_KEM_1024 = 12105,
WOLFSSL_PQC_HYBRID_MAX = 12105,
WOLFSSL_PQC_MAX = 12105,
#endif /* WOLFSSL_ML_KEM */
#endif /* !WOLFSSL_NO_ML_KEM */
#endif /* HAVE_PQC */
WOLF_ENUM_DUMMY_LAST_ELEMENT(SSL_H)
};

49
wolfssl/wolfcrypt/kyber.h
View File

@@ -153,9 +153,14 @@
enum {
/* Types of Kyber keys. */
KYBER512 = 0,
KYBER768 = 1,
KYBER1024 = 2,
WC_ML_KEM_512 = 0,
WC_ML_KEM_768 = 1,
WC_ML_KEM_1024 = 2,
KYBER_ORIGINAL = 0x10,
KYBER512 = 0 | KYBER_ORIGINAL,
KYBER768 = 1 | KYBER_ORIGINAL,
KYBER1024 = 2 | KYBER_ORIGINAL,
KYBER_LEVEL1 = KYBER512,
KYBER_LEVEL3 = KYBER768,
@@ -215,30 +220,48 @@ WOLFSSL_API int wc_KyberKey_EncodePublicKey(KyberKey* key, unsigned char* out,
#if !defined(WOLFSSL_NO_ML_KEM_512) && !defined(WOLFSSL_NO_ML_KEM)
#define WOLFSSL_WC_ML_KEM_512
#endif
#if !defined(WOLFSSL_NO_ML_KEM_768) && !defined(WOLFSSL_NO_ML_KEM)
#define WOLFSSL_WC_ML_KEM_768
#endif
#if !defined(WOLFSSL_NO_ML_KEM_1024) && !defined(WOLFSSL_NO_ML_KEM)
#define WOLFSSL_WC_ML_KEM_1024
#endif
#ifdef WOLFSSL_WC_ML_KEM_512
#define WC_ML_KEM_512_K KYBER512_K
#define WC_ML_KEM_512_PUBLIC_KEY_SIZE KYBER512_PUBLIC_KEY_SIZE
#define wC_ML_KEM_512_PRIVATE_KEY_SIZE KYBER512_PRIVATE_KEY_SIZE
#define wC_ML_KEM_512_CIPHER_TEXT_SIZE KYBER512_CIPHER_TEXT_SIZE
#define WC_ML_KEM_512_PRIVATE_KEY_SIZE KYBER512_PRIVATE_KEY_SIZE
#define WC_ML_KEM_512_CIPHER_TEXT_SIZE KYBER512_CIPHER_TEXT_SIZE
#define WC_ML_KEM_512_POLY_VEC_COMPRESSED_SZ \
KYBER512_POLY_VEC_COMPRESSED_SZ
#endif
#ifdef WOLFSSL_WC_ML_KEM_768
#define WC_ML_KEM_768_K KYBER768_K
#define WC_ML_KEM_768_PUBLIC_KEY_SIZE KYBER768_PUBLIC_KEY_SIZE
#define wC_ML_KEM_768_PRIVATE_KEY_SIZE KYBER768_PRIVATE_KEY_SIZE
#define wC_ML_KEM_768_CIPHER_TEXT_SIZE KYBER768_CIPHER_TEXT_SIZE
#define WC_ML_KEM_768_PRIVATE_KEY_SIZE KYBER768_PRIVATE_KEY_SIZE
#define WC_ML_KEM_768_CIPHER_TEXT_SIZE KYBER768_CIPHER_TEXT_SIZE
#define WC_ML_KEM_768_POLY_VEC_COMPRESSED_SZ \
KYBER768_POLY_VEC_COMPRESSED_SZ
#endif
#ifdef WOLFSSL_WC_ML_KEM_1024
#define WC_ML_KEM_1024_K KYBER1024_K
#define WC_ML_KEM_1024_PUBLIC_KEY_SIZE KYBER1024_PUBLIC_KEY_SIZE
#define wC_ML_KEM_1024_PRIVATE_KEY_SIZE KYBER1024_PRIVATE_KEY_SIZE
#define wC_ML_KEM_1024_CIPHER_TEXT_SIZE KYBER1024_CIPHER_TEXT_SIZE
#define WC_ML_KEM_1024_PRIVATE_KEY_SIZE KYBER1024_PRIVATE_KEY_SIZE
#define WC_ML_KEM_1024_CIPHER_TEXT_SIZE KYBER1024_CIPHER_TEXT_SIZE
#define WC_ML_KEM_1024_POLY_VEC_COMPRESSED_SZ \
KYBER1024_POLY_VEC_COMPRESSED_SZ
#endif
#define WC_ML_KEM_MAX_K KYBER_MAX_K
#define WC_ML_KEM_MAX_PRIVATE_KEY_SIZE KYBER_MAX_PRIVATE_KEY_SIZE
#define WC_ML_KEM_MAX_PUBLIC_KEY_SIZE KYBER_MAX_PUBLIC_KEY_SIZE
#define WC_ML_KEM_MAX_CIPHER_TEXT_SIZE KYBER_MAX_CIPHER_TEXT_SIZE
#define WC_ML_KEM_512 KYBER512
#define WC_ML_KEM_768 KYBER768
#define WC_ML_KEM_1024 KYBER1024
#define WC_ML_KEM_SYM_SZ KYBER_SYM_SZ
#define WC_ML_KEM_SS_SZ KYBER_SS_SZ
#define WC_ML_KEM_MAKEKEY_RAND_SZ KYBER_MAKEKEY_RAND_SZ