In d2iGenericKey(), if a falcon key is encountered, make a dummy pkey.

This allows apache-httpd to work without PQ-specific patch along with a previous pull request.
2025-07-30 02:37:28 +02:00 · 2021-12-10 14:11:52 -05:00
parent dde8cd9039
commit 1d8ff70900
2 changed files with 65 additions and 0 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@ -8522,6 +8522,70 @@ static WOLFSSL_EVP_PKEY* d2iGenericKey(WOLFSSL_EVP_PKEY** out,
    #endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
    #endif /* !NO_DH &&  OPENSSL_EXTRA && WOLFSSL_DH_EXTRA */

+    #ifdef HAVE_LIBOQS
+    {
+        int isFalcon;
+    #ifdef WOLFSSL_SMALL_STACK
+        falcon_key *falcon = (falcon_key *)MALLOC(sizeof(falcon_key), NULL,
+                                                  DYNAMIC_TYPE_FALCON);
+        if (falcon == NULL) {
+            return NULL;
+        }
+    #else
+        falcon_key falcon[1];
+    #endif
+        XMEMSET(falcon, 0, sizeof(falcon_key));
+
+        /* test if Falcon key */
+        if (priv) {
+            /* Try level 1 */
+            isFalcon = wc_falcon_init(falcon) == 0 &&
+                       wc_falcon_set_level(falcon, 1) == 0 &&
+                       wc_falcon_import_private_only(mem, (word32)memSz,
+                                                     falcon) == 0;
+            if (!isFalcon) {
+                /* Try level 5 */
+                isFalcon = wc_falcon_init(falcon) == 0 &&
+                           wc_falcon_set_level(falcon, 5) == 0 &&
+                           wc_falcon_import_private_only(mem, (word32)memSz,
+                                                         falcon) == 0;
+            }
+        } else {
+            /* Try level 1 */
+            isFalcon = wc_falcon_init(falcon) == 0 &&
+                       wc_falcon_set_level(falcon, 1) == 0 &&
+                       wc_falcon_import_public(mem, (word32)memSz, falcon) == 0;
+
+            if (!isFalcon) {
+                /* Try level 5 */
+                isFalcon = wc_falcon_init(falcon) == 0 &&
+                           wc_falcon_set_level(falcon, 5) == 0 &&
+                           wc_falcon_import_public(mem, (word32)memSz,
+                                                         falcon) == 0;
+            }
+        }
+
+        wc_falcon_free(falcon);
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(falcon, NULL, DYNAMIC_TYPE_FALCON);
+    #endif
+        if (isFalcon) {
+            /* Create a fake Falcon EVP_PKEY. In the future, we might integrate
+             * Falcon into the compatibility layer. */
+            pkey = wolfSSL_EVP_PKEY_new();
+            if (pkey == NULL) {
+                WOLFSSL_MSG("Falcon wolfSSL_EVP_PKEY_new error");
+                return NULL;
+            }
+            pkey->type = EVP_PKEY_FALCON;
+            pkey->pkey.ptr = NULL;
+            pkey->pkey_sz = 0;
+            return pkey;
+        }
+
+    }
+    #endif /* HAVE_LIBOQS */
+
    if (pkey == NULL) {
        WOLFSSL_MSG("wolfSSL_d2i_PUBKEY couldn't determine key type");
    }
--- a/wolfssl/openssl/evp.h
+++ b/wolfssl/openssl/evp.h
@ -247,6 +247,7 @@ enum {
    NID_rc4           = 5,
    EVP_PKEY_DH       = NID_dhKeyAgreement,
    EVP_PKEY_HMAC     = NID_hmac,
+    EVP_PKEY_FALCON = 300,
    AES_128_CFB1_TYPE = 24,
    AES_192_CFB1_TYPE = 25,
    AES_256_CFB1_TYPE = 26,