Improvements for PQC hybrid key exchange

Add support for X25519 and X448 based hybrid PQC + ECC key exchange
groups. Furthermore, two new combinations with SECP curves are added to
match OQS combinations.

This also incorporates the changed order of X25519 and X448 based
combinations to place the PQC material before the ECDH material. This is
motivated by the necessity to always have material of a FIPS approved
algorithm first.

Also, codepoints are updated to reflect the latest draft standards for
pure ML-KEM and some of the hybrids. With these changes and based on the
recent additions to both enable ML-KEM final and draft versions
simultaneously, a wolfSSL TLS server is now compatible with all recent
browsers that support either the draft version of ML-KEM (Chromium based
browsers and Firefox < version 132; only when the draft version is
enabled in the build) or the final version already (Firefox >= version 132).

In the process of extending support, some code and logic cleanup
happened. Furthermore, some memory leaks within the hybrid code path have
been fixed.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
Tobias Frauenschläger
2024-08-01 10:01:32 +02:00
parent 8ae122584c
commit 89491c7e36
20 changed files with 1876 additions and 654 deletions


@@ -296,17 +296,26 @@ static struct group_info groups[] = {
{ WOLFSSL_ML_KEM_512, "ML_KEM_512" },
{ WOLFSSL_ML_KEM_768, "ML_KEM_768" },
{ WOLFSSL_ML_KEM_1024, "ML_KEM_1024" },
{ WOLFSSL_P256_ML_KEM_512, "P256_ML_KEM_512" },
{ WOLFSSL_P384_ML_KEM_768, "P384_ML_KEM_768" },
{ WOLFSSL_P521_ML_KEM_1024, "P521_ML_KEM_1024" },
{ WOLFSSL_P256_ML_KEM_512, "P256_ML_KEM_512" },
{ WOLFSSL_P384_ML_KEM_768, "P384_ML_KEM_768" },
{ WOLFSSL_P256_ML_KEM_768, "P256_ML_KEM_768" },
{ WOLFSSL_P521_ML_KEM_1024, "P521_ML_KEM_1024" },
{ WOLFSSL_P384_ML_KEM_1024, "P384_ML_KEM_1024" },
{ WOLFSSL_X25519_ML_KEM_512, "X25519_ML_KEM_512" },
{ WOLFSSL_X448_ML_KEM_768, "X448_ML_KEM_768" },
{ WOLFSSL_X25519_ML_KEM_768, "X25519_ML_KEM_768" },
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
{ WOLFSSL_KYBER_LEVEL1, "KYBER_LEVEL1" },
{ WOLFSSL_KYBER_LEVEL3, "KYBER_LEVEL3" },
{ WOLFSSL_KYBER_LEVEL5, "KYBER_LEVEL5" },
{ WOLFSSL_P256_KYBER_LEVEL1, "P256_KYBER_LEVEL1" },
{ WOLFSSL_P384_KYBER_LEVEL3, "P384_KYBER_LEVEL3" },
{ WOLFSSL_P521_KYBER_LEVEL5, "P521_KYBER_LEVEL5" },
{ WOLFSSL_P256_KYBER_LEVEL1, "P256_KYBER_LEVEL1" },
{ WOLFSSL_P384_KYBER_LEVEL3, "P384_KYBER_LEVEL3" },
{ WOLFSSL_P256_KYBER_LEVEL3, "P256_KYBER_LEVEL3" },
{ WOLFSSL_P521_KYBER_LEVEL5, "P521_KYBER_LEVEL5" },
{ WOLFSSL_X25519_KYBER_LEVEL1, "X25519_KYBER_LEVEL1" },
{ WOLFSSL_X448_KYBER_LEVEL3, "X448_KYBER_LEVEL3" },
{ WOLFSSL_X25519_KYBER_LEVEL3, "X25519_KYBER_LEVEL3" },
#endif
#endif
{ 0, NULL }
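Review bot: The new X25519/X448 entries in `groups[]` (`{ WOLFSSL_X25519_ML_KEM_512, "X25519_ML_KEM_512" },` through `{ WOLFSSL_X448_KYBER_LEVEL3, "X448_KYBER_LEVEL3" },`) are not gated on HAVE_CURVE25519 / HAVE_CURVE448, whereas the client and server SetKeyShare chains in this same commit only accept those names under those macros, so this table can list a group that the same build rejects as an invalid KEM. If the table drives iteration over groups (its consumer is outside this page), a build without curve448 will attempt X448_ML_KEM_768 and fail at runtime instead of skipping it. Wrap each pair the way wolfSSL_get_curve_name does, e.g. `#ifdef HAVE_CURVE448` / `{ WOLFSSL_X448_ML_KEM_768, "X448_ML_KEM_768" },` / `#endif`. The array definition starts before the hunk.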


@@ -431,12 +431,36 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
if (XSTRCMP(pqcAlg, "P384_ML_KEM_768") == 0) {
group = WOLFSSL_P384_ML_KEM_768;
}
else if (XSTRCMP(pqcAlg, "P256_ML_KEM_768") == 0) {
group = WOLFSSL_P256_ML_KEM_768;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_1024
if (XSTRCMP(pqcAlg, "P521_ML_KEM_1024") == 0) {
group = WOLFSSL_P521_ML_KEM_1024;
}
else if (XSTRCMP(pqcAlg, "P384_ML_KEM_1024") == 0) {
group = WOLFSSL_P384_ML_KEM_1024;
}
else
#endif
#if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_CURVE25519)
if (XSTRCMP(pqcAlg, "X25519_ML_KEM_512") == 0) {
group = WOLFSSL_X25519_ML_KEM_512;
}
else
#endif
#if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519)
if (XSTRCMP(pqcAlg, "X25519_ML_KEM_768") == 0) {
group = WOLFSSL_X25519_ML_KEM_768;
}
else
#endif
#if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE448)
if (XSTRCMP(pqcAlg, "X448_ML_KEM_768") == 0) {
group = WOLFSSL_X448_ML_KEM_768;
}
else
#endif
#endif /* WOLFSSL_NO_ML_KEM */
@@ -469,6 +493,9 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
if (XSTRCMP(pqcAlg, "P384_KYBER_LEVEL3") == 0) {
group = WOLFSSL_P384_KYBER_LEVEL3;
}
else if (XSTRCMP(pqcAlg, "P256_KYBER_LEVEL3") == 0) {
group = WOLFSSL_P256_KYBER_LEVEL3;
}
else
#endif
#ifndef WOLFSSL_NO_KYBER1024
@@ -477,6 +504,24 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
}
else
#endif
#if !defined(WOLFSSL_NO_KYBER512) && defined(HAVE_CURVE25519)
if (XSTRCMP(pqcAlg, "X25519_KYBER_LEVEL1") == 0) {
group = WOLFSSL_X25519_KYBER_LEVEL1;
}
else
#endif
#if !defined(WOLFSSL_NO_KYBER768) && defined(HAVE_CURVE25519)
if (XSTRCMP(pqcAlg, "X25519_KYBER_LEVEL3") == 0) {
group = WOLFSSL_X25519_KYBER_LEVEL3;
}
else
#endif
#if !defined(WOLFSSL_NO_KYBER768) && defined(HAVE_CURVE448)
if (XSTRCMP(pqcAlg, "X448_KYBER_LEVEL3") == 0) {
group = WOLFSSL_X448_KYBER_LEVEL3;
}
else
#endif
#endif /* WOLFSSL_KYBER_ORIGINAL */
{
err_sys("invalid post-quantum KEM specified");
@@ -1378,12 +1423,18 @@ static const char* client_usage_msg[][78] = {
#ifndef WOLFSSL_NO_ML_KEM
" ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512,"
"\n"
" P384_ML_KEM_768, P521_ML_KEM_1024\n"
" P384_ML_KEM_768, P256_ML_KEM_768, P521_ML_KEM_1024,\n"
" P384_ML_KEM_1024, X25519_ML_KEM_512, "
"X25519_ML_KEM_768,\n"
" X448_ML_KEM_768\n"
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
" KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, "
"P256_KYBER_LEVEL1,\n"
" P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n"
" P384_KYBER_LEVEL3, P256_KYBER_LEVEL3, "
"P521_KYBER_LEVEL5,\n"
" X25519_KYBER_LEVEL1, X25519_KYBER_LEVEL3, "
"X448_KYBER_LEVEL3\n"
#endif
"",
/* 69 */
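Review bot: The usage text `" P384_ML_KEM_1024, X25519_ML_KEM_512, "` … `" X448_ML_KEM_768\n"` (and the matching `X25519_KYBER_LEVEL1 … X448_KYBER_LEVEL3` line) advertises the X25519/X448 hybrids whenever ML-KEM or Kyber is enabled, but the SetKeyShare chain above only accepts those names under HAVE_CURVE25519 / HAVE_CURVE448, so on a build without those curves the help output recommends a name that then exits with "invalid post-quantum KEM specified". Gate the strings the same way as the parser, e.g. `#ifdef HAVE_CURVE25519` / `" X25519_ML_KEM_512, X25519_ML_KEM_768,\n"` / `#endif`, or make the error message distinguish "not compiled in" from "unknown name". The P-curve names have the same mismatch without HAVE_ECC, but that predates this change. Both SetKeyShare and client_usage_msg extend beyond the hunks.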


@@ -744,12 +744,36 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
if (XSTRCMP(pqcAlg, "P384_ML_KEM_768") == 0) {
groups[count] = WOLFSSL_P384_ML_KEM_768;
}
else if (XSTRCMP(pqcAlg, "P256_ML_KEM_768") == 0) {
groups[count] = WOLFSSL_P256_ML_KEM_768;
}
else
#endif
#ifndef WOLFSSL_NO_ML_KEM_1024
if (XSTRCMP(pqcAlg, "P521_ML_KEM_1024") == 0) {
groups[count] = WOLFSSL_P521_ML_KEM_1024;
}
else if (XSTRCMP(pqcAlg, "P384_ML_KEM_1024") == 0) {
groups[count] = WOLFSSL_P384_ML_KEM_1024;
}
else
#endif
#if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_CURVE25519)
if (XSTRCMP(pqcAlg, "X25519_ML_KEM_512") == 0) {
groups[count] = WOLFSSL_X25519_ML_KEM_512;
}
else
#endif
#if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519)
if (XSTRCMP(pqcAlg, "X25519_ML_KEM_768") == 0) {
groups[count] = WOLFSSL_X25519_ML_KEM_768;
}
else
#endif
#if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE448)
if (XSTRCMP(pqcAlg, "X448_ML_KEM_768") == 0) {
groups[count] = WOLFSSL_X448_ML_KEM_768;
}
else
#endif
#endif /* WOLFSSL_NO_ML_KEM */
@@ -782,6 +806,9 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
if (XSTRCMP(pqcAlg, "P384_KYBER_LEVEL3") == 0) {
groups[count] = WOLFSSL_P384_KYBER_LEVEL3;
}
else if (XSTRCMP(pqcAlg, "P256_KYBER_LEVEL3") == 0) {
groups[count] = WOLFSSL_P256_KYBER_LEVEL3;
}
else
#endif
#ifndef WOLFSSL_NO_KYBER1024
@@ -790,6 +817,24 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
}
else
#endif
#if !defined(WOLFSSL_NO_KYBER512) && defined(HAVE_CURVE25519)
if (XSTRCMP(pqcAlg, "X25519_KYBER_LEVEL1") == 0) {
groups[count] = WOLFSSL_X25519_KYBER_LEVEL1;
}
else
#endif
#if !defined(WOLFSSL_NO_KYBER768) && defined(HAVE_CURVE25519)
if (XSTRCMP(pqcAlg, "X25519_KYBER_LEVEL3") == 0) {
groups[count] = WOLFSSL_X25519_KYBER_LEVEL3;
}
else
#endif
#if !defined(WOLFSSL_NO_KYBER768) && defined(HAVE_CURVE448)
if (XSTRCMP(pqcAlg, "X448_KYBER_LEVEL3") == 0) {
groups[count] = WOLFSSL_X448_KYBER_LEVEL3;
}
else
#endif
#endif
{
err_sys("invalid post-quantum KEM specified");
@@ -1027,12 +1072,18 @@ static const char* server_usage_msg[][66] = {
#ifndef WOLFSSL_NO_ML_KEM
" ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512,"
"\n"
" P384_ML_KEM_768, P521_ML_KEM_1024\n"
" P384_ML_KEM_768, P256_ML_KEM_768, P521_ML_KEM_1024,\n"
" P384_ML_KEM_1024, X25519_ML_KEM_512, "
"X25519_ML_KEM_768,\n"
" X448_ML_KEM_768\n"
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
" KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, "
"P256_KYBER_LEVEL1,\n"
" P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n"
" P384_KYBER_LEVEL3, P256_KYBER_LEVEL3, "
"P521_KYBER_LEVEL5,\n"
" X25519_KYBER_LEVEL1, X25519_KYBER_LEVEL3, "
"X448_KYBER_LEVEL3\n"
#endif
"",
/* 60 */
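Review bot: The string-compare chain added here (`else if (XSTRCMP(pqcAlg, "P256_ML_KEM_768") == 0)` through `X448_KYBER_LEVEL3`) is the third hand-maintained copy of the same name→group table in this commit (client.c SetKeyShare, this function, the `groups[]` array, plus `kNistCurves[]` in ssl.c), and the copies already disagree on build gating between the parser and the usage text below it. Every new hybrid now has to be added in five places, which is how spellings drift — the deleted tests/test-tls13-pq-2.conf carried `P521_ML_KEM1024`, a name none of these chains accept. If a lookup over `kNistCurves[]` is reachable from the examples, resolving `pqcAlg` through it and keeping only the `err_sys` fallback here would remove the duplication; otherwise a small shared static table in the examples would do. SetKeyShare starts and ends outside the hunks.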


@@ -35136,6 +35136,57 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
#endif /* HAVE_ECC */
#ifdef WOLFSSL_HAVE_KYBER
/* Returns 1 when the given group is a PQC group, 0 otherwise. */
int NamedGroupIsPqc(int group)
{
switch (group) {
#ifndef WOLFSSL_NO_ML_KEM
case WOLFSSL_ML_KEM_512:
case WOLFSSL_ML_KEM_768:
case WOLFSSL_ML_KEM_1024:
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
case WOLFSSL_KYBER_LEVEL1:
case WOLFSSL_KYBER_LEVEL3:
case WOLFSSL_KYBER_LEVEL5:
#endif
return 1;
default:
return 0;
}
}
/* Returns 1 when the given group is a PQC hybrid group, 0 otherwise. */
int NamedGroupIsPqcHybrid(int group)
{
switch (group) {
#ifndef WOLFSSL_NO_ML_KEM
case WOLFSSL_P256_ML_KEM_768:
case WOLFSSL_X25519_ML_KEM_768:
case WOLFSSL_P384_ML_KEM_1024:
case WOLFSSL_P256_ML_KEM_512:
case WOLFSSL_P384_ML_KEM_768:
case WOLFSSL_P521_ML_KEM_1024:
case WOLFSSL_X25519_ML_KEM_512:
case WOLFSSL_X448_ML_KEM_768:
#endif
#ifdef WOLFSSL_KYBER_ORIGINAL
case WOLFSSL_P256_KYBER_LEVEL3:
case WOLFSSL_X25519_KYBER_LEVEL3:
case WOLFSSL_P256_KYBER_LEVEL1:
case WOLFSSL_P384_KYBER_LEVEL3:
case WOLFSSL_P521_KYBER_LEVEL5:
case WOLFSSL_X25519_KYBER_LEVEL1:
case WOLFSSL_X448_KYBER_LEVEL3:
#endif
return 1;
default:
return 0;
}
}
#endif /* WOLFSSL_HAVE_KYBER */
int TranslateErrorToAlert(int err)
{
switch (err) {
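Review bot: `NamedGroupIsPqc()` (from `int NamedGroupIsPqc(int group)` to its closing brace) returns 0 for hybrid groups, while the macro it replaces, `WOLFSSL_NAMED_GROUP_IS_PQC`, covered both the simple and the hybrid code-point ranges (see the old definition in internal.h in this commit), so any existing caller that relied on the macro to catch hybrids now treats them as classical groups unless it was also changed to add `|| WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group)` as wolfSSL_UseKeyShare was. The src/tls.c diff is suppressed on this page, so I can't confirm the remaining callers were updated; a grep for `WOLFSSL_NAMED_GROUP_IS_PQC(` before merge is warranted. At minimum the header comment should state the narrowing: `/* Returns 1 only for pure (non-hybrid) PQC KEM groups; hybrids are NamedGroupIsPqcHybrid(). */`. Both predicates also classify the X25519/X448 hybrids as valid regardless of HAVE_CURVE25519 / HAVE_CURVE448, so a group the build cannot instantiate passes classification here and is presumably rejected only later.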

156
src/ssl.c

@@ -3601,6 +3601,11 @@ static int isValidCurveGroup(word16 name)
case WOLFSSL_P256_ML_KEM_512:
case WOLFSSL_P384_ML_KEM_768:
case WOLFSSL_P521_ML_KEM_1024:
case WOLFSSL_P384_ML_KEM_1024:
case WOLFSSL_X25519_ML_KEM_512:
case WOLFSSL_X448_ML_KEM_768:
case WOLFSSL_X25519_ML_KEM_768:
case WOLFSSL_P256_ML_KEM_768:
#endif
#endif /* !WOLFSSL_NO_ML_KEM */
#ifdef WOLFSSL_KYBER_ORIGINAL
@@ -3611,6 +3616,10 @@ static int isValidCurveGroup(word16 name)
case WOLFSSL_P256_KYBER_LEVEL1:
case WOLFSSL_P384_KYBER_LEVEL3:
case WOLFSSL_P521_KYBER_LEVEL5:
case WOLFSSL_X25519_KYBER_LEVEL1:
case WOLFSSL_X448_KYBER_LEVEL3:
case WOLFSSL_X25519_KYBER_LEVEL3:
case WOLFSSL_P256_KYBER_LEVEL3:
#endif
#endif /* WOLFSSL_KYBER_ORIGINAL */
#endif
@@ -15381,66 +15390,97 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl)
if (IsAtLeastTLSv1_3(ssl->version)) {
switch (ssl->namedGroup) {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef HAVE_LIBOQS
case WOLFSSL_ML_KEM_512:
return "ML_KEM_512";
case WOLFSSL_ML_KEM_768:
return "ML_KEM_768";
case WOLFSSL_ML_KEM_1024:
return "ML_KEM_1024";
case WOLFSSL_P256_ML_KEM_512:
return "P256_ML_KEM_512";
case WOLFSSL_P384_ML_KEM_768:
return "P384_ML_KEM_768";
case WOLFSSL_P521_ML_KEM_1024:
return "P521_ML_KEM_1024";
#elif defined(WOLFSSL_WC_KYBER)
#if defined(WOLFSSL_WC_KYBER)
#ifndef WOLFSSL_NO_ML_KEM_512
case WOLFSSL_ML_KEM_512:
return "ML_KEM_512";
case WOLFSSL_P256_ML_KEM_512:
return "P256_ML_KEM_512";
#ifdef HAVE_CURVE25519
case WOLFSSL_X25519_ML_KEM_512:
return "X25519_ML_KEM_512";
#endif
#endif
#ifndef WOLFSSL_NO_ML_KEM_768
case WOLFSSL_ML_KEM_768:
return "ML_KEM_768";
case WOLFSSL_P384_ML_KEM_768:
return "P384_ML_KEM_768";
case WOLFSSL_P256_ML_KEM_768:
return "P256_ML_KEM_768";
#ifdef HAVE_CURVE25519
case WOLFSSL_X25519_ML_KEM_768:
return "X25519_ML_KEM_768";
#endif
#ifdef HAVE_CURVE448
case WOLFSSL_X448_ML_KEM_768:
return "X448_ML_KEM_768";
#endif
#endif
#ifndef WOLFSSL_NO_ML_KEM_1024
case WOLFSSL_ML_KEM_1024:
return "ML_KEM_1024";
case WOLFSSL_P521_ML_KEM_1024:
return "P521_ML_KEM_1024";
case WOLFSSL_P384_ML_KEM_1024:
return "P384_ML_KEM_1024";
#endif
#endif
#endif
#elif defined(HAVE_LIBOQS)
case WOLFSSL_ML_KEM_512:
return "ML_KEM_512";
case WOLFSSL_ML_KEM_768:
return "ML_KEM_768";
case WOLFSSL_ML_KEM_1024:
return "ML_KEM_1024";
case WOLFSSL_P256_ML_KEM_512:
return "P256_ML_KEM_512";
case WOLFSSL_P384_ML_KEM_768:
return "P384_ML_KEM_768";
case WOLFSSL_P256_ML_KEM_768:
return "P256_ML_KEM_768";
case WOLFSSL_P521_ML_KEM_1024:
return "P521_ML_KEM_1024";
case WOLFSSL_P384_ML_KEM_1024:
return "P384_ML_KEM_1024";
#ifdef HAVE_CURVE25519
case WOLFSSL_X25519_ML_KEM_512:
return "X25519_ML_KEM_512";
case WOLFSSL_X25519_ML_KEM_768:
return "X25519_ML_KEM_768";
#endif
#ifdef HAVE_CURVE448
case WOLFSSL_X448_ML_KEM_768:
return "X448_ML_KEM_768";
#endif
#endif /* WOLFSSL_WC_KYBER */
#endif /* WOLFSSL_NO_ML_KEM */
#ifdef WOLFSSL_KYBER_ORIGINAL
#ifdef HAVE_LIBOQS
case WOLFSSL_KYBER_LEVEL1:
return "KYBER_LEVEL1";
case WOLFSSL_KYBER_LEVEL3:
return "KYBER_LEVEL3";
case WOLFSSL_KYBER_LEVEL5:
return "KYBER_LEVEL5";
case WOLFSSL_P256_KYBER_LEVEL1:
return "P256_KYBER_LEVEL1";
case WOLFSSL_P384_KYBER_LEVEL3:
return "P384_KYBER_LEVEL3";
case WOLFSSL_P521_KYBER_LEVEL5:
return "P521_KYBER_LEVEL5";
#elif defined(WOLFSSL_WC_KYBER)
#if defined(WOLFSSL_WC_KYBER)
#ifndef WOLFSSL_NO_KYBER512
case WOLFSSL_KYBER_LEVEL1:
return "KYBER_LEVEL1";
case WOLFSSL_P256_KYBER_LEVEL1:
return "P256_KYBER_LEVEL1";
#ifdef HAVE_CURVE25519
case WOLFSSL_X25519_KYBER_LEVEL1:
return "X25519_KYBER_LEVEL1";
#endif
#endif
#ifndef WOLFSSL_NO_KYBER768
case WOLFSSL_KYBER_LEVEL3:
return "KYBER_LEVEL3";
case WOLFSSL_P384_KYBER_LEVEL3:
return "P384_KYBER_LEVEL3";
case WOLFSSL_P256_KYBER_LEVEL3:
return "P256_KYBER_LEVEL3";
#ifdef HAVE_CURVE25519
case WOLFSSL_X25519_KYBER_LEVEL3:
return "X25519_KYBER_LEVEL3";
#endif
#ifdef HAVE_CURVE448
case WOLFSSL_X448_KYBER_LEVEL3:
return "X448_KYBER_LEVEL3";
#endif
#endif
#ifndef WOLFSSL_NO_KYBER1024
case WOLFSSL_KYBER_LEVEL5:
@@ -15448,8 +15488,33 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl)
case WOLFSSL_P521_KYBER_LEVEL5:
return "P521_KYBER_LEVEL5";
#endif
#endif
#endif
#elif defined (HAVE_LIBOQS)
case WOLFSSL_KYBER_LEVEL1:
return "KYBER_LEVEL1";
case WOLFSSL_KYBER_LEVEL3:
return "KYBER_LEVEL3";
case WOLFSSL_KYBER_LEVEL5:
return "KYBER_LEVEL5";
case WOLFSSL_P256_KYBER_LEVEL1:
return "P256_KYBER_LEVEL1";
case WOLFSSL_P384_KYBER_LEVEL3:
return "P384_KYBER_LEVEL3";
case WOLFSSL_P256_KYBER_LEVEL3:
return "P256_KYBER_LEVEL3";
case WOLFSSL_P521_KYBER_LEVEL5:
return "P521_KYBER_LEVEL5";
#ifdef HAVE_CURVE25519
case WOLFSSL_X25519_KYBER_LEVEL1:
return "X25519_KYBER_LEVEL1";
case WOLFSSL_X25519_KYBER_LEVEL3:
return "X25519_KYBER_LEVEL3";
#endif
#ifdef HAVE_CURVE448
case WOLFSSL_X448_KYBER_LEVEL3:
return "X448_KYBER_LEVEL3";
#endif
#endif /* WOLFSSL_WC_KYBER */
#endif /* WOLFSSL_KYBER_ORIGINAL */
}
}
#endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_KYBER */
@@ -22934,8 +22999,18 @@ const WOLF_EC_NIST_NAME kNistCurves[] = {
WOLFSSL_P256_ML_KEM_512},
{CURVE_NAME("P384_ML_KEM_768"), WOLFSSL_P384_ML_KEM_768,
WOLFSSL_P384_ML_KEM_768},
{CURVE_NAME("P256_ML_KEM_768"), WOLFSSL_P256_ML_KEM_768,
WOLFSSL_P256_ML_KEM_768},
{CURVE_NAME("P521_ML_KEM_1024"), WOLFSSL_P521_ML_KEM_1024,
WOLFSSL_P521_ML_KEM_1024},
{CURVE_NAME("P384_ML_KEM_1024"), WOLFSSL_P384_ML_KEM_1024,
WOLFSSL_P384_ML_KEM_1024},
{CURVE_NAME("X25519_ML_KEM_512"), WOLFSSL_X25519_ML_KEM_512,
WOLFSSL_X25519_ML_KEM_512},
{CURVE_NAME("X448_ML_KEM_768"), WOLFSSL_X448_ML_KEM_768,
WOLFSSL_X448_ML_KEM_768},
{CURVE_NAME("X25519_ML_KEM_768"), WOLFSSL_X25519_ML_KEM_768,
WOLFSSL_X25519_ML_KEM_768},
#endif
#endif /* !WOLFSSL_NO_ML_KEM */
#ifdef WOLFSSL_KYBER_ORIGINAL
@@ -22943,9 +23018,20 @@ const WOLF_EC_NIST_NAME kNistCurves[] = {
{CURVE_NAME("KYBER_LEVEL3"), WOLFSSL_KYBER_LEVEL3, WOLFSSL_KYBER_LEVEL3},
{CURVE_NAME("KYBER_LEVEL5"), WOLFSSL_KYBER_LEVEL5, WOLFSSL_KYBER_LEVEL5},
#if (defined(WOLFSSL_WC_KYBER) || defined(HAVE_LIBOQS)) && defined(HAVE_ECC)
{CURVE_NAME("P256_KYBER_LEVEL1"), WOLFSSL_P256_KYBER_LEVEL1, WOLFSSL_P256_KYBER_LEVEL1},
{CURVE_NAME("P384_KYBER_LEVEL3"), WOLFSSL_P384_KYBER_LEVEL3, WOLFSSL_P384_KYBER_LEVEL3},
{CURVE_NAME("P521_KYBER_LEVEL5"), WOLFSSL_P521_KYBER_LEVEL5, WOLFSSL_P521_KYBER_LEVEL5},
{CURVE_NAME("P256_KYBER_LEVEL1"), WOLFSSL_P256_KYBER_LEVEL1,
WOLFSSL_P256_KYBER_LEVEL1},
{CURVE_NAME("P384_KYBER_LEVEL3"), WOLFSSL_P384_KYBER_LEVEL3,
WOLFSSL_P384_KYBER_LEVEL3},
{CURVE_NAME("P256_KYBER_LEVEL3"), WOLFSSL_P256_KYBER_LEVEL3,
WOLFSSL_P256_KYBER_LEVEL3},
{CURVE_NAME("P521_KYBER_LEVEL5"), WOLFSSL_P521_KYBER_LEVEL5,
WOLFSSL_P521_KYBER_LEVEL5},
{CURVE_NAME("X25519_KYBER_LEVEL1"), WOLFSSL_X25519_KYBER_LEVEL1,
WOLFSSL_X25519_KYBER_LEVEL1},
{CURVE_NAME("X448_KYBER_LEVEL3"), WOLFSSL_X448_KYBER_LEVEL3,
WOLFSSL_X448_KYBER_LEVEL3},
{CURVE_NAME("X25519_KYBER_LEVEL3"), WOLFSSL_X25519_KYBER_LEVEL3,
WOLFSSL_X25519_KYBER_LEVEL3},
#endif
#endif /* WOLFSSL_KYBER_ORIGINAL */
#endif /* WOLFSSL_HAVE_KYBER */
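Review bot: `isValidCurveGroup()` now accepts `case WOLFSSL_X25519_ML_KEM_512:`, `case WOLFSSL_X448_ML_KEM_768:`, `case WOLFSSL_X25519_ML_KEM_768:` (and the KYBER equivalents) unconditionally, while `wolfSSL_get_curve_name()` below only knows those groups under `HAVE_CURVE25519` / `HAVE_CURVE448`; in a build without the curve, group configuration that goes through isValidCurveGroup (its callers are outside this page) will accept a group the key-share code presumably cannot generate, and get_curve_name falls out of the switch for it. Gate the cases like the name table does, e.g. `#ifdef HAVE_CURVE448` / `case WOLFSSL_X448_ML_KEM_768:` / `#endif`. Separately, reordering get_curve_name to `#if defined(WOLFSSL_WC_KYBER)` / `#elif defined(HAVE_LIBOQS)` flips which backend wins when both are defined; that looks intentional but deserves a one-line comment saying wc_kyber takes precedence. The isValidCurveGroup switch starts before the first hunk.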

1560
src/tls.c



@@ -13607,7 +13607,8 @@ int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
#endif
#if defined(WOLFSSL_HAVE_KYBER)
if (WOLFSSL_NAMED_GROUP_IS_PQC(group)) {
if (WOLFSSL_NAMED_GROUP_IS_PQC(group) ||
WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group)) {
if (ssl->ctx != NULL && ssl->ctx->method != NULL &&
!IsAtLeastTLSv1_3(ssl->version)) {


@@ -30,11 +30,11 @@ EXTRA_DIST += tests/unit.h \
tests/test-tls13-ecc.conf \
tests/test-tls13-psk.conf \
tests/test-tls13-pq.conf \
tests/test-tls13-pq-2.conf \
tests/test-tls13-pq-hybrid.conf \
tests/test-dtls13-pq.conf \
tests/test-dtls13-pq-frag.conf \
tests/test-dtls13-pq-2.conf \
tests/test-dtls13-pq-2-frag.conf \
tests/test-dtls13-pq-hybrid.conf \
tests/test-dtls13-pq-hybrid-frag.conf \
tests/test-psk.conf \
tests/test-psk-no-id.conf \
tests/test-psk-no-id-sha2.conf \


@@ -992,9 +992,8 @@ int SuiteTest(int argc, char** argv)
args.return_code = EXIT_FAILURE;
goto exit;
}
#ifdef HAVE_LIBOQS
/* add TLSv13 pq tests */
XSTRLCPY(argv0[1], "tests/test-tls13-pq-2.conf", sizeof(argv0[1]));
/* add TLSv13 pq hybrid tests */
XSTRLCPY(argv0[1], "tests/test-tls13-pq-hybrid.conf", sizeof(argv0[1]));
printf("starting TLSv13 post-quantum groups tests\n");
test_harness(&args);
if (args.return_code != 0) {
@@ -1003,29 +1002,6 @@ int SuiteTest(int argc, char** argv)
goto exit;
}
#endif
#endif
#ifdef HAVE_PQC
/* add TLSv13 pq tests */
XSTRLCPY(argv0[1], "tests/test-tls13-pq.conf", sizeof(argv0[1]));
printf("starting TLSv13 post-quantum groups tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
args.return_code = EXIT_FAILURE;
goto exit;
}
#ifdef HAVE_LIBOQS
/* add TLSv13 pq tests */
XSTRLCPY(argv0[1], "tests/test-tls13-pq-2.conf", sizeof(argv0[1]));
printf("starting TLSv13 post-quantum groups tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
args.return_code = EXIT_FAILURE;
goto exit;
}
#endif
#endif
#if defined(HAVE_PQC) && defined(WOLFSSL_DTLS13)
/* add DTLSv13 pq tests */
XSTRLCPY(argv0[1], "tests/test-dtls13-pq.conf", sizeof(argv0[1]));
@@ -1036,6 +1012,15 @@ int SuiteTest(int argc, char** argv)
args.return_code = EXIT_FAILURE;
goto exit;
}
/* add DTLSv13 pq hybrid tests */
XSTRLCPY(argv0[1], "tests/test-dtls13-pq-hybrid.conf", sizeof(argv0[1]));
printf("starting DTLSv13 post-quantum 2 groups tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
args.return_code = EXIT_FAILURE;
goto exit;
}
#ifdef WOLFSSL_DTLS_CH_FRAG
/* add DTLSv13 pq frag tests */
XSTRLCPY(argv0[1], "tests/test-dtls13-pq-frag.conf", sizeof(argv0[1]));
@@ -1046,20 +1031,8 @@ int SuiteTest(int argc, char** argv)
args.return_code = EXIT_FAILURE;
goto exit;
}
#endif
#ifdef HAVE_LIBOQS
/* add DTLSv13 pq 2 tests */
XSTRLCPY(argv0[1], "tests/test-dtls13-pq-2.conf", sizeof(argv0[1]));
printf("starting DTLSv13 post-quantum 2 groups tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
args.return_code = EXIT_FAILURE;
goto exit;
}
#ifdef WOLFSSL_DTLS_CH_FRAG
/* add DTLSv13 pq 2 frag tests */
XSTRLCPY(argv0[1], "tests/test-dtls13-pq-2-frag.conf", sizeof(argv0[1]));
/* add DTLSv13 pq hybrid frag tests */
XSTRLCPY(argv0[1], "tests/test-dtls13-pq-hybrid-frag.conf", sizeof(argv0[1]));
printf("starting DTLSv13 post-quantum 2 groups tests with fragmentation\n");
test_harness(&args);
if (args.return_code != 0) {
@@ -1069,7 +1042,6 @@ int SuiteTest(int argc, char** argv)
}
#endif
#endif
#endif
#endif
#if defined(WC_RSA_PSS) && (!defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) && \
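Review bot: The progress labels copied into the new hybrid runs are stale: `printf("starting DTLSv13 post-quantum 2 groups tests\n");` now announces test-dtls13-pq-hybrid.conf, `printf("starting DTLSv13 post-quantum 2 groups tests with fragmentation\n");` announces test-dtls13-pq-hybrid-frag.conf, and `printf("starting TLSv13 post-quantum groups tests\n");` announces test-tls13-pq-hybrid.conf, so a failure is reported under the name of a file this commit deletes. Rename them to `"starting DTLSv13 post-quantum hybrid groups tests\n"` and similar. The TLS 1.3 hybrid run also lost its `#ifdef HAVE_LIBOQS` guard, which looks intended now that wc_kyber provides the hybrids, but it means the conf now runs on every HAVE_PQC build, including ones that compile only one of ML-KEM or Kyber-original while the conf names both families. SuiteTest extends beyond the hunks.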


@@ -1,23 +0,0 @@
# server DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_KYBER_LEVEL3
# client DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_KYBER_LEVEL3
# server DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_KYBER_LEVEL5
# client DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_KYBER_LEVEL5


@@ -1,27 +0,0 @@
# server DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# client DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# P384_ML_KEM_768 and P521_ML_KEM_1024 would fragment the ClientHello.
# server DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL1
# client DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL1
# P384_KYBER_LEVEL3 and P521_KYBER_LEVEL5 would fragment the ClientHello.


@@ -1,3 +1,27 @@
# server DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_768
# client DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_768
# server DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_1024
# client DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_1024
# server DTLSv1.3 with post-quantum group
-u
-v 4
@@ -21,4 +45,3 @@
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc KYBER_LEVEL5


@@ -0,0 +1,131 @@
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_768
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_768
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_768
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_768
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_ML_KEM_1024
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_ML_KEM_1024
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_1024
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_1024
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_ML_KEM_768
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_ML_KEM_768
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X448_ML_KEM_768
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X448_ML_KEM_768
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_KYBER_LEVEL3
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_KYBER_LEVEL3
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL3
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL3
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_KYBER_LEVEL5
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_KYBER_LEVEL5
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_KYBER_LEVEL3
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_KYBER_LEVEL3
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X448_KYBER_LEVEL3
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X448_KYBER_LEVEL3


@@ -0,0 +1,51 @@
# server DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# client DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_ML_KEM_512
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_ML_KEM_512
# Hybrids with ML_KEM_768 and ML_KEM_1024 would fragment the ClientHello.
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL1
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL1
# server DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_KYBER_LEVEL1
# client DTLSv1.3 with post-quantum hybrid group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_KYBER_LEVEL1
# Hybrids with KYBER_LEVEL3 and KYBER_LEVEL5 would fragment the ClientHello.


@@ -16,12 +16,12 @@
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_512
--pqc KYBER_LEVEL1
# client DTLSv1.3 with post-quantum group
-u
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc ML_KEM_512
--pqc KYBER_LEVEL1
# KYBER_LEVEL3 and KYBER_LEVEL5 would fragment the ClientHello.


@@ -1,59 +0,0 @@
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_768
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_768
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_ML_KEM1024
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_ML_KEM1024
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL1
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL1
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_KYBER_LEVEL3
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_KYBER_LEVEL3
# server TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_KYBER_LEVEL5
# client TLSv1.3 with post-quantum group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_KYBER_LEVEL5


@@ -0,0 +1,149 @@
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_512
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_768
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_768
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_768
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_ML_KEM_768
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_ML_KEM_1024
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_ML_KEM_1024
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_1024
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_ML_KEM_1024
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_ML_KEM_512
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_ML_KEM_512
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_ML_KEM_768
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_ML_KEM_768
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X448_ML_KEM_768
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X448_ML_KEM_768
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL1
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL1
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_KYBER_LEVEL3
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P384_KYBER_LEVEL3
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL3
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P256_KYBER_LEVEL3
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_KYBER_LEVEL5
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc P521_KYBER_LEVEL5
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_KYBER_LEVEL1
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_KYBER_LEVEL1
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_KYBER_LEVEL3
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X25519_KYBER_LEVEL3
# server TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X448_KYBER_LEVEL3
# client TLSv1.3 with post-quantum hybrid group
-v 4
-l TLS13-AES256-GCM-SHA384
--pqc X448_KYBER_LEVEL3
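Review bot: This file mixes ML-KEM names (`--pqc P256_ML_KEM_512` … `--pqc X448_ML_KEM_768`) with Kyber-round-3 names (`--pqc P256_KYBER_LEVEL1` … `--pqc X448_KYBER_LEVEL3`), and the examples' SetKeyShare accepts the former only when ML-KEM is enabled and the latter only under WOLFSSL_KYBER_ORIGINAL, so on a build with just one family compiled the first unsupported pair makes client or server exit with "invalid post-quantum KEM specified" and the whole run fails rather than skipping. Since suite.c now runs this file under HAVE_PQC alone (the HAVE_LIBOQS guard was dropped in the same commit), consider splitting it into an ML-KEM conf and a Kyber conf that suite.c gates with `#ifndef WOLFSSL_NO_ML_KEM` and `#ifdef WOLFSSL_KYBER_ORIGINAL` respectively. I can't see how the harness treats a failed pair, so whether this is fatal is for the author to confirm.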


@@ -1906,14 +1906,16 @@ enum Misc {
#define AEAD_AUTH_DATA_SZ 13
#endif
#define WOLFSSL_NAMED_GROUP_IS_FFHDE(group) \
(MIN_FFHDE_GROUP <= (group) && (group) <= MAX_FFHDE_GROUP)
#define WOLFSSL_NAMED_GROUP_IS_FFDHE(group) \
(WOLFSSL_FFDHE_START <= (group) && (group) <= WOLFSSL_FFDHE_END)
#ifdef WOLFSSL_HAVE_KYBER
#define WOLFSSL_NAMED_GROUP_IS_PQC(group) \
((WOLFSSL_PQC_SIMPLE_MIN <= (group) && (group) <= WOLFSSL_PQC_SIMPLE_MAX) || \
(WOLFSSL_PQC_HYBRID_MIN <= (group) && (group) <= WOLFSSL_PQC_HYBRID_MAX))
WOLFSSL_LOCAL int NamedGroupIsPqc(int group);
WOLFSSL_LOCAL int NamedGroupIsPqcHybrid(int group);
#define WOLFSSL_NAMED_GROUP_IS_PQC(group) NamedGroupIsPqc(group)
#define WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group) NamedGroupIsPqcHybrid(group)
#else
#define WOLFSSL_NAMED_GROUP_IS_PQC(group) ((void)(group), 0)
#define WOLFSSL_NAMED_GROUP_IS_PQC(group) ((void)(group), 0)
#define WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group) ((void)(group), 0)
#endif /* WOLFSSL_HAVE_KYBER */
/* minimum Downgrade Minor version */
@@ -3603,8 +3605,8 @@ typedef struct KeyShareEntry {
byte* pubKey; /* Public key */
word32 pubKeyLen; /* Public key length */
#if !defined(NO_DH) || defined(WOLFSSL_HAVE_KYBER)
byte* privKey; /* Private key - DH and PQ KEMs only */
word32 privKeyLen;/* Only for PQ KEMs. */
byte* privKey; /* Private key */
word32 privKeyLen;/* Private key length - PQC only */
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
int lastRet;
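Review bot: `WOLFSSL_NAMED_GROUP_IS_FFHDE` is renamed to `WOLFSSL_NAMED_GROUP_IS_FFDHE` (with bounds `WOLFSSL_FFDHE_START` / `WOLFSSL_FFDHE_END`) without a compatibility alias, so any caller still using the old spelling — including in src/tls.c, whose diff is suppressed on this page — stops compiling. A one-liner keeps old code building: `#define WOLFSSL_NAMED_GROUP_IS_FFHDE(group) WOLFSSL_NAMED_GROUP_IS_FFDHE(group)`. Separately, `WOLFSSL_NAMED_GROUP_IS_PQC` changes meaning from "simple or hybrid range" to `NamedGroupIsPqc()` only while keeping its name, which should be stated next to the macro: `/* IS_PQC: pure PQC KEM groups only; hybrids are IS_PQC_HYBRID. */`. The `enum Misc` and `KeyShareEntry` definitions continue outside the hunks.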


@@ -4568,62 +4568,54 @@ enum {
WOLFSSL_FFDHE_4096 = 258,
WOLFSSL_FFDHE_6144 = 259,
WOLFSSL_FFDHE_8192 = 260,
WOLFSSL_FFDHE_END = 511,
#ifdef HAVE_PQC
/* These group numbers were taken from OQS's openssl provider, see:
* https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/
* oqs-kem-info.md.
*
* The levels in the group name refer to the claimed NIST level of each
* parameter set. The associated parameter set name is listed as a comment
* beside the group number. Please see the NIST PQC Competition's submitted
* papers for more details.
*
* LEVEL1 means that an attack on that parameter set would require the same
* or more resources as a key search on AES 128. LEVEL3 would require the
* same or more resources as a key search on AES 192. LEVEL5 would require
* the same or more resources as a key search on AES 256. None of the
* algorithms have LEVEL2 and LEVEL4 because none of these submissions
* included them. */
#ifdef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_PQC_MIN = 570,
WOLFSSL_PQC_SIMPLE_MIN = 570,
/* Old code points to keep compatibility with Kyber Round 3.
* Taken from OQS's openssl provider, see:
* https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/
* oqs-kem-info.md
*/
WOLFSSL_KYBER_LEVEL1 = 570, /* KYBER_512 */
WOLFSSL_KYBER_LEVEL3 = 572, /* KYBER_768 */
WOLFSSL_KYBER_LEVEL5 = 573, /* KYBER_1024 */
#ifdef WOLFSSL_NO_ML_KEM
WOLFSSL_PQC_SIMPLE_MAX = 573,
#endif
WOLFSSL_PQC_HYBRID_MIN = 12090,
WOLFSSL_P256_KYBER_LEVEL1 = 12090,
WOLFSSL_P384_KYBER_LEVEL3 = 12092,
WOLFSSL_P521_KYBER_LEVEL5 = 12093,
#ifdef WOLFSSL_NO_ML_KEM
WOLFSSL_PQC_HYBRID_MAX = 12093,
WOLFSSL_PQC_MAX = 12093,
#endif
#endif
WOLFSSL_X25519_KYBER_LEVEL1 = 12089,
WOLFSSL_X448_KYBER_LEVEL3 = 12176,
WOLFSSL_X25519_KYBER_LEVEL3 = 25497,
WOLFSSL_P256_KYBER_LEVEL3 = 25498,
#endif /* WOLFSSL_KYBER_ORIGINAL */
#ifndef WOLFSSL_NO_ML_KEM
#ifndef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_PQC_MIN = 512,
WOLFSSL_PQC_SIMPLE_MIN = 512,
#endif
WOLFSSL_ML_KEM_512 = 512, /* ML-KEM 512 */
WOLFSSL_ML_KEM_768 = 513, /* ML-KEM 768 */
WOLFSSL_ML_KEM_1024 = 514, /* ML-KEM 1024 */
WOLFSSL_PQC_SIMPLE_MAX = 514,
/* Taken from draft-connolly-tls-mlkem-key-agreement, see:
* https://github.com/dconnolly/draft-connolly-tls-mlkem-key-agreement/
*/
WOLFSSL_ML_KEM_512 = 512,
WOLFSSL_ML_KEM_768 = 513,
WOLFSSL_ML_KEM_1024 = 514,
#ifndef WOLFSSL_KYBER_ORIGINAL
WOLFSSL_PQC_HYBRID_MIN = 12107,
#endif
/* Taken from draft-kwiatkowski-tls-ecdhe-mlkem. see:
* https://github.com/post-quantum-cryptography/
* draft-kwiatkowski-tls-ecdhe-mlkem/
*/
WOLFSSL_P256_ML_KEM_768 = 4587,
WOLFSSL_X25519_ML_KEM_768 = 4588,
WOLFSSL_P384_ML_KEM_1024 = 4589,
/* Taken from OQS's openssl provider, see:
* https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/
* oqs-kem-info.md
*/
WOLFSSL_P256_ML_KEM_512 = 12107,
WOLFSSL_P384_ML_KEM_768 = 12108,
WOLFSSL_P521_ML_KEM_1024 = 12109,
WOLFSSL_PQC_HYBRID_MAX = 12109,
WOLFSSL_PQC_MAX = 12109,
#endif /* !WOLFSSL_NO_ML_KEM */
WOLFSSL_X25519_ML_KEM_512 = 12214,
WOLFSSL_X448_ML_KEM_768 = 12215,
#endif /* WOLFSSL_NO_ML_KEM */
#endif /* HAVE_PQC */
WOLF_ENUM_DUMMY_LAST_ELEMENT(SSL_H)
};
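Review bot: This hunk removes enumerators from the public header wolfssl/ssl.h — `WOLFSSL_PQC_MIN`, `WOLFSSL_PQC_MAX`, `WOLFSSL_PQC_SIMPLE_MIN` / `_MAX` and `WOLFSSL_PQC_HYBRID_MIN` / `_MAX` — which applications may use for their own range checks; since the new code points (4587–4589 and 12214–12215) no longer form contiguous ranges a range check can't honestly be offered, but the removal should be called out in the changelog or the names kept and marked deprecated. The values are copied from two moving targets (draft-kwiatkowski-tls-ecdhe-mlkem and the OQS provider table), so the comments should pin the revision they came from, e.g. `/* draft-kwiatkowski-tls-ecdhe-mlkem, revision NN (record it) */`, so that a later code-point change in either source can be traced. The `#ifdef HAVE_PQC` region begins before the hunk.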


@@ -39,8 +39,14 @@
#if defined (HAVE_LIBOQS)
#include <oqs/kem.h>
#define EXT_KYBER_MAX_PRIV_SZ OQS_KEM_kyber_1024_length_secret_key
#define EXT_KYBER_MAX_PUB_SZ OQS_KEM_kyber_1024_length_public_key
#ifndef WOLFSSL_NO_ML_KEM
#define EXT_KYBER_MAX_PRIV_SZ OQS_KEM_ml_kem_1024_length_secret_key
#define EXT_KYBER_MAX_PUB_SZ OQS_KEM_ml_kem_1024_length_public_key
#elif defined(WOLFSSL_KYBER_ORIGINAL)
#define EXT_KYBER_MAX_PRIV_SZ OQS_KEM_kyber_1024_length_secret_key
#define EXT_KYBER_MAX_PUB_SZ OQS_KEM_kyber_1024_length_public_key
#endif
#endif
struct KyberKey {
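Review bot: With `HAVE_LIBOQS` defined, `WOLFSSL_NO_ML_KEM` set and `WOLFSSL_KYBER_ORIGINAL` unset, the new `#ifndef WOLFSSL_NO_ML_KEM` / `#elif defined(WOLFSSL_KYBER_ORIGINAL)` leaves `EXT_KYBER_MAX_PRIV_SZ` and `EXT_KYBER_MAX_PUB_SZ` undefined, and the failure surfaces later as an unhelpful error wherever `struct KyberKey` presumably sizes its buffers with them. Add a terminating branch: `#else` / `#error "HAVE_LIBOQS requires ML-KEM or WOLFSSL_KYBER_ORIGINAL"` / `#endif`. When both families are enabled the buffers are sized for ML-KEM-1024 only; I believe liboqs reports the same lengths for kyber_1024, but a comment stating that assumption (or a compile-time size check) would make it explicit. `struct KyberKey` continues past the end of the hunk.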