From 1d8ff7090067d294be4e6a8586f856dff561efa4 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Fri, 10 Dec 2021 14:11:52 -0500 Subject: [PATCH 1/2] In d2iGenericKey(), if a falcon key is encountered, make a dummy pkey. This allows apache-httpd to work without PQ-specific patch along with a previous pull request. --- src/ssl.c | 64 +++++++++++++++++++++++++++++++++++++++++++ wolfssl/openssl/evp.h | 1 + 2 files changed, 65 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index 6ea2c1355..e1f6befd6 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -8522,6 +8522,70 @@ static WOLFSSL_EVP_PKEY* d2iGenericKey(WOLFSSL_EVP_PKEY** out, #endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */ #endif /* !NO_DH && OPENSSL_EXTRA && WOLFSSL_DH_EXTRA */ + #ifdef HAVE_LIBOQS + { + int isFalcon; + #ifdef WOLFSSL_SMALL_STACK + falcon_key *falcon = (falcon_key *)MALLOC(sizeof(falcon_key), NULL, + DYNAMIC_TYPE_FALCON); + if (falcon == NULL) { + return NULL; + } + #else + falcon_key falcon[1]; + #endif + XMEMSET(falcon, 0, sizeof(falcon_key)); + + /* test if Falcon key */ + if (priv) { + /* Try level 1 */ + isFalcon = wc_falcon_init(falcon) == 0 && + wc_falcon_set_level(falcon, 1) == 0 && + wc_falcon_import_private_only(mem, (word32)memSz, + falcon) == 0; + if (!isFalcon) { + /* Try level 5 */ + isFalcon = wc_falcon_init(falcon) == 0 && + wc_falcon_set_level(falcon, 5) == 0 && + wc_falcon_import_private_only(mem, (word32)memSz, + falcon) == 0; + } + } else { + /* Try level 1 */ + isFalcon = wc_falcon_init(falcon) == 0 && + wc_falcon_set_level(falcon, 1) == 0 && + wc_falcon_import_public(mem, (word32)memSz, falcon) == 0; + + if (!isFalcon) { + /* Try level 5 */ + isFalcon = wc_falcon_init(falcon) == 0 && + wc_falcon_set_level(falcon, 5) == 0 && + wc_falcon_import_public(mem, (word32)memSz, + falcon) == 0; + } + } + + wc_falcon_free(falcon); + #ifdef WOLFSSL_SMALL_STACK + XFREE(falcon, NULL, DYNAMIC_TYPE_FALCON); + #endif + if (isFalcon) { + /* Create a fake Falcon EVP_PKEY. In the future, we might integrate + * Falcon into the compatibility layer. */ + pkey = wolfSSL_EVP_PKEY_new(); + if (pkey == NULL) { + WOLFSSL_MSG("Falcon wolfSSL_EVP_PKEY_new error"); + return NULL; + } + pkey->type = EVP_PKEY_FALCON; + pkey->pkey.ptr = NULL; + pkey->pkey_sz = 0; + return pkey; + } + + } + #endif /* HAVE_LIBOQS */ + if (pkey == NULL) { WOLFSSL_MSG("wolfSSL_d2i_PUBKEY couldn't determine key type"); } diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index 871fcf8bc..61f7108ff 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -247,6 +247,7 @@ enum { NID_rc4 = 5, EVP_PKEY_DH = NID_dhKeyAgreement, EVP_PKEY_HMAC = NID_hmac, + EVP_PKEY_FALCON = 300, AES_128_CFB1_TYPE = 24, AES_192_CFB1_TYPE = 25, AES_256_CFB1_TYPE = 26, From 4c12f0be95626b205ca6d1e015c04f2e30bb0ef0 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Fri, 10 Dec 2021 16:40:41 -0500 Subject: [PATCH 2/2] Only one call to wc_falcon_init() and comment on 300. --- src/ssl.c | 48 +++++++++++++++++++++---------------------- wolfssl/openssl/evp.h | 2 +- 2 files changed, 24 insertions(+), 26 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index e1f6befd6..4880c48ec 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -8534,38 +8534,36 @@ static WOLFSSL_EVP_PKEY* d2iGenericKey(WOLFSSL_EVP_PKEY** out, #else falcon_key falcon[1]; #endif - XMEMSET(falcon, 0, sizeof(falcon_key)); - /* test if Falcon key */ - if (priv) { - /* Try level 1 */ - isFalcon = wc_falcon_init(falcon) == 0 && - wc_falcon_set_level(falcon, 1) == 0 && - wc_falcon_import_private_only(mem, (word32)memSz, - falcon) == 0; - if (!isFalcon) { - /* Try level 5 */ - isFalcon = wc_falcon_init(falcon) == 0 && - wc_falcon_set_level(falcon, 5) == 0 && + if (wc_falcon_init(falcon) == 0) { + /* test if Falcon key */ + if (priv) { + /* Try level 1 */ + isFalcon = wc_falcon_set_level(falcon, 1) == 0 && wc_falcon_import_private_only(mem, (word32)memSz, falcon) == 0; - } - } else { - /* Try level 1 */ - isFalcon = wc_falcon_init(falcon) == 0 && - wc_falcon_set_level(falcon, 1) == 0 && - wc_falcon_import_public(mem, (word32)memSz, falcon) == 0; + if (!isFalcon) { + /* Try level 5 */ + isFalcon = wc_falcon_set_level(falcon, 5) == 0 && + wc_falcon_import_private_only(mem, (word32)memSz, + falcon) == 0; + } + } else { + /* Try level 1 */ + isFalcon = wc_falcon_set_level(falcon, 1) == 0 && + wc_falcon_import_public(mem, (word32)memSz, falcon) + == 0; - if (!isFalcon) { - /* Try level 5 */ - isFalcon = wc_falcon_init(falcon) == 0 && - wc_falcon_set_level(falcon, 5) == 0 && - wc_falcon_import_public(mem, (word32)memSz, - falcon) == 0; + if (!isFalcon) { + /* Try level 5 */ + isFalcon = wc_falcon_set_level(falcon, 5) == 0 && + wc_falcon_import_public(mem, (word32)memSz, + falcon) == 0; + } } + wc_falcon_free(falcon); } - wc_falcon_free(falcon); #ifdef WOLFSSL_SMALL_STACK XFREE(falcon, NULL, DYNAMIC_TYPE_FALCON); #endif diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index 61f7108ff..19cbce481 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -247,7 +247,7 @@ enum { NID_rc4 = 5, EVP_PKEY_DH = NID_dhKeyAgreement, EVP_PKEY_HMAC = NID_hmac, - EVP_PKEY_FALCON = 300, + EVP_PKEY_FALCON = 300, /* Randomly picked value. */ AES_128_CFB1_TYPE = 24, AES_192_CFB1_TYPE = 25, AES_256_CFB1_TYPE = 26,