Merge pull request #7026 from Frauschi/liboqs

Improve liboqs integration
This commit is contained in:
Daniel Pouzzner
2024-01-03 16:20:26 -05:00
committed by GitHub
19 changed files with 242 additions and 18 deletions
+3 -3
View File
@@ -28901,7 +28901,7 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, word32 sz,
#if defined(HAVE_FALCON)
if (!rsaKey && !eccKey && !ed25519Key && !ed448Key && falconKey) {
word32 outSz = sigSz;
ret = wc_falcon_sign_msg(buf, sz, sig, &outSz, falconKey);
ret = wc_falcon_sign_msg(buf, sz, sig, &outSz, falconKey, rng);
if (ret == 0)
ret = outSz;
}
@@ -28910,7 +28910,7 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, word32 sz,
if (!rsaKey && !eccKey && !ed25519Key && !ed448Key && !falconKey &&
dilithiumKey) {
word32 outSz = sigSz;
ret = wc_dilithium_sign_msg(buf, sz, sig, &outSz, dilithiumKey);
ret = wc_dilithium_sign_msg(buf, sz, sig, &outSz, dilithiumKey, rng);
if (ret == 0)
ret = outSz;
}
@@ -28919,7 +28919,7 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, word32 sz,
if (!rsaKey && !eccKey && !ed25519Key && !ed448Key && !falconKey &&
!dilithiumKey && sphincsKey) {
word32 outSz = sigSz;
ret = wc_sphincs_sign_msg(buf, sz, sig, &outSz, sphincsKey);
ret = wc_sphincs_sign_msg(buf, sz, sig, &outSz, sphincsKey, rng);
if (ret == 0)
ret = outSz;
}
+7 -1
View File
@@ -59,7 +59,7 @@
*/
int wc_dilithium_sign_msg(const byte* in, word32 inLen,
byte* out, word32 *outLen,
dilithium_key* key)
dilithium_key* key, WC_RNG* rng)
{
int ret = 0;
#ifdef HAVE_LIBOQS
@@ -107,6 +107,10 @@ int wc_dilithium_sign_msg(const byte* in, word32 inLen,
localOutLen = *outLen;
}
if (ret == 0) {
ret = wolfSSL_liboqsRngMutexLock(rng);
}
if ((ret == 0) &&
(OQS_SIG_sign(oqssig, out, &localOutLen, in, inLen, key->k)
== OQS_ERROR)) {
@@ -117,6 +121,8 @@ int wc_dilithium_sign_msg(const byte* in, word32 inLen,
*outLen = (word32)localOutLen;
}
wolfSSL_liboqsRngMutexUnlock();
if (oqssig != NULL) {
OQS_SIG_free(oqssig);
}
+10 -1
View File
@@ -39,6 +39,8 @@
#if defined (HAVE_LIBOQS)
#include <wolfssl/wolfcrypt/port/liboqs/liboqs.h>
static const char* OQS_ID2name(int id) {
switch (id) {
case KYBER_LEVEL1: return OQS_KEM_alg_kyber_512;
@@ -337,12 +339,16 @@ int wc_KyberKey_MakeKey(KyberKey* key, WC_RNG* rng)
ret = BAD_FUNC_ARG;
}
}
if (ret == 0) {
ret = wolfSSL_liboqsRngMutexLock(rng);
}
if (ret == 0) {
if (OQS_KEM_keypair(kem, key->pub, key->priv) !=
OQS_SUCCESS) {
ret = BAD_FUNC_ARG;
}
}
wolfSSL_liboqsRngMutexUnlock();
OQS_KEM_free(kem);
#endif /* HAVE_LIBOQS */
#ifdef HAVE_PQM4
@@ -422,12 +428,15 @@ int wc_KyberKey_Encapsulate(KyberKey* key, unsigned char* ct, unsigned char* ss,
ret = BAD_FUNC_ARG;
}
}
if (ret == 0) {
ret = wolfSSL_liboqsRngMutexLock(rng);
}
if (ret == 0) {
if (OQS_KEM_encaps(kem, ct, ss, key->pub) != OQS_SUCCESS) {
ret = BAD_FUNC_ARG;
}
}
wolfSSL_liboqsRngMutexUnlock();
OQS_KEM_free(kem);
#endif /* HAVE_LIBOQS */
#ifdef HAVE_PQM4
+7 -1
View File
@@ -59,7 +59,7 @@
*/
int wc_falcon_sign_msg(const byte* in, word32 inLen,
byte* out, word32 *outLen,
falcon_key* key)
falcon_key* key, WC_RNG* rng)
{
int ret = 0;
#ifdef HAVE_LIBOQS
@@ -101,6 +101,10 @@ int wc_falcon_sign_msg(const byte* in, word32 inLen,
localOutLen = *outLen;
}
if (ret == 0) {
ret = wolfSSL_liboqsRngMutexLock(rng);
}
if ((ret == 0) &&
(OQS_SIG_sign(oqssig, out, &localOutLen, in, inLen, key->k)
== OQS_ERROR)) {
@@ -111,6 +115,8 @@ int wc_falcon_sign_msg(const byte* in, word32 inLen,
*outLen = (word32)localOutLen;
}
wolfSSL_liboqsRngMutexUnlock();
if (oqssig != NULL) {
OQS_SIG_free(oqssig);
}
+2 -1
View File
@@ -132,7 +132,8 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \
wolfcrypt/src/port/Renesas/renesas_rx64_hw_sha.c \
wolfcrypt/src/port/Renesas/renesas_rx64_hw_util.c \
wolfcrypt/src/port/Renesas/README.md \
wolfcrypt/src/port/cypress/psoc6_crypto.c
wolfcrypt/src/port/cypress/psoc6_crypto.c \
wolfcrypt/src/port/liboqs/liboqs.c
$(ASYNC_FILES):
$(AM_V_at)touch $(srcdir)/$@
+111
View File
@@ -0,0 +1,111 @@
/* liboqs.c
*
* Copyright (C) 2006-2023 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*
DESCRIPTION
This library provides the support interfaces to the liboqs library providing
implementations for Post-Quantum cryptography algorithms.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/port/liboqs/liboqs.h>
#if defined(HAVE_LIBOQS)
/* RNG for liboqs */
static WC_RNG liboqsDefaultRNG;
static WC_RNG* liboqsCurrentRNG;
static wolfSSL_Mutex liboqsRNGMutex;
static int liboqs_init = 0;
static void wolfSSL_liboqsGetRandomData(uint8_t* buffer, size_t numOfBytes)
{
int ret = wc_RNG_GenerateBlock(liboqsCurrentRNG, buffer, numOfBytes);
if (ret != 0) {
// ToDo: liboqs exits programm if RNG fails, not sure what to do here
}
}
int wolfSSL_liboqsInit(void)
{
int ret = 0;
if (liboqs_init == 0) {
ret = wc_InitMutex(&liboqsRNGMutex);
if (ret != 0) {
return ret;
}
ret = wc_LockMutex(&liboqsRNGMutex);
if (ret != 0) {
return ret;
}
ret = wc_InitRng(&liboqsDefaultRNG);
if (ret == 0) {
OQS_init();
liboqs_init = 1;
}
liboqsCurrentRNG = &liboqsDefaultRNG;
wc_UnLockMutex(&liboqsRNGMutex);
OQS_randombytes_custom_algorithm(wolfSSL_liboqsGetRandomData);
}
return ret;
}
int wolfSSL_liboqsRngMutexLock(WC_RNG* rng)
{
int ret = wolfSSL_liboqsInit();
if (ret == 0) {
ret = wc_LockMutex(&liboqsRNGMutex);
}
if (ret == 0 && rng != NULL) {
/* Update the pointer with the RNG to use. This is safe as we locked the mutex */
liboqsCurrentRNG = rng;
}
return ret;
}
int wolfSSL_liboqsRngMutexUnlock(void)
{
int ret = BAD_MUTEX_E;
liboqsCurrentRNG = &liboqsDefaultRNG;
if (liboqs_init) {
ret = wc_UnLockMutex(&liboqsRNGMutex);
}
return ret;
}
#endif /* HAVE_LIBOQS */
+7 -1
View File
@@ -58,7 +58,7 @@
* 0 otherwise.
*/
int wc_sphincs_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen,
sphincs_key* key)
sphincs_key* key, WC_RNG* rng)
{
int ret = 0;
#ifdef HAVE_LIBOQS
@@ -135,6 +135,10 @@ int wc_sphincs_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen,
localOutLen = *outLen;
}
if (ret == 0) {
ret = wolfSSL_liboqsRngMutexLock(rng);
}
if ((ret == 0) &&
(OQS_SIG_sign(oqssig, out, &localOutLen, in, inLen, key->k)
== OQS_ERROR)) {
@@ -145,6 +149,8 @@ int wc_sphincs_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen,
*outLen = (word32)localOutLen;
}
wolfSSL_liboqsRngMutexUnlock();
if (oqssig != NULL) {
OQS_SIG_free(oqssig);
}
+10
View File
@@ -127,6 +127,10 @@
#include <wolfssl/wolfcrypt/port/psa/psa.h>
#endif
#if defined(HAVE_LIBOQS)
#include <wolfssl/wolfcrypt/port/liboqs/liboqs.h>
#endif
#if defined(FREERTOS) && defined(WOLFSSL_ESPIDF)
#include <freertos/FreeRTOS.h>
#include <freertos/task.h>
@@ -392,6 +396,12 @@ int wolfCrypt_Init(void)
}
rpcmem_init();
#endif
#if defined(HAVE_LIBOQS)
if ((ret = wolfSSL_liboqsInit()) != 0) {
return ret;
}
#endif
}
initRefCount++;