wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7904 from SparkiDev/kyber_tls_fixes

Browse Source 
Kyber: fix TLS usage
This commit is contained in:
Daniel Pouzzner
2024-08-27 00:44:56 -05:00
committed by GitHub
parent 90152fedda 893a486ae1
commit e164bcb24d
5 changed files with 127 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
examples/client/client.c
View File

@ -398,24 +398,43 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
if (usePqc) { if (usePqc) {
int group = 0; int group = 0;
#ifndef WOLFSSL_NO_KYBER512
if (XSTRCMP(pqcAlg, "KYBER_LEVEL1") == 0) { if (XSTRCMP(pqcAlg, "KYBER_LEVEL1") == 0) {
group = WOLFSSL_KYBER_LEVEL1; group = WOLFSSL_KYBER_LEVEL1;
} }
else if (XSTRCMP(pqcAlg, "KYBER_LEVEL3") == 0) { else
#endif
#ifndef WOLFSSL_NO_KYBER768
if (XSTRCMP(pqcAlg, "KYBER_LEVEL3") == 0) {
group = WOLFSSL_KYBER_LEVEL3; group = WOLFSSL_KYBER_LEVEL3;
} }
else if (XSTRCMP(pqcAlg, "KYBER_LEVEL5") == 0) { else
#endif
#ifndef WOLFSSL_NO_KYBER1024
if (XSTRCMP(pqcAlg, "KYBER_LEVEL5") == 0) {
group = WOLFSSL_KYBER_LEVEL5; group = WOLFSSL_KYBER_LEVEL5;
} }
else if (XSTRCMP(pqcAlg, "P256_KYBER_LEVEL1") == 0) { else
#endif
#ifndef WOLFSSL_NO_KYBER512
if (XSTRCMP(pqcAlg, "P256_KYBER_LEVEL1") == 0) {
group = WOLFSSL_P256_KYBER_LEVEL1; group = WOLFSSL_P256_KYBER_LEVEL1;
} }
else if (XSTRCMP(pqcAlg, "P384_KYBER_LEVEL3") == 0) { else
#endif
#ifndef WOLFSSL_NO_KYBER768
if (XSTRCMP(pqcAlg, "P384_KYBER_LEVEL3") == 0) {
group = WOLFSSL_P384_KYBER_LEVEL3; group = WOLFSSL_P384_KYBER_LEVEL3;
} }
else if (XSTRCMP(pqcAlg, "P521_KYBER_LEVEL5") == 0) { else
#endif
#ifndef WOLFSSL_NO_KYBER1024
if (XSTRCMP(pqcAlg, "P521_KYBER_LEVEL5") == 0) {
group = WOLFSSL_P521_KYBER_LEVEL5; group = WOLFSSL_P521_KYBER_LEVEL5;
} else { }
else
#endif
{
err_sys("invalid post-quantum KEM specified"); err_sys("invalid post-quantum KEM specified");
} }

31
examples/server/server.c
View File

@ -710,24 +710,45 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
else if (usePqc == 1) { else if (usePqc == 1) {
#ifdef HAVE_PQC #ifdef HAVE_PQC
groups[count] = 0; groups[count] = 0;
#ifndef WOLFSSL_NO_KYBER512
if (XSTRCMP(pqcAlg, "KYBER_LEVEL1") == 0) { if (XSTRCMP(pqcAlg, "KYBER_LEVEL1") == 0) {
groups[count] = WOLFSSL_KYBER_LEVEL1; groups[count] = WOLFSSL_KYBER_LEVEL1;
} }
else if (XSTRCMP(pqcAlg, "KYBER_LEVEL3") == 0) { else
#endif
#ifndef WOLFSSL_NO_KYBER768
if (XSTRCMP(pqcAlg, "KYBER_LEVEL3") == 0) {
groups[count] = WOLFSSL_KYBER_LEVEL3; groups[count] = WOLFSSL_KYBER_LEVEL3;
} }
else if (XSTRCMP(pqcAlg, "KYBER_LEVEL5") == 0) { else
#endif
#ifndef WOLFSSL_NO_KYBER1024
if (XSTRCMP(pqcAlg, "KYBER_LEVEL5") == 0) {
groups[count] = WOLFSSL_KYBER_LEVEL5; groups[count] = WOLFSSL_KYBER_LEVEL5;
} }
else if (XSTRCMP(pqcAlg, "P256_KYBER_LEVEL1") == 0) { else
#endif
#ifndef WOLFSSL_NO_KYBER512
if (XSTRCMP(pqcAlg, "P256_KYBER_LEVEL1") == 0) {
groups[count] = WOLFSSL_P256_KYBER_LEVEL1; groups[count] = WOLFSSL_P256_KYBER_LEVEL1;
} }
else if (XSTRCMP(pqcAlg, "P384_KYBER_LEVEL3") == 0) { else
#endif
#ifndef WOLFSSL_NO_KYBER768
if (XSTRCMP(pqcAlg, "P384_KYBER_LEVEL3") == 0) {
groups[count] = WOLFSSL_P384_KYBER_LEVEL3; groups[count] = WOLFSSL_P384_KYBER_LEVEL3;
} }
else if (XSTRCMP(pqcAlg, "P521_KYBER_LEVEL5") == 0) { else
#endif
#ifndef WOLFSSL_NO_KYBER1024
if (XSTRCMP(pqcAlg, "P521_KYBER_LEVEL5") == 0) {
groups[count] = WOLFSSL_P521_KYBER_LEVEL5; groups[count] = WOLFSSL_P521_KYBER_LEVEL5;
} }
else
#endif
{
err_sys("invalid post-quantum KEM specified");
}
if (groups[count] == 0) { if (groups[count] == 0) {
err_sys("invalid post-quantum KEM specified"); err_sys("invalid post-quantum KEM specified");

2
src/tls.c
View File

@ -13141,7 +13141,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_KYBER_LEVEL3, ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_KYBER_LEVEL3,
ssl->heap); ssl->heap);
#endif #endif
#ifdef WOLFSSL_KYBER768 #ifdef WOLFSSL_KYBER1024
if (ret == WOLFSSL_SUCCESS) if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL5, ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL5,
ssl->heap); ssl->heap);

36
tests/api.c
View File

@ -72803,7 +72803,13 @@ static int test_tls13_apis(void)
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
int groups[2] = { WOLFSSL_ECC_SECP256R1, int groups[2] = { WOLFSSL_ECC_SECP256R1,
#ifdef WOLFSSL_HAVE_KYBER #ifdef WOLFSSL_HAVE_KYBER
#ifndef WOLFSSL_NO_KYBER512
WOLFSSL_KYBER_LEVEL1 WOLFSSL_KYBER_LEVEL1
#elif !defined(WOLFSSL_NO_KYBER768)
WOLFSSL_KYBER_LEVEL3
#else
WOLFSSL_KYBER_LEVEL5
#endif
#else #else
WOLFSSL_ECC_SECP256R1 WOLFSSL_ECC_SECP256R1
#endif #endif
@ -72831,15 +72837,30 @@ static int test_tls13_apis(void)
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
"P-256:secp256r1" "P-256:secp256r1"
#if defined(WOLFSSL_HAVE_KYBER) #if defined(WOLFSSL_HAVE_KYBER)
#ifndef WOLFSSL_NO_KYBER512
":P256_KYBER_LEVEL1" ":P256_KYBER_LEVEL1"
#elif !defined(WOLFSSL_NO_KYBER768)
":P256_KYBER_LEVEL3"
#else
":P256_KYBER_LEVEL5"
#endif
#endif #endif
#endif #endif
#endif /* !defined(NO_ECC_SECP) */ #endif /* !defined(NO_ECC_SECP) */
#if defined(WOLFSSL_HAVE_KYBER) #if defined(WOLFSSL_HAVE_KYBER)
#ifndef WOLFSSL_NO_KYBER512
":KYBER_LEVEL1" ":KYBER_LEVEL1"
#elif !defined(WOLFSSL_NO_KYBER768)
":KYBER_LEVEL3"
#else
":KYBER_LEVEL5"
#endif
#endif #endif
""; "";
#endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */ #endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */
#if defined(WOLFSSL_HAVE_KYBER)
int kyberLevel;
#endif
(void)ret; (void)ret;
@ -72969,17 +72990,24 @@ static int test_tls13_apis(void)
#endif #endif
#if defined(WOLFSSL_HAVE_KYBER) #if defined(WOLFSSL_HAVE_KYBER)
ExpectIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_KYBER_LEVEL3), BAD_FUNC_ARG); #ifndef WOLFSSL_NO_KYBER768
kyberLevel = WOLFSSL_KYBER_LEVEL3;
#elif !defined(WOLFSSL_NO_KYBER1024)
kyberLevel = WOLFSSL_KYBER_LEVEL5;
#else
kyberLevel = WOLFSSL_KYBER_LEVEL1;
#endif
ExpectIntEQ(wolfSSL_UseKeyShare(NULL, kyberLevel), BAD_FUNC_ARG);
#ifndef NO_WOLFSSL_SERVER #ifndef NO_WOLFSSL_SERVER
ExpectIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_KYBER_LEVEL3), ExpectIntEQ(wolfSSL_UseKeyShare(serverSsl, kyberLevel),
WOLFSSL_SUCCESS); WOLFSSL_SUCCESS);
#endif #endif
#ifndef NO_WOLFSSL_CLIENT #ifndef NO_WOLFSSL_CLIENT
#ifndef WOLFSSL_NO_TLS12 #ifndef WOLFSSL_NO_TLS12
ExpectIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, WOLFSSL_KYBER_LEVEL3), ExpectIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, kyberLevel),
BAD_FUNC_ARG); BAD_FUNC_ARG);
#endif #endif
ExpectIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_KYBER_LEVEL3), ExpectIntEQ(wolfSSL_UseKeyShare(clientSsl, kyberLevel),
WOLFSSL_SUCCESS); WOLFSSL_SUCCESS);
#endif #endif
#endif #endif

43
tests/suites.c
View File

@ -172,6 +172,41 @@ static int IsValidCipherSuite(const char* line, char *suite, size_t suite_spc)
return valid; return valid;
} }
#ifdef WOLFSSL_HAVE_KYBER
static int IsKyberLevelAvailable(const char* line)
{
int available = 0;
const char* find = "--pqc ";
const char* begin = strstr(line, find);
const char* end;
if (begin != NULL) {
begin += 6;
end = XSTRSTR(begin, " ");
if ((size_t)end - (size_t)begin == 12) {
#ifndef WOLFSSL_NO_KYBER512
if (XSTRNCMP(begin, "KYBER_LEVEL1", 12) == 0) {
available = 1;
}
#endif
#ifndef WOLFSSL_NO_KYBER768
if (XSTRNCMP(begin, "KYBER_LEVEL3", 12) == 0) {
available = 1;
}
#endif
#ifndef WOLFSSL_NO_KYBER1024
if (XSTRNCMP(begin, "KYBER_LEVEL5", 12) == 0) {
available = 1;
}
#endif
}
}
return (begin == NULL) || available;
}
#endif
static int IsValidCert(const char* line) static int IsValidCert(const char* line)
{ {
int ret = 1; int ret = 1;
@ -356,6 +391,14 @@ static int execute_test_case(int svr_argc, char** svr_argv,
#endif #endif
return NOT_BUILT_IN; return NOT_BUILT_IN;
} }
#ifdef WOLFSSL_HAVE_KYBER
if (!IsKyberLevelAvailable(commandLine)) {
#ifdef DEBUG_SUITE_TESTS
printf("Kyber level not supported in build: %s\n", commandLine);
#endif
return NOT_BUILT_IN;
}
#endif
if (!IsValidCert(commandLine)) { if (!IsValidCert(commandLine)) {
#ifdef DEBUG_SUITE_TESTS #ifdef DEBUG_SUITE_TESTS
printf("certificate %s not supported in build\n", commandLine); printf("certificate %s not supported in build\n", commandLine);