Skip to content

Commit ac81d9d

Browse files
dgarskedgarske
authored
Merge pull request #7110 from Frauschi/pq_secure_element
PQC: add CryptoCb support for PQC algorithms
2 parents 9be3902 + 68ea31c commit ac81d9d

14 files changed

Lines changed: 1049 additions & 83 deletions

File tree

src/internal.c

Lines changed: 108 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7807,13 +7807,13 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
78077807
#if defined(HAVE_PQC)
78087808
#if defined(HAVE_FALCON)
78097809
case DYNAMIC_TYPE_FALCON:
7810-
wc_falcon_init((falcon_key*)*pKey);
7810+
wc_falcon_init_ex((falcon_key*)*pKey, ssl->heap, ssl->devId);
78117811
ret = 0;
78127812
break;
78137813
#endif /* HAVE_FALCON */
78147814
#if defined(HAVE_DILITHIUM)
78157815
case DYNAMIC_TYPE_DILITHIUM:
7816-
wc_dilithium_init((dilithium_key*)*pKey);
7816+
wc_dilithium_init_ex((dilithium_key*)*pKey, ssl->heap, ssl->devId);
78177817
ret = 0;
78187818
break;
78197819
#endif /* HAVE_DILITHIUM */
@@ -27534,6 +27534,55 @@ int CreateDevPrivateKey(void** pkey, byte* data, word32 length, int hsType,
2753427534
}
2753527535
#endif
2753627536
}
27537+
else if (hsType == DYNAMIC_TYPE_DILITHIUM) {
27538+
#if defined(HAVE_PQC) && defined(HAVE_DILITHIUM)
27539+
dilithium_key* dilithiumKey;
27540+
27541+
dilithiumKey = (dilithium_key*)XMALLOC(sizeof(dilithium_key), heap,
27542+
DYNAMIC_TYPE_DILITHIUM);
27543+
if (dilithiumKey == NULL) {
27544+
return MEMORY_E;
27545+
}
27546+
27547+
if (label) {
27548+
ret = wc_dilithium_init_label(dilithiumKey, (char*)data,
27549+
heap, devId);
27550+
}
27551+
else if (id) {
27552+
ret = wc_dilithium_init_id(dilithiumKey, data, length, heap, devId);
27553+
}
27554+
if (ret == 0) {
27555+
*pkey = (void*)dilithiumKey;
27556+
}
27557+
else {
27558+
XFREE(dilithiumKey, heap, DYNAMIC_TYPE_DILITHIUM);
27559+
}
27560+
#endif
27561+
}
27562+
else if (hsType == DYNAMIC_TYPE_FALCON) {
27563+
#if defined(HAVE_PQC) && defined(HAVE_FALCON)
27564+
falcon_key* falconKey;
27565+
27566+
falconKey = (falcon_key*)XMALLOC(sizeof(falcon_key), heap,
27567+
DYNAMIC_TYPE_FALCON);
27568+
if (falconKey == NULL) {
27569+
return MEMORY_E;
27570+
}
27571+
27572+
if (label) {
27573+
ret = wc_falcon_init_label(falconKey, (char*)data, heap, devId);
27574+
}
27575+
else if (id) {
27576+
ret = wc_falcon_init_id(falconKey, data, length, heap, devId);
27577+
}
27578+
if (ret == 0) {
27579+
*pkey = (void*)falconKey;
27580+
}
27581+
else {
27582+
XFREE(falconKey, heap, DYNAMIC_TYPE_FALCON);
27583+
}
27584+
#endif
27585+
}
2753727586

2753827587
return ret;
2753927588
}
@@ -27582,6 +27631,10 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
2758227631
ssl->hsType = DYNAMIC_TYPE_RSA;
2758327632
else if (ssl->buffers.keyType == ecc_dsa_sa_algo)
2758427633
ssl->hsType = DYNAMIC_TYPE_ECC;
27634+
else if (ssl->buffers.keyType == falcon_level5_sa_algo)
27635+
ssl->hsType = DYNAMIC_TYPE_FALCON;
27636+
else if (ssl->buffers.keyType == dilithium_level5_sa_algo)
27637+
ssl->hsType = DYNAMIC_TYPE_DILITHIUM;
2758527638
ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
2758627639
if (ret != 0) {
2758727640
goto exit_dpk;
@@ -27637,6 +27690,59 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
2763727690
}
2763827691
#else
2763927692
ret = NOT_COMPILED_IN;
27693+
#endif
27694+
}
27695+
else if (ssl->buffers.keyType == falcon_level5_sa_algo) {
27696+
#if defined(HAVE_PQC) && defined(HAVE_FALCON)
27697+
if (ssl->buffers.keyLabel) {
27698+
ret = wc_falcon_init_label((falcon_key*)ssl->hsKey,
27699+
(char*)ssl->buffers.key->buffer,
27700+
ssl->heap, ssl->buffers.keyDevId);
27701+
}
27702+
else if (ssl->buffers.keyId) {
27703+
ret = wc_falcon_init_id((falcon_key*)ssl->hsKey,
27704+
ssl->buffers.key->buffer,
27705+
ssl->buffers.key->length, ssl->heap,
27706+
ssl->buffers.keyDevId);
27707+
}
27708+
if (ret == 0) {
27709+
if (ssl->buffers.keySz < ssl->options.minFalconKeySz) {
27710+
WOLFSSL_MSG("Falcon key size too small");
27711+
ERROR_OUT(FALCON_KEY_SIZE_E, exit_dpk);
27712+
}
27713+
27714+
/* Return the maximum signature length. */
27715+
*length = (word16)wc_falcon_sig_size((falcon_key*)ssl->hsKey);
27716+
}
27717+
#else
27718+
ret = NOT_COMPILED_IN;
27719+
#endif
27720+
}
27721+
else if (ssl->buffers.keyType == dilithium_level5_sa_algo) {
27722+
#if defined(HAVE_PQC) && defined(HAVE_DILITHIUM)
27723+
if (ssl->buffers.keyLabel) {
27724+
ret = wc_dilithium_init_label((dilithium_key*)ssl->hsKey,
27725+
(char*)ssl->buffers.key->buffer,
27726+
ssl->heap, ssl->buffers.keyDevId);
27727+
}
27728+
else if (ssl->buffers.keyId) {
27729+
ret = wc_dilithium_init_id((dilithium_key*)ssl->hsKey,
27730+
ssl->buffers.key->buffer,
27731+
ssl->buffers.key->length, ssl->heap,
27732+
ssl->buffers.keyDevId);
27733+
}
27734+
if (ret == 0) {
27735+
if (ssl->buffers.keySz < ssl->options.minDilithiumKeySz) {
27736+
WOLFSSL_MSG("Dilithium key size too small");
27737+
ERROR_OUT(DILITHIUM_KEY_SIZE_E, exit_dpk);
27738+
}
27739+
27740+
/* Return the maximum signature length. */
27741+
*length = (word16)wc_dilithium_sig_size(
27742+
(dilithium_key*)ssl->hsKey);
27743+
}
27744+
#else
27745+
ret = NOT_COMPILED_IN;
2764027746
#endif
2764127747
}
2764227748
goto exit_dpk;

src/ssl.c

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7838,6 +7838,9 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
78387838
#if defined(HAVE_FALCON)
78397839
case FALCON_LEVEL1k:
78407840
case FALCON_LEVEL5k:
7841+
#ifdef WOLF_PRIVATE_KEY_ID
7842+
keyType = falcon_level5_sa_algo;
7843+
#endif
78417844
/* Falcon is fixed key size */
78427845
keySz = FALCON_MAX_KEY_SIZE;
78437846
if (ssl && !ssl->options.verifyNone) {
@@ -7860,6 +7863,9 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
78607863
case DILITHIUM_LEVEL2k:
78617864
case DILITHIUM_LEVEL3k:
78627865
case DILITHIUM_LEVEL5k:
7866+
#ifdef WOLF_PRIVATE_KEY_ID
7867+
keyType = dilithium_level5_sa_algo;
7868+
#endif
78637869
/* Dilithium is fixed key size */
78647870
keySz = DILITHIUM_MAX_KEY_SIZE;
78657871
if (ssl && !ssl->options.verifyNone) {
@@ -9207,6 +9213,19 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap,
92079213
type = DYNAMIC_TYPE_ECC;
92089214
}
92099215
#endif
9216+
#if defined(HAVE_PQC) && defined(HAVE_DILITHIUM)
9217+
if ((der->keyOID == DILITHIUM_LEVEL2k) ||
9218+
(der->keyOID == DILITHIUM_LEVEL3k) ||
9219+
(der->keyOID == DILITHIUM_LEVEL5k)) {
9220+
type = DYNAMIC_TYPE_DILITHIUM;
9221+
}
9222+
#endif
9223+
#if defined(HAVE_PQC) && defined(HAVE_FALCON)
9224+
if ((der->keyOID == FALCON_LEVEL1k) ||
9225+
(der->keyOID == FALCON_LEVEL5k)) {
9226+
type = DYNAMIC_TYPE_FALCON;
9227+
}
9228+
#endif
92109229

92119230
ret = CreateDevPrivateKey(&pkey, buff, size, type,
92129231
isKeyLabel, isKeyId, heap, devId);
@@ -9228,6 +9247,23 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap,
92289247
der->publicKey, der->pubKeySize);
92299248
}
92309249
#endif
9250+
#if defined(HAVE_PQC) && defined(HAVE_DILITHIUM)
9251+
if ((der->keyOID == DILITHIUM_LEVEL2k) ||
9252+
(der->keyOID == DILITHIUM_LEVEL3k) ||
9253+
(der->keyOID == DILITHIUM_LEVEL5k)) {
9254+
ret = wc_CryptoCb_PqcSignatureCheckPrivKey(pkey,
9255+
WC_PQC_SIG_TYPE_DILITHIUM,
9256+
der->publicKey, der->pubKeySize);
9257+
}
9258+
#endif
9259+
#if defined(HAVE_PQC) && defined(HAVE_FALCON)
9260+
if ((der->keyOID == FALCON_LEVEL1k) ||
9261+
(der->keyOID == FALCON_LEVEL5k)) {
9262+
ret = wc_CryptoCb_PqcSignatureCheckPrivKey(pkey,
9263+
WC_PQC_SIG_TYPE_FALCON,
9264+
der->publicKey, der->pubKeySize);
9265+
}
9266+
#endif
92319267
}
92329268
#else
92339269
/* devId was set, don't check, for now */
@@ -9247,6 +9283,19 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap,
92479283
if (der->keyOID == ECDSAk) {
92489284
wc_ecc_free((ecc_key*)pkey);
92499285
}
9286+
#endif
9287+
#if defined(HAVE_PQC) && defined(HAVE_DILITHIUM)
9288+
if ((der->keyOID == DILITHIUM_LEVEL2k) ||
9289+
(der->keyOID == DILITHIUM_LEVEL3k) ||
9290+
(der->keyOID == DILITHIUM_LEVEL5k)) {
9291+
wc_dilithium_free((dilithium_key*)pkey);
9292+
}
9293+
#endif
9294+
#if defined(HAVE_PQC) && defined(HAVE_FALCON)
9295+
if ((der->keyOID == FALCON_LEVEL1k) ||
9296+
(der->keyOID == FALCON_LEVEL5k)) {
9297+
wc_falcon_free((falcon_key*)pkey);
9298+
}
92509299
#endif
92519300
XFREE(pkey, heap, type);
92529301
}

src/tls.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8419,7 +8419,7 @@ static int TLSX_KeyShare_ProcessPqc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
84198419
return BAD_FUNC_ARG;
84208420
}
84218421

8422-
ret = wc_KyberKey_Init(type, kem, ssl->heap, INVALID_DEVID);
8422+
ret = wc_KyberKey_Init(type, kem, ssl->heap, ssl->devId);
84238423
if (ret != 0) {
84248424
wc_ecc_free(&eccpubkey);
84258425
WOLFSSL_MSG("Error creating Kyber KEM");
@@ -8911,7 +8911,7 @@ static int server_generate_pqc_ciphertext(WOLFSSL* ssl,
89118911
return MEMORY_E;
89128912
}
89138913

8914-
ret = wc_KyberKey_Init(type, kem, ssl->heap, INVALID_DEVID);
8914+
ret = wc_KyberKey_Init(type, kem, ssl->heap, ssl->devId);
89158915
if (ret != 0) {
89168916
wc_ecc_free(&eccpubkey);
89178917
WOLFSSL_MSG("Error creating Kyber KEM");

wolfcrypt/src/asn.c

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -16441,7 +16441,8 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
1644116441
if (sigCtx->key.falcon == NULL) {
1644216442
ERROR_OUT(MEMORY_E, exit_cs);
1644316443
}
16444-
if ((ret = wc_falcon_init(sigCtx->key.falcon)) < 0) {
16444+
if ((ret = wc_falcon_init_ex(sigCtx->key.falcon,
16445+
sigCtx->heap, sigCtx->devId)) < 0) {
1644516446
goto exit_cs;
1644616447
}
1644716448
if ((ret = wc_falcon_set_level(sigCtx->key.falcon, 1))
@@ -16467,7 +16468,8 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
1646716468
if (sigCtx->key.falcon == NULL) {
1646816469
ERROR_OUT(MEMORY_E, exit_cs);
1646916470
}
16470-
if ((ret = wc_falcon_init(sigCtx->key.falcon)) < 0) {
16471+
if ((ret = wc_falcon_init_ex(sigCtx->key.falcon,
16472+
sigCtx->heap, sigCtx->devId)) < 0) {
1647116473
goto exit_cs;
1647216474
}
1647316475
if ((ret = wc_falcon_set_level(sigCtx->key.falcon, 5))
@@ -16495,7 +16497,8 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
1649516497
if (sigCtx->key.dilithium == NULL) {
1649616498
ERROR_OUT(MEMORY_E, exit_cs);
1649716499
}
16498-
if ((ret = wc_dilithium_init(sigCtx->key.dilithium)) < 0) {
16500+
if ((ret = wc_dilithium_init_ex(sigCtx->key.dilithium,
16501+
sigCtx->heap, sigCtx->devId)) < 0) {
1649916502
goto exit_cs;
1650016503
}
1650116504
if ((ret = wc_dilithium_set_level(
@@ -16521,7 +16524,8 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
1652116524
if (sigCtx->key.dilithium == NULL) {
1652216525
ERROR_OUT(MEMORY_E, exit_cs);
1652316526
}
16524-
if ((ret = wc_dilithium_init(sigCtx->key.dilithium)) < 0) {
16527+
if ((ret = wc_dilithium_init_ex(sigCtx->key.dilithium,
16528+
sigCtx->heap, sigCtx->devId)) < 0) {
1652516529
goto exit_cs;
1652616530
}
1652716531
if ((ret = wc_dilithium_set_level(
@@ -16547,7 +16551,8 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
1654716551
if (sigCtx->key.dilithium == NULL) {
1654816552
ERROR_OUT(MEMORY_E, exit_cs);
1654916553
}
16550-
if ((ret = wc_dilithium_init(sigCtx->key.dilithium)) < 0) {
16554+
if ((ret = wc_dilithium_init_ex(sigCtx->key.dilithium,
16555+
sigCtx->heap, sigCtx->devId)) < 0) {
1655116556
goto exit_cs;
1655216557
}
1655316558
if ((ret = wc_dilithium_set_level(

0 commit comments

Comments
 (0)