Skip to content

Commit

Permalink
ML-DSA: update more ssl code.
Browse files Browse the repository at this point in the history
  • Loading branch information
@philljj
philljj committed Jan 21, 2025
1 parent f485696 commit 10a7c16
Show file tree
Hide file tree
Showing 6 changed files with 251 additions and 67 deletions.
105 changes: 85 additions & 20 deletions src/internal.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14889,6 +14889,7 @@ static int ProcessPeerCertCheckKey(WOLFSSL* ssl, ProcPeerCertArgs* args)
break;
#endif /* HAVE_FALCON */
#if defined(HAVE_DILITHIUM)
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
case DILITHIUM_LEVEL2k:
if (ssl->options.minDilithiumKeySz < 0 ||
DILITHIUM_LEVEL2_KEY_SIZE
Expand All @@ -14913,6 +14914,31 @@ static int ProcessPeerCertCheckKey(WOLFSSL* ssl, ProcPeerCertArgs* args)
ret = DILITHIUM_KEY_SIZE_E;
}
break;
#endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */
case ML_DSA_LEVEL2k:
if (ssl->options.minDilithiumKeySz < 0 ||
ML_DSA_LEVEL2_KEY_SIZE
< (word16)ssl->options.minDilithiumKeySz) {
WOLFSSL_MSG("Dilithium key size in cert chain error");
ret = DILITHIUM_KEY_SIZE_E;
}
break;
case ML_DSA_LEVEL3k:
if (ssl->options.minDilithiumKeySz < 0 ||
ML_DSA_LEVEL3_KEY_SIZE
< (word16)ssl->options.minDilithiumKeySz) {
WOLFSSL_MSG( "Dilithium key size in cert chain error");
ret = DILITHIUM_KEY_SIZE_E;
}
break;
case ML_DSA_LEVEL5k:
if (ssl->options.minDilithiumKeySz < 0 ||
ML_DSA_LEVEL5_KEY_SIZE
< (word16)ssl->options.minDilithiumKeySz) {
WOLFSSL_MSG("Dilithium key size in cert chain error");
ret = DILITHIUM_KEY_SIZE_E;
}
break;
#endif /* HAVE_DILITHIUM */
default:
WOLFSSL_MSG("Key size not checked");
Expand Down Expand Up @@ -16541,9 +16567,14 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif /* HAVE_FALCON */
#if defined(HAVE_DILITHIUM) && \
!defined(WOLFSSL_DILITHIUM_NO_VERIFY)
case ML_DSA_LEVEL2k:
case ML_DSA_LEVEL3k:
case ML_DSA_LEVEL5k:
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
case DILITHIUM_LEVEL2k:
case DILITHIUM_LEVEL3k:
case DILITHIUM_LEVEL5k:
#endif
{
int keyRet = 0;
if (ssl->peerDilithiumKey == NULL) {
Expand All @@ -16557,18 +16588,32 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}

if (keyRet == 0) {
if (args->dCert->keyOID == DILITHIUM_LEVEL2k) {
if (args->dCert->keyOID == ML_DSA_LEVEL2k) {
keyRet = wc_dilithium_set_level(
ssl->peerDilithiumKey, WC_ML_DSA_44);
}
else if (args->dCert->keyOID == ML_DSA_LEVEL3k) {
keyRet = wc_dilithium_set_level(
ssl->peerDilithiumKey, WC_ML_DSA_65);
}
else if (args->dCert->keyOID == ML_DSA_LEVEL5k) {
keyRet = wc_dilithium_set_level(
ssl->peerDilithiumKey, WC_ML_DSA_87);
}
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
else if (args->dCert->keyOID == DILITHIUM_LEVEL2k) {
keyRet = wc_dilithium_set_level(
ssl->peerDilithiumKey, 2);
ssl->peerDilithiumKey, WC_ML_DSA_44_DRAFT);
}
else if (args->dCert->keyOID == DILITHIUM_LEVEL3k) {
keyRet = wc_dilithium_set_level(
ssl->peerDilithiumKey, 3);
ssl->peerDilithiumKey, WC_ML_DSA_65_DRAFT);
}
else if (args->dCert->keyOID == DILITHIUM_LEVEL5k) {
keyRet = wc_dilithium_set_level(
ssl->peerDilithiumKey, 5);
ssl->peerDilithiumKey, WC_ML_DSA_87_DRAFT);
}
#endif
}

if (keyRet != 0 ||
Expand Down Expand Up @@ -28487,6 +28532,7 @@ static int MatchSigAlgo(WOLFSSL* ssl, int sigAlgo)
}
#endif /* HAVE_FALCON */
#ifdef HAVE_DILITHIUM
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL2) {
/* Certificate has Dilithium level 2 key, only match with it. */
return sigAlgo == dilithium_level2_sa_algo;
Expand All @@ -28499,6 +28545,19 @@ static int MatchSigAlgo(WOLFSSL* ssl, int sigAlgo)
/* Certificate has Dilithium level 5 key, only match with it. */
return sigAlgo == dilithium_level5_sa_algo;
}
#endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */
if (ssl->pkCurveOID == CTC_ML_DSA_LEVEL2) {
/* Certificate has ML-DSA level 2 key, only match with it. */
return sigAlgo == dilithium_level2_sa_algo;
}
if (ssl->pkCurveOID == CTC_ML_DSA_LEVEL3) {
/* Certificate has ML-DSA level 3 key, only match with it. */
return sigAlgo == dilithium_level3_sa_algo;
}
if (ssl->pkCurveOID == CTC_ML_DSA_LEVEL5) {
/* Certificate has ML-DSA level 5 key, only match with it. */
return sigAlgo == dilithium_level5_sa_algo;
}
#endif /* HAVE_DILITHIUM */
#ifdef WC_RSA_PSS
/* RSA certificate and PSS sig alg. */
Expand Down Expand Up @@ -28661,10 +28720,16 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz,
}
#endif /* HAVE_FALCON */
#if defined(HAVE_DILITHIUM)
if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL2 ||
ssl->pkCurveOID == CTC_DILITHIUM_LEVEL3 ||
ssl->pkCurveOID == CTC_DILITHIUM_LEVEL5) {
/* Matched Dilithium - set chosen and finished. */
if (ssl->pkCurveOID == CTC_ML_DSA_LEVEL2 ||
ssl->pkCurveOID == CTC_ML_DSA_LEVEL3 ||
ssl->pkCurveOID == CTC_ML_DSA_LEVEL5
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
|| ssl->pkCurveOID == CTC_DILITHIUM_LEVEL2
|| ssl->pkCurveOID == CTC_DILITHIUM_LEVEL3
|| ssl->pkCurveOID == CTC_DILITHIUM_LEVEL5
#endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */
) {
/* Matched ML-DSA or Dilithium - set chosen and finished. */
ssl->options.sigAlgo = sigAlgo;
ssl->options.hashAlgo = hashAlgo;
ret = 0;
Expand Down Expand Up @@ -29292,13 +29357,13 @@ int DecodePrivateKey(WOLFSSL *ssl, word32* length)
}
if (ret == 0) {
if (ssl->buffers.keyType == dilithium_level2_sa_algo) {
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 2);
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_44);
}
else if (ssl->buffers.keyType == dilithium_level3_sa_algo) {
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 3);
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_65);
}
else if (ssl->buffers.keyType == dilithium_level5_sa_algo) {
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 5);
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_87);
}
}
if (ret == 0) {
Expand Down Expand Up @@ -29632,13 +29697,13 @@ int DecodePrivateKey(WOLFSSL *ssl, word32* length)
}

if (ssl->buffers.keyType == dilithium_level2_sa_algo) {
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 2);
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_44);
}
else if (ssl->buffers.keyType == dilithium_level3_sa_algo) {
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 3);
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_65);
}
else if (ssl->buffers.keyType == dilithium_level5_sa_algo) {
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 5);
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_87);
}
else {
/* What if ssl->buffers.keyType is 0? We might want to do something
Expand Down Expand Up @@ -29845,15 +29910,15 @@ int DecodeAltPrivateKey(WOLFSSL *ssl, word32* length)
if (ret == 0) {
if (ssl->buffers.altKeyType == dilithium_level2_sa_algo) {
ret = wc_dilithium_set_level(
(dilithium_key*)ssl->hsAltKey, 2);
(dilithium_key*)ssl->hsAltKey, WC_ML_DSA_44);
}
else if (ssl->buffers.altKeyType == dilithium_level3_sa_algo) {
ret = wc_dilithium_set_level(
(dilithium_key*)ssl->hsAltKey, 3);
(dilithium_key*)ssl->hsAltKey, WC_ML_DSA_65);
}
else if (ssl->buffers.altKeyType == dilithium_level5_sa_algo) {
ret = wc_dilithium_set_level(
(dilithium_key*)ssl->hsAltKey, 5);
(dilithium_key*)ssl->hsAltKey, WC_ML_DSA_87);
}
}
if (ret == 0) {
Expand Down Expand Up @@ -30064,13 +30129,13 @@ int DecodeAltPrivateKey(WOLFSSL *ssl, word32* length)
}

if (ssl->buffers.altKeyType == dilithium_level2_sa_algo) {
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, 2);
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, WC_ML_DSA_44);
}
else if (ssl->buffers.altKeyType == dilithium_level3_sa_algo) {
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, 3);
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, WC_ML_DSA_65);
}
else if (ssl->buffers.altKeyType == dilithium_level5_sa_algo) {
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, 5);
ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, WC_ML_DSA_87);
}
else {
/* What if ssl->buffers.keyType is 0? We might want to do something
Expand Down
91 changes: 70 additions & 21 deletions src/ssl.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5808,6 +5808,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
break;
#endif /* HAVE_FALCON */
#if defined(HAVE_DILITHIUM)
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
case DILITHIUM_LEVEL2k:
if (cm->minDilithiumKeySz < 0 ||
DILITHIUM_LEVEL2_KEY_SIZE < (word16)cm->minDilithiumKeySz) {
Expand All @@ -5829,6 +5830,28 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
WOLFSSL_MSG("\tCA Dilithium level 5 key size error");
}
break;
#endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */
case ML_DSA_LEVEL2k:
if (cm->minDilithiumKeySz < 0 ||
ML_DSA_LEVEL2_KEY_SIZE < (word16)cm->minDilithiumKeySz) {
ret = DILITHIUM_KEY_SIZE_E;
WOLFSSL_MSG("\tCA Dilithium level 2 key size error");
}
break;
case ML_DSA_LEVEL3k:
if (cm->minDilithiumKeySz < 0 ||
ML_DSA_LEVEL3_KEY_SIZE < (word16)cm->minDilithiumKeySz) {
ret = DILITHIUM_KEY_SIZE_E;
WOLFSSL_MSG("\tCA Dilithium level 3 key size error");
}
break;
case ML_DSA_LEVEL5k:
if (cm->minDilithiumKeySz < 0 ||
ML_DSA_LEVEL5_KEY_SIZE < (word16)cm->minDilithiumKeySz) {
ret = DILITHIUM_KEY_SIZE_E;
WOLFSSL_MSG("\tCA Dilithium level 5 key size error");
}
break;
#endif /* HAVE_DILITHIUM */

default:
Expand Down Expand Up @@ -6847,9 +6870,15 @@ static int check_cert_key_dev(word32 keyOID, byte* privKey, word32 privSz,
}
#endif
#if defined(HAVE_DILITHIUM)
if ((keyOID == DILITHIUM_LEVEL2k) ||
(keyOID == DILITHIUM_LEVEL3k) ||
(keyOID == DILITHIUM_LEVEL5k)) {
if ((keyOID == ML_DSA_LEVEL2k) ||
(keyOID == ML_DSA_LEVEL3k) ||
(keyOID == ML_DSA_LEVEL5k)
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
|| (keyOID == DILITHIUM_LEVEL2k)
|| (keyOID == DILITHIUM_LEVEL3k)
|| (keyOID == DILITHIUM_LEVEL5k)
#endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */
) {
type = DYNAMIC_TYPE_DILITHIUM;
}
#endif
Expand Down Expand Up @@ -6879,9 +6908,15 @@ static int check_cert_key_dev(word32 keyOID, byte* privKey, word32 privSz,
}
#endif
#if defined(HAVE_DILITHIUM)
if ((keyOID == DILITHIUM_LEVEL2k) ||
(keyOID == DILITHIUM_LEVEL3k) ||
(keyOID == DILITHIUM_LEVEL5k)) {
if ((keyOID == ML_DSA_LEVEL2k) ||
(keyOID == ML_DSA_LEVEL3k) ||
(keyOID == ML_DSA_LEVEL5k)
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
|| (keyOID == DILITHIUM_LEVEL2k)
|| (keyOID == DILITHIUM_LEVEL3k)
|| (keyOID == DILITHIUM_LEVEL5k)
#endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */
) {
ret = wc_CryptoCb_PqcSignatureCheckPrivKey(pkey,
WC_PQC_SIG_TYPE_DILITHIUM,
pubKey, pubSz);
Expand Down Expand Up @@ -6918,9 +6953,15 @@ static int check_cert_key_dev(word32 keyOID, byte* privKey, word32 privSz,
}
#endif
#if defined(HAVE_DILITHIUM)
if ((keyOID == DILITHIUM_LEVEL2k) ||
(keyOID == DILITHIUM_LEVEL3k) ||
(keyOID == DILITHIUM_LEVEL5k)) {
if ((keyOID == ML_DSA_LEVEL2k) ||
(keyOID == ML_DSA_LEVEL3k) ||
(keyOID == ML_DSA_LEVEL5k)
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
|| (keyOID == DILITHIUM_LEVEL2k) ||
|| (keyOID == DILITHIUM_LEVEL3k) ||
|| (keyOID == DILITHIUM_LEVEL5k)
#endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */
) {
wc_dilithium_free((dilithium_key*)pkey);
}
#endif
Expand Down Expand Up @@ -7745,31 +7786,31 @@ static int d2iTryDilithiumKey(WOLFSSL_EVP_PKEY** out, const unsigned char* mem,

/* Test if Dilithium key. Try all levels. */
if (priv) {
isDilithium = ((wc_dilithium_set_level(dilithium, 2) == 0) &&
isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_44) == 0) &&
(wc_dilithium_import_private(mem,
(word32)memSz, dilithium) == 0));
if (!isDilithium) {
isDilithium = ((wc_dilithium_set_level(dilithium, 3) == 0) &&
isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_65) == 0) &&
(wc_dilithium_import_private(mem,
(word32)memSz, dilithium) == 0));
}
if (!isDilithium) {
isDilithium = ((wc_dilithium_set_level(dilithium, 5) == 0) &&
isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_87) == 0) &&
(wc_dilithium_import_private(mem,
(word32)memSz, dilithium) == 0));
}
}
else {
isDilithium = ((wc_dilithium_set_level(dilithium, 2) == 0) &&
isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_44) == 0) &&
(wc_dilithium_import_public(mem, (word32)memSz,
dilithium) == 0));
if (!isDilithium) {
isDilithium = ((wc_dilithium_set_level(dilithium, 3) == 0) &&
isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_65) == 0) &&
(wc_dilithium_import_public(mem, (word32)memSz,
dilithium) == 0));
}
if (!isDilithium) {
isDilithium = ((wc_dilithium_set_level(dilithium, 5) == 0) &&
isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_87) == 0) &&
(wc_dilithium_import_public(mem, (word32)memSz,
dilithium) == 0));
}
Expand Down Expand Up @@ -12097,13 +12138,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
*sigAlgo = FALCON_LEVEL5k;
break;
case dilithium_level2_sa_algo:
*sigAlgo = DILITHIUM_LEVEL2k;
*sigAlgo = ML_DSA_LEVEL2k;
break;
case dilithium_level3_sa_algo:
*sigAlgo = DILITHIUM_LEVEL3k;
*sigAlgo = ML_DSA_LEVEL3k;
break;
case dilithium_level5_sa_algo:
*sigAlgo = DILITHIUM_LEVEL5k;
*sigAlgo = ML_DSA_LEVEL5k;
break;
case sm2_sa_algo:
*sigAlgo = SM2k;
Expand Down Expand Up @@ -18354,12 +18395,20 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
"Falcon Level 5"},
#endif /* HAVE_FALCON */
#ifdef HAVE_DILITHIUM
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
{ CTC_DILITHIUM_LEVEL2, DILITHIUM_LEVEL2k, oidKeyType,
"Dilithium Level 2", "Dilithium Level 2"},
{ CTC_DILITHIUM_LEVEL3, DILITHIUM_LEVEL3k, oidKeyType,
"Dilithium Level 3", "Dilithium Level 3"},
{ CTC_DILITHIUM_LEVEL5, DILITHIUM_LEVEL5k, oidKeyType,
"Dilithium Level 5", "Dilithium Level 5"},
#endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */
{ CTC_ML_DSA_LEVEL2, ML_DSA_LEVEL2k, oidKeyType,
"ML_DSA Level 2", "ML_DSA Level 2"},
{ CTC_ML_DSA_LEVEL3, ML_DSA_LEVEL3k, oidKeyType,
"ML_DSA Level 3", "ML_DSA Level 3"},
{ CTC_ML_DSA_LEVEL5, ML_DSA_LEVEL5k, oidKeyType,
"ML_DSA Level 5", "ML_DSA Level 5"},
#endif /* HAVE_DILITHIUM */

/* oidCurveType */
Expand Down Expand Up @@ -18742,13 +18791,13 @@ static int SaToNid(byte sa, int* nid)
*nid = CTC_FALCON_LEVEL5;
break;
case dilithium_level2_sa_algo:
*nid = CTC_DILITHIUM_LEVEL2;
*nid = CTC_ML_DSA_LEVEL2;
break;
case dilithium_level3_sa_algo:
*nid = CTC_DILITHIUM_LEVEL3;
*nid = CTC_ML_DSA_LEVEL3;
break;
case dilithium_level5_sa_algo:
*nid = CTC_DILITHIUM_LEVEL5;
*nid = CTC_ML_DSA_LEVEL5;
break;
case sm2_sa_algo:
*nid = WC_NID_sm2;
Expand Down
Loading

0 comments on commit 10a7c16

Please sign in to comment.