diff --git a/src/internal.c b/src/internal.c index 666de86455..6e623233b2 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14889,6 +14889,7 @@ static int ProcessPeerCertCheckKey(WOLFSSL* ssl, ProcPeerCertArgs* args) break; #endif /* HAVE_FALCON */ #if defined(HAVE_DILITHIUM) + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT case DILITHIUM_LEVEL2k: if (ssl->options.minDilithiumKeySz < 0 || DILITHIUM_LEVEL2_KEY_SIZE @@ -14913,6 +14914,31 @@ static int ProcessPeerCertCheckKey(WOLFSSL* ssl, ProcPeerCertArgs* args) ret = DILITHIUM_KEY_SIZE_E; } break; + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ + case ML_DSA_LEVEL2k: + if (ssl->options.minDilithiumKeySz < 0 || + ML_DSA_LEVEL2_KEY_SIZE + < (word16)ssl->options.minDilithiumKeySz) { + WOLFSSL_MSG("Dilithium key size in cert chain error"); + ret = DILITHIUM_KEY_SIZE_E; + } + break; + case ML_DSA_LEVEL3k: + if (ssl->options.minDilithiumKeySz < 0 || + ML_DSA_LEVEL3_KEY_SIZE + < (word16)ssl->options.minDilithiumKeySz) { + WOLFSSL_MSG( "Dilithium key size in cert chain error"); + ret = DILITHIUM_KEY_SIZE_E; + } + break; + case ML_DSA_LEVEL5k: + if (ssl->options.minDilithiumKeySz < 0 || + ML_DSA_LEVEL5_KEY_SIZE + < (word16)ssl->options.minDilithiumKeySz) { + WOLFSSL_MSG("Dilithium key size in cert chain error"); + ret = DILITHIUM_KEY_SIZE_E; + } + break; #endif /* HAVE_DILITHIUM */ default: WOLFSSL_MSG("Key size not checked"); @@ -16541,9 +16567,14 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif /* HAVE_FALCON */ #if defined(HAVE_DILITHIUM) && \ !defined(WOLFSSL_DILITHIUM_NO_VERIFY) + case ML_DSA_LEVEL2k: + case ML_DSA_LEVEL3k: + case ML_DSA_LEVEL5k: + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT case DILITHIUM_LEVEL2k: case DILITHIUM_LEVEL3k: case DILITHIUM_LEVEL5k: + #endif { int keyRet = 0; if (ssl->peerDilithiumKey == NULL) { @@ -16557,18 +16588,32 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } if (keyRet == 0) { - if (args->dCert->keyOID == DILITHIUM_LEVEL2k) { + if (args->dCert->keyOID == ML_DSA_LEVEL2k) { + keyRet = wc_dilithium_set_level( + ssl->peerDilithiumKey, WC_ML_DSA_44); + } + else if (args->dCert->keyOID == ML_DSA_LEVEL3k) { + keyRet = wc_dilithium_set_level( + ssl->peerDilithiumKey, WC_ML_DSA_65); + } + else if (args->dCert->keyOID == ML_DSA_LEVEL5k) { + keyRet = wc_dilithium_set_level( + ssl->peerDilithiumKey, WC_ML_DSA_87); + } + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + else if (args->dCert->keyOID == DILITHIUM_LEVEL2k) { keyRet = wc_dilithium_set_level( - ssl->peerDilithiumKey, 2); + ssl->peerDilithiumKey, WC_ML_DSA_44_DRAFT); } else if (args->dCert->keyOID == DILITHIUM_LEVEL3k) { keyRet = wc_dilithium_set_level( - ssl->peerDilithiumKey, 3); + ssl->peerDilithiumKey, WC_ML_DSA_65_DRAFT); } else if (args->dCert->keyOID == DILITHIUM_LEVEL5k) { keyRet = wc_dilithium_set_level( - ssl->peerDilithiumKey, 5); + ssl->peerDilithiumKey, WC_ML_DSA_87_DRAFT); } + #endif } if (keyRet != 0 || @@ -28487,6 +28532,7 @@ static int MatchSigAlgo(WOLFSSL* ssl, int sigAlgo) } #endif /* HAVE_FALCON */ #ifdef HAVE_DILITHIUM + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL2) { /* Certificate has Dilithium level 2 key, only match with it. */ return sigAlgo == dilithium_level2_sa_algo; @@ -28499,6 +28545,19 @@ static int MatchSigAlgo(WOLFSSL* ssl, int sigAlgo) /* Certificate has Dilithium level 5 key, only match with it. */ return sigAlgo == dilithium_level5_sa_algo; } + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ + if (ssl->pkCurveOID == CTC_ML_DSA_LEVEL2) { + /* Certificate has ML-DSA level 2 key, only match with it. */ + return sigAlgo == dilithium_level2_sa_algo; + } + if (ssl->pkCurveOID == CTC_ML_DSA_LEVEL3) { + /* Certificate has ML-DSA level 3 key, only match with it. */ + return sigAlgo == dilithium_level3_sa_algo; + } + if (ssl->pkCurveOID == CTC_ML_DSA_LEVEL5) { + /* Certificate has ML-DSA level 5 key, only match with it. */ + return sigAlgo == dilithium_level5_sa_algo; + } #endif /* HAVE_DILITHIUM */ #ifdef WC_RSA_PSS /* RSA certificate and PSS sig alg. */ @@ -28661,10 +28720,16 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz, } #endif /* HAVE_FALCON */ #if defined(HAVE_DILITHIUM) - if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL2 || - ssl->pkCurveOID == CTC_DILITHIUM_LEVEL3 || - ssl->pkCurveOID == CTC_DILITHIUM_LEVEL5) { - /* Matched Dilithium - set chosen and finished. */ + if (ssl->pkCurveOID == CTC_ML_DSA_LEVEL2 || + ssl->pkCurveOID == CTC_ML_DSA_LEVEL3 || + ssl->pkCurveOID == CTC_ML_DSA_LEVEL5 + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + || ssl->pkCurveOID == CTC_DILITHIUM_LEVEL2 + || ssl->pkCurveOID == CTC_DILITHIUM_LEVEL3 + || ssl->pkCurveOID == CTC_DILITHIUM_LEVEL5 + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ + ) { + /* Matched ML-DSA or Dilithium - set chosen and finished. */ ssl->options.sigAlgo = sigAlgo; ssl->options.hashAlgo = hashAlgo; ret = 0; @@ -29292,13 +29357,13 @@ int DecodePrivateKey(WOLFSSL *ssl, word32* length) } if (ret == 0) { if (ssl->buffers.keyType == dilithium_level2_sa_algo) { - ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 2); + ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_44); } else if (ssl->buffers.keyType == dilithium_level3_sa_algo) { - ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 3); + ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_65); } else if (ssl->buffers.keyType == dilithium_level5_sa_algo) { - ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 5); + ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_87); } } if (ret == 0) { @@ -29632,13 +29697,13 @@ int DecodePrivateKey(WOLFSSL *ssl, word32* length) } if (ssl->buffers.keyType == dilithium_level2_sa_algo) { - ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 2); + ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_44); } else if (ssl->buffers.keyType == dilithium_level3_sa_algo) { - ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 3); + ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_65); } else if (ssl->buffers.keyType == dilithium_level5_sa_algo) { - ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 5); + ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, WC_ML_DSA_87); } else { /* What if ssl->buffers.keyType is 0? We might want to do something @@ -29845,15 +29910,15 @@ int DecodeAltPrivateKey(WOLFSSL *ssl, word32* length) if (ret == 0) { if (ssl->buffers.altKeyType == dilithium_level2_sa_algo) { ret = wc_dilithium_set_level( - (dilithium_key*)ssl->hsAltKey, 2); + (dilithium_key*)ssl->hsAltKey, WC_ML_DSA_44); } else if (ssl->buffers.altKeyType == dilithium_level3_sa_algo) { ret = wc_dilithium_set_level( - (dilithium_key*)ssl->hsAltKey, 3); + (dilithium_key*)ssl->hsAltKey, WC_ML_DSA_65); } else if (ssl->buffers.altKeyType == dilithium_level5_sa_algo) { ret = wc_dilithium_set_level( - (dilithium_key*)ssl->hsAltKey, 5); + (dilithium_key*)ssl->hsAltKey, WC_ML_DSA_87); } } if (ret == 0) { @@ -30064,13 +30129,13 @@ int DecodeAltPrivateKey(WOLFSSL *ssl, word32* length) } if (ssl->buffers.altKeyType == dilithium_level2_sa_algo) { - ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, 2); + ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, WC_ML_DSA_44); } else if (ssl->buffers.altKeyType == dilithium_level3_sa_algo) { - ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, 3); + ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, WC_ML_DSA_65); } else if (ssl->buffers.altKeyType == dilithium_level5_sa_algo) { - ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, 5); + ret = wc_dilithium_set_level((dilithium_key*)ssl->hsAltKey, WC_ML_DSA_87); } else { /* What if ssl->buffers.keyType is 0? We might want to do something diff --git a/src/ssl.c b/src/ssl.c index 9072b8436a..ff1fdbc226 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5808,6 +5808,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) break; #endif /* HAVE_FALCON */ #if defined(HAVE_DILITHIUM) + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT case DILITHIUM_LEVEL2k: if (cm->minDilithiumKeySz < 0 || DILITHIUM_LEVEL2_KEY_SIZE < (word16)cm->minDilithiumKeySz) { @@ -5829,6 +5830,28 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) WOLFSSL_MSG("\tCA Dilithium level 5 key size error"); } break; + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ + case ML_DSA_LEVEL2k: + if (cm->minDilithiumKeySz < 0 || + ML_DSA_LEVEL2_KEY_SIZE < (word16)cm->minDilithiumKeySz) { + ret = DILITHIUM_KEY_SIZE_E; + WOLFSSL_MSG("\tCA Dilithium level 2 key size error"); + } + break; + case ML_DSA_LEVEL3k: + if (cm->minDilithiumKeySz < 0 || + ML_DSA_LEVEL3_KEY_SIZE < (word16)cm->minDilithiumKeySz) { + ret = DILITHIUM_KEY_SIZE_E; + WOLFSSL_MSG("\tCA Dilithium level 3 key size error"); + } + break; + case ML_DSA_LEVEL5k: + if (cm->minDilithiumKeySz < 0 || + ML_DSA_LEVEL5_KEY_SIZE < (word16)cm->minDilithiumKeySz) { + ret = DILITHIUM_KEY_SIZE_E; + WOLFSSL_MSG("\tCA Dilithium level 5 key size error"); + } + break; #endif /* HAVE_DILITHIUM */ default: @@ -6847,9 +6870,15 @@ static int check_cert_key_dev(word32 keyOID, byte* privKey, word32 privSz, } #endif #if defined(HAVE_DILITHIUM) - if ((keyOID == DILITHIUM_LEVEL2k) || - (keyOID == DILITHIUM_LEVEL3k) || - (keyOID == DILITHIUM_LEVEL5k)) { + if ((keyOID == ML_DSA_LEVEL2k) || + (keyOID == ML_DSA_LEVEL3k) || + (keyOID == ML_DSA_LEVEL5k) + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + || (keyOID == DILITHIUM_LEVEL2k) + || (keyOID == DILITHIUM_LEVEL3k) + || (keyOID == DILITHIUM_LEVEL5k) + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ + ) { type = DYNAMIC_TYPE_DILITHIUM; } #endif @@ -6879,9 +6908,15 @@ static int check_cert_key_dev(word32 keyOID, byte* privKey, word32 privSz, } #endif #if defined(HAVE_DILITHIUM) - if ((keyOID == DILITHIUM_LEVEL2k) || - (keyOID == DILITHIUM_LEVEL3k) || - (keyOID == DILITHIUM_LEVEL5k)) { + if ((keyOID == ML_DSA_LEVEL2k) || + (keyOID == ML_DSA_LEVEL3k) || + (keyOID == ML_DSA_LEVEL5k) + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + || (keyOID == DILITHIUM_LEVEL2k) + || (keyOID == DILITHIUM_LEVEL3k) + || (keyOID == DILITHIUM_LEVEL5k) + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ + ) { ret = wc_CryptoCb_PqcSignatureCheckPrivKey(pkey, WC_PQC_SIG_TYPE_DILITHIUM, pubKey, pubSz); @@ -6918,9 +6953,15 @@ static int check_cert_key_dev(word32 keyOID, byte* privKey, word32 privSz, } #endif #if defined(HAVE_DILITHIUM) - if ((keyOID == DILITHIUM_LEVEL2k) || - (keyOID == DILITHIUM_LEVEL3k) || - (keyOID == DILITHIUM_LEVEL5k)) { + if ((keyOID == ML_DSA_LEVEL2k) || + (keyOID == ML_DSA_LEVEL3k) || + (keyOID == ML_DSA_LEVEL5k) + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + || (keyOID == DILITHIUM_LEVEL2k) || + || (keyOID == DILITHIUM_LEVEL3k) || + || (keyOID == DILITHIUM_LEVEL5k) + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ + ) { wc_dilithium_free((dilithium_key*)pkey); } #endif @@ -7745,31 +7786,31 @@ static int d2iTryDilithiumKey(WOLFSSL_EVP_PKEY** out, const unsigned char* mem, /* Test if Dilithium key. Try all levels. */ if (priv) { - isDilithium = ((wc_dilithium_set_level(dilithium, 2) == 0) && + isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_44) == 0) && (wc_dilithium_import_private(mem, (word32)memSz, dilithium) == 0)); if (!isDilithium) { - isDilithium = ((wc_dilithium_set_level(dilithium, 3) == 0) && + isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_65) == 0) && (wc_dilithium_import_private(mem, (word32)memSz, dilithium) == 0)); } if (!isDilithium) { - isDilithium = ((wc_dilithium_set_level(dilithium, 5) == 0) && + isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_87) == 0) && (wc_dilithium_import_private(mem, (word32)memSz, dilithium) == 0)); } } else { - isDilithium = ((wc_dilithium_set_level(dilithium, 2) == 0) && + isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_44) == 0) && (wc_dilithium_import_public(mem, (word32)memSz, dilithium) == 0)); if (!isDilithium) { - isDilithium = ((wc_dilithium_set_level(dilithium, 3) == 0) && + isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_65) == 0) && (wc_dilithium_import_public(mem, (word32)memSz, dilithium) == 0)); } if (!isDilithium) { - isDilithium = ((wc_dilithium_set_level(dilithium, 5) == 0) && + isDilithium = ((wc_dilithium_set_level(dilithium, WC_ML_DSA_87) == 0) && (wc_dilithium_import_public(mem, (word32)memSz, dilithium) == 0)); } @@ -12097,13 +12138,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl) *sigAlgo = FALCON_LEVEL5k; break; case dilithium_level2_sa_algo: - *sigAlgo = DILITHIUM_LEVEL2k; + *sigAlgo = ML_DSA_LEVEL2k; break; case dilithium_level3_sa_algo: - *sigAlgo = DILITHIUM_LEVEL3k; + *sigAlgo = ML_DSA_LEVEL3k; break; case dilithium_level5_sa_algo: - *sigAlgo = DILITHIUM_LEVEL5k; + *sigAlgo = ML_DSA_LEVEL5k; break; case sm2_sa_algo: *sigAlgo = SM2k; @@ -18354,12 +18395,20 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { "Falcon Level 5"}, #endif /* HAVE_FALCON */ #ifdef HAVE_DILITHIUM + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT { CTC_DILITHIUM_LEVEL2, DILITHIUM_LEVEL2k, oidKeyType, "Dilithium Level 2", "Dilithium Level 2"}, { CTC_DILITHIUM_LEVEL3, DILITHIUM_LEVEL3k, oidKeyType, "Dilithium Level 3", "Dilithium Level 3"}, { CTC_DILITHIUM_LEVEL5, DILITHIUM_LEVEL5k, oidKeyType, "Dilithium Level 5", "Dilithium Level 5"}, + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ + { CTC_ML_DSA_LEVEL2, ML_DSA_LEVEL2k, oidKeyType, + "ML_DSA Level 2", "ML_DSA Level 2"}, + { CTC_ML_DSA_LEVEL3, ML_DSA_LEVEL3k, oidKeyType, + "ML_DSA Level 3", "ML_DSA Level 3"}, + { CTC_ML_DSA_LEVEL5, ML_DSA_LEVEL5k, oidKeyType, + "ML_DSA Level 5", "ML_DSA Level 5"}, #endif /* HAVE_DILITHIUM */ /* oidCurveType */ @@ -18742,13 +18791,13 @@ static int SaToNid(byte sa, int* nid) *nid = CTC_FALCON_LEVEL5; break; case dilithium_level2_sa_algo: - *nid = CTC_DILITHIUM_LEVEL2; + *nid = CTC_ML_DSA_LEVEL2; break; case dilithium_level3_sa_algo: - *nid = CTC_DILITHIUM_LEVEL3; + *nid = CTC_ML_DSA_LEVEL3; break; case dilithium_level5_sa_algo: - *nid = CTC_DILITHIUM_LEVEL5; + *nid = CTC_ML_DSA_LEVEL5; break; case sm2_sa_algo: *nid = WC_NID_sm2; diff --git a/src/ssl_load.c b/src/ssl_load.c index 16921f7d91..c6562124bd 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c @@ -961,21 +961,38 @@ static int ProcessBufferTryDecodeDilithium(WOLFSSL_CTX* ctx, WOLFSSL* ssl, ret = wc_dilithium_init(key); if (ret == 0) { /* Set up key to parse the format specified. */ - if ((*keyFormat == DILITHIUM_LEVEL2k) || ((*keyFormat == 0) && + if ((*keyFormat == ML_DSA_LEVEL2k) || ((*keyFormat == 0) && + ((der->length == ML_DSA_LEVEL2_KEY_SIZE) || + (der->length == ML_DSA_LEVEL2_PRV_KEY_SIZE)))) { + ret = wc_dilithium_set_level(key, WC_ML_DSA_44); + } + else if ((*keyFormat == ML_DSA_LEVEL3k) || ((*keyFormat == 0) && + ((der->length == ML_DSA_LEVEL3_KEY_SIZE) || + (der->length == ML_DSA_LEVEL3_PRV_KEY_SIZE)))) { + ret = wc_dilithium_set_level(key, WC_ML_DSA_65); + } + else if ((*keyFormat == ML_DSA_LEVEL5k) || ((*keyFormat == 0) && + ((der->length == ML_DSA_LEVEL5_KEY_SIZE) || + (der->length == ML_DSA_LEVEL5_PRV_KEY_SIZE)))) { + ret = wc_dilithium_set_level(key, WC_ML_DSA_87); + } + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + else if ((*keyFormat == DILITHIUM_LEVEL2k) || ((*keyFormat == 0) && ((der->length == DILITHIUM_LEVEL2_KEY_SIZE) || (der->length == DILITHIUM_LEVEL2_PRV_KEY_SIZE)))) { - ret = wc_dilithium_set_level(key, 2); + ret = wc_dilithium_set_level(key, WC_ML_DSA_44_DRAFT); } else if ((*keyFormat == DILITHIUM_LEVEL3k) || ((*keyFormat == 0) && ((der->length == DILITHIUM_LEVEL3_KEY_SIZE) || (der->length == DILITHIUM_LEVEL3_PRV_KEY_SIZE)))) { - ret = wc_dilithium_set_level(key, 3); + ret = wc_dilithium_set_level(key, WC_ML_DSA_65_DRAFT); } else if ((*keyFormat == DILITHIUM_LEVEL5k) || ((*keyFormat == 0) && ((der->length == DILITHIUM_LEVEL5_KEY_SIZE) || (der->length == DILITHIUM_LEVEL5_PRV_KEY_SIZE)))) { - ret = wc_dilithium_set_level(key, 5); + ret = wc_dilithium_set_level(key, WC_ML_DSA_87_DRAFT); } + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ else { wc_dilithium_free(key); ret = ALGO_ID_E; @@ -993,7 +1010,20 @@ static int ProcessBufferTryDecodeDilithium(WOLFSSL_CTX* ctx, WOLFSSL* ssl, ctx->minDilithiumKeySz; /* Format is known. */ - if (*keyFormat == DILITHIUM_LEVEL2k) { + if (*keyFormat == ML_DSA_LEVEL2k) { + *keyType = dilithium_level2_sa_algo; + *keySize = ML_DSA_LEVEL2_KEY_SIZE; + } + else if (*keyFormat == ML_DSA_LEVEL3k) { + *keyType = dilithium_level3_sa_algo; + *keySize = ML_DSA_LEVEL3_KEY_SIZE; + } + else if (*keyFormat == ML_DSA_LEVEL5k) { + *keyType = dilithium_level5_sa_algo; + *keySize = ML_DSA_LEVEL5_KEY_SIZE; + } + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + else if (*keyFormat == DILITHIUM_LEVEL2k) { *keyType = dilithium_level2_sa_algo; *keySize = DILITHIUM_LEVEL2_KEY_SIZE; } @@ -1005,6 +1035,7 @@ static int ProcessBufferTryDecodeDilithium(WOLFSSL_CTX* ctx, WOLFSSL* ssl, *keyType = dilithium_level5_sa_algo; *keySize = DILITHIUM_LEVEL5_KEY_SIZE; } + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ /* Check that the size of the Dilithium key is enough. */ if (*keySize < minKeySz) { @@ -1147,9 +1178,17 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, !defined(WOLFSSL_DILITHIUM_NO_ASN1) /* Try Falcon if key format is Dilithium level 2k, 3k or 5k or yet unknown. */ - if ((ret == 0) && ((*keyFormat == 0) || (*keyFormat == DILITHIUM_LEVEL2k) || - (*keyFormat == DILITHIUM_LEVEL3k) || - (*keyFormat == DILITHIUM_LEVEL5k))) { + if ((ret == 0) && + ((*keyFormat == 0) || + (*keyFormat == ML_DSA_LEVEL2k) || + (*keyFormat == ML_DSA_LEVEL3k) || + (*keyFormat == ML_DSA_LEVEL5k) + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + || (*keyFormat == DILITHIUM_LEVEL2k) || + || (*keyFormat == DILITHIUM_LEVEL3k) || + || (*keyFormat == DILITHIUM_LEVEL5k) + #endif + )) { ret = ProcessBufferTryDecodeDilithium(ctx, ssl, der, keyFormat, heap, keyType, keySz); } @@ -1461,9 +1500,14 @@ static void wolfssl_set_have_from_key_oid(WOLFSSL_CTX* ctx, WOLFSSL* ssl, break; #endif /* HAVE_FALCON */ #ifdef HAVE_DILITHIUM + case ML_DSA_LEVEL2k: + case ML_DSA_LEVEL3k: + case ML_DSA_LEVEL5k: + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT case DILITHIUM_LEVEL2k: case DILITHIUM_LEVEL3k: case DILITHIUM_LEVEL5k: + #endif if (ssl != NULL) { ssl->options.haveDilithiumSig = 1; } @@ -1532,14 +1576,14 @@ static void ProcessBufferCertSetHave(WOLFSSL_CTX* ctx, WOLFSSL* ssl, break; #endif #ifdef HAVE_DILITHIUM + case CTC_ML_DSA_LEVEL2: + case CTC_ML_DSA_LEVEL3: + case CTC_ML_DSA_LEVEL5: #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT case CTC_DILITHIUM_LEVEL2: case CTC_DILITHIUM_LEVEL3: case CTC_DILITHIUM_LEVEL5: - #endif - case CTC_ML_DSA_LEVEL2: - case CTC_ML_DSA_LEVEL3: - case CTC_ML_DSA_LEVEL5: + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ WOLFSSL_MSG("Dilithium cert signature"); if (ssl) { ssl->options.haveDilithiumSig = 1; diff --git a/src/tls13.c b/src/tls13.c index ec9bc83e31..ec8b1a4e05 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -10149,13 +10149,13 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input, #endif #ifdef HAVE_DILITHIUM case dilithium_level2_sa_algo: - ret = decodeDilithiumKey(ssl, 2); + ret = decodeDilithiumKey(ssl, WC_ML_DSA_44); break; case dilithium_level3_sa_algo: - ret = decodeDilithiumKey(ssl, 3); + ret = decodeDilithiumKey(ssl, WC_ML_DSA_65); break; case dilithium_level5_sa_algo: - ret = decodeDilithiumKey(ssl, 5); + ret = decodeDilithiumKey(ssl, WC_ML_DSA_87); break; #endif #ifdef HAVE_FALCON diff --git a/src/x509.c b/src/x509.c index ddc973b72e..1e2d646a0b 100644 --- a/src/x509.c +++ b/src/x509.c @@ -11051,9 +11051,15 @@ static int CertFromX509(Cert* cert, WOLFSSL_X509* x509) } #endif #if defined(HAVE_DILITHIUM) - if ((x509->pubKeyOID == DILITHIUM_LEVEL2k) || - (x509->pubKeyOID == DILITHIUM_LEVEL3k) || - (x509->pubKeyOID == DILITHIUM_LEVEL5k)) { + if ((x509->pubKeyOID == ML_DSA_LEVEL2k) || + (x509->pubKeyOID == ML_DSA_LEVEL3k) || + (x509->pubKeyOID == ML_DSA_LEVEL5k) + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + || (x509->pubKeyOID == DILITHIUM_LEVEL2k) + || (x509->pubKeyOID == DILITHIUM_LEVEL3k) + || (x509->pubKeyOID == DILITHIUM_LEVEL5k) + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ + ) { dilithium = (dilithium_key*)XMALLOC(sizeof(dilithium_key), NULL, DYNAMIC_TYPE_DILITHIUM); if (dilithium == NULL) { @@ -11069,18 +11075,32 @@ static int CertFromX509(Cert* cert, WOLFSSL_X509* x509) return ret; } - if (x509->pubKeyOID == DILITHIUM_LEVEL2k) { + if (x509->pubKeyOID == ML_DSA_LEVEL2k) { + type = ML_DSA_LEVEL2_TYPE; + wc_dilithium_set_level(dilithium, WC_ML_DSA_44); + } + else if (x509->pubKeyOID == ML_DSA_LEVEL3k) { + type = ML_DSA_LEVEL3_TYPE; + wc_dilithium_set_level(dilithium, WC_ML_DSA_65); + } + else if (x509->pubKeyOID == ML_DSA_LEVEL5k) { + type = ML_DSA_LEVEL5_TYPE; + wc_dilithium_set_level(dilithium, WC_ML_DSA_87); + } + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + else if (x509->pubKeyOID == DILITHIUM_LEVEL2k) { type = DILITHIUM_LEVEL2_TYPE; - wc_dilithium_set_level(dilithium, 2); + wc_dilithium_set_level(dilithium, WC_ML_DSA_44_DRAFT); } else if (x509->pubKeyOID == DILITHIUM_LEVEL3k) { type = DILITHIUM_LEVEL3_TYPE; - wc_dilithium_set_level(dilithium, 3); + wc_dilithium_set_level(dilithium, WC_ML_DSA_65_DRAFT); } else if (x509->pubKeyOID == DILITHIUM_LEVEL5k) { type = DILITHIUM_LEVEL5_TYPE; - wc_dilithium_set_level(dilithium, 5); + wc_dilithium_set_level(dilithium, WC_ML_DSA_87_DRAFT); } + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ ret = wc_Dilithium_PublicKeyDecode(x509->pubKey.buffer, &idx, dilithium, x509->pubKey.length); @@ -11261,9 +11281,15 @@ static int CertFromX509(Cert* cert, WOLFSSL_X509* x509) } #endif #if defined(HAVE_DILITHIUM) - if ((x509->pubKeyOID == DILITHIUM_LEVEL2k) || - (x509->pubKeyOID == DILITHIUM_LEVEL3k) || - (x509->pubKeyOID == DILITHIUM_LEVEL5k)) { + if ((x509->pubKeyOID == ML_DSA_LEVEL2k) || + (x509->pubKeyOID == ML_DSA_LEVEL3k) || + (x509->pubKeyOID == ML_DSA_LEVEL5k) + #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + || (x509->pubKeyOID == DILITHIUM_LEVEL2k) + || (x509->pubKeyOID == DILITHIUM_LEVEL3k) + || (x509->pubKeyOID == DILITHIUM_LEVEL5k) + #endif + ) { wc_dilithium_free(dilithium); XFREE(dilithium, NULL, DYNAMIC_TYPE_DILITHIUM); } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 917859e055..39e06368dd 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -17833,7 +17833,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx, case DILITHIUM_LEVEL2k: case DILITHIUM_LEVEL3k: case DILITHIUM_LEVEL5k: - #endif + #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ case ML_DSA_LEVEL2k: case ML_DSA_LEVEL3k: case ML_DSA_LEVEL5k: