From 7d42ddae486e5982f139c1a798480f8a12ed9c0f Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Mon, 4 Nov 2024 16:31:18 +1000 Subject: [PATCH] Kyber/ML-KEM: make both available Make Kyber and ML-KEM individually available as well as at the same time. Modified TLS layer to support both Kyber and ML-KEM. Added new identifiers in TLS layer for ML-KEM. --- IDE/STM32Cube/wolfssl_example.c | 5 + configure.ac | 36 ++- examples/benchmark/tls_bench.c | 10 + examples/client/client.c | 70 +++++- examples/server/server.c | 70 +++++- src/ssl.c | 66 ++++- src/tls.c | 142 +++++++++++ tests/api.c | 220 +++++++++------- tests/suites.c | 23 ++ tests/test-dtls13-pq-2.conf | 14 ++ tests/test-dtls13-pq.conf | 18 +- tests/test-tls13-pq-2.conf | 30 +++ tests/test-tls13-pq.conf | 30 +++ wolfcrypt/src/ext_kyber.c | 59 ++++- wolfcrypt/src/wc_kyber.c | 431 ++++++++++++++++++++++++++++---- wolfcrypt/src/wc_kyber_poly.c | 71 +++--- wolfcrypt/test/test.c | 277 ++++++++++++++++---- wolfssl/ssl.h | 27 +- wolfssl/wolfcrypt/kyber.h | 49 +++- 19 files changed, 1395 insertions(+), 253 deletions(-) diff --git a/IDE/STM32Cube/wolfssl_example.c b/IDE/STM32Cube/wolfssl_example.c index 342e8ee9d0..be6195a60a 100644 --- a/IDE/STM32Cube/wolfssl_example.c +++ b/IDE/STM32Cube/wolfssl_example.c @@ -1751,6 +1751,11 @@ static int tls13_uart_client(void) wolfSSL_SetIOReadCtx(ssl, tbuf); #ifdef WOLFSSL_HAVE_KYBER +#ifndef WOLFSSL_NO_ML_KEM + if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ML_KEM_512) != WOLFSSL_SUCCESS) { + printf("wolfSSL_UseKeyShare Error!!"); + } +#else if (wolfSSL_UseKeyShare(ssl, WOLFSSL_KYBER_LEVEL1) != WOLFSSL_SUCCESS) { printf("wolfSSL_UseKeyShare Error!!"); } diff --git a/configure.ac b/configure.ac index 67298c4cd1..94a1d33e02 100644 --- a/configure.ac +++ b/configure.ac @@ -1276,6 +1276,7 @@ AC_ARG_ENABLE([kyber], ) ENABLED_WC_KYBER=no +ENABLED_ML_KEM=yes for v in `echo $ENABLED_KYBER | tr "," " "` do case $v in @@ -1301,6 +1302,10 @@ do original) ENABLED_ORIGINAL=yes ;; + original-only) + ENABLED_ORIGINAL=yes + ENABLED_ML_KEM=no + ;; *) AC_MSG_ERROR([Invalid choice for KYBER []: $ENABLED_KYBER.]) break;; @@ -1317,17 +1322,30 @@ then AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_WC_KYBER" fi - if test "$ENABLED_KYBER512" = ""; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER512" - fi - if test "$ENABLED_KYBER768" = ""; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER768" - fi - if test "$ENABLED_KYBER1024" = ""; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER1024" - fi if test "$ENABLED_ORIGINAL" = "yes"; then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KYBER_ORIGINAL" + if test "$ENABLED_KYBER512" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER512" + fi + if test "$ENABLED_KYBER768" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER768" + fi + if test "$ENABLED_KYBER1024" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER1024" + fi + fi + if test "$ENABLED_ML_KEM" = "yes"; then + if test "$ENABLED_KYBER512" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_512" + fi + if test "$ENABLED_KYBER768" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_768" + fi + if test "$ENABLED_KYBER1024" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_1024" + fi + else + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM" fi if test "$ENABLED_WC_KYBER" = "yes" diff --git a/examples/benchmark/tls_bench.c b/examples/benchmark/tls_bench.c index 609481a3e0..321ab5c066 100644 --- a/examples/benchmark/tls_bench.c +++ b/examples/benchmark/tls_bench.c @@ -288,12 +288,22 @@ static struct group_info groups[] = { { WOLFSSL_FFDHE_6144, "FFDHE_6144" }, { WOLFSSL_FFDHE_8192, "FFDHE_8192" }, #ifdef HAVE_PQC +#ifndef WOLFSSL_NO_ML_KEM + { WOLFSSL_ML_KEM_512, "ML_KEM_512" }, + { WOLFSSL_ML_KEM_768, "ML_KEM_768" }, + { WOLFSSL_ML_KEM_1024, "ML_KEM_1024" }, + { WOLFSSL_P256_ML_KEM_512, "P256_ML_KEM_512" }, + { WOLFSSL_P384_ML_KEM_768, "P384_ML_KEM_768" }, + { WOLFSSL_P521_ML_KEM_1024, "P521_ML_KEM_1024" }, +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL { WOLFSSL_KYBER_LEVEL1, "KYBER_LEVEL1" }, { WOLFSSL_KYBER_LEVEL3, "KYBER_LEVEL3" }, { WOLFSSL_KYBER_LEVEL5, "KYBER_LEVEL5" }, { WOLFSSL_P256_KYBER_LEVEL1, "P256_KYBER_LEVEL1" }, { WOLFSSL_P384_KYBER_LEVEL3, "P384_KYBER_LEVEL3" }, { WOLFSSL_P521_KYBER_LEVEL5, "P521_KYBER_LEVEL5" }, +#endif #endif { 0, NULL } }; diff --git a/examples/client/client.c b/examples/client/client.c index f50f67fbb4..44306454b1 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -398,6 +398,45 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519, if (usePqc) { int group = 0; + #ifndef WOLFSSL_NO_ML_KEM + #ifndef WOLFSSL_NO_ML_KEM_512 + if (XSTRCMP(pqcAlg, "ML_KEM_512") == 0) { + group = WOLFSSL_ML_KEM_512; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + if (XSTRCMP(pqcAlg, "ML_KEM_768") == 0) { + group = WOLFSSL_ML_KEM_768; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + if (XSTRCMP(pqcAlg, "ML_KEM_1024") == 0) { + group = WOLFSSL_ML_KEM_1024; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_512 + if (XSTRCMP(pqcAlg, "P256_ML_KEM_512") == 0) { + group = WOLFSSL_P256_ML_KEM_512; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + if (XSTRCMP(pqcAlg, "P384_ML_KEM_768") == 0) { + group = WOLFSSL_P384_ML_KEM_768; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + if (XSTRCMP(pqcAlg, "P521_ML_KEM_1024") == 0) { + group = WOLFSSL_P521_ML_KEM_1024; + } + else + #endif + #endif /* WOLFSSL_NO_ML_KEM */ + #ifdef WOLFSSL_KYBER_ORIGINAL #ifndef WOLFSSL_NO_KYBER512 if (XSTRCMP(pqcAlg, "KYBER_LEVEL1") == 0) { group = WOLFSSL_KYBER_LEVEL1; @@ -434,6 +473,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519, } else #endif + #endif /* WOLFSSL_KYBER_ORIGINAL */ { err_sys("invalid post-quantum KEM specified"); } @@ -1330,8 +1370,19 @@ static const char* client_usage_msg[][77] = { " SSLv3(0) - TLS1.3(4)\n", /* 68 */ #endif #ifdef HAVE_PQC - "--pqc Key Share with specified post-quantum algorithm only [KYBER_LEVEL1, KYBER_LEVEL3,\n" - " KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5]\n", /* 69 */ + "--pqc Key Share with specified post-quantum algorithm only:\n" +#ifndef WOLFSSL_NO_ML_KEM + " ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512," + "\n" + " P384_ML_KEM_768, P521_ML_KEM_1024\n" +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL + " KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, " + "P256_KYBER_LEVEL1,\n" + " P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n" +#endif + "", + /* 69 */ #endif #ifdef WOLFSSL_SRTP "--srtp (default is SRTP_AES128_CM_SHA1_80)\n", /* 70 */ @@ -1564,8 +1615,19 @@ static const char* client_usage_msg[][77] = { " SSLv3(0) - TLS1.3(4)\n", /* 68 */ #endif #ifdef HAVE_PQC - "--pqc post-quantum 名前付きグループとの鍵共有のみ [KYBER_LEVEL1, KYBER_LEVEL3,\n" - " KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5]\n", /* 69 */ + "--pqc post-quantum 名前付きグループとの鍵共有のみ:\n" +#ifndef WOLFSSL_NO_ML_KEM + " ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512," + "\n" + " P384_ML_KEM_768, P521_ML_KEM_1024\n" +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL + " KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, " + "P256_KYBER_LEVEL1,\n" + " P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n" +#endif + "", + /* 69 */ #endif #ifdef WOLFSSL_SRTP "--srtp (デフォルトは SRTP_AES128_CM_SHA1_80)\n", /* 70 */ diff --git a/examples/server/server.c b/examples/server/server.c index bc3e1509f7..1592a1d1eb 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -712,6 +712,45 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519, else if (usePqc == 1) { #ifdef HAVE_PQC groups[count] = 0; + #ifndef WOLFSSL_NO_ML_KEM + #ifndef WOLFSSL_NO_ML_KEM_512 + if (XSTRCMP(pqcAlg, "ML_KEM_512") == 0) { + groups[count] = WOLFSSL_ML_KEM_512; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + if (XSTRCMP(pqcAlg, "ML_KEM_768") == 0) { + groups[count] = WOLFSSL_ML_KEM_768; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + if (XSTRCMP(pqcAlg, "ML_KEM_1024") == 0) { + groups[count] = WOLFSSL_ML_KEM_1024; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_512 + if (XSTRCMP(pqcAlg, "P256_ML_KEM_512") == 0) { + groups[count] = WOLFSSL_P256_ML_KEM_512; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + if (XSTRCMP(pqcAlg, "P384_ML_KEM_768") == 0) { + groups[count] = WOLFSSL_P384_ML_KEM_768; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + if (XSTRCMP(pqcAlg, "P521_ML_KEM_1024") == 0) { + groups[count] = WOLFSSL_P521_ML_KEM_1024; + } + else + #endif + #endif /* WOLFSSL_NO_ML_KEM */ + #ifdef WOLFSSL_KYBER_ORIGINAL #ifndef WOLFSSL_NO_KYBER512 if (XSTRCMP(pqcAlg, "KYBER_LEVEL1") == 0) { groups[count] = WOLFSSL_KYBER_LEVEL1; @@ -748,6 +787,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519, } else #endif + #endif { err_sys("invalid post-quantum KEM specified"); } @@ -980,8 +1020,19 @@ static const char* server_usage_msg[][65] = { " SSLv3(0) - TLS1.3(4)\n", /* 59 */ #endif #ifdef HAVE_PQC - "--pqc Key Share with specified post-quantum algorithm only [KYBER_LEVEL1, KYBER_LEVEL3,\n" - " KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5] \n", /* 60 */ + "--pqc Key Share with specified post-quantum algorithm only:\n" +#ifndef WOLFSSL_NO_ML_KEM + " ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512," + "\n" + " P384_ML_KEM_768, P521_ML_KEM_1024\n" +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL + " KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, " + "P256_KYBER_LEVEL1,\n" + " P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n" +#endif + "", + /* 60 */ #endif #ifdef WOLFSSL_SRTP "--srtp (default is SRTP_AES128_CM_SHA1_80)\n", /* 61 */ @@ -1172,8 +1223,19 @@ static const char* server_usage_msg[][65] = { " SSLv3(0) - TLS1.3(4)\n", /* 59 */ #endif #ifdef HAVE_PQC - "--pqc post-quantum 名前付きグループとの鍵共有のみ [KYBER_LEVEL1, KYBER_LEVEL3,\n" - " KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5]\n", /* 60 */ + "--pqc post-quantum 名前付きグループとの鍵共有のみ:\n" +#ifndef WOLFSSL_NO_ML_KEM + " ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512," + "\n" + " P384_ML_KEM_768, P521_ML_KEM_1024\n" +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL + " KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, " + "P256_KYBER_LEVEL1,\n" + " P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n" +#endif + "", + /* 60 */ #endif #ifdef WOLFSSL_SRTP "--srtp (デフォルトはSRTP_AES128_CM_SHA1_80)\n", /* 61 */ diff --git a/src/ssl.c b/src/ssl.c index 4c3e361a79..5cacf44466 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3297,6 +3297,17 @@ static int isValidCurveGroup(word16 name) case WOLFSSL_FFDHE_8192: #ifdef WOLFSSL_HAVE_KYBER +#ifndef WOLFSSL_NO_ML_KEM + case WOLFSSL_ML_KEM_512: + case WOLFSSL_ML_KEM_768: + case WOLFSSL_ML_KEM_1024: + #if defined(WOLFSSL_WC_KYBER) || defined(HAVE_LIBOQS) + case WOLFSSL_P256_ML_KEM_512: + case WOLFSSL_P384_ML_KEM_768: + case WOLFSSL_P521_ML_KEM_1024: + #endif +#endif /* !WOLFSSL_NO_ML_KEM */ +#ifdef WOLFSSL_KYBER_ORIGINAL case WOLFSSL_KYBER_LEVEL1: case WOLFSSL_KYBER_LEVEL3: case WOLFSSL_KYBER_LEVEL5: @@ -3305,6 +3316,7 @@ static int isValidCurveGroup(word16 name) case WOLFSSL_P384_KYBER_LEVEL3: case WOLFSSL_P521_KYBER_LEVEL5: #endif +#endif /* WOLFSSL_KYBER_ORIGINAL */ #endif return 1; @@ -14541,6 +14553,42 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl) * check to override this result in the case of a hybrid. */ if (IsAtLeastTLSv1_3(ssl->version)) { switch (ssl->namedGroup) { +#ifndef WOLFSSL_NO_ML_KEM +#ifdef HAVE_LIBOQS + case WOLFSSL_ML_KEM_512: + return "ML_KEM_512"; + case WOLFSSL_ML_KEM_768: + return "ML_KEM_768"; + case WOLFSSL_ML_KEM_1024: + return "ML_KEM_1024"; + case WOLFSSL_P256_ML_KEM_512: + return "P256_ML_KEM_512"; + case WOLFSSL_P384_ML_KEM_768: + return "P384_ML_KEM_768"; + case WOLFSSL_P521_ML_KEM_1024: + return "P521_ML_KEM_1024"; +#elif defined(WOLFSSL_WC_KYBER) + #ifdef WOLFSSL_WC_ML_KEM_512 + case WOLFSSL_ML_KEM_512: + return "ML_KEM_512"; + case WOLFSSL_P256_ML_KEM_512: + return "P256_ML_KEM_512"; + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WOLFSSL_ML_KEM_768: + return "ML_KEM_768"; + case WOLFSSL_P384_ML_KEM_768: + return "P384_ML_KEM_768"; + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WOLFSSL_ML_KEM_1024: + return "ML_KEM_1024"; + case WOLFSSL_P521_ML_KEM_1024: + return "P521_ML_KEM_1024"; + #endif +#endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef HAVE_LIBOQS case WOLFSSL_KYBER_LEVEL1: return "KYBER_LEVEL1"; @@ -14573,6 +14621,7 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl) case WOLFSSL_P521_KYBER_LEVEL5: return "P521_KYBER_LEVEL5"; #endif +#endif #endif } } @@ -21899,6 +21948,20 @@ const WOLF_EC_NIST_NAME kNistCurves[] = { {CURVE_NAME("X448"), NID_X448, WOLFSSL_ECC_X448}, #endif #ifdef WOLFSSL_HAVE_KYBER +#ifndef WOLFSSL_NO_ML_KEM + {CURVE_NAME("ML_KEM_512"), WOLFSSL_ML_KEM_512, WOLFSSL_ML_KEM_512}, + {CURVE_NAME("ML_KEM_768"), WOLFSSL_ML_KEM_768, WOLFSSL_ML_KEM_768}, + {CURVE_NAME("ML_KEM_1024"), WOLFSSL_ML_KEM_1024, WOLFSSL_ML_KEM_1024}, +#if (defined(WOLFSSL_WC_KYBER) || defined(HAVE_LIBOQS)) && defined(HAVE_ECC) + {CURVE_NAME("P256_ML_KEM_512"), WOLFSSL_P256_ML_KEM_512, + WOLFSSL_P256_ML_KEM_512}, + {CURVE_NAME("P384_ML_KEM_768"), WOLFSSL_P384_ML_KEM_768, + WOLFSSL_P384_ML_KEM_768}, + {CURVE_NAME("P521_ML_KEM_1024"), WOLFSSL_P521_ML_KEM_1024, + WOLFSSL_P521_ML_KEM_1024}, +#endif +#endif /* !WOLFSSL_NO_ML_KEM */ +#ifdef WOLFSSL_KYBER_ORIGINAL {CURVE_NAME("KYBER_LEVEL1"), WOLFSSL_KYBER_LEVEL1, WOLFSSL_KYBER_LEVEL1}, {CURVE_NAME("KYBER_LEVEL3"), WOLFSSL_KYBER_LEVEL3, WOLFSSL_KYBER_LEVEL3}, {CURVE_NAME("KYBER_LEVEL5"), WOLFSSL_KYBER_LEVEL5, WOLFSSL_KYBER_LEVEL5}, @@ -21907,7 +21970,8 @@ const WOLF_EC_NIST_NAME kNistCurves[] = { {CURVE_NAME("P384_KYBER_LEVEL3"), WOLFSSL_P384_KYBER_LEVEL3, WOLFSSL_P384_KYBER_LEVEL3}, {CURVE_NAME("P521_KYBER_LEVEL5"), WOLFSSL_P521_KYBER_LEVEL5, WOLFSSL_P521_KYBER_LEVEL5}, #endif -#endif +#endif /* WOLFSSL_KYBER_ORIGINAL */ +#endif /* WOLFSSL_HAVE_KYBER */ #ifdef WOLFSSL_SM2 {CURVE_NAME("SM2"), NID_sm2, WOLFSSL_ECC_SM2P256V1}, #endif diff --git a/src/tls.c b/src/tls.c index a42db1d516..756c02edd1 100644 --- a/src/tls.c +++ b/src/tls.c @@ -7982,6 +7982,24 @@ static int kyber_id2type(int id, int *type) int ret = 0; switch (id) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + case WOLFSSL_ML_KEM_512: + *type = WC_ML_KEM_512; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WOLFSSL_ML_KEM_768: + *type = WC_ML_KEM_768; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WOLFSSL_ML_KEM_1024: + *type = WC_ML_KEM_1024; + break; + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case WOLFSSL_KYBER_LEVEL1: *type = KYBER512; @@ -7997,6 +8015,7 @@ static int kyber_id2type(int id, int *type) *type = KYBER1024; break; #endif +#endif default: ret = NOT_COMPILED_IN; break; @@ -8012,12 +8031,22 @@ typedef struct PqcHybridMapping { } PqcHybridMapping; static const PqcHybridMapping pqc_hybrid_mapping[] = { +#ifndef WOLFSSL_NO_ML_KEM + {.hybrid = WOLFSSL_P256_ML_KEM_512, .ecc = WOLFSSL_ECC_SECP256R1, + .pqc = WOLFSSL_ML_KEM_512}, + {.hybrid = WOLFSSL_P384_ML_KEM_768, .ecc = WOLFSSL_ECC_SECP384R1, + .pqc = WOLFSSL_ML_KEM_768}, + {.hybrid = WOLFSSL_P521_ML_KEM_1024, .ecc = WOLFSSL_ECC_SECP521R1, + .pqc = WOLFSSL_ML_KEM_1024}, +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL {.hybrid = WOLFSSL_P256_KYBER_LEVEL1, .ecc = WOLFSSL_ECC_SECP256R1, .pqc = WOLFSSL_KYBER_LEVEL1}, {.hybrid = WOLFSSL_P384_KYBER_LEVEL3, .ecc = WOLFSSL_ECC_SECP384R1, .pqc = WOLFSSL_KYBER_LEVEL3}, {.hybrid = WOLFSSL_P521_KYBER_LEVEL5, .ecc = WOLFSSL_ECC_SECP521R1, .pqc = WOLFSSL_KYBER_LEVEL5}, +#endif {.hybrid = 0, .ecc = 0, .pqc = 0} }; @@ -9662,6 +9691,45 @@ static int TLSX_KeyShare_IsSupported(int namedGroup) #endif #endif #ifdef WOLFSSL_HAVE_KYBER +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_KYBER + #ifdef WOLFSSL_WC_ML_KEM_512 + case WOLFSSL_ML_KEM_512: + case WOLFSSL_P256_ML_KEM_512: + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WOLFSSL_ML_KEM_768: + case WOLFSSL_P384_ML_KEM_768: + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WOLFSSL_ML_KEM_1024: + case WOLFSSL_P521_ML_KEM_1024: + #endif + break; + #elif defined(HAVE_LIBOQS) + case WOLFSSL_ML_KEM_512: + case WOLFSSL_ML_KEM_768: + case WOLFSSL_ML_KEM_1024: + case WOLFSSL_P256_ML_KEM_512: + case WOLFSSL_P384_ML_KEM_768: + case WOLFSSL_P521_ML_KEM_1024: + { + int ret; + int id; + findEccPqc(NULL, &namedGroup, namedGroup); + ret = kyber_id2type(namedGroup, &id); + if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN)) { + return 0; + } + + if (! ext_kyber_enabled(id)) { + return 0; + } + break; + } + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_WC_KYBER #ifdef WOLFSSL_KYBER512 case WOLFSSL_KYBER_LEVEL1: @@ -9699,6 +9767,7 @@ static int TLSX_KeyShare_IsSupported(int namedGroup) } #endif #endif +#endif /* WOLFSSL_HAVE_KYBER */ default: return 0; } @@ -9744,6 +9813,31 @@ static const word16 preferredGroup[] = { #if defined(HAVE_FFDHE_8192) WOLFSSL_FFDHE_8192, #endif +#ifndef WOLFSSL_NO_ML_KEM +#ifdef WOLFSSL_WC_KYBER + #ifdef WOLFSSL_WC_ML_KEM_512 + WOLFSSL_ML_KEM_512, + WOLFSSL_P256_ML_KEM_512, + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + WOLFSSL_ML_KEM_768, + WOLFSSL_P384_ML_KEM_768, + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + WOLFSSL_ML_KEM_1024, + WOLFSSL_P521_ML_KEM_1024, + #endif +#elif defined(HAVE_LIBOQS) + /* These require a runtime call to TLSX_KeyShare_IsSupported to use */ + WOLFSSL_ML_KEM_512, + WOLFSSL_ML_KEM_768, + WOLFSSL_ML_KEM_1024, + WOLFSSL_P256_ML_KEM_512, + WOLFSSL_P384_ML_KEM_768, + WOLFSSL_P521_ML_KEM_1024, +#endif +#endif /* !WOLFSSL_NO_ML_KEM */ +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_WC_KYBER #ifdef WOLFSSL_KYBER512 WOLFSSL_KYBER_LEVEL1, @@ -9766,6 +9860,7 @@ static const word16 preferredGroup[] = { WOLFSSL_P384_KYBER_LEVEL3, WOLFSSL_P521_KYBER_LEVEL5, #endif +#endif /* WOLFSSL_KYBER_ORIGINAL */ WOLFSSL_NAMED_GROUP_INVALID }; @@ -13386,6 +13481,52 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions) #endif #ifdef WOLFSSL_HAVE_KYBER +#ifndef WOLFSSL_NO_ML_KEM +#ifdef WOLFSSL_WC_KYBER +#ifdef WOLFSSL_WC_ML_KEM_512 + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_512, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_ML_KEM_512, + ssl->heap); +#endif +#ifdef WOLFSSL_WC_ML_KEM_768 + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_768, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_ML_KEM_768, + ssl->heap); +#endif +#ifdef WOLFSSL_WC_ML_KEM_1024 + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_1024, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_ML_KEM_1024, + ssl->heap); +#endif +#elif defined(HAVE_LIBOQS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_512, ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_768, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_1024, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_ML_KEM_512, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_ML_KEM_768, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_ML_KEM_1024, + ssl->heap); +#endif /* HAVE_LIBOQS */ +#endif /* !WOLFSSL_NO_ML_KEM */ +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_WC_KYBER #ifdef WOLFSSL_KYBER512 if (ret == WOLFSSL_SUCCESS) @@ -13429,6 +13570,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions) ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_KYBER_LEVEL5, ssl->heap); #endif /* HAVE_LIBOQS */ +#endif /* WOLFSSL_KYBER_ORIGINAL */ #endif /* WOLFSSL_HAVE_KYBER */ (void)ssl; diff --git a/tests/api.c b/tests/api.c index b18aaeb849..bbf8005960 100644 --- a/tests/api.c +++ b/tests/api.c @@ -28113,10 +28113,10 @@ static int test_wc_kyber_make_key_kats(void) { EXPECT_DECLS; #if defined(WOLFSSL_HAVE_KYBER) && defined(WOLFSSL_WC_KYBER) && \ - !defined(WOLFSSL_KYBER_ORIGINAL) + !defined(WOLFSSL_NO_ML_KEM) KyberKey* key; -#ifndef WOLFSSL_NO_KYBER512 - static const byte seed_512[KYBER_MAKEKEY_RAND_SZ] = { +#ifndef WOLFSSL_NO_ML_KEM_512 + static const byte seed_512[WC_ML_KEM_MAKEKEY_RAND_SZ] = { /* d */ 0x2C, 0xB8, 0x43, 0xA0, 0x2E, 0xF0, 0x2E, 0xE1, 0x09, 0x30, 0x5F, 0x39, 0x11, 0x9F, 0xAB, 0xF4, @@ -28128,7 +28128,7 @@ static int test_wc_kyber_make_key_kats(void) 0x3B, 0xB8, 0x08, 0x43, 0x64, 0x52, 0x06, 0xBD, 0xD9, 0xF2, 0xF6, 0x29, 0xE3, 0xCC, 0x49, 0xB7 }; - static const byte ek_512[KYBER512_PUBLIC_KEY_SIZE] = { + static const byte ek_512[WC_ML_KEM_512_PUBLIC_KEY_SIZE] = { 0xA3, 0x24, 0x39, 0xF8, 0x5A, 0x3C, 0x21, 0xD2, 0x1A, 0x71, 0xB9, 0xB9, 0x2A, 0x9B, 0x64, 0xEA, 0x0A, 0xB8, 0x43, 0x12, 0xC7, 0x70, 0x23, 0x69, @@ -28230,7 +28230,7 @@ static int test_wc_kyber_make_key_kats(void) 0x97, 0x37, 0x33, 0xC3, 0x98, 0xEA, 0xF0, 0x0E, 0x17, 0x02, 0xC6, 0x73, 0x4A, 0xD8, 0xEB, 0x3B }; - static const byte dk_512[KYBER512_PRIVATE_KEY_SIZE] = { + static const byte dk_512[WC_ML_KEM_512_PRIVATE_KEY_SIZE] = { 0x7F, 0xE4, 0x20, 0x6F, 0x26, 0xBE, 0xDB, 0x64, 0xC1, 0xED, 0x00, 0x09, 0x61, 0x52, 0x45, 0xDC, 0x98, 0x48, 0x3F, 0x66, 0x3A, 0xCC, 0x61, 0x7E, @@ -28437,8 +28437,8 @@ static int test_wc_kyber_make_key_kats(void) 0xD9, 0xF2, 0xF6, 0x29, 0xE3, 0xCC, 0x49, 0xB7 }; #endif -#ifndef WOLFSSL_NO_KYBER768 - static const byte seed_768[KYBER_MAKEKEY_RAND_SZ] = { +#ifndef WOLFSSL_NO_ML_KEM_768 + static const byte seed_768[WC_ML_KEM_MAKEKEY_RAND_SZ] = { /* d */ 0xE3, 0x4A, 0x70, 0x1C, 0x4C, 0x87, 0x58, 0x2F, 0x42, 0x26, 0x4E, 0xE4, 0x22, 0xD3, 0xC6, 0x84, @@ -28450,7 +28450,7 @@ static int test_wc_kyber_make_key_kats(void) 0x64, 0x8E, 0xAE, 0x4E, 0x54, 0x48, 0xC3, 0x4C, 0x3E, 0xB8, 0x88, 0x20, 0xB1, 0x59, 0xEE, 0xDD }; - static const byte ek_768[KYBER768_PUBLIC_KEY_SIZE] = { + static const byte ek_768[WC_ML_KEM_768_PUBLIC_KEY_SIZE] = { 0x6D, 0x14, 0xA0, 0x71, 0xF7, 0xCC, 0x45, 0x25, 0x58, 0xD5, 0xE7, 0x1A, 0x7B, 0x08, 0x70, 0x62, 0xEC, 0xB1, 0x38, 0x68, 0x44, 0x58, 0x82, 0x46, @@ -28600,7 +28600,7 @@ static int test_wc_kyber_make_key_kats(void) 0xA6, 0x0D, 0x04, 0xE8, 0xC1, 0x70, 0xD7, 0x41, 0xC7, 0xA2, 0xB0, 0xE1, 0xAB, 0xDA, 0xC9, 0x68 }; - static const byte dk_768[KYBER768_PRIVATE_KEY_SIZE] = { + static const byte dk_768[WC_ML_KEM_768_PRIVATE_KEY_SIZE] = { 0x98, 0xA1, 0xB2, 0xDA, 0x4A, 0x65, 0xCF, 0xB5, 0x84, 0x5E, 0xA7, 0x31, 0x1E, 0x6A, 0x06, 0xDB, 0x73, 0x1F, 0x15, 0x90, 0xC4, 0x1E, 0xE7, 0x4B, @@ -28903,8 +28903,8 @@ static int test_wc_kyber_make_key_kats(void) 0x3E, 0xB8, 0x88, 0x20, 0xB1, 0x59, 0xEE, 0xDD }; #endif -#ifndef WOLFSSL_NO_KYBER1024 - static const byte seed_1024[KYBER_MAKEKEY_RAND_SZ] = { +#ifndef WOLFSSL_NO_ML_KEM_1024 + static const byte seed_1024[WC_ML_KEM_MAKEKEY_RAND_SZ] = { /* d */ 0x49, 0xAC, 0x8B, 0x99, 0xBB, 0x1E, 0x6A, 0x8E, 0xA8, 0x18, 0x26, 0x1F, 0x8B, 0xE6, 0x8B, 0xDE, @@ -28916,7 +28916,7 @@ static int test_wc_kyber_make_key_kats(void) 0x30, 0x22, 0x1F, 0xD6, 0x7D, 0x9B, 0x7D, 0x6E, 0x15, 0x10, 0xB2, 0xDB, 0xAD, 0x87, 0x62, 0xF7 }; - static const byte ek_1024[KYBER1024_PUBLIC_KEY_SIZE] = { + static const byte ek_1024[WC_ML_KEM_1024_PUBLIC_KEY_SIZE] = { 0xA0, 0x41, 0x84, 0xD4, 0xBC, 0x7B, 0x53, 0x2A, 0x0F, 0x70, 0xA5, 0x4D, 0x77, 0x57, 0xCD, 0xE6, 0x17, 0x5A, 0x68, 0x43, 0xB8, 0x61, 0xCB, 0x2B, @@ -29114,7 +29114,7 @@ static int test_wc_kyber_make_key_kats(void) 0x0A, 0x5A, 0x73, 0xC4, 0xDC, 0xFD, 0x75, 0x5E, 0x61, 0x0B, 0x4F, 0xC8, 0x1F, 0xF8, 0x4E, 0x21 }; - static const byte dk_1024[KYBER1024_PRIVATE_KEY_SIZE] = { + static const byte dk_1024[WC_ML_KEM_1024_PRIVATE_KEY_SIZE] = { 0x8C, 0x8B, 0x37, 0x22, 0xA8, 0x2E, 0x55, 0x05, 0x65, 0x52, 0x16, 0x11, 0xEB, 0xBC, 0x63, 0x07, 0x99, 0x44, 0xC9, 0xB1, 0xAB, 0xB3, 0xB0, 0x02, @@ -29513,8 +29513,8 @@ static int test_wc_kyber_make_key_kats(void) 0x15, 0x10, 0xB2, 0xDB, 0xAD, 0x87, 0x62, 0xF7 }; #endif - static byte pubKey[KYBER_MAX_PUBLIC_KEY_SIZE]; - static byte privKey[KYBER_MAX_PRIVATE_KEY_SIZE]; + static byte pubKey[WC_ML_KEM_MAX_PUBLIC_KEY_SIZE]; + static byte privKey[WC_ML_KEM_MAX_PRIVATE_KEY_SIZE]; key = (KyberKey*)XMALLOC(sizeof(KyberKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); ExpectNotNull(key); @@ -29522,40 +29522,40 @@ static int test_wc_kyber_make_key_kats(void) XMEMSET(key, 0, sizeof(KyberKey)); } -#ifndef WOLFSSL_NO_KYBER512 - ExpectIntEQ(wc_KyberKey_Init(KYBER512, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_512 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_512, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_MakeKeyWithRandom(key, seed_512, sizeof(seed_512)), 0); ExpectIntEQ(wc_KyberKey_EncodePublicKey(key, pubKey, - KYBER512_PUBLIC_KEY_SIZE), 0); + WC_ML_KEM_512_PUBLIC_KEY_SIZE), 0); ExpectIntEQ(wc_KyberKey_EncodePrivateKey(key, privKey, - KYBER512_PRIVATE_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(pubKey, ek_512, KYBER512_PUBLIC_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(privKey, dk_512, KYBER512_PRIVATE_KEY_SIZE), 0); + WC_ML_KEM_512_PRIVATE_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(pubKey, ek_512, WC_ML_KEM_512_PUBLIC_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(privKey, dk_512, WC_ML_KEM_512_PRIVATE_KEY_SIZE), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER768 - ExpectIntEQ(wc_KyberKey_Init(KYBER768, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_768 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_768, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_MakeKeyWithRandom(key, seed_768, sizeof(seed_768)), 0); ExpectIntEQ(wc_KyberKey_EncodePublicKey(key, pubKey, - KYBER768_PUBLIC_KEY_SIZE), 0); + WC_ML_KEM_768_PUBLIC_KEY_SIZE), 0); ExpectIntEQ(wc_KyberKey_EncodePrivateKey(key, privKey, - KYBER768_PRIVATE_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(pubKey, ek_768, KYBER768_PUBLIC_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(privKey, dk_768, KYBER768_PRIVATE_KEY_SIZE), 0); + WC_ML_KEM_768_PRIVATE_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(pubKey, ek_768, WC_ML_KEM_768_PUBLIC_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(privKey, dk_768, WC_ML_KEM_768_PRIVATE_KEY_SIZE), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER1024 - ExpectIntEQ(wc_KyberKey_Init(KYBER1024, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_1024 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_1024, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_MakeKeyWithRandom(key, seed_1024, sizeof(seed_1024)), 0); ExpectIntEQ(wc_KyberKey_EncodePublicKey(key, pubKey, - KYBER1024_PUBLIC_KEY_SIZE), 0); + WC_ML_KEM_1024_PUBLIC_KEY_SIZE), 0); ExpectIntEQ(wc_KyberKey_EncodePrivateKey(key, privKey, - KYBER1024_PRIVATE_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(pubKey, ek_1024, KYBER1024_PUBLIC_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(privKey, dk_1024, KYBER1024_PRIVATE_KEY_SIZE), 0); + WC_ML_KEM_1024_PRIVATE_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(pubKey, ek_1024, WC_ML_KEM_1024_PUBLIC_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(privKey, dk_1024, WC_ML_KEM_1024_PRIVATE_KEY_SIZE), 0); wc_KyberKey_Free(key); #endif @@ -29568,10 +29568,10 @@ static int test_wc_kyber_encapsulate_kats(void) { EXPECT_DECLS; #if defined(WOLFSSL_HAVE_KYBER) && defined(WOLFSSL_WC_KYBER) && \ - !defined(WOLFSSL_KYBER_ORIGINAL) + !defined(WOLFSSL_NO_ML_KEM) KyberKey* key; -#ifndef WOLFSSL_NO_KYBER512 - static const byte ek_512[KYBER512_PUBLIC_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_512 + static const byte ek_512[WC_ML_KEM_512_PUBLIC_KEY_SIZE] = { 0xDD, 0x19, 0x24, 0x93, 0x5A, 0xA8, 0xE6, 0x17, 0xAF, 0x18, 0xB5, 0xA0, 0x65, 0xAC, 0x45, 0x72, 0x77, 0x67, 0xEE, 0x89, 0x7C, 0xF4, 0xF9, 0x44, @@ -29673,13 +29673,13 @@ static int test_wc_kyber_encapsulate_kats(void) 0xA4, 0xD0, 0x31, 0xA0, 0x8A, 0xBF, 0x4F, 0x2E, 0x74, 0xF1, 0xA0, 0xBB, 0x8A, 0x0F, 0xD3, 0xCB }; - static const byte seed_512[KYBER_ENC_RAND_SZ] = { + static const byte seed_512[WC_ML_KEM_ENC_RAND_SZ] = { 0x6F, 0xF0, 0x2E, 0x1D, 0xC7, 0xFD, 0x91, 0x1B, 0xEE, 0xE0, 0xC6, 0x92, 0xC8, 0xBD, 0x10, 0x0C, 0x3E, 0x5C, 0x48, 0x96, 0x4D, 0x31, 0xDF, 0x92, 0x99, 0x42, 0x18, 0xE8, 0x06, 0x64, 0xA6, 0xCA }; - static const byte c_512[KYBER512_CIPHER_TEXT_SIZE] = { + static const byte c_512[WC_ML_KEM_512_CIPHER_TEXT_SIZE] = { 0x19, 0xC5, 0x92, 0x50, 0x59, 0x07, 0xC2, 0x4C, 0x5F, 0xA2, 0xEB, 0xFA, 0x93, 0x2D, 0x2C, 0xBB, 0x48, 0xF3, 0xE4, 0x34, 0x0A, 0x28, 0xF7, 0xEB, @@ -29777,15 +29777,15 @@ static int test_wc_kyber_encapsulate_kats(void) 0xD1, 0x8C, 0x8C, 0xD9, 0x12, 0xF9, 0xA7, 0x7F, 0x8E, 0x6B, 0xF0, 0x20, 0x53, 0x74, 0xB4, 0x62 }; - static const byte k_512[KYBER_SS_SZ] = { + static const byte k_512[WC_ML_KEM_SS_SZ] = { 0x0B, 0xF3, 0x23, 0x33, 0x8D, 0x6F, 0x0A, 0x21, 0xD5, 0x51, 0x4B, 0x67, 0x3C, 0xD1, 0x0B, 0x71, 0x4C, 0xE6, 0xE3, 0x6F, 0x35, 0xBC, 0xD1, 0xBF, 0x54, 0x41, 0x96, 0x36, 0x8E, 0xE5, 0x1A, 0x13 }; #endif -#ifndef WOLFSSL_NO_KYBER768 - static const byte ek_768[KYBER768_PUBLIC_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_768 + static const byte ek_768[WC_ML_KEM_768_PUBLIC_KEY_SIZE] = { 0x89, 0xD2, 0xCB, 0x65, 0xF9, 0x4D, 0xCB, 0xFC, 0x89, 0x0E, 0xFC, 0x7D, 0x0E, 0x5A, 0x7A, 0x38, 0x34, 0x4D, 0x16, 0x41, 0xA3, 0xD0, 0xB0, 0x24, @@ -29935,13 +29935,13 @@ static int test_wc_kyber_encapsulate_kats(void) 0xFE, 0xD3, 0xC3, 0x9C, 0x1B, 0xBD, 0xDB, 0x08, 0x37, 0xD0, 0xD4, 0x70, 0x6B, 0x09, 0x22, 0xC4 }; - static const byte seed_768[KYBER_ENC_RAND_SZ] = { + static const byte seed_768[WC_ML_KEM_ENC_RAND_SZ] = { 0x2C, 0xE7, 0x4A, 0xD2, 0x91, 0x13, 0x35, 0x18, 0xFE, 0x60, 0xC7, 0xDF, 0x5D, 0x25, 0x1B, 0x9D, 0x82, 0xAD, 0xD4, 0x84, 0x62, 0xFF, 0x50, 0x5C, 0x6E, 0x54, 0x7E, 0x94, 0x9E, 0x6B, 0x6B, 0xF7 }; - static const byte c_768[KYBER768_CIPHER_TEXT_SIZE] = { + static const byte c_768[WC_ML_KEM_768_CIPHER_TEXT_SIZE] = { 0x56, 0xB4, 0x2D, 0x59, 0x3A, 0xAB, 0x8E, 0x87, 0x73, 0xBD, 0x92, 0xD7, 0x6E, 0xAB, 0xDD, 0xF3, 0xB1, 0x54, 0x6F, 0x83, 0x26, 0xF5, 0x7A, 0x7B, @@ -30079,15 +30079,15 @@ static int test_wc_kyber_encapsulate_kats(void) 0xA2, 0x30, 0x19, 0x81, 0xA6, 0x41, 0x8F, 0x8B, 0xA7, 0xD7, 0xB0, 0xD7, 0xCA, 0x58, 0x75, 0xC6 }; - static const byte k_768[KYBER_SS_SZ] = { + static const byte k_768[WC_ML_KEM_SS_SZ] = { 0x26, 0x96, 0xD2, 0x8E, 0x9C, 0x61, 0xC2, 0xA0, 0x1C, 0xE9, 0xB1, 0x60, 0x8D, 0xCB, 0x9D, 0x29, 0x27, 0x85, 0xA0, 0xCD, 0x58, 0xEF, 0xB7, 0xFE, 0x13, 0xB1, 0xDE, 0x95, 0xF0, 0xDB, 0x55, 0xB3 }; #endif -#ifndef WOLFSSL_NO_KYBER1024 - static const byte ek_1024[KYBER1024_PUBLIC_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_1024 + static const byte ek_1024[WC_ML_KEM_1024_PUBLIC_KEY_SIZE] = { 0x30, 0x7A, 0x4C, 0xEA, 0x41, 0x48, 0x21, 0x9B, 0x95, 0x8E, 0xA0, 0xB7, 0x88, 0x66, 0x59, 0x23, 0x5A, 0x4D, 0x19, 0x80, 0xB1, 0x92, 0x61, 0x08, @@ -30285,13 +30285,13 @@ static int test_wc_kyber_encapsulate_kats(void) 0x3E, 0x30, 0x41, 0xE0, 0x5D, 0x90, 0x67, 0xAF, 0xF3, 0xB1, 0x24, 0x4F, 0x76, 0x3E, 0x79, 0x83 }; - static const byte seed_1024[KYBER_ENC_RAND_SZ] = { + static const byte seed_1024[WC_ML_KEM_ENC_RAND_SZ] = { 0x59, 0xC5, 0x15, 0x4C, 0x04, 0xAE, 0x43, 0xAA, 0xFF, 0x32, 0x70, 0x0F, 0x08, 0x17, 0x00, 0x38, 0x9D, 0x54, 0xBE, 0xC4, 0xC3, 0x7C, 0x08, 0x8B, 0x1C, 0x53, 0xF6, 0x62, 0x12, 0xB1, 0x2C, 0x72 }; - static const byte c_1024[KYBER1024_CIPHER_TEXT_SIZE] = { + static const byte c_1024[WC_ML_KEM_1024_CIPHER_TEXT_SIZE] = { 0xE2, 0xD5, 0xFD, 0x4C, 0x13, 0xCE, 0xA0, 0xB5, 0x2D, 0x87, 0x4F, 0xEA, 0x90, 0x12, 0xF3, 0xA5, 0x17, 0x43, 0xA1, 0x09, 0x37, 0x10, 0xBB, 0xF2, @@ -30489,15 +30489,15 @@ static int test_wc_kyber_encapsulate_kats(void) 0x52, 0x35, 0xD6, 0x36, 0xC6, 0x5C, 0xD1, 0x02, 0xB0, 0x1E, 0x22, 0x78, 0x1A, 0x72, 0x91, 0x8C }; - static const byte k_1024[KYBER_SS_SZ] = { + static const byte k_1024[WC_ML_KEM_SS_SZ] = { 0x72, 0x64, 0xBD, 0xE5, 0xC6, 0xCE, 0xC1, 0x48, 0x49, 0x69, 0x3E, 0x2C, 0x3C, 0x86, 0xE4, 0x8F, 0x80, 0x95, 0x8A, 0x4F, 0x61, 0x86, 0xFC, 0x69, 0x33, 0x3A, 0x41, 0x48, 0xE6, 0xE4, 0x97, 0xF3 }; #endif - static byte ct[KYBER_MAX_CIPHER_TEXT_SIZE]; - static byte ss[KYBER_SS_SZ]; + static byte ct[WC_ML_KEM_MAX_CIPHER_TEXT_SIZE]; + static byte ss[WC_ML_KEM_SS_SZ]; key = (KyberKey*)XMALLOC(sizeof(KyberKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); ExpectNotNull(key); @@ -30505,31 +30505,31 @@ static int test_wc_kyber_encapsulate_kats(void) XMEMSET(key, 0, sizeof(KyberKey)); } -#ifndef WOLFSSL_NO_KYBER512 - ExpectIntEQ(wc_KyberKey_Init(KYBER512, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_512 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_512, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePublicKey(key, ek_512, sizeof(ek_512)), 0); ExpectIntEQ(wc_KyberKey_EncapsulateWithRandom(key, ct, ss, seed_512, sizeof(seed_512)), 0); - ExpectIntEQ(XMEMCMP(ct, c_512, KYBER512_CIPHER_TEXT_SIZE), 0); - ExpectIntEQ(XMEMCMP(ss, k_512, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ct, c_512, WC_ML_KEM_512_CIPHER_TEXT_SIZE), 0); + ExpectIntEQ(XMEMCMP(ss, k_512, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER768 - ExpectIntEQ(wc_KyberKey_Init(KYBER768, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_768 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_768, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePublicKey(key, ek_768, sizeof(ek_768)), 0); ExpectIntEQ(wc_KyberKey_EncapsulateWithRandom(key, ct, ss, seed_768, sizeof(seed_768)), 0); - ExpectIntEQ(XMEMCMP(ct, c_768, KYBER768_CIPHER_TEXT_SIZE), 0); - ExpectIntEQ(XMEMCMP(ss, k_768, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ct, c_768, WC_ML_KEM_768_CIPHER_TEXT_SIZE), 0); + ExpectIntEQ(XMEMCMP(ss, k_768, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER1024 - ExpectIntEQ(wc_KyberKey_Init(KYBER1024, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_1024 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_1024, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePublicKey(key, ek_1024, sizeof(ek_1024)), 0); ExpectIntEQ(wc_KyberKey_EncapsulateWithRandom(key, ct, ss, seed_1024, sizeof(seed_1024)), 0); - ExpectIntEQ(XMEMCMP(ct, c_1024, KYBER1024_CIPHER_TEXT_SIZE), 0); - ExpectIntEQ(XMEMCMP(ss, k_1024, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ct, c_1024, WC_ML_KEM_1024_CIPHER_TEXT_SIZE), 0); + ExpectIntEQ(XMEMCMP(ss, k_1024, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif @@ -30542,10 +30542,10 @@ static int test_wc_kyber_decapsulate_kats(void) { EXPECT_DECLS; #if defined(WOLFSSL_HAVE_KYBER) && defined(WOLFSSL_WC_KYBER) && \ - !defined(WOLFSSL_KYBER_ORIGINAL) + !defined(WOLFSSL_NO_ML_KEM) KyberKey* key; -#ifndef WOLFSSL_NO_KYBER512 - static const byte dk_512[KYBER512_PRIVATE_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_512 + static const byte dk_512[WC_ML_KEM_512_PRIVATE_KEY_SIZE] = { 0x69, 0xF9, 0xCB, 0xFD, 0x12, 0x37, 0xBA, 0x16, 0x1C, 0xF6, 0xE6, 0xC1, 0x8F, 0x48, 0x8F, 0xC6, 0xE3, 0x9A, 0xB4, 0xA5, 0xC9, 0xE6, 0xC2, 0x2E, @@ -30751,7 +30751,7 @@ static int test_wc_kyber_decapsulate_kats(void) 0x09, 0x8A, 0x3F, 0x35, 0x17, 0x78, 0xB0, 0x88, 0x8C, 0x95, 0x90, 0xA9, 0x09, 0x0C, 0xD4, 0x04 }; - static const byte c_512[KYBER512_CIPHER_TEXT_SIZE] = { + static const byte c_512[WC_ML_KEM_512_CIPHER_TEXT_SIZE] = { 0x16, 0x1C, 0xD2, 0x59, 0xFE, 0xAA, 0x7E, 0xC6, 0xB2, 0x86, 0x49, 0x8A, 0x9A, 0x6F, 0x69, 0xF8, 0xB2, 0x62, 0xA2, 0xE2, 0x09, 0x3D, 0x0F, 0xBD, @@ -30849,15 +30849,15 @@ static int test_wc_kyber_decapsulate_kats(void) 0x34, 0x6B, 0xAF, 0xCD, 0xD0, 0x6D, 0x40, 0x2F, 0xF2, 0x4D, 0x6C, 0x1E, 0x5F, 0x61, 0xA8, 0x5D }; - static const byte kprime_512[KYBER_SS_SZ] = { + static const byte kprime_512[WC_ML_KEM_SS_SZ] = { 0xDF, 0x46, 0x2A, 0xD6, 0x8F, 0x1E, 0xC8, 0x97, 0x2E, 0xD9, 0xB0, 0x2D, 0x6D, 0xE0, 0x60, 0x4B, 0xDE, 0xC7, 0x57, 0x20, 0xE0, 0x50, 0x49, 0x73, 0x51, 0xE6, 0xEC, 0x93, 0x3E, 0x71, 0xF8, 0x82 }; #endif -#ifndef WOLFSSL_NO_KYBER768 - static const byte dk_768[KYBER768_PRIVATE_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_768 + static const byte dk_768[WC_ML_KEM_768_PRIVATE_KEY_SIZE] = { 0x1E, 0x4A, 0xC8, 0x7B, 0x1A, 0x69, 0x2A, 0x52, 0x9F, 0xDB, 0xBA, 0xB9, 0x33, 0x74, 0xC5, 0x7D, 0x11, 0x0B, 0x10, 0xF2, 0xB1, 0xDD, 0xEB, 0xAC, @@ -31159,7 +31159,7 @@ static int test_wc_kyber_decapsulate_kats(void) 0xB4, 0xAB, 0x82, 0xE5, 0xFC, 0xA1, 0x35, 0xE8, 0xD2, 0x6A, 0x6B, 0x3A, 0x89, 0xFA, 0x5B, 0x6F }; - static const byte c_768[KYBER768_CIPHER_TEXT_SIZE] = { + static const byte c_768[WC_ML_KEM_768_CIPHER_TEXT_SIZE] = { 0xA5, 0xC8, 0x1C, 0x76, 0xC2, 0x43, 0x05, 0xE1, 0xCE, 0x5D, 0x81, 0x35, 0xD4, 0x15, 0x23, 0x68, 0x2E, 0x9E, 0xE6, 0xD7, 0xB4, 0x0A, 0xD4, 0x1D, @@ -31297,15 +31297,15 @@ static int test_wc_kyber_decapsulate_kats(void) 0xA5, 0x9A, 0x1F, 0xD2, 0x8A, 0xF3, 0x5C, 0x00, 0xD1, 0x8A, 0x40, 0x6A, 0x28, 0xFC, 0x79, 0xBA }; - static const byte kprime_768[KYBER_SS_SZ] = { + static const byte kprime_768[WC_ML_KEM_SS_SZ] = { 0xDC, 0x5B, 0x88, 0x88, 0xBC, 0x1E, 0xBA, 0x5C, 0x19, 0x69, 0xC2, 0x11, 0x64, 0xEA, 0x43, 0xE2, 0x2E, 0x7A, 0xC0, 0xCD, 0x01, 0x2A, 0x2F, 0x26, 0xCB, 0x8C, 0x48, 0x7E, 0x69, 0xEF, 0x7C, 0xE4 }; #endif -#ifndef WOLFSSL_NO_KYBER1024 - static const byte dk_1024[KYBER1024_PRIVATE_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_1024 + static const byte dk_1024[WC_ML_KEM_1024_PRIVATE_KEY_SIZE] = { 0x84, 0x45, 0xC3, 0x36, 0xF3, 0x51, 0x8B, 0x29, 0x81, 0x63, 0xDC, 0xBB, 0x63, 0x57, 0x59, 0x79, 0x83, 0xCA, 0x2E, 0x87, 0x3D, 0xCB, 0x49, 0x61, @@ -31703,7 +31703,7 @@ static int test_wc_kyber_decapsulate_kats(void) 0x0D, 0xE1, 0xB7, 0xA4, 0x81, 0xB8, 0x3E, 0x58, 0x3B, 0x6A, 0xF1, 0x6F, 0x63, 0xCB, 0x00, 0xC6 }; - static const byte c_1024[KYBER1024_CIPHER_TEXT_SIZE] = { + static const byte c_1024[WC_ML_KEM_1024_CIPHER_TEXT_SIZE] = { 0x0C, 0x68, 0x1B, 0x4A, 0xA8, 0x1F, 0x26, 0xAD, 0xFB, 0x64, 0x5E, 0xC2, 0x4B, 0x37, 0x52, 0xF6, 0xB3, 0x2C, 0x68, 0x64, 0x5A, 0xA5, 0xE7, 0xA9, @@ -31901,14 +31901,14 @@ static int test_wc_kyber_decapsulate_kats(void) 0x7B, 0x12, 0x43, 0x33, 0x43, 0xA6, 0x58, 0xF1, 0x98, 0x0C, 0x81, 0x24, 0xEA, 0x6D, 0xD8, 0x1F }; - static const byte kprime_1024[KYBER_SS_SZ] = { + static const byte kprime_1024[WC_ML_KEM_SS_SZ] = { 0x8F, 0x33, 0x6E, 0x9C, 0x28, 0xDF, 0x34, 0x9E, 0x03, 0x22, 0x0A, 0xF0, 0x1C, 0x42, 0x83, 0x2F, 0xEF, 0xAB, 0x1F, 0x2A, 0x74, 0xC1, 0x6F, 0xAF, 0x6F, 0x64, 0xAD, 0x07, 0x1C, 0x1A, 0x33, 0x94 }; #endif - static byte ss[KYBER_SS_SZ]; + static byte ss[WC_ML_KEM_SS_SZ]; key = (KyberKey*)XMALLOC(sizeof(KyberKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); ExpectNotNull(key); @@ -31916,25 +31916,25 @@ static int test_wc_kyber_decapsulate_kats(void) XMEMSET(key, 0, sizeof(KyberKey)); } -#ifndef WOLFSSL_NO_KYBER512 - ExpectIntEQ(wc_KyberKey_Init(KYBER512, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_512 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_512, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePrivateKey(key, dk_512, sizeof(dk_512)), 0); ExpectIntEQ(wc_KyberKey_Decapsulate(key, ss, c_512, sizeof(c_512)), 0); - ExpectIntEQ(XMEMCMP(ss, kprime_512, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ss, kprime_512, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER768 - ExpectIntEQ(wc_KyberKey_Init(KYBER768, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_768 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_768, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePrivateKey(key, dk_768, sizeof(dk_768)), 0); ExpectIntEQ(wc_KyberKey_Decapsulate(key, ss, c_768, sizeof(c_768)), 0); - ExpectIntEQ(XMEMCMP(ss, kprime_768, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ss, kprime_768, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER1024 - ExpectIntEQ(wc_KyberKey_Init(KYBER1024, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_1024 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_1024, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePrivateKey(key, dk_1024, sizeof(dk_1024)), 0); ExpectIntEQ(wc_KyberKey_Decapsulate(key, ss, c_1024, sizeof(c_1024)), 0); - ExpectIntEQ(XMEMCMP(ss, kprime_1024, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ss, kprime_1024, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif @@ -79236,6 +79236,7 @@ static int test_tls13_apis(void) #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) int groups[2] = { WOLFSSL_ECC_SECP256R1, #ifdef WOLFSSL_HAVE_KYBER +#ifdef WOLFSSL_KYBER_ORIGINAL #ifndef WOLFSSL_NO_KYBER512 WOLFSSL_KYBER_LEVEL1 #elif !defined(WOLFSSL_NO_KYBER768) @@ -79243,6 +79244,15 @@ static int test_tls13_apis(void) #else WOLFSSL_KYBER_LEVEL5 #endif +#else + #ifndef WOLFSSL_NO_ML_KEM_512 + WOLFSSL_ML_KEM_512 + #elif !defined(WOLFSSL_NO_ML_KEM_768) + WOLFSSL_ML_KEM_768 + #else + WOLFSSL_ML_KEM_1024 + #endif +#endif #else WOLFSSL_ECC_SECP256R1 #endif @@ -79270,6 +79280,7 @@ static int test_tls13_apis(void) #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 "P-256:secp256r1" #if defined(WOLFSSL_HAVE_KYBER) +#ifdef WOLFSSL_KYBER_ORIGINAL #ifndef WOLFSSL_NO_KYBER512 ":P256_KYBER_LEVEL1" #elif !defined(WOLFSSL_NO_KYBER768) @@ -79277,10 +79288,20 @@ static int test_tls13_apis(void) #else ":P256_KYBER_LEVEL5" #endif +#else + #ifndef WOLFSSL_NO_KYBER512 + ":P256_ML_KEM_512" + #elif !defined(WOLFSSL_NO_KYBER768) + ":P256_ML_KEM_768" + #else + ":P256_ML_KEM_1024" + #endif +#endif #endif #endif #endif /* !defined(NO_ECC_SECP) */ #if defined(WOLFSSL_HAVE_KYBER) +#ifdef WOLFSSL_KYBER_ORIGINAL #ifndef WOLFSSL_NO_KYBER512 ":KYBER_LEVEL1" #elif !defined(WOLFSSL_NO_KYBER768) @@ -79288,6 +79309,15 @@ static int test_tls13_apis(void) #else ":KYBER_LEVEL5" #endif +#else + #ifndef WOLFSSL_NO_KYBER512 + ":ML_KEM_512" + #elif !defined(WOLFSSL_NO_KYBER768) + ":ML_KEM_768" + #else + ":ML_KEM_1024" + #endif +#endif #endif ""; #endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */ @@ -79423,12 +79453,22 @@ static int test_tls13_apis(void) #endif #if defined(WOLFSSL_HAVE_KYBER) +#ifndef WOLFSSL_NO_ML_KEM +#ifndef WOLFSSL_NO_ML_KEM_768 + kyberLevel = WOLFSSL_ML_KEM_768; +#elif !defined(WOLFSSL_NO_ML_KEM_1024) + kyberLevel = WOLFSSL_ML_KEM_1024; +#else + kyberLevel = WOLFSSL_ML_KEM_512; +#endif +#else #ifndef WOLFSSL_NO_KYBER768 kyberLevel = WOLFSSL_KYBER_LEVEL3; #elif !defined(WOLFSSL_NO_KYBER1024) kyberLevel = WOLFSSL_KYBER_LEVEL5; #else kyberLevel = WOLFSSL_KYBER_LEVEL1; +#endif #endif ExpectIntEQ(wolfSSL_UseKeyShare(NULL, kyberLevel), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); #ifndef NO_WOLFSSL_SERVER @@ -96286,13 +96326,21 @@ static int test_dtls13_basic_connection_id(void) defined(HAVE_LIBOQS) static void test_tls13_pq_groups_ctx_ready(WOLFSSL_CTX* ctx) { +#ifdef WOLFSSL_KYBER_ORIGINAL int group = WOLFSSL_KYBER_LEVEL5; +#else + int group = WOLFSSL_ML_KEM_1024; +#endif AssertIntEQ(wolfSSL_CTX_set_groups(ctx, &group, 1), WOLFSSL_SUCCESS); } static void test_tls13_pq_groups_on_result(WOLFSSL* ssl) { +#ifdef WOLFSSL_KYBER_ORIGINAL AssertStrEQ(wolfSSL_get_curve_name(ssl), "KYBER_LEVEL5"); +#else + AssertStrEQ(wolfSSL_get_curve_name(ssl), "ML_KEM_1024"); +#endif } #endif diff --git a/tests/suites.c b/tests/suites.c index 7328789f46..a22002036d 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -184,6 +184,28 @@ static int IsKyberLevelAvailable(const char* line) begin += 6; end = XSTRSTR(begin, " "); + #ifndef WOLFSSL_NO_ML_KEM + if ((size_t)end - (size_t)begin == 10) { + #ifndef WOLFSSL_NO_ML_KEM_512 + if (XSTRNCMP(begin, "ML_KEM_512", 10) == 0) { + available = 1; + } + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + if (XSTRNCMP(begin, "ML_KEM_768", 10) == 0) { + available = 1; + } + #endif + } + #ifndef WOLFSSL_NO_ML_KEM_1024 + if ((size_t)end - (size_t)begin == 11) { + if (XSTRNCMP(begin, "ML_KEM_1024", 11) == 0) { + available = 1; + } + } + #endif + #endif + #ifdef WOLFSSL_KYBER_ORIGINAL if ((size_t)end - (size_t)begin == 12) { #ifndef WOLFSSL_NO_KYBER512 if (XSTRNCMP(begin, "KYBER_LEVEL1", 12) == 0) { @@ -201,6 +223,7 @@ static int IsKyberLevelAvailable(const char* line) } #endif } + #endif } return (begin == NULL) || available; diff --git a/tests/test-dtls13-pq-2.conf b/tests/test-dtls13-pq-2.conf index 6a4bfac084..bd5e32697d 100644 --- a/tests/test-dtls13-pq-2.conf +++ b/tests/test-dtls13-pq-2.conf @@ -1,3 +1,17 @@ +# server DTLSv1.3 with post-quantum group +-u +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P256_ML_KEM_512 + +# client DTLSv1.3 with post-quantum group +-u +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P256_ML_KEM_512 + +# P384_ML_KEM_768 and P521_ML_KEM_1024 would fragment the ClientHello. + # server DTLSv1.3 with post-quantum group -u -v 4 diff --git a/tests/test-dtls13-pq.conf b/tests/test-dtls13-pq.conf index c84ab819dd..37abf2c77a 100644 --- a/tests/test-dtls13-pq.conf +++ b/tests/test-dtls13-pq.conf @@ -2,12 +2,26 @@ -u -v 4 -l TLS13-AES256-GCM-SHA384 ---pqc KYBER_LEVEL1 +--pqc ML_KEM_512 # client DTLSv1.3 with post-quantum group -u -v 4 -l TLS13-AES256-GCM-SHA384 ---pqc KYBER_LEVEL1 +--pqc ML_KEM_512 + +# ML_KEM_768 and ML_KEM_1024 would fragment the ClientHello. + +# server DTLSv1.3 with post-quantum group +-u +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_512 + +# client DTLSv1.3 with post-quantum group +-u +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_512 # KYBER_LEVEL3 and KYBER_LEVEL5 would fragment the ClientHello. diff --git a/tests/test-tls13-pq-2.conf b/tests/test-tls13-pq-2.conf index ff09d72a71..26f5f525d8 100644 --- a/tests/test-tls13-pq-2.conf +++ b/tests/test-tls13-pq-2.conf @@ -1,3 +1,33 @@ +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P256_ML_KEM_512 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P256_ML_KEM_512 + +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P384_ML_KEM_768 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P384_ML_KEM_768 + +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P521_ML_KEM1024 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P521_ML_KEM1024 + # server TLSv1.3 with post-quantum group -v 4 -l TLS13-AES256-GCM-SHA384 diff --git a/tests/test-tls13-pq.conf b/tests/test-tls13-pq.conf index 9d2b218deb..ac8164e995 100644 --- a/tests/test-tls13-pq.conf +++ b/tests/test-tls13-pq.conf @@ -1,3 +1,33 @@ +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_512 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_512 + +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_768 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_768 + +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_1024 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_1024 + # server TLSv1.3 with post-quantum group -v 4 -l TLS13-AES256-GCM-SHA384 diff --git a/wolfcrypt/src/ext_kyber.c b/wolfcrypt/src/ext_kyber.c index 0c2cb2b437..44ec893ffc 100644 --- a/wolfcrypt/src/ext_kyber.c +++ b/wolfcrypt/src/ext_kyber.c @@ -43,9 +43,16 @@ static const char* OQS_ID2name(int id) { switch (id) { + #ifndef WOLFSSL_NO_ML_KEM + case WC_ML_KEM_512: return OQS_KEM_alg_ml_kem_512; + case WC_ML_KEM_768: return OQS_KEM_alg_ml_kem_768; + case WC_ML_KEM_1024: return OQS_KEM_alg_ml_kem_1024; + #endif + #ifdef WOLFSSL_KYBER_ORIGINAL case KYBER_LEVEL1: return OQS_KEM_alg_kyber_512; case KYBER_LEVEL3: return OQS_KEM_alg_kyber_768; case KYBER_LEVEL5: return OQS_KEM_alg_kyber_1024; + #endif default: break; } return NULL; @@ -83,11 +90,20 @@ int wc_KyberKey_Init(int type, KyberKey* key, void* heap, int devId) if (ret == 0) { /* Validate type. */ switch (type) { +#ifndef WOLFSSL_NO_ML_KEM + case WC_ML_KEM_512: + #ifdef HAVE_LIBOQS + case WC_ML_KEM_768: + case WC_ML_KEM_1024: + #endif /* HAVE_LIBOQS */ +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL case KYBER_LEVEL1: -#ifdef HAVE_LIBOQS + #ifdef HAVE_LIBOQS case KYBER_LEVEL3: case KYBER_LEVEL5: -#endif /* HAVE_LIBOQS */ + #endif /* HAVE_LIBOQS */ +#endif break; default: /* No other values supported. */ @@ -152,6 +168,18 @@ int wc_KyberKey_PrivateKeySize(KyberKey* key, word32* len) /* NOTE: SHAKE and AES variants have the same length private key. */ if (ret == 0) { switch (key->type) { + #ifndef WOLFSSL_NO_ML_KEM + case WC_ML_KEM_512: + *len = OQS_KEM_ml_kem_512_length_secret_key; + break; + case WC_ML_KEM_768: + *len = OQS_KEM_ml_kem_768_length_secret_key; + break; + case WC_ML_KEM_1024: + *len = OQS_KEM_ml_kem_1024_length_secret_key; + break; + #endif + #ifdef WOLFSSL_KYBER_ORIGINAL case KYBER_LEVEL1: *len = OQS_KEM_kyber_512_length_secret_key; break; @@ -161,6 +189,7 @@ int wc_KyberKey_PrivateKeySize(KyberKey* key, word32* len) case KYBER_LEVEL5: *len = OQS_KEM_kyber_1024_length_secret_key; break; + #endif default: /* No other values supported. */ ret = BAD_FUNC_ARG; @@ -194,6 +223,18 @@ int wc_KyberKey_PublicKeySize(KyberKey* key, word32* len) /* NOTE: SHAKE and AES variants have the same length public key. */ if (ret == 0) { switch (key->type) { + #ifndef WOLFSSL_NO_ML_KEM + case WC_ML_KEM_512: + *len = OQS_KEM_ml_kem_512_length_public_key; + break; + case WC_ML_KEM_768: + *len = OQS_KEM_ml_kem_768_length_public_key; + break; + case WC_ML_KEM_1024: + *len = OQS_KEM_ml_kem_1024_length_public_key; + break; + #endif + #ifdef WOLFSSL_KYBER_ORIGINAL case KYBER_LEVEL1: *len = OQS_KEM_kyber_512_length_public_key; break; @@ -203,6 +244,7 @@ int wc_KyberKey_PublicKeySize(KyberKey* key, word32* len) case KYBER_LEVEL5: *len = OQS_KEM_kyber_1024_length_public_key; break; + #endif default: /* No other values supported. */ ret = BAD_FUNC_ARG; @@ -236,6 +278,18 @@ int wc_KyberKey_CipherTextSize(KyberKey* key, word32* len) /* NOTE: SHAKE and AES variants have the same length ciphertext. */ if (ret == 0) { switch (key->type) { + #ifndef WOLFSSL_NO_ML_KEM + case WC_ML_KEM_512: + *len = OQS_KEM_ml_kem_512_length_ciphertext; + break; + case WC_ML_KEM_768: + *len = OQS_KEM_ml_kem_768_length_ciphertext; + break; + case WC_ML_KEM_1024: + *len = OQS_KEM_ml_kem_1024_length_ciphertext; + break; + #endif + #ifdef WOLFSSL_KYBER_ORIGINAL case KYBER_LEVEL1: *len = OQS_KEM_kyber_512_length_ciphertext; break; @@ -245,6 +299,7 @@ int wc_KyberKey_CipherTextSize(KyberKey* key, word32* len) case KYBER_LEVEL5: *len = OQS_KEM_kyber_1024_length_ciphertext; break; + #endif default: /* No other values supported. */ ret = BAD_FUNC_ARG; diff --git a/wolfcrypt/src/wc_kyber.c b/wolfcrypt/src/wc_kyber.c index bca5e1ff8b..040c4f0123 100644 --- a/wolfcrypt/src/wc_kyber.c +++ b/wolfcrypt/src/wc_kyber.c @@ -68,7 +68,9 @@ volatile sword16 kyber_opt_blocker = 0; /** * Initialize the Kyber key. * - * @param [in] type Type of key: KYBER512, KYBER768, KYBER1024. + * @param [in] type Type of key: + * WC_ML_KEM_512, WC_ML_KEM_768, WC_ML_KEM_1024, + * KYBER512, KYBER768, KYBER1024. * @param [out] key Kyber key object to initialize. * @param [in] heap Dynamic memory hint. * @param [in] devId Device Id. @@ -87,6 +89,27 @@ int wc_KyberKey_Init(int type, KyberKey* key, void* heap, int devId) if (ret == 0) { /* Validate type. */ switch (type) { + #ifndef WOLFSSL_NO_ML_KEM + case WC_ML_KEM_512: + #ifndef WOLFSSL_WC_ML_KEM_512 + /* Code not compiled in for Kyber-512. */ + ret = NOT_COMPILED_IN; + #endif + break; + case WC_ML_KEM_768: + #ifndef WOLFSSL_WC_ML_KEM_768 + /* Code not compiled in for Kyber-768. */ + ret = NOT_COMPILED_IN; + #endif + break; + case WC_ML_KEM_1024: + #ifndef WOLFSSL_WC_ML_KEM_1024 + /* Code not compiled in for Kyber-1024. */ + ret = NOT_COMPILED_IN; + #endif + break; + #endif + #ifdef WOLFSSL_KYBER_ORIGINAL case KYBER512: #ifndef WOLFSSL_KYBER512 /* Code not compiled in for Kyber-512. */ @@ -105,6 +128,7 @@ int wc_KyberKey_Init(int type, KyberKey* key, void* heap, int devId) ret = NOT_COMPILED_IN; #endif break; + #endif default: /* No other values supported. */ ret = BAD_FUNC_ARG; @@ -230,6 +254,24 @@ int wc_KyberKey_MakeKeyWithRandom(KyberKey* key, const unsigned char* rand, if (ret == 0) { /* Establish parameters based on key type. */ switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + kp = WC_ML_KEM_512_K; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + kp = WC_ML_KEM_768_K; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + kp = WC_ML_KEM_1024_K; + break; + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: kp = KYBER512_K; @@ -245,6 +287,7 @@ int wc_KyberKey_MakeKeyWithRandom(KyberKey* key, const unsigned char* rand, kp = KYBER1024_K; break; #endif +#endif default: /* No other values supported. */ ret = NOT_COMPILED_IN; @@ -266,13 +309,24 @@ int wc_KyberKey_MakeKeyWithRandom(KyberKey* key, const unsigned char* rand, /* Error vector allocated at end of a. */ e = a + (kp * kp * KYBER_N); +#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM) + if (key->type & KYBER_ORIGINAL) +#endif #ifdef WOLFSSL_KYBER_ORIGINAL - /* Expand 32 bytes of random to 32. */ - ret = KYBER_HASH_G(&key->hash, d, KYBER_SYM_SZ, NULL, 0, buf); -#else - buf[0] = kp; - /* Expand 33 bytes of random to 32. */ - ret = KYBER_HASH_G(&key->hash, d, KYBER_SYM_SZ, buf, 1, buf); + { + /* Expand 32 bytes of random to 32. */ + ret = KYBER_HASH_G(&key->hash, d, KYBER_SYM_SZ, NULL, 0, buf); + } +#endif +#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM) + else +#endif +#ifndef WOLFSSL_NO_ML_KEM + { + buf[0] = kp; + /* Expand 33 bytes of random to 32. */ + ret = KYBER_HASH_G(&key->hash, d, KYBER_SYM_SZ, buf, 1, buf); + } #endif } if (ret == 0) { @@ -333,6 +387,24 @@ int wc_KyberKey_CipherTextSize(KyberKey* key, word32* len) if (ret == 0) { /* Return in 'len' size of the cipher text for the type of this key. */ switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + *len = WC_ML_KEM_512_CIPHER_TEXT_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + *len = WC_ML_KEM_768_CIPHER_TEXT_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + *len = WC_ML_KEM_1024_CIPHER_TEXT_SIZE; + break; + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: *len = KYBER512_CIPHER_TEXT_SIZE; @@ -348,6 +420,7 @@ int wc_KyberKey_CipherTextSize(KyberKey* key, word32* len) *len = KYBER1024_CIPHER_TEXT_SIZE; break; #endif +#endif default: /* No other values supported. */ ret = NOT_COMPILED_IN; @@ -398,6 +471,27 @@ static int kyberkey_encapsulate(KyberKey* key, const byte* msg, byte* coins, /* Establish parameters based on key type. */ switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM +#ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + kp = WC_ML_KEM_512_K; + compVecSz = WC_ML_KEM_512_POLY_VEC_COMPRESSED_SZ; + break; +#endif +#ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + kp = WC_ML_KEM_768_K; + compVecSz = WC_ML_KEM_768_POLY_VEC_COMPRESSED_SZ; + break; +#endif +#ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + kp = WC_ML_KEM_1024_K; + compVecSz = WC_ML_KEM_1024_POLY_VEC_COMPRESSED_SZ; + break; +#endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: kp = KYBER512_K; @@ -415,6 +509,7 @@ static int kyberkey_encapsulate(KyberKey* key, const byte* msg, byte* coins, kp = KYBER1024_K; compVecSz = KYBER1024_POLY_VEC_COMPRESSED_SZ; break; +#endif #endif default: /* No other values supported. */ @@ -463,19 +558,19 @@ static int kyberkey_encapsulate(KyberKey* key, const byte* msg, byte* coins, /* Perform encapsulation maths. */ kyber_encapsulate(key->pub, bp, v, at, sp, ep, epp, k, kp); - #ifdef WOLFSSL_KYBER512 + #if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) if (kp == KYBER512_K) { kyber_vec_compress_10(ct, bp, kp); kyber_compress_4(ct + compVecSz, v); } #endif - #ifdef WOLFSSL_KYBER768 + #if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) if (kp == KYBER768_K) { kyber_vec_compress_10(ct, bp, kp); kyber_compress_4(ct + compVecSz, v); } #endif - #ifdef WOLFSSL_KYBER1024 + #if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) if (kp == KYBER1024_K) { kyber_vec_compress_11(ct, bp); kyber_compress_5(ct + compVecSz, v); @@ -562,6 +657,18 @@ int wc_KyberKey_EncapsulateWithRandom(KyberKey* key, unsigned char* ct, if (ret == 0) { /* Establish parameters based on key type. */ switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + #endif + break; +#endif #ifdef WOLFSSL_KYBER512 case KYBER512: ctSz = KYBER512_CIPHER_TEXT_SIZE; @@ -614,42 +721,80 @@ int wc_KyberKey_EncapsulateWithRandom(KyberKey* key, unsigned char* ct, #ifdef WOLFSSL_KYBER_ORIGINAL if (ret == 0) { - /* Hash random to anonymize as seed data. */ - ret = KYBER_HASH_H(&key->hash, rand, KYBER_SYM_SZ, msg); +#ifndef WOLFSSL_NO_ML_KEM + if (key->type & KYBER_ORIGINAL) +#endif + { + /* Hash random to anonymize as seed data. */ + ret = KYBER_HASH_H(&key->hash, rand, KYBER_SYM_SZ, msg); + } } #endif if (ret == 0) { /* Hash message into seed buffer. */ +#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM) + if (key->type & KYBER_ORIGINAL) +#endif #ifdef WOLFSSL_KYBER_ORIGINAL - ret = KYBER_HASH_G(&key->hash, msg, KYBER_SYM_SZ, key->h, KYBER_SYM_SZ, - kr); -#else - ret = KYBER_HASH_G(&key->hash, rand, KYBER_SYM_SZ, key->h, KYBER_SYM_SZ, - kr); + { + ret = KYBER_HASH_G(&key->hash, msg, KYBER_SYM_SZ, key->h, + KYBER_SYM_SZ, kr); + } +#endif +#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM) + else +#endif +#ifndef WOLFSSL_NO_ML_KEM + { + ret = KYBER_HASH_G(&key->hash, rand, KYBER_SYM_SZ, key->h, + KYBER_SYM_SZ, kr); + } #endif } if (ret == 0) { /* Encapsulate the message using the key and the seed (coins). */ +#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM) + if (key->type & KYBER_ORIGINAL) +#endif #ifdef WOLFSSL_KYBER_ORIGINAL - ret = kyberkey_encapsulate(key, msg, kr + KYBER_SYM_SZ, ct); -#else - ret = kyberkey_encapsulate(key, rand, kr + KYBER_SYM_SZ, ct); + { + ret = kyberkey_encapsulate(key, msg, kr + KYBER_SYM_SZ, ct); + } +#endif +#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM) + else +#endif +#ifndef WOLFSSL_NO_ML_KEM + { + ret = kyberkey_encapsulate(key, rand, kr + KYBER_SYM_SZ, ct); + } #endif } +#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM) + if (key->type & KYBER_ORIGINAL) +#endif #ifdef WOLFSSL_KYBER_ORIGINAL - if (ret == 0) { - /* Hash the cipher text after the seed. */ - ret = KYBER_HASH_H(&key->hash, ct, ctSz, kr + KYBER_SYM_SZ); - } - if (ret == 0) { - /* Derive the secret from the seed and hash of cipher text. */ - ret = KYBER_KDF(kr, 2 * KYBER_SYM_SZ, ss, KYBER_SS_SZ); + { + if (ret == 0) { + /* Hash the cipher text after the seed. */ + ret = KYBER_HASH_H(&key->hash, ct, ctSz, kr + KYBER_SYM_SZ); + } + if (ret == 0) { + /* Derive the secret from the seed and hash of cipher text. */ + ret = KYBER_KDF(kr, 2 * KYBER_SYM_SZ, ss, KYBER_SS_SZ); + } } -#else - if (ret == 0) { - XMEMCPY(ss, kr, KYBER_SS_SZ); +#endif +#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM) + else +#endif +#ifndef WOLFSSL_NO_ML_KEM + { + if (ret == 0) { + XMEMCPY(ss, kr, KYBER_SS_SZ); + } } #endif @@ -683,6 +828,27 @@ static KYBER_NOINLINE int kyberkey_decapsulate(KyberKey* key, /* Establish parameters based on key type. */ switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM +#ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + kp = WC_ML_KEM_512_K; + compVecSz = WC_ML_KEM_512_POLY_VEC_COMPRESSED_SZ; + break; +#endif +#ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + kp = WC_ML_KEM_768_K; + compVecSz = WC_ML_KEM_768_POLY_VEC_COMPRESSED_SZ; + break; +#endif +#ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + kp = WC_ML_KEM_1024_K; + compVecSz = WC_ML_KEM_1024_POLY_VEC_COMPRESSED_SZ; + break; +#endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: kp = KYBER512_K; @@ -700,6 +866,7 @@ static KYBER_NOINLINE int kyberkey_decapsulate(KyberKey* key, kp = KYBER1024_K; compVecSz = KYBER1024_POLY_VEC_COMPRESSED_SZ; break; +#endif #endif default: /* No other values supported. */ @@ -723,19 +890,19 @@ static KYBER_NOINLINE int kyberkey_decapsulate(KyberKey* key, v = bp + kp * KYBER_N; mp = v + KYBER_N; - #ifdef WOLFSSL_KYBER512 + #if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) if (kp == KYBER512_K) { kyber_vec_decompress_10(bp, ct, kp); kyber_decompress_4(v, ct + compVecSz); } #endif - #ifdef WOLFSSL_KYBER768 + #if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) if (kp == KYBER768_K) { kyber_vec_decompress_10(bp, ct, kp); kyber_decompress_4(v, ct + compVecSz); } #endif - #ifdef WOLFSSL_KYBER1024 + #if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) if (kp == KYBER1024_K) { kyber_vec_decompress_11(bp, ct); kyber_decompress_5(v, ct + compVecSz); @@ -757,7 +924,7 @@ static KYBER_NOINLINE int kyberkey_decapsulate(KyberKey* key, return ret; } -#ifndef WOLFSSL_KYBER_ORIGINAL +#ifndef WOLFSSL_NO_ML_KEM /* Derive the secret from z and cipher text. * * @param [in] z Implicit rejection value. @@ -828,6 +995,24 @@ int wc_KyberKey_Decapsulate(KyberKey* key, unsigned char* ss, if (ret == 0) { /* Establish cipher text size based on key type. */ switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + ctSz = WC_ML_KEM_512_CIPHER_TEXT_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + ctSz = WC_ML_KEM_768_CIPHER_TEXT_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + ctSz = WC_ML_KEM_1024_CIPHER_TEXT_SIZE; + break; + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: ctSz = KYBER512_CIPHER_TEXT_SIZE; @@ -843,6 +1028,7 @@ int wc_KyberKey_Decapsulate(KyberKey* key, unsigned char* ss, ctSz = KYBER1024_CIPHER_TEXT_SIZE; break; #endif +#endif default: /* No other values supported. */ ret = NOT_COMPILED_IN; @@ -882,25 +1068,36 @@ int wc_KyberKey_Decapsulate(KyberKey* key, unsigned char* ss, /* Compare generated cipher text with that passed in. */ fail = kyber_cmp(ct, cmp, ctSz); +#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM) + if (key->type & KYBER_ORIGINAL) +#endif #ifdef WOLFSSL_KYBER_ORIGINAL - /* Hash the cipher text after the seed. */ - ret = KYBER_HASH_H(&key->hash, ct, ctSz, kr + KYBER_SYM_SZ); - } - if (ret == 0) { - /* Change seed to z on comparison failure. */ - for (i = 0; i < KYBER_SYM_SZ; i++) { - kr[i] ^= (kr[i] ^ key->z[i]) & fail; + { + /* Hash the cipher text after the seed. */ + ret = KYBER_HASH_H(&key->hash, ct, ctSz, kr + KYBER_SYM_SZ); + if (ret == 0) { + /* Change seed to z on comparison failure. */ + for (i = 0; i < KYBER_SYM_SZ; i++) { + kr[i] ^= (kr[i] ^ key->z[i]) & fail; + } + + /* Derive the secret from the seed and hash of cipher text. */ + ret = KYBER_KDF(kr, 2 * KYBER_SYM_SZ, ss, KYBER_SS_SZ); + } } - - /* Derive the secret from the seed and hash of cipher text. */ - ret = KYBER_KDF(kr, 2 * KYBER_SYM_SZ, ss, KYBER_SS_SZ); -#else - ret = kyber_derive_secret(key->z, ct, ctSz, msg); - } - if (ret == 0) { - /* Change seed to z on comparison failure. */ - for (i = 0; i < KYBER_SYM_SZ; i++) { - ss[i] = kr[i] ^ ((kr[i] ^ msg[i]) & fail); +#endif +#if defined(WOLFSSL_KYBER_ORIGINAL) && !defined(WOLFSSL_NO_ML_KEM) + else +#endif +#ifndef WOLFSSL_NO_ML_KEM + { + ret = kyber_derive_secret(key->z, ct, ctSz, msg); + if (ret == 0) { + /* Change seed to z on comparison failure. */ + for (i = 0; i < KYBER_SYM_SZ; i++) { + ss[i] = kr[i] ^ ((kr[i] ^ msg[i]) & fail); + } + } } #endif } @@ -947,6 +1144,30 @@ int wc_KyberKey_DecodePrivateKey(KyberKey* key, const unsigned char* in, if (ret == 0) { /* Establish parameters based on key type. */ switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + k = WC_ML_KEM_512_K; + privLen = WC_ML_KEM_512_PRIVATE_KEY_SIZE; + pubLen = WC_ML_KEM_512_PUBLIC_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + k = WC_ML_KEM_768_K; + privLen = WC_ML_KEM_768_PRIVATE_KEY_SIZE; + pubLen = WC_ML_KEM_768_PUBLIC_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + k = WC_ML_KEM_1024_K; + privLen = WC_ML_KEM_1024_PRIVATE_KEY_SIZE; + pubLen = WC_ML_KEM_1024_PUBLIC_KEY_SIZE; + break; + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: k = KYBER512_K; @@ -968,6 +1189,7 @@ int wc_KyberKey_DecodePrivateKey(KyberKey* key, const unsigned char* in, pubLen = KYBER1024_PUBLIC_KEY_SIZE; break; #endif +#endif default: /* No other values supported. */ ret = NOT_COMPILED_IN; @@ -1030,6 +1252,27 @@ int wc_KyberKey_DecodePublicKey(KyberKey* key, const unsigned char* in, if (ret == 0) { /* Establish parameters based on key type. */ switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + k = WC_ML_KEM_512_K; + pubLen = WC_ML_KEM_512_PUBLIC_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + k = WC_ML_KEM_768_K; + pubLen = WC_ML_KEM_768_PUBLIC_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + k = WC_ML_KEM_1024_K; + pubLen = WC_ML_KEM_1024_PUBLIC_KEY_SIZE; + break; + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: k = KYBER512_K; @@ -1048,6 +1291,7 @@ int wc_KyberKey_DecodePublicKey(KyberKey* key, const unsigned char* in, pubLen = KYBER1024_PUBLIC_KEY_SIZE; break; #endif +#endif default: /* No other values supported. */ ret = NOT_COMPILED_IN; @@ -1103,6 +1347,24 @@ int wc_KyberKey_PrivateKeySize(KyberKey* key, word32* len) /* Return in 'len' size of the encoded private key for the type of this * key. */ switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + *len = WC_ML_KEM_512_PRIVATE_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + *len = WC_ML_KEM_768_PRIVATE_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + *len = WC_ML_KEM_1024_PRIVATE_KEY_SIZE; + break; + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: *len = KYBER512_PRIVATE_KEY_SIZE; @@ -1118,6 +1380,7 @@ int wc_KyberKey_PrivateKeySize(KyberKey* key, word32* len) *len = KYBER1024_PRIVATE_KEY_SIZE; break; #endif +#endif default: /* No other values supported. */ ret = NOT_COMPILED_IN; @@ -1150,6 +1413,24 @@ int wc_KyberKey_PublicKeySize(KyberKey* key, word32* len) /* Return in 'len' size of the encoded public key for the type of this * key. */ switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + *len = WC_ML_KEM_512_PUBLIC_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + *len = WC_ML_KEM_768_PUBLIC_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + *len = WC_ML_KEM_1024_PUBLIC_KEY_SIZE; + break; + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: *len = KYBER512_PUBLIC_KEY_SIZE; @@ -1165,6 +1446,7 @@ int wc_KyberKey_PublicKeySize(KyberKey* key, word32* len) *len = KYBER1024_PUBLIC_KEY_SIZE; break; #endif +#endif default: /* No other values supported. */ ret = NOT_COMPILED_IN; @@ -1206,6 +1488,30 @@ int wc_KyberKey_EncodePrivateKey(KyberKey* key, unsigned char* out, word32 len) if (ret == 0) { switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + k = WC_ML_KEM_512_K; + pubLen = WC_ML_KEM_512_PUBLIC_KEY_SIZE; + privLen = WC_ML_KEM_512_PRIVATE_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + k = WC_ML_KEM_768_K; + pubLen = WC_ML_KEM_768_PUBLIC_KEY_SIZE; + privLen = WC_ML_KEM_768_PRIVATE_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + k = WC_ML_KEM_1024_K; + pubLen = WC_ML_KEM_1024_PUBLIC_KEY_SIZE; + privLen = WC_ML_KEM_1024_PRIVATE_KEY_SIZE; + break; + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: k = KYBER512_K; @@ -1227,6 +1533,7 @@ int wc_KyberKey_EncodePrivateKey(KyberKey* key, unsigned char* out, word32 len) privLen = KYBER1024_PRIVATE_KEY_SIZE; break; #endif +#endif default: /* No other values supported. */ ret = NOT_COMPILED_IN; @@ -1293,6 +1600,27 @@ int wc_KyberKey_EncodePublicKey(KyberKey* key, unsigned char* out, word32 len) if (ret == 0) { switch (key->type) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + k = WC_ML_KEM_512_K; + pubLen = WC_ML_KEM_512_PUBLIC_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + k = WC_ML_KEM_768_K; + pubLen = WC_ML_KEM_768_PUBLIC_KEY_SIZE; + break; + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + k = WC_ML_KEM_1024_K; + pubLen = WC_ML_KEM_1024_PUBLIC_KEY_SIZE; + break; + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: k = KYBER512_K; @@ -1311,6 +1639,7 @@ int wc_KyberKey_EncodePublicKey(KyberKey* key, unsigned char* out, word32 len) pubLen = KYBER1024_PUBLIC_KEY_SIZE; break; #endif +#endif default: /* No other values supported. */ ret = NOT_COMPILED_IN; diff --git a/wolfcrypt/src/wc_kyber_poly.c b/wolfcrypt/src/wc_kyber_poly.c index 52c8af356f..f7cb6056c7 100644 --- a/wolfcrypt/src/wc_kyber_poly.c +++ b/wolfcrypt/src/wc_kyber_poly.c @@ -33,6 +33,12 @@ * WOLFSSL_WC_KYBER Default: OFF * Enables this code, wolfSSL implementation, to be built. * + * WOLFSSL_WC_ML_KEM_512 Default: OFF + * Enables the ML-KEM 512 parameter implementations. + * WOLFSSL_WC_ML_KEM_768 Default: OFF + * Enables the ML-KEM 768 parameter implementations. + * WOLFSSL_WC_ML_KEM_1024 Default: OFF + * Enables the ML-KEM 1024 parameter implementations. * WOLFSSL_KYBER512 Default: OFF * Enables the KYBER512 parameter implementations. * WOLFSSL_KYBER768 Default: OFF @@ -1402,7 +1408,7 @@ void kyber_decapsulate(const sword16* priv, sword16* mp, sword16* bp, /******************************************************************************/ #ifdef USE_INTEL_SPEEDUP -#ifdef WOLFSSL_KYBER512 +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) /* Deterministically generate a matrix (or transpose) of uniform integers mod q. * * Seed used with XOF to generate random bytes. @@ -1492,7 +1498,7 @@ static int kyber_gen_matrix_k2_avx2(sword16* a, byte* seed, int transposed) } #endif -#ifdef WOLFSSL_KYBER768 +#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) /* Deterministically generate a matrix (or transpose) of uniform integers mod q. * * Seed used with XOF to generate random bytes. @@ -1617,7 +1623,7 @@ static int kyber_gen_matrix_k3_avx2(sword16* a, byte* seed, int transposed) return 0; } #endif -#ifdef WOLFSSL_KYBER1024 +#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) /* Deterministically generate a matrix (or transpose) of uniform integers mod q. * * Seed used with XOF to generate random bytes. @@ -1706,9 +1712,9 @@ static int kyber_gen_matrix_k4_avx2(sword16* a, byte* seed, int transposed) return 0; } -#endif /* KYBER1024 */ +#endif /* WOLFSSL_KYBER1024 || WOLFSSL_WC_ML_KEM_1024 */ #elif defined(WOLFSSL_ARMASM) && defined(__aarch64__) -#ifdef WOLFSSL_KYBER512 +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) /* Deterministically generate a matrix (or transpose) of uniform integers mod q. * * Seed used with XOF to generate random bytes. @@ -1782,7 +1788,7 @@ static int kyber_gen_matrix_k2_aarch64(sword16* a, byte* seed, int transposed) } #endif -#ifdef WOLFSSL_KYBER768 +#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) /* Deterministically generate a matrix (or transpose) of uniform integers mod q. * * Seed used with XOF to generate random bytes. @@ -1848,7 +1854,7 @@ static int kyber_gen_matrix_k3_aarch64(sword16* a, byte* seed, int transposed) } #endif -#ifdef WOLFSSL_KYBER1024 +#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) /* Deterministically generate a matrix (or transpose) of uniform integers mod q. * * Seed used with XOF to generate random bytes. @@ -2381,7 +2387,7 @@ int kyber_gen_matrix(KYBER_PRF_T* prf, sword16* a, int kp, byte* seed, { int ret; -#ifdef WOLFSSL_KYBER512 +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) if (kp == KYBER512_K) { #if defined(WOLFSSL_ARMASM) && defined(__aarch64__) ret = kyber_gen_matrix_k2_aarch64(a, seed, transposed); @@ -2400,7 +2406,7 @@ int kyber_gen_matrix(KYBER_PRF_T* prf, sword16* a, int kp, byte* seed, } else #endif -#ifdef WOLFSSL_KYBER768 +#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) if (kp == KYBER768_K) { #if defined(WOLFSSL_ARMASM) && defined(__aarch64__) ret = kyber_gen_matrix_k3_aarch64(a, seed, transposed); @@ -2419,7 +2425,7 @@ int kyber_gen_matrix(KYBER_PRF_T* prf, sword16* a, int kp, byte* seed, } else #endif -#ifdef WOLFSSL_KYBER1024 +#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) if (kp == KYBER1024_K) { #if defined(WOLFSSL_ARMASM) && defined(__aarch64__) ret = kyber_gen_matrix_k4_aarch64(a, seed, transposed); @@ -2556,7 +2562,7 @@ static void kyber_cbd_eta2(sword16* p, const byte* r) #endif } -#ifdef WOLFSSL_KYBER512 +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) /* Subtract one 3 bit value from another out of a larger number. * * @param [in] d Value containing sequential 3 bit values. @@ -2726,7 +2732,7 @@ static int kyber_get_noise_eta1_c(KYBER_PRF_T* prf, sword16* p, (void)eta1; -#ifdef WOLFSSL_KYBER512 +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) if (eta1 == KYBER_CBD_ETA3) { byte rand[ETA3_RAND_SIZE]; @@ -2781,7 +2787,8 @@ static int kyber_get_noise_eta2_c(KYBER_PRF_T* prf, sword16* p, #ifdef USE_INTEL_SPEEDUP #define PRF_RAND_SZ (2 * SHA3_256_BYTES) -#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_KYBER1024) +#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) || \ + defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) /* Get the noise/error by calculating random bytes. * * @param [out] rand Random number byte array. @@ -2804,7 +2811,7 @@ static void kyber_get_noise_x4_eta2_avx2(byte* rand, byte* seed, byte o) } #endif -#ifdef WOLFSSL_KYBER512 +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) /* Get the noise/error by calculating random bytes. * * @param [out] rand Random number byte array. @@ -2890,7 +2897,7 @@ static int kyber_get_noise_k2_avx2(KYBER_PRF_T* prf, sword16* vec1, } #endif -#ifdef WOLFSSL_KYBER768 +#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) /* Get the noise/error by calculating random bytes and sampling to a binomial * distribution. * @@ -2921,7 +2928,7 @@ static int kyber_get_noise_k3_avx2(sword16* vec1, sword16* vec2, sword16* poly, } #endif -#ifdef WOLFSSL_KYBER1024 +#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) /* Get the noise/error by calculating random bytes and sampling to a binomial * distribution. * @@ -2981,7 +2988,7 @@ static void kyber_get_noise_x3_eta2_aarch64(byte* rand, byte* seed, byte o) kyber_shake256_blocksx3_seed_neon(state, seed); } -#ifdef WOLFSSL_KYBER512 +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) /* Get the noise/error by calculating random bytes. * * @param [out] rand Random number byte array. @@ -3068,7 +3075,7 @@ static int kyber_get_noise_k2_aarch64(sword16* vec1, sword16* vec2, } #endif -#ifdef WOLFSSL_KYBER768 +#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) /* Get the noise/error by calculating random bytes. * * @param [out] rand Random number byte array. @@ -3122,7 +3129,7 @@ static int kyber_get_noise_k3_aarch64(sword16* vec1, sword16* vec2, } #endif -#ifdef WOLFSSL_KYBER1024 +#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) /* Get the noise/error by calculating random bytes and sampling to a binomial * distribution. * @@ -3221,7 +3228,7 @@ int kyber_get_noise(KYBER_PRF_T* prf, int kp, sword16* vec1, { int ret; -#ifdef WOLFSSL_KYBER512 +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) if (kp == KYBER512_K) { #if defined(WOLFSSL_ARMASM) && defined(__aarch64__) ret = kyber_get_noise_k2_aarch64(vec1, vec2, poly, seed); @@ -3245,7 +3252,7 @@ int kyber_get_noise(KYBER_PRF_T* prf, int kp, sword16* vec1, } else #endif -#ifdef WOLFSSL_KYBER768 +#if defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) if (kp == KYBER768_K) { #if defined(WOLFSSL_ARMASM) && defined(__aarch64__) ret = kyber_get_noise_k3_aarch64(vec1, vec2, poly, seed); @@ -3265,7 +3272,7 @@ int kyber_get_noise(KYBER_PRF_T* prf, int kp, sword16* vec1, } else #endif -#ifdef WOLFSSL_KYBER1024 +#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) if (kp == KYBER1024_K) { #if defined(WOLFSSL_ARMASM) && defined(__aarch64__) ret = kyber_get_noise_k4_aarch64(vec1, vec2, poly, seed); @@ -3475,7 +3482,8 @@ static KYBER_NOINLINE void kyber_csubq_c(sword16* p) #endif /* CONV_WITH_DIV */ -#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_KYBER768) +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) || \ + defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) /* Compress the vector of polynomials into a byte array with 10 bits each. * * @param [out] b Array of bytes. @@ -3593,7 +3601,7 @@ void kyber_vec_compress_10(byte* r, sword16* v, unsigned int kp) } #endif -#ifdef WOLFSSL_KYBER1024 +#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) /* Compress the vector of polynomials into a byte array with 11 bits each. * * @param [out] b Array of bytes. @@ -3713,7 +3721,8 @@ void kyber_vec_compress_11(byte* r, sword16* v) v[(i) * KYBER_N + 8 * (j) + (k)] = \ (word16)((((word32)((t) & 0x7ff) * KYBER_Q) + 1024) >> 11) -#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_KYBER768) +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) || \ + defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) /* Decompress the byte array of packed 10 bits into vector of polynomials. * * @param [out] v Vector of polynomials. @@ -3785,7 +3794,7 @@ void kyber_vec_decompress_10(sword16* v, const unsigned char* b, } } #endif -#ifdef WOLFSSL_KYBER1024 +#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) /* Decompress the byte array of packed 11 bits into vector of polynomials. * * @param [out] v Vector of polynomials. @@ -3948,7 +3957,8 @@ void kyber_vec_decompress_11(sword16* v, const unsigned char* b) #endif /* CONV_WITH_DIV */ -#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_KYBER768) +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) || \ + defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) /* Compress a polynomial into byte array - on coefficients into 4 bits. * * @param [out] b Array of bytes. @@ -4020,7 +4030,7 @@ void kyber_compress_4(byte* b, sword16* p) } } #endif -#ifdef WOLFSSL_KYBER1024 +#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) /* Compress a polynomial into byte array - on coefficients into 5 bits. * * @param [out] b Array of bytes. @@ -4117,7 +4127,8 @@ void kyber_compress_5(byte* b, sword16* p) #define DECOMP_5(p, i, j, t) \ p[(i) + (j)] = (((word32)((t) & 0x1f) * KYBER_Q) + 16) >> 5 -#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_KYBER768) +#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512) || \ + defined(WOLFSSL_KYBER768) || defined(WOLFSSL_WC_ML_KEM_768) /* Decompress the byte array of packed 4 bits into polynomial. * * @param [out] p Polynomial. @@ -4155,7 +4166,7 @@ void kyber_decompress_4(sword16* p, const unsigned char* b) } } #endif -#ifdef WOLFSSL_KYBER1024 +#if defined(WOLFSSL_KYBER1024) || defined(WOLFSSL_WC_ML_KEM_1024) /* Decompress the byte array of packed 5 bits into polynomial. * * @param [out] p Polynomial. diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 4da05c864a..56ffa5bb11 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -38295,7 +38295,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ed448_test(void) #ifdef WOLFSSL_HAVE_KYBER #ifdef WOLFSSL_WC_KYBER /* OQS does not support KATs */ -#ifdef WOLFSSL_KYBER512 +#if !defined(WOLFSSL_NO_KYBER512) && !defined(WOLFSSL_NO_ML_KEM_512) static wc_test_ret_t kyber512_kat(void) { wc_test_ret_t ret; @@ -38331,8 +38331,8 @@ static wc_test_ret_t kyber512_kat(void) 0xc8, 0x0e, 0xfe, 0x79, 0xa3, 0xa9, 0xa8, 0x74, 0xcc, 0x09, 0xfe, 0x76, 0xf6, 0x99, 0x76, 0x15 }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber512_pk[] = { #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber512_pk[] = { 0x11, 0x5A, 0xCE, 0x0E, 0x64, 0x67, 0x7C, 0xBB, 0x7D, 0xCF, 0xC9, 0x3C, 0x16, 0xD3, 0xA3, 0x05, 0xF6, 0x76, 0x15, 0xA4, 0x88, 0xD7, 0x11, 0xAA, @@ -38433,7 +38433,10 @@ static wc_test_ret_t kyber512_kat(void) 0x5F, 0x8F, 0x3F, 0x90, 0x03, 0x48, 0x94, 0x15, 0x89, 0x9D, 0x59, 0xA5, 0x43, 0xD8, 0x20, 0x8C, 0x54, 0xA3, 0x16, 0x65, 0x29, 0xB5, 0x39, 0x22 -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_512_pk[] = { 0x40, 0x08, 0x65, 0xed, 0x10, 0xb6, 0x19, 0xaa, 0x58, 0x11, 0x13, 0x9b, 0xc0, 0x86, 0x82, 0x57, 0x82, 0xb2, 0xb7, 0x12, 0x4f, 0x75, 0x7c, 0x83, @@ -38534,10 +38537,10 @@ static wc_test_ret_t kyber512_kat(void) 0x43, 0x29, 0x86, 0xae, 0x4b, 0xc1, 0xa2, 0x42, 0xce, 0x99, 0x21, 0xaa, 0x9e, 0x22, 0x44, 0x88, 0x19, 0x58, 0x5d, 0xea, 0x30, 0x8e, 0xb0, 0x39 -#endif }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber512_sk[] = { +#endif #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber512_sk[] = { 0x6C, 0x89, 0x2B, 0x02, 0x97, 0xA9, 0xC7, 0x64, 0x14, 0x93, 0xF8, 0x7D, 0xAF, 0x35, 0x33, 0xEE, 0xD6, 0x1F, 0x07, 0xF4, 0x65, 0x20, 0x66, 0x33, @@ -38742,7 +38745,10 @@ static wc_test_ret_t kyber512_kat(void) 0x00, 0xE0, 0x3B, 0x59, 0xB9, 0x56, 0xF8, 0x21, 0x0E, 0x55, 0x60, 0x67, 0x40, 0x7D, 0x13, 0xDC, 0x90, 0xFA, 0x9E, 0x8B, 0x87, 0x2B, 0xFB, 0x8F -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_512_sk[] = { 0x9c, 0xda, 0x16, 0x86, 0xa3, 0x39, 0x6a, 0x7c, 0x10, 0x9b, 0x41, 0x52, 0x89, 0xf5, 0x6a, 0x9e, 0xc4, 0x4c, 0xd5, 0xb9, 0xb6, 0x74, 0xc3, 0x8a, @@ -38947,10 +38953,10 @@ static wc_test_ret_t kyber512_kat(void) 0x00, 0xe0, 0x3b, 0x59, 0xb9, 0x56, 0xf8, 0x21, 0x0e, 0x55, 0x60, 0x67, 0x40, 0x7d, 0x13, 0xdc, 0x90, 0xfa, 0x9e, 0x8b, 0x87, 0x2b, 0xfb, 0x8f -#endif }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber512_ct[] = { +#endif #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber512_ct[] = { 0xED, 0xF2, 0x41, 0x45, 0xE4, 0x3B, 0x4F, 0x6D, 0xC6, 0xBF, 0x83, 0x32, 0xF5, 0x4E, 0x02, 0xCA, 0xB0, 0x2D, 0xBF, 0x3B, 0x56, 0x05, 0xDD, 0xC9, @@ -39047,7 +39053,10 @@ static wc_test_ret_t kyber512_kat(void) 0x80, 0x5B, 0x9C, 0xFE, 0x8F, 0xE9, 0xB1, 0x23, 0x7C, 0x80, 0xF9, 0x67, 0x87, 0xCD, 0x92, 0x81, 0xCC, 0xF2, 0x70, 0xC1, 0xAF, 0xC0, 0x67, 0x0D -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_512_ct[] = { 0x11, 0x3d, 0xb2, 0xdd, 0x06, 0x87, 0x12, 0x35, 0xe7, 0xbc, 0x36, 0xc9, 0xdc, 0xaa, 0x52, 0x8f, 0xc2, 0x6c, 0xe5, 0xdb, 0x9e, 0xcc, 0x1d, 0xc3, @@ -39144,21 +39153,24 @@ static wc_test_ret_t kyber512_kat(void) 0x7f, 0x19, 0xb6, 0x00, 0x0e, 0x18, 0xf8, 0xfe, 0xad, 0xda, 0x7e, 0xde, 0x8f, 0xe8, 0x0a, 0xa6, 0x62, 0xd6, 0x94, 0xc6, 0xd8, 0xc3, 0x3b, 0x52 -#endif }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber512_ss[] = { +#endif #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber512_ss[] = { 0x0A, 0x69, 0x25, 0x67, 0x6F, 0x24, 0xB2, 0x2C, 0x28, 0x6F, 0x4C, 0x81, 0xA4, 0x22, 0x4C, 0xEC, 0x50, 0x6C, 0x9B, 0x25, 0x7D, 0x48, 0x0E, 0x02, 0xE3, 0xB4, 0x9F, 0x44, 0xCA, 0xA3, 0x23, 0x7F -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_512_ss[] = { 0x31, 0x98, 0x39, 0xe8, 0x2a, 0xb6, 0xb2, 0x22, 0xde, 0x7b, 0x61, 0x9e, 0x80, 0xda, 0x83, 0x91, 0x52, 0x2b, 0xbb, 0x37, 0x67, 0x70, 0x18, 0x49, 0x4a, 0x47, 0x42, 0xc5, 0x3f, 0x9a, 0xbf, 0xdf -#endif }; +#endif #ifdef WOLFSSL_SMALL_STACK key = (KyberKey *)XMALLOC(sizeof(KyberKey), HEAP_HINT, @@ -39178,6 +39190,7 @@ static wc_test_ret_t kyber512_kat(void) ERROR_OUT(WC_TEST_RET_ENC_ERRNO, out); #endif +#ifdef WOLFSSL_KYBER_ORIGINAL ret = wc_KyberKey_Init(KYBER512, key, HEAP_HINT, INVALID_DEVID); if (ret != 0) ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); @@ -39220,6 +39233,52 @@ static wc_test_ret_t kyber512_kat(void) if (XMEMCMP(ss_dec, kyber512_ss, sizeof(kyber512_ss)) != 0) ERROR_OUT(WC_TEST_RET_ENC_NC, out); +#endif +#ifndef WOLFSSL_NO_ML_KEM + ret = wc_KyberKey_Init(WC_ML_KEM_512, key, HEAP_HINT, INVALID_DEVID); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + else + key_inited = 1; + + ret = wc_KyberKey_MakeKeyWithRandom(key, kyber512_rand, + sizeof(kyber512_rand)); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + ret = wc_KyberKey_EncodePublicKey(key, pub, WC_ML_KEM_512_PUBLIC_KEY_SIZE); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + ret = wc_KyberKey_EncodePrivateKey(key, priv, + WC_ML_KEM_512_PRIVATE_KEY_SIZE); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + if (XMEMCMP(pub, ml_kem_512_pk, sizeof(ml_kem_512_pk)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + if (XMEMCMP(priv, ml_kem_512_sk, sizeof(ml_kem_512_sk)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + ret = wc_KyberKey_EncapsulateWithRandom(key, ct, ss, kyber512enc_rand, + sizeof(kyber512enc_rand)); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + if (XMEMCMP(ct, ml_kem_512_ct, sizeof(ml_kem_512_ct)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + if (XMEMCMP(ss, ml_kem_512_ss, sizeof(ml_kem_512_ss)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + ret = wc_KyberKey_Decapsulate(key, ss_dec, ct, sizeof(ml_kem_512_ct)); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + if (XMEMCMP(ss_dec, ml_kem_512_ss, sizeof(ml_kem_512_ss)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); +#endif out: @@ -39239,7 +39298,7 @@ static wc_test_ret_t kyber512_kat(void) } #endif /* WOLFSSL_KYBER512 */ -#ifdef WOLFSSL_KYBER768 +#if !defined(WOLFSSL_NO_KYBER768) && !defined(WOLFSSL_NO_ML_KEM_768) static wc_test_ret_t kyber768_kat(void) { wc_test_ret_t ret; @@ -39276,8 +39335,8 @@ static wc_test_ret_t kyber768_kat(void) 0xcc, 0x09, 0xfe, 0x76, 0xf6, 0x99, 0x76, 0x15 }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber768_pk[] = { #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber768_pk[] = { 0xA7, 0x2C, 0x2D, 0x9C, 0x84, 0x3E, 0xE9, 0xF8, 0x31, 0x3E, 0xCC, 0x7F, 0x86, 0xD6, 0x29, 0x4D, 0x59, 0x15, 0x9D, 0x9A, 0x87, 0x9A, 0x54, 0x2E, @@ -39426,7 +39485,10 @@ static wc_test_ret_t kyber768_kat(void) 0x5F, 0x8F, 0x3F, 0x90, 0x03, 0x48, 0x94, 0x15, 0x89, 0x9D, 0x59, 0xA5, 0x43, 0xD8, 0x20, 0x8C, 0x54, 0xA3, 0x16, 0x65, 0x29, 0xB5, 0x39, 0x22 -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_768_pk[] = { 0xa8, 0xe6, 0x51, 0xa1, 0xe6, 0x85, 0xf2, 0x24, 0x78, 0xa8, 0x95, 0x4f, 0x00, 0x7b, 0xc7, 0x71, 0x1b, 0x93, 0x07, 0x72, 0xc7, 0x8f, 0x09, 0x2e, @@ -39575,10 +39637,10 @@ static wc_test_ret_t kyber768_kat(void) 0xd8, 0xfa, 0xbb, 0xfb, 0x3f, 0xe8, 0xcb, 0x1d, 0xc4, 0xe8, 0x31, 0x5f, 0x2a, 0xf0, 0xd3, 0x2f, 0x00, 0x17, 0xae, 0x13, 0x6e, 0x19, 0xf0, 0x28 -#endif }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber768_sk[] = { +#endif #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber768_sk[] = { 0x07, 0x63, 0x8F, 0xB6, 0x98, 0x68, 0xF3, 0xD3, 0x20, 0xE5, 0x86, 0x2B, 0xD9, 0x69, 0x33, 0xFE, 0xB3, 0x11, 0xB3, 0x62, 0x09, 0x3C, 0x9B, 0x5D, @@ -39879,7 +39941,10 @@ static wc_test_ret_t kyber768_kat(void) 0x00, 0xE0, 0x3B, 0x59, 0xB9, 0x56, 0xF8, 0x21, 0x0E, 0x55, 0x60, 0x67, 0x40, 0x7D, 0x13, 0xDC, 0x90, 0xFA, 0x9E, 0x8B, 0x87, 0x2B, 0xFB, 0x8F -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_768_sk[] = { 0xda, 0x0a, 0xc7, 0xb6, 0x60, 0x40, 0x4e, 0x61, 0x3a, 0xa1, 0xf9, 0x80, 0x38, 0x0c, 0xb3, 0x6d, 0xba, 0x18, 0xd2, 0x32, 0x56, 0xc7, 0x26, 0x7a, @@ -40180,10 +40245,10 @@ static wc_test_ret_t kyber768_kat(void) 0x00, 0xe0, 0x3b, 0x59, 0xb9, 0x56, 0xf8, 0x21, 0x0e, 0x55, 0x60, 0x67, 0x40, 0x7d, 0x13, 0xdc, 0x90, 0xfa, 0x9e, 0x8b, 0x87, 0x2b, 0xfb, 0x8f -#endif }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber768_ct[] = { +#endif #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber768_ct[] = { 0xB5, 0x2C, 0x56, 0xB9, 0x2A, 0x4B, 0x7C, 0xE9, 0xE4, 0xCB, 0x7C, 0x5B, 0x1B, 0x16, 0x31, 0x67, 0xA8, 0xA1, 0x67, 0x5B, 0x2F, 0xDE, 0xF8, 0x4A, @@ -40320,7 +40385,10 @@ static wc_test_ret_t kyber768_kat(void) 0x24, 0x62, 0xDC, 0x44, 0xD3, 0x49, 0x65, 0x10, 0x24, 0x82, 0xA8, 0xED, 0x9E, 0x4E, 0x96, 0x4D, 0x56, 0x83, 0xE5, 0xD4, 0x5D, 0x0C, 0x82, 0x69 -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_768_ct[] = { 0xc8, 0x39, 0x10, 0x85, 0xb8, 0xd3, 0xea, 0x97, 0x94, 0x21, 0x25, 0x41, 0xb2, 0x91, 0x4f, 0x08, 0x96, 0x4d, 0x33, 0x52, 0x1d, 0x3f, 0x67, 0xad, @@ -40457,21 +40525,24 @@ static wc_test_ret_t kyber768_kat(void) 0x1b, 0xc6, 0xd6, 0x3c, 0x16, 0x93, 0xc1, 0x84, 0x78, 0x52, 0xf8, 0xe9, 0x7f, 0x50, 0xa1, 0x33, 0x53, 0x2a, 0xc3, 0xee, 0x1e, 0x52, 0xd4, 0x64 -#endif }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber768_ss[] = { +#endif #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber768_ss[] = { 0x91, 0x4C, 0xB6, 0x7F, 0xE5, 0xC3, 0x8E, 0x73, 0xBF, 0x74, 0x18, 0x1C, 0x0A, 0xC5, 0x04, 0x28, 0xDE, 0xDF, 0x77, 0x50, 0xA9, 0x80, 0x58, 0xF7, 0xD5, 0x36, 0x70, 0x87, 0x74, 0x53, 0x5B, 0x29 -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_768_ss[] = { 0xe7, 0x18, 0x4a, 0x09, 0x75, 0xee, 0x34, 0x70, 0x87, 0x8d, 0x2d, 0x15, 0x9e, 0xc8, 0x31, 0x29, 0xc8, 0xae, 0xc2, 0x53, 0xd4, 0xee, 0x17, 0xb4, 0x81, 0x03, 0x11, 0xd1, 0x98, 0xcd, 0x03, 0x68 -#endif }; +#endif #ifdef WOLFSSL_SMALL_STACK key = (KyberKey *)XMALLOC(sizeof(KyberKey), HEAP_HINT, @@ -40491,6 +40562,7 @@ static wc_test_ret_t kyber768_kat(void) ERROR_OUT(WC_TEST_RET_ENC_ERRNO, out); #endif +#ifdef WOLFSSL_KYBER_ORIGINAL ret = wc_KyberKey_Init(KYBER768, key, HEAP_HINT, INVALID_DEVID); if (ret != 0) ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); @@ -40533,6 +40605,52 @@ static wc_test_ret_t kyber768_kat(void) if (XMEMCMP(ss_dec, kyber768_ss, sizeof(kyber768_ss)) != 0) ERROR_OUT(WC_TEST_RET_ENC_NC, out); +#endif +#ifndef WOLFSSL_NO_ML_KEM + ret = wc_KyberKey_Init(WC_ML_KEM_768, key, HEAP_HINT, INVALID_DEVID); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + else + key_inited = 1; + + ret = wc_KyberKey_MakeKeyWithRandom(key, kyber768_rand, + sizeof(kyber768_rand)); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + ret = wc_KyberKey_EncodePublicKey(key, pub, WC_ML_KEM_768_PUBLIC_KEY_SIZE); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + ret = wc_KyberKey_EncodePrivateKey(key, priv, + WC_ML_KEM_768_PRIVATE_KEY_SIZE); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + if (XMEMCMP(pub, ml_kem_768_pk, sizeof(ml_kem_768_pk)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + if (XMEMCMP(priv, ml_kem_768_sk, sizeof(ml_kem_768_sk)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + ret = wc_KyberKey_EncapsulateWithRandom(key, ct, ss, kyber768enc_rand, + sizeof(kyber768enc_rand)); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + if (XMEMCMP(ct, ml_kem_768_ct, sizeof(ml_kem_768_ct)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + if (XMEMCMP(ss, ml_kem_768_ss, sizeof(ml_kem_768_ss)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + ret = wc_KyberKey_Decapsulate(key, ss_dec, ct, sizeof(ml_kem_768_ct)); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + if (XMEMCMP(ss_dec, ml_kem_768_ss, sizeof(ml_kem_768_ss)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); +#endif out: @@ -40552,7 +40670,7 @@ static wc_test_ret_t kyber768_kat(void) } #endif /* WOLFSSL_KYBER768 */ -#ifdef WOLFSSL_KYBER1024 +#if !defined(WOLFSSL_NO_KYBER1024) && !defined(WOLFSSL_NO_ML_KEM_1024) static wc_test_ret_t kyber1024_kat(void) { wc_test_ret_t ret; @@ -40588,8 +40706,8 @@ static wc_test_ret_t kyber1024_kat(void) 0xc8, 0x0e, 0xfe, 0x79, 0xa3, 0xa9, 0xa8, 0x74, 0xcc, 0x09, 0xfe, 0x76, 0xf6, 0x99, 0x76, 0x15 }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_pk[] = { #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_pk[] = { 0xD2, 0x23, 0x02, 0xCB, 0xD3, 0x39, 0x9F, 0xAC, 0xC6, 0x30, 0x99, 0x1F, 0xC8, 0xF2, 0x8B, 0xDB, 0x43, 0x54, 0x76, 0x25, 0x41, 0x52, 0x76, 0x78, @@ -40786,7 +40904,10 @@ static wc_test_ret_t kyber1024_kat(void) 0x5F, 0x8F, 0x3F, 0x90, 0x03, 0x48, 0x94, 0x15, 0x89, 0x9D, 0x59, 0xA5, 0x43, 0xD8, 0x20, 0x8C, 0x54, 0xA3, 0x16, 0x65, 0x29, 0xB5, 0x39, 0x22 -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_1024_pk[] = { 0x53, 0x79, 0x11, 0x95, 0x7c, 0x12, 0x51, 0x48, 0xa8, 0x7f, 0x41, 0x58, 0x9c, 0xb2, 0x22, 0xd0, 0xd1, 0x92, 0x29, 0xe2, 0xcb, 0x55, 0xe1, 0xa0, @@ -40983,10 +41104,10 @@ static wc_test_ret_t kyber1024_kat(void) 0x41, 0x86, 0x9a, 0xbf, 0xba, 0xd1, 0x07, 0x38, 0xad, 0x04, 0xcc, 0x75, 0x2b, 0xc2, 0x0c, 0x39, 0x47, 0x46, 0x85, 0x0e, 0x0c, 0x48, 0x47, 0xdb -#endif }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_sk[] = { +#endif #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_sk[] = { 0x07, 0x63, 0x8F, 0xB6, 0x98, 0x68, 0xF3, 0xD3, 0x20, 0xE5, 0x86, 0x2B, 0xD9, 0x69, 0x33, 0xFE, 0xB3, 0x11, 0xB3, 0x62, 0x09, 0x3C, 0x9B, 0x5D, @@ -41383,7 +41504,10 @@ static wc_test_ret_t kyber1024_kat(void) 0x00, 0xE0, 0x3B, 0x59, 0xB9, 0x56, 0xF8, 0x21, 0x0E, 0x55, 0x60, 0x67, 0x40, 0x7D, 0x13, 0xDC, 0x90, 0xFA, 0x9E, 0x8B, 0x87, 0x2B, 0xFB, 0x8F -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_1024_sk[] = { 0x43, 0x3a, 0x70, 0xee, 0x69, 0x50, 0xf9, 0x88, 0x2a, 0xcd, 0xd5, 0xa4, 0x78, 0x20, 0xa6, 0xa8, 0x16, 0x37, 0x08, 0xf0, 0x4d, 0x45, 0x7c, 0x77, @@ -41780,10 +41904,10 @@ static wc_test_ret_t kyber1024_kat(void) 0x00, 0xe0, 0x3b, 0x59, 0xb9, 0x56, 0xf8, 0x21, 0x0e, 0x55, 0x60, 0x67, 0x40, 0x7d, 0x13, 0xdc, 0x90, 0xfa, 0x9e, 0x8b, 0x87, 0x2b, 0xfb, 0x8f -#endif }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_ct[] = { +#endif #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_ct[] = { 0xA6, 0xAF, 0x29, 0xD5, 0xF5, 0xB8, 0x0B, 0xD1, 0x30, 0xF5, 0x18, 0xBA, 0xDD, 0xD6, 0xC8, 0xF1, 0x75, 0x45, 0x41, 0x3D, 0x86, 0x0F, 0xB3, 0xDE, @@ -41980,7 +42104,10 @@ static wc_test_ret_t kyber1024_kat(void) 0x93, 0x23, 0x93, 0x29, 0x98, 0xD5, 0x6E, 0xF4, 0x30, 0xC7, 0x3B, 0xC2, 0x4F, 0x5D, 0x95, 0xF7, 0x37, 0x85, 0x8D, 0xDC, 0x4F, 0x32, 0xC0, 0x13 -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_1024_ct[] = { 0xc9, 0xbe, 0xad, 0x6b, 0x0c, 0x11, 0x14, 0x38, 0x9b, 0xd4, 0x76, 0x1c, 0x73, 0xab, 0x90, 0x95, 0xb5, 0x80, 0x9d, 0xaa, 0xc9, 0xf6, 0x59, 0xbb, @@ -42177,21 +42304,24 @@ static wc_test_ret_t kyber1024_kat(void) 0xa9, 0xae, 0x11, 0x0a, 0xaf, 0x4d, 0x68, 0xbf, 0x4e, 0x27, 0x41, 0x0d, 0x43, 0xce, 0xef, 0x3e, 0x88, 0xe9, 0xc7, 0x17, 0xdd, 0x44, 0xc9, 0xee -#endif }; - WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_ss[] = { +#endif #ifdef WOLFSSL_KYBER_ORIGINAL + WOLFSSL_SMALL_STACK_STATIC const byte kyber1024_ss[] = { 0xB1, 0x0F, 0x73, 0x94, 0x92, 0x6A, 0xD3, 0xB4, 0x9C, 0x5D, 0x62, 0xD5, 0xAE, 0xB5, 0x31, 0xD5, 0x75, 0x75, 0x38, 0xBC, 0xC0, 0xDA, 0x9E, 0x55, 0x0D, 0x43, 0x8F, 0x1B, 0x61, 0xBD, 0x74, 0x19 -#else + }; +#endif +#ifndef WOLFSSL_NO_ML_KEM + WOLFSSL_SMALL_STACK_STATIC const byte ml_kem_1024_ss[] = { 0x48, 0x9d, 0xd1, 0xe9, 0xc2, 0xbe, 0x4a, 0xf3, 0x48, 0x2b, 0xdb, 0x35, 0xbb, 0x26, 0xce, 0x76, 0x0e, 0x6e, 0x41, 0x4d, 0xa6, 0xec, 0xbe, 0x48, 0x99, 0x85, 0x74, 0x8a, 0x82, 0x5f, 0x1c, 0xd6 -#endif }; +#endif #ifdef WOLFSSL_SMALL_STACK key = (KyberKey *)XMALLOC(sizeof(KyberKey), HEAP_HINT, @@ -42211,6 +42341,7 @@ static wc_test_ret_t kyber1024_kat(void) ERROR_OUT(WC_TEST_RET_ENC_ERRNO, out); #endif +#ifdef WOLFSSL_KYBER_ORIGINAL ret = wc_KyberKey_Init(KYBER1024, key, HEAP_HINT, INVALID_DEVID); if (ret != 0) ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); @@ -42253,6 +42384,52 @@ static wc_test_ret_t kyber1024_kat(void) if (XMEMCMP(ss_dec, kyber1024_ss, sizeof(kyber1024_ss)) != 0) ERROR_OUT(WC_TEST_RET_ENC_NC, out); +#endif +#ifndef WOLFSSL_NO_ML_KEM + ret = wc_KyberKey_Init(WC_ML_KEM_1024, key, HEAP_HINT, INVALID_DEVID); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + else + key_inited = 1; + + ret = wc_KyberKey_MakeKeyWithRandom(key, kyber1024_rand, + sizeof(kyber1024_rand)); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + ret = wc_KyberKey_EncodePublicKey(key, pub, WC_ML_KEM_MAX_PUBLIC_KEY_SIZE); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + ret = wc_KyberKey_EncodePrivateKey(key, priv, + WC_ML_KEM_MAX_PRIVATE_KEY_SIZE); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + if (XMEMCMP(pub, ml_kem_1024_pk, sizeof(ml_kem_1024_pk)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + if (XMEMCMP(priv, ml_kem_1024_sk, sizeof(ml_kem_1024_sk)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + ret = wc_KyberKey_EncapsulateWithRandom(key, ct, ss, kyber1024enc_rand, + sizeof(kyber1024enc_rand)); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + if (XMEMCMP(ct, ml_kem_1024_ct, sizeof(ml_kem_1024_ct)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + if (XMEMCMP(ss, ml_kem_1024_ss, sizeof(ml_kem_1024_ss)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); + + ret = wc_KyberKey_Decapsulate(key, ss_dec, ct, sizeof(ml_kem_1024_ct)); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); + + if (XMEMCMP(ss_dec, ml_kem_1024_ss, sizeof(ml_kem_1024_ss)) != 0) + ERROR_OUT(WC_TEST_RET_ENC_NC, out); +#endif out: @@ -42299,6 +42476,21 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t kyber_test(void) #endif int key_inited = 0; static const int testData[][4] = { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_ML_KEM_512 + { WC_ML_KEM_512, WC_ML_KEM_512_PRIVATE_KEY_SIZE, + WC_ML_KEM_512_PUBLIC_KEY_SIZE, WC_ML_KEM_512_CIPHER_TEXT_SIZE }, + #endif + #ifdef WOLFSSL_WC_ML_KEM_768 + { WC_ML_KEM_768, WC_ML_KEM_768_PRIVATE_KEY_SIZE, + WC_ML_KEM_768_PUBLIC_KEY_SIZE, WC_ML_KEM_768_CIPHER_TEXT_SIZE }, + #endif + #ifdef WOLFSSL_WC_ML_KEM_1024 + { WC_ML_KEM_1024, WC_ML_KEM_1024_PRIVATE_KEY_SIZE, + WC_ML_KEM_1024_PUBLIC_KEY_SIZE, WC_ML_KEM_1024_CIPHER_TEXT_SIZE }, + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 { KYBER512, KYBER512_PRIVATE_KEY_SIZE, KYBER512_PUBLIC_KEY_SIZE, KYBER512_CIPHER_TEXT_SIZE }, @@ -42311,6 +42503,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t kyber_test(void) { KYBER1024, KYBER1024_PRIVATE_KEY_SIZE, KYBER1024_PUBLIC_KEY_SIZE, KYBER1024_CIPHER_TEXT_SIZE }, #endif +#endif }; WOLFSSL_ENTER("kyber_test"); @@ -42408,17 +42601,17 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t kyber_test(void) wc_FreeRng(&rng); #ifdef WOLFSSL_WC_KYBER -#ifdef WOLFSSL_KYBER512 +#if !defined(WOLFSSL_NO_KYBER512) && !defined(WOLFSSL_NO_ML_KEM_512) ret = kyber512_kat(); if (ret != 0) goto out; #endif -#ifdef WOLFSSL_KYBER768 +#if !defined(WOLFSSL_NO_KYBER768) && !defined(WOLFSSL_NO_ML_KEM_768) ret = kyber768_kat(); if (ret != 0) goto out; #endif -#ifdef WOLFSSL_KYBER1024 +#if !defined(WOLFSSL_NO_KYBER1024) && !defined(WOLFSSL_NO_ML_KEM_1024) ret = kyber1024_kat(); if (ret != 0) goto out; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 4bbdf6565c..d0efd488df 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -4177,35 +4177,44 @@ enum { * algorithms have LEVEL2 and LEVEL4 because none of these submissions * included them. */ -#ifndef WOLFSSL_ML_KEM +#ifdef WOLFSSL_KYBER_ORIGINAL WOLFSSL_PQC_MIN = 570, WOLFSSL_PQC_SIMPLE_MIN = 570, WOLFSSL_KYBER_LEVEL1 = 570, /* KYBER_512 */ WOLFSSL_KYBER_LEVEL3 = 572, /* KYBER_768 */ WOLFSSL_KYBER_LEVEL5 = 573, /* KYBER_1024 */ +#ifdef WOLFSSL_NO_ML_KEM WOLFSSL_PQC_SIMPLE_MAX = 573, +#endif WOLFSSL_PQC_HYBRID_MIN = 12090, WOLFSSL_P256_KYBER_LEVEL1 = 12090, WOLFSSL_P384_KYBER_LEVEL3 = 12092, WOLFSSL_P521_KYBER_LEVEL5 = 12093, +#ifdef WOLFSSL_NO_ML_KEM WOLFSSL_PQC_HYBRID_MAX = 12093, WOLFSSL_PQC_MAX = 12093, -#else +#endif +#endif +#ifndef WOLFSSL_NO_ML_KEM +#ifndef WOLFSSL_KYBER_ORIGINAL WOLFSSL_PQC_MIN = 583, WOLFSSL_PQC_SIMPLE_MIN = 583, - WOLFSSL_KYBER_LEVEL1 = 583, /* ML-KEM 512 */ - WOLFSSL_KYBER_LEVEL3 = 584, /* ML-KEM 768 */ - WOLFSSL_KYBER_LEVEL5 = 585, /* ML-KEM 1024 */ +#endif + WOLFSSL_ML_KEM_512 = 583, /* ML-KEM 512 */ + WOLFSSL_ML_KEM_768 = 584, /* ML-KEM 768 */ + WOLFSSL_ML_KEM_1024 = 585, /* ML-KEM 1024 */ WOLFSSL_PQC_SIMPLE_MAX = 585, +#ifndef WOLFSSL_KYBER_ORIGINAL WOLFSSL_PQC_HYBRID_MIN = 12103, - WOLFSSL_P256_KYBER_LEVEL1 = 12103, - WOLFSSL_P384_KYBER_LEVEL3 = 12104, - WOLFSSL_P521_KYBER_LEVEL5 = 12105, +#endif + WOLFSSL_P256_ML_KEM_512 = 12103, + WOLFSSL_P384_ML_KEM_768 = 12104, + WOLFSSL_P521_ML_KEM_1024 = 12105, WOLFSSL_PQC_HYBRID_MAX = 12105, WOLFSSL_PQC_MAX = 12105, -#endif /* WOLFSSL_ML_KEM */ +#endif /* !WOLFSSL_NO_ML_KEM */ #endif /* HAVE_PQC */ }; diff --git a/wolfssl/wolfcrypt/kyber.h b/wolfssl/wolfcrypt/kyber.h index 93b502223a..3fb1a231ee 100644 --- a/wolfssl/wolfcrypt/kyber.h +++ b/wolfssl/wolfcrypt/kyber.h @@ -153,9 +153,14 @@ enum { /* Types of Kyber keys. */ - KYBER512 = 0, - KYBER768 = 1, - KYBER1024 = 2, + WC_ML_KEM_512 = 0, + WC_ML_KEM_768 = 1, + WC_ML_KEM_1024 = 2, + + KYBER_ORIGINAL = 0x10, + KYBER512 = 0 | KYBER_ORIGINAL, + KYBER768 = 1 | KYBER_ORIGINAL, + KYBER1024 = 2 | KYBER_ORIGINAL, KYBER_LEVEL1 = KYBER512, KYBER_LEVEL3 = KYBER768, @@ -215,30 +220,48 @@ WOLFSSL_API int wc_KyberKey_EncodePublicKey(KyberKey* key, unsigned char* out, +#if !defined(WOLFSSL_NO_ML_KEM_512) && !defined(WOLFSSL_NO_ML_KEM) +#define WOLFSSL_WC_ML_KEM_512 +#endif +#if !defined(WOLFSSL_NO_ML_KEM_768) && !defined(WOLFSSL_NO_ML_KEM) +#define WOLFSSL_WC_ML_KEM_768 +#endif +#if !defined(WOLFSSL_NO_ML_KEM_1024) && !defined(WOLFSSL_NO_ML_KEM) +#define WOLFSSL_WC_ML_KEM_1024 +#endif + +#ifdef WOLFSSL_WC_ML_KEM_512 #define WC_ML_KEM_512_K KYBER512_K #define WC_ML_KEM_512_PUBLIC_KEY_SIZE KYBER512_PUBLIC_KEY_SIZE -#define wC_ML_KEM_512_PRIVATE_KEY_SIZE KYBER512_PRIVATE_KEY_SIZE -#define wC_ML_KEM_512_CIPHER_TEXT_SIZE KYBER512_CIPHER_TEXT_SIZE +#define WC_ML_KEM_512_PRIVATE_KEY_SIZE KYBER512_PRIVATE_KEY_SIZE +#define WC_ML_KEM_512_CIPHER_TEXT_SIZE KYBER512_CIPHER_TEXT_SIZE +#define WC_ML_KEM_512_POLY_VEC_COMPRESSED_SZ \ + KYBER512_POLY_VEC_COMPRESSED_SZ +#endif +#ifdef WOLFSSL_WC_ML_KEM_768 #define WC_ML_KEM_768_K KYBER768_K #define WC_ML_KEM_768_PUBLIC_KEY_SIZE KYBER768_PUBLIC_KEY_SIZE -#define wC_ML_KEM_768_PRIVATE_KEY_SIZE KYBER768_PRIVATE_KEY_SIZE -#define wC_ML_KEM_768_CIPHER_TEXT_SIZE KYBER768_CIPHER_TEXT_SIZE +#define WC_ML_KEM_768_PRIVATE_KEY_SIZE KYBER768_PRIVATE_KEY_SIZE +#define WC_ML_KEM_768_CIPHER_TEXT_SIZE KYBER768_CIPHER_TEXT_SIZE +#define WC_ML_KEM_768_POLY_VEC_COMPRESSED_SZ \ + KYBER768_POLY_VEC_COMPRESSED_SZ +#endif +#ifdef WOLFSSL_WC_ML_KEM_1024 #define WC_ML_KEM_1024_K KYBER1024_K #define WC_ML_KEM_1024_PUBLIC_KEY_SIZE KYBER1024_PUBLIC_KEY_SIZE -#define wC_ML_KEM_1024_PRIVATE_KEY_SIZE KYBER1024_PRIVATE_KEY_SIZE -#define wC_ML_KEM_1024_CIPHER_TEXT_SIZE KYBER1024_CIPHER_TEXT_SIZE +#define WC_ML_KEM_1024_PRIVATE_KEY_SIZE KYBER1024_PRIVATE_KEY_SIZE +#define WC_ML_KEM_1024_CIPHER_TEXT_SIZE KYBER1024_CIPHER_TEXT_SIZE +#define WC_ML_KEM_1024_POLY_VEC_COMPRESSED_SZ \ + KYBER1024_POLY_VEC_COMPRESSED_SZ +#endif #define WC_ML_KEM_MAX_K KYBER_MAX_K #define WC_ML_KEM_MAX_PRIVATE_KEY_SIZE KYBER_MAX_PRIVATE_KEY_SIZE #define WC_ML_KEM_MAX_PUBLIC_KEY_SIZE KYBER_MAX_PUBLIC_KEY_SIZE #define WC_ML_KEM_MAX_CIPHER_TEXT_SIZE KYBER_MAX_CIPHER_TEXT_SIZE -#define WC_ML_KEM_512 KYBER512 -#define WC_ML_KEM_768 KYBER768 -#define WC_ML_KEM_1024 KYBER1024 - #define WC_ML_KEM_SYM_SZ KYBER_SYM_SZ #define WC_ML_KEM_SS_SZ KYBER_SS_SZ #define WC_ML_KEM_MAKEKEY_RAND_SZ KYBER_MAKEKEY_RAND_SZ