Merge pull request #8393 from anhu/draft-tls-westerbaan-mldsa

New codepoint for MLDSA

src/internal.c

@@ -4582,14 +4582,11 @@ void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType)
             }
             break;
     #endif
-#if defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
-        case PQC_SA_MAJOR:
-            /* Hash performed as part of sign/verify operation.
-             * However, if we want a dual alg signature with a
-             * classic algorithm as alternative, we need an explicit
-             * hash algo here.
-             */
+    /* Hash performed as part of sign/verify operation.
+     * However, if we want a dual alg signature with a classic algorithm as
+     * alternative, we need an explicit hash algo here. */
     #ifdef HAVE_FALCON
+        case FALCON_SA_MAJOR:
             if (input[1] == FALCON_LEVEL1_SA_MINOR) {
                 *hsType = falcon_level1_sa_algo;
                 *hashAlgo = sha256_mac;
@@ -4598,8 +4595,10 @@ void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType)
                 *hsType = falcon_level5_sa_algo;
                 *hashAlgo = sha512_mac;
             }
+            break;
     #endif /* HAVE_FALCON */
     #ifdef HAVE_DILITHIUM
+        case DILITHIUM_SA_MAJOR:
             if (input[1] == DILITHIUM_LEVEL2_SA_MINOR) {
                 *hsType = dilithium_level2_sa_algo;
                 *hashAlgo = sha256_mac;
@@ -4612,9 +4611,8 @@ void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType)
                 *hsType = dilithium_level5_sa_algo;
                 *hashAlgo = sha512_mac;
             }
-    #endif /* HAVE_DILITHIUM */
             break;
-#endif
+    #endif /* HAVE_DILITHIUM */
         default:
             *hashAlgo = input[0];
             *hsType   = input[1];

src/tls13.c

@@ -8015,9 +8015,8 @@ static WC_INLINE int DecodeTls13SigAlg(byte* input, byte* hashAlgo,
             else
                 ret = INVALID_PARAMETER;
             break;
-#if defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
-        case PQC_SA_MAJOR:
 #if defined(HAVE_FALCON)
+        case FALCON_SA_MAJOR:
             if (input[1] == FALCON_LEVEL1_SA_MINOR) {
                 *hsType = falcon_level1_sa_algo;
                 /* Hash performed as part of sign/verify operation. */
@@ -8028,8 +8027,11 @@ static WC_INLINE int DecodeTls13SigAlg(byte* input, byte* hashAlgo,
                 *hashAlgo = sha512_mac;
             }
             else
+                ret = INVALID_PARAMETER;
+            break;
 #endif /* HAVE_FALCON */
 #if defined(HAVE_DILITHIUM)
+        case DILITHIUM_SA_MAJOR:
             if (input[1] == DILITHIUM_LEVEL2_SA_MINOR) {
                 *hsType = dilithium_level2_sa_algo;
                 /* Hash performed as part of sign/verify operation. */
@@ -8044,12 +8046,11 @@ static WC_INLINE int DecodeTls13SigAlg(byte* input, byte* hashAlgo,
                 *hashAlgo = sha512_mac;
             }
             else
-#endif /* HAVE_DILITHIUM */
             {
                 ret = INVALID_PARAMETER;
             }
             break;
-#endif
+#endif /* HAVE_DILITHIUM */
         default:
             *hashAlgo = input[0];
             *hsType   = input[1];

wolfssl/internal.h

@@ -1837,20 +1837,23 @@ enum Misc {
     SM2_SA_MAJOR        = 7,   /* Most significant byte for SM2 with SM3 */
     SM2_SA_MINOR        = 8,   /* Least significant byte for SM2 with SM3 */
 
-    PQC_SA_MAJOR        = 0xFE,/* Most significant byte used with PQC sig algs */
+    FALCON_SA_MAJOR     = 0xFE,/* Most significant byte used with falcon sig algs */
+    DILITHIUM_SA_MAJOR  = 0x09,/* Most significant byte used with dilithium sig algs */
 
-    /* These values for falcon and dilithium match what OQS has defined. */
+    /* These values for falcon match what OQS has defined. */
     FALCON_LEVEL1_SA_MAJOR = 0xFE,
     FALCON_LEVEL1_SA_MINOR = 0xAE,
     FALCON_LEVEL5_SA_MAJOR = 0xFE,
     FALCON_LEVEL5_SA_MINOR = 0xB1,
 
-    DILITHIUM_LEVEL2_SA_MAJOR = 0xFE,
-    DILITHIUM_LEVEL2_SA_MINOR = 0xD0,
-    DILITHIUM_LEVEL3_SA_MAJOR = 0xFE,
-    DILITHIUM_LEVEL3_SA_MINOR = 0xD1,
-    DILITHIUM_LEVEL5_SA_MAJOR = 0xFE,
-    DILITHIUM_LEVEL5_SA_MINOR = 0xD2,
+    /* these values for MLDSA (Dilithium) correspond to what is proposed in the
+     * IETF. */
+    DILITHIUM_LEVEL2_SA_MAJOR = 0x09,
+    DILITHIUM_LEVEL2_SA_MINOR = 0x04,
+    DILITHIUM_LEVEL3_SA_MAJOR = 0x09,
+    DILITHIUM_LEVEL3_SA_MINOR = 0x05,
+    DILITHIUM_LEVEL5_SA_MAJOR = 0x09,
+    DILITHIUM_LEVEL5_SA_MINOR = 0x06,
 
     MIN_RSA_SHA512_PSS_BITS = 512 * 2 + 8 * 8, /* Min key size */
     MIN_RSA_SHA384_PSS_BITS = 384 * 2 + 8 * 8, /* Min key size */

wolfssl/ssl.h

@@ -4602,22 +4602,22 @@ enum {
 #endif
 #ifndef WOLFSSL_NO_ML_KEM
 #ifndef WOLFSSL_KYBER_ORIGINAL
-    WOLFSSL_PQC_MIN               = 583,
-    WOLFSSL_PQC_SIMPLE_MIN        = 583,
+    WOLFSSL_PQC_MIN               = 512,
+    WOLFSSL_PQC_SIMPLE_MIN        = 512,
 #endif
-    WOLFSSL_ML_KEM_512            = 583, /* ML-KEM 512 */
-    WOLFSSL_ML_KEM_768            = 584, /* ML-KEM 768 */
-    WOLFSSL_ML_KEM_1024           = 585, /* ML-KEM 1024 */
-    WOLFSSL_PQC_SIMPLE_MAX        = 585,
+    WOLFSSL_ML_KEM_512            = 512, /* ML-KEM 512 */
+    WOLFSSL_ML_KEM_768            = 513, /* ML-KEM 768 */
+    WOLFSSL_ML_KEM_1024           = 514, /* ML-KEM 1024 */
+    WOLFSSL_PQC_SIMPLE_MAX        = 514,
 
 #ifndef WOLFSSL_KYBER_ORIGINAL
-    WOLFSSL_PQC_HYBRID_MIN        = 12103,
+    WOLFSSL_PQC_HYBRID_MIN        = 12107,
 #endif
-    WOLFSSL_P256_ML_KEM_512       = 12103,
-    WOLFSSL_P384_ML_KEM_768       = 12104,
-    WOLFSSL_P521_ML_KEM_1024      = 12105,
-    WOLFSSL_PQC_HYBRID_MAX        = 12105,
-    WOLFSSL_PQC_MAX               = 12105,
+    WOLFSSL_P256_ML_KEM_512       = 12107,
+    WOLFSSL_P384_ML_KEM_768       = 12108,
+    WOLFSSL_P521_ML_KEM_1024      = 12109,
+    WOLFSSL_PQC_HYBRID_MAX        = 12109,
+    WOLFSSL_PQC_MAX               = 12109,
 #endif /* !WOLFSSL_NO_ML_KEM */
 #endif /* HAVE_PQC */
     WOLF_ENUM_DUMMY_LAST_ELEMENT(SSL_H)