gate dilithium OID autodetection on FIPS 204 draft mode

bigbrett · bigbrett · commit cceeb776f7d4 · 2024-11-21T09:38:11.000-08:00
diff --git a/tests/api.c b/tests/api.c
@@ -35003,10 +35003,20 @@ static int test_wc_dilithium_der(void)
      * the supplied DER is invalid, this should fail with ASN parsing error */
     idx = 0;
     ExpectIntEQ(wc_Dilithium_PublicKeyDecode(der, &idx, key, pubDerLen),
-        WC_NO_ERR_TRACE(ASN_PARSE_E));
+#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG)
+#else
+        WC_NO_ERR_TRACE(ASN_PARSE_E)
+#endif
+    );
     idx = 0;
     ExpectIntEQ(wc_Dilithium_PrivateKeyDecode(der, &idx, key, privDerLen),
-        WC_NO_ERR_TRACE(ASN_PARSE_E));
+#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG)
+#else
+        WC_NO_ERR_TRACE(ASN_PARSE_E)
+#endif
+    );
 
 #ifndef WOLFSSL_NO_ML_DSA_44
     ExpectIntEQ(wc_dilithium_set_level(key, WC_ML_DSA_44), 0);
diff --git a/wolfcrypt/src/dilithium.c b/wolfcrypt/src/dilithium.c
@@ -9532,14 +9532,15 @@ static int mapOidToSecLevel(word32 oid)
  * @param [in, out] inOutIdx  On in, index into array of start of DER encoding.
  *                            On out, index into array after DER encoding.
  * @param [in, out] key       Dilithium key structure to hold the decoded key.
- *                            If the security level is set in the key structure on
- *                            input, the DER key will be decoded as such and will
- *                            fail if there is a mismatch. If the level and
- *                            parameters are not set in the key structure on
+ *                            If the security level is set in the key structure
+ *                            on input, the DER key will be decoded as such and
+ *                            will fail if there is a mismatch. If the level
+ *                            and parameters are not set in the key structure on
  *                            input, the level will be detected from the DER
  *                            file based on the algorithm OID, appropriately
  *                            decoded, then updated in the key structure on
- *                            output.
+ *                            output. Auto-detection of the security level is
+ *                            not supported if compiled for FIPS 204 draft mode.
  * @param [in]      inSz      Total size of the input DER buffer array.
  * @return  0 on success.
  * @return  BAD_FUNC_ARG when input, inOutIdx or key is NULL or inSz is 0.
@@ -9803,10 +9804,12 @@ static int dilithium_check_type(const byte* input, word32* inOutIdx, byte type,
  *                            on input, the DER key will be decoded as such
  *                            and will fail if there is a mismatch. If the level
  *                            and parameters are not set in the key structure on
- *                            input, the level will be detected from the DER file
- *                            based on the algorithm OID, appropriately decoded,
- *                            then updated in the key structure on output.
- *                            updated in the key structure on output.
+ *                            input, the level will be detected from the DER
+ *                            file based on the algorithm OID, appropriately
+ *                            decoded, then updated in the key structure on
+ *                            output. Auto-detection of the security level is
+ *                            not supported if compiled for FIPS 204
+ *                            draft mode.
  * @param [in]      inSz      Total size of data in array.
  * @return  0 on success.
  * @return  BAD_FUNC_ARG when input, inOutIdx or key is NULL or inSz is 0.
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -45952,6 +45952,7 @@ static wc_test_ret_t test_dilithium_decode_level(const byte* rawKey,
         ret = wc_dilithium_init(&key);
     }
 
+#ifndef WOLFSSL_DILITHIUM_FIPS204_DRAFT
     /* Test decoding without setting security level - should auto-detect */
     if (ret == 0) {
         idx = 0;
@@ -45974,6 +45975,7 @@ static wc_test_ret_t test_dilithium_decode_level(const byte* rawKey,
                expectedLevel, key.level);
         ret = WC_TEST_RET_ENC_NC;
     }
+#endif /* !WOLFSSL_DILITHIUM_FIPS204_DRAFT */
 
     /* Cleanup */
     XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);

Original file line number	Diff line number	Diff line change
`@@ -45952,6 +45952,7 @@ static wc_test_ret_t test_dilithium_decode_level(const byte* rawKey,`
`45952`	`45952`	`ret = wc_dilithium_init(&key);`
`45953`	`45953`	`}`
`45954`	`45954`
	`45955`	`+#ifndef WOLFSSL_DILITHIUM_FIPS204_DRAFT`
`45955`	`45956`	`/* Test decoding without setting security level - should auto-detect */`
`45956`	`45957`	`if (ret == 0) {`
`45957`	`45958`	`idx = 0;`
`@@ -45974,6 +45975,7 @@ static wc_test_ret_t test_dilithium_decode_level(const byte* rawKey,`
`45974`	`45975`	`expectedLevel, key.level);`
`45975`	`45976`	`ret = WC_TEST_RET_ENC_NC;`
`45976`	`45977`	`}`
	`45978`	`+#endif /* !WOLFSSL_DILITHIUM_FIPS204_DRAFT */`
`45977`	`45979`
`45978`	`45980`	`/* Cleanup */`
`45979`	`45981`	`XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);`