ML-KEM fixes

* DTLS 1.3 cookie and CH frag handling
* static memory handling
* Fix memory leak in TLS server PQC handling in case of ECH
* Make sure hybrids are actually tested in testsuite

Author: Frauschi

examples/client/client.c

@@ -557,6 +557,18 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
             else {
                 err_sys("unable to use post-quantum KEM");
             }
+
+        #ifdef WOLFSSL_DTLS13
+            if (wolfSSL_dtls(ssl)) {
+                /* When the KeyShare is too large for an unfragmented
+                 * ClientHello, DTLS sends an empty KeyShare extension to
+                 * use the Hello Retry Request to enable fragmentation.
+                 * In order to enforce our desired PQC algorithm in the
+                 * second ClientHello, we need to set it as the only one
+                 * allowed in the SupportedGroups extension. */
+                setGroups = 1;
+            }
+        #endif /* WOLFSSL_DTLS13 */
         }
     }
     #endif
@@ -2299,8 +2311,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
 
 #ifdef WOLFSSL_STATIC_MEMORY
-    #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) \
-        || defined(SESSION_CERTS)
+    #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || \
+        defined(SESSION_CERTS) || defined(WOLFSSL_HAVE_MLKEM)
         /* big enough to handle most cases including session certs */
         byte memory[320000];
     #else

examples/server/server.c

@@ -1763,8 +1763,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
     /* Note: Actual memory used is much less, this is the entire buffer buckets,
      * which is partitioned into pools of common sizes. To adjust the buckets
      * sizes see WOLFMEM_BUCKETS in memory.h */
-    #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) \
-        || defined(SESSION_CERTS)
+    #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || \
+        defined(SESSION_CERTS) || defined(WOLFSSL_HAVE_MLKEM)
         /* big enough to handle most cases including session certs */
         #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
                ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \

src/internal.c

@@ -2251,6 +2251,26 @@ int InitSSL_Side(WOLFSSL* ssl, word16 side)
             WOLFSSL_MSG("DTLS Cookie Secret error");
             return ret;
         }
+    #if defined(WOLFSSL_DTLS13)
+        if (IsAtLeastTLSv1_3(ssl->version)) {
+        #if defined(WOLFSSL_SEND_HRR_COOKIE)
+            ret = wolfSSL_send_hrr_cookie(ssl, NULL, 0);
+            if (ret != WOLFSSL_SUCCESS) {
+                WOLFSSL_MSG("DTLS1.3 Cookie secret error");
+                return ret;
+            }
+        #endif /* WOLFSSL_SEND_HRR_COOKIE */
+        #if defined(WOLFSSL_DTLS_CH_FRAG) && defined(WOLFSSL_HAVE_MLKEM)
+            /* Allow fragmentation of the second ClientHello due to the
+             * large PQC key share. */
+            ret = wolfSSL_dtls13_allow_ch_frag(ssl, 1);
+            if (ret != WOLFSSL_SUCCESS) {
+                WOLFSSL_MSG("DTLS1.3 CH frag error");
+                return ret;
+            }
+        #endif /* WOLFSSL_DTLS_CH_FRAG && WOLFSSL_HAVE_MLKEM */
+        }
+    #endif /* WOLFSSL_DTLS13 */
     }
 #endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */
 
@@ -8006,15 +8026,26 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
             WOLFSSL_MSG("DTLS Cookie Secret error");
             return ret;
         }
-#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
+    #if defined(WOLFSSL_DTLS13)
         if (IsAtLeastTLSv1_3(ssl->version)) {
+        #if defined(WOLFSSL_SEND_HRR_COOKIE)
             ret = wolfSSL_send_hrr_cookie(ssl, NULL, 0);
             if (ret != WOLFSSL_SUCCESS) {
                 WOLFSSL_MSG("DTLS1.3 Cookie secret error");
                 return ret;
             }
+        #endif /* WOLFSSL_SEND_HRR_COOKIE */
+        #if defined(WOLFSSL_DTLS_CH_FRAG) && defined(WOLFSSL_HAVE_MLKEM)
+            /* Allow fragmentation of the second ClientHello due to the
+             * large PQC key share. */
+            ret = wolfSSL_dtls13_allow_ch_frag(ssl, 1);
+            if (ret != WOLFSSL_SUCCESS) {
+                WOLFSSL_MSG("DTLS1.3 CH frag error");
+                return ret;
+            }
+        #endif /* WOLFSSL_DTLS_CH_FRAG && WOLFSSL_HAVE_MLKEM */
         }
-#endif /* WOLFSSL_DTLS13 && WOLFSSL_SEND_HRR_COOKIE */
+    #endif /* WOLFSSL_DTLS13 */
     }
 #endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */
 

src/tls.c

@@ -10531,6 +10531,7 @@ static int TLSX_KeyShare_HandlePqcKeyServer(WOLFSSL* ssl,
         keyShareEntry->ke = NULL;
         keyShareEntry->keLen = 0;
 
+        XFREE(keyShareEntry->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
         keyShareEntry->pubKey = ciphertext;
         keyShareEntry->pubKeyLen = ctSz;
         ciphertext = NULL;
@@ -10767,6 +10768,7 @@ static int TLSX_KeyShare_HandlePqcHybridKeyServer(WOLFSSL* ssl,
             XMEMCPY(ciphertext + ecc_kse->pubKeyLen, pqc_kse->pubKey, ctSz);
         }
 
+        XFREE(keyShareEntry->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
         keyShareEntry->pubKey = ciphertext;
         keyShareEntry->pubKeyLen = ecc_kse->pubKeyLen + ctSz;
         ciphertext = NULL;
@@ -10856,13 +10858,20 @@ int TLSX_KeyShare_Use(const WOLFSSL* ssl, word16 group, word16 len, byte* data,
 #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE)
     if (ssl->options.side == WOLFSSL_SERVER_END &&
             WOLFSSL_NAMED_GROUP_IS_PQC(group)) {
-        ret = TLSX_KeyShare_HandlePqcKeyServer((WOLFSSL*)ssl,
-                                               keyShareEntry,
-                                               data, len,
-                                               ssl->arrays->preMasterSecret,
-                                               &ssl->arrays->preMasterSz);
-        if (ret != 0)
-            return ret;
+        if (TLSX_IsGroupSupported(group)) {
+            ret = TLSX_KeyShare_HandlePqcKeyServer((WOLFSSL*)ssl,
+                                                   keyShareEntry,
+                                                   data, len,
+                                                   ssl->arrays->preMasterSecret,
+                                                   &ssl->arrays->preMasterSz);
+            if (ret != 0)
+                return ret;
+        }
+        else {
+            XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+            keyShareEntry->ke = NULL;
+            keyShareEntry->keLen = 0;
+        }
     }
     else if (ssl->options.side == WOLFSSL_SERVER_END &&
              WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group)) {

tests/api.c

@@ -259,7 +259,8 @@
 #endif
 
 #if defined(WOLFSSL_STATIC_MEMORY) && !defined(WOLFCRYPT_ONLY)
-    #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || defined(SESSION_CERTS)
+    #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || \
+        defined(SESSION_CERTS) || defined(WOLFSSL_HAVE_MLKEM)
         #ifdef OPENSSL_EXTRA
             #define TEST_TLS_STATIC_MEMSZ (400000)
         #else
@@ -31980,7 +31981,7 @@ static int test_dtls13_frag_ch_pq(void)
 {
     EXPECT_DECLS;
 #if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS13) \
-    && defined(WOLFSSL_DTLS_CH_FRAG) && defined(HAVE_LIBOQS)
+    && defined(WOLFSSL_DTLS_CH_FRAG) && defined(WOLFSSL_HAVE_MLKEM)
     WOLFSSL_CTX *ctx_c = NULL;
     WOLFSSL_CTX *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL;

tests/suites.c

@@ -180,7 +180,7 @@ static int IsKyberLevelAvailable(const char* line)
         begin += 6;
         end = XSTRSTR(begin, " ");
 
-    #ifndef WOLFSSL_NO_ML_KEM
+#ifndef WOLFSSL_NO_ML_KEM
         if ((size_t)end - (size_t)begin == 10) {
         #ifndef WOLFSSL_NO_ML_KEM_512
             if (XSTRNCMP(begin, "ML_KEM_512", 10) == 0) {
@@ -200,8 +200,64 @@ static int IsKyberLevelAvailable(const char* line)
             }
         }
         #endif
-    #endif
-    #ifdef WOLFSSL_MLKEM_KYBER
+        #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC)
+        if ((size_t)end - (size_t)begin == 17) {
+            if (XSTRNCMP(begin, "SecP256r1MLKEM768", 17) == 0) {
+                available = 1;
+            }
+        }
+        #endif /* !WOLFSSL_NO_ML_KEM_768 && HAVE_ECC */
+        #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519)
+        if ((size_t)end - (size_t)begin == 14) {
+            if (XSTRNCMP(begin, "X25519MLKEM768", 14) == 0) {
+                available = 1;
+            }
+        }
+        #endif /* !WOLFSSL_NO_ML_KEM_768 && HAVE_CURVE25519 */
+        #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC384)
+        if ((size_t)end - (size_t)begin == 18) {
+            if (XSTRNCMP(begin, "SecP384r1MLKEM1024", 18) == 0) {
+                available = 1;
+            }
+        }
+        #endif /* !WOLFSSL_NO_ML_KEM_1024 && HAVE_ECC384 */
+        #if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_ECC)
+        if ((size_t)end - (size_t)begin == 17) {
+            if (XSTRNCMP(begin, "SecP256r1MLKEM512", 17) == 0) {
+                available = 1;
+            }
+        }
+        #endif /* !WOLFSSL_NO_ML_KEM_512 && HAVE_ECC */
+        #if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_CURVE25519)
+        if ((size_t)end - (size_t)begin == 14) {
+            if (XSTRNCMP(begin, "X25519MLKEM512", 14) == 0) {
+                available = 1;
+            }
+        }
+        #endif /* !WOLFSSL_NO_ML_KEM_512 && HAVE_CURVE25519 */
+        #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC384)
+        if ((size_t)end - (size_t)begin == 17) {
+            if (XSTRNCMP(begin, "SecP384r1MLKEM768", 17) == 0) {
+                available = 1;
+            }
+        }
+        #endif /* !WOLFSSL_NO_ML_KEM_768 && HAVE_ECC384 */
+        #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE448)
+        if ((size_t)end - (size_t)begin == 12) {
+            if (XSTRNCMP(begin, "X448MLKEM768", 12) == 0) {
+                available = 1;
+            }
+        }
+        #endif /* !WOLFSSL_NO_ML_KEM_768 && HAVE_CURVE448 */
+        #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC521)
+        if ((size_t)end - (size_t)begin == 18) {
+            if (XSTRNCMP(begin, "SecP521r1MLKEM1024", 18) == 0) {
+                available = 1;
+            }
+        }
+        #endif /* !WOLFSSL_NO_ML_KEM_1024 */
+#endif /* !WOLFSSL_NO_ML_KEM */
+#ifdef WOLFSSL_MLKEM_KYBER
         if ((size_t)end - (size_t)begin == 12) {
         #ifndef WOLFSSL_NO_KYBER512
             if (XSTRNCMP(begin, "KYBER_LEVEL1", 12) == 0) {
@@ -219,7 +275,8 @@ static int IsKyberLevelAvailable(const char* line)
             }
         #endif
         }
-    #endif
+#endif /* WOLFSSL_MLKEM_KYBER */
+        (void) end;
     }
 
 #if defined(WOLFSSL_MLKEM_NO_MAKE_KEY) || \
@@ -910,7 +967,7 @@ int SuiteTest(int argc, char** argv)
     char* myArgv[3];
 
 #ifdef WOLFSSL_STATIC_MEMORY
-    byte memory[200000];
+    byte memory[320000];
 #endif
 
     printf(" Begin Cipher Suite Tests\n");

wolfssl/ssl.h

@@ -4750,16 +4750,15 @@ enum {
     WOLFSSL_P256_KYBER_LEVEL3     = 25498,
 #endif /* WOLFSSL_MLKEM_KYBER */
 #ifndef WOLFSSL_NO_ML_KEM
-    /* Taken from draft-connolly-tls-mlkem-key-agreement, see:
-     * https://github.com/dconnolly/draft-connolly-tls-mlkem-key-agreement/
+    /* Taken from draft-ietf-tls-mlkem, see:
+     * https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/07/
      */
     WOLFSSL_ML_KEM_512            = 512,
     WOLFSSL_ML_KEM_768            = 513,
     WOLFSSL_ML_KEM_1024           = 514,
 
-    /* Taken from draft-kwiatkowski-tls-ecdhe-mlkem. see:
-     * https://github.com/post-quantum-cryptography/
-     *      draft-kwiatkowski-tls-ecdhe-mlkem/
+    /* Taken from draft-ietf-tls-ecdhe-mlkem. see:
+     * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/04/
      */
     WOLFSSL_SECP256R1MLKEM768     = 4587,
     WOLFSSL_X25519MLKEM768        = 4588,

wolfssl/wolfcrypt/memory.h

@@ -175,15 +175,25 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb* mf,
                     #define WOLFMEM_BUCKETS 64,128,256,512,1024,8192,32768,\
                                             65536,LARGEST_MEM_BUCKET
                 #endif
+            #elif defined(WOLFSSL_HAVE_MLKEM)
+                /* extra storage in structs for multiple attributes and order */
+                #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,4096,8192,\
+                                        LARGEST_MEM_BUCKET
             #else
                 /* default size of chunks of memory to separate into */
                 #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3456,4544,\
                                         LARGEST_MEM_BUCKET
             #endif
         #elif defined(OPENSSL_EXTRA)
-            /* extra storage in structs for multiple attributes and order */
-            #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3360,4480,\
-                                    LARGEST_MEM_BUCKET
+            #ifdef WOLFSSL_HAVE_MLKEM
+                /* extra storage in structs for multiple attributes and order */
+                #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,4096,8192,\
+                                        LARGEST_MEM_BUCKET
+            #else
+                /* extra storage in structs for multiple attributes and order */
+                #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3360,4480,\
+                                        LARGEST_MEM_BUCKET
+            #endif
         #elif defined(WOLFSSL_CERT_EXT)
             #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3456,4544,\
                                     LARGEST_MEM_BUCKET
@@ -204,7 +214,7 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb* mf,
                 #define WOLFMEM_DIST    30,10,8,15,8,10,8,5,1
             #endif
         #elif !defined(WOLFSSL_STATIC_MEMORY_SMALL)
-            #define WOLFMEM_DIST    49,10,6,14,5,6,9,1,1
+            #define WOLFMEM_DIST    49,10,6,14,5,6,14,1,1
         #else
             /* Low resource and not RSA */
             #define WOLFMEM_DIST    29, 7,6, 9,4,4,0,0,0

wolfssl/wolfcrypt/settings.h

@@ -4549,10 +4549,9 @@ extern void uITRON4_free(void *p) ;
     #define WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC
 #endif
 
-#if defined(HAVE_PQC) && defined(WOLFSSL_DTLS13) && \
-    !defined(WOLFSSL_DTLS_CH_FRAG)
-#warning "Using DTLS 1.3 + pqc without WOLFSSL_DTLS_CH_FRAG will probably" \
-         "fail.Use --enable-dtls-frag-ch to enable it."
+#if defined(HAVE_PQC) && defined(WOLFSSL_HAVE_MLKEM) && \
+    defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_DTLS_CH_FRAG)
+#define WOLFSSL_DTLS_CH_FRAG
 #endif
 #if !defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS_CH_FRAG)
 #error "WOLFSSL_DTLS_CH_FRAG only works with DTLS 1.3"