move hpke-esque code out of tls

Author: sebastian-carpenter

src/ssl_ech.c

@@ -338,23 +338,7 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen)
     totalLen += 2;
 
     /* hpke_pub_key */
-    switch (config->kemId) {
-        case DHKEM_P256_HKDF_SHA256:
-            totalLen += DHKEM_P256_ENC_LEN;
-            break;
-        case DHKEM_P384_HKDF_SHA384:
-            totalLen += DHKEM_P384_ENC_LEN;
-            break;
-        case DHKEM_P521_HKDF_SHA512:
-            totalLen += DHKEM_P521_ENC_LEN;
-            break;
-        case DHKEM_X25519_HKDF_SHA256:
-            totalLen += DHKEM_X25519_ENC_LEN;
-            break;
-        case DHKEM_X448_HKDF_SHA512:
-            totalLen += DHKEM_X448_ENC_LEN;
-            break;
-    }
+    totalLen += wc_HpkeKemGetEncLen(config->kemId);
 
     /* cipherSuitesLen */
     totalLen += 2;
@@ -693,16 +677,9 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
             break;
         }
 
-        /* check that we support this config */
-        for (j = 0; j < HPKE_SUPPORTED_KEM_LEN; j++) {
-            if (hpkeSupportedKem[j] == workingConfig->kemId)
-                break;
-        }
-
         /* KEM or ciphersuite not supported, free this config and then try to
          * parse another */
-        if (j >= HPKE_SUPPORTED_KEM_LEN ||
-                EchConfigGetSupportedCipherSuite(workingConfig) < 0) {
+        if (EchConfigGetSupportedCipherSuite(workingConfig) < 0) {
             XFREE(workingConfig->cipherSuites, heap, DYNAMIC_TYPE_TMP_BUFFER);
             XFREE(workingConfig->publicName, heap, DYNAMIC_TYPE_TMP_BUFFER);
             XFREE(workingConfig->raw, heap, DYNAMIC_TYPE_TMP_BUFFER);

src/tls.c

@@ -13259,24 +13259,7 @@ static int TLSX_ECH_Use(WOLFSSL_EchConfig* echConfig, TLSX** extensions,
     /* configId */
     ech->configId = echConfig->configId;
     /* encLen */
-    switch (echConfig->kemId)
-    {
-        case DHKEM_P256_HKDF_SHA256:
-            ech->encLen = DHKEM_P256_ENC_LEN;
-            break;
-        case DHKEM_P384_HKDF_SHA384:
-            ech->encLen = DHKEM_P384_ENC_LEN;
-            break;
-        case DHKEM_P521_HKDF_SHA512:
-            ech->encLen = DHKEM_P521_ENC_LEN;
-            break;
-        case DHKEM_X25519_HKDF_SHA256:
-            ech->encLen = DHKEM_X25519_ENC_LEN;
-            break;
-        case DHKEM_X448_HKDF_SHA512:
-            ech->encLen = DHKEM_X448_ENC_LEN;
-            break;
-    }
+    ech->encLen = wc_HpkeKemGetEncLen(echConfig->kemId);
     /* setup hpke */
     ech->hpke = (Hpke*)XMALLOC(sizeof(Hpke), heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (ech->hpke == NULL) {
@@ -13288,8 +13271,13 @@ static int TLSX_ECH_Use(WOLFSSL_EchConfig* echConfig, TLSX** extensions,
     /* setup the ephemeralKey */
     if (ret == 0)
         ret = wc_HpkeGenerateKeyPair(ech->hpke, &ech->ephemeralKey, rng);
-    if (ret == 0)
+    if (ret == 0) {
         ret = TLSX_Push(extensions, TLSX_ECH, ech, heap);
+        if (ret != 0) {
+            wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, ech->ephemeralKey,
+                ech->hpke->heap);
+        }
+    }
     if (ret != 0) {
         XFREE(ech->hpke, heap, DYNAMIC_TYPE_TMP_BUFFER);
         XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -13916,36 +13904,14 @@ static int TLSX_ExtractEch(WOLFSSL_ECH* ech, WOLFSSL_EchConfig* echConfig,
     byte* aad, word32 aadLen, void* heap)
 {
     int ret = 0;
-    int expectedEncLen;
     int i;
     word32 rawConfigLen = 0;
     byte* info = NULL;
     word32 infoLen = 0;
     if (ech == NULL || echConfig == NULL || aad == NULL)
         return BAD_FUNC_ARG;
     /* verify the kem and key len */
-    switch (echConfig->kemId)
-    {
-        case DHKEM_P256_HKDF_SHA256:
-            expectedEncLen = DHKEM_P256_ENC_LEN;
-            break;
-        case DHKEM_P384_HKDF_SHA384:
-            expectedEncLen = DHKEM_P384_ENC_LEN;
-            break;
-        case DHKEM_P521_HKDF_SHA512:
-            expectedEncLen = DHKEM_P521_ENC_LEN;
-            break;
-        case DHKEM_X25519_HKDF_SHA256:
-            expectedEncLen = DHKEM_X25519_ENC_LEN;
-            break;
-        case DHKEM_X448_HKDF_SHA512:
-            expectedEncLen = DHKEM_X448_ENC_LEN;
-            break;
-        default:
-            expectedEncLen = 0;
-            break;
-    }
-    if (expectedEncLen != ech->encLen)
+    if (wc_HpkeKemGetEncLen(echConfig->kemId) != ech->encLen)
         return BAD_FUNC_ARG;
     /* verify the cipher suite */
     for (i = 0; i < echConfig->numCipherSuites; i++) {
@@ -14229,11 +14195,12 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
 static void TLSX_ECH_Free(WOLFSSL_ECH* ech, void* heap)
 {
     XFREE(ech->innerClientHello, heap, DYNAMIC_TYPE_TMP_BUFFER);
-    if (ech->ephemeralKey != NULL)
-        wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, ech->ephemeralKey,
-            ech->hpke->heap);
-    if (ech->hpke != NULL)
+    if (ech->hpke != NULL) {
+        if (ech->ephemeralKey != NULL)
+            wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, ech->ephemeralKey,
+                ech->hpke->heap);
         XFREE(ech->hpke, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
     if (ech->hpkeContext != NULL)
         XFREE(ech->hpkeContext, heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (ech->privateName != NULL)

src/tls13.c

@@ -3782,26 +3782,17 @@ static byte helloRetryRequestRandom[] = {
 /* returns the index of the first supported cipher suite, -1 if none */
 int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
 {
-    int i, j, supported = 0;
+    int i = 0;
 
-    for (i = 0; i < config->numCipherSuites; i++) {
-        supported = 0;
-
-        for (j = 0; j < HPKE_SUPPORTED_KDF_LEN; j++) {
-            if (config->cipherSuites[i].kdfId == hpkeSupportedKdf[j])
-                break;
-        }
-
-        if (j < HPKE_SUPPORTED_KDF_LEN)
-            for (j = 0; j < HPKE_SUPPORTED_AEAD_LEN; j++) {
-                if (config->cipherSuites[i].aeadId == hpkeSupportedAead[j]) {
-                    supported = 1;
-                    break;
-                }
-            }
+    if (!wc_HpkeKemIsSupported(config->kemId)) {
+        return WOLFSSL_FATAL_ERROR;
+    }
 
-        if (supported)
+    for (i = 0; i < config->numCipherSuites; i++) {
+        if (wc_HpkeKdfIsSupported(config->cipherSuites[i].kdfId) &&
+                wc_HpkeAeadIsSupported(config->cipherSuites[i].aeadId)) {
             return i;
+        }
     }
 
     return WOLFSSL_FATAL_ERROR;

tests/api.c

@@ -14547,15 +14547,41 @@ static int test_wolfSSL_Tls13_ECH_all_algos(void)
     int j;
     int k;
     static const word16 kems[] = {
+#if defined(HAVE_ECC)
+#if (defined(WOLFSSL_SHA224) || !defined(NO_SHA256))
         DHKEM_P256_HKDF_SHA256,
+#endif
+#if defined(WOLFSSL_SHA384)
         DHKEM_P384_HKDF_SHA384,
+#endif
+#if (defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512))
         DHKEM_P521_HKDF_SHA512,
+#endif
+#endif /* HAVE_ECC */
+#if defined(HAVE_CURVE25519) && (defined(WOLFSSL_SHA224) || !defined(NO_SHA256))
         DHKEM_X25519_HKDF_SHA256,
+#endif
+    };
+    static const word16 kdfs[] = {
+#if defined(WOLFSSL_SHA224) || !defined(NO_SHA256)
+        HKDF_SHA256,
+#endif
+#ifdef WOLFSSL_SHA384
+        HKDF_SHA384,
+#endif
+#ifdef WOLFSSL_SHA512
+        HKDF_SHA512,
+#endif
+    };
+    static const word16 aeads[] = {
+#ifdef WOLFSSL_AES_128
+        HPKE_AES_128_GCM,
+#endif
+#ifdef WOLFSSL_AES_256
+        HPKE_AES_256_GCM,
+#endif
     };
-    static const word16 kdfs[] = { HKDF_SHA256, HKDF_SHA384, HKDF_SHA512 };
-    static const word16 aeads[] = { HPKE_AES_128_GCM, HPKE_AES_256_GCM };
 
-    /* test each KEM with default KDF and AEAD */
     for (i = 0; i < (int)(sizeof(kems) / sizeof(*kems)); i++) {
         echCbTestKemID = kems[i];
         for (j = 0; j < (int)(sizeof(kdfs) / sizeof(*kdfs)); j++) {