Fix: Improved support for combinations of HPKE algos#9999
Open
sebastian-carpenter wants to merge 5 commits intowolfSSL:masterfrom
Open
Fix: Improved support for combinations of HPKE algos#9999sebastian-carpenter wants to merge 5 commits intowolfSSL:masterfrom
sebastian-carpenter wants to merge 5 commits intowolfSSL:masterfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes HPKE algorithm combination handling (separating KEM vs KDF digest usage) and refactors ECH/HPKE integration to reduce duplication, while expanding CI and API tests for suite permutations.
Changes:
- Correct HPKE digest selection by tracking and using separate KEM and KDF digests.
- Replace global “supported algos” arrays with internal support/query helpers used by TLS/ECH code.
- Add/extend tests and CI interop scripting to exercise multiple HPKE/ECH suite combinations.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
wolfssl/wolfcrypt/hpke.h |
Updates Hpke fields and exposes internal helpers for TLS/ECH to query HPKE support/details. |
wolfcrypt/src/hpke.c |
Implements split KEM/KDF digest handling and adds support/helper functions for ECH/TLS. |
src/tls13.c |
Switches ECH cipher-suite support checks to new HPKE helper functions. |
src/tls.c |
Uses centralized KEM enc length helper; tightens cleanup on TLSX push failure and free paths. |
src/ssl_ech.c |
Uses centralized KEM enc length helper when building ECHConfig output; adjusts config generation defaults. |
wolfcrypt/test/test.c |
Adds HPKE tests for mismatched KEM/KDF digest combinations. |
tests/api.c |
Adds TLS 1.3 ECH tests iterating through supported (KEM,KDF,AEAD) combinations and verifying negotiated IDs. |
examples/server/server.c |
Adds --ech-suite parsing to generate ECH configs with specific HPKE suite IDs. |
.github/workflows/openssl-ech.yml |
Refactors OpenSSL ECH workflow to use a script and tests “default” + “weird” suites. |
.github/scripts/openssl-ech.sh |
New helper script to run OpenSSL↔wolfSSL ECH interop in both directions with optional suite selection. |
Comments suppressed due to low confidence (1)
tests/api.c:1
test_wolfSSL_Tls13_ECH_all_algos_ex()returnsEXPECT_RESULT(), but the loop asserts it equalsWOLFSSL_SUCCESS. In this test file, helper tests typically compare againstTEST_SUCCESS/TEST_FAILsemantics rather than wolfSSL API return codes, so this assertion is very likely wrong and may fail even when the EXPECTs pass. Update the expected value to match the return convention ofEXPECT_RESULT()(typicallyTEST_SUCCESS), or change_ex()to returnWOLFSSL_SUCCESS/WOLFSSL_FAILUREconsistently if that’s the intended convention for this specific test.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
sebastian-carpenter
force-pushed
the
hpke-fix
branch
from
4bd1a84 to
f135f4d
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves HPKE/ECH interoperability across algorithm combinations by correctly separating KEM vs KDF digest handling, consolidating HPKE support checks, and expanding test and CI coverage for more suite permutations.
Changes:
- Fix HPKE digest selection so DHKEM uses the KEM’s KDF (kemDigest) while the HPKE key schedule uses the chosen KDF (kdfDigest).
- Refactor ECH/HPKE support and length checks into shared helper functions, removing prior global “supported” arrays.
- Add ECH “all algorithms” testing and update OpenSSL interop workflow to exercise multiple suites (including a “weird” suite).
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfssl/wolfcrypt/hpke.h | Updates Hpke struct fields (digest split + word16 IDs) and declares new HPKE support/length helpers. |
| wolfcrypt/src/hpke.c | Implements digest split through HKDF calls and adds Kem/Kdf/Aead support + enc length helper functions. |
| src/tls13.c | Uses new HPKE support helpers when selecting an ECH cipher suite. |
| src/tls.c | Uses new enc length helper and improves cleanup when pushing ECH extension fails. |
| src/ssl_ech.c | Refactors ECH config size calculation to use HPKE enc length helper. |
| tests/api.c | Adds a test that iterates all compiled ECH HPKE algorithm combinations and validates negotiated IDs. |
| wolfcrypt/test/test.c | Adds HPKE tests for mismatched KEM vs KDF digest sizes. |
| examples/server/server.c | Adds --ech-suite option and updates usage output accordingly. |
| .github/workflows/openssl-ech.yml | Refactors OpenSSL ECH workflow to run a script and test multiple suites. |
| .github/scripts/openssl-ech.sh | New script to run OpenSSL↔wolfSSL ECH interop in both client/server directions with optional suites. |
Comments suppressed due to low confidence (1)
tests/api.c:1
- If the build configuration results in any of
kems,kdfs, oraeadsbeing empty, this test will become a no-op and still pass. Consider adding an explicit assertion that each array has at least one entry (or return a clear 'skipped' result if the test framework supports it) to avoid silently losing coverage under certain build flag combinations.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
- shrink ech interop workflow - x448 macro now unused in hpke WOLFSSL_LOCAL functions - bug fixes in added tests
sebastian-carpenter
force-pushed
the
hpke-fix
branch
from
f135f4d to
fcedc91
Compare
Contributor
Author
|
Jenkins retest this please. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
hpke used wrong kdf/kem digest:
HPKE code incorrectly used the KDF digest length for the KEM. Per RFC 9180:
Basically, the KDF used does not need to match the KEM's. So I reworked the code to keep track of both the KEM and KDF digests.
LabeledExtractAndExpandis the KEM route so that uses the KEM digest now. And thewc_HpkeKeyScheduleBaseis the KDF route so that uses the KDF digest.move hpke-eque code out of tls:
There were several areas in tls and ech with duplicated code related to hpke, or code that should be broken out into hpke. Fixed this issue by creating new WOLFSSL_LOCAL functions. Because of these functions I was able to remove the global array we had for hpke before.
Restricted the kem, kdf, and aead fields of the hpke struct from word32 to word16. The RFC only uses two bytes for these values (and so do we in the ECH code) so I made them smaller.
refactor openssl-ech workflow + add suite testing:
Broke openssl-ech.yml into a script. Mainly this was to streamline testing ciphersuites in the workflow. But it is very nice for locally testing ech interop too.
Also updated
examples/server/server.cto support different ech ciphersuite through--ech-suite. The parsing for this is pretty optimistic.Testing
Added tests to check all algorithm combinations for ECH (this may be extreme?). This comes out to 24 combinations each doing a full handshake.
Added tests to wolfcrypt for a bigger and smaller KDF compared to the KEM.
Interop testing with OpenSSL using a weird hpke suite.
Checklist