Fix: Improved support for combinations of HPKE algos

[sebastian-carpenter]

Description

hpke used wrong kdf/kem digest:

HPKE code incorrectly used the KDF digest length for the KEM. Per RFC 9180:

The KDF used in DHKEM can be equal to or different from the KDF used in the remainder of HPKE, depending on the chosen variant. Implementations MUST make sure to use the constants (Nh) and function calls (LabeledExtract and LabeledExpand) of the appropriate KDF when implementing DHKEM.

Basically, the KDF used does not need to match the KEM's. So I reworked the code to keep track of both the KEM and KDF digests. LabeledExtractAndExpand is the KEM route so that uses the KEM digest now. And the wc_HpkeKeyScheduleBase is the KDF route so that uses the KDF digest.

move hpke-eque code out of tls:

There were several areas in tls and ech with duplicated code related to hpke, or code that should be broken out into hpke. Fixed this issue by creating new WOLFSSL_LOCAL functions. Because of these functions I was able to remove the global array we had for hpke before.

Restricted the kem, kdf, and aead fields of the hpke struct from word32 to word16. The RFC only uses two bytes for these values (and so do we in the ECH code) so I made them smaller.

refactor openssl-ech workflow + add suite testing:

Broke openssl-ech.yml into a script. Mainly this was to streamline testing ciphersuites in the workflow. But it is very nice for locally testing ech interop too.

Also updated examples/server/server.c to support different ech ciphersuite through --ech-suite. The parsing for this is pretty optimistic.

Testing

Added tests to check all algorithm combinations for ECH (this may be extreme?). This comes out to 24 combinations each doing a full handshake.

Added tests to wolfcrypt for a bigger and smaller KDF compared to the KEM.

Interop testing with OpenSSL using a weird hpke suite.

Checklist

• [ X] added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[Copilot]

Pull request overview

This PR fixes HPKE algorithm combination handling (separating KEM vs KDF digest usage) and refactors ECH/HPKE integration to reduce duplication, while expanding CI and API tests for suite permutations.

Changes:

• Correct HPKE digest selection by tracking and using separate KEM and KDF digests.
• Replace global “supported algos” arrays with internal support/query helpers used by TLS/ECH code.
• Add/extend tests and CI interop scripting to exercise multiple HPKE/ECH suite combinations.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
wolfssl/wolfcrypt/hpke.h	Updates Hpke fields and exposes internal helpers for TLS/ECH to query HPKE support/details.
wolfcrypt/src/hpke.c	Implements split KEM/KDF digest handling and adds support/helper functions for ECH/TLS.
src/tls13.c	Switches ECH cipher-suite support checks to new HPKE helper functions.
src/tls.c	Uses centralized KEM enc length helper; tightens cleanup on TLSX push failure and free paths.
src/ssl_ech.c	Uses centralized KEM enc length helper when building ECHConfig output; adjusts config generation defaults.
wolfcrypt/test/test.c	Adds HPKE tests for mismatched KEM/KDF digest combinations.
tests/api.c	Adds TLS 1.3 ECH tests iterating through supported (KEM,KDF,AEAD) combinations and verifying negotiated IDs.
examples/server/server.c	Adds --ech-suite parsing to generate ECH configs with specific HPKE suite IDs.
.github/workflows/openssl-ech.yml	Refactors OpenSSL ECH workflow to use a script and tests “default” + “weird” suites.
.github/scripts/openssl-ech.sh	New helper script to run OpenSSL↔wolfSSL ECH interop in both directions with optional suite selection.

Comments suppressed due to low confidence (1)

tests/api.c:1

• test_wolfSSL_Tls13_ECH_all_algos_ex() returns EXPECT_RESULT(), but the loop asserts it equals WOLFSSL_SUCCESS. In this test file, helper tests typically compare against TEST_SUCCESS / TEST_FAIL semantics rather than wolfSSL API return codes, so this assertion is very likely wrong and may fail even when the EXPECTs pass. Update the expected value to match the return convention of EXPECT_RESULT() (typically TEST_SUCCESS), or change _ex() to return WOLFSSL_SUCCESS/WOLFSSL_FAILURE consistently if that’s the intended convention for this specific test.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.