diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index 101ebf2fa8..bdd02a9fd4 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -816,7 +816,6 @@ WOLFSSL_MANUALLY_SELECT_DEVICE_CONFIG
 WOLFSSL_MDK5
 WOLFSSL_MEM_FAIL_COUNT
 WOLFSSL_MICROCHIP_AESGCM
-WOLFSSL_MLKEM_DYNAMIC_KEYS
 WOLFSSL_MLKEM_INVNTT_UNROLL
 WOLFSSL_MLKEM_NO_MALLOC
 WOLFSSL_MLKEM_NTT_UNROLL
@@ -948,6 +947,7 @@ WOLFSSL_TICKET_ENC_CBC_HMAC
 WOLFSSL_TICKET_ENC_CHACHA20_POLY1305
 WOLFSSL_TICKET_ENC_HMAC_SHA384
 WOLFSSL_TICKET_ENC_HMAC_SHA512
+WOLFSSL_TINY_TLS13_NO_DEFAULT_CURVE
 WOLFSSL_TI_CURRTIME
 WOLFSSL_TLS13_DRAFT
 WOLFSSL_TLS13_IGNORE_AEAD_LIMITS
diff --git a/certs/mldsa/ecc-leaf-mldsa44.pem b/certs/mldsa/ecc-leaf-mldsa44.pem
new file mode 100644
index 0000000000..3cdb1fb184
--- /dev/null
+++ b/certs/mldsa/ecc-leaf-mldsa44.pem
@@ -0,0 +1,61 @@ +-----BEGIN CERTIFICATE----- +MIIK4zCCAVmgAwIBAgIURMREBesDbhFE7MTpbJAhFuwlmNgwCwYJYIZIAWUDBAMR +MFoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl +bWFuMRAwDgYDVQQKDAd3b2xmU1NMMRUwEwYDVQQDDAxUZXN0IG1sZHNhNDQwHhcN +MjYwNjI0MTkyODM5WhcNMzYwNjIxMTkyODM5WjAUMRIwEAYDVQQDDAlsb2NhbGhv +c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7M6xMJ1BKxkqlBMM83p8223It +zpTqK/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo0Iw +QDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwHwYDVR0jBBgwFoAUswU7 +xg6AYh+iTpNtmT4TaDnG/DIwCwYJYIZIAWUDBAMRA4IJdQBp2TdyejDOdGyPgB2n +c4X+/TQ1EhPeHNs4dZ3gxtmRmYtilgonNPtuEm31DNp0RrcB4BXK6PKhJP27fTAR +wuwtfdoU7SnC8tsGr1eX3IKGq3+GCMzunJJgMN0zz6mDi25K3c025AxWFxdHOhhQ +QguUxoZ/GWJsH/e2LJL5qTyeJvHNi/30cNjImsZXFeatQlv87/f1vcwCK4T5/ajd +GWn4g1ktgRxzvtozBhg7Hw0CbOj0jXFIA+3k/GDCw9RxckBJ8Yn/ddMZNbljduZk +zLykzjZsrX9badyy8pFgJaGsptgo/SOcxBhHIpjjGu9rTmi1QxAl1yliNoJXBxJR +RmZijJ619Vmq6w00PSJnM4hP8O7DN8WZ/dZ9f78/WJsNXsv6s036QFwcpj5wo7ex +OB6ZJSEXkIM9w4mPNpPUyAXfl9GauLGiXANFyqPmm/31CV5nL5INAON5Ft2vbOG8 +RGQySPVV4Cb9WuTtn0iMYgwqdYMxZJbgFUD4RvXiAl5fsLE8N7AHf7Cuua/k+mgZ +PfH04f2Harzt100Y5J365x5b2ia7QpqRgYeubbCuW8Zd8nVT7+Imo3mgVwNWM9c8 +nskP0uHq51y5qrY3s0DSb8FKcZnZD7zQ70l8EVnlTD2G3QeiE8Id0XqubtrEO+DT +vyZuMwU4x5NQKGyPUL6tHeUkt7hEWom9sCvIFkeOa4OadGuktxOdDc3f3w2VgG5/ +4nzlP/Y0PSziTw5RuV/G+f4V3VpWlSPCn2CfoTxjoVak/abCiWrijZ8lR3c4ERAl +AevDEIxpvq5jIlv506vXw2CZeq6195KtsPGhrNkaax7ThZJQPFH/NR5Tu0Y2EBJG +0lth79qhKKgQDmhf5VNkomblrqW2R6Dm8CvYRuHwmGSk+FfH4ULavv/fuVXaW+h4 +MYjTV8wq4Jdl9qi9G+rfncUzZc2L8/zKisGjuzK0AoWVhs5UgS+/3xjCbsuWkYHG +siJ2kuZvl7KWR7Oc5OWfaRvAokNtglYWCtUzpD86V08X4l3U77Xi5UFJMjGcVVW6 +2F/WRyhq653vxvclDtkVyBaYDCcnHND7jGpqBcbJDTJyFE/Z3/GPFiYr1mYkVL/v +jPZ9qklFeWPXCKRVAHESMfFPozMNvdOpWqW0nxZ4P4rjcSKDfXX5wsQC4tW53pK/ +0fpqGrNVY5xsIu8zV6OYpvbaPoaDxHS+clvDB9PrJlvjZUFBWPAiCzjYJNgcVFqU +39/aAKWj24dbDarp5QEM8rReQiLvCjzD8ARb1zVAnaeyhaMaxCgwp5v/IEcSShH6 +mNX2dcsht10lic5DxJ8Up9ZFNTZhDSD+1E0tX4Vt0DPR8ZVYbW56rnXHTdYiwKhm 
+4lXia11zR2f4pl3JD23yYRvSfPJTilWkUO+wAazmP5vRPELyodO4vvqDL+lOkwff +7IV6JFCLdOV22RpwMHlO7YZkWpoauocljvfZBLLTOqlmcxKGN+T1na9D39jly5oi +9Aqb4dK6AFaFw5k78kcei3OLNdCDD8dssY1sReMeLM7ENuj4T7XjJh3PVDBDhRS7 +0WPjztBAsVkqOvIRxINjoXTIRvTL0u8P/NUWKhduSDKe+NIvHChuF5VycgAS6G2p +C3ZqsVM0D3D4s2AvalPJfyhhBN6c9dVeUfjBCNPWk8z7v+d38VHSAPkq5C4Sp5W3 +dD2Wm4ohgkDe1AkvcTtCHSK5tyo8mV0NyObbuMw5YnYyJ5h2CS/PaEfRME+VOsTI +FLhgy0EZwRfxV+3Q6pTRA3DC0NR50F3teF50HbcmuXxae4FL3F/4qGjErubs6tbD +M8QzgBLjALl82UrbtFItELLfTjQC7HtOZgwIGqOwd00Eoy6pqwe2AWzYz63A4F1z +1PPYPAsjfWtfkQmjFeMcljAYaY0YUGox8139lcL8m/7l+2fLhv62m940rRrg41D1 +DTiCIqJTe070lq20iJZ/zWUnrWM/Vhn5PVnc4mgQ7d0uIAJ9j8wxgqw5UYNGYKRw +Vf3IqsAyYxPsBo9iibBUy4qPMtPA/wN25B22gorjda2Cp0pQWdBjGSRrFjaO8Bx1 +oFJ8nOuzPbG5Q5VJbwGrCxDt7kSueh1ernEAsNAXCWf0L9v+dgJBsYreytCFO7hO +N+29BKEUh0qXwXmO45gc5Lzw0l19NiBbkm2vYBpW/xh6QHzk22WvPTzMilasDOZK +aNDiIOXFqKBi4JcmVpJK04BPCiY69pbSL/OpJS+4oR2tKqYo2+U3z89AHNaiLvuB +v+37j1Z8jMjyZNm+Ex+cKh6PaVTv+sk72goCTfx6hex0WrSDMiU+A9nHho002/oj +jH3cokwIrpUWd0UpEpMvoNPlCaX9j3s2mL1RxGSy4nd+oabobtGuRRcPDxMK6eRY +nd3Bksk05pAVqOnAYZNLIYc3ZypXu6ayK4fOL69Ke41OfbWWHZz+or3htceDwZet +4sAuvL86l1LjFF3kq/G9Z/OxwITrWjocLJemWC32spgelsmOcKV0p6K70JkVFQY6 +c9wl2I360F2oP09wVKd+U7cPvHIMUsQyl0xXR3+bqTVdG4fDqRMksD1nkAQEJvyb +Tiinf9pUV9raJN/h6fYKu9tis9GRcdy7XPS0t/uLsVHhmhQv+drlCvaigJadpGUN +79I5WKsFtxXjTLuCxQ9mQspNm9QX8aMnvZLUM7v1oLVxywyWucWSsHBvRM5LP4Kk +ZrReaVsxyrNHZlfZ0UZoVpoE79FzpYOHj9jh081rY6frEM2a1wYNZFb/hKoN/6FM +VVKB19glO7oh1AknhueGaDcbAUuVYhHCEpOZVWbD+uQt4FiI1NNjAJSVzsd2Y6Gw +2/BbAyrdf7lAOopyY4bzJPQsuNCM+kdWNUBrkceWl7d+r3nJUN+g94sMtPIUVQRq +HWweWk8ZZK167I+/3jPE32H73Dp/8GRuzF8UquAZ0TtBepzaP8BRn2LMUiycqXU9 +Buq9TC2XpyEBGWN3/ferZ8bBURKKSOJk8GRcElIsXc7e8XgAVCCT8D11ZQgKhAjM +dq6UyK8ufg6jpfx19QvCxduGNZb1KhRSfuGUQXJZMJ6/iOhLqvGSTxCE7sPIk91v +SAIuxvNEjgFeVFaKn3ETUt51lgANHykqPUJOUWNqgZOaq67HyNHa8PQKFhwnOUZM +Zm2Fhqby9PgUNz0/U1aCj5G91OIMDSEoSnF0gITBAAAAAAAAAAAAAAAAAAAAAAAA +AAAAFiUxOw== +-----END CERTIFICATE----- 
diff --git a/certs/mldsa/ecc-leaf-mldsa65.pem b/certs/mldsa/ecc-leaf-mldsa65.pem
deleted file mode 100644
index 08a35bb195..0000000000
--- a/certs/mldsa/ecc-leaf-mldsa65.pem
+++ /dev/null
@@ -1,79 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIOXDCCAVmgAwIBAgIUHkXMjMS80gZRjcfzBuyuhnlS9yEwCwYJYIZIAWUDBAMS -MFoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl -bWFuMRAwDgYDVQQKDAd3b2xmU1NMMRUwEwYDVQQDDAxUZXN0IG1sZHNhNjUwHhcN -MjYwNjIyMTgyNjQwWhcNMzYwNjE5MTgyNjQwWjAUMRIwEAYDVQQDDAlsb2NhbGhv -c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7M6xMJ1BKxkqlBMM83p8223It -zpTqK/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo0Iw -QDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwHwYDVR0jBBgwFoAU0X7s -9Um6d4uq1MDByuLMZZkKhxIwCwYJYIZIAWUDBAMSA4IM7gA9PW9GacDhmkuLlT+C -a7WbLvUQDQh1o7x2+gkqNN9aYFnWM3FgafeDHJGfJOmGk7RWNh7RHCnT6MmUJFXL -qlnC6Q0p7rQpIE/RmkfGcuLRvZyZkLhhgHMKQRhStjzzUYVUW74JKNhc7mp7nD2i -xCGeO77hy2VP65AoioniSyg71x83eqnEvUAjjtaWYwc3SoDEoSYSf0E6emIjYvvh -KMUXlnLxah5X3mw6ZQXp1FspKY8VY1UkXakz/rSamEd4gmv7/cow6eObAQilHrRX -OSiVL4E/uv6qfCjTlWBvpjCDGQP6PTJKYGX3RgzVDptXtlFgRw5QCzBVRQdrUdxR -nZjbbtQUn7bXyKEEQtDQ32aMqlvOkdrHpDg6Nto0MTdUv0YDfA+iM4KEKItoCvNm -fyO9AMQj7+BrK8hgXSAooACq2cDdELpE0PqUAdVboLFcCOu69D2cZjM8G5IhEqZG -aeCTchyGD6dOtpGP7uRdYj+b+4rF1gWUNLxvkwBM7DdeSGV//00zIfiVOpZNs8BG -0TAe5mVIgE4WEnp9Z0n/zesh5HLhW6d8V8rpqAikcZMOBslzEcpZS4KZIID1A5It -NnNGd5u69LyE3vbjjNpif0/75ns/P+z73iO2FJQ8PnRSlPwwhd8BEpSl6lrk5/ZY -L7XjyROaFZz3Iwt/mvtZrYcFaUHcMmZY/y3SKfsuyueld38XP87vRmpDk98VsUgL -dBr9+QgqZLKscADMQq3f6W66ziVQY5/gzTbRt/xSCf3hazi9/TTLqQvaUpckAdqD -HHr4/mTQ/zXxmXNAXwan4OKQBqy26zgIjMbATincEwDSWvFNJwDcHyYt0Pg/+tqK -fXAbkvaSF0BO64nW/EGtxHa2b8EkG9n9ivvYyzVLc8D6OF+wBuxTegF8tYTavKCP -UzW11/fEh+xEnIgMQ2EzK6ElxiggvJvH/AH3GAJR4C34u+IjKHm7915hCti1C6yv -6NmIfvwWRHMC+2XdyLe9mmVcw8uNsAV1OpbgyNGIP+nghBhunZ23Kk8jv/LjADkA -5SCOZZuM8/PEMAA98kN4CcUcSyGh1+ZcG6ArtCWIeUzlECEZ8jq0TRoj/M+pJZ8J -Ll50p+wGB+maJeiFD05gKmtfAlKqgHH+TxqnTr8q+pVOlEnCMrEL6tNqWTkRwQ16 -t0EHstwfOjGuu+JA/1ENlfLDTHKYcmVFQv64MPHFGWknS5arj7A2Z63sxln1eCHH -zzgN/eY+G5zjyYvSesCWc5MDz1JpHu8QUfO93PEVxovH/KBWcpPWI+9tNkfwPgZM -dlJMalwyhvsPz45XMbpqP4UcIQlzLztk6J7KMfSYvbAUCR4aDo5HqLflHuM6MiS6 
-saigxzmXNjomMOCM10HyHmfUSpVB5CLa9xG4ImGAFSz5eP2XTmxXQquGxf1dQlON -6hfT9JW2KTNmhyjSbAmddRCXHCpUpa23GxJtw5zWelotzOYD3fN8OsSsv3Za3Exa -zI6NzQ3qwZoz/7rpOAxENcZ6zA7qDs36ieqKVviaEO4Pb0ReudyE1WHoTlcUNbYK -VnnFSnw8wewKxVbVCa2ic1F/x7wiDBh0BqC4biHTtJcC6iUPjKvO5JNITokuFeC9 -lTfRJg4Q2LWTEgfLh0wEMBhsUxRzA9MghDxfzA5BZa70//pm9pGCy6FDdVStbIxe -FgGaVqHLtV47XHT2P8cHn6UszRGET4odF1S3J/Lqe9rk9p2JJECt6WhLRHUryie2 -hB+SfG00xmfP4eGyJEndd6ElqQ7grinVWikv9bq0MqVH3uvb8ZMLdK98gF7yZMyx -xFXIOogdu0fn5qm43yrizuCLRiw1DXroS2X131ggTLJpObqauYx+gvReqma8fPX/ -LImlDAfgrUEGAMka3DaULRGWNNF5z5PyaIGyOokIWGvvN20ArM4J7DMzBQMzUZdz -IgugrVwxzGlAW3By14S3talrdywbpdbrH/wMi7j6H/VHqyw3bx4cLydQlbjxb1d3 -B3wm2NgOKYIfvsqw9mHOh16XInqamwCys9LhoRiqR5DwFGyEElWuFZJq9uKQvoyo -Vx1P++TDoGP6f4ycmF1kkZaKNDK7Awj+ugmGMVu95Ij74x533kfNgvUDK7ChcJfX -1a3VwmBGvB51AZWzaDqqa7d6OWQkoE0NE3gPnDgbNo+vZ6+ElMSK2P9G53kBA50H -UbU+T/++QF6m69d02hq7yyiSgaXpVeLtAGEHTswmx3HWzxEE1o3PIsa322xizUsJ -JHmHdIpFVDvaYz4A7Per42qRfXahHAqzp0UrqERQQROuzfJAWltp35LBbJIr2BXk -l1JYDvjP5plOJgeDGvl1lY+cblsuV1OzSCuXAi//ziFXTpvhrQ0r5zE96NwNl6Fm -L09mVZfd0Ic+sBaB9Mw6fN9QpSGHj2P/F9+UePU981qv93PqZv2ZGKrbbRMQg9Hh -DsXNddZZduhR91xS6gVXN2IMsRKTRh/zD06oVOZxq9ZCO+NtCYYtMwzgi1By4Wx6 -R+UBg/t/rqXuui4cFEwUgS2R66VGXKzenhq5fQl1xYJPTRn0fMZBa77QLs90D1Bw -qIY0BggeSxJ0u1hR3D2opXq1bjJ/mkjki6xwzVVI/cnWB3BwKdzmVcQJesDzhCkc -+kghJygggyyk2T6qYc/nIGf+2fe1vu8DuL969SVcW3WOzOgzzCEVCiGdD/3wMWL8 -2CLXUS6XBOTzEiahVB2u4ljuTe3pymRP8G3JLNNBvlpGAYxml/BbaKwJKJloO7Xy -M1JZ7tno/yTCsvtY2OIMmlfkgaPQhOVwSSlXEZeHxGZZ9pe0QLYsKdBQCfoAFXpq -YXdXtzaC3virEUKLkAp4vUGez6bMMjw1LfL8Lp6eW3szPmFrwzU3fMCGQPq7Clsw -E2ZzrgM6Tdt4YsXp0ZLmaNbGtTi0WuQikSor4QZjr1zH2jWFs9kVW9T+1iKkKGUC -AVwV+PbVtQsyp0gCA9mGFDdrZBH+U8KVn9wGF6I8+UwToWPnDNTYM2jVRpl8DWui -xSBq1TxArIZD7T2xX2988zevcYDKs4w1AHj+27j6kmGZW2NGDVvdmHj/xxRuw9WV -4tZAlLzavkGEo6/ngGJkdmPW1OAyGhKhpvGqjABMM1HfppvFNHxfyXQfLVroEog3 -/q+U1RsEs5mfHfWc1wNdL0FBYqTvgkarxUwKZzm48yeGVdO5GE4bTXgCxHLGi3Av -aIzMEYJ5qNBIOhp629i2AV14CgPhQjaTZq+OkI3Gr7gKkTDZrJiU/THEUZs08KpJ 
-8FUnWTzkZ0fZoMx8jnx2QXGmii/79S1PnzGzvxN5f8rM5xG/br9g3qEpJ23Yi9PH -QqCtm7GVeKEcx1WLd7gZ4UMu4MpXhOmrDKG6du245KVq20AdzEckVWOq5ObGmBV7 -IYrhrfjojculsXuYse/+q3+vzlSevsz9f/N42pEITGGeAkaUdL6aQrxqjsLW7gNY -82H9BbpCqw2UEGX44+sAMViszTrpy34Px16+svZfzdbhsUJdCpoi49Yuf7IdH4iY -DJMVN9TNrTEUOZCB6trzbK8I0NDWYOvEBVHl5D0qB1LDqdN9Sc0Fj1dVgaC2Ihx9 -6c3+9m43zJTIstS+YTQbyZ67ADFnCxY8/eRN0ZDRymWnlTnR7r+ceNvzprUaF3XN -ihpVNN3fGsWaejbCWND8YHDj+F5hLTXJLZ5sqzk/CU0doHbkhnai8WHUFdKYVZRl -6PDML7snxqobWGv690ECgixrqQkdBtiEKIAOGk0wwJfDIyzyhB1lFRT8bafOnKCX -DiHFSfDjVIg0rLANtivOXUCXctv07JoL+jCqpC0WOHe5ch5BNRDnruXhErbu4ZJw -xZxrafS7+79U0MQAum2SSTCYnJE96VzNUzDdZg9z1ZKEVjhp9eAEfzQdZf0JwmQs -gZvaPyOdJ+i1bndol4NOstjx3QHsiPimvkInYlPwaaRvaUDwmucIRAIWAk0X3ZkU -X6iC7zLeLPiGUNpsI2FJHVD5eG1bivhsWFLRvHC6pHfCMSfCcw8wLTsbx0rwrQaA -YntZeGqc45E7f+Ef6d+6Yg80O73F9iZBHrCwVg4E4wMxzDw91xoKtbMdOoWIRTn4 -BGR9+HjGK8tH7lpj5vP2EAoNFW+m25vu6tvCebUdZyWuGgnFQc7WyvLiCiNoCo5K -DJb+XcYkOSb0YGt1HCcZCkZ0jjUN9qH1YQfCAoOI98/YhUiL4z9FAVfdM3OhUopT -MZGUffqI1C+OZeSvGE4GZDdIUxznJ6JURSxS93X/BUyD89U1I86Jn5wAkRH4sjKO -lipqwbk8EY1UkfszCSFkQJTXjDxciY7CDBpYaXHG5fJCYpPX2NoEUFR+hKy0uCxM -bYCvvMX5/h8xU1Rof5WptbzH6wAAAAAAAAAFDRMbJDA= ------END CERTIFICATE----- diff --git a/certs/mldsa/include.am b/certs/mldsa/include.am index 19c0c57b84..405a085950 100644 --- a/certs/mldsa/include.am +++ b/certs/mldsa/include.am @@ -28,10 +28,10 @@ EXTRA_DIST += \ certs/mldsa/mldsa44-key.pem \ certs/mldsa/mldsa44-cert.pem \ certs/mldsa/mldsa44-cert.der \ + certs/mldsa/ecc-leaf-mldsa44.pem \ certs/mldsa/mldsa65-key.pem \ certs/mldsa/mldsa65-cert.pem \ certs/mldsa/mldsa65-cert.der \ - certs/mldsa/ecc-leaf-mldsa65.pem \ certs/mldsa/mldsa87-key.pem \ certs/mldsa/mldsa87-cert.pem \ certs/mldsa/mldsa87-cert.der \ diff --git a/configure.ac b/configure.ac index 1af3b156f5..f900607b2a 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2950,7 +2950,7 @@ then rsaverify) AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TINY_TLS13_RSA_VERIFY" ;; sha384) AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA384" ;; mldsa) tinytls13_mldsa=yes - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLDSA -DWOLFSSL_DILITHIUM_VERIFY_ONLY -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_NO_ML_DSA_44 -DWOLFSSL_NO_ML_DSA_87" ;; + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLDSA -DWOLFSSL_MLDSA_VERIFY_ONLY -DWOLFSSL_MLDSA_VERIFY_SMALL_MEM -DWOLFSSL_NO_ML_DSA_65 -DWOLFSSL_NO_ML_DSA_87" ;; no) ;; *) AC_MSG_ERROR([Invalid --enable-tinytls13 value: $v. Valid: psk cert server mutualauth staticmem asm p256 sha384 mldsa rsaverify.]) ;; esac @@ -2961,7 +2961,7 @@ then # verify ML-DSA certificates, so keep ASN.1 there. if test "$tinytls13_mldsa" = "yes" && test "$tinytls13_base" != "cert" then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_ASN1" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_NO_ASN1" fi if test "$tinytls13_base" = "cert" diff --git a/examples/configs/tinytls13_smoke.c b/examples/configs/tinytls13_smoke.c index feb1485396..422c3c776d 100644 --- a/examples/configs/tinytls13_smoke.c +++ b/examples/configs/tinytls13_smoke.c @@ -123,7 +123,8 @@ int main(int argc, char** argv) membuf c2s; /* client writes, server reads */ membuf s2c; /* server writes, client reads */ int i, cdone = 0, sdone = 0, ret = 1; - int cret = WOLFSSL_FATAL_ERROR, sret = WOLFSSL_FATAL_ERROR; + int cret = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR); + int sret = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR); const char* cipher = (argc > 1) ? argv[1] : "-"; const char* group = (argc > 2) ? argv[2] : "-"; int mlkemGroup[1]; 
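Review bot: The `mldsa)` case now passes `-DWOLFSSL_NO_ML_DSA_65` where it used to pass `-DWOLFSSL_NO_ML_DSA_44`, so `--enable-tinytls13=mldsa` silently changes from ML-DSA-65-only to ML-DSA-44-only verification, and a rebuilt client will reject chains rooted in an ML-DSA-65 CA. Neither the option value nor the `AC_MSG_ERROR` list of valid values names the parameter set, so nothing at configure time warns an integrator that the trust anchor has to change; the same switch is made in the PQC block of `examples/configs/user_settings_tinytls13.h`. I would add a comment on the case such as `# mldsa: ML-DSA-44 verify-only; 65 and 87 are compiled out` and mention the change in the release notes. The renamed `WOLFSSL_MLDSA_VERIFY_ONLY`, `WOLFSSL_MLDSA_VERIFY_SMALL_MEM` and (next hunk) `WOLFSSL_MLDSA_NO_ASN1` only take effect if the library tests those spellings, which this diff does not show, so that is worth confirming. The `case` statement opens above the hunk.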
@@ -156,11 +157,11 @@ int main(int argc, char** argv) #ifdef WOLFSSL_TINY_TLS13_CERT /* Server presents a P-256 ECDSA leaf; the client validates it against the * CA. The leaf is signed by the CA whose algorithm this profile verifies, - * so a completed handshake drives that verify path (ECDSA, ML-DSA-65, or + * so a completed handshake drives that verify path (ECDSA, ML-DSA-44, or * RSA-PSS). */ #if defined(WOLFSSL_HAVE_MLDSA) - XSNPRINTF(sCert, sizeof(sCert), "%s/mldsa/ecc-leaf-mldsa65.pem", certDir); - XSNPRINTF(cCa, sizeof(cCa), "%s/mldsa/mldsa65-cert.pem", certDir); + XSNPRINTF(sCert, sizeof(sCert), "%s/mldsa/ecc-leaf-mldsa44.pem", certDir); + XSNPRINTF(cCa, sizeof(cCa), "%s/mldsa/mldsa44-cert.pem", certDir); #elif defined(WOLFSSL_TINY_TLS13_RSA_VERIFY) XSNPRINTF(sCert, sizeof(sCert), "%s/rsapss/ecc-leaf-rsapss.pem", certDir); XSNPRINTF(cCa, sizeof(cCa), "%s/rsapss/ca-rsapss.pem", certDir); diff --git a/examples/configs/user_settings_tinytls13.h b/examples/configs/user_settings_tinytls13.h index 83d8821f40..e2de2706f1 100644 --- a/examples/configs/user_settings_tinytls13.h +++ b/examples/configs/user_settings_tinytls13.h @@ -75,6 +75,16 @@ extern "C" { * static memory pool above. */ #define WOLFSSL_NO_MALLOC #endif +#if 0 /* Static-memory pool buckets for a tinytls13 PSK handshake, measured with + * wolfSSL's memory-bucket-optimizer. The distribution sets the minimum + * pool size (~320 KB for client+server, ~half a single role), so enable + * these only once your buffer matches; re-run the optimizer for your own + * role/adders. Left out of the floor because forcing a large distribution + * breaks consumers that load a smaller buffer. */ + #define WOLFMEM_BUCKETS 64,96,160,288,816,3408,5088,6176,10784 + #define WOLFMEM_DIST 92,34,36,421,63,20,3,1,2 + #define WOLFMEM_DEF_BUCKETS 9 +#endif /* ===== SPEED ============================================================ */ #if 0 /* tiny+fast: assembly crypto instead of small-C (size up, speed up) */ 
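Review bot: The `#if defined(WOLFSSL_HAVE_MLDSA)` branch now hard-codes `mldsa/ecc-leaf-mldsa44.pem` and `mldsa/mldsa44-cert.pem`, but the guard does not check that ML-DSA-44 is actually compiled in. A build that keeps `WOLFSSL_HAVE_MLDSA` together with `WOLFSSL_NO_ML_DSA_44` (the configuration this commit replaces) would presumably fail during certificate loading or the handshake with a generic error rather than at compile time. Adding `#if defined(WOLFSSL_HAVE_MLDSA) && defined(WOLFSSL_NO_ML_DSA_44)` / `#error "tinytls13 smoke test needs ML-DSA-44"` ahead of this block would make the mismatch obvious. The return values of the `XSNPRINTF` calls are also unchecked, so a long `certDir` would truncate the path silently; `main` continues outside the hunk and the buffer sizes are not visible here.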
@@ -103,23 +113,28 @@ extern "C" { #endif /* ===== PQC ADDERS (valid on either profile; SHA-3/SHAKE pulled in auto) = */ -#if 0 /* ML-DSA-65 verify-only. Use with the cert profile (Profile B) for TLS +#if 0 /* ML-DSA-44 verify-only. Use with the cert profile (Profile B) for TLS * auth: the PSK floor has no certificate to verify, so on Profile A - * this only confirms the umbrella builds. */ + * this only confirms the umbrella builds. ML-DSA-44 is the right tier + * for a tiny stack paired with X25519/P-256 + AES-128; higher levels + * add no security against that classical floor. */ #define WOLFSSL_HAVE_MLDSA - #define WOLFSSL_DILITHIUM_VERIFY_ONLY - #define WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM + #define WOLFSSL_MLDSA_VERIFY_ONLY + #define WOLFSSL_MLDSA_VERIFY_SMALL_MEM #ifndef WOLFSSL_TINY_TLS13_CERT /* PSK floor never parses a cert; the cert profile needs ML-DSA ASN.1 * to decode and verify ML-DSA certificates, so keep it there. */ - #define WOLFSSL_DILITHIUM_NO_ASN1 + #define WOLFSSL_MLDSA_NO_ASN1 #endif - #define WOLFSSL_NO_ML_DSA_44 + #define WOLFSSL_NO_ML_DSA_65 #define WOLFSSL_NO_ML_DSA_87 #endif -#if 0 /* ML-KEM-768 + X25519MLKEM768 hybrid */ +#if 0 /* ML-KEM-768 + X25519MLKEM768 hybrid (768 is the widely-adopted tier; + * disable 512/1024) */ #define WOLFSSL_HAVE_MLKEM - #define WOLFSSL_WC_MLKEM + #define WOLFSSL_NO_ML_KEM_512 + #define WOLFSSL_NO_ML_KEM_1024 + #define WOLFSSL_MLKEM_DYNAMIC_KEYS #endif /* ===== PLATFORM (bare-metal defaults; adjust for your target) ========== */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 1a83263ba3..9d53d875c4 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h 
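Review bot: The new rationale comment on the ML-DSA block says higher levels "add no security against that classical floor", which reads as a general recommendation; a verify-only client has to match whatever parameter set its CA uses, and some compliance profiles (CNSA 2.0, for example) require ML-DSA-87 regardless of the symmetric floor. I would soften it to something like `/* ML-DSA-44 is the smallest tier; choose 65 or 87 if your CA or policy requires it. */`. In the ML-KEM block, `WOLFSSL_WC_MLKEM` is dropped and `WOLFSSL_MLKEM_DYNAMIC_KEYS` is added with no explanation; if, as the name suggests, the latter allocates key storage at run time, it interacts with the `WOLFSSL_NO_MALLOC` / static-pool options earlier in this header, whose bucket sizes were measured for a PSK handshake. A short comment saying where those key buffers come from when the static pool is enabled would save an integrator from a handshake-time allocation failure.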
@@ -2028,13 +2028,19 @@ #undef NO_PWDBASED #define NO_PWDBASED - /* Footprint hygiene. */ + /* Footprint hygiene. NO_FILESYSTEM stays template-only so examples link. */ #undef NO_ERROR_STRINGS #define NO_ERROR_STRINGS #undef WOLFSSL_SMALL_STACK #define WOLFSSL_SMALL_STACK #undef NO_SESSION_CACHE #define NO_SESSION_CACHE + #undef NO_CLIENT_CACHE + #define NO_CLIENT_CACHE + #undef NO_HANDSHAKE_DONE_CB + #define NO_HANDSHAKE_DONE_CB + #undef NO_SIG_WRAPPER + #define NO_SIG_WRAPPER #undef SINGLE_THREADED #define SINGLE_THREADED @@ -2053,6 +2059,8 @@ #ifdef WOLFSSL_TINY_TLS13_STATIC_MEM #undef WOLFSSL_STATIC_MEMORY #define WOLFSSL_STATIC_MEMORY + /* Size a tiny WOLFMEM_* pool with the memory-bucket-optimizer; see the + * measured starting point in user_settings_tinytls13.h. */ #endif /* Profile A: no X.509 at all (the cert variant keeps ASN/certs). */
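Review bot: The three new `#undef`/`#define` pairs for `NO_CLIENT_CACHE`, `NO_HANDSHAKE_DONE_CB` and `NO_SIG_WRAPPER` are forced under the tiny-TLS13 umbrella with no per-macro opt-out, and the only comment added in this hunk concerns `NO_FILESYSTEM`. An application that already registers a handshake-done callback or calls the signature wrapper API would presumably fail to build or link once the umbrella is enabled, with nothing here explaining why. A one-line comment per macro would help, e.g. `/* Tiny profile: no handshake-done callback, no signature wrapper API. */`. The enclosing `#ifdef` block opens above the hunk, so whether an override hook exists is not visible here.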