Merge pull request #9843 from kaleb-himes/PQ-FS-2026-Part2

Phase 2: PQ in boundary and SHA512 DRBG
This commit is contained in:
JacobBarthelmeh
2026-04-24 10:55:36 -06:00
committed by GitHub
50 changed files with 14675 additions and 1094 deletions
+2
@@ -733,6 +733,7 @@ WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC
WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A
WOLFSSL_DILITHIUM_SMALL_MEM_POLY64
WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
WOLFSSL_DRBG_SHA256
WOLFSSL_DTLS_DISALLOW_FUTURE
WOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS
WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT
@@ -1133,3 +1134,4 @@ ssize_t
sun
versal
wc_Tls13_HKDF_Expand_Label
WOLFSSL_NO_LMS_SHAKE256_256
+6
@@ -318,6 +318,12 @@
<ClCompile Include="..\..\wolfcrypt\src\wolfmath.c" />
<ClCompile Include="..\..\wolfcrypt\src\wolfevent.c" />
<ClCompile Include="..\..\wolfcrypt\src\pkcs12.c" />
<ClCompile Include="..\..\wolfcrypt\src\dilithium.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_lms.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_lms_impl.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_xmss.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_xmss_impl.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_slhdsa.c" />
</ItemGroup>
<ItemGroup>
<CustomBuild Include="..\..\wolfcrypt\src\aes_asm.asm">
+713 -127
@@ -623,10 +623,8 @@ AS_CASE([$ENABLED_FIPS],
DEF_SP_MATH="yes"
DEF_FAST_MATH="no"
],
# Should always remain one ahead of the latest so as not to be confused with
# the latest
[ready],[
FIPS_VERSION="ready"
[v7],[
FIPS_VERSION="v7"
HAVE_FIPS_VERSION=7
HAVE_FIPS_VERSION_MAJOR=7
HAVE_FIPS_VERSION_MINOR=0
@@ -635,9 +633,21 @@ AS_CASE([$ENABLED_FIPS],
DEF_SP_MATH="yes"
DEF_FAST_MATH="no"
],
[dev],[
# Should always remain one ahead of the latest so as not to be confused with
# the latest
[ready|v7-ready],[
FIPS_VERSION="ready"
HAVE_FIPS_VERSION=8
HAVE_FIPS_VERSION_MAJOR=8
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
DEF_SP_MATH="yes"
DEF_FAST_MATH="no"
],
[dev|v7-dev],[
FIPS_VERSION="dev"
HAVE_FIPS_VERSION_MAJOR=7
HAVE_FIPS_VERSION_MAJOR=8
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
@@ -645,14 +655,14 @@ AS_CASE([$ENABLED_FIPS],
],
[lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[
FIPS_VERSION="$ENABLED_FIPS"
HAVE_FIPS_VERSION_MAJOR=7
HAVE_FIPS_VERSION_MAJOR=8
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
],
[
AS_IF([test "$ENABLED_FIPS" = "yes"],[ENABLED_FIPS="(unset)"],[ENABLED_FIPS=\"$ENABLED_FIPS\"])
AC_MSG_ERROR([Invalid value for --enable-fips $ENABLED_FIPS (main options: v1, v2, v5, v6, ready, dev, rand, lean-aesgcm, no, disabled)])
AC_MSG_ERROR([Invalid value for --enable-fips $ENABLED_FIPS (main options: v1, v2, v5, v6, v7, ready, dev, rand, lean-aesgcm, no, disabled)])
])
if test -z "$HAVE_FIPS_VERSION_MAJOR"
@@ -1828,39 +1838,6 @@ do
esac
done
if test "$ENABLED_DILITHIUM" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_DILITHIUM"
if test "$ENABLED_MLDSA44" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_44"
fi
if test "$ENABLED_MLDSA65" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_65"
fi
if test "$ENABLED_MLDSA87" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_87"
fi
if test "$ENABLED_DILITHIUM_MAKE_KEY" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_MAKE_KEY"
fi
if test "$ENABLED_DILITHIUM_SIGN" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_SIGN"
fi
if test "$ENABLED_DILITHIUM_VERIFY" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_VERIFY"
fi
if test "$ENABLED_LIBOQS" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_DILITHIUM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_WC_DILITHIUM"
test "$enable_sha3" = "" && enable_sha3=yes
test "$enable_shake128" = "" && enable_shake128=yes
test "$enable_shake256" = "" && enable_shake256=yes
fi
ENABLED_CERTS=yes
fi
# XMSS
ENABLED_WC_XMSS=no
AC_ARG_ENABLE([xmss],
@@ -1940,19 +1917,6 @@ AC_ARG_WITH([libxmss],
[XMSS_ROOT=""]
)
if test "$ENABLED_XMSS" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_XMSS"
# Use hash-sigs XMSS lib if enabled.
if test "$ENABLED_LIBXMSS" = "yes"; then
ENABLED_WC_XMSS=no
else
ENABLED_WC_XMSS=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_XMSS"
fi
fi
# LMS
ENABLED_WC_LMS=no
AC_ARG_ENABLE([lms],
@@ -1980,6 +1944,9 @@ do
sha256-192)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192"
;;
shake256)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHAKE256"
;;
*)
AC_MSG_ERROR([Invalid choice for LMS []: $ENABLED_LMS.])
break;;
@@ -2054,19 +2021,6 @@ AC_ARG_WITH([liblms],
]
)
if test "$ENABLED_LMS" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_LMS"
# Use hash-sigs LMS lib if enabled.
if test "$ENABLED_LIBLMS" = "yes"; then
ENABLED_WC_LMS=no
else
ENABLED_WC_LMS=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_LMS"
fi
fi
# SLH-DSA
ENABLED_SLHDSA=yes
AC_ARG_ENABLE([slhdsa],
@@ -2121,59 +2075,50 @@ do
no-f)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_FAST"
;;
sha2)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_128S=yes
SLHDSA_PARAM_SHA2_128F=yes
SLHDSA_PARAM_SHA2_192S=yes
SLHDSA_PARAM_SHA2_192F=yes
SLHDSA_PARAM_SHA2_256S=yes
SLHDSA_PARAM_SHA2_256F=yes
;;
sha2-128s)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_128S=yes
;;
sha2-128f)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_128F=yes
;;
sha2-192s)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_192S=yes
;;
sha2-192f)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_192F=yes
;;
sha2-256s)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_256S=yes
;;
sha2-256f)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_256F=yes
;;
no-sha2-s)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL"
;;
no-sha2-f)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST"
;;
*)
AC_MSG_ERROR([Invalid choice for SLH-DSA []: $ENABLED_SLHDSA.])
break;;
esac
done
if test "$ENABLED_SLHDSA" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SLHDSA"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SLHDSA"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_SLHDSA"
if test "$SLHDSA_PARAM_128S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128S"
fi
if test "$SLHDSA_PARAM_128F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128F"
fi
if test "$SLHDSA_PARAM_192S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192S"
fi
if test "$SLHDSA_PARAM_192F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192F"
fi
if test "$SLHDSA_PARAM_256S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256S"
fi
if test "$SLHDSA_PARAM_256F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256F"
fi
enable_shake256=yes
fi
# SINGLE THREADED
AC_ARG_ENABLE([singlethreaded],
[AS_HELP_STRING([--enable-singlethreaded],[Enable wolfSSL single threaded (default: disabled)])],
@@ -4557,6 +4502,17 @@ AC_ARG_ENABLE([shake128],
[ ENABLED_SHAKE128=$SHAKE_DEFAULT ]
)
# MLKEM requires SHAKE128. Force-enable when MLKEM is enabled.
if test "$ENABLED_MLKEM" != "no"
then
if test "$ENABLED_SHAKE128" = "no"
then
AC_MSG_NOTICE([MLKEM enabled (not explicitly disabled); overriding --disable-shake128 to enable SHAKE128])
ENABLED_SHAKE128=yes
enable_shake128=yes
fi
fi
# SHAKE256
AC_ARG_ENABLE([shake256],
[AS_HELP_STRING([--enable-shake256],[Enable wolfSSL SHAKE256 support (default: disabled)])],
@@ -4564,6 +4520,17 @@ AC_ARG_ENABLE([shake256],
[ ENABLED_SHAKE256=$SHAKE_DEFAULT ]
)
# MLKEM requires SHAKE256. Force-enable when MLKEM is enabled.
if test "$ENABLED_MLKEM" != "no"
then
if test "$ENABLED_SHAKE256" = "no"
then
AC_MSG_NOTICE([MLKEM enabled (not explicitly disabled); overriding --disable-shake256 to enable SHAKE256])
ENABLED_SHAKE256=yes
enable_shake256=yes
fi
fi
# SHA512
AC_ARG_ENABLE([sha512],
[AS_HELP_STRING([--enable-sha512],[Enable wolfSSL SHA-512 support (default: enabled)])],
@@ -4589,6 +4556,25 @@ then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512"
fi
# SHA-256 Hash DRBG (SP 800-90A) -- sub-option of hashdrbg
AC_ARG_ENABLE([sha256-drbg],
[AS_HELP_STRING([--enable-sha256-drbg],[Enable SHA-256 Hash DRBG (default: enabled)])],
[ ENABLED_SHA256_DRBG=$enableval ],
[ ENABLED_SHA256_DRBG=yes ]
)
# SHA-512 Hash DRBG (SP 800-90A) -- sub-option of hashdrbg
AC_ARG_ENABLE([sha512-drbg],
[AS_HELP_STRING([--enable-sha512-drbg],[Enable SHA-512 Hash DRBG (default: enabled)])],
[ ENABLED_SHA512_DRBG=$enableval ],
[ ENABLED_SHA512_DRBG=yes ]
)
# SHA-512 DRBG requires SHA-512
if test "$ENABLED_SHA512" != "yes"
then
ENABLED_SHA512_DRBG=no
fi
# SHA384
AC_ARG_ENABLE([sha384],
@@ -6132,12 +6118,12 @@ AC_ARG_ENABLE([aeskeywrap],
# FIPS feature and macro setup
AS_CASE([$FIPS_VERSION],
[v6|ready|dev],[ # FIPS 140-3 SRTP-KDF
[v7|ready|dev],[ # FIPS 140-3 PQ-FS
AS_IF([test "$FIPS_VERSION" = "dev"],
ENABLED_FIPS_DEV=yes
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
AS_IF([test "$FIPS_VERSION" = "ready"],
AS_IF([test "$FIPS_VERSION" = "ready" || test "$FIPS_VERSION" = "v7"],
ENABLED_FIPS_READY=yes
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
@@ -6253,8 +6239,248 @@ AS_CASE([$FIPS_VERSION],
(test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
# SHA512-224 and SHA512-256 enabled for FIPS v7+ (needed for ML-DSA
# HashML-DSA ACVP test vectors with SHA2-512/224 and SHA2-512/256)
# Shake128 because we're testing SHAKE256
AS_IF([test "x$ENABLED_SHAKE128" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_shake128" != "no")],
[ENABLED_SHAKE128="yes"])
# Shake256 mandated for ED448
AS_IF([test "x$ENABLED_SHAKE256" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_shake256" != "no")],
[ENABLED_SHAKE256="yes"])
# Aes section
AS_IF([test "$ENABLED_AESCCM" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesccm" != "no")],
[ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
AS_IF([test "$ENABLED_AESCTR" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesctr" != "no")],
[ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
AS_IF([test "$ENABLED_CMAC" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_cmac" != "no")],
[ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
AS_IF([test "$ENABLED_AESGCM" = "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm" != "no")],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm_stream" != "no")],
[ENABLED_AESGCM_STREAM="yes"])
AS_IF([test "x$ENABLED_AESOFB" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesofb" != "no")],
[ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])
AS_IF([test "x$ENABLED_AESCFB" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aescfb" != "no")],
[ENABLED_AESCFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"])
AS_IF([test "x$ENABLED_AESXTS" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesxts" != "no")],
[ENABLED_AESXTS="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_XTS"])
AS_IF([test "x$ENABLED_AESXTS" = "xyes" && test "x$ENABLED_AESNI" = "xyes"],
[AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
AS_IF([test "x$ENABLED_AESXTS_STREAM" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesxts_stream" != "no")],
[ENABLED_AESXTS_STREAM="yes"])
AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
AS_IF([test "x$ENABLED_AESKEYWRAP" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aeskeywrap" != "no")],
[ENABLED_AESKEYWRAP="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_KEYWRAP"])
# Post-Quantum section
AS_IF([test "$ENABLED_MLKEM" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_mlkem" != "no")],
[ENABLED_MLKEM="yes"
ENABLED_MLKEM512="yes"
ENABLED_MLKEM768="yes"
ENABLED_MLKEM1024="yes"
ENABLED_MLKEM_MAKE_KEY="yes"
ENABLED_MLKEM_ENCAPSULATE="yes"
ENABLED_MLKEM_DECAPSULATE="yes"])
AS_IF([test "$ENABLED_DILITHIUM" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_dilithium" != "no")],
[ENABLED_DILITHIUM="yes"
ENABLED_MLDSA44="yes"
ENABLED_MLDSA65="yes"
ENABLED_MLDSA87="yes"
ENABLED_DILITHIUM_MAKE_KEY="yes"
ENABLED_DILITHIUM_SIGN="yes"
ENABLED_DILITHIUM_VERIFY="yes"])
AS_IF([test "$ENABLED_XMSS" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_xmss" != "no")],
[ENABLED_XMSS="yes"])
AS_IF([test "$ENABLED_LMS" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_lms" != "no")],
[ENABLED_LMS="yes"])
# LMS: enable SHA-256/192 and SHAKE256 parameter sets for FIPS v7
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192 -DWOLFSSL_LMS_SHAKE256"
AS_IF([test "$ENABLED_SLHDSA" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_slhdsa" != "no")],
[ENABLED_SLHDSA="yes"
SLHDSA_PARAM_128S="yes"
SLHDSA_PARAM_128F="yes"
SLHDSA_PARAM_192S="yes"
SLHDSA_PARAM_192F="yes"
SLHDSA_PARAM_256S="yes"
SLHDSA_PARAM_256F="yes"
SLHDSA_SHA2="yes"
SLHDSA_PARAM_SHA2_128S="yes"
SLHDSA_PARAM_SHA2_128F="yes"
SLHDSA_PARAM_SHA2_192S="yes"
SLHDSA_PARAM_SHA2_192F="yes"
SLHDSA_PARAM_SHA2_256S="yes"
SLHDSA_PARAM_SHA2_256F="yes"])
# SHA-256 DRBG -- cannot be disabled at build time in FIPS mode
AS_IF([test "$enable_sha256_drbg" = "no"],
[AC_MSG_WARN([Can not disable SHA256-DRBG at build time in FIPS mode, disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])])
ENABLED_SHA256_DRBG="yes"
# SHA-512 DRBG -- cannot be disabled at build time in FIPS mode
AS_IF([test "$enable_sha512_drbg" = "no"],
[AC_MSG_WARN([Can not disable SHA512-DRBG at build time in FIPS mode, disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])])
ENABLED_SHA512_DRBG="yes"
# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
AS_IF([test "$ENABLED_OLD_TLS" != "no"],
[AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
],
[v6],[ # FIPS 140-3 SRTP-KDF (frozen)
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
-DHAVE_ECC_CDH \
-DWC_RSA_NO_PADDING \
-DECC_USER_CURVES \
-DHAVE_ECC384 \
-DHAVE_ECC521 \
-DWOLFSSL_VALIDATE_FFC_IMPORT \
-DHAVE_FFDHE_Q \
-DHAVE_FFDHE_3072 \
-DHAVE_FFDHE_4096 \
-DHAVE_FFDHE_6144 \
-DHAVE_FFDHE_8192"
# KCAPI API does not support custom k for sign, don't force enable ECC key sizes and don't use seed callback
AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
[AM_CFLAGS="$AM_CFLAGS \
-DWC_RNG_SEED_CB \
-DWOLFSSL_ECDSA_SET_K \
-DWOLFSSL_VALIDATE_ECC_IMPORT \
-DWOLFSSL_VALIDATE_ECC_KEYGEN \
-DHAVE_ECC192 \
-DHAVE_ECC224 \
-DHAVE_ECC256"])
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
# optimizations section
# protocol section
AS_IF([test "$ENABLED_WOLFSSH" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ssh" != "no")],
[enable_ssh="yes"])
AS_IF([test "$ENABLED_HKDF" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_hkdf" != "no")],
[ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
AS_IF([test "x$ENABLED_PWDBASED" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_pwdbased" != "no")],
[ENABLED_PWDBASED="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_PBKDF2 -DHAVE_AESGCM"])
AS_IF([test "x$ENABLED_SRTP" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_srtp" != "no")],
[ENABLED_SRTP="yes"])
AS_IF([test "x$ENABLED_SRTP_KDF" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_srtp_kdf" != "no")],
[ENABLED_SRTP_KDF="yes"])
# public key section
AS_IF([test "$ENABLED_KEYGEN" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_keygen" != "no")],
[ENABLED_KEYGEN="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
# AS_IF([test "$ENABLED_COMPKEY" != "yes" &&
# (test "$FIPS_VERSION" != "dev" || test "$enable_compkey" != "yes")],
# [ENABLED_COMPKEY="yes"])
AS_IF([test "$ENABLED_RSAPSS" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_rsapss" != "no")],
[ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
AS_IF([test "$ENABLED_ECC" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ecc" != "no")],
[ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
AS_IF([test "$ENABLED_ECC_SHAMIR" = "yes"],
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
AS_IF([test "$ENABLED_ED25519" = "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed25519" != "no")],
[ENABLED_ED25519="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519 -DHAVE_ED25519_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE25519" != "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_curve25519" = "")],
[ENABLED_CURVE25519="no"; AM_CFLAGS="$AM_CFLAGS"])
AS_IF([test "x$ENABLED_ED448" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed448" != "no")],
[ENABLED_ED448="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED448 -DHAVE_ED448_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE448" != "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_curve448" = "")],
[ENABLED_CURVE448="no"; AM_CFLAGS="$AM_CFLAGS"])
AS_IF([test "x$ENABLED_ED25519_STREAM" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed25519_stream" != "no")],
[ENABLED_ED25519_STREAM="yes"])
AS_IF([test "x$ENABLED_ED448_STREAM" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed448_stream" != "no")],
[ENABLED_ED448_STREAM="yes"])
AS_IF([test "x$ENABLED_ECCCUSTCURVES" != "xno" &&
test "$FIPS_VERSION" != "dev"],
[AC_MSG_WARN([Forcing off ecccustcurves for FIPS ${FIPS_VERSION}.])
ENABLED_ECCCUSTCURVES="no"])
# Hashing section
AS_IF([test "x$ENABLED_SHA3" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_sha3" != "no")],
[ENABLED_SHA3="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"])
AS_IF([test "$ENABLED_SHA224" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_sha224" != "no")],
[ENABLED_SHA224="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"])
AS_IF([test "$ENABLED_SHA512" = "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
# SHA512-224 and SHA512-256 are needed for HashML-DSA (FIPS 204)
# Shake128 because we're testing SHAKE256
AS_IF([test "x$ENABLED_SHAKE128" = "xno" &&
@@ -6990,6 +7216,10 @@ then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_PQC_HYBRIDS"
fi
# Selftest uses its own random.c which doesn't support SHA-512 DRBG
# or runtime DRBG disable/enable APIs
AS_IF([test "x$ENABLED_SELFTEST" = "xyes"],
[ENABLED_SHA512_DRBG=no])
AS_IF([test "x$ENABLED_AESXTS" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_XTS -DWOLFSSL_AES_DIRECT"])
@@ -7096,6 +7326,21 @@ then
AM_CFLAGS="$AM_CFLAGS -DWC_SRTP_KDF -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT"
fi
# ML-KEM and Dilithium require SHA-3 and SHAKE -- force them on before flag
# processing so that the correct -D flags are emitted.
if test "$ENABLED_MLKEM" != "no" && test "$ENABLED_LIBOQS" = "no"
then
ENABLED_SHA3=yes
ENABLED_SHAKE128=yes
ENABLED_SHAKE256=yes
fi
if test "$ENABLED_DILITHIUM" != "no" && test "$ENABLED_LIBOQS" = "no"
then
ENABLED_SHA3=yes
ENABLED_SHAKE128=yes
ENABLED_SHAKE256=yes
fi
# Set SHA-3 flags
if test "$ENABLED_SHA3" != "no"
then
@@ -7134,6 +7379,305 @@ else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
fi
# MLKEM CFLAG processing (after FIPS section for sandwich pattern)
if test "$ENABLED_MLKEM" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLKEM"
# Use liboqs if specified.
if test "$ENABLED_LIBOQS" = "no"; then
ENABLED_WC_MLKEM=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_MLKEM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_WC_MLKEM"
fi
if test "$ENABLED_ORIGINAL" = "yes"; then
# FIPS 203 (ML-KEM) and Kyber use different implicit rejection.
# Kyber mode must not be used in FIPS v7+ builds.
AS_IF([test "$HAVE_FIPS_VERSION" -ge 7],
[AC_MSG_ERROR([Kyber (--enable-mlkem=original) is not compatible with FIPS v7+. Use ML-KEM (FIPS 203) instead.])])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_KYBER"
if test "$ENABLED_MLKEM512" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER512"
fi
if test "$ENABLED_MLKEM768" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER768"
fi
if test "$ENABLED_MLKEM1024" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER1024"
fi
if test "$ENABLED_ML_KEM" = "unset"; then
ENABLED_ML_KEM=no
fi
fi
if test "$ENABLED_ML_KEM" = "unset"; then
ENABLED_ML_KEM=yes
fi
if test "$ENABLED_ML_KEM" = "yes"; then
if test "$ENABLED_MLKEM512" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_512"
fi
if test "$ENABLED_MLKEM768" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_768"
fi
if test "$ENABLED_MLKEM1024" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_1024"
fi
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM"
fi
if test "$ENABLED_MLKEM_MAKE_KEY" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_MAKE_KEY"
fi
if test "$ENABLED_MLKEM_ENCAPSULATE" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_ENCAPSULATE"
fi
if test "$ENABLED_MLKEM_DECAPSULATE" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_DECAPSULATE"
fi
if test "$ENABLED_WC_MLKEM" = "yes"
then
test "$enable_sha3" = "" && enable_sha3=yes
test "$enable_shake128" = "" && enable_shake128=yes
test "$enable_shake256" = "" && enable_shake256=yes
fi
fi
AC_ARG_ENABLE([tls-mlkem-standalone],
[AS_HELP_STRING([--enable-tls-mlkem-standalone],[Enable ML-KEM as standalone TLS key exchange (non-hybrid) (default: disabled)])],
[ ENABLED_MLKEM_STANDALONE=$enableval ],
[ ENABLED_MLKEM_STANDALONE=no ]
)
AS_IF([ test "$ENABLED_MLKEM_STANDALONE" = "yes" && test "$ENABLED_ML_KEM" = "no" ],[AC_MSG_ERROR([ML-KEM as standalone TLS key exchange (non-hybrid) requires ML-KEM.])])
if test "$ENABLED_MLKEM_STANDALONE" != "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_NO_MLKEM_STANDALONE"
fi
AC_ARG_ENABLE([pqc-hybrids],
[AS_HELP_STRING([--enable-pqc-hybrids],[Enable PQ/T hybrid combinations (default: enabled)])],
[ ENABLED_PQC_HYBRIDS=$enableval ],
[ ENABLED_PQC_HYBRIDS=yes ]
)
if test "$ENABLED_PQC_HYBRIDS" = "yes"
then
if test "$ENABLED_ML_KEM" = "no" || test "$ENABLED_MLKEM" = "no"
then
ENABLED_PQC_HYBRIDS=no
elif test "$ENABLED_MLKEM768" = "" && test "$ENABLED_MLKEM1024" = ""; then
AC_MSG_NOTICE([PQC hybrid combinations require either ML-KEM 768 or ML-KEM 1024, but both disabled.])
ENABLED_PQC_HYBRIDS=no
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PQC_HYBRIDS"
fi
fi
if test "$ENABLED_ML_KEM" != "no" && test "$ENABLED_MLKEM" != "no"
then
if test "$ENABLED_PQC_HYBRIDS" = "no" && test "$ENABLED_MLKEM_STANDALONE" = "no" && test "$ENABLED_CRYPTONLY" = "no"
then
AC_MSG_ERROR([Both hybrid PQ/T and standalone ML-KEM are disabled, so no PQC hybrid combinations will be available.])
fi
fi
# Extra PQ/T Hybrid combinations
AC_ARG_ENABLE([extra-pqc-hybrids],
[AS_HELP_STRING([--enable-extra-pqc-hybrids],[Enable extra PQ/T hybrid combinations (default: disabled)])],
[ ENABLED_EXTRA_PQC_HYBRIDS=$enableval ],
[ ENABLED_EXTRA_PQC_HYBRIDS=no ]
)
if test "$ENABLED_EXTRA_PQC_HYBRIDS" = "yes"
then
AS_IF([ test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([extra-pqc-hybrids requires --enable-experimental.]) ])
AS_IF([ test "$ENABLED_ML_KEM" = "no" ],[ AC_MSG_ERROR([extra-pqc-hybrids requires ML-KEM.]) ])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_PQC_HYBRIDS"
fi
# Dilithium CFLAG processing (after FIPS section for sandwich pattern)
if test "$ENABLED_DILITHIUM" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_DILITHIUM"
if test "$ENABLED_MLDSA44" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_44"
fi
if test "$ENABLED_MLDSA65" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_65"
fi
if test "$ENABLED_MLDSA87" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_87"
fi
if test "$ENABLED_DILITHIUM_MAKE_KEY" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_MAKE_KEY"
fi
if test "$ENABLED_DILITHIUM_SIGN" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_SIGN"
fi
if test "$ENABLED_DILITHIUM_VERIFY" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_VERIFY"
fi
if test "$ENABLED_LIBOQS" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_DILITHIUM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_WC_DILITHIUM"
test "$enable_sha3" = "" && enable_sha3=yes
test "$enable_shake128" = "" && enable_shake128=yes
test "$enable_shake256" = "" && enable_shake256=yes
fi
ENABLED_CERTS=yes
fi
# XMSS CFLAG processing (after FIPS section for sandwich pattern)
if test "$ENABLED_XMSS" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_XMSS"
# Use hash-sigs XMSS lib if enabled.
if test "$ENABLED_LIBXMSS" = "yes"; then
ENABLED_WC_XMSS=no
else
ENABLED_WC_XMSS=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_XMSS"
fi
fi
# LMS CFLAG processing (after FIPS section for sandwich pattern)
if test "$ENABLED_LMS" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_LMS"
# Use hash-sigs LMS lib if enabled.
if test "$ENABLED_LIBLMS" = "yes"; then
ENABLED_WC_LMS=no
else
ENABLED_WC_LMS=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_LMS"
fi
fi
# SLH-DSA CFLAG processing (after FIPS section for sandwich pattern)
if test "$ENABLED_SLHDSA" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SLHDSA"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SLHDSA"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_SLHDSA"
if test "$SLHDSA_PARAM_128S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128S"
fi
if test "$SLHDSA_PARAM_128F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128F"
fi
if test "$SLHDSA_PARAM_192S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192S"
fi
if test "$SLHDSA_PARAM_192F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192F"
fi
if test "$SLHDSA_PARAM_256S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256S"
fi
if test "$SLHDSA_PARAM_256F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256F"
fi
# SHA2 parameter set support
if test "$SLHDSA_SHA2" = "yes"
then
# Dependency checks for SHA2 SLH-DSA
if test "$ENABLED_SHA256" = "no"
then
AC_MSG_ERROR([SLH-DSA SHA2 requires SHA-256 (--enable-sha256)])
fi
if test "$ENABLED_SHA512" = "no"
then
AC_MSG_ERROR([SLH-DSA SHA2 requires SHA-512 (--enable-sha512)])
fi
if test "$ENABLED_HMAC" = "no"
then
AC_MSG_ERROR([SLH-DSA SHA2 requires HMAC (--enable-hmac)])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_SHA2"
if test "$SLHDSA_PARAM_SHA2_128S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_128S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_128S"
fi
if test "$SLHDSA_PARAM_SHA2_128F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_128F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_128F"
fi
if test "$SLHDSA_PARAM_SHA2_192S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_192S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_192S"
fi
if test "$SLHDSA_PARAM_SHA2_192F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_192F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_192F"
fi
if test "$SLHDSA_PARAM_SHA2_256S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_256S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_256S"
fi
if test "$SLHDSA_PARAM_SHA2_256F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_256F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_256F"
fi
fi
# SLH-DSA requires SHAKE-256 (and SHA-3 as its dependency).
# This runs after the SHAKE256 flags section, so we must set both the
# ENABLED variable and emit the CFLAGS ourselves.
if test "$ENABLED_SHAKE256" = "no" || test "$ENABLED_SHAKE256" = ""
then
ENABLED_SHAKE256=yes
if test "$ENABLED_SHA3" = "no"
then
ENABLED_SHA3=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"
fi
# Remove -DWOLFSSL_NO_SHAKE256 if it was already added and add the
# positive define.
AM_CFLAGS=$(echo "$AM_CFLAGS" | sed 's/-DWOLFSSL_NO_SHAKE256//g')
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE256"
fi
fi
# set POLY1305 default
POLY1305_DEFAULT=yes
@@ -7248,27 +7792,60 @@ then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUF_TEST"
fi
# Hash DRBG
# Hash DRBG (master switch for all Hash DRBGs)
AC_ARG_ENABLE([hashdrbg],
[AS_HELP_STRING([--enable-hashdrbg],[Enable Hash DRBG support (default: enabled)])],
[ ENABLED_HASHDRBG=$enableval ],
[ ENABLED_HASHDRBG=yes ]
)
# If hashdrbg is explicitly disabled, force both sub-options off
if test "x$ENABLED_HASHDRBG" = "xno"
then
ENABLED_SHA256_DRBG=no
ENABLED_SHA512_DRBG=no
fi
# If both sub-options are off, treat hashdrbg as off
if test "x$ENABLED_SHA256_DRBG" != "xyes" && test "x$ENABLED_SHA512_DRBG" != "xyes"
then
ENABLED_HASHDRBG=no
fi
# FIPS override: Hash DRBG is mandatory
if test "x$ENABLED_HASHDRBG" != "xyes" && test "x$ENABLED_FIPS" = "xyes" && test "x$ENABLED_KCAPI" = "xno"
then
if test "$enable_hashdrbg" = "no"
then
AC_MSG_WARN([SHA256-DRBG required in FIPS build])
fi
ENABLED_HASHDRBG=yes
ENABLED_SHA256_DRBG=yes
fi
# SHA-512 DRBG and runtime DRBG disable/enable APIs are v7+ only
if test "x$ENABLED_FIPS" = "xyes" && test $HAVE_FIPS_VERSION -lt 7
then
ENABLED_SHA512_DRBG=no
fi
# Set Hash DRBG compiler flags
if test "x$ENABLED_HASHDRBG" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG"
else
# turn on Hash DRBG if FIPS is on (don't force on for KCAPI)
if test "x$ENABLED_FIPS" = "xyes" && test "x$ENABLED_KCAPI" = "xno"
if test "x$ENABLED_SHA256_DRBG" != "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG"
ENABLED_HASHDRBG=yes
else
AM_CFLAGS="$AM_CFLAGS -DWC_NO_HASHDRBG"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHA256_DRBG"
fi
if test "x$ENABLED_SHA512_DRBG" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DRBG_SHA512"
fi
else
AM_CFLAGS="$AM_CFLAGS -DWC_NO_HASHDRBG"
fi
# MemUse Entropy (AKA wolfEntropy)
if test "x$ENABLED_ENTROPY_MEMUSE" != "xno"
then
@@ -10860,6 +11437,11 @@ AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
test "x$ENABLED_LEANPSK" = "xyes"],
[AC_MSG_ERROR([Cannot use Max Strength and Lean PSK at the same time.])])
AS_IF([test "x$ENABLED_CRYPTONLY" = "xno" && \
test "x$ENABLED_PSK" = "xno" && \
test "x$ENABLED_ASN" = "xno"],
[AC_MSG_ERROR([please enable psk if disabling asn.])])
AS_IF([test "x$ENABLED_OCSP" = "xyes" && \
test "x$ENABLED_ASN" = "xno"],
[AC_MSG_ERROR([please enable asn if enabling ocsp.])])
@@ -11625,6 +12207,8 @@ AM_CONDITIONAL([BUILD_FIPS_V5],[test "$HAVE_FIPS_VERSION" = 5])
AM_CONDITIONAL([BUILD_FIPS_V5_PLUS],[test "$HAVE_FIPS_VERSION" -ge 5])
AM_CONDITIONAL([BUILD_FIPS_V6],[test $HAVE_FIPS_VERSION = 6])
AM_CONDITIONAL([BUILD_FIPS_V6_PLUS],[test $HAVE_FIPS_VERSION -ge 6])
AM_CONDITIONAL([BUILD_FIPS_V7],[test $HAVE_FIPS_VERSION = 7])
AM_CONDITIONAL([BUILD_FIPS_V7_PLUS],[test $HAVE_FIPS_VERSION -ge 7])
AM_CONDITIONAL([BUILD_SIPHASH],[test "x$ENABLED_SIPHASH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SHE],[test "x$ENABLED_SHE" = "xstandard" || test "x$ENABLED_SHE" = "xextended" || test "x$ENABLED_USERSETTINGS" = "xyes"])
@@ -12115,6 +12699,8 @@ echo " * certgencache: $ENABLED_certgencache"
echo " * CHACHA: $ENABLED_CHACHA"
echo " * XCHACHA: $ENABLED_XCHACHA"
echo " * Hash DRBG: $ENABLED_HASHDRBG"
echo " * SHA-256 Hash DRBG: $ENABLED_SHA256_DRBG"
echo " * SHA-512 Hash DRBG: $ENABLED_SHA512_DRBG"
echo " * MmemUse Entropy:"
echo " * (AKA: wolfEntropy): $ENABLED_ENTROPY_MEMUSE"
echo " * PWDBASED: $ENABLED_PWDBASED"
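Review bot: In the Hash DRBG hunk (@@ -7248) the v7 clamp `if test "x$ENABLED_FIPS" = "xyes" && test $HAVE_FIPS_VERSION -lt 7 ... ENABLED_SHA512_DRBG=no` runs after the "both sub-options off" check and after the FIPS override, so a FIPS v6 build configured with `--disable-sha256-drbg` keeps ENABLED_HASHDRBG=yes only on the strength of a SHA-512 DRBG that the clamp then removes, and the flag section emits `-DHAVE_HASHDRBG -DWOLFSSL_NO_SHA256_DRBG` with no DRBG backend and no warning. Moving the clamp above the both-off check lets that check and the FIPS override see the final SHA-512 state and force SHA-256 back on; the warning condition should also cover `test "$enable_sha256_drbg" = "no"` so the override is not silent. This assumes the frozen `[v6]` FIPS case does not itself force ENABLED_SHA256_DRBG, which is outside the visible hunk. Separately, the emitted names `WOLFSSL_DRBG_SHA512` and `WOLFSSL_NO_SHA256_DRBG` (and `WOLFSSL_DRBG_SHA256` added to the word list) follow different word orders; settling on one pattern before these ship would avoid a later rename.
```shell
# … unchanged: hashdrbg AC_ARG_ENABLE and "explicitly disabled" block …
# SHA-512 DRBG and runtime DRBG disable/enable APIs are v7+ only.
# Decide this before the sub-option checks so they see the final state.
if test "x$ENABLED_FIPS" = "xyes" && test "$HAVE_FIPS_VERSION" -lt 7
then
    ENABLED_SHA512_DRBG=no
fi
# If both sub-options are off, treat hashdrbg as off
if test "x$ENABLED_SHA256_DRBG" != "xyes" && test "x$ENABLED_SHA512_DRBG" != "xyes"
then
    ENABLED_HASHDRBG=no
fi
# FIPS override: Hash DRBG is mandatory
if test "x$ENABLED_HASHDRBG" != "xyes" && test "x$ENABLED_FIPS" = "xyes" && test "x$ENABLED_KCAPI" = "xno"
then
    if test "$enable_hashdrbg" = "no" || test "$enable_sha256_drbg" = "no"
    then
        AC_MSG_WARN([SHA256-DRBG required in FIPS build])
    fi
    ENABLED_HASHDRBG=yes
    ENABLED_SHA256_DRBG=yes
fi
# … unchanged: Hash DRBG compiler flag emission …
```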
+237
@@ -583,3 +583,240 @@ int wc_Entropy_Get(int bits, unsigned char* entropy, word32 len);
\sa wc_Entropy_Get
*/
int wc_Entropy_OnDemandTest(void);
/*!
\ingroup Random
\brief Runs the SHA-512 Hash_DRBG Known Answer Test (KAT) per
SP 800-90A. Instantiates a SHA-512 DRBG with seedA, optionally
reseeds with seedB, generates output, and compares against known
test vectors. Available when WOLFSSL_DRBG_SHA512 is defined.
\return 0 On success
\return BAD_FUNC_ARG If seedA or output is NULL, or if reseed is
set and seedB is NULL
\return -1 Test failed
\param reseed Non-zero to test reseeding
\param seedA Initial entropy seed
\param seedASz Size of seedA in bytes
\param seedB Reseed entropy (required if reseed is set)
\param seedBSz Size of seedB in bytes
\param output Buffer to receive generated output
\param outputSz Size of output in bytes
_Example_
\code
byte output[WC_SHA512_DIGEST_SIZE * 4];
const byte seedA[] = { ... };
const byte seedB[] = { ... };
ret = wc_RNG_HealthTest_SHA512(0, seedA, sizeof(seedA), NULL, 0,
output, sizeof(output));
if (ret != 0)
return -1;
ret = wc_RNG_HealthTest_SHA512(1, seedA, sizeof(seedA),
seedB, sizeof(seedB),
output, sizeof(output));
if (ret != 0)
return -1;
\endcode
\sa wc_RNG_HealthTest
\sa wc_RNG_HealthTest_SHA512_ex
*/
int wc_RNG_HealthTest_SHA512(int reseed, const byte* seedA, word32 seedASz,
const byte* seedB, word32 seedBSz,
byte* output, word32 outputSz);
/*!
\ingroup Random
\brief Extended SHA-512 Hash_DRBG health test with nonce,
personalization string, and additional input support. Suitable
for full ACVP / CAVP test vector validation. Available when
WOLFSSL_DRBG_SHA512 is defined.
\return 0 On success
\return BAD_FUNC_ARG If required params are NULL
\return -1 Test failed
\param reseed Non-zero to test reseeding
\param nonce Nonce buffer (can be NULL)
\param nonceSz Nonce size
\param persoString Personalization string (can be NULL)
\param persoStringSz Personalization string size
\param seedA Initial entropy seed
\param seedASz Initial seed size
\param seedB Reseed entropy (required if reseed is set)
\param seedBSz Reseed size
\param additionalA Additional input for first generate (can be NULL)
\param additionalASz Additional input A size
\param additionalB Additional input for second generate (can be NULL)
\param additionalBSz Additional input B size
\param output Output buffer
\param outputSz Output size
\param heap Heap hint (can be NULL)
\param devId Device ID (INVALID_DEVID for software)
_Example_
\code
byte output[WC_SHA512_DIGEST_SIZE * 4];
const byte seedA[] = { ... };
const byte nonce[] = { ... };
int ret = wc_RNG_HealthTest_SHA512_ex(0, nonce, sizeof(nonce),
NULL, 0,
seedA, sizeof(seedA),
NULL, 0,
NULL, 0, NULL, 0,
output, sizeof(output),
NULL, INVALID_DEVID);
\endcode
\sa wc_RNG_HealthTest_SHA512
\sa wc_RNG_HealthTest_ex
*/
int wc_RNG_HealthTest_SHA512_ex(int reseed, const byte* nonce, word32 nonceSz,
const byte* persoString, word32 persoStringSz,
const byte* seedA, word32 seedASz,
const byte* seedB, word32 seedBSz,
const byte* additionalA, word32 additionalASz,
const byte* additionalB, word32 additionalBSz,
byte* output, word32 outputSz,
void* heap, int devId);
/*!
\ingroup Random
\brief Disables the SHA-256 Hash_DRBG at runtime. When disabled,
newly initialized WC_RNG instances will not use the SHA-256 DRBG.
If the SHA-512 DRBG is enabled (WOLFSSL_DRBG_SHA512), new RNG
instances will use SHA-512 instead. Requires HAVE_HASHDRBG.
\return 0 On success
_Example_
\code
wc_Sha256Drbg_Disable();
// New WC_RNG instances will now use SHA-512 DRBG if available
WC_RNG rng;
wc_InitRng(&rng);
\endcode
\sa wc_Sha256Drbg_Enable
\sa wc_Sha256Drbg_IsDisabled
\sa wc_Sha512Drbg_Disable
*/
int wc_Sha256Drbg_Disable(void);
/*!
\ingroup Random
\brief Re-enables the SHA-256 Hash_DRBG at runtime after a prior
call to wc_Sha256Drbg_Disable(). Requires HAVE_HASHDRBG.
\return 0 On success
_Example_
\code
wc_Sha256Drbg_Disable();
// ... use SHA-512 DRBG only ...
wc_Sha256Drbg_Enable();
// New WC_RNG instances can use SHA-256 DRBG again
\endcode
\sa wc_Sha256Drbg_Disable
\sa wc_Sha256Drbg_IsDisabled
*/
int wc_Sha256Drbg_Enable(void);
/*!
\ingroup Random
\brief Returns whether the SHA-256 Hash_DRBG is currently disabled.
Requires HAVE_HASHDRBG.
\return 1 SHA-256 DRBG is disabled
\return 0 SHA-256 DRBG is enabled (not disabled)
_Example_
\code
if (wc_Sha256Drbg_IsDisabled()) {
printf("SHA-256 DRBG is off\n");
}
\endcode
\sa wc_Sha256Drbg_Disable
\sa wc_Sha256Drbg_Enable
*/
int wc_Sha256Drbg_IsDisabled(void);
/*!
\ingroup Random
\brief Disables the SHA-512 Hash_DRBG at runtime. When disabled,
newly initialized WC_RNG instances will not use the SHA-512 DRBG.
If the SHA-256 DRBG is still enabled, new RNG instances will fall
back to SHA-256. Available when WOLFSSL_DRBG_SHA512 is defined.
Requires HAVE_HASHDRBG.
\return 0 On success
_Example_
\code
wc_Sha512Drbg_Disable();
// New WC_RNG instances will now use SHA-256 DRBG
WC_RNG rng;
wc_InitRng(&rng);
\endcode
\sa wc_Sha512Drbg_Enable
\sa wc_Sha512Drbg_IsDisabled
\sa wc_Sha256Drbg_Disable
*/
int wc_Sha512Drbg_Disable(void);
/*!
\ingroup Random
\brief Re-enables the SHA-512 Hash_DRBG at runtime after a prior
call to wc_Sha512Drbg_Disable(). Available when WOLFSSL_DRBG_SHA512
is defined. Requires HAVE_HASHDRBG.
\return 0 On success
_Example_
\code
wc_Sha512Drbg_Disable();
// ... use SHA-256 DRBG only ...
wc_Sha512Drbg_Enable();
// New WC_RNG instances can use SHA-512 DRBG again
\endcode
\sa wc_Sha512Drbg_Disable
\sa wc_Sha512Drbg_IsDisabled
*/
int wc_Sha512Drbg_Enable(void);
/*!
\ingroup Random
\brief Returns whether the SHA-512 Hash_DRBG is currently disabled.
Available when WOLFSSL_DRBG_SHA512 is defined. Requires HAVE_HASHDRBG.
\return 1 SHA-512 DRBG is disabled
\return 0 SHA-512 DRBG is enabled (not disabled)
_Example_
\code
if (wc_Sha512Drbg_IsDisabled()) {
printf("SHA-512 DRBG is off\n");
}
\endcode
\sa wc_Sha512Drbg_Disable
\sa wc_Sha512Drbg_Enable
*/
int wc_Sha512Drbg_IsDisabled(void);
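--- /dev/null
+++ b/UNKNOWN_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,793 @@
+/*!
+\ingroup SLH_DSA
+\brief Initializes an SLH-DSA key object with the specified parameter set.
+Must be called before any other SLH-DSA operation. Use wc_SlhDsaKey_Free()
+to release resources when done.
+SLH-DSA (FIPS 205) is a stateless hash-based digital signature algorithm.
+Parameter sets control the hash function (SHAKE or SHA2), security level
+(128, 192, 256), and speed/size tradeoff (s = small signatures,
+f = fast signing).
+\return 0 on success.
+\return BAD_FUNC_ARG if key is NULL or param is invalid.
+\param [in,out] key Pointer to the SlhDsaKey to initialize.
+\param [in] param Parameter set to use. One of: SLHDSA_SHAKE128S,
+SLHDSA_SHAKE128F, SLHDSA_SHAKE192S, SLHDSA_SHAKE192F, SLHDSA_SHAKE256S,
+SLHDSA_SHAKE256F, SLHDSA_SHA2_128S, SLHDSA_SHA2_128F, SLHDSA_SHA2_192S,
+SLHDSA_SHA2_192F, SLHDSA_SHA2_256S, SLHDSA_SHA2_256F.
+\param [in] heap Pointer to heap hint for dynamic memory allocation.
+May be NULL.
+\param [in] devId Device identifier for hardware crypto callbacks.
+Use INVALID_DEVID for software-only.
+_Example_
+\code
+SlhDsaKey key;
+int ret;
+ret = wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
+if (ret != 0) {
+// error initializing key
+}
+// ... use key ...
+wc_SlhDsaKey_Free(&key);
+\endcode
+\sa wc_SlhDsaKey_Free
+\sa wc_SlhDsaKey_MakeKey
+*/
+int wc_SlhDsaKey_Init(SlhDsaKey* key, enum SlhDsaParam param,
+void* heap, int devId);
+/*!
+\ingroup SLH_DSA
+\brief Frees resources associated with an SLH-DSA key object.
+\param [in,out] key Pointer to the SlhDsaKey to free. May be NULL.
+_Example_
+\code
+SlhDsaKey key;
+wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
+// ... use key ...
+wc_SlhDsaKey_Free(&key);
+\endcode
+\sa wc_SlhDsaKey_Init
+*/
+void wc_SlhDsaKey_Free(SlhDsaKey* key);
+/*!
+\ingroup SLH_DSA
+\brief Generates a new SLH-DSA key pair using the RNG for randomness.
+The key must have been initialized with wc_SlhDsaKey_Init() first.
+\return 0 on success.
+\return BAD_FUNC_ARG if key or rng is NULL, or key is not initialized.
+\param [in,out] key Pointer to an initialized SlhDsaKey.
+\param [in] rng Pointer to an initialized WC_RNG.
+_Example_
+\code
+SlhDsaKey key;
+WC_RNG rng;
+int ret;
+wc_InitRng(&rng);
+wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
+ret = wc_SlhDsaKey_MakeKey(&key, &rng);
+if (ret != 0) {
+// error generating key
+}
+\endcode
+\sa wc_SlhDsaKey_Init
+\sa wc_SlhDsaKey_MakeKeyWithRandom
+*/
+int wc_SlhDsaKey_MakeKey(SlhDsaKey* key, WC_RNG* rng);
+/*!
+\ingroup SLH_DSA
+\brief Generates an SLH-DSA key pair from caller-provided seed material.
+This is the deterministic key generation interface — given the same seeds,
+the same key pair is produced.
+\return 0 on success.
+\return BAD_FUNC_ARG if key or any seed pointer is NULL, or lengths
+do not match the parameter set's n value.
+\param [in,out] key Pointer to an initialized SlhDsaKey.
+\param [in] sk_seed Secret key seed (n bytes).
+\param [in] sk_seed_len Length of sk_seed.
+\param [in] sk_prf Secret key PRF seed (n bytes).
+\param [in] sk_prf_len Length of sk_prf.
+\param [in] pk_seed Public key seed (n bytes).
+\param [in] pk_seed_len Length of pk_seed.
+_Example_
+\code
+SlhDsaKey key;
+byte sk_seed[16], sk_prf[16], pk_seed[16]; // n=16 for 128-bit params
+int ret;
+// fill seeds with known values (e.g. from NIST test vectors)
+wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
+ret = wc_SlhDsaKey_MakeKeyWithRandom(&key,
+sk_seed, sizeof(sk_seed),
+sk_prf, sizeof(sk_prf),
+pk_seed, sizeof(pk_seed));
+\endcode
+\sa wc_SlhDsaKey_MakeKey
+*/
+int wc_SlhDsaKey_MakeKeyWithRandom(SlhDsaKey* key,
+const byte* sk_seed, word32 sk_seed_len,
+const byte* sk_prf, word32 sk_prf_len,
+const byte* pk_seed, word32 pk_seed_len);
+/*!
+\ingroup SLH_DSA
+\brief Signs a message using the SLH-DSA external (pure) interface with
+deterministic randomness. This is FIPS 205 Algorithm 22 with opt_rand set
+to PK.seed. The message M is wrapped internally as
+M' = 0x00 || len(ctx) || ctx || M before signing.
+\return 0 on success.
+\return BAD_FUNC_ARG if key, msg, sig, or sigSz is NULL.
+\return BUFFER_E if the output buffer is too small.
+\param [in] key Pointer to a private SlhDsaKey.
+\param [in] ctx Context string for domain separation. May be NULL if
+ctxSz is 0.
+\param [in] ctxSz Length of the context string (0-255).
+\param [in] msg Pointer to the message to sign.
+\param [in] msgSz Length of the message.
+\param [out] sig Buffer to receive the signature.
+\param [in,out] sigSz On input, size of sig buffer. On output, actual
+signature length.
+_Example_
+\code
+SlhDsaKey key;
+byte sig[WC_SLHDSA_MAX_SIG_LEN];
+word32 sigSz = sizeof(sig);
+byte msg[] = "Hello World!";
+int ret;
+// key already generated via wc_SlhDsaKey_MakeKey()
+ret = wc_SlhDsaKey_SignDeterministic(&key, NULL, 0,
+msg, sizeof(msg), sig, &sigSz);
+\endcode
+\sa wc_SlhDsaKey_SignWithRandom
+\sa wc_SlhDsaKey_Sign
+\sa wc_SlhDsaKey_Verify
+*/
+int wc_SlhDsaKey_SignDeterministic(SlhDsaKey* key, const byte* ctx,
+byte ctxSz, const byte* msg, word32 msgSz, byte* sig, word32* sigSz);
+/*!
+\ingroup SLH_DSA
+\brief Signs a message using the SLH-DSA external (pure) interface with
+caller-provided additional randomness. This is FIPS 205 Algorithm 22 with
+an explicit opt_rand value.
+\return 0 on success.
+\return BAD_FUNC_ARG if key, msg, sig, sigSz, or addRnd is NULL.
+\param [in] key Pointer to a private SlhDsaKey.
+\param [in] ctx Context string. May be NULL if ctxSz is 0.
+\param [in] ctxSz Length of the context string (0-255).
+\param [in] msg Pointer to the message to sign.
+\param [in] msgSz Length of the message.
+\param [out] sig Buffer to receive the signature.
+\param [in,out] sigSz On input, size of sig buffer. On output, actual
+signature length.
+\param [in] addRnd Additional randomness (n bytes, where n is the
+parameter set's security parameter).
+_Example_
+\code
+SlhDsaKey key;
+byte sig[WC_SLHDSA_MAX_SIG_LEN];
+word32 sigSz = sizeof(sig);
+byte msg[] = "Hello World!";
+byte addRnd[16]; // n=16 for 128-bit params
+int ret;
+wc_RNG_GenerateBlock(&rng, addRnd, sizeof(addRnd));
+ret = wc_SlhDsaKey_SignWithRandom(&key, NULL, 0,
+msg, sizeof(msg), sig, &sigSz, addRnd);
+\endcode
+\sa wc_SlhDsaKey_SignDeterministic
+\sa wc_SlhDsaKey_Sign
+*/
+int wc_SlhDsaKey_SignWithRandom(SlhDsaKey* key, const byte* ctx,
+byte ctxSz, const byte* msg, word32 msgSz, byte* sig, word32* sigSz,
+const byte* addRnd);
+/*!
+\ingroup SLH_DSA
+\brief Signs a message using the SLH-DSA external (pure) interface with
+RNG-provided randomness. This is the general-purpose signing function
+that uses the WC_RNG for opt_rand.
+\return 0 on success.
+\return BAD_FUNC_ARG if key, msg, sig, sigSz, or rng is NULL.
+\param [in] key Pointer to a private SlhDsaKey.
+\param [in] ctx Context string. May be NULL if ctxSz is 0.
+\param [in] ctxSz Length of the context string (0-255).
+\param [in] msg Pointer to the message to sign.
+\param [in] msgSz Length of the message.
+\param [out] sig Buffer to receive the signature.
+\param [in,out] sigSz On input, size of sig buffer. On output, actual
+signature length.
+\param [in] rng Pointer to an initialized WC_RNG.
+_Example_
+\code
+SlhDsaKey key;
+WC_RNG rng;
+byte sig[WC_SLHDSA_MAX_SIG_LEN];
+word32 sigSz = sizeof(sig);
+byte msg[] = "Hello World!";
+int ret;
+ret = wc_SlhDsaKey_Sign(&key, NULL, 0,
+msg, sizeof(msg), sig, &sigSz, &rng);
+\endcode
+\sa wc_SlhDsaKey_SignDeterministic
+\sa wc_SlhDsaKey_Verify
+*/
+int wc_SlhDsaKey_Sign(SlhDsaKey* key, const byte* ctx,
+byte ctxSz, const byte* msg, word32 msgSz, byte* sig, word32* sigSz,
+WC_RNG* rng);
+/*!
+\ingroup SLH_DSA
+\brief Verifies an SLH-DSA signature over a message using the external
+(pure) interface. This is FIPS 205 Algorithm 23. The message is wrapped
+internally as M' = 0x00 || len(ctx) || ctx || M before verification.
+\return 0 on success (signature valid).
+\return BAD_FUNC_ARG if key, msg, or sig is NULL.
+\return SIG_VERIFY_E if the signature is invalid.
+\param [in] key Pointer to a public SlhDsaKey.
+\param [in] ctx Context string. May be NULL if ctxSz is 0.
+\param [in] ctxSz Length of the context string (0-255).
+\param [in] msg Pointer to the message to verify.
+\param [in] msgSz Length of the message.
+\param [in] sig Pointer to the signature to verify.
+\param [in] sigSz Length of the signature.
+_Example_
+\code
+SlhDsaKey key;
+byte sig[...]; // previously generated signature
+word32 sigSz;
+byte msg[] = "Hello World!";
+int ret;
+ret = wc_SlhDsaKey_Verify(&key, NULL, 0,
+msg, sizeof(msg), sig, sigSz);
+if (ret == 0) {
+// signature is valid
+}
+\endcode
+\sa wc_SlhDsaKey_Sign
+\sa wc_SlhDsaKey_SignDeterministic
+*/
+int wc_SlhDsaKey_Verify(SlhDsaKey* key, const byte* ctx,
+byte ctxSz, const byte* msg, word32 msgSz, const byte* sig,
+word32 sigSz);
+/*!
+\ingroup SLH_DSA
+\brief Signs using the SLH-DSA internal interface with deterministic
+randomness. Unlike the external interface, M' is provided directly by
+the caller — no 0x00||len(ctx)||ctx||M wrapping is performed. This
+corresponds to FIPS 205 Algorithm 19 (slh_sign_internal) with opt_rand
+set to PK.seed.
+Use this when the CAVP test framework or protocol layer has already
+constructed M'.
+\return 0 on success.
+\return BAD_FUNC_ARG if key, mprime, sig, or sigSz is NULL.
+\param [in] key Pointer to a private SlhDsaKey.
+\param [in] mprime Pointer to the pre-constructed M' message.
+\param [in] mprimeSz Length of M'.
+\param [out] sig Buffer to receive the signature.
+\param [in,out] sigSz On input, size of sig buffer. On output, actual
+signature length.
+_Example_
+\code
+SlhDsaKey key;
+byte sig[WC_SLHDSA_MAX_SIG_LEN];
+word32 sigSz = sizeof(sig);
+byte mprime[] = { ... }; // pre-constructed M'
+int ret;
+ret = wc_SlhDsaKey_SignMsgDeterministic(&key,
+mprime, sizeof(mprime), sig, &sigSz);
+\endcode
+\sa wc_SlhDsaKey_SignMsgWithRandom
+\sa wc_SlhDsaKey_VerifyMsg
+\sa wc_SlhDsaKey_SignDeterministic
+*/
+int wc_SlhDsaKey_SignMsgDeterministic(SlhDsaKey* key,
+const byte* mprime, word32 mprimeSz, byte* sig, word32* sigSz);
+/*!
+\ingroup SLH_DSA
+\brief Signs using the SLH-DSA internal interface with caller-provided
+additional randomness. M' is provided directly — no wrapping is performed.
+This corresponds to FIPS 205 Algorithm 19 (slh_sign_internal) with an
+explicit opt_rand value.
+\return 0 on success.
+\return BAD_FUNC_ARG if key, mprime, sig, sigSz, or addRnd is NULL.
+\param [in] key Pointer to a private SlhDsaKey.
+\param [in] mprime Pointer to the pre-constructed M' message.
+\param [in] mprimeSz Length of M'.
+\param [out] sig Buffer to receive the signature.
+\param [in,out] sigSz On input, size of sig buffer. On output, actual
+signature length.
+\param [in] addRnd Additional randomness (n bytes).
+_Example_
+\code
+SlhDsaKey key;
+byte sig[WC_SLHDSA_MAX_SIG_LEN];
+word32 sigSz = sizeof(sig);
+byte mprime[] = { ... };
+byte addRnd[16];
+int ret;
+wc_RNG_GenerateBlock(&rng, addRnd, sizeof(addRnd));
+ret = wc_SlhDsaKey_SignMsgWithRandom(&key,
+mprime, sizeof(mprime), sig, &sigSz, addRnd);
+\endcode
+\sa wc_SlhDsaKey_SignMsgDeterministic
+\sa wc_SlhDsaKey_VerifyMsg
+*/
+int wc_SlhDsaKey_SignMsgWithRandom(SlhDsaKey* key,
+const byte* mprime, word32 mprimeSz, byte* sig, word32* sigSz,
+const byte* addRnd);
+/*!
+\ingroup SLH_DSA
+\brief Verifies an SLH-DSA signature using the internal interface. M' is
+provided directly — no wrapping is performed. This corresponds to FIPS 205
+Algorithm 20 (slh_verify_internal).
+\return 0 on success (signature valid).
+\return BAD_FUNC_ARG if key, mprime, or sig is NULL.
+\return SIG_VERIFY_E if the signature is invalid.
+\param [in] key Pointer to a public SlhDsaKey.
+\param [in] mprime Pointer to the pre-constructed M' message.
+\param [in] mprimeSz Length of M'.
+\param [in] sig Pointer to the signature to verify.
+\param [in] sigSz Length of the signature.
+_Example_
+\code
+SlhDsaKey key;
+byte sig[...]; // previously generated signature
+word32 sigSz;
+byte mprime[] = { ... };
+int ret;
+ret = wc_SlhDsaKey_VerifyMsg(&key,
+mprime, sizeof(mprime), sig, sigSz);
+if (ret == 0) {
+// signature is valid
+}
+\endcode
+\sa wc_SlhDsaKey_SignMsgDeterministic
+\sa wc_SlhDsaKey_Verify
+*/
+int wc_SlhDsaKey_VerifyMsg(SlhDsaKey* key, const byte* mprime,
+word32 mprimeSz, const byte* sig, word32 sigSz);
+/*!
+\ingroup SLH_DSA
+\brief Signs a pre-hashed message using the SLH-DSA external (HashSLH-DSA)
+interface with deterministic randomness. The message is hashed with the
+specified hash algorithm, then signed per FIPS 205 Algorithm 22 with the
+pre-hash domain separator (0x01).
+\return 0 on success.
+\return BAD_FUNC_ARG if key, msg, sig, or sigSz is NULL, or hashType
+is unsupported.
+\param [in] key Pointer to a private SlhDsaKey.
+\param [in] ctx Context string. May be NULL if ctxSz is 0.
+\param [in] ctxSz Length of the context string (0-255).
+\param [in] msg Pointer to the message to hash and sign.
+\param [in] msgSz Length of the message.
+\param [in] hashType Hash algorithm to use for pre-hashing. Supported:
+WC_HASH_TYPE_SHA256, WC_HASH_TYPE_SHA384, WC_HASH_TYPE_SHA512,
+WC_HASH_TYPE_SHAKE128, WC_HASH_TYPE_SHAKE256, WC_HASH_TYPE_SHA3_224,
+WC_HASH_TYPE_SHA3_256, WC_HASH_TYPE_SHA3_384, WC_HASH_TYPE_SHA3_512.
+\param [out] sig Buffer to receive the signature.
+\param [in,out] sigSz On input, size of sig buffer. On output, actual
+signature length.
+_Example_
+\code
+SlhDsaKey key;
+byte sig[WC_SLHDSA_MAX_SIG_LEN];
+word32 sigSz = sizeof(sig);
+byte msg[] = "Hello World!";
+int ret;
+ret = wc_SlhDsaKey_SignHashDeterministic(&key, NULL, 0,
+msg, sizeof(msg), WC_HASH_TYPE_SHA256, sig, &sigSz);
+\endcode
+\sa wc_SlhDsaKey_SignHashWithRandom
+\sa wc_SlhDsaKey_SignHash
+\sa wc_SlhDsaKey_VerifyHash
+*/
+int wc_SlhDsaKey_SignHashDeterministic(SlhDsaKey* key,
+const byte* ctx, byte ctxSz, const byte* msg, word32 msgSz,
+enum wc_HashType hashType, byte* sig, word32* sigSz);
+/*!
+\ingroup SLH_DSA
+\brief Signs a pre-hashed message using the SLH-DSA external (HashSLH-DSA)
+interface with caller-provided additional randomness.
+\return 0 on success.
+\return BAD_FUNC_ARG if key, msg, sig, sigSz, or addRnd is NULL.
+\param [in] key Pointer to a private SlhDsaKey.
+\param [in] ctx Context string. May be NULL if ctxSz is 0.
+\param [in] ctxSz Length of the context string (0-255).
+\param [in] msg Pointer to the message to hash and sign.
+\param [in] msgSz Length of the message.
+\param [in] hashType Hash algorithm to use for pre-hashing.
+\param [out] sig Buffer to receive the signature.
+\param [in,out] sigSz On input, size of sig buffer. On output, actual
+signature length.
+\param [in] addRnd Additional randomness (n bytes).
+\sa wc_SlhDsaKey_SignHashDeterministic
+\sa wc_SlhDsaKey_VerifyHash
+*/
+int wc_SlhDsaKey_SignHashWithRandom(SlhDsaKey* key,
+const byte* ctx, byte ctxSz, const byte* msg, word32 msgSz,
+enum wc_HashType hashType, byte* sig, word32* sigSz, byte* addRnd);
+/*!
+\ingroup SLH_DSA
+\brief Signs a pre-hashed message using the SLH-DSA external (HashSLH-DSA)
+interface with RNG-provided randomness.
+\return 0 on success.
+\return BAD_FUNC_ARG if key, msg, sig, sigSz, or rng is NULL.
+\param [in] key Pointer to a private SlhDsaKey.
+\param [in] ctx Context string. May be NULL if ctxSz is 0.
+\param [in] ctxSz Length of the context string (0-255).
+\param [in] msg Pointer to the message to hash and sign.
+\param [in] msgSz Length of the message.
+\param [in] hashType Hash algorithm to use for pre-hashing.
+\param [out] sig Buffer to receive the signature.
+\param [in,out] sigSz On input, size of sig buffer. On output, actual
+signature length.
+\param [in] rng Pointer to an initialized WC_RNG.
+\sa wc_SlhDsaKey_SignHashDeterministic
+\sa wc_SlhDsaKey_VerifyHash
+*/
+int wc_SlhDsaKey_SignHash(SlhDsaKey* key, const byte* ctx,
+byte ctxSz, const byte* msg, word32 msgSz, enum wc_HashType hashType,
+byte* sig, word32* sigSz, WC_RNG* rng);
+/*!
+\ingroup SLH_DSA
+\brief Verifies an SLH-DSA signature over a pre-hashed message
+(HashSLH-DSA). The message is hashed with the specified hash algorithm
+before verification.
+\return 0 on success (signature valid).
+\return BAD_FUNC_ARG if key, msg, or sig is NULL.
+\return SIG_VERIFY_E if the signature is invalid.
+\param [in] key Pointer to a public SlhDsaKey.
+\param [in] ctx Context string. May be NULL if ctxSz is 0.
+\param [in] ctxSz Length of the context string (0-255).
+\param [in] msg Pointer to the message to hash and verify.
+\param [in] msgSz Length of the message.
+\param [in] hashType Hash algorithm used for pre-hashing. Must match the
+hash used during signing.
+\param [in] sig Pointer to the signature to verify.
+\param [in] sigSz Length of the signature.
+_Example_
+\code
+SlhDsaKey key;
+byte sig[...];
+word32 sigSz;
+byte msg[] = "Hello World!";
+int ret;
+ret = wc_SlhDsaKey_VerifyHash(&key, NULL, 0,
+msg, sizeof(msg), WC_HASH_TYPE_SHA256, sig, sigSz);
+if (ret == 0) {
+// signature is valid
+}
+\endcode
+\sa wc_SlhDsaKey_SignHashDeterministic
+\sa wc_SlhDsaKey_Verify
+*/
+int wc_SlhDsaKey_VerifyHash(SlhDsaKey* key, const byte* ctx,
+byte ctxSz, const byte* msg, word32 msgSz, enum wc_HashType hashType,
+const byte* sig, word32 sigSz);
+/*!
+\ingroup SLH_DSA
+\brief Imports an SLH-DSA private key from a raw byte buffer. The buffer
+must contain the full private key (4*n bytes: SK.seed || SK.prf ||
+PK.seed || PK.root). After import, the key can be used for signing.
+\return 0 on success.
+\return BAD_FUNC_ARG if key or in is NULL, or inLen does not match the
+expected private key size for the parameter set.
+\param [in,out] key Pointer to an initialized SlhDsaKey.
+\param [in] in Buffer containing the raw private key bytes.
+\param [in] inLen Length of the input buffer.
+_Example_
+\code
+SlhDsaKey key;
+byte privKey[...]; // 4*n bytes
+int ret;
+wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
+ret = wc_SlhDsaKey_ImportPrivate(&key, privKey, sizeof(privKey));
+\endcode
+\sa wc_SlhDsaKey_ExportPrivate
+\sa wc_SlhDsaKey_ImportPublic
+*/
+int wc_SlhDsaKey_ImportPrivate(SlhDsaKey* key, const byte* in,
+word32 inLen);
+/*!
+\ingroup SLH_DSA
+\brief Imports an SLH-DSA public key from a raw byte buffer. The buffer
+must contain PK.seed || PK.root (2*n bytes). After import, the key can
+be used for verification.
+\return 0 on success.
+\return BAD_FUNC_ARG if key or in is NULL, or inLen does not match the
+expected public key size.
+\param [in,out] key Pointer to an initialized SlhDsaKey.
+\param [in] in Buffer containing the raw public key bytes.
+\param [in] inLen Length of the input buffer.
+_Example_
+\code
+SlhDsaKey key;
+byte pubKey[...]; // 2*n bytes
+int ret;
+wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
+ret = wc_SlhDsaKey_ImportPublic(&key, pubKey, sizeof(pubKey));
+\endcode
+\sa wc_SlhDsaKey_ExportPublic
+\sa wc_SlhDsaKey_ImportPrivate
+*/
+int wc_SlhDsaKey_ImportPublic(SlhDsaKey* key, const byte* in,
+word32 inLen);
+/*!
+\ingroup SLH_DSA
+\brief Checks the consistency of an SLH-DSA key. For a key with both
+private and public components, verifies that the public key matches the
+private key.
+\return 0 on success (key is valid).
+\return BAD_FUNC_ARG if key is NULL.
+\param [in] key Pointer to the SlhDsaKey to check.
+\sa wc_SlhDsaKey_MakeKey
+\sa wc_SlhDsaKey_ImportPrivate
+*/
+int wc_SlhDsaKey_CheckKey(SlhDsaKey* key);
+/*!
+\ingroup SLH_DSA
+\brief Exports the private key from an SLH-DSA key object into a raw
+byte buffer (4*n bytes).
+\return 0 on success.
+\return BAD_FUNC_ARG if key, out, or outLen is NULL.
+\return BUFFER_E if the output buffer is too small.
+\param [in] key Pointer to the SlhDsaKey containing a private key.
+\param [out] out Buffer to receive the raw private key bytes.
+\param [in,out] outLen On input, size of out buffer. On output, bytes
+written.
+_Example_
+\code
+SlhDsaKey key;
+byte privKey[4 * 32]; // 4*n for 256-bit params
+word32 privKeySz = sizeof(privKey);
+int ret;
+ret = wc_SlhDsaKey_ExportPrivate(&key, privKey, &privKeySz);
+\endcode
+\sa wc_SlhDsaKey_ImportPrivate
+\sa wc_SlhDsaKey_ExportPublic
+*/
+int wc_SlhDsaKey_ExportPrivate(SlhDsaKey* key, byte* out,
+word32* outLen);
+/*!
+\ingroup SLH_DSA
+\brief Exports the public key from an SLH-DSA key object into a raw
+byte buffer (2*n bytes: PK.seed || PK.root).
+\return 0 on success.
+\return BAD_FUNC_ARG if key, out, or outLen is NULL.
+\return BUFFER_E if the output buffer is too small.
+\param [in] key Pointer to the SlhDsaKey containing a public key.
+\param [out] out Buffer to receive the raw public key bytes.
+\param [in,out] outLen On input, size of out buffer. On output, bytes
+written.
+_Example_
+\code
+SlhDsaKey key;
+byte pubKey[2 * 32];
+word32 pubKeySz = sizeof(pubKey);
+int ret;
+ret = wc_SlhDsaKey_ExportPublic(&key, pubKey, &pubKeySz);
+\endcode
+\sa wc_SlhDsaKey_ImportPublic
+\sa wc_SlhDsaKey_ExportPrivate
+*/
+int wc_SlhDsaKey_ExportPublic(SlhDsaKey* key, byte* out,
+word32* outLen);
+/*!
+\ingroup SLH_DSA
+\brief Returns the private key size in bytes for the key's parameter set.
+\return Private key size in bytes (4*n) on success.
+\return BAD_FUNC_ARG if key is NULL or not initialized.
+\param [in] key Pointer to an initialized SlhDsaKey.
+\sa wc_SlhDsaKey_PublicSize
+\sa wc_SlhDsaKey_SigSize
+\sa wc_SlhDsaKey_PrivateSizeFromParam
+*/
+int wc_SlhDsaKey_PrivateSize(SlhDsaKey* key);
+/*!
+\ingroup SLH_DSA
+\brief Returns the public key size in bytes for the key's parameter set.
+\return Public key size in bytes (2*n) on success.
+\return BAD_FUNC_ARG if key is NULL or not initialized.
+\param [in] key Pointer to an initialized SlhDsaKey.
+\sa wc_SlhDsaKey_PrivateSize
+\sa wc_SlhDsaKey_SigSize
+\sa wc_SlhDsaKey_PublicSizeFromParam
+*/
+int wc_SlhDsaKey_PublicSize(SlhDsaKey* key);
+/*!
+\ingroup SLH_DSA
+\brief Returns the signature size in bytes for the key's parameter set.
+\return Signature size in bytes on success.
+\return BAD_FUNC_ARG if key is NULL or not initialized.
+\param [in] key Pointer to an initialized SlhDsaKey.
+\sa wc_SlhDsaKey_PrivateSize
+\sa wc_SlhDsaKey_PublicSize
+\sa wc_SlhDsaKey_SigSizeFromParam
+*/
+int wc_SlhDsaKey_SigSize(SlhDsaKey* key);
+/*!
+\ingroup SLH_DSA
+\brief Returns the private key size in bytes for the given parameter set
+without needing an initialized key object.
+\return Private key size in bytes (4*n) on success.
+\return BAD_FUNC_ARG if param is invalid.
+\param [in] param The SLH-DSA parameter set.
+\sa wc_SlhDsaKey_PrivateSize
+*/
+int wc_SlhDsaKey_PrivateSizeFromParam(enum SlhDsaParam param);
+/*!
+\ingroup SLH_DSA
+\brief Returns the public key size in bytes for the given parameter set
+without needing an initialized key object.
+\return Public key size in bytes (2*n) on success.
+\return BAD_FUNC_ARG if param is invalid.
+\param [in] param The SLH-DSA parameter set.
+\sa wc_SlhDsaKey_PublicSize
+*/
+int wc_SlhDsaKey_PublicSizeFromParam(enum SlhDsaParam param);
+/*!
+\ingroup SLH_DSA
+\brief Returns the signature size in bytes for the given parameter set
+without needing an initialized key object.
+\return Signature size in bytes on success.
+\return BAD_FUNC_ARG if param is invalid.
+\param [in] param The SLH-DSA parameter set.
+\sa wc_SlhDsaKey_SigSize
+*/
+int wc_SlhDsaKey_SigSizeFromParam(enum SlhDsaParam param);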
@@ -439,7 +439,7 @@ src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/fips.c \
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
endif BUILD_FIPS_V5
if BUILD_FIPS_V6_PLUS
if BUILD_FIPS_V6
# FIPS 140-3 SRTP-KDF first file
src_libwolfssl@LIBSUFFIX@_la_SOURCES += \
wolfcrypt/src/wolfcrypt_first.c
@@ -782,7 +782,390 @@ src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/fips.c \
# fips last file
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
endif BUILD_FIPS_V6_PLUS
endif BUILD_FIPS_V6
if BUILD_FIPS_V7_PLUS
# FIPS 140-3 v7.0.0+ first file
src_libwolfssl@LIBSUFFIX@_la_SOURCES += \
wolfcrypt/src/wolfcrypt_first.c
src_libwolfssl@LIBSUFFIX@_la_SOURCES += \
wolfcrypt/src/hmac.c \
wolfcrypt/src/random.c
if BUILD_MEMUSE
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wolfentropy.c
endif
if BUILD_RNG_BANK
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/rng_bank.c
endif
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/kdf.c
if BUILD_RSA
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/rsa.c
endif
if BUILD_ECC
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ecc.c
endif
if BUILD_AES
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes.c
if BUILD_ARMASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(LEGACY_ARMASM_AES_C)
endif BUILD_ARMASM
if BUILD_ARMASM_NEON
if BUILD_ARMASM_INLINE
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(NEW_ARMASM_AES_ASM_C)
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-aes-asm_c.c
else
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(NEW_ARMASM_AES_ASM_S)
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-aes-asm.S
endif !BUILD_ARMASM_INLINE
else
if BUILD_ARMASM
if BUILD_ARMASM_INLINE
if BUILD_ARM_NONTHUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-aes-asm_c.c
endif
if BUILD_ARM_THUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-aes-asm_c.c
endif
else
if BUILD_ARM_NONTHUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-aes-asm.S
endif
if BUILD_ARM_THUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-aes-asm.S
endif
endif !BUILD_ARMASM_INLINE
endif BUILD_ARMASM
endif !BUILD_ARMASM_NEON
endif BUILD_AES
if BUILD_AESNI
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_asm.S
if BUILD_X86_ASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_gcm_x86_asm.S
else
if BUILD_AESGCM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_gcm_asm.S
endif
if BUILD_AESXTS
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_xts_asm.S
endif
endif
endif
if BUILD_SHA
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha.c
endif
if BUILD_ARMASM_NEON
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(ARMASM_SHA256_C)
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(LEGACY_ARMASM_SHA256_C)
if BUILD_ARMASM_INLINE
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(NEW_ARMASM_SHA256_ASM_C)
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha256-asm_c.c
else
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(NEW_ARMASM_SHA256_ASM_S)
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha256-asm.S
endif !BUILD_ARMASM_INLINE
else
if BUILD_ARMASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(ARMASM_SHA256_C)
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(LEGACY_ARMASM_SHA256_C)
if BUILD_ARMASM_INLINE
if BUILD_ARM_NONTHUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha256-asm_c.c
endif
if BUILD_ARM_THUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha256-asm_c.c
endif
else
if BUILD_ARM_NONTHUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha256-asm.S
endif
if BUILD_ARM_THUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha256-asm.S
endif
endif !BUILD_ARMASM_INLINE
else
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha256.c
if BUILD_INTELASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha256_asm.S
endif BUILD_INTELASM
endif !BUILD_ARMASM
endif !BUILD_ARMASM_NEON
if BUILD_RISCV_ASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/riscv/riscv-64-sha256.c
endif BUILD_RISCV_ASM
if BUILD_PPC32_ASM
if BUILD_PPC32_ASM_INLINE
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/ppc32/ppc32-sha256-asm_c.c
else
if BUILD_PPC32_ASM_INLINE_REG
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/ppc32/ppc32-sha256-asm_cr.c
else
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/ppc32/ppc32-sha256-asm.S
endif !BUILD_PPC32_ASM_INLINE_REG
endif !BUILD_PPC32_ASM_INLINE
endif BUILD_PPC32_ASM
if BUILD_SHA512
if BUILD_RISCV_ASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/riscv/riscv-64-sha512.c
else
if !BUILD_FIPS_V5
if !BUILD_FIPS_V6
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha512.c
endif !BUILD_FIPS_V6
endif !BUILD_FIPS_V5
if BUILD_ARMASM_NEON
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(LEGACY_ARMASM_SHA512_C)
if BUILD_ARMASM_INLINE
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512-asm_c.c
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm_c.c
else
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512-asm.S
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm.S
endif !BUILD_ARMASM_INLINE
else
if BUILD_ARMASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(LEGACY_ARMASM_SHA512_C)
if BUILD_ARMASM_INLINE
if BUILD_ARM_NONTHUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm_c.c
endif
if BUILD_ARM_THUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha512-asm_c.c
endif
else
if BUILD_ARM_NONTHUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm.S
endif
if BUILD_ARM_THUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha512-asm.S
endif
endif !BUILD_ARMASM_INLINE
else
if BUILD_FIPS_V5
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha512.c
else
if BUILD_FIPS_V6
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha512.c
endif BUILD_FIPS_V6
endif !BUILD_FIPS_V5
if BUILD_INTELASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha512_asm.S
endif BUILD_INTELASM
endif !BUILD_ARMASM
endif !BUILD_ARMASM_NEON
endif !BUILD_RISCV_ASM
endif BUILD_SHA512
if BUILD_SHA3
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha3.c
if BUILD_ARMASM_NEON
if BUILD_ARMASM_INLINE
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha3-asm_c.c
else
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha3-asm.S
endif !BUILD_ARMASM_INLINE
endif BUILD_ARMASM_NEON
if BUILD_ARMASM
if BUILD_ARMASM_INLINE
if BUILD_ARM_NONTHUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha3-asm_c.c
endif
if BUILD_ARM_THUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha3-asm_c.c
endif
else
if BUILD_ARM_NONTHUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha3-asm.S
endif
if BUILD_ARM_THUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha3-asm.S
endif
endif !BUILD_ARMASM_INLINE
endif BUILD_ARMASM
if BUILD_RISCV_ASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/riscv/riscv-64-sha3.c
endif BUILD_RISCV_ASM
if BUILD_INTELASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha3_asm.S
endif
endif
if BUILD_DH
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/dh.c
endif
if BUILD_CMAC
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/cmac.c
endif
if BUILD_CURVE448
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/curve448.c
endif
if BUILD_ED448
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ed448.c
endif
if BUILD_CURVE25519
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/curve25519.c
endif
if BUILD_ED25519
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ed25519.c
endif
if BUILD_ARMASM
if BUILD_ARMASM_NEON
if BUILD_ARMASM_INLINE
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-curve25519_c.c
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-curve25519_c.c
else
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-curve25519.S
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-curve25519.S
endif !BUILD_ARMASM_INLINE
else
if BUILD_ARMASM_INLINE
if BUILD_ARM_NONTHUMB
if BUILD_ARM_32
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-curve25519_c.c
endif
if BUILD_ARM_64
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-curve25519_c.c
endif
endif
if BUILD_ARM_THUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-curve25519_c.c
endif
else
if BUILD_ARM_NONTHUMB
if BUILD_ARM_32
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-curve25519.S
endif
if BUILD_ARM_64
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-curve25519.S
endif
endif
if BUILD_ARM_THUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-curve25519.S
endif
endif !BUILD_ARMASM_INLINE
endif !BUILD_ARMASM_NEON
endif BUILD_ARMASM
if BUILD_PWDBASED
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/pwdbased.c
endif BUILD_PWDBASED
if BUILD_SP
if BUILD_SP_C32
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_c32.c
endif
if BUILD_SP_C64
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_c64.c
endif
if BUILD_SP_X86_64
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_x86_64.c
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_x86_64_asm.S
endif
if !BUILD_FIPS_V2
if BUILD_SP_ARM32
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_arm32.c
endif
endif
if BUILD_SP_ARM_THUMB
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_armthumb.c
endif
if !BUILD_FIPS_V2
if BUILD_SP_ARM64
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_arm64.c
endif
endif
if BUILD_SP_ARM_CORTEX
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_cortexm.c
endif
endif BUILD_SP
# PQ Algorithms (FIPS v7.0.0+)
if BUILD_WC_MLKEM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mlkem.c
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mlkem_poly.c
if BUILD_ARMASM
if BUILD_ARM_THUMB
if BUILD_ARMASM_INLINE
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-mlkem-asm_c.c
else
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-mlkem-asm.S
endif !BUILD_ARMASM_INLINE
else
if BUILD_ARMASM_INLINE
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-mlkem-asm_c.c
else
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-mlkem-asm.S
endif !BUILD_ARMASM_INLINE
endif !BUILD_ARM_THUMB
endif BUILD_ARMASM
if !BUILD_X86_ASM
if BUILD_INTELASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mlkem_asm.S
endif
endif
if BUILD_ARMASM_NEON
if BUILD_ARMASM_INLINE
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-mlkem-asm_c.c
else
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-mlkem-asm.S
endif !BUILD_ARMASM_INLINE
endif BUILD_ARMASM_NEON
endif
if BUILD_DILITHIUM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/dilithium.c
if !BUILD_X86_ASM
if BUILD_INTELASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mldsa_asm.S
endif BUILD_INTELASM
endif !BUILD_X86_ASM
endif
if BUILD_WC_LMS
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_lms.c
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_lms_impl.c
endif
if BUILD_WC_XMSS
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_xmss.c
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_xmss_impl.c
endif
if BUILD_WC_SLHDSA
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_slhdsa.c
endif
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/fips.c \
wolfcrypt/src/fips_test.c
# fips last file
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
endif BUILD_FIPS_V7_PLUS
endif BUILD_FIPS
@@ -1401,6 +1784,7 @@ if BUILD_SAKKE
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sakke.c
endif
if !BUILD_FIPS_V7_PLUS
if BUILD_WC_MLKEM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mlkem.c
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mlkem_poly.c
@@ -1451,10 +1835,13 @@ if BUILD_WC_XMSS
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_xmss.c
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_xmss_impl.c
endif
endif !BUILD_FIPS_V7_PLUS
if !BUILD_FIPS_V7_PLUS
if BUILD_WC_SLHDSA
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_slhdsa.c
endif
endif !BUILD_FIPS_V7_PLUS
if !BUILD_FIPS_V6_PLUS
if BUILD_CURVE25519
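Review bot: The `if !BUILD_FIPS_V5` / `if !BUILD_FIPS_V6` guards around `wolfcrypt/src/sha512.c` in the `BUILD_SHA512` stanza, and the mirrored `if BUILD_FIPS_V5` / `if BUILD_FIPS_V6` branches in the non-ARM `else`, are dead inside the `BUILD_FIPS_V7_PLUS` block (assuming those conditionals are mutually exclusive with v7+); they read as copy-paste from the non-FIPS section and obscure the one thing that matters for the SHA-512 DRBG, namely that `sha512.c` lands between `wolfcrypt_first.c` and `wolfcrypt_last.c`. Replace the guarded stanza with an unconditional `src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha512.c` under `if BUILD_SHA512` and drop the V5/V6 branches in the `else`. The `BUILD_RISCV_ASM` path puts only `riscv-64-sha512.c` in the boundary; it is worth confirming that file provides the complete SHA-512 API `random.c` uses, since nothing else adds `sha512.c` on that path.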
+6
@@ -8892,7 +8892,9 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse)
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
if (ret == 0) {
PRIVATE_KEY_UNLOCK();
ret = wc_KyberKey_EncodePrivateKey(kem, privKey, privSz);
PRIVATE_KEY_LOCK();
}
#endif
@@ -9975,7 +9977,9 @@ static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl,
ret = BAD_FUNC_ARG;
}
if (ret == 0) {
PRIVATE_KEY_UNLOCK();
ret = wc_KyberKey_DecodePrivateKey(kem, keyShareEntry->privKey, privSz);
PRIVATE_KEY_LOCK();
}
#endif
@@ -9984,8 +9988,10 @@ static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl,
ret = BUFFER_E;
}
if (ret == 0) {
PRIVATE_KEY_UNLOCK();
ret = wc_KyberKey_Decapsulate(kem, ssOutput,
keyShareEntry->ke, ctSz);
PRIVATE_KEY_LOCK();
if (ret != 0) {
WOLFSSL_MSG("wc_KyberKey decapsulation failure.");
ret = BAD_FUNC_ARG;
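Review bot: The three new `PRIVATE_KEY_UNLOCK()` / `PRIVATE_KEY_LOCK()` pairs carry no comment, so a reader cannot tell why exporting a key the client itself just generated (`wc_KyberKey_EncodePrivateKey`) or running `wc_KyberKey_Decapsulate` needs the private-key read gate lifted; presumably the v7 boundary classifies the ML-KEM decapsulation key as private-key material. Add one comment at the first site, `/* FIPS v7+: ML-KEM decapsulation-key encode/decode and decapsulate are gated as private-key access; lift the gate only for the duration of the call */`, and keep the pairs as tight as they are here so no early return can leave the gate open. Both enclosing functions start outside the hunk.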
-2
@@ -28101,8 +28101,6 @@ static int error_test(void)
{63, 63},
#endif
{ -9, WC_SPAN1_FIRST_E + 1 },
{ -124, -124 },
{ -167, -169 },
{ -300, -300 },
{ -335, -336 },
{ -346, -349 },
+21 -5
@@ -68,6 +68,12 @@ static const enum wc_HashType supportedHash[] = {
WC_HASH_TYPE_SHA3_256,
WC_HASH_TYPE_SHA3_384,
WC_HASH_TYPE_SHA3_512,
#if defined(WOLFSSL_SHAKE128)
WC_HASH_TYPE_SHAKE128,
#endif
#if defined(WOLFSSL_SHAKE256)
WC_HASH_TYPE_SHAKE256,
#endif
#endif
#ifdef WOLFSSL_SM3
WC_HASH_TYPE_SM3,
@@ -126,14 +132,14 @@ static const enum wc_HashType notCompiledHash[] = {
WC_HASH_TYPE_NONE /* Dummy value to ensure list is non-zero. */
};
static const int notCompiledHashLen = (sizeof(notCompiledHash) /
sizeof(enum wc_HashType)) - 1;
sizeof(notCompiledHash[0])) - 1;
static const int notSupportedHash[] = {
WC_HASH_TYPE_NONE,
WC_HASH_TYPE_MAX + 1
};
static const int notSupportedHashLen = (sizeof(notSupportedHash) /
sizeof(enum wc_HashType));
sizeof(notSupportedHash[0]));
static const enum wc_HashType sizeSupportedHash[] = {
#if !defined(NO_MD5) && !defined(NO_SHA)
@@ -150,11 +156,17 @@ static const enum wc_HashType sizeSupportedHash[] = {
#endif
#ifdef HAVE_BLAKE2S
WC_HASH_TYPE_BLAKE2S,
#endif
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
WC_HASH_TYPE_SHAKE128,
#endif
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
WC_HASH_TYPE_SHAKE256,
#endif
WC_HASH_TYPE_NONE /* Dummy value to ensure list is non-zero. */
};
static const int sizeSupportedHashLen = (sizeof(sizeSupportedHash) /
sizeof(enum wc_HashType)) - 1;
sizeof(sizeSupportedHash[0])) - 1;
static const enum wc_HashType sizeNotCompiledHash[] = {
#if defined(NO_MD5) || defined(NO_SHA)
WC_HASH_TYPE_MD5_SHA,
@@ -171,18 +183,22 @@ static const enum wc_HashType sizeNotCompiledHash[] = {
#ifndef HAVE_BLAKE2S
WC_HASH_TYPE_BLAKE2S,
#endif
#if !defined(WOLFSSL_SHA3) || !defined(WOLFSSL_SHAKE128)
WC_HASH_TYPE_SHAKE128,
#endif
#if !defined(WOLFSSL_SHA3) || !defined(WOLFSSL_SHAKE256)
WC_HASH_TYPE_SHAKE256,
#endif
WC_HASH_TYPE_NONE /* Dummy value to ensure list is non-zero. */
};
static const int sizeNotCompiledHashLen = (sizeof(sizeNotCompiledHash) /
sizeof(enum wc_HashType)) - 1;
sizeof(sizeNotCompiledHash[0])) - 1;
static const int sizeNotSupportedHash[] = {
WC_HASH_TYPE_NONE,
WC_HASH_TYPE_MAX + 1
};
static const int sizeNotSupportedHashLen = (sizeof(sizeNotSupportedHash) /
sizeof(enum wc_HashType));
sizeof(sizeNotSupportedHash[0]));
#endif /* NO_HASH_WRAPPER */
int test_wc_HashInit(void)
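Review bot: The `supportedHash` entries in the first hunk are guarded by `defined(WOLFSSL_SHAKE128)` / `defined(WOLFSSL_SHAKE256)` alone, while the `sizeSupportedHash` and `sizeNotCompiledHash` entries later in the section use `defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)`; if the `#endif` that closes the first hunk is a `WOLFSSL_SHA3` guard the tables agree, otherwise the first list should use the same compound condition so a SHAKE-without-SHA3 configuration cannot leave the lists out of step. The `sizeof(x[0])` change is the right fix, since `notSupportedHash` is `int[]` and dividing by `sizeof(enum wc_HashType)` was only correct while the enum's underlying type happened to be `int`. Because SHAKE128/256 are XOFs with no intrinsic digest length, a one-line comment on the `sizeSupportedHash` entries, `/* XOFs: wc_HashGetDigestSize is expected to report a fixed default output length */`, would tell the next reader what the size test is asserting.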
+4
@@ -38,6 +38,8 @@ int test_wc_dilithium_sig_kats(void);
int test_wc_dilithium_sign_ctx_kats(void);
int test_wc_dilithium_verify_ctx_kats(void);
int test_wc_dilithium_verify_kats(void);
int test_wc_dilithium_sign_mu_kats(void);
int test_wc_dilithium_verify_mu_kats(void);
int test_wc_Dilithium_PrivateKeyDecode_OpenSSL_form(void);
int test_mldsa_pkcs8_import_OpenSSL_form(void);
int test_mldsa_pkcs8_export_import_wolfSSL_form(void);
@@ -59,6 +61,8 @@ int test_mldsa_pkcs12(void);
TEST_DECL_GROUP("mldsa", test_wc_dilithium_sign_ctx_kats), \
TEST_DECL_GROUP("mldsa", test_wc_dilithium_verify_ctx_kats), \
TEST_DECL_GROUP("mldsa", test_wc_dilithium_verify_kats), \
TEST_DECL_GROUP("mldsa", test_wc_dilithium_sign_mu_kats), \
TEST_DECL_GROUP("mldsa", test_wc_dilithium_verify_mu_kats), \
TEST_DECL_GROUP("mldsa", test_wc_Dilithium_PrivateKeyDecode_OpenSSL_form), \
TEST_DECL_GROUP("mldsa", test_mldsa_pkcs8_import_OpenSSL_form), \
TEST_DECL_GROUP("mldsa", test_mldsa_pkcs8_export_import_wolfSSL_form), \
+21 -2
@@ -1451,6 +1451,8 @@ int test_wc_mlkem_make_key_kats(void)
XMEMSET(key, 0, sizeof(MlKemKey));
}
PRIVATE_KEY_UNLOCK();
#ifndef WOLFSSL_NO_ML_KEM_512
ExpectIntEQ(wc_MlKemKey_Init(key, WC_ML_KEM_512, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_MlKemKey_MakeKeyWithRandom(key, seed_512, sizeof(seed_512)),
@@ -1488,6 +1490,8 @@ int test_wc_mlkem_make_key_kats(void)
wc_MlKemKey_Free(key);
#endif
PRIVATE_KEY_LOCK();
XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return EXPECT_RESULT();
@@ -3845,6 +3849,8 @@ int test_wc_mlkem_decapsulate_kats(void)
XMEMSET(key, 0, sizeof(MlKemKey));
}
PRIVATE_KEY_UNLOCK();
#ifndef WOLFSSL_NO_ML_KEM_512
ExpectIntEQ(wc_MlKemKey_Init(key, WC_ML_KEM_512, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_MlKemKey_DecodePrivateKey(key, dk_512, sizeof(dk_512)), 0);
@@ -3867,6 +3873,8 @@ int test_wc_mlkem_decapsulate_kats(void)
wc_MlKemKey_Free(key);
#endif
PRIVATE_KEY_LOCK();
XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return EXPECT_RESULT();
@@ -3937,8 +3945,10 @@ int test_wc_mlkem_decapsulate_pubonly_fails(void)
ExpectIntEQ(wc_MlKemKey_DecodePublicKey(pubOnlyKey, pubBuf, pubLen), 0);
/* Decapsulating with a public-key-only object must fail. */
PRIVATE_KEY_UNLOCK();
ExpectIntEQ(wc_MlKemKey_Decapsulate(pubOnlyKey, ssDec, ct, ctLen),
WC_NO_ERR_TRACE(BAD_STATE_E));
PRIVATE_KEY_LOCK();
DoExpectIntEQ(wc_FreeRng(&rng), 0);
wc_MlKemKey_Free(pubOnlyKey);
@@ -3993,22 +4003,31 @@ int test_wc_mlkem_decap_fo_reject(void)
/* Untampered ciphertext recovers the original ss. */
XMEMSET(ssDec, 0, sizeof(ssDec));
PRIVATE_KEY_UNLOCK();
ExpectIntEQ(wc_MlKemKey_Decapsulate(key, ssDec, ct, ctLen), 0);
PRIVATE_KEY_LOCK();
ExpectIntEQ(XMEMCMP(ssDec, ss, WC_ML_KEM_SS_SZ), 0);
/* Tamper at byte 32: implicit rejection must fire. */
XMEMCPY(ctTampered, ct, ctLen);
ctTampered[32] ^= 0x01;
XMEMSET(ssTampered, 0, sizeof(ssTampered));
PRIVATE_KEY_UNLOCK();
ExpectIntEQ(wc_MlKemKey_Decapsulate(key, ssTampered, ctTampered, ctLen), 0);
PRIVATE_KEY_LOCK();
ExpectIntNE(XMEMCMP(ssTampered, ss, WC_ML_KEM_SS_SZ), 0);
/* Tamper at byte 0: also must be rejected. */
/* Tamper at byte 0: decapsulation must still return 0. We do NOT assert
* ssTampered != ss here: byte 0 sits in the lossy-compressed u portion of
* the ciphertext, so a single-bit flip can be absorbed by Decompress and
* yield the original shared secret. The byte-32 case above already covers
* the "rejection produces a different secret" property. */
XMEMCPY(ctTampered, ct, ctLen);
ctTampered[0] ^= 0x01;
XMEMSET(ssTampered, 0, sizeof(ssTampered));
PRIVATE_KEY_UNLOCK();
ExpectIntEQ(wc_MlKemKey_Decapsulate(key, ssTampered, ctTampered, ctLen), 0);
ExpectIntNE(XMEMCMP(ssTampered, ss, WC_ML_KEM_SS_SZ), 0);
PRIVATE_KEY_LOCK();
DoExpectIntEQ(wc_FreeRng(&rng), 0);
wc_MlKemKey_Free(key);
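Review bot: The rationale in the new comment for dropping the byte-0 `ExpectIntNE` does not match ML-KEM's implicit rejection: FIPS 203 Algorithm 18 compares the received ciphertext `c` byte-for-byte with the re-encryption `c'` and returns `J(z‖c)` whenever they differ, so a flip that Decompress absorbs (m' == m) still gives c' == original c ≠ tampered c and a different shared secret; Decompress only decides whether the wrong key comes from a wrong m' or from the rejection path, never whether rejection happens (and byte 32 lies inside the compressed-u block as well, so the contrast drawn in the comment does not hold). If the assertion really fails for byte 0, that points to a defect in the ciphertext comparison inside `wc_MlKemKey_Decapsulate` (for example not covering the leading bytes) and should be investigated rather than documented away. Restore `ExpectIntNE(XMEMCMP(ssTampered, ss, WC_ML_KEM_SS_SZ), 0);` after the second `wc_MlKemKey_Decapsulate` and reword the comment to say that any modification of the serialized ciphertext must change the output because the FO comparison is over those bytes. The function's prologue is outside the hunk.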
+143
@@ -530,3 +530,146 @@ int test_wc_RNG_HealthTest(void)
return EXPECT_RESULT();
}
/*
* Testing wc_RNG_HealthTest_SHA512()
* Test vectors from NIST CAVP drbgtestvectors.zip, Hash_DRBG.rsp, [SHA-512].
* Source: https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-
* Validation-Program/documents/drbg/drbgtestvectors.zip
*/
int test_wc_RNG_HealthTest_SHA512(void)
{
EXPECT_DECLS;
#if defined(HAVE_HASHDRBG) && defined(WOLFSSL_DRBG_SHA512) && \
!defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
/* No-reseed test: drbgvectors_no_reseed/Hash_DRBG.rsp, [SHA-512],
* COUNT=0 */
const byte test1Seed[] =
{
/* EntropyInput (32 bytes) */
0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a,
0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22,
0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b,
0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c,
/* Nonce (16 bytes) */
0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa,
0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25
};
const byte test1Output[] =
{
0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57,
0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6,
0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d,
0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf,
0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26,
0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64,
0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55,
0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a,
0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78,
0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e,
0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb,
0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30,
0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19,
0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f,
0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d,
0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a,
0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2,
0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd,
0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd,
0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2,
0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b,
0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1,
0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99,
0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e,
0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3,
0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67,
0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3,
0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d,
0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b,
0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13,
0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c,
0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2
};
/* Reseed test: drbgvectors_pr_false/Hash_DRBG.rsp, [SHA-512], COUNT=0 */
const byte test2SeedA[] =
{
/* EntropyInput (32 bytes) */
0x31, 0x44, 0xe1, 0x7a, 0x10, 0xc8, 0x56, 0x12,
0x97, 0x64, 0xf5, 0x8f, 0xd8, 0xe4, 0x23, 0x10,
0x20, 0x54, 0x69, 0x96, 0xc0, 0xbf, 0x6c, 0xff,
0x8e, 0x91, 0xc2, 0x4e, 0xe0, 0x9b, 0xe3, 0x33,
/* Nonce (16 bytes) */
0xb1, 0x6f, 0xcb, 0x1c, 0xf0, 0xc0, 0x10, 0xf3,
0x1f, 0xea, 0xb7, 0x33, 0x58, 0x8b, 0x8e, 0x04
};
const byte test2SeedB[] =
{
/* EntropyInputReseed (32 bytes) */
0xa0, 0xb3, 0x58, 0x4c, 0x2c, 0x84, 0x12, 0xf6,
0x18, 0x40, 0x68, 0x34, 0x40, 0x4d, 0x1e, 0xb0,
0xce, 0x99, 0x9b, 0xa2, 0x89, 0x66, 0x05, 0x4d,
0x7e, 0x49, 0x7e, 0x0d, 0xb6, 0x08, 0xb9, 0x67
};
const byte test2Output[] =
{
0xef, 0xa3, 0x5d, 0xd0, 0x36, 0x2a, 0xdb, 0x76,
0x26, 0x45, 0x6b, 0x36, 0xfa, 0xc7, 0x4d, 0x3c,
0x28, 0xd0, 0x1d, 0x92, 0x64, 0x20, 0x27, 0x5a,
0x28, 0xbe, 0xa9, 0xc9, 0xdd, 0x75, 0x47, 0xc1,
0x5e, 0x79, 0x31, 0x85, 0x2a, 0xc1, 0x27, 0x70,
0x76, 0x56, 0x75, 0x35, 0x23, 0x9c, 0x1f, 0x42,
0x9c, 0x7f, 0x75, 0xcf, 0x74, 0xc2, 0x26, 0x7d,
0xeb, 0x6a, 0x3e, 0x59, 0x6c, 0xf3, 0x26, 0x15,
0x6c, 0x79, 0x69, 0x41, 0x28, 0x3b, 0x8d, 0x58,
0x3f, 0x17, 0x1c, 0x2f, 0x6e, 0x33, 0x23, 0xf7,
0x55, 0x5e, 0x1b, 0x18, 0x1f, 0xfd, 0xa3, 0x05,
0x07, 0x21, 0x0c, 0xb1, 0xf5, 0x89, 0xb2, 0x3c,
0xd7, 0x18, 0x80, 0xfd, 0x44, 0x37, 0x0c, 0xac,
0xf4, 0x33, 0x75, 0xb0, 0xdb, 0x7e, 0x33, 0x6f,
0x12, 0xb3, 0x09, 0xbf, 0xd4, 0xf6, 0x10, 0xbb,
0x8f, 0x20, 0xe1, 0xa1, 0x5e, 0x25, 0x3a, 0x4f,
0xe5, 0x11, 0xa0, 0x27, 0x96, 0x8d, 0xf0, 0xb1,
0x05, 0xa1, 0xd7, 0x3a, 0xff, 0x7c, 0x7a, 0x82,
0x6d, 0x39, 0xf6, 0x40, 0xdf, 0xb8, 0xf5, 0x22,
0x25, 0x9e, 0xd4, 0x02, 0x28, 0x2e, 0x2c, 0x2e,
0x9d, 0x3a, 0x49, 0x8f, 0x51, 0x72, 0x5f, 0xe4,
0x14, 0x1b, 0x06, 0xda, 0x55, 0x98, 0xa4, 0x2a,
0xc1, 0xe0, 0x49, 0x4e, 0x99, 0x7d, 0x56, 0x6a,
0x1a, 0x39, 0xb6, 0x76, 0xb9, 0x6a, 0x60, 0x03,
0xa4, 0xc5, 0xdb, 0x84, 0xf2, 0x46, 0x58, 0x4e,
0xe6, 0x5a, 0xf7, 0x0f, 0xf2, 0x16, 0x02, 0x78,
0x16, 0x6d, 0xa1, 0x6d, 0x91, 0xc9, 0xb8, 0xf2,
0xde, 0xb0, 0x27, 0x51, 0xa1, 0x08, 0x8a, 0xd6,
0xbe, 0x4e, 0x80, 0xef, 0x96, 0x6e, 0xb7, 0x3e,
0x66, 0xbc, 0x87, 0xca, 0xd8, 0x7c, 0x77, 0xc0,
0xb3, 0x4a, 0x21, 0xba, 0x1d, 0xa0, 0xba, 0x6d,
0x16, 0xca, 0x50, 0x46, 0xdc, 0x4a, 0xbd, 0xa0
};
byte output[WC_SHA512_DIGEST_SIZE * 4]; /* 256 bytes */
/* Bad parameter tests */
ExpectIntNE(wc_RNG_HealthTest_SHA512(0, NULL, sizeof(test1Seed),
NULL, 0, output, sizeof(output)), 0);
ExpectIntNE(wc_RNG_HealthTest_SHA512(0, test1Seed, sizeof(test1Seed),
NULL, 0, NULL, sizeof(output)), 0);
ExpectIntNE(wc_RNG_HealthTest_SHA512(0, test1Seed, sizeof(test1Seed),
NULL, 0, output, 42), 0); /* wrong output size */
/* Good parameter tests */
/* No-reseed */
ExpectIntEQ(wc_RNG_HealthTest_SHA512(0, test1Seed, sizeof(test1Seed),
NULL, 0, output, sizeof(output)), 0);
ExpectBufEQ(test1Output, output, sizeof(output));
/* With reseed */
ExpectIntEQ(wc_RNG_HealthTest_SHA512(1, test2SeedA, sizeof(test2SeedA),
test2SeedB, sizeof(test2SeedB), output, sizeof(output)), 0);
ExpectBufEQ(test2Output, output, sizeof(output));
#endif /* HAVE_HASHDRBG && WOLFSSL_DRBG_SHA512 && !HAVE_SELFTEST && FIPS v7+ */
return EXPECT_RESULT();
}
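Review bot: The bad-parameter checks near the end of the test only assert a non-zero return, so they cannot tell argument validation apart from a DRBG or self-test failure, and none of them exercises `reseed = 1` with a NULL `seedB`, the one combination specific to the reseed path. Pin the expected code (`WC_NO_ERR_TRACE(BAD_FUNC_ARG)`, if the SHA-512 variant mirrors the `wc_RNG_HealthTest` contract) and add `ExpectIntEQ(wc_RNG_HealthTest_SHA512(1, test2SeedA, sizeof(test2SeedA), NULL, 0, output, sizeof(output)), WC_NO_ERR_TRACE(BAD_FUNC_ARG));`. A one-line comment above `byte output[WC_SHA512_DIGEST_SIZE * 4]` noting that 256 bytes is the CAVP `ReturnedBits` length, and that the size-42 call is there to prove the function refuses any other output length, would make the intent of the three negative cases clear.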
+3 -1
@@ -35,6 +35,7 @@ int test_wc_rng_new(void);
int test_wc_RNG_DRBG_Reseed(void);
int test_wc_RNG_TestSeed(void);
int test_wc_RNG_HealthTest(void);
int test_wc_RNG_HealthTest_SHA512(void);
#define TEST_RANDOM_DECLS \
TEST_DECL_GROUP("random", test_wc_InitRng), \
@@ -47,6 +48,7 @@ int test_wc_RNG_HealthTest(void);
TEST_DECL_GROUP("random", test_wc_rng_new), \
TEST_DECL_GROUP("random", test_wc_RNG_DRBG_Reseed), \
TEST_DECL_GROUP("random", test_wc_RNG_TestSeed), \
TEST_DECL_GROUP("random", test_wc_RNG_HealthTest)
TEST_DECL_GROUP("random", test_wc_RNG_HealthTest), \
TEST_DECL_GROUP("random", test_wc_RNG_HealthTest_SHA512)
#endif /* WOLFCRYPT_TEST_RANDOM_H */
+553 -14
@@ -976,16 +976,37 @@ static WC_INLINE void bench_append_memory_info(char* buffer, size_t size,
#define BENCH_SLHDSA_SHAKE192F 0x00000100
#define BENCH_SLHDSA_SHAKE256S 0x00000200
#define BENCH_SLHDSA_SHAKE256F 0x00000400
#define BENCH_SLHDSA_SHA2_128S 0x00000800
#define BENCH_SLHDSA_SHA2_128F 0x00001000
#define BENCH_SLHDSA_SHA2_192S 0x00002000
#define BENCH_SLHDSA_SHA2_192F 0x00004000
#define BENCH_SLHDSA_SHA2_256S 0x00008000
#define BENCH_SLHDSA_SHA2_256F 0x00010000
#define BENCH_SLHDSA (BENCH_SLHDSA_SHAKE128S | \
BENCH_SLHDSA_SHAKE128F | \
BENCH_SLHDSA_SHAKE192S | \
BENCH_SLHDSA_SHAKE192F | \
BENCH_SLHDSA_SHAKE256S | \
BENCH_SLHDSA_SHAKE256F)
BENCH_SLHDSA_SHAKE256F | \
BENCH_SLHDSA_SHA2_128S | \
BENCH_SLHDSA_SHA2_128F | \
BENCH_SLHDSA_SHA2_192S | \
BENCH_SLHDSA_SHA2_192F | \
BENCH_SLHDSA_SHA2_256S | \
BENCH_SLHDSA_SHA2_256F)
/* Other */
#define BENCH_RNG 0x00000001
#define BENCH_SCRYPT 0x00000002
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
#define BENCH_RNG_SHA512 0x00000004
#endif
#define BENCH_RNG_INIT 0x00000008
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
#define BENCH_RNG_SHA512_INIT 0x00000010
#endif
#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM) || \
(defined(HAVE_CHACHA) && defined(HAVE_POLY1305))
@@ -1293,6 +1314,17 @@ static const bench_alg bench_other_opt[] = {
#ifndef WC_NO_RNG
{ "-rng", BENCH_RNG },
#endif
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
{ "-rng-sha512", BENCH_RNG_SHA512 },
#endif
#ifndef WC_NO_RNG
{ "-rng-init", BENCH_RNG_INIT },
#endif
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
{ "-rng-sha512-init", BENCH_RNG_SHA512_INIT },
#endif
#ifdef HAVE_SCRYPT
{ "-scrypt", BENCH_SCRYPT },
#endif
@@ -1341,6 +1373,12 @@ static const bench_pq_hash_sig_alg bench_pq_hash_sig_opt[] = {
{ "-slhdsa-shake192f", BENCH_SLHDSA_SHAKE192F},
{ "-slhdsa-shake256s", BENCH_SLHDSA_SHAKE256S},
{ "-slhdsa-shake256f", BENCH_SLHDSA_SHAKE256F},
{ "-slhdsa-sha2-128s", BENCH_SLHDSA_SHA2_128S},
{ "-slhdsa-sha2-128f", BENCH_SLHDSA_SHA2_128F},
{ "-slhdsa-sha2-192s", BENCH_SLHDSA_SHA2_192S},
{ "-slhdsa-sha2-192f", BENCH_SLHDSA_SHA2_192F},
{ "-slhdsa-sha2-256s", BENCH_SLHDSA_SHA2_256S},
{ "-slhdsa-sha2-256f", BENCH_SLHDSA_SHA2_256F},
{ "-slhdsa", BENCH_SLHDSA },
#endif
{ NULL, 0}
@@ -2058,12 +2096,7 @@ static const char* bench_result_words3[][5] = {
#define BENCH_ASYM
#endif
#if defined(BENCH_ASYM)
#if ((defined(HAVE_ECC) || !defined(NO_RSA) || !defined(NO_DH) || \
defined(HAVE_CURVE25519) || defined(HAVE_ED25519) || \
defined(HAVE_CURVE448) || defined(HAVE_ED448) || \
defined(HAVE_DILITHIUM) || defined(WOLFSSL_HAVE_LMS)) && \
!defined(WC_NO_RNG)) || defined(WOLFSSL_HAVE_MLKEM)
#if !defined(WC_NO_RNG) || defined(WOLFSSL_HAVE_MLKEM)
static const char* bench_result_words2[][6] = {
#ifdef BENCH_MICROSECOND
{ "ops took", "μsec" , "avg" , "ops/μsec", "cycles/op",
@@ -2077,8 +2110,7 @@ static const char* bench_result_words2[][6] = {
NULL }, /* 1 Japanese */
#endif
};
#endif
#endif
#endif /* !WC_NO_RNG || WOLFSSL_HAVE_MLKEM */
#ifdef WOLFSSL_CAAM
#include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
@@ -3202,6 +3234,102 @@ static void bench_stats_sym_finish(const char* desc, int useDeviceID,
TEST_SLEEP();
} /* bench_stats_sym_finish */
#ifndef WC_NO_RNG
/* Report ops/sec in the same format as bench_stats_asym_finish, but without
* requiring BENCH_ASYM to be defined. Used for benchmarks like RNG init/free
* that measure operation counts rather than byte throughput. */
static void bench_stats_ops_finish(const char* algo, int strength,
const char* desc, int count, double start, int ret)
{
double total, each = 0, opsSec, milliEach;
const char **word = bench_result_words2[lng_index];
char msg[256];
#ifdef BENCH_MICROSECOND
const int digits = 5;
#else
const int digits = 3;
#endif
XMEMSET(msg, 0, sizeof(msg));
total = current_time(0) - start;
#ifdef WOLFSSL_ESPIDF
END_ESP_CYCLES
#else
END_CYCLES
#endif
if (count > 0)
each = total / count;
if (total > 0)
opsSec = count / total;
else
opsSec = 0;
#ifdef BENCH_MICROSECOND
milliEach = each / 1000;
#else
milliEach = each * 1000;
#endif
SLEEP_ON_ERROR(ret);
if (csv_format == 1) {
(void)XSNPRINTF(msg, sizeof(msg), "%s,%d,%s," FLT_FMT_PREC ","
FLT_FMT_PREC "," STATS_CLAUSE_SEPARATOR,
algo, strength, desc,
FLT_FMT_PREC_ARGS(3, milliEach),
FLT_FMT_PREC_ARGS(digits, opsSec));
}
else {
#ifdef HAVE_GET_CYCLES
(void)XSNPRINTF(msg, sizeof(msg),
"%-6s %5d %8s %6d %s " FLT_FMT_PREC2 " %s, %s "
FLT_FMT_PREC2 " ms, " FLT_FMT_PREC2 " %s, %lu cycles",
algo, strength, desc,
count, word[0],
FLT_FMT_PREC2_ARGS(5, 3, total), word[1], word[2],
FLT_FMT_PREC2_ARGS(5, 3, milliEach),
FLT_FMT_PREC2_ARGS(digits + 6, digits, opsSec),
word[3], (unsigned long)total_cycles);
#else
(void)XSNPRINTF(msg, sizeof(msg),
"%-6s %5d %8s %6d %s " FLT_FMT_PREC2 " %s, %s "
FLT_FMT_PREC2 " ms, " FLT_FMT_PREC2 " %s",
algo, strength, desc,
count, word[0],
FLT_FMT_PREC2_ARGS(5, 3, total), word[1], word[2],
FLT_FMT_PREC2_ARGS(5, 3, milliEach),
FLT_FMT_PREC2_ARGS(digits + 6, digits, opsSec),
word[3]);
#endif
#ifdef WOLFSSL_ESPIDF
SHOW_ESP_CYCLES_OPS(msg, sizeof(msg));
#else
SHOW_CYCLES_OPS(msg, sizeof(msg));
#endif
}
printf("%s", msg);
if (ret < 0) {
printf("%sBenchmark %s %s %d failed: %d\n",
err_prefix, algo, desc, strength, ret);
}
#ifndef WOLFSSL_SGX
XFFLUSH(stdout);
#endif
(void)ret;
bench_stats_prepare();
TEST_SLEEP();
} /* bench_stats_ops_finish */
#endif /* !WC_NO_RNG */
#ifdef BENCH_ASYM
#if ((defined(HAVE_ECC) || !defined(NO_RSA) || !defined(NO_DH) || \
defined(HAVE_CURVE25519) || defined(HAVE_ED25519) || \
@@ -3839,6 +3967,12 @@ static void* benchmarks_do(void* args)
if (bench_all || (bench_other_algs & BENCH_RNG))
bench_rng();
#endif /* WC_NO_RNG */
#if defined(WOLFSSL_DRBG_SHA512) && !defined(WC_NO_RNG) && \
!defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
if (bench_all || (bench_other_algs & BENCH_RNG_SHA512))
bench_rng_sha512();
#endif
#ifndef NO_AES
#ifdef HAVE_AES_CBC
if (bench_all || (bench_cipher_algs & BENCH_AES_CBC)) {
@@ -4401,6 +4535,36 @@ static void* benchmarks_do(void* args)
bench_slhdsa(SLHDSA_SHAKE256F);
}
#endif
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_128S
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_128S) {
bench_slhdsa(SLHDSA_SHA2_128S);
}
#endif
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_128F
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_128F) {
bench_slhdsa(SLHDSA_SHA2_128F);
}
#endif
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_192S
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_192S) {
bench_slhdsa(SLHDSA_SHA2_192S);
}
#endif
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_192F
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_192F) {
bench_slhdsa(SLHDSA_SHA2_192F);
}
#endif
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_256S
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_256S) {
bench_slhdsa(SLHDSA_SHA2_256S);
}
#endif
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_256F
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_256F) {
bench_slhdsa(SLHDSA_SHA2_256F);
}
#endif
#endif
(void)bench_pq_hash_sig_algs;
@@ -4601,6 +4765,16 @@ static void* benchmarks_do(void* args)
bench_sphincsKeySign(5, SMALL_VARIANT);
#endif
#ifndef WC_NO_RNG
if (bench_all || (bench_other_algs & BENCH_RNG_INIT))
bench_rng_init();
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
if (bench_all || (bench_other_algs & BENCH_RNG_SHA512_INIT))
bench_rng_sha512_init();
#endif
#endif
exit:
/* free benchmark buffers */
XFREE(bench_plain, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
@@ -4733,6 +4907,19 @@ int benchmark_init(void)
wc_SetSeed_Cb(WC_GENERATE_SEED_DEFAULT);
#endif
#if defined(HAVE_FIPS) && FIPS_VERSION3_GE(7,0,0)
/* Pre-run all CASTs so their overhead is not captured in benchmark
* metrics. Without this, the first use of each algorithm triggers
* its CAST on-demand, inflating that algorithm's benchmark numbers. */
{
int castRet = wc_RunAllCast_fips();
if (castRet != 0) {
printf("%swc_RunAllCast_fips: %d CAST(s) failed, module in "
"DEGRADED mode\n", err_prefix, castRet);
}
}
#endif
bench_stats_init();
#if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND)
@@ -4947,6 +5134,21 @@ void bench_rng(void)
WC_RNG myrng;
DECLARE_MULTI_VALUE_STATS_VARS()
/* Force SHA-256 DRBG by temporarily disabling SHA-512 DRBG */
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
#if !defined(NO_SHA256)
ret = wc_Sha512Drbg_Disable();
if (ret != 0) {
printf("wc_Sha512Drbg_Disable failed %d\n", ret);
return;
}
#else
printf("RNG SHA-256 DRBG (Skipped: Disabled)\n");
return;
#endif
#endif
bench_stats_prepare();
#ifndef HAVE_FIPS
@@ -4955,7 +5157,11 @@ void bench_rng(void)
ret = wc_InitRng(&myrng);
#endif
if (ret < 0) {
printf("InitRNG failed %d\n", ret);
printf("InitRNG (SHA-256) failed %d\n", ret);
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
wc_Sha512Drbg_Enable();
#endif
return;
}
@@ -4986,15 +5192,204 @@ void bench_rng(void)
#endif
);
exit_rng:
bench_stats_sym_finish("RNG", 0, count, bench_size, start, ret);
bench_stats_sym_finish("RNG SHA-256 DRBG", 0, count, bench_size, start,
ret);
#ifdef MULTI_VALUE_STATISTICS
bench_multi_value_stats(max, min, sum, squareSum, runs);
#endif
wc_FreeRng(&myrng);
/* Restore SHA-512 DRBG */
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
wc_Sha512Drbg_Enable();
#endif
}
#endif /* WC_NO_RNG */
#if defined(WOLFSSL_DRBG_SHA512) && !defined(WC_NO_RNG) && \
!defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
void bench_rng_sha512(void)
{
int ret, i, count;
double start;
long pos, len, remain;
WC_RNG myrng;
DECLARE_MULTI_VALUE_STATS_VARS()
/* Force SHA-512 DRBG by temporarily disabling SHA-256 DRBG */
#ifndef NO_SHA256
ret = wc_Sha256Drbg_Disable();
if (ret != 0) {
printf("wc_Sha256Drbg_Disable failed %d\n", ret);
return;
}
#endif
bench_stats_prepare();
#ifndef HAVE_FIPS
ret = wc_InitRng_ex(&myrng, HEAP_HINT, devId);
#else
ret = wc_InitRng(&myrng);
#endif
if (ret < 0) {
printf("InitRNG (SHA-512) failed %d\n", ret);
#ifndef NO_SHA256
wc_Sha256Drbg_Enable();
#endif
return;
}
bench_stats_start(&count, &start);
do {
for (i = 0; i < numBlocks; i++) {
/* Split request to handle large RNG request */
pos = 0;
remain = (int)bench_size;
while (remain > 0) {
len = remain;
if (len > RNG_MAX_BLOCK_LEN)
len = RNG_MAX_BLOCK_LEN;
ret = wc_RNG_GenerateBlock(&myrng, &bench_plain[pos],
(word32)len);
if (ret < 0)
goto exit_rng_sha512;
remain -= len;
pos += len;
}
RECORD_MULTI_VALUE_STATS();
}
count += i;
} while (bench_stats_check(start)
#ifdef MULTI_VALUE_STATISTICS
|| runs < minimum_runs
#endif
);
exit_rng_sha512:
bench_stats_sym_finish("RNG SHA-512 DRBG", 0, count, bench_size, start,
ret);
#ifdef MULTI_VALUE_STATISTICS
bench_multi_value_stats(max, min, sum, squareSum, runs);
#endif
wc_FreeRng(&myrng);
/* Restore SHA-256 DRBG */
#ifndef NO_SHA256
wc_Sha256Drbg_Enable();
#endif
}
#endif /* WOLFSSL_DRBG_SHA512 && !WC_NO_RNG && !HAVE_SELFTEST && FIPS v7+ */
#ifndef WC_NO_RNG
void bench_rng_init(void)
{
int ret, count;
double start;
WC_RNG myrng;
DECLARE_MULTI_VALUE_STATS_VARS()
/* Force SHA-256 DRBG by temporarily disabling SHA-512 DRBG */
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
#if !defined(NO_SHA256)
ret = wc_Sha512Drbg_Disable();
if (ret != 0) {
printf("wc_Sha512Drbg_Disable failed %d\n", ret);
return;
}
#else
printf("RNG SHA-256 Init/Free (Skipped: Disabled)\n");
return;
#endif
#endif
bench_stats_start(&count, &start);
do {
#ifndef HAVE_FIPS
ret = wc_InitRng_ex(&myrng, HEAP_HINT, devId);
#else
ret = wc_InitRng(&myrng);
#endif
if (ret < 0) {
printf("InitRNG (SHA-256 init bench) failed %d\n", ret);
goto exit_rng_init;
}
wc_FreeRng(&myrng);
count++;
RECORD_MULTI_VALUE_STATS();
} while (bench_stats_check(start)
#ifdef MULTI_VALUE_STATISTICS
|| runs < minimum_runs
#endif
);
exit_rng_init:
bench_stats_ops_finish("RNG", 256, "SHA256 Init/Free", count, start, ret);
#ifdef MULTI_VALUE_STATISTICS
bench_multi_value_stats(max, min, sum, squareSum, runs);
#endif
/* Restore SHA-512 DRBG */
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
wc_Sha512Drbg_Enable();
#endif
}
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
void bench_rng_sha512_init(void)
{
int ret, count;
double start;
WC_RNG myrng;
DECLARE_MULTI_VALUE_STATS_VARS()
/* Force SHA-512 DRBG by temporarily disabling SHA-256 DRBG */
#ifndef NO_SHA256
ret = wc_Sha256Drbg_Disable();
if (ret != 0) {
printf("wc_Sha256Drbg_Disable failed %d\n", ret);
return;
}
#endif
bench_stats_start(&count, &start);
do {
#ifndef HAVE_FIPS
ret = wc_InitRng_ex(&myrng, HEAP_HINT, devId);
#else
ret = wc_InitRng(&myrng);
#endif
if (ret < 0) {
printf("InitRNG (SHA-512 init bench) failed %d\n", ret);
goto exit_rng_sha512_init;
}
wc_FreeRng(&myrng);
count++;
RECORD_MULTI_VALUE_STATS();
} while (bench_stats_check(start)
#ifdef MULTI_VALUE_STATISTICS
|| runs < minimum_runs
#endif
);
exit_rng_sha512_init:
bench_stats_ops_finish("RNG", 512, "SHA512 Init/Free", count, start, ret);
#ifdef MULTI_VALUE_STATISTICS
bench_multi_value_stats(max, min, sum, squareSum, runs);
#endif
/* Restore SHA-256 DRBG */
#ifndef NO_SHA256
wc_Sha256Drbg_Enable();
#endif
}
#endif /* WOLFSSL_DRBG_SHA512 && !HAVE_SELFTEST && FIPS v7+ */
#endif /* !WC_NO_RNG */
/* ============================================================================
* Benchmark init helpers -- use id[] when WC_TEST_*_ID is defined and
@@ -10851,6 +11246,7 @@ exit_encap:
RESET_MULTI_VALUE_STATS_VARS();
/* MLKEM Decapsulate */
PRIVATE_KEY_UNLOCK();
bench_stats_start(&count, &start);
do {
/* while free pending slots in queue, submit ops */
@@ -10868,6 +11264,7 @@ exit_encap:
);
exit_decap:
PRIVATE_KEY_LOCK();
bench_stats_asym_finish(name, keySize, desc[13], 0, count, start, ret);
#ifdef MULTI_VALUE_STATISTICS
bench_multi_value_stats(max, min, sum, squareSum, runs);
@@ -11360,6 +11757,13 @@ static void bench_lms_sign_verify(enum wc_LmsParm parm, byte* pub)
case WC_LMS_PARM_L4_H5_W4:
case WC_LMS_PARM_L4_H10_W4:
case WC_LMS_PARM_L4_H10_W8:
case WC_LMS_PARM_L1_H25_W1:
case WC_LMS_PARM_L1_H25_W2:
case WC_LMS_PARM_L1_H25_W4:
case WC_LMS_PARM_L1_H25_W8:
case WC_LMS_PARM_L1_H10_W1:
case WC_LMS_PARM_L1_H15_W1:
case WC_LMS_PARM_L1_H20_W1:
#endif
#ifdef WOLFSSL_LMS_SHA256_192
@@ -11383,6 +11787,57 @@ static void bench_lms_sign_verify(enum wc_LmsParm parm, byte* pub)
case WC_LMS_PARM_SHA256_192_L3_H5_W8:
case WC_LMS_PARM_SHA256_192_L3_H10_W4:
case WC_LMS_PARM_SHA256_192_L4_H5_W8:
case WC_LMS_PARM_SHA256_192_L1_H25_W1:
case WC_LMS_PARM_SHA256_192_L1_H25_W2:
case WC_LMS_PARM_SHA256_192_L1_H25_W4:
case WC_LMS_PARM_SHA256_192_L1_H25_W8:
case WC_LMS_PARM_SHA256_192_L1_H10_W1:
case WC_LMS_PARM_SHA256_192_L1_H15_W1:
case WC_LMS_PARM_SHA256_192_L1_H20_W1:
case WC_LMS_PARM_SHA256_192_L1_H15_W8:
#endif
#ifdef WOLFSSL_LMS_SHAKE256
case WC_LMS_PARM_SHAKE_L1_H5_W1:
case WC_LMS_PARM_SHAKE_L1_H5_W2:
case WC_LMS_PARM_SHAKE_L1_H5_W4:
case WC_LMS_PARM_SHAKE_L1_H5_W8:
case WC_LMS_PARM_SHAKE_L1_H10_W1:
case WC_LMS_PARM_SHAKE_L1_H10_W2:
case WC_LMS_PARM_SHAKE_L1_H10_W4:
case WC_LMS_PARM_SHAKE_L1_H10_W8:
case WC_LMS_PARM_SHAKE_L1_H15_W1:
case WC_LMS_PARM_SHAKE_L1_H15_W2:
case WC_LMS_PARM_SHAKE_L1_H15_W4:
case WC_LMS_PARM_SHAKE_L1_H15_W8:
case WC_LMS_PARM_SHAKE_L1_H20_W1:
case WC_LMS_PARM_SHAKE_L1_H20_W2:
case WC_LMS_PARM_SHAKE_L1_H20_W4:
case WC_LMS_PARM_SHAKE_L1_H20_W8:
case WC_LMS_PARM_SHAKE_L1_H25_W1:
case WC_LMS_PARM_SHAKE_L1_H25_W2:
case WC_LMS_PARM_SHAKE_L1_H25_W4:
case WC_LMS_PARM_SHAKE_L1_H25_W8:
case WC_LMS_PARM_SHAKE192_L1_H5_W1:
case WC_LMS_PARM_SHAKE192_L1_H5_W2:
case WC_LMS_PARM_SHAKE192_L1_H5_W4:
case WC_LMS_PARM_SHAKE192_L1_H5_W8:
case WC_LMS_PARM_SHAKE192_L1_H10_W1:
case WC_LMS_PARM_SHAKE192_L1_H10_W2:
case WC_LMS_PARM_SHAKE192_L1_H10_W4:
case WC_LMS_PARM_SHAKE192_L1_H10_W8:
case WC_LMS_PARM_SHAKE192_L1_H15_W1:
case WC_LMS_PARM_SHAKE192_L1_H15_W2:
case WC_LMS_PARM_SHAKE192_L1_H15_W4:
case WC_LMS_PARM_SHAKE192_L1_H15_W8:
case WC_LMS_PARM_SHAKE192_L1_H20_W1:
case WC_LMS_PARM_SHAKE192_L1_H20_W2:
case WC_LMS_PARM_SHAKE192_L1_H20_W4:
case WC_LMS_PARM_SHAKE192_L1_H20_W8:
case WC_LMS_PARM_SHAKE192_L1_H25_W1:
case WC_LMS_PARM_SHAKE192_L1_H25_W2:
case WC_LMS_PARM_SHAKE192_L1_H25_W4:
case WC_LMS_PARM_SHAKE192_L1_H25_W8:
#endif
default:
@@ -12207,9 +12662,17 @@ void bench_slhdsa(enum SlhDsaParam param)
}
len = wc_SlhDsaKey_PublicSize(key) / 2 * 8;
XMEMCPY(name, "SLH-DSA-S", 10);
if ((param & 1) == 1) {
name[8] = 'F';
if (SLHDSA_IS_SHA2(param)) {
XMEMCPY(name, "SLH-DSA-SHA2-S", 15);
if ((param & 1) == 1) {
name[13] = 'F';
}
}
else {
XMEMCPY(name, "SLH-DSA-S", 10);
if ((param & 1) == 1) {
name[8] = 'F';
}
}
bench_stats_start(&count, &start);
@@ -12227,6 +12690,7 @@ void bench_slhdsa(enum SlhDsaParam param)
);
bench_stats_asym_finish(name, len, "gen", 0, count, start, ret);
PRIVATE_KEY_UNLOCK();
bench_stats_start(&count, &start);
do {
sigLen = WC_SLHDSA_MAX_SIG_LEN;
@@ -12242,6 +12706,7 @@ void bench_slhdsa(enum SlhDsaParam param)
|| runs < minimum_runs
#endif
);
PRIVATE_KEY_LOCK();
bench_stats_asym_finish(name, len, "sign", 0, count, start, ret);
outLen = (word32)sizeof(pk);
@@ -12274,6 +12739,78 @@ void bench_slhdsa(enum SlhDsaParam param)
);
bench_stats_asym_finish(name, len, "verify", 0, count, start, ret);
/* Internal interface: sign M' directly (no M' construction). */
PRIVATE_KEY_UNLOCK();
bench_stats_start(&count, &start);
do {
sigLen = WC_SLHDSA_MAX_SIG_LEN;
ret = wc_SlhDsaKey_SignMsgDeterministic(key, msg,
(word32)sizeof(msg), sig, &sigLen);
if (ret != 0) {
goto exit;
}
count++;
RECORD_MULTI_VALUE_STATS();
} while (bench_stats_check(start)
#ifdef MULTI_VALUE_STATISTICS
|| runs < minimum_runs
#endif
);
PRIVATE_KEY_LOCK();
bench_stats_asym_finish(name, len, "sign-msg", 0, count, start, ret);
bench_stats_start(&count, &start);
do {
ret = wc_SlhDsaKey_VerifyMsg(key_vfy, msg, (word32)sizeof(msg),
sig, sigLen);
if (ret != 0) {
goto exit;
}
count++;
RECORD_MULTI_VALUE_STATS();
} while (bench_stats_check(start)
#ifdef MULTI_VALUE_STATISTICS
|| runs < minimum_runs
#endif
);
bench_stats_asym_finish(name, len, "vrfy-msg", 0, count, start, ret);
/* Pre-hash interface: hash message, then sign the hash. */
PRIVATE_KEY_UNLOCK();
bench_stats_start(&count, &start);
do {
sigLen = WC_SLHDSA_MAX_SIG_LEN;
ret = wc_SlhDsaKey_SignHashDeterministic(key, ctx, 0, msg,
(word32)sizeof(msg), WC_HASH_TYPE_SHA256, sig, &sigLen);
if (ret != 0) {
goto exit;
}
count++;
RECORD_MULTI_VALUE_STATS();
} while (bench_stats_check(start)
#ifdef MULTI_VALUE_STATISTICS
|| runs < minimum_runs
#endif
);
PRIVATE_KEY_LOCK();
bench_stats_asym_finish(name, len, "sign-pre", 0, count, start, ret);
bench_stats_start(&count, &start);
do {
ret = wc_SlhDsaKey_VerifyHash(key_vfy, ctx, 0, msg,
(word32)sizeof(msg), WC_HASH_TYPE_SHA256, sig, sigLen);
if (ret != 0) {
goto exit;
}
count++;
RECORD_MULTI_VALUE_STATS();
} while (bench_stats_check(start)
#ifdef MULTI_VALUE_STATISTICS
|| runs < minimum_runs
#endif
);
bench_stats_asym_finish(name, len, "vrfy-pre", 0, count, start, ret);
exit:
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
if (key_vfy)
@@ -15663,6 +16200,7 @@ void bench_dilithiumKeySign(byte level)
#elif !defined WOLFSSL_DILITHIUM_NO_SIGN
PRIVATE_KEY_UNLOCK();
#ifndef WOLFSSL_NO_ML_DSA_44
if (level == 2) {
ret = wc_dilithium_import_private(bench_dilithium_level2_key,
@@ -15681,6 +16219,7 @@ void bench_dilithiumKeySign(byte level)
sizeof_bench_dilithium_level5_key, key);
}
#endif
PRIVATE_KEY_LOCK();
if (ret != 0) {
printf("Failed to load private key\n");
goto out;
+7
@@ -130,6 +130,13 @@ void bench_sakkeRskGen(void);
void bench_sakkeValidate(void);
void bench_sakke(void);
void bench_rng(void);
void bench_rng_init(void);
#if defined(WOLFSSL_DRBG_SHA512) && !defined(WC_NO_RNG) && \
!defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
void bench_rng_sha512(void);
void bench_rng_sha512_init(void);
#endif
void bench_blake2b(void);
void bench_blake2s(void);
void bench_ascon_hash(void);
+18
@@ -4466,6 +4466,12 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32* inOutI
#ifndef WOLFSSL_NOSHA3_512
static const byte hashSha3_512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 10};
#endif /* WOLFSSL_NOSHA3_512 */
#ifdef WOLFSSL_SHAKE128
static const byte hashShake128hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 11};
#endif /* WOLFSSL_SHAKE128 */
#ifdef WOLFSSL_SHAKE256
static const byte hashShake256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 12};
#endif /* WOLFSSL_SHAKE256 */
#endif /* WOLFSSL_SHA3 */
/* hmacType */
@@ -5339,6 +5345,18 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
*oidSz = sizeof(hashSha3_512hOid);
break;
#endif /* WOLFSSL_NOSHA3_512 */
#ifdef WOLFSSL_SHAKE128
case SHAKE128h:
oid = hashShake128hOid;
*oidSz = sizeof(hashShake128hOid);
break;
#endif /* WOLFSSL_SHAKE128 */
#ifdef WOLFSSL_SHAKE256
case SHAKE256h:
oid = hashShake256hOid;
*oidSz = sizeof(hashShake256hOid);
break;
#endif /* WOLFSSL_SHAKE256 */
#endif /* WOLFSSL_SHA3 */
default:
break;
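Review bot: The two new OID tables hashShake128hOid and hashShake256hOid carry no comment naming the arc they encode, so a reader checking them against the NIST CSOR registry has to decode the bytes by hand; they decode to 2.16.840.1.101.3.4.2.11 (id-shake128) and 2.16.840.1.101.3.4.2.12 (id-shake256). Suggest `/* id-shake128: 2.16.840.1.101.3.4.2.11 */` and `/* id-shake256: 2.16.840.1.101.3.4.2.12 */` above the respective definitions, matching how the SHA-3 entries just above them are read. The OidFromId cases added in the second hunk are consistent with these definitions.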
+5
@@ -1063,6 +1063,11 @@ static int CheckDhLN(word32 modLen, word32 divLen)
if (divLen == 224 || divLen == 256)
ret = 0;
break;
/* Per SP 800-56Ar3 Table 2 */
case 3072:
if (divLen == 256)
ret = 0;
break;
default:
break;
}
+162 -5
@@ -138,6 +138,11 @@
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#if FIPS_VERSION3_GE(2,0,0)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#endif
#ifndef WOLFSSL_DILITHIUM_NO_ASN1
#include <wolfssl/wolfcrypt/asn.h>
#endif
@@ -814,6 +819,15 @@ static int dilithium_get_hash_oid(int hash, byte* oidBuffer, word32* oidLen)
oid = sha512Oid;
}
else
#ifndef WOLFSSL_NOSHA512_224
if (hash == WC_HASH_TYPE_SHA512_224) {
static byte sha512_224Oid[DILITHIUM_HASH_OID_LEN] = {
0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x05
};
oid = sha512_224Oid;
}
else
#endif
#ifndef WOLFSSL_NOSHA512_256
if (hash == WC_HASH_TYPE_SHA512_256) {
static byte sha512_256Oid[DILITHIUM_HASH_OID_LEN] = {
@@ -9520,7 +9534,7 @@ static void dilithium_make_pub_vec(dilithium_key* key, sword32* t1)
* @return MEMORY_E when memory allocation fails.
* @return Other negative when an error occurs.
*/
static int dilithium_verify_mu(dilithium_key* key, const byte* mu,
static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu,
const byte* sig, word32 sigLen, int* res)
{
#ifndef WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM
@@ -9979,7 +9993,7 @@ static int dilithium_verify_ctx_msg(dilithium_key* key, const byte* ctx,
ctx, (byte)ctxLen, msg, msgLen, mu, DILITHIUM_MU_SZ);
}
if (ret == 0) {
ret = dilithium_verify_mu(key, mu, sig, sigLen, res);
ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
}
return ret;
@@ -10023,7 +10037,7 @@ static int dilithium_verify_msg(dilithium_key* key, const byte* msg,
mu, DILITHIUM_MU_SZ);
}
if (ret == 0) {
ret = dilithium_verify_mu(key, mu, sig, sigLen, res);
ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
}
return ret;
@@ -10085,7 +10099,7 @@ static int dilithium_verify_ctx_hash(dilithium_key* key, const byte* ctx,
ctx, (byte)ctxLen, oidMsgHash, oidMsgHashLen, mu, DILITHIUM_MU_SZ);
}
if (ret == 0) {
ret = dilithium_verify_mu(key, mu, sig, sigLen, res);
ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
}
return ret;
@@ -10310,6 +10324,45 @@ int wc_dilithium_make_key(dilithium_key* key, WC_RNG* rng)
#endif
}
#ifdef HAVE_FIPS
/* Pairwise Consistency Test (PCT) per FIPS 140-3 / ISO 19790:2012
* Section 7.10.3.3 (TE10.35.02): sign with new sk, verify with pk.
* Runs on every key generation. */
if (ret == 0) {
static const byte pct_msg[] = "wolfSSL ML-DSA PCT";
WC_DECLARE_VAR(pct_sig, byte, DILITHIUM_MAX_SIG_SIZE, key->heap);
word32 pct_sigSz = DILITHIUM_MAX_SIG_SIZE;
int pct_res = 0;
WC_ALLOC_VAR_EX(pct_sig, byte, DILITHIUM_MAX_SIG_SIZE, key->heap,
DYNAMIC_TYPE_DILITHIUM, ret = MEMORY_E);
if (ret == 0) {
ret = wc_dilithium_sign_ctx_msg(NULL, 0, pct_msg, sizeof(pct_msg),
pct_sig, &pct_sigSz, key, rng);
}
if (ret == 0)
ret = wc_dilithium_verify_ctx_msg(pct_sig, pct_sigSz,
NULL, 0, pct_msg, sizeof(pct_msg), &pct_res, key);
if (ret == 0 && pct_res != 1)
ret = ML_DSA_PCT_E;
if (WC_VAR_OK(pct_sig))
ForceZero(pct_sig, DILITHIUM_MAX_SIG_SIZE);
WC_FREE_VAR_EX(pct_sig, key->heap, DYNAMIC_TYPE_DILITHIUM);
/* FIPS 140-3 IG 10.3.A (TE10.35.02): a key pair that fails the PCT
* must be rendered unusable. Zeroize the generated key material so
* a caller that ignores the return value cannot use it. */
if (ret != 0) {
wc_dilithium_free(key);
}
}
#endif /* HAVE_FIPS */
return ret;
}
@@ -10338,6 +10391,9 @@ int wc_dilithium_make_key_from_seed(dilithium_key* key, const byte* seed)
#endif
}
/* Note: PCT is performed in wc_dilithium_make_key() which calls this
* function and has the RNG parameter needed for signing. */
return ret;
}
#endif
@@ -10627,7 +10683,8 @@ int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen,
int ret = 0;
/* Validate parameters. */
if ((hash == NULL) || (sig == NULL) || (sigLen == NULL) || (key == NULL)) {
if ((hash == NULL) || (sig == NULL) || (sigLen == NULL) || (key == NULL) ||
(seed == NULL)) {
ret = BAD_FUNC_ARG;
}
if ((ret == 0) && (ctx == NULL) && (ctxLen > 0)) {
@@ -10650,6 +10707,60 @@ int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen,
return ret;
}
/* Sign using the ML-DSA internal interface with a pre-computed mu value.
*
* This implements ML-DSA.Sign_internal from FIPS 204 Section 6.2.
* The caller provides mu directly (already computed from tr||M'), bypassing
* the external message hashing step. Used by ACVP internal interface tests.
*
* mu [in] Pre-computed mu value (64 bytes).
* muLen [in] Length of mu in bytes (must be 64).
* sig [out] Buffer to write signature into.
* sigLen [in/out] On in, size of buffer.
* On out, the length of the signature in bytes.
* key [in] Dilithium key to use when signing.
* seed [in] 32-byte random seed (rnd).
* returns BAD_FUNC_ARG when a parameter is NULL or muLen is not 64,
* BUFFER_E when sigLen is too small,
* 0 otherwise.
*/
int wc_dilithium_sign_mu_with_seed(const byte* mu, word32 muLen,
byte* sig, word32 *sigLen, dilithium_key* key, const byte* seed)
{
#ifdef WOLFSSL_WC_DILITHIUM
int ret = 0;
/* Validate parameters. */
if ((mu == NULL) || (sig == NULL) || (sigLen == NULL) || (key == NULL) ||
(seed == NULL)) {
ret = BAD_FUNC_ARG;
}
if ((ret == 0) && (muLen != DILITHIUM_MU_SZ)) {
ret = BAD_FUNC_ARG;
}
if (ret == 0) {
/* Build [seed||mu] buffer and call internal sign function. */
byte seedMu[DILITHIUM_RND_SZ + DILITHIUM_MU_SZ];
XMEMCPY(seedMu, seed, DILITHIUM_RND_SZ);
XMEMCPY(seedMu + DILITHIUM_RND_SZ, mu, DILITHIUM_MU_SZ);
ret = dilithium_sign_with_seed_mu(key, seedMu, sig, sigLen);
ForceZero(seedMu, sizeof(seedMu));
}
return ret;
#else
/* Internal interface not supported with liboqs backend. */
(void)mu;
(void)muLen;
(void)sig;
(void)sigLen;
(void)key;
(void)seed;
return NOT_COMPILED_IN;
#endif
}
#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */
#ifndef WOLFSSL_DILITHIUM_NO_VERIFY
@@ -10830,6 +10941,52 @@ int wc_dilithium_verify_ctx_hash(const byte* sig, word32 sigLen,
return ret;
}
/* Verify using the ML-DSA internal interface with a pre-computed mu value.
*
* This implements ML-DSA.Verify_internal from FIPS 204 Section 6.3.
* The caller provides mu directly (already computed from tr||M'), bypassing
* the external message hashing step. Used by ACVP internal interface tests.
*
* sig [in] Signature to verify.
* sigLen [in] Size of signature in bytes.
* mu [in] Pre-computed mu value (64 bytes).
* muLen [in] Length of mu in bytes (must be 64).
* res [out] *res is set to 1 on successful verification.
* key [in] Dilithium key to use to verify.
* returns BAD_FUNC_ARG when a parameter is NULL or muLen is not 64,
* 0 otherwise.
*/
int wc_dilithium_verify_mu(const byte* sig, word32 sigLen, const byte* mu,
word32 muLen, int* res, dilithium_key* key)
{
#ifdef WOLFSSL_WC_DILITHIUM
int ret = 0;
/* Validate parameters. */
if ((key == NULL) || (sig == NULL) || (mu == NULL) || (res == NULL)) {
ret = BAD_FUNC_ARG;
}
if ((ret == 0) && (muLen != DILITHIUM_MU_SZ)) {
ret = BAD_FUNC_ARG;
}
if (ret == 0) {
ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
}
return ret;
#else
/* Internal interface not supported with liboqs backend. */
(void)sig;
(void)sigLen;
(void)mu;
(void)muLen;
(void)res;
(void)key;
return NOT_COMPILED_IN;
#endif
}
#endif /* WOLFSSL_DILITHIUM_NO_VERIFY */
#ifndef WC_NO_CONSTRUCTORS
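Review bot: wc_dilithium_verify_mu leaves *res untouched on its BAD_FUNC_ARG path for muLen != DILITHIUM_MU_SZ, so a caller that reads *res without checking the return code sees a stale value; after the NULL checks add `*res = 0;` before the length test. Whether dilithium_verify_with_mu clears *res on every failure path is not visible in this section and is worth confirming. Separately, the PCT block in wc_dilithium_make_key calls wc_dilithium_free(key) on failure while the caller still owns key and will normally free it again, which is only safe if wc_dilithium_free tolerates a second call; that contract should be confirmed and stated in the function's header comment, which lies outside the hunk.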
+6
@@ -6091,6 +6091,12 @@ int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id,
) {
err = _ecc_pairwise_consistency_test(key, rng);
}
/* FIPS 140-3 IG 10.3.A (TE10.35.02): a key pair that fails post-
* generation validation or PCT must be rendered unusable so a caller
* that ignores the return value cannot use it. */
if (err != MP_OKAY) {
wc_ecc_free(key);
}
#endif
RESTORE_VECTOR_REGISTERS();
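Review bot: wc_ecc_make_key_ex2 now frees key on any err != MP_OKAY from the validation/PCT step while the caller still owns key and, under the existing API contract, frees it itself; this is safe only if wc_ecc_free tolerates a second call on an already-freed key, which the hunk does not show and is worth confirming. The function's header comment, outside this hunk, should record the new behaviour, e.g. `/* FIPS builds: on validation or PCT failure the key is zeroized and must be re-initialized before reuse. */`. The enclosing function starts and ends outside the hunk.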
+24
@@ -668,6 +668,30 @@ const char* wc_GetErrorString(int error)
case ALREADY_E:
return "Operation was redundant or preempted";
case ML_KEM_KAT_FIPS_E:
return "wolfCrypt FIPS ML-KEM Known Answer Test Failure";
case ML_DSA_KAT_FIPS_E:
return "wolfCrypt FIPS ML-DSA Known Answer Test Failure";
case LMS_KAT_FIPS_E:
return "wolfCrypt FIPS LMS Known Answer Test Failure";
case XMSS_KAT_FIPS_E:
return "wolfCrypt FIPS XMSS Known Answer Test Failure";
case ML_KEM_PCT_E:
return "wolfcrypt ML-KEM Pairwise Consistency Test Failure";
case ML_DSA_PCT_E:
return "wolfcrypt ML-DSA Pairwise Consistency Test Failure";
case DRBG_SHA512_KAT_FIPS_E:
return "SHA-512 DRBG Known Answer Test check FIPS error";
case SLH_DSA_KAT_FIPS_E:
return "SLH-DSA Known Answer Test check FIPS error";
case SEQ_OVERFLOW_E:
return "Sequence counter would overflow";
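Review bot: The new error strings use three different phrasings for the same class of failure within one hunk: `wolfCrypt FIPS ... Known Answer Test Failure` for ML-KEM, ML-DSA, LMS and XMSS, `wolfcrypt ... Pairwise Consistency Test Failure` (lower-case c) for the two PCT codes, and `... Known Answer Test check FIPS error` for DRBG_SHA512_KAT_FIPS_E and SLH_DSA_KAT_FIPS_E. Pick one form for all eight; for the last two that would be `return "wolfCrypt FIPS SHA-512 DRBG Known Answer Test Failure";` and `return "wolfCrypt FIPS SLH-DSA Known Answer Test Failure";`, and the PCT strings should capitalise `wolfCrypt`. A uniform prefix makes log filtering and self-test monitoring on these messages straightforward.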
+28 -18
@@ -5809,8 +5809,9 @@ void wolfSSL_EVP_init(void)
#endif /* WOLFSSL_SHA512 */
break;
case WC_HASH_TYPE_SHA512_224:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_224)
ret = wc_Sha512_224Copy((wc_Sha512*)&src->hash.digest,
(wc_Sha512*)&des->hash.digest);
#else
@@ -5818,8 +5819,9 @@ void wolfSSL_EVP_init(void)
#endif
break;
case WC_HASH_TYPE_SHA512_256:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_256)
ret = wc_Sha512_256Copy((wc_Sha512*)&src->hash.digest,
(wc_Sha512*)&des->hash.digest);
#else
@@ -10765,14 +10767,16 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
#endif /* WOLFSSL_SHA512 */
break;
case WC_HASH_TYPE_SHA512_224:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_224)
wc_Sha512_224Free((wc_Sha512*)&ctx->hash.digest);
#endif
break;
case WC_HASH_TYPE_SHA512_256:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_256)
wc_Sha512_256Free((wc_Sha512*)&ctx->hash.digest);
#endif
break;
@@ -10872,13 +10876,15 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
ret = wolfSSL_SHA384_Init(&(ctx->hash.digest.sha384));
} else
#endif
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
if (XSTRCMP(md, WC_SN_sha512_224) == 0) {
ret = wolfSSL_SHA512_224_Init(&(ctx->hash.digest.sha512));
} else
#endif
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
if (XSTRCMP(md, WC_SN_sha512_256) == 0) {
ret = wolfSSL_SHA512_256_Init(&(ctx->hash.digest.sha512));
@@ -11028,8 +11034,9 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
break;
case WC_HASH_TYPE_SHA512_224:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_224)
ret = wolfSSL_SHA512_224_Update((WOLFSSL_SHA512_CTX*)&ctx->hash, data,
(unsigned long)sz);
#else
@@ -11038,8 +11045,9 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
break;
case WC_HASH_TYPE_SHA512_256:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_256)
ret = wolfSSL_SHA512_256_Update((WOLFSSL_SHA512_CTX*)&ctx->hash, data,
(unsigned long)sz);
#else
@@ -11188,8 +11196,9 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
#endif /* WOLFSSL_SHA512 */
break;
case WC_HASH_TYPE_SHA512_224:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_224)
ret = wolfSSL_SHA512_224_Final(md, (WOLFSSL_SHA512_CTX*)&ctx->hash);
if (s) *s = WC_SHA512_224_DIGEST_SIZE;
#else
@@ -11197,8 +11206,9 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
#endif
break;
case WC_HASH_TYPE_SHA512_256:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_256)
ret = wolfSSL_SHA512_256_Final(md, (WOLFSSL_SHA512_CTX*)&ctx->hash);
if (s) *s = WC_SHA512_256_DIGEST_SIZE;
#else
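Review bot: The same compound guard `(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)` (and its _256 twin) is now written out by hand at every SHA512/224 and SHA512/256 site in this file, and the following hash.c section repeats it again, so any future change to the availability rule has to be applied in each copy and one missed copy silently desynchronises FIPS and non-FIPS behaviour. Define the availability decision once in a shared header as a single macro (name left to the maintainers) and reduce these sites to a one-line `#ifdef`. The slightly different line wrapping between the copy hunks and the init hunk suggests the copies were already edited individually.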
+28
@@ -226,6 +226,20 @@ const char * wc_LmsKey_ParmToStr(enum wc_LmsParm lmsParm)
return "LMS/HSS L4_H10_W4";
case WC_LMS_PARM_L4_H10_W8:
return "LMS/HSS L4_H10_W8";
case WC_LMS_PARM_L1_H25_W1:
return "LMS/HSS L1_H25_W1";
case WC_LMS_PARM_L1_H25_W2:
return "LMS/HSS L1_H25_W2";
case WC_LMS_PARM_L1_H25_W4:
return "LMS/HSS L1_H25_W4";
case WC_LMS_PARM_L1_H25_W8:
return "LMS/HSS L1_H25_W8";
case WC_LMS_PARM_L1_H10_W1:
return "LMS/HSS L1_H10_W1";
case WC_LMS_PARM_L1_H15_W1:
return "LMS/HSS L1_H15_W1";
case WC_LMS_PARM_L1_H20_W1:
return "LMS/HSS L1_H20_W1";
default:
WOLFSSL_MSG("error: invalid LMS parameter");
break;
@@ -383,6 +397,20 @@ int wc_LmsKey_SetLmsParm(LmsKey * key, enum wc_LmsParm lmsParm)
return wc_LmsKey_SetParameters(key, 4, 10, 4);
case WC_LMS_PARM_L4_H10_W8:
return wc_LmsKey_SetParameters(key, 4, 10, 8);
case WC_LMS_PARM_L1_H25_W1:
return wc_LmsKey_SetParameters(key, 1, 25, 1);
case WC_LMS_PARM_L1_H25_W2:
return wc_LmsKey_SetParameters(key, 1, 25, 2);
case WC_LMS_PARM_L1_H25_W4:
return wc_LmsKey_SetParameters(key, 1, 25, 4);
case WC_LMS_PARM_L1_H25_W8:
return wc_LmsKey_SetParameters(key, 1, 25, 8);
case WC_LMS_PARM_L1_H10_W1:
return wc_LmsKey_SetParameters(key, 1, 10, 1);
case WC_LMS_PARM_L1_H15_W1:
return wc_LmsKey_SetParameters(key, 1, 15, 1);
case WC_LMS_PARM_L1_H20_W1:
return wc_LmsKey_SetParameters(key, 1, 20, 1);
default:
WOLFSSL_MSG("error: invalid LMS parameter set");
break;
+6
@@ -22,6 +22,12 @@
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_WC_MLKEM)
#if FIPS_VERSION3_GE(2,0,0)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#endif
#include <wolfssl/wolfcrypt/ext_mlkem.h>
#ifdef NO_INLINE
+249 -139
@@ -79,7 +79,16 @@ enum wc_HashType wc_HashTypeConvert(int hashType)
case WC_SHA512:
eHashType = WC_HASH_TYPE_SHA512;
break;
#if !defined(WOLFSSL_NOSHA512_224)
case WC_SHA512_224:
eHashType = WC_HASH_TYPE_SHA512_224;
break;
#endif
#if !defined(WOLFSSL_NOSHA512_256)
case WC_SHA512_256:
eHashType = WC_HASH_TYPE_SHA512_256;
break;
#endif
#endif /* WOLFSSL_SHA512 */
#ifdef WOLFSSL_SHA3
case WC_SHA3_224:
@@ -424,16 +433,18 @@ int wc_HashGetDigestSize(enum wc_HashType hash_type)
#endif
break;
case WC_HASH_TYPE_SHA512_224:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_224)
dig_size = WC_SHA512_224_DIGEST_SIZE;
#else
dig_size = HASH_TYPE_E;
#endif
break;
case WC_HASH_TYPE_SHA512_256:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_256)
dig_size = WC_SHA512_256_DIGEST_SIZE;
#else
dig_size = HASH_TYPE_E;
@@ -498,14 +509,29 @@ int wc_HashGetDigestSize(enum wc_HashType hash_type)
#endif
break;
/* Not Supported */
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
/* SHAKE is an XOF; default output here is 2x the security level
* (256 bits for SHAKE128, 512 bits for SHAKE256). The SHA3 digest
* macros are reused only for their bit-length value. */
case WC_HASH_TYPE_SHAKE128:
dig_size = WC_SHA3_256_DIGEST_SIZE;
break;
#else
case WC_HASH_TYPE_SHAKE128:
dig_size = HASH_TYPE_E;
break;
#endif
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
case WC_HASH_TYPE_SHAKE256:
dig_size = WC_SHA3_512_DIGEST_SIZE;
break;
#else
case WC_HASH_TYPE_SHAKE256:
dig_size = HASH_TYPE_E;
break;
#endif
/* Not Supported */
case WC_HASH_TYPE_NONE:
dig_size = BAD_FUNC_ARG;
break;
@@ -580,16 +606,18 @@ int wc_HashGetBlockSize(enum wc_HashType hash_type)
#endif
break;
case WC_HASH_TYPE_SHA512_224:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_224)
block_size = WC_SHA512_224_BLOCK_SIZE;
#else
block_size = HASH_TYPE_E;
#endif
break;
case WC_HASH_TYPE_SHA512_256:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_256)
block_size = WC_SHA512_256_BLOCK_SIZE;
#else
block_size = HASH_TYPE_E;
@@ -654,14 +682,30 @@ int wc_HashGetBlockSize(enum wc_HashType hash_type)
#endif
break;
/* Not Supported */
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
/* WC_SHA3_*_BLOCK_SIZE names the Keccak rate by capacity, not a
* specific SHA-3 hash. SHAKE128 uses the 1344-bit rate (168 B);
* SHAKE256 uses the 1088-bit rate (136 B), shared with SHA3-256.
* Per FIPS 202. */
case WC_HASH_TYPE_SHAKE128:
block_size = WC_SHA3_128_BLOCK_SIZE;
break;
#else
case WC_HASH_TYPE_SHAKE128:
block_size = HASH_TYPE_E;
break;
#endif
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
case WC_HASH_TYPE_SHAKE256:
block_size = WC_SHA3_256_BLOCK_SIZE;
break;
#else
case WC_HASH_TYPE_SHAKE256:
block_size = HASH_TYPE_E;
break;
#endif
/* Not Supported */
case WC_HASH_TYPE_NONE:
block_size = BAD_FUNC_ARG;
break;
@@ -740,16 +784,18 @@ int wc_Hash_ex(enum wc_HashType hash_type, const byte* data,
#endif
break;
case WC_HASH_TYPE_SHA512_224:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_224)
ret = wc_Sha512_224Hash_ex(data, data_len, hash, heap, devId);
#else
ret = HASH_TYPE_E;
#endif
break;
case WC_HASH_TYPE_SHA512_256:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_256)
ret = wc_Sha512_256Hash_ex(data, data_len, hash, heap, devId);
#else
ret = HASH_TYPE_E;
@@ -804,26 +850,62 @@ int wc_Hash_ex(enum wc_HashType hash_type, const byte* data,
#endif
break;
/* Not Supported */
case WC_HASH_TYPE_MD2:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD4:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2B:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
case WC_HASH_TYPE_SHAKE128:
{
WC_DECLARE_VAR(shake, wc_Shake, 1, heap);
WC_ALLOC_VAR_EX(shake, wc_Shake, 1, heap, DYNAMIC_TYPE_TMP_BUFFER,
ret = MEMORY_E);
if (WC_VAR_OK(shake)) {
ret = wc_InitShake128(shake, heap, devId);
if (ret == 0) {
ret = wc_Shake128_Update(shake, data, data_len);
if (ret == 0)
ret = wc_Shake128_Final(shake, hash,
WC_SHA3_256_DIGEST_SIZE);
wc_Shake128_Free(shake);
}
}
WC_FREE_VAR_EX(shake, heap, DYNAMIC_TYPE_TMP_BUFFER);
break;
}
#else
case WC_HASH_TYPE_SHAKE128:
ret = HASH_TYPE_E;
break;
#endif
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
case WC_HASH_TYPE_SHAKE256:
{
WC_DECLARE_VAR(shake, wc_Shake, 1, heap);
WC_ALLOC_VAR_EX(shake, wc_Shake, 1, heap, DYNAMIC_TYPE_TMP_BUFFER,
ret = MEMORY_E);
if (WC_VAR_OK(shake)) {
ret = wc_InitShake256(shake, heap, devId);
if (ret == 0) {
ret = wc_Shake256_Update(shake, data, data_len);
if (ret == 0)
ret = wc_Shake256_Final(shake, hash,
WC_SHA3_512_DIGEST_SIZE);
wc_Shake256_Free(shake);
}
}
WC_FREE_VAR_EX(shake, heap, DYNAMIC_TYPE_TMP_BUFFER);
break;
}
#else
case WC_HASH_TYPE_SHAKE256:
ret = HASH_TYPE_E;
break;
#endif
/* Not Supported */
case WC_HASH_TYPE_MD2:
case WC_HASH_TYPE_MD4:
case WC_HASH_TYPE_BLAKE2B:
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_NONE:
ret = BAD_FUNC_ARG;
break;
@@ -940,16 +1022,18 @@ int wc_HashInit_ex(wc_HashAlg* hash, enum wc_HashType type, void* heap,
#endif
break;
case WC_HASH_TYPE_SHA512_224:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_224)
ret = wc_InitSha512_224_ex(&hash->alg.sha512, heap, devId);
#else
ret = HASH_TYPE_E;
#endif
break;
case WC_HASH_TYPE_SHA512_256:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_256)
ret = wc_InitSha512_256_ex(&hash->alg.sha512, heap, devId);
#else
ret = HASH_TYPE_E;
@@ -992,29 +1076,33 @@ int wc_HashInit_ex(wc_HashAlg* hash, enum wc_HashType type, void* heap,
#endif
break;
/* not supported */
case WC_HASH_TYPE_MD5_SHA:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD2:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD4:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2B:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
case WC_HASH_TYPE_SHAKE128:
ret = wc_InitShake128(&hash->alg.sha3, heap, devId);
break;
#else
case WC_HASH_TYPE_SHAKE128:
ret = HASH_TYPE_E;
break;
#endif
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
case WC_HASH_TYPE_SHAKE256:
ret = wc_InitShake256(&hash->alg.sha3, heap, devId);
break;
#else
case WC_HASH_TYPE_SHAKE256:
ret = HASH_TYPE_E;
break;
#endif
/* not supported */
case WC_HASH_TYPE_MD5_SHA:
case WC_HASH_TYPE_MD2:
case WC_HASH_TYPE_MD4:
case WC_HASH_TYPE_BLAKE2B:
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_NONE:
ret = BAD_FUNC_ARG;
break;
@@ -1091,16 +1179,18 @@ int wc_HashUpdate(wc_HashAlg* hash, enum wc_HashType type, const byte* data,
#endif
break;
case WC_HASH_TYPE_SHA512_224:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_224)
ret = wc_Sha512_224Update(&hash->alg.sha512, data, dataSz);
#else
ret = HASH_TYPE_E;
#endif
break;
case WC_HASH_TYPE_SHA512_256:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_256)
ret = wc_Sha512_256Update(&hash->alg.sha512, data, dataSz);
#else
ret = HASH_TYPE_E;
@@ -1143,29 +1233,33 @@ int wc_HashUpdate(wc_HashAlg* hash, enum wc_HashType type, const byte* data,
#endif
break;
/* not supported */
case WC_HASH_TYPE_MD5_SHA:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD2:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD4:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2B:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
case WC_HASH_TYPE_SHAKE128:
ret = wc_Shake128_Update(&hash->alg.sha3, data, dataSz);
break;
#else
case WC_HASH_TYPE_SHAKE128:
ret = HASH_TYPE_E;
break;
#endif
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
case WC_HASH_TYPE_SHAKE256:
ret = wc_Shake256_Update(&hash->alg.sha3, data, dataSz);
break;
#else
case WC_HASH_TYPE_SHAKE256:
ret = HASH_TYPE_E;
break;
#endif
/* not supported */
case WC_HASH_TYPE_MD5_SHA:
case WC_HASH_TYPE_MD2:
case WC_HASH_TYPE_MD4:
case WC_HASH_TYPE_BLAKE2B:
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_NONE:
ret = BAD_FUNC_ARG;
break;
@@ -1234,16 +1328,18 @@ int wc_HashFinal(wc_HashAlg* hash, enum wc_HashType type, byte* out)
#endif
break;
case WC_HASH_TYPE_SHA512_224:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_224)
ret = wc_Sha512_224Final(&hash->alg.sha512, out);
#else
ret = HASH_TYPE_E;
#endif
break;
case WC_HASH_TYPE_SHA512_256:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_256)
ret = wc_Sha512_256Final(&hash->alg.sha512, out);
#else
ret = HASH_TYPE_E;
@@ -1286,29 +1382,35 @@ int wc_HashFinal(wc_HashAlg* hash, enum wc_HashType type, byte* out)
#endif
break;
/* not supported */
case WC_HASH_TYPE_MD5_SHA:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD2:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD4:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2B:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
case WC_HASH_TYPE_SHAKE128:
ret = wc_Shake128_Final(&hash->alg.sha3, out,
WC_SHA3_256_DIGEST_SIZE);
break;
#else
case WC_HASH_TYPE_SHAKE128:
ret = HASH_TYPE_E;
break;
#endif
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
case WC_HASH_TYPE_SHAKE256:
ret = wc_Shake256_Final(&hash->alg.sha3, out,
WC_SHA3_512_DIGEST_SIZE);
break;
#else
case WC_HASH_TYPE_SHAKE256:
ret = HASH_TYPE_E;
break;
#endif
/* not supported */
case WC_HASH_TYPE_MD5_SHA:
case WC_HASH_TYPE_MD2:
case WC_HASH_TYPE_MD4:
case WC_HASH_TYPE_BLAKE2B:
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_NONE:
ret = BAD_FUNC_ARG;
break;
@@ -1383,8 +1485,9 @@ int wc_HashFree(wc_HashAlg* hash, enum wc_HashType type)
#endif
break;
case WC_HASH_TYPE_SHA512_224:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_224)
wc_Sha512_224Free(&hash->alg.sha512);
ret = 0;
#else
@@ -1392,8 +1495,9 @@ int wc_HashFree(wc_HashAlg* hash, enum wc_HashType type)
#endif
break;
case WC_HASH_TYPE_SHA512_256:
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
!defined(WOLFSSL_NOSHA512_256)
wc_Sha512_256Free(&hash->alg.sha512);
ret = 0;
#else
@@ -1442,29 +1546,35 @@ int wc_HashFree(wc_HashAlg* hash, enum wc_HashType type)
#endif
break;
/* not supported */
case WC_HASH_TYPE_MD5_SHA:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD2:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD4:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2B:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
case WC_HASH_TYPE_SHAKE128:
wc_Shake128_Free(&hash->alg.sha3);
ret = 0;
break;
#else
case WC_HASH_TYPE_SHAKE128:
ret = HASH_TYPE_E;
break;
#endif
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
case WC_HASH_TYPE_SHAKE256:
wc_Shake256_Free(&hash->alg.sha3);
ret = 0;
break;
#else
case WC_HASH_TYPE_SHAKE256:
ret = HASH_TYPE_E;
break;
#endif
/* not supported */
case WC_HASH_TYPE_MD5_SHA:
case WC_HASH_TYPE_MD2:
case WC_HASH_TYPE_MD4:
case WC_HASH_TYPE_BLAKE2B:
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_NONE:
ret = BAD_FUNC_ARG;
break;
@@ -1554,6 +1664,22 @@ int wc_HashSetFlags(wc_HashAlg* hash, enum wc_HashType type, word32 flags)
#endif
break;
case WC_HASH_TYPE_SHAKE128:
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
ret = wc_Sha3_SetFlags(&hash->alg.sha3, flags);
#else
ret = HASH_TYPE_E;
#endif
break;
case WC_HASH_TYPE_SHAKE256:
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
ret = wc_Sha3_SetFlags(&hash->alg.sha3, flags);
#else
ret = HASH_TYPE_E;
#endif
break;
case WC_HASH_TYPE_SM3:
#ifdef WOLFSSL_SM3
ret = wc_Sm3SetFlags(&hash->alg.sm3, flags);
@@ -1564,30 +1690,13 @@ int wc_HashSetFlags(wc_HashAlg* hash, enum wc_HashType type, word32 flags)
/* not supported */
case WC_HASH_TYPE_MD5_SHA:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD2:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD4:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2B:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_SHAKE128:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_SHAKE256:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_NONE:
ret = BAD_FUNC_ARG;
break;
default:
ret = BAD_FUNC_ARG;
};
@@ -1670,6 +1779,22 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
#endif
break;
case WC_HASH_TYPE_SHAKE128:
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
ret = wc_Sha3_GetFlags(&hash->alg.sha3, flags);
#else
ret = HASH_TYPE_E;
#endif
break;
case WC_HASH_TYPE_SHAKE256:
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
ret = wc_Sha3_GetFlags(&hash->alg.sha3, flags);
#else
ret = HASH_TYPE_E;
#endif
break;
case WC_HASH_TYPE_SM3:
#ifdef WOLFSSL_SM3
ret = wc_Sm3GetFlags(&hash->alg.sm3, flags);
@@ -1680,27 +1805,12 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
/* not supported */
case WC_HASH_TYPE_MD5_SHA:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD2:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_MD4:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2B:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_BLAKE2S:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_SHAKE128:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_SHAKE256:
ret = HASH_TYPE_E;
break;
case WC_HASH_TYPE_NONE:
ret = BAD_FUNC_ARG;
break;
@@ -1927,7 +2037,7 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
#endif
return wc_Sha512Hash_ex(data, len, hash, NULL, devId);
}
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && !defined(HAVE_SELFTEST)
#ifndef WOLFSSL_NOSHA512_224
int wc_Sha512_224Hash_ex(const byte* data, word32 len, byte* hash,
void* heap, int devId)
@@ -1967,9 +2077,9 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
return wc_Sha512_224Hash_ex(data, len, hash, NULL, devId);
}
#endif /* !WOLFSSL_NOSHA512_224 */
#endif /* !HAVE_FIPS && !HAVE_SELFTEST */
#endif /* (!HAVE_FIPS || FIPS v7+) && !HAVE_SELFTEST */
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && !defined(HAVE_SELFTEST)
#ifndef WOLFSSL_NOSHA512_256
int wc_Sha512_256Hash_ex(const byte* data, word32 len, byte* hash,
void* heap, int devId)
@@ -2009,7 +2119,7 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
return wc_Sha512_256Hash_ex(data, len, hash, NULL, devId);
}
#endif /* !WOLFSSL_NOSHA512_256 */
#endif /* !HAVE_FIPS && !HAVE_SELFTEST */
#endif /* (!HAVE_FIPS || FIPS v7+) && !HAVE_SELFTEST */
#endif /* WOLFSSL_SHA512 */
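Review bot: The SHAKE cases duplicate the `case` label on both sides of the `#if`/`#else` (wc_HashFinal, and the same shape in wc_HashGetDigestSize, wc_HashGetBlockSize, wc_Hash_ex, wc_HashInit_ex, wc_HashUpdate and wc_HashFree), while wc_HashSetFlags and wc_HashGetFlags, and the SHA-512/224 and SHA-512/256 cases in every one of these functions, keep a single `case` and put the `#if` inside it. One shape across the commit would be easier to audit, and the single-label form is shorter. The fixed SHAKE output lengths (`WC_SHA3_256_DIGEST_SIZE` for SHAKE128, `WC_SHA3_512_DIGEST_SIZE` for SHAKE256) are also repeated literally in wc_HashGetDigestSize, wc_Hash_ex and wc_HashFinal; a single named constant per XOF would keep the advertised digest size and the bytes actually written from drifting apart, which matters because callers size `out` from wc_HashGetDigestSize. All of the enclosing functions start outside their hunks.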
+164
@@ -87,6 +87,12 @@ int wc_HmacSizeByType(int type)
if (!(type == WC_MD5 || type == WC_SHA ||
#ifdef WOLFSSL_SM3
type == WC_SM3 ||
#endif
#ifndef WOLFSSL_NOSHA512_224
type == WC_SHA512_224 ||
#endif
#ifndef WOLFSSL_NOSHA512_256
type == WC_SHA512_256 ||
#endif
type == WC_SHA224 || type == WC_SHA256 ||
type == WC_SHA384 || type == WC_SHA512 ||
@@ -129,6 +135,16 @@ int wc_HmacSizeByType(int type)
case WC_SHA512:
ret = WC_SHA512_DIGEST_SIZE;
break;
#ifndef WOLFSSL_NOSHA512_224
case WC_SHA512_224:
ret = WC_SHA512_224_DIGEST_SIZE;
break;
#endif
#ifndef WOLFSSL_NOSHA512_256
case WC_SHA512_256:
ret = WC_SHA512_256_DIGEST_SIZE;
break;
#endif
#endif /* WOLFSSL_SHA512 */
#ifdef WOLFSSL_SHA3
@@ -201,6 +217,16 @@ static int HmacKeyInitHash(wc_HmacHash* hash, int type, void* heap, int devId)
case WC_SHA512:
ret = wc_InitSha512_ex(&hash->sha512, heap, devId);
break;
#ifndef WOLFSSL_NOSHA512_224
case WC_SHA512_224:
ret = wc_InitSha512_224_ex(&hash->sha512, heap, devId);
break;
#endif
#ifndef WOLFSSL_NOSHA512_256
case WC_SHA512_256:
ret = wc_InitSha512_256_ex(&hash->sha512, heap, devId);
break;
#endif
#endif /* WOLFSSL_SHA512 */
#ifdef WOLFSSL_SHA3
@@ -300,6 +326,16 @@ static int HmacKeyCopyHash(byte macType, wc_HmacHash* src, wc_HmacHash* dst)
case WC_SHA512:
ret = wc_Sha512Copy(&src->sha512, &dst->sha512);
break;
#ifndef WOLFSSL_NOSHA512_224
case WC_SHA512_224:
ret = wc_Sha512_224Copy(&src->sha512, &dst->sha512);
break;
#endif
#ifndef WOLFSSL_NOSHA512_256
case WC_SHA512_256:
ret = wc_Sha512_256Copy(&src->sha512, &dst->sha512);
break;
#endif
#endif /* WOLFSSL_SHA512 */
#ifdef WOLFSSL_SHA3
@@ -395,6 +431,18 @@ static int HmacKeyHashUpdate(byte macType, wc_HmacHash* hash, byte* pad)
case WC_SHA512:
ret = wc_Sha512Update(&hash->sha512, pad, WC_SHA512_BLOCK_SIZE);
break;
#ifndef WOLFSSL_NOSHA512_224
case WC_SHA512_224:
ret = wc_Sha512_224Update(&hash->sha512, pad,
WC_SHA512_224_BLOCK_SIZE);
break;
#endif
#ifndef WOLFSSL_NOSHA512_256
case WC_SHA512_256:
ret = wc_Sha512_256Update(&hash->sha512, pad,
WC_SHA512_256_BLOCK_SIZE);
break;
#endif
#endif /* WOLFSSL_SHA512 */
#ifdef WOLFSSL_SHA3
@@ -478,6 +526,12 @@ int wc_HmacSetKey_ex(Hmac* hmac, int type, const byte* key, word32 length,
!(type == WC_MD5 || type == WC_SHA ||
#ifdef WOLFSSL_SM3
type == WC_SM3 ||
#endif
#ifndef WOLFSSL_NOSHA512_224
type == WC_SHA512_224 ||
#endif
#ifndef WOLFSSL_NOSHA512_256
type == WC_SHA512_256 ||
#endif
type == WC_SHA224 || type == WC_SHA256 ||
type == WC_SHA384 || type == WC_SHA512 ||
@@ -747,6 +801,46 @@ int wc_HmacSetKey_ex(Hmac* hmac, int type, const byte* key, word32 length,
length = WC_SHA512_DIGEST_SIZE;
}
break;
#ifndef WOLFSSL_NOSHA512_224
case WC_SHA512_224:
hmac_block_size = WC_SHA512_224_BLOCK_SIZE;
if (length <= WC_SHA512_224_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Sha512_224Update(&hmac->hash.sha512, key, length);
if (ret != 0)
break;
ret = wc_Sha512_224Final(&hmac->hash.sha512, ip);
if (ret != 0)
break;
length = WC_SHA512_224_DIGEST_SIZE;
}
break;
#endif
#ifndef WOLFSSL_NOSHA512_256
case WC_SHA512_256:
hmac_block_size = WC_SHA512_256_BLOCK_SIZE;
if (length <= WC_SHA512_256_BLOCK_SIZE) {
if (key != NULL) {
XMEMCPY(ip, key, length);
}
}
else {
ret = wc_Sha512_256Update(&hmac->hash.sha512, key, length);
if (ret != 0)
break;
ret = wc_Sha512_256Final(&hmac->hash.sha512, ip);
if (ret != 0)
break;
length = WC_SHA512_256_DIGEST_SIZE;
}
break;
#endif
#endif /* WOLFSSL_SHA512 */
#ifdef WOLFSSL_SHA3
@@ -999,6 +1093,16 @@ int wc_HmacUpdate(Hmac* hmac, const byte* msg, word32 length)
case WC_SHA512:
ret = wc_Sha512Update(&hmac->hash.sha512, msg, length);
break;
#ifndef WOLFSSL_NOSHA512_224
case WC_SHA512_224:
ret = wc_Sha512_224Update(&hmac->hash.sha512, msg, length);
break;
#endif
#ifndef WOLFSSL_NOSHA512_256
case WC_SHA512_256:
ret = wc_Sha512_256Update(&hmac->hash.sha512, msg, length);
break;
#endif
#endif /* WOLFSSL_SHA512 */
#ifdef WOLFSSL_SHA3
@@ -1226,6 +1330,48 @@ int wc_HmacFinal(Hmac* hmac, byte* hash)
break;
ret = wc_Sha512Final(&hmac->hash.sha512, hash);
break;
#ifndef WOLFSSL_NOSHA512_224
case WC_SHA512_224:
ret = wc_Sha512_224Final(&hmac->hash.sha512,
(byte*)hmac->innerHash);
if (ret != 0)
break;
#ifndef WOLFSSL_HMAC_COPY_HASH
ret = wc_Sha512_224Update(&hmac->hash.sha512, (byte*)hmac->opad,
WC_SHA512_224_BLOCK_SIZE);
#else
ret = HmacKeyCopyHash(WC_SHA512_224, &hmac->o_hash, &hmac->hash);
#endif
if (ret != 0)
break;
ret = wc_Sha512_224Update(&hmac->hash.sha512,
(byte*)hmac->innerHash, WC_SHA512_224_DIGEST_SIZE);
if (ret != 0)
break;
ret = wc_Sha512_224Final(&hmac->hash.sha512, hash);
break;
#endif
#ifndef WOLFSSL_NOSHA512_256
case WC_SHA512_256:
ret = wc_Sha512_256Final(&hmac->hash.sha512,
(byte*)hmac->innerHash);
if (ret != 0)
break;
#ifndef WOLFSSL_HMAC_COPY_HASH
ret = wc_Sha512_256Update(&hmac->hash.sha512, (byte*)hmac->opad,
WC_SHA512_256_BLOCK_SIZE);
#else
ret = HmacKeyCopyHash(WC_SHA512_256, &hmac->o_hash, &hmac->hash);
#endif
if (ret != 0)
break;
ret = wc_Sha512_256Update(&hmac->hash.sha512,
(byte*)hmac->innerHash, WC_SHA512_256_DIGEST_SIZE);
if (ret != 0)
break;
ret = wc_Sha512_256Final(&hmac->hash.sha512, hash);
break;
#endif
#endif /* WOLFSSL_SHA512 */
#ifdef WOLFSSL_SHA3
@@ -1505,6 +1651,24 @@ void wc_HmacFree(Hmac* hmac)
wc_Sha512Free(&hmac->o_hash.sha512);
#endif
break;
#ifndef WOLFSSL_NOSHA512_224
case WC_SHA512_224:
wc_Sha512_224Free(&hmac->hash.sha512);
#ifdef WOLFSSL_HMAC_COPY_HASH
wc_Sha512_224Free(&hmac->i_hash.sha512);
wc_Sha512_224Free(&hmac->o_hash.sha512);
#endif
break;
#endif
#ifndef WOLFSSL_NOSHA512_256
case WC_SHA512_256:
wc_Sha512_256Free(&hmac->hash.sha512);
#ifdef WOLFSSL_HMAC_COPY_HASH
wc_Sha512_256Free(&hmac->i_hash.sha512);
wc_Sha512_256Free(&hmac->o_hash.sha512);
#endif
break;
#endif
#endif /* WOLFSSL_SHA512 */
#ifdef WOLFSSL_SHA3
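Review bot: The new SHA-512/224 and SHA-512/256 branches in hmac.c are gated only on `#ifndef WOLFSSL_NOSHA512_224` / `#ifndef WOLFSSL_NOSHA512_256` inside `WOLFSSL_SHA512`, whereas the hash.c side of this same commit gates every call to `wc_Sha512_224*` / `wc_Sha512_256*` additionally on `(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && !defined(HAVE_SELFTEST)`. Unless the settings layer defines `WOLFSSL_NOSHA512_224` and `WOLFSSL_NOSHA512_256` for pre-v7 FIPS and selftest builds, wc_HmacSizeByType, HmacKeyInitHash, wc_HmacSetKey_ex, wc_HmacUpdate, wc_HmacFinal and wc_HmacFree would reference symbols that hash.c treats as unavailable in those configurations; either confirm that, or mirror the hash.c condition here. Whichever way it resolves, a comment at the first guard in wc_HmacSizeByType recording why the FIPS/selftest condition is or is not needed in this file would save the next reader the cross-check. All of the enclosing functions start outside their hunks.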
+1634 -99
+51 -6
@@ -26,6 +26,51 @@
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/rng_bank.h>
/* Helpers to access reseedCtr / null-check the active DRBG. The shape of
* struct WC_RNG and the DRBG_*_internal types varies by which DRBGs are
* compiled in; random.h gates the SHA-256 side on !NO_SHA256 and the SHA-512
* side on WOLFSSL_DRBG_SHA512, so all three live combinations are handled
* separately here. */
#if defined(WOLFSSL_DRBG_SHA512) && !defined(NO_SHA256)
/* Both DRBGs compiled in: dispatch on the runtime drbgType. */
#define WC_RNG_BANK_RESEED_CTR(rng_ptr) \
(((rng_ptr)->drbgType == WC_DRBG_SHA512) \
? ((struct DRBG_SHA512_internal *)(rng_ptr)->drbg512)->reseedCtr \
: ((struct DRBG_internal *)(rng_ptr)->drbg)->reseedCtr)
#define WC_RNG_BANK_SET_RESEED_CTR(rng_ptr, val) \
do { \
if ((rng_ptr)->drbgType == WC_DRBG_SHA512) \
((struct DRBG_SHA512_internal *)(rng_ptr)->drbg512)->reseedCtr \
= (val); \
else \
((struct DRBG_internal *)(rng_ptr)->drbg)->reseedCtr = (val); \
} while (0)
#define WC_RNG_BANK_DRBG_NULL(rng_ptr) \
((rng_ptr)->drbg == NULL && (rng_ptr)->drbg512 == NULL)
#elif defined(WOLFSSL_DRBG_SHA512)
/* SHA-512 DRBG only (NO_SHA256 defined); the SHA-256 struct and
* rng->drbg field do not exist in this build. */
#define WC_RNG_BANK_RESEED_CTR(rng_ptr) \
(((struct DRBG_SHA512_internal *)(rng_ptr)->drbg512)->reseedCtr)
#define WC_RNG_BANK_SET_RESEED_CTR(rng_ptr, val) \
do { \
((struct DRBG_SHA512_internal *)(rng_ptr)->drbg512)->reseedCtr \
= (val); \
} while (0)
#define WC_RNG_BANK_DRBG_NULL(rng_ptr) \
((rng_ptr)->drbg512 == NULL)
#else
/* SHA-256 DRBG only (the historical default). */
#define WC_RNG_BANK_RESEED_CTR(rng_ptr) \
(((struct DRBG_internal *)(rng_ptr)->drbg)->reseedCtr)
#define WC_RNG_BANK_SET_RESEED_CTR(rng_ptr, val) \
do { \
((struct DRBG_internal *)(rng_ptr)->drbg)->reseedCtr = (val); \
} while (0)
#define WC_RNG_BANK_DRBG_NULL(rng_ptr) \
((rng_ptr)->drbg == NULL)
#endif
WOLFSSL_API int wc_rng_bank_init(
struct wc_rng_bank *ctx,
int n_rngs,
@@ -472,7 +517,7 @@ WOLFSSL_API int wc_rng_bank_checkout(
*rng_inst = &bank->rngs[preferred_inst_offset];
if ((! (flags & WC_RNG_BANK_FLAG_CAN_WAIT)) &&
(((struct DRBG_internal *)(*rng_inst)->rng.drbg)->reseedCtr >=
(WC_RNG_BANK_RESEED_CTR(&(*rng_inst)->rng) >=
WC_RESEED_INTERVAL) &&
(flags & WC_RNG_BANK_FLAG_CAN_FAIL_OVER_INST) &&
(n_rngs_tried < bank->n_rngs))
@@ -482,7 +527,7 @@ WOLFSSL_API int wc_rng_bank_checkout(
else {
#ifdef WC_VERBOSE_RNG
if ((! (flags & WC_RNG_BANK_FLAG_CAN_WAIT)) &&
(((struct DRBG_internal *)(*rng_inst)->rng.drbg)->reseedCtr >=
(WC_RNG_BANK_RESEED_CTR(&(*rng_inst)->rng) >=
WC_RESEED_INTERVAL))
{
WOLFSSL_DEBUG_PRINTF(
@@ -648,11 +693,12 @@ WOLFSSL_API int wc_rng_bank_inst_reinit(
bank = default_rng_bank;
#endif
/* rng_inst NULL check handled by rng_inst_matches_bank() */
ret = rng_inst_matches_bank(bank, rng_inst);
if (ret < 0)
return BAD_FUNC_ARG;
if (rng_inst->rng.drbg == NULL)
if (WC_RNG_BANK_DRBG_NULL(&rng_inst->rng))
{
return BAD_FUNC_ARG;
}
@@ -734,7 +780,7 @@ WOLFSSL_API int wc_rng_bank_seed(struct wc_rng_bank *bank,
#endif
break;
}
else if (drbg->rng.drbg == NULL) {
else if (WC_RNG_BANK_DRBG_NULL(&drbg->rng)) {
#ifdef WC_VERBOSE_RNG
WOLFSSL_DEBUG_PRINTF(
"WARNING: wc_rng_bank_seed(): inst#%d has null .drbg.\n", n);
@@ -793,8 +839,7 @@ WOLFSSL_API int wc_rng_bank_reseed(struct wc_rng_bank *bank,
if (ret != 0)
return ret;
((struct DRBG_internal *)drbg->rng.drbg)->reseedCtr =
WC_RESEED_INTERVAL;
WC_RNG_BANK_SET_RESEED_CTR(&drbg->rng, WC_RESEED_INTERVAL);
if (flags & WC_RNG_BANK_FLAG_CAN_WAIT) {
byte scratch[4];
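Review bot: The verbose warning in wc_rng_bank_seed still reads `inst#%d has null .drbg` although the check in front of it is now `WC_RNG_BANK_DRBG_NULL`, which in a SHA-512-only build tests `drbg512` and in the dual build both fields; a neutral wording such as `"WARNING: wc_rng_bank_seed(): inst#%d has no DRBG instance.\n"` would match all three configurations. The three macro variants also spread the casts to `struct DRBG_internal *` / `struct DRBG_SHA512_internal *` and the `drbgType` dispatch into rng_bank.c, so any change to those private structs or to `drbgType` in random.c now has to be mirrored here; an accessor exported from random.c (read/set the reseed counter, DRBG-present check) would keep that layout knowledge in one place. The reseed-counter read in wc_rng_bank_checkout dereferences the selected DRBG without a NULL check, as the code it replaces did, so this is not a regression but is worth a comment now that the dual dispatch can select either pointer. wc_rng_bank_checkout, wc_rng_bank_inst_reinit, wc_rng_bank_seed and wc_rng_bank_reseed all start outside their hunks.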
+147 -2
@@ -1137,6 +1137,62 @@ static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz,
}
#endif /* SHA2 Hashes */
#if defined(WOLFSSL_SHA3) && \
(defined(WOLFSSL_SHAKE128) || defined(WOLFSSL_SHAKE256))
/* SHAKE XOF used directly as mask generation function (not MGF1).
* Per FIPS 186-5, SHAKE can be used as the MGF for RSA-PSS. */
static int RsaMGF_SHAKE(enum wc_HashType shakeType, byte* seed, word32 seedSz,
byte* out, word32 outSz, void* heap)
{
WC_DECLARE_VAR(shake, wc_Shake, 1, heap);
int ret;
(void)heap;
(void)shakeType;
WC_ALLOC_VAR_EX(shake, wc_Shake, 1, heap, DYNAMIC_TYPE_TMP_BUFFER,
return MEMORY_E);
#ifdef WOLFSSL_SHAKE128
if (shakeType == WC_HASH_TYPE_SHAKE128)
ret = wc_InitShake128(shake, heap, INVALID_DEVID);
else
#endif
#ifdef WOLFSSL_SHAKE256
if (shakeType == WC_HASH_TYPE_SHAKE256)
ret = wc_InitShake256(shake, heap, INVALID_DEVID);
else
#endif
ret = BAD_FUNC_ARG;
if (ret == 0) {
#ifdef WOLFSSL_SHAKE128
if (shakeType == WC_HASH_TYPE_SHAKE128) {
ret = wc_Shake128_Update(shake, seed, seedSz);
if (ret == 0)
ret = wc_Shake128_Final(shake, out, outSz);
wc_Shake128_Free(shake);
}
else
#endif
#ifdef WOLFSSL_SHAKE256
if (shakeType == WC_HASH_TYPE_SHAKE256) {
ret = wc_Shake256_Update(shake, seed, seedSz);
if (ret == 0)
ret = wc_Shake256_Final(shake, out, outSz);
wc_Shake256_Free(shake);
}
else
#endif
{
ret = BAD_FUNC_ARG;
}
}
WC_FREE_VAR_EX(shake, heap, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
#endif /* WOLFSSL_SHA3 && (WOLFSSL_SHAKE128 || WOLFSSL_SHAKE256) */
/* helper function to direct which mask generation function is used
switched on type input
*/
@@ -1182,6 +1238,52 @@ static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out,
heap);
break;
#endif
#endif
#ifdef WOLFSSL_SHA3
#ifndef WOLFSSL_NOSHA3_224
case WC_MGF1SHA3_224:
ret = RsaMGF1(WC_HASH_TYPE_SHA3_224, seed, seedSz, out, outSz,
heap);
break;
#endif
#ifndef WOLFSSL_NOSHA3_256
case WC_MGF1SHA3_256:
ret = RsaMGF1(WC_HASH_TYPE_SHA3_256, seed, seedSz, out, outSz,
heap);
break;
#endif
#ifndef WOLFSSL_NOSHA3_384
case WC_MGF1SHA3_384:
ret = RsaMGF1(WC_HASH_TYPE_SHA3_384, seed, seedSz, out, outSz,
heap);
break;
#endif
#ifndef WOLFSSL_NOSHA3_512
case WC_MGF1SHA3_512:
ret = RsaMGF1(WC_HASH_TYPE_SHA3_512, seed, seedSz, out, outSz,
heap);
break;
#endif
#endif /* WOLFSSL_SHA3 */
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
case WC_MGF1SHAKE128:
ret = RsaMGF1(WC_HASH_TYPE_SHAKE128, seed, seedSz, out, outSz,
heap);
break;
case WC_MGFSHAKE128:
ret = RsaMGF_SHAKE(WC_HASH_TYPE_SHAKE128, seed, seedSz, out, outSz,
heap);
break;
#endif
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
case WC_MGF1SHAKE256:
ret = RsaMGF1(WC_HASH_TYPE_SHAKE256, seed, seedSz, out, outSz,
heap);
break;
case WC_MGFSHAKE256:
ret = RsaMGF_SHAKE(WC_HASH_TYPE_SHAKE256, seed, seedSz, out, outSz,
heap);
break;
#endif
default:
WOLFSSL_MSG("Unknown MGF type: check build options");
@@ -2115,22 +2217,65 @@ int wc_hash2mgf(enum wc_HashType hType)
return WC_MGF1SHA512;
#else
break;
#endif
case WC_HASH_TYPE_SHA512_224:
#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
return WC_MGF1SHA512_224;
#else
break;
#endif
case WC_HASH_TYPE_SHA512_256:
#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
return WC_MGF1SHA512_256;
#else
break;
#endif
case WC_HASH_TYPE_MD2:
case WC_HASH_TYPE_MD4:
case WC_HASH_TYPE_MD5:
case WC_HASH_TYPE_MD5_SHA:
case WC_HASH_TYPE_SHA512_224:
case WC_HASH_TYPE_SHA512_256:
case WC_HASH_TYPE_SHA3_224:
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
return WC_MGF1SHA3_224;
#else
break;
#endif
case WC_HASH_TYPE_SHA3_256:
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
return WC_MGF1SHA3_256;
#else
break;
#endif
case WC_HASH_TYPE_SHA3_384:
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
return WC_MGF1SHA3_384;
#else
break;
#endif
case WC_HASH_TYPE_SHA3_512:
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
return WC_MGF1SHA3_512;
#else
break;
#endif
case WC_HASH_TYPE_BLAKE2B:
case WC_HASH_TYPE_BLAKE2S:
case WC_HASH_TYPE_SM3:
break;
#ifdef WOLFSSL_SHAKE128
case WC_HASH_TYPE_SHAKE128:
return WC_MGF1SHAKE128;
#else
case WC_HASH_TYPE_SHAKE128:
break;
#endif
#ifdef WOLFSSL_SHAKE256
case WC_HASH_TYPE_SHAKE256:
return WC_MGF1SHAKE256;
#else
case WC_HASH_TYPE_SHAKE256:
break;
#endif
default:
break;
}
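Review bot: wc_hash2mgf guards its SHAKE cases with `#ifdef WOLFSSL_SHAKE128` / `#ifdef WOLFSSL_SHAKE256` alone, while RsaMGF accepts `WC_MGF1SHAKE128` / `WC_MGF1SHAKE256` only under `defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)` (resp. 256); a build with the SHAKE define but without `WOLFSSL_SHA3` would have wc_hash2mgf hand back an MGF identifier that RsaMGF then reports as `Unknown MGF type`. Use the same condition in both places, `#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)` and `#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)`. In RsaMGF_SHAKE, `(void)shakeType;` is stale because the parameter is read by the `if` chain in every configuration that compiles this function; and since the file now offers both `WC_MGF1SHAKE*` (MGF1 with SHAKE as the hash) and `WC_MGFSHAKE*` (SHAKE used directly as the XOF, the form the RsaMGF_SHAKE comment ties to FIPS 186-5), a comment at wc_hash2mgf stating why the hash-to-MGF mapping picks the MGF1 form would help callers choose the profile they intend. wc_hash2mgf starts outside its hunk.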
+2
@@ -252,6 +252,7 @@ static int InitSha256(wc_Sha256* sha256)
sha256->digest[7] = 0x5BE0CD19L;
sha256->buffLen = 0;
XMEMSET(sha256->buffer, 0, sizeof(sha256->buffer));
sha256->loLen = 0;
sha256->hiLen = 0;
#ifdef WOLFSSL_HASH_FLAGS
@@ -2101,6 +2102,7 @@ static WC_INLINE int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
sha224->digest[7] = 0xbefa4fa4;
sha224->buffLen = 0;
XMEMSET(sha224->buffer, 0, sizeof(sha224->buffer));
sha224->loLen = 0;
sha224->hiLen = 0;
+1
@@ -642,6 +642,7 @@ static int InitSha3(wc_Sha3* sha3)
for (i = 0; i < 25; i++)
sha3->s[i] = 0;
XMEMSET(sha3->t, 0, sizeof(sha3->t));
sha3->i = 0;
#ifdef WOLFSSL_HASH_FLAGS
sha3->flags = 0;
+4
@@ -348,6 +348,7 @@ static int InitSha512(wc_Sha512* sha512)
sha512->digest[7] = W64LIT(0x5be0cd19137e2179);
sha512->buffLen = 0;
XMEMSET(sha512->buffer, 0, sizeof(sha512->buffer));
sha512->loLen = 0;
sha512->hiLen = 0;
@@ -403,6 +404,7 @@ static int InitSha512_224(wc_Sha512* sha512)
sha512->digest[7] = W64LIT(0x1112e6ad91d692a1);
sha512->buffLen = 0;
XMEMSET(sha512->buffer, 0, sizeof(sha512->buffer));
sha512->loLen = 0;
sha512->hiLen = 0;
@@ -460,6 +462,7 @@ static int InitSha512_256(wc_Sha512* sha512)
sha512->digest[7] = W64LIT(0x0eb72ddc81c52ca2);
sha512->buffLen = 0;
XMEMSET(sha512->buffer, 0, sizeof(sha512->buffer));
sha512->loLen = 0;
sha512->hiLen = 0;
@@ -1967,6 +1970,7 @@ static int InitSha384(wc_Sha384* sha384)
sha384->digest[7] = W64LIT(0x47b5481dbefa4fa4);
sha384->buffLen = 0;
XMEMSET(sha384->buffer, 0, sizeof(sha384->buffer));
sha384->loLen = 0;
sha384->hiLen = 0;
+246 -6
@@ -22,6 +22,11 @@
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#if defined(WOLFSSL_HAVE_LMS) && defined(WOLFSSL_WC_LMS)
#if FIPS_VERSION3_GE(2,0,0)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#endif
#include <wolfssl/wolfcrypt/wc_lms.h>
#ifdef NO_INLINE
@@ -109,12 +114,25 @@ static int wc_lmskey_state_init(LmsState* state, const LmsParams* params)
/* Keep a reference to the parameters for use in operations. */
state->params = params;
#ifdef WOLFSSL_LMS_SHAKE256
if (LMS_IS_SHAKE(params->lmOtsType)) {
ret = wc_InitShake256(LMS_STATE_SHAKE(state), NULL, INVALID_DEVID);
if (ret == 0) {
ret = wc_InitShake256(LMS_STATE_SHAKE_K(state), NULL, INVALID_DEVID);
if (ret != 0) {
wc_Shake256_Free(LMS_STATE_SHAKE(state));
}
}
return ret;
}
#endif
/* Initialize the two hash algorithms. */
ret = wc_InitSha256(&state->hash);
ret = wc_InitSha256(LMS_STATE_HASH(state));
if (ret == 0) {
ret = wc_InitSha256(&state->hash_k);
ret = wc_InitSha256(LMS_STATE_HASH_K(state));
if (ret != 0) {
wc_Sha256Free(&state->hash);
wc_Sha256Free(LMS_STATE_HASH(state));
}
}
@@ -127,8 +145,15 @@ static int wc_lmskey_state_init(LmsState* state, const LmsParams* params)
*/
static void wc_lmskey_state_free(LmsState* state)
{
wc_Sha256Free(&state->hash_k);
wc_Sha256Free(&state->hash);
#ifdef WOLFSSL_LMS_SHAKE256
if (LMS_IS_SHAKE(state->params->lmOtsType)) {
wc_Shake256_Free(LMS_STATE_SHAKE_K(state));
wc_Shake256_Free(LMS_STATE_SHAKE(state));
return;
}
#endif
wc_Sha256Free(LMS_STATE_HASH_K(state));
wc_Sha256Free(LMS_STATE_HASH(state));
}
/* Supported LMS parameters. */
@@ -276,6 +301,35 @@ static const wc_LmsParamsMap wc_lms_map[] = {
WC_SHA256_DIGEST_SIZE) },
#endif
#endif
#if LMS_MAX_HEIGHT >= 25
{ WC_LMS_PARM_L1_H25_W1 , "LMS/HSS_L1_H25_W1",
LMS_PARAMS(1, 25, 1, 1, LMS_SHA256_M32_H25, LMOTS_SHA256_N32_W1,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_L1_H25_W2 , "LMS/HSS_L1_H25_W2",
LMS_PARAMS(1, 25, 2, 1, LMS_SHA256_M32_H25, LMOTS_SHA256_N32_W2,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_L1_H25_W4 , "LMS/HSS_L1_H25_W4",
LMS_PARAMS(1, 25, 4, 2, LMS_SHA256_M32_H25, LMOTS_SHA256_N32_W4,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_L1_H25_W8 , "LMS/HSS_L1_H25_W8",
LMS_PARAMS(1, 25, 8, 3, LMS_SHA256_M32_H25, LMOTS_SHA256_N32_W8,
WC_SHA256_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 10
{ WC_LMS_PARM_L1_H10_W1 , "LMS/HSS_L1_H10_W1",
LMS_PARAMS(1, 10, 1, 1, LMS_SHA256_M32_H10, LMOTS_SHA256_N32_W1,
WC_SHA256_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 15
{ WC_LMS_PARM_L1_H15_W1 , "LMS/HSS_L1_H15_W1",
LMS_PARAMS(1, 15, 1, 1, LMS_SHA256_M32_H15, LMOTS_SHA256_N32_W1,
WC_SHA256_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 20
{ WC_LMS_PARM_L1_H20_W1 , "LMS/HSS_L1_H20_W1",
LMS_PARAMS(1, 20, 1, 1, LMS_SHA256_M32_H20, LMOTS_SHA256_N32_W1,
WC_SHA256_DIGEST_SIZE) },
#endif
#endif /* !WOLFSSL_NO_LMS_SHA256_256 */
#ifdef WOLFSSL_LMS_SHA256_192
@@ -356,7 +410,193 @@ static const wc_LmsParamsMap wc_lms_map[] = {
LMS_PARAMS(1, 20, 8, 4, LMS_SHA256_M24_H20, LMOTS_SHA256_N24_W8,
WC_SHA256_192_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 25
{ WC_LMS_PARM_SHA256_192_L1_H25_W1 , "LMS/HSS_SHA256/192_L1_H25_W1",
LMS_PARAMS(1, 25, 1, 2, LMS_SHA256_M24_H25, LMOTS_SHA256_N24_W1,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHA256_192_L1_H25_W2 , "LMS/HSS_SHA256/192_L1_H25_W2",
LMS_PARAMS(1, 25, 2, 2, LMS_SHA256_M24_H25, LMOTS_SHA256_N24_W2,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHA256_192_L1_H25_W4 , "LMS/HSS_SHA256/192_L1_H25_W4",
LMS_PARAMS(1, 25, 4, 3, LMS_SHA256_M24_H25, LMOTS_SHA256_N24_W4,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHA256_192_L1_H25_W8 , "LMS/HSS_SHA256/192_L1_H25_W8",
LMS_PARAMS(1, 25, 8, 4, LMS_SHA256_M24_H25, LMOTS_SHA256_N24_W8,
WC_SHA256_192_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 10
{ WC_LMS_PARM_SHA256_192_L1_H10_W1 , "LMS/HSS_SHA256/192_L1_H10_W1",
LMS_PARAMS(1, 10, 1, 2, LMS_SHA256_M24_H10, LMOTS_SHA256_N24_W1,
WC_SHA256_192_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 15
{ WC_LMS_PARM_SHA256_192_L1_H15_W1 , "LMS/HSS_SHA256/192_L1_H15_W1",
LMS_PARAMS(1, 15, 1, 2, LMS_SHA256_M24_H15, LMOTS_SHA256_N24_W1,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHA256_192_L1_H15_W8 , "LMS/HSS_SHA256/192_L1_H15_W8",
LMS_PARAMS(1, 15, 8, 4, LMS_SHA256_M24_H15, LMOTS_SHA256_N24_W8,
WC_SHA256_192_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 20
{ WC_LMS_PARM_SHA256_192_L1_H20_W1 , "LMS/HSS_SHA256/192_L1_H20_W1",
LMS_PARAMS(1, 20, 1, 2, LMS_SHA256_M24_H20, LMOTS_SHA256_N24_W1,
WC_SHA256_192_DIGEST_SIZE) },
#endif
#endif /* WOLFSSL_LMS_SHA256_192 */
#ifdef WOLFSSL_LMS_SHAKE256
#ifndef WOLFSSL_NO_LMS_SHAKE256_256
/* SHAKE256/256 L1 H5 */
{ WC_LMS_PARM_SHAKE_L1_H5_W1 , "LMS/HSS_SHAKE256/256_L1_H5_W1",
LMS_PARAMS(1, 5, 1, 1, LMS_SHAKE_M32_H5 , LMOTS_SHAKE_N32_W1,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H5_W2 , "LMS/HSS_SHAKE256/256_L1_H5_W2",
LMS_PARAMS(1, 5, 2, 1, LMS_SHAKE_M32_H5 , LMOTS_SHAKE_N32_W2,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H5_W4 , "LMS/HSS_SHAKE256/256_L1_H5_W4",
LMS_PARAMS(1, 5, 4, 2, LMS_SHAKE_M32_H5 , LMOTS_SHAKE_N32_W4,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H5_W8 , "LMS/HSS_SHAKE256/256_L1_H5_W8",
LMS_PARAMS(1, 5, 8, 3, LMS_SHAKE_M32_H5 , LMOTS_SHAKE_N32_W8,
WC_SHA256_DIGEST_SIZE) },
#if LMS_MAX_HEIGHT >= 10
/* SHAKE256/256 L1 H10 */
{ WC_LMS_PARM_SHAKE_L1_H10_W1 , "LMS/HSS_SHAKE256/256_L1_H10_W1",
LMS_PARAMS(1, 10, 1, 1, LMS_SHAKE_M32_H10, LMOTS_SHAKE_N32_W1,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H10_W2 , "LMS/HSS_SHAKE256/256_L1_H10_W2",
LMS_PARAMS(1, 10, 2, 1, LMS_SHAKE_M32_H10, LMOTS_SHAKE_N32_W2,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H10_W4 , "LMS/HSS_SHAKE256/256_L1_H10_W4",
LMS_PARAMS(1, 10, 4, 2, LMS_SHAKE_M32_H10, LMOTS_SHAKE_N32_W4,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H10_W8 , "LMS/HSS_SHAKE256/256_L1_H10_W8",
LMS_PARAMS(1, 10, 8, 3, LMS_SHAKE_M32_H10, LMOTS_SHAKE_N32_W8,
WC_SHA256_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 15
/* SHAKE256/256 L1 H15 */
{ WC_LMS_PARM_SHAKE_L1_H15_W1 , "LMS/HSS_SHAKE256/256_L1_H15_W1",
LMS_PARAMS(1, 15, 1, 1, LMS_SHAKE_M32_H15, LMOTS_SHAKE_N32_W1,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H15_W2 , "LMS/HSS_SHAKE256/256_L1_H15_W2",
LMS_PARAMS(1, 15, 2, 1, LMS_SHAKE_M32_H15, LMOTS_SHAKE_N32_W2,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H15_W4 , "LMS/HSS_SHAKE256/256_L1_H15_W4",
LMS_PARAMS(1, 15, 4, 2, LMS_SHAKE_M32_H15, LMOTS_SHAKE_N32_W4,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H15_W8 , "LMS/HSS_SHAKE256/256_L1_H15_W8",
LMS_PARAMS(1, 15, 8, 3, LMS_SHAKE_M32_H15, LMOTS_SHAKE_N32_W8,
WC_SHA256_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 20
/* SHAKE256/256 L1 H20 */
{ WC_LMS_PARM_SHAKE_L1_H20_W1 , "LMS/HSS_SHAKE256/256_L1_H20_W1",
LMS_PARAMS(1, 20, 1, 1, LMS_SHAKE_M32_H20, LMOTS_SHAKE_N32_W1,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H20_W2 , "LMS/HSS_SHAKE256/256_L1_H20_W2",
LMS_PARAMS(1, 20, 2, 1, LMS_SHAKE_M32_H20, LMOTS_SHAKE_N32_W2,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H20_W4 , "LMS/HSS_SHAKE256/256_L1_H20_W4",
LMS_PARAMS(1, 20, 4, 2, LMS_SHAKE_M32_H20, LMOTS_SHAKE_N32_W4,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H20_W8 , "LMS/HSS_SHAKE256/256_L1_H20_W8",
LMS_PARAMS(1, 20, 8, 3, LMS_SHAKE_M32_H20, LMOTS_SHAKE_N32_W8,
WC_SHA256_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 25
/* SHAKE256/256 L1 H25 */
{ WC_LMS_PARM_SHAKE_L1_H25_W1 , "LMS/HSS_SHAKE256/256_L1_H25_W1",
LMS_PARAMS(1, 25, 1, 1, LMS_SHAKE_M32_H25, LMOTS_SHAKE_N32_W1,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H25_W2 , "LMS/HSS_SHAKE256/256_L1_H25_W2",
LMS_PARAMS(1, 25, 2, 1, LMS_SHAKE_M32_H25, LMOTS_SHAKE_N32_W2,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H25_W4 , "LMS/HSS_SHAKE256/256_L1_H25_W4",
LMS_PARAMS(1, 25, 4, 2, LMS_SHAKE_M32_H25, LMOTS_SHAKE_N32_W4,
WC_SHA256_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE_L1_H25_W8 , "LMS/HSS_SHAKE256/256_L1_H25_W8",
LMS_PARAMS(1, 25, 8, 3, LMS_SHAKE_M32_H25, LMOTS_SHAKE_N32_W8,
WC_SHA256_DIGEST_SIZE) },
#endif
#endif /* !WOLFSSL_NO_LMS_SHAKE256_256 */
#ifdef WOLFSSL_LMS_SHAKE256
/* SHAKE256/192 L1 H5 */
{ WC_LMS_PARM_SHAKE192_L1_H5_W1 , "LMS/HSS_SHAKE256/192_L1_H5_W1",
LMS_PARAMS(1, 5, 1, 2, LMS_SHAKE_M24_H5 , LMOTS_SHAKE_N24_W1,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H5_W2 , "LMS/HSS_SHAKE256/192_L1_H5_W2",
LMS_PARAMS(1, 5, 2, 2, LMS_SHAKE_M24_H5 , LMOTS_SHAKE_N24_W2,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H5_W4 , "LMS/HSS_SHAKE256/192_L1_H5_W4",
LMS_PARAMS(1, 5, 4, 3, LMS_SHAKE_M24_H5 , LMOTS_SHAKE_N24_W4,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H5_W8 , "LMS/HSS_SHAKE256/192_L1_H5_W8",
LMS_PARAMS(1, 5, 8, 4, LMS_SHAKE_M24_H5 , LMOTS_SHAKE_N24_W8,
WC_SHA256_192_DIGEST_SIZE) },
#if LMS_MAX_HEIGHT >= 10
/* SHAKE256/192 L1 H10 */
{ WC_LMS_PARM_SHAKE192_L1_H10_W1 , "LMS/HSS_SHAKE256/192_L1_H10_W1",
LMS_PARAMS(1, 10, 1, 2, LMS_SHAKE_M24_H10, LMOTS_SHAKE_N24_W1,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H10_W2 , "LMS/HSS_SHAKE256/192_L1_H10_W2",
LMS_PARAMS(1, 10, 2, 2, LMS_SHAKE_M24_H10, LMOTS_SHAKE_N24_W2,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H10_W4 , "LMS/HSS_SHAKE256/192_L1_H10_W4",
LMS_PARAMS(1, 10, 4, 3, LMS_SHAKE_M24_H10, LMOTS_SHAKE_N24_W4,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H10_W8 , "LMS/HSS_SHAKE256/192_L1_H10_W8",
LMS_PARAMS(1, 10, 8, 4, LMS_SHAKE_M24_H10, LMOTS_SHAKE_N24_W8,
WC_SHA256_192_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 15
/* SHAKE256/192 L1 H15 */
{ WC_LMS_PARM_SHAKE192_L1_H15_W1 , "LMS/HSS_SHAKE256/192_L1_H15_W1",
LMS_PARAMS(1, 15, 1, 2, LMS_SHAKE_M24_H15, LMOTS_SHAKE_N24_W1,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H15_W2 , "LMS/HSS_SHAKE256/192_L1_H15_W2",
LMS_PARAMS(1, 15, 2, 2, LMS_SHAKE_M24_H15, LMOTS_SHAKE_N24_W2,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H15_W4 , "LMS/HSS_SHAKE256/192_L1_H15_W4",
LMS_PARAMS(1, 15, 4, 3, LMS_SHAKE_M24_H15, LMOTS_SHAKE_N24_W4,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H15_W8 , "LMS/HSS_SHAKE256/192_L1_H15_W8",
LMS_PARAMS(1, 15, 8, 4, LMS_SHAKE_M24_H15, LMOTS_SHAKE_N24_W8,
WC_SHA256_192_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 20
/* SHAKE256/192 L1 H20 */
{ WC_LMS_PARM_SHAKE192_L1_H20_W1 , "LMS/HSS_SHAKE256/192_L1_H20_W1",
LMS_PARAMS(1, 20, 1, 2, LMS_SHAKE_M24_H20, LMOTS_SHAKE_N24_W1,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H20_W2 , "LMS/HSS_SHAKE256/192_L1_H20_W2",
LMS_PARAMS(1, 20, 2, 2, LMS_SHAKE_M24_H20, LMOTS_SHAKE_N24_W2,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H20_W4 , "LMS/HSS_SHAKE256/192_L1_H20_W4",
LMS_PARAMS(1, 20, 4, 3, LMS_SHAKE_M24_H20, LMOTS_SHAKE_N24_W4,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H20_W8 , "LMS/HSS_SHAKE256/192_L1_H20_W8",
LMS_PARAMS(1, 20, 8, 4, LMS_SHAKE_M24_H20, LMOTS_SHAKE_N24_W8,
WC_SHA256_192_DIGEST_SIZE) },
#endif
#if LMS_MAX_HEIGHT >= 25
/* SHAKE256/192 L1 H25 */
{ WC_LMS_PARM_SHAKE192_L1_H25_W1 , "LMS/HSS_SHAKE256/192_L1_H25_W1",
LMS_PARAMS(1, 25, 1, 2, LMS_SHAKE_M24_H25, LMOTS_SHAKE_N24_W1,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H25_W2 , "LMS/HSS_SHAKE256/192_L1_H25_W2",
LMS_PARAMS(1, 25, 2, 2, LMS_SHAKE_M24_H25, LMOTS_SHAKE_N24_W2,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H25_W4 , "LMS/HSS_SHAKE256/192_L1_H25_W4",
LMS_PARAMS(1, 25, 4, 3, LMS_SHAKE_M24_H25, LMOTS_SHAKE_N24_W4,
WC_SHA256_192_DIGEST_SIZE) },
{ WC_LMS_PARM_SHAKE192_L1_H25_W8 , "LMS/HSS_SHAKE256/192_L1_H25_W8",
LMS_PARAMS(1, 25, 8, 4, LMS_SHAKE_M24_H25, LMOTS_SHAKE_N24_W8,
WC_SHA256_192_DIGEST_SIZE) },
#endif
#endif /* WOLFSSL_LMS_SHAKE256 (M24 entries) */
#endif /* WOLFSSL_LMS_SHAKE256 */
};
/* Number of parameter sets supported. */
#define WC_LMS_MAP_LEN ((int)(sizeof(wc_lms_map) / sizeof(*wc_lms_map)))
@@ -1292,7 +1532,7 @@ int wc_LmsKey_Verify(LmsKey* key, const byte* sig, word32 sigSz,
ret = wc_lmskey_state_init(state, key->params);
if (ret == 0) {
/* Verify signature of message with public key. */
ret = wc_hss_verify(state, key->pub, msg, msgSz, sig);
ret = wc_hss_verify(state, key->pub, msg, msgSz, sig, sigSz);
wc_lmskey_state_free(state);
}
ForceZero(state, sizeof(LmsState));
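Review bot: The `#ifdef WOLFSSL_LMS_SHAKE256` that opens the SHAKE256/192 table entries is nested inside the identical `#ifdef WOLFSSL_LMS_SHAKE256` that opens the whole SHAKE block, so it is a no-op, and its closing comment `/* WOLFSSL_LMS_SHAKE256 (M24 entries) */` reads as if a distinct switch was intended. The /256 entries can be compiled out with `WOLFSSL_NO_LMS_SHAKE256_256`, but there is no corresponding way to drop the /192 entries, unlike the SHA-256 side where `WOLFSSL_LMS_SHA256_192` is its own option; either replace the inner guard with a dedicated macro (a constructed name such as `WOLFSSL_NO_LMS_SHAKE256_192`, mirroring the existing one) or delete the inner `#ifdef`/`#endif` pair. Separately, `wc_lmskey_state_free` now dereferences `state->params->lmOtsType`, so it is only safe after `wc_lmskey_state_init` has stored `params`; the Verify hunk respects that ordering, but a one-line comment on the function, e.g. `/* Requires state->params set by wc_lmskey_state_init(). */`, would make the precondition explicit.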
+52
@@ -78,6 +78,11 @@
#undef WOLFSSL_RISCV_ASM
#endif
#if FIPS_VERSION3_GE(2,0,0)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#endif
#include <wolfssl/wolfcrypt/mlkem.h>
#include <wolfssl/wolfcrypt/wc_mlkem.h>
#include <wolfssl/wolfcrypt/hash.h>
@@ -636,6 +641,50 @@ int wc_MlKemKey_MakeKey(MlKemKey* key, WC_RNG* rng)
ret = wc_KyberKey_MakeKeyWithRandom(key, rand, sizeof(rand));
}
#ifdef HAVE_FIPS
/* Pairwise Consistency Test (PCT) per FIPS 140-3 / ISO 19790:2012
* Section 7.10.3.3: encapsulate with ek, decapsulate with dk,
* verify shared secrets match. */
if (ret == 0) {
WC_DECLARE_VAR(pct_ct, byte, WC_ML_KEM_MAX_CIPHER_TEXT_SIZE,
key->heap);
byte pct_ss1[WC_ML_KEM_SS_SZ];
byte pct_ss2[WC_ML_KEM_SS_SZ];
word32 ctSz = 0;
WC_ALLOC_VAR_EX(pct_ct, byte, WC_ML_KEM_MAX_CIPHER_TEXT_SIZE,
key->heap, DYNAMIC_TYPE_TMP_BUFFER, ret = MEMORY_E);
if (ret == 0)
ret = wc_MlKemKey_CipherTextSize(key, &ctSz);
if (ret == 0)
ret = wc_MlKemKey_Encapsulate(key, pct_ct, pct_ss1, rng);
if (ret == 0)
ret = wc_MlKemKey_Decapsulate(key, pct_ss2, pct_ct, ctSz);
if (ret == 0) {
if (XMEMCMP(pct_ss1, pct_ss2, WC_ML_KEM_SS_SZ) != 0)
ret = ML_KEM_PCT_E;
}
ForceZero(pct_ss1, sizeof(pct_ss1));
ForceZero(pct_ss2, sizeof(pct_ss2));
if (WC_VAR_OK(pct_ct))
ForceZero(pct_ct, WC_ML_KEM_MAX_CIPHER_TEXT_SIZE);
WC_FREE_VAR_EX(pct_ct, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
/* FIPS 140-3 IG 10.3.A (TE10.35.02): a key pair that fails the PCT
* must be rendered unusable. Zeroize the generated key material so
* a caller that ignores the return value cannot use it. */
if (ret != 0) {
wc_MlKemKey_Free(key);
}
}
#endif /* HAVE_FIPS */
/* Ensure seeds are zeroized. */
ForceZero((void*)rand, (word32)sizeof(rand));
@@ -868,6 +917,9 @@ int wc_MlKemKey_MakeKeyWithRandom(MlKemKey* key, const unsigned char* rand,
}
#endif
/* Note: PCT is performed in wc_MlKemKey_MakeKey() which calls this
* function and has the RNG parameter needed for encapsulation. */
return ret;
}
#endif /* !WOLFSSL_MLKEM_NO_MAKE_KEY */
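Review bot: The pairwise consistency test runs only inside `wc_MlKemKey_MakeKey`, yet `wc_MlKemKey_MakeKeyWithRandom` is itself a public entry point, so a FIPS caller that supplies its own seed material gets a key pair that was never pairwise-tested; the comment added at the end of that function records the gap but does not close it. If that path is intended to remain callable inside the FIPS boundary, the comment should say that the caller must perform the PCT, otherwise the function should be restricted there. Two smaller points in the PCT block: `XMEMCMP` on the two shared secrets is a timing-dependent comparison of secret data, and `ConstantCompare(pct_ss1, pct_ss2, WC_ML_KEM_SS_SZ) != 0` is the library's usual form; and a `MEMORY_E` from `WC_ALLOC_VAR_EX` also reaches `wc_MlKemKey_Free(key)`, which is defensible but is not a PCT failure, so the comment above the free should mention that allocation failure zeroizes the key as well.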
+19
@@ -106,6 +106,9 @@ Threading/Mutex options:
#ifdef WOLFSSL_ASYNC_CRYPT
#include <wolfssl/wolfcrypt/async.h>
#endif
#if defined(HAVE_HASHDRBG) && !defined(WC_NO_RNG)
#include <wolfssl/wolfcrypt/random.h>
#endif
#ifdef FREESCALE_LTC_TFM
#include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
@@ -334,6 +337,16 @@ int wolfCrypt_Init(void)
}
#endif
#if defined(HAVE_HASHDRBG) && !defined(WC_NO_RNG) && \
!defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
ret = wc_DrbgState_MutexInit();
if (ret != 0) {
WOLFSSL_MSG("DRBG state mutex init failed");
return ret;
}
#endif
#if defined(FREESCALE_LTC_TFM) || defined(FREESCALE_LTC_ECC)
ret = ksdk_port_init();
if (ret != 0) {
@@ -641,6 +654,12 @@ int wolfCrypt_Cleanup(void)
wc_CryptoCb_Cleanup();
#endif
#if defined(HAVE_HASHDRBG) && !defined(WC_NO_RNG) && \
!defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
wc_DrbgState_MutexFree();
#endif
#if defined(WOLFSSL_MEM_FAIL_COUNT) && defined(WOLFCRYPT_ONLY)
wc_MemFailCount_Free();
#endif
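Review bot: The guard around `wc_DrbgState_MutexInit()` in `wolfCrypt_Init` is repeated verbatim around `wc_DrbgState_MutexFree()` in `wolfCrypt_Cleanup`, while the `random.h` include near the top is guarded only by `HAVE_HASHDRBG && !WC_NO_RNG`, so the three conditions can drift apart over time. Folding the full expression into one macro defined beside the include (a constructed name such as `WC_DRBG_STATE_MUTEX`) and using it at all three sites would keep the init, free and declaration in step. The early `return ret` on mutex-init failure leaves whatever was set up earlier in `wolfCrypt_Init` in place, which matches the existing `ksdk_port_init` handling below it; both enclosing functions start and end outside these hunks.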
+1491 -375
+5
@@ -22,6 +22,11 @@
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#ifdef WOLFSSL_HAVE_XMSS
#if FIPS_VERSION3_GE(2,0,0)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#endif
#include <wolfssl/wolfcrypt/wc_xmss.h>
#ifdef NO_INLINE
+53 -16
@@ -354,19 +354,37 @@ static word64 entropy_state[ENTROPY_NUM_WORDS + EXTRA_ENTROPY_WORDS] = {0};
/* Using memory will take different amount of times depending on the CPU's
* caches and business.
*
* Returns int (not void) because the SHA-3 conditioning calls go through
* FIPS wrappers. When the FIPS module is in FAILED state (e.g. integrity
* hash mismatch during first build before fips-hash.sh), every SHA-3 call
* returns FIPS_NOT_ALLOWED_E. Without checking these returns, this function
* would silently loop through all ENTROPY_NUM_UPDATES iterations on every
* noise sample, each iteration firing the FIPS error callback -- producing
* tens of thousands of spurious error reports during Entropy_Init().
*
* Non-FIPS builds never hit this path because SHA-3 calls always succeed
* without a CAST gate. We use int returns unconditionally (rather than
* void in non-FIPS, int in FIPS) to maintain a common ABI in case these
* functions become public API as wolfentropy matures.
*/
static void Entropy_MemUse(void)
static int Entropy_MemUse(void)
{
int i;
static byte d[WC_SHA3_256_DIGEST_SIZE];
int j;
int ret;
for (j = 0; j < ENTROPY_NUM_UPDATES; j++) {
/* Hash the first 32 64-bit words of state. */
wc_Sha3_256_Update(&entropyHash, (byte*)entropy_state,
ret = wc_Sha3_256_Update(&entropyHash, (byte*)entropy_state,
sizeof(*entropy_state) * ENTROPY_NUM_64BIT_WORDS);
if (ret != 0)
return ret;
/* Get pseudo-random indices. */
wc_Sha3_256_Final(&entropyHash, d);
ret = wc_Sha3_256_Final(&entropyHash, d);
if (ret != 0)
return ret;
for (i = 0; i < ENTROPY_NUM_64BIT_WORDS; i++) {
/* Choose a 64-bit word from a pseudo-random block.*/
@@ -378,6 +396,8 @@ static void Entropy_MemUse(void)
entropy_state[i] += entropy_state[idx];
}
}
return 0;
}
@@ -390,34 +410,40 @@ static word64 entropy_last_time = 0;
*
* Called to test raw entropy.
*
* @return 64-bit value that is the noise.
* @param [out] sample 64-bit noise value (time delta).
* @return 0 on success.
* @return Negative on failure (e.g. FIPS module not operational).
*/
static word64 Entropy_GetSample(void)
static int Entropy_GetSample(word64* sample)
{
word64 now;
word64 ret;
int ret = 0;
#ifdef HAVE_FIPS
/* First sample must be disregard when in FIPS. */
if (entropy_last_time == 0) {
/* Get sample which triggers CAST in FIPS mode. */
Entropy_MemUse();
ret = Entropy_MemUse();
if (ret != 0)
return ret;
/* Start entropy time after CASTs. */
entropy_last_time = Entropy_TimeHiRes();
}
#endif
/* Use memory such that it will take an unpredictable amount of time. */
Entropy_MemUse();
ret = Entropy_MemUse();
if (ret != 0)
return ret;
/* Get the time now to subtract from previous end time. */
now = Entropy_TimeHiRes();
/* Calculate time diff since last sampling. */
ret = now - entropy_last_time;
*sample = now - entropy_last_time;
/* Store last time. */
entropy_last_time = now;
return ret;
return 0;
}
/* Get as many samples of noise as required.
@@ -426,18 +452,29 @@ static word64 Entropy_GetSample(void)
*
* @param [out] noise Buffer to hold samples.
* @param [in] samples Number of one byte samples to get.
* @return 0 on success.
* @return Negative on hash failure (e.g. FIPS module not operational).
*/
static void Entropy_GetNoise(unsigned char* noise, int samples)
static int Entropy_GetNoise(unsigned char* noise, int samples)
{
int i;
int ret;
word64 sample;
/* Do it once to get things going. */
Entropy_MemUse();
ret = Entropy_MemUse();
if (ret != 0)
return ret;
/* Get as many samples as required. */
for (i = 0; i < samples; i++) {
noise[i] = (byte)Entropy_GetSample();
ret = Entropy_GetSample(&sample);
if (ret != 0)
return ret;
noise[i] = (byte)sample;
}
return 0;
}
/* Generate raw entropy for performing assessment.
@@ -458,7 +495,7 @@ int wc_Entropy_GetRawEntropy(unsigned char* raw, int cnt)
if (ret == 0)
#endif
{
Entropy_GetNoise(raw, cnt);
ret = Entropy_GetNoise(raw, cnt);
}
#ifdef ENTROPY_MEMUSE_THREADED
/* Stop the counter thread to avoid thrashing the system. */
@@ -670,7 +707,7 @@ static int Entropy_HealthTest_Startup(void)
Entropy_HealthTest_Reset();
/* Fill initial sample buffer with noise. */
Entropy_GetNoise(initial, ENTROPY_INITIAL_COUNT);
ret = Entropy_GetNoise(initial, ENTROPY_INITIAL_COUNT);
/* Health check initial noise. */
for (i = 0; (ret == 0) && (i < ENTROPY_INITIAL_COUNT); i++) {
ret = Entropy_HealthTest_Repetition(initial[i]);
@@ -799,7 +836,7 @@ int wc_Entropy_Get(int bits, unsigned char* entropy, word32 len)
}
/* Get raw entropy noise. */
Entropy_GetNoise(noise, noise_len);
ret = Entropy_GetNoise(noise, noise_len);
/* Health check each noise value. */
for (i = 0; (ret == 0) && (i < noise_len); i++) {
ret = Entropy_HealthTest_Repetition(noise[i]);
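Review bot: When `Entropy_GetSample` fails part-way through the loop in `Entropy_GetNoise`, the function returns with `noise[0..i-1]` filled and the remaining bytes untouched, and the `@param [out] noise` doc does not say so. The three callers visible here gate their use of the buffer on `ret == 0`, but `wc_Entropy_GetRawEntropy` hands raw samples back to its caller and its return path is outside the hunk, so a partially filled buffer could be mistaken for valid noise. Either document it as `@param [out] noise  Buffer to hold samples; contents are unspecified on failure.` or clear the buffer on the error path, e.g. `if (ret != 0) { ForceZero(noise, (word32)samples); return ret; }`. The early returns in `Entropy_MemUse` likewise abandon the SHA-3 context mid-update; presumably that is moot once the FIPS module is in the failed state, but the long comment above the function would be the place to say so.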
+997 -16
+7
@@ -189,6 +189,12 @@ enum {
#include <wolfssl/wolfcrypt/async.h>
#endif
/* Undefine the settings.h compat macro so it doesn't collide with the enum
* member below (settings.h may pre-define WC_AES_BLOCK_SIZE for old FIPS). */
#ifdef WC_AES_BLOCK_SIZE
#undef WC_AES_BLOCK_SIZE
#endif
enum {
AES_ENC_TYPE = WC_CIPHER_AES, /* cipher unique type */
AES_ENCRYPTION = 0,
@@ -777,6 +783,7 @@ WOLFSSL_API int wc_AesInit_Label(Aes* aes, const char* label, void* heap,
#endif
WOLFSSL_API void wc_AesFree(Aes* aes);
#ifndef WC_NO_CONSTRUCTORS
#define WC_AES_NEW_API_AVAILABLE
WOLFSSL_API Aes* wc_AesNew(void* heap, int devId, int *result_code);
#ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API Aes* wc_AesNew_Id(unsigned char* id, int len, void* heap,
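Review bot: The `#undef WC_AES_BLOCK_SIZE` discards whatever value the settings.h compat macro carried without checking that it agrees with the enum member defined below, so a divergence between the old-FIPS macro and the enum would compile silently and change block-size arithmetic in any unit that only saw the macro. Capture the macro's value before the `#undef` (a constructed name such as `WC_AES_BLOCK_SIZE_COMPAT`) and compare it with the enum member using the library's static-assert facility, or at least extend the comment to state that the two are required to be equal. The enum that declares the member begins inside the hunk but its body continues past it.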
+6
@@ -856,6 +856,9 @@ WOLFSSL_API
int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen,
int hashAlg, const byte* hash, word32 hashLen, byte* sig, word32 *sigLen,
dilithium_key* key, const byte* seed);
WOLFSSL_API
int wc_dilithium_sign_mu_with_seed(const byte* mu, word32 muLen,
byte* sig, word32 *sigLen, dilithium_key* key, const byte* seed);
#endif /* !WOLFSSL_DILITHIUM_VERIFY_ONLY */
/* Legacy verify API without context parameter (pre-FIPS 204).
* Only available when WOLFSSL_DILITHIUM_NO_CTX is defined.
@@ -874,6 +877,9 @@ WOLFSSL_API
int wc_dilithium_verify_ctx_hash(const byte* sig, word32 sigLen,
const byte* ctx, byte ctxLen, int hashAlg, const byte* hash,
word32 hashLen, int* res, dilithium_key* key);
WOLFSSL_API
int wc_dilithium_verify_mu(const byte* sig, word32 sigLen, const byte* mu,
word32 muLen, int* res, dilithium_key* key);
#ifndef WC_NO_CONSTRUCTORS
WOLFSSL_API
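Review bot: `wc_dilithium_sign_mu_with_seed` and `wc_dilithium_verify_mu` are declared with no comment, while the neighbouring legacy verify declaration carries one explaining its scope. These are the external-mu entry points of FIPS 204, where the caller has already computed the message representative from `tr` and the domain-separated message, so the header should say that the caller takes over the context-string handling that `wc_dilithium_sign_ctx_hash_with_seed` and `wc_dilithium_verify_ctx_hash` perform internally, and state the required `muLen`. A two-line comment above each declaration, in the style of the existing `/* Legacy verify API ... */` block, would suffice.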
+11 -5
@@ -89,7 +89,7 @@ enum wolfCrypt_ErrorCodes {
AES_EAX_AUTH_E = -122, /* AES-EAX Authentication check failure */
KEY_EXHAUSTED_E = -123, /* No longer usable for operation. */
/* -124 unused. */
ML_KEM_KAT_FIPS_E = -124, /* ML-KEM KAT failure */
MEMORY_E = -125, /* out of memory error */
VAR_STATE_CHANGE_E = -126, /* var state modified by different thread */
@@ -137,7 +137,9 @@ enum wolfCrypt_ErrorCodes {
ED448_KAT_FIPS_E = -164, /* Ed448 Known answer test failure */
PBKDF2_KAT_FIPS_E = -165, /* PBKDF2 Known answer test failure */
WC_KEY_MISMATCH_E = -166, /* Error for private/public key mismatch */
/* -167..-169 unused. */
ML_DSA_KAT_FIPS_E = -167, /* ML-DSA KAT failure */
LMS_KAT_FIPS_E = -168, /* LMS KAT failure */
XMSS_KAT_FIPS_E = -169, /* XMSS KAT failure */
ECC_BAD_ARG_E = -170, /* ECC input argument of wrong type */
ASN_ECC_KEY_E = -171, /* ASN ECC bad input */
@@ -312,7 +314,6 @@ enum wolfCrypt_ErrorCodes {
* not match stored hash*/
BUSY_E = -1006, /* Object is busy */
ALREADY_E = -1007, /* Operation was redundant or preempted */
SEQ_OVERFLOW_E = -1008, /* Sequence counter would overflow */
PUF_INIT_E = -1009, /* PUF initialization failed (reserved) */
@@ -322,8 +323,13 @@ enum wolfCrypt_ErrorCodes {
PUF_DERIVE_KEY_E = -1013, /* PUF key derivation failed */
PUF_IDENTITY_E = -1014, /* PUF identity retrieval failed */
WC_SPAN2_LAST_E = -1014, /* Update to indicate last used error code */
WC_LAST_E = -1014, /* the last code used either here or in
ML_KEM_PCT_E = -1015, /* ML-KEM Pairwise Consistency Test failure */
ML_DSA_PCT_E = -1016, /* ML-DSA Pairwise Consistency Test failure */
DRBG_SHA512_KAT_FIPS_E = -1017, /* SHA-512 DRBG KAT failure */
SLH_DSA_KAT_FIPS_E = -1018, /* SLH-DSA CAST KAT failure */
WC_SPAN2_LAST_E = -1018, /* Update to indicate last used error code */
WC_LAST_E = -1018, /* the last code used either here or in
* error-ssl.h */
WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */
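Review bot: The eight new codes (`ML_KEM_KAT_FIPS_E` at -124, the three KAT codes at -167..-169, and -1015..-1018) presumably need matching entries in the error-string table that `wc_GetErrorString` reads, which is not part of this section and is worth checking; the enum itself and the `WC_SPAN2_LAST_E`/`WC_LAST_E` bumps to -1018 are internally consistent. A style point: the older KAT codes live in the -1xx range while the new PCT and DRBG codes go into the span-2 range, so a short comment next to `ML_KEM_PCT_E` saying why PCT failures are allocated there would help the next person adding one.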
+7 -1
@@ -74,7 +74,13 @@ enum FipsCastId {
FIPS_CAST_PBKDF2 = 18,
/* v7.0.0 + */
FIPS_CAST_AES_ECB = 19,
FIPS_CAST_COUNT = 20
FIPS_CAST_ML_KEM = 20,
FIPS_CAST_ML_DSA = 21,
FIPS_CAST_LMS = 22,
FIPS_CAST_XMSS = 23,
FIPS_CAST_DRBG_SHA512 = 24,
FIPS_CAST_SLH_DSA = 25,
FIPS_CAST_COUNT = 26
};
enum FipsCastStateId {
+64
@@ -118,6 +118,15 @@ enum wc_LmsParm {
WC_LMS_PARM_L4_H5_W8 = 33,
WC_LMS_PARM_L4_H10_W4 = 34,
WC_LMS_PARM_L4_H10_W8 = 35,
/* H25 parameter sets for SHA-256/256 */
WC_LMS_PARM_L1_H25_W1 = 56,
WC_LMS_PARM_L1_H25_W2 = 57,
WC_LMS_PARM_L1_H25_W4 = 58,
WC_LMS_PARM_L1_H25_W8 = 59,
/* W1 for non-H5 heights */
WC_LMS_PARM_L1_H10_W1 = 60,
WC_LMS_PARM_L1_H15_W1 = 61,
WC_LMS_PARM_L1_H20_W1 = 62,
#endif
#ifdef WOLFSSL_LMS_SHA256_192
@@ -141,6 +150,61 @@ enum wc_LmsParm {
WC_LMS_PARM_SHA256_192_L3_H5_W8 = 50,
WC_LMS_PARM_SHA256_192_L3_H10_W4 = 51,
WC_LMS_PARM_SHA256_192_L4_H5_W8 = 52,
/* H25 for SHA-256/192 */
WC_LMS_PARM_SHA256_192_L1_H25_W1 = 63,
WC_LMS_PARM_SHA256_192_L1_H25_W2 = 64,
WC_LMS_PARM_SHA256_192_L1_H25_W4 = 65,
WC_LMS_PARM_SHA256_192_L1_H25_W8 = 66,
/* W1 for non-H5 heights (SHA-256/192) */
WC_LMS_PARM_SHA256_192_L1_H10_W1 = 67,
WC_LMS_PARM_SHA256_192_L1_H15_W1 = 68,
WC_LMS_PARM_SHA256_192_L1_H20_W1 = 69,
WC_LMS_PARM_SHA256_192_L1_H15_W8 = 70,
#endif
#ifdef WOLFSSL_LMS_SHAKE256
/* SHAKE256/256, 32-byte output */
WC_LMS_PARM_SHAKE_L1_H5_W1 = 100,
WC_LMS_PARM_SHAKE_L1_H5_W2 = 101,
WC_LMS_PARM_SHAKE_L1_H5_W4 = 102,
WC_LMS_PARM_SHAKE_L1_H5_W8 = 103,
WC_LMS_PARM_SHAKE_L1_H10_W1 = 104,
WC_LMS_PARM_SHAKE_L1_H10_W2 = 105,
WC_LMS_PARM_SHAKE_L1_H10_W4 = 106,
WC_LMS_PARM_SHAKE_L1_H10_W8 = 107,
WC_LMS_PARM_SHAKE_L1_H15_W1 = 108,
WC_LMS_PARM_SHAKE_L1_H15_W2 = 109,
WC_LMS_PARM_SHAKE_L1_H15_W4 = 110,
WC_LMS_PARM_SHAKE_L1_H15_W8 = 111,
WC_LMS_PARM_SHAKE_L1_H20_W1 = 112,
WC_LMS_PARM_SHAKE_L1_H20_W2 = 113,
WC_LMS_PARM_SHAKE_L1_H20_W4 = 114,
WC_LMS_PARM_SHAKE_L1_H20_W8 = 115,
WC_LMS_PARM_SHAKE_L1_H25_W1 = 116,
WC_LMS_PARM_SHAKE_L1_H25_W2 = 117,
WC_LMS_PARM_SHAKE_L1_H25_W4 = 118,
WC_LMS_PARM_SHAKE_L1_H25_W8 = 119,
/* SHAKE256/192, 24-byte output */
WC_LMS_PARM_SHAKE192_L1_H5_W1 = 120,
WC_LMS_PARM_SHAKE192_L1_H5_W2 = 121,
WC_LMS_PARM_SHAKE192_L1_H5_W4 = 122,
WC_LMS_PARM_SHAKE192_L1_H5_W8 = 123,
WC_LMS_PARM_SHAKE192_L1_H10_W1 = 124,
WC_LMS_PARM_SHAKE192_L1_H10_W2 = 125,
WC_LMS_PARM_SHAKE192_L1_H10_W4 = 126,
WC_LMS_PARM_SHAKE192_L1_H10_W8 = 127,
WC_LMS_PARM_SHAKE192_L1_H15_W1 = 128,
WC_LMS_PARM_SHAKE192_L1_H15_W2 = 129,
WC_LMS_PARM_SHAKE192_L1_H15_W4 = 130,
WC_LMS_PARM_SHAKE192_L1_H15_W8 = 131,
WC_LMS_PARM_SHAKE192_L1_H20_W1 = 132,
WC_LMS_PARM_SHAKE192_L1_H20_W2 = 133,
WC_LMS_PARM_SHAKE192_L1_H20_W4 = 134,
WC_LMS_PARM_SHAKE192_L1_H20_W8 = 135,
WC_LMS_PARM_SHAKE192_L1_H25_W1 = 136,
WC_LMS_PARM_SHAKE192_L1_H25_W2 = 137,
WC_LMS_PARM_SHAKE192_L1_H25_W4 = 138,
WC_LMS_PARM_SHAKE192_L1_H25_W8 = 139,
#endif
};
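Review bot: `WC_LMS_PARM_SHA256_192_L1_H15_W8 = 70` sits under the comment `/* W1 for non-H5 heights (SHA-256/192) */`, which it does not match; give it its own line, e.g. `/* Additional W8 height for SHA-256/192 */`, or widen the comment. The SHAKE256/256 values 100-119 are enabled by `WOLFSSL_LMS_SHAKE256` alone, while the corresponding table entries in wc_lms.c are additionally excluded by `WOLFSSL_NO_LMS_SHAKE256_256`, so in that configuration the enum names exist with no parameter set behind them; mirroring the guard here, or a comment stating that lookups of those IDs fail by design, would avoid surprise.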
+194 -8
@@ -52,11 +52,15 @@
#endif
#endif
/* Size of the BRBG seed */
/* Size of the DRBG seed (SHA-256) */
#ifndef DRBG_SEED_LEN
#define DRBG_SEED_LEN (440/8)
#endif
#ifdef WOLFSSL_DRBG_SHA512
#define DRBG_SHA512_SEED_LEN (888/8) /* 111 bytes per SP 800-90A Table 2 */
#endif
#if !defined(CUSTOM_RAND_TYPE)
/* To maintain compatibility the default is byte */
@@ -104,9 +108,16 @@
#endif
#elif defined(HAVE_HASHDRBG)
#ifdef NO_SHA256
#error "Hash DRBG requires SHA-256."
#ifndef WOLFSSL_DRBG_SHA512
#error "Hash DRBG requires SHA-256 or SHA-512."
#endif
#endif /* NO_SHA256 */
#include <wolfssl/wolfcrypt/sha256.h>
#ifndef NO_SHA256
#include <wolfssl/wolfcrypt/sha256.h>
#endif
#ifdef WOLFSSL_DRBG_SHA512
#include <wolfssl/wolfcrypt/sha512.h>
#endif
#elif defined(HAVE_WNR)
/* allow whitewood as direct RNG source using wc_GenerateSeed directly */
#elif defined(HAVE_INTEL_RDRAND)
@@ -141,8 +152,11 @@
#endif
#endif
#ifndef WC_RNG_TYPE_DEFINED /* guard on redeclaration */
#ifndef WC_OS_SEED_TYPE_DEFINED
typedef struct OS_Seed OS_Seed;
#define WC_OS_SEED_TYPE_DEFINED
#endif
#ifndef WC_RNG_TYPE_DEFINED /* guard on redeclaration */
typedef struct WC_RNG WC_RNG;
#ifdef WC_RNG_SEED_CB
typedef int (*wc_RngSeed_Cb)(OS_Seed* os, byte* seed, word32 sz);
@@ -239,7 +253,33 @@ struct OS_Seed {
#define WC_DRBG_SEED_BLOCK_SZ SEED_BLOCK_SZ
#define WC_DRBG_SEED_SZ (RNG_SECURITY_STRENGTH*ENTROPY_SCALE_FACTOR/8)
/* WC_DRBG_SEED_SZ is the number of bytes of raw entropy gathered from the
* NDRNG at instantiation and reseed. We deliberately "overseed" beyond the
* NIST minimum (security_strength bits) to account for entropy sources that
* may deliver fewer than 1 bit of real entropy per bit of output. With the
* default FIPS ENTROPY_SCALE_FACTOR of 4 this yields 256*4/8 = 128 bytes =
* 1024 bits of raw seed material, guaranteeing at least 256 bits of real
* entropy even if the source provides only 1 good bit per 4.
*
* Hash_df then compresses this seed material into the internal V and C state
* vectors (seedlen = 440 bits for SHA-256, 888 bits for SHA-512 per
* SP 800-90A Table 2).
*
* In FIPS mode (ENTROPY_SCALE_FACTOR >= 4) the base is already >= 128 bytes
* which exceeds DRBG_SHA512_SEED_LEN (111), so both DRBGs use the same
* seed size. In non-FIPS mode we use the base for both DRBGs so that
* enabling SHA-512 DRBG does not inflate the per-init entropy cost.
* SP 800-90A requires only security_strength bits (256 = 32 bytes) of
* entropy regardless of hash size; hash_df compresses the seed material
* into the internal V/C state vectors. */
#define WC_DRBG_SEED_SZ_BASE (RNG_SECURITY_STRENGTH*ENTROPY_SCALE_FACTOR/8)
#if defined(HAVE_FIPS) && defined(WOLFSSL_DRBG_SHA512) && \
(WC_DRBG_SEED_SZ_BASE < DRBG_SHA512_SEED_LEN)
#define WC_DRBG_SEED_SZ DRBG_SHA512_SEED_LEN
#else
#define WC_DRBG_SEED_SZ WC_DRBG_SEED_SZ_BASE
#endif
/* The maximum seed size will be the seed size plus a seed block for the
* test, and an additional half of the seed size. This additional half
@@ -248,8 +288,14 @@ struct OS_Seed {
#define WC_DRBG_MAX_SEED_SZ (WC_DRBG_SEED_SZ + WC_DRBG_SEED_SZ/2 + \
SEED_BLOCK_SZ)
#define RNG_HEALTH_TEST_CHECK_SIZE (WC_SHA256_DIGEST_SIZE * 4)
#ifndef NO_SHA256
#define RNG_HEALTH_TEST_CHECK_SIZE (WC_SHA256_DIGEST_SIZE * 4)
#endif
#ifdef WOLFSSL_DRBG_SHA512
#define RNG_HEALTH_TEST_CHECK_SIZE_SHA512 (WC_SHA512_DIGEST_SIZE * 4)
#endif
#ifndef NO_SHA256
struct DRBG_internal {
#ifdef WORD64_AVAILABLE
word64 reseedCtr;
@@ -268,8 +314,34 @@ struct DRBG_internal {
byte digest_scratch[WC_SHA256_DIGEST_SIZE];
#endif
};
#endif /* !NO_SHA256 */
#ifdef WOLFSSL_DRBG_SHA512
struct DRBG_SHA512_internal {
word64 reseedCtr;
byte V[DRBG_SHA512_SEED_LEN];
byte C[DRBG_SHA512_SEED_LEN];
void* heap;
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
int devId;
#endif
#ifdef WOLFSSL_SMALL_STACK_CACHE
wc_Sha512 sha512;
byte seed_scratch[DRBG_SHA512_SEED_LEN];
byte digest_scratch[WC_SHA512_DIGEST_SIZE];
#endif
};
#endif /* WOLFSSL_DRBG_SHA512 */
#endif /* HAVE_HASHDRBG */
/* DRBG type enum */
#ifdef HAVE_HASHDRBG
enum wc_DrbgType {
WC_DRBG_SHA256 = 0,
WC_DRBG_SHA512 = 1,
};
#endif
/* RNG health states */
#define WC_DRBG_NOT_INIT 0
#define WC_DRBG_OK 1
@@ -301,17 +373,35 @@ struct WC_RNG {
#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES
struct {
#endif
/* Hash-based Deterministic Random Bit Generator */
#ifndef NO_SHA256
/* SHA-256 Hash-based Deterministic Random Bit Generator */
struct DRBG* drbg;
#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
struct DRBG_internal drbg_data;
#endif
#ifdef WOLFSSL_SMALL_STACK_CACHE
/* Scratch buffers -- all preallocated by _InitRng(). */
/* SHA-256 scratch buffers -- preallocated by _InitRng(). */
struct DRBG_internal *drbg_scratch;
byte *health_check_scratch;
#endif
#endif /* !NO_SHA256 */
#ifdef WOLFSSL_SMALL_STACK_CACHE
/* Seed buffer for PollAndReSeed -- shared by both DRBG types */
byte *newSeed_buf;
#endif
#ifdef WOLFSSL_DRBG_SHA512
/* SHA-512 Hash-based Deterministic Random Bit Generator */
struct DRBG_SHA512* drbg512;
#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
struct DRBG_SHA512_internal drbg512_data;
#endif
#ifdef WOLFSSL_SMALL_STACK_CACHE
/* SHA-512 scratch buffers -- preallocated by _InitRng(). */
struct DRBG_SHA512_internal *drbg512_scratch;
byte *health_check_scratch_512;
#endif
#endif /* WOLFSSL_DRBG_SHA512 */
byte drbgType; /* WC_DRBG_SHA256 or WC_DRBG_SHA512 */
#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES
};
#endif
@@ -397,6 +487,10 @@ WOLFSSL_API int wc_FreeRng(WC_RNG* rng);
WOLFSSL_API int wc_RNG_DRBG_Reseed(WC_RNG* rng, const byte* seed,
word32 seedSz);
WOLFSSL_API int wc_RNG_TestSeed(const byte* seed, word32 seedSz);
#ifndef NO_SHA256
/* SHA-256 Hash_DRBG health test entry points. SHA-512-only builds
* (NO_SHA256 + WOLFSSL_DRBG_SHA512) use wc_RNG_HealthTest_SHA512_ex
* declared below. */
WOLFSSL_API int wc_RNG_HealthTest(int reseed,
const byte* seedA, word32 seedASz,
const byte* seedB, word32 seedBSz,
@@ -407,6 +501,98 @@ WOLFSSL_API int wc_FreeRng(WC_RNG* rng);
const byte* seedB, word32 seedBSz,
byte* output, word32 outputSz,
void* heap, int devId);
#endif /* !NO_SHA256 */
#if !defined(NO_SHA256) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
/* Extended SHA-256 Hash_DRBG health test per SP 800-90A.
* Flexible output size, prediction resistance, personalization
* strings, and additional input support. */
WOLFSSL_API int wc_RNG_HealthTest_SHA256_ex(
int predResistance,
const byte* nonce, word32 nonceSz,
const byte* persoString,
word32 persoStringSz,
const byte* entropyA,
word32 entropyASz,
const byte* entropyB,
word32 entropyBSz,
const byte* entropyC,
word32 entropyCsz,
const byte* additionalA,
word32 additionalASz,
const byte* additionalB,
word32 additionalBSz,
const byte* additionalReseed,
word32 additionalReseedSz,
byte* output, word32 outputSz,
void* heap, int devId);
#endif /* !NO_SHA256 && !HAVE_SELFTEST && FIPS v7+ */
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
WOLFSSL_API int wc_RNG_HealthTest_SHA512(int reseed,
const byte* seedA, word32 seedASz,
const byte* seedB, word32 seedBSz,
byte* output, word32 outputSz);
WOLFSSL_API int wc_RNG_HealthTest_SHA512_ex(int reseed,
const byte* nonce, word32 nonceSz,
const byte* persoString,
word32 persoStringSz,
const byte* seedA, word32 seedASz,
const byte* seedB, word32 seedBSz,
const byte* additionalA,
word32 additionalASz,
const byte* additionalB,
word32 additionalBSz,
byte* output, word32 outputSz,
void* heap, int devId);
/* Extended SHA-512 Hash_DRBG health test per SP 800-90A.
* Flexible output size, prediction resistance support.
* predResistance=1: additionalA/B go to Reseed per SP 800-90A 9.3.1,
* Generate gets NULL additional input.
* predResistance=0: additionalReseed goes to Reseed, additionalA/B go
* to Generate calls 1 and 2 respectively. */
WOLFSSL_API int wc_RNG_HealthTest_SHA512_ex2(
int predResistance,
const byte* nonce, word32 nonceSz,
const byte* persoString,
word32 persoStringSz,
const byte* entropyA,
word32 entropyASz,
const byte* entropyB,
word32 entropyBSz,
const byte* entropyC,
word32 entropyCsz,
const byte* additionalA,
word32 additionalASz,
const byte* additionalB,
word32 additionalBSz,
const byte* additionalReseed,
word32 additionalReseedSz,
byte* output, word32 outputSz,
void* heap, int devId);
#endif /* WOLFSSL_DRBG_SHA512 && !HAVE_SELFTEST && FIPS v7+ */
/* Runtime DRBG disable/enable API */
#if !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
WOLFSSL_API int wc_Sha256Drbg_Disable(void);
WOLFSSL_API int wc_Sha256Drbg_Enable(void);
WOLFSSL_API int wc_Sha256Drbg_IsDisabled(void);
#ifdef WOLFSSL_DRBG_SHA512
WOLFSSL_API int wc_Sha512Drbg_Disable(void);
WOLFSSL_API int wc_Sha512Drbg_Enable(void);
WOLFSSL_API int wc_Sha512Drbg_IsDisabled(void);
#endif
#endif /* !HAVE_SELFTEST && (!HAVE_FIPS || FIPS v7+) */
/* DRBG state mutex init/free, called from wolfCrypt_Init/Cleanup.
* Only in v7+ or non-FIPS/non-selftest; older modules lack these. */
#if !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
WOLFSSL_LOCAL int wc_DrbgState_MutexInit(void);
WOLFSSL_LOCAL int wc_DrbgState_MutexFree(void);
#endif
#endif /* HAVE_HASHDRBG */
#ifdef __cplusplus
+9
@@ -299,6 +299,7 @@ WOLFSSL_API int wc_InitRsaKey(RsaKey* key, void* heap);
WOLFSSL_API int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId);
WOLFSSL_API int wc_FreeRsaKey(RsaKey* key);
#ifndef WC_NO_CONSTRUCTORS
#define WC_RSA_NEW_API_AVAILABLE
WOLFSSL_API RsaKey* wc_NewRsaKey(void* heap, int devId, int *result_code);
#ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API RsaKey* wc_NewRsaKey_Id(unsigned char* id, int len, void* heap,
@@ -432,6 +433,14 @@ WOLFSSL_API int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz,
#define WC_MGF1SHA512 3
#define WC_MGF1SHA512_224 5
#define WC_MGF1SHA512_256 6
#define WC_MGF1SHA3_224 7
#define WC_MGF1SHA3_256 8
#define WC_MGF1SHA3_384 9
#define WC_MGF1SHA3_512 10
#define WC_MGF1SHAKE128 11
#define WC_MGF1SHAKE256 12
#define WC_MGFSHAKE128 13
#define WC_MGFSHAKE256 14
/* Padding types */
#define WC_RSA_PKCSV15_PAD 0
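Review bot: The new `WC_MGFSHAKE128`/`WC_MGFSHAKE256` constants (13/14) sit next to `WC_MGF1SHAKE128`/`WC_MGF1SHAKE256` (11/12) with nothing in the header saying how they differ, and the names differ by a single character, so a caller choosing a PSS mask generator can easily pick the wrong one. If, as I read FIPS 186-5 Sec. 5.4, the former select SHAKE used directly as the MGF while the latter run SHAKE inside the MGF1 construction, that distinction should be stated above the block, e.g. `/* WC_MGF1SHAKEnnn: MGF1 with SHAKE as the underlying hash. WC_MGFSHAKEnnn: SHAKE itself used as the MGF (FIPS 186-5 5.4). */` — confirm against the dispatch in rsa.c before wording it. These values are part of the public API (note 4 is already skipped), so a comment pinning them as stable identifiers would also help. The define list starts before this hunk.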
+1 -1
@@ -513,7 +513,7 @@
/* old FIPS has only AES_BLOCK_SIZE. */
#if !defined(NO_AES) && (defined(HAVE_SELFTEST) || \
(defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)))
#define WC_AES_BLOCK_SIZE AES_BLOCK_SIZE
#define WC_AES_BLOCK_SIZE 16
#endif /* !NO_AES && (HAVE_SELFTEST || FIPS_VERSION3_LT(6,0,0)) */
#ifdef WOLFSSL_HARDEN_TLS
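Review bot: The comment "old FIPS has only AES_BLOCK_SIZE" now sits over a define that no longer references `AES_BLOCK_SIZE`, so a reader cannot tell why the literal replaced it or whether the two values could ever diverge. The literal is safe because the AES block is fixed at 128 bits, but the rationale, presumably that `AES_BLOCK_SIZE` lives in aes.h and is not available at this point in settings.h, should be written down: `/* old FIPS has only AES_BLOCK_SIZE (defined in aes.h, not visible here); the AES block is always 16 bytes, so use the literal. */`.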
+91 -10
@@ -94,6 +94,9 @@
#include <wolfssl/wolfcrypt/lms.h>
#include <wolfssl/wolfcrypt/sha256.h>
#ifdef WOLFSSL_LMS_SHAKE256
#include <wolfssl/wolfcrypt/sha3.h>
#endif
/* When raw hash access APIs are disabled or unavailable (WOLFSSL_NO_HASH_RAW),
* fall back to using the full hash API calls. */
@@ -122,10 +125,10 @@
#define LMS_MAX_HEIGHT WOLFSSL_LMS_MAX_HEIGHT
#else
/* Maximum height of a tree supported by implementation. */
#define LMS_MAX_HEIGHT 20
#define LMS_MAX_HEIGHT 25
#endif
#if (LMS_MAX_HEIGHT < 5) || (LMS_MAX_HEIGHT > 20)
#error "LMS parameters only support heights 5-20."
#if (LMS_MAX_HEIGHT < 5) || (LMS_MAX_HEIGHT > 25)
#error "LMS parameters only support heights 5-25."
#endif
/* Length of I in bytes. */
@@ -312,10 +315,16 @@
#define LMS_SHA256 0x0000
/* Indicates using SHA-256/192 for hashing. */
#define LMS_SHA256_192 0x1000
/* Indicates using SHAKE256/256 for hashing. */
#define LMS_SHAKE256 0x2000
/* Indicates using SHAKE256/192 for hashing. */
#define LMS_SHAKE256_192 0x3000
/* Mask to get hashing algorithm from type. */
#define LMS_HASH_MASK 0xf000
/* Mask to get height or Winternitz width from type. */
#define LMS_H_W_MASK 0x0fff
/* Bit test: non-zero if type uses SHAKE256. */
#define LMS_IS_SHAKE(type) (((type) & 0x2000) != 0)
/* LMS Parameters. */
/* SHA-256 hash, 32-bytes of hash used, tree height of 5. */
@@ -349,15 +358,55 @@
/* SHA-256 hash, 32-bytes of hash used, tree height of 25. */
#define LMS_SHA256_M24_H25 (0x0e | LMS_SHA256_192)
/* SHA-256 hash, 32-bytes of hash used, Winternitz width of 1 bit. */
/* SHA-256 hash, 24-bytes of hash used, Winternitz width of 1 bit. */
#define LMOTS_SHA256_N24_W1 (0x05 | LMS_SHA256_192)
/* SHA-256 hash, 32-bytes of hash used, Winternitz width of 2 bits. */
/* SHA-256 hash, 24-bytes of hash used, Winternitz width of 2 bits. */
#define LMOTS_SHA256_N24_W2 (0x06 | LMS_SHA256_192)
/* SHA-256 hash, 32-bytes of hash used, Winternitz width of 4 bits. */
/* SHA-256 hash, 24-bytes of hash used, Winternitz width of 4 bits. */
#define LMOTS_SHA256_N24_W4 (0x07 | LMS_SHA256_192)
/* SHA-256 hash, 32-bytes of hash used, Winternitz width of 8 bits. */
/* SHA-256 hash, 24-bytes of hash used, Winternitz width of 8 bits. */
#define LMOTS_SHA256_N24_W8 (0x08 | LMS_SHA256_192)
/* SHAKE256 hash, 32-bytes of hash used, tree height of 5. */
#define LMS_SHAKE_M32_H5 (0x0f | LMS_SHAKE256)
/* SHAKE256 hash, 32-bytes of hash used, tree height of 10. */
#define LMS_SHAKE_M32_H10 (0x10 | LMS_SHAKE256)
/* SHAKE256 hash, 32-bytes of hash used, tree height of 15. */
#define LMS_SHAKE_M32_H15 (0x11 | LMS_SHAKE256)
/* SHAKE256 hash, 32-bytes of hash used, tree height of 20. */
#define LMS_SHAKE_M32_H20 (0x12 | LMS_SHAKE256)
/* SHAKE256 hash, 32-bytes of hash used, tree height of 25. */
#define LMS_SHAKE_M32_H25 (0x13 | LMS_SHAKE256)
/* SHAKE256 hash, 32-bytes of hash used, Winternitz width of 1 bit. */
#define LMOTS_SHAKE_N32_W1 (0x09 | LMS_SHAKE256)
/* SHAKE256 hash, 32-bytes of hash used, Winternitz width of 2 bits. */
#define LMOTS_SHAKE_N32_W2 (0x0a | LMS_SHAKE256)
/* SHAKE256 hash, 32-bytes of hash used, Winternitz width of 4 bits. */
#define LMOTS_SHAKE_N32_W4 (0x0b | LMS_SHAKE256)
/* SHAKE256 hash, 32-bytes of hash used, Winternitz width of 8 bits. */
#define LMOTS_SHAKE_N32_W8 (0x0c | LMS_SHAKE256)
/* SHAKE256 hash, 24-bytes of hash used, tree height of 5. */
#define LMS_SHAKE_M24_H5 (0x14 | LMS_SHAKE256_192)
/* SHAKE256 hash, 24-bytes of hash used, tree height of 10. */
#define LMS_SHAKE_M24_H10 (0x15 | LMS_SHAKE256_192)
/* SHAKE256 hash, 24-bytes of hash used, tree height of 15. */
#define LMS_SHAKE_M24_H15 (0x16 | LMS_SHAKE256_192)
/* SHAKE256 hash, 24-bytes of hash used, tree height of 20. */
#define LMS_SHAKE_M24_H20 (0x17 | LMS_SHAKE256_192)
/* SHAKE256 hash, 24-bytes of hash used, tree height of 25. */
#define LMS_SHAKE_M24_H25 (0x18 | LMS_SHAKE256_192)
/* SHAKE256 hash, 24-bytes of hash used, Winternitz width of 1 bit. */
#define LMOTS_SHAKE_N24_W1 (0x0d | LMS_SHAKE256_192)
/* SHAKE256 hash, 24-bytes of hash used, Winternitz width of 2 bits. */
#define LMOTS_SHAKE_N24_W2 (0x0e | LMS_SHAKE256_192)
/* SHAKE256 hash, 24-bytes of hash used, Winternitz width of 4 bits. */
#define LMOTS_SHAKE_N24_W4 (0x0f | LMS_SHAKE256_192)
/* SHAKE256 hash, 24-bytes of hash used, Winternitz width of 8 bits. */
#define LMOTS_SHAKE_N24_W8 (0x10 | LMS_SHAKE256_192)
typedef struct LmsParams {
/* Number of tree levels. */
word8 levels;
@@ -408,12 +457,43 @@ typedef struct LmsState {
#endif
/* LMS parameters. */
const LmsParams* params;
/* Hash algorithm. */
#ifdef WOLFSSL_LMS_SHAKE256
/* The LMS instance uses exactly one hash family at a time, selected at
* init time by params->lmOtsType (see wc_lms.c LMS_IS_SHAKE dispatch).
* The two contexts are unionized to shrink LmsState; access via the
* LMS_STATE_HASH / LMS_STATE_SHAKE macros below. Anonymous unions
* would avoid the macros but require C11 (HAVE_ANONYMOUS_INLINE_AGGREGATES)
* gating that ends up uglier than the named form here. */
union {
wc_Sha256 sha256;
wc_Shake shake;
} hash;
union {
wc_Sha256 sha256;
wc_Shake shake;
} hash_k;
#else
/* Hash algorithm (SHA-256). */
wc_Sha256 hash;
/* Hash algorithm for calculating K. */
/* Hash algorithm for calculating K (SHA-256). */
wc_Sha256 hash_k;
#endif
} LmsState;
/* Access macros for the LmsState hash contexts. All call sites use the
* address-of form, so the macros yield pointers directly. In the
* SHAKE-disabled build the SHAKE macros are intentionally undefined --
* the only callers are themselves under #ifdef WOLFSSL_LMS_SHAKE256. */
#ifdef WOLFSSL_LMS_SHAKE256
#define LMS_STATE_HASH(state) (&(state)->hash.sha256)
#define LMS_STATE_HASH_K(state) (&(state)->hash_k.sha256)
#define LMS_STATE_SHAKE(state) (&(state)->hash.shake)
#define LMS_STATE_SHAKE_K(state) (&(state)->hash_k.shake)
#else
#define LMS_STATE_HASH(state) (&(state)->hash)
#define LMS_STATE_HASH_K(state) (&(state)->hash_k)
#endif
#ifndef WOLFSSL_WC_LMS_SMALL
/* Stack of interior node hashes. */
typedef struct LmsStack {
@@ -504,8 +584,9 @@ int wc_hss_reload_key(LmsState* state, const byte* priv_raw,
int wc_hss_sign(LmsState* state, byte* priv_raw, HssPrivKey* priv_key,
byte* priv_data, const byte* msg, word32 msgSz, byte* sig);
int wc_hss_sigsleft(const LmsParams* params, const byte* priv_raw);
WOLFSSL_API
int wc_hss_verify(LmsState* state, const byte* pub, const byte* msg,
word32 msgSz, const byte* sig);
word32 msgSz, const byte* sig, word32 sigSz);
#endif /* WOLFSSL_HAVE_LMS && WOLFSSL_WC_LMS */
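Review bot: The `hash`/`hash_k` unions make the active member depend on a single dispatch decision, and the comment above them says that decision is keyed off `params->lmOtsType` alone; as I read SP 800-208 Sec. 4 the LMS type and LM-OTS type of a tree must use the same hash function and output length, so public-key and signature parsing has to reject a SHA-256/SHAKE mismatch between `lmsType` and `lmOtsType` before any union member is initialized, otherwise one tree could be hashed with the wrong family or the wrong member freed. That check would live in wc_lms.c, outside this hunk, but the header should state the precondition: `/* lmsType and lmOtsType must share one hash family (SP 800-208 Sec. 4); key/signature decoding rejects mismatches before these contexts are used. */`. The added `sigSz` on `wc_hss_verify` is the right direction, but it only helps if the implementation compares it against the exact length derived from `params` before reading any signature field; the declaration should say that `sigSz` must equal the parameter set's signature length. The raised `LMS_MAX_HEIGHT` default (20 to 25) also enlarges every stack and cache sized from it, which is worth a sentence in the comment for small-memory builds.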
+281 -9
@@ -26,8 +26,20 @@
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/sha3.h>
#ifdef WOLFSSL_SLHDSA_SHA2
#include <wolfssl/wolfcrypt/sha256.h>
#include <wolfssl/wolfcrypt/sha512.h>
#include <wolfssl/wolfcrypt/hmac.h>
#endif
#if FIPS_VERSION3_GE(7,0,0)
#include <wolfssl/wolfcrypt/fips.h>
#endif
#ifdef WOLFSSL_HAVE_SLHDSA
/* ======== SHAKE parameter guards ======== */
/* When a bits/opt is defined then ensure 'NO' defines are off. */
#ifdef WOLFSSL_SLHDSA_PARAM_128S
#undef WOLFSSL_SLHDSA_PARAM_NO_128S
@@ -155,12 +167,159 @@
#define WOLFSSL_SLHDSA_PARAM_NO_256
#endif
/* ======== SHA2 parameter guards ======== */
#ifdef WOLFSSL_SLHDSA_SHA2
/* When a SHA2 param is defined, ensure 'NO' defines are off. */
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_128S
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
#endif
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_128F
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
#endif
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_192S
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
#endif
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_192F
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
#endif
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_256S
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
#endif
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_256F
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
#endif
/* Derive aggregate 'NO' defines for SHA2. */
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F)
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
#endif
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F)
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
#endif
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F)
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
#endif
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S)
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
#endif
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F)
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
#endif
/* Turn on SHA2 parameter set based on 'NO' defines. */
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL)
#undef WOLFSSL_SLHDSA_PARAM_SHA2_128S
#define WOLFSSL_SLHDSA_PARAM_SHA2_128S
#endif
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST)
#undef WOLFSSL_SLHDSA_PARAM_SHA2_128F
#define WOLFSSL_SLHDSA_PARAM_SHA2_128F
#endif
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL)
#undef WOLFSSL_SLHDSA_PARAM_SHA2_192S
#define WOLFSSL_SLHDSA_PARAM_SHA2_192S
#endif
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST)
#undef WOLFSSL_SLHDSA_PARAM_SHA2_192F
#define WOLFSSL_SLHDSA_PARAM_SHA2_192F
#endif
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL)
#undef WOLFSSL_SLHDSA_PARAM_SHA2_256S
#define WOLFSSL_SLHDSA_PARAM_SHA2_256S
#endif
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256) && \
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST)
#undef WOLFSSL_SLHDSA_PARAM_SHA2_256F
#define WOLFSSL_SLHDSA_PARAM_SHA2_256F
#endif
/* Re-derive aggregate NOs for SHA2. */
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S)
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
#endif
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F)
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
#endif
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F)
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
#endif
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F)
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
#endif
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S) && \
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F)
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
#endif
#endif /* WOLFSSL_SLHDSA_SHA2 */
/* ======== Security parameter (n) per FIPS 205 Table 2 ======== */
/* Security parameter n, in bytes. SLH-DSA seed length, public key half,
* and other primitive sizes are derived from n. The SHA2 hash dispatch
* also keys off n: n = 128 uses SHA-256, n = 192/256 use SHA-512. */
/* Category 1, 128-bit classical security. */
#define WC_SLHDSA_N_128 16
/* Category 3, 192-bit classical security. */
#define WC_SLHDSA_N_192 24
/* Category 5, 256-bit classical security. */
#define WC_SLHDSA_N_256 32
/* ======== SHAKE size defines ======== */
/* Seed length for SLH-DSA SHAKE-128s/f. */
#define WC_SLHDSA_SHAKE128_SEED_LEN 16
#define WC_SLHDSA_SHAKE128_SEED_LEN WC_SLHDSA_N_128
/* Seed length for SLH-DSA SHAKE-192s/f. */
#define WC_SLHDSA_SHAKE192_SEED_LEN 24
#define WC_SLHDSA_SHAKE192_SEED_LEN WC_SLHDSA_N_192
/* Seed length for SLH-DSA SHAKE-256s/f. */
#define WC_SLHDSA_SHAKE256_SEED_LEN 32
#define WC_SLHDSA_SHAKE256_SEED_LEN WC_SLHDSA_N_256
/* Private key length for SLH-DSA SHAKE-128s. */
#define WC_SLHDSA_SHAKE128S_PRIV_LEN (4 * 16)
@@ -216,8 +375,76 @@
/* Seed length for SLH-DSA SHAKE-256f. */
#define WC_SLHDSA_SHAKE256F_SEED_LEN WC_SLHDSA_SHAKE256_SEED_LEN
/* Determine maximum private and public key lengths based on maximum SHAKE-256
* output length. */
/* ======== SHA2 size defines ======== */
#ifdef WOLFSSL_SLHDSA_SHA2
/* Seed length for SLH-DSA SHA2-128s/f. */
#define WC_SLHDSA_SHA2_128_SEED_LEN WC_SLHDSA_N_128
/* Seed length for SLH-DSA SHA2-192s/f. */
#define WC_SLHDSA_SHA2_192_SEED_LEN WC_SLHDSA_N_192
/* Seed length for SLH-DSA SHA2-256s/f. */
#define WC_SLHDSA_SHA2_256_SEED_LEN WC_SLHDSA_N_256
/* Private key length for SLH-DSA SHA2-128s. */
#define WC_SLHDSA_SHA2_128S_PRIV_LEN (4 * 16)
/* Public key length for SLH-DSA SHA2-128s. */
#define WC_SLHDSA_SHA2_128S_PUB_LEN (2 * 16)
/* Signature length for SLH-DSA SHA2-128s. */
#define WC_SLHDSA_SHA2_128S_SIG_LEN 7856
/* Seed length for SLH-DSA SHA2-128s. */
#define WC_SLHDSA_SHA2_128S_SEED_LEN WC_SLHDSA_SHA2_128_SEED_LEN
/* Private key length for SLH-DSA SHA2-128f. */
#define WC_SLHDSA_SHA2_128F_PRIV_LEN (4 * 16)
/* Public key length for SLH-DSA SHA2-128f. */
#define WC_SLHDSA_SHA2_128F_PUB_LEN (2 * 16)
/* Signature length for SLH-DSA SHA2-128f. */
#define WC_SLHDSA_SHA2_128F_SIG_LEN 17088
/* Seed length for SLH-DSA SHA2-128f. */
#define WC_SLHDSA_SHA2_128F_SEED_LEN WC_SLHDSA_SHA2_128_SEED_LEN
/* Private key length for SLH-DSA SHA2-192s. */
#define WC_SLHDSA_SHA2_192S_PRIV_LEN (4 * 24)
/* Public key length for SLH-DSA SHA2-192s. */
#define WC_SLHDSA_SHA2_192S_PUB_LEN (2 * 24)
/* Signature length for SLH-DSA SHA2-192s. */
#define WC_SLHDSA_SHA2_192S_SIG_LEN 16224
/* Seed length for SLH-DSA SHA2-192s. */
#define WC_SLHDSA_SHA2_192S_SEED_LEN WC_SLHDSA_SHA2_192_SEED_LEN
/* Private key length for SLH-DSA SHA2-192f. */
#define WC_SLHDSA_SHA2_192F_PRIV_LEN (4 * 24)
/* Public key length for SLH-DSA SHA2-192f. */
#define WC_SLHDSA_SHA2_192F_PUB_LEN (2 * 24)
/* Signature length for SLH-DSA SHA2-192f. */
#define WC_SLHDSA_SHA2_192F_SIG_LEN 35664
/* Seed length for SLH-DSA SHA2-192f. */
#define WC_SLHDSA_SHA2_192F_SEED_LEN WC_SLHDSA_SHA2_192_SEED_LEN
/* Private key length for SLH-DSA SHA2-256s. */
#define WC_SLHDSA_SHA2_256S_PRIV_LEN (4 * 32)
/* Public key length for SLH-DSA SHA2-256s. */
#define WC_SLHDSA_SHA2_256S_PUB_LEN (2 * 32)
/* Signature length for SLH-DSA SHA2-256s. */
#define WC_SLHDSA_SHA2_256S_SIG_LEN 29792
/* Seed length for SLH-DSA SHA2-256s. */
#define WC_SLHDSA_SHA2_256S_SEED_LEN WC_SLHDSA_SHA2_256_SEED_LEN
/* Private key length for SLH-DSA SHA2-256f. */
#define WC_SLHDSA_SHA2_256F_PRIV_LEN (4 * 32)
/* Public key length for SLH-DSA SHA2-256f. */
#define WC_SLHDSA_SHA2_256F_PUB_LEN (2 * 32)
/* Signature length for SLH-DSA SHA2-256f. */
#define WC_SLHDSA_SHA2_256F_SIG_LEN 49856
/* Seed length for SLH-DSA SHA2-256f. */
#define WC_SLHDSA_SHA2_256F_SEED_LEN WC_SLHDSA_SHA2_256_SEED_LEN
#endif /* WOLFSSL_SLHDSA_SHA2 */
/* ======== Maximum size defines ======== */
/* Determine maximum private and public key lengths based on maximum 256-bit
* output length. SHA2 variants have identical sizes to SHAKE counterparts. */
#ifndef WOLFSSL_SLHDSA_PARAM_NO_256
/* Maximum private key length. */
#define WC_SLHDSA_MAX_PRIV_LEN WC_SLHDSA_SHAKE256F_PRIV_LEN
@@ -279,8 +506,23 @@ enum SlhDsaParam {
SLHDSA_SHAKE192F = 3, /* SLH-DSA SHAKE192f */
SLHDSA_SHAKE256S = 4, /* SLH-DSA SHAKE256s */
SLHDSA_SHAKE256F = 5, /* SLH-DSA SHAKE256f */
#ifdef WOLFSSL_SLHDSA_SHA2
SLHDSA_SHA2_128S = 6, /* SLH-DSA SHA2-128s */
SLHDSA_SHA2_128F = 7, /* SLH-DSA SHA2-128f */
SLHDSA_SHA2_192S = 8, /* SLH-DSA SHA2-192s */
SLHDSA_SHA2_192F = 9, /* SLH-DSA SHA2-192f */
SLHDSA_SHA2_256S = 10, /* SLH-DSA SHA2-256s */
SLHDSA_SHA2_256F = 11, /* SLH-DSA SHA2-256f */
#endif
};
/* Helper macro to detect SHA2 parameter sets. */
#ifdef WOLFSSL_SLHDSA_SHA2
#define SLHDSA_IS_SHA2(p) ((p) >= SLHDSA_SHA2_128S)
#else
#define SLHDSA_IS_SHA2(p) (0)
#endif
/* Pre-defined parameter values. */
typedef struct SlhDsaParameters {
enum SlhDsaParam param; /* Parameter set id. */
@@ -317,10 +559,31 @@ typedef struct SlhDsaKey {
/* sk_seed | sk_prf | pk_seed, pk_root */
byte sk[32 * 4];
/* First SHAKE-256 object. */
wc_Shake shake;
/* Second SHAKE-256 object. */
wc_Shake shake2;
/* Hash objects for SHAKE or SHA2. */
union {
struct {
/* Primary SHAKE-256 object. */
wc_Shake shake;
/* Secondary SHAKE-256 object (T_l streaming). */
wc_Shake shake2;
} shk;
#ifdef WOLFSSL_SLHDSA_SHA2
struct {
/* F, PRF (all cats) + H, T_l (cat 1). */
wc_Sha256 sha256;
/* T_l streaming (cat 1), H_msg scratch. */
wc_Sha256 sha256_2;
/* H, T_l (cats 3, 5). */
wc_Sha512 sha512;
/* H_msg streaming (cats 3, 5). */
wc_Sha512 sha512_2;
/* Pre-computed midstate: PK.seed || pad(64 - n). */
wc_Sha256 sha256_mid;
/* Pre-computed midstate: PK.seed || pad(128 - n). */
wc_Sha512 sha512_mid;
} sha2;
#endif
} hash;
} SlhDsaKey;
WOLFSSL_API int wc_SlhDsaKey_Init(SlhDsaKey* key, enum SlhDsaParam param,
@@ -344,6 +607,15 @@ WOLFSSL_API int wc_SlhDsaKey_Sign(SlhDsaKey* key, const byte* ctx,
WOLFSSL_API int wc_SlhDsaKey_Verify(SlhDsaKey* key, const byte* ctx,
byte ctxSz, const byte* msg, word32 msgSz, const byte* sig, word32 sigSz);
/* Internal interface: M' provided directly (no M' construction). */
WOLFSSL_API int wc_SlhDsaKey_SignMsgDeterministic(SlhDsaKey* key,
const byte* mprime, word32 mprimeSz, byte* sig, word32* sigSz);
WOLFSSL_API int wc_SlhDsaKey_SignMsgWithRandom(SlhDsaKey* key,
const byte* mprime, word32 mprimeSz, byte* sig, word32* sigSz,
const byte* addRnd);
WOLFSSL_API int wc_SlhDsaKey_VerifyMsg(SlhDsaKey* key, const byte* mprime,
word32 mprimeSz, const byte* sig, word32 sigSz);
WOLFSSL_API int wc_SlhDsaKey_SignHashDeterministic(SlhDsaKey* key,
const byte* ctx, byte ctxSz, const byte* msg, word32 msgSz,
enum wc_HashType hashType, byte* sig, word32* sigSz);