Merge pull request #9843 from kaleb-himes/PQ-FS-2026-Part2
Phase 2: PQ in boundary and SHA512 DRBG
@@ -733,6 +733,7 @@ WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC
|
||||
WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A
|
||||
WOLFSSL_DILITHIUM_SMALL_MEM_POLY64
|
||||
WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
|
||||
WOLFSSL_DRBG_SHA256
|
||||
WOLFSSL_DTLS_DISALLOW_FUTURE
|
||||
WOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS
|
||||
WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT
|
||||
@@ -1133,3 +1134,4 @@ ssize_t
|
||||
sun
|
||||
versal
|
||||
wc_Tls13_HKDF_Expand_Label
|
||||
WOLFSSL_NO_LMS_SHAKE256_256
|
||||
|
||||
@@ -318,6 +318,12 @@
|
||||
<ClCompile Include="..\..\wolfcrypt\src\wolfmath.c" />
|
||||
<ClCompile Include="..\..\wolfcrypt\src\wolfevent.c" />
|
||||
<ClCompile Include="..\..\wolfcrypt\src\pkcs12.c" />
|
||||
<ClCompile Include="..\..\wolfcrypt\src\dilithium.c" />
|
||||
<ClCompile Include="..\..\wolfcrypt\src\wc_lms.c" />
|
||||
<ClCompile Include="..\..\wolfcrypt\src\wc_lms_impl.c" />
|
||||
<ClCompile Include="..\..\wolfcrypt\src\wc_xmss.c" />
|
||||
<ClCompile Include="..\..\wolfcrypt\src\wc_xmss_impl.c" />
|
||||
<ClCompile Include="..\..\wolfcrypt\src\wc_slhdsa.c" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<CustomBuild Include="..\..\wolfcrypt\src\aes_asm.asm">
|
||||
|
||||
+713
-127
@@ -623,10 +623,8 @@ AS_CASE([$ENABLED_FIPS],
|
||||
DEF_SP_MATH="yes"
|
||||
DEF_FAST_MATH="no"
|
||||
],
|
||||
# Should always remain one ahead of the latest so as not to be confused with
|
||||
# the latest
|
||||
[ready],[
|
||||
FIPS_VERSION="ready"
|
||||
[v7],[
|
||||
FIPS_VERSION="v7"
|
||||
HAVE_FIPS_VERSION=7
|
||||
HAVE_FIPS_VERSION_MAJOR=7
|
||||
HAVE_FIPS_VERSION_MINOR=0
|
||||
@@ -635,9 +633,21 @@ AS_CASE([$ENABLED_FIPS],
|
||||
DEF_SP_MATH="yes"
|
||||
DEF_FAST_MATH="no"
|
||||
],
|
||||
[dev],[
|
||||
# Should always remain one ahead of the latest so as not to be confused with
|
||||
# the latest
|
||||
[ready|v7-ready],[
|
||||
FIPS_VERSION="ready"
|
||||
HAVE_FIPS_VERSION=8
|
||||
HAVE_FIPS_VERSION_MAJOR=8
|
||||
HAVE_FIPS_VERSION_MINOR=0
|
||||
HAVE_FIPS_VERSION_PATCH=0
|
||||
ENABLED_FIPS="yes"
|
||||
DEF_SP_MATH="yes"
|
||||
DEF_FAST_MATH="no"
|
||||
],
|
||||
[dev|v7-dev],[
|
||||
FIPS_VERSION="dev"
|
||||
HAVE_FIPS_VERSION_MAJOR=7
|
||||
HAVE_FIPS_VERSION_MAJOR=8
|
||||
HAVE_FIPS_VERSION_MINOR=0
|
||||
HAVE_FIPS_VERSION_PATCH=0
|
||||
ENABLED_FIPS="yes"
|
||||
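Review bot: The `[dev|v7-dev]` branch sets HAVE_FIPS_VERSION_MAJOR=8 but, unlike the adjacent `[v7]` (HAVE_FIPS_VERSION=7) and `[ready|v7-ready]` (HAVE_FIPS_VERSION=8) branches, never assigns HAVE_FIPS_VERSION itself. Unless that variable is derived from the MAJOR value later in configure.ac (not visible in this hunk), the `-ge 7` / `-lt 7` integer comparisons this PR adds further down will see an empty string in dev builds and produce a `test: integer expression expected` error. Adding `HAVE_FIPS_VERSION=8` after `FIPS_VERSION="dev"` (and likewise in the `[lean-aesgcm|...]` branch of the next hunk) keeps the three branches parallel. The AS_CASE this belongs to starts before the hunk; note also that the AC_MSG_ERROR option list in the next hunk now mentions `v7` but not the new `v7-ready` / `v7-dev` aliases.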
@@ -645,14 +655,14 @@ AS_CASE([$ENABLED_FIPS],
|
||||
],
|
||||
[lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[
|
||||
FIPS_VERSION="$ENABLED_FIPS"
|
||||
HAVE_FIPS_VERSION_MAJOR=7
|
||||
HAVE_FIPS_VERSION_MAJOR=8
|
||||
HAVE_FIPS_VERSION_MINOR=0
|
||||
HAVE_FIPS_VERSION_PATCH=0
|
||||
ENABLED_FIPS="yes"
|
||||
],
|
||||
[
|
||||
AS_IF([test "$ENABLED_FIPS" = "yes"],[ENABLED_FIPS="(unset)"],[ENABLED_FIPS=\"$ENABLED_FIPS\"])
|
||||
AC_MSG_ERROR([Invalid value for --enable-fips $ENABLED_FIPS (main options: v1, v2, v5, v6, ready, dev, rand, lean-aesgcm, no, disabled)])
|
||||
AC_MSG_ERROR([Invalid value for --enable-fips $ENABLED_FIPS (main options: v1, v2, v5, v6, v7, ready, dev, rand, lean-aesgcm, no, disabled)])
|
||||
])
|
||||
|
||||
if test -z "$HAVE_FIPS_VERSION_MAJOR"
|
||||
@@ -1828,39 +1838,6 @@ do
|
||||
esac
|
||||
done
|
||||
|
||||
if test "$ENABLED_DILITHIUM" != "no"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_DILITHIUM"
|
||||
|
||||
if test "$ENABLED_MLDSA44" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_44"
|
||||
fi
|
||||
if test "$ENABLED_MLDSA65" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_65"
|
||||
fi
|
||||
if test "$ENABLED_MLDSA87" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_87"
|
||||
fi
|
||||
if test "$ENABLED_DILITHIUM_MAKE_KEY" = "no"; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_MAKE_KEY"
|
||||
fi
|
||||
if test "$ENABLED_DILITHIUM_SIGN" = "no"; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_SIGN"
|
||||
fi
|
||||
if test "$ENABLED_DILITHIUM_VERIFY" = "no"; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_VERIFY"
|
||||
fi
|
||||
|
||||
if test "$ENABLED_LIBOQS" = "no"; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_DILITHIUM"
|
||||
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_WC_DILITHIUM"
|
||||
test "$enable_sha3" = "" && enable_sha3=yes
|
||||
test "$enable_shake128" = "" && enable_shake128=yes
|
||||
test "$enable_shake256" = "" && enable_shake256=yes
|
||||
fi
|
||||
ENABLED_CERTS=yes
|
||||
fi
|
||||
|
||||
# XMSS
|
||||
ENABLED_WC_XMSS=no
|
||||
AC_ARG_ENABLE([xmss],
|
||||
@@ -1940,19 +1917,6 @@ AC_ARG_WITH([libxmss],
|
||||
[XMSS_ROOT=""]
|
||||
)
|
||||
|
||||
if test "$ENABLED_XMSS" != "no"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_XMSS"
|
||||
|
||||
# Use hash-sigs XMSS lib if enabled.
|
||||
if test "$ENABLED_LIBXMSS" = "yes"; then
|
||||
ENABLED_WC_XMSS=no
|
||||
else
|
||||
ENABLED_WC_XMSS=yes
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_XMSS"
|
||||
fi
|
||||
fi
|
||||
|
||||
# LMS
|
||||
ENABLED_WC_LMS=no
|
||||
AC_ARG_ENABLE([lms],
|
||||
@@ -1980,6 +1944,9 @@ do
|
||||
sha256-192)
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192"
|
||||
;;
|
||||
shake256)
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHAKE256"
|
||||
;;
|
||||
*)
|
||||
AC_MSG_ERROR([Invalid choice for LMS []: $ENABLED_LMS.])
|
||||
break;;
|
||||
@@ -2054,19 +2021,6 @@ AC_ARG_WITH([liblms],
|
||||
]
|
||||
)
|
||||
|
||||
if test "$ENABLED_LMS" != "no"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_LMS"
|
||||
|
||||
# Use hash-sigs LMS lib if enabled.
|
||||
if test "$ENABLED_LIBLMS" = "yes"; then
|
||||
ENABLED_WC_LMS=no
|
||||
else
|
||||
ENABLED_WC_LMS=yes
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_LMS"
|
||||
fi
|
||||
fi
|
||||
|
||||
# SLH-DSA
|
||||
ENABLED_SLHDSA=yes
|
||||
AC_ARG_ENABLE([slhdsa],
|
||||
@@ -2121,59 +2075,50 @@ do
|
||||
no-f)
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_FAST"
|
||||
;;
|
||||
sha2)
|
||||
SLHDSA_SHA2=yes
|
||||
SLHDSA_PARAM_SHA2_128S=yes
|
||||
SLHDSA_PARAM_SHA2_128F=yes
|
||||
SLHDSA_PARAM_SHA2_192S=yes
|
||||
SLHDSA_PARAM_SHA2_192F=yes
|
||||
SLHDSA_PARAM_SHA2_256S=yes
|
||||
SLHDSA_PARAM_SHA2_256F=yes
|
||||
;;
|
||||
sha2-128s)
|
||||
SLHDSA_SHA2=yes
|
||||
SLHDSA_PARAM_SHA2_128S=yes
|
||||
;;
|
||||
sha2-128f)
|
||||
SLHDSA_SHA2=yes
|
||||
SLHDSA_PARAM_SHA2_128F=yes
|
||||
;;
|
||||
sha2-192s)
|
||||
SLHDSA_SHA2=yes
|
||||
SLHDSA_PARAM_SHA2_192S=yes
|
||||
;;
|
||||
sha2-192f)
|
||||
SLHDSA_SHA2=yes
|
||||
SLHDSA_PARAM_SHA2_192F=yes
|
||||
;;
|
||||
sha2-256s)
|
||||
SLHDSA_SHA2=yes
|
||||
SLHDSA_PARAM_SHA2_256S=yes
|
||||
;;
|
||||
sha2-256f)
|
||||
SLHDSA_SHA2=yes
|
||||
SLHDSA_PARAM_SHA2_256F=yes
|
||||
;;
|
||||
no-sha2-s)
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL"
|
||||
;;
|
||||
no-sha2-f)
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST"
|
||||
;;
|
||||
*)
|
||||
AC_MSG_ERROR([Invalid choice for SLH-DSA []: $ENABLED_SLHDSA.])
|
||||
break;;
|
||||
esac
|
||||
done
|
||||
|
||||
if test "$ENABLED_SLHDSA" != "no"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SLHDSA"
|
||||
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SLHDSA"
|
||||
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_SLHDSA"
|
||||
|
||||
if test "$SLHDSA_PARAM_128S" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128S"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128S"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_128F" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128F"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128F"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_192S" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192S"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192S"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_192F" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192F"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192F"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_256S" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256S"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256S"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_256F" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256F"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256F"
|
||||
fi
|
||||
|
||||
enable_shake256=yes
|
||||
fi
|
||||
|
||||
# SINGLE THREADED
|
||||
AC_ARG_ENABLE([singlethreaded],
|
||||
[AS_HELP_STRING([--enable-singlethreaded],[Enable wolfSSL single threaded (default: disabled)])],
|
||||
@@ -4557,6 +4502,17 @@ AC_ARG_ENABLE([shake128],
|
||||
[ ENABLED_SHAKE128=$SHAKE_DEFAULT ]
|
||||
)
|
||||
|
||||
# MLKEM requires SHAKE128. Force-enable when MLKEM is enabled.
|
||||
if test "$ENABLED_MLKEM" != "no"
|
||||
then
|
||||
if test "$ENABLED_SHAKE128" = "no"
|
||||
then
|
||||
AC_MSG_NOTICE([MLKEM enabled (not explicitly disabled); overriding --disable-shake128 to enable SHAKE128])
|
||||
ENABLED_SHAKE128=yes
|
||||
enable_shake128=yes
|
||||
fi
|
||||
fi
|
||||
|
||||
# SHAKE256
|
||||
AC_ARG_ENABLE([shake256],
|
||||
[AS_HELP_STRING([--enable-shake256],[Enable wolfSSL SHAKE256 support (default: disabled)])],
|
||||
@@ -4564,6 +4520,17 @@ AC_ARG_ENABLE([shake256],
|
||||
[ ENABLED_SHAKE256=$SHAKE_DEFAULT ]
|
||||
)
|
||||
|
||||
# MLKEM requires SHAKE256. Force-enable when MLKEM is enabled.
|
||||
if test "$ENABLED_MLKEM" != "no"
|
||||
then
|
||||
if test "$ENABLED_SHAKE256" = "no"
|
||||
then
|
||||
AC_MSG_NOTICE([MLKEM enabled (not explicitly disabled); overriding --disable-shake256 to enable SHAKE256])
|
||||
ENABLED_SHAKE256=yes
|
||||
enable_shake256=yes
|
||||
fi
|
||||
fi
|
||||
|
||||
# SHA512
|
||||
AC_ARG_ENABLE([sha512],
|
||||
[AS_HELP_STRING([--enable-sha512],[Enable wolfSSL SHA-512 support (default: enabled)])],
|
||||
@@ -4589,6 +4556,25 @@ then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512"
|
||||
fi
|
||||
|
||||
# SHA-256 Hash DRBG (SP 800-90A) -- sub-option of hashdrbg
|
||||
AC_ARG_ENABLE([sha256-drbg],
|
||||
[AS_HELP_STRING([--enable-sha256-drbg],[Enable SHA-256 Hash DRBG (default: enabled)])],
|
||||
[ ENABLED_SHA256_DRBG=$enableval ],
|
||||
[ ENABLED_SHA256_DRBG=yes ]
|
||||
)
|
||||
|
||||
# SHA-512 Hash DRBG (SP 800-90A) -- sub-option of hashdrbg
|
||||
AC_ARG_ENABLE([sha512-drbg],
|
||||
[AS_HELP_STRING([--enable-sha512-drbg],[Enable SHA-512 Hash DRBG (default: enabled)])],
|
||||
[ ENABLED_SHA512_DRBG=$enableval ],
|
||||
[ ENABLED_SHA512_DRBG=yes ]
|
||||
)
|
||||
|
||||
# SHA-512 DRBG requires SHA-512
|
||||
if test "$ENABLED_SHA512" != "yes"
|
||||
then
|
||||
ENABLED_SHA512_DRBG=no
|
||||
fi
|
||||
|
||||
# SHA384
|
||||
AC_ARG_ENABLE([sha384],
|
||||
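Review bot: The new `# SHA-512 DRBG requires SHA-512` guard silently flips ENABLED_SHA512_DRBG to `no` even when the user explicitly passed `--enable-sha512-drbg`, so a build that asked for the SHA-512 DRBG can quietly end up without it. Report the conflict instead of downgrading, e.g. insert `AS_IF([test "$enable_sha512_drbg" = "yes"],[AC_MSG_ERROR([--enable-sha512-drbg requires SHA-512 (--enable-sha512)])])` before `ENABLED_SHA512_DRBG=no`, mirroring the explicit-request handling the FIPS section uses for `enable_sha256_drbg`. Note that this check runs before the FIPS section that force-enables SHA-512, which appears intentional since that section also re-forces the DRBG on.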
@@ -6132,12 +6118,12 @@ AC_ARG_ENABLE([aeskeywrap],
|
||||
# FIPS feature and macro setup
|
||||
|
||||
AS_CASE([$FIPS_VERSION],
|
||||
[v6|ready|dev],[ # FIPS 140-3 SRTP-KDF
|
||||
[v7|ready|dev],[ # FIPS 140-3 PQ-FS
|
||||
|
||||
AS_IF([test "$FIPS_VERSION" = "dev"],
|
||||
ENABLED_FIPS_DEV=yes
|
||||
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
|
||||
AS_IF([test "$FIPS_VERSION" = "ready"],
|
||||
AS_IF([test "$FIPS_VERSION" = "ready" || test "$FIPS_VERSION" = "v7"],
|
||||
ENABLED_FIPS_READY=yes
|
||||
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
|
||||
|
||||
@@ -6253,8 +6239,248 @@ AS_CASE([$FIPS_VERSION],
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
|
||||
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
|
||||
|
||||
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
|
||||
# SHA512-224 and SHA512-256 enabled for FIPS v7+ (needed for ML-DSA
|
||||
# HashML-DSA ACVP test vectors with SHA2-512/224 and SHA2-512/256)
|
||||
|
||||
# Shake128 because we're testing SHAKE256
|
||||
AS_IF([test "x$ENABLED_SHAKE128" = "xno" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_shake128" != "no")],
|
||||
[ENABLED_SHAKE128="yes"])
|
||||
|
||||
# Shake256 mandated for ED448
|
||||
AS_IF([test "x$ENABLED_SHAKE256" = "xno" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_shake256" != "no")],
|
||||
[ENABLED_SHAKE256="yes"])
|
||||
|
||||
# Aes section
|
||||
AS_IF([test "$ENABLED_AESCCM" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_aesccm" != "no")],
|
||||
[ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
|
||||
|
||||
AS_IF([test "$ENABLED_AESCTR" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_aesctr" != "no")],
|
||||
[ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
|
||||
|
||||
AS_IF([test "$ENABLED_CMAC" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_cmac" != "no")],
|
||||
[ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
|
||||
|
||||
AS_IF([test "$ENABLED_AESGCM" = "no" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm" != "no")],
|
||||
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
|
||||
|
||||
AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm_stream" != "no")],
|
||||
[ENABLED_AESGCM_STREAM="yes"])
|
||||
|
||||
AS_IF([test "x$ENABLED_AESOFB" = "xno" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_aesofb" != "no")],
|
||||
[ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])
|
||||
|
||||
AS_IF([test "x$ENABLED_AESCFB" = "xno" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_aescfb" != "no")],
|
||||
[ENABLED_AESCFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"])
|
||||
|
||||
AS_IF([test "x$ENABLED_AESXTS" = "xno" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_aesxts" != "no")],
|
||||
[ENABLED_AESXTS="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_XTS"])
|
||||
AS_IF([test "x$ENABLED_AESXTS" = "xyes" && test "x$ENABLED_AESNI" = "xyes"],
|
||||
[AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
|
||||
|
||||
AS_IF([test "x$ENABLED_AESXTS_STREAM" = "xno" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_aesxts_stream" != "no")],
|
||||
[ENABLED_AESXTS_STREAM="yes"])
|
||||
|
||||
AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
|
||||
(test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
|
||||
(test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
|
||||
(test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
|
||||
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
|
||||
|
||||
AS_IF([test "x$ENABLED_AESKEYWRAP" != "xyes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_aeskeywrap" != "no")],
|
||||
[ENABLED_AESKEYWRAP="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_KEYWRAP"])
|
||||
|
||||
# Post-Quantum section
|
||||
AS_IF([test "$ENABLED_MLKEM" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_mlkem" != "no")],
|
||||
[ENABLED_MLKEM="yes"
|
||||
ENABLED_MLKEM512="yes"
|
||||
ENABLED_MLKEM768="yes"
|
||||
ENABLED_MLKEM1024="yes"
|
||||
ENABLED_MLKEM_MAKE_KEY="yes"
|
||||
ENABLED_MLKEM_ENCAPSULATE="yes"
|
||||
ENABLED_MLKEM_DECAPSULATE="yes"])
|
||||
|
||||
AS_IF([test "$ENABLED_DILITHIUM" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_dilithium" != "no")],
|
||||
[ENABLED_DILITHIUM="yes"
|
||||
ENABLED_MLDSA44="yes"
|
||||
ENABLED_MLDSA65="yes"
|
||||
ENABLED_MLDSA87="yes"
|
||||
ENABLED_DILITHIUM_MAKE_KEY="yes"
|
||||
ENABLED_DILITHIUM_SIGN="yes"
|
||||
ENABLED_DILITHIUM_VERIFY="yes"])
|
||||
|
||||
AS_IF([test "$ENABLED_XMSS" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_xmss" != "no")],
|
||||
[ENABLED_XMSS="yes"])
|
||||
|
||||
AS_IF([test "$ENABLED_LMS" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_lms" != "no")],
|
||||
[ENABLED_LMS="yes"])
|
||||
# LMS: enable SHA-256/192 and SHAKE256 parameter sets for FIPS v7
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192 -DWOLFSSL_LMS_SHAKE256"
|
||||
|
||||
AS_IF([test "$ENABLED_SLHDSA" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_slhdsa" != "no")],
|
||||
[ENABLED_SLHDSA="yes"
|
||||
SLHDSA_PARAM_128S="yes"
|
||||
SLHDSA_PARAM_128F="yes"
|
||||
SLHDSA_PARAM_192S="yes"
|
||||
SLHDSA_PARAM_192F="yes"
|
||||
SLHDSA_PARAM_256S="yes"
|
||||
SLHDSA_PARAM_256F="yes"
|
||||
SLHDSA_SHA2="yes"
|
||||
SLHDSA_PARAM_SHA2_128S="yes"
|
||||
SLHDSA_PARAM_SHA2_128F="yes"
|
||||
SLHDSA_PARAM_SHA2_192S="yes"
|
||||
SLHDSA_PARAM_SHA2_192F="yes"
|
||||
SLHDSA_PARAM_SHA2_256S="yes"
|
||||
SLHDSA_PARAM_SHA2_256F="yes"])
|
||||
|
||||
# SHA-256 DRBG -- cannot be disabled at build time in FIPS mode
|
||||
AS_IF([test "$enable_sha256_drbg" = "no"],
|
||||
[AC_MSG_WARN([Can not disable SHA256-DRBG at build time in FIPS mode, disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])])
|
||||
ENABLED_SHA256_DRBG="yes"
|
||||
|
||||
# SHA-512 DRBG -- cannot be disabled at build time in FIPS mode
|
||||
AS_IF([test "$enable_sha512_drbg" = "no"],
|
||||
[AC_MSG_WARN([Can not disable SHA512-DRBG at build time in FIPS mode, disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])])
|
||||
ENABLED_SHA512_DRBG="yes"
|
||||
|
||||
# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
|
||||
AS_IF([test "$ENABLED_OLD_TLS" != "no"],
|
||||
[AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
|
||||
ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
|
||||
|
||||
],
|
||||
|
||||
[v6],[ # FIPS 140-3 SRTP-KDF (frozen)
|
||||
|
||||
AM_CFLAGS="$AM_CFLAGS \
|
||||
-DHAVE_FIPS \
|
||||
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
|
||||
-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
|
||||
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
|
||||
-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
|
||||
-DHAVE_ECC_CDH \
|
||||
-DWC_RSA_NO_PADDING \
|
||||
-DECC_USER_CURVES \
|
||||
-DHAVE_ECC384 \
|
||||
-DHAVE_ECC521 \
|
||||
-DWOLFSSL_VALIDATE_FFC_IMPORT \
|
||||
-DHAVE_FFDHE_Q \
|
||||
-DHAVE_FFDHE_3072 \
|
||||
-DHAVE_FFDHE_4096 \
|
||||
-DHAVE_FFDHE_6144 \
|
||||
-DHAVE_FFDHE_8192"
|
||||
|
||||
# KCAPI API does not support custom k for sign, don't force enable ECC key sizes and don't use seed callback
|
||||
AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
|
||||
[AM_CFLAGS="$AM_CFLAGS \
|
||||
-DWC_RNG_SEED_CB \
|
||||
-DWOLFSSL_ECDSA_SET_K \
|
||||
-DWOLFSSL_VALIDATE_ECC_IMPORT \
|
||||
-DWOLFSSL_VALIDATE_ECC_KEYGEN \
|
||||
-DHAVE_ECC192 \
|
||||
-DHAVE_ECC224 \
|
||||
-DHAVE_ECC256"])
|
||||
|
||||
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
|
||||
# optimizations section
|
||||
|
||||
# protocol section
|
||||
AS_IF([test "$ENABLED_WOLFSSH" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_ssh" != "no")],
|
||||
[enable_ssh="yes"])
|
||||
|
||||
AS_IF([test "$ENABLED_HKDF" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_hkdf" != "no")],
|
||||
[ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
|
||||
|
||||
AS_IF([test "x$ENABLED_PWDBASED" = "xno" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_pwdbased" != "no")],
|
||||
[ENABLED_PWDBASED="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_PBKDF2 -DHAVE_AESGCM"])
|
||||
|
||||
AS_IF([test "x$ENABLED_SRTP" = "xno" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_srtp" != "no")],
|
||||
[ENABLED_SRTP="yes"])
|
||||
AS_IF([test "x$ENABLED_SRTP_KDF" = "xno" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_srtp_kdf" != "no")],
|
||||
[ENABLED_SRTP_KDF="yes"])
|
||||
|
||||
# public key section
|
||||
AS_IF([test "$ENABLED_KEYGEN" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_keygen" != "no")],
|
||||
[ENABLED_KEYGEN="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
|
||||
|
||||
# AS_IF([test "$ENABLED_COMPKEY" != "yes" &&
|
||||
# (test "$FIPS_VERSION" != "dev" || test "$enable_compkey" != "yes")],
|
||||
# [ENABLED_COMPKEY="yes"])
|
||||
|
||||
AS_IF([test "$ENABLED_RSAPSS" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_rsapss" != "no")],
|
||||
[ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
|
||||
|
||||
AS_IF([test "$ENABLED_ECC" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_ecc" != "no")],
|
||||
[ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
|
||||
AS_IF([test "$ENABLED_ECC_SHAMIR" = "yes"],
|
||||
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
|
||||
|
||||
AS_IF([test "$ENABLED_ED25519" = "no" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_ed25519" != "no")],
|
||||
[ENABLED_ED25519="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519 -DHAVE_ED25519_KEY_IMPORT"])
|
||||
|
||||
AS_IF([test "$ENABLED_CURVE25519" != "no" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_curve25519" = "")],
|
||||
[ENABLED_CURVE25519="no"; AM_CFLAGS="$AM_CFLAGS"])
|
||||
|
||||
AS_IF([test "x$ENABLED_ED448" != "xyes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_ed448" != "no")],
|
||||
[ENABLED_ED448="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED448 -DHAVE_ED448_KEY_IMPORT"])
|
||||
|
||||
AS_IF([test "$ENABLED_CURVE448" != "no" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_curve448" = "")],
|
||||
[ENABLED_CURVE448="no"; AM_CFLAGS="$AM_CFLAGS"])
|
||||
|
||||
AS_IF([test "x$ENABLED_ED25519_STREAM" != "xyes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_ed25519_stream" != "no")],
|
||||
[ENABLED_ED25519_STREAM="yes"])
|
||||
AS_IF([test "x$ENABLED_ED448_STREAM" != "xyes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_ed448_stream" != "no")],
|
||||
[ENABLED_ED448_STREAM="yes"])
|
||||
|
||||
AS_IF([test "x$ENABLED_ECCCUSTCURVES" != "xno" &&
|
||||
test "$FIPS_VERSION" != "dev"],
|
||||
[AC_MSG_WARN([Forcing off ecccustcurves for FIPS ${FIPS_VERSION}.])
|
||||
ENABLED_ECCCUSTCURVES="no"])
|
||||
|
||||
# Hashing section
|
||||
AS_IF([test "x$ENABLED_SHA3" != "xyes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_sha3" != "no")],
|
||||
[ENABLED_SHA3="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"])
|
||||
|
||||
AS_IF([test "$ENABLED_SHA224" != "yes" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_sha224" != "no")],
|
||||
[ENABLED_SHA224="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"])
|
||||
|
||||
AS_IF([test "$ENABLED_SHA512" = "no" &&
|
||||
(test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
|
||||
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
|
||||
|
||||
# SHA512-224 and SHA512-256 are needed for HashML-DSA (FIPS 204)
|
||||
|
||||
# Shake128 because we're testing SHAKE256
|
||||
AS_IF([test "x$ENABLED_SHAKE128" = "xno" &&
|
||||
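Review bot: The line `AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192 -DWOLFSSL_LMS_SHAKE256"` sits outside the AS_IF that enables LMS, so in a dev build configured with `--disable-lms` the LMS parameter-set defines are still emitted while LMS itself stays off. Guarding it as `AS_IF([test "$ENABLED_LMS" != "no"],[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192 -DWOLFSSL_LMS_SHAKE256"])` after the enabling AS_IF keeps the flags tied to the feature. Separately, the AC_MSG_WARN text promises the SHA-512 DRBG cannot be disabled at build time, yet the hashdrbg master-switch block near the end of the file (only partly visible here) appears to reset ENABLED_SHA512_DRBG=no on `--disable-hashdrbg` while its FIPS override only restores the SHA-256 DRBG; worth confirming that path restores both. The comment `# SHA512-224 and SHA512-256 are needed for HashML-DSA (FIPS 204)` inside the frozen `[v6]` block reads as copied from the v7 block and should say why those algorithms are (or are not) included for v6.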
@@ -6990,6 +7216,10 @@ then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_PQC_HYBRIDS"
|
||||
fi
|
||||
|
||||
# Selftest uses its own random.c which doesn't support SHA-512 DRBG
|
||||
# or runtime DRBG disable/enable APIs
|
||||
AS_IF([test "x$ENABLED_SELFTEST" = "xyes"],
|
||||
[ENABLED_SHA512_DRBG=no])
|
||||
|
||||
AS_IF([test "x$ENABLED_AESXTS" = "xyes"],
|
||||
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_XTS -DWOLFSSL_AES_DIRECT"])
|
||||
@@ -7096,6 +7326,21 @@ then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWC_SRTP_KDF -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT"
|
||||
fi
|
||||
|
||||
# ML-KEM and Dilithium require SHA-3 and SHAKE -- force them on before flag
|
||||
# processing so that the correct -D flags are emitted.
|
||||
if test "$ENABLED_MLKEM" != "no" && test "$ENABLED_LIBOQS" = "no"
|
||||
then
|
||||
ENABLED_SHA3=yes
|
||||
ENABLED_SHAKE128=yes
|
||||
ENABLED_SHAKE256=yes
|
||||
fi
|
||||
if test "$ENABLED_DILITHIUM" != "no" && test "$ENABLED_LIBOQS" = "no"
|
||||
then
|
||||
ENABLED_SHA3=yes
|
||||
ENABLED_SHAKE128=yes
|
||||
ENABLED_SHAKE256=yes
|
||||
fi
|
||||
|
||||
# Set SHA-3 flags
|
||||
if test "$ENABLED_SHA3" != "no"
|
||||
then
|
||||
@@ -7134,6 +7379,305 @@ else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
|
||||
fi
|
||||
|
||||
# MLKEM CFLAG processing (after FIPS section for sandwich pattern)
|
||||
if test "$ENABLED_MLKEM" != "no"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLKEM"
|
||||
# Use liboqs if specified.
|
||||
if test "$ENABLED_LIBOQS" = "no"; then
|
||||
ENABLED_WC_MLKEM=yes
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_MLKEM"
|
||||
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_WC_MLKEM"
|
||||
fi
|
||||
|
||||
if test "$ENABLED_ORIGINAL" = "yes"; then
|
||||
# FIPS 203 (ML-KEM) and Kyber use different implicit rejection.
|
||||
# Kyber mode must not be used in FIPS v7+ builds.
|
||||
AS_IF([test "$HAVE_FIPS_VERSION" -ge 7],
|
||||
[AC_MSG_ERROR([Kyber (--enable-mlkem=original) is not compatible with FIPS v7+. Use ML-KEM (FIPS 203) instead.])])
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_KYBER"
|
||||
if test "$ENABLED_MLKEM512" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER512"
|
||||
fi
|
||||
if test "$ENABLED_MLKEM768" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER768"
|
||||
fi
|
||||
if test "$ENABLED_MLKEM1024" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER1024"
|
||||
fi
|
||||
if test "$ENABLED_ML_KEM" = "unset"; then
|
||||
ENABLED_ML_KEM=no
|
||||
fi
|
||||
fi
|
||||
if test "$ENABLED_ML_KEM" = "unset"; then
|
||||
ENABLED_ML_KEM=yes
|
||||
fi
|
||||
if test "$ENABLED_ML_KEM" = "yes"; then
|
||||
if test "$ENABLED_MLKEM512" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_512"
|
||||
fi
|
||||
if test "$ENABLED_MLKEM768" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_768"
|
||||
fi
|
||||
if test "$ENABLED_MLKEM1024" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_1024"
|
||||
fi
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM"
|
||||
fi
|
||||
if test "$ENABLED_MLKEM_MAKE_KEY" = "no"; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_MAKE_KEY"
|
||||
fi
|
||||
if test "$ENABLED_MLKEM_ENCAPSULATE" = "no"; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_ENCAPSULATE"
|
||||
fi
|
||||
if test "$ENABLED_MLKEM_DECAPSULATE" = "no"; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_DECAPSULATE"
|
||||
fi
|
||||
|
||||
if test "$ENABLED_WC_MLKEM" = "yes"
|
||||
then
|
||||
test "$enable_sha3" = "" && enable_sha3=yes
|
||||
test "$enable_shake128" = "" && enable_shake128=yes
|
||||
test "$enable_shake256" = "" && enable_shake256=yes
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_ARG_ENABLE([tls-mlkem-standalone],
|
||||
[AS_HELP_STRING([--enable-tls-mlkem-standalone],[Enable ML-KEM as standalone TLS key exchange (non-hybrid) (default: disabled)])],
|
||||
[ ENABLED_MLKEM_STANDALONE=$enableval ],
|
||||
[ ENABLED_MLKEM_STANDALONE=no ]
|
||||
)
|
||||
|
||||
AS_IF([ test "$ENABLED_MLKEM_STANDALONE" = "yes" && test "$ENABLED_ML_KEM" = "no" ],[AC_MSG_ERROR([ML-KEM as standalone TLS key exchange (non-hybrid) requires ML-KEM.])])
|
||||
if test "$ENABLED_MLKEM_STANDALONE" != "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_NO_MLKEM_STANDALONE"
|
||||
fi
|
||||
|
||||
AC_ARG_ENABLE([pqc-hybrids],
|
||||
[AS_HELP_STRING([--enable-pqc-hybrids],[Enable PQ/T hybrid combinations (default: enabled)])],
|
||||
[ ENABLED_PQC_HYBRIDS=$enableval ],
|
||||
[ ENABLED_PQC_HYBRIDS=yes ]
|
||||
)
|
||||
|
||||
if test "$ENABLED_PQC_HYBRIDS" = "yes"
|
||||
then
|
||||
if test "$ENABLED_ML_KEM" = "no" || test "$ENABLED_MLKEM" = "no"
|
||||
then
|
||||
ENABLED_PQC_HYBRIDS=no
|
||||
elif test "$ENABLED_MLKEM768" = "" && test "$ENABLED_MLKEM1024" = ""; then
|
||||
AC_MSG_NOTICE([PQC hybrid combinations require either ML-KEM 768 or ML-KEM 1024, but both disabled.])
|
||||
ENABLED_PQC_HYBRIDS=no
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PQC_HYBRIDS"
|
||||
fi
|
||||
fi
|
||||
|
||||
if test "$ENABLED_ML_KEM" != "no" && test "$ENABLED_MLKEM" != "no"
|
||||
then
|
||||
if test "$ENABLED_PQC_HYBRIDS" = "no" && test "$ENABLED_MLKEM_STANDALONE" = "no" && test "$ENABLED_CRYPTONLY" = "no"
|
||||
then
|
||||
AC_MSG_ERROR([Both hybrid PQ/T and standalone ML-KEM are disabled, so no PQC hybrid combinations will be available.])
|
||||
fi
|
||||
fi
|
||||
|
||||
# Extra PQ/T Hybrid combinations
|
||||
AC_ARG_ENABLE([extra-pqc-hybrids],
|
||||
[AS_HELP_STRING([--enable-extra-pqc-hybrids],[Enable extra PQ/T hybrid combinations (default: disabled)])],
|
||||
[ ENABLED_EXTRA_PQC_HYBRIDS=$enableval ],
|
||||
[ ENABLED_EXTRA_PQC_HYBRIDS=no ]
|
||||
)
|
||||
|
||||
if test "$ENABLED_EXTRA_PQC_HYBRIDS" = "yes"
|
||||
then
|
||||
AS_IF([ test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([extra-pqc-hybrids requires --enable-experimental.]) ])
|
||||
AS_IF([ test "$ENABLED_ML_KEM" = "no" ],[ AC_MSG_ERROR([extra-pqc-hybrids requires ML-KEM.]) ])
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_PQC_HYBRIDS"
|
||||
fi
|
||||
|
||||
# Dilithium CFLAG processing (after FIPS section for sandwich pattern)
|
||||
if test "$ENABLED_DILITHIUM" != "no"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_DILITHIUM"
|
||||
|
||||
if test "$ENABLED_MLDSA44" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_44"
|
||||
fi
|
||||
if test "$ENABLED_MLDSA65" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_65"
|
||||
fi
|
||||
if test "$ENABLED_MLDSA87" = ""; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_87"
|
||||
fi
|
||||
if test "$ENABLED_DILITHIUM_MAKE_KEY" = "no"; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_MAKE_KEY"
|
||||
fi
|
||||
if test "$ENABLED_DILITHIUM_SIGN" = "no"; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_SIGN"
|
||||
fi
|
||||
if test "$ENABLED_DILITHIUM_VERIFY" = "no"; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_VERIFY"
|
||||
fi
|
||||
|
||||
if test "$ENABLED_LIBOQS" = "no"; then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_DILITHIUM"
|
||||
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_WC_DILITHIUM"
|
||||
test "$enable_sha3" = "" && enable_sha3=yes
|
||||
test "$enable_shake128" = "" && enable_shake128=yes
|
||||
test "$enable_shake256" = "" && enable_shake256=yes
|
||||
fi
|
||||
ENABLED_CERTS=yes
|
||||
fi
|
||||
|
||||
# XMSS CFLAG processing (after FIPS section for sandwich pattern)
|
||||
if test "$ENABLED_XMSS" != "no"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_XMSS"
|
||||
|
||||
# Use hash-sigs XMSS lib if enabled.
|
||||
if test "$ENABLED_LIBXMSS" = "yes"; then
|
||||
ENABLED_WC_XMSS=no
|
||||
else
|
||||
ENABLED_WC_XMSS=yes
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_XMSS"
|
||||
fi
|
||||
fi
|
||||
|
||||
# LMS CFLAG processing (after FIPS section for sandwich pattern)
|
||||
if test "$ENABLED_LMS" != "no"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_LMS"
|
||||
|
||||
# Use hash-sigs LMS lib if enabled.
|
||||
if test "$ENABLED_LIBLMS" = "yes"; then
|
||||
ENABLED_WC_LMS=no
|
||||
else
|
||||
ENABLED_WC_LMS=yes
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_LMS"
|
||||
fi
|
||||
fi
|
||||
|
||||
# SLH-DSA CFLAG processing (after FIPS section for sandwich pattern)
|
||||
if test "$ENABLED_SLHDSA" != "no"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SLHDSA"
|
||||
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SLHDSA"
|
||||
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_SLHDSA"
|
||||
|
||||
if test "$SLHDSA_PARAM_128S" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128S"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128S"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_128F" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128F"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128F"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_192S" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192S"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192S"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_192F" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192F"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192F"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_256S" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256S"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256S"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_256F" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256F"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256F"
|
||||
fi
|
||||
|
||||
# SHA2 parameter set support
|
||||
if test "$SLHDSA_SHA2" = "yes"
|
||||
then
|
||||
# Dependency checks for SHA2 SLH-DSA
|
||||
if test "$ENABLED_SHA256" = "no"
|
||||
then
|
||||
AC_MSG_ERROR([SLH-DSA SHA2 requires SHA-256 (--enable-sha256)])
|
||||
fi
|
||||
if test "$ENABLED_SHA512" = "no"
|
||||
then
|
||||
AC_MSG_ERROR([SLH-DSA SHA2 requires SHA-512 (--enable-sha512)])
|
||||
fi
|
||||
if test "$ENABLED_HMAC" = "no"
|
||||
then
|
||||
AC_MSG_ERROR([SLH-DSA SHA2 requires HMAC (--enable-hmac)])
|
||||
fi
|
||||
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_SHA2"
|
||||
|
||||
if test "$SLHDSA_PARAM_SHA2_128S" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_128S"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_128S"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_SHA2_128F" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_128F"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_128F"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_SHA2_192S" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_192S"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_192S"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_SHA2_192F" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_192F"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_192F"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_SHA2_256S" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_256S"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_256S"
|
||||
fi
|
||||
if test "$SLHDSA_PARAM_SHA2_256F" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_256F"
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_256F"
|
||||
fi
|
||||
fi
|
||||
|
||||
# SLH-DSA requires SHAKE-256 (and SHA-3 as its dependency).
|
||||
# This runs after the SHAKE256 flags section, so we must set both the
|
||||
# ENABLED variable and emit the CFLAGS ourselves.
|
||||
if test "$ENABLED_SHAKE256" = "no" || test "$ENABLED_SHAKE256" = ""
|
||||
then
|
||||
ENABLED_SHAKE256=yes
|
||||
if test "$ENABLED_SHA3" = "no"
|
||||
then
|
||||
ENABLED_SHA3=yes
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"
|
||||
fi
|
||||
# Remove -DWOLFSSL_NO_SHAKE256 if it was already added and add the
|
||||
# positive define.
|
||||
AM_CFLAGS=$(echo "$AM_CFLAGS" | sed 's/-DWOLFSSL_NO_SHAKE256//g')
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE256"
|
||||
fi
|
||||
fi
|
||||
|
||||
# set POLY1305 default
|
||||
POLY1305_DEFAULT=yes
|
||||
|
||||
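Review bot: `AS_IF([test "$HAVE_FIPS_VERSION" -ge 7], ...)` in the Kyber (`ENABLED_ORIGINAL`) branch runs for every build, and in a non-FIPS configuration HAVE_FIPS_VERSION is, as far as this hunk shows, never assigned, so `test "" -ge 7` prints `integer expression expected` and is treated as false; the build continues but configure output is polluted. Guarding on FIPS first and defaulting the value, `AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "${HAVE_FIPS_VERSION:-0}" -ge 7],`, makes the check explicit and quiet. In the SLH-DSA block, `sed 's/-DWOLFSSL_NO_SHAKE256//g'` matches as a substring and would also truncate any longer flag that starts with that text; anchoring on the surrounding separators, e.g. `sed 's/ -DWOLFSSL_NO_SHAKE256 / /g; s/ -DWOLFSSL_NO_SHAKE256$//'`, avoids that, assuming flags are always space-separated as the `"$AM_CFLAGS -D..."` appends suggest. The same block upgrades SHA-3 only when `ENABLED_SHA3` is exactly `no`, whereas the SHAKE256 test also accepts the empty string; the two conditions should probably match.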
@@ -7248,27 +7792,60 @@ then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUF_TEST"
|
||||
fi
|
||||
|
||||
# Hash DRBG
|
||||
# Hash DRBG (master switch for all Hash DRBGs)
|
||||
AC_ARG_ENABLE([hashdrbg],
|
||||
[AS_HELP_STRING([--enable-hashdrbg],[Enable Hash DRBG support (default: enabled)])],
|
||||
[ ENABLED_HASHDRBG=$enableval ],
|
||||
[ ENABLED_HASHDRBG=yes ]
|
||||
)
|
||||
|
||||
# If hashdrbg is explicitly disabled, force both sub-options off
|
||||
if test "x$ENABLED_HASHDRBG" = "xno"
|
||||
then
|
||||
ENABLED_SHA256_DRBG=no
|
||||
ENABLED_SHA512_DRBG=no
|
||||
fi
|
||||
|
||||
# If both sub-options are off, treat hashdrbg as off
|
||||
if test "x$ENABLED_SHA256_DRBG" != "xyes" && test "x$ENABLED_SHA512_DRBG" != "xyes"
|
||||
then
|
||||
ENABLED_HASHDRBG=no
|
||||
fi
|
||||
|
||||
# FIPS override: Hash DRBG is mandatory
|
||||
if test "x$ENABLED_HASHDRBG" != "xyes" && test "x$ENABLED_FIPS" = "xyes" && test "x$ENABLED_KCAPI" = "xno"
|
||||
then
|
||||
if test "$enable_hashdrbg" = "no"
|
||||
then
|
||||
AC_MSG_WARN([SHA256-DRBG required in FIPS build])
|
||||
fi
|
||||
ENABLED_HASHDRBG=yes
|
||||
ENABLED_SHA256_DRBG=yes
|
||||
fi
|
||||
|
||||
# SHA-512 DRBG and runtime DRBG disable/enable APIs are v7+ only
|
||||
if test "x$ENABLED_FIPS" = "xyes" && test $HAVE_FIPS_VERSION -lt 7
|
||||
then
|
||||
ENABLED_SHA512_DRBG=no
|
||||
fi
|
||||
|
||||
# Set Hash DRBG compiler flags
|
||||
if test "x$ENABLED_HASHDRBG" = "xyes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG"
|
||||
else
|
||||
# turn on Hash DRBG if FIPS is on (don't force on for KCAPI)
|
||||
if test "x$ENABLED_FIPS" = "xyes" && test "x$ENABLED_KCAPI" = "xno"
|
||||
if test "x$ENABLED_SHA256_DRBG" != "xyes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG"
|
||||
ENABLED_HASHDRBG=yes
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWC_NO_HASHDRBG"
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHA256_DRBG"
|
||||
fi
|
||||
if test "x$ENABLED_SHA512_DRBG" = "xyes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DRBG_SHA512"
|
||||
fi
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWC_NO_HASHDRBG"
|
||||
fi
|
||||
|
||||
|
||||
# MemUse Entropy (AKA wolfEntropy)
|
||||
if test "x$ENABLED_ENTROPY_MEMUSE" != "xno"
|
||||
then
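Review bot: The `test $HAVE_FIPS_VERSION -lt 7` block that forces `ENABLED_SHA512_DRBG=no` runs after both the "If both sub-options are off" check and the FIPS override, so a pre-v7 FIPS configure with the SHA-256 DRBG disabled and only the SHA-512 DRBG requested keeps `ENABLED_HASHDRBG=yes`, then loses SHA-512, and emits `-DHAVE_HASHDRBG -DWOLFSSL_NO_SHA256_DRBG` with no DRBG compiled in at all. Move that version gate above the "If both sub-options are off" check so the FIPS override sees the final SHA-512 state, or fail closed after it with `if test "x$ENABLED_FIPS" = "xyes" && test "x$ENABLED_SHA256_DRBG" != "xyes" && test "x$ENABLED_SHA512_DRBG" != "xyes"; then AC_MSG_ERROR([FIPS build requires at least one Hash DRBG]); fi`. Whether the defaults make this combination reachable depends on where ENABLED_SHA256_DRBG and ENABLED_SHA512_DRBG are first assigned, which is outside this hunk. Separately, `$HAVE_FIPS_VERSION` is unquoted in that `test`; if it is ever empty in a FIPS build the comparison errors out instead of disabling SHA-512, so `test "${HAVE_FIPS_VERSION:-0}" -lt 7` would be safer.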
|
||||
@@ -10860,6 +11437,11 @@ AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
|
||||
test "x$ENABLED_LEANPSK" = "xyes"],
|
||||
[AC_MSG_ERROR([Cannot use Max Strength and Lean PSK at the same time.])])
|
||||
|
||||
AS_IF([test "x$ENABLED_CRYPTONLY" = "xno" && \
|
||||
test "x$ENABLED_PSK" = "xno" && \
|
||||
test "x$ENABLED_ASN" = "xno"],
|
||||
[AC_MSG_ERROR([please enable psk if disabling asn.])])
|
||||
|
||||
AS_IF([test "x$ENABLED_OCSP" = "xyes" && \
|
||||
test "x$ENABLED_ASN" = "xno"],
|
||||
[AC_MSG_ERROR([please enable asn if enabling ocsp.])])
|
||||
@@ -11625,6 +12207,8 @@ AM_CONDITIONAL([BUILD_FIPS_V5],[test "$HAVE_FIPS_VERSION" = 5])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V5_PLUS],[test "$HAVE_FIPS_VERSION" -ge 5])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V6],[test $HAVE_FIPS_VERSION = 6])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V6_PLUS],[test $HAVE_FIPS_VERSION -ge 6])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V7],[test $HAVE_FIPS_VERSION = 7])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V7_PLUS],[test $HAVE_FIPS_VERSION -ge 7])
|
||||
AM_CONDITIONAL([BUILD_SIPHASH],[test "x$ENABLED_SIPHASH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
|
||||
AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
|
||||
AM_CONDITIONAL([BUILD_SHE],[test "x$ENABLED_SHE" = "xstandard" || test "x$ENABLED_SHE" = "xextended" || test "x$ENABLED_USERSETTINGS" = "xyes"])
|
||||
@@ -12115,6 +12699,8 @@ echo " * certgencache: $ENABLED_certgencache"
|
||||
echo " * CHACHA: $ENABLED_CHACHA"
|
||||
echo " * XCHACHA: $ENABLED_XCHACHA"
|
||||
echo " * Hash DRBG: $ENABLED_HASHDRBG"
|
||||
echo " * SHA-256 Hash DRBG: $ENABLED_SHA256_DRBG"
|
||||
echo " * SHA-512 Hash DRBG: $ENABLED_SHA512_DRBG"
|
||||
echo " * MmemUse Entropy:"
|
||||
echo " * (AKA: wolfEntropy): $ENABLED_ENTROPY_MEMUSE"
|
||||
echo " * PWDBASED: $ENABLED_PWDBASED"
|
||||
|
||||
@@ -583,3 +583,240 @@ int wc_Entropy_Get(int bits, unsigned char* entropy, word32 len);
|
||||
\sa wc_Entropy_Get
|
||||
*/
|
||||
int wc_Entropy_OnDemandTest(void);
|
||||
|
||||
/*!
|
||||
\ingroup Random
|
||||
|
||||
\brief Runs the SHA-512 Hash_DRBG Known Answer Test (KAT) per
|
||||
SP 800-90A. Instantiates a SHA-512 DRBG with seedA, optionally
|
||||
reseeds with seedB, generates output, and compares against known
|
||||
test vectors. Available when WOLFSSL_DRBG_SHA512 is defined.
|
||||
|
||||
\return 0 On success
|
||||
\return BAD_FUNC_ARG If seedA or output is NULL, or if reseed is
|
||||
set and seedB is NULL
|
||||
\return -1 Test failed
|
||||
|
||||
\param reseed Non-zero to test reseeding
|
||||
\param seedA Initial entropy seed
|
||||
\param seedASz Size of seedA in bytes
|
||||
\param seedB Reseed entropy (required if reseed is set)
|
||||
\param seedBSz Size of seedB in bytes
|
||||
\param output Buffer to receive generated output
|
||||
\param outputSz Size of output in bytes
|
||||
|
||||
_Example_
|
||||
\code
|
||||
byte output[WC_SHA512_DIGEST_SIZE * 4];
|
||||
const byte seedA[] = { ... };
|
||||
const byte seedB[] = { ... };
|
||||
|
||||
ret = wc_RNG_HealthTest_SHA512(0, seedA, sizeof(seedA), NULL, 0,
|
||||
output, sizeof(output));
|
||||
if (ret != 0)
|
||||
return -1;
|
||||
|
||||
ret = wc_RNG_HealthTest_SHA512(1, seedA, sizeof(seedA),
|
||||
seedB, sizeof(seedB),
|
||||
output, sizeof(output));
|
||||
if (ret != 0)
|
||||
return -1;
|
||||
\endcode
|
||||
|
||||
\sa wc_RNG_HealthTest
|
||||
\sa wc_RNG_HealthTest_SHA512_ex
|
||||
*/
|
||||
int wc_RNG_HealthTest_SHA512(int reseed, const byte* seedA, word32 seedASz,
|
||||
const byte* seedB, word32 seedBSz,
|
||||
byte* output, word32 outputSz);
|
||||
|
||||
/*!
|
||||
\ingroup Random
|
||||
|
||||
\brief Extended SHA-512 Hash_DRBG health test with nonce,
|
||||
personalization string, and additional input support. Suitable
|
||||
for full ACVP / CAVP test vector validation. Available when
|
||||
WOLFSSL_DRBG_SHA512 is defined.
|
||||
|
||||
\return 0 On success
|
||||
\return BAD_FUNC_ARG If required params are NULL
|
||||
\return -1 Test failed
|
||||
|
||||
\param reseed Non-zero to test reseeding
|
||||
\param nonce Nonce buffer (can be NULL)
|
||||
\param nonceSz Nonce size
|
||||
\param persoString Personalization string (can be NULL)
|
||||
\param persoStringSz Personalization string size
|
||||
\param seedA Initial entropy seed
|
||||
\param seedASz Initial seed size
|
||||
\param seedB Reseed entropy (required if reseed is set)
|
||||
\param seedBSz Reseed size
|
||||
\param additionalA Additional input for first generate (can be NULL)
|
||||
\param additionalASz Additional input A size
|
||||
\param additionalB Additional input for second generate (can be NULL)
|
||||
\param additionalBSz Additional input B size
|
||||
\param output Output buffer
|
||||
\param outputSz Output size
|
||||
\param heap Heap hint (can be NULL)
|
||||
\param devId Device ID (INVALID_DEVID for software)
|
||||
|
||||
_Example_
|
||||
\code
|
||||
byte output[WC_SHA512_DIGEST_SIZE * 4];
|
||||
const byte seedA[] = { ... };
|
||||
const byte nonce[] = { ... };
|
||||
|
||||
int ret = wc_RNG_HealthTest_SHA512_ex(0, nonce, sizeof(nonce),
|
||||
NULL, 0,
|
||||
seedA, sizeof(seedA),
|
||||
NULL, 0,
|
||||
NULL, 0, NULL, 0,
|
||||
output, sizeof(output),
|
||||
NULL, INVALID_DEVID);
|
||||
\endcode
|
||||
|
||||
\sa wc_RNG_HealthTest_SHA512
|
||||
\sa wc_RNG_HealthTest_ex
|
||||
*/
|
||||
int wc_RNG_HealthTest_SHA512_ex(int reseed, const byte* nonce, word32 nonceSz,
|
||||
const byte* persoString, word32 persoStringSz,
|
||||
const byte* seedA, word32 seedASz,
|
||||
const byte* seedB, word32 seedBSz,
|
||||
const byte* additionalA, word32 additionalASz,
|
||||
const byte* additionalB, word32 additionalBSz,
|
||||
byte* output, word32 outputSz,
|
||||
void* heap, int devId);
|
||||
|
||||
/*!
|
||||
\ingroup Random
|
||||
|
||||
\brief Disables the SHA-256 Hash_DRBG at runtime. When disabled,
|
||||
newly initialized WC_RNG instances will not use the SHA-256 DRBG.
|
||||
If the SHA-512 DRBG is enabled (WOLFSSL_DRBG_SHA512), new RNG
|
||||
instances will use SHA-512 instead. Requires HAVE_HASHDRBG.
|
||||
|
||||
\return 0 On success
|
||||
|
||||
_Example_
|
||||
\code
|
||||
wc_Sha256Drbg_Disable();
|
||||
// New WC_RNG instances will now use SHA-512 DRBG if available
|
||||
WC_RNG rng;
|
||||
wc_InitRng(&rng);
|
||||
\endcode
|
||||
|
||||
\sa wc_Sha256Drbg_Enable
|
||||
\sa wc_Sha256Drbg_IsDisabled
|
||||
\sa wc_Sha512Drbg_Disable
|
||||
*/
|
||||
int wc_Sha256Drbg_Disable(void);
|
||||
|
||||
/*!
|
||||
\ingroup Random
|
||||
|
||||
\brief Re-enables the SHA-256 Hash_DRBG at runtime after a prior
|
||||
call to wc_Sha256Drbg_Disable(). Requires HAVE_HASHDRBG.
|
||||
|
||||
\return 0 On success
|
||||
|
||||
_Example_
|
||||
\code
|
||||
wc_Sha256Drbg_Disable();
|
||||
// ... use SHA-512 DRBG only ...
|
||||
wc_Sha256Drbg_Enable();
|
||||
// New WC_RNG instances can use SHA-256 DRBG again
|
||||
\endcode
|
||||
|
||||
\sa wc_Sha256Drbg_Disable
|
||||
\sa wc_Sha256Drbg_IsDisabled
|
||||
*/
|
||||
int wc_Sha256Drbg_Enable(void);
|
||||
|
||||
/*!
|
||||
\ingroup Random
|
||||
|
||||
\brief Returns whether the SHA-256 Hash_DRBG is currently disabled.
|
||||
Requires HAVE_HASHDRBG.
|
||||
|
||||
\return 1 SHA-256 DRBG is disabled
|
||||
\return 0 SHA-256 DRBG is enabled (not disabled)
|
||||
|
||||
_Example_
|
||||
\code
|
||||
if (wc_Sha256Drbg_IsDisabled()) {
|
||||
printf("SHA-256 DRBG is off\n");
|
||||
}
|
||||
\endcode
|
||||
|
||||
\sa wc_Sha256Drbg_Disable
|
||||
\sa wc_Sha256Drbg_Enable
|
||||
*/
|
||||
int wc_Sha256Drbg_IsDisabled(void);
|
||||
|
||||
/*!
|
||||
\ingroup Random
|
||||
|
||||
\brief Disables the SHA-512 Hash_DRBG at runtime. When disabled,
|
||||
newly initialized WC_RNG instances will not use the SHA-512 DRBG.
|
||||
If the SHA-256 DRBG is still enabled, new RNG instances will fall
|
||||
back to SHA-256. Available when WOLFSSL_DRBG_SHA512 is defined.
|
||||
Requires HAVE_HASHDRBG.
|
||||
|
||||
\return 0 On success
|
||||
|
||||
_Example_
|
||||
\code
|
||||
wc_Sha512Drbg_Disable();
|
||||
// New WC_RNG instances will now use SHA-256 DRBG
|
||||
WC_RNG rng;
|
||||
wc_InitRng(&rng);
|
||||
\endcode
|
||||
|
||||
\sa wc_Sha512Drbg_Enable
|
||||
\sa wc_Sha512Drbg_IsDisabled
|
||||
\sa wc_Sha256Drbg_Disable
|
||||
*/
|
||||
int wc_Sha512Drbg_Disable(void);
|
||||
|
||||
/*!
|
||||
\ingroup Random
|
||||
|
||||
\brief Re-enables the SHA-512 Hash_DRBG at runtime after a prior
|
||||
call to wc_Sha512Drbg_Disable(). Available when WOLFSSL_DRBG_SHA512
|
||||
is defined. Requires HAVE_HASHDRBG.
|
||||
|
||||
\return 0 On success
|
||||
|
||||
_Example_
|
||||
\code
|
||||
wc_Sha512Drbg_Disable();
|
||||
// ... use SHA-256 DRBG only ...
|
||||
wc_Sha512Drbg_Enable();
|
||||
// New WC_RNG instances can use SHA-512 DRBG again
|
||||
\endcode
|
||||
|
||||
\sa wc_Sha512Drbg_Disable
|
||||
\sa wc_Sha512Drbg_IsDisabled
|
||||
*/
|
||||
int wc_Sha512Drbg_Enable(void);
|
||||
|
||||
/*!
|
||||
\ingroup Random
|
||||
|
||||
\brief Returns whether the SHA-512 Hash_DRBG is currently disabled.
|
||||
Available when WOLFSSL_DRBG_SHA512 is defined. Requires HAVE_HASHDRBG.
|
||||
|
||||
\return 1 SHA-512 DRBG is disabled
|
||||
\return 0 SHA-512 DRBG is enabled (not disabled)
|
||||
|
||||
_Example_
|
||||
\code
|
||||
if (wc_Sha512Drbg_IsDisabled()) {
|
||||
printf("SHA-512 DRBG is off\n");
|
||||
}
|
||||
\endcode
|
||||
|
||||
\sa wc_Sha512Drbg_Disable
|
||||
\sa wc_Sha512Drbg_Enable
|
||||
*/
|
||||
int wc_Sha512Drbg_IsDisabled(void);
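Review bot: The wc_Sha256Drbg_Disable()/wc_Sha512Drbg_Disable() docs do not say what happens when no Hash DRBG remains enabled (for example wc_Sha256Drbg_Disable() in a build without WOLFSSL_DRBG_SHA512, or both disable calls in sequence), nor whether the switch is a process-wide setting visible to wc_InitRng() calls on other threads, which is what a caller needs to know before flipping it. Suggest adding to each disable \brief a sentence along the lines of `This is a global setting; already-initialized WC_RNG instances are unaffected. If no Hash DRBG remains enabled, document what wc_InitRng() returns in that case` with the actual error code from the implementation, and have the examples check the return of `wc_InitRng(&rng)` rather than ignoring it. The wc_RNG_HealthTest_SHA512() docs should also state the minimum `outputSz` the KAT requires, since the example's `WC_SHA512_DIGEST_SIZE * 4` is presented without explanation.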
|
||||
|
||||
@@ -0,0 +1,793 @@
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Initializes an SLH-DSA key object with the specified parameter set.
|
||||
Must be called before any other SLH-DSA operation. Use wc_SlhDsaKey_Free()
|
||||
to release resources when done.
|
||||
|
||||
SLH-DSA (FIPS 205) is a stateless hash-based digital signature algorithm.
|
||||
Parameter sets control the hash function (SHAKE or SHA2), security level
|
||||
(128, 192, 256), and speed/size tradeoff (s = small signatures,
|
||||
f = fast signing).
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key is NULL or param is invalid.
|
||||
|
||||
\param [in,out] key Pointer to the SlhDsaKey to initialize.
|
||||
\param [in] param Parameter set to use. One of: SLHDSA_SHAKE128S,
|
||||
SLHDSA_SHAKE128F, SLHDSA_SHAKE192S, SLHDSA_SHAKE192F, SLHDSA_SHAKE256S,
|
||||
SLHDSA_SHAKE256F, SLHDSA_SHA2_128S, SLHDSA_SHA2_128F, SLHDSA_SHA2_192S,
|
||||
SLHDSA_SHA2_192F, SLHDSA_SHA2_256S, SLHDSA_SHA2_256F.
|
||||
\param [in] heap Pointer to heap hint for dynamic memory allocation.
|
||||
May be NULL.
|
||||
\param [in] devId Device identifier for hardware crypto callbacks.
|
||||
Use INVALID_DEVID for software-only.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
int ret;
|
||||
|
||||
ret = wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
|
||||
if (ret != 0) {
|
||||
// error initializing key
|
||||
}
|
||||
// ... use key ...
|
||||
wc_SlhDsaKey_Free(&key);
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_Free
|
||||
\sa wc_SlhDsaKey_MakeKey
|
||||
*/
|
||||
int wc_SlhDsaKey_Init(SlhDsaKey* key, enum SlhDsaParam param,
|
||||
void* heap, int devId);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Frees resources associated with an SLH-DSA key object.
|
||||
|
||||
\param [in,out] key Pointer to the SlhDsaKey to free. May be NULL.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
|
||||
// ... use key ...
|
||||
wc_SlhDsaKey_Free(&key);
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_Init
|
||||
*/
|
||||
void wc_SlhDsaKey_Free(SlhDsaKey* key);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Generates a new SLH-DSA key pair using the RNG for randomness.
|
||||
The key must have been initialized with wc_SlhDsaKey_Init() first.
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key or rng is NULL, or key is not initialized.
|
||||
|
||||
\param [in,out] key Pointer to an initialized SlhDsaKey.
|
||||
\param [in] rng Pointer to an initialized WC_RNG.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
WC_RNG rng;
|
||||
int ret;
|
||||
|
||||
wc_InitRng(&rng);
|
||||
wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
|
||||
ret = wc_SlhDsaKey_MakeKey(&key, &rng);
|
||||
if (ret != 0) {
|
||||
// error generating key
|
||||
}
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_Init
|
||||
\sa wc_SlhDsaKey_MakeKeyWithRandom
|
||||
*/
|
||||
int wc_SlhDsaKey_MakeKey(SlhDsaKey* key, WC_RNG* rng);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Generates an SLH-DSA key pair from caller-provided seed material.
|
||||
This is the deterministic key generation interface — given the same seeds,
|
||||
the same key pair is produced.
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key or any seed pointer is NULL, or lengths
|
||||
do not match the parameter set's n value.
|
||||
|
||||
\param [in,out] key Pointer to an initialized SlhDsaKey.
|
||||
\param [in] sk_seed Secret key seed (n bytes).
|
||||
\param [in] sk_seed_len Length of sk_seed.
|
||||
\param [in] sk_prf Secret key PRF seed (n bytes).
|
||||
\param [in] sk_prf_len Length of sk_prf.
|
||||
\param [in] pk_seed Public key seed (n bytes).
|
||||
\param [in] pk_seed_len Length of pk_seed.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte sk_seed[16], sk_prf[16], pk_seed[16]; // n=16 for 128-bit params
|
||||
int ret;
|
||||
|
||||
// fill seeds with known values (e.g. from NIST test vectors)
|
||||
wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
|
||||
ret = wc_SlhDsaKey_MakeKeyWithRandom(&key,
|
||||
sk_seed, sizeof(sk_seed),
|
||||
sk_prf, sizeof(sk_prf),
|
||||
pk_seed, sizeof(pk_seed));
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_MakeKey
|
||||
*/
|
||||
int wc_SlhDsaKey_MakeKeyWithRandom(SlhDsaKey* key,
|
||||
const byte* sk_seed, word32 sk_seed_len,
|
||||
const byte* sk_prf, word32 sk_prf_len,
|
||||
const byte* pk_seed, word32 pk_seed_len);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Signs a message using the SLH-DSA external (pure) interface with
|
||||
deterministic randomness. This is FIPS 205 Algorithm 22 with opt_rand set
|
||||
to PK.seed. The message M is wrapped internally as
|
||||
M' = 0x00 || len(ctx) || ctx || M before signing.
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key, msg, sig, or sigSz is NULL.
|
||||
\return BUFFER_E if the output buffer is too small.
|
||||
|
||||
\param [in] key Pointer to a private SlhDsaKey.
|
||||
\param [in] ctx Context string for domain separation. May be NULL if
|
||||
ctxSz is 0.
|
||||
\param [in] ctxSz Length of the context string (0-255).
|
||||
\param [in] msg Pointer to the message to sign.
|
||||
\param [in] msgSz Length of the message.
|
||||
\param [out] sig Buffer to receive the signature.
|
||||
\param [in,out] sigSz On input, size of sig buffer. On output, actual
|
||||
signature length.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte sig[WC_SLHDSA_MAX_SIG_LEN];
|
||||
word32 sigSz = sizeof(sig);
|
||||
byte msg[] = "Hello World!";
|
||||
int ret;
|
||||
|
||||
// key already generated via wc_SlhDsaKey_MakeKey()
|
||||
ret = wc_SlhDsaKey_SignDeterministic(&key, NULL, 0,
|
||||
msg, sizeof(msg), sig, &sigSz);
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_SignWithRandom
|
||||
\sa wc_SlhDsaKey_Sign
|
||||
\sa wc_SlhDsaKey_Verify
|
||||
*/
|
||||
int wc_SlhDsaKey_SignDeterministic(SlhDsaKey* key, const byte* ctx,
|
||||
byte ctxSz, const byte* msg, word32 msgSz, byte* sig, word32* sigSz);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Signs a message using the SLH-DSA external (pure) interface with
|
||||
caller-provided additional randomness. This is FIPS 205 Algorithm 22 with
|
||||
an explicit opt_rand value.
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key, msg, sig, sigSz, or addRnd is NULL.
|
||||
|
||||
\param [in] key Pointer to a private SlhDsaKey.
|
||||
\param [in] ctx Context string. May be NULL if ctxSz is 0.
|
||||
\param [in] ctxSz Length of the context string (0-255).
|
||||
\param [in] msg Pointer to the message to sign.
|
||||
\param [in] msgSz Length of the message.
|
||||
\param [out] sig Buffer to receive the signature.
|
||||
\param [in,out] sigSz On input, size of sig buffer. On output, actual
|
||||
signature length.
|
||||
\param [in] addRnd Additional randomness (n bytes, where n is the
|
||||
parameter set's security parameter).
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte sig[WC_SLHDSA_MAX_SIG_LEN];
|
||||
word32 sigSz = sizeof(sig);
|
||||
byte msg[] = "Hello World!";
|
||||
byte addRnd[16]; // n=16 for 128-bit params
|
||||
int ret;
|
||||
|
||||
wc_RNG_GenerateBlock(&rng, addRnd, sizeof(addRnd));
|
||||
ret = wc_SlhDsaKey_SignWithRandom(&key, NULL, 0,
|
||||
msg, sizeof(msg), sig, &sigSz, addRnd);
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_SignDeterministic
|
||||
\sa wc_SlhDsaKey_Sign
|
||||
*/
|
||||
int wc_SlhDsaKey_SignWithRandom(SlhDsaKey* key, const byte* ctx,
|
||||
byte ctxSz, const byte* msg, word32 msgSz, byte* sig, word32* sigSz,
|
||||
const byte* addRnd);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Signs a message using the SLH-DSA external (pure) interface with
|
||||
RNG-provided randomness. This is the general-purpose signing function
|
||||
that uses the WC_RNG for opt_rand.
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key, msg, sig, sigSz, or rng is NULL.
|
||||
|
||||
\param [in] key Pointer to a private SlhDsaKey.
|
||||
\param [in] ctx Context string. May be NULL if ctxSz is 0.
|
||||
\param [in] ctxSz Length of the context string (0-255).
|
||||
\param [in] msg Pointer to the message to sign.
|
||||
\param [in] msgSz Length of the message.
|
||||
\param [out] sig Buffer to receive the signature.
|
||||
\param [in,out] sigSz On input, size of sig buffer. On output, actual
|
||||
signature length.
|
||||
\param [in] rng Pointer to an initialized WC_RNG.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
WC_RNG rng;
|
||||
byte sig[WC_SLHDSA_MAX_SIG_LEN];
|
||||
word32 sigSz = sizeof(sig);
|
||||
byte msg[] = "Hello World!";
|
||||
int ret;
|
||||
|
||||
ret = wc_SlhDsaKey_Sign(&key, NULL, 0,
|
||||
msg, sizeof(msg), sig, &sigSz, &rng);
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_SignDeterministic
|
||||
\sa wc_SlhDsaKey_Verify
|
||||
*/
|
||||
int wc_SlhDsaKey_Sign(SlhDsaKey* key, const byte* ctx,
|
||||
byte ctxSz, const byte* msg, word32 msgSz, byte* sig, word32* sigSz,
|
||||
WC_RNG* rng);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Verifies an SLH-DSA signature over a message using the external
|
||||
(pure) interface. This is FIPS 205 Algorithm 23. The message is wrapped
|
||||
internally as M' = 0x00 || len(ctx) || ctx || M before verification.
|
||||
|
||||
\return 0 on success (signature valid).
|
||||
\return BAD_FUNC_ARG if key, msg, or sig is NULL.
|
||||
\return SIG_VERIFY_E if the signature is invalid.
|
||||
|
||||
\param [in] key Pointer to a public SlhDsaKey.
|
||||
\param [in] ctx Context string. May be NULL if ctxSz is 0.
|
||||
\param [in] ctxSz Length of the context string (0-255).
|
||||
\param [in] msg Pointer to the message to verify.
|
||||
\param [in] msgSz Length of the message.
|
||||
\param [in] sig Pointer to the signature to verify.
|
||||
\param [in] sigSz Length of the signature.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte sig[...]; // previously generated signature
|
||||
word32 sigSz;
|
||||
byte msg[] = "Hello World!";
|
||||
int ret;
|
||||
|
||||
ret = wc_SlhDsaKey_Verify(&key, NULL, 0,
|
||||
msg, sizeof(msg), sig, sigSz);
|
||||
if (ret == 0) {
|
||||
// signature is valid
|
||||
}
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_Sign
|
||||
\sa wc_SlhDsaKey_SignDeterministic
|
||||
*/
|
||||
int wc_SlhDsaKey_Verify(SlhDsaKey* key, const byte* ctx,
|
||||
byte ctxSz, const byte* msg, word32 msgSz, const byte* sig,
|
||||
word32 sigSz);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Signs using the SLH-DSA internal interface with deterministic
|
||||
randomness. Unlike the external interface, M' is provided directly by
|
||||
the caller — no 0x00||len(ctx)||ctx||M wrapping is performed. This
|
||||
corresponds to FIPS 205 Algorithm 19 (slh_sign_internal) with opt_rand
|
||||
set to PK.seed.
|
||||
|
||||
Use this when the CAVP test framework or protocol layer has already
|
||||
constructed M'.
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key, mprime, sig, or sigSz is NULL.
|
||||
|
||||
\param [in] key Pointer to a private SlhDsaKey.
|
||||
\param [in] mprime Pointer to the pre-constructed M' message.
|
||||
\param [in] mprimeSz Length of M'.
|
||||
\param [out] sig Buffer to receive the signature.
|
||||
\param [in,out] sigSz On input, size of sig buffer. On output, actual
|
||||
signature length.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte sig[WC_SLHDSA_MAX_SIG_LEN];
|
||||
word32 sigSz = sizeof(sig);
|
||||
byte mprime[] = { ... }; // pre-constructed M'
|
||||
int ret;
|
||||
|
||||
ret = wc_SlhDsaKey_SignMsgDeterministic(&key,
|
||||
mprime, sizeof(mprime), sig, &sigSz);
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_SignMsgWithRandom
|
||||
\sa wc_SlhDsaKey_VerifyMsg
|
||||
\sa wc_SlhDsaKey_SignDeterministic
|
||||
*/
|
||||
int wc_SlhDsaKey_SignMsgDeterministic(SlhDsaKey* key,
|
||||
const byte* mprime, word32 mprimeSz, byte* sig, word32* sigSz);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Signs using the SLH-DSA internal interface with caller-provided
|
||||
additional randomness. M' is provided directly — no wrapping is performed.
|
||||
This corresponds to FIPS 205 Algorithm 19 (slh_sign_internal) with an
|
||||
explicit opt_rand value.
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key, mprime, sig, sigSz, or addRnd is NULL.
|
||||
|
||||
\param [in] key Pointer to a private SlhDsaKey.
|
||||
\param [in] mprime Pointer to the pre-constructed M' message.
|
||||
\param [in] mprimeSz Length of M'.
|
||||
\param [out] sig Buffer to receive the signature.
|
||||
\param [in,out] sigSz On input, size of sig buffer. On output, actual
|
||||
signature length.
|
||||
\param [in] addRnd Additional randomness (n bytes).
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte sig[WC_SLHDSA_MAX_SIG_LEN];
|
||||
word32 sigSz = sizeof(sig);
|
||||
byte mprime[] = { ... };
|
||||
byte addRnd[16];
|
||||
int ret;
|
||||
|
||||
wc_RNG_GenerateBlock(&rng, addRnd, sizeof(addRnd));
|
||||
ret = wc_SlhDsaKey_SignMsgWithRandom(&key,
|
||||
mprime, sizeof(mprime), sig, &sigSz, addRnd);
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_SignMsgDeterministic
|
||||
\sa wc_SlhDsaKey_VerifyMsg
|
||||
*/
|
||||
int wc_SlhDsaKey_SignMsgWithRandom(SlhDsaKey* key,
|
||||
const byte* mprime, word32 mprimeSz, byte* sig, word32* sigSz,
|
||||
const byte* addRnd);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Verifies an SLH-DSA signature using the internal interface. M' is
|
||||
provided directly — no wrapping is performed. This corresponds to FIPS 205
|
||||
Algorithm 20 (slh_verify_internal).
|
||||
|
||||
\return 0 on success (signature valid).
|
||||
\return BAD_FUNC_ARG if key, mprime, or sig is NULL.
|
||||
\return SIG_VERIFY_E if the signature is invalid.
|
||||
|
||||
\param [in] key Pointer to a public SlhDsaKey.
|
||||
\param [in] mprime Pointer to the pre-constructed M' message.
|
||||
\param [in] mprimeSz Length of M'.
|
||||
\param [in] sig Pointer to the signature to verify.
|
||||
\param [in] sigSz Length of the signature.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte sig[...]; // previously generated signature
|
||||
word32 sigSz;
|
||||
byte mprime[] = { ... };
|
||||
int ret;
|
||||
|
||||
ret = wc_SlhDsaKey_VerifyMsg(&key,
|
||||
mprime, sizeof(mprime), sig, sigSz);
|
||||
if (ret == 0) {
|
||||
// signature is valid
|
||||
}
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_SignMsgDeterministic
|
||||
\sa wc_SlhDsaKey_Verify
|
||||
*/
|
||||
int wc_SlhDsaKey_VerifyMsg(SlhDsaKey* key, const byte* mprime,
|
||||
word32 mprimeSz, const byte* sig, word32 sigSz);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Signs a pre-hashed message using the SLH-DSA external (HashSLH-DSA)
|
||||
interface with deterministic randomness. The message is hashed with the
|
||||
specified hash algorithm, then signed per FIPS 205 Algorithm 22 with the
|
||||
pre-hash domain separator (0x01).
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key, msg, sig, or sigSz is NULL, or hashType
|
||||
is unsupported.
|
||||
|
||||
\param [in] key Pointer to a private SlhDsaKey.
|
||||
\param [in] ctx Context string. May be NULL if ctxSz is 0.
|
||||
\param [in] ctxSz Length of the context string (0-255).
|
||||
\param [in] msg Pointer to the message to hash and sign.
|
||||
\param [in] msgSz Length of the message.
|
||||
\param [in] hashType Hash algorithm to use for pre-hashing. Supported:
|
||||
WC_HASH_TYPE_SHA256, WC_HASH_TYPE_SHA384, WC_HASH_TYPE_SHA512,
|
||||
WC_HASH_TYPE_SHAKE128, WC_HASH_TYPE_SHAKE256, WC_HASH_TYPE_SHA3_224,
|
||||
WC_HASH_TYPE_SHA3_256, WC_HASH_TYPE_SHA3_384, WC_HASH_TYPE_SHA3_512.
|
||||
\param [out] sig Buffer to receive the signature.
|
||||
\param [in,out] sigSz On input, size of sig buffer. On output, actual
|
||||
signature length.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte sig[WC_SLHDSA_MAX_SIG_LEN];
|
||||
word32 sigSz = sizeof(sig);
|
||||
byte msg[] = "Hello World!";
|
||||
int ret;
|
||||
|
||||
ret = wc_SlhDsaKey_SignHashDeterministic(&key, NULL, 0,
|
||||
msg, sizeof(msg), WC_HASH_TYPE_SHA256, sig, &sigSz);
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_SignHashWithRandom
|
||||
\sa wc_SlhDsaKey_SignHash
|
||||
\sa wc_SlhDsaKey_VerifyHash
|
||||
*/
|
||||
int wc_SlhDsaKey_SignHashDeterministic(SlhDsaKey* key,
|
||||
const byte* ctx, byte ctxSz, const byte* msg, word32 msgSz,
|
||||
enum wc_HashType hashType, byte* sig, word32* sigSz);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Signs a pre-hashed message using the SLH-DSA external (HashSLH-DSA)
|
||||
interface with caller-provided additional randomness.
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key, msg, sig, sigSz, or addRnd is NULL.
|
||||
|
||||
\param [in] key Pointer to a private SlhDsaKey.
|
||||
\param [in] ctx Context string. May be NULL if ctxSz is 0.
|
||||
\param [in] ctxSz Length of the context string (0-255).
|
||||
\param [in] msg Pointer to the message to hash and sign.
|
||||
\param [in] msgSz Length of the message.
|
||||
\param [in] hashType Hash algorithm to use for pre-hashing.
|
||||
\param [out] sig Buffer to receive the signature.
|
||||
\param [in,out] sigSz On input, size of sig buffer. On output, actual
|
||||
signature length.
|
||||
\param [in] addRnd Additional randomness (n bytes).
|
||||
|
||||
\sa wc_SlhDsaKey_SignHashDeterministic
|
||||
\sa wc_SlhDsaKey_VerifyHash
|
||||
*/
|
||||
int wc_SlhDsaKey_SignHashWithRandom(SlhDsaKey* key,
|
||||
const byte* ctx, byte ctxSz, const byte* msg, word32 msgSz,
|
||||
enum wc_HashType hashType, byte* sig, word32* sigSz, byte* addRnd);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Signs a pre-hashed message using the SLH-DSA external (HashSLH-DSA)
|
||||
interface with RNG-provided randomness.
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key, msg, sig, sigSz, or rng is NULL.
|
||||
|
||||
\param [in] key Pointer to a private SlhDsaKey.
|
||||
\param [in] ctx Context string. May be NULL if ctxSz is 0.
|
||||
\param [in] ctxSz Length of the context string (0-255).
|
||||
\param [in] msg Pointer to the message to hash and sign.
|
||||
\param [in] msgSz Length of the message.
|
||||
\param [in] hashType Hash algorithm to use for pre-hashing.
|
||||
\param [out] sig Buffer to receive the signature.
|
||||
\param [in,out] sigSz On input, size of sig buffer. On output, actual
|
||||
signature length.
|
||||
\param [in] rng Pointer to an initialized WC_RNG.
|
||||
|
||||
\sa wc_SlhDsaKey_SignHashDeterministic
|
||||
\sa wc_SlhDsaKey_VerifyHash
|
||||
*/
|
||||
int wc_SlhDsaKey_SignHash(SlhDsaKey* key, const byte* ctx,
|
||||
byte ctxSz, const byte* msg, word32 msgSz, enum wc_HashType hashType,
|
||||
byte* sig, word32* sigSz, WC_RNG* rng);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Verifies an SLH-DSA signature over a pre-hashed message
|
||||
(HashSLH-DSA). The message is hashed with the specified hash algorithm
|
||||
before verification.
|
||||
|
||||
\return 0 on success (signature valid).
|
||||
\return BAD_FUNC_ARG if key, msg, or sig is NULL.
|
||||
\return SIG_VERIFY_E if the signature is invalid.
|
||||
|
||||
\param [in] key Pointer to a public SlhDsaKey.
|
||||
\param [in] ctx Context string. May be NULL if ctxSz is 0.
|
||||
\param [in] ctxSz Length of the context string (0-255).
|
||||
\param [in] msg Pointer to the message to hash and verify.
|
||||
\param [in] msgSz Length of the message.
|
||||
\param [in] hashType Hash algorithm used for pre-hashing. Must match the
|
||||
hash used during signing.
|
||||
\param [in] sig Pointer to the signature to verify.
|
||||
\param [in] sigSz Length of the signature.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte sig[...];
|
||||
word32 sigSz;
|
||||
byte msg[] = "Hello World!";
|
||||
int ret;
|
||||
|
||||
ret = wc_SlhDsaKey_VerifyHash(&key, NULL, 0,
|
||||
msg, sizeof(msg), WC_HASH_TYPE_SHA256, sig, sigSz);
|
||||
if (ret == 0) {
|
||||
// signature is valid
|
||||
}
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_SignHashDeterministic
|
||||
\sa wc_SlhDsaKey_Verify
|
||||
*/
|
||||
int wc_SlhDsaKey_VerifyHash(SlhDsaKey* key, const byte* ctx,
|
||||
byte ctxSz, const byte* msg, word32 msgSz, enum wc_HashType hashType,
|
||||
const byte* sig, word32 sigSz);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Imports an SLH-DSA private key from a raw byte buffer. The buffer
|
||||
must contain the full private key (4*n bytes: SK.seed || SK.prf ||
|
||||
PK.seed || PK.root). After import, the key can be used for signing.
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key or in is NULL, or inLen does not match the
|
||||
expected private key size for the parameter set.
|
||||
|
||||
\param [in,out] key Pointer to an initialized SlhDsaKey.
|
||||
\param [in] in Buffer containing the raw private key bytes.
|
||||
\param [in] inLen Length of the input buffer.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte privKey[...]; // 4*n bytes
|
||||
int ret;
|
||||
|
||||
wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
|
||||
ret = wc_SlhDsaKey_ImportPrivate(&key, privKey, sizeof(privKey));
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_ExportPrivate
|
||||
\sa wc_SlhDsaKey_ImportPublic
|
||||
*/
|
||||
int wc_SlhDsaKey_ImportPrivate(SlhDsaKey* key, const byte* in,
|
||||
word32 inLen);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Imports an SLH-DSA public key from a raw byte buffer. The buffer
|
||||
must contain PK.seed || PK.root (2*n bytes). After import, the key can
|
||||
be used for verification.
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key or in is NULL, or inLen does not match the
|
||||
expected public key size.
|
||||
|
||||
\param [in,out] key Pointer to an initialized SlhDsaKey.
|
||||
\param [in] in Buffer containing the raw public key bytes.
|
||||
\param [in] inLen Length of the input buffer.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte pubKey[...]; // 2*n bytes
|
||||
int ret;
|
||||
|
||||
wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
|
||||
ret = wc_SlhDsaKey_ImportPublic(&key, pubKey, sizeof(pubKey));
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_ExportPublic
|
||||
\sa wc_SlhDsaKey_ImportPrivate
|
||||
*/
|
||||
int wc_SlhDsaKey_ImportPublic(SlhDsaKey* key, const byte* in,
|
||||
word32 inLen);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Checks the consistency of an SLH-DSA key. For a key with both
|
||||
private and public components, verifies that the public key matches the
|
||||
private key.
|
||||
|
||||
\return 0 on success (key is valid).
|
||||
\return BAD_FUNC_ARG if key is NULL.
|
||||
|
||||
\param [in] key Pointer to the SlhDsaKey to check.
|
||||
|
||||
\sa wc_SlhDsaKey_MakeKey
|
||||
\sa wc_SlhDsaKey_ImportPrivate
|
||||
*/
|
||||
int wc_SlhDsaKey_CheckKey(SlhDsaKey* key);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Exports the private key from an SLH-DSA key object into a raw
|
||||
byte buffer (4*n bytes).
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key, out, or outLen is NULL.
|
||||
\return BUFFER_E if the output buffer is too small.
|
||||
|
||||
\param [in] key Pointer to the SlhDsaKey containing a private key.
|
||||
\param [out] out Buffer to receive the raw private key bytes.
|
||||
\param [in,out] outLen On input, size of out buffer. On output, bytes
|
||||
written.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte privKey[4 * 32]; // 4*n for 256-bit params
|
||||
word32 privKeySz = sizeof(privKey);
|
||||
int ret;
|
||||
|
||||
ret = wc_SlhDsaKey_ExportPrivate(&key, privKey, &privKeySz);
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_ImportPrivate
|
||||
\sa wc_SlhDsaKey_ExportPublic
|
||||
*/
|
||||
int wc_SlhDsaKey_ExportPrivate(SlhDsaKey* key, byte* out,
|
||||
word32* outLen);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Exports the public key from an SLH-DSA key object into a raw
|
||||
byte buffer (2*n bytes: PK.seed || PK.root).
|
||||
|
||||
\return 0 on success.
|
||||
\return BAD_FUNC_ARG if key, out, or outLen is NULL.
|
||||
\return BUFFER_E if the output buffer is too small.
|
||||
|
||||
\param [in] key Pointer to the SlhDsaKey containing a public key.
|
||||
\param [out] out Buffer to receive the raw public key bytes.
|
||||
\param [in,out] outLen On input, size of out buffer. On output, bytes
|
||||
written.
|
||||
|
||||
_Example_
|
||||
\code
|
||||
SlhDsaKey key;
|
||||
byte pubKey[2 * 32];
|
||||
word32 pubKeySz = sizeof(pubKey);
|
||||
int ret;
|
||||
|
||||
ret = wc_SlhDsaKey_ExportPublic(&key, pubKey, &pubKeySz);
|
||||
\endcode
|
||||
|
||||
\sa wc_SlhDsaKey_ImportPublic
|
||||
\sa wc_SlhDsaKey_ExportPrivate
|
||||
*/
|
||||
int wc_SlhDsaKey_ExportPublic(SlhDsaKey* key, byte* out,
|
||||
word32* outLen);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Returns the private key size in bytes for the key's parameter set.
|
||||
|
||||
\return Private key size in bytes (4*n) on success.
|
||||
\return BAD_FUNC_ARG if key is NULL or not initialized.
|
||||
|
||||
\param [in] key Pointer to an initialized SlhDsaKey.
|
||||
|
||||
\sa wc_SlhDsaKey_PublicSize
|
||||
\sa wc_SlhDsaKey_SigSize
|
||||
\sa wc_SlhDsaKey_PrivateSizeFromParam
|
||||
*/
|
||||
int wc_SlhDsaKey_PrivateSize(SlhDsaKey* key);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Returns the public key size in bytes for the key's parameter set.
|
||||
|
||||
\return Public key size in bytes (2*n) on success.
|
||||
\return BAD_FUNC_ARG if key is NULL or not initialized.
|
||||
|
||||
\param [in] key Pointer to an initialized SlhDsaKey.
|
||||
|
||||
\sa wc_SlhDsaKey_PrivateSize
|
||||
\sa wc_SlhDsaKey_SigSize
|
||||
\sa wc_SlhDsaKey_PublicSizeFromParam
|
||||
*/
|
||||
int wc_SlhDsaKey_PublicSize(SlhDsaKey* key);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Returns the signature size in bytes for the key's parameter set.
|
||||
|
||||
\return Signature size in bytes on success.
|
||||
\return BAD_FUNC_ARG if key is NULL or not initialized.
|
||||
|
||||
\param [in] key Pointer to an initialized SlhDsaKey.
|
||||
|
||||
\sa wc_SlhDsaKey_PrivateSize
|
||||
\sa wc_SlhDsaKey_PublicSize
|
||||
\sa wc_SlhDsaKey_SigSizeFromParam
|
||||
*/
|
||||
int wc_SlhDsaKey_SigSize(SlhDsaKey* key);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Returns the private key size in bytes for the given parameter set
|
||||
without needing an initialized key object.
|
||||
|
||||
\return Private key size in bytes (4*n) on success.
|
||||
\return BAD_FUNC_ARG if param is invalid.
|
||||
|
||||
\param [in] param The SLH-DSA parameter set.
|
||||
|
||||
\sa wc_SlhDsaKey_PrivateSize
|
||||
*/
|
||||
int wc_SlhDsaKey_PrivateSizeFromParam(enum SlhDsaParam param);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Returns the public key size in bytes for the given parameter set
|
||||
without needing an initialized key object.
|
||||
|
||||
\return Public key size in bytes (2*n) on success.
|
||||
\return BAD_FUNC_ARG if param is invalid.
|
||||
|
||||
\param [in] param The SLH-DSA parameter set.
|
||||
|
||||
\sa wc_SlhDsaKey_PublicSize
|
||||
*/
|
||||
int wc_SlhDsaKey_PublicSizeFromParam(enum SlhDsaParam param);
|
||||
|
||||
/*!
|
||||
\ingroup SLH_DSA
|
||||
|
||||
\brief Returns the signature size in bytes for the given parameter set
|
||||
without needing an initialized key object.
|
||||
|
||||
\return Signature size in bytes on success.
|
||||
\return BAD_FUNC_ARG if param is invalid.
|
||||
|
||||
\param [in] param The SLH-DSA parameter set.
|
||||
|
||||
\sa wc_SlhDsaKey_SigSize
|
||||
*/
|
||||
int wc_SlhDsaKey_SigSizeFromParam(enum SlhDsaParam param);
|
||||
+389
-2
@@ -439,7 +439,7 @@ src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/fips.c \
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
|
||||
endif BUILD_FIPS_V5
|
||||
|
||||
if BUILD_FIPS_V6_PLUS
|
||||
if BUILD_FIPS_V6
|
||||
# FIPS 140-3 SRTP-KDF first file
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += \
|
||||
wolfcrypt/src/wolfcrypt_first.c
|
||||
@@ -782,7 +782,390 @@ src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/fips.c \
|
||||
|
||||
# fips last file
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
|
||||
endif BUILD_FIPS_V6_PLUS
|
||||
endif BUILD_FIPS_V6
|
||||
|
||||
if BUILD_FIPS_V7_PLUS
|
||||
# FIPS 140-3 v7.0.0+ first file
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += \
|
||||
wolfcrypt/src/wolfcrypt_first.c
|
||||
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += \
|
||||
wolfcrypt/src/hmac.c \
|
||||
wolfcrypt/src/random.c
|
||||
|
||||
if BUILD_MEMUSE
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wolfentropy.c
|
||||
endif
|
||||
|
||||
if BUILD_RNG_BANK
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/rng_bank.c
|
||||
endif
|
||||
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/kdf.c
|
||||
|
||||
if BUILD_RSA
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/rsa.c
|
||||
endif
|
||||
|
||||
if BUILD_ECC
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ecc.c
|
||||
endif
|
||||
|
||||
if BUILD_AES
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes.c
|
||||
|
||||
if BUILD_ARMASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(LEGACY_ARMASM_AES_C)
|
||||
endif BUILD_ARMASM
|
||||
|
||||
if BUILD_ARMASM_NEON
|
||||
if BUILD_ARMASM_INLINE
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(NEW_ARMASM_AES_ASM_C)
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-aes-asm_c.c
|
||||
else
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(NEW_ARMASM_AES_ASM_S)
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-aes-asm.S
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
else
|
||||
if BUILD_ARMASM
|
||||
if BUILD_ARMASM_INLINE
|
||||
if BUILD_ARM_NONTHUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-aes-asm_c.c
|
||||
endif
|
||||
if BUILD_ARM_THUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-aes-asm_c.c
|
||||
endif
|
||||
else
|
||||
if BUILD_ARM_NONTHUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-aes-asm.S
|
||||
endif
|
||||
if BUILD_ARM_THUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-aes-asm.S
|
||||
endif
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
endif BUILD_ARMASM
|
||||
endif !BUILD_ARMASM_NEON
|
||||
endif BUILD_AES
|
||||
|
||||
if BUILD_AESNI
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_asm.S
|
||||
if BUILD_X86_ASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_gcm_x86_asm.S
|
||||
else
|
||||
if BUILD_AESGCM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_gcm_asm.S
|
||||
endif
|
||||
if BUILD_AESXTS
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_xts_asm.S
|
||||
endif
|
||||
endif
|
||||
endif
|
||||
|
||||
if BUILD_SHA
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha.c
|
||||
endif
|
||||
|
||||
if BUILD_ARMASM_NEON
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(ARMASM_SHA256_C)
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(LEGACY_ARMASM_SHA256_C)
|
||||
if BUILD_ARMASM_INLINE
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(NEW_ARMASM_SHA256_ASM_C)
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha256-asm_c.c
|
||||
else
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(NEW_ARMASM_SHA256_ASM_S)
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha256-asm.S
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
else
|
||||
if BUILD_ARMASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(ARMASM_SHA256_C)
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(LEGACY_ARMASM_SHA256_C)
|
||||
if BUILD_ARMASM_INLINE
|
||||
if BUILD_ARM_NONTHUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha256-asm_c.c
|
||||
endif
|
||||
if BUILD_ARM_THUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha256-asm_c.c
|
||||
endif
|
||||
else
|
||||
if BUILD_ARM_NONTHUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha256-asm.S
|
||||
endif
|
||||
if BUILD_ARM_THUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha256-asm.S
|
||||
endif
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
else
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha256.c
|
||||
if BUILD_INTELASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha256_asm.S
|
||||
endif BUILD_INTELASM
|
||||
endif !BUILD_ARMASM
|
||||
endif !BUILD_ARMASM_NEON
|
||||
|
||||
if BUILD_RISCV_ASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/riscv/riscv-64-sha256.c
|
||||
endif BUILD_RISCV_ASM
|
||||
|
||||
if BUILD_PPC32_ASM
|
||||
if BUILD_PPC32_ASM_INLINE
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/ppc32/ppc32-sha256-asm_c.c
|
||||
else
|
||||
if BUILD_PPC32_ASM_INLINE_REG
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/ppc32/ppc32-sha256-asm_cr.c
|
||||
else
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/ppc32/ppc32-sha256-asm.S
|
||||
endif !BUILD_PPC32_ASM_INLINE_REG
|
||||
endif !BUILD_PPC32_ASM_INLINE
|
||||
endif BUILD_PPC32_ASM
|
||||
|
||||
if BUILD_SHA512
|
||||
if BUILD_RISCV_ASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/riscv/riscv-64-sha512.c
|
||||
else
|
||||
|
||||
if !BUILD_FIPS_V5
|
||||
if !BUILD_FIPS_V6
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha512.c
|
||||
endif !BUILD_FIPS_V6
|
||||
endif !BUILD_FIPS_V5
|
||||
|
||||
if BUILD_ARMASM_NEON
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(LEGACY_ARMASM_SHA512_C)
|
||||
if BUILD_ARMASM_INLINE
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512-asm_c.c
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm_c.c
|
||||
else
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512-asm.S
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm.S
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
else
|
||||
if BUILD_ARMASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(LEGACY_ARMASM_SHA512_C)
|
||||
if BUILD_ARMASM_INLINE
|
||||
if BUILD_ARM_NONTHUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm_c.c
|
||||
endif
|
||||
if BUILD_ARM_THUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha512-asm_c.c
|
||||
endif
|
||||
else
|
||||
if BUILD_ARM_NONTHUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm.S
|
||||
endif
|
||||
if BUILD_ARM_THUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha512-asm.S
|
||||
endif
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
else
|
||||
|
||||
if BUILD_FIPS_V5
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha512.c
|
||||
else
|
||||
if BUILD_FIPS_V6
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha512.c
|
||||
endif BUILD_FIPS_V6
|
||||
endif !BUILD_FIPS_V5
|
||||
|
||||
if BUILD_INTELASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha512_asm.S
|
||||
endif BUILD_INTELASM
|
||||
endif !BUILD_ARMASM
|
||||
endif !BUILD_ARMASM_NEON
|
||||
endif !BUILD_RISCV_ASM
|
||||
endif BUILD_SHA512
|
||||
|
||||
if BUILD_SHA3
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha3.c
|
||||
if BUILD_ARMASM_NEON
|
||||
if BUILD_ARMASM_INLINE
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha3-asm_c.c
|
||||
else
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha3-asm.S
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
endif BUILD_ARMASM_NEON
|
||||
if BUILD_ARMASM
|
||||
if BUILD_ARMASM_INLINE
|
||||
if BUILD_ARM_NONTHUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha3-asm_c.c
|
||||
endif
|
||||
if BUILD_ARM_THUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha3-asm_c.c
|
||||
endif
|
||||
else
|
||||
if BUILD_ARM_NONTHUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha3-asm.S
|
||||
endif
|
||||
if BUILD_ARM_THUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-sha3-asm.S
|
||||
endif
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
endif BUILD_ARMASM
|
||||
if BUILD_RISCV_ASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/riscv/riscv-64-sha3.c
|
||||
endif BUILD_RISCV_ASM
|
||||
if BUILD_INTELASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha3_asm.S
|
||||
endif
|
||||
endif
|
||||
|
||||
if BUILD_DH
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/dh.c
|
||||
endif
|
||||
|
||||
if BUILD_CMAC
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/cmac.c
|
||||
endif
|
||||
|
||||
if BUILD_CURVE448
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/curve448.c
|
||||
endif
|
||||
|
||||
if BUILD_ED448
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ed448.c
|
||||
endif
|
||||
|
||||
if BUILD_CURVE25519
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/curve25519.c
|
||||
endif
|
||||
|
||||
if BUILD_ED25519
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ed25519.c
|
||||
endif
|
||||
|
||||
if BUILD_ARMASM
|
||||
if BUILD_ARMASM_NEON
|
||||
if BUILD_ARMASM_INLINE
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-curve25519_c.c
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-curve25519_c.c
|
||||
else
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-curve25519.S
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-curve25519.S
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
else
|
||||
if BUILD_ARMASM_INLINE
|
||||
if BUILD_ARM_NONTHUMB
|
||||
if BUILD_ARM_32
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-curve25519_c.c
|
||||
endif
|
||||
if BUILD_ARM_64
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-curve25519_c.c
|
||||
endif
|
||||
endif
|
||||
if BUILD_ARM_THUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-curve25519_c.c
|
||||
endif
|
||||
else
|
||||
if BUILD_ARM_NONTHUMB
|
||||
if BUILD_ARM_32
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-curve25519.S
|
||||
endif
|
||||
if BUILD_ARM_64
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-curve25519.S
|
||||
endif
|
||||
endif
|
||||
if BUILD_ARM_THUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-curve25519.S
|
||||
endif
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
endif !BUILD_ARMASM_NEON
|
||||
endif BUILD_ARMASM
|
||||
|
||||
if BUILD_PWDBASED
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/pwdbased.c
|
||||
endif BUILD_PWDBASED
|
||||
|
||||
if BUILD_SP
|
||||
if BUILD_SP_C32
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_c32.c
|
||||
endif
|
||||
if BUILD_SP_C64
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_c64.c
|
||||
endif
|
||||
|
||||
if BUILD_SP_X86_64
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_x86_64.c
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_x86_64_asm.S
|
||||
endif
|
||||
if !BUILD_FIPS_V2
|
||||
if BUILD_SP_ARM32
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_arm32.c
|
||||
endif
|
||||
endif
|
||||
if BUILD_SP_ARM_THUMB
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_armthumb.c
|
||||
endif
|
||||
if !BUILD_FIPS_V2
|
||||
if BUILD_SP_ARM64
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_arm64.c
|
||||
endif
|
||||
endif
|
||||
if BUILD_SP_ARM_CORTEX
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sp_cortexm.c
|
||||
endif
|
||||
endif BUILD_SP
|
||||
|
||||
# PQ Algorithms (FIPS v7.0.0+)
|
||||
if BUILD_WC_MLKEM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mlkem.c
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mlkem_poly.c
|
||||
if BUILD_ARMASM
|
||||
if BUILD_ARM_THUMB
|
||||
if BUILD_ARMASM_INLINE
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-mlkem-asm_c.c
|
||||
else
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/thumb2-mlkem-asm.S
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
else
|
||||
if BUILD_ARMASM_INLINE
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-mlkem-asm_c.c
|
||||
else
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-mlkem-asm.S
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
endif !BUILD_ARM_THUMB
|
||||
endif BUILD_ARMASM
|
||||
if !BUILD_X86_ASM
|
||||
if BUILD_INTELASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mlkem_asm.S
|
||||
endif
|
||||
endif
|
||||
if BUILD_ARMASM_NEON
|
||||
if BUILD_ARMASM_INLINE
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-mlkem-asm_c.c
|
||||
else
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-mlkem-asm.S
|
||||
endif !BUILD_ARMASM_INLINE
|
||||
endif BUILD_ARMASM_NEON
|
||||
endif
|
||||
|
||||
if BUILD_DILITHIUM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/dilithium.c
|
||||
if !BUILD_X86_ASM
|
||||
if BUILD_INTELASM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mldsa_asm.S
|
||||
endif BUILD_INTELASM
|
||||
endif !BUILD_X86_ASM
|
||||
endif
|
||||
|
||||
if BUILD_WC_LMS
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_lms.c
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_lms_impl.c
|
||||
endif
|
||||
|
||||
if BUILD_WC_XMSS
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_xmss.c
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_xmss_impl.c
|
||||
endif
|
||||
|
||||
if BUILD_WC_SLHDSA
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_slhdsa.c
|
||||
endif
|
||||
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/fips.c \
|
||||
wolfcrypt/src/fips_test.c
|
||||
|
||||
# fips last file
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
|
||||
endif BUILD_FIPS_V7_PLUS
|
||||
|
||||
|
||||
endif BUILD_FIPS
|
||||
@@ -1401,6 +1784,7 @@ if BUILD_SAKKE
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sakke.c
|
||||
endif
|
||||
|
||||
if !BUILD_FIPS_V7_PLUS
|
||||
if BUILD_WC_MLKEM
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mlkem.c
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mlkem_poly.c
|
||||
@@ -1451,10 +1835,13 @@ if BUILD_WC_XMSS
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_xmss.c
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_xmss_impl.c
|
||||
endif
|
||||
endif !BUILD_FIPS_V7_PLUS
|
||||
|
||||
if !BUILD_FIPS_V7_PLUS
|
||||
if BUILD_WC_SLHDSA
|
||||
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_slhdsa.c
|
||||
endif
|
||||
endif !BUILD_FIPS_V7_PLUS
|
||||
|
||||
if !BUILD_FIPS_V6_PLUS
|
||||
if BUILD_CURVE25519
|
||||
|
||||
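Review bot: The SHA-512 sub-block copied into the new `if BUILD_FIPS_V7_PLUS` section still carries the V5/V6 version guards: `if !BUILD_FIPS_V5` / `if !BUILD_FIPS_V6` around the first `sha512.c` line, and the `if BUILD_FIPS_V5` ... `if BUILD_FIPS_V6` ... `sha512.c` branch in the non-ARM path. Assuming the BUILD_FIPS_V* conditionals are mutually exclusive (their AM_CONDITIONAL definitions are not visible here), both V5/V6 tests are always false inside a V7_PLUS block, so the second `sha512.c` branch is dead and the first guard is redundant; the same holds for the `if !BUILD_FIPS_V2` guards around sp_arm32.c and sp_arm64.c in the SP sub-block. Dropping them would leave `src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/sha512.c` once under `if BUILD_SHA512` and make the list of in-boundary sources easier to audit, keeping the relative order of the remaining files between wolfcrypt_first.c and wolfcrypt_last.c, which is presumably what the boundary layout depends on. In the last hunk the two adjacent `if !BUILD_FIPS_V7_PLUS` blocks (XMSS, then SLH-DSA) could be one block unless they are kept separate on purpose.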
@@ -8892,7 +8892,9 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse)
|
||||
|
||||
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
|
||||
if (ret == 0) {
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
ret = wc_KyberKey_EncodePrivateKey(kem, privKey, privSz);
|
||||
PRIVATE_KEY_LOCK();
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -9975,7 +9977,9 @@ static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl,
|
||||
ret = BAD_FUNC_ARG;
|
||||
}
|
||||
if (ret == 0) {
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
ret = wc_KyberKey_DecodePrivateKey(kem, keyShareEntry->privKey, privSz);
|
||||
PRIVATE_KEY_LOCK();
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -9984,8 +9988,10 @@ static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl,
|
||||
ret = BUFFER_E;
|
||||
}
|
||||
if (ret == 0) {
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
ret = wc_KyberKey_Decapsulate(kem, ssOutput,
|
||||
keyShareEntry->ke, ctSz);
|
||||
PRIVATE_KEY_LOCK();
|
||||
if (ret != 0) {
|
||||
WOLFSSL_MSG("wc_KyberKey decapsulation failure.");
|
||||
ret = BAD_FUNC_ARG;
|
||||
|
||||
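Review bot: The three new `PRIVATE_KEY_UNLOCK()` / `PRIVATE_KEY_LOCK()` pairs (around wc_KyberKey_EncodePrivateKey in TLSX_KeyShare_GenPqcKeyClient, and around wc_KyberKey_DecodePrivateKey and wc_KyberKey_Decapsulate in TLSX_KeyShare_ProcessPqcClient_ex) are added without a comment saying why these calls now need it, and the same pattern recurs in the other hunks of this file. A one-line comment at the first pair would help the next reader, e.g. `/* ML-KEM private-key encode/decode/decapsulate are gated as private-key operations; unlock only for the duration of the call. */`, adjusted to whatever the macro actually gates in this tree, which the hunk does not show. Each pair is balanced with no early return between unlock and lock, which is the property to preserve if error handling is later inserted between them. All three enclosing functions extend outside the hunks.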
@@ -28101,8 +28101,6 @@ static int error_test(void)
|
||||
{63, 63},
|
||||
#endif
|
||||
{ -9, WC_SPAN1_FIRST_E + 1 },
|
||||
{ -124, -124 },
|
||||
{ -167, -169 },
|
||||
{ -300, -300 },
|
||||
{ -335, -336 },
|
||||
{ -346, -349 },
|
||||
|
||||
+21
-5
@@ -68,6 +68,12 @@ static const enum wc_HashType supportedHash[] = {
|
||||
WC_HASH_TYPE_SHA3_256,
|
||||
WC_HASH_TYPE_SHA3_384,
|
||||
WC_HASH_TYPE_SHA3_512,
|
||||
#if defined(WOLFSSL_SHAKE128)
|
||||
WC_HASH_TYPE_SHAKE128,
|
||||
#endif
|
||||
#if defined(WOLFSSL_SHAKE256)
|
||||
WC_HASH_TYPE_SHAKE256,
|
||||
#endif
|
||||
#endif
|
||||
#ifdef WOLFSSL_SM3
|
||||
WC_HASH_TYPE_SM3,
|
||||
@@ -126,14 +132,14 @@ static const enum wc_HashType notCompiledHash[] = {
|
||||
WC_HASH_TYPE_NONE /* Dummy value to ensure list is non-zero. */
|
||||
};
|
||||
static const int notCompiledHashLen = (sizeof(notCompiledHash) /
|
||||
sizeof(enum wc_HashType)) - 1;
|
||||
sizeof(notCompiledHash[0])) - 1;
|
||||
|
||||
static const int notSupportedHash[] = {
|
||||
WC_HASH_TYPE_NONE,
|
||||
WC_HASH_TYPE_MAX + 1
|
||||
};
|
||||
static const int notSupportedHashLen = (sizeof(notSupportedHash) /
|
||||
sizeof(enum wc_HashType));
|
||||
sizeof(notSupportedHash[0]));
|
||||
|
||||
static const enum wc_HashType sizeSupportedHash[] = {
|
||||
#if !defined(NO_MD5) && !defined(NO_SHA)
|
||||
@@ -150,11 +156,17 @@ static const enum wc_HashType sizeSupportedHash[] = {
|
||||
#endif
|
||||
#ifdef HAVE_BLAKE2S
|
||||
WC_HASH_TYPE_BLAKE2S,
|
||||
#endif
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
|
||||
WC_HASH_TYPE_SHAKE128,
|
||||
#endif
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
|
||||
WC_HASH_TYPE_SHAKE256,
|
||||
#endif
|
||||
WC_HASH_TYPE_NONE /* Dummy value to ensure list is non-zero. */
|
||||
};
|
||||
static const int sizeSupportedHashLen = (sizeof(sizeSupportedHash) /
|
||||
sizeof(enum wc_HashType)) - 1;
|
||||
sizeof(sizeSupportedHash[0])) - 1;
|
||||
static const enum wc_HashType sizeNotCompiledHash[] = {
|
||||
#if defined(NO_MD5) || defined(NO_SHA)
|
||||
WC_HASH_TYPE_MD5_SHA,
|
||||
@@ -171,18 +183,22 @@ static const enum wc_HashType sizeNotCompiledHash[] = {
|
||||
#ifndef HAVE_BLAKE2S
|
||||
WC_HASH_TYPE_BLAKE2S,
|
||||
#endif
|
||||
#if !defined(WOLFSSL_SHA3) || !defined(WOLFSSL_SHAKE128)
|
||||
WC_HASH_TYPE_SHAKE128,
|
||||
#endif
|
||||
#if !defined(WOLFSSL_SHA3) || !defined(WOLFSSL_SHAKE256)
|
||||
WC_HASH_TYPE_SHAKE256,
|
||||
#endif
|
||||
WC_HASH_TYPE_NONE /* Dummy value to ensure list is non-zero. */
|
||||
};
|
||||
static const int sizeNotCompiledHashLen = (sizeof(sizeNotCompiledHash) /
|
||||
sizeof(enum wc_HashType)) - 1;
|
||||
sizeof(sizeNotCompiledHash[0])) - 1;
|
||||
static const int sizeNotSupportedHash[] = {
|
||||
WC_HASH_TYPE_NONE,
|
||||
WC_HASH_TYPE_MAX + 1
|
||||
};
|
||||
static const int sizeNotSupportedHashLen = (sizeof(sizeNotSupportedHash) /
|
||||
sizeof(enum wc_HashType));
|
||||
sizeof(sizeNotSupportedHash[0]));
|
||||
#endif /* NO_HASH_WRAPPER */
|
||||
|
||||
int test_wc_HashInit(void)
|
||||
|
||||
@@ -38,6 +38,8 @@ int test_wc_dilithium_sig_kats(void);
|
||||
int test_wc_dilithium_sign_ctx_kats(void);
|
||||
int test_wc_dilithium_verify_ctx_kats(void);
|
||||
int test_wc_dilithium_verify_kats(void);
|
||||
int test_wc_dilithium_sign_mu_kats(void);
|
||||
int test_wc_dilithium_verify_mu_kats(void);
|
||||
int test_wc_Dilithium_PrivateKeyDecode_OpenSSL_form(void);
|
||||
int test_mldsa_pkcs8_import_OpenSSL_form(void);
|
||||
int test_mldsa_pkcs8_export_import_wolfSSL_form(void);
|
||||
@@ -59,6 +61,8 @@ int test_mldsa_pkcs12(void);
|
||||
TEST_DECL_GROUP("mldsa", test_wc_dilithium_sign_ctx_kats), \
|
||||
TEST_DECL_GROUP("mldsa", test_wc_dilithium_verify_ctx_kats), \
|
||||
TEST_DECL_GROUP("mldsa", test_wc_dilithium_verify_kats), \
|
||||
TEST_DECL_GROUP("mldsa", test_wc_dilithium_sign_mu_kats), \
|
||||
TEST_DECL_GROUP("mldsa", test_wc_dilithium_verify_mu_kats), \
|
||||
TEST_DECL_GROUP("mldsa", test_wc_Dilithium_PrivateKeyDecode_OpenSSL_form), \
|
||||
TEST_DECL_GROUP("mldsa", test_mldsa_pkcs8_import_OpenSSL_form), \
|
||||
TEST_DECL_GROUP("mldsa", test_mldsa_pkcs8_export_import_wolfSSL_form), \
|
||||
|
||||
+21
-2
@@ -1451,6 +1451,8 @@ int test_wc_mlkem_make_key_kats(void)
|
||||
XMEMSET(key, 0, sizeof(MlKemKey));
|
||||
}
|
||||
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
|
||||
#ifndef WOLFSSL_NO_ML_KEM_512
|
||||
ExpectIntEQ(wc_MlKemKey_Init(key, WC_ML_KEM_512, NULL, INVALID_DEVID), 0);
|
||||
ExpectIntEQ(wc_MlKemKey_MakeKeyWithRandom(key, seed_512, sizeof(seed_512)),
|
||||
@@ -1488,6 +1490,8 @@ int test_wc_mlkem_make_key_kats(void)
|
||||
wc_MlKemKey_Free(key);
|
||||
#endif
|
||||
|
||||
PRIVATE_KEY_LOCK();
|
||||
|
||||
XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
@@ -3845,6 +3849,8 @@ int test_wc_mlkem_decapsulate_kats(void)
|
||||
XMEMSET(key, 0, sizeof(MlKemKey));
|
||||
}
|
||||
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
|
||||
#ifndef WOLFSSL_NO_ML_KEM_512
|
||||
ExpectIntEQ(wc_MlKemKey_Init(key, WC_ML_KEM_512, NULL, INVALID_DEVID), 0);
|
||||
ExpectIntEQ(wc_MlKemKey_DecodePrivateKey(key, dk_512, sizeof(dk_512)), 0);
|
||||
@@ -3867,6 +3873,8 @@ int test_wc_mlkem_decapsulate_kats(void)
|
||||
wc_MlKemKey_Free(key);
|
||||
#endif
|
||||
|
||||
PRIVATE_KEY_LOCK();
|
||||
|
||||
XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
@@ -3937,8 +3945,10 @@ int test_wc_mlkem_decapsulate_pubonly_fails(void)
|
||||
ExpectIntEQ(wc_MlKemKey_DecodePublicKey(pubOnlyKey, pubBuf, pubLen), 0);
|
||||
|
||||
/* Decapsulating with a public-key-only object must fail. */
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
ExpectIntEQ(wc_MlKemKey_Decapsulate(pubOnlyKey, ssDec, ct, ctLen),
|
||||
WC_NO_ERR_TRACE(BAD_STATE_E));
|
||||
PRIVATE_KEY_LOCK();
|
||||
|
||||
DoExpectIntEQ(wc_FreeRng(&rng), 0);
|
||||
wc_MlKemKey_Free(pubOnlyKey);
|
||||
@@ -3993,22 +4003,31 @@ int test_wc_mlkem_decap_fo_reject(void)
|
||||
|
||||
/* Untampered ciphertext recovers the original ss. */
|
||||
XMEMSET(ssDec, 0, sizeof(ssDec));
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
ExpectIntEQ(wc_MlKemKey_Decapsulate(key, ssDec, ct, ctLen), 0);
|
||||
PRIVATE_KEY_LOCK();
|
||||
ExpectIntEQ(XMEMCMP(ssDec, ss, WC_ML_KEM_SS_SZ), 0);
|
||||
|
||||
/* Tamper at byte 32: implicit rejection must fire. */
|
||||
XMEMCPY(ctTampered, ct, ctLen);
|
||||
ctTampered[32] ^= 0x01;
|
||||
XMEMSET(ssTampered, 0, sizeof(ssTampered));
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
ExpectIntEQ(wc_MlKemKey_Decapsulate(key, ssTampered, ctTampered, ctLen), 0);
|
||||
PRIVATE_KEY_LOCK();
|
||||
ExpectIntNE(XMEMCMP(ssTampered, ss, WC_ML_KEM_SS_SZ), 0);
|
||||
|
||||
/* Tamper at byte 0: also must be rejected. */
|
||||
/* Tamper at byte 0: decapsulation must still return 0. We do NOT assert
|
||||
* ssTampered != ss here: byte 0 sits in the lossy-compressed u portion of
|
||||
* the ciphertext, so a single-bit flip can be absorbed by Decompress and
|
||||
* yield the original shared secret. The byte-32 case above already covers
|
||||
* the "rejection produces a different secret" property. */
|
||||
XMEMCPY(ctTampered, ct, ctLen);
|
||||
ctTampered[0] ^= 0x01;
|
||||
XMEMSET(ssTampered, 0, sizeof(ssTampered));
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
ExpectIntEQ(wc_MlKemKey_Decapsulate(key, ssTampered, ctTampered, ctLen), 0);
|
||||
ExpectIntNE(XMEMCMP(ssTampered, ss, WC_ML_KEM_SS_SZ), 0);
|
||||
PRIVATE_KEY_LOCK();
|
||||
|
||||
DoExpectIntEQ(wc_FreeRng(&rng), 0);
|
||||
wc_MlKemKey_Free(key);
|
||||
|
||||
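Review bot: Dropping the `ExpectIntNE(XMEMCMP(ssTampered, ss, WC_ML_KEM_SS_SZ), 0);` after the byte-0 tamper in test_wc_mlkem_decap_fo_reject weakens the test, and the justification in the new comment does not look right to me. The FO implicit-rejection step (FIPS 203 Algorithm 18) re-encrypts the decrypted message and compares the resulting ciphertext with the received one byte-for-byte, so whether or not Decompress absorbs the flipped bit in u, the re-encryption reproduces the original ciphertext, which differs from the tampered one at byte 0, and the returned secret becomes J(z‖c') rather than the original ss. If that assertion was observed to fail, it would be worth understanding why before removing it — unless the comparison is done in a decompressed domain in this implementation, which the hunk does not show. If the byte-0 case is kept without the assertion, the comment should at least say it is only a "returns 0" check. The enclosing function continues outside the hunk.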
@@ -530,3 +530,146 @@ int test_wc_RNG_HealthTest(void)
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
/*
|
||||
* Testing wc_RNG_HealthTest_SHA512()
|
||||
* Test vectors from NIST CAVP drbgtestvectors.zip, Hash_DRBG.rsp, [SHA-512].
|
||||
* Source: https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-
|
||||
* Validation-Program/documents/drbg/drbgtestvectors.zip
|
||||
*/
|
||||
int test_wc_RNG_HealthTest_SHA512(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(HAVE_HASHDRBG) && defined(WOLFSSL_DRBG_SHA512) && \
|
||||
!defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
|
||||
/* No-reseed test: drbgvectors_no_reseed/Hash_DRBG.rsp, [SHA-512],
|
||||
* COUNT=0 */
|
||||
const byte test1Seed[] =
|
||||
{
|
||||
/* EntropyInput (32 bytes) */
|
||||
0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a,
|
||||
0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22,
|
||||
0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b,
|
||||
0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c,
|
||||
/* Nonce (16 bytes) */
|
||||
0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa,
|
||||
0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25
|
||||
};
|
||||
const byte test1Output[] =
|
||||
{
|
||||
0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57,
|
||||
0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6,
|
||||
0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d,
|
||||
0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf,
|
||||
0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26,
|
||||
0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64,
|
||||
0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55,
|
||||
0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a,
|
||||
0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78,
|
||||
0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e,
|
||||
0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb,
|
||||
0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30,
|
||||
0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19,
|
||||
0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f,
|
||||
0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d,
|
||||
0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a,
|
||||
0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2,
|
||||
0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd,
|
||||
0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd,
|
||||
0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2,
|
||||
0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b,
|
||||
0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1,
|
||||
0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99,
|
||||
0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e,
|
||||
0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3,
|
||||
0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67,
|
||||
0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3,
|
||||
0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d,
|
||||
0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b,
|
||||
0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13,
|
||||
0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c,
|
||||
0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2
|
||||
};
|
||||
|
||||
/* Reseed test: drbgvectors_pr_false/Hash_DRBG.rsp, [SHA-512], COUNT=0 */
|
||||
const byte test2SeedA[] =
|
||||
{
|
||||
/* EntropyInput (32 bytes) */
|
||||
0x31, 0x44, 0xe1, 0x7a, 0x10, 0xc8, 0x56, 0x12,
|
||||
0x97, 0x64, 0xf5, 0x8f, 0xd8, 0xe4, 0x23, 0x10,
|
||||
0x20, 0x54, 0x69, 0x96, 0xc0, 0xbf, 0x6c, 0xff,
|
||||
0x8e, 0x91, 0xc2, 0x4e, 0xe0, 0x9b, 0xe3, 0x33,
|
||||
/* Nonce (16 bytes) */
|
||||
0xb1, 0x6f, 0xcb, 0x1c, 0xf0, 0xc0, 0x10, 0xf3,
|
||||
0x1f, 0xea, 0xb7, 0x33, 0x58, 0x8b, 0x8e, 0x04
|
||||
};
|
||||
const byte test2SeedB[] =
|
||||
{
|
||||
/* EntropyInputReseed (32 bytes) */
|
||||
0xa0, 0xb3, 0x58, 0x4c, 0x2c, 0x84, 0x12, 0xf6,
|
||||
0x18, 0x40, 0x68, 0x34, 0x40, 0x4d, 0x1e, 0xb0,
|
||||
0xce, 0x99, 0x9b, 0xa2, 0x89, 0x66, 0x05, 0x4d,
|
||||
0x7e, 0x49, 0x7e, 0x0d, 0xb6, 0x08, 0xb9, 0x67
|
||||
};
|
||||
const byte test2Output[] =
|
||||
{
|
||||
0xef, 0xa3, 0x5d, 0xd0, 0x36, 0x2a, 0xdb, 0x76,
|
||||
0x26, 0x45, 0x6b, 0x36, 0xfa, 0xc7, 0x4d, 0x3c,
|
||||
0x28, 0xd0, 0x1d, 0x92, 0x64, 0x20, 0x27, 0x5a,
|
||||
0x28, 0xbe, 0xa9, 0xc9, 0xdd, 0x75, 0x47, 0xc1,
|
||||
0x5e, 0x79, 0x31, 0x85, 0x2a, 0xc1, 0x27, 0x70,
|
||||
0x76, 0x56, 0x75, 0x35, 0x23, 0x9c, 0x1f, 0x42,
|
||||
0x9c, 0x7f, 0x75, 0xcf, 0x74, 0xc2, 0x26, 0x7d,
|
||||
0xeb, 0x6a, 0x3e, 0x59, 0x6c, 0xf3, 0x26, 0x15,
|
||||
0x6c, 0x79, 0x69, 0x41, 0x28, 0x3b, 0x8d, 0x58,
|
||||
0x3f, 0x17, 0x1c, 0x2f, 0x6e, 0x33, 0x23, 0xf7,
|
||||
0x55, 0x5e, 0x1b, 0x18, 0x1f, 0xfd, 0xa3, 0x05,
|
||||
0x07, 0x21, 0x0c, 0xb1, 0xf5, 0x89, 0xb2, 0x3c,
|
||||
0xd7, 0x18, 0x80, 0xfd, 0x44, 0x37, 0x0c, 0xac,
|
||||
0xf4, 0x33, 0x75, 0xb0, 0xdb, 0x7e, 0x33, 0x6f,
|
||||
0x12, 0xb3, 0x09, 0xbf, 0xd4, 0xf6, 0x10, 0xbb,
|
||||
0x8f, 0x20, 0xe1, 0xa1, 0x5e, 0x25, 0x3a, 0x4f,
|
||||
0xe5, 0x11, 0xa0, 0x27, 0x96, 0x8d, 0xf0, 0xb1,
|
||||
0x05, 0xa1, 0xd7, 0x3a, 0xff, 0x7c, 0x7a, 0x82,
|
||||
0x6d, 0x39, 0xf6, 0x40, 0xdf, 0xb8, 0xf5, 0x22,
|
||||
0x25, 0x9e, 0xd4, 0x02, 0x28, 0x2e, 0x2c, 0x2e,
|
||||
0x9d, 0x3a, 0x49, 0x8f, 0x51, 0x72, 0x5f, 0xe4,
|
||||
0x14, 0x1b, 0x06, 0xda, 0x55, 0x98, 0xa4, 0x2a,
|
||||
0xc1, 0xe0, 0x49, 0x4e, 0x99, 0x7d, 0x56, 0x6a,
|
||||
0x1a, 0x39, 0xb6, 0x76, 0xb9, 0x6a, 0x60, 0x03,
|
||||
0xa4, 0xc5, 0xdb, 0x84, 0xf2, 0x46, 0x58, 0x4e,
|
||||
0xe6, 0x5a, 0xf7, 0x0f, 0xf2, 0x16, 0x02, 0x78,
|
||||
0x16, 0x6d, 0xa1, 0x6d, 0x91, 0xc9, 0xb8, 0xf2,
|
||||
0xde, 0xb0, 0x27, 0x51, 0xa1, 0x08, 0x8a, 0xd6,
|
||||
0xbe, 0x4e, 0x80, 0xef, 0x96, 0x6e, 0xb7, 0x3e,
|
||||
0x66, 0xbc, 0x87, 0xca, 0xd8, 0x7c, 0x77, 0xc0,
|
||||
0xb3, 0x4a, 0x21, 0xba, 0x1d, 0xa0, 0xba, 0x6d,
|
||||
0x16, 0xca, 0x50, 0x46, 0xdc, 0x4a, 0xbd, 0xa0
|
||||
};
|
||||
|
||||
byte output[WC_SHA512_DIGEST_SIZE * 4]; /* 256 bytes */
|
||||
|
||||
/* Bad parameter tests */
|
||||
ExpectIntNE(wc_RNG_HealthTest_SHA512(0, NULL, sizeof(test1Seed),
|
||||
NULL, 0, output, sizeof(output)), 0);
|
||||
ExpectIntNE(wc_RNG_HealthTest_SHA512(0, test1Seed, sizeof(test1Seed),
|
||||
NULL, 0, NULL, sizeof(output)), 0);
|
||||
ExpectIntNE(wc_RNG_HealthTest_SHA512(0, test1Seed, sizeof(test1Seed),
|
||||
NULL, 0, output, 42), 0); /* wrong output size */
|
||||
|
||||
/* Good parameter tests */
|
||||
/* No-reseed */
|
||||
ExpectIntEQ(wc_RNG_HealthTest_SHA512(0, test1Seed, sizeof(test1Seed),
|
||||
NULL, 0, output, sizeof(output)), 0);
|
||||
ExpectBufEQ(test1Output, output, sizeof(output));
|
||||
|
||||
/* With reseed */
|
||||
ExpectIntEQ(wc_RNG_HealthTest_SHA512(1, test2SeedA, sizeof(test2SeedA),
|
||||
test2SeedB, sizeof(test2SeedB), output, sizeof(output)), 0);
|
||||
ExpectBufEQ(test2Output, output, sizeof(output));
|
||||
|
||||
#endif /* HAVE_HASHDRBG && WOLFSSL_DRBG_SHA512 && !HAVE_SELFTEST && FIPS v7+ */
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
|
||||
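Review bot: The bad-parameter block never exercises the reseed path with a missing reseed input, so a regression that accepts reseed with a NULL second seed would pass this test; adding `ExpectIntNE(wc_RNG_HealthTest_SHA512(1, test2SeedA, sizeof(test2SeedA), NULL, 0, output, sizeof(output)), 0);` next to the other negative cases closes that gap, assuming the SHA-512 variant follows the SHA-256 health test's argument checking. The positive cases look right: 256 bytes of output matches the 2048-bit ReturnedBits of the CAVP Hash_DRBG SHA-512 vectors cited in the header comment.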
@@ -35,6 +35,7 @@ int test_wc_rng_new(void);
|
||||
int test_wc_RNG_DRBG_Reseed(void);
|
||||
int test_wc_RNG_TestSeed(void);
|
||||
int test_wc_RNG_HealthTest(void);
|
||||
int test_wc_RNG_HealthTest_SHA512(void);
|
||||
|
||||
#define TEST_RANDOM_DECLS \
|
||||
TEST_DECL_GROUP("random", test_wc_InitRng), \
|
||||
@@ -47,6 +48,7 @@ int test_wc_RNG_HealthTest(void);
|
||||
TEST_DECL_GROUP("random", test_wc_rng_new), \
|
||||
TEST_DECL_GROUP("random", test_wc_RNG_DRBG_Reseed), \
|
||||
TEST_DECL_GROUP("random", test_wc_RNG_TestSeed), \
|
||||
TEST_DECL_GROUP("random", test_wc_RNG_HealthTest)
|
||||
TEST_DECL_GROUP("random", test_wc_RNG_HealthTest), \
|
||||
TEST_DECL_GROUP("random", test_wc_RNG_HealthTest_SHA512)
|
||||
|
||||
#endif /* WOLFCRYPT_TEST_RANDOM_H */
|
||||
|
||||
+553
-14
@@ -976,16 +976,37 @@ static WC_INLINE void bench_append_memory_info(char* buffer, size_t size,
|
||||
#define BENCH_SLHDSA_SHAKE192F 0x00000100
|
||||
#define BENCH_SLHDSA_SHAKE256S 0x00000200
|
||||
#define BENCH_SLHDSA_SHAKE256F 0x00000400
|
||||
#define BENCH_SLHDSA_SHA2_128S 0x00000800
|
||||
#define BENCH_SLHDSA_SHA2_128F 0x00001000
|
||||
#define BENCH_SLHDSA_SHA2_192S 0x00002000
|
||||
#define BENCH_SLHDSA_SHA2_192F 0x00004000
|
||||
#define BENCH_SLHDSA_SHA2_256S 0x00008000
|
||||
#define BENCH_SLHDSA_SHA2_256F 0x00010000
|
||||
#define BENCH_SLHDSA (BENCH_SLHDSA_SHAKE128S | \
|
||||
BENCH_SLHDSA_SHAKE128F | \
|
||||
BENCH_SLHDSA_SHAKE192S | \
|
||||
BENCH_SLHDSA_SHAKE192F | \
|
||||
BENCH_SLHDSA_SHAKE256S | \
|
||||
BENCH_SLHDSA_SHAKE256F)
|
||||
BENCH_SLHDSA_SHAKE256F | \
|
||||
BENCH_SLHDSA_SHA2_128S | \
|
||||
BENCH_SLHDSA_SHA2_128F | \
|
||||
BENCH_SLHDSA_SHA2_192S | \
|
||||
BENCH_SLHDSA_SHA2_192F | \
|
||||
BENCH_SLHDSA_SHA2_256S | \
|
||||
BENCH_SLHDSA_SHA2_256F)
|
||||
|
||||
/* Other */
|
||||
#define BENCH_RNG 0x00000001
|
||||
#define BENCH_SCRYPT 0x00000002
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
#define BENCH_RNG_SHA512 0x00000004
|
||||
#endif
|
||||
#define BENCH_RNG_INIT 0x00000008
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
#define BENCH_RNG_SHA512_INIT 0x00000010
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM) || \
|
||||
(defined(HAVE_CHACHA) && defined(HAVE_POLY1305))
|
||||
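Review bot: The guard `defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))` is spelled out twice in this hunk and again in the option table, benchmarks_do, bench_rng, bench_rng_init, the bench_rng_sha512 block and the benchmark.h declarations, with the `!defined(WC_NO_RNG)` term present in some copies and absent in others. Defining it once next to these bit values — e.g. `#define BENCH_HAVE_DRBG_SHA512` (name constructed) under that condition — and testing `#ifdef BENCH_HAVE_DRBG_SHA512` everywhere else keeps the next FIPS version bump in one place and makes the WC_NO_RNG handling uniform. As far as this hunk shows, the new bit values do not collide with BENCH_RNG or BENCH_SCRYPT.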
@@ -1293,6 +1314,17 @@ static const bench_alg bench_other_opt[] = {
|
||||
#ifndef WC_NO_RNG
|
||||
{ "-rng", BENCH_RNG },
|
||||
#endif
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
{ "-rng-sha512", BENCH_RNG_SHA512 },
|
||||
#endif
|
||||
#ifndef WC_NO_RNG
|
||||
{ "-rng-init", BENCH_RNG_INIT },
|
||||
#endif
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
{ "-rng-sha512-init", BENCH_RNG_SHA512_INIT },
|
||||
#endif
|
||||
#ifdef HAVE_SCRYPT
|
||||
{ "-scrypt", BENCH_SCRYPT },
|
||||
#endif
|
||||
@@ -1341,6 +1373,12 @@ static const bench_pq_hash_sig_alg bench_pq_hash_sig_opt[] = {
|
||||
{ "-slhdsa-shake192f", BENCH_SLHDSA_SHAKE192F},
|
||||
{ "-slhdsa-shake256s", BENCH_SLHDSA_SHAKE256S},
|
||||
{ "-slhdsa-shake256f", BENCH_SLHDSA_SHAKE256F},
|
||||
{ "-slhdsa-sha2-128s", BENCH_SLHDSA_SHA2_128S},
|
||||
{ "-slhdsa-sha2-128f", BENCH_SLHDSA_SHA2_128F},
|
||||
{ "-slhdsa-sha2-192s", BENCH_SLHDSA_SHA2_192S},
|
||||
{ "-slhdsa-sha2-192f", BENCH_SLHDSA_SHA2_192F},
|
||||
{ "-slhdsa-sha2-256s", BENCH_SLHDSA_SHA2_256S},
|
||||
{ "-slhdsa-sha2-256f", BENCH_SLHDSA_SHA2_256F},
|
||||
{ "-slhdsa", BENCH_SLHDSA },
|
||||
#endif
|
||||
{ NULL, 0}
|
||||
@@ -2058,12 +2096,7 @@ static const char* bench_result_words3[][5] = {
|
||||
#define BENCH_ASYM
|
||||
#endif
|
||||
|
||||
#if defined(BENCH_ASYM)
|
||||
#if ((defined(HAVE_ECC) || !defined(NO_RSA) || !defined(NO_DH) || \
|
||||
defined(HAVE_CURVE25519) || defined(HAVE_ED25519) || \
|
||||
defined(HAVE_CURVE448) || defined(HAVE_ED448) || \
|
||||
defined(HAVE_DILITHIUM) || defined(WOLFSSL_HAVE_LMS)) && \
|
||||
!defined(WC_NO_RNG)) || defined(WOLFSSL_HAVE_MLKEM)
|
||||
#if !defined(WC_NO_RNG) || defined(WOLFSSL_HAVE_MLKEM)
|
||||
static const char* bench_result_words2[][6] = {
|
||||
#ifdef BENCH_MICROSECOND
|
||||
{ "ops took", "μsec" , "avg" , "ops/μsec", "cycles/op",
|
||||
@@ -2077,8 +2110,7 @@ static const char* bench_result_words2[][6] = {
|
||||
NULL }, /* 1 Japanese */
|
||||
#endif
|
||||
};
|
||||
#endif
|
||||
#endif
|
||||
#endif /* !WC_NO_RNG || WOLFSSL_HAVE_MLKEM */
|
||||
|
||||
#ifdef WOLFSSL_CAAM
|
||||
#include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
|
||||
@@ -3202,6 +3234,102 @@ static void bench_stats_sym_finish(const char* desc, int useDeviceID,
|
||||
TEST_SLEEP();
|
||||
} /* bench_stats_sym_finish */
|
||||
|
||||
#ifndef WC_NO_RNG
|
||||
/* Report ops/sec in the same format as bench_stats_asym_finish, but without
|
||||
* requiring BENCH_ASYM to be defined. Used for benchmarks like RNG init/free
|
||||
* that measure operation counts rather than byte throughput. */
|
||||
static void bench_stats_ops_finish(const char* algo, int strength,
|
||||
const char* desc, int count, double start, int ret)
|
||||
{
|
||||
double total, each = 0, opsSec, milliEach;
|
||||
const char **word = bench_result_words2[lng_index];
|
||||
char msg[256];
|
||||
#ifdef BENCH_MICROSECOND
|
||||
const int digits = 5;
|
||||
#else
|
||||
const int digits = 3;
|
||||
#endif
|
||||
|
||||
XMEMSET(msg, 0, sizeof(msg));
|
||||
|
||||
total = current_time(0) - start;
|
||||
|
||||
#ifdef WOLFSSL_ESPIDF
|
||||
END_ESP_CYCLES
|
||||
#else
|
||||
END_CYCLES
|
||||
#endif
|
||||
|
||||
if (count > 0)
|
||||
each = total / count;
|
||||
if (total > 0)
|
||||
opsSec = count / total;
|
||||
else
|
||||
opsSec = 0;
|
||||
|
||||
#ifdef BENCH_MICROSECOND
|
||||
milliEach = each / 1000;
|
||||
#else
|
||||
milliEach = each * 1000;
|
||||
#endif
|
||||
|
||||
SLEEP_ON_ERROR(ret);
|
||||
|
||||
if (csv_format == 1) {
|
||||
(void)XSNPRINTF(msg, sizeof(msg), "%s,%d,%s," FLT_FMT_PREC ","
|
||||
FLT_FMT_PREC "," STATS_CLAUSE_SEPARATOR,
|
||||
algo, strength, desc,
|
||||
FLT_FMT_PREC_ARGS(3, milliEach),
|
||||
FLT_FMT_PREC_ARGS(digits, opsSec));
|
||||
}
|
||||
else {
|
||||
#ifdef HAVE_GET_CYCLES
|
||||
(void)XSNPRINTF(msg, sizeof(msg),
|
||||
"%-6s %5d %8s %6d %s " FLT_FMT_PREC2 " %s, %s "
|
||||
FLT_FMT_PREC2 " ms, " FLT_FMT_PREC2 " %s, %lu cycles",
|
||||
algo, strength, desc,
|
||||
count, word[0],
|
||||
FLT_FMT_PREC2_ARGS(5, 3, total), word[1], word[2],
|
||||
FLT_FMT_PREC2_ARGS(5, 3, milliEach),
|
||||
FLT_FMT_PREC2_ARGS(digits + 6, digits, opsSec),
|
||||
word[3], (unsigned long)total_cycles);
|
||||
#else
|
||||
(void)XSNPRINTF(msg, sizeof(msg),
|
||||
"%-6s %5d %8s %6d %s " FLT_FMT_PREC2 " %s, %s "
|
||||
FLT_FMT_PREC2 " ms, " FLT_FMT_PREC2 " %s",
|
||||
algo, strength, desc,
|
||||
count, word[0],
|
||||
FLT_FMT_PREC2_ARGS(5, 3, total), word[1], word[2],
|
||||
FLT_FMT_PREC2_ARGS(5, 3, milliEach),
|
||||
FLT_FMT_PREC2_ARGS(digits + 6, digits, opsSec),
|
||||
word[3]);
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_ESPIDF
|
||||
SHOW_ESP_CYCLES_OPS(msg, sizeof(msg));
|
||||
#else
|
||||
SHOW_CYCLES_OPS(msg, sizeof(msg));
|
||||
#endif
|
||||
}
|
||||
|
||||
printf("%s", msg);
|
||||
|
||||
if (ret < 0) {
|
||||
printf("%sBenchmark %s %s %d failed: %d\n",
|
||||
err_prefix, algo, desc, strength, ret);
|
||||
}
|
||||
|
||||
#ifndef WOLFSSL_SGX
|
||||
XFFLUSH(stdout);
|
||||
#endif
|
||||
|
||||
(void)ret;
|
||||
|
||||
bench_stats_prepare();
|
||||
TEST_SLEEP();
|
||||
} /* bench_stats_ops_finish */
|
||||
#endif /* !WC_NO_RNG */
|
||||
|
||||
#ifdef BENCH_ASYM
|
||||
#if ((defined(HAVE_ECC) || !defined(NO_RSA) || !defined(NO_DH) || \
|
||||
defined(HAVE_CURVE25519) || defined(HAVE_ED25519) || \
|
||||
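Review bot: bench_stats_ops_finish reproduces the formatting body of bench_stats_asym_finish nearly line for line (timing, cycle macros, CSV and text branches, flush, sleep) in order to escape the BENCH_ASYM guard, and two copies of a ~90-line printf block will drift the next time a column or format string changes. A smaller change keeps one body: either place this function above the BENCH_ASYM guard and have bench_stats_asym_finish delegate to it, or widen the guard on the existing function — which of the two fits depends on asym_finish's extra parameters, which are outside the hunk. Minor: `(void)ret;` is dead here because `ret` is already read by `if (ret < 0)` and `SLEEP_ON_ERROR(ret)`.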
@@ -3839,6 +3967,12 @@ static void* benchmarks_do(void* args)
|
||||
if (bench_all || (bench_other_algs & BENCH_RNG))
|
||||
bench_rng();
|
||||
#endif /* WC_NO_RNG */
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(WC_NO_RNG) && \
|
||||
!defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
if (bench_all || (bench_other_algs & BENCH_RNG_SHA512))
|
||||
bench_rng_sha512();
|
||||
#endif
|
||||
#ifndef NO_AES
|
||||
#ifdef HAVE_AES_CBC
|
||||
if (bench_all || (bench_cipher_algs & BENCH_AES_CBC)) {
|
||||
@@ -4401,6 +4535,36 @@ static void* benchmarks_do(void* args)
|
||||
bench_slhdsa(SLHDSA_SHAKE256F);
|
||||
}
|
||||
#endif
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_128S
|
||||
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_128S) {
|
||||
bench_slhdsa(SLHDSA_SHA2_128S);
|
||||
}
|
||||
#endif
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_128F
|
||||
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_128F) {
|
||||
bench_slhdsa(SLHDSA_SHA2_128F);
|
||||
}
|
||||
#endif
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_192S
|
||||
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_192S) {
|
||||
bench_slhdsa(SLHDSA_SHA2_192S);
|
||||
}
|
||||
#endif
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_192F
|
||||
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_192F) {
|
||||
bench_slhdsa(SLHDSA_SHA2_192F);
|
||||
}
|
||||
#endif
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_256S
|
||||
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_256S) {
|
||||
bench_slhdsa(SLHDSA_SHA2_256S);
|
||||
}
|
||||
#endif
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_256F
|
||||
if (bench_pq_hash_sig_algs & BENCH_SLHDSA_SHA2_256F) {
|
||||
bench_slhdsa(SLHDSA_SHA2_256F);
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
(void)bench_pq_hash_sig_algs;
|
||||
|
||||
@@ -4601,6 +4765,16 @@ static void* benchmarks_do(void* args)
|
||||
bench_sphincsKeySign(5, SMALL_VARIANT);
|
||||
#endif
|
||||
|
||||
#ifndef WC_NO_RNG
|
||||
if (bench_all || (bench_other_algs & BENCH_RNG_INIT))
|
||||
bench_rng_init();
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
if (bench_all || (bench_other_algs & BENCH_RNG_SHA512_INIT))
|
||||
bench_rng_sha512_init();
|
||||
#endif
|
||||
#endif
|
||||
|
||||
exit:
|
||||
/* free benchmark buffers */
|
||||
XFREE(bench_plain, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
|
||||
@@ -4733,6 +4907,19 @@ int benchmark_init(void)
|
||||
wc_SetSeed_Cb(WC_GENERATE_SEED_DEFAULT);
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_FIPS) && FIPS_VERSION3_GE(7,0,0)
|
||||
/* Pre-run all CASTs so their overhead is not captured in benchmark
|
||||
* metrics. Without this, the first use of each algorithm triggers
|
||||
* its CAST on-demand, inflating that algorithm's benchmark numbers. */
|
||||
{
|
||||
int castRet = wc_RunAllCast_fips();
|
||||
if (castRet != 0) {
|
||||
printf("%swc_RunAllCast_fips: %d CAST(s) failed, module in "
|
||||
"DEGRADED mode\n", err_prefix, castRet);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
bench_stats_init();
|
||||
|
||||
#if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND)
|
||||
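Review bot: After `wc_RunAllCast_fips()` reports failures the function only prints and carries on, so the whole run then measures a module in degraded mode and each later algorithm whose CAST failed errors out individually with less useful messages. Since benchmark_init returns int, consider propagating the failure — `return castRet;` after the printf, or a dedicated non-zero code if callers treat the return as a status — so the operator sees one clear failure instead of a table of partial results. Whether any caller depends on benchmark_init succeeding with a degraded module is not visible in the hunk.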
@@ -4947,6 +5134,21 @@ void bench_rng(void)
|
||||
WC_RNG myrng;
|
||||
DECLARE_MULTI_VALUE_STATS_VARS()
|
||||
|
||||
/* Force SHA-256 DRBG by temporarily disabling SHA-512 DRBG */
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
#if !defined(NO_SHA256)
|
||||
ret = wc_Sha512Drbg_Disable();
|
||||
if (ret != 0) {
|
||||
printf("wc_Sha512Drbg_Disable failed %d\n", ret);
|
||||
return;
|
||||
}
|
||||
#else
|
||||
printf("RNG SHA-256 DRBG (Skipped: Disabled)\n");
|
||||
return;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
bench_stats_prepare();
|
||||
|
||||
#ifndef HAVE_FIPS
|
||||
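Review bot: `wc_Sha512Drbg_Disable()` toggles what appears to be process-wide DRBG selection state, yet the matching `wc_Sha512Drbg_Enable()` calls in the error path of the next hunk and at the end of bench_rng discard their return value, as do the enable calls in bench_rng_sha512, bench_rng_init and bench_rng_sha512_init; if re-enabling fails, every benchmark that follows silently runs on the other DRBG and its output is mislabelled. Check and report it the way the disable is checked: `if (wc_Sha512Drbg_Enable() != 0) printf("wc_Sha512Drbg_Enable failed\n");`. The "Force SHA-256 DRBG" comment would also benefit from a line saying the toggle is global and must be restored on every exit path, since bench_rng's remaining early returns lie outside this hunk.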
@@ -4955,7 +5157,11 @@ void bench_rng(void)
|
||||
ret = wc_InitRng(&myrng);
|
||||
#endif
|
||||
if (ret < 0) {
|
||||
printf("InitRNG failed %d\n", ret);
|
||||
printf("InitRNG (SHA-256) failed %d\n", ret);
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
wc_Sha512Drbg_Enable();
|
||||
#endif
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -4986,15 +5192,204 @@ void bench_rng(void)
|
||||
#endif
|
||||
);
|
||||
exit_rng:
|
||||
bench_stats_sym_finish("RNG", 0, count, bench_size, start, ret);
|
||||
bench_stats_sym_finish("RNG SHA-256 DRBG", 0, count, bench_size, start,
|
||||
ret);
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
bench_multi_value_stats(max, min, sum, squareSum, runs);
|
||||
#endif
|
||||
|
||||
wc_FreeRng(&myrng);
|
||||
|
||||
/* Restore SHA-512 DRBG */
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
wc_Sha512Drbg_Enable();
|
||||
#endif
|
||||
}
|
||||
#endif /* WC_NO_RNG */
|
||||
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(WC_NO_RNG) && \
|
||||
!defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
void bench_rng_sha512(void)
|
||||
{
|
||||
int ret, i, count;
|
||||
double start;
|
||||
long pos, len, remain;
|
||||
WC_RNG myrng;
|
||||
DECLARE_MULTI_VALUE_STATS_VARS()
|
||||
|
||||
/* Force SHA-512 DRBG by temporarily disabling SHA-256 DRBG */
|
||||
#ifndef NO_SHA256
|
||||
ret = wc_Sha256Drbg_Disable();
|
||||
if (ret != 0) {
|
||||
printf("wc_Sha256Drbg_Disable failed %d\n", ret);
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
|
||||
bench_stats_prepare();
|
||||
|
||||
#ifndef HAVE_FIPS
|
||||
ret = wc_InitRng_ex(&myrng, HEAP_HINT, devId);
|
||||
#else
|
||||
ret = wc_InitRng(&myrng);
|
||||
#endif
|
||||
if (ret < 0) {
|
||||
printf("InitRNG (SHA-512) failed %d\n", ret);
|
||||
#ifndef NO_SHA256
|
||||
wc_Sha256Drbg_Enable();
|
||||
#endif
|
||||
return;
|
||||
}
|
||||
|
||||
bench_stats_start(&count, &start);
|
||||
do {
|
||||
for (i = 0; i < numBlocks; i++) {
|
||||
/* Split request to handle large RNG request */
|
||||
pos = 0;
|
||||
remain = (int)bench_size;
|
||||
while (remain > 0) {
|
||||
len = remain;
|
||||
if (len > RNG_MAX_BLOCK_LEN)
|
||||
len = RNG_MAX_BLOCK_LEN;
|
||||
ret = wc_RNG_GenerateBlock(&myrng, &bench_plain[pos],
|
||||
(word32)len);
|
||||
if (ret < 0)
|
||||
goto exit_rng_sha512;
|
||||
|
||||
remain -= len;
|
||||
pos += len;
|
||||
}
|
||||
RECORD_MULTI_VALUE_STATS();
|
||||
}
|
||||
count += i;
|
||||
} while (bench_stats_check(start)
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
|| runs < minimum_runs
|
||||
#endif
|
||||
);
|
||||
exit_rng_sha512:
|
||||
bench_stats_sym_finish("RNG SHA-512 DRBG", 0, count, bench_size, start,
|
||||
ret);
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
bench_multi_value_stats(max, min, sum, squareSum, runs);
|
||||
#endif
|
||||
|
||||
wc_FreeRng(&myrng);
|
||||
|
||||
/* Restore SHA-256 DRBG */
|
||||
#ifndef NO_SHA256
|
||||
wc_Sha256Drbg_Enable();
|
||||
#endif
|
||||
}
|
||||
#endif /* WOLFSSL_DRBG_SHA512 && !WC_NO_RNG && !HAVE_SELFTEST && FIPS v7+ */
|
||||
|
||||
#ifndef WC_NO_RNG
|
||||
void bench_rng_init(void)
|
||||
{
|
||||
int ret, count;
|
||||
double start;
|
||||
WC_RNG myrng;
|
||||
DECLARE_MULTI_VALUE_STATS_VARS()
|
||||
|
||||
/* Force SHA-256 DRBG by temporarily disabling SHA-512 DRBG */
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
#if !defined(NO_SHA256)
|
||||
ret = wc_Sha512Drbg_Disable();
|
||||
if (ret != 0) {
|
||||
printf("wc_Sha512Drbg_Disable failed %d\n", ret);
|
||||
return;
|
||||
}
|
||||
#else
|
||||
printf("RNG SHA-256 Init/Free (Skipped: Disabled)\n");
|
||||
return;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
bench_stats_start(&count, &start);
|
||||
do {
|
||||
#ifndef HAVE_FIPS
|
||||
ret = wc_InitRng_ex(&myrng, HEAP_HINT, devId);
|
||||
#else
|
||||
ret = wc_InitRng(&myrng);
|
||||
#endif
|
||||
if (ret < 0) {
|
||||
printf("InitRNG (SHA-256 init bench) failed %d\n", ret);
|
||||
goto exit_rng_init;
|
||||
}
|
||||
wc_FreeRng(&myrng);
|
||||
count++;
|
||||
RECORD_MULTI_VALUE_STATS();
|
||||
} while (bench_stats_check(start)
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
|| runs < minimum_runs
|
||||
#endif
|
||||
);
|
||||
exit_rng_init:
|
||||
bench_stats_ops_finish("RNG", 256, "SHA256 Init/Free", count, start, ret);
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
bench_multi_value_stats(max, min, sum, squareSum, runs);
|
||||
#endif
|
||||
|
||||
/* Restore SHA-512 DRBG */
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
wc_Sha512Drbg_Enable();
|
||||
#endif
|
||||
}
|
||||
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
void bench_rng_sha512_init(void)
|
||||
{
|
||||
int ret, count;
|
||||
double start;
|
||||
WC_RNG myrng;
|
||||
DECLARE_MULTI_VALUE_STATS_VARS()
|
||||
|
||||
/* Force SHA-512 DRBG by temporarily disabling SHA-256 DRBG */
|
||||
#ifndef NO_SHA256
|
||||
ret = wc_Sha256Drbg_Disable();
|
||||
if (ret != 0) {
|
||||
printf("wc_Sha256Drbg_Disable failed %d\n", ret);
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
|
||||
bench_stats_start(&count, &start);
|
||||
do {
|
||||
#ifndef HAVE_FIPS
|
||||
ret = wc_InitRng_ex(&myrng, HEAP_HINT, devId);
|
||||
#else
|
||||
ret = wc_InitRng(&myrng);
|
||||
#endif
|
||||
if (ret < 0) {
|
||||
printf("InitRNG (SHA-512 init bench) failed %d\n", ret);
|
||||
goto exit_rng_sha512_init;
|
||||
}
|
||||
wc_FreeRng(&myrng);
|
||||
count++;
|
||||
RECORD_MULTI_VALUE_STATS();
|
||||
} while (bench_stats_check(start)
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
|| runs < minimum_runs
|
||||
#endif
|
||||
);
|
||||
exit_rng_sha512_init:
|
||||
bench_stats_ops_finish("RNG", 512, "SHA512 Init/Free", count, start, ret);
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
bench_multi_value_stats(max, min, sum, squareSum, runs);
|
||||
#endif
|
||||
|
||||
/* Restore SHA-256 DRBG */
|
||||
#ifndef NO_SHA256
|
||||
wc_Sha256Drbg_Enable();
|
||||
#endif
|
||||
}
|
||||
#endif /* WOLFSSL_DRBG_SHA512 && !HAVE_SELFTEST && FIPS v7+ */
|
||||
#endif /* !WC_NO_RNG */
|
||||
|
||||
/* ============================================================================
|
||||
* Benchmark init helpers -- use id[] when WC_TEST_*_ID is defined and
|
||||
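Review bot: bench_rng_init and bench_rng_sha512_init are the same function twice, differing only in which DRBG is disabled, the failure string and the two arguments to bench_stats_ops_finish, and bench_rng_sha512 repeats bench_rng's block loop the same way; a shared static helper taking the label, strength and a selector for which DRBG to suppress would halve the code and keep the four disable/enable sequences in lockstep. The two "Force …" comments also describe the default inconsistently: bench_rng says SHA-512 must be disabled to get SHA-256, implying SHA-512 wins when both are built, while bench_rng_sha512 disables SHA-256 to "force" SHA-512 — if SHA-512 is already the default that disable is redundant and should be labelled defensive, and if it is not, bench_rng's comment is wrong. Minor: `remain = (int)bench_size;` narrows to int only to widen back into `long remain`; `remain = (long)bench_size;` says what is meant.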
@@ -10851,6 +11246,7 @@ exit_encap:
|
||||
RESET_MULTI_VALUE_STATS_VARS();
|
||||
|
||||
/* MLKEM Decapsulate */
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
bench_stats_start(&count, &start);
|
||||
do {
|
||||
/* while free pending slots in queue, submit ops */
|
||||
@@ -10868,6 +11264,7 @@ exit_encap:
|
||||
);
|
||||
|
||||
exit_decap:
|
||||
PRIVATE_KEY_LOCK();
|
||||
bench_stats_asym_finish(name, keySize, desc[13], 0, count, start, ret);
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
bench_multi_value_stats(max, min, sum, squareSum, runs);
|
||||
@@ -11360,6 +11757,13 @@ static void bench_lms_sign_verify(enum wc_LmsParm parm, byte* pub)
|
||||
case WC_LMS_PARM_L4_H5_W4:
|
||||
case WC_LMS_PARM_L4_H10_W4:
|
||||
case WC_LMS_PARM_L4_H10_W8:
|
||||
case WC_LMS_PARM_L1_H25_W1:
|
||||
case WC_LMS_PARM_L1_H25_W2:
|
||||
case WC_LMS_PARM_L1_H25_W4:
|
||||
case WC_LMS_PARM_L1_H25_W8:
|
||||
case WC_LMS_PARM_L1_H10_W1:
|
||||
case WC_LMS_PARM_L1_H15_W1:
|
||||
case WC_LMS_PARM_L1_H20_W1:
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_LMS_SHA256_192
|
||||
@@ -11383,6 +11787,57 @@ static void bench_lms_sign_verify(enum wc_LmsParm parm, byte* pub)
|
||||
case WC_LMS_PARM_SHA256_192_L3_H5_W8:
|
||||
case WC_LMS_PARM_SHA256_192_L3_H10_W4:
|
||||
case WC_LMS_PARM_SHA256_192_L4_H5_W8:
|
||||
case WC_LMS_PARM_SHA256_192_L1_H25_W1:
|
||||
case WC_LMS_PARM_SHA256_192_L1_H25_W2:
|
||||
case WC_LMS_PARM_SHA256_192_L1_H25_W4:
|
||||
case WC_LMS_PARM_SHA256_192_L1_H25_W8:
|
||||
case WC_LMS_PARM_SHA256_192_L1_H10_W1:
|
||||
case WC_LMS_PARM_SHA256_192_L1_H15_W1:
|
||||
case WC_LMS_PARM_SHA256_192_L1_H20_W1:
|
||||
case WC_LMS_PARM_SHA256_192_L1_H15_W8:
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_LMS_SHAKE256
|
||||
case WC_LMS_PARM_SHAKE_L1_H5_W1:
|
||||
case WC_LMS_PARM_SHAKE_L1_H5_W2:
|
||||
case WC_LMS_PARM_SHAKE_L1_H5_W4:
|
||||
case WC_LMS_PARM_SHAKE_L1_H5_W8:
|
||||
case WC_LMS_PARM_SHAKE_L1_H10_W1:
|
||||
case WC_LMS_PARM_SHAKE_L1_H10_W2:
|
||||
case WC_LMS_PARM_SHAKE_L1_H10_W4:
|
||||
case WC_LMS_PARM_SHAKE_L1_H10_W8:
|
||||
case WC_LMS_PARM_SHAKE_L1_H15_W1:
|
||||
case WC_LMS_PARM_SHAKE_L1_H15_W2:
|
||||
case WC_LMS_PARM_SHAKE_L1_H15_W4:
|
||||
case WC_LMS_PARM_SHAKE_L1_H15_W8:
|
||||
case WC_LMS_PARM_SHAKE_L1_H20_W1:
|
||||
case WC_LMS_PARM_SHAKE_L1_H20_W2:
|
||||
case WC_LMS_PARM_SHAKE_L1_H20_W4:
|
||||
case WC_LMS_PARM_SHAKE_L1_H20_W8:
|
||||
case WC_LMS_PARM_SHAKE_L1_H25_W1:
|
||||
case WC_LMS_PARM_SHAKE_L1_H25_W2:
|
||||
case WC_LMS_PARM_SHAKE_L1_H25_W4:
|
||||
case WC_LMS_PARM_SHAKE_L1_H25_W8:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H5_W1:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H5_W2:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H5_W4:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H5_W8:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H10_W1:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H10_W2:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H10_W4:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H10_W8:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H15_W1:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H15_W2:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H15_W4:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H15_W8:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H20_W1:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H20_W2:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H20_W4:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H20_W8:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H25_W1:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H25_W2:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H25_W4:
|
||||
case WC_LMS_PARM_SHAKE192_L1_H25_W8:
|
||||
#endif
|
||||
|
||||
default:
|
||||
@@ -12207,9 +12662,17 @@ void bench_slhdsa(enum SlhDsaParam param)
|
||||
}
|
||||
|
||||
len = wc_SlhDsaKey_PublicSize(key) / 2 * 8;
|
||||
XMEMCPY(name, "SLH-DSA-S", 10);
|
||||
if ((param & 1) == 1) {
|
||||
name[8] = 'F';
|
||||
if (SLHDSA_IS_SHA2(param)) {
|
||||
XMEMCPY(name, "SLH-DSA-SHA2-S", 15);
|
||||
if ((param & 1) == 1) {
|
||||
name[13] = 'F';
|
||||
}
|
||||
}
|
||||
else {
|
||||
XMEMCPY(name, "SLH-DSA-S", 10);
|
||||
if ((param & 1) == 1) {
|
||||
name[8] = 'F';
|
||||
}
|
||||
}
|
||||
|
||||
bench_stats_start(&count, &start);
|
||||
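Review bot: The SHA2 branch now writes 15 bytes into `name` where the previous code wrote 10, and the declaration of `name` is outside the hunk; if it was sized for the old string this is a stack overflow on every SHA2 parameter set, so confirm the array holds at least 15 bytes or, better, replace both XMEMCPYs with a bounded `(void)XSNPRINTF(name, sizeof(name), "SLH-DSA-%s%c", SLHDSA_IS_SHA2(param) ? "SHA2-" : "", (param & 1) ? 'F' : 'S');` so the size is checked rather than assumed. The SHAKE branch still labels itself plainly `SLH-DSA-S`/`SLH-DSA-F`, which now reads as the unqualified sibling of the SHA2 label; `SLH-DSA-SHAKE-S` would make the benchmark table unambiguous, with `name` enlarged accordingly.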
@@ -12227,6 +12690,7 @@ void bench_slhdsa(enum SlhDsaParam param)
|
||||
);
|
||||
bench_stats_asym_finish(name, len, "gen", 0, count, start, ret);
|
||||
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
bench_stats_start(&count, &start);
|
||||
do {
|
||||
sigLen = WC_SLHDSA_MAX_SIG_LEN;
|
||||
@@ -12242,6 +12706,7 @@ void bench_slhdsa(enum SlhDsaParam param)
|
||||
|| runs < minimum_runs
|
||||
#endif
|
||||
);
|
||||
PRIVATE_KEY_LOCK();
|
||||
bench_stats_asym_finish(name, len, "sign", 0, count, start, ret);
|
||||
|
||||
outLen = (word32)sizeof(pk);
|
||||
@@ -12274,6 +12739,78 @@ void bench_slhdsa(enum SlhDsaParam param)
|
||||
);
|
||||
bench_stats_asym_finish(name, len, "verify", 0, count, start, ret);
|
||||
|
||||
/* Internal interface: sign M' directly (no M' construction). */
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
bench_stats_start(&count, &start);
|
||||
do {
|
||||
sigLen = WC_SLHDSA_MAX_SIG_LEN;
|
||||
ret = wc_SlhDsaKey_SignMsgDeterministic(key, msg,
|
||||
(word32)sizeof(msg), sig, &sigLen);
|
||||
if (ret != 0) {
|
||||
goto exit;
|
||||
}
|
||||
count++;
|
||||
RECORD_MULTI_VALUE_STATS();
|
||||
} while (bench_stats_check(start)
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
|| runs < minimum_runs
|
||||
#endif
|
||||
);
|
||||
PRIVATE_KEY_LOCK();
|
||||
bench_stats_asym_finish(name, len, "sign-msg", 0, count, start, ret);
|
||||
|
||||
bench_stats_start(&count, &start);
|
||||
do {
|
||||
ret = wc_SlhDsaKey_VerifyMsg(key_vfy, msg, (word32)sizeof(msg),
|
||||
sig, sigLen);
|
||||
if (ret != 0) {
|
||||
goto exit;
|
||||
}
|
||||
count++;
|
||||
RECORD_MULTI_VALUE_STATS();
|
||||
} while (bench_stats_check(start)
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
|| runs < minimum_runs
|
||||
#endif
|
||||
);
|
||||
bench_stats_asym_finish(name, len, "vrfy-msg", 0, count, start, ret);
|
||||
|
||||
/* Pre-hash interface: hash message, then sign the hash. */
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
bench_stats_start(&count, &start);
|
||||
do {
|
||||
sigLen = WC_SLHDSA_MAX_SIG_LEN;
|
||||
ret = wc_SlhDsaKey_SignHashDeterministic(key, ctx, 0, msg,
|
||||
(word32)sizeof(msg), WC_HASH_TYPE_SHA256, sig, &sigLen);
|
||||
if (ret != 0) {
|
||||
goto exit;
|
||||
}
|
||||
count++;
|
||||
RECORD_MULTI_VALUE_STATS();
|
||||
} while (bench_stats_check(start)
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
|| runs < minimum_runs
|
||||
#endif
|
||||
);
|
||||
PRIVATE_KEY_LOCK();
|
||||
bench_stats_asym_finish(name, len, "sign-pre", 0, count, start, ret);
|
||||
|
||||
bench_stats_start(&count, &start);
|
||||
do {
|
||||
ret = wc_SlhDsaKey_VerifyHash(key_vfy, ctx, 0, msg,
|
||||
(word32)sizeof(msg), WC_HASH_TYPE_SHA256, sig, sigLen);
|
||||
if (ret != 0) {
|
||||
goto exit;
|
||||
}
|
||||
count++;
|
||||
RECORD_MULTI_VALUE_STATS();
|
||||
} while (bench_stats_check(start)
|
||||
#ifdef MULTI_VALUE_STATISTICS
|
||||
|| runs < minimum_runs
|
||||
#endif
|
||||
);
|
||||
bench_stats_asym_finish(name, len, "vrfy-pre", 0, count, start, ret);
|
||||
|
||||
exit:
|
||||
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
|
||||
if (key_vfy)
|
||||
@@ -15663,6 +16200,7 @@ void bench_dilithiumKeySign(byte level)
|
||||
|
||||
#elif !defined WOLFSSL_DILITHIUM_NO_SIGN
|
||||
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
#ifndef WOLFSSL_NO_ML_DSA_44
|
||||
if (level == 2) {
|
||||
ret = wc_dilithium_import_private(bench_dilithium_level2_key,
|
||||
@@ -15681,6 +16219,7 @@ void bench_dilithiumKeySign(byte level)
|
||||
sizeof_bench_dilithium_level5_key, key);
|
||||
}
|
||||
#endif
|
||||
PRIVATE_KEY_LOCK();
|
||||
if (ret != 0) {
|
||||
printf("Failed to load private key\n");
|
||||
goto out;
|
||||
|
||||
@@ -130,6 +130,13 @@ void bench_sakkeRskGen(void);
|
||||
void bench_sakkeValidate(void);
|
||||
void bench_sakke(void);
|
||||
void bench_rng(void);
|
||||
void bench_rng_init(void);
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(WC_NO_RNG) && \
|
||||
!defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
void bench_rng_sha512(void);
|
||||
void bench_rng_sha512_init(void);
|
||||
#endif
|
||||
void bench_blake2b(void);
|
||||
void bench_blake2s(void);
|
||||
void bench_ascon_hash(void);
|
||||
|
||||
@@ -4466,6 +4466,12 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32* inOutI
|
||||
#ifndef WOLFSSL_NOSHA3_512
|
||||
static const byte hashSha3_512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 10};
|
||||
#endif /* WOLFSSL_NOSHA3_512 */
|
||||
#ifdef WOLFSSL_SHAKE128
|
||||
static const byte hashShake128hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 11};
|
||||
#endif /* WOLFSSL_SHAKE128 */
|
||||
#ifdef WOLFSSL_SHAKE256
|
||||
static const byte hashShake256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 12};
|
||||
#endif /* WOLFSSL_SHAKE256 */
|
||||
#endif /* WOLFSSL_SHA3 */
|
||||
|
||||
/* hmacType */
|
||||
@@ -5339,6 +5345,18 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
|
||||
*oidSz = sizeof(hashSha3_512hOid);
|
||||
break;
|
||||
#endif /* WOLFSSL_NOSHA3_512 */
|
||||
#ifdef WOLFSSL_SHAKE128
|
||||
case SHAKE128h:
|
||||
oid = hashShake128hOid;
|
||||
*oidSz = sizeof(hashShake128hOid);
|
||||
break;
|
||||
#endif /* WOLFSSL_SHAKE128 */
|
||||
#ifdef WOLFSSL_SHAKE256
|
||||
case SHAKE256h:
|
||||
oid = hashShake256hOid;
|
||||
*oidSz = sizeof(hashShake256hOid);
|
||||
break;
|
||||
#endif /* WOLFSSL_SHAKE256 */
|
||||
#endif /* WOLFSSL_SHA3 */
|
||||
default:
|
||||
break;
|
||||
|
||||
@@ -1063,6 +1063,11 @@ static int CheckDhLN(word32 modLen, word32 divLen)
|
||||
if (divLen == 224 || divLen == 256)
|
||||
ret = 0;
|
||||
break;
|
||||
/* Per SP 800-56Ar3 Table 2 */
|
||||
case 3072:
|
||||
if (divLen == 256)
|
||||
ret = 0;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
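Review bot: The new `/* Per SP 800-56Ar3 Table 2 */` comment on the 3072 case should be checked against what divLen means here: the existing 2048 cases accept divLen of 224 or 256, which are the FIPS 186-4 Section 4.2 (L, N) sizes, and (3072, 256) is the next entry of that same list, whereas SP 800-56Ar3 Table 2 (as I recall it) covers safe-prime groups whose q is p-1 bits and would never match a 256-bit divLen. If the intent is the FIPS 186-4 parameter sizes, the citation could read `/* Per FIPS 186-4 Section 4.2 (L, N) = (3072, 256) */`, optionally also naming the SP 800-56Ar3 clause that still permits them; if the intent really is the safe-prime table, the 256 comparison is the thing to revisit. The switch and the start of CheckDhLN are outside the hunk, so I cannot see which callers feed divLen.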
+162
-5
@@ -138,6 +138,11 @@
|
||||
|
||||
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
|
||||
|
||||
#if FIPS_VERSION3_GE(2,0,0)
|
||||
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
||||
#define FIPS_NO_WRAPPERS
|
||||
#endif
|
||||
|
||||
#ifndef WOLFSSL_DILITHIUM_NO_ASN1
|
||||
#include <wolfssl/wolfcrypt/asn.h>
|
||||
#endif
|
||||
@@ -814,6 +819,15 @@ static int dilithium_get_hash_oid(int hash, byte* oidBuffer, word32* oidLen)
|
||||
oid = sha512Oid;
|
||||
}
|
||||
else
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
if (hash == WC_HASH_TYPE_SHA512_224) {
|
||||
static byte sha512_224Oid[DILITHIUM_HASH_OID_LEN] = {
|
||||
0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x05
|
||||
};
|
||||
oid = sha512_224Oid;
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
if (hash == WC_HASH_TYPE_SHA512_256) {
|
||||
static byte sha512_256Oid[DILITHIUM_HASH_OID_LEN] = {
|
||||
@@ -9520,7 +9534,7 @@ static void dilithium_make_pub_vec(dilithium_key* key, sword32* t1)
|
||||
* @return MEMORY_E when memory allocation fails.
|
||||
* @return Other negative when an error occurs.
|
||||
*/
|
||||
static int dilithium_verify_mu(dilithium_key* key, const byte* mu,
|
||||
static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu,
|
||||
const byte* sig, word32 sigLen, int* res)
|
||||
{
|
||||
#ifndef WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM
|
||||
@@ -9979,7 +9993,7 @@ static int dilithium_verify_ctx_msg(dilithium_key* key, const byte* ctx,
|
||||
ctx, (byte)ctxLen, msg, msgLen, mu, DILITHIUM_MU_SZ);
|
||||
}
|
||||
if (ret == 0) {
|
||||
ret = dilithium_verify_mu(key, mu, sig, sigLen, res);
|
||||
ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
|
||||
}
|
||||
|
||||
return ret;
|
||||
@@ -10023,7 +10037,7 @@ static int dilithium_verify_msg(dilithium_key* key, const byte* msg,
|
||||
mu, DILITHIUM_MU_SZ);
|
||||
}
|
||||
if (ret == 0) {
|
||||
ret = dilithium_verify_mu(key, mu, sig, sigLen, res);
|
||||
ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
|
||||
}
|
||||
|
||||
return ret;
|
||||
@@ -10085,7 +10099,7 @@ static int dilithium_verify_ctx_hash(dilithium_key* key, const byte* ctx,
|
||||
ctx, (byte)ctxLen, oidMsgHash, oidMsgHashLen, mu, DILITHIUM_MU_SZ);
|
||||
}
|
||||
if (ret == 0) {
|
||||
ret = dilithium_verify_mu(key, mu, sig, sigLen, res);
|
||||
ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
|
||||
}
|
||||
|
||||
return ret;
|
||||
@@ -10310,6 +10324,45 @@ int wc_dilithium_make_key(dilithium_key* key, WC_RNG* rng)
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef HAVE_FIPS
|
||||
/* Pairwise Consistency Test (PCT) per FIPS 140-3 / ISO 19790:2012
|
||||
* Section 7.10.3.3 (TE10.35.02): sign with new sk, verify with pk.
|
||||
* Runs on every key generation. */
|
||||
if (ret == 0) {
|
||||
static const byte pct_msg[] = "wolfSSL ML-DSA PCT";
|
||||
WC_DECLARE_VAR(pct_sig, byte, DILITHIUM_MAX_SIG_SIZE, key->heap);
|
||||
word32 pct_sigSz = DILITHIUM_MAX_SIG_SIZE;
|
||||
int pct_res = 0;
|
||||
|
||||
WC_ALLOC_VAR_EX(pct_sig, byte, DILITHIUM_MAX_SIG_SIZE, key->heap,
|
||||
DYNAMIC_TYPE_DILITHIUM, ret = MEMORY_E);
|
||||
|
||||
if (ret == 0) {
|
||||
ret = wc_dilithium_sign_ctx_msg(NULL, 0, pct_msg, sizeof(pct_msg),
|
||||
pct_sig, &pct_sigSz, key, rng);
|
||||
}
|
||||
|
||||
if (ret == 0)
|
||||
ret = wc_dilithium_verify_ctx_msg(pct_sig, pct_sigSz,
|
||||
NULL, 0, pct_msg, sizeof(pct_msg), &pct_res, key);
|
||||
|
||||
if (ret == 0 && pct_res != 1)
|
||||
ret = ML_DSA_PCT_E;
|
||||
|
||||
if (WC_VAR_OK(pct_sig))
|
||||
ForceZero(pct_sig, DILITHIUM_MAX_SIG_SIZE);
|
||||
|
||||
WC_FREE_VAR_EX(pct_sig, key->heap, DYNAMIC_TYPE_DILITHIUM);
|
||||
|
||||
/* FIPS 140-3 IG 10.3.A (TE10.35.02): a key pair that fails the PCT
|
||||
* must be rendered unusable. Zeroize the generated key material so
|
||||
* a caller that ignores the return value cannot use it. */
|
||||
if (ret != 0) {
|
||||
wc_dilithium_free(key);
|
||||
}
|
||||
}
|
||||
#endif /* HAVE_FIPS */
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -10338,6 +10391,9 @@ int wc_dilithium_make_key_from_seed(dilithium_key* key, const byte* seed)
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Note: PCT is performed in wc_dilithium_make_key() which calls this
|
||||
* function and has the RNG parameter needed for signing. */
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
@@ -10627,7 +10683,8 @@ int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen,
|
||||
int ret = 0;
|
||||
|
||||
/* Validate parameters. */
|
||||
if ((hash == NULL) || (sig == NULL) || (sigLen == NULL) || (key == NULL)) {
|
||||
if ((hash == NULL) || (sig == NULL) || (sigLen == NULL) || (key == NULL) ||
|
||||
(seed == NULL)) {
|
||||
ret = BAD_FUNC_ARG;
|
||||
}
|
||||
if ((ret == 0) && (ctx == NULL) && (ctxLen > 0)) {
|
||||
@@ -10650,6 +10707,60 @@ int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen,
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Sign using the ML-DSA internal interface with a pre-computed mu value.
|
||||
*
|
||||
* This implements ML-DSA.Sign_internal from FIPS 204 Section 6.2.
|
||||
* The caller provides mu directly (already computed from tr||M'), bypassing
|
||||
* the external message hashing step. Used by ACVP internal interface tests.
|
||||
*
|
||||
* mu [in] Pre-computed mu value (64 bytes).
|
||||
* muLen [in] Length of mu in bytes (must be 64).
|
||||
* sig [out] Buffer to write signature into.
|
||||
* sigLen [in/out] On in, size of buffer.
|
||||
* On out, the length of the signature in bytes.
|
||||
* key [in] Dilithium key to use when signing.
|
||||
* seed [in] 32-byte random seed (rnd).
|
||||
* returns BAD_FUNC_ARG when a parameter is NULL or muLen is not 64,
|
||||
* BUFFER_E when sigLen is too small,
|
||||
* 0 otherwise.
|
||||
*/
|
||||
int wc_dilithium_sign_mu_with_seed(const byte* mu, word32 muLen,
|
||||
byte* sig, word32 *sigLen, dilithium_key* key, const byte* seed)
|
||||
{
|
||||
#ifdef WOLFSSL_WC_DILITHIUM
|
||||
int ret = 0;
|
||||
|
||||
/* Validate parameters. */
|
||||
if ((mu == NULL) || (sig == NULL) || (sigLen == NULL) || (key == NULL) ||
|
||||
(seed == NULL)) {
|
||||
ret = BAD_FUNC_ARG;
|
||||
}
|
||||
if ((ret == 0) && (muLen != DILITHIUM_MU_SZ)) {
|
||||
ret = BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
if (ret == 0) {
|
||||
/* Build [seed||mu] buffer and call internal sign function. */
|
||||
byte seedMu[DILITHIUM_RND_SZ + DILITHIUM_MU_SZ];
|
||||
XMEMCPY(seedMu, seed, DILITHIUM_RND_SZ);
|
||||
XMEMCPY(seedMu + DILITHIUM_RND_SZ, mu, DILITHIUM_MU_SZ);
|
||||
ret = dilithium_sign_with_seed_mu(key, seedMu, sig, sigLen);
|
||||
ForceZero(seedMu, sizeof(seedMu));
|
||||
}
|
||||
|
||||
return ret;
|
||||
#else
|
||||
/* Internal interface not supported with liboqs backend. */
|
||||
(void)mu;
|
||||
(void)muLen;
|
||||
(void)sig;
|
||||
(void)sigLen;
|
||||
(void)key;
|
||||
(void)seed;
|
||||
return NOT_COMPILED_IN;
|
||||
#endif
|
||||
}
|
||||
#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */
|
||||
|
||||
#ifndef WOLFSSL_DILITHIUM_NO_VERIFY
|
||||
@@ -10830,6 +10941,52 @@ int wc_dilithium_verify_ctx_hash(const byte* sig, word32 sigLen,
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Verify using the ML-DSA internal interface with a pre-computed mu value.
|
||||
*
|
||||
* This implements ML-DSA.Verify_internal from FIPS 204 Section 6.3.
|
||||
* The caller provides mu directly (already computed from tr||M'), bypassing
|
||||
* the external message hashing step. Used by ACVP internal interface tests.
|
||||
*
|
||||
* sig [in] Signature to verify.
|
||||
* sigLen [in] Size of signature in bytes.
|
||||
* mu [in] Pre-computed mu value (64 bytes).
|
||||
* muLen [in] Length of mu in bytes (must be 64).
|
||||
* res [out] *res is set to 1 on successful verification.
|
||||
* key [in] Dilithium key to use to verify.
|
||||
* returns BAD_FUNC_ARG when a parameter is NULL or muLen is not 64,
|
||||
* 0 otherwise.
|
||||
*/
|
||||
int wc_dilithium_verify_mu(const byte* sig, word32 sigLen, const byte* mu,
|
||||
word32 muLen, int* res, dilithium_key* key)
|
||||
{
|
||||
#ifdef WOLFSSL_WC_DILITHIUM
|
||||
int ret = 0;
|
||||
|
||||
/* Validate parameters. */
|
||||
if ((key == NULL) || (sig == NULL) || (mu == NULL) || (res == NULL)) {
|
||||
ret = BAD_FUNC_ARG;
|
||||
}
|
||||
if ((ret == 0) && (muLen != DILITHIUM_MU_SZ)) {
|
||||
ret = BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
if (ret == 0) {
|
||||
ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
|
||||
}
|
||||
|
||||
return ret;
|
||||
#else
|
||||
/* Internal interface not supported with liboqs backend. */
|
||||
(void)sig;
|
||||
(void)sigLen;
|
||||
(void)mu;
|
||||
(void)muLen;
|
||||
(void)res;
|
||||
(void)key;
|
||||
return NOT_COMPILED_IN;
|
||||
#endif
|
||||
}
|
||||
#endif /* WOLFSSL_DILITHIUM_NO_VERIFY */
|
||||
|
||||
#ifndef WC_NO_CONSTRUCTORS
|
||||
|
||||
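Review bot: `wc_dilithium_sign_mu_with_seed` and `wc_dilithium_verify_mu` are compiled whenever WOLFSSL_WC_DILITHIUM is defined, so the FIPS 204 internal interface (Sign_internal/Verify_internal) becomes ordinary public API even though their own comments say they exist for ACVP testing and FIPS 204 Section 6 restricts that interface to testing purposes; they belong under a test-only build macro, or at minimum the header comment should state that they are not an approved application interface. Both functions trust the caller's mu, so the comment should also say `mu must be H(tr || M') exactly as the external interface computes it; nothing here validates that`. The PCT added to wc_dilithium_make_key is skipped for keys produced through wc_dilithium_make_key_from_seed, which the new comment after that function acknowledges, but that function remains a public entry point in a FIPS build, so either run the PCT there as well or reject the call under HAVE_FIPS rather than rely on the comment. The PCT failure path calls wc_dilithium_free(key) while the caller still owns key and will normally free it again, which is fine only if wc_dilithium_free is safe to call twice (it appears to be, confirm) and that should be stated in the comment; the two unbraced multi-line `if (ret == 0)` statements in that block also differ from the braced form used two lines above them.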
@@ -6091,6 +6091,12 @@ int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id,
|
||||
) {
|
||||
err = _ecc_pairwise_consistency_test(key, rng);
|
||||
}
|
||||
/* FIPS 140-3 IG 10.3.A (TE10.35.02): a key pair that fails post-
|
||||
* generation validation or PCT must be rendered unusable so a caller
|
||||
* that ignores the return value cannot use it. */
|
||||
if (err != MP_OKAY) {
|
||||
wc_ecc_free(key);
|
||||
}
|
||||
#endif
|
||||
|
||||
RESTORE_VECTOR_REGISTERS();
|
||||
|
||||
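Review bot: wc_ecc_free(key) on the new failure path runs while the caller still owns key and will normally call wc_ecc_free itself afterwards, so the comment should state that a second free is safe (wc_ecc_free appears to tolerate that, confirm). The `#if` that the `#endif` below closes and the start of wc_ecc_make_key_ex2 are outside the hunk; if that block is compiled out in some configurations, a failed generation leaves key material in place there, which is worth a one-line comment on the `#endif`, e.g. `/* builds without PCT: caller must free key on error */`.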
@@ -668,6 +668,30 @@ const char* wc_GetErrorString(int error)
|
||||
case ALREADY_E:
|
||||
return "Operation was redundant or preempted";
|
||||
|
||||
case ML_KEM_KAT_FIPS_E:
|
||||
return "wolfCrypt FIPS ML-KEM Known Answer Test Failure";
|
||||
|
||||
case ML_DSA_KAT_FIPS_E:
|
||||
return "wolfCrypt FIPS ML-DSA Known Answer Test Failure";
|
||||
|
||||
case LMS_KAT_FIPS_E:
|
||||
return "wolfCrypt FIPS LMS Known Answer Test Failure";
|
||||
|
||||
case XMSS_KAT_FIPS_E:
|
||||
return "wolfCrypt FIPS XMSS Known Answer Test Failure";
|
||||
|
||||
case ML_KEM_PCT_E:
|
||||
return "wolfcrypt ML-KEM Pairwise Consistency Test Failure";
|
||||
|
||||
case ML_DSA_PCT_E:
|
||||
return "wolfcrypt ML-DSA Pairwise Consistency Test Failure";
|
||||
|
||||
case DRBG_SHA512_KAT_FIPS_E:
|
||||
return "SHA-512 DRBG Known Answer Test check FIPS error";
|
||||
|
||||
case SLH_DSA_KAT_FIPS_E:
|
||||
return "SLH-DSA Known Answer Test check FIPS error";
|
||||
|
||||
case SEQ_OVERFLOW_E:
|
||||
return "Sequence counter would overflow";
|
||||
|
||||
|
||||
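Review bot: The new error strings mix three wordings for the same class of self-test failure: the KAT cases use "wolfCrypt FIPS ... Known Answer Test Failure", the ML_KEM_PCT_E and ML_DSA_PCT_E cases drop the FIPS tag and spell it "wolfcrypt", and DRBG_SHA512_KAT_FIPS_E and SLH_DSA_KAT_FIPS_E switch to "... Known Answer Test check FIPS error". These strings are what operators grep for in logs, so one pattern should be used throughout, e.g. `return "wolfCrypt FIPS SHA-512 DRBG Known Answer Test Failure";` and `return "wolfCrypt FIPS SLH-DSA Known Answer Test Failure";`, with the two PCT strings capitalised to match.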
+28
-18
@@ -5809,8 +5809,9 @@ void wolfSSL_EVP_init(void)
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_224)
|
||||
ret = wc_Sha512_224Copy((wc_Sha512*)&src->hash.digest,
|
||||
(wc_Sha512*)&des->hash.digest);
|
||||
#else
|
||||
@@ -5818,8 +5819,9 @@ void wolfSSL_EVP_init(void)
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_256)
|
||||
ret = wc_Sha512_256Copy((wc_Sha512*)&src->hash.digest,
|
||||
(wc_Sha512*)&des->hash.digest);
|
||||
#else
|
||||
@@ -10765,14 +10767,16 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_224)
|
||||
wc_Sha512_224Free((wc_Sha512*)&ctx->hash.digest);
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_256)
|
||||
wc_Sha512_256Free((wc_Sha512*)&ctx->hash.digest);
|
||||
#endif
|
||||
break;
|
||||
@@ -10872,13 +10876,15 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
|
||||
ret = wolfSSL_SHA384_Init(&(ctx->hash.digest.sha384));
|
||||
} else
|
||||
#endif
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
if (XSTRCMP(md, WC_SN_sha512_224) == 0) {
|
||||
ret = wolfSSL_SHA512_224_Init(&(ctx->hash.digest.sha512));
|
||||
} else
|
||||
#endif
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
if (XSTRCMP(md, WC_SN_sha512_256) == 0) {
|
||||
ret = wolfSSL_SHA512_256_Init(&(ctx->hash.digest.sha512));
|
||||
@@ -11028,8 +11034,9 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
|
||||
break;
|
||||
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_224)
|
||||
ret = wolfSSL_SHA512_224_Update((WOLFSSL_SHA512_CTX*)&ctx->hash, data,
|
||||
(unsigned long)sz);
|
||||
#else
|
||||
@@ -11038,8 +11045,9 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
|
||||
break;
|
||||
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_256)
|
||||
ret = wolfSSL_SHA512_256_Update((WOLFSSL_SHA512_CTX*)&ctx->hash, data,
|
||||
(unsigned long)sz);
|
||||
#else
|
||||
@@ -11188,8 +11196,9 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_224)
|
||||
ret = wolfSSL_SHA512_224_Final(md, (WOLFSSL_SHA512_CTX*)&ctx->hash);
|
||||
if (s) *s = WC_SHA512_224_DIGEST_SIZE;
|
||||
#else
|
||||
@@ -11197,8 +11206,9 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_256)
|
||||
ret = wolfSSL_SHA512_256_Final(md, (WOLFSSL_SHA512_CTX*)&ctx->hash);
|
||||
if (s) *s = WC_SHA512_256_DIGEST_SIZE;
|
||||
#else
|
||||
|
||||
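Review bot: The guard `(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)` (and its _256 twin) is now written out by hand in eight places in this file and again in every SHA-512/224 and SHA-512/256 case of hash.c, and it is already line-broken differently in the wolfSSL_EVP_MD_type Init cases than elsewhere. One of the hand copies had drifted before this commit (the old hash.c wc_Hash_ex SHA512_256 case tested WOLFSSL_NOSHA512_224), which this commit fixes in passing but which will recur. Defining the availability once in a header as a feature macro (a constructed name such as WOLFSSL_HAVE_SHA512_224) and testing that with `#ifdef` at each site would remove the duplication and the drift.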
@@ -226,6 +226,20 @@ const char * wc_LmsKey_ParmToStr(enum wc_LmsParm lmsParm)
|
||||
return "LMS/HSS L4_H10_W4";
|
||||
case WC_LMS_PARM_L4_H10_W8:
|
||||
return "LMS/HSS L4_H10_W8";
|
||||
case WC_LMS_PARM_L1_H25_W1:
|
||||
return "LMS/HSS L1_H25_W1";
|
||||
case WC_LMS_PARM_L1_H25_W2:
|
||||
return "LMS/HSS L1_H25_W2";
|
||||
case WC_LMS_PARM_L1_H25_W4:
|
||||
return "LMS/HSS L1_H25_W4";
|
||||
case WC_LMS_PARM_L1_H25_W8:
|
||||
return "LMS/HSS L1_H25_W8";
|
||||
case WC_LMS_PARM_L1_H10_W1:
|
||||
return "LMS/HSS L1_H10_W1";
|
||||
case WC_LMS_PARM_L1_H15_W1:
|
||||
return "LMS/HSS L1_H15_W1";
|
||||
case WC_LMS_PARM_L1_H20_W1:
|
||||
return "LMS/HSS L1_H20_W1";
|
||||
default:
|
||||
WOLFSSL_MSG("error: invalid LMS parameter");
|
||||
break;
|
||||
@@ -383,6 +397,20 @@ int wc_LmsKey_SetLmsParm(LmsKey * key, enum wc_LmsParm lmsParm)
|
||||
return wc_LmsKey_SetParameters(key, 4, 10, 4);
|
||||
case WC_LMS_PARM_L4_H10_W8:
|
||||
return wc_LmsKey_SetParameters(key, 4, 10, 8);
|
||||
case WC_LMS_PARM_L1_H25_W1:
|
||||
return wc_LmsKey_SetParameters(key, 1, 25, 1);
|
||||
case WC_LMS_PARM_L1_H25_W2:
|
||||
return wc_LmsKey_SetParameters(key, 1, 25, 2);
|
||||
case WC_LMS_PARM_L1_H25_W4:
|
||||
return wc_LmsKey_SetParameters(key, 1, 25, 4);
|
||||
case WC_LMS_PARM_L1_H25_W8:
|
||||
return wc_LmsKey_SetParameters(key, 1, 25, 8);
|
||||
case WC_LMS_PARM_L1_H10_W1:
|
||||
return wc_LmsKey_SetParameters(key, 1, 10, 1);
|
||||
case WC_LMS_PARM_L1_H15_W1:
|
||||
return wc_LmsKey_SetParameters(key, 1, 15, 1);
|
||||
case WC_LMS_PARM_L1_H20_W1:
|
||||
return wc_LmsKey_SetParameters(key, 1, 20, 1);
|
||||
default:
|
||||
WOLFSSL_MSG("error: invalid LMS parameter set");
|
||||
break;
|
||||
|
||||
@@ -22,6 +22,12 @@
|
||||
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
|
||||
|
||||
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_WC_MLKEM)
|
||||
|
||||
#if FIPS_VERSION3_GE(2,0,0)
|
||||
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
||||
#define FIPS_NO_WRAPPERS
|
||||
#endif
|
||||
|
||||
#include <wolfssl/wolfcrypt/ext_mlkem.h>
|
||||
|
||||
#ifdef NO_INLINE
|
||||
|
||||
+249
-139
@@ -79,7 +79,16 @@ enum wc_HashType wc_HashTypeConvert(int hashType)
|
||||
case WC_SHA512:
|
||||
eHashType = WC_HASH_TYPE_SHA512;
|
||||
break;
|
||||
|
||||
#if !defined(WOLFSSL_NOSHA512_224)
|
||||
case WC_SHA512_224:
|
||||
eHashType = WC_HASH_TYPE_SHA512_224;
|
||||
break;
|
||||
#endif
|
||||
#if !defined(WOLFSSL_NOSHA512_256)
|
||||
case WC_SHA512_256:
|
||||
eHashType = WC_HASH_TYPE_SHA512_256;
|
||||
break;
|
||||
#endif
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
#ifdef WOLFSSL_SHA3
|
||||
case WC_SHA3_224:
|
||||
@@ -424,16 +433,18 @@ int wc_HashGetDigestSize(enum wc_HashType hash_type)
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_224)
|
||||
dig_size = WC_SHA512_224_DIGEST_SIZE;
|
||||
#else
|
||||
dig_size = HASH_TYPE_E;
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_256)
|
||||
dig_size = WC_SHA512_256_DIGEST_SIZE;
|
||||
#else
|
||||
dig_size = HASH_TYPE_E;
|
||||
@@ -498,14 +509,29 @@ int wc_HashGetDigestSize(enum wc_HashType hash_type)
|
||||
#endif
|
||||
break;
|
||||
|
||||
/* Not Supported */
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
|
||||
/* SHAKE is an XOF; default output here is 2x the security level
|
||||
* (256 bits for SHAKE128, 512 bits for SHAKE256). The SHA3 digest
|
||||
* macros are reused only for their bit-length value. */
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
dig_size = WC_SHA3_256_DIGEST_SIZE;
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
dig_size = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
dig_size = WC_SHA3_512_DIGEST_SIZE;
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
dig_size = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
|
||||
/* Not Supported */
|
||||
case WC_HASH_TYPE_NONE:
|
||||
dig_size = BAD_FUNC_ARG;
|
||||
break;
|
||||
@@ -580,16 +606,18 @@ int wc_HashGetBlockSize(enum wc_HashType hash_type)
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_224)
|
||||
block_size = WC_SHA512_224_BLOCK_SIZE;
|
||||
#else
|
||||
block_size = HASH_TYPE_E;
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_256)
|
||||
block_size = WC_SHA512_256_BLOCK_SIZE;
|
||||
#else
|
||||
block_size = HASH_TYPE_E;
|
||||
@@ -654,14 +682,30 @@ int wc_HashGetBlockSize(enum wc_HashType hash_type)
|
||||
#endif
|
||||
break;
|
||||
|
||||
/* Not Supported */
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
|
||||
/* WC_SHA3_*_BLOCK_SIZE names the Keccak rate by capacity, not a
|
||||
* specific SHA-3 hash. SHAKE128 uses the 1344-bit rate (168 B);
|
||||
* SHAKE256 uses the 1088-bit rate (136 B), shared with SHA3-256.
|
||||
* Per FIPS 202. */
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
block_size = WC_SHA3_128_BLOCK_SIZE;
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
block_size = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
block_size = WC_SHA3_256_BLOCK_SIZE;
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
block_size = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
|
||||
/* Not Supported */
|
||||
case WC_HASH_TYPE_NONE:
|
||||
block_size = BAD_FUNC_ARG;
|
||||
break;
|
||||
@@ -740,16 +784,18 @@ int wc_Hash_ex(enum wc_HashType hash_type, const byte* data,
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_224)
|
||||
ret = wc_Sha512_224Hash_ex(data, data_len, hash, heap, devId);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_256)
|
||||
ret = wc_Sha512_256Hash_ex(data, data_len, hash, heap, devId);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
@@ -804,26 +850,62 @@ int wc_Hash_ex(enum wc_HashType hash_type, const byte* data,
|
||||
#endif
|
||||
break;
|
||||
|
||||
/* Not Supported */
|
||||
case WC_HASH_TYPE_MD2:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD4:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
{
|
||||
WC_DECLARE_VAR(shake, wc_Shake, 1, heap);
|
||||
WC_ALLOC_VAR_EX(shake, wc_Shake, 1, heap, DYNAMIC_TYPE_TMP_BUFFER,
|
||||
ret = MEMORY_E);
|
||||
if (WC_VAR_OK(shake)) {
|
||||
ret = wc_InitShake128(shake, heap, devId);
|
||||
if (ret == 0) {
|
||||
ret = wc_Shake128_Update(shake, data, data_len);
|
||||
if (ret == 0)
|
||||
ret = wc_Shake128_Final(shake, hash,
|
||||
WC_SHA3_256_DIGEST_SIZE);
|
||||
wc_Shake128_Free(shake);
|
||||
}
|
||||
}
|
||||
WC_FREE_VAR_EX(shake, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
break;
|
||||
}
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
{
|
||||
WC_DECLARE_VAR(shake, wc_Shake, 1, heap);
|
||||
WC_ALLOC_VAR_EX(shake, wc_Shake, 1, heap, DYNAMIC_TYPE_TMP_BUFFER,
|
||||
ret = MEMORY_E);
|
||||
if (WC_VAR_OK(shake)) {
|
||||
ret = wc_InitShake256(shake, heap, devId);
|
||||
if (ret == 0) {
|
||||
ret = wc_Shake256_Update(shake, data, data_len);
|
||||
if (ret == 0)
|
||||
ret = wc_Shake256_Final(shake, hash,
|
||||
WC_SHA3_512_DIGEST_SIZE);
|
||||
wc_Shake256_Free(shake);
|
||||
}
|
||||
}
|
||||
WC_FREE_VAR_EX(shake, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
break;
|
||||
}
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
|
||||
/* Not Supported */
|
||||
case WC_HASH_TYPE_MD2:
|
||||
case WC_HASH_TYPE_MD4:
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_NONE:
|
||||
ret = BAD_FUNC_ARG;
|
||||
break;
|
||||
@@ -940,16 +1022,18 @@ int wc_HashInit_ex(wc_HashAlg* hash, enum wc_HashType type, void* heap,
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_224)
|
||||
ret = wc_InitSha512_224_ex(&hash->alg.sha512, heap, devId);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_256)
|
||||
ret = wc_InitSha512_256_ex(&hash->alg.sha512, heap, devId);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
@@ -992,29 +1076,33 @@ int wc_HashInit_ex(wc_HashAlg* hash, enum wc_HashType type, void* heap,
|
||||
#endif
|
||||
break;
|
||||
|
||||
/* not supported */
|
||||
case WC_HASH_TYPE_MD5_SHA:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD2:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD4:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
ret = wc_InitShake128(&hash->alg.sha3, heap, devId);
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
ret = wc_InitShake256(&hash->alg.sha3, heap, devId);
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
|
||||
/* not supported */
|
||||
case WC_HASH_TYPE_MD5_SHA:
|
||||
case WC_HASH_TYPE_MD2:
|
||||
case WC_HASH_TYPE_MD4:
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_NONE:
|
||||
ret = BAD_FUNC_ARG;
|
||||
break;
|
||||
@@ -1091,16 +1179,18 @@ int wc_HashUpdate(wc_HashAlg* hash, enum wc_HashType type, const byte* data,
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_224)
|
||||
ret = wc_Sha512_224Update(&hash->alg.sha512, data, dataSz);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_256)
|
||||
ret = wc_Sha512_256Update(&hash->alg.sha512, data, dataSz);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
@@ -1143,29 +1233,33 @@ int wc_HashUpdate(wc_HashAlg* hash, enum wc_HashType type, const byte* data,
|
||||
#endif
|
||||
break;
|
||||
|
||||
/* not supported */
|
||||
case WC_HASH_TYPE_MD5_SHA:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD2:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD4:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
ret = wc_Shake128_Update(&hash->alg.sha3, data, dataSz);
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
ret = wc_Shake256_Update(&hash->alg.sha3, data, dataSz);
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
|
||||
/* not supported */
|
||||
case WC_HASH_TYPE_MD5_SHA:
|
||||
case WC_HASH_TYPE_MD2:
|
||||
case WC_HASH_TYPE_MD4:
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_NONE:
|
||||
ret = BAD_FUNC_ARG;
|
||||
break;
|
||||
@@ -1234,16 +1328,18 @@ int wc_HashFinal(wc_HashAlg* hash, enum wc_HashType type, byte* out)
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_224)
|
||||
ret = wc_Sha512_224Final(&hash->alg.sha512, out);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_256)
|
||||
ret = wc_Sha512_256Final(&hash->alg.sha512, out);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
@@ -1286,29 +1382,35 @@ int wc_HashFinal(wc_HashAlg* hash, enum wc_HashType type, byte* out)
|
||||
#endif
|
||||
break;
|
||||
|
||||
/* not supported */
|
||||
case WC_HASH_TYPE_MD5_SHA:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD2:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD4:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
ret = wc_Shake128_Final(&hash->alg.sha3, out,
|
||||
WC_SHA3_256_DIGEST_SIZE);
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
ret = wc_Shake256_Final(&hash->alg.sha3, out,
|
||||
WC_SHA3_512_DIGEST_SIZE);
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
|
||||
/* not supported */
|
||||
case WC_HASH_TYPE_MD5_SHA:
|
||||
case WC_HASH_TYPE_MD2:
|
||||
case WC_HASH_TYPE_MD4:
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_NONE:
|
||||
ret = BAD_FUNC_ARG;
|
||||
break;
|
||||
@@ -1383,8 +1485,9 @@ int wc_HashFree(wc_HashAlg* hash, enum wc_HashType type)
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_224)
|
||||
wc_Sha512_224Free(&hash->alg.sha512);
|
||||
ret = 0;
|
||||
#else
|
||||
@@ -1392,8 +1495,9 @@ int wc_HashFree(wc_HashAlg* hash, enum wc_HashType type)
|
||||
#endif
|
||||
break;
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
|
||||
defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
|
||||
!defined(HAVE_SELFTEST) && defined(WOLFSSL_SHA512) && \
|
||||
!defined(WOLFSSL_NOSHA512_256)
|
||||
wc_Sha512_256Free(&hash->alg.sha512);
|
||||
ret = 0;
|
||||
#else
|
||||
@@ -1442,29 +1546,35 @@ int wc_HashFree(wc_HashAlg* hash, enum wc_HashType type)
|
||||
#endif
|
||||
break;
|
||||
|
||||
/* not supported */
|
||||
case WC_HASH_TYPE_MD5_SHA:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD2:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD4:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
wc_Shake128_Free(&hash->alg.sha3);
|
||||
ret = 0;
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
wc_Shake256_Free(&hash->alg.sha3);
|
||||
ret = 0;
|
||||
break;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
#endif
|
||||
|
||||
/* not supported */
|
||||
case WC_HASH_TYPE_MD5_SHA:
|
||||
case WC_HASH_TYPE_MD2:
|
||||
case WC_HASH_TYPE_MD4:
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_NONE:
|
||||
ret = BAD_FUNC_ARG;
|
||||
break;
|
||||
@@ -1554,6 +1664,22 @@ int wc_HashSetFlags(wc_HashAlg* hash, enum wc_HashType type, word32 flags)
|
||||
#endif
|
||||
break;
|
||||
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
|
||||
ret = wc_Sha3_SetFlags(&hash->alg.sha3, flags);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
#endif
|
||||
break;
|
||||
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
|
||||
ret = wc_Sha3_SetFlags(&hash->alg.sha3, flags);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
#endif
|
||||
break;
|
||||
|
||||
case WC_HASH_TYPE_SM3:
|
||||
#ifdef WOLFSSL_SM3
|
||||
ret = wc_Sm3SetFlags(&hash->alg.sm3, flags);
|
||||
@@ -1564,30 +1690,13 @@ int wc_HashSetFlags(wc_HashAlg* hash, enum wc_HashType type, word32 flags)
|
||||
|
||||
/* not supported */
|
||||
case WC_HASH_TYPE_MD5_SHA:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD2:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD4:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
|
||||
case WC_HASH_TYPE_NONE:
|
||||
ret = BAD_FUNC_ARG;
|
||||
break;
|
||||
default:
|
||||
ret = BAD_FUNC_ARG;
|
||||
};
|
||||
@@ -1670,6 +1779,22 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
|
||||
#endif
|
||||
break;
|
||||
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
|
||||
ret = wc_Sha3_GetFlags(&hash->alg.sha3, flags);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
#endif
|
||||
break;
|
||||
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
|
||||
ret = wc_Sha3_GetFlags(&hash->alg.sha3, flags);
|
||||
#else
|
||||
ret = HASH_TYPE_E;
|
||||
#endif
|
||||
break;
|
||||
|
||||
case WC_HASH_TYPE_SM3:
|
||||
#ifdef WOLFSSL_SM3
|
||||
ret = wc_Sm3GetFlags(&hash->alg.sm3, flags);
|
||||
@@ -1680,27 +1805,12 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
|
||||
|
||||
/* not supported */
|
||||
case WC_HASH_TYPE_MD5_SHA:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD2:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_MD4:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
ret = HASH_TYPE_E;
|
||||
break;
|
||||
|
||||
case WC_HASH_TYPE_NONE:
|
||||
ret = BAD_FUNC_ARG;
|
||||
break;
|
||||
@@ -1927,7 +2037,7 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
|
||||
#endif
|
||||
return wc_Sha512Hash_ex(data, len, hash, NULL, devId);
|
||||
}
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && !defined(HAVE_SELFTEST)
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
int wc_Sha512_224Hash_ex(const byte* data, word32 len, byte* hash,
|
||||
void* heap, int devId)
|
||||
@@ -1967,9 +2077,9 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
|
||||
return wc_Sha512_224Hash_ex(data, len, hash, NULL, devId);
|
||||
}
|
||||
#endif /* !WOLFSSL_NOSHA512_224 */
|
||||
#endif /* !HAVE_FIPS && !HAVE_SELFTEST */
|
||||
#endif /* (!HAVE_FIPS || FIPS v7+) && !HAVE_SELFTEST */
|
||||
|
||||
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
|
||||
#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && !defined(HAVE_SELFTEST)
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
int wc_Sha512_256Hash_ex(const byte* data, word32 len, byte* hash,
|
||||
void* heap, int devId)
|
||||
@@ -2009,7 +2119,7 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
|
||||
return wc_Sha512_256Hash_ex(data, len, hash, NULL, devId);
|
||||
}
|
||||
#endif /* !WOLFSSL_NOSHA512_256 */
|
||||
#endif /* !HAVE_FIPS && !HAVE_SELFTEST */
|
||||
#endif /* (!HAVE_FIPS || FIPS v7+) && !HAVE_SELFTEST */
|
||||
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
|
||||
|
||||
@@ -87,6 +87,12 @@ int wc_HmacSizeByType(int type)
|
||||
if (!(type == WC_MD5 || type == WC_SHA ||
|
||||
#ifdef WOLFSSL_SM3
|
||||
type == WC_SM3 ||
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
type == WC_SHA512_224 ||
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
type == WC_SHA512_256 ||
|
||||
#endif
|
||||
type == WC_SHA224 || type == WC_SHA256 ||
|
||||
type == WC_SHA384 || type == WC_SHA512 ||
|
||||
@@ -129,6 +135,16 @@ int wc_HmacSizeByType(int type)
|
||||
case WC_SHA512:
|
||||
ret = WC_SHA512_DIGEST_SIZE;
|
||||
break;
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
case WC_SHA512_224:
|
||||
ret = WC_SHA512_224_DIGEST_SIZE;
|
||||
break;
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
case WC_SHA512_256:
|
||||
ret = WC_SHA512_256_DIGEST_SIZE;
|
||||
break;
|
||||
#endif
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
|
||||
#ifdef WOLFSSL_SHA3
|
||||
@@ -201,6 +217,16 @@ static int HmacKeyInitHash(wc_HmacHash* hash, int type, void* heap, int devId)
|
||||
case WC_SHA512:
|
||||
ret = wc_InitSha512_ex(&hash->sha512, heap, devId);
|
||||
break;
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
case WC_SHA512_224:
|
||||
ret = wc_InitSha512_224_ex(&hash->sha512, heap, devId);
|
||||
break;
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
case WC_SHA512_256:
|
||||
ret = wc_InitSha512_256_ex(&hash->sha512, heap, devId);
|
||||
break;
|
||||
#endif
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
|
||||
#ifdef WOLFSSL_SHA3
|
||||
@@ -300,6 +326,16 @@ static int HmacKeyCopyHash(byte macType, wc_HmacHash* src, wc_HmacHash* dst)
|
||||
case WC_SHA512:
|
||||
ret = wc_Sha512Copy(&src->sha512, &dst->sha512);
|
||||
break;
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
case WC_SHA512_224:
|
||||
ret = wc_Sha512_224Copy(&src->sha512, &dst->sha512);
|
||||
break;
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
case WC_SHA512_256:
|
||||
ret = wc_Sha512_256Copy(&src->sha512, &dst->sha512);
|
||||
break;
|
||||
#endif
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
|
||||
#ifdef WOLFSSL_SHA3
|
||||
@@ -395,6 +431,18 @@ static int HmacKeyHashUpdate(byte macType, wc_HmacHash* hash, byte* pad)
|
||||
case WC_SHA512:
|
||||
ret = wc_Sha512Update(&hash->sha512, pad, WC_SHA512_BLOCK_SIZE);
|
||||
break;
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
case WC_SHA512_224:
|
||||
ret = wc_Sha512_224Update(&hash->sha512, pad,
|
||||
WC_SHA512_224_BLOCK_SIZE);
|
||||
break;
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
case WC_SHA512_256:
|
||||
ret = wc_Sha512_256Update(&hash->sha512, pad,
|
||||
WC_SHA512_256_BLOCK_SIZE);
|
||||
break;
|
||||
#endif
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
|
||||
#ifdef WOLFSSL_SHA3
|
||||
@@ -478,6 +526,12 @@ int wc_HmacSetKey_ex(Hmac* hmac, int type, const byte* key, word32 length,
|
||||
!(type == WC_MD5 || type == WC_SHA ||
|
||||
#ifdef WOLFSSL_SM3
|
||||
type == WC_SM3 ||
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
type == WC_SHA512_224 ||
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
type == WC_SHA512_256 ||
|
||||
#endif
|
||||
type == WC_SHA224 || type == WC_SHA256 ||
|
||||
type == WC_SHA384 || type == WC_SHA512 ||
|
||||
@@ -747,6 +801,46 @@ int wc_HmacSetKey_ex(Hmac* hmac, int type, const byte* key, word32 length,
|
||||
length = WC_SHA512_DIGEST_SIZE;
|
||||
}
|
||||
break;
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
case WC_SHA512_224:
|
||||
hmac_block_size = WC_SHA512_224_BLOCK_SIZE;
|
||||
if (length <= WC_SHA512_224_BLOCK_SIZE) {
|
||||
if (key != NULL) {
|
||||
XMEMCPY(ip, key, length);
|
||||
}
|
||||
}
|
||||
else {
|
||||
ret = wc_Sha512_224Update(&hmac->hash.sha512, key, length);
|
||||
if (ret != 0)
|
||||
break;
|
||||
ret = wc_Sha512_224Final(&hmac->hash.sha512, ip);
|
||||
if (ret != 0)
|
||||
break;
|
||||
|
||||
length = WC_SHA512_224_DIGEST_SIZE;
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
case WC_SHA512_256:
|
||||
hmac_block_size = WC_SHA512_256_BLOCK_SIZE;
|
||||
if (length <= WC_SHA512_256_BLOCK_SIZE) {
|
||||
if (key != NULL) {
|
||||
XMEMCPY(ip, key, length);
|
||||
}
|
||||
}
|
||||
else {
|
||||
ret = wc_Sha512_256Update(&hmac->hash.sha512, key, length);
|
||||
if (ret != 0)
|
||||
break;
|
||||
ret = wc_Sha512_256Final(&hmac->hash.sha512, ip);
|
||||
if (ret != 0)
|
||||
break;
|
||||
|
||||
length = WC_SHA512_256_DIGEST_SIZE;
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
|
||||
#ifdef WOLFSSL_SHA3
|
||||
@@ -999,6 +1093,16 @@ int wc_HmacUpdate(Hmac* hmac, const byte* msg, word32 length)
|
||||
case WC_SHA512:
|
||||
ret = wc_Sha512Update(&hmac->hash.sha512, msg, length);
|
||||
break;
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
case WC_SHA512_224:
|
||||
ret = wc_Sha512_224Update(&hmac->hash.sha512, msg, length);
|
||||
break;
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
case WC_SHA512_256:
|
||||
ret = wc_Sha512_256Update(&hmac->hash.sha512, msg, length);
|
||||
break;
|
||||
#endif
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
|
||||
#ifdef WOLFSSL_SHA3
|
||||
@@ -1226,6 +1330,48 @@ int wc_HmacFinal(Hmac* hmac, byte* hash)
|
||||
break;
|
||||
ret = wc_Sha512Final(&hmac->hash.sha512, hash);
|
||||
break;
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
case WC_SHA512_224:
|
||||
ret = wc_Sha512_224Final(&hmac->hash.sha512,
|
||||
(byte*)hmac->innerHash);
|
||||
if (ret != 0)
|
||||
break;
|
||||
#ifndef WOLFSSL_HMAC_COPY_HASH
|
||||
ret = wc_Sha512_224Update(&hmac->hash.sha512, (byte*)hmac->opad,
|
||||
WC_SHA512_224_BLOCK_SIZE);
|
||||
#else
|
||||
ret = HmacKeyCopyHash(WC_SHA512_224, &hmac->o_hash, &hmac->hash);
|
||||
#endif
|
||||
if (ret != 0)
|
||||
break;
|
||||
ret = wc_Sha512_224Update(&hmac->hash.sha512,
|
||||
(byte*)hmac->innerHash, WC_SHA512_224_DIGEST_SIZE);
|
||||
if (ret != 0)
|
||||
break;
|
||||
ret = wc_Sha512_224Final(&hmac->hash.sha512, hash);
|
||||
break;
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
case WC_SHA512_256:
|
||||
ret = wc_Sha512_256Final(&hmac->hash.sha512,
|
||||
(byte*)hmac->innerHash);
|
||||
if (ret != 0)
|
||||
break;
|
||||
#ifndef WOLFSSL_HMAC_COPY_HASH
|
||||
ret = wc_Sha512_256Update(&hmac->hash.sha512, (byte*)hmac->opad,
|
||||
WC_SHA512_256_BLOCK_SIZE);
|
||||
#else
|
||||
ret = HmacKeyCopyHash(WC_SHA512_256, &hmac->o_hash, &hmac->hash);
|
||||
#endif
|
||||
if (ret != 0)
|
||||
break;
|
||||
ret = wc_Sha512_256Update(&hmac->hash.sha512,
|
||||
(byte*)hmac->innerHash, WC_SHA512_256_DIGEST_SIZE);
|
||||
if (ret != 0)
|
||||
break;
|
||||
ret = wc_Sha512_256Final(&hmac->hash.sha512, hash);
|
||||
break;
|
||||
#endif
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
|
||||
#ifdef WOLFSSL_SHA3
|
||||
@@ -1505,6 +1651,24 @@ void wc_HmacFree(Hmac* hmac)
|
||||
wc_Sha512Free(&hmac->o_hash.sha512);
|
||||
#endif
|
||||
break;
|
||||
#ifndef WOLFSSL_NOSHA512_224
|
||||
case WC_SHA512_224:
|
||||
wc_Sha512_224Free(&hmac->hash.sha512);
|
||||
#ifdef WOLFSSL_HMAC_COPY_HASH
|
||||
wc_Sha512_224Free(&hmac->i_hash.sha512);
|
||||
wc_Sha512_224Free(&hmac->o_hash.sha512);
|
||||
#endif
|
||||
break;
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA512_256
|
||||
case WC_SHA512_256:
|
||||
wc_Sha512_256Free(&hmac->hash.sha512);
|
||||
#ifdef WOLFSSL_HMAC_COPY_HASH
|
||||
wc_Sha512_256Free(&hmac->i_hash.sha512);
|
||||
wc_Sha512_256Free(&hmac->o_hash.sha512);
|
||||
#endif
|
||||
break;
|
||||
#endif
|
||||
#endif /* WOLFSSL_SHA512 */
|
||||
|
||||
#ifdef WOLFSSL_SHA3
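Review bot: The new `WC_SHA512_224`/`WC_SHA512_256` cases in wc_HmacSizeByType, HmacKeyInitHash, HmacKeyCopyHash, HmacKeyHashUpdate, wc_HmacSetKey_ex, wc_HmacUpdate, wc_HmacFinal and wc_HmacFree are gated only on `#ifndef WOLFSSL_NOSHA512_224` / `#ifndef WOLFSSL_NOSHA512_256` inside the WOLFSSL_SHA512 block, while the hash.c section of this same commit gates the identical algorithms on `(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && !defined(HAVE_SELFTEST)`. If the streaming wc_Sha512_224*/wc_Sha512_256* functions follow the gating shown there for wc_Sha512_224Hash_ex, these HMAC cases reference symbols that do not exist in a pre-v7 FIPS or selftest build; reusing the hash.c condition, e.g. `#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && !defined(HAVE_SELFTEST) && !defined(WOLFSSL_NOSHA512_224)`, keeps the two files consistent. The type-validity lists in wc_HmacSizeByType and wc_HmacSetKey_ex also accept `WC_SHA512_224`/`WC_SHA512_256` without any WOLFSSL_SHA512 guard, so a build without SHA-512 falls through to the switch default instead of being rejected up front; that mirrors how `WC_SHA512` itself is listed today, so it may be intentional. Every enclosing function here starts and ends outside the shown hunks.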
|
||||
|
||||
+1634
-99
@@ -26,6 +26,51 @@
|
||||
#include <wolfssl/wolfcrypt/random.h>
|
||||
#include <wolfssl/wolfcrypt/rng_bank.h>
|
||||
|
||||
/* Helpers to access reseedCtr / null-check the active DRBG. The shape of
|
||||
* struct WC_RNG and the DRBG_*_internal types varies by which DRBGs are
|
||||
* compiled in; random.h gates the SHA-256 side on !NO_SHA256 and the SHA-512
|
||||
* side on WOLFSSL_DRBG_SHA512, so all three live combinations are handled
|
||||
* separately here. */
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(NO_SHA256)
|
||||
/* Both DRBGs compiled in: dispatch on the runtime drbgType. */
|
||||
#define WC_RNG_BANK_RESEED_CTR(rng_ptr) \
|
||||
(((rng_ptr)->drbgType == WC_DRBG_SHA512) \
|
||||
? ((struct DRBG_SHA512_internal *)(rng_ptr)->drbg512)->reseedCtr \
|
||||
: ((struct DRBG_internal *)(rng_ptr)->drbg)->reseedCtr)
|
||||
#define WC_RNG_BANK_SET_RESEED_CTR(rng_ptr, val) \
|
||||
do { \
|
||||
if ((rng_ptr)->drbgType == WC_DRBG_SHA512) \
|
||||
((struct DRBG_SHA512_internal *)(rng_ptr)->drbg512)->reseedCtr \
|
||||
= (val); \
|
||||
else \
|
||||
((struct DRBG_internal *)(rng_ptr)->drbg)->reseedCtr = (val); \
|
||||
} while (0)
|
||||
#define WC_RNG_BANK_DRBG_NULL(rng_ptr) \
|
||||
((rng_ptr)->drbg == NULL && (rng_ptr)->drbg512 == NULL)
|
||||
#elif defined(WOLFSSL_DRBG_SHA512)
|
||||
/* SHA-512 DRBG only (NO_SHA256 defined); the SHA-256 struct and
|
||||
* rng->drbg field do not exist in this build. */
|
||||
#define WC_RNG_BANK_RESEED_CTR(rng_ptr) \
|
||||
(((struct DRBG_SHA512_internal *)(rng_ptr)->drbg512)->reseedCtr)
|
||||
#define WC_RNG_BANK_SET_RESEED_CTR(rng_ptr, val) \
|
||||
do { \
|
||||
((struct DRBG_SHA512_internal *)(rng_ptr)->drbg512)->reseedCtr \
|
||||
= (val); \
|
||||
} while (0)
|
||||
#define WC_RNG_BANK_DRBG_NULL(rng_ptr) \
|
||||
((rng_ptr)->drbg512 == NULL)
|
||||
#else
|
||||
/* SHA-256 DRBG only (the historical default). */
|
||||
#define WC_RNG_BANK_RESEED_CTR(rng_ptr) \
|
||||
(((struct DRBG_internal *)(rng_ptr)->drbg)->reseedCtr)
|
||||
#define WC_RNG_BANK_SET_RESEED_CTR(rng_ptr, val) \
|
||||
do { \
|
||||
((struct DRBG_internal *)(rng_ptr)->drbg)->reseedCtr = (val); \
|
||||
} while (0)
|
||||
#define WC_RNG_BANK_DRBG_NULL(rng_ptr) \
|
||||
((rng_ptr)->drbg == NULL)
|
||||
#endif
|
||||
|
||||
WOLFSSL_API int wc_rng_bank_init(
|
||||
struct wc_rng_bank *ctx,
|
||||
int n_rngs,
|
||||
@@ -472,7 +517,7 @@ WOLFSSL_API int wc_rng_bank_checkout(
|
||||
*rng_inst = &bank->rngs[preferred_inst_offset];
|
||||
|
||||
if ((! (flags & WC_RNG_BANK_FLAG_CAN_WAIT)) &&
|
||||
(((struct DRBG_internal *)(*rng_inst)->rng.drbg)->reseedCtr >=
|
||||
(WC_RNG_BANK_RESEED_CTR(&(*rng_inst)->rng) >=
|
||||
WC_RESEED_INTERVAL) &&
|
||||
(flags & WC_RNG_BANK_FLAG_CAN_FAIL_OVER_INST) &&
|
||||
(n_rngs_tried < bank->n_rngs))
|
||||
@@ -482,7 +527,7 @@ WOLFSSL_API int wc_rng_bank_checkout(
|
||||
else {
|
||||
#ifdef WC_VERBOSE_RNG
|
||||
if ((! (flags & WC_RNG_BANK_FLAG_CAN_WAIT)) &&
|
||||
(((struct DRBG_internal *)(*rng_inst)->rng.drbg)->reseedCtr >=
|
||||
(WC_RNG_BANK_RESEED_CTR(&(*rng_inst)->rng) >=
|
||||
WC_RESEED_INTERVAL))
|
||||
{
|
||||
WOLFSSL_DEBUG_PRINTF(
|
||||
@@ -648,11 +693,12 @@ WOLFSSL_API int wc_rng_bank_inst_reinit(
|
||||
bank = default_rng_bank;
|
||||
#endif
|
||||
|
||||
/* rng_inst NULL check handled by rng_inst_matches_bank() */
|
||||
ret = rng_inst_matches_bank(bank, rng_inst);
|
||||
if (ret < 0)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
if (rng_inst->rng.drbg == NULL)
|
||||
if (WC_RNG_BANK_DRBG_NULL(&rng_inst->rng))
|
||||
{
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
@@ -734,7 +780,7 @@ WOLFSSL_API int wc_rng_bank_seed(struct wc_rng_bank *bank,
|
||||
#endif
|
||||
break;
|
||||
}
|
||||
else if (drbg->rng.drbg == NULL) {
|
||||
else if (WC_RNG_BANK_DRBG_NULL(&drbg->rng)) {
|
||||
#ifdef WC_VERBOSE_RNG
|
||||
WOLFSSL_DEBUG_PRINTF(
|
||||
"WARNING: wc_rng_bank_seed(): inst#%d has null .drbg.\n", n);
|
||||
@@ -793,8 +839,7 @@ WOLFSSL_API int wc_rng_bank_reseed(struct wc_rng_bank *bank,
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
|
||||
((struct DRBG_internal *)drbg->rng.drbg)->reseedCtr =
|
||||
WC_RESEED_INTERVAL;
|
||||
WC_RNG_BANK_SET_RESEED_CTR(&drbg->rng, WC_RESEED_INTERVAL);
|
||||
|
||||
if (flags & WC_RNG_BANK_FLAG_CAN_WAIT) {
|
||||
byte scratch[4];
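Review bot: In the both-DRBGs branch of the new helper macros, `WC_RNG_BANK_DRBG_NULL` reports null only when `drbg` and `drbg512` are both NULL, while `WC_RNG_BANK_RESEED_CTR` and `WC_RNG_BANK_SET_RESEED_CTR` dereference whichever of the two pointers `drbgType` selects; an instance with `drbgType == WC_DRBG_SHA512` and a NULL `drbg512` but non-NULL `drbg` passes the checks in wc_rng_bank_inst_reinit and wc_rng_bank_seed and is then dereferenced in wc_rng_bank_checkout and wc_rng_bank_reseed. Whether that state can arise depends on how the RNG init path populates the two fields, which this diff does not show, but keying the null check on the same selector as the accessors removes the question: `#define WC_RNG_BANK_DRBG_NULL(rng_ptr) (((rng_ptr)->drbgType == WC_DRBG_SHA512) ? ((rng_ptr)->drbg512 == NULL) : ((rng_ptr)->drbg == NULL))`. The verbose warning in wc_rng_bank_seed still reads `has null .drbg`, which is misleading for a SHA-512 instance now that the check covers `drbg512` too. The enclosing functions start and end outside the shown hunks.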
|
||||
|
||||
+147
-2
@@ -1137,6 +1137,62 @@ static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz,
|
||||
}
|
||||
#endif /* SHA2 Hashes */
|
||||
|
||||
#if defined(WOLFSSL_SHA3) && \
|
||||
(defined(WOLFSSL_SHAKE128) || defined(WOLFSSL_SHAKE256))
|
||||
/* SHAKE XOF used directly as mask generation function (not MGF1).
|
||||
* Per FIPS 186-5, SHAKE can be used as the MGF for RSA-PSS. */
|
||||
static int RsaMGF_SHAKE(enum wc_HashType shakeType, byte* seed, word32 seedSz,
|
||||
byte* out, word32 outSz, void* heap)
|
||||
{
|
||||
WC_DECLARE_VAR(shake, wc_Shake, 1, heap);
|
||||
int ret;
|
||||
|
||||
(void)heap;
|
||||
(void)shakeType;
|
||||
|
||||
WC_ALLOC_VAR_EX(shake, wc_Shake, 1, heap, DYNAMIC_TYPE_TMP_BUFFER,
|
||||
return MEMORY_E);
|
||||
|
||||
#ifdef WOLFSSL_SHAKE128
|
||||
if (shakeType == WC_HASH_TYPE_SHAKE128)
|
||||
ret = wc_InitShake128(shake, heap, INVALID_DEVID);
|
||||
else
|
||||
#endif
|
||||
#ifdef WOLFSSL_SHAKE256
|
||||
if (shakeType == WC_HASH_TYPE_SHAKE256)
|
||||
ret = wc_InitShake256(shake, heap, INVALID_DEVID);
|
||||
else
|
||||
#endif
|
||||
ret = BAD_FUNC_ARG;
|
||||
|
||||
if (ret == 0) {
|
||||
#ifdef WOLFSSL_SHAKE128
|
||||
if (shakeType == WC_HASH_TYPE_SHAKE128) {
|
||||
ret = wc_Shake128_Update(shake, seed, seedSz);
|
||||
if (ret == 0)
|
||||
ret = wc_Shake128_Final(shake, out, outSz);
|
||||
wc_Shake128_Free(shake);
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#ifdef WOLFSSL_SHAKE256
|
||||
if (shakeType == WC_HASH_TYPE_SHAKE256) {
|
||||
ret = wc_Shake256_Update(shake, seed, seedSz);
|
||||
if (ret == 0)
|
||||
ret = wc_Shake256_Final(shake, out, outSz);
|
||||
wc_Shake256_Free(shake);
|
||||
}
|
||||
else
|
||||
#endif
|
||||
{
|
||||
ret = BAD_FUNC_ARG;
|
||||
}
|
||||
}
|
||||
WC_FREE_VAR_EX(shake, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
return ret;
|
||||
}
|
||||
#endif /* WOLFSSL_SHA3 && (WOLFSSL_SHAKE128 || WOLFSSL_SHAKE256) */
|
||||
|
||||
/* helper function to direct which mask generation function is used
|
||||
switched on type input
|
||||
*/
|
||||
@@ -1182,6 +1238,52 @@ static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out,
|
||||
heap);
|
||||
break;
|
||||
#endif
|
||||
#endif
|
||||
#ifdef WOLFSSL_SHA3
|
||||
#ifndef WOLFSSL_NOSHA3_224
|
||||
case WC_MGF1SHA3_224:
|
||||
ret = RsaMGF1(WC_HASH_TYPE_SHA3_224, seed, seedSz, out, outSz,
|
||||
heap);
|
||||
break;
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA3_256
|
||||
case WC_MGF1SHA3_256:
|
||||
ret = RsaMGF1(WC_HASH_TYPE_SHA3_256, seed, seedSz, out, outSz,
|
||||
heap);
|
||||
break;
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA3_384
|
||||
case WC_MGF1SHA3_384:
|
||||
ret = RsaMGF1(WC_HASH_TYPE_SHA3_384, seed, seedSz, out, outSz,
|
||||
heap);
|
||||
break;
|
||||
#endif
|
||||
#ifndef WOLFSSL_NOSHA3_512
|
||||
case WC_MGF1SHA3_512:
|
||||
ret = RsaMGF1(WC_HASH_TYPE_SHA3_512, seed, seedSz, out, outSz,
|
||||
heap);
|
||||
break;
|
||||
#endif
|
||||
#endif /* WOLFSSL_SHA3 */
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
|
||||
case WC_MGF1SHAKE128:
|
||||
ret = RsaMGF1(WC_HASH_TYPE_SHAKE128, seed, seedSz, out, outSz,
|
||||
heap);
|
||||
break;
|
||||
case WC_MGFSHAKE128:
|
||||
ret = RsaMGF_SHAKE(WC_HASH_TYPE_SHAKE128, seed, seedSz, out, outSz,
|
||||
heap);
|
||||
break;
|
||||
#endif
|
||||
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
|
||||
case WC_MGF1SHAKE256:
|
||||
ret = RsaMGF1(WC_HASH_TYPE_SHAKE256, seed, seedSz, out, outSz,
|
||||
heap);
|
||||
break;
|
||||
case WC_MGFSHAKE256:
|
||||
ret = RsaMGF_SHAKE(WC_HASH_TYPE_SHAKE256, seed, seedSz, out, outSz,
|
||||
heap);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
WOLFSSL_MSG("Unknown MGF type: check build options");
|
||||
@@ -2115,22 +2217,65 @@ int wc_hash2mgf(enum wc_HashType hType)
|
||||
return WC_MGF1SHA512;
|
||||
#else
|
||||
break;
|
||||
#endif
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
|
||||
return WC_MGF1SHA512_224;
|
||||
#else
|
||||
break;
|
||||
#endif
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
|
||||
return WC_MGF1SHA512_256;
|
||||
#else
|
||||
break;
|
||||
#endif
|
||||
case WC_HASH_TYPE_MD2:
|
||||
case WC_HASH_TYPE_MD4:
|
||||
case WC_HASH_TYPE_MD5:
|
||||
case WC_HASH_TYPE_MD5_SHA:
|
||||
case WC_HASH_TYPE_SHA512_224:
|
||||
case WC_HASH_TYPE_SHA512_256:
|
||||
case WC_HASH_TYPE_SHA3_224:
|
||||
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
|
||||
return WC_MGF1SHA3_224;
|
||||
#else
|
||||
break;
|
||||
#endif
|
||||
case WC_HASH_TYPE_SHA3_256:
|
||||
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
|
||||
return WC_MGF1SHA3_256;
|
||||
#else
|
||||
break;
|
||||
#endif
|
||||
case WC_HASH_TYPE_SHA3_384:
|
||||
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
|
||||
return WC_MGF1SHA3_384;
|
||||
#else
|
||||
break;
|
||||
#endif
|
||||
case WC_HASH_TYPE_SHA3_512:
|
||||
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
|
||||
return WC_MGF1SHA3_512;
|
||||
#else
|
||||
break;
|
||||
#endif
|
||||
case WC_HASH_TYPE_BLAKE2B:
|
||||
case WC_HASH_TYPE_BLAKE2S:
|
||||
case WC_HASH_TYPE_SM3:
|
||||
break;
|
||||
#ifdef WOLFSSL_SHAKE128
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
return WC_MGF1SHAKE128;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE128:
|
||||
break;
|
||||
#endif
|
||||
#ifdef WOLFSSL_SHAKE256
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
return WC_MGF1SHAKE256;
|
||||
#else
|
||||
case WC_HASH_TYPE_SHAKE256:
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
break;
|
||||
}
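Review bot: wc_hash2mgf gates its new SHAKE cases on `#ifdef WOLFSSL_SHAKE128` / `#ifdef WOLFSSL_SHAKE256` alone, whereas RsaMGF only compiles the `WC_MGF1SHAKE128`/`WC_MGF1SHAKE256` cases under `defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)` (resp. SHAKE256); in a build where a SHAKE macro is set without WOLFSSL_SHA3, wc_hash2mgf hands back an MGF id that RsaMGF then rejects with "Unknown MGF type". Using the same compound guard in wc_hash2mgf, e.g. `#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)`, keeps the two switches in step. Separately, wc_hash2mgf maps the SHAKE hash types to `WC_MGF1SHAKE*`, so the direct-XOF `WC_MGFSHAKE*` paths that RsaMGF_SHAKE implements (the FIPS 186-5 form its header comment cites) are reachable only by callers that pass the MGF id explicitly; if that is the intended split, a one-line comment on wc_hash2mgf saying so would save the next reader the search. In RsaMGF_SHAKE the `(void)shakeType;` is dead, since the enclosing `#if` guarantees at least one `if (shakeType == ...)` branch compiles and uses it.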
|
||||
|
||||
@@ -252,6 +252,7 @@ static int InitSha256(wc_Sha256* sha256)
|
||||
sha256->digest[7] = 0x5BE0CD19L;
|
||||
|
||||
sha256->buffLen = 0;
|
||||
XMEMSET(sha256->buffer, 0, sizeof(sha256->buffer));
|
||||
sha256->loLen = 0;
|
||||
sha256->hiLen = 0;
|
||||
#ifdef WOLFSSL_HASH_FLAGS
|
||||
@@ -2101,6 +2102,7 @@ static WC_INLINE int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
|
||||
sha224->digest[7] = 0xbefa4fa4;
|
||||
|
||||
sha224->buffLen = 0;
|
||||
XMEMSET(sha224->buffer, 0, sizeof(sha224->buffer));
|
||||
sha224->loLen = 0;
|
||||
sha224->hiLen = 0;
|
||||
|
||||
|
||||
@@ -642,6 +642,7 @@ static int InitSha3(wc_Sha3* sha3)
|
||||
|
||||
for (i = 0; i < 25; i++)
|
||||
sha3->s[i] = 0;
|
||||
XMEMSET(sha3->t, 0, sizeof(sha3->t));
|
||||
sha3->i = 0;
|
||||
#ifdef WOLFSSL_HASH_FLAGS
|
||||
sha3->flags = 0;
|
||||
|
||||
@@ -348,6 +348,7 @@ static int InitSha512(wc_Sha512* sha512)
|
||||
sha512->digest[7] = W64LIT(0x5be0cd19137e2179);
|
||||
|
||||
sha512->buffLen = 0;
|
||||
XMEMSET(sha512->buffer, 0, sizeof(sha512->buffer));
|
||||
sha512->loLen = 0;
|
||||
sha512->hiLen = 0;
|
||||
|
||||
@@ -403,6 +404,7 @@ static int InitSha512_224(wc_Sha512* sha512)
|
||||
sha512->digest[7] = W64LIT(0x1112e6ad91d692a1);
|
||||
|
||||
sha512->buffLen = 0;
|
||||
XMEMSET(sha512->buffer, 0, sizeof(sha512->buffer));
|
||||
sha512->loLen = 0;
|
||||
sha512->hiLen = 0;
|
||||
|
||||
@@ -460,6 +462,7 @@ static int InitSha512_256(wc_Sha512* sha512)
|
||||
sha512->digest[7] = W64LIT(0x0eb72ddc81c52ca2);
|
||||
|
||||
sha512->buffLen = 0;
|
||||
XMEMSET(sha512->buffer, 0, sizeof(sha512->buffer));
|
||||
sha512->loLen = 0;
|
||||
sha512->hiLen = 0;
|
||||
|
||||
@@ -1967,6 +1970,7 @@ static int InitSha384(wc_Sha384* sha384)
|
||||
sha384->digest[7] = W64LIT(0x47b5481dbefa4fa4);
|
||||
|
||||
sha384->buffLen = 0;
|
||||
XMEMSET(sha384->buffer, 0, sizeof(sha384->buffer));
|
||||
sha384->loLen = 0;
|
||||
sha384->hiLen = 0;
|
||||
|
||||
|
||||
+246
-6
@@ -22,6 +22,11 @@
|
||||
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
|
||||
|
||||
#if defined(WOLFSSL_HAVE_LMS) && defined(WOLFSSL_WC_LMS)
|
||||
|
||||
#if FIPS_VERSION3_GE(2,0,0)
|
||||
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
||||
#define FIPS_NO_WRAPPERS
|
||||
#endif
|
||||
#include <wolfssl/wolfcrypt/wc_lms.h>
|
||||
|
||||
#ifdef NO_INLINE
|
||||
@@ -109,12 +114,25 @@ static int wc_lmskey_state_init(LmsState* state, const LmsParams* params)
|
||||
/* Keep a reference to the parameters for use in operations. */
|
||||
state->params = params;
|
||||
|
||||
#ifdef WOLFSSL_LMS_SHAKE256
|
||||
if (LMS_IS_SHAKE(params->lmOtsType)) {
|
||||
ret = wc_InitShake256(LMS_STATE_SHAKE(state), NULL, INVALID_DEVID);
|
||||
if (ret == 0) {
|
||||
ret = wc_InitShake256(LMS_STATE_SHAKE_K(state), NULL, INVALID_DEVID);
|
||||
if (ret != 0) {
|
||||
wc_Shake256_Free(LMS_STATE_SHAKE(state));
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Initialize the two hash algorithms. */
|
||||
ret = wc_InitSha256(&state->hash);
|
||||
ret = wc_InitSha256(LMS_STATE_HASH(state));
|
||||
if (ret == 0) {
|
||||
ret = wc_InitSha256(&state->hash_k);
|
||||
ret = wc_InitSha256(LMS_STATE_HASH_K(state));
|
||||
if (ret != 0) {
|
||||
wc_Sha256Free(&state->hash);
|
||||
wc_Sha256Free(LMS_STATE_HASH(state));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -127,8 +145,15 @@ static int wc_lmskey_state_init(LmsState* state, const LmsParams* params)
|
||||
*/
|
||||
static void wc_lmskey_state_free(LmsState* state)
|
||||
{
|
||||
wc_Sha256Free(&state->hash_k);
|
||||
wc_Sha256Free(&state->hash);
|
||||
#ifdef WOLFSSL_LMS_SHAKE256
|
||||
if (LMS_IS_SHAKE(state->params->lmOtsType)) {
|
||||
wc_Shake256_Free(LMS_STATE_SHAKE_K(state));
|
||||
wc_Shake256_Free(LMS_STATE_SHAKE(state));
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
wc_Sha256Free(LMS_STATE_HASH_K(state));
|
||||
wc_Sha256Free(LMS_STATE_HASH(state));
|
||||
}
|
||||
|
||||
/* Supported LMS parameters. */
|
||||
@@ -276,6 +301,35 @@ static const wc_LmsParamsMap wc_lms_map[] = {
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
#endif
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 25
|
||||
{ WC_LMS_PARM_L1_H25_W1 , "LMS/HSS_L1_H25_W1",
|
||||
LMS_PARAMS(1, 25, 1, 1, LMS_SHA256_M32_H25, LMOTS_SHA256_N32_W1,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_L1_H25_W2 , "LMS/HSS_L1_H25_W2",
|
||||
LMS_PARAMS(1, 25, 2, 1, LMS_SHA256_M32_H25, LMOTS_SHA256_N32_W2,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_L1_H25_W4 , "LMS/HSS_L1_H25_W4",
|
||||
LMS_PARAMS(1, 25, 4, 2, LMS_SHA256_M32_H25, LMOTS_SHA256_N32_W4,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_L1_H25_W8 , "LMS/HSS_L1_H25_W8",
|
||||
LMS_PARAMS(1, 25, 8, 3, LMS_SHA256_M32_H25, LMOTS_SHA256_N32_W8,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 10
|
||||
{ WC_LMS_PARM_L1_H10_W1 , "LMS/HSS_L1_H10_W1",
|
||||
LMS_PARAMS(1, 10, 1, 1, LMS_SHA256_M32_H10, LMOTS_SHA256_N32_W1,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 15
|
||||
{ WC_LMS_PARM_L1_H15_W1 , "LMS/HSS_L1_H15_W1",
|
||||
LMS_PARAMS(1, 15, 1, 1, LMS_SHA256_M32_H15, LMOTS_SHA256_N32_W1,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 20
|
||||
{ WC_LMS_PARM_L1_H20_W1 , "LMS/HSS_L1_H20_W1",
|
||||
LMS_PARAMS(1, 20, 1, 1, LMS_SHA256_M32_H20, LMOTS_SHA256_N32_W1,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
#endif
|
||||
#endif /* !WOLFSSL_NO_LMS_SHA256_256 */
|
||||
|
||||
#ifdef WOLFSSL_LMS_SHA256_192
|
||||
@@ -356,7 +410,193 @@ static const wc_LmsParamsMap wc_lms_map[] = {
|
||||
LMS_PARAMS(1, 20, 8, 4, LMS_SHA256_M24_H20, LMOTS_SHA256_N24_W8,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 25
|
||||
{ WC_LMS_PARM_SHA256_192_L1_H25_W1 , "LMS/HSS_SHA256/192_L1_H25_W1",
|
||||
LMS_PARAMS(1, 25, 1, 2, LMS_SHA256_M24_H25, LMOTS_SHA256_N24_W1,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHA256_192_L1_H25_W2 , "LMS/HSS_SHA256/192_L1_H25_W2",
|
||||
LMS_PARAMS(1, 25, 2, 2, LMS_SHA256_M24_H25, LMOTS_SHA256_N24_W2,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHA256_192_L1_H25_W4 , "LMS/HSS_SHA256/192_L1_H25_W4",
|
||||
LMS_PARAMS(1, 25, 4, 3, LMS_SHA256_M24_H25, LMOTS_SHA256_N24_W4,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHA256_192_L1_H25_W8 , "LMS/HSS_SHA256/192_L1_H25_W8",
|
||||
LMS_PARAMS(1, 25, 8, 4, LMS_SHA256_M24_H25, LMOTS_SHA256_N24_W8,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 10
|
||||
{ WC_LMS_PARM_SHA256_192_L1_H10_W1 , "LMS/HSS_SHA256/192_L1_H10_W1",
|
||||
LMS_PARAMS(1, 10, 1, 2, LMS_SHA256_M24_H10, LMOTS_SHA256_N24_W1,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 15
|
||||
{ WC_LMS_PARM_SHA256_192_L1_H15_W1 , "LMS/HSS_SHA256/192_L1_H15_W1",
|
||||
LMS_PARAMS(1, 15, 1, 2, LMS_SHA256_M24_H15, LMOTS_SHA256_N24_W1,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHA256_192_L1_H15_W8 , "LMS/HSS_SHA256/192_L1_H15_W8",
|
||||
LMS_PARAMS(1, 15, 8, 4, LMS_SHA256_M24_H15, LMOTS_SHA256_N24_W8,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 20
|
||||
{ WC_LMS_PARM_SHA256_192_L1_H20_W1 , "LMS/HSS_SHA256/192_L1_H20_W1",
|
||||
LMS_PARAMS(1, 20, 1, 2, LMS_SHA256_M24_H20, LMOTS_SHA256_N24_W1,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
#endif
|
||||
#endif /* WOLFSSL_LMS_SHA256_192 */
|
||||
|
||||
#ifdef WOLFSSL_LMS_SHAKE256
|
||||
#ifndef WOLFSSL_NO_LMS_SHAKE256_256
|
||||
/* SHAKE256/256 L1 H5 */
|
||||
{ WC_LMS_PARM_SHAKE_L1_H5_W1 , "LMS/HSS_SHAKE256/256_L1_H5_W1",
|
||||
LMS_PARAMS(1, 5, 1, 1, LMS_SHAKE_M32_H5 , LMOTS_SHAKE_N32_W1,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H5_W2 , "LMS/HSS_SHAKE256/256_L1_H5_W2",
|
||||
LMS_PARAMS(1, 5, 2, 1, LMS_SHAKE_M32_H5 , LMOTS_SHAKE_N32_W2,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H5_W4 , "LMS/HSS_SHAKE256/256_L1_H5_W4",
|
||||
LMS_PARAMS(1, 5, 4, 2, LMS_SHAKE_M32_H5 , LMOTS_SHAKE_N32_W4,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H5_W8 , "LMS/HSS_SHAKE256/256_L1_H5_W8",
|
||||
LMS_PARAMS(1, 5, 8, 3, LMS_SHAKE_M32_H5 , LMOTS_SHAKE_N32_W8,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
#if LMS_MAX_HEIGHT >= 10
|
||||
/* SHAKE256/256 L1 H10 */
|
||||
{ WC_LMS_PARM_SHAKE_L1_H10_W1 , "LMS/HSS_SHAKE256/256_L1_H10_W1",
|
||||
LMS_PARAMS(1, 10, 1, 1, LMS_SHAKE_M32_H10, LMOTS_SHAKE_N32_W1,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H10_W2 , "LMS/HSS_SHAKE256/256_L1_H10_W2",
|
||||
LMS_PARAMS(1, 10, 2, 1, LMS_SHAKE_M32_H10, LMOTS_SHAKE_N32_W2,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H10_W4 , "LMS/HSS_SHAKE256/256_L1_H10_W4",
|
||||
LMS_PARAMS(1, 10, 4, 2, LMS_SHAKE_M32_H10, LMOTS_SHAKE_N32_W4,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H10_W8 , "LMS/HSS_SHAKE256/256_L1_H10_W8",
|
||||
LMS_PARAMS(1, 10, 8, 3, LMS_SHAKE_M32_H10, LMOTS_SHAKE_N32_W8,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 15
|
||||
/* SHAKE256/256 L1 H15 */
|
||||
{ WC_LMS_PARM_SHAKE_L1_H15_W1 , "LMS/HSS_SHAKE256/256_L1_H15_W1",
|
||||
LMS_PARAMS(1, 15, 1, 1, LMS_SHAKE_M32_H15, LMOTS_SHAKE_N32_W1,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H15_W2 , "LMS/HSS_SHAKE256/256_L1_H15_W2",
|
||||
LMS_PARAMS(1, 15, 2, 1, LMS_SHAKE_M32_H15, LMOTS_SHAKE_N32_W2,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H15_W4 , "LMS/HSS_SHAKE256/256_L1_H15_W4",
|
||||
LMS_PARAMS(1, 15, 4, 2, LMS_SHAKE_M32_H15, LMOTS_SHAKE_N32_W4,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H15_W8 , "LMS/HSS_SHAKE256/256_L1_H15_W8",
|
||||
LMS_PARAMS(1, 15, 8, 3, LMS_SHAKE_M32_H15, LMOTS_SHAKE_N32_W8,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 20
|
||||
/* SHAKE256/256 L1 H20 */
|
||||
{ WC_LMS_PARM_SHAKE_L1_H20_W1 , "LMS/HSS_SHAKE256/256_L1_H20_W1",
|
||||
LMS_PARAMS(1, 20, 1, 1, LMS_SHAKE_M32_H20, LMOTS_SHAKE_N32_W1,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H20_W2 , "LMS/HSS_SHAKE256/256_L1_H20_W2",
|
||||
LMS_PARAMS(1, 20, 2, 1, LMS_SHAKE_M32_H20, LMOTS_SHAKE_N32_W2,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H20_W4 , "LMS/HSS_SHAKE256/256_L1_H20_W4",
|
||||
LMS_PARAMS(1, 20, 4, 2, LMS_SHAKE_M32_H20, LMOTS_SHAKE_N32_W4,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H20_W8 , "LMS/HSS_SHAKE256/256_L1_H20_W8",
|
||||
LMS_PARAMS(1, 20, 8, 3, LMS_SHAKE_M32_H20, LMOTS_SHAKE_N32_W8,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 25
|
||||
/* SHAKE256/256 L1 H25 */
|
||||
{ WC_LMS_PARM_SHAKE_L1_H25_W1 , "LMS/HSS_SHAKE256/256_L1_H25_W1",
|
||||
LMS_PARAMS(1, 25, 1, 1, LMS_SHAKE_M32_H25, LMOTS_SHAKE_N32_W1,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H25_W2 , "LMS/HSS_SHAKE256/256_L1_H25_W2",
|
||||
LMS_PARAMS(1, 25, 2, 1, LMS_SHAKE_M32_H25, LMOTS_SHAKE_N32_W2,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H25_W4 , "LMS/HSS_SHAKE256/256_L1_H25_W4",
|
||||
LMS_PARAMS(1, 25, 4, 2, LMS_SHAKE_M32_H25, LMOTS_SHAKE_N32_W4,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE_L1_H25_W8 , "LMS/HSS_SHAKE256/256_L1_H25_W8",
|
||||
LMS_PARAMS(1, 25, 8, 3, LMS_SHAKE_M32_H25, LMOTS_SHAKE_N32_W8,
|
||||
WC_SHA256_DIGEST_SIZE) },
|
||||
#endif
|
||||
#endif /* !WOLFSSL_NO_LMS_SHAKE256_256 */
|
||||
|
||||
#ifdef WOLFSSL_LMS_SHAKE256
|
||||
/* SHAKE256/192 L1 H5 */
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H5_W1 , "LMS/HSS_SHAKE256/192_L1_H5_W1",
|
||||
LMS_PARAMS(1, 5, 1, 2, LMS_SHAKE_M24_H5 , LMOTS_SHAKE_N24_W1,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H5_W2 , "LMS/HSS_SHAKE256/192_L1_H5_W2",
|
||||
LMS_PARAMS(1, 5, 2, 2, LMS_SHAKE_M24_H5 , LMOTS_SHAKE_N24_W2,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H5_W4 , "LMS/HSS_SHAKE256/192_L1_H5_W4",
|
||||
LMS_PARAMS(1, 5, 4, 3, LMS_SHAKE_M24_H5 , LMOTS_SHAKE_N24_W4,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H5_W8 , "LMS/HSS_SHAKE256/192_L1_H5_W8",
|
||||
LMS_PARAMS(1, 5, 8, 4, LMS_SHAKE_M24_H5 , LMOTS_SHAKE_N24_W8,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
#if LMS_MAX_HEIGHT >= 10
|
||||
/* SHAKE256/192 L1 H10 */
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H10_W1 , "LMS/HSS_SHAKE256/192_L1_H10_W1",
|
||||
LMS_PARAMS(1, 10, 1, 2, LMS_SHAKE_M24_H10, LMOTS_SHAKE_N24_W1,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H10_W2 , "LMS/HSS_SHAKE256/192_L1_H10_W2",
|
||||
LMS_PARAMS(1, 10, 2, 2, LMS_SHAKE_M24_H10, LMOTS_SHAKE_N24_W2,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H10_W4 , "LMS/HSS_SHAKE256/192_L1_H10_W4",
|
||||
LMS_PARAMS(1, 10, 4, 3, LMS_SHAKE_M24_H10, LMOTS_SHAKE_N24_W4,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H10_W8 , "LMS/HSS_SHAKE256/192_L1_H10_W8",
|
||||
LMS_PARAMS(1, 10, 8, 4, LMS_SHAKE_M24_H10, LMOTS_SHAKE_N24_W8,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 15
|
||||
/* SHAKE256/192 L1 H15 */
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H15_W1 , "LMS/HSS_SHAKE256/192_L1_H15_W1",
|
||||
LMS_PARAMS(1, 15, 1, 2, LMS_SHAKE_M24_H15, LMOTS_SHAKE_N24_W1,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H15_W2 , "LMS/HSS_SHAKE256/192_L1_H15_W2",
|
||||
LMS_PARAMS(1, 15, 2, 2, LMS_SHAKE_M24_H15, LMOTS_SHAKE_N24_W2,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H15_W4 , "LMS/HSS_SHAKE256/192_L1_H15_W4",
|
||||
LMS_PARAMS(1, 15, 4, 3, LMS_SHAKE_M24_H15, LMOTS_SHAKE_N24_W4,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H15_W8 , "LMS/HSS_SHAKE256/192_L1_H15_W8",
|
||||
LMS_PARAMS(1, 15, 8, 4, LMS_SHAKE_M24_H15, LMOTS_SHAKE_N24_W8,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 20
|
||||
/* SHAKE256/192 L1 H20 */
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H20_W1 , "LMS/HSS_SHAKE256/192_L1_H20_W1",
|
||||
LMS_PARAMS(1, 20, 1, 2, LMS_SHAKE_M24_H20, LMOTS_SHAKE_N24_W1,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H20_W2 , "LMS/HSS_SHAKE256/192_L1_H20_W2",
|
||||
LMS_PARAMS(1, 20, 2, 2, LMS_SHAKE_M24_H20, LMOTS_SHAKE_N24_W2,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H20_W4 , "LMS/HSS_SHAKE256/192_L1_H20_W4",
|
||||
LMS_PARAMS(1, 20, 4, 3, LMS_SHAKE_M24_H20, LMOTS_SHAKE_N24_W4,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H20_W8 , "LMS/HSS_SHAKE256/192_L1_H20_W8",
|
||||
LMS_PARAMS(1, 20, 8, 4, LMS_SHAKE_M24_H20, LMOTS_SHAKE_N24_W8,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
#endif
|
||||
#if LMS_MAX_HEIGHT >= 25
|
||||
/* SHAKE256/192 L1 H25 */
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H25_W1 , "LMS/HSS_SHAKE256/192_L1_H25_W1",
|
||||
LMS_PARAMS(1, 25, 1, 2, LMS_SHAKE_M24_H25, LMOTS_SHAKE_N24_W1,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H25_W2 , "LMS/HSS_SHAKE256/192_L1_H25_W2",
|
||||
LMS_PARAMS(1, 25, 2, 2, LMS_SHAKE_M24_H25, LMOTS_SHAKE_N24_W2,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H25_W4 , "LMS/HSS_SHAKE256/192_L1_H25_W4",
|
||||
LMS_PARAMS(1, 25, 4, 3, LMS_SHAKE_M24_H25, LMOTS_SHAKE_N24_W4,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
{ WC_LMS_PARM_SHAKE192_L1_H25_W8 , "LMS/HSS_SHAKE256/192_L1_H25_W8",
|
||||
LMS_PARAMS(1, 25, 8, 4, LMS_SHAKE_M24_H25, LMOTS_SHAKE_N24_W8,
|
||||
WC_SHA256_192_DIGEST_SIZE) },
|
||||
#endif
|
||||
#endif /* WOLFSSL_LMS_SHAKE256 (M24 entries) */
|
||||
#endif /* WOLFSSL_LMS_SHAKE256 */
|
||||
};
|
||||
/* Number of parameter sets supported. */
|
||||
#define WC_LMS_MAP_LEN ((int)(sizeof(wc_lms_map) / sizeof(*wc_lms_map)))
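Review bot: The inner `#ifdef WOLFSSL_LMS_SHAKE256` that opens the SHAKE256/192 (M24) entries is nested inside the identical outer guard, so it is always true and the closing comment `/* WOLFSSL_LMS_SHAKE256 (M24 entries) */` describes a toggle that does not exist. The SHA-256 tables give the 256- and 192-bit variants independent controls (`WOLFSSL_NO_LMS_SHA256_256`, `WOLFSSL_LMS_SHA256_192`) and this hunk adds `WOLFSSL_NO_LMS_SHAKE256_256` for the 32-byte SHAKE entries, but the 24-byte SHAKE entries cannot be excluded separately. Either drop the redundant inner guard or gate it on a distinct macro (e.g. a new `WOLFSSL_NO_LMS_SHAKE256_192`, used as `#ifndef`), and mirror the same guard around the `WC_LMS_PARM_SHAKE192_*` enumerators in the wc_lms.h hunk so the table and the enum stay in step.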
|
||||
@@ -1292,7 +1532,7 @@ int wc_LmsKey_Verify(LmsKey* key, const byte* sig, word32 sigSz,
|
||||
ret = wc_lmskey_state_init(state, key->params);
|
||||
if (ret == 0) {
|
||||
/* Verify signature of message with public key. */
|
||||
ret = wc_hss_verify(state, key->pub, msg, msgSz, sig);
|
||||
ret = wc_hss_verify(state, key->pub, msg, msgSz, sig, sigSz);
|
||||
wc_lmskey_state_free(state);
|
||||
}
|
||||
ForceZero(state, sizeof(LmsState));
|
||||
|
||||
+602
-225
@@ -78,6 +78,11 @@
|
||||
#undef WOLFSSL_RISCV_ASM
|
||||
#endif
|
||||
|
||||
#if FIPS_VERSION3_GE(2,0,0)
|
||||
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
||||
#define FIPS_NO_WRAPPERS
|
||||
#endif
|
||||
|
||||
#include <wolfssl/wolfcrypt/mlkem.h>
|
||||
#include <wolfssl/wolfcrypt/wc_mlkem.h>
|
||||
#include <wolfssl/wolfcrypt/hash.h>
|
||||
@@ -636,6 +641,50 @@ int wc_MlKemKey_MakeKey(MlKemKey* key, WC_RNG* rng)
|
||||
ret = wc_KyberKey_MakeKeyWithRandom(key, rand, sizeof(rand));
|
||||
}
|
||||
|
||||
#ifdef HAVE_FIPS
|
||||
/* Pairwise Consistency Test (PCT) per FIPS 140-3 / ISO 19790:2012
|
||||
* Section 7.10.3.3: encapsulate with ek, decapsulate with dk,
|
||||
* verify shared secrets match. */
|
||||
if (ret == 0) {
|
||||
WC_DECLARE_VAR(pct_ct, byte, WC_ML_KEM_MAX_CIPHER_TEXT_SIZE,
|
||||
key->heap);
|
||||
byte pct_ss1[WC_ML_KEM_SS_SZ];
|
||||
byte pct_ss2[WC_ML_KEM_SS_SZ];
|
||||
word32 ctSz = 0;
|
||||
|
||||
WC_ALLOC_VAR_EX(pct_ct, byte, WC_ML_KEM_MAX_CIPHER_TEXT_SIZE,
|
||||
key->heap, DYNAMIC_TYPE_TMP_BUFFER, ret = MEMORY_E);
|
||||
|
||||
if (ret == 0)
|
||||
ret = wc_MlKemKey_CipherTextSize(key, &ctSz);
|
||||
|
||||
if (ret == 0)
|
||||
ret = wc_MlKemKey_Encapsulate(key, pct_ct, pct_ss1, rng);
|
||||
|
||||
if (ret == 0)
|
||||
ret = wc_MlKemKey_Decapsulate(key, pct_ss2, pct_ct, ctSz);
|
||||
|
||||
if (ret == 0) {
|
||||
if (XMEMCMP(pct_ss1, pct_ss2, WC_ML_KEM_SS_SZ) != 0)
|
||||
ret = ML_KEM_PCT_E;
|
||||
}
|
||||
|
||||
ForceZero(pct_ss1, sizeof(pct_ss1));
|
||||
ForceZero(pct_ss2, sizeof(pct_ss2));
|
||||
if (WC_VAR_OK(pct_ct))
|
||||
ForceZero(pct_ct, WC_ML_KEM_MAX_CIPHER_TEXT_SIZE);
|
||||
|
||||
WC_FREE_VAR_EX(pct_ct, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
|
||||
/* FIPS 140-3 IG 10.3.A (TE10.35.02): a key pair that fails the PCT
|
||||
* must be rendered unusable. Zeroize the generated key material so
|
||||
* a caller that ignores the return value cannot use it. */
|
||||
if (ret != 0) {
|
||||
wc_MlKemKey_Free(key);
|
||||
}
|
||||
}
|
||||
#endif /* HAVE_FIPS */
|
||||
|
||||
/* Ensure seeds are zeroized. */
|
||||
ForceZero((void*)rand, (word32)sizeof(rand));
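Review bot: The pairwise consistency test runs only in `wc_MlKemKey_MakeKey`; the comment added in the `wc_MlKemKey_MakeKeyWithRandom` hunk acknowledges that the latter performs no PCT, yet it appears to remain a callable entry point (it is invoked here with a caller-supplied `rand`), so a FIPS-mode caller that generates keys through it gets an untested key pair. If that path is meant to stay exposed inside the FIPS boundary, the header should state that the PCT is not applied there, or the FIPS build should route it through the same check. Separately, `wc_MlKemKey_Free(key)` on failure also fires when `ret` is `MEMORY_E` from `WC_ALLOC_VAR_EX` or a plain encapsulate/decapsulate error rather than a shared-secret mismatch; that is the conservative choice, but a one-line comment such as `/* Any failure on the PCT path is treated as a failed PCT. */` would make the intent explicit.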
|
||||
|
||||
@@ -868,6 +917,9 @@ int wc_MlKemKey_MakeKeyWithRandom(MlKemKey* key, const unsigned char* rand,
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Note: PCT is performed in wc_MlKemKey_MakeKey() which calls this
|
||||
* function and has the RNG parameter needed for encapsulation. */
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif /* !WOLFSSL_MLKEM_NO_MAKE_KEY */
|
||||
|
||||
@@ -106,6 +106,9 @@ Threading/Mutex options:
|
||||
#ifdef WOLFSSL_ASYNC_CRYPT
|
||||
#include <wolfssl/wolfcrypt/async.h>
|
||||
#endif
|
||||
#if defined(HAVE_HASHDRBG) && !defined(WC_NO_RNG)
|
||||
#include <wolfssl/wolfcrypt/random.h>
|
||||
#endif
|
||||
|
||||
#ifdef FREESCALE_LTC_TFM
|
||||
#include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
|
||||
@@ -334,6 +337,16 @@ int wolfCrypt_Init(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_HASHDRBG) && !defined(WC_NO_RNG) && \
|
||||
!defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
ret = wc_DrbgState_MutexInit();
|
||||
if (ret != 0) {
|
||||
WOLFSSL_MSG("DRBG state mutex init failed");
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(FREESCALE_LTC_TFM) || defined(FREESCALE_LTC_ECC)
|
||||
ret = ksdk_port_init();
|
||||
if (ret != 0) {
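Review bot: The three-line guard `defined(HAVE_HASHDRBG) && !defined(WC_NO_RNG) && !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))` is duplicated verbatim in `wolfCrypt_Init` here and in the `wolfCrypt_Cleanup` hunk below, so the two can drift and the mutex could end up initialized without being freed, or freed without having been initialized. Define it once next to the `wc_DrbgState_MutexInit`/`wc_DrbgState_MutexFree` prototypes, e.g. `#define WC_DRBG_STATE_MUTEX` under that condition, and use `#ifdef WC_DRBG_STATE_MUTEX` at both call sites. The early `return ret` on mutex failure also skips any teardown `wolfCrypt_Init` does for subsystems initialized above it; that matches the surrounding style (`ksdk_port_init` is handled the same way), but the function body continues outside the hunk so I cannot confirm nothing is left half-initialized.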
|
||||
@@ -641,6 +654,12 @@ int wolfCrypt_Cleanup(void)
|
||||
wc_CryptoCb_Cleanup();
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_HASHDRBG) && !defined(WC_NO_RNG) && \
|
||||
!defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
wc_DrbgState_MutexFree();
|
||||
#endif
|
||||
|
||||
#if defined(WOLFSSL_MEM_FAIL_COUNT) && defined(WOLFCRYPT_ONLY)
|
||||
wc_MemFailCount_Free();
|
||||
#endif
|
||||
|
||||
+1491
-375
@@ -22,6 +22,11 @@
|
||||
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
|
||||
|
||||
#ifdef WOLFSSL_HAVE_XMSS
|
||||
|
||||
#if FIPS_VERSION3_GE(2,0,0)
|
||||
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
||||
#define FIPS_NO_WRAPPERS
|
||||
#endif
|
||||
#include <wolfssl/wolfcrypt/wc_xmss.h>
|
||||
|
||||
#ifdef NO_INLINE
|
||||
|
||||
+53
-16
@@ -354,19 +354,37 @@ static word64 entropy_state[ENTROPY_NUM_WORDS + EXTRA_ENTROPY_WORDS] = {0};
|
||||
|
||||
/* Using memory will take different amount of times depending on the CPU's
|
||||
* caches and business.
|
||||
*
|
||||
* Returns int (not void) because the SHA-3 conditioning calls go through
|
||||
* FIPS wrappers. When the FIPS module is in FAILED state (e.g. integrity
|
||||
* hash mismatch during first build before fips-hash.sh), every SHA-3 call
|
||||
* returns FIPS_NOT_ALLOWED_E. Without checking these returns, this function
|
||||
* would silently loop through all ENTROPY_NUM_UPDATES iterations on every
|
||||
* noise sample, each iteration firing the FIPS error callback -- producing
|
||||
* tens of thousands of spurious error reports during Entropy_Init().
|
||||
*
|
||||
* Non-FIPS builds never hit this path because SHA-3 calls always succeed
|
||||
* without a CAST gate. We use int returns unconditionally (rather than
|
||||
* void in non-FIPS, int in FIPS) to maintain a common ABI in case these
|
||||
* functions become public API as wolfentropy matures.
|
||||
*/
|
||||
static void Entropy_MemUse(void)
|
||||
static int Entropy_MemUse(void)
|
||||
{
|
||||
int i;
|
||||
static byte d[WC_SHA3_256_DIGEST_SIZE];
|
||||
int j;
|
||||
int ret;
|
||||
|
||||
for (j = 0; j < ENTROPY_NUM_UPDATES; j++) {
|
||||
/* Hash the first 32 64-bit words of state. */
|
||||
wc_Sha3_256_Update(&entropyHash, (byte*)entropy_state,
|
||||
ret = wc_Sha3_256_Update(&entropyHash, (byte*)entropy_state,
|
||||
sizeof(*entropy_state) * ENTROPY_NUM_64BIT_WORDS);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
/* Get pseudo-random indices. */
|
||||
wc_Sha3_256_Final(&entropyHash, d);
|
||||
ret = wc_Sha3_256_Final(&entropyHash, d);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
|
||||
for (i = 0; i < ENTROPY_NUM_64BIT_WORDS; i++) {
|
||||
/* Choose a 64-bit word from a pseudo-random block.*/
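Review bot: The new header comment for `Entropy_MemUse` explains why it now returns `int` but, unlike the `Entropy_GetSample` and `Entropy_GetNoise` comments updated in this same file, carries no `@return` lines; add `* @return 0 on success.` and `* @return Negative on hash failure (e.g. FIPS module not operational).` before the closing `*/` so the three helpers are documented alike. Also worth a comment: when `wc_Sha3_256_Update` fails, the function returns with `entropyHash` holding a partially absorbed block that the next call extends rather than resets; in the FAILED-module case the comment describes this is moot, but if any transient error is possible the following sample's digest would be computed over mixed state. The function body continues outside the hunk.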
|
||||
@@ -378,6 +396,8 @@ static void Entropy_MemUse(void)
|
||||
entropy_state[i] += entropy_state[idx];
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
@@ -390,34 +410,40 @@ static word64 entropy_last_time = 0;
|
||||
*
|
||||
* Called to test raw entropy.
|
||||
*
|
||||
* @return 64-bit value that is the noise.
|
||||
* @param [out] sample 64-bit noise value (time delta).
|
||||
* @return 0 on success.
|
||||
* @return Negative on failure (e.g. FIPS module not operational).
|
||||
*/
|
||||
static word64 Entropy_GetSample(void)
|
||||
static int Entropy_GetSample(word64* sample)
|
||||
{
|
||||
word64 now;
|
||||
word64 ret;
|
||||
int ret = 0;
|
||||
|
||||
#ifdef HAVE_FIPS
|
||||
/* First sample must be disregard when in FIPS. */
|
||||
if (entropy_last_time == 0) {
|
||||
/* Get sample which triggers CAST in FIPS mode. */
|
||||
Entropy_MemUse();
|
||||
ret = Entropy_MemUse();
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
/* Start entropy time after CASTs. */
|
||||
entropy_last_time = Entropy_TimeHiRes();
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Use memory such that it will take an unpredictable amount of time. */
|
||||
Entropy_MemUse();
|
||||
ret = Entropy_MemUse();
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
|
||||
/* Get the time now to subtract from previous end time. */
|
||||
now = Entropy_TimeHiRes();
|
||||
/* Calculate time diff since last sampling. */
|
||||
ret = now - entropy_last_time;
|
||||
*sample = now - entropy_last_time;
|
||||
/* Store last time. */
|
||||
entropy_last_time = now;
|
||||
|
||||
return ret;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Get as many samples of noise as required.
|
||||
@@ -426,18 +452,29 @@ static word64 Entropy_GetSample(void)
|
||||
*
|
||||
* @param [out] noise Buffer to hold samples.
|
||||
* @param [in] samples Number of one byte samples to get.
|
||||
* @return 0 on success.
|
||||
* @return Negative on hash failure (e.g. FIPS module not operational).
|
||||
*/
|
||||
static void Entropy_GetNoise(unsigned char* noise, int samples)
|
||||
static int Entropy_GetNoise(unsigned char* noise, int samples)
|
||||
{
|
||||
int i;
|
||||
int ret;
|
||||
word64 sample;
|
||||
|
||||
/* Do it once to get things going. */
|
||||
Entropy_MemUse();
|
||||
ret = Entropy_MemUse();
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
|
||||
/* Get as many samples as required. */
|
||||
for (i = 0; i < samples; i++) {
|
||||
noise[i] = (byte)Entropy_GetSample();
|
||||
ret = Entropy_GetSample(&sample);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
noise[i] = (byte)sample;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Generate raw entropy for performing assessment.
|
||||
@@ -458,7 +495,7 @@ int wc_Entropy_GetRawEntropy(unsigned char* raw, int cnt)
|
||||
if (ret == 0)
|
||||
#endif
|
||||
{
|
||||
Entropy_GetNoise(raw, cnt);
|
||||
ret = Entropy_GetNoise(raw, cnt);
|
||||
}
|
||||
#ifdef ENTROPY_MEMUSE_THREADED
|
||||
/* Stop the counter thread to avoid thrashing the system. */
|
||||
@@ -670,7 +707,7 @@ static int Entropy_HealthTest_Startup(void)
|
||||
Entropy_HealthTest_Reset();
|
||||
|
||||
/* Fill initial sample buffer with noise. */
|
||||
Entropy_GetNoise(initial, ENTROPY_INITIAL_COUNT);
|
||||
ret = Entropy_GetNoise(initial, ENTROPY_INITIAL_COUNT);
|
||||
/* Health check initial noise. */
|
||||
for (i = 0; (ret == 0) && (i < ENTROPY_INITIAL_COUNT); i++) {
|
||||
ret = Entropy_HealthTest_Repetition(initial[i]);
|
||||
@@ -799,7 +836,7 @@ int wc_Entropy_Get(int bits, unsigned char* entropy, word32 len)
|
||||
}
|
||||
|
||||
/* Get raw entropy noise. */
|
||||
Entropy_GetNoise(noise, noise_len);
|
||||
ret = Entropy_GetNoise(noise, noise_len);
|
||||
/* Health check each noise value. */
|
||||
for (i = 0; (ret == 0) && (i < noise_len); i++) {
|
||||
ret = Entropy_HealthTest_Repetition(noise[i]);
|
||||
|
||||
+997
-16
@@ -189,6 +189,12 @@ enum {
|
||||
#include <wolfssl/wolfcrypt/async.h>
|
||||
#endif
|
||||
|
||||
/* Undefine the settings.h compat macro so it doesn't collide with the enum
|
||||
* member below (settings.h may pre-define WC_AES_BLOCK_SIZE for old FIPS). */
|
||||
#ifdef WC_AES_BLOCK_SIZE
|
||||
#undef WC_AES_BLOCK_SIZE
|
||||
#endif
|
||||
|
||||
enum {
|
||||
AES_ENC_TYPE = WC_CIPHER_AES, /* cipher unique type */
|
||||
AES_ENCRYPTION = 0,
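Review bot: The `#undef WC_AES_BLOCK_SIZE` relies on the settings.h compat macro and the enum member that follows agreeing in value; if they ever differ, translation units that read the macro before including aes.h and ones that read the enum would disagree silently. A preprocessor check ahead of the `#undef`, along the lines of `#if WC_AES_BLOCK_SIZE != <enum member value>` / `#error "WC_AES_BLOCK_SIZE compat macro disagrees with aes.h"`, would catch that at build time. The enum continues outside the hunk, so the member's value is not visible here.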
|
||||
@@ -777,6 +783,7 @@ WOLFSSL_API int wc_AesInit_Label(Aes* aes, const char* label, void* heap,
|
||||
#endif
|
||||
WOLFSSL_API void wc_AesFree(Aes* aes);
|
||||
#ifndef WC_NO_CONSTRUCTORS
|
||||
#define WC_AES_NEW_API_AVAILABLE
|
||||
WOLFSSL_API Aes* wc_AesNew(void* heap, int devId, int *result_code);
|
||||
#ifdef WOLF_PRIVATE_KEY_ID
|
||||
WOLFSSL_API Aes* wc_AesNew_Id(unsigned char* id, int len, void* heap,
|
||||
|
||||
@@ -856,6 +856,9 @@ WOLFSSL_API
|
||||
int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen,
|
||||
int hashAlg, const byte* hash, word32 hashLen, byte* sig, word32 *sigLen,
|
||||
dilithium_key* key, const byte* seed);
|
||||
WOLFSSL_API
|
||||
int wc_dilithium_sign_mu_with_seed(const byte* mu, word32 muLen,
|
||||
byte* sig, word32 *sigLen, dilithium_key* key, const byte* seed);
|
||||
#endif /* !WOLFSSL_DILITHIUM_VERIFY_ONLY */
|
||||
/* Legacy verify API without context parameter (pre-FIPS 204).
|
||||
* Only available when WOLFSSL_DILITHIUM_NO_CTX is defined.
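Review bot: The new public prototypes `wc_dilithium_sign_mu_with_seed` here and `wc_dilithium_verify_mu` in the next hunk are added without any comment, whereas the legacy verify API directly below is documented. A short comment above each, stating what `mu`/`muLen` are (presumably the precomputed message representative used by an external-mu signing flow — confirm against the implementation) and which build options expose them, would save callers a trip into dilithium.c. For example: `/* Sign a precomputed message representative mu (external-mu flow). */`.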
|
||||
@@ -874,6 +877,9 @@ WOLFSSL_API
|
||||
int wc_dilithium_verify_ctx_hash(const byte* sig, word32 sigLen,
|
||||
const byte* ctx, byte ctxLen, int hashAlg, const byte* hash,
|
||||
word32 hashLen, int* res, dilithium_key* key);
|
||||
WOLFSSL_API
|
||||
int wc_dilithium_verify_mu(const byte* sig, word32 sigLen, const byte* mu,
|
||||
word32 muLen, int* res, dilithium_key* key);
|
||||
|
||||
#ifndef WC_NO_CONSTRUCTORS
|
||||
WOLFSSL_API
|
||||
|
||||
@@ -89,7 +89,7 @@ enum wolfCrypt_ErrorCodes {
|
||||
AES_EAX_AUTH_E = -122, /* AES-EAX Authentication check failure */
|
||||
KEY_EXHAUSTED_E = -123, /* No longer usable for operation. */
|
||||
|
||||
/* -124 unused. */
|
||||
ML_KEM_KAT_FIPS_E = -124, /* ML-KEM KAT failure */
|
||||
|
||||
MEMORY_E = -125, /* out of memory error */
|
||||
VAR_STATE_CHANGE_E = -126, /* var state modified by different thread */
|
||||
@@ -137,7 +137,9 @@ enum wolfCrypt_ErrorCodes {
|
||||
ED448_KAT_FIPS_E = -164, /* Ed448 Known answer test failure */
|
||||
PBKDF2_KAT_FIPS_E = -165, /* PBKDF2 Known answer test failure */
|
||||
WC_KEY_MISMATCH_E = -166, /* Error for private/public key mismatch */
|
||||
/* -167..-169 unused. */
|
||||
ML_DSA_KAT_FIPS_E = -167, /* ML-DSA KAT failure */
|
||||
LMS_KAT_FIPS_E = -168, /* LMS KAT failure */
|
||||
XMSS_KAT_FIPS_E = -169, /* XMSS KAT failure */
|
||||
|
||||
ECC_BAD_ARG_E = -170, /* ECC input argument of wrong type */
|
||||
ASN_ECC_KEY_E = -171, /* ASN ECC bad input */
|
||||
@@ -312,7 +314,6 @@ enum wolfCrypt_ErrorCodes {
|
||||
* not match stored hash*/
|
||||
BUSY_E = -1006, /* Object is busy */
|
||||
ALREADY_E = -1007, /* Operation was redundant or preempted */
|
||||
|
||||
SEQ_OVERFLOW_E = -1008, /* Sequence counter would overflow */
|
||||
|
||||
PUF_INIT_E = -1009, /* PUF initialization failed (reserved) */
|
||||
@@ -322,8 +323,13 @@ enum wolfCrypt_ErrorCodes {
|
||||
PUF_DERIVE_KEY_E = -1013, /* PUF key derivation failed */
|
||||
PUF_IDENTITY_E = -1014, /* PUF identity retrieval failed */
|
||||
|
||||
WC_SPAN2_LAST_E = -1014, /* Update to indicate last used error code */
|
||||
WC_LAST_E = -1014, /* the last code used either here or in
|
||||
ML_KEM_PCT_E = -1015, /* ML-KEM Pairwise Consistency Test failure */
|
||||
ML_DSA_PCT_E = -1016, /* ML-DSA Pairwise Consistency Test failure */
|
||||
DRBG_SHA512_KAT_FIPS_E = -1017, /* SHA-512 DRBG KAT failure */
|
||||
SLH_DSA_KAT_FIPS_E = -1018, /* SLH-DSA CAST KAT failure */
|
||||
|
||||
WC_SPAN2_LAST_E = -1018, /* Update to indicate last used error code */
|
||||
WC_LAST_E = -1018, /* the last code used either here or in
|
||||
* error-ssl.h */
|
||||
|
||||
WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */
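Review bot: Four new codes are introduced here (`ML_KEM_PCT_E` through `SLH_DSA_KAT_FIPS_E`) and four more in the earlier hunks of this file reuse slots previously marked unused (`ML_KEM_KAT_FIPS_E = -124`, `ML_DSA_KAT_FIPS_E` through `XMSS_KAT_FIPS_E`); each needs a matching entry in the error-string table behind `wc_GetErrorString`, or callers will print the generic unknown-error text for them. That file is not in my view, so treat this as a check rather than a finding. `WC_SPAN2_LAST_E` and `WC_LAST_E` are correctly moved to `-1018`.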
|
||||
|
||||
@@ -74,7 +74,13 @@ enum FipsCastId {
|
||||
FIPS_CAST_PBKDF2 = 18,
|
||||
/* v7.0.0 + */
|
||||
FIPS_CAST_AES_ECB = 19,
|
||||
FIPS_CAST_COUNT = 20
|
||||
FIPS_CAST_ML_KEM = 20,
|
||||
FIPS_CAST_ML_DSA = 21,
|
||||
FIPS_CAST_LMS = 22,
|
||||
FIPS_CAST_XMSS = 23,
|
||||
FIPS_CAST_DRBG_SHA512 = 24,
|
||||
FIPS_CAST_SLH_DSA = 25,
|
||||
FIPS_CAST_COUNT = 26
|
||||
};
|
||||
|
||||
enum FipsCastStateId {
|
||||
|
||||
@@ -118,6 +118,15 @@ enum wc_LmsParm {
|
||||
WC_LMS_PARM_L4_H5_W8 = 33,
|
||||
WC_LMS_PARM_L4_H10_W4 = 34,
|
||||
WC_LMS_PARM_L4_H10_W8 = 35,
|
||||
/* H25 parameter sets for SHA-256/256 */
|
||||
WC_LMS_PARM_L1_H25_W1 = 56,
|
||||
WC_LMS_PARM_L1_H25_W2 = 57,
|
||||
WC_LMS_PARM_L1_H25_W4 = 58,
|
||||
WC_LMS_PARM_L1_H25_W8 = 59,
|
||||
/* W1 for non-H5 heights */
|
||||
WC_LMS_PARM_L1_H10_W1 = 60,
|
||||
WC_LMS_PARM_L1_H15_W1 = 61,
|
||||
WC_LMS_PARM_L1_H20_W1 = 62,
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_LMS_SHA256_192
|
||||
@@ -141,6 +150,61 @@ enum wc_LmsParm {
|
||||
WC_LMS_PARM_SHA256_192_L3_H5_W8 = 50,
|
||||
WC_LMS_PARM_SHA256_192_L3_H10_W4 = 51,
|
||||
WC_LMS_PARM_SHA256_192_L4_H5_W8 = 52,
|
||||
/* H25 for SHA-256/192 */
|
||||
WC_LMS_PARM_SHA256_192_L1_H25_W1 = 63,
|
||||
WC_LMS_PARM_SHA256_192_L1_H25_W2 = 64,
|
||||
WC_LMS_PARM_SHA256_192_L1_H25_W4 = 65,
|
||||
WC_LMS_PARM_SHA256_192_L1_H25_W8 = 66,
|
||||
/* W1 for non-H5 heights (SHA-256/192) */
|
||||
WC_LMS_PARM_SHA256_192_L1_H10_W1 = 67,
|
||||
WC_LMS_PARM_SHA256_192_L1_H15_W1 = 68,
|
||||
WC_LMS_PARM_SHA256_192_L1_H20_W1 = 69,
|
||||
WC_LMS_PARM_SHA256_192_L1_H15_W8 = 70,
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_LMS_SHAKE256
|
||||
/* SHAKE256/256, 32-byte output */
|
||||
WC_LMS_PARM_SHAKE_L1_H5_W1 = 100,
|
||||
WC_LMS_PARM_SHAKE_L1_H5_W2 = 101,
|
||||
WC_LMS_PARM_SHAKE_L1_H5_W4 = 102,
|
||||
WC_LMS_PARM_SHAKE_L1_H5_W8 = 103,
|
||||
WC_LMS_PARM_SHAKE_L1_H10_W1 = 104,
|
||||
WC_LMS_PARM_SHAKE_L1_H10_W2 = 105,
|
||||
WC_LMS_PARM_SHAKE_L1_H10_W4 = 106,
|
||||
WC_LMS_PARM_SHAKE_L1_H10_W8 = 107,
|
||||
WC_LMS_PARM_SHAKE_L1_H15_W1 = 108,
|
||||
WC_LMS_PARM_SHAKE_L1_H15_W2 = 109,
|
||||
WC_LMS_PARM_SHAKE_L1_H15_W4 = 110,
|
||||
WC_LMS_PARM_SHAKE_L1_H15_W8 = 111,
|
||||
WC_LMS_PARM_SHAKE_L1_H20_W1 = 112,
|
||||
WC_LMS_PARM_SHAKE_L1_H20_W2 = 113,
|
||||
WC_LMS_PARM_SHAKE_L1_H20_W4 = 114,
|
||||
WC_LMS_PARM_SHAKE_L1_H20_W8 = 115,
|
||||
WC_LMS_PARM_SHAKE_L1_H25_W1 = 116,
|
||||
WC_LMS_PARM_SHAKE_L1_H25_W2 = 117,
|
||||
WC_LMS_PARM_SHAKE_L1_H25_W4 = 118,
|
||||
WC_LMS_PARM_SHAKE_L1_H25_W8 = 119,
|
||||
/* SHAKE256/192, 24-byte output */
|
||||
WC_LMS_PARM_SHAKE192_L1_H5_W1 = 120,
|
||||
WC_LMS_PARM_SHAKE192_L1_H5_W2 = 121,
|
||||
WC_LMS_PARM_SHAKE192_L1_H5_W4 = 122,
|
||||
WC_LMS_PARM_SHAKE192_L1_H5_W8 = 123,
|
||||
WC_LMS_PARM_SHAKE192_L1_H10_W1 = 124,
|
||||
WC_LMS_PARM_SHAKE192_L1_H10_W2 = 125,
|
||||
WC_LMS_PARM_SHAKE192_L1_H10_W4 = 126,
|
||||
WC_LMS_PARM_SHAKE192_L1_H10_W8 = 127,
|
||||
WC_LMS_PARM_SHAKE192_L1_H15_W1 = 128,
|
||||
WC_LMS_PARM_SHAKE192_L1_H15_W2 = 129,
|
||||
WC_LMS_PARM_SHAKE192_L1_H15_W4 = 130,
|
||||
WC_LMS_PARM_SHAKE192_L1_H15_W8 = 131,
|
||||
WC_LMS_PARM_SHAKE192_L1_H20_W1 = 132,
|
||||
WC_LMS_PARM_SHAKE192_L1_H20_W2 = 133,
|
||||
WC_LMS_PARM_SHAKE192_L1_H20_W4 = 134,
|
||||
WC_LMS_PARM_SHAKE192_L1_H20_W8 = 135,
|
||||
WC_LMS_PARM_SHAKE192_L1_H25_W1 = 136,
|
||||
WC_LMS_PARM_SHAKE192_L1_H25_W2 = 137,
|
||||
WC_LMS_PARM_SHAKE192_L1_H25_W4 = 138,
|
||||
WC_LMS_PARM_SHAKE192_L1_H25_W8 = 139,
|
||||
#endif
|
||||
};
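Review bot: `WC_LMS_PARM_SHA256_192_L1_H15_W8 = 70` is listed under the comment `/* W1 for non-H5 heights (SHA-256/192) */` although it is a W8 parameter set, so the comment no longer describes the group. Either move it next to the other SHA-256/192 H15 entries, or widen the comment, e.g. `/* W1 for non-H5 heights (SHA-256/192), plus H15/W8 */`. The SHA-256/256 group in the previous hunk does not have this mismatch.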
|
||||
|
||||
|
||||
+194
-8
@@ -52,11 +52,15 @@
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/* Size of the BRBG seed */
|
||||
/* Size of the DRBG seed (SHA-256) */
|
||||
#ifndef DRBG_SEED_LEN
|
||||
#define DRBG_SEED_LEN (440/8)
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_DRBG_SHA512
|
||||
#define DRBG_SHA512_SEED_LEN (888/8) /* 111 bytes per SP 800-90A Table 2 */
|
||||
#endif
|
||||
|
||||
|
||||
#if !defined(CUSTOM_RAND_TYPE)
|
||||
/* To maintain compatibility the default is byte */
|
||||
@@ -104,9 +108,16 @@
|
||||
#endif
|
||||
#elif defined(HAVE_HASHDRBG)
|
||||
#ifdef NO_SHA256
|
||||
#error "Hash DRBG requires SHA-256."
|
||||
#ifndef WOLFSSL_DRBG_SHA512
|
||||
#error "Hash DRBG requires SHA-256 or SHA-512."
|
||||
#endif
|
||||
#endif /* NO_SHA256 */
|
||||
#include <wolfssl/wolfcrypt/sha256.h>
|
||||
#ifndef NO_SHA256
|
||||
#include <wolfssl/wolfcrypt/sha256.h>
|
||||
#endif
|
||||
#ifdef WOLFSSL_DRBG_SHA512
|
||||
#include <wolfssl/wolfcrypt/sha512.h>
|
||||
#endif
|
||||
#elif defined(HAVE_WNR)
|
||||
/* allow whitewood as direct RNG source using wc_GenerateSeed directly */
|
||||
#elif defined(HAVE_INTEL_RDRAND)
|
||||
@@ -141,8 +152,11 @@
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifndef WC_RNG_TYPE_DEFINED /* guard on redeclaration */
|
||||
#ifndef WC_OS_SEED_TYPE_DEFINED
|
||||
typedef struct OS_Seed OS_Seed;
|
||||
#define WC_OS_SEED_TYPE_DEFINED
|
||||
#endif
|
||||
#ifndef WC_RNG_TYPE_DEFINED /* guard on redeclaration */
|
||||
typedef struct WC_RNG WC_RNG;
|
||||
#ifdef WC_RNG_SEED_CB
|
||||
typedef int (*wc_RngSeed_Cb)(OS_Seed* os, byte* seed, word32 sz);
|
||||
@@ -239,7 +253,33 @@ struct OS_Seed {
|
||||
|
||||
#define WC_DRBG_SEED_BLOCK_SZ SEED_BLOCK_SZ
|
||||
|
||||
#define WC_DRBG_SEED_SZ (RNG_SECURITY_STRENGTH*ENTROPY_SCALE_FACTOR/8)
|
||||
/* WC_DRBG_SEED_SZ is the number of bytes of raw entropy gathered from the
|
||||
* NDRNG at instantiation and reseed. We deliberately "overseed" beyond the
|
||||
* NIST minimum (security_strength bits) to account for entropy sources that
|
||||
* may deliver fewer than 1 bit of real entropy per bit of output. With the
|
||||
* default FIPS ENTROPY_SCALE_FACTOR of 4 this yields 256*4/8 = 128 bytes =
|
||||
* 1024 bits of raw seed material, guaranteeing at least 256 bits of real
|
||||
* entropy even if the source provides only 1 good bit per 4.
|
||||
*
|
||||
* Hash_df then compresses this seed material into the internal V and C state
|
||||
* vectors (seedlen = 440 bits for SHA-256, 888 bits for SHA-512 per
|
||||
* SP 800-90A Table 2).
|
||||
*
|
||||
* In FIPS mode (ENTROPY_SCALE_FACTOR >= 4) the base is already >= 128 bytes
|
||||
* which exceeds DRBG_SHA512_SEED_LEN (111), so both DRBGs use the same
|
||||
* seed size. In non-FIPS mode we use the base for both DRBGs so that
|
||||
* enabling SHA-512 DRBG does not inflate the per-init entropy cost.
|
||||
* SP 800-90A requires only security_strength bits (256 = 32 bytes) of
|
||||
* entropy regardless of hash size; hash_df compresses the seed material
|
||||
* into the internal V/C state vectors. */
|
||||
#define WC_DRBG_SEED_SZ_BASE (RNG_SECURITY_STRENGTH*ENTROPY_SCALE_FACTOR/8)
|
||||
|
||||
#if defined(HAVE_FIPS) && defined(WOLFSSL_DRBG_SHA512) && \
|
||||
(WC_DRBG_SEED_SZ_BASE < DRBG_SHA512_SEED_LEN)
|
||||
#define WC_DRBG_SEED_SZ DRBG_SHA512_SEED_LEN
|
||||
#else
|
||||
#define WC_DRBG_SEED_SZ WC_DRBG_SEED_SZ_BASE
|
||||
#endif
|
||||
|
||||
/* The maximum seed size will be the seed size plus a seed block for the
|
||||
* test, and an additional half of the seed size. This additional half
|
||||
@@ -248,8 +288,14 @@ struct OS_Seed {
|
||||
#define WC_DRBG_MAX_SEED_SZ (WC_DRBG_SEED_SZ + WC_DRBG_SEED_SZ/2 + \
|
||||
SEED_BLOCK_SZ)
|
||||
|
||||
#define RNG_HEALTH_TEST_CHECK_SIZE (WC_SHA256_DIGEST_SIZE * 4)
|
||||
#ifndef NO_SHA256
|
||||
#define RNG_HEALTH_TEST_CHECK_SIZE (WC_SHA256_DIGEST_SIZE * 4)
|
||||
#endif
|
||||
#ifdef WOLFSSL_DRBG_SHA512
|
||||
#define RNG_HEALTH_TEST_CHECK_SIZE_SHA512 (WC_SHA512_DIGEST_SIZE * 4)
|
||||
#endif
|
||||
|
||||
#ifndef NO_SHA256
|
||||
struct DRBG_internal {
|
||||
#ifdef WORD64_AVAILABLE
|
||||
word64 reseedCtr;
|
||||
@@ -268,8 +314,34 @@ struct DRBG_internal {
|
||||
byte digest_scratch[WC_SHA256_DIGEST_SIZE];
|
||||
#endif
|
||||
};
|
||||
#endif /* !NO_SHA256 */
|
||||
|
||||
#ifdef WOLFSSL_DRBG_SHA512
|
||||
struct DRBG_SHA512_internal {
|
||||
word64 reseedCtr;
|
||||
byte V[DRBG_SHA512_SEED_LEN];
|
||||
byte C[DRBG_SHA512_SEED_LEN];
|
||||
void* heap;
|
||||
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
|
||||
int devId;
|
||||
#endif
|
||||
#ifdef WOLFSSL_SMALL_STACK_CACHE
|
||||
wc_Sha512 sha512;
|
||||
byte seed_scratch[DRBG_SHA512_SEED_LEN];
|
||||
byte digest_scratch[WC_SHA512_DIGEST_SIZE];
|
||||
#endif
|
||||
};
|
||||
#endif /* WOLFSSL_DRBG_SHA512 */
|
||||
#endif /* HAVE_HASHDRBG */
|
||||
|
||||
/* DRBG type enum */
|
||||
#ifdef HAVE_HASHDRBG
|
||||
enum wc_DrbgType {
|
||||
WC_DRBG_SHA256 = 0,
|
||||
WC_DRBG_SHA512 = 1,
|
||||
};
|
||||
#endif
|
||||
|
||||
/* RNG health states */
|
||||
#define WC_DRBG_NOT_INIT 0
|
||||
#define WC_DRBG_OK 1
|
||||
@@ -301,17 +373,35 @@ struct WC_RNG {
|
||||
#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES
|
||||
struct {
|
||||
#endif
|
||||
/* Hash-based Deterministic Random Bit Generator */
|
||||
#ifndef NO_SHA256
|
||||
/* SHA-256 Hash-based Deterministic Random Bit Generator */
|
||||
struct DRBG* drbg;
|
||||
#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
|
||||
struct DRBG_internal drbg_data;
|
||||
#endif
|
||||
#ifdef WOLFSSL_SMALL_STACK_CACHE
|
||||
/* Scratch buffers -- all preallocated by _InitRng(). */
|
||||
/* SHA-256 scratch buffers -- preallocated by _InitRng(). */
|
||||
struct DRBG_internal *drbg_scratch;
|
||||
byte *health_check_scratch;
|
||||
#endif
|
||||
#endif /* !NO_SHA256 */
|
||||
#ifdef WOLFSSL_SMALL_STACK_CACHE
|
||||
/* Seed buffer for PollAndReSeed -- shared by both DRBG types */
|
||||
byte *newSeed_buf;
|
||||
#endif
|
||||
#ifdef WOLFSSL_DRBG_SHA512
|
||||
/* SHA-512 Hash-based Deterministic Random Bit Generator */
|
||||
struct DRBG_SHA512* drbg512;
|
||||
#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
|
||||
struct DRBG_SHA512_internal drbg512_data;
|
||||
#endif
|
||||
#ifdef WOLFSSL_SMALL_STACK_CACHE
|
||||
/* SHA-512 scratch buffers -- preallocated by _InitRng(). */
|
||||
struct DRBG_SHA512_internal *drbg512_scratch;
|
||||
byte *health_check_scratch_512;
|
||||
#endif
|
||||
#endif /* WOLFSSL_DRBG_SHA512 */
|
||||
byte drbgType; /* WC_DRBG_SHA256 or WC_DRBG_SHA512 */
|
||||
#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES
|
||||
};
|
||||
#endif
|
||||
@@ -397,6 +487,10 @@ WOLFSSL_API int wc_FreeRng(WC_RNG* rng);
|
||||
WOLFSSL_API int wc_RNG_DRBG_Reseed(WC_RNG* rng, const byte* seed,
|
||||
word32 seedSz);
|
||||
WOLFSSL_API int wc_RNG_TestSeed(const byte* seed, word32 seedSz);
|
||||
#ifndef NO_SHA256
|
||||
/* SHA-256 Hash_DRBG health test entry points. SHA-512-only builds
|
||||
* (NO_SHA256 + WOLFSSL_DRBG_SHA512) use wc_RNG_HealthTest_SHA512_ex
|
||||
* declared below. */
|
||||
WOLFSSL_API int wc_RNG_HealthTest(int reseed,
|
||||
const byte* seedA, word32 seedASz,
|
||||
const byte* seedB, word32 seedBSz,
|
||||
@@ -407,6 +501,98 @@ WOLFSSL_API int wc_FreeRng(WC_RNG* rng);
|
||||
const byte* seedB, word32 seedBSz,
|
||||
byte* output, word32 outputSz,
|
||||
void* heap, int devId);
|
||||
#endif /* !NO_SHA256 */
|
||||
#if !defined(NO_SHA256) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
/* Extended SHA-256 Hash_DRBG health test per SP 800-90A.
|
||||
* Flexible output size, prediction resistance, personalization
|
||||
* strings, and additional input support. */
|
||||
WOLFSSL_API int wc_RNG_HealthTest_SHA256_ex(
|
||||
int predResistance,
|
||||
const byte* nonce, word32 nonceSz,
|
||||
const byte* persoString,
|
||||
word32 persoStringSz,
|
||||
const byte* entropyA,
|
||||
word32 entropyASz,
|
||||
const byte* entropyB,
|
||||
word32 entropyBSz,
|
||||
const byte* entropyC,
|
||||
word32 entropyCsz,
|
||||
const byte* additionalA,
|
||||
word32 additionalASz,
|
||||
const byte* additionalB,
|
||||
word32 additionalBSz,
|
||||
const byte* additionalReseed,
|
||||
word32 additionalReseedSz,
|
||||
byte* output, word32 outputSz,
|
||||
void* heap, int devId);
|
||||
#endif /* !NO_SHA256 && !HAVE_SELFTEST && FIPS v7+ */
|
||||
#if defined(WOLFSSL_DRBG_SHA512) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
WOLFSSL_API int wc_RNG_HealthTest_SHA512(int reseed,
|
||||
const byte* seedA, word32 seedASz,
|
||||
const byte* seedB, word32 seedBSz,
|
||||
byte* output, word32 outputSz);
|
||||
WOLFSSL_API int wc_RNG_HealthTest_SHA512_ex(int reseed,
|
||||
const byte* nonce, word32 nonceSz,
|
||||
const byte* persoString,
|
||||
word32 persoStringSz,
|
||||
const byte* seedA, word32 seedASz,
|
||||
const byte* seedB, word32 seedBSz,
|
||||
const byte* additionalA,
|
||||
word32 additionalASz,
|
||||
const byte* additionalB,
|
||||
word32 additionalBSz,
|
||||
byte* output, word32 outputSz,
|
||||
void* heap, int devId);
|
||||
/* Extended SHA-512 Hash_DRBG health test per SP 800-90A.
|
||||
* Flexible output size, prediction resistance support.
|
||||
* predResistance=1: additionalA/B go to Reseed per SP 800-90A 9.3.1,
|
||||
* Generate gets NULL additional input.
|
||||
* predResistance=0: additionalReseed goes to Reseed, additionalA/B go
|
||||
* to Generate calls 1 and 2 respectively. */
|
||||
WOLFSSL_API int wc_RNG_HealthTest_SHA512_ex2(
|
||||
int predResistance,
|
||||
const byte* nonce, word32 nonceSz,
|
||||
const byte* persoString,
|
||||
word32 persoStringSz,
|
||||
const byte* entropyA,
|
||||
word32 entropyASz,
|
||||
const byte* entropyB,
|
||||
word32 entropyBSz,
|
||||
const byte* entropyC,
|
||||
word32 entropyCsz,
|
||||
const byte* additionalA,
|
||||
word32 additionalASz,
|
||||
const byte* additionalB,
|
||||
word32 additionalBSz,
|
||||
const byte* additionalReseed,
|
||||
word32 additionalReseedSz,
|
||||
byte* output, word32 outputSz,
|
||||
void* heap, int devId);
|
||||
#endif /* WOLFSSL_DRBG_SHA512 && !HAVE_SELFTEST && FIPS v7+ */
|
||||
|
||||
/* Runtime DRBG disable/enable API */
|
||||
#if !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
WOLFSSL_API int wc_Sha256Drbg_Disable(void);
|
||||
WOLFSSL_API int wc_Sha256Drbg_Enable(void);
|
||||
WOLFSSL_API int wc_Sha256Drbg_IsDisabled(void);
|
||||
#ifdef WOLFSSL_DRBG_SHA512
|
||||
WOLFSSL_API int wc_Sha512Drbg_Disable(void);
|
||||
WOLFSSL_API int wc_Sha512Drbg_Enable(void);
|
||||
WOLFSSL_API int wc_Sha512Drbg_IsDisabled(void);
|
||||
#endif
|
||||
#endif /* !HAVE_SELFTEST && (!HAVE_FIPS || FIPS v7+) */
|
||||
|
||||
/* DRBG state mutex init/free, called from wolfCrypt_Init/Cleanup.
|
||||
* Only in v7+ or non-FIPS/non-selftest; older modules lack these. */
|
||||
#if !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
WOLFSSL_LOCAL int wc_DrbgState_MutexInit(void);
|
||||
WOLFSSL_LOCAL int wc_DrbgState_MutexFree(void);
|
||||
#endif
|
||||
|
||||
#endif /* HAVE_HASHDRBG */
|
||||
|
||||
#ifdef __cplusplus
|
||||
|
||||
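Review bot: `struct DRBG_SHA512_internal` declares `word64 reseedCtr;` unconditionally, while `struct DRBG_internal` in the same hunk guards its counter with `#ifdef WORD64_AVAILABLE`; if `word64` is only typedef'd when that macro is set, as the guard on the SHA-256 struct suggests, a build with `WOLFSSL_DRBG_SHA512` on a target without 64-bit integer support will not compile. Either mirror the existing guard with a narrower fallback, or make the requirement explicit next to the struct with `#ifndef WORD64_AVAILABLE` / `#error "WOLFSSL_DRBG_SHA512 requires WORD64_AVAILABLE"` / `#endif` so the failure is a clear diagnostic rather than an unknown-type error. In the same hunk, `enum wc_DrbgType` closes with a trailing comma after `WC_DRBG_SHA512 = 1,`, which is a C99 extension that `-std=c89 -pedantic` builds diagnose; drop the comma.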
@@ -299,6 +299,7 @@ WOLFSSL_API int wc_InitRsaKey(RsaKey* key, void* heap);
|
||||
WOLFSSL_API int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId);
|
||||
WOLFSSL_API int wc_FreeRsaKey(RsaKey* key);
|
||||
#ifndef WC_NO_CONSTRUCTORS
|
||||
#define WC_RSA_NEW_API_AVAILABLE
|
||||
WOLFSSL_API RsaKey* wc_NewRsaKey(void* heap, int devId, int *result_code);
|
||||
#ifdef WOLF_PRIVATE_KEY_ID
|
||||
WOLFSSL_API RsaKey* wc_NewRsaKey_Id(unsigned char* id, int len, void* heap,
|
||||
@@ -432,6 +433,14 @@ WOLFSSL_API int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz,
|
||||
#define WC_MGF1SHA512 3
|
||||
#define WC_MGF1SHA512_224 5
|
||||
#define WC_MGF1SHA512_256 6
|
||||
#define WC_MGF1SHA3_224 7
|
||||
#define WC_MGF1SHA3_256 8
|
||||
#define WC_MGF1SHA3_384 9
|
||||
#define WC_MGF1SHA3_512 10
|
||||
#define WC_MGF1SHAKE128 11
|
||||
#define WC_MGF1SHAKE256 12
|
||||
#define WC_MGFSHAKE128 13
|
||||
#define WC_MGFSHAKE256 14
|
||||
|
||||
/* Padding types */
|
||||
#define WC_RSA_PKCSV15_PAD 0
|
||||
|
||||
@@ -513,7 +513,7 @@
|
||||
/* old FIPS has only AES_BLOCK_SIZE. */
|
||||
#if !defined(NO_AES) && (defined(HAVE_SELFTEST) || \
|
||||
(defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)))
|
||||
#define WC_AES_BLOCK_SIZE AES_BLOCK_SIZE
|
||||
#define WC_AES_BLOCK_SIZE 16
|
||||
#endif /* !NO_AES && (HAVE_SELFTEST || FIPS_VERSION3_LT(6,0,0)) */
|
||||
|
||||
#ifdef WOLFSSL_HARDEN_TLS
|
||||
|
||||
+91
-10
@@ -94,6 +94,9 @@
|
||||
|
||||
#include <wolfssl/wolfcrypt/lms.h>
|
||||
#include <wolfssl/wolfcrypt/sha256.h>
|
||||
#ifdef WOLFSSL_LMS_SHAKE256
|
||||
#include <wolfssl/wolfcrypt/sha3.h>
|
||||
#endif
|
||||
|
||||
/* When raw hash access APIs are disabled or unavailable (WOLFSSL_NO_HASH_RAW),
|
||||
* fall back to using the full hash API calls. */
|
||||
@@ -122,10 +125,10 @@
|
||||
#define LMS_MAX_HEIGHT WOLFSSL_LMS_MAX_HEIGHT
|
||||
#else
|
||||
/* Maximum height of a tree supported by implementation. */
|
||||
#define LMS_MAX_HEIGHT 20
|
||||
#define LMS_MAX_HEIGHT 25
|
||||
#endif
|
||||
#if (LMS_MAX_HEIGHT < 5) || (LMS_MAX_HEIGHT > 20)
|
||||
#error "LMS parameters only support heights 5-20."
|
||||
#if (LMS_MAX_HEIGHT < 5) || (LMS_MAX_HEIGHT > 25)
|
||||
#error "LMS parameters only support heights 5-25."
|
||||
#endif
|
||||
|
||||
/* Length of I in bytes. */
|
||||
@@ -312,10 +315,16 @@
|
||||
#define LMS_SHA256 0x0000
|
||||
/* Indicates using SHA-256/192 for hashing. */
|
||||
#define LMS_SHA256_192 0x1000
|
||||
/* Indicates using SHAKE256/256 for hashing. */
|
||||
#define LMS_SHAKE256 0x2000
|
||||
/* Indicates using SHAKE256/192 for hashing. */
|
||||
#define LMS_SHAKE256_192 0x3000
|
||||
/* Mask to get hashing algorithm from type. */
|
||||
#define LMS_HASH_MASK 0xf000
|
||||
/* Mask to get height or Winternitz width from type. */
|
||||
#define LMS_H_W_MASK 0x0fff
|
||||
/* Bit test: non-zero if type uses SHAKE256. */
|
||||
#define LMS_IS_SHAKE(type) (((type) & 0x2000) != 0)
|
||||
|
||||
/* LMS Parameters. */
|
||||
/* SHA-256 hash, 32-bytes of hash used, tree height of 5. */
|
||||
@@ -349,15 +358,55 @@
|
||||
/* SHA-256 hash, 32-bytes of hash used, tree height of 25. */
|
||||
#define LMS_SHA256_M24_H25 (0x0e | LMS_SHA256_192)
|
||||
|
||||
/* SHA-256 hash, 32-bytes of hash used, Winternitz width of 1 bit. */
|
||||
/* SHA-256 hash, 24-bytes of hash used, Winternitz width of 1 bit. */
|
||||
#define LMOTS_SHA256_N24_W1 (0x05 | LMS_SHA256_192)
|
||||
/* SHA-256 hash, 32-bytes of hash used, Winternitz width of 2 bits. */
|
||||
/* SHA-256 hash, 24-bytes of hash used, Winternitz width of 2 bits. */
|
||||
#define LMOTS_SHA256_N24_W2 (0x06 | LMS_SHA256_192)
|
||||
/* SHA-256 hash, 32-bytes of hash used, Winternitz width of 4 bits. */
|
||||
/* SHA-256 hash, 24-bytes of hash used, Winternitz width of 4 bits. */
|
||||
#define LMOTS_SHA256_N24_W4 (0x07 | LMS_SHA256_192)
|
||||
/* SHA-256 hash, 32-bytes of hash used, Winternitz width of 8 bits. */
|
||||
/* SHA-256 hash, 24-bytes of hash used, Winternitz width of 8 bits. */
|
||||
#define LMOTS_SHA256_N24_W8 (0x08 | LMS_SHA256_192)
|
||||
|
||||
/* SHAKE256 hash, 32-bytes of hash used, tree height of 5. */
|
||||
#define LMS_SHAKE_M32_H5 (0x0f | LMS_SHAKE256)
|
||||
/* SHAKE256 hash, 32-bytes of hash used, tree height of 10. */
|
||||
#define LMS_SHAKE_M32_H10 (0x10 | LMS_SHAKE256)
|
||||
/* SHAKE256 hash, 32-bytes of hash used, tree height of 15. */
|
||||
#define LMS_SHAKE_M32_H15 (0x11 | LMS_SHAKE256)
|
||||
/* SHAKE256 hash, 32-bytes of hash used, tree height of 20. */
|
||||
#define LMS_SHAKE_M32_H20 (0x12 | LMS_SHAKE256)
|
||||
/* SHAKE256 hash, 32-bytes of hash used, tree height of 25. */
|
||||
#define LMS_SHAKE_M32_H25 (0x13 | LMS_SHAKE256)
|
||||
|
||||
/* SHAKE256 hash, 32-bytes of hash used, Winternitz width of 1 bit. */
|
||||
#define LMOTS_SHAKE_N32_W1 (0x09 | LMS_SHAKE256)
|
||||
/* SHAKE256 hash, 32-bytes of hash used, Winternitz width of 2 bits. */
|
||||
#define LMOTS_SHAKE_N32_W2 (0x0a | LMS_SHAKE256)
|
||||
/* SHAKE256 hash, 32-bytes of hash used, Winternitz width of 4 bits. */
|
||||
#define LMOTS_SHAKE_N32_W4 (0x0b | LMS_SHAKE256)
|
||||
/* SHAKE256 hash, 32-bytes of hash used, Winternitz width of 8 bits. */
|
||||
#define LMOTS_SHAKE_N32_W8 (0x0c | LMS_SHAKE256)
|
||||
|
||||
/* SHAKE256 hash, 24-bytes of hash used, tree height of 5. */
|
||||
#define LMS_SHAKE_M24_H5 (0x14 | LMS_SHAKE256_192)
|
||||
/* SHAKE256 hash, 24-bytes of hash used, tree height of 10. */
|
||||
#define LMS_SHAKE_M24_H10 (0x15 | LMS_SHAKE256_192)
|
||||
/* SHAKE256 hash, 24-bytes of hash used, tree height of 15. */
|
||||
#define LMS_SHAKE_M24_H15 (0x16 | LMS_SHAKE256_192)
|
||||
/* SHAKE256 hash, 24-bytes of hash used, tree height of 20. */
|
||||
#define LMS_SHAKE_M24_H20 (0x17 | LMS_SHAKE256_192)
|
||||
/* SHAKE256 hash, 24-bytes of hash used, tree height of 25. */
|
||||
#define LMS_SHAKE_M24_H25 (0x18 | LMS_SHAKE256_192)
|
||||
|
||||
/* SHAKE256 hash, 24-bytes of hash used, Winternitz width of 1 bit. */
|
||||
#define LMOTS_SHAKE_N24_W1 (0x0d | LMS_SHAKE256_192)
|
||||
/* SHAKE256 hash, 24-bytes of hash used, Winternitz width of 2 bits. */
|
||||
#define LMOTS_SHAKE_N24_W2 (0x0e | LMS_SHAKE256_192)
|
||||
/* SHAKE256 hash, 24-bytes of hash used, Winternitz width of 4 bits. */
|
||||
#define LMOTS_SHAKE_N24_W4 (0x0f | LMS_SHAKE256_192)
|
||||
/* SHAKE256 hash, 24-bytes of hash used, Winternitz width of 8 bits. */
|
||||
#define LMOTS_SHAKE_N24_W8 (0x10 | LMS_SHAKE256_192)
|
||||
|
||||
typedef struct LmsParams {
|
||||
/* Number of tree levels. */
|
||||
word8 levels;
|
||||
@@ -408,12 +457,43 @@ typedef struct LmsState {
|
||||
#endif
|
||||
/* LMS parameters. */
|
||||
const LmsParams* params;
|
||||
/* Hash algorithm. */
|
||||
#ifdef WOLFSSL_LMS_SHAKE256
|
||||
/* The LMS instance uses exactly one hash family at a time, selected at
|
||||
* init time by params->lmOtsType (see wc_lms.c LMS_IS_SHAKE dispatch).
|
||||
* The two contexts are unionized to shrink LmsState; access via the
|
||||
* LMS_STATE_HASH / LMS_STATE_SHAKE macros below. Anonymous unions
|
||||
* would avoid the macros but require C11 (HAVE_ANONYMOUS_INLINE_AGGREGATES)
|
||||
* gating that ends up uglier than the named form here. */
|
||||
union {
|
||||
wc_Sha256 sha256;
|
||||
wc_Shake shake;
|
||||
} hash;
|
||||
union {
|
||||
wc_Sha256 sha256;
|
||||
wc_Shake shake;
|
||||
} hash_k;
|
||||
#else
|
||||
/* Hash algorithm (SHA-256). */
|
||||
wc_Sha256 hash;
|
||||
/* Hash algorithm for calculating K. */
|
||||
/* Hash algorithm for calculating K (SHA-256). */
|
||||
wc_Sha256 hash_k;
|
||||
#endif
|
||||
} LmsState;
|
||||
|
||||
/* Access macros for the LmsState hash contexts. All call sites use the
|
||||
* address-of form, so the macros yield pointers directly. In the
|
||||
* SHAKE-disabled build the SHAKE macros are intentionally undefined --
|
||||
* the only callers are themselves under #ifdef WOLFSSL_LMS_SHAKE256. */
|
||||
#ifdef WOLFSSL_LMS_SHAKE256
|
||||
#define LMS_STATE_HASH(state) (&(state)->hash.sha256)
|
||||
#define LMS_STATE_HASH_K(state) (&(state)->hash_k.sha256)
|
||||
#define LMS_STATE_SHAKE(state) (&(state)->hash.shake)
|
||||
#define LMS_STATE_SHAKE_K(state) (&(state)->hash_k.shake)
|
||||
#else
|
||||
#define LMS_STATE_HASH(state) (&(state)->hash)
|
||||
#define LMS_STATE_HASH_K(state) (&(state)->hash_k)
|
||||
#endif
|
||||
|
||||
#ifndef WOLFSSL_WC_LMS_SMALL
|
||||
/* Stack of interior node hashes. */
|
||||
typedef struct LmsStack {
|
||||
@@ -504,8 +584,9 @@ int wc_hss_reload_key(LmsState* state, const byte* priv_raw,
|
||||
int wc_hss_sign(LmsState* state, byte* priv_raw, HssPrivKey* priv_key,
|
||||
byte* priv_data, const byte* msg, word32 msgSz, byte* sig);
|
||||
int wc_hss_sigsleft(const LmsParams* params, const byte* priv_raw);
|
||||
WOLFSSL_API
|
||||
int wc_hss_verify(LmsState* state, const byte* pub, const byte* msg,
|
||||
word32 msgSz, const byte* sig);
|
||||
word32 msgSz, const byte* sig, word32 sigSz);
|
||||
|
||||
#endif /* WOLFSSL_HAVE_LMS && WOLFSSL_WC_LMS */
|
||||
|
||||
|
||||
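Review bot: The new `sigSz` parameter on `wc_hss_verify` has no stated contract in the header, and since it is a security-relevant length check the prototype should say what is validated: whether `sigSz` must equal the signature length implied by `state->params` or may be larger, and which error is returned on mismatch; a comment along the lines of `/* sigSz: length of sig in bytes; must match the signature length for state->params or the call fails before sig is parsed (confirm against wc_lms.c). */` would pin that down. Note that `pub` still carries no length, so a truncated public-key buffer is not caught at this layer; if the implementation derives the public-key length from `state->params`, document that the caller must guarantee `pub` is at least that long. Separately, the hunk corrects the four `LMOTS_SHA256_N24_*` comments from 32 to 24 bytes, but the context line just above them for `LMS_SHA256_M24_H25` still says `32-bytes of hash used` and should read 24.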
@@ -26,8 +26,20 @@
|
||||
#include <wolfssl/wolfcrypt/random.h>
|
||||
#include <wolfssl/wolfcrypt/sha3.h>
|
||||
|
||||
#ifdef WOLFSSL_SLHDSA_SHA2
|
||||
#include <wolfssl/wolfcrypt/sha256.h>
|
||||
#include <wolfssl/wolfcrypt/sha512.h>
|
||||
#include <wolfssl/wolfcrypt/hmac.h>
|
||||
#endif
|
||||
|
||||
#if FIPS_VERSION3_GE(7,0,0)
|
||||
#include <wolfssl/wolfcrypt/fips.h>
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_HAVE_SLHDSA
|
||||
|
||||
/* ======== SHAKE parameter guards ======== */
|
||||
|
||||
/* When a bits/opt is defined then ensure 'NO' defines are off. */
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_128S
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_128S
|
||||
@@ -155,12 +167,159 @@
|
||||
#define WOLFSSL_SLHDSA_PARAM_NO_256
|
||||
#endif
|
||||
|
||||
/* ======== SHA2 parameter guards ======== */
|
||||
#ifdef WOLFSSL_SLHDSA_SHA2
|
||||
|
||||
/* When a SHA2 param is defined, ensure 'NO' defines are off. */
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_128S
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
|
||||
#endif
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_128F
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
|
||||
#endif
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_192S
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
|
||||
#endif
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_192F
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
|
||||
#endif
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_256S
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
|
||||
#endif
|
||||
#ifdef WOLFSSL_SLHDSA_PARAM_SHA2_256F
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
|
||||
#endif
|
||||
|
||||
/* Derive aggregate 'NO' defines for SHA2. */
|
||||
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
|
||||
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
|
||||
#endif
|
||||
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
|
||||
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
|
||||
#endif
|
||||
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
|
||||
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
|
||||
#endif
|
||||
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
|
||||
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
|
||||
#endif
|
||||
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
|
||||
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
|
||||
#endif
|
||||
|
||||
/* Turn on SHA2 parameter set based on 'NO' defines. */
|
||||
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_SHA2_128S
|
||||
#define WOLFSSL_SLHDSA_PARAM_SHA2_128S
|
||||
#endif
|
||||
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_SHA2_128F
|
||||
#define WOLFSSL_SLHDSA_PARAM_SHA2_128F
|
||||
#endif
|
||||
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_SHA2_192S
|
||||
#define WOLFSSL_SLHDSA_PARAM_SHA2_192S
|
||||
#endif
|
||||
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_SHA2_192F
|
||||
#define WOLFSSL_SLHDSA_PARAM_SHA2_192F
|
||||
#endif
|
||||
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_SHA2_256S
|
||||
#define WOLFSSL_SLHDSA_PARAM_SHA2_256S
|
||||
#endif
|
||||
#if !defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256) && \
|
||||
!defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_SHA2_256F
|
||||
#define WOLFSSL_SLHDSA_PARAM_SHA2_256F
|
||||
#endif
|
||||
|
||||
/* Re-derive aggregate NOs for SHA2. */
|
||||
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
|
||||
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL
|
||||
#endif
|
||||
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
|
||||
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST
|
||||
#endif
|
||||
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128S) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_128F)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
|
||||
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_128
|
||||
#endif
|
||||
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192S) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_192F)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
|
||||
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_192
|
||||
#endif
|
||||
#if defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256S) && \
|
||||
defined(WOLFSSL_SLHDSA_PARAM_NO_SHA2_256F)
|
||||
#undef WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
|
||||
#define WOLFSSL_SLHDSA_PARAM_NO_SHA2_256
|
||||
#endif
|
||||
|
||||
#endif /* WOLFSSL_SLHDSA_SHA2 */
|
||||
|
||||
/* ======== Security parameter (n) per FIPS 205 Table 2 ======== */
|
||||
|
||||
/* Security parameter n, in bytes. SLH-DSA seed length, public key half,
|
||||
* and other primitive sizes are derived from n. The SHA2 hash dispatch
|
||||
* also keys off n: n = 128 uses SHA-256, n = 192/256 use SHA-512. */
|
||||
/* Category 1, 128-bit classical security. */
|
||||
#define WC_SLHDSA_N_128 16
|
||||
/* Category 3, 192-bit classical security. */
|
||||
#define WC_SLHDSA_N_192 24
|
||||
/* Category 5, 256-bit classical security. */
|
||||
#define WC_SLHDSA_N_256 32
|
||||
|
||||
/* ======== SHAKE size defines ======== */
|
||||
|
||||
/* Seed length for SLH-DSA SHAKE-128s/f. */
|
||||
#define WC_SLHDSA_SHAKE128_SEED_LEN 16
|
||||
#define WC_SLHDSA_SHAKE128_SEED_LEN WC_SLHDSA_N_128
|
||||
/* Seed length for SLH-DSA SHAKE-192s/f. */
|
||||
#define WC_SLHDSA_SHAKE192_SEED_LEN 24
|
||||
#define WC_SLHDSA_SHAKE192_SEED_LEN WC_SLHDSA_N_192
|
||||
/* Seed length for SLH-DSA SHAKE-256s/f. */
|
||||
#define WC_SLHDSA_SHAKE256_SEED_LEN 32
|
||||
#define WC_SLHDSA_SHAKE256_SEED_LEN WC_SLHDSA_N_256
|
||||
|
||||
/* Private key length for SLH-DSA SHAKE-128s. */
|
||||
#define WC_SLHDSA_SHAKE128S_PRIV_LEN (4 * 16)
|
||||
@@ -216,8 +375,76 @@
|
||||
/* Seed length for SLH-DSA SHAKE-256f. */
|
||||
#define WC_SLHDSA_SHAKE256F_SEED_LEN WC_SLHDSA_SHAKE256_SEED_LEN
|
||||
|
||||
/* Determine maximum private and public key lengths based on maximum SHAKE-256
|
||||
* output length. */
|
||||
/* ======== SHA2 size defines ======== */
|
||||
#ifdef WOLFSSL_SLHDSA_SHA2
|
||||
|
||||
/* Seed length for SLH-DSA SHA2-128s/f. */
|
||||
#define WC_SLHDSA_SHA2_128_SEED_LEN WC_SLHDSA_N_128
|
||||
/* Seed length for SLH-DSA SHA2-192s/f. */
|
||||
#define WC_SLHDSA_SHA2_192_SEED_LEN WC_SLHDSA_N_192
|
||||
/* Seed length for SLH-DSA SHA2-256s/f. */
|
||||
#define WC_SLHDSA_SHA2_256_SEED_LEN WC_SLHDSA_N_256
|
||||
|
||||
/* Private key length for SLH-DSA SHA2-128s. */
|
||||
#define WC_SLHDSA_SHA2_128S_PRIV_LEN (4 * 16)
|
||||
/* Public key length for SLH-DSA SHA2-128s. */
|
||||
#define WC_SLHDSA_SHA2_128S_PUB_LEN (2 * 16)
|
||||
/* Signature length for SLH-DSA SHA2-128s. */
|
||||
#define WC_SLHDSA_SHA2_128S_SIG_LEN 7856
|
||||
/* Seed length for SLH-DSA SHA2-128s. */
|
||||
#define WC_SLHDSA_SHA2_128S_SEED_LEN WC_SLHDSA_SHA2_128_SEED_LEN
|
||||
|
||||
/* Private key length for SLH-DSA SHA2-128f. */
|
||||
#define WC_SLHDSA_SHA2_128F_PRIV_LEN (4 * 16)
|
||||
/* Public key length for SLH-DSA SHA2-128f. */
|
||||
#define WC_SLHDSA_SHA2_128F_PUB_LEN (2 * 16)
|
||||
/* Signature length for SLH-DSA SHA2-128f. */
|
||||
#define WC_SLHDSA_SHA2_128F_SIG_LEN 17088
|
||||
/* Seed length for SLH-DSA SHA2-128f. */
|
||||
#define WC_SLHDSA_SHA2_128F_SEED_LEN WC_SLHDSA_SHA2_128_SEED_LEN
|
||||
|
||||
/* Private key length for SLH-DSA SHA2-192s. */
|
||||
#define WC_SLHDSA_SHA2_192S_PRIV_LEN (4 * 24)
|
||||
/* Public key length for SLH-DSA SHA2-192s. */
|
||||
#define WC_SLHDSA_SHA2_192S_PUB_LEN (2 * 24)
|
||||
/* Signature length for SLH-DSA SHA2-192s. */
|
||||
#define WC_SLHDSA_SHA2_192S_SIG_LEN 16224
|
||||
/* Seed length for SLH-DSA SHA2-192s. */
|
||||
#define WC_SLHDSA_SHA2_192S_SEED_LEN WC_SLHDSA_SHA2_192_SEED_LEN
|
||||
|
||||
/* Private key length for SLH-DSA SHA2-192f. */
|
||||
#define WC_SLHDSA_SHA2_192F_PRIV_LEN (4 * 24)
|
||||
/* Public key length for SLH-DSA SHA2-192f. */
|
||||
#define WC_SLHDSA_SHA2_192F_PUB_LEN (2 * 24)
|
||||
/* Signature length for SLH-DSA SHA2-192f. */
|
||||
#define WC_SLHDSA_SHA2_192F_SIG_LEN 35664
|
||||
/* Seed length for SLH-DSA SHA2-192f. */
|
||||
#define WC_SLHDSA_SHA2_192F_SEED_LEN WC_SLHDSA_SHA2_192_SEED_LEN
|
||||
|
||||
/* Private key length for SLH-DSA SHA2-256s. */
|
||||
#define WC_SLHDSA_SHA2_256S_PRIV_LEN (4 * 32)
|
||||
/* Public key length for SLH-DSA SHA2-256s. */
|
||||
#define WC_SLHDSA_SHA2_256S_PUB_LEN (2 * 32)
|
||||
/* Signature length for SLH-DSA SHA2-256s. */
|
||||
#define WC_SLHDSA_SHA2_256S_SIG_LEN 29792
|
||||
/* Seed length for SLH-DSA SHA2-256s. */
|
||||
#define WC_SLHDSA_SHA2_256S_SEED_LEN WC_SLHDSA_SHA2_256_SEED_LEN
|
||||
|
||||
/* Private key length for SLH-DSA SHA2-256f. */
|
||||
#define WC_SLHDSA_SHA2_256F_PRIV_LEN (4 * 32)
|
||||
/* Public key length for SLH-DSA SHA2-256f. */
|
||||
#define WC_SLHDSA_SHA2_256F_PUB_LEN (2 * 32)
|
||||
/* Signature length for SLH-DSA SHA2-256f. */
|
||||
#define WC_SLHDSA_SHA2_256F_SIG_LEN 49856
|
||||
/* Seed length for SLH-DSA SHA2-256f. */
|
||||
#define WC_SLHDSA_SHA2_256F_SEED_LEN WC_SLHDSA_SHA2_256_SEED_LEN
|
||||
|
||||
#endif /* WOLFSSL_SLHDSA_SHA2 */
|
||||
|
||||
/* ======== Maximum size defines ======== */
|
||||
|
||||
/* Determine maximum private and public key lengths based on maximum 256-bit
|
||||
* output length. SHA2 variants have identical sizes to SHAKE counterparts. */
|
||||
#ifndef WOLFSSL_SLHDSA_PARAM_NO_256
|
||||
/* Maximum private key length. */
|
||||
#define WC_SLHDSA_MAX_PRIV_LEN WC_SLHDSA_SHAKE256F_PRIV_LEN
|
||||
@@ -279,8 +506,23 @@ enum SlhDsaParam {
|
||||
SLHDSA_SHAKE192F = 3, /* SLH-DSA SHAKE192f */
|
||||
SLHDSA_SHAKE256S = 4, /* SLH-DSA SHAKE256s */
|
||||
SLHDSA_SHAKE256F = 5, /* SLH-DSA SHAKE256f */
|
||||
#ifdef WOLFSSL_SLHDSA_SHA2
|
||||
SLHDSA_SHA2_128S = 6, /* SLH-DSA SHA2-128s */
|
||||
SLHDSA_SHA2_128F = 7, /* SLH-DSA SHA2-128f */
|
||||
SLHDSA_SHA2_192S = 8, /* SLH-DSA SHA2-192s */
|
||||
SLHDSA_SHA2_192F = 9, /* SLH-DSA SHA2-192f */
|
||||
SLHDSA_SHA2_256S = 10, /* SLH-DSA SHA2-256s */
|
||||
SLHDSA_SHA2_256F = 11, /* SLH-DSA SHA2-256f */
|
||||
#endif
|
||||
};
|
||||
|
||||
/* Helper macro to detect SHA2 parameter sets. */
|
||||
#ifdef WOLFSSL_SLHDSA_SHA2
|
||||
#define SLHDSA_IS_SHA2(p) ((p) >= SLHDSA_SHA2_128S)
|
||||
#else
|
||||
#define SLHDSA_IS_SHA2(p) (0)
|
||||
#endif
|
||||
|
||||
/* Pre-defined parameter values. */
|
||||
typedef struct SlhDsaParameters {
|
||||
enum SlhDsaParam param; /* Parameter set id. */
|
||||
@@ -317,10 +559,31 @@ typedef struct SlhDsaKey {
|
||||
|
||||
/* sk_seed | sk_prf | pk_seed, pk_root */
|
||||
byte sk[32 * 4];
|
||||
/* First SHAKE-256 object. */
|
||||
wc_Shake shake;
|
||||
/* Second SHAKE-256 object. */
|
||||
wc_Shake shake2;
|
||||
/* Hash objects for SHAKE or SHA2. */
|
||||
union {
|
||||
struct {
|
||||
/* Primary SHAKE-256 object. */
|
||||
wc_Shake shake;
|
||||
/* Secondary SHAKE-256 object (T_l streaming). */
|
||||
wc_Shake shake2;
|
||||
} shk;
|
||||
#ifdef WOLFSSL_SLHDSA_SHA2
|
||||
struct {
|
||||
/* F, PRF (all cats) + H, T_l (cat 1). */
|
||||
wc_Sha256 sha256;
|
||||
/* T_l streaming (cat 1), H_msg scratch. */
|
||||
wc_Sha256 sha256_2;
|
||||
/* H, T_l (cats 3, 5). */
|
||||
wc_Sha512 sha512;
|
||||
/* H_msg streaming (cats 3, 5). */
|
||||
wc_Sha512 sha512_2;
|
||||
/* Pre-computed midstate: PK.seed || pad(64 - n). */
|
||||
wc_Sha256 sha256_mid;
|
||||
/* Pre-computed midstate: PK.seed || pad(128 - n). */
|
||||
wc_Sha512 sha512_mid;
|
||||
} sha2;
|
||||
#endif
|
||||
} hash;
|
||||
} SlhDsaKey;
|
||||
|
||||
WOLFSSL_API int wc_SlhDsaKey_Init(SlhDsaKey* key, enum SlhDsaParam param,
|
||||
@@ -344,6 +607,15 @@ WOLFSSL_API int wc_SlhDsaKey_Sign(SlhDsaKey* key, const byte* ctx,
|
||||
WOLFSSL_API int wc_SlhDsaKey_Verify(SlhDsaKey* key, const byte* ctx,
|
||||
byte ctxSz, const byte* msg, word32 msgSz, const byte* sig, word32 sigSz);
|
||||
|
||||
/* Internal interface: M' provided directly (no M' construction). */
|
||||
WOLFSSL_API int wc_SlhDsaKey_SignMsgDeterministic(SlhDsaKey* key,
|
||||
const byte* mprime, word32 mprimeSz, byte* sig, word32* sigSz);
|
||||
WOLFSSL_API int wc_SlhDsaKey_SignMsgWithRandom(SlhDsaKey* key,
|
||||
const byte* mprime, word32 mprimeSz, byte* sig, word32* sigSz,
|
||||
const byte* addRnd);
|
||||
WOLFSSL_API int wc_SlhDsaKey_VerifyMsg(SlhDsaKey* key, const byte* mprime,
|
||||
word32 mprimeSz, const byte* sig, word32 sigSz);
|
||||
|
||||
WOLFSSL_API int wc_SlhDsaKey_SignHashDeterministic(SlhDsaKey* key,
|
||||
const byte* ctx, byte ctxSz, const byte* msg, word32 msgSz,
|
||||
enum wc_HashType hashType, byte* sig, word32* sigSz);
|
||||
|
||||
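Review bot: The `wc_SlhDsaKey_SignMsgDeterministic`, `wc_SlhDsaKey_SignMsgWithRandom` and `wc_SlhDsaKey_VerifyMsg` prototypes are labelled `Internal interface` yet are exported with `WOLFSSL_API`, and they skip the `ctx`/domain-separation M' construction that `wc_SlhDsaKey_Sign`/`Verify` perform; FIPS 205 §9 states the internal sign/verify functions shall not be made available to applications other than for testing. Consider gating them behind a test-only build macro, or at minimum replace the one-line comment with one that says these take a caller-formatted M', bypass the FIPS 205 §10.2 M' construction, and are intended only for ACVP/KAT harnesses, not application use. `addRnd` in `wc_SlhDsaKey_SignMsgWithRandom` also has no length parameter, so the comment should state that it must be exactly n bytes for the key's parameter set. Earlier in this section `SLHDSA_IS_SHA2(p)` is defined as `((p) >= SLHDSA_SHA2_128S)`, which classifies any out-of-range id as SHA2; if `p` can originate from external input, bound it with `&& (p) <= SLHDSA_SHA2_256F`.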