411 Commits

Author SHA1 Message Date
Daniel Pouzzner 64a0f384a4 Merge pull request #10780 from holtrop-wolfssl/rust-rename-dilithium-mldsa
Rust wrapper: rename dilithium to mldsa
2026-07-01 16:30:28 -05:00
Daniel Pouzzner 36437417b6 Merge pull request #10703 from holtrop-wolfssl/rust-validate-prefix-env-var
Rust wrapper: validate WOLFSSL_PREFIX in build.rs
2026-07-01 16:29:36 -05:00
Daniel Pouzzner a66b87b926 Merge pull request #10645 from holtrop-wolfssl/rust-ed-verify-result-codes
Rust wrapper: fix signature incorrect return value from Ed448 and Ed25519 verify functions.
2026-07-01 16:28:44 -05:00
David Garske 0cecccdf6e Merge pull request #10756 from SparkiDev/aes_asm_ymm_zmm
Intel x64 ASM: Add new assembly for AES
2026-06-25 21:41:17 -07:00
Josh Holtrop b6d962350d Rust wrapper: rename dilithium to mldsa 2026-06-25 10:31:44 -04:00
jordan 0fe21bbcd5 prepare for release 5.9.2 2026-06-24 12:01:51 -05:00
Sean Parkinson a342eba578 Intel x64 ASM: Add new assembly for AES
Support AES-XTS AVX512/VAES
Support AES-GCM AVX512/VAES
Support AES-ECB/CBC/CTR AVX512/VAES/AVX1/AES-NI.
Remove code from aes_asm.S/aes_asm.asm
Add CPU defines for AVX512 and VAES
Updated ASM files with new defines for AVX512.
Added support for printing out the new CPU Id flags in benchmark.
Added new files to Windows projects.
aes.c: Supports ECB/CBC/CTR in assembly. Supports calling AVX512/VAES assembly.
2026-06-23 20:54:59 +10:00
Josh Holtrop d523e463a5 Rust wrapper: validate WOLFSSL_PREFIX in build.rs 2026-06-16 15:22:04 -04:00
Daniel Pouzzner 0097739dd8 fixes for F-3325:
wolfcrypt/src/aes.c: enforce AES-XTS K1!=K2 constraint in wc_AesXtsSetKeyNoInit() unless WC_AES_XTS_ALLOW_DUPLICATE_KEYS and !HAVE_FIPS:

tests/api/test_aes.c: add negative tests to test_wc_AesXtsSetKey() for K1==K2;

wolfcrypt/test/test.c: fix keys in aes_xts_128_inplace_test() and aes_xts_192_inplace_test() so that K1!=K2, update test vectors, and remove associated !HAVE_FIPS gating;

linuxkm/lkcapi_aes_glue.c: synchronize aes_xts_128_test() test of ciphertext stealing in-place with wolfcrypt/test/test.c.

wrapper/rust/wolfssl-wolfcrypt/src/aes.rs: synchronize XTS streaming test with wolfcrypt/test/test.c.

linuxkm/: refactor self-test sensing with version-gated setup in linuxkm_wc_port.h and refactored gates in lkcapi_glue.c.
2026-06-11 15:38:28 -05:00
Josh Holtrop f8c86ce227 Rust wrapper: fix Ed25519/Ed448 signature verify failed return values 2026-06-09 11:31:25 -04:00
Josh Holtrop 243926f5da Update wolfssl-wolfcrypt Rust crate to v2.0.0 2026-06-08 10:14:24 -04:00
Josh Holtrop 226f96db33 Rust wrapper: add comments about label pointer casts in rsa.rs 2026-06-01 14:57:58 -04:00
Josh Holtrop b737370ac4 Rust wrapper: add new files to include.am 2026-05-29 14:51:50 -04:00
Josh Holtrop bdd70dd3e3 Rust wrapper: zeroize XTSStream.xtsaesstreamdata
Fix F-4467
2026-05-29 14:51:50 -04:00
Josh Holtrop 364e883941 Rust wrapper: handle MAC_CMP_FAILED_E from CMAC::verify{,_ex}()
Fix F-4468
2026-05-29 14:51:50 -04:00
Josh Holtrop 685a6632a9 Rust wrapper: zeroize mlkem_kem seeds after use 2026-05-29 14:51:50 -04:00
Josh Holtrop 904975d5a9 Rust wrapper: add null check for kid_ptr returned from C in Lms::get_kid() 2026-05-29 14:51:50 -04:00
Josh Holtrop e3f57d5f92 Rust wrapper: fix ParamInvalid error in hash_password_customized() 2026-05-29 14:51:50 -04:00
Josh Holtrop f7a5df3489 Rust wrapper: support older non-const RSA API in rsa_pkcs1v15.rs 2026-05-29 14:51:50 -04:00
Josh Holtrop 830aa7f7b6 Rust wrapper: fix CFB::encrypt1 and CFB::decrypt1 to take size in bits 2026-05-29 14:51:50 -04:00
Josh Holtrop 014925d37b Rust wrapper: Add RSA-OAEP API 2026-05-29 14:51:50 -04:00
Josh Holtrop 056d548467 Rust wrapper: add scrypt kdf support and scrypt_password_hash trait impl module 2026-05-29 14:51:50 -04:00
Josh Holtrop 8c11a8e028 Rust wrapper: gate RSA doc tests that use set_shared_rng() on alloc feature 2026-05-18 12:49:29 -07:00
Josh Holtrop 735d00d3d7 Rust wrapper: check slice lengths in ECC::import_unsigned 2026-05-18 12:40:17 -07:00
Josh Holtrop a2b9a24082 Rust wrapper: test more empty slices in test_ecc 2026-05-18 12:27:45 -07:00
Josh Holtrop 9696cf26eb Rust wrapper: use Rc instead of Arc for RNG references
WC_RNG has no internal locking so it is not safe to share a single
WC_RNG across threads without locking.
2026-05-18 12:27:45 -07:00
Josh Holtrop 67bb40be42 Rust wrapper: fix RSA::set_rng() doc test to actually call set_rng() 2026-05-18 12:27:45 -07:00
Josh Holtrop 5e65a12b62 Rust wrapper: drop mut from rng in ecc doc tests 2026-05-18 12:27:45 -07:00
Josh Holtrop 076144cd9c Rust wrapper: avoid double wc_ecc_init_ex() call 2026-05-18 12:27:45 -07:00
Josh Holtrop f6e279ab42 Rust wrapper: test for null-terminated C-style strings in ECC import_raw APIs 2026-05-18 12:27:45 -07:00
Josh Holtrop 0117baf011 Rust wrapper: document wolfSSL version requirement 2026-05-18 12:27:45 -07:00
Josh Holtrop 93db87e4ed Rust wrapper: remove outdated set_rng safety contract comments 2026-05-18 12:27:45 -07:00
Josh Holtrop 5a45fabb0d Rust wrapper: add blake2_digest module 2026-05-18 12:27:45 -07:00
Josh Holtrop cfc600977a Rust wrapper: add blake2_mac module 2026-05-18 12:27:45 -07:00
Josh Holtrop d88d5702e5 Rust wrapper: implement Clone for HMAC types 2026-05-18 12:27:45 -07:00
Josh Holtrop b3aa7ef260 Rust wrapper: add Aes192Ccm and Aes192Gcm 2026-05-18 12:27:45 -07:00
Josh Holtrop 4ed0a0a90d Rust wrapper: store pointer to C ECC key struct instead of instance
This fixes internal pointers breaking if Rust moves the ECC struct (with
some build configurations).
2026-05-18 12:27:45 -07:00
Josh Holtrop 54cb1d8d38 Rust wrapper: ensure memory safety for C RNG struct
- store pointer to WC_RNG instead of full struct
- enforce RNG is not dropped before consumer structs

The C library stores a pointer via the set_rng() methods on a few
structs (e.g. RSA). This change holds a reference (or instance) of RNG
within the consumer structs to ensure it is kept alive if set_rng (or
now set_shared_rng) is used.
2026-05-18 12:27:44 -07:00
Tobias Frauenschläger 2832df2139 Update C# wrapper to new ML-DSA names 2026-05-16 09:48:35 -05:00
Tobias Frauenschläger fb6b62dd8e Rename Dilithium to canonical ML-DSA (FIPS 204) names
NIST standardized the pre-standardization Dilithium signature scheme as
ML-DSA in FIPS 204. Migrate the provider's user-visible surface to
canonical spellings, with a temporary shim that preserves source-level
backward compatibility for existing consumers.

Renames
-------
* File: wolfcrypt/src/dilithium.c -> wolfcrypt/src/wc_mldsa.c
* New canonical header: wolfssl/wolfcrypt/wc_mldsa.h
* Types: dilithium_key -> MlDsaKey, wc_dilithium_params -> MlDsaParams
* Functions: wc_dilithium_* / wc_Dilithium_* -> wc_MlDsaKey_*
* Build gates: HAVE_DILITHIUM -> WOLFSSL_HAVE_MLDSA,
  WOLFSSL_DILITHIUM_* / WC_DILITHIUM_* -> WOLFSSL_MLDSA_* / WC_MLDSA_*
* Configure flag: --enable-mldsa (legacy --enable-dilithium still works)
* CMake option: WOLFSSL_MLDSA (legacy WOLFSSL_DILITHIUM emits a
  DEPRECATION message)

Backward compatibility
----------------------
wolfssl/wolfcrypt/dilithium.h is now a temporary compatibility shim:
* Forward-translates legacy build gates to canonical (the two sub-gates
  read by certs_test.h are translated in settings.h so the auto-generated
  header is reachable without including dilithium.h; the remainder lives
  in dilithium.h itself).
* Reverse-translates canonical gates back to legacy so unmigrated
  consumer code keying off HAVE_DILITHIUM / WOLFSSL_DILITHIUM_* keeps
  compiling.
* Provides macro / static-inline aliases for the legacy type and
  function names so source-level callers compile unchanged. Sets
  WC_DILITHIUMKEY_TYPE_DEFINED to suppress strict-C99 typedef
  redefinition in asn_public.h.

Two opt-outs are honored: WOLFSSL_NO_DILITHIUM_LEGACY_GATES disables
build-gate translation; WOLFSSL_NO_DILITHIUM_LEGACY_NAMES disables the
symbol aliases. Both are temporary and the shim will be removed in a
future release. doc/dilithium-to-mldsa-migration.md describes the
migration path for downstream consumers.

ABI note
--------
The library now exports wc_MlDsaKey_* instead of wc_dilithium_*.
Pre-built binaries that linked against the legacy symbols need to
recompile against the shim header (which resolves to the new symbols at
compile time) or migrate to the canonical names directly. Source code
keeps building unchanged.

Other changes
-------------
* wolfssl/wolfcrypt/memory.h: drop ML-DSA sub-gate branching for static
  memory pool sizing; WOLFSSL_HAVE_MLDSA builds now pick the larger
  LARGEST_MEM_BUCKET / WOLFMEM_BUCKETS / WOLFMEM_DIST unconditionally.
  Override these macros for small-mem builds.
* gencertbuf.pl + wolfssl/certs_test.h: outer guards migrated to the
  canonical WOLFSSL_HAVE_MLDSA spelling.
* tests/api/test_mldsa.c: adds compile-time API surface validators
  (canonical wc_MlDsaKey_* surface plus legacy alias surface) so
  signature drift produces a build error during make check.
* IDE files (Xcode, INTIME-RTOS, WIN10, VS2022, CSharp wrapper), Zephyr
  CMakeLists.txt, and autotools include.am updated for the rename.
* DYNAMIC_TYPE_DILITHIUM and ML_DSA_PCT_E retained as internal symbols;
  scheduled to be renamed alongside the eventual shim removal.
2026-05-16 09:48:35 -05:00
Sean Parkinson 69027c2445 LMS: fixes and improvements
Remove WC_LMS_PARM_NONE as it serves no purpose.
Change sig_len from a 16-bit value to a 32-bit value in the parameters.
Added wc_LmsKey_SetParameters_ex() and wc_LmsKey_GetParameters_ex() to
handle hash algorithm.
Change mass ForceZeros to smaller amounts with XMEMSET and setting to
NULL or default valus.
Allow signing of empty message.
Other minor fixes.

Fix API tests to work when WOLFSSL_LMS_MAX_HEIGHT/WOLFSSL_LMS_MAX_LEVELS
are/is defined.
2026-05-11 16:18:12 +10:00
David Garske 63bda771fe Merge pull request #10305 from holtrop-wolfssl/rust-crate-updates
Rust wrapper: add password-hash, kem, mac traits; fix a few Fenrir findings
2026-05-05 12:05:29 -07:00
Tobias Frauenschläger 9393d62591 Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test
certificates plus TLS 1.3 .conf scenarios that exercise the new
verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA
certificates signed with SLH-DSA, certificate signature verification
against an SLH-DSA root. TLS 1.3 entity authentication via
CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and
NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families
across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer,
  PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing
  4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested
  wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode
  and wc_Dilithium_PublicKeyDecode so callers (notably
  wolfssl_x509_make_der and ConfirmSignature, which pass the raw
  BIT STRING contents stashed by StoreKey) decode correctly. Honours
  the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/
  inOutIdx and only ForceZero the buffer half each helper actually
  writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import
  sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The
  pre-standardization OID-collision mechanism is removed since NIST
  OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN
  (rather than -1) for recognised SLH-DSA OIDs whose parameter set
  isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch
  surfaces this as a precise diagnostic instead of the generic
  "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is
  compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes
  alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and
  SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44
  entity keys (server + client), plus the gen script
  (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch:
  test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a
  wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der
  fixtures regenerated with wolfSSL's own encoder so the codec is
  pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw
  PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and
  Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment
  for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources,
  headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and
  certs_test.h; the .der files on disk drive the decode tests.
2026-04-30 18:32:07 +02:00
Tobias Frauenschläger 7a2cf5b655 Remove liboqs for ML-KEM and ML-DSA, update for Falcon 2026-04-30 11:03:06 +02:00
Josh Holtrop b38d7bf630 Rust wrapper: guard sha384 pbkdf2 unit test 2026-04-28 13:49:16 -04:00
Josh Holtrop 1e35f94f04 Rust wrapper: guard a couple unit tests that require sha512 2026-04-28 11:08:09 -04:00
Josh Holtrop 81435c8a01 Rust wrapper: restrict RNG generic type parameters to be integers
Fixes F-3350
2026-04-28 11:08:09 -04:00
Josh Holtrop 6bb8f8f5cd Rust wrapper: address Copilot review comments 2026-04-28 11:08:09 -04:00
Josh Holtrop ca3c779182 Rust wrapper: use consistent rc check in ECC::shared_secret
Fixes F-2676
2026-04-28 11:08:09 -04:00
Josh Holtrop cf199c9ab8 Rust wrapper: replace Lms::sigs_left() with Lms::has_sigs_left()
Fixes F-3094
2026-04-28 11:08:08 -04:00