Commit Graph

370 Commits

Author SHA1 Message Date
David Garske 63bda771fe Merge pull request #10305 from holtrop-wolfssl/rust-crate-updates
Rust wrapper: add password-hash, kem, mac traits; fix a few Fenrir findings
2026-05-05 12:05:29 -07:00
Tobias Frauenschläger 9393d62591 Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test
certificates plus TLS 1.3 .conf scenarios that exercise the new
verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA
certificates signed with SLH-DSA, certificate signature verification
against an SLH-DSA root. TLS 1.3 entity authentication via
CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and
NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families
across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer,
  PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing
  4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested
  wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode
  and wc_Dilithium_PublicKeyDecode so callers (notably
  wolfssl_x509_make_der and ConfirmSignature, which pass the raw
  BIT STRING contents stashed by StoreKey) decode correctly. Honours
  the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/
  inOutIdx and only ForceZero the buffer half each helper actually
  writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import
  sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The
  pre-standardization OID-collision mechanism is removed since NIST
  OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN
  (rather than -1) for recognised SLH-DSA OIDs whose parameter set
  isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch
  surfaces this as a precise diagnostic instead of the generic
  "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is
  compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes
  alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and
  SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44
  entity keys (server + client), plus the gen script
  (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch:
  test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a
  wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der
  fixtures regenerated with wolfSSL's own encoder so the codec is
  pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw
  PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and
  Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment
  for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources,
  headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and
  certs_test.h; the .der files on disk drive the decode tests.
2026-04-30 18:32:07 +02:00
Tobias Frauenschläger 7a2cf5b655 Remove liboqs for ML-KEM and ML-DSA, update for Falcon 2026-04-30 11:03:06 +02:00
Josh Holtrop b38d7bf630 Rust wrapper: guard sha384 pbkdf2 unit test 2026-04-28 13:49:16 -04:00
Josh Holtrop 1e35f94f04 Rust wrapper: guard a couple unit tests that require sha512 2026-04-28 11:08:09 -04:00
Josh Holtrop 81435c8a01 Rust wrapper: restrict RNG generic type parameters to be integers
Fixes F-3350
2026-04-28 11:08:09 -04:00
Josh Holtrop 6bb8f8f5cd Rust wrapper: address Copilot review comments 2026-04-28 11:08:09 -04:00
Josh Holtrop ca3c779182 Rust wrapper: use consistent rc check in ECC::shared_secret
Fixes F-2676
2026-04-28 11:08:09 -04:00
Josh Holtrop cf199c9ab8 Rust wrapper: replace Lms::sigs_left() with Lms::has_sigs_left()
Fixes F-3094
2026-04-28 11:08:08 -04:00
Josh Holtrop 135110232f Rust wrapper: make ECC::verify_hash C result check more strict
Fixes F-1989
2026-04-28 11:08:08 -04:00
Josh Holtrop 40bc5d09f7 Rust wrapper: remove return value from MlKem::encode_{public,private}_key()
Fixes F-3093
2026-04-28 11:08:08 -04:00
Josh Holtrop 0cddbb25b2 Rust wrapper: check for NUL-terminated slice in ECC::rs_hex_to_sig
Fixes F-3092
2026-04-28 11:08:08 -04:00
Josh Holtrop 79358fea80 Rust wrapper: add mac feature and implement digest/mac traits 2026-04-28 11:08:08 -04:00
Josh Holtrop 84f8b5fa13 Rust wrapper: implement kem traits 2026-04-28 11:08:08 -04:00
Josh Holtrop c08c16ee8f Rust wrapper: implement password-hash traits 2026-04-28 11:08:08 -04:00
JacobBarthelmeh 1da353b516 Merge pull request #10248 from holtrop-wolfssl/rust-digest-signature
Rust wrapper: add digest and signature crate trait implementations
2026-04-24 11:15:40 -06:00
Josh Holtrop 9c506896c6 Rust wrapper: add doc comment for MAX_E_LEN 2026-04-22 00:23:02 -04:00
Josh Holtrop d5957e6247 Rust wrapper: tweak wc_RsaFlattenPublicKey error message in RSA SigningKey::verifying_key() 2026-04-22 00:19:59 -04:00
Josh Holtrop a2b1f580c6 Rust wrapper: add buffer size checks in Rust wrapper for ChaCha20_Poly1305 one-shot encrypt/decrypt wrappers 2026-04-20 13:58:36 -04:00
Josh Holtrop e8ae1536af Mark sha_digest module public 2026-04-20 08:58:21 -04:00
Josh Holtrop fccced4935 Rust wrapper: verify RSA lengths in verifying_key() 2026-04-20 08:57:41 -04:00
Josh Holtrop 3ca90b1904 Rust wrapper: add signature implementations 2026-04-17 15:52:07 -04:00
Josh Holtrop 7f33de0882 Rust wrapper: add digest implementations 2026-04-17 15:52:07 -04:00
Josh Holtrop 4f31ff95f7 Rust wrapper: require fixed length index buffers for SRTP/SRTCP 2026-04-15 11:36:02 -04:00
Josh Holtrop 4fb4b3c0c8 Rust wrapper: test BLAKE2 finalize() returns error for empty output buffer 2026-04-14 20:50:08 -04:00
Josh Holtrop ca362a4e8f Rust wrapper: also check usize to u32 conversions for digest_size 2026-04-14 20:50:08 -04:00
Josh Holtrop e1a01926bc Rust wrapper: check length returned by Lms.get_kid() in unit test 2026-04-14 20:50:08 -04:00
Josh Holtrop 15ac0718a3 Rust wrapper: make zeroize functions private 2026-04-14 20:50:08 -04:00
Josh Holtrop 2f94121078 Rust wrapper: require caller supplied buffer for Lms.get_kid()
Fixes F-1073.
2026-04-14 20:50:08 -04:00
Josh Holtrop 10fbc95241 Rust wrapper: add comment to MlKem about not implementing Send/Sync
Fixes F-1072.
2026-04-14 20:50:08 -04:00
Josh Holtrop 85ad08a50a Rust wrapper: avoid as_ptr() to *mut u8 casts
Fixes F-1065.
2026-04-14 20:50:08 -04:00
Josh Holtrop 884b882afe Rust wrapper: remove generic types for AES buffers
Fixes F-1071.
This is an API-breaking change, so will lead to a new crate major
version.
2026-04-14 20:50:08 -04:00
Josh Holtrop db1aab959c Rust wrapper: zeroize structs on drop 2026-04-14 20:50:08 -04:00
Josh Holtrop f1a041a216 Rust wrapper: add zeroizing Drop impl for ChaCha20Poly1305
Fix F-1069
2026-04-14 20:50:08 -04:00
Josh Holtrop 2c981d67e6 Rust wrapper: check all buffer lengths when converting to u32/i32
Fix F-1068
2026-04-14 20:50:08 -04:00
Josh Holtrop f00636919e Rust wrapper: check kdr_index range in srtp_kdf() and srtcp_kdf()
Fix F-1257
2026-04-14 20:50:08 -04:00
Josh Holtrop 5c10fe9a58 Rust wrapper: BLAKE2: check for non-empty hash buffer in finalize()
This is related to F-1070 but not the same. We do not need to check
that hash_size being passed in matches the initialized digest size
because the C function will use the passed-in size as long as it is
non-zero.
2026-04-14 20:50:08 -04:00
Josh Holtrop 56c20aeda0 Rust wrapper: dilithium: remove unnecessary size define presence checks
Fix F-1256
2026-04-14 20:50:08 -04:00
Josh Holtrop 5959aa2b58 Rust wrapper: ed448: add check for context buffers too long
Fix F-1064
2026-04-14 20:50:08 -04:00
Josh Holtrop 4f42ba9aa7 Rust wrapper: ed25519: add check for context buffers too long
Fix F-1063
2026-04-14 20:50:08 -04:00
Josh Holtrop 337dfc323e Rust wrapper: avoid uninitialized sys::XtsAesStreamData
Fix F-1066
2026-04-14 20:50:08 -04:00
Josh Holtrop 9843f0365a Rust wrapper: avoid creating a MaybeUninit<RNG>
Fix F-1067
2026-04-14 20:50:08 -04:00
Josh Holtrop a8fa845fa9 Rust wrapper: ecc: fix possible resource leak in some error cases
Fix F-1062.

If wolfSSL returns an error after initializing ECC struct with
wc_ecc_init_ex(), wc_ecc_free() might not have been called in all cases.

Move construction of the ECC struct earlier ahead of further wolfSSL
calls after wc_ecc_init_ex() so if those subsequent wolfSSL calls return
an error the Drop impl for ECC will be called to deinitialize.
2026-04-14 20:50:07 -04:00
David Garske d692f99631 More peer review fixes (Use ML-DSA naming) 2026-04-13 15:55:31 -07:00
David Garske 5f124a9ae9 Peer review fixes 2026-04-13 15:30:58 -07:00
David Garske 72c57dc127 Improvements to C# PQC 2026-04-13 15:30:57 -07:00
Masaki Iwai 21be3776bd add ML-KEM/ML-DSA support for C# wrapper 2026-04-13 15:29:57 -07:00
Sean Parkinson 9176185d66 Merge pull request #10171 from dgarske/hpke_csharp
Add HPKE (RFC 9180) C# wrapper
2026-04-14 08:27:03 +10:00
David Garske c4e7198686 Merge pull request #10070 from holtrop-wolfssl/rust-rand_core-aead-cipher
Rust wrapper: add rand_core, aead, cipher trait implementations
2026-04-13 10:00:26 -07:00
David Garske a82583d50b Add HPKE (RFC 9180) C# wrapper and test 2026-04-12 14:50:11 -07:00