wc_SlhDsaKey_{Sign,Verify}Hash* previously accepted the raw message and
performed the pre-hash internally. They now require the caller to hash the
message first and pass the resulting digest -- the functions no longer call
wc_*Hash() themselves and feed the supplied digest directly into the M'
construction. Parameters are renamed from msg/msgSz to hash/hashSz to reflect
this, and hashSz is validated against wc_HashGetDigestSize(hashType) per
FIPS 205 Section 10.2.2 (32 for SHAKE128, 64 for SHAKE256), returning
BAD_LENGTH_E on mismatch.
This matches ML-DSA's wc_dilithium_{sign,verify}_ctx_hash, NIST ACVP
signatureInterface=external / preHash=preHash vectors, and other libraries
(OpenSSL HASH-ML-DSA, leancrypto, mldsa-native). It also enables distributed
signers and HSM-style flows where the digest is computed separately from the
signing operation.
Migration: callers must now hash the message before invoking these APIs;
passing the raw message will either fail length validation or produce
signatures over the wrong input. The M'-supplied wc_SlhDsaKey_SignMsg* /
VerifyMsg family (FIPS 205 internal interface, Algorithms 19/20) is
unchanged but gains stricter input validation and doxygen coverage.
tests/api/test_mldsa.c: fix misplaced PRIVATE_KEY_UNLOCK() in dilithium_oneasymkey_version_check();
wolfcrypt/test/test.c: fix valgrind-detected "Conditional jump or move depends on uninitialised value(s)" in ecc_test_curve_size() negative test on all-zeros digest.
Copilot fixes:
- atmel.c: ATCA_ENABLE_DEPRECATED I2C path now uses ATECC_I2C_ADDR
instead of slave_address=1 (matches the non-deprecated path).
- atmel.c: capture and propagate atmel_createHandles() return value;
abort init via WC_HW_E if handle creation fails.
- atmel.h: include calib_aes_gcm.h with the same <calib/...> form used
for calib_command.h so a single -I (.../include or
.../include/cryptoauthlib) resolves both.
- configure.ac: drop the duplicated AM_CONDITIONAL([BUILD_CRYPTOAUTHLIB])
(kept only in the consolidated section near the end).
- settings.h: remove leftover commented-out '#ifdef WOLFSSL_ATECC508A'.
- benchmark.c: drop the broken TA100 wc_RsaSSL_Verify branch (it passed
message/enc as if they were sig/out).
- test.c: stop calling atmel_ecc_free() with the slot-TYPE enum
constants; wc_ecc_free(userA/userB) already releases the allocated
slots.
- ecc.c (microchip_curve_id_for_key): switch on key->dp->id, not size,
so SECP256K1 / BRAINPOOLP256R1 are not silently mapped to SECP256R1.
Helper is now defined for ATECC508A/608A as well, fixing the
TA100-only gating that broke ATECC builds.
- ecc.c (_ecc_make_key_ex): keep ATECC508A/608A's curve check at
SECP256R1-only (hardware does not support the wider curve set);
TA100 retains the multi-curve list.
Fenrir fixes:
- ecc.c (wc_ecc_init_ex): under TA100 + ALT_ECC_SIZE the pubkey x/y/z
pointers must be aimed at key->pubkey.xyz[] (with alt_fp_init) before
mp_init_multi - otherwise mp_init_multi dereferenced NULL.
- atmel.c (atmel_get_rev_info): check atcab_wakeup return and bail out
via atmel_ecc_translate_err before calling atcab_info.
- atmel.c (atmel_ecc_create_pms, TA100+ECDH_ENC): pass
MAP_TO_HANDLE(slotId) (the ephemeral private-key handle) into
talib_ecdh_compat instead of MAP_TO_HANDLE(slotIdEnc).
- atmel.c (wc_Microchip_rsa_create_key): on any failure after the first
talib_create_element succeeds, delete the previously created
handle(s) and clear rKeyH/uKeyH so device elements are not leaked.
- aes.c (wc_AesGcmEncrypt / wc_AesGcmDecrypt TA100 fast paths): replace
'(authInSz + sz) <= MAX' with bounds on each operand individually so
word32 wraparound cannot bypass the 996-byte hardware limit.
- rsa.c (RsaPrivateDecryptEx): drop the TA100 RSA_PUBLIC_DECRYPT
short-circuit. wc_Microchip_rsa_verify expects (digest, digestLen,
sig, sigLen, ...) and the verified flag must be honored; the proper
TA100 fast-path already lives in wc_RsaPSS_CheckPadding_ex2.
- atmel.c: restore the closing #endif for the outer
WOLFSSL_ATMEL/ATECC/TA100 block. The previous "duplicate
ATCA_TFLEX_SUPPORT" cleanup removed the real closer because the
trailing-comment was misleading, leaving the file with an
unterminated #if from line 35.
- ecc.c: drop !defined(WOLFSSL_MICROCHIP_TA100) from the guard around
wc_ecc_point_is_at_infinity. The function is generic
(mp_iszero(x) && mp_iszero(y)) and call sites in
_ecc_import_x963_ex2 and friends don't exclude TA100, so the
TA100 build was failing to link.