wc_SlhDsaKey_{Sign,Verify}Hash* previously accepted the raw message and
performed the pre-hash internally. They now require the caller to hash the
message first and pass the resulting digest -- the functions no longer call
wc_*Hash() themselves and feed the supplied digest directly into the M'
construction. Parameters are renamed from msg/msgSz to hash/hashSz to reflect
this, and hashSz is validated against wc_HashGetDigestSize(hashType) per
FIPS 205 Section 10.2.2 (32 for SHAKE128, 64 for SHAKE256), returning
BAD_LENGTH_E on mismatch.
This matches ML-DSA's wc_dilithium_{sign,verify}_ctx_hash, NIST ACVP
signatureInterface=external / preHash=preHash vectors, and other libraries
(OpenSSL HASH-ML-DSA, leancrypto, mldsa-native). It also enables distributed
signers and HSM-style flows where the digest is computed separately from the
signing operation.
Migration: callers must now hash the message before invoking these APIs;
passing the raw message will either fail length validation or produce
signatures over the wrong input. The M'-supplied wc_SlhDsaKey_SignMsg* /
VerifyMsg family (FIPS 205 internal interface, Algorithms 19/20) is
unchanged but gains stricter input validation and doxygen coverage.
tests/api/test_mldsa.c: fix misplaced PRIVATE_KEY_UNLOCK() in dilithium_oneasymkey_version_check();
wolfcrypt/test/test.c: fix valgrind-detected "Conditional jump or move depends on uninitialised value(s)" in ecc_test_curve_size() negative test on all-zeros digest.
Copilot fixes:
- atmel.c: ATCA_ENABLE_DEPRECATED I2C path now uses ATECC_I2C_ADDR
instead of slave_address=1 (matches the non-deprecated path).
- atmel.c: capture and propagate atmel_createHandles() return value;
abort init via WC_HW_E if handle creation fails.
- atmel.h: include calib_aes_gcm.h with the same <calib/...> form used
for calib_command.h so a single -I (.../include or
.../include/cryptoauthlib) resolves both.
- configure.ac: drop the duplicated AM_CONDITIONAL([BUILD_CRYPTOAUTHLIB])
(kept only in the consolidated section near the end).
- settings.h: remove leftover commented-out '#ifdef WOLFSSL_ATECC508A'.
- benchmark.c: drop the broken TA100 wc_RsaSSL_Verify branch (it passed
message/enc as if they were sig/out).
- test.c: stop calling atmel_ecc_free() with the slot-TYPE enum
constants; wc_ecc_free(userA/userB) already releases the allocated
slots.
- ecc.c (microchip_curve_id_for_key): switch on key->dp->id, not size,
so SECP256K1 / BRAINPOOLP256R1 are not silently mapped to SECP256R1.
Helper is now defined for ATECC508A/608A as well, fixing the
TA100-only gating that broke ATECC builds.
- ecc.c (_ecc_make_key_ex): keep ATECC508A/608A's curve check at
SECP256R1-only (hardware does not support the wider curve set);
TA100 retains the multi-curve list.
Fenrir fixes:
- ecc.c (wc_ecc_init_ex): under TA100 + ALT_ECC_SIZE the pubkey x/y/z
pointers must be aimed at key->pubkey.xyz[] (with alt_fp_init) before
mp_init_multi - otherwise mp_init_multi dereferenced NULL.
- atmel.c (atmel_get_rev_info): check atcab_wakeup return and bail out
via atmel_ecc_translate_err before calling atcab_info.
- atmel.c (atmel_ecc_create_pms, TA100+ECDH_ENC): pass
MAP_TO_HANDLE(slotId) (the ephemeral private-key handle) into
talib_ecdh_compat instead of MAP_TO_HANDLE(slotIdEnc).
- atmel.c (wc_Microchip_rsa_create_key): on any failure after the first
talib_create_element succeeds, delete the previously created
handle(s) and clear rKeyH/uKeyH so device elements are not leaked.
- aes.c (wc_AesGcmEncrypt / wc_AesGcmDecrypt TA100 fast paths): replace
'(authInSz + sz) <= MAX' with bounds on each operand individually so
word32 wraparound cannot bypass the 996-byte hardware limit.
- rsa.c (RsaPrivateDecryptEx): drop the TA100 RSA_PUBLIC_DECRYPT
short-circuit. wc_Microchip_rsa_verify expects (digest, digestLen,
sig, sigLen, ...) and the verified flag must be honored; the proper
TA100 fast-path already lives in wc_RsaPSS_CheckPadding_ex2.
- atmel.c: restore the closing #endif for the outer
WOLFSSL_ATMEL/ATECC/TA100 block. The previous "duplicate
ATCA_TFLEX_SUPPORT" cleanup removed the real closer because the
trailing-comment was misleading, leaving the file with an
unterminated #if from line 35.
- ecc.c: drop !defined(WOLFSSL_MICROCHIP_TA100) from the guard around
wc_ecc_point_is_at_infinity. The function is generic
(mp_iszero(x) && mp_iszero(y)) and call sites in
_ecc_import_x963_ex2 and friends don't exclude TA100, so the
TA100 build was failing to link.
Wire the stateful hash-based signature schemes HSS/LMS (RFC 8554) and
XMSS / XMSS^MT (RFC 8391) into the X.509 cert-verification path per
RFC 9802.
asn:
- Register id-alg-hss-lms-hashsig (1.2.840.113549.1.9.16.3.17),
id-alg-xmss-hashsig (1.3.6.1.5.5.7.6.34) and id-alg-xmssmt-hashsig
(1.3.6.1.5.5.7.6.35) in oid_sum.h, asn.c and asn1_oid_sum.pl.
- Plumb the new keyOIDs through GetCertKey, SigOidMatchesKeyOid,
HashForSignature, FreeSignatureCtx and ConfirmSignature so leaf
and CA certificates parse, load and verify end-to-end.
- Rename IsSigAlgoECC -> IsSigAlgoNoParams; the function has tested
"AlgorithmIdentifier omits NULL parameters" since PQC algos were
added, and HSS/LMS + XMSS only made the original name more
misleading.
wc_lms / wc_xmss:
- Add wc_XmssKey_ImportPubRaw_ex which derives parameters from the
4-byte OID prefix at the start of the raw public key, taking an
is_xmssmt hint to disambiguate the overlapping XMSS / XMSS^MT OID
spaces.
- Extend wc_LmsKey_ImportPubRaw with the same auto-derive from
u32str(L) || lmsType || lmOtsType when key->params is NULL; this
also fixes a latent NULL-deref when the legacy precondition was
violated.
- Reject WC_*_STATE_OK in both ImportPubRaw paths so re-importing
on a private-key-loaded handle can't desync priv/pub.
- Tighten wc_XmssKey_Verify's length check to strict equality,
matching wc_LmsKey_Verify and the documented contract of using
wc_XmssKey_GetSigLen for the buffer size.
tests / fixtures:
- Bouncy Castle 1.81 fixtures in certs/lms and certs/xmss covering
every supported parameter set, plus CA->leaf chains per family
and one BC-native LMS fixture as a cross-impl interop gate.
- New api tests verify each fixture end-to-end, tamper TBS and
signature bytes, exercise the wolfCrypt-level negative paths
(NOT_COMPILED_IN, BUFFER_E, BAD_FUNC_ARG, BAD_STATE_E, OID/family
mismatch, partial-write invariants, lenient VERIFYONLY re-import,
strict sigLen check) and confirm the outer signatureAlgorithm
OID is rejected when it disagrees with the SPKI in both
XMSS<->XMSS^MT directions.
wolfcrypt/src/asn.c, wolfssl/wolfcrypt/asn.h, src/ssl.c, wolfssl/ssl.h: move wolfssl_local_IsValidFQDN() from ASN.1 layer (where it has no users and is gated out in lean PSK builds) to TLS layer (where its users are);
scripts/crl-revoked.test: use `cp --symbolic-link` opportunistically but fall back to `cp -p`.