Commit Graph

95 Commits

Author SHA1 Message Date
David Garske 10e2afa20a Merge pull request #10595 from miyazakh/f5381_RSASSA-PSS_trailerField
f5381 enforce trailerField==1 in DecodeRsaPssParams
2026-06-10 10:05:22 -07:00
Hideki Miyazaki 7d74caac6d Addressed review comments 2026-06-10 07:02:46 +09:00
Ruby Martin 08a7c4590e Remove CheckOcspResponderChain and related references. Function is not compliant with RFC 6960, 4.2.2.2.
remove unused vp parameter

Update ChangeLog.md to include OCSP responder change
2026-06-02 16:20:32 -06:00
Tobias Frauenschläger fb6b62dd8e Rename Dilithium to canonical ML-DSA (FIPS 204) names
NIST standardized the pre-standardization Dilithium signature scheme as
ML-DSA in FIPS 204. Migrate the provider's user-visible surface to
canonical spellings, with a temporary shim that preserves source-level
backward compatibility for existing consumers.

Renames
-------
* File: wolfcrypt/src/dilithium.c -> wolfcrypt/src/wc_mldsa.c
* New canonical header: wolfssl/wolfcrypt/wc_mldsa.h
* Types: dilithium_key -> MlDsaKey, wc_dilithium_params -> MlDsaParams
* Functions: wc_dilithium_* / wc_Dilithium_* -> wc_MlDsaKey_*
* Build gates: HAVE_DILITHIUM -> WOLFSSL_HAVE_MLDSA,
  WOLFSSL_DILITHIUM_* / WC_DILITHIUM_* -> WOLFSSL_MLDSA_* / WC_MLDSA_*
* Configure flag: --enable-mldsa (legacy --enable-dilithium still works)
* CMake option: WOLFSSL_MLDSA (legacy WOLFSSL_DILITHIUM emits a
  DEPRECATION message)

Backward compatibility
----------------------
wolfssl/wolfcrypt/dilithium.h is now a temporary compatibility shim:
* Forward-translates legacy build gates to canonical (the two sub-gates
  read by certs_test.h are translated in settings.h so the auto-generated
  header is reachable without including dilithium.h; the remainder lives
  in dilithium.h itself).
* Reverse-translates canonical gates back to legacy so unmigrated
  consumer code keying off HAVE_DILITHIUM / WOLFSSL_DILITHIUM_* keeps
  compiling.
* Provides macro / static-inline aliases for the legacy type and
  function names so source-level callers compile unchanged. Sets
  WC_DILITHIUMKEY_TYPE_DEFINED to suppress strict-C99 typedef
  redefinition in asn_public.h.

Two opt-outs are honored: WOLFSSL_NO_DILITHIUM_LEGACY_GATES disables
build-gate translation; WOLFSSL_NO_DILITHIUM_LEGACY_NAMES disables the
symbol aliases. Both are temporary and the shim will be removed in a
future release. doc/dilithium-to-mldsa-migration.md describes the
migration path for downstream consumers.

ABI note
--------
The library now exports wc_MlDsaKey_* instead of wc_dilithium_*.
Pre-built binaries that linked against the legacy symbols need to
recompile against the shim header (which resolves to the new symbols at
compile time) or migrate to the canonical names directly. Source code
keeps building unchanged.

Other changes
-------------
* wolfssl/wolfcrypt/memory.h: drop ML-DSA sub-gate branching for static
  memory pool sizing; WOLFSSL_HAVE_MLDSA builds now pick the larger
  LARGEST_MEM_BUCKET / WOLFMEM_BUCKETS / WOLFMEM_DIST unconditionally.
  Override these macros for small-mem builds.
* gencertbuf.pl + wolfssl/certs_test.h: outer guards migrated to the
  canonical WOLFSSL_HAVE_MLDSA spelling.
* tests/api/test_mldsa.c: adds compile-time API surface validators
  (canonical wc_MlDsaKey_* surface plus legacy alias surface) so
  signature drift produces a build error during make check.
* IDE files (Xcode, INTIME-RTOS, WIN10, VS2022, CSharp wrapper), Zephyr
  CMakeLists.txt, and autotools include.am updated for the rename.
* DYNAMIC_TYPE_DILITHIUM and ML_DSA_PCT_E retained as internal symbols;
  scheduled to be renamed alongside the eventual shim removal.
2026-05-16 09:48:35 -05:00
Tobias Frauenschläger bec6c0fef2 SLH-DSA fixes
Follow up to PR #10450 with some minor fixes:

* FIPS 205 numbering: slh_sign is §10.2.1 Alg 22; slh_verify is Alg 24;
  hash_slh_verify is Alg 25 (impl comments and doxygen).
* Widen wc_SlhDsaKey_SignHashWithRandom's addRnd to const byte* to
  match wc_SlhDsaKey_SignWithRandom.
* Make the SLHDSA_PHMSG_MAX_LEN invariant explicit with a named
  SLHDSA_LARGEST_APPROVED_PHM_LEN constant and a wc_static_assert.
* SHAKE128/SHAKE256 round-trip and length-rejection coverage for both
  SignHash and VerifyHash.
* Doxygen: briefs for the five DER encode/decode APIs; accurate
  decoder failure-rollback wording; tighter return-code lists for
  Verify and VerifyMsg.
* ChangeLog: silent-failure caveat for raw messages whose length
  happens to equal the digest size of the chosen hashType.
2026-05-12 13:24:24 +02:00
Tobias Frauenschläger f16216e5b8 HashSLH-DSA APIs now take the pre-hashed digest, not the raw message
wc_SlhDsaKey_{Sign,Verify}Hash* previously accepted the raw message and
performed the pre-hash internally. They now require the caller to hash the
message first and pass the resulting digest -- the functions no longer call
wc_*Hash() themselves and feed the supplied digest directly into the M'
construction. Parameters are renamed from msg/msgSz to hash/hashSz to reflect
this, and hashSz is validated against wc_HashGetDigestSize(hashType) per
FIPS 205 Section 10.2.2 (32 for SHAKE128, 64 for SHAKE256), returning
BAD_LENGTH_E on mismatch.

This matches ML-DSA's wc_dilithium_{sign,verify}_ctx_hash, NIST ACVP
signatureInterface=external / preHash=preHash vectors, and other libraries
(OpenSSL HASH-ML-DSA, leancrypto, mldsa-native). It also enables distributed
signers and HSM-style flows where the digest is computed separately from the
signing operation.

Migration: callers must now hash the message before invoking these APIs;
passing the raw message will either fail length validation or produce
signatures over the wrong input. The M'-supplied wc_SlhDsaKey_SignMsg* /
VerifyMsg family (FIPS 205 internal interface, Algorithms 19/20) is
unchanged but gains stricter input validation and doxygen coverage.
2026-05-11 10:14:13 +02:00
Sameeh Jubran ba51fbd30b Zero TLS 1.3 traffic keys after AES SE offload
When WOLF_CRYPTO_CB_AES_SETKEY is enabled and a CryptoCB callback
imports the AES key into a Secure Element (aes->devCtx != NULL), the
TLS-layer copy in keys->{client,server}_write_key has no further
consumer: the software key schedule is not populated on offload.
ForceZero it in SetKeysSide() per provisioned side.

The static IVs (keys->{client,server}_write_IV and
keys->aead_{enc,dec}_imp_IV) are left intact because BuildTls13Nonce()
reads aead_{enc,dec}_imp_IV on every record (RFC 8446 Section 5.3).

Scope: TLS 1.3, non-DTLS, non-QUIC. DTLS 1.3 needs the write keys
in Dtls13EpochCopyKeys; TLS 1.2 needs them for rehandshake; QUIC is
untouched pending audit.

Add two memio tests (test_wc_CryptoCb_Tls13_Key_{Zero_After_Offload,
No_Zero_Without_Offload}) that pin AES-GCM and check key / IV state
after the handshake and a KeyUpdate round.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-04-20 10:45:23 +03:00
JacobBarthelmeh 43f06851f1 update changelog notes 2026-04-09 20:45:59 -06:00
JacobBarthelmeh 719e98f717 prepare for release 5.9.1 2026-04-08 07:34:41 -06:00
JacobBarthelmeh 396d0719cd minor formatting fixes to changelog 2026-03-20 12:07:39 -06:00
JacobBarthelmeh 1df1236230 remove trailing white space in ChangeLog.md 2026-03-18 21:17:26 -06:00
JacobBarthelmeh a08fa98adc prepare for release 5.9.0 2026-03-18 16:18:12 -06:00
JacobBarthelmeh 1d448ec3b4 public disclosure of CVE-2025-13912 2025-12-11 10:22:22 -07:00
JacobBarthelmeh ab98c150c6 prepare for release 5.8.4 2025-11-20 10:57:50 -07:00
Eric Blankenhorn 6ab6634efc Fix markdown in docs 2025-08-25 09:28:08 -05:00
JacobBarthelmeh 3759c6f1a1 fix changelog formatting 2025-07-22 09:21:26 -06:00
JacobBarthelmeh c34e6ab8d9 prepare for release 5.8.2 2025-07-17 10:26:19 -06:00
JacobBarthelmeh e4cb69caef remove trailing space character in changelog 2025-04-24 12:20:23 -07:00
JacobBarthelmeh 9be6a81bab prepare for release 5.8.0 2025-04-24 10:41:40 -07:00
JacobBarthelmeh 70e41d1ed1 prepare for release 5.7.6 2024-12-31 08:27:53 -07:00
JacobBarthelmeh 8c5e188dd4 remove trailing white space in README 2024-10-24 13:04:00 -06:00
JacobBarthelmeh 8604024b95 prepare for release 5.7.4 2024-10-24 11:32:33 -06:00
JacobBarthelmeh 4893017005 feature support will be listed in the next release notes 2024-09-25 15:54:59 -06:00
Joshua Okeleke 337456cc1e Add support for (DevkitPro)libnds 2024-09-18 21:27:53 +02:00
Daniel Pouzzner a3fb5029f8 clean up trailing whitespace and misplaced CRLFs, add missing final newlines, remove stray UTF8 nonprintables (BOMs) and ASCIIfy stray homoglyphs (spaces and apostrophes), guided by expanded coverage in wolfssl-multi-test check-source-text. 2024-09-05 14:52:18 -05:00
JacobBarthelmeh 26756da925 update CVE listed in changelog 2024-08-29 16:45:23 -06:00
JacobBarthelmeh a26476b8b2 update changelog for kyber fix, thanks to Antoon Purnal 2024-07-11 09:01:11 -06:00
JacobBarthelmeh c8aa0fa351 remove * in changelog created from search and replace 2024-07-08 10:31:13 -06:00
JacobBarthelmeh 203f65a636 prepare for release 5.7.2 2024-07-08 09:47:46 -06:00
JacobBarthelmeh e80deece82 adjust ChangeLog text 2024-03-21 00:18:44 +07:00
JacobBarthelmeh e5914effab prepare for release 5.7.0 2024-03-20 19:32:22 +07:00
Lealem Amedie 63f7298be2 Default to ASN TEMPLATE library 2024-02-01 14:52:06 -07:00
Chris Conlon 5046e577d3 update ChangeLog/README with 5.6.6 release information 2023-12-18 15:24:14 -07:00
Eric Blankenhorn 7223b5a708 Fix spelling warnings 2023-11-22 12:34:56 -06:00
JacobBarthelmeh 6cf75a7d42 prepare for release 5.6.4 2023-10-30 07:59:00 -06:00
Dimitri Papadopoulos 52f91e4ab9 Fix residual typos found by codespell 2023-07-28 09:29:28 +02:00
John Safranek 42e934b251 Update read-me and change-log for the release. 2023-06-16 09:47:35 -07:00
JacobBarthelmeh 72536e0e10 prepare for 5.6.3 2023-06-13 14:47:06 -06:00
JacobBarthelmeh 032ac405db prepare for release 5.6.2 2023-06-09 05:51:18 -07:00
JacobBarthelmeh 877e026da4 prepare for release 5.6.0 2023-03-23 21:44:18 -07:00
Jacob Barthelmeh cca63a465d prepare for release 5.5.4 2022-12-20 14:19:59 -07:00
JacobBarthelmeh 9b895b74bf update for version 5.5.3 2022-11-02 13:58:37 -07:00
JacobBarthelmeh eb52083afd update version to 5.5.2 2022-10-28 06:25:33 -07:00
Jacob Barthelmeh e720d4ab3b update changelog notes 2022-10-06 14:31:25 -06:00
Jacob Barthelmeh eb5076bb89 update changelog for release 5.5.1 2022-09-27 13:40:00 -06:00
Jacob Barthelmeh d75ce08d75 update readme for release 5.5.0 2022-08-30 09:31:28 -06:00
JacobBarthelmeh a48129eb99 update README for release 2022-07-11 07:28:15 -07:00
Jacob Barthelmeh a9c7bc9d00 fix markdown in readme notes 2022-05-05 17:12:55 -06:00
Jacob Barthelmeh 29401334d3 prepare for release 5.3.0 2022-05-02 17:08:38 -06:00
John Safranek ad8bf40b5e Update readme for release. 2022-02-20 13:05:04 -08:00