Commit Graph

530 Commits

Author SHA1 Message Date
Daniel Pouzzner d8797f59c4 Merge pull request #10261 from Frauschi/slh-dsa
Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
2026-04-30 23:52:36 -05:00
JacobBarthelmeh fc51a38094 Merge pull request #10135 from lealem47/nid_ED
Add Ed25519/Ed448 support to EVP layer
2026-04-30 14:16:05 -06:00
Tobias Frauenschläger 9393d62591 Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test
certificates plus TLS 1.3 .conf scenarios that exercise the new
verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA
certificates signed with SLH-DSA, certificate signature verification
against an SLH-DSA root. TLS 1.3 entity authentication via
CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and
NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families
across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer,
  PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing
  4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested
  wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode
  and wc_Dilithium_PublicKeyDecode so callers (notably
  wolfssl_x509_make_der and ConfirmSignature, which pass the raw
  BIT STRING contents stashed by StoreKey) decode correctly. Honours
  the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/
  inOutIdx and only ForceZero the buffer half each helper actually
  writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import
  sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The
  pre-standardization OID-collision mechanism is removed since NIST
  OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN
  (rather than -1) for recognised SLH-DSA OIDs whose parameter set
  isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch
  surfaces this as a precise diagnostic instead of the generic
  "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is
  compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes
  alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and
  SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44
  entity keys (server + client), plus the gen script
  (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch:
  test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a
  wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der
  fixtures regenerated with wolfSSL's own encoder so the codec is
  pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw
  PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and
  Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment
  for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources,
  headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and
  certs_test.h; the .der files on disk drive the decode tests.
2026-04-30 18:32:07 +02:00
Tobias Frauenschläger 7a2cf5b655 Remove liboqs for ML-KEM and ML-DSA, update for Falcon 2026-04-30 11:03:06 +02:00
Daniel Pouzzner c782db3cc9 Merge pull request #10158 from Roy-Carter/feature/libevent_integration
Libevent integration for OpenSSL compatibility layer
2026-04-29 18:22:07 -05:00
David Garske 07ea48673a Merge pull request #10073 from anhu/certmgr
Ensure certificates are getting into cert manager
2026-04-29 09:58:45 -07:00
Daniel Pouzzner f81f8479d5 fixes for SLH-DSA verifyonly:
wolfssl/wolfcrypt/wc_slhdsa.h: implement WOLFSSL_SLHDSA_NO_SHAKE and WOLFSSL_SLHDSA_NO_SHA2, and fix WC_SLHDSA_MAX_SIG_LEN setup to reflect SHA2 variants;

wolfssl/wolfcrypt/settings.h: if WOLFSSL_KERNEL_MODE, set WOLFSSL_SLHDSA_VERIFY_ONLY unless WOLFSSL_SLHDSA_NO_VERIFY_ONLY;

wolfcrypt/src/wc_slhdsa.c: fix WOLFSSL_SLHDSA_VERIFY_ONLY to work with --enable-slhdsa=sha2,verifyonly;

fix -Wunused-variables in slhdsakey_wots_pk_from_sig_x4();

wolfcrypt/test/test.c: in slhdsa_test(), fix gating for compatibility with --enable-slhdsa=sha2,verifyonly;

tests/api/test_slhdsa.c: fix gating in test_wc_slhdsa() and test_wc_slhdsa_sizes().
2026-04-28 18:06:00 -05:00
Daniel Pouzzner 91f66fb9c0 tests/api/test_pkcs7.c: in test_wc_PKCS7_BER(), in expected-failure wc_PKCS7_DecodeEnvelopedData() in WOLFSSL_SP_MATH build, allow failure with either WC_KEY_SIZE_E or BUFFER_E, to accommodate blinding added by #10128 / 589feabc0c. 2026-04-25 11:47:24 -05:00
David Garske 21921408b9 Merge pull request #10216 from ColtonWilley/add-null-checks-public-api
Add missing NULL checks in public API functions
2026-04-24 14:42:24 -07:00
JacobBarthelmeh 734a71180c Merge pull request #10220 from embhorn/zd21596
Fix TLS ext bounds checking
2026-04-24 15:10:05 -06:00
JacobBarthelmeh c6953b868a Merge pull request #10260 from Frauschi/ecc_fix
Fix ECC validation regression
2026-04-24 14:39:50 -06:00
JacobBarthelmeh b9514e70be Merge pull request #10148 from julek-wolfssl/openvpn-master-bn2binpad
Add BN_bn2binpad API and enable OpenVPN master CI testing
2026-04-24 13:54:06 -06:00
kaleb-himes 08fd7bde58 PQ FIPS v7.0.0 Phase 2 & 3: All changes
Implement peer review feedback
2026-04-24 06:52:49 -06:00
Eric Blankenhorn 412c428b0a Fix TLS ext bounds checking 2026-04-24 07:23:07 -05:00
Juliusz Sosinowicz 31278ee8bd Merge pull request #10296 from JacobBarthelmeh/hostap 2026-04-24 14:13:02 +02:00
JacobBarthelmeh 29f674e5b6 avoid glitch hardening false positive byte collision with small messages and adjust test case 2026-04-24 01:08:00 -06:00
Sean Parkinson 936f8e5423 Merge pull request #10203 from Frauschi/pkcs7_fixes
PKCS#7 fixes
2026-04-24 10:13:43 +10:00
Daniel Pouzzner 9d46b57af3 Merge pull request #10246 from sameehj/aes-gcm-fix
Zero TLS 1.3 traffic keys after AES SE offload
2026-04-23 13:26:59 -05:00
Tobias Frauenschläger 6c5de29758 Fix ECC validation regression 2026-04-23 11:26:33 +02:00
Tobias Frauenschläger 22d1441331 Bounds-check the RecipientInfo SET length in wc_PKCS7_ParseToRecipientInfoSet() 2026-04-23 11:03:24 +02:00
Tobias Frauenschläger b7f6e77a95 Reject PKCS#7 SignedData signer-identity forgery 2026-04-23 09:36:32 +02:00
Tobias Frauenschläger 589feabc0c Harden PKCS#7 EnvelopedData key unwrap 2026-04-23 09:36:32 +02:00
Tobias Frauenschläger 3fd4060458 Add more PKCS#7 tests 2026-04-23 09:36:32 +02:00
Tobias Frauenschläger 5634cfd67c Fix PKCS#7 regression with --enable-all and NO_PKCS7_STREAM 2026-04-23 09:36:32 +02:00
JacobBarthelmeh b5738236d9 Merge pull request #10187 from embhorn/zd21587
Fixes in TLS ECH, handle empty records, and ASN len check
2026-04-22 14:44:15 -06:00
Roy Carter 6353ad3683 Feat: support openssl compatibility layer functionality for libevent integration
Cosmetic: remove empty whitespace
2026-04-21 19:05:26 +03:00
Mattia Moffa c3e5f19643 Address Copilot suggestions 2026-04-21 02:35:57 +02:00
Sean Parkinson 967780f1b7 Merge pull request #10239 from gasbytes/crl-idp-extension-fix
reject crls with unrecognized critical extensions
2026-04-21 10:21:31 +10:00
Lealem Amedie 8b762301ef Add EVP_PKEY_new_raw_public_key and EVP_PKEY_new_raw_private_key 2026-04-20 09:31:42 -06:00
Sameeh Jubran ba51fbd30b Zero TLS 1.3 traffic keys after AES SE offload
When WOLF_CRYPTO_CB_AES_SETKEY is enabled and a CryptoCB callback
imports the AES key into a Secure Element (aes->devCtx != NULL), the
TLS-layer copy in keys->{client,server}_write_key has no further
consumer: the software key schedule is not populated on offload.
ForceZero it in SetKeysSide() per provisioned side.

The static IVs (keys->{client,server}_write_IV and
keys->aead_{enc,dec}_imp_IV) are left intact because BuildTls13Nonce()
reads aead_{enc,dec}_imp_IV on every record (RFC 8446 Section 5.3).

Scope: TLS 1.3, non-DTLS, non-QUIC.  DTLS 1.3 needs the write keys
in Dtls13EpochCopyKeys; TLS 1.2 needs them for rehandshake; QUIC is
untouched pending audit.

Add two memio tests (test_wc_CryptoCb_Tls13_Key_{Zero_After_Offload,
No_Zero_Without_Offload}) that pin AES-GCM and check key / IV state
after the handshake and a KeyUpdate round.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-04-20 10:45:23 +03:00
Sean Parkinson fa9f24ff27 Merge pull request #10223 from rlm2002/zd21611
CN constraints fix
2026-04-19 21:28:29 +10:00
Ruby Martin 797ba3f03b test DNS name constraints on CA are applied against Subject CN name when SAN name is unavailable
test correct CN with no SAN available is accepted
2026-04-17 12:10:25 -06:00
Reda Chouk 857141da35 reject crls with unrecognized critical extensions per rfc 5280 section 5.2 2026-04-17 19:36:55 +02:00
Tobias Frauenschläger 0de3925207 Add RFC8773bis cert_with_extern_psk support
Implement RFC8773bis (draft-ietf-tls-8773bis-13)
cert_with_extern_psk for TLS 1.3, including protocol checks
and API support.

Includes unit tests for API and handshake behavior as well
as tests in the testsuite using extended examples.
2026-04-17 15:12:04 +02:00
Sean Parkinson 460463aa8f Merge pull request #10166 from JeremiahM37/test-coverage
Add negative tests for TLS handshake verification paths
2026-04-17 10:41:53 +10:00
Sean Parkinson 9d1fe652b1 Merge pull request #10224 from embhorn/zd21594
Various fixes in internal.c
2026-04-17 09:44:33 +10:00
Brett Nicholas 4bf334c299 Merge pull request #10009 from night1rider/SHE-update
Add SHE (Secure Hardware Extension) support to wolfCrypt
2026-04-16 16:49:00 -06:00
Jeremiah Mackey a0614dd3c0 add negative tests for TLS handshake verification paths 2026-04-16 14:37:07 +00:00
Daniel Pouzzner 4cd7126092 tests/api/test_aes.c: fix gating for test_wc_AesGcm_MonteCarlo() to exclude WOLFSSL_AFALG and WOLFSSL_DEVCRYPTO. 2026-04-15 21:29:17 -05:00
night1rider 64a1ac8dd2 wc_SHE_ImportM1M2M3: fix guard from || to && so it gates on WOLF_CRYPTO_CB 2026-04-15 18:03:39 -06:00
Sean Parkinson cd6b062847 Merge pull request #10136 from JeremiahM37/fenrir-issues-2
Fenrir fixes
2026-04-16 08:51:17 +10:00
Sean Parkinson d2175f3b42 Merge pull request #10222 from embhorn/zd21597
Report cert verify failure with MD5
2026-04-16 08:45:15 +10:00
Sean Parkinson 1fab25301f Merge pull request #10221 from julek-wolfssl/gh/10197
TLS 1.3: evict session from cache after accepted 0-RTT resumption
2026-04-16 08:16:31 +10:00
David Garske faa6e985a5 Merge pull request #10226 from SparkiDev/api_test_cipher_algs_3
API tests: more cipher tests
2026-04-15 14:32:11 -07:00
Eric Blankenhorn c429a41121 Fix from review 2026-04-15 15:26:46 -05:00
night1rider 1078e797f8 Fix CMake SHE deps, const-correctness in CryptoCb uid, stale comment, XSTRLEN double call, configure.ac AES-CBC guard, and add LoadKey/LoadKey_Verify test coverage 2026-04-15 11:28:03 -06:00
night1rider f081a08c5c Address comments from bigbrett and Fenrir bot. Rename she.{c,h} to wc_she.{c,h}, fix naming consistency, auto-enable CMAC/AES dependencies, add WC_SHE_SW_DEFAULT opt-inAddress PR #10009 review comments from bigbrett and Fenrir 2026-04-15 11:28:03 -06:00
night1rider 802c34018c Add more in depth comments in header file for she.h 2026-04-15 11:28:03 -06:00
night1rider ee7fe9e1b1 SHE API: remove key storage from context, add direct output params 2026-04-15 11:28:03 -06:00
night1rider eeedc470e9 Add SHE (Secure Hardware Extension) support to wolfCrypt 2026-04-15 11:27:44 -06:00