Commit Graph

71 Commits

Author SHA1 Message Date
Tobias Frauenschläger 9393d62591 Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test
certificates plus TLS 1.3 .conf scenarios that exercise the new
verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA
certificates signed with SLH-DSA, certificate signature verification
against an SLH-DSA root. TLS 1.3 entity authentication via
CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and
NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families
across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer,
  PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing
  4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested
  wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode
  and wc_Dilithium_PublicKeyDecode so callers (notably
  wolfssl_x509_make_der and ConfirmSignature, which pass the raw
  BIT STRING contents stashed by StoreKey) decode correctly. Honours
  the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/
  inOutIdx and only ForceZero the buffer half each helper actually
  writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import
  sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The
  pre-standardization OID-collision mechanism is removed since NIST
  OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN
  (rather than -1) for recognised SLH-DSA OIDs whose parameter set
  isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch
  surfaces this as a precise diagnostic instead of the generic
  "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is
  compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes
  alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and
  SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44
  entity keys (server + client), plus the gen script
  (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch:
  test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a
  wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der
  fixtures regenerated with wolfSSL's own encoder so the codec is
  pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw
  PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and
  Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment
  for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources,
  headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and
  certs_test.h; the .der files on disk drive the decode tests.
2026-04-30 18:32:07 +02:00
kaleb-himes 08fd7bde58 PQ FIPS v7.0.0 Phase 2 & 3: All changes
Implement peer review feedback
2026-04-24 06:52:49 -06:00
Sean Parkinson 39b34333d6 FIPS 205, SLH-DSA: implementation
Adding implementation of SLH-DSA.
Included optimizations for Intel x64.
Some tests added.
2026-03-09 19:06:34 +10:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Marco Oliverio b767d8218a wolfcrypt: benchmark: use WC_USE_DEVID to benchmark ed25519 if defined 2026-02-11 15:25:28 +01:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
Sean Parkinson a7690ca24b ML-KEM/Kyber: finish name change 2025-03-10 08:37:14 +10:00
Juliusz Sosinowicz 0e7bee9577 ascon-aead: add benchmarking 2025-01-29 11:02:47 +01:00
Juliusz Sosinowicz e3a612300b Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 ipd
Implemented based on the NIST Initial Public Draft "NIST SP 800-232 ipd". Testing based on KAT's available at https://github.com/ascon/ascon-c. Added configuration for testing in github action.
2025-01-29 11:02:47 +01:00
JacobBarthelmeh 2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
JacobBarthelmeh 31a6a2bf59 update copyright to 2024 2024-07-19 13:15:05 -06:00
Sean Parkinson a5961907b0 XMSS implementation
Supporting code for wolfSSL C implementation of XMSS.
2024-01-25 11:21:39 +10:00
Sean Parkinson 8c3e1dbf48 SRTP/SRTCP KDF: add implementation
Add implementation of SRTP KDF and SRTCP KDF.
One shot APIs compatible with SP 800-135 and ACVP testing.
Tests added to test.c.
Benchmarking added.
Doxygen added.
2023-11-07 10:33:14 +10:00
jordan 33d4b331fb Add XMSS/XMSSMT wolfCrypt hooks. 2023-10-05 09:18:50 -05:00
Hideki Miyazaki 1c9afb8b12 initial commit for RZN2L board Support 2023-09-13 09:22:55 +09:00
jordan 67bef21185 Add LMS/HSS wolfCrypt hooks. 2023-07-06 10:55:53 -05:00
Sean Parkinson e2424e6744 SM2/SM3/SM4: Chinese cipher support
Add support for:
 - SM2 elliptic curve and SM2 sign/verify
 - SM3 digest
 - SM4 cipher with modes ECB/CBC/CTR/GCM/CCM

Add APIs for SM3 and SM4.
Add SM2 sign and verify APIs.
Add support for SM3 in wc_Hash and wc_Hmac API.
Add support for SM3 and SM4 through EVP layer.
Add support for SM2-SM3 certificates. Support key ID and name hash being
with SHA-1/256 or SM3.
Add support for TLS 1.3 cipher suites: TLS-SM4-GCM-SM3, TLS-SM4-CCM-SM3
Add support for TLS 1.2 SM cipher suite: ECDHE-ECDSA-SM4-CBC-SM3
Add support for SM3 in wc_PRF_TLS.
Add SM2-SM3 certificates and keys. Generated with GmSSL-3.0.0 and
OpenSSL.
2023-07-04 13:36:28 +10:00
Daniel Pouzzner fffff657de cleanups: line length, WOLFSSL_SMALL_STACK_STATIC, and SAVE_VECTOR_REGISTERS() failure trap in benchmark.c, proper path to benchmark.c in linuxkm/module_hooks.c, and proper casting in aes.c. also harmonized semantics and prototype of bench_ripemd(). 2023-05-17 13:00:46 -05:00
Daniel Pouzzner ed11669f3c more fixes for implicit casts, including asn=template. 2023-04-12 01:37:09 -05:00
JacobBarthelmeh 30adcd58d8 IMX6Q CAAM Port 2023-04-03 16:41:08 -06:00
gojimmypi 821120e31c Add SHA512/224 and SHA512/256 benchmarks (#6113) 2023-02-21 09:27:03 -08:00
Jacob Barthelmeh 9dcc48c8f7 update copyright to 2023 2022-12-30 17:12:11 -07:00
Anthony Hu 0787ab1131 don't call external implemenation of kyber from benchmark anymore. 2022-12-29 11:48:54 -05:00
Anthony Hu b3e99348cd Purge the AES variant of Dilithium 2022-12-27 14:37:47 -05:00
JacobBarthelmeh 9f77210b0b update benchmark for devID builds 2022-12-14 15:20:03 -08:00
Steffen Jaeckel f24cf38f01 Update benchmarks
* add option to run benchmarks with and w/o AAD
   This adds the possibility to benchmark AES-GCM and AES-CCM both with and
   w/o AAD, with the option to also run both.
   The default behavior when wolfSSL provides the `main()` function is
   unchanged.
   The default behavior when wolfSSL doesn't provide the `main()` function has
   been changed to "run both benchmarks - with and w/o ADD".
* add option to run benchmarks against 4096bit RSA&DH keys
* remove `BENCH_SIZE` macro from benchmark.c
* pre-define benchmark sizes in a single place, before it had to be done in two places
* improve `benchmark_static_init()`
   - static variable doesn't need to be in global scope
   - add option to force re-init
   - add more static variables to be reset
* add `-blocks` option to benchmarks
* expose benchmark `main()` as `wolfcrypt_benchmark_main()`
* fix benchmark `-?` output
* use correct SI/Binary prefix in benchmarks
* use a separate column per detail in CSV output of benchmark
* add `-aad_size` option to benchmark
* don't always print symmetric CSV headers
* always use M[i]B/s when output format is CSV
* Versal specific patches for benchmarks
   This also removes the default define for `COUNTS_PER_SECOND` for Xilinx
   targets, since I prefer to have a build failure over wrongly calculated
   output.

Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2022-09-29 09:39:57 -06:00
Sean Parkinson 8c1e2c52e7 Kyber: Add option to build Kyber API
wolfSSL Kyber implementation not included.
Added tests and benchmarking.
2022-09-13 10:07:27 -04:00
Sean Parkinson f153e65102 SHA-3: check BMI1 availablity for ASM
Added benchmarking of SHAKE128 and SHAK256.
2022-09-05 14:11:02 +10:00
Anthony Hu 10ce703d71 Add sphincs to wolfCrypt.
Note that we will not support sphincs in TLS so nothing above wolfcrypt changes.
2022-09-02 11:53:55 -04:00
Anthony Hu 82a900b438 Initial commit to add Dilithium NIST PQC winner.
Also:

* added HAVE_FALCON guards as needed.
* corrected minor falcon bugs as I found them.
* handling OID sum collision between DILITHIUM_LEVEL5 and DILITHIUM_AES_LEVEL3

Tested with the following commands:

examples/server/server -v 4 -l TLS_AES_256_GCM_SHA384 \
    -c ~/tmp/dilithium_aes_level5_entity_cert.pem \
    -k ~/tmp/dilithium_aes_level5_entity_key.pem \
    -A ~/tmp/dilithium_aes_level5_root_cert.pem --pqc P521_KYBER_LEVEL5

examples/client/client -v 4 -l TLS_AES_256_GCM_SHA384 \
    -c ~/tmp/dilithium_aes_level5_entity_cert.pem \
    -k ~/tmp/dilithium_aes_level5_entity_key.pem \
    -A ~/tmp/dilithium_aes_level5_root_cert.pem --pqc P521_KYBER_LEVEL5

with permutations of SHAKE,AES variants and levels 2,3,5
2022-08-11 11:38:31 -04:00
Jacob Barthelmeh 8eaa85e412 update copyright year to 2022 2022-07-19 10:44:31 -06:00
kaleb-himes 9d11e9092f Add necessary includes for cross-builds 2022-06-27 13:50:27 -06:00
Daniel Pouzzner 4efd06fdc1 fix readability-inconsistent-declaration-parameter-name. 2022-04-07 07:59:59 -05:00
Anthony Hu 9ea40f3a9c Purge IDEA cipher 2022-01-31 15:29:25 -05:00
Anthony Hu b957a6e872 Purge Rabbit cipher 2022-01-28 13:13:53 -05:00
Daniel Pouzzner b7cecbacb2 update headers to resolve clang-tidy carping (mostly bugprone-macro-parentheses and readability-named-parameter). also disables MSC C4028 because incompatible with readability-avoid-const-params-in-decls. 2022-01-26 02:06:37 -06:00
David Garske 609d6442b1 Merge pull request #4753 from SparkiDev/siphash
Add SipHash algorithm
2022-01-19 18:51:44 -08:00
Sean Parkinson a6485a228d Add SipHash algorithm 2022-01-20 09:41:18 +10:00
Hayden Roche 62b07d8806 Add AES-SIV (RFC 5297).
This commit adds functions to encrypt and decrypt data using AES in SIV mode, as
described in RFC 5297. This was added in the process of porting chrony to
wolfSSL. chrony is an NTP implementation that can use NTS (network time
security), which requires AES-SIV.
2022-01-19 14:32:33 -08:00
Anthony Hu c2860cb311 Get rid of HC-128 2022-01-17 18:11:54 -05:00
Anthony Hu 7d4c13b9a4 --with-liboqs now defines HAVE_LIBOQS and HAVE_PQC
AKA: The Great Rename of December 2021
2021-12-20 11:48:03 -05:00
Anthony Hu fea438d07f Use wolfCrypt's benchmarking app to run the PQ algorithms. 2021-11-26 15:15:23 -05:00
Anthony Hu 237b098ba5 Add Falcon benchmarking. 2021-11-10 14:53:35 -05:00
Anthony Hu 33cb823148 Remove legacy NTRU and OQS (#4418)
* Remove NTRU and OQS

* Keep the DTLS serialization format backwards compatible.

* Remove n from mygetopt_long() call.

* Fix over-zealous deletion.

* Resolve problems found by @SparkiDev
2021-09-24 08:37:53 +10:00
toddouska 3ac03d3d66 Merge pull request #3805 from JacobBarthelmeh/copyright
update copyright date to 2021
2021-03-15 16:16:50 -07:00
Sean Parkinson a55e94cf6f ECCSI and SAKKE: add support
Fixes for static code analysis included.
Added const to function parameters.
Zeroise some temporaries.
2021-03-12 09:31:22 +10:00
Jacob Barthelmeh c729318ddd update copyright date 2021-03-11 13:42:46 +07:00
toddouska 920c443864 Merge pull request #3250 from JacobBarthelmeh/Benchmark
add brainpool benchmark
2021-01-22 10:08:21 -08:00
Jacob Barthelmeh 177f4aecb6 add all curves to benchmark 2021-01-22 03:20:41 +07:00
Jacob Barthelmeh e3fa462d72 add brainpool benchmark of key generation 2021-01-22 02:55:26 +07:00