Commit Graph

371 Commits

Author SHA1 Message Date
Sean Parkinson 69027c2445 LMS: fixes and improvements
Remove WC_LMS_PARM_NONE as it serves no purpose.
Change sig_len from a 16-bit value to a 32-bit value in the parameters.
Added wc_LmsKey_SetParameters_ex() and wc_LmsKey_GetParameters_ex() to
handle hash algorithm.
Change mass ForceZeros to smaller amounts with XMEMSET and setting to
NULL or default values.
Allow signing of empty message.
Other minor fixes.

Fix API tests to work when WOLFSSL_LMS_MAX_HEIGHT/WOLFSSL_LMS_MAX_LEVELS
are/is defined.
2026-05-11 16:18:12 +10:00
David Garske 63bda771fe Merge pull request #10305 from holtrop-wolfssl/rust-crate-updates
Rust wrapper: add password-hash, kem, mac traits; fix a few Fenrir findings
2026-05-05 12:05:29 -07:00
Tobias Frauenschläger 9393d62591 Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test
certificates plus TLS 1.3 .conf scenarios that exercise the new
verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA
certificates signed with SLH-DSA, certificate signature verification
against an SLH-DSA root. TLS 1.3 entity authentication via
CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and
NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families
across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer,
  PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing
  4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested
  wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode
  and wc_Dilithium_PublicKeyDecode so callers (notably
  wolfssl_x509_make_der and ConfirmSignature, which pass the raw
  BIT STRING contents stashed by StoreKey) decode correctly. Honours
  the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/
  inOutIdx and only ForceZero the buffer half each helper actually
  writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import
  sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The
  pre-standardization OID-collision mechanism is removed since NIST
  OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN
  (rather than -1) for recognised SLH-DSA OIDs whose parameter set
  isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch
  surfaces this as a precise diagnostic instead of the generic
  "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is
  compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes
  alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and
  SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44
  entity keys (server + client), plus the gen script
  (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch:
  test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a
  wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der
  fixtures regenerated with wolfSSL's own encoder so the codec is
  pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw
  PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and
  Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment
  for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources,
  headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and
  certs_test.h; the .der files on disk drive the decode tests.
2026-04-30 18:32:07 +02:00
Tobias Frauenschläger 7a2cf5b655 Remove liboqs for ML-KEM and ML-DSA, update for Falcon 2026-04-30 11:03:06 +02:00
Josh Holtrop b38d7bf630 Rust wrapper: guard sha384 pbkdf2 unit test 2026-04-28 13:49:16 -04:00
Josh Holtrop 1e35f94f04 Rust wrapper: guard a couple unit tests that require sha512 2026-04-28 11:08:09 -04:00
Josh Holtrop 81435c8a01 Rust wrapper: restrict RNG generic type parameters to be integers
Fixes F-3350
2026-04-28 11:08:09 -04:00
Josh Holtrop 6bb8f8f5cd Rust wrapper: address Copilot review comments 2026-04-28 11:08:09 -04:00
Josh Holtrop ca3c779182 Rust wrapper: use consistent rc check in ECC::shared_secret
Fixes F-2676
2026-04-28 11:08:09 -04:00
Josh Holtrop cf199c9ab8 Rust wrapper: replace Lms::sigs_left() with Lms::has_sigs_left()
Fixes F-3094
2026-04-28 11:08:08 -04:00
Josh Holtrop 135110232f Rust wrapper: make ECC::verify_hash C result check more strict
Fixes F-1989
2026-04-28 11:08:08 -04:00
Josh Holtrop 40bc5d09f7 Rust wrapper: remove return value from MlKem::encode_{public,private}_key()
Fixes F-3093
2026-04-28 11:08:08 -04:00
Josh Holtrop 0cddbb25b2 Rust wrapper: check for NUL-terminated slice in ECC::rs_hex_to_sig
Fixes F-3092
2026-04-28 11:08:08 -04:00
Josh Holtrop 79358fea80 Rust wrapper: add mac feature and implement digest/mac traits 2026-04-28 11:08:08 -04:00
Josh Holtrop 84f8b5fa13 Rust wrapper: implement kem traits 2026-04-28 11:08:08 -04:00
Josh Holtrop c08c16ee8f Rust wrapper: implement password-hash traits 2026-04-28 11:08:08 -04:00
JacobBarthelmeh 1da353b516 Merge pull request #10248 from holtrop-wolfssl/rust-digest-signature
Rust wrapper: add digest and signature crate trait implementations
2026-04-24 11:15:40 -06:00
Josh Holtrop 9c506896c6 Rust wrapper: add doc comment for MAX_E_LEN 2026-04-22 00:23:02 -04:00
Josh Holtrop d5957e6247 Rust wrapper: tweak wc_RsaFlattenPublicKey error message in RSA SigningKey::verifying_key() 2026-04-22 00:19:59 -04:00
Josh Holtrop a2b1f580c6 Rust wrapper: add buffer size checks in Rust wrapper for ChaCha20_Poly1305 one-shot encrypt/decrypt wrappers 2026-04-20 13:58:36 -04:00
Josh Holtrop e8ae1536af Mark sha_digest module public 2026-04-20 08:58:21 -04:00
Josh Holtrop fccced4935 Rust wrapper: verify RSA lengths in verifying_key() 2026-04-20 08:57:41 -04:00
Josh Holtrop 3ca90b1904 Rust wrapper: add signature implementations 2026-04-17 15:52:07 -04:00
Josh Holtrop 7f33de0882 Rust wrapper: add digest implementations 2026-04-17 15:52:07 -04:00
Josh Holtrop 4f31ff95f7 Rust wrapper: require fixed length index buffers for SRTP/SRTCP 2026-04-15 11:36:02 -04:00
Josh Holtrop 4fb4b3c0c8 Rust wrapper: test BLAKE2 finalize() returns error for empty output buffer 2026-04-14 20:50:08 -04:00
Josh Holtrop ca362a4e8f Rust wrapper: also check usize to u32 conversions for digest_size 2026-04-14 20:50:08 -04:00
Josh Holtrop e1a01926bc Rust wrapper: check length returned by Lms.get_kid() in unit test 2026-04-14 20:50:08 -04:00
Josh Holtrop 15ac0718a3 Rust wrapper: make zeroize functions private 2026-04-14 20:50:08 -04:00
Josh Holtrop 2f94121078 Rust wrapper: require caller supplied buffer for Lms.get_kid()
Fixes F-1073.
2026-04-14 20:50:08 -04:00
Josh Holtrop 10fbc95241 Rust wrapper: add comment to MlKem about not implementing Send/Sync
Fixes F-1072.
2026-04-14 20:50:08 -04:00
Josh Holtrop 85ad08a50a Rust wrapper: avoid as_ptr() to *mut u8 casts
Fixes F-1065.
2026-04-14 20:50:08 -04:00
Josh Holtrop 884b882afe Rust wrapper: remove generic types for AES buffers
Fixes F-1071.
This is an API-breaking change, so will lead to a new crate major
version.
2026-04-14 20:50:08 -04:00
Josh Holtrop db1aab959c Rust wrapper: zeroize structs on drop 2026-04-14 20:50:08 -04:00
Josh Holtrop f1a041a216 Rust wrapper: add zeroizing Drop impl for ChaCha20Poly1305
Fix F-1069
2026-04-14 20:50:08 -04:00
Josh Holtrop 2c981d67e6 Rust wrapper: check all buffer lengths when converting to u32/i32
Fix F-1068
2026-04-14 20:50:08 -04:00
Josh Holtrop f00636919e Rust wrapper: check kdr_index range in srtp_kdf() and srtcp_kdf()
Fix F-1257
2026-04-14 20:50:08 -04:00
Josh Holtrop 5c10fe9a58 Rust wrapper: BLAKE2: check for non-empty hash buffer in finalize()
This is related to F-1070 but not the same. We do not need to check
that hash_size being passed in matches the initialized digest size
because the C function will use the passed-in size as long as it is
non-zero.
2026-04-14 20:50:08 -04:00
Josh Holtrop 56c20aeda0 Rust wrapper: dilithium: remove unnecessary size define presence checks
Fix F-1256
2026-04-14 20:50:08 -04:00
Josh Holtrop 5959aa2b58 Rust wrapper: ed448: add check for context buffers too long
Fix F-1064
2026-04-14 20:50:08 -04:00
Josh Holtrop 4f42ba9aa7 Rust wrapper: ed25519: add check for context buffers too long
Fix F-1063
2026-04-14 20:50:08 -04:00
Josh Holtrop 337dfc323e Rust wrapper: avoid uninitialized sys::XtsAesStreamData
Fix F-1066
2026-04-14 20:50:08 -04:00
Josh Holtrop 9843f0365a Rust wrapper: avoid creating a MaybeUninit<RNG>
Fix F-1067
2026-04-14 20:50:08 -04:00
Josh Holtrop a8fa845fa9 Rust wrapper: ecc: fix possible resource leak in some error cases
Fix F-1062.

If wolfSSL returns an error after initializing ECC struct with
wc_ecc_init_ex(), wc_ecc_free() might not have been called in all cases.

Move construction of the ECC struct earlier ahead of further wolfSSL
calls after wc_ecc_init_ex() so if those subsequent wolfSSL calls return
an error the Drop impl for ECC will be called to deinitialize.
2026-04-14 20:50:07 -04:00
David Garske d692f99631 More peer review fixes (Use ML-DSA naming) 2026-04-13 15:55:31 -07:00
David Garske 5f124a9ae9 Peer review fixes 2026-04-13 15:30:58 -07:00
David Garske 72c57dc127 Improvements to C# PQC 2026-04-13 15:30:57 -07:00
Masaki Iwai 21be3776bd add ML-KEM/ML-DSA support for C# wrapper 2026-04-13 15:29:57 -07:00
Sean Parkinson 9176185d66 Merge pull request #10171 from dgarske/hpke_csharp
Add HPKE (RFC 9180) C# wrapper
2026-04-14 08:27:03 +10:00
David Garske c4e7198686 Merge pull request #10070 from holtrop-wolfssl/rust-rand_core-aead-cipher
Rust wrapper: add rand_core, aead, cipher trait implementations
2026-04-13 10:00:26 -07:00