Commit Graph

299 Commits

Author SHA1 Message Date
Tobias Frauenschläger 9393d62591 Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test
certificates plus TLS 1.3 .conf scenarios that exercise the new
verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA
certificates signed with SLH-DSA, certificate signature verification
against an SLH-DSA root. TLS 1.3 entity authentication via
CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and
NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families
across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer,
  PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing
  4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested
  wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode
  and wc_Dilithium_PublicKeyDecode so callers (notably
  wolfssl_x509_make_der and ConfirmSignature, which pass the raw
  BIT STRING contents stashed by StoreKey) decode correctly. Honours
  the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/
  inOutIdx and only ForceZero the buffer half each helper actually
  writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import
  sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The
  pre-standardization OID-collision mechanism is removed since NIST
  OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN
  (rather than -1) for recognised SLH-DSA OIDs whose parameter set
  isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch
  surfaces this as a precise diagnostic instead of the generic
  "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is
  compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes
  alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and
  SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44
  entity keys (server + client), plus the gen script
  (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch:
  test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a
  wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der
  fixtures regenerated with wolfSSL's own encoder so the codec is
  pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw
  PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and
  Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment
  for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources,
  headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and
  certs_test.h; the .der files on disk drive the decode tests.
2026-04-30 18:32:07 +02:00
Daniel Pouzzner a057975347 Merge pull request #10293 from Frauschi/liboqs_removal
Remove liboqs for ML-KEM and ML-DSA, update for Falcon
2026-04-30 09:04:11 -05:00
Tobias Frauenschläger 7a2cf5b655 Remove liboqs for ML-KEM and ML-DSA, update for Falcon 2026-04-30 11:03:06 +02:00
Tobias Frauenschläger e1fefcca4f Remove deprecated liblms and libxmss 2026-04-29 19:52:09 +02:00
kaleb-himes 08fd7bde58 PQ FIPS v7.0.0 Phase 2 & 3: All changes
Implement peer review feedback
2026-04-24 06:52:49 -06:00
David Garske e05ce26fc9 wolfCrypt SRAM PUF Support
Add SRAM PUF (Physically Unclonable Function) support to wolfCrypt. Derives device-unique cryptographic keys from the power-on state of SRAM memory using a BCH(127,64,t=10) fuzzy extractor with HKDF key derivation.

- **wolfCrypt PUF API** (`wolfcrypt/src/puf.c`, `wolfssl/wolfcrypt/puf.h`)
  - `wc_PufInit`, `wc_PufReadSram`, `wc_PufEnroll`, `wc_PufReconstruct`
  - `wc_PufDeriveKey` (HKDF-SHA256), `wc_PufGetIdentity` (SHA-256 device fingerprint)
  - `wc_PufZeroize` (secure context cleanup)
  - `wc_PufSetTestData` (synthetic SRAM for testing without hardware)
- **BCH(127,64,t=10) error-correcting codec** - corrects up to 10 bit flips per 127-bit codeword across 16 codewords
- **`WC_PUF_SHA3` build option** - select SHA3-256 instead of SHA-256 for identity hash and HKDF (default: SHA-256)
- **Precomputed GF(2^7) tables** - `const` arrays in `.rodata` (no runtime init, thread-safe, flash-resident on embedded)
- `./configure --enable-puf` (auto-enables HKDF dependency)
- CMake: `WOLFSSL_PUF=yes`
- `WOLFSSL_USER_SETTINGS`: define `WOLFSSL_PUF` and `WOLFSSL_PUF_SRAM`
- See wolfssl-examples/puf for example implementation on STM32 NUCLEO-H563ZI (Cortex-M33, STM32H563ZI)
- Supports test mode (synthetic SRAM)
- Builds to ~13KB `.elf`
- Tested on NUCLEO-H563ZI: enrollment, noisy reconstruction, key derivation all pass
- `.github/workflows/puf.yml`: host build + test workflow for PUF feature
- Doxygen API docs for all 8 public functions
- PUF group added to `doxygen_groups.h`
2026-04-22 11:39:39 -07:00
night1rider f081a08c5c Address comments from bigbrett and Fenrir bot. Rename she.{c,h} to wc_she.{c,h}, fix naming consistency, auto-enable CMAC/AES dependencies, add WC_SHE_SW_DEFAULT opt-inAddress PR #10009 review comments from bigbrett and Fenrir 2026-04-15 11:28:03 -06:00
night1rider eeedc470e9 Add SHE (Secure Hardware Extension) support to wolfCrypt 2026-04-15 11:27:44 -06:00
Daniel Pouzzner c4c2d8fafe src/include.am, wolfcrypt/src/aes.c, wolfcrypt/src/port/riscv/riscv-64-aes.c: initial buildability of fips-dev with --enable-riscv-asm. 2026-04-13 18:57:20 -05:00
Daniel Pouzzner 60d1e222b2 globally fix all "BLAKE2" references (implicit BLAKE2B) to explicit "BLAKE2B":
* implement legacy compatibility in settings.h and configure.ac (adds --enable-blake2b while retaining --enable-blake2);
* fix incorrect Blake2 gates in wolfcrypt/src/hash.c wc_HashGetDigestSize() and wc_HashGetBlockSize();
* in wolfcrypt/test/test.c hash_test(), backfill missing Blake2 test coverage and separate blake2b from blake2s in typesHashBad[];
* in tests/api/test_hash.c, separate blake2b from blake2s in notCompiledHash[], sizeSupportedHash[], and sizeNotCompiledHash[].
2026-04-07 13:18:53 -05:00
Daniel Pouzzner e8a53c2e6d Merge pull request #9941 from kaleb-himes/v6-wolfentropy-combofix
Ensure user-space wolfentropy builds of the v6 module compile the cor…
2026-03-10 19:36:52 -05:00
kaleb-himes b2520f120f Ensure user-space wolfentropy builds of the v6 module compile the correct resource 2026-03-10 10:48:43 -06:00
Sean Parkinson 39b34333d6 FIPS 205, SLH-DSA: implementation
Adding implementation of SLH-DSA.
Included optimizations for Intel x64.
Some tests added.
2026-03-09 19:06:34 +10:00
Sean Parkinson be4584784c Split out code form ssl.c and pk.c
Move EC and RSA code out of pk.c into separate file.

Move out of ssl.c into separate files:
  - Certificate APIs
  - CRL/OCSP APIs
  - Public Key APIs
  - ECH

Internal Certificate Manager APIs pulled out into ssl_certman.c.
d2i and i2d WOLFSSL_EVP_PKEY APIs pulled out into evp_pk.c.

Fix formatting.
2026-01-29 18:49:56 +10:00
Daniel Pouzzner 0059f1647e move WC_RNG_BANK_SUPPORT implementation from wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h to new files wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h;
wolfcrypt/src/rng_bank.c:

  * add wc_local_rng_bank_checkout_for_bankref, wc_BankRef_Release(), wc_rng_bank_new(), and wc_rng_bank_free();

  * in wc_rng_bank_checkin(), take a struct wc_rng_bank_inst **rng_inst and NULL it before return;

  * in wc_rng_bank_init(), add a devId arg, and handle devId in wc_rng_bank_inst_reinit();

  * add WC_RNG_BANK_INST_LOCK_* and use them in wc_rng_bank_checkout() and wc_rng_bank_checkin();

  * fix order of operations in wc_rng_bank_checkout() re DISABLE_VECTOR_REGISTERS();

wolfcrypt/src/random.c:

  * refactor per-instance salting for wc_rng_bank_inst: remove changes in Hash_df(), Hash_DRBG_Instantiate(), and _InitRng(), and in wc_rng_bank_init() and wc_rng_bank_inst_reinit(), use wc_InitRngNonce_ex() and pass the wc_rng_bank_inst pointer as the nonce;

  * simplify the WC_RNG_BANK_SUPPORT variant of wc_RNG_GenerateBlock() -- delegate to wc_local_rng_bank_checkout_for_bankref() and remove supplementary error checking;

  * in wc_FreeRng(), call wc_BankRef_Release() when WC_DRBG_BANKREF, and in wc_BankRef_Release(), fix refcount flub (not wolfSSL_RefFree, rather wolfSSL_RefDec);

  * streamline the WOLFSSL_LINUXKM wc_GenerateSeed();

wolfcrypt/test/test.c: add random_bank_test();

linuxkm/lkcapi_sha_glue.c: use WC_RNG_BANK_INST_TO_RNG() opportunistically;

configure.ac: add --enable-amdrdseed as a synonym for --enable-amdrand;

linuxkm/linuxkm_wc_port.h: when LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT, don't include get_random_bytes() in struct wolfssl_linuxkm_pie_redirect_table;

add various comments for clarity.
2026-01-07 22:54:07 -06:00
Sean Parkinson 99692003d4 PPC32 ASM: alternative C code with registers prepended
C implementation with registers prepended with letter 'r'.
2026-01-05 21:12:10 +10:00
Sean Parkinson f54266c2c6 Curve25519: improved smul
Use the Ed25519 base smul in Curve25519 base mul and covert to
Montogmery curve for a faster implementation.
Only when Ed25519 is compiled in or WOLFSSL_CURVE25519_USE_ED25519 is
defined.
When compiling Intel x64 assembly and Aarch64 assembly, always define
WOLFSSL_CURVE25519_USE_ED25519.
Can't use with blinding - normal C implementation.

Optimized the Curve25519 smul slightly for Intel x64 and Aarch64.
Improved the conditional table lookup on Intel x64 to use AVX2 when
available.
2025-12-17 13:25:36 +10:00
kaleb-himes dc6fa0ad4e De-couple ESV from DRBG 2025-11-20 09:38:13 -07:00
Sean Parkinson 093cc04076 Stack API: Pull out implementation into separate file
General stack APIs pulled out into ssl_sk.c.
Other simple APIs also pulled out into ssl_sk.c.
wolfSSL_lh_retrieve also pulled out into ssl_sk.c.

Added tests of public APIs that weren't already tested.
2025-10-27 17:08:41 +10:00
Daniel Pouzzner c145b7ee81 wolfcrypt/src/aes.c: define GCM_GMULT_LEN() when WOLFSSL_ARMASM, and fix gating on wolfCrypt_FIPS_AES_sanity (always gate in for FIPS v7+);
wolfcrypt/src/port/af_alg/afalg_aes.c: check for null key arg;

configure.ac: rename BUILD_FIPS_CURRENT to BUILD_FIPS_V2_PLUS (no functional change), and remove unused ARMASM_DIST_SOURCES set up code added in #9332;

src/include.am:
* set up $(ARMASM_SHA256_C), and use it to properly include wolfcrypt/src/sha256.c alongside armasm when appropriate;
* fix gating on Curved25519 armasm (BUILD_FIPS_V6_PLUS, not BUILD_FIPS_V6);

tests/api/test_aes.c and wolfcrypt/test/test.c: gate out incompatible coverage for WOLFSSL_AFALG and WOLFSSL_KCAPI (test_wc_AesCbcEncryptDecrypt_MultiBlocks(), test_wc_AesCtrSetKey*(), test_wc_AesCtrEncrypt*(), test_wc_AesGcmEncryptDecrypt_Sizes()).
2025-10-24 15:08:56 -05:00
Daniel Pouzzner 6ff47a7a4c src/include.am: fix gate flub, !BUILD_FIPS_V6 -> !BUILD_FIPS_V6_PLUS, around sp-asm files (covered earlier for FIPS). 2025-10-23 16:57:39 -05:00
Daniel Pouzzner be301f93da fixes for autotools config around armasm AES/SHA refactor in #9284: in configure.ac, add BUILD_FIPS_V5_PLUS and BUILD_FIPS_V6_PLUS conditionals, and fix BUILD_FIPS_V6 conditional to match v6 only;
in src/include.am, add LEGACY_ARMASM_foo and NEW_ARMASM_foo helper variables, restore pre-PR9284 armasm clauses, and add or update several FIPS gates as needed;

add empty wolfcrypt/src/port/arm/{armv8-aes.c,armv8-sha256.c,armv8-sha512.c} to mollify autotools, and in wolfcrypt/src/include.am, restore them to EXTRA_DIST if FIPS v5 or v6.
2025-10-22 22:52:24 -05:00
Sean Parkinson 9c1462a9ec Aarch64 asm: convert to generated
Algorithms now generated:
  SHA-256
  SHA-512
  ChaCha20
  Poly1305
  AES-ECB
  AES-CBC
  AES-CTR
  AES-GCM + streaming
  AES-XTS
  AES SetKey

ARM32 asm algorithms generated now too:
  SHA-256
  SHA-512
  ChaCha20
  AES-ECB
  AES-CBC
  AES-CTR
  AES-GCM
  AES-XTS
  AES SetKey

Removed use of ARM specific implementations of algorithms. (armv8-aes.c)
2025-10-21 17:03:39 +10:00
JacobBarthelmeh 2445af9308 compile both fe_operations.c and low_mem version and rely on macro defines to choose which code gets compiled 2025-10-07 10:42:08 -06:00
Sean Parkinson 648a057147 ML-DSA/Dilithium: Intel x64 ASM
Optimize code knowing it is for Intel x64.
Change signing to calculate one polynomial at a time so that if it isn't
valid then we fail early.
Other minor improvements.
Move the SHA-3 4 blocks at a time assembly into SHA-3 asm file.
Make constants in assembly the same length (front pad with zeros).
2025-08-07 14:01:50 +10:00
Sean Parkinson c39f1fe721 PPC 32 ASM: SHA-256
Pure and inline  ASM for the PowerPC 32-bit.
2025-06-18 21:23:15 +10:00
Daniel Pouzzner 6d92dae632 configure.ac: add support for --enable-aesni-with-avx/USE_INTEL_SPEEDUP_FOR_AES (AESNI+AVX, but only for AES modes).
linuxkm/lkcapi_glue.c: implement WC_LINUXKM_C_FALLBACK_IN_SHIMS, km_AesGet(), and km_AesFree().

src/include.am: add missing gates for AES-GCM and AES-XTS asm.

wolfcrypt/src/aes_xts_asm.S and wolfssl/wolfcrypt/sp_int.h: don't redefine HAVE_INTEL_AVX2.
2025-04-02 17:00:48 -05:00
David Garske 2c36ae268f Merge pull request #8536 from SparkiDev/kyber_to_mlkem
Update Kyber APIs to ML-KEM APIs
2025-03-20 11:07:53 -07:00
Daniel Pouzzner 87c0ac90b8 configure.ac:
* sense assert.h and define WOLFSSL_HAVE_ASSERT_H accordingly.
* force off enable_aesgcm_stream if 32 bit armasm or riscv-asm (not yet implemented or buildable).
* add AM_CONDITIONAL([BUILD_CHACHA_NOASM, ...]) when --enable-chacha=noasm.

src/include.am: gate armasm/riscv_asm chacha files on !BUILD_CHACHA_NOASM.

tests/api.c: add missing HAVE_CHACHA&&HAVE_POLY1305 gate around test_TLSX_CA_NAMES_bad_extension().

wolfcrypt/src/chacha.c: tweak WOLFSSL_ARMASM and WOLFSSL_RISCV_ASM codepaths to also depend on !NO_CHACHA_ASM.

wolfssl/wolfcrypt/types.h: in setup for wc_static_assert(), #include <assert.h> if WOLFSSL_HAVE_ASSERT_H, >=C11, or >=C++11.
2025-03-13 23:17:57 -05:00
Sean Parkinson a7690ca24b ML-KEM/Kyber: finish name change 2025-03-10 08:37:14 +10:00
Juliusz Sosinowicz e3a612300b Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 ipd
Implemented based on the NIST Initial Public Draft "NIST SP 800-232 ipd". Testing based on KAT's available at https://github.com/ascon/ascon-c. Added configuration for testing in github action.
2025-01-29 11:02:47 +01:00
Sean Parkinson f7afc47d98 Kyber ARM32 ASM: add assembly using base instructions
Support ARMv4 up to ARMv8.
Base instructions only - faster implemenation will use NEON.
2024-10-04 11:06:18 +10:00
Sean Parkinson d2047986d9 Kyber ASM ARMv7E-M/ARMv7-M: added assembly code
Improved performance by reworking kyber_ntt, kyber_invtt,
kyber_basemul_mont, kyber_basemul_mont_add, kyber_rej_uniform_c to be
in assembly.
Replace WOLFSSL_SP_NO_UMAAL with WOLFSSL_ARM_ARCH_7M
2024-10-03 18:11:31 +10:00
Daniel Pouzzner a04871f153 examples/pem/pem.c: fix double-free introduced in 65853a41b9;
configure.ac and src/include.am: add ENABLED_ARM_THUMB, BUILD_ARM_THUMB, BUILD_ARM_NONTHUMB, ENABLED_ARM_64, BUILD_ARM_64, ENABLED_ARM_32. and BUILD_ARM_32, and use them to gate building of ARM asm files, to fix "ISO C forbids an empty translation unit" warnings (the warning only affects inline asm files, but the gating is deployed more widely).
2024-10-01 16:03:37 -05:00
David Garske 47add7e9e2 Merge pull request #8020 from SparkiDev/arm32_base_chacha20_poly1305
ARM32 ChaCha20, Poly1305: assembly code
2024-09-30 06:53:37 -07:00
Sean Parkinson e4301bc554 ARM32 generated files: fix line lengths
Generated ARM32 assembly files no longer have lines with more than 80
characters.
2024-09-30 08:50:31 +10:00
Sean Parkinson 2323a5cf59 ARM32 ChaCha20, Poly1305: assembly code
Add assembly code for ChaCha20 and Poly1305 on ARM32 when no NEON
available.
2024-09-26 20:24:58 +10:00
Sean Parkinson de657787cf Kyber Aarch64: assembly implementations of functions
Aarch64 assembly implementation of Kyber functions.
SHA-3 assembly implementations when not hardware crypto.
2024-09-26 09:10:05 +10:00
Sean Parkinson 27033c225f Thumb-2 ChaCha, Poly1305: implemention in assembly
Implementation of ChaCha algorithm for ARM Thumb-2.
Implementation of Poly1305 algorithm for ARM Thumb-2.
2024-09-12 10:59:01 +10:00
Sean Parkinson 5f40f9a140 Thumb-2 ChaCha: implemention in assembly
Implementation of ChaCha algorithm for ARM Thumb-2.
2024-09-06 10:16:45 +10:00
David Garske b7a6c6c314 Fixes for building RISCV ASM with enable-all.
* Fix type warning for SHA512 ByteReverseWords call
* Fix issue with riscv-asm and xchacha.
2024-09-03 09:37:01 -07:00
Sean Parkinson 7c3d66ecd6 RISC-V ASM: SHA-3
Add assembly implementations of SHA-3.
Use VSRL_VX instead of two VSRL_VI operations as immediate is only 5
bits.
2024-08-29 17:58:02 +10:00
Sean Parkinson 3ade7a875e RISC-V 64 ASM: Add Poly1305 implementation
Implementation using standard and vector instructions.
2024-08-15 09:01:34 +10:00
Sean Parkinson 4062b94fb3 RISC-V 64: Add assembly code for SHA-512
Cleanup RISC-V 64 SHA-256 by removing unused rev_idx.
2024-08-06 10:21:48 +10:00
Sean Parkinson ebb49b6e68 RISC-V ChaCha20: assembly implementations
ChaCha20:
  scalar and vector implementations
  vector implementations doing 6, 4, 2, 1 block at a time.
  scalar implemetations using roriw and pack
  vector implementations using VROR_VI and roriw.

RISC-V SHA-256: avoid using s0 if it can be helped.
2024-08-01 17:51:59 +10:00
David Garske 6a1139a6ee Merge pull request #7758 from SparkiDev/riscv-sha256-asm
RISC-V 64: Add assembly code for SHA-256
2024-07-30 16:23:57 -07:00
Sean Parkinson f1e01e4636 RISC-V 64: Add assembly code for SHA-256
Move common defines out of AES file to header file.
2024-07-30 12:21:13 +10:00
Anthony Hu 181c408d17 Allow kyber to be built with FIPS 2024-07-24 20:36:51 -04:00
Sean Parkinson 8734f1251d SHA-3 Thumb2, ARM32 ASM: Add assembly implemention
Add SHA-3 assembly implementation for Thumb2 and ARM32.
2024-06-21 14:38:51 +10:00
Sean Parkinson 3e3a00dafd Dilithium/ML-DSA: Implementation of ML-DSA-44/65/87
Impemented FIPS 204 (Draft) Module-Lattice-Based Signature Standard.
Implementation include making a key, signing and verification.
Make key API added.
Updated liboqs calls to use ML-DSA implementation instead of Dilithium.
2024-06-19 21:27:01 +10:00