mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 22:20:49 +02:00
9393d62591
Replace the liboqs-based pre-standardization SPHINCS+ implementation with the native FIPS 205 SLH-DSA implementation across the certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test certificates plus TLS 1.3 .conf scenarios that exercise the new verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA certificates signed with SLH-DSA, certificate signature verification against an SLH-DSA root. TLS 1.3 entity authentication via CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer, PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing 4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode and wc_Dilithium_PublicKeyDecode so callers (notably wolfssl_x509_make_der and ConfirmSignature, which pass the raw BIT STRING contents stashed by StoreKey) decode correctly. Honours the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/inOutIdx and only ForceZero the buffer half each helper actually writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The pre-standardization OID-collision mechanism is removed since NIST OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN (rather than -1) for recognised SLH-DSA OIDs whose parameter set isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch surfaces this as a precise diagnostic instead of the generic "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44 entity keys (server + client), plus the gen script (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch: test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der fixtures regenerated with wolfSSL's own encoder so the codec is pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources, headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and certs_test.h; the .der files on disk drive the decode tests.
165 lines
5.6 KiB
Plaintext
Summary: Embedded SSL Library
Name: @PACKAGE@
Version: @VERSION@
Release: 1
License: GPLv3
Group: System Environment/Libraries
BuildRequires: gcc
BuildRequires: glibc
BuildRequires: glibc-common
BuildRequires: glibc-devel
BuildRequires: glibc-headers
BuildRequires: make
BuildRequires: pkgconfig
BuildRequires: sed
BuildRequires: tar
URL: http://www.wolfssl.com/

Packager: wolfSSL <support@wolfssl.com>

Source: http://wolfssl.com/%{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot

%description
Misc tools for wolfSSL.

%package devel
Summary: Header files and development libraries for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}

%description devel
This package contains the header files and development libraries
for %{name}. If you like to develop programs using %{name},
you will need to install %{name}-devel.

%prep
%setup -q

%build
%configure @WOLFSSL_CONFIG_ARGS@
%{__make} %{?_smp_mflags}
if [ "@ENABLED_FIPS@" = "yes" ]
then
    echo Updating wolfSSL FIPS hash
    ./fips-hash.sh
    %{__make} %{?_smp_mflags}
fi

%install
%{__rm} -rf %{buildroot}
%{__make} install DESTDIR="%{buildroot}" AM_INSTALL_PROGRAM_FLAGS=""
%{__rm} -f %{buildroot}/%{_libdir}/libwolfssl@LIBSUFFIX@.la
%{__rm} -f %{buildroot}/%{_libdir}/libwolfssl.a
%{__cp} wolfssl/options.h %{buildroot}/%{_includedir}/%{name}/

%check


%clean
%{__rm} -rf %{buildroot}

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%files
%defattr(-,root,root,-)
%doc AUTHORS ChangeLog.md COPYING README README.md
%{_docdir}/wolfssl/taoCert.txt
%{_docdir}/wolfssl/example/client.c
%{_docdir}/wolfssl/example/server.c
%{_docdir}/wolfssl/example/echoclient.c
%{_docdir}/wolfssl/example/echoserver.c
%{_docdir}/wolfssl/example/sctp-client.c
%{_docdir}/wolfssl/example/sctp-server.c
%{_docdir}/wolfssl/example/sctp-client-dtls.c
%{_docdir}/wolfssl/example/sctp-server-dtls.c
%{_docdir}/wolfssl/example/tls_bench.c
%{_docdir}/wolfssl/example/ocsp_responder.c
%{_docdir}/wolfssl/README.txt
%{_docdir}/wolfssl/QUIC.md
%{_libdir}/libwolfssl@LIBSUFFIX@.so.*

%files devel
%defattr(-,root,root,-)
%doc AUTHORS ChangeLog.md COPYING README README.md
%{_bindir}/wolfssl-config
%{_includedir}/wolfssl/*.h
%{_includedir}/wolfssl/wolfcrypt/*.h
%{_includedir}/wolfssl/openssl/*.h
%{_libdir}/pkgconfig/wolfssl.pc
%{_libdir}/libwolfssl@LIBSUFFIX@.so
%{_libdir}/cmake/wolfssl

%changelog
* Mon Oct 17 2022 Juliusz Sosinowicz <juliusz@wolfssl.com>
- Updates for building FIPS packages and general maintenance
* Tue Sep 27 2022 Jacob Barthelmeh <jacob@wolfssl.com>
- Add include of kyber headers
* Tue Aug 30 2022 Jacob Barthelmeh <jacob@wolfssl.com>
- Add include of QUIC documentation
* Wed Jul 20 2022 Anthony Hu <anthony@wolfssl.com>
- Add a new header dilithium.h.
* Fri Jul 8 2022 Jacob Barthelmeh <jacob@wolfssl.com>
- Add missing sp_int.h file
* Mon May 2 2022 Jacob Barthelmeh <jacob@wolfssl.com>
- Add missing kdf.h file
* Wed Feb 16 2022 John Safranek <john@wolfssl.com>
- Update for new release.
* Mon Dec 27 2021 Jacob Barthelmeh <jacob@wolfssl.com>
- Add a missing headers camellia.h, modes.h from compat layer.
- Add a missing header falcon.h.
* Mon Nov 01 2021 Jacob Barthelmeh <jacob@wolfssl.com>
- Add a missing headers cmac.h, compat_types.h from compat layer.
* Thu Jul 08 2021 Jacob Barthelmeh <jacob@wolfssl.com>
- Add a missing header eccsi, sakke.
* Thu Mar 25 2021 John Safranek <john@wolfssl.com>
- Add new header kdf.h
* Mon Aug 17 2020 John Safranek <john@wolfssl.com>
- Add a missing header.
- Update for release.
* Thu Apr 16 2020 John Safranek <john@wolfssl.com>
- Add some missing headers.
- Sort the file list.
* Thu Dec 19 2019 Jacob Barthelmeh <jacob@wolfssl.com>
- Add wolfssl/openssl/tls1.h, wolfssl/openssl/x509_vfy.h
* Fri Mar 15 2019 John Safranek <john@wolfssl.com>
- Updates for the v4 release.
* Thu Dec 20 2018 Jacob Barthelmeh <jacob@wolfssl.com>
- Remove wolfssl/wolfcrypt/fips.h, add wolfssl/openssl/pkcs7.h
* Wed Jun 20 2018 Jacob Barthelmeh <jacob@wolfssl.com>
- Remove NEWS, update ChangeLog to ChangeLog.md, remove wolfssl/wolfcrypt/fips.h, add wolfssl/wolfcrypt/cryptocb.h
* Thu May 31 2018 John Safranek <john@wolfssl.com>
- Update the version number on the library SO file.
* Fri Mar 02 2018 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header files fips.h, buffer.h, objects.h, rc4.h and example tls_bench.c
* Fri Sep 08 2017 Jacob Barthelmeh <jacob@wolfssl.com>
- Change name for header wolfssl/io.h to wolfssl/wolfio.h
* Fri Aug 04 2017 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for wolfssl/wolfcrypt/cpuid.h, wolfssl/wolfcrypt/sha3.h
* Thu May 04 2017 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for wolfssl/io.h, wolfssl/openssl/ssl23.h, cyassl/openssl/ssl23.h
* Thu Feb 09 2017 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for wolfssl/wolfcrypt/wolfmath.h
* Fri Nov 11 2016 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for wolfssl/openssl/aes.h
* Fri Oct 28 2016 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for pkcs12
* Fri Sep 23 2016 John Safranek <john@wolfssl.com>
- Add the dtls-sctp example sources
* Tue Jun 14 2016 Jacob Barthelmeh <jacob@wolfssl.com>
- Change location for mem_track.h header
- Added header for cmac.h
* Thu Mar 17 2016 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for mem_track.h
* Wed Dec 30 2015 Jacob Barthelmeh <jacob@wolfssl.com>
- Added headers for curve25519 and ed25519 openssl compatibility
- Added headers for Idea, srp, signature, and wc_encrypt
* Tue Mar 31 2015 John Safranek <john@wolfssl.com>
- Added recent new wolfcrypt headers for curve25519
* Fri Jan 09 2015 John Safranek <john@wolfssl.com>
- Update for cyassl->wolfssl name change
* Sat Oct 20 2012 Brian Aker <brian@tangent.org>
- Initial package