Files
wolfssl/rpm/spec.in
T
Tobias Frauenschläger 9393d62591 Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test
certificates plus TLS 1.3 .conf scenarios that exercise the new
verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA
certificates signed with SLH-DSA, certificate signature verification
against an SLH-DSA root. TLS 1.3 entity authentication via
CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and
NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families
across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer,
  PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing
  4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested
  wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode
  and wc_Dilithium_PublicKeyDecode so callers (notably
  wolfssl_x509_make_der and ConfirmSignature, which pass the raw
  BIT STRING contents stashed by StoreKey) decode correctly. Honours
  the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/
  inOutIdx and only ForceZero the buffer half each helper actually
  writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import
  sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The
  pre-standardization OID-collision mechanism is removed since NIST
  OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN
  (rather than -1) for recognised SLH-DSA OIDs whose parameter set
  isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch
  surfaces this as a precise diagnostic instead of the generic
  "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is
  compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes
  alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and
  SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44
  entity keys (server + client), plus the gen script
  (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch:
  test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a
  wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der
  fixtures regenerated with wolfSSL's own encoder so the codec is
  pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw
  PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and
  Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment
  for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources,
  headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and
  certs_test.h; the .der files on disk drive the decode tests.
2026-04-30 18:32:07 +02:00

165 lines
5.6 KiB
Plaintext

Summary: Embedded SSL Library
Name: @PACKAGE@
Version: @VERSION@
Release: 1
License: GPLv3
Group: System Environment/Libraries
BuildRequires: gcc
BuildRequires: glibc
BuildRequires: glibc-common
BuildRequires: glibc-devel
BuildRequires: glibc-headers
BuildRequires: make
BuildRequires: pkgconfig
BuildRequires: sed
BuildRequires: tar
URL: http://www.wolfssl.com/
Packager: wolfSSL <support@wolfssl.com>
Source: http://wolfssl.com/%{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
%description
Misc tools for wolfSSL.
%package devel
Summary: Header files and development libraries for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
This package contains the header files and development libraries
for %{name}. If you like to develop programs using %{name},
you will need to install %{name}-devel.
%prep
%setup -q
%build
%configure @WOLFSSL_CONFIG_ARGS@
%{__make} %{?_smp_mflags}
if [ "@ENABLED_FIPS@" = "yes" ]
then
echo Updating wolfSSL FIPS hash
./fips-hash.sh
%{__make} %{?_smp_mflags}
fi
%install
%{__rm} -rf %{buildroot}
%{__make} install DESTDIR="%{buildroot}" AM_INSTALL_PROGRAM_FLAGS=""
%{__rm} -f %{buildroot}/%{_libdir}/libwolfssl@LIBSUFFIX@.la
%{__rm} -f %{buildroot}/%{_libdir}/libwolfssl.a
%{__cp} wolfssl/options.h %{buildroot}/%{_includedir}/%{name}/
%check
%clean
%{__rm} -rf %{buildroot}
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%defattr(-,root,root,-)
%doc AUTHORS ChangeLog.md COPYING README README.md
%{_docdir}/wolfssl/taoCert.txt
%{_docdir}/wolfssl/example/client.c
%{_docdir}/wolfssl/example/server.c
%{_docdir}/wolfssl/example/echoclient.c
%{_docdir}/wolfssl/example/echoserver.c
%{_docdir}/wolfssl/example/sctp-client.c
%{_docdir}/wolfssl/example/sctp-server.c
%{_docdir}/wolfssl/example/sctp-client-dtls.c
%{_docdir}/wolfssl/example/sctp-server-dtls.c
%{_docdir}/wolfssl/example/tls_bench.c
%{_docdir}/wolfssl/example/ocsp_responder.c
%{_docdir}/wolfssl/README.txt
%{_docdir}/wolfssl/QUIC.md
%{_libdir}/libwolfssl@LIBSUFFIX@.so.*
%files devel
%defattr(-,root,root,-)
%doc AUTHORS ChangeLog.md COPYING README README.md
%{_bindir}/wolfssl-config
%{_includedir}/wolfssl/*.h
%{_includedir}/wolfssl/wolfcrypt/*.h
%{_includedir}/wolfssl/openssl/*.h
%{_libdir}/pkgconfig/wolfssl.pc
%{_libdir}/libwolfssl@LIBSUFFIX@.so
%{_libdir}/cmake/wolfssl
%changelog
* Mon Oct 17 2022 Juliusz Sosinowicz <juliusz@wolfssl.com>
- Updates for building FIPS packages and general maintenance
* Tue Sep 27 2022 Jacob Barthelmeh <jacob@wolfssl.com>
- Add include of kyber headers
* Tue Aug 30 2022 Jacob Barthelmeh <jacob@wolfssl.com>
- Add include of QUIC documentation
* Wed Jul 20 2022 Anthony Hu <anthony@wolfssl.com>
- Add a new header dilithium.h.
* Fri Jul 8 2022 Jacob Barthelmeh <jacob@wolfssl.com>
- Add missing sp_int.h file
* Mon May 2 2022 Jacob Barthelmeh <jacob@wolfssl.com>
- Add missing kdf.h file
* Wed Feb 16 2022 John Safranek <john@wolfssl.com>
- Update for new release.
* Mon Dec 27 2021 Jacob Barthelmeh <jacob@wolfssl.com>
- Add a missing headers camellia.h, modes.h from compat layer.
- Add a missing header falcon.h.
* Mon Nov 01 2021 Jacob Barthelmeh <jacob@wolfssl.com>
- Add a missing headers cmac.h, compat_types.h from compat layer.
* Thu Jul 08 2021 Jacob Barthelmeh <jacob@wolfssl.com>
- Add a missing header eccsi, sakke.
* Thu Mar 25 2021 John Safranek <john@wolfssl.com>
- Add new header kdf.h
* Mon Aug 17 2020 John Safranek <john@wolfssl.com>
- Add a missing header.
- Update for release.
* Thu Apr 16 2020 John Safranek <john@wolfssl.com>
- Add some missing headers.
- Sort the file list.
* Thu Dec 19 2019 Jacob Barthelmeh <jacob@wolfssl.com>
- Add wolfssl/openssl/tls1.h, wolfssl/openssl/x509_vfy.h
* Fri Mar 15 2019 John Safranek <john@wolfssl.com>
- Updates for the v4 release.
* Thu Dec 20 2018 Jacob Barthelmeh <jacob@wolfssl.com>
- Remove wolfssl/wolfcrypt/fips.h, add wolfssl/openssl/pkcs7.h
* Wed Jun 20 2018 Jacob Barthelmeh <jacob@wolfssl.com>
- Remove NEWS, update ChangeLog to ChangeLog.md, remove wolfssl/wolfcrypt/fips.h, add wolfssl/wolfcrypt/cryptocb.h
* Thu May 31 2018 John Safranek <john@wolfssl.com>
- Update the version number on the library SO file.
* Fri Mar 02 2018 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header files fips.h, buffer.h, objects.h, rc4.h and example tls_bench.c
* Fri Sep 08 2017 Jacob Barthelmeh <jacob@wolfssl.com>
- Change name for header wolfssl/io.h to wolfssl/wolfio.h
* Fri Aug 04 2017 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for wolfssl/wolfcrypt/cpuid.h, wolfssl/wolfcrypt/sha3.h
* Thu May 04 2017 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for wolfssl/io.h, wolfssl/openssl/ssl23.h, cyassl/openssl/ssl23.h
* Thu Feb 09 2017 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for wolfssl/wolfcrypt/wolfmath.h
* Fri Nov 11 2016 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for wolfssl/openssl/aes.h
* Fri Oct 28 2016 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for pkcs12
* Fri Sep 23 2016 John Safranek <john@wolfssl.com>
- Add the dtls-sctp example sources
* Tue Jun 14 2016 Jacob Barthelmeh <jacob@wolfssl.com>
- Change location for mem_track.h header
- Added header for cmac.h
* Thu Mar 17 2016 Jacob Barthelmeh <jacob@wolfssl.com>
- Added header for mem_track.h
* Wed Dec 30 2015 Jacob Barthelmeh <jacob@wolfssl.com>
- Added headers for curve25519 and ed25519 openssl compatibility
- Added headers for Idea, srp, signature, and wc_encrypt
* Tue Mar 31 2015 John Safranek <john@wolfssl.com>
- Added recent new wolfcrypt headers for curve25519
* Fri Jan 09 2015 John Safranek <john@wolfssl.com>
- Update for cyassl->wolfssl name change
* Sat Oct 20 2012 Brian Aker <brian@tangent.org>
- Initial package