-Wdeclaration-after-statement to .github/workflows/pq-all.yml.
rearrange code/gating in wolfcrypt/src/wc_mlkem.c:mlkemkey_encapsulate() for
clarity and to fix a -Wdeclaration-after-statement.
also, made mlkem_encapsulate_c() and mlkem_encapsulate() return error code
(currently always zero) rather than void, for consistency.
configure.ac: fix Kyber/ML-KEM option setup.
defined, and issue a #error if no MPI backend gate is defined and NO_BIG_INT
is not defined either.
configure.ac:
* add support for FIPS lean-aesgcm[-{ready,dev}].
* implement handler for --enable-sha256.
* move setup for WOLFSSL_FIPS_DEV and WOLFSSL_FIPS_READY into the applicable
per-flavor sections.
* fix sensing of $ENABLED_AESGCM in FIPS setup clauses to pivot on `!= "no"`
rather than `= "yes"`, to accommodate "4bit" and other non-"yes" values.
* fix SNI_DEFAULT to be "no" if $ENABLED_TLS = no.
* fix ENABLED_DHDEFAULTPARAMS default to be $ENABLED_DH rather than yes.
wc_encrypt.c: add missing gates in wc_CryptKey() for NO_SHA256.
wolfcrypt/test/test.c: gating fixes for NO_SHA256.
wolfcrypt/benchmark/benchmark.c: basic fixes for building/running with
--disable-rng (-DWC_NO_RNG).
With the above additions and fixes, it's now a clean build, test, and benchmark,
with --disable-sha256 --enable-cryptonly --disable-hashdrbg --disable-rng
--disable-hmac, though RSA/DH/ECC benches are disabled.
ML-KEM/Kyber:
MakeKey call generate random once only for all data.
Allow MakeKey/Encapsulate/Decapsulate to be compiled separately.
Pull out public key decoding common to public and private key decode.
Put references to FIPS 140-3 into code. Rename variables to match FIPS
140-3.
Fix InvNTT assembly code for x64 - more reductions.
Split out ML-KEM/Kyber tests from api.c.
TLSX:
Store the object instead of the private key when WOLFSSL_MLKEM_CACHE_A
is defined or WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ. Faster decapsulation
when A is cached and object stored.
To store private key as normal define
WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY.
misc.c: when Intel x64 build, assume able to read/write unaligned
Matrix A is expensive to calculate.
Usage of ML-KEM/Kyber is
1. First peer generates a key and sends public to second peer.
2. Second peer encapsulates secret with public key and sends to first
peer.
3. First peer decapsulates (including encapsulating to ensure same as
seen) with key from key generation.
Caching A keeps the matrix A for encapsulation part of decapsulation.
The matrix needs to be transposed for encapsulation.
AES-GCM: don't generate M0 when using assembly unless falling back to C
and then use new assembly code.
HMAC: add option to copy hashes (--enable-hash-copy
-DWOLFSSL_HMAC_COPY_HASH) to improve performance when using the same key
for multiple operations.
XOR in random value to scalar and perform special scalar multiplication.
Multiply x3 and z3 by random value to randomize co-ordinates.
Add new APIs to support passing in an RNG.
Old APIs create a new RNG.
Only needed for the C implementations that are not small.
Modified TLS and OpenSSL compat API implementations to pass in RNG.
Fixed tests and benchmark program to pass in RNG.
AES-GCM: don't generate M0 when using assembly unless falling back to C
and then use new assembly code.
HMAC: add option to copy hashes (--enable-hash-copy
-DWOLFSSL_HMAC_COPY_HASH) to improve performance when using the same key
for multiple operations.
* Correct cmake script to support Open Watcom toolchain (#8167)
* Fix thread start callback prototype for Open Watcom toolchain (#8175)
* Added GitHub CI action for Windows/Linux/OS2
* Improvements for C89 compliance.
Thank you @jmalak for your contributions.
Implemented based on the NIST Initial Public Draft "NIST SP 800-232 ipd". Testing based on KAT's available at https://github.com/ascon/ascon-c. Added configuration for testing in github action.
Add assembly for Poly1305 using ARM32 NEON instruction set.
For Poly1305 ARM32 Base:
Change name from poly1305_blocks_arm32_16 to poly1305_arm32_blocks_16
poly1305.c:
ARM32 NEON - buffer up to 4 blocks
x86_64 - only calculate powers of r once after key is set.
test.c: poly1305 testing with multiple updates.
benchmark: chacha20-poly1305 now uses AAD
* activate WOLFSSL_NO_OPTIONS_H in linuxkm/Kbuild for in-module test.o and benchmark.o.
* refine explanatory comments in settings.h re WOLFSSL_USE_OPTIONS_H, WOLFSSL_NO_OPTIONS_H, and WOLFSSL_CUSTOM_CONFIG.
* add safety catch to options.h/options.h.in to inhibit inclusion if defined(WOLFSSL_NO_OPTIONS_H).
* for good measure, add explicit check for WOLFSSL_NO_OPTIONS_H to wolfcrypt/benchmark/benchmark.c and wolfcrypt/test/test.c.
* Fix to properly set configure.ac LMS/XMSS enables and build of those code files.
* Remove duplicate aes.c `wc_AesSetKeyLocal` call to `wc_AesSetIV`. Moved earlier in function in commit a10260ca5f.
* Benchmark missing time.h with NO_ASN_TIME.
* Added option to support disabling AES CFB 1/8 `WOLFSSL_NO_AES_CFB_1_8`.
* Fixes for building with combinations of `WOLFSSL_RSA_VERIFY_ONLY` and `WOLFSSL_RSA_PUBLIC_ONLY`.
* Fix for building `--enable-stacksize=verbose` with single threaded.
* Various tab and formatting cleanups.
ZD 18996
Daniel Pouzzner
David Garske
Anthony Hu
Alex Lanzano
Hideki Miyazaki
Kaleb Himes
JacobBarthelmeh
Sean Parkinson
Jiri Malak
Anthony Hu
Juliusz Sosinowicz
Andrew Hutchings
night1rider