Commit bb40201
SLH-DSA cert layer: address review feedback (round 2)

Addresses the second-round review of fac240d:

ConfirmSignature SLH-DSA arm: deleted the orphaned word32 idx
declaration and (void)idx cast. Tightened the comment to flag that
this changes verify behaviour for ALL SLH-DSA variants (SHAKE +
SHA-2), since the prior code path was never working in either case.

Dispatch gating in slhdsa_keytype_to_param() and
slhdsa_param_to_keytype() now uses per-variant macros
(WOLFSSL_SLHDSA_PARAM_NO_SHA2_*S/F) matching the SlhDsaParams[] table,
not the axis macros (_128/_192/_256/_SMALL/_FAST). A user_settings.h
that disables a single SHA-2 variant via the per-variant macro alone
no longer leaves the dispatch pointing at a parameter set that
slhdsa_find_params() will not find.

Added SLHDSA_SHA2_OID_CASE_LABELS to wolfssl/wolfcrypt/asn.h so the
six SHA-2 OID case labels exist as a single definition. Used at the
four sites that previously open-coded the list (NOT_COMPILED_IN tail
in slhdsa_keytype_to_param; SIG_STATE_KEY / SIG_STATE_DO /
SIG_STATE_CHECK arms in ConfirmSignature).

scripts/gen-slhdsa-fixtures.c: deterministic. Switched from
wc_SlhDsaKey_MakeKey(rng) to MakeKeyWithRandom() with fixed
per-variant fill bytes for SK.seed, SK.prf, PK.seed. Re-running the
generator now produces byte-identical .der files. Wired into
autotools as a noinst_PROGRAMS target so it builds with `make` (no
more bespoke gcc invocation in the header) under
--enable-slhdsa --enable-keygen --enable-certgen. All twelve
bench_slhdsa_*_key.der fixtures regenerated deterministically.

scripts/slhdsa-interop.test:
- Honours $(top_builddir) / $(top_srcdir) when run from automake
  so out-of-tree builds find the helper binary.
- Counts PROBE-OK in the summary so totals balance to 24 (12
  variants x 2 stages) when the OQS path runs successfully.
- Aborts on rc=99 (framework error) from the helper rather than
  treating it as a regular FAIL.
- Comment on the note_* helpers warns the next maintainer that the
  counters are shell-local and a subshell wrapper would zero them.

wolfcrypt/test/slhdsa_interop_one: returns 99 (automake hard error)
for unknown-variant or wrong-arg-count, so a typo in a future driver
won't be misclassified as a per-variant test FAIL. Added a sister-
function pointer to test_wc_slhdsa_cert_roundtrip so future API
changes can find both copies.

DISTCLEANFILES: added wolfcrypt/test/.libs/slhdsa_interop_one and
scripts/.libs/gen-slhdsa-fixtures so `make distclean` sweeps them.

tests/api/test_slhdsa.c: removed the leftover <wolfssl/ssl.h>
include (the CertManager attempt was abandoned in the previous round
but the include lingered).

Verified: all 13 SLH-DSA unit tests pass; scripts/slhdsa-interop.test
reports 12 PASS / 0 FAIL / 0 SKIP-LOCAL / 0 PROBE-OK / 12 SKIP-EXTERNAL
with balanced totals; gen-slhdsa-fixtures produces byte-stable
fixtures across re-runs.

https://claude.ai/code/session_01QV3GAEfzRSTiGsptuh8kdD1

parent b0f7c15
commit bb40201
22 files changed
Lines changed: 210 additions & 117 deletions
Binary file not shown.
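
The rc=99 abort and the shell-local counter caveat from the commit message, shown as an added example that is not wolfSSL's scripts/slhdsa-interop.test. `run_one`, `classify`, `run_all` and the variant names are hypothetical stand-ins for the helper binary and its driver; exit code 77 for a skip follows the usual automake convention.

```shell
#!/bin/sh
# Added illustration; names are hypothetical, not the project's own script.
# run_one stands in for the per-variant helper: 0 pass, 1 fail,
# 77 skip, 99 framework error (unknown variant).
run_one() {
    case "$1" in
        good-*) return 0 ;;
        bad-*)  return 1 ;;
        skip-*) return 77 ;;
        *)      return 99 ;;   # a driver typo, not a test result
    esac
}

pass=0; fail=0; skip=0

# The note_* helpers change variables of the current shell only; called
# inside ( ... ) or $( ... ) their increments are lost on return.
note_pass() { pass=$((pass + 1)); }
note_fail() { fail=$((fail + 1)); }
note_skip() { skip=$((skip + 1)); }

# classify: run one variant and record the outcome. Returns 99 on a
# framework error so the caller stops instead of counting a FAIL.
classify() {
    rc=0
    run_one "$1" || rc=$?
    case "$rc" in
        0)  note_pass ;;
        77) note_skip ;;
        99) return 99 ;;
        *)  note_fail ;;
    esac
    return 0
}

# run_all: reset the counters, run every variant, abort on rc=99,
# then print a summary line.
run_all() {
    pass=0; fail=0; skip=0
    for v in "$@"; do
        classify "$v" || return 99
    done
    echo "$pass PASS / $fail FAIL / $skip SKIP"
}

# Constructed sample run.
run_all good-a bad-b skip-c
```

Capturing the summary with `out=$(run_all ...)` prints correct totals but leaves the caller's `pass`, `fail` and `skip` untouched, which is the subshell pitfall the commit message warns about.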