wolfSSL
diff --git a/‎INSTALL‎
Lines changed: 42 additions & 1 deletion b/‎INSTALL‎
Lines changed: 42 additions & 1 deletion
diff --git a/‎configure.ac‎
Lines changed: 80 additions & 0 deletions b/‎configure.ac‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎src/include.am‎
Lines changed: 12 additions & 0 deletions b/‎src/include.am‎
Lines changed: 12 additions & 0 deletions
@@ -371,7 +371,7 @@ We also have vcpkg ports for wolftpm, wolfmqtt and curl.
     resulting packages are placed in the root directory of the
     project.
 
-18. Building for RHEL, Fedora, CentOS, SUSE, and openSUSE
+19. Building for RHEL, Fedora, CentOS, SUSE, and openSUSE
 
     To generate a .rpm package, configure wolfSSL with the desired
     configuration. Then run `make rpm` to generate a .rpm package
@@ -380,3 +380,44 @@ We also have vcpkg ports for wolftpm, wolfmqtt and curl.
     resulting packages are placed in the root directory of the
     project.
 
+20. Building with xmss-reference lib for XMSS/XMSS^MT support [EXPERIMENTAL]
+
+    Experimental support for XMSS/XMSS^MT has been achieved by integration
+    with the xmss-reference implementation from RFC 8391 (XMSS: eXtended
+    Merkle Signature Scheme). We support a patched version of xmss-reference
+    based on this git commit:
+      171ccbd26f098542a67eb5d2b128281c80bd71a6
+    At the time of writing this, this is the HEAD of the master branch of
+    the xmss-reference project.
+
+    How to get the xmss-reference library:
+      $ mkdir ~/xmss
+      $ cd ~/xmss
+      $ git clone https://github.com/XMSS/xmss-reference.git src
+      $ cd src
+      $ git checkout 171ccbd26f098542a67eb5d2b128281c80bd71a6
+      $ git apply <path to xmss reference patch>
+
+    The patch may be found in the wolfssl-examples repo here:
+      pq/stateful_hash_sig/0001-Patch-to-support-xmss-reference-integration.patch
+
+    Note that this patch adds wolfCrypt SHA256 hashing to xmss-reference, and
+    thus benefits from all the same asm speedups as wolfCrypt SHA hashing.
+    Depending on architecture you may build with --enable-intelasm, or
+    and --enable-armasm, and see 30-50% speedups in XMSS/XMSS^MT.
+
+    For full keygen, signing, verifying, and benchmarking support, build
+    wolfSSL with:
+      $ ./configure \
+          --enable-xmss \
+          --with-libxmss=<path to xmss src dir>
+      $ make
+
+    Run the benchmark against XMSS/XMSS^MT with:
+      $ ./wolfcrypt/benchmark/benchmark -xmss_xmssmt
+
+    For a leaner xmss verify-only build, build with
+      $ ./configure \
+          --enable-xmss=verify-only \
+          --with-libxmss=<path to xmss src dir>
+      $ make
@@ -1141,6 +1141,79 @@ then
 fi
 
 
+# XMSS
+AC_ARG_ENABLE([xmss],
+    [AS_HELP_STRING([--enable-xmss],[Enable stateful XMSS/XMSS^MT signatures (default: disabled)])],
+    [ ENABLED_XMSS=$enableval ],
+    [ ENABLED_XMSS=no ]
+    )
+
+ENABLED_WC_XMSS=no
+for v in `echo $ENABLED_XMSS | tr "," " "`
+do
+  case $v in
+  yes)
+    ;;
+  no)
+    ;;
+  verify-only)
+    XMSS_VERIFY_ONLY=yes
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_XMSS_VERIFY_ONLY -DXMSS_VERIFY_ONLY"
+    ;;
+  wolfssl)
+    ENABLED_WC_XMSS=yes
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_XMSS"
+    ;;
+  *)
+    AC_MSG_ERROR([Invalid choice for XMSS []: $ENABLED_XMSS.])
+    break;;
+  esac
+done
+
+if test "$ENABLED_XMSS" != "no"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_XMSS"
+
+    if test "$ENABLED_WC_XMSS" = "no";
+    then
+        # Default is to use hash-sigs XMSS lib. Make sure it's enabled.
+        if test "$ENABLED_LIBXMSS" = "no"; then
+            AC_MSG_ERROR([The default implementation for XMSS is the xmss-reference lib.
+            Please use --with-libxmss.])
+        fi
+    fi
+fi
+
+# libxmss
+# Get the path to xmss-reference.
+ENABLED_LIBXMSS="no"
+trylibxmssdir=""
+AC_ARG_WITH([libxmss],
+    [AS_HELP_STRING([--with-libxmss=PATH],[PATH to xmss-reference root dir. EXPERIMENTAL!])],
+    [
+        AC_MSG_CHECKING([for libxmss])
+
+        trylibxmssdir=$withval
+
+        if test -e $trylibxmssdir; then
+            libxmss_linked=yes
+        else
+            AC_MSG_ERROR([libxmss isn't found.
+            If it's already installed, specify its path using --with-libxmss=/dir/])
+        fi
+
+        XMSS_ROOT=$trylibxmssdir
+
+        AC_MSG_RESULT([yes])
+
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_LIBXMSS -I$trylibxmssdir"
+        ENABLED_LIBXMSS="yes"
+        AC_SUBST([XMSS_ROOT])
+    ],
+    [XMSS_ROOT=""]
+)
+
+
 # LMS
 AC_ARG_ENABLE([lms],
     [AS_HELP_STRING([--enable-lms],[Enable stateful LMS/HSS signatures (default: disabled)])],
@@ -8999,6 +9072,7 @@ AM_CONDITIONAL([BUILD_CRL_MONITOR],[test "x$ENABLED_CRL_MONITOR" = "xyes"])
 AM_CONDITIONAL([BUILD_USER_RSA],[test "x$ENABLED_USER_RSA" = "xyes"] )
 AM_CONDITIONAL([BUILD_USER_CRYPTO],[test "x$ENABLED_USER_CRYPTO" = "xyes"])
 AM_CONDITIONAL([BUILD_LIBLMS],[test "x$ENABLED_LIBLMS" = "xyes"])
+AM_CONDITIONAL([BUILD_LIBXMSS],[test "x$ENABLED_LIBXMSS" = "xyes"])
 AM_CONDITIONAL([BUILD_LIBOQS],[test "x$ENABLED_LIBOQS" = "xyes"])
 AM_CONDITIONAL([BUILD_WNR],[test "x$ENABLED_WNR" = "xyes"])
 AM_CONDITIONAL([BUILD_SRP],[test "x$ENABLED_SRP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
@@ -9431,6 +9505,11 @@ echo "   * ED448:                      $ENABLED_ED448"
 echo "   * ED448 streaming:            $ENABLED_ED448_STREAM"
 echo "   * LMS:                        $ENABLED_LMS"
 echo "   * LMS wolfSSL impl:           $ENABLED_WC_LMS"
+echo "   * XMSS:                       $ENABLED_XMSS"
+echo "   * XMSS wolfSSL impl:          $ENABLED_WC_XMSS"
+if test "$ENABLED_LIBXMSS" = "yes"; then
+echo "   * XMSS_ROOT:                  $XMSS_ROOT"
+fi
 echo "   * KYBER:                      $ENABLED_KYBER"
 echo "   * KYBER wolfSSL impl:         $ENABLED_WC_KYBER"
 echo "   * ECCSI                       $ENABLED_ECCSI"
@@ -9486,6 +9565,7 @@ echo "   * Persistent session cache:   $ENABLED_SAVESESSION"
 echo "   * Persistent cert    cache:   $ENABLED_SAVECERT"
 echo "   * Atomic User Record Layer:   $ENABLED_ATOMICUSER"
 echo "   * Public Key Callbacks:       $ENABLED_PKCALLBACKS"
+echo "   * libxmss:                    $ENABLED_LIBXMSS"
 echo "   * liblms:                     $ENABLED_LIBLMS"
 echo "   * liboqs:                     $ENABLED_LIBOQS"
 echo "   * Whitewood netRandom:        $ENABLED_WNR"
 
@@ -807,6 +807,18 @@ if BUILD_LIBLMS
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ext_lms.c
 endif
 
+if BUILD_LIBXMSS
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ext_xmss.c
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(XMSS_ROOT)/params.c
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(XMSS_ROOT)/thash.c
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(XMSS_ROOT)/hash_address.c
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(XMSS_ROOT)/wots.c
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(XMSS_ROOT)/xmss.c
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(XMSS_ROOT)/xmss_core_fast.c
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(XMSS_ROOT)/xmss_commons.c
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += $(XMSS_ROOT)/utils.c
+endif
+
 if BUILD_LIBZ
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/compress.c
 endif