Remove deprecated liblms and libxmss

CMakeLists.txt

@@ -700,10 +700,8 @@ add_option(WOLFSSL_LMSSHA256192
 
 if (WOLFSSL_LMS)
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_HAVE_LMS")
-    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_WC_LMS")
 
     set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
-    set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
 
     if (WOLFSSL_LMSSHA256192)
         list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_LMS_SHA256_192")

Docker/Dockerfile

@@ -34,10 +34,6 @@ RUN git clone --single-branch https://github.com/open-quantum-safe/liboqs.git &&
 
 RUN mkdir /opt/sources
 
-# install liblms
-RUN cd /opt/sources && git clone --single-branch https://github.com/cisco/hash-sigs.git && cd hash-sigs && git checkout b0631b8891295bf2929e68761205337b7c031726 \
-    && sed -i 's/USE_OPENSSL 1/USE_OPENSSL 0/g' sha256.h && make -j4 hss_lib_thread.a
-
 # Install pkixssh to /opt/pkixssh for X509 interop testing with wolfSSH
 RUN mkdir /var/empty
 RUN cd /opt/sources && wget -q -O- https://roumenpetrov.info/secsh/src/pkixssh-15.1.tar.gz | tar xzf - && cd pkixssh-15.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install

IDE/INTIME-RTOS/wolfssl-lib.vcxproj

@@ -87,8 +87,6 @@
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|INtime'">true</ExcludedFromBuild>
     </ClCompile>
     <ClCompile Include="..\..\wolfcrypt\src\ext_kyber.c" />
-    <ClCompile Include="..\..\wolfcrypt\src\ext_lms.c" />
-    <ClCompile Include="..\..\wolfcrypt\src\ext_xmss.c" />
     <ClCompile Include="..\..\wolfcrypt\src\falcon.c" />
     <ClCompile Include="..\..\wolfcrypt\src\fe_448.c" />
     <ClCompile Include="..\..\wolfcrypt\src\fips.c" />

INSTALL

@@ -296,11 +296,7 @@ The wolfssl port in vcpkg is kept up to date by wolfSSL.
 
 We also have vcpkg ports for wolftpm, wolfmqtt and curl.
 
-17. Building with hash-sigs lib for LMS/HSS support [EXPERIMENTAL]
-
-    Deprecated. wolfSSL now has its own LMS/HSS implementation in wolfCrypt.
-
-18. Building for Debian, Ubuntu, Linux Mint, and derivatives
+17. Building for Debian, Ubuntu, Linux Mint, and derivatives
 
     To generate a .deb package, configure wolfSSL with the desired
     configuration. Then run `make deb` to generate a Debian package
@@ -309,16 +305,11 @@ We also have vcpkg ports for wolftpm, wolfmqtt and curl.
     resulting packages are placed in the root directory of the
     project.
 
-19. Building for RHEL, Fedora, CentOS, SUSE, and openSUSE
+18. Building for RHEL, Fedora, CentOS, SUSE, and openSUSE
 
     To generate a .rpm package, configure wolfSSL with the desired
     configuration. Then run `make rpm` to generate a .rpm package
     with the current configuration. To build the package inside a
     Docker container, use `make rpm-docker`. In both cases the
     resulting packages are placed in the root directory of the
     project.
-
-20. Building with xmss-reference lib for XMSS/XMSS^MT support [EXPERIMENTAL]
-
-    Deprecated. wolfSSL now has its own XMMS/XMSS^MT implementation in
-    wolfCrypt.

configure.ac

@@ -1862,7 +1862,6 @@ then
 fi
 
 # XMSS
-ENABLED_WC_XMSS=no
 AC_ARG_ENABLE([xmss],
     [AS_HELP_STRING([--enable-xmss],[Enable stateful XMSS/XMSS^MT signatures (default: disabled)])],
     [ ENABLED_XMSS=$enableval ],
@@ -1888,73 +1887,12 @@ do
   esac
 done
 
-# libxmss
-# Get the path to xmss-reference.
-ENABLED_LIBXMSS="no"
-trylibxmssdir=""
-AC_ARG_WITH([libxmss],
-    [AS_HELP_STRING([--with-libxmss=PATH],[PATH to xmss-reference root dir. (requires --enable-experimental)!])],
-    [
-        AS_IF([ test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([libxmss requires --enable-experimental.]) ])
-        AC_MSG_CHECKING([for libxmss])
-
-        trylibxmssdir=$withval
-
-        if test -e $trylibxmssdir; then
-            libxmss_linked=yes
-        else
-            AC_MSG_ERROR([libxmss isn't found.
-            If it's already installed, specify its path using --with-libxmss=/dir/])
-        fi
-        if test "$XMSS_VERIFY_ONLY" = "yes"; then
-            if test -e $trylibxmssdir/xmss_verify_lib.a; then
-                CPPFLAGS="$AM_CPPFLAGS -DHAVE_LIBXMSS -I$trylibxmssdir"
-                LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibxmssdir/xmss_verify_lib.a"
-                enable_shared=no
-                enable_static=yes
-                libxmss_linked=yes
-            else
-                AC_MSG_ERROR([xmss_verify_lib.a isn't found.
-                If it's already installed, specify its path using --with-libxmss=/dir/])
-            fi
-        elif test -e $trylibxmssdir/xmss_lib.a; then
-            CPPFLAGS="$AM_CPPFLAGS -DHAVE_LIBXMSS -I$trylibxmssdir"
-            LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibxmssdir/xmss_lib.a"
-            enable_shared=no
-            enable_static=yes
-            libxmss_linked=yes
-        else
-            AC_MSG_ERROR([libxmss isn't found.
-            If it's already installed, specify its path using --with-libxmss=/dir/])
-        fi
-
-        XMSS_ROOT=$trylibxmssdir
-
-        AC_MSG_RESULT([yes])
-        AM_CPPFLAGS="$CPPFLAGS"
-
-        AM_CFLAGS="$AM_CFLAGS -DHAVE_LIBXMSS -I$trylibxmssdir"
-        ENABLED_LIBXMSS="yes"
-        AC_SUBST([XMSS_ROOT])
-    ],
-    [XMSS_ROOT=""]
-)
-
 if test "$ENABLED_XMSS" != "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_XMSS"
-
-    # Use hash-sigs XMSS lib if enabled.
-    if test "$ENABLED_LIBXMSS" = "yes"; then
-        ENABLED_WC_XMSS=no
-    else
-        ENABLED_WC_XMSS=yes
-        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_XMSS"
-    fi
 fi
 
 # LMS
-ENABLED_WC_LMS=no
 AC_ARG_ENABLE([lms],
     [AS_HELP_STRING([--enable-lms],[Enable stateful LMS/HSS signatures (default: disabled)])],
     [ ENABLED_LMS=$enableval ],
@@ -1986,85 +1924,9 @@ do
   esac
 done
 
-# liblms
-# Get the path to the hash-sigs LMS HSS lib.
-ENABLED_LIBLMS="no"
-tryliblmsdir=""
-AC_ARG_WITH([liblms],
-    [AS_HELP_STRING([--with-liblms=PATH],[PATH to hash-sigs LMS/HSS install (default /usr/local) (requires --enable-experimental)!])],
-    [
-        AS_IF([ test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([liblms requires --enable-experimental.]) ])
-        AC_MSG_CHECKING([for liblms])
-
-        AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <hss.h>]], [[ param_set_t lm_type; param_set_t lm_ots_type; hss_get_public_key_len(4, &lm_type, &lm_ots_type); ]])], [ liblms_linked=yes ],[ liblms_linked=no ])
-
-        if test "x$liblms_linked" = "xno" ; then
-            if test "x$withval" != "xno" ; then
-                tryliblmsdir=$withval
-            fi
-            if test "x$withval" = "xyes" ; then
-                tryliblmsdir="/usr/local"
-            fi
-
-            # 1. If verify only build, use hss_verify.a
-            # 2. If normal build, by default use single-threaded hss_lib.a
-            # 3. If 2 not found, then use the multi-threaded hss_lib_thread.a
-            if test "$LMS_VERIFY_ONLY" = "yes"; then
-                if test -e $tryliblmsdir/hss_verify.a; then
-                    CPPFLAGS="$AM_CPPFLAGS -DHAVE_LIBLMS -I$tryliblmsdir"
-                    LIB_STATIC_ADD="$LIB_STATIC_ADD $tryliblmsdir/hss_verify.a"
-                    enable_shared=no
-                    enable_static=yes
-                    liblms_linked=yes
-                else
-                    AC_MSG_ERROR([hss_verify.a isn't found.
-                    If it's already installed, specify its path using --with-liblms=/dir/])
-                fi
-            elif test -e $tryliblmsdir/hss_lib.a; then
-                CPPFLAGS="$AM_CPPFLAGS -DHAVE_LIBLMS -I$tryliblmsdir"
-                LIB_STATIC_ADD="$LIB_STATIC_ADD $tryliblmsdir/hss_lib.a"
-                enable_shared=no
-                enable_static=yes
-                liblms_linked=yes
-            elif test -e $tryliblmsdir/hss_lib_thread.a; then
-                CPPFLAGS="$AM_CPPFLAGS -DHAVE_LIBLMS -I$tryliblmsdir"
-                LIB_STATIC_ADD="$LIB_STATIC_ADD $tryliblmsdir/hss_lib_thread.a"
-                enable_shared=no
-                enable_static=yes
-                liblms_linked=yes
-            else
-                AC_MSG_ERROR([liblms isn't found.
-                If it's already installed, specify its path using --with-liblms=/dir/])
-            fi
-
-            if test "x$liblms_linked" = "xno" ; then
-                AC_MSG_ERROR([liblms isn't found.
-                If it's already installed, specify its path using --with-liblms=/dir/])
-            fi
-
-            AC_MSG_RESULT([yes])
-            AM_CPPFLAGS="$CPPFLAGS"
-            AM_LDFLAGS="$LDFLAGS"
-        else
-            AC_MSG_RESULT([yes])
-        fi
-
-        AM_CFLAGS="$AM_CFLAGS -DHAVE_LIBLMS"
-        ENABLED_LIBLMS="yes"
-    ]
-)
-
 if test "$ENABLED_LMS" != "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_LMS"
-
-    # Use hash-sigs LMS lib if enabled.
-    if test "$ENABLED_LIBLMS" = "yes"; then
-        ENABLED_WC_LMS=no
-    else
-        ENABLED_WC_LMS=yes
-        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_LMS"
-    fi
 fi
 
 # SLH-DSA
@@ -11597,8 +11459,8 @@ AM_CONDITIONAL([BUILD_FE448], [test "x$ENABLED_FE448" = "xyes" || test "x$ENABLE
 AM_CONDITIONAL([BUILD_GE448], [test "x$ENABLED_GE448" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_CURVE448],[test "x$ENABLED_CURVE448" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_CURVE448_SMALL],[test "x$ENABLED_CURVE448_SMALL" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
-AM_CONDITIONAL([BUILD_WC_LMS],[test "x$ENABLED_WC_LMS" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
-AM_CONDITIONAL([BUILD_WC_XMSS],[test "x$ENABLED_WC_XMSS" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
+AM_CONDITIONAL([BUILD_LMS],[test "x$ENABLED_LMS" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
+AM_CONDITIONAL([BUILD_XMSS],[test "x$ENABLED_XMSS" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_WC_SLHDSA],[test "x$ENABLED_SLHDSA" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_WC_MLKEM],[test "x$ENABLED_WC_MLKEM" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_DILITHIUM],[test "x$ENABLED_DILITHIUM" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
@@ -11647,8 +11509,6 @@ AM_CONDITIONAL([BUILD_OCSP_STAPLING_MULTI],[test "x$ENABLED_CERTIFICATE_STATUS_R
 AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
 AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_CRL_MONITOR],[test "x$ENABLED_CRL_MONITOR" = "xyes"])
-AM_CONDITIONAL([BUILD_LIBLMS],[test "x$ENABLED_LIBLMS" = "xyes"])
-AM_CONDITIONAL([BUILD_LIBXMSS],[test "x$ENABLED_LIBXMSS" = "xyes"])
 AM_CONDITIONAL([BUILD_LIBOQS],[test "x$ENABLED_LIBOQS" = "xyes"])
 AM_CONDITIONAL([BUILD_WNR],[test "x$ENABLED_WNR" = "xyes"])
 AM_CONDITIONAL([BUILD_SRP],[test "x$ENABLED_SRP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
@@ -12148,12 +12008,7 @@ echo "   * CURVE448:                   $ENABLED_CURVE448"
 echo "   * ED448:                      $ENABLED_ED448"
 echo "   * ED448 streaming:            $ENABLED_ED448_STREAM"
 echo "   * LMS:                        $ENABLED_LMS"
-echo "   * LMS wolfSSL impl:           $ENABLED_WC_LMS"
 echo "   * XMSS:                       $ENABLED_XMSS"
-echo "   * XMSS wolfSSL impl:          $ENABLED_WC_XMSS"
-if test "$ENABLED_LIBXMSS" = "yes"; then
-echo "   * XMSS_ROOT:                  $XMSS_ROOT"
-fi
 echo "   * SLH-DSA                     $ENABLED_SLHDSA"
 echo "   * MLKEM:                      $ENABLED_MLKEM"
 echo "   * MLKEM wolfSSL impl:         $ENABLED_WC_MLKEM"
@@ -12214,8 +12069,6 @@ echo "   * Persistent session cache:   $ENABLED_SAVESESSION"
 echo "   * Persistent cert    cache:   $ENABLED_SAVECERT"
 echo "   * Atomic User Record Layer:   $ENABLED_ATOMICUSER"
 echo "   * Public Key Callbacks:       $ENABLED_PKCALLBACKS"
-echo "   * libxmss:                    $ENABLED_LIBXMSS"
-echo "   * liblms:                     $ENABLED_LIBLMS"
 echo "   * liboqs:                     $ENABLED_LIBOQS"
 echo "   * Whitewood netRandom:        $ENABLED_WNR"
 echo "   * Server Name Indication:     $ENABLED_SNI"

examples/configs/user_settings_pq.h

@@ -105,7 +105,6 @@ extern "C" {
 /* ------------------------------------------------- */
 #if 0 /* LMS signatures */
     #define WOLFSSL_HAVE_LMS
-    #define WOLFSSL_WC_LMS
     #ifndef LMS_LEVELS
         #define LMS_LEVELS 2
     #endif
@@ -122,7 +121,6 @@ extern "C" {
 /* ------------------------------------------------- */
 #if 0 /* XMSS signatures */
     #define WOLFSSL_HAVE_XMSS
-    #define WOLFSSL_WC_XMSS
     #ifndef WOLFSSL_XMSS_MAX_HEIGHT
         #define WOLFSSL_XMSS_MAX_HEIGHT 20
     #endif

examples/configs/user_settings_wolfboot_keytools.h

@@ -131,7 +131,6 @@ extern "C" {
 
 #if 1 /* LMS */
     #define WOLFSSL_HAVE_LMS
-    #define WOLFSSL_WC_LMS
     #ifndef LMS_LEVELS
         #define LMS_LEVELS 1
     #endif
@@ -145,7 +144,6 @@ extern "C" {
 
 #if 1 /* XMSS */
     #define WOLFSSL_HAVE_XMSS
-    #define WOLFSSL_WC_XMSS
     #ifndef WOLFSSL_XMSS_MAX_HEIGHT
         #define WOLFSSL_XMSS_MAX_HEIGHT 32
     #endif

linuxkm/module_exports.c.template

@@ -159,20 +159,12 @@
 #endif
 #if defined(WOLFSSL_HAVE_XMSS)
     #include <wolfssl/wolfcrypt/xmss.h>
-#ifdef HAVE_LIBXMSS
-    #include <wolfssl/wolfcrypt/ext_xmss.h>
-#else
     #include <wolfssl/wolfcrypt/wc_xmss.h>
 #endif
-#endif
 #if defined(WOLFSSL_HAVE_LMS)
     #include <wolfssl/wolfcrypt/lms.h>
-#ifdef HAVE_LIBLMS
-    #include <wolfssl/wolfcrypt/ext_lms.h>
-#else
     #include <wolfssl/wolfcrypt/wc_lms.h>
 #endif
-#endif
 #ifdef HAVE_DILITHIUM
     #include <wolfssl/wolfcrypt/dilithium.h>
 #endif

src/include.am

@@ -1442,12 +1442,12 @@ endif BUILD_INTELASM
 endif !BUILD_X86_ASM
 endif
 
-if BUILD_WC_LMS
+if BUILD_LMS
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_lms.c
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_lms_impl.c
 endif
 
-if BUILD_WC_XMSS
+if BUILD_XMSS
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_xmss.c
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_xmss_impl.c
 endif
@@ -1597,14 +1597,6 @@ src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ext_mlkem.c
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/liboqs/liboqs.c
 endif
 
-if BUILD_LIBLMS
-src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ext_lms.c
-endif
-
-if BUILD_LIBXMSS
-src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ext_xmss.c
-endif
-
 if BUILD_LIBZ
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/compress.c
 endif

tests/api.c

@@ -35399,8 +35399,7 @@ int stopOnFail = 0;
 int test_wc_LmsKey_sign_verify(void);
 int test_wc_LmsKey_reload_cache(void);
 
-#if defined(WOLFSSL_HAVE_LMS) && defined(WOLFSSL_WC_LMS) && \
-    !defined(WOLFSSL_LMS_VERIFY_ONLY)
+#if defined(WOLFSSL_HAVE_LMS) && !defined(WOLFSSL_LMS_VERIFY_ONLY)
 
 #include <wolfssl/wolfcrypt/wc_lms.h>
 #include <wolfssl/wolfcrypt/lms.h>
@@ -35456,7 +35455,7 @@ static int test_lms_init_key(LmsKey* key, WC_RNG* rng)
     return 0;
 }
 
-#endif /* WOLFSSL_HAVE_LMS && WOLFSSL_WC_LMS && !WOLFSSL_LMS_VERIFY_ONLY */
+#endif /* WOLFSSL_HAVE_LMS && !WOLFSSL_LMS_VERIFY_ONLY */
 
 /*
  * Test basic LMS sign/verify with multiple signings.
@@ -35465,8 +35464,7 @@ static int test_lms_init_key(LmsKey* key, WC_RNG* rng)
 int test_wc_LmsKey_sign_verify(void)
 {
     EXPECT_DECLS;
-#if defined(WOLFSSL_HAVE_LMS) && defined(WOLFSSL_WC_LMS) && \
-    !defined(WOLFSSL_LMS_VERIFY_ONLY)
+#if defined(WOLFSSL_HAVE_LMS) && !defined(WOLFSSL_LMS_VERIFY_ONLY)
     LmsKey  key;
     WC_RNG  rng;
     byte    msg[] = "test message for LMS signing";
@@ -35515,8 +35513,7 @@ int test_wc_LmsKey_sign_verify(void)
 int test_wc_LmsKey_reload_cache(void)
 {
     EXPECT_DECLS;
-#if defined(WOLFSSL_HAVE_LMS) && defined(WOLFSSL_WC_LMS) && \
-    !defined(WOLFSSL_LMS_VERIFY_ONLY)
+#if defined(WOLFSSL_HAVE_LMS) && !defined(WOLFSSL_LMS_VERIFY_ONLY)
     LmsKey  key;
     LmsKey  vkey;
     WC_RNG  rng;