Add support for LMS and XMSS #352
wolfSSL/wolfssl#10488 is required for CI to pass
wolfSSL-Fenrir-bot
left a comment
Fenrir Automated Review — PR #352
Scan targets checked: wolfhsm-core-bugs, wolfhsm-crypto-bugs, wolfhsm-src
Findings: 3
3 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
res.keyId = wh_KeyId_TranslateToClient(keyId);
res.pubSize = pubLen32;
}
(void)wh_Server_DmaProcessClientAddress(
🟠 [Medium] DMA WRITE_POST called when WRITE_PRE failed or was skipped in LMS/XMSS handlers · Incorrect error handling
_HandleLmsKeyGenDma/_HandleXmssKeyGenDma unconditionally call wh_Server_DmaProcessClientAddress with WH_DMA_OPER_CLIENT_WRITE_POST and a NULL clientPubAddr whenever any earlier step (Init/SetParameters/MakeKey/Import/Commit/GetPubLen/WRITE_PRE) fails. The _HandleMlDsaSignDma pattern (line 5754) explicitly guards POST with if (sigAddr != NULL).
Fix: Guard the POST cleanup with if (clientPubAddr != NULL) to match the existing _HandleMlDsa*Dma pattern.
}
}

(void)wh_Server_DmaProcessClientAddress(
🟠 [Medium] Sign DMA POST cleanup called even when corresponding PRE failed · Incorrect error handling
_HandleLmsSignDma and _HandleXmssSignDma always invoke WH_DMA_OPER_CLIENT_WRITE_POST/READ_POST for sig/msg even when their PRE failed (sig PRE skipped if msg PRE failed; sig POST then runs with sigAddr == NULL). MlDsa equivalent guards each POST with a NULL check on the translated address.
Fix: Guard each POST cleanup with if (sigAddr != NULL) / if (msgAddr != NULL) so cache/DMA hooks only run for buffers that were successfully translated.
 * supported XMSS variant. The variants enabled in user_settings.h all
 * fit in 4 KiB, but use the wolfCrypt-reported priv length to be
 * exact. */
byte sk_buf[4096];
🟠 [Medium] XMSS private key copied into stack buffer is never zeroized · Missing ForceZero
sk_buf[4096] captures the freshly generated XMSS private key via _XmssKeygenWriteCb, but the local buffer is never zeroized before the function returns, leaving the secret on the stack to be observed by subsequent stack frames or in a crash dump.
Fix: Call ForceZero(sk_buf, sizeof(sk_buf)) (and clear sk_cap) on every exit path after the capture callback may have populated the buffer.
Requires wolfSSL/wolfssl#10380 to be merged first (done).
Adds support for "stateful" PQC using crypto callbacks added to wolfssl.
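The two cleanup patterns Fenrir flags above (running a *_POST hook only when its matching *_PRE succeeded, and wiping a stack copy of the private key on every exit path), as an added C model that is not wolfHSM's code: dma_pre/dma_post, secure_zero, handle_keygen_dma and handle_sign_dma are hypothetical stand-ins for wh_Server_DmaProcessClientAddress and ForceZero, the client address space is a constructed in-memory array, and the POST counters exist only to make the difference between guarded and unguarded cleanup observable.

```c
/* Added illustration, not wolfHSM code. dma_pre()/dma_post() stand in for
 * wh_Server_DmaProcessClientAddress with the *_PRE/*_POST operations and
 * secure_zero() for ForceZero(); every name here is a hypothetical stand-in. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed client address space: addresses below 0x1000 are unmapped, so
 * translating them fails the way a rejected WRITE_PRE/READ_PRE would. */
static uint8_t g_client_mem[0x2000];

static int g_post_calls;       /* POST hooks that ran               */
static int g_post_null_calls;  /* ...of which ran on a NULL address */

static void reset_counters(void) { g_post_calls = g_post_null_calls = 0; }

static int dma_pre(uintptr_t client_addr, size_t len, void **out)
{
    *out = NULL;
    if (client_addr < 0x1000 || client_addr + len > sizeof g_client_mem)
        return -1;
    *out = &g_client_mem[client_addr];
    return 0;
}

static void dma_post(void *addr)
{
    g_post_calls++;
    if (addr == NULL)
        g_post_null_calls++;
}

/* Zeroize through a volatile pointer so the compiler cannot drop the stores
 * as dead on the way out of the frame. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* Key-generation handler: a toy secret lands in sk[] before the DMA export.
 * sk is wiped on every exit path; WRITE_POST runs only if WRITE_PRE succeeded
 * (guarded == 1) or unconditionally (guarded == 0, the flagged pattern). */
static int handle_keygen_dma(uintptr_t pub_addr, int fail_keygen, int guarded)
{
    int rc;
    void *pub = NULL;
    uint8_t sk[64];

    memset(sk, 0xA5, sizeof sk);             /* "generated" private key */
    if (fail_keygen) { rc = -2; goto out; }  /* MakeKey/Import/Commit failure */

    rc = dma_pre(pub_addr, 4, &pub);         /* WRITE_PRE for the public key */
    if (rc != 0) goto out;
    memcpy(pub, "\x01\x02\x03\x04", 4);
    rc = 0;

out:
    if (guarded) { if (pub != NULL) dma_post(pub); }
    else dma_post(pub);                      /* POST on NULL when PRE failed */
    secure_zero(sk, sizeof sk);              /* single exit: covers failures too */
    return rc;
}

/* Sign handler with two buffers: if the msg READ_PRE fails, the sig WRITE_PRE
 * is skipped, so an unguarded sig POST runs on a NULL translation. */
static int handle_sign_dma(uintptr_t msg_addr, uintptr_t sig_addr, int guarded)
{
    int rc;
    void *msg = NULL, *sig = NULL;

    rc = dma_pre(msg_addr, 8, &msg);
    if (rc != 0) goto out;
    rc = dma_pre(sig_addr, 8, &sig);
    if (rc != 0) goto out;
    memcpy(sig, msg, 8);                     /* toy "signature": echo the message */
out:
    if (guarded) {
        if (sig != NULL) dma_post(sig);
        if (msg != NULL) dma_post(msg);
    } else {
        dma_post(sig);
        dma_post(msg);
    }
    return rc;
}

/* Returns 1 if a 0xA5-filled buffer is all zero after secure_zero(). */
static int zeroization_works(void)
{
    uint8_t buf[32];
    size_t i;
    memset(buf, 0xA5, sizeof buf);
    secure_zero(buf, sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != 0) return 0;
    return 1;
}

int main(void)
{
    reset_counters();
    handle_keygen_dma(0x10, 0, 0);           /* PRE fails, unguarded cleanup */
    printf("unguarded keygen: POST on NULL = %d\n", g_post_null_calls);
    reset_counters();
    handle_keygen_dma(0x10, 0, 1);           /* PRE fails, guarded cleanup */
    printf("guarded keygen:   POST calls   = %d\n", g_post_calls);
    printf("zeroization ok:   %d\n", zeroization_works());
    return 0;
}
```

Running with guarded == 0 reproduces the case in the first two findings (a POST hook invoked with a NULL translated address after the PRE failed or was skipped); the guarded variant is the shape of the suggested fix. The single out: label is what makes the zeroization apply to the early-return paths as well, which is the point of the third finding.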