RFC 9802: tighten ImportPubRaw_ex, doc fixes, more negative tests

Tightening
  * wc_XmssKey_ImportPubRaw_ex now rejects an is_xmssmt hint that
    contradicts a pre-set key->is_xmssmt with BAD_FUNC_ARG, instead
    of silently ignoring it. The OID-only check that already exists
    catches a wrong-numeric-OID case but cannot distinguish XMSS oid
    1 from XMSS^MT oid 1.
  * The MIN/MAX_HEIGHT compile-time guards in the auto-derive branch
    now have explicit #else arms that document the dead-code path
    (and silence -Wunused on the local oid).

Docs
  * Update doxygen on wc_LmsKey_ImportPubRaw to describe the
    auto-derive behaviour and its return codes.
  * Update doxygen on wc_LmsKey_GetSigLen to mention the
    key->params == NULL precondition.
  * Cross-reference wc_XmssKey_ImportPubRaw_ex from the plain
    wc_XmssKey_ImportPubRaw doxygen.

Tests
  * New PARMSET-mismatch test for wc_XmssKey_ImportPubRaw_ex covers
    both an OID-prefix mismatch and an is_xmssmt-hint mismatch
    (locks in the new tightening).
  * New partial-write invariant test for wc_LmsKey_ImportPubRaw
    builds a buffer with valid type bytes but truncated length, and
    asserts key->params is still NULL after the BUFFER_E return.
  * rfc9802_load_file gains a named RFC9802_TEST_MAX_CERT_SIZE
    constant, uses size_t for the XFREAD return compare, and the
    junk[] buffer in rfc9802_xmss_import_negative is XMEMSET-zeroed
    (project convention) instead of using {0}.

https://claude.ai/code/session_01SnSQMb145Hkyyf7hQQQ8cq

Author: claude

tests/api.c

@@ -35807,13 +35807,19 @@ int test_wc_LmsKey_reload_cache(void)
  * STRING, so the fixtures were produced with a small generator that
  * overrides the AlgorithmIdentifier and SPKI to match RFC 9802. */
 #if defined(WOLFSSL_HAVE_LMS) || defined(WOLFSSL_HAVE_XMSS)
+/* Sanity bound on a test fixture cert. The largest BC-generated
+ * fixture we ship (XMSS^MT 40/8) is ~19 KiB; 1 MiB is well above
+ * any realistic RFC 9802 cert and catches a wild XFTELL. */
+#define RFC9802_TEST_MAX_CERT_SIZE (1 << 20)
+
 /* Load a whole file into a freshly-allocated buffer. Caller frees. */
 static int rfc9802_load_file(const char* path, byte** out, int* outLen)
 {
     EXPECT_DECLS;
-    XFILE f = XBADFILE;
-    long  sz = 0;
-    byte* buf = NULL;
+    XFILE  f = XBADFILE;
+    long   sz = 0;
+    size_t got = 0;
+    byte*  buf = NULL;
 
     *out = NULL;
     *outLen = 0;
@@ -35824,11 +35830,12 @@ static int rfc9802_load_file(const char* path, byte** out, int* outLen)
         sz = XFTELL(f);
     (void)XFSEEK(f, 0, XSEEK_SET);
     ExpectIntGT(sz, 0);
-    ExpectIntLT(sz, 1 << 20);  /* sanity: certs are smaller than 1 MiB */
+    ExpectIntLT(sz, RFC9802_TEST_MAX_CERT_SIZE);
     ExpectNotNull(buf = (byte*)XMALLOC((size_t)sz, NULL,
         DYNAMIC_TYPE_TMP_BUFFER));
     if (buf != NULL) {
-        ExpectIntEQ((long)XFREAD(buf, 1, (size_t)sz, f), sz);
+        got = XFREAD(buf, 1, (size_t)sz, f);
+        ExpectIntEQ(got, (size_t)sz);
     }
     XFCLOSE(f);
     *out = buf;
@@ -35984,6 +35991,25 @@ static int rfc9802_lms_import_negative(void)
         wc_LmsKey_Free(&key);
     }
 
+    /* Partial-write invariant: a length mismatch after a successful
+     * auto-derive must leave key->params NULL. Build a buffer whose
+     * leading u32str(L) || lmsType || lmOtsType identifies a known
+     * parameter set, but truncate to one byte less than the real pub
+     * key length so the post-derive length check fails. */
+    {
+        byte truncated[59];   /* HSS_PUBLIC_KEY_LEN(32) is 60 */
+        XMEMSET(truncated, 0, sizeof(truncated));
+        truncated[3] = 1;     /* L = 1 */
+        truncated[7] = 5;     /* lmsType = LMS_SHA256_M32_H5 */
+        truncated[11] = 4;    /* lmOtsType = LMOTS_SHA256_N32_W4 */
+        ExpectIntEQ(wc_LmsKey_Init(&key, NULL, INVALID_DEVID), 0);
+        ExpectNull(key.params);
+        ExpectIntEQ(wc_LmsKey_ImportPubRaw(&key, truncated,
+            sizeof(truncated)), WC_NO_ERR_TRACE(BUFFER_E));
+        ExpectNull(key.params);
+        wc_LmsKey_Free(&key);
+    }
+
     return EXPECT_RESULT();
 }
 #endif
@@ -35993,7 +36019,9 @@ static int rfc9802_xmss_import_negative(void)
 {
     EXPECT_DECLS;
     XmssKey key;
-    byte    junk[8] = {0};
+    byte    junk[8];
+
+    XMEMSET(junk, 0, sizeof(junk));
 
     /* Too-short buffer. */
     ExpectIntEQ(wc_XmssKey_Init(&key, NULL, INVALID_DEVID), 0);
@@ -36029,6 +36057,26 @@ static int rfc9802_xmss_import_negative(void)
         wc_XmssKey_Free(&key);
     }
 
+    /* Once params have been configured (state != INITED), the OID
+     * prefix in the raw key MUST match key->oid and is_xmssmt MUST
+     * match key->is_xmssmt. Set XMSS-SHA2_10_256 and feed a valid-
+     * sized buffer whose 4-byte OID prefix is bogus -> BAD_FUNC_ARG. */
+    {
+        byte mismatch[XMSS_SHA256_PUBLEN];
+        ExpectIntEQ(wc_XmssKey_Init(&key, NULL, INVALID_DEVID), 0);
+        ExpectIntEQ(wc_XmssKey_SetParamStr(&key, "XMSS-SHA2_10_256"), 0);
+        XMEMSET(mismatch, 0, sizeof(mismatch));
+        mismatch[3] = 0x77; /* nonsense OID */
+        ExpectIntEQ(wc_XmssKey_ImportPubRaw_ex(&key, mismatch,
+            sizeof(mismatch), 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+        /* Same buffer with the correct OID, but is_xmssmt hint
+         * contradicts the configured family -> BAD_FUNC_ARG. */
+        mismatch[3] = 0x01; /* WC_XMSS_OID_SHA2_10_256 */
+        ExpectIntEQ(wc_XmssKey_ImportPubRaw_ex(&key, mismatch,
+            sizeof(mismatch), 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+        wc_XmssKey_Free(&key);
+    }
+
     return EXPECT_RESULT();
 }
 #endif

wolfcrypt/src/wc_lms.c

@@ -1418,18 +1418,28 @@ int wc_LmsKey_ExportPubRaw(const LmsKey* key, byte* out, word32* outLen)
 
 /* Imports a raw public key buffer from in array to LmsKey key.
  *
- * The LMS parameters must be set first with wc_LmsKey_SetLmsParm or
- * wc_LmsKey_SetParameters, and inLen must match the length returned
- * by wc_LmsKey_GetPubLen.
+ * If the LMS parameters have already been configured (via
+ * wc_LmsKey_SetLmsParm or wc_LmsKey_SetParameters), the levels /
+ * lms_algorithm_type / lmots_algorithm_type encoded in the raw key are
+ * checked for consistency and inLen must match wc_LmsKey_GetPubLen.
  *
- * Call wc_LmsKey_GetPubLen beforehand to determine pubLen.
+ * If the parameters have not yet been set (key->params == NULL), they
+ * are derived from the raw public key prefix (RFC 8554 sec 3.3 / sec
+ * 6.1: u32str(L) || lms_algorithm_type || lmots_algorithm_type) and
+ * matched against the static parameter map. The candidate is held in
+ * a local until the length check passes, so a length mismatch leaves
+ * key->params NULL.
  *
  * @param [in, out] key    LMS key to put public key in.
  * @param [in]      in     Buffer holding encoded public key.
  * @param [in]      inLen  Length of encoded public key in bytes.
  * @return  0 on success.
- * @return  BAD_FUNC_ARG when key or in is NULL.
- * @return  BUFFER_E when inLen does not match public key length by parameters.
+ * @return  BAD_FUNC_ARG when key or in is NULL, or when the raw key's
+ *          levels / lmsType / lmOtsType disagree with pre-set params.
+ * @return  BUFFER_E when inLen is too small to contain the LMS type
+ *          fields, or doesn't match the public key length determined
+ *          by parameters.
+ * @return  NOT_COMPILED_IN when the derived parameter set isn't built in.
  */
 int wc_LmsKey_ImportPubRaw(LmsKey* key, const byte* in, word32 inLen)
 {
@@ -1515,7 +1525,8 @@ int wc_LmsKey_ImportPubRaw(LmsKey* key, const byte* in, word32 inLen)
  * @param [in]  key  LMS key.
  * @param [out] len  Length of a signature in bytes.
  * @return  0 on success.
- * @return  BAD_FUNC_ARG when key or len is NULL.
+ * @return  BAD_FUNC_ARG when key or len is NULL, or when the LMS
+ *          parameters have not been configured on the key.
  */
 int wc_LmsKey_GetSigLen(const LmsKey* key, word32* len)
 {

wolfcrypt/src/wc_xmss.c

@@ -1556,6 +1556,9 @@ int wc_XmssKey_ImportPubRaw_ex(XmssKey* key, const byte* in, word32 inLen,
                         break;
                     }
                 }
+            #else
+                /* XMSS^MT compiled out; ret stays at NOT_COMPILED_IN. */
+                (void)oid;
             #endif
             }
             else {
@@ -1568,6 +1571,9 @@ int wc_XmssKey_ImportPubRaw_ex(XmssKey* key, const byte* in, word32 inLen,
                         break;
                     }
                 }
+            #else
+                /* XMSS compiled out; ret stays at NOT_COMPILED_IN. */
+                (void)oid;
             #endif
             }
 
@@ -1581,11 +1587,15 @@ int wc_XmssKey_ImportPubRaw_ex(XmssKey* key, const byte* in, word32 inLen,
             }
         }
         else {
-            /* Params already set; OID prefix must match. */
+            /* Params already set; OID prefix and family must match. */
             if (oid != key->oid) {
                 WOLFSSL_MSG("error: XMSS pub OID doesn't match set params");
                 ret = BAD_FUNC_ARG;
             }
+            else if ((is_xmssmt ? 1 : 0) != (int)key->is_xmssmt) {
+                WOLFSSL_MSG("error: XMSS is_xmssmt hint contradicts set params");
+                ret = BAD_FUNC_ARG;
+            }
         }
     }
 
@@ -1612,6 +1622,9 @@ int wc_XmssKey_ImportPubRaw_ex(XmssKey* key, const byte* in, word32 inLen,
  *
  * The XMSS parameters must be set first with wc_XmssKey_SetParamStr,
  * and inLen must match the length returned by wc_XmssKey_GetPubLen.
+ * If the caller only has the raw public-key bytes and has not yet
+ * configured the parameter set, use wc_XmssKey_ImportPubRaw_ex which
+ * derives parameters from the OID prefix at the start of the buffer.
  *
  * @param [in, out] key     XMSS key.
  * @param [in]      in      Array holding public key.