Fixes for ML-DSA

Frauschi · Frauschi · commit 58682a2468b8 · 2026-04-11T08:34:22.000+02:00
When the input hash data in sized invalidly, the operations now fail
with an error.

Replace the dynamically-allocated `byte* ctx` pointer in WP11_MldsaParams
with an inline `byte ctx[256]` array. PKCS#11 v3.2 (§2.3.12) caps the
ML-DSA context length at 255 bytes, so heap allocation is unnecessary and
introduced several memory-management hazards:

- ctx was freed at the end of WP11_Mldsa_Sign/Verify before session
  teardown, leaving a dangling pointer if the session was reused
- the cleanup in wp11_Session_Final checked the wrong mechanism set,
  meaning it could free ctx a second time
- WP11_Session_SetMldsaParams freed ctx before re-initialising, which
  was safe only if the pointer was always valid (it wasn't on first call)
  Embedding the buffer in the struct eliminates all manual lifetime
  tracking.
diff --git a/src/crypto.c b/src/crypto.c
@@ -5923,10 +5923,6 @@ CK_RV C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
 
             ret = WP11_Mldsa_Verify(pSignature, (int)ulSignatureLen, pData,
                                     (int)ulDataLen, &stat, obj, session);
-            if (ret < 0) {
-                stat = 0;
-                ret = 0;
-            }
             break;
 #endif
 #ifndef NO_HMAC
diff --git a/src/internal.c b/src/internal.c
@@ -356,7 +356,7 @@ typedef struct WP11_PssParams {
 typedef struct WP11_MldsaParams {
     enum wc_HashType preHashType;
     word32 hedgeType;
-    byte* ctx;
+    byte ctx[256];
     byte ctxSz;
 } WP11_MldsaParams;
 #endif
@@ -911,14 +911,6 @@ static void wp11_Session_Final(WP11_Session* session)
         session->params.oaep.label = NULL;
     }
 #endif
-#ifdef WOLFPKCS11_MLDSA
-    if ((session->mechanism == CKM_ML_DSA ||
-         session->mechanism == CKM_HASH_ML_DSA) &&
-                                            session->params.mldsa.ctx != NULL) {
-        XFREE(session->params.mldsa.ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        session->params.mldsa.ctx = NULL;
-    }
-#endif
 #ifndef NO_AES
 #ifdef HAVE_AES_CBC
     if ((session->mechanism == CKM_AES_CBC ||
@@ -2858,6 +2850,76 @@ int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest)
                     break;
                 }
 #endif
+#ifdef WOLFPKCS11_MLDSA
+                case CKK_ML_DSA: {
+                    byte* buf = NULL;
+                    word32 bufSz = 0;
+                    byte level = 0;
+
+                    /* Get the level from the source key */
+                    ret = wc_MlDsaKey_GetParams(src->data.mldsaKey, &level);
+
+                    /* Determine raw key size */
+                    if (ret == 0) {
+                        if (src->objClass == CKO_PRIVATE_KEY) {
+                            ret = wc_MlDsaKey_GetPrivLen(src->data.mldsaKey,
+                                (int*)&bufSz);
+                        }
+                        else {
+                            ret = wc_MlDsaKey_GetPubLen(src->data.mldsaKey,
+                                (int*)&bufSz);
+                        }
+                    }
+                    if (ret == 0) {
+                        buf = (byte*)XMALLOC(bufSz, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+                        if (buf == NULL)
+                            ret = MEMORY_E;
+                    }
+
+                    /* Export raw key from source */
+                    if (ret == 0) {
+                        if (src->objClass == CKO_PRIVATE_KEY) {
+                            ret = wc_MlDsaKey_ExportPrivRaw(src->data.mldsaKey,
+                                buf, &bufSz);
+                        }
+                        else {
+                            ret = wc_MlDsaKey_ExportPubRaw(src->data.mldsaKey,
+                                buf, &bufSz);
+                        }
+                    }
+
+                    /* Init destination key and import */
+                    if (ret == 0) {
+                        ret = wc_MlDsaKey_Init(dest->data.mldsaKey, NULL,
+                            dest->devId);
+                    }
+                    if (ret == 0) {
+                        ret = wc_MlDsaKey_SetParams(dest->data.mldsaKey, level);
+                        if (ret != 0)
+                            wc_MlDsaKey_Free(dest->data.mldsaKey);
+                    }
+                    if (ret == 0) {
+                        if (src->objClass == CKO_PRIVATE_KEY) {
+                            ret = wc_MlDsaKey_ImportPrivRaw(dest->data.mldsaKey,
+                                buf, bufSz);
+                        }
+                        else {
+                            ret = wc_MlDsaKey_ImportPubRaw(dest->data.mldsaKey,
+                                buf, bufSz);
+                        }
+                        if (ret != 0)
+                            wc_MlDsaKey_Free(dest->data.mldsaKey);
+                    }
+
+                    if (buf != NULL) {
+                        wc_ForceZero(buf, bufSz);
+                        XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+                    }
+
+                    break;
+                }
+#endif
 #ifdef WOLFPKCS11_MLKEM
                 case CKK_ML_KEM: {
                     byte* buf = NULL;
@@ -8025,7 +8087,6 @@ int WP11_Session_SetMldsaParams(WP11_Session* session, CK_VOID_PTR params,
     int ret = 0;
     WP11_MldsaParams* mldsa = &session->params.mldsa;
 
-    XFREE(mldsa->ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     XMEMSET(mldsa, 0, sizeof(*mldsa));
 
     if (params != NULL) {
@@ -8039,19 +8100,12 @@ int WP11_Session_SetMldsaParams(WP11_Session* session, CK_VOID_PTR params,
                 if (ctx->ulContextLen > 255) {
                     ret = BAD_FUNC_ARG;
                 }
-                if (ret == 0) {
-                    mldsa->ctx = (byte*)XMALLOC(ctx->ulContextLen, NULL,
-                                                DYNAMIC_TYPE_TMP_BUFFER);
-                    if (mldsa->ctx == NULL)
-                        ret = MEMORY_E;
-                }
                 if (ret == 0) {
                     XMEMCPY(mldsa->ctx, ctx->pContext, ctx->ulContextLen);
                     mldsa->ctxSz = ctx->ulContextLen;
                 }
             }
             else {
-                mldsa->ctx = NULL;
                 mldsa->ctxSz = 0;
             }
 
@@ -8068,19 +8122,12 @@ int WP11_Session_SetMldsaParams(WP11_Session* session, CK_VOID_PTR params,
                 if (ctx->ulContextLen > 255) {
                     ret = BAD_FUNC_ARG;
                 }
-                if (ret == 0) {
-                    mldsa->ctx = (byte*)XMALLOC(ctx->ulContextLen, NULL,
-                                                DYNAMIC_TYPE_TMP_BUFFER);
-                    if (mldsa->ctx == NULL)
-                        ret = MEMORY_E;
-                }
                 if (ret == 0) {
                     XMEMCPY(mldsa->ctx, ctx->pContext, ctx->ulContextLen);
                     mldsa->ctxSz = ctx->ulContextLen;
                 }
             }
             else {
-                mldsa->ctx = NULL;
                 mldsa->ctxSz = 0;
             }
 
@@ -8097,7 +8144,6 @@ int WP11_Session_SetMldsaParams(WP11_Session* session, CK_VOID_PTR params,
     else {
         mldsa->preHashType = WC_HASH_TYPE_NONE;
         mldsa->hedgeType = CKH_HEDGE_PREFERRED;
-        mldsa->ctx = NULL;
         mldsa->ctxSz = 0;
     }
 
@@ -13041,8 +13087,6 @@ int WP11_Mldsa_Sign(unsigned char* data, word32 dataLen, unsigned char* sig,
         Rng_Free(&rng);
     }
 
-    XFREE(params->ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    params->ctx = NULL;
     params->ctxSz = 0;
 
     if (priv->onToken)
@@ -13091,8 +13135,6 @@ int WP11_Mldsa_Verify(unsigned char* sig, word32 sigLen, unsigned char* data,
         }
     }
 
-    XFREE(params->ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    params->ctx = NULL;
     params->ctxSz = 0;
 
     if (pub->onToken)
diff --git a/tests/pkcs11v3test.c b/tests/pkcs11v3test.c
@@ -669,7 +669,13 @@ static CK_RV mldsa_sign_verify(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE privK
     }
     if (ret == CKR_OK) {
         ret = funcList->C_Verify(session, data, dataSz - 1, sig, sigSz);
-        CHECK_CKR_FAIL(ret, CKR_SIGNATURE_INVALID, "ML-DSA Verify bad data");
+        if (mech->mechanism == CKM_HASH_ML_DSA) {
+            /* Invalid hash digest size is not allowed, so operation fails */
+            CHECK_CKR_FAIL(ret, CKR_FUNCTION_FAILED, "ML-DSA Verify bad data");
+        } else {
+            /* Invalid data size results in invalid signature*/
+            CHECK_CKR_FAIL(ret, CKR_SIGNATURE_INVALID, "ML-DSA Verify bad data");
+        }
     }
     if (ret == CKR_OK) {
         XMEMCPY(sigBad, sig, sigSz);
