PQC: address skoll review (empty msg, NULL-key reinit, KEM mixed-NULL, get_params, KEM op name, debian pqc)

Author: aidangarske

debian/install-wolfssl.sh

@@ -40,6 +40,7 @@ install_wolfssl_from_git() {
     local debug_mode="$3"
     local reinstall_mode="$4"
     local no_install="$5"
+    local pqc_mode="$6"
     local main_branch="master"
 
     # If no working directory specified, create one using mktemp
@@ -173,6 +174,11 @@ AC_CONFIG_FILES([debian/rules],[chmod +x debian/rules])' configure.ac
         echo "Debug mode enabled"
     fi
 
+    if [ "$pqc_mode" = "true" ]; then
+        configure_opts="$configure_opts --enable-mlkem --enable-mldsa"
+        echo "PQC (ML-KEM/ML-DSA) enabled"
+    fi
+
     ./configure $configure_opts \
         CFLAGS="-DWOLFSSL_OLD_OID_SUM \
             -DWOLFSSL_PUBLIC_ASN \
@@ -220,6 +226,7 @@ main() {
     local debug_mode="false"
     local reinstall_mode="false"
     local no_install="false"
+    local pqc_mode="false"
 
     # Parse command line arguments
     while [[ $# -gt 0 ]]; do
@@ -233,6 +240,7 @@ main() {
                 echo "  -d, --debug          Enable debug build mode (adds --enable-debug)"
                 echo "  -r, --reinstall      Force reinstall even if packages are already installed"
                 echo "  -n, --no-install     Build only, do not install packages"
+                echo "  --enable-pqc         Enable ML-KEM and ML-DSA (FIPS 203/204)"
                 echo "  -h, --help           Show this help message"
                 echo ""
                 echo "Arguments:"
@@ -264,6 +272,10 @@ main() {
                 no_install="true"
                 shift
                 ;;
+            --enable-pqc)
+                pqc_mode="true"
+                shift
+                ;;
             -*)
                 echo "Unknown option: $1" >&2
                 echo "Use --help for usage information" >&2
@@ -300,7 +312,7 @@ main() {
         echo "Building wolfSSL master branch"
     fi
 
-    install_wolfssl_from_git "$work_dir" "$git_tag" "$debug_mode" "$reinstall_mode" "$no_install"
+    install_wolfssl_from_git "$work_dir" "$git_tag" "$debug_mode" "$reinstall_mode" "$no_install" "$pqc_mode"
 
     echo "WolfSSL installation completed successfully"
 }

scripts/build-wolfprovider.sh

@@ -216,6 +216,9 @@ if [ -n "$build_debian" ]; then
     if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
         OPENSSL_OPTS+=" --replace-default"
     fi
+    if [ "$WOLFPROV_PQC" = "1" ]; then
+        WOLFSSL_OPTS+=" --enable-pqc"
+    fi
 
     # wolfSSL and OpenSSL are independent and must be built first
     debian/install-wolfssl.sh $WOLFSSL_OPTS --no-install -r $DEB_OUTPUT_DIR

src/wp_mldsa_kmgmt.c

@@ -774,8 +774,10 @@ static int wp_mldsa_get_params(wp_MlDsa* mldsa, OSSL_PARAM params[])
                 p->return_size = outLen;
             }
             else if (p->data_size < outLen) {
-                /* Buffer too small: report required size, let caller retry. */
+                /* Buffer too small: report required size and fail so the
+                 * caller can retry; do not claim a completed export. */
                 p->return_size = outLen;
+                ok = 0;
             }
             else {
                 outLen = (word32)p->data_size;
@@ -802,6 +804,7 @@ static int wp_mldsa_get_params(wp_MlDsa* mldsa, OSSL_PARAM params[])
             }
             else if (p->data_size < outLen) {
                 p->return_size = outLen;
+                ok = 0;
             }
             else {
                 outLen = (word32)p->data_size;

src/wp_mldsa_sig.c

@@ -224,15 +224,24 @@ static int wp_mldsa_init(wp_MlDsaSigCtx* ctx, wp_MlDsa* mldsa,
 
     (void)params;
 
-    if ((ctx == NULL) || (mldsa == NULL)) {
+    if (ctx == NULL) {
         ok = 0;
     }
-    if (ok && !wp_mldsa_up_ref(mldsa)) {
+    /* NULL key means "reinit, reuse the key already on the context" -- only
+     * valid if the context actually has one. */
+    if (ok && (mldsa == NULL) && (ctx->mldsa == NULL)) {
         ok = 0;
     }
+    if (ok && (mldsa != NULL)) {
+        if (!wp_mldsa_up_ref(mldsa)) {
+            ok = 0;
+        }
+        if (ok) {
+            wp_mldsa_free(ctx->mldsa);
+            ctx->mldsa = mldsa;
+        }
+    }
     if (ok) {
-        wp_mldsa_free(ctx->mldsa);
-        ctx->mldsa = mldsa;
         wp_mldsa_buf_reset(ctx);
     }
     return ok;
@@ -269,12 +278,22 @@ static int wp_mldsa_sign(wp_MlDsaSigCtx* ctx, unsigned char* sig,
     int ok = 1;
     int rc;
     word32 sigSz;
+    /* FIPS 204 permits an empty message; give wolfSSL a valid pointer so a
+     * NULL+0 message does not become a backend-dependent NULL deref. */
+    unsigned char dummy = 0;
+    const unsigned char* m = msg;
 
     (void)sigSize;
 
     if ((ctx == NULL) || (ctx->mldsa == NULL) || (sigLen == NULL)) {
         return 0;
     }
+    if ((msg == NULL) && (msgLen != 0)) {
+        return 0;
+    }
+    if (m == NULL) {
+        m = &dummy;
+    }
 
     sigSz = (word32)wp_mldsa_get_sig_size(ctx->mldsa);
 
@@ -297,7 +316,7 @@ static int wp_mldsa_sign(wp_MlDsaSigCtx* ctx, unsigned char* sig,
          * default; use the ctx variant with empty ctx to interop. */
         rc = wc_MlDsaKey_SignCtx(
             (wc_MlDsaKey*)wp_mldsa_get_key(ctx->mldsa), NULL, 0, sig, &outLen,
-            msg, (word32)msgLen, &ctx->rng);
+            m, (word32)msgLen, &ctx->rng);
         if (rc != 0) {
             ok = 0;
         }
@@ -324,11 +343,19 @@ static int wp_mldsa_verify(wp_MlDsaSigCtx* ctx, const unsigned char* sig,
     int ok = 1;
     int rc;
     int res = 0;
+    /* FIPS 204 permits an empty message; give wolfSSL a valid pointer. */
+    unsigned char dummy = 0;
+    const unsigned char* m = msg;
 
-    if ((ctx == NULL) || (ctx->mldsa == NULL) || (sig == NULL) ||
-            (msg == NULL)) {
+    if ((ctx == NULL) || (ctx->mldsa == NULL) || (sig == NULL)) {
         return 0;
     }
+    if ((msg == NULL) && (msgLen != 0)) {
+        return 0;
+    }
+    if (m == NULL) {
+        m = &dummy;
+    }
     /* wolfSSL's ML-DSA API takes 32-bit lengths. Reject oversize inputs
      * explicitly rather than silently truncating. */
     if ((sigLen > 0xFFFFFFFFU) || (msgLen > 0xFFFFFFFFU)) {
@@ -338,7 +365,7 @@ static int wp_mldsa_verify(wp_MlDsaSigCtx* ctx, const unsigned char* sig,
     /* Match the sign path: FIPS 204 pure ML-DSA with empty context. */
     rc = wc_MlDsaKey_VerifyCtx(
         (wc_MlDsaKey*)wp_mldsa_get_key(ctx->mldsa), sig, (word32)sigLen,
-        NULL, 0, msg, (word32)msgLen, &res);
+        NULL, 0, m, (word32)msgLen, &res);
     if ((rc != 0) || (res != 1)) {
         ok = 0;
     }

src/wp_mlkem_kem.c

@@ -181,10 +181,9 @@ static int wp_mlkem_kem_encapsulate(wp_MlKemCtx* ctx, unsigned char* out,
     ctSize = wp_mlkem_data_ct_size(data);
     ssSize = WP_MLKEM_SS_SIZE;
 
-    /* Size-only query: out == NULL with outLen/secretLen set per OpenSSL
-     * KEM encapsulate contract. Mixed-NULL is a caller bug, not a size
-     * query, so reject it explicitly. */
-    if (out == NULL) {
+    /* Size-only query: both output buffers NULL. A mixed-NULL request (one
+     * buffer NULL, the other not) is a caller bug, not a size query. */
+    if ((out == NULL) && (secret == NULL)) {
         if (outLen != NULL) {
             *outLen = ctSize;
         }
@@ -193,7 +192,8 @@ static int wp_mlkem_kem_encapsulate(wp_MlKemCtx* ctx, unsigned char* out,
         }
         return 1;
     }
-    if ((secret == NULL) || (outLen == NULL) || (secretLen == NULL)) {
+    if ((out == NULL) || (secret == NULL) || (outLen == NULL) ||
+            (secretLen == NULL)) {
         return 0;
     }
 

src/wp_mlkem_kmgmt.c

@@ -754,8 +754,10 @@ static int wp_mlkem_get_params(wp_MlKem* mlkem, OSSL_PARAM params[])
                 p->return_size = outLen;
             }
             else if (p->data_size < outLen) {
-                /* Buffer too small: report required size, let caller retry. */
+                /* Buffer too small: report required size and fail so the
+                 * caller can retry; do not claim a completed export. */
                 p->return_size = outLen;
+                ok = 0;
             }
             else {
                 rc = wc_MlKemKey_EncodePublicKey(&mlkem->key,
@@ -781,6 +783,7 @@ static int wp_mlkem_get_params(wp_MlKem* mlkem, OSSL_PARAM params[])
             }
             else if (p->data_size < outLen) {
                 p->return_size = outLen;
+                ok = 0;
             }
             else {
                 rc = wc_MlKemKey_EncodePrivateKey(&mlkem->key,
@@ -949,19 +952,24 @@ static void wp_mlkem_gen_cleanup(wp_MlKemGenCtx* ctx)
     }
 }
 
-/**
- * Return the algorithm name for OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME.
- *
- * ML-KEM has no associated operation name lookup; return NULL so OpenSSL
- * falls back to the algorithm name from the dispatch table.
- *
- * @param [in] op  Operation type. Unused.
- * @return  NULL.
- */
-static const char* wp_mlkem_query_operation_name(int op)
+/* Map each ML-KEM key type to its KEM operation name so OpenSSL fetches the
+ * matching KEM implementation without relying on fallback lookup. */
+static const char* wp_mlkem512_query_operation_name(int op)
+{
+    (void)op;
+    return WP_NAMES_ML_KEM_512;
+}
+
+static const char* wp_mlkem768_query_operation_name(int op)
+{
+    (void)op;
+    return WP_NAMES_ML_KEM_768;
+}
+
+static const char* wp_mlkem1024_query_operation_name(int op)
 {
     (void)op;
-    return NULL;
+    return WP_NAMES_ML_KEM_1024;
 }
 
 /* Per-level new() and gen_init() trampolines. */
@@ -1036,7 +1044,7 @@ const OSSL_DISPATCH wp_##alg##_keymgmt_functions[] = {                         \
     { OSSL_FUNC_KEYMGMT_EXPORT_TYPES,                                          \
         (DFUNC)wp_mlkem_export_types                           },              \
     { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME,                                  \
-        (DFUNC)wp_mlkem_query_operation_name                   },              \
+        (DFUNC)wp_##alg##_query_operation_name                 },              \
     { 0, NULL }                                                                \
 };
 

test/test_mldsa.c

@@ -838,4 +838,101 @@ int test_mldsa_import_mismatched_pubpriv(void* data)
     return err;
 }
 
+/* FIPS 204 permits an empty message: sign and verify zero-length input. */
+int test_mldsa_empty_message(void* data)
+{
+    int err = 0;
+    size_t i;
+    EVP_PKEY* k = NULL;
+    EVP_MD_CTX* mdctx = NULL;
+    unsigned char* sig = NULL;
+    size_t sigLen = 0;
+
+    (void)data;
+    for (i = 0; (err == 0) && (i < MLDSA_LEVEL_COUNT); i++) {
+        PRINT_MSG("Empty message %s", mldsa_levels[i].name);
+
+        err = mldsa_keygen(mldsa_levels[i].name, &k);
+        if (err == 0) {
+            mdctx = EVP_MD_CTX_new();
+            err = (mdctx == NULL);
+        }
+        if (err == 0) {
+            err = EVP_DigestSignInit_ex(mdctx, NULL, NULL, wpLibCtx, NULL, k,
+                NULL) != 1;
+        }
+        /* No update calls: message is the empty string. */
+        if (err == 0) {
+            err = EVP_DigestSign(mdctx, NULL, &sigLen, NULL, 0) != 1;
+        }
+        if (err == 0) {
+            sig = (unsigned char*)OPENSSL_malloc(sigLen);
+            err = (sig == NULL);
+        }
+        if (err == 0) {
+            err = EVP_DigestSign(mdctx, sig, &sigLen, NULL, 0) != 1;
+            if (err) PRINT_ERR_MSG("Empty-message sign failed");
+        }
+        if (err == 0) {
+            err = mldsa_verify_msg(k, NULL, 0, sig, sigLen) != 1;
+            if (err) PRINT_ERR_MSG("Empty-message verify failed");
+        }
+
+        OPENSSL_free(sig); sig = NULL; sigLen = 0;
+        EVP_MD_CTX_free(mdctx); mdctx = NULL;
+        EVP_PKEY_free(k); k = NULL;
+    }
+    return err;
+}
+
+/* Reinitialize a sign context with a NULL key: the key already on the
+ * context must be reused (OpenSSL reinit contract). */
+int test_mldsa_reinit_null_key(void* data)
+{
+    static const unsigned char msg[16] = "mldsa-reinit-msg";
+    int err = 0;
+    EVP_PKEY* k = NULL;
+    EVP_MD_CTX* mdctx = NULL;
+    unsigned char* sig = NULL;
+    size_t sigLen = 0;
+
+    (void)data;
+    PRINT_MSG("Reinit with NULL key reuses context key");
+
+    err = mldsa_keygen("ML-DSA-44", &k);
+    if (err == 0) {
+        mdctx = EVP_MD_CTX_new();
+        err = (mdctx == NULL);
+    }
+    if (err == 0) {
+        err = EVP_DigestSignInit_ex(mdctx, NULL, NULL, wpLibCtx, NULL, k,
+            NULL) != 1;
+    }
+    /* Reinit with NULL pkey: reuse the key already attached. */
+    if (err == 0) {
+        err = EVP_DigestSignInit_ex(mdctx, NULL, NULL, wpLibCtx, NULL, NULL,
+            NULL) != 1;
+        if (err) PRINT_ERR_MSG("Reinit with NULL key failed");
+    }
+    if (err == 0) {
+        err = EVP_DigestSign(mdctx, NULL, &sigLen, msg, sizeof(msg)) != 1;
+    }
+    if (err == 0) {
+        sig = (unsigned char*)OPENSSL_malloc(sigLen);
+        err = (sig == NULL);
+    }
+    if (err == 0) {
+        err = EVP_DigestSign(mdctx, sig, &sigLen, msg, sizeof(msg)) != 1;
+    }
+    if (err == 0) {
+        err = mldsa_verify_msg(k, msg, sizeof(msg), sig, sigLen) != 1;
+        if (err) PRINT_ERR_MSG("Sign after NULL-key reinit did not verify");
+    }
+
+    OPENSSL_free(sig);
+    EVP_MD_CTX_free(mdctx);
+    EVP_PKEY_free(k);
+    return err;
+}
+
 #endif /* WP_HAVE_MLDSA */

test/unit.c

@@ -506,6 +506,8 @@ TEST_CASE test_case[] = {
     TEST_DECL(test_mldsa_get_params, NULL),
     TEST_DECL(test_mldsa_digest_sign_init_rejects_md, NULL),
     TEST_DECL(test_mldsa_import_mismatched_pubpriv, NULL),
+    TEST_DECL(test_mldsa_empty_message, NULL),
+    TEST_DECL(test_mldsa_reinit_null_key, NULL),
 #endif
 };
 #define TEST_CASE_CNT   (int)(sizeof(test_case) / sizeof(*test_case))

test/unit.h

@@ -504,6 +504,8 @@ int test_mldsa_oneshot_sign_verify(void *data);
 int test_mldsa_get_params(void *data);
 int test_mldsa_digest_sign_init_rejects_md(void *data);
 int test_mldsa_import_mismatched_pubpriv(void *data);
+int test_mldsa_empty_message(void *data);
+int test_mldsa_reinit_null_key(void *data);
 #endif
 
 #endif /* UNIT_H */