
Fix for ML-DSA to fall back when no context is provided #320

Draft

padelsbach wants to merge 1 commit into wolfSSL:main from padelsbach:fix-mldsa-fallback


Conversation

@padelsbach (Contributor)

Found while integrating latest wolfHSM and wolfBoot. wolfBoot uses the older ML-DSA functions in wolfcrypt, while wolfHSM has updated to the new versions with a context param. The previous wolfHSM update did not cleanly fall back to the legacy version that wolfBoot uses. This change adds a simple fallback when the context is not present, and an associated unit test.


@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment


Fenrir Automated Review — PR #320

Scan targets checked: wolfhsm-crypto-bugs, wolfhsm-src
Findings: 1

Medium (1)

Ambiguous context semantics may silently downgrade FIPS 204 operations to legacy mode

File: src/wh_server_crypto.c:4219-4229
Function: _HandleMlDsaSign, _HandleMlDsaVerify, _HandleMlDsaSignDma, _HandleMlDsaVerifyDma
Category: Cryptographic operation flaws

The new branching logic uses contextSz > 0 to decide between wc_MlDsaKey_SignCtx/wc_MlDsaKey_VerifyCtx and the legacy wc_MlDsaKey_Sign/wc_MlDsaKey_Verify. In FIPS 204, signing with an explicitly empty context string (contextSz == 0) is a defined and valid operation that includes a domain separator byte in the internal message format (M' = 0x00 || 0x00 || M). The legacy wc_MlDsaKey_Sign API may not include this domain separator, producing cryptographically different signatures. A client that intentionally sends contextSz == 0 expecting FIPS 204 empty-context behavior will now silently receive legacy (potentially non-FIPS-204) behavior instead. This affects all four modified functions identically. The change means there is no way for a client to request FIPS 204 signing/verification with an empty context string through the HSM server — that code path is now unreachable.

else if (contextSz > 0) {
    ret = wc_MlDsaKey_SignCtx(
        key, req_context, (byte)contextSz, res_out, &res_len,
        in, in_len, ctx->crypto->rng);
}
else {
    /* Fall back to legacy method if no context is provided */
    ret = wc_MlDsaKey_Sign(
        key, res_out, &res_len,
        in, in_len, ctx->crypto->rng);
}

Recommendation: Introduce an explicit flag or field in the request message to distinguish between 'legacy mode (no FIPS 204 context)' and 'FIPS 204 with empty context.' For example, a boolean useContext field would allow contextSz == 0 with useContext == true to call wc_MlDsaKey_SignCtx with an empty context, while useContext == false would call the legacy wc_MlDsaKey_Sign. Alternatively, if the legacy API is confirmed to be internally equivalent to SignCtx with empty context in the wolfCrypt version used, document this equivalence and add an assertion or test verifying it.


This review was generated automatically by Fenrir. Findings are non-blocking.
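As an added illustration of the finding above (not code from wolfHSM, wolfCrypt or this PR), a small C model of the recommended explicit-flag dispatch next to the FIPS 204 M' framing that distinguishes an empty context from no context at all. `MlDsaReq`, `useContext` and the function names are hypothetical; the wolfCrypt calls themselves are not reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef uint8_t byte;

/* Hypothetical request shape: useContext is the explicit flag the review
 * recommends so that contextSz == 0 is no longer ambiguous. */
typedef struct {
    int    useContext;   /* 0: legacy wc_MlDsaKey_Sign path, 1: FIPS 204 SignCtx path */
    byte   context[255]; /* FIPS 204 limits ctx to at most 255 bytes */
    size_t contextSz;
} MlDsaReq;

enum { MODE_INVALID = -1, MODE_LEGACY = 0, MODE_CTX = 1 };

/* Select the signing path from the flag, not from contextSz > 0: an empty
 * context with useContext set still selects the FIPS 204 path, and a
 * non-empty context without the flag is rejected instead of guessed at. */
int mldsa_select_mode(const MlDsaReq *req)
{
    if (req->contextSz > 255) return MODE_INVALID;
    if (!req->useContext)
        return (req->contextSz == 0) ? MODE_LEGACY : MODE_INVALID;
    return MODE_CTX;
}

/* Build the FIPS 204 (pure ML-DSA) message M' = 0x00 || |ctx| || ctx || M.
 * With an empty ctx this yields 0x00 || 0x00 || M, which differs from a raw M
 * that a legacy, context-less API might sign. Returns 0 on error. */
size_t mldsa_format_mprime(const byte *ctx, size_t ctxSz,
                           const byte *m, size_t mSz,
                           byte *out, size_t outSz)
{
    if (ctxSz > 255 || outSz < 2 + ctxSz + mSz) return 0;
    out[0] = 0x00;          /* domain separator: pure (non-pre-hash) variant */
    out[1] = (byte)ctxSz;   /* context length, 0 for an empty context */
    if (ctxSz) memcpy(out + 2, ctx, ctxSz);
    if (mSz)   memcpy(out + 2 + ctxSz, m, mSz);
    return 2 + ctxSz + mSz;
}
```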
