[Bug]: The default type of the LmsParams.sig_len field is word16, which will overflow when using LMS_SHA256_M32_H5 and LMOTS_SHA256_N32_W1, level:8.

[feedline]

Contact Details

No response

Version

WolfSSL version: 5.8.4

Description

When I cross-tested the signature generated by my self-implemented LMS_SHA256_M32_H5 LMOTS_SHA256_N32_W1 algorithm with wolfssl, I encountered a BUFF_E error. The test results for levels 1-7 were all PASS, with the error only occurring in level 8. I checked and found that my sig_len was actually 69868, and wolfssl's LmsParams was 4332. Therefore, I believe this is a bug caused by type overflow.

Reproduction steps

./configure --enable-lms --enable-xmss --enable-mlkem --enable-mldsa --enable-dsa --enable-all --enable-static

Relevant log output

Testing HSS *generate private key case#0, lms: MBEDTLS_LMS_SHA256_M32_H5, lmots: MBEDTLS_LMOTS_SHA256_N32_W1, level:5............................{*Wolfssl*}My sig_len:43648Wolfssl sig_len:43648[PASSED]
Testing HSS *generate private key case#0, lms: MBEDTLS_LMS_SHA256_M32_H5, lmots: MBEDTLS_LMOTS_SHA256_N32_W1, level:6............................{*Wolfssl*}My sig_len:52388Wolfssl sig_len:52388[PASSED]
Testing HSS *generate private key case#0, lms: MBEDTLS_LMS_SHA256_M32_H5, lmots: MBEDTLS_LMOTS_SHA256_N32_W1, level:7............................{*Wolfssl*}My sig_len:61128Wolfssl sig_len:61128[PASSED]
Testing HSS *generate private key case#0, lms: MBEDTLS_LMS_SHA256_M32_H5, lmots: MBEDTLS_LMOTS_SHA256_N32_W1, level:8............................{*Wolfssl*}My sig_len:69868Wolfssl sig_len:4332[FAILED]

[kareem-wolfssl]

Hi @feedline,

Thanks for the report, I see this is still a word16 on master. I'm looking into this with the team.
Can you share your code/a reproducer which is causing sig_len to reach this value?

[kareem-wolfssl]

Hi @feedline,

I've received word that we don't currently support 8 levels in our LMS implementation. Supporting this may require further changes beyond just increasing the size of sig_len.
Can you provide some more information on your use case and why you need 8 levels?

[feedline]

Our developers extended the PQC algorithm based on mbedtls' encoding rules and have their own HSS algorithm implementation. However, during testing, a more authoritative software implementation is needed to verify its correctness. Therefore, we chose a well-known tool that supports the PQC algorithm as the signature verifier.

I tested all configuration combinations based on LMS_ALG_SHA_M32 and LMOTS_ALG_SHA256_N32, levels 1-8. Errors only occurred with LMS_SHA256_M32_H5 and LMOTS_SHA256_N32_W1, level:8, so this issue was reported.