Pass raw message through CryptoCb; expose HashMsg helpers

claude · claude · commit 07f5f326b40f · 2026-04-27T18:13:31.000Z
Reverts the dispatcher-side pre-hashing introduced in 958c5f4 so the crypto-callback receives the raw message and can decide for itself whether to operate on the message (wolfHSM-style) or on a pre-computed digest (PKCS#11 v3.2 CKM_HSS / CKM_XMSS / CKM_XMSSMT). - wc_CryptoInfo.pk.pqc_stateful_sig_sign / _verify go back to msg / msgSz fields. - wc_CryptoCb_PqcStatefulSigSign / _Verify take msg / msgSz again. - wc_lms.c / wc_xmss.c stop hashing before dispatch. The hashing helpers are kept and promoted to public API so a PKCS#11-style callback can produce the right digest from inside the callback when needed: - wc_LmsKey_HashMsg(key, msg, msgSz, hash, *hashSz) declared in wolfssl/wolfcrypt/lms.h. - wc_XmssKey_HashMsg(key, msg, msgSz, hash, *hashSz) declared in wolfssl/wolfcrypt/xmss.h. Both honour the parameter set's hash family (SHA-256 / SHA-256-192 / SHAKE256 / SHAKE256-192 for LMS; SHA-256 / SHA-512 / SHAKE128 / SHAKE256 for XMSS) and now live outside the WOLF_CRYPTO_CB ifdef so they remain available when CryptoCb is disabled. All three config combinations (lms+xmss+cryptocb, lms+xmss, cryptocb alone) build and pass testwolfcrypt. https://claude.ai/code/session_01MixzJP9kPWkS8bhfDDDBnX
diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c
@@ -1068,7 +1068,7 @@ int wc_CryptoCb_PqcStatefulSigKeyGen(int type, void* key, WC_RNG* rng)
     return wc_CryptoCb_TranslateErrorCode(ret);
 }
 
-int wc_CryptoCb_PqcStatefulSigSign(const byte* hash, word32 hashSz, byte* out,
+int wc_CryptoCb_PqcStatefulSigSign(const byte* msg, word32 msgSz, byte* out,
     word32* outSz, int type, void* key)
 {
     int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE);
@@ -1088,8 +1088,8 @@ int wc_CryptoCb_PqcStatefulSigSign(const byte* hash, word32 hashSz, byte* out,
         XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
         cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
         cryptoInfo.pk.type = WC_PK_TYPE_PQC_STATEFUL_SIG_SIGN;
-        cryptoInfo.pk.pqc_stateful_sig_sign.hash = hash;
-        cryptoInfo.pk.pqc_stateful_sig_sign.hashSz = hashSz;
+        cryptoInfo.pk.pqc_stateful_sig_sign.msg = msg;
+        cryptoInfo.pk.pqc_stateful_sig_sign.msgSz = msgSz;
         cryptoInfo.pk.pqc_stateful_sig_sign.out = out;
         cryptoInfo.pk.pqc_stateful_sig_sign.outSz = outSz;
         cryptoInfo.pk.pqc_stateful_sig_sign.key = key;
@@ -1102,7 +1102,7 @@ int wc_CryptoCb_PqcStatefulSigSign(const byte* hash, word32 hashSz, byte* out,
 }
 
 int wc_CryptoCb_PqcStatefulSigVerify(const byte* sig, word32 sigSz,
-    const byte* hash, word32 hashSz, int* res, int type, void* key)
+    const byte* msg, word32 msgSz, int* res, int type, void* key)
 {
     int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE);
     int devId = INVALID_DEVID;
@@ -1123,8 +1123,8 @@ int wc_CryptoCb_PqcStatefulSigVerify(const byte* sig, word32 sigSz,
         cryptoInfo.pk.type = WC_PK_TYPE_PQC_STATEFUL_SIG_VERIFY;
         cryptoInfo.pk.pqc_stateful_sig_verify.sig = sig;
         cryptoInfo.pk.pqc_stateful_sig_verify.sigSz = sigSz;
-        cryptoInfo.pk.pqc_stateful_sig_verify.hash = hash;
-        cryptoInfo.pk.pqc_stateful_sig_verify.hashSz = hashSz;
+        cryptoInfo.pk.pqc_stateful_sig_verify.msg = msg;
+        cryptoInfo.pk.pqc_stateful_sig_verify.msgSz = msgSz;
         cryptoInfo.pk.pqc_stateful_sig_verify.res = res;
         cryptoInfo.pk.pqc_stateful_sig_verify.key = key;
         cryptoInfo.pk.pqc_stateful_sig_verify.type = type;
diff --git a/wolfcrypt/src/wc_lms.c b/wolfcrypt/src/wc_lms.c
@@ -38,28 +38,47 @@
 
 #ifdef WOLF_CRYPTO_CB
     #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
 
-/* Pre-compute the message digest with the hash function dictated by the LMS
- * parameter set. PKCS#11 v3.2 section 6.65 specifies that CKM_HSS takes the
- * pre-computed digest, not the raw message, so every Sign/Verify dispatch
- * through the crypto-callback layer funnels through this helper. */
-static int wc_lms_hash_msg(const LmsParams* params, const byte* msg,
-    word32 msgSz, byte* hash, word32 hashSz)
+/* Compute the digest of msg using the hash function dictated by the LMS
+ * parameter set. Crypto-callback / HSM backends that follow PKCS#11 v3.2
+ * CKM_HSS semantics (pre-computed digest input) can call this from within
+ * their callback; backends that take the raw message (e.g. wolfHSM) can
+ * ignore it. *hashSz is in/out: it must be at least params->hash_len on
+ * entry and is set to the actual digest length on success.
+ *
+ * @param [in]      key     LMS key (must have a parameter set bound).
+ * @param [in]      msg     Message to hash.
+ * @param [in]      msgSz   Length of msg in bytes.
+ * @param [out]     hash    Buffer receiving the digest.
+ * @param [in,out]  hashSz  On entry, size of hash buffer. On success,
+ *                          the digest length.
+ * @return  0 on success.
+ * @return  BAD_FUNC_ARG when an argument is NULL or the buffer is too
+ *          small for the digest.
+ * @return  NOT_COMPILED_IN when the param set's hash family is disabled.
+ */
+int wc_LmsKey_HashMsg(const LmsKey* key, const byte* msg, word32 msgSz,
+    byte* hash, word32* hashSz)
 {
     int ret = 0;
+    word32 needSz;
 
-    if ((params == NULL) || (msg == NULL) || (hash == NULL))
+    if ((key == NULL) || (msg == NULL) || (hash == NULL) || (hashSz == NULL))
+        return BAD_FUNC_ARG;
+    if (key->params == NULL)
         return BAD_FUNC_ARG;
-    if (hashSz != params->hash_len)
+    needSz = (word32)key->params->hash_len;
+    if (*hashSz < needSz)
         return BAD_FUNC_ARG;
 
-    switch (params->lmsType & 0xF000) {
+    switch (key->params->lmsType & 0xF000) {
         case LMS_SHA256:      /* 32-byte SHA-256 */
         case LMS_SHA256_192:  /* SHA-256 truncated to 24 bytes */ {
             byte full[WC_SHA256_DIGEST_SIZE];
             ret = wc_Sha256Hash(msg, msgSz, full);
             if (ret == 0)
-                XMEMCPY(hash, full, hashSz);
+                XMEMCPY(hash, full, needSz);
             break;
         }
     #ifdef WOLFSSL_LMS_SHAKE256
@@ -70,21 +89,23 @@ static int wc_lms_hash_msg(const LmsParams* params, const byte* msg,
             if (ret == 0) {
                 ret = wc_Shake256_Update(&shake, msg, msgSz);
                 if (ret == 0)
-                    ret = wc_Shake256_Final(&shake, hash, hashSz);
+                    ret = wc_Shake256_Final(&shake, hash, needSz);
                 wc_Shake256_Free(&shake);
             }
             break;
         }
     #endif
         default:
-            WOLFSSL_MSG("LMS: unsupported hash family for CryptoCb pre-hash");
+            WOLFSSL_MSG("LMS: unsupported hash family for HashMsg");
             ret = NOT_COMPILED_IN;
             break;
     }
 
+    if (ret == 0)
+        *hashSz = needSz;
+
     return ret;
 }
-#endif
 
 
 /* Calculate u. Appendix B. Works for w of 1, 2, 4, or 8.
@@ -1318,13 +1339,8 @@ int wc_LmsKey_Sign(LmsKey* key, byte* sig, word32* sigSz, const byte* msg,
      * device owns the private state. On CRYPTOCB_UNAVAILABLE fall-through the
      * software checks below still run. */
     if ((ret == 0) && (key->devId != INVALID_DEVID)) {
-        byte hash[LMS_MAX_NODE_LEN];
-        word32 hashSz = key->params->hash_len;
-        ret = wc_lms_hash_msg(key->params, msg, (word32)msgSz, hash, hashSz);
-        if (ret == 0) {
-            ret = wc_CryptoCb_PqcStatefulSigSign(hash, hashSz, sig, sigSz,
-                WC_PQC_STATEFUL_SIG_TYPE_LMS, key);
-        }
+        ret = wc_CryptoCb_PqcStatefulSigSign(msg, (word32)msgSz, sig, sigSz,
+            WC_PQC_STATEFUL_SIG_TYPE_LMS, key);
         if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
             return ret;
         ret = 0; /* fall through to software path */
@@ -1645,14 +1661,9 @@ int wc_LmsKey_Verify(LmsKey* key, const byte* sig, word32 sigSz,
 
 #ifdef WOLF_CRYPTO_CB
     if ((ret == 0) && (key->devId != INVALID_DEVID)) {
-        byte hash[LMS_MAX_NODE_LEN];
-        word32 hashSz = key->params->hash_len;
         int res = 0;
-        ret = wc_lms_hash_msg(key->params, msg, (word32)msgSz, hash, hashSz);
-        if (ret == 0) {
-            ret = wc_CryptoCb_PqcStatefulSigVerify(sig, sigSz, hash, hashSz,
-                &res, WC_PQC_STATEFUL_SIG_TYPE_LMS, key);
-        }
+        ret = wc_CryptoCb_PqcStatefulSigVerify(sig, sigSz, msg, (word32)msgSz,
+            &res, WC_PQC_STATEFUL_SIG_TYPE_LMS, key);
         if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
             if (ret == 0 && res != 1)
                 ret = SIG_VERIFY_E;
diff --git a/wolfcrypt/src/wc_xmss.c b/wolfcrypt/src/wc_xmss.c
@@ -38,31 +38,50 @@
 
 #ifdef WOLF_CRYPTO_CB
     #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
 
-/* Pre-compute the message digest with the hash function dictated by the XMSS
- * parameter set. PKCS#11 v3.2 section 6.66 specifies that CKM_XMSS and
- * CKM_XMSSMT take the pre-computed digest, not the raw message (the section
- * is titled "XMSS and XMSSMT without hashing"), so every Sign/Verify
- * dispatch through the crypto-callback layer funnels through this helper. */
-static int wc_xmss_hash_msg(const XmssParams* params, const byte* msg,
-    word32 msgSz, byte* hash, word32 hashSz)
+/* Compute the digest of msg using the hash function dictated by the XMSS
+ * parameter set. Crypto-callback / HSM backends that follow PKCS#11 v3.2
+ * CKM_XMSS / CKM_XMSSMT semantics (pre-computed digest input, see section
+ * 6.66.8 "XMSS and XMSSMT without hashing") can call this from within
+ * their callback; backends that take the raw message (e.g. wolfHSM) can
+ * ignore it. *hashSz is in/out: it must be at least params->n on entry
+ * and is set to the actual digest length on success.
+ *
+ * @param [in]      key     XMSS key (must have a parameter set bound).
+ * @param [in]      msg     Message to hash.
+ * @param [in]      msgSz   Length of msg in bytes.
+ * @param [out]     hash    Buffer receiving the digest.
+ * @param [in,out]  hashSz  On entry, size of hash buffer. On success,
+ *                          the digest length.
+ * @return  0 on success.
+ * @return  BAD_FUNC_ARG when an argument is NULL or the buffer is too
+ *          small for the digest.
+ * @return  NOT_COMPILED_IN when the param set's hash family is disabled.
+ */
+int wc_XmssKey_HashMsg(const XmssKey* key, const byte* msg, word32 msgSz,
+    byte* hash, word32* hashSz)
 {
     int ret = 0;
+    word32 needSz;
 
-    if ((params == NULL) || (msg == NULL) || (hash == NULL))
+    if ((key == NULL) || (msg == NULL) || (hash == NULL) || (hashSz == NULL))
+        return BAD_FUNC_ARG;
+    if (key->params == NULL)
         return BAD_FUNC_ARG;
-    if (hashSz != params->n)
+    needSz = (word32)key->params->n;
+    if (*hashSz < needSz)
         return BAD_FUNC_ARG;
 
-    switch (params->hash) {
+    switch (key->params->hash) {
     #ifdef WC_XMSS_SHA256
         case WC_HASH_TYPE_SHA256:
-            ret = wc_Hash(WC_HASH_TYPE_SHA256, msg, msgSz, hash, hashSz);
+            ret = wc_Hash(WC_HASH_TYPE_SHA256, msg, msgSz, hash, needSz);
             break;
     #endif
     #ifdef WC_XMSS_SHA512
         case WC_HASH_TYPE_SHA512:
-            ret = wc_Hash(WC_HASH_TYPE_SHA512, msg, msgSz, hash, hashSz);
+            ret = wc_Hash(WC_HASH_TYPE_SHA512, msg, msgSz, hash, needSz);
             break;
     #endif
     #ifdef WC_XMSS_SHAKE128
@@ -72,7 +91,7 @@ static int wc_xmss_hash_msg(const XmssParams* params, const byte* msg,
             if (ret == 0) {
                 ret = wc_Shake128_Update(&shake, msg, msgSz);
                 if (ret == 0)
-                    ret = wc_Shake128_Final(&shake, hash, hashSz);
+                    ret = wc_Shake128_Final(&shake, hash, needSz);
                 wc_Shake128_Free(&shake);
             }
             break;
@@ -85,21 +104,23 @@ static int wc_xmss_hash_msg(const XmssParams* params, const byte* msg,
             if (ret == 0) {
                 ret = wc_Shake256_Update(&shake, msg, msgSz);
                 if (ret == 0)
-                    ret = wc_Shake256_Final(&shake, hash, hashSz);
+                    ret = wc_Shake256_Final(&shake, hash, needSz);
                 wc_Shake256_Free(&shake);
             }
             break;
         }
     #endif
         default:
-            WOLFSSL_MSG("XMSS: unsupported hash for CryptoCb pre-hash");
+            WOLFSSL_MSG("XMSS: unsupported hash for HashMsg");
             ret = NOT_COMPILED_IN;
             break;
     }
 
+    if (ret == 0)
+        *hashSz = needSz;
+
     return ret;
 }
-#endif
 
 
 /***************************
@@ -1412,13 +1433,8 @@ int wc_XmssKey_Sign(XmssKey* key, byte* sig, word32* sigLen, const byte* msg,
      * device owns the private state. On CRYPTOCB_UNAVAILABLE fall-through the
      * software checks below still run. */
     if ((ret == 0) && (key->devId != INVALID_DEVID)) {
-        byte hash[WC_XMSS_MAX_N];
-        word32 hashSz = key->params->n;
-        ret = wc_xmss_hash_msg(key->params, msg, (word32)msgLen, hash, hashSz);
-        if (ret == 0) {
-            ret = wc_CryptoCb_PqcStatefulSigSign(hash, hashSz, sig, sigLen,
-                WC_PQC_STATEFUL_SIG_TYPE_XMSS, key);
-        }
+        ret = wc_CryptoCb_PqcStatefulSigSign(msg, (word32)msgLen, sig, sigLen,
+            WC_PQC_STATEFUL_SIG_TYPE_XMSS, key);
         if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
             return ret;
         ret = 0; /* fall through to software path */
@@ -1765,14 +1781,9 @@ int wc_XmssKey_Verify(XmssKey* key, const byte* sig, word32 sigLen,
 
 #ifdef WOLF_CRYPTO_CB
     if ((ret == 0) && (key->devId != INVALID_DEVID)) {
-        byte hash[WC_XMSS_MAX_N];
-        word32 hashSz = key->params->n;
         int res = 0;
-        ret = wc_xmss_hash_msg(key->params, m, (word32)mLen, hash, hashSz);
-        if (ret == 0) {
-            ret = wc_CryptoCb_PqcStatefulSigVerify(sig, sigLen, hash, hashSz,
-                &res, WC_PQC_STATEFUL_SIG_TYPE_XMSS, key);
-        }
+        ret = wc_CryptoCb_PqcStatefulSigVerify(sig, sigLen, m, (word32)mLen,
+            &res, WC_PQC_STATEFUL_SIG_TYPE_XMSS, key);
         if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
             if (ret == 0 && res != 1)
                 ret = SIG_VERIFY_E;
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -68286,19 +68286,14 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
         else if (info->pk.type == WC_PK_TYPE_PQC_STATEFUL_SIG_SIGN) {
             int pqcType = info->pk.pqc_stateful_sig_sign.type;
             word32 sigSz = *info->pk.pqc_stateful_sig_sign.outSz;
-            /* The dispatcher pre-hashed the message per PKCS#11 v3.2
-             * CKM_HSS / CKM_XMSS semantics. Feed that digest back into
-             * the software API as the "message"; both Sign and Verify
-             * paths do the same pre-hashing so the resulting signature
-             * self-verifies within this harness. */
         #if defined(WOLFSSL_HAVE_LMS) && !defined(WOLFSSL_LMS_VERIFY_ONLY)
             if (pqcType == WC_PQC_STATEFUL_SIG_TYPE_LMS) {
                 LmsKey* lk = (LmsKey*)info->pk.pqc_stateful_sig_sign.key;
                 lk->devId = INVALID_DEVID;
                 ret = wc_LmsKey_Sign(lk,
                     info->pk.pqc_stateful_sig_sign.out, &sigSz,
-                    info->pk.pqc_stateful_sig_sign.hash,
-                    (int)info->pk.pqc_stateful_sig_sign.hashSz);
+                    info->pk.pqc_stateful_sig_sign.msg,
+                    (int)info->pk.pqc_stateful_sig_sign.msgSz);
                 lk->devId = devIdArg;
             }
         #endif
@@ -68308,8 +68303,8 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
                 xk->devId = INVALID_DEVID;
                 ret = wc_XmssKey_Sign(xk,
                     info->pk.pqc_stateful_sig_sign.out, &sigSz,
-                    info->pk.pqc_stateful_sig_sign.hash,
-                    (int)info->pk.pqc_stateful_sig_sign.hashSz);
+                    info->pk.pqc_stateful_sig_sign.msg,
+                    (int)info->pk.pqc_stateful_sig_sign.msgSz);
                 xk->devId = devIdArg;
             }
         #endif
@@ -68325,8 +68320,8 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
                 verifyRet = wc_LmsKey_Verify(lk,
                     info->pk.pqc_stateful_sig_verify.sig,
                     info->pk.pqc_stateful_sig_verify.sigSz,
-                    info->pk.pqc_stateful_sig_verify.hash,
-                    (int)info->pk.pqc_stateful_sig_verify.hashSz);
+                    info->pk.pqc_stateful_sig_verify.msg,
+                    (int)info->pk.pqc_stateful_sig_verify.msgSz);
                 lk->devId = devIdArg;
             }
         #endif
@@ -68337,8 +68332,8 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
                 verifyRet = wc_XmssKey_Verify(xk,
                     info->pk.pqc_stateful_sig_verify.sig,
                     info->pk.pqc_stateful_sig_verify.sigSz,
-                    info->pk.pqc_stateful_sig_verify.hash,
-                    (int)info->pk.pqc_stateful_sig_verify.hashSz);
+                    info->pk.pqc_stateful_sig_verify.msg,
+                    (int)info->pk.pqc_stateful_sig_verify.msgSz);
                 xk->devId = devIdArg;
             }
         #endif
diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h
@@ -362,12 +362,13 @@ typedef struct wc_CryptoInfo {
                 int         type; /* enum wc_PqcStatefulSignatureType */
             } pqc_stateful_sig_kg;
             struct {
-                /* Pre-computed digest of the message. PKCS#11 v3.2
-                 * section 6.65/6.66 ("HSS" / "XMSS and XMSSMT without
-                 * hashing") specifies that CKM_HSS, CKM_XMSS and
-                 * CKM_XMSSMT take a hash, not the raw message. */
-                const byte* hash;
-                word32      hashSz;
+                /* Raw message. Backends following the PKCS#11 v3.2
+                 * CKM_HSS / CKM_XMSS convention of operating on a
+                 * pre-computed digest can call wc_LmsKey_HashMsg /
+                 * wc_XmssKey_HashMsg from inside the callback to obtain
+                 * the algorithm-dictated digest of msg. */
+                const byte* msg;
+                word32      msgSz;
                 byte*       out;
                 word32*     outSz;
                 void*       key;
@@ -376,9 +377,9 @@ typedef struct wc_CryptoInfo {
             struct {
                 const byte* sig;
                 word32      sigSz;
-                /* Pre-computed digest of the message. See sign note. */
-                const byte* hash;
-                word32      hashSz;
+                /* Raw message. See sign note. */
+                const byte* msg;
+                word32      msgSz;
                 int*        res;
                 void*       key;
                 int         type; /* enum wc_PqcStatefulSignatureType */
@@ -761,12 +762,13 @@ WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigGetDevId(int type, void* key);
 
 WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigKeyGen(int type, void* key,
     WC_RNG* rng);
-/* hash is the pre-computed digest of the message; CKM_HSS, CKM_XMSS and
- * CKM_XMSSMT all take the digest, not the raw message (PKCS#11 v3.2). */
-WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigSign(const byte* hash,
-    word32 hashSz, byte* out, word32* outSz, int type, void* key);
+/* The raw message is forwarded to the callback. Backends that follow the
+ * PKCS#11 v3.2 CKM_HSS / CKM_XMSS convention (digest input) can call
+ * wc_LmsKey_HashMsg / wc_XmssKey_HashMsg from inside the callback. */
+WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigSign(const byte* msg,
+    word32 msgSz, byte* out, word32* outSz, int type, void* key);
 WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigVerify(const byte* sig,
-    word32 sigSz, const byte* hash, word32 hashSz, int* res, int type,
+    word32 sigSz, const byte* msg, word32 msgSz, int* res, int type,
     void* key);
 WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigSigsLeft(int type, void* key,
     word32* sigsLeft);
diff --git a/wolfssl/wolfcrypt/lms.h b/wolfssl/wolfcrypt/lms.h
diff --git a/wolfssl/wolfcrypt/xmss.h b/wolfssl/wolfcrypt/xmss.h
