LMS/XMSS CryptoCb: sign/verify now take the pre-computed digest

claude · claude · commit 958c5f42b3f0 · 2026-04-24T22:37:15.000Z
PKCS#11 v3.2 section 6.65 (CKM_HSS) and section 6.66.8 ("XMSS and XMSSMT without hashing") specify that CKM_HSS, CKM_XMSS and CKM_XMSSMT take the pre-computed message digest, not the raw message. Align the crypto-callback layer with that semantic so a future wolfHSM or PKCS#11 provider hooking into the CryptoCb surface receives exactly the bytes PKCS#11 expects. - wc_CryptoInfo.pk.pqc_stateful_sig_sign / _verify rename in/inSz/msg/msgSz fields to hash/hashSz. - wc_CryptoCb_PqcStatefulSigSign / _Verify take hash/hashSz. - wc_lms.c and wc_xmss.c pre-hash the message with the algorithm dictated by the parameter set (SHA-256 or SHAKE256 for LMS; SHA-256/SHA-512/SHAKE128/SHAKE256 for XMSS) before dispatching through the callback. New static helpers wc_lms_hash_msg / wc_xmss_hash_msg encapsulate the param -> hash-type mapping. - myCryptoDevCb feeds the pre-computed digest back into the software API as the "message" when it bounces the op back to software; both Sign and Verify pre-hash the same way, so the round-trip self-verifies inside the harness. - wc_LmsKey_ExportPub / wc_XmssKey_ExportPub now preserve the source key's devId so a verify-only copy still dispatches through the same device. Previously ForceZero left the destination devId at 0 (a valid non-INVALID_DEVID value) which caused a spurious software fallback after ExportPub when sign was done via CryptoCb. All three config combinations (lms+xmss+cryptocb, lms+xmss, cryptocb alone) build and pass testwolfcrypt. https://claude.ai/code/session_01MixzJP9kPWkS8bhfDDDBnX
diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c
@@ -1068,7 +1068,7 @@ int wc_CryptoCb_PqcStatefulSigKeyGen(int type, void* key, WC_RNG* rng)
     return wc_CryptoCb_TranslateErrorCode(ret);
 }
 
-int wc_CryptoCb_PqcStatefulSigSign(const byte* in, word32 inSz, byte* out,
+int wc_CryptoCb_PqcStatefulSigSign(const byte* hash, word32 hashSz, byte* out,
     word32* outSz, int type, void* key)
 {
     int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE);
@@ -1088,8 +1088,8 @@ int wc_CryptoCb_PqcStatefulSigSign(const byte* in, word32 inSz, byte* out,
         XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
         cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
         cryptoInfo.pk.type = WC_PK_TYPE_PQC_STATEFUL_SIG_SIGN;
-        cryptoInfo.pk.pqc_stateful_sig_sign.in = in;
-        cryptoInfo.pk.pqc_stateful_sig_sign.inSz = inSz;
+        cryptoInfo.pk.pqc_stateful_sig_sign.hash = hash;
+        cryptoInfo.pk.pqc_stateful_sig_sign.hashSz = hashSz;
         cryptoInfo.pk.pqc_stateful_sig_sign.out = out;
         cryptoInfo.pk.pqc_stateful_sig_sign.outSz = outSz;
         cryptoInfo.pk.pqc_stateful_sig_sign.key = key;
@@ -1102,7 +1102,7 @@ int wc_CryptoCb_PqcStatefulSigSign(const byte* in, word32 inSz, byte* out,
 }
 
 int wc_CryptoCb_PqcStatefulSigVerify(const byte* sig, word32 sigSz,
-    const byte* msg, word32 msgSz, int* res, int type, void* key)
+    const byte* hash, word32 hashSz, int* res, int type, void* key)
 {
     int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE);
     int devId = INVALID_DEVID;
@@ -1123,8 +1123,8 @@ int wc_CryptoCb_PqcStatefulSigVerify(const byte* sig, word32 sigSz,
         cryptoInfo.pk.type = WC_PK_TYPE_PQC_STATEFUL_SIG_VERIFY;
         cryptoInfo.pk.pqc_stateful_sig_verify.sig = sig;
         cryptoInfo.pk.pqc_stateful_sig_verify.sigSz = sigSz;
-        cryptoInfo.pk.pqc_stateful_sig_verify.msg = msg;
-        cryptoInfo.pk.pqc_stateful_sig_verify.msgSz = msgSz;
+        cryptoInfo.pk.pqc_stateful_sig_verify.hash = hash;
+        cryptoInfo.pk.pqc_stateful_sig_verify.hashSz = hashSz;
         cryptoInfo.pk.pqc_stateful_sig_verify.res = res;
         cryptoInfo.pk.pqc_stateful_sig_verify.key = key;
         cryptoInfo.pk.pqc_stateful_sig_verify.type = type;
diff --git a/wolfcrypt/src/wc_lms.c b/wolfcrypt/src/wc_lms.c
@@ -38,6 +38,52 @@
 
 #ifdef WOLF_CRYPTO_CB
     #include <wolfssl/wolfcrypt/cryptocb.h>
+
+/* Pre-compute the message digest with the hash function dictated by the LMS
+ * parameter set. PKCS#11 v3.2 section 6.65 specifies that CKM_HSS takes the
+ * pre-computed digest, not the raw message, so every Sign/Verify dispatch
+ * through the crypto-callback layer funnels through this helper. */
+static int wc_lms_hash_msg(const LmsParams* params, const byte* msg,
+    word32 msgSz, byte* hash, word32 hashSz)
+{
+    int ret = 0;
+
+    if ((params == NULL) || (msg == NULL) || (hash == NULL))
+        return BAD_FUNC_ARG;
+    if (hashSz != params->hash_len)
+        return BAD_FUNC_ARG;
+
+    switch (params->lmsType & 0xF000) {
+        case LMS_SHA256:      /* 32-byte SHA-256 */
+        case LMS_SHA256_192:  /* SHA-256 truncated to 24 bytes */ {
+            byte full[WC_SHA256_DIGEST_SIZE];
+            ret = wc_Sha256Hash(msg, msgSz, full);
+            if (ret == 0)
+                XMEMCPY(hash, full, hashSz);
+            break;
+        }
+    #ifdef WOLFSSL_LMS_SHAKE256
+        case LMS_SHAKE256:      /* SHAKE256 with 32-byte output */
+        case LMS_SHAKE256_192:  /* SHAKE256 with 24-byte output */ {
+            wc_Shake shake;
+            ret = wc_InitShake256(&shake, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&shake, msg, msgSz);
+                if (ret == 0)
+                    ret = wc_Shake256_Final(&shake, hash, hashSz);
+                wc_Shake256_Free(&shake);
+            }
+            break;
+        }
+    #endif
+        default:
+            WOLFSSL_MSG("LMS: unsupported hash family for CryptoCb pre-hash");
+            ret = NOT_COMPILED_IN;
+            break;
+    }
+
+    return ret;
+}
 #endif
 
 
@@ -1272,8 +1318,13 @@ int wc_LmsKey_Sign(LmsKey* key, byte* sig, word32* sigSz, const byte* msg,
      * device owns the private state. On CRYPTOCB_UNAVAILABLE fall-through the
      * software checks below still run. */
     if ((ret == 0) && (key->devId != INVALID_DEVID)) {
-        ret = wc_CryptoCb_PqcStatefulSigSign(msg, (word32)msgSz, sig, sigSz,
-            WC_PQC_STATEFUL_SIG_TYPE_LMS, key);
+        byte hash[LMS_MAX_NODE_LEN];
+        word32 hashSz = key->params->hash_len;
+        ret = wc_lms_hash_msg(key->params, msg, (word32)msgSz, hash, hashSz);
+        if (ret == 0) {
+            ret = wc_CryptoCb_PqcStatefulSigSign(hash, hashSz, sig, sigSz,
+                WC_PQC_STATEFUL_SIG_TYPE_LMS, key);
+        }
         if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
             return ret;
         ret = 0; /* fall through to software path */
@@ -1436,6 +1487,12 @@ int wc_LmsKey_ExportPub(LmsKey* keyDst, const LmsKey* keySrc)
         keyDst->params = keySrc->params;
         XMEMCPY(keyDst->pub, keySrc->pub, sizeof(keySrc->pub));
 
+    #ifdef WOLF_CRYPTO_CB
+        /* Preserve the source key's device binding so the verify-only
+         * copy dispatches through the same crypto callback. */
+        keyDst->devId = keySrc->devId;
+    #endif
+
         /* Mark this key as verify only, to prevent misuse. */
         keyDst->state = WC_LMS_STATE_VERIFYONLY;
     }
@@ -1588,9 +1645,14 @@ int wc_LmsKey_Verify(LmsKey* key, const byte* sig, word32 sigSz,
 
 #ifdef WOLF_CRYPTO_CB
     if ((ret == 0) && (key->devId != INVALID_DEVID)) {
+        byte hash[LMS_MAX_NODE_LEN];
+        word32 hashSz = key->params->hash_len;
         int res = 0;
-        ret = wc_CryptoCb_PqcStatefulSigVerify(sig, sigSz, msg, (word32)msgSz,
-            &res, WC_PQC_STATEFUL_SIG_TYPE_LMS, key);
+        ret = wc_lms_hash_msg(key->params, msg, (word32)msgSz, hash, hashSz);
+        if (ret == 0) {
+            ret = wc_CryptoCb_PqcStatefulSigVerify(sig, sigSz, hash, hashSz,
+                &res, WC_PQC_STATEFUL_SIG_TYPE_LMS, key);
+        }
         if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
             if (ret == 0 && res != 1)
                 ret = SIG_VERIFY_E;
diff --git a/wolfcrypt/src/wc_xmss.c b/wolfcrypt/src/wc_xmss.c
@@ -38,6 +38,67 @@
 
 #ifdef WOLF_CRYPTO_CB
     #include <wolfssl/wolfcrypt/cryptocb.h>
+
+/* Pre-compute the message digest with the hash function dictated by the XMSS
+ * parameter set. PKCS#11 v3.2 section 6.66 specifies that CKM_XMSS and
+ * CKM_XMSSMT take the pre-computed digest, not the raw message (the section
+ * is titled "XMSS and XMSSMT without hashing"), so every Sign/Verify
+ * dispatch through the crypto-callback layer funnels through this helper. */
+static int wc_xmss_hash_msg(const XmssParams* params, const byte* msg,
+    word32 msgSz, byte* hash, word32 hashSz)
+{
+    int ret = 0;
+
+    if ((params == NULL) || (msg == NULL) || (hash == NULL))
+        return BAD_FUNC_ARG;
+    if (hashSz != params->n)
+        return BAD_FUNC_ARG;
+
+    switch (params->hash) {
+    #ifdef WC_XMSS_SHA256
+        case WC_HASH_TYPE_SHA256:
+            ret = wc_Hash(WC_HASH_TYPE_SHA256, msg, msgSz, hash, hashSz);
+            break;
+    #endif
+    #ifdef WC_XMSS_SHA512
+        case WC_HASH_TYPE_SHA512:
+            ret = wc_Hash(WC_HASH_TYPE_SHA512, msg, msgSz, hash, hashSz);
+            break;
+    #endif
+    #ifdef WC_XMSS_SHAKE128
+        case WC_HASH_TYPE_SHAKE128: {
+            wc_Shake shake;
+            ret = wc_InitShake128(&shake, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                ret = wc_Shake128_Update(&shake, msg, msgSz);
+                if (ret == 0)
+                    ret = wc_Shake128_Final(&shake, hash, hashSz);
+                wc_Shake128_Free(&shake);
+            }
+            break;
+        }
+    #endif
+    #ifdef WC_XMSS_SHAKE256
+        case WC_HASH_TYPE_SHAKE256: {
+            wc_Shake shake;
+            ret = wc_InitShake256(&shake, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&shake, msg, msgSz);
+                if (ret == 0)
+                    ret = wc_Shake256_Final(&shake, hash, hashSz);
+                wc_Shake256_Free(&shake);
+            }
+            break;
+        }
+    #endif
+        default:
+            WOLFSSL_MSG("XMSS: unsupported hash for CryptoCb pre-hash");
+            ret = NOT_COMPILED_IN;
+            break;
+    }
+
+    return ret;
+}
 #endif
 
 
@@ -1351,8 +1412,13 @@ int wc_XmssKey_Sign(XmssKey* key, byte* sig, word32* sigLen, const byte* msg,
      * device owns the private state. On CRYPTOCB_UNAVAILABLE fall-through the
      * software checks below still run. */
     if ((ret == 0) && (key->devId != INVALID_DEVID)) {
-        ret = wc_CryptoCb_PqcStatefulSigSign(msg, (word32)msgLen, sig, sigLen,
-            WC_PQC_STATEFUL_SIG_TYPE_XMSS, key);
+        byte hash[WC_XMSS_MAX_N];
+        word32 hashSz = key->params->n;
+        ret = wc_xmss_hash_msg(key->params, msg, (word32)msgLen, hash, hashSz);
+        if (ret == 0) {
+            ret = wc_CryptoCb_PqcStatefulSigSign(hash, hashSz, sig, sigLen,
+                WC_PQC_STATEFUL_SIG_TYPE_XMSS, key);
+        }
         if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
             return ret;
         ret = 0; /* fall through to software path */
@@ -1498,6 +1564,12 @@ int wc_XmssKey_ExportPub(XmssKey* keyDst, const XmssKey* keySrc)
         keyDst->oid = keySrc->oid;
         keyDst->is_xmssmt = keySrc->is_xmssmt;
         keyDst->params = keySrc->params;
+
+    #ifdef WOLF_CRYPTO_CB
+        /* Preserve the source key's device binding so the verify-only
+         * copy dispatches through the same crypto callback. */
+        keyDst->devId = keySrc->devId;
+    #endif
     }
     if (ret == 0) {
         /* Mark keyDst as verify only, to prevent misuse. */
@@ -1693,9 +1765,14 @@ int wc_XmssKey_Verify(XmssKey* key, const byte* sig, word32 sigLen,
 
 #ifdef WOLF_CRYPTO_CB
     if ((ret == 0) && (key->devId != INVALID_DEVID)) {
+        byte hash[WC_XMSS_MAX_N];
+        word32 hashSz = key->params->n;
         int res = 0;
-        ret = wc_CryptoCb_PqcStatefulSigVerify(sig, sigLen, m, (word32)mLen,
-            &res, WC_PQC_STATEFUL_SIG_TYPE_XMSS, key);
+        ret = wc_xmss_hash_msg(key->params, m, (word32)mLen, hash, hashSz);
+        if (ret == 0) {
+            ret = wc_CryptoCb_PqcStatefulSigVerify(sig, sigLen, hash, hashSz,
+                &res, WC_PQC_STATEFUL_SIG_TYPE_XMSS, key);
+        }
         if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
             if (ret == 0 && res != 1)
                 ret = SIG_VERIFY_E;
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -68286,14 +68286,19 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
         else if (info->pk.type == WC_PK_TYPE_PQC_STATEFUL_SIG_SIGN) {
             int pqcType = info->pk.pqc_stateful_sig_sign.type;
             word32 sigSz = *info->pk.pqc_stateful_sig_sign.outSz;
+            /* The dispatcher pre-hashed the message per PKCS#11 v3.2
+             * CKM_HSS / CKM_XMSS semantics. Feed that digest back into
+             * the software API as the "message"; both Sign and Verify
+             * paths do the same pre-hashing so the resulting signature
+             * self-verifies within this harness. */
         #if defined(WOLFSSL_HAVE_LMS) && !defined(WOLFSSL_LMS_VERIFY_ONLY)
             if (pqcType == WC_PQC_STATEFUL_SIG_TYPE_LMS) {
                 LmsKey* lk = (LmsKey*)info->pk.pqc_stateful_sig_sign.key;
                 lk->devId = INVALID_DEVID;
                 ret = wc_LmsKey_Sign(lk,
                     info->pk.pqc_stateful_sig_sign.out, &sigSz,
-                    info->pk.pqc_stateful_sig_sign.in,
-                    (int)info->pk.pqc_stateful_sig_sign.inSz);
+                    info->pk.pqc_stateful_sig_sign.hash,
+                    (int)info->pk.pqc_stateful_sig_sign.hashSz);
                 lk->devId = devIdArg;
             }
         #endif
@@ -68303,8 +68308,8 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
                 xk->devId = INVALID_DEVID;
                 ret = wc_XmssKey_Sign(xk,
                     info->pk.pqc_stateful_sig_sign.out, &sigSz,
-                    info->pk.pqc_stateful_sig_sign.in,
-                    (int)info->pk.pqc_stateful_sig_sign.inSz);
+                    info->pk.pqc_stateful_sig_sign.hash,
+                    (int)info->pk.pqc_stateful_sig_sign.hashSz);
                 xk->devId = devIdArg;
             }
         #endif
@@ -68320,8 +68325,8 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
                 verifyRet = wc_LmsKey_Verify(lk,
                     info->pk.pqc_stateful_sig_verify.sig,
                     info->pk.pqc_stateful_sig_verify.sigSz,
-                    info->pk.pqc_stateful_sig_verify.msg,
-                    (int)info->pk.pqc_stateful_sig_verify.msgSz);
+                    info->pk.pqc_stateful_sig_verify.hash,
+                    (int)info->pk.pqc_stateful_sig_verify.hashSz);
                 lk->devId = devIdArg;
             }
         #endif
@@ -68332,8 +68337,8 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
                 verifyRet = wc_XmssKey_Verify(xk,
                     info->pk.pqc_stateful_sig_verify.sig,
                     info->pk.pqc_stateful_sig_verify.sigSz,
-                    info->pk.pqc_stateful_sig_verify.msg,
-                    (int)info->pk.pqc_stateful_sig_verify.msgSz);
+                    info->pk.pqc_stateful_sig_verify.hash,
+                    (int)info->pk.pqc_stateful_sig_verify.hashSz);
                 xk->devId = devIdArg;
             }
         #endif
diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h
@@ -362,8 +362,12 @@ typedef struct wc_CryptoInfo {
                 int         type; /* enum wc_PqcStatefulSignatureType */
             } pqc_stateful_sig_kg;
             struct {
-                const byte* in;
-                word32      inSz;
+                /* Pre-computed digest of the message. PKCS#11 v3.2
+                 * section 6.65/6.66 ("HSS" / "XMSS and XMSSMT without
+                 * hashing") specifies that CKM_HSS, CKM_XMSS and
+                 * CKM_XMSSMT take a hash, not the raw message. */
+                const byte* hash;
+                word32      hashSz;
                 byte*       out;
                 word32*     outSz;
                 void*       key;
@@ -372,8 +376,9 @@ typedef struct wc_CryptoInfo {
             struct {
                 const byte* sig;
                 word32      sigSz;
-                const byte* msg;
-                word32      msgSz;
+                /* Pre-computed digest of the message. See sign note. */
+                const byte* hash;
+                word32      hashSz;
                 int*        res;
                 void*       key;
                 int         type; /* enum wc_PqcStatefulSignatureType */
@@ -756,10 +761,12 @@ WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigGetDevId(int type, void* key);
 
 WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigKeyGen(int type, void* key,
     WC_RNG* rng);
-WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigSign(const byte* in, word32 inSz,
-    byte* out, word32* outSz, int type, void* key);
+/* hash is the pre-computed digest of the message; CKM_HSS, CKM_XMSS and
+ * CKM_XMSSMT all take the digest, not the raw message (PKCS#11 v3.2). */
+WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigSign(const byte* hash,
+    word32 hashSz, byte* out, word32* outSz, int type, void* key);
 WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigVerify(const byte* sig,
-    word32 sigSz, const byte* msg, word32 msgSz, int* res, int type,
+    word32 sigSz, const byte* hash, word32 hashSz, int* res, int type,
     void* key);
 WOLFSSL_LOCAL int wc_CryptoCb_PqcStatefulSigSigsLeft(int type, void* key,
     word32* sigsLeft);
