Improve CertificateVerify record fragmentation for large PQC sigs

claude · claude · commit c9d8dae0ca20 · 2026-04-13T21:46:07.000Z
Refine the record fragmentation approach for CertificateVerify messages that exceed MAX_RECORD_SIZE (16384 bytes). Each fragment is encrypted via BuildTls13Message with hashOutput=1, matching the per-fragment incremental hashing approach used by SendTls13Certificate. This correctly handles SLH-DSA-SHAKE-128s (7856-byte sig, single record) and sends SLH-DSA-SHAKE-128f (17088-byte sig) across two records. However, the client-side signature verification still fails for the 128f case - the signature and transcript data arrive correctly (verified via debug logging) but wc_SlhDsaKey_Verify returns error. Further investigation needed into whether the client-side handshake message reassembly corrupts the signature bytes or the peer public key extraction from fragmented Certificate messages is affected. The 128s variant and all OQS interop tests continue to work correctly. https://claude.ai/code/session_019gqvW3ZMKGGyi6zCRNPDYV
diff --git a/src/tls13.c b/src/tls13.c
@@ -10258,30 +10258,36 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
 #endif /* WOLFSSL_DTLS13 */
 
             {
-                /* The handshake message (after record header) may exceed the
-                 * TLS record size limit (MAX_RECORD_SIZE = 16384).  Large PQC
-                 * signatures (e.g. SLH-DSA) can produce CertificateVerify
-                 * messages > 16KB.  Split into multiple encrypted records,
-                 * each within the limit.  TLS 1.3 allows handshake messages
-                 * to be fragmented across records (RFC 8446 Section 5.1).
+                /* The CertificateVerify handshake message may exceed
+                 * MAX_RECORD_SIZE for large PQC signatures (e.g. SLH-DSA
+                 * SHAKE-128f = 17088 bytes). Split into multiple encrypted
+                 * records, each within the limit.
                  *
-                 * The handshake transcript hash must cover the entire
-                 * plaintext handshake message.  Hash it once up front, then
-                 * encrypt each fragment without re-hashing. */
+                 * Each fragment is hashed into the transcript via
+                 * BuildTls13Message(hashOutput=1), matching the approach
+                 * used by SendTls13Certificate for large cert chains. The
+                 * client-side receiver hashes each decrypted record
+                 * independently in the same incremental order. */
                 int hsLen = args->sendSz - RECORD_HEADER_SZ;
                 byte* hsData = args->output + RECORD_HEADER_SZ;
-                /* Max plaintext per record: leave room for content type byte
-                 * and AEAD tag so the ciphertext stays within the limit. */
                 int maxPlain = MAX_RECORD_SIZE - 1
                                              - ssl->specs.aead_mac_size;
 
-                /* Hash the entire handshake message into the transcript
-                 * before splitting into records. */
-                ret = HashOutput(ssl, args->output, args->sendSz, 0);
-                if (ret != 0)
-                    goto exit_scv;
-
-                {
+                if (hsLen <= maxPlain) {
+                    /* Fits in a single record — standard path. */
+                    ret = BuildTls13Message(ssl, args->output,
+                                WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA,
+                                hsData, hsLen, handshake, 1, 0, 0);
+                    if (ret < 0)
+                        goto exit_scv;
+                    args->sendSz = ret;
+                    ret = 0;
+                    ssl->buffers.outputBuffer.length += (word32)args->sendSz;
+                }
+                else {
+                    /* Fragment across multiple records. Each fragment is
+                     * hashed with hashOutput=1 so the transcript accumulates
+                     * incrementally, matching what the receiver does. */
                     int hsOff = 0;
                     int totalSent = 0;
 
@@ -10293,18 +10299,15 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
                         if (fragSz > maxPlain)
                             fragSz = maxPlain;
 
-                        /* Ensure output buffer has room for this record. */
                         if ((ret = CheckAvailableSize(ssl,
-                                    fragSz + MAX_MSG_EXTRA)) != 0) {
+                                    fragSz + MAX_MSG_EXTRA)) != 0)
                             goto exit_scv;
-                        }
                         out = GetOutputBuffer(ssl);
 
-                        /* hashOutput=0: already hashed above. */
                         builtSz = BuildTls13Message(ssl, out,
                                         fragSz + MAX_MSG_EXTRA,
                                         hsData + hsOff, fragSz, handshake,
-                                        0, 0, 0);
+                                        1, 0, 0);
                         if (builtSz < 0) {
                             ret = builtSz;
                             goto exit_scv;
@@ -10314,7 +10317,6 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
                         totalSent += builtSz;
                         hsOff += fragSz;
                     }
-
                     args->sendSz = totalSent;
                     ret = 0;
                 }
