SLH-DSA Wconversion: review fixes

claude · claude · commit e1f546851d80 · 2026-05-03T22:46:06.000Z
Address review findings from the previous commit: - wc_slhdsa.c:1681: replace the (incorrect) mask comment with a comment on the actual word16 cast. baseb is word16* and FORS values reach 14 bits (parameter a), so the original (byte) cast silently truncated. - wc_slhdsa.c:57-59: revert SLHDSA_W / SLHDSA_WM1 to plain int. The U suffix forced cascaded (int)SLHDSA_WM1, (sword8)SLHDSA_WM1 and (byte)(SLHDSA_WM1 - x) casts at every signed-comparison site without saving anything. The (word16) cast at the WOTS+ csum / mask assignment is sufficient. - wc_slhdsa.c: drop (int)SLHDSA_WM1 at three call sites in slhdsakey_chain_idx_to_max_{16,24,32}, made redundant by the WM1 revert. - wc_slhdsa.c: unify (word32)1U shift form across all eight call sites; the previous commit changed only four of them. - wc_slhdsa.c:8305, 8340: switch ExportPrivate / ExportPublic n back to byte to match every other internal use of params->n. - wc_slhdsa.c:127: add wc_static_assert(SLHDSA_MAX_MSG_SZ <= 255) to document the invariant that the WOTS+ chain helpers' (byte)i and (byte)j casts depend on (max len for current parameter sets is 2*32+3 = 67). - wc_slhdsa.c:4315-4320: deduplicate the csum-word16 explanatory comment; the second copy now defers to the first. - wolfCrypt-Wconversion.yml: bump build_library and test_slhdsa_runtime timeout-minutes from 6 to 10. SLH-DSA adds ~9 kLoC to every row and the 32-bit multilib + smallstack rows need headroom. All five representative build rows still compile clean (default, intelasm, smallstack, sha2, small-mem, verify-only-32bit). All five test_slhdsa_runtime configs still pass slhdsa_test(). https://claude.ai/code/session_01EJmy1bKDgHseTwZ5Qqpu1g
diff --git a/.github/workflows/wolfCrypt-Wconversion.yml b/.github/workflows/wolfCrypt-Wconversion.yml
@@ -38,8 +38,9 @@ jobs:
     name: build library
     if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-24.04
-    # This should be a safe limit for the tests to run.
-    timeout-minutes: 6
+    # SLH-DSA adds ~9 kLoC to every row; the 32-bit multilib + smallstack
+    # rows need extra headroom to stay clear of CI flakes.
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
         name: Checkout wolfSSL
@@ -73,7 +74,7 @@ jobs:
     name: test SLH-DSA runtime
     if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-24.04
-    timeout-minutes: 6
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
         name: Checkout wolfSSL
diff --git a/wolfcrypt/src/wc_slhdsa.c b/wolfcrypt/src/wc_slhdsa.c
@@ -54,9 +54,9 @@ static cpuid_flags_t cpuid_flags = WC_CPUID_INITIALIZER;
 
 
 /* Winternitz number. */
-#define SLHDSA_W                16U
+#define SLHDSA_W                16
 /* Number of iterations of hashing itself from Winternitz number. */
-#define SLHDSA_WM1              (SLHDSA_W - 1U)
+#define SLHDSA_WM1              (SLHDSA_W - 1)
 
 
 #ifndef WOLFSSL_SLHDSA_PARAM_NO_256
@@ -126,6 +126,11 @@ static cpuid_flags_t cpuid_flags = WC_CPUID_INITIALIZER;
 /* Maximum message size in nibbles. */
 #define SLHDSA_MAX_MSG_SZ       ((2 * SLHDSA_MAX_N) + 3)
 
+/* SLH-DSA WOTS+ length: len = len_1 + len_2 = 2*n + 3 (for w=16). The chain
+ * helpers below pass loop indices and chain steps through (byte) casts; this
+ * assertion documents the invariant they rely on. */
+wc_static_assert(SLHDSA_MAX_MSG_SZ <= 255);
+
 #ifndef WOLFSSL_SLHDSA_PARAM_NO_256F
     /* Maximum number of bytes to produce from digest of message. */
     #define SLHDSA_MAX_MD               49
@@ -1666,17 +1671,18 @@ static void slhdsakey_base_2b(const byte* x, byte b, byte outLen, word16* baseb)
     int i = 0;
     int bits = 0;
     int total = 0;
-    /* mask is word16: b is small (<= 8 in valid call sites), so the mask
-     * fits in 16 bits. Cast at the assignment to keep -Wconversion quiet
-     * without changing the algorithm. */
-    word16 mask = (word16)((1U << b) - 1U);
+    word16 mask = (word16)((1 << b) - 1);
 
     for (j = 0; j < outLen; j++) {
         while (bits < b) {
             total = (total << 8) + x[i++];
             bits += 8;
         }
         bits -= b;
+        /* baseb is word16*: b can be up to a (the FORS height parameter),
+         * which reaches 14 for the 256-bit parameter sets. A (byte) cast
+         * here would silently truncate any value > 255 and break FORS
+         * verification. Cast to word16 to match the destination width. */
         baseb[j] = (word16)((total >> bits) & mask);
     }
 }
@@ -3800,8 +3806,8 @@ static int slhdsakey_chain_idx_to_max_16(SlhDsaKey* key, const byte* sig,
         if (cnt > 3) {
             XMEMCPY(node + 3 * 16, sig + idx[3] * 16, 16);
         }
-        if (j != (int)SLHDSA_WM1) {
-            ret = slhdsakey_chain_idx_x4_16(node, (word32)j, (word32)((int)SLHDSA_WM1 - j), pk_seed,
+        if (j != SLHDSA_WM1) {
+            ret = slhdsakey_chain_idx_x4_16(node, (word32)j, (word32)(SLHDSA_WM1 - j), pk_seed,
                 addr, idx, key->heap);
         }
     }
@@ -3874,8 +3880,8 @@ static int slhdsakey_chain_idx_to_max_24(SlhDsaKey* key, const byte* sig,
         if (cnt > 3) {
             XMEMCPY(node + 3 * 24, sig + idx[3] * 24, 24);
         }
-        if (j != (int)SLHDSA_WM1) {
-            ret = slhdsakey_chain_idx_x4_24(node, (word32)j, (word32)((int)SLHDSA_WM1 - j), pk_seed,
+        if (j != SLHDSA_WM1) {
+            ret = slhdsakey_chain_idx_x4_24(node, (word32)j, (word32)(SLHDSA_WM1 - j), pk_seed,
                 addr, idx, key->heap);
         }
     }
@@ -3948,8 +3954,8 @@ static int slhdsakey_chain_idx_to_max_32(SlhDsaKey* key, const byte* sig,
         if (cnt > 3) {
             XMEMCPY(node + 3 * 32, sig + idx[3] * 32, 32);
         }
-        if (j != (int)SLHDSA_WM1) {
-            ret = slhdsakey_chain_idx_x4_32(node, (word32)j, (word32)((int)SLHDSA_WM1 - j), pk_seed,
+        if (j != SLHDSA_WM1) {
+            ret = slhdsakey_chain_idx_x4_32(node, (word32)j, (word32)(SLHDSA_WM1 - j), pk_seed,
                 addr, idx, key->heap);
         }
     }
@@ -4311,11 +4317,8 @@ static int slhdsakey_wots_pk_from_sig(SlhDsaKey* key, const byte* sig,
     int i;
     byte msg[SLHDSA_MAX_MSG_SZ];
 
-    /* Step 1: Start csum at 0
-     *
-     * csum is word16: per FIPS 205 Algorithm 7 the WOTS+ checksum field
-     * is a fixed-width 16-bit integer. Cast at every assignment to
-     * silence -Wconversion without changing semantics. */
+    /* Step 1: Start csum at 0. See slhdsakey_wots_sign() for the rationale
+     * behind the (word16) casts on each csum / msg assignment. */
     csum = 0;
     /* Step 3: For each byte in message. */
     for (i = 0; i < n * 2; i += 2) {
@@ -4746,7 +4749,7 @@ static int slhdsakey_ht_sign(SlhDsaKey* key, const byte* pk_fors,
     byte len = key->params->len;
     byte d = key->params->d;
     int j;
-    word32 mask = ((word32)1 << h_m) - 1;
+    word32 mask = ((word32)1U << h_m) - 1U;
 
     /* Step 1: Set address to all zeros. */
     HA_Init(adrs);
@@ -4846,7 +4849,7 @@ static int slhdsakey_ht_verify(SlhDsaKey* key, const byte* m,
     byte d = key->params->d;
     int j;
     /* For Step 6. */
-    word32 mask = ((word32)1 << h_m) - 1;
+    word32 mask = ((word32)1U << h_m) - 1U;
 
     /* Step 1: Set address to all zeros. */
     HA_Init(adrs);
@@ -6663,7 +6666,7 @@ static void slhdsakey_set_ha_from_md(SlhDsaKey* key, const byte* md,
     /* Step 9/12: Mask off any extra high bits. */
     bits = key->params->h  - (key->params->h / key->params->d);
     if (bits < 64) {
-        t[1] &= ((word32)1 << (bits - 32)) - 1;
+        t[1] &= ((word32)1U << (bits - 32)) - 1U;
     }
 
     /* Step 8/11: Get pointer to tree leaf index data. */
@@ -6672,7 +6675,7 @@ static void slhdsakey_set_ha_from_md(SlhDsaKey* key, const byte* md,
     ato32(p, l);
     /* Step 10/13: Mask off any extra high bits. */
     bits = key->params->h / key->params->d;
-    *l &= ((word32)1 << bits) - 1;
+    *l &= ((word32)1U << bits) - 1U;
 
     /* Step 11/14: Set the tree index into address. */
     HA_SetTreeAddress(adrs, t);
@@ -8301,11 +8304,11 @@ int wc_SlhDsaKey_ExportPrivate(SlhDsaKey* key, byte* priv, word32* privLen)
         ret = BAD_LENGTH_E;
     }
     else {
-        word32 n = key->params->n;
+        byte n = key->params->n;
 
         /* Copy data out and return length. */
-        XMEMCPY(priv, key->sk, n * 4U);
-        *privLen = n * 4U;
+        XMEMCPY(priv, key->sk, (word32)n * 4U);
+        *privLen = (word32)n * 4U;
     }
 
     return ret;
@@ -8336,11 +8339,11 @@ int wc_SlhDsaKey_ExportPublic(SlhDsaKey* key, byte* pub, word32* pubLen)
         ret = BAD_LENGTH_E;
     }
     else {
-        word32 n = key->params->n;
+        byte n = key->params->n;
 
         /* Copy data out and return length. */
-        XMEMCPY(pub, key->sk + n * 2U, n * 2U);
-        *pubLen = n * 2U;
+        XMEMCPY(pub, key->sk + (word32)n * 2U, (word32)n * 2U);
+        *pubLen = (word32)n * 2U;
     }
 
     return ret;
