Fail fast when ML-KEM KEY_EXCHANGE exceeds responder DataTransferSize (no CHUNK_SEND)

aidangarske · aidangarske · commit 99bd13394d7e · 2026-06-11T09:00:21.000-07:00
diff --git a/docs/Message-Chunking.md b/docs/Message-Chunking.md
@@ -79,14 +79,21 @@ The mechanism has two directions, controlled by different endpoints:
   the requester decides to chunk its own outbound request; a responder cannot
   force it.
 
-Every request wolfSPDM builds (GET_VERSION through GET_MEASUREMENTS,
-KEY_EXCHANGE, FINISH) is small and fixed, well under any responder's
-`DataTransferSize`, so `CHUNK_SEND` is never needed — it is not applicable to
-this library's traffic rather than missing. `CHUNK_CAP` advertises support for
-the large-message mechanism; it does not obligate an endpoint to chunk requests
-it never sends, so a requester that only emits small requests is fully
-conformant supporting `CHUNK_GET` alone. `CHUNK_SEND` / `CHUNK_SEND_ACK` are
-defined in `spdm_types.h` for completeness but intentionally unimplemented.
+Almost every request wolfSPDM builds (GET_VERSION through GET_MEASUREMENTS,
+FINISH) is small and fixed, well under any responder's `DataTransferSize`. The
+one exception is an **ML-KEM** KEY_EXCHANGE, whose `ExchangeData` carries the
+encapsulation key `ek` (800/1184/1568 B for ML-KEM-512/768/1024) — a request of
+~870–1640 B. This still fits common responders (e.g. spdm-emu advertises
+4608 B), but a constrained responder could advertise a smaller
+`DataTransferSize`. Because `CHUNK_SEND` is unimplemented, `wolfSPDM_KeyExchange`
+**fails fast** (`WOLFSPDM_E_BUFFER_SMALL`) when the built request exceeds the
+responder's `DataTransferSize` rather than emit a non-conformant oversized
+message — so the library never sends something it cannot chunk.
+
+`CHUNK_CAP` advertises support for the large-message mechanism; it does not
+obligate an endpoint to chunk requests it never sends. `CHUNK_SEND` /
+`CHUNK_SEND_ACK` are defined in `spdm_types.h` for completeness but intentionally
+unimplemented; the fail-fast guard keeps that conformant.
 
 ## References
 
diff --git a/src/spdm_session.c b/src/spdm_session.c
@@ -306,6 +306,20 @@ int wolfSPDM_KeyExchange(WOLFSPDM_CTX* ctx)
         return rc;
     }
 
+    /* An ML-KEM encapsulation key makes this request large (up to ~1.6 KB for
+     * ML-KEM-1024), unlike the ~158-byte ECDHE request. wolfSPDM implements
+     * CHUNK_GET (response reassembly) but not CHUNK_SEND (request
+     * fragmentation), so if the request exceeds the responder's advertised
+     * DataTransferSize, fail fast with a clear error rather than transmit a
+     * non-conformant oversized request (DSP0274 Sec. 10.27). */
+    if (ctx->dataTransferSize != 0 && txSz > ctx->dataTransferSize) {
+        wolfSPDM_DebugPrint(ctx,
+            "KEY_EXCHANGE %u B exceeds responder DataTransferSize %u "
+            "(no CHUNK_SEND)\n",
+            (unsigned)txSz, (unsigned)ctx->dataTransferSize);
+        return WOLFSPDM_E_BUFFER_SMALL;
+    }
+
     rc = wolfSPDM_TranscriptAdd(ctx, txBuf, txSz);
     if (rc != WOLFSPDM_SUCCESS) {
         return rc;
