Skip to content

ML-DSA Composite Signature Support#1109

Draft
stenslae wants to merge 2 commits into
wolfSSL:masterfrom
stenslae:ml-dsa-hybrid-support-rebased
Draft

ML-DSA Composite Signature Support#1109
stenslae wants to merge 2 commits into
wolfSSL:masterfrom
stenslae:ml-dsa-hybrid-support-rebased

Conversation

@stenslae

Copy link
Copy Markdown
Member

Introduced support for ML-DSA composite signatures for hybrid post-quantum authentication.

  • Added ML-DSA44-Ed25519 as per draft-miller-sshm-mldsa44-ed25519-composite-sigs
  • Added mldsa44-es256, mldsa65-ed25519, mldsa65-es256, mldsa87-ed448, mldsa87-es384 as per draft-ietf-lamps-pq-composite-sigs-19

@stenslae stenslae self-assigned this Jul 16, 2026

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #1109

Scan targets checked: wolfssh-bugs, wolfssh-src

Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/internal.c
#ifdef WOLFSSL_SHAKE256
if (hashId == WC_HASH_TYPE_SHAKE256) {
wc_Shake shake;
ret = wc_InitShake256(&shake, NULL, INVALID_DEVID);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] Missing wc_Shake256_Free in WS_Hash_Helper leaks context resources · Resource leaks

wc_InitShake256 allocates a wc_Shake context that is never released via wc_Shake256_Free. On any wolfSSL build that allocates heap resources in the SHA-3/SHAKE state (hardware-accelerated or device-keyed configurations), every Ed448 composite auth request leaks that allocation, enabling a DoS through heap exhaustion.

Fix: Call wc_Shake256_Free(&shake) before each return in the #ifdef WOLFSSL_SHAKE256 branch.

fprintf(stderr, "Couldn't use %s key buffer.\n", label);
return -1;
}
WFREE(compBuf, NULL, 0);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] Composite host-key buffer freed without ForceZero in LoadMlDsaCompositeHostKey · Missing ForceZero

compBuf holds the raw OpenSSH composite private key (ML-DSA seed + traditional private key) and is freed with bare WFREE on both the success and error paths, leaving private-key material in the freed heap.

Fix: Call ForceZero(compBuf, compBufSz) before every WFREE(compBuf, ...) call in this function.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants