ML-DSA Composite Signature Support#1109
Conversation
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #1109
Scan targets checked: wolfssh-bugs, wolfssh-src
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
| #ifdef WOLFSSL_SHAKE256 | ||
| if (hashId == WC_HASH_TYPE_SHAKE256) { | ||
| wc_Shake shake; | ||
| ret = wc_InitShake256(&shake, NULL, INVALID_DEVID); |
There was a problem hiding this comment.
🟠 [Medium] Missing wc_Shake256_Free in WS_Hash_Helper leaks context resources · Resource leaks
wc_InitShake256 allocates a wc_Shake context that is never released via wc_Shake256_Free. On any wolfSSL build that allocates heap resources in the SHA-3/SHAKE state (hardware-accelerated or device-keyed configurations), every Ed448 composite auth request leaks that allocation, enabling a DoS through heap exhaustion.
Fix: Call wc_Shake256_Free(&shake) before each return in the #ifdef WOLFSSL_SHAKE256 branch.
| fprintf(stderr, "Couldn't use %s key buffer.\n", label); | ||
| return -1; | ||
| } | ||
| WFREE(compBuf, NULL, 0); |
There was a problem hiding this comment.
🔵 [Low] Composite host-key buffer freed without ForceZero in LoadMlDsaCompositeHostKey · Missing ForceZero
compBuf holds the raw OpenSSH composite private key (ML-DSA seed + traditional private key) and is freed with bare WFREE on both the success and error paths, leaving private-key material in the freed heap.
Fix: Call ForceZero(compBuf, compBufSz) before every WFREE(compBuf, ...) call in this function.
Introduced support for ML-DSA composite signatures for hybrid post-quantum authentication.