openssl compat errors and mldsa oid fix#10785
Conversation
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10785
Scan targets checked: wolfssl-bugs, wolfssl-src
No new issues found in the changed files. ✅
|
Frauschi
left a comment
There was a problem hiding this comment.
🐺 Skoll Code Review
Overall recommendation: REQUEST_CHANGES
Findings: 1 total — 1 posted, 0 skipped
Posted findings
- [Medium] ML-DSA verify uses subject key OID instead of the verifying key's OID for parameter-set selection —
src/x509.c:8959
Review generated by Skoll via Claude/Codex
3df61a4 to
dec7330
Compare
dec7330 to
6da132a
Compare
dgarske
left a comment
There was a problem hiding this comment.
Still seeing CI failures "make check failed for: mldsa-no-asn1-fips204-draft-opensslextra (1 config(s) aborted by fail-fast)"
fd7f182 to
aa9d16d
Compare
|
Consider folding the new ML-DSA fixtures into
Worth wiring the chain into the script: it's the regression fixture for the OID-selection fix here, and since it isn't scripted, the next I'd leave |
aa9d16d to
5799ac6
Compare
Description
verifyX509orX509REQ() was missing a case for ML-DSA public keys, so they returned errors. Added an mldsaOID field that is from the cert's OID in wolfSSL_X509_get_pubkey(). With pkeys with no backing cert, the OID is cached and used for level recognition.
Also fixed the wc_MlDsaKey_PublicKeyDecode() so that auto-detect is checked before the draft mode.
When WOLFSSL_HAVE_ERROR_QUEUE is not defined, all three functions returned (unsigned long)(0 - NOT_COMPILED_IN) (= 174), a non-zero value. This is non-OpenSSL-compatible, so changed all three #else branches to return 0.