wolfcrypt/src/wc_slhdsa.c: fixes for uninited data reads in slhdsakey_wots_sign_chain_x4_*() and slhdsakey_wots_pk_from_sig_x4;

douzzer · douzzer · commit 2ad5afaf4d41 · 2026-03-10T17:51:18.000-05:00
CMakeLists.txt, cmake/functions.cmake, cmake/options.h.in: fixes for -DWOLFSSL_SLHDSA.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -778,6 +778,10 @@ add_option(WOLFSSL_XMSS
     "no" "yes;no")
 
 # SLH-DSA
+add_option(WOLFSSL_SLHDSA
+    "Enable the wolfSSL SLH-DSA implementation (default: disabled)"
+    "no" "yes;no")
+
 if (WOLFSSL_SLHDSA)
     message(STATUS "Automatically set related requirements for SLH-DSA")
     add_definitions("-DWOLFSSL_HAVE_SLHDSA")
@@ -790,10 +794,6 @@ if (WOLFSSL_SLHDSA)
     message(STATUS "Looking for WOLFSSL_SLHDSA - found")
 endif()
 
-add_option(WOLFSSL_SLHDSA
-    "Enable the wolfSSL SLH-DSA implementation (default: disabled)"
-    "no" "yes;no")
-
 # TODO: - Lean PSK
 #       - Lean TLS
 #       - Low resource
diff --git a/cmake/functions.cmake b/cmake/functions.cmake
@@ -226,6 +226,9 @@ function(generate_build_flags)
     if(WOLFSSL_XMSS OR WOLFSSL_USER_SETTINGS)
         set(BUILD_WC_XMSS "yes" PARENT_SCOPE)
     endif()
+    if(WOLFSSL_SLHDSA OR WOLFSSL_USER_SETTINGS)
+        set(BUILD_WC_SLHDSA "yes" PARENT_SCOPE)
+    endif()
     if(WOLFSSL_ARIA OR WOLFSSL_USER_SETTINGS)
         message(STATUS "ARIA functions.cmake found WOLFSSL_ARIA")
         # we cannot actually build, as we only have pre-compiled bin
@@ -1078,6 +1081,10 @@ function(generate_lib_src_list LIB_SOURCES)
             list(APPEND LIB_SOURCES wolfcrypt/src/wc_xmss_impl.c)
         endif()
 
+        if(BUILD_WC_SLHDSA)
+            list(APPEND LIB_SOURCES wolfcrypt/src/wc_slhdsa.c)
+        endif()
+
         if(BUILD_LIBZ)
             list(APPEND LIB_SOURCES wolfcrypt/src/compress.c)
         endif()
diff --git a/cmake/options.h.in b/cmake/options.h.in
@@ -410,6 +410,10 @@ extern "C" {
 #cmakedefine HAVE_SECRET_CALLBACK
 #undef WC_RSA_DIRECT
 #cmakedefine WC_RSA_DIRECT
+#undef WOLFSSL_HAVE_SLHDSA
+#cmakedefine WOLFSSL_HAVE_SLHDSA
+#undef WOLFSSL_WC_SLHDSA
+#cmakedefine WOLFSSL_WC_SLHDSA
 
 #ifdef __cplusplus
 }
diff --git a/wolfcrypt/src/wc_slhdsa.c b/wolfcrypt/src/wc_slhdsa.c
@@ -2547,7 +2547,7 @@ static int slhdsakey_wots_sign_chain_x4_16(SlhDsaKey* key, const byte* msg,
     int i;
     sword8 j;
     byte ii;
-    byte idx[4];
+    byte idx[4] = {0};
     byte n = key->params->n;
     byte len = key->params->len;
     WC_DECLARE_VAR(sk, byte, 4 * 16, key->heap);
@@ -2627,7 +2627,7 @@ static int slhdsakey_wots_sign_chain_x4_24(SlhDsaKey* key, const byte* msg,
     int i;
     sword8 j;
     byte ii;
-    byte idx[4];
+    byte idx[4] = {0};
     byte n = key->params->n;
     byte len = key->params->len;
     WC_DECLARE_VAR(sk, byte, 4 * 24, key->heap);
@@ -2707,7 +2707,7 @@ static int slhdsakey_wots_sign_chain_x4_32(SlhDsaKey* key, const byte* msg,
     int i;
     sword8 j;
     byte ii;
-    byte idx[4];
+    byte idx[4] = {0};
     byte n = key->params->n;
     byte len = key->params->len;
     WC_DECLARE_VAR(sk, byte, 4 * 32, key->heap);
@@ -3183,7 +3183,7 @@ static int slhdsakey_wots_pk_from_sig_x4(SlhDsaKey* key, const byte* sig,
     const byte* msg, const byte* pk_seed, word32* adrs, byte* pk_sig)
 {
     int ret = 0;
-    byte idx[4];
+    byte idx[4] = {0};
     int i;
     byte ii;
     sword8 j;
