On Wed, Nov 26, 2025 at 09:29:10PM +0000, Elliott, Robert (Servers) wrote: > > > > -----Original Message----- > > From: Eric Biggers <[email protected]> > > Subject: [PATCH v2 1/2] lib/crypto: Add ML-DSA verification support > ... > > > +++ b/lib/crypto/mldsa.c > > > +} mldsa_parameter_sets[] = { > > + [MLDSA44] = { > > + .ctilde_len = 32, > > + .pk_len = MLDSA44_PUBLIC_KEY_SIZE, > > + .sig_len = MLDSA44_SIGNATURE_SIZE, > > + }, > > + [MLDSA65] = { > > + .ctilde_len = 48, > > + .pk_len = MLDSA65_PUBLIC_KEY_SIZE, > > + .sig_len = MLDSA65_SIGNATURE_SIZE, > > + }, > > + [MLDSA87] = { > > + .ctilde_len = 64, > > + .pk_len = MLDSA87_PUBLIC_KEY_SIZE, > > + .sig_len = MLDSA87_SIGNATURE_SIZE, > > + }, > ... > > + union { > ... > > + /* The commitment hash. Real length is params->ctilde_len */ > > + u8 ctildeprime[64]; > > + }; > ... > > + /* Recreate the challenge c from the signer's commitment hash. */ > > + sample_in_ball(&ws->c, ctilde, params->ctilde_len, params->tau, > > + &ws->shake); > ... > > + /* Finish computing ctildeprime. */ > > + shake_squeeze(&ws->shake, ws->ctildeprime, params->ctilde_len); > ... > > + /* Verify that ctilde == ctildeprime. */ > > + if (memcmp(ws->ctildeprime, ctilde, params->ctilde_len) != 0) > > + return -EKEYREJECTED; > > Is there any way to ensure that each ctilde_len value is <= 64 > and <= the corresponding .sig_size value at compile time so there's > no risk of overflowing any buffers?
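Review bot: the union member u8 ctildeprime[64] is sized by a bare literal, while shake_squeeze() fills it with params->ctilde_len bytes taken from mldsa_parameter_sets[], so nothing at the declaration ties the buffer size to the table. The three .ctilde_len values shown (32, 48, 64) all fit, but a named maximum used for the array size, plus named per-set lengths in place of the literals, would make the bound visible and checkable at build time. The quoted lines also do not show where the signature length is compared with params->sig_len before sample_in_ball() and memcmp() read params->ctilde_len bytes from ctilde; a comment at that point naming the check would answer the second half of the question.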
Not at compile time, unless we do some fancy validation of each of the three ctilde_len values against the max3() of the signature lengths using macros. It could be checked at runtime in a module_init function. Seems pointless though, given that these parameters are fixed in the ML-DSA specification. The specification uses parameters that make sense and are consistent with each other.

- Eric
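The two options raised in this exchange, a build-time check and a runtime check of the kind a module_init function could run, shown side by side as an added user-space C11 example (not code from the patch or the kernel tree). The *_CTILDE_LEN and MLDSA_MAX_CTILDE_LEN macros, the struct layout and both function names are assumptions; the signature sizes are the FIPS 204 values.

```c
#include <stddef.h>

/* Signature sizes per FIPS 204; macro names as quoted in the thread. */
#define MLDSA44_SIGNATURE_SIZE 2420
#define MLDSA65_SIGNATURE_SIZE 3309
#define MLDSA87_SIGNATURE_SIZE 4627

/* Hypothetical names: the quoted patch uses the literals 32/48/64 and [64]. */
#define MLDSA44_CTILDE_LEN 32
#define MLDSA65_CTILDE_LEN 48
#define MLDSA87_CTILDE_LEN 64
#define MLDSA_MAX_CTILDE_LEN 64	/* would size the ctildeprime buffer */

/* Build-time form: compilation fails if a length outgrows the buffer
 * or the signature that has to contain it. */
#define CHECK_CTILDE(set) \
	_Static_assert(set##_CTILDE_LEN <= MLDSA_MAX_CTILDE_LEN && \
		       set##_CTILDE_LEN <= set##_SIGNATURE_SIZE, \
		       "ctilde_len out of bounds")
CHECK_CTILDE(MLDSA44);
CHECK_CTILDE(MLDSA65);
CHECK_CTILDE(MLDSA87);

struct mldsa_params { size_t ctilde_len, sig_len; };	/* assumed layout */

static const struct mldsa_params mldsa_parameter_sets[] = {
	{ MLDSA44_CTILDE_LEN, MLDSA44_SIGNATURE_SIZE },
	{ MLDSA65_CTILDE_LEN, MLDSA65_SIGNATURE_SIZE },
	{ MLDSA87_CTILDE_LEN, MLDSA87_SIGNATURE_SIZE },
};

/* Runtime form: returns 0 if every set is consistent, -1 otherwise. */
int mldsa_check_params(const struct mldsa_params *p, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (p[i].ctilde_len > MLDSA_MAX_CTILDE_LEN ||
		    p[i].ctilde_len > p[i].sig_len)
			return -1;
	return 0;
}

/* Checks the built-in table, as an init-time self-test would. */
int mldsa_check_builtin(void)
{
	return mldsa_check_params(mldsa_parameter_sets,
		sizeof(mldsa_parameter_sets) / sizeof(mldsa_parameter_sets[0]));
}

int main(void) { return mldsa_check_builtin() ? 1 : 0; }
```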
