> -----Original Message-----
> From: Eric Biggers <[email protected]>
> Subject: [PATCH v2 1/2] lib/crypto: Add ML-DSA verification support
...
> +++ b/lib/crypto/mldsa.c
> +} mldsa_parameter_sets[] = {
> + [MLDSA44] = {
> + .ctilde_len = 32,
> + .pk_len = MLDSA44_PUBLIC_KEY_SIZE,
> + .sig_len = MLDSA44_SIGNATURE_SIZE,
> + },
> + [MLDSA65] = {
> + .ctilde_len = 48,
> + .pk_len = MLDSA65_PUBLIC_KEY_SIZE,
> + .sig_len = MLDSA65_SIGNATURE_SIZE,
> + },
> + [MLDSA87] = {
> + .ctilde_len = 64,
> + .pk_len = MLDSA87_PUBLIC_KEY_SIZE,
> + .sig_len = MLDSA87_SIGNATURE_SIZE,
> + },
...
> + union {
...
> + /* The commitment hash. Real length is params->ctilde_len */
> + u8 ctildeprime[64];
> + };
...
> + /* Recreate the challenge c from the signer's commitment hash. */
> + sample_in_ball(&ws->c, ctilde, params->ctilde_len, params->tau,
> + &ws->shake);
...
> + /* Finish computing ctildeprime. */
> + shake_squeeze(&ws->shake, ws->ctildeprime, params->ctilde_len);
...
> + /* Verify that ctilde == ctildeprime. */
> + if (memcmp(ws->ctildeprime, ctilde, params->ctilde_len) != 0)
> + return -EKEYREJECTED;
Is there any way to ensure that each ctilde_len value is <= 64
and <= the corresponding .sig_size value at compile time so there's
no risk of overflowing any buffers?
