Re: [PATCH 1/4] lib/crypto: Add ML-DSA verification support

From: David Howells

Date: Fri Nov 21 2025 - 16:39:44 EST


Eric Biggers <ebiggers@xxxxxxxxxx> wrote:

> > > + if (memcmp(ws->ctildeprime, ctilde, params->ctilde_len) != 0)
> > > + return -EBADMSG;
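Review bot: The mismatch branch of the memcmp() on ctilde returns -EBADMSG, while the other public-key verify paths listed in this thread (ecdsa.c, ecrdsa.c, rsassa-pkcs1.c) return -EKEYREJECTED. A caller that tests the errno to recognise a rejected signature would see ML-DSA behave differently from those algorithms, so either return -EKEYREJECTED here or state the chosen code in the function's documentation so callers know which value to check.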
> >
> > Actually, this should return -EKEYREJECTED, not -EBADMSG.
>
> Who/what decided that?

I did. When I added RSA support in 2012 for module signing. Note that it
was originally added as part of crypto/asymmetric_keys/ and was not covered by
a crypto API. The RSA code has since been moved to crypto/ and is now
accessed through the crypto API, but it has retained this error code and this
is also used by other public key algos.

> A lot of the crypto code uses -EBADMSG already.
> crypto_aead uses it, for example.

ecdsa.c:60: return -EKEYREJECTED;
ecrdsa.c:111: return -EKEYREJECTED;
ecrdsa.c:139: return -EKEYREJECTED;
ecrdsa.c:239: return -EKEYREJECTED;
rsassa-pkcs1.c:293: return -EKEYREJECTED;
rsassa-pkcs1.c:295: return -EKEYREJECTED;

David