Re: [PATCH v2 1/2] lib/crypto: Add ML-DSA verification support
From: Eric Biggers
Date: Wed Nov 26 2025 - 16:42:16 EST
On Wed, Nov 26, 2025 at 09:29:10PM +0000, Elliott, Robert (Servers) wrote:
>
>
> > -----Original Message-----
> > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> > Subject: [PATCH v2 1/2] lib/crypto: Add ML-DSA verification support
> ...
>
> > +++ b/lib/crypto/mldsa.c
>
> > +} mldsa_parameter_sets[] = {
> > + [MLDSA44] = {
> > + .ctilde_len = 32,
> > + .pk_len = MLDSA44_PUBLIC_KEY_SIZE,
> > + .sig_len = MLDSA44_SIGNATURE_SIZE,
> > + },
> > + [MLDSA65] = {
> > + .ctilde_len = 48,
> > + .pk_len = MLDSA65_PUBLIC_KEY_SIZE,
> > + .sig_len = MLDSA65_SIGNATURE_SIZE,
> > + },
> > + [MLDSA87] = {
> > + .ctilde_len = 64,
> > + .pk_len = MLDSA87_PUBLIC_KEY_SIZE,
> > + .sig_len = MLDSA87_SIGNATURE_SIZE,
> > + },
> ...
> > + union {
> ...
> > + /* The commitment hash. Real length is params->ctilde_len */
> > + u8 ctildeprime[64];
> > + };
> ...
> > + /* Recreate the challenge c from the signer's commitment hash. */
> > + sample_in_ball(&ws->c, ctilde, params->ctilde_len, params->tau,
> > + &ws->shake);
> ...
> > + /* Finish computing ctildeprime. */
> > + shake_squeeze(&ws->shake, ws->ctildeprime, params->ctilde_len);
> ...
> > + /* Verify that ctilde == ctildeprime. */
> > + if (memcmp(ws->ctildeprime, ctilde, params->ctilde_len) != 0)
> > + return -EKEYREJECTED;
>
> Is there any way to ensure that each ctilde_len value is <= 64
> and <= the corresponding .sig_size value at compile time so there's
> no risk of overflowing any buffers?
Not at compile time, unless we do some fancy validation of each of the
three ctilde_len values against the max3() of the signature lengths
using macros. It could be checked at runtime in a module_init function.
Seems pointless though, given that these parameters are fixed in the
ML-DSA specification. The specification uses parameters that make sense
and are consistent with each other.
- Eric