lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <IA4PR84MB4011F4D5B7EF52901829AD94ABDEA@IA4PR84MB4011.NAMPRD84.PROD.OUTLOOK.COM>
Date: Wed, 26 Nov 2025 21:29:10 +0000
From: "Elliott, Robert (Servers)" <elliott@....com>
To: Eric Biggers <ebiggers@...nel.org>,
        "linux-crypto@...r.kernel.org"
	<linux-crypto@...r.kernel.org>,
        David Howells <dhowells@...hat.com>
CC: Herbert Xu <herbert@...dor.apana.org.au>,
        Luis Chamberlain
	<mcgrof@...nel.org>,
        Petr Pavlu <petr.pavlu@...e.com>, Daniel Gomez
	<da.gomez@...nel.org>,
        Sami Tolvanen <samitolvanen@...gle.com>,
        "Jason A .
 Donenfeld" <Jason@...c4.com>,
        Ard Biesheuvel <ardb@...nel.org>,
        "Stephan
 Mueller" <smueller@...onox.de>,
        Lukas Wunner <lukas@...ner.de>,
        "Ignat
 Korchagin" <ignat@...udflare.com>,
        "keyrings@...r.kernel.org"
	<keyrings@...r.kernel.org>,
        "linux-modules@...r.kernel.org"
	<linux-modules@...r.kernel.org>,
        "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>
Subject: RE: [PATCH v2 1/2] lib/crypto: Add ML-DSA verification support



> -----Original Message-----
> From: Eric Biggers <ebiggers@...nel.org>
> Subject: [PATCH v2 1/2] lib/crypto: Add ML-DSA verification support
...

> +++ b/lib/crypto/mldsa.c

> +} mldsa_parameter_sets[] = {
> +	[MLDSA44] = {
> +		.ctilde_len = 32,
> +		.pk_len = MLDSA44_PUBLIC_KEY_SIZE,
> +		.sig_len = MLDSA44_SIGNATURE_SIZE,
> +	},
> +	[MLDSA65] = {
> +		.ctilde_len = 48,
> +		.pk_len = MLDSA65_PUBLIC_KEY_SIZE,
> +		.sig_len = MLDSA65_SIGNATURE_SIZE,
> +	},
> +	[MLDSA87] = {
> +		.ctilde_len = 64,
> +		.pk_len = MLDSA87_PUBLIC_KEY_SIZE,
> +		.sig_len = MLDSA87_SIGNATURE_SIZE,
> +	},
...
> +	union {
...
> +		/* The commitment hash.  Real length is params->ctilde_len */
> +		u8 ctildeprime[64];
> +	};
...
> +	/* Recreate the challenge c from the signer's commitment hash. */
> +	sample_in_ball(&ws->c, ctilde, params->ctilde_len, params->tau,
> +		       &ws->shake);
...
> +	/* Finish computing ctildeprime. */
> +	shake_squeeze(&ws->shake, ws->ctildeprime, params->ctilde_len);
...
> +	/* Verify that ctilde == ctildeprime. */
> +	if (memcmp(ws->ctildeprime, ctilde, params->ctilde_len) != 0)
> +		return -EKEYREJECTED;

Is there any way to ensure that each ctilde_len value is <= 64
and <= the corresponding .sig_size value at compile time so there's
no risk of overflowing any buffers?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ