Page 27 of https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf mentions
the Input: Signature length depending on the parameters, so the signature
length should be checked before we proceed with decode.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28093)
size_t c_tilde_len = params->bit_strength >> 2;
uint32_t z_max;
- if (mu_len != ML_DSA_MU_BYTES) {
+ /* FIPS 204 compliance: Also validate signature length before decoding */
+ if (mu_len != ML_DSA_MU_BYTES || sig_enc_len != params->sig_len) {
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
return 0;
}
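Review bot: the combined condition on the added `if (mu_len != ML_DSA_MU_BYTES || sig_enc_len != params->sig_len)` line reports a wrong-length mu and a wrong-length signature with the same PROV_R_BAD_LENGTH, so nothing in the error tells a caller which input was rejected. Splitting it into two checks would keep the two failures distinguishable when triaging verify errors. The comment would also be clearer if it stated the rule instead of "Also validate", for example that sig_enc_len must equal params->sig_len for the selected parameter set before any decoding happens. No test is visible in this hunk; a verify case with a signature one byte shorter and one byte longer than params->sig_len, both expected to fail, would pin the new behaviour.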