From: Łukasz 'sil2100' Zemczak
Date: Thu, 24 Jul 2025 08:30:31 +0000 (+0200)
Subject: ML-DSA: Validate signature length before decoding
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dac3ed3e033f0bf4768ac5f300ca0636d3f8d09f;p=thirdparty%2Fopenssl.git

ML-DSA: Validate signature length before decoding

Page 27 of https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf mentions the Input: Signature length depending on the parameters, so the signature length should be checked before we proceed with decode.

Reviewed-by: Viktor Dukhovni
Reviewed-by: Shane Lontis
(Merged from https://github.com/openssl/openssl/pull/28093)
---

diff --git a/crypto/ml_dsa/ml_dsa_sign.c b/crypto/ml_dsa/ml_dsa_sign.c index dd67ef5cc3b..599897bab90 100644 --- a/crypto/ml_dsa/ml_dsa_sign.c +++ b/crypto/ml_dsa/ml_dsa_sign.c @@ -340,7 +340,8 @@ static int ml_dsa_verify_internal(const ML_DSA_KEY *pub, size_t c_tilde_len = params->bit_strength >> 2; uint32_t z_max; - if (mu_len != ML_DSA_MU_BYTES) { + /* FIPS 204 compliance: Also validate signature length before decoding */ + if (mu_len != ML_DSA_MU_BYTES || sig_enc_len != params->sig_len) { ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); return 0; }
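
Review bot: the new `sig_enc_len != params->sig_len` condition in `ml_dsa_verify_internal` comes with no test, since the diff touches only `crypto/ml_dsa/ml_dsa_sign.c`. A regression case that verifies an otherwise valid signature truncated by one byte, and the same signature with one byte appended, for each parameter set, and expects a return of 0 with `PROV_R_BAD_LENGTH`, would pin the behaviour down. Two smaller points on the same lines. First, the comment `/* FIPS 204 compliance: Also validate signature length before decoding */` would be more useful if it carried the reference the commit message already gives (page 27 of FIPS 204, the "Input: Signature" length) and said that the length is fixed per parameter set, rather than the generic "compliance". Second, folding both checks into one `if` means a wrong `mu_len` and a wrong `sig_enc_len` raise the same `PROV_R_BAD_LENGTH` with nothing to tell them apart. If that is intentional, a word in the comment would say so; otherwise two separate checks keep the error queue easier to read when diagnosing a failed verify.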