
Commit 7320306

mkannwischerhanno-becker
authored andcommitted
Add missing MLD_ALIGN to buffers in sign.c
Buffers in sign.c are not currently forced to be aligned. This may harm performance and it may also lead to problems if a FIPS202 backend is used that requires alignment (e.g., in OpenTitan). This commit adds alignment. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
1 parent 1263728 commit 7320306

1 file changed

+20
-19
lines changed


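--- a/mldsa/src/sign.c
+++ b/mldsa/src/sign.c
@@ -76,9 +76,9 @@ __contract__(
 static int mld_check_pct(uint8_t const pk[CRYPTO_PUBLICKEYBYTES],
 uint8_t const sk[CRYPTO_SECRETKEYBYTES])
 {
-uint8_t message[1] = {0};
-uint8_t signature[CRYPTO_BYTES];
-uint8_t pk_test[CRYPTO_PUBLICKEYBYTES];
+MLD_ALIGN uint8_t message[1] = {0};
+MLD_ALIGN uint8_t signature[CRYPTO_BYTES];
+MLD_ALIGN uint8_t pk_test[CRYPTO_PUBLICKEYBYTES];
 size_t siglen;
 int ret;
 
@@ -179,9 +179,9 @@ int crypto_sign_keypair_internal(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
 uint8_t sk[CRYPTO_SECRETKEYBYTES],
 const uint8_t seed[MLDSA_SEEDBYTES])
 {
-uint8_t seedbuf[2 * MLDSA_SEEDBYTES + MLDSA_CRHBYTES];
-uint8_t inbuf[MLDSA_SEEDBYTES + 2];
-uint8_t tr[MLDSA_TRBYTES];
+MLD_ALIGN uint8_t seedbuf[2 * MLDSA_SEEDBYTES + MLDSA_CRHBYTES];
+MLD_ALIGN uint8_t inbuf[MLDSA_SEEDBYTES + 2];
+MLD_ALIGN uint8_t tr[MLDSA_TRBYTES];
 const uint8_t *rho, *rhoprime, *key;
 mld_polyvecl mat[MLDSA_K];
 mld_polyvecl s1, s1hat;
@@ -263,7 +263,7 @@ MLD_EXTERNAL_API
 int crypto_sign_keypair(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
 uint8_t sk[CRYPTO_SECRETKEYBYTES])
 {
-uint8_t seed[MLDSA_SEEDBYTES];
+MLD_ALIGN uint8_t seed[MLDSA_SEEDBYTES];
 int result;
 mld_randombytes(seed, MLDSA_SEEDBYTES);
 MLD_CT_TESTING_SECRET(seed, sizeof(seed));
@@ -388,7 +388,7 @@ __contract__(
 ensures(return_value == 0 || return_value == -1)
 )
 {
-uint8_t challenge_bytes[MLDSA_CTILDEBYTES];
+MLD_ALIGN uint8_t challenge_bytes[MLDSA_CTILDEBYTES];
 unsigned int n;
 mld_polyvecl y, z;
 mld_polyveck w, w1, w0, h;
@@ -526,7 +526,8 @@ int crypto_sign_signature_internal(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
 int externalmu)
 {
 int result;
-uint8_t seedbuf[2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES + 2 * MLDSA_CRHBYTES];
+MLD_ALIGN uint8_t
+seedbuf[2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES + 2 * MLDSA_CRHBYTES];
 uint8_t *rho, *tr, *key, *mu, *rhoprime;
 mld_polyvecl mat[MLDSA_K], s1;
 mld_polyveck t0, s2;
@@ -632,8 +633,8 @@ int crypto_sign_signature(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
 size_t ctxlen,
 const uint8_t sk[CRYPTO_SECRETKEYBYTES])
 {
-uint8_t pre[257];
-uint8_t rnd[MLDSA_RNDBYTES];
+MLD_ALIGN uint8_t pre[257];
+MLD_ALIGN uint8_t rnd[MLDSA_RNDBYTES];
 int result;
 
 if (ctxlen > 255)
@@ -678,7 +679,7 @@ int crypto_sign_signature_extmu(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
 const uint8_t mu[MLDSA_CRHBYTES],
 const uint8_t sk[CRYPTO_SECRETKEYBYTES])
 {
-uint8_t rnd[MLDSA_RNDBYTES];
+MLD_ALIGN uint8_t rnd[MLDSA_RNDBYTES];
 int result;
 
 /* Randomized variant of ML-DSA. If you need the deterministic variant,
@@ -731,11 +732,11 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
 {
 unsigned int i;
 int res;
-uint8_t buf[MLDSA_K * MLDSA_POLYW1_PACKEDBYTES];
-uint8_t rho[MLDSA_SEEDBYTES];
-uint8_t mu[MLDSA_CRHBYTES];
-uint8_t c[MLDSA_CTILDEBYTES];
-uint8_t c2[MLDSA_CTILDEBYTES];
+MLD_ALIGN uint8_t buf[MLDSA_K * MLDSA_POLYW1_PACKEDBYTES];
+MLD_ALIGN uint8_t rho[MLDSA_SEEDBYTES];
+MLD_ALIGN uint8_t mu[MLDSA_CRHBYTES];
+MLD_ALIGN uint8_t c[MLDSA_CTILDEBYTES];
+MLD_ALIGN uint8_t c2[MLDSA_CTILDEBYTES];
 mld_poly cp;
 mld_polyvecl mat[MLDSA_K], z;
 mld_polyveck t1, w1, tmp, h;
@@ -761,7 +762,7 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
 if (!externalmu)
 {
 /* Compute CRH(H(rho, t1), pre, msg) */
-uint8_t hpk[MLDSA_CRHBYTES];
+MLD_ALIGN uint8_t hpk[MLDSA_CRHBYTES];
 mld_H(hpk, MLDSA_TRBYTES, pk, CRYPTO_PUBLICKEYBYTES, NULL, 0, NULL, 0);
 mld_H(mu, MLDSA_CRHBYTES, hpk, MLDSA_TRBYTES, pre, prelen, m, mlen);
 
@@ -844,7 +845,7 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m,
 size_t mlen, const uint8_t *ctx, size_t ctxlen,
 const uint8_t pk[CRYPTO_PUBLICKEYBYTES])
 {
-uint8_t pre[257];
+MLD_ALIGN uint8_t pre[257];
 int result;
 
 if (ctxlen > 255)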
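Review bot: Aligning seedbuf in crypto_sign_signature_internal (hunk at 526) and crypto_sign_keypair_internal (hunk at 179) does not by itself align the sub-buffer pointers declared right after it (`uint8_t *rho, *tr, *key, *mu, *rhoprime;` and `const uint8_t *rho, *rhoprime, *key;`); presumably they are set to offsets into seedbuf, but those assignments lie outside the hunks, and the pointers are only MLD_ALIGN-aligned if the offsets (multiples of MLDSA_SEEDBYTES, MLDSA_TRBYTES and MLDSA_CRHBYTES) are multiples of the alignment MLD_ALIGN imposes, which is not visible here. Since the commit message cites a FIPS202 backend that requires aligned inputs, that requirement is now load-bearing and should be recorded at the declaration, e.g. `/* rho, tr, key, mu, rhoprime point into seedbuf; they are only MLD_ALIGN-aligned if MLDSA_SEEDBYTES, MLDSA_TRBYTES and MLDSA_CRHBYTES are multiples of that alignment. */`, and ideally enforced with whatever compile-time assertion facility the project already uses. Both functions' bodies continue outside their hunks.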
