From 80b9396baa54c92520155f52e73c86417e49b8e4 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Fri, 31 Oct 2025 05:22:30 +0000
Subject: [PATCH] [TEST] Merge two validity checks during signing

Signed-off-by: Hanno Becker
---
 mldsa/sign.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/mldsa/sign.c b/mldsa/sign.c
index 763d4e01e..2cf977290 100644
--- a/mldsa/sign.c
+++ b/mldsa/sign.c
@@ -383,18 +383,13 @@ __contract__(
   mld_polyvecl_add(&z, &y);
   mld_polyvecl_reduce(&z);
 
-  z_invalid = mld_polyvecl_chknorm(&z, MLDSA_GAMMA1 - MLDSA_BETA);
+  z_invalid = mld_value_barrier_u32(mld_polyvecl_chknorm(&z, MLDSA_GAMMA1 - MLDSA_BETA));
   /* Constant time: It is fine (and prohibitively expensive to avoid)
    * leaking the result of the norm check. In case of rejection it
    * would even be okay to leak which coefficient led to rejection
    * as the candidate signature will be discarded anyway.
    * See Section 5.5 of @[Round3_Spec]. */
   MLD_CT_TESTING_DECLASSIFY(&z_invalid, sizeof(uint32_t));
-  if (z_invalid)
-  {
-    res = -1; /* reject */
-    goto cleanup;
-  }
 
   /* If z is valid, then its coefficients are bounded by */
   /* MLDSA_GAMMA1 - MLDSA_BETA. This will be needed below */
@@ -408,10 +403,10 @@ __contract__(
   mld_polyveck_sub(&w0, &h);
   mld_polyveck_reduce(&w0);
 
-  w0_invalid = mld_polyveck_chknorm(&w0, MLDSA_GAMMA2 - MLDSA_BETA);
+  w0_invalid = mld_value_barrier_u32(mld_polyveck_chknorm(&w0, MLDSA_GAMMA2 - MLDSA_BETA));
   /* Constant time: w0_invalid may be leaked - see comment for z_invalid. */
   MLD_CT_TESTING_DECLASSIFY(&w0_invalid, sizeof(uint32_t));
-  if (w0_invalid)
+  if (mld_value_barrier_u32(z_invalid | w0_invalid))
   {
     res = -1; /* reject */
     goto cleanup;
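Review bot: The context comment at the end of the first hunk, `/* If z is valid, then its coefficients are bounded by MLDSA_GAMMA1 - MLDSA_BETA. This will be needed below */`, is stale once the early `goto cleanup` on z_invalid is removed: execution now continues past this point even when the norm check failed, so whatever below depended on that bound (the comment says something does, and the `__contract__` in the hunk header suggests proof annotations may encode it) must now either tolerate an out-of-bound z or be re-established before use. Once that has been confirmed I would reword it to `/* z may have failed the norm check here; rejection is applied together with the w0 check further below, so nothing before that point may rely on the bound. */`. Separately, the added `z_invalid = mld_value_barrier_u32(...)` line runs to about 89 columns, as does the matching `w0_invalid` line in the second hunk; wrapping after the opening parenthesis, `z_invalid = mld_value_barrier_u32(` / `    mld_polyvecl_chknorm(&z, MLDSA_GAMMA1 - MLDSA_BETA));`, keeps both within the file's apparent 80-column layout. The enclosing function starts before and ends after this hunk.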
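Review bot: The merged condition `if (mld_value_barrier_u32(z_invalid | w0_invalid))` in the second hunk carries no comment explaining why the barriers were introduced, while the retained `/* Constant time: w0_invalid may be leaked ... */` note (and the longer one above z_invalid in the first hunk) states that leaking either result is acceptable, so a reader will wonder what the barriers are for. If the intent is to keep the compiler from splitting this back into two branches and skipping the w0 computation whenever z_invalid is set — which is what the barriers suggest, though the commit message does not say — state that next to the check, e.g. `/* Reject on either flag in a single branch; the value barriers stop the compiler from short-circuiting on z_invalid alone. */`. Both flags are declassified individually above, so the combined value should not need a further MLD_CT_TESTING_DECLASSIFY, but that is worth confirming against the CT test harness. The enclosing function continues past the end of this hunk.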