Harden length validation for compressed det1024 signatures #16
Open
nullun wants to merge 3 commits into
Add a couple of small length checks when working with compressed det1024 signatures, and tidy up the ordering of the bounds check in falcon_det1024_verify_compressed. Mirrors the existing checks on both the C and Go sides.

falcon_det1024_convert_compressed_to_ct only checked that comp_decode succeeded, not that it consumed the entire signature, so a valid compressed signature with arbitrary trailing bytes would still convert to a valid CT signature. Enforce exact consumption, matching the check falcon_verify applies to compressed signatures. Add tests covering the rejection paths for signatures too short to contain a header and salt version, and for signatures with trailing bytes, in both Verify and ConvertToCT.
The ~769 KiB sigs_ct array was a non-static tentative definition, so clang emitted it as a common symbol and ld64 requested 32 KiB alignment for it, exceeding the 16 KiB segment maximum on arm64 macOS:

ld: warning: reducing alignment of section __DATA,__common from 0x8000 to 0x4000 because it exceeds segment maximum alignment

The array is only used in this file, so make it static, which places it in __bss with ordinary alignment and avoids the warning.
cce reviewed Jun 17, 2026
Summary
Tightens length/bounds handling on the compressed det1024 signature paths so malformed or oversized inputs are rejected cleanly.
Changes
- `convert_compressed_to_ct`: reject inputs shorter than the 2-byte header + salt-version prefix, and reject trailing bytes after the decoded signature, matching the exact-consumption check `falcon_verify` already applies.
- `verify_compressed`: perform the max-size check as `sig_len - 1 > MAXSIZE - 40` before computing `salted_sig_len`, avoiding a potential `size_t` overflow in `sig_len + 40 - 1` for very large `sig_len`.
- `CompressedSignature.ConvertToCT` (Go): guard against signatures shorter than 2 bytes before taking `&(*sig)[0]`, preventing a panic on empty input (mirrors the existing guard in `Verify`).
- `TestFalconMalformedSignatures`, exercising different malformed signatures against both `Verify` and `ConvertToCT`.
- `sigs_ct` static in `test_deterministic.c` to silence a macOS linker alignment warning.

Testing
- `go test ./...` — pass
- `make tests/test_deterministic && ./tests/test_deterministic` — all KATs pass, clean build
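Worked illustration of the three checks described in the commit messages and in the Changes list above: the minimum prefix length (header byte plus salt-version byte), the overflow-safe ordering of the maximum-size bound, and exact consumption of the body by the decoder. This is an added example, not code from this PR or from the Falcon det1024 implementation. `DEMO_MAXSIZE`, `DEMO_SALT_LEN`, `DEMO_PREFIX_LEN`, `DEMO_ELEMS`, `naive_size_ok`, `hardened_size_ok`, `toy_decode`, `validate_compressed` and the `DEMO_SIG_*` inputs are all constructed for illustration; `toy_decode` only stands in for `comp_decode` and does not implement the Falcon compression format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed constants for the example; the real det1024 code has its own
 * MAXSIZE, header byte and salt-version byte, which are not reproduced here. */
#define DEMO_MAXSIZE    1330u  /* hypothetical upper bound on a CT signature  */
#define DEMO_SALT_LEN     40u  /* salt bytes appended when converting to CT  */
#define DEMO_PREFIX_LEN    2u  /* header byte + salt-version byte            */
#define DEMO_ELEMS         4u  /* values the toy decoder expects to read     */

/* Result codes returned by validate_compressed(). */
enum { ENV_OK = 0, ENV_TOO_SHORT, ENV_TOO_LONG, ENV_BAD_DECODE, ENV_TRAILING };

/* Bound written the naive way: sig_len + 40 - 1 wraps for very large sig_len,
 * so an absurd length can slip under the maximum. Kept only for comparison. */
int naive_size_ok(size_t sig_len) {
    size_t salted_sig_len = sig_len + DEMO_SALT_LEN - 1;
    return salted_sig_len <= DEMO_MAXSIZE;
}

/* Same bound rearranged as in the PR description: sig_len - 1 > MAXSIZE - 40.
 * Nothing is added to the untrusted length, so nothing can wrap. Requires
 * sig_len >= 1, which the prefix check in validate_compressed() ensures. */
int hardened_size_ok(size_t sig_len) {
    return !(sig_len - 1 > DEMO_MAXSIZE - DEMO_SALT_LEN);
}

/* Toy stand-in for comp_decode: reads DEMO_ELEMS base-128 varints (7 data
 * bits per byte, high bit = continuation). Returns the number of bytes it
 * consumed, or 0 on malformed input. This is NOT the Falcon compression
 * format; it only reproduces the interface shape that matters here. */
size_t toy_decode(const uint8_t *buf, size_t len, uint32_t out[DEMO_ELEMS]) {
    size_t pos = 0;
    for (size_t i = 0; i < DEMO_ELEMS; i++) {
        uint32_t v = 0;
        unsigned shift = 0;
        for (;;) {
            if (pos >= len || shift > 28) return 0;   /* truncated or oversized */
            uint8_t b = buf[pos++];
            v |= (uint32_t)(b & 0x7f) << shift;
            if ((b & 0x80) == 0) break;
            shift += 7;
        }
        out[i] = v;
    }
    return pos;
}

/* Envelope checks in the order the PR describes: minimum length, overflow-safe
 * maximum, successful decode, and exact consumption of the body. */
int validate_compressed(const uint8_t *sig, size_t sig_len) {
    uint32_t coeffs[DEMO_ELEMS];
    if (sig_len < DEMO_PREFIX_LEN) return ENV_TOO_SHORT;  /* no header/salt version */
    if (!hardened_size_ok(sig_len)) return ENV_TOO_LONG;
    size_t body_len = sig_len - DEMO_PREFIX_LEN;
    size_t used = toy_decode(sig + DEMO_PREFIX_LEN, body_len, coeffs);
    if (used == 0) return ENV_BAD_DECODE;
    if (used != body_len) return ENV_TRAILING;  /* decoder stopped early: trailing bytes */
    return ENV_OK;
}

/* Constructed sample inputs (header 0x39 and salt version 0x01 are arbitrary). */
const uint8_t DEMO_SIG_OK[]       = {0x39, 0x01, 0x05, 0x81, 0x01, 0x7f, 0x00};
const uint8_t DEMO_SIG_TRAILING[] = {0x39, 0x01, 0x05, 0x81, 0x01, 0x7f, 0x00, 0xaa};
const uint8_t DEMO_SIG_SHORT[]    = {0x39};
const uint8_t DEMO_SIG_BADDEC[]   = {0x39, 0x01, 0x80};

int main(void) {
    printf("ok        -> %d\n", validate_compressed(DEMO_SIG_OK, sizeof DEMO_SIG_OK));
    printf("trailing  -> %d\n", validate_compressed(DEMO_SIG_TRAILING, sizeof DEMO_SIG_TRAILING));
    printf("short     -> %d\n", validate_compressed(DEMO_SIG_SHORT, sizeof DEMO_SIG_SHORT));
    printf("baddecode -> %d\n", validate_compressed(DEMO_SIG_BADDEC, sizeof DEMO_SIG_BADDEC));
    printf("SIZE_MAX: naive accepts=%d hardened accepts=%d\n",
           naive_size_ok(SIZE_MAX), hardened_size_ok(SIZE_MAX));
    return 0;
}
```

`naive_size_ok` is included only to show why the reordering matters: with `sig_len = SIZE_MAX` the naive sum wraps to 38 and passes the bound, while the hardened form rejects it. `validate_compressed` also turns a decoder that stops before the end of the body into an explicit `ENV_TRAILING` result instead of silently accepting the extra bytes, which is the gap the exact-consumption check closes.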