Skip to content

Use byte ctxLen in wc_dilithium_verify_ctx_msg cdef (F-4014)#141

Draft
julek-wolfssl wants to merge 2 commits into
wolfSSL:masterfrom
julek-wolfssl:fenrir-dilithium-ctxlen-fix
Draft

Use byte ctxLen in wc_dilithium_verify_ctx_msg cdef (F-4014)#141
julek-wolfssl wants to merge 2 commits into
wolfSSL:masterfrom
julek-wolfssl:fenrir-dilithium-ctxlen-fix

Conversation

@julek-wolfssl

Copy link
Copy Markdown
Member

Description

The CFFI cdef for wc_dilithium_verify_ctx_msg declared ctxLen as word32, while the sign variants (wc_dilithium_sign_ctx_msg, wc_dilithium_sign_ctx_msg_with_seed) declare it as byte.

wolfSSL's real API is wc_MlDsaKey_VerifyCtx (wolfssl/wolfcrypt/wc_mldsa.h), which the wc_dilithium_verify_ctx_msg macro forwards to, and it takes byte ctxLen — matching FIPS 204's 255-byte context cap.

The mismatched cdef made CFFI marshal a 4-byte word32 into a 1-byte slot, silently truncating any ctxLen > 255 to its low byte.

This declares ctxLen as byte so the cdef matches both the sign cdefs and the underlying API.

Fixes

F-4014

The CFFI cdef declared wc_dilithium_verify_ctx_msg with word32 ctxLen while the
sign variants use byte ctxLen. wolfSSL's real API (wc_MlDsaKey_VerifyCtx in
wolfcrypt/wc_mldsa.h, which the wc_dilithium_verify_ctx_msg macro forwards to)
takes byte ctxLen, matching FIPS 204's 255-byte context cap. The mismatched
cdef made CFFI marshal a 4-byte word32 into a 1-byte slot, silently truncating
any ctxLen > 255 to its low byte.

Declare ctxLen as byte to match the sign cdef and the underlying API.
Copilot AI review requested due to automatic review settings July 16, 2026 13:36
@julek-wolfssl julek-wolfssl self-assigned this Jul 16, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request fixes an FFI type mismatch for ML-DSA (Dilithium) context-length handling so the Python CFFI binding matches wolfSSL’s underlying API and FIPS 204’s 255-byte context limit.

Changes:

  • Update the CFFI cdef for wc_dilithium_verify_ctx_msg so ctxLen is declared as byte (not word32).
  • Align the verify cdef with the existing sign cdefs and the underlying forwarded wolfSSL API to avoid silent truncation.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread scripts/build_ffi.py
int wc_dilithium_sign_ctx_msg(const byte* ctx, byte ctxLen, const byte* msg, word32 msgLen, byte* sig, word32* sigLen, dilithium_key* key, WC_RNG* rng);
int wc_dilithium_sign_ctx_msg_with_seed(const byte* ctx, byte ctxLen, const byte* msg, word32 msgLen, byte* sig, word32* sigLen, dilithium_key* key, const byte* seed);
int wc_dilithium_verify_ctx_msg(const byte* sig, word32 sigLen, const byte* ctx, word32 ctxLen, const byte* msg, word32 msgLen, int* res, dilithium_key* key);
int wc_dilithium_verify_ctx_msg(const byte* sig, word32 sigLen, const byte* ctx, byte ctxLen, const byte* msg, word32 msgLen, int* res, dilithium_key* key);
MlDsa.sign/sign_with_seed reject a context longer than 255 bytes with
ValueError, but verify did not. With ctxLen now correctly declared as byte in
the cdef, an over-long ctx would surface as a low-level CFFI OverflowError
instead of the consistent ValueError callers get from the signing paths.

Reject len(ctx) > 255 with ValueError in verify, matching sign.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants