The public unstable HashML-DSA APIs signature_pre_hash_internal and
verify_pre_hash_internal accept MLD_PREHASH_NONE even though their supported
prehash algorithm list only includes real hash/XOF algorithms. When hashalg is
MLD_PREHASH_NONE, the supplied prehash buffer ph and phlen are not
validated or incorporated into the formatted message. A signature produced over
one digest therefore verifies against a different digest as long as both calls use
MLD_PREHASH_NONE.
This breaks message binding for callers that accidentally pass the exported
MLD_PREHASH_NONE constant to the prehash API, for example through an
uninitialized/default algorithm selector or a configuration mapping bug.
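To make the failure concrete, here is a small Python model of the prehash message formatting, added here as an illustration and not taken from the project's code: the buggy formatter drops ph when hashalg is MLD_PREHASH_NONE, the hardened one rejects anything that is not a real hash algorithm and checks phlen. The selector values, OID tags and the HMAC standing in for the ML-DSA sign/verify internals are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed selector values for this model; not the project's constants.
MLD_PREHASH_NONE = 0
MLD_PREHASH_SHA256 = 1
MLD_PREHASH_SHA512 = 2

# Placeholder OID tag and expected digest length per real prehash algorithm (constructed).
PREHASH_ALGS = {
    MLD_PREHASH_SHA256: (b"OID-SHA256", 32),
    MLD_PREHASH_SHA512: (b"OID-SHA512", 64),
}

def format_message_buggy(hashalg, ctx, ph):
    """Models the defect: M' = 0x01 || len(ctx) || ctx || OID || ph, except that for
    MLD_PREHASH_NONE the OID and ph are never appended, so the digest is unbound."""
    header = b"\x01" + bytes([len(ctx)]) + ctx
    if hashalg == MLD_PREHASH_NONE:
        return header  # ph and phlen silently ignored
    oid, _ = PREHASH_ALGS[hashalg]
    return header + oid + ph

def format_message_fixed(hashalg, ctx, ph):
    """Hardened variant: only a known hash algorithm with a matching phlen is accepted."""
    if hashalg not in PREHASH_ALGS:
        raise ValueError("prehash API requires a real hash/XOF algorithm")
    oid, expected_len = PREHASH_ALGS[hashalg]
    if len(ph) != expected_len:
        raise ValueError("phlen does not match the selected prehash algorithm")
    return b"\x01" + bytes([len(ctx)]) + ctx + oid + ph

def sign_internal(key, formatted):
    # HMAC stands in for ML-DSA.Sign_internal; what matters is which bytes get signed.
    return hmac.new(key, formatted, hashlib.sha256).digest()

def verify_internal(key, formatted, sig):
    return hmac.compare_digest(sign_internal(key, formatted), sig)

def cross_digest_verifies(formatter, hashalg):
    """Sign over digest A, verify against digest B; True means message binding is broken."""
    key = b"constructed-demo-key"
    ph_a = hashlib.sha256(b"document A").digest()
    ph_b = hashlib.sha256(b"document B").digest()
    sig = sign_internal(key, formatter(hashalg, b"", ph_a))
    return verify_internal(key, formatter(hashalg, b"", ph_b), sig)

def rejects_prehash_none(formatter):
    try:
        formatter(MLD_PREHASH_NONE, b"", b"\x00" * 32)
    except ValueError:
        return True
    return False
```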