sign stack usage: Re-use y/h buffer

This commit is the second commit working towards bringing down the memory
consumption of signature_internal. It combines the y and h buffer as those
lifetime does not overlap.

Signed-off-by: Matthias J. Kannwischer <[email protected]>

Author: mkannwischer

mldsa/src/sign.c

@@ -486,20 +486,27 @@ __contract__(
   uint32_t z_invalid, w0_invalid, h_invalid;
   int ret;
   MLD_ALLOC(challenge_bytes, uint8_t, MLDSA_CTILDEBYTES);
-  MLD_ALLOC(y, mld_polyvecl, 1);
+  MLD_ALLOC(yh, mld_polyveck, 1);
   MLD_ALLOC(z, mld_polyvecl, 1);
   MLD_ALLOC(w1, mld_polyveck, 1);
   MLD_ALLOC(w0, mld_polyveck, 1);
-  MLD_ALLOC(h, mld_polyveck, 1);
   MLD_ALLOC(cp, mld_poly, 1);
+  mld_polyvecl *y;
+  mld_polyveck *h;
 
-  if (challenge_bytes == NULL || y == NULL || z == NULL || w1 == NULL ||
-      w0 == NULL || h == NULL || cp == NULL)
+  if (challenge_bytes == NULL || yh == NULL || z == NULL || w1 == NULL ||
+      w0 == NULL || cp == NULL)
   {
     ret = MLD_ERR_OUT_OF_MEMORY;
     goto cleanup;
   }
 
+  /* TODO: Change yh to a union once CBMC issue
+   * https://github.com/diffblue/cbmc/issues/8813 is resolved */
+  y = (mld_polyvecl *)yh;
+  h = yh;
+
+
   /* Sample intermediate vector y */
   mld_polyvecl_uniform_gamma1(y, rhoprime, nonce);
 
@@ -611,11 +618,10 @@ __contract__(
 cleanup:
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
   MLD_FREE(challenge_bytes, uint8_t, MLDSA_CTILDEBYTES);
-  MLD_FREE(y, mld_polyvecl, 1);
+  MLD_FREE(yh, mld_polyveck, 1);
   MLD_FREE(z, mld_polyvecl, 1);
   MLD_FREE(w1, mld_polyveck, 1);
   MLD_FREE(w0, mld_polyveck, 1);
-  MLD_FREE(h, mld_polyveck, 1);
   MLD_FREE(cp, mld_poly, 1);
 
   return ret;