/src/openssl/providers/implementations/signature/ml_dsa_sig.c

Source (jump to first uncovered line)
/*
 * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "internal/deprecated.h"

#include <assert.h>
#include <string.h> /* memset */
#include <openssl/core_names.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/proverr.h>
#include "prov/implementations.h"
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#include "prov/der_ml_dsa.h"
#include "crypto/ml_dsa.h"
#include "internal/packet.h"
#include "internal/sizes.h"

#define ML_DSA_MESSAGE_ENCODE_RAW  0
#define ML_DSA_MESSAGE_ENCODE_PURE 1

static OSSL_FUNC_signature_sign_message_init_fn ml_dsa_sign_msg_init;
static OSSL_FUNC_signature_sign_message_update_fn ml_dsa_signverify_msg_update;
static OSSL_FUNC_signature_sign_message_final_fn ml_dsa_sign_msg_final;
static OSSL_FUNC_signature_sign_fn ml_dsa_sign;
static OSSL_FUNC_signature_verify_message_init_fn ml_dsa_verify_msg_init;
static OSSL_FUNC_signature_verify_message_update_fn ml_dsa_signverify_msg_update;
static OSSL_FUNC_signature_verify_message_final_fn ml_dsa_verify_msg_final;
static OSSL_FUNC_signature_verify_fn ml_dsa_verify;
static OSSL_FUNC_signature_digest_sign_init_fn ml_dsa_digest_signverify_init;
static OSSL_FUNC_signature_digest_sign_fn ml_dsa_digest_sign;
static OSSL_FUNC_signature_digest_verify_fn ml_dsa_digest_verify;
static OSSL_FUNC_signature_freectx_fn ml_dsa_freectx;
static OSSL_FUNC_signature_set_ctx_params_fn ml_dsa_set_ctx_params;
static OSSL_FUNC_signature_settable_ctx_params_fn ml_dsa_settable_ctx_params;
static OSSL_FUNC_signature_get_ctx_params_fn ml_dsa_get_ctx_params;
static OSSL_FUNC_signature_gettable_ctx_params_fn ml_dsa_gettable_ctx_params;
static OSSL_FUNC_signature_dupctx_fn ml_dsa_dupctx;

typedef struct {
    ML_DSA_KEY *key;
    OSSL_LIB_CTX *libctx;
    uint8_t context_string[ML_DSA_MAX_CONTEXT_STRING_LEN];
    size_t context_string_len;
    uint8_t test_entropy[ML_DSA_ENTROPY_LEN];
    size_t test_entropy_len;
    int msg_encode;
    int deterministic;
    int evp_type;
    /* The Algorithm Identifier of the signature algorithm */
    uint8_t aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
    size_t  aid_len;
    int mu;     /* Flag indicating we should begin from \mu, not the message */

    int operation;
    EVP_MD_CTX *md_ctx; /* Ctx for msg_init/update/final interface */
    unsigned char *sig; /* Signature, for verification */
    size_t siglen;
} PROV_ML_DSA_CTX;

static void ml_dsa_freectx(void *vctx)
{
    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;

    EVP_MD_CTX_free(ctx->md_ctx);
    OPENSSL_cleanse(ctx->test_entropy, ctx->test_entropy_len);
    OPENSSL_free(ctx->sig);
    OPENSSL_free(ctx);
}

static void *ml_dsa_newctx(void *provctx, int evp_type, const char *propq)
{
    PROV_ML_DSA_CTX *ctx;

    if (!ossl_prov_is_running())
        return NULL;

    ctx = OPENSSL_zalloc(sizeof(PROV_ML_DSA_CTX));
    if (ctx == NULL)
        return NULL;

    ctx->libctx = PROV_LIBCTX_OF(provctx);
    ctx->msg_encode = ML_DSA_MESSAGE_ENCODE_PURE;
    ctx->evp_type = evp_type;
    return ctx;
}

static void *ml_dsa_dupctx(void *vctx)
{
    PROV_ML_DSA_CTX *srcctx = (PROV_ML_DSA_CTX *)vctx;
    PROV_ML_DSA_CTX *dstctx;

    if (!ossl_prov_is_running())
        return NULL;

    /*
     * Note that the ML_DSA_KEY is ref counted via EVP_PKEY so we can just copy
     * the key here.
     */
    dstctx = OPENSSL_memdup(srcctx, sizeof(*srcctx));

    if (dstctx == NULL)
        return NULL;

    if (srcctx->sig != NULL) {
        dstctx->sig = OPENSSL_memdup(srcctx->sig, srcctx->siglen);
        if (dstctx->sig == NULL) {
            /*
             * Can't call ml_dsa_freectx() here, as it would free
             * md_ctx which has not been duplicated yet.
             */
            OPENSSL_free(dstctx);
            return NULL;
        }
    }

    if (srcctx->md_ctx != NULL) {
        dstctx->md_ctx = EVP_MD_CTX_dup(srcctx->md_ctx);
        if (dstctx->md_ctx == NULL) {
            ml_dsa_freectx(dstctx);
            return NULL;
        }
    }

    return dstctx;
}

static int set_alg_id_buffer(PROV_ML_DSA_CTX *ctx)
{
    int ret;
    WPACKET pkt;
    uint8_t *aid = NULL;

    /*
     * We do not care about DER writing errors.
     * All it really means is that for some reason, there's no
     * AlgorithmIdentifier to be had, but the operation itself is
     * still valid, just as long as it's not used to construct
     * anything that needs an AlgorithmIdentifier.
     */
    ctx->aid_len = 0;
    ret = WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf));
    ret = ret && ossl_DER_w_algorithmIdentifier_ML_DSA(&pkt, -1, ctx->key);
    if (ret && WPACKET_finish(&pkt)) {
        WPACKET_get_total_written(&pkt, &ctx->aid_len);
        aid = WPACKET_get_curr(&pkt);
    }
    WPACKET_cleanup(&pkt);
    if (aid != NULL && ctx->aid_len != 0)
        memmove(ctx->aid_buf, aid, ctx->aid_len);
    return 1;
}

static int ml_dsa_signverify_msg_init(void *vctx, void *vkey,
                                      const OSSL_PARAM params[], int operation,
                                      const char *desc)
{
    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;
    ML_DSA_KEY *key = vkey;

    if (!ossl_prov_is_running()
            || ctx == NULL)
        return 0;

    if (vkey == NULL && ctx->key == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
        return 0;
    }

    if (key != NULL)
        ctx->key = vkey;
    if (!ossl_ml_dsa_key_matches(ctx->key, ctx->evp_type))
        return 0;

    set_alg_id_buffer(ctx);
    ctx->mu = 0;
    ctx->operation = operation;

    return ml_dsa_set_ctx_params(ctx, params);
}

static int ml_dsa_sign_msg_init(void *vctx, void *vkey, const OSSL_PARAM params[])
{
    return ml_dsa_signverify_msg_init(vctx, vkey, params,
                                      EVP_PKEY_OP_SIGNMSG, "ML_DSA Sign Init");
}

static int ml_dsa_digest_signverify_init(void *vctx, const char *mdname,
                                         void *vkey, const OSSL_PARAM params[])
{
    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;

    if (mdname != NULL && mdname[0] != '\0') {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
                       "Explicit digest not supported for ML-DSA operations");
        return 0;
    }

    ctx->mu = 0;

    if (vkey == NULL && ctx->key != NULL)
        return ml_dsa_set_ctx_params(ctx, params);

    return ml_dsa_signverify_msg_init(vctx, vkey, params,
                                      EVP_PKEY_OP_SIGN, "ML_DSA Sign Init");
}

static int ml_dsa_signverify_msg_update(void *vctx,
                                        const unsigned char *data,
                                        size_t datalen)
{
    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;

    if (ctx == NULL)
        return 0;

    if (!ossl_prov_is_running())
        return 0;

    if (ctx->mu)
        return 0;

    if (ctx->md_ctx == NULL) {
        ctx->md_ctx = ossl_ml_dsa_mu_init(ctx->key, ctx->msg_encode,
                                          ctx->context_string,
                                          ctx->context_string_len);
        if (ctx->md_ctx == NULL)
            return 0;
    }

    return ossl_ml_dsa_mu_update(ctx->md_ctx, data, datalen);
}

static int ml_dsa_sign_msg_final(void *vctx, unsigned char *sig,
                                 size_t *siglen, size_t sigsize)
{
    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;
    uint8_t rand_tmp[ML_DSA_ENTROPY_LEN], *rnd = NULL;
    uint8_t mu[ML_DSA_MU_BYTES];
    int ret = 0;

    if (ctx == NULL)
        return 0;

    if (!ossl_prov_is_running())
        return 0;

    if (ctx->md_ctx == NULL)
        return 0;

    if (sig != NULL) {
        if (ctx->test_entropy_len != 0) {
            rnd = ctx->test_entropy;
        } else {
            rnd = rand_tmp;

            if (ctx->deterministic == 1)
                memset(rnd, 0, sizeof(rand_tmp));
            else if (RAND_priv_bytes_ex(ctx->libctx, rnd, sizeof(rand_tmp), 0) <= 0)
                return 0;
        }

        if (!ossl_ml_dsa_mu_finalize(ctx->md_ctx, mu, sizeof(mu)))
            return 0;
    }

    ret = ossl_ml_dsa_sign(ctx->key, 1, mu, sizeof(mu), NULL, 0, rnd,
                           sizeof(rand_tmp), 0, sig, siglen, sigsize);
    if (rnd != ctx->test_entropy)
        OPENSSL_cleanse(rand_tmp, sizeof(rand_tmp));
    return ret;
}

static int ml_dsa_sign(void *vctx, uint8_t *sig, size_t *siglen, size_t sigsize,
                       const uint8_t *msg, size_t msg_len)
{
    int ret = 0;
    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;
    uint8_t rand_tmp[ML_DSA_ENTROPY_LEN], *rnd = NULL;

    if (!ossl_prov_is_running())
        return 0;

    if (sig != NULL) {
        if (ctx->test_entropy_len != 0) {
            rnd = ctx->test_entropy;
        } else {
            rnd = rand_tmp;

            if (ctx->deterministic == 1)
                memset(rnd, 0, sizeof(rand_tmp));
            else if (RAND_priv_bytes_ex(ctx->libctx, rnd, sizeof(rand_tmp), 0) <= 0)
                return 0;
        }
    }
    ret = ossl_ml_dsa_sign(ctx->key, ctx->mu, msg, msg_len,
                           ctx->context_string, ctx->context_string_len,
                           rnd, sizeof(rand_tmp), ctx->msg_encode,
                           sig, siglen, sigsize);
    if (rnd != ctx->test_entropy)
        OPENSSL_cleanse(rand_tmp, sizeof(rand_tmp));
    return ret;
}

static int ml_dsa_digest_sign(void *vctx, uint8_t *sig, size_t *siglen, size_t sigsize,
                              const uint8_t *tbs, size_t tbslen)
{
    return ml_dsa_sign(vctx, sig, siglen, sigsize, tbs, tbslen);
}

static int ml_dsa_verify_msg_init(void *vctx, void *vkey, const OSSL_PARAM params[])
{
    return ml_dsa_signverify_msg_init(vctx, vkey, params, EVP_PKEY_OP_VERIFYMSG,
                                      "ML_DSA Verify Init");
}

static int ml_dsa_verify_msg_final(void *vctx)
{
    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;
    uint8_t mu[ML_DSA_MU_BYTES];

    if (!ossl_prov_is_running())
        return 0;

    if (ctx->md_ctx == NULL)
        return 0;

    if (!ossl_ml_dsa_mu_finalize(ctx->md_ctx, mu, sizeof(mu)))
        return 0;

    return ossl_ml_dsa_verify(ctx->key, 1, mu, sizeof(mu), NULL, 0, 0,
                              ctx->sig, ctx->siglen);
}

static int ml_dsa_verify(void *vctx, const uint8_t *sig, size_t siglen,
                         const uint8_t *msg, size_t msg_len)
{
    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;

    if (!ossl_prov_is_running())
        return 0;
    return ossl_ml_dsa_verify(ctx->key, ctx->mu, msg, msg_len,
                              ctx->context_string, ctx->context_string_len,
                              ctx->msg_encode, sig, siglen);
}
static int ml_dsa_digest_verify(void *vctx,
                                const uint8_t *sig, size_t siglen,
                                const uint8_t *tbs, size_t tbslen)
{
    return ml_dsa_verify(vctx, sig, siglen, tbs, tbslen);
}

static int ml_dsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    PROV_ML_DSA_CTX *pctx = (PROV_ML_DSA_CTX *)vctx;
    const OSSL_PARAM *p;

    if (pctx == NULL)
        return 0;
    if (ossl_param_is_empty(params))
        return 1;

    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_CONTEXT_STRING);
    if (p != NULL) {
        void *vp = pctx->context_string;

        if (!OSSL_PARAM_get_octet_string(p, &vp, sizeof(pctx->context_string),
                                         &(pctx->context_string_len))) {
            pctx->context_string_len = 0;
            return 0;
        }
    }
    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_TEST_ENTROPY);
    if (p != NULL) {
        void *vp = pctx->test_entropy;

        pctx->test_entropy_len = 0;
        if (!OSSL_PARAM_get_octet_string(p, &vp, sizeof(pctx->test_entropy),
                                         &(pctx->test_entropy_len)))
                return 0;
        if (pctx->test_entropy_len != sizeof(pctx->test_entropy)) {
            pctx->test_entropy_len = 0;
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SEED_LENGTH);
            return 0;
        }
    }
    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DETERMINISTIC);
    if (p != NULL && !OSSL_PARAM_get_int(p, &pctx->deterministic))
        return 0;

    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING);
    if (p != NULL && !OSSL_PARAM_get_int(p, &pctx->msg_encode))
        return 0;

    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MU);
    if (p != NULL && !OSSL_PARAM_get_int(p, &pctx->mu))
        return 0;

    if (pctx->operation == EVP_PKEY_OP_VERIFYMSG) {
        p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE);
        if (p != NULL) {
            OPENSSL_free(pctx->sig);
            pctx->sig = NULL;
            pctx->siglen = 0;
            if (!OSSL_PARAM_get_octet_string(p, (void **)&pctx->sig,
                                             0, &pctx->siglen))
                return 0;
        }
    }

    return 1;
}

#define MLDSA_COMMON_SETTABLE_CTX_PARAMS                                   \
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0), \
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_TEST_ENTROPY, NULL, 0),   \
    OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_DETERMINISTIC, 0),                 \
    OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_MU, 0),                            \
    OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING, 0),              \
    OSSL_PARAM_END

static const OSSL_PARAM *ml_dsa_settable_ctx_params(void *vctx,
                                                    ossl_unused void *provctx)
{
    PROV_ML_DSA_CTX *pctx = (PROV_ML_DSA_CTX *)vctx;

    static const OSSL_PARAM settable_ctx_params[] = {
        MLDSA_COMMON_SETTABLE_CTX_PARAMS
    };

    static const OSSL_PARAM settable_verifymsg_ctx_params[] = {
        OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0),
        MLDSA_COMMON_SETTABLE_CTX_PARAMS
    };

    if (pctx != NULL && pctx->operation == EVP_PKEY_OP_VERIFYMSG)
        return settable_verifymsg_ctx_params;
    else
        return settable_ctx_params;
}

static const OSSL_PARAM known_gettable_ctx_params[] = {
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
    OSSL_PARAM_END
};

static const OSSL_PARAM *ml_dsa_gettable_ctx_params(ossl_unused void *vctx,
                                                    ossl_unused void *provctx)
{
    return known_gettable_ctx_params;
}

static int ml_dsa_get_ctx_params(void *vctx, OSSL_PARAM *params)
{
    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;
    OSSL_PARAM *p;

    if (ctx == NULL)
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
    if (p != NULL
        && !OSSL_PARAM_set_octet_string(p,
                                        ctx->aid_len == 0 ? NULL : ctx->aid_buf,
                                        ctx->aid_len))
        return 0;

    return 1;
}

#define MAKE_SIGNATURE_FUNCTIONS(alg)                                          \
    static OSSL_FUNC_signature_newctx_fn ml_dsa_##alg##_newctx;                \
    static void *ml_dsa_##alg##_newctx(void *provctx, const char *propq)       \
    {                                                                          \
        return ml_dsa_newctx(provctx, EVP_PKEY_ML_DSA_##alg, propq);           \
    }                                                                          \
    const OSSL_DISPATCH ossl_ml_dsa_##alg##_signature_functions[] = {          \
        { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ml_dsa_##alg##_newctx }, \
        { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT,                               \
          (void (*)(void))ml_dsa_sign_msg_init },                              \
        { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE,                             \
          (void (*)(void))ml_dsa_signverify_msg_update },                      \
        { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL,                              \
          (void (*)(void))ml_dsa_sign_msg_final },                             \
        { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ml_dsa_sign },             \
        { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT,                             \
          (void (*)(void))ml_dsa_verify_msg_init },                            \
        { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE,                           \
          (void (*)(void))ml_dsa_signverify_msg_update },                      \
        { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL,                            \
          (void (*)(void))ml_dsa_verify_msg_final },                           \
        { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ml_dsa_verify },         \
        { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,                                \
          (void (*)(void))ml_dsa_digest_signverify_init },                     \
        { OSSL_FUNC_SIGNATURE_DIGEST_SIGN,                                     \
          (void (*)(void))ml_dsa_digest_sign },                                \
        { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,                              \
          (void (*)(void))ml_dsa_digest_signverify_init },                     \
        { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,                                   \
          (void (*)(void))ml_dsa_digest_verify },                              \
        { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ml_dsa_freectx },       \
        { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS,                                  \
          (void (*)(void))ml_dsa_set_ctx_params },                             \
        { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,                             \
          (void (*)(void))ml_dsa_settable_ctx_params },                        \
        { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS,                                  \
          (void (*)(void))ml_dsa_get_ctx_params },                             \
        { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,                             \
          (void (*)(void))ml_dsa_gettable_ctx_params },                        \
        { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ml_dsa_dupctx },         \
        OSSL_DISPATCH_END                                                      \
    }

MAKE_SIGNATURE_FUNCTIONS(44);
MAKE_SIGNATURE_FUNCTIONS(65);
MAKE_SIGNATURE_FUNCTIONS(87);

Coverage Report

Created: 2025-06-22 06:56

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include "internal/deprecated.h"
11
12		#include <assert.h>
13		#include <string.h> /* memset */
14		#include <openssl/core_names.h>
15		#include <openssl/err.h>
16		#include <openssl/rand.h>
17		#include <openssl/proverr.h>
18		#include "prov/implementations.h"
19		#include "prov/providercommon.h"
20		#include "prov/provider_ctx.h"
21		#include "prov/der_ml_dsa.h"
22		#include "crypto/ml_dsa.h"
23		#include "internal/packet.h"
24		#include "internal/sizes.h"
25
26		#define ML_DSA_MESSAGE_ENCODE_RAW 0
27	0	#define ML_DSA_MESSAGE_ENCODE_PURE 1
28
29		static OSSL_FUNC_signature_sign_message_init_fn ml_dsa_sign_msg_init;
30		static OSSL_FUNC_signature_sign_message_update_fn ml_dsa_signverify_msg_update;
31		static OSSL_FUNC_signature_sign_message_final_fn ml_dsa_sign_msg_final;
32		static OSSL_FUNC_signature_sign_fn ml_dsa_sign;
33		static OSSL_FUNC_signature_verify_message_init_fn ml_dsa_verify_msg_init;
34		static OSSL_FUNC_signature_verify_message_update_fn ml_dsa_signverify_msg_update;
35		static OSSL_FUNC_signature_verify_message_final_fn ml_dsa_verify_msg_final;
36		static OSSL_FUNC_signature_verify_fn ml_dsa_verify;
37		static OSSL_FUNC_signature_digest_sign_init_fn ml_dsa_digest_signverify_init;
38		static OSSL_FUNC_signature_digest_sign_fn ml_dsa_digest_sign;
39		static OSSL_FUNC_signature_digest_verify_fn ml_dsa_digest_verify;
40		static OSSL_FUNC_signature_freectx_fn ml_dsa_freectx;
41		static OSSL_FUNC_signature_set_ctx_params_fn ml_dsa_set_ctx_params;
42		static OSSL_FUNC_signature_settable_ctx_params_fn ml_dsa_settable_ctx_params;
43		static OSSL_FUNC_signature_get_ctx_params_fn ml_dsa_get_ctx_params;
44		static OSSL_FUNC_signature_gettable_ctx_params_fn ml_dsa_gettable_ctx_params;
45		static OSSL_FUNC_signature_dupctx_fn ml_dsa_dupctx;
46
47		typedef struct {
48		ML_DSA_KEY *key;
49		OSSL_LIB_CTX *libctx;
50		uint8_t context_string[ML_DSA_MAX_CONTEXT_STRING_LEN];
51		size_t context_string_len;
52		uint8_t test_entropy[ML_DSA_ENTROPY_LEN];
53		size_t test_entropy_len;
54		int msg_encode;
55		int deterministic;
56		int evp_type;
57		/* The Algorithm Identifier of the signature algorithm */
58		uint8_t aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
59		size_t aid_len;
60		int mu; /* Flag indicating we should begin from \mu, not the message */
61
62		int operation;
63		EVP_MD_CTX md_ctx; / Ctx for msg_init/update/final interface */
64		unsigned char sig; / Signature, for verification */
65		size_t siglen;
66		} PROV_ML_DSA_CTX;
67
68		static void ml_dsa_freectx(void *vctx)
69	0	{
70	0	PROV_ML_DSA_CTX ctx = (PROV_ML_DSA_CTX )vctx;
71
72	0	EVP_MD_CTX_free(ctx->md_ctx);
73	0	OPENSSL_cleanse(ctx->test_entropy, ctx->test_entropy_len);
74	0	OPENSSL_free(ctx->sig);
75	0	OPENSSL_free(ctx);
76	0	}
77
78		static void ml_dsa_newctx(void provctx, int evp_type, const char *propq)
79	0	{
80	0	PROV_ML_DSA_CTX *ctx;
81
82	0	if (!ossl_prov_is_running())
83	0	return NULL;
84
85	0	ctx = OPENSSL_zalloc(sizeof(PROV_ML_DSA_CTX));
86	0	if (ctx == NULL)
87	0	return NULL;
88
89	0	ctx->libctx = PROV_LIBCTX_OF(provctx);
90	0	ctx->msg_encode = ML_DSA_MESSAGE_ENCODE_PURE;
91	0	ctx->evp_type = evp_type;
92	0	return ctx;
93	0	}
94
95		static void ml_dsa_dupctx(void vctx)
96	0	{
97	0	PROV_ML_DSA_CTX srcctx = (PROV_ML_DSA_CTX )vctx;
98	0	PROV_ML_DSA_CTX *dstctx;
99
100	0	if (!ossl_prov_is_running())
101	0	return NULL;
102
103		/*
104		* Note that the ML_DSA_KEY is ref counted via EVP_PKEY so we can just copy
105		* the key here.
106		*/
107	0	dstctx = OPENSSL_memdup(srcctx, sizeof(*srcctx));
108
109	0	if (dstctx == NULL)
110	0	return NULL;
111
112	0	if (srcctx->sig != NULL) {
113	0	dstctx->sig = OPENSSL_memdup(srcctx->sig, srcctx->siglen);
114	0	if (dstctx->sig == NULL) {
115		/*
116		* Can't call ml_dsa_freectx() here, as it would free
117		* md_ctx which has not been duplicated yet.
118		*/
119	0	OPENSSL_free(dstctx);
120	0	return NULL;
121	0	}
122	0	}
123
124	0	if (srcctx->md_ctx != NULL) {
125	0	dstctx->md_ctx = EVP_MD_CTX_dup(srcctx->md_ctx);
126	0	if (dstctx->md_ctx == NULL) {
127	0	ml_dsa_freectx(dstctx);
128	0	return NULL;
129	0	}
130	0	}
131
132	0	return dstctx;
133	0	}
134
135		static int set_alg_id_buffer(PROV_ML_DSA_CTX *ctx)
136	0	{
137	0	int ret;
138	0	WPACKET pkt;
139	0	uint8_t *aid = NULL;
140
141		/*
142		* We do not care about DER writing errors.
143		* All it really means is that for some reason, there's no
144		* AlgorithmIdentifier to be had, but the operation itself is
145		* still valid, just as long as it's not used to construct
146		* anything that needs an AlgorithmIdentifier.
147		*/
148	0	ctx->aid_len = 0;
149	0	ret = WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf));
150	0	ret = ret && ossl_DER_w_algorithmIdentifier_ML_DSA(&pkt, -1, ctx->key);
151	0	if (ret && WPACKET_finish(&pkt)) {
152	0	WPACKET_get_total_written(&pkt, &ctx->aid_len);
153	0	aid = WPACKET_get_curr(&pkt);
154	0	}
155	0	WPACKET_cleanup(&pkt);
156	0	if (aid != NULL && ctx->aid_len != 0)
157	0	memmove(ctx->aid_buf, aid, ctx->aid_len);
158	0	return 1;
159	0	}
160
161		static int ml_dsa_signverify_msg_init(void vctx, void vkey,
162		const OSSL_PARAM params[], int operation,
163		const char *desc)
164	0	{
165	0	PROV_ML_DSA_CTX ctx = (PROV_ML_DSA_CTX )vctx;
166	0	ML_DSA_KEY *key = vkey;
167
168	0	if (!ossl_prov_is_running()
169	0	\|\| ctx == NULL)
170	0	return 0;
171
172	0	if (vkey == NULL && ctx->key == NULL) {
173	0	ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
174	0	return 0;
175	0	}
176
177	0	if (key != NULL)
178	0	ctx->key = vkey;
179	0	if (!ossl_ml_dsa_key_matches(ctx->key, ctx->evp_type))
180	0	return 0;
181
182	0	set_alg_id_buffer(ctx);
183	0	ctx->mu = 0;
184	0	ctx->operation = operation;
185
186	0	return ml_dsa_set_ctx_params(ctx, params);
187	0	}
188
189		static int ml_dsa_sign_msg_init(void vctx, void vkey, const OSSL_PARAM params[])
190	0	{
191	0	return ml_dsa_signverify_msg_init(vctx, vkey, params,
192	0	EVP_PKEY_OP_SIGNMSG, "ML_DSA Sign Init");
193	0	}
194
195		static int ml_dsa_digest_signverify_init(void vctx, const char mdname,
196		void *vkey, const OSSL_PARAM params[])
197	0	{
198	0	PROV_ML_DSA_CTX ctx = (PROV_ML_DSA_CTX )vctx;
199
200	0	if (mdname != NULL && mdname[0] != '\0') {
201	0	ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
202	0	"Explicit digest not supported for ML-DSA operations");
203	0	return 0;
204	0	}
205
206	0	ctx->mu = 0;
207
208	0	if (vkey == NULL && ctx->key != NULL)
209	0	return ml_dsa_set_ctx_params(ctx, params);
210
211	0	return ml_dsa_signverify_msg_init(vctx, vkey, params,
212	0	EVP_PKEY_OP_SIGN, "ML_DSA Sign Init");
213	0	}
214
215		static int ml_dsa_signverify_msg_update(void *vctx,
216		const unsigned char *data,
217		size_t datalen)
218	0	{
219	0	PROV_ML_DSA_CTX ctx = (PROV_ML_DSA_CTX )vctx;
220
221	0	if (ctx == NULL)
222	0	return 0;
223
224	0	if (!ossl_prov_is_running())
225	0	return 0;
226
227	0	if (ctx->mu)
228	0	return 0;
229
230	0	if (ctx->md_ctx == NULL) {
231	0	ctx->md_ctx = ossl_ml_dsa_mu_init(ctx->key, ctx->msg_encode,
232	0	ctx->context_string,
233	0	ctx->context_string_len);
234	0	if (ctx->md_ctx == NULL)
235	0	return 0;
236	0	}
237
238	0	return ossl_ml_dsa_mu_update(ctx->md_ctx, data, datalen);
239	0	}
240
241		static int ml_dsa_sign_msg_final(void vctx, unsigned char sig,
242		size_t *siglen, size_t sigsize)
243	0	{
244	0	PROV_ML_DSA_CTX ctx = (PROV_ML_DSA_CTX )vctx;
245	0	uint8_t rand_tmp[ML_DSA_ENTROPY_LEN], *rnd = NULL;
246	0	uint8_t mu[ML_DSA_MU_BYTES];
247	0	int ret = 0;
248
249	0	if (ctx == NULL)
250	0	return 0;
251
252	0	if (!ossl_prov_is_running())
253	0	return 0;
254
255	0	if (ctx->md_ctx == NULL)
256	0	return 0;
257
258	0	if (sig != NULL) {
259	0	if (ctx->test_entropy_len != 0) {
260	0	rnd = ctx->test_entropy;
261	0	} else {
262	0	rnd = rand_tmp;
263
264	0	if (ctx->deterministic == 1)
265	0	memset(rnd, 0, sizeof(rand_tmp));
266	0	else if (RAND_priv_bytes_ex(ctx->libctx, rnd, sizeof(rand_tmp), 0) <= 0)
267	0	return 0;
268	0	}
269
270	0	if (!ossl_ml_dsa_mu_finalize(ctx->md_ctx, mu, sizeof(mu)))
271	0	return 0;
272	0	}
273
274	0	ret = ossl_ml_dsa_sign(ctx->key, 1, mu, sizeof(mu), NULL, 0, rnd,
275	0	sizeof(rand_tmp), 0, sig, siglen, sigsize);
276	0	if (rnd != ctx->test_entropy)
277	0	OPENSSL_cleanse(rand_tmp, sizeof(rand_tmp));
278	0	return ret;
279	0	}
280
281		static int ml_dsa_sign(void vctx, uint8_t sig, size_t *siglen, size_t sigsize,
282		const uint8_t *msg, size_t msg_len)
283	0	{
284	0	int ret = 0;
285	0	PROV_ML_DSA_CTX ctx = (PROV_ML_DSA_CTX )vctx;
286	0	uint8_t rand_tmp[ML_DSA_ENTROPY_LEN], *rnd = NULL;
287
288	0	if (!ossl_prov_is_running())
289	0	return 0;
290
291	0	if (sig != NULL) {
292	0	if (ctx->test_entropy_len != 0) {
293	0	rnd = ctx->test_entropy;
294	0	} else {
295	0	rnd = rand_tmp;
296
297	0	if (ctx->deterministic == 1)
298	0	memset(rnd, 0, sizeof(rand_tmp));
299	0	else if (RAND_priv_bytes_ex(ctx->libctx, rnd, sizeof(rand_tmp), 0) <= 0)
300	0	return 0;
301	0	}
302	0	}
303	0	ret = ossl_ml_dsa_sign(ctx->key, ctx->mu, msg, msg_len,
304	0	ctx->context_string, ctx->context_string_len,
305	0	rnd, sizeof(rand_tmp), ctx->msg_encode,
306	0	sig, siglen, sigsize);
307	0	if (rnd != ctx->test_entropy)
308	0	OPENSSL_cleanse(rand_tmp, sizeof(rand_tmp));
309	0	return ret;
310	0	}
311
312		static int ml_dsa_digest_sign(void vctx, uint8_t sig, size_t *siglen, size_t sigsize,
313		const uint8_t *tbs, size_t tbslen)
314	0	{
315	0	return ml_dsa_sign(vctx, sig, siglen, sigsize, tbs, tbslen);
316	0	}
317
318		static int ml_dsa_verify_msg_init(void vctx, void vkey, const OSSL_PARAM params[])
319	0	{
320	0	return ml_dsa_signverify_msg_init(vctx, vkey, params, EVP_PKEY_OP_VERIFYMSG,
321	0	"ML_DSA Verify Init");
322	0	}
323
324		static int ml_dsa_verify_msg_final(void *vctx)
325	0	{
326	0	PROV_ML_DSA_CTX ctx = (PROV_ML_DSA_CTX )vctx;
327	0	uint8_t mu[ML_DSA_MU_BYTES];
328
329	0	if (!ossl_prov_is_running())
330	0	return 0;
331
332	0	if (ctx->md_ctx == NULL)
333	0	return 0;
334
335	0	if (!ossl_ml_dsa_mu_finalize(ctx->md_ctx, mu, sizeof(mu)))
336	0	return 0;
337
338	0	return ossl_ml_dsa_verify(ctx->key, 1, mu, sizeof(mu), NULL, 0, 0,
339	0	ctx->sig, ctx->siglen);
340	0	}
341
342		static int ml_dsa_verify(void vctx, const uint8_t sig, size_t siglen,
343		const uint8_t *msg, size_t msg_len)
344	0	{
345	0	PROV_ML_DSA_CTX ctx = (PROV_ML_DSA_CTX )vctx;
346
347	0	if (!ossl_prov_is_running())
348	0	return 0;
349	0	return ossl_ml_dsa_verify(ctx->key, ctx->mu, msg, msg_len,
350	0	ctx->context_string, ctx->context_string_len,
351	0	ctx->msg_encode, sig, siglen);
352	0	}
353		static int ml_dsa_digest_verify(void *vctx,
354		const uint8_t *sig, size_t siglen,
355		const uint8_t *tbs, size_t tbslen)
356	0	{
357	0	return ml_dsa_verify(vctx, sig, siglen, tbs, tbslen);
358	0	}
359
360		static int ml_dsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
361	0	{
362	0	PROV_ML_DSA_CTX pctx = (PROV_ML_DSA_CTX )vctx;
363	0	const OSSL_PARAM *p;
364
365	0	if (pctx == NULL)
366	0	return 0;
367	0	if (ossl_param_is_empty(params))
368	0	return 1;
369
370	0	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_CONTEXT_STRING);
371	0	if (p != NULL) {
372	0	void *vp = pctx->context_string;
373
374	0	if (!OSSL_PARAM_get_octet_string(p, &vp, sizeof(pctx->context_string),
375	0	&(pctx->context_string_len))) {
376	0	pctx->context_string_len = 0;
377	0	return 0;
378	0	}
379	0	}
380	0	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_TEST_ENTROPY);
381	0	if (p != NULL) {
382	0	void *vp = pctx->test_entropy;
383
384	0	pctx->test_entropy_len = 0;
385	0	if (!OSSL_PARAM_get_octet_string(p, &vp, sizeof(pctx->test_entropy),
386	0	&(pctx->test_entropy_len)))
387	0	return 0;
388	0	if (pctx->test_entropy_len != sizeof(pctx->test_entropy)) {
389	0	pctx->test_entropy_len = 0;
390	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SEED_LENGTH);
391	0	return 0;
392	0	}
393	0	}
394	0	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DETERMINISTIC);
395	0	if (p != NULL && !OSSL_PARAM_get_int(p, &pctx->deterministic))
396	0	return 0;
397
398	0	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING);
399	0	if (p != NULL && !OSSL_PARAM_get_int(p, &pctx->msg_encode))
400	0	return 0;
401
402	0	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MU);
403	0	if (p != NULL && !OSSL_PARAM_get_int(p, &pctx->mu))
404	0	return 0;
405
406	0	if (pctx->operation == EVP_PKEY_OP_VERIFYMSG) {
407	0	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE);
408	0	if (p != NULL) {
409	0	OPENSSL_free(pctx->sig);
410	0	pctx->sig = NULL;
411	0	pctx->siglen = 0;
412	0	if (!OSSL_PARAM_get_octet_string(p, (void **)&pctx->sig,
413	0	0, &pctx->siglen))
414	0	return 0;
415	0	}
416	0	}
417
418	0	return 1;
419	0	}
420
421		#define MLDSA_COMMON_SETTABLE_CTX_PARAMS \
422	0	OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0), \
423	0	OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_TEST_ENTROPY, NULL, 0), \
424	0	OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_DETERMINISTIC, 0), \
425	0	OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_MU, 0), \
426	0	OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING, 0), \
427	0	OSSL_PARAM_END
428
429		static const OSSL_PARAM ml_dsa_settable_ctx_params(void vctx,
430		ossl_unused void *provctx)
431	0	{
432	0	PROV_ML_DSA_CTX pctx = (PROV_ML_DSA_CTX )vctx;
433
434	0	static const OSSL_PARAM settable_ctx_params[] = {
435	0	MLDSA_COMMON_SETTABLE_CTX_PARAMS
436	0	};
437
438	0	static const OSSL_PARAM settable_verifymsg_ctx_params[] = {
439	0	OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0),
440	0	MLDSA_COMMON_SETTABLE_CTX_PARAMS
441	0	};
442
443	0	if (pctx != NULL && pctx->operation == EVP_PKEY_OP_VERIFYMSG)
444	0	return settable_verifymsg_ctx_params;
445	0	else
446	0	return settable_ctx_params;
447	0	}
448
449		static const OSSL_PARAM known_gettable_ctx_params[] = {
450		OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
451		OSSL_PARAM_END
452		};
453
454		static const OSSL_PARAM ml_dsa_gettable_ctx_params(ossl_unused void vctx,
455		ossl_unused void *provctx)
456	0	{
457	0	return known_gettable_ctx_params;
458	0	}
459
460		static int ml_dsa_get_ctx_params(void vctx, OSSL_PARAM params)
461	0	{
462	0	PROV_ML_DSA_CTX ctx = (PROV_ML_DSA_CTX )vctx;
463	0	OSSL_PARAM *p;
464
465	0	if (ctx == NULL)
466	0	return 0;
467
468	0	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
469	0	if (p != NULL
470	0	&& !OSSL_PARAM_set_octet_string(p,
471	0	ctx->aid_len == 0 ? NULL : ctx->aid_buf,
472	0	ctx->aid_len))
473	0	return 0;
474
475	0	return 1;
476	0	}
477
478		#define MAKE_SIGNATURE_FUNCTIONS(alg) \
479		static OSSL_FUNC_signature_newctx_fn ml_dsa_##alg##_newctx; \
480		static void ml_dsa_##alg##_newctx(void provctx, const char *propq) \
481	0	{ \
482	0	return ml_dsa_newctx(provctx, EVP_PKEY_ML_DSA_##alg, propq); \
483	0	} \ Unexecuted instantiation: ml_dsa_sig.c:ml_dsa_44_newctx Unexecuted instantiation: ml_dsa_sig.c:ml_dsa_65_newctx Unexecuted instantiation: ml_dsa_sig.c:ml_dsa_87_newctx
484		const OSSL_DISPATCH ossl_ml_dsa_##alg##_signature_functions[] = { \
485		{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ml_dsa_##alg##_newctx }, \
486		{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \
487		(void (*)(void))ml_dsa_sign_msg_init }, \
488		{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \
489		(void (*)(void))ml_dsa_signverify_msg_update }, \
490		{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \
491		(void (*)(void))ml_dsa_sign_msg_final }, \
492		{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ml_dsa_sign }, \
493		{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \
494		(void (*)(void))ml_dsa_verify_msg_init }, \
495		{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \
496		(void (*)(void))ml_dsa_signverify_msg_update }, \
497		{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \
498		(void (*)(void))ml_dsa_verify_msg_final }, \
499		{ OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ml_dsa_verify }, \
500		{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, \
501		(void (*)(void))ml_dsa_digest_signverify_init }, \
502		{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN, \
503		(void (*)(void))ml_dsa_digest_sign }, \
504		{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, \
505		(void (*)(void))ml_dsa_digest_signverify_init }, \
506		{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY, \
507		(void (*)(void))ml_dsa_digest_verify }, \
508		{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ml_dsa_freectx }, \
509		{ OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \
510		(void (*)(void))ml_dsa_set_ctx_params }, \
511		{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \
512		(void (*)(void))ml_dsa_settable_ctx_params }, \
513		{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \
514		(void (*)(void))ml_dsa_get_ctx_params }, \
515		{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \
516		(void (*)(void))ml_dsa_gettable_ctx_params }, \
517		{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ml_dsa_dupctx }, \
518		OSSL_DISPATCH_END \
519		}
520
521		MAKE_SIGNATURE_FUNCTIONS(44);
522		MAKE_SIGNATURE_FUNCTIONS(65);
523		MAKE_SIGNATURE_FUNCTIONS(87);