/src/openssl/crypto/ml_dsa/ml_dsa_sign.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <openssl/core_dispatch.h> |
11 | | #include <openssl/core_names.h> |
12 | | #include <openssl/params.h> |
13 | | #include <openssl/rand.h> |
14 | | #include <openssl/err.h> |
15 | | #include <openssl/proverr.h> |
16 | | #include "internal/common.h" |
17 | | #include "ml_dsa_local.h" |
18 | | #include "ml_dsa_key.h" |
19 | | #include "ml_dsa_matrix.h" |
20 | | #include "ml_dsa_sign.h" |
21 | | #include "ml_dsa_hash.h" |
22 | | |
23 | | #define ML_DSA_MAX_LAMBDA 256 /* bit strength for ML-DSA-87 */ |
24 | | |
25 | | /* |
26 | | * @brief Initialize a Signature object by pointing all of its objects to |
27 | | * preallocated blocks. The values passed for hint, z and |
28 | | * c_tilde values are not owned/freed by the |sig| object. |
29 | | * |
30 | | * @param sig The ML_DSA_SIG to initialize. |
31 | | * @param hint A preallocated array of |k| polynomial blocks |
32 | | * @param k The number of |hint| polynomials |
33 | | * @param z A preallocated array of |l| polynomial blocks |
34 | | * @param l The number of |z| polynomials |
35 | | * @param c_tilde A preallocated buffer |
36 | | * @param c_tilde_len The size of |c_tilde| |
37 | | */ |
38 | | static void signature_init(ML_DSA_SIG *sig, |
39 | | POLY *hint, uint32_t k, POLY *z, uint32_t l, |
40 | | uint8_t *c_tilde, size_t c_tilde_len) |
41 | 0 | { |
42 | 0 | vector_init(&sig->z, z, l); |
43 | 0 | vector_init(&sig->hint, hint, k); |
44 | 0 | sig->c_tilde = c_tilde; |
45 | 0 | sig->c_tilde_len = c_tilde_len; |
46 | 0 | } |
47 | | |
48 | | /* |
49 | | * @brief: Auxiliary functions to compute ML-DSA's MU. |
50 | | * This combines the steps of creating M' and concatenating it |
51 | | * to the Public Key Hash to obtain MU. |
52 | | * See FIPS 204 Algorithm 2 Step 10 (and algorithm 3 Step 5) as |
53 | | * well as Algorithm 7 Step 6 (and algorithm 8 Step 7) |
54 | | * |
55 | | * ML_DSA pure signatures are encoded as M' = 00 || ctx_len || ctx || msg |
56 | | * Where ctx is the empty string by default and ctx_len <= 255. |
57 | | * The message is appended to the encoded context. |
58 | | * Finally a public key hash is prepended, and the whole is hashed |
59 | | * to derive the mu value. |
60 | | * |
61 | | * @param key: A public or private ML-DSA key; |
62 | | * @param encode: if not set, assumes that M' is provided raw and the |
63 | | * following parameters are ignored. |
64 | | * @param ctx An optional context to add to the message encoding. |
65 | | * @param ctx_len The size of |ctx|. It must be in the range 0..255 |
66 | | * @returns an EVP_MD_CTX if the operation is successful, NULL otherwise. |
67 | | */ |
68 | | |
69 | | EVP_MD_CTX *ossl_ml_dsa_mu_init(const ML_DSA_KEY *key, int encode, |
70 | | const uint8_t *ctx, size_t ctx_len) |
71 | 0 | { |
72 | 0 | EVP_MD_CTX *md_ctx; |
73 | 0 | uint8_t itb[2]; |
74 | |
|
75 | 0 | if (key == NULL) |
76 | 0 | return NULL; |
77 | | |
78 | 0 | md_ctx = EVP_MD_CTX_new(); |
79 | 0 | if (md_ctx == NULL) |
80 | 0 | return NULL; |
81 | | |
82 | | /* H(.. */ |
83 | 0 | if (!EVP_DigestInit_ex2(md_ctx, key->shake256_md, NULL)) |
84 | 0 | goto err; |
85 | | /* ..pk (= key->tr) */ |
86 | 0 | if (!EVP_DigestUpdate(md_ctx, key->tr, sizeof(key->tr))) |
87 | 0 | goto err; |
88 | | /* M' = .. */ |
89 | 0 | if (encode) { |
90 | 0 | if (ctx_len > ML_DSA_MAX_CONTEXT_STRING_LEN) |
91 | 0 | goto err; |
92 | | /* IntegerToBytes(0, 1) .. */ |
93 | 0 | itb[0] = 0; |
94 | | /* || IntegerToBytes(|ctx|, 1) || .. */ |
95 | 0 | itb[1] = (uint8_t)ctx_len; |
96 | 0 | if (!EVP_DigestUpdate(md_ctx, itb, 2)) |
97 | 0 | goto err; |
98 | | /* ctx || .. */ |
99 | 0 | if (!EVP_DigestUpdate(md_ctx, ctx, ctx_len)) |
100 | 0 | goto err; |
101 | | /* .. msg) will follow in update and final functions */ |
102 | 0 | } |
103 | | |
104 | 0 | return md_ctx; |
105 | | |
106 | 0 | err: |
107 | 0 | EVP_MD_CTX_free(md_ctx); |
108 | 0 | return NULL; |
109 | 0 | } |
110 | | |
111 | | /* |
112 | | * @brief: updates the internal ML-DSA hash with an additional message chunk. |
113 | | * |
114 | | * @param md_ctx: The hashing context |
115 | | * @param msg: The next message chunk |
116 | | * @param msg_len: The length of the msg buffer to process |
117 | | * @returns 1 on success, 0 on error |
118 | | */ |
119 | | int ossl_ml_dsa_mu_update(EVP_MD_CTX *md_ctx, const uint8_t *msg, size_t msg_len) |
120 | 0 | { |
121 | 0 | return EVP_DigestUpdate(md_ctx, msg, msg_len); |
122 | 0 | } |
123 | | |
124 | | /* |
125 | | * @brief: finalizes the internal ML-DSA hash |
126 | | * |
127 | | * @param md_ctx: The hashing context |
128 | | * @param mu: The output buffer for Mu |
129 | | * @param mu_len: The size of the output buffer |
130 | | * @returns 1 on success, 0 on error |
131 | | */ |
132 | | int ossl_ml_dsa_mu_finalize(EVP_MD_CTX *md_ctx, uint8_t *mu, size_t mu_len) |
133 | 0 | { |
134 | 0 | if (!ossl_assert(mu_len == ML_DSA_MU_BYTES)) { |
135 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); |
136 | 0 | return 0; |
137 | 0 | } |
138 | 0 | return EVP_DigestSqueeze(md_ctx, mu, mu_len); |
139 | 0 | } |
140 | | |
141 | | /* |
142 | | * @brief FIPS 204, Algorithm 7, ML-DSA.Sign_internal() |
143 | | * |
144 | | * This algorithm is decomposed in 2 steps, a set of functions to compute mu |
145 | | * and then the actual signing function. |
146 | | * |
147 | | * @param priv: The private ML-DSA key |
148 | | * @param mu: The pre-computed mu hash |
149 | | * @param mu_len: The length of the mu buffer |
150 | | * @param rnd: The random buffer |
151 | | * @param rnd_len: The length of the random buffer |
152 | | * @param out_sig: The output signature buffer |
153 | | * @returns 1 on success, 0 on error |
154 | | */ |
155 | | static int ml_dsa_sign_internal(const ML_DSA_KEY *priv, |
156 | | const uint8_t *mu, size_t mu_len, |
157 | | const uint8_t *rnd, size_t rnd_len, |
158 | | uint8_t *out_sig) |
159 | 0 | { |
160 | 0 | int ret = 0; |
161 | 0 | const ML_DSA_PARAMS *params = priv->params; |
162 | 0 | EVP_MD_CTX *md_ctx = NULL; |
163 | 0 | uint32_t k = (uint32_t)params->k, l = (uint32_t)params->l; |
164 | 0 | uint32_t gamma1 = params->gamma1, gamma2 = params->gamma2; |
165 | 0 | uint8_t *alloc = NULL, *w1_encoded; |
166 | 0 | size_t alloc_len, w1_encoded_len; |
167 | 0 | size_t num_polys_sig_k = 2 * k; |
168 | 0 | size_t num_polys_k = 5 * k; |
169 | 0 | size_t num_polys_l = 3 * l; |
170 | 0 | size_t num_polys_k_by_l = k * l; |
171 | 0 | POLY *p, *c_ntt; |
172 | 0 | VECTOR s1_ntt, s2_ntt, t0_ntt, w, w1, cs1, cs2, y; |
173 | 0 | MATRIX a_ntt; |
174 | 0 | ML_DSA_SIG sig; |
175 | 0 | uint8_t rho_prime[ML_DSA_RHO_PRIME_BYTES]; |
176 | 0 | uint8_t c_tilde[ML_DSA_MAX_LAMBDA / 4]; |
177 | 0 | size_t c_tilde_len = params->bit_strength >> 2; |
178 | 0 | size_t kappa; |
179 | |
|
180 | 0 | if (mu_len != ML_DSA_MU_BYTES) { |
181 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); |
182 | 0 | return 0; |
183 | 0 | } |
184 | | |
185 | | /* |
186 | | * Allocate a single blob for most of the variable size temporary variables. |
187 | | * Mostly used for VECTOR POLYNOMIALS (every POLY is 1K). |
188 | | */ |
189 | 0 | w1_encoded_len = k * (gamma2 == ML_DSA_GAMMA2_Q_MINUS1_DIV88 ? 192 : 128); |
190 | 0 | alloc_len = w1_encoded_len |
191 | 0 | + sizeof(*p) * (1 + num_polys_k + num_polys_l + num_polys_k_by_l + num_polys_sig_k); |
192 | 0 | alloc = OPENSSL_malloc(alloc_len); |
193 | 0 | if (alloc == NULL) |
194 | 0 | return 0; |
195 | 0 | md_ctx = EVP_MD_CTX_new(); |
196 | 0 | if (md_ctx == NULL) |
197 | 0 | goto err; |
198 | | |
199 | 0 | w1_encoded = alloc; |
200 | | /* Init the temp vectors to point to the allocated polys blob */ |
201 | 0 | p = (POLY *)(w1_encoded + w1_encoded_len); |
202 | 0 | c_ntt = p++; |
203 | 0 | matrix_init(&a_ntt, p, k, l); |
204 | 0 | p += num_polys_k_by_l; |
205 | 0 | vector_init(&s2_ntt, p, k); |
206 | 0 | vector_init(&t0_ntt, s2_ntt.poly + k, k); |
207 | 0 | vector_init(&w, t0_ntt.poly + k, k); |
208 | 0 | vector_init(&w1, w.poly + k, k); |
209 | 0 | vector_init(&cs2, w1.poly + k, k); |
210 | 0 | p += num_polys_k; |
211 | 0 | vector_init(&s1_ntt, p, l); |
212 | 0 | vector_init(&y, p + l, l); |
213 | 0 | vector_init(&cs1, p + 2 * l, l); |
214 | 0 | p += num_polys_l; |
215 | 0 | signature_init(&sig, p, k, p + k, l, c_tilde, c_tilde_len); |
216 | | /* End of the allocated blob setup */ |
217 | |
|
218 | 0 | if (!matrix_expand_A(md_ctx, priv->shake128_md, priv->rho, &a_ntt)) |
219 | 0 | goto err; |
220 | | |
221 | 0 | if (!shake_xof_3(md_ctx, priv->shake256_md, priv->K, sizeof(priv->K), |
222 | 0 | rnd, rnd_len, mu, mu_len, |
223 | 0 | rho_prime, sizeof(rho_prime))) |
224 | 0 | goto err; |
225 | | |
226 | 0 | vector_copy(&s1_ntt, &priv->s1); |
227 | 0 | vector_ntt(&s1_ntt); |
228 | 0 | vector_copy(&s2_ntt, &priv->s2); |
229 | 0 | vector_ntt(&s2_ntt); |
230 | 0 | vector_copy(&t0_ntt, &priv->t0); |
231 | 0 | vector_ntt(&t0_ntt); |
232 | | |
233 | | /* |
234 | | * kappa must not exceed 2^16. But the probability of it |
235 | | * exceeding even 1000 iterations is vanishingly small. |
236 | | */ |
237 | 0 | for (kappa = 0;; kappa += l) { |
238 | 0 | VECTOR *y_ntt = &cs1; |
239 | 0 | VECTOR *r0 = &w1; |
240 | 0 | VECTOR *ct0 = &w1; |
241 | 0 | uint32_t z_max, r0_max, ct0_max, h_ones; |
242 | |
|
243 | 0 | vector_expand_mask(&y, rho_prime, sizeof(rho_prime), (uint32_t)kappa, |
244 | 0 | gamma1, md_ctx, priv->shake256_md); |
245 | 0 | vector_copy(y_ntt, &y); |
246 | 0 | vector_ntt(y_ntt); |
247 | |
|
248 | 0 | matrix_mult_vector(&a_ntt, y_ntt, &w); |
249 | 0 | vector_ntt_inverse(&w); |
250 | |
|
251 | 0 | vector_high_bits(&w, gamma2, &w1); |
252 | 0 | ossl_ml_dsa_w1_encode(&w1, gamma2, w1_encoded, w1_encoded_len); |
253 | |
|
254 | 0 | if (!shake_xof_2(md_ctx, priv->shake256_md, mu, mu_len, |
255 | 0 | w1_encoded, w1_encoded_len, c_tilde, c_tilde_len)) |
256 | 0 | break; |
257 | | |
258 | 0 | if (!poly_sample_in_ball_ntt(c_ntt, c_tilde, (int)c_tilde_len, |
259 | 0 | md_ctx, priv->shake256_md, params->tau)) |
260 | 0 | break; |
261 | | |
262 | 0 | vector_mult_scalar(&s1_ntt, c_ntt, &cs1); |
263 | 0 | vector_ntt_inverse(&cs1); |
264 | 0 | vector_mult_scalar(&s2_ntt, c_ntt, &cs2); |
265 | 0 | vector_ntt_inverse(&cs2); |
266 | |
|
267 | 0 | vector_add(&y, &cs1, &sig.z); |
268 | | |
269 | | /* r0 = lowbits(w - cs2) */ |
270 | 0 | vector_sub(&w, &cs2, r0); |
271 | 0 | vector_low_bits(r0, gamma2, r0); |
272 | | |
273 | | /* |
274 | | * Leaking that the signature is rejected is fine as the next attempt at a |
275 | | * signature will be (indistinguishable from) independent of this one. |
276 | | */ |
277 | 0 | z_max = vector_max(&sig.z); |
278 | 0 | r0_max = vector_max_signed(r0); |
279 | 0 | if (value_barrier_32(constant_time_ge(z_max, gamma1 - params->beta) |
280 | 0 | | constant_time_ge(r0_max, gamma2 - params->beta))) |
281 | 0 | continue; |
282 | | |
283 | 0 | vector_mult_scalar(&t0_ntt, c_ntt, ct0); |
284 | 0 | vector_ntt_inverse(ct0); |
285 | 0 | vector_make_hint(ct0, &cs2, &w, gamma2, &sig.hint); |
286 | |
|
287 | 0 | ct0_max = vector_max(ct0); |
288 | 0 | h_ones = (uint32_t)vector_count_ones(&sig.hint); |
289 | | /* Same reasoning applies to the leak as above */ |
290 | 0 | if (value_barrier_32(constant_time_ge(ct0_max, gamma2) |
291 | 0 | | constant_time_lt(params->omega, h_ones))) |
292 | 0 | continue; |
293 | 0 | ret = ossl_ml_dsa_sig_encode(&sig, params, out_sig); |
294 | 0 | break; |
295 | 0 | } |
296 | 0 | err: |
297 | 0 | EVP_MD_CTX_free(md_ctx); |
298 | 0 | OPENSSL_clear_free(alloc, alloc_len); |
299 | 0 | OPENSSL_cleanse(rho_prime, sizeof(rho_prime)); |
300 | 0 | return ret; |
301 | 0 | } |
302 | | |
303 | | /* |
304 | | * @brief FIPS 204, Algorithm 8, ML-DSA.Verify_internal(). |
305 | | * |
306 | | * This algorithm is decomposed in 2 steps, a set of functions to compute mu |
307 | | * and then the actual verification function. |
308 | | * |
309 | | * @param pub: The public ML-DSA key |
310 | | * @param mu: The pre-computed mu hash |
311 | | * @param mu_len: The length of the mu buffer |
312 | | * @param sig_enc: The encoded signature to be verified |
313 | | * @param sig_enc_len: the encoded csignature length |
314 | | * @returns 1 on success, 0 on error |
315 | | */ |
316 | | static int ml_dsa_verify_internal(const ML_DSA_KEY *pub, |
317 | | const uint8_t *mu, size_t mu_len, |
318 | | const uint8_t *sig_enc, |
319 | | size_t sig_enc_len) |
320 | 0 | { |
321 | 0 | int ret = 0; |
322 | 0 | uint8_t *alloc = NULL, *w1_encoded; |
323 | 0 | POLY *p, *c_ntt; |
324 | 0 | MATRIX a_ntt; |
325 | 0 | VECTOR az_ntt, ct1_ntt, *z_ntt, *w1, *w_approx; |
326 | 0 | ML_DSA_SIG sig; |
327 | 0 | const ML_DSA_PARAMS *params = pub->params; |
328 | 0 | uint32_t k = (uint32_t)pub->params->k; |
329 | 0 | uint32_t l = (uint32_t)pub->params->l; |
330 | 0 | uint32_t gamma2 = params->gamma2; |
331 | 0 | size_t w1_encoded_len; |
332 | 0 | size_t num_polys_sig = k + l; |
333 | 0 | size_t num_polys_k = 2 * k; |
334 | 0 | size_t num_polys_l = 1 * l; |
335 | 0 | size_t num_polys_k_by_l = k * l; |
336 | 0 | uint8_t c_tilde[ML_DSA_MAX_LAMBDA / 4]; |
337 | 0 | uint8_t c_tilde_sig[ML_DSA_MAX_LAMBDA / 4]; |
338 | 0 | EVP_MD_CTX *md_ctx = NULL; |
339 | 0 | size_t c_tilde_len = params->bit_strength >> 2; |
340 | 0 | uint32_t z_max; |
341 | | |
342 | | /* FIPS 204 compliance: Also validate signature length before decoding */ |
343 | 0 | if (mu_len != ML_DSA_MU_BYTES || sig_enc_len != params->sig_len) { |
344 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); |
345 | 0 | return 0; |
346 | 0 | } |
347 | | |
348 | | /* Allocate space for all the POLYNOMIALS used by temporary VECTORS */ |
349 | 0 | w1_encoded_len = k * (gamma2 == ML_DSA_GAMMA2_Q_MINUS1_DIV88 ? 192 : 128); |
350 | 0 | alloc = OPENSSL_malloc(w1_encoded_len |
351 | 0 | + sizeof(*p) * (1 + num_polys_k + num_polys_l + num_polys_k_by_l + num_polys_sig)); |
352 | 0 | if (alloc == NULL) |
353 | 0 | return 0; |
354 | 0 | md_ctx = EVP_MD_CTX_new(); |
355 | 0 | if (md_ctx == NULL) |
356 | 0 | goto err; |
357 | | |
358 | 0 | w1_encoded = alloc; |
359 | | /* Init the temp vectors to point to the allocated polys blob */ |
360 | 0 | p = (POLY *)(w1_encoded + w1_encoded_len); |
361 | 0 | c_ntt = p++; |
362 | 0 | matrix_init(&a_ntt, p, k, l); |
363 | 0 | p += num_polys_k_by_l; |
364 | 0 | signature_init(&sig, p, k, p + k, l, c_tilde_sig, c_tilde_len); |
365 | 0 | p += num_polys_sig; |
366 | 0 | vector_init(&az_ntt, p, k); |
367 | 0 | vector_init(&ct1_ntt, p + k, k); |
368 | |
|
369 | 0 | if (!ossl_ml_dsa_sig_decode(&sig, sig_enc, sig_enc_len, pub->params) |
370 | 0 | || !matrix_expand_A(md_ctx, pub->shake128_md, pub->rho, &a_ntt)) |
371 | 0 | goto err; |
372 | | |
373 | | /* Compute verifiers challenge c_ntt = NTT(SampleInBall(c_tilde)) */ |
374 | 0 | if (!poly_sample_in_ball_ntt(c_ntt, c_tilde_sig, (int)c_tilde_len, |
375 | 0 | md_ctx, pub->shake256_md, params->tau)) |
376 | 0 | goto err; |
377 | | |
378 | | /* ct1_ntt = NTT(c) * NTT(t1 * 2^d) */ |
379 | 0 | vector_scale_power2_round_ntt(&pub->t1, &ct1_ntt); |
380 | 0 | vector_mult_scalar(&ct1_ntt, c_ntt, &ct1_ntt); |
381 | | |
382 | | /* compute z_max early in order to reuse sig.z */ |
383 | 0 | z_max = vector_max(&sig.z); |
384 | | |
385 | | /* w_approx = NTT_inverse(A * NTT(z) - ct1_ntt) */ |
386 | 0 | z_ntt = &sig.z; |
387 | 0 | vector_ntt(z_ntt); |
388 | 0 | matrix_mult_vector(&a_ntt, z_ntt, &az_ntt); |
389 | 0 | w_approx = &az_ntt; |
390 | 0 | vector_sub(&az_ntt, &ct1_ntt, w_approx); |
391 | 0 | vector_ntt_inverse(w_approx); |
392 | | |
393 | | /* compute w1_encoded */ |
394 | 0 | w1 = w_approx; |
395 | 0 | vector_use_hint(&sig.hint, w_approx, gamma2, w1); |
396 | 0 | ossl_ml_dsa_w1_encode(w1, gamma2, w1_encoded, w1_encoded_len); |
397 | |
|
398 | 0 | if (!shake_xof_3(md_ctx, pub->shake256_md, mu, mu_len, |
399 | 0 | w1_encoded, w1_encoded_len, NULL, 0, c_tilde, c_tilde_len)) |
400 | 0 | goto err; |
401 | | |
402 | 0 | ret = (z_max < (uint32_t)(params->gamma1 - params->beta)) |
403 | 0 | && memcmp(c_tilde, sig.c_tilde, c_tilde_len) == 0; |
404 | 0 | err: |
405 | 0 | OPENSSL_free(alloc); |
406 | 0 | EVP_MD_CTX_free(md_ctx); |
407 | 0 | return ret; |
408 | 0 | } |
409 | | |
410 | | /** |
411 | | * See FIPS 204 Section 5.2 Algorithm 2 ML-DSA.Sign() |
412 | | * |
413 | | * @returns 1 on success, or 0 on error. |
414 | | */ |
415 | | int ossl_ml_dsa_sign(const ML_DSA_KEY *priv, int msg_is_mu, |
416 | | const uint8_t *msg, size_t msg_len, |
417 | | const uint8_t *context, size_t context_len, |
418 | | const uint8_t *rand, size_t rand_len, int encode, |
419 | | unsigned char *sig, size_t *sig_len, size_t sig_size) |
420 | 0 | { |
421 | 0 | EVP_MD_CTX *md_ctx = NULL; |
422 | 0 | uint8_t mu[ML_DSA_MU_BYTES]; |
423 | 0 | const uint8_t *mu_ptr = mu; |
424 | 0 | size_t mu_len = sizeof(mu); |
425 | 0 | int ret = 0; |
426 | |
|
427 | 0 | if (ossl_ml_dsa_key_get_priv(priv) == NULL) |
428 | 0 | return 0; |
429 | | |
430 | 0 | if (sig_len != NULL) |
431 | 0 | *sig_len = priv->params->sig_len; |
432 | |
|
433 | 0 | if (sig == NULL) |
434 | 0 | return (sig_len != NULL) ? 1 : 0; |
435 | | |
436 | 0 | if (sig_size < priv->params->sig_len) |
437 | 0 | return 0; |
438 | | |
439 | 0 | if (msg_is_mu) { |
440 | 0 | mu_ptr = msg; |
441 | 0 | mu_len = msg_len; |
442 | 0 | } else { |
443 | 0 | md_ctx = ossl_ml_dsa_mu_init(priv, encode, context, context_len); |
444 | 0 | if (md_ctx == NULL) |
445 | 0 | return 0; |
446 | | |
447 | 0 | if (!ossl_ml_dsa_mu_update(md_ctx, msg, msg_len)) |
448 | 0 | goto err; |
449 | | |
450 | 0 | if (!ossl_ml_dsa_mu_finalize(md_ctx, mu, mu_len)) |
451 | 0 | goto err; |
452 | 0 | } |
453 | | |
454 | 0 | ret = ml_dsa_sign_internal(priv, mu_ptr, mu_len, rand, rand_len, sig); |
455 | |
|
456 | 0 | err: |
457 | 0 | EVP_MD_CTX_free(md_ctx); |
458 | 0 | return ret; |
459 | 0 | } |
460 | | |
461 | | /** |
462 | | * See FIPS 203 Section 5.3 Algorithm 3 ML-DSA.Verify() |
463 | | * @returns 1 on success, or 0 on error. |
464 | | */ |
465 | | int ossl_ml_dsa_verify(const ML_DSA_KEY *pub, int msg_is_mu, |
466 | | const uint8_t *msg, size_t msg_len, |
467 | | const uint8_t *context, size_t context_len, int encode, |
468 | | const uint8_t *sig, size_t sig_len) |
469 | 0 | { |
470 | 0 | EVP_MD_CTX *md_ctx = NULL; |
471 | 0 | uint8_t mu[ML_DSA_MU_BYTES]; |
472 | 0 | const uint8_t *mu_ptr = mu; |
473 | 0 | size_t mu_len = sizeof(mu); |
474 | 0 | int ret = 0; |
475 | |
|
476 | 0 | if (ossl_ml_dsa_key_get_pub(pub) == NULL) |
477 | 0 | return 0; |
478 | | |
479 | 0 | if (msg_is_mu) { |
480 | 0 | mu_ptr = msg; |
481 | 0 | mu_len = msg_len; |
482 | 0 | } else { |
483 | 0 | md_ctx = ossl_ml_dsa_mu_init(pub, encode, context, context_len); |
484 | 0 | if (md_ctx == NULL) |
485 | 0 | return 0; |
486 | | |
487 | 0 | if (!ossl_ml_dsa_mu_update(md_ctx, msg, msg_len)) |
488 | 0 | goto err; |
489 | | |
490 | 0 | if (!ossl_ml_dsa_mu_finalize(md_ctx, mu, mu_len)) |
491 | 0 | goto err; |
492 | 0 | } |
493 | | |
494 | 0 | ret = ml_dsa_verify_internal(pub, mu_ptr, mu_len, sig, sig_len); |
495 | 0 | err: |
496 | 0 | EVP_MD_CTX_free(md_ctx); |
497 | 0 | return ret; |
498 | 0 | } |