Merge branch 'main' into sha1-cli

Author: justsmth

util/fipstools/acvp/acvptool/subprocess/ml_dsa.go

@@ -100,7 +100,7 @@ type mlDsaSigGenTestGroup struct {
 	ParameterSet       string `json:"parameterSet"`
 	Deterministic      bool   `json:"deterministic"`
 	SignatureInterface string `json:"signatureInterface"`
-	ExternalMu         bool   `json:"externalMu`
+	ExternalMu         *bool   `json:"externalMu`
 	Tests              []struct {
 		ID      uint64               `json:"tcId"`
 		Message hexEncodedByteString `json:"message"`
@@ -123,8 +123,11 @@ type mlDsaSigGenTestCaseResponse struct {
 }
 
 // Convert boolean to byte slice (using 1 for true, 0 for false)
-func boolToBytes(b bool) []byte {
-	if b {
+func boolToBytes(b *bool) []byte {
+	if b == nil {
+		return nil  // Field doesn't exist
+	}
+	if *b {
 		return []byte{1}
 	}
 	return []byte{0}
@@ -174,7 +177,7 @@ type mlDsaSigVerTestGroup struct {
 	ParameterSet       string `json:"parameterSet"`
 	Deterministic      bool   `json:"deterministic"`
 	SignatureInterface string `json:"signatureInterface"`
-	ExternalMu         bool   `json:"externalMu`
+	ExternalMu         *bool   `json:"externalMu`
 	Tests              []struct {
 		ID        uint64               `json:"tcId"`
 		PK        hexEncodedByteString `json:"pk"`

util/fipstools/acvp/acvptool/test/expected/ML-DSA.bz2

@@ -3380,31 +3380,29 @@ static bool ML_DSA_SIGGEN(const Span<const uint8_t> args[],
   const Span<const uint8_t> context = args[4];
   const Span<const uint8_t> extmu = args[5];
 
-  using SignFunc = int (*)(const uint8_t*, uint8_t*, size_t*,
-                           const uint8_t*, size_t, const uint8_t*, size_t);
   using SignInternalFunc = int (*)(const uint8_t*, uint8_t*, size_t*,
                                    const uint8_t*, size_t,
                                    const uint8_t*, size_t, const uint8_t*);
 
   // Group all related functions for each variant
   struct MLDSA_functions {
     void (*params_init)(ml_dsa_params*);
-    SignFunc sign;
     SignInternalFunc sign_internal;
     SignInternalFunc extmu_sign_internal;
   };
 
-  // Select function set based on NID
+  // Select function set based on NID. We must use |ml_dsa_*_sign_internal| here,
+  // to account for the random inputs (rnd).
   MLDSA_functions mldsa_funcs;
   if (nid == NID_MLDSA44) {
-    mldsa_funcs = {ml_dsa_44_params_init, ml_dsa_44_sign,
-                   ml_dsa_44_sign_internal, ml_dsa_extmu_44_sign_internal};
+    mldsa_funcs = {ml_dsa_44_params_init, ml_dsa_44_sign_internal,
+                   ml_dsa_extmu_44_sign_internal};
   } else if (nid == NID_MLDSA65) {
-    mldsa_funcs = {ml_dsa_65_params_init, ml_dsa_65_sign,
-                   ml_dsa_65_sign_internal, ml_dsa_extmu_65_sign_internal};
+    mldsa_funcs = {ml_dsa_65_params_init, ml_dsa_65_sign_internal,
+                   ml_dsa_extmu_65_sign_internal};
   } else if (nid == NID_MLDSA87) {
-    mldsa_funcs = {ml_dsa_87_params_init, ml_dsa_87_sign,
-                   ml_dsa_87_sign_internal, ml_dsa_extmu_87_sign_internal};
+    mldsa_funcs = {ml_dsa_87_params_init, ml_dsa_87_sign_internal,
+                   ml_dsa_extmu_87_sign_internal};
   } else {
     return false;
   }
@@ -3415,12 +3413,8 @@ static bool ML_DSA_SIGGEN(const Span<const uint8_t> args[],
   size_t signature_len = params.bytes;
   std::vector<uint8_t> signature(signature_len);
 
-  if (!context.empty()) {
-    if (!mldsa_funcs.sign(sk.data(), signature.data(), &signature_len,
-                        msg.data(), msg.size(), context.data(), context.size())) {
-      return false;
-    }
-  } else {
+  if (!extmu.empty()) {
+    // Only signatureInterface: internal contains the externalMu field.
     if (extmu.data()[0] == 0) {
       // generate the signatures raw sign mode
       if (!mldsa_funcs.sign_internal(sk.data(), signature.data(), &signature_len,
@@ -3434,6 +3428,20 @@ static bool ML_DSA_SIGGEN(const Span<const uint8_t> args[],
         return false;
       }
     }
+  } else {
+    // |context| is unique to signatureInterface: external.
+    //
+    // Prepare |pre| exactly how |ml_dsa_sign| is doing. The maximum |context| size
+    // for ML-DSA is 255 bytes. We append a 0 and the size as two additional bytes
+    // before |context| to become the prefix string.
+    uint8_t pre[257];
+    pre[0] = 0;
+    pre[1] = context.size();
+    OPENSSL_memcpy(pre + 2 , context.data(), context.size());
+    if (!mldsa_funcs.sign_internal(sk.data(), signature.data(), &signature_len,
+                        msg.data(), msg.size(), pre, 2 + context.size(), rnd.data())) {
+      return false;
+    }
   }
 
   return write_reply({Span<const uint8_t>(signature)});
@@ -3476,12 +3484,8 @@ static bool ML_DSA_SIGVER(const Span<const uint8_t> args[], ReplyCallback write_
   }
 
   uint8_t reply[1] = {0};
-  if (!context.empty()) {
-    if (mldsa_funcs.verify(pk.data(), sig.data(), sig.size(), msg.data(),
-                          msg.size(), context.data(), context.size())) {
-      reply[0] = 1;
-    }
-  } else {
+  if (!extmu.empty()) {
+    // Only signatureInterface: internal contains the externalMu field.
     if (extmu.data()[0] == 0) {
       // verify the signatures raw sign mode
       if (mldsa_funcs.verify_internal(pk.data(), sig.data(), sig.size(), msg.data(),
@@ -3495,6 +3499,12 @@ static bool ML_DSA_SIGVER(const Span<const uint8_t> args[], ReplyCallback write_
         reply[0] = 1;
       }
     }
+  } else {
+    // |context| is unique to signatureInterface: external.
+    if (mldsa_funcs.verify(pk.data(), sig.data(), sig.size(), msg.data(),
+                          msg.size(), context.data(), context.size())) {
+      reply[0] = 1;
+    }
   }
 
   return write_reply({Span<const uint8_t>(reply)});