Support non-empty context strings in ML-DSA EVP sign/verify#3135
Open
Codecov Report: Patch coverage is

Coverage diff, main vs #3135:

                 main     #3135     +/-
Coverage       77.95%    77.95%   -0.01%
Files             689       689
Lines          122506    122554     +48
Branches        17095     17092      -3
Hits            95505     95538     +33
Misses          26102     26120     +18
Partials          899       896      -3
Plumb FIPS 204 context strings through the EVP_DigestSign/EVP_DigestVerify code path for ML-DSA. The lower-level ml_dsa_*_sign/verify functions already accept ctx_string parameters but they were hardcoded to (NULL, 0) in the EVP layer.

Changes:
- Extend PQDSA_PKEY_CTX with a context[255] buffer and context_len
- Add pkey_pqdsa_ctrl handling EVP_PKEY_CTRL_SIGNING_CONTEXT and EVP_PKEY_CTRL_GET_SIGNING_CONTEXT (reusing the existing generic EVP_PKEY_CTX_set_signature_context API from Ed25519ph)
- Add pkey_pqdsa_copy to support EVP_PKEY_CTX_dup with context state
- Pass dctx->context/context_len to pqdsa_sign_message and pqdsa_verify_message instead of NULL, 0
- Update Wycheproof test helpers to use EVP_PKEY_CTX_set_signature_context via EVP_DigestSign/Verify instead of manually computing ExternalMu
- Add ContextString unit test covering: round-trip sign+verify with context, mismatched context failure, empty-context backward compatibility, >255 byte rejection, and max-length (255 byte) acceptance

All three ML-DSA variants (44, 65, 87) are covered. Default behavior (empty context string) is unchanged.
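To make concrete what the context string does inside an ML-DSA signature, and why the tests above check mismatched contexts and the 255-byte limit, here is an added C example written for this page (it is not AWS-LC code and uses none of its API). It builds the FIPS 204 pure ML-DSA message encoding M' = 0x00 || len(ctx) || ctx || M that both ML-DSA.Sign and ML-DSA.Verify compute before hashing, rejects contexts longer than 255 bytes (the length must fit one byte), and shows that two (ctx, msg) pairs only sign the same input when both parts agree. The function names and the sample inputs are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FIPS 204 encodes the context length in a single byte, so a context
 * string can be at most 255 bytes. */
#define MLDSA_MAX_CONTEXT_LEN 255

/* Builds M' = 0x00 || len(ctx) || ctx || M, the byte string that pure
 * ML-DSA actually signs (FIPS 204 Algorithm 2 / Algorithm 3). The leading
 * 0x00 is the pure-ML-DSA domain byte; HashML-DSA uses 0x01 followed by a
 * hash OID and is not covered here. Returns the length of M', or 0 when
 * the context is too long, a non-empty context is NULL, or the output
 * buffer cannot hold the result. */
size_t mldsa_format_message(const uint8_t *ctx, size_t ctx_len,
                            const uint8_t *msg, size_t msg_len,
                            uint8_t *out, size_t out_cap) {
  if (ctx_len > MLDSA_MAX_CONTEXT_LEN) return 0;
  if (ctx_len > 0 && ctx == NULL) return 0;
  size_t need = 2 + ctx_len + msg_len;
  if (out == NULL || out_cap < need) return 0;
  out[0] = 0x00;
  out[1] = (uint8_t)ctx_len;
  if (ctx_len) memcpy(out + 2, ctx, ctx_len);
  if (msg_len) memcpy(out + 2 + ctx_len, msg, msg_len);
  return need;
}

/* Returns 1 if a context of ctx_len bytes is accepted by the encoder,
 * 0 if it is rejected. Used to exercise the 255/256-byte boundary. */
int mldsa_context_accepted(size_t ctx_len) {
  uint8_t *ctx = malloc(ctx_len ? ctx_len : 1);
  uint8_t *out = malloc(2 + ctx_len + 1);
  int ok = 0;
  if (ctx && out) {
    memset(ctx, 'A', ctx_len);
    ok = mldsa_format_message(ctx, ctx_len, (const uint8_t *)"m", 1,
                              out, 2 + ctx_len + 1) != 0;
  }
  free(ctx);
  free(out);
  return ok;
}

/* Returns 1 when the two (ctx, msg) pairs encode to the same M', i.e. a
 * signature produced over one would verify under the other; 0 otherwise.
 * A verifier supplied with the wrong context rebuilds a different M', so
 * the signature check fails; that is what a mismatched-context test
 * observes at the EVP layer. */
int mldsa_same_signed_input(const uint8_t *ctx_a, size_t ctx_a_len,
                            const uint8_t *msg_a, size_t msg_a_len,
                            const uint8_t *ctx_b, size_t ctx_b_len,
                            const uint8_t *msg_b, size_t msg_b_len) {
  size_t cap_a = 2 + ctx_a_len + msg_a_len;
  size_t cap_b = 2 + ctx_b_len + msg_b_len;
  uint8_t *a = malloc(cap_a), *b = malloc(cap_b);
  int same = 0;
  if (a && b) {
    size_t na = mldsa_format_message(ctx_a, ctx_a_len, msg_a, msg_a_len, a, cap_a);
    size_t nb = mldsa_format_message(ctx_b, ctx_b_len, msg_b, msg_b_len, b, cap_b);
    same = na != 0 && na == nb && memcmp(a, b, na) == 0;
  }
  free(a);
  free(b);
  return same;
}

int main(void) {
  /* Constructed sample inputs. */
  const uint8_t *ctx = (const uint8_t *)"tls-handshake";
  const uint8_t *msg = (const uint8_t *)"hello";
  printf("same ctx/msg        -> %d\n",
         mldsa_same_signed_input(ctx, 13, msg, 5, ctx, 13, msg, 5));
  printf("empty vs set ctx    -> %d\n",
         mldsa_same_signed_input(NULL, 0, msg, 5, ctx, 13, msg, 5));
  /* The length byte stops a ctx/msg boundary shift from colliding. */
  printf("\"ab\"|\"c\" vs \"a\"|\"bc\" -> %d\n",
         mldsa_same_signed_input((const uint8_t *)"ab", 2, (const uint8_t *)"c", 1,
                                 (const uint8_t *)"a", 1, (const uint8_t *)"bc", 2));
  printf("255-byte ctx ok     -> %d\n", mldsa_context_accepted(255));
  printf("256-byte ctx ok     -> %d\n", mldsa_context_accepted(256));
  return 0;
}
```

The single length byte is why the limit is exactly 255 and why the PR can check the bound at the EVP layer before anything is hashed; the same encoding is what the Wycheproof helper previously had to reproduce by hand when it computed ExternalMu itself.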
de832df to 8676c3d
jakemas added a commit to jakemas/aws-lc-rs that referenced this pull request on Mar 31, 2026:
Add sign_with_context and verify_sig_with_context methods to PqdsaKeyPair and PqdsaVerificationAlgorithm respectively, allowing callers to specify FIPS 204 context strings (up to 255 bytes) for ML-DSA operations. These methods use the existing EVP_PKEY_CTX_set_signature_context FFI binding (already available in aws-lc-sys) via the EVP_PKEY_CTX_consumer closure pattern. Empty contexts are equivalent to the existing context-free sign/verify methods. Update the mldsa_sigver_test macro to exercise verify_sig_with_context with test vector context strings. Add dedicated test covering round-trip sign+verify with context, mismatched context failure, empty context backward compatibility, >255 byte rejection, and max-length (255 byte) acceptance. Depends on aws/aws-lc#3135.
| GUARD_PTR(dctx); | ||
| GUARD_PTR(sctx); | ||
| dctx->pqdsa = sctx->pqdsa; |
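Review bot: in the lines shown, pkey_pqdsa_copy only copies the pqdsa pointer; for EVP_PKEY_CTX_dup to carry the signing context across as the description promises, the copy also needs `memcpy(dctx->context, sctx->context, sctx->context_len);` and `dctx->context_len = sctx->context_len;` after the GUARD_PTR checks, otherwise a duplicated ctx silently signs or verifies with the empty context. If the rest of the function already does this, a short comment on the pointer assignment noting that the pointee is static storage from PQDSA_find_dsa_by_nid() (so a shallow copy is deliberate) would keep the next reader from deep-copying it.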
Contributor
This does a shallow copy. It works in this case because the object has static-storage (returned by PQDSA_find_dsa_by_nid()). But in general this pattern doesn't work.
Can leave as-is, but it's worth making a code comment about it - which would also help guide agents and silence bad tooling.
Issues:

Addresses:

Description of changes:

Plumb FIPS 204 context strings through the EVP_DigestSign/EVP_DigestVerify code path for ML-DSA. The lower-level ml_dsa_*_sign/verify functions already accept ctx_string parameters but they were hardcoded to (NULL, 0) in the EVP layer.

Call-outs:
- Extend PQDSA_PKEY_CTX with a context[255] buffer and context_len
- Add pkey_pqdsa_ctrl handling EVP_PKEY_CTRL_SIGNING_CONTEXT and EVP_PKEY_CTRL_GET_SIGNING_CONTEXT (reusing the existing generic EVP_PKEY_CTX_set_signature_context API from Ed25519ph)
- Add pkey_pqdsa_copy to support EVP_PKEY_CTX_dup with context state
- Pass dctx->context/context_len to pqdsa_sign_message and pqdsa_verify_message instead of NULL, 0
- Update Wycheproof test helpers to use EVP_PKEY_CTX_set_signature_context via EVP_DigestSign/Verify instead of manually computing ExternalMu
- Add ContextString unit test covering: round-trip sign+verify with context, mismatched context failure, empty-context backward compatibility, >255 byte rejection, and max-length (255 byte) acceptance

All three ML-DSA variants (44, 65, 87) are covered. Default behavior (empty context string) is unchanged.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.