diff --git a/mldsa/mldsa_native.h b/mldsa/mldsa_native.h
index 4310f2aae..7d4dc9c9f 100644
--- a/mldsa/mldsa_native.h
+++ b/mldsa/mldsa_native.h
@@ -637,6 +637,7 @@ int MLD_API_NAMESPACE(open)(
  * MLD_PREHASH_SHA2_512, MLD_PREHASH_SHA2_512_224, MLD_PREHASH_SHA2_512_256,
  * MLD_PREHASH_SHA3_224, MLD_PREHASH_SHA3_256, MLD_PREHASH_SHA3_384,
  * MLD_PREHASH_SHA3_512, MLD_PREHASH_SHAKE_128, MLD_PREHASH_SHAKE_256.
+ * MLD_PREHASH_NONE is rejected by this HashML-DSA API.
  *
  * @warning This is an unstable API that may change in the future. If you need
  * a stable API use crypto_sign_signature_pre_hash_shake256.
@@ -689,6 +690,7 @@ int MLD_API_NAMESPACE(signature_pre_hash_internal)(
  * MLD_PREHASH_SHA2_512, MLD_PREHASH_SHA2_512_224, MLD_PREHASH_SHA2_512_256,
  * MLD_PREHASH_SHA3_224, MLD_PREHASH_SHA3_256, MLD_PREHASH_SHA3_384,
  * MLD_PREHASH_SHA3_512, MLD_PREHASH_SHAKE_128, MLD_PREHASH_SHAKE_256.
+ * MLD_PREHASH_NONE is rejected by this HashML-DSA API.
  *
  * @warning This is an unstable API that may change in the future. If you need
  * a stable API use crypto_sign_verify_pre_hash_shake256.
diff --git a/mldsa/src/sign.c b/mldsa/src/sign.c
index 276c5a5f5..bd9f4edb4 100644
--- a/mldsa/src/sign.c
+++ b/mldsa/src/sign.c
@@ -1411,6 +1411,12 @@ int mld_sign_signature_pre_hash_internal(
   size_t pre_len;
   int ret;
 
+  if (hashalg == MLD_PREHASH_NONE)
+  {
+    ret = MLD_ERR_FAIL;
+    goto cleanup;
+  }
+
   pre_len = mld_prepare_domain_separation_prefix(pre, ph, phlen, ctx, ctxlen,
                                                  hashalg);
   if (pre_len == 0)
@@ -1453,6 +1459,12 @@ int mld_sign_verify_pre_hash_internal(
   size_t pre_len;
   int ret;
 
+  if (hashalg == MLD_PREHASH_NONE)
+  {
+    ret = MLD_ERR_FAIL;
+    goto cleanup;
+  }
+
   pre_len = mld_prepare_domain_separation_prefix(pre, ph, phlen, ctx, ctxlen,
                                                  hashalg);
   if (pre_len == 0)
diff --git a/mldsa/src/sign.h b/mldsa/src/sign.h
index cc2ddc6dc..9de7c4771 100644
--- a/mldsa/src/sign.h
+++ b/mldsa/src/sign.h
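Review bot: The added line states that MLD_PREHASH_NONE is rejected but not what the caller observes, while the new test in test/src/test_mldsa.c pins the outcome to MLD_ERR_FAIL and a zeroed siglen; the public header is where that contract should be stated so callers do not have to read the test to learn it. Suggest `* MLD_PREHASH_NONE is rejected by this HashML-DSA API; the call fails with MLD_ERR_FAIL.` for both hunks in this file, with the same wording in the two mldsa/src/sign.h hunks that add the identical sentence. If the intent is that callers wanting no pre-hash use a different entry point, one clause naming that alternative would be worth adding as well, though I cannot confirm from this diff which function that is.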
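Review bot: The new early exit jumps to cleanup with pre_len still indeterminate, because the goto sits before the assignment from mld_prepare_domain_separation_prefix, whereas the existing pre_len == 0 failure path reaches cleanup with a defined value; anything after the label that reads pre_len (for example a zeroisation of pre bounded by it) would now read an uninitialised local. The cleanup label and the rest of mld_sign_signature_pre_hash_internal are outside the hunk so I cannot confirm whether that happens, but initialising the declaration, `size_t pre_len = 0;`, removes the question at no cost; the same applies to the mld_sign_verify_pre_hash_internal hunk below. The rejection also reports the same MLD_ERR_FAIL as a genuine signing or verification failure, so a caller cannot distinguish an invalid argument from a cryptographic failure; if the error namespace has a distinct code for bad parameters it would fit better, and in any case a one-line comment above the check, `/* HashML-DSA: a pre-hash algorithm is mandatory */`, records why this value is refused here.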
@@ -558,6 +558,7 @@ __contract__(
  * MLD_PREHASH_SHA2_512, MLD_PREHASH_SHA2_512_224, MLD_PREHASH_SHA2_512_256,
  * MLD_PREHASH_SHA3_224, MLD_PREHASH_SHA3_256, MLD_PREHASH_SHA3_384,
  * MLD_PREHASH_SHA3_512, MLD_PREHASH_SHAKE_128, MLD_PREHASH_SHAKE_256.
+ * MLD_PREHASH_NONE is rejected by this HashML-DSA API.
  *
  * @warning This is an unstable API that may change in the future. If you need
  * a stable API use mld_sign_signature_pre_hash_shake256.
@@ -619,6 +620,7 @@ __contract__(
  * MLD_PREHASH_SHA2_512, MLD_PREHASH_SHA2_512_224, MLD_PREHASH_SHA2_512_256,
  * MLD_PREHASH_SHA3_224, MLD_PREHASH_SHA3_256, MLD_PREHASH_SHA3_384,
  * MLD_PREHASH_SHA3_512, MLD_PREHASH_SHAKE_128, MLD_PREHASH_SHAKE_256.
+ * MLD_PREHASH_NONE is rejected by this HashML-DSA API.
  *
  * @warning This is an unstable API that may change in the future. If you need
  * a stable API use mld_sign_verify_pre_hash_shake256.
diff --git a/test/src/test_mldsa.c b/test/src/test_mldsa.c
index 63a18d62a..2bb9aa978 100644
--- a/test/src/test_mldsa.c
+++ b/test/src/test_mldsa.c
@@ -19,6 +19,10 @@
   MLD_API_NAMESPACE(signature_pre_hash_shake256)
 #define crypto_sign_verify_pre_hash_shake256 \
   MLD_API_NAMESPACE(verify_pre_hash_shake256)
+#define crypto_sign_signature_pre_hash_internal \
+  MLD_API_NAMESPACE(signature_pre_hash_internal)
+#define crypto_sign_verify_pre_hash_internal \
+  MLD_API_NAMESPACE(verify_pre_hash_internal)
 #define crypto_sign_pk_from_sk MLD_API_NAMESPACE(pk_from_sk)
 
 #ifndef NTESTS
@@ -179,6 +183,62 @@ static int test_sign_pre_hash(void)
 
   return 0;
 }
+
+static int test_sign_prehash_none_rejected(void)
+{
+  uint8_t pk[CRYPTO_PUBLICKEYBYTES];
+  uint8_t sk[CRYPTO_SECRETKEYBYTES];
+  uint8_t sig[CRYPTO_BYTES];
+  uint8_t ph1[MLDSA_CRHBYTES];
+  uint8_t ph2[MLDSA_CRHBYTES];
+  uint8_t ctx[CTXLEN];
+  uint8_t rnd[MLDSA_RNDBYTES];
+  size_t siglen = CRYPTO_BYTES;
+  int rc;
+
+  CHECK(crypto_sign_keypair(pk, sk) == 0);
+  CHECK(randombytes(ctx, sizeof(ctx)) == 0);
+  MLD_CT_TESTING_SECRET(ctx, sizeof(ctx));
+  CHECK(randombytes(ph1, sizeof(ph1)) == 0);
+  MLD_CT_TESTING_SECRET(ph1, sizeof(ph1));
+  CHECK(randombytes(ph2, sizeof(ph2)) == 0);
+  MLD_CT_TESTING_SECRET(ph2, sizeof(ph2));
+  CHECK(randombytes(rnd, sizeof(rnd)) == 0);
+  MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
+  CHECK(randombytes(sig, sizeof(sig)) == 0);
+  MLD_CT_TESTING_SECRET(sig, sizeof(sig));
+
+  rc = crypto_sign_signature_pre_hash_internal(sig, &siglen, ph1, sizeof(ph1),
+                                               ctx, sizeof(ctx), rnd, sk,
+                                               MLD_PREHASH_NONE);
+  MLD_CT_TESTING_DECLASSIFY(&rc, sizeof(rc));
+  MLD_CT_TESTING_DECLASSIFY(&siglen, sizeof(siglen));
+  CHECK(rc == MLD_ERR_FAIL);
+  CHECK(siglen == 0);
+
+  siglen = CRYPTO_BYTES;
+  rc = crypto_sign_signature_pre_hash_internal(sig, &siglen, ph2, sizeof(ph2),
+                                               ctx, sizeof(ctx), rnd, sk,
+                                               MLD_PREHASH_NONE);
+  MLD_CT_TESTING_DECLASSIFY(&rc, sizeof(rc));
+  MLD_CT_TESTING_DECLASSIFY(&siglen, sizeof(siglen));
+  CHECK(rc == MLD_ERR_FAIL);
+  CHECK(siglen == 0);
+
+  rc = crypto_sign_verify_pre_hash_internal(sig, CRYPTO_BYTES, ph1, sizeof(ph1),
+                                            ctx, sizeof(ctx), pk,
+                                            MLD_PREHASH_NONE);
+  MLD_CT_TESTING_DECLASSIFY(&rc, sizeof(rc));
+  CHECK(rc == MLD_ERR_FAIL);
+
+  rc = crypto_sign_verify_pre_hash_internal(sig, CRYPTO_BYTES, ph2, sizeof(ph2),
+                                            ctx, sizeof(ctx), pk,
+                                            MLD_PREHASH_NONE);
+  MLD_CT_TESTING_DECLASSIFY(&rc, sizeof(rc));
+  CHECK(rc == MLD_ERR_FAIL);
+
+  return 0;
+}
 
 #endif /* !MLD_CONFIG_NO_KEYPAIR_API && !MLD_CONFIG_NO_SIGN_API && \
           !MLD_CONFIG_NO_VERIFY_API */
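Review bot: The second signing call and the second verify call repeat the first with only the pre-hashed message swapped (ph2 for ph1), and since the rejection in sign.c is keyed on hashalg alone they walk the same path twice; one call of each covers the behaviour, or, if two inputs are wanted, a small loop over the two buffers avoids copying the DECLASSIFY/CHECK sequence four times. The `CHECK(siglen == 0)` assertions depend on the sign.c cleanup path resetting *siglen on the early exit, which the sign.c hunk does not show, so a short comment such as `/* failure contract: *siglen is reset to 0 */` above the first CHECK would make clear the expectation is deliberate rather than incidental. Feeding a random sig buffer to verify is a good choice here, as it demonstrates that the hashalg check runs before any signature decoding.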
@@ -514,6 +574,7 @@ int main(void)
   r |= test_wrong_ctx();
   r |= test_sign_extmu();
   r |= test_sign_pre_hash();
+  r |= test_sign_prehash_none_rejected();
 #endif /* !MLD_CONFIG_NO_KEYPAIR_API && !MLD_CONFIG_NO_SIGN_API && \
           !MLD_CONFIG_NO_VERIFY_API */
 #if !defined(MLD_CONFIG_NO_KEYPAIR_API)