From: slontis Date: Wed, 29 Jan 2025 00:58:00 +0000 (+1100) Subject: ML-DSA Add digestsign tests - The digest must be NULL X-Git-Tag: openssl-3.5.0-alpha1~588 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1cacc56137e7c5be05b95d43126b88f1a6c31fe7;p=thirdparty%2Fopenssl.git ML-DSA Add digestsign tests - The digest must be NULL Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/26575)
---
diff --git a/doc/designs/ml-dsa.md b/doc/designs/ml-dsa.md
index 4fd13fedcbd..3e321c953d2 100644
--- a/doc/designs/ml-dsa.md
+++ b/doc/designs/ml-dsa.md
@@ -99,7 +99,7 @@ OpenSSL command line support For backwards compatability reasons EVP_DigestSignInit_ex(), EVP_DigestSign(), EVP_DigestVerifyInit_ex() and EVP_DigestVerify() may also be used, but the digest
-passed in `mdname` must be NULL (i.e. It effectively behaves the same as above).
+passed in `mdname` must be NULL (i.e. it effectively behaves the same as above).
 Passing a non NULL digest results in an error. OSSL_PKEY_PARAM_MANDATORY_DIGEST must return "" in the key manager getter and
diff --git a/doc/man7/EVP_SIGNATURE-ML-DSA.pod b/doc/man7/EVP_SIGNATURE-ML-DSA.pod
index e94cbf8ca40..1c7895da827 100644
--- a/doc/man7/EVP_SIGNATURE-ML-DSA.pod
+++ b/doc/man7/EVP_SIGNATURE-ML-DSA.pod
@@ -74,7 +74,7 @@ See L for information related to B keys. For backwards compatability reasons EVP_DigestSignInit_ex(), EVP_DigestSign(), EVP_DigestVerifyInit_ex() and EVP_DigestVerify() may also be used, but the digest
-passed in |mdname| must be NULL.
+passed in I must be NULL.
 =head1 EXAMPLES
diff --git a/providers/implementations/signature/ml_dsa_sig.c b/providers/implementations/signature/ml_dsa_sig.c
index d2c23abe3d7..abbdd984681 100644
--- a/providers/implementations/signature/ml_dsa_sig.c
+++ b/providers/implementations/signature/ml_dsa_sig.c
@@ -35,7 +35,6 @@ static OSSL_FUNC_signature_verify_fn ml_dsa_verify;
 static OSSL_FUNC_signature_digest_sign_init_fn ml_dsa_digest_signverify_init;
 static OSSL_FUNC_signature_digest_sign_fn ml_dsa_digest_sign;
 static OSSL_FUNC_signature_digest_verify_fn ml_dsa_digest_verify;
-
 static OSSL_FUNC_signature_freectx_fn ml_dsa_freectx;
 static OSSL_FUNC_signature_set_ctx_params_fn ml_dsa_set_ctx_params;
 static OSSL_FUNC_signature_settable_ctx_params_fn ml_dsa_settable_ctx_params;
diff --git a/test/ml_dsa_test.c b/test/ml_dsa_test.c
index 4c67a5010ae..6205c34ef37 100644
--- a/test/ml_dsa_test.c
+++ b/test/ml_dsa_test.c
@@ -419,7 +419,6 @@ err:
 EVP_PKEY_CTX_free(vctx);
 return ret;
 }
-
 static int ml_dsa_44_sign_verify_test(int tstid)
 {
 return do_ml_dsa_sign_verify("ML-DSA-44", tstid);
@@ -433,6 +432,66 @@ static int ml_dsa_87_sign_verify_test(int tstid)
 return do_ml_dsa_sign_verify("ML-DSA-87", tstid);
 }
+static int ml_dsa_digest_sign_verify_test(void)
+{
+ int ret = 0;
+ const struct sig_params_st *sp = &sig_params[0];
+ EVP_PKEY *key = NULL;
+ uint8_t *sig = NULL;
+ size_t sig_len = 0;
+ OSSL_PARAM params[3], *p = params;
+ const char *alg = "ML-DSA-44";
+ EVP_MD_CTX *mctx = NULL;
+
+ if (!TEST_ptr(key = do_gen_key(alg, NULL, 0)))
+ goto err;
+
+ *p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING,
+ (int *)&sp->encoded);
+ if (sp->ctx != NULL)
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING,
+ sp->ctx, sp->ctx_len);
+ *p++ = OSSL_PARAM_construct_end();
+
+ if (!TEST_ptr(mctx = EVP_MD_CTX_new())
+ || !TEST_int_eq(EVP_DigestSignInit_ex(mctx, NULL, "SHA256",
+ lib_ctx, "?fips=true",
+ key, params), 0)
+ || !TEST_int_eq(EVP_DigestSignInit_ex(mctx, NULL, NULL, lib_ctx,
+ "?fips=true", key, params), 1))
+ goto err;
+ if (sp->expected == 0) {
+ ret = 1; /* return true as we expected to fail */
+ goto err;
+ }
+ if (!TEST_int_eq(EVP_DigestSign(mctx, NULL, &sig_len, sp->msg, sp->msg_len), 1)
+ || !TEST_ptr(sig = OPENSSL_zalloc(sig_len)))
+ goto err;
+ sig_len--;
+ if (!TEST_int_eq(EVP_DigestSign(mctx, sig, &sig_len, sp->msg, sp->msg_len), 0))
+ goto err;
+ sig_len++;
+ if (!TEST_int_eq(EVP_DigestSignInit_ex(mctx, NULL, NULL, lib_ctx, "?fips=true",
+ key, params), 1)
+ || !TEST_int_eq(EVP_DigestSign(mctx, sig, &sig_len,
+ sp->msg, sp->msg_len), 1)
+ || !TEST_int_eq(EVP_DigestVerifyInit_ex(mctx, NULL, "SHA256",
+ lib_ctx, "?fips=true",
+ key, params), 0)
+ || !TEST_int_eq(EVP_DigestVerifyInit_ex(mctx, NULL, NULL,
+ lib_ctx, "?fips=true",
+ key, params), 1)
+ || !TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len,
+ sp->msg, sp->msg_len), 1))
+ goto err;
+ ret = 1;
+err:
+ EVP_PKEY_free(key);
+ EVP_MD_CTX_free(mctx);
+ OPENSSL_free(sig);
+ return ret;
+}
+
 const OPTIONS *test_get_options(void)
 {
 static const OPTIONS options[] = {
@@ -475,6 +534,7 @@ int setup_tests(void)
 ADD_ALL_TESTS(ml_dsa_87_sign_verify_test, OSSL_NELEM(sig_params));
 ADD_TEST(from_data_invalid_public_test);
 ADD_TEST(from_data_bad_input_test);
+ ADD_TEST(ml_dsa_digest_sign_verify_test);
 return 1;
 }
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 72234feb2c2..ce85f996495 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 setup("test_req");
-plan tests => 111;
+plan tests => 112;
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
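Review bot: ml_dsa_digest_sign_verify_test only covers the accepting side of EVP_DigestVerify(): the last condition chain checks that a freshly produced signature verifies, but nothing asserts that the digest-verify entry point rejects a modified signature or message. After the successful verify, consider adding `sig[0] ^= 0x01;`, re-running `EVP_DigestVerifyInit_ex(mctx, NULL, NULL, lib_ctx, "?fips=true", key, params)` as the test already does between one-shot calls, and asserting `TEST_int_ne(EVP_DigestVerify(mctx, sig, sig_len, sp->msg, sp->msg_len), 1)`. Separately, the `sp->expected == 0` branch sets `ret = 1` before any signing happens, so if `sig_params[0]` (defined outside this hunk) were ever an expected-failure vector the test would pass without exercising sign or verify. A short comment stating that entry 0 is assumed to be a passing vector would make that dependency explicit.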
@@ -355,6 +355,43 @@ subtest "generating SM2 certificate requests" => sub {
 }
 };
+subtest "generating certificate requests with ML-DSA" => sub {
+ plan tests => 3;
+
+ SKIP: {
+ skip "ML-DSA is not supported by this OpenSSL build", 3
+ if disabled("ml-dsa");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-x509", "-sha256", "-nodes", "-days", "365",
+ "-newkey", "ML-DSA-44",
+ "-keyout", "privatekey_ml_dsa_44.pem",
+ "-out", "cert_ml_dsa_44.pem",
+ "-subj", "/CN=test-self-signed",
+ "-addext","keyUsage=digitalSignature"])),
+ "Generating self signed ML-DSA-44 cert and private key");
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-x509", "-sha256", "-nodes", "-days", "365",
+ "-newkey", "ML-DSA-65",
+ "-keyout", "privatekey_ml_dsa_65.pem",
+ "-out", "cert_ml_dsa_65.pem",
+ "-subj", "/CN=test-self-signed",
+ "-addext","keyUsage=digitalSignature"])),
+ "Generating self signed ML-DSA-65 cert and private key");
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-x509", "-sha256", "-nodes", "-days", "365",
+ "-newkey", "ML-DSA-44",
+ "-keyout", "privatekey_ml_dsa_87.pem",
+ "-out", "cert_ml_dsa_87.pem",
+ "-subj", "/CN=test-self-signed",
+ "-addext","keyUsage=digitalSignature"])),
+ "Generating self signed ML-DSA-87 cert and private key");
+ }
+};
+
 subtest "generating certificate requests with -cipher flag" => sub {
 plan tests => 6;
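Review bot: The third `ok(run(app([...])))` block is labelled "Generating self signed ML-DSA-87 cert and private key" and writes `privatekey_ml_dsa_87.pem` and `cert_ml_dsa_87.pem`, but it passes `"-newkey", "ML-DSA-44"`, so the ML-DSA-87 parameter set is never exercised and ML-DSA-44 is generated twice. The line should read `"-newkey", "ML-DSA-87",`. All three invocations also pass `-sha256`, while this commit documents that the digest for ML-DSA must be NULL. A comment explaining why `req` is expected to succeed with an explicit digest would help the next reader; presumably the app drops the digest for this key type, which is worth confirming.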