From 3c1f50ad6f3d9dbbce095e83a59e6cd64cabe65e Mon Sep 17 00:00:00 2001
From: slontis <shane.lontis@oracle.com>
Date: Fri, 21 Mar 2025 15:46:52 +1100
Subject: [PATCH] ML_DSA - Fix bug in OSSL_PKEY_PARAM_SECURITY_BITS getter.

Reported by @romen

It was off by a factor of 8.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27110)
---
 providers/implementations/keymgmt/ml_dsa_kmgmt.c |  2 +-
 test/ml_dsa_test.c                               | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/providers/implementations/keymgmt/ml_dsa_kmgmt.c b/providers/implementations/keymgmt/ml_dsa_kmgmt.c
index ba39ae9479d..9105847e6dc 100644
--- a/providers/implementations/keymgmt/ml_dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/ml_dsa_kmgmt.c
@@ -316,7 +316,7 @@ static int ml_dsa_get_params(void *keydata, OSSL_PARAM params[])
             && !OSSL_PARAM_set_int(p, 8 * ossl_ml_dsa_key_get_pub_len(key)))
         return 0;
     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL
-            && !OSSL_PARAM_set_int(p, 8 * ossl_ml_dsa_key_get_collision_strength_bits(key)))
+            && !OSSL_PARAM_set_int(p, ossl_ml_dsa_key_get_collision_strength_bits(key)))
         return 0;
     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
             && !OSSL_PARAM_set_int(p, ossl_ml_dsa_key_get_sig_len(key)))
diff --git a/test/ml_dsa_test.c b/test/ml_dsa_test.c
index 9e23887d907..895bc7394a4 100644
--- a/test/ml_dsa_test.c
+++ b/test/ml_dsa_test.c
@@ -89,6 +89,7 @@ static int ml_dsa_keygen_test(int tst_id)
     EVP_PKEY *pkey = NULL;
     uint8_t priv[5 * 1024], pub[3 * 1024], seed[ML_DSA_SEED_BYTES];
     size_t priv_len, pub_len, seed_len;
+    int bits = 0, sec_bits = 0, sig_len = 0;
 
     if (!TEST_ptr(pkey = do_gen_key(tst->name, tst->seed, tst->seed_len))
             || !TEST_true(EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_ML_DSA_SEED,
@@ -99,7 +100,16 @@ static int ml_dsa_keygen_test(int tst_id)
                                                           pub, sizeof(pub), &pub_len))
             || !TEST_mem_eq(pub, pub_len, tst->pub, tst->pub_len)
             || !TEST_mem_eq(priv, priv_len, tst->priv, tst->priv_len)
-            || !TEST_mem_eq(seed, seed_len, tst->seed, tst->seed_len))
+            || !TEST_mem_eq(seed, seed_len, tst->seed, tst->seed_len)
+            /* The following checks assume that algorithm is ML-DSA-65 */
+            || !TEST_true(EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_BITS, &bits))
+            || !TEST_int_eq(bits, 1952 * 8)
+            || !TEST_true(EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_SECURITY_BITS,
+                                                 &sec_bits))
+            || !TEST_int_eq(sec_bits, 192)
+            || !TEST_true(EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_MAX_SIZE,
+                                                 &sig_len))
+            || !TEST_int_ge(sig_len, 3309))
         goto err;
     ret = 1;
 err:
-- 
2.47.2