Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Deconstruct the functions into 2 parts:
- mu computation (if needed)
- actual signing/verification
Adds helper to compute mu that is split in 3 parts
(init/update/finalize) where the update part can be used to feed the message
to be signed or verified in chunks of any size.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27175)
- Check seed/key consistency when generating from a seed and the private
key is also given.
- Improve error reporting when the private key does not match an
explicit public key.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26865)
decoded value of t0 matches the calculated value of t0.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26681)
Added to 'bulk' group and CI
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26654)
The μ value replaces the message and avoids some of the preliminary
processes. This is part of FIPS 204.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26637)
- Same UX as ML-KEM. The main ASN.1 private key syntax is the one from
Russ Housley's post on the LAMPS list, subsequently amended to tag the
seed instead of the key (each of the three parameter sets will have a
fixed size for the `expandedKey`):
ML-DSA-PrivateKey ::= CHOICE {
seed [0] IMPLICIT OCTET STRING SIZE (32),
expandedKey OCTET STRING SIZE (2560 | 4032 | 4896)
both SEQUENCE {
seed OCTET STRING SIZE (32),
expandedKey OCTET STRING SIZE (2560 | 4032 | 4896) } }
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26638)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)
The ossl_ml_dsa_key_get0_libctx() and the various size macros are better in the intneral header
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)
branch.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26575)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26575)
The encoded hint data consists of omega + k bytes.
The bytes at the end of omega section of the buffer may be 0,
so the buffer must be cleared initially.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26451)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)
- Make data encoding work on big-endian systems.
- Fix some ML-DSA-44 specific bugs related to w1-vector bits
per-coefficient, overall size and high-bits rounding.
- Use "do { ... } while (pointer < end)" style consistently.
- Drop redundant reference counting of provided keys.
- Add parameter blocks for ML-DSA-44 and ML-DSA-87 and turn on
associated provider glue. These now pass both keygen and
siggen tests (to be added separately).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)
A DSA_KEY when created will alloc enough space to hold its k & l
vectors and then just set the vectors to point to the allocated blob.
Local Vectors and Matricies can then be initialised in a similar way by
passing them an array of Polnomials that are on the local stack.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)
The key generation algorithm requires a significant portion of the many
algorithms present in FIPS 204.
This work is derived from the BoringSSL code located at
https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/mldsa/mldsa.cc
Instead of c++ templates it uses an ML_DSA_PARAMS object to store constants such as k & l.
To perform hash operations a temporary EVP_MD_CTX object is used, which is supplied with a
prefetched EVP_MD shake128 or shake256 object that reside in the ML_DSA_KEY object.
The ML_DSA_KEY object stores the encoded public and/or private key
whenever a key is loaded or generated. A public key is always present
if the private key component exists.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)
Pauli
Simo Sorce
Viktor Dukhovni
openssl-machine
slontis