LCOV - code coverage report
Current view: top level - crypto - s2n_mldsa.c (source / functions) Hit Total Coverage
Test: unit_test_coverage.info Lines: 4 23 17.4 %
Date: 2025-08-15 07:28:39 Functions: 1 2 50.0 %
Branches: 0 30 0.0 %

           Branch data     Line data    Source code
       1                 :            : /*
       2                 :            :  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
       3                 :            :  *
       4                 :            :  * Licensed under the Apache License, Version 2.0 (the "License").
       5                 :            :  * You may not use this file except in compliance with the License.
       6                 :            :  * A copy of the License is located at
       7                 :            :  *
       8                 :            :  *  http://aws.amazon.com/apache2.0
       9                 :            :  *
      10                 :            :  * or in the "license" file accompanying this file. This file is distributed
      11                 :            :  * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
      12                 :            :  * express or implied. See the License for the specific language governing
      13                 :            :  * permissions and limitations under the License.
      14                 :            :  */
      15                 :            : 
      16                 :            : #include "crypto/s2n_mldsa.h"
      17                 :            : 
      18                 :            : #include "crypto/s2n_hash.h"
      19                 :            : #include "utils/s2n_safety.h"
      20                 :            : 
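      /*
       * Report whether ML-DSA can be used in this build.
       *
       * Returns the result of s2n_hash_supports_shake() when the libcrypto was
       * detected as supporting ML-DSA (S2N_LIBCRYPTO_SUPPORTS_MLDSA is non-zero),
       * and false otherwise.
       *
       * The parameter list is spelled (void): an empty () in C leaves the
       * parameters unspecified, so a call with stray arguments would not be
       * diagnosed.
       *
       * NOTE(review): in the LCOV run this listing came from, only the
       * `return false` path was hit (20 times), so the SHAKE check was never
       * exercised in that build.
       */
      bool s2n_mldsa_is_supported(void)
      {
      #if S2N_LIBCRYPTO_SUPPORTS_MLDSA
          /* The mu computation used for ML-DSA is built on SHAKE256, so libcrypto
           * support alone is not sufficient. */
          return s2n_hash_supports_shake();
      #else
          return false;
      #endif
      }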
      29                 :            : 
      30                 :            : /*
      31                 :            :  * TLS uses pure ML-DSA, as opposed to pre-hash ML-DSA. However, pure ML-DSA
      32                 :            :  * still supports a form of pre-hashing referred to as "external mu".
      33                 :            :  *
      34                 :            :  * "ExternalMu-ML-DSA" is defined in Appendix D of the ML-DSA PKI RFC:
      35                 :            :  * https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-07.html#appendix-D
      36                 :            :  *
      37                 :            :  * However, the AWS-LC codebase includes a much clearer description:
      38                 :            :  * https://github.com/aws/aws-lc/blob/07e2e1e9ccce0a1101f14e453dbdb1304c2f3472/crypto/fipsmodule/evp/p_pqdsa.c#L172-L177
      39                 :            :  *
      40                 :            :  * So in summary:
      41                 :            :  * mu = SHAKE256(SHAKE256(pk, 64) || 0 || ctx_len || ctx || M, 64)
      42                 :            :  * where:
      43                 :            :  *  pk is the raw bytes of the public key.
      44                 :            :  *  0 represents the "mode" of pure ML-DSA, as opposed to pre-hash ML-DSA.
      45                 :            :  *  ctx_len is the length of the context, which is zero for TLS.
      46                 :            :  *  ctx is the context, which is zero-length for TLS.
      47                 :            :  *  M is the data to be hashed.
      48                 :            :  *  64 is the length of the SHAKE256 digest.
      49                 :            :  */
      /* Number of bytes requested from SHAKE256, both for the digest of the
       * public key and for mu itself. */
      #define S2N_MLDSA_DIGEST_LENGTH 64
      /* The two bytes hashed immediately after the public key digest: the mode
       * byte (0 selects pure ML-DSA) followed by the context length (0, because
       * TLS uses an empty context, so no context bytes follow).
       * NOTE(review): as written this object has external linkage; confirm that
       * no other translation unit refers to it before narrowing it to static. */
      const uint8_t mode_and_ctx[] = { 0x00, 0x00 };
      /*
       * Prime a hash state with the ExternalMu-ML-DSA prefix for pub_key:
       *   SHAKE256(pk, 64) || mode (0) || ctx_len (0)
       * so that the message M can be added afterwards to produce mu.
       *
       * state:   hash state to prime. It must not have received any data yet.
       *          NOTE(review): nothing here checks that the state was initialised
       *          for SHAKE256; presumably the caller guarantees that. Confirm.
       * pub_key: key whose raw public key bytes are bound into the prefix.
       *
       * Fails if any pointer is NULL, with S2N_ERR_HASH_NOT_READY if the state
       * already contains data, with S2N_ERR_HASH_INIT_FAILED if the raw public
       * key cannot be exported, and with S2N_ERR_INVALID_SIGNATURE_ALGORITHM when
       * built against a libcrypto without ML-DSA support.
       *
       * NOTE(review): in the LCOV run this listing came from, this function has
       * 0 line hits and 0 of its branches taken, so none of the checks below
       * were exercised by that test run.
       */
      S2N_RESULT s2n_mldsa_init_mu_hash(struct s2n_hash_state *state, const struct s2n_pkey *pub_key)
      {
          RESULT_ENSURE_REF(state);
          RESULT_ENSURE_REF(pub_key);
          RESULT_ENSURE_REF(pub_key->pkey);

          /* The prefix only yields a valid mu if it is the very first input, so
           * refuse a state that has already absorbed data rather than silently
           * hashing the prefix into the middle of a message. */
          uint64_t bytes_already_hashed = 0;
          RESULT_GUARD_POSIX(s2n_hash_get_currently_in_hash_total(state, &bytes_already_hashed));
          RESULT_ENSURE(bytes_already_hashed == 0, S2N_ERR_HASH_NOT_READY);

          /* Export the raw public key. raw_pub_key_len carries the buffer capacity
           * in and the number of bytes actually written out. */
          uint8_t raw_pub_key[S2N_MLDSA_MAX_PUB_KEY_SIZE] = { 0 };
          size_t raw_pub_key_len = sizeof(raw_pub_key);
      #if S2N_LIBCRYPTO_SUPPORTS_MLDSA
          RESULT_GUARD_OSSL(EVP_PKEY_get_raw_public_key(pub_key->pkey, raw_pub_key, &raw_pub_key_len),
                  S2N_ERR_HASH_INIT_FAILED);
      #else
          /* Without libcrypto support there is no key to export; everything
           * after this point is unreachable in such a build. */
          RESULT_BAIL(S2N_ERR_INVALID_SIGNATURE_ALGORITHM);
      #endif

          /* Borrow the caller's (still empty) state to digest the public key,
           * then reset it so the real prefix starts from a clean state. */
          uint8_t pub_key_digest[S2N_MLDSA_DIGEST_LENGTH] = { 0 };
          RESULT_GUARD_POSIX(s2n_hash_update(state, raw_pub_key, raw_pub_key_len));
          RESULT_GUARD_POSIX(s2n_hash_digest(state, pub_key_digest, sizeof(pub_key_digest)));
          RESULT_GUARD_POSIX(s2n_hash_reset(state));

          /* Feed the prefix: the public key digest, then the mode and context
           * length bytes. */
          RESULT_GUARD_POSIX(s2n_hash_update(state, pub_key_digest, sizeof(pub_key_digest)));
          RESULT_GUARD_POSIX(s2n_hash_update(state, mode_and_ctx, sizeof(mode_and_ctx)));

          return S2N_RESULT_OK;
      }
