
Commit bc4af2c

committed
API: add failure mode support for randombytes()
1 parent 9bad988 commit bc4af2c


7 files changed

+72
-48
lines changed


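--- a/mldsa/src/randombytes.h
+++ b/mldsa/src/randombytes.h
@@ -13,12 +13,12 @@
 
 #if !defined(MLD_CONFIG_NO_RANDOMIZED_API)
 #if !defined(MLD_CONFIG_CUSTOM_RANDOMBYTES)
-void randombytes(uint8_t *out, size_t outlen);
-static MLD_INLINE void mld_randombytes(uint8_t *out, size_t outlen)
+int randombytes(uint8_t *out, size_t outlen);
+static MLD_INLINE int mld_randombytes(uint8_t *out, size_t outlen)
 __contract__(
 requires(memory_no_alias(out, outlen))
 assigns(memory_slice(out, outlen))
-) { randombytes(out, outlen); }
+) { return randombytes(out, outlen); }
 #endif /* !MLD_CONFIG_CUSTOM_RANDOMBYTES */
 #endif /* !MLD_CONFIG_NO_RANDOMIZED_API */
 #endif /* !MLD_RANDOMBYTES_H */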
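Review bot: The new `int` return of randombytes() and mld_randombytes() is undocumented at the declaration, so a user supplying a custom generator has nothing stating which value means success and what the caller may assume about `out` afterwards; the callers added in sign.c only compare against 0. A comment above the prototype should fix the contract, e.g. `/* Returns 0 on success, nonzero on failure; on failure the contents of out are unspecified and must not be used. */`. The `__contract__` block on mld_randombytes still only states `requires`/`assigns` and says nothing about the return value, so the verification contract would also benefit from an explicit postcondition once the project's contract DSL expresses return values.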

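--- a/mldsa/src/sign.c
+++ b/mldsa/src/sign.c
@@ -265,7 +265,10 @@ int crypto_sign_keypair(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
 {
 MLD_ALIGN uint8_t seed[MLDSA_SEEDBYTES];
 int result;
-mld_randombytes(seed, MLDSA_SEEDBYTES);
+if (mld_randombytes(seed, MLDSA_SEEDBYTES) != 0)
+{
+return -1;
+}
 MLD_CT_TESTING_SECRET(seed, sizeof(seed));
 result = crypto_sign_keypair_internal(pk, sk, seed);
 
@@ -657,7 +660,11 @@ int crypto_sign_signature(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
 
 /* Randomized variant of ML-DSA. If you need the deterministic variant,
 * call crypto_sign_signature_internal directly with all-zero rnd. */
-mld_randombytes(rnd, MLDSA_RNDBYTES);
+if (mld_randombytes(rnd, MLDSA_RNDBYTES) != 0)
+{
+*siglen = 0;
+return -1;
+}
 MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
 
 result = crypto_sign_signature_internal(sig, siglen, m, mlen, pre, 2 + ctxlen,
@@ -684,7 +691,11 @@ int crypto_sign_signature_extmu(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
 
 /* Randomized variant of ML-DSA. If you need the deterministic variant,
 * call crypto_sign_signature_internal directly with all-zero rnd. */
-mld_randombytes(rnd, MLDSA_RNDBYTES);
+if (mld_randombytes(rnd, MLDSA_RNDBYTES) != 0)
+{
+*siglen = 0;
+return -1;
+}
 MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
 
 result = crypto_sign_signature_internal(sig, siglen, mu, MLDSA_CRHBYTES, NULL,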
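Review bot: The three new early returns give the public API a failure mode that the surrounding comments do not mention: the "Randomized variant" comment in both signing hunks still only describes the deterministic alternative, and a reader could assume a failed RNG falls back to the all-zero rnd path, which it deliberately does not. Extending that comment with `* A failing mld_randombytes aborts signing with -1 rather than falling back to the deterministic variant. */` would make the intent explicit. The keypair hunk (-265) returns -1 without touching pk/sk whereas both signature hunks reset `*siglen` to 0; if the public header documents output state on failure, it should state that pk/sk are unspecified in that case so callers do not reuse the buffers. All three enclosing functions begin and end outside their hunks.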

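--- a/test/bench_components_mldsa.c
+++ b/test/bench_components_mldsa.c
@@ -18,32 +18,44 @@
 #define NITERATIONS 300
 #define NTESTS 20
 
+#define CHECK(x) \
+do \
+{ \
+int rc; \
+rc = (x); \
+if (!rc) \
+{ \
+fprintf(stderr, "ERROR (%s,%d)\n", __FILE__, __LINE__); \
+return 1; \
+} \
+} while (0)
+
 static int cmp_uint64_t(const void *a, const void *b)
 {
 return (int)((*((const uint64_t *)a)) - (*((const uint64_t *)b)));
 }
 
-#define BENCH(txt, code) \
-for (i = 0; i < NTESTS; i++) \
-{ \
-mld_randombytes((uint8_t *)data0, sizeof(data0)); \
-mld_randombytes((uint8_t *)&polyvecl_a, sizeof(polyvecl_a)); \
-mld_randombytes((uint8_t *)&polyvecl_b, sizeof(polyvecl_b)); \
-mld_randombytes((uint8_t *)polyvecl_mat, sizeof(polyvecl_mat)); \
-for (j = 0; j < NWARMUP; j++) \
-{ \
-code; \
-} \
-\
-t0 = get_cyclecounter(); \
-for (j = 0; j < NITERATIONS; j++) \
-{ \
-code; \
-} \
-t1 = get_cyclecounter(); \
-(cyc)[i] = t1 - t0; \
-} \
-qsort((cyc), NTESTS, sizeof(uint64_t), cmp_uint64_t); \
+#define BENCH(txt, code) \
+for (i = 0; i < NTESTS; i++) \
+{ \
+CHECK(mld_randombytes((uint8_t *)data0, sizeof(data0)) == 0); \
+CHECK(mld_randombytes((uint8_t *)&polyvecl_a, sizeof(polyvecl_a)) == 0); \
+CHECK(mld_randombytes((uint8_t *)&polyvecl_b, sizeof(polyvecl_b)) == 0); \
+CHECK(mld_randombytes((uint8_t *)polyvecl_mat, sizeof(polyvecl_mat)) == 0);\
+for (j = 0; j < NWARMUP; j++) \
+{ \
+code; \
+} \
+\
+t0 = get_cyclecounter(); \
+for (j = 0; j < NITERATIONS; j++) \
+{ \
+code; \
+} \
+t1 = get_cyclecounter(); \
+(cyc)[i] = t1 - t0; \
+} \
+qsort((cyc), NTESTS, sizeof(uint64_t), cmp_uint64_t); \
 printf(txt " cycles=%" PRIu64 "\n", (cyc)[NTESTS >> 1] / NITERATIONS);
 
 static int bench(void)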
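Review bot: The new CHECK macro hides a `return 1;` inside a macro that is itself expanded inside the BENCH macro, so the failure path is only valid where the expansion lands in a function returning int — bench() here — and the `rc` local shadows nothing only by luck; a one-line comment above the definition, `/* Aborts the enclosing int-returning function on failure; only usable inside such a function. */`, would make that constraint visible. bench_mldsa.c and test_mldsa.c also call CHECK in this commit, and if their definitions match this one (not visible here) the three copies would be better kept in one shared test header. Minor style point: `int rc; rc = (x);` can be a single `int rc = (x);`.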

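--- a/test/bench_mldsa.c
+++ b/test/bench_mldsa.c
@@ -91,8 +91,8 @@ static int bench(void)
 for (i = 0; i < NTESTS; i++)
 {
 int ret = 0;
-mld_randombytes(kg_rand, sizeof(kg_rand));
-mld_randombytes(sig_rand, sizeof(sig_rand));
+CHECK(mld_randombytes(kg_rand, sizeof(kg_rand)) == 0);
+CHECK(mld_randombytes(sig_rand, sizeof(sig_rand)) == 0);
 
 
 /* Key-pair generation */
@@ -111,8 +111,8 @@ static int bench(void)
 
 
 /* Signing */
-mld_randombytes(ctx, CTXLEN);
-mld_randombytes(m, MLEN);
+CHECK(mld_randombytes(ctx, CTXLEN) == 0);
+CHECK(mld_randombytes(m, MLEN) == 0);
 
 pre[0] = 0;
 pre[1] = CTXLEN;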

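--- a/test/notrandombytes/notrandombytes.c
+++ b/test/notrandombytes/notrandombytes.c
@@ -90,7 +90,7 @@ static void surf(void)
 }
 }
 
-void randombytes(uint8_t *buf, size_t n)
+int randombytes(uint8_t *buf, size_t n)
 {
 #ifdef ENABLE_CT_TESTING
 uint8_t *buf_orig = buf;
@@ -126,4 +126,5 @@ void randombytes(uint8_t *buf, size_t n)
 */
 VALGRIND_MAKE_MEM_UNDEFINED(buf_orig, n_orig);
 #endif /* ENABLE_CT_TESTING */
+return 0;
 }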
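Review bot: The added `return 0;` is the only place where this test generator's success contract is expressed, and nothing explains why it can never report failure; since this appears to be the deterministic test-only generator (it lives under test/ and is paired with randombytes_reset()), a short comment such as `/* Deterministic test generator: cannot fail, always reports success. */` above the return would stop a reader from looking for an error path that does not exist. It would also be worth a sentence in notrandombytes.h noting that, unlike a production randombytes(), this implementation never returns nonzero, so the failure branches added in sign.c are not exercised by the existing tests. The body of randombytes() between the two hunks is outside this view.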

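--- a/test/notrandombytes/notrandombytes.h
+++ b/test/notrandombytes/notrandombytes.h
@@ -29,6 +29,6 @@
 */
 
 void randombytes_reset(void);
-void randombytes(uint8_t *buf, size_t n);
+int randombytes(uint8_t *buf, size_t n);
 
 #endif /* !NOTRANDOMBYTES_H */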

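--- a/test/test_mldsa.c
+++ b/test/test_mldsa.c
@@ -40,9 +40,9 @@ static int test_sign_core(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
 
 
 CHECK(crypto_sign_keypair(pk, sk) == 0);
-randombytes(ctx, CTXLEN);
+CHECK(randombytes(ctx, CTXLEN) == 0);
 MLD_CT_TESTING_SECRET(ctx, CTXLEN);
-randombytes(m, MLEN);
+CHECK(randombytes(m, MLEN) == 0);
 MLD_CT_TESTING_SECRET(m, MLEN);
 
 CHECK(crypto_sign(sm, &smlen, m, MLEN, ctx, CTXLEN, sk) == 0);
@@ -114,7 +114,7 @@ static int test_sign_extmu(void)
 size_t siglen;
 
 CHECK(crypto_sign_keypair(pk, sk) == 0);
-randombytes(mu, MLDSA_CRHBYTES);
+CHECK(randombytes(mu, MLDSA_CRHBYTES) == 0);
 MLD_CT_TESTING_SECRET(mu, sizeof(mu));
 
 CHECK(crypto_sign_signature_extmu(sig, &siglen, mu, sk) == 0);
@@ -136,11 +136,11 @@ static int test_sign_pre_hash(void)
 
 
 CHECK(crypto_sign_keypair(pk, sk) == 0);
-randombytes(ctx, CTXLEN);
+CHECK(randombytes(ctx, CTXLEN) == 0);
 MLD_CT_TESTING_SECRET(ctx, sizeof(ctx));
-randombytes(m, MLEN);
+CHECK(randombytes(m, MLEN) == 0);
 MLD_CT_TESTING_SECRET(m, sizeof(m));
-randombytes(rnd, MLDSA_RNDBYTES);
+CHECK(randombytes(rnd, MLDSA_RNDBYTES) == 0);
 MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
 
 CHECK(crypto_sign_signature_pre_hash_shake256(sig, &siglen, m, MLEN, ctx,
@@ -166,15 +166,15 @@ static int test_wrong_pk(void)
 size_t i;
 
 CHECK(crypto_sign_keypair(pk, sk) == 0);
-randombytes(ctx, CTXLEN);
+CHECK(randombytes(ctx, CTXLEN) == 0);
 MLD_CT_TESTING_SECRET(ctx, sizeof(ctx));
-randombytes(m, MLEN);
+CHECK(randombytes(m, MLEN) == 0);
 MLD_CT_TESTING_SECRET(m, sizeof(m));
 
 CHECK(crypto_sign(sm, &smlen, m, MLEN, ctx, CTXLEN, sk) == 0);
 
 /* flip bit in public key */
-randombytes((uint8_t *)&idx, sizeof(size_t));
+CHECK(randombytes((uint8_t *)&idx, sizeof(size_t)) == 0);
 idx %= CRYPTO_PUBLICKEYBYTES;
 
 pk[idx] ^= 1;
@@ -217,15 +217,15 @@ static int test_wrong_sig(void)
 size_t i;
 
 CHECK(crypto_sign_keypair(pk, sk) == 0);
-randombytes(ctx, CTXLEN);
+CHECK(randombytes(ctx, CTXLEN) == 0);
 MLD_CT_TESTING_SECRET(ctx, sizeof(ctx));
-randombytes(m, MLEN);
+CHECK(randombytes(m, MLEN) == 0);
 MLD_CT_TESTING_SECRET(m, sizeof(m));
 
 CHECK(crypto_sign(sm, &smlen, m, MLEN, ctx, CTXLEN, sk) == 0);
 
 /* flip bit in signed message */
-randombytes((uint8_t *)&idx, sizeof(size_t));
+CHECK(randombytes((uint8_t *)&idx, sizeof(size_t)) == 0);
 idx %= MLEN + CRYPTO_BYTES;
 
 sm[idx] ^= 1;
@@ -269,15 +269,15 @@ static int test_wrong_ctx(void)
 size_t i;
 
 CHECK(crypto_sign_keypair(pk, sk) == 0);
-randombytes(ctx, CTXLEN);
+CHECK(randombytes(ctx, CTXLEN) == 0);
 MLD_CT_TESTING_SECRET(ctx, sizeof(ctx));
-randombytes(m, MLEN);
+CHECK(randombytes(m, MLEN) == 0);
 MLD_CT_TESTING_SECRET(m, sizeof(m));
 
 CHECK(crypto_sign(sm, &smlen, m, MLEN, ctx, CTXLEN, sk) == 0);
 
 /* flip bit in ctx */
-randombytes((uint8_t *)&idx, sizeof(size_t));
+CHECK(randombytes((uint8_t *)&idx, sizeof(size_t)) == 0);
 idx %= CTXLEN;
 
 ctx[idx] ^= 1;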
