API: add failure mode support for randombytes()

L-series · L-series · commit bfe68e4d7340 · 2025-11-28T14:11:10.000-05:00
Change randombytes() to return int (0 on success, non-zero on failure)
instead of void, allowing callers to detect and handle RNG failures.

Updated function signature, all call sites to check return
values and test files to use CHECK macro.

Signed-off-by: Andreas Hatziiliou &lt;andreas.hatziiliou@savoirfairelinux.com&gt;
diff --git a/examples/basic/test_only_rng/notrandombytes.c b/examples/basic/test_only_rng/notrandombytes.c
@@ -87,7 +87,7 @@ static void surf(void)
   }
 }
 
-void randombytes(uint8_t *buf, size_t n)
+int randombytes(uint8_t *buf, size_t n)
 {
   while (n > 0)
   {
@@ -110,4 +110,5 @@ void randombytes(uint8_t *buf, size_t n)
     ++buf;
     --n;
   }
+  return 0;
 }
diff --git a/examples/basic/test_only_rng/notrandombytes.h b/examples/basic/test_only_rng/notrandombytes.h
@@ -30,6 +30,6 @@
  */
 
 void randombytes_reset(void);
-void randombytes(uint8_t *buf, size_t n);
+int randombytes(uint8_t *buf, size_t n);
 
 #endif /* !NOTRANDOMBYTES_H */
diff --git a/examples/bring_your_own_fips202/test_only_rng/notrandombytes.c b/examples/bring_your_own_fips202/test_only_rng/notrandombytes.c
@@ -87,7 +87,7 @@ static void surf(void)
   }
 }
 
-void randombytes(uint8_t *buf, size_t n)
+int randombytes(uint8_t *buf, size_t n)
 {
   while (n > 0)
   {
@@ -110,4 +110,5 @@ void randombytes(uint8_t *buf, size_t n)
     ++buf;
     --n;
   }
+  return 0;
 }
diff --git a/examples/bring_your_own_fips202/test_only_rng/notrandombytes.h b/examples/bring_your_own_fips202/test_only_rng/notrandombytes.h
@@ -30,6 +30,6 @@
  */
 
 void randombytes_reset(void);
-void randombytes(uint8_t *buf, size_t n);
+int randombytes(uint8_t *buf, size_t n);
 
 #endif /* !NOTRANDOMBYTES_H */
diff --git a/examples/bring_your_own_fips202_static/test_only_rng/notrandombytes.c b/examples/bring_your_own_fips202_static/test_only_rng/notrandombytes.c
@@ -87,7 +87,7 @@ static void surf(void)
   }
 }
 
-void randombytes(uint8_t *buf, size_t n)
+int randombytes(uint8_t *buf, size_t n)
 {
   while (n > 0)
   {
@@ -110,4 +110,5 @@ void randombytes(uint8_t *buf, size_t n)
     ++buf;
     --n;
   }
+  return 0;
 }
diff --git a/examples/bring_your_own_fips202_static/test_only_rng/notrandombytes.h b/examples/bring_your_own_fips202_static/test_only_rng/notrandombytes.h
@@ -30,6 +30,6 @@
  */
 
 void randombytes_reset(void);
-void randombytes(uint8_t *buf, size_t n);
+int randombytes(uint8_t *buf, size_t n);
 
 #endif /* !NOTRANDOMBYTES_H */
diff --git a/integration/liboqs/config_aarch64.h b/integration/liboqs/config_aarch64.h
@@ -174,9 +174,10 @@
 #include <oqs/rand.h>
 #include <stdint.h>
 #include "../../mldsa/src/sys.h"
-static MLD_INLINE void mld_randombytes(uint8_t *ptr, size_t len)
+static MLD_INLINE int mld_randombytes(uint8_t *ptr, size_t len)
 {
   OQS_randombytes(ptr, len);
+  return 0;
 }
 #endif /* !__ASSEMBLER__ */
 
diff --git a/integration/liboqs/config_c.h b/integration/liboqs/config_c.h
@@ -178,9 +178,10 @@
 #include <oqs/rand.h>
 #include <stdint.h>
 #include "../../mldsa/src/sys.h"
-static MLD_INLINE void mld_randombytes(uint8_t *ptr, size_t len)
+static MLD_INLINE int mld_randombytes(uint8_t *ptr, size_t len)
 {
   OQS_randombytes(ptr, len);
+  return 0;
 }
 #endif /* !__ASSEMBLER__ */
 
diff --git a/integration/liboqs/config_x86_64.h b/integration/liboqs/config_x86_64.h
@@ -176,9 +176,10 @@
 #include <oqs/rand.h>
 #include <stdint.h>
 #include "../../mldsa/src/sys.h"
-static MLD_INLINE void mld_randombytes(uint8_t *ptr, size_t len)
+static MLD_INLINE int mld_randombytes(uint8_t *ptr, size_t len)
 {
   OQS_randombytes(ptr, len);
+  return 0;
 }
 #endif /* !__ASSEMBLER__ */
 
diff --git a/mldsa/src/randombytes.h b/mldsa/src/randombytes.h
@@ -13,12 +13,12 @@
 
 #if !defined(MLD_CONFIG_NO_RANDOMIZED_API)
 #if !defined(MLD_CONFIG_CUSTOM_RANDOMBYTES)
-void randombytes(uint8_t *out, size_t outlen);
-static MLD_INLINE void mld_randombytes(uint8_t *out, size_t outlen)
+int randombytes(uint8_t *out, size_t outlen);
+static MLD_INLINE int mld_randombytes(uint8_t *out, size_t outlen)
 __contract__(
   requires(memory_no_alias(out, outlen))
   assigns(memory_slice(out, outlen))
-) { randombytes(out, outlen); }
+) { return randombytes(out, outlen); }
 #endif /* !MLD_CONFIG_CUSTOM_RANDOMBYTES */
 #endif /* !MLD_CONFIG_NO_RANDOMIZED_API */
 #endif /* !MLD_RANDOMBYTES_H */
diff --git a/mldsa/src/sign.c b/mldsa/src/sign.c
@@ -320,7 +320,10 @@ int crypto_sign_keypair(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
 {
   MLD_ALIGN uint8_t seed[MLDSA_SEEDBYTES];
   int result;
-  mld_randombytes(seed, MLDSA_SEEDBYTES);
+  if (mld_randombytes(seed, MLDSA_SEEDBYTES) != 0)
+  {
+    return -1;
+  }
   MLD_CT_TESTING_SECRET(seed, sizeof(seed));
   result = crypto_sign_keypair_internal(pk, sk, seed);
 
@@ -707,7 +710,11 @@ int crypto_sign_signature(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
 
   /* Randomized variant of ML-DSA. If you need the deterministic variant,
    * call crypto_sign_signature_internal directly with all-zero rnd. */
-  mld_randombytes(rnd, MLDSA_RNDBYTES);
+  if (mld_randombytes(rnd, MLDSA_RNDBYTES) != 0)
+  {
+    *siglen = 0;
+    return -1;
+  }
   MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
 
   result = crypto_sign_signature_internal(sig, siglen, m, mlen, pre, pre_len,
@@ -734,7 +741,11 @@ int crypto_sign_signature_extmu(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
 
   /* Randomized variant of ML-DSA. If you need the deterministic variant,
    * call crypto_sign_signature_internal directly with all-zero rnd. */
-  mld_randombytes(rnd, MLDSA_RNDBYTES);
+  if (mld_randombytes(rnd, MLDSA_RNDBYTES) != 0)
+  {
+    *siglen = 0;
+    return -1;
+  }
   MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
 
   result = crypto_sign_signature_internal(sig, siglen, mu, MLDSA_CRHBYTES, NULL,
diff --git a/test/bench_components_mldsa.c b/test/bench_components_mldsa.c
@@ -18,32 +18,45 @@
 #define NITERATIONS 300
 #define NTESTS 20
 
+#define CHECK(x)                                              \
+  do                                                          \
+  {                                                           \
+    int rc;                                                   \
+    rc = (x);                                                 \
+    if (!rc)                                                  \
+    {                                                         \
+      fprintf(stderr, "ERROR (%s,%d)\n", __FILE__, __LINE__); \
+      return 1;                                               \
+    }                                                         \
+  } while (0)
+
 static int cmp_uint64_t(const void *a, const void *b)
 {
   return (int)((*((const uint64_t *)a)) - (*((const uint64_t *)b)));
 }
 
-#define BENCH(txt, code)                                            \
-  for (i = 0; i < NTESTS; i++)                                      \
-  {                                                                 \
-    mld_randombytes((uint8_t *)data0, sizeof(data0));               \
-    mld_randombytes((uint8_t *)&polyvecl_a, sizeof(polyvecl_a));    \
-    mld_randombytes((uint8_t *)&polyvecl_b, sizeof(polyvecl_b));    \
-    mld_randombytes((uint8_t *)polyvecl_mat, sizeof(polyvecl_mat)); \
-    for (j = 0; j < NWARMUP; j++)                                   \
-    {                                                               \
-      code;                                                         \
-    }                                                               \
-                                                                    \
-    t0 = get_cyclecounter();                                        \
-    for (j = 0; j < NITERATIONS; j++)                               \
-    {                                                               \
-      code;                                                         \
-    }                                                               \
-    t1 = get_cyclecounter();                                        \
-    (cyc)[i] = t1 - t0;                                             \
-  }                                                                 \
-  qsort((cyc), NTESTS, sizeof(uint64_t), cmp_uint64_t);             \
+#define BENCH(txt, code)                                                     \
+  for (i = 0; i < NTESTS; i++)                                               \
+  {                                                                          \
+    CHECK(mld_randombytes((uint8_t *)data0, sizeof(data0)) == 0);            \
+    CHECK(mld_randombytes((uint8_t *)&polyvecl_a, sizeof(polyvecl_a)) == 0); \
+    CHECK(mld_randombytes((uint8_t *)&polyvecl_b, sizeof(polyvecl_b)) == 0); \
+    CHECK(mld_randombytes((uint8_t *)polyvecl_mat, sizeof(polyvecl_mat)) ==  \
+          0);                                                                \
+    for (j = 0; j < NWARMUP; j++)                                            \
+    {                                                                        \
+      code;                                                                  \
+    }                                                                        \
+                                                                             \
+    t0 = get_cyclecounter();                                                 \
+    for (j = 0; j < NITERATIONS; j++)                                        \
+    {                                                                        \
+      code;                                                                  \
+    }                                                                        \
+    t1 = get_cyclecounter();                                                 \
+    (cyc)[i] = t1 - t0;                                                      \
+  }                                                                          \
+  qsort((cyc), NTESTS, sizeof(uint64_t), cmp_uint64_t);                      \
   printf(txt " cycles=%" PRIu64 "\n", (cyc)[NTESTS >> 1] / NITERATIONS);
 
 static int bench(void)
diff --git a/test/bench_mldsa.c b/test/bench_mldsa.c
@@ -91,8 +91,8 @@ static int bench(void)
   for (i = 0; i < NTESTS; i++)
   {
     int ret = 0;
-    mld_randombytes(kg_rand, sizeof(kg_rand));
-    mld_randombytes(sig_rand, sizeof(sig_rand));
+    CHECK(mld_randombytes(kg_rand, sizeof(kg_rand)) == 0);
+    CHECK(mld_randombytes(sig_rand, sizeof(sig_rand)) == 0);
 
 
     /* Key-pair generation */
@@ -111,8 +111,8 @@ static int bench(void)
 
 
     /* Signing */
-    mld_randombytes(ctx, CTXLEN);
-    mld_randombytes(m, MLEN);
+    CHECK(mld_randombytes(ctx, CTXLEN) == 0);
+    CHECK(mld_randombytes(m, MLEN) == 0);
 
     pre[0] = 0;
     pre[1] = CTXLEN;
diff --git a/test/configs.yml b/test/configs.yml
@@ -38,9 +38,9 @@ configs:
           #include <stdint.h>
           #include "../mldsa/src/sys.h"
           #include "notrandombytes/notrandombytes.h"
-          static MLD_INLINE void mld_randombytes(uint8_t *ptr, size_t len)
+          static MLD_INLINE int mld_randombytes(uint8_t *ptr, size_t len)
           {
-            randombytes(ptr, len);
+            return randombytes(ptr, len);
           }
           #endif /* !__ASSEMBLER__ */
 
@@ -373,9 +373,9 @@ configs:
           #include <stdint.h>
           #include "sys.h"
           #include "test_only_rng/notrandombytes.h"
-          static MLD_INLINE void mld_randombytes(uint8_t *ptr, size_t len)
+          static MLD_INLINE int mld_randombytes(uint8_t *ptr, size_t len)
           {
-            randombytes(ptr, len);
+            return randombytes(ptr, len);
           }
           #endif /* !__ASSEMBLER__ */
 
diff --git a/test/notrandombytes/notrandombytes.c b/test/notrandombytes/notrandombytes.c
@@ -90,7 +90,7 @@ static void surf(void)
   }
 }
 
-void randombytes(uint8_t *buf, size_t n)
+int randombytes(uint8_t *buf, size_t n)
 {
 #ifdef ENABLE_CT_TESTING
   uint8_t *buf_orig = buf;
@@ -126,4 +126,5 @@ void randombytes(uint8_t *buf, size_t n)
    */
   VALGRIND_MAKE_MEM_UNDEFINED(buf_orig, n_orig);
 #endif /* ENABLE_CT_TESTING */
+  return 0;
 }
diff --git a/test/notrandombytes/notrandombytes.h b/test/notrandombytes/notrandombytes.h
@@ -29,6 +29,6 @@
  */
 
 void randombytes_reset(void);
-void randombytes(uint8_t *buf, size_t n);
+int randombytes(uint8_t *buf, size_t n);
 
 #endif /* !NOTRANDOMBYTES_H */
diff --git a/test/test_mldsa.c b/test/test_mldsa.c
@@ -40,9 +40,9 @@ static int test_sign_core(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
 
 
   CHECK(crypto_sign_keypair(pk, sk) == 0);
-  randombytes(ctx, CTXLEN);
+  CHECK(randombytes(ctx, CTXLEN) == 0);
   MLD_CT_TESTING_SECRET(ctx, CTXLEN);
-  randombytes(m, MLEN);
+  CHECK(randombytes(m, MLEN) == 0);
   MLD_CT_TESTING_SECRET(m, MLEN);
 
   CHECK(crypto_sign(sm, &smlen, m, MLEN, ctx, CTXLEN, sk) == 0);
@@ -114,7 +114,7 @@ static int test_sign_extmu(void)
   size_t siglen;
 
   CHECK(crypto_sign_keypair(pk, sk) == 0);
-  randombytes(mu, MLDSA_CRHBYTES);
+  CHECK(randombytes(mu, MLDSA_CRHBYTES) == 0);
   MLD_CT_TESTING_SECRET(mu, sizeof(mu));
 
   CHECK(crypto_sign_signature_extmu(sig, &siglen, mu, sk) == 0);
@@ -136,11 +136,11 @@ static int test_sign_pre_hash(void)
 
 
   CHECK(crypto_sign_keypair(pk, sk) == 0);
-  randombytes(ctx, CTXLEN);
+  CHECK(randombytes(ctx, CTXLEN) == 0);
   MLD_CT_TESTING_SECRET(ctx, sizeof(ctx));
-  randombytes(m, MLEN);
+  CHECK(randombytes(m, MLEN) == 0);
   MLD_CT_TESTING_SECRET(m, sizeof(m));
-  randombytes(rnd, MLDSA_RNDBYTES);
+  CHECK(randombytes(rnd, MLDSA_RNDBYTES) == 0);
   MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
 
   CHECK(crypto_sign_signature_pre_hash_shake256(sig, &siglen, m, MLEN, ctx,
@@ -225,15 +225,15 @@ static int test_wrong_pk(void)
   size_t i;
 
   CHECK(crypto_sign_keypair(pk, sk) == 0);
-  randombytes(ctx, CTXLEN);
+  CHECK(randombytes(ctx, CTXLEN) == 0);
   MLD_CT_TESTING_SECRET(ctx, sizeof(ctx));
-  randombytes(m, MLEN);
+  CHECK(randombytes(m, MLEN) == 0);
   MLD_CT_TESTING_SECRET(m, sizeof(m));
 
   CHECK(crypto_sign(sm, &smlen, m, MLEN, ctx, CTXLEN, sk) == 0);
 
   /* flip bit in public key */
-  randombytes((uint8_t *)&idx, sizeof(size_t));
+  CHECK(randombytes((uint8_t *)&idx, sizeof(size_t)) == 0);
   idx %= CRYPTO_PUBLICKEYBYTES;
 
   pk[idx] ^= 1;
@@ -276,15 +276,15 @@ static int test_wrong_sig(void)
   size_t i;
 
   CHECK(crypto_sign_keypair(pk, sk) == 0);
-  randombytes(ctx, CTXLEN);
+  CHECK(randombytes(ctx, CTXLEN) == 0);
   MLD_CT_TESTING_SECRET(ctx, sizeof(ctx));
-  randombytes(m, MLEN);
+  CHECK(randombytes(m, MLEN) == 0);
   MLD_CT_TESTING_SECRET(m, sizeof(m));
 
   CHECK(crypto_sign(sm, &smlen, m, MLEN, ctx, CTXLEN, sk) == 0);
 
   /* flip bit in signed message */
-  randombytes((uint8_t *)&idx, sizeof(size_t));
+  CHECK(randombytes((uint8_t *)&idx, sizeof(size_t)) == 0);
   idx %= MLEN + CRYPTO_BYTES;
 
   sm[idx] ^= 1;
@@ -328,15 +328,15 @@ static int test_wrong_ctx(void)
   size_t i;
 
   CHECK(crypto_sign_keypair(pk, sk) == 0);
-  randombytes(ctx, CTXLEN);
+  CHECK(randombytes(ctx, CTXLEN) == 0);
   MLD_CT_TESTING_SECRET(ctx, sizeof(ctx));
-  randombytes(m, MLEN);
+  CHECK(randombytes(m, MLEN) == 0);
   MLD_CT_TESTING_SECRET(m, sizeof(m));
 
   CHECK(crypto_sign(sm, &smlen, m, MLEN, ctx, CTXLEN, sk) == 0);
 
   /* flip bit in ctx */
-  randombytes((uint8_t *)&idx, sizeof(size_t));
+  CHECK(randombytes((uint8_t *)&idx, sizeof(size_t)) == 0);
   idx %= CTXLEN;
 
   ctx[idx] ^= 1;

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ static void surf(void)`
`87`	`87`	`}`
`88`	`88`	`}`
`89`	`89`
`90`		`-void randombytes(uint8_t *buf, size_t n)`
	`90`	`+int randombytes(uint8_t *buf, size_t n)`
`91`	`91`	`{`
`92`	`92`	`while (n > 0)`
`93`	`93`	`{`
`@@ -110,4 +110,5 @@ void randombytes(uint8_t *buf, size_t n)`
`110`	`110`	`++buf;`
`111`	`111`	`--n;`
`112`	`112`	`}`
	`113`	`+ return 0;`
`113`	`114`	`}`
Original file line number	Diff line number	Diff line change
`@@ -174,9 +174,10 @@`
`174`	`174`	`#include <oqs/rand.h>`
`175`	`175`	`#include <stdint.h>`
`176`	`176`	`#include "../../mldsa/src/sys.h"`
`177`		`-static MLD_INLINE void mld_randombytes(uint8_t *ptr, size_t len)`
	`177`	`+static MLD_INLINE int mld_randombytes(uint8_t *ptr, size_t len)`
`178`	`178`	`{`
`179`	`179`	`OQS_randombytes(ptr, len);`
	`180`	`+ return 0;`
`180`	`181`	`}`
`181`	`182`	`#endif /* !__ASSEMBLER__ */`
`182`	`183`
Original file line number	Diff line number	Diff line change
`@@ -178,9 +178,10 @@`
`178`	`178`	`#include <oqs/rand.h>`
`179`	`179`	`#include <stdint.h>`
`180`	`180`	`#include "../../mldsa/src/sys.h"`
`181`		`-static MLD_INLINE void mld_randombytes(uint8_t *ptr, size_t len)`
	`181`	`+static MLD_INLINE int mld_randombytes(uint8_t *ptr, size_t len)`
`182`	`182`	`{`
`183`	`183`	`OQS_randombytes(ptr, len);`
	`184`	`+ return 0;`
`184`	`185`	`}`
`185`	`186`	`#endif /* !__ASSEMBLER__ */`
`186`	`187`
Original file line number	Diff line number	Diff line change
`@@ -176,9 +176,10 @@`
`176`	`176`	`#include <oqs/rand.h>`
`177`	`177`	`#include <stdint.h>`
`178`	`178`	`#include "../../mldsa/src/sys.h"`
`179`		`-static MLD_INLINE void mld_randombytes(uint8_t *ptr, size_t len)`
	`179`	`+static MLD_INLINE int mld_randombytes(uint8_t *ptr, size_t len)`
`180`	`180`	`{`
`181`	`181`	`OQS_randombytes(ptr, len);`
	`182`	`+ return 0;`
`182`	`183`	`}`
`183`	`184`	`#endif /* !__ASSEMBLER__ */`
`184`	`185`