Verify size of mlen in ML-DSA external mu mode

[jakemas]

Issues:

Resolves #N/A

Description of changes:

When signing/verifying in ML-DSA the caller provides mlen the the length of the message m that is being signed/verified. Currently, we do no validation on the size of mlen when in pre-hash mode (called "external mu" in ML-DSA). Since the pre-hash is the output of a SHAKE256 hash function, it is of fixed size ML_DSA_CRHBYTES. This adds validation to check that, returning -1 if not true to match the case where the context ctx has length too large.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[dkostic]

you'll skip the destruction of intermediate values with this.

[jakemas]

Thank you, great spot, added in 2185013

[dkostic]

same as above

[jakemas]

Thank you, great spot, added in 2185013

[github-actions]

clang-tidy made some suggestions

[github-actions]

warning: call to undeclared function 'SHAKE_Final'; ISO C99 and later do not support implicit function declarations [clang-diagnostic-implicit-function-declaration]

    SHAKE_Final(mu, &state, ML_DSA_CRHBYTES);
    ^

Additional context

crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c:204: did you mean 'SHA1_Final'?

    SHAKE_Final(mu, &state, ML_DSA_CRHBYTES);
    ^

include/openssl/sha.h:84: 'SHA1_Final' declared here

OPENSSL_EXPORT int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *sha);
                   ^

[github-actions]

warning: use of undeclared identifier 'state' [clang-diagnostic-error]

    SHAKE_Final(mu, &state, ML_DSA_CRHBYTES);
                     ^

[codecov-commenter]

Codecov Report

❌ Patch coverage is 75.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.24%. Comparing base (60e61bc) to head (f4128f8).

Files with missing lines	Patch %	Lines
crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c	75.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2841      +/-   ##
==========================================
- Coverage   78.24%   78.24%   -0.01%     
==========================================
  Files         683      683              
  Lines      117354   117358       +4     
  Branches    16492    16492              
==========================================
- Hits        91826    91822       -4     
- Misses      24640    24648       +8     
  Partials      888      888              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[manastasova]

Why not checking for the correctness of the length at the beginning of these two functions and, thus, avoid the memory allocations and function calls?

[jakemas]

Why not checking for the correctness of the length at the beginning of these two functions and, thus, avoid the memory allocations and function calls?

Ahh yeah that could work too, follow the exisiting siglen check with an mlen check... I'm happy with either

  if(siglen != params->bytes) {
    return -1;
  }
  
  if (mlen != ML_DSA_CRHBYTES) {
      return -1;
  }

[manastasova]

I can see it being at the very beginning of the functions (along with the external mu check):

if (external_mu && mlen != ML_DSA_CRHBYTES) {
       return -1;
}

[github-actions]

clang-tidy made some suggestions

[github-actions]

warning: use of undeclared identifier 'KECCAK1600_CTX' [clang-diagnostic-error]

  KECCAK1600_CTX state;
  ^

[manastasova]

Or too short? I could not see where the length of context is checked.

[jakemas]

addressed in 5b1c5a5

[manastasova]

alignment here is off

[jakemas]

ty fixed in ff7fbb9

[manastasova]

we could add space here if <space> ( ....

[jakemas]

There is a mix of if's with and without -- for now I can live with this