commit 571c76e919c0c48219ced35bef83e1fc83b00eed
author Adam Langley <agl@chromium.org> Wed Nov 06 15:33:44 2024 -0800
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Fri Nov 08 22:44:00 2024 +0000
tree 2288692ca97fda438207452f9d44856a45cf71b6
parent 52a2c003d9622a78d6b791c10ea456eabaf6f52a

SLH-DSA: support SHA-384 as the prehash function instead.

Change-Id: I931e660d6ad8e6fae0e17b414a40bb0a0ea7e9c3
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/72967
Reviewed-by: Bob Beck <bbe@google.com>
Auto-Submit: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>

rust/bssl-crypto/src/slhdsa.rs

diff --git a/rust/bssl-crypto/src/slhdsa.rs b/rust/bssl-crypto/src/slhdsa.rs
index 47185f2..193db57 100644
--- a/rust/bssl-crypto/src/slhdsa.rs
+++ b/rust/bssl-crypto/src/slhdsa.rs
@@ -46,9 +46,7 @@
 //! assert!(public_key.verify_with_context(message, &signature2, context).is_ok());
 //! ```
 
-use crate::{
-    digest, sealed, with_output_vec_fallible, FfiSlice, ForeignTypeRef, InvalidSignatureError,
-};
+use crate::{with_output_vec_fallible, FfiSlice, InvalidSignatureError};
 use alloc::vec::Vec;
 
 /// The number of bytes in an SLH-DSA-SHA2-128s public key.
@@ -132,48 +130,6 @@
             })
         }
     }
-
-    /// Signs a prehashed message using this private key.
-    ///
-    /// This function returns None if `context` is longer than 255 bytes, if
-    /// the hash function is not supported, or if `hashed_msg` is the wrong length.
-    ///
-    /// This function generally should not be used. The general functions are
-    /// perfectly capable of signing a hash if you wish. These functions should
-    /// only be used when:
-    ///
-    /// 1. Compatibility with an external system that uses prehashed messages is
-    /// required. (The general signature of a hash is not compatible with a
-    /// "prehash" signature of the same hash.)
-    /// 2. A single private key is used to sign both prehashed and raw messages,
-    /// and there's no other way to prevent ambiguity.
-    pub fn prehash_sign<Hash: digest::Algorithm>(
-        &self,
-        hashed_msg: &[u8],
-        context: &[u8],
-    ) -> Option<Vec<u8>> {
-        unsafe {
-            with_output_vec_fallible(SIGNATURE_BYTES, |signature| {
-                let hash_nid = bssl_sys::EVP_MD_nid(Hash::get_md(sealed::Sealed).as_ptr());
-                // Safety: the FFI function always writes exactly `SIGNATURE_BYTES` to
-                // the first argument if it succeeds. Otherwise, all buffers are valid.
-                if bssl_sys::SLHDSA_SHA2_128S_prehash_sign(
-                    signature,
-                    self.0.as_ptr(),
-                    hashed_msg.as_ffi_ptr(),
-                    hashed_msg.len(),
-                    hash_nid,
-                    context.as_ffi_ptr(),
-                    context.len(),
-                ) == 1
-                {
-                    Some(SIGNATURE_BYTES)
-                } else {
-                    None
-                }
-            })
-        }
-    }
 }
 
 impl AsRef<[u8]> for PrivateKey {
@@ -221,40 +177,6 @@
             Err(InvalidSignatureError)
         }
     }
-
-    /// Verifies a signature for a prehashed message using this public key and
-    /// the given context.
-    ///
-    /// This function returns `InvalidSignatureError` if `context` is longer
-    /// than 255 bytes, if the hash function is not supported, or if
-    /// `hashed_msg` is the wrong length.
-    pub fn prehash_verify<Hash: digest::Algorithm>(
-        &self,
-        hashed_msg: &[u8],
-        signature: &[u8],
-        context: &[u8],
-    ) -> Result<(), InvalidSignatureError> {
-        let ok = unsafe {
-            let hash_nid = bssl_sys::EVP_MD_nid(Hash::get_md(sealed::Sealed).as_ptr());
-            // Safety: all buffers are valid
-            bssl_sys::SLHDSA_SHA2_128S_prehash_verify(
-                signature.as_ffi_ptr(),
-                signature.len(),
-                self.0.as_ptr(),
-                hashed_msg.as_ffi_ptr(),
-                hashed_msg.len(),
-                hash_nid,
-                context.as_ffi_ptr(),
-                context.len(),
-            )
-        };
-
-        if ok == 1 {
-            Ok(())
-        } else {
-            Err(InvalidSignatureError)
-        }
-    }
 }
 
 impl AsRef<[u8]> for PublicKey {
@@ -301,38 +223,6 @@
     }
 
     #[test]
-    fn test_sign_and_verify_prehashed() {
-        let (public_key, private_key) = PrivateKey::generate();
-        let digest = [42u8; 32];
-        let context = b"test context";
-
-        let sig = private_key
-            .prehash_sign::<digest::Sha256>(&digest, context)
-            .unwrap();
-        assert!(public_key
-            .prehash_verify::<digest::Sha256>(&digest, &sig, context)
-            .is_ok());
-
-        let mut incorrect_digest = digest;
-        incorrect_digest[0] ^= 1;
-        assert!(public_key
-            .prehash_verify::<digest::Sha256>(&incorrect_digest, &sig, context)
-            .is_err());
-
-        assert!(public_key
-            .prehash_verify::<digest::Sha256>(&digest, &sig, b"wrong context")
-            .is_err());
-
-        let incorrect_length_digest = [42u8; 16];
-        assert!(private_key
-            .prehash_sign::<digest::Sha256>(&incorrect_length_digest, context)
-            .is_none());
-        assert!(public_key
-            .prehash_verify::<digest::Sha256>(&incorrect_length_digest, &sig, context)
-            .is_err());
-    }
-
-    #[test]
     fn test_public_key_from_private() {
         let (public_key, private_key) = PrivateKey::generate();
         let derived_public_key = private_key.to_public_key();