1 files changed, 57 insertions, 30 deletions
diff --git a/src/lib/libcrypto/mlkem/mlkem1024.c b/src/lib/libcrypto/mlkem/mlkem1024.c
index ce6f26e66c..04e106299a 100644
--- a/src/lib/libcrypto/mlkem/mlkem1024.c
+++ b/src/lib/libcrypto/mlkem/mlkem1024.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mlkem1024.c,v 1.7 2025/05/03 08:39:33 tb Exp $ */
+/* $OpenBSD: mlkem1024.c,v 1.8 2025/05/19 06:47:40 beck Exp $ */
 /*
 * Copyright (c) 2024, Google Inc.
 * Copyright (c) 2024, Bob Beck <beck@obtuse.com>
@@ -819,7 +819,7 @@ private_key_1024_from_external(const struct MLKEM1024_private_key *external)
 * Calls |MLKEM1024_generate_key_external_entropy| with random bytes from
 * |RAND_bytes|.
 */
-void
+int
 MLKEM1024_generate_key(uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
    uint8_t optional_out_seed[MLKEM_SEED_BYTES],
    struct MLKEM1024_private_key *out_private_key)
@@ -829,7 +829,7 @@ MLKEM1024_generate_key(uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES
            entropy_buf;
        arc4random_buf(entropy, MLKEM_SEED_BYTES);
-        MLKEM1024_generate_key_external_entropy(out_encoded_public_key,
+        return MLKEM1024_generate_key_external_entropy(out_encoded_public_key,
            out_private_key, entropy);
 }
 LCRYPTO_ALIAS(MLKEM1024_generate_key);
@@ -843,10 +843,8 @@ MLKEM1024_private_key_from_seed(struct MLKEM1024_private_key *out_private_key,
        if (seed_len != MLKEM_SEED_BYTES) {
                return 0;
        }
-        MLKEM1024_generate_key_external_entropy(public_key_bytes,
+        return MLKEM1024_generate_key_external_entropy(public_key_bytes,
            out_private_key, seed);
-        return 1;
 }
 LCRYPTO_ALIAS(MLKEM1024_private_key_from_seed);
@@ -865,7 +863,7 @@ mlkem_marshal_public_key(CBB *out, const struct public_key *pub)
        return 1;
 }
-void
+int
 MLKEM1024_generate_key_external_entropy(
    uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
    struct MLKEM1024_private_key *out_private_key,
@@ -879,7 +877,9 @@ MLKEM1024_generate_key_external_entropy(
        uint8_t hashed[64];
        vector error;
        CBB cbb;
+        int ret = 0;
+        memset(&cbb, 0, sizeof(CBB));
        memcpy(augmented_seed, entropy, 32);
        augmented_seed[32] = RANK1024;
        hash_g(hashed, augmented_seed, 33);
@@ -894,16 +894,23 @@ MLKEM1024_generate_key_external_entropy(
        matrix_mult_transpose(&priv->pub.t, &priv->pub.m, &priv->s);
        vector_add(&priv->pub.t, &error);
-        /* XXX - error checking. */
+        if (!CBB_init_fixed(&cbb, out_encoded_public_key,
-        CBB_init_fixed(&cbb, out_encoded_public_key, MLKEM1024_PUBLIC_KEY_BYTES);
+            MLKEM1024_PUBLIC_KEY_BYTES))
-        if (!mlkem_marshal_public_key(&cbb, &priv->pub)) {
+                goto err;
-                abort();
-        }
+        if (!mlkem_marshal_public_key(&cbb, &priv->pub))
-        CBB_cleanup(&cbb);
+                goto err;
        hash_h(priv->pub.public_key_hash, out_encoded_public_key,
            MLKEM1024_PUBLIC_KEY_BYTES);
        memcpy(priv->fo_failure_secret, entropy + 32, 32);
+        ret = 1;
+ err:
+        CBB_cleanup(&cbb);
+        return ret;
 }
 void
@@ -1049,11 +1056,26 @@ MLKEM1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
 LCRYPTO_ALIAS(MLKEM1024_decap);
 int
-MLKEM1024_marshal_public_key(CBB *out,
+MLKEM1024_marshal_public_key(uint8_t **output, size_t *output_len,
    const struct MLKEM1024_public_key *public_key)
 {
-        return mlkem_marshal_public_key(out,
+        int ret = 0;
-            public_key_1024_from_external(public_key));
+        CBB cbb;
+        if (!CBB_init(&cbb, MLKEM768_PUBLIC_KEY_BYTES))
+                goto err;
+        if (!mlkem_marshal_public_key(&cbb,
+            public_key_1024_from_external(public_key)))
+                goto err;
+        if (!CBB_finish(&cbb, output, output_len))
+                goto err;
+        ret = 1;
+ err:
+        CBB_cleanup(&cbb);
+        return ret;
 }
 LCRYPTO_ALIAS(MLKEM1024_marshal_public_key);
@@ -1078,16 +1100,19 @@ mlkem_parse_public_key_no_hash(struct public_key *pub, CBS *in)
 }
 int
-MLKEM1024_parse_public_key(struct MLKEM1024_public_key *public_key, CBS *in)
+MLKEM1024_parse_public_key(struct MLKEM1024_public_key *public_key,
+    const uint8_t *input, size_t input_len)
 {
        struct public_key *pub = public_key_1024_from_external(public_key);
-        CBS orig_in = *in;
+        CBS cbs;
-        if (!mlkem_parse_public_key_no_hash(pub, in) ||
+        CBS_init(&cbs, input, input_len);
-            CBS_len(in) != 0) {
+        if (!mlkem_parse_public_key_no_hash(pub, &cbs) ||
+            CBS_len(&cbs) != 0) {
                return 0;
        }
-        hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in));
+        hash_h(pub->public_key_hash, input, input_len);
        return 1;
 }
 LCRYPTO_ALIAS(MLKEM1024_parse_public_key);
@@ -1116,26 +1141,28 @@ MLKEM1024_marshal_private_key(CBB *out,
 int
 MLKEM1024_parse_private_key(struct MLKEM1024_private_key *out_private_key,
-    CBS *in)
+    const uint8_t *input, size_t input_len)
 {
        struct private_key *const priv = private_key_1024_from_external(
            out_private_key);
-        CBS s_bytes;
+        CBS cbs, s_bytes;
+        CBS_init(&cbs, input, input_len);
-        if (!CBS_get_bytes(in, &s_bytes, kEncodedVectorSize) ||
+        if (!CBS_get_bytes(&cbs, &s_bytes, kEncodedVectorSize) ||
            !vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime) ||
-            !mlkem_parse_public_key_no_hash(&priv->pub, in)) {
+            !mlkem_parse_public_key_no_hash(&priv->pub, &cbs)) {
                return 0;
        }
-        memcpy(priv->pub.public_key_hash, CBS_data(in),
+        memcpy(priv->pub.public_key_hash, CBS_data(&cbs),
            sizeof(priv->pub.public_key_hash));
-        if (!CBS_skip(in, sizeof(priv->pub.public_key_hash)))
+        if (!CBS_skip(&cbs, sizeof(priv->pub.public_key_hash)))
                return 0;
-        memcpy(priv->fo_failure_secret, CBS_data(in),
+        memcpy(priv->fo_failure_secret, CBS_data(&cbs),
            sizeof(priv->fo_failure_secret));
-        if (!CBS_skip(in, sizeof(priv->fo_failure_secret)))
+        if (!CBS_skip(&cbs, sizeof(priv->fo_failure_secret)))
                return 0;
-        if (CBS_len(in) != 0)
+        if (CBS_len(&cbs) != 0)
                return 0;
        return 1;

diff --git a/src/lib/libcrypto/mlkem/mlkem1024.c b/src/lib/libcrypto/mlkem/mlkem1024.c index ce6f26e66c..04e106299a 100644 --- a/src/lib/libcrypto/mlkem/mlkem1024.c +++ b/src/lib/libcrypto/mlkem/mlkem1024.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: mlkem1024.c,v 1.7 2025/05/03 08:39:33 tb Exp $ */	1	/* $OpenBSD: mlkem1024.c,v 1.8 2025/05/19 06:47:40 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2024, Google Inc.	3	* Copyright (c) 2024, Google Inc.
4	* Copyright (c) 2024, Bob Beck <beck@obtuse.com>	4	* Copyright (c) 2024, Bob Beck <beck@obtuse.com>
@@ -819,7 +819,7 @@ private_key_1024_from_external(const struct MLKEM1024_private_key *external)
819	* Calls \|MLKEM1024_generate_key_external_entropy\| with random bytes from	819	* Calls \|MLKEM1024_generate_key_external_entropy\| with random bytes from
820	* \|RAND_bytes\|.	820	* \|RAND_bytes\|.
821	*/	821	*/
822	void	822	int
823	MLKEM1024_generate_key(uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],	823	MLKEM1024_generate_key(uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
824	uint8_t optional_out_seed[MLKEM_SEED_BYTES],	824	uint8_t optional_out_seed[MLKEM_SEED_BYTES],
825	struct MLKEM1024_private_key *out_private_key)	825	struct MLKEM1024_private_key *out_private_key)
@@ -829,7 +829,7 @@ MLKEM1024_generate_key(uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES
829	entropy_buf;	829	entropy_buf;
830		830
831	arc4random_buf(entropy, MLKEM_SEED_BYTES);	831	arc4random_buf(entropy, MLKEM_SEED_BYTES);
832	MLKEM1024_generate_key_external_entropy(out_encoded_public_key,	832	return MLKEM1024_generate_key_external_entropy(out_encoded_public_key,
833	out_private_key, entropy);	833	out_private_key, entropy);
834	}	834	}
835	LCRYPTO_ALIAS(MLKEM1024_generate_key);	835	LCRYPTO_ALIAS(MLKEM1024_generate_key);
@@ -843,10 +843,8 @@ MLKEM1024_private_key_from_seed(struct MLKEM1024_private_key *out_private_key,
843	if (seed_len != MLKEM_SEED_BYTES) {	843	if (seed_len != MLKEM_SEED_BYTES) {
844	return 0;	844	return 0;
845	}	845	}
846	MLKEM1024_generate_key_external_entropy(public_key_bytes,	846	return MLKEM1024_generate_key_external_entropy(public_key_bytes,
847	out_private_key, seed);	847	out_private_key, seed);
848
849	return 1;
850	}	848	}
851	LCRYPTO_ALIAS(MLKEM1024_private_key_from_seed);	849	LCRYPTO_ALIAS(MLKEM1024_private_key_from_seed);
852		850
@@ -865,7 +863,7 @@ mlkem_marshal_public_key(CBB out, const struct public_key pub)
865	return 1;	863	return 1;
866	}	864	}
867		865
868	void	866	int
869	MLKEM1024_generate_key_external_entropy(	867	MLKEM1024_generate_key_external_entropy(
870	uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],	868	uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
871	struct MLKEM1024_private_key *out_private_key,	869	struct MLKEM1024_private_key *out_private_key,
@@ -879,7 +877,9 @@ MLKEM1024_generate_key_external_entropy(
879	uint8_t hashed[64];	877	uint8_t hashed[64];
880	vector error;	878	vector error;
881	CBB cbb;	879	CBB cbb;
		880	int ret = 0;
882		881
		882	memset(&cbb, 0, sizeof(CBB));
883	memcpy(augmented_seed, entropy, 32);	883	memcpy(augmented_seed, entropy, 32);
884	augmented_seed[32] = RANK1024;	884	augmented_seed[32] = RANK1024;
885	hash_g(hashed, augmented_seed, 33);	885	hash_g(hashed, augmented_seed, 33);
@@ -894,16 +894,23 @@ MLKEM1024_generate_key_external_entropy(
894	matrix_mult_transpose(&priv->pub.t, &priv->pub.m, &priv->s);	894	matrix_mult_transpose(&priv->pub.t, &priv->pub.m, &priv->s);
895	vector_add(&priv->pub.t, &error);	895	vector_add(&priv->pub.t, &error);
896		896
897	/* XXX - error checking. */	897	if (!CBB_init_fixed(&cbb, out_encoded_public_key,
898	CBB_init_fixed(&cbb, out_encoded_public_key, MLKEM1024_PUBLIC_KEY_BYTES);	898	MLKEM1024_PUBLIC_KEY_BYTES))
899	if (!mlkem_marshal_public_key(&cbb, &priv->pub)) {	899	goto err;
900	abort();	900
901	}	901	if (!mlkem_marshal_public_key(&cbb, &priv->pub))
902	CBB_cleanup(&cbb);	902	goto err;
903		903
904	hash_h(priv->pub.public_key_hash, out_encoded_public_key,	904	hash_h(priv->pub.public_key_hash, out_encoded_public_key,
905	MLKEM1024_PUBLIC_KEY_BYTES);	905	MLKEM1024_PUBLIC_KEY_BYTES);
906	memcpy(priv->fo_failure_secret, entropy + 32, 32);	906	memcpy(priv->fo_failure_secret, entropy + 32, 32);
		907
		908	ret = 1;
		909
		910	err:
		911	CBB_cleanup(&cbb);
		912
		913	return ret;
907	}	914	}
908		915
909	void	916	void
@@ -1049,11 +1056,26 @@ MLKEM1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
1049	LCRYPTO_ALIAS(MLKEM1024_decap);	1056	LCRYPTO_ALIAS(MLKEM1024_decap);
1050		1057
1051	int	1058	int
1052	MLKEM1024_marshal_public_key(CBB *out,	1059	MLKEM1024_marshal_public_key(uint8_t *output, size_t output_len,
1053	const struct MLKEM1024_public_key *public_key)	1060	const struct MLKEM1024_public_key *public_key)
1054	{	1061	{
1055	return mlkem_marshal_public_key(out,	1062	int ret = 0;
1056	public_key_1024_from_external(public_key));	1063	CBB cbb;
		1064
		1065	if (!CBB_init(&cbb, MLKEM768_PUBLIC_KEY_BYTES))
		1066	goto err;
		1067	if (!mlkem_marshal_public_key(&cbb,
		1068	public_key_1024_from_external(public_key)))
		1069	goto err;
		1070	if (!CBB_finish(&cbb, output, output_len))
		1071	goto err;
		1072
		1073	ret = 1;
		1074
		1075	err:
		1076	CBB_cleanup(&cbb);
		1077
		1078	return ret;
1057	}	1079	}
1058	LCRYPTO_ALIAS(MLKEM1024_marshal_public_key);	1080	LCRYPTO_ALIAS(MLKEM1024_marshal_public_key);
1059		1081
@@ -1078,16 +1100,19 @@ mlkem_parse_public_key_no_hash(struct public_key pub, CBS in)
1078	}	1100	}
1079		1101
1080	int	1102	int
1081	MLKEM1024_parse_public_key(struct MLKEM1024_public_key public_key, CBS in)	1103	MLKEM1024_parse_public_key(struct MLKEM1024_public_key *public_key,
		1104	const uint8_t *input, size_t input_len)
1082	{	1105	{
1083	struct public_key *pub = public_key_1024_from_external(public_key);	1106	struct public_key *pub = public_key_1024_from_external(public_key);
1084	CBS orig_in = *in;	1107	CBS cbs;
1085		1108
1086	if (!mlkem_parse_public_key_no_hash(pub, in) \|\|	1109	CBS_init(&cbs, input, input_len);
1087	CBS_len(in) != 0) {	1110	if (!mlkem_parse_public_key_no_hash(pub, &cbs) \|\|
		1111	CBS_len(&cbs) != 0) {
1088	return 0;	1112	return 0;
1089	}	1113	}
1090	hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in));	1114	hash_h(pub->public_key_hash, input, input_len);
		1115
1091	return 1;	1116	return 1;
1092	}	1117	}
1093	LCRYPTO_ALIAS(MLKEM1024_parse_public_key);	1118	LCRYPTO_ALIAS(MLKEM1024_parse_public_key);
@@ -1116,26 +1141,28 @@ MLKEM1024_marshal_private_key(CBB *out,
1116		1141
1117	int	1142	int
1118	MLKEM1024_parse_private_key(struct MLKEM1024_private_key *out_private_key,	1143	MLKEM1024_parse_private_key(struct MLKEM1024_private_key *out_private_key,
1119	CBS *in)	1144	const uint8_t *input, size_t input_len)
1120	{	1145	{
1121	struct private_key *const priv = private_key_1024_from_external(	1146	struct private_key *const priv = private_key_1024_from_external(
1122	out_private_key);	1147	out_private_key);
1123	CBS s_bytes;	1148	CBS cbs, s_bytes;
		1149
		1150	CBS_init(&cbs, input, input_len);
1124		1151
1125	if (!CBS_get_bytes(in, &s_bytes, kEncodedVectorSize) \|\|	1152	if (!CBS_get_bytes(&cbs, &s_bytes, kEncodedVectorSize) \|\|
1126	!vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime) \|\|	1153	!vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime) \|\|
1127	!mlkem_parse_public_key_no_hash(&priv->pub, in)) {	1154	!mlkem_parse_public_key_no_hash(&priv->pub, &cbs)) {
1128	return 0;	1155	return 0;
1129	}	1156	}
1130	memcpy(priv->pub.public_key_hash, CBS_data(in),	1157	memcpy(priv->pub.public_key_hash, CBS_data(&cbs),
1131	sizeof(priv->pub.public_key_hash));	1158	sizeof(priv->pub.public_key_hash));
1132	if (!CBS_skip(in, sizeof(priv->pub.public_key_hash)))	1159	if (!CBS_skip(&cbs, sizeof(priv->pub.public_key_hash)))
1133	return 0;	1160	return 0;
1134	memcpy(priv->fo_failure_secret, CBS_data(in),	1161	memcpy(priv->fo_failure_secret, CBS_data(&cbs),
1135	sizeof(priv->fo_failure_secret));	1162	sizeof(priv->fo_failure_secret));
1136	if (!CBS_skip(in, sizeof(priv->fo_failure_secret)))	1163	if (!CBS_skip(&cbs, sizeof(priv->fo_failure_secret)))
1137	return 0;	1164	return 0;
1138	if (CBS_len(in) != 0)	1165	if (CBS_len(&cbs) != 0)
1139	return 0;	1166	return 0;
1140		1167
1141	return 1;	1168	return 1;