HashML-DSA: REplace enum by define to pick pre-hash function

Currently we have an enum for the 12 different pre-hash functions for
HashML-DSA. This leads to problems in multi-level builds as we must only
define the enum once. Currently we work around this by guarding the enum
definition with a pre-processor conditional.
However, there is also a (theoretical) concern about the type of the enum
being implementation-defined in C90:
#537 (comment)

It seems cleaner to not use an enum here, but instead use #defines avoiding all
the above problems.
This commit implements that change.

We also eliminate the camel case hashAlg - that was inconsistent with the
remaining code base from the start.

Resolves
#591

Signed-off-by: Matthias J. Kannwischer <[email protected]>

Author: mkannwischer

mldsa/mldsa_native.c

@@ -163,7 +163,18 @@
 #undef MLD_API_MUST_CHECK_RETURN_VALUE
 #undef MLD_API_NAMESPACE
 #undef MLD_H
-#undef MLD_PRE_HASH_ENUM
+#undef MLD_PREHASH_SHA2_224
+#undef MLD_PREHASH_SHA2_256
+#undef MLD_PREHASH_SHA2_384
+#undef MLD_PREHASH_SHA2_512
+#undef MLD_PREHASH_SHA2_512_224
+#undef MLD_PREHASH_SHA2_512_256
+#undef MLD_PREHASH_SHA3_224
+#undef MLD_PREHASH_SHA3_256
+#undef MLD_PREHASH_SHA3_384
+#undef MLD_PREHASH_SHA3_512
+#undef MLD_PREHASH_SHAKE_128
+#undef MLD_PREHASH_SHAKE_256
 #undef crypto_sign
 #undef crypto_sign_keypair
 #undef crypto_sign_open
@@ -284,6 +295,18 @@
 #undef mld_power2round
 #undef mld_use_hint
 /* mldsa/src/sign.h */
+#undef MLD_PREHASH_SHA2_224
+#undef MLD_PREHASH_SHA2_256
+#undef MLD_PREHASH_SHA2_384
+#undef MLD_PREHASH_SHA2_512
+#undef MLD_PREHASH_SHA2_512_224
+#undef MLD_PREHASH_SHA2_512_256
+#undef MLD_PREHASH_SHA3_224
+#undef MLD_PREHASH_SHA3_256
+#undef MLD_PREHASH_SHA3_384
+#undef MLD_PREHASH_SHA3_512
+#undef MLD_PREHASH_SHAKE_128
+#undef MLD_PREHASH_SHAKE_256
 #undef MLD_SIGN_H
 #undef crypto_sign
 #undef crypto_sign_keypair

mldsa/mldsa_native.h

@@ -422,27 +422,20 @@ int MLD_API_NAMESPACE(open)(
     const uint8_t pk[MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)]);
 
 /*************************************************
- * Hash algorithm enumeration for pre-hash functions
+ * Hash algorithm constants for pre-hash functions
  **************************************************/
-#ifndef MLD_PRE_HASH_ENUM
-#define MLD_PRE_HASH_ENUM
-typedef enum
-{
-  MLD_SHA2_224,
-  MLD_SHA2_256,
-  MLD_SHA2_384,
-  MLD_SHA2_512,
-  MLD_SHA2_512_224,
-  MLD_SHA2_512_256,
-  MLD_SHA3_224,
-  MLD_SHA3_256,
-  MLD_SHA3_384,
-  MLD_SHA3_512,
-  MLD_SHAKE_128,
-  MLD_SHAKE_256
-} mld_hash_alg_t;
-
-#endif /* !MLD_PRE_HASH_ENUM */
+#define MLD_PREHASH_SHA2_224 1
+#define MLD_PREHASH_SHA2_256 2
+#define MLD_PREHASH_SHA2_384 3
+#define MLD_PREHASH_SHA2_512 4
+#define MLD_PREHASH_SHA2_512_224 5
+#define MLD_PREHASH_SHA2_512_256 6
+#define MLD_PREHASH_SHA3_224 7
+#define MLD_PREHASH_SHA3_256 8
+#define MLD_PREHASH_SHA3_384 9
+#define MLD_PREHASH_SHA3_512 10
+#define MLD_PREHASH_SHAKE_128 11
+#define MLD_PREHASH_SHAKE_256 12
 
 /*************************************************
  * Name:        crypto_sign_signature_pre_hash_internal
@@ -462,12 +455,13 @@ typedef enum
  *                               random seed
  *     - const uint8_t sk[MLDSA_SECRETKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)]:
  *                               bit-packed secret key
- *     - mld_hash_alg_t hashAlg: hash algorithm enumeration
+ *     - int hashalg:            hash algorithm constant (one of MLD_PREHASH_*)
  *
- * The supported hash functions are: "SHA2-224", "SHA2-256", "SHA2-384",
- *                                   "SHA2-512", "SHA2-512/224", "SHA2-512/256",
- *                                   "SHA3-224", "SHA3-256", "SHA3-384",
- *                                   "SHA3-512", "SHAKE-128", "SHAKE-256"
+ * Supported hash algorithm constants:
+ *   MLD_PREHASH_SHA2_224, MLD_PREHASH_SHA2_256, MLD_PREHASH_SHA2_384,
+ *   MLD_PREHASH_SHA2_512, MLD_PREHASH_SHA2_512_224, MLD_PREHASH_SHA2_512_256,
+ *   MLD_PREHASH_SHA3_224, MLD_PREHASH_SHA3_256, MLD_PREHASH_SHA3_384,
+ *   MLD_PREHASH_SHA3_512, MLD_PREHASH_SHAKE_128, MLD_PREHASH_SHAKE_256
  *
  * Warning: This is an unstable API that may change in the future. If you need
  * a stable API use crypto_sign_signature_pre_hash_shake256.
@@ -481,7 +475,7 @@ int MLD_API_NAMESPACE(signature_pre_hash_internal)(
     const uint8_t *ph, size_t phlen, const uint8_t *ctx, size_t ctxlen,
     const uint8_t rnd[MLDSA_RNDBYTES],
     const uint8_t sk[MLDSA_SECRETKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)],
-    mld_hash_alg_t hashAlg);
+    int hashalg);
 
 /*************************************************
  * Name:        crypto_sign_verify_pre_hash_internal
@@ -498,12 +492,13 @@ int MLD_API_NAMESPACE(signature_pre_hash_internal)(
  *     - size_t ctxlen:          length of context string
  *     - const uint8_t pk[MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)]:
  *                               bit-packed public key
- *     - mld_hash_alg_t hashAlg: hash algorithm enumeration
+ *     - int hashalg:            hash algorithm constant (one of MLD_PREHASH_*)
  *
- * The supported hash functions are: "SHA2-224", "SHA2-256", "SHA2-384",
- *                                   "SHA2-512", "SHA2-512/224", "SHA2-512/256",
- *                                   "SHA3-224", "SHA3-256", "SHA3-384",
- *                                   "SHA3-512", "SHAKE-128", "SHAKE-256"
+ * Supported hash algorithm constants:
+ *   MLD_PREHASH_SHA2_224, MLD_PREHASH_SHA2_256, MLD_PREHASH_SHA2_384,
+ *   MLD_PREHASH_SHA2_512, MLD_PREHASH_SHA2_512_224, MLD_PREHASH_SHA2_512_256,
+ *   MLD_PREHASH_SHA3_224, MLD_PREHASH_SHA3_256, MLD_PREHASH_SHA3_384,
+ *   MLD_PREHASH_SHA3_512, MLD_PREHASH_SHAKE_128, MLD_PREHASH_SHAKE_256
  *
  * Warning: This is an unstable API that may change in the future. If you need
  * a stable API use crypto_sign_verify_pre_hash_shake256.
@@ -515,7 +510,7 @@ int MLD_API_NAMESPACE(verify_pre_hash_internal)(
     const uint8_t *sig, size_t siglen, const uint8_t *ph, size_t phlen,
     const uint8_t *ctx, size_t ctxlen,
     const uint8_t pk[MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)],
-    mld_hash_alg_t hashAlg);
+    int hashalg);
 
 /*************************************************
  * Name:        crypto_sign_signature_pre_hash_shake256

mldsa/src/prehash.c

@@ -15,91 +15,90 @@
  * Description: Returns the OID of a given SHA-2/SHA-3 hash function.
  *
  * Arguments:   - uint8_t oid[11]: pointer to output oid
- *              - mld_hash_alg_t hashAlg: hash algorithm enumeration
+ *              - int hashalg: hash algorithm constant (MLD_PREHASH_*)
  *
- **************************************************/
-static void mld_get_hash_oid(uint8_t oid[MLD_PRE_HASH_OID_LEN],
-                             mld_hash_alg_t hashAlg)
+ ***************************************************/
+static void mld_get_hash_oid(uint8_t oid[MLD_PRE_HASH_OID_LEN], int hashalg)
 {
   unsigned int i;
   static const struct
   {
-    mld_hash_alg_t alg;
+    int alg;
     uint8_t oid[MLD_PRE_HASH_OID_LEN];
   } oid_map[] = {
-      {MLD_SHA2_224,
+      {MLD_PREHASH_SHA2_224,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}},
-      {MLD_SHA2_256,
+      {MLD_PREHASH_SHA2_256,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}},
-      {MLD_SHA2_384,
+      {MLD_PREHASH_SHA2_384,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}},
-      {MLD_SHA2_512,
+      {MLD_PREHASH_SHA2_512,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}},
-      {MLD_SHA2_512_224,
+      {MLD_PREHASH_SHA2_512_224,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x05}},
-      {MLD_SHA2_512_256,
+      {MLD_PREHASH_SHA2_512_256,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x06}},
-      {MLD_SHA3_224,
+      {MLD_PREHASH_SHA3_224,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x07}},
-      {MLD_SHA3_256,
+      {MLD_PREHASH_SHA3_256,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x08}},
-      {MLD_SHA3_384,
+      {MLD_PREHASH_SHA3_384,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x09}},
-      {MLD_SHA3_512,
+      {MLD_PREHASH_SHA3_512,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0A}},
-      {MLD_SHAKE_128,
+      {MLD_PREHASH_SHAKE_128,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0B}},
-      {MLD_SHAKE_256,
+      {MLD_PREHASH_SHAKE_256,
        {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0C}}};
 
   for (i = 0; i < sizeof(oid_map) / sizeof(oid_map[0]); i++)
   __loop__(
     invariant(i <= sizeof(oid_map) / sizeof(oid_map[0]))
   )
   {
-    if (oid_map[i].alg == hashAlg)
+    if (oid_map[i].alg == hashalg)
     {
       mld_memcpy(oid, oid_map[i].oid, MLD_PRE_HASH_OID_LEN);
       return;
     }
   }
 }
 
-int mld_validate_hash_length(mld_hash_alg_t hashAlg, size_t len)
+int mld_validate_hash_length(int hashalg, size_t len)
 {
-  switch (hashAlg)
+  switch (hashalg)
   {
-    case MLD_SHA2_224:
+    case MLD_PREHASH_SHA2_224:
       return (len == 224 / 8) ? 0 : -1;
-    case MLD_SHA2_256:
+    case MLD_PREHASH_SHA2_256:
       return (len == 256 / 8) ? 0 : -1;
-    case MLD_SHA2_384:
+    case MLD_PREHASH_SHA2_384:
       return (len == 384 / 8) ? 0 : -1;
-    case MLD_SHA2_512:
+    case MLD_PREHASH_SHA2_512:
       return (len == 512 / 8) ? 0 : -1;
-    case MLD_SHA2_512_224:
+    case MLD_PREHASH_SHA2_512_224:
       return (len == 224 / 8) ? 0 : -1;
-    case MLD_SHA2_512_256:
+    case MLD_PREHASH_SHA2_512_256:
       return (len == 256 / 8) ? 0 : -1;
-    case MLD_SHA3_224:
+    case MLD_PREHASH_SHA3_224:
       return (len == 224 / 8) ? 0 : -1;
-    case MLD_SHA3_256:
+    case MLD_PREHASH_SHA3_256:
       return (len == 256 / 8) ? 0 : -1;
-    case MLD_SHA3_384:
+    case MLD_PREHASH_SHA3_384:
       return (len == 384 / 8) ? 0 : -1;
-    case MLD_SHA3_512:
+    case MLD_PREHASH_SHA3_512:
       return (len == 512 / 8) ? 0 : -1;
-    case MLD_SHAKE_128:
+    case MLD_PREHASH_SHAKE_128:
       return (len == 256 / 8) ? 0 : -1;
-    case MLD_SHAKE_256:
+    case MLD_PREHASH_SHAKE_256:
       return (len == 512 / 8) ? 0 : -1;
   }
   return -1;
 }
 
 size_t mld_format_pre_hash_message(
     uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES], const uint8_t *ph,
-    size_t phlen, const uint8_t *ctx, size_t ctxlen, mld_hash_alg_t hashAlg)
+    size_t phlen, const uint8_t *ctx, size_t ctxlen, int hashalg)
 {
   /* Format: 0x01 || ctxlen (1 byte) || ctx || oid (11 bytes) || ph */
   fmsg[0] = 1;
@@ -112,7 +111,7 @@ size_t mld_format_pre_hash_message(
   }
 
   /* Write OID */
-  mld_get_hash_oid(fmsg + 2 + ctxlen, hashAlg);
+  mld_get_hash_oid(fmsg + 2 + ctxlen, hashalg);
 
   /* Copy pre-hash */
   mld_memcpy(fmsg + 2 + ctxlen + MLD_PRE_HASH_OID_LEN, ph, phlen);

mldsa/src/prehash.h

@@ -22,15 +22,15 @@
  * Description: Validates that the given hash length matches the expected
  *              length for the given hash algorithm.
  *
- * Arguments:   - mld_hash_alg_t hashAlg: hash algorithm enumeration
+ * Arguments:   - int hashalg: hash algorithm constant (MLD_PREHASH_*)
  *              - size_t len: Hash length to be checked
  *
  * Returns 0 if hash algorithm is known and the hash length matches
  * and -1 otherwise.
  **************************************************/
 MLD_MUST_CHECK_RETURN_VALUE
 MLD_INTERNAL_API
-int mld_validate_hash_length(mld_hash_alg_t hashAlg, size_t len);
+int mld_validate_hash_length(int hashalg, size_t len);
 
 #define mld_format_pre_hash_message MLD_NAMESPACE(format_pre_hash_message)
 /*************************************************
@@ -45,13 +45,13 @@ int mld_validate_hash_length(mld_hash_alg_t hashAlg, size_t len);
  *              - size_t phlen: length of pre-hashed message
  *              - const uint8_t *ctx: pointer to context string (may be NULL)
  *              - size_t ctxlen: length of context string
- *              - mld_hash_alg_t hashAlg: hash algorithm enumeration
+ *              - int hashalg: hash algorithm constant (MLD_PREHASH_*)
  *
  * Returns the total length of the formatted message (2 + ctxlen + 11 + phlen).
  **************************************************/
 MLD_INTERNAL_API
 size_t mld_format_pre_hash_message(
     uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES], const uint8_t *ph,
-    size_t phlen, const uint8_t *ctx, size_t ctxlen, mld_hash_alg_t hashAlg);
+    size_t phlen, const uint8_t *ctx, size_t ctxlen, int hashalg);
 
 #endif /* !MLD_PREHASH_H */

mldsa/src/sign.c

@@ -887,7 +887,7 @@ MLD_EXTERNAL_API
 int crypto_sign_signature_pre_hash_internal(
     uint8_t sig[CRYPTO_BYTES], size_t *siglen, const uint8_t *ph, size_t phlen,
     const uint8_t *ctx, size_t ctxlen, const uint8_t rnd[MLDSA_RNDBYTES],
-    const uint8_t sk[CRYPTO_SECRETKEYBYTES], mld_hash_alg_t hashAlg)
+    const uint8_t sk[CRYPTO_SECRETKEYBYTES], int hashalg)
 {
   MLD_ALIGN uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES];
   size_t fmsg_len;
@@ -899,13 +899,13 @@ int crypto_sign_signature_pre_hash_internal(
     return -1;
   }
 
-  if (mld_validate_hash_length(hashAlg, phlen))
+  if (mld_validate_hash_length(hashalg, phlen))
   {
     *siglen = 0;
     return -1;
   }
 
-  fmsg_len = mld_format_pre_hash_message(fmsg, ph, phlen, ctx, ctxlen, hashAlg);
+  fmsg_len = mld_format_pre_hash_message(fmsg, ph, phlen, ctx, ctxlen, hashalg);
 
   result = crypto_sign_signature_internal(sig, siglen, fmsg, fmsg_len, NULL, 0,
                                           rnd, sk, 0);
@@ -919,7 +919,7 @@ MLD_EXTERNAL_API
 int crypto_sign_verify_pre_hash_internal(
     const uint8_t *sig, size_t siglen, const uint8_t *ph, size_t phlen,
     const uint8_t *ctx, size_t ctxlen, const uint8_t pk[CRYPTO_PUBLICKEYBYTES],
-    mld_hash_alg_t hashAlg)
+    int hashalg)
 {
   MLD_ALIGN uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES];
   size_t fmsg_len;
@@ -930,12 +930,12 @@ int crypto_sign_verify_pre_hash_internal(
     return -1;
   }
 
-  if (mld_validate_hash_length(hashAlg, phlen))
+  if (mld_validate_hash_length(hashalg, phlen))
   {
     return -1;
   }
 
-  fmsg_len = mld_format_pre_hash_message(fmsg, ph, phlen, ctx, ctxlen, hashAlg);
+  fmsg_len = mld_format_pre_hash_message(fmsg, ph, phlen, ctx, ctxlen, hashalg);
 
   result =
       crypto_sign_verify_internal(sig, siglen, fmsg, fmsg_len, NULL, 0, pk, 0);
@@ -955,7 +955,7 @@ int crypto_sign_signature_pre_hash_shake256(
   int result;
   mld_shake256(ph, sizeof(ph), m, mlen);
   result = crypto_sign_signature_pre_hash_internal(
-      sig, siglen, ph, sizeof(ph), ctx, ctxlen, rnd, sk, MLD_SHAKE_256);
+      sig, siglen, ph, sizeof(ph), ctx, ctxlen, rnd, sk, MLD_PREHASH_SHAKE_256);
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
   mld_zeroize(ph, sizeof(ph));
   return result;
@@ -970,8 +970,8 @@ int crypto_sign_verify_pre_hash_shake256(
   MLD_ALIGN uint8_t ph[64];
   int result;
   mld_shake256(ph, sizeof(ph), m, mlen);
-  result = crypto_sign_verify_pre_hash_internal(sig, siglen, ph, sizeof(ph),
-                                                ctx, ctxlen, pk, MLD_SHAKE_256);
+  result = crypto_sign_verify_pre_hash_internal(
+      sig, siglen, ph, sizeof(ph), ctx, ctxlen, pk, MLD_PREHASH_SHAKE_256);
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
   mld_zeroize(ph, sizeof(ph));
   return result;