Support non-empty context strings in ML-DSA EVP sign/verify

Plumb FIPS 204 context strings through the EVP_DigestSign/EVP_DigestVerify
code path for ML-DSA. The lower-level ml_dsa_*_sign/verify functions already
accept ctx_string parameters but they were hardcoded to (NULL, 0) in the
EVP layer.

Changes:
- Extend PQDSA_PKEY_CTX with a context[255] buffer and context_len
- Add pkey_pqdsa_ctrl handling EVP_PKEY_CTRL_SIGNING_CONTEXT and
  EVP_PKEY_CTRL_GET_SIGNING_CONTEXT (reusing the existing generic
  EVP_PKEY_CTX_set_signature_context API from Ed25519ph)
- Add pkey_pqdsa_copy to support EVP_PKEY_CTX_dup with context state
- Pass dctx->context/context_len to pqdsa_sign_message and
  pqdsa_verify_message instead of NULL, 0
- Update Wycheproof test helpers to use EVP_PKEY_CTX_set_signature_context
  via EVP_DigestSign/Verify instead of manually computing ExternalMu
- Add ContextString unit test covering: round-trip sign+verify with context,
  mismatched context failure, empty-context backward compatibility,
  >255 byte rejection, and max-length (255 byte) acceptance

All three ML-DSA variants (44, 65, 87) are covered. Default behavior
(empty context string) is unchanged.

Author: Ubuntu

crypto/evp_extra/p_pqdsa_test.cc

@@ -2061,6 +2061,92 @@ TEST_P(PQDSAParameterTest, SIGOperations) {
   md_ctx_verify.Reset();
 }
 
+TEST_P(PQDSAParameterTest, ContextString) {
+  // ---- 1. Setup: generate key pair ----
+  bssl::UniquePtr<EVP_PKEY> pkey(generate_key_pair(GetParam().nid));
+  ASSERT_TRUE(pkey);
+
+  std::vector<uint8_t> msg = {0x48, 0x65, 0x6c, 0x6c, 0x6f};  // "Hello"
+  uint8_t ctx_bytes[] = {0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74};  // "Context"
+
+  // ---- 2. Sign with context, verify with same context ----
+  bssl::ScopedEVP_MD_CTX md_ctx;
+  EVP_PKEY_CTX *pkey_ctx = nullptr;
+  ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, nullptr, nullptr,
+                                 pkey.get()));
+  ASSERT_TRUE(EVP_PKEY_CTX_set_signature_context(pkey_ctx, ctx_bytes,
+                                                  sizeof(ctx_bytes)));
+
+  size_t sig_len = 0;
+  ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), nullptr, &sig_len, msg.data(),
+                             msg.size()));
+  std::vector<uint8_t> sig(sig_len);
+  ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), sig.data(), &sig_len, msg.data(),
+                             msg.size()));
+
+  bssl::ScopedEVP_MD_CTX md_ctx_verify;
+  EVP_PKEY_CTX *verify_pkey_ctx = nullptr;
+  ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx_verify.get(), &verify_pkey_ctx,
+                                   nullptr, nullptr, pkey.get()));
+  ASSERT_TRUE(EVP_PKEY_CTX_set_signature_context(verify_pkey_ctx, ctx_bytes,
+                                                  sizeof(ctx_bytes)));
+  ASSERT_TRUE(EVP_DigestVerify(md_ctx_verify.get(), sig.data(), sig_len,
+                               msg.data(), msg.size()));
+
+  // ---- 3. Mismatched context string causes verification failure ----
+  md_ctx_verify.Reset();
+  verify_pkey_ctx = nullptr;
+  uint8_t wrong_ctx[] = {0x57, 0x72, 0x6f, 0x6e, 0x67};  // "Wrong"
+  ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx_verify.get(), &verify_pkey_ctx,
+                                   nullptr, nullptr, pkey.get()));
+  ASSERT_TRUE(EVP_PKEY_CTX_set_signature_context(verify_pkey_ctx, wrong_ctx,
+                                                  sizeof(wrong_ctx)));
+  ASSERT_FALSE(EVP_DigestVerify(md_ctx_verify.get(), sig.data(), sig_len,
+                                msg.data(), msg.size()));
+
+  // ---- 4. Verify with no context fails for signature made with context ----
+  md_ctx_verify.Reset();
+  ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx_verify.get(), nullptr, nullptr,
+                                   nullptr, pkey.get()));
+  ASSERT_FALSE(EVP_DigestVerify(md_ctx_verify.get(), sig.data(), sig_len,
+                                msg.data(), msg.size()));
+
+  // ---- 5. Default (empty context) remains unchanged ----
+  md_ctx.Reset();
+  ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr,
+                                 pkey.get()));
+  std::vector<uint8_t> sig_no_ctx(sig_len);
+  size_t sig_no_ctx_len = sig_len;
+  ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), sig_no_ctx.data(), &sig_no_ctx_len,
+                             msg.data(), msg.size()));
+
+  md_ctx_verify.Reset();
+  ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx_verify.get(), nullptr, nullptr,
+                                   nullptr, pkey.get()));
+  ASSERT_TRUE(EVP_DigestVerify(md_ctx_verify.get(), sig_no_ctx.data(),
+                               sig_no_ctx_len, msg.data(), msg.size()));
+
+  // ---- 6. Context string > 255 bytes is rejected ----
+  md_ctx.Reset();
+  pkey_ctx = nullptr;
+  ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, nullptr, nullptr,
+                                 pkey.get()));
+  uint8_t long_ctx[256];
+  OPENSSL_memset(long_ctx, 0x41, sizeof(long_ctx));
+  ASSERT_FALSE(EVP_PKEY_CTX_set_signature_context(pkey_ctx, long_ctx,
+                                                   sizeof(long_ctx)));
+
+  // ---- 7. Max length context (255 bytes) is accepted ----
+  md_ctx.Reset();
+  pkey_ctx = nullptr;
+  ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, nullptr, nullptr,
+                                 pkey.get()));
+  uint8_t max_ctx[255];
+  OPENSSL_memset(max_ctx, 0x42, sizeof(max_ctx));
+  ASSERT_TRUE(EVP_PKEY_CTX_set_signature_context(pkey_ctx, max_ctx,
+                                                  sizeof(max_ctx)));
+}
+
 TEST_P(PQDSAParameterTest, ParsePublicKey) {
   // Test the example public key kPublicKey encodes correctly as kPublicKeySPKI
   // Public key version of d2i_PrivateKey as part of the EVPExtraTest Gtest
@@ -2551,125 +2637,47 @@ INSTANTIATE_TEST_SUITE_P(
       return params.param.name;
     });
 
-// ComputeMLDSAExternalMu formats |pk|, |ctx|, and |msg_ctx| to the ExternalMu
-// format expected by |EVP_PKEY_verify|. For more information, see the docstring
-// for |EVP_PKEY_verify|.
-//
-// It returns true on success and false on error.
-static bool ComputeMLDSAExternalMu(const std::vector<uint8_t> &pk,
-                                   const std::vector<uint8_t> &msg_ctx,
-                                   const std::vector<uint8_t> &msg,
-                                   std::vector<uint8_t> &mu_out) {
-  // Ensure |msg_ctx| <= 255 to be representable by a uint8
-  // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#algorithm.4
-  if (msg_ctx.size() > 255) {
-    return false;
-  }
-
-  // Compute tr = SHAKE256(pk)
-  // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#algorithm.8
-  std::vector<uint8_t> tr(64);
-  bssl::ScopedEVP_MD_CTX md_ctx_pk;
-  if (!EVP_DigestInit_ex(md_ctx_pk.get(), EVP_shake256(), nullptr) ||
-      !EVP_DigestUpdate(md_ctx_pk.get(), pk.data(), pk.size()) ||
-      !EVP_DigestFinalXOF(md_ctx_pk.get(), tr.data(), tr.size())) {
-    return false;
-  }
-
-  // Compute mu = SHAKE256(tr || 0 || |msg_ctx| || msg_ctx || M)
-  // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#subsection.5.3
-  mu_out.resize(64);
-  bssl::ScopedEVP_MD_CTX md_ctx_mu;
-  if (!EVP_DigestInit_ex(md_ctx_mu.get(), EVP_shake256(), nullptr) ||
-      !EVP_DigestUpdate(md_ctx_mu.get(), tr.data(), tr.size())) {
-    return false;
-  }
-
-  // Add 0 byte for "pure" mode, distinguished from "pre-hash" mode
-  // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#subsection.5.4
-  uint8_t zero = 0;
-  if (!EVP_DigestUpdate(md_ctx_mu.get(), &zero, 1)) {
-    return false;
-  }
-
-  // Add |msg_ctx|, msg_ctx, and msg, in that order
-  uint8_t ctx_len = static_cast<uint8_t>(msg_ctx.size());
-  if (!EVP_DigestUpdate(md_ctx_mu.get(), &ctx_len, 1)) {
-    return false;
-  }
-  if (!msg_ctx.empty() &&
-      !EVP_DigestUpdate(md_ctx_mu.get(), msg_ctx.data(), msg_ctx.size())) {
-    return false;
-  }
-  if (!EVP_DigestUpdate(md_ctx_mu.get(), msg.data(), msg.size()) ||
-      !EVP_DigestFinalXOF(md_ctx_mu.get(), mu_out.data(), mu_out.size())) {
-    return false;
-  }
-
-  return true;
-}
-
 // VerifyMLDSAWithContext verifies that |sig| is a valid signature for |msg|
-// with context |msg_ctx|. We need this wrapper because |EVP_DigestVerify| does
-// not support verification with contexts.
+// with context |msg_ctx| using the EVP_DigestVerify path with
+// EVP_PKEY_CTX_set_signature_context.
 //
 // It returns one on success and zero on error.
 static int VerifyMLDSAWithContext(EVP_PKEY *pkey,
                                   const std::vector<uint8_t> &pk,
                                   const std::vector<uint8_t> &sig,
                                   const std::vector<uint8_t> &msg,
                                   const std::vector<uint8_t> &msg_ctx) {
-  // If there's a non-empty context string, do ExternalMu verification
-  if (!msg_ctx.empty()) {
-    std::vector<uint8_t> mu;
-    if (!ComputeMLDSAExternalMu(pk, msg_ctx, msg, mu)) {
-      return 0;
-    }
-    bssl::UniquePtr<EVP_PKEY_CTX> pkey_ctx(EVP_PKEY_CTX_new(pkey, nullptr));
-    if (!pkey_ctx || !EVP_PKEY_verify_init(pkey_ctx.get())) {
-      return 0;
-    }
-    return EVP_PKEY_verify(pkey_ctx.get(), sig.data(), sig.size(), mu.data(),
-                           mu.size());
-  }
-
-  // Otherwise, do standard verification
   bssl::ScopedEVP_MD_CTX md_ctx;
-  if (!EVP_DigestVerifyInit(md_ctx.get(), nullptr, nullptr, nullptr, pkey)) {
+  EVP_PKEY_CTX *pkey_ctx = nullptr;
+  if (!EVP_DigestVerifyInit(md_ctx.get(), &pkey_ctx, nullptr, nullptr, pkey)) {
+    return 0;
+  }
+  if (!msg_ctx.empty() &&
+      !EVP_PKEY_CTX_set_signature_context(pkey_ctx, msg_ctx.data(),
+                                          msg_ctx.size())) {
     return 0;
   }
   return EVP_DigestVerify(md_ctx.get(), sig.data(), sig.size(), msg.data(),
                           msg.size());
 }
 
 // SignMLDSAWithContext produces a signature |sig| for message |msg| with
-// context |msg_ctx|. We need this wrapper because |EVP_DigestSign| does not
-// support signing with contexts.
+// context |msg_ctx| using the EVP_DigestSign path with
+// EVP_PKEY_CTX_set_signature_context.
 //
 // It returns one on success and zero on error.
 static int SignMLDSAWithContext(EVP_PKEY *pkey, std::vector<uint8_t> &sig,
                                 const std::vector<uint8_t> &pk,
                                 const std::vector<uint8_t> &msg,
                                 const std::vector<uint8_t> &msg_ctx) {
-  // If there's a non-empty context string, do ExternalMu signing
-  if (!msg_ctx.empty()) {
-    std::vector<uint8_t> mu;
-    if (!ComputeMLDSAExternalMu(pk, msg_ctx, msg, mu)) {
-      return 0;
-    }
-    bssl::UniquePtr<EVP_PKEY_CTX> pkey_ctx(EVP_PKEY_CTX_new(pkey, nullptr));
-    if (!pkey_ctx || !EVP_PKEY_sign_init(pkey_ctx.get())) {
-      return 0;
-    }
-
-    size_t sig_len = sig.size();
-    return EVP_PKEY_sign(pkey_ctx.get(), sig.data(), &sig_len, mu.data(),
-                         mu.size());
-  }
-
-  // Otherwise, do standard signing
   bssl::ScopedEVP_MD_CTX md_ctx;
-  if (!EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr, pkey)) {
+  EVP_PKEY_CTX *pkey_ctx = nullptr;
+  if (!EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, nullptr, nullptr, pkey)) {
+    return 0;
+  }
+  if (!msg_ctx.empty() &&
+      !EVP_PKEY_CTX_set_signature_context(pkey_ctx, msg_ctx.data(),
+                                          msg_ctx.size())) {
     return 0;
   }
   size_t sig_len = sig.size();

crypto/fipsmodule/evp/p_pqdsa.c

@@ -15,6 +15,8 @@
 
 typedef struct {
   const PQDSA *pqdsa;
+  uint8_t context[255];
+  size_t context_len;
 } PQDSA_PKEY_CTX;
 
 static int pkey_pqdsa_init(EVP_PKEY_CTX *ctx) {
@@ -33,6 +35,58 @@ static void pkey_pqdsa_cleanup(EVP_PKEY_CTX *ctx) {
   OPENSSL_free(ctx->data);
 }
 
+static int pkey_pqdsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
+  if (!pkey_pqdsa_init(dst)) {
+    return 0;
+  }
+
+  PQDSA_PKEY_CTX *dctx = dst->data;
+  PQDSA_PKEY_CTX *sctx = src->data;
+  GUARD_PTR(dctx);
+  GUARD_PTR(sctx);
+
+  dctx->pqdsa = sctx->pqdsa;
+  OPENSSL_memcpy(dctx->context, sctx->context, sizeof(sctx->context));
+  dctx->context_len = sctx->context_len;
+
+  return 1;
+}
+
+static int pkey_pqdsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
+  GUARD_PTR(ctx);
+  PQDSA_PKEY_CTX *dctx = (PQDSA_PKEY_CTX *)ctx->data;
+  switch (type) {
+    case EVP_PKEY_CTRL_SIGNING_CONTEXT: {
+      EVP_PKEY_CTX_SIGNATURE_CONTEXT_PARAMS *params = p2;
+      if (!params || !dctx || params->context_len > sizeof(dctx->context)) {
+        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+        return 0;
+      }
+      OPENSSL_memcpy(dctx->context, params->context, params->context_len);
+      dctx->context_len = params->context_len;
+      break;
+    }
+    case EVP_PKEY_CTRL_GET_SIGNING_CONTEXT: {
+      EVP_PKEY_CTX_SIGNATURE_CONTEXT_PARAMS *params = p2;
+      if (!params || !dctx) {
+        return 0;
+      }
+      if (dctx->context_len == 0) {
+        params->context = NULL;
+        params->context_len = 0;
+      } else {
+        params->context = dctx->context;
+        params->context_len = dctx->context_len;
+      }
+      return 1;
+    }
+    default:
+      OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+      return 0;
+  }
+  return 1;
+}
+
 static int pkey_pqdsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
   GUARD_PTR(ctx);
   PQDSA_PKEY_CTX *dctx = ctx->data;
@@ -108,7 +162,7 @@ static int pkey_pqdsa_sign_generic(EVP_PKEY_CTX *ctx, uint8_t *sig,
 
   // RAW sign mode
   if (!sign_digest) {
-    if (!pqdsa->method->pqdsa_sign_message(key->private_key, sig, sig_len, message, message_len, NULL, 0)) {
+    if (!pqdsa->method->pqdsa_sign_message(key->private_key, sig, sig_len, message, message_len, dctx->context_len > 0 ? dctx->context : NULL, dctx->context_len)) {
       OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
       return 0;
     }
@@ -187,7 +241,7 @@ static int pkey_pqdsa_verify_generic(EVP_PKEY_CTX *ctx, const uint8_t *sig,
   // RAW verify mode
   if(!verify_digest) {
     if (sig_len != pqdsa->signature_len ||
-    !pqdsa->method->pqdsa_verify_message(key->public_key, sig, sig_len, message, message_len, NULL, 0)) {
+    !pqdsa->method->pqdsa_verify_message(key->public_key, sig, sig_len, message, message_len, dctx->context_len > 0 ? dctx->context : NULL, dctx->context_len)) {
       OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_SIGNATURE);
       return 0;
     }
@@ -357,7 +411,7 @@ EVP_PKEY *EVP_PKEY_pqdsa_new_raw_private_key(int nid, const uint8_t *in, size_t
 DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_pqdsa_pkey_meth) {
   out->pkey_id = EVP_PKEY_PQDSA;
   out->init = pkey_pqdsa_init;
-  out->copy = NULL;
+  out->copy = pkey_pqdsa_copy;
   out->cleanup = pkey_pqdsa_cleanup;
   out->keygen = pkey_pqdsa_keygen;
   out->sign_init = NULL;
@@ -371,7 +425,7 @@ DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_pqdsa_pkey_meth) {
   out->decrypt = NULL;
   out->derive = NULL;
   out->paramgen = NULL;
-  out->ctrl = NULL;
+  out->ctrl = pkey_pqdsa_ctrl;
   out->ctrl_str = NULL;
   out->keygen_deterministic = NULL;
   out->encapsulate_deterministic = NULL;

include/openssl/evp.h

@@ -833,8 +833,10 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx,
 // be copied to an internal buffer allowing for the caller to free it
 // afterwards.
 //
-// EVP_PKEY_ED25519PH is the only key type that currently supports setting a
-// a signature context that is used in computing the HashEdDSA signature.
+// EVP_PKEY_ED25519PH and EVP_PKEY_PQDSA are the key types that currently
+// support setting a signature context. For Ed25519ph, the context is used in
+// computing the HashEdDSA signature. For ML-DSA (PQDSA), the context string is
+// used per FIPS 204 sections 5.2-5.3. The maximum context length is 255 bytes.
 //
 // It returns one on success or zero on error.
 OPENSSL_EXPORT int EVP_PKEY_CTX_set_signature_context(EVP_PKEY_CTX *ctx,
@@ -845,8 +847,8 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_signature_context(EVP_PKEY_CTX *ctx,
 // buffer containing the signing context octet string (which may be NULL) and
 // writes the length to |*context_len|.
 //
-// EVP_PKEY_ED25519PH is the only key type that currently supports retrieving a
-// a signature context that is used in computing the HashEdDSA signature.
+// EVP_PKEY_ED25519PH and EVP_PKEY_PQDSA are the key types that currently
+// support retrieving a signature context.
 //
 // It returns one on success or zero on error.
 OPENSSL_EXPORT int EVP_PKEY_CTX_get0_signature_context(EVP_PKEY_CTX *ctx,