Support all five EdDSA instances from RFC 8032

Fixes #6277

Description:
Make each of the five EdDSA instances defined in RFC 8032 -- Ed25519,
Ed25519ctx, Ed25519ph, Ed448, Ed448ph -- available via the EVP APIs.

The desired EdDSA instance is specified via an OSSL_PARAM.

All instances, except for Ed25519, allow context strings as input.
Context strings are passed via an OSSL_PARAM.  For Ed25519ctx, the
context string must be nonempty.

Ed25519, Ed25519ctx, Ed448 are PureEdDSA instances, which means that
the full message (not a digest) must be passed to sign and verify
operations.

Ed25519ph, Ed448ph are HashEdDSA instances, which means that the input
message is hashed before sign and verify.

Testing:
All 21 test vectors from RFC 8032 have been added to evppkey_ecx.txt
(thanks to Shane Lontis for showing how to do that).  Those 21 test
vectors are exercised by evp_test.c and cover all five instances.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19705)

crypto/ec/curve25519.c

@@ -5434,9 +5434,47 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
     s[31] = (uint8_t) (s11 >> 17);
 }
 
+static int hash_init_with_dom(EVP_MD_CTX *hash_ctx,
+                              EVP_MD *sha512,
+                              const uint8_t dom2flag,
+                              const uint8_t phflag,
+                              const uint8_t *context,
+                              const size_t context_len)
+{
+    /* ASCII: "SigEd25519 no Ed25519 collisions", in hex for EBCDIC compatibility */
+    const char dom_s[] =
+            "\x53\x69\x67\x45\x64\x32\x35\x35\x31\x39\x20\x6e"
+            "\x6f\x20\x45\x64\x32\x35\x35\x31\x39\x20\x63\x6f"
+            "\x6c\x6c\x69\x73\x69\x6f\x6e\x73";
+    uint8_t dom[2];
+
+    if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL))
+        return 0;
+
+    /* return early if dom2flag is not set */
+    if (!dom2flag)
+        return 1;
+
+    if (context_len > UINT8_MAX)
+        return 0;
+
+    dom[0] = (uint8_t)(phflag >= 1 ? 1 : 0);
+    dom[1] = (uint8_t)context_len;
+
+    if (!EVP_DigestUpdate(hash_ctx, dom_s, sizeof(dom_s)-1)
+        || !EVP_DigestUpdate(hash_ctx, dom, sizeof(dom))
+        || !EVP_DigestUpdate(hash_ctx, context, context_len)) {
+        return 0;
+    }
+
+    return 1;
+}
+
 int
-ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
+ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *tbs, size_t tbs_len,
                   const uint8_t public_key[32], const uint8_t private_key[32],
+                  const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag,
+                  const uint8_t *context, size_t context_len,
                   OSSL_LIB_CTX *libctx, const char *propq)
 {
     uint8_t az[SHA512_DIGEST_LENGTH];
@@ -5448,6 +5486,17 @@ ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
     unsigned int sz;
     int res = 0;
 
+    if (context == NULL)
+        context_len = 0;
+
+    /* if csflag is set, then a non-empty context-string is required */
+    if (csflag && context_len == 0)
+        goto err;
+
+    /* if dom2flag is not set, then an empty context-string is required */
+    if (!dom2flag && context_len > 0)
+        goto err;
+
     if (sha512 == NULL || hash_ctx == NULL)
         goto err;
 
@@ -5460,9 +5509,9 @@ ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
     az[31] &= 63;
     az[31] |= 64;
 
-    if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL)
+    if (!hash_init_with_dom(hash_ctx, sha512, dom2flag, phflag, context, context_len)
         || !EVP_DigestUpdate(hash_ctx, az + 32, 32)
-        || !EVP_DigestUpdate(hash_ctx, message, message_len)
+        || !EVP_DigestUpdate(hash_ctx, tbs, tbs_len)
         || !EVP_DigestFinal_ex(hash_ctx, nonce, &sz))
         goto err;
 
@@ -5470,10 +5519,10 @@ ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
     ge_scalarmult_base(&R, nonce);
     ge_p3_tobytes(out_sig, &R);
 
-    if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL)
+    if (!hash_init_with_dom(hash_ctx, sha512, dom2flag, phflag, context, context_len)
         || !EVP_DigestUpdate(hash_ctx, out_sig, 32)
         || !EVP_DigestUpdate(hash_ctx, public_key, 32)
-        || !EVP_DigestUpdate(hash_ctx, message, message_len)
+        || !EVP_DigestUpdate(hash_ctx, tbs, tbs_len)
         || !EVP_DigestFinal_ex(hash_ctx, hram, &sz))
         goto err;
 
@@ -5492,8 +5541,10 @@ err:
 static const char allzeroes[15];
 
 int
-ossl_ed25519_verify(const uint8_t *message, size_t message_len,
+ossl_ed25519_verify(const uint8_t *tbs, size_t tbs_len,
                     const uint8_t signature[64], const uint8_t public_key[32],
+                    const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag,
+                    const uint8_t *context, size_t context_len,
                     OSSL_LIB_CTX *libctx, const char *propq)
 {
     int i;
@@ -5512,6 +5563,17 @@ ossl_ed25519_verify(const uint8_t *message, size_t message_len,
         0xDE, 0xF9, 0xDE, 0x14
     };
 
+    if (context == NULL)
+        context_len = 0;
+
+    /* if csflag is set, then a non-empty context-string is required */
+    if (csflag && context_len == 0)
+        return 0;
+
+    /* if dom2flag is not set, then an empty context-string is required */
+    if (!dom2flag && context_len > 0)
+        return 0;
+
     r = signature;
     s = signature + 32;
 
@@ -5556,10 +5618,10 @@ ossl_ed25519_verify(const uint8_t *message, size_t message_len,
     if (hash_ctx == NULL)
         goto err;
 
-    if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL)
+    if (!hash_init_with_dom(hash_ctx, sha512, dom2flag, phflag, context, context_len)
         || !EVP_DigestUpdate(hash_ctx, r, 32)
         || !EVP_DigestUpdate(hash_ctx, public_key, 32)
-        || !EVP_DigestUpdate(hash_ctx, message, message_len)
+        || !EVP_DigestUpdate(hash_ctx, tbs, tbs_len)
         || !EVP_DigestFinal_ex(hash_ctx, h, &sz))
         goto err;
 
@@ -5570,6 +5632,14 @@ ossl_ed25519_verify(const uint8_t *message, size_t message_len,
     ge_tobytes(rcheck, &R);
 
     res = CRYPTO_memcmp(rcheck, r, sizeof(rcheck)) == 0;
+
+    /* note that we have used the strict verification equation here.
+     * we checked that  ENC( [h](-A) + [s]B ) == r
+     * B is the base point.
+     *
+     * the less strict verification equation uses the curve cofactor:
+     *          [h*8](-A) + [s*8]B == [8]R
+     */
 err:
     EVP_MD_free(sha512);
     EVP_MD_CTX_free(hash_ctx);

crypto/ec/curve448/curve448_local.h

@@ -10,15 +10,4 @@
 # define OSSL_CRYPTO_EC_CURVE448_LOCAL_H
 # include "curve448utils.h"
 
-int
-ossl_ed448ph_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t hash[64],
-                  const uint8_t public_key[57], const uint8_t private_key[57],
-                  const uint8_t *context, size_t context_len, const char *propq);
-
-int
-ossl_ed448ph_verify(OSSL_LIB_CTX *ctx, const uint8_t hash[64],
-                    const uint8_t signature[114], const uint8_t public_key[57],
-                    const uint8_t *context, size_t context_len,
-                    const char *propq);
-
 #endif              /* OSSL_CRYPTO_EC_CURVE448_LOCAL_H */

crypto/ec/curve448/eddsa.c

@@ -61,12 +61,8 @@ static c448_error_t hash_init_with_dom(OSSL_LIB_CTX *ctx, EVP_MD_CTX *hashctx,
                                        size_t context_len,
                                        const char *propq)
 {
-#ifdef CHARSET_EBCDIC
-    const char dom_s[] = {0x53, 0x69, 0x67, 0x45,
-                          0x64, 0x34, 0x34, 0x38, 0x00};
-#else
-    const char dom_s[] = "SigEd448";
-#endif
+    /* ASCII: "SigEd448", in hex for EBCDIC compatibility */
+    const char dom_s[] = "\x53\x69\x67\x45\x64\x34\x34\x38";
     uint8_t dom[2];
     EVP_MD *shake256 = NULL;
 
@@ -82,7 +78,7 @@ static c448_error_t hash_init_with_dom(OSSL_LIB_CTX *ctx, EVP_MD_CTX *hashctx,
         return C448_FAILURE;
 
     if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
-            || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
+            || !EVP_DigestUpdate(hashctx, dom_s, sizeof(dom_s)-1)
             || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
             || !EVP_DigestUpdate(hashctx, context, context_len)) {
         EVP_MD_free(shake256);
@@ -373,47 +369,29 @@ ossl_c448_ed448_verify_prehash(
 }
 
 int
-ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t *message,
-                size_t message_len, const uint8_t public_key[57],
-                const uint8_t private_key[57], const uint8_t *context,
-                size_t context_len, const char *propq)
+ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig,
+                const uint8_t *message, size_t message_len,
+                const uint8_t public_key[57], const uint8_t private_key[57],
+                const uint8_t *context, size_t context_len,
+                const uint8_t phflag, const char *propq)
 {
     return ossl_c448_ed448_sign(ctx, out_sig, private_key, public_key, message,
-                                message_len, 0, context, context_len,
+                                message_len, phflag, context, context_len,
                                 propq) == C448_SUCCESS;
 }
 
 int
-ossl_ed448_verify(OSSL_LIB_CTX *ctx, const uint8_t *message, size_t message_len,
+ossl_ed448_verify(OSSL_LIB_CTX *ctx,
+                  const uint8_t *message, size_t message_len,
                   const uint8_t signature[114], const uint8_t public_key[57],
-                  const uint8_t *context, size_t context_len, const char *propq)
+                  const uint8_t *context, size_t context_len,
+                  const uint8_t phflag, const char *propq)
 {
     return ossl_c448_ed448_verify(ctx, signature, public_key, message,
-                                  message_len, 0, context, (uint8_t)context_len,
+                                  message_len, phflag, context, (uint8_t)context_len,
                                   propq) == C448_SUCCESS;
 }
 
-int
-ossl_ed448ph_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t hash[64],
-                  const uint8_t public_key[57], const uint8_t private_key[57],
-                  const uint8_t *context, size_t context_len, const char *propq)
-{
-    return ossl_c448_ed448_sign_prehash(ctx, out_sig, private_key, public_key,
-                                        hash, context, context_len,
-                                        propq) == C448_SUCCESS;
-}
-
-int
-ossl_ed448ph_verify(OSSL_LIB_CTX *ctx, const uint8_t hash[64],
-                    const uint8_t signature[114], const uint8_t public_key[57],
-                    const uint8_t *context, size_t context_len,
-                    const char *propq)
-{
-    return ossl_c448_ed448_verify_prehash(ctx, signature, public_key, hash,
-                                          context, (uint8_t)context_len,
-                                          propq) == C448_SUCCESS;
-}
-
 int
 ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57],
                                const uint8_t private_key[57], const char *propq)

crypto/ec/ecx_meth.c

@@ -821,8 +821,10 @@ static int pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, unsigned char *sig,
         return 0;
     }
 
-    if (ossl_ed25519_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey, NULL,
-                          NULL) == 0)
+    if (ossl_ed25519_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey,
+                          0, 0, 0,
+                          NULL, 0,
+                          NULL, NULL) == 0)
         return 0;
     *siglen = ED25519_SIGSIZE;
     return 1;
@@ -849,7 +851,7 @@ static int pkey_ecd_digestsign448(EVP_MD_CTX *ctx, unsigned char *sig,
     }
 
     if (ossl_ed448_sign(edkey->libctx, sig, tbs, tbslen, edkey->pubkey,
-                        edkey->privkey, NULL, 0, edkey->propq) == 0)
+                        edkey->privkey, NULL, 0, 0, edkey->propq) == 0)
         return 0;
     *siglen = ED448_SIGSIZE;
     return 1;
@@ -870,6 +872,8 @@ static int pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, const unsigned char *sig,
         return 0;
 
     return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey,
+                               0, 0, 0,
+                               NULL, 0,
                                edkey->libctx, edkey->propq);
 }
 
@@ -888,7 +892,7 @@ static int pkey_ecd_digestverify448(EVP_MD_CTX *ctx, const unsigned char *sig,
         return 0;
 
     return ossl_ed448_verify(edkey->libctx, tbs, tbslen, sig, edkey->pubkey,
-                             NULL, 0, edkey->propq);
+                             NULL, 0, 0, edkey->propq);
 }
 
 static int pkey_ecd_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)

doc/man7/EVP_SIGNATURE-ED25519.pod

@@ -10,16 +10,65 @@ Ed448
 
 =head1 DESCRIPTION
 
-The B<Ed25519> and B<Ed448> EVP_PKEY implementation supports key generation,
-one-shot digest sign and digest verify using PureEdDSA and B<Ed25519> or B<Ed448>
-(see RFC8032). It has associated private and public key formats compatible with
-RFC 8410.
+The B<Ed25519> and B<Ed448> EVP_PKEY implementation supports key
+generation, one-shot digest-sign and digest-verify using the EdDSA
+signature scheme described in RFC 8032. It has associated private and
+public key formats compatible with RFC 8410.
+
+=head2 EdDSA Instances
+
+RFC 8032 describes five EdDSA instances: Ed25519, Ed25519ctx,
+Ed25519ph, Ed448, Ed448ph.
+
+The instances Ed25519, Ed25519ctx, Ed448 are referred to as B<PureEdDSA>
+schemes.  For these three instances, the sign and verify procedures
+require access to the complete message (not a digest of the message).
+
+The instances Ed25519ph, Ed448ph are referred to as B<HashEdDSA>
+schemes.  For these two instances, the sign and verify procedures do
+not require access to the complete message; they operate on a hash of
+the message.  For Ed25519ph, the hash function is SHA512.  For
+Ed448ph, the hash function is SHAKE256 with an output length of 512
+bits.
+
+The instances Ed25519ctx, Ed25519ph, Ed448, Ed448ph accept an optional
+B<context-string> as input to sign and verify operations (and for
+Ed25519ctx, the context-string must be nonempty).  For the Ed25519
+instance, a nonempty context-string is not permitted.
 
 =head2 ED25519 and ED448 Signature Parameters
 
-No additional parameters can be set during one-shot signing or verification.
-In particular, because PureEdDSA is used, a digest must B<NOT> be specified when
-signing or verifying.
+Two parameters can be set during signing or verification: the EdDSA
+B<instance name> and the B<context-string value>.  They can be set by
+passing an OSSL_PARAM array to EVP_DigestSignInit_ex().
+
+=over 4
+
+=item * "instance" (B<OSSL_SIGNATURE_PARAM_INSTANCE>) <utf8 string>
+
+One of the five strings "Ed25519", "Ed25519ctx", "Ed25519ph", "Ed448", "Ed448ph".
+
+"Ed25519", "Ed25519ctx", "Ed25519ph" are valid only for an Ed25519 EVP_PKEY.
+
+"Ed448", "Ed448ph" are valid only for an Ed448 EVP_PKEY.
+
+=item * "context-string" (B<OSSL_SIGNATURE_PARAM_CONTEXT_STRING>) <octet string>
+
+A string of octets with length at most 255.
+
+=back
+
+Both of these parameters are optional.
+
+If the instance name is not specified, then the default "Ed25519" or
+"Ed448" is used.
+
+If a context-string is not specified, then an empty context-string is
+used.
+
+Note that a message digest name must B<NOT> be specified when signing
+or verifying.
+
 See L<EVP_PKEY-X25519(7)> for information related to B<X25519> and B<X448> keys.
 
 The following signature parameters can be retrieved using
@@ -27,19 +76,26 @@ EVP_PKEY_CTX_get_params().
 
 =over 4
 
-=item "algorithm-id" (B<OSSL_SIGNATURE_PARAM_ALGORITHM_ID>) <octet string>
+=item * "algorithm-id" (B<OSSL_SIGNATURE_PARAM_ALGORITHM_ID>) <octet string>
 
-The parameters are described in L<provider-signature(7)>.
+=item * "instance" (B<OSSL_SIGNATURE_PARAM_INSTANCE>) <utf8 string>
+
+=item * "context-string" (B<OSSL_SIGNATURE_PARAM_CONTEXT_STRING>) <octet string>
 
 =back
 
+The parameters are described in L<provider-signature(7)>.
+
 =head1 NOTES
 
-The PureEdDSA algorithm does not support the streaming mechanism
-of other signature algorithms using, for example, EVP_DigestUpdate().
+The PureEdDSA instances do not support the streaming mechanism of
+other signature algorithms using, for example, EVP_DigestUpdate().
 The message to sign or verify must be passed using the one-shot
 EVP_DigestSign() and EVP_DigestVerify() functions.
 
+The HashEdDSA instances do not yet support the streaming mechanisms
+(so the one-shot functions must be used with HashEdDSA as well).
+
 When calling EVP_DigestSignInit() or EVP_DigestVerifyInit(), the
 digest I<type> parameter B<MUST> be set to NULL.
 
@@ -64,7 +120,7 @@ specified, then both Ed25519 and Ed448 are benchmarked.
 
 =head1 EXAMPLES
 
-To sign a message using a ED25519 or ED448 key:
+To sign a message using an ED25519 EVP_PKEY structure:
 
     void do_sign(EVP_PKEY *ed_key, unsigned char *msg, size_t msg_len)
     {
@@ -72,8 +128,16 @@ To sign a message using a ED25519 or ED448 key:
         unsigned char *sig = NULL;
         EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
 
-        EVP_DigestSignInit(md_ctx, NULL, NULL, NULL, ed_key);
-        /* Calculate the requires size for the signature by passing a NULL buffer */
+        const OSSL_PARAM params[] = {
+            OSSL_PARAM_utf8_string ("instance", "Ed25519ctx", 10),
+            OSSL_PARAM_octet_string("context-string", (unsigned char *)"A protocol defined context string", 33),
+            OSSL_PARAM_END
+        };
+
+        /* The input "params" is not needed if default options are acceptable.
+           Use NULL in place of "params" in that case. */
+        EVP_DigestSignInit_ex(md_ctx, NULL, NULL, NULL, NULL, ed_key, params);
+        /* Calculate the required size for the signature by passing a NULL buffer. */
         EVP_DigestSign(md_ctx, NULL, &sig_len, msg, msg_len);
         sig = OPENSSL_zalloc(sig_len);
 

include/crypto/ecx.h

@@ -97,27 +97,33 @@ ossl_ed25519_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[32],
                                  const uint8_t private_key[32],
                                  const char *propq);
 int
-ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
+ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *tbs, size_t tbs_len,
                   const uint8_t public_key[32], const uint8_t private_key[32],
+                  const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag,
+                  const uint8_t *context, size_t context_len,
                   OSSL_LIB_CTX *libctx, const char *propq);
 int
-ossl_ed25519_verify(const uint8_t *message, size_t message_len,
+ossl_ed25519_verify(const uint8_t *tbs, size_t tbs_len,
                     const uint8_t signature[64], const uint8_t public_key[32],
+                    const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag,
+                    const uint8_t *context, size_t context_len,
                     OSSL_LIB_CTX *libctx, const char *propq);
-
 int
 ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57],
                                const uint8_t private_key[57], const char *propq);
 int
-ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t *message,
-                size_t message_len, const uint8_t public_key[57],
-                const uint8_t private_key[57], const uint8_t *context,
-                size_t context_len, const char *propq);
+ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig,
+                const uint8_t *message, size_t message_len,
+                const uint8_t public_key[57], const uint8_t private_key[57],
+                const uint8_t *context, size_t context_len,
+                const uint8_t phflag, const char *propq);
 
 int
-ossl_ed448_verify(OSSL_LIB_CTX *ctx, const uint8_t *message, size_t message_len,
+ossl_ed448_verify(OSSL_LIB_CTX *ctx,
+                  const uint8_t *message, size_t message_len,
                   const uint8_t signature[114], const uint8_t public_key[57],
-                  const uint8_t *context, size_t context_len, const char *propq);
+                  const uint8_t *context, size_t context_len,
+                  const uint8_t phflag, const char *propq);
 
 int
 ossl_x448(uint8_t out_shared_key[56], const uint8_t private_key[56],

include/openssl/core_names.h

@@ -467,6 +467,8 @@ extern "C" {
     OSSL_PKEY_PARAM_MGF1_PROPERTIES
 #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE        OSSL_PKEY_PARAM_DIGEST_SIZE
 #define OSSL_SIGNATURE_PARAM_NONCE_TYPE         "nonce-type"
+#define OSSL_SIGNATURE_PARAM_INSTANCE           "instance"
+#define OSSL_SIGNATURE_PARAM_CONTEXT_STRING     "context-string"
 
 /* Asym cipher parameters */
 #define OSSL_ASYM_CIPHER_PARAM_DIGEST                   OSSL_PKEY_PARAM_DIGEST

providers/implementations/signature/eddsa_sig.c

@@ -43,6 +43,24 @@ static int s390x_ed448_digestverify(const ECX_KEY *edkey,
 
 #endif /* S390X_EC_ASM */
 
+enum ID_EdDSA_INSTANCE {
+    ID_NOT_SET = 0,
+    ID_Ed25519,
+    ID_Ed25519ctx,
+    ID_Ed25519ph,
+    ID_Ed448,
+    ID_Ed448ph
+};
+
+#define SN_Ed25519    "Ed25519"
+#define SN_Ed25519ph  "Ed25519ph"
+#define SN_Ed25519ctx "Ed25519ctx"
+#define SN_Ed448      "Ed448"
+#define SN_Ed448ph    "Ed448ph"
+
+#define EDDSA_MAX_CONTEXT_STRING_LEN 255
+#define EDDSA_PREHASH_OUTPUT_LEN 64
+
 static OSSL_FUNC_signature_newctx_fn eddsa_newctx;
 static OSSL_FUNC_signature_digest_sign_init_fn eddsa_digest_signverify_init;
 static OSSL_FUNC_signature_digest_sign_fn ed25519_digest_sign;
@@ -53,6 +71,55 @@ static OSSL_FUNC_signature_freectx_fn eddsa_freectx;
 static OSSL_FUNC_signature_dupctx_fn eddsa_dupctx;
 static OSSL_FUNC_signature_get_ctx_params_fn eddsa_get_ctx_params;
 static OSSL_FUNC_signature_gettable_ctx_params_fn eddsa_gettable_ctx_params;
+static OSSL_FUNC_signature_set_ctx_params_fn eddsa_set_ctx_params;
+static OSSL_FUNC_signature_settable_ctx_params_fn eddsa_settable_ctx_params;
+
+/* there are five EdDSA instances:
+
+         Ed25519
+         Ed25519ph
+         Ed25519ctx
+         Ed448
+         Ed448ph
+
+   Quoting from RFC 8032, Section 5.1:
+
+     For Ed25519, dom2(f,c) is the empty string.  The phflag value is
+     irrelevant.  The context (if present at all) MUST be empty.  This
+     causes the scheme to be one and the same with the Ed25519 scheme
+     published earlier.
+
+     For Ed25519ctx, phflag=0.  The context input SHOULD NOT be empty.
+
+     For Ed25519ph, phflag=1 and PH is SHA512 instead.  That is, the input
+     is hashed using SHA-512 before signing with Ed25519.
+
+   Quoting from RFC 8032, Section 5.2:
+
+     Ed448ph is the same but with PH being SHAKE256(x, 64) and phflag
+     being 1, i.e., the input is hashed before signing with Ed448 with a
+     hash constant modified.
+
+     Value of context is set by signer and verifier (maximum of 255
+     octets; the default is empty string) and has to match octet by octet
+     for verification to be successful.
+
+   Quoting from RFC 8032, Section 2:
+
+     dom2(x, y)     The blank octet string when signing or verifying
+                    Ed25519.  Otherwise, the octet string: "SigEd25519 no
+                    Ed25519 collisions" || octet(x) || octet(OLEN(y)) ||
+                    y, where x is in range 0-255 and y is an octet string
+                    of at most 255 octets.  "SigEd25519 no Ed25519
+                    collisions" is in ASCII (32 octets).
+
+     dom4(x, y)     The octet string "SigEd448" || octet(x) ||
+                    octet(OLEN(y)) || y, where x is in range 0-255 and y
+                    is an octet string of at most 255 octets.  "SigEd448"
+                    is in ASCII (8 octets).
+
+   Note above that x is the pre-hash flag, and y is the context string.
+*/
 
 typedef struct {
     OSSL_LIB_CTX *libctx;
@@ -62,6 +129,19 @@ typedef struct {
     unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
     unsigned char *aid;
     size_t  aid_len;
+
+    /* id indicating the EdDSA instance */
+    int instance_id;
+
+    unsigned int dom2_flag : 1;
+    unsigned int prehash_flag : 1;
+
+    /* indicates that a non-empty context string is required, as in Ed25519ctx */
+    unsigned int context_string_flag : 1;
+
+    unsigned char context_string[EDDSA_MAX_CONTEXT_STRING_LEN];
+    size_t context_string_len;
+
 } PROV_EDDSA_CTX;
 
 static void *eddsa_newctx(void *provctx, const char *propq_unused)
@@ -82,7 +162,7 @@ static void *eddsa_newctx(void *provctx, const char *propq_unused)
 
 static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
                                         void *vedkey,
-                                        ossl_unused const OSSL_PARAM params[])
+                                        const OSSL_PARAM params[])
 {
     PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
     ECX_KEY *edkey = (ECX_KEY *)vedkey;
@@ -99,8 +179,7 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
 
     if (edkey == NULL) {
         if (peddsactx->key != NULL)
-            /* there is nothing to do on reinit */
-            return 1;
+            return eddsa_set_ctx_params(peddsactx, params);
         ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
         return 0;
     }
@@ -110,6 +189,11 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
         return 0;
     }
 
+    peddsactx->dom2_flag = 0;
+    peddsactx->prehash_flag = 0;
+    peddsactx->context_string_flag = 0;
+    peddsactx->context_string_len = 0;
+
     /*
      * We do not care about DER writing errors.
      * All it really means is that for some reason, there's no
@@ -122,9 +206,11 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
     switch (edkey->type) {
     case ECX_KEY_TYPE_ED25519:
         ret = ret && ossl_DER_w_algorithmIdentifier_ED25519(&pkt, -1, edkey);
+        peddsactx->instance_id = ID_Ed25519;
         break;
     case ECX_KEY_TYPE_ED448:
         ret = ret && ossl_DER_w_algorithmIdentifier_ED448(&pkt, -1, edkey);
+        peddsactx->instance_id = ID_Ed448;
         break;
     default:
         /* Should never happen */
@@ -140,6 +226,9 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
 
     peddsactx->key = edkey;
 
+    if (!eddsa_set_ctx_params(peddsactx, params))
+        return 0;
+
     return 1;
 }
 
@@ -149,6 +238,8 @@ int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret,
 {
     PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
     const ECX_KEY *edkey = peddsactx->key;
+    uint8_t md[EVP_MAX_MD_SIZE];
+    size_t mdlen;
 
     if (!ossl_prov_is_running())
         return 0;
@@ -166,17 +257,33 @@ int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret,
         return 0;
     }
 #ifdef S390X_EC_ASM
-    if (S390X_CAN_SIGN(ED25519)) {
-	    if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) {
-		    ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
-		    return 0;
-	    }
-	    *siglen = ED25519_SIGSIZE;
-	    return 1;
+    /* s390x_ed25519_digestsign() does not yet support dom2 or context-strings.
+       fall back to non-accelerated sign if those options are set. */
+    if (S390X_CAN_SIGN(ED25519)
+            && !peddsactx->dom2_flag
+            && !peddsactx->context_string_flag
+            && peddsactx->context_string_len == 0) {
+        if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
+            return 0;
+        }
+        *siglen = ED25519_SIGSIZE;
+        return 1;
     }
 #endif /* S390X_EC_ASM */
+
+    if (peddsactx->prehash_flag) {
+        if (!EVP_Q_digest(peddsactx->libctx, SN_sha512, NULL, tbs, tbslen, md, &mdlen)
+                || mdlen != EDDSA_PREHASH_OUTPUT_LEN)
+            return 0;
+        tbs = md;
+        tbslen = mdlen;
+    }
+
     if (ossl_ed25519_sign(sigret, tbs, tbslen, edkey->pubkey, edkey->privkey,
-                          peddsactx->libctx, NULL) == 0) {
+            peddsactx->dom2_flag, peddsactx->prehash_flag, peddsactx->context_string_flag,
+            peddsactx->context_string, peddsactx->context_string_len,
+            peddsactx->libctx, NULL) == 0) {
         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
         return 0;
     }
@@ -184,12 +291,41 @@ int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret,
     return 1;
 }
 
+/* EVP_Q_digest() does not allow variable output length for XOFs,
+   so we use this function */
+static int ed448_shake256(OSSL_LIB_CTX *libctx,
+                          const char *propq,
+                          const uint8_t *in, size_t inlen,
+                          uint8_t *out, size_t outlen)
+{
+    int ret = 0;
+    EVP_MD_CTX *hash_ctx = EVP_MD_CTX_new();
+    EVP_MD *shake256 = EVP_MD_fetch(libctx, SN_shake256, propq);
+
+    if (hash_ctx == NULL || shake256 == NULL)
+        goto err;
+
+    if (!EVP_DigestInit_ex(hash_ctx, shake256, NULL)
+            || !EVP_DigestUpdate(hash_ctx, in, inlen)
+            || !EVP_DigestFinalXOF(hash_ctx, out, outlen))
+        goto err;
+
+    ret = 1;
+
+ err:
+    EVP_MD_CTX_free(hash_ctx);
+    EVP_MD_free(shake256);
+    return ret;
+}
+
 int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret,
                       size_t *siglen, size_t sigsize,
                       const unsigned char *tbs, size_t tbslen)
 {
     PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
     const ECX_KEY *edkey = peddsactx->key;
+    uint8_t md[EDDSA_PREHASH_OUTPUT_LEN];
+    size_t mdlen = sizeof(md);
 
     if (!ossl_prov_is_running())
         return 0;
@@ -207,17 +343,30 @@ int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret,
         return 0;
     }
 #ifdef S390X_EC_ASM
-    if (S390X_CAN_SIGN(ED448)) {
+    /* s390x_ed448_digestsign() does not yet support context-strings.
+       fall back to non-accelerated sign if a context-string is provided. */
+    if (S390X_CAN_SIGN(ED448)
+            && peddsactx->context_string_len == 0) {
         if (s390x_ed448_digestsign(edkey, sigret, tbs, tbslen) == 0) {
-		ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
-		return 0;
-	}
-	*siglen = ED448_SIGSIZE;
-	return 1;
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
+            return 0;
+        }
+        *siglen = ED448_SIGSIZE;
+        return 1;
     }
 #endif /* S390X_EC_ASM */
-    if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen, edkey->pubkey,
-                        edkey->privkey, NULL, 0, edkey->propq) == 0) {
+
+    if (peddsactx->prehash_flag) {
+        if (!ed448_shake256(peddsactx->libctx, NULL, tbs, tbslen, md, mdlen))
+            return 0;
+        tbs = md;
+        tbslen = mdlen;
+    }
+
+    if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen,
+                        edkey->pubkey, edkey->privkey,
+                        peddsactx->context_string, peddsactx->context_string_len,
+                        peddsactx->prehash_flag, edkey->propq) == 0) {
         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
         return 0;
     }
@@ -231,16 +380,34 @@ int ed25519_digest_verify(void *vpeddsactx, const unsigned char *sig,
 {
     PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
     const ECX_KEY *edkey = peddsactx->key;
+    uint8_t md[EVP_MAX_MD_SIZE];
+    size_t mdlen;
 
     if (!ossl_prov_is_running() || siglen != ED25519_SIGSIZE)
         return 0;
 
 #ifdef S390X_EC_ASM
-    if (S390X_CAN_SIGN(ED25519))
+    /* s390x_ed25519_digestverify() does not yet support dom2 or context-strings.
+       fall back to non-accelerated verify if those options are set. */
+    if (S390X_CAN_SIGN(ED25519)
+            && !peddsactx->dom2_flag
+            && !peddsactx->context_string_flag
+            && peddsactx->context_string_len == 0) {
         return s390x_ed25519_digestverify(edkey, sig, tbs, tbslen);
+    }
 #endif /* S390X_EC_ASM */
 
+    if (peddsactx->prehash_flag) {
+        if (!EVP_Q_digest(peddsactx->libctx, SN_sha512, NULL, tbs, tbslen, md, &mdlen)
+                || mdlen != EDDSA_PREHASH_OUTPUT_LEN)
+            return 0;
+        tbs = md;
+        tbslen = mdlen;
+    }
+
     return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey,
+                               peddsactx->dom2_flag, peddsactx->prehash_flag, peddsactx->context_string_flag,
+                               peddsactx->context_string, peddsactx->context_string_len,
                                peddsactx->libctx, edkey->propq);
 }
 
@@ -250,17 +417,31 @@ int ed448_digest_verify(void *vpeddsactx, const unsigned char *sig,
 {
     PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
     const ECX_KEY *edkey = peddsactx->key;
+    uint8_t md[EDDSA_PREHASH_OUTPUT_LEN];
+    size_t mdlen = sizeof(md);
 
     if (!ossl_prov_is_running() || siglen != ED448_SIGSIZE)
         return 0;
 
 #ifdef S390X_EC_ASM
-    if (S390X_CAN_SIGN(ED448))
+    /* s390x_ed448_digestverify() does not yet support context-strings.
+       fall back to non-accelerated verify if a context-string is provided. */
+    if (S390X_CAN_SIGN(ED448)
+            && peddsactx->context_string_len == 0) {
         return s390x_ed448_digestverify(edkey, sig, tbs, tbslen);
+    }
 #endif /* S390X_EC_ASM */
 
+    if (peddsactx->prehash_flag) {
+        if (!ed448_shake256(peddsactx->libctx, NULL, tbs, tbslen, md, mdlen))
+            return 0;
+        tbs = md;
+        tbslen = mdlen;
+    }
+
     return ossl_ed448_verify(peddsactx->libctx, tbs, tbslen, sig, edkey->pubkey,
-                             NULL, 0, edkey->propq);
+                             peddsactx->context_string, peddsactx->context_string_len,
+                             peddsactx->prehash_flag, edkey->propq);
 }
 
 static void eddsa_freectx(void *vpeddsactx)
@@ -317,6 +498,8 @@ static int eddsa_get_ctx_params(void *vpeddsactx, OSSL_PARAM *params)
 
 static const OSSL_PARAM known_gettable_ctx_params[] = {
     OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
+    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0),
     OSSL_PARAM_END
 };
 
@@ -326,6 +509,84 @@ static const OSSL_PARAM *eddsa_gettable_ctx_params(ossl_unused void *vpeddsactx,
     return known_gettable_ctx_params;
 }
 
+static int eddsa_set_ctx_params(void *vpeddsactx, const OSSL_PARAM params[])
+{
+    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
+    const OSSL_PARAM *p;
+
+    if (peddsactx == NULL)
+        return 0;
+    if (params == NULL)
+        return 1;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_INSTANCE);
+    if (p != NULL) {
+        char instance_name[OSSL_MAX_NAME_SIZE] = "";
+        char *pinstance_name = instance_name;
+
+        if (!OSSL_PARAM_get_utf8_string(p, &pinstance_name, sizeof(instance_name)))
+            return 0;
+
+        if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519) == 0) {
+            peddsactx->instance_id = ID_Ed25519;
+            if (peddsactx->key->type != ECX_KEY_TYPE_ED25519) return 0;
+            peddsactx->dom2_flag = 0;
+            peddsactx->prehash_flag = 0;
+            peddsactx->context_string_flag = 0;
+        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519ctx) == 0) {
+            peddsactx->instance_id = ID_Ed25519ctx;
+            if (peddsactx->key->type != ECX_KEY_TYPE_ED25519) return 0;
+            peddsactx->dom2_flag = 1;
+            peddsactx->prehash_flag = 0;
+            peddsactx->context_string_flag = 1;
+        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519ph) == 0) {
+            peddsactx->instance_id = ID_Ed25519ph;
+            if (peddsactx->key->type != ECX_KEY_TYPE_ED25519) return 0;
+            peddsactx->dom2_flag = 1;
+            peddsactx->prehash_flag = 1;
+            peddsactx->context_string_flag = 0;
+        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed448) == 0) {
+            peddsactx->instance_id = ID_Ed448;
+            if (peddsactx->key->type != ECX_KEY_TYPE_ED448) return 0;
+            peddsactx->prehash_flag = 0;
+            peddsactx->context_string_flag = 0;
+        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed448ph) == 0) {
+            peddsactx->instance_id = ID_Ed448ph;
+            if (peddsactx->key->type != ECX_KEY_TYPE_ED448) return 0;
+            peddsactx->prehash_flag = 1;
+            peddsactx->context_string_flag = 0;
+        } else {
+            /* we did not recognize the instance */
+            return 0;
+        }
+
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_CONTEXT_STRING);
+    if (p != NULL) {
+        void *vp_context_string = peddsactx->context_string;
+
+        if (!OSSL_PARAM_get_octet_string(p, &vp_context_string, sizeof(peddsactx->context_string), &(peddsactx->context_string_len))) {
+            peddsactx->context_string_len = 0;
+            return 0;
+        }
+    }
+
+    return 1;
+}
+
+static const OSSL_PARAM settable_ctx_params[] = {
+    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0),
+    OSSL_PARAM_END
+};
+
+static const OSSL_PARAM *eddsa_settable_ctx_params(ossl_unused void *vpeddsactx,
+                                                   ossl_unused void *provctx)
+{
+    return settable_ctx_params;
+}
+
 const OSSL_DISPATCH ossl_ed25519_signature_functions[] = {
     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },
     { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
@@ -341,6 +602,9 @@ const OSSL_DISPATCH ossl_ed25519_signature_functions[] = {
     { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
     { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
       (void (*)(void))eddsa_gettable_ctx_params },
+    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))eddsa_set_ctx_params },
+    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
+      (void (*)(void))eddsa_settable_ctx_params },
     { 0, NULL }
 };
 
@@ -359,6 +623,9 @@ const OSSL_DISPATCH ossl_ed448_signature_functions[] = {
     { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
     { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
       (void (*)(void))eddsa_gettable_ctx_params },
+    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))eddsa_set_ctx_params },
+    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
+      (void (*)(void))eddsa_settable_ctx_params },
     { 0, NULL }
 };
 

test/curve448_internal_test.c

@@ -602,43 +602,43 @@ static int test_ed448(void)
 
     if (!TEST_ptr(hashctx)
             || !TEST_true(ossl_ed448_sign(NULL, outsig, NULL, 0, pubkey1,
-                                          privkey1, NULL, 0, NULL))
+                                          privkey1, NULL, 0, 0, NULL))
             || !TEST_int_eq(memcmp(sig1, outsig, sizeof(sig1)), 0)
             || !TEST_true(ossl_ed448_sign(NULL, outsig, msg2, sizeof(msg2),
-                                          pubkey2, privkey2, NULL, 0, NULL))
+                                          pubkey2, privkey2, NULL, 0, 0, NULL))
             || !TEST_int_eq(memcmp(sig2, outsig, sizeof(sig2)), 0)
             || !TEST_true(ossl_ed448_sign(NULL, outsig, msg3, sizeof(msg3),
                                           pubkey3, privkey3, context3,
-                                          sizeof(context3), NULL))
+                                          sizeof(context3), 0, NULL))
             || !TEST_int_eq(memcmp(sig3, outsig, sizeof(sig3)), 0)
             || !TEST_true(ossl_ed448_sign(NULL, outsig, msg4, sizeof(msg4),
-                                          pubkey4, privkey4, NULL, 0, NULL))
+                                          pubkey4, privkey4, NULL, 0, 0, NULL))
             || !TEST_int_eq(memcmp(sig4, outsig, sizeof(sig4)), 0)
             || !TEST_true(ossl_ed448_sign(NULL, outsig, msg5, sizeof(msg5),
-                                          pubkey5, privkey5, NULL, 0, NULL))
+                                          pubkey5, privkey5, NULL, 0, 0, NULL))
             || !TEST_int_eq(memcmp(sig5, outsig, sizeof(sig5)), 0)
             || !TEST_true(ossl_ed448_sign(NULL, outsig, msg6, sizeof(msg6),
-                                          pubkey6, privkey6, NULL, 0, NULL))
+                                          pubkey6, privkey6, NULL, 0, 0, NULL))
             || !TEST_int_eq(memcmp(sig6, outsig, sizeof(sig6)), 0)
             || !TEST_true(ossl_ed448_sign(NULL, outsig, msg7, sizeof(msg7),
-                                          pubkey7, privkey7, NULL, 0, NULL))
+                                          pubkey7, privkey7, NULL, 0, 0, NULL))
             || !TEST_int_eq(memcmp(sig7, outsig, sizeof(sig7)), 0)
             || !TEST_true(ossl_ed448_sign(NULL, outsig, msg8, sizeof(msg8),
-                                          pubkey8, privkey8, NULL, 0, NULL))
+                                          pubkey8, privkey8, NULL, 0, 0, NULL))
             || !TEST_int_eq(memcmp(sig8, outsig, sizeof(sig8)), 0)
             || !TEST_true(ossl_ed448_sign(NULL, outsig, msg9, sizeof(msg9),
-                                          pubkey9, privkey9, NULL, 0, NULL))
+                                          pubkey9, privkey9, NULL, 0, 0, NULL))
             || !TEST_int_eq(memcmp(sig9, outsig, sizeof(sig9)), 0)
-            || !TEST_true(ossl_ed448ph_sign(NULL, outsig,
-                                            dohash(hashctx, phmsg1,
-                                                   sizeof(phmsg1)), phpubkey1,
-                                                   phprivkey1, NULL, 0, NULL))
+            || !TEST_true(ossl_ed448_sign(NULL, outsig,
+                                          dohash(hashctx, phmsg1,
+                                                 sizeof(phmsg1)), 64, phpubkey1,
+                                                 phprivkey1, NULL, 0, 1, NULL))
             || !TEST_int_eq(memcmp(phsig1, outsig, sizeof(phsig1)), 0)
-            || !TEST_true(ossl_ed448ph_sign(NULL, outsig,
-                                            dohash(hashctx, phmsg2,
-                                                   sizeof(phmsg2)), phpubkey2,
-                                                   phprivkey2, phcontext2,
-                                                   sizeof(phcontext2), NULL))
+            || !TEST_true(ossl_ed448_sign(NULL, outsig,
+                                          dohash(hashctx, phmsg2,
+                                                 sizeof(phmsg2)), 64, phpubkey2,
+                                                 phprivkey2, phcontext2,
+                                                 sizeof(phcontext2), 1, NULL))
             || !TEST_int_eq(memcmp(phsig2, outsig, sizeof(phsig2)), 0)) {
         EVP_MD_CTX_free(hashctx);
         return 0;