1 /*
2 * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9 #include <stddef.h>
10 #include <string.h>
11 #include <openssl/err.h>
12 #include <openssl/proverr.h>
13 #include "slh_dsa_local.h"
14 #include "slh_dsa_key.h"
15
16 #define SLH_MAX_M 49 /* See slh_params.c */
17 /* The size of md is (21..40 bytes) - since a is in bits round up to nearest byte */
18 #define MD_LEN(params) (((params)->k * (params)->a + 7) >> 3)
19
20 static int get_tree_ids(PACKET *pkt, const SLH_DSA_PARAMS *params,
21 uint64_t *tree_id, uint32_t *leaf_id);
22
23 /**
24 * @brief SLH-DSA Signature generation
25 * See FIPS 205 Section 9.2 Algorithm 19
26 *
27 * A signature consists of
28 * r[n] random bytes
29 * [k]*[1+a][n] FORS signature bytes
30 * [h + d*len][n] Hyper tree signature bytes
31 *
32 * @param ctx Contains SLH_DSA algorithm functions and constants, and the
33 * private SLH_DSA key to use for signing.
34 * @param msg The message to sign. This may be encoded beforehand.
35 * @param msg_len The size of |msg|
36 * @param sig The returned signature
37 * @param sig_len The size of the returned |sig|
38 * @param sig_size The maximum size of |sig|
39 * @param opt_rand An optional random value to use of size |n|. It can be NULL.
40 * @returns 1 if the signature generation succeeded or 0 otherwise.
41 */
slh_sign_internal(SLH_DSA_HASH_CTX * hctx,const uint8_t * msg,size_t msg_len,uint8_t * sig,size_t * sig_len,size_t sig_size,const uint8_t * opt_rand)42 static int slh_sign_internal(SLH_DSA_HASH_CTX *hctx,
43 const uint8_t *msg, size_t msg_len,
44 uint8_t *sig, size_t *sig_len, size_t sig_size,
45 const uint8_t *opt_rand)
46 {
47 int ret = 0;
48 const SLH_DSA_KEY *priv = hctx->key;
49 const SLH_DSA_PARAMS *params = priv->params;
50 size_t sig_len_expected = params->sig_len;
51 uint8_t m_digest[SLH_MAX_M];
52 const uint8_t *md; /* The first md_len bytes of m_digest */
53 size_t md_len = MD_LEN(params); /* The size of the digest |md| */
54 /* Points to |m_digest| buffer, it is also reused to point to |sig_fors| */
55 PACKET r_packet, *rpkt = &r_packet;
56 uint8_t *r, *sig_fors; /* Pointers into buffer inside |wpkt| */
57 WPACKET w_packet, *wpkt = &w_packet; /* Points to output |sig| buffer */
58 const uint8_t *pk_seed, *sk_seed; /* pointers to elements within |priv| */
59 uint8_t pk_fors[SLH_MAX_N];
60 uint64_t tree_id;
61 uint32_t leaf_id;
62
63 SLH_ADRS_DECLARE(adrs);
64 SLH_HASH_FUNC_DECLARE(priv, hashf);
65 SLH_ADRS_FUNC_DECLARE(priv, adrsf);
66
67 if (sig == NULL) {
68 *sig_len = sig_len_expected;
69 return 1;
70 }
71
72 if (sig_size < sig_len_expected) {
73 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE,
74 "is %zu, should be at least %zu", sig_size, sig_len_expected);
75 return 0;
76 }
77 /* Exit if private key is not set */
78 if (priv->has_priv == 0) {
79 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
80 return 0;
81 }
82
83 if (!WPACKET_init_static_len(wpkt, sig, sig_len_expected, 0))
84 return 0;
85 if (!PACKET_buf_init(rpkt, m_digest, params->m))
86 return 0;
87
88 pk_seed = SLH_DSA_PK_SEED(priv);
89 sk_seed = SLH_DSA_SK_SEED(priv);
90
91 if (opt_rand == NULL)
92 opt_rand = pk_seed;
93
94 adrsf->zero(adrs);
95 /* calculate Randomness value r, and output to the SLH-DSA signature */
96 r = WPACKET_get_curr(wpkt);
97 if (!hashf->PRF_MSG(hctx, SLH_DSA_SK_PRF(priv), opt_rand, msg, msg_len, wpkt)
98 /* generate a digest of size |params->m| bytes where m is (30..49) */
99 || !hashf->H_MSG(hctx, r, pk_seed, SLH_DSA_PK_ROOT(priv), msg, msg_len,
100 m_digest, sizeof(m_digest))
101 /* Grab the first md_len bytes of m_digest to use in fors_sign() */
102 || !PACKET_get_bytes(rpkt, &md, md_len)
103 /* Grab remaining bytes from m_digest to select tree and leaf id's */
104 || !get_tree_ids(rpkt, params, &tree_id, &leaf_id))
105 goto err;
106
107 adrsf->set_tree_address(adrs, tree_id);
108 adrsf->set_type_and_clear(adrs, SLH_ADRS_TYPE_FORS_TREE);
109 adrsf->set_keypair_address(adrs, leaf_id);
110
111 sig_fors = WPACKET_get_curr(wpkt);
112 /* generate the FORS signature and append it to the SLH-DSA signature */
113 ret = ossl_slh_fors_sign(hctx, md, sk_seed, pk_seed, adrs, wpkt)
114 /* Reuse rpkt to point to the FORS signature that was just generated */
115 && PACKET_buf_init(rpkt, sig_fors, WPACKET_get_curr(wpkt) - sig_fors)
116 /* Calculate the FORS public key using the generated FORS signature */
117 && ossl_slh_fors_pk_from_sig(hctx, rpkt, md, pk_seed, adrs,
118 pk_fors, sizeof(pk_fors))
119 /* Generate ht signature and append to the SLH-DSA signature */
120 && ossl_slh_ht_sign(hctx, pk_fors, sk_seed, pk_seed, tree_id, leaf_id,
121 wpkt);
122 *sig_len = sig_len_expected;
123 ret = 1;
124 err:
125 if (!WPACKET_finish(wpkt))
126 ret = 0;
127 return ret;
128 }
129
130 /**
131 * @brief SLH-DSA Signature verification
132 * See FIPS 205 Section 9.3 Algorithm 20
133 *
134 * A signature consists of
135 * r[n] random bytes
136 * [k]*[1+a][n] FORS signature bytes
137 * [h + d*len][n] Hyper tree signature bytes
138 *
139 * @param hctx Contains SLH_DSA algorithm functions and constants and the
140 * public SLH_DSA key to use for verification.
141 * @param msg The message to verify. This may be encoded beforehand.
142 * @param msg_len The size of |msg|
143 * @param sig A signature to verify
144 * @param sig_len The size of |sig|
145 * @returns 1 if the signature verification succeeded or 0 otherwise.
146 */
slh_verify_internal(SLH_DSA_HASH_CTX * hctx,const uint8_t * msg,size_t msg_len,const uint8_t * sig,size_t sig_len)147 static int slh_verify_internal(SLH_DSA_HASH_CTX *hctx,
148 const uint8_t *msg, size_t msg_len,
149 const uint8_t *sig, size_t sig_len)
150 {
151 const SLH_DSA_KEY *pub = hctx->key;
152 SLH_HASH_FUNC_DECLARE(pub, hashf);
153 SLH_ADRS_FUNC_DECLARE(pub, adrsf);
154 SLH_ADRS_DECLARE(adrs);
155 const SLH_DSA_PARAMS *params = pub->params;
156 uint32_t n = params->n;
157 const uint8_t *pk_seed, *pk_root; /* Pointers to elements in |pub| */
158 PACKET pkt, *sig_rpkt = &pkt; /* Points to the |sig| buffer */
159 uint8_t m_digest[SLH_MAX_M];
160 const uint8_t *md; /* This is a pointer into the buffer in m_digest_rpkt */
161 size_t md_len = MD_LEN(params); /* 21..40 bytes */
162 PACKET pkt2, *m_digest_rpkt = &pkt2; /* Points to m_digest buffer */
163 const uint8_t *r; /* Pointer to |sig_rpkt| buffer */
164 uint8_t pk_fors[SLH_MAX_N];
165 uint64_t tree_id;
166 uint32_t leaf_id;
167
168 /* Exit if public key is not set */
169 if (pub->pub == NULL) {
170 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
171 return 0;
172 }
173
174 /* Exit if signature is invalid size */
175 if (sig_len != params->sig_len
176 || !PACKET_buf_init(sig_rpkt, sig, sig_len))
177 return 0;
178 if (!PACKET_get_bytes(sig_rpkt, &r, n))
179 return 0;
180
181 adrsf->zero(adrs);
182
183 pk_seed = SLH_DSA_PK_SEED(pub);
184 pk_root = SLH_DSA_PK_ROOT(pub);
185
186 if (!hashf->H_MSG(hctx, r, pk_seed, pk_root, msg, msg_len,
187 m_digest, sizeof(m_digest)))
188 return 0;
189
190 /*
191 * Get md (the first md_len bytes of m_digest to use in
192 * ossl_slh_fors_pk_from_sig(), and then retrieve the tree id and leaf id
193 * from the remaining bytes in m_digest.
194 */
195 if (!PACKET_buf_init(m_digest_rpkt, m_digest, sizeof(m_digest))
196 || !PACKET_get_bytes(m_digest_rpkt, &md, md_len)
197 || !get_tree_ids(m_digest_rpkt, params, &tree_id, &leaf_id))
198 return 0;
199
200 adrsf->set_tree_address(adrs, tree_id);
201 adrsf->set_type_and_clear(adrs, SLH_ADRS_TYPE_FORS_TREE);
202 adrsf->set_keypair_address(adrs, leaf_id);
203 return ossl_slh_fors_pk_from_sig(hctx, sig_rpkt, md, pk_seed, adrs,
204 pk_fors, sizeof(pk_fors))
205 && ossl_slh_ht_verify(hctx, pk_fors, sig_rpkt, pk_seed,
206 tree_id, leaf_id, pk_root)
207 && PACKET_remaining(sig_rpkt) == 0;
208 }
209
210 /**
211 * @brief Encode a message
212 * See FIPS 205 Algorithm 22 Step 8 (and algorithm 24 Step 4).
213 *
214 * SLH_DSA pure signatures are encoded as M' = 00 || ctx_len || ctx || msg
215 * Where ctx is the empty string by default and ctx_len <= 255.
216 *
217 * @param msg A message to encode
218 * @param msg_len The size of |msg|
219 * @param ctx An optional context to add to the message encoding.
220 * @param ctx_len The size of |ctx|. It must be in the range 0..255
221 * @param encode Use the Pure signature encoding if this is 1, and dont encode
222 * if this value is 0.
223 * @param tmp A small buffer that may be used if the message is small.
224 * @param tmp_len The size of |tmp|
225 * @param out_len The size of the returned encoded buffer.
226 * @returns A buffer containing the encoded message. If the passed in
227 * |tmp| buffer is big enough to hold the encoded message then it returns |tmp|
228 * otherwise it allocates memory which must be freed by the caller. If |encode|
229 * is 0 then it returns |msg|. NULL is returned if there is a failure.
230 */
msg_encode(const uint8_t * msg,size_t msg_len,const uint8_t * ctx,size_t ctx_len,int encode,uint8_t * tmp,size_t tmp_len,size_t * out_len)231 static uint8_t *msg_encode(const uint8_t *msg, size_t msg_len,
232 const uint8_t *ctx, size_t ctx_len, int encode,
233 uint8_t *tmp, size_t tmp_len, size_t *out_len)
234 {
235 uint8_t *encoded = NULL;
236 size_t encoded_len;
237
238 if (encode == 0) {
239 /* Raw message */
240 *out_len = msg_len;
241 return (uint8_t *)msg;
242 }
243 if (ctx_len > SLH_DSA_MAX_CONTEXT_STRING_LEN)
244 return NULL;
245
246 /* Pure encoding */
247 encoded_len = 1 + 1 + ctx_len + msg_len;
248 *out_len = encoded_len;
249 if (encoded_len <= tmp_len) {
250 encoded = tmp;
251 } else {
252 encoded = OPENSSL_zalloc(encoded_len);
253 if (encoded == NULL)
254 return NULL;
255 }
256 encoded[0] = 0;
257 encoded[1] = (uint8_t)ctx_len;
258 memcpy(&encoded[2], ctx, ctx_len);
259 memcpy(&encoded[2 + ctx_len], msg, msg_len);
260 return encoded;
261 }
262
263 /**
264 * See FIPS 205 Section 10.2.1 Algorithm 22
265 * @returns 1 on success, or 0 on error.
266 */
ossl_slh_dsa_sign(SLH_DSA_HASH_CTX * slh_ctx,const uint8_t * msg,size_t msg_len,const uint8_t * ctx,size_t ctx_len,const uint8_t * add_rand,int encode,unsigned char * sig,size_t * siglen,size_t sigsize)267 int ossl_slh_dsa_sign(SLH_DSA_HASH_CTX *slh_ctx,
268 const uint8_t *msg, size_t msg_len,
269 const uint8_t *ctx, size_t ctx_len,
270 const uint8_t *add_rand, int encode,
271 unsigned char *sig, size_t *siglen, size_t sigsize)
272 {
273 uint8_t m_tmp[1024], *m = m_tmp;
274 size_t m_len = 0;
275 int ret = 0;
276
277 if (sig != NULL) {
278 m = msg_encode(msg, msg_len, ctx, ctx_len, encode, m_tmp, sizeof(m_tmp),
279 &m_len);
280 if (m == NULL)
281 return 0;
282 }
283 ret = slh_sign_internal(slh_ctx, m, m_len, sig, siglen, sigsize, add_rand);
284 if (m != msg && m != m_tmp)
285 OPENSSL_free(m);
286 return ret;
287 }
288
289 /**
290 * See FIPS 205 Section 10.3 Algorithm 24
291 * @returns 1 on success, or 0 on error.
292 */
ossl_slh_dsa_verify(SLH_DSA_HASH_CTX * slh_ctx,const uint8_t * msg,size_t msg_len,const uint8_t * ctx,size_t ctx_len,int encode,const uint8_t * sig,size_t sig_len)293 int ossl_slh_dsa_verify(SLH_DSA_HASH_CTX *slh_ctx,
294 const uint8_t *msg, size_t msg_len,
295 const uint8_t *ctx, size_t ctx_len, int encode,
296 const uint8_t *sig, size_t sig_len)
297 {
298 uint8_t *m;
299 size_t m_len;
300 uint8_t m_tmp[1024];
301 int ret = 0;
302
303 m = msg_encode(msg, msg_len, ctx, ctx_len, encode, m_tmp, sizeof(m_tmp),
304 &m_len);
305 if (m == NULL)
306 return 0;
307
308 ret = slh_verify_internal(slh_ctx, m, m_len, sig, sig_len);
309 if (m != msg && m != m_tmp)
310 OPENSSL_free(m);
311 return ret;
312 }
313
314 /*
315 * See FIPS 205 Algorithm 2 toInt(X, n)
316 * OPENSSL_load_u64_be() cant be used here as the |in_len| may be < 8
317 */
bytes_to_u64_be(const uint8_t * in,size_t in_len)318 static uint64_t bytes_to_u64_be(const uint8_t *in, size_t in_len)
319 {
320
321 size_t i;
322 uint64_t total = 0;
323
324 for (i = 0; i < in_len; i++)
325 total = (total << 8) + *in++;
326 return total;
327 }
328
329 /*
330 * See Algorithm 19 Steps 7..10 (also Algorithm 20 Step 10..13).
331 * Converts digested bytes into a tree index, and leaf index within the tree.
332 * The sizes are determined by the |params| parameter set.
333 */
get_tree_ids(PACKET * rpkt,const SLH_DSA_PARAMS * params,uint64_t * tree_id,uint32_t * leaf_id)334 static int get_tree_ids(PACKET *rpkt, const SLH_DSA_PARAMS *params,
335 uint64_t *tree_id, uint32_t *leaf_id)
336 {
337 const uint8_t *tree_id_bytes, *leaf_id_bytes;
338 uint32_t tree_id_len, leaf_id_len;
339 uint64_t tree_id_mask, leaf_id_mask;
340
341 tree_id_len = ((params->h - params->hm + 7) >> 3); /* 7 or 8 bytes */
342 leaf_id_len = ((params->hm + 7) >> 3); /* 1 or 2 bytes */
343
344 if (!PACKET_get_bytes(rpkt, &tree_id_bytes, tree_id_len)
345 || !PACKET_get_bytes(rpkt, &leaf_id_bytes, leaf_id_len))
346 return 0;
347
348 /*
349 * In order to calculate A mod (2^X) where X is in the range of (54..64)
350 * This is equivalent to A & (2^x - 1) which is just a sequence of X ones
351 * that must fit into a 64 bit value.
352 * e.g when X = 64 it would be A & (0xFFFF_FFFF_FFFF_FFFF)
353 * when X = 54 it would be A & (0x3F_FFFF_FFFF_FFFF)
354 * i.e. A & (0xFFFF_FFFF_FFFF_FFFF >> (64 - X))
355 */
356 tree_id_mask = (~(uint64_t)0) >> (64 - (params->h - params->hm));
357 leaf_id_mask = ((uint64_t)1 << params->hm) - 1; /* max value is 0x1FF when hm = 9 */
358 *tree_id = bytes_to_u64_be(tree_id_bytes, tree_id_len) & tree_id_mask;
359 *leaf_id = (uint32_t)(bytes_to_u64_be(leaf_id_bytes, leaf_id_len) & leaf_id_mask);
360 return 1;
361 }
362