1 /*
2 * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/core_dispatch.h>
11 #include <openssl/core_names.h>
12 #include <openssl/param_build.h>
13 #include <openssl/self_test.h>
14 #include "crypto/slh_dsa.h"
15 #include "internal/fips.h"
16 #include "internal/param_build_set.h"
17 #include "prov/implementations.h"
18 #include "prov/providercommon.h"
19 #include "prov/provider_ctx.h"
20
21 static OSSL_FUNC_keymgmt_free_fn slh_dsa_free_key;
22 static OSSL_FUNC_keymgmt_has_fn slh_dsa_has;
23 static OSSL_FUNC_keymgmt_match_fn slh_dsa_match;
24 static OSSL_FUNC_keymgmt_import_fn slh_dsa_import;
25 static OSSL_FUNC_keymgmt_export_fn slh_dsa_export;
26 static OSSL_FUNC_keymgmt_import_types_fn slh_dsa_imexport_types;
27 static OSSL_FUNC_keymgmt_export_types_fn slh_dsa_imexport_types;
28 static OSSL_FUNC_keymgmt_load_fn slh_dsa_load;
29 static OSSL_FUNC_keymgmt_get_params_fn slh_dsa_get_params;
30 static OSSL_FUNC_keymgmt_gettable_params_fn slh_dsa_gettable_params;
31 static OSSL_FUNC_keymgmt_validate_fn slh_dsa_validate;
32 static OSSL_FUNC_keymgmt_gen_init_fn slh_dsa_gen_init;
33 static OSSL_FUNC_keymgmt_gen_cleanup_fn slh_dsa_gen_cleanup;
34 static OSSL_FUNC_keymgmt_gen_set_params_fn slh_dsa_gen_set_params;
35 static OSSL_FUNC_keymgmt_gen_settable_params_fn slh_dsa_gen_settable_params;
36 static OSSL_FUNC_keymgmt_dup_fn slh_dsa_dup_key;
37
38 #define SLH_DSA_POSSIBLE_SELECTIONS (OSSL_KEYMGMT_SELECT_KEYPAIR)
39
40 struct slh_dsa_gen_ctx {
41 SLH_DSA_HASH_CTX *ctx;
42 OSSL_LIB_CTX *libctx;
43 char *propq;
44 uint8_t entropy[SLH_DSA_MAX_N * 3];
45 size_t entropy_len;
46 };
47
slh_dsa_new_key(void * provctx,const char * alg)48 static void *slh_dsa_new_key(void *provctx, const char *alg)
49 {
50 if (!ossl_prov_is_running())
51 return 0;
52
53 return ossl_slh_dsa_key_new(PROV_LIBCTX_OF(provctx), NULL, alg);
54 }
55
slh_dsa_free_key(void * keydata)56 static void slh_dsa_free_key(void *keydata)
57 {
58 ossl_slh_dsa_key_free((SLH_DSA_KEY *)keydata);
59 }
60
slh_dsa_dup_key(const void * keydata_from,int selection)61 static void *slh_dsa_dup_key(const void *keydata_from, int selection)
62 {
63 if (ossl_prov_is_running())
64 return ossl_slh_dsa_key_dup(keydata_from, selection);
65 return NULL;
66 }
67
slh_dsa_has(const void * keydata,int selection)68 static int slh_dsa_has(const void *keydata, int selection)
69 {
70 const SLH_DSA_KEY *key = keydata;
71
72 if (!ossl_prov_is_running() || key == NULL)
73 return 0;
74 if ((selection & SLH_DSA_POSSIBLE_SELECTIONS) == 0)
75 return 1; /* the selection is not missing */
76
77 return ossl_slh_dsa_key_has(key, selection);
78 }
79
slh_dsa_match(const void * keydata1,const void * keydata2,int selection)80 static int slh_dsa_match(const void *keydata1, const void *keydata2, int selection)
81 {
82 const SLH_DSA_KEY *key1 = keydata1;
83 const SLH_DSA_KEY *key2 = keydata2;
84
85 if (!ossl_prov_is_running())
86 return 0;
87 if (key1 == NULL || key2 == NULL)
88 return 0;
89 return ossl_slh_dsa_key_equal(key1, key2, selection);
90 }
91
slh_dsa_validate(const void * key_data,int selection,int check_type)92 static int slh_dsa_validate(const void *key_data, int selection, int check_type)
93 {
94 const SLH_DSA_KEY *key = key_data;
95
96 if (!slh_dsa_has(key, selection))
97 return 0;
98
99 if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR)
100 return ossl_slh_dsa_key_pairwise_check(key);
101 return 1;
102 }
103
slh_dsa_import(void * keydata,int selection,const OSSL_PARAM params[])104 static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
105 {
106 SLH_DSA_KEY *key = keydata;
107 int include_priv;
108
109 if (!ossl_prov_is_running() || key == NULL)
110 return 0;
111
112 if ((selection & SLH_DSA_POSSIBLE_SELECTIONS) == 0)
113 return 0;
114
115 include_priv = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0);
116 return ossl_slh_dsa_key_fromdata(key, params, include_priv);
117 }
118
119 #define SLH_DSA_IMEXPORTABLE_PARAMETERS \
120 OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0), \
121 OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)
122
123 static const OSSL_PARAM slh_dsa_key_types[] = {
124 SLH_DSA_IMEXPORTABLE_PARAMETERS,
125 OSSL_PARAM_END
126 };
slh_dsa_imexport_types(int selection)127 static const OSSL_PARAM *slh_dsa_imexport_types(int selection)
128 {
129 if ((selection & SLH_DSA_POSSIBLE_SELECTIONS) == 0)
130 return NULL;
131 return slh_dsa_key_types;
132 }
133
134 static const OSSL_PARAM slh_dsa_params[] = {
135 OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
136 OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
137 OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
138 OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0),
139 SLH_DSA_IMEXPORTABLE_PARAMETERS,
140 OSSL_PARAM_END
141 };
slh_dsa_gettable_params(void * provctx)142 static const OSSL_PARAM *slh_dsa_gettable_params(void *provctx)
143 {
144 return slh_dsa_params;
145 }
146
key_to_params(SLH_DSA_KEY * key,OSSL_PARAM_BLD * tmpl,int selection)147 static int key_to_params(SLH_DSA_KEY *key, OSSL_PARAM_BLD *tmpl,
148 int selection)
149 {
150 /* Error if there is no key or public key */
151 if (key == NULL || ossl_slh_dsa_key_get_pub(key) == NULL)
152 return 0;
153
154 if (((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
155 && ossl_slh_dsa_key_get_priv(key) != NULL)
156 if (ossl_param_build_set_octet_string(tmpl, NULL,
157 OSSL_PKEY_PARAM_PRIV_KEY,
158 ossl_slh_dsa_key_get_priv(key),
159 ossl_slh_dsa_key_get_priv_len(key)) != 1)
160 return 0;
161
162 if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
163 return 1;
164
165 return ossl_param_build_set_octet_string(tmpl, NULL,
166 OSSL_PKEY_PARAM_PUB_KEY,
167 ossl_slh_dsa_key_get_pub(key),
168 ossl_slh_dsa_key_get_pub_len(key));
169 }
170
slh_dsa_get_params(void * keydata,OSSL_PARAM params[])171 static int slh_dsa_get_params(void *keydata, OSSL_PARAM params[])
172 {
173 SLH_DSA_KEY *key = keydata;
174 OSSL_PARAM *p;
175 const uint8_t *pub, *priv;
176
177 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL
178 && !OSSL_PARAM_set_int(p, 8 * ossl_slh_dsa_key_get_pub_len(key)))
179 return 0;
180 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL
181 && !OSSL_PARAM_set_int(p, 8 * ossl_slh_dsa_key_get_n(key)))
182 return 0;
183 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
184 && !OSSL_PARAM_set_int(p, ossl_slh_dsa_key_get_sig_len(key)))
185 return 0;
186
187 priv = ossl_slh_dsa_key_get_priv(key);
188 if (priv != NULL) {
189 p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_PRIV_KEY);
190 /* Note: ossl_slh_dsa_key_get_priv_len() includes the public key */
191 if (p != NULL
192 && !OSSL_PARAM_set_octet_string(p, priv,
193 ossl_slh_dsa_key_get_priv_len(key)))
194 return 0;
195 }
196 pub = ossl_slh_dsa_key_get_pub(key);
197 if (pub != NULL) {
198 p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_PUB_KEY);
199 if (p != NULL
200 && !OSSL_PARAM_set_octet_string(p, pub,
201 ossl_slh_dsa_key_get_pub_len(key)))
202 return 0;
203 }
204 /*
205 * This allows apps to use an empty digest, so that the old API
206 * for digest signing can be used.
207 */
208 p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MANDATORY_DIGEST);
209 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ""))
210 return 0;
211 return 1;
212 }
213
slh_dsa_export(void * keydata,int selection,OSSL_CALLBACK * param_cb,void * cbarg)214 static int slh_dsa_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
215 void *cbarg)
216 {
217 SLH_DSA_KEY *key = keydata;
218 OSSL_PARAM_BLD *tmpl;
219 OSSL_PARAM *params = NULL;
220 int ret = 0;
221
222 if (!ossl_prov_is_running() || key == NULL)
223 return 0;
224
225 if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
226 return 0;
227
228 tmpl = OSSL_PARAM_BLD_new();
229 if (tmpl == NULL)
230 return 0;
231
232 if (!key_to_params(key, tmpl, selection))
233 goto err;
234
235 params = OSSL_PARAM_BLD_to_param(tmpl);
236 if (params == NULL)
237 goto err;
238
239 ret = param_cb(params, cbarg);
240 OSSL_PARAM_free(params);
241 err:
242 OSSL_PARAM_BLD_free(tmpl);
243 return ret;
244 }
245
slh_dsa_load(const void * reference,size_t reference_sz)246 static void *slh_dsa_load(const void *reference, size_t reference_sz)
247 {
248 SLH_DSA_KEY *key = NULL;
249
250 if (ossl_prov_is_running() && reference_sz == sizeof(key)) {
251 /* The contents of the reference is the address to our object */
252 key = *(SLH_DSA_KEY **)reference;
253 /* We grabbed, so we detach it */
254 *(SLH_DSA_KEY **)reference = NULL;
255 return key;
256 }
257 return NULL;
258 }
259
slh_dsa_gen_init(void * provctx,int selection,const OSSL_PARAM params[])260 static void *slh_dsa_gen_init(void *provctx, int selection,
261 const OSSL_PARAM params[])
262 {
263 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
264 struct slh_dsa_gen_ctx *gctx = NULL;
265
266 if (!ossl_prov_is_running())
267 return NULL;
268
269 if ((gctx = OPENSSL_zalloc(sizeof(*gctx))) != NULL) {
270 gctx->libctx = libctx;
271 if (!slh_dsa_gen_set_params(gctx, params)) {
272 OPENSSL_free(gctx);
273 gctx = NULL;
274 }
275 }
276 return gctx;
277 }
278
279 #ifdef FIPS_MODULE
280 /*
281 * Refer to FIPS 140-3 IG 10.3.A Additional Comment 1
282 * Perform a pairwise test for SLH_DSA by signing and verifying a signature.
283 */
slh_dsa_fips140_pairwise_test(SLH_DSA_HASH_CTX * ctx,const SLH_DSA_KEY * key,OSSL_LIB_CTX * lib_ctx)284 static int slh_dsa_fips140_pairwise_test(SLH_DSA_HASH_CTX *ctx,
285 const SLH_DSA_KEY *key,
286 OSSL_LIB_CTX *lib_ctx)
287 {
288 int ret = 0;
289 OSSL_SELF_TEST *st = NULL;
290 OSSL_CALLBACK *cb = NULL;
291 void *cb_arg = NULL;
292 uint8_t msg[16] = {0};
293 size_t msg_len = sizeof(msg);
294 uint8_t *sig = NULL;
295 size_t sig_len;
296
297 /* During self test, it is a waste to do this test */
298 if (ossl_fips_self_testing())
299 return 1;
300
301 OSSL_SELF_TEST_get_callback(lib_ctx, &cb, &cb_arg);
302 st = OSSL_SELF_TEST_new(cb, cb_arg);
303 if (st == NULL)
304 return 0;
305
306 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
307 OSSL_SELF_TEST_DESC_PCT_SLH_DSA);
308
309 sig_len = ossl_slh_dsa_key_get_sig_len(key);
310 sig = OPENSSL_malloc(sig_len);
311 if (sig == NULL)
312 goto err;
313
314 if (ossl_slh_dsa_sign(ctx, msg, msg_len, NULL, 0, NULL, 0,
315 sig, &sig_len, sig_len) != 1)
316 goto err;
317
318 OSSL_SELF_TEST_oncorrupt_byte(st, sig);
319
320 if (ossl_slh_dsa_verify(ctx, msg, msg_len, NULL, 0, 0, sig, sig_len) != 1)
321 goto err;
322
323 ret = 1;
324 err:
325 OPENSSL_free(sig);
326 OSSL_SELF_TEST_onend(st, ret);
327 OSSL_SELF_TEST_free(st);
328 return ret;
329 }
330 #endif /* FIPS_MODULE */
331
slh_dsa_gen(void * genctx,const char * alg)332 static void *slh_dsa_gen(void *genctx, const char *alg)
333 {
334 struct slh_dsa_gen_ctx *gctx = genctx;
335 SLH_DSA_KEY *key = NULL;
336 SLH_DSA_HASH_CTX *ctx = NULL;
337
338 if (!ossl_prov_is_running())
339 return NULL;
340 key = ossl_slh_dsa_key_new(gctx->libctx, gctx->propq, alg);
341 if (key == NULL)
342 return NULL;
343 ctx = ossl_slh_dsa_hash_ctx_new(key);
344 if (ctx == NULL)
345 return NULL;
346 if (!ossl_slh_dsa_generate_key(ctx, key, gctx->libctx,
347 gctx->entropy, gctx->entropy_len))
348 goto err;
349 #ifdef FIPS_MODULE
350 if (!slh_dsa_fips140_pairwise_test(ctx, key, gctx->libctx)) {
351 ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
352 goto err;
353 }
354 #endif /* FIPS_MODULE */
355 ossl_slh_dsa_hash_ctx_free(ctx);
356 return key;
357 err:
358 ossl_slh_dsa_hash_ctx_free(ctx);
359 ossl_slh_dsa_key_free(key);
360 return NULL;
361 }
362
slh_dsa_gen_set_params(void * genctx,const OSSL_PARAM params[])363 static int slh_dsa_gen_set_params(void *genctx, const OSSL_PARAM params[])
364 {
365 struct slh_dsa_gen_ctx *gctx = genctx;
366 const OSSL_PARAM *p;
367
368 if (gctx == NULL)
369 return 0;
370
371 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_SLH_DSA_SEED);
372 if (p != NULL) {
373 void *vp = gctx->entropy;
374 size_t len = sizeof(gctx->entropy);
375
376 if (!OSSL_PARAM_get_octet_string(p, &vp, len, &(gctx->entropy_len))) {
377 gctx->entropy_len = 0;
378 return 0;
379 }
380 }
381
382 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PROPERTIES);
383 if (p != NULL) {
384 if (p->data_type != OSSL_PARAM_UTF8_STRING)
385 return 0;
386 OPENSSL_free(gctx->propq);
387 gctx->propq = OPENSSL_strdup(p->data);
388 if (gctx->propq == NULL)
389 return 0;
390 }
391 return 1;
392 }
393
slh_dsa_gen_settable_params(ossl_unused void * genctx,ossl_unused void * provctx)394 static const OSSL_PARAM *slh_dsa_gen_settable_params(ossl_unused void *genctx,
395 ossl_unused void *provctx)
396 {
397 static OSSL_PARAM settable[] = {
398 OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_PROPERTIES, NULL, 0),
399 OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_SLH_DSA_SEED, NULL, 0),
400 OSSL_PARAM_END
401 };
402 return settable;
403 }
404
slh_dsa_gen_cleanup(void * genctx)405 static void slh_dsa_gen_cleanup(void *genctx)
406 {
407 struct slh_dsa_gen_ctx *gctx = genctx;
408
409 if (gctx == NULL)
410 return;
411
412 OPENSSL_cleanse(gctx->entropy, gctx->entropy_len);
413 OPENSSL_free(gctx->propq);
414 OPENSSL_free(gctx);
415 }
416
417 #define MAKE_KEYMGMT_FUNCTIONS(alg, fn) \
418 static OSSL_FUNC_keymgmt_new_fn slh_dsa_##fn##_new_key; \
419 static OSSL_FUNC_keymgmt_gen_fn slh_dsa_##fn##_gen; \
420 static void *slh_dsa_##fn##_new_key(void *provctx) \
421 { \
422 return slh_dsa_new_key(provctx, alg); \
423 } \
424 static void *slh_dsa_##fn##_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)\
425 { \
426 return slh_dsa_gen(genctx, alg); \
427 } \
428 const OSSL_DISPATCH ossl_slh_dsa_##fn##_keymgmt_functions[] = { \
429 { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))slh_dsa_##fn##_new_key }, \
430 { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))slh_dsa_free_key }, \
431 { OSSL_FUNC_KEYMGMT_DUP, (void (*)(void))slh_dsa_dup_key }, \
432 { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))slh_dsa_has }, \
433 { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))slh_dsa_match }, \
434 { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))slh_dsa_import }, \
435 { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))slh_dsa_imexport_types },\
436 { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))slh_dsa_export }, \
437 { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))slh_dsa_imexport_types },\
438 { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))slh_dsa_load }, \
439 { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))slh_dsa_get_params }, \
440 { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))slh_dsa_gettable_params },\
441 { OSSL_FUNC_KEYMGMT_VALIDATE, (void (*)(void))slh_dsa_validate }, \
442 { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))slh_dsa_gen_init }, \
443 { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))slh_dsa_##fn##_gen }, \
444 { OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))slh_dsa_gen_cleanup },\
445 { OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS, \
446 (void (*)(void))slh_dsa_gen_set_params }, \
447 { OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS, \
448 (void (*)(void))slh_dsa_gen_settable_params }, \
449 OSSL_DISPATCH_END \
450 }
451
452 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-128s", sha2_128s);
453 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-128f", sha2_128f);
454 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-192s", sha2_192s);
455 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-192f", sha2_192f);
456 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-256s", sha2_256s);
457 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-256f", sha2_256f);
458 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-128s", shake_128s);
459 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-128f", shake_128f);
460 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-192s", shake_192s);
461 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-192f", shake_192f);
462 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-256s", shake_256s);
463 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-256f", shake_256f);
464