1 /*
2 * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/core_dispatch.h>
11 #include <openssl/core_names.h>
12 #include <openssl/param_build.h>
13 #include <openssl/self_test.h>
14 #include <openssl/proverr.h>
15 #include "crypto/slh_dsa.h"
16 #include "internal/fips.h"
17 #include "internal/param_build_set.h"
18 #include "prov/implementations.h"
19 #include "prov/providercommon.h"
20 #include "prov/provider_ctx.h"
21
22 #ifdef FIPS_MODULE
23 static int slh_dsa_fips140_pairwise_test(const SLH_DSA_KEY *key,
24 SLH_DSA_HASH_CTX *ctx);
25 #endif /* FIPS_MODULE */
26
27 static OSSL_FUNC_keymgmt_free_fn slh_dsa_free_key;
28 static OSSL_FUNC_keymgmt_has_fn slh_dsa_has;
29 static OSSL_FUNC_keymgmt_match_fn slh_dsa_match;
30 static OSSL_FUNC_keymgmt_import_fn slh_dsa_import;
31 static OSSL_FUNC_keymgmt_export_fn slh_dsa_export;
32 static OSSL_FUNC_keymgmt_import_types_fn slh_dsa_imexport_types;
33 static OSSL_FUNC_keymgmt_export_types_fn slh_dsa_imexport_types;
34 static OSSL_FUNC_keymgmt_load_fn slh_dsa_load;
35 static OSSL_FUNC_keymgmt_get_params_fn slh_dsa_get_params;
36 static OSSL_FUNC_keymgmt_gettable_params_fn slh_dsa_gettable_params;
37 static OSSL_FUNC_keymgmt_validate_fn slh_dsa_validate;
38 static OSSL_FUNC_keymgmt_gen_init_fn slh_dsa_gen_init;
39 static OSSL_FUNC_keymgmt_gen_cleanup_fn slh_dsa_gen_cleanup;
40 static OSSL_FUNC_keymgmt_gen_set_params_fn slh_dsa_gen_set_params;
41 static OSSL_FUNC_keymgmt_gen_settable_params_fn slh_dsa_gen_settable_params;
42 static OSSL_FUNC_keymgmt_dup_fn slh_dsa_dup_key;
43
44 #define SLH_DSA_POSSIBLE_SELECTIONS (OSSL_KEYMGMT_SELECT_KEYPAIR)
45
46 struct slh_dsa_gen_ctx {
47 SLH_DSA_HASH_CTX *ctx;
48 OSSL_LIB_CTX *libctx;
49 char *propq;
50 uint8_t entropy[SLH_DSA_MAX_N * 3];
51 size_t entropy_len;
52 };
53
slh_dsa_new_key(void * provctx,const char * alg)54 static void *slh_dsa_new_key(void *provctx, const char *alg)
55 {
56 if (!ossl_prov_is_running())
57 return 0;
58
59 return ossl_slh_dsa_key_new(PROV_LIBCTX_OF(provctx), NULL, alg);
60 }
61
slh_dsa_free_key(void * keydata)62 static void slh_dsa_free_key(void *keydata)
63 {
64 ossl_slh_dsa_key_free((SLH_DSA_KEY *)keydata);
65 }
66
slh_dsa_dup_key(const void * keydata_from,int selection)67 static void *slh_dsa_dup_key(const void *keydata_from, int selection)
68 {
69 if (ossl_prov_is_running())
70 return ossl_slh_dsa_key_dup(keydata_from, selection);
71 return NULL;
72 }
73
slh_dsa_has(const void * keydata,int selection)74 static int slh_dsa_has(const void *keydata, int selection)
75 {
76 const SLH_DSA_KEY *key = keydata;
77
78 if (!ossl_prov_is_running() || key == NULL)
79 return 0;
80 if ((selection & SLH_DSA_POSSIBLE_SELECTIONS) == 0)
81 return 1; /* the selection is not missing */
82
83 return ossl_slh_dsa_key_has(key, selection);
84 }
85
slh_dsa_match(const void * keydata1,const void * keydata2,int selection)86 static int slh_dsa_match(const void *keydata1, const void *keydata2, int selection)
87 {
88 const SLH_DSA_KEY *key1 = keydata1;
89 const SLH_DSA_KEY *key2 = keydata2;
90
91 if (!ossl_prov_is_running())
92 return 0;
93 if (key1 == NULL || key2 == NULL)
94 return 0;
95 return ossl_slh_dsa_key_equal(key1, key2, selection);
96 }
97
slh_dsa_validate(const void * key_data,int selection,int check_type)98 static int slh_dsa_validate(const void *key_data, int selection, int check_type)
99 {
100 const SLH_DSA_KEY *key = key_data;
101
102 if (!slh_dsa_has(key, selection))
103 return 0;
104
105 if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR)
106 return ossl_slh_dsa_key_pairwise_check(key);
107 return 1;
108 }
109
slh_dsa_import(void * keydata,int selection,const OSSL_PARAM params[])110 static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
111 {
112 SLH_DSA_KEY *key = keydata;
113 int include_priv;
114
115 if (!ossl_prov_is_running() || key == NULL)
116 return 0;
117
118 if ((selection & SLH_DSA_POSSIBLE_SELECTIONS) == 0)
119 return 0;
120
121 include_priv = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0);
122 return ossl_slh_dsa_key_fromdata(key, params, include_priv);
123 }
124
125 #define SLH_DSA_IMEXPORTABLE_PARAMETERS \
126 OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0), \
127 OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)
128
129 static const OSSL_PARAM slh_dsa_key_types[] = {
130 SLH_DSA_IMEXPORTABLE_PARAMETERS,
131 OSSL_PARAM_END
132 };
slh_dsa_imexport_types(int selection)133 static const OSSL_PARAM *slh_dsa_imexport_types(int selection)
134 {
135 if ((selection & SLH_DSA_POSSIBLE_SELECTIONS) == 0)
136 return NULL;
137 return slh_dsa_key_types;
138 }
139
140 static const OSSL_PARAM slh_dsa_params[] = {
141 OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
142 OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
143 OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
144 OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0),
145 SLH_DSA_IMEXPORTABLE_PARAMETERS,
146 OSSL_PARAM_END
147 };
slh_dsa_gettable_params(void * provctx)148 static const OSSL_PARAM *slh_dsa_gettable_params(void *provctx)
149 {
150 return slh_dsa_params;
151 }
152
key_to_params(SLH_DSA_KEY * key,OSSL_PARAM_BLD * tmpl,int selection)153 static int key_to_params(SLH_DSA_KEY *key, OSSL_PARAM_BLD *tmpl,
154 int selection)
155 {
156 /* Error if there is no key or public key */
157 if (key == NULL || ossl_slh_dsa_key_get_pub(key) == NULL)
158 return 0;
159
160 if (((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
161 && ossl_slh_dsa_key_get_priv(key) != NULL)
162 if (ossl_param_build_set_octet_string(tmpl, NULL,
163 OSSL_PKEY_PARAM_PRIV_KEY,
164 ossl_slh_dsa_key_get_priv(key),
165 ossl_slh_dsa_key_get_priv_len(key)) != 1)
166 return 0;
167
168 if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
169 return 1;
170
171 return ossl_param_build_set_octet_string(tmpl, NULL,
172 OSSL_PKEY_PARAM_PUB_KEY,
173 ossl_slh_dsa_key_get_pub(key),
174 ossl_slh_dsa_key_get_pub_len(key));
175 }
176
slh_dsa_get_params(void * keydata,OSSL_PARAM params[])177 static int slh_dsa_get_params(void *keydata, OSSL_PARAM params[])
178 {
179 SLH_DSA_KEY *key = keydata;
180 OSSL_PARAM *p;
181 const uint8_t *pub, *priv;
182
183 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL
184 && !OSSL_PARAM_set_int(p, 8 * ossl_slh_dsa_key_get_pub_len(key)))
185 return 0;
186 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL
187 && !OSSL_PARAM_set_int(p, 8 * ossl_slh_dsa_key_get_n(key)))
188 return 0;
189 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
190 && !OSSL_PARAM_set_int(p, ossl_slh_dsa_key_get_sig_len(key)))
191 return 0;
192
193 priv = ossl_slh_dsa_key_get_priv(key);
194 if (priv != NULL) {
195 p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_PRIV_KEY);
196 /* Note: ossl_slh_dsa_key_get_priv_len() includes the public key */
197 if (p != NULL
198 && !OSSL_PARAM_set_octet_string(p, priv,
199 ossl_slh_dsa_key_get_priv_len(key)))
200 return 0;
201 }
202 pub = ossl_slh_dsa_key_get_pub(key);
203 if (pub != NULL) {
204 p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_PUB_KEY);
205 if (p != NULL
206 && !OSSL_PARAM_set_octet_string(p, pub,
207 ossl_slh_dsa_key_get_pub_len(key)))
208 return 0;
209 }
210 /*
211 * This allows apps to use an empty digest, so that the old API
212 * for digest signing can be used.
213 */
214 p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MANDATORY_DIGEST);
215 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ""))
216 return 0;
217 return 1;
218 }
219
slh_dsa_export(void * keydata,int selection,OSSL_CALLBACK * param_cb,void * cbarg)220 static int slh_dsa_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
221 void *cbarg)
222 {
223 SLH_DSA_KEY *key = keydata;
224 OSSL_PARAM_BLD *tmpl;
225 OSSL_PARAM *params = NULL;
226 int ret = 0;
227
228 if (!ossl_prov_is_running() || key == NULL)
229 return 0;
230
231 if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
232 return 0;
233
234 tmpl = OSSL_PARAM_BLD_new();
235 if (tmpl == NULL)
236 return 0;
237
238 if (!key_to_params(key, tmpl, selection))
239 goto err;
240
241 params = OSSL_PARAM_BLD_to_param(tmpl);
242 if (params == NULL)
243 goto err;
244
245 ret = param_cb(params, cbarg);
246 OSSL_PARAM_free(params);
247 err:
248 OSSL_PARAM_BLD_free(tmpl);
249 return ret;
250 }
251
slh_dsa_load(const void * reference,size_t reference_sz)252 static void *slh_dsa_load(const void *reference, size_t reference_sz)
253 {
254 SLH_DSA_KEY *key = NULL;
255
256 if (ossl_prov_is_running() && reference_sz == sizeof(key)) {
257 /* The contents of the reference is the address to our object */
258 key = *(SLH_DSA_KEY **)reference;
259 /* We grabbed, so we detach it */
260 *(SLH_DSA_KEY **)reference = NULL;
261 return key;
262 }
263 return NULL;
264 }
265
slh_dsa_gen_init(void * provctx,int selection,const OSSL_PARAM params[])266 static void *slh_dsa_gen_init(void *provctx, int selection,
267 const OSSL_PARAM params[])
268 {
269 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
270 struct slh_dsa_gen_ctx *gctx = NULL;
271
272 if (!ossl_prov_is_running())
273 return NULL;
274
275 if ((gctx = OPENSSL_zalloc(sizeof(*gctx))) != NULL) {
276 gctx->libctx = libctx;
277 if (!slh_dsa_gen_set_params(gctx, params)) {
278 OPENSSL_free(gctx);
279 gctx = NULL;
280 }
281 }
282 return gctx;
283 }
284
285 #ifdef FIPS_MODULE
286 /*
287 * Refer to FIPS 140-3 IG 10.3.A Additional Comment 1
288 * Perform a pairwise test for SLH_DSA by signing and verifying a signature.
289 */
slh_dsa_fips140_pairwise_test(const SLH_DSA_KEY * key,SLH_DSA_HASH_CTX * ctx)290 static int slh_dsa_fips140_pairwise_test(const SLH_DSA_KEY *key,
291 SLH_DSA_HASH_CTX *ctx)
292 {
293 int ret = 0;
294 OSSL_SELF_TEST *st = NULL;
295 OSSL_CALLBACK *cb = NULL;
296 void *cb_arg = NULL;
297 uint8_t msg[16] = {0};
298 size_t msg_len = sizeof(msg);
299 uint8_t *sig = NULL;
300 size_t sig_len;
301 OSSL_LIB_CTX *lib_ctx;
302 int alloc_ctx = 0;
303
304 /* During self test, it is a waste to do this test */
305 if (ossl_fips_self_testing())
306 return 1;
307
308 if (ctx == NULL) {
309 ctx = ossl_slh_dsa_hash_ctx_new(key);
310 if (ctx == NULL)
311 return 0;
312 alloc_ctx = 1;
313 }
314 lib_ctx = ossl_slh_dsa_key_get0_libctx(key);
315
316 OSSL_SELF_TEST_get_callback(lib_ctx, &cb, &cb_arg);
317 st = OSSL_SELF_TEST_new(cb, cb_arg);
318 if (st == NULL)
319 goto err;
320
321 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
322 OSSL_SELF_TEST_DESC_PCT_SLH_DSA);
323
324 sig_len = ossl_slh_dsa_key_get_sig_len(key);
325 sig = OPENSSL_malloc(sig_len);
326 if (sig == NULL)
327 goto err;
328
329 if (ossl_slh_dsa_sign(ctx, msg, msg_len, NULL, 0, NULL, 0,
330 sig, &sig_len, sig_len) != 1)
331 goto err;
332
333 OSSL_SELF_TEST_oncorrupt_byte(st, sig);
334
335 if (ossl_slh_dsa_verify(ctx, msg, msg_len, NULL, 0, 0, sig, sig_len) != 1)
336 goto err;
337
338 ret = 1;
339 err:
340 if (alloc_ctx)
341 ossl_slh_dsa_hash_ctx_free(ctx);
342 OPENSSL_free(sig);
343 OSSL_SELF_TEST_onend(st, ret);
344 OSSL_SELF_TEST_free(st);
345 return ret;
346 }
347 #endif /* FIPS_MODULE */
348
slh_dsa_gen(void * genctx,const char * alg)349 static void *slh_dsa_gen(void *genctx, const char *alg)
350 {
351 struct slh_dsa_gen_ctx *gctx = genctx;
352 SLH_DSA_KEY *key = NULL;
353 SLH_DSA_HASH_CTX *ctx = NULL;
354
355 if (!ossl_prov_is_running())
356 return NULL;
357 key = ossl_slh_dsa_key_new(gctx->libctx, gctx->propq, alg);
358 if (key == NULL)
359 return NULL;
360 ctx = ossl_slh_dsa_hash_ctx_new(key);
361 if (ctx == NULL)
362 goto err;
363 if (!ossl_slh_dsa_generate_key(ctx, key, gctx->libctx,
364 gctx->entropy, gctx->entropy_len))
365 goto err;
366 #ifdef FIPS_MODULE
367 if (!slh_dsa_fips140_pairwise_test(key, ctx)) {
368 ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
369 goto err;
370 }
371 #endif /* FIPS_MODULE */
372 ossl_slh_dsa_hash_ctx_free(ctx);
373 return key;
374 err:
375 ossl_slh_dsa_hash_ctx_free(ctx);
376 ossl_slh_dsa_key_free(key);
377 return NULL;
378 }
379
slh_dsa_gen_set_params(void * genctx,const OSSL_PARAM params[])380 static int slh_dsa_gen_set_params(void *genctx, const OSSL_PARAM params[])
381 {
382 struct slh_dsa_gen_ctx *gctx = genctx;
383 const OSSL_PARAM *p;
384
385 if (gctx == NULL)
386 return 0;
387
388 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_SLH_DSA_SEED);
389 if (p != NULL) {
390 void *vp = gctx->entropy;
391 size_t len = sizeof(gctx->entropy);
392
393 if (!OSSL_PARAM_get_octet_string(p, &vp, len, &(gctx->entropy_len))) {
394 gctx->entropy_len = 0;
395 return 0;
396 }
397 }
398
399 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PROPERTIES);
400 if (p != NULL) {
401 if (p->data_type != OSSL_PARAM_UTF8_STRING)
402 return 0;
403 OPENSSL_free(gctx->propq);
404 gctx->propq = OPENSSL_strdup(p->data);
405 if (gctx->propq == NULL)
406 return 0;
407 }
408 return 1;
409 }
410
slh_dsa_gen_settable_params(ossl_unused void * genctx,ossl_unused void * provctx)411 static const OSSL_PARAM *slh_dsa_gen_settable_params(ossl_unused void *genctx,
412 ossl_unused void *provctx)
413 {
414 static OSSL_PARAM settable[] = {
415 OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_PROPERTIES, NULL, 0),
416 OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_SLH_DSA_SEED, NULL, 0),
417 OSSL_PARAM_END
418 };
419 return settable;
420 }
421
slh_dsa_gen_cleanup(void * genctx)422 static void slh_dsa_gen_cleanup(void *genctx)
423 {
424 struct slh_dsa_gen_ctx *gctx = genctx;
425
426 if (gctx == NULL)
427 return;
428
429 OPENSSL_cleanse(gctx->entropy, gctx->entropy_len);
430 OPENSSL_free(gctx->propq);
431 OPENSSL_free(gctx);
432 }
433
434 #define MAKE_KEYMGMT_FUNCTIONS(alg, fn) \
435 static OSSL_FUNC_keymgmt_new_fn slh_dsa_##fn##_new_key; \
436 static OSSL_FUNC_keymgmt_gen_fn slh_dsa_##fn##_gen; \
437 static void *slh_dsa_##fn##_new_key(void *provctx) \
438 { \
439 return slh_dsa_new_key(provctx, alg); \
440 } \
441 static void *slh_dsa_##fn##_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)\
442 { \
443 return slh_dsa_gen(genctx, alg); \
444 } \
445 const OSSL_DISPATCH ossl_slh_dsa_##fn##_keymgmt_functions[] = { \
446 { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))slh_dsa_##fn##_new_key }, \
447 { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))slh_dsa_free_key }, \
448 { OSSL_FUNC_KEYMGMT_DUP, (void (*)(void))slh_dsa_dup_key }, \
449 { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))slh_dsa_has }, \
450 { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))slh_dsa_match }, \
451 { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))slh_dsa_import }, \
452 { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))slh_dsa_imexport_types },\
453 { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))slh_dsa_export }, \
454 { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))slh_dsa_imexport_types },\
455 { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))slh_dsa_load }, \
456 { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))slh_dsa_get_params }, \
457 { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))slh_dsa_gettable_params },\
458 { OSSL_FUNC_KEYMGMT_VALIDATE, (void (*)(void))slh_dsa_validate }, \
459 { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))slh_dsa_gen_init }, \
460 { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))slh_dsa_##fn##_gen }, \
461 { OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))slh_dsa_gen_cleanup },\
462 { OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS, \
463 (void (*)(void))slh_dsa_gen_set_params }, \
464 { OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS, \
465 (void (*)(void))slh_dsa_gen_settable_params }, \
466 OSSL_DISPATCH_END \
467 }
468
469 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-128s", sha2_128s);
470 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-128f", sha2_128f);
471 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-192s", sha2_192s);
472 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-192f", sha2_192f);
473 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-256s", sha2_256s);
474 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHA2-256f", sha2_256f);
475 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-128s", shake_128s);
476 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-128f", shake_128f);
477 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-192s", shake_192s);
478 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-192f", shake_192f);
479 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-256s", shake_256s);
480 MAKE_KEYMGMT_FUNCTIONS("SLH-DSA-SHAKE-256f", shake_256f);
481