Coverage Report

Created: 2024-11-21 07:03

/src/openssl/providers/implementations/signature/eddsa_sig.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
#include <openssl/crypto.h>
11
#include <openssl/core_dispatch.h>
12
#include <openssl/core_names.h>
13
#include <openssl/err.h>
14
#include <openssl/params.h>
15
#include <openssl/evp.h>
16
#include <openssl/proverr.h>
17
#include "internal/nelem.h"
18
#include "internal/sizes.h"
19
#include "prov/providercommon.h"
20
#include "prov/implementations.h"
21
#include "prov/securitycheck.h"
22
#include "prov/provider_ctx.h"
23
#include "prov/der_ecx.h"
24
#include "crypto/ecx.h"
25
26
#ifdef S390X_EC_ASM
27
# include "s390x_arch.h"
28
29
# define S390X_CAN_SIGN(edtype)                                                \
30
((OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_##edtype))    \
31
&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_##edtype))      \
32
&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_##edtype)))
33
34
static int s390x_ed25519_digestsign(const ECX_KEY *edkey, unsigned char *sig,
35
                                    const unsigned char *tbs, size_t tbslen);
36
static int s390x_ed448_digestsign(const ECX_KEY *edkey, unsigned char *sig,
37
                                  const unsigned char *tbs, size_t tbslen);
38
static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
39
                                      const unsigned char *sig,
40
                                      const unsigned char *tbs, size_t tbslen);
41
static int s390x_ed448_digestverify(const ECX_KEY *edkey,
42
                                    const unsigned char *sig,
43
                                    const unsigned char *tbs, size_t tbslen);
44
45
#endif /* S390X_EC_ASM */
46
47
enum ID_EdDSA_INSTANCE {
48
    ID_NOT_SET = 0,
49
    ID_Ed25519,
50
    ID_Ed25519ctx,
51
    ID_Ed25519ph,
52
    ID_Ed448,
53
    ID_Ed448ph
54
};
55
56
0
#define SN_Ed25519    "Ed25519"
57
0
#define SN_Ed25519ph  "Ed25519ph"
58
0
#define SN_Ed25519ctx "Ed25519ctx"
59
0
#define SN_Ed448      "Ed448"
60
0
#define SN_Ed448ph    "Ed448ph"
61
62
#define EDDSA_MAX_CONTEXT_STRING_LEN 255
63
0
#define EDDSA_PREHASH_OUTPUT_LEN 64
64
65
static OSSL_FUNC_signature_newctx_fn eddsa_newctx;
66
static OSSL_FUNC_signature_sign_message_init_fn ed25519_signverify_message_init;
67
static OSSL_FUNC_signature_sign_message_init_fn ed25519ph_signverify_message_init;
68
static OSSL_FUNC_signature_sign_message_init_fn ed25519ctx_signverify_message_init;
69
static OSSL_FUNC_signature_sign_message_init_fn ed448_signverify_message_init;
70
static OSSL_FUNC_signature_sign_message_init_fn ed448ph_signverify_message_init;
71
static OSSL_FUNC_signature_sign_fn ed25519_sign;
72
static OSSL_FUNC_signature_sign_fn ed448_sign;
73
static OSSL_FUNC_signature_verify_fn ed25519_verify;
74
static OSSL_FUNC_signature_verify_fn ed448_verify;
75
static OSSL_FUNC_signature_digest_sign_init_fn ed25519_digest_signverify_init;
76
static OSSL_FUNC_signature_digest_sign_init_fn ed448_digest_signverify_init;
77
static OSSL_FUNC_signature_digest_sign_fn ed25519_digest_sign;
78
static OSSL_FUNC_signature_digest_sign_fn ed448_digest_sign;
79
static OSSL_FUNC_signature_digest_verify_fn ed25519_digest_verify;
80
static OSSL_FUNC_signature_digest_verify_fn ed448_digest_verify;
81
static OSSL_FUNC_signature_freectx_fn eddsa_freectx;
82
static OSSL_FUNC_signature_dupctx_fn eddsa_dupctx;
83
static OSSL_FUNC_signature_query_key_types_fn ed25519_sigalg_query_key_types;
84
static OSSL_FUNC_signature_query_key_types_fn ed448_sigalg_query_key_types;
85
static OSSL_FUNC_signature_get_ctx_params_fn eddsa_get_ctx_params;
86
static OSSL_FUNC_signature_gettable_ctx_params_fn eddsa_gettable_ctx_params;
87
static OSSL_FUNC_signature_set_ctx_params_fn eddsa_set_ctx_params;
88
static OSSL_FUNC_signature_settable_ctx_params_fn eddsa_settable_ctx_params;
89
static OSSL_FUNC_signature_settable_ctx_params_fn eddsa_settable_variant_ctx_params;
90
91
/* there are five EdDSA instances:
92
93
         Ed25519
94
         Ed25519ph
95
         Ed25519ctx
96
         Ed448
97
         Ed448ph
98
99
   Quoting from RFC 8032, Section 5.1:
100
101
     For Ed25519, dom2(f,c) is the empty string.  The phflag value is
102
     irrelevant.  The context (if present at all) MUST be empty.  This
103
     causes the scheme to be one and the same with the Ed25519 scheme
104
     published earlier.
105
106
     For Ed25519ctx, phflag=0.  The context input SHOULD NOT be empty.
107
108
     For Ed25519ph, phflag=1 and PH is SHA512 instead.  That is, the input
109
     is hashed using SHA-512 before signing with Ed25519.
110
111
   Quoting from RFC 8032, Section 5.2:
112
113
     Ed448ph is the same but with PH being SHAKE256(x, 64) and phflag
114
     being 1, i.e., the input is hashed before signing with Ed448 with a
115
     hash constant modified.
116
117
     Value of context is set by signer and verifier (maximum of 255
118
     octets; the default is empty string) and has to match octet by octet
119
     for verification to be successful.
120
121
   Quoting from RFC 8032, Section 2:
122
123
     dom2(x, y)     The blank octet string when signing or verifying
124
                    Ed25519.  Otherwise, the octet string: "SigEd25519 no
125
                    Ed25519 collisions" || octet(x) || octet(OLEN(y)) ||
126
                    y, where x is in range 0-255 and y is an octet string
127
                    of at most 255 octets.  "SigEd25519 no Ed25519
128
                    collisions" is in ASCII (32 octets).
129
130
     dom4(x, y)     The octet string "SigEd448" || octet(x) ||
131
                    octet(OLEN(y)) || y, where x is in range 0-255 and y
132
                    is an octet string of at most 255 octets.  "SigEd448"
133
                    is in ASCII (8 octets).
134
135
   Note above that x is the pre-hash flag, and y is the context string.
136
*/
137
138
typedef struct {
139
    OSSL_LIB_CTX *libctx;
140
    ECX_KEY *key;
141
142
    /* The Algorithm Identifier of the signature algorithm */
143
    unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
144
    size_t  aid_len;
145
146
    /* id indicating the EdDSA instance */
147
    int instance_id;
148
    /* indicates that instance_id and associated flags are preset / hardcoded */
149
    unsigned int instance_id_preset_flag : 1;
150
    /* for ph instances, this indicates whether the caller is expected to prehash */
151
    unsigned int prehash_by_caller_flag : 1;
152
153
    unsigned int dom2_flag : 1;
154
    unsigned int prehash_flag : 1;
155
156
    /* indicates that a non-empty context string is required, as in Ed25519ctx */
157
    unsigned int context_string_flag : 1;
158
159
    unsigned char context_string[EDDSA_MAX_CONTEXT_STRING_LEN];
160
    size_t context_string_len;
161
162
} PROV_EDDSA_CTX;
163
164
static void *eddsa_newctx(void *provctx, const char *propq_unused)
165
0
{
166
0
    PROV_EDDSA_CTX *peddsactx;
167
168
0
    if (!ossl_prov_is_running())
169
0
        return NULL;
170
171
0
    peddsactx = OPENSSL_zalloc(sizeof(PROV_EDDSA_CTX));
172
0
    if (peddsactx == NULL)
173
0
        return NULL;
174
175
0
    peddsactx->libctx = PROV_LIBCTX_OF(provctx);
176
177
0
    return peddsactx;
178
0
}
179
180
static int eddsa_setup_instance(void *vpeddsactx, int instance_id,
181
                                unsigned int instance_id_preset,
182
                                unsigned int prehash_by_caller)
183
0
{
184
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
185
186
0
    switch (instance_id) {
187
0
    case ID_Ed25519:
188
0
        if (peddsactx->key->type != ECX_KEY_TYPE_ED25519)
189
0
            return 0;
190
0
        peddsactx->dom2_flag = 0;
191
0
        peddsactx->prehash_flag = 0;
192
0
        peddsactx->context_string_flag = 0;
193
0
        break;
194
0
    case ID_Ed25519ctx:
195
0
        if (peddsactx->key->type != ECX_KEY_TYPE_ED25519)
196
0
            return 0;
197
0
        peddsactx->dom2_flag = 1;
198
0
        peddsactx->prehash_flag = 0;
199
0
        peddsactx->context_string_flag = 1;
200
0
        break;
201
0
    case ID_Ed25519ph:
202
0
        if (peddsactx->key->type != ECX_KEY_TYPE_ED25519)
203
0
            return 0;
204
0
        peddsactx->dom2_flag = 1;
205
0
        peddsactx->prehash_flag = 1;
206
0
        peddsactx->context_string_flag = 0;
207
0
        break;
208
0
    case ID_Ed448:
209
0
        if (peddsactx->key->type != ECX_KEY_TYPE_ED448)
210
0
            return 0;
211
0
        peddsactx->prehash_flag = 0;
212
0
        peddsactx->context_string_flag = 0;
213
0
        break;
214
0
    case ID_Ed448ph:
215
0
        if (peddsactx->key->type != ECX_KEY_TYPE_ED448)
216
0
            return 0;
217
0
        peddsactx->prehash_flag = 1;
218
0
        peddsactx->context_string_flag = 0;
219
0
        break;
220
0
    default:
221
        /* we did not recognize the instance */
222
0
        return 0;
223
0
    }
224
0
    peddsactx->instance_id = instance_id;
225
0
    peddsactx->instance_id_preset_flag = instance_id_preset;
226
0
    peddsactx->prehash_by_caller_flag = prehash_by_caller;
227
0
    return 1;
228
0
}
229
230
static int eddsa_signverify_init(void *vpeddsactx, void *vedkey)
231
0
{
232
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
233
0
    ECX_KEY *edkey = (ECX_KEY *)vedkey;
234
0
    WPACKET pkt;
235
0
    int ret;
236
0
    unsigned char *aid = NULL;
237
238
0
    if (!ossl_prov_is_running())
239
0
        return 0;
240
241
0
    if (edkey == NULL) {
242
0
        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
243
0
        return 0;
244
0
    }
245
246
0
    if (!ossl_ecx_key_up_ref(edkey)) {
247
0
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
248
0
        return 0;
249
0
    }
250
251
0
    peddsactx->instance_id_preset_flag = 0;
252
0
    peddsactx->dom2_flag = 0;
253
0
    peddsactx->prehash_flag = 0;
254
0
    peddsactx->context_string_flag = 0;
255
0
    peddsactx->context_string_len = 0;
256
257
0
    peddsactx->key = edkey;
258
259
    /*
260
     * We do not care about DER writing errors.
261
     * All it really means is that for some reason, there's no
262
     * AlgorithmIdentifier to be had, but the operation itself is
263
     * still valid, just as long as it's not used to construct
264
     * anything that needs an AlgorithmIdentifier.
265
     */
266
0
    peddsactx->aid_len = 0;
267
0
    ret = WPACKET_init_der(&pkt, peddsactx->aid_buf, sizeof(peddsactx->aid_buf));
268
0
    switch (edkey->type) {
269
0
    case ECX_KEY_TYPE_ED25519:
270
0
        ret = ret && ossl_DER_w_algorithmIdentifier_ED25519(&pkt, -1, edkey);
271
0
        break;
272
0
    case ECX_KEY_TYPE_ED448:
273
0
        ret = ret && ossl_DER_w_algorithmIdentifier_ED448(&pkt, -1, edkey);
274
0
        break;
275
0
    default:
276
        /* Should never happen */
277
0
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
278
0
        ossl_ecx_key_free(edkey);
279
0
        peddsactx->key = NULL;
280
0
        return 0;
281
0
    }
282
0
    if (ret && WPACKET_finish(&pkt)) {
283
0
        WPACKET_get_total_written(&pkt, &peddsactx->aid_len);
284
0
        aid = WPACKET_get_curr(&pkt);
285
0
    }
286
0
    WPACKET_cleanup(&pkt);
287
0
    if (aid != NULL && peddsactx->aid_len != 0)
288
0
        memmove(peddsactx->aid_buf, aid, peddsactx->aid_len);
289
290
0
    return 1;
291
0
}
292
293
static int ed25519_signverify_message_init(void *vpeddsactx, void *vedkey,
294
                                             const OSSL_PARAM params[])
295
0
{
296
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
297
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519, 1, 0)
298
0
        && eddsa_set_ctx_params(vpeddsactx, params);
299
0
}
300
301
static int ed25519ph_signverify_message_init(void *vpeddsactx, void *vedkey,
302
                                             const OSSL_PARAM params[])
303
0
{
304
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
305
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519ph, 1, 0)
306
0
        && eddsa_set_ctx_params(vpeddsactx, params);
307
0
}
308
309
static int ed25519ph_signverify_init(void *vpeddsactx, void *vedkey,
310
                                     const OSSL_PARAM params[])
311
0
{
312
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
313
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519ph, 1, 1)
314
0
        && eddsa_set_ctx_params(vpeddsactx, params);
315
0
}
316
317
/*
318
 * This supports using ED25519 with EVP_PKEY_{sign,verify}_init_ex() and
319
 * EVP_PKEY_{sign,verify}_init_ex2(), under the condition that the caller
320
 * explicitly sets the Ed25519ph instance (this is verified by ed25519_sign()
321
 * and ed25519_verify())
322
 */
323
static int ed25519_signverify_init(void *vpeddsactx, void *vedkey,
324
                                   const OSSL_PARAM params[])
325
0
{
326
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
327
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519, 0, 1)
328
0
        && eddsa_set_ctx_params(vpeddsactx, params);
329
0
}
330
331
static int ed25519ctx_signverify_message_init(void *vpeddsactx, void *vedkey,
332
                                             const OSSL_PARAM params[])
333
0
{
334
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
335
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519ctx, 1, 0)
336
0
        && eddsa_set_ctx_params(vpeddsactx, params);
337
0
}
338
339
static int ed448_signverify_message_init(void *vpeddsactx, void *vedkey,
340
                                         const OSSL_PARAM params[])
341
0
{
342
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
343
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed448, 1, 0)
344
0
        && eddsa_set_ctx_params(vpeddsactx, params);
345
0
}
346
347
static int ed448ph_signverify_message_init(void *vpeddsactx, void *vedkey,
348
                                           const OSSL_PARAM params[])
349
0
{
350
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
351
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed448ph, 1, 0)
352
0
        && eddsa_set_ctx_params(vpeddsactx, params);
353
0
}
354
355
static int ed448ph_signverify_init(void *vpeddsactx, void *vedkey,
356
                                   const OSSL_PARAM params[])
357
0
{
358
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
359
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed448ph, 1, 1)
360
0
        && eddsa_set_ctx_params(vpeddsactx, params);
361
0
}
362
363
/*
364
 * This supports using ED448 with EVP_PKEY_{sign,verify}_init_ex() and
365
 * EVP_PKEY_{sign,verify}_init_ex2(), under the condition that the caller
366
 * explicitly sets the Ed448ph instance (this is verified by ed448_sign()
367
 * and ed448_verify())
368
 */
369
static int ed448_signverify_init(void *vpeddsactx, void *vedkey,
370
                                   const OSSL_PARAM params[])
371
0
{
372
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
373
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed448, 0, 1)
374
0
        && eddsa_set_ctx_params(vpeddsactx, params);
375
0
}
376
377
/*
378
 * This is used directly for OSSL_FUNC_SIGNATURE_SIGN and indirectly
379
 * for OSSL_FUNC_SIGNATURE_DIGEST_SIGN
380
 */
381
static int ed25519_sign(void *vpeddsactx,
382
                        unsigned char *sigret, size_t *siglen, size_t sigsize,
383
                        const unsigned char *tbs, size_t tbslen)
384
0
{
385
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
386
0
    const ECX_KEY *edkey = peddsactx->key;
387
0
    uint8_t md[EVP_MAX_MD_SIZE];
388
0
    size_t mdlen;
389
390
0
    if (!ossl_prov_is_running())
391
0
        return 0;
392
393
0
    if (sigret == NULL) {
394
0
        *siglen = ED25519_SIGSIZE;
395
0
        return 1;
396
0
    }
397
0
    if (sigsize < ED25519_SIGSIZE) {
398
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
399
0
        return 0;
400
0
    }
401
0
    if (edkey->privkey == NULL) {
402
0
        ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
403
0
        return 0;
404
0
    }
405
#ifdef S390X_EC_ASM
406
    /*
407
     * s390x_ed25519_digestsign() does not yet support dom2 or context-strings.
408
     * fall back to non-accelerated sign if those options are set, or pre-hasing
409
     * is provided.
410
     */
411
    if (S390X_CAN_SIGN(ED25519)
412
            && !peddsactx->dom2_flag
413
            && !peddsactx->context_string_flag
414
            && peddsactx->context_string_len == 0
415
            && !peddsactx->prehash_flag
416
            && !peddsactx->prehash_by_caller_flag) {
417
        if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) {
418
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
419
            return 0;
420
        }
421
        *siglen = ED25519_SIGSIZE;
422
        return 1;
423
    }
424
#endif /* S390X_EC_ASM */
425
426
0
    if (peddsactx->prehash_flag) {
427
0
        if (!peddsactx->prehash_by_caller_flag) {
428
0
            if (!EVP_Q_digest(peddsactx->libctx, SN_sha512, NULL,
429
0
                              tbs, tbslen, md, &mdlen)
430
0
                || mdlen != EDDSA_PREHASH_OUTPUT_LEN) {
431
0
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PREHASHED_DIGEST_LENGTH);
432
0
                return 0;
433
0
            }
434
0
            tbs = md;
435
0
            tbslen = mdlen;
436
0
        } else if (tbslen != EDDSA_PREHASH_OUTPUT_LEN) {
437
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
438
0
            return 0;
439
0
        }
440
0
    } else if (peddsactx->prehash_by_caller_flag) {
441
        /* The caller is supposed to set up a ph instance! */
442
0
        ERR_raise(ERR_LIB_PROV,
443
0
                  PROV_R_INVALID_EDDSA_INSTANCE_FOR_ATTEMPTED_OPERATION);
444
0
        return 0;
445
0
    }
446
447
0
    if (ossl_ed25519_sign(sigret, tbs, tbslen, edkey->pubkey, edkey->privkey,
448
0
            peddsactx->dom2_flag, peddsactx->prehash_flag, peddsactx->context_string_flag,
449
0
            peddsactx->context_string, peddsactx->context_string_len,
450
0
            peddsactx->libctx, NULL) == 0) {
451
0
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
452
0
        return 0;
453
0
    }
454
0
    *siglen = ED25519_SIGSIZE;
455
0
    return 1;
456
0
}
457
458
/* EVP_Q_digest() does not allow variable output length for XOFs,
459
   so we use this function */
460
static int ed448_shake256(OSSL_LIB_CTX *libctx,
461
                          const char *propq,
462
                          const uint8_t *in, size_t inlen,
463
                          uint8_t *out, size_t outlen)
464
0
{
465
0
    int ret = 0;
466
0
    EVP_MD_CTX *hash_ctx = EVP_MD_CTX_new();
467
0
    EVP_MD *shake256 = EVP_MD_fetch(libctx, SN_shake256, propq);
468
469
0
    if (hash_ctx == NULL || shake256 == NULL)
470
0
        goto err;
471
472
0
    if (!EVP_DigestInit_ex(hash_ctx, shake256, NULL)
473
0
            || !EVP_DigestUpdate(hash_ctx, in, inlen)
474
0
            || !EVP_DigestFinalXOF(hash_ctx, out, outlen))
475
0
        goto err;
476
477
0
    ret = 1;
478
479
0
 err:
480
0
    EVP_MD_CTX_free(hash_ctx);
481
0
    EVP_MD_free(shake256);
482
0
    return ret;
483
0
}
484
485
/*
486
 * This is used directly for OSSL_FUNC_SIGNATURE_SIGN and indirectly
487
 * for OSSL_FUNC_SIGNATURE_DIGEST_SIGN
488
 */
489
static int ed448_sign(void *vpeddsactx,
490
                      unsigned char *sigret, size_t *siglen, size_t sigsize,
491
                      const unsigned char *tbs, size_t tbslen)
492
0
{
493
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
494
0
    const ECX_KEY *edkey = peddsactx->key;
495
0
    uint8_t md[EDDSA_PREHASH_OUTPUT_LEN];
496
0
    size_t mdlen = sizeof(md);
497
498
0
    if (!ossl_prov_is_running())
499
0
        return 0;
500
501
0
    if (sigret == NULL) {
502
0
        *siglen = ED448_SIGSIZE;
503
0
        return 1;
504
0
    }
505
0
    if (sigsize < ED448_SIGSIZE) {
506
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
507
0
        return 0;
508
0
    }
509
0
    if (edkey->privkey == NULL) {
510
0
        ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
511
0
        return 0;
512
0
    }
513
#ifdef S390X_EC_ASM
514
    /*
515
     * s390x_ed448_digestsign() does not yet support context-strings or
516
     * pre-hashing. Fall back to non-accelerated sign if a context-string or
517
     * pre-hasing is provided.
518
     */
519
    if (S390X_CAN_SIGN(ED448)
520
            && peddsactx->context_string_len == 0
521
            && !peddsactx->prehash_flag
522
            && !peddsactx->prehash_by_caller_flag) {
523
        if (s390x_ed448_digestsign(edkey, sigret, tbs, tbslen) == 0) {
524
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
525
            return 0;
526
        }
527
        *siglen = ED448_SIGSIZE;
528
        return 1;
529
    }
530
#endif /* S390X_EC_ASM */
531
532
0
    if (peddsactx->prehash_flag) {
533
0
        if (!peddsactx->prehash_by_caller_flag) {
534
0
            if (!ed448_shake256(peddsactx->libctx, NULL, tbs, tbslen, md, mdlen))
535
0
                return 0;
536
0
            tbs = md;
537
0
            tbslen = mdlen;
538
0
        } else if (tbslen != EDDSA_PREHASH_OUTPUT_LEN) {
539
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
540
0
            return 0;
541
0
        }
542
0
    } else if (peddsactx->prehash_by_caller_flag) {
543
        /* The caller is supposed to set up a ph instance! */
544
0
        ERR_raise(ERR_LIB_PROV,
545
0
                  PROV_R_INVALID_EDDSA_INSTANCE_FOR_ATTEMPTED_OPERATION);
546
0
        return 0;
547
0
    }
548
549
0
    if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen,
550
0
                        edkey->pubkey, edkey->privkey,
551
0
                        peddsactx->context_string, peddsactx->context_string_len,
552
0
                        peddsactx->prehash_flag, edkey->propq) == 0) {
553
0
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
554
0
        return 0;
555
0
    }
556
0
    *siglen = ED448_SIGSIZE;
557
0
    return 1;
558
0
}
559
560
/*
561
 * This is used directly for OSSL_FUNC_SIGNATURE_VERIFY and indirectly
562
 * for OSSL_FUNC_SIGNATURE_DIGEST_VERIFY
563
 */
564
static int ed25519_verify(void *vpeddsactx,
565
                          const unsigned char *sig, size_t siglen,
566
                          const unsigned char *tbs, size_t tbslen)
567
0
{
568
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
569
0
    const ECX_KEY *edkey = peddsactx->key;
570
0
    uint8_t md[EVP_MAX_MD_SIZE];
571
0
    size_t mdlen;
572
573
0
    if (!ossl_prov_is_running() || siglen != ED25519_SIGSIZE)
574
0
        return 0;
575
576
#ifdef S390X_EC_ASM
577
    /*
578
     * s390x_ed25519_digestverify() does not yet support dom2 or context-strings.
579
     * fall back to non-accelerated verify if those options are set, or
580
     * pre-hasing is provided.
581
     */
582
    if (S390X_CAN_SIGN(ED25519)
583
            && !peddsactx->dom2_flag
584
            && !peddsactx->context_string_flag
585
            && peddsactx->context_string_len == 0
586
            && !peddsactx->prehash_flag
587
            && !peddsactx->prehash_by_caller_flag)
588
        return s390x_ed25519_digestverify(edkey, sig, tbs, tbslen);
589
#endif /* S390X_EC_ASM */
590
591
0
    if (peddsactx->prehash_flag) {
592
0
        if (!peddsactx->prehash_by_caller_flag) {
593
0
            if (!EVP_Q_digest(peddsactx->libctx, SN_sha512, NULL,
594
0
                              tbs, tbslen, md, &mdlen)
595
0
                || mdlen != EDDSA_PREHASH_OUTPUT_LEN) {
596
0
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PREHASHED_DIGEST_LENGTH);
597
0
                return 0;
598
0
            }
599
0
            tbs = md;
600
0
            tbslen = mdlen;
601
0
        } else if (tbslen != EDDSA_PREHASH_OUTPUT_LEN) {
602
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
603
0
            return 0;
604
0
        }
605
0
    } else if (peddsactx->prehash_by_caller_flag) {
606
        /* The caller is supposed to set up a ph instance! */
607
0
        ERR_raise(ERR_LIB_PROV,
608
0
                  PROV_R_INVALID_EDDSA_INSTANCE_FOR_ATTEMPTED_OPERATION);
609
0
        return 0;
610
0
    }
611
612
0
    return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey,
613
0
                               peddsactx->dom2_flag, peddsactx->prehash_flag, peddsactx->context_string_flag,
614
0
                               peddsactx->context_string, peddsactx->context_string_len,
615
0
                               peddsactx->libctx, edkey->propq);
616
0
}
617
618
/*
619
 * This is used directly for OSSL_FUNC_SIGNATURE_VERIFY and indirectly
620
 * for OSSL_FUNC_SIGNATURE_DIGEST_VERIFY
621
 */
622
static int ed448_verify(void *vpeddsactx,
623
                        const unsigned char *sig, size_t siglen,
624
                        const unsigned char *tbs, size_t tbslen)
625
0
{
626
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
627
0
    const ECX_KEY *edkey = peddsactx->key;
628
0
    uint8_t md[EDDSA_PREHASH_OUTPUT_LEN];
629
0
    size_t mdlen = sizeof(md);
630
631
0
    if (!ossl_prov_is_running() || siglen != ED448_SIGSIZE)
632
0
        return 0;
633
634
#ifdef S390X_EC_ASM
635
    /*
636
     * s390x_ed448_digestverify() does not yet support context-strings or
637
     * pre-hashing. Fall back to non-accelerated verify if a context-string or
638
     * pre-hasing is provided.
639
     */
640
    if (S390X_CAN_SIGN(ED448)
641
            && peddsactx->context_string_len == 0
642
            && !peddsactx->prehash_flag
643
            && !peddsactx->prehash_by_caller_flag)
644
        return s390x_ed448_digestverify(edkey, sig, tbs, tbslen);
645
#endif /* S390X_EC_ASM */
646
647
0
    if (peddsactx->prehash_flag) {
648
0
        if (!peddsactx->prehash_by_caller_flag) {
649
0
            if (!ed448_shake256(peddsactx->libctx, NULL, tbs, tbslen, md, mdlen))
650
0
                return 0;
651
0
            tbs = md;
652
0
            tbslen = mdlen;
653
0
        } else if (tbslen != EDDSA_PREHASH_OUTPUT_LEN) {
654
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
655
0
            return 0;
656
0
        }
657
0
    } else if (peddsactx->prehash_by_caller_flag) {
658
        /* The caller is supposed to set up a ph instance! */
659
0
        ERR_raise(ERR_LIB_PROV,
660
0
                  PROV_R_INVALID_EDDSA_INSTANCE_FOR_ATTEMPTED_OPERATION);
661
0
        return 0;
662
0
    }
663
664
0
    return ossl_ed448_verify(peddsactx->libctx, tbs, tbslen, sig, edkey->pubkey,
665
0
                             peddsactx->context_string, peddsactx->context_string_len,
666
0
                             peddsactx->prehash_flag, edkey->propq);
667
0
}
668
669
/* All digest_{sign,verify} are simple wrappers around the functions above */
670
671
static int ed25519_digest_signverify_init(void *vpeddsactx, const char *mdname,
672
                                          void *vedkey,
673
                                          const OSSL_PARAM params[])
674
0
{
675
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
676
677
0
    if (mdname != NULL && mdname[0] != '\0') {
678
0
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
679
0
                        "Explicit digest not allowed with EdDSA operations");
680
0
        return 0;
681
0
    }
682
683
0
    if (vedkey == NULL && peddsactx->key != NULL)
684
0
        return eddsa_set_ctx_params(peddsactx, params);
685
686
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
687
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519, 0, 0)
688
0
        && eddsa_set_ctx_params(vpeddsactx, params);
689
0
}
690
691
static int ed25519_digest_sign(void *vpeddsactx,
692
                               unsigned char *sigret, size_t *siglen, size_t sigsize,
693
                               const unsigned char *tbs, size_t tbslen)
694
0
{
695
0
    return ed25519_sign(vpeddsactx, sigret, siglen, sigsize, tbs, tbslen);
696
0
}
697
698
static int ed25519_digest_verify(void *vpeddsactx,
699
                                 const unsigned char *sigret, size_t siglen,
700
                                 const unsigned char *tbs, size_t tbslen)
701
0
{
702
0
    return ed25519_verify(vpeddsactx, sigret, siglen, tbs, tbslen);
703
0
}
704
705
static int ed448_digest_signverify_init(void *vpeddsactx, const char *mdname,
706
                                        void *vedkey,
707
                                        const OSSL_PARAM params[])
708
0
{
709
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
710
711
0
    if (mdname != NULL && mdname[0] != '\0') {
712
0
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
713
0
                        "Explicit digest not allowed with EdDSA operations");
714
0
        return 0;
715
0
    }
716
717
0
    if (vedkey == NULL && peddsactx->key != NULL)
718
0
        return eddsa_set_ctx_params(peddsactx, params);
719
720
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
721
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed448, 0, 0)
722
0
        && eddsa_set_ctx_params(vpeddsactx, params);
723
0
}
724
725
static int ed448_digest_sign(void *vpeddsactx,
726
                             unsigned char *sigret, size_t *siglen, size_t sigsize,
727
                             const unsigned char *tbs, size_t tbslen)
728
0
{
729
0
    return ed448_sign(vpeddsactx, sigret, siglen, sigsize, tbs, tbslen);
730
0
}
731
732
static int ed448_digest_verify(void *vpeddsactx,
733
                               const unsigned char *sigret, size_t siglen,
734
                               const unsigned char *tbs, size_t tbslen)
735
0
{
736
0
    return ed448_verify(vpeddsactx, sigret, siglen, tbs, tbslen);
737
0
}
738
739
static void eddsa_freectx(void *vpeddsactx)
740
0
{
741
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
742
743
0
    ossl_ecx_key_free(peddsactx->key);
744
745
0
    OPENSSL_free(peddsactx);
746
0
}
747
748
static void *eddsa_dupctx(void *vpeddsactx)
749
0
{
750
0
    PROV_EDDSA_CTX *srcctx = (PROV_EDDSA_CTX *)vpeddsactx;
751
0
    PROV_EDDSA_CTX *dstctx;
752
753
0
    if (!ossl_prov_is_running())
754
0
        return NULL;
755
756
0
    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
757
0
    if (dstctx == NULL)
758
0
        return NULL;
759
760
0
    *dstctx = *srcctx;
761
0
    dstctx->key = NULL;
762
763
0
    if (srcctx->key != NULL && !ossl_ecx_key_up_ref(srcctx->key)) {
764
0
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
765
0
        goto err;
766
0
    }
767
0
    dstctx->key = srcctx->key;
768
769
0
    return dstctx;
770
0
 err:
771
0
    eddsa_freectx(dstctx);
772
0
    return NULL;
773
0
}
774
775
static const char **ed25519_sigalg_query_key_types(void)
776
0
{
777
0
    static const char *keytypes[] = { "ED25519", NULL };
778
779
0
    return keytypes;
780
0
}
781
782
static const char **ed448_sigalg_query_key_types(void)
783
0
{
784
0
    static const char *keytypes[] = { "ED448", NULL };
785
786
0
    return keytypes;
787
0
}
788
789
790
791
static int eddsa_get_ctx_params(void *vpeddsactx, OSSL_PARAM *params)
792
0
{
793
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
794
0
    OSSL_PARAM *p;
795
796
0
    if (peddsactx == NULL)
797
0
        return 0;
798
799
0
    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
800
0
    if (p != NULL
801
0
        && !OSSL_PARAM_set_octet_string(p,
802
0
                                        peddsactx->aid_len == 0 ? NULL : peddsactx->aid_buf,
803
0
                                        peddsactx->aid_len))
804
0
        return 0;
805
806
0
    return 1;
807
0
}
808
809
static const OSSL_PARAM known_gettable_ctx_params[] = {
810
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
811
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE, NULL, 0),
812
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0),
813
    OSSL_PARAM_END
814
};
815
816
static const OSSL_PARAM *eddsa_gettable_ctx_params(ossl_unused void *vpeddsactx,
817
                                                   ossl_unused void *provctx)
818
0
{
819
0
    return known_gettable_ctx_params;
820
0
}
821
822
static int eddsa_set_ctx_params(void *vpeddsactx, const OSSL_PARAM params[])
823
0
{
824
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
825
0
    const OSSL_PARAM *p;
826
827
0
    if (peddsactx == NULL)
828
0
        return 0;
829
0
    if (ossl_param_is_empty(params))
830
0
        return 1;
831
832
0
    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_INSTANCE);
833
0
    if (p != NULL) {
834
0
        char instance_name[OSSL_MAX_NAME_SIZE] = "";
835
0
        char *pinstance_name = instance_name;
836
837
0
        if (peddsactx->instance_id_preset_flag) {
838
            /* When the instance is preset, the caller must no try to set it */
839
0
            ERR_raise_data(ERR_LIB_PROV, PROV_R_NO_INSTANCE_ALLOWED,
840
0
                           "the EdDSA instance is preset, you may not try to specify it",
841
0
                           NULL);
842
0
            return 0;
843
0
        }
844
845
0
        if (!OSSL_PARAM_get_utf8_string(p, &pinstance_name, sizeof(instance_name)))
846
0
            return 0;
847
848
        /*
849
         * When setting the new instance, we're careful not to change the
850
         * prehash_by_caller flag, as that's always preset by the init
851
         * functions.  The sign functions will determine if the instance
852
         * matches this flag.
853
         */
854
0
        if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519) == 0) {
855
0
            eddsa_setup_instance(peddsactx, ID_Ed25519, 0,
856
0
                                 peddsactx->prehash_by_caller_flag);
857
0
        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519ctx) == 0) {
858
0
            eddsa_setup_instance(peddsactx, ID_Ed25519ctx, 0,
859
0
                                 peddsactx->prehash_by_caller_flag);
860
0
        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519ph) == 0) {
861
0
            eddsa_setup_instance(peddsactx, ID_Ed25519ph, 0,
862
0
                                 peddsactx->prehash_by_caller_flag);
863
0
        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed448) == 0) {
864
0
            eddsa_setup_instance(peddsactx, ID_Ed448, 0,
865
0
                                 peddsactx->prehash_by_caller_flag);
866
0
        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed448ph) == 0) {
867
0
            eddsa_setup_instance(peddsactx, ID_Ed448ph, 0,
868
0
                                 peddsactx->prehash_by_caller_flag);
869
0
        } else {
870
            /* we did not recognize the instance */
871
0
            return 0;
872
0
        }
873
874
0
    }
875
876
0
    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_CONTEXT_STRING);
877
0
    if (p != NULL) {
878
0
        void *vp_context_string = peddsactx->context_string;
879
880
0
        if (!OSSL_PARAM_get_octet_string(p, &vp_context_string, sizeof(peddsactx->context_string), &(peddsactx->context_string_len))) {
881
0
            peddsactx->context_string_len = 0;
882
0
            return 0;
883
0
        }
884
0
    }
885
886
0
    return 1;
887
0
}
888
889
static const OSSL_PARAM settable_ctx_params[] = {
890
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE, NULL, 0),
891
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0),
892
    OSSL_PARAM_END
893
};
894
895
static const OSSL_PARAM *eddsa_settable_ctx_params(ossl_unused void *vpeddsactx,
896
                                                   ossl_unused void *provctx)
897
0
{
898
0
    return settable_ctx_params;
899
0
}
900
901
static const OSSL_PARAM settable_variant_ctx_params[] = {
902
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0),
903
    OSSL_PARAM_END
904
};
905
906
static const OSSL_PARAM *
907
eddsa_settable_variant_ctx_params(ossl_unused void *vpeddsactx,
908
                                  ossl_unused void *provctx)
909
0
{
910
0
    return settable_variant_ctx_params;
911
0
}
912
913
/*
914
 * Ed25519 can be used with:
915
 * - EVP_PKEY_sign_init_ex2()   [ instance and prehash assumed done by caller ]
916
 * - EVP_PKEY_verify_init_ex2() [ instance and prehash assumed done by caller ]
917
 * - EVP_PKEY_sign_message_init()
918
 * - EVP_PKEY_verify_message_init()
919
 * - EVP_DigestSignInit_ex()
920
 * - EVP_DigestVerifyInit_ex()
921
 * Ed25519ph can be used with:
922
 * - EVP_PKEY_sign_init_ex2()   [ prehash assumed done by caller ]
923
 * - EVP_PKEY_verify_init_ex2() [ prehash assumed done by caller ]
924
 * - EVP_PKEY_sign_message_init()
925
 * - EVP_PKEY_verify_message_init()
926
 * Ed25519ctx can be used with:
927
 * - EVP_PKEY_sign_message_init()
928
 * - EVP_PKEY_verify_message_init()
929
 * Ed448 can be used with:
930
 * - EVP_PKEY_sign_init_ex2()   [ instance and prehash assumed done by caller ]
931
 * - EVP_PKEY_verify_init_ex2() [ instance and prehash assumed done by caller ]
932
 * - EVP_PKEY_sign_message_init()
933
 * - EVP_PKEY_verify_message_init()
934
 * - EVP_DigestSignInit_ex()
935
 * - EVP_DigestVerifyInit_ex()
936
 * Ed448ph can be used with:
937
 * - EVP_PKEY_sign_init_ex2()   [ prehash assumed done by caller ]
938
 * - EVP_PKEY_verify_init_ex2() [ prehash assumed done by caller ]
939
 * - EVP_PKEY_sign_message_init()
940
 * - EVP_PKEY_verify_message_init()
941
 */
942
943
#define ed25519_DISPATCH_END                                            \
944
    { OSSL_FUNC_SIGNATURE_SIGN_INIT,                                    \
945
        (void (*)(void))ed25519_signverify_init },                      \
946
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT,                                  \
947
        (void (*)(void))ed25519_signverify_init },                      \
948
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,                             \
949
        (void (*)(void))ed25519_digest_signverify_init },               \
950
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN,                                  \
951
        (void (*)(void))ed25519_digest_sign },                          \
952
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,                           \
953
        (void (*)(void))ed25519_digest_signverify_init },               \
954
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,                                \
955
        (void (*)(void))ed25519_digest_verify },                        \
956
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS,                               \
957
        (void (*)(void))eddsa_get_ctx_params },                         \
958
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,                          \
959
        (void (*)(void))eddsa_gettable_ctx_params },                    \
960
    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS,                               \
961
        (void (*)(void))eddsa_set_ctx_params },                         \
962
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,                          \
963
        (void (*)(void))eddsa_settable_ctx_params },                    \
964
    OSSL_DISPATCH_END
965
966
#define eddsa_variant_DISPATCH_END(v)                                   \
967
    { OSSL_FUNC_SIGNATURE_SIGN_INIT,                                    \
968
        (void (*)(void))v##_signverify_message_init },                  \
969
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT,                                  \
970
        (void (*)(void))v##_signverify_message_init },                  \
971
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS,                               \
972
        (void (*)(void))eddsa_get_ctx_params },                         \
973
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,                          \
974
        (void (*)(void))eddsa_gettable_ctx_params },                    \
975
    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS,                               \
976
        (void (*)(void))eddsa_set_ctx_params },                         \
977
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,                          \
978
        (void (*)(void))eddsa_settable_variant_ctx_params },            \
979
    OSSL_DISPATCH_END
980
981
#define ed25519ph_DISPATCH_END                                          \
982
    { OSSL_FUNC_SIGNATURE_SIGN_INIT,                                    \
983
        (void (*)(void))ed25519ph_signverify_init },                    \
984
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT,                                  \
985
        (void (*)(void))ed25519ph_signverify_init },                    \
986
    eddsa_variant_DISPATCH_END(ed25519ph)
987
988
#define ed25519ctx_DISPATCH_END eddsa_variant_DISPATCH_END(ed25519ctx)
989
990
#define ed448_DISPATCH_END                                              \
991
    { OSSL_FUNC_SIGNATURE_SIGN_INIT,                                    \
992
        (void (*)(void))ed448_signverify_init },                        \
993
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT,                                  \
994
        (void (*)(void))ed448_signverify_init },                        \
995
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,                             \
996
        (void (*)(void))ed448_digest_signverify_init },                 \
997
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN,                                  \
998
        (void (*)(void))ed448_digest_sign },                            \
999
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,                           \
1000
        (void (*)(void))ed448_digest_signverify_init },                 \
1001
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,                                \
1002
        (void (*)(void))ed448_digest_verify },                          \
1003
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS,                               \
1004
        (void (*)(void))eddsa_get_ctx_params },                         \
1005
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,                          \
1006
        (void (*)(void))eddsa_gettable_ctx_params },                    \
1007
    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS,                               \
1008
        (void (*)(void))eddsa_set_ctx_params },                         \
1009
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,                          \
1010
        (void (*)(void))eddsa_settable_ctx_params },                    \
1011
    OSSL_DISPATCH_END
1012
1013
#define ed448ph_DISPATCH_END                                            \
1014
    { OSSL_FUNC_SIGNATURE_SIGN_INIT,                                    \
1015
        (void (*)(void))ed448ph_signverify_init },                      \
1016
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT,                                  \
1017
        (void (*)(void))ed448ph_signverify_init },                      \
1018
    eddsa_variant_DISPATCH_END(ed448ph)
1019
1020
/* vn = variant name, bn = base name */
1021
#define IMPL_EDDSA_DISPATCH(vn,bn)                                      \
1022
    const OSSL_DISPATCH ossl_##vn##_signature_functions[] = {           \
1023
        { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },   \
1024
        { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT,                        \
1025
          (void (*)(void))vn##_signverify_message_init },               \
1026
        { OSSL_FUNC_SIGNATURE_SIGN,                                     \
1027
          (void (*)(void))bn##_sign },                                  \
1028
        { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT,                      \
1029
          (void (*)(void))vn##_signverify_message_init },               \
1030
        { OSSL_FUNC_SIGNATURE_VERIFY,                                   \
1031
          (void (*)(void))bn##_verify },                                \
1032
        { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx }, \
1033
        { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },   \
1034
        { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES,                          \
1035
          (void (*)(void))bn##_sigalg_query_key_types },                \
1036
        vn##_DISPATCH_END                                               \
1037
    }
1038
1039
IMPL_EDDSA_DISPATCH(ed25519,ed25519);
1040
IMPL_EDDSA_DISPATCH(ed25519ph,ed25519);
1041
IMPL_EDDSA_DISPATCH(ed25519ctx,ed25519);
1042
IMPL_EDDSA_DISPATCH(ed448,ed448);
1043
IMPL_EDDSA_DISPATCH(ed448ph,ed448);
1044
1045
#ifdef S390X_EC_ASM
1046
1047
static int s390x_ed25519_digestsign(const ECX_KEY *edkey, unsigned char *sig,
1048
                                    const unsigned char *tbs, size_t tbslen)
1049
{
1050
    int rc;
1051
    union {
1052
        struct {
1053
            unsigned char sig[64];
1054
            unsigned char priv[32];
1055
        } ed25519;
1056
        unsigned long long buff[512];
1057
    } param;
1058
1059
    memset(&param, 0, sizeof(param));
1060
    memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));
1061
1062
    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, &param.ed25519, tbs, tbslen);
1063
    OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
1064
    if (rc != 0)
1065
        return 0;
1066
1067
    s390x_flip_endian32(sig, param.ed25519.sig);
1068
    s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
1069
    return 1;
1070
}
1071
1072
static int s390x_ed448_digestsign(const ECX_KEY *edkey, unsigned char *sig,
1073
                                  const unsigned char *tbs, size_t tbslen)
1074
{
1075
    int rc;
1076
    union {
1077
        struct {
1078
            unsigned char sig[128];
1079
            unsigned char priv[64];
1080
        } ed448;
1081
        unsigned long long buff[512];
1082
    } param;
1083
1084
    memset(&param, 0, sizeof(param));
1085
    memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);
1086
1087
    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, &param.ed448, tbs, tbslen);
1088
    OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
1089
    if (rc != 0)
1090
        return 0;
1091
1092
    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
1093
    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
1094
    memcpy(sig, param.ed448.sig, 57);
1095
    memcpy(sig + 57, param.ed448.sig + 64, 57);
1096
    return 1;
1097
}
1098
1099
static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
1100
                                      const unsigned char *sig,
1101
                                      const unsigned char *tbs, size_t tbslen)
1102
{
1103
    union {
1104
        struct {
1105
            unsigned char sig[64];
1106
            unsigned char pub[32];
1107
        } ed25519;
1108
        unsigned long long buff[512];
1109
    } param;
1110
1111
    memset(&param, 0, sizeof(param));
1112
    s390x_flip_endian32(param.ed25519.sig, sig);
1113
    s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
1114
    s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);
1115
1116
    return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
1117
                      &param.ed25519, tbs, tbslen) == 0 ? 1 : 0;
1118
}
1119
1120
static int s390x_ed448_digestverify(const ECX_KEY *edkey,
1121
                                    const unsigned char *sig,
1122
                                    const unsigned char *tbs,
1123
                                    size_t tbslen)
1124
{
1125
    union {
1126
        struct {
1127
            unsigned char sig[128];
1128
            unsigned char pub[64];
1129
        } ed448;
1130
        unsigned long long buff[512];
1131
    } param;
1132
1133
    memset(&param, 0, sizeof(param));
1134
    memcpy(param.ed448.sig, sig, 57);
1135
    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
1136
    memcpy(param.ed448.sig + 64, sig + 57, 57);
1137
    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
1138
    memcpy(param.ed448.pub, edkey->pubkey, 57);
1139
    s390x_flip_endian64(param.ed448.pub, param.ed448.pub);
1140
1141
    return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
1142
                      &param.ed448, tbs, tbslen) == 0 ? 1 : 0;
1143
}
1144
1145
#endif /* S390X_EC_ASM */