/src/openssl31/providers/implementations/signature/eddsa_sig.c

Source (jump to first uncovered line)
/*
 * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/crypto.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/err.h>
#include <openssl/params.h>
#include <openssl/evp.h>
#include <openssl/proverr.h>
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/der_ecx.h"
#include "crypto/ecx.h"

#ifdef S390X_EC_ASM
# include "s390x_arch.h"

# define S390X_CAN_SIGN(edtype)                                                \
((OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_##edtype))    \
&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_##edtype))      \
&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_##edtype)))

static int s390x_ed25519_digestsign(const ECX_KEY *edkey, unsigned char *sig,
                                    const unsigned char *tbs, size_t tbslen);
static int s390x_ed448_digestsign(const ECX_KEY *edkey, unsigned char *sig,
                                  const unsigned char *tbs, size_t tbslen);
static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
                                      const unsigned char *sig,
                                      const unsigned char *tbs, size_t tbslen);
static int s390x_ed448_digestverify(const ECX_KEY *edkey,
                                    const unsigned char *sig,
                                    const unsigned char *tbs, size_t tbslen);

#endif /* S390X_EC_ASM */

static OSSL_FUNC_signature_newctx_fn eddsa_newctx;
static OSSL_FUNC_signature_digest_sign_init_fn eddsa_digest_signverify_init;
static OSSL_FUNC_signature_digest_sign_fn ed25519_digest_sign;
static OSSL_FUNC_signature_digest_sign_fn ed448_digest_sign;
static OSSL_FUNC_signature_digest_verify_fn ed25519_digest_verify;
static OSSL_FUNC_signature_digest_verify_fn ed448_digest_verify;
static OSSL_FUNC_signature_freectx_fn eddsa_freectx;
static OSSL_FUNC_signature_dupctx_fn eddsa_dupctx;
static OSSL_FUNC_signature_get_ctx_params_fn eddsa_get_ctx_params;
static OSSL_FUNC_signature_gettable_ctx_params_fn eddsa_gettable_ctx_params;

typedef struct {
    OSSL_LIB_CTX *libctx;
    ECX_KEY *key;

    /* The Algorithm Identifier of the signature algorithm */
    unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
    unsigned char *aid;
    size_t  aid_len;
} PROV_EDDSA_CTX;

static void *eddsa_newctx(void *provctx, const char *propq_unused)
{
    PROV_EDDSA_CTX *peddsactx;

    if (!ossl_prov_is_running())
        return NULL;

    peddsactx = OPENSSL_zalloc(sizeof(PROV_EDDSA_CTX));
    if (peddsactx == NULL) {
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
        return NULL;
    }

    peddsactx->libctx = PROV_LIBCTX_OF(provctx);

    return peddsactx;
}

static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
                                        void *vedkey,
                                        ossl_unused const OSSL_PARAM params[])
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    ECX_KEY *edkey = (ECX_KEY *)vedkey;
    WPACKET pkt;
    int ret;

    if (!ossl_prov_is_running())
        return 0;

    if (mdname != NULL && mdname[0] != '\0') {
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
        return 0;
    }

    if (edkey == NULL) {
        if (peddsactx->key != NULL)
            /* there is nothing to do on reinit */
            return 1;
        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
        return 0;
    }

    if (!ossl_ecx_key_up_ref(edkey)) {
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /*
     * We do not care about DER writing errors.
     * All it really means is that for some reason, there's no
     * AlgorithmIdentifier to be had, but the operation itself is
     * still valid, just as long as it's not used to construct
     * anything that needs an AlgorithmIdentifier.
     */
    peddsactx->aid_len = 0;
    ret = WPACKET_init_der(&pkt, peddsactx->aid_buf, sizeof(peddsactx->aid_buf));
    switch (edkey->type) {
    case ECX_KEY_TYPE_ED25519:
        ret = ret && ossl_DER_w_algorithmIdentifier_ED25519(&pkt, -1, edkey);
        break;
    case ECX_KEY_TYPE_ED448:
        ret = ret && ossl_DER_w_algorithmIdentifier_ED448(&pkt, -1, edkey);
        break;
    default:
        /* Should never happen */
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
        ossl_ecx_key_free(edkey);
        WPACKET_cleanup(&pkt);
        return 0;
    }
    if (ret && WPACKET_finish(&pkt)) {
        WPACKET_get_total_written(&pkt, &peddsactx->aid_len);
        peddsactx->aid = WPACKET_get_curr(&pkt);
    }
    WPACKET_cleanup(&pkt);

    peddsactx->key = edkey;

    return 1;
}

int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret,
                        size_t *siglen, size_t sigsize,
                        const unsigned char *tbs, size_t tbslen)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    const ECX_KEY *edkey = peddsactx->key;

    if (!ossl_prov_is_running())
        return 0;

    if (sigret == NULL) {
        *siglen = ED25519_SIGSIZE;
        return 1;
    }
    if (sigsize < ED25519_SIGSIZE) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }
    if (edkey->privkey == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
        return 0;
    }
#ifdef S390X_EC_ASM
    if (S390X_CAN_SIGN(ED25519)) {
      if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
        return 0;
      }
      *siglen = ED25519_SIGSIZE;
      return 1;
    }
#endif /* S390X_EC_ASM */
    if (ossl_ed25519_sign(sigret, tbs, tbslen, edkey->pubkey, edkey->privkey,
                          peddsactx->libctx, NULL) == 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
        return 0;
    }
    *siglen = ED25519_SIGSIZE;
    return 1;
}

int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret,
                      size_t *siglen, size_t sigsize,
                      const unsigned char *tbs, size_t tbslen)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    const ECX_KEY *edkey = peddsactx->key;

    if (!ossl_prov_is_running())
        return 0;

    if (sigret == NULL) {
        *siglen = ED448_SIGSIZE;
        return 1;
    }
    if (sigsize < ED448_SIGSIZE) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }
    if (edkey->privkey == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
        return 0;
    }
#ifdef S390X_EC_ASM
    if (S390X_CAN_SIGN(ED448)) {
        if (s390x_ed448_digestsign(edkey, sigret, tbs, tbslen) == 0) {
    ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
    return 0;
  }
  *siglen = ED448_SIGSIZE;
  return 1;
    }
#endif /* S390X_EC_ASM */
    if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen, edkey->pubkey,
                        edkey->privkey, NULL, 0, edkey->propq) == 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
        return 0;
    }
    *siglen = ED448_SIGSIZE;
    return 1;
}

int ed25519_digest_verify(void *vpeddsactx, const unsigned char *sig,
                          size_t siglen, const unsigned char *tbs,
                          size_t tbslen)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    const ECX_KEY *edkey = peddsactx->key;

    if (!ossl_prov_is_running() || siglen != ED25519_SIGSIZE)
        return 0;

#ifdef S390X_EC_ASM
    if (S390X_CAN_SIGN(ED25519))
        return s390x_ed25519_digestverify(edkey, sig, tbs, tbslen);
#endif /* S390X_EC_ASM */

    return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey,
                               peddsactx->libctx, edkey->propq);
}

int ed448_digest_verify(void *vpeddsactx, const unsigned char *sig,
                        size_t siglen, const unsigned char *tbs,
                        size_t tbslen)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    const ECX_KEY *edkey = peddsactx->key;

    if (!ossl_prov_is_running() || siglen != ED448_SIGSIZE)
        return 0;

#ifdef S390X_EC_ASM
    if (S390X_CAN_SIGN(ED448))
        return s390x_ed448_digestverify(edkey, sig, tbs, tbslen);
#endif /* S390X_EC_ASM */

    return ossl_ed448_verify(peddsactx->libctx, tbs, tbslen, sig, edkey->pubkey,
                             NULL, 0, edkey->propq);
}

static void eddsa_freectx(void *vpeddsactx)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;

    ossl_ecx_key_free(peddsactx->key);

    OPENSSL_free(peddsactx);
}

static void *eddsa_dupctx(void *vpeddsactx)
{
    PROV_EDDSA_CTX *srcctx = (PROV_EDDSA_CTX *)vpeddsactx;
    PROV_EDDSA_CTX *dstctx;

    if (!ossl_prov_is_running())
        return NULL;

    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    if (dstctx == NULL)
        return NULL;

    *dstctx = *srcctx;
    dstctx->key = NULL;

    if (srcctx->key != NULL && !ossl_ecx_key_up_ref(srcctx->key)) {
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    dstctx->key = srcctx->key;

    return dstctx;
 err:
    eddsa_freectx(dstctx);
    return NULL;
}

static int eddsa_get_ctx_params(void *vpeddsactx, OSSL_PARAM *params)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    OSSL_PARAM *p;

    if (peddsactx == NULL)
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
    if (p != NULL && !OSSL_PARAM_set_octet_string(p, peddsactx->aid,
                                                  peddsactx->aid_len))
        return 0;

    return 1;
}

static const OSSL_PARAM known_gettable_ctx_params[] = {
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
    OSSL_PARAM_END
};

static const OSSL_PARAM *eddsa_gettable_ctx_params(ossl_unused void *vpeddsactx,
                                                   ossl_unused void *provctx)
{
    return known_gettable_ctx_params;
}

const OSSL_DISPATCH ossl_ed25519_signature_functions[] = {
    { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
      (void (*)(void))eddsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN,
      (void (*)(void))ed25519_digest_sign },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
      (void (*)(void))eddsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,
      (void (*)(void))ed25519_digest_verify },
    { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx },
    { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
      (void (*)(void))eddsa_gettable_ctx_params },
    { 0, NULL }
};

const OSSL_DISPATCH ossl_ed448_signature_functions[] = {
    { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
      (void (*)(void))eddsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN,
      (void (*)(void))ed448_digest_sign },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
      (void (*)(void))eddsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,
      (void (*)(void))ed448_digest_verify },
    { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx },
    { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
      (void (*)(void))eddsa_gettable_ctx_params },
    { 0, NULL }
};

#ifdef S390X_EC_ASM

static int s390x_ed25519_digestsign(const ECX_KEY *edkey, unsigned char *sig,
                                    const unsigned char *tbs, size_t tbslen)
{
    int rc;
    union {
        struct {
            unsigned char sig[64];
            unsigned char priv[32];
        } ed25519;
        unsigned long long buff[512];
    } param;

    memset(&param, 0, sizeof(param));
    memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));

    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, &param.ed25519, tbs, tbslen);
    OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
    if (rc != 0)
        return 0;

    s390x_flip_endian32(sig, param.ed25519.sig);
    s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
    return 1;
}

static int s390x_ed448_digestsign(const ECX_KEY *edkey, unsigned char *sig,
                                  const unsigned char *tbs, size_t tbslen)
{
    int rc;
    union {
        struct {
            unsigned char sig[128];
            unsigned char priv[64];
        } ed448;
        unsigned long long buff[512];
    } param;

    memset(&param, 0, sizeof(param));
    memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);

    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, &param.ed448, tbs, tbslen);
    OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
    if (rc != 0)
        return 0;

    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
    memcpy(sig, param.ed448.sig, 57);
    memcpy(sig + 57, param.ed448.sig + 64, 57);
    return 1;
}

static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
                                      const unsigned char *sig,
                                      const unsigned char *tbs, size_t tbslen)
{
    union {
        struct {
            unsigned char sig[64];
            unsigned char pub[32];
        } ed25519;
        unsigned long long buff[512];
    } param;

    memset(&param, 0, sizeof(param));
    s390x_flip_endian32(param.ed25519.sig, sig);
    s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
    s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);

    return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
                      &param.ed25519, tbs, tbslen) == 0 ? 1 : 0;
}

static int s390x_ed448_digestverify(const ECX_KEY *edkey,
                                    const unsigned char *sig,
                                    const unsigned char *tbs,
                                    size_t tbslen)
{
    union {
        struct {
            unsigned char sig[128];
            unsigned char pub[64];
        } ed448;
        unsigned long long buff[512];
    } param;

    memset(&param, 0, sizeof(param));
    memcpy(param.ed448.sig, sig, 57);
    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
    memcpy(param.ed448.sig + 64, sig + 57, 57);
    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
    memcpy(param.ed448.pub, edkey->pubkey, 57);
    s390x_flip_endian64(param.ed448.pub, param.ed448.pub);

    return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
                      &param.ed448, tbs, tbslen) == 0 ? 1 : 0;
}

#endif /* S390X_EC_ASM */

Coverage Report

Created: 2025-06-13 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <openssl/crypto.h>
11		#include <openssl/core_dispatch.h>
12		#include <openssl/core_names.h>
13		#include <openssl/err.h>
14		#include <openssl/params.h>
15		#include <openssl/evp.h>
16		#include <openssl/proverr.h>
17		#include "internal/nelem.h"
18		#include "internal/sizes.h"
19		#include "prov/providercommon.h"
20		#include "prov/implementations.h"
21		#include "prov/provider_ctx.h"
22		#include "prov/der_ecx.h"
23		#include "crypto/ecx.h"
24
25		#ifdef S390X_EC_ASM
26		# include "s390x_arch.h"
27
28		# define S390X_CAN_SIGN(edtype) \
29		((OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_##edtype)) \
30		&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_##edtype)) \
31		&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_##edtype)))
32
33		static int s390x_ed25519_digestsign(const ECX_KEY edkey, unsigned char sig,
34		const unsigned char *tbs, size_t tbslen);
35		static int s390x_ed448_digestsign(const ECX_KEY edkey, unsigned char sig,
36		const unsigned char *tbs, size_t tbslen);
37		static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
38		const unsigned char *sig,
39		const unsigned char *tbs, size_t tbslen);
40		static int s390x_ed448_digestverify(const ECX_KEY *edkey,
41		const unsigned char *sig,
42		const unsigned char *tbs, size_t tbslen);
43
44		#endif /* S390X_EC_ASM */
45
46		static OSSL_FUNC_signature_newctx_fn eddsa_newctx;
47		static OSSL_FUNC_signature_digest_sign_init_fn eddsa_digest_signverify_init;
48		static OSSL_FUNC_signature_digest_sign_fn ed25519_digest_sign;
49		static OSSL_FUNC_signature_digest_sign_fn ed448_digest_sign;
50		static OSSL_FUNC_signature_digest_verify_fn ed25519_digest_verify;
51		static OSSL_FUNC_signature_digest_verify_fn ed448_digest_verify;
52		static OSSL_FUNC_signature_freectx_fn eddsa_freectx;
53		static OSSL_FUNC_signature_dupctx_fn eddsa_dupctx;
54		static OSSL_FUNC_signature_get_ctx_params_fn eddsa_get_ctx_params;
55		static OSSL_FUNC_signature_gettable_ctx_params_fn eddsa_gettable_ctx_params;
56
57		typedef struct {
58		OSSL_LIB_CTX *libctx;
59		ECX_KEY *key;
60
61		/* The Algorithm Identifier of the signature algorithm */
62		unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
63		unsigned char *aid;
64		size_t aid_len;
65		} PROV_EDDSA_CTX;
66
67		static void eddsa_newctx(void provctx, const char *propq_unused)
68	198	{
69	198	PROV_EDDSA_CTX *peddsactx;
70
71	198	if (!ossl_prov_is_running())
72	0	return NULL;
73
74	198	peddsactx = OPENSSL_zalloc(sizeof(PROV_EDDSA_CTX));
75	198	if (peddsactx == NULL) {
76	0	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
77	0	return NULL;
78	0	}
79
80	198	peddsactx->libctx = PROV_LIBCTX_OF(provctx);
81
82	198	return peddsactx;
83	198	}
84
85		static int eddsa_digest_signverify_init(void vpeddsactx, const char mdname,
86		void *vedkey,
87		ossl_unused const OSSL_PARAM params[])
88	124	{
89	124	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
90	124	ECX_KEY edkey = (ECX_KEY )vedkey;
91	124	WPACKET pkt;
92	124	int ret;
93
94	124	if (!ossl_prov_is_running())
95	0	return 0;
96
97	124	if (mdname != NULL && mdname[0] != '\0') {
98	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
99	0	return 0;
100	0	}
101
102	124	if (edkey == NULL) {
103	0	if (peddsactx->key != NULL)
104		/* there is nothing to do on reinit */
105	0	return 1;
106	0	ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
107	0	return 0;
108	0	}
109
110	124	if (!ossl_ecx_key_up_ref(edkey)) {
111	0	ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
112	0	return 0;
113	0	}
114
115		/*
116		* We do not care about DER writing errors.
117		* All it really means is that for some reason, there's no
118		* AlgorithmIdentifier to be had, but the operation itself is
119		* still valid, just as long as it's not used to construct
120		* anything that needs an AlgorithmIdentifier.
121		*/
122	124	peddsactx->aid_len = 0;
123	124	ret = WPACKET_init_der(&pkt, peddsactx->aid_buf, sizeof(peddsactx->aid_buf));
124	124	switch (edkey->type) {
125	124	case ECX_KEY_TYPE_ED25519:
126	124	ret = ret && ossl_DER_w_algorithmIdentifier_ED25519(&pkt, -1, edkey);
127	124	break;
128	0	case ECX_KEY_TYPE_ED448:
129	0	ret = ret && ossl_DER_w_algorithmIdentifier_ED448(&pkt, -1, edkey);
130	0	break;
131	0	default:
132		/* Should never happen */
133	0	ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
134	0	ossl_ecx_key_free(edkey);
135	0	WPACKET_cleanup(&pkt);
136	0	return 0;
137	124	}
138	124	if (ret && WPACKET_finish(&pkt)) {
139	124	WPACKET_get_total_written(&pkt, &peddsactx->aid_len);
140	124	peddsactx->aid = WPACKET_get_curr(&pkt);
141	124	}
142	124	WPACKET_cleanup(&pkt);
143
144	124	peddsactx->key = edkey;
145
146	124	return 1;
147	124	}
148
149		int ed25519_digest_sign(void vpeddsactx, unsigned char sigret,
150		size_t *siglen, size_t sigsize,
151		const unsigned char *tbs, size_t tbslen)
152	0	{
153	0	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
154	0	const ECX_KEY *edkey = peddsactx->key;
155
156	0	if (!ossl_prov_is_running())
157	0	return 0;
158
159	0	if (sigret == NULL) {
160	0	*siglen = ED25519_SIGSIZE;
161	0	return 1;
162	0	}
163	0	if (sigsize < ED25519_SIGSIZE) {
164	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
165	0	return 0;
166	0	}
167	0	if (edkey->privkey == NULL) {
168	0	ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
169	0	return 0;
170	0	}
171		#ifdef S390X_EC_ASM
172		if (S390X_CAN_SIGN(ED25519)) {
173		if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) {
174		ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
175		return 0;
176		}
177		*siglen = ED25519_SIGSIZE;
178		return 1;
179		}
180		#endif /* S390X_EC_ASM */
181	0	if (ossl_ed25519_sign(sigret, tbs, tbslen, edkey->pubkey, edkey->privkey,
182	0	peddsactx->libctx, NULL) == 0) {
183	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
184	0	return 0;
185	0	}
186	0	*siglen = ED25519_SIGSIZE;
187	0	return 1;
188	0	}
189
190		int ed448_digest_sign(void vpeddsactx, unsigned char sigret,
191		size_t *siglen, size_t sigsize,
192		const unsigned char *tbs, size_t tbslen)
193	0	{
194	0	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
195	0	const ECX_KEY *edkey = peddsactx->key;
196
197	0	if (!ossl_prov_is_running())
198	0	return 0;
199
200	0	if (sigret == NULL) {
201	0	*siglen = ED448_SIGSIZE;
202	0	return 1;
203	0	}
204	0	if (sigsize < ED448_SIGSIZE) {
205	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
206	0	return 0;
207	0	}
208	0	if (edkey->privkey == NULL) {
209	0	ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
210	0	return 0;
211	0	}
212		#ifdef S390X_EC_ASM
213		if (S390X_CAN_SIGN(ED448)) {
214		if (s390x_ed448_digestsign(edkey, sigret, tbs, tbslen) == 0) {
215		ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
216		return 0;
217		}
218		*siglen = ED448_SIGSIZE;
219		return 1;
220		}
221		#endif /* S390X_EC_ASM */
222	0	if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen, edkey->pubkey,
223	0	edkey->privkey, NULL, 0, edkey->propq) == 0) {
224	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
225	0	return 0;
226	0	}
227	0	*siglen = ED448_SIGSIZE;
228	0	return 1;
229	0	}
230
231		int ed25519_digest_verify(void vpeddsactx, const unsigned char sig,
232		size_t siglen, const unsigned char *tbs,
233		size_t tbslen)
234	124	{
235	124	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
236	124	const ECX_KEY *edkey = peddsactx->key;
237
238	124	if (!ossl_prov_is_running() \|\| siglen != ED25519_SIGSIZE)
239	13	return 0;
240
241		#ifdef S390X_EC_ASM
242		if (S390X_CAN_SIGN(ED25519))
243		return s390x_ed25519_digestverify(edkey, sig, tbs, tbslen);
244		#endif /* S390X_EC_ASM */
245
246	111	return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey,
247	111	peddsactx->libctx, edkey->propq);
248	124	}
249
250		int ed448_digest_verify(void vpeddsactx, const unsigned char sig,
251		size_t siglen, const unsigned char *tbs,
252		size_t tbslen)
253		{
254		PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
255		const ECX_KEY *edkey = peddsactx->key;
256
257		if (!ossl_prov_is_running() \|\| siglen != ED448_SIGSIZE)
258		return 0;
259
260		#ifdef S390X_EC_ASM
261		if (S390X_CAN_SIGN(ED448))
262		return s390x_ed448_digestverify(edkey, sig, tbs, tbslen);
263		#endif /* S390X_EC_ASM */
264
265		return ossl_ed448_verify(peddsactx->libctx, tbs, tbslen, sig, edkey->pubkey,
266		NULL, 0, edkey->propq);
267		}
268
269		static void eddsa_freectx(void *vpeddsactx)
270	198	{
271	198	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
272
273	198	ossl_ecx_key_free(peddsactx->key);
274
275	198	OPENSSL_free(peddsactx);
276	198	}
277
278		static void eddsa_dupctx(void vpeddsactx)
279	0	{
280	0	PROV_EDDSA_CTX srcctx = (PROV_EDDSA_CTX )vpeddsactx;
281	0	PROV_EDDSA_CTX *dstctx;
282
283	0	if (!ossl_prov_is_running())
284	0	return NULL;
285
286	0	dstctx = OPENSSL_zalloc(sizeof(*srcctx));
287	0	if (dstctx == NULL)
288	0	return NULL;
289
290	0	dstctx = srcctx;
291	0	dstctx->key = NULL;
292
293	0	if (srcctx->key != NULL && !ossl_ecx_key_up_ref(srcctx->key)) {
294	0	ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
295	0	goto err;
296	0	}
297	0	dstctx->key = srcctx->key;
298
299	0	return dstctx;
300	0	err:
301	0	eddsa_freectx(dstctx);
302	0	return NULL;
303	0	}
304
305		static int eddsa_get_ctx_params(void vpeddsactx, OSSL_PARAM params)
306	0	{
307	0	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
308	0	OSSL_PARAM *p;
309
310	0	if (peddsactx == NULL)
311	0	return 0;
312
313	0	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
314	0	if (p != NULL && !OSSL_PARAM_set_octet_string(p, peddsactx->aid,
315	0	peddsactx->aid_len))
316	0	return 0;
317
318	0	return 1;
319	0	}
320
321		static const OSSL_PARAM known_gettable_ctx_params[] = {
322		OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
323		OSSL_PARAM_END
324		};
325
326		static const OSSL_PARAM eddsa_gettable_ctx_params(ossl_unused void vpeddsactx,
327		ossl_unused void *provctx)
328	0	{
329	0	return known_gettable_ctx_params;
330	0	}
331
332		const OSSL_DISPATCH ossl_ed25519_signature_functions[] = {
333		{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },
334		{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
335		(void (*)(void))eddsa_digest_signverify_init },
336		{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN,
337		(void (*)(void))ed25519_digest_sign },
338		{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
339		(void (*)(void))eddsa_digest_signverify_init },
340		{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,
341		(void (*)(void))ed25519_digest_verify },
342		{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx },
343		{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },
344		{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
345		{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
346		(void (*)(void))eddsa_gettable_ctx_params },
347		{ 0, NULL }
348		};
349
350		const OSSL_DISPATCH ossl_ed448_signature_functions[] = {
351		{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },
352		{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
353		(void (*)(void))eddsa_digest_signverify_init },
354		{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN,
355		(void (*)(void))ed448_digest_sign },
356		{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
357		(void (*)(void))eddsa_digest_signverify_init },
358		{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,
359		(void (*)(void))ed448_digest_verify },
360		{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx },
361		{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },
362		{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
363		{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
364		(void (*)(void))eddsa_gettable_ctx_params },
365		{ 0, NULL }
366		};
367
368		#ifdef S390X_EC_ASM
369
370		static int s390x_ed25519_digestsign(const ECX_KEY edkey, unsigned char sig,
371		const unsigned char *tbs, size_t tbslen)
372		{
373		int rc;
374		union {
375		struct {
376		unsigned char sig[64];
377		unsigned char priv[32];
378		} ed25519;
379		unsigned long long buff[512];
380		} param;
381
382		memset(&param, 0, sizeof(param));
383		memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));
384
385		rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, &param.ed25519, tbs, tbslen);
386		OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
387		if (rc != 0)
388		return 0;
389
390		s390x_flip_endian32(sig, param.ed25519.sig);
391		s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
392		return 1;
393		}
394
395		static int s390x_ed448_digestsign(const ECX_KEY edkey, unsigned char sig,
396		const unsigned char *tbs, size_t tbslen)
397		{
398		int rc;
399		union {
400		struct {
401		unsigned char sig[128];
402		unsigned char priv[64];
403		} ed448;
404		unsigned long long buff[512];
405		} param;
406
407		memset(&param, 0, sizeof(param));
408		memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);
409
410		rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, &param.ed448, tbs, tbslen);
411		OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
412		if (rc != 0)
413		return 0;
414
415		s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
416		s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
417		memcpy(sig, param.ed448.sig, 57);
418		memcpy(sig + 57, param.ed448.sig + 64, 57);
419		return 1;
420		}
421
422		static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
423		const unsigned char *sig,
424		const unsigned char *tbs, size_t tbslen)
425		{
426		union {
427		struct {
428		unsigned char sig[64];
429		unsigned char pub[32];
430		} ed25519;
431		unsigned long long buff[512];
432		} param;
433
434		memset(&param, 0, sizeof(param));
435		s390x_flip_endian32(param.ed25519.sig, sig);
436		s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
437		s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);
438
439		return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
440		&param.ed25519, tbs, tbslen) == 0 ? 1 : 0;
441		}
442
443		static int s390x_ed448_digestverify(const ECX_KEY *edkey,
444		const unsigned char *sig,
445		const unsigned char *tbs,
446		size_t tbslen)
447		{
448		union {
449		struct {
450		unsigned char sig[128];
451		unsigned char pub[64];
452		} ed448;
453		unsigned long long buff[512];
454		} param;
455
456		memset(&param, 0, sizeof(param));
457		memcpy(param.ed448.sig, sig, 57);
458		s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
459		memcpy(param.ed448.sig + 64, sig + 57, 57);
460		s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
461		memcpy(param.ed448.pub, edkey->pubkey, 57);
462		s390x_flip_endian64(param.ed448.pub, param.ed448.pub);
463
464		return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
465		&param.ed448, tbs, tbslen) == 0 ? 1 : 0;
466		}
467
468		#endif /* S390X_EC_ASM */