Coverage Report

Created: 2025-12-04 06:33

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/openssl36/providers/implementations/signature/eddsa_sig.c
Line
Count
Source
1
/*
2
 * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
11
#include <openssl/crypto.h>
12
#include <openssl/core_dispatch.h>
13
#include <openssl/core_names.h>
14
#include <openssl/err.h>
15
#include <openssl/params.h>
16
#include <openssl/evp.h>
17
#include <openssl/proverr.h>
18
#include "internal/common.h"
19
#include "internal/nelem.h"
20
#include "internal/sizes.h"
21
#include "prov/providercommon.h"
22
#include "prov/implementations.h"
23
#include "prov/securitycheck.h"
24
#include "prov/provider_ctx.h"
25
#include "prov/der_ecx.h"
26
#include "crypto/ecx.h"
27
28
#ifdef S390X_EC_ASM
29
# include "s390x_arch.h"
30
31
# define S390X_CAN_SIGN(edtype)                                                \
32
((OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_##edtype))    \
33
&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_##edtype))      \
34
&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_##edtype)))
35
36
static int s390x_ed25519_digestsign(const ECX_KEY *edkey, unsigned char *sig,
37
                                    const unsigned char *tbs, size_t tbslen);
38
static int s390x_ed448_digestsign(const ECX_KEY *edkey, unsigned char *sig,
39
                                  const unsigned char *tbs, size_t tbslen);
40
static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
41
                                      const unsigned char *sig,
42
                                      const unsigned char *tbs, size_t tbslen);
43
static int s390x_ed448_digestverify(const ECX_KEY *edkey,
44
                                    const unsigned char *sig,
45
                                    const unsigned char *tbs, size_t tbslen);
46
47
#endif /* S390X_EC_ASM */
48
49
enum ID_EdDSA_INSTANCE {
50
    ID_NOT_SET = 0,
51
    ID_Ed25519,
52
    ID_Ed25519ctx,
53
    ID_Ed25519ph,
54
    ID_Ed448,
55
    ID_Ed448ph
56
};
57
58
0
#define SN_Ed25519    "Ed25519"
59
0
#define SN_Ed25519ph  "Ed25519ph"
60
0
#define SN_Ed25519ctx "Ed25519ctx"
61
0
#define SN_Ed448      "Ed448"
62
0
#define SN_Ed448ph    "Ed448ph"
63
64
#define EDDSA_MAX_CONTEXT_STRING_LEN 255
65
0
#define EDDSA_PREHASH_OUTPUT_LEN 64
66
67
static OSSL_FUNC_signature_newctx_fn eddsa_newctx;
68
static OSSL_FUNC_signature_sign_message_init_fn ed25519_signverify_message_init;
69
static OSSL_FUNC_signature_sign_message_init_fn ed25519ph_signverify_message_init;
70
static OSSL_FUNC_signature_sign_message_init_fn ed25519ctx_signverify_message_init;
71
static OSSL_FUNC_signature_sign_message_init_fn ed448_signverify_message_init;
72
static OSSL_FUNC_signature_sign_message_init_fn ed448ph_signverify_message_init;
73
static OSSL_FUNC_signature_sign_fn ed25519_sign;
74
static OSSL_FUNC_signature_sign_fn ed448_sign;
75
static OSSL_FUNC_signature_verify_fn ed25519_verify;
76
static OSSL_FUNC_signature_verify_fn ed448_verify;
77
static OSSL_FUNC_signature_digest_sign_init_fn ed25519_digest_signverify_init;
78
static OSSL_FUNC_signature_digest_sign_init_fn ed448_digest_signverify_init;
79
static OSSL_FUNC_signature_digest_sign_fn ed25519_digest_sign;
80
static OSSL_FUNC_signature_digest_sign_fn ed448_digest_sign;
81
static OSSL_FUNC_signature_digest_verify_fn ed25519_digest_verify;
82
static OSSL_FUNC_signature_digest_verify_fn ed448_digest_verify;
83
static OSSL_FUNC_signature_freectx_fn eddsa_freectx;
84
static OSSL_FUNC_signature_dupctx_fn eddsa_dupctx;
85
static OSSL_FUNC_signature_query_key_types_fn ed25519_sigalg_query_key_types;
86
static OSSL_FUNC_signature_query_key_types_fn ed448_sigalg_query_key_types;
87
static OSSL_FUNC_signature_get_ctx_params_fn eddsa_get_ctx_params;
88
static OSSL_FUNC_signature_gettable_ctx_params_fn eddsa_gettable_ctx_params;
89
static OSSL_FUNC_signature_set_ctx_params_fn eddsa_set_ctx_params;
90
static OSSL_FUNC_signature_settable_ctx_params_fn eddsa_settable_ctx_params;
91
static OSSL_FUNC_signature_set_ctx_params_fn eddsa_set_variant_ctx_params;
92
static OSSL_FUNC_signature_settable_ctx_params_fn eddsa_settable_variant_ctx_params;
93
94
/* there are five EdDSA instances:
95
96
         Ed25519
97
         Ed25519ph
98
         Ed25519ctx
99
         Ed448
100
         Ed448ph
101
102
   Quoting from RFC 8032, Section 5.1:
103
104
     For Ed25519, dom2(f,c) is the empty string.  The phflag value is
105
     irrelevant.  The context (if present at all) MUST be empty.  This
106
     causes the scheme to be one and the same with the Ed25519 scheme
107
     published earlier.
108
109
     For Ed25519ctx, phflag=0.  The context input SHOULD NOT be empty.
110
111
     For Ed25519ph, phflag=1 and PH is SHA512 instead.  That is, the input
112
     is hashed using SHA-512 before signing with Ed25519.
113
114
   Quoting from RFC 8032, Section 5.2:
115
116
     Ed448ph is the same but with PH being SHAKE256(x, 64) and phflag
117
     being 1, i.e., the input is hashed before signing with Ed448 with a
118
     hash constant modified.
119
120
     Value of context is set by signer and verifier (maximum of 255
121
     octets; the default is empty string) and has to match octet by octet
122
     for verification to be successful.
123
124
   Quoting from RFC 8032, Section 2:
125
126
     dom2(x, y)     The blank octet string when signing or verifying
127
                    Ed25519.  Otherwise, the octet string: "SigEd25519 no
128
                    Ed25519 collisions" || octet(x) || octet(OLEN(y)) ||
129
                    y, where x is in range 0-255 and y is an octet string
130
                    of at most 255 octets.  "SigEd25519 no Ed25519
131
                    collisions" is in ASCII (32 octets).
132
133
     dom4(x, y)     The octet string "SigEd448" || octet(x) ||
134
                    octet(OLEN(y)) || y, where x is in range 0-255 and y
135
                    is an octet string of at most 255 octets.  "SigEd448"
136
                    is in ASCII (8 octets).
137
138
   Note above that x is the pre-hash flag, and y is the context string.
139
*/
140
141
typedef struct {
142
    OSSL_LIB_CTX *libctx;
143
    ECX_KEY *key;
144
145
    /* The Algorithm Identifier of the signature algorithm */
146
    unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
147
    size_t  aid_len;
148
149
    /* id indicating the EdDSA instance */
150
    int instance_id;
151
    /* indicates that instance_id and associated flags are preset / hardcoded */
152
    unsigned int instance_id_preset_flag : 1;
153
    /* for ph instances, this indicates whether the caller is expected to prehash */
154
    unsigned int prehash_by_caller_flag : 1;
155
156
    unsigned int dom2_flag : 1;
157
    unsigned int prehash_flag : 1;
158
159
    /* indicates that a non-empty context string is required, as in Ed25519ctx */
160
    unsigned int context_string_flag : 1;
161
162
    unsigned char context_string[EDDSA_MAX_CONTEXT_STRING_LEN];
163
    size_t context_string_len;
164
165
} PROV_EDDSA_CTX;
166
167
static void *eddsa_newctx(void *provctx, const char *propq_unused)
168
212
{
169
212
    PROV_EDDSA_CTX *peddsactx;
170
171
212
    if (!ossl_prov_is_running())
172
0
        return NULL;
173
174
212
    peddsactx = OPENSSL_zalloc(sizeof(PROV_EDDSA_CTX));
175
212
    if (peddsactx == NULL)
176
0
        return NULL;
177
178
212
    peddsactx->libctx = PROV_LIBCTX_OF(provctx);
179
180
212
    return peddsactx;
181
212
}
182
183
static int eddsa_setup_instance(void *vpeddsactx, int instance_id,
184
                                unsigned int instance_id_preset,
185
                                unsigned int prehash_by_caller)
186
0
{
187
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
188
189
0
    switch (instance_id) {
190
0
    case ID_Ed25519:
191
0
        if (peddsactx->key->type != ECX_KEY_TYPE_ED25519)
192
0
            return 0;
193
0
        peddsactx->dom2_flag = 0;
194
0
        peddsactx->prehash_flag = 0;
195
0
        peddsactx->context_string_flag = 0;
196
0
        break;
197
0
#ifndef FIPS_MODULE
198
0
    case ID_Ed25519ctx:
199
0
        if (peddsactx->key->type != ECX_KEY_TYPE_ED25519)
200
0
            return 0;
201
0
        peddsactx->dom2_flag = 1;
202
0
        peddsactx->prehash_flag = 0;
203
0
        peddsactx->context_string_flag = 1;
204
0
        break;
205
0
#endif
206
0
    case ID_Ed25519ph:
207
0
        if (peddsactx->key->type != ECX_KEY_TYPE_ED25519)
208
0
            return 0;
209
0
        peddsactx->dom2_flag = 1;
210
0
        peddsactx->prehash_flag = 1;
211
0
        peddsactx->context_string_flag = 0;
212
0
        break;
213
0
    case ID_Ed448:
214
0
        if (peddsactx->key->type != ECX_KEY_TYPE_ED448)
215
0
            return 0;
216
0
        peddsactx->prehash_flag = 0;
217
0
        peddsactx->context_string_flag = 0;
218
0
        break;
219
0
    case ID_Ed448ph:
220
0
        if (peddsactx->key->type != ECX_KEY_TYPE_ED448)
221
0
            return 0;
222
0
        peddsactx->prehash_flag = 1;
223
0
        peddsactx->context_string_flag = 0;
224
0
        break;
225
0
    default:
226
        /* we did not recognize the instance */
227
0
        return 0;
228
0
    }
229
0
    peddsactx->instance_id = instance_id;
230
0
    peddsactx->instance_id_preset_flag = instance_id_preset;
231
0
    peddsactx->prehash_by_caller_flag = prehash_by_caller;
232
0
    return 1;
233
0
}
234
235
static int eddsa_signverify_init(void *vpeddsactx, void *vedkey)
236
0
{
237
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
238
0
    ECX_KEY *edkey = (ECX_KEY *)vedkey;
239
0
    WPACKET pkt;
240
0
    int ret;
241
0
    unsigned char *aid = NULL;
242
243
0
    if (!ossl_prov_is_running())
244
0
        return 0;
245
246
0
    if (edkey == NULL) {
247
0
        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
248
0
        return 0;
249
0
    }
250
251
0
    if (!ossl_ecx_key_up_ref(edkey)) {
252
0
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
253
0
        return 0;
254
0
    }
255
256
0
    peddsactx->instance_id_preset_flag = 0;
257
0
    peddsactx->dom2_flag = 0;
258
0
    peddsactx->prehash_flag = 0;
259
0
    peddsactx->context_string_flag = 0;
260
0
    peddsactx->context_string_len = 0;
261
262
0
    peddsactx->key = edkey;
263
264
    /*
265
     * We do not care about DER writing errors.
266
     * All it really means is that for some reason, there's no
267
     * AlgorithmIdentifier to be had, but the operation itself is
268
     * still valid, just as long as it's not used to construct
269
     * anything that needs an AlgorithmIdentifier.
270
     */
271
0
    peddsactx->aid_len = 0;
272
0
    ret = WPACKET_init_der(&pkt, peddsactx->aid_buf, sizeof(peddsactx->aid_buf));
273
0
    switch (edkey->type) {
274
0
    case ECX_KEY_TYPE_ED25519:
275
0
        ret = ret && ossl_DER_w_algorithmIdentifier_ED25519(&pkt, -1, edkey);
276
0
        break;
277
0
    case ECX_KEY_TYPE_ED448:
278
0
        ret = ret && ossl_DER_w_algorithmIdentifier_ED448(&pkt, -1, edkey);
279
0
        break;
280
0
    default:
281
        /* Should never happen */
282
0
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
283
0
        ossl_ecx_key_free(edkey);
284
0
        peddsactx->key = NULL;
285
0
        WPACKET_cleanup(&pkt);
286
0
        return 0;
287
0
    }
288
0
    if (ret && WPACKET_finish(&pkt)) {
289
0
        WPACKET_get_total_written(&pkt, &peddsactx->aid_len);
290
0
        aid = WPACKET_get_curr(&pkt);
291
0
    }
292
0
    WPACKET_cleanup(&pkt);
293
0
    if (aid != NULL && peddsactx->aid_len != 0)
294
0
        memmove(peddsactx->aid_buf, aid, peddsactx->aid_len);
295
296
0
    return 1;
297
0
}
298
299
static int ed25519_signverify_message_init(void *vpeddsactx, void *vedkey,
300
                                             const OSSL_PARAM params[])
301
0
{
302
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
303
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519, 1, 0)
304
0
        && eddsa_set_ctx_params(vpeddsactx, params);
305
0
}
306
307
static int ed25519ph_signverify_message_init(void *vpeddsactx, void *vedkey,
308
                                             const OSSL_PARAM params[])
309
0
{
310
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
311
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519ph, 1, 0)
312
0
        && eddsa_set_ctx_params(vpeddsactx, params);
313
0
}
314
315
static int ed25519ph_signverify_init(void *vpeddsactx, void *vedkey,
316
                                     const OSSL_PARAM params[])
317
0
{
318
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
319
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519ph, 1, 1)
320
0
        && eddsa_set_ctx_params(vpeddsactx, params);
321
0
}
322
323
/*
324
 * This supports using ED25519 with EVP_PKEY_{sign,verify}_init_ex() and
325
 * EVP_PKEY_{sign,verify}_init_ex2(), under the condition that the caller
326
 * explicitly sets the Ed25519ph instance (this is verified by ed25519_sign()
327
 * and ed25519_verify())
328
 */
329
static int ed25519_signverify_init(void *vpeddsactx, void *vedkey,
330
                                   const OSSL_PARAM params[])
331
0
{
332
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
333
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519, 0, 1)
334
0
        && eddsa_set_ctx_params(vpeddsactx, params);
335
0
}
336
337
static int ed25519ctx_signverify_message_init(void *vpeddsactx, void *vedkey,
338
                                             const OSSL_PARAM params[])
339
0
{
340
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
341
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519ctx, 1, 0)
342
0
        && eddsa_set_ctx_params(vpeddsactx, params);
343
0
}
344
345
static int ed448_signverify_message_init(void *vpeddsactx, void *vedkey,
346
                                         const OSSL_PARAM params[])
347
0
{
348
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
349
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed448, 1, 0)
350
0
        && eddsa_set_ctx_params(vpeddsactx, params);
351
0
}
352
353
static int ed448ph_signverify_message_init(void *vpeddsactx, void *vedkey,
354
                                           const OSSL_PARAM params[])
355
0
{
356
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
357
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed448ph, 1, 0)
358
0
        && eddsa_set_ctx_params(vpeddsactx, params);
359
0
}
360
361
static int ed448ph_signverify_init(void *vpeddsactx, void *vedkey,
362
                                   const OSSL_PARAM params[])
363
0
{
364
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
365
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed448ph, 1, 1)
366
0
        && eddsa_set_ctx_params(vpeddsactx, params);
367
0
}
368
369
/*
370
 * This supports using ED448 with EVP_PKEY_{sign,verify}_init_ex() and
371
 * EVP_PKEY_{sign,verify}_init_ex2(), under the condition that the caller
372
 * explicitly sets the Ed448ph instance (this is verified by ed448_sign()
373
 * and ed448_verify())
374
 */
375
static int ed448_signverify_init(void *vpeddsactx, void *vedkey,
376
                                   const OSSL_PARAM params[])
377
0
{
378
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
379
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed448, 0, 1)
380
0
        && eddsa_set_ctx_params(vpeddsactx, params);
381
0
}
382
383
/*
384
 * This is used directly for OSSL_FUNC_SIGNATURE_SIGN and indirectly
385
 * for OSSL_FUNC_SIGNATURE_DIGEST_SIGN
386
 */
387
static int ed25519_sign(void *vpeddsactx,
388
                        unsigned char *sigret, size_t *siglen, size_t sigsize,
389
                        const unsigned char *tbs, size_t tbslen)
390
0
{
391
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
392
0
    const ECX_KEY *edkey = peddsactx->key;
393
0
    uint8_t md[EVP_MAX_MD_SIZE];
394
0
    size_t mdlen;
395
396
0
    if (!ossl_prov_is_running())
397
0
        return 0;
398
399
0
    if (sigret == NULL) {
400
0
        *siglen = ED25519_SIGSIZE;
401
0
        return 1;
402
0
    }
403
0
    if (sigsize < ED25519_SIGSIZE) {
404
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
405
0
        return 0;
406
0
    }
407
0
    if (edkey->privkey == NULL) {
408
0
        ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
409
0
        return 0;
410
0
    }
411
#ifdef S390X_EC_ASM
412
    /*
413
     * s390x_ed25519_digestsign() does not yet support dom2 or context-strings.
414
     * fall back to non-accelerated sign if those options are set, or pre-hasing
415
     * is provided.
416
     */
417
    if (S390X_CAN_SIGN(ED25519)
418
            && !peddsactx->dom2_flag
419
            && !peddsactx->context_string_flag
420
            && peddsactx->context_string_len == 0
421
            && !peddsactx->prehash_flag
422
            && !peddsactx->prehash_by_caller_flag) {
423
        if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) {
424
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
425
            return 0;
426
        }
427
        *siglen = ED25519_SIGSIZE;
428
        return 1;
429
    }
430
#endif /* S390X_EC_ASM */
431
432
0
    if (peddsactx->prehash_flag) {
433
0
        if (!peddsactx->prehash_by_caller_flag) {
434
0
            if (!EVP_Q_digest(peddsactx->libctx, SN_sha512, NULL,
435
0
                              tbs, tbslen, md, &mdlen)
436
0
                || mdlen != EDDSA_PREHASH_OUTPUT_LEN) {
437
0
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PREHASHED_DIGEST_LENGTH);
438
0
                return 0;
439
0
            }
440
0
            tbs = md;
441
0
            tbslen = mdlen;
442
0
        } else if (tbslen != EDDSA_PREHASH_OUTPUT_LEN) {
443
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
444
0
            return 0;
445
0
        }
446
0
    } else if (peddsactx->prehash_by_caller_flag) {
447
        /* The caller is supposed to set up a ph instance! */
448
0
        ERR_raise(ERR_LIB_PROV,
449
0
                  PROV_R_INVALID_EDDSA_INSTANCE_FOR_ATTEMPTED_OPERATION);
450
0
        return 0;
451
0
    }
452
453
0
    if (ossl_ed25519_sign(sigret, tbs, tbslen, edkey->pubkey, edkey->privkey,
454
0
            peddsactx->dom2_flag, peddsactx->prehash_flag, peddsactx->context_string_flag,
455
0
            peddsactx->context_string, peddsactx->context_string_len,
456
0
            peddsactx->libctx, NULL) == 0) {
457
0
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
458
0
        return 0;
459
0
    }
460
0
    *siglen = ED25519_SIGSIZE;
461
0
    return 1;
462
0
}
463
464
/* EVP_Q_digest() does not allow variable output length for XOFs,
465
   so we use this function */
466
static int ed448_shake256(OSSL_LIB_CTX *libctx,
467
                          const char *propq,
468
                          const uint8_t *in, size_t inlen,
469
                          uint8_t *out, size_t outlen)
470
0
{
471
0
    int ret = 0;
472
0
    EVP_MD_CTX *hash_ctx = EVP_MD_CTX_new();
473
0
    EVP_MD *shake256 = EVP_MD_fetch(libctx, SN_shake256, propq);
474
475
0
    if (hash_ctx == NULL || shake256 == NULL)
476
0
        goto err;
477
478
0
    if (!EVP_DigestInit_ex(hash_ctx, shake256, NULL)
479
0
            || !EVP_DigestUpdate(hash_ctx, in, inlen)
480
0
            || !EVP_DigestFinalXOF(hash_ctx, out, outlen))
481
0
        goto err;
482
483
0
    ret = 1;
484
485
0
 err:
486
0
    EVP_MD_CTX_free(hash_ctx);
487
0
    EVP_MD_free(shake256);
488
0
    return ret;
489
0
}
490
491
/*
492
 * This is used directly for OSSL_FUNC_SIGNATURE_SIGN and indirectly
493
 * for OSSL_FUNC_SIGNATURE_DIGEST_SIGN
494
 */
495
static int ed448_sign(void *vpeddsactx,
496
                      unsigned char *sigret, size_t *siglen, size_t sigsize,
497
                      const unsigned char *tbs, size_t tbslen)
498
0
{
499
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
500
0
    const ECX_KEY *edkey = peddsactx->key;
501
0
    uint8_t md[EDDSA_PREHASH_OUTPUT_LEN];
502
0
    size_t mdlen = sizeof(md);
503
504
0
    if (!ossl_prov_is_running())
505
0
        return 0;
506
507
0
    if (sigret == NULL) {
508
0
        *siglen = ED448_SIGSIZE;
509
0
        return 1;
510
0
    }
511
0
    if (sigsize < ED448_SIGSIZE) {
512
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
513
0
        return 0;
514
0
    }
515
0
    if (edkey->privkey == NULL) {
516
0
        ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
517
0
        return 0;
518
0
    }
519
#ifdef S390X_EC_ASM
520
    /*
521
     * s390x_ed448_digestsign() does not yet support context-strings or
522
     * pre-hashing. Fall back to non-accelerated sign if a context-string or
523
     * pre-hasing is provided.
524
     */
525
    if (S390X_CAN_SIGN(ED448)
526
            && peddsactx->context_string_len == 0
527
            && !peddsactx->prehash_flag
528
            && !peddsactx->prehash_by_caller_flag) {
529
        if (s390x_ed448_digestsign(edkey, sigret, tbs, tbslen) == 0) {
530
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
531
            return 0;
532
        }
533
        *siglen = ED448_SIGSIZE;
534
        return 1;
535
    }
536
#endif /* S390X_EC_ASM */
537
538
0
    if (peddsactx->prehash_flag) {
539
0
        if (!peddsactx->prehash_by_caller_flag) {
540
0
            if (!ed448_shake256(peddsactx->libctx, NULL, tbs, tbslen, md, mdlen))
541
0
                return 0;
542
0
            tbs = md;
543
0
            tbslen = mdlen;
544
0
        } else if (tbslen != EDDSA_PREHASH_OUTPUT_LEN) {
545
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
546
0
            return 0;
547
0
        }
548
0
    } else if (peddsactx->prehash_by_caller_flag) {
549
        /* The caller is supposed to set up a ph instance! */
550
0
        ERR_raise(ERR_LIB_PROV,
551
0
                  PROV_R_INVALID_EDDSA_INSTANCE_FOR_ATTEMPTED_OPERATION);
552
0
        return 0;
553
0
    }
554
555
0
    if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen,
556
0
                        edkey->pubkey, edkey->privkey,
557
0
                        peddsactx->context_string, peddsactx->context_string_len,
558
0
                        peddsactx->prehash_flag, edkey->propq) == 0) {
559
0
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
560
0
        return 0;
561
0
    }
562
0
    *siglen = ED448_SIGSIZE;
563
0
    return 1;
564
0
}
565
566
/*
567
 * This is used directly for OSSL_FUNC_SIGNATURE_VERIFY and indirectly
568
 * for OSSL_FUNC_SIGNATURE_DIGEST_VERIFY
569
 */
570
static int ed25519_verify(void *vpeddsactx,
571
                          const unsigned char *sig, size_t siglen,
572
                          const unsigned char *tbs, size_t tbslen)
573
0
{
574
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
575
0
    const ECX_KEY *edkey = peddsactx->key;
576
0
    uint8_t md[EVP_MAX_MD_SIZE];
577
0
    size_t mdlen;
578
579
0
    if (!ossl_prov_is_running() || siglen != ED25519_SIGSIZE)
580
0
        return 0;
581
582
#ifdef S390X_EC_ASM
583
    /*
584
     * s390x_ed25519_digestverify() does not yet support dom2 or context-strings.
585
     * fall back to non-accelerated verify if those options are set, or
586
     * pre-hasing is provided.
587
     */
588
    if (S390X_CAN_SIGN(ED25519)
589
            && !peddsactx->dom2_flag
590
            && !peddsactx->context_string_flag
591
            && peddsactx->context_string_len == 0
592
            && !peddsactx->prehash_flag
593
            && !peddsactx->prehash_by_caller_flag)
594
        return s390x_ed25519_digestverify(edkey, sig, tbs, tbslen);
595
#endif /* S390X_EC_ASM */
596
597
0
    if (peddsactx->prehash_flag) {
598
0
        if (!peddsactx->prehash_by_caller_flag) {
599
0
            if (!EVP_Q_digest(peddsactx->libctx, SN_sha512, NULL,
600
0
                              tbs, tbslen, md, &mdlen)
601
0
                || mdlen != EDDSA_PREHASH_OUTPUT_LEN) {
602
0
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PREHASHED_DIGEST_LENGTH);
603
0
                return 0;
604
0
            }
605
0
            tbs = md;
606
0
            tbslen = mdlen;
607
0
        } else if (tbslen != EDDSA_PREHASH_OUTPUT_LEN) {
608
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
609
0
            return 0;
610
0
        }
611
0
    } else if (peddsactx->prehash_by_caller_flag) {
612
        /* The caller is supposed to set up a ph instance! */
613
0
        ERR_raise(ERR_LIB_PROV,
614
0
                  PROV_R_INVALID_EDDSA_INSTANCE_FOR_ATTEMPTED_OPERATION);
615
0
        return 0;
616
0
    }
617
618
0
    return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey,
619
0
                               peddsactx->dom2_flag, peddsactx->prehash_flag, peddsactx->context_string_flag,
620
0
                               peddsactx->context_string, peddsactx->context_string_len,
621
0
                               peddsactx->libctx, edkey->propq);
622
0
}
623
624
/*
625
 * This is used directly for OSSL_FUNC_SIGNATURE_VERIFY and indirectly
626
 * for OSSL_FUNC_SIGNATURE_DIGEST_VERIFY
627
 */
628
static int ed448_verify(void *vpeddsactx,
629
                        const unsigned char *sig, size_t siglen,
630
                        const unsigned char *tbs, size_t tbslen)
631
0
{
632
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
633
0
    const ECX_KEY *edkey = peddsactx->key;
634
0
    uint8_t md[EDDSA_PREHASH_OUTPUT_LEN];
635
0
    size_t mdlen = sizeof(md);
636
637
0
    if (!ossl_prov_is_running() || siglen != ED448_SIGSIZE)
638
0
        return 0;
639
640
#ifdef S390X_EC_ASM
641
    /*
642
     * s390x_ed448_digestverify() does not yet support context-strings or
643
     * pre-hashing. Fall back to non-accelerated verify if a context-string or
644
     * pre-hasing is provided.
645
     */
646
    if (S390X_CAN_SIGN(ED448)
647
            && peddsactx->context_string_len == 0
648
            && !peddsactx->prehash_flag
649
            && !peddsactx->prehash_by_caller_flag)
650
        return s390x_ed448_digestverify(edkey, sig, tbs, tbslen);
651
#endif /* S390X_EC_ASM */
652
653
0
    if (peddsactx->prehash_flag) {
654
0
        if (!peddsactx->prehash_by_caller_flag) {
655
0
            if (!ed448_shake256(peddsactx->libctx, NULL, tbs, tbslen, md, mdlen))
656
0
                return 0;
657
0
            tbs = md;
658
0
            tbslen = mdlen;
659
0
        } else if (tbslen != EDDSA_PREHASH_OUTPUT_LEN) {
660
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
661
0
            return 0;
662
0
        }
663
0
    } else if (peddsactx->prehash_by_caller_flag) {
664
        /* The caller is supposed to set up a ph instance! */
665
0
        ERR_raise(ERR_LIB_PROV,
666
0
                  PROV_R_INVALID_EDDSA_INSTANCE_FOR_ATTEMPTED_OPERATION);
667
0
        return 0;
668
0
    }
669
670
0
    return ossl_ed448_verify(peddsactx->libctx, tbs, tbslen, sig, edkey->pubkey,
671
0
                             peddsactx->context_string, peddsactx->context_string_len,
672
0
                             peddsactx->prehash_flag, edkey->propq);
673
0
}
674
675
/* All digest_{sign,verify} are simple wrappers around the functions above */
676
677
static int ed25519_digest_signverify_init(void *vpeddsactx, const char *mdname,
678
                                          void *vedkey,
679
                                          const OSSL_PARAM params[])
680
0
{
681
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
682
683
0
    if (mdname != NULL && mdname[0] != '\0') {
684
0
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
685
0
                        "Explicit digest not allowed with EdDSA operations");
686
0
        return 0;
687
0
    }
688
689
0
    if (vedkey == NULL && peddsactx->key != NULL)
690
0
        return eddsa_set_ctx_params(peddsactx, params);
691
692
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
693
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed25519, 0, 0)
694
0
        && eddsa_set_ctx_params(vpeddsactx, params);
695
0
}
696
697
static int ed25519_digest_sign(void *vpeddsactx,
698
                               unsigned char *sigret, size_t *siglen, size_t sigsize,
699
                               const unsigned char *tbs, size_t tbslen)
700
0
{
701
0
    return ed25519_sign(vpeddsactx, sigret, siglen, sigsize, tbs, tbslen);
702
0
}
703
704
static int ed25519_digest_verify(void *vpeddsactx,
705
                                 const unsigned char *sigret, size_t siglen,
706
                                 const unsigned char *tbs, size_t tbslen)
707
{
708
    return ed25519_verify(vpeddsactx, sigret, siglen, tbs, tbslen);
709
}
710
711
static int ed448_digest_signverify_init(void *vpeddsactx, const char *mdname,
712
                                        void *vedkey,
713
                                        const OSSL_PARAM params[])
714
0
{
715
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
716
717
0
    if (mdname != NULL && mdname[0] != '\0') {
718
0
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
719
0
                        "Explicit digest not allowed with EdDSA operations");
720
0
        return 0;
721
0
    }
722
723
0
    if (vedkey == NULL && peddsactx->key != NULL)
724
0
        return eddsa_set_ctx_params(peddsactx, params);
725
726
0
    return eddsa_signverify_init(vpeddsactx, vedkey)
727
0
        && eddsa_setup_instance(vpeddsactx, ID_Ed448, 0, 0)
728
0
        && eddsa_set_ctx_params(vpeddsactx, params);
729
0
}
730
731
static int ed448_digest_sign(void *vpeddsactx,
732
                             unsigned char *sigret, size_t *siglen, size_t sigsize,
733
                             const unsigned char *tbs, size_t tbslen)
734
0
{
735
0
    return ed448_sign(vpeddsactx, sigret, siglen, sigsize, tbs, tbslen);
736
0
}
737
738
static int ed448_digest_verify(void *vpeddsactx,
739
                               const unsigned char *sigret, size_t siglen,
740
                               const unsigned char *tbs, size_t tbslen)
741
{
742
    return ed448_verify(vpeddsactx, sigret, siglen, tbs, tbslen);
743
}
744
745
static void eddsa_freectx(void *vpeddsactx)
746
212
{
747
212
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
748
749
212
    ossl_ecx_key_free(peddsactx->key);
750
751
212
    OPENSSL_free(peddsactx);
752
212
}
753
754
static void *eddsa_dupctx(void *vpeddsactx)
755
0
{
756
0
    PROV_EDDSA_CTX *srcctx = (PROV_EDDSA_CTX *)vpeddsactx;
757
0
    PROV_EDDSA_CTX *dstctx;
758
759
0
    if (!ossl_prov_is_running())
760
0
        return NULL;
761
762
0
    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
763
0
    if (dstctx == NULL)
764
0
        return NULL;
765
766
0
    *dstctx = *srcctx;
767
0
    dstctx->key = NULL;
768
769
0
    if (srcctx->key != NULL && !ossl_ecx_key_up_ref(srcctx->key)) {
770
0
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
771
0
        goto err;
772
0
    }
773
0
    dstctx->key = srcctx->key;
774
775
0
    return dstctx;
776
0
 err:
777
0
    eddsa_freectx(dstctx);
778
0
    return NULL;
779
0
}
780
781
static const char **ed25519_sigalg_query_key_types(void)
782
0
{
783
0
    static const char *keytypes[] = { "ED25519", NULL };
784
785
0
    return keytypes;
786
0
}
787
788
static const char **ed448_sigalg_query_key_types(void)
789
0
{
790
0
    static const char *keytypes[] = { "ED448", NULL };
791
792
0
    return keytypes;
793
0
}
794
795
/* Machine generated by util/perl/OpenSSL/paramnames.pm */
796
#ifndef eddsa_get_ctx_params_list
797
static const OSSL_PARAM eddsa_get_ctx_params_list[] = {
798
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
799
    OSSL_PARAM_END
800
};
801
#endif
802
803
#ifndef eddsa_get_ctx_params_st
804
struct eddsa_get_ctx_params_st {
805
    OSSL_PARAM *id;
806
};
807
#endif
808
809
#ifndef eddsa_get_ctx_params_decoder
810
static int eddsa_get_ctx_params_decoder
811
    (const OSSL_PARAM *p, struct eddsa_get_ctx_params_st *r)
812
0
{
813
0
    const char *s;
814
815
0
    memset(r, 0, sizeof(*r));
816
0
    if (p != NULL)
817
0
        for (; (s = p->key) != NULL; p++)
818
0
            if (ossl_likely(strcmp("algorithm-id", s + 0) == 0)) {
819
                /* OSSL_SIGNATURE_PARAM_ALGORITHM_ID */
820
0
                if (ossl_unlikely(r->id != NULL)) {
821
0
                    ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER,
822
0
                                   "param %s is repeated", s);
823
0
                    return 0;
824
0
                }
825
0
                r->id = (OSSL_PARAM *)p;
826
0
            }
827
0
    return 1;
828
0
}
829
#endif
830
/* End of machine generated */
831
832
static int eddsa_get_ctx_params(void *vpeddsactx, OSSL_PARAM *params)
833
0
{
834
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
835
0
    struct eddsa_get_ctx_params_st p;
836
837
0
    if (peddsactx == NULL || !eddsa_get_ctx_params_decoder(params, &p))
838
0
        return 0;
839
840
0
    if (p.id != NULL
841
0
        && !OSSL_PARAM_set_octet_string(p.id,
842
0
                                        peddsactx->aid_len == 0 ? NULL : peddsactx->aid_buf,
843
0
                                        peddsactx->aid_len))
844
0
        return 0;
845
846
0
    return 1;
847
0
}
848
849
static const OSSL_PARAM *eddsa_gettable_ctx_params(ossl_unused void *vpeddsactx,
850
                                                   ossl_unused void *provctx)
851
0
{
852
0
    return eddsa_get_ctx_params_list;
853
0
}
854
855
/* Machine generated by util/perl/OpenSSL/paramnames.pm */
856
#ifndef eddsa_set_ctx_params_list
857
static const OSSL_PARAM eddsa_set_ctx_params_list[] = {
858
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE, NULL, 0),
859
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0),
860
    OSSL_PARAM_END
861
};
862
#endif
863
864
#ifndef eddsa_set_ctx_params_st
865
struct eddsa_set_ctx_params_st {
866
    OSSL_PARAM *ctx;
867
    OSSL_PARAM *inst;
868
};
869
#endif
870
871
#ifndef eddsa_set_ctx_params_decoder
872
static int eddsa_set_ctx_params_decoder
873
    (const OSSL_PARAM *p, struct eddsa_set_ctx_params_st *r)
874
0
{
875
0
    const char *s;
876
877
0
    memset(r, 0, sizeof(*r));
878
0
    if (p != NULL)
879
0
        for (; (s = p->key) != NULL; p++)
880
0
            switch(s[0]) {
881
0
            default:
882
0
                break;
883
0
            case 'c':
884
0
                if (ossl_likely(strcmp("ontext-string", s + 1) == 0)) {
885
                    /* OSSL_SIGNATURE_PARAM_CONTEXT_STRING */
886
0
                    if (ossl_unlikely(r->ctx != NULL)) {
887
0
                        ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER,
888
0
                                       "param %s is repeated", s);
889
0
                        return 0;
890
0
                    }
891
0
                    r->ctx = (OSSL_PARAM *)p;
892
0
                }
893
0
                break;
894
0
            case 'i':
895
0
                if (ossl_likely(strcmp("nstance", s + 1) == 0)) {
896
                    /* OSSL_SIGNATURE_PARAM_INSTANCE */
897
0
                    if (ossl_unlikely(r->inst != NULL)) {
898
0
                        ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER,
899
0
                                       "param %s is repeated", s);
900
0
                        return 0;
901
0
                    }
902
0
                    r->inst = (OSSL_PARAM *)p;
903
0
                }
904
0
            }
905
0
    return 1;
906
0
}
907
#endif
908
/* End of machine generated */
909
910
static int eddsa_set_ctx_params_internal
911
        (PROV_EDDSA_CTX *peddsactx, const struct eddsa_set_ctx_params_st *p)
912
0
{
913
0
    if (p->inst != NULL) {
914
0
        char instance_name[OSSL_MAX_NAME_SIZE] = "";
915
0
        char *pinstance_name = instance_name;
916
917
0
        if (peddsactx->instance_id_preset_flag) {
918
            /* When the instance is preset, the caller must not try to set it */
919
0
            ERR_raise_data(ERR_LIB_PROV, PROV_R_NO_INSTANCE_ALLOWED,
920
0
                           "the EdDSA instance is preset, you may not try to specify it",
921
0
                           NULL);
922
0
            return 0;
923
0
        }
924
925
0
        if (!OSSL_PARAM_get_utf8_string(p->inst, &pinstance_name,
926
0
                                        sizeof(instance_name)))
927
0
            return 0;
928
929
        /*
930
         * When setting the new instance, we're careful not to change the
931
         * prehash_by_caller flag, as that's always preset by the init
932
         * functions.  The sign functions will determine if the instance
933
         * matches this flag.
934
         */
935
0
        if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519) == 0) {
936
0
            eddsa_setup_instance(peddsactx, ID_Ed25519, 0,
937
0
                                 peddsactx->prehash_by_caller_flag);
938
0
#ifndef FIPS_MODULE
939
0
        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519ctx) == 0) {
940
0
            eddsa_setup_instance(peddsactx, ID_Ed25519ctx, 0,
941
0
                                 peddsactx->prehash_by_caller_flag);
942
0
#endif
943
0
        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519ph) == 0) {
944
0
            eddsa_setup_instance(peddsactx, ID_Ed25519ph, 0,
945
0
                                 peddsactx->prehash_by_caller_flag);
946
0
        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed448) == 0) {
947
0
            eddsa_setup_instance(peddsactx, ID_Ed448, 0,
948
0
                                 peddsactx->prehash_by_caller_flag);
949
0
        } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed448ph) == 0) {
950
0
            eddsa_setup_instance(peddsactx, ID_Ed448ph, 0,
951
0
                                 peddsactx->prehash_by_caller_flag);
952
0
        } else {
953
            /* we did not recognize the instance */
954
0
            ERR_raise_data(ERR_LIB_PROV,
955
0
                           PROV_R_INVALID_EDDSA_INSTANCE_FOR_ATTEMPTED_OPERATION,
956
0
                           "unknown INSTANCE name: %s",
957
0
                           pinstance_name != NULL ? pinstance_name : "<null>");
958
0
            return 0;
959
0
        }
960
961
0
    }
962
963
0
    if (p->ctx != NULL) {
964
0
        void *vp_context_string = peddsactx->context_string;
965
966
0
        if (!OSSL_PARAM_get_octet_string(p->ctx, &vp_context_string,
967
0
                                         sizeof(peddsactx->context_string),
968
0
                                         &(peddsactx->context_string_len))) {
969
0
            peddsactx->context_string_len = 0;
970
0
            return 0;
971
0
        }
972
0
    }
973
974
0
    return 1;
975
0
}
976
977
static const OSSL_PARAM *eddsa_settable_ctx_params(ossl_unused void *vpeddsactx,
978
                                                   ossl_unused void *provctx)
979
7
{
980
7
    return eddsa_set_ctx_params_list;
981
7
}
982
983
984
static int eddsa_set_ctx_params(void *vpeddsactx, const OSSL_PARAM params[])
985
0
{
986
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
987
0
    struct eddsa_set_ctx_params_st p;
988
989
0
    if (peddsactx == NULL || !eddsa_set_ctx_params_decoder(params, &p))
990
0
        return 0;
991
0
    return eddsa_set_ctx_params_internal(peddsactx, &p);
992
0
}
993
994
#define eddsa_set_variant_ctx_params_st         eddsa_set_ctx_params_st
995
/* Machine generated by util/perl/OpenSSL/paramnames.pm */
996
#ifndef eddsa_set_variant_ctx_params_list
997
static const OSSL_PARAM eddsa_set_variant_ctx_params_list[] = {
998
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0),
999
    OSSL_PARAM_END
1000
};
1001
#endif
1002
1003
#ifndef eddsa_set_variant_ctx_params_st
1004
struct eddsa_set_variant_ctx_params_st {
1005
    OSSL_PARAM *ctx;
1006
};
1007
#endif
1008
1009
#ifndef eddsa_set_variant_ctx_params_decoder
1010
static int eddsa_set_variant_ctx_params_decoder
1011
    (const OSSL_PARAM *p, struct eddsa_set_variant_ctx_params_st *r)
1012
0
{
1013
0
    const char *s;
1014
1015
0
    memset(r, 0, sizeof(*r));
1016
0
    if (p != NULL)
1017
0
        for (; (s = p->key) != NULL; p++)
1018
0
            if (ossl_likely(strcmp("context-string", s + 0) == 0)) {
1019
                /* OSSL_SIGNATURE_PARAM_CONTEXT_STRING */
1020
0
                if (ossl_unlikely(r->ctx != NULL)) {
1021
0
                    ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER,
1022
0
                                   "param %s is repeated", s);
1023
0
                    return 0;
1024
0
                }
1025
0
                r->ctx = (OSSL_PARAM *)p;
1026
0
            }
1027
0
    return 1;
1028
0
}
1029
#endif
1030
/* End of machine generated */
1031
1032
static const OSSL_PARAM *
1033
eddsa_settable_variant_ctx_params(ossl_unused void *vpeddsactx,
1034
                                  ossl_unused void *provctx)
1035
5
{
1036
5
    return eddsa_set_variant_ctx_params_list;
1037
5
}
1038
1039
static int eddsa_set_variant_ctx_params(void *vpeddsactx,
1040
                                        const OSSL_PARAM params[])
1041
0
{
1042
0
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
1043
0
    struct eddsa_set_ctx_params_st p;
1044
1045
0
    if (peddsactx == NULL || !eddsa_set_variant_ctx_params_decoder(params, &p))
1046
0
        return 0;
1047
0
    return eddsa_set_ctx_params_internal(peddsactx, &p);
1048
0
}
1049
1050
/*
1051
 * Ed25519 can be used with:
1052
 * - EVP_PKEY_sign_init_ex2()   [ instance and prehash assumed done by caller ]
1053
 * - EVP_PKEY_verify_init_ex2() [ instance and prehash assumed done by caller ]
1054
 * - EVP_PKEY_sign_message_init()
1055
 * - EVP_PKEY_verify_message_init()
1056
 * - EVP_DigestSignInit_ex()
1057
 * - EVP_DigestVerifyInit_ex()
1058
 * Ed25519ph can be used with:
1059
 * - EVP_PKEY_sign_init_ex2()   [ prehash assumed done by caller ]
1060
 * - EVP_PKEY_verify_init_ex2() [ prehash assumed done by caller ]
1061
 * - EVP_PKEY_sign_message_init()
1062
 * - EVP_PKEY_verify_message_init()
1063
 * Ed25519ctx can be used with:
1064
 * - EVP_PKEY_sign_message_init()
1065
 * - EVP_PKEY_verify_message_init()
1066
 * Ed448 can be used with:
1067
 * - EVP_PKEY_sign_init_ex2()   [ instance and prehash assumed done by caller ]
1068
 * - EVP_PKEY_verify_init_ex2() [ instance and prehash assumed done by caller ]
1069
 * - EVP_PKEY_sign_message_init()
1070
 * - EVP_PKEY_verify_message_init()
1071
 * - EVP_DigestSignInit_ex()
1072
 * - EVP_DigestVerifyInit_ex()
1073
 * Ed448ph can be used with:
1074
 * - EVP_PKEY_sign_init_ex2()   [ prehash assumed done by caller ]
1075
 * - EVP_PKEY_verify_init_ex2() [ prehash assumed done by caller ]
1076
 * - EVP_PKEY_sign_message_init()
1077
 * - EVP_PKEY_verify_message_init()
1078
 */
1079
1080
#define ed25519_DISPATCH_END                                            \
1081
    { OSSL_FUNC_SIGNATURE_SIGN_INIT,                                    \
1082
        (void (*)(void))ed25519_signverify_init },                      \
1083
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT,                                  \
1084
        (void (*)(void))ed25519_signverify_init },                      \
1085
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,                             \
1086
        (void (*)(void))ed25519_digest_signverify_init },               \
1087
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN,                                  \
1088
        (void (*)(void))ed25519_digest_sign },                          \
1089
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,                           \
1090
        (void (*)(void))ed25519_digest_signverify_init },               \
1091
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,                                \
1092
        (void (*)(void))ed25519_digest_verify },                        \
1093
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS,                               \
1094
        (void (*)(void))eddsa_get_ctx_params },                         \
1095
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,                          \
1096
        (void (*)(void))eddsa_gettable_ctx_params },                    \
1097
    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS,                               \
1098
        (void (*)(void))eddsa_set_ctx_params },                         \
1099
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,                          \
1100
        (void (*)(void))eddsa_settable_ctx_params },                    \
1101
    OSSL_DISPATCH_END
1102
1103
#define eddsa_variant_DISPATCH_END(v)                                   \
1104
    { OSSL_FUNC_SIGNATURE_SIGN_INIT,                                    \
1105
        (void (*)(void))v##_signverify_message_init },                  \
1106
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT,                                  \
1107
        (void (*)(void))v##_signverify_message_init },                  \
1108
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS,                               \
1109
        (void (*)(void))eddsa_get_ctx_params },                         \
1110
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,                          \
1111
        (void (*)(void))eddsa_gettable_ctx_params },                    \
1112
    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS,                               \
1113
        (void (*)(void))eddsa_set_variant_ctx_params },                 \
1114
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,                          \
1115
        (void (*)(void))eddsa_settable_variant_ctx_params },            \
1116
    OSSL_DISPATCH_END
1117
1118
#define ed25519ph_DISPATCH_END                                          \
1119
    { OSSL_FUNC_SIGNATURE_SIGN_INIT,                                    \
1120
        (void (*)(void))ed25519ph_signverify_init },                    \
1121
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT,                                  \
1122
        (void (*)(void))ed25519ph_signverify_init },                    \
1123
    eddsa_variant_DISPATCH_END(ed25519ph)
1124
1125
#define ed25519ctx_DISPATCH_END eddsa_variant_DISPATCH_END(ed25519ctx)
1126
1127
#define ed448_DISPATCH_END                                              \
1128
    { OSSL_FUNC_SIGNATURE_SIGN_INIT,                                    \
1129
        (void (*)(void))ed448_signverify_init },                        \
1130
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT,                                  \
1131
        (void (*)(void))ed448_signverify_init },                        \
1132
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,                             \
1133
        (void (*)(void))ed448_digest_signverify_init },                 \
1134
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN,                                  \
1135
        (void (*)(void))ed448_digest_sign },                            \
1136
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,                           \
1137
        (void (*)(void))ed448_digest_signverify_init },                 \
1138
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,                                \
1139
        (void (*)(void))ed448_digest_verify },                          \
1140
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS,                               \
1141
        (void (*)(void))eddsa_get_ctx_params },                         \
1142
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,                          \
1143
        (void (*)(void))eddsa_gettable_ctx_params },                    \
1144
    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS,                               \
1145
        (void (*)(void))eddsa_set_ctx_params },                         \
1146
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,                          \
1147
        (void (*)(void))eddsa_settable_ctx_params },                    \
1148
    OSSL_DISPATCH_END
1149
1150
#define ed448ph_DISPATCH_END                                            \
1151
    { OSSL_FUNC_SIGNATURE_SIGN_INIT,                                    \
1152
        (void (*)(void))ed448ph_signverify_init },                      \
1153
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT,                                  \
1154
        (void (*)(void))ed448ph_signverify_init },                      \
1155
    eddsa_variant_DISPATCH_END(ed448ph)
1156
1157
/* vn = variant name, bn = base name */
1158
#define IMPL_EDDSA_DISPATCH(vn,bn)                                      \
1159
    const OSSL_DISPATCH ossl_##vn##_signature_functions[] = {           \
1160
        { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },   \
1161
        { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT,                        \
1162
          (void (*)(void))vn##_signverify_message_init },               \
1163
        { OSSL_FUNC_SIGNATURE_SIGN,                                     \
1164
          (void (*)(void))bn##_sign },                                  \
1165
        { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT,                      \
1166
          (void (*)(void))vn##_signverify_message_init },               \
1167
        { OSSL_FUNC_SIGNATURE_VERIFY,                                   \
1168
          (void (*)(void))bn##_verify },                                \
1169
        { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx }, \
1170
        { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },   \
1171
        { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES,                          \
1172
          (void (*)(void))bn##_sigalg_query_key_types },                \
1173
        vn##_DISPATCH_END                                               \
1174
    }
1175
1176
IMPL_EDDSA_DISPATCH(ed25519,ed25519);
1177
IMPL_EDDSA_DISPATCH(ed25519ph,ed25519);
1178
IMPL_EDDSA_DISPATCH(ed25519ctx,ed25519);
1179
IMPL_EDDSA_DISPATCH(ed448,ed448);
1180
IMPL_EDDSA_DISPATCH(ed448ph,ed448);
1181
1182
#ifdef S390X_EC_ASM
1183
1184
static int s390x_ed25519_digestsign(const ECX_KEY *edkey, unsigned char *sig,
1185
                                    const unsigned char *tbs, size_t tbslen)
1186
{
1187
    int rc;
1188
    union {
1189
        struct {
1190
            unsigned char sig[64];
1191
            unsigned char priv[32];
1192
        } ed25519;
1193
        unsigned long long buff[512];
1194
    } param;
1195
1196
    memset(&param, 0, sizeof(param));
1197
    memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));
1198
1199
    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, &param.ed25519, tbs, tbslen);
1200
    OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
1201
    if (rc != 0)
1202
        return 0;
1203
1204
    s390x_flip_endian32(sig, param.ed25519.sig);
1205
    s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
1206
    return 1;
1207
}
1208
1209
static int s390x_ed448_digestsign(const ECX_KEY *edkey, unsigned char *sig,
1210
                                  const unsigned char *tbs, size_t tbslen)
1211
{
1212
    int rc;
1213
    union {
1214
        struct {
1215
            unsigned char sig[128];
1216
            unsigned char priv[64];
1217
        } ed448;
1218
        unsigned long long buff[512];
1219
    } param;
1220
1221
    memset(&param, 0, sizeof(param));
1222
    memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);
1223
1224
    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, &param.ed448, tbs, tbslen);
1225
    OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
1226
    if (rc != 0)
1227
        return 0;
1228
1229
    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
1230
    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
1231
    memcpy(sig, param.ed448.sig, 57);
1232
    memcpy(sig + 57, param.ed448.sig + 64, 57);
1233
    return 1;
1234
}
1235
1236
static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
1237
                                      const unsigned char *sig,
1238
                                      const unsigned char *tbs, size_t tbslen)
1239
{
1240
    union {
1241
        struct {
1242
            unsigned char sig[64];
1243
            unsigned char pub[32];
1244
        } ed25519;
1245
        unsigned long long buff[512];
1246
    } param;
1247
1248
    memset(&param, 0, sizeof(param));
1249
    s390x_flip_endian32(param.ed25519.sig, sig);
1250
    s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
1251
    s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);
1252
1253
    return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
1254
                      &param.ed25519, tbs, tbslen) == 0 ? 1 : 0;
1255
}
1256
1257
static int s390x_ed448_digestverify(const ECX_KEY *edkey,
1258
                                    const unsigned char *sig,
1259
                                    const unsigned char *tbs,
1260
                                    size_t tbslen)
1261
{
1262
    union {
1263
        struct {
1264
            unsigned char sig[128];
1265
            unsigned char pub[64];
1266
        } ed448;
1267
        unsigned long long buff[512];
1268
    } param;
1269
1270
    memset(&param, 0, sizeof(param));
1271
    memcpy(param.ed448.sig, sig, 57);
1272
    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
1273
    memcpy(param.ed448.sig + 64, sig + 57, 57);
1274
    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
1275
    memcpy(param.ed448.pub, edkey->pubkey, 57);
1276
    s390x_flip_endian64(param.ed448.pub, param.ed448.pub);
1277
1278
    return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
1279
                      &param.ed448, tbs, tbslen) == 0 ? 1 : 0;
1280
}
1281
1282
#endif /* S390X_EC_ASM */