/src/openssl30/providers/implementations/signature/eddsa_sig.c

Source
/*
 * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/crypto.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/err.h>
#include <openssl/params.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/proverr.h>
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/der_ecx.h"
#include "crypto/ecx.h"

#ifdef S390X_EC_ASM
#include "s390x_arch.h"

#define S390X_CAN_SIGN(edtype)                                                    \
    ((OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_##edtype))   \
        && (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_##edtype)) \
        && (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_##edtype)))

static int s390x_ed25519_digestsign(const ECX_KEY *edkey, unsigned char *sig,
    const unsigned char *tbs, size_t tbslen);
static int s390x_ed448_digestsign(const ECX_KEY *edkey, unsigned char *sig,
    const unsigned char *tbs, size_t tbslen);
static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
    const unsigned char *sig,
    const unsigned char *tbs, size_t tbslen);
static int s390x_ed448_digestverify(const ECX_KEY *edkey,
    const unsigned char *sig,
    const unsigned char *tbs, size_t tbslen);

#endif /* S390X_EC_ASM */

static OSSL_FUNC_signature_newctx_fn eddsa_newctx;
static OSSL_FUNC_signature_digest_sign_init_fn eddsa_digest_signverify_init;
static OSSL_FUNC_signature_digest_sign_fn ed25519_digest_sign;
static OSSL_FUNC_signature_digest_sign_fn ed448_digest_sign;
static OSSL_FUNC_signature_digest_verify_fn ed25519_digest_verify;
static OSSL_FUNC_signature_digest_verify_fn ed448_digest_verify;
static OSSL_FUNC_signature_freectx_fn eddsa_freectx;
static OSSL_FUNC_signature_dupctx_fn eddsa_dupctx;
static OSSL_FUNC_signature_get_ctx_params_fn eddsa_get_ctx_params;
static OSSL_FUNC_signature_gettable_ctx_params_fn eddsa_gettable_ctx_params;

typedef struct {
    OSSL_LIB_CTX *libctx;
    ECX_KEY *key;

    /* The Algorithm Identifier of the signature algorithm */
    unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
    unsigned char *aid;
    size_t aid_len;
} PROV_EDDSA_CTX;

static void *eddsa_newctx(void *provctx, const char *propq_unused)
{
    PROV_EDDSA_CTX *peddsactx;

    if (!ossl_prov_is_running())
        return NULL;

    peddsactx = OPENSSL_zalloc(sizeof(PROV_EDDSA_CTX));
    if (peddsactx == NULL) {
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
        return NULL;
    }

    peddsactx->libctx = PROV_LIBCTX_OF(provctx);

    return peddsactx;
}

static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
    void *vedkey,
    ossl_unused const OSSL_PARAM params[])
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    ECX_KEY *edkey = (ECX_KEY *)vedkey;
    WPACKET pkt;
    int ret;

    if (!ossl_prov_is_running())
        return 0;

    if (mdname != NULL && mdname[0] != '\0') {
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
        return 0;
    }

    if (edkey == NULL) {
        if (peddsactx->key != NULL)
            /* there is nothing to do on reinit */
            return 1;
        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
        return 0;
    }

    if (!ossl_ecx_key_up_ref(edkey)) {
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /*
     * We do not care about DER writing errors.
     * All it really means is that for some reason, there's no
     * AlgorithmIdentifier to be had, but the operation itself is
     * still valid, just as long as it's not used to construct
     * anything that needs an AlgorithmIdentifier.
     */
    peddsactx->aid_len = 0;
    ret = WPACKET_init_der(&pkt, peddsactx->aid_buf, sizeof(peddsactx->aid_buf));
    switch (edkey->type) {
    case ECX_KEY_TYPE_ED25519:
        ret = ret && ossl_DER_w_algorithmIdentifier_ED25519(&pkt, -1, edkey);
        break;
    case ECX_KEY_TYPE_ED448:
        ret = ret && ossl_DER_w_algorithmIdentifier_ED448(&pkt, -1, edkey);
        break;
    default:
        /* Should never happen */
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
        ossl_ecx_key_free(edkey);
        WPACKET_cleanup(&pkt);
        return 0;
    }
    if (ret && WPACKET_finish(&pkt)) {
        WPACKET_get_total_written(&pkt, &peddsactx->aid_len);
        peddsactx->aid = WPACKET_get_curr(&pkt);
    }
    WPACKET_cleanup(&pkt);

    peddsactx->key = edkey;

    return 1;
}

int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret,
    size_t *siglen, size_t sigsize,
    const unsigned char *tbs, size_t tbslen)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    const ECX_KEY *edkey = peddsactx->key;

    if (!ossl_prov_is_running())
        return 0;

    if (sigret == NULL) {
        *siglen = ED25519_SIGSIZE;
        return 1;
    }
    if (sigsize < ED25519_SIGSIZE) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }
    if (edkey->privkey == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
        return 0;
    }
#ifdef S390X_EC_ASM
    if (S390X_CAN_SIGN(ED25519)) {
        if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
            return 0;
        }
        *siglen = ED25519_SIGSIZE;
        return 1;
    }
#endif /* S390X_EC_ASM */
    if (ossl_ed25519_sign(sigret, tbs, tbslen, edkey->pubkey, edkey->privkey,
            peddsactx->libctx, NULL)
        == 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
        return 0;
    }
    *siglen = ED25519_SIGSIZE;
    return 1;
}

int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret,
    size_t *siglen, size_t sigsize,
    const unsigned char *tbs, size_t tbslen)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    const ECX_KEY *edkey = peddsactx->key;

    if (!ossl_prov_is_running())
        return 0;

    if (sigret == NULL) {
        *siglen = ED448_SIGSIZE;
        return 1;
    }
    if (sigsize < ED448_SIGSIZE) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }
    if (edkey->privkey == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
        return 0;
    }
#ifdef S390X_EC_ASM
    if (S390X_CAN_SIGN(ED448)) {
        if (s390x_ed448_digestsign(edkey, sigret, tbs, tbslen) == 0) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
            return 0;
        }
        *siglen = ED448_SIGSIZE;
        return 1;
    }
#endif /* S390X_EC_ASM */
    if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen, edkey->pubkey,
            edkey->privkey, NULL, 0, edkey->propq)
        == 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
        return 0;
    }
    *siglen = ED448_SIGSIZE;
    return 1;
}

int ed25519_digest_verify(void *vpeddsactx, const unsigned char *sig,
    size_t siglen, const unsigned char *tbs,
    size_t tbslen)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    const ECX_KEY *edkey = peddsactx->key;

    if (!ossl_prov_is_running() || siglen != ED25519_SIGSIZE)
        return 0;

#ifdef S390X_EC_ASM
    if (S390X_CAN_SIGN(ED25519))
        return s390x_ed25519_digestverify(edkey, sig, tbs, tbslen);
#endif /* S390X_EC_ASM */

    return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey,
        peddsactx->libctx, edkey->propq);
}

int ed448_digest_verify(void *vpeddsactx, const unsigned char *sig,
    size_t siglen, const unsigned char *tbs,
    size_t tbslen)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    const ECX_KEY *edkey = peddsactx->key;

    if (!ossl_prov_is_running() || siglen != ED448_SIGSIZE)
        return 0;

#ifdef S390X_EC_ASM
    if (S390X_CAN_SIGN(ED448))
        return s390x_ed448_digestverify(edkey, sig, tbs, tbslen);
#endif /* S390X_EC_ASM */

    return ossl_ed448_verify(peddsactx->libctx, tbs, tbslen, sig, edkey->pubkey,
        NULL, 0, edkey->propq);
}

static void eddsa_freectx(void *vpeddsactx)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;

    ossl_ecx_key_free(peddsactx->key);

    OPENSSL_free(peddsactx);
}

static void *eddsa_dupctx(void *vpeddsactx)
{
    PROV_EDDSA_CTX *srcctx = (PROV_EDDSA_CTX *)vpeddsactx;
    PROV_EDDSA_CTX *dstctx;

    if (!ossl_prov_is_running())
        return NULL;

    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    if (dstctx == NULL)
        return NULL;

    *dstctx = *srcctx;
    dstctx->key = NULL;

    if (srcctx->key != NULL && !ossl_ecx_key_up_ref(srcctx->key)) {
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    dstctx->key = srcctx->key;

    return dstctx;
err:
    eddsa_freectx(dstctx);
    return NULL;
}

static int eddsa_get_ctx_params(void *vpeddsactx, OSSL_PARAM *params)
{
    PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
    OSSL_PARAM *p;

    if (peddsactx == NULL)
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
    if (p != NULL && !OSSL_PARAM_set_octet_string(p, peddsactx->aid, peddsactx->aid_len))
        return 0;

    return 1;
}

static const OSSL_PARAM known_gettable_ctx_params[] = {
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
    OSSL_PARAM_END
};

static const OSSL_PARAM *eddsa_gettable_ctx_params(ossl_unused void *vpeddsactx,
    ossl_unused void *provctx)
{
    return known_gettable_ctx_params;
}

const OSSL_DISPATCH ossl_ed25519_signature_functions[] = {
    { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
        (void (*)(void))eddsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN,
        (void (*)(void))ed25519_digest_sign },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
        (void (*)(void))eddsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,
        (void (*)(void))ed25519_digest_verify },
    { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx },
    { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
        (void (*)(void))eddsa_gettable_ctx_params },
    { 0, NULL }
};

const OSSL_DISPATCH ossl_ed448_signature_functions[] = {
    { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
        (void (*)(void))eddsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN,
        (void (*)(void))ed448_digest_sign },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
        (void (*)(void))eddsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,
        (void (*)(void))ed448_digest_verify },
    { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx },
    { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
        (void (*)(void))eddsa_gettable_ctx_params },
    { 0, NULL }
};

#ifdef S390X_EC_ASM

static int s390x_ed25519_digestsign(const ECX_KEY *edkey, unsigned char *sig,
    const unsigned char *tbs, size_t tbslen)
{
    int rc;
    union {
        struct {
            unsigned char sig[64];
            unsigned char priv[32];
        } ed25519;
        unsigned long long buff[512];
    } param;

    memset(&param, 0, sizeof(param));
    memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));

    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, &param.ed25519, tbs, tbslen);
    OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
    if (rc != 0)
        return 0;

    s390x_flip_endian32(sig, param.ed25519.sig);
    s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
    return 1;
}

static int s390x_ed448_digestsign(const ECX_KEY *edkey, unsigned char *sig,
    const unsigned char *tbs, size_t tbslen)
{
    int rc;
    union {
        struct {
            unsigned char sig[128];
            unsigned char priv[64];
        } ed448;
        unsigned long long buff[512];
    } param;

    memset(&param, 0, sizeof(param));
    memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);

    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, &param.ed448, tbs, tbslen);
    OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
    if (rc != 0)
        return 0;

    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
    memcpy(sig, param.ed448.sig, 57);
    memcpy(sig + 57, param.ed448.sig + 64, 57);
    return 1;
}

static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
    const unsigned char *sig,
    const unsigned char *tbs, size_t tbslen)
{
    union {
        struct {
            unsigned char sig[64];
            unsigned char pub[32];
        } ed25519;
        unsigned long long buff[512];
    } param;

    memset(&param, 0, sizeof(param));
    s390x_flip_endian32(param.ed25519.sig, sig);
    s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
    s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);

    return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
               &param.ed25519, tbs, tbslen)
            == 0
        ? 1
        : 0;
}

static int s390x_ed448_digestverify(const ECX_KEY *edkey,
    const unsigned char *sig,
    const unsigned char *tbs,
    size_t tbslen)
{
    union {
        struct {
            unsigned char sig[128];
            unsigned char pub[64];
        } ed448;
        unsigned long long buff[512];
    } param;

    memset(&param, 0, sizeof(param));
    memcpy(param.ed448.sig, sig, 57);
    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
    memcpy(param.ed448.sig + 64, sig + 57, 57);
    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
    memcpy(param.ed448.pub, edkey->pubkey, 57);
    s390x_flip_endian64(param.ed448.pub, param.ed448.pub);

    return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
               &param.ed448, tbs, tbslen)
            == 0
        ? 1
        : 0;
}

#endif /* S390X_EC_ASM */

Coverage Report

Created: 2025-12-31 06:58

Line	Count	Source
1		/*
2		* Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <openssl/crypto.h>
11		#include <openssl/core_dispatch.h>
12		#include <openssl/core_names.h>
13		#include <openssl/err.h>
14		#include <openssl/params.h>
15		#include <openssl/evp.h>
16		#include <openssl/err.h>
17		#include <openssl/proverr.h>
18		#include "internal/nelem.h"
19		#include "internal/sizes.h"
20		#include "prov/providercommon.h"
21		#include "prov/implementations.h"
22		#include "prov/provider_ctx.h"
23		#include "prov/der_ecx.h"
24		#include "crypto/ecx.h"
25
26		#ifdef S390X_EC_ASM
27		#include "s390x_arch.h"
28
29		#define S390X_CAN_SIGN(edtype) \
30		((OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_##edtype)) \
31		&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_##edtype)) \
32		&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_##edtype)))
33
34		static int s390x_ed25519_digestsign(const ECX_KEY edkey, unsigned char sig,
35		const unsigned char *tbs, size_t tbslen);
36		static int s390x_ed448_digestsign(const ECX_KEY edkey, unsigned char sig,
37		const unsigned char *tbs, size_t tbslen);
38		static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
39		const unsigned char *sig,
40		const unsigned char *tbs, size_t tbslen);
41		static int s390x_ed448_digestverify(const ECX_KEY *edkey,
42		const unsigned char *sig,
43		const unsigned char *tbs, size_t tbslen);
44
45		#endif /* S390X_EC_ASM */
46
47		static OSSL_FUNC_signature_newctx_fn eddsa_newctx;
48		static OSSL_FUNC_signature_digest_sign_init_fn eddsa_digest_signverify_init;
49		static OSSL_FUNC_signature_digest_sign_fn ed25519_digest_sign;
50		static OSSL_FUNC_signature_digest_sign_fn ed448_digest_sign;
51		static OSSL_FUNC_signature_digest_verify_fn ed25519_digest_verify;
52		static OSSL_FUNC_signature_digest_verify_fn ed448_digest_verify;
53		static OSSL_FUNC_signature_freectx_fn eddsa_freectx;
54		static OSSL_FUNC_signature_dupctx_fn eddsa_dupctx;
55		static OSSL_FUNC_signature_get_ctx_params_fn eddsa_get_ctx_params;
56		static OSSL_FUNC_signature_gettable_ctx_params_fn eddsa_gettable_ctx_params;
57
58		typedef struct {
59		OSSL_LIB_CTX *libctx;
60		ECX_KEY *key;
61
62		/* The Algorithm Identifier of the signature algorithm */
63		unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
64		unsigned char *aid;
65		size_t aid_len;
66		} PROV_EDDSA_CTX;
67
68		static void eddsa_newctx(void provctx, const char *propq_unused)
69	192	{
70	192	PROV_EDDSA_CTX *peddsactx;
71
72	192	if (!ossl_prov_is_running())
73	0	return NULL;
74
75	192	peddsactx = OPENSSL_zalloc(sizeof(PROV_EDDSA_CTX));
76	192	if (peddsactx == NULL) {
77	0	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
78	0	return NULL;
79	0	}
80
81	192	peddsactx->libctx = PROV_LIBCTX_OF(provctx);
82
83	192	return peddsactx;
84	192	}
85
86		static int eddsa_digest_signverify_init(void vpeddsactx, const char mdname,
87		void *vedkey,
88		ossl_unused const OSSL_PARAM params[])
89	192	{
90	192	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
91	192	ECX_KEY edkey = (ECX_KEY )vedkey;
92	192	WPACKET pkt;
93	192	int ret;
94
95	192	if (!ossl_prov_is_running())
96	0	return 0;
97
98	192	if (mdname != NULL && mdname[0] != '\0') {
99	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
100	0	return 0;
101	0	}
102
103	192	if (edkey == NULL) {
104	0	if (peddsactx->key != NULL)
105		/* there is nothing to do on reinit */
106	0	return 1;
107	0	ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
108	0	return 0;
109	0	}
110
111	192	if (!ossl_ecx_key_up_ref(edkey)) {
112	0	ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
113	0	return 0;
114	0	}
115
116		/*
117		* We do not care about DER writing errors.
118		* All it really means is that for some reason, there's no
119		* AlgorithmIdentifier to be had, but the operation itself is
120		* still valid, just as long as it's not used to construct
121		* anything that needs an AlgorithmIdentifier.
122		*/
123	192	peddsactx->aid_len = 0;
124	192	ret = WPACKET_init_der(&pkt, peddsactx->aid_buf, sizeof(peddsactx->aid_buf));
125	192	switch (edkey->type) {
126	139	case ECX_KEY_TYPE_ED25519:
127	139	ret = ret && ossl_DER_w_algorithmIdentifier_ED25519(&pkt, -1, edkey);
128	139	break;
129	53	case ECX_KEY_TYPE_ED448:
130	53	ret = ret && ossl_DER_w_algorithmIdentifier_ED448(&pkt, -1, edkey);
131	53	break;
132	0	default:
133		/* Should never happen */
134	0	ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
135	0	ossl_ecx_key_free(edkey);
136	0	WPACKET_cleanup(&pkt);
137	0	return 0;
138	192	}
139	192	if (ret && WPACKET_finish(&pkt)) {
140	192	WPACKET_get_total_written(&pkt, &peddsactx->aid_len);
141	192	peddsactx->aid = WPACKET_get_curr(&pkt);
142	192	}
143	192	WPACKET_cleanup(&pkt);
144
145	192	peddsactx->key = edkey;
146
147	192	return 1;
148	192	}
149
150		int ed25519_digest_sign(void vpeddsactx, unsigned char sigret,
151		size_t *siglen, size_t sigsize,
152		const unsigned char *tbs, size_t tbslen)
153	0	{
154	0	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
155	0	const ECX_KEY *edkey = peddsactx->key;
156
157	0	if (!ossl_prov_is_running())
158	0	return 0;
159
160	0	if (sigret == NULL) {
161	0	*siglen = ED25519_SIGSIZE;
162	0	return 1;
163	0	}
164	0	if (sigsize < ED25519_SIGSIZE) {
165	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
166	0	return 0;
167	0	}
168	0	if (edkey->privkey == NULL) {
169	0	ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
170	0	return 0;
171	0	}
172		#ifdef S390X_EC_ASM
173		if (S390X_CAN_SIGN(ED25519)) {
174		if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) {
175		ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
176		return 0;
177		}
178		*siglen = ED25519_SIGSIZE;
179		return 1;
180		}
181		#endif /* S390X_EC_ASM */
182	0	if (ossl_ed25519_sign(sigret, tbs, tbslen, edkey->pubkey, edkey->privkey,
183	0	peddsactx->libctx, NULL)
184	0	== 0) {
185	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
186	0	return 0;
187	0	}
188	0	*siglen = ED25519_SIGSIZE;
189	0	return 1;
190	0	}
191
192		int ed448_digest_sign(void vpeddsactx, unsigned char sigret,
193		size_t *siglen, size_t sigsize,
194		const unsigned char *tbs, size_t tbslen)
195	0	{
196	0	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
197	0	const ECX_KEY *edkey = peddsactx->key;
198
199	0	if (!ossl_prov_is_running())
200	0	return 0;
201
202	0	if (sigret == NULL) {
203	0	*siglen = ED448_SIGSIZE;
204	0	return 1;
205	0	}
206	0	if (sigsize < ED448_SIGSIZE) {
207	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
208	0	return 0;
209	0	}
210	0	if (edkey->privkey == NULL) {
211	0	ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
212	0	return 0;
213	0	}
214		#ifdef S390X_EC_ASM
215		if (S390X_CAN_SIGN(ED448)) {
216		if (s390x_ed448_digestsign(edkey, sigret, tbs, tbslen) == 0) {
217		ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
218		return 0;
219		}
220		*siglen = ED448_SIGSIZE;
221		return 1;
222		}
223		#endif /* S390X_EC_ASM */
224	0	if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen, edkey->pubkey,
225	0	edkey->privkey, NULL, 0, edkey->propq)
226	0	== 0) {
227	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
228	0	return 0;
229	0	}
230	0	*siglen = ED448_SIGSIZE;
231	0	return 1;
232	0	}
233
234		int ed25519_digest_verify(void vpeddsactx, const unsigned char sig,
235		size_t siglen, const unsigned char *tbs,
236		size_t tbslen)
237	139	{
238	139	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
239	139	const ECX_KEY *edkey = peddsactx->key;
240
241	139	if (!ossl_prov_is_running() \|\| siglen != ED25519_SIGSIZE)
242	2	return 0;
243
244		#ifdef S390X_EC_ASM
245		if (S390X_CAN_SIGN(ED25519))
246		return s390x_ed25519_digestverify(edkey, sig, tbs, tbslen);
247		#endif /* S390X_EC_ASM */
248
249	137	return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey,
250	137	peddsactx->libctx, edkey->propq);
251	139	}
252
253		int ed448_digest_verify(void vpeddsactx, const unsigned char sig,
254		size_t siglen, const unsigned char *tbs,
255		size_t tbslen)
256	53	{
257	53	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
258	53	const ECX_KEY *edkey = peddsactx->key;
259
260	53	if (!ossl_prov_is_running() \|\| siglen != ED448_SIGSIZE)
261	8	return 0;
262
263		#ifdef S390X_EC_ASM
264		if (S390X_CAN_SIGN(ED448))
265		return s390x_ed448_digestverify(edkey, sig, tbs, tbslen);
266		#endif /* S390X_EC_ASM */
267
268	45	return ossl_ed448_verify(peddsactx->libctx, tbs, tbslen, sig, edkey->pubkey,
269	45	NULL, 0, edkey->propq);
270	53	}
271
272		static void eddsa_freectx(void *vpeddsactx)
273	192	{
274	192	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
275
276	192	ossl_ecx_key_free(peddsactx->key);
277
278	192	OPENSSL_free(peddsactx);
279	192	}
280
281		static void eddsa_dupctx(void vpeddsactx)
282	0	{
283	0	PROV_EDDSA_CTX srcctx = (PROV_EDDSA_CTX )vpeddsactx;
284	0	PROV_EDDSA_CTX *dstctx;
285
286	0	if (!ossl_prov_is_running())
287	0	return NULL;
288
289	0	dstctx = OPENSSL_zalloc(sizeof(*srcctx));
290	0	if (dstctx == NULL)
291	0	return NULL;
292
293	0	dstctx = srcctx;
294	0	dstctx->key = NULL;
295
296	0	if (srcctx->key != NULL && !ossl_ecx_key_up_ref(srcctx->key)) {
297	0	ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
298	0	goto err;
299	0	}
300	0	dstctx->key = srcctx->key;
301
302	0	return dstctx;
303	0	err:
304	0	eddsa_freectx(dstctx);
305	0	return NULL;
306	0	}
307
308		static int eddsa_get_ctx_params(void vpeddsactx, OSSL_PARAM params)
309	0	{
310	0	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
311	0	OSSL_PARAM *p;
312
313	0	if (peddsactx == NULL)
314	0	return 0;
315
316	0	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
317	0	if (p != NULL && !OSSL_PARAM_set_octet_string(p, peddsactx->aid, peddsactx->aid_len))
318	0	return 0;
319
320	0	return 1;
321	0	}
322
323		static const OSSL_PARAM known_gettable_ctx_params[] = {
324		OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
325		OSSL_PARAM_END
326		};
327
328		static const OSSL_PARAM eddsa_gettable_ctx_params(ossl_unused void vpeddsactx,
329		ossl_unused void *provctx)
330	0	{
331	0	return known_gettable_ctx_params;
332	0	}
333
334		const OSSL_DISPATCH ossl_ed25519_signature_functions[] = {
335		{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },
336		{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
337		(void (*)(void))eddsa_digest_signverify_init },
338		{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN,
339		(void (*)(void))ed25519_digest_sign },
340		{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
341		(void (*)(void))eddsa_digest_signverify_init },
342		{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,
343		(void (*)(void))ed25519_digest_verify },
344		{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx },
345		{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },
346		{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
347		{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
348		(void (*)(void))eddsa_gettable_ctx_params },
349		{ 0, NULL }
350		};
351
352		const OSSL_DISPATCH ossl_ed448_signature_functions[] = {
353		{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },
354		{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
355		(void (*)(void))eddsa_digest_signverify_init },
356		{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN,
357		(void (*)(void))ed448_digest_sign },
358		{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
359		(void (*)(void))eddsa_digest_signverify_init },
360		{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,
361		(void (*)(void))ed448_digest_verify },
362		{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx },
363		{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },
364		{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
365		{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
366		(void (*)(void))eddsa_gettable_ctx_params },
367		{ 0, NULL }
368		};
369
370		#ifdef S390X_EC_ASM
371
372		static int s390x_ed25519_digestsign(const ECX_KEY edkey, unsigned char sig,
373		const unsigned char *tbs, size_t tbslen)
374		{
375		int rc;
376		union {
377		struct {
378		unsigned char sig[64];
379		unsigned char priv[32];
380		} ed25519;
381		unsigned long long buff[512];
382		} param;
383
384		memset(&param, 0, sizeof(param));
385		memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));
386
387		rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, &param.ed25519, tbs, tbslen);
388		OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
389		if (rc != 0)
390		return 0;
391
392		s390x_flip_endian32(sig, param.ed25519.sig);
393		s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
394		return 1;
395		}
396
397		static int s390x_ed448_digestsign(const ECX_KEY edkey, unsigned char sig,
398		const unsigned char *tbs, size_t tbslen)
399		{
400		int rc;
401		union {
402		struct {
403		unsigned char sig[128];
404		unsigned char priv[64];
405		} ed448;
406		unsigned long long buff[512];
407		} param;
408
409		memset(&param, 0, sizeof(param));
410		memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);
411
412		rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, &param.ed448, tbs, tbslen);
413		OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
414		if (rc != 0)
415		return 0;
416
417		s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
418		s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
419		memcpy(sig, param.ed448.sig, 57);
420		memcpy(sig + 57, param.ed448.sig + 64, 57);
421		return 1;
422		}
423
424		static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
425		const unsigned char *sig,
426		const unsigned char *tbs, size_t tbslen)
427		{
428		union {
429		struct {
430		unsigned char sig[64];
431		unsigned char pub[32];
432		} ed25519;
433		unsigned long long buff[512];
434		} param;
435
436		memset(&param, 0, sizeof(param));
437		s390x_flip_endian32(param.ed25519.sig, sig);
438		s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
439		s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);
440
441		return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
442		&param.ed25519, tbs, tbslen)
443		== 0
444		? 1
445		: 0;
446		}
447
448		static int s390x_ed448_digestverify(const ECX_KEY *edkey,
449		const unsigned char *sig,
450		const unsigned char *tbs,
451		size_t tbslen)
452		{
453		union {
454		struct {
455		unsigned char sig[128];
456		unsigned char pub[64];
457		} ed448;
458		unsigned long long buff[512];
459		} param;
460
461		memset(&param, 0, sizeof(param));
462		memcpy(param.ed448.sig, sig, 57);
463		s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
464		memcpy(param.ed448.sig + 64, sig + 57, 57);
465		s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
466		memcpy(param.ed448.pub, edkey->pubkey, 57);
467		s390x_flip_endian64(param.ed448.pub, param.ed448.pub);
468
469		return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
470		&param.ed448, tbs, tbslen)
471		== 0
472		? 1
473		: 0;
474		}
475
476		#endif /* S390X_EC_ASM */