/src/openssl/crypto/slh_dsa/slh_dsa.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | #include <stddef.h> |
10 | | #include <string.h> |
11 | | #include <openssl/err.h> |
12 | | #include <openssl/proverr.h> |
13 | | #include "slh_dsa_local.h" |
14 | | #include "slh_dsa_key.h" |
15 | | |
16 | | #define SLH_MAX_M 49 /* See slh_params.c */ |
17 | | /* The size of md is (21..40 bytes) - since a is in bits round up to nearest byte */ |
18 | 0 | #define MD_LEN(params) (((params)->k * (params)->a + 7) >> 3) |
19 | | |
20 | | static int get_tree_ids(PACKET *pkt, const SLH_DSA_PARAMS *params, |
21 | | uint64_t *tree_id, uint32_t *leaf_id); |
22 | | |
23 | | /** |
24 | | * @brief SLH-DSA Signature generation |
25 | | * See FIPS 205 Section 9.2 Algorithm 19 |
26 | | * |
27 | | * A signature consists of |
28 | | * r[n] random bytes |
29 | | * [k]*[1+a][n] FORS signature bytes |
30 | | * [h + d*len][n] Hyper tree signature bytes |
31 | | * |
32 | | * @param ctx Contains SLH_DSA algorithm functions and constants, and the |
33 | | * private SLH_DSA key to use for signing. |
34 | | * @param msg The message to sign. This may be encoded beforehand. |
35 | | * @param msg_len The size of |msg| |
36 | | * @param sig The returned signature |
37 | | * @param sig_len The size of the returned |sig| |
38 | | * @param sig_size The maximum size of |sig| |
39 | | * @param opt_rand An optional random value to use of size |n|. It can be NULL. |
40 | | * @returns 1 if the signature generation succeeded or 0 otherwise. |
41 | | */ |
42 | | static int slh_sign_internal(SLH_DSA_HASH_CTX *hctx, |
43 | | const uint8_t *msg, size_t msg_len, |
44 | | uint8_t *sig, size_t *sig_len, size_t sig_size, |
45 | | const uint8_t *opt_rand) |
46 | 0 | { |
47 | 0 | int ret = 0; |
48 | 0 | const SLH_DSA_KEY *priv = hctx->key; |
49 | 0 | const SLH_DSA_PARAMS *params = priv->params; |
50 | 0 | size_t sig_len_expected = params->sig_len; |
51 | 0 | uint8_t m_digest[SLH_MAX_M]; |
52 | 0 | const uint8_t *md; /* The first md_len bytes of m_digest */ |
53 | 0 | size_t md_len = MD_LEN(params); /* The size of the digest |md| */ |
54 | | /* Points to |m_digest| buffer, it is also reused to point to |sig_fors| */ |
55 | 0 | PACKET r_packet, *rpkt = &r_packet; |
56 | 0 | uint8_t *r, *sig_fors; /* Pointers into buffer inside |wpkt| */ |
57 | 0 | WPACKET w_packet, *wpkt = &w_packet; /* Points to output |sig| buffer */ |
58 | 0 | const uint8_t *pk_seed, *sk_seed; /* pointers to elements within |priv| */ |
59 | 0 | uint8_t pk_fors[SLH_MAX_N]; |
60 | 0 | uint64_t tree_id; |
61 | 0 | uint32_t leaf_id; |
62 | |
|
63 | 0 | SLH_ADRS_DECLARE(adrs); |
64 | 0 | SLH_HASH_FUNC_DECLARE(priv, hashf); |
65 | 0 | SLH_ADRS_FUNC_DECLARE(priv, adrsf); |
66 | |
|
67 | 0 | if (sig == NULL) { |
68 | 0 | *sig_len = sig_len_expected; |
69 | 0 | return 1; |
70 | 0 | } |
71 | | |
72 | 0 | if (sig_size < sig_len_expected) { |
73 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE, |
74 | 0 | "is %zu, should be at least %zu", sig_size, sig_len_expected); |
75 | 0 | return 0; |
76 | 0 | } |
77 | | /* Exit if private key is not set */ |
78 | 0 | if (priv->has_priv == 0) { |
79 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); |
80 | 0 | return 0; |
81 | 0 | } |
82 | | |
83 | 0 | if (!WPACKET_init_static_len(wpkt, sig, sig_len_expected, 0)) |
84 | 0 | return 0; |
85 | 0 | if (!PACKET_buf_init(rpkt, m_digest, params->m)) |
86 | 0 | return 0; |
87 | | |
88 | 0 | pk_seed = SLH_DSA_PK_SEED(priv); |
89 | 0 | sk_seed = SLH_DSA_SK_SEED(priv); |
90 | |
|
91 | 0 | if (opt_rand == NULL) |
92 | 0 | opt_rand = pk_seed; |
93 | |
|
94 | 0 | adrsf->zero(adrs); |
95 | | /* calculate Randomness value r, and output to the SLH-DSA signature */ |
96 | 0 | r = WPACKET_get_curr(wpkt); |
97 | 0 | if (!hashf->PRF_MSG(hctx, SLH_DSA_SK_PRF(priv), opt_rand, msg, msg_len, wpkt) |
98 | | /* generate a digest of size |params->m| bytes where m is (30..49) */ |
99 | 0 | || !hashf->H_MSG(hctx, r, pk_seed, SLH_DSA_PK_ROOT(priv), msg, msg_len, |
100 | 0 | m_digest, sizeof(m_digest)) |
101 | | /* Grab the first md_len bytes of m_digest to use in fors_sign() */ |
102 | 0 | || !PACKET_get_bytes(rpkt, &md, md_len) |
103 | | /* Grab remaining bytes from m_digest to select tree and leaf id's */ |
104 | 0 | || !get_tree_ids(rpkt, params, &tree_id, &leaf_id)) |
105 | 0 | goto err; |
106 | | |
107 | 0 | adrsf->set_tree_address(adrs, tree_id); |
108 | 0 | adrsf->set_type_and_clear(adrs, SLH_ADRS_TYPE_FORS_TREE); |
109 | 0 | adrsf->set_keypair_address(adrs, leaf_id); |
110 | |
|
111 | 0 | sig_fors = WPACKET_get_curr(wpkt); |
112 | | /* generate the FORS signature and append it to the SLH-DSA signature */ |
113 | 0 | ret = ossl_slh_fors_sign(hctx, md, sk_seed, pk_seed, adrs, wpkt) |
114 | | /* Reuse rpkt to point to the FORS signature that was just generated */ |
115 | 0 | && PACKET_buf_init(rpkt, sig_fors, WPACKET_get_curr(wpkt) - sig_fors) |
116 | | /* Calculate the FORS public key using the generated FORS signature */ |
117 | 0 | && ossl_slh_fors_pk_from_sig(hctx, rpkt, md, pk_seed, adrs, |
118 | 0 | pk_fors, sizeof(pk_fors)) |
119 | | /* Generate ht signature and append to the SLH-DSA signature */ |
120 | 0 | && ossl_slh_ht_sign(hctx, pk_fors, sk_seed, pk_seed, tree_id, leaf_id, |
121 | 0 | wpkt); |
122 | 0 | *sig_len = sig_len_expected; |
123 | 0 | ret = 1; |
124 | 0 | err: |
125 | 0 | if (!WPACKET_finish(wpkt)) |
126 | 0 | ret = 0; |
127 | 0 | return ret; |
128 | 0 | } |
129 | | |
130 | | /** |
131 | | * @brief SLH-DSA Signature verification |
132 | | * See FIPS 205 Section 9.3 Algorithm 20 |
133 | | * |
134 | | * A signature consists of |
135 | | * r[n] random bytes |
136 | | * [k]*[1+a][n] FORS signature bytes |
137 | | * [h + d*len][n] Hyper tree signature bytes |
138 | | * |
139 | | * @param hctx Contains SLH_DSA algorithm functions and constants and the |
140 | | * public SLH_DSA key to use for verification. |
141 | | * @param msg The message to verify. This may be encoded beforehand. |
142 | | * @param msg_len The size of |msg| |
143 | | * @param sig A signature to verify |
144 | | * @param sig_len The size of |sig| |
145 | | * @returns 1 if the signature verification succeeded or 0 otherwise. |
146 | | */ |
147 | | static int slh_verify_internal(SLH_DSA_HASH_CTX *hctx, |
148 | | const uint8_t *msg, size_t msg_len, |
149 | | const uint8_t *sig, size_t sig_len) |
150 | 0 | { |
151 | 0 | const SLH_DSA_KEY *pub = hctx->key; |
152 | 0 | SLH_HASH_FUNC_DECLARE(pub, hashf); |
153 | 0 | SLH_ADRS_FUNC_DECLARE(pub, adrsf); |
154 | 0 | SLH_ADRS_DECLARE(adrs); |
155 | 0 | const SLH_DSA_PARAMS *params = pub->params; |
156 | 0 | uint32_t n = params->n; |
157 | 0 | const uint8_t *pk_seed, *pk_root; /* Pointers to elements in |pub| */ |
158 | 0 | PACKET pkt, *sig_rpkt = &pkt; /* Points to the |sig| buffer */ |
159 | 0 | uint8_t m_digest[SLH_MAX_M]; |
160 | 0 | const uint8_t *md; /* This is a pointer into the buffer in m_digest_rpkt */ |
161 | 0 | size_t md_len = MD_LEN(params); /* 21..40 bytes */ |
162 | 0 | PACKET pkt2, *m_digest_rpkt = &pkt2; /* Points to m_digest buffer */ |
163 | 0 | const uint8_t *r; /* Pointer to |sig_rpkt| buffer */ |
164 | 0 | uint8_t pk_fors[SLH_MAX_N]; |
165 | 0 | uint64_t tree_id; |
166 | 0 | uint32_t leaf_id; |
167 | | |
168 | | /* Exit if public key is not set */ |
169 | 0 | if (pub->pub == NULL) { |
170 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); |
171 | 0 | return 0; |
172 | 0 | } |
173 | | |
174 | | /* Exit if signature is invalid size */ |
175 | 0 | if (sig_len != params->sig_len |
176 | 0 | || !PACKET_buf_init(sig_rpkt, sig, sig_len)) |
177 | 0 | return 0; |
178 | 0 | if (!PACKET_get_bytes(sig_rpkt, &r, n)) |
179 | 0 | return 0; |
180 | | |
181 | 0 | adrsf->zero(adrs); |
182 | |
|
183 | 0 | pk_seed = SLH_DSA_PK_SEED(pub); |
184 | 0 | pk_root = SLH_DSA_PK_ROOT(pub); |
185 | |
|
186 | 0 | if (!hashf->H_MSG(hctx, r, pk_seed, pk_root, msg, msg_len, |
187 | 0 | m_digest, sizeof(m_digest))) |
188 | 0 | return 0; |
189 | | |
190 | | /* |
191 | | * Get md (the first md_len bytes of m_digest to use in |
192 | | * ossl_slh_fors_pk_from_sig(), and then retrieve the tree id and leaf id |
193 | | * from the remaining bytes in m_digest. |
194 | | */ |
195 | 0 | if (!PACKET_buf_init(m_digest_rpkt, m_digest, sizeof(m_digest)) |
196 | 0 | || !PACKET_get_bytes(m_digest_rpkt, &md, md_len) |
197 | 0 | || !get_tree_ids(m_digest_rpkt, params, &tree_id, &leaf_id)) |
198 | 0 | return 0; |
199 | | |
200 | 0 | adrsf->set_tree_address(adrs, tree_id); |
201 | 0 | adrsf->set_type_and_clear(adrs, SLH_ADRS_TYPE_FORS_TREE); |
202 | 0 | adrsf->set_keypair_address(adrs, leaf_id); |
203 | 0 | return ossl_slh_fors_pk_from_sig(hctx, sig_rpkt, md, pk_seed, adrs, |
204 | 0 | pk_fors, sizeof(pk_fors)) |
205 | 0 | && ossl_slh_ht_verify(hctx, pk_fors, sig_rpkt, pk_seed, |
206 | 0 | tree_id, leaf_id, pk_root) |
207 | 0 | && PACKET_remaining(sig_rpkt) == 0; |
208 | 0 | } |
209 | | |
210 | | /** |
211 | | * @brief Encode a message |
212 | | * See FIPS 205 Algorithm 22 Step 8 (and algorithm 24 Step 4). |
213 | | * |
214 | | * SLH_DSA pure signatures are encoded as M' = 00 || ctx_len || ctx || msg |
215 | | * Where ctx is the empty string by default and ctx_len <= 255. |
216 | | * |
217 | | * @param msg A message to encode |
218 | | * @param msg_len The size of |msg| |
219 | | * @param ctx An optional context to add to the message encoding. |
220 | | * @param ctx_len The size of |ctx|. It must be in the range 0..255 |
221 | | * @param encode Use the Pure signature encoding if this is 1, and dont encode |
222 | | * if this value is 0. |
223 | | * @param tmp A small buffer that may be used if the message is small. |
224 | | * @param tmp_len The size of |tmp| |
225 | | * @param out_len The size of the returned encoded buffer. |
226 | | * @returns A buffer containing the encoded message. If the passed in |
227 | | * |tmp| buffer is big enough to hold the encoded message then it returns |tmp| |
228 | | * otherwise it allocates memory which must be freed by the caller. If |encode| |
229 | | * is 0 then it returns |msg|. NULL is returned if there is a failure. |
230 | | */ |
231 | | static uint8_t *msg_encode(const uint8_t *msg, size_t msg_len, |
232 | | const uint8_t *ctx, size_t ctx_len, int encode, |
233 | | uint8_t *tmp, size_t tmp_len, size_t *out_len) |
234 | 0 | { |
235 | 0 | uint8_t *encoded = NULL; |
236 | 0 | size_t encoded_len; |
237 | |
|
238 | 0 | if (encode == 0) { |
239 | | /* Raw message */ |
240 | 0 | *out_len = msg_len; |
241 | 0 | return (uint8_t *)msg; |
242 | 0 | } |
243 | 0 | if (ctx_len > SLH_DSA_MAX_CONTEXT_STRING_LEN) |
244 | 0 | return NULL; |
245 | | |
246 | | /* Pure encoding */ |
247 | 0 | encoded_len = 1 + 1 + ctx_len + msg_len; |
248 | 0 | *out_len = encoded_len; |
249 | 0 | if (encoded_len <= tmp_len) { |
250 | 0 | encoded = tmp; |
251 | 0 | } else { |
252 | 0 | encoded = OPENSSL_zalloc(encoded_len); |
253 | 0 | if (encoded == NULL) |
254 | 0 | return NULL; |
255 | 0 | } |
256 | 0 | encoded[0] = 0; |
257 | 0 | encoded[1] = (uint8_t)ctx_len; |
258 | 0 | memcpy(&encoded[2], ctx, ctx_len); |
259 | 0 | memcpy(&encoded[2 + ctx_len], msg, msg_len); |
260 | 0 | return encoded; |
261 | 0 | } |
262 | | |
263 | | /** |
264 | | * See FIPS 205 Section 10.2.1 Algorithm 22 |
265 | | * @returns 1 on success, or 0 on error. |
266 | | */ |
267 | | int ossl_slh_dsa_sign(SLH_DSA_HASH_CTX *slh_ctx, |
268 | | const uint8_t *msg, size_t msg_len, |
269 | | const uint8_t *ctx, size_t ctx_len, |
270 | | const uint8_t *add_rand, int encode, |
271 | | unsigned char *sig, size_t *siglen, size_t sigsize) |
272 | 0 | { |
273 | 0 | uint8_t m_tmp[1024], *m = m_tmp; |
274 | 0 | size_t m_len = 0; |
275 | 0 | int ret = 0; |
276 | |
|
277 | 0 | if (sig != NULL) { |
278 | 0 | m = msg_encode(msg, msg_len, ctx, ctx_len, encode, m_tmp, sizeof(m_tmp), |
279 | 0 | &m_len); |
280 | 0 | if (m == NULL) |
281 | 0 | return 0; |
282 | 0 | } |
283 | 0 | ret = slh_sign_internal(slh_ctx, m, m_len, sig, siglen, sigsize, add_rand); |
284 | 0 | if (m != msg && m != m_tmp) |
285 | 0 | OPENSSL_free(m); |
286 | 0 | return ret; |
287 | 0 | } |
288 | | |
289 | | /** |
290 | | * See FIPS 205 Section 10.3 Algorithm 24 |
291 | | * @returns 1 on success, or 0 on error. |
292 | | */ |
293 | | int ossl_slh_dsa_verify(SLH_DSA_HASH_CTX *slh_ctx, |
294 | | const uint8_t *msg, size_t msg_len, |
295 | | const uint8_t *ctx, size_t ctx_len, int encode, |
296 | | const uint8_t *sig, size_t sig_len) |
297 | 0 | { |
298 | 0 | uint8_t *m; |
299 | 0 | size_t m_len; |
300 | 0 | uint8_t m_tmp[1024]; |
301 | 0 | int ret = 0; |
302 | |
|
303 | 0 | m = msg_encode(msg, msg_len, ctx, ctx_len, encode, m_tmp, sizeof(m_tmp), |
304 | 0 | &m_len); |
305 | 0 | if (m == NULL) |
306 | 0 | return 0; |
307 | | |
308 | 0 | ret = slh_verify_internal(slh_ctx, m, m_len, sig, sig_len); |
309 | 0 | if (m != msg && m != m_tmp) |
310 | 0 | OPENSSL_free(m); |
311 | 0 | return ret; |
312 | 0 | } |
313 | | |
314 | | /* |
315 | | * See FIPS 205 Algorithm 2 toInt(X, n) |
316 | | * OPENSSL_load_u64_be() cant be used here as the |in_len| may be < 8 |
317 | | */ |
318 | | static uint64_t bytes_to_u64_be(const uint8_t *in, size_t in_len) |
319 | 0 | { |
320 | |
|
321 | 0 | size_t i; |
322 | 0 | uint64_t total = 0; |
323 | |
|
324 | 0 | for (i = 0; i < in_len; i++) |
325 | 0 | total = (total << 8) + *in++; |
326 | 0 | return total; |
327 | 0 | } |
328 | | |
329 | | /* |
330 | | * See Algorithm 19 Steps 7..10 (also Algorithm 20 Step 10..13). |
331 | | * Converts digested bytes into a tree index, and leaf index within the tree. |
332 | | * The sizes are determined by the |params| parameter set. |
333 | | */ |
334 | | static int get_tree_ids(PACKET *rpkt, const SLH_DSA_PARAMS *params, |
335 | | uint64_t *tree_id, uint32_t *leaf_id) |
336 | 0 | { |
337 | 0 | const uint8_t *tree_id_bytes, *leaf_id_bytes; |
338 | 0 | uint32_t tree_id_len, leaf_id_len; |
339 | 0 | uint64_t tree_id_mask, leaf_id_mask; |
340 | |
|
341 | 0 | tree_id_len = ((params->h - params->hm + 7) >> 3); /* 7 or 8 bytes */ |
342 | 0 | leaf_id_len = ((params->hm + 7) >> 3); /* 1 or 2 bytes */ |
343 | |
|
344 | 0 | if (!PACKET_get_bytes(rpkt, &tree_id_bytes, tree_id_len) |
345 | 0 | || !PACKET_get_bytes(rpkt, &leaf_id_bytes, leaf_id_len)) |
346 | 0 | return 0; |
347 | | |
348 | | /* |
349 | | * In order to calculate A mod (2^X) where X is in the range of (54..64) |
350 | | * This is equivalent to A & (2^x - 1) which is just a sequence of X ones |
351 | | * that must fit into a 64 bit value. |
352 | | * e.g when X = 64 it would be A & (0xFFFF_FFFF_FFFF_FFFF) |
353 | | * when X = 54 it would be A & (0x3F_FFFF_FFFF_FFFF) |
354 | | * i.e. A & (0xFFFF_FFFF_FFFF_FFFF >> (64 - X)) |
355 | | */ |
356 | 0 | tree_id_mask = (~(uint64_t)0) >> (64 - (params->h - params->hm)); |
357 | 0 | leaf_id_mask = ((uint64_t)1 << params->hm) - 1; /* max value is 0x1FF when hm = 9 */ |
358 | 0 | *tree_id = bytes_to_u64_be(tree_id_bytes, tree_id_len) & tree_id_mask; |
359 | 0 | *leaf_id = (uint32_t)(bytes_to_u64_be(leaf_id_bytes, leaf_id_len) & leaf_id_mask); |
360 | 0 | return 1; |
361 | 0 | } |