/* * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include #include #include #include #include "slh_dsa_local.h" #include "slh_dsa_key.h" #define SLH_MAX_M 49 /* See slh_params.c */ /* The size of md is (21..40 bytes) - since a is in bits round up to nearest byte */ #define MD_LEN(params) (((params)->k * (params)->a + 7) >> 3) static int get_tree_ids(PACKET *pkt, const SLH_DSA_PARAMS *params, uint64_t *tree_id, uint32_t *leaf_id); /** * @brief SLH-DSA Signature generation * See FIPS 205 Section 9.2 Algorithm 19 * * A signature consists of * r[n] random bytes * [k]*[1+a][n] FORS signature bytes * [h + d*len][n] Hyper tree signature bytes * * @param ctx Contains SLH_DSA algorithm functions and constants, and the * private SLH_DSA key to use for signing. * @param msg The message to sign. This may be encoded beforehand. * @param msg_len The size of |msg| * @param sig The returned signature * @param sig_len The size of the returned |sig| * @param sig_size The maximum size of |sig| * @param opt_rand An optional random value to use of size |n|. It can be NULL. * @returns 1 if the signature generation succeeded or 0 otherwise. */ static int slh_sign_internal(SLH_DSA_HASH_CTX *hctx, const uint8_t *msg, size_t msg_len, uint8_t *sig, size_t *sig_len, size_t sig_size, const uint8_t *opt_rand) { int ret = 0; const SLH_DSA_KEY *priv = hctx->key; const SLH_DSA_PARAMS *params = priv->params; size_t sig_len_expected = params->sig_len; uint8_t m_digest[SLH_MAX_M]; const uint8_t *md; /* The first md_len bytes of m_digest */ size_t md_len = MD_LEN(params); /* The size of the digest |md| */ /* Points to |m_digest| buffer, it is also reused to point to |sig_fors| */ PACKET r_packet, *rpkt = &r_packet; uint8_t *r, *sig_fors; /* Pointers into buffer inside |wpkt| */ WPACKET w_packet, *wpkt = &w_packet; /* Points to output |sig| buffer */ const uint8_t *pk_seed, *sk_seed; /* pointers to elements within |priv| */ uint8_t pk_fors[SLH_MAX_N]; uint64_t tree_id; uint32_t leaf_id; SLH_ADRS_DECLARE(adrs); SLH_HASH_FUNC_DECLARE(priv, hashf); SLH_ADRS_FUNC_DECLARE(priv, adrsf); if (sig == NULL) { *sig_len = sig_len_expected; return 1; } if (sig_size < sig_len_expected) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE, "is %zu, should be at least %zu", sig_size, sig_len_expected); return 0; } /* Exit if private key is not set */ if (priv->has_priv == 0) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); return 0; } if (!WPACKET_init_static_len(wpkt, sig, sig_len_expected, 0)) return 0; if (!PACKET_buf_init(rpkt, m_digest, params->m)) return 0; pk_seed = SLH_DSA_PK_SEED(priv); sk_seed = SLH_DSA_SK_SEED(priv); if (opt_rand == NULL) opt_rand = pk_seed; adrsf->zero(adrs); /* calculate Randomness value r, and output to the SLH-DSA signature */ r = WPACKET_get_curr(wpkt); if (!hashf->PRF_MSG(hctx, SLH_DSA_SK_PRF(priv), opt_rand, msg, msg_len, wpkt) /* generate a digest of size |params->m| bytes where m is (30..49) */ || !hashf->H_MSG(hctx, r, pk_seed, SLH_DSA_PK_ROOT(priv), msg, msg_len, m_digest, sizeof(m_digest)) /* Grab the first md_len bytes of m_digest to use in fors_sign() */ || !PACKET_get_bytes(rpkt, &md, md_len) /* Grab remaining bytes from m_digest to select tree and leaf id's */ || !get_tree_ids(rpkt, params, &tree_id, &leaf_id)) goto err; adrsf->set_tree_address(adrs, tree_id); adrsf->set_type_and_clear(adrs, SLH_ADRS_TYPE_FORS_TREE); adrsf->set_keypair_address(adrs, leaf_id); sig_fors = WPACKET_get_curr(wpkt); /* generate the FORS signature and append it to the SLH-DSA signature */ ret = ossl_slh_fors_sign(hctx, md, sk_seed, pk_seed, adrs, wpkt) /* Reuse rpkt to point to the FORS signature that was just generated */ && PACKET_buf_init(rpkt, sig_fors, WPACKET_get_curr(wpkt) - sig_fors) /* Calculate the FORS public key using the generated FORS signature */ && ossl_slh_fors_pk_from_sig(hctx, rpkt, md, pk_seed, adrs, pk_fors, sizeof(pk_fors)) /* Generate ht signature and append to the SLH-DSA signature */ && ossl_slh_ht_sign(hctx, pk_fors, sk_seed, pk_seed, tree_id, leaf_id, wpkt); *sig_len = sig_len_expected; ret = 1; err: if (!WPACKET_finish(wpkt)) ret = 0; return ret; } /** * @brief SLH-DSA Signature verification * See FIPS 205 Section 9.3 Algorithm 20 * * A signature consists of * r[n] random bytes * [k]*[1+a][n] FORS signature bytes * [h + d*len][n] Hyper tree signature bytes * * @param hctx Contains SLH_DSA algorithm functions and constants and the * public SLH_DSA key to use for verification. * @param msg The message to verify. This may be encoded beforehand. * @param msg_len The size of |msg| * @param sig A signature to verify * @param sig_len The size of |sig| * @returns 1 if the signature verification succeeded or 0 otherwise. */ static int slh_verify_internal(SLH_DSA_HASH_CTX *hctx, const uint8_t *msg, size_t msg_len, const uint8_t *sig, size_t sig_len) { const SLH_DSA_KEY *pub = hctx->key; SLH_HASH_FUNC_DECLARE(pub, hashf); SLH_ADRS_FUNC_DECLARE(pub, adrsf); SLH_ADRS_DECLARE(adrs); const SLH_DSA_PARAMS *params = pub->params; uint32_t n = params->n; const uint8_t *pk_seed, *pk_root; /* Pointers to elements in |pub| */ PACKET pkt, *sig_rpkt = &pkt; /* Points to the |sig| buffer */ uint8_t m_digest[SLH_MAX_M]; const uint8_t *md; /* This is a pointer into the buffer in m_digest_rpkt */ size_t md_len = MD_LEN(params); /* 21..40 bytes */ PACKET pkt2, *m_digest_rpkt = &pkt2; /* Points to m_digest buffer */ const uint8_t *r; /* Pointer to |sig_rpkt| buffer */ uint8_t pk_fors[SLH_MAX_N]; uint64_t tree_id; uint32_t leaf_id; /* Exit if public key is not set */ if (pub->pub == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); return 0; } /* Exit if signature is invalid size */ if (sig_len != params->sig_len || !PACKET_buf_init(sig_rpkt, sig, sig_len)) return 0; if (!PACKET_get_bytes(sig_rpkt, &r, n)) return 0; adrsf->zero(adrs); pk_seed = SLH_DSA_PK_SEED(pub); pk_root = SLH_DSA_PK_ROOT(pub); if (!hashf->H_MSG(hctx, r, pk_seed, pk_root, msg, msg_len, m_digest, sizeof(m_digest))) return 0; /* * Get md (the first md_len bytes of m_digest to use in * ossl_slh_fors_pk_from_sig(), and then retrieve the tree id and leaf id * from the remaining bytes in m_digest. */ if (!PACKET_buf_init(m_digest_rpkt, m_digest, sizeof(m_digest)) || !PACKET_get_bytes(m_digest_rpkt, &md, md_len) || !get_tree_ids(m_digest_rpkt, params, &tree_id, &leaf_id)) return 0; adrsf->set_tree_address(adrs, tree_id); adrsf->set_type_and_clear(adrs, SLH_ADRS_TYPE_FORS_TREE); adrsf->set_keypair_address(adrs, leaf_id); return ossl_slh_fors_pk_from_sig(hctx, sig_rpkt, md, pk_seed, adrs, pk_fors, sizeof(pk_fors)) && ossl_slh_ht_verify(hctx, pk_fors, sig_rpkt, pk_seed, tree_id, leaf_id, pk_root) && PACKET_remaining(sig_rpkt) == 0; } /** * @brief Encode a message * See FIPS 205 Algorithm 22 Step 8 (and algorithm 24 Step 4). * * SLH_DSA pure signatures are encoded as M' = 00 || ctx_len || ctx || msg * Where ctx is the empty string by default and ctx_len <= 255. * * @param msg A message to encode * @param msg_len The size of |msg| * @param ctx An optional context to add to the message encoding. * @param ctx_len The size of |ctx|. It must be in the range 0..255 * @param encode Use the Pure signature encoding if this is 1, and dont encode * if this value is 0. * @param tmp A small buffer that may be used if the message is small. * @param tmp_len The size of |tmp| * @param out_len The size of the returned encoded buffer. * @returns A buffer containing the encoded message. If the passed in * |tmp| buffer is big enough to hold the encoded message then it returns |tmp| * otherwise it allocates memory which must be freed by the caller. If |encode| * is 0 then it returns |msg|. NULL is returned if there is a failure. */ static uint8_t *msg_encode(const uint8_t *msg, size_t msg_len, const uint8_t *ctx, size_t ctx_len, int encode, uint8_t *tmp, size_t tmp_len, size_t *out_len) { uint8_t *encoded = NULL; size_t encoded_len; if (encode == 0) { /* Raw message */ *out_len = msg_len; return (uint8_t *)msg; } if (ctx_len > SLH_DSA_MAX_CONTEXT_STRING_LEN) return NULL; /* Pure encoding */ encoded_len = 1 + 1 + ctx_len + msg_len; *out_len = encoded_len; if (encoded_len <= tmp_len) { encoded = tmp; } else { encoded = OPENSSL_zalloc(encoded_len); if (encoded == NULL) return NULL; } encoded[0] = 0; encoded[1] = (uint8_t)ctx_len; memcpy(&encoded[2], ctx, ctx_len); memcpy(&encoded[2 + ctx_len], msg, msg_len); return encoded; } /** * See FIPS 205 Section 10.2.1 Algorithm 22 * @returns 1 on success, or 0 on error. */ int ossl_slh_dsa_sign(SLH_DSA_HASH_CTX *slh_ctx, const uint8_t *msg, size_t msg_len, const uint8_t *ctx, size_t ctx_len, const uint8_t *add_rand, int encode, unsigned char *sig, size_t *siglen, size_t sigsize) { uint8_t m_tmp[1024], *m = m_tmp; size_t m_len = 0; int ret = 0; if (sig != NULL) { m = msg_encode(msg, msg_len, ctx, ctx_len, encode, m_tmp, sizeof(m_tmp), &m_len); if (m == NULL) return 0; } ret = slh_sign_internal(slh_ctx, m, m_len, sig, siglen, sigsize, add_rand); if (m != msg && m != m_tmp) OPENSSL_free(m); return ret; } /** * See FIPS 205 Section 10.3 Algorithm 24 * @returns 1 on success, or 0 on error. */ int ossl_slh_dsa_verify(SLH_DSA_HASH_CTX *slh_ctx, const uint8_t *msg, size_t msg_len, const uint8_t *ctx, size_t ctx_len, int encode, const uint8_t *sig, size_t sig_len) { uint8_t *m; size_t m_len; uint8_t m_tmp[1024]; int ret = 0; m = msg_encode(msg, msg_len, ctx, ctx_len, encode, m_tmp, sizeof(m_tmp), &m_len); if (m == NULL) return 0; ret = slh_verify_internal(slh_ctx, m, m_len, sig, sig_len); if (m != msg && m != m_tmp) OPENSSL_free(m); return ret; } /* * See FIPS 205 Algorithm 2 toInt(X, n) * OPENSSL_load_u64_be() cant be used here as the |in_len| may be < 8 */ static uint64_t bytes_to_u64_be(const uint8_t *in, size_t in_len) { size_t i; uint64_t total = 0; for (i = 0; i < in_len; i++) total = (total << 8) + *in++; return total; } /* * See Algorithm 19 Steps 7..10 (also Algorithm 20 Step 10..13). * Converts digested bytes into a tree index, and leaf index within the tree. * The sizes are determined by the |params| parameter set. */ static int get_tree_ids(PACKET *rpkt, const SLH_DSA_PARAMS *params, uint64_t *tree_id, uint32_t *leaf_id) { const uint8_t *tree_id_bytes, *leaf_id_bytes; uint32_t tree_id_len, leaf_id_len; uint64_t tree_id_mask, leaf_id_mask; tree_id_len = ((params->h - params->hm + 7) >> 3); /* 7 or 8 bytes */ leaf_id_len = ((params->hm + 7) >> 3); /* 1 or 2 bytes */ if (!PACKET_get_bytes(rpkt, &tree_id_bytes, tree_id_len) || !PACKET_get_bytes(rpkt, &leaf_id_bytes, leaf_id_len)) return 0; /* * In order to calculate A mod (2^X) where X is in the range of (54..64) * This is equivalent to A & (2^x - 1) which is just a sequence of X ones * that must fit into a 64 bit value. * e.g when X = 64 it would be A & (0xFFFF_FFFF_FFFF_FFFF) * when X = 54 it would be A & (0x3F_FFFF_FFFF_FFFF) * i.e. A & (0xFFFF_FFFF_FFFF_FFFF >> (64 - X)) */ tree_id_mask = (~(uint64_t)0) >> (64 - (params->h - params->hm)); leaf_id_mask = ((uint64_t)1 << params->hm) - 1; /* max value is 0x1FF when hm = 9 */ *tree_id = bytes_to_u64_be(tree_id_bytes, tree_id_len) & tree_id_mask; *leaf_id = (uint32_t)(bytes_to_u64_be(leaf_id_bytes, leaf_id_len) & leaf_id_mask); return 1; }