diff options
| -rw-r--r-- | crypto/ec/curve25519.c | 86 | ||||
| -rw-r--r-- | crypto/ec/curve448/curve448_local.h | 11 | ||||
| -rw-r--r-- | crypto/ec/curve448/eddsa.c | 50 | ||||
| -rw-r--r-- | crypto/ec/ecx_meth.c | 12 | ||||
| -rw-r--r-- | doc/man7/EVP_SIGNATURE-ED25519.pod | 92 | ||||
| -rw-r--r-- | include/crypto/ecx.h | 24 | ||||
| -rw-r--r-- | include/openssl/core_names.h | 2 | ||||
| -rw-r--r-- | providers/implementations/signature/eddsa_sig.c | 311 | ||||
| -rw-r--r-- | test/curve448_internal_test.c | 36 | ||||
| -rw-r--r-- | test/recipes/30-test_evp_data/evppkey_ecx.txt | 339 |
10 files changed, 841 insertions, 122 deletions
diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c index 286d6bff80..4f033d74d0 100644 --- a/crypto/ec/curve25519.c +++ b/crypto/ec/curve25519.c @@ -5434,9 +5434,47 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, s[31] = (uint8_t) (s11 >> 17); } +static int hash_init_with_dom(EVP_MD_CTX *hash_ctx, + EVP_MD *sha512, + const uint8_t dom2flag, + const uint8_t phflag, + const uint8_t *context, + const size_t context_len) +{ + /* ASCII: "SigEd25519 no Ed25519 collisions", in hex for EBCDIC compatibility */ + const char dom_s[] = + "\x53\x69\x67\x45\x64\x32\x35\x35\x31\x39\x20\x6e" + "\x6f\x20\x45\x64\x32\x35\x35\x31\x39\x20\x63\x6f" + "\x6c\x6c\x69\x73\x69\x6f\x6e\x73"; + uint8_t dom[2]; + + if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL)) + return 0; + + /* return early if dom2flag is not set */ + if (!dom2flag) + return 1; + + if (context_len > UINT8_MAX) + return 0; + + dom[0] = (uint8_t)(phflag >= 1 ? 1 : 0); + dom[1] = (uint8_t)context_len; + + if (!EVP_DigestUpdate(hash_ctx, dom_s, sizeof(dom_s)-1) + || !EVP_DigestUpdate(hash_ctx, dom, sizeof(dom)) + || !EVP_DigestUpdate(hash_ctx, context, context_len)) { + return 0; + } + + return 1; +} + int -ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, +ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *tbs, size_t tbs_len, const uint8_t public_key[32], const uint8_t private_key[32], + const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag, + const uint8_t *context, size_t context_len, OSSL_LIB_CTX *libctx, const char *propq) { uint8_t az[SHA512_DIGEST_LENGTH]; @@ -5448,6 +5486,17 @@ ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, unsigned int sz; int res = 0; + if (context == NULL) + context_len = 0; + + /* if csflag is set, then a non-empty context-string is required */ + if (csflag && context_len == 0) + goto err; + + /* if dom2flag is not set, then an empty context-string is required */ + if (!dom2flag && context_len > 0) + goto err; + if (sha512 == NULL || hash_ctx == NULL) goto err; @@ -5460,9 +5509,9 @@ ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, az[31] &= 63; az[31] |= 64; - if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL) + if (!hash_init_with_dom(hash_ctx, sha512, dom2flag, phflag, context, context_len) || !EVP_DigestUpdate(hash_ctx, az + 32, 32) - || !EVP_DigestUpdate(hash_ctx, message, message_len) + || !EVP_DigestUpdate(hash_ctx, tbs, tbs_len) || !EVP_DigestFinal_ex(hash_ctx, nonce, &sz)) goto err; @@ -5470,10 +5519,10 @@ ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, ge_scalarmult_base(&R, nonce); ge_p3_tobytes(out_sig, &R); - if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL) + if (!hash_init_with_dom(hash_ctx, sha512, dom2flag, phflag, context, context_len) || !EVP_DigestUpdate(hash_ctx, out_sig, 32) || !EVP_DigestUpdate(hash_ctx, public_key, 32) - || !EVP_DigestUpdate(hash_ctx, message, message_len) + || !EVP_DigestUpdate(hash_ctx, tbs, tbs_len) || !EVP_DigestFinal_ex(hash_ctx, hram, &sz)) goto err; @@ -5492,8 +5541,10 @@ err: static const char allzeroes[15]; int -ossl_ed25519_verify(const uint8_t *message, size_t message_len, +ossl_ed25519_verify(const uint8_t *tbs, size_t tbs_len, const uint8_t signature[64], const uint8_t public_key[32], + const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag, + const uint8_t *context, size_t context_len, OSSL_LIB_CTX *libctx, const char *propq) { int i; @@ -5512,6 +5563,17 @@ ossl_ed25519_verify(const uint8_t *message, size_t message_len, 0xDE, 0xF9, 0xDE, 0x14 }; + if (context == NULL) + context_len = 0; + + /* if csflag is set, then a non-empty context-string is required */ + if (csflag && context_len == 0) + return 0; + + /* if dom2flag is not set, then an empty context-string is required */ + if (!dom2flag && context_len > 0) + return 0; + r = signature; s = signature + 32; @@ -5556,10 +5618,10 @@ ossl_ed25519_verify(const uint8_t *message, size_t message_len, if (hash_ctx == NULL) goto err; - if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL) + if (!hash_init_with_dom(hash_ctx, sha512, dom2flag, phflag, context, context_len) || !EVP_DigestUpdate(hash_ctx, r, 32) || !EVP_DigestUpdate(hash_ctx, public_key, 32) - || !EVP_DigestUpdate(hash_ctx, message, message_len) + || !EVP_DigestUpdate(hash_ctx, tbs, tbs_len) || !EVP_DigestFinal_ex(hash_ctx, h, &sz)) goto err; @@ -5570,6 +5632,14 @@ ossl_ed25519_verify(const uint8_t *message, size_t message_len, ge_tobytes(rcheck, &R); res = CRYPTO_memcmp(rcheck, r, sizeof(rcheck)) == 0; + + /* note that we have used the strict verification equation here. + * we checked that ENC( [h](-A) + [s]B ) == r + * B is the base point. + * + * the less strict verification equation uses the curve cofactor: + * [h*8](-A) + [s*8]B == [8]R + */ err: EVP_MD_free(sha512); EVP_MD_CTX_free(hash_ctx); diff --git a/crypto/ec/curve448/curve448_local.h b/crypto/ec/curve448/curve448_local.h index 3410f091a6..f118d851ee 100644 --- a/crypto/ec/curve448/curve448_local.h +++ b/crypto/ec/curve448/curve448_local.h @@ -10,15 +10,4 @@ # define OSSL_CRYPTO_EC_CURVE448_LOCAL_H # include "curve448utils.h" -int -ossl_ed448ph_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t hash[64], - const uint8_t public_key[57], const uint8_t private_key[57], - const uint8_t *context, size_t context_len, const char *propq); - -int -ossl_ed448ph_verify(OSSL_LIB_CTX *ctx, const uint8_t hash[64], - const uint8_t signature[114], const uint8_t public_key[57], - const uint8_t *context, size_t context_len, - const char *propq); - #endif /* OSSL_CRYPTO_EC_CURVE448_LOCAL_H */ diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c index 6648692ff3..cbef27d9bb 100644 --- a/crypto/ec/curve448/eddsa.c +++ b/crypto/ec/curve448/eddsa.c @@ -61,12 +61,8 @@ static c448_error_t hash_init_with_dom(OSSL_LIB_CTX *ctx, EVP_MD_CTX *hashctx, size_t context_len, const char *propq) { -#ifdef CHARSET_EBCDIC - const char dom_s[] = {0x53, 0x69, 0x67, 0x45, - 0x64, 0x34, 0x34, 0x38, 0x00}; -#else - const char dom_s[] = "SigEd448"; -#endif + /* ASCII: "SigEd448", in hex for EBCDIC compatibility */ + const char dom_s[] = "\x53\x69\x67\x45\x64\x34\x34\x38"; uint8_t dom[2]; EVP_MD *shake256 = NULL; @@ -82,7 +78,7 @@ static c448_error_t hash_init_with_dom(OSSL_LIB_CTX *ctx, EVP_MD_CTX *hashctx, return C448_FAILURE; if (!EVP_DigestInit_ex(hashctx, shake256, NULL) - || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s)) + || !EVP_DigestUpdate(hashctx, dom_s, sizeof(dom_s)-1) || !EVP_DigestUpdate(hashctx, dom, sizeof(dom)) || !EVP_DigestUpdate(hashctx, context, context_len)) { EVP_MD_free(shake256); @@ -373,48 +369,30 @@ ossl_c448_ed448_verify_prehash( } int -ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t *message, - size_t message_len, const uint8_t public_key[57], - const uint8_t private_key[57], const uint8_t *context, - size_t context_len, const char *propq) +ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, + const uint8_t *message, size_t message_len, + const uint8_t public_key[57], const uint8_t private_key[57], + const uint8_t *context, size_t context_len, + const uint8_t phflag, const char *propq) { return ossl_c448_ed448_sign(ctx, out_sig, private_key, public_key, message, - message_len, 0, context, context_len, + message_len, phflag, context, context_len, propq) == C448_SUCCESS; } int -ossl_ed448_verify(OSSL_LIB_CTX *ctx, const uint8_t *message, size_t message_len, +ossl_ed448_verify(OSSL_LIB_CTX *ctx, + const uint8_t *message, size_t message_len, const uint8_t signature[114], const uint8_t public_key[57], - const uint8_t *context, size_t context_len, const char *propq) + const uint8_t *context, size_t context_len, + const uint8_t phflag, const char *propq) { return ossl_c448_ed448_verify(ctx, signature, public_key, message, - message_len, 0, context, (uint8_t)context_len, + message_len, phflag, context, (uint8_t)context_len, propq) == C448_SUCCESS; } int -ossl_ed448ph_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t hash[64], - const uint8_t public_key[57], const uint8_t private_key[57], - const uint8_t *context, size_t context_len, const char *propq) -{ - return ossl_c448_ed448_sign_prehash(ctx, out_sig, private_key, public_key, - hash, context, context_len, - propq) == C448_SUCCESS; -} - -int -ossl_ed448ph_verify(OSSL_LIB_CTX *ctx, const uint8_t hash[64], - const uint8_t signature[114], const uint8_t public_key[57], - const uint8_t *context, size_t context_len, - const char *propq) -{ - return ossl_c448_ed448_verify_prehash(ctx, signature, public_key, hash, - context, (uint8_t)context_len, - propq) == C448_SUCCESS; -} - -int ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57], const uint8_t private_key[57], const char *propq) { diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index e83a2d7172..45531b86a1 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -821,8 +821,10 @@ static int pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, unsigned char *sig, return 0; } - if (ossl_ed25519_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey, NULL, - NULL) == 0) + if (ossl_ed25519_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey, + 0, 0, 0, + NULL, 0, + NULL, NULL) == 0) return 0; *siglen = ED25519_SIGSIZE; return 1; @@ -849,7 +851,7 @@ static int pkey_ecd_digestsign448(EVP_MD_CTX *ctx, unsigned char *sig, } if (ossl_ed448_sign(edkey->libctx, sig, tbs, tbslen, edkey->pubkey, - edkey->privkey, NULL, 0, edkey->propq) == 0) + edkey->privkey, NULL, 0, 0, edkey->propq) == 0) return 0; *siglen = ED448_SIGSIZE; return 1; @@ -870,6 +872,8 @@ static int pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, const unsigned char *sig, return 0; return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey, + 0, 0, 0, + NULL, 0, edkey->libctx, edkey->propq); } @@ -888,7 +892,7 @@ static int pkey_ecd_digestverify448(EVP_MD_CTX *ctx, const unsigned char *sig, return 0; return ossl_ed448_verify(edkey->libctx, tbs, tbslen, sig, edkey->pubkey, - NULL, 0, edkey->propq); + NULL, 0, 0, edkey->propq); } static int pkey_ecd_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) diff --git a/doc/man7/EVP_SIGNATURE-ED25519.pod b/doc/man7/EVP_SIGNATURE-ED25519.pod index 2183d83c2e..dbb7de3279 100644 --- a/doc/man7/EVP_SIGNATURE-ED25519.pod +++ b/doc/man7/EVP_SIGNATURE-ED25519.pod @@ -10,16 +10,65 @@ Ed448 =head1 DESCRIPTION -The B<Ed25519> and B<Ed448> EVP_PKEY implementation supports key generation, -one-shot digest sign and digest verify using PureEdDSA and B<Ed25519> or B<Ed448> -(see RFC8032). It has associated private and public key formats compatible with -RFC 8410. +The B<Ed25519> and B<Ed448> EVP_PKEY implementation supports key +generation, one-shot digest-sign and digest-verify using the EdDSA +signature scheme described in RFC 8032. It has associated private and +public key formats compatible with RFC 8410. + +=head2 EdDSA Instances + +RFC 8032 describes five EdDSA instances: Ed25519, Ed25519ctx, +Ed25519ph, Ed448, Ed448ph. + +The instances Ed25519, Ed25519ctx, Ed448 are referred to as B<PureEdDSA> +schemes. For these three instances, the sign and verify procedures +require access to the complete message (not a digest of the message). + +The instances Ed25519ph, Ed448ph are referred to as B<HashEdDSA> +schemes. For these two instances, the sign and verify procedures do +not require access to the complete message; they operate on a hash of +the message. For Ed25519ph, the hash function is SHA512. For +Ed448ph, the hash function is SHAKE256 with an output length of 512 +bits. + +The instances Ed25519ctx, Ed25519ph, Ed448, Ed448ph accept an optional +B<context-string> as input to sign and verify operations (and for +Ed25519ctx, the context-string must be nonempty). For the Ed25519 +instance, a nonempty context-string is not permitted. =head2 ED25519 and ED448 Signature Parameters -No additional parameters can be set during one-shot signing or verification. -In particular, because PureEdDSA is used, a digest must B<NOT> be specified when -signing or verifying. +Two parameters can be set during signing or verification: the EdDSA +B<instance name> and the B<context-string value>. They can be set by +passing an OSSL_PARAM array to EVP_DigestSignInit_ex(). + +=over 4 + +=item * "instance" (B<OSSL_SIGNATURE_PARAM_INSTANCE>) <utf8 string> + +One of the five strings "Ed25519", "Ed25519ctx", "Ed25519ph", "Ed448", "Ed448ph". + +"Ed25519", "Ed25519ctx", "Ed25519ph" are valid only for an Ed25519 EVP_PKEY. + +"Ed448", "Ed448ph" are valid only for an Ed448 EVP_PKEY. + +=item * "context-string" (B<OSSL_SIGNATURE_PARAM_CONTEXT_STRING>) <octet string> + +A string of octets with length at most 255. + +=back + +Both of these parameters are optional. + +If the instance name is not specified, then the default "Ed25519" or +"Ed448" is used. + +If a context-string is not specified, then an empty context-string is +used. + +Note that a message digest name must B<NOT> be specified when signing +or verifying. + See L<EVP_PKEY-X25519(7)> for information related to B<X25519> and B<X448> keys. The following signature parameters can be retrieved using @@ -27,19 +76,26 @@ EVP_PKEY_CTX_get_params(). =over 4 -=item "algorithm-id" (B<OSSL_SIGNATURE_PARAM_ALGORITHM_ID>) <octet string> +=item * "algorithm-id" (B<OSSL_SIGNATURE_PARAM_ALGORITHM_ID>) <octet string> -The parameters are described in L<provider-signature(7)>. +=item * "instance" (B<OSSL_SIGNATURE_PARAM_INSTANCE>) <utf8 string> + +=item * "context-string" (B<OSSL_SIGNATURE_PARAM_CONTEXT_STRING>) <octet string> =back +The parameters are described in L<provider-signature(7)>. + =head1 NOTES -The PureEdDSA algorithm does not support the streaming mechanism -of other signature algorithms using, for example, EVP_DigestUpdate(). +The PureEdDSA instances do not support the streaming mechanism of +other signature algorithms using, for example, EVP_DigestUpdate(). The message to sign or verify must be passed using the one-shot EVP_DigestSign() and EVP_DigestVerify() functions. +The HashEdDSA instances do not yet support the streaming mechanisms +(so the one-shot functions must be used with HashEdDSA as well). + When calling EVP_DigestSignInit() or EVP_DigestVerifyInit(), the digest I<type> parameter B<MUST> be set to NULL. @@ -64,7 +120,7 @@ specified, then both Ed25519 and Ed448 are benchmarked. =head1 EXAMPLES -To sign a message using a ED25519 or ED448 key: +To sign a message using an ED25519 EVP_PKEY structure: void do_sign(EVP_PKEY *ed_key, unsigned char *msg, size_t msg_len) { @@ -72,8 +128,16 @@ To sign a message using a ED25519 or ED448 key: unsigned char *sig = NULL; EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); - EVP_DigestSignInit(md_ctx, NULL, NULL, NULL, ed_key); - /* Calculate the requires size for the signature by passing a NULL buffer */ + const OSSL_PARAM params[] = { + OSSL_PARAM_utf8_string ("instance", "Ed25519ctx", 10), + OSSL_PARAM_octet_string("context-string", (unsigned char *)"A protocol defined context string", 33), + OSSL_PARAM_END + }; + + /* The input "params" is not needed if default options are acceptable. + Use NULL in place of "params" in that case. */ + EVP_DigestSignInit_ex(md_ctx, NULL, NULL, NULL, NULL, ed_key, params); + /* Calculate the required size for the signature by passing a NULL buffer. */ EVP_DigestSign(md_ctx, NULL, &sig_len, msg, msg_len); sig = OPENSSL_zalloc(sig_len); diff --git a/include/crypto/ecx.h b/include/crypto/ecx.h index 79026b6c41..e6b61b5a79 100644 --- a/include/crypto/ecx.h +++ b/include/crypto/ecx.h @@ -97,27 +97,33 @@ ossl_ed25519_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[32], const uint8_t private_key[32], const char *propq); int -ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, +ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *tbs, size_t tbs_len, const uint8_t public_key[32], const uint8_t private_key[32], + const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag, + const uint8_t *context, size_t context_len, OSSL_LIB_CTX *libctx, const char *propq); int -ossl_ed25519_verify(const uint8_t *message, size_t message_len, +ossl_ed25519_verify(const uint8_t *tbs, size_t tbs_len, const uint8_t signature[64], const uint8_t public_key[32], + const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag, + const uint8_t *context, size_t context_len, OSSL_LIB_CTX *libctx, const char *propq); - int ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57], const uint8_t private_key[57], const char *propq); int -ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t *message, - size_t message_len, const uint8_t public_key[57], - const uint8_t private_key[57], const uint8_t *context, - size_t context_len, const char *propq); +ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, + const uint8_t *message, size_t message_len, + const uint8_t public_key[57], const uint8_t private_key[57], + const uint8_t *context, size_t context_len, + const uint8_t phflag, const char *propq); int -ossl_ed448_verify(OSSL_LIB_CTX *ctx, const uint8_t *message, size_t message_len, +ossl_ed448_verify(OSSL_LIB_CTX *ctx, + const uint8_t *message, size_t message_len, const uint8_t signature[114], const uint8_t public_key[57], - const uint8_t *context, size_t context_len, const char *propq); + const uint8_t *context, size_t context_len, + const uint8_t phflag, const char *propq); int ossl_x448(uint8_t out_shared_key[56], const uint8_t private_key[56], diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 1b19ef74d0..2cde6cdb94 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -467,6 +467,8 @@ extern "C" { OSSL_PKEY_PARAM_MGF1_PROPERTIES #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE #define OSSL_SIGNATURE_PARAM_NONCE_TYPE "nonce-type" +#define OSSL_SIGNATURE_PARAM_INSTANCE "instance" +#define OSSL_SIGNATURE_PARAM_CONTEXT_STRING "context-string" /* Asym cipher parameters */ #define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST diff --git a/providers/implementations/signature/eddsa_sig.c b/providers/implementations/signature/eddsa_sig.c index f678e64cf8..e3d5c5a7c8 100644 --- a/providers/implementations/signature/eddsa_sig.c +++ b/providers/implementations/signature/eddsa_sig.c @@ -43,6 +43,24 @@ static int s390x_ed448_digestverify(const ECX_KEY *edkey, #endif /* S390X_EC_ASM */ +enum ID_EdDSA_INSTANCE { + ID_NOT_SET = 0, + ID_Ed25519, + ID_Ed25519ctx, + ID_Ed25519ph, + ID_Ed448, + ID_Ed448ph +}; + +#define SN_Ed25519 "Ed25519" +#define SN_Ed25519ph "Ed25519ph" +#define SN_Ed25519ctx "Ed25519ctx" +#define SN_Ed448 "Ed448" +#define SN_Ed448ph "Ed448ph" + +#define EDDSA_MAX_CONTEXT_STRING_LEN 255 +#define EDDSA_PREHASH_OUTPUT_LEN 64 + static OSSL_FUNC_signature_newctx_fn eddsa_newctx; static OSSL_FUNC_signature_digest_sign_init_fn eddsa_digest_signverify_init; static OSSL_FUNC_signature_digest_sign_fn ed25519_digest_sign; @@ -53,6 +71,55 @@ static OSSL_FUNC_signature_freectx_fn eddsa_freectx; static OSSL_FUNC_signature_dupctx_fn eddsa_dupctx; static OSSL_FUNC_signature_get_ctx_params_fn eddsa_get_ctx_params; static OSSL_FUNC_signature_gettable_ctx_params_fn eddsa_gettable_ctx_params; +static OSSL_FUNC_signature_set_ctx_params_fn eddsa_set_ctx_params; +static OSSL_FUNC_signature_settable_ctx_params_fn eddsa_settable_ctx_params; + +/* there are five EdDSA instances: + + Ed25519 + Ed25519ph + Ed25519ctx + Ed448 + Ed448ph + + Quoting from RFC 8032, Section 5.1: + + For Ed25519, dom2(f,c) is the empty string. The phflag value is + irrelevant. The context (if present at all) MUST be empty. This + causes the scheme to be one and the same with the Ed25519 scheme + published earlier. + + For Ed25519ctx, phflag=0. The context input SHOULD NOT be empty. + + For Ed25519ph, phflag=1 and PH is SHA512 instead. That is, the input + is hashed using SHA-512 before signing with Ed25519. + + Quoting from RFC 8032, Section 5.2: + + Ed448ph is the same but with PH being SHAKE256(x, 64) and phflag + being 1, i.e., the input is hashed before signing with Ed448 with a + hash constant modified. + + Value of context is set by signer and verifier (maximum of 255 + octets; the default is empty string) and has to match octet by octet + for verification to be successful. + + Quoting from RFC 8032, Section 2: + + dom2(x, y) The blank octet string when signing or verifying + Ed25519. Otherwise, the octet string: "SigEd25519 no + Ed25519 collisions" || octet(x) || octet(OLEN(y)) || + y, where x is in range 0-255 and y is an octet string + of at most 255 octets. "SigEd25519 no Ed25519 + collisions" is in ASCII (32 octets). + + dom4(x, y) The octet string "SigEd448" || octet(x) || + octet(OLEN(y)) || y, where x is in range 0-255 and y + is an octet string of at most 255 octets. "SigEd448" + is in ASCII (8 octets). + + Note above that x is the pre-hash flag, and y is the context string. +*/ typedef struct { OSSL_LIB_CTX *libctx; @@ -62,6 +129,19 @@ typedef struct { unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE]; unsigned char *aid; size_t aid_len; + + /* id indicating the EdDSA instance */ + int instance_id; + + unsigned int dom2_flag : 1; + unsigned int prehash_flag : 1; + + /* indicates that a non-empty context string is required, as in Ed25519ctx */ + unsigned int context_string_flag : 1; + + unsigned char context_string[EDDSA_MAX_CONTEXT_STRING_LEN]; + size_t context_string_len; + } PROV_EDDSA_CTX; static void *eddsa_newctx(void *provctx, const char *propq_unused) @@ -82,7 +162,7 @@ static void *eddsa_newctx(void *provctx, const char *propq_unused) static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, void *vedkey, - ossl_unused const OSSL_PARAM params[]) + const OSSL_PARAM params[]) { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; ECX_KEY *edkey = (ECX_KEY *)vedkey; @@ -99,8 +179,7 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, if (edkey == NULL) { if (peddsactx->key != NULL) - /* there is nothing to do on reinit */ - return 1; + return eddsa_set_ctx_params(peddsactx, params); ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); return 0; } @@ -110,6 +189,11 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, return 0; } + peddsactx->dom2_flag = 0; + peddsactx->prehash_flag = 0; + peddsactx->context_string_flag = 0; + peddsactx->context_string_len = 0; + /* * We do not care about DER writing errors. * All it really means is that for some reason, there's no @@ -122,9 +206,11 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, switch (edkey->type) { case ECX_KEY_TYPE_ED25519: ret = ret && ossl_DER_w_algorithmIdentifier_ED25519(&pkt, -1, edkey); + peddsactx->instance_id = ID_Ed25519; break; case ECX_KEY_TYPE_ED448: ret = ret && ossl_DER_w_algorithmIdentifier_ED448(&pkt, -1, edkey); + peddsactx->instance_id = ID_Ed448; break; default: /* Should never happen */ @@ -140,6 +226,9 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, peddsactx->key = edkey; + if (!eddsa_set_ctx_params(peddsactx, params)) + return 0; + return 1; } @@ -149,6 +238,8 @@ int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret, { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; + uint8_t md[EVP_MAX_MD_SIZE]; + size_t mdlen; if (!ossl_prov_is_running()) return 0; @@ -166,17 +257,33 @@ int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret, return 0; } #ifdef S390X_EC_ASM - if (S390X_CAN_SIGN(ED25519)) { - if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); - return 0; - } - *siglen = ED25519_SIGSIZE; - return 1; + /* s390x_ed25519_digestsign() does not yet support dom2 or context-strings. + fall back to non-accelerated sign if those options are set. */ + if (S390X_CAN_SIGN(ED25519) + && !peddsactx->dom2_flag + && !peddsactx->context_string_flag + && peddsactx->context_string_len == 0) { + if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); + return 0; + } + *siglen = ED25519_SIGSIZE; + return 1; } #endif /* S390X_EC_ASM */ + + if (peddsactx->prehash_flag) { + if (!EVP_Q_digest(peddsactx->libctx, SN_sha512, NULL, tbs, tbslen, md, &mdlen) + || mdlen != EDDSA_PREHASH_OUTPUT_LEN) + return 0; + tbs = md; + tbslen = mdlen; + } + if (ossl_ed25519_sign(sigret, tbs, tbslen, edkey->pubkey, edkey->privkey, - peddsactx->libctx, NULL) == 0) { + peddsactx->dom2_flag, peddsactx->prehash_flag, peddsactx->context_string_flag, + peddsactx->context_string, peddsactx->context_string_len, + peddsactx->libctx, NULL) == 0) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); return 0; } @@ -184,12 +291,41 @@ int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret, return 1; } +/* EVP_Q_digest() does not allow variable output length for XOFs, + so we use this function */ +static int ed448_shake256(OSSL_LIB_CTX *libctx, + const char *propq, + const uint8_t *in, size_t inlen, + uint8_t *out, size_t outlen) +{ + int ret = 0; + EVP_MD_CTX *hash_ctx = EVP_MD_CTX_new(); + EVP_MD *shake256 = EVP_MD_fetch(libctx, SN_shake256, propq); + + if (hash_ctx == NULL || shake256 == NULL) + goto err; + + if (!EVP_DigestInit_ex(hash_ctx, shake256, NULL) + || !EVP_DigestUpdate(hash_ctx, in, inlen) + || !EVP_DigestFinalXOF(hash_ctx, out, outlen)) + goto err; + + ret = 1; + + err: + EVP_MD_CTX_free(hash_ctx); + EVP_MD_free(shake256); + return ret; +} + int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret, size_t *siglen, size_t sigsize, const unsigned char *tbs, size_t tbslen) { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; + uint8_t md[EDDSA_PREHASH_OUTPUT_LEN]; + size_t mdlen = sizeof(md); if (!ossl_prov_is_running()) return 0; @@ -207,17 +343,30 @@ int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret, return 0; } #ifdef S390X_EC_ASM - if (S390X_CAN_SIGN(ED448)) { + /* s390x_ed448_digestsign() does not yet support context-strings. + fall back to non-accelerated sign if a context-string is provided. */ + if (S390X_CAN_SIGN(ED448) + && peddsactx->context_string_len == 0) { if (s390x_ed448_digestsign(edkey, sigret, tbs, tbslen) == 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); - return 0; - } - *siglen = ED448_SIGSIZE; - return 1; + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); + return 0; + } + *siglen = ED448_SIGSIZE; + return 1; } #endif /* S390X_EC_ASM */ - if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen, edkey->pubkey, - edkey->privkey, NULL, 0, edkey->propq) == 0) { + + if (peddsactx->prehash_flag) { + if (!ed448_shake256(peddsactx->libctx, NULL, tbs, tbslen, md, mdlen)) + return 0; + tbs = md; + tbslen = mdlen; + } + + if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen, + edkey->pubkey, edkey->privkey, + peddsactx->context_string, peddsactx->context_string_len, + peddsactx->prehash_flag, edkey->propq) == 0) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); return 0; } @@ -231,16 +380,34 @@ int ed25519_digest_verify(void *vpeddsactx, const unsigned char *sig, { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; + uint8_t md[EVP_MAX_MD_SIZE]; + size_t mdlen; if (!ossl_prov_is_running() || siglen != ED25519_SIGSIZE) return 0; #ifdef S390X_EC_ASM - if (S390X_CAN_SIGN(ED25519)) + /* s390x_ed25519_digestverify() does not yet support dom2 or context-strings. + fall back to non-accelerated verify if those options are set. */ + if (S390X_CAN_SIGN(ED25519) + && !peddsactx->dom2_flag + && !peddsactx->context_string_flag + && peddsactx->context_string_len == 0) { return s390x_ed25519_digestverify(edkey, sig, tbs, tbslen); + } #endif /* S390X_EC_ASM */ + if (peddsactx->prehash_flag) { + if (!EVP_Q_digest(peddsactx->libctx, SN_sha512, NULL, tbs, tbslen, md, &mdlen) + || mdlen != EDDSA_PREHASH_OUTPUT_LEN) + return 0; + tbs = md; + tbslen = mdlen; + } + return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey, + peddsactx->dom2_flag, peddsactx->prehash_flag, peddsactx->context_string_flag, + peddsactx->context_string, peddsactx->context_string_len, peddsactx->libctx, edkey->propq); } @@ -250,17 +417,31 @@ int ed448_digest_verify(void *vpeddsactx, const unsigned char *sig, { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; + uint8_t md[EDDSA_PREHASH_OUTPUT_LEN]; + size_t mdlen = sizeof(md); if (!ossl_prov_is_running() || siglen != ED448_SIGSIZE) return 0; #ifdef S390X_EC_ASM - if (S390X_CAN_SIGN(ED448)) + /* s390x_ed448_digestverify() does not yet support context-strings. + fall back to non-accelerated verify if a context-string is provided. */ + if (S390X_CAN_SIGN(ED448) + && peddsactx->context_string_len == 0) { return s390x_ed448_digestverify(edkey, sig, tbs, tbslen); + } #endif /* S390X_EC_ASM */ + if (peddsactx->prehash_flag) { + if (!ed448_shake256(peddsactx->libctx, NULL, tbs, tbslen, md, mdlen)) + return 0; + tbs = md; + tbslen = mdlen; + } + return ossl_ed448_verify(peddsactx->libctx, tbs, tbslen, sig, |