eddsa_sig.c@ 100947

Last change on this file since 100947 was 99366, checked in by vboxsync, 22 months ago
openssl-3.1.0: Applied and adjusted our OpenSSL changes to 3.0.7. bugref:10418
File size: 14.8 KB

Line
1	/*
2	* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <openssl/crypto.h>
11	#include <openssl/core_dispatch.h>
12	#include <openssl/core_names.h>
13	#include <openssl/err.h>
14	#include <openssl/params.h>
15	#include <openssl/evp.h>
16	#include <openssl/proverr.h>
17	#include "internal/nelem.h"
18	#include "internal/sizes.h"
19	#include "prov/providercommon.h"
20	#include "prov/implementations.h"
21	#include "prov/provider_ctx.h"
22	#include "prov/der_ecx.h"
23	#include "crypto/ecx.h"
24
25	#ifdef S390X_EC_ASM
26	# include "s390x_arch.h"
27
28	# define S390X_CAN_SIGN(edtype) \
29	((OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_##edtype)) \
30	&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_##edtype)) \
31	&& (OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_##edtype)))
32
33	static int s390x_ed25519_digestsign(const ECX_KEY edkey, unsigned char sig,
34	const unsigned char *tbs, size_t tbslen);
35	static int s390x_ed448_digestsign(const ECX_KEY edkey, unsigned char sig,
36	const unsigned char *tbs, size_t tbslen);
37	static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
38	const unsigned char *sig,
39	const unsigned char *tbs, size_t tbslen);
40	static int s390x_ed448_digestverify(const ECX_KEY *edkey,
41	const unsigned char *sig,
42	const unsigned char *tbs, size_t tbslen);
43
44	#endif /* S390X_EC_ASM */
45
46	static OSSL_FUNC_signature_newctx_fn eddsa_newctx;
47	static OSSL_FUNC_signature_digest_sign_init_fn eddsa_digest_signverify_init;
48	static OSSL_FUNC_signature_digest_sign_fn ed25519_digest_sign;
49	static OSSL_FUNC_signature_digest_sign_fn ed448_digest_sign;
50	static OSSL_FUNC_signature_digest_verify_fn ed25519_digest_verify;
51	static OSSL_FUNC_signature_digest_verify_fn ed448_digest_verify;
52	static OSSL_FUNC_signature_freectx_fn eddsa_freectx;
53	static OSSL_FUNC_signature_dupctx_fn eddsa_dupctx;
54	static OSSL_FUNC_signature_get_ctx_params_fn eddsa_get_ctx_params;
55	static OSSL_FUNC_signature_gettable_ctx_params_fn eddsa_gettable_ctx_params;
56
57	typedef struct {
58	OSSL_LIB_CTX *libctx;
59	ECX_KEY *key;
60
61	/* The Algorithm Identifier of the signature algorithm */
62	unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
63	unsigned char *aid;
64	size_t aid_len;
65	} PROV_EDDSA_CTX;
66
67	static void eddsa_newctx(void provctx, const char *propq_unused)
68	{
69	PROV_EDDSA_CTX *peddsactx;
70
71	if (!ossl_prov_is_running())
72	return NULL;
73
74	peddsactx = OPENSSL_zalloc(sizeof(PROV_EDDSA_CTX));
75	if (peddsactx == NULL) {
76	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
77	return NULL;
78	}
79
80	peddsactx->libctx = PROV_LIBCTX_OF(provctx);
81
82	return peddsactx;
83	}
84
85	static int eddsa_digest_signverify_init(void vpeddsactx, const char mdname,
86	void *vedkey,
87	ossl_unused const OSSL_PARAM params[])
88	{
89	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
90	ECX_KEY edkey = (ECX_KEY )vedkey;
91	WPACKET pkt;
92	int ret;
93
94	if (!ossl_prov_is_running())
95	return 0;
96
97	if (mdname != NULL && mdname[0] != '\0') {
98	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
99	return 0;
100	}
101
102	if (edkey == NULL) {
103	if (peddsactx->key != NULL)
104	/* there is nothing to do on reinit */
105	return 1;
106	ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
107	return 0;
108	}
109
110	if (!ossl_ecx_key_up_ref(edkey)) {
111	ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
112	return 0;
113	}
114
115	/*
116	* We do not care about DER writing errors.
117	* All it really means is that for some reason, there's no
118	* AlgorithmIdentifier to be had, but the operation itself is
119	* still valid, just as long as it's not used to construct
120	* anything that needs an AlgorithmIdentifier.
121	*/
122	peddsactx->aid_len = 0;
123	ret = WPACKET_init_der(&pkt, peddsactx->aid_buf, sizeof(peddsactx->aid_buf));
124	switch (edkey->type) {
125	case ECX_KEY_TYPE_ED25519:
126	ret = ret && ossl_DER_w_algorithmIdentifier_ED25519(&pkt, -1, edkey);
127	break;
128	case ECX_KEY_TYPE_ED448:
129	ret = ret && ossl_DER_w_algorithmIdentifier_ED448(&pkt, -1, edkey);
130	break;
131	default:
132	/* Should never happen */
133	ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
134	ossl_ecx_key_free(edkey);
135	return 0;
136	}
137	if (ret && WPACKET_finish(&pkt)) {
138	WPACKET_get_total_written(&pkt, &peddsactx->aid_len);
139	peddsactx->aid = WPACKET_get_curr(&pkt);
140	}
141	WPACKET_cleanup(&pkt);
142
143	peddsactx->key = edkey;
144
145	return 1;
146	}
147
148	int ed25519_digest_sign(void vpeddsactx, unsigned char sigret,
149	size_t *siglen, size_t sigsize,
150	const unsigned char *tbs, size_t tbslen)
151	{
152	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
153	const ECX_KEY *edkey = peddsactx->key;
154
155	if (!ossl_prov_is_running())
156	return 0;
157
158	if (sigret == NULL) {
159	*siglen = ED25519_SIGSIZE;
160	return 1;
161	}
162	if (sigsize < ED25519_SIGSIZE) {
163	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
164	return 0;
165	}
166	if (edkey->privkey == NULL) {
167	ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
168	return 0;
169	}
170	#ifdef S390X_EC_ASM
171	if (S390X_CAN_SIGN(ED25519)) {
172	if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) {
173	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
174	return 0;
175	}
176	*siglen = ED25519_SIGSIZE;
177	return 1;
178	}
179	#endif /* S390X_EC_ASM */
180	if (ossl_ed25519_sign(sigret, tbs, tbslen, edkey->pubkey, edkey->privkey,
181	peddsactx->libctx, NULL) == 0) {
182	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
183	return 0;
184	}
185	*siglen = ED25519_SIGSIZE;
186	return 1;
187	}
188
189	int ed448_digest_sign(void vpeddsactx, unsigned char sigret,
190	size_t *siglen, size_t sigsize,
191	const unsigned char *tbs, size_t tbslen)
192	{
193	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
194	const ECX_KEY *edkey = peddsactx->key;
195
196	if (!ossl_prov_is_running())
197	return 0;
198
199	if (sigret == NULL) {
200	*siglen = ED448_SIGSIZE;
201	return 1;
202	}
203	if (sigsize < ED448_SIGSIZE) {
204	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
205	return 0;
206	}
207	if (edkey->privkey == NULL) {
208	ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
209	return 0;
210	}
211	#ifdef S390X_EC_ASM
212	if (S390X_CAN_SIGN(ED448)) {
213	if (s390x_ed448_digestsign(edkey, sigret, tbs, tbslen) == 0) {
214	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
215	return 0;
216	}
217	*siglen = ED448_SIGSIZE;
218	return 1;
219	}
220	#endif /* S390X_EC_ASM */
221	if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen, edkey->pubkey,
222	edkey->privkey, NULL, 0, edkey->propq) == 0) {
223	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN);
224	return 0;
225	}
226	*siglen = ED448_SIGSIZE;
227	return 1;
228	}
229
230	int ed25519_digest_verify(void vpeddsactx, const unsigned char sig,
231	size_t siglen, const unsigned char *tbs,
232	size_t tbslen)
233	{
234	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
235	const ECX_KEY *edkey = peddsactx->key;
236
237	if (!ossl_prov_is_running() \|\| siglen != ED25519_SIGSIZE)
238	return 0;
239
240	#ifdef S390X_EC_ASM
241	if (S390X_CAN_SIGN(ED25519))
242	return s390x_ed25519_digestverify(edkey, sig, tbs, tbslen);
243	#endif /* S390X_EC_ASM */
244
245	return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey,
246	peddsactx->libctx, edkey->propq);
247	}
248
249	int ed448_digest_verify(void vpeddsactx, const unsigned char sig,
250	size_t siglen, const unsigned char *tbs,
251	size_t tbslen)
252	{
253	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
254	const ECX_KEY *edkey = peddsactx->key;
255
256	if (!ossl_prov_is_running() \|\| siglen != ED448_SIGSIZE)
257	return 0;
258
259	#ifdef S390X_EC_ASM
260	if (S390X_CAN_SIGN(ED448))
261	return s390x_ed448_digestverify(edkey, sig, tbs, tbslen);
262	#endif /* S390X_EC_ASM */
263
264	return ossl_ed448_verify(peddsactx->libctx, tbs, tbslen, sig, edkey->pubkey,
265	NULL, 0, edkey->propq);
266	}
267
268	static void eddsa_freectx(void *vpeddsactx)
269	{
270	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
271
272	ossl_ecx_key_free(peddsactx->key);
273
274	OPENSSL_free(peddsactx);
275	}
276
277	static void eddsa_dupctx(void vpeddsactx)
278	{
279	PROV_EDDSA_CTX srcctx = (PROV_EDDSA_CTX )vpeddsactx;
280	PROV_EDDSA_CTX *dstctx;
281
282	if (!ossl_prov_is_running())
283	return NULL;
284
285	dstctx = OPENSSL_zalloc(sizeof(*srcctx));
286	if (dstctx == NULL)
287	return NULL;
288
289	dstctx = srcctx;
290	dstctx->key = NULL;
291
292	if (srcctx->key != NULL && !ossl_ecx_key_up_ref(srcctx->key)) {
293	ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
294	goto err;
295	}
296	dstctx->key = srcctx->key;
297
298	return dstctx;
299	err:
300	eddsa_freectx(dstctx);
301	return NULL;
302	}
303
304	static int eddsa_get_ctx_params(void vpeddsactx, OSSL_PARAM params)
305	{
306	PROV_EDDSA_CTX peddsactx = (PROV_EDDSA_CTX )vpeddsactx;
307	OSSL_PARAM *p;
308
309	if (peddsactx == NULL)
310	return 0;
311
312	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
313	if (p != NULL && !OSSL_PARAM_set_octet_string(p, peddsactx->aid,
314	peddsactx->aid_len))
315	return 0;
316
317	return 1;
318	}
319
320	static const OSSL_PARAM known_gettable_ctx_params[] = {
321	OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
322	OSSL_PARAM_END
323	};
324
325	static const OSSL_PARAM eddsa_gettable_ctx_params(ossl_unused void vpeddsactx,
326	ossl_unused void *provctx)
327	{
328	return known_gettable_ctx_params;
329	}
330
331	const OSSL_DISPATCH ossl_ed25519_signature_functions[] = {
332	{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },
333	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
334	(void (*)(void))eddsa_digest_signverify_init },
335	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN,
336	(void (*)(void))ed25519_digest_sign },
337	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
338	(void (*)(void))eddsa_digest_signverify_init },
339	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,
340	(void (*)(void))ed25519_digest_verify },
341	{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx },
342	{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },
343	{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
344	{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
345	(void (*)(void))eddsa_gettable_ctx_params },
346	{ 0, NULL }
347	};
348
349	const OSSL_DISPATCH ossl_ed448_signature_functions[] = {
350	{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx },
351	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
352	(void (*)(void))eddsa_digest_signverify_init },
353	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN,
354	(void (*)(void))ed448_digest_sign },
355	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
356	(void (*)(void))eddsa_digest_signverify_init },
357	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,
358	(void (*)(void))ed448_digest_verify },
359	{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))eddsa_freectx },
360	{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))eddsa_dupctx },
361	{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params },
362	{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
363	(void (*)(void))eddsa_gettable_ctx_params },
364	{ 0, NULL }
365	};
366
367	#ifdef S390X_EC_ASM
368
369	static int s390x_ed25519_digestsign(const ECX_KEY edkey, unsigned char sig,
370	const unsigned char *tbs, size_t tbslen)
371	{
372	int rc;
373	union {
374	struct {
375	unsigned char sig[64];
376	unsigned char priv[32];
377	} ed25519;
378	unsigned long long buff[512];
379	} param;
380
381	memset(&param, 0, sizeof(param));
382	memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));
383
384	rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, &param.ed25519, tbs, tbslen);
385	OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
386	if (rc != 0)
387	return 0;
388
389	s390x_flip_endian32(sig, param.ed25519.sig);
390	s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
391	return 1;
392	}
393
394	static int s390x_ed448_digestsign(const ECX_KEY edkey, unsigned char sig,
395	const unsigned char *tbs, size_t tbslen)
396	{
397	int rc;
398	union {
399	struct {
400	unsigned char sig[128];
401	unsigned char priv[64];
402	} ed448;
403	unsigned long long buff[512];
404	} param;
405
406	memset(&param, 0, sizeof(param));
407	memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);
408
409	rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, &param.ed448, tbs, tbslen);
410	OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
411	if (rc != 0)
412	return 0;
413
414	s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
415	s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
416	memcpy(sig, param.ed448.sig, 57);
417	memcpy(sig + 57, param.ed448.sig + 64, 57);
418	return 1;
419	}
420
421	static int s390x_ed25519_digestverify(const ECX_KEY *edkey,
422	const unsigned char *sig,
423	const unsigned char *tbs, size_t tbslen)
424	{
425	union {
426	struct {
427	unsigned char sig[64];
428	unsigned char pub[32];
429	} ed25519;
430	unsigned long long buff[512];
431	} param;
432
433	memset(&param, 0, sizeof(param));
434	s390x_flip_endian32(param.ed25519.sig, sig);
435	s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
436	s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);
437
438	return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
439	&param.ed25519, tbs, tbslen) == 0 ? 1 : 0;
440	}
441
442	static int s390x_ed448_digestverify(const ECX_KEY *edkey,
443	const unsigned char *sig,
444	const unsigned char *tbs,
445	size_t tbslen)
446	{
447	union {
448	struct {
449	unsigned char sig[128];
450	unsigned char pub[64];
451	} ed448;
452	unsigned long long buff[512];
453	} param;
454
455	memset(&param, 0, sizeof(param));
456	memcpy(param.ed448.sig, sig, 57);
457	s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
458	memcpy(param.ed448.sig + 64, sig + 57, 57);
459	s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
460	memcpy(param.ed448.pub, edkey->pubkey, 57);
461	s390x_flip_endian64(param.ed448.pub, param.ed448.pub);
462
463	return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
464	&param.ed448, tbs, tbslen) == 0 ? 1 : 0;
465	}
466
467	#endif /* S390X_EC_ASM */

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.1.0/providers/implementations/signature/eddsa_sig.c@ 100947

Download in other formats: