diff --git a/INSTALL.md b/INSTALL.md index 1b3feb2b7a..8599851ab4 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -2061,5 +2061,8 @@ is used, as it is the version of the GNU assembler that will be checked. [SP 800-90B]: +[jitterentropy-library]: + + [FIPS 205]: diff --git a/crypto/slh_dsa/slh_adrs.c b/crypto/slh_dsa/slh_adrs.c index d03b442fd5..d6a0e7f8e8 100644 --- a/crypto/slh_dsa/slh_adrs.c +++ b/crypto/slh_dsa/slh_adrs.c @@ -65,11 +65,11 @@ static OSSL_SLH_ADRS_FUNC_copy slh_adrsc_copy; * The non compressed versions of the ADRS functions use 32 bytes * This is only used by SHAKE. */ -static void slh_adrs_set_layer_address(SLH_ADRS adrs, uint32_t layer) +static void slh_adrs_set_layer_address(uint8_t *adrs, uint32_t layer) { OPENSSL_store_u32_be(adrs + SLH_ADRS_OFF_LAYER_ADR, layer); } -static void slh_adrs_set_tree_address(SLH_ADRS adrs, uint64_t address) +static void slh_adrs_set_tree_address(uint8_t *adrs, uint64_t address) { /* * There are 12 bytes reserved for this - but the largest number @@ -79,73 +79,73 @@ static void slh_adrs_set_tree_address(SLH_ADRS adrs, uint64_t address) */ OPENSSL_store_u64_be(adrs + SLH_ADRS_OFF_TREE_ADR + 4, address); } -static void slh_adrs_set_type_and_clear(SLH_ADRS adrs, uint32_t type) +static void slh_adrs_set_type_and_clear(uint8_t *adrs, uint32_t type) { OPENSSL_store_u32_be(adrs + SLH_ADRS_OFF_TYPE, type); memset(adrs + SLH_ADRS_OFF_TYPE + SLH_ADRS_SIZE_TYPE, 0, SLH_ADRS_SIZE_TYPECLEAR); } -static void slh_adrs_set_keypair_address(SLH_ADRS adrs, uint32_t in) +static void slh_adrs_set_keypair_address(uint8_t *adrs, uint32_t in) { OPENSSL_store_u32_be(adrs + SLH_ADRS_OFF_KEYPAIR_ADDR, in); } -static void slh_adrs_copy_keypair_address(SLH_ADRS dst, const SLH_ADRS src) +static void slh_adrs_copy_keypair_address(uint8_t *dst, const uint8_t *src) { memcpy(dst + SLH_ADRS_OFF_KEYPAIR_ADDR, src + SLH_ADRS_OFF_KEYPAIR_ADDR, SLH_ADRS_SIZE_KEYPAIR_ADDR); } -static void slh_adrs_set_chain_address(SLH_ADRS adrs, uint32_t in) +static void slh_adrs_set_chain_address(uint8_t *adrs, uint32_t in) { OPENSSL_store_u32_be(adrs + SLH_ADRS_OFF_CHAIN_ADDR, in); } -static void slh_adrs_set_hash_address(SLH_ADRS adrs, uint32_t in) +static void slh_adrs_set_hash_address(uint8_t *adrs, uint32_t in) { OPENSSL_store_u32_be(adrs + SLH_ADRS_OFF_HASH_ADDR, in); } -static void slh_adrs_zero(SLH_ADRS adrs) +static void slh_adrs_zero(uint8_t *adrs) { memset(adrs, 0, SLH_ADRS_SIZE); } -static void slh_adrs_copy(SLH_ADRS dst, const SLH_ADRS src) +static void slh_adrs_copy(uint8_t *dst, const uint8_t *src) { memcpy(dst, src, SLH_ADRS_SIZE); } /* Compressed versions of ADRS functions See Table 3 */ -static void slh_adrsc_set_layer_address(SLH_ADRS adrsc, uint32_t layer) +static void slh_adrsc_set_layer_address(uint8_t *adrsc, uint32_t layer) { adrsc[SLH_ADRSC_OFF_LAYER_ADR] = (uint8_t)layer; } -static void slh_adrsc_set_tree_address(SLH_ADRS adrsc, uint64_t in) +static void slh_adrsc_set_tree_address(uint8_t *adrsc, uint64_t in) { OPENSSL_store_u64_be(adrsc + SLH_ADRSC_OFF_TREE_ADR, in); } -static void slh_adrsc_set_type_and_clear(SLH_ADRS adrsc, uint32_t type) +static void slh_adrsc_set_type_and_clear(uint8_t *adrsc, uint32_t type) { adrsc[SLH_ADRSC_OFF_TYPE] = (uint8_t)type; memset(adrsc + SLH_ADRSC_OFF_TYPE + SLH_ADRSC_SIZE_TYPE, 0, SLH_ADRSC_SIZE_TYPECLEAR); } -static void slh_adrsc_set_keypair_address(SLH_ADRS adrsc, uint32_t in) +static void slh_adrsc_set_keypair_address(uint8_t *adrsc, uint32_t in) { OPENSSL_store_u32_be(adrsc + SLH_ADRSC_OFF_KEYPAIR_ADDR, in); } -static void slh_adrsc_copy_keypair_address(SLH_ADRS dst, const SLH_ADRS src) +static void slh_adrsc_copy_keypair_address(uint8_t *dst, const uint8_t *src) { memcpy(dst + SLH_ADRSC_OFF_KEYPAIR_ADDR, src + SLH_ADRSC_OFF_KEYPAIR_ADDR, SLH_ADRSC_SIZE_KEYPAIR_ADDR); } -static void slh_adrsc_set_chain_address(SLH_ADRS adrsc, uint32_t in) +static void slh_adrsc_set_chain_address(uint8_t *adrsc, uint32_t in) { OPENSSL_store_u32_be(adrsc + SLH_ADRSC_OFF_CHAIN_ADDR, in); } -static void slh_adrsc_set_hash_address(SLH_ADRS adrsc, uint32_t in) +static void slh_adrsc_set_hash_address(uint8_t *adrsc, uint32_t in) { OPENSSL_store_u32_be(adrsc + SLH_ADRSC_OFF_HASH_ADDR, in); } -static void slh_adrsc_zero(SLH_ADRS adrsc) +static void slh_adrsc_zero(uint8_t *adrsc) { memset(adrsc, 0, SLH_ADRSC_SIZE); } -static void slh_adrsc_copy(SLH_ADRS dst, const SLH_ADRS src) +static void slh_adrsc_copy(uint8_t *dst, const uint8_t *src) { memcpy(dst, src, SLH_ADRSC_SIZE); } diff --git a/crypto/slh_dsa/slh_adrs.h b/crypto/slh_dsa/slh_adrs.h index 2c7acf8de2..0107fc4b77 100644 --- a/crypto/slh_dsa/slh_adrs.h +++ b/crypto/slh_dsa/slh_adrs.h @@ -33,28 +33,26 @@ #define SLH_ADRS_TYPE_WOTS_PRF 5 #define SLH_ADRS_TYPE_FORS_PRF 6 -typedef uint8_t *SLH_ADRS; - #define SLH_ADRS_DECLARE(a) uint8_t a[SLH_ADRS_SIZE_MAX] #define SLH_ADRS_FUNC_DECLARE(ctx, adrsf) \ const SLH_ADRS_FUNC *adrsf = ctx->adrs_func #define SLH_ADRS_FN_DECLARE(adrsf, t) OSSL_SLH_ADRS_FUNC_##t *t = adrsf->t -typedef void (OSSL_SLH_ADRS_FUNC_zero)(SLH_ADRS adrs); -typedef void (OSSL_SLH_ADRS_FUNC_copy)(SLH_ADRS dst, const SLH_ADRS src); -typedef void (OSSL_SLH_ADRS_FUNC_copy_keypair_address)(SLH_ADRS dst, const SLH_ADRS src); +typedef void (OSSL_SLH_ADRS_FUNC_zero)(uint8_t *adrs); +typedef void (OSSL_SLH_ADRS_FUNC_copy)(uint8_t *dst, const uint8_t *src); +typedef void (OSSL_SLH_ADRS_FUNC_copy_keypair_address)(uint8_t *dst, const uint8_t *src); /* * Note that the tree address is actually 12 bytes in uncompressed format, * but we only use 8 bytes */ -typedef void (OSSL_SLH_ADRS_FUNC_set_tree_address)(SLH_ADRS adrs, uint64_t in); -typedef void (OSSL_SLH_ADRS_FUNC_set_layer_address)(SLH_ADRS adrs, uint32_t layer); -typedef void (OSSL_SLH_ADRS_FUNC_set_type_and_clear)(SLH_ADRS adrs, uint32_t type); -typedef void (OSSL_SLH_ADRS_FUNC_set_keypair_address)(SLH_ADRS adrs, uint32_t in); -typedef void (OSSL_SLH_ADRS_FUNC_set_chain_address)(SLH_ADRS adrs, uint32_t in); -typedef void (OSSL_SLH_ADRS_FUNC_set_tree_height)(SLH_ADRS adrs, uint32_t in); -typedef void (OSSL_SLH_ADRS_FUNC_set_hash_address)(SLH_ADRS adrs, uint32_t in); -typedef void (OSSL_SLH_ADRS_FUNC_set_tree_index)(SLH_ADRS adrs, uint32_t in); +typedef void (OSSL_SLH_ADRS_FUNC_set_tree_address)(uint8_t *adrs, uint64_t in); +typedef void (OSSL_SLH_ADRS_FUNC_set_layer_address)(uint8_t *adrs, uint32_t layer); +typedef void (OSSL_SLH_ADRS_FUNC_set_type_and_clear)(uint8_t *adrs, uint32_t type); +typedef void (OSSL_SLH_ADRS_FUNC_set_keypair_address)(uint8_t *adrs, uint32_t in); +typedef void (OSSL_SLH_ADRS_FUNC_set_chain_address)(uint8_t *adrs, uint32_t in); +typedef void (OSSL_SLH_ADRS_FUNC_set_tree_height)(uint8_t *adrs, uint32_t in); +typedef void (OSSL_SLH_ADRS_FUNC_set_hash_address)(uint8_t *adrs, uint32_t in); +typedef void (OSSL_SLH_ADRS_FUNC_set_tree_index)(uint8_t *adrs, uint32_t in); typedef struct slh_adrs_func_st { OSSL_SLH_ADRS_FUNC_set_layer_address *set_layer_address; diff --git a/crypto/slh_dsa/slh_dsa.c b/crypto/slh_dsa/slh_dsa.c index 560b7f32df..c961883537 100644 --- a/crypto/slh_dsa/slh_dsa.c +++ b/crypto/slh_dsa/slh_dsa.c @@ -6,7 +6,6 @@ * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ -#include #include #include #include @@ -65,14 +64,16 @@ static int slh_sign_internal(SLH_DSA_HASH_CTX *hctx, SLH_HASH_FUNC_DECLARE(priv, hashf); SLH_ADRS_FUNC_DECLARE(priv, adrsf); - if (sig_len != NULL) + if (sig == NULL) { *sig_len = sig_len_expected; + return 1; + } - if (sig == NULL) - return (sig_len != NULL); - - if (sig_size < sig_len_expected) + if (sig_size < sig_len_expected) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE, + "is %zu, should be at least %zu", sig_size, sig_len_expected); return 0; + } /* Exit if private key is not set */ if (priv->has_priv == 0) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); @@ -118,6 +119,7 @@ static int slh_sign_internal(SLH_DSA_HASH_CTX *hctx, /* Generate ht signature and append to the SLH-DSA signature */ && ossl_slh_ht_sign(hctx, pk_fors, sk_seed, pk_seed, tree_id, leaf_id, wpkt); + *sig_len = sig_len_expected; ret = 1; err: if (!WPACKET_finish(wpkt)) @@ -309,7 +311,10 @@ int ossl_slh_dsa_verify(SLH_DSA_HASH_CTX *slh_ctx, return ret; } -/* See FIPS 205 Algorithm 2 toInt(X, n) */ +/* + * See FIPS 205 Algorithm 2 toInt(X, n) + * OPENSSL_load_u64_be() cant be used here as the |in_len| may be < 8 + */ static uint64_t bytes_to_u64_be(const uint8_t *in, size_t in_len) { @@ -348,7 +353,7 @@ static int get_tree_ids(PACKET *rpkt, const SLH_DSA_PARAMS *params, * when X = 54 it would be A & (0x3F_FFFF_FFFF_FFFF) * i.e. A & (0xFFFF_FFFF_FFFF_FFFF >> (64 - X)) */ - tree_id_mask = ((uint64_t)-1) >> (64 - (params->h - params->hm)); + tree_id_mask = (~(uint64_t)0) >> (64 - (params->h - params->hm)); leaf_id_mask = (1 << params->hm) - 1; /* max value is 0x1FF when hm = 9 */ *tree_id = bytes_to_u64_be(tree_id_bytes, tree_id_len) & tree_id_mask; *leaf_id = (uint32_t)(bytes_to_u64_be(leaf_id_bytes, leaf_id_len) & leaf_id_mask); diff --git a/crypto/slh_dsa/slh_dsa_key.c b/crypto/slh_dsa/slh_dsa_key.c index 4fb6a495a9..ebe1dc0754 100644 --- a/crypto/slh_dsa/slh_dsa_key.c +++ b/crypto/slh_dsa/slh_dsa_key.c @@ -7,12 +7,13 @@ * https://www.openssl.org/source/license.html */ -#include #include +#include #include #include #include #include +#include #include "slh_dsa_local.h" #include "slh_dsa_key.h" #include "internal/encoder.h" @@ -453,6 +454,7 @@ int ossl_slh_dsa_set_pub(SLH_DSA_KEY *key, const uint8_t *pub, size_t pub_len) return 1; } +#ifndef FIPS_MODULE int ossl_slh_dsa_key_to_text(BIO *out, const SLH_DSA_KEY *key, int selection) { const char *name; @@ -491,3 +493,4 @@ int ossl_slh_dsa_key_to_text(BIO *out, const SLH_DSA_KEY *key, int selection) return 1; } +#endif /* FIPS_MODULE */ diff --git a/crypto/slh_dsa/slh_dsa_local.h b/crypto/slh_dsa/slh_dsa_local.h index d1a8472349..40d26f6720 100644 --- a/crypto/slh_dsa/slh_dsa_local.h +++ b/crypto/slh_dsa/slh_dsa_local.h @@ -26,7 +26,7 @@ #define SLH_WOTS_LEN(n) (2 * (n) + 3) /* - * FIPS 205 SLH_DSA algorithms have many different parameters which includes + * FIPS 205 SLH-DSA algorithms have many different parameters which includes * the following constants that are stored into a |key|: * - A set of constants (Section 11. contains 12 parameter sets) * such as tree heights and security parameters associated with a algorithm @@ -51,27 +51,27 @@ struct slh_dsa_hash_ctx_st { }; __owur int ossl_slh_wots_pk_gen(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_seed, - const uint8_t *pk_seed, SLH_ADRS adrs, + const uint8_t *pk_seed, uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len); __owur int ossl_slh_wots_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *msg, const uint8_t *sk_seed, const uint8_t *pk_seed, - SLH_ADRS adrs, WPACKET *sig_wpkt); + uint8_t *adrs, WPACKET *sig_wpkt); __owur int ossl_slh_wots_pk_from_sig(SLH_DSA_HASH_CTX *ctx, PACKET *sig_rpkt, const uint8_t *msg, - const uint8_t *pk_seed, SLH_ADRS adrs, + const uint8_t *pk_seed, uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len); __owur int ossl_slh_xmss_node(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_seed, uint32_t node_id, uint32_t height, - const uint8_t *pk_seed, SLH_ADRS adrs, + const uint8_t *pk_seed, uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len); __owur int ossl_slh_xmss_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *msg, const uint8_t *sk_seed, uint32_t node_id, - const uint8_t *pk_seed, SLH_ADRS adrs, + const uint8_t *pk_seed, uint8_t *adrs, WPACKET *sig_wpkt); __owur int ossl_slh_xmss_pk_from_sig(SLH_DSA_HASH_CTX *ctx, uint32_t node_id, PACKET *sig_rpkt, const uint8_t *msg, - const uint8_t *pk_seed, SLH_ADRS adrs, + const uint8_t *pk_seed, uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len); __owur int ossl_slh_ht_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *msg, @@ -85,8 +85,8 @@ __owur int ossl_slh_ht_verify(SLH_DSA_HASH_CTX *ctx, const uint8_t *msg, __owur int ossl_slh_fors_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *md, const uint8_t *sk_seed, const uint8_t *pk_seed, - SLH_ADRS adrs, WPACKET *sig_wpkt); + uint8_t *adrs, WPACKET *sig_wpkt); __owur int ossl_slh_fors_pk_from_sig(SLH_DSA_HASH_CTX *ctx, PACKET *sig_rpkt, const uint8_t *md, const uint8_t *pk_seed, - SLH_ADRS adrs, + uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len); diff --git a/crypto/slh_dsa/slh_fors.c b/crypto/slh_dsa/slh_fors.c index b6c3b633ae..49fb67a862 100644 --- a/crypto/slh_dsa/slh_fors.c +++ b/crypto/slh_dsa/slh_fors.c @@ -7,7 +7,6 @@ * https://www.openssl.org/source/license.html */ -#include #include #include #include "slh_dsa_local.h" @@ -40,7 +39,7 @@ static void slh_base_2b(const uint8_t *in, uint32_t b, uint32_t *out, size_t out * @returns 1 on success, or 0 on error. */ static int slh_fors_sk_gen(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_seed, - const uint8_t *pk_seed, SLH_ADRS adrs, uint32_t id, + const uint8_t *pk_seed, uint8_t *adrs, uint32_t id, uint8_t *pk_out, size_t pk_out_len) { const SLH_DSA_KEY *key = ctx->key; @@ -76,7 +75,7 @@ static int slh_fors_sk_gen(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_seed, * @returns 1 on success, or 0 on error. */ static int slh_fors_node(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_seed, - const uint8_t *pk_seed, SLH_ADRS adrs, uint32_t node_id, + const uint8_t *pk_seed, uint8_t *adrs, uint32_t node_id, uint32_t height, uint8_t *node, size_t node_len) { int ret = 0; @@ -131,7 +130,7 @@ static int slh_fors_node(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_seed, */ int ossl_slh_fors_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *md, const uint8_t *sk_seed, const uint8_t *pk_seed, - SLH_ADRS adrs, WPACKET *sig_wpkt) + uint8_t *adrs, WPACKET *sig_wpkt) { const SLH_DSA_KEY *key = ctx->key; uint32_t tree_id, layer, s, tree_offset; @@ -171,7 +170,7 @@ int ossl_slh_fors_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *md, /* * Traverse from the bottom of the tree (layer = 0) * up to the root (layer = a - 1). - * TODO - This is a really inefficient way of doing this, since at + * NOTE: This is a really inefficient way of doing this, since at * layer a - 1 it calculates most of the hashes of the entire tree as * well as all the leaf nodes. So it is calculating nodes multiple times. */ @@ -209,7 +208,7 @@ int ossl_slh_fors_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *md, */ int ossl_slh_fors_pk_from_sig(SLH_DSA_HASH_CTX *ctx, PACKET *fors_sig_rpkt, const uint8_t *md, const uint8_t *pk_seed, - SLH_ADRS adrs, uint8_t *pk_out, size_t pk_out_len) + uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len) { const SLH_DSA_KEY *key = ctx->key; int ret = 0; diff --git a/crypto/slh_dsa/slh_hash.c b/crypto/slh_dsa/slh_hash.c index 5b5b4d1956..ca41f16605 100644 --- a/crypto/slh_dsa/slh_hash.c +++ b/crypto/slh_dsa/slh_hash.c @@ -9,7 +9,6 @@ #include "internal/deprecated.h" /* PKCS1_MGF1() */ -#include #include #include #include @@ -79,7 +78,7 @@ slh_hmsg_shake(SLH_DSA_HASH_CTX *ctx, const uint8_t *r, static int slh_prf_shake(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, const uint8_t *sk_seed, - const SLH_ADRS adrs, uint8_t *out, size_t out_len) + const uint8_t *adrs, uint8_t *out, size_t out_len) { const SLH_DSA_PARAMS *params = ctx->key->params; size_t n = params->n; @@ -102,7 +101,7 @@ slh_prf_msg_shake(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_prf, } static int -slh_f_shake(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, const SLH_ADRS adrs, +slh_f_shake(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, const uint8_t *adrs, const uint8_t *m1, size_t m1_len, uint8_t *out, size_t out_len) { const SLH_DSA_PARAMS *params = ctx->key->params; @@ -112,7 +111,7 @@ slh_f_shake(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, const SLH_ADRS adrs, } static int -slh_h_shake(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, const SLH_ADRS adrs, +slh_h_shake(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, const uint8_t *adrs, const uint8_t *m1, const uint8_t *m2, uint8_t *out, size_t out_len) { const SLH_DSA_PARAMS *params = ctx->key->params; @@ -122,7 +121,7 @@ slh_h_shake(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, const SLH_ADRS adrs, } static int -slh_t_shake(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, const SLH_ADRS adrs, +slh_t_shake(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, const uint8_t *adrs, const uint8_t *ml, size_t ml_len, uint8_t *out, size_t out_len) { const SLH_DSA_PARAMS *params = ctx->key->params; @@ -159,10 +158,6 @@ slh_hmsg_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *r, const uint8_t *pk_seed, int sz = EVP_MD_get_size(hctx->key->md_big); size_t seed_len = (size_t)sz + 2 * n; - assert(m <= out_len); - assert(sz > 0); - assert(seed_len <= sizeof(seed)); - memcpy(seed, r, n); memcpy(seed + n, pk_seed, n); return digest_4(hctx->md_big_ctx, r, n, pk_seed, n, pk_root, n, msg, msg_len, @@ -211,16 +206,13 @@ slh_prf_msg_sha2(SLH_DSA_HASH_CTX *hctx, } static ossl_inline int -do_hash(EVP_MD_CTX *ctx, size_t n, const uint8_t *pk_seed, const SLH_ADRS adrs, +do_hash(EVP_MD_CTX *ctx, size_t n, const uint8_t *pk_seed, const uint8_t *adrs, const uint8_t *m, size_t m_len, size_t b, uint8_t *out, size_t out_len) { int ret; uint8_t zeros[128] = { 0 }; uint8_t digest[MAX_DIGEST_SIZE]; - assert(n <= out_len); - assert(b - n < sizeof(zeros)); - ret = digest_4(ctx, pk_seed, n, zeros, b - n, adrs, SLH_ADRSC_SIZE, m, m_len, digest); /* Truncated returned value is n = 16 bytes */ @@ -230,7 +222,7 @@ do_hash(EVP_MD_CTX *ctx, size_t n, const uint8_t *pk_seed, const SLH_ADRS adrs, static int slh_prf_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *pk_seed, - const uint8_t *sk_seed, const SLH_ADRS adrs, + const uint8_t *sk_seed, const uint8_t *adrs, uint8_t *out, size_t out_len) { size_t n = hctx->key->params->n; @@ -240,7 +232,7 @@ slh_prf_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *pk_seed, } static int -slh_f_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *pk_seed, const SLH_ADRS adrs, +slh_f_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *pk_seed, const uint8_t *adrs, const uint8_t *m1, size_t m1_len, uint8_t *out, size_t out_len) { return do_hash(hctx->md_ctx, hctx->key->params->n, pk_seed, adrs, m1, m1_len, @@ -248,7 +240,7 @@ slh_f_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *pk_seed, const SLH_ADRS adrs, } static int -slh_h_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *pk_seed, const SLH_ADRS adrs, +slh_h_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *pk_seed, const uint8_t *adrs, const uint8_t *m1, const uint8_t *m2, uint8_t *out, size_t out_len) { uint8_t m[SLH_MAX_N * 2]; @@ -262,7 +254,7 @@ slh_h_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *pk_seed, const SLH_ADRS adrs, } static int -slh_t_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *pk_seed, const SLH_ADRS adrs, +slh_t_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *pk_seed, const uint8_t *adrs, const uint8_t *ml, size_t ml_len, uint8_t *out, size_t out_len) { const SLH_DSA_PARAMS *prms = hctx->key->params; diff --git a/crypto/slh_dsa/slh_hash.h b/crypto/slh_dsa/slh_hash.h index bcb3cbaca6..60969968a4 100644 --- a/crypto/slh_dsa/slh_hash.h +++ b/crypto/slh_dsa/slh_hash.h @@ -29,7 +29,7 @@ typedef int (OSSL_SLH_HASHFUNC_H_MSG)(SLH_DSA_HASH_CTX *ctx, const uint8_t *r, uint8_t *out, size_t out_len); typedef int (OSSL_SLH_HASHFUNC_PRF)(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, - const uint8_t *sk_seed, const SLH_ADRS adrs, + const uint8_t *sk_seed, const uint8_t *adrs, uint8_t *out, size_t out_len); typedef int (OSSL_SLH_HASHFUNC_PRF_MSG)(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_prf, @@ -38,17 +38,17 @@ typedef int (OSSL_SLH_HASHFUNC_PRF_MSG)(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk WPACKET *pkt); typedef int (OSSL_SLH_HASHFUNC_F)(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, - const SLH_ADRS adrs, + const uint8_t *adrs, const uint8_t *m1, size_t m1_len, uint8_t *out, size_t out_len); typedef int (OSSL_SLH_HASHFUNC_H)(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, - const SLH_ADRS adrs, + const uint8_t *adrs, const uint8_t *m1, const uint8_t *m2, uint8_t *out, size_t out_len); typedef int (OSSL_SLH_HASHFUNC_T)(SLH_DSA_HASH_CTX *ctx, const uint8_t *pk_seed, - const SLH_ADRS adrs, + const uint8_t *adrs, const uint8_t *m1, size_t m1_len, uint8_t *out, size_t out_len); diff --git a/crypto/slh_dsa/slh_hypertree.c b/crypto/slh_dsa/slh_hypertree.c index 185e891f6c..a0d802d874 100644 --- a/crypto/slh_dsa/slh_hypertree.c +++ b/crypto/slh_dsa/slh_hypertree.c @@ -7,7 +7,6 @@ * https://www.openssl.org/source/license.html */ -#include #include #include "slh_dsa_local.h" #include "slh_dsa_key.h" diff --git a/crypto/slh_dsa/slh_wots.c b/crypto/slh_dsa/slh_wots.c index 7eb60b0c63..37895fed87 100644 --- a/crypto/slh_dsa/slh_wots.c +++ b/crypto/slh_dsa/slh_wots.c @@ -7,7 +7,6 @@ * https://www.openssl.org/source/license.html */ -#include #include #include #include "slh_dsa_local.h" @@ -138,7 +137,7 @@ static int slh_wots_chain(SLH_DSA_HASH_CTX *ctx, const uint8_t *in, */ int ossl_slh_wots_pk_gen(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_seed, const uint8_t *pk_seed, - SLH_ADRS adrs, uint8_t *pk_out, size_t pk_out_len) + uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len) { int ret = 0; const SLH_DSA_KEY *key = ctx->key; @@ -203,7 +202,7 @@ end: */ int ossl_slh_wots_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *msg, const uint8_t *sk_seed, const uint8_t *pk_seed, - SLH_ADRS adrs, WPACKET *sig_wpkt) + uint8_t *adrs, WPACKET *sig_wpkt) { int ret = 0; const SLH_DSA_KEY *key = ctx->key; diff --git a/crypto/slh_dsa/slh_xmss.c b/crypto/slh_dsa/slh_xmss.c index d6bdabe27c..82303bc7d3 100644 --- a/crypto/slh_dsa/slh_xmss.c +++ b/crypto/slh_dsa/slh_xmss.c @@ -7,7 +7,6 @@ * https://www.openssl.org/source/license.html */ -#include #include #include "slh_dsa_local.h" #include "slh_dsa_key.h" @@ -35,7 +34,7 @@ */ int ossl_slh_xmss_node(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_seed, uint32_t node_id, uint32_t h, - const uint8_t *pk_seed, SLH_ADRS adrs, + const uint8_t *pk_seed, uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len) { const SLH_DSA_KEY *key = ctx->key; @@ -85,7 +84,7 @@ int ossl_slh_xmss_node(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_seed, */ int ossl_slh_xmss_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *msg, const uint8_t *sk_seed, uint32_t node_id, - const uint8_t *pk_seed, SLH_ADRS adrs, WPACKET *sig_wpkt) + const uint8_t *pk_seed, uint8_t *adrs, WPACKET *sig_wpkt) { const SLH_DSA_KEY *key = ctx->key; SLH_ADRS_FUNC_DECLARE(key, adrsf); @@ -139,7 +138,7 @@ int ossl_slh_xmss_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *msg, */ int ossl_slh_xmss_pk_from_sig(SLH_DSA_HASH_CTX *ctx, uint32_t node_id, PACKET *sig_rpkt, const uint8_t *msg, - const uint8_t *pk_seed, SLH_ADRS adrs, + const uint8_t *pk_seed, uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len) { const SLH_DSA_KEY *key = ctx->key; diff --git a/doc/designs/slh-dsa.md b/doc/designs/slh-dsa.md index c3684c362c..f8abf4793e 100644 --- a/doc/designs/slh-dsa.md +++ b/doc/designs/slh-dsa.md @@ -19,7 +19,7 @@ The names used are of the form "SLH-DSA-SHA2-128s" and "SLH-DSA-SHAKE-128f". There are 7 hash functions used. The algorithms using SHAKE have a much simpler set of 7 functions as they just use SHAKE-256 XOF (Even for the SHAKE-128 names). -The SHA2 algorithms are much more complex and require HMAC, MGF1, and well as digests. +The SHA2 algorithms are much more complex and require HMAC, MGF1, as well as digests. There are 2 sets of functions for the SHA2 case. Some of the hash functions use an ADRS object. This is 32 bytes for SHAKE algorithms @@ -36,12 +36,12 @@ the ADRS functions, and the parameter constants. It also contains pre fetched al A SLH_DSA_HASH_CTX object is also created, that references the key, as well as containing per operation hash context objects. This SLH_DSA_HASH_CTX is then passed to all functions. This context is allocated in the -providers SLH_DSA signature context. +provider's SLH_DSA signature context. SLH-DSA keys ------------ -SLH-DSA keys have 2 elements of size n for both the public and private keys. +SLH-DSA keys have 2 elements of size `n` for both the public and private keys. Since different algorithms have different key sizes, buffers of the maximum size will be used to hold the keys (since the keys are only a maximum of 64 bytes each) @@ -57,9 +57,9 @@ struct slh_dsa_key_st { ... }; -The fields 'key_len' and 'has_priv' are used to determine if a key has loaded +The fields `key_len` and `has_priv` are used to determine if a key has loaded the public and private key elements. -The 'params' field is the parameter set which is resolved via the algorithm name. +The `params` field is the parameter set which is resolved via the algorithm name. In FIPS 205 the SLH_DSA private key contains the public key. In OpenSSL these components are stored separately, so there must always be a @@ -76,24 +76,27 @@ Pure vs Pre Hashed Signature Generation The normal signing process (called Pure SLH-DSA Signature Generation) encodes the message internally as 0x00 || len(ctx) || ctx || message. -where B is some optional value of size 0x00..0xFF. +where `ctx` is some optional value of size 0x00..0xFF. ACVP Testing requires the ability for the message to not be encoded also. This will be controlled by settable parameters. Pre Hash SLH-DSA Signature Generation encode the message as + +```c 0x01 || len(ctx) || ctx || digest_OID || H(message). +``` + The scenario that is stated that this is useful for is when this encoded message is supplied from an external source. -Currently I do not support the Pre Hash variant as this does not sit well with the -OpenSSL API's. The user could do the encoding themselves and then set the settable -to not encode the passed in message. +Currently we do not support the Pre Hash variant as this does not sit well with the +OpenSSL API's. Signing API ------------- -As only the one shot implementation is required and the message is not digested +As only the one-shot implementation is required and the message is not digested the API's used should be EVP_PKEY_sign_message_init(), EVP_PKEY_sign(), @@ -102,7 +105,7 @@ EVP_PKEY_verify_message_init(), EVP_PKEY_verify(). Buffers ------- -There are many functions pass buffers of size |n| Where n is one of 16,24,32 +There are many functions pass buffers of size `n` Where n is one of 16,24,32 depending on the algorithm name. These are used for key elements and hashes, so PACKETS are not used for these. @@ -112,7 +115,7 @@ and PACKET for reading signature data. Constant Time Considerations ---------------------------- -As the security of SLH-DSA depends only on hash functions, I do not foresee +As the security of SLH-DSA depends only on hash functions, we do not foresee there being any constant time issues. Some if statements have been added to detect failures in hash operations, and these errors are propagated all the way up the function call stack. These errors should not happen in general so should diff --git a/doc/man7/EVP_PKEY-SLH-DSA.pod b/doc/man7/EVP_PKEY-SLH-DSA.pod index 7a0d2ad7a0..1ebce2996c 100644 --- a/doc/man7/EVP_PKEY-SLH-DSA.pod +++ b/doc/man7/EVP_PKEY-SLH-DSA.pod @@ -25,7 +25,7 @@ private key I. Each of the different key types has an associated security parameter B. This value is one of 16, 24 or 32 for key types B, B -and B respectively. +and B, respectively. Both the public and private key contain 2 elements of size B. Key generation generates the private key elements and one of the public key @@ -53,8 +53,8 @@ Use EVP_PKEY_CTX_set_params() after calling EVP_PKEY_keygen_init(). =head2 Common SLH-DSA parameters In addition to the common parameters that all keytypes should support (see -L), the implementation of these key types -support the following. +L), the implementation of +these key types support the following. The following parameters are gettable using EVP_PKEY_get_octet_string_param(), and settable when using EVP_PKEY_fromdata(). diff --git a/doc/man7/EVP_SIGNATURE-SLH-DSA.pod b/doc/man7/EVP_SIGNATURE-SLH-DSA.pod index 5501771b37..e3f7020f41 100644 --- a/doc/man7/EVP_SIGNATURE-SLH-DSA.pod +++ b/doc/man7/EVP_SIGNATURE-SLH-DSA.pod @@ -24,14 +24,14 @@ signature schemes described in FIPS 205. The different algorithms names correspond to the parameter sets defined in FIPS 205 Section 11 Table 2. -'s' types have smaller signature sizes, and the 'f' variants are faster, +C types have smaller signature sizes, and the C variants are faster, (The signatures range from ~8K to ~50K depending on the type chosen). There are 3 different security categories also depending on the type. L can be used to explicitely fetch one of the 12 algorithms which can then be used with L, L, L, and -L to sign or verify one-shot messages. +L to perform one-shot message signing or verification. The normal signing process (called Pure SLH-DSA Signature Generation) encodes the message internally as 0x00 || len(ctx) || ctx || message. @@ -43,8 +43,9 @@ the option to not encode the message. =head2 SLH-DSA Signature Parameters -The following parameter can be used for both signing and verification. -it may be set by passing an OSSL_PARAM array to L or +The C parameter, described below, can be used for both signing +and verification. +It may be set by passing an OSSL_PARAM array to L or L =over 4 diff --git a/include/crypto/x509.h b/include/crypto/x509.h index 3869cb4c36..6272fda578 100644 --- a/include/crypto/x509.h +++ b/include/crypto/x509.h @@ -364,45 +364,6 @@ ECX_KEY *ossl_d2i_X448_PUBKEY(ECX_KEY **a, int ossl_i2d_X448_PUBKEY(const ECX_KEY *a, unsigned char **pp); # endif /* OPENSSL_NO_EC */ -# ifndef OPENSSL_NO_SLH_DSA -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHA2_128S_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHA2_128F_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHA2_192S_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHA2_192F_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHA2_256S_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHA2_256F_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHAKE_128S_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHAKE_128F_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHAKE_192S_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHAKE_192F_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHAKE_256S_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -SLH_DSA_KEY *ossl_d2i_SLH_DSA_SHAKE_256F_PUBKEY(SLH_DSA_KEY **a, - const uint8_t **pp, long length); -int ossl_i2d_SLH_DSA_SHA2_128S_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -int ossl_i2d_SLH_DSA_SHA2_128F_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -int ossl_i2d_SLH_DSA_SHA2_192S_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -int ossl_i2d_SLH_DSA_SHA2_192F_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -int ossl_i2d_SLH_DSA_SHA2_256S_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -int ossl_i2d_SLH_DSA_SHA2_256F_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -int ossl_i2d_SLH_DSA_SHAKE_128S_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -int ossl_i2d_SLH_DSA_SHAKE_128F_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -int ossl_i2d_SLH_DSA_SHAKE_192S_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -int ossl_i2d_SLH_DSA_SHAKE_192F_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -int ossl_i2d_SLH_DSA_SHAKE_256S_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -int ossl_i2d_SLH_DSA_SHAKE_256F_PUBKEY(const SLH_DSA_KEY *a, uint8_t **pp); -# endif /* OPENSSL_NO_SLH_DSA */ - EVP_PKEY *ossl_d2i_PUBKEY_legacy(EVP_PKEY **a, const unsigned char **pp, long length); int ossl_x509_check_private_key(const EVP_PKEY *k, const EVP_PKEY *pkey); diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 7fe74585b4..c9c0357f3e 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -697,7 +697,7 @@ static ossl_inline void *slh_dsa_d2i_PUBKEY(const uint8_t **der, long der_len, /*- * The DER ASN.1 encoding of SLH-DSA public keys prepends 18 bytes to the - * encoded public key (since the large public key size is 64 bytes): + * encoded public key (since the largest public key size is 64 bytes): * * - 2 byte outer sequence tag and length * - 2 byte algorithm sequence tag and length diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index 42fd74dc65..6763535b67 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -1026,7 +1026,8 @@ static int rsa_check_key_type(const void *rsa, int expected_type) #ifndef OPENSSL_NO_SLH_DSA # define prepare_slh_dsa_params NULL -static int slh_dsa_spki_pub_to_der(const void *vkey, unsigned char **pder) +static int slh_dsa_spki_pub_to_der(const void *vkey, unsigned char **pder, + ossl_unused void *ctx) { const SLH_DSA_KEY *key = vkey; uint8_t *key_blob; @@ -1045,7 +1046,8 @@ static int slh_dsa_spki_pub_to_der(const void *vkey, unsigned char **pder) return key_len; } -static int slh_dsa_pki_priv_to_der(const void *vkey, unsigned char **pder) +static int slh_dsa_pki_priv_to_der(const void *vkey, unsigned char **pder, + ossl_unused void *ctx) { const SLH_DSA_KEY *key = vkey; size_t len; @@ -1596,78 +1598,78 @@ MAKE_ENCODER(x448, ecx, SubjectPublicKeyInfo, pem); # endif #endif #ifndef OPENSSL_NO_SLH_DSA -MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128S, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128F, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192S, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192F, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256S, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256F, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128S, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128F, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192S, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192F, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256S, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256F, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128S, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128F, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192S, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192F, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256S, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256F, EncryptedPrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128S, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128F, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192S, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192F, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256S, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256F, EncryptedPrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128S, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128F, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192S, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192F, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256S, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256F, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128S, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128F, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192S, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192F, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256S, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256F, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128S, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128F, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192S, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192F, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256S, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256F, PrivateKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128S, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128F, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192S, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192F, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256S, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256F, PrivateKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128S, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128F, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192S, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192F, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256S, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256F, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128S, SubjectPublicKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_128F, SubjectPublicKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192S, SubjectPublicKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_192F, SubjectPublicKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256S, SubjectPublicKeyInfo, pem); -MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHA2_256F, SubjectPublicKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128S, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128F, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192S, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192F, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256S, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256F, SubjectPublicKeyInfo, der); -MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128S, SubjectPublicKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_128F, SubjectPublicKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192S, SubjectPublicKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_192F, SubjectPublicKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256S, SubjectPublicKeyInfo, pem); -MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, EVP_PKEY_SLH_DSA_SHAKE_256F, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, EncryptedPrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, PrivateKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, PrivateKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_sha2_128s, slh_dsa, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_128f, slh_dsa, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_192s, slh_dsa, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_192f, slh_dsa, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_256s, slh_dsa, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_sha2_256f, slh_dsa, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, SubjectPublicKeyInfo, der); +MAKE_ENCODER(slh_dsa_shake_128s, slh_dsa, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_128f, slh_dsa, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_192s, slh_dsa, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_192f, slh_dsa, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_256s, slh_dsa, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(slh_dsa_shake_256f, slh_dsa, SubjectPublicKeyInfo, pem); #endif /* OPENSSL_NO_SLH_DSA */ #ifndef OPENSSL_NO_ML_KEM