Update SLH-DSAto use EVP_PKEY_sign_message_init() instead of using the

prehashed variant.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)

doc/designs/slh-dsa.md

@@ -89,6 +89,15 @@ Currently I do not support the Pre Hash variant as this does not sit well with t
 OpenSSL API's. The user could do the encoding themselves and then set the settable
 to not encode the passed in message.
 
+Signing API
+-------------
+
+As only the one shot implementation is required and the message is not digested
+the API's used should be
+
+EVP_PKEY_sign_message_init(), EVP_PKEY_sign(),
+EVP_PKEY_verify_message_init(), EVP_PKEY_verify().
+
 Buffers
 -------
 
@@ -97,3 +106,12 @@ various sizes which are often updated in loops in parts, all of these sizes
 are known quantities. Currently there is no attempt to use wpacket to pass
 around these sizes. asserts are currently done by the child functions to check
 that the expected size does not exceed the size passed in by the parent.
+
+Constant Time Considerations
+----------------------------
+
+As the security of SLH-DSA depends only on hash functions, I do not foresee
+there being any constant time issues. Some if statements have been added to
+detect failures in hash operations, and these errors are propagated all the way
+up the function call stack. These errors should not happen in general so should
+not affect the security of the algorithms.

doc/man7/EVP_SIGNATURE-SLH-DSA.pod

@@ -29,8 +29,8 @@ FIPS 205 Section 11 Table 2.
 3 different security categories also depending on the type.
 
 L<EVP_SIGNATURE_fetch(3)> can be used to explicitely fetch one of the 12
-algorithms which can then be used with L<EVP_PKEY_sign_init_ex2(3)>,
-L<EVP_PKEY_sign(3)>, L<EVP_PKEY_verify_init_ex2(3)>, and
+algorithms which can then be used with L<EVP_PKEY_sign_message_init(3)>,
+L<EVP_PKEY_sign(3)>, L<EVP_PKEY_verify_message_init(3)>, and
 L<EVP_PKEY_verify(3)> to sign or verify one-shot messages.
 
 The normal signing process (called Pure SLH-DSA Signature Generation)
@@ -96,7 +96,7 @@ To sign a message using an SLH-DSA EVP_PKEY structure:
         EVP_PKEY_CTX *sctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL);
         EVP_SIGNATURE *sig_alg = EVP_SIGNATURE_fetch(NULL, "SLH-DSA-SHA2-128s", NULL);
 
-        EVP_PKEY_sign_init_ex2(sctx, sig_alg, params);
+        EVP_PKEY_sign_message_init(sctx, sig_alg, params);
         /* Calculate the required size for the signature by passing a NULL buffer. */
         EVP_PKEY_sign(sctx, NULL, &sig_len, msg, msg_len);
         sig = OPENSSL_zalloc(sig_len);

providers/implementations/signature/slh_dsa_sig.c

@@ -24,9 +24,9 @@
 #define SLH_DSA_MESSAGE_ENCODE_RAW  0
 #define SLH_DSA_MESSAGE_ENCODE_PURE 1
 
-static OSSL_FUNC_signature_sign_init_fn slh_sign_init;
+static OSSL_FUNC_signature_sign_message_init_fn slh_sign_msg_init;
 static OSSL_FUNC_signature_sign_fn slh_sign;
-static OSSL_FUNC_signature_verify_init_fn slh_verify_init;
+static OSSL_FUNC_signature_verify_message_init_fn slh_verify_msg_init;
 static OSSL_FUNC_signature_verify_fn slh_verify;
 static OSSL_FUNC_signature_freectx_fn slh_freectx;
 static OSSL_FUNC_signature_set_ctx_params_fn slh_set_ctx_params;
@@ -81,9 +81,9 @@ static void *slh_newctx(void *provctx, const char *alg, const char *propq)
     return NULL;
 }
 
-static int slh_signverify_init(void *vctx, void *vkey,
-                               const OSSL_PARAM params[], int operation,
-                               const char *desc)
+static int slh_signverify_msg_init(void *vctx, void *vkey,
+                                   const OSSL_PARAM params[], int operation,
+                                   const char *desc)
 {
     PROV_SLH_DSA_CTX *ctx = (PROV_SLH_DSA_CTX *)vctx;
     SLH_DSA_KEY *key = vkey;
@@ -111,10 +111,10 @@ static int slh_signverify_init(void *vctx, void *vkey,
     return 1;
 }
 
-static int slh_sign_init(void *vctx, void *vkey, const OSSL_PARAM params[])
+static int slh_sign_msg_init(void *vctx, void *vkey, const OSSL_PARAM params[])
 {
-    return slh_signverify_init(vctx, vkey, params,
-                               EVP_PKEY_OP_SIGN, "SLH_DSA Sign Init");
+    return slh_signverify_msg_init(vctx, vkey, params,
+                                   EVP_PKEY_OP_SIGN, "SLH_DSA Sign Init");
 }
 
 static int slh_sign(void *vctx, unsigned char *sig, size_t *siglen,
@@ -147,11 +147,11 @@ static int slh_sign(void *vctx, unsigned char *sig, size_t *siglen,
     return ret;
 }
 
-static int slh_verify_init(void *vctx, void *vkey,
+static int slh_verify_msg_init(void *vctx, void *vkey,
                            const OSSL_PARAM params[])
 {
-    return slh_signverify_init(vctx, vkey, params, EVP_PKEY_OP_VERIFY,
-                               "SLH_DSA Verify Init");
+    return slh_signverify_msg_init(vctx, vkey, params, EVP_PKEY_OP_VERIFY,
+                                   "SLH_DSA Verify Init");
 }
 
 static int slh_verify(void *vctx,
@@ -233,9 +233,11 @@ static void *slh_##fn##_newctx(void *provctx, const char *propq)               \
 }                                                                              \
 const OSSL_DISPATCH ossl_slh_dsa_##fn##_signature_functions[] = {              \
     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))slh_##fn##_newctx },         \
-    { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))slh_sign_init },          \
+    { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT,                                   \
+      (void (*)(void))slh_sign_msg_init },                                     \
     { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))slh_sign },                    \
-    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))slh_verify_init },      \
+    { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT,                                 \
+      (void (*)(void))slh_verify_msg_init },                                   \
     { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))slh_verify },                \
     { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))slh_freectx },              \
     { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))slh_set_ctx_params },\

test/slh_dsa_test.c

@@ -187,7 +187,7 @@ static int do_slh_dsa_verify(const SLH_DSA_SIG_TEST_DATA *td,
         goto err;
     if (!TEST_ptr(sig_alg = EVP_SIGNATURE_fetch(lib_ctx, td->alg, NULL)))
         goto err;
-    if (!TEST_int_eq(EVP_PKEY_verify_init_ex2(vctx, sig_alg, params), 1)
+    if (!TEST_int_eq(EVP_PKEY_verify_message_init(vctx, sig_alg, params), 1)
             || !TEST_int_eq(EVP_PKEY_verify(vctx, sig, sig_len,
                                             td->msg, td->msg_len), 1))
         goto err;
@@ -233,7 +233,7 @@ static int slh_dsa_sign_verify_test(int tst_id)
         goto err;
     if (!TEST_ptr(sig_alg = EVP_SIGNATURE_fetch(lib_ctx, td->alg, NULL)))
         goto err;
-    if (!TEST_int_eq(EVP_PKEY_sign_init_ex2(sctx, sig_alg, params), 1)
+    if (!TEST_int_eq(EVP_PKEY_sign_message_init(sctx, sig_alg, params), 1)
             || !TEST_int_eq(EVP_PKEY_sign(sctx, NULL, &psig_len,
                                           td->msg, td->msg_len), 1)
             || !TEST_true(EVP_PKEY_get_size_t_param(pkey, OSSL_PKEY_PARAM_MAX_SIZE,