1 /* Copyright (c) 2024, Google LLC
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #ifndef OPENSSL_HEADER_CRYPTO_SLHDSA_ADDRESS_H
16 #define OPENSSL_HEADER_CRYPTO_SLHDSA_ADDRESS_H
17
18 #include <openssl/mem.h>
19
20 #include "../internal.h"
21
22 #if defined(__cplusplus)
23 extern "C" {
24 #endif
25
26
27 // Offsets of various fields in the address structure for SLH-DSA-SHA2-128s.
28
29 // The byte used to specify the Merkle tree layer.
30 #define SLHDSA_SHA2_128S_OFFSET_LAYER 0
31
32 // The start of the 8 byte field used to specify the tree.
33 #define SLHDSA_SHA2_128S_OFFSET_TREE 1
34
35 // The byte used to specify the hash type (reason).
36 #define SLHDSA_SHA2_128S_OFFSET_TYPE 9
37
38 // The high byte used to specify the key pair (which one-time signature).
39 #define SLHDSA_SHA2_128S_OFFSET_KP_ADDR2 12
40
41 // The low byte used to specific the key pair.
42 #define SLHDSA_SHA2_128S_OFFSET_KP_ADDR1 13
43
44 // The byte used to specify the chain address (which Winternitz chain).
45 #define SLHDSA_SHA2_128S_OFFSET_CHAIN_ADDR 17
46
47 // The byte used to specify the hash address (where in the Winternitz chain).
48 #define SLHDSA_SHA2_128S_OFFSET_HASH_ADDR 21
49
50 // The byte used to specify the height of this node in the FORS or Merkle tree.
51 #define SLHDSA_SHA2_128S_OFFSET_TREE_HGT 17
52
53 // The start of the 4 byte field used to specify the node in the FORS or Merkle
54 // tree.
55 #define SLHDSA_SHA2_128S_OFFSET_TREE_INDEX 18
56
57
slhdsa_set_chain_addr(uint8_t addr[32],uint32_t chain)58 OPENSSL_INLINE void slhdsa_set_chain_addr(uint8_t addr[32], uint32_t chain) {
59 addr[SLHDSA_SHA2_128S_OFFSET_CHAIN_ADDR] = (uint8_t)chain;
60 }
61
slhdsa_set_hash_addr(uint8_t addr[32],uint32_t hash)62 OPENSSL_INLINE void slhdsa_set_hash_addr(uint8_t addr[32], uint32_t hash) {
63 addr[SLHDSA_SHA2_128S_OFFSET_HASH_ADDR] = (uint8_t)hash;
64 }
65
slhdsa_set_keypair_addr(uint8_t addr[32],uint32_t keypair)66 OPENSSL_INLINE void slhdsa_set_keypair_addr(uint8_t addr[32],
67 uint32_t keypair) {
68 addr[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2] = (uint8_t)(keypair >> 8);
69 addr[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1] = (uint8_t)keypair;
70 }
71
slhdsa_copy_keypair_addr(uint8_t out[32],const uint8_t in[32])72 OPENSSL_INLINE void slhdsa_copy_keypair_addr(uint8_t out[32],
73 const uint8_t in[32]) {
74 OPENSSL_memcpy(out, in, SLHDSA_SHA2_128S_OFFSET_TREE + 8);
75 out[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2] = in[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2];
76 out[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1] = in[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1];
77 }
78
slhdsa_set_layer_addr(uint8_t addr[32],uint32_t layer)79 OPENSSL_INLINE void slhdsa_set_layer_addr(uint8_t addr[32], uint32_t layer) {
80 addr[SLHDSA_SHA2_128S_OFFSET_LAYER] = (uint8_t)layer;
81 }
82
slhdsa_set_tree_addr(uint8_t addr[32],uint64_t tree)83 OPENSSL_INLINE void slhdsa_set_tree_addr(uint8_t addr[32], uint64_t tree) {
84 CRYPTO_store_u64_be(&addr[SLHDSA_SHA2_128S_OFFSET_TREE], tree);
85 }
86
87 #define SLHDSA_SHA2_128S_ADDR_TYPE_WOTS 0
88 #define SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPK 1
89 #define SLHDSA_SHA2_128S_ADDR_TYPE_HASHTREE 2
90 #define SLHDSA_SHA2_128S_ADDR_TYPE_FORSTREE 3
91 #define SLHDSA_SHA2_128S_ADDR_TYPE_FORSPK 4
92 #define SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPRF 5
93 #define SLHDSA_SHA2_128S_ADDR_TYPE_FORSPRF 6
94
slhdsa_set_type(uint8_t addr[32],uint32_t type)95 OPENSSL_INLINE void slhdsa_set_type(uint8_t addr[32], uint32_t type) {
96 // FIPS 205 relies on this setting parts of the address to 0, so we do it
97 // here to avoid confusion.
98 //
99 // The behavior here is only correct for the SHA-2 instantiations.
100 OPENSSL_memset(addr + 10, 0, 12);
101 addr[SLHDSA_SHA2_128S_OFFSET_TYPE] = (uint8_t)type;
102 }
103
slhdsa_set_tree_height(uint8_t addr[32],uint32_t tree_height)104 OPENSSL_INLINE void slhdsa_set_tree_height(uint8_t addr[32],
105 uint32_t tree_height) {
106 addr[SLHDSA_SHA2_128S_OFFSET_TREE_HGT] = (uint8_t)tree_height;
107 }
108
slhdsa_set_tree_index(uint8_t addr[32],uint32_t tree_index)109 OPENSSL_INLINE void slhdsa_set_tree_index(uint8_t addr[32],
110 uint32_t tree_index) {
111 CRYPTO_store_u32_be(&addr[SLHDSA_SHA2_128S_OFFSET_TREE_INDEX], tree_index);
112 }
113
slhdsa_get_tree_index(uint8_t addr[32])114 OPENSSL_INLINE uint32_t slhdsa_get_tree_index(uint8_t addr[32]) {
115 return CRYPTO_load_u32_be(addr + SLHDSA_SHA2_128S_OFFSET_TREE_INDEX);
116 }
117
118
119 #if defined(__cplusplus)
120 } // extern C
121 #endif
122
123 #endif // OPENSSL_HEADER_CRYPTO_SLHDSA_ADDRESS_H
124