Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssl/providers/implementations/keymgmt/ml_kem_kmgmt.c
109501 views
1
/*

2
 * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.

3
 *

4
 * Licensed under the Apache License 2.0 (the "License").  You may not use

5
 * this file except in compliance with the License.  You can obtain a copy

6
 * in the file LICENSE in the source distribution or at

7
 * https://www.openssl.org/source/license.html

8
 */

9


10
#include <openssl/core_dispatch.h>

11
#include <openssl/core_names.h>

12
#include <openssl/params.h>

13
#include <openssl/err.h>

14
#include <openssl/proverr.h>

15
#include <openssl/provider.h>

16
#include <openssl/rand.h>

17
#include <openssl/self_test.h>

18
#include <openssl/param_build.h>

19
#include "crypto/ml_kem.h"

20
#include "internal/fips.h"

21
#include "internal/param_build_set.h"

22
#include "prov/implementations.h"

23
#include "prov/providercommon.h"

24
#include "prov/provider_ctx.h"

25
#include "prov/securitycheck.h"

26
#include "prov/ml_kem.h"

27


28
static OSSL_FUNC_keymgmt_new_fn ml_kem_512_new;

29
static OSSL_FUNC_keymgmt_new_fn ml_kem_768_new;

30
static OSSL_FUNC_keymgmt_new_fn ml_kem_1024_new;

31
static OSSL_FUNC_keymgmt_gen_fn ml_kem_gen;

32
static OSSL_FUNC_keymgmt_gen_init_fn ml_kem_512_gen_init;

33
static OSSL_FUNC_keymgmt_gen_init_fn ml_kem_768_gen_init;

34
static OSSL_FUNC_keymgmt_gen_init_fn ml_kem_1024_gen_init;

35
static OSSL_FUNC_keymgmt_gen_cleanup_fn ml_kem_gen_cleanup;

36
static OSSL_FUNC_keymgmt_gen_set_params_fn ml_kem_gen_set_params;

37
static OSSL_FUNC_keymgmt_gen_settable_params_fn ml_kem_gen_settable_params;

38
#ifndef FIPS_MODULE

39
static OSSL_FUNC_keymgmt_load_fn ml_kem_load;

40
#endif

41
static OSSL_FUNC_keymgmt_get_params_fn ml_kem_get_params;

42
static OSSL_FUNC_keymgmt_gettable_params_fn ml_kem_gettable_params;

43
static OSSL_FUNC_keymgmt_set_params_fn ml_kem_set_params;

44
static OSSL_FUNC_keymgmt_settable_params_fn ml_kem_settable_params;

45
static OSSL_FUNC_keymgmt_has_fn ml_kem_has;

46
static OSSL_FUNC_keymgmt_match_fn ml_kem_match;

47
static OSSL_FUNC_keymgmt_validate_fn ml_kem_validate;

48
static OSSL_FUNC_keymgmt_import_fn ml_kem_import;

49
static OSSL_FUNC_keymgmt_export_fn ml_kem_export;

50
static OSSL_FUNC_keymgmt_import_types_fn ml_kem_imexport_types;

51
static OSSL_FUNC_keymgmt_export_types_fn ml_kem_imexport_types;

52
static OSSL_FUNC_keymgmt_dup_fn ml_kem_dup;

53


54
static const int minimal_selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS

55
    | OSSL_KEYMGMT_SELECT_PRIVATE_KEY;

56


57
typedef struct ml_kem_gen_ctx_st {

58
    PROV_CTX *provctx;

59
    char *propq;

60
    int selection;

61
    int evp_type;

62
    uint8_t seedbuf[ML_KEM_SEED_BYTES];

63
    uint8_t *seed;

64
} PROV_ML_KEM_GEN_CTX;

65


66
static int ml_kem_pairwise_test(const ML_KEM_KEY *key, int key_flags)

67
{

68
#ifdef FIPS_MODULE

69
    OSSL_SELF_TEST *st = NULL;

70
    OSSL_CALLBACK *cb = NULL;

71
    void *cbarg = NULL;

72
#endif

73
    unsigned char entropy[ML_KEM_RANDOM_BYTES];

74
    unsigned char secret[ML_KEM_SHARED_SECRET_BYTES];

75
    unsigned char out[ML_KEM_SHARED_SECRET_BYTES];

76
    unsigned char *ctext = NULL;

77
    const ML_KEM_VINFO *v = ossl_ml_kem_key_vinfo(key);

78
    int operation_result = 0;

79
    int ret = 0;

80


81
    /* Unless we have both a public and private key, we can't do the test */

82
    if (!ossl_ml_kem_have_prvkey(key)

83
        || !ossl_ml_kem_have_pubkey(key)

84
        || (key_flags & ML_KEM_KEY_PCT_TYPE) == 0)

85
        return 1;

86
#ifdef FIPS_MODULE

87
    /* During self test, it is a waste to do this test */

88
    if (ossl_fips_self_testing())

89
        return 1;

90


91
    /*

92
     * The functions `OSSL_SELF_TEST_*` will return directly if parameter `st`

93
     * is NULL.

94
     */

95
    OSSL_SELF_TEST_get_callback(key->libctx, &cb, &cbarg);

96


97
    st = OSSL_SELF_TEST_new(cb, cbarg);

98
    if (st == NULL)

99
        return 0;

100


101
    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,

102
        OSSL_SELF_TEST_DESC_PCT_ML_KEM);

103
#endif /* FIPS_MODULE */

104


105
    ctext = OPENSSL_malloc(v->ctext_bytes);

106
    if (ctext == NULL)

107
        goto err;

108


109
    memset(out, 0, sizeof(out));

110


111
    /*

112
     * The pairwise test is skipped unless either RANDOM or FIXED entropy PCTs

113
     * are enabled.

114
     */

115
    if (key_flags & ML_KEM_KEY_RANDOM_PCT) {

116
        operation_result = ossl_ml_kem_encap_rand(ctext, v->ctext_bytes,

117
            secret, sizeof(secret), key);

118
    } else {

119
        memset(entropy, 0125, sizeof(entropy));

120
        operation_result = ossl_ml_kem_encap_seed(ctext, v->ctext_bytes,

121
            secret, sizeof(secret),

122
            entropy, sizeof(entropy),

123
            key);

124
    }

125
    if (operation_result != 1)

126
        goto err;

127


128
#ifdef FIPS_MODULE

129
    OSSL_SELF_TEST_oncorrupt_byte(st, ctext);

130
#endif

131


132
    operation_result = ossl_ml_kem_decap(out, sizeof(out), ctext, v->ctext_bytes,

133
        key);

134
    if (operation_result != 1 || memcmp(out, secret, sizeof(out)) != 0)

135
        goto err;

136


137
    ret = 1;

138
err:

139
#ifdef FIPS_MODULE

140
    OSSL_SELF_TEST_onend(st, ret);

141
    OSSL_SELF_TEST_free(st);

142
#else

143
    if (ret == 0) {

144
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,

145
            "public part of %s private key fails to match private",

146
            v->algorithm_name);

147
    }

148
#endif

149
    OPENSSL_free(ctext);

150
    return ret;

151
}

152


153
ML_KEM_KEY *ossl_prov_ml_kem_new(PROV_CTX *ctx, const char *propq, int evp_type)

154
{

155
    ML_KEM_KEY *key;

156


157
    if (!ossl_prov_is_running())

158
        return NULL;

159
    /*

160
     * When decoding, if the key ends up "loaded" into the same provider, these

161
     * are the correct config settings, otherwise, new values will be assigned

162
     * on import into a different provider.  The "load" API does not pass along

163
     * the provider context.

164
     */

165
    if ((key = ossl_ml_kem_key_new(PROV_LIBCTX_OF(ctx), propq, evp_type)) != NULL) {

166
        const char *pct_type = ossl_prov_ctx_get_param(

167
            ctx, OSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE, "random");

168


169
        if (ossl_prov_ctx_get_bool_param(

170
                ctx, OSSL_PKEY_PARAM_ML_KEM_RETAIN_SEED, 1))

171
            key->prov_flags |= ML_KEM_KEY_RETAIN_SEED;

172
        else

173
            key->prov_flags &= ~ML_KEM_KEY_RETAIN_SEED;

174
        if (ossl_prov_ctx_get_bool_param(

175
                ctx, OSSL_PKEY_PARAM_ML_KEM_PREFER_SEED, 1))

176
            key->prov_flags |= ML_KEM_KEY_PREFER_SEED;

177
        else

178
            key->prov_flags &= ~ML_KEM_KEY_PREFER_SEED;

179
        if (OPENSSL_strcasecmp(pct_type, "random") == 0)

180
            key->prov_flags |= ML_KEM_KEY_RANDOM_PCT;

181
        else if (OPENSSL_strcasecmp(pct_type, "fixed") == 0)

182
            key->prov_flags |= ML_KEM_KEY_FIXED_PCT;

183
        else

184
            key->prov_flags &= ~ML_KEM_KEY_PCT_TYPE;

185
    }

186
    return key;

187
}

188


189
static int ml_kem_has(const void *vkey, int selection)

190
{

191
    const ML_KEM_KEY *key = vkey;

192


193
    /* A NULL key MUST fail to have anything */

194
    if (!ossl_prov_is_running() || key == NULL)

195
        return 0;

196


197
    switch (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) {

198
    case 0:

199
        return 1;

200
    case OSSL_KEYMGMT_SELECT_PUBLIC_KEY:

201
        return ossl_ml_kem_have_pubkey(key);

202
    default:

203
        return ossl_ml_kem_have_prvkey(key);

204
    }

205
}

206


207
static int ml_kem_match(const void *vkey1, const void *vkey2, int selection)

208
{

209
    const ML_KEM_KEY *key1 = vkey1;

210
    const ML_KEM_KEY *key2 = vkey2;

211


212
    if (!ossl_prov_is_running())

213
        return 0;

214


215
    /* All we have that can be compared is key material */

216
    if (!(selection & OSSL_KEYMGMT_SELECT_KEYPAIR))

217
        return 1;

218


219
    return ossl_ml_kem_pubkey_cmp(key1, key2);

220
}

221


222
static int ml_kem_validate(const void *vkey, int selection, int check_type)

223
{

224
    const ML_KEM_KEY *key = vkey;

225


226
    if (!ml_kem_has(key, selection))

227
        return 0;

228


229
    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR)

230
        return ml_kem_pairwise_test(key, ML_KEM_KEY_RANDOM_PCT);

231
    return 1;

232
}

233


234
static int ml_kem_export(void *vkey, int selection, OSSL_CALLBACK *param_cb,

235
    void *cbarg)

236
{

237
    ML_KEM_KEY *key = vkey;

238
    OSSL_PARAM_BLD *tmpl = NULL;

239
    OSSL_PARAM *params = NULL;

240
    const ML_KEM_VINFO *v;

241
    uint8_t *pubenc = NULL, *prvenc = NULL, *seedenc = NULL;

242
    size_t prvlen = 0, seedlen = 0;

243
    int ret = 0;

244


245
    if (!ossl_prov_is_running() || key == NULL)

246
        return 0;

247


248
    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)

249
        return 0;

250


251
    v = ossl_ml_kem_key_vinfo(key);

252
    if (!ossl_ml_kem_have_pubkey(key)) {

253
        /* Fail when no key material can be returned */

254
        if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) == 0

255
            || !ossl_ml_kem_decoded_key(key)) {

256
            ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);

257
            return 0;

258
        }

259
    } else if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {

260
        pubenc = OPENSSL_malloc(v->pubkey_bytes);

261
        if (pubenc == NULL

262
            || !ossl_ml_kem_encode_public_key(pubenc, v->pubkey_bytes, key))

263
            goto err;

264
    }

265


266
    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {

267
        /*

268
         * The seed and/or private key material are allocated on the secure

269
         * heap if configured, ossl_param_build_set_octet_string(), will then

270
         * also use the secure heap.

271
         */

272
        if (ossl_ml_kem_have_seed(key)) {

273
            seedlen = ML_KEM_SEED_BYTES;

274
            if ((seedenc = OPENSSL_secure_zalloc(seedlen)) == NULL

275
                || !ossl_ml_kem_encode_seed(seedenc, seedlen, key))

276
                goto err;

277
        }

278
        if (ossl_ml_kem_have_prvkey(key)) {

279
            prvlen = v->prvkey_bytes;

280
            if ((prvenc = OPENSSL_secure_zalloc(prvlen)) == NULL

281
                || !ossl_ml_kem_encode_private_key(prvenc, prvlen, key))

282
                goto err;

283
        } else if (ossl_ml_kem_have_dkenc(key)) {

284
            prvlen = v->prvkey_bytes;

285
            if ((prvenc = OPENSSL_secure_zalloc(prvlen)) == NULL)

286
                goto err;

287
            memcpy(prvenc, key->encoded_dk, prvlen);

288
        }

289
    }

290


291
    tmpl = OSSL_PARAM_BLD_new();

292
    if (tmpl == NULL)

293
        goto err;

294


295
    /* The (d, z) seed, when available and private keys are requested. */

296
    if (seedenc != NULL

297
        && !ossl_param_build_set_octet_string(

298
            tmpl, params, OSSL_PKEY_PARAM_ML_KEM_SEED, seedenc, seedlen))

299
        goto err;

300


301
    /* The private key in the FIPS 203 |dk| format, when requested. */

302
    if (prvenc != NULL

303
        && !ossl_param_build_set_octet_string(

304
            tmpl, params, OSSL_PKEY_PARAM_PRIV_KEY, prvenc, prvlen))

305
        goto err;

306


307
    /* The public key on request; it is always available when either is */

308
    if (pubenc != NULL

309
        && !ossl_param_build_set_octet_string(

310
            tmpl, params, OSSL_PKEY_PARAM_PUB_KEY, pubenc, v->pubkey_bytes))

311
        goto err;

312


313
    params = OSSL_PARAM_BLD_to_param(tmpl);

314
    if (params == NULL)

315
        goto err;

316


317
    ret = param_cb(params, cbarg);

318
    OSSL_PARAM_free(params);

319


320
err:

321
    OSSL_PARAM_BLD_free(tmpl);

322
    OPENSSL_secure_clear_free(seedenc, seedlen);

323
    OPENSSL_secure_clear_free(prvenc, prvlen);

324
    OPENSSL_free(pubenc);

325
    return ret;

326
}

327


328
static const OSSL_PARAM *ml_kem_imexport_types(int selection)

329
{

330
    static const OSSL_PARAM key_types[] = {

331
        OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ML_KEM_SEED, NULL, 0),

332
        OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0),

333
        OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0),

334
        OSSL_PARAM_END

335
    };

336


337
    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)

338
        return key_types;

339
    return NULL;

340
}

341


342
static int check_seed(const uint8_t *seed, const uint8_t *prvenc,

343
    ML_KEM_KEY *key)

344
{

345
    size_t zlen = ML_KEM_RANDOM_BYTES;

346


347
    if (memcmp(seed + ML_KEM_SEED_BYTES - zlen,

348
            prvenc + key->vinfo->prvkey_bytes - zlen, zlen)

349
        == 0)

350
        return 1;

351
    ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,

352
        "private %s key implicit rejection secret does"

353
        " not match seed",

354
        key->vinfo->algorithm_name);

355
    return 0;

356
}

357


358
static int check_prvenc(const uint8_t *prvenc, ML_KEM_KEY *key)

359
{

360
    size_t len = key->vinfo->prvkey_bytes;

361
    uint8_t *buf = OPENSSL_malloc(len);

362
    int ret = 0;

363


364
    if (buf != NULL

365
        && ossl_ml_kem_encode_private_key(buf, len, key))

366
        ret = memcmp(buf, prvenc, len) == 0;

367
    OPENSSL_clear_free(buf, len);

368
    if (ret)

369
        return 1;

370


371
    if (buf != NULL)

372
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,

373
            "explicit %s private key does not match seed",

374
            key->vinfo->algorithm_name);

375
    ossl_ml_kem_key_reset(key);

376
    return 0;

377
}

378


379
static int ml_kem_key_fromdata(ML_KEM_KEY *key,

380
    const OSSL_PARAM params[],

381
    int include_private)

382
{

383
    const OSSL_PARAM *p = NULL;

384
    const void *pubenc = NULL, *prvenc = NULL, *seedenc = NULL;

385
    size_t publen = 0, prvlen = 0, seedlen = 0, puboff;

386
    const ML_KEM_VINFO *v;

387


388
    /* Invalid attempt to mutate a key, what is the right error to report? */

389
    if (key == NULL || ossl_ml_kem_have_pubkey(key))

390
        return 0;

391
    v = ossl_ml_kem_key_vinfo(key);

392


393
    /*

394
     * When a private key is provided, without a seed, any public key also

395
     * provided will be ignored (apart from length), just as with the seed.

396
     */

397
    if (include_private) {

398
        /*

399
         * When a seed is provided, the private and public keys may be ignored,

400
         * after validating just their lengths.  Comparing encodings or hashes

401
         * when applicable is possible, but not currently implemented.

402
         */

403
        p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ML_KEM_SEED);

404
        if (p != NULL

405
            && OSSL_PARAM_get_octet_string_ptr(p, &seedenc, &seedlen) != 1)

406
            return 0;

407
        if (seedlen != 0 && seedlen != ML_KEM_SEED_BYTES) {

408
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SEED_LENGTH);

409
            return 0;

410
        }

411
        p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);

412
        if (p != NULL

413
            && OSSL_PARAM_get_octet_string_ptr(p, &prvenc, &prvlen) != 1)

414
            return 0;

415
        if (prvlen != 0 && prvlen != v->prvkey_bytes) {

416
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);

417
            return 0;

418
        }

419
    }

420


421
    /* Used only when no seed or private key is provided. */

422
    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);

423
    if (p != NULL

424
        && OSSL_PARAM_get_octet_string_ptr(p, &pubenc, &publen) != 1)

425
        return 0;

426
    if (publen != 0 && publen != v->pubkey_bytes) {

427
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);

428
        return 0;

429
    }

430


431
    /* The caller MUST specify at least one of seed, private or public keys. */

432
    if (seedlen == 0 && publen == 0 && prvlen == 0) {

433
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);

434
        return 0;

435
    }

436


437
    /* Check any explicit public key against embedded value in private key */

438
    if (publen > 0 && prvlen > 0) {

439
        /* point to the ek offset in dk = DKpke||ek||H(ek)||z */

440
        puboff = prvlen - ML_KEM_RANDOM_BYTES - ML_KEM_PKHASH_BYTES - publen;

441
        if (memcmp(pubenc, (unsigned char *)prvenc + puboff, publen) != 0) {

442
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,

443
                "explicit %s public key does not match private",

444
                v->algorithm_name);

445
            return 0;

446
        }

447
    }

448


449
    if (seedlen != 0

450
        && (prvlen == 0 || (key->prov_flags & ML_KEM_KEY_PREFER_SEED))) {

451
        if (prvlen != 0 && !check_seed(seedenc, prvenc, key))

452
            return 0;

453
        if (!ossl_ml_kem_set_seed(seedenc, seedlen, key)

454
            || !ossl_ml_kem_genkey(NULL, 0, key))

455
            return 0;

456
        return prvlen == 0 || check_prvenc(prvenc, key);

457
    } else if (prvlen != 0) {

458
        return ossl_ml_kem_parse_private_key(prvenc, prvlen, key);

459
    }

460
    return ossl_ml_kem_parse_public_key(pubenc, publen, key);

461
}

462


463
static int ml_kem_import(void *vkey, int selection, const OSSL_PARAM params[])

464
{

465
    ML_KEM_KEY *key = vkey;

466
    int include_private;

467
    int res;

468


469
    if (!ossl_prov_is_running() || key == NULL)

470
        return 0;

471


472
    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)

473
        return 0;

474


475
    include_private = selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;

476
    res = ml_kem_key_fromdata(key, params, include_private);

477
    if (res > 0 && include_private

478
        && !ml_kem_pairwise_test(key, key->prov_flags)) {

479
#ifdef FIPS_MODULE

480
        ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);

481
#endif

482
        ossl_ml_kem_key_reset(key);

483
        res = 0;

484
    }

485
    return res;

486
}

487


488
static const OSSL_PARAM *ml_kem_gettable_params(void *provctx)

489
{

490
    static const OSSL_PARAM arr[] = {

491
        OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),

492
        OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),

493
        OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),

494
        /* Exported for import */

495
        OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ML_KEM_SEED, NULL, 0),

496
        /* Exported to EVP_PKEY_get_raw_private_key() */

497
        OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0),

498
        /* Exported to EVP_PKEY_get_raw_public_key() */

499
        OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0),

500
        /* Needed by EVP_PKEY_get1_encoded_public_key() */

501
        OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),

502
        OSSL_PARAM_END

503
    };

504


505
    return arr;

506
}

507


508
#ifndef FIPS_MODULE

509
static void *ml_kem_load(const void *reference, size_t reference_sz)

510
{

511
    ML_KEM_KEY *key = NULL;

512
    uint8_t *encoded_dk = NULL;

513
    uint8_t seed[ML_KEM_SEED_BYTES];

514


515
    if (ossl_prov_is_running() && reference_sz == sizeof(key)) {

516
        /* The contents of the reference is the address to our object */

517
        key = *(ML_KEM_KEY **)reference;

518
        encoded_dk = key->encoded_dk;

519
        key->encoded_dk = NULL;

520
        /* We grabbed, so we detach it */

521
        *(ML_KEM_KEY **)reference = NULL;

522
        if (encoded_dk != NULL

523
            && ossl_ml_kem_encode_seed(seed, sizeof(seed), key)

524
            && !check_seed(seed, encoded_dk, key))

525
            goto err;

526
        /* Generate the key now, if it holds only a stashed seed. */

527
        if (ossl_ml_kem_have_seed(key)

528
            && (encoded_dk == NULL

529
                || (key->prov_flags & ML_KEM_KEY_PREFER_SEED))) {

530
            if (!ossl_ml_kem_genkey(NULL, 0, key)

531
                || (encoded_dk != NULL && !check_prvenc(encoded_dk, key)))

532
                goto err;

533
        } else if (encoded_dk != NULL) {

534
            if (!ossl_ml_kem_parse_private_key(encoded_dk,

535
                    key->vinfo->prvkey_bytes, key)) {

536
                ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,

537
                    "error parsing %s private key",

538
                    key->vinfo->algorithm_name);

539
                goto err;

540
            }

541
            if (!ml_kem_pairwise_test(key, key->prov_flags))

542
                goto err;

543
        }

544
        OPENSSL_free(encoded_dk);

545
        return key;

546
    }

547


548
err:

549
    OPENSSL_free(encoded_dk);

550
    ossl_ml_kem_key_free(key);

551
    return NULL;

552
}

553
#endif

554


555
/*

556
 * It is assumed the key is guaranteed non-NULL here, and is from this provider

557
 */

558
static int ml_kem_get_params(void *vkey, OSSL_PARAM params[])

559
{

560
    ML_KEM_KEY *key = vkey;

561
    const ML_KEM_VINFO *v = ossl_ml_kem_key_vinfo(key);

562
    OSSL_PARAM *p;

563
    const char *pubparams[] = {

564
        OSSL_PKEY_PARAM_PUB_KEY,

565
        OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY

566
    };

567
    int i;

568


569
    p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS);

570
    if (p != NULL)

571
        if (!OSSL_PARAM_set_int(p, v->bits))

572
            return 0;

573


574
    p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS);

575
    if (p != NULL)

576
        if (!OSSL_PARAM_set_int(p, v->secbits))

577
            return 0;

578


579
    p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE);

580
    if (p != NULL)

581
        if (!OSSL_PARAM_set_int(p, v->ctext_bytes))

582
            return 0;

583


584
    if (ossl_ml_kem_have_pubkey(key)) {

585
        uint8_t *pubenc = NULL;

586


587
        for (i = 0; i < 2; ++i) {

588
            p = OSSL_PARAM_locate(params, pubparams[i]);

589
            if (p == NULL)

590
                continue;

591
            if (p->data_type != OSSL_PARAM_OCTET_STRING)

592
                return 0;

593
            p->return_size = v->pubkey_bytes;

594
            if (p->data == NULL)

595
                continue;

596
            if (p->data_size < p->return_size)

597
                return 0;

598
            if (pubenc != NULL) {

599
                memcpy(p->data, pubenc, p->return_size);

600
                continue;

601
            }

602
            if (!ossl_ml_kem_encode_public_key(p->data, p->return_size, key))

603
                return 0;

604
            pubenc = p->data;

605
        }

606
    }

607


608
    p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_PRIV_KEY);

609
    if (p != NULL && ossl_ml_kem_have_prvkey(key)) {

610
        if (p->data_type != OSSL_PARAM_OCTET_STRING)

611
            return 0;

612
        p->return_size = v->prvkey_bytes;

613
        if (p->data != NULL) {

614
            if (p->data_size < p->return_size)

615
                return 0;

616
            if (!ossl_ml_kem_encode_private_key(p->data, p->return_size, key))

617
                return 0;

618
        }

619
    }

620


621
    p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_ML_KEM_SEED);

622
    if (p != NULL && ossl_ml_kem_have_seed(key)) {

623
        if (p->data_type != OSSL_PARAM_OCTET_STRING)

624
            return 0;

625
        p->return_size = ML_KEM_SEED_BYTES;

626
        if (p->data != NULL) {

627
            if (p->data_size < p->return_size)

628
                return 0;

629
            if (!ossl_ml_kem_encode_seed(p->data, p->return_size, key))

630
                return 0;

631
        }

632
    }

633


634
    return 1;

635
}

636


637
static const OSSL_PARAM *ml_kem_settable_params(void *provctx)

638
{

639
    static const OSSL_PARAM arr[] = {

640
        /* Used in TLS via EVP_PKEY_set1_encoded_public_key(). */

641
        OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),

642
        OSSL_PARAM_END

643
    };

644


645
    return arr;

646
}

647


648
static int ml_kem_set_params(void *vkey, const OSSL_PARAM params[])

649
{

650
    ML_KEM_KEY *key = vkey;

651
    const OSSL_PARAM *p;

652
    const void *pubenc = NULL;

653
    size_t publen = 0;

654


655
    if (ossl_param_is_empty(params))

656
        return 1;

657


658
    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);

659
    if (p != NULL

660
        && (OSSL_PARAM_get_octet_string_ptr(p, &pubenc, &publen) != 1

661
            || publen != key->vinfo->pubkey_bytes)) {

662
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);

663
        return 0;

664
    }

665


666
    if (publen == 0)

667
        return 1;

668


669
    /* Key mutation is reportedly generally not allowed */

670
    if (ossl_ml_kem_have_pubkey(key)) {

671
        ERR_raise_data(ERR_LIB_PROV,

672
            PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE,

673
            "ML-KEM keys cannot be mutated");

674
        return 0;

675
    }

676


677
    return ossl_ml_kem_parse_public_key(pubenc, publen, key);

678
}

679


680
static int ml_kem_gen_set_params(void *vgctx, const OSSL_PARAM params[])

681
{

682
    PROV_ML_KEM_GEN_CTX *gctx = vgctx;

683
    const OSSL_PARAM *p;

684


685
    if (gctx == NULL)

686
        return 0;

687
    if (ossl_param_is_empty(params))

688
        return 1;

689


690
    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PROPERTIES);

691
    if (p != NULL) {

692
        if (p->data_type != OSSL_PARAM_UTF8_STRING)

693
            return 0;

694
        OPENSSL_free(gctx->propq);

695
        if ((gctx->propq = OPENSSL_strdup(p->data)) == NULL)

696
            return 0;

697
    }

698


699
    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ML_KEM_SEED);

700
    if (p != NULL) {

701
        size_t len = ML_KEM_SEED_BYTES;

702


703
        gctx->seed = gctx->seedbuf;

704
        if (OSSL_PARAM_get_octet_string(p, (void **)&gctx->seed, len, &len)

705
            && len == ML_KEM_SEED_BYTES)

706
            return 1;

707


708
        /* Possibly, but less likely wrong data type */

709
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SEED_LENGTH);

710
        gctx->seed = NULL;

711
        return 0;

712
    }

713


714
    return 1;

715
}

716


717
static void *ml_kem_gen_init(void *provctx, int selection,

718
    const OSSL_PARAM params[], int evp_type)

719
{

720
    PROV_ML_KEM_GEN_CTX *gctx = NULL;

721


722
    /*

723
     * We can only generate private keys, check that the selection is

724
     * appropriate.

725
     */

726
    if (!ossl_prov_is_running()

727
        || (selection & minimal_selection) == 0

728
        || (gctx = OPENSSL_zalloc(sizeof(*gctx))) == NULL)

729
        return NULL;

730


731
    gctx->selection = selection;

732
    gctx->evp_type = evp_type;

733
    gctx->provctx = provctx;

734
    if (ml_kem_gen_set_params(gctx, params))

735
        return gctx;

736


737
    ml_kem_gen_cleanup(gctx);

738
    return NULL;

739
}

740


741
static const OSSL_PARAM *ml_kem_gen_settable_params(ossl_unused void *vgctx,

742
    ossl_unused void *provctx)

743
{

744
    static OSSL_PARAM settable[] = {

745
        OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ML_KEM_SEED, NULL, 0),

746
        OSSL_PARAM_END

747
    };

748
    return settable;

749
}

750


751
static void *ml_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)

752
{

753
    PROV_ML_KEM_GEN_CTX *gctx = vgctx;

754
    ML_KEM_KEY *key;

755
    uint8_t *nopub = NULL;

756
    uint8_t *seed;

757
    int genok = 0;

758


759
    if (gctx == NULL

760
        || (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_PUBLIC_KEY)

761
        return NULL;

762
    seed = gctx->seed;

763
    key = ossl_prov_ml_kem_new(gctx->provctx, gctx->propq, gctx->evp_type);

764
    if (key == NULL)

765
        return NULL;

766


767
    if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)

768
        return key;

769


770
    if (seed != NULL && !ossl_ml_kem_set_seed(seed, ML_KEM_SEED_BYTES, key))

771
        return NULL;

772
    genok = ossl_ml_kem_genkey(nopub, 0, key);

773


774
    /* Erase the single-use seed */

775
    if (seed != NULL)

776
        OPENSSL_cleanse(seed, ML_KEM_SEED_BYTES);

777
    gctx->seed = NULL;

778


779
    if (genok) {

780
#ifdef FIPS_MODULE

781
        if (!ml_kem_pairwise_test(key, ML_KEM_KEY_FIXED_PCT)) {

782
            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);

783
            ossl_ml_kem_key_free(key);

784
            return NULL;

785
        }

786
#endif /* FIPS_MODULE */

787
        return key;

788
    }

789


790
    ossl_ml_kem_key_free(key);

791
    return NULL;

792
}

793


794
static void ml_kem_gen_cleanup(void *vgctx)

795
{

796
    PROV_ML_KEM_GEN_CTX *gctx = vgctx;

797


798
    if (gctx == NULL)

799
        return;

800


801
    if (gctx->seed != NULL)

802
        OPENSSL_cleanse(gctx->seed, ML_KEM_RANDOM_BYTES);

803
    OPENSSL_free(gctx->propq);

804
    OPENSSL_free(gctx);

805
}

806


807
static void *ml_kem_dup(const void *vkey, int selection)

808
{

809
    const ML_KEM_KEY *key = vkey;

810


811
    if (!ossl_prov_is_running())

812
        return NULL;

813


814
    return ossl_ml_kem_key_dup(key, selection);

815
}

816


817
#ifndef FIPS_MODULE

818
#define DISPATCH_LOAD_FN \

819
    { OSSL_FUNC_KEYMGMT_LOAD, (OSSL_FUNC)ml_kem_load },

820
#else

821
#define DISPATCH_LOAD_FN /* Non-FIPS only */

822
#endif

823


824
#define DECLARE_VARIANT(bits)                                                             \

825
    static void *ml_kem_##bits##_new(void *provctx)                                       \

826
    {                                                                                     \

827
        return ossl_prov_ml_kem_new(provctx, NULL, EVP_PKEY_ML_KEM_##bits);               \

828
    }                                                                                     \

829
    static void *ml_kem_##bits##_gen_init(void *provctx, int selection,                   \

830
        const OSSL_PARAM params[])                                                        \

831
    {                                                                                     \

832
        return ml_kem_gen_init(provctx, selection, params,                                \

833
            EVP_PKEY_ML_KEM_##bits);                                                      \

834
    }                                                                                     \

835
    const OSSL_DISPATCH ossl_ml_kem_##bits##_keymgmt_functions[] = {                      \

836
        { OSSL_FUNC_KEYMGMT_NEW, (OSSL_FUNC)ml_kem_##bits##_new },                        \

837
        { OSSL_FUNC_KEYMGMT_FREE, (OSSL_FUNC)ossl_ml_kem_key_free },                      \

838
        { OSSL_FUNC_KEYMGMT_GET_PARAMS, (OSSL_FUNC)ml_kem_get_params },                   \

839
        { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (OSSL_FUNC)ml_kem_gettable_params },         \

840
        { OSSL_FUNC_KEYMGMT_SET_PARAMS, (OSSL_FUNC)ml_kem_set_params },                   \

841
        { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (OSSL_FUNC)ml_kem_settable_params },         \

842
        { OSSL_FUNC_KEYMGMT_HAS, (OSSL_FUNC)ml_kem_has },                                 \

843
        { OSSL_FUNC_KEYMGMT_MATCH, (OSSL_FUNC)ml_kem_match },                             \

844
        { OSSL_FUNC_KEYMGMT_VALIDATE, (OSSL_FUNC)ml_kem_validate },                       \

845
        { OSSL_FUNC_KEYMGMT_GEN_INIT, (OSSL_FUNC)ml_kem_##bits##_gen_init },              \

846
        { OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS, (OSSL_FUNC)ml_kem_gen_set_params },           \

847
        { OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS, (OSSL_FUNC)ml_kem_gen_settable_params }, \

848
        { OSSL_FUNC_KEYMGMT_GEN, (OSSL_FUNC)ml_kem_gen },                                 \

849
        { OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (OSSL_FUNC)ml_kem_gen_cleanup },                 \

850
        DISPATCH_LOAD_FN { OSSL_FUNC_KEYMGMT_DUP, (OSSL_FUNC)ml_kem_dup },                \

851
        { OSSL_FUNC_KEYMGMT_IMPORT, (OSSL_FUNC)ml_kem_import },                           \

852
        { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (OSSL_FUNC)ml_kem_imexport_types },             \

853
        { OSSL_FUNC_KEYMGMT_EXPORT, (OSSL_FUNC)ml_kem_export },                           \

854
        { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (OSSL_FUNC)ml_kem_imexport_types },             \

855
        OSSL_DISPATCH_END                                                                 \

856
    }

857
DECLARE_VARIANT(512);

858
DECLARE_VARIANT(768);

859
DECLARE_VARIANT(1024);

860


861