Path: blob/main/crypto/openssl/providers/implementations/keymgmt/ml_kem_kmgmt.c
48292 views
/*1* Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.2*3* Licensed under the Apache License 2.0 (the "License"). You may not use4* this file except in compliance with the License. You can obtain a copy5* in the file LICENSE in the source distribution or at6* https://www.openssl.org/source/license.html7*/89#include <openssl/core_dispatch.h>10#include <openssl/core_names.h>11#include <openssl/params.h>12#include <openssl/err.h>13#include <openssl/proverr.h>14#include <openssl/provider.h>15#include <openssl/rand.h>16#include <openssl/self_test.h>17#include <openssl/param_build.h>18#include "crypto/ml_kem.h"19#include "internal/fips.h"20#include "internal/param_build_set.h"21#include "prov/implementations.h"22#include "prov/providercommon.h"23#include "prov/provider_ctx.h"24#include "prov/securitycheck.h"25#include "prov/ml_kem.h"2627static OSSL_FUNC_keymgmt_new_fn ml_kem_512_new;28static OSSL_FUNC_keymgmt_new_fn ml_kem_768_new;29static OSSL_FUNC_keymgmt_new_fn ml_kem_1024_new;30static OSSL_FUNC_keymgmt_gen_fn ml_kem_gen;31static OSSL_FUNC_keymgmt_gen_init_fn ml_kem_512_gen_init;32static OSSL_FUNC_keymgmt_gen_init_fn ml_kem_768_gen_init;33static OSSL_FUNC_keymgmt_gen_init_fn ml_kem_1024_gen_init;34static OSSL_FUNC_keymgmt_gen_cleanup_fn ml_kem_gen_cleanup;35static OSSL_FUNC_keymgmt_gen_set_params_fn ml_kem_gen_set_params;36static OSSL_FUNC_keymgmt_gen_settable_params_fn ml_kem_gen_settable_params;37#ifndef FIPS_MODULE38static OSSL_FUNC_keymgmt_load_fn ml_kem_load;39#endif40static OSSL_FUNC_keymgmt_get_params_fn ml_kem_get_params;41static OSSL_FUNC_keymgmt_gettable_params_fn ml_kem_gettable_params;42static OSSL_FUNC_keymgmt_set_params_fn ml_kem_set_params;43static OSSL_FUNC_keymgmt_settable_params_fn ml_kem_settable_params;44static OSSL_FUNC_keymgmt_has_fn ml_kem_has;45static OSSL_FUNC_keymgmt_match_fn ml_kem_match;46static OSSL_FUNC_keymgmt_validate_fn ml_kem_validate;47static OSSL_FUNC_keymgmt_import_fn ml_kem_import;48static OSSL_FUNC_keymgmt_export_fn ml_kem_export;49static OSSL_FUNC_keymgmt_import_types_fn ml_kem_imexport_types;50static OSSL_FUNC_keymgmt_export_types_fn ml_kem_imexport_types;51static OSSL_FUNC_keymgmt_dup_fn ml_kem_dup;5253static const int minimal_selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS54| OSSL_KEYMGMT_SELECT_PRIVATE_KEY;5556typedef struct ml_kem_gen_ctx_st {57PROV_CTX *provctx;58char *propq;59int selection;60int evp_type;61uint8_t seedbuf[ML_KEM_SEED_BYTES];62uint8_t *seed;63} PROV_ML_KEM_GEN_CTX;6465static int ml_kem_pairwise_test(const ML_KEM_KEY *key, int key_flags)66{67#ifdef FIPS_MODULE68OSSL_SELF_TEST *st = NULL;69OSSL_CALLBACK *cb = NULL;70void *cbarg = NULL;71#endif72unsigned char entropy[ML_KEM_RANDOM_BYTES];73unsigned char secret[ML_KEM_SHARED_SECRET_BYTES];74unsigned char out[ML_KEM_SHARED_SECRET_BYTES];75unsigned char *ctext = NULL;76const ML_KEM_VINFO *v = ossl_ml_kem_key_vinfo(key);77int operation_result = 0;78int ret = 0;7980/* Unless we have both a public and private key, we can't do the test */81if (!ossl_ml_kem_have_prvkey(key)82|| !ossl_ml_kem_have_pubkey(key)83|| (key_flags & ML_KEM_KEY_PCT_TYPE) == 0)84return 1;85#ifdef FIPS_MODULE86/* During self test, it is a waste to do this test */87if (ossl_fips_self_testing())88return 1;8990/*91* The functions `OSSL_SELF_TEST_*` will return directly if parameter `st`92* is NULL.93*/94OSSL_SELF_TEST_get_callback(key->libctx, &cb, &cbarg);9596st = OSSL_SELF_TEST_new(cb, cbarg);97if (st == NULL)98return 0;99100OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,101OSSL_SELF_TEST_DESC_PCT_ML_KEM);102#endif /* FIPS_MODULE */103104ctext = OPENSSL_malloc(v->ctext_bytes);105if (ctext == NULL)106goto err;107108memset(out, 0, sizeof(out));109110/*111* The pairwise test is skipped unless either RANDOM or FIXED entropy PCTs112* are enabled.113*/114if (key_flags & ML_KEM_KEY_RANDOM_PCT) {115operation_result = ossl_ml_kem_encap_rand(ctext, v->ctext_bytes,116secret, sizeof(secret), key);117} else {118memset(entropy, 0125, sizeof(entropy));119operation_result = ossl_ml_kem_encap_seed(ctext, v->ctext_bytes,120secret, sizeof(secret),121entropy, sizeof(entropy),122key);123}124if (operation_result != 1)125goto err;126127#ifdef FIPS_MODULE128OSSL_SELF_TEST_oncorrupt_byte(st, ctext);129#endif130131operation_result = ossl_ml_kem_decap(out, sizeof(out), ctext, v->ctext_bytes,132key);133if (operation_result != 1 || memcmp(out, secret, sizeof(out)) != 0)134goto err;135136ret = 1;137err:138#ifdef FIPS_MODULE139OSSL_SELF_TEST_onend(st, ret);140OSSL_SELF_TEST_free(st);141#else142if (ret == 0) {143ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,144"public part of %s private key fails to match private",145v->algorithm_name);146}147#endif148OPENSSL_free(ctext);149return ret;150}151152ML_KEM_KEY *ossl_prov_ml_kem_new(PROV_CTX *ctx, const char *propq, int evp_type)153{154ML_KEM_KEY *key;155156if (!ossl_prov_is_running())157return NULL;158/*159* When decoding, if the key ends up "loaded" into the same provider, these160* are the correct config settings, otherwise, new values will be assigned161* on import into a different provider. The "load" API does not pass along162* the provider context.163*/164if ((key = ossl_ml_kem_key_new(PROV_LIBCTX_OF(ctx), propq, evp_type)) != NULL) {165const char *pct_type = ossl_prov_ctx_get_param(166ctx, OSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE, "random");167168if (ossl_prov_ctx_get_bool_param(169ctx, OSSL_PKEY_PARAM_ML_KEM_RETAIN_SEED, 1))170key->prov_flags |= ML_KEM_KEY_RETAIN_SEED;171else172key->prov_flags &= ~ML_KEM_KEY_RETAIN_SEED;173if (ossl_prov_ctx_get_bool_param(174ctx, OSSL_PKEY_PARAM_ML_KEM_PREFER_SEED, 1))175key->prov_flags |= ML_KEM_KEY_PREFER_SEED;176else177key->prov_flags &= ~ML_KEM_KEY_PREFER_SEED;178if (OPENSSL_strcasecmp(pct_type, "random") == 0)179key->prov_flags |= ML_KEM_KEY_RANDOM_PCT;180else if (OPENSSL_strcasecmp(pct_type, "fixed") == 0)181key->prov_flags |= ML_KEM_KEY_FIXED_PCT;182else183key->prov_flags &= ~ML_KEM_KEY_PCT_TYPE;184}185return key;186}187188static int ml_kem_has(const void *vkey, int selection)189{190const ML_KEM_KEY *key = vkey;191192/* A NULL key MUST fail to have anything */193if (!ossl_prov_is_running() || key == NULL)194return 0;195196switch (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) {197case 0:198return 1;199case OSSL_KEYMGMT_SELECT_PUBLIC_KEY:200return ossl_ml_kem_have_pubkey(key);201default:202return ossl_ml_kem_have_prvkey(key);203}204}205206static int ml_kem_match(const void *vkey1, const void *vkey2, int selection)207{208const ML_KEM_KEY *key1 = vkey1;209const ML_KEM_KEY *key2 = vkey2;210211if (!ossl_prov_is_running())212return 0;213214/* All we have that can be compared is key material */215if (!(selection & OSSL_KEYMGMT_SELECT_KEYPAIR))216return 1;217218return ossl_ml_kem_pubkey_cmp(key1, key2);219}220221static int ml_kem_validate(const void *vkey, int selection, int check_type)222{223const ML_KEM_KEY *key = vkey;224225if (!ml_kem_has(key, selection))226return 0;227228if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR)229return ml_kem_pairwise_test(key, ML_KEM_KEY_RANDOM_PCT);230return 1;231}232233static int ml_kem_export(void *vkey, int selection, OSSL_CALLBACK *param_cb,234void *cbarg)235{236ML_KEM_KEY *key = vkey;237OSSL_PARAM_BLD *tmpl = NULL;238OSSL_PARAM *params = NULL;239const ML_KEM_VINFO *v;240uint8_t *pubenc = NULL, *prvenc = NULL, *seedenc = NULL;241size_t prvlen = 0, seedlen = 0;242int ret = 0;243244if (!ossl_prov_is_running() || key == NULL)245return 0;246247if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)248return 0;249250v = ossl_ml_kem_key_vinfo(key);251if (!ossl_ml_kem_have_pubkey(key)) {252/* Fail when no key material can be returned */253if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) == 0254|| !ossl_ml_kem_decoded_key(key)) {255ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);256return 0;257}258} else if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {259pubenc = OPENSSL_malloc(v->pubkey_bytes);260if (pubenc == NULL261|| !ossl_ml_kem_encode_public_key(pubenc, v->pubkey_bytes, key))262goto err;263}264265if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {266/*267* The seed and/or private key material are allocated on the secure268* heap if configured, ossl_param_build_set_octet_string(), will then269* also use the secure heap.270*/271if (ossl_ml_kem_have_seed(key)) {272seedlen = ML_KEM_SEED_BYTES;273if ((seedenc = OPENSSL_secure_zalloc(seedlen)) == NULL274|| !ossl_ml_kem_encode_seed(seedenc, seedlen, key))275goto err;276}277if (ossl_ml_kem_have_prvkey(key)) {278prvlen = v->prvkey_bytes;279if ((prvenc = OPENSSL_secure_zalloc(prvlen)) == NULL280|| !ossl_ml_kem_encode_private_key(prvenc, prvlen, key))281goto err;282} else if (ossl_ml_kem_have_dkenc(key)) {283prvlen = v->prvkey_bytes;284if ((prvenc = OPENSSL_secure_zalloc(prvlen)) == NULL)285goto err;286memcpy(prvenc, key->encoded_dk, prvlen);287}288}289290tmpl = OSSL_PARAM_BLD_new();291if (tmpl == NULL)292goto err;293294/* The (d, z) seed, when available and private keys are requested. */295if (seedenc != NULL296&& !ossl_param_build_set_octet_string(297tmpl, params, OSSL_PKEY_PARAM_ML_KEM_SEED, seedenc, seedlen))298goto err;299300/* The private key in the FIPS 203 |dk| format, when requested. */301if (prvenc != NULL302&& !ossl_param_build_set_octet_string(303tmpl, params, OSSL_PKEY_PARAM_PRIV_KEY, prvenc, prvlen))304goto err;305306/* The public key on request; it is always available when either is */307if (pubenc != NULL308&& !ossl_param_build_set_octet_string(309tmpl, params, OSSL_PKEY_PARAM_PUB_KEY, pubenc, v->pubkey_bytes))310goto err;311312params = OSSL_PARAM_BLD_to_param(tmpl);313if (params == NULL)314goto err;315316ret = param_cb(params, cbarg);317OSSL_PARAM_free(params);318319err:320OSSL_PARAM_BLD_free(tmpl);321OPENSSL_secure_clear_free(seedenc, seedlen);322OPENSSL_secure_clear_free(prvenc, prvlen);323OPENSSL_free(pubenc);324return ret;325}326327static const OSSL_PARAM *ml_kem_imexport_types(int selection)328{329static const OSSL_PARAM key_types[] = {330OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ML_KEM_SEED, NULL, 0),331OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0),332OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0),333OSSL_PARAM_END334};335336if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)337return key_types;338return NULL;339}340341static int check_seed(const uint8_t *seed, const uint8_t *prvenc,342ML_KEM_KEY *key)343{344size_t zlen = ML_KEM_RANDOM_BYTES;345346if (memcmp(seed + ML_KEM_SEED_BYTES - zlen,347prvenc + key->vinfo->prvkey_bytes - zlen, zlen) == 0)348return 1;349ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,350"private %s key implicit rejection secret does"351" not match seed", key->vinfo->algorithm_name);352return 0;353}354355static int check_prvenc(const uint8_t *prvenc, ML_KEM_KEY *key)356{357size_t len = key->vinfo->prvkey_bytes;358uint8_t *buf = OPENSSL_malloc(len);359int ret = 0;360361if (buf != NULL362&& ossl_ml_kem_encode_private_key(buf, len, key))363ret = memcmp(buf, prvenc, len) == 0;364OPENSSL_clear_free(buf, len);365if (ret)366return 1;367368if (buf != NULL)369ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,370"explicit %s private key does not match seed",371key->vinfo->algorithm_name);372ossl_ml_kem_key_reset(key);373return 0;374}375376static int ml_kem_key_fromdata(ML_KEM_KEY *key,377const OSSL_PARAM params[],378int include_private)379{380const OSSL_PARAM *p = NULL;381const void *pubenc = NULL, *prvenc = NULL, *seedenc = NULL;382size_t publen = 0, prvlen = 0, seedlen = 0, puboff;383const ML_KEM_VINFO *v;384385/* Invalid attempt to mutate a key, what is the right error to report? */386if (key == NULL || ossl_ml_kem_have_pubkey(key))387return 0;388v = ossl_ml_kem_key_vinfo(key);389390/*391* When a private key is provided, without a seed, any public key also392* provided will be ignored (apart from length), just as with the seed.393*/394if (include_private) {395/*396* When a seed is provided, the private and public keys may be ignored,397* after validating just their lengths. Comparing encodings or hashes398* when applicable is possible, but not currently implemented.399*/400p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ML_KEM_SEED);401if (p != NULL402&& OSSL_PARAM_get_octet_string_ptr(p, &seedenc, &seedlen) != 1)403return 0;404if (seedlen != 0 && seedlen != ML_KEM_SEED_BYTES) {405ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SEED_LENGTH);406return 0;407}408p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);409if (p != NULL410&& OSSL_PARAM_get_octet_string_ptr(p, &prvenc, &prvlen) != 1)411return 0;412if (prvlen != 0 && prvlen != v->prvkey_bytes) {413ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);414return 0;415}416}417418/* Used only when no seed or private key is provided. */419p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);420if (p != NULL421&& OSSL_PARAM_get_octet_string_ptr(p, &pubenc, &publen) != 1)422return 0;423if (publen != 0 && publen != v->pubkey_bytes) {424ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);425return 0;426}427428/* The caller MUST specify at least one of seed, private or public keys. */429if (seedlen == 0 && publen == 0 && prvlen == 0) {430ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);431return 0;432}433434/* Check any explicit public key against embedded value in private key */435if (publen > 0 && prvlen > 0) {436/* point to the ek offset in dk = DKpke||ek||H(ek)||z */437puboff = prvlen - ML_KEM_RANDOM_BYTES - ML_KEM_PKHASH_BYTES - publen;438if (memcmp(pubenc, (unsigned char *)prvenc + puboff, publen) != 0) {439ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,440"explicit %s public key does not match private",441v->algorithm_name);442return 0;443}444}445446if (seedlen != 0447&& (prvlen == 0 || (key->prov_flags & ML_KEM_KEY_PREFER_SEED))) {448if (prvlen != 0 && !check_seed(seedenc, prvenc, key))449return 0;450if (!ossl_ml_kem_set_seed(seedenc, seedlen, key)451|| !ossl_ml_kem_genkey(NULL, 0, key))452return 0;453return prvlen == 0 || check_prvenc(prvenc, key);454} else if (prvlen != 0) {455return ossl_ml_kem_parse_private_key(prvenc, prvlen, key);456}457return ossl_ml_kem_parse_public_key(pubenc, publen, key);458}459460static int ml_kem_import(void *vkey, int selection, const OSSL_PARAM params[])461{462ML_KEM_KEY *key = vkey;463int include_private;464int res;465466if (!ossl_prov_is_running() || key == NULL)467return 0;468469if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)470return 0;471472include_private = selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;473res = ml_kem_key_fromdata(key, params, include_private);474if (res > 0 && include_private475&& !ml_kem_pairwise_test(key, key->prov_flags)) {476#ifdef FIPS_MODULE477ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);478#endif479ossl_ml_kem_key_reset(key);480res = 0;481}482return res;483}484485static const OSSL_PARAM *ml_kem_gettable_params(void *provctx)486{487static const OSSL_PARAM arr[] = {488OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),489OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),490OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),491/* Exported for import */492OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ML_KEM_SEED, NULL, 0),493/* Exported to EVP_PKEY_get_raw_private_key() */494OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0),495/* Exported to EVP_PKEY_get_raw_public_key() */496OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0),497/* Needed by EVP_PKEY_get1_encoded_public_key() */498OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),499OSSL_PARAM_END500};501502return arr;503}504505#ifndef FIPS_MODULE506static void *ml_kem_load(const void *reference, size_t reference_sz)507{508ML_KEM_KEY *key = NULL;509uint8_t *encoded_dk = NULL;510uint8_t seed[ML_KEM_SEED_BYTES];511512if (ossl_prov_is_running() && reference_sz == sizeof(key)) {513/* The contents of the reference is the address to our object */514key = *(ML_KEM_KEY **)reference;515encoded_dk = key->encoded_dk;516key->encoded_dk = NULL;517/* We grabbed, so we detach it */518*(ML_KEM_KEY **)reference = NULL;519if (encoded_dk != NULL520&& ossl_ml_kem_encode_seed(seed, sizeof(seed), key)521&& !check_seed(seed, encoded_dk, key))522goto err;523/* Generate the key now, if it holds only a stashed seed. */524if (ossl_ml_kem_have_seed(key)525&& (encoded_dk == NULL526|| (key->prov_flags & ML_KEM_KEY_PREFER_SEED))) {527if (!ossl_ml_kem_genkey(NULL, 0, key)528|| (encoded_dk != NULL && !check_prvenc(encoded_dk, key)))529goto err;530} else if (encoded_dk != NULL) {531if (!ossl_ml_kem_parse_private_key(encoded_dk,532key->vinfo->prvkey_bytes, key)) {533ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,534"error parsing %s private key",535key->vinfo->algorithm_name);536goto err;537}538if (!ml_kem_pairwise_test(key, key->prov_flags))539goto err;540}541OPENSSL_free(encoded_dk);542return key;543}544545err:546OPENSSL_free(encoded_dk);547ossl_ml_kem_key_free(key);548return NULL;549}550#endif551552/*553* It is assumed the key is guaranteed non-NULL here, and is from this provider554*/555static int ml_kem_get_params(void *vkey, OSSL_PARAM params[])556{557ML_KEM_KEY *key = vkey;558const ML_KEM_VINFO *v = ossl_ml_kem_key_vinfo(key);559OSSL_PARAM *p;560const char *pubparams[] = {561OSSL_PKEY_PARAM_PUB_KEY,562OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY563};564int i;565566p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS);567if (p != NULL)568if (!OSSL_PARAM_set_int(p, v->bits))569return 0;570571p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS);572if (p != NULL)573if (!OSSL_PARAM_set_int(p, v->secbits))574return 0;575576p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE);577if (p != NULL)578if (!OSSL_PARAM_set_int(p, v->ctext_bytes))579return 0;580581if (ossl_ml_kem_have_pubkey(key)) {582uint8_t *pubenc = NULL;583584for (i = 0; i < 2; ++i) {585p = OSSL_PARAM_locate(params, pubparams[i]);586if (p == NULL)587continue;588if (p->data_type != OSSL_PARAM_OCTET_STRING)589return 0;590p->return_size = v->pubkey_bytes;591if (p->data == NULL)592continue;593if (p->data_size < p->return_size)594return 0;595if (pubenc != NULL) {596memcpy(p->data, pubenc, p->return_size);597continue;598}599if (!ossl_ml_kem_encode_public_key(p->data, p->return_size, key))600return 0;601pubenc = p->data;602}603}604605p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_PRIV_KEY);606if (p != NULL && ossl_ml_kem_have_prvkey(key)) {607if (p->data_type != OSSL_PARAM_OCTET_STRING)608return 0;609p->return_size = v->prvkey_bytes;610if (p->data != NULL) {611if (p->data_size < p->return_size)612return 0;613if (!ossl_ml_kem_encode_private_key(p->data, p->return_size, key))614return 0;615}616}617618p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_ML_KEM_SEED);619if (p != NULL && ossl_ml_kem_have_seed(key)) {620if (p->data_type != OSSL_PARAM_OCTET_STRING)621return 0;622p->return_size = ML_KEM_SEED_BYTES;623if (p->data != NULL) {624if (p->data_size < p->return_size)625return 0;626if (!ossl_ml_kem_encode_seed(p->data, p->return_size, key))627return 0;628}629}630631return 1;632}633634static const OSSL_PARAM *ml_kem_settable_params(void *provctx)635{636static const OSSL_PARAM arr[] = {637/* Used in TLS via EVP_PKEY_set1_encoded_public_key(). */638OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),639OSSL_PARAM_END640};641642return arr;643}644645static int ml_kem_set_params(void *vkey, const OSSL_PARAM params[])646{647ML_KEM_KEY *key = vkey;648const OSSL_PARAM *p;649const void *pubenc = NULL;650size_t publen = 0;651652if (ossl_param_is_empty(params))653return 1;654655p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);656if (p != NULL657&& (OSSL_PARAM_get_octet_string_ptr(p, &pubenc, &publen) != 1658|| publen != key->vinfo->pubkey_bytes)) {659ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);660return 0;661}662663if (publen == 0)664return 1;665666/* Key mutation is reportedly generally not allowed */667if (ossl_ml_kem_have_pubkey(key)) {668ERR_raise_data(ERR_LIB_PROV,669PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE,670"ML-KEM keys cannot be mutated");671return 0;672}673674return ossl_ml_kem_parse_public_key(pubenc, publen, key);675}676677static int ml_kem_gen_set_params(void *vgctx, const OSSL_PARAM params[])678{679PROV_ML_KEM_GEN_CTX *gctx = vgctx;680const OSSL_PARAM *p;681682if (gctx == NULL)683return 0;684if (ossl_param_is_empty(params))685return 1;686687p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PROPERTIES);688if (p != NULL) {689if (p->data_type != OSSL_PARAM_UTF8_STRING)690return 0;691OPENSSL_free(gctx->propq);692if ((gctx->propq = OPENSSL_strdup(p->data)) == NULL)693return 0;694}695696p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ML_KEM_SEED);697if (p != NULL) {698size_t len = ML_KEM_SEED_BYTES;699700gctx->seed = gctx->seedbuf;701if (OSSL_PARAM_get_octet_string(p, (void **)&gctx->seed, len, &len)702&& len == ML_KEM_SEED_BYTES)703return 1;704705/* Possibly, but less likely wrong data type */706ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SEED_LENGTH);707gctx->seed = NULL;708return 0;709}710711return 1;712}713714static void *ml_kem_gen_init(void *provctx, int selection,715const OSSL_PARAM params[], int evp_type)716{717PROV_ML_KEM_GEN_CTX *gctx = NULL;718719/*720* We can only generate private keys, check that the selection is721* appropriate.722*/723if (!ossl_prov_is_running()724|| (selection & minimal_selection) == 0725|| (gctx = OPENSSL_zalloc(sizeof(*gctx))) == NULL)726return NULL;727728gctx->selection = selection;729gctx->evp_type = evp_type;730gctx->provctx = provctx;731if (ml_kem_gen_set_params(gctx, params))732return gctx;733734ml_kem_gen_cleanup(gctx);735return NULL;736}737738static const OSSL_PARAM *ml_kem_gen_settable_params(ossl_unused void *vgctx,739ossl_unused void *provctx)740{741static OSSL_PARAM settable[] = {742OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ML_KEM_SEED, NULL, 0),743OSSL_PARAM_END744};745return settable;746}747748static void *ml_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)749{750PROV_ML_KEM_GEN_CTX *gctx = vgctx;751ML_KEM_KEY *key;752uint8_t *nopub = NULL;753uint8_t *seed;754int genok = 0;755756if (gctx == NULL757|| (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) ==758OSSL_KEYMGMT_SELECT_PUBLIC_KEY)759return NULL;760seed = gctx->seed;761key = ossl_prov_ml_kem_new(gctx->provctx, gctx->propq, gctx->evp_type);762if (key == NULL)763return NULL;764765if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)766return key;767768if (seed != NULL && !ossl_ml_kem_set_seed(seed, ML_KEM_SEED_BYTES, key))769return NULL;770genok = ossl_ml_kem_genkey(nopub, 0, key);771772/* Erase the single-use seed */773if (seed != NULL)774OPENSSL_cleanse(seed, ML_KEM_SEED_BYTES);775gctx->seed = NULL;776777if (genok) {778#ifdef FIPS_MODULE779if (!ml_kem_pairwise_test(key, ML_KEM_KEY_FIXED_PCT)) {780ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);781ossl_ml_kem_key_free(key);782return NULL;783}784#endif /* FIPS_MODULE */785return key;786}787788ossl_ml_kem_key_free(key);789return NULL;790}791792static void ml_kem_gen_cleanup(void *vgctx)793{794PROV_ML_KEM_GEN_CTX *gctx = vgctx;795796if (gctx == NULL)797return;798799if (gctx->seed != NULL)800OPENSSL_cleanse(gctx->seed, ML_KEM_RANDOM_BYTES);801OPENSSL_free(gctx->propq);802OPENSSL_free(gctx);803}804805static void *ml_kem_dup(const void *vkey, int selection)806{807const ML_KEM_KEY *key = vkey;808809if (!ossl_prov_is_running())810return NULL;811812return ossl_ml_kem_key_dup(key, selection);813}814815#ifndef FIPS_MODULE816# define DISPATCH_LOAD_FN \817{ OSSL_FUNC_KEYMGMT_LOAD, (OSSL_FUNC) ml_kem_load },818#else819# define DISPATCH_LOAD_FN /* Non-FIPS only */820#endif821822#define DECLARE_VARIANT(bits) \823static void *ml_kem_##bits##_new(void *provctx) \824{ \825return ossl_prov_ml_kem_new(provctx, NULL, EVP_PKEY_ML_KEM_##bits); \826} \827static void *ml_kem_##bits##_gen_init(void *provctx, int selection, \828const OSSL_PARAM params[]) \829{ \830return ml_kem_gen_init(provctx, selection, params, \831EVP_PKEY_ML_KEM_##bits); \832} \833const OSSL_DISPATCH ossl_ml_kem_##bits##_keymgmt_functions[] = { \834{ OSSL_FUNC_KEYMGMT_NEW, (OSSL_FUNC) ml_kem_##bits##_new }, \835{ OSSL_FUNC_KEYMGMT_FREE, (OSSL_FUNC) ossl_ml_kem_key_free }, \836{ OSSL_FUNC_KEYMGMT_GET_PARAMS, (OSSL_FUNC) ml_kem_get_params }, \837{ OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (OSSL_FUNC) ml_kem_gettable_params }, \838{ OSSL_FUNC_KEYMGMT_SET_PARAMS, (OSSL_FUNC) ml_kem_set_params }, \839{ OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (OSSL_FUNC) ml_kem_settable_params }, \840{ OSSL_FUNC_KEYMGMT_HAS, (OSSL_FUNC) ml_kem_has }, \841{ OSSL_FUNC_KEYMGMT_MATCH, (OSSL_FUNC) ml_kem_match }, \842{ OSSL_FUNC_KEYMGMT_VALIDATE, (OSSL_FUNC) ml_kem_validate }, \843{ OSSL_FUNC_KEYMGMT_GEN_INIT, (OSSL_FUNC) ml_kem_##bits##_gen_init }, \844{ OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS, (OSSL_FUNC) ml_kem_gen_set_params }, \845{ OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS, (OSSL_FUNC) ml_kem_gen_settable_params }, \846{ OSSL_FUNC_KEYMGMT_GEN, (OSSL_FUNC) ml_kem_gen }, \847{ OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (OSSL_FUNC) ml_kem_gen_cleanup }, \848DISPATCH_LOAD_FN \849{ OSSL_FUNC_KEYMGMT_DUP, (OSSL_FUNC) ml_kem_dup }, \850{ OSSL_FUNC_KEYMGMT_IMPORT, (OSSL_FUNC) ml_kem_import }, \851{ OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (OSSL_FUNC) ml_kem_imexport_types }, \852{ OSSL_FUNC_KEYMGMT_EXPORT, (OSSL_FUNC) ml_kem_export }, \853{ OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (OSSL_FUNC) ml_kem_imexport_types }, \854OSSL_DISPATCH_END \855}856DECLARE_VARIANT(512);857DECLARE_VARIANT(768);858DECLARE_VARIANT(1024);859860861