implement SLH-DSA signing and verification using OpenSSL

.gitignore

@@ -50,6 +50,7 @@ test-results.xml
 
 # Temporary files
 *~
+*.orig
 
 # Building directories
 build

CMAKE-NOTES.md

@@ -12,6 +12,7 @@ Some options (more can be found in CMakeLists.txt):
 	-DDISABLE_NON_PAGED_MEMORY=ON	Disable non-paged memory for secure storage
 	-DENABLE_EDDSA=ON		Enable support for EDDSA
 	-DENABLE_MLDSA=ON		Enable support for ML-DSA
+	-DENABLE_SLHDSA=ON		Enable support for SLH-DSA
 	-DWITH_MIGRATE=ON		Build migration tool
 	-DWITH_CRYPTO_BACKEND=openssl	Select crypto backend (openssl|botan)
 

CMAKE-WIN-NOTES.md

@@ -53,6 +53,7 @@ Some options (more can be found in CMakeLists.txt):
 	-DBUILD_TESTS=ON                Compile tests along with libraries
 	-DENABLE_EDDSA=ON               Enable support for EDDSA
     -DENABLE_MLDSA=ON               Enable support for ML-DSA
+    -DENABLE_SLHDSA=ON              Enable support for SLH-DSA
 	-DWITH_MIGRATE=ON               Build migration tool
 	-DWITH_CRYPTO_BACKEND=          Select crypto backend (openssl|botan)
 	-DDISABLE_NON_PAGED_MEMORY=ON   Disable non-paged memory for secure storage

CMakeLists.txt

@@ -9,6 +9,7 @@ option(ENABLE_64bit "Enable 64-bit compiling" OFF)
 option(ENABLE_ECC "Enable support for ECC" ON)
 option(ENABLE_EDDSA "Enable support for EDDSA" ON)
 option(ENABLE_MLDSA "Enable support for ML-DSA" OFF)
+option(ENABLE_SLHDSA "Enable support for SLH-DSA" OFF)
 option(ENABLE_GOST "Enable support for GOST" OFF)
 option(ENABLE_FIPS "Enable support for FIPS 140-2 mode" OFF)
 option(ENABLE_P11_KIT "Enable p11-kit integration" ON)

README.md

@@ -83,6 +83,7 @@ Options:
 	--enable-gost		Enable support for GOST (default detect)
 	--enable-eddsa		Enable support for EDDSA (default detect)
     --enable-mldsa		Enable support for ML-DSA (default detect)
+    --enable-slhdsa		Enable support for SLH-DSA (default detect)
 	--disable-visibility	Disable hidden visibilty link mode [enabled]
 	--with-crypto-backend	Select crypto backend (openssl|botan)
 	--with-openssl=PATH	Specify prefix of path of OpenSSL

cmake/modules/CompilerOptions.cmake

@@ -391,6 +391,26 @@ elseif(WITH_CRYPTO_BACKEND STREQUAL "openssl")
         message(STATUS "OpenSSL: Support for ML-DSA is disabled")
     endif(ENABLE_MLDSA)
 
+    # acx_openssl_slhdsa.m4
+    if(ENABLE_SLHDSA)
+        # SLH-DSA
+        set(testfile ${CMAKE_SOURCE_DIR}/cmake/modules/tests/test_openssl_slhdsa.c)
+        try_run(RUN_SLHDSA COMPILE_RESULT
+                "${CMAKE_BINARY_DIR}/prebuild_santity_tests" ${testfile}
+                LINK_LIBRARIES ${CRYPTO_LIBS}
+                CMAKE_FLAGS
+                    "-DINCLUDE_DIRECTORIES=${CRYPTO_INCLUDES}"
+                )
+        if(COMPILE_RESULT AND RUN_SLHDSA EQUAL 0)
+            set(WITH_SLH_DSA 1)
+            message(STATUS "OpenSSL: Found SLH-DSA")
+        else()
+            set(error_msg "OpenSSL: Cannot find SLH-DSA! OpenSSL library has no SLH-DSA support!")
+            message(FATAL_ERROR ${error_msg})
+        endif()
+    else(ENABLE_SLHDSA)
+        message(STATUS "OpenSSL: Support for SLH-DSA is disabled")
+    endif(ENABLE_SLHDSA)
     # acx_openssl_gost.m4
     if(ENABLE_GOST)
         set(testfile ${CMAKE_SOURCE_DIR}/cmake/modules/tests/test_openssl_gost.c)

cmake/modules/tests/test_openssl_slhdsa.c

@@ -0,0 +1,12 @@
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+int main()
+{
+    EVP_PKEY_CTX *ctx;
+    ctx = EVP_PKEY_CTX_new_from_name(NULL, "SLH-DSA-SHA2-128s", NULL);
+
+    if (ctx == NULL)
+        return 1;
+    EVP_PKEY_CTX_free(ctx);
+    return 0;
+}

config.h.in.cmake

@@ -154,6 +154,9 @@
 /* Compile with ML-DSA support */
 #cmakedefine WITH_ML_DSA @WITH_ML_DSA@
 
+/* Compile with SLH-DSA support */
+#cmakedefine WITH_SLH_DSA @WITH_SLH_DSA@
+
 /* Compile with FIPS 140-2 mode */
 #cmakedefine WITH_FIPS @WITH_FIPS@
 

m4/acx_crypto_backend.m4

@@ -38,6 +38,16 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 		[enable_mldsa="detect"]
 	)
 
+	# Add SLH-DSA check
+
+	AC_ARG_ENABLE(slhdsa,
+		AS_HELP_STRING([--enable-slhdsa],
+			[Enable support for SLH-DSA (default detect)]
+		),
+		[enable_slhdsa="${enableval}"],
+		[enable_slhdsa="detect"]
+	)
+
 	# Second check for the FIPS 140-2 mode
 
 	AC_ARG_ENABLE(fips,
@@ -119,6 +129,15 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 			detect-no) enable_mldsa="no";;
 		esac
 
+		case "${enable_slhdsa}" in
+			yes|detect) ACX_OPENSSL_SLHDSA;;
+		esac
+		case "${enable_slhdsa}-${have_lib_openssl_slhdsa_support}" in
+			yes-no) AC_MSG_ERROR([OpenSSL library has no SLH-DSA support]);;
+			detect-yes) enable_slhdsa="yes";;
+			detect-no) enable_slhdsa="no";;
+		esac
+
 		case "${enable_gost}-${enable_fips}" in
 			yes-yes) AC_MSG_ERROR([GOST is not FIPS approved]);;
 			yes-no|detect-no) ACX_OPENSSL_GOST;;
@@ -189,6 +208,10 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
             AC_MSG_ERROR([Botan does not support ML-DSA])
         fi
 
+		if test	"x${enable_slhdsa}" = "xyes"; then
+            AC_MSG_ERROR([Botan does not support SLH-DSA])
+        fi
+
 		case "${enable_gost}" in
 			yes|detect) ACX_BOTAN_GOST;;
 		esac
@@ -267,6 +290,19 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 	fi
 	AM_CONDITIONAL([WITH_ML_DSA], [test "x${enable_mldsa}" = "xyes"])
 
+	AC_MSG_CHECKING(for SLH-DSA support)
+	if test "x${enable_slhdsa}" = "xyes"; then
+		AC_MSG_RESULT(yes)
+		AC_DEFINE_UNQUOTED(
+			[WITH_SLH_DSA],
+			[],
+			[Compile with SLH-DSA support]
+		)
+	else
+		AC_MSG_RESULT(no)
+	fi
+	AM_CONDITIONAL([WITH_SLH_DSA], [test "x${enable_slhdsa}" = "xyes"])
+
 
 	AC_SUBST(CRYPTO_INCLUDES)
 	AC_SUBST(CRYPTO_LIBS)

m4/acx_openssl_slhdsa.m4

@@ -0,0 +1,44 @@
+AC_DEFUN([ACX_OPENSSL_SLHDSA],[
+	AC_MSG_CHECKING(for OpenSSL SLH-DSA support)
+
+	tmp_CPPFLAGS=$CPPFLAGS
+	tmp_LIBS=$LIBS
+
+	CPPFLAGS="$CPPFLAGS $CRYPTO_INCLUDES"
+	LIBS="$CRYPTO_LIBS $LIBS"
+
+	AC_LANG_PUSH([C])
+	AC_CACHE_VAL([acx_cv_lib_openssl_slhdsa_support],[
+		acx_cv_lib_openssl_slhdsa_support=no
+		AC_RUN_IFELSE([
+			AC_LANG_SOURCE([[
+				#include <openssl/evp.h>
+				#include <openssl/objects.h>
+				int main()
+				{
+					EVP_PKEY_CTX *pctx =
+    					EVP_PKEY_CTX_new_from_name(NULL, "SLH-DSA-SHA2-128s", NULL);
+						if (pctx == NULL)
+							return 1;
+						EVP_PKEY_CTX_free(pctx);
+						return 0;
+				}
+			]])
+		],[
+			AC_MSG_RESULT([yes])
+			acx_cv_lib_openssl_slhdsa_support=yes
+		],[
+			AC_MSG_RESULT([no])
+			acx_cv_lib_openssl_slhdsa_support=no
+		],[
+			AC_MSG_WARN([Cannot test, SLH-DSA])
+			acx_cv_lib_openssl_slhdsa_support=no
+		])
+	])
+
+	AC_LANG_POP([C])
+
+	CPPFLAGS=$tmp_CPPFLAGS
+	LIBS=$tmp_LIBS
+	have_lib_openssl_slhdsa_support="${acx_cv_lib_openssl_slhdsa_support}"
+])

src/lib/P11Objects.cpp

@@ -1989,3 +1989,83 @@ bool P11DHDomainObj::init(OSObject *inobject)
 	initialized = true;
 	return true;
 }
+
+// Constructor
+P11SLHDSAPublicKeyObj::P11SLHDSAPublicKeyObj()
+{
+	initialized = false;
+}
+
+// Add attributes
+bool P11SLHDSAPublicKeyObj::init(OSObject *inobject)
+{
+	if (initialized) return true;
+	if (inobject == NULL) return false;
+
+	if (!inobject->attributeExists(CKA_KEY_TYPE) || inobject->getUnsignedLongValue(CKA_KEY_TYPE, CKK_VENDOR_DEFINED) != CKK_SLH_DSA) {
+		OSAttribute setKeyType((unsigned long)CKK_SLH_DSA);
+		inobject->setAttribute(CKA_KEY_TYPE, setKeyType);
+	}
+
+	// Create parent
+	if (!P11PublicKeyObj::init(inobject)) return false;
+
+	// Create attributes
+	P11Attribute* attrParameterSet = new P11AttrParameterSet(osobject, P11Attribute::ck3);
+	P11Attribute* attrValue = new P11AttrValue(osobject, P11Attribute::ck1 | P11Attribute::ck4);
+
+	// Initialize the attributes
+	if (!attrParameterSet->init() || !attrValue->init()) {
+		ERROR_MSG("Could not initialize the attribute");
+		delete attrParameterSet;
+		delete attrValue;
+		return false;
+	}
+
+	// Add them to the map
+	attributes[attrParameterSet->getType()] = attrParameterSet;
+	attributes[attrValue->getType()] = attrValue;
+
+	initialized = true;
+	return true;
+}
+
+// Constructor
+P11SLHDSAPrivateKeyObj::P11SLHDSAPrivateKeyObj()
+{
+	initialized = false;
+}
+
+// Add attributes
+bool P11SLHDSAPrivateKeyObj::init(OSObject *inobject)
+{
+	if (initialized) return true;
+	if (inobject == NULL) return false;
+
+	if (!inobject->attributeExists(CKA_KEY_TYPE) || inobject->getUnsignedLongValue(CKA_KEY_TYPE, CKK_VENDOR_DEFINED) != CKK_SLH_DSA) {
+		OSAttribute setKeyType((unsigned long)CKK_SLH_DSA);
+		inobject->setAttribute(CKA_KEY_TYPE, setKeyType);
+	}
+
+	// Create parent
+	if (!P11PrivateKeyObj::init(inobject)) return false;
+
+	// Create attributes
+	P11Attribute* attrParameterSet = new P11AttrParameterSet(osobject, P11Attribute::ck4 | P11Attribute::ck6);
+	P11Attribute* attrValue = new P11AttrValue(osobject, P11Attribute::ck1 | P11Attribute::ck4 | P11Attribute::ck6 | P11Attribute::ck7);
+
+	// Initialize the attributes
+	if (!attrParameterSet->init() || !attrValue->init()) {
+		ERROR_MSG("Could not initialize the attribute");
+		delete attrParameterSet;
+		delete attrValue;
+		return false;
+	}
+
+	// Add them to the map
+	attributes[attrParameterSet->getType()] = attrParameterSet;
+	attributes[attrValue->getType()] = attrValue;
+
+	initialized = true;
+	return true;
+}

src/lib/P11Objects.h

@@ -447,4 +447,35 @@ class P11DHDomainObj : public P11DomainObj
 	bool initialized;
 };
 
+/** \brief SLH-DSA public key object */
+class P11SLHDSAPublicKeyObj : public P11PublicKeyObj
+{
+public:
+	/** \brief Constructor */
+	P11SLHDSAPublicKeyObj();
+
+	/** \brief Initialize the object */
+	virtual bool init(OSObject *inobject);
+
+protected:
+	/** \brief Is the object initialized? */
+	bool initialized;
+};
+
+/** \brief SLH-DSA private key object */
+class P11SLHDSAPrivateKeyObj : public P11PrivateKeyObj
+{
+public:
+	/** \brief Constructor */
+	P11SLHDSAPrivateKeyObj();
+
+	/** \brief Initialize the object */
+	virtual bool init(OSObject *inobject);
+
+protected:
+	/** \brief Is the object initialized? */
+	bool initialized;
+};
+
 #endif // !_SOFTHSM_V2_P11OBJECTS_H
+