fix pqc signature hash binding

TJ-91 · TJ-91 · commit 3fe4fb5140e3 · 2024-11-04T16:44:11.000+01:00
diff --git a/src/lib/crypto/dilithium.cpp b/src/lib/crypto/dilithium.cpp
@@ -25,6 +25,8 @@
  */
 
 #include "dilithium.h"
+#include "logging.h"
+#include "types.h"
 #include <cassert>
 
 namespace {
@@ -119,19 +121,45 @@ pgp_dilithium_private_key_t::is_valid(rnp::RNG *rng) const
 }
 
 bool
-dilithium_hash_allowed(pgp_hash_alg_t hash_alg)
+dilithium_hash_allowed(pgp_pubkey_alg_t pk_alg, pgp_hash_alg_t hash_alg)
 {
-    switch (hash_alg) {
-    case PGP_HASH_SHA3_256:
-    case PGP_HASH_SHA3_512:
-        return true;
+    switch (pk_alg) {
+    case PGP_PKA_DILITHIUM3_ED25519:
+        FALLTHROUGH_STATEMENT;
+    case PGP_PKA_DILITHIUM3_P256:
+        FALLTHROUGH_STATEMENT;
+    case PGP_PKA_DILITHIUM3_BP256:
+        return hash_alg == PGP_HASH_SHA3_256;
+    case PGP_PKA_DILITHIUM5_ED448:
+        FALLTHROUGH_STATEMENT;
+    case PGP_PKA_DILITHIUM5_P384:
+        FALLTHROUGH_STATEMENT;
+    case PGP_PKA_DILITHIUM5_BP384:
+        return hash_alg == PGP_HASH_SHA3_512;
     default:
-        return false;
+        RNP_LOG("invalid algorithm ID given");
+        throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);
     }
 }
 
 pgp_hash_alg_t
-dilithium_default_hash_alg()
+dilithium_default_hash_alg(pgp_pubkey_alg_t pk_alg)
 {
-    return PGP_HASH_SHA3_256;
+    switch (pk_alg) {
+    case PGP_PKA_DILITHIUM3_ED25519:
+        FALLTHROUGH_STATEMENT;
+    case PGP_PKA_DILITHIUM3_P256:
+        FALLTHROUGH_STATEMENT;
+    case PGP_PKA_DILITHIUM3_BP256:
+        return PGP_HASH_SHA3_256;
+    case PGP_PKA_DILITHIUM5_ED448:
+        FALLTHROUGH_STATEMENT;
+    case PGP_PKA_DILITHIUM5_P384:
+        FALLTHROUGH_STATEMENT;
+    case PGP_PKA_DILITHIUM5_BP384:
+        return PGP_HASH_SHA3_512;
+    default:
+        RNP_LOG("invalid algorithm ID given");
+        throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);
+    }
 }
diff --git a/src/lib/crypto/dilithium.h b/src/lib/crypto/dilithium.h
@@ -109,8 +109,8 @@ class pgp_dilithium_public_key_t {
 std::pair<pgp_dilithium_public_key_t, pgp_dilithium_private_key_t> dilithium_generate_keypair(
   rnp::RNG *rng, dilithium_parameter_e dilithium_param);
 
-bool dilithium_hash_allowed(pgp_hash_alg_t hash_alg);
+bool dilithium_hash_allowed(pgp_pubkey_alg_t pk_alg, pgp_hash_alg_t hash_alg);
 
-pgp_hash_alg_t dilithium_default_hash_alg();
+pgp_hash_alg_t dilithium_default_hash_alg(pgp_pubkey_alg_t pk_alg);
 
 #endif
diff --git a/src/lib/crypto/sphincsplus.cpp b/src/lib/crypto/sphincsplus.cpp
@@ -148,14 +148,6 @@ pgp_sphincsplus_generate(rnp::RNG *rng, pgp_sphincsplus_key_t *material, pgp_pub
     return RNP_SUCCESS;
 }
 
-bool
-pgp_sphincsplus_public_key_t::validate_signature_hash_requirements(
-  pgp_hash_alg_t hash_alg) const
-{
-    /* check if key is allowed with the hash algorithm */
-    return sphincsplus_hash_allowed(pk_alg_, hash_alg);
-}
-
 bool
 pgp_sphincsplus_public_key_t::is_valid(rnp::RNG *rng) const
 {
@@ -244,7 +236,7 @@ sphincsplus_hash_allowed(pgp_pubkey_alg_t pk_alg, pgp_hash_alg_t hash_alg)
         return hash_alg == PGP_HASH_SHA3_512;
     default:
         RNP_LOG("invalid algorithm ID given");
-        throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+        throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);
     }
 }
 
@@ -260,6 +252,6 @@ sphincsplus_default_hash_alg(pgp_pubkey_alg_t alg)
         return PGP_HASH_SHA3_512;
     default:
         RNP_LOG("invalid algorithm ID given");
-        throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+        throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);
     }
 }
diff --git a/src/lib/crypto/sphincsplus.h b/src/lib/crypto/sphincsplus.h
@@ -105,8 +105,6 @@ class pgp_sphincsplus_public_key_t {
 
     bool is_valid(rnp::RNG *rng) const;
 
-    bool validate_signature_hash_requirements(pgp_hash_alg_t hash_alg) const;
-
     pgp_pubkey_alg_t
     alg() const
     {
diff --git a/src/lib/generate-key.cpp b/src/lib/generate-key.cpp
@@ -232,7 +232,7 @@ pgp_check_key_hash_requirements(const rnp_keygen_crypto_params_t &crypto)
     case PGP_PKA_DILITHIUM3_BP256:
         FALLTHROUGH_STATEMENT;
     case PGP_PKA_DILITHIUM5_BP384:
-        if (!dilithium_hash_allowed(crypto.hash_alg)) {
+        if (!dilithium_hash_allowed(crypto.key_alg, crypto.hash_alg)) {
             return false;
         }
         break;
diff --git a/src/lib/key_material.cpp b/src/lib/key_material.cpp
@@ -2016,7 +2016,13 @@ DilithiumEccKeyMaterial::sign(rnp::SecurityContext &             ctx,
 pgp_hash_alg_t
 DilithiumEccKeyMaterial::adjust_hash(pgp_hash_alg_t hash) const
 {
-    return dilithium_default_hash_alg();
+    return dilithium_default_hash_alg(alg());
+}
+
+bool
+DilithiumEccKeyMaterial::sig_hash_allowed(pgp_hash_alg_t hash) const
+{
+    return dilithium_hash_allowed(alg(), hash);
 }
 
 size_t
@@ -2150,7 +2156,7 @@ SlhdsaKeyMaterial::adjust_hash(pgp_hash_alg_t hash) const
 bool
 SlhdsaKeyMaterial::sig_hash_allowed(pgp_hash_alg_t hash) const
 {
-    return key_.pub.validate_signature_hash_requirements(hash);
+    return sphincsplus_hash_allowed(alg(), hash);
 }
 
 size_t
diff --git a/src/lib/key_material.hpp b/src/lib/key_material.hpp
@@ -529,6 +529,7 @@ class DilithiumEccKeyMaterial : public KeyMaterial {
                         pgp_signature_material_t &         sig,
                         const rnp::secure_vector<uint8_t> &hash) const override;
     pgp_hash_alg_t adjust_hash(pgp_hash_alg_t hash) const override;
+    bool           sig_hash_allowed(pgp_hash_alg_t hash) const override;
     size_t         bits() const noexcept override;
 
     const pgp_dilithium_exdsa_composite_public_key_t & pub() const noexcept;
diff --git a/src/rnpkeys/tui.cpp b/src/rnpkeys/tui.cpp
@@ -348,7 +348,7 @@ rnpkeys_ask_generate_params(rnp_cfg &cfg, FILE *input_fp)
             break;
         case 26:
             cfg.set_str(CFG_KG_PRIMARY_ALG, RNP_ALGNAME_DILITHIUM5_ED448);
-            cfg.set_str(CFG_KG_HASH, RNP_ALGNAME_SHA3_256);
+            cfg.set_str(CFG_KG_HASH, RNP_ALGNAME_SHA3_512);
             cfg.set_str(CFG_KG_SUBKEY_ALG, RNP_ALGNAME_KYBER1024_X448);
             cfg.set_str(CFG_KG_V6_KEY, "true");
             break;
@@ -360,7 +360,7 @@ rnpkeys_ask_generate_params(rnp_cfg &cfg, FILE *input_fp)
             break;
         case 28:
             cfg.set_str(CFG_KG_PRIMARY_ALG, RNP_ALGNAME_DILITHIUM5_P384);
-            cfg.set_str(CFG_KG_HASH, RNP_ALGNAME_SHA3_256);
+            cfg.set_str(CFG_KG_HASH, RNP_ALGNAME_SHA3_512);
             cfg.set_str(CFG_KG_SUBKEY_ALG, RNP_ALGNAME_KYBER1024_P384);
             cfg.set_str(CFG_KG_V6_KEY, "true");
             break;
@@ -372,7 +372,7 @@ rnpkeys_ask_generate_params(rnp_cfg &cfg, FILE *input_fp)
             break;
         case 30:
             cfg.set_str(CFG_KG_PRIMARY_ALG, RNP_ALGNAME_DILITHIUM5_BP384);
-            cfg.set_str(CFG_KG_HASH, RNP_ALGNAME_SHA3_256);
+            cfg.set_str(CFG_KG_HASH, RNP_ALGNAME_SHA3_512);
             cfg.set_str(CFG_KG_SUBKEY_ALG, RNP_ALGNAME_KYBER1024_BP384);
             cfg.set_str(CFG_KG_V6_KEY, "true");
             break;

Original file line number	Diff line number	Diff line change
`@@ -148,14 +148,6 @@ pgp_sphincsplus_generate(rnp::RNG rng, pgp_sphincsplus_key_t material, pgp_pub`
`148`	`148`	`return RNP_SUCCESS;`
`149`	`149`	`}`
`150`	`150`
`151`		`-bool`
`152`		`-pgp_sphincsplus_public_key_t::validate_signature_hash_requirements(`
`153`		`- pgp_hash_alg_t hash_alg) const`
`154`		`-{`
`155`		`- /* check if key is allowed with the hash algorithm */`
`156`		`- return sphincsplus_hash_allowed(pk_alg_, hash_alg);`
`157`		`-}`
`158`		`-`
`159`	`151`	`bool`
`160`	`152`	`pgp_sphincsplus_public_key_t::is_valid(rnp::RNG *rng) const`
`161`	`153`	`{`
`@@ -244,7 +236,7 @@ sphincsplus_hash_allowed(pgp_pubkey_alg_t pk_alg, pgp_hash_alg_t hash_alg)`
`244`	`236`	`return hash_alg == PGP_HASH_SHA3_512;`
`245`	`237`	`default:`
`246`	`238`	`RNP_LOG("invalid algorithm ID given");`
`247`		`- throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);`
	`239`	`+ throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);`
`248`	`240`	`}`
`249`	`241`	`}`
`250`	`242`
`@@ -260,6 +252,6 @@ sphincsplus_default_hash_alg(pgp_pubkey_alg_t alg)`
`260`	`252`	`return PGP_HASH_SHA3_512;`
`261`	`253`	`default:`
`262`	`254`	`RNP_LOG("invalid algorithm ID given");`
`263`		`- throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);`
	`255`	`+ throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);`
`264`	`256`	`}`
`265`	`257`	`}`
Original file line number	Diff line number	Diff line change
`@@ -105,8 +105,6 @@ class pgp_sphincsplus_public_key_t {`
`105`	`105`
`106`	`106`	`bool is_valid(rnp::RNG *rng) const;`
`107`	`107`
`108`		`- bool validate_signature_hash_requirements(pgp_hash_alg_t hash_alg) const;`
`109`		`-`
`110`	`108`	`pgp_pubkey_alg_t`
`111`	`109`	`alg() const`
`112`	`110`	`{`
Original file line number	Diff line number	Diff line change
`@@ -232,7 +232,7 @@ pgp_check_key_hash_requirements(const rnp_keygen_crypto_params_t &crypto)`
`232`	`232`	`case PGP_PKA_DILITHIUM3_BP256:`
`233`	`233`	`FALLTHROUGH_STATEMENT;`
`234`	`234`	`case PGP_PKA_DILITHIUM5_BP384:`
`235`		`- if (!dilithium_hash_allowed(crypto.hash_alg)) {`
	`235`	`+ if (!dilithium_hash_allowed(crypto.key_alg, crypto.hash_alg)) {`
`236`	`236`	`return false;`
`237`	`237`	`}`
`238`	`238`	`break;`
Original file line number	Diff line number	Diff line change
`@@ -2016,7 +2016,13 @@ DilithiumEccKeyMaterial::sign(rnp::SecurityContext & ctx,`
`2016`	`2016`	`pgp_hash_alg_t`
`2017`	`2017`	`DilithiumEccKeyMaterial::adjust_hash(pgp_hash_alg_t hash) const`
`2018`	`2018`	`{`
`2019`		`- return dilithium_default_hash_alg();`
	`2019`	`+ return dilithium_default_hash_alg(alg());`
	`2020`	`+}`
	`2021`	`+`
	`2022`	`+bool`
	`2023`	`+DilithiumEccKeyMaterial::sig_hash_allowed(pgp_hash_alg_t hash) const`
	`2024`	`+{`
	`2025`	`+ return dilithium_hash_allowed(alg(), hash);`
`2020`	`2026`	`}`
`2021`	`2027`
`2022`	`2028`	`size_t`
`@@ -2150,7 +2156,7 @@ SlhdsaKeyMaterial::adjust_hash(pgp_hash_alg_t hash) const`
`2150`	`2156`	`bool`
`2151`	`2157`	`SlhdsaKeyMaterial::sig_hash_allowed(pgp_hash_alg_t hash) const`
`2152`	`2158`	`{`
`2153`		`- return key_.pub.validate_signature_hash_requirements(hash);`
	`2159`	`+ return sphincsplus_hash_allowed(alg(), hash);`
`2154`	`2160`	`}`
`2155`	`2161`
`2156`	`2162`	`size_t`