update the composite to draft-ietf-lamps-pq-composite-sigs-02 (#454)

* update the composite to draft-ietf-lamps-pq-composite-sigs-02

Signed-off-by: venturf <[email protected]>

* fixed mgf1 to match values in -02

Signed-off-by: feventura <[email protected]>

* changing the condition on pss salt and mgf1, and raising an error if the right pss is not found

Signed-off-by: feventura <[email protected]>

---------

Signed-off-by: venturf <[email protected]>
Signed-off-by: feventura <[email protected]>
Co-authored-by: venturf <[email protected]>

README.md

@@ -71,7 +71,7 @@ this provider also provides different hybrid algorithms, combining classic
 and quantum-safe methods.
 There are two types of combinations:
 The Hybrids are listed above with a prefix denoting a classic algorithm, e.g., for elliptic curve: "p256_".
-The [Composite](https://datatracker.ietf.org/doc/draft-ounsworth-pq-composite-sigs/) are listed above with a suffix denoting a
+The [Composite](https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/) are listed above with a suffix denoting a
 classic algorithm, e.g., for elliptic curve: "_p256".
 
 A full list of algorithms, their interoperability code points and OIDs as well

oqs-template/generate.yml

@@ -429,7 +429,7 @@ sigs:
     #                'oid': '2.16.840.1.114027.80.1.8'}]
   -
     # The Composite OIDs are kept up to date by @feventura (Entrust)
-    # These are prototype OIDs and are in line with draft-ounsworth-pq-composite-sigs-13
+    # These are prototype OIDs and are in line with draft-ietf-lamps-pq-composite-sigs-02
     # OID scheme for composite variants:
     # joint-iso-itu-t (2)
     # country (16)

oqs-template/generate.yml-0.10.0

@@ -429,7 +429,7 @@ sigs:
     #                'oid': '2.16.840.1.114027.80.1.8'}]
   -
     # The Composite OIDs are kept up to date by @feventura (Entrust)
-    # These are prototype OIDs and are in line with draft-ounsworth-pq-composite-sigs-13
+    # These are prototype OIDs and are in line with draft-ietf-lamps-pq-composite-sigs-02
     # OID scheme for composite variants:
     # joint-iso-itu-t (2)
     # country (16)

oqsprov/oqs_sig.c

@@ -515,14 +515,32 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,
                     }
 
                     if (!strncmp(name, "pss", 3)) {
+                        int salt;
+                        const EVP_MD *pss_mgf1;
+                        if (!strncmp(name, "pss3072", 7)) {
+                            salt = 64;
+                            pss_mgf1 = EVP_sha512();
+                        } else {
+                            if (!strncmp(name, "pss2048", 7)) {
+                                salt = 32;
+                                pss_mgf1 = EVP_sha256();
+                            } else {
+                                ERR_raise(ERR_LIB_USER, ERR_R_FATAL);
+                                CompositeSignature_free(compsig);
+                                OPENSSL_free(final_tbs);
+                                OPENSSL_free(name);
+                                OPENSSL_free(buf);
+                                goto endsign;
+                            }
+                        }
                         if ((EVP_PKEY_CTX_set_rsa_padding(classical_ctx_sign,
                                                           RSA_PKCS1_PSS_PADDING)
                              <= 0)
                             || (EVP_PKEY_CTX_set_rsa_pss_saltlen(
-                                    classical_ctx_sign, 64)
+                                    classical_ctx_sign, salt)
                                 <= 0)
                             || (EVP_PKEY_CTX_set_rsa_mgf1_md(classical_ctx_sign,
-                                                             EVP_sha256())
+                                                             pss_mgf1)
                                 <= 0)) {
                             ERR_raise(ERR_LIB_USER, ERR_R_FATAL);
                             CompositeSignature_free(compsig);
@@ -860,13 +878,31 @@ static int oqs_sig_verify(void *vpoqs_sigctx, const unsigned char *sig,
                         goto endverify;
                     }
                     if (!strncmp(name, "pss", 3)) {
+                        int salt;
+                        const EVP_MD *pss_mgf1;
+                        if (!strncmp(name, "pss3072", 7)) {
+                            salt = 64;
+                            pss_mgf1 = EVP_sha512();
+                        } else {
+                            if (!strncmp(name, "pss2048", 7)) {
+                                salt = 32;
+                                pss_mgf1 = EVP_sha256();
+                            } else {
+                                ERR_raise(ERR_LIB_USER, OQSPROV_R_VERIFY_ERROR);
+                                OPENSSL_free(name);
+                                CompositeSignature_free(compsig);
+                                OPENSSL_free(final_tbs);
+                                goto endverify;
+                            }
+                        }
                         if ((EVP_PKEY_CTX_set_rsa_padding(ctx_verify,
                                                           RSA_PKCS1_PSS_PADDING)
                              <= 0)
-                            || (EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx_verify, 64)
+                            || (EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx_verify,
+                                                                 salt)
                                 <= 0)
                             || (EVP_PKEY_CTX_set_rsa_mgf1_md(ctx_verify,
-                                                             EVP_sha256())
+                                                             pss_mgf1)
                                 <= 0)) {
                             ERR_raise(ERR_LIB_USER, OQSPROV_R_WRONG_PARAMETERS);
                             OPENSSL_free(name);