crypto: Add SLH-DSA algorithms for sign/verify

lib/crypto/c_src/algorithms.c

@@ -26,6 +26,7 @@
 #include "mac.h"
 #ifdef HAS_3_0_API
 #include "digest.h"
+#include "pkey.h"
 #endif
 
 #ifdef HAS_3_0_API
@@ -36,7 +37,7 @@ void init_hash_types(ErlNifEnv* env);
 #endif
 
 static unsigned int algo_pubkey_cnt, algo_pubkey_fips_cnt;
-static ERL_NIF_TERM algo_pubkey[12]; /* increase when extending the list */
+static ERL_NIF_TERM algo_pubkey[16]; /* increase when extending the list */
 void init_pubkey_types(ErlNifEnv* env);
 
 static ERL_NIF_TERM algo_curve[2][89]; /* increase when extending the list */
@@ -160,10 +161,14 @@ void init_hash_types(ErlNifEnv* env) {
 
 ERL_NIF_TERM pubkey_algorithms(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
 {
-    unsigned int cnt  =
-        FIPS_MODE() ? algo_pubkey_fips_cnt : algo_pubkey_cnt;
+    const bool fips = FIPS_MODE();
+    unsigned int cnt  = fips ? algo_pubkey_fips_cnt : algo_pubkey_cnt;
+    ERL_NIF_TERM list = enif_make_list_from_array(env, algo_pubkey, cnt);
 
-    return enif_make_list_from_array(env, algo_pubkey, cnt);
+#ifdef HAS_3_0_API
+    list = build_pkey_type_list(env, list, fips);
+#endif
+    return list;
 }
 
 void init_pubkey_types(ErlNifEnv* env) {
@@ -193,11 +198,6 @@ void init_pubkey_types(ErlNifEnv* env) {
     algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "eddh");
 #endif
     algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "srp");
-#ifdef HAVE_ML_DSA
-    algo_pubkey[algo_pubkey_cnt++] = atom_mldsa44;
-    algo_pubkey[algo_pubkey_cnt++] = atom_mldsa65;
-    algo_pubkey[algo_pubkey_cnt++] = atom_mldsa87;
-#endif
     ASSERT(algo_pubkey_cnt <= sizeof(algo_pubkey)/sizeof(ERL_NIF_TERM));
 }
 

lib/crypto/c_src/atoms.c

@@ -151,13 +151,8 @@ ERL_NIF_TERM atom_key_id;
 ERL_NIF_TERM atom_password;
 #endif
 
-#ifdef HAVE_ML_DSA
-ERL_NIF_TERM atom_mldsa44;
-ERL_NIF_TERM atom_mldsa65;
-ERL_NIF_TERM atom_mldsa87;
 ERL_NIF_TERM atom_seed;
 ERL_NIF_TERM atom_expandedkey;
-#endif
 
 #ifdef HAVE_ML_KEM
 ERL_NIF_TERM atom_mlkem512;
@@ -288,13 +283,8 @@ int init_atoms(ErlNifEnv *env) {
     atom_password = enif_make_atom(env,"password");
 #endif
 
-#ifdef HAVE_ML_DSA
-    atom_mldsa44 = enif_make_atom(env,"mldsa44");
-    atom_mldsa65 = enif_make_atom(env,"mldsa65");
-    atom_mldsa87 = enif_make_atom(env,"mldsa87");
     atom_seed = enif_make_atom(env,"seed");
     atom_expandedkey = enif_make_atom(env,"expandedkey");
-#endif
 #ifdef HAVE_ML_KEM
     atom_mlkem512  = enif_make_atom(env,"mlkem512");
     atom_mlkem768  = enif_make_atom(env,"mlkem768");

lib/crypto/c_src/atoms.h

@@ -150,13 +150,8 @@ extern ERL_NIF_TERM atom_key_id;
 extern ERL_NIF_TERM atom_password;
 #endif
 
-#ifdef HAVE_ML_DSA
-extern ERL_NIF_TERM atom_mldsa44;
-extern ERL_NIF_TERM atom_mldsa65;
-extern ERL_NIF_TERM atom_mldsa87;
 extern ERL_NIF_TERM atom_seed;
 extern ERL_NIF_TERM atom_expandedkey;
-#endif
 #ifdef HAVE_ML_KEM
 extern ERL_NIF_TERM atom_mlkem512;
 extern ERL_NIF_TERM atom_mlkem768;

lib/crypto/c_src/crypto.c

@@ -102,6 +102,7 @@ static ErlNifFunc nif_funcs[] = {
 
     {"pbkdf2_hmac_nif", 5, pbkdf2_hmac_nif, 0},
     {"pkey_sign_nif", 5, pkey_sign_nif, 0},
+    {"pkey_sign_heavy_nif", 5, pkey_sign_heavy_nif, ERL_NIF_DIRTY_JOB_CPU_BOUND},
     {"pkey_verify_nif", 6, pkey_verify_nif, 0},
     {"pkey_crypt_nif", 6, pkey_crypt_nif, 0},
     {"encapsulate_key_nif", 2, encapsulate_key_nif, 0},
@@ -275,9 +276,8 @@ static int initialize(ErlNifEnv* env, ERL_NIF_TERM load_info)
         /* Don't fail loading if the legacy provider is missing */
         prov_cnt++;
     }
-    prefetched_sign_algo_init();
-
 #endif
+    prefetched_sign_algo_init(env);
 
     if (!init_atoms(env)) {
         ret = __LINE__; goto done;

lib/crypto/c_src/evp.c

@@ -38,7 +38,7 @@ ERL_NIF_TERM encapsulate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM ar
     ERL_NIF_TERM ret;
 
     if (!get_pkey_from_octet_string(env, argv[0], argv[1], PKEY_PUB,
-                                    &peer_pkey, &ret)) {
+                                    NULL, &peer_pkey, &ret)) {
         goto err;
     }
 
@@ -92,7 +92,7 @@ ERL_NIF_TERM decapsulate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM ar
         assign_goto(ret, err, EXCP_ERROR_N(env, 2, "Invalid encapsulated secret"));
     }
     if (!get_pkey_from_octet_string(env, argv[0], argv[1], PKEY_PRIV,
-                                    &my_pkey, &ret)) {
+                                    NULL, &my_pkey, &ret)) {
         goto err;
     }
 
@@ -229,8 +229,12 @@ ERL_NIF_TERM evp_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM a
     ErlNifBinary prv_key;
     size_t key_len;
     unsigned char *out_pub = NULL, *out_priv = NULL;
+    struct pkey_type_t *pkey_type = get_pkey_type(argv[0]);
 
-    if (argv[0] == atom_x25519)
+    if (pkey_type) {
+        type = pkey_type->evp_pkey_id;
+    }
+    else if (argv[0] == atom_x25519)
         type = EVP_PKEY_X25519;
 #ifdef HAVE_X448
     else if (argv[0] == atom_x448)
@@ -242,15 +246,6 @@ ERL_NIF_TERM evp_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM a
     else if (argv[0] == atom_ed448)
         type = EVP_PKEY_ED448;
 #endif
-#ifdef HAVE_ML_DSA
-    else if (argv[0] == atom_mldsa44) {
-        type = EVP_PKEY_ML_DSA_44;
-    } else if (argv[0] == atom_mldsa65) {
-        type = EVP_PKEY_ML_DSA_65;
-    } else if (argv[0] == atom_mldsa87) {
-        type = EVP_PKEY_ML_DSA_87;
-    }
-#endif
 #ifdef HAVE_ML_KEM
     else if (argv[0] == atom_mlkem512) {
         type = NID_ML_KEM_512;

lib/crypto/c_src/openssl_config.h

@@ -389,13 +389,20 @@
 #endif
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(3,4,0)
+#  define HAS_PREFETCH_SIGN_INIT
+#endif
+
 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(3,5,0)
 #  ifndef OPENSSL_NO_ML_KEM
 #    define HAVE_ML_KEM
 #  endif
 #  ifndef OPENSSL_NO_ML_DSA
 #    define HAVE_ML_DSA
 #  endif
+#  ifndef OPENSSL_NO_SLH_DSA
+#    define HAVE_SLH_DSA
+#  endif
 #endif
 
 #if defined(HAS_ENGINE_SUPPORT)