| /* |
| * The LM-OTS one-time public-key signature scheme |
| * |
| * Copyright The Mbed TLS Contributors |
| * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
| */ |
| |
| /* |
| * The following sources were referenced in the design of this implementation |
| * of the LM-OTS algorithm: |
| * |
| * [1] IETF RFC8554 |
| * D. McGrew, M. Curcio, S.Fluhrer |
| * https://datatracker.ietf.org/doc/html/rfc8554 |
| * |
| * [2] NIST Special Publication 800-208 |
| * David A. Cooper et. al. |
| * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf |
| */ |
| |
| #include "common.h" |
| |
| #if defined(MBEDTLS_LMS_C) |
| |
| #include <string.h> |
| |
| #include "lmots.h" |
| |
| #include "mbedtls/lms.h" |
| #include "mbedtls/platform_util.h" |
| #include "mbedtls/error.h" |
| #include "psa_util_internal.h" |
| |
| #include "psa/crypto.h" |
| |
| /* Define a local translating function to save code size by not using too many |
| * arguments in each translating place. */ |
| static int local_err_translation(psa_status_t status) |
| { |
| return psa_status_to_mbedtls(status, psa_to_lms_errors, |
| ARRAY_LENGTH(psa_to_lms_errors), |
| psa_generic_status_to_mbedtls); |
| } |
| #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) |
| |
| #define PUBLIC_KEY_TYPE_OFFSET (0) |
| #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \ |
| MBEDTLS_LMOTS_TYPE_LEN) |
| #define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \ |
| MBEDTLS_LMOTS_I_KEY_ID_LEN) |
| #define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \ |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN) |
| |
| /* We only support parameter sets that use 8-bit digits, as it does not require |
| * translation logic between digits and bytes */ |
| #define W_WINTERNITZ_PARAMETER (8u) |
| #define CHECKSUM_LEN (2) |
| #define I_DIGIT_IDX_LEN (2) |
| #define J_HASH_IDX_LEN (1) |
| #define D_CONST_LEN (2) |
| |
| #define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u) |
| |
| #define D_CONST_LEN (2) |
| static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 }; |
| static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 }; |
| |
| #if defined(MBEDTLS_TEST_HOOKS) |
| int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL; |
| #endif /* defined(MBEDTLS_TEST_HOOKS) */ |
| |
| /* Calculate the checksum digits that are appended to the end of the LMOTS digit |
| * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of |
| * the checksum algorithm. |
| * |
| * params The LMOTS parameter set, I and q values which |
| * describe the key being used. |
| * |
| * digest The digit string to create the digest from. As |
| * this does not contain a checksum, it is the same |
| * size as a hash output. |
| */ |
| static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params, |
| const unsigned char *digest) |
| { |
| size_t idx; |
| unsigned sum = 0; |
| |
| for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) { |
| sum += DIGIT_MAX_VALUE - digest[idx]; |
| } |
| |
| return sum; |
| } |
| |
| /* Create the string of digest digits (in the base determined by the Winternitz |
| * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST |
| * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm |
| * 4b step 3) for details. |
| * |
| * params The LMOTS parameter set, I and q values which |
| * describe the key being used. |
| * |
| * msg The message that will be hashed to create the |
| * digest. |
| * |
| * msg_size The size of the message. |
| * |
| * C_random_value The random value that will be combined with the |
| * message digest. This is always the same size as a |
| * hash output for whichever hash algorithm is |
| * determined by the parameter set. |
| * |
| * output An output containing the digit string (+ |
| * checksum) of length P digits (in the case of |
| * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of |
| * size P bytes). |
| */ |
| static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params, |
| const unsigned char *msg, |
| size_t msg_len, |
| const unsigned char *C_random_value, |
| unsigned char *out) |
| { |
| psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; |
| psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| size_t output_hash_len; |
| unsigned short checksum; |
| |
| status = psa_hash_setup(&op, PSA_ALG_SHA_256); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, params->I_key_identifier, |
| MBEDTLS_LMOTS_I_KEY_ID_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, params->q_leaf_identifier, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, C_random_value, |
| MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type)); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, msg, msg_len); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_finish(&op, out, |
| MBEDTLS_LMOTS_N_HASH_LEN(params->type), |
| &output_hash_len); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| checksum = lmots_checksum_calculate(params, out); |
| MBEDTLS_PUT_UINT16_BE(checksum, out, MBEDTLS_LMOTS_N_HASH_LEN(params->type)); |
| |
| exit: |
| psa_hash_abort(&op); |
| |
| return PSA_TO_MBEDTLS_ERR(status); |
| } |
| |
| /* Hash each element of the string of digits (+ checksum), producing a hash |
| * output for each element. This is used in several places (by varying the |
| * hash_idx_min/max_values) in order to calculate a public key from a private |
| * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554 |
| * Algorithm 3 step 5), and to calculate a public key candidate from a |
| * signature and message (RFC8554 Algorithm 4b step 3). |
| * |
| * params The LMOTS parameter set, I and q values which |
| * describe the key being used. |
| * |
| * x_digit_array The array of digits (of size P, 34 in the case of |
| * MBEDTLS_LMOTS_SHA256_N32_W8). |
| * |
| * hash_idx_min_values An array of the starting values of the j iterator |
| * for each of the members of the digit array. If |
| * this value in NULL, then all iterators will start |
| * at 0. |
| * |
| * hash_idx_max_values An array of the upper bound values of the j |
| * iterator for each of the members of the digit |
| * array. If this value in NULL, then iterator is |
| * bounded to be less than 2^w - 1 (255 in the case |
| * of MBEDTLS_LMOTS_SHA256_N32_W8) |
| * |
| * output An array containing a hash output for each member |
| * of the digit string P. In the case of |
| * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 * |
| * 34. |
| */ |
| static int hash_digit_array(const mbedtls_lmots_parameters_t *params, |
| const unsigned char *x_digit_array, |
| const unsigned char *hash_idx_min_values, |
| const unsigned char *hash_idx_max_values, |
| unsigned char *output) |
| { |
| unsigned int i_digit_idx; |
| unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN]; |
| unsigned int j_hash_idx; |
| unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN]; |
| unsigned int j_hash_idx_min; |
| unsigned int j_hash_idx_max; |
| psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; |
| psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| size_t output_hash_len; |
| unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; |
| |
| for (i_digit_idx = 0; |
| i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type); |
| i_digit_idx++) { |
| |
| memcpy(tmp_hash, |
| &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)], |
| MBEDTLS_LMOTS_N_HASH_LEN(params->type)); |
| |
| j_hash_idx_min = hash_idx_min_values != NULL ? |
| hash_idx_min_values[i_digit_idx] : 0; |
| j_hash_idx_max = hash_idx_max_values != NULL ? |
| hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE; |
| |
| for (j_hash_idx = j_hash_idx_min; |
| j_hash_idx < j_hash_idx_max; |
| j_hash_idx++) { |
| status = psa_hash_setup(&op, PSA_ALG_SHA_256); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, |
| params->I_key_identifier, |
| MBEDTLS_LMOTS_I_KEY_ID_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, |
| params->q_leaf_identifier, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0); |
| status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| j_hash_idx_bytes[0] = (uint8_t) j_hash_idx; |
| status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, tmp_hash, |
| MBEDTLS_LMOTS_N_HASH_LEN(params->type)); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash), |
| &output_hash_len); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| psa_hash_abort(&op); |
| } |
| |
| memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)], |
| tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type)); |
| } |
| |
| exit: |
| psa_hash_abort(&op); |
| mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash)); |
| |
| return PSA_TO_MBEDTLS_ERR(status); |
| } |
| |
| /* Combine the hashes of the digit array into a public key. This is used in |
| * in order to calculate a public key from a private key (RFC8554 Algorithm 1 |
| * step 4), and to calculate a public key candidate from a signature and message |
| * (RFC8554 Algorithm 4b step 3). |
| * |
| * params The LMOTS parameter set, I and q values which describe |
| * the key being used. |
| * y_hashed_digits The array of hashes, one hash for each digit of the |
| * symbol array (which is of size P, 34 in the case of |
| * MBEDTLS_LMOTS_SHA256_N32_W8) |
| * |
| * pub_key The output public key (or candidate public key in |
| * case this is being run as part of signature |
| * verification), in the form of a hash output. |
| */ |
| static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params, |
| const unsigned char *y_hashed_digits, |
| unsigned char *pub_key) |
| { |
| psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; |
| psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| size_t output_hash_len; |
| |
| status = psa_hash_setup(&op, PSA_ALG_SHA_256); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, |
| params->I_key_identifier, |
| MBEDTLS_LMOTS_I_KEY_ID_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, params->q_leaf_identifier, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, y_hashed_digits, |
| MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) * |
| MBEDTLS_LMOTS_N_HASH_LEN(params->type)); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_finish(&op, pub_key, |
| MBEDTLS_LMOTS_N_HASH_LEN(params->type), |
| &output_hash_len); |
| if (status != PSA_SUCCESS) { |
| |
| exit: |
| psa_hash_abort(&op); |
| } |
| |
| return PSA_TO_MBEDTLS_ERR(status); |
| } |
| |
| #if !defined(MBEDTLS_DEPRECATED_REMOVED) |
| int mbedtls_lms_error_from_psa(psa_status_t status) |
| { |
| switch (status) { |
| case PSA_SUCCESS: |
| return 0; |
| case PSA_ERROR_HARDWARE_FAILURE: |
| return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; |
| case PSA_ERROR_NOT_SUPPORTED: |
| return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; |
| case PSA_ERROR_BUFFER_TOO_SMALL: |
| return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL; |
| case PSA_ERROR_INVALID_ARGUMENT: |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| default: |
| return MBEDTLS_ERR_ERROR_GENERIC_ERROR; |
| } |
| } |
| #endif /* !MBEDTLS_DEPRECATED_REMOVED */ |
| |
| void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx) |
| { |
| memset(ctx, 0, sizeof(*ctx)); |
| } |
| |
| void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx) |
| { |
| mbedtls_platform_zeroize(ctx, sizeof(*ctx)); |
| } |
| |
| int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx, |
| const unsigned char *key, size_t key_len) |
| { |
| if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| ctx->params.type = (mbedtls_lmots_algorithm_type_t) |
| MBEDTLS_GET_UINT32_BE(key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET); |
| |
| if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| memcpy(ctx->params.I_key_identifier, |
| key + PUBLIC_KEY_I_KEY_ID_OFFSET, |
| MBEDTLS_LMOTS_I_KEY_ID_LEN); |
| |
| memcpy(ctx->params.q_leaf_identifier, |
| key + PUBLIC_KEY_Q_LEAF_ID_OFFSET, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN); |
| |
| memcpy(ctx->public_key, |
| key + PUBLIC_KEY_KEY_HASH_OFFSET, |
| MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type)); |
| |
| ctx->have_public_key = 1; |
| |
| return 0; |
| } |
| |
| int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx, |
| unsigned char *key, size_t key_size, |
| size_t *key_len) |
| { |
| if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) { |
| return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL; |
| } |
| |
| if (!ctx->have_public_key) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| MBEDTLS_PUT_UINT32_BE(ctx->params.type, key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET); |
| |
| memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET, |
| ctx->params.I_key_identifier, |
| MBEDTLS_LMOTS_I_KEY_ID_LEN); |
| |
| memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET, |
| ctx->params.q_leaf_identifier, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN); |
| |
| memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key, |
| MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type)); |
| |
| if (key_len != NULL) { |
| *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type); |
| } |
| |
| return 0; |
| } |
| |
| int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params, |
| const unsigned char *msg, |
| size_t msg_size, |
| const unsigned char *sig, |
| size_t sig_size, |
| unsigned char *out, |
| size_t out_size, |
| size_t *out_len) |
| { |
| unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX]; |
| unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| if (msg == NULL && msg_size != 0) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) || |
| out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| ret = create_digit_array_with_checksum(params, msg, msg_size, |
| sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, |
| tmp_digit_array); |
| if (ret) { |
| return ret; |
| } |
| |
| ret = hash_digit_array(params, |
| sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type), |
| tmp_digit_array, NULL, (unsigned char *) y_hashed_digits); |
| if (ret) { |
| return ret; |
| } |
| |
| ret = public_key_from_hashed_digit_array(params, |
| (unsigned char *) y_hashed_digits, |
| out); |
| if (ret) { |
| return ret; |
| } |
| |
| if (out_len != NULL) { |
| *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type); |
| } |
| |
| return 0; |
| } |
| |
| int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx, |
| const unsigned char *msg, size_t msg_size, |
| const unsigned char *sig, size_t sig_size) |
| { |
| unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| if (msg == NULL && msg_size != 0) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| if (!ctx->have_public_key) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) { |
| return MBEDTLS_ERR_LMS_VERIFY_FAILED; |
| } |
| |
| if (MBEDTLS_GET_UINT32_BE(sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET) != MBEDTLS_LMOTS_SHA256_N32_W8) { |
| return MBEDTLS_ERR_LMS_VERIFY_FAILED; |
| } |
| |
| ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params, |
| msg, msg_size, sig, sig_size, |
| Kc_public_key_candidate, |
| MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type), |
| NULL); |
| if (ret) { |
| return MBEDTLS_ERR_LMS_VERIFY_FAILED; |
| } |
| |
| if (memcmp(&Kc_public_key_candidate, ctx->public_key, |
| sizeof(ctx->public_key))) { |
| return MBEDTLS_ERR_LMS_VERIFY_FAILED; |
| } |
| |
| return 0; |
| } |
| |
| #if defined(MBEDTLS_LMS_PRIVATE) |
| |
| void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx) |
| { |
| memset(ctx, 0, sizeof(*ctx)); |
| } |
| |
| void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx) |
| { |
| mbedtls_platform_zeroize(ctx, |
| sizeof(*ctx)); |
| } |
| |
| int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx, |
| mbedtls_lmots_algorithm_type_t type, |
| const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN], |
| uint32_t q_leaf_identifier, |
| const unsigned char *seed, |
| size_t seed_size) |
| { |
| psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; |
| psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| size_t output_hash_len; |
| unsigned int i_digit_idx; |
| unsigned char i_digit_idx_bytes[2]; |
| unsigned char const_bytes[1] = { 0xFF }; |
| |
| if (ctx->have_private_key) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| if (type != MBEDTLS_LMOTS_SHA256_N32_W8) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| ctx->params.type = type; |
| |
| memcpy(ctx->params.I_key_identifier, |
| I_key_identifier, |
| sizeof(ctx->params.I_key_identifier)); |
| |
| MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, ctx->params.q_leaf_identifier, 0); |
| |
| for (i_digit_idx = 0; |
| i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type); |
| i_digit_idx++) { |
| status = psa_hash_setup(&op, PSA_ALG_SHA_256); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, |
| ctx->params.I_key_identifier, |
| sizeof(ctx->params.I_key_identifier)); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, |
| ctx->params.q_leaf_identifier, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0); |
| status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, const_bytes, sizeof(const_bytes)); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_update(&op, seed, seed_size); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| status = psa_hash_finish(&op, |
| ctx->private_key[i_digit_idx], |
| MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type), |
| &output_hash_len); |
| if (status != PSA_SUCCESS) { |
| goto exit; |
| } |
| |
| psa_hash_abort(&op); |
| } |
| |
| ctx->have_private_key = 1; |
| |
| exit: |
| psa_hash_abort(&op); |
| |
| return PSA_TO_MBEDTLS_ERR(status); |
| } |
| |
| int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx, |
| const mbedtls_lmots_private_t *priv_ctx) |
| { |
| unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| /* Check that a private key is loaded */ |
| if (!priv_ctx->have_private_key) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| ret = hash_digit_array(&priv_ctx->params, |
| (unsigned char *) priv_ctx->private_key, NULL, |
| NULL, (unsigned char *) y_hashed_digits); |
| if (ret) { |
| goto exit; |
| } |
| |
| ret = public_key_from_hashed_digit_array(&priv_ctx->params, |
| (unsigned char *) y_hashed_digits, |
| ctx->public_key); |
| if (ret) { |
| goto exit; |
| } |
| |
| memcpy(&ctx->params, &priv_ctx->params, |
| sizeof(ctx->params)); |
| |
| ctx->have_public_key = 1; |
| |
| exit: |
| mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits)); |
| |
| return ret; |
| } |
| |
| int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx, |
| int (*f_rng)(void *, unsigned char *, size_t), |
| void *p_rng, const unsigned char *msg, size_t msg_size, |
| unsigned char *sig, size_t sig_size, size_t *sig_len) |
| { |
| unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX]; |
| /* Create a temporary buffer to prepare the signature in. This allows us to |
| * finish creating a signature (ensuring the process doesn't fail), and then |
| * erase the private key **before** writing any data into the sig parameter |
| * buffer. If data were directly written into the sig buffer, it might leak |
| * a partial signature on failure, which effectively compromises the private |
| * key. |
| */ |
| unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; |
| unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| if (msg == NULL && msg_size != 0) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) { |
| return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL; |
| } |
| |
| /* Check that a private key is loaded */ |
| if (!ctx->have_private_key) { |
| return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; |
| } |
| |
| ret = f_rng(p_rng, tmp_c_random, |
| MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type)); |
| if (ret) { |
| return ret; |
| } |
| |
| ret = create_digit_array_with_checksum(&ctx->params, |
| msg, msg_size, |
| tmp_c_random, |
| tmp_digit_array); |
| if (ret) { |
| goto exit; |
| } |
| |
| ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key, |
| NULL, tmp_digit_array, (unsigned char *) tmp_sig); |
| if (ret) { |
| goto exit; |
| } |
| |
| MBEDTLS_PUT_UINT32_BE(ctx->params.type, sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET); |
| |
| /* Test hook to check if sig is being written to before we invalidate the |
| * private key. |
| */ |
| #if defined(MBEDTLS_TEST_HOOKS) |
| if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) { |
| ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig); |
| if (ret != 0) { |
| return ret; |
| } |
| } |
| #endif /* defined(MBEDTLS_TEST_HOOKS) */ |
| |
| /* We've got a valid signature now, so it's time to make sure the private |
| * key can't be reused. |
| */ |
| ctx->have_private_key = 0; |
| mbedtls_platform_zeroize(ctx->private_key, |
| sizeof(ctx->private_key)); |
| |
| memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random, |
| MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type)); |
| |
| memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig, |
| MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type) |
| * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type)); |
| |
| if (sig_len != NULL) { |
| *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type); |
| } |
| |
| ret = 0; |
| |
| exit: |
| mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array)); |
| mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig)); |
| |
| return ret; |
| } |
| |
| #endif /* defined(MBEDTLS_LMS_PRIVATE) */ |
| #endif /* defined(MBEDTLS_LMS_C) */ |