首頁 探索 說明
登入
kindring
/
libpeer
1
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
目錄樹: de2c325705
分支列表 標籤列表
libpeer
/
third_party
/
mbedtls
/
library
/
lmots.c

lmots.c 29 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825 
  1. /*
    2. 

  2.  * The LM-OTS one-time public-key signature scheme
    3. 

  3.  *
    4. 

  4.  * Copyright The Mbed TLS Contributors
    5. 

  5.  *  SPDX-License-Identifier: Apache-2.0
    6. 

  6.  *
    7. 

  7.  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
    8. 

  8.  *  not use this file except in compliance with the License.
    9. 

  9.  *  You may obtain a copy of the License at
    10. 

  10.  *
    11. 

  11.  *  http://www.apache.org/licenses/LICENSE-2.0
    12. 

  12.  *
    13. 

  13.  *  Unless required by applicable law or agreed to in writing, software
    14. 

  14.  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    15. 

  15.  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    16. 

  16.  *  See the License for the specific language governing permissions and
    17. 

  17.  *  limitations under the License.
    18. 

  18.  */
    19. 

  19. 

  20. /*
    21. 

  21.  *  The following sources were referenced in the design of this implementation
    22. 

  22.  *  of the LM-OTS algorithm:
    23. 

  23.  *
    24. 

  24.  *  [1] IETF RFC8554
    25. 

  25.  *      D. McGrew, M. Curcio, S.Fluhrer
    26. 

  26.  *      https://datatracker.ietf.org/doc/html/rfc8554
    27. 

  27.  *
    28. 

  28.  *  [2] NIST Special Publication 800-208
    29. 

  29.  *      David A. Cooper et. al.
    30. 

  30.  *      https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
    31. 

  31.  */
    32. 

  32. 

  33. #include "common.h"
    34. 

  34. 

  35. #if defined(MBEDTLS_LMS_C)
    36. 

  36. 

  37. #include <string.h>
    38. 

  38. 

  39. #include "lmots.h"
    40. 

  40. 

  41. #include "mbedtls/lms.h"
    42. 

  42. #include "mbedtls/platform_util.h"
    43. 

  43. #include "mbedtls/error.h"
    44. 

  44. #include "mbedtls/psa_util.h"
    45. 

  45. 

  46. #include "psa/crypto.h"
    47. 

  47. 

  48. #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status,   \
    49. 

  49.                                                            psa_to_lms_errors,             \
    50. 

  50.                                                            psa_generic_status_to_mbedtls)
    51. 

  51. 

  52. #define PUBLIC_KEY_TYPE_OFFSET     (0)
    53. 

  53. #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
    54. 

  54.                                     MBEDTLS_LMOTS_TYPE_LEN)
    55. 

  55. #define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
    56. 

  56.                                      MBEDTLS_LMOTS_I_KEY_ID_LEN)
    57. 

  57. #define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
    58. 

  58.                                     MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
    59. 

  59. 

  60. /* We only support parameter sets that use 8-bit digits, as it does not require
    61. 

  61.  * translation logic between digits and bytes */
    62. 

  62. #define W_WINTERNITZ_PARAMETER (8u)
    63. 

  63. #define CHECKSUM_LEN           (2)
    64. 

  64. #define I_DIGIT_IDX_LEN        (2)
    65. 

  65. #define J_HASH_IDX_LEN         (1)
    66. 

  66. #define D_CONST_LEN            (2)
    67. 

  67. 

  68. #define DIGIT_MAX_VALUE        ((1u << W_WINTERNITZ_PARAMETER) - 1u)
    69. 

  69. 

  70. #define D_CONST_LEN            (2)
    71. 

  71. static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 };
    72. 

  72. static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 };
    73. 

  73. 

  74. #if defined(MBEDTLS_TEST_HOOKS)
    75. 

  75. int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL;
    76. 

  76. #endif /* defined(MBEDTLS_TEST_HOOKS) */
    77. 

  77. 

  78. void mbedtls_lms_unsigned_int_to_network_bytes(unsigned int val, size_t len,
    79. 

  79.                                                unsigned char *bytes)
    80. 

  80. {
    81. 

  81.     size_t idx;
    82. 

  82. 

  83.     for (idx = 0; idx < len; idx++) {
    84. 

  84.         bytes[idx] = (val >> ((len - 1 - idx) * 8)) & 0xFF;
    85. 

  85.     }
    86. 

  86. }
    87. 

  87. 

  88. unsigned int mbedtls_lms_network_bytes_to_unsigned_int(size_t len,
    89. 

  89.                                                        const unsigned char *bytes)
    90. 

  90. {
    91. 

  91.     size_t idx;
    92. 

  92.     unsigned int val = 0;
    93. 

  93. 

  94.     for (idx = 0; idx < len; idx++) {
    95. 

  95.         val |= ((unsigned int) bytes[idx]) << (8 * (len - 1 - idx));
    96. 

  96.     }
    97. 

  97. 

  98.     return val;
    99. 

  99. }
    100. 

  100. 

  101. /* Calculate the checksum digits that are appended to the end of the LMOTS digit
    102. 

  102.  * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
    103. 

  103.  * the checksum algorithm.
    104. 

  104.  *
    105. 

  105.  *  params              The LMOTS parameter set, I and q values which
    106. 

  106.  *                      describe the key being used.
    107. 

  107.  *
    108. 

  108.  *  digest              The digit string to create the digest from. As
    109. 

  109.  *                      this does not contain a checksum, it is the same
    110. 

  110.  *                      size as a hash output.
    111. 

  111.  */
    112. 

  112. static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params,
    113. 

  113.                                                const unsigned char *digest)
    114. 

  114. {
    115. 

  115.     size_t idx;
    116. 

  116.     unsigned sum = 0;
    117. 

  117. 

  118.     for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) {
    119. 

  119.         sum += DIGIT_MAX_VALUE - digest[idx];
    120. 

  120.     }
    121. 

  121. 

  122.     return sum;
    123. 

  123. }
    124. 

  124. 

  125. /* Create the string of digest digits (in the base determined by the Winternitz
    126. 

  126.  * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
    127. 

  127.  * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
    128. 

  128.  * 4b step 3) for details.
    129. 

  129.  *
    130. 

  130.  *  params              The LMOTS parameter set, I and q values which
    131. 

  131.  *                      describe the key being used.
    132. 

  132.  *
    133. 

  133.  *  msg                 The message that will be hashed to create the
    134. 

  134.  *                      digest.
    135. 

  135.  *
    136. 

  136.  *  msg_size            The size of the message.
    137. 

  137.  *
    138. 

  138.  *  C_random_value      The random value that will be combined with the
    139. 

  139.  *                      message digest. This is always the same size as a
    140. 

  140.  *                      hash output for whichever hash algorithm is
    141. 

  141.  *                      determined by the parameter set.
    142. 

  142.  *
    143. 

  143.  *  output              An output containing the digit string (+
    144. 

  144.  *                      checksum) of length P digits (in the case of
    145. 

  145.  *                      MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
    146. 

  146.  *                      size P bytes).
    147. 

  147.  */
    148. 

  148. static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params,
    149. 

  149.                                             const unsigned char *msg,
    150. 

  150.                                             size_t msg_len,
    151. 

  151.                                             const unsigned char *C_random_value,
    152. 

  152.                                             unsigned char *out)
    153. 

  153. {
    154. 

  154.     psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
    155. 

  155.     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    156. 

  156.     size_t output_hash_len;
    157. 

  157.     unsigned short checksum;
    158. 

  158. 

  159.     status = psa_hash_setup(&op, PSA_ALG_SHA_256);
    160. 

  160.     if (status != PSA_SUCCESS) {
    161. 

  161.         goto exit;
    162. 

  162.     }
    163. 

  163. 

  164.     status = psa_hash_update(&op, params->I_key_identifier,
    165. 

  165.                              MBEDTLS_LMOTS_I_KEY_ID_LEN);
    166. 

  166.     if (status != PSA_SUCCESS) {
    167. 

  167.         goto exit;
    168. 

  168.     }
    169. 

  169. 

  170.     status = psa_hash_update(&op, params->q_leaf_identifier,
    171. 

  171.                              MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    172. 

  172.     if (status != PSA_SUCCESS) {
    173. 

  173.         goto exit;
    174. 

  174.     }
    175. 

  175. 

  176.     status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN);
    177. 

  177.     if (status != PSA_SUCCESS) {
    178. 

  178.         goto exit;
    179. 

  179.     }
    180. 

  180. 

  181.     status = psa_hash_update(&op, C_random_value,
    182. 

  182.                              MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type));
    183. 

  183.     if (status != PSA_SUCCESS) {
    184. 

  184.         goto exit;
    185. 

  185.     }
    186. 

  186. 

  187.     status = psa_hash_update(&op, msg, msg_len);
    188. 

  188.     if (status != PSA_SUCCESS) {
    189. 

  189.         goto exit;
    190. 

  190.     }
    191. 

  191. 

  192.     status = psa_hash_finish(&op, out,
    193. 

  193.                              MBEDTLS_LMOTS_N_HASH_LEN(params->type),
    194. 

  194.                              &output_hash_len);
    195. 

  195.     if (status != PSA_SUCCESS) {
    196. 

  196.         goto exit;
    197. 

  197.     }
    198. 

  198. 

  199.     checksum = lmots_checksum_calculate(params, out);
    200. 

  200.     mbedtls_lms_unsigned_int_to_network_bytes(checksum, CHECKSUM_LEN,
    201. 

  201.                                               out + MBEDTLS_LMOTS_N_HASH_LEN(params->type));
    202. 

  202. 

  203. exit:
    204. 

  204.     psa_hash_abort(&op);
    205. 

  205. 

  206.     return PSA_TO_MBEDTLS_ERR(status);
    207. 

  207. }
    208. 

  208. 

  209. /* Hash each element of the string of digits (+ checksum), producing a hash
    210. 

  210.  * output for each element. This is used in several places (by varying the
    211. 

  211.  * hash_idx_min/max_values) in order to calculate a public key from a private
    212. 

  212.  * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
    213. 

  213.  * Algorithm 3 step 5), and to calculate a public key candidate from a
    214. 

  214.  * signature and message (RFC8554 Algorithm 4b step 3).
    215. 

  215.  *
    216. 

  216.  *  params              The LMOTS parameter set, I and q values which
    217. 

  217.  *                      describe the key being used.
    218. 

  218.  *
    219. 

  219.  *  x_digit_array       The array of digits (of size P, 34 in the case of
    220. 

  220.  *                      MBEDTLS_LMOTS_SHA256_N32_W8).
    221. 

  221.  *
    222. 

  222.  *  hash_idx_min_values An array of the starting values of the j iterator
    223. 

  223.  *                      for each of the members of the digit array. If
    224. 

  224.  *                      this value in NULL, then all iterators will start
    225. 

  225.  *                      at 0.
    226. 

  226.  *
    227. 

  227.  *  hash_idx_max_values An array of the upper bound values of the j
    228. 

  228.  *                      iterator for each of the members of the digit
    229. 

  229.  *                      array. If this value in NULL, then iterator is
    230. 

  230.  *                      bounded to be less than 2^w - 1 (255 in the case
    231. 

  231.  *                      of MBEDTLS_LMOTS_SHA256_N32_W8)
    232. 

  232.  *
    233. 

  233.  *  output              An array containing a hash output for each member
    234. 

  234.  *                      of the digit string P. In the case of
    235. 

  235.  *                      MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
    236. 

  236.  *                      34.
    237. 

  237.  */
    238. 

  238. static int hash_digit_array(const mbedtls_lmots_parameters_t *params,
    239. 

  239.                             const unsigned char *x_digit_array,
    240. 

  240.                             const unsigned char *hash_idx_min_values,
    241. 

  241.                             const unsigned char *hash_idx_max_values,
    242. 

  242.                             unsigned char *output)
    243. 

  243. {
    244. 

  244.     unsigned int i_digit_idx;
    245. 

  245.     unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
    246. 

  246.     unsigned int j_hash_idx;
    247. 

  247.     unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
    248. 

  248.     unsigned int j_hash_idx_min;
    249. 

  249.     unsigned int j_hash_idx_max;
    250. 

  250.     psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
    251. 

  251.     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    252. 

  252.     size_t output_hash_len;
    253. 

  253.     unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    254. 

  254. 

  255.     for (i_digit_idx = 0;
    256. 

  256.          i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
    257. 

  257.          i_digit_idx++) {
    258. 

  258. 

  259.         memcpy(tmp_hash,
    260. 

  260.                &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
    261. 

  261.                MBEDTLS_LMOTS_N_HASH_LEN(params->type));
    262. 

  262. 

  263.         j_hash_idx_min = hash_idx_min_values != NULL ?
    264. 

  264.                          hash_idx_min_values[i_digit_idx] : 0;
    265. 

  265.         j_hash_idx_max = hash_idx_max_values != NULL ?
    266. 

  266.                          hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
    267. 

  267. 

  268.         for (j_hash_idx = j_hash_idx_min;
    269. 

  269.              j_hash_idx < j_hash_idx_max;
    270. 

  270.              j_hash_idx++) {
    271. 

  271.             status = psa_hash_setup(&op, PSA_ALG_SHA_256);
    272. 

  272.             if (status != PSA_SUCCESS) {
    273. 

  273.                 goto exit;
    274. 

  274.             }
    275. 

  275. 

  276.             status = psa_hash_update(&op,
    277. 

  277.                                      params->I_key_identifier,
    278. 

  278.                                      MBEDTLS_LMOTS_I_KEY_ID_LEN);
    279. 

  279.             if (status != PSA_SUCCESS) {
    280. 

  280.                 goto exit;
    281. 

  281.             }
    282. 

  282. 

  283.             status = psa_hash_update(&op,
    284. 

  284.                                      params->q_leaf_identifier,
    285. 

  285.                                      MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    286. 

  286.             if (status != PSA_SUCCESS) {
    287. 

  287.                 goto exit;
    288. 

  288.             }
    289. 

  289. 

  290.             mbedtls_lms_unsigned_int_to_network_bytes(i_digit_idx,
    291. 

  291.                                                       I_DIGIT_IDX_LEN,
    292. 

  292.                                                       i_digit_idx_bytes);
    293. 

  293.             status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
    294. 

  294.             if (status != PSA_SUCCESS) {
    295. 

  295.                 goto exit;
    296. 

  296.             }
    297. 

  297. 

  298.             mbedtls_lms_unsigned_int_to_network_bytes(j_hash_idx,
    299. 

  299.                                                       J_HASH_IDX_LEN,
    300. 

  300.                                                       j_hash_idx_bytes);
    301. 

  301.             status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN);
    302. 

  302.             if (status != PSA_SUCCESS) {
    303. 

  303.                 goto exit;
    304. 

  304.             }
    305. 

  305. 

  306.             status = psa_hash_update(&op, tmp_hash,
    307. 

  307.                                      MBEDTLS_LMOTS_N_HASH_LEN(params->type));
    308. 

  308.             if (status != PSA_SUCCESS) {
    309. 

  309.                 goto exit;
    310. 

  310.             }
    311. 

  311. 

  312.             status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash),
    313. 

  313.                                      &output_hash_len);
    314. 

  314.             if (status != PSA_SUCCESS) {
    315. 

  315.                 goto exit;
    316. 

  316.             }
    317. 

  317. 

  318.             psa_hash_abort(&op);
    319. 

  319.         }
    320. 

  320. 

  321.         memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
    322. 

  322.                tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
    323. 

  323.     }
    324. 

  324. 

  325. exit:
    326. 

  326.     psa_hash_abort(&op);
    327. 

  327.     mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash));
    328. 

  328. 

  329.     return PSA_TO_MBEDTLS_ERR(status);
    330. 

  330. }
    331. 

  331. 

  332. /* Combine the hashes of the digit array into a public key. This is used in
    333. 

  333.  * in order to calculate a public key from a private key (RFC8554 Algorithm 1
    334. 

  334.  * step 4), and to calculate a public key candidate from a signature and message
    335. 

  335.  * (RFC8554 Algorithm 4b step 3).
    336. 

  336.  *
    337. 

  337.  *  params           The LMOTS parameter set, I and q values which describe
    338. 

  338.  *                   the key being used.
    339. 

  339.  *  y_hashed_digits  The array of hashes, one hash for each digit of the
    340. 

  340.  *                   symbol array (which is of size P, 34 in the case of
    341. 

  341.  *                   MBEDTLS_LMOTS_SHA256_N32_W8)
    342. 

  342.  *
    343. 

  343.  *  pub_key          The output public key (or candidate public key in
    344. 

  344.  *                   case this is being run as part of signature
    345. 

  345.  *                   verification), in the form of a hash output.
    346. 

  346.  */
    347. 

  347. static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params,
    348. 

  348.                                               const unsigned char *y_hashed_digits,
    349. 

  349.                                               unsigned char *pub_key)
    350. 

  350. {
    351. 

  351.     psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
    352. 

  352.     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    353. 

  353.     size_t output_hash_len;
    354. 

  354. 

  355.     status = psa_hash_setup(&op, PSA_ALG_SHA_256);
    356. 

  356.     if (status != PSA_SUCCESS) {
    357. 

  357.         goto exit;
    358. 

  358.     }
    359. 

  359. 

  360.     status = psa_hash_update(&op,
    361. 

  361.                              params->I_key_identifier,
    362. 

  362.                              MBEDTLS_LMOTS_I_KEY_ID_LEN);
    363. 

  363.     if (status != PSA_SUCCESS) {
    364. 

  364.         goto exit;
    365. 

  365.     }
    366. 

  366. 

  367.     status = psa_hash_update(&op, params->q_leaf_identifier,
    368. 

  368.                              MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    369. 

  369.     if (status != PSA_SUCCESS) {
    370. 

  370.         goto exit;
    371. 

  371.     }
    372. 

  372. 

  373.     status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN);
    374. 

  374.     if (status != PSA_SUCCESS) {
    375. 

  375.         goto exit;
    376. 

  376.     }
    377. 

  377. 

  378.     status = psa_hash_update(&op, y_hashed_digits,
    379. 

  379.                              MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
    380. 

  380.                              MBEDTLS_LMOTS_N_HASH_LEN(params->type));
    381. 

  381.     if (status != PSA_SUCCESS) {
    382. 

  382.         goto exit;
    383. 

  383.     }
    384. 

  384. 

  385.     status = psa_hash_finish(&op, pub_key,
    386. 

  386.                              MBEDTLS_LMOTS_N_HASH_LEN(params->type),
    387. 

  387.                              &output_hash_len);
    388. 

  388.     if (status != PSA_SUCCESS) {
    389. 

  389. 

  390. exit:
    391. 

  391.         psa_hash_abort(&op);
    392. 

  392.     }
    393. 

  393. 

  394.     return PSA_TO_MBEDTLS_ERR(status);
    395. 

  395. }
    396. 

  396. 

  397. #if !defined(MBEDTLS_DEPRECATED_REMOVED)
    398. 

  398. int mbedtls_lms_error_from_psa(psa_status_t status)
    399. 

  399. {
    400. 

  400.     switch (status) {
    401. 

  401.         case PSA_SUCCESS:
    402. 

  402.             return 0;
    403. 

  403.         case PSA_ERROR_HARDWARE_FAILURE:
    404. 

  404.             return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
    405. 

  405.         case PSA_ERROR_NOT_SUPPORTED:
    406. 

  406.             return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
    407. 

  407.         case PSA_ERROR_BUFFER_TOO_SMALL:
    408. 

  408.             return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
    409. 

  409.         case PSA_ERROR_INVALID_ARGUMENT:
    410. 

  410.             return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    411. 

  411.         default:
    412. 

  412.             return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
    413. 

  413.     }
    414. 

  414. }
    415. 

  415. #endif /* !MBEDTLS_DEPRECATED_REMOVED */
    416. 

  416. 

  417. void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
    418. 

  418. {
    419. 

  419.     memset(ctx, 0, sizeof(*ctx));
    420. 

  420. }
    421. 

  421. 

  422. void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx)
    423. 

  423. {
    424. 

  424.     mbedtls_platform_zeroize(ctx, sizeof(*ctx));
    425. 

  425. }
    426. 

  426. 

  427. int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
    428. 

  428.                                     const unsigned char *key, size_t key_len)
    429. 

  429. {
    430. 

  430.     if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
    431. 

  431.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    432. 

  432.     }
    433. 

  433. 

  434.     ctx->params.type =
    435. 

  435.         mbedtls_lms_network_bytes_to_unsigned_int(MBEDTLS_LMOTS_TYPE_LEN,
    436. 

  436.                                                   key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
    437. 

  437. 

  438.     if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
    439. 

  439.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    440. 

  440.     }
    441. 

  441. 

  442.     memcpy(ctx->params.I_key_identifier,
    443. 

  443.            key + PUBLIC_KEY_I_KEY_ID_OFFSET,
    444. 

  444.            MBEDTLS_LMOTS_I_KEY_ID_LEN);
    445. 

  445. 

  446.     memcpy(ctx->params.q_leaf_identifier,
    447. 

  447.            key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
    448. 

  448.            MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    449. 

  449. 

  450.     memcpy(ctx->public_key,
    451. 

  451.            key + PUBLIC_KEY_KEY_HASH_OFFSET,
    452. 

  452.            MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
    453. 

  453. 

  454.     ctx->have_public_key = 1;
    455. 

  455. 

  456.     return 0;
    457. 

  457. }
    458. 

  458. 

  459. int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
    460. 

  460.                                     unsigned char *key, size_t key_size,
    461. 

  461.                                     size_t *key_len)
    462. 

  462. {
    463. 

  463.     if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
    464. 

  464.         return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
    465. 

  465.     }
    466. 

  466. 

  467.     if (!ctx->have_public_key) {
    468. 

  468.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    469. 

  469.     }
    470. 

  470. 

  471.     mbedtls_lms_unsigned_int_to_network_bytes(ctx->params.type,
    472. 

  472.                                               MBEDTLS_LMOTS_TYPE_LEN,
    473. 

  473.                                               key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
    474. 

  474. 

  475.     memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
    476. 

  476.            ctx->params.I_key_identifier,
    477. 

  477.            MBEDTLS_LMOTS_I_KEY_ID_LEN);
    478. 

  478. 

  479.     memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
    480. 

  480.            ctx->params.q_leaf_identifier,
    481. 

  481.            MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    482. 

  482. 

  483.     memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
    484. 

  484.            MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
    485. 

  485. 

  486.     if (key_len != NULL) {
    487. 

  487.         *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
    488. 

  488.     }
    489. 

  489. 

  490.     return 0;
    491. 

  491. }
    492. 

  492. 

  493. int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
    494. 

  494.                                                  const unsigned char  *msg,
    495. 

  495.                                                  size_t msg_size,
    496. 

  496.                                                  const unsigned char *sig,
    497. 

  497.                                                  size_t sig_size,
    498. 

  498.                                                  unsigned char *out,
    499. 

  499.                                                  size_t out_size,
    500. 

  500.                                                  size_t *out_len)
    501. 

  501. {
    502. 

  502.     unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
    503. 

  503.     unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    504. 

  504.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    505. 

  505. 

  506.     if (msg == NULL && msg_size != 0) {
    507. 

  507.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    508. 

  508.     }
    509. 

  509. 

  510.     if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
    511. 

  511.         out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) {
    512. 

  512.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    513. 

  513.     }
    514. 

  514. 

  515.     ret = create_digit_array_with_checksum(params, msg, msg_size,
    516. 

  516.                                            sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
    517. 

  517.                                            tmp_digit_array);
    518. 

  518.     if (ret) {
    519. 

  519.         return ret;
    520. 

  520.     }
    521. 

  521. 

  522.     ret = hash_digit_array(params,
    523. 

  523.                            sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
    524. 

  524.                            tmp_digit_array, NULL, (unsigned char *) y_hashed_digits);
    525. 

  525.     if (ret) {
    526. 

  526.         return ret;
    527. 

  527.     }
    528. 

  528. 

  529.     ret = public_key_from_hashed_digit_array(params,
    530. 

  530.                                              (unsigned char *) y_hashed_digits,
    531. 

  531.                                              out);
    532. 

  532.     if (ret) {
    533. 

  533.         return ret;
    534. 

  534.     }
    535. 

  535. 

  536.     if (out_len != NULL) {
    537. 

  537.         *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
    538. 

  538.     }
    539. 

  539. 

  540.     return 0;
    541. 

  541. }
    542. 

  542. 

  543. int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
    544. 

  544.                          const unsigned char *msg, size_t msg_size,
    545. 

  545.                          const unsigned char *sig, size_t sig_size)
    546. 

  546. {
    547. 

  547.     unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    548. 

  548.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    549. 

  549. 

  550.     if (msg == NULL && msg_size != 0) {
    551. 

  551.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    552. 

  552.     }
    553. 

  553. 

  554.     if (!ctx->have_public_key) {
    555. 

  555.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    556. 

  556.     }
    557. 

  557. 

  558.     if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) {
    559. 

  559.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    560. 

  560.     }
    561. 

  561. 

  562.     if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
    563. 

  563.         return MBEDTLS_ERR_LMS_VERIFY_FAILED;
    564. 

  564.     }
    565. 

  565. 

  566.     if (mbedtls_lms_network_bytes_to_unsigned_int(MBEDTLS_LMOTS_TYPE_LEN,
    567. 

  567.                                                   sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET) !=
    568. 

  568.         MBEDTLS_LMOTS_SHA256_N32_W8) {
    569. 

  569.         return MBEDTLS_ERR_LMS_VERIFY_FAILED;
    570. 

  570.     }
    571. 

  571. 

  572.     ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params,
    573. 

  573.                                                        msg, msg_size, sig, sig_size,
    574. 

  574.                                                        Kc_public_key_candidate,
    575. 

  575.                                                        MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
    576. 

  576.                                                        NULL);
    577. 

  577.     if (ret) {
    578. 

  578.         return MBEDTLS_ERR_LMS_VERIFY_FAILED;
    579. 

  579.     }
    580. 

  580. 

  581.     if (memcmp(&Kc_public_key_candidate, ctx->public_key,
    582. 

  582.                sizeof(ctx->public_key))) {
    583. 

  583.         return MBEDTLS_ERR_LMS_VERIFY_FAILED;
    584. 

  584.     }
    585. 

  585. 

  586.     return 0;
    587. 

  587. }
    588. 

  588. 

  589. #if defined(MBEDTLS_LMS_PRIVATE)
    590. 

  590. 

  591. void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx)
    592. 

  592. {
    593. 

  593.     memset(ctx, 0, sizeof(*ctx));
    594. 

  594. }
    595. 

  595. 

  596. void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx)
    597. 

  597. {
    598. 

  598.     mbedtls_platform_zeroize(ctx,
    599. 

  599.                              sizeof(*ctx));
    600. 

  600. }
    601. 

  601. 

  602. int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
    603. 

  603.                                        mbedtls_lmots_algorithm_type_t type,
    604. 

  604.                                        const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
    605. 

  605.                                        uint32_t q_leaf_identifier,
    606. 

  606.                                        const unsigned char *seed,
    607. 

  607.                                        size_t seed_size)
    608. 

  608. {
    609. 

  609.     psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
    610. 

  610.     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    611. 

  611.     size_t output_hash_len;
    612. 

  612.     unsigned int i_digit_idx;
    613. 

  613.     unsigned char i_digit_idx_bytes[2];
    614. 

  614.     unsigned char const_bytes[1];
    615. 

  615. 

  616.     if (ctx->have_private_key) {
    617. 

  617.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    618. 

  618.     }
    619. 

  619. 

  620.     if (type != MBEDTLS_LMOTS_SHA256_N32_W8) {
    621. 

  621.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    622. 

  622.     }
    623. 

  623. 

  624.     ctx->params.type = type;
    625. 

  625. 

  626.     memcpy(ctx->params.I_key_identifier,
    627. 

  627.            I_key_identifier,
    628. 

  628.            sizeof(ctx->params.I_key_identifier));
    629. 

  629. 

  630.     mbedtls_lms_unsigned_int_to_network_bytes(q_leaf_identifier,
    631. 

  631.                                               MBEDTLS_LMOTS_Q_LEAF_ID_LEN,
    632. 

  632.                                               ctx->params.q_leaf_identifier);
    633. 

  633. 

  634.     mbedtls_lms_unsigned_int_to_network_bytes(0xFF, sizeof(const_bytes),
    635. 

  635.                                               const_bytes);
    636. 

  636. 

  637.     for (i_digit_idx = 0;
    638. 

  638.          i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
    639. 

  639.          i_digit_idx++) {
    640. 

  640.         status = psa_hash_setup(&op, PSA_ALG_SHA_256);
    641. 

  641.         if (status != PSA_SUCCESS) {
    642. 

  642.             goto exit;
    643. 

  643.         }
    644. 

  644. 

  645.         status = psa_hash_update(&op,
    646. 

  646.                                  ctx->params.I_key_identifier,
    647. 

  647.                                  sizeof(ctx->params.I_key_identifier));
    648. 

  648.         if (status != PSA_SUCCESS) {
    649. 

  649.             goto exit;
    650. 

  650.         }
    651. 

  651. 

  652.         status = psa_hash_update(&op,
    653. 

  653.                                  ctx->params.q_leaf_identifier,
    654. 

  654.                                  MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    655. 

  655.         if (status != PSA_SUCCESS) {
    656. 

  656.             goto exit;
    657. 

  657.         }
    658. 

  658. 

  659.         mbedtls_lms_unsigned_int_to_network_bytes(i_digit_idx, I_DIGIT_IDX_LEN,
    660. 

  660.                                                   i_digit_idx_bytes);
    661. 

  661.         status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
    662. 

  662.         if (status != PSA_SUCCESS) {
    663. 

  663.             goto exit;
    664. 

  664.         }
    665. 

  665. 

  666.         status = psa_hash_update(&op, const_bytes, sizeof(const_bytes));
    667. 

  667.         if (status != PSA_SUCCESS) {
    668. 

  668.             goto exit;
    669. 

  669.         }
    670. 

  670. 

  671.         status = psa_hash_update(&op, seed, seed_size);
    672. 

  672.         if (status != PSA_SUCCESS) {
    673. 

  673.             goto exit;
    674. 

  674.         }
    675. 

  675. 

  676.         status = psa_hash_finish(&op,
    677. 

  677.                                  ctx->private_key[i_digit_idx],
    678. 

  678.                                  MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
    679. 

  679.                                  &output_hash_len);
    680. 

  680.         if (status != PSA_SUCCESS) {
    681. 

  681.             goto exit;
    682. 

  682.         }
    683. 

  683. 

  684.         psa_hash_abort(&op);
    685. 

  685.     }
    686. 

  686. 

  687.     ctx->have_private_key = 1;
    688. 

  688. 

  689. exit:
    690. 

  690.     psa_hash_abort(&op);
    691. 

  691. 

  692.     return PSA_TO_MBEDTLS_ERR(status);
    693. 

  693. }
    694. 

  694. 

  695. int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
    696. 

  696.                                        const mbedtls_lmots_private_t *priv_ctx)
    697. 

  697. {
    698. 

  698.     unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    699. 

  699.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    700. 

  700. 

  701.     /* Check that a private key is loaded */
    702. 

  702.     if (!priv_ctx->have_private_key) {
    703. 

  703.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    704. 

  704.     }
    705. 

  705. 

  706.     ret = hash_digit_array(&priv_ctx->params,
    707. 

  707.                            (unsigned char *) priv_ctx->private_key, NULL,
    708. 

  708.                            NULL, (unsigned char *) y_hashed_digits);
    709. 

  709.     if (ret) {
    710. 

  710.         goto exit;
    711. 

  711.     }
    712. 

  712. 

  713.     ret = public_key_from_hashed_digit_array(&priv_ctx->params,
    714. 

  714.                                              (unsigned char *) y_hashed_digits,
    715. 

  715.                                              ctx->public_key);
    716. 

  716.     if (ret) {
    717. 

  717.         goto exit;
    718. 

  718.     }
    719. 

  719. 

  720.     memcpy(&ctx->params, &priv_ctx->params,
    721. 

  721.            sizeof(ctx->params));
    722. 

  722. 

  723.     ctx->have_public_key = 1;
    724. 

  724. 

  725. exit:
    726. 

  726.     mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits));
    727. 

  727. 

  728.     return ret;
    729. 

  729. }
    730. 

  730. 

  731. int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
    732. 

  732.                        int (*f_rng)(void *, unsigned char *, size_t),
    733. 

  733.                        void *p_rng, const unsigned char *msg, size_t msg_size,
    734. 

  734.                        unsigned char *sig, size_t sig_size, size_t *sig_len)
    735. 

  735. {
    736. 

  736.     unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
    737. 

  737.     /* Create a temporary buffer to prepare the signature in. This allows us to
    738. 

  738.      * finish creating a signature (ensuring the process doesn't fail), and then
    739. 

  739.      * erase the private key **before** writing any data into the sig parameter
    740. 

  740.      * buffer. If data were directly written into the sig buffer, it might leak
    741. 

  741.      * a partial signature on failure, which effectively compromises the private
    742. 

  742.      * key.
    743. 

  743.      */
    744. 

  744.     unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    745. 

  745.     unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    746. 

  746.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    747. 

  747. 

  748.     if (msg == NULL && msg_size != 0) {
    749. 

  749.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    750. 

  750.     }
    751. 

  751. 

  752.     if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) {
    753. 

  753.         return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
    754. 

  754.     }
    755. 

  755. 

  756.     /* Check that a private key is loaded */
    757. 

  757.     if (!ctx->have_private_key) {
    758. 

  758.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    759. 

  759.     }
    760. 

  760. 

  761.     ret = f_rng(p_rng, tmp_c_random,
    762. 

  762.                 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
    763. 

  763.     if (ret) {
    764. 

  764.         return ret;
    765. 

  765.     }
    766. 

  766. 

  767.     ret = create_digit_array_with_checksum(&ctx->params,
    768. 

  768.                                            msg, msg_size,
    769. 

  769.                                            tmp_c_random,
    770. 

  770.                                            tmp_digit_array);
    771. 

  771.     if (ret) {
    772. 

  772.         goto exit;
    773. 

  773.     }
    774. 

  774. 

  775.     ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key,
    776. 

  776.                            NULL, tmp_digit_array, (unsigned char *) tmp_sig);
    777. 

  777.     if (ret) {
    778. 

  778.         goto exit;
    779. 

  779.     }
    780. 

  780. 

  781.     mbedtls_lms_unsigned_int_to_network_bytes(ctx->params.type,
    782. 

  782.                                               MBEDTLS_LMOTS_TYPE_LEN,
    783. 

  783.                                               sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
    784. 

  784. 

  785.     /* Test hook to check if sig is being written to before we invalidate the
    786. 

  786.      * private key.
    787. 

  787.      */
    788. 

  788. #if defined(MBEDTLS_TEST_HOOKS)
    789. 

  789.     if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) {
    790. 

  790.         ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig);
    791. 

  791.         if (ret != 0) {
    792. 

  792.             return ret;
    793. 

  793.         }
    794. 

  794.     }
    795. 

  795. #endif /* defined(MBEDTLS_TEST_HOOKS) */
    796. 

  796. 

  797.     /* We've got a valid signature now, so it's time to make sure the private
    798. 

  798.      * key can't be reused.
    799. 

  799.      */
    800. 

  800.     ctx->have_private_key = 0;
    801. 

  801.     mbedtls_platform_zeroize(ctx->private_key,
    802. 

  802.                              sizeof(ctx->private_key));
    803. 

  803. 

  804.     memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
    805. 

  805.            MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type));
    806. 

  806. 

  807.     memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
    808. 

  808.            MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
    809. 

  809.            * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
    810. 

  810. 

  811.     if (sig_len != NULL) {
    812. 

  812.         *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
    813. 

  813.     }
    814. 

  814. 

  815.     ret = 0;
    816. 

  816. 

  817. exit:
    818. 

  818.     mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array));
    819. 

  819.     mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig));
    820. 

  820. 

  821.     return ret;
    822. 

  822. }
    823. 

  823. 

  824. #endif /* defined(MBEDTLS_LMS_PRIVATE) */
    825. 

  825. #endif /* defined(MBEDTLS_LMS_C) */
    826.