Acasă Explorează Ajutor
Autentificare
haxe
/
HaxeFoundation.hashlink
oglindă de https://github.com/HaxeFoundation/hashlink.git
2
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Ramură: master
Ramuri Etichete
HaxeFoundation....
/
include
/
mbedtls
/
library
/
lmots.c

lmots.c 27 KB
Permalink Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786 
  1. /*
    2. 

  2.  * The LM-OTS one-time public-key signature scheme
    3. 

  3.  *
    4. 

  4.  * Copyright The Mbed TLS Contributors
    5. 

  5.  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
    6. 

  6.  */
    7. 

  7. 

  8. /*
    9. 

  9.  *  The following sources were referenced in the design of this implementation
    10. 

  10.  *  of the LM-OTS algorithm:
    11. 

  11.  *
    12. 

  12.  *  [1] IETF RFC8554
    13. 

  13.  *      D. McGrew, M. Curcio, S.Fluhrer
    14. 

  14.  *      https://datatracker.ietf.org/doc/html/rfc8554
    15. 

  15.  *
    16. 

  16.  *  [2] NIST Special Publication 800-208
    17. 

  17.  *      David A. Cooper et. al.
    18. 

  18.  *      https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
    19. 

  19.  */
    20. 

  20. 

  21. #include "common.h"
    22. 

  22. 

  23. #if defined(MBEDTLS_LMS_C)
    24. 

  24. 

  25. #include <string.h>
    26. 

  26. 

  27. #include "lmots.h"
    28. 

  28. 

  29. #include "mbedtls/lms.h"
    30. 

  30. #include "mbedtls/platform_util.h"
    31. 

  31. #include "mbedtls/error.h"
    32. 

  32. #include "psa_util_internal.h"
    33. 

  33. 

  34. #include "psa/crypto.h"
    35. 

  35. 

  36. /* Define a local translating function to save code size by not using too many
    37. 

  37.  * arguments in each translating place. */
    38. 

  38. static int local_err_translation(psa_status_t status)
    39. 

  39. {
    40. 

  40.     return psa_status_to_mbedtls(status, psa_to_lms_errors,
    41. 

  41.                                  ARRAY_LENGTH(psa_to_lms_errors),
    42. 

  42.                                  psa_generic_status_to_mbedtls);
    43. 

  43. }
    44. 

  44. #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
    45. 

  45. 

  46. #define PUBLIC_KEY_TYPE_OFFSET     (0)
    47. 

  47. #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
    48. 

  48.                                     MBEDTLS_LMOTS_TYPE_LEN)
    49. 

  49. #define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
    50. 

  50.                                      MBEDTLS_LMOTS_I_KEY_ID_LEN)
    51. 

  51. #define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
    52. 

  52.                                     MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
    53. 

  53. 

  54. /* We only support parameter sets that use 8-bit digits, as it does not require
    55. 

  55.  * translation logic between digits and bytes */
    56. 

  56. #define W_WINTERNITZ_PARAMETER (8u)
    57. 

  57. #define CHECKSUM_LEN           (2)
    58. 

  58. #define I_DIGIT_IDX_LEN        (2)
    59. 

  59. #define J_HASH_IDX_LEN         (1)
    60. 

  60. #define D_CONST_LEN            (2)
    61. 

  61. 

  62. #define DIGIT_MAX_VALUE        ((1u << W_WINTERNITZ_PARAMETER) - 1u)
    63. 

  63. 

  64. #define D_CONST_LEN            (2)
    65. 

  65. static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 };
    66. 

  66. static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 };
    67. 

  67. 

  68. #if defined(MBEDTLS_TEST_HOOKS)
    69. 

  69. int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL;
    70. 

  70. #endif /* defined(MBEDTLS_TEST_HOOKS) */
    71. 

  71. 

  72. /* Calculate the checksum digits that are appended to the end of the LMOTS digit
    73. 

  73.  * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
    74. 

  74.  * the checksum algorithm.
    75. 

  75.  *
    76. 

  76.  *  params              The LMOTS parameter set, I and q values which
    77. 

  77.  *                      describe the key being used.
    78. 

  78.  *
    79. 

  79.  *  digest              The digit string to create the digest from. As
    80. 

  80.  *                      this does not contain a checksum, it is the same
    81. 

  81.  *                      size as a hash output.
    82. 

  82.  */
    83. 

  83. static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params,
    84. 

  84.                                                const unsigned char *digest)
    85. 

  85. {
    86. 

  86.     size_t idx;
    87. 

  87.     unsigned sum = 0;
    88. 

  88. 

  89.     for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) {
    90. 

  90.         sum += DIGIT_MAX_VALUE - digest[idx];
    91. 

  91.     }
    92. 

  92. 

  93.     return sum;
    94. 

  94. }
    95. 

  95. 

  96. /* Create the string of digest digits (in the base determined by the Winternitz
    97. 

  97.  * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
    98. 

  98.  * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
    99. 

  99.  * 4b step 3) for details.
    100. 

  100.  *
    101. 

  101.  *  params              The LMOTS parameter set, I and q values which
    102. 

  102.  *                      describe the key being used.
    103. 

  103.  *
    104. 

  104.  *  msg                 The message that will be hashed to create the
    105. 

  105.  *                      digest.
    106. 

  106.  *
    107. 

  107.  *  msg_size            The size of the message.
    108. 

  108.  *
    109. 

  109.  *  C_random_value      The random value that will be combined with the
    110. 

  110.  *                      message digest. This is always the same size as a
    111. 

  111.  *                      hash output for whichever hash algorithm is
    112. 

  112.  *                      determined by the parameter set.
    113. 

  113.  *
    114. 

  114.  *  output              An output containing the digit string (+
    115. 

  115.  *                      checksum) of length P digits (in the case of
    116. 

  116.  *                      MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
    117. 

  117.  *                      size P bytes).
    118. 

  118.  */
    119. 

  119. static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params,
    120. 

  120.                                             const unsigned char *msg,
    121. 

  121.                                             size_t msg_len,
    122. 

  122.                                             const unsigned char *C_random_value,
    123. 

  123.                                             unsigned char *out)
    124. 

  124. {
    125. 

  125.     psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
    126. 

  126.     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    127. 

  127.     size_t output_hash_len;
    128. 

  128.     unsigned short checksum;
    129. 

  129. 

  130.     status = psa_hash_setup(&op, PSA_ALG_SHA_256);
    131. 

  131.     if (status != PSA_SUCCESS) {
    132. 

  132.         goto exit;
    133. 

  133.     }
    134. 

  134. 

  135.     status = psa_hash_update(&op, params->I_key_identifier,
    136. 

  136.                              MBEDTLS_LMOTS_I_KEY_ID_LEN);
    137. 

  137.     if (status != PSA_SUCCESS) {
    138. 

  138.         goto exit;
    139. 

  139.     }
    140. 

  140. 

  141.     status = psa_hash_update(&op, params->q_leaf_identifier,
    142. 

  142.                              MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    143. 

  143.     if (status != PSA_SUCCESS) {
    144. 

  144.         goto exit;
    145. 

  145.     }
    146. 

  146. 

  147.     status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN);
    148. 

  148.     if (status != PSA_SUCCESS) {
    149. 

  149.         goto exit;
    150. 

  150.     }
    151. 

  151. 

  152.     status = psa_hash_update(&op, C_random_value,
    153. 

  153.                              MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type));
    154. 

  154.     if (status != PSA_SUCCESS) {
    155. 

  155.         goto exit;
    156. 

  156.     }
    157. 

  157. 

  158.     status = psa_hash_update(&op, msg, msg_len);
    159. 

  159.     if (status != PSA_SUCCESS) {
    160. 

  160.         goto exit;
    161. 

  161.     }
    162. 

  162. 

  163.     status = psa_hash_finish(&op, out,
    164. 

  164.                              MBEDTLS_LMOTS_N_HASH_LEN(params->type),
    165. 

  165.                              &output_hash_len);
    166. 

  166.     if (status != PSA_SUCCESS) {
    167. 

  167.         goto exit;
    168. 

  168.     }
    169. 

  169. 

  170.     checksum = lmots_checksum_calculate(params, out);
    171. 

  171.     MBEDTLS_PUT_UINT16_BE(checksum, out, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
    172. 

  172. 

  173. exit:
    174. 

  174.     psa_hash_abort(&op);
    175. 

  175. 

  176.     return PSA_TO_MBEDTLS_ERR(status);
    177. 

  177. }
    178. 

  178. 

  179. /* Hash each element of the string of digits (+ checksum), producing a hash
    180. 

  180.  * output for each element. This is used in several places (by varying the
    181. 

  181.  * hash_idx_min/max_values) in order to calculate a public key from a private
    182. 

  182.  * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
    183. 

  183.  * Algorithm 3 step 5), and to calculate a public key candidate from a
    184. 

  184.  * signature and message (RFC8554 Algorithm 4b step 3).
    185. 

  185.  *
    186. 

  186.  *  params              The LMOTS parameter set, I and q values which
    187. 

  187.  *                      describe the key being used.
    188. 

  188.  *
    189. 

  189.  *  x_digit_array       The array of digits (of size P, 34 in the case of
    190. 

  190.  *                      MBEDTLS_LMOTS_SHA256_N32_W8).
    191. 

  191.  *
    192. 

  192.  *  hash_idx_min_values An array of the starting values of the j iterator
    193. 

  193.  *                      for each of the members of the digit array. If
    194. 

  194.  *                      this value in NULL, then all iterators will start
    195. 

  195.  *                      at 0.
    196. 

  196.  *
    197. 

  197.  *  hash_idx_max_values An array of the upper bound values of the j
    198. 

  198.  *                      iterator for each of the members of the digit
    199. 

  199.  *                      array. If this value in NULL, then iterator is
    200. 

  200.  *                      bounded to be less than 2^w - 1 (255 in the case
    201. 

  201.  *                      of MBEDTLS_LMOTS_SHA256_N32_W8)
    202. 

  202.  *
    203. 

  203.  *  output              An array containing a hash output for each member
    204. 

  204.  *                      of the digit string P. In the case of
    205. 

  205.  *                      MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
    206. 

  206.  *                      34.
    207. 

  207.  */
    208. 

  208. static int hash_digit_array(const mbedtls_lmots_parameters_t *params,
    209. 

  209.                             const unsigned char *x_digit_array,
    210. 

  210.                             const unsigned char *hash_idx_min_values,
    211. 

  211.                             const unsigned char *hash_idx_max_values,
    212. 

  212.                             unsigned char *output)
    213. 

  213. {
    214. 

  214.     unsigned int i_digit_idx;
    215. 

  215.     unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
    216. 

  216.     unsigned int j_hash_idx;
    217. 

  217.     unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
    218. 

  218.     unsigned int j_hash_idx_min;
    219. 

  219.     unsigned int j_hash_idx_max;
    220. 

  220.     psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
    221. 

  221.     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    222. 

  222.     size_t output_hash_len;
    223. 

  223.     unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    224. 

  224. 

  225.     for (i_digit_idx = 0;
    226. 

  226.          i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
    227. 

  227.          i_digit_idx++) {
    228. 

  228. 

  229.         memcpy(tmp_hash,
    230. 

  230.                &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
    231. 

  231.                MBEDTLS_LMOTS_N_HASH_LEN(params->type));
    232. 

  232. 

  233.         j_hash_idx_min = hash_idx_min_values != NULL ?
    234. 

  234.                          hash_idx_min_values[i_digit_idx] : 0;
    235. 

  235.         j_hash_idx_max = hash_idx_max_values != NULL ?
    236. 

  236.                          hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
    237. 

  237. 

  238.         for (j_hash_idx = j_hash_idx_min;
    239. 

  239.              j_hash_idx < j_hash_idx_max;
    240. 

  240.              j_hash_idx++) {
    241. 

  241.             status = psa_hash_setup(&op, PSA_ALG_SHA_256);
    242. 

  242.             if (status != PSA_SUCCESS) {
    243. 

  243.                 goto exit;
    244. 

  244.             }
    245. 

  245. 

  246.             status = psa_hash_update(&op,
    247. 

  247.                                      params->I_key_identifier,
    248. 

  248.                                      MBEDTLS_LMOTS_I_KEY_ID_LEN);
    249. 

  249.             if (status != PSA_SUCCESS) {
    250. 

  250.                 goto exit;
    251. 

  251.             }
    252. 

  252. 

  253.             status = psa_hash_update(&op,
    254. 

  254.                                      params->q_leaf_identifier,
    255. 

  255.                                      MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    256. 

  256.             if (status != PSA_SUCCESS) {
    257. 

  257.                 goto exit;
    258. 

  258.             }
    259. 

  259. 

  260.             MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
    261. 

  261.             status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
    262. 

  262.             if (status != PSA_SUCCESS) {
    263. 

  263.                 goto exit;
    264. 

  264.             }
    265. 

  265. 

  266.             j_hash_idx_bytes[0] = (uint8_t) j_hash_idx;
    267. 

  267.             status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN);
    268. 

  268.             if (status != PSA_SUCCESS) {
    269. 

  269.                 goto exit;
    270. 

  270.             }
    271. 

  271. 

  272.             status = psa_hash_update(&op, tmp_hash,
    273. 

  273.                                      MBEDTLS_LMOTS_N_HASH_LEN(params->type));
    274. 

  274.             if (status != PSA_SUCCESS) {
    275. 

  275.                 goto exit;
    276. 

  276.             }
    277. 

  277. 

  278.             status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash),
    279. 

  279.                                      &output_hash_len);
    280. 

  280.             if (status != PSA_SUCCESS) {
    281. 

  281.                 goto exit;
    282. 

  282.             }
    283. 

  283. 

  284.             psa_hash_abort(&op);
    285. 

  285.         }
    286. 

  286. 

  287.         memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
    288. 

  288.                tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
    289. 

  289.     }
    290. 

  290. 

  291. exit:
    292. 

  292.     psa_hash_abort(&op);
    293. 

  293.     mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash));
    294. 

  294. 

  295.     return PSA_TO_MBEDTLS_ERR(status);
    296. 

  296. }
    297. 

  297. 

  298. /* Combine the hashes of the digit array into a public key. This is used in
    299. 

  299.  * in order to calculate a public key from a private key (RFC8554 Algorithm 1
    300. 

  300.  * step 4), and to calculate a public key candidate from a signature and message
    301. 

  301.  * (RFC8554 Algorithm 4b step 3).
    302. 

  302.  *
    303. 

  303.  *  params           The LMOTS parameter set, I and q values which describe
    304. 

  304.  *                   the key being used.
    305. 

  305.  *  y_hashed_digits  The array of hashes, one hash for each digit of the
    306. 

  306.  *                   symbol array (which is of size P, 34 in the case of
    307. 

  307.  *                   MBEDTLS_LMOTS_SHA256_N32_W8)
    308. 

  308.  *
    309. 

  309.  *  pub_key          The output public key (or candidate public key in
    310. 

  310.  *                   case this is being run as part of signature
    311. 

  311.  *                   verification), in the form of a hash output.
    312. 

  312.  */
    313. 

  313. static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params,
    314. 

  314.                                               const unsigned char *y_hashed_digits,
    315. 

  315.                                               unsigned char *pub_key)
    316. 

  316. {
    317. 

  317.     psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
    318. 

  318.     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    319. 

  319.     size_t output_hash_len;
    320. 

  320. 

  321.     status = psa_hash_setup(&op, PSA_ALG_SHA_256);
    322. 

  322.     if (status != PSA_SUCCESS) {
    323. 

  323.         goto exit;
    324. 

  324.     }
    325. 

  325. 

  326.     status = psa_hash_update(&op,
    327. 

  327.                              params->I_key_identifier,
    328. 

  328.                              MBEDTLS_LMOTS_I_KEY_ID_LEN);
    329. 

  329.     if (status != PSA_SUCCESS) {
    330. 

  330.         goto exit;
    331. 

  331.     }
    332. 

  332. 

  333.     status = psa_hash_update(&op, params->q_leaf_identifier,
    334. 

  334.                              MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    335. 

  335.     if (status != PSA_SUCCESS) {
    336. 

  336.         goto exit;
    337. 

  337.     }
    338. 

  338. 

  339.     status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN);
    340. 

  340.     if (status != PSA_SUCCESS) {
    341. 

  341.         goto exit;
    342. 

  342.     }
    343. 

  343. 

  344.     status = psa_hash_update(&op, y_hashed_digits,
    345. 

  345.                              MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
    346. 

  346.                              MBEDTLS_LMOTS_N_HASH_LEN(params->type));
    347. 

  347.     if (status != PSA_SUCCESS) {
    348. 

  348.         goto exit;
    349. 

  349.     }
    350. 

  350. 

  351.     status = psa_hash_finish(&op, pub_key,
    352. 

  352.                              MBEDTLS_LMOTS_N_HASH_LEN(params->type),
    353. 

  353.                              &output_hash_len);
    354. 

  354.     if (status != PSA_SUCCESS) {
    355. 

  355. 

  356. exit:
    357. 

  357.         psa_hash_abort(&op);
    358. 

  358.     }
    359. 

  359. 

  360.     return PSA_TO_MBEDTLS_ERR(status);
    361. 

  361. }
    362. 

  362. 

  363. #if !defined(MBEDTLS_DEPRECATED_REMOVED)
    364. 

  364. int mbedtls_lms_error_from_psa(psa_status_t status)
    365. 

  365. {
    366. 

  366.     switch (status) {
    367. 

  367.         case PSA_SUCCESS:
    368. 

  368.             return 0;
    369. 

  369.         case PSA_ERROR_HARDWARE_FAILURE:
    370. 

  370.             return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
    371. 

  371.         case PSA_ERROR_NOT_SUPPORTED:
    372. 

  372.             return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
    373. 

  373.         case PSA_ERROR_BUFFER_TOO_SMALL:
    374. 

  374.             return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
    375. 

  375.         case PSA_ERROR_INVALID_ARGUMENT:
    376. 

  376.             return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    377. 

  377.         default:
    378. 

  378.             return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
    379. 

  379.     }
    380. 

  380. }
    381. 

  381. #endif /* !MBEDTLS_DEPRECATED_REMOVED */
    382. 

  382. 

  383. void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
    384. 

  384. {
    385. 

  385.     memset(ctx, 0, sizeof(*ctx));
    386. 

  386. }
    387. 

  387. 

  388. void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx)
    389. 

  389. {
    390. 

  390.     if (ctx == NULL) {
    391. 

  391.         return;
    392. 

  392.     }
    393. 

  393. 

  394.     mbedtls_platform_zeroize(ctx, sizeof(*ctx));
    395. 

  395. }
    396. 

  396. 

  397. int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
    398. 

  398.                                     const unsigned char *key, size_t key_len)
    399. 

  399. {
    400. 

  400.     if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
    401. 

  401.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    402. 

  402.     }
    403. 

  403. 

  404.     ctx->params.type = (mbedtls_lmots_algorithm_type_t)
    405. 

  405.                        MBEDTLS_GET_UINT32_BE(key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
    406. 

  406. 

  407.     if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
    408. 

  408.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    409. 

  409.     }
    410. 

  410. 

  411.     memcpy(ctx->params.I_key_identifier,
    412. 

  412.            key + PUBLIC_KEY_I_KEY_ID_OFFSET,
    413. 

  413.            MBEDTLS_LMOTS_I_KEY_ID_LEN);
    414. 

  414. 

  415.     memcpy(ctx->params.q_leaf_identifier,
    416. 

  416.            key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
    417. 

  417.            MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    418. 

  418. 

  419.     memcpy(ctx->public_key,
    420. 

  420.            key + PUBLIC_KEY_KEY_HASH_OFFSET,
    421. 

  421.            MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
    422. 

  422. 

  423.     ctx->have_public_key = 1;
    424. 

  424. 

  425.     return 0;
    426. 

  426. }
    427. 

  427. 

  428. int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
    429. 

  429.                                     unsigned char *key, size_t key_size,
    430. 

  430.                                     size_t *key_len)
    431. 

  431. {
    432. 

  432.     if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
    433. 

  433.         return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
    434. 

  434.     }
    435. 

  435. 

  436.     if (!ctx->have_public_key) {
    437. 

  437.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    438. 

  438.     }
    439. 

  439. 

  440.     MBEDTLS_PUT_UINT32_BE(ctx->params.type, key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
    441. 

  441. 

  442.     memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
    443. 

  443.            ctx->params.I_key_identifier,
    444. 

  444.            MBEDTLS_LMOTS_I_KEY_ID_LEN);
    445. 

  445. 

  446.     memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
    447. 

  447.            ctx->params.q_leaf_identifier,
    448. 

  448.            MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    449. 

  449. 

  450.     memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
    451. 

  451.            MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
    452. 

  452. 

  453.     if (key_len != NULL) {
    454. 

  454.         *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
    455. 

  455.     }
    456. 

  456. 

  457.     return 0;
    458. 

  458. }
    459. 

  459. 

  460. int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
    461. 

  461.                                                  const unsigned char  *msg,
    462. 

  462.                                                  size_t msg_size,
    463. 

  463.                                                  const unsigned char *sig,
    464. 

  464.                                                  size_t sig_size,
    465. 

  465.                                                  unsigned char *out,
    466. 

  466.                                                  size_t out_size,
    467. 

  467.                                                  size_t *out_len)
    468. 

  468. {
    469. 

  469.     unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
    470. 

  470.     unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    471. 

  471.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    472. 

  472. 

  473.     if (msg == NULL && msg_size != 0) {
    474. 

  474.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    475. 

  475.     }
    476. 

  476. 

  477.     if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
    478. 

  478.         out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) {
    479. 

  479.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    480. 

  480.     }
    481. 

  481. 

  482.     ret = create_digit_array_with_checksum(params, msg, msg_size,
    483. 

  483.                                            sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
    484. 

  484.                                            tmp_digit_array);
    485. 

  485.     if (ret) {
    486. 

  486.         return ret;
    487. 

  487.     }
    488. 

  488. 

  489.     ret = hash_digit_array(params,
    490. 

  490.                            sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
    491. 

  491.                            tmp_digit_array, NULL, (unsigned char *) y_hashed_digits);
    492. 

  492.     if (ret) {
    493. 

  493.         return ret;
    494. 

  494.     }
    495. 

  495. 

  496.     ret = public_key_from_hashed_digit_array(params,
    497. 

  497.                                              (unsigned char *) y_hashed_digits,
    498. 

  498.                                              out);
    499. 

  499.     if (ret) {
    500. 

  500.         return ret;
    501. 

  501.     }
    502. 

  502. 

  503.     if (out_len != NULL) {
    504. 

  504.         *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
    505. 

  505.     }
    506. 

  506. 

  507.     return 0;
    508. 

  508. }
    509. 

  509. 

  510. int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
    511. 

  511.                          const unsigned char *msg, size_t msg_size,
    512. 

  512.                          const unsigned char *sig, size_t sig_size)
    513. 

  513. {
    514. 

  514.     unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    515. 

  515.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    516. 

  516. 

  517.     if (msg == NULL && msg_size != 0) {
    518. 

  518.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    519. 

  519.     }
    520. 

  520. 

  521.     if (!ctx->have_public_key) {
    522. 

  522.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    523. 

  523.     }
    524. 

  524. 

  525.     if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) {
    526. 

  526.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    527. 

  527.     }
    528. 

  528. 

  529.     if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
    530. 

  530.         return MBEDTLS_ERR_LMS_VERIFY_FAILED;
    531. 

  531.     }
    532. 

  532. 

  533.     if (MBEDTLS_GET_UINT32_BE(sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET) != MBEDTLS_LMOTS_SHA256_N32_W8) {
    534. 

  534.         return MBEDTLS_ERR_LMS_VERIFY_FAILED;
    535. 

  535.     }
    536. 

  536. 

  537.     ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params,
    538. 

  538.                                                        msg, msg_size, sig, sig_size,
    539. 

  539.                                                        Kc_public_key_candidate,
    540. 

  540.                                                        MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
    541. 

  541.                                                        NULL);
    542. 

  542.     if (ret) {
    543. 

  543.         return MBEDTLS_ERR_LMS_VERIFY_FAILED;
    544. 

  544.     }
    545. 

  545. 

  546.     if (memcmp(&Kc_public_key_candidate, ctx->public_key,
    547. 

  547.                sizeof(ctx->public_key))) {
    548. 

  548.         return MBEDTLS_ERR_LMS_VERIFY_FAILED;
    549. 

  549.     }
    550. 

  550. 

  551.     return 0;
    552. 

  552. }
    553. 

  553. 

  554. #if defined(MBEDTLS_LMS_PRIVATE)
    555. 

  555. 

  556. void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx)
    557. 

  557. {
    558. 

  558.     memset(ctx, 0, sizeof(*ctx));
    559. 

  559. }
    560. 

  560. 

  561. void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx)
    562. 

  562. {
    563. 

  563.     if (ctx == NULL) {
    564. 

  564.         return;
    565. 

  565.     }
    566. 

  566. 

  567.     mbedtls_platform_zeroize(ctx,
    568. 

  568.                              sizeof(*ctx));
    569. 

  569. }
    570. 

  570. 

  571. int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
    572. 

  572.                                        mbedtls_lmots_algorithm_type_t type,
    573. 

  573.                                        const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
    574. 

  574.                                        uint32_t q_leaf_identifier,
    575. 

  575.                                        const unsigned char *seed,
    576. 

  576.                                        size_t seed_size)
    577. 

  577. {
    578. 

  578.     psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
    579. 

  579.     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    580. 

  580.     size_t output_hash_len;
    581. 

  581.     unsigned int i_digit_idx;
    582. 

  582.     unsigned char i_digit_idx_bytes[2];
    583. 

  583.     unsigned char const_bytes[1] = { 0xFF };
    584. 

  584. 

  585.     if (ctx->have_private_key) {
    586. 

  586.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    587. 

  587.     }
    588. 

  588. 

  589.     if (type != MBEDTLS_LMOTS_SHA256_N32_W8) {
    590. 

  590.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    591. 

  591.     }
    592. 

  592. 

  593.     ctx->params.type = type;
    594. 

  594. 

  595.     memcpy(ctx->params.I_key_identifier,
    596. 

  596.            I_key_identifier,
    597. 

  597.            sizeof(ctx->params.I_key_identifier));
    598. 

  598. 

  599.     MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, ctx->params.q_leaf_identifier, 0);
    600. 

  600. 

  601.     for (i_digit_idx = 0;
    602. 

  602.          i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
    603. 

  603.          i_digit_idx++) {
    604. 

  604.         status = psa_hash_setup(&op, PSA_ALG_SHA_256);
    605. 

  605.         if (status != PSA_SUCCESS) {
    606. 

  606.             goto exit;
    607. 

  607.         }
    608. 

  608. 

  609.         status = psa_hash_update(&op,
    610. 

  610.                                  ctx->params.I_key_identifier,
    611. 

  611.                                  sizeof(ctx->params.I_key_identifier));
    612. 

  612.         if (status != PSA_SUCCESS) {
    613. 

  613.             goto exit;
    614. 

  614.         }
    615. 

  615. 

  616.         status = psa_hash_update(&op,
    617. 

  617.                                  ctx->params.q_leaf_identifier,
    618. 

  618.                                  MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
    619. 

  619.         if (status != PSA_SUCCESS) {
    620. 

  620.             goto exit;
    621. 

  621.         }
    622. 

  622. 

  623.         MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
    624. 

  624.         status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
    625. 

  625.         if (status != PSA_SUCCESS) {
    626. 

  626.             goto exit;
    627. 

  627.         }
    628. 

  628. 

  629.         status = psa_hash_update(&op, const_bytes, sizeof(const_bytes));
    630. 

  630.         if (status != PSA_SUCCESS) {
    631. 

  631.             goto exit;
    632. 

  632.         }
    633. 

  633. 

  634.         status = psa_hash_update(&op, seed, seed_size);
    635. 

  635.         if (status != PSA_SUCCESS) {
    636. 

  636.             goto exit;
    637. 

  637.         }
    638. 

  638. 

  639.         status = psa_hash_finish(&op,
    640. 

  640.                                  ctx->private_key[i_digit_idx],
    641. 

  641.                                  MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
    642. 

  642.                                  &output_hash_len);
    643. 

  643.         if (status != PSA_SUCCESS) {
    644. 

  644.             goto exit;
    645. 

  645.         }
    646. 

  646. 

  647.         psa_hash_abort(&op);
    648. 

  648.     }
    649. 

  649. 

  650.     ctx->have_private_key = 1;
    651. 

  651. 

  652. exit:
    653. 

  653.     psa_hash_abort(&op);
    654. 

  654. 

  655.     return PSA_TO_MBEDTLS_ERR(status);
    656. 

  656. }
    657. 

  657. 

  658. int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
    659. 

  659.                                        const mbedtls_lmots_private_t *priv_ctx)
    660. 

  660. {
    661. 

  661.     unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    662. 

  662.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    663. 

  663. 

  664.     /* Check that a private key is loaded */
    665. 

  665.     if (!priv_ctx->have_private_key) {
    666. 

  666.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    667. 

  667.     }
    668. 

  668. 

  669.     ret = hash_digit_array(&priv_ctx->params,
    670. 

  670.                            (unsigned char *) priv_ctx->private_key, NULL,
    671. 

  671.                            NULL, (unsigned char *) y_hashed_digits);
    672. 

  672.     if (ret) {
    673. 

  673.         goto exit;
    674. 

  674.     }
    675. 

  675. 

  676.     ret = public_key_from_hashed_digit_array(&priv_ctx->params,
    677. 

  677.                                              (unsigned char *) y_hashed_digits,
    678. 

  678.                                              ctx->public_key);
    679. 

  679.     if (ret) {
    680. 

  680.         goto exit;
    681. 

  681.     }
    682. 

  682. 

  683.     memcpy(&ctx->params, &priv_ctx->params,
    684. 

  684.            sizeof(ctx->params));
    685. 

  685. 

  686.     ctx->have_public_key = 1;
    687. 

  687. 

  688. exit:
    689. 

  689.     mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits));
    690. 

  690. 

  691.     return ret;
    692. 

  692. }
    693. 

  693. 

  694. int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
    695. 

  695.                        int (*f_rng)(void *, unsigned char *, size_t),
    696. 

  696.                        void *p_rng, const unsigned char *msg, size_t msg_size,
    697. 

  697.                        unsigned char *sig, size_t sig_size, size_t *sig_len)
    698. 

  698. {
    699. 

  699.     unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
    700. 

  700.     /* Create a temporary buffer to prepare the signature in. This allows us to
    701. 

  701.      * finish creating a signature (ensuring the process doesn't fail), and then
    702. 

  702.      * erase the private key **before** writing any data into the sig parameter
    703. 

  703.      * buffer. If data were directly written into the sig buffer, it might leak
    704. 

  704.      * a partial signature on failure, which effectively compromises the private
    705. 

  705.      * key.
    706. 

  706.      */
    707. 

  707.     unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    708. 

  708.     unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
    709. 

  709.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    710. 

  710. 

  711.     if (msg == NULL && msg_size != 0) {
    712. 

  712.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    713. 

  713.     }
    714. 

  714. 

  715.     if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) {
    716. 

  716.         return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
    717. 

  717.     }
    718. 

  718. 

  719.     /* Check that a private key is loaded */
    720. 

  720.     if (!ctx->have_private_key) {
    721. 

  721.         return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
    722. 

  722.     }
    723. 

  723. 

  724.     ret = f_rng(p_rng, tmp_c_random,
    725. 

  725.                 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
    726. 

  726.     if (ret) {
    727. 

  727.         return ret;
    728. 

  728.     }
    729. 

  729. 

  730.     ret = create_digit_array_with_checksum(&ctx->params,
    731. 

  731.                                            msg, msg_size,
    732. 

  732.                                            tmp_c_random,
    733. 

  733.                                            tmp_digit_array);
    734. 

  734.     if (ret) {
    735. 

  735.         goto exit;
    736. 

  736.     }
    737. 

  737. 

  738.     ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key,
    739. 

  739.                            NULL, tmp_digit_array, (unsigned char *) tmp_sig);
    740. 

  740.     if (ret) {
    741. 

  741.         goto exit;
    742. 

  742.     }
    743. 

  743. 

  744.     MBEDTLS_PUT_UINT32_BE(ctx->params.type, sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
    745. 

  745. 

  746.     /* Test hook to check if sig is being written to before we invalidate the
    747. 

  747.      * private key.
    748. 

  748.      */
    749. 

  749. #if defined(MBEDTLS_TEST_HOOKS)
    750. 

  750.     if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) {
    751. 

  751.         ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig);
    752. 

  752.         if (ret != 0) {
    753. 

  753.             return ret;
    754. 

  754.         }
    755. 

  755.     }
    756. 

  756. #endif /* defined(MBEDTLS_TEST_HOOKS) */
    757. 

  757. 

  758.     /* We've got a valid signature now, so it's time to make sure the private
    759. 

  759.      * key can't be reused.
    760. 

  760.      */
    761. 

  761.     ctx->have_private_key = 0;
    762. 

  762.     mbedtls_platform_zeroize(ctx->private_key,
    763. 

  763.                              sizeof(ctx->private_key));
    764. 

  764. 

  765.     memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
    766. 

  766.            MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type));
    767. 

  767. 

  768.     memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
    769. 

  769.            MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
    770. 

  770.            * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
    771. 

  771. 

  772.     if (sig_len != NULL) {
    773. 

  773.         *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
    774. 

  774.     }
    775. 

  775. 

  776.     ret = 0;
    777. 

  777. 

  778. exit:
    779. 

  779.     mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array));
    780. 

  780.     mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig));
    781. 

  781. 

  782.     return ret;
    783. 

  783. }
    784. 

  784. 

  785. #endif /* defined(MBEDTLS_LMS_PRIVATE) */
    786. 

  786. #endif /* defined(MBEDTLS_LMS_C) */
    787.