TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 16fbd46d245d634778b9df729e3909d6bfd9a79b / . / lib / libmbedtls / mbedtls / library / lmots.h
blob: 98d1941d5343d13149887e53e4b4080ac47bb5a6 [file] [log] [blame]
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1/**
2 * \file lmots.h
3 *
4 * \brief This file provides an API for the LM-OTS post-quantum-safe one-time
5 * public-key signature scheme as defined in RFC8554 and NIST.SP.200-208.
6 * This implementation currently only supports a single parameter set
7 * MBEDTLS_LMOTS_SHA256_N32_W8 in order to reduce complexity.
8 */
9/*
10 * Copyright The Mbed TLS Contributors
11 * SPDX-License-Identifier: Apache-2.0
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 */
25
26#ifndef MBEDTLS_LMOTS_H
27#define MBEDTLS_LMOTS_H
28
29#include "mbedtls/build_info.h"
30
31#include "psa/crypto.h"
32
33#include "mbedtls/lms.h"
34
35#include <stdint.h>
36#include <stddef.h>
37
38
39#define MBEDTLS_LMOTS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \
40 MBEDTLS_LMOTS_I_KEY_ID_LEN + \
41 MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \
42 MBEDTLS_LMOTS_N_HASH_LEN(type))
43
44#define MBEDTLS_LMOTS_SIG_TYPE_OFFSET (0)
45#define MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET (MBEDTLS_LMOTS_SIG_TYPE_OFFSET + \
46 MBEDTLS_LMOTS_TYPE_LEN)
47#define MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(type) (MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET + \
48 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type))
49
50#ifdef __cplusplus
51extern "C" {
52#endif
53
54
55#if defined(MBEDTLS_TEST_HOOKS)
56extern int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *);
57#endif /* defined(MBEDTLS_TEST_HOOKS) */
58
59/**
60 * \brief This function converts an unsigned int into a
61 * network-byte-order (big endian) string.
62 *
63 * \param val The unsigned integer value
64 * \param len The length of the string.
65 * \param bytes The string to output into.
66 */
67void mbedtls_lms_unsigned_int_to_network_bytes(unsigned int val, size_t len,
68 unsigned char *bytes);
69
70/**
71 * \brief This function converts a network-byte-order
72 * (big endian) string into an unsigned integer.
73 *
74 * \param len The length of the string.
75 * \param bytes The string.
76 *
77 * \return The corresponding LMS error code.
78 */
79unsigned int mbedtls_lms_network_bytes_to_unsigned_int(size_t len,
80 const unsigned char *bytes);
81
82#if !defined(MBEDTLS_DEPRECATED_REMOVED)
83/**
84 * \brief This function converts a \ref psa_status_t to a
85 * low-level LMS error code.
86 *
87 * \param status The psa_status_t to convert
88 *
89 * \return The corresponding LMS error code.
90 */
91int MBEDTLS_DEPRECATED mbedtls_lms_error_from_psa(psa_status_t status);
92#endif
93
94/**
95 * \brief This function initializes a public LMOTS context
96 *
97 * \param ctx The uninitialized LMOTS context that will then be
98 * initialized.
99 */
100void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx);
101
102/**
103 * \brief This function uninitializes a public LMOTS context
104 *
105 * \param ctx The initialized LMOTS context that will then be
106 * uninitialized.
107 */
108void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx);
109
110/**
111 * \brief This function imports an LMOTS public key into a
112 * LMOTS context.
113 *
114 * \note Before this function is called, the context must
115 * have been initialized.
116 *
117 * \note See IETF RFC8554 for details of the encoding of
118 * this public key.
119 *
120 * \param ctx The initialized LMOTS context store the key in.
121 * \param key The buffer from which the key will be read.
122 * #MBEDTLS_LMOTS_PUBLIC_KEY_LEN bytes will be read
123 * from this.
124 *
125 * \return \c 0 on success.
126 * \return A non-zero error code on failure.
127 */
128int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
129 const unsigned char *key, size_t key_size);
130
131/**
132 * \brief This function exports an LMOTS public key from a
133 * LMOTS context that already contains a public key.
134 *
135 * \note Before this function is called, the context must
136 * have been initialized and the context must contain
137 * a public key.
138 *
139 * \note See IETF RFC8554 for details of the encoding of
140 * this public key.
141 *
142 * \param ctx The initialized LMOTS context that contains the
143 * public key.
144 * \param key The buffer into which the key will be output. Must
145 * be at least #MBEDTLS_LMOTS_PUBLIC_KEY_LEN in size.
146 *
147 * \return \c 0 on success.
148 * \return A non-zero error code on failure.
149 */
150int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
151 unsigned char *key, size_t key_size,
152 size_t *key_len);
153
154/**
155 * \brief This function creates a candidate public key from
156 * an LMOTS signature. This can then be compared to
157 * the real public key to determine the validity of
158 * the signature.
159 *
160 * \note This function is exposed publicly to be used in LMS
161 * signature verification, it is expected that
162 * mbedtls_lmots_verify will be used for LMOTS
163 * signature verification.
164 *
165 * \param params The LMOTS parameter set, q and I values as an
166 * mbedtls_lmots_parameters_t struct.
167 * \param msg The buffer from which the message will be read.
168 * \param msg_size The size of the message that will be read.
169 * \param sig The buffer from which the signature will be read.
170 * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from
171 * this.
172 * \param out The buffer where the candidate public key will be
173 * stored. Must be at least #MBEDTLS_LMOTS_N_HASH_LEN
174 * bytes in size.
175 *
176 * \return \c 0 on success.
177 * \return A non-zero error code on failure.
178 */
179int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
180 const unsigned char *msg,
181 size_t msg_size,
182 const unsigned char *sig,
183 size_t sig_size,
184 unsigned char *out,
185 size_t out_size,
186 size_t *out_len);
187
188/**
189 * \brief This function verifies a LMOTS signature, using a
190 * LMOTS context that contains a public key.
191 *
192 * \warning This function is **not intended for use in
193 * production**, due to as-yet unsolved problems with
194 * handling stateful keys. The API for this function
195 * may change considerably in future versions.
196 *
197 * \note Before this function is called, the context must
198 * have been initialized and must contain a public key
199 * (either by import or calculation from a private
200 * key).
201 *
202 * \param ctx The initialized LMOTS context from which the public
203 * key will be read.
204 * \param msg The buffer from which the message will be read.
205 * \param msg_size The size of the message that will be read.
206 * \param sig The buf from which the signature will be read.
207 * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from
208 * this.
209 *
210 * \return \c 0 on successful verification.
211 * \return A non-zero error code on failure.
212 */
213int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
214 const unsigned char *msg,
215 size_t msg_size, const unsigned char *sig,
216 size_t sig_size);
217
218#if defined(MBEDTLS_LMS_PRIVATE)
219
220/**
221 * \brief This function initializes a private LMOTS context
222 *
223 * \param ctx The uninitialized LMOTS context that will then be
224 * initialized.
225 */
226void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx);
227
228/**
229 * \brief This function uninitializes a private LMOTS context
230 *
231 * \param ctx The initialized LMOTS context that will then be
232 * uninitialized.
233 */
234void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx);
235
236/**
237 * \brief This function calculates an LMOTS private key, and
238 * stores in into an LMOTS context.
239 *
240 * \warning This function is **not intended for use in
241 * production**, due to as-yet unsolved problems with
242 * handling stateful keys. The API for this function
243 * may change considerably in future versions.
244 *
245 * \note The seed must have at least 256 bits of entropy.
246 *
247 * \param ctx The initialized LMOTS context to generate the key
248 * into.
249 * \param I_key_identifier The key identifier of the key, as a 16-byte string.
250 * \param q_leaf_identifier The leaf identifier of key. If this LMOTS key is
251 * not being used as part of an LMS key, this should
252 * be set to 0.
253 * \param seed The seed used to deterministically generate the
254 * key.
255 * \param seed_size The length of the seed.
256 *
257 * \return \c 0 on success.
258 * \return A non-zero error code on failure.
259 */
260int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
261 mbedtls_lmots_algorithm_type_t type,
262 const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
263 uint32_t q_leaf_identifier,
264 const unsigned char *seed,
265 size_t seed_size);
266
267/**
268 * \brief This function generates an LMOTS public key from a
269 * LMOTS context that already contains a private key.
270 *
271 * \note Before this function is called, the context must
272 * have been initialized and the context must contain
273 * a private key.
274 *
275 * \param ctx The initialized LMOTS context to generate the key
276 * from and store it into.
277 *
278 * \return \c 0 on success.
279 * \return A non-zero error code on failure.
280 */
281int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
282 const mbedtls_lmots_private_t *priv_ctx);
283
284/**
285 * \brief This function creates a LMOTS signature, using a
286 * LMOTS context that contains a private key.
287 *
288 * \note Before this function is called, the context must
289 * have been initialized and must contain a private
290 * key.
291 *
292 * \note LMOTS private keys can only be used once, otherwise
293 * attackers may be able to create forged signatures.
294 * If the signing operation is successful, the private
295 * key in the context will be erased, and no further
296 * signing will be possible until another private key
297 * is loaded
298 *
299 * \param ctx The initialized LMOTS context from which the
300 * private key will be read.
301 * \param f_rng The RNG function to be used for signature
302 * generation.
303 * \param p_rng The RNG context to be passed to f_rng
304 * \param msg The buffer from which the message will be read.
305 * \param msg_size The size of the message that will be read.
306 * \param sig The buf into which the signature will be stored.
307 * Must be at least #MBEDTLS_LMOTS_SIG_LEN in size.
308 *
309 * \return \c 0 on success.
310 * \return A non-zero error code on failure.
311 */
312int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
313 int (*f_rng)(void *, unsigned char *, size_t),
314 void *p_rng, const unsigned char *msg, size_t msg_size,
315 unsigned char *sig, size_t sig_size, size_t *sig_len);
316
317#endif /* defined(MBEDTLS_LMS_PRIVATE) */
318
319#ifdef __cplusplus
320}
321#endif
322
323#endif /* MBEDTLS_LMOTS_H */