| /* |
| * The LM-OTS one-time public-key signature scheme |
| * |
| * Copyright The Mbed TLS Contributors |
| * SPDX-License-Identifier: Apache-2.0 |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| * not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| /* |
| * The following sources were referenced in the design of this implementation |
| * of the LM-OTS algorithm: |
| * |
| * [1] IETF RFC8554 |
| * D. McGrew, M. Curcio, S.Fluhrer |
| * https://datatracker.ietf.org/doc/html/rfc8554 |
| * |
| * [2] NIST Special Publication 800-208 |
| * David A. Cooper et. al. |
| * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf |
| */ |
| |
| #include "common.h" |
| |
| #ifdef MBEDTLS_LMS_C |
| |
| #include <string.h> |
| |
| #include "lmots.h" |
| |
| #include "mbedtls/lms.h" |
| #include "mbedtls/platform_util.h" |
| #include "mbedtls/error.h" |
| |
| #include "psa/crypto.h" |
| |
| #define MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET (MBEDTLS_LMOTS_SIG_TYPE_OFFSET + \ |
| MBEDTLS_LMOTS_TYPE_LEN) |
| #define MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(type) (MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET + \ |
| MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type)) |
| |
| #define MBEDTLS_LMOTS_PUBLIC_KEY_TYPE_OFFSET (0) |
| #define MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET (MBEDTLS_LMOTS_PUBLIC_KEY_TYPE_OFFSET + \ |
| MBEDTLS_LMOTS_TYPE_LEN) |
| #define MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET (MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET + \ |
| MBEDTLS_LMOTS_I_KEY_ID_LEN) |
| #define MBEDTLS_LMOTS_PUBLIC_KEY_KEY_HASH_OFFSET (MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET + \ |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN) |
| |
| /* We only support parameter sets that use 8-bit digits, as it does not require |
| * translation logic between digits and bytes */ |
| #define W_WINTERNITZ_PARAMETER (8u) |
| #define CHECKSUM_LEN (2) |
| #define I_DIGIT_IDX_LEN (2) |
| #define J_HASH_IDX_LEN (1) |
| #define D_CONST_LEN (2) |
| |
| /* Currently only defined for SHA256, 32 is the max hash output size */ |
| #define MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN_MAX (MBEDTLS_LMOTS_N_HASH_LEN_MAX) |
| |
| #define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u) |
| |
| #define D_CONST_LEN (2) |
| static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = {0x80, 0x80}; |
| static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = {0x81, 0x81}; |
| |
| void unsigned_int_to_network_bytes(unsigned int val, size_t len, |
| unsigned char *bytes) |
| { |
| size_t idx; |
| |
| for (idx = 0; idx < len; idx++) { |
| bytes[idx] = (val >> ((len - 1 - idx) * 8)) & 0xFF; |
| } |
| } |
| |
| unsigned int network_bytes_to_unsigned_int(size_t len, |
| const unsigned char *bytes) |
| { |
| size_t idx; |
| unsigned int val = 0; |
| |
| for (idx = 0; idx < len; idx++) { |
| val |= ((unsigned int)bytes[idx]) << (8 * (len - 1 - idx)); |
| } |
| |
| return val; |
| } |
| |
| static unsigned short lmots_checksum_calculate( const mbedtls_lmots_parameters_t *params, |
| const unsigned char* digest ) |
| { |
| size_t idx; |
| unsigned sum = 0; |
| |
| for ( idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++ ) |
| { |
| sum += DIGIT_MAX_VALUE - digest[idx]; |
| } |
| |
| return sum; |
| } |
| |
| static int create_digit_array_with_checksum( const mbedtls_lmots_parameters_t *params, |
| const unsigned char *msg, |
| size_t msg_len, |
| const unsigned char *C_random_value, |
| unsigned char *out ) |
| { |
| psa_hash_operation_t op; |
| psa_status_t status; |
| size_t output_hash_len; |
| unsigned short checksum; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| op = psa_hash_operation_init(); |
| status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, params->I_key_identifier, |
| MBEDTLS_LMOTS_I_KEY_ID_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, params->q_leaf_identifier, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, C_random_value, |
| MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type) ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, msg, msg_len ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_finish( &op, out, |
| MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type), |
| &output_hash_len ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| checksum = lmots_checksum_calculate( params, out ); |
| unsigned_int_to_network_bytes( checksum, CHECKSUM_LEN, |
| out + MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); |
| |
| exit: |
| psa_hash_abort( &op ); |
| |
| return( ret ); |
| } |
| |
| static int hash_digit_array( const mbedtls_lmots_parameters_t *params, |
| const unsigned char *x_digit_array, |
| const unsigned char *hash_idx_min_values, |
| const unsigned char *hash_idx_max_values, |
| unsigned char *output ) |
| { |
| unsigned char i_digit_idx; |
| unsigned char j_hash_idx; |
| unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN]; |
| unsigned char j_hash_idx_bytes[1]; |
| /* These can't be unsigned chars, because they are sometimes set to |
| * #DIGIT_MAX_VALUE, which has a value of 256 |
| */ |
| unsigned int j_hash_idx_min; |
| unsigned int j_hash_idx_max; |
| psa_hash_operation_t op; |
| psa_status_t status; |
| size_t output_hash_len; |
| unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| op = psa_hash_operation_init(); |
| |
| for ( i_digit_idx = 0; |
| i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type); |
| i_digit_idx++ ) |
| { |
| |
| memcpy( tmp_hash, |
| &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)], |
| MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); |
| |
| j_hash_idx_min = hash_idx_min_values != NULL ? |
| hash_idx_min_values[i_digit_idx] : 0; |
| j_hash_idx_max = hash_idx_max_values != NULL ? |
| hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE; |
| |
| for ( j_hash_idx = (unsigned char)j_hash_idx_min; |
| j_hash_idx < j_hash_idx_max; |
| j_hash_idx++ ) |
| { |
| status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, |
| params->I_key_identifier, |
| MBEDTLS_LMOTS_I_KEY_ID_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, |
| params->q_leaf_identifier, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| unsigned_int_to_network_bytes( i_digit_idx, I_DIGIT_IDX_LEN, |
| i_digit_idx_bytes ); |
| status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| unsigned_int_to_network_bytes( j_hash_idx, J_HASH_IDX_LEN, |
| j_hash_idx_bytes ); |
| status = psa_hash_update( &op, j_hash_idx_bytes, J_HASH_IDX_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, tmp_hash, |
| MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_finish( &op, tmp_hash, sizeof( tmp_hash ), |
| &output_hash_len ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| psa_hash_abort( &op ); |
| } |
| |
| memcpy( &output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)], |
| tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); |
| } |
| |
| exit: |
| if( ret ) |
| { |
| psa_hash_abort( &op ); |
| return( ret ); |
| } |
| |
| mbedtls_platform_zeroize( tmp_hash, sizeof( tmp_hash ) ); |
| |
| return ret; |
| } |
| |
| static int public_key_from_hashed_digit_array( const mbedtls_lmots_parameters_t *params, |
| const unsigned char *y_hashed_digits, |
| unsigned char *pub_key ) |
| { |
| psa_hash_operation_t op; |
| psa_status_t status; |
| size_t output_hash_len; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| op = psa_hash_operation_init( ); |
| status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, |
| params->I_key_identifier, |
| MBEDTLS_LMOTS_I_KEY_ID_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, params->q_leaf_identifier, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_update( &op, y_hashed_digits, |
| MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) * |
| MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| status = psa_hash_finish( &op, pub_key, |
| MBEDTLS_LMOTS_N_HASH_LEN(params->type), |
| &output_hash_len ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| |
| exit: |
| psa_hash_abort( &op ); |
| return( ret ); |
| } |
| |
| int mbedtls_lms_error_from_psa(psa_status_t status) |
| { |
| switch( status ) { |
| case PSA_SUCCESS: |
| return( 0 ); |
| case PSA_ERROR_HARDWARE_FAILURE: |
| return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); |
| case PSA_ERROR_NOT_SUPPORTED: |
| return( MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ); |
| case PSA_ERROR_BUFFER_TOO_SMALL: |
| return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); |
| case PSA_ERROR_INVALID_ARGUMENT: |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| default: |
| return( MBEDTLS_ERR_ERROR_GENERIC_ERROR ); |
| } |
| } |
| |
| void mbedtls_lmots_init_public( mbedtls_lmots_public_t *ctx ) |
| { |
| mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_public_t ) ) ; |
| } |
| |
| void mbedtls_lmots_free_public( mbedtls_lmots_public_t *ctx ) |
| { |
| mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_public_t ) ) ; |
| } |
| |
| int mbedtls_lmots_import_public_key( mbedtls_lmots_public_t *ctx, |
| const unsigned char *key, size_t key_len ) |
| { |
| ctx->params.type = |
| network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN, |
| key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ); |
| |
| if ( key_len < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) ) |
| { |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| memcpy( ctx->params.I_key_identifier, |
| key + MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET, |
| MBEDTLS_LMOTS_I_KEY_ID_LEN ); |
| |
| memcpy( ctx->params.q_leaf_identifier, |
| key + MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); |
| |
| memcpy( ctx->public_key, |
| key + MBEDTLS_LMOTS_PUBLIC_KEY_KEY_HASH_OFFSET, |
| MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); |
| |
| ctx->have_public_key = 1; |
| |
| return( 0 ); |
| } |
| |
| int mbedtls_lmots_calculate_public_key_candidate( const mbedtls_lmots_parameters_t *params, |
| const unsigned char *msg, |
| size_t msg_size, |
| const unsigned char *sig, |
| size_t sig_size, |
| unsigned char *out, |
| size_t out_size, |
| size_t *out_len) |
| { |
| unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX]; |
| unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| if ( msg == NULL && msg_size != 0 ) |
| { |
| return ( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| if ( sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) || |
| out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type) ) |
| { |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| ret = create_digit_array_with_checksum( params, msg, msg_size, |
| sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, |
| tmp_digit_array ); |
| if ( ret ) |
| { |
| return ( ret ); |
| } |
| |
| ret = hash_digit_array( params, |
| sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type), |
| tmp_digit_array, NULL, (unsigned char *)y_hashed_digits ); |
| if ( ret ) |
| { |
| return ( ret ); |
| } |
| |
| ret = public_key_from_hashed_digit_array( params, |
| (unsigned char *)y_hashed_digits, |
| out ); |
| if ( ret ) |
| { |
| return ( ret ); |
| } |
| |
| if ( out_len != NULL ) |
| { |
| *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type); |
| } |
| |
| return( 0 ); |
| } |
| |
| int mbedtls_lmots_verify( mbedtls_lmots_public_t *ctx, const unsigned char *msg, |
| size_t msg_size, const unsigned char *sig, |
| size_t sig_size ) |
| { |
| unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| if ( msg == NULL && msg_size != 0 ) |
| { |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| if ( !ctx->have_public_key ) |
| { |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| if( ctx->params.MBEDTLS_PRIVATE( type ) |
| != MBEDTLS_LMOTS_SHA256_N32_W8 ) |
| { |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| if ( network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN, |
| sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ) != MBEDTLS_LMOTS_SHA256_N32_W8 ) |
| { |
| return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); |
| } |
| |
| ret = mbedtls_lmots_calculate_public_key_candidate( &ctx->params, |
| msg, msg_size, sig, sig_size, |
| Kc_public_key_candidate, |
| MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type), |
| NULL); |
| if ( ret ) |
| { |
| return( ret ); |
| } |
| |
| if ( memcmp( &Kc_public_key_candidate, ctx->public_key, |
| sizeof( ctx->public_key ) ) ) |
| { |
| return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); |
| } |
| |
| return( 0 ); |
| } |
| |
| #ifdef MBEDTLS_LMS_PRIVATE |
| |
| void mbedtls_lmots_init_private( mbedtls_lmots_private_t *ctx ) |
| { |
| mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_private_t ) ) ; |
| } |
| |
| void mbedtls_lmots_free_private( mbedtls_lmots_private_t *ctx ) |
| { |
| mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_private_t ) ) ; |
| } |
| |
| int mbedtls_lmots_generate_private_key( mbedtls_lmots_private_t *ctx, |
| mbedtls_lmots_algorithm_type_t type, |
| const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN], |
| uint32_t q_leaf_identifier, |
| const unsigned char *seed, |
| size_t seed_size ) |
| { |
| psa_hash_operation_t op; |
| psa_status_t status; |
| size_t output_hash_len; |
| unsigned int i_digit_idx; |
| unsigned char i_digit_idx_bytes[2]; |
| unsigned char const_bytes[1]; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| if ( ctx->have_private_key ) |
| { |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| if ( type != MBEDTLS_LMOTS_SHA256_N32_W8 ) { |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| op = psa_hash_operation_init( ); |
| |
| ctx->params.type = type; |
| |
| memcpy( ctx->params.I_key_identifier, |
| I_key_identifier, |
| sizeof( ctx->params.I_key_identifier ) ); |
| |
| unsigned_int_to_network_bytes(q_leaf_identifier, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN, |
| ctx->params.q_leaf_identifier ); |
| |
| unsigned_int_to_network_bytes( 0xFF, sizeof( const_bytes ), const_bytes ); |
| |
| for ( i_digit_idx = 0; |
| i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type); |
| i_digit_idx++ ) |
| { |
| status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret != 0 ) |
| goto exit; |
| |
| ret = psa_hash_update( &op, |
| ctx->params.I_key_identifier, |
| sizeof( ctx->params.I_key_identifier ) ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret ) |
| goto exit; |
| |
| status = psa_hash_update( &op, |
| ctx->params.q_leaf_identifier, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret ) |
| goto exit; |
| |
| unsigned_int_to_network_bytes( i_digit_idx, I_DIGIT_IDX_LEN, |
| i_digit_idx_bytes ); |
| status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret ) |
| goto exit; |
| |
| status = psa_hash_update( &op, const_bytes, sizeof( const_bytes) ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret ) |
| goto exit; |
| |
| status = psa_hash_update( &op, seed, seed_size ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret ) |
| goto exit; |
| |
| status = psa_hash_finish( &op, |
| ctx->private_key[i_digit_idx], |
| MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type), |
| &output_hash_len ); |
| ret = mbedtls_lms_error_from_psa( status ); |
| if ( ret ) |
| goto exit; |
| |
| psa_hash_abort( &op ); |
| } |
| |
| ctx->have_private_key = 1; |
| |
| exit: |
| if( ret ) |
| { |
| psa_hash_abort( &op ); |
| return( ret ); |
| } |
| |
| return ret; |
| } |
| |
| int mbedtls_lmots_calculate_public_key( mbedtls_lmots_public_t *ctx, |
| mbedtls_lmots_private_t *priv_ctx) |
| { |
| unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| /* Check that a private key is loaded */ |
| if ( !priv_ctx->have_private_key ) |
| { |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| ret = hash_digit_array( &priv_ctx->params, |
| (unsigned char *)priv_ctx->private_key, NULL, |
| NULL, (unsigned char *)y_hashed_digits ); |
| if ( ret ) |
| { |
| return( ret ); |
| } |
| |
| ret = public_key_from_hashed_digit_array( &priv_ctx->params, |
| (unsigned char *)y_hashed_digits, |
| ctx->public_key ); |
| if ( ret ) |
| { |
| return( ret ); |
| } |
| |
| memcpy( &ctx->params, &priv_ctx->params, |
| sizeof( ctx->params ) ); |
| |
| ctx->MBEDTLS_PRIVATE(have_public_key = 1); |
| |
| return( ret ); |
| } |
| |
| |
| int mbedtls_lmots_export_public_key( mbedtls_lmots_public_t *ctx, |
| unsigned char *key, size_t key_size, |
| size_t *key_len ) |
| { |
| if( key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) ) |
| { |
| return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); |
| } |
| |
| if( ! ctx->have_public_key ) |
| { |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| unsigned_int_to_network_bytes( ctx->params.type, |
| MBEDTLS_LMOTS_TYPE_LEN, |
| key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ); |
| |
| memcpy( key + MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET, |
| ctx->params.I_key_identifier, |
| MBEDTLS_LMOTS_I_KEY_ID_LEN ); |
| |
| memcpy(key + MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET, |
| ctx->params.q_leaf_identifier, |
| MBEDTLS_LMOTS_Q_LEAF_ID_LEN); |
| |
| memcpy( key + MBEDTLS_LMOTS_PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key, |
| MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); |
| |
| if( key_len != NULL ) |
| { |
| *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type); |
| } |
| |
| return( 0 ); |
| } |
| |
| int mbedtls_lmots_sign( mbedtls_lmots_private_t *ctx, |
| int (*f_rng)(void *, unsigned char *, size_t), |
| void *p_rng, const unsigned char *msg, size_t msg_size, |
| unsigned char *sig, size_t sig_size, size_t* sig_len ) |
| { |
| unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX]; |
| /* Create a temporary buffer to prepare the signature in. This allows us to |
| * finish creating a signature (ensuring the process doesn't fail), and then |
| * erase the private key **before** writing any data into the sig parameter |
| * buffer. If data were directly written into the sig buffer, it might leak |
| * a partial signature on failure, which effectively compromises the private |
| * key. |
| */ |
| unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; |
| unsigned char tmp_c_random[MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN_MAX]; |
| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| |
| if ( msg == NULL && msg_size != 0 ) |
| { |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| if( sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type) ) |
| { |
| return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); |
| } |
| |
| /* Check that a private key is loaded */ |
| if ( !ctx->have_private_key ) |
| { |
| return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| } |
| |
| ret = f_rng( p_rng, tmp_c_random, |
| MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); |
| if ( ret ) |
| { |
| return( ret ); |
| } |
| |
| ret = create_digit_array_with_checksum( &ctx->params, |
| msg, msg_size, |
| tmp_c_random, |
| tmp_digit_array ); |
| if ( ret ) |
| { |
| return( ret ); |
| } |
| |
| ret = hash_digit_array( &ctx->params, (unsigned char *)ctx->private_key, |
| NULL, tmp_digit_array, (unsigned char *)tmp_sig ); |
| if ( ret ) |
| { |
| return( ret ); |
| } |
| |
| unsigned_int_to_network_bytes( ctx->params.type, |
| MBEDTLS_LMOTS_TYPE_LEN, |
| sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ); |
| |
| /* We've got a valid signature now, so it's time to make sure the private |
| * key can't be reused. |
| */ |
| ctx->have_private_key = 0; |
| mbedtls_platform_zeroize(ctx->private_key, |
| sizeof(ctx->private_key)); |
| |
| memcpy( sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random, |
| MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type) ); |
| |
| memcpy( sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig, |
| MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type) |
| * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); |
| |
| if( sig_len != NULL ) |
| { |
| *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type); |
| } |
| |
| return( 0 ); |
| } |
| |
| #endif /* MBEDTLS_LMS_PRIVATE */ |
| #endif /* MBEDTLS_LMS_C */ |