e0a17610d1
Signed-off-by: Raef Coles <raef.coles@arm.com>
766 lines
25 KiB
C
766 lines
25 KiB
C
/*
|
|
* The LM-OTS one-time public-key signature scheme
|
|
*
|
|
* Copyright The Mbed TLS Contributors
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
* not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
/*
|
|
* The following sources were referenced in the design of this implementation
|
|
* of the LM-OTS algorithm:
|
|
*
|
|
* [1] IETF RFC8554
|
|
* D. McGrew, M. Curcio, S.Fluhrer
|
|
* https://datatracker.ietf.org/doc/html/rfc8554
|
|
*
|
|
* [2] NIST Special Publication 800-208
|
|
* David A. Cooper et. al.
|
|
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
|
|
*/
|
|
|
|
#include "common.h"
|
|
|
|
#ifdef MBEDTLS_LMS_C
|
|
|
|
#include <string.h>
|
|
|
|
#include "lmots.h"
|
|
|
|
#include "mbedtls/lms.h"
|
|
#include "mbedtls/platform_util.h"
|
|
#include "mbedtls/error.h"
|
|
|
|
#include "psa/crypto.h"
|
|
|
|
#define MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET (MBEDTLS_LMOTS_SIG_TYPE_OFFSET + \
|
|
MBEDTLS_LMOTS_TYPE_LEN)
|
|
#define MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(type) (MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET + \
|
|
MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type))
|
|
|
|
#define MBEDTLS_LMOTS_PUBLIC_KEY_TYPE_OFFSET (0)
|
|
#define MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET (MBEDTLS_LMOTS_PUBLIC_KEY_TYPE_OFFSET + \
|
|
MBEDTLS_LMOTS_TYPE_LEN)
|
|
#define MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET (MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET + \
|
|
MBEDTLS_LMOTS_I_KEY_ID_LEN)
|
|
#define MBEDTLS_LMOTS_PUBLIC_KEY_KEY_HASH_OFFSET (MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
|
|
MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
|
|
|
|
/* We only support parameter sets that use 8-bit digits, as it does not require
|
|
* translation logic between digits and bytes */
|
|
#define W_WINTERNITZ_PARAMETER (8u)
|
|
#define CHECKSUM_LEN (2)
|
|
#define I_DIGIT_IDX_LEN (2)
|
|
#define J_HASH_IDX_LEN (1)
|
|
#define D_CONST_LEN (2)
|
|
|
|
/* Currently only defined for SHA256, 32 is the max hash output size */
|
|
#define MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN_MAX (MBEDTLS_LMOTS_N_HASH_LEN_MAX)
|
|
|
|
#define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u)
|
|
|
|
#define D_CONST_LEN (2)
|
|
static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = {0x80, 0x80};
|
|
static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = {0x81, 0x81};
|
|
|
|
void unsigned_int_to_network_bytes( unsigned int val, size_t len,
|
|
unsigned char *bytes )
|
|
{
|
|
size_t idx;
|
|
|
|
for ( idx = 0; idx < len; idx++ )
|
|
{
|
|
bytes[idx] = ( val >> ( ( len - 1 - idx ) * 8 ) ) & 0xFF;
|
|
}
|
|
}
|
|
|
|
unsigned int network_bytes_to_unsigned_int( size_t len,
|
|
const unsigned char *bytes )
|
|
{
|
|
size_t idx;
|
|
unsigned int val = 0;
|
|
|
|
for ( idx = 0; idx < len; idx++ )
|
|
{
|
|
val |= ( ( unsigned int )bytes[idx] ) << (8 * ( len - 1 - idx ) );
|
|
}
|
|
|
|
return val;
|
|
}
|
|
|
|
static unsigned short lmots_checksum_calculate( const mbedtls_lmots_parameters_t *params,
|
|
const unsigned char* digest )
|
|
{
|
|
size_t idx;
|
|
unsigned sum = 0;
|
|
|
|
for ( idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++ )
|
|
{
|
|
sum += DIGIT_MAX_VALUE - digest[idx];
|
|
}
|
|
|
|
return sum;
|
|
}
|
|
|
|
static int create_digit_array_with_checksum( const mbedtls_lmots_parameters_t *params,
|
|
const unsigned char *msg,
|
|
size_t msg_len,
|
|
const unsigned char *C_random_value,
|
|
unsigned char *out )
|
|
{
|
|
psa_hash_operation_t op;
|
|
psa_status_t status;
|
|
size_t output_hash_len;
|
|
unsigned short checksum;
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
|
|
op = psa_hash_operation_init( );
|
|
status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op, params->I_key_identifier,
|
|
MBEDTLS_LMOTS_I_KEY_ID_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op, params->q_leaf_identifier,
|
|
MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op, C_random_value,
|
|
MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type) );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op, msg, msg_len );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_finish( &op, out,
|
|
MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type),
|
|
&output_hash_len );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
checksum = lmots_checksum_calculate( params, out );
|
|
unsigned_int_to_network_bytes( checksum, CHECKSUM_LEN,
|
|
out + MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
|
|
|
|
exit:
|
|
psa_hash_abort( &op );
|
|
|
|
return( ret );
|
|
}
|
|
|
|
static int hash_digit_array( const mbedtls_lmots_parameters_t *params,
|
|
const unsigned char *x_digit_array,
|
|
const unsigned char *hash_idx_min_values,
|
|
const unsigned char *hash_idx_max_values,
|
|
unsigned char *output )
|
|
{
|
|
unsigned char i_digit_idx;
|
|
unsigned char j_hash_idx;
|
|
unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
|
|
unsigned char j_hash_idx_bytes[1];
|
|
/* These can't be unsigned chars, because they are sometimes set to
|
|
* #DIGIT_MAX_VALUE, which has a value of 256
|
|
*/
|
|
unsigned int j_hash_idx_min;
|
|
unsigned int j_hash_idx_max;
|
|
psa_hash_operation_t op;
|
|
psa_status_t status;
|
|
size_t output_hash_len;
|
|
unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
|
|
op = psa_hash_operation_init( );
|
|
|
|
for ( i_digit_idx = 0;
|
|
i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
|
|
i_digit_idx++ )
|
|
{
|
|
|
|
memcpy( tmp_hash,
|
|
&x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
|
|
MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
|
|
|
|
j_hash_idx_min = hash_idx_min_values != NULL ?
|
|
hash_idx_min_values[i_digit_idx] : 0;
|
|
j_hash_idx_max = hash_idx_max_values != NULL ?
|
|
hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
|
|
|
|
for ( j_hash_idx = ( unsigned char )j_hash_idx_min;
|
|
j_hash_idx < j_hash_idx_max;
|
|
j_hash_idx++ )
|
|
{
|
|
status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op,
|
|
params->I_key_identifier,
|
|
MBEDTLS_LMOTS_I_KEY_ID_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op,
|
|
params->q_leaf_identifier,
|
|
MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
unsigned_int_to_network_bytes( i_digit_idx, I_DIGIT_IDX_LEN,
|
|
i_digit_idx_bytes );
|
|
status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
unsigned_int_to_network_bytes( j_hash_idx, J_HASH_IDX_LEN,
|
|
j_hash_idx_bytes );
|
|
status = psa_hash_update( &op, j_hash_idx_bytes, J_HASH_IDX_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op, tmp_hash,
|
|
MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_finish( &op, tmp_hash, sizeof( tmp_hash ),
|
|
&output_hash_len );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
psa_hash_abort( &op );
|
|
}
|
|
|
|
memcpy( &output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
|
|
tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
|
|
}
|
|
|
|
exit:
|
|
if( ret != 0 )
|
|
{
|
|
psa_hash_abort( &op );
|
|
return( ret );
|
|
}
|
|
|
|
mbedtls_platform_zeroize( tmp_hash, sizeof( tmp_hash ) );
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int public_key_from_hashed_digit_array( const mbedtls_lmots_parameters_t *params,
|
|
const unsigned char *y_hashed_digits,
|
|
unsigned char *pub_key )
|
|
{
|
|
psa_hash_operation_t op;
|
|
psa_status_t status;
|
|
size_t output_hash_len;
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
|
|
op = psa_hash_operation_init( );
|
|
status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op,
|
|
params->I_key_identifier,
|
|
MBEDTLS_LMOTS_I_KEY_ID_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op, params->q_leaf_identifier,
|
|
MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op, y_hashed_digits,
|
|
MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
|
|
MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
status = psa_hash_finish( &op, pub_key,
|
|
MBEDTLS_LMOTS_N_HASH_LEN(params->type),
|
|
&output_hash_len );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
|
|
exit:
|
|
psa_hash_abort( &op );
|
|
return( ret );
|
|
}
|
|
|
|
int mbedtls_lms_error_from_psa( psa_status_t status )
|
|
{
|
|
switch( status )
|
|
{
|
|
case PSA_SUCCESS:
|
|
return( 0 );
|
|
case PSA_ERROR_HARDWARE_FAILURE:
|
|
return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
|
|
case PSA_ERROR_NOT_SUPPORTED:
|
|
return( MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED );
|
|
case PSA_ERROR_BUFFER_TOO_SMALL:
|
|
return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
|
|
case PSA_ERROR_INVALID_ARGUMENT:
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
default:
|
|
return( MBEDTLS_ERR_ERROR_GENERIC_ERROR );
|
|
}
|
|
}
|
|
|
|
void mbedtls_lmots_init_public( mbedtls_lmots_public_t *ctx )
|
|
{
|
|
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_public_t ) ) ;
|
|
}
|
|
|
|
void mbedtls_lmots_free_public( mbedtls_lmots_public_t *ctx )
|
|
{
|
|
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_public_t ) ) ;
|
|
}
|
|
|
|
int mbedtls_lmots_import_public_key( mbedtls_lmots_public_t *ctx,
|
|
const unsigned char *key, size_t key_len )
|
|
{
|
|
ctx->params.type =
|
|
network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN,
|
|
key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET );
|
|
|
|
if( key_len < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
memcpy( ctx->params.I_key_identifier,
|
|
key + MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET,
|
|
MBEDTLS_LMOTS_I_KEY_ID_LEN );
|
|
|
|
memcpy( ctx->params.q_leaf_identifier,
|
|
key + MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET,
|
|
MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
|
|
|
|
memcpy( ctx->public_key,
|
|
key + MBEDTLS_LMOTS_PUBLIC_KEY_KEY_HASH_OFFSET,
|
|
MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
|
|
|
|
ctx->have_public_key = 1;
|
|
|
|
return( 0 );
|
|
}
|
|
|
|
int mbedtls_lmots_calculate_public_key_candidate( const mbedtls_lmots_parameters_t *params,
|
|
const unsigned char *msg,
|
|
size_t msg_size,
|
|
const unsigned char *sig,
|
|
size_t sig_size,
|
|
unsigned char *out,
|
|
size_t out_size,
|
|
size_t *out_len )
|
|
{
|
|
unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
|
|
unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
|
|
if( msg == NULL && msg_size != 0 )
|
|
{
|
|
return ( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
if( sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
|
|
out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type) )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
ret = create_digit_array_with_checksum( params, msg, msg_size,
|
|
sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
|
|
tmp_digit_array );
|
|
if( ret )
|
|
{
|
|
return ( ret );
|
|
}
|
|
|
|
ret = hash_digit_array( params,
|
|
sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
|
|
tmp_digit_array, NULL, ( unsigned char * )y_hashed_digits );
|
|
if( ret )
|
|
{
|
|
return ( ret );
|
|
}
|
|
|
|
ret = public_key_from_hashed_digit_array( params,
|
|
( unsigned char * )y_hashed_digits,
|
|
out );
|
|
if( ret )
|
|
{
|
|
return ( ret );
|
|
}
|
|
|
|
if( out_len != NULL )
|
|
{
|
|
*out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
|
|
}
|
|
|
|
return( 0 );
|
|
}
|
|
|
|
int mbedtls_lmots_verify( mbedtls_lmots_public_t *ctx, const unsigned char *msg,
|
|
size_t msg_size, const unsigned char *sig,
|
|
size_t sig_size )
|
|
{
|
|
unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
|
|
if( msg == NULL && msg_size != 0 )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
if( !ctx->have_public_key )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
if( ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8 )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
if( network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN,
|
|
sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ) != MBEDTLS_LMOTS_SHA256_N32_W8 )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
|
|
}
|
|
|
|
ret = mbedtls_lmots_calculate_public_key_candidate( &ctx->params,
|
|
msg, msg_size, sig, sig_size,
|
|
Kc_public_key_candidate,
|
|
MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
|
|
NULL );
|
|
if( ret )
|
|
{
|
|
return( ret );
|
|
}
|
|
|
|
if( memcmp( &Kc_public_key_candidate, ctx->public_key,
|
|
sizeof( ctx->public_key ) ) )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
|
|
}
|
|
|
|
return( 0 );
|
|
}
|
|
|
|
#ifdef MBEDTLS_LMS_PRIVATE
|
|
|
|
void mbedtls_lmots_init_private( mbedtls_lmots_private_t *ctx )
|
|
{
|
|
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_private_t ) ) ;
|
|
}
|
|
|
|
void mbedtls_lmots_free_private( mbedtls_lmots_private_t *ctx )
|
|
{
|
|
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_private_t ) ) ;
|
|
}
|
|
|
|
int mbedtls_lmots_generate_private_key( mbedtls_lmots_private_t *ctx,
|
|
mbedtls_lmots_algorithm_type_t type,
|
|
const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
|
|
uint32_t q_leaf_identifier,
|
|
const unsigned char *seed,
|
|
size_t seed_size )
|
|
{
|
|
psa_hash_operation_t op;
|
|
psa_status_t status;
|
|
size_t output_hash_len;
|
|
unsigned int i_digit_idx;
|
|
unsigned char i_digit_idx_bytes[2];
|
|
unsigned char const_bytes[1];
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
|
|
if( ctx->have_private_key )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
if( type != MBEDTLS_LMOTS_SHA256_N32_W8 )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
op = psa_hash_operation_init( );
|
|
|
|
ctx->params.type = type;
|
|
|
|
memcpy( ctx->params.I_key_identifier,
|
|
I_key_identifier,
|
|
sizeof( ctx->params.I_key_identifier ) );
|
|
|
|
unsigned_int_to_network_bytes( q_leaf_identifier,
|
|
MBEDTLS_LMOTS_Q_LEAF_ID_LEN,
|
|
ctx->params.q_leaf_identifier );
|
|
|
|
unsigned_int_to_network_bytes( 0xFF, sizeof( const_bytes ), const_bytes );
|
|
|
|
for ( i_digit_idx = 0;
|
|
i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
|
|
i_digit_idx++ )
|
|
{
|
|
status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret != 0 )
|
|
goto exit;
|
|
|
|
ret = psa_hash_update( &op,
|
|
ctx->params.I_key_identifier,
|
|
sizeof( ctx->params.I_key_identifier ) );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op,
|
|
ctx->params.q_leaf_identifier,
|
|
MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret )
|
|
goto exit;
|
|
|
|
unsigned_int_to_network_bytes( i_digit_idx, I_DIGIT_IDX_LEN,
|
|
i_digit_idx_bytes );
|
|
status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op, const_bytes, sizeof( const_bytes ) );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret )
|
|
goto exit;
|
|
|
|
status = psa_hash_update( &op, seed, seed_size );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret )
|
|
goto exit;
|
|
|
|
status = psa_hash_finish( &op,
|
|
ctx->private_key[i_digit_idx],
|
|
MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
|
|
&output_hash_len );
|
|
ret = mbedtls_lms_error_from_psa( status );
|
|
if( ret )
|
|
goto exit;
|
|
|
|
psa_hash_abort( &op );
|
|
}
|
|
|
|
ctx->have_private_key = 1;
|
|
|
|
exit:
|
|
if( ret != 0 )
|
|
{
|
|
psa_hash_abort( &op );
|
|
return( ret );
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
int mbedtls_lmots_calculate_public_key( mbedtls_lmots_public_t *ctx,
|
|
mbedtls_lmots_private_t *priv_ctx )
|
|
{
|
|
unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
|
|
/* Check that a private key is loaded */
|
|
if( !priv_ctx->have_private_key )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
ret = hash_digit_array( &priv_ctx->params,
|
|
( unsigned char * )priv_ctx->private_key, NULL,
|
|
NULL, ( unsigned char * )y_hashed_digits );
|
|
if( ret )
|
|
{
|
|
return( ret );
|
|
}
|
|
|
|
ret = public_key_from_hashed_digit_array( &priv_ctx->params,
|
|
( unsigned char * )y_hashed_digits,
|
|
ctx->public_key );
|
|
if( ret )
|
|
{
|
|
return( ret );
|
|
}
|
|
|
|
memcpy( &ctx->params, &priv_ctx->params,
|
|
sizeof( ctx->params ) );
|
|
|
|
ctx->have_public_key = 1;
|
|
|
|
return( ret );
|
|
}
|
|
|
|
|
|
int mbedtls_lmots_export_public_key( mbedtls_lmots_public_t *ctx,
|
|
unsigned char *key, size_t key_size,
|
|
size_t *key_len )
|
|
{
|
|
if( key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
|
|
}
|
|
|
|
if( ! ctx->have_public_key )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
unsigned_int_to_network_bytes( ctx->params.type,
|
|
MBEDTLS_LMOTS_TYPE_LEN,
|
|
key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET );
|
|
|
|
memcpy( key + MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET,
|
|
ctx->params.I_key_identifier,
|
|
MBEDTLS_LMOTS_I_KEY_ID_LEN );
|
|
|
|
memcpy( key + MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET,
|
|
ctx->params.q_leaf_identifier,
|
|
MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
|
|
|
|
memcpy( key + MBEDTLS_LMOTS_PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
|
|
MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
|
|
|
|
if( key_len != NULL )
|
|
{
|
|
*key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
|
|
}
|
|
|
|
return( 0 );
|
|
}
|
|
|
|
int mbedtls_lmots_sign( mbedtls_lmots_private_t *ctx,
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
void *p_rng, const unsigned char *msg, size_t msg_size,
|
|
unsigned char *sig, size_t sig_size, size_t* sig_len )
|
|
{
|
|
unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
|
|
/* Create a temporary buffer to prepare the signature in. This allows us to
|
|
* finish creating a signature (ensuring the process doesn't fail), and then
|
|
* erase the private key **before** writing any data into the sig parameter
|
|
* buffer. If data were directly written into the sig buffer, it might leak
|
|
* a partial signature on failure, which effectively compromises the private
|
|
* key.
|
|
*/
|
|
unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
|
|
unsigned char tmp_c_random[MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN_MAX];
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
|
|
if( msg == NULL && msg_size != 0 )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
if( sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type) )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
|
|
}
|
|
|
|
/* Check that a private key is loaded */
|
|
if( !ctx->have_private_key )
|
|
{
|
|
return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
|
|
}
|
|
|
|
ret = f_rng( p_rng, tmp_c_random,
|
|
MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
|
|
if( ret )
|
|
{
|
|
return( ret );
|
|
}
|
|
|
|
ret = create_digit_array_with_checksum( &ctx->params,
|
|
msg, msg_size,
|
|
tmp_c_random,
|
|
tmp_digit_array );
|
|
if( ret )
|
|
{
|
|
return( ret );
|
|
}
|
|
|
|
ret = hash_digit_array( &ctx->params, ( unsigned char * )ctx->private_key,
|
|
NULL, tmp_digit_array, ( unsigned char * )tmp_sig );
|
|
if( ret )
|
|
{
|
|
return( ret );
|
|
}
|
|
|
|
unsigned_int_to_network_bytes( ctx->params.type,
|
|
MBEDTLS_LMOTS_TYPE_LEN,
|
|
sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET );
|
|
|
|
/* We've got a valid signature now, so it's time to make sure the private
|
|
* key can't be reused.
|
|
*/
|
|
ctx->have_private_key = 0;
|
|
mbedtls_platform_zeroize( ctx->private_key,
|
|
sizeof( ctx->private_key ) );
|
|
|
|
memcpy( sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
|
|
MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type) );
|
|
|
|
memcpy( sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
|
|
MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
|
|
* MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
|
|
|
|
if( sig_len != NULL )
|
|
{
|
|
*sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
|
|
}
|
|
|
|
return( 0 );
|
|
}
|
|
|
|
#endif /* MBEDTLS_LMS_PRIVATE */
|
|
#endif /* MBEDTLS_LMS_C */
|