1 /*
2 * The LM-OTS one-time public-key signature scheme
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 /*
9 * The following sources were referenced in the design of this implementation
10 * of the LM-OTS algorithm:
11 *
12 * [1] IETF RFC8554
13 * D. McGrew, M. Curcio, S.Fluhrer
14 * https://datatracker.ietf.org/doc/html/rfc8554
15 *
16 * [2] NIST Special Publication 800-208
17 * David A. Cooper et. al.
18 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_LMS_C)
24
25 #include <string.h>
26
27 #include "lmots.h"
28
29 #include "mbedtls/lms.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32 #include "psa_util_internal.h"
33
34 #include "psa/crypto.h"
35
36 /* Define a local translating function to save code size by not using too many
37 * arguments in each translating place. */
local_err_translation(psa_status_t status)38 static int local_err_translation(psa_status_t status)
39 {
40 return psa_status_to_mbedtls(status, psa_to_lms_errors,
41 ARRAY_LENGTH(psa_to_lms_errors),
42 psa_generic_status_to_mbedtls);
43 }
44 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
45
46 #define PUBLIC_KEY_TYPE_OFFSET (0)
47 #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
48 MBEDTLS_LMOTS_TYPE_LEN)
49 #define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
50 MBEDTLS_LMOTS_I_KEY_ID_LEN)
51 #define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
52 MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
53
54 /* We only support parameter sets that use 8-bit digits, as it does not require
55 * translation logic between digits and bytes */
56 #define W_WINTERNITZ_PARAMETER (8u)
57 #define CHECKSUM_LEN (2)
58 #define I_DIGIT_IDX_LEN (2)
59 #define J_HASH_IDX_LEN (1)
60 #define D_CONST_LEN (2)
61
62 #define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u)
63
64 #define D_CONST_LEN (2)
65 static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 };
66 static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 };
67
68 #if defined(MBEDTLS_TEST_HOOKS)
69 int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL;
70 #endif /* defined(MBEDTLS_TEST_HOOKS) */
71
72 /* Calculate the checksum digits that are appended to the end of the LMOTS digit
73 * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
74 * the checksum algorithm.
75 *
76 * params The LMOTS parameter set, I and q values which
77 * describe the key being used.
78 *
79 * digest The digit string to create the digest from. As
80 * this does not contain a checksum, it is the same
81 * size as a hash output.
82 */
lmots_checksum_calculate(const mbedtls_lmots_parameters_t * params,const unsigned char * digest)83 static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params,
84 const unsigned char *digest)
85 {
86 size_t idx;
87 unsigned sum = 0;
88
89 for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) {
90 sum += DIGIT_MAX_VALUE - digest[idx];
91 }
92
93 return sum;
94 }
95
96 /* Create the string of digest digits (in the base determined by the Winternitz
97 * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
98 * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
99 * 4b step 3) for details.
100 *
101 * params The LMOTS parameter set, I and q values which
102 * describe the key being used.
103 *
104 * msg The message that will be hashed to create the
105 * digest.
106 *
107 * msg_size The size of the message.
108 *
109 * C_random_value The random value that will be combined with the
110 * message digest. This is always the same size as a
111 * hash output for whichever hash algorithm is
112 * determined by the parameter set.
113 *
114 * output An output containing the digit string (+
115 * checksum) of length P digits (in the case of
116 * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
117 * size P bytes).
118 */
create_digit_array_with_checksum(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_len,const unsigned char * C_random_value,unsigned char * out)119 static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params,
120 const unsigned char *msg,
121 size_t msg_len,
122 const unsigned char *C_random_value,
123 unsigned char *out)
124 {
125 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
126 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
127 size_t output_hash_len;
128 unsigned short checksum;
129
130 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
131 if (status != PSA_SUCCESS) {
132 goto exit;
133 }
134
135 status = psa_hash_update(&op, params->I_key_identifier,
136 MBEDTLS_LMOTS_I_KEY_ID_LEN);
137 if (status != PSA_SUCCESS) {
138 goto exit;
139 }
140
141 status = psa_hash_update(&op, params->q_leaf_identifier,
142 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
143 if (status != PSA_SUCCESS) {
144 goto exit;
145 }
146
147 status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN);
148 if (status != PSA_SUCCESS) {
149 goto exit;
150 }
151
152 status = psa_hash_update(&op, C_random_value,
153 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type));
154 if (status != PSA_SUCCESS) {
155 goto exit;
156 }
157
158 status = psa_hash_update(&op, msg, msg_len);
159 if (status != PSA_SUCCESS) {
160 goto exit;
161 }
162
163 status = psa_hash_finish(&op, out,
164 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
165 &output_hash_len);
166 if (status != PSA_SUCCESS) {
167 goto exit;
168 }
169
170 checksum = lmots_checksum_calculate(params, out);
171 MBEDTLS_PUT_UINT16_BE(checksum, out, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
172
173 exit:
174 psa_hash_abort(&op);
175
176 return PSA_TO_MBEDTLS_ERR(status);
177 }
178
179 /* Hash each element of the string of digits (+ checksum), producing a hash
180 * output for each element. This is used in several places (by varying the
181 * hash_idx_min/max_values) in order to calculate a public key from a private
182 * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
183 * Algorithm 3 step 5), and to calculate a public key candidate from a
184 * signature and message (RFC8554 Algorithm 4b step 3).
185 *
186 * params The LMOTS parameter set, I and q values which
187 * describe the key being used.
188 *
189 * x_digit_array The array of digits (of size P, 34 in the case of
190 * MBEDTLS_LMOTS_SHA256_N32_W8).
191 *
192 * hash_idx_min_values An array of the starting values of the j iterator
193 * for each of the members of the digit array. If
194 * this value in NULL, then all iterators will start
195 * at 0.
196 *
197 * hash_idx_max_values An array of the upper bound values of the j
198 * iterator for each of the members of the digit
199 * array. If this value in NULL, then iterator is
200 * bounded to be less than 2^w - 1 (255 in the case
201 * of MBEDTLS_LMOTS_SHA256_N32_W8)
202 *
203 * output An array containing a hash output for each member
204 * of the digit string P. In the case of
205 * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
206 * 34.
207 */
hash_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * x_digit_array,const unsigned char * hash_idx_min_values,const unsigned char * hash_idx_max_values,unsigned char * output)208 static int hash_digit_array(const mbedtls_lmots_parameters_t *params,
209 const unsigned char *x_digit_array,
210 const unsigned char *hash_idx_min_values,
211 const unsigned char *hash_idx_max_values,
212 unsigned char *output)
213 {
214 unsigned int i_digit_idx;
215 unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
216 unsigned int j_hash_idx;
217 unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
218 unsigned int j_hash_idx_min;
219 unsigned int j_hash_idx_max;
220 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
221 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
222 size_t output_hash_len;
223 unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
224
225 for (i_digit_idx = 0;
226 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
227 i_digit_idx++) {
228
229 memcpy(tmp_hash,
230 &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
231 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
232
233 j_hash_idx_min = hash_idx_min_values != NULL ?
234 hash_idx_min_values[i_digit_idx] : 0;
235 j_hash_idx_max = hash_idx_max_values != NULL ?
236 hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
237
238 for (j_hash_idx = j_hash_idx_min;
239 j_hash_idx < j_hash_idx_max;
240 j_hash_idx++) {
241 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
242 if (status != PSA_SUCCESS) {
243 goto exit;
244 }
245
246 status = psa_hash_update(&op,
247 params->I_key_identifier,
248 MBEDTLS_LMOTS_I_KEY_ID_LEN);
249 if (status != PSA_SUCCESS) {
250 goto exit;
251 }
252
253 status = psa_hash_update(&op,
254 params->q_leaf_identifier,
255 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
256 if (status != PSA_SUCCESS) {
257 goto exit;
258 }
259
260 MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
261 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
262 if (status != PSA_SUCCESS) {
263 goto exit;
264 }
265
266 j_hash_idx_bytes[0] = (uint8_t) j_hash_idx;
267 status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN);
268 if (status != PSA_SUCCESS) {
269 goto exit;
270 }
271
272 status = psa_hash_update(&op, tmp_hash,
273 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
274 if (status != PSA_SUCCESS) {
275 goto exit;
276 }
277
278 status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash),
279 &output_hash_len);
280 if (status != PSA_SUCCESS) {
281 goto exit;
282 }
283
284 psa_hash_abort(&op);
285 }
286
287 memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
288 tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
289 }
290
291 exit:
292 psa_hash_abort(&op);
293 mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash));
294
295 return PSA_TO_MBEDTLS_ERR(status);
296 }
297
298 /* Combine the hashes of the digit array into a public key. This is used in
299 * in order to calculate a public key from a private key (RFC8554 Algorithm 1
300 * step 4), and to calculate a public key candidate from a signature and message
301 * (RFC8554 Algorithm 4b step 3).
302 *
303 * params The LMOTS parameter set, I and q values which describe
304 * the key being used.
305 * y_hashed_digits The array of hashes, one hash for each digit of the
306 * symbol array (which is of size P, 34 in the case of
307 * MBEDTLS_LMOTS_SHA256_N32_W8)
308 *
309 * pub_key The output public key (or candidate public key in
310 * case this is being run as part of signature
311 * verification), in the form of a hash output.
312 */
public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * y_hashed_digits,unsigned char * pub_key)313 static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params,
314 const unsigned char *y_hashed_digits,
315 unsigned char *pub_key)
316 {
317 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
318 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
319 size_t output_hash_len;
320
321 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
322 if (status != PSA_SUCCESS) {
323 goto exit;
324 }
325
326 status = psa_hash_update(&op,
327 params->I_key_identifier,
328 MBEDTLS_LMOTS_I_KEY_ID_LEN);
329 if (status != PSA_SUCCESS) {
330 goto exit;
331 }
332
333 status = psa_hash_update(&op, params->q_leaf_identifier,
334 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
335 if (status != PSA_SUCCESS) {
336 goto exit;
337 }
338
339 status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN);
340 if (status != PSA_SUCCESS) {
341 goto exit;
342 }
343
344 status = psa_hash_update(&op, y_hashed_digits,
345 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
346 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
347 if (status != PSA_SUCCESS) {
348 goto exit;
349 }
350
351 status = psa_hash_finish(&op, pub_key,
352 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
353 &output_hash_len);
354 if (status != PSA_SUCCESS) {
355
356 exit:
357 psa_hash_abort(&op);
358 }
359
360 return PSA_TO_MBEDTLS_ERR(status);
361 }
362
363 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_lms_error_from_psa(psa_status_t status)364 int mbedtls_lms_error_from_psa(psa_status_t status)
365 {
366 switch (status) {
367 case PSA_SUCCESS:
368 return 0;
369 case PSA_ERROR_HARDWARE_FAILURE:
370 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
371 case PSA_ERROR_NOT_SUPPORTED:
372 return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
373 case PSA_ERROR_BUFFER_TOO_SMALL:
374 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
375 case PSA_ERROR_INVALID_ARGUMENT:
376 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
377 default:
378 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
379 }
380 }
381 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
382
mbedtls_lmots_public_init(mbedtls_lmots_public_t * ctx)383 void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
384 {
385 memset(ctx, 0, sizeof(*ctx));
386 }
387
mbedtls_lmots_public_free(mbedtls_lmots_public_t * ctx)388 void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx)
389 {
390 mbedtls_platform_zeroize(ctx, sizeof(*ctx));
391 }
392
mbedtls_lmots_import_public_key(mbedtls_lmots_public_t * ctx,const unsigned char * key,size_t key_len)393 int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
394 const unsigned char *key, size_t key_len)
395 {
396 if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
397 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
398 }
399
400 uint32_t type = MBEDTLS_GET_UINT32_BE(key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
401 if (type != (uint32_t) MBEDTLS_LMOTS_SHA256_N32_W8) {
402 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
403 }
404 ctx->params.type = (mbedtls_lmots_algorithm_type_t) type;
405
406 if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
407 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
408 }
409
410 memcpy(ctx->params.I_key_identifier,
411 key + PUBLIC_KEY_I_KEY_ID_OFFSET,
412 MBEDTLS_LMOTS_I_KEY_ID_LEN);
413
414 memcpy(ctx->params.q_leaf_identifier,
415 key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
416 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
417
418 memcpy(ctx->public_key,
419 key + PUBLIC_KEY_KEY_HASH_OFFSET,
420 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
421
422 ctx->have_public_key = 1;
423
424 return 0;
425 }
426
mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t * ctx,unsigned char * key,size_t key_size,size_t * key_len)427 int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
428 unsigned char *key, size_t key_size,
429 size_t *key_len)
430 {
431 if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
432 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
433 }
434
435 if (!ctx->have_public_key) {
436 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
437 }
438
439 MBEDTLS_PUT_UINT32_BE(ctx->params.type, key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
440
441 memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
442 ctx->params.I_key_identifier,
443 MBEDTLS_LMOTS_I_KEY_ID_LEN);
444
445 memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
446 ctx->params.q_leaf_identifier,
447 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
448
449 memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
450 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
451
452 if (key_len != NULL) {
453 *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
454 }
455
456 return 0;
457 }
458
mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size,unsigned char * out,size_t out_size,size_t * out_len)459 int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
460 const unsigned char *msg,
461 size_t msg_size,
462 const unsigned char *sig,
463 size_t sig_size,
464 unsigned char *out,
465 size_t out_size,
466 size_t *out_len)
467 {
468 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
469 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
470 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
471
472 if (msg == NULL && msg_size != 0) {
473 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
474 }
475
476 if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
477 out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) {
478 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
479 }
480
481 ret = create_digit_array_with_checksum(params, msg, msg_size,
482 sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
483 tmp_digit_array);
484 if (ret) {
485 return ret;
486 }
487
488 ret = hash_digit_array(params,
489 sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
490 tmp_digit_array, NULL, (unsigned char *) y_hashed_digits);
491 if (ret) {
492 return ret;
493 }
494
495 ret = public_key_from_hashed_digit_array(params,
496 (unsigned char *) y_hashed_digits,
497 out);
498 if (ret) {
499 return ret;
500 }
501
502 if (out_len != NULL) {
503 *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
504 }
505
506 return 0;
507 }
508
mbedtls_lmots_verify(const mbedtls_lmots_public_t * ctx,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size)509 int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
510 const unsigned char *msg, size_t msg_size,
511 const unsigned char *sig, size_t sig_size)
512 {
513 unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
514 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
515
516 if (msg == NULL && msg_size != 0) {
517 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
518 }
519
520 if (!ctx->have_public_key) {
521 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
522 }
523
524 if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) {
525 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
526 }
527
528 if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
529 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
530 }
531
532 if (MBEDTLS_GET_UINT32_BE(sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET) != MBEDTLS_LMOTS_SHA256_N32_W8) {
533 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
534 }
535
536 ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params,
537 msg, msg_size, sig, sig_size,
538 Kc_public_key_candidate,
539 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
540 NULL);
541 if (ret) {
542 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
543 }
544
545 if (memcmp(&Kc_public_key_candidate, ctx->public_key,
546 sizeof(ctx->public_key))) {
547 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
548 }
549
550 return 0;
551 }
552
553 #if defined(MBEDTLS_LMS_PRIVATE)
554
mbedtls_lmots_private_init(mbedtls_lmots_private_t * ctx)555 void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx)
556 {
557 memset(ctx, 0, sizeof(*ctx));
558 }
559
mbedtls_lmots_private_free(mbedtls_lmots_private_t * ctx)560 void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx)
561 {
562 mbedtls_platform_zeroize(ctx,
563 sizeof(*ctx));
564 }
565
mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t * ctx,mbedtls_lmots_algorithm_type_t type,const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],uint32_t q_leaf_identifier,const unsigned char * seed,size_t seed_size)566 int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
567 mbedtls_lmots_algorithm_type_t type,
568 const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
569 uint32_t q_leaf_identifier,
570 const unsigned char *seed,
571 size_t seed_size)
572 {
573 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
574 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
575 size_t output_hash_len;
576 unsigned int i_digit_idx;
577 unsigned char i_digit_idx_bytes[2];
578 unsigned char const_bytes[1] = { 0xFF };
579
580 if (ctx->have_private_key) {
581 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
582 }
583
584 if (type != MBEDTLS_LMOTS_SHA256_N32_W8) {
585 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
586 }
587
588 ctx->params.type = type;
589
590 memcpy(ctx->params.I_key_identifier,
591 I_key_identifier,
592 sizeof(ctx->params.I_key_identifier));
593
594 MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, ctx->params.q_leaf_identifier, 0);
595
596 for (i_digit_idx = 0;
597 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
598 i_digit_idx++) {
599 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
600 if (status != PSA_SUCCESS) {
601 goto exit;
602 }
603
604 status = psa_hash_update(&op,
605 ctx->params.I_key_identifier,
606 sizeof(ctx->params.I_key_identifier));
607 if (status != PSA_SUCCESS) {
608 goto exit;
609 }
610
611 status = psa_hash_update(&op,
612 ctx->params.q_leaf_identifier,
613 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
614 if (status != PSA_SUCCESS) {
615 goto exit;
616 }
617
618 MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
619 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
620 if (status != PSA_SUCCESS) {
621 goto exit;
622 }
623
624 status = psa_hash_update(&op, const_bytes, sizeof(const_bytes));
625 if (status != PSA_SUCCESS) {
626 goto exit;
627 }
628
629 status = psa_hash_update(&op, seed, seed_size);
630 if (status != PSA_SUCCESS) {
631 goto exit;
632 }
633
634 status = psa_hash_finish(&op,
635 ctx->private_key[i_digit_idx],
636 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
637 &output_hash_len);
638 if (status != PSA_SUCCESS) {
639 goto exit;
640 }
641
642 psa_hash_abort(&op);
643 }
644
645 ctx->have_private_key = 1;
646
647 exit:
648 psa_hash_abort(&op);
649
650 return PSA_TO_MBEDTLS_ERR(status);
651 }
652
mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t * ctx,const mbedtls_lmots_private_t * priv_ctx)653 int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
654 const mbedtls_lmots_private_t *priv_ctx)
655 {
656 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
657 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
658
659 /* Check that a private key is loaded */
660 if (!priv_ctx->have_private_key) {
661 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
662 }
663
664 ret = hash_digit_array(&priv_ctx->params,
665 (unsigned char *) priv_ctx->private_key, NULL,
666 NULL, (unsigned char *) y_hashed_digits);
667 if (ret) {
668 goto exit;
669 }
670
671 ret = public_key_from_hashed_digit_array(&priv_ctx->params,
672 (unsigned char *) y_hashed_digits,
673 ctx->public_key);
674 if (ret) {
675 goto exit;
676 }
677
678 memcpy(&ctx->params, &priv_ctx->params,
679 sizeof(ctx->params));
680
681 ctx->have_public_key = 1;
682
683 exit:
684 mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits));
685
686 return ret;
687 }
688
mbedtls_lmots_sign(mbedtls_lmots_private_t * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * msg,size_t msg_size,unsigned char * sig,size_t sig_size,size_t * sig_len)689 int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
690 int (*f_rng)(void *, unsigned char *, size_t),
691 void *p_rng, const unsigned char *msg, size_t msg_size,
692 unsigned char *sig, size_t sig_size, size_t *sig_len)
693 {
694 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
695 /* Create a temporary buffer to prepare the signature in. This allows us to
696 * finish creating a signature (ensuring the process doesn't fail), and then
697 * erase the private key **before** writing any data into the sig parameter
698 * buffer. If data were directly written into the sig buffer, it might leak
699 * a partial signature on failure, which effectively compromises the private
700 * key.
701 */
702 unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
703 unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
704 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
705
706 if (msg == NULL && msg_size != 0) {
707 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
708 }
709
710 if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) {
711 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
712 }
713
714 /* Check that a private key is loaded */
715 if (!ctx->have_private_key) {
716 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
717 }
718
719 ret = f_rng(p_rng, tmp_c_random,
720 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
721 if (ret) {
722 return ret;
723 }
724
725 ret = create_digit_array_with_checksum(&ctx->params,
726 msg, msg_size,
727 tmp_c_random,
728 tmp_digit_array);
729 if (ret) {
730 goto exit;
731 }
732
733 ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key,
734 NULL, tmp_digit_array, (unsigned char *) tmp_sig);
735 if (ret) {
736 goto exit;
737 }
738
739 MBEDTLS_PUT_UINT32_BE(ctx->params.type, sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
740
741 /* Test hook to check if sig is being written to before we invalidate the
742 * private key.
743 */
744 #if defined(MBEDTLS_TEST_HOOKS)
745 if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) {
746 ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig);
747 if (ret != 0) {
748 return ret;
749 }
750 }
751 #endif /* defined(MBEDTLS_TEST_HOOKS) */
752
753 /* We've got a valid signature now, so it's time to make sure the private
754 * key can't be reused.
755 */
756 ctx->have_private_key = 0;
757 mbedtls_platform_zeroize(ctx->private_key,
758 sizeof(ctx->private_key));
759
760 memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
761 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type));
762
763 memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
764 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
765 * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
766
767 if (sig_len != NULL) {
768 *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
769 }
770
771 ret = 0;
772
773 exit:
774 mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array));
775 mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig));
776
777 return ret;
778 }
779
780 #endif /* defined(MBEDTLS_LMS_PRIVATE) */
781 #endif /* defined(MBEDTLS_LMS_C) */
782