1 /*
2 * The LM-OTS one-time public-key signature scheme
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * The following sources were referenced in the design of this implementation
22 * of the LM-OTS algorithm:
23 *
24 * [1] IETF RFC8554
25 * D. McGrew, M. Curcio, S.Fluhrer
26 * https://datatracker.ietf.org/doc/html/rfc8554
27 *
28 * [2] NIST Special Publication 800-208
29 * David A. Cooper et. al.
30 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
31 */
32
33 #include "common.h"
34
35 #if defined(MBEDTLS_LMS_C)
36
37 #include <string.h>
38
39 #include "lmots.h"
40
41 #include "mbedtls/lms.h"
42 #include "mbedtls/platform_util.h"
43 #include "mbedtls/error.h"
44
45 #include "psa/crypto.h"
46
47 #define PUBLIC_KEY_TYPE_OFFSET (0)
48 #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
49 MBEDTLS_LMOTS_TYPE_LEN)
50 #define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
51 MBEDTLS_LMOTS_I_KEY_ID_LEN)
52 #define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
53 MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
54
55 /* We only support parameter sets that use 8-bit digits, as it does not require
56 * translation logic between digits and bytes */
57 #define W_WINTERNITZ_PARAMETER (8u)
58 #define CHECKSUM_LEN (2)
59 #define I_DIGIT_IDX_LEN (2)
60 #define J_HASH_IDX_LEN (1)
61 #define D_CONST_LEN (2)
62
63 #define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u)
64
65 #define D_CONST_LEN (2)
66 static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = {0x80, 0x80};
67 static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = {0x81, 0x81};
68
69 #if defined(MBEDTLS_TEST_HOOKS)
70 int( *mbedtls_lmots_sign_private_key_invalidated_hook )( unsigned char * ) = NULL;
71 #endif /* defined(MBEDTLS_TEST_HOOKS) */
72
mbedtls_lms_unsigned_int_to_network_bytes(unsigned int val,size_t len,unsigned char * bytes)73 void mbedtls_lms_unsigned_int_to_network_bytes( unsigned int val, size_t len,
74 unsigned char *bytes )
75 {
76 size_t idx;
77
78 for ( idx = 0; idx < len; idx++ )
79 {
80 bytes[idx] = ( val >> ( ( len - 1 - idx ) * 8 ) ) & 0xFF;
81 }
82 }
83
mbedtls_lms_network_bytes_to_unsigned_int(size_t len,const unsigned char * bytes)84 unsigned int mbedtls_lms_network_bytes_to_unsigned_int( size_t len,
85 const unsigned char *bytes )
86 {
87 size_t idx;
88 unsigned int val = 0;
89
90 for ( idx = 0; idx < len; idx++ )
91 {
92 val |= ( ( unsigned int )bytes[idx] ) << (8 * ( len - 1 - idx ) );
93 }
94
95 return ( val );
96 }
97
98 /* Calculate the checksum digits that are appended to the end of the LMOTS digit
99 * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
100 * the checksum algorithm.
101 *
102 * params The LMOTS parameter set, I and q values which
103 * describe the key being used.
104 *
105 * digest The digit string to create the digest from. As
106 * this does not contain a checksum, it is the same
107 * size as a hash output.
108 */
lmots_checksum_calculate(const mbedtls_lmots_parameters_t * params,const unsigned char * digest)109 static unsigned short lmots_checksum_calculate( const mbedtls_lmots_parameters_t *params,
110 const unsigned char* digest )
111 {
112 size_t idx;
113 unsigned sum = 0;
114
115 for ( idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++ )
116 {
117 sum += DIGIT_MAX_VALUE - digest[idx];
118 }
119
120 return ( sum );
121 }
122
123 /* Create the string of digest digits (in the base determined by the Winternitz
124 * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
125 * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
126 * 4b step 3) for details.
127 *
128 * params The LMOTS parameter set, I and q values which
129 * describe the key being used.
130 *
131 * msg The message that will be hashed to create the
132 * digest.
133 *
134 * msg_size The size of the message.
135 *
136 * C_random_value The random value that will be combined with the
137 * message digest. This is always the same size as a
138 * hash output for whichever hash algorithm is
139 * determined by the parameter set.
140 *
141 * output An output containing the digit string (+
142 * checksum) of length P digits (in the case of
143 * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
144 * size P bytes).
145 */
create_digit_array_with_checksum(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_len,const unsigned char * C_random_value,unsigned char * out)146 static int create_digit_array_with_checksum( const mbedtls_lmots_parameters_t *params,
147 const unsigned char *msg,
148 size_t msg_len,
149 const unsigned char *C_random_value,
150 unsigned char *out )
151 {
152 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
153 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
154 size_t output_hash_len;
155 unsigned short checksum;
156
157 status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
158 if( status != PSA_SUCCESS )
159 goto exit;
160
161 status = psa_hash_update( &op, params->I_key_identifier,
162 MBEDTLS_LMOTS_I_KEY_ID_LEN );
163 if( status != PSA_SUCCESS )
164 goto exit;
165
166 status = psa_hash_update( &op, params->q_leaf_identifier,
167 MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
168 if( status != PSA_SUCCESS )
169 goto exit;
170
171 status = psa_hash_update( &op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN );
172 if( status != PSA_SUCCESS )
173 goto exit;
174
175 status = psa_hash_update( &op, C_random_value,
176 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type) );
177 if( status != PSA_SUCCESS )
178 goto exit;
179
180 status = psa_hash_update( &op, msg, msg_len );
181 if( status != PSA_SUCCESS )
182 goto exit;
183
184 status = psa_hash_finish( &op, out,
185 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
186 &output_hash_len );
187 if( status != PSA_SUCCESS )
188 goto exit;
189
190 checksum = lmots_checksum_calculate( params, out );
191 mbedtls_lms_unsigned_int_to_network_bytes( checksum, CHECKSUM_LEN,
192 out + MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
193
194 exit:
195 psa_hash_abort( &op );
196
197 return( mbedtls_lms_error_from_psa( status ) );
198 }
199
200 /* Hash each element of the string of digits (+ checksum), producing a hash
201 * output for each element. This is used in several places (by varying the
202 * hash_idx_min/max_values) in order to calculate a public key from a private
203 * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
204 * Algorithm 3 step 5), and to calculate a public key candidate from a
205 * signature and message (RFC8554 Algorithm 4b step 3).
206 *
207 * params The LMOTS parameter set, I and q values which
208 * describe the key being used.
209 *
210 * x_digit_array The array of digits (of size P, 34 in the case of
211 * MBEDTLS_LMOTS_SHA256_N32_W8).
212 *
213 * hash_idx_min_values An array of the starting values of the j iterator
214 * for each of the members of the digit array. If
215 * this value in NULL, then all iterators will start
216 * at 0.
217 *
218 * hash_idx_max_values An array of the upper bound values of the j
219 * iterator for each of the members of the digit
220 * array. If this value in NULL, then iterator is
221 * bounded to be less than 2^w - 1 (255 in the case
222 * of MBEDTLS_LMOTS_SHA256_N32_W8)
223 *
224 * output An array containing a hash output for each member
225 * of the digit string P. In the case of
226 * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
227 * 34.
228 */
hash_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * x_digit_array,const unsigned char * hash_idx_min_values,const unsigned char * hash_idx_max_values,unsigned char * output)229 static int hash_digit_array( const mbedtls_lmots_parameters_t *params,
230 const unsigned char *x_digit_array,
231 const unsigned char *hash_idx_min_values,
232 const unsigned char *hash_idx_max_values,
233 unsigned char *output )
234 {
235 unsigned int i_digit_idx;
236 unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
237 unsigned int j_hash_idx;
238 unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
239 unsigned int j_hash_idx_min;
240 unsigned int j_hash_idx_max;
241 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
242 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
243 size_t output_hash_len;
244 unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
245
246 for ( i_digit_idx = 0;
247 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
248 i_digit_idx++ )
249 {
250
251 memcpy( tmp_hash,
252 &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
253 MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
254
255 j_hash_idx_min = hash_idx_min_values != NULL ?
256 hash_idx_min_values[i_digit_idx] : 0;
257 j_hash_idx_max = hash_idx_max_values != NULL ?
258 hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
259
260 for ( j_hash_idx = j_hash_idx_min;
261 j_hash_idx < j_hash_idx_max;
262 j_hash_idx++ )
263 {
264 status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
265 if( status != PSA_SUCCESS )
266 goto exit;
267
268 status = psa_hash_update( &op,
269 params->I_key_identifier,
270 MBEDTLS_LMOTS_I_KEY_ID_LEN );
271 if( status != PSA_SUCCESS )
272 goto exit;
273
274 status = psa_hash_update( &op,
275 params->q_leaf_identifier,
276 MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
277 if( status != PSA_SUCCESS )
278 goto exit;
279
280 mbedtls_lms_unsigned_int_to_network_bytes( i_digit_idx,
281 I_DIGIT_IDX_LEN,
282 i_digit_idx_bytes );
283 status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN );
284 if( status != PSA_SUCCESS )
285 goto exit;
286
287 mbedtls_lms_unsigned_int_to_network_bytes( j_hash_idx,
288 J_HASH_IDX_LEN,
289 j_hash_idx_bytes );
290 status = psa_hash_update( &op, j_hash_idx_bytes, J_HASH_IDX_LEN );
291 if( status != PSA_SUCCESS )
292 goto exit;
293
294 status = psa_hash_update( &op, tmp_hash,
295 MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
296 if( status != PSA_SUCCESS )
297 goto exit;
298
299 status = psa_hash_finish( &op, tmp_hash, sizeof( tmp_hash ),
300 &output_hash_len );
301 if( status != PSA_SUCCESS )
302 goto exit;
303
304 psa_hash_abort( &op );
305 }
306
307 memcpy( &output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
308 tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
309 }
310
311 exit:
312 psa_hash_abort( &op );
313 mbedtls_platform_zeroize( tmp_hash, sizeof( tmp_hash ) );
314
315 return( mbedtls_lms_error_from_psa( status ) );
316 }
317
318 /* Combine the hashes of the digit array into a public key. This is used in
319 * in order to calculate a public key from a private key (RFC8554 Algorithm 1
320 * step 4), and to calculate a public key candidate from a signature and message
321 * (RFC8554 Algorithm 4b step 3).
322 *
323 * params The LMOTS parameter set, I and q values which describe
324 * the key being used.
325 * y_hashed_digits The array of hashes, one hash for each digit of the
326 * symbol array (which is of size P, 34 in the case of
327 * MBEDTLS_LMOTS_SHA256_N32_W8)
328 *
329 * pub_key The output public key (or candidate public key in
330 * case this is being run as part of signature
331 * verification), in the form of a hash output.
332 */
public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * y_hashed_digits,unsigned char * pub_key)333 static int public_key_from_hashed_digit_array( const mbedtls_lmots_parameters_t *params,
334 const unsigned char *y_hashed_digits,
335 unsigned char *pub_key )
336 {
337 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
338 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
339 size_t output_hash_len;
340
341 status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
342 if( status != PSA_SUCCESS )
343 goto exit;
344
345 status = psa_hash_update( &op,
346 params->I_key_identifier,
347 MBEDTLS_LMOTS_I_KEY_ID_LEN );
348 if( status != PSA_SUCCESS )
349 goto exit;
350
351 status = psa_hash_update( &op, params->q_leaf_identifier,
352 MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
353 if( status != PSA_SUCCESS )
354 goto exit;
355
356 status = psa_hash_update( &op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN );
357 if( status != PSA_SUCCESS )
358 goto exit;
359
360 status = psa_hash_update( &op, y_hashed_digits,
361 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
362 MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
363 if( status != PSA_SUCCESS )
364 goto exit;
365
366 status = psa_hash_finish( &op, pub_key,
367 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
368 &output_hash_len );
369 if( status != PSA_SUCCESS )
370
371 exit:
372 psa_hash_abort( &op );
373
374 return( mbedtls_lms_error_from_psa( status ) );
375 }
376
mbedtls_lms_error_from_psa(psa_status_t status)377 int mbedtls_lms_error_from_psa( psa_status_t status )
378 {
379 switch( status )
380 {
381 case PSA_SUCCESS:
382 return( 0 );
383 case PSA_ERROR_HARDWARE_FAILURE:
384 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
385 case PSA_ERROR_NOT_SUPPORTED:
386 return( MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED );
387 case PSA_ERROR_BUFFER_TOO_SMALL:
388 return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
389 case PSA_ERROR_INVALID_ARGUMENT:
390 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
391 default:
392 return( MBEDTLS_ERR_ERROR_GENERIC_ERROR );
393 }
394 }
395
mbedtls_lmots_public_init(mbedtls_lmots_public_t * ctx)396 void mbedtls_lmots_public_init( mbedtls_lmots_public_t *ctx )
397 {
398 memset( ctx, 0, sizeof( *ctx ) ) ;
399 }
400
mbedtls_lmots_public_free(mbedtls_lmots_public_t * ctx)401 void mbedtls_lmots_public_free( mbedtls_lmots_public_t *ctx )
402 {
403 mbedtls_platform_zeroize( ctx, sizeof( *ctx ) ) ;
404 }
405
mbedtls_lmots_import_public_key(mbedtls_lmots_public_t * ctx,const unsigned char * key,size_t key_len)406 int mbedtls_lmots_import_public_key( mbedtls_lmots_public_t *ctx,
407 const unsigned char *key, size_t key_len )
408 {
409 if( key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN )
410 {
411 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
412 }
413
414 ctx->params.type =
415 mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN,
416 key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET );
417
418 if( key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) )
419 {
420 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
421 }
422
423 memcpy( ctx->params.I_key_identifier,
424 key + PUBLIC_KEY_I_KEY_ID_OFFSET,
425 MBEDTLS_LMOTS_I_KEY_ID_LEN );
426
427 memcpy( ctx->params.q_leaf_identifier,
428 key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
429 MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
430
431 memcpy( ctx->public_key,
432 key + PUBLIC_KEY_KEY_HASH_OFFSET,
433 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
434
435 ctx->have_public_key = 1;
436
437 return( 0 );
438 }
439
mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t * ctx,unsigned char * key,size_t key_size,size_t * key_len)440 int mbedtls_lmots_export_public_key( const mbedtls_lmots_public_t *ctx,
441 unsigned char *key, size_t key_size,
442 size_t *key_len )
443 {
444 if( key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) )
445 {
446 return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
447 }
448
449 if( ! ctx->have_public_key )
450 {
451 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
452 }
453
454 mbedtls_lms_unsigned_int_to_network_bytes( ctx->params.type,
455 MBEDTLS_LMOTS_TYPE_LEN,
456 key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET );
457
458 memcpy( key + PUBLIC_KEY_I_KEY_ID_OFFSET,
459 ctx->params.I_key_identifier,
460 MBEDTLS_LMOTS_I_KEY_ID_LEN );
461
462 memcpy( key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
463 ctx->params.q_leaf_identifier,
464 MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
465
466 memcpy( key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
467 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
468
469 if( key_len != NULL )
470 {
471 *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
472 }
473
474 return( 0 );
475 }
476
mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size,unsigned char * out,size_t out_size,size_t * out_len)477 int mbedtls_lmots_calculate_public_key_candidate( const mbedtls_lmots_parameters_t *params,
478 const unsigned char *msg,
479 size_t msg_size,
480 const unsigned char *sig,
481 size_t sig_size,
482 unsigned char *out,
483 size_t out_size,
484 size_t *out_len )
485 {
486 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
487 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
488 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
489
490 if( msg == NULL && msg_size != 0 )
491 {
492 return ( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
493 }
494
495 if( sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
496 out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type) )
497 {
498 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
499 }
500
501 ret = create_digit_array_with_checksum( params, msg, msg_size,
502 sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
503 tmp_digit_array );
504 if( ret )
505 {
506 return ( ret );
507 }
508
509 ret = hash_digit_array( params,
510 sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
511 tmp_digit_array, NULL, ( unsigned char * )y_hashed_digits );
512 if( ret )
513 {
514 return ( ret );
515 }
516
517 ret = public_key_from_hashed_digit_array( params,
518 ( unsigned char * )y_hashed_digits,
519 out );
520 if( ret )
521 {
522 return ( ret );
523 }
524
525 if( out_len != NULL )
526 {
527 *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
528 }
529
530 return( 0 );
531 }
532
mbedtls_lmots_verify(const mbedtls_lmots_public_t * ctx,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size)533 int mbedtls_lmots_verify( const mbedtls_lmots_public_t *ctx,
534 const unsigned char *msg, size_t msg_size,
535 const unsigned char *sig, size_t sig_size )
536 {
537 unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
538 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
539
540 if( msg == NULL && msg_size != 0 )
541 {
542 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
543 }
544
545 if( !ctx->have_public_key )
546 {
547 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
548 }
549
550 if( ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8 )
551 {
552 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
553 }
554
555 if( sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN )
556 {
557 return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
558 }
559
560 if( mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN,
561 sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ) != MBEDTLS_LMOTS_SHA256_N32_W8 )
562 {
563 return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
564 }
565
566 ret = mbedtls_lmots_calculate_public_key_candidate( &ctx->params,
567 msg, msg_size, sig, sig_size,
568 Kc_public_key_candidate,
569 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
570 NULL );
571 if( ret )
572 {
573 return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
574 }
575
576 if( memcmp( &Kc_public_key_candidate, ctx->public_key,
577 sizeof( ctx->public_key ) ) )
578 {
579 return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
580 }
581
582 return( 0 );
583 }
584
585 #if defined(MBEDTLS_LMS_PRIVATE)
586
mbedtls_lmots_private_init(mbedtls_lmots_private_t * ctx)587 void mbedtls_lmots_private_init( mbedtls_lmots_private_t *ctx )
588 {
589 memset( ctx, 0, sizeof( *ctx ) ) ;
590 }
591
mbedtls_lmots_private_free(mbedtls_lmots_private_t * ctx)592 void mbedtls_lmots_private_free( mbedtls_lmots_private_t *ctx )
593 {
594 mbedtls_platform_zeroize( ctx, sizeof( *ctx ) ) ;
595 }
596
mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t * ctx,mbedtls_lmots_algorithm_type_t type,const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],uint32_t q_leaf_identifier,const unsigned char * seed,size_t seed_size)597 int mbedtls_lmots_generate_private_key( mbedtls_lmots_private_t *ctx,
598 mbedtls_lmots_algorithm_type_t type,
599 const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
600 uint32_t q_leaf_identifier,
601 const unsigned char *seed,
602 size_t seed_size )
603 {
604 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
605 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
606 size_t output_hash_len;
607 unsigned int i_digit_idx;
608 unsigned char i_digit_idx_bytes[2];
609 unsigned char const_bytes[1];
610
611 if( ctx->have_private_key )
612 {
613 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
614 }
615
616 if( type != MBEDTLS_LMOTS_SHA256_N32_W8 )
617 {
618 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
619 }
620
621 ctx->params.type = type;
622
623 memcpy( ctx->params.I_key_identifier,
624 I_key_identifier,
625 sizeof( ctx->params.I_key_identifier ) );
626
627 mbedtls_lms_unsigned_int_to_network_bytes( q_leaf_identifier,
628 MBEDTLS_LMOTS_Q_LEAF_ID_LEN,
629 ctx->params.q_leaf_identifier );
630
631 mbedtls_lms_unsigned_int_to_network_bytes( 0xFF, sizeof( const_bytes ),
632 const_bytes );
633
634 for ( i_digit_idx = 0;
635 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
636 i_digit_idx++ )
637 {
638 status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
639 if( status != PSA_SUCCESS )
640 goto exit;
641
642 status = psa_hash_update( &op,
643 ctx->params.I_key_identifier,
644 sizeof( ctx->params.I_key_identifier ) );
645 if( status != PSA_SUCCESS )
646 goto exit;
647
648 status = psa_hash_update( &op,
649 ctx->params.q_leaf_identifier,
650 MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
651 if( status != PSA_SUCCESS )
652 goto exit;
653
654 mbedtls_lms_unsigned_int_to_network_bytes( i_digit_idx, I_DIGIT_IDX_LEN,
655 i_digit_idx_bytes );
656 status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN );
657 if( status != PSA_SUCCESS )
658 goto exit;
659
660 status = psa_hash_update( &op, const_bytes, sizeof( const_bytes ) );
661 if( status != PSA_SUCCESS )
662 goto exit;
663
664 status = psa_hash_update( &op, seed, seed_size );
665 if( status != PSA_SUCCESS )
666 goto exit;
667
668 status = psa_hash_finish( &op,
669 ctx->private_key[i_digit_idx],
670 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
671 &output_hash_len );
672 if( status != PSA_SUCCESS )
673 goto exit;
674
675 psa_hash_abort( &op );
676 }
677
678 ctx->have_private_key = 1;
679
680 exit:
681 psa_hash_abort( &op );
682
683 return ( mbedtls_lms_error_from_psa( status ) );
684 }
685
mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t * ctx,const mbedtls_lmots_private_t * priv_ctx)686 int mbedtls_lmots_calculate_public_key( mbedtls_lmots_public_t *ctx,
687 const mbedtls_lmots_private_t *priv_ctx )
688 {
689 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
690 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
691
692 /* Check that a private key is loaded */
693 if( !priv_ctx->have_private_key )
694 {
695 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
696 }
697
698 ret = hash_digit_array( &priv_ctx->params,
699 ( unsigned char * )priv_ctx->private_key, NULL,
700 NULL, ( unsigned char * )y_hashed_digits );
701 if( ret )
702 {
703 goto exit;
704 }
705
706 ret = public_key_from_hashed_digit_array( &priv_ctx->params,
707 ( unsigned char * )y_hashed_digits,
708 ctx->public_key );
709 if( ret )
710 {
711 goto exit;
712 }
713
714 memcpy( &ctx->params, &priv_ctx->params,
715 sizeof( ctx->params ) );
716
717 ctx->have_public_key = 1;
718
719 exit:
720 mbedtls_platform_zeroize( y_hashed_digits, sizeof( y_hashed_digits ) );
721
722 return( ret );
723 }
724
mbedtls_lmots_sign(mbedtls_lmots_private_t * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * msg,size_t msg_size,unsigned char * sig,size_t sig_size,size_t * sig_len)725 int mbedtls_lmots_sign( mbedtls_lmots_private_t *ctx,
726 int (*f_rng)(void *, unsigned char *, size_t),
727 void *p_rng, const unsigned char *msg, size_t msg_size,
728 unsigned char *sig, size_t sig_size, size_t* sig_len )
729 {
730 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
731 /* Create a temporary buffer to prepare the signature in. This allows us to
732 * finish creating a signature (ensuring the process doesn't fail), and then
733 * erase the private key **before** writing any data into the sig parameter
734 * buffer. If data were directly written into the sig buffer, it might leak
735 * a partial signature on failure, which effectively compromises the private
736 * key.
737 */
738 unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
739 unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
740 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
741
742 if( msg == NULL && msg_size != 0 )
743 {
744 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
745 }
746
747 if( sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type) )
748 {
749 return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
750 }
751
752 /* Check that a private key is loaded */
753 if( !ctx->have_private_key )
754 {
755 return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
756 }
757
758 ret = f_rng( p_rng, tmp_c_random,
759 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
760 if( ret )
761 {
762 return( ret );
763 }
764
765 ret = create_digit_array_with_checksum( &ctx->params,
766 msg, msg_size,
767 tmp_c_random,
768 tmp_digit_array );
769 if( ret )
770 {
771 goto exit;
772 }
773
774 ret = hash_digit_array( &ctx->params, ( unsigned char * )ctx->private_key,
775 NULL, tmp_digit_array, ( unsigned char * )tmp_sig );
776 if( ret )
777 {
778 goto exit;
779 }
780
781 mbedtls_lms_unsigned_int_to_network_bytes( ctx->params.type,
782 MBEDTLS_LMOTS_TYPE_LEN,
783 sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET );
784
785 /* Test hook to check if sig is being written to before we invalidate the
786 * private key.
787 */
788 #if defined(MBEDTLS_TEST_HOOKS)
789 if( mbedtls_lmots_sign_private_key_invalidated_hook != NULL )
790 {
791 ret = ( *mbedtls_lmots_sign_private_key_invalidated_hook )( sig );
792 if( ret != 0 )
793 return( ret );
794 }
795 #endif /* defined(MBEDTLS_TEST_HOOKS) */
796
797 /* We've got a valid signature now, so it's time to make sure the private
798 * key can't be reused.
799 */
800 ctx->have_private_key = 0;
801 mbedtls_platform_zeroize( ctx->private_key,
802 sizeof( ctx->private_key ) );
803
804 memcpy( sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
805 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type) );
806
807 memcpy( sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
808 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
809 * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
810
811 if( sig_len != NULL )
812 {
813 *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
814 }
815
816 ret = 0;
817
818 exit:
819 mbedtls_platform_zeroize( tmp_digit_array, sizeof( tmp_digit_array ) );
820 mbedtls_platform_zeroize( tmp_sig, sizeof( tmp_sig ) );
821
822 return ( ret );
823 }
824
825 #endif /* defined(MBEDTLS_LMS_PRIVATE) */
826 #endif /* defined(MBEDTLS_LMS_C) */
827