1 /*
2 * The LM-OTS one-time public-key signature scheme
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * The following sources were referenced in the design of this implementation
22 * of the LM-OTS algorithm:
23 *
24 * [1] IETF RFC8554
25 * D. McGrew, M. Curcio, S.Fluhrer
26 * https://datatracker.ietf.org/doc/html/rfc8554
27 *
28 * [2] NIST Special Publication 800-208
29 * David A. Cooper et. al.
30 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
31 */
32
33 #include "common.h"
34
35 #if defined(MBEDTLS_LMS_C)
36
37 #include <string.h>
38
39 #include "lmots.h"
40
41 #include "mbedtls/lms.h"
42 #include "mbedtls/platform_util.h"
43 #include "mbedtls/error.h"
44 #include "mbedtls/psa_util.h"
45
46 #include "psa/crypto.h"
47
48 #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
49 psa_to_lms_errors, \
50 psa_generic_status_to_mbedtls)
51
52 #define PUBLIC_KEY_TYPE_OFFSET (0)
53 #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
54 MBEDTLS_LMOTS_TYPE_LEN)
55 #define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
56 MBEDTLS_LMOTS_I_KEY_ID_LEN)
57 #define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
58 MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
59
60 /* We only support parameter sets that use 8-bit digits, as it does not require
61 * translation logic between digits and bytes */
62 #define W_WINTERNITZ_PARAMETER (8u)
63 #define CHECKSUM_LEN (2)
64 #define I_DIGIT_IDX_LEN (2)
65 #define J_HASH_IDX_LEN (1)
66 #define D_CONST_LEN (2)
67
68 #define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u)
69
70 #define D_CONST_LEN (2)
71 static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 };
72 static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 };
73
74 #if defined(MBEDTLS_TEST_HOOKS)
75 int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL;
76 #endif /* defined(MBEDTLS_TEST_HOOKS) */
77
mbedtls_lms_unsigned_int_to_network_bytes(unsigned int val,size_t len,unsigned char * bytes)78 void mbedtls_lms_unsigned_int_to_network_bytes(unsigned int val, size_t len,
79 unsigned char *bytes)
80 {
81 size_t idx;
82
83 for (idx = 0; idx < len; idx++) {
84 bytes[idx] = (val >> ((len - 1 - idx) * 8)) & 0xFF;
85 }
86 }
87
mbedtls_lms_network_bytes_to_unsigned_int(size_t len,const unsigned char * bytes)88 unsigned int mbedtls_lms_network_bytes_to_unsigned_int(size_t len,
89 const unsigned char *bytes)
90 {
91 size_t idx;
92 unsigned int val = 0;
93
94 for (idx = 0; idx < len; idx++) {
95 val |= ((unsigned int) bytes[idx]) << (8 * (len - 1 - idx));
96 }
97
98 return val;
99 }
100
101 /* Calculate the checksum digits that are appended to the end of the LMOTS digit
102 * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
103 * the checksum algorithm.
104 *
105 * params The LMOTS parameter set, I and q values which
106 * describe the key being used.
107 *
108 * digest The digit string to create the digest from. As
109 * this does not contain a checksum, it is the same
110 * size as a hash output.
111 */
lmots_checksum_calculate(const mbedtls_lmots_parameters_t * params,const unsigned char * digest)112 static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params,
113 const unsigned char *digest)
114 {
115 size_t idx;
116 unsigned sum = 0;
117
118 for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) {
119 sum += DIGIT_MAX_VALUE - digest[idx];
120 }
121
122 return sum;
123 }
124
125 /* Create the string of digest digits (in the base determined by the Winternitz
126 * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
127 * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
128 * 4b step 3) for details.
129 *
130 * params The LMOTS parameter set, I and q values which
131 * describe the key being used.
132 *
133 * msg The message that will be hashed to create the
134 * digest.
135 *
136 * msg_size The size of the message.
137 *
138 * C_random_value The random value that will be combined with the
139 * message digest. This is always the same size as a
140 * hash output for whichever hash algorithm is
141 * determined by the parameter set.
142 *
143 * output An output containing the digit string (+
144 * checksum) of length P digits (in the case of
145 * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
146 * size P bytes).
147 */
create_digit_array_with_checksum(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_len,const unsigned char * C_random_value,unsigned char * out)148 static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params,
149 const unsigned char *msg,
150 size_t msg_len,
151 const unsigned char *C_random_value,
152 unsigned char *out)
153 {
154 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
155 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
156 size_t output_hash_len;
157 unsigned short checksum;
158
159 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
160 if (status != PSA_SUCCESS) {
161 goto exit;
162 }
163
164 status = psa_hash_update(&op, params->I_key_identifier,
165 MBEDTLS_LMOTS_I_KEY_ID_LEN);
166 if (status != PSA_SUCCESS) {
167 goto exit;
168 }
169
170 status = psa_hash_update(&op, params->q_leaf_identifier,
171 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
172 if (status != PSA_SUCCESS) {
173 goto exit;
174 }
175
176 status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN);
177 if (status != PSA_SUCCESS) {
178 goto exit;
179 }
180
181 status = psa_hash_update(&op, C_random_value,
182 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type));
183 if (status != PSA_SUCCESS) {
184 goto exit;
185 }
186
187 status = psa_hash_update(&op, msg, msg_len);
188 if (status != PSA_SUCCESS) {
189 goto exit;
190 }
191
192 status = psa_hash_finish(&op, out,
193 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
194 &output_hash_len);
195 if (status != PSA_SUCCESS) {
196 goto exit;
197 }
198
199 checksum = lmots_checksum_calculate(params, out);
200 mbedtls_lms_unsigned_int_to_network_bytes(checksum, CHECKSUM_LEN,
201 out + MBEDTLS_LMOTS_N_HASH_LEN(params->type));
202
203 exit:
204 psa_hash_abort(&op);
205
206 return PSA_TO_MBEDTLS_ERR(status);
207 }
208
209 /* Hash each element of the string of digits (+ checksum), producing a hash
210 * output for each element. This is used in several places (by varying the
211 * hash_idx_min/max_values) in order to calculate a public key from a private
212 * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
213 * Algorithm 3 step 5), and to calculate a public key candidate from a
214 * signature and message (RFC8554 Algorithm 4b step 3).
215 *
216 * params The LMOTS parameter set, I and q values which
217 * describe the key being used.
218 *
219 * x_digit_array The array of digits (of size P, 34 in the case of
220 * MBEDTLS_LMOTS_SHA256_N32_W8).
221 *
222 * hash_idx_min_values An array of the starting values of the j iterator
223 * for each of the members of the digit array. If
224 * this value in NULL, then all iterators will start
225 * at 0.
226 *
227 * hash_idx_max_values An array of the upper bound values of the j
228 * iterator for each of the members of the digit
229 * array. If this value in NULL, then iterator is
230 * bounded to be less than 2^w - 1 (255 in the case
231 * of MBEDTLS_LMOTS_SHA256_N32_W8)
232 *
233 * output An array containing a hash output for each member
234 * of the digit string P. In the case of
235 * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
236 * 34.
237 */
hash_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * x_digit_array,const unsigned char * hash_idx_min_values,const unsigned char * hash_idx_max_values,unsigned char * output)238 static int hash_digit_array(const mbedtls_lmots_parameters_t *params,
239 const unsigned char *x_digit_array,
240 const unsigned char *hash_idx_min_values,
241 const unsigned char *hash_idx_max_values,
242 unsigned char *output)
243 {
244 unsigned int i_digit_idx;
245 unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
246 unsigned int j_hash_idx;
247 unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
248 unsigned int j_hash_idx_min;
249 unsigned int j_hash_idx_max;
250 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
251 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
252 size_t output_hash_len;
253 unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
254
255 for (i_digit_idx = 0;
256 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
257 i_digit_idx++) {
258
259 memcpy(tmp_hash,
260 &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
261 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
262
263 j_hash_idx_min = hash_idx_min_values != NULL ?
264 hash_idx_min_values[i_digit_idx] : 0;
265 j_hash_idx_max = hash_idx_max_values != NULL ?
266 hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
267
268 for (j_hash_idx = j_hash_idx_min;
269 j_hash_idx < j_hash_idx_max;
270 j_hash_idx++) {
271 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
272 if (status != PSA_SUCCESS) {
273 goto exit;
274 }
275
276 status = psa_hash_update(&op,
277 params->I_key_identifier,
278 MBEDTLS_LMOTS_I_KEY_ID_LEN);
279 if (status != PSA_SUCCESS) {
280 goto exit;
281 }
282
283 status = psa_hash_update(&op,
284 params->q_leaf_identifier,
285 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
286 if (status != PSA_SUCCESS) {
287 goto exit;
288 }
289
290 mbedtls_lms_unsigned_int_to_network_bytes(i_digit_idx,
291 I_DIGIT_IDX_LEN,
292 i_digit_idx_bytes);
293 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
294 if (status != PSA_SUCCESS) {
295 goto exit;
296 }
297
298 mbedtls_lms_unsigned_int_to_network_bytes(j_hash_idx,
299 J_HASH_IDX_LEN,
300 j_hash_idx_bytes);
301 status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN);
302 if (status != PSA_SUCCESS) {
303 goto exit;
304 }
305
306 status = psa_hash_update(&op, tmp_hash,
307 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
308 if (status != PSA_SUCCESS) {
309 goto exit;
310 }
311
312 status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash),
313 &output_hash_len);
314 if (status != PSA_SUCCESS) {
315 goto exit;
316 }
317
318 psa_hash_abort(&op);
319 }
320
321 memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
322 tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
323 }
324
325 exit:
326 psa_hash_abort(&op);
327 mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash));
328
329 return PSA_TO_MBEDTLS_ERR(status);
330 }
331
332 /* Combine the hashes of the digit array into a public key. This is used in
333 * in order to calculate a public key from a private key (RFC8554 Algorithm 1
334 * step 4), and to calculate a public key candidate from a signature and message
335 * (RFC8554 Algorithm 4b step 3).
336 *
337 * params The LMOTS parameter set, I and q values which describe
338 * the key being used.
339 * y_hashed_digits The array of hashes, one hash for each digit of the
340 * symbol array (which is of size P, 34 in the case of
341 * MBEDTLS_LMOTS_SHA256_N32_W8)
342 *
343 * pub_key The output public key (or candidate public key in
344 * case this is being run as part of signature
345 * verification), in the form of a hash output.
346 */
public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * y_hashed_digits,unsigned char * pub_key)347 static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params,
348 const unsigned char *y_hashed_digits,
349 unsigned char *pub_key)
350 {
351 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
352 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
353 size_t output_hash_len;
354
355 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
356 if (status != PSA_SUCCESS) {
357 goto exit;
358 }
359
360 status = psa_hash_update(&op,
361 params->I_key_identifier,
362 MBEDTLS_LMOTS_I_KEY_ID_LEN);
363 if (status != PSA_SUCCESS) {
364 goto exit;
365 }
366
367 status = psa_hash_update(&op, params->q_leaf_identifier,
368 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
369 if (status != PSA_SUCCESS) {
370 goto exit;
371 }
372
373 status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN);
374 if (status != PSA_SUCCESS) {
375 goto exit;
376 }
377
378 status = psa_hash_update(&op, y_hashed_digits,
379 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
380 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
381 if (status != PSA_SUCCESS) {
382 goto exit;
383 }
384
385 status = psa_hash_finish(&op, pub_key,
386 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
387 &output_hash_len);
388 if (status != PSA_SUCCESS) {
389
390 exit:
391 psa_hash_abort(&op);
392 }
393
394 return PSA_TO_MBEDTLS_ERR(status);
395 }
396
397 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_lms_error_from_psa(psa_status_t status)398 int mbedtls_lms_error_from_psa(psa_status_t status)
399 {
400 switch (status) {
401 case PSA_SUCCESS:
402 return 0;
403 case PSA_ERROR_HARDWARE_FAILURE:
404 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
405 case PSA_ERROR_NOT_SUPPORTED:
406 return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
407 case PSA_ERROR_BUFFER_TOO_SMALL:
408 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
409 case PSA_ERROR_INVALID_ARGUMENT:
410 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
411 default:
412 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
413 }
414 }
415 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
416
mbedtls_lmots_public_init(mbedtls_lmots_public_t * ctx)417 void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
418 {
419 memset(ctx, 0, sizeof(*ctx));
420 }
421
mbedtls_lmots_public_free(mbedtls_lmots_public_t * ctx)422 void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx)
423 {
424 mbedtls_platform_zeroize(ctx, sizeof(*ctx));
425 }
426
mbedtls_lmots_import_public_key(mbedtls_lmots_public_t * ctx,const unsigned char * key,size_t key_len)427 int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
428 const unsigned char *key, size_t key_len)
429 {
430 if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
431 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
432 }
433
434 ctx->params.type =
435 mbedtls_lms_network_bytes_to_unsigned_int(MBEDTLS_LMOTS_TYPE_LEN,
436 key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
437
438 if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
439 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
440 }
441
442 memcpy(ctx->params.I_key_identifier,
443 key + PUBLIC_KEY_I_KEY_ID_OFFSET,
444 MBEDTLS_LMOTS_I_KEY_ID_LEN);
445
446 memcpy(ctx->params.q_leaf_identifier,
447 key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
448 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
449
450 memcpy(ctx->public_key,
451 key + PUBLIC_KEY_KEY_HASH_OFFSET,
452 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
453
454 ctx->have_public_key = 1;
455
456 return 0;
457 }
458
mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t * ctx,unsigned char * key,size_t key_size,size_t * key_len)459 int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
460 unsigned char *key, size_t key_size,
461 size_t *key_len)
462 {
463 if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
464 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
465 }
466
467 if (!ctx->have_public_key) {
468 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
469 }
470
471 mbedtls_lms_unsigned_int_to_network_bytes(ctx->params.type,
472 MBEDTLS_LMOTS_TYPE_LEN,
473 key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
474
475 memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
476 ctx->params.I_key_identifier,
477 MBEDTLS_LMOTS_I_KEY_ID_LEN);
478
479 memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
480 ctx->params.q_leaf_identifier,
481 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
482
483 memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
484 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
485
486 if (key_len != NULL) {
487 *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
488 }
489
490 return 0;
491 }
492
mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size,unsigned char * out,size_t out_size,size_t * out_len)493 int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
494 const unsigned char *msg,
495 size_t msg_size,
496 const unsigned char *sig,
497 size_t sig_size,
498 unsigned char *out,
499 size_t out_size,
500 size_t *out_len)
501 {
502 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
503 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
504 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
505
506 if (msg == NULL && msg_size != 0) {
507 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
508 }
509
510 if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
511 out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) {
512 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
513 }
514
515 ret = create_digit_array_with_checksum(params, msg, msg_size,
516 sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
517 tmp_digit_array);
518 if (ret) {
519 return ret;
520 }
521
522 ret = hash_digit_array(params,
523 sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
524 tmp_digit_array, NULL, (unsigned char *) y_hashed_digits);
525 if (ret) {
526 return ret;
527 }
528
529 ret = public_key_from_hashed_digit_array(params,
530 (unsigned char *) y_hashed_digits,
531 out);
532 if (ret) {
533 return ret;
534 }
535
536 if (out_len != NULL) {
537 *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
538 }
539
540 return 0;
541 }
542
mbedtls_lmots_verify(const mbedtls_lmots_public_t * ctx,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size)543 int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
544 const unsigned char *msg, size_t msg_size,
545 const unsigned char *sig, size_t sig_size)
546 {
547 unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
548 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
549
550 if (msg == NULL && msg_size != 0) {
551 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
552 }
553
554 if (!ctx->have_public_key) {
555 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
556 }
557
558 if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) {
559 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
560 }
561
562 if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
563 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
564 }
565
566 if (mbedtls_lms_network_bytes_to_unsigned_int(MBEDTLS_LMOTS_TYPE_LEN,
567 sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET) !=
568 MBEDTLS_LMOTS_SHA256_N32_W8) {
569 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
570 }
571
572 ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params,
573 msg, msg_size, sig, sig_size,
574 Kc_public_key_candidate,
575 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
576 NULL);
577 if (ret) {
578 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
579 }
580
581 if (memcmp(&Kc_public_key_candidate, ctx->public_key,
582 sizeof(ctx->public_key))) {
583 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
584 }
585
586 return 0;
587 }
588
589 #if defined(MBEDTLS_LMS_PRIVATE)
590
mbedtls_lmots_private_init(mbedtls_lmots_private_t * ctx)591 void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx)
592 {
593 memset(ctx, 0, sizeof(*ctx));
594 }
595
mbedtls_lmots_private_free(mbedtls_lmots_private_t * ctx)596 void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx)
597 {
598 mbedtls_platform_zeroize(ctx,
599 sizeof(*ctx));
600 }
601
mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t * ctx,mbedtls_lmots_algorithm_type_t type,const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],uint32_t q_leaf_identifier,const unsigned char * seed,size_t seed_size)602 int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
603 mbedtls_lmots_algorithm_type_t type,
604 const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
605 uint32_t q_leaf_identifier,
606 const unsigned char *seed,
607 size_t seed_size)
608 {
609 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
610 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
611 size_t output_hash_len;
612 unsigned int i_digit_idx;
613 unsigned char i_digit_idx_bytes[2];
614 unsigned char const_bytes[1];
615
616 if (ctx->have_private_key) {
617 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
618 }
619
620 if (type != MBEDTLS_LMOTS_SHA256_N32_W8) {
621 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
622 }
623
624 ctx->params.type = type;
625
626 memcpy(ctx->params.I_key_identifier,
627 I_key_identifier,
628 sizeof(ctx->params.I_key_identifier));
629
630 mbedtls_lms_unsigned_int_to_network_bytes(q_leaf_identifier,
631 MBEDTLS_LMOTS_Q_LEAF_ID_LEN,
632 ctx->params.q_leaf_identifier);
633
634 mbedtls_lms_unsigned_int_to_network_bytes(0xFF, sizeof(const_bytes),
635 const_bytes);
636
637 for (i_digit_idx = 0;
638 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
639 i_digit_idx++) {
640 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
641 if (status != PSA_SUCCESS) {
642 goto exit;
643 }
644
645 status = psa_hash_update(&op,
646 ctx->params.I_key_identifier,
647 sizeof(ctx->params.I_key_identifier));
648 if (status != PSA_SUCCESS) {
649 goto exit;
650 }
651
652 status = psa_hash_update(&op,
653 ctx->params.q_leaf_identifier,
654 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
655 if (status != PSA_SUCCESS) {
656 goto exit;
657 }
658
659 mbedtls_lms_unsigned_int_to_network_bytes(i_digit_idx, I_DIGIT_IDX_LEN,
660 i_digit_idx_bytes);
661 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
662 if (status != PSA_SUCCESS) {
663 goto exit;
664 }
665
666 status = psa_hash_update(&op, const_bytes, sizeof(const_bytes));
667 if (status != PSA_SUCCESS) {
668 goto exit;
669 }
670
671 status = psa_hash_update(&op, seed, seed_size);
672 if (status != PSA_SUCCESS) {
673 goto exit;
674 }
675
676 status = psa_hash_finish(&op,
677 ctx->private_key[i_digit_idx],
678 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
679 &output_hash_len);
680 if (status != PSA_SUCCESS) {
681 goto exit;
682 }
683
684 psa_hash_abort(&op);
685 }
686
687 ctx->have_private_key = 1;
688
689 exit:
690 psa_hash_abort(&op);
691
692 return PSA_TO_MBEDTLS_ERR(status);
693 }
694
mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t * ctx,const mbedtls_lmots_private_t * priv_ctx)695 int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
696 const mbedtls_lmots_private_t *priv_ctx)
697 {
698 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
699 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
700
701 /* Check that a private key is loaded */
702 if (!priv_ctx->have_private_key) {
703 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
704 }
705
706 ret = hash_digit_array(&priv_ctx->params,
707 (unsigned char *) priv_ctx->private_key, NULL,
708 NULL, (unsigned char *) y_hashed_digits);
709 if (ret) {
710 goto exit;
711 }
712
713 ret = public_key_from_hashed_digit_array(&priv_ctx->params,
714 (unsigned char *) y_hashed_digits,
715 ctx->public_key);
716 if (ret) {
717 goto exit;
718 }
719
720 memcpy(&ctx->params, &priv_ctx->params,
721 sizeof(ctx->params));
722
723 ctx->have_public_key = 1;
724
725 exit:
726 mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits));
727
728 return ret;
729 }
730
mbedtls_lmots_sign(mbedtls_lmots_private_t * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * msg,size_t msg_size,unsigned char * sig,size_t sig_size,size_t * sig_len)731 int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
732 int (*f_rng)(void *, unsigned char *, size_t),
733 void *p_rng, const unsigned char *msg, size_t msg_size,
734 unsigned char *sig, size_t sig_size, size_t *sig_len)
735 {
736 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
737 /* Create a temporary buffer to prepare the signature in. This allows us to
738 * finish creating a signature (ensuring the process doesn't fail), and then
739 * erase the private key **before** writing any data into the sig parameter
740 * buffer. If data were directly written into the sig buffer, it might leak
741 * a partial signature on failure, which effectively compromises the private
742 * key.
743 */
744 unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
745 unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
746 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
747
748 if (msg == NULL && msg_size != 0) {
749 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
750 }
751
752 if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) {
753 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
754 }
755
756 /* Check that a private key is loaded */
757 if (!ctx->have_private_key) {
758 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
759 }
760
761 ret = f_rng(p_rng, tmp_c_random,
762 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
763 if (ret) {
764 return ret;
765 }
766
767 ret = create_digit_array_with_checksum(&ctx->params,
768 msg, msg_size,
769 tmp_c_random,
770 tmp_digit_array);
771 if (ret) {
772 goto exit;
773 }
774
775 ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key,
776 NULL, tmp_digit_array, (unsigned char *) tmp_sig);
777 if (ret) {
778 goto exit;
779 }
780
781 mbedtls_lms_unsigned_int_to_network_bytes(ctx->params.type,
782 MBEDTLS_LMOTS_TYPE_LEN,
783 sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
784
785 /* Test hook to check if sig is being written to before we invalidate the
786 * private key.
787 */
788 #if defined(MBEDTLS_TEST_HOOKS)
789 if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) {
790 ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig);
791 if (ret != 0) {
792 return ret;
793 }
794 }
795 #endif /* defined(MBEDTLS_TEST_HOOKS) */
796
797 /* We've got a valid signature now, so it's time to make sure the private
798 * key can't be reused.
799 */
800 ctx->have_private_key = 0;
801 mbedtls_platform_zeroize(ctx->private_key,
802 sizeof(ctx->private_key));
803
804 memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
805 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type));
806
807 memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
808 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
809 * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
810
811 if (sig_len != NULL) {
812 *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
813 }
814
815 ret = 0;
816
817 exit:
818 mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array));
819 mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig));
820
821 return ret;
822 }
823
824 #endif /* defined(MBEDTLS_LMS_PRIVATE) */
825 #endif /* defined(MBEDTLS_LMS_C) */
826
