1 /*
2 * The LM-OTS one-time public-key signature scheme
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 /*
9 * The following sources were referenced in the design of this implementation
10 * of the LM-OTS algorithm:
11 *
12 * [1] IETF RFC8554
13 * D. McGrew, M. Curcio, S.Fluhrer
14 * https://datatracker.ietf.org/doc/html/rfc8554
15 *
16 * [2] NIST Special Publication 800-208
17 * David A. Cooper et. al.
18 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_LMS_C)
24
25 #include <string.h>
26
27 #include "lmots.h"
28
29 #include "mbedtls/lms.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32 #include "psa_util_internal.h"
33
34 #include "psa/crypto.h"
35
36 /* Define a local translating function to save code size by not using too many
37 * arguments in each translating place. */
local_err_translation(psa_status_t status)38 static int local_err_translation(psa_status_t status)
39 {
40 return psa_status_to_mbedtls(status, psa_to_lms_errors,
41 ARRAY_LENGTH(psa_to_lms_errors),
42 psa_generic_status_to_mbedtls);
43 }
44 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
45
46 #define PUBLIC_KEY_TYPE_OFFSET (0)
47 #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
48 MBEDTLS_LMOTS_TYPE_LEN)
49 #define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
50 MBEDTLS_LMOTS_I_KEY_ID_LEN)
51 #define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
52 MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
53
54 /* We only support parameter sets that use 8-bit digits, as it does not require
55 * translation logic between digits and bytes */
56 #define W_WINTERNITZ_PARAMETER (8u)
57 #define CHECKSUM_LEN (2)
58 #define I_DIGIT_IDX_LEN (2)
59 #define J_HASH_IDX_LEN (1)
60 #define D_CONST_LEN (2)
61
62 #define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u)
63
64 #define D_CONST_LEN (2)
65 static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 };
66 static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 };
67
68 #if defined(MBEDTLS_TEST_HOOKS)
69 int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL;
70 #endif /* defined(MBEDTLS_TEST_HOOKS) */
71
72 /* Calculate the checksum digits that are appended to the end of the LMOTS digit
73 * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
74 * the checksum algorithm.
75 *
76 * params The LMOTS parameter set, I and q values which
77 * describe the key being used.
78 *
79 * digest The digit string to create the digest from. As
80 * this does not contain a checksum, it is the same
81 * size as a hash output.
82 */
lmots_checksum_calculate(const mbedtls_lmots_parameters_t * params,const unsigned char * digest)83 static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params,
84 const unsigned char *digest)
85 {
86 size_t idx;
87 unsigned sum = 0;
88
89 for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) {
90 sum += DIGIT_MAX_VALUE - digest[idx];
91 }
92
93 return sum;
94 }
95
96 /* Create the string of digest digits (in the base determined by the Winternitz
97 * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
98 * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
99 * 4b step 3) for details.
100 *
101 * params The LMOTS parameter set, I and q values which
102 * describe the key being used.
103 *
104 * msg The message that will be hashed to create the
105 * digest.
106 *
107 * msg_size The size of the message.
108 *
109 * C_random_value The random value that will be combined with the
110 * message digest. This is always the same size as a
111 * hash output for whichever hash algorithm is
112 * determined by the parameter set.
113 *
114 * output An output containing the digit string (+
115 * checksum) of length P digits (in the case of
116 * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
117 * size P bytes).
118 */
create_digit_array_with_checksum(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_len,const unsigned char * C_random_value,unsigned char * out)119 static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params,
120 const unsigned char *msg,
121 size_t msg_len,
122 const unsigned char *C_random_value,
123 unsigned char *out)
124 {
125 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
126 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
127 size_t output_hash_len;
128 unsigned short checksum;
129
130 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
131 if (status != PSA_SUCCESS) {
132 goto exit;
133 }
134
135 status = psa_hash_update(&op, params->I_key_identifier,
136 MBEDTLS_LMOTS_I_KEY_ID_LEN);
137 if (status != PSA_SUCCESS) {
138 goto exit;
139 }
140
141 status = psa_hash_update(&op, params->q_leaf_identifier,
142 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
143 if (status != PSA_SUCCESS) {
144 goto exit;
145 }
146
147 status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN);
148 if (status != PSA_SUCCESS) {
149 goto exit;
150 }
151
152 status = psa_hash_update(&op, C_random_value,
153 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type));
154 if (status != PSA_SUCCESS) {
155 goto exit;
156 }
157
158 status = psa_hash_update(&op, msg, msg_len);
159 if (status != PSA_SUCCESS) {
160 goto exit;
161 }
162
163 status = psa_hash_finish(&op, out,
164 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
165 &output_hash_len);
166 if (status != PSA_SUCCESS) {
167 goto exit;
168 }
169
170 checksum = lmots_checksum_calculate(params, out);
171 MBEDTLS_PUT_UINT16_BE(checksum, out, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
172
173 exit:
174 psa_hash_abort(&op);
175
176 return PSA_TO_MBEDTLS_ERR(status);
177 }
178
179 /* Hash each element of the string of digits (+ checksum), producing a hash
180 * output for each element. This is used in several places (by varying the
181 * hash_idx_min/max_values) in order to calculate a public key from a private
182 * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
183 * Algorithm 3 step 5), and to calculate a public key candidate from a
184 * signature and message (RFC8554 Algorithm 4b step 3).
185 *
186 * params The LMOTS parameter set, I and q values which
187 * describe the key being used.
188 *
189 * x_digit_array The array of digits (of size P, 34 in the case of
190 * MBEDTLS_LMOTS_SHA256_N32_W8).
191 *
192 * hash_idx_min_values An array of the starting values of the j iterator
193 * for each of the members of the digit array. If
194 * this value in NULL, then all iterators will start
195 * at 0.
196 *
197 * hash_idx_max_values An array of the upper bound values of the j
198 * iterator for each of the members of the digit
199 * array. If this value in NULL, then iterator is
200 * bounded to be less than 2^w - 1 (255 in the case
201 * of MBEDTLS_LMOTS_SHA256_N32_W8)
202 *
203 * output An array containing a hash output for each member
204 * of the digit string P. In the case of
205 * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
206 * 34.
207 */
hash_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * x_digit_array,const unsigned char * hash_idx_min_values,const unsigned char * hash_idx_max_values,unsigned char * output)208 static int hash_digit_array(const mbedtls_lmots_parameters_t *params,
209 const unsigned char *x_digit_array,
210 const unsigned char *hash_idx_min_values,
211 const unsigned char *hash_idx_max_values,
212 unsigned char *output)
213 {
214 unsigned int i_digit_idx;
215 unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
216 unsigned int j_hash_idx;
217 unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
218 unsigned int j_hash_idx_min;
219 unsigned int j_hash_idx_max;
220 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
221 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
222 size_t output_hash_len;
223 unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
224
225 for (i_digit_idx = 0;
226 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
227 i_digit_idx++) {
228
229 memcpy(tmp_hash,
230 &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
231 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
232
233 j_hash_idx_min = hash_idx_min_values != NULL ?
234 hash_idx_min_values[i_digit_idx] : 0;
235 j_hash_idx_max = hash_idx_max_values != NULL ?
236 hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
237
238 for (j_hash_idx = j_hash_idx_min;
239 j_hash_idx < j_hash_idx_max;
240 j_hash_idx++) {
241 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
242 if (status != PSA_SUCCESS) {
243 goto exit;
244 }
245
246 status = psa_hash_update(&op,
247 params->I_key_identifier,
248 MBEDTLS_LMOTS_I_KEY_ID_LEN);
249 if (status != PSA_SUCCESS) {
250 goto exit;
251 }
252
253 status = psa_hash_update(&op,
254 params->q_leaf_identifier,
255 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
256 if (status != PSA_SUCCESS) {
257 goto exit;
258 }
259
260 MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
261 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
262 if (status != PSA_SUCCESS) {
263 goto exit;
264 }
265
266 j_hash_idx_bytes[0] = (uint8_t) j_hash_idx;
267 status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN);
268 if (status != PSA_SUCCESS) {
269 goto exit;
270 }
271
272 status = psa_hash_update(&op, tmp_hash,
273 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
274 if (status != PSA_SUCCESS) {
275 goto exit;
276 }
277
278 status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash),
279 &output_hash_len);
280 if (status != PSA_SUCCESS) {
281 goto exit;
282 }
283
284 psa_hash_abort(&op);
285 }
286
287 memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
288 tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
289 }
290
291 exit:
292 psa_hash_abort(&op);
293 mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash));
294
295 return PSA_TO_MBEDTLS_ERR(status);
296 }
297
298 /* Combine the hashes of the digit array into a public key. This is used in
299 * in order to calculate a public key from a private key (RFC8554 Algorithm 1
300 * step 4), and to calculate a public key candidate from a signature and message
301 * (RFC8554 Algorithm 4b step 3).
302 *
303 * params The LMOTS parameter set, I and q values which describe
304 * the key being used.
305 * y_hashed_digits The array of hashes, one hash for each digit of the
306 * symbol array (which is of size P, 34 in the case of
307 * MBEDTLS_LMOTS_SHA256_N32_W8)
308 *
309 * pub_key The output public key (or candidate public key in
310 * case this is being run as part of signature
311 * verification), in the form of a hash output.
312 */
public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * y_hashed_digits,unsigned char * pub_key)313 static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params,
314 const unsigned char *y_hashed_digits,
315 unsigned char *pub_key)
316 {
317 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
318 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
319 size_t output_hash_len;
320
321 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
322 if (status != PSA_SUCCESS) {
323 goto exit;
324 }
325
326 status = psa_hash_update(&op,
327 params->I_key_identifier,
328 MBEDTLS_LMOTS_I_KEY_ID_LEN);
329 if (status != PSA_SUCCESS) {
330 goto exit;
331 }
332
333 status = psa_hash_update(&op, params->q_leaf_identifier,
334 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
335 if (status != PSA_SUCCESS) {
336 goto exit;
337 }
338
339 status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN);
340 if (status != PSA_SUCCESS) {
341 goto exit;
342 }
343
344 status = psa_hash_update(&op, y_hashed_digits,
345 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
346 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
347 if (status != PSA_SUCCESS) {
348 goto exit;
349 }
350
351 status = psa_hash_finish(&op, pub_key,
352 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
353 &output_hash_len);
354 if (status != PSA_SUCCESS) {
355
356 exit:
357 psa_hash_abort(&op);
358 }
359
360 return PSA_TO_MBEDTLS_ERR(status);
361 }
362
363 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_lms_error_from_psa(psa_status_t status)364 int mbedtls_lms_error_from_psa(psa_status_t status)
365 {
366 switch (status) {
367 case PSA_SUCCESS:
368 return 0;
369 case PSA_ERROR_HARDWARE_FAILURE:
370 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
371 case PSA_ERROR_NOT_SUPPORTED:
372 return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
373 case PSA_ERROR_BUFFER_TOO_SMALL:
374 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
375 case PSA_ERROR_INVALID_ARGUMENT:
376 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
377 default:
378 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
379 }
380 }
381 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
382
mbedtls_lmots_public_init(mbedtls_lmots_public_t * ctx)383 void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
384 {
385 memset(ctx, 0, sizeof(*ctx));
386 }
387
mbedtls_lmots_public_free(mbedtls_lmots_public_t * ctx)388 void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx)
389 {
390 mbedtls_platform_zeroize(ctx, sizeof(*ctx));
391 }
392
mbedtls_lmots_import_public_key(mbedtls_lmots_public_t * ctx,const unsigned char * key,size_t key_len)393 int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
394 const unsigned char *key, size_t key_len)
395 {
396 if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
397 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
398 }
399
400 ctx->params.type = (mbedtls_lmots_algorithm_type_t)
401 MBEDTLS_GET_UINT32_BE(key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
402
403 if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
404 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
405 }
406
407 memcpy(ctx->params.I_key_identifier,
408 key + PUBLIC_KEY_I_KEY_ID_OFFSET,
409 MBEDTLS_LMOTS_I_KEY_ID_LEN);
410
411 memcpy(ctx->params.q_leaf_identifier,
412 key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
413 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
414
415 memcpy(ctx->public_key,
416 key + PUBLIC_KEY_KEY_HASH_OFFSET,
417 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
418
419 ctx->have_public_key = 1;
420
421 return 0;
422 }
423
mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t * ctx,unsigned char * key,size_t key_size,size_t * key_len)424 int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
425 unsigned char *key, size_t key_size,
426 size_t *key_len)
427 {
428 if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
429 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
430 }
431
432 if (!ctx->have_public_key) {
433 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
434 }
435
436 MBEDTLS_PUT_UINT32_BE(ctx->params.type, key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
437
438 memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
439 ctx->params.I_key_identifier,
440 MBEDTLS_LMOTS_I_KEY_ID_LEN);
441
442 memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
443 ctx->params.q_leaf_identifier,
444 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
445
446 memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
447 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
448
449 if (key_len != NULL) {
450 *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
451 }
452
453 return 0;
454 }
455
mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size,unsigned char * out,size_t out_size,size_t * out_len)456 int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
457 const unsigned char *msg,
458 size_t msg_size,
459 const unsigned char *sig,
460 size_t sig_size,
461 unsigned char *out,
462 size_t out_size,
463 size_t *out_len)
464 {
465 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
466 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
467 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
468
469 if (msg == NULL && msg_size != 0) {
470 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
471 }
472
473 if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
474 out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) {
475 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
476 }
477
478 ret = create_digit_array_with_checksum(params, msg, msg_size,
479 sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
480 tmp_digit_array);
481 if (ret) {
482 return ret;
483 }
484
485 ret = hash_digit_array(params,
486 sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
487 tmp_digit_array, NULL, (unsigned char *) y_hashed_digits);
488 if (ret) {
489 return ret;
490 }
491
492 ret = public_key_from_hashed_digit_array(params,
493 (unsigned char *) y_hashed_digits,
494 out);
495 if (ret) {
496 return ret;
497 }
498
499 if (out_len != NULL) {
500 *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
501 }
502
503 return 0;
504 }
505
mbedtls_lmots_verify(const mbedtls_lmots_public_t * ctx,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size)506 int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
507 const unsigned char *msg, size_t msg_size,
508 const unsigned char *sig, size_t sig_size)
509 {
510 unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
511 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
512
513 if (msg == NULL && msg_size != 0) {
514 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
515 }
516
517 if (!ctx->have_public_key) {
518 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
519 }
520
521 if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) {
522 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
523 }
524
525 if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
526 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
527 }
528
529 if (MBEDTLS_GET_UINT32_BE(sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET) != MBEDTLS_LMOTS_SHA256_N32_W8) {
530 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
531 }
532
533 ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params,
534 msg, msg_size, sig, sig_size,
535 Kc_public_key_candidate,
536 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
537 NULL);
538 if (ret) {
539 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
540 }
541
542 if (memcmp(&Kc_public_key_candidate, ctx->public_key,
543 sizeof(ctx->public_key))) {
544 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
545 }
546
547 return 0;
548 }
549
550 #if defined(MBEDTLS_LMS_PRIVATE)
551
mbedtls_lmots_private_init(mbedtls_lmots_private_t * ctx)552 void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx)
553 {
554 memset(ctx, 0, sizeof(*ctx));
555 }
556
mbedtls_lmots_private_free(mbedtls_lmots_private_t * ctx)557 void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx)
558 {
559 mbedtls_platform_zeroize(ctx,
560 sizeof(*ctx));
561 }
562
mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t * ctx,mbedtls_lmots_algorithm_type_t type,const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],uint32_t q_leaf_identifier,const unsigned char * seed,size_t seed_size)563 int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
564 mbedtls_lmots_algorithm_type_t type,
565 const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
566 uint32_t q_leaf_identifier,
567 const unsigned char *seed,
568 size_t seed_size)
569 {
570 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
571 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
572 size_t output_hash_len;
573 unsigned int i_digit_idx;
574 unsigned char i_digit_idx_bytes[2];
575 unsigned char const_bytes[1] = { 0xFF };
576
577 if (ctx->have_private_key) {
578 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
579 }
580
581 if (type != MBEDTLS_LMOTS_SHA256_N32_W8) {
582 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
583 }
584
585 ctx->params.type = type;
586
587 memcpy(ctx->params.I_key_identifier,
588 I_key_identifier,
589 sizeof(ctx->params.I_key_identifier));
590
591 MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, ctx->params.q_leaf_identifier, 0);
592
593 for (i_digit_idx = 0;
594 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
595 i_digit_idx++) {
596 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
597 if (status != PSA_SUCCESS) {
598 goto exit;
599 }
600
601 status = psa_hash_update(&op,
602 ctx->params.I_key_identifier,
603 sizeof(ctx->params.I_key_identifier));
604 if (status != PSA_SUCCESS) {
605 goto exit;
606 }
607
608 status = psa_hash_update(&op,
609 ctx->params.q_leaf_identifier,
610 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
611 if (status != PSA_SUCCESS) {
612 goto exit;
613 }
614
615 MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
616 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
617 if (status != PSA_SUCCESS) {
618 goto exit;
619 }
620
621 status = psa_hash_update(&op, const_bytes, sizeof(const_bytes));
622 if (status != PSA_SUCCESS) {
623 goto exit;
624 }
625
626 status = psa_hash_update(&op, seed, seed_size);
627 if (status != PSA_SUCCESS) {
628 goto exit;
629 }
630
631 status = psa_hash_finish(&op,
632 ctx->private_key[i_digit_idx],
633 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
634 &output_hash_len);
635 if (status != PSA_SUCCESS) {
636 goto exit;
637 }
638
639 psa_hash_abort(&op);
640 }
641
642 ctx->have_private_key = 1;
643
644 exit:
645 psa_hash_abort(&op);
646
647 return PSA_TO_MBEDTLS_ERR(status);
648 }
649
mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t * ctx,const mbedtls_lmots_private_t * priv_ctx)650 int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
651 const mbedtls_lmots_private_t *priv_ctx)
652 {
653 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
654 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
655
656 /* Check that a private key is loaded */
657 if (!priv_ctx->have_private_key) {
658 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
659 }
660
661 ret = hash_digit_array(&priv_ctx->params,
662 (unsigned char *) priv_ctx->private_key, NULL,
663 NULL, (unsigned char *) y_hashed_digits);
664 if (ret) {
665 goto exit;
666 }
667
668 ret = public_key_from_hashed_digit_array(&priv_ctx->params,
669 (unsigned char *) y_hashed_digits,
670 ctx->public_key);
671 if (ret) {
672 goto exit;
673 }
674
675 memcpy(&ctx->params, &priv_ctx->params,
676 sizeof(ctx->params));
677
678 ctx->have_public_key = 1;
679
680 exit:
681 mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits));
682
683 return ret;
684 }
685
mbedtls_lmots_sign(mbedtls_lmots_private_t * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * msg,size_t msg_size,unsigned char * sig,size_t sig_size,size_t * sig_len)686 int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
687 int (*f_rng)(void *, unsigned char *, size_t),
688 void *p_rng, const unsigned char *msg, size_t msg_size,
689 unsigned char *sig, size_t sig_size, size_t *sig_len)
690 {
691 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
692 /* Create a temporary buffer to prepare the signature in. This allows us to
693 * finish creating a signature (ensuring the process doesn't fail), and then
694 * erase the private key **before** writing any data into the sig parameter
695 * buffer. If data were directly written into the sig buffer, it might leak
696 * a partial signature on failure, which effectively compromises the private
697 * key.
698 */
699 unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
700 unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
701 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
702
703 if (msg == NULL && msg_size != 0) {
704 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
705 }
706
707 if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) {
708 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
709 }
710
711 /* Check that a private key is loaded */
712 if (!ctx->have_private_key) {
713 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
714 }
715
716 ret = f_rng(p_rng, tmp_c_random,
717 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
718 if (ret) {
719 return ret;
720 }
721
722 ret = create_digit_array_with_checksum(&ctx->params,
723 msg, msg_size,
724 tmp_c_random,
725 tmp_digit_array);
726 if (ret) {
727 goto exit;
728 }
729
730 ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key,
731 NULL, tmp_digit_array, (unsigned char *) tmp_sig);
732 if (ret) {
733 goto exit;
734 }
735
736 MBEDTLS_PUT_UINT32_BE(ctx->params.type, sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
737
738 /* Test hook to check if sig is being written to before we invalidate the
739 * private key.
740 */
741 #if defined(MBEDTLS_TEST_HOOKS)
742 if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) {
743 ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig);
744 if (ret != 0) {
745 return ret;
746 }
747 }
748 #endif /* defined(MBEDTLS_TEST_HOOKS) */
749
750 /* We've got a valid signature now, so it's time to make sure the private
751 * key can't be reused.
752 */
753 ctx->have_private_key = 0;
754 mbedtls_platform_zeroize(ctx->private_key,
755 sizeof(ctx->private_key));
756
757 memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
758 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type));
759
760 memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
761 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
762 * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
763
764 if (sig_len != NULL) {
765 *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
766 }
767
768 ret = 0;
769
770 exit:
771 mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array));
772 mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig));
773
774 return ret;
775 }
776
777 #endif /* defined(MBEDTLS_LMS_PRIVATE) */
778 #endif /* defined(MBEDTLS_LMS_C) */
779
