1 /*
2 * The LM-OTS one-time public-key signature scheme
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 /*
9 * The following sources were referenced in the design of this implementation
10 * of the LM-OTS algorithm:
11 *
12 * [1] IETF RFC8554
13 * D. McGrew, M. Curcio, S.Fluhrer
14 * https://datatracker.ietf.org/doc/html/rfc8554
15 *
16 * [2] NIST Special Publication 800-208
17 * David A. Cooper et. al.
18 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_LMS_C)
24
25 #include <string.h>
26
27 #include "lmots.h"
28
29 #include "mbedtls/lms.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32 #include "psa_util_internal.h"
33
34 #include "psa/crypto.h"
35
36 /* Define a local translating function to save code size by not using too many
37 * arguments in each translating place. */
local_err_translation(psa_status_t status)38 static int local_err_translation(psa_status_t status)
39 {
40 return psa_status_to_mbedtls(status, psa_to_lms_errors,
41 ARRAY_LENGTH(psa_to_lms_errors),
42 psa_generic_status_to_mbedtls);
43 }
44 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
45
46 #define PUBLIC_KEY_TYPE_OFFSET (0)
47 #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
48 MBEDTLS_LMOTS_TYPE_LEN)
49 #define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
50 MBEDTLS_LMOTS_I_KEY_ID_LEN)
51 #define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
52 MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
53
54 /* We only support parameter sets that use 8-bit digits, as it does not require
55 * translation logic between digits and bytes */
56 #define W_WINTERNITZ_PARAMETER (8u)
57 #define CHECKSUM_LEN (2)
58 #define I_DIGIT_IDX_LEN (2)
59 #define J_HASH_IDX_LEN (1)
60 #define D_CONST_LEN (2)
61
62 #define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u)
63
64 #define D_CONST_LEN (2)
65 static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 };
66 static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 };
67
68 #if defined(MBEDTLS_TEST_HOOKS)
69 int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL;
70 #endif /* defined(MBEDTLS_TEST_HOOKS) */
71
72 /* Calculate the checksum digits that are appended to the end of the LMOTS digit
73 * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
74 * the checksum algorithm.
75 *
76 * params The LMOTS parameter set, I and q values which
77 * describe the key being used.
78 *
79 * digest The digit string to create the digest from. As
80 * this does not contain a checksum, it is the same
81 * size as a hash output.
82 */
lmots_checksum_calculate(const mbedtls_lmots_parameters_t * params,const unsigned char * digest)83 static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params,
84 const unsigned char *digest)
85 {
86 size_t idx;
87 unsigned sum = 0;
88
89 for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) {
90 sum += DIGIT_MAX_VALUE - digest[idx];
91 }
92
93 return sum;
94 }
95
96 /* Create the string of digest digits (in the base determined by the Winternitz
97 * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
98 * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
99 * 4b step 3) for details.
100 *
101 * params The LMOTS parameter set, I and q values which
102 * describe the key being used.
103 *
104 * msg The message that will be hashed to create the
105 * digest.
106 *
107 * msg_size The size of the message.
108 *
109 * C_random_value The random value that will be combined with the
110 * message digest. This is always the same size as a
111 * hash output for whichever hash algorithm is
112 * determined by the parameter set.
113 *
114 * output An output containing the digit string (+
115 * checksum) of length P digits (in the case of
116 * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
117 * size P bytes).
118 */
create_digit_array_with_checksum(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_len,const unsigned char * C_random_value,unsigned char * out)119 static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params,
120 const unsigned char *msg,
121 size_t msg_len,
122 const unsigned char *C_random_value,
123 unsigned char *out)
124 {
125 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
126 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
127 size_t output_hash_len;
128 unsigned short checksum;
129
130 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
131 if (status != PSA_SUCCESS) {
132 goto exit;
133 }
134
135 status = psa_hash_update(&op, params->I_key_identifier,
136 MBEDTLS_LMOTS_I_KEY_ID_LEN);
137 if (status != PSA_SUCCESS) {
138 goto exit;
139 }
140
141 status = psa_hash_update(&op, params->q_leaf_identifier,
142 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
143 if (status != PSA_SUCCESS) {
144 goto exit;
145 }
146
147 status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN);
148 if (status != PSA_SUCCESS) {
149 goto exit;
150 }
151
152 status = psa_hash_update(&op, C_random_value,
153 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type));
154 if (status != PSA_SUCCESS) {
155 goto exit;
156 }
157
158 status = psa_hash_update(&op, msg, msg_len);
159 if (status != PSA_SUCCESS) {
160 goto exit;
161 }
162
163 status = psa_hash_finish(&op, out,
164 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
165 &output_hash_len);
166 if (status != PSA_SUCCESS) {
167 goto exit;
168 }
169
170 checksum = lmots_checksum_calculate(params, out);
171 MBEDTLS_PUT_UINT16_BE(checksum, out, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
172
173 exit:
174 psa_hash_abort(&op);
175
176 return PSA_TO_MBEDTLS_ERR(status);
177 }
178
179 /* Hash each element of the string of digits (+ checksum), producing a hash
180 * output for each element. This is used in several places (by varying the
181 * hash_idx_min/max_values) in order to calculate a public key from a private
182 * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
183 * Algorithm 3 step 5), and to calculate a public key candidate from a
184 * signature and message (RFC8554 Algorithm 4b step 3).
185 *
186 * params The LMOTS parameter set, I and q values which
187 * describe the key being used.
188 *
189 * x_digit_array The array of digits (of size P, 34 in the case of
190 * MBEDTLS_LMOTS_SHA256_N32_W8).
191 *
192 * hash_idx_min_values An array of the starting values of the j iterator
193 * for each of the members of the digit array. If
194 * this value in NULL, then all iterators will start
195 * at 0.
196 *
197 * hash_idx_max_values An array of the upper bound values of the j
198 * iterator for each of the members of the digit
199 * array. If this value in NULL, then iterator is
200 * bounded to be less than 2^w - 1 (255 in the case
201 * of MBEDTLS_LMOTS_SHA256_N32_W8)
202 *
203 * output An array containing a hash output for each member
204 * of the digit string P. In the case of
205 * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
206 * 34.
207 */
hash_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * x_digit_array,const unsigned char * hash_idx_min_values,const unsigned char * hash_idx_max_values,unsigned char * output)208 static int hash_digit_array(const mbedtls_lmots_parameters_t *params,
209 const unsigned char *x_digit_array,
210 const unsigned char *hash_idx_min_values,
211 const unsigned char *hash_idx_max_values,
212 unsigned char *output)
213 {
214 unsigned int i_digit_idx;
215 unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
216 unsigned int j_hash_idx;
217 unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
218 unsigned int j_hash_idx_min;
219 unsigned int j_hash_idx_max;
220 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
221 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
222 size_t output_hash_len;
223 unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
224
225 for (i_digit_idx = 0;
226 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
227 i_digit_idx++) {
228
229 memcpy(tmp_hash,
230 &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
231 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
232
233 j_hash_idx_min = hash_idx_min_values != NULL ?
234 hash_idx_min_values[i_digit_idx] : 0;
235 j_hash_idx_max = hash_idx_max_values != NULL ?
236 hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
237
238 for (j_hash_idx = j_hash_idx_min;
239 j_hash_idx < j_hash_idx_max;
240 j_hash_idx++) {
241 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
242 if (status != PSA_SUCCESS) {
243 goto exit;
244 }
245
246 status = psa_hash_update(&op,
247 params->I_key_identifier,
248 MBEDTLS_LMOTS_I_KEY_ID_LEN);
249 if (status != PSA_SUCCESS) {
250 goto exit;
251 }
252
253 status = psa_hash_update(&op,
254 params->q_leaf_identifier,
255 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
256 if (status != PSA_SUCCESS) {
257 goto exit;
258 }
259
260 MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
261 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
262 if (status != PSA_SUCCESS) {
263 goto exit;
264 }
265
266 j_hash_idx_bytes[0] = (uint8_t) j_hash_idx;
267 status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN);
268 if (status != PSA_SUCCESS) {
269 goto exit;
270 }
271
272 status = psa_hash_update(&op, tmp_hash,
273 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
274 if (status != PSA_SUCCESS) {
275 goto exit;
276 }
277
278 status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash),
279 &output_hash_len);
280 if (status != PSA_SUCCESS) {
281 goto exit;
282 }
283
284 psa_hash_abort(&op);
285 }
286
287 memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
288 tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
289 }
290
291 exit:
292 psa_hash_abort(&op);
293 mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash));
294
295 return PSA_TO_MBEDTLS_ERR(status);
296 }
297
298 /* Combine the hashes of the digit array into a public key. This is used in
299 * in order to calculate a public key from a private key (RFC8554 Algorithm 1
300 * step 4), and to calculate a public key candidate from a signature and message
301 * (RFC8554 Algorithm 4b step 3).
302 *
303 * params The LMOTS parameter set, I and q values which describe
304 * the key being used.
305 * y_hashed_digits The array of hashes, one hash for each digit of the
306 * symbol array (which is of size P, 34 in the case of
307 * MBEDTLS_LMOTS_SHA256_N32_W8)
308 *
309 * pub_key The output public key (or candidate public key in
310 * case this is being run as part of signature
311 * verification), in the form of a hash output.
312 */
public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * y_hashed_digits,unsigned char * pub_key)313 static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params,
314 const unsigned char *y_hashed_digits,
315 unsigned char *pub_key)
316 {
317 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
318 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
319 size_t output_hash_len;
320
321 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
322 if (status != PSA_SUCCESS) {
323 goto exit;
324 }
325
326 status = psa_hash_update(&op,
327 params->I_key_identifier,
328 MBEDTLS_LMOTS_I_KEY_ID_LEN);
329 if (status != PSA_SUCCESS) {
330 goto exit;
331 }
332
333 status = psa_hash_update(&op, params->q_leaf_identifier,
334 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
335 if (status != PSA_SUCCESS) {
336 goto exit;
337 }
338
339 status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN);
340 if (status != PSA_SUCCESS) {
341 goto exit;
342 }
343
344 status = psa_hash_update(&op, y_hashed_digits,
345 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
346 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
347 if (status != PSA_SUCCESS) {
348 goto exit;
349 }
350
351 status = psa_hash_finish(&op, pub_key,
352 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
353 &output_hash_len);
354 if (status != PSA_SUCCESS) {
355
356 exit:
357 psa_hash_abort(&op);
358 }
359
360 return PSA_TO_MBEDTLS_ERR(status);
361 }
362
363 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_lms_error_from_psa(psa_status_t status)364 int mbedtls_lms_error_from_psa(psa_status_t status)
365 {
366 switch (status) {
367 case PSA_SUCCESS:
368 return 0;
369 case PSA_ERROR_HARDWARE_FAILURE:
370 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
371 case PSA_ERROR_NOT_SUPPORTED:
372 return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
373 case PSA_ERROR_BUFFER_TOO_SMALL:
374 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
375 case PSA_ERROR_INVALID_ARGUMENT:
376 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
377 default:
378 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
379 }
380 }
381 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
382
mbedtls_lmots_public_init(mbedtls_lmots_public_t * ctx)383 void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
384 {
385 memset(ctx, 0, sizeof(*ctx));
386 }
387
mbedtls_lmots_public_free(mbedtls_lmots_public_t * ctx)388 void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx)
389 {
390 if (ctx == NULL) {
391 return;
392 }
393
394 mbedtls_platform_zeroize(ctx, sizeof(*ctx));
395 }
396
mbedtls_lmots_import_public_key(mbedtls_lmots_public_t * ctx,const unsigned char * key,size_t key_len)397 int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
398 const unsigned char *key, size_t key_len)
399 {
400 if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
401 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
402 }
403
404 ctx->params.type = (mbedtls_lmots_algorithm_type_t)
405 MBEDTLS_GET_UINT32_BE(key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
406
407 if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
408 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
409 }
410
411 memcpy(ctx->params.I_key_identifier,
412 key + PUBLIC_KEY_I_KEY_ID_OFFSET,
413 MBEDTLS_LMOTS_I_KEY_ID_LEN);
414
415 memcpy(ctx->params.q_leaf_identifier,
416 key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
417 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
418
419 memcpy(ctx->public_key,
420 key + PUBLIC_KEY_KEY_HASH_OFFSET,
421 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
422
423 ctx->have_public_key = 1;
424
425 return 0;
426 }
427
mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t * ctx,unsigned char * key,size_t key_size,size_t * key_len)428 int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
429 unsigned char *key, size_t key_size,
430 size_t *key_len)
431 {
432 if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
433 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
434 }
435
436 if (!ctx->have_public_key) {
437 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
438 }
439
440 MBEDTLS_PUT_UINT32_BE(ctx->params.type, key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
441
442 memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
443 ctx->params.I_key_identifier,
444 MBEDTLS_LMOTS_I_KEY_ID_LEN);
445
446 memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
447 ctx->params.q_leaf_identifier,
448 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
449
450 memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
451 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
452
453 if (key_len != NULL) {
454 *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
455 }
456
457 return 0;
458 }
459
mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size,unsigned char * out,size_t out_size,size_t * out_len)460 int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
461 const unsigned char *msg,
462 size_t msg_size,
463 const unsigned char *sig,
464 size_t sig_size,
465 unsigned char *out,
466 size_t out_size,
467 size_t *out_len)
468 {
469 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
470 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
471 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
472
473 if (msg == NULL && msg_size != 0) {
474 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
475 }
476
477 if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
478 out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) {
479 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
480 }
481
482 ret = create_digit_array_with_checksum(params, msg, msg_size,
483 sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
484 tmp_digit_array);
485 if (ret) {
486 return ret;
487 }
488
489 ret = hash_digit_array(params,
490 sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
491 tmp_digit_array, NULL, (unsigned char *) y_hashed_digits);
492 if (ret) {
493 return ret;
494 }
495
496 ret = public_key_from_hashed_digit_array(params,
497 (unsigned char *) y_hashed_digits,
498 out);
499 if (ret) {
500 return ret;
501 }
502
503 if (out_len != NULL) {
504 *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
505 }
506
507 return 0;
508 }
509
mbedtls_lmots_verify(const mbedtls_lmots_public_t * ctx,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size)510 int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
511 const unsigned char *msg, size_t msg_size,
512 const unsigned char *sig, size_t sig_size)
513 {
514 unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
515 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
516
517 if (msg == NULL && msg_size != 0) {
518 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
519 }
520
521 if (!ctx->have_public_key) {
522 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
523 }
524
525 if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) {
526 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
527 }
528
529 if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
530 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
531 }
532
533 if (MBEDTLS_GET_UINT32_BE(sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET) != MBEDTLS_LMOTS_SHA256_N32_W8) {
534 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
535 }
536
537 ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params,
538 msg, msg_size, sig, sig_size,
539 Kc_public_key_candidate,
540 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
541 NULL);
542 if (ret) {
543 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
544 }
545
546 if (memcmp(&Kc_public_key_candidate, ctx->public_key,
547 sizeof(ctx->public_key))) {
548 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
549 }
550
551 return 0;
552 }
553
554 #if defined(MBEDTLS_LMS_PRIVATE)
555
mbedtls_lmots_private_init(mbedtls_lmots_private_t * ctx)556 void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx)
557 {
558 memset(ctx, 0, sizeof(*ctx));
559 }
560
mbedtls_lmots_private_free(mbedtls_lmots_private_t * ctx)561 void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx)
562 {
563 if (ctx == NULL) {
564 return;
565 }
566
567 mbedtls_platform_zeroize(ctx,
568 sizeof(*ctx));
569 }
570
mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t * ctx,mbedtls_lmots_algorithm_type_t type,const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],uint32_t q_leaf_identifier,const unsigned char * seed,size_t seed_size)571 int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
572 mbedtls_lmots_algorithm_type_t type,
573 const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
574 uint32_t q_leaf_identifier,
575 const unsigned char *seed,
576 size_t seed_size)
577 {
578 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
579 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
580 size_t output_hash_len;
581 unsigned int i_digit_idx;
582 unsigned char i_digit_idx_bytes[2];
583 unsigned char const_bytes[1] = { 0xFF };
584
585 if (ctx->have_private_key) {
586 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
587 }
588
589 if (type != MBEDTLS_LMOTS_SHA256_N32_W8) {
590 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
591 }
592
593 ctx->params.type = type;
594
595 memcpy(ctx->params.I_key_identifier,
596 I_key_identifier,
597 sizeof(ctx->params.I_key_identifier));
598
599 MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, ctx->params.q_leaf_identifier, 0);
600
601 for (i_digit_idx = 0;
602 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
603 i_digit_idx++) {
604 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
605 if (status != PSA_SUCCESS) {
606 goto exit;
607 }
608
609 status = psa_hash_update(&op,
610 ctx->params.I_key_identifier,
611 sizeof(ctx->params.I_key_identifier));
612 if (status != PSA_SUCCESS) {
613 goto exit;
614 }
615
616 status = psa_hash_update(&op,
617 ctx->params.q_leaf_identifier,
618 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
619 if (status != PSA_SUCCESS) {
620 goto exit;
621 }
622
623 MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
624 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
625 if (status != PSA_SUCCESS) {
626 goto exit;
627 }
628
629 status = psa_hash_update(&op, const_bytes, sizeof(const_bytes));
630 if (status != PSA_SUCCESS) {
631 goto exit;
632 }
633
634 status = psa_hash_update(&op, seed, seed_size);
635 if (status != PSA_SUCCESS) {
636 goto exit;
637 }
638
639 status = psa_hash_finish(&op,
640 ctx->private_key[i_digit_idx],
641 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
642 &output_hash_len);
643 if (status != PSA_SUCCESS) {
644 goto exit;
645 }
646
647 psa_hash_abort(&op);
648 }
649
650 ctx->have_private_key = 1;
651
652 exit:
653 psa_hash_abort(&op);
654
655 return PSA_TO_MBEDTLS_ERR(status);
656 }
657
mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t * ctx,const mbedtls_lmots_private_t * priv_ctx)658 int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
659 const mbedtls_lmots_private_t *priv_ctx)
660 {
661 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
662 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
663
664 /* Check that a private key is loaded */
665 if (!priv_ctx->have_private_key) {
666 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
667 }
668
669 ret = hash_digit_array(&priv_ctx->params,
670 (unsigned char *) priv_ctx->private_key, NULL,
671 NULL, (unsigned char *) y_hashed_digits);
672 if (ret) {
673 goto exit;
674 }
675
676 ret = public_key_from_hashed_digit_array(&priv_ctx->params,
677 (unsigned char *) y_hashed_digits,
678 ctx->public_key);
679 if (ret) {
680 goto exit;
681 }
682
683 memcpy(&ctx->params, &priv_ctx->params,
684 sizeof(ctx->params));
685
686 ctx->have_public_key = 1;
687
688 exit:
689 mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits));
690
691 return ret;
692 }
693
mbedtls_lmots_sign(mbedtls_lmots_private_t * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * msg,size_t msg_size,unsigned char * sig,size_t sig_size,size_t * sig_len)694 int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
695 int (*f_rng)(void *, unsigned char *, size_t),
696 void *p_rng, const unsigned char *msg, size_t msg_size,
697 unsigned char *sig, size_t sig_size, size_t *sig_len)
698 {
699 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
700 /* Create a temporary buffer to prepare the signature in. This allows us to
701 * finish creating a signature (ensuring the process doesn't fail), and then
702 * erase the private key **before** writing any data into the sig parameter
703 * buffer. If data were directly written into the sig buffer, it might leak
704 * a partial signature on failure, which effectively compromises the private
705 * key.
706 */
707 unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
708 unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
709 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
710
711 if (msg == NULL && msg_size != 0) {
712 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
713 }
714
715 if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) {
716 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
717 }
718
719 /* Check that a private key is loaded */
720 if (!ctx->have_private_key) {
721 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
722 }
723
724 ret = f_rng(p_rng, tmp_c_random,
725 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
726 if (ret) {
727 return ret;
728 }
729
730 ret = create_digit_array_with_checksum(&ctx->params,
731 msg, msg_size,
732 tmp_c_random,
733 tmp_digit_array);
734 if (ret) {
735 goto exit;
736 }
737
738 ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key,
739 NULL, tmp_digit_array, (unsigned char *) tmp_sig);
740 if (ret) {
741 goto exit;
742 }
743
744 MBEDTLS_PUT_UINT32_BE(ctx->params.type, sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
745
746 /* Test hook to check if sig is being written to before we invalidate the
747 * private key.
748 */
749 #if defined(MBEDTLS_TEST_HOOKS)
750 if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) {
751 ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig);
752 if (ret != 0) {
753 return ret;
754 }
755 }
756 #endif /* defined(MBEDTLS_TEST_HOOKS) */
757
758 /* We've got a valid signature now, so it's time to make sure the private
759 * key can't be reused.
760 */
761 ctx->have_private_key = 0;
762 mbedtls_platform_zeroize(ctx->private_key,
763 sizeof(ctx->private_key));
764
765 memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
766 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type));
767
768 memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
769 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
770 * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
771
772 if (sig_len != NULL) {
773 *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
774 }
775
776 ret = 0;
777
778 exit:
779 mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array));
780 mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig));
781
782 return ret;
783 }
784
785 #endif /* defined(MBEDTLS_LMS_PRIVATE) */
786 #endif /* defined(MBEDTLS_LMS_C) */
787
