1 /*
2 * The LM-OTS one-time public-key signature scheme
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 /*
9 * The following sources were referenced in the design of this implementation
10 * of the LM-OTS algorithm:
11 *
12 * [1] IETF RFC8554
13 * D. McGrew, M. Curcio, S.Fluhrer
14 * https://datatracker.ietf.org/doc/html/rfc8554
15 *
16 * [2] NIST Special Publication 800-208
17 * David A. Cooper et. al.
18 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_LMS_C)
24
25 #include <string.h>
26
27 #include "lmots.h"
28
29 #include "mbedtls/lms.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32 #include "psa_util_internal.h"
33
34 #include "psa/crypto.h"
35
36 /* Define a local translating function to save code size by not using too many
37 * arguments in each translating place. */
local_err_translation(psa_status_t status)38 static int local_err_translation(psa_status_t status)
39 {
40 return psa_status_to_mbedtls(status, psa_to_lms_errors,
41 ARRAY_LENGTH(psa_to_lms_errors),
42 psa_generic_status_to_mbedtls);
43 }
44 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
45
46 #define PUBLIC_KEY_TYPE_OFFSET (0)
47 #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
48 MBEDTLS_LMOTS_TYPE_LEN)
49 #define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
50 MBEDTLS_LMOTS_I_KEY_ID_LEN)
51 #define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
52 MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
53
54 /* We only support parameter sets that use 8-bit digits, as it does not require
55 * translation logic between digits and bytes */
56 #define W_WINTERNITZ_PARAMETER (8u)
57 #define CHECKSUM_LEN (2)
58 #define I_DIGIT_IDX_LEN (2)
59 #define J_HASH_IDX_LEN (1)
60 #define D_CONST_LEN (2)
61
62 #define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u)
63
64 #define D_CONST_LEN (2)
65 static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 };
66 static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 };
67
68 #if defined(MBEDTLS_TEST_HOOKS)
69 int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL;
70 #endif /* defined(MBEDTLS_TEST_HOOKS) */
71
72 /* Calculate the checksum digits that are appended to the end of the LMOTS digit
73 * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
74 * the checksum algorithm.
75 *
76 * params The LMOTS parameter set, I and q values which
77 * describe the key being used.
78 *
79 * digest The digit string to create the digest from. As
80 * this does not contain a checksum, it is the same
81 * size as a hash output.
82 */
lmots_checksum_calculate(const mbedtls_lmots_parameters_t * params,const unsigned char * digest)83 static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params,
84 const unsigned char *digest)
85 {
86 size_t idx;
87 unsigned sum = 0;
88
89 for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) {
90 sum += DIGIT_MAX_VALUE - digest[idx];
91 }
92
93 return sum;
94 }
95
96 /* Create the string of digest digits (in the base determined by the Winternitz
97 * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
98 * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
99 * 4b step 3) for details.
100 *
101 * params The LMOTS parameter set, I and q values which
102 * describe the key being used.
103 *
104 * msg The message that will be hashed to create the
105 * digest.
106 *
107 * msg_size The size of the message.
108 *
109 * C_random_value The random value that will be combined with the
110 * message digest. This is always the same size as a
111 * hash output for whichever hash algorithm is
112 * determined by the parameter set.
113 *
114 * output An output containing the digit string (+
115 * checksum) of length P digits (in the case of
116 * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
117 * size P bytes).
118 */
create_digit_array_with_checksum(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_len,const unsigned char * C_random_value,unsigned char * out)119 static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params,
120 const unsigned char *msg,
121 size_t msg_len,
122 const unsigned char *C_random_value,
123 unsigned char *out)
124 {
125 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
126 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
127 size_t output_hash_len;
128 unsigned short checksum;
129
130 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
131 if (status != PSA_SUCCESS) {
132 goto exit;
133 }
134
135 status = psa_hash_update(&op, params->I_key_identifier,
136 MBEDTLS_LMOTS_I_KEY_ID_LEN);
137 if (status != PSA_SUCCESS) {
138 goto exit;
139 }
140
141 status = psa_hash_update(&op, params->q_leaf_identifier,
142 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
143 if (status != PSA_SUCCESS) {
144 goto exit;
145 }
146
147 status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN);
148 if (status != PSA_SUCCESS) {
149 goto exit;
150 }
151
152 status = psa_hash_update(&op, C_random_value,
153 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type));
154 if (status != PSA_SUCCESS) {
155 goto exit;
156 }
157
158 status = psa_hash_update(&op, msg, msg_len);
159 if (status != PSA_SUCCESS) {
160 goto exit;
161 }
162
163 status = psa_hash_finish(&op, out,
164 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
165 &output_hash_len);
166 if (status != PSA_SUCCESS) {
167 goto exit;
168 }
169
170 checksum = lmots_checksum_calculate(params, out);
171 MBEDTLS_PUT_UINT16_BE(checksum, out, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
172
173 exit:
174 psa_hash_abort(&op);
175
176 return PSA_TO_MBEDTLS_ERR(status);
177 }
178
179 /* Hash each element of the string of digits (+ checksum), producing a hash
180 * output for each element. This is used in several places (by varying the
181 * hash_idx_min/max_values) in order to calculate a public key from a private
182 * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
183 * Algorithm 3 step 5), and to calculate a public key candidate from a
184 * signature and message (RFC8554 Algorithm 4b step 3).
185 *
186 * params The LMOTS parameter set, I and q values which
187 * describe the key being used.
188 *
189 * x_digit_array The array of digits (of size P, 34 in the case of
190 * MBEDTLS_LMOTS_SHA256_N32_W8).
191 *
192 * hash_idx_min_values An array of the starting values of the j iterator
193 * for each of the members of the digit array. If
194 * this value in NULL, then all iterators will start
195 * at 0.
196 *
197 * hash_idx_max_values An array of the upper bound values of the j
198 * iterator for each of the members of the digit
199 * array. If this value in NULL, then iterator is
200 * bounded to be less than 2^w - 1 (255 in the case
201 * of MBEDTLS_LMOTS_SHA256_N32_W8)
202 *
203 * output An array containing a hash output for each member
204 * of the digit string P. In the case of
205 * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
206 * 34.
207 */
hash_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * x_digit_array,const unsigned char * hash_idx_min_values,const unsigned char * hash_idx_max_values,unsigned char * output)208 static int hash_digit_array(const mbedtls_lmots_parameters_t *params,
209 const unsigned char *x_digit_array,
210 const unsigned char *hash_idx_min_values,
211 const unsigned char *hash_idx_max_values,
212 unsigned char *output)
213 {
214 unsigned int i_digit_idx;
215 unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
216 unsigned int j_hash_idx;
217 unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
218 unsigned int j_hash_idx_min;
219 unsigned int j_hash_idx_max;
220 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
221 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
222 size_t output_hash_len;
223 unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
224
225 for (i_digit_idx = 0;
226 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
227 i_digit_idx++) {
228
229 memcpy(tmp_hash,
230 &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
231 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
232
233 j_hash_idx_min = hash_idx_min_values != NULL ?
234 hash_idx_min_values[i_digit_idx] : 0;
235 j_hash_idx_max = hash_idx_max_values != NULL ?
236 hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
237
238 for (j_hash_idx = j_hash_idx_min;
239 j_hash_idx < j_hash_idx_max;
240 j_hash_idx++) {
241 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
242 if (status != PSA_SUCCESS) {
243 goto exit;
244 }
245
246 status = psa_hash_update(&op,
247 params->I_key_identifier,
248 MBEDTLS_LMOTS_I_KEY_ID_LEN);
249 if (status != PSA_SUCCESS) {
250 goto exit;
251 }
252
253 status = psa_hash_update(&op,
254 params->q_leaf_identifier,
255 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
256 if (status != PSA_SUCCESS) {
257 goto exit;
258 }
259
260 MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
261 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
262 if (status != PSA_SUCCESS) {
263 goto exit;
264 }
265
266 j_hash_idx_bytes[0] = (uint8_t) j_hash_idx;
267 status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN);
268 if (status != PSA_SUCCESS) {
269 goto exit;
270 }
271
272 status = psa_hash_update(&op, tmp_hash,
273 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
274 if (status != PSA_SUCCESS) {
275 goto exit;
276 }
277
278 status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash),
279 &output_hash_len);
280 if (status != PSA_SUCCESS) {
281 goto exit;
282 }
283
284 psa_hash_abort(&op);
285 }
286
287 memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
288 tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
289 }
290
291 exit:
292 psa_hash_abort(&op);
293 mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash));
294
295 return PSA_TO_MBEDTLS_ERR(status);
296 }
297
298 /* Combine the hashes of the digit array into a public key. This is used in
299 * in order to calculate a public key from a private key (RFC8554 Algorithm 1
300 * step 4), and to calculate a public key candidate from a signature and message
301 * (RFC8554 Algorithm 4b step 3).
302 *
303 * params The LMOTS parameter set, I and q values which describe
304 * the key being used.
305 * y_hashed_digits The array of hashes, one hash for each digit of the
306 * symbol array (which is of size P, 34 in the case of
307 * MBEDTLS_LMOTS_SHA256_N32_W8)
308 *
309 * pub_key The output public key (or candidate public key in
310 * case this is being run as part of signature
311 * verification), in the form of a hash output.
312 */
public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t * params,const unsigned char * y_hashed_digits,unsigned char * pub_key)313 static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params,
314 const unsigned char *y_hashed_digits,
315 unsigned char *pub_key)
316 {
317 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
318 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
319 size_t output_hash_len;
320
321 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
322 if (status != PSA_SUCCESS) {
323 goto exit;
324 }
325
326 status = psa_hash_update(&op,
327 params->I_key_identifier,
328 MBEDTLS_LMOTS_I_KEY_ID_LEN);
329 if (status != PSA_SUCCESS) {
330 goto exit;
331 }
332
333 status = psa_hash_update(&op, params->q_leaf_identifier,
334 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
335 if (status != PSA_SUCCESS) {
336 goto exit;
337 }
338
339 status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN);
340 if (status != PSA_SUCCESS) {
341 goto exit;
342 }
343
344 status = psa_hash_update(&op, y_hashed_digits,
345 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
346 MBEDTLS_LMOTS_N_HASH_LEN(params->type));
347 if (status != PSA_SUCCESS) {
348 goto exit;
349 }
350
351 status = psa_hash_finish(&op, pub_key,
352 MBEDTLS_LMOTS_N_HASH_LEN(params->type),
353 &output_hash_len);
354 if (status != PSA_SUCCESS) {
355
356 exit:
357 psa_hash_abort(&op);
358 }
359
360 return PSA_TO_MBEDTLS_ERR(status);
361 }
362
363 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_lms_error_from_psa(psa_status_t status)364 int mbedtls_lms_error_from_psa(psa_status_t status)
365 {
366 switch (status) {
367 case PSA_SUCCESS:
368 return 0;
369 case PSA_ERROR_HARDWARE_FAILURE:
370 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
371 case PSA_ERROR_NOT_SUPPORTED:
372 return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
373 case PSA_ERROR_BUFFER_TOO_SMALL:
374 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
375 case PSA_ERROR_INVALID_ARGUMENT:
376 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
377 default:
378 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
379 }
380 }
381 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
382
mbedtls_lmots_public_init(mbedtls_lmots_public_t * ctx)383 void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
384 {
385 memset(ctx, 0, sizeof(*ctx));
386 }
387
mbedtls_lmots_public_free(mbedtls_lmots_public_t * ctx)388 void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx)
389 {
390 if (ctx == NULL) {
391 return;
392 }
393
394 mbedtls_platform_zeroize(ctx, sizeof(*ctx));
395 }
396
mbedtls_lmots_import_public_key(mbedtls_lmots_public_t * ctx,const unsigned char * key,size_t key_len)397 int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
398 const unsigned char *key, size_t key_len)
399 {
400 if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
401 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
402 }
403
404 uint32_t type = MBEDTLS_GET_UINT32_BE(key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
405 if (type != (uint32_t) MBEDTLS_LMOTS_SHA256_N32_W8) {
406 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
407 }
408 ctx->params.type = (mbedtls_lmots_algorithm_type_t) type;
409
410 if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
411 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
412 }
413
414 memcpy(ctx->params.I_key_identifier,
415 key + PUBLIC_KEY_I_KEY_ID_OFFSET,
416 MBEDTLS_LMOTS_I_KEY_ID_LEN);
417
418 memcpy(ctx->params.q_leaf_identifier,
419 key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
420 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
421
422 memcpy(ctx->public_key,
423 key + PUBLIC_KEY_KEY_HASH_OFFSET,
424 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
425
426 ctx->have_public_key = 1;
427
428 return 0;
429 }
430
mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t * ctx,unsigned char * key,size_t key_size,size_t * key_len)431 int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
432 unsigned char *key, size_t key_size,
433 size_t *key_len)
434 {
435 if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
436 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
437 }
438
439 if (!ctx->have_public_key) {
440 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
441 }
442
443 MBEDTLS_PUT_UINT32_BE(ctx->params.type, key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
444
445 memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
446 ctx->params.I_key_identifier,
447 MBEDTLS_LMOTS_I_KEY_ID_LEN);
448
449 memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
450 ctx->params.q_leaf_identifier,
451 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
452
453 memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
454 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
455
456 if (key_len != NULL) {
457 *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
458 }
459
460 return 0;
461 }
462
mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t * params,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size,unsigned char * out,size_t out_size,size_t * out_len)463 int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
464 const unsigned char *msg,
465 size_t msg_size,
466 const unsigned char *sig,
467 size_t sig_size,
468 unsigned char *out,
469 size_t out_size,
470 size_t *out_len)
471 {
472 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
473 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
474 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
475
476 if (msg == NULL && msg_size != 0) {
477 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
478 }
479
480 if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
481 out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) {
482 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
483 }
484
485 ret = create_digit_array_with_checksum(params, msg, msg_size,
486 sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
487 tmp_digit_array);
488 if (ret) {
489 return ret;
490 }
491
492 ret = hash_digit_array(params,
493 sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
494 tmp_digit_array, NULL, (unsigned char *) y_hashed_digits);
495 if (ret) {
496 return ret;
497 }
498
499 ret = public_key_from_hashed_digit_array(params,
500 (unsigned char *) y_hashed_digits,
501 out);
502 if (ret) {
503 return ret;
504 }
505
506 if (out_len != NULL) {
507 *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
508 }
509
510 return 0;
511 }
512
mbedtls_lmots_verify(const mbedtls_lmots_public_t * ctx,const unsigned char * msg,size_t msg_size,const unsigned char * sig,size_t sig_size)513 int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
514 const unsigned char *msg, size_t msg_size,
515 const unsigned char *sig, size_t sig_size)
516 {
517 unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
518 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
519
520 if (msg == NULL && msg_size != 0) {
521 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
522 }
523
524 if (!ctx->have_public_key) {
525 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
526 }
527
528 if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) {
529 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
530 }
531
532 if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
533 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
534 }
535
536 if (MBEDTLS_GET_UINT32_BE(sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET) != MBEDTLS_LMOTS_SHA256_N32_W8) {
537 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
538 }
539
540 ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params,
541 msg, msg_size, sig, sig_size,
542 Kc_public_key_candidate,
543 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
544 NULL);
545 if (ret) {
546 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
547 }
548
549 if (memcmp(&Kc_public_key_candidate, ctx->public_key,
550 sizeof(ctx->public_key))) {
551 return MBEDTLS_ERR_LMS_VERIFY_FAILED;
552 }
553
554 return 0;
555 }
556
557 #if defined(MBEDTLS_LMS_PRIVATE)
558
mbedtls_lmots_private_init(mbedtls_lmots_private_t * ctx)559 void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx)
560 {
561 memset(ctx, 0, sizeof(*ctx));
562 }
563
mbedtls_lmots_private_free(mbedtls_lmots_private_t * ctx)564 void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx)
565 {
566 if (ctx == NULL) {
567 return;
568 }
569
570 mbedtls_platform_zeroize(ctx,
571 sizeof(*ctx));
572 }
573
mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t * ctx,mbedtls_lmots_algorithm_type_t type,const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],uint32_t q_leaf_identifier,const unsigned char * seed,size_t seed_size)574 int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
575 mbedtls_lmots_algorithm_type_t type,
576 const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
577 uint32_t q_leaf_identifier,
578 const unsigned char *seed,
579 size_t seed_size)
580 {
581 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
582 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
583 size_t output_hash_len;
584 unsigned int i_digit_idx;
585 unsigned char i_digit_idx_bytes[2];
586 unsigned char const_bytes[1] = { 0xFF };
587
588 if (ctx->have_private_key) {
589 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
590 }
591
592 if (type != MBEDTLS_LMOTS_SHA256_N32_W8) {
593 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
594 }
595
596 ctx->params.type = type;
597
598 memcpy(ctx->params.I_key_identifier,
599 I_key_identifier,
600 sizeof(ctx->params.I_key_identifier));
601
602 MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, ctx->params.q_leaf_identifier, 0);
603
604 for (i_digit_idx = 0;
605 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
606 i_digit_idx++) {
607 status = psa_hash_setup(&op, PSA_ALG_SHA_256);
608 if (status != PSA_SUCCESS) {
609 goto exit;
610 }
611
612 status = psa_hash_update(&op,
613 ctx->params.I_key_identifier,
614 sizeof(ctx->params.I_key_identifier));
615 if (status != PSA_SUCCESS) {
616 goto exit;
617 }
618
619 status = psa_hash_update(&op,
620 ctx->params.q_leaf_identifier,
621 MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
622 if (status != PSA_SUCCESS) {
623 goto exit;
624 }
625
626 MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
627 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
628 if (status != PSA_SUCCESS) {
629 goto exit;
630 }
631
632 status = psa_hash_update(&op, const_bytes, sizeof(const_bytes));
633 if (status != PSA_SUCCESS) {
634 goto exit;
635 }
636
637 status = psa_hash_update(&op, seed, seed_size);
638 if (status != PSA_SUCCESS) {
639 goto exit;
640 }
641
642 status = psa_hash_finish(&op,
643 ctx->private_key[i_digit_idx],
644 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
645 &output_hash_len);
646 if (status != PSA_SUCCESS) {
647 goto exit;
648 }
649
650 psa_hash_abort(&op);
651 }
652
653 ctx->have_private_key = 1;
654
655 exit:
656 psa_hash_abort(&op);
657
658 return PSA_TO_MBEDTLS_ERR(status);
659 }
660
mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t * ctx,const mbedtls_lmots_private_t * priv_ctx)661 int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
662 const mbedtls_lmots_private_t *priv_ctx)
663 {
664 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
665 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
666
667 /* Check that a private key is loaded */
668 if (!priv_ctx->have_private_key) {
669 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
670 }
671
672 ret = hash_digit_array(&priv_ctx->params,
673 (unsigned char *) priv_ctx->private_key, NULL,
674 NULL, (unsigned char *) y_hashed_digits);
675 if (ret) {
676 goto exit;
677 }
678
679 ret = public_key_from_hashed_digit_array(&priv_ctx->params,
680 (unsigned char *) y_hashed_digits,
681 ctx->public_key);
682 if (ret) {
683 goto exit;
684 }
685
686 memcpy(&ctx->params, &priv_ctx->params,
687 sizeof(ctx->params));
688
689 ctx->have_public_key = 1;
690
691 exit:
692 mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits));
693
694 return ret;
695 }
696
mbedtls_lmots_sign(mbedtls_lmots_private_t * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * msg,size_t msg_size,unsigned char * sig,size_t sig_size,size_t * sig_len)697 int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
698 int (*f_rng)(void *, unsigned char *, size_t),
699 void *p_rng, const unsigned char *msg, size_t msg_size,
700 unsigned char *sig, size_t sig_size, size_t *sig_len)
701 {
702 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
703 /* Create a temporary buffer to prepare the signature in. This allows us to
704 * finish creating a signature (ensuring the process doesn't fail), and then
705 * erase the private key **before** writing any data into the sig parameter
706 * buffer. If data were directly written into the sig buffer, it might leak
707 * a partial signature on failure, which effectively compromises the private
708 * key.
709 */
710 unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
711 unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
712 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
713
714 if (msg == NULL && msg_size != 0) {
715 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
716 }
717
718 if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) {
719 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
720 }
721
722 /* Check that a private key is loaded */
723 if (!ctx->have_private_key) {
724 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
725 }
726
727 ret = f_rng(p_rng, tmp_c_random,
728 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
729 if (ret) {
730 return ret;
731 }
732
733 ret = create_digit_array_with_checksum(&ctx->params,
734 msg, msg_size,
735 tmp_c_random,
736 tmp_digit_array);
737 if (ret) {
738 goto exit;
739 }
740
741 ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key,
742 NULL, tmp_digit_array, (unsigned char *) tmp_sig);
743 if (ret) {
744 goto exit;
745 }
746
747 MBEDTLS_PUT_UINT32_BE(ctx->params.type, sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
748
749 /* Test hook to check if sig is being written to before we invalidate the
750 * private key.
751 */
752 #if defined(MBEDTLS_TEST_HOOKS)
753 if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) {
754 ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig);
755 if (ret != 0) {
756 return ret;
757 }
758 }
759 #endif /* defined(MBEDTLS_TEST_HOOKS) */
760
761 /* We've got a valid signature now, so it's time to make sure the private
762 * key can't be reused.
763 */
764 ctx->have_private_key = 0;
765 mbedtls_platform_zeroize(ctx->private_key,
766 sizeof(ctx->private_key));
767
768 memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
769 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type));
770
771 memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
772 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
773 * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
774
775 if (sig_len != NULL) {
776 *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
777 }
778
779 ret = 0;
780
781 exit:
782 mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array));
783 mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig));
784
785 return ret;
786 }
787
788 #endif /* defined(MBEDTLS_LMS_PRIVATE) */
789 #endif /* defined(MBEDTLS_LMS_C) */
790