1 /* 2 * The LM-OTS one-time public-key signature scheme 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 8 /* 9 * The following sources were referenced in the design of this implementation 10 * of the LM-OTS algorithm: 11 * 12 * [1] IETF RFC8554 13 * D. McGrew, M. Curcio, S.Fluhrer 14 * https://datatracker.ietf.org/doc/html/rfc8554 15 * 16 * [2] NIST Special Publication 800-208 17 * David A. Cooper et. al. 18 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf 19 */ 20 21 #include "common.h" 22 23 #if defined(MBEDTLS_LMS_C) 24 25 #include <string.h> 26 27 #include "lmots.h" 28 29 #include "mbedtls/lms.h" 30 #include "mbedtls/platform_util.h" 31 #include "mbedtls/error.h" 32 #include "psa_util_internal.h" 33 34 #include "psa/crypto.h" 35 36 /* Define a local translating function to save code size by not using too many 37 * arguments in each translating place. */ 38 static int local_err_translation(psa_status_t status) 39 { 40 return psa_status_to_mbedtls(status, psa_to_lms_errors, 41 ARRAY_LENGTH(psa_to_lms_errors), 42 psa_generic_status_to_mbedtls); 43 } 44 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) 45 46 #define PUBLIC_KEY_TYPE_OFFSET (0) 47 #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \ 48 MBEDTLS_LMOTS_TYPE_LEN) 49 #define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \ 50 MBEDTLS_LMOTS_I_KEY_ID_LEN) 51 #define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \ 52 MBEDTLS_LMOTS_Q_LEAF_ID_LEN) 53 54 /* We only support parameter sets that use 8-bit digits, as it does not require 55 * translation logic between digits and bytes */ 56 #define W_WINTERNITZ_PARAMETER (8u) 57 #define CHECKSUM_LEN (2) 58 #define I_DIGIT_IDX_LEN (2) 59 #define J_HASH_IDX_LEN (1) 60 #define D_CONST_LEN (2) 61 62 #define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u) 63 64 #define D_CONST_LEN (2) 65 static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 }; 66 static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 }; 67 68 #if defined(MBEDTLS_TEST_HOOKS) 69 int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL; 70 #endif /* defined(MBEDTLS_TEST_HOOKS) */ 71 72 /* Calculate the checksum digits that are appended to the end of the LMOTS digit 73 * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of 74 * the checksum algorithm. 75 * 76 * params The LMOTS parameter set, I and q values which 77 * describe the key being used. 78 * 79 * digest The digit string to create the digest from. As 80 * this does not contain a checksum, it is the same 81 * size as a hash output. 82 */ 83 static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params, 84 const unsigned char *digest) 85 { 86 size_t idx; 87 unsigned sum = 0; 88 89 for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) { 90 sum += DIGIT_MAX_VALUE - digest[idx]; 91 } 92 93 return sum; 94 } 95 96 /* Create the string of digest digits (in the base determined by the Winternitz 97 * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST 98 * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm 99 * 4b step 3) for details. 100 * 101 * params The LMOTS parameter set, I and q values which 102 * describe the key being used. 103 * 104 * msg The message that will be hashed to create the 105 * digest. 106 * 107 * msg_size The size of the message. 108 * 109 * C_random_value The random value that will be combined with the 110 * message digest. This is always the same size as a 111 * hash output for whichever hash algorithm is 112 * determined by the parameter set. 113 * 114 * output An output containing the digit string (+ 115 * checksum) of length P digits (in the case of 116 * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of 117 * size P bytes). 118 */ 119 static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params, 120 const unsigned char *msg, 121 size_t msg_len, 122 const unsigned char *C_random_value, 123 unsigned char *out) 124 { 125 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; 126 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 127 size_t output_hash_len; 128 unsigned short checksum; 129 130 status = psa_hash_setup(&op, PSA_ALG_SHA_256); 131 if (status != PSA_SUCCESS) { 132 goto exit; 133 } 134 135 status = psa_hash_update(&op, params->I_key_identifier, 136 MBEDTLS_LMOTS_I_KEY_ID_LEN); 137 if (status != PSA_SUCCESS) { 138 goto exit; 139 } 140 141 status = psa_hash_update(&op, params->q_leaf_identifier, 142 MBEDTLS_LMOTS_Q_LEAF_ID_LEN); 143 if (status != PSA_SUCCESS) { 144 goto exit; 145 } 146 147 status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN); 148 if (status != PSA_SUCCESS) { 149 goto exit; 150 } 151 152 status = psa_hash_update(&op, C_random_value, 153 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type)); 154 if (status != PSA_SUCCESS) { 155 goto exit; 156 } 157 158 status = psa_hash_update(&op, msg, msg_len); 159 if (status != PSA_SUCCESS) { 160 goto exit; 161 } 162 163 status = psa_hash_finish(&op, out, 164 MBEDTLS_LMOTS_N_HASH_LEN(params->type), 165 &output_hash_len); 166 if (status != PSA_SUCCESS) { 167 goto exit; 168 } 169 170 checksum = lmots_checksum_calculate(params, out); 171 MBEDTLS_PUT_UINT16_BE(checksum, out, MBEDTLS_LMOTS_N_HASH_LEN(params->type)); 172 173 exit: 174 psa_hash_abort(&op); 175 176 return PSA_TO_MBEDTLS_ERR(status); 177 } 178 179 /* Hash each element of the string of digits (+ checksum), producing a hash 180 * output for each element. This is used in several places (by varying the 181 * hash_idx_min/max_values) in order to calculate a public key from a private 182 * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554 183 * Algorithm 3 step 5), and to calculate a public key candidate from a 184 * signature and message (RFC8554 Algorithm 4b step 3). 185 * 186 * params The LMOTS parameter set, I and q values which 187 * describe the key being used. 188 * 189 * x_digit_array The array of digits (of size P, 34 in the case of 190 * MBEDTLS_LMOTS_SHA256_N32_W8). 191 * 192 * hash_idx_min_values An array of the starting values of the j iterator 193 * for each of the members of the digit array. If 194 * this value in NULL, then all iterators will start 195 * at 0. 196 * 197 * hash_idx_max_values An array of the upper bound values of the j 198 * iterator for each of the members of the digit 199 * array. If this value in NULL, then iterator is 200 * bounded to be less than 2^w - 1 (255 in the case 201 * of MBEDTLS_LMOTS_SHA256_N32_W8) 202 * 203 * output An array containing a hash output for each member 204 * of the digit string P. In the case of 205 * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 * 206 * 34. 207 */ 208 static int hash_digit_array(const mbedtls_lmots_parameters_t *params, 209 const unsigned char *x_digit_array, 210 const unsigned char *hash_idx_min_values, 211 const unsigned char *hash_idx_max_values, 212 unsigned char *output) 213 { 214 unsigned int i_digit_idx; 215 unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN]; 216 unsigned int j_hash_idx; 217 unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN]; 218 unsigned int j_hash_idx_min; 219 unsigned int j_hash_idx_max; 220 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; 221 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 222 size_t output_hash_len; 223 unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; 224 225 for (i_digit_idx = 0; 226 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type); 227 i_digit_idx++) { 228 229 memcpy(tmp_hash, 230 &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)], 231 MBEDTLS_LMOTS_N_HASH_LEN(params->type)); 232 233 j_hash_idx_min = hash_idx_min_values != NULL ? 234 hash_idx_min_values[i_digit_idx] : 0; 235 j_hash_idx_max = hash_idx_max_values != NULL ? 236 hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE; 237 238 for (j_hash_idx = j_hash_idx_min; 239 j_hash_idx < j_hash_idx_max; 240 j_hash_idx++) { 241 status = psa_hash_setup(&op, PSA_ALG_SHA_256); 242 if (status != PSA_SUCCESS) { 243 goto exit; 244 } 245 246 status = psa_hash_update(&op, 247 params->I_key_identifier, 248 MBEDTLS_LMOTS_I_KEY_ID_LEN); 249 if (status != PSA_SUCCESS) { 250 goto exit; 251 } 252 253 status = psa_hash_update(&op, 254 params->q_leaf_identifier, 255 MBEDTLS_LMOTS_Q_LEAF_ID_LEN); 256 if (status != PSA_SUCCESS) { 257 goto exit; 258 } 259 260 MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0); 261 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN); 262 if (status != PSA_SUCCESS) { 263 goto exit; 264 } 265 266 j_hash_idx_bytes[0] = (uint8_t) j_hash_idx; 267 status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN); 268 if (status != PSA_SUCCESS) { 269 goto exit; 270 } 271 272 status = psa_hash_update(&op, tmp_hash, 273 MBEDTLS_LMOTS_N_HASH_LEN(params->type)); 274 if (status != PSA_SUCCESS) { 275 goto exit; 276 } 277 278 status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash), 279 &output_hash_len); 280 if (status != PSA_SUCCESS) { 281 goto exit; 282 } 283 284 psa_hash_abort(&op); 285 } 286 287 memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)], 288 tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type)); 289 } 290 291 exit: 292 psa_hash_abort(&op); 293 mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash)); 294 295 return PSA_TO_MBEDTLS_ERR(status); 296 } 297 298 /* Combine the hashes of the digit array into a public key. This is used in 299 * in order to calculate a public key from a private key (RFC8554 Algorithm 1 300 * step 4), and to calculate a public key candidate from a signature and message 301 * (RFC8554 Algorithm 4b step 3). 302 * 303 * params The LMOTS parameter set, I and q values which describe 304 * the key being used. 305 * y_hashed_digits The array of hashes, one hash for each digit of the 306 * symbol array (which is of size P, 34 in the case of 307 * MBEDTLS_LMOTS_SHA256_N32_W8) 308 * 309 * pub_key The output public key (or candidate public key in 310 * case this is being run as part of signature 311 * verification), in the form of a hash output. 312 */ 313 static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params, 314 const unsigned char *y_hashed_digits, 315 unsigned char *pub_key) 316 { 317 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; 318 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 319 size_t output_hash_len; 320 321 status = psa_hash_setup(&op, PSA_ALG_SHA_256); 322 if (status != PSA_SUCCESS) { 323 goto exit; 324 } 325 326 status = psa_hash_update(&op, 327 params->I_key_identifier, 328 MBEDTLS_LMOTS_I_KEY_ID_LEN); 329 if (status != PSA_SUCCESS) { 330 goto exit; 331 } 332 333 status = psa_hash_update(&op, params->q_leaf_identifier, 334 MBEDTLS_LMOTS_Q_LEAF_ID_LEN); 335 if (status != PSA_SUCCESS) { 336 goto exit; 337 } 338 339 status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN); 340 if (status != PSA_SUCCESS) { 341 goto exit; 342 } 343 344 status = psa_hash_update(&op, y_hashed_digits, 345 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) * 346 MBEDTLS_LMOTS_N_HASH_LEN(params->type)); 347 if (status != PSA_SUCCESS) { 348 goto exit; 349 } 350 351 status = psa_hash_finish(&op, pub_key, 352 MBEDTLS_LMOTS_N_HASH_LEN(params->type), 353 &output_hash_len); 354 if (status != PSA_SUCCESS) { 355 356 exit: 357 psa_hash_abort(&op); 358 } 359 360 return PSA_TO_MBEDTLS_ERR(status); 361 } 362 363 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 364 int mbedtls_lms_error_from_psa(psa_status_t status) 365 { 366 switch (status) { 367 case PSA_SUCCESS: 368 return 0; 369 case PSA_ERROR_HARDWARE_FAILURE: 370 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 371 case PSA_ERROR_NOT_SUPPORTED: 372 return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; 373 case PSA_ERROR_BUFFER_TOO_SMALL: 374 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL; 375 case PSA_ERROR_INVALID_ARGUMENT: 376 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 377 default: 378 return MBEDTLS_ERR_ERROR_GENERIC_ERROR; 379 } 380 } 381 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 382 383 void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx) 384 { 385 memset(ctx, 0, sizeof(*ctx)); 386 } 387 388 void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx) 389 { 390 if (ctx == NULL) { 391 return; 392 } 393 394 mbedtls_platform_zeroize(ctx, sizeof(*ctx)); 395 } 396 397 int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx, 398 const unsigned char *key, size_t key_len) 399 { 400 if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) { 401 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 402 } 403 404 uint32_t type = MBEDTLS_GET_UINT32_BE(key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET); 405 if (type != (uint32_t) MBEDTLS_LMOTS_SHA256_N32_W8) { 406 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 407 } 408 ctx->params.type = (mbedtls_lmots_algorithm_type_t) type; 409 410 if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) { 411 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 412 } 413 414 memcpy(ctx->params.I_key_identifier, 415 key + PUBLIC_KEY_I_KEY_ID_OFFSET, 416 MBEDTLS_LMOTS_I_KEY_ID_LEN); 417 418 memcpy(ctx->params.q_leaf_identifier, 419 key + PUBLIC_KEY_Q_LEAF_ID_OFFSET, 420 MBEDTLS_LMOTS_Q_LEAF_ID_LEN); 421 422 memcpy(ctx->public_key, 423 key + PUBLIC_KEY_KEY_HASH_OFFSET, 424 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type)); 425 426 ctx->have_public_key = 1; 427 428 return 0; 429 } 430 431 int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx, 432 unsigned char *key, size_t key_size, 433 size_t *key_len) 434 { 435 if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) { 436 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL; 437 } 438 439 if (!ctx->have_public_key) { 440 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 441 } 442 443 MBEDTLS_PUT_UINT32_BE(ctx->params.type, key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET); 444 445 memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET, 446 ctx->params.I_key_identifier, 447 MBEDTLS_LMOTS_I_KEY_ID_LEN); 448 449 memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET, 450 ctx->params.q_leaf_identifier, 451 MBEDTLS_LMOTS_Q_LEAF_ID_LEN); 452 453 memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key, 454 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type)); 455 456 if (key_len != NULL) { 457 *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type); 458 } 459 460 return 0; 461 } 462 463 int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params, 464 const unsigned char *msg, 465 size_t msg_size, 466 const unsigned char *sig, 467 size_t sig_size, 468 unsigned char *out, 469 size_t out_size, 470 size_t *out_len) 471 { 472 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX]; 473 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; 474 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 475 476 if (msg == NULL && msg_size != 0) { 477 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 478 } 479 480 if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) || 481 out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) { 482 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 483 } 484 485 ret = create_digit_array_with_checksum(params, msg, msg_size, 486 sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, 487 tmp_digit_array); 488 if (ret) { 489 return ret; 490 } 491 492 ret = hash_digit_array(params, 493 sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type), 494 tmp_digit_array, NULL, (unsigned char *) y_hashed_digits); 495 if (ret) { 496 return ret; 497 } 498 499 ret = public_key_from_hashed_digit_array(params, 500 (unsigned char *) y_hashed_digits, 501 out); 502 if (ret) { 503 return ret; 504 } 505 506 if (out_len != NULL) { 507 *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type); 508 } 509 510 return 0; 511 } 512 513 int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx, 514 const unsigned char *msg, size_t msg_size, 515 const unsigned char *sig, size_t sig_size) 516 { 517 unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; 518 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 519 520 if (msg == NULL && msg_size != 0) { 521 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 522 } 523 524 if (!ctx->have_public_key) { 525 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 526 } 527 528 if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) { 529 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 530 } 531 532 if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) { 533 return MBEDTLS_ERR_LMS_VERIFY_FAILED; 534 } 535 536 if (MBEDTLS_GET_UINT32_BE(sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET) != MBEDTLS_LMOTS_SHA256_N32_W8) { 537 return MBEDTLS_ERR_LMS_VERIFY_FAILED; 538 } 539 540 ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params, 541 msg, msg_size, sig, sig_size, 542 Kc_public_key_candidate, 543 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type), 544 NULL); 545 if (ret) { 546 return MBEDTLS_ERR_LMS_VERIFY_FAILED; 547 } 548 549 if (memcmp(&Kc_public_key_candidate, ctx->public_key, 550 sizeof(ctx->public_key))) { 551 return MBEDTLS_ERR_LMS_VERIFY_FAILED; 552 } 553 554 return 0; 555 } 556 557 #if defined(MBEDTLS_LMS_PRIVATE) 558 559 void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx) 560 { 561 memset(ctx, 0, sizeof(*ctx)); 562 } 563 564 void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx) 565 { 566 if (ctx == NULL) { 567 return; 568 } 569 570 mbedtls_platform_zeroize(ctx, 571 sizeof(*ctx)); 572 } 573 574 int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx, 575 mbedtls_lmots_algorithm_type_t type, 576 const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN], 577 uint32_t q_leaf_identifier, 578 const unsigned char *seed, 579 size_t seed_size) 580 { 581 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; 582 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 583 size_t output_hash_len; 584 unsigned int i_digit_idx; 585 unsigned char i_digit_idx_bytes[2]; 586 unsigned char const_bytes[1] = { 0xFF }; 587 588 if (ctx->have_private_key) { 589 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 590 } 591 592 if (type != MBEDTLS_LMOTS_SHA256_N32_W8) { 593 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 594 } 595 596 ctx->params.type = type; 597 598 memcpy(ctx->params.I_key_identifier, 599 I_key_identifier, 600 sizeof(ctx->params.I_key_identifier)); 601 602 MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, ctx->params.q_leaf_identifier, 0); 603 604 for (i_digit_idx = 0; 605 i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type); 606 i_digit_idx++) { 607 status = psa_hash_setup(&op, PSA_ALG_SHA_256); 608 if (status != PSA_SUCCESS) { 609 goto exit; 610 } 611 612 status = psa_hash_update(&op, 613 ctx->params.I_key_identifier, 614 sizeof(ctx->params.I_key_identifier)); 615 if (status != PSA_SUCCESS) { 616 goto exit; 617 } 618 619 status = psa_hash_update(&op, 620 ctx->params.q_leaf_identifier, 621 MBEDTLS_LMOTS_Q_LEAF_ID_LEN); 622 if (status != PSA_SUCCESS) { 623 goto exit; 624 } 625 626 MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0); 627 status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN); 628 if (status != PSA_SUCCESS) { 629 goto exit; 630 } 631 632 status = psa_hash_update(&op, const_bytes, sizeof(const_bytes)); 633 if (status != PSA_SUCCESS) { 634 goto exit; 635 } 636 637 status = psa_hash_update(&op, seed, seed_size); 638 if (status != PSA_SUCCESS) { 639 goto exit; 640 } 641 642 status = psa_hash_finish(&op, 643 ctx->private_key[i_digit_idx], 644 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type), 645 &output_hash_len); 646 if (status != PSA_SUCCESS) { 647 goto exit; 648 } 649 650 psa_hash_abort(&op); 651 } 652 653 ctx->have_private_key = 1; 654 655 exit: 656 psa_hash_abort(&op); 657 658 return PSA_TO_MBEDTLS_ERR(status); 659 } 660 661 int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx, 662 const mbedtls_lmots_private_t *priv_ctx) 663 { 664 unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; 665 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 666 667 /* Check that a private key is loaded */ 668 if (!priv_ctx->have_private_key) { 669 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 670 } 671 672 ret = hash_digit_array(&priv_ctx->params, 673 (unsigned char *) priv_ctx->private_key, NULL, 674 NULL, (unsigned char *) y_hashed_digits); 675 if (ret) { 676 goto exit; 677 } 678 679 ret = public_key_from_hashed_digit_array(&priv_ctx->params, 680 (unsigned char *) y_hashed_digits, 681 ctx->public_key); 682 if (ret) { 683 goto exit; 684 } 685 686 memcpy(&ctx->params, &priv_ctx->params, 687 sizeof(ctx->params)); 688 689 ctx->have_public_key = 1; 690 691 exit: 692 mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits)); 693 694 return ret; 695 } 696 697 int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx, 698 int (*f_rng)(void *, unsigned char *, size_t), 699 void *p_rng, const unsigned char *msg, size_t msg_size, 700 unsigned char *sig, size_t sig_size, size_t *sig_len) 701 { 702 unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX]; 703 /* Create a temporary buffer to prepare the signature in. This allows us to 704 * finish creating a signature (ensuring the process doesn't fail), and then 705 * erase the private key **before** writing any data into the sig parameter 706 * buffer. If data were directly written into the sig buffer, it might leak 707 * a partial signature on failure, which effectively compromises the private 708 * key. 709 */ 710 unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; 711 unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; 712 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 713 714 if (msg == NULL && msg_size != 0) { 715 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 716 } 717 718 if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) { 719 return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL; 720 } 721 722 /* Check that a private key is loaded */ 723 if (!ctx->have_private_key) { 724 return MBEDTLS_ERR_LMS_BAD_INPUT_DATA; 725 } 726 727 ret = f_rng(p_rng, tmp_c_random, 728 MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type)); 729 if (ret) { 730 return ret; 731 } 732 733 ret = create_digit_array_with_checksum(&ctx->params, 734 msg, msg_size, 735 tmp_c_random, 736 tmp_digit_array); 737 if (ret) { 738 goto exit; 739 } 740 741 ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key, 742 NULL, tmp_digit_array, (unsigned char *) tmp_sig); 743 if (ret) { 744 goto exit; 745 } 746 747 MBEDTLS_PUT_UINT32_BE(ctx->params.type, sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET); 748 749 /* Test hook to check if sig is being written to before we invalidate the 750 * private key. 751 */ 752 #if defined(MBEDTLS_TEST_HOOKS) 753 if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) { 754 ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig); 755 if (ret != 0) { 756 return ret; 757 } 758 } 759 #endif /* defined(MBEDTLS_TEST_HOOKS) */ 760 761 /* We've got a valid signature now, so it's time to make sure the private 762 * key can't be reused. 763 */ 764 ctx->have_private_key = 0; 765 mbedtls_platform_zeroize(ctx->private_key, 766 sizeof(ctx->private_key)); 767 768 memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random, 769 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type)); 770 771 memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig, 772 MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type) 773 * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type)); 774 775 if (sig_len != NULL) { 776 *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type); 777 } 778 779 ret = 0; 780 781 exit: 782 mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array)); 783 mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig)); 784 785 return ret; 786 } 787 788 #endif /* defined(MBEDTLS_LMS_PRIVATE) */ 789 #endif /* defined(MBEDTLS_LMS_C) */ 790