/* * The LM-OTS one-time public-key signature scheme * * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /* * The following sources were referenced in the design of this implementation * of the LM-OTS algorithm: * * [1] IETF RFC8554 * D. McGrew, M. Curcio, S.Fluhrer * https://datatracker.ietf.org/doc/html/rfc8554 * * [2] NIST Special Publication 800-208 * David A. Cooper et. al. * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf */ #include "common.h" #ifdef MBEDTLS_LMS_C #include #include "lmots.h" #include "mbedtls/lms.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" #include "psa/crypto.h" #define MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET (MBEDTLS_LMOTS_SIG_TYPE_OFFSET + \ MBEDTLS_LMOTS_TYPE_LEN) #define MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(type) (MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET + \ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type)) #define MBEDTLS_LMOTS_PUBLIC_KEY_TYPE_OFFSET (0) #define MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET (MBEDTLS_LMOTS_PUBLIC_KEY_TYPE_OFFSET + \ MBEDTLS_LMOTS_TYPE_LEN) #define MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET (MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET + \ MBEDTLS_LMOTS_I_KEY_ID_LEN) #define MBEDTLS_LMOTS_PUBLIC_KEY_KEY_HASH_OFFSET (MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET + \ MBEDTLS_LMOTS_Q_LEAF_ID_LEN) /* We only support parameter sets that use 8-bit digits, as it does not require * translation logic between digits and bytes */ #define W_WINTERNITZ_PARAMETER (8u) #define CHECKSUM_LEN (2) #define I_DIGIT_IDX_LEN (2) #define J_HASH_IDX_LEN (1) #define D_CONST_LEN (2) /* Currently only defined for SHA256, 32 is the max hash output size */ #define MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN_MAX (MBEDTLS_LMOTS_N_HASH_LEN_MAX) #define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u) #define D_CONST_LEN (2) static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = {0x80, 0x80}; static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = {0x81, 0x81}; void unsigned_int_to_network_bytes( unsigned int val, size_t len, unsigned char *bytes ) { size_t idx; for ( idx = 0; idx < len; idx++ ) { bytes[idx] = ( val >> ( ( len - 1 - idx ) * 8 ) ) & 0xFF; } } unsigned int network_bytes_to_unsigned_int( size_t len, const unsigned char *bytes ) { size_t idx; unsigned int val = 0; for ( idx = 0; idx < len; idx++ ) { val |= ( ( unsigned int )bytes[idx] ) << (8 * ( len - 1 - idx ) ); } return val; } static unsigned short lmots_checksum_calculate( const mbedtls_lmots_parameters_t *params, const unsigned char* digest ) { size_t idx; unsigned sum = 0; for ( idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++ ) { sum += DIGIT_MAX_VALUE - digest[idx]; } return sum; } static int create_digit_array_with_checksum( const mbedtls_lmots_parameters_t *params, const unsigned char *msg, size_t msg_len, const unsigned char *C_random_value, unsigned char *out ) { psa_hash_operation_t op; psa_status_t status; size_t output_hash_len; unsigned short checksum; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; op = psa_hash_operation_init( ); status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, params->I_key_identifier, MBEDTLS_LMOTS_I_KEY_ID_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, params->q_leaf_identifier, MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, C_random_value, MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type) ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, msg, msg_len ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_finish( &op, out, MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type), &output_hash_len ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; checksum = lmots_checksum_calculate( params, out ); unsigned_int_to_network_bytes( checksum, CHECKSUM_LEN, out + MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); exit: psa_hash_abort( &op ); return( ret ); } static int hash_digit_array( const mbedtls_lmots_parameters_t *params, const unsigned char *x_digit_array, const unsigned char *hash_idx_min_values, const unsigned char *hash_idx_max_values, unsigned char *output ) { unsigned char i_digit_idx; unsigned char j_hash_idx; unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN]; unsigned char j_hash_idx_bytes[1]; /* These can't be unsigned chars, because they are sometimes set to * #DIGIT_MAX_VALUE, which has a value of 256 */ unsigned int j_hash_idx_min; unsigned int j_hash_idx_max; psa_hash_operation_t op; psa_status_t status; size_t output_hash_len; unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; op = psa_hash_operation_init( ); for ( i_digit_idx = 0; i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type); i_digit_idx++ ) { memcpy( tmp_hash, &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)], MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); j_hash_idx_min = hash_idx_min_values != NULL ? hash_idx_min_values[i_digit_idx] : 0; j_hash_idx_max = hash_idx_max_values != NULL ? hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE; for ( j_hash_idx = ( unsigned char )j_hash_idx_min; j_hash_idx < j_hash_idx_max; j_hash_idx++ ) { status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, params->I_key_identifier, MBEDTLS_LMOTS_I_KEY_ID_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, params->q_leaf_identifier, MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; unsigned_int_to_network_bytes( i_digit_idx, I_DIGIT_IDX_LEN, i_digit_idx_bytes ); status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; unsigned_int_to_network_bytes( j_hash_idx, J_HASH_IDX_LEN, j_hash_idx_bytes ); status = psa_hash_update( &op, j_hash_idx_bytes, J_HASH_IDX_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_finish( &op, tmp_hash, sizeof( tmp_hash ), &output_hash_len ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; psa_hash_abort( &op ); } memcpy( &output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)], tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); } exit: if( ret ) { psa_hash_abort( &op ); return( ret ); } mbedtls_platform_zeroize( tmp_hash, sizeof( tmp_hash ) ); return ret; } static int public_key_from_hashed_digit_array( const mbedtls_lmots_parameters_t *params, const unsigned char *y_hashed_digits, unsigned char *pub_key ) { psa_hash_operation_t op; psa_status_t status; size_t output_hash_len; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; op = psa_hash_operation_init( ); status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, params->I_key_identifier, MBEDTLS_LMOTS_I_KEY_ID_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, params->q_leaf_identifier, MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_update( &op, y_hashed_digits, MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) * MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; status = psa_hash_finish( &op, pub_key, MBEDTLS_LMOTS_N_HASH_LEN(params->type), &output_hash_len ); ret = mbedtls_lms_error_from_psa( status ); exit: psa_hash_abort( &op ); return( ret ); } int mbedtls_lms_error_from_psa( psa_status_t status ) { switch( status ) { case PSA_SUCCESS: return( 0 ); case PSA_ERROR_HARDWARE_FAILURE: return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); case PSA_ERROR_NOT_SUPPORTED: return( MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ); case PSA_ERROR_BUFFER_TOO_SMALL: return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); case PSA_ERROR_INVALID_ARGUMENT: return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); default: return( MBEDTLS_ERR_ERROR_GENERIC_ERROR ); } } void mbedtls_lmots_init_public( mbedtls_lmots_public_t *ctx ) { mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_public_t ) ) ; } void mbedtls_lmots_free_public( mbedtls_lmots_public_t *ctx ) { mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_public_t ) ) ; } int mbedtls_lmots_import_public_key( mbedtls_lmots_public_t *ctx, const unsigned char *key, size_t key_len ) { ctx->params.type = network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN, key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ); if ( key_len < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) ) { return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } memcpy( ctx->params.I_key_identifier, key + MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET, MBEDTLS_LMOTS_I_KEY_ID_LEN ); memcpy( ctx->params.q_leaf_identifier, key + MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET, MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); memcpy( ctx->public_key, key + MBEDTLS_LMOTS_PUBLIC_KEY_KEY_HASH_OFFSET, MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); ctx->have_public_key = 1; return( 0 ); } int mbedtls_lmots_calculate_public_key_candidate( const mbedtls_lmots_parameters_t *params, const unsigned char *msg, size_t msg_size, const unsigned char *sig, size_t sig_size, unsigned char *out, size_t out_size, size_t *out_len ) { unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX]; unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; if ( msg == NULL && msg_size != 0 ) { return ( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } if ( sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) || out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type) ) { return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } ret = create_digit_array_with_checksum( params, msg, msg_size, sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_digit_array ); if ( ret ) { return ( ret ); } ret = hash_digit_array( params, sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type), tmp_digit_array, NULL, ( unsigned char * )y_hashed_digits ); if ( ret ) { return ( ret ); } ret = public_key_from_hashed_digit_array( params, ( unsigned char * )y_hashed_digits, out ); if ( ret ) { return ( ret ); } if ( out_len != NULL ) { *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type); } return( 0 ); } int mbedtls_lmots_verify( mbedtls_lmots_public_t *ctx, const unsigned char *msg, size_t msg_size, const unsigned char *sig, size_t sig_size ) { unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; if ( msg == NULL && msg_size != 0 ) { return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } if ( !ctx->have_public_key ) { return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } if( ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8 ) { return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } if ( network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN, sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ) != MBEDTLS_LMOTS_SHA256_N32_W8 ) { return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); } ret = mbedtls_lmots_calculate_public_key_candidate( &ctx->params, msg, msg_size, sig, sig_size, Kc_public_key_candidate, MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type), NULL ); if ( ret ) { return( ret ); } if ( memcmp( &Kc_public_key_candidate, ctx->public_key, sizeof( ctx->public_key ) ) ) { return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); } return( 0 ); } #ifdef MBEDTLS_LMS_PRIVATE void mbedtls_lmots_init_private( mbedtls_lmots_private_t *ctx ) { mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_private_t ) ) ; } void mbedtls_lmots_free_private( mbedtls_lmots_private_t *ctx ) { mbedtls_platform_zeroize( ctx, sizeof( mbedtls_lmots_private_t ) ) ; } int mbedtls_lmots_generate_private_key( mbedtls_lmots_private_t *ctx, mbedtls_lmots_algorithm_type_t type, const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN], uint32_t q_leaf_identifier, const unsigned char *seed, size_t seed_size ) { psa_hash_operation_t op; psa_status_t status; size_t output_hash_len; unsigned int i_digit_idx; unsigned char i_digit_idx_bytes[2]; unsigned char const_bytes[1]; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; if ( ctx->have_private_key ) { return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } if ( type != MBEDTLS_LMOTS_SHA256_N32_W8 ) { return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } op = psa_hash_operation_init( ); ctx->params.type = type; memcpy( ctx->params.I_key_identifier, I_key_identifier, sizeof( ctx->params.I_key_identifier ) ); unsigned_int_to_network_bytes( q_leaf_identifier, MBEDTLS_LMOTS_Q_LEAF_ID_LEN, ctx->params.q_leaf_identifier ); unsigned_int_to_network_bytes( 0xFF, sizeof( const_bytes ), const_bytes ); for ( i_digit_idx = 0; i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type); i_digit_idx++ ) { status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); ret = mbedtls_lms_error_from_psa( status ); if ( ret != 0 ) goto exit; ret = psa_hash_update( &op, ctx->params.I_key_identifier, sizeof( ctx->params.I_key_identifier ) ); ret = mbedtls_lms_error_from_psa( status ); if ( ret ) goto exit; status = psa_hash_update( &op, ctx->params.q_leaf_identifier, MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret ) goto exit; unsigned_int_to_network_bytes( i_digit_idx, I_DIGIT_IDX_LEN, i_digit_idx_bytes ); status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN ); ret = mbedtls_lms_error_from_psa( status ); if ( ret ) goto exit; status = psa_hash_update( &op, const_bytes, sizeof( const_bytes ) ); ret = mbedtls_lms_error_from_psa( status ); if ( ret ) goto exit; status = psa_hash_update( &op, seed, seed_size ); ret = mbedtls_lms_error_from_psa( status ); if ( ret ) goto exit; status = psa_hash_finish( &op, ctx->private_key[i_digit_idx], MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type), &output_hash_len ); ret = mbedtls_lms_error_from_psa( status ); if ( ret ) goto exit; psa_hash_abort( &op ); } ctx->have_private_key = 1; exit: if( ret ) { psa_hash_abort( &op ); return( ret ); } return ret; } int mbedtls_lmots_calculate_public_key( mbedtls_lmots_public_t *ctx, mbedtls_lmots_private_t *priv_ctx ) { unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* Check that a private key is loaded */ if ( !priv_ctx->have_private_key ) { return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } ret = hash_digit_array( &priv_ctx->params, ( unsigned char * )priv_ctx->private_key, NULL, NULL, ( unsigned char * )y_hashed_digits ); if ( ret ) { return( ret ); } ret = public_key_from_hashed_digit_array( &priv_ctx->params, ( unsigned char * )y_hashed_digits, ctx->public_key ); if ( ret ) { return( ret ); } memcpy( &ctx->params, &priv_ctx->params, sizeof( ctx->params ) ); ctx->have_public_key = 1; return( ret ); } int mbedtls_lmots_export_public_key( mbedtls_lmots_public_t *ctx, unsigned char *key, size_t key_size, size_t *key_len ) { if( key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) ) { return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); } if( ! ctx->have_public_key ) { return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } unsigned_int_to_network_bytes( ctx->params.type, MBEDTLS_LMOTS_TYPE_LEN, key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ); memcpy( key + MBEDTLS_LMOTS_PUBLIC_KEY_I_KEY_ID_OFFSET, ctx->params.I_key_identifier, MBEDTLS_LMOTS_I_KEY_ID_LEN ); memcpy( key + MBEDTLS_LMOTS_PUBLIC_KEY_Q_LEAF_ID_OFFSET, ctx->params.q_leaf_identifier, MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); memcpy( key + MBEDTLS_LMOTS_PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key, MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); if( key_len != NULL ) { *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type); } return( 0 ); } int mbedtls_lmots_sign( mbedtls_lmots_private_t *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, const unsigned char *msg, size_t msg_size, unsigned char *sig, size_t sig_size, size_t* sig_len ) { unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX]; /* Create a temporary buffer to prepare the signature in. This allows us to * finish creating a signature (ensuring the process doesn't fail), and then * erase the private key **before** writing any data into the sig parameter * buffer. If data were directly written into the sig buffer, it might leak * a partial signature on failure, which effectively compromises the private * key. */ unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; unsigned char tmp_c_random[MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN_MAX]; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; if ( msg == NULL && msg_size != 0 ) { return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } if( sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type) ) { return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); } /* Check that a private key is loaded */ if ( !ctx->have_private_key ) { return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); } ret = f_rng( p_rng, tmp_c_random, MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); if ( ret ) { return( ret ); } ret = create_digit_array_with_checksum( &ctx->params, msg, msg_size, tmp_c_random, tmp_digit_array ); if ( ret ) { return( ret ); } ret = hash_digit_array( &ctx->params, ( unsigned char * )ctx->private_key, NULL, tmp_digit_array, ( unsigned char * )tmp_sig ); if ( ret ) { return( ret ); } unsigned_int_to_network_bytes( ctx->params.type, MBEDTLS_LMOTS_TYPE_LEN, sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ); /* We've got a valid signature now, so it's time to make sure the private * key can't be reused. */ ctx->have_private_key = 0; mbedtls_platform_zeroize( ctx->private_key, sizeof( ctx->private_key ) ); memcpy( sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random, MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type) ); memcpy( sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig, MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type) * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); if( sig_len != NULL ) { *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type); } return( 0 ); } #endif /* MBEDTLS_LMS_PRIVATE */ #endif /* MBEDTLS_LMS_C */