luna - wolfssl/wolfcrypt/src/wc_lms

   1/* wc_lms_impl.c
   2 *
   3 * Copyright (C) 2006-2026 wolfSSL Inc.
   4 *
   5 * This file is part of wolfSSL.
   6 *
   7 * wolfSSL is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 3 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * wolfSSL is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20 */
  21
  22/* Implementation based on:
  23 *   RFC 8554: Leighton-Micali Hash-Based Signatures
  24 *   https://datatracker.ietf.org/doc/html/rfc8554
  25 * Implementation by Sean Parkinson.
  26 */
  27
  28/* Possible LMS options:
  29 *
  30 * WC_LMS_FULL_HASH                                      Default: OFF
  31 *   Performs a full hash instead of assuming internals.
  32 *   Enable when using hardware SHA-256.
  33 * WOLFSSL_LMS_VERIFY_ONLY                               Default: OFF
  34 *   Only compiles in verification code.
  35 * WOLFSSL_WC_LMS_SMALL                                  Default: OFF
  36 *   Implementation is smaller code size with slow signing.
  37 *   Enable when memory is limited.
  38 */
  39
  40#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
  41
  42#include <wolfssl/wolfcrypt/wc_lms.h>
  43
  44#ifdef NO_INLINE
  45    #include <wolfssl/wolfcrypt/misc.h>
  46#else
  47    #define WOLFSSL_MISC_INCLUDED
  48    #include <wolfcrypt/src/misc.c>
  49#endif
  50
  51#ifdef WOLFSSL_HAVE_LMS
  52
  53/* Length of R in bytes. */
  54#define LMS_R_LEN           4U
  55/* Length of D in bytes. */
  56#define LMS_D_LEN           2U
  57/* Length of checksum in bytes. */
  58#define LMS_CKSM_LEN        2
  59
  60/* Predefined values used in hashes to make them unique. */
  61/* Fixed value for calculating x. */
  62#define LMS_D_FIXED         0xff
  63/* D value when computing public key. */
  64#define LMS_D_PBLC          0x8080
  65/* D value when computing message. */
  66#define LMS_D_MESG          0x8181
  67/* D value when computing leaf node. */
  68#define LMS_D_LEAF          0x8282
  69/* D value when computing interior node. */
  70#define LMS_D_INTR          0x8383
  71/* D value when computing C, randomizer value. */
  72#define LMS_D_C             0xfffd
  73/* D value when computing child SEED for private key. */
  74#define LMS_D_CHILD_SEED    0xfffe
  75/* D value when computing child I for private key. */
  76#define LMS_D_CHILD_I       0xffff
  77
  78/* Length of data to hash when computing seed:
  79 *   16 + 4 + 2 + 32/24 = 54/46 */
  80#define LMS_SEED_HASH_LEN(hLen)     \
  81    (LMS_I_LEN + LMS_R_LEN + LMS_D_LEN + (word32)(hLen))
  82
  83/* Length of data to hash when computing a node:
  84 *   16 + 4 + 2 + 32/24 + 32/24 = 86/70 */
  85#define LMS_NODE_HASH_LEN(hLen)     \
  86    (LMS_I_LEN + LMS_R_LEN + LMS_D_LEN + 2U * (word32)(hLen))
  87
  88/* Length of data to hash when computing most results:
  89 *   16 + 4 + 2 + 1 + 32/24 = 55/47 */
  90#define LMS_HASH_BUFFER_LEN(hLen)   \
  91    (LMS_I_LEN + LMS_Q_LEN + LMS_P_LEN + LMS_W_LEN + (word32)(hLen))
  92
  93/* Length of preliminary data to hash when computing K:
  94 *   16 + 4 + 2 = 22 */
  95#define LMS_K_PRE_LEN       (LMS_I_LEN + LMS_Q_LEN + LMS_P_LEN)
  96
  97/* Length of preliminary data to hash when computing message hash:
  98 *   16 + 4 + 2 = 22 */
  99#define LMS_MSG_PRE_LEN     (LMS_I_LEN + LMS_Q_LEN + LMS_P_LEN)
 100
 101
 102#ifdef WC_LMS_DEBUG_PRINT_DATA
 103/* Print data when debugging implementation.
 104 *
 105 * @param [in] name  String to print before data.
 106 * @param [in] data  Array of bytes.
 107 * @param [in] len   Length of data in array.
 108 */
 109static void print_data(const char* name, const byte* data, int len)
 110{
 111    int i;
 112
 113    fprintf(stderr, "%6s: ", name);
 114    for (i = 0; i < len; i++) {
 115        fprintf(stderr, "%02x", data[i]);
 116    }
 117    fprintf(stderr, "\n");
 118}
 119#endif
 120
 121/***************************************
 122 * Index APIs
 123 **************************************/
 124
 125#ifndef WOLFSSL_LMS_VERIFY_ONLY
 126/* Zero index.
 127 *
 128 * @param [out] a    Byte array. Big-endian encoding.
 129 * @param [in]  len  Length of array in bytes.
 130 */
 131static WC_INLINE void wc_lms_idx_zero(unsigned char* a, word32 len)
 132{
 133    XMEMSET(a, 0, len);
 134}
 135
 136/* Increment big-endian value.
 137 *
 138 * @param [in, out] a    Byte array. Big-endian encoding.
 139 * @param [in]      len  Length of array in bytes.
 140 */
 141static WC_INLINE void wc_lms_idx_inc(unsigned char* a, word32 len)
 142{
 143    word32 i;
 144
 145    /* Starting at least-significant byte up to most. */
 146    for (i = len; i > 0; i--) {
 147        /* Add one/carry to byte. */
 148        if ((++a[i - 1]) != 0) {
 149            /* No more carry. */
 150            break;
 151        }
 152    }
 153}
 154#endif /* !WOLFSSL_LMS_VERIFY_ONLY */
 155
 156/***************************************
 157 * Hash APIs
 158 **************************************/
 159
 160/* Set hash data and length into SHA-256 digest.
 161 *
 162 * @param [in, out] state  SHA-256 digest object.
 163 * @param [in]      data   Data to add to hash.
 164 * @param [in]      len    Number of bytes in data. Must be less than a block.
 165 */
 166#define LMS_SHA256_SET_DATA(sha256, data, len)  \
 167do {                                            \
 168    XMEMCPY((sha256)->buffer, (data), (len));   \
 169    (sha256)->buffLen = (len);                  \
 170    (sha256)->loLen = (len);                    \
 171} while (0)
 172
 173/* Add hash data and length into SHA-256 digest.
 174 *
 175 * @param [in, out] state  SHA-256 digest object.
 176 * @param [in]      data   Data to add to hash.
 177 * @param [in]      len    Number of bytes in data. Must be less than a block.
 178 */
 179#define LMS_SHA256_ADD_DATA(sha256, data, len)                              \
 180do {                                                                        \
 181    XMEMCPY((byte*)(sha256)->buffer + (sha256)->buffLen, (data), (len));    \
 182    (sha256)->buffLen += (len);                                             \
 183    (sha256)->loLen += (len);                                               \
 184} while (0)
 185
 186/* Set the length of 54 bytes in buffer as per SHA-256 final operation.
 187 *
 188 * @param [in, out] buffer  Hash data buffer to add length to.
 189 */
 190#define LMS_SHA256_SET_LEN_54(buffer)   \
 191do {                                    \
 192    (buffer)[54] = 0x80;                \
 193    (buffer)[55] = 0x00;                \
 194    (buffer)[56] = 0x00;                \
 195    (buffer)[57] = 0x00;                \
 196    (buffer)[58] = 0x00;                \
 197    (buffer)[59] = 0x00;                \
 198    (buffer)[60] = 0x00;                \
 199    (buffer)[61] = 0x00;                \
 200    (buffer)[62] = 0x01;                \
 201    (buffer)[63] = 0xb0;                \
 202} while (0)
 203
 204/* Set the length of 55 bytes in buffer as per SHA-256 final operation.
 205 *
 206 * @param [in, out] buffer  Hash data buffer to add length to.
 207 */
 208#define LMS_SHA256_SET_LEN_55(buffer)   \
 209do {                                    \
 210    (buffer)[55] = 0x80;                \
 211    (buffer)[56] = 0x00;                \
 212    (buffer)[57] = 0x00;                \
 213    (buffer)[58] = 0x00;                \
 214    (buffer)[59] = 0x00;                \
 215    (buffer)[60] = 0x00;                \
 216    (buffer)[61] = 0x00;                \
 217    (buffer)[62] = 0x01;                \
 218    (buffer)[63] = 0xb8;                \
 219} while (0)
 220
 221#ifndef WOLFSSL_NO_LMS_SHA256_256
 222#ifndef WC_LMS_FULL_HASH
 223/* Hash one full block of data and compute result.
 224 *
 225 * @param [in]  sha256  SHA-256 hash object.
 226 * @param [in]  data    Data to hash.
 227 * @param [out] hash    Hash output.
 228 * @return  0 on success.
 229 */
 230static WC_INLINE int wc_lms_hash_block(wc_Sha256* sha256, const byte* data,
 231    byte* hash)
 232{
 233    /* Hash the block and reset SHA-256 state. */
 234    return wc_Sha256HashBlock(sha256, data, hash);
 235}
 236#endif /* !WC_LMS_FULL_HASH */
 237
 238/* Hash data and compute result.
 239 *
 240 * @param [in]  sha256  SHA-256 hash object.
 241 * @param [in]  data    Data to hash.
 242 * @param [in]  len     Length of data to hash.
 243 * @param [out] hash    Hash output.
 244 * @return  0 on success.
 245 */
 246static WC_INLINE int wc_lms_hash(wc_Sha256* sha256, byte* data, word32 len,
 247    byte* hash)
 248{
 249    int ret;
 250
 251#ifndef WC_LMS_FULL_HASH
 252    if (len < WC_SHA256_BLOCK_SIZE) {
 253        /* Store data into SHA-256 object's buffer. */
 254        LMS_SHA256_SET_DATA(sha256, data, len);
 255        ret = wc_Sha256Final(sha256, hash);
 256    }
 257    else if (len < WC_SHA256_BLOCK_SIZE + WC_SHA256_PAD_SIZE) {
 258        ret = wc_Sha256HashBlock(sha256, data, NULL);
 259        if (ret == 0) {
 260            byte* buffer = (byte*)sha256->buffer;
 261            word32 rem = len - WC_SHA256_BLOCK_SIZE;
 262
 263            XMEMCPY(buffer, data + WC_SHA256_BLOCK_SIZE, rem);
 264            buffer[rem++] = 0x80;
 265            XMEMSET(buffer + rem, 0, WC_SHA256_BLOCK_SIZE - 2 - rem);
 266            buffer[WC_SHA256_BLOCK_SIZE - 2] = (byte)(len >> 5);
 267            buffer[WC_SHA256_BLOCK_SIZE - 1] = (byte)(len << 3);
 268            ret = wc_Sha256HashBlock(sha256, buffer, hash);
 269        }
 270    }
 271    else {
 272        ret = wc_Sha256Update(sha256, data, len);
 273        if (ret == 0) {
 274            ret = wc_Sha256Final(sha256, hash);
 275        }
 276    }
 277#else
 278    ret = wc_Sha256Update(sha256, data, len);
 279    if (ret == 0) {
 280        ret = wc_Sha256Final(sha256, hash);
 281    }
 282#endif /* !WC_LMS_FULL_HASH */
 283
 284    return ret;
 285}
 286#endif /* !WOLFSSL_NO_LMS_SHA256_256 */
 287
 288/* Update hash with first data.
 289 *
 290 * Sets the data directly into SHA-256's buffer if valid.
 291 *
 292 * @param [in]  sha256  SHA-256 hash object.
 293 * @param [in]  data    Data to hash.
 294 * @param [in]  len     Length of data to hash.
 295 * @return  0 on success.
 296 */
 297static WC_INLINE int wc_lms_hash_first(wc_Sha256* sha256, const byte* data,
 298    word32 len)
 299{
 300    int ret = 0;
 301
 302#ifndef WC_LMS_FULL_HASH
 303    if (len < WC_SHA256_BLOCK_SIZE) {
 304        /* Store data into SHA-256 object's buffer. */
 305        LMS_SHA256_SET_DATA(sha256, data, len);
 306    }
 307    else
 308#endif /* !WC_LMS_FULL_HASH */
 309    {
 310        ret = wc_Sha256Update(sha256, data, len);
 311    }
 312
 313    return ret;
 314}
 315
 316/* Update hash with further data.
 317 *
 318 * Adds the data directly into SHA-256's buffer if valid.
 319 *
 320 * @param [in]  sha256  SHA-256 hash object.
 321 * @param [in]  data    Data to hash.
 322 * @param [in]  len     Length of data to hash.
 323 * @return  0 on success.
 324 */
 325static WC_INLINE int wc_lms_hash_update(wc_Sha256* sha256, const byte* data,
 326    word32 len)
 327{
 328    int ret = 0;
 329
 330#ifndef WC_LMS_FULL_HASH
 331    if (sha256->buffLen + len < WC_SHA256_BLOCK_SIZE) {
 332        /* Add data to SHA-256 object's buffer. */
 333        LMS_SHA256_ADD_DATA(sha256, data, len);
 334    }
 335    else if (sha256->buffLen + len < 2 * WC_SHA256_BLOCK_SIZE) {
 336        byte* buffer = (byte*)sha256->buffer;
 337
 338        XMEMCPY(buffer + sha256->buffLen, data,
 339            WC_SHA256_BLOCK_SIZE - sha256->buffLen);
 340        ret = wc_Sha256HashBlock(sha256, buffer, NULL);
 341        if (ret == 0) {
 342            word32 rem = len - (WC_SHA256_BLOCK_SIZE - sha256->buffLen);
 343            XMEMCPY(buffer, data + WC_SHA256_BLOCK_SIZE - sha256->buffLen, rem);
 344            sha256->buffLen = rem;
 345            sha256->loLen += len;
 346        }
 347    }
 348    else {
 349        ret = wc_Sha256Update(sha256, data, len);
 350    }
 351#else
 352    ret = wc_Sha256Update(sha256, data, len);
 353#endif /* !WC_LMS_FULL_HASH */
 354
 355    return ret;
 356}
 357
 358#ifndef WOLFSSL_NO_LMS_SHA256_256
 359/* Finalize hash.
 360 *
 361 * @param [in]  sha256  SHA-256 hash object.
 362 * @param [out] hash    Hash output.
 363 * @return  0 on success.
 364 */
 365static WC_INLINE int wc_lms_hash_final(wc_Sha256* sha256, byte* hash)
 366{
 367#ifndef WC_LMS_FULL_HASH
 368    int ret = 0;
 369    byte* buffer = (byte*)sha256->buffer;
 370
 371    buffer[sha256->buffLen++] = 0x80;
 372    if (sha256->buffLen > WC_SHA256_PAD_SIZE) {
 373        XMEMSET(buffer + sha256->buffLen, 0,
 374            WC_SHA256_BLOCK_SIZE - sha256->buffLen);
 375        ret = wc_Sha256HashBlock(sha256, buffer, NULL);
 376        sha256->buffLen = 0;
 377    }
 378    if (ret == 0) {
 379        XMEMSET(buffer + sha256->buffLen, 0,
 380            WC_SHA256_BLOCK_SIZE - 8 - sha256->buffLen);
 381        sha256->hiLen = (sha256->hiLen << 3) + (sha256->loLen >> 29);
 382        sha256->loLen = sha256->loLen << 3;
 383    #ifdef LITTLE_ENDIAN_ORDER
 384        sha256->buffer[14] = ByteReverseWord32(sha256->hiLen);
 385        sha256->buffer[15] = ByteReverseWord32(sha256->loLen);
 386    #else
 387        sha256->buffer[14] = sha256->hiLen;
 388        sha256->buffer[15] = sha256->loLen;
 389    #endif
 390        ret = wc_Sha256HashBlock(sha256, buffer, hash);
 391        sha256->buffLen = 0;
 392        sha256->hiLen = 0;
 393        sha256->loLen = 0;
 394    }
 395
 396    return ret;
 397#else
 398    return wc_Sha256Final(sha256, hash);
 399#endif
 400}
 401#endif /* !WOLFSSL_NO_LMS_SHA256_256 */
 402
 403#ifdef WOLFSSL_LMS_SHA256_192
 404/* Set the length of 46 bytes in buffer as per SHA-256 final operation.
 405 *
 406 * @param [in, out] buffer  Hash data buffer to add length to.
 407 */
 408#define LMS_SHA256_SET_LEN_46(buffer)   \
 409do {                                    \
 410    (buffer)[46] = 0x80;                \
 411    (buffer)[47] = 0x00;                \
 412    (buffer)[48] = 0x00;                \
 413    (buffer)[49] = 0x00;                \
 414    (buffer)[50] = 0x00;                \
 415    (buffer)[51] = 0x00;                \
 416    (buffer)[52] = 0x00;                \
 417    (buffer)[53] = 0x00;                \
 418    (buffer)[54] = 0x00;                \
 419    (buffer)[55] = 0x00;                \
 420    (buffer)[56] = 0x00;                \
 421    (buffer)[57] = 0x00;                \
 422    (buffer)[58] = 0x00;                \
 423    (buffer)[59] = 0x00;                \
 424    (buffer)[60] = 0x00;                \
 425    (buffer)[61] = 0x00;                \
 426    (buffer)[62] = 0x01;                \
 427    (buffer)[63] = 0x70;                \
 428} while (0)
 429
 430/* Set the length of 47 bytes in buffer as per SHA-256 final operation.
 431 *
 432 * @param [in, out] buffer  Hash data buffer to add length to.
 433 */
 434#define LMS_SHA256_SET_LEN_47(buffer)   \
 435do {                                    \
 436    (buffer)[47] = 0x80;                \
 437    (buffer)[48] = 0x00;                \
 438    (buffer)[49] = 0x00;                \
 439    (buffer)[50] = 0x00;                \
 440    (buffer)[51] = 0x00;                \
 441    (buffer)[52] = 0x00;                \
 442    (buffer)[53] = 0x00;                \
 443    (buffer)[54] = 0x00;                \
 444    (buffer)[55] = 0x00;                \
 445    (buffer)[56] = 0x00;                \
 446    (buffer)[57] = 0x00;                \
 447    (buffer)[58] = 0x00;                \
 448    (buffer)[59] = 0x00;                \
 449    (buffer)[60] = 0x00;                \
 450    (buffer)[61] = 0x00;                \
 451    (buffer)[62] = 0x01;                \
 452    (buffer)[63] = 0x78;                \
 453} while (0)
 454
 455#ifndef WC_LMS_FULL_HASH
 456/* Hash one full block of data and compute result.
 457 *
 458 * @param [in]  sha256  SHA-256 hash object.
 459 * @param [in]  data    Data to hash.
 460 * @param [out] hash    Hash output.
 461 * @return  0 on success.
 462 */
 463static WC_INLINE int wc_lms_sha256_192_hash_block(wc_Sha256* sha256,
 464    const byte* data, byte* hash)
 465{
 466    int ret;
 467    unsigned char output[WC_SHA256_DIGEST_SIZE];
 468
 469    /* Hash the block and reset SHA-256 state. */
 470    ret = wc_Sha256HashBlock(sha256, data, output);
 471    if (ret == 0) {
 472        XMEMCPY(hash, output, WC_SHA256_192_DIGEST_SIZE);
 473    }
 474
 475    return ret;
 476}
 477#endif /* !WC_LMS_FULL_HASH */
 478
 479/* Hash data and compute result.
 480 *
 481 * @param [in]  sha256  SHA-256 hash object.
 482 * @param [in]  data    Data to hash.
 483 * @param [in]  len     Length of data to hash.
 484 * @param [out] hash    Hash output.
 485 * @return  0 on success.
 486 */
 487static WC_INLINE int wc_lms_hash_sha256_192(wc_Sha256* sha256, byte* data,
 488    word32 len, byte* hash)
 489{
 490    int ret;
 491    unsigned char output[WC_SHA256_DIGEST_SIZE];
 492
 493#ifndef WC_LMS_FULL_HASH
 494    if (len < WC_SHA256_BLOCK_SIZE) {
 495        /* Store data into SHA-256 object's buffer. */
 496        LMS_SHA256_SET_DATA(sha256, data, len);
 497        ret = wc_Sha256Final(sha256, output);
 498        if (ret == 0) {
 499            XMEMCPY(hash, output, WC_SHA256_192_DIGEST_SIZE);
 500        }
 501    }
 502    else if (len < WC_SHA256_BLOCK_SIZE + WC_SHA256_PAD_SIZE) {
 503        ret = wc_Sha256HashBlock(sha256, data, NULL);
 504        if (ret == 0) {
 505            byte* buffer = (byte*)sha256->buffer;
 506            word32 rem = len - WC_SHA256_BLOCK_SIZE;
 507
 508            XMEMCPY(buffer, data + WC_SHA256_BLOCK_SIZE, rem);
 509            buffer[rem++] = 0x80;
 510            XMEMSET(buffer + rem, 0, WC_SHA256_BLOCK_SIZE - 2 - rem);
 511            buffer[WC_SHA256_BLOCK_SIZE - 2] = (byte)(len >> 5);
 512            buffer[WC_SHA256_BLOCK_SIZE - 1] = (byte)(len << 3);
 513            ret = wc_Sha256HashBlock(sha256, buffer, output);
 514            if (ret == 0) {
 515                XMEMCPY(hash, output, WC_SHA256_192_DIGEST_SIZE);
 516            }
 517        }
 518    }
 519    else {
 520        ret = wc_Sha256Update(sha256, data, len);
 521        if (ret == 0) {
 522            ret = wc_Sha256Final(sha256, output);
 523            if (ret == 0) {
 524                XMEMCPY(hash, output, WC_SHA256_192_DIGEST_SIZE);
 525            }
 526        }
 527    }
 528#else
 529    ret = wc_Sha256Update(sha256, data, len);
 530    if (ret == 0) {
 531        ret = wc_Sha256Final(sha256, output);
 532        if (ret == 0) {
 533            XMEMCPY(hash, output, WC_SHA256_192_DIGEST_SIZE);
 534        }
 535    }
 536#endif /* !WC_LMS_FULL_HASH */
 537
 538    return ret;
 539}
 540
 541/* Finalize hash.
 542 *
 543 * @param [in]  sha256  SHA-256 hash object.
 544 * @param [out] hash    Hash output.
 545 * @return  0 on success.
 546 */
 547static WC_INLINE int wc_lms_hash_sha256_192_final(wc_Sha256* sha256, byte* hash)
 548{
 549#ifndef WC_LMS_FULL_HASH
 550    int ret = 0;
 551    byte* buffer = (byte*)sha256->buffer;
 552    unsigned char output[WC_SHA256_DIGEST_SIZE];
 553
 554    buffer[sha256->buffLen++] = 0x80;
 555    if (sha256->buffLen > WC_SHA256_PAD_SIZE) {
 556        XMEMSET(buffer + sha256->buffLen, 0,
 557            WC_SHA256_BLOCK_SIZE - sha256->buffLen);
 558        ret = wc_Sha256HashBlock(sha256, buffer, NULL);
 559        sha256->buffLen = 0;
 560    }
 561    if (ret == 0) {
 562        XMEMSET(buffer + sha256->buffLen, 0,
 563            WC_SHA256_BLOCK_SIZE - 8 - sha256->buffLen);
 564        sha256->hiLen = (sha256->hiLen << 3) + (sha256->loLen >> 29);
 565        sha256->loLen = sha256->loLen << 3;
 566    #ifdef LITTLE_ENDIAN_ORDER
 567        sha256->buffer[14] = ByteReverseWord32(sha256->hiLen);
 568        sha256->buffer[15] = ByteReverseWord32(sha256->loLen);
 569    #else
 570        sha256->buffer[14] = sha256->hiLen;
 571        sha256->buffer[15] = sha256->loLen;
 572    #endif
 573        ret = wc_Sha256HashBlock(sha256, buffer, output);
 574        if (ret == 0) {
 575            XMEMCPY(hash, output, WC_SHA256_192_DIGEST_SIZE);
 576        }
 577        sha256->buffLen = 0;
 578        sha256->hiLen = 0;
 579        sha256->loLen = 0;
 580    }
 581
 582    return ret;
 583#else
 584    int ret;
 585    unsigned char output[WC_SHA256_DIGEST_SIZE];
 586
 587    ret = wc_Sha256Final(sha256, output);
 588    if (ret == 0) {
 589        XMEMCPY(hash, output, WC_SHA256_192_DIGEST_SIZE);
 590    }
 591
 592    return ret;
 593#endif
 594}
 595#endif /* WOLFSSL_LMS_SHA256_192 */
 596
 597#ifdef WOLFSSL_LMS_SHAKE256
 598/* Hash data using SHAKE256 and compute result.
 599 *
 600 * @param [in]  shake    SHAKE256 hash object.
 601 * @param [in]  data     Data to hash.
 602 * @param [in]  len      Length of data to hash.
 603 * @param [out] hash     Hash output.
 604 * @param [in]  hashLen  Length of hash output.
 605 * @return  0 on success.
 606 */
 607static WC_INLINE int wc_lms_shake256_hash(wc_Shake* shake, byte* data,
 608    word32 len, byte* hash, word32 hashLen)
 609{
 610    int ret;
 611
 612    ret = wc_Shake256_Update(shake, data, len);
 613    if (ret == 0) {
 614        ret = wc_Shake256_Final(shake, hash, hashLen);
 615    }
 616
 617    return ret;
 618}
 619
 620/* Update hash with first data using SHAKE256.
 621 *
 622 * @param [in]  shake  SHAKE256 hash object.
 623 * @param [in]  data   Data to hash.
 624 * @param [in]  len    Length of data to hash.
 625 * @return  0 on success.
 626 */
 627static WC_INLINE int wc_lms_shake256_hash_first(wc_Shake* shake,
 628    const byte* data, word32 len)
 629{
 630    return wc_Shake256_Update(shake, data, len);
 631}
 632
 633/* Update hash with further data using SHAKE256.
 634 *
 635 * @param [in]  shake  SHAKE256 hash object.
 636 * @param [in]  data   Data to hash.
 637 * @param [in]  len    Length of data to hash.
 638 * @return  0 on success.
 639 */
 640static WC_INLINE int wc_lms_shake256_hash_update(wc_Shake* shake,
 641    const byte* data, word32 len)
 642{
 643    return wc_Shake256_Update(shake, data, len);
 644}
 645
 646/* Finalize SHAKE256 hash.
 647 *
 648 * @param [in]  shake    SHAKE256 hash object.
 649 * @param [out] hash     Hash output.
 650 * @param [in]  hashLen  Length of hash output.
 651 * @return  0 on success.
 652 */
 653static WC_INLINE int wc_lms_shake256_hash_final(wc_Shake* shake, byte* hash,
 654    word32 hashLen)
 655{
 656    return wc_Shake256_Final(shake, hash, hashLen);
 657}
 658#endif /* WOLFSSL_LMS_SHAKE256 */
 659
 660/***************************************
 661 * LM-OTS APIs
 662 **************************************/
 663
 664/* Expand Q to and array of Winternitz width bits values plus checksum.
 665 *
 666 * Supported Winternitz widths: 8, 4, 2, 1.
 667 *
 668 * Algorithm 2: Checksum Calculation
 669 *   sum = 0
 670 *   for ( i = 0; i < (n*8/w); i = i + 1 ) {
 671 *     sum = sum + (2^w - 1) - coef(S, i, w)
 672 *   }
 673 *   return (sum << ls)
 674 * Section 3.1.3: Strings of w-Bit Elements
 675 *   coef(S, i, w) = (2^w - 1) AND
 676 *                   ( byte(S, floor(i * w / 8)) >>
 677 *                     (8 - (w * (i % (8 / w)) + w)) )
 678 * Combine coefficient expansion with checksum calculation.
 679 *
 680 * @param [in]  q   Q array of bytes.
 681 * @param [in]  n   Number of bytes in Q.
 682 * @param [in]  w   Winternitz width in bits.
 683 * @param [in]  ls  Left shift of checksum.
 684 * @param [out] qe  Expanded Q with checksum.
 685 * @return  0 on success.
 686 * @return  BAD_FUNC_ARG when Winternitz width is not supported.
 687 */
 688static WC_INLINE int wc_lmots_q_expand(byte* q, word8 n, word8 w, word8 ls,
 689    byte* qe)
 690{
 691    int ret = 0;
 692    /* sum is word16: the small-variant checksum loop below relies on
 693     * arithmetic wrapping at 2^16 (sum <<= w then sum >> (16 - w) reads the
 694     * top byte of the rolled value). Switching to a wider type would let
 695     * those high bits leak into subsequent reads. */
 696    word16 sum;
 697    unsigned int i;
 698
 699#ifndef WOLFSSL_WC_LMS_SMALL
 700    switch (w) {
 701        /* Winternitz width of 8. */
 702        case 8:
 703            /* No expansion required, just copy. */
 704            XMEMCPY(qe, q, n);
 705            /* Start sum with all 2^w - 1s and subtract from that. */
 706            sum = (word16)(0xffU * n);
 707            /* For each byte of the hash. */
 708            for (i = 0; i < n; i++) {
 709                /* Subtract coefficient from sum. */
 710                sum = (word16)(sum - q[i]);
 711            }
 712            /* Put coefficients of checksum on the end. */
 713            qe[n + 0] = (word8)(sum >> 8);
 714            qe[n + 1] = (word8)(sum     );
 715            break;
 716        /* Winternitz width of 4. */
 717        case 4:
 718            sum = (word16)(2U * 0xfU * n);
 719            /* For each byte of the hash. */
 720            for (i = 0; i < n; i++) {
 721                /* Get coefficient. */
 722                qe[0] = (q[i] >> 4)      ;
 723                qe[1] = (q[i]     ) & 0xf;
 724                /* Subtract coefficients from sum. */
 725                sum = (word16)(sum - qe[0]);
 726                sum = (word16)(sum - qe[1]);
 727                /* Move to next coefficients. */
 728                qe += 2;
 729            }
 730            /* Put coefficients of checksum on the end. */
 731            qe[0] = (word8)((sum >> 8) & 0xf);
 732            qe[1] = (word8)((sum >> 4) & 0xf);
 733            qe[2] = (word8)((sum     ) & 0xf);
 734            break;
 735        /* Winternitz width of 2. */
 736        case 2:
 737            sum = (word16)(4U * 0x3U * n);
 738            /* For each byte of the hash. */
 739            for (i = 0; i < n; i++) {
 740                /* Get coefficients. */
 741                qe[0] = (q[i] >> 6)      ;
 742                qe[1] = (q[i] >> 4) & 0x3;
 743                qe[2] = (q[i] >> 2) & 0x3;
 744                qe[3] = (q[i]     ) & 0x3;
 745                /* Subtract coefficients from sum. */
 746                sum = (word16)(sum - qe[0]);
 747                sum = (word16)(sum - qe[1]);
 748                sum = (word16)(sum - qe[2]);
 749                sum = (word16)(sum - qe[3]);
 750                /* Move to next coefficients. */
 751                qe += 4;
 752            }
 753            /* Put coefficients of checksum on the end. */
 754            qe[0] = (word8)((sum >>  8) & 0x3);
 755            qe[1] = (word8)((sum >>  6) & 0x3);
 756            qe[2] = (word8)((sum >>  4) & 0x3);
 757            qe[3] = (word8)((sum >>  2) & 0x3);
 758            qe[4] = (word8)((sum      ) & 0x3);
 759            break;
 760        /* Winternitz width of 1. */
 761        case 1:
 762            sum = (word16)(8U * 0x01U * n);
 763            /* For each byte of the hash. */
 764            for (i = 0; i < n; i++) {
 765                /* Get coefficients. */
 766                qe[0] = (q[i] >> 7)      ;
 767                qe[1] = (q[i] >> 6) & 0x1;
 768                qe[2] = (q[i] >> 5) & 0x1;
 769                qe[3] = (q[i] >> 4) & 0x1;
 770                qe[4] = (q[i] >> 3) & 0x1;
 771                qe[5] = (q[i] >> 2) & 0x1;
 772                qe[6] = (q[i] >> 1) & 0x1;
 773                qe[7] = (q[i]     ) & 0x1;
 774                /* Subtract coefficients from sum. */
 775                sum = (word16)(sum - qe[0]);
 776                sum = (word16)(sum - qe[1]);
 777                sum = (word16)(sum - qe[2]);
 778                sum = (word16)(sum - qe[3]);
 779                sum = (word16)(sum - qe[4]);
 780                sum = (word16)(sum - qe[5]);
 781                sum = (word16)(sum - qe[6]);
 782                sum = (word16)(sum - qe[7]);
 783                /* Move to next coefficients. */
 784                qe += 8;
 785            }
 786            /* Put coefficients of checksum on the end. */
 787#ifdef WOLFSSL_LMS_SHA256_192
 788            if (ls == 7)
 789#endif
 790            {
 791                qe[0] = (word8)((sum >>  8)  );
 792                qe++;
 793            }
 794            qe[0] = (word8)((sum >>  7) & 0x1);
 795            qe[1] = (word8)((sum >>  6) & 0x1);
 796            qe[2] = (word8)((sum >>  5) & 0x1);
 797            qe[3] = (word8)((sum >>  4) & 0x1);
 798            qe[4] = (word8)((sum >>  3) & 0x1);
 799            qe[5] = (word8)((sum >>  2) & 0x1);
 800            qe[6] = (word8)((sum >>  1) & 0x1);
 801            qe[7] = (word8)((sum      ) & 0x1);
 802            break;
 803        default:
 804            ret = BAD_FUNC_ARG;
 805            break;
 806    }
 807
 808    (void)ls;
 809#else
 810    int j;
 811
 812    if ((w != 8) && (w != 4) && (w != 2) && (w != 1)) {
 813        ret = BAD_FUNC_ARG;
 814    }
 815
 816    if (ret == 0) {
 817        /* Start sum with all 2^w - 1s and subtract from that. */
 818        sum = (word16)(((1U << w) - 1U) * ((n * 8U) / w));
 819        /* For each byte of the hash. */
 820        for (i = 0; i < n; i++) {
 821            /* Get next byte. */
 822            byte a = *(q++);
 823            /* For each width bits of byte. */
 824            for (j = 8 - w; j >= 0; j -= w) {
 825                /* Get coefficient. */
 826                *qe = (byte)(a >> (8 - w));
 827                /* Subtract coefficient from sum. */
 828                sum = (word16)(sum - *qe);
 829                /* Move to next coefficient. */
 830                qe++;
 831                /* Remove width bits. */
 832                a = (byte)(a << w);
 833            }
 834        }
 835        /* Shift sum up as required to pack it on the end of hash. */
 836        sum = (word16)(sum << ls);
 837        /* For each width bit of checksum. */
 838        for (j = 16 - w; j >= ls; j--) {
 839            /* Get coefficient. */
 840            *(qe++) = (byte)(sum >> (16 - w));
 841            /* Remove width bits. */
 842            sum = (word16)(sum << w);
 843        }
 844    }
 845#endif /* !WOLFSSL_WC_LMS_SMALL */
 846
 847    return ret;
 848}
 849
 850/* Calculate the hash for the message.
 851 *
 852 * Algorithm 3: Generating a One-Time Signature From a Private Key and a
 853 * Message
 854 *   ...
 855 *   5. Compute the array y as follows:
 856 *      Q = H(I || u32str(q) || u16str(D_MESG) || C || message)
 857 * Algorithm 4b: Computing a Public Key Candidate Kc from a Signature,
 858 * Message, Signature Typecode pubtype, and Identifiers I, q
 859 *   ...
 860 *   3. Compute the string Kc as follows:
 861 *      Q = H(I || u32str(q) || u16str(D_MESG) || C || message)
 862 *
 863 * @param [in, out]  state  LMS state.
 864 * @param [in]       msg    Message to hash.
 865 * @param [in]       msgSz  Length of message in bytes.
 866 * @param [in]       c      C or randomizer value.
 867 * @param [out]      q      Computed Q value.
 868 * @return  0 on success.
 869 */
 870static int wc_lmots_msg_hash(LmsState* state, const byte* msg, word32 msgSz,
 871    const byte* c, byte* q)
 872{
 873    int ret;
 874    byte* buffer = state->buffer;
 875    byte* ip = buffer + LMS_I_LEN + LMS_Q_LEN;
 876
 877    /* I || u32str(q) || u16str(D_MESG) */
 878    c16toa(LMS_D_MESG, ip);
 879#ifdef WOLFSSL_LMS_SHAKE256
 880    if (LMS_IS_SHAKE(state->params->lmOtsType)) {
 881        /* H(I || u32str(q) || u16str(D_MESG) || ...) */
 882        ret = wc_lms_shake256_hash_first(LMS_STATE_SHAKE(state), buffer,
 883            LMS_MSG_PRE_LEN);
 884        if (ret == 0) {
 885            /* H(... || C || ...) */
 886            ret = wc_lms_shake256_hash_update(LMS_STATE_SHAKE(state), c,
 887                state->params->hash_len);
 888        }
 889        if (ret == 0) {
 890            /* H(... || message) */
 891            ret = wc_lms_shake256_hash_update(LMS_STATE_SHAKE(state), msg, msgSz);
 892        }
 893        if (ret == 0) {
 894            /* Q = H(...) */
 895            ret = wc_lms_shake256_hash_final(LMS_STATE_SHAKE(state), q,
 896                state->params->hash_len);
 897        }
 898    }
 899    else
 900#endif
 901    {
 902        /* H(I || u32str(q) || u16str(D_MESG) || ...) */
 903        ret = wc_lms_hash_first(LMS_STATE_HASH(state), buffer, LMS_MSG_PRE_LEN);
 904        if (ret == 0) {
 905            /* H(... || C || ...) */
 906            ret = wc_lms_hash_update(LMS_STATE_HASH(state), c,
 907                state->params->hash_len);
 908        }
 909        if (ret == 0) {
 910            /* H(... || message) */
 911            ret = wc_lms_hash_update(LMS_STATE_HASH(state), msg, msgSz);
 912        }
 913    #ifdef WOLFSSL_LMS_SHA256_192
 914        if ((ret == 0) &&
 915                ((state->params->lmOtsType & LMS_HASH_MASK) ==
 916                 LMS_SHA256_192)) {
 917            /* Q = H(...) */
 918            ret = wc_lms_hash_sha256_192_final(LMS_STATE_HASH(state), q);
 919        }
 920        else
 921    #endif
 922    #ifndef WOLFSSL_NO_LMS_SHA256_256
 923        if (ret == 0) {
 924            /* Q = H(...) */
 925            ret = wc_lms_hash_final(LMS_STATE_HASH(state), q);
 926        }
 927        else
 928    #endif
 929        if (ret == 0) {
 930            ret = NOT_COMPILED_IN;
 931        }
 932    }
 933
 934    return ret;
 935}
 936
 937#ifndef WOLFSSL_LMS_VERIFY_ONLY
 938/* Compute array y, intermediates of public key calculation, for signature.
 939 *
 940 * Verification will perform the remaining iterations of hashing.
 941 *
 942 * Algorithm 3: Generating a One-Time Signature From a Private Key and a
 943 * Message
 944 *   ...
 945 *   5. Compute the array y as follows:
 946 *      Q = H(I || u32str(q) || u16str(D_MESG) || C || message)
 947 *      for ( i = 0; i < p; i = i + 1 ) {
 948 *        a = coef(Q || Cksm(Q), i, w)
 949 *        tmp = x[i]
 950 *        for ( j = 0; j < a; j = j + 1 ) {
 951 *          tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp)
 952 *        }
 953 *        y[i] = tmp
 954 *      }
 955 * x[i] can be calculated on the fly using pseudo key generation in Appendix A.
 956 * Appendix A, The elements of the LM-OTS private keys are computed as:
 957 *   x_q[i] = H(I || u32str(q) || u16str(i) || u8str(0xff) || SEED).
 958 *
 959 * @param [in, out]  state  LMS state.
 960 * @param [in]       seed   Seed to hash.
 961 * @param [in]       msg    Message to sign.
 962 * @param [in]       msgSZ  Length of message in bytes.
 963 * @param [in]       c      C or randomizer value to hash.
 964 * @param [out]      y      Calculated intermediate hashes.
 965 * @return  0 on success.
 966 */
 967static int wc_lmots_compute_y_from_seed(LmsState* state, const byte* seed,
 968    const byte* msg, word32 msgSz, const byte* c, byte* y)
 969{
 970    const LmsParams* params = state->params;
 971    int ret;
 972    word16 i;
 973    byte q[LMS_MAX_NODE_LEN + LMS_CKSM_LEN];
 974#ifdef WOLFSSL_SMALL_STACK
 975    byte* a = state->a;
 976#else
 977    byte a[LMS_MAX_P];
 978#endif /* WOLFSSL_SMALL_STACK */
 979    byte* buffer = state->buffer;
 980    byte* ip = buffer + LMS_I_LEN + LMS_Q_LEN;
 981    byte* jp = ip + LMS_P_LEN;
 982    byte* tmp = jp + LMS_W_LEN;
 983
 984    /* Q = H(I || u32str(q) || u16str(D_MESG) || C || message) */
 985    ret = wc_lmots_msg_hash(state, msg, msgSz, c, q);
 986    if (ret == 0) {
 987        /* Calculate checksum list all coefficients. */
 988        ret = wc_lmots_q_expand(q, (word8)params->hash_len, params->width,
 989            params->ls, a);
 990    }
 991#ifndef WC_LMS_FULL_HASH
 992#ifdef WOLFSSL_LMS_SHAKE256
 993    if ((ret == 0) && !LMS_IS_SHAKE(params->lmOtsType))
 994#else
 995    if (ret == 0)
 996#endif
 997    {
 998    #ifdef WOLFSSL_LMS_SHA256_192
 999        if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1000            /* Put in padding for final block. */
1001            LMS_SHA256_SET_LEN_47(buffer);
1002        }
1003        else
1004    #endif
1005        {
1006        #ifndef WOLFSSL_NO_LMS_SHA256_256
1007            /* Put in padding for final block. */
1008            LMS_SHA256_SET_LEN_55(buffer);
1009        #endif
1010        }
1011    }
1012#endif /* !WC_LMS_FULL_HASH */
1013
1014    /* Compute y for each coefficient. */
1015    for (i = 0; (ret == 0) && (i < params->p); i++) {
1016        unsigned int j;
1017
1018        /* tmp = x[i]
1019         *     = H(I || u32str(q) || u16str(i) || u8str(0xff) || SEED). */
1020        c16toa(i, ip);
1021        *jp = LMS_D_FIXED;
1022#ifdef WOLFSSL_LMS_SHAKE256
1023        if (LMS_IS_SHAKE(params->lmOtsType)) {
1024            XMEMCPY(tmp, seed, params->hash_len);
1025            ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
1026                LMS_HASH_BUFFER_LEN(params->hash_len), tmp, params->hash_len);
1027        }
1028        else
1029#endif
1030        {
1031#ifndef WC_LMS_FULL_HASH
1032    #ifdef WOLFSSL_LMS_SHA256_192
1033        if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1034            XMEMCPY(tmp, seed, WC_SHA256_192_DIGEST_SIZE);
1035            ret = wc_lms_sha256_192_hash_block(LMS_STATE_HASH(state), buffer, tmp);
1036        }
1037        else
1038    #endif
1039        {
1040        #ifndef WOLFSSL_NO_LMS_SHA256_256
1041            XMEMCPY(tmp, seed, WC_SHA256_DIGEST_SIZE);
1042            ret = wc_lms_hash_block(LMS_STATE_HASH(state), buffer, tmp);
1043        #else
1044            ret = NOT_COMPILED_IN;
1045        #endif
1046        }
1047#else
1048    #ifdef WOLFSSL_LMS_SHA256_192
1049        if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1050            XMEMCPY(tmp, seed, WC_SHA256_192_DIGEST_SIZE);
1051            ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
1052                LMS_HASH_BUFFER_LEN(WC_SHA256_192_DIGEST_SIZE), tmp);
1053        }
1054        else
1055    #endif
1056        {
1057        #ifndef WOLFSSL_NO_LMS_SHA256_256
1058            XMEMCPY(tmp, seed, WC_SHA256_DIGEST_SIZE);
1059            ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
1060                LMS_HASH_BUFFER_LEN(WC_SHA256_DIGEST_SIZE), tmp);
1061        #else
1062            ret = NOT_COMPILED_IN;
1063        #endif
1064        }
1065#endif /* !WC_LMS_FULL_HASH */
1066        }
1067
1068        /* Apply the hash function coefficient number of times. */
1069        for (j = 0; (ret == 0) && (j < a[i]); j++) {
1070            /* I || u32str(q) || u16str(i) || u8str(j) || tmp */
1071            *jp = (byte)j;
1072            /* tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp) */
1073    #ifdef WOLFSSL_LMS_SHAKE256
1074            if (LMS_IS_SHAKE(params->lmOtsType)) {
1075                ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
1076                    LMS_HASH_BUFFER_LEN(params->hash_len), tmp,
1077                    params->hash_len);
1078            }
1079            else
1080    #endif
1081            {
1082    #ifndef WC_LMS_FULL_HASH
1083        #ifdef WOLFSSL_LMS_SHA256_192
1084            if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1085                ret = wc_lms_sha256_192_hash_block(LMS_STATE_HASH(state), buffer, tmp);
1086            }
1087            else
1088        #endif
1089            {
1090            #ifndef WOLFSSL_NO_LMS_SHA256_256
1091                ret = wc_lms_hash_block(LMS_STATE_HASH(state), buffer, tmp);
1092            #else
1093                ret = NOT_COMPILED_IN;
1094            #endif
1095            }
1096    #else
1097        #ifdef WOLFSSL_LMS_SHA256_192
1098            if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1099                ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
1100                    LMS_HASH_BUFFER_LEN(WC_SHA256_192_DIGEST_SIZE), tmp);
1101            }
1102            else
1103        #endif
1104            {
1105            #ifndef WOLFSSL_NO_LMS_SHA256_256
1106                ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
1107                    LMS_HASH_BUFFER_LEN(WC_SHA256_DIGEST_SIZE), tmp);
1108            #else
1109                ret = NOT_COMPILED_IN;
1110            #endif
1111            }
1112    #endif /* !WC_LMS_FULL_HASH */
1113            }
1114        }
1115
1116        if (ret == 0) {
1117            /* y[i] = tmp */
1118            XMEMCPY(y, tmp, params->hash_len);
1119            y += params->hash_len;
1120        }
1121    }
1122
1123    return ret;
1124}
1125#endif /* !WOLFSSL_LMS_VERIFY_ONLY */
1126
1127/* Compute public key candidate K from signature.
1128 *
1129 * Signing performed the first coefficient number of iterations of hashing.
1130 *
1131 * Algorithm 4b: Computing a Public Key Candidate Kc from a Signature,
1132 * Message, Signature Typecode pubtype, and Identifiers I, q
1133 *   ...
1134 *   3. Compute the string Kc as follows:
1135 *      Q = H(I || u32str(q) || u16str(D_MESG) || C || message)
1136 *      for ( i = 0; i < p; i = i + 1 ) {
1137 *        a = coef(Q || Cksm(Q), i, w)
1138 *        tmp = y[i]
1139 *        for ( j = a; j < 2^w - 1; j = j + 1 ) {
1140 *          tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp)
1141 *        }
1142 *        z[i] = tmp
1143 *      }
1144 *      Kc = H(I || u32str(q) || u16str(D_PBLC) ||
1145 *                                    z[0] || z[1] || ... || z[p-1])
1146 *   4, Return Kc.
1147 *
1148 * @param [in, out] state  LMS state.
1149 * @param [in]      msg    Message to compute Kc for.
1150 * @param [in]      msgSz  Length of message in bytes.
1151 * @param [in]      c      C or randomizer value from signature.
1152 * @param [in]      sig_y  Part of signature containing array y.
1153 * @param [out]     kc     Kc or public key candidate K.
1154 * @return  0 on success.
1155 */
1156static int wc_lmots_compute_kc_from_sig(LmsState* state, const byte* msg,
1157    word32 msgSz, const byte* c, const byte* sig_y, byte* kc)
1158{
1159    const LmsParams* params = state->params;
1160    int ret;
1161    word16 i;
1162    byte q[LMS_MAX_NODE_LEN + LMS_CKSM_LEN];
1163#ifdef WOLFSSL_SMALL_STACK
1164    byte* a = state->a;
1165#else
1166    byte a[LMS_MAX_P];
1167#endif /* WOLFSSL_SMALL_STACK */
1168    byte* buffer = state->buffer;
1169    byte* ip = buffer + LMS_I_LEN + LMS_Q_LEN;
1170    byte* jp = ip + LMS_P_LEN;
1171    byte* tmp = jp + LMS_W_LEN;
1172    unsigned int max = ((unsigned int)1 << params->width) - 1;
1173
1174    /* I || u32str(q) || u16str(D_PBLC). */
1175    c16toa(LMS_D_PBLC, ip);
1176#ifdef WOLFSSL_LMS_SHAKE256
1177    if (LMS_IS_SHAKE(params->lmOtsType)) {
1178        /* H(I || u32str(q) || u16str(D_PBLC) || ...). */
1179        ret = wc_lms_shake256_hash_first(LMS_STATE_SHAKE_K(state), buffer,
1180            LMS_K_PRE_LEN);
1181        if (ret == 0) {
1182            /* Q = H(I || u32str(q) || u16str(D_MESG) || C || message) */
1183            ret = wc_lmots_msg_hash(state, msg, msgSz, c, q);
1184        }
1185        if (ret == 0) {
1186            /* Calculate checksum list all coefficients. */
1187            ret = wc_lmots_q_expand(q, (word8)params->hash_len, params->width,
1188                params->ls, a);
1189        }
1190
1191        /* Compute z for each coefficient. */
1192        for (i = 0; (ret == 0) && (i < params->p); i++) {
1193            unsigned int j;
1194
1195            /* I || u32(str) || u16str(i) || ... */
1196            c16toa(i, ip);
1197
1198            /* tmp = y[i].
1199             * I || u32(str) || u16str(i) || ... || tmp */
1200            XMEMCPY(tmp, sig_y, params->hash_len);
1201            sig_y += params->hash_len;
1202
1203            /* Finish iterations of hash from coefficient to max. */
1204            for (j = a[i]; (ret == 0) && (j < max); j++) {
1205                /* I || u32str(q) || u16str(i) || u8str(j) || tmp */
1206                *jp = (word8)j;
1207                /* tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp) */
1208                ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
1209                    LMS_HASH_BUFFER_LEN(params->hash_len), tmp,
1210                    params->hash_len);
1211            }
1212
1213            if (ret == 0) {
1214                /* H(... || z[i] || ...) (for calculating Kc). */
1215                ret = wc_lms_shake256_hash_update(LMS_STATE_SHAKE_K(state), tmp,
1216                    params->hash_len);
1217            }
1218        }
1219
1220        if (ret == 0) {
1221            /* Kc = H(...) */
1222            ret = wc_lms_shake256_hash_final(LMS_STATE_SHAKE_K(state), kc,
1223                params->hash_len);
1224        }
1225    }
1226    else
1227#endif
1228    {
1229        /* H(I || u32str(q) || u16str(D_PBLC) || ...). */
1230        ret = wc_lms_hash_first(LMS_STATE_HASH_K(state), buffer, LMS_K_PRE_LEN);
1231        if (ret == 0) {
1232            /* Q = H(I || u32str(q) || u16str(D_MESG) || C || message) */
1233            ret = wc_lmots_msg_hash(state, msg, msgSz, c, q);
1234        }
1235        if (ret == 0) {
1236            /* Calculate checksum list all coefficients. */
1237            ret = wc_lmots_q_expand(q, (word8)params->hash_len, params->width,
1238                params->ls, a);
1239        }
1240#ifndef WC_LMS_FULL_HASH
1241        if (ret == 0) {
1242        #ifdef WOLFSSL_LMS_SHA256_192
1243            if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1244                /* Put in padding for final block. */
1245                LMS_SHA256_SET_LEN_47(buffer);
1246            }
1247            else
1248        #endif
1249            {
1250            #ifndef WOLFSSL_NO_LMS_SHA256_256
1251                /* Put in padding for final block. */
1252                LMS_SHA256_SET_LEN_55(buffer);
1253            #endif
1254            }
1255        }
1256#endif /* !WC_LMS_FULL_HASH */
1257
1258        /* Compute z for each coefficient. */
1259        for (i = 0; (ret == 0) && (i < params->p); i++) {
1260            unsigned int j;
1261
1262            /* I || u32(str) || u16str(i) || ... */
1263            c16toa(i, ip);
1264
1265            /* tmp = y[i].
1266             * I || u32(str) || u16str(i) || ... || tmp */
1267            XMEMCPY(tmp, sig_y, params->hash_len);
1268            sig_y += params->hash_len;
1269
1270            /* Finish iterations of hash from coefficient to max. */
1271            for (j = a[i]; (ret == 0) && (j < max); j++) {
1272                /* I || u32str(q) || u16str(i) || u8str(j) || tmp */
1273                *jp = (word8)j;
1274                /* tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp) */
1275        #ifndef WC_LMS_FULL_HASH
1276            #ifdef WOLFSSL_LMS_SHA256_192
1277                if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1278                    ret = wc_lms_sha256_192_hash_block(LMS_STATE_HASH(state), buffer,
1279                        tmp);
1280                }
1281                else
1282            #endif
1283                {
1284                #ifndef WOLFSSL_NO_LMS_SHA256_256
1285                    ret = wc_lms_hash_block(LMS_STATE_HASH(state), buffer, tmp);
1286                #else
1287                    ret = NOT_COMPILED_IN;
1288                #endif
1289                }
1290                /* Apply the hash function coefficient number of times. */
1291        #else
1292            #ifdef WOLFSSL_LMS_SHA256_192
1293                if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1294                    ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
1295                        LMS_HASH_BUFFER_LEN(WC_SHA256_192_DIGEST_SIZE), tmp);
1296                }
1297                else
1298            #endif
1299                {
1300                #ifndef WOLFSSL_NO_LMS_SHA256_256
1301                    ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
1302                        LMS_HASH_BUFFER_LEN(WC_SHA256_DIGEST_SIZE), tmp);
1303                #else
1304                    ret = NOT_COMPILED_IN;
1305                #endif
1306                }
1307        #endif /* !WC_LMS_FULL_HASH */
1308            }
1309
1310            if (ret == 0) {
1311                /* H(... || z[i] || ...) (for calculating Kc). */
1312                ret = wc_lms_hash_update(LMS_STATE_HASH_K(state), tmp,
1313                    params->hash_len);
1314            }
1315        }
1316
1317    #ifdef WOLFSSL_LMS_SHA256_192
1318        if ((ret == 0) &&
1319                ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192)) {
1320            /* Kc = H(...) */
1321            ret = wc_lms_hash_sha256_192_final(LMS_STATE_HASH_K(state), kc);
1322        }
1323        else
1324    #endif
1325        if (ret == 0) {
1326        #ifndef WOLFSSL_NO_LMS_SHA256_256
1327            /* Kc = H(...) */
1328            ret = wc_lms_hash_final(LMS_STATE_HASH_K(state), kc);
1329        #else
1330            ret = NOT_COMPILED_IN;
1331        #endif
1332        }
1333    }
1334
1335    return ret;
1336}
1337
1338#ifndef WOLFSSL_LMS_VERIFY_ONLY
1339/* Generate LM-OTS public key.
1340 *
1341 * Caller set: state->buffer = I || u32str(q)
1342 *
1343 * Algorithm 1: Generating a One-Time Signature Public Key From a Private Key
1344 *   ...
1345 *   4. Compute the string K as follows:
1346 *      for ( i = 0; i < p; i = i + 1 ) {
1347 *        tmp = x[i]
1348 *        for ( j = 0; j < 2^w - 1; j = j + 1 ) {
1349 *          tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp)
1350 *        }
1351 *        y[i] = tmp
1352 *      }
1353 *      K = H(I || u32str(q) || u16str(D_PBLC) || y[0] || ... || y[p-1])
1354 *   ...
1355 * x[i] can be calculated on the fly using pseudo key generation in Appendix A.
1356 * Appendix A, The elements of the LM-OTS private keys are computed as:
1357 *   x_q[i] = H(I || u32str(q) || u16str(i) || u8str(0xff) || SEED).
1358 *
1359 * @param [in, out]  state   LMS state.
1360 * @param [in]       seed    Seed to hash.
1361 * @param [out]      k       K, the public key hash, or OTS_PUB_HASH
1362 */
1363static int wc_lmots_make_public_hash(LmsState* state, const byte* seed, byte* k)
1364{
1365    const LmsParams* params = state->params;
1366    int ret;
1367    word16 i;
1368    byte* buffer = state->buffer;
1369    byte* ip = buffer + LMS_I_LEN + LMS_Q_LEN;
1370    byte* jp = ip + LMS_P_LEN;
1371    byte* tmp = jp + LMS_W_LEN;
1372    unsigned int max = ((unsigned int)1 << params->width) - 1;
1373
1374    /* I || u32str(q) || u16str(D_PBLC). */
1375    c16toa(LMS_D_PBLC, ip);
1376#ifdef WOLFSSL_LMS_SHAKE256
1377    if (LMS_IS_SHAKE(params->lmOtsType)) {
1378        /* K = H(I || u32str(q) || u16str(D_PBLC) || ...) */
1379        ret = wc_lms_shake256_hash_first(LMS_STATE_SHAKE_K(state), buffer,
1380            LMS_K_PRE_LEN);
1381
1382        for (i = 0; (ret == 0) && (i < params->p); i++) {
1383            unsigned int j;
1384
1385            /* tmp = x[i]
1386             *     = H(I || u32str(q) || u16str(i) || u8str(0xff) || SEED). */
1387            c16toa(i, ip);
1388            *jp = LMS_D_FIXED;
1389            XMEMCPY(tmp, seed, params->hash_len);
1390            ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
1391                LMS_HASH_BUFFER_LEN(params->hash_len), tmp, params->hash_len);
1392            /* Do all iterations to calculate y. */
1393            for (j = 0; (ret == 0) && (j < max); j++) {
1394                /* I || u32str(q) || u16str(i) || u8str(j) || tmp */
1395                *jp = (word8)j;
1396                /* tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp) */
1397                ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
1398                    LMS_HASH_BUFFER_LEN(params->hash_len), tmp,
1399                    params->hash_len);
1400            }
1401            if (ret == 0) {
1402                /* K = H(... || y[i] || ...) */
1403                ret = wc_lms_shake256_hash_update(LMS_STATE_SHAKE_K(state), tmp,
1404                    params->hash_len);
1405            }
1406        }
1407        if (ret == 0) {
1408            /* K = H(I || u32str(q) || u16str(D_PBLC) ||
1409             *       y[0] || ... || y[p-1]) */
1410            ret = wc_lms_shake256_hash_final(LMS_STATE_SHAKE_K(state), k,
1411                params->hash_len);
1412        }
1413    }
1414    else
1415#endif
1416    {
1417        /* K = H(I || u32str(q) || u16str(D_PBLC) || ...) */
1418        ret = wc_lms_hash_first(LMS_STATE_HASH_K(state), buffer, LMS_K_PRE_LEN);
1419
1420#ifndef WC_LMS_FULL_HASH
1421    #ifdef WOLFSSL_LMS_SHA256_192
1422        if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1423            /* Put in padding for final block. */
1424            LMS_SHA256_SET_LEN_47(buffer);
1425        }
1426        else
1427    #endif
1428        {
1429        #ifndef WOLFSSL_NO_LMS_SHA256_256
1430            /* Put in padding for final block. */
1431            LMS_SHA256_SET_LEN_55(buffer);
1432        #endif
1433        }
1434#endif /* !WC_LMS_FULL_HASH */
1435
1436        for (i = 0; (ret == 0) && (i < params->p); i++) {
1437            unsigned int j;
1438
1439            /* tmp = x[i]
1440             *     = H(I || u32str(q) || u16str(i) || u8str(0xff) || SEED). */
1441            c16toa(i, ip);
1442            *jp = LMS_D_FIXED;
1443#ifndef WC_LMS_FULL_HASH
1444        #ifdef WOLFSSL_LMS_SHA256_192
1445            if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1446                XMEMCPY(tmp, seed, WC_SHA256_192_DIGEST_SIZE);
1447                ret = wc_lms_sha256_192_hash_block(LMS_STATE_HASH(state), buffer, tmp);
1448            }
1449            else
1450        #endif
1451            {
1452            #ifndef WOLFSSL_NO_LMS_SHA256_256
1453                XMEMCPY(tmp, seed, WC_SHA256_DIGEST_SIZE);
1454                ret = wc_lms_hash_block(LMS_STATE_HASH(state), buffer, tmp);
1455            #else
1456                ret = NOT_COMPILED_IN;
1457            #endif
1458            }
1459#else
1460        #ifdef WOLFSSL_LMS_SHA256_192
1461            if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1462                XMEMCPY(tmp, seed, WC_SHA256_192_DIGEST_SIZE);
1463                ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
1464                    LMS_HASH_BUFFER_LEN(WC_SHA256_192_DIGEST_SIZE), tmp);
1465            }
1466            else
1467        #endif
1468            {
1469            #ifndef WOLFSSL_NO_LMS_SHA256_256
1470                XMEMCPY(tmp, seed, WC_SHA256_DIGEST_SIZE);
1471                ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
1472                    LMS_HASH_BUFFER_LEN(WC_SHA256_DIGEST_SIZE), tmp);
1473            #else
1474                ret = NOT_COMPILED_IN;
1475            #endif
1476            }
1477#endif /* !WC_LMS_FULL_HASH */
1478            /* Do all iterations to calculate y. */
1479            for (j = 0; (ret == 0) && (j < max); j++) {
1480                /* I || u32str(q) || u16str(i) || u8str(j) || tmp */
1481                *jp = (word8)j;
1482                /* tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp) */
1483        #ifndef WC_LMS_FULL_HASH
1484            #ifdef WOLFSSL_LMS_SHA256_192
1485                if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1486                    ret = wc_lms_sha256_192_hash_block(LMS_STATE_HASH(state), buffer,
1487                        tmp);
1488                }
1489                else
1490            #endif
1491                {
1492                #ifndef WOLFSSL_NO_LMS_SHA256_256
1493                    ret = wc_lms_hash_block(LMS_STATE_HASH(state), buffer, tmp);
1494                #else
1495                    ret = NOT_COMPILED_IN;
1496                #endif
1497                }
1498        #else
1499            #ifdef WOLFSSL_LMS_SHA256_192
1500                if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1501                    ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
1502                        LMS_HASH_BUFFER_LEN(WC_SHA256_192_DIGEST_SIZE), tmp);
1503                }
1504                else
1505            #endif
1506                {
1507                #ifndef WOLFSSL_NO_LMS_SHA256_256
1508                    ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
1509                        LMS_HASH_BUFFER_LEN(WC_SHA256_DIGEST_SIZE), tmp);
1510                #else
1511                    ret = NOT_COMPILED_IN;
1512                #endif
1513                }
1514        #endif /* !WC_LMS_FULL_HASH */
1515            }
1516            if (ret == 0) {
1517                /* K = H(... || y[i] || ...) */
1518                ret = wc_lms_hash_update(LMS_STATE_HASH_K(state), tmp,
1519                    params->hash_len);
1520            }
1521        }
1522    #ifdef WOLFSSL_LMS_SHA256_192
1523        if ((ret == 0) &&
1524                ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192)) {
1525            /* K = H(I || u32str(q) || u16str(D_PBLC) ||
1526             *       y[0] || ... || y[p-1]) */
1527            ret = wc_lms_hash_sha256_192_final(LMS_STATE_HASH_K(state), k);
1528        }
1529        else
1530    #endif
1531        if (ret == 0) {
1532        #ifndef WOLFSSL_NO_LMS_SHA256_256
1533            /* K = H(I || u32str(q) || u16str(D_PBLC) ||
1534             *       y[0] || ... || y[p-1]) */
1535            ret = wc_lms_hash_final(LMS_STATE_HASH_K(state), k);
1536        #else
1537            ret = NOT_COMPILED_IN;
1538        #endif
1539        }
1540    }
1541
1542    return ret;
1543}
1544
1545/* Encode the LM-OTS public key.
1546 *
1547 * Encoded into public key and signature if more than one level.
1548 * T[1] is already in place. Putting in: type, ostype and I.
1549 *
1550 * Section 4.3:
1551 *   u32str(type) || u32str(otstype) || I || T[1]
1552 *
1553 * @param [in]  params  LMS parameters.
1554 * @param [in]  priv    LMS private ley.
1555 * @param [out] pub     LMS public key.
1556 */
1557static void wc_lmots_public_key_encode(const LmsParams* params,
1558    const byte* priv, byte* pub)
1559{
1560    const byte* priv_i = priv + LMS_Q_LEN + params->hash_len;
1561
1562    /* u32str(type) || ... || T(1) */
1563    c32toa(params->lmsType & LMS_H_W_MASK, pub);
1564    pub += 4;
1565    /* u32str(type) || u32str(otstype) || ... || T(1) */
1566    c32toa(params->lmOtsType & LMS_H_W_MASK, pub);
1567    pub += 4;
1568    /* u32str(type) || u32str(otstype) || I || T(1) */
1569    XMEMCPY(pub, priv_i, LMS_I_LEN);
1570}
1571#endif /* !WOLFSSL_LMS_VERIFY_ONLY */
1572
1573/* Check the public key matches the parameters.
1574 *
1575 * @param [in] params  LMS parameters.
1576 * @param [in] pub     Public key.
1577 * @return  0 on success.
1578 * @return  PUBLIC_KEY_E when LMS or LM-OTS type doesn't match.
1579 */
1580static int wc_lmots_public_key_check(const LmsParams* params, const byte* pub)
1581{
1582    int ret = 0;
1583    word32 type;
1584
1585    /* Get message hash and height type. */
1586    ato32(pub, &type);
1587    pub += 4;
1588    /* Compare with parameters. */
1589    if (type != (params->lmsType & LMS_H_W_MASK)) {
1590        ret = PUBLIC_KEY_E;
1591    }
1592    if (ret == 0) {
1593        /* Get node hash and Winternitz width type. */
1594        ato32(pub, &type);
1595        /* Compare with parameters. */
1596        if (type != (params->lmOtsType & LMS_H_W_MASK)) {
1597            ret = PUBLIC_KEY_E;
1598        }
1599    }
1600
1601    return ret;
1602}
1603
1604/* Calculate public key candidate K from signature.
1605 *
1606 * Algorithm 4b: Computing a Public Key Candidate Kc from a Signature,
1607 * Message, Signature Typecode pubtype, and Identifiers I, q
1608 *   ...
1609 *   2. Parse sigtype, C, and y from the signature as follows:
1610 *      a. sigtype = strTou32(first 4 bytes of signature)
1611 *      b. If sigtype is not equal to pubtype, return INVALID.
1612 *      ...
1613 *      d. C = next n bytes of signature
1614 *      e.   y[0] = next n bytes of signature
1615 *           y[1] = next n bytes of signature
1616 *           ...
1617 *         y[p-1] = next n bytes of signature
1618 *   3. Compute the string Kc as follows:
1619 *   ...
1620 *
1621 * @param [in, out] state  LMS state.
1622 * @param [in]      pub    LMS public key.
1623 * @param [in]      msg    Message/next private key to verify.
1624 * @param [in]      msgSz  Length of message in bytes.
1625 * @param [in]      sig    Signature including type, C and y[0..p-1].
1626 * @param [out]     kc     Public key candidate Kc.
1627 */
1628static int wc_lmots_calc_kc(LmsState* state, const byte* pub, const byte* msg,
1629    word32 msgSz, const byte* sig, byte* kc)
1630{
1631    int ret = 0;
1632
1633    /* Check signature type. */
1634    if (XMEMCMP(pub, sig, LMS_TYPE_LEN) != 0) {
1635        ret = SIG_TYPE_E;
1636    }
1637    if (ret == 0) {
1638        /* Get C or randomizer value from signature. */
1639        const byte* c = sig + LMS_TYPE_LEN;
1640        /* Get array y from signature. */
1641        const byte* y = c + state->params->hash_len;
1642
1643        /* Compute the public key candidate Kc from the signature. */
1644        ret = wc_lmots_compute_kc_from_sig(state, msg, msgSz, c, y, kc);
1645    }
1646
1647    return ret;
1648}
1649
1650#ifndef WOLFSSL_LMS_VERIFY_ONLY
1651/* Generate LM-OTS private key.
1652 *
1653 * Algorithm 5: Computing an LMS Private Key
1654 * But use Appendix A to generate x on the fly.
1655 *   PRIV = SEED | I
1656 *
1657 * @param [in]  rng       Random number generator.
1658 * @param [in]  seed_len  Length of seed to generate.
1659 * @param [out] priv      Private key data.
1660 */
1661static int wc_lmots_make_private_key(WC_RNG* rng, word16 seed_len, byte* priv)
1662{
1663    return wc_RNG_GenerateBlock(rng, priv, seed_len + LMS_I_LEN);
1664}
1665
1666/* Generate LM-OTS signature.
1667 *
1668 * Algorithm 3: Generating a One-Time Signature From a Private Key and a
1669 * Message
1670 *   ...
1671 *   4. Set C to a uniformly random n-byte string
1672 *   5. Compute the array y as follows:
1673 *      ...
1674 *   6. Return u32str(type) || C || y[0] || ... || y[p-1]
1675 *
1676 * @param [in, out] state  LMS state.
1677 * @param [in]      seed   Private key seed.
1678 * @param [in]      msg    Message to be signed.
1679 * @param [in]      msgSz  Length of message in bytes.
1680 * @param [out]     sig    Signature buffer.
1681 * @return  0 on success.
1682 */
1683static int wc_lmots_sign(LmsState* state, const byte* seed, const byte* msg,
1684    word32 msgSz, byte* sig)
1685{
1686    int ret;
1687    byte* buffer = state->buffer;
1688    byte* ip = buffer + LMS_I_LEN + LMS_Q_LEN;
1689    byte* jp = ip + LMS_P_LEN;
1690    byte* tmp = jp + LMS_W_LEN;
1691    byte* sig_c = sig;
1692
1693    /* I || u32str(q) || u16str(0xFFFD) || ... */
1694    c16toa(LMS_D_C, ip);
1695    /* I || u32str(q) || u16str(0xFFFD) || u8str(0xFF) || ... */
1696    *jp = LMS_D_FIXED;
1697#ifdef WOLFSSL_LMS_SHAKE256
1698    if (LMS_IS_SHAKE(state->params->lmOtsType)) {
1699        /* I || u32str(q) || u16str(0xFFFD) || u8str(0xFF) || SEED */
1700        XMEMCPY(tmp, seed, state->params->hash_len);
1701        /* C = H(I || u32str(q) || u16str(0xFFFD) || u8str(0xFF) || SEED)
1702         * sig = u32str(type) || C || ... */
1703        ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
1704            LMS_HASH_BUFFER_LEN(state->params->hash_len), sig_c,
1705            state->params->hash_len);
1706    }
1707    else
1708#endif
1709    {
1710#ifndef WC_LMS_FULL_HASH
1711#ifdef WOLFSSL_LMS_SHA256_192
1712    if ((state->params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1713        /* I || u32str(q) || u16str(0xFFFD) || u8str(0xFF) || SEED */
1714        XMEMCPY(tmp, seed, WC_SHA256_192_DIGEST_SIZE);
1715        /* C = H(I || u32str(q) || u16str(0xFFFD) || u8str(0xFF) || SEED)
1716         * sig = u32str(type) || C || ... */
1717        /* Put in padding for final block. */
1718        LMS_SHA256_SET_LEN_47(buffer);
1719        ret = wc_lms_sha256_192_hash_block(LMS_STATE_HASH(state), buffer, sig_c);
1720    }
1721    else
1722#endif
1723    {
1724    #ifndef WOLFSSL_NO_LMS_SHA256_256
1725        /* I || u32str(q) || u16str(0xFFFD) || u8str(0xFF) || SEED */
1726        XMEMCPY(tmp, seed, WC_SHA256_DIGEST_SIZE);
1727        /* C = H(I || u32str(q) || u16str(0xFFFD) || u8str(0xFF) || SEED)
1728         * sig = u32str(type) || C || ... */
1729        /* Put in padding for final block. */
1730        LMS_SHA256_SET_LEN_55(buffer);
1731        ret = wc_lms_hash_block(LMS_STATE_HASH(state), buffer, sig_c);
1732    #else
1733        ret = NOT_COMPILED_IN;
1734    #endif
1735    }
1736#else
1737#ifdef WOLFSSL_LMS_SHA256_192
1738    if ((state->params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1739        /* I || u32str(q) || u16str(0xFFFD) || u8str(0xFF) || SEED */
1740        XMEMCPY(tmp, seed, WC_SHA256_192_DIGEST_SIZE);
1741        /* C = H(I || u32str(q) || u16str(0xFFFD) || u8str(0xFF) || SEED)
1742         * sig = u32str(type) || C || ... */
1743        ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
1744            LMS_HASH_BUFFER_LEN(WC_SHA256_192_DIGEST_SIZE), sig_c);
1745    }
1746    else
1747#endif
1748    {
1749    #ifndef WOLFSSL_NO_LMS_SHA256_256
1750        /* I || u32str(q) || u16str(0xFFFD) || u8str(0xFF) || SEED */
1751        XMEMCPY(tmp, seed, WC_SHA256_DIGEST_SIZE);
1752        /* C = H(I || u32str(q) || u16str(0xFFFD) || u8str(0xFF) || SEED)
1753         * sig = u32str(type) || C || ... */
1754        ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
1755            LMS_HASH_BUFFER_LEN(WC_SHA256_DIGEST_SIZE), sig_c);
1756    #else
1757        ret = NOT_COMPILED_IN;
1758    #endif
1759    }
1760#endif /* !WC_LMS_FULL_HASH */
1761    }
1762
1763    if (ret == 0) {
1764        byte* sig_y = sig_c + state->params->hash_len;
1765
1766        /* Compute array y.
1767         * sig = u32str(type) || C || y[0] || ... || y[p-1] */
1768        ret = wc_lmots_compute_y_from_seed(state, seed, msg, msgSz, sig_c,
1769            sig_y);
1770    }
1771
1772    return ret;
1773}
1774#endif /* WOLFSSL_LMS_VERIFY_ONLY */
1775
1776/***************************************
1777 * LMS APIs
1778 **************************************/
1779
1780#ifndef WOLFSSL_LMS_VERIFY_ONLY
1781#ifndef WOLFSSL_WC_LMS_SMALL
1782/* Load the LMS private state from data.
1783 *
1784 * @param [in]  params     LMS parameters.
1785 * @param [out] state      Private key state.
1786 * @param [in]  priv_data  Private key data.
1787 */
1788static void wc_lms_priv_state_load(const LmsParams* params, LmsPrivState* state,
1789    byte* priv_data)
1790{
1791    /* Authentication path data. */
1792    state->auth_path = priv_data;
1793    priv_data += (word32)params->height * params->hash_len;
1794
1795    /* Stack of nodes. */
1796    state->stack.stack = priv_data;
1797    priv_data += (params->height + 1) * params->hash_len;
1798    ato32(priv_data, &state->stack.offset);
1799    priv_data += 4;
1800
1801    /* Cached root nodes. */
1802    state->root = priv_data;
1803    priv_data += LMS_ROOT_CACHE_LEN(params->rootLevels, params->hash_len);
1804
1805    /* Cached leaf nodes. */
1806    state->leaf.cache = priv_data;
1807    priv_data += LMS_LEAF_CACHE_LEN(params->cacheBits, params->hash_len);
1808    ato32(priv_data, &state->leaf.idx);
1809    priv_data += 4;
1810    ato32(priv_data, &state->leaf.offset);
1811    /* priv_data += 4; */
1812}
1813
1814/* Store the LMS private state into data.
1815 *
1816 * @param [in]      params     LMS parameters.
1817 * @param [in]      state      Private key state.
1818 * @param [in, out] priv_data  Private key data.
1819 */
1820static void wc_lms_priv_state_store(const LmsParams* params,
1821    LmsPrivState* state, byte* priv_data)
1822{
1823    /* Authentication path data. */
1824    priv_data += (word32)params->height * params->hash_len;
1825
1826    /* Stack of nodes. */
1827    priv_data += (params->height + 1) * params->hash_len;
1828    c32toa(state->stack.offset, priv_data);
1829    priv_data += 4;
1830
1831    /* Cached root nodes. */
1832    priv_data += LMS_ROOT_CACHE_LEN(params->rootLevels, params->hash_len);
1833
1834    /* Cached leaf nodes. */
1835    priv_data += LMS_LEAF_CACHE_LEN(params->cacheBits, params->hash_len);
1836    c32toa(state->leaf.idx, priv_data);
1837    priv_data += 4;
1838    c32toa(state->leaf.offset, priv_data);
1839    /* priv_data += 4; */
1840}
1841
1842#ifndef WOLFSSL_LMS_NO_SIGN_SMOOTHING
1843/* Copy LMS private key state.
1844 *
1845 * @param [in]  params  LMS parameters.
1846 * @param [out] dst     LMS private state destination.
1847 * @param [in]  src     LMS private state source.
1848 */
1849static void wc_lms_priv_state_copy(const LmsParams* params,
1850    LmsPrivState* dst, const LmsPrivState* src)
1851{
1852    XMEMCPY(dst->auth_path, src->auth_path, LMS_PRIV_STATE_LEN(params->height,
1853        params->rootLevels, params->cacheBits, params->hash_len));
1854    dst->stack.offset = src->stack.offset;
1855    dst->leaf.idx = src->leaf.idx;
1856    dst->leaf.offset = src->leaf.offset;
1857}
1858#endif /* !WOLFSSL_LMS_NO_SIGN_SMOOTHING */
1859#endif /* !WOLFSSL_WC_LMS_SMALL */
1860
1861/* Calculate the leaf node hash.
1862 *
1863 * Assumes buffer already contains : I
1864 *
1865 * Appendix C.
1866 *   ...
1867 *     temp = H(I || u32str(r)|| u16str(D_LEAF) || OTS_PUB_HASH[i])
1868 *   ...
1869 * Section 5.3. LMS Public Key
1870 *                                        ... where we denote the public
1871 *   key final hash value (namely, the K value computed in Algorithm 1)
1872 *   associated with the i-th LM-OTS private key as OTS_PUB_HASH[i], ...
1873 * Algorithm 1: Generating a One-Time Signature Public Key From a
1874 * Private Key
1875 *   ...
1876 *   K = H(I || u32str(q) || u16str(D_PBLC) || y[0] || ... || y[p-1])
1877 *   ...
1878 * Therefore:
1879 *   OTS_PUB_HASH[i] = H(I || u32str(i) || u16str(D_PBLC) ||
1880 *                       y[0] || ... || y[p-1])
1881 *
1882 * @param [in, out] state  LMS state.
1883 * @param [in]      seed   Private seed to generate x.
1884 * @param [in]      i      Index of leaf.
1885 * @param [in]      r      Leaf hash index.
1886 * @param [out]     leaf   Leaf node hash.
1887 */
1888static int wc_lms_leaf_hash(LmsState* state, const byte* seed, word32 i,
1889    word32 r, byte* leaf)
1890{
1891    int ret;
1892    byte* buffer = state->buffer;
1893    byte* rp = buffer + LMS_I_LEN;
1894    byte* dp = rp + LMS_R_LEN;
1895    byte* ots_pub_hash = dp + LMS_D_LEN;
1896
1897    /* I || u32str(i) || ... */
1898    c32toa(i, rp);
1899    /* OTS_PUB_HASH[i] = H(I || u32str(i) || u16str(D_PBLC) ||
1900     *                     y[0] || ... || y[p-1])
1901     */
1902    ret = wc_lmots_make_public_hash(state, seed, ots_pub_hash);
1903    if (ret == 0) {
1904        /* I || u32str(r) || ... || OTS_PUB_HASH[i] */
1905        c32toa(r, rp);
1906        /* I || u32str(r) || u16str(D_LEAF) || OTS_PUB_HASH[i] */
1907        c16toa(LMS_D_LEAF, dp);
1908        /* temp = H(I || u32str(r) || u16str(D_LEAF) || OTS_PUB_HASH[i]) */
1909#ifdef WOLFSSL_LMS_SHAKE256
1910        if (LMS_IS_SHAKE(state->params->lmOtsType)) {
1911            ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
1912                LMS_SEED_HASH_LEN(state->params->hash_len), leaf,
1913                state->params->hash_len);
1914        }
1915        else
1916#endif
1917        {
1918#ifndef WC_LMS_FULL_HASH
1919        /* Put in padding for final block. */
1920    #ifdef WOLFSSL_LMS_SHA256_192
1921        if ((state->params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1922            LMS_SHA256_SET_LEN_46(buffer);
1923            ret = wc_lms_sha256_192_hash_block(LMS_STATE_HASH(state), buffer, leaf);
1924        }
1925        else
1926    #endif
1927        {
1928        #ifndef WOLFSSL_NO_LMS_SHA256_256
1929            LMS_SHA256_SET_LEN_54(buffer);
1930            ret = wc_lms_hash_block(LMS_STATE_HASH(state), buffer, leaf);
1931        #else
1932            ret = NOT_COMPILED_IN;
1933        #endif
1934        }
1935#else
1936    #ifdef WOLFSSL_LMS_SHA256_192
1937        if ((state->params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1938            ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
1939                LMS_SEED_HASH_LEN(WC_SHA256_192_DIGEST_SIZE), leaf);
1940        }
1941        else
1942    #endif
1943        {
1944        #ifndef WOLFSSL_NO_LMS_SHA256_256
1945            ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
1946                LMS_SEED_HASH_LEN(WC_SHA256_DIGEST_SIZE), leaf);
1947        #else
1948            ret = NOT_COMPILED_IN;
1949        #endif
1950        }
1951#endif /* !WC_LMS_FULL_HASH */
1952        }
1953    }
1954
1955    return ret;
1956}
1957
1958/* Calculate interior node hash.
1959 *
1960 * Appendix C. n Iterative Algorithm for Computing an LMS Public Key
1961 * Generating an LMS Public Key from an LMS Private Key
1962 *   ...
1963 *   left_side = pop(data stack);
1964 *   temp = H(I || u32str(r) || u16str(D_INTR) || left_side || temp)
1965 *   ...
1966 * Popping the stack is done in the caller.
1967 *
1968 * @param [in, out] state  LMS state.
1969 * @param [in]      sp     Stack pointer to left nodes.
1970 * @param [in]      r      Node hash index.
1971 * @param [out]     node   Interior node hash.
1972 */
1973static int wc_lms_interior_hash(LmsState* state, byte* sp, word32 r,
1974    byte* node)
1975{
1976    int ret;
1977    byte* buffer = state->buffer;
1978    byte* rp = buffer + LMS_I_LEN;
1979    byte* left = rp + LMS_R_LEN + LMS_D_LEN;
1980
1981    /* I || u32str(r) || u16str(D_INTR) || ... || temp */
1982    c32toa(r, rp);
1983#ifdef WOLFSSL_LMS_SHAKE256
1984    if (LMS_IS_SHAKE(state->params->lmOtsType)) {
1985        /* left_side = pop(data stack)
1986         * I || u32str(r) || u16str(D_INTR) || left_side || temp */
1987        XMEMCPY(left, sp, state->params->hash_len);
1988        /* temp = H(I || u32str(r) || u16str(D_INTR) || left_side || temp) */
1989        ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
1990            LMS_NODE_HASH_LEN(state->params->hash_len), node,
1991            state->params->hash_len);
1992    }
1993    else
1994#endif
1995#ifdef WOLFSSL_LMS_SHA256_192
1996    if ((state->params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
1997        /* left_side = pop(data stack)
1998         * I || u32str(r) || u16str(D_INTR) || left_side || temp */
1999        XMEMCPY(left, sp, WC_SHA256_192_DIGEST_SIZE);
2000        /* temp = H(I || u32str(r) || u16str(D_INTR) || left_side || temp) */
2001        ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
2002            LMS_NODE_HASH_LEN(WC_SHA256_192_DIGEST_SIZE), node);
2003    }
2004    else
2005#endif
2006    {
2007    #ifndef WOLFSSL_NO_LMS_SHA256_256
2008        /* left_side = pop(data stack)
2009         * I || u32str(r) || u16str(D_INTR) || left_side || temp */
2010        XMEMCPY(left, sp, WC_SHA256_DIGEST_SIZE);
2011        /* temp = H(I || u32str(r) || u16str(D_INTR) || left_side || temp) */
2012        ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
2013            LMS_NODE_HASH_LEN(WC_SHA256_DIGEST_SIZE), node);
2014    #else
2015        ret = NOT_COMPILED_IN;
2016    #endif
2017    }
2018
2019    return ret;
2020}
2021
2022#ifdef WOLFSSL_WC_LMS_SMALL
2023/* Computes hash of the Merkle tree and gets the authentication path for q.
2024 *
2025 * Appendix C: An Iterative Algorithm for Computing an LMS Public Key
2026 *    for ( i = 0; i < 2^h; i = i + 1 ) {
2027 *      r = i + num_lmots_keys;
2028 *      temp = H(I || u32str(r) || u16str(D_LEAF) || OTS_PUB_HASH[i])
2029 *      j = i;
2030 *      while (j % 2 == 1) {
2031 *        r = (r - 1)/2;
2032 *        j = (j-1) / 2;
2033 *        left_side = pop(data stack);
2034 *        temp = H(I || u32str(r) || u16str(D_INTR) || left_side || temp)
2035 *      }
2036 *      push temp onto the data stack
2037 *   }
2038 *   public_key = pop(data stack)
2039 *
2040 * @param [in, out] state      LMS state.
2041 * @param [in]      id         Unique tree identifier, I.
2042 * @param [in]      seed       Private seed to generate x.
2043 * @param [in]      max        Count of leaf nodes to calculate. Must be greater
2044 *                             than q. Must be a power of 2.
2045 * @param [in]      q          Index for authentication path.
2046 * @param [out]     auth_path  Authentication path for index.
2047 * @param [out]     pub        LMS public key.
2048 * @param [out]     stack_d    Where to store stack data.
2049 * @return  0 on success.
2050 */
2051static int wc_lms_treehash(LmsState* state, const byte* id, const byte* seed,
2052    word32 q, byte* auth_path, byte* pub)
2053{
2054    int ret = 0;
2055    const LmsParams* params = state->params;
2056    byte* buffer = state->buffer;
2057    byte* rp = buffer + LMS_I_LEN;
2058    byte* dp = rp + LMS_R_LEN;
2059    byte* left = dp + LMS_D_LEN;
2060    byte* temp = left + params->hash_len;
2061    WC_DECLARE_VAR(stack, byte, (LMS_MAX_HEIGHT + 1) * LMS_MAX_NODE_LEN, 0);
2062    byte* sp;
2063    word32 i;
2064
2065    /* I || ... */
2066    XMEMCPY(buffer, id, LMS_I_LEN);
2067
2068    /* Allocate stack of left side hashes. */
2069    WC_ALLOC_VAR_EX(stack, byte,
2070        LMS_STACK_CACHE_LEN(params->height, params->hash_len),
2071        NULL, DYNAMIC_TYPE_TMP_BUFFER,
2072        { ret=MEMORY_E; });
2073    sp = stack;
2074
2075    /* Compute all nodes requested. */
2076    for (i = 0; (ret == 0) && (i < ((word32)1 << params->height)); i++) {
2077        word32 j = i;
2078        word16 h = 0;
2079        /* r = i + num_lmots_keys */
2080        word32 r = i + ((word32)1 << (params->height));
2081
2082        /* Calculate leaf node hash. */
2083        ret = wc_lms_leaf_hash(state, seed, i, r, temp);
2084
2085        /* Store the node if on the authentication path. */
2086        if ((ret == 0) && (auth_path != NULL) && ((q ^ 0x1) == i)) {
2087            XMEMCPY(auth_path, temp, params->hash_len);
2088        }
2089
2090        /* I || ... || u16str(D_INTR) || ... || temp */
2091        c16toa(LMS_D_INTR, dp);
2092        /* Calculate parent node is we have both left and right. */
2093        while ((ret == 0) && ((j & 0x1) == 1)) {
2094            /* Get parent node index. r and j are odd. */
2095            r >>= 1;
2096            j >>= 1;
2097            h++;
2098
2099            /* Calculate interior node hash.
2100             * temp = H(I || u32str(r) || u16str(D_INTR) || left_side || temp)
2101             */
2102            sp -= params->hash_len;
2103            ret = wc_lms_interior_hash(state, sp, r, temp);
2104
2105            /* Copy out node to authentication path if on path. */
2106            if ((ret == 0) && (auth_path != NULL) && (((q >> h) ^ 0x1) == j)) {
2107                XMEMCPY(auth_path + h * params->hash_len, temp,
2108                    params->hash_len);
2109            }
2110        }
2111        /* Push temp onto the data stack. */
2112        XMEMCPY(sp, temp, params->hash_len);
2113        sp += params->hash_len;
2114    }
2115
2116    if ((ret == 0) && (pub != NULL)) {
2117        /* Public key, root node, is top of data stack. */
2118        XMEMCPY(pub, stack, params->hash_len);
2119    }
2120    WC_FREE_VAR_EX(stack, NULL, DYNAMIC_TYPE_TMP_BUFFER);
2121    return ret;
2122}
2123
2124/* Compute the LMS public key - root node of tree.
2125 *
2126 * @param [in, out] state  LMS state.
2127 * @param [in]      id     Unique tree identifier, I.
2128 * @param [in]      seed   Private seed to generate x.
2129 * @param [out]     pub    LMS public key.
2130 * @return  0 on success.
2131 */
2132static int wc_lms_make_public_key(LmsState* state, const byte* id,
2133    const byte* seed, byte* pub)
2134{
2135    return wc_lms_treehash(state, id, seed, 0, NULL, pub);
2136}
2137
2138/* Calculate the authentication path.
2139 *
2140 * @param [in, out] state  LMS state.
2141 * @param [in]      id     Public random: I.
2142 * @param [in]      seed   Private random: SEED.
2143 * @param [in]      q      Index of leaf.
2144 * @param [out]     sig    Signature buffer to place authentication path into.
2145 * @param [out]     root   Root node of tree.
2146 * @return  0 on success.
2147 */
2148static int wc_lms_auth_path(LmsState* state, const byte* id, const byte* seed,
2149    word32 q, byte* sig, byte* root)
2150{
2151    return wc_lms_treehash(state, id, seed, q, sig, root);
2152}
2153#else
2154/* Computes hash of the Merkle tree and gets the authentication path for q.
2155 *
2156 * Appendix C: An Iterative Algorithm for Computing an LMS Public Key
2157 *    for ( i = 0; i < 2^h; i = i + 1 ) {
2158 *      r = i + num_lmots_keys;
2159 *      temp = H(I || u32str(r) || u16str(D_LEAF) || OTS_PUB_HASH[i])
2160 *      j = i;
2161 *      while (j % 2 == 1) {
2162 *        r = (r - 1)/2;
2163 *        j = (j-1) / 2;
2164 *        left_side = pop(data stack);
2165 *        temp = H(I || u32str(r) || u16str(D_INTR) || left_side || temp)
2166 *      }
2167 *      push temp onto the data stack
2168 *   }
2169 *   public_key = pop(data stack)
2170 *
2171 * @param [in, out] state      LMS state.
2172 * @param [in, out] privState  LMS state of the private key.
2173 * @param [in]      id         Unique tree identifier, I.
2174 * @param [in]      seed       Private seed to generate x.
2175 * @param [in]      q          Index for authentication path.
2176 * @return  0 on success.
2177 */
2178static int wc_lms_treehash_init(LmsState* state, LmsPrivState* privState,
2179    const byte* id, const byte* seed, word32 q)
2180{
2181    int ret = 0;
2182    const LmsParams* params = state->params;
2183    byte* buffer = state->buffer;
2184    byte* auth_path = privState->auth_path;
2185    byte* root = privState->root;
2186    HssLeafCache* leaf = &privState->leaf;
2187    byte* rp = buffer + LMS_I_LEN;
2188    byte* dp = rp + LMS_R_LEN;
2189    byte* left = dp + LMS_D_LEN;
2190    byte* temp = left + params->hash_len;
2191    WC_DECLARE_VAR(stack, byte, (LMS_MAX_HEIGHT + 1) * LMS_MAX_NODE_LEN, 0);
2192    word32 spi = 0;
2193    word32 i;
2194    word32 max_h = (word32)1 << params->height;
2195    word32 max_cb = (word32)1 << params->cacheBits;
2196
2197    privState->stack.offset = 0;
2198    /* Reset the cached stack. */
2199    leaf->offset = 0;
2200    leaf->idx = q;
2201    if ((q + max_cb) > max_h) {
2202        leaf->idx = max_h - max_cb;
2203    }
2204
2205    /* I || ... */
2206    XMEMCPY(buffer, id, LMS_I_LEN);
2207
2208    /* Allocate stack of left side hashes. */
2209    WC_ALLOC_VAR_EX(stack, byte,
2210        LMS_STACK_CACHE_LEN(params->height, params->hash_len),
2211        NULL, DYNAMIC_TYPE_TMP_BUFFER,
2212        { ret=MEMORY_E; });
2213
2214    /* Compute all nodes requested. */
2215    for (i = 0; (ret == 0) && (i < max_h); i++) {
2216        word32 j = i;
2217        word16 h = 0;
2218        /* r = i + num_lmots_keys */
2219        word32 r = i + max_h;
2220
2221        /* Calculate leaf node hash. */
2222        ret = wc_lms_leaf_hash(state, seed, i, r, temp);
2223
2224        /* Cache leaf node if in range. */
2225        if ((ret == 0) && (i >= leaf->idx) && (i < leaf->idx + max_cb)) {
2226            XMEMCPY(leaf->cache + (i - leaf->idx) * params->hash_len, temp,
2227                    params->hash_len);
2228        }
2229
2230        /* Store the node if on the authentication path. */
2231        if ((ret == 0) && (auth_path != NULL) && ((q ^ 0x1) == i)) {
2232            XMEMCPY(auth_path, temp, params->hash_len);
2233        }
2234
2235        /* I || ... || u16str(D_INTR) || ... || temp */
2236        c16toa(LMS_D_INTR, dp);
2237        /* Calculate parent node is we have both left and right. */
2238        while ((ret == 0) && ((j & 0x1) == 1)) {
2239            /* Get parent node index. r and j are odd. */
2240            r >>= 1;
2241            j >>= 1;
2242            h++;
2243
2244            /* Calculate interior node hash.
2245             * temp = H(I || u32str(r) || u16str(D_INTR) || left_side || temp)
2246             */
2247            spi -= params->hash_len;
2248            ret = wc_lms_interior_hash(state, stack + spi, r, temp);
2249
2250            /* Copy out top root nodes. */
2251            if ((h > params->height - params->rootLevels) &&
2252                    ((i >> (h-1)) != ((i + 1) >> (h - 1)))) {
2253                word32 off = ((word32)1U << (params->height - h)) +
2254                             (i >> h) - 1U;
2255                XMEMCPY(root + off * params->hash_len, temp, params->hash_len);
2256            }
2257
2258            /* Copy out node to authentication path if on path. */
2259            if ((ret == 0) && (auth_path != NULL) && (((q >> h) ^ 0x1) == j)) {
2260                XMEMCPY(auth_path + h * params->hash_len, temp,
2261                    params->hash_len);
2262            }
2263        }
2264        /* Push temp onto the data stack. */
2265        XMEMCPY(stack + spi, temp, params->hash_len);
2266        spi += params->hash_len;
2267
2268        if (i == q - 1) {
2269            XMEMCPY(privState->stack.stack, stack, spi);
2270            privState->stack.offset = spi;
2271        }
2272    }
2273
2274    WC_FREE_VAR_EX(stack, NULL, DYNAMIC_TYPE_TMP_BUFFER);
2275    return ret;
2276}
2277
2278/* Computes hash of the Merkle tree and gets the authentication path for q.
2279 *
2280 * Appendix C: An Iterative Algorithm for Computing an LMS Public Key
2281 *    for ( i = 0; i < 2^h; i = i + 1 ) {
2282 *      r = i + num_lmots_keys;
2283 *      temp = H(I || u32str(r) || u16str(D_LEAF) || OTS_PUB_HASH[i])
2284 *      j = i;
2285 *      while (j % 2 == 1) {
2286 *        r = (r - 1)/2;
2287 *        j = (j-1) / 2;
2288 *        left_side = pop(data stack);
2289 *        temp = H(I || u32str(r) || u16str(D_INTR) || left_side || temp)
2290 *      }
2291 *      push temp onto the data stack
2292 *   }
2293 *   public_key = pop(data stack)
2294 *
2295 * @param [in, out] state       LMS state.
2296 * @param [in, out] privState   LMS state of the private key.
2297 * @param [in]      id          Unique tree identifier, I.
2298 * @param [in]      seed        Private seed to generate x.
2299 * @param [in]      min_idx     Minimum leaf index to process.
2300 * @param [in]      max_idx     Maximum leaf index to process.
2301 * @param [in]      q           Index for authentication path.
2302 * @param [in]      useRoot     Whether to use nodes from root cache.
2303 * @return  0 on success.
2304 */
2305static int wc_lms_treehash_update(LmsState* state, LmsPrivState* privState,
2306    const byte* id, const byte* seed, word32 min_idx, word32 max_idx, word32 q,
2307    int useRoot)
2308{
2309    int ret = 0;
2310    const LmsParams* params = state->params;
2311    byte* buffer = state->buffer;
2312    byte* auth_path = privState->auth_path;
2313    LmsStack* stackCache = &privState->stack;
2314    HssLeafCache* leaf = &privState->leaf;
2315    byte* rp = buffer + LMS_I_LEN;
2316    byte* dp = rp + LMS_R_LEN;
2317    byte* left = dp + LMS_D_LEN;
2318    byte* temp = left + params->hash_len;
2319    WC_DECLARE_VAR(stack, byte, (LMS_MAX_HEIGHT + 1) * LMS_MAX_NODE_LEN, 0);
2320    byte* sp;
2321    word32 max_cb = (word32)1 << params->cacheBits;
2322    word32 i;
2323
2324    /* I || ... */
2325    XMEMCPY(buffer, id, LMS_I_LEN);
2326
2327    /* Allocate stack of left side hashes. */
2328    WC_ALLOC_VAR_EX(stack, byte,
2329        LMS_STACK_CACHE_LEN(params->height, params->hash_len),
2330        NULL, DYNAMIC_TYPE_TMP_BUFFER,
2331        { ret=MEMORY_E; });
2332
2333    /* Public key, root node, is top of data stack. */
2334    if (ret == 0) {
2335        XMEMCPY(stack, stackCache->stack,
2336                (word32)params->height * params->hash_len);
2337        sp = stack + stackCache->offset;
2338    }
2339
2340    /* Compute all nodes requested. */
2341    for (i = min_idx; (ret == 0) && (i <= max_idx); i++) {
2342        word32 j = i;
2343        word16 h = 0;
2344        /* r = i + num_lmots_keys */
2345        word32 r = i + ((word32)1 << (params->height));
2346
2347        if ((i >= leaf->idx) && (i < leaf->idx + max_cb)) {
2348            /* Calculate offset of node in cache. */
2349            word32 off = ((i - (leaf->idx + max_cb) + leaf->offset) % max_cb) *
2350                params->hash_len;
2351            /* Copy cached node into working buffer. */
2352            XMEMCPY(temp, leaf->cache + off, params->hash_len);
2353        }
2354        else {
2355            /* Calculate leaf node hash. */
2356            ret = wc_lms_leaf_hash(state, seed, i, r, temp);
2357
2358            /* Slide the leaf cache forward by one slot when i is exactly the
2359             * leaf immediately past the cached window and still within the
2360             * window we will need to cover q. Callers (wc_hss_init_auth_path /
2361             * wc_hss_update_auth_path) advance i contiguously, so i never
2362             * jumps past leaf->idx + max_cb in normal use; if that invariant
2363             * is broken, the cache stays put and i is silently uncached
2364             * (correct, but defeats the cache). */
2365            if (i > leaf->idx + max_cb) {
2366                WOLFSSL_MSG("Bad value for index");
2367            }
2368            if ((i == leaf->idx + max_cb) && (i < (q + max_cb))) {
2369                /* Copy working node into cache over old first node. */
2370                XMEMCPY(leaf->cache + leaf->offset * params->hash_len, temp,
2371                    params->hash_len);
2372                /* Increase start index as first node replaced. */
2373                leaf->idx++;
2374                /* Update offset of first leaf node. */
2375                leaf->offset = (leaf->offset + 1) & (max_cb - 1);
2376            }
2377        }
2378
2379        /* Store the node if on the authentication path. */
2380        if ((ret == 0) && ((q ^ 0x1) == i)) {
2381            XMEMCPY(auth_path, temp, params->hash_len);
2382        }
2383
2384        /* I || ... || u16str(D_INTR) || ... || temp */
2385        c16toa(LMS_D_INTR, dp);
2386        /* Calculate parent node if we have both left and right. */
2387        while ((ret == 0) && ((j & 0x1) == 1)) {
2388            /* Get parent node index. r and j are odd. */
2389            r >>= 1;
2390            j >>= 1;
2391            h++;
2392
2393            sp -= params->hash_len;
2394            if (useRoot && (h > params->height - params->rootLevels) &&
2395                    (h <= params->height)) {
2396                /* Calculate offset of cached root node. */
2397                word32 off = ((word32)1U << (params->height - h)) +
2398                    (i >> h) - 1;
2399                XMEMCPY(temp, privState->root + (off * params->hash_len),
2400                    params->hash_len);
2401            }
2402            else {
2403                /* Calculate interior node hash.
2404                 * temp = H(I || u32str(r) || u16str(D_INTR) || left_side ||
2405                 *          temp)
2406                 */
2407                ret = wc_lms_interior_hash(state, sp, r, temp);
2408            }
2409
2410            /* Copy out top root nodes. */
2411            if ((ret == 0) && (q == 0) && (!useRoot) &&
2412                    (h > params->height - params->rootLevels) &&
2413                    ((i >> (h-1)) != ((i + 1) >> (h - 1)))) {
2414                word32 off = ((word32)1U << (params->height - h)) +
2415                             (i >> h) - 1U;
2416                XMEMCPY(privState->root + off * params->hash_len, temp,
2417                    params->hash_len);
2418            }
2419
2420            /* Copy out node to authentication path if on path. */
2421            if ((ret == 0) && (((q >> h) ^ 0x1) == j)) {
2422                XMEMCPY(auth_path + h * params->hash_len, temp,
2423                    params->hash_len);
2424            }
2425        }
2426        if (ret == 0) {
2427            /* Push temp onto the data stack. */
2428            XMEMCPY(sp, temp, params->hash_len);
2429            sp += params->hash_len;
2430
2431            /* Save stack after updating first node. */
2432            if (i == min_idx) {
2433                /* Copy stack back. */
2434                stackCache->offset = (word32)((size_t)sp - (size_t)stack);
2435                XMEMCPY(stackCache->stack, stack, stackCache->offset);
2436            }
2437        }
2438    }
2439
2440    if (ret == 0) {
2441        if (!useRoot) {
2442            /* Copy stack back. */
2443            XMEMCPY(stackCache->stack, stack,
2444                    (word32)params->height * params->hash_len);
2445            stackCache->offset = (word32)((size_t)sp - (size_t)stack);
2446        }
2447    }
2448
2449    WC_FREE_VAR_EX(stack, NULL, DYNAMIC_TYPE_TMP_BUFFER);
2450    return ret;
2451}
2452#endif /* WOLFSSL_WC_LMS_SMALL */
2453
2454/* Sign message using LMS.
2455 *
2456 * Appendix D. Method for Deriving Authentication Path for a Signature.
2457 * Generating an LMS Signature
2458 *   ...
2459 *   3. Create the LM-OTS signature for the message:
2460 *      ots_signature = lmots_sign(message, LMS_PRIV[q])
2461 *   4. Compute the array path as follows:
2462 *      ...
2463 *   5. S = u32str(q) || ots_signature || u32str(type) ||
2464 *                           path[0] || path[1] || ... || path[h-1]
2465 *   ...
2466 * path[] added by caller as it can come from cache.
2467 *
2468 * @param [in, out] state  LMS state.
2469 * @param [in]      priv   LMS private key.
2470 * @param [in]      msg    Message/public key to sign.
2471 * @param [in]      msgSz  Length of message in bytes.
2472 * @param [out]     sig    LMS signature.
2473 * @return  0 on success.
2474 */
2475static int wc_lms_sign(LmsState* state, const byte* priv, const byte* msg,
2476    word32 msgSz, byte* sig)
2477{
2478    int ret;
2479    const LmsParams* params = state->params;
2480    byte* buffer = state->buffer;
2481    byte* s = sig;
2482    const byte* priv_q = priv;
2483    const byte* priv_seed = priv_q + LMS_Q_LEN;
2484    const byte* priv_i = priv_seed + params->hash_len;
2485
2486    /* Setup for hashing: I || Q */
2487    XMEMCPY(buffer, priv_i, LMS_I_LEN);
2488    XMEMCPY(buffer + LMS_I_LEN, priv_q, LMS_Q_LEN);
2489
2490    /* Copy q from private key.
2491     * S = u32str(q) || ... */
2492    XMEMCPY(s, priv_q, LMS_Q_LEN);
2493    s += LMS_Q_LEN;
2494
2495    /* ots_signature = sig = u32str(type) || ... */
2496    c32toa(state->params->lmOtsType & LMS_H_W_MASK, s);
2497    s += LMS_TYPE_LEN;
2498    /* Sign this level.
2499     * S = u32str(q) || ots_signature || ... */
2500    ret = wc_lmots_sign(state, priv_seed, msg, msgSz, s);
2501    if (ret == 0) {
2502        /* Skip over ots_signature. */
2503        s += params->hash_len + params->p * params->hash_len;
2504        /* S = u32str(q) || ots_signature || u32str(type) || ... */
2505        c32toa(params->lmsType & LMS_H_W_MASK, s);
2506    }
2507
2508    return ret;
2509}
2510
2511#if !defined(WOLFSSL_WC_LMS_SMALL) && !defined(WOLFSSL_LMS_NO_SIG_CACHE)
2512/* Copy in the cached signature data.
2513 *
2514 * @param [in]  params    LMS parameters.
2515 * @param [in]  y         y cache.
2516 * @param [in]  priv      Private key data.
2517 * @param [out] sig       Signature data.
2518 */
2519static void wc_lms_sig_copy(const LmsParams* params, const byte* y,
2520    const byte* priv, byte* sig)
2521{
2522    /* Put in q. */
2523    XMEMCPY(sig, priv, LMS_Q_LEN);
2524    sig += LMS_Q_LEN;
2525    /* S = u32str(q) || ... */
2526    c32toa(params->lmOtsType & LMS_H_W_MASK, sig);
2527    sig += LMS_TYPE_LEN;
2528    /* S = u32str(q) || ots_signature || ... */
2529    XMEMCPY(sig, y, LMOTS_Y_LEN(params->p, params->hash_len));
2530    sig += LMOTS_Y_LEN(params->p, params->hash_len);
2531    /* S = u32str(q) || ots_signature || u32str(type) || ... */
2532    c32toa(params->lmsType & LMS_H_W_MASK, sig);
2533}
2534#endif /* !WOLFSSL_WC_LMS_SMALL && !WOLFSSL_LMS_NO_SIG_CACHE */
2535#endif /* !WOLFSSL_LMS_VERIFY_ONLY */
2536
2537/* Compute the root node of the LMS tree.
2538 *
2539 * Algorithm 6a: Computing an LMS Public Key Candidate from a Signature,
2540 * Message, Identifier, and Algorithm Typecodes
2541 *   ...
2542 *   4. Compute the candidate LMS root value Tc as follows:
2543 *      node_num = 2^h + q
2544 *      tmp = H(I || u32str(node_num) || u16str(D_LEAF) || Kc)
2545 *      i = 0
2546 *      while (node_num > 1) {
2547 *        if (node_num is odd):
2548 *          tmp = H(I||u32str(node_num/2)||u16str(D_INTR)||path[i]||tmp)
2549 *        else:
2550 *          tmp = H(I||u32str(node_num/2)||u16str(D_INTR)||tmp||path[i])
2551 *        node_num = node_num/2
2552 *        i = i + 1
2553 *      }
2554 *      Tc = tmp
2555 *   5. Return Tc.
2556 *
2557 * @param [in, out]  state  LMS state.
2558 * @param [in]       q      Index of node.
2559 * @param [in]       kc     K candidate.
2560 * @param [in]       path   Authentication path from signature.
2561 * @param [out]      tc     T candidate.
2562 * @return  0 on success.
2563 */
2564static int wc_lms_compute_root(LmsState* state, word32 q, const byte* kc,
2565    const byte* path, byte* tc)
2566{
2567    int ret;
2568    const LmsParams* params = state->params;
2569    byte* buffer = state->buffer;
2570    byte* rp = buffer + LMS_I_LEN;
2571    byte* ip = rp + LMS_Q_LEN;
2572    byte* node = ip + LMS_P_LEN;
2573    byte* b[2][2];
2574    /* node_num = 2^h + q */
2575    word32 r = ((word32)1 << params->height) + q;
2576
2577    /* tmp = H(I || u32str(node_num) || u16str(D_LEAF) || Kc) */
2578    c32toa(r, rp);
2579    c16toa(LMS_D_LEAF, ip);
2580    XMEMCPY(node, kc, params->hash_len);
2581    /* Put tmp into offset required for first iteration. */
2582#ifdef WOLFSSL_LMS_SHAKE256
2583    if (LMS_IS_SHAKE(params->lmOtsType)) {
2584        b[0][0] = node;
2585        b[0][1] = node + params->hash_len;
2586        b[1][0] = node + params->hash_len;
2587        b[1][1] = node;
2588        ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
2589            LMS_SEED_HASH_LEN(params->hash_len), b[r & 1][0],
2590            params->hash_len);
2591    }
2592    else
2593#endif
2594    {
2595#ifndef WC_LMS_FULL_HASH
2596    /* Put in padding for final block. */
2597#ifdef WOLFSSL_LMS_SHA256_192
2598    if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
2599        b[0][0] = node;
2600        b[0][1] = node + WC_SHA256_192_DIGEST_SIZE;
2601        b[1][0] = node + WC_SHA256_192_DIGEST_SIZE;
2602        b[1][1] = node;
2603        LMS_SHA256_SET_LEN_46(buffer);
2604        ret = wc_lms_sha256_192_hash_block(LMS_STATE_HASH(state), buffer, b[r & 1][0]);
2605    }
2606    else
2607#endif
2608    {
2609    #ifndef WOLFSSL_NO_LMS_SHA256_256
2610        b[0][0] = node;
2611        b[0][1] = node + WC_SHA256_DIGEST_SIZE;
2612        b[1][0] = node + WC_SHA256_DIGEST_SIZE;
2613        b[1][1] = node;
2614        LMS_SHA256_SET_LEN_54(buffer);
2615        ret = wc_lms_hash_block(LMS_STATE_HASH(state), buffer, b[r & 1][0]);
2616    #else
2617        ret = NOT_COMPILED_IN;
2618    #endif
2619    }
2620#else
2621#ifdef WOLFSSL_LMS_SHA256_192
2622    if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
2623        b[0][0] = node;
2624        b[0][1] = node + WC_SHA256_192_DIGEST_SIZE;
2625        b[1][0] = node + WC_SHA256_192_DIGEST_SIZE;
2626        b[1][1] = node;
2627        ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
2628            LMS_SEED_HASH_LEN(WC_SHA256_192_DIGEST_SIZE), b[r & 1][0]);
2629    }
2630    else
2631#endif
2632    {
2633    #ifndef WOLFSSL_NO_LMS_SHA256_256
2634        b[0][0] = node;
2635        b[0][1] = node + WC_SHA256_DIGEST_SIZE;
2636        b[1][0] = node + WC_SHA256_DIGEST_SIZE;
2637        b[1][1] = node;
2638        ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
2639            LMS_SEED_HASH_LEN(WC_SHA256_DIGEST_SIZE), b[r & 1][0]);
2640    #else
2641        ret = NOT_COMPILED_IN;
2642    #endif
2643    }
2644#endif /* !WC_LMS_FULL_HASH */
2645    }
2646
2647    if (ret == 0) {
2648        int i;
2649
2650        /* I||...||u16str(D_INT)||... */
2651        c16toa(LMS_D_INTR, ip);
2652
2653        /* Do all but last height. */
2654    #ifdef WOLFSSL_LMS_SHAKE256
2655        if (LMS_IS_SHAKE(params->lmOtsType)) {
2656            for (i = 0; (ret == 0) && (i < params->height - 1); i++) {
2657                /* Put path into offset required. */
2658                XMEMCPY(b[r & 1][1], path, params->hash_len);
2659                path += params->hash_len;
2660
2661                /* node_num = node_num / 2 */
2662                r >>= 1;
2663                /*  H(...||u32str(node_num/2)||..) */
2664                c32toa(r, rp);
2665                ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
2666                    LMS_NODE_HASH_LEN(params->hash_len), b[r & 1][0],
2667                    params->hash_len);
2668            }
2669            if (ret == 0) {
2670                /* Last height. */
2671                XMEMCPY(b[r & 1][1], path, params->hash_len);
2672                r >>= 1;
2673                c32toa(r, rp);
2674                ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
2675                    LMS_NODE_HASH_LEN(params->hash_len), tc, params->hash_len);
2676            }
2677        }
2678        else
2679    #endif
2680    #ifdef WOLFSSL_LMS_SHA256_192
2681        if ((params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
2682            for (i = 0; (ret == 0) && (i < params->height - 1); i++) {
2683                /* Put path into offset required. */
2684                XMEMCPY(b[r & 1][1], path, WC_SHA256_192_DIGEST_SIZE);
2685                path += WC_SHA256_192_DIGEST_SIZE;
2686
2687                /* node_num = node_num / 2 */
2688                r >>= 1;
2689                /*  H(...||u32str(node_num/2)||..) */
2690                c32toa(r, rp);
2691                /* tmp = H(I||u32str(node_num/2)||u16str(D_INTR)||path[i]||tmp)
2692                 * or
2693                 * tmp = H(I||u32str(node_num/2)||u16str(D_INTR)||tmp||path[i])
2694                 * Put tmp result into offset required for next iteration. */
2695                ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
2696                    LMS_NODE_HASH_LEN(WC_SHA256_192_DIGEST_SIZE), b[r & 1][0]);
2697            }
2698            if (ret == 0) {
2699                /* Last height. */
2700                /* Put path into offset required. */
2701                XMEMCPY(b[r & 1][1], path, WC_SHA256_192_DIGEST_SIZE);
2702                /* node_num = node_num / 2 */
2703                r >>= 1;
2704                /*  H(...||u32str(node_num/2)||..) */
2705                c32toa(r, rp);
2706                /* tmp = H(I||u32str(node_num/2)||u16str(D_INTR)||path[i]||tmp)
2707                 * or
2708                 * tmp = H(I||u32str(node_num/2)||u16str(D_INTR)||tmp||path[i])
2709                 * Put tmp result into Tc.*/
2710                ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
2711                    LMS_NODE_HASH_LEN(WC_SHA256_192_DIGEST_SIZE), tc);
2712            }
2713        }
2714        else
2715    #endif
2716        {
2717        #ifndef WOLFSSL_NO_LMS_SHA256_256
2718            for (i = 0; (ret == 0) && (i < params->height - 1); i++) {
2719                /* Put path into offset required. */
2720                XMEMCPY(b[r & 1][1], path, WC_SHA256_DIGEST_SIZE);
2721                path += WC_SHA256_DIGEST_SIZE;
2722
2723                /* node_num = node_num / 2 */
2724                r >>= 1;
2725                /*  H(...||u32str(node_num/2)||..) */
2726                c32toa(r, rp);
2727                /* tmp = H(I||u32str(node_num/2)||u16str(D_INTR)||path[i]||tmp)
2728                 * or
2729                 * tmp = H(I||u32str(node_num/2)||u16str(D_INTR)||tmp||path[i])
2730                 * Put tmp result into offset required for next iteration. */
2731                ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
2732                    LMS_NODE_HASH_LEN(WC_SHA256_DIGEST_SIZE), b[r & 1][0]);
2733            }
2734            if (ret == 0) {
2735                /* Last height. */
2736                /* Put path into offset required. */
2737                XMEMCPY(b[r & 1][1], path, WC_SHA256_DIGEST_SIZE);
2738                /* node_num = node_num / 2 */
2739                r >>= 1;
2740                /*  H(...||u32str(node_num/2)||..) */
2741                c32toa(r, rp);
2742                /* tmp = H(I||u32str(node_num/2)||u16str(D_INTR)||path[i]||tmp)
2743                 * or
2744                 * tmp = H(I||u32str(node_num/2)||u16str(D_INTR)||tmp||path[i])
2745                 * Put tmp result into Tc.*/
2746                ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
2747                    LMS_NODE_HASH_LEN(WC_SHA256_DIGEST_SIZE), tc);
2748            }
2749        #else
2750            ret = NOT_COMPILED_IN;
2751        #endif
2752        }
2753    }
2754
2755    return ret;
2756}
2757
2758/* LMS verify message using public key and signature.
2759 *
2760 * Algorithm 6a: Computing an LMS Public Key Candidate from a Signature,
2761 * Message, Identifier, and Algorithm Typecodes
2762 *   ...
2763 *   2. Parse sigtype, q, lmots_signature, and path from the signature
2764 *      as follows:
2765 *      a. q = strTou32(first 4 bytes of signature)
2766 *      ...
2767 *      e. lmots_signature = bytes 4 through 7 + n * (p + 1)
2768 *         of signature
2769 *      ...
2770 *      j. Set path as follows:
2771 *           path[0] = next m bytes of signature
2772 *           path[1] = next m bytes of signature
2773 *              ...
2774 *         path[h-1] = next m bytes of signature
2775 *   3. Kc = candidate public key computed by applying Algorithm 4b
2776 *      to the signature lmots_signature, the message, and the
2777 *      identifiers I, q
2778 *   4. Compute the candidate LMS root value Tc as follows:
2779 *      ...
2780 *   5. Return Tc
2781 * Algorithm 6: LMS Signature Verification
2782 *   ...
2783 *   3. Compute the LMS Public Key Candidate Tc from the signature,
2784 *      message, identifier, pubtype, and ots_typecode, using
2785 *      Algorithm 6a.
2786 *   4. If Tc is equal to T[1], return VALID; otherwise, return INVALID.
2787 *
2788 * @param [in, out] state  LMS state.
2789 * @param [in]      pub    LMS public key.
2790 * @param [in]      msg    Message/public key to verify.
2791 * @param [in]      msgSz  Length of message in bytes.
2792 * @param [in]      sig    LMS signature.
2793 */
2794static int wc_lms_verify(LmsState* state, const byte* pub, const byte* msg,
2795    word32 msgSz, const byte* sig, word32 sigSz)
2796{
2797    int ret;
2798    const LmsParams* params = state->params;
2799    byte* buffer = state->buffer;
2800    const byte* pub_i = pub + LMS_TYPE_LEN + LMS_TYPE_LEN;
2801    const byte* pub_k = pub_i + LMS_I_LEN;
2802    const byte* sig_q = sig;
2803    byte tc[LMS_MAX_NODE_LEN];
2804    byte* kc = tc;
2805    /* Bytes consumed by this LMS signature: q || lmots_type || C || y[p] ||
2806     * lms_type || path[height]. wc_lms_verify reads exactly this much from
2807     * sig; the caller (wc_hss_verify or wc_LmsKey_Verify) has guaranteed
2808     * sigSz covers it, but check defensively here as well. */
2809    const word32 lms_sig_required =
2810        LMS_SIG_LEN(params->height, params->p, params->hash_len);
2811
2812    if (sigSz < lms_sig_required) {
2813        return BUFFER_E;
2814    }
2815
2816    /* Algorithm 6. Step 3. */
2817    /* Check the public key LMS type matches parameters. */
2818    ret = wc_lmots_public_key_check(params, pub);
2819    if (ret == 0) {
2820        /* Algorithm 6a. Step 2.e. */
2821        const byte* sig_lmots = sig + LMS_Q_LEN;
2822
2823        /* Setup buffer with I || Q. */
2824        XMEMCPY(buffer, pub_i, LMS_I_LEN);
2825        XMEMCPY(buffer + LMS_I_LEN, sig_q, LMS_Q_LEN);
2826
2827        /* Algorithm 6a. Step 3. */
2828        ret = wc_lmots_calc_kc(state, pub + LMS_TYPE_LEN, msg, msgSz,
2829            sig_lmots, kc);
2830    }
2831    if (ret == 0) {
2832        /* Algorithm 6a. Step 3.d-e: Check LMS type in signature matches
2833         * the expected type from the public key.
2834         *
2835         * Bounds: the upfront sigSz check above guarantees the 4-byte
2836         * lms_type field at this offset is within the buffer.
2837         *
2838         * Mask: params->lmsType holds wolfSSL-internal flags (0xf000)
2839         * identifying the hash family alongside the RFC 8554 type code
2840         * (low 12 bits, LMS_H_W_MASK). The wire format strips the
2841         * private flags (see encoder lines 2483, 2510, 1559), so the
2842         * comparison is against the RFC type code only. This is safe so
2843         * long as the (lmsType, lmOtsType) pair, masked to the low 12 bits,
2844         * is unique across the static map -- i.e., no two  entries from
2845         * different hash families happen to have the same RFC code pair.
2846         * All current entries have matching hash families, so the pair is
2847         * trivially unique. A future entry mixing families would need this
2848         * checked explicitly.  Any future parameter set that introduces a
2849         * collision in the low 12 bits would require this check to compare
2850         * the full lmsType, not the masked form. */
2851        const byte* sig_lms_type = sig + LMS_Q_LEN + LMS_TYPE_LEN +
2852            params->hash_len + params->p * params->hash_len;
2853        word32 sigType;
2854
2855        ato32(sig_lms_type, &sigType);
2856        if (sigType != (params->lmsType & LMS_H_W_MASK)) {
2857            ret = SIG_TYPE_E;
2858        }
2859    }
2860    if (ret == 0) {
2861        /* Algorithm 6a. Step 2.j. */
2862        const byte* sig_path = sig + LMS_Q_LEN + LMS_TYPE_LEN +
2863            params->hash_len + params->p * params->hash_len + LMS_TYPE_LEN;
2864        word32 q;
2865
2866        /* Algorithm 6a. Step 2.a. */
2867        ato32(sig_q, &q);
2868
2869        /* Algorithm 6a. Steps 4-5. */
2870        ret = wc_lms_compute_root(state, q, kc, sig_path, tc);
2871    }
2872    /* Algorithm 6. Step 4. */
2873    if ((ret == 0) && (XMEMCMP(pub_k, tc, params->hash_len) != 0)) {
2874        ret = SIG_VERIFY_E;
2875    }
2876
2877    return ret;
2878}
2879
2880/***************************************
2881 * HSS APIs
2882 **************************************/
2883
2884#ifndef WOLFSSL_LMS_VERIFY_ONLY
2885/* Derive the seed and i for child.
2886 *
2887 * @param [in, out] state   LMS state.
2888 * @param [in]      id      Parent's I.
2889 * @param [in]      seed    Parent's SEED.
2890 * @param [in]      q       Parent's q.
2891 * @param [out]     seed_i  Derived SEED and I.
2892 * @return  0 on success.
2893 */
2894static int wc_hss_derive_seed_i(LmsState* state, const byte* id,
2895    const byte* seed, const byte* q, byte* seed_i)
2896{
2897    int ret = 0;
2898    byte buffer[WC_SHA256_BLOCK_SIZE];
2899    byte* idp = buffer;
2900    byte* qp = idp + LMS_I_LEN;
2901    byte* ip = qp + LMS_Q_LEN;
2902    byte* jp = ip + LMS_P_LEN;
2903    byte* tmp = jp + LMS_W_LEN;
2904
2905    /* parent's I || ... */
2906    XMEMCPY(idp, id, LMS_I_LEN);
2907    /* parent's I || q || ... */
2908    XMEMCPY(qp, q, LMS_Q_LEN);
2909    /* parent's I || q || D_CHILD_SEED || ... */
2910    c16toa(LMS_D_CHILD_SEED, ip);
2911    /* parent's I || q || D_CHILD_SEED || D_FIXED || ... */
2912    *jp = LMS_D_FIXED;
2913    /* parent's I || q || D_CHILD_SEED || D_FIXED || parent's SEED */
2914    XMEMCPY(tmp, seed, state->params->hash_len);
2915    /* SEED = H(parent's I || q || D_CHILD_SEED || D_FIXED || parent's SEED) */
2916#ifdef WOLFSSL_LMS_SHAKE256
2917    if (LMS_IS_SHAKE(state->params->lmOtsType)) {
2918        ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
2919            LMS_HASH_BUFFER_LEN(state->params->hash_len), seed_i,
2920            state->params->hash_len);
2921        if (ret == 0) {
2922            seed_i += state->params->hash_len;
2923        }
2924    }
2925    else
2926#endif
2927    {
2928#ifndef WC_LMS_FULL_HASH
2929#ifdef WOLFSSL_LMS_SHA256_192
2930    if ((state->params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
2931        /* Put in padding for final block. */
2932        LMS_SHA256_SET_LEN_47(buffer);
2933        ret = wc_lms_sha256_192_hash_block(LMS_STATE_HASH(state), buffer, seed_i);
2934        if (ret == 0) {
2935            seed_i += WC_SHA256_192_DIGEST_SIZE;
2936        }
2937    }
2938    else
2939#endif
2940    {
2941    #ifndef WOLFSSL_NO_LMS_SHA256_256
2942        /* Put in padding for final block. */
2943        LMS_SHA256_SET_LEN_55(buffer);
2944        ret = wc_lms_hash_block(LMS_STATE_HASH(state), buffer, seed_i);
2945        if (ret == 0) {
2946            seed_i += WC_SHA256_DIGEST_SIZE;
2947        }
2948    #else
2949        ret = NOT_COMPILED_IN;
2950    #endif
2951    }
2952#else
2953#ifdef WOLFSSL_LMS_SHA256_192
2954    if ((state->params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
2955        ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
2956            LMS_HASH_BUFFER_LEN(WC_SHA256_192_DIGEST_SIZE), seed_i);
2957    }
2958    else
2959#endif
2960    {
2961    #ifndef WOLFSSL_NO_LMS_SHA256_256
2962        ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
2963            LMS_HASH_BUFFER_LEN(WC_SHA256_DIGEST_SIZE), seed_i);
2964    #else
2965        ret = NOT_COMPILED_IN;
2966    #endif
2967    }
2968#endif /* !WC_LMS_FULL_HASH */
2969    }
2970
2971    if (ret == 0) {
2972        /* parent's I || q || D_CHILD_I || D_FIXED || parent's SEED */
2973        c16toa(LMS_D_CHILD_I, ip);
2974        /* I = H(parent's I || q || D_CHILD_I || D_FIXED || parent's SEED) */
2975#ifdef WOLFSSL_LMS_SHAKE256
2976        if (LMS_IS_SHAKE(state->params->lmOtsType)) {
2977            ret = wc_lms_shake256_hash(LMS_STATE_SHAKE(state), buffer,
2978                LMS_HASH_BUFFER_LEN(state->params->hash_len), tmp,
2979                state->params->hash_len);
2980        }
2981        else
2982#endif
2983        {
2984#ifndef WC_LMS_FULL_HASH
2985    #ifdef WOLFSSL_LMS_SHA256_192
2986        if ((state->params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
2987            ret = wc_lms_sha256_192_hash_block(LMS_STATE_HASH(state), buffer, tmp);
2988        }
2989        else
2990    #endif
2991        {
2992        #ifndef WOLFSSL_NO_LMS_SHA256_256
2993            ret = wc_lms_hash_block(LMS_STATE_HASH(state), buffer, tmp);
2994        #else
2995            ret = NOT_COMPILED_IN;
2996        #endif
2997        }
2998#else
2999    #ifdef WOLFSSL_LMS_SHA256_192
3000        if ((state->params->lmOtsType & LMS_HASH_MASK) == LMS_SHA256_192) {
3001            ret = wc_lms_hash_sha256_192(LMS_STATE_HASH(state), buffer,
3002                LMS_HASH_BUFFER_LEN(WC_SHA256_192_DIGEST_SIZE), tmp);
3003        }
3004        else
3005    #endif
3006        {
3007        #ifndef WOLFSSL_NO_LMS_SHA256_256
3008            ret = wc_lms_hash(LMS_STATE_HASH(state), buffer,
3009                LMS_HASH_BUFFER_LEN(WC_SHA256_DIGEST_SIZE), tmp);
3010        #else
3011            ret = NOT_COMPILED_IN;
3012        #endif
3013        }
3014#endif /* !WC_LMS_FULL_HASH */
3015        }
3016        /* Copy part of hash as new I into private key. */
3017        XMEMCPY(seed_i, tmp, LMS_I_LEN);
3018    }
3019
3020    return ret;
3021}
3022
3023/* Get q, index, of leaf at the specified level. */
3024#define LMS_Q_AT_LEVEL(q, ls, l, h)                                 \
3025    (w64GetLow32(w64ShiftRight((q), (((ls) - 1 - (l)) * (h)))) &    \
3026     (((word32)1U << (h)) - 1U))
3027
3028/* Expand the seed and I for further levels and set q for each level.
3029 *
3030 * @param [in, out] state     LMS state.
3031 * @param [in, out] priv      Private key for use in signing.
3032 * @param [in]      priv_raw  Private key read.
3033 * @param [in]      inc       Whether this is an incremental expansion.
3034 * @return  0 on success.
3035 */
3036static int wc_hss_expand_private_key(LmsState* state, byte* priv,
3037    const byte* priv_raw, int inc)
3038{
3039    const LmsParams* params = state->params;
3040    int ret = 0;
3041    w64wrapper q;
3042    w64wrapper qm1;
3043    word32 q32;
3044    byte* priv_q;
3045    byte* priv_seed_i;
3046    word32 i;
3047
3048    /* Get the 64-bit q value from the raw private key. */
3049    ato64(priv_raw, &q);
3050    /* Step over q and parameter set. */
3051    priv_raw += HSS_Q_LEN + HSS_PRIV_KEY_PARAM_SET_LEN;
3052
3053    /* Get q of highest level. */
3054    q32 = LMS_Q_AT_LEVEL(q, params->levels, 0, params->height);
3055    /* Set q of highest tree. */
3056    c32toa(q32, priv);
3057
3058    /* Incremental expansion needs q-1. */
3059    if (inc) {
3060        /* Calculate q-1 for comparison. */
3061        qm1 = q;
3062        w64Decrement(&qm1);
3063    }
3064    else {
3065        /* Copy out SEED and I into private key. */
3066        XMEMCPY(priv + LMS_Q_LEN, priv_raw, params->hash_len + LMS_I_LEN);
3067    }
3068
3069    /* Compute SEED and I for rest of levels. */
3070    for (i = 1U; (ret == 0) && (i < params->levels); i++) {
3071        /* Don't skip calculating SEED and I. */
3072        int skip = 0;
3073
3074        /* Incremental means q, SEED and I already present if q unchanged. */
3075        if (inc) {
3076            /* Calculate previous levels q for previous 64-bit q value. */
3077            word32 qm1_32 = LMS_Q_AT_LEVEL(qm1, params->levels, (int)i - 1,
3078                params->height);
3079            /* Same q at previous level means no need to re-compute. */
3080            if (q32 == qm1_32) {
3081                /* Do skip calculating SEED and I. */
3082                skip = 1;
3083            }
3084        }
3085
3086        /* Get pointers into private q to write q and seed + I. */
3087        priv_q = priv;
3088        priv += LMS_Q_LEN;
3089        priv_seed_i = priv;
3090        priv += params->hash_len + LMS_I_LEN;
3091
3092        /* Get q for level from 64-bit composite. */
3093        q32 = w64GetLow32(w64ShiftRight(q, (int)(params->levels - 1U - i) *
3094            params->height)) & (((word32)1U << params->height) - 1U);
3095        /* Set q of tree. */
3096        c32toa(q32, priv);
3097
3098        if (!skip) {
3099            /* Derive SEED and I into private key. */
3100            ret = wc_hss_derive_seed_i(state, priv_seed_i + params->hash_len,
3101                priv_seed_i, priv_q, priv + LMS_Q_LEN);
3102        }
3103    }
3104
3105    return ret;
3106}
3107
3108#ifndef WOLFSSL_WC_LMS_SMALL
3109#ifndef WOLFSSL_LMS_NO_SIGN_SMOOTHING
3110/* Initialize the next subtree.
3111 *
3112 * @param [in] state      LMS state.
3113 * @param [in] privState  LMS private state.
3114 * @param [in] curr       Current private key.
3115 * @param [in] priv       Next private key.
3116 * @param [in] q          q for this level.
3117 * @return  0 on success.
3118 */
3119static int wc_lms_next_subtree_init(LmsState* state, LmsPrivState* privState,
3120    byte* curr, byte* priv, word32 q)
3121{
3122    int ret;
3123    const LmsParams* params = state->params;
3124    byte* priv_q;
3125    byte* priv_seed;
3126    byte* priv_i;
3127    word32 pq;
3128
3129    /* Get next key pointer. */
3130    priv_q = priv;
3131    /* Get pointers of current private. */
3132    priv_seed = curr + LMS_Q_LEN;
3133    priv_i = curr + LMS_Q_LEN + params->hash_len;
3134    /* Move next private key to next leaf for updating.*/
3135    priv += LMS_Q_LEN + params->hash_len + LMS_I_LEN;
3136
3137    ato32(curr, &pq);
3138    pq = (pq + 1U) & ((((word32)1U) << params->height) - (word32)1U);
3139    c32toa(pq, priv_q);
3140
3141    privState->stack.offset = 0;
3142    /* No unary minus on unsigned; avoids MSVC C4146 and passes clang-tidy */
3143    privState->leaf.idx = (word32)(0U - ((word32)1U << params->cacheBits));
3144    privState->leaf.offset = 0;
3145
3146    /* Derive SEED and I for next tree. */
3147    ret = wc_hss_derive_seed_i(state, priv_i, priv_seed, priv_q,
3148        priv + LMS_Q_LEN);
3149    if (ret == 0) {
3150        /* Update treehash for first leaf. */
3151        ret = wc_lms_treehash_update(state, privState,
3152            priv + LMS_Q_LEN + params->hash_len, priv + LMS_Q_LEN, 0, q, 0, 0);
3153    }
3154
3155    return ret;
3156}
3157
3158/* Increment count on next subtree.
3159 *
3160 * @param [in] state     LMS state.
3161 * @param [in] priv_key  HSS private key.
3162 * @param [in] q64       64-bit q for all levels.
3163 * @return  0 on success.
3164 */
3165static int wc_hss_next_subtree_inc(LmsState* state, HssPrivKey* priv_key,
3166    w64wrapper q64)
3167{
3168    int ret = 0;
3169    const LmsParams* params = state->params;
3170    byte* curr = priv_key->priv;
3171    byte* priv = priv_key->next_priv;
3172    int i;
3173    w64wrapper p64 = q64;
3174    byte tmp_priv[LMS_PRIV_LEN(LMS_MAX_NODE_LEN)];
3175    int use_tmp = 0;
3176    word32 lastQMax = 0;
3177    w64wrapper p64_hi;
3178    w64wrapper q64_hi;
3179
3180    /* Get previous index. */
3181    w64Decrement(&p64);
3182    /* Get index of previous and current parent. */
3183    p64_hi = w64ShiftRight(p64, (params->levels - 1) * params->height);
3184    q64_hi = w64ShiftRight(q64, (params->levels - 1) * params->height);
3185    for (i = 1; (ret == 0) && (i < params->levels); i++) {
3186        word32 qc;
3187        w64wrapper cp64_hi;
3188        w64wrapper cq64_hi;
3189
3190        /* Get index of previous and current child. */
3191        cp64_hi = w64ShiftRight(p64, (params->levels - i - 1) * params->height);
3192        cq64_hi = w64ShiftRight(q64, (params->levels - i - 1) * params->height);
3193        /* Get the q for the child. */
3194        ato32(curr + LMS_PRIV_LEN(params->hash_len), &qc);
3195
3196        /* Compare index of parent node with previous value. */
3197        if (w64LT(p64_hi, q64_hi)) {
3198            wc_lms_priv_state_copy(params, &priv_key->state[i],
3199                &priv_key->next_state[i-1]);
3200            ret = wc_lms_next_subtree_init(state, &priv_key->next_state[i - 1],
3201                use_tmp ? tmp_priv : curr, priv, 0);
3202            use_tmp = 0;
3203        }
3204        /* Check whether the child is in a new subtree. */
3205        else if ((qc == ((word32)1 << params->height) - 1) &&
3206                w64LT(cp64_hi, cq64_hi)) {
3207            XMEMSET(tmp_priv, 0, LMS_Q_LEN);
3208            /* Check whether the node at the previous level is also in a new
3209             * subtree. */
3210            if (lastQMax) {
3211                /* Calculate new SEED and I based on new subtree. */
3212                ret = wc_hss_derive_seed_i(state,
3213                    priv + LMS_Q_LEN + params->hash_len, priv + LMS_Q_LEN,
3214                    tmp_priv, tmp_priv + LMS_Q_LEN);
3215            }
3216            else {
3217                /* Calculate new SEED and I based on parent. */
3218                ret = wc_hss_derive_seed_i(state,
3219                    curr + LMS_Q_LEN + params->hash_len, curr + LMS_Q_LEN, priv,
3220                    tmp_priv + LMS_Q_LEN);
3221            }
3222            /* Values not stored so note that they are in temporary. */
3223            use_tmp = 1;
3224
3225            /* Set the the q. */
3226            XMEMCPY(tmp_priv, curr + LMS_PRIV_LEN(params->hash_len), LMS_Q_LEN);
3227        }
3228
3229        lastQMax = (qc == (((word32)1U << params->height) - (word32)1U));
3230        curr += LMS_PRIV_LEN(params->hash_len);
3231        priv += LMS_PRIV_LEN(params->hash_len);
3232        p64_hi = cp64_hi;
3233        q64_hi = cq64_hi;
3234    }
3235
3236    ForceZero(tmp_priv, sizeof(tmp_priv));
3237    return ret;
3238}
3239
3240/* Initialize the next subtree for each level bar the highest.
3241 *
3242 * @param [in, out] state     LMS state.
3243 * @param [out]     priv_key  Private key data.
3244 * @return  0 on success.
3245 */
3246static int wc_hss_next_subtrees_init(LmsState* state, HssPrivKey* priv_key)
3247{
3248    int ret = 0;
3249    const LmsParams* params = state->params;
3250    byte* curr = priv_key->priv;
3251    byte* priv = priv_key->next_priv;
3252    int i;
3253
3254    XMEMCPY(priv, curr, LMS_PRIV_LEN(params->hash_len));
3255    wc_lms_idx_inc(priv, LMS_Q_LEN);
3256
3257    for (i = 1; (ret == 0) && (i < params->levels); i++) {
3258        word32 q;
3259
3260        ato32(curr + LMS_PRIV_LEN(params->hash_len), &q);
3261        ret = wc_lms_next_subtree_init(state, &priv_key->next_state[i - 1],
3262            curr, priv, q);
3263
3264        curr += LMS_PRIV_LEN(params->hash_len);
3265        priv += LMS_PRIV_LEN(params->hash_len);
3266    }
3267
3268    return ret;
3269}
3270#endif
3271
3272/* Update the authentication path and caches.
3273 *
3274 * @param [in, out] state     LMS state.
3275 * @param [in, out] priv_key  Private key information.
3276 * @param [in]      levels    Number of level to start at.
3277 * @param [out]     pub_root  Public root.
3278 * @return  0 on success.
3279 */
3280static int wc_hss_init_auth_path(LmsState* state, HssPrivKey* priv_key,
3281    byte* pub_root)
3282{
3283    int ret = 0;
3284    int levels = state->params->levels;
3285    byte* priv = priv_key->priv +
3286        LMS_PRIV_LEN(state->params->hash_len) * (word32)(levels - 1);
3287    int l;
3288
3289    for (l = levels - 1; (ret == 0) && (l >= 0); l--) {
3290        word32 q;
3291        const byte* priv_q = priv;
3292        const byte* priv_seed = priv_q + LMS_Q_LEN;
3293        const byte* priv_i = priv_seed + state->params->hash_len;
3294
3295        /* Get current q for tree at level. */
3296        ato32(priv_q, &q);
3297        /* Set cache start to a value that indicates no numbers available. */
3298        ret = wc_lms_treehash_init(state, &priv_key->state[l], priv_i,
3299             priv_seed, q);
3300
3301        /* Move onto next level's data. */
3302        priv -= LMS_PRIV_LEN(state->params->hash_len);
3303    }
3304
3305    if ((ret == 0) && (pub_root != NULL)) {
3306        XMEMCPY(pub_root, priv_key->state[0].root, state->params->hash_len);
3307    }
3308
3309    return ret;
3310}
3311
3312/* Calculate the corresponding authentication path index at that height.
3313 *
3314 * @param [in] i  Leaf node index.
3315 * @param [in] h  Height to calculate for.
3316 * @return  Index on authentication path.
3317 */
3318#define LMS_AUTH_PATH_IDX(i, h)                                 \
3319    (((i) ^ ((word32)1U << (h))) | (((word32)1U << (h)) - 1))
3320
3321/* Update the authentication path.
3322 *
3323 * @param [in, out] state     LMS state.
3324 * @param [in, out] priv_key  Private key information.
3325 * @param [in]      levels    Number of level to start at.
3326 * @return  0 on success.
3327 */
3328static int wc_hss_update_auth_path(LmsState* state, HssPrivKey* priv_key,
3329    byte* priv_raw, int levels)
3330{
3331    const LmsParams* params = state->params;
3332    int ret = 0;
3333    byte* priv = priv_key->priv +
3334        LMS_PRIV_LEN(params->hash_len) * (word32)(levels - 1);
3335    int i;
3336#ifndef WOLFSSL_LMS_NO_SIGN_SMOOTHING
3337    w64wrapper q64;
3338#endif
3339
3340    (void)priv_raw;
3341#ifndef WOLFSSL_LMS_NO_SIGN_SMOOTHING
3342    ato64(priv_raw, &q64);
3343#endif
3344
3345    for (i = levels - 1; (ret == 0) && (i >= 0); i--) {
3346        word32 q;
3347        const byte* priv_q = priv;
3348        const byte* priv_seed = priv_q + LMS_Q_LEN;
3349        const byte* priv_i = priv_seed + params->hash_len;
3350        LmsPrivState* privState = &priv_key->state[i];
3351
3352        /* Get q for tree at level. */
3353        ato32(priv_q, &q);
3354    #ifndef WOLFSSL_LMS_NO_SIGN_SMOOTHING
3355        if ((levels > 1) && (i == levels - 1) && (q == 0)) {
3356            /* New sub-tree. */
3357            ret = wc_hss_next_subtree_inc(state, priv_key, q64);
3358        }
3359        if ((ret == 0) && (q != 0))
3360    #else
3361        if (q == 0) {
3362            /* New sub-tree. */
3363            ret = wc_lms_treehash_init(state, privState, priv_i, priv_seed, 0);
3364        }
3365        else
3366    #endif
3367        {
3368            word32 maxq = q - 1;
3369            int h;
3370            int maxh = params->height;
3371
3372            /* Check each index at each height needed for the auth path. */
3373            for (h = 0; (h < maxh) && (h <= maxh - params->rootLevels); h++) {
3374                /* Calculate the index for current q and q-1. */
3375                word32 qa = LMS_AUTH_PATH_IDX(q, h);
3376                word32 qm1a = LMS_AUTH_PATH_IDX(q - 1, h);
3377                /* If different then needs to be computed so keep highest. */
3378                if ((qa != qm1a) && (qa > maxq)) {
3379                    maxq = qa;
3380                }
3381            }
3382            for (; h < maxh; h++) {
3383                /* Calculate the index for current q and q-1. */
3384                word32 qa = LMS_AUTH_PATH_IDX(q, h);
3385                word32 qm1a = LMS_AUTH_PATH_IDX(q - 1, h);
3386                /* If different then copy in cached hash. */
3387                if ((qa != qm1a) && (qa > maxq)) {
3388                    word32 off = ((word32)1U << (params->height - h)) +
3389                                 (qa >> h) - 1U;
3390                    XMEMCPY(privState->auth_path + h * params->hash_len,
3391                        privState->root + off * params->hash_len,
3392                        params->hash_len);
3393                }
3394            }
3395            /* Update the treehash and calculate the extra indices for
3396             * authentication path. */
3397            ret = wc_lms_treehash_update(state, privState, priv_i, priv_seed,
3398                q - 1, maxq, q, 1);
3399        #ifndef WOLFSSL_LMS_NO_SIGN_SMOOTHING
3400            if ((ret == 0) && (i > 0)) {
3401                w64wrapper tmp64 = w64ShiftRight(q64,
3402                    (levels - i) * params->height);
3403                w64Increment(&tmp64);
3404                tmp64 = w64ShiftLeft(tmp64, 64 - (i * params->height));
3405                if (!w64IsZero(tmp64)) {
3406                    priv_seed = priv_key->next_priv +
3407                        (word32)i * LMS_PRIV_LEN(params->hash_len) + LMS_Q_LEN;
3408                    priv_i = priv_seed + params->hash_len;
3409                    privState = &priv_key->next_state[i - 1];
3410
3411                    ret = wc_lms_treehash_update(state, privState, priv_i,
3412                        priv_seed, q, q, 0, 0);
3413                }
3414            }
3415        #endif
3416            break;
3417        }
3418
3419        /* Move onto next level's data. */
3420        priv -= LMS_PRIV_LEN(params->hash_len);
3421    }
3422
3423    return ret;
3424}
3425
3426#if !defined(WOLFSSL_LMS_NO_SIG_CACHE) && (LMS_MAX_LEVELS > 1)
3427/* Pre-sign for current q so that it isn't needed in signing.
3428 *
3429 * @param [in, out] state     LMS state.
3430 * @param [in, out] priv_key  Private key.
3431 */
3432static int wc_hss_presign(LmsState* state, HssPrivKey* priv_key)
3433{
3434    int ret = 0;
3435    const LmsParams* params = state->params;
3436    byte* buffer = state->buffer;
3437    byte pub[LMS_PUBKEY_LEN(LMS_MAX_NODE_LEN)];
3438    byte* root = pub + LMS_PUBKEY_LEN(params->hash_len) - params->hash_len;
3439    byte* priv = priv_key->priv;
3440    int i;
3441
3442    for (i = params->levels - 2; i >= 0; i--) {
3443        const byte* p = priv + (word32)i * LMS_PRIV_LEN(params->hash_len);
3444        const byte* priv_q = p;
3445        const byte* priv_seed = priv_q + LMS_Q_LEN;
3446        const byte* priv_i = priv_seed + params->hash_len;
3447
3448        /* ... || T(1) */
3449        XMEMCPY(root, priv_key->state[i + 1].root, params->hash_len);
3450        /* u32str(type) || u32str(otstype) || I || T(1) */
3451        p = priv + ((word32)i + 1U) * LMS_PRIV_LEN(params->hash_len);
3452        wc_lmots_public_key_encode(params, p, pub);
3453
3454        /* Setup for hashing: I || Q || ... */
3455        XMEMCPY(buffer, priv_i, LMS_I_LEN);
3456        XMEMCPY(buffer + LMS_I_LEN, priv_q, LMS_Q_LEN);
3457
3458        /* LM-OTS Sign this level. */
3459        ret = wc_lmots_sign(state, priv_seed, pub,
3460                LMS_PUBKEY_LEN(params->hash_len),
3461                priv_key->y + (word32)i *
3462                    LMS_PRIV_Y_TREE_LEN(params->p, params->hash_len));
3463    }
3464
3465    return ret;
3466}
3467#endif /* !WOLFSSL_LMS_NO_SIG_CACHE && LMS_MAX_LEVELS > 1 */
3468#endif /* !WOLFSSL_WC_LMS_SMALL */
3469
3470/* Load the private key data into HSS private key structure.
3471 *
3472 * @param [in]      params     LMS parameters.
3473 * @param [in, out] key        HSS private key.
3474 * @param [in]      priv_data  Private key data.
3475 */
3476static void wc_hss_priv_data_load(const LmsParams* params, HssPrivKey* key,
3477    byte* priv_data)
3478{
3479#ifndef WOLFSSL_WC_LMS_SMALL
3480    int l;
3481#endif
3482
3483    /* Expanded private keys. */
3484    key->priv = priv_data;
3485    priv_data += LMS_PRIV_KEY_LEN(params->levels, params->hash_len);
3486
3487#ifndef WOLFSSL_WC_LMS_SMALL
3488    for (l = 0; l < params->levels; l++) {
3489        /* Caches for subtree. */
3490        wc_lms_priv_state_load(params, &key->state[l], priv_data);
3491        priv_data += LMS_PRIV_STATE_LEN(params->height, params->rootLevels,
3492            params->cacheBits, params->hash_len);
3493    }
3494
3495#ifndef WOLFSSL_LMS_NO_SIGN_SMOOTHING
3496    /* Next subtree's expanded private keys. */
3497    key->next_priv = priv_data;
3498    priv_data += LMS_PRIV_KEY_LEN(params->levels, params->hash_len);
3499    for (l = 0; l < params->levels - 1; l++) {
3500        /* Next subtree's caches. */
3501        wc_lms_priv_state_load(params, &key->next_state[l], priv_data);
3502        priv_data += LMS_PRIV_STATE_LEN(params->height, params->rootLevels,
3503            params->cacheBits, params->hash_len);
3504    }
3505#endif /* WOLFSSL_LMS_NO_SIGN_SMOOTHING */
3506
3507#ifndef WOLFSSL_LMS_NO_SIG_CACHE
3508    /* Signature cache. */
3509    key->y = priv_data;
3510#endif /* WOLFSSL_LMS_NO_SIG_CACHE */
3511#endif /* WOLFSSL_WC_LMS_SMALL */
3512}
3513
3514#ifndef WOLFSSL_WC_LMS_SMALL
3515/* Store the private key data from HSS private key structure.
3516 *
3517 * @param [in]      params     LMS parameters.
3518 * @param [in]      key        HSS private key.
3519 * @param [in, out] priv_data  Private key data.
3520 */
3521static void wc_hss_priv_data_store(const LmsParams* params, HssPrivKey* key,
3522    byte* priv_data)
3523{
3524    int l;
3525
3526    /* Expanded private keys. */
3527    priv_data += LMS_PRIV_KEY_LEN(params->levels, params->hash_len);
3528
3529    for (l = 0; l < params->levels; l++) {
3530        /* Caches for subtrees. */
3531        wc_lms_priv_state_store(params, &key->state[l], priv_data);
3532        priv_data += LMS_PRIV_STATE_LEN(params->height, params->rootLevels,
3533            params->cacheBits, params->hash_len);
3534    }
3535#ifndef WOLFSSL_LMS_NO_SIGN_SMOOTHING
3536    /* Next subtree's expanded private keys. */
3537    priv_data += LMS_PRIV_KEY_LEN(params->levels, params->hash_len);
3538    for (l = 0; l < params->levels - 1; l++) {
3539        /* Next subtree's caches. */
3540        wc_lms_priv_state_store(params, &key->next_state[l], priv_data);
3541        priv_data += LMS_PRIV_STATE_LEN(params->height, params->rootLevels,
3542            params->cacheBits, params->hash_len);
3543    }
3544#endif /* WOLFSSL_LMS_NO_SIGN_SMOOTHING */
3545
3546#ifndef WOLFSSL_LMS_NO_SIG_CACHE
3547    /* Signature cache. */
3548#endif /* WOLFSSL_LMS_NO_SIG_CACHE */
3549}
3550#endif /* WOLFSSL_WC_LMS_SMALL */
3551
3552/* Expand private key for each level and calculating auth path..
3553 *
3554 * @param [in, out] state      LMS state.
3555 * @param [in]      priv_raw   Raw private key bytes.
3556 * @param [out]     priv_key   Private key data.
3557 * @param [out]     priv_data  Private key data.
3558 * @param [out]     pub_root   Public key root node.
3559 * @return  0 on success.
3560 */
3561int wc_hss_reload_key(LmsState* state, const byte* priv_raw,
3562    HssPrivKey* priv_key, byte* priv_data, byte* pub_root)
3563{
3564    int ret = 0;
3565
3566    (void)pub_root;
3567
3568    /* Defend against undefined shifts; LmsParams* params = state->params */
3569    if (state->params->height >= 32U) {
3570        return BAD_FUNC_ARG;
3571    }
3572#ifndef WOLFSSL_WC_LMS_SMALL
3573    if (state->params->cacheBits >= 32U) {
3574        return BAD_FUNC_ARG;
3575    }
3576#endif
3577
3578    wc_hss_priv_data_load(state->params, priv_key, priv_data);
3579#ifndef WOLFSSL_WC_LMS_SMALL
3580    priv_key->inited = 0;
3581#endif
3582
3583#ifdef WOLFSSL_WC_LMS_SERIALIZE_STATE
3584    if (pub_root != NULL)
3585#endif
3586    {
3587        /* Expand the raw private key into the private key data. */
3588        ret = wc_hss_expand_private_key(state, priv_key->priv, priv_raw, 0);
3589    #ifndef WOLFSSL_WC_LMS_SMALL
3590        if ((ret == 0) && (!priv_key->inited)) {
3591            /* Initialize the authentication paths and caches for all trees. */
3592            ret = wc_hss_init_auth_path(state, priv_key, pub_root);
3593        #ifndef WOLFSSL_LMS_NO_SIGN_SMOOTHING
3594            if (ret == 0) {
3595                ret = wc_hss_next_subtrees_init(state, priv_key);
3596            }
3597        #endif
3598        #if !defined(WOLFSSL_LMS_NO_SIG_CACHE) && (LMS_MAX_LEVELS > 1)
3599            if (ret == 0) {
3600                /* Calculate signatures for trees not at bottom. */
3601                ret = wc_hss_presign(state, priv_key);
3602            }
3603        #endif /* !WOLFSSL_LMS_NO_SIG_CACHE */
3604        }
3605    #endif /* WOLFSSL_WC_LMS_SMALL */
3606    }
3607#ifndef WOLFSSL_WC_LMS_SMALL
3608    /* Set initialized flag. */
3609    priv_key->inited = (ret == 0);
3610#endif
3611
3612    return ret;
3613}
3614
3615/* Make an HSS key pair.
3616 *
3617 * @param [in, out] state      LMS state.
3618 * @param [in]      rng        Random number generator.
3619 * @param [out]     priv_raw   Private key to write.
3620 * @param [out]     priv_key   Private key.
3621 * @param [out]     priv_data  Private key data.
3622 * @param [out]     pub        Public key.
3623 * @return  0 on success.
3624 */
3625int wc_hss_make_key(LmsState* state, WC_RNG* rng, byte* priv_raw,
3626    HssPrivKey* priv_key, byte* priv_data, byte* pub)
3627{
3628    const LmsParams* params = state->params;
3629    int ret = 0;
3630    word32 i;
3631    byte* p = priv_raw;
3632    byte* pub_root = pub + LMS_L_LEN + LMS_TYPE_LEN + LMS_TYPE_LEN + LMS_I_LEN;
3633
3634    /* The 64-bit q starts at 0 - set into raw private key. */
3635    wc_lms_idx_zero(p, HSS_Q_LEN);
3636    p += HSS_Q_LEN;
3637
3638    /* Set the LMS and LM-OTS types for each level. */
3639    for (i = 0; i < params->levels; i++) {
3640        p[i] = (byte)(((params->lmsType & LMS_H_W_MASK) << 4) +
3641                      (params->lmOtsType & LMS_H_W_MASK));
3642    }
3643    /* Set rest of levels to an invalid value. */
3644    for (; i < HSS_MAX_LEVELS; i++) {
3645        p[i] = 0xff;
3646    }
3647    p += HSS_PRIV_KEY_PARAM_SET_LEN;
3648
3649    /* Make the private key. */
3650    ret = wc_lmots_make_private_key(rng, params->hash_len, p);
3651
3652    if (ret == 0) {
3653        /* Set the levels into the public key data. */
3654        c32toa(params->levels, pub);
3655        pub += LMS_L_LEN;
3656
3657        ret = wc_hss_reload_key(state, priv_raw, priv_key, priv_data, pub_root);
3658    }
3659    #ifdef WOLFSSL_WC_LMS_SMALL
3660    if (ret == 0) {
3661        byte* priv_seed = priv_key->priv + LMS_Q_LEN;
3662        byte* priv_i = priv_seed + params->hash_len;
3663
3664        /* Compute the root of the highest tree to get the root for public key.
3665         */
3666        ret = wc_lms_make_public_key(state, priv_i, priv_seed, pub_root);
3667    }
3668    #endif /* !WOLFSSL_WC_LMS_SMALL */
3669    if (ret == 0) {
3670        /* Encode the public key with remaining fields from the private key. */
3671        wc_lmots_public_key_encode(params, priv_key->priv, pub);
3672    }
3673
3674#ifdef WOLFSSL_WC_LMS_SERIALIZE_STATE
3675    wc_hss_priv_data_store(state->params, priv_key, priv_data);
3676#endif
3677
3678    return ret;
3679}
3680
3681#ifdef WOLFSSL_WC_LMS_SMALL
3682/* Sign message using HSS.
3683 *
3684 * Algorithm 8: Generating an HSS signature
3685 *   1. If the message-signing key prv[L-1] is exhausted, regenerate
3686 *      that key pair, together with any parent key pairs that might
3687 *      be necessary.
3688 *      If the root key pair is exhausted, then the HSS key pair is
3689 *      exhausted and MUST NOT generate any more signatures.
3690 *      d = L
3691 *      while (prv[d-1].q == 2^(prv[d-1].h)) {
3692 *        d = d - 1
3693 *        if (d == 0)
3694 *          return FAILURE
3695 *      }
3696 *      while (d < L) {
3697 *        create lms key pair pub[d], prv[d]
3698 *        sig[d-1] = lms_signature( pub[d], prv[d-1] )
3699 *        d = d + 1
3700 *      }
3701 *   2. Sign the message.
3702 *      sig[L-1] = lms_signature( msg, prv[L-1] )
3703 *   3. Create the list of signed public keys.
3704 *      i = 0;
3705 *      while (i < L-1) {
3706 *        signed_pub_key[i] = sig[i] || pub[i+1]
3707 *        i = i + 1
3708 *      }
3709 *   4. Return u32str(L-1) || signed_pub_key[0] || ...
3710 *                               || signed_pub_key[L-2] || sig[L-1]
3711 *
3712 * @param [in, out] state     LMS state.
3713 * @param [in, out] priv_raw  Raw private key bytes.
3714 * @param [in, out] priv_key  Private key data.
3715 * @param [in]      msg       Message to sign.
3716 * @param [in]      msgSz     Length of message in bytes.
3717 * @param [out]     sig       Signature of message.
3718 * @return  0 on success.
3719 */
3720int wc_hss_sign(LmsState* state, byte* priv_raw, HssPrivKey* priv_key,
3721    byte* priv_data, const byte* msg, word32 msgSz, byte* sig)
3722{
3723    const LmsParams* params = state->params;
3724    int ret = 0;
3725    byte* priv = priv_key->priv;
3726
3727    (void)priv_data;
3728
3729    /* Step 1. Part 2: Check for total key exhaustion. */
3730    if (!wc_hss_sigsleft(params, priv_raw)) {
3731        ret = KEY_EXHAUSTED_E;
3732    }
3733
3734    if (ret == 0) {
3735        /* Expand the raw private key into the private key data. */
3736        ret = wc_hss_expand_private_key(state, priv, priv_raw, 0);
3737    }
3738    if (ret == 0) {
3739        int i;
3740        w64wrapper q;
3741        w64wrapper qm1;
3742
3743        /* Get 64-bit q from raw private key. */
3744        ato64(priv_raw, &q);
3745        /* Calculate q-1 for comparison. */
3746        qm1 = q;
3747        w64Decrement(&qm1);
3748
3749        /* Set number of signed public keys. */
3750        c32toa((word32)(params->levels - 1), sig);
3751        sig += params->sig_len;
3752
3753        /* Build from bottom up. */
3754        for (i = params->levels - 1; (ret == 0) && (i >= 0); i--) {
3755            byte* p = priv + (word32)i * LMS_PRIV_LEN(params->hash_len);
3756            byte* root = NULL;
3757
3758            /* Move to start of next signature at this level. */
3759            sig -= LMS_SIG_LEN(params->height, params->p, params->hash_len);
3760            if (i != 0) {
3761                /* Put root node into signature at this index. */
3762                root = sig - params->hash_len;
3763            }
3764
3765            /* Sign using LMS for this level. */
3766            ret = wc_lms_sign(state, p, msg, msgSz, sig);
3767            if (ret == 0) {
3768                byte* s = sig + LMS_Q_LEN + LMS_TYPE_LEN +
3769                            LMOTS_Y_LEN(params->p, params->hash_len) +
3770                            LMS_TYPE_LEN;
3771                byte* priv_q = p;
3772                byte* priv_seed = priv_q + LMS_Q_LEN;
3773                byte* priv_i = priv_seed + params->hash_len;
3774                word32 q32;
3775
3776                /* Get Q from private key as a number. */
3777                ato32(priv_q, &q32);
3778                /* Calculate authentication path. */
3779                ret = wc_lms_auth_path(state, priv_i, priv_seed, q32, s, root);
3780            }
3781            if ((ret == 0) && (i != 0)) {
3782                /* Create public data for this level if there is another. */
3783                sig -= LMS_PUBKEY_LEN(params->hash_len);
3784                msg = sig;
3785                msgSz = LMS_PUBKEY_LEN(params->hash_len);
3786                wc_lmots_public_key_encode(params, p, sig);
3787            }
3788        }
3789    }
3790    if (ret == 0) {
3791        /* Increment index of leaf node to sign with in raw data. */
3792        wc_lms_idx_inc(priv_raw, HSS_Q_LEN);
3793    }
3794
3795    return ret;
3796}
3797#else
3798/* Build signature for HSS signed message.
3799 *
3800 * Algorithm 8: Generating an HSS signature
3801 *   1. ...
3802 *      while (prv[d-1].q == 2^(prv[d-1].h)) {
3803 *        d = d - 1
3804 *        if (d == 0)
3805 *          return FAILURE
3806 *      }
3807 *      while (d < L) {
3808 *        create lms key pair pub[d], prv[d]
3809 *        sig[d-1] = lms_signature( pub[d], prv[d-1] )
3810 *        d = d + 1
3811 *      }
3812 *   2. Sign the message.
3813 *      sig[L-1] = lms_signature( msg, prv[L-1] )
3814 *   3. Create the list of signed public keys.
3815 *      i = 0;
3816 *      while (i < L-1) {
3817 *        signed_pub_key[i] = sig[i] || pub[i+1]
3818 *        i = i + 1
3819 *      }
3820 *   4. Return u32str(L-1) || signed_pub_key[0] || ...
3821 *                               || signed_pub_key[L-2] || sig[L-1]
3822 *
3823 * @param [in, out] state      LMS state.
3824 * @param [in, out] priv_raw   Raw private key bytes.
3825 * @param [in, out] priv_key   Private key data.
3826 * @param [in]      msg        Message to sign.
3827 * @param [in]      msgSz      Length of message in bytes.
3828 * @param [out]     sig        Signature of message.
3829 * @return  0 on success.
3830 */
3831static int wc_hss_sign_build_sig(LmsState* state, byte* priv_raw,
3832    HssPrivKey* priv_key, const byte* msg, word32 msgSz, byte* sig)
3833{
3834    const LmsParams* params = state->params;
3835    int ret = 0;
3836    int i;
3837    w64wrapper q;
3838    w64wrapper qm1;
3839    byte* priv = priv_key->priv;
3840
3841    /* Get 64-bit q from raw private key. */
3842    ato64(priv_raw, &q);
3843    /* Calculate q-1 for comparison. */
3844    qm1 = q;
3845    w64Decrement(&qm1);
3846
3847    /* Set number of signed public keys. */
3848    c32toa((word32)(params->levels - 1), sig);
3849    sig += params->sig_len;
3850
3851    /* Build from bottom up. */
3852    for (i = params->levels - 1; (ret == 0) && (i >= 0); i--) {
3853        byte* p = priv + (word32)i * LMS_PRIV_LEN(params->hash_len);
3854    #if !defined(WOLFSSL_LMS_MAX_LEVELS) || WOLFSSL_LMS_MAX_LEVELS > 1
3855        byte* root = NULL;
3856    #endif
3857    #ifndef WOLFSSL_LMS_NO_SIG_CACHE
3858        int store_p = 0;
3859        word32 q_32 = LMS_Q_AT_LEVEL(q, params->levels, i,
3860            params->height);
3861        word32 qm1_32 = LMS_Q_AT_LEVEL(qm1, params->levels, i,
3862            params->height);
3863    #endif /* !WOLFSSL_LMS_NO_SIG_CACHE */
3864
3865        /* Move to start of next signature at this level. */
3866        sig -= LMS_SIG_LEN(params->height, params->p, params->hash_len);
3867    #if !defined(WOLFSSL_LMS_MAX_LEVELS) || WOLFSSL_LMS_MAX_LEVELS > 1
3868        if (i != 0) {
3869            /* Put root node into signature at this index. */
3870            root = sig - params->hash_len;
3871        }
3872    #endif
3873
3874    #ifndef WOLFSSL_LMS_NO_SIG_CACHE
3875        /* Check if we have a cached version of C and the p hashes that we
3876         * can reuse. */
3877        if ((i < params->levels - 1) && (q_32 == qm1_32)) {
3878            wc_lms_sig_copy(params, priv_key->y +
3879                (word32)i * LMS_PRIV_Y_TREE_LEN(params->p, params->hash_len),
3880                p, sig);
3881        }
3882        else
3883    #endif /* !WOLFSSL_LMS_NO_SIG_CACHE */
3884        {
3885            /* Sign using LMS for this level. */
3886            ret = wc_lms_sign(state, p, msg, msgSz, sig);
3887        #ifndef WOLFSSL_LMS_NO_SIG_CACHE
3888            store_p = (i < params->levels - 1);
3889        #endif /* !WOLFSSL_LMS_NO_SIG_CACHE */
3890        }
3891        if (ret == 0) {
3892            byte* s = sig + LMS_Q_LEN + LMS_TYPE_LEN;
3893
3894        #ifndef WOLFSSL_LMS_NO_SIG_CACHE
3895            /* Check if we computed new C and p hashes. */
3896            if (store_p) {
3897                /* Cache the C and p hashes. */
3898                XMEMCPY(priv_key->y +
3899                    (word32)i *
3900                        LMS_PRIV_Y_TREE_LEN(params->p, params->hash_len), s,
3901                    LMS_PRIV_Y_TREE_LEN(params->p, params->hash_len));
3902            }
3903        #endif /* !WOLFSSL_LMS_NO_SIG_CACHE */
3904            s += LMOTS_Y_LEN(params->p, params->hash_len) + LMS_TYPE_LEN;
3905
3906            /* Copy the authentication path out of the private key. */
3907            XMEMCPY(s, priv_key->state[i].auth_path,
3908                (word32)params->height * params->hash_len);
3909        #if !defined(WOLFSSL_LMS_MAX_LEVELS) || WOLFSSL_LMS_MAX_LEVELS > 1
3910            /* Copy the root node into signature unless at top. */
3911            if (i != 0) {
3912                XMEMCPY(root, priv_key->state[i].root, params->hash_len);
3913            }
3914        #endif
3915        }
3916        if ((ret == 0) && (i != 0)) {
3917            /* Create public data for this level if there is another. */
3918            sig -= LMS_PUBKEY_LEN(params->hash_len);
3919            msg = sig;
3920            msgSz = LMS_PUBKEY_LEN(params->hash_len);
3921            wc_lmots_public_key_encode(params, p, sig);
3922        }
3923    }
3924
3925    return ret;
3926}
3927
3928/* Sign message using HSS.
3929 *
3930 * Algorithm 8: Generating an HSS signature
3931 *   1. If the message-signing key prv[L-1] is exhausted, regenerate
3932 *      that key pair, together with any parent key pairs that might
3933 *      be necessary.
3934 *      If the root key pair is exhausted, then the HSS key pair is
3935 *      exhausted and MUST NOT generate any more signatures.
3936 *      d = L
3937 *      while (prv[d-1].q == 2^(prv[d-1].h)) {
3938 *        d = d - 1
3939 *        if (d == 0)
3940 *          return FAILURE
3941 *      }
3942 *      while (d < L) {
3943 *        create lms key pair pub[d], prv[d]
3944 *        sig[d-1] = lms_signature( pub[d], prv[d-1] )
3945 *        d = d + 1
3946 *      }
3947 *   2. Sign the message.
3948 *      sig[L-1] = lms_signature( msg, prv[L-1] )
3949 *   3. Create the list of signed public keys.
3950 *      i = 0;
3951 *      while (i < L-1) {
3952 *        signed_pub_key[i] = sig[i] || pub[i+1]
3953 *        i = i + 1
3954 *      }
3955 *   4. Return u32str(L-1) || signed_pub_key[0] || ...
3956 *                               || signed_pub_key[L-2] || sig[L-1]
3957 *
3958 * @param [in, out] state      LMS state.
3959 * @param [in, out] priv_raw   Raw private key bytes.
3960 * @param [in, out] priv_key   Private key.
3961 * @param [in, out] priv_data  Private key data.
3962 * @param [in]      msg        Message to sign.
3963 * @param [in]      msgSz      Length of message in bytes.
3964 * @param [out]     sig        Signature of message.
3965 * @return  0 on success.
3966 */
3967int wc_hss_sign(LmsState* state, byte* priv_raw, HssPrivKey* priv_key,
3968    byte* priv_data, const byte* msg, word32 msgSz, byte* sig)
3969{
3970    const LmsParams* params = state->params;
3971    int ret = 0;
3972
3973    /* Validate fixed parameters for static code analyzers. */
3974    if ((params->rootLevels == 0) || (params->rootLevels > params->height)) {
3975        ret = BAD_FUNC_ARG;
3976    }
3977
3978    /* Step 1. Part 2: Check for total key exhaustion. */
3979    if ((ret == 0) && (!wc_hss_sigsleft(params, priv_raw))) {
3980        ret = KEY_EXHAUSTED_E;
3981    }
3982
3983    if ((ret == 0) && (!priv_key->inited)) {
3984        /* Initialize the authentication paths and caches for all trees. */
3985        ret = wc_hss_init_auth_path(state, priv_key, NULL);
3986    #if !defined(WOLFSSL_LMS_NO_SIG_CACHE) && (LMS_MAX_LEVELS > 1)
3987        if (ret == 0) {
3988            ret = wc_hss_presign(state, priv_key);
3989        }
3990    #endif /* !WOLFSSL_LMS_NO_SIG_CACHE */
3991        /* Set initialized flag. */
3992        priv_key->inited = (ret == 0);
3993    }
3994    if (ret == 0) {
3995        ret = wc_hss_sign_build_sig(state, priv_raw, priv_key, msg, msgSz, sig);
3996    }
3997    if (ret == 0) {
3998        /* Increment index of leaf node to sign with in raw data. */
3999        wc_lms_idx_inc(priv_raw, HSS_Q_LEN);
4000    }
4001    /* Check we will produce another signature. */
4002    if ((ret == 0) && wc_hss_sigsleft(params, priv_raw)) {
4003        /* Update the expanded private key data. */
4004        ret = wc_hss_expand_private_key(state, priv_key->priv, priv_raw, 1);
4005        if (ret == 0) {
4006            /* Update authentication path and caches for all trees. */
4007            ret = wc_hss_update_auth_path(state, priv_key, priv_raw,
4008                params->levels);
4009        }
4010    }
4011    if (ret == 0) {
4012        /* Store the updated private key data. */
4013        wc_hss_priv_data_store(state->params, priv_key, priv_data);
4014    }
4015
4016    return ret;
4017}
4018#endif
4019
4020/* Check whether key is exhausted.
4021 *
4022 * First 8 bytes of raw key is the index.
4023 * Check index is less than count of leaf nodes.
4024 *
4025 * @param [in] params    LMS parameters.
4026 * @param [in] priv_raw  HSS raw private key.
4027 * @return  1 when signature possible.
4028 * @return  0 when private key exhausted.
4029 */
4030int wc_hss_sigsleft(const LmsParams* params, const byte* priv_raw)
4031{
4032    int ret;
4033    w64wrapper q;
4034    w64wrapper cnt;
4035
4036    if (params->levels * params->height >= 64) {
4037        ret = 1;
4038    }
4039    else {
4040        /* Get current q - next leaf index to sign with. */
4041        ato64(priv_raw, &q);
4042        /* 1 << total_height = total leaf nodes. */
4043        cnt = w64ShiftLeft(w64From32(0, 1), params->levels * params->height);
4044        /* Check q is less than total leaf node count. */
4045        ret = w64LT(q, cnt);
4046    }
4047
4048    return ret;
4049}
4050#endif /* !WOLFSSL_LMS_VERIFY_ONLY */
4051
4052/* Verify message using HSS.
4053 *
4054 * Section 6.3. Signature Verification
4055 *  1. Nspk = strTou32(first four bytes of S)
4056 *  2. if Nspk+1 is not equal to the number of levels L in pub:
4057 *  3.   return INVALID
4058 *  4. key = pub
4059 *  5. for (i = 0; i < Nspk; i = i + 1) {
4060 *  6.   sig = siglist[i]
4061 *  7.   msg = publist[i]
4062 *  8.   if (lms_verify(msg, key, sig) != VALID):
4063 *  9.     return INVALID
4064 * 10.   key = msg
4065 * 11. }
4066 * 12. return lms_verify(message, key, siglist[Nspk])
4067 *
4068 * @param [in, out] state  LMS state.
4069 * @param [in]      pub    HSS public key.
4070 * @param [in]      msg    Message to verify.
4071 * @param [in]      msgSz  Length of message in bytes.
4072 * @param [in]      sig    Signature of message.
4073 * @return  0 on success.
4074 * @return  SIG_VERIFY_E on failure.
4075 */
4076int wc_hss_verify(LmsState* state, const byte* pub, const byte* msg,
4077    word32 msgSz, const byte* sig, word32 sigSz)
4078{
4079    const LmsParams* params = state->params;
4080    int ret = 0;
4081    word32 nspk;
4082    const byte* key = pub + LMS_L_LEN;
4083    word32 levels;
4084    word32 sigRem;
4085    /* Bytes consumed by one LMS signature in the HSS chain (matches the
4086     * lms_sig_required calculation in wc_lms_verify). */
4087    const word32 lms_sig_bytes =
4088        LMS_SIG_LEN(params->height, params->p, params->hash_len);
4089    const word32 next_pubkey_bytes = LMS_PUBKEY_LEN(params->hash_len);
4090
4091    /* Need at least the leading L (number of signed public keys). */
4092    if (sigSz < LMS_L_LEN) {
4093        return BUFFER_E;
4094    }
4095
4096    /* Get number of levels from public key. */
4097    ato32(pub, &levels);
4098    /* Line 1: Get number of signed public keys from signature. */
4099    ato32(sig, &nspk);
4100    /* Line 6 (First iteration): Move to start of next signature. */
4101    sig += LMS_L_LEN;
4102    sigRem = sigSz - LMS_L_LEN;
4103
4104    /* Validate that the count of levels matches the parameters. */
4105    if (levels != state->params->levels) {
4106        ret = SIG_VERIFY_E;
4107    }
4108    /* Line 2: Verify that pub and signature match in levels. */
4109    if ((ret == 0) && (nspk + 1 != levels)) {
4110        /* Line 3: Return invalid signature. */
4111        ret = SIG_VERIFY_E;
4112    }
4113    if (ret == 0) {
4114        word32 i;
4115
4116        /* Line 5: For all but last LMS signature. */
4117        for (i = 0; (ret == 0) && (i < nspk); i++) {
4118            const byte* pubList;
4119
4120            /* Defensive bounds: each non-final iteration consumes one
4121             * LMS signature plus the next-level public key. */
4122            if (sigRem < lms_sig_bytes + next_pubkey_bytes) {
4123                ret = BUFFER_E;
4124                break;
4125            }
4126
4127            /* Line 7: Get start of public key in signature. */
4128            pubList = sig + lms_sig_bytes;
4129            /* Line 8: Verify the LMS signature with public key as message. */
4130            ret = wc_lms_verify(state, key, pubList,
4131                next_pubkey_bytes, sig, lms_sig_bytes);
4132            /* Line 10: Next key is from signature. */
4133            key = pubList;
4134            /* Line 6: Move to start of next signature. */
4135            sig = pubList + next_pubkey_bytes;
4136            sigRem -= (lms_sig_bytes + next_pubkey_bytes);
4137        }
4138    }
4139    if (ret == 0) {
4140        /* Line 12: Verify bottom tree with real message. The bottom-tree
4141         * LMS signature consumes exactly the remaining sigSz; pass that
4142         * as the bound and let wc_lms_verify enforce its own minimum. */
4143        ret = wc_lms_verify(state, key, msg, msgSz, sig, sigRem);
4144    }
4145
4146    return ret;
4147}
4148
4149#endif /* WOLFSSL_HAVE_LMS */
4150