cjson
fuzzing
inputs
test1 test10 test11 test2 test3 test3.bu test3.uf test3.uu test4 test5 test6 test7 test8 test9library_config
cJSONConfig.cmake.in cJSONConfigVersion.cmake.in libcjson.pc.in libcjson_utils.pc.in uninstall.cmaketests
inputs
test1 test1.expected test10 test10.expected test11 test11.expected test2 test2.expected test3 test3.expected test4 test4.expected test5 test5.expected test6 test7 test7.expected test8 test8.expected test9 test9.expectedjson-patch-tests
.editorconfig .gitignore .npmignore README.md cjson-utils-tests.json package.json spec_tests.json tests.jsonunity
auto
colour_prompt.rb colour_reporter.rb generate_config.yml generate_module.rb generate_test_runner.rb parse_output.rb stylize_as_junit.rb test_file_filter.rb type_sanitizer.rb unity_test_summary.py unity_test_summary.rb unity_to_junit.pydocs
ThrowTheSwitchCodingStandard.md UnityAssertionsCheatSheetSuitableforPrintingandPossiblyFraming.pdf UnityAssertionsReference.md UnityConfigurationGuide.md UnityGettingStartedGuide.md UnityHelperScriptsGuide.md license.txtexamples
unity_config.hcurl
.github
scripts
cleancmd.pl cmp-config.pl cmp-pkg-config.sh codespell-ignore.words codespell.sh distfiles.sh pyspelling.words pyspelling.yaml randcurl.pl requirements-docs.txt requirements-proselint.txt requirements.txt shellcheck-ci.sh shellcheck.sh spellcheck.curl trimmarkdownheader.pl typos.sh typos.toml verify-examples.pl verify-synopsis.pl yamlcheck.sh yamlcheck.yamlworkflows
appveyor-status.yml checkdocs.yml checksrc.yml checkurls.yml codeql.yml configure-vs-cmake.yml curl-for-win.yml distcheck.yml fuzz.yml http3-linux.yml label.yml linux-old.yml linux.yml macos.yml non-native.yml windows.ymlCMake
CurlSymbolHiding.cmake CurlTests.c FindBrotli.cmake FindCares.cmake FindGSS.cmake FindGnuTLS.cmake FindLDAP.cmake FindLibbacktrace.cmake FindLibgsasl.cmake FindLibidn2.cmake FindLibpsl.cmake FindLibssh.cmake FindLibssh2.cmake FindLibuv.cmake FindMbedTLS.cmake FindNGHTTP2.cmake FindNGHTTP3.cmake FindNGTCP2.cmake FindNettle.cmake FindQuiche.cmake FindRustls.cmake FindWolfSSL.cmake FindZstd.cmake Macros.cmake OtherTests.cmake PickyWarnings.cmake Utilities.cmake cmake_uninstall.in.cmake curl-config.in.cmake unix-cache.cmake win32-cache.cmakedocs
cmdline-opts
.gitignore CMakeLists.txt MANPAGE.md Makefile.am Makefile.inc _AUTHORS.md _BUGS.md _DESCRIPTION.md _ENVIRONMENT.md _EXITCODES.md _FILES.md _GLOBBING.md _NAME.md _OPTIONS.md _OUTPUT.md _PROGRESS.md _PROTOCOLS.md _PROXYPREFIX.md _SEEALSO.md _SYNOPSIS.md _URL.md _VARIABLES.md _VERSION.md _WWW.md abstract-unix-socket.md alt-svc.md anyauth.md append.md aws-sigv4.md basic.md ca-native.md cacert.md capath.md cert-status.md cert-type.md cert.md ciphers.md compressed-ssh.md compressed.md config.md connect-timeout.md connect-to.md continue-at.md cookie-jar.md cookie.md create-dirs.md create-file-mode.md crlf.md crlfile.md curves.md data-ascii.md data-binary.md data-raw.md data-urlencode.md data.md delegation.md digest.md disable-eprt.md disable-epsv.md disable.md disallow-username-in-url.md dns-interface.md dns-ipv4-addr.md dns-ipv6-addr.md dns-servers.md doh-cert-status.md doh-insecure.md doh-url.md dump-ca-embed.md dump-header.md ech.md egd-file.md engine.md etag-compare.md etag-save.md expect100-timeout.md fail-early.md fail-with-body.md fail.md false-start.md follow.md form-escape.md form-string.md form.md ftp-account.md ftp-alternative-to-user.md ftp-create-dirs.md ftp-method.md ftp-pasv.md ftp-port.md ftp-pret.md ftp-skip-pasv-ip.md ftp-ssl-ccc-mode.md ftp-ssl-ccc.md ftp-ssl-control.md get.md globoff.md happy-eyeballs-timeout-ms.md haproxy-clientip.md haproxy-protocol.md head.md header.md help.md hostpubmd5.md hostpubsha256.md hsts.md http0.9.md http1.0.md http1.1.md http2-prior-knowledge.md http2.md http3-only.md http3.md ignore-content-length.md insecure.md interface.md ip-tos.md ipfs-gateway.md ipv4.md ipv6.md json.md junk-session-cookies.md keepalive-cnt.md keepalive-time.md key-type.md key.md knownhosts.md krb.md libcurl.md limit-rate.md list-only.md local-port.md location-trusted.md location.md login-options.md mail-auth.md mail-from.md mail-rcpt-allowfails.md mail-rcpt.md mainpage.idx manual.md max-filesize.md max-redirs.md max-time.md metalink.md mptcp.md negotiate.md netrc-file.md netrc-optional.md netrc.md next.md no-alpn.md no-buffer.md no-clobber.md no-keepalive.md no-npn.md no-progress-meter.md no-sessionid.md noproxy.md ntlm-wb.md ntlm.md oauth2-bearer.md out-null.md output-dir.md output.md parallel-immediate.md parallel-max-host.md parallel-max.md parallel.md pass.md path-as-is.md pinnedpubkey.md post301.md post302.md post303.md preproxy.md progress-bar.md proto-default.md proto-redir.md proto.md proxy-anyauth.md proxy-basic.md proxy-ca-native.md proxy-cacert.md proxy-capath.md proxy-cert-type.md proxy-cert.md proxy-ciphers.md proxy-crlfile.md proxy-digest.md proxy-header.md proxy-http2.md proxy-insecure.md proxy-key-type.md proxy-key.md proxy-negotiate.md proxy-ntlm.md proxy-pass.md proxy-pinnedpubkey.md proxy-service-name.md proxy-ssl-allow-beast.md proxy-ssl-auto-client-cert.md proxy-tls13-ciphers.md proxy-tlsauthtype.md proxy-tlspassword.md proxy-tlsuser.md proxy-tlsv1.md proxy-user.md proxy.md proxy1.0.md proxytunnel.md pubkey.md quote.md random-file.md range.md rate.md raw.md referer.md remote-header-name.md remote-name-all.md remote-name.md remote-time.md remove-on-error.md request-target.md request.md resolve.md retry-all-errors.md retry-connrefused.md retry-delay.md retry-max-time.md retry.md sasl-authzid.md sasl-ir.md service-name.md show-error.md show-headers.md sigalgs.md silent.md skip-existing.md socks4.md socks4a.md socks5-basic.md socks5-gssapi-nec.md socks5-gssapi-service.md socks5-gssapi.md socks5-hostname.md socks5.md speed-limit.md speed-time.md ssl-allow-beast.md ssl-auto-client-cert.md ssl-no-revoke.md ssl-reqd.md ssl-revoke-best-effort.md ssl-sessions.md ssl.md sslv2.md sslv3.md stderr.md styled-output.md suppress-connect-headers.md tcp-fastopen.md tcp-nodelay.md telnet-option.md tftp-blksize.md tftp-no-options.md time-cond.md tls-earlydata.md tls-max.md tls13-ciphers.md tlsauthtype.md tlspassword.md tlsuser.md tlsv1.0.md tlsv1.1.md tlsv1.2.md tlsv1.3.md tlsv1.md tr-encoding.md trace-ascii.md trace-config.md trace-ids.md trace-time.md trace.md unix-socket.md upload-file.md upload-flags.md url-query.md url.md use-ascii.md user-agent.md user.md variable.md verbose.md version.md vlan-priority.md write-out.md xattr.mdexamples
.checksrc .gitignore 10-at-a-time.c CMakeLists.txt Makefile.am Makefile.example Makefile.inc README.md adddocsref.pl address-scope.c altsvc.c anyauthput.c block_ip.c cacertinmem.c certinfo.c chkspeed.c connect-to.c cookie_interface.c crawler.c debug.c default-scheme.c ephiperfifo.c evhiperfifo.c externalsocket.c fileupload.c ftp-delete.c ftp-wildcard.c ftpget.c ftpgetinfo.c ftpgetresp.c ftpsget.c ftpupload.c ftpuploadfrommem.c ftpuploadresume.c getinfo.c getinmemory.c getredirect.c getreferrer.c ghiper.c headerapi.c hiperfifo.c hsts-preload.c htmltidy.c htmltitle.cpp http-options.c http-post.c http2-download.c http2-pushinmemory.c http2-serverpush.c http2-upload.c http3-present.c http3.c httpcustomheader.c httpput-postfields.c httpput.c https.c imap-append.c imap-authzid.c imap-copy.c imap-create.c imap-delete.c imap-examine.c imap-fetch.c imap-list.c imap-lsub.c imap-multi.c imap-noop.c imap-search.c imap-ssl.c imap-store.c imap-tls.c interface.c ipv6.c keepalive.c localport.c log_failed_transfers.c maxconnects.c multi-app.c multi-debugcallback.c multi-double.c multi-event.c multi-formadd.c multi-legacy.c multi-post.c multi-single.c multi-uv.c netrc.c parseurl.c persistent.c pop3-authzid.c pop3-dele.c pop3-list.c pop3-multi.c pop3-noop.c pop3-retr.c pop3-ssl.c pop3-stat.c pop3-tls.c pop3-top.c pop3-uidl.c post-callback.c postinmemory.c postit2-formadd.c postit2.c progressfunc.c protofeats.c range.c resolve.c rtsp-options.c sendrecv.c sepheaders.c sessioninfo.c sftpget.c sftpuploadresume.c shared-connection-cache.c simple.c simplepost.c simplessl.c smooth-gtk-thread.c smtp-authzid.c smtp-expn.c smtp-mail.c smtp-mime.c smtp-multi.c smtp-ssl.c smtp-tls.c smtp-vrfy.c sslbackend.c synctime.c threaded.c unixsocket.c url2file.c urlapi.c usercertinmem.c version-check.pl websocket-cb.c websocket-updown.c websocket.c xmlstream.cinternals
BUFQ.md BUFREF.md CHECKSRC.md CLIENT-READERS.md CLIENT-WRITERS.md CODE_STYLE.md CONNECTION-FILTERS.md CREDENTIALS.md CURLX.md DYNBUF.md HASH.md LLIST.md MID.md MQTT.md MULTI-EV.md NEW-PROTOCOL.md PEERS.md PORTING.md RATELIMITS.md README.md SCORECARD.md SPLAY.md STRPARSE.md THRDPOOL-AND-QUEUE.md TIME-KEEPING.md TLS-SESSIONS.md UINT_SETS.md WEBSOCKET.mdlibcurl
opts
CMakeLists.txt CURLINFO_ACTIVESOCKET.md CURLINFO_APPCONNECT_TIME.md CURLINFO_APPCONNECT_TIME_T.md CURLINFO_CAINFO.md CURLINFO_CAPATH.md CURLINFO_CERTINFO.md CURLINFO_CONDITION_UNMET.md CURLINFO_CONNECT_TIME.md CURLINFO_CONNECT_TIME_T.md CURLINFO_CONN_ID.md CURLINFO_CONTENT_LENGTH_DOWNLOAD.md CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md CURLINFO_CONTENT_LENGTH_UPLOAD.md CURLINFO_CONTENT_LENGTH_UPLOAD_T.md CURLINFO_CONTENT_TYPE.md CURLINFO_COOKIELIST.md CURLINFO_EARLYDATA_SENT_T.md CURLINFO_EFFECTIVE_METHOD.md CURLINFO_EFFECTIVE_URL.md CURLINFO_FILETIME.md CURLINFO_FILETIME_T.md CURLINFO_FTP_ENTRY_PATH.md CURLINFO_HEADER_SIZE.md CURLINFO_HTTPAUTH_AVAIL.md CURLINFO_HTTPAUTH_USED.md CURLINFO_HTTP_CONNECTCODE.md CURLINFO_HTTP_VERSION.md CURLINFO_LASTSOCKET.md CURLINFO_LOCAL_IP.md CURLINFO_LOCAL_PORT.md CURLINFO_NAMELOOKUP_TIME.md CURLINFO_NAMELOOKUP_TIME_T.md CURLINFO_NUM_CONNECTS.md CURLINFO_OS_ERRNO.md CURLINFO_POSTTRANSFER_TIME_T.md CURLINFO_PRETRANSFER_TIME.md CURLINFO_PRETRANSFER_TIME_T.md CURLINFO_PRIMARY_IP.md CURLINFO_PRIMARY_PORT.md CURLINFO_PRIVATE.md CURLINFO_PROTOCOL.md CURLINFO_PROXYAUTH_AVAIL.md CURLINFO_PROXYAUTH_USED.md CURLINFO_PROXY_ERROR.md CURLINFO_PROXY_SSL_VERIFYRESULT.md CURLINFO_QUEUE_TIME_T.md CURLINFO_REDIRECT_COUNT.md CURLINFO_REDIRECT_TIME.md CURLINFO_REDIRECT_TIME_T.md CURLINFO_REDIRECT_URL.md CURLINFO_REFERER.md CURLINFO_REQUEST_SIZE.md CURLINFO_RESPONSE_CODE.md CURLINFO_RETRY_AFTER.md CURLINFO_RTSP_CLIENT_CSEQ.md CURLINFO_RTSP_CSEQ_RECV.md CURLINFO_RTSP_SERVER_CSEQ.md CURLINFO_RTSP_SESSION_ID.md CURLINFO_SCHEME.md CURLINFO_SIZE_DELIVERED.md CURLINFO_SIZE_DOWNLOAD.md CURLINFO_SIZE_DOWNLOAD_T.md CURLINFO_SIZE_UPLOAD.md CURLINFO_SIZE_UPLOAD_T.md CURLINFO_SPEED_DOWNLOAD.md CURLINFO_SPEED_DOWNLOAD_T.md CURLINFO_SPEED_UPLOAD.md CURLINFO_SPEED_UPLOAD_T.md CURLINFO_SSL_ENGINES.md CURLINFO_SSL_VERIFYRESULT.md CURLINFO_STARTTRANSFER_TIME.md CURLINFO_STARTTRANSFER_TIME_T.md CURLINFO_TLS_SESSION.md CURLINFO_TLS_SSL_PTR.md CURLINFO_TOTAL_TIME.md CURLINFO_TOTAL_TIME_T.md CURLINFO_USED_PROXY.md CURLINFO_XFER_ID.md CURLMINFO_XFERS_ADDED.md CURLMINFO_XFERS_CURRENT.md CURLMINFO_XFERS_DONE.md CURLMINFO_XFERS_PENDING.md CURLMINFO_XFERS_RUNNING.md CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE.md CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE.md CURLMOPT_MAXCONNECTS.md CURLMOPT_MAX_CONCURRENT_STREAMS.md CURLMOPT_MAX_HOST_CONNECTIONS.md CURLMOPT_MAX_PIPELINE_LENGTH.md CURLMOPT_MAX_TOTAL_CONNECTIONS.md CURLMOPT_NETWORK_CHANGED.md CURLMOPT_NOTIFYDATA.md CURLMOPT_NOTIFYFUNCTION.md CURLMOPT_PIPELINING.md CURLMOPT_PIPELINING_SERVER_BL.md CURLMOPT_PIPELINING_SITE_BL.md CURLMOPT_PUSHDATA.md CURLMOPT_PUSHFUNCTION.md CURLMOPT_QUICK_EXIT.md CURLMOPT_RESOLVE_THREADS_MAX.md CURLMOPT_SOCKETDATA.md CURLMOPT_SOCKETFUNCTION.md CURLMOPT_TIMERDATA.md CURLMOPT_TIMERFUNCTION.md CURLOPT_ABSTRACT_UNIX_SOCKET.md CURLOPT_ACCEPTTIMEOUT_MS.md CURLOPT_ACCEPT_ENCODING.md CURLOPT_ADDRESS_SCOPE.md CURLOPT_ALTSVC.md CURLOPT_ALTSVC_CTRL.md CURLOPT_APPEND.md CURLOPT_AUTOREFERER.md CURLOPT_AWS_SIGV4.md CURLOPT_BUFFERSIZE.md CURLOPT_CAINFO.md CURLOPT_CAINFO_BLOB.md CURLOPT_CAPATH.md CURLOPT_CA_CACHE_TIMEOUT.md CURLOPT_CERTINFO.md CURLOPT_CHUNK_BGN_FUNCTION.md CURLOPT_CHUNK_DATA.md CURLOPT_CHUNK_END_FUNCTION.md CURLOPT_CLOSESOCKETDATA.md CURLOPT_CLOSESOCKETFUNCTION.md CURLOPT_CONNECTTIMEOUT.md CURLOPT_CONNECTTIMEOUT_MS.md CURLOPT_CONNECT_ONLY.md CURLOPT_CONNECT_TO.md CURLOPT_CONV_FROM_NETWORK_FUNCTION.md CURLOPT_CONV_FROM_UTF8_FUNCTION.md CURLOPT_CONV_TO_NETWORK_FUNCTION.md CURLOPT_COOKIE.md CURLOPT_COOKIEFILE.md CURLOPT_COOKIEJAR.md CURLOPT_COOKIELIST.md CURLOPT_COOKIESESSION.md CURLOPT_COPYPOSTFIELDS.md CURLOPT_CRLF.md CURLOPT_CRLFILE.md CURLOPT_CURLU.md CURLOPT_CUSTOMREQUEST.md CURLOPT_DEBUGDATA.md CURLOPT_DEBUGFUNCTION.md CURLOPT_DEFAULT_PROTOCOL.md CURLOPT_DIRLISTONLY.md CURLOPT_DISALLOW_USERNAME_IN_URL.md CURLOPT_DNS_CACHE_TIMEOUT.md CURLOPT_DNS_INTERFACE.md CURLOPT_DNS_LOCAL_IP4.md CURLOPT_DNS_LOCAL_IP6.md CURLOPT_DNS_SERVERS.md CURLOPT_DNS_SHUFFLE_ADDRESSES.md CURLOPT_DNS_USE_GLOBAL_CACHE.md CURLOPT_DOH_SSL_VERIFYHOST.md CURLOPT_DOH_SSL_VERIFYPEER.md CURLOPT_DOH_SSL_VERIFYSTATUS.md CURLOPT_DOH_URL.md CURLOPT_ECH.md CURLOPT_EGDSOCKET.md CURLOPT_ERRORBUFFER.md CURLOPT_EXPECT_100_TIMEOUT_MS.md CURLOPT_FAILONERROR.md CURLOPT_FILETIME.md CURLOPT_FNMATCH_DATA.md CURLOPT_FNMATCH_FUNCTION.md CURLOPT_FOLLOWLOCATION.md CURLOPT_FORBID_REUSE.md CURLOPT_FRESH_CONNECT.md CURLOPT_FTPPORT.md CURLOPT_FTPSSLAUTH.md CURLOPT_FTP_ACCOUNT.md CURLOPT_FTP_ALTERNATIVE_TO_USER.md CURLOPT_FTP_CREATE_MISSING_DIRS.md CURLOPT_FTP_FILEMETHOD.md CURLOPT_FTP_SKIP_PASV_IP.md CURLOPT_FTP_SSL_CCC.md CURLOPT_FTP_USE_EPRT.md CURLOPT_FTP_USE_EPSV.md CURLOPT_FTP_USE_PRET.md CURLOPT_GSSAPI_DELEGATION.md CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.md CURLOPT_HAPROXYPROTOCOL.md CURLOPT_HAPROXY_CLIENT_IP.md CURLOPT_HEADER.md CURLOPT_HEADERDATA.md CURLOPT_HEADERFUNCTION.md CURLOPT_HEADEROPT.md CURLOPT_HSTS.md CURLOPT_HSTSREADDATA.md CURLOPT_HSTSREADFUNCTION.md CURLOPT_HSTSWRITEDATA.md CURLOPT_HSTSWRITEFUNCTION.md CURLOPT_HSTS_CTRL.md CURLOPT_HTTP09_ALLOWED.md CURLOPT_HTTP200ALIASES.md CURLOPT_HTTPAUTH.md CURLOPT_HTTPGET.md CURLOPT_HTTPHEADER.md CURLOPT_HTTPPOST.md CURLOPT_HTTPPROXYTUNNEL.md CURLOPT_HTTP_CONTENT_DECODING.md CURLOPT_HTTP_TRANSFER_DECODING.md CURLOPT_HTTP_VERSION.md CURLOPT_IGNORE_CONTENT_LENGTH.md CURLOPT_INFILESIZE.md CURLOPT_INFILESIZE_LARGE.md CURLOPT_INTERFACE.md CURLOPT_INTERLEAVEDATA.md CURLOPT_INTERLEAVEFUNCTION.md CURLOPT_IOCTLDATA.md CURLOPT_IOCTLFUNCTION.md CURLOPT_IPRESOLVE.md CURLOPT_ISSUERCERT.md CURLOPT_ISSUERCERT_BLOB.md CURLOPT_KEEP_SENDING_ON_ERROR.md CURLOPT_KEYPASSWD.md CURLOPT_KRBLEVEL.md CURLOPT_LOCALPORT.md CURLOPT_LOCALPORTRANGE.md CURLOPT_LOGIN_OPTIONS.md CURLOPT_LOW_SPEED_LIMIT.md CURLOPT_LOW_SPEED_TIME.md CURLOPT_MAIL_AUTH.md CURLOPT_MAIL_FROM.md CURLOPT_MAIL_RCPT.md CURLOPT_MAIL_RCPT_ALLOWFAILS.md CURLOPT_MAXAGE_CONN.md CURLOPT_MAXCONNECTS.md CURLOPT_MAXFILESIZE.md CURLOPT_MAXFILESIZE_LARGE.md CURLOPT_MAXLIFETIME_CONN.md CURLOPT_MAXREDIRS.md CURLOPT_MAX_RECV_SPEED_LARGE.md CURLOPT_MAX_SEND_SPEED_LARGE.md CURLOPT_MIMEPOST.md CURLOPT_MIME_OPTIONS.md CURLOPT_NETRC.md CURLOPT_NETRC_FILE.md CURLOPT_NEW_DIRECTORY_PERMS.md CURLOPT_NEW_FILE_PERMS.md CURLOPT_NOBODY.md CURLOPT_NOPROGRESS.md CURLOPT_NOPROXY.md CURLOPT_NOSIGNAL.md CURLOPT_OPENSOCKETDATA.md CURLOPT_OPENSOCKETFUNCTION.md CURLOPT_PASSWORD.md CURLOPT_PATH_AS_IS.md CURLOPT_PINNEDPUBLICKEY.md CURLOPT_PIPEWAIT.md CURLOPT_PORT.md CURLOPT_POST.md CURLOPT_POSTFIELDS.md CURLOPT_POSTFIELDSIZE.md CURLOPT_POSTFIELDSIZE_LARGE.md CURLOPT_POSTQUOTE.md CURLOPT_POSTREDIR.md CURLOPT_PREQUOTE.md CURLOPT_PREREQDATA.md CURLOPT_PREREQFUNCTION.md CURLOPT_PRE_PROXY.md CURLOPT_PRIVATE.md CURLOPT_PROGRESSDATA.md CURLOPT_PROGRESSFUNCTION.md CURLOPT_PROTOCOLS.md CURLOPT_PROTOCOLS_STR.md CURLOPT_PROXY.md CURLOPT_PROXYAUTH.md CURLOPT_PROXYHEADER.md CURLOPT_PROXYPASSWORD.md CURLOPT_PROXYPORT.md CURLOPT_PROXYTYPE.md CURLOPT_PROXYUSERNAME.md CURLOPT_PROXYUSERPWD.md CURLOPT_PROXY_CAINFO.md CURLOPT_PROXY_CAINFO_BLOB.md CURLOPT_PROXY_CAPATH.md CURLOPT_PROXY_CRLFILE.md CURLOPT_PROXY_ISSUERCERT.md CURLOPT_PROXY_ISSUERCERT_BLOB.md CURLOPT_PROXY_KEYPASSWD.md CURLOPT_PROXY_PINNEDPUBLICKEY.md CURLOPT_PROXY_SERVICE_NAME.md CURLOPT_PROXY_SSLCERT.md CURLOPT_PROXY_SSLCERTTYPE.md CURLOPT_PROXY_SSLCERT_BLOB.md CURLOPT_PROXY_SSLKEY.md CURLOPT_PROXY_SSLKEYTYPE.md CURLOPT_PROXY_SSLKEY_BLOB.md CURLOPT_PROXY_SSLVERSION.md CURLOPT_PROXY_SSL_CIPHER_LIST.md CURLOPT_PROXY_SSL_OPTIONS.md CURLOPT_PROXY_SSL_VERIFYHOST.md CURLOPT_PROXY_SSL_VERIFYPEER.md CURLOPT_PROXY_TLS13_CIPHERS.md CURLOPT_PROXY_TLSAUTH_PASSWORD.md CURLOPT_PROXY_TLSAUTH_TYPE.md CURLOPT_PROXY_TLSAUTH_USERNAME.md CURLOPT_PROXY_TRANSFER_MODE.md CURLOPT_PUT.md CURLOPT_QUICK_EXIT.md CURLOPT_QUOTE.md CURLOPT_RANDOM_FILE.md CURLOPT_RANGE.md CURLOPT_READDATA.md CURLOPT_READFUNCTION.md CURLOPT_REDIR_PROTOCOLS.md CURLOPT_REDIR_PROTOCOLS_STR.md CURLOPT_REFERER.md CURLOPT_REQUEST_TARGET.md CURLOPT_RESOLVE.md CURLOPT_RESOLVER_START_DATA.md CURLOPT_RESOLVER_START_FUNCTION.md CURLOPT_RESUME_FROM.md CURLOPT_RESUME_FROM_LARGE.md CURLOPT_RTSP_CLIENT_CSEQ.md CURLOPT_RTSP_REQUEST.md CURLOPT_RTSP_SERVER_CSEQ.md CURLOPT_RTSP_SESSION_ID.md CURLOPT_RTSP_STREAM_URI.md CURLOPT_RTSP_TRANSPORT.md CURLOPT_SASL_AUTHZID.md CURLOPT_SASL_IR.md CURLOPT_SEEKDATA.md CURLOPT_SEEKFUNCTION.md CURLOPT_SERVER_RESPONSE_TIMEOUT.md CURLOPT_SERVER_RESPONSE_TIMEOUT_MS.md CURLOPT_SERVICE_NAME.md CURLOPT_SHARE.md CURLOPT_SOCKOPTDATA.md CURLOPT_SOCKOPTFUNCTION.md CURLOPT_SOCKS5_AUTH.md CURLOPT_SOCKS5_GSSAPI_NEC.md CURLOPT_SOCKS5_GSSAPI_SERVICE.md CURLOPT_SSH_AUTH_TYPES.md CURLOPT_SSH_COMPRESSION.md CURLOPT_SSH_HOSTKEYDATA.md CURLOPT_SSH_HOSTKEYFUNCTION.md CURLOPT_SSH_HOST_PUBLIC_KEY_MD5.md CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256.md CURLOPT_SSH_KEYDATA.md CURLOPT_SSH_KEYFUNCTION.md CURLOPT_SSH_KNOWNHOSTS.md CURLOPT_SSH_PRIVATE_KEYFILE.md CURLOPT_SSH_PUBLIC_KEYFILE.md CURLOPT_SSLCERT.md CURLOPT_SSLCERTTYPE.md CURLOPT_SSLCERT_BLOB.md CURLOPT_SSLENGINE.md CURLOPT_SSLENGINE_DEFAULT.md CURLOPT_SSLKEY.md CURLOPT_SSLKEYTYPE.md CURLOPT_SSLKEY_BLOB.md CURLOPT_SSLVERSION.md CURLOPT_SSL_CIPHER_LIST.md CURLOPT_SSL_CTX_DATA.md CURLOPT_SSL_CTX_FUNCTION.md CURLOPT_SSL_EC_CURVES.md CURLOPT_SSL_ENABLE_ALPN.md CURLOPT_SSL_ENABLE_NPN.md CURLOPT_SSL_FALSESTART.md CURLOPT_SSL_OPTIONS.md CURLOPT_SSL_SESSIONID_CACHE.md CURLOPT_SSL_SIGNATURE_ALGORITHMS.md CURLOPT_SSL_VERIFYHOST.md CURLOPT_SSL_VERIFYPEER.md CURLOPT_SSL_VERIFYSTATUS.md CURLOPT_STDERR.md CURLOPT_STREAM_DEPENDS.md CURLOPT_STREAM_DEPENDS_E.md CURLOPT_STREAM_WEIGHT.md CURLOPT_SUPPRESS_CONNECT_HEADERS.md CURLOPT_TCP_FASTOPEN.md CURLOPT_TCP_KEEPALIVE.md CURLOPT_TCP_KEEPCNT.md CURLOPT_TCP_KEEPIDLE.md CURLOPT_TCP_KEEPINTVL.md CURLOPT_TCP_NODELAY.md CURLOPT_TELNETOPTIONS.md CURLOPT_TFTP_BLKSIZE.md CURLOPT_TFTP_NO_OPTIONS.md CURLOPT_TIMECONDITION.md CURLOPT_TIMEOUT.md CURLOPT_TIMEOUT_MS.md CURLOPT_TIMEVALUE.md CURLOPT_TIMEVALUE_LARGE.md CURLOPT_TLS13_CIPHERS.md CURLOPT_TLSAUTH_PASSWORD.md CURLOPT_TLSAUTH_TYPE.md CURLOPT_TLSAUTH_USERNAME.md CURLOPT_TRAILERDATA.md CURLOPT_TRAILERFUNCTION.md CURLOPT_TRANSFERTEXT.md CURLOPT_TRANSFER_ENCODING.md CURLOPT_UNIX_SOCKET_PATH.md CURLOPT_UNRESTRICTED_AUTH.md CURLOPT_UPKEEP_INTERVAL_MS.md CURLOPT_UPLOAD.md CURLOPT_UPLOAD_BUFFERSIZE.md CURLOPT_UPLOAD_FLAGS.md CURLOPT_URL.md CURLOPT_USERAGENT.md CURLOPT_USERNAME.md CURLOPT_USERPWD.md CURLOPT_USE_SSL.md CURLOPT_VERBOSE.md CURLOPT_WILDCARDMATCH.md CURLOPT_WRITEDATA.md CURLOPT_WRITEFUNCTION.md CURLOPT_WS_OPTIONS.md CURLOPT_XFERINFODATA.md CURLOPT_XFERINFOFUNCTION.md CURLOPT_XOAUTH2_BEARER.md CURLSHOPT_LOCKFUNC.md CURLSHOPT_SHARE.md CURLSHOPT_UNLOCKFUNC.md CURLSHOPT_UNSHARE.md CURLSHOPT_USERDATA.md Makefile.am Makefile.incinclude
curl
Makefile.am curl.h curlver.h easy.h header.h mprintf.h multi.h options.h stdcheaders.h system.h typecheck-gcc.h urlapi.h websockets.hlib
curlx
base64.c base64.h basename.c basename.h dynbuf.c dynbuf.h fopen.c fopen.h inet_ntop.c inet_ntop.h inet_pton.c inet_pton.h multibyte.c multibyte.h nonblock.c nonblock.h snprintf.c snprintf.h strcopy.c strcopy.h strdup.c strdup.h strerr.c strerr.h strparse.c strparse.h timediff.c timediff.h timeval.c timeval.h version_win32.c version_win32.h wait.c wait.h warnless.c warnless.h winapi.c winapi.hvauth
cleartext.c cram.c digest.c digest.h digest_sspi.c gsasl.c krb5_gssapi.c krb5_sspi.c ntlm.c ntlm_sspi.c oauth2.c spnego_gssapi.c spnego_sspi.c vauth.c vauth.hvquic
curl_ngtcp2.c curl_ngtcp2.h curl_quiche.c curl_quiche.h vquic-tls.c vquic-tls.h vquic.c vquic.h vquic_int.hvtls
apple.c apple.h cipher_suite.c cipher_suite.h gtls.c gtls.h hostcheck.c hostcheck.h keylog.c keylog.h mbedtls.c mbedtls.h openssl.c openssl.h rustls.c rustls.h schannel.c schannel.h schannel_int.h schannel_verify.c vtls.c vtls.h vtls_int.h vtls_scache.c vtls_scache.h vtls_spack.c vtls_spack.h wolfssl.c wolfssl.h x509asn1.c x509asn1.hm4
.gitignore curl-amissl.m4 curl-apple-sectrust.m4 curl-compilers.m4 curl-confopts.m4 curl-functions.m4 curl-gnutls.m4 curl-mbedtls.m4 curl-openssl.m4 curl-override.m4 curl-reentrant.m4 curl-rustls.m4 curl-schannel.m4 curl-sysconfig.m4 curl-wolfssl.m4 xc-am-iface.m4 xc-cc-check.m4 xc-lt-iface.m4 xc-val-flgs.m4 zz40-xc-ovr.m4 zz50-xc-ovr.m4projects
OS400
.checksrc README.OS400 ccsidcurl.c ccsidcurl.h config400.default curl.cmd curl.inc.in curlcl.c curlmain.c initscript.sh make-docs.sh make-include.sh make-lib.sh make-src.sh make-tests.sh makefile.sh os400sys.c os400sys.hWindows
tmpl
.gitattributes README.txt curl-all.sln curl.sln curl.vcxproj curl.vcxproj.filters libcurl.sln libcurl.vcxproj libcurl.vcxproj.filtersvms
Makefile.am backup_gnv_curl_src.com build_curl-config_script.com build_gnv_curl.com build_gnv_curl_pcsi_desc.com build_gnv_curl_pcsi_text.com build_gnv_curl_release_notes.com build_libcurl_pc.com build_vms.com clean_gnv_curl.com compare_curl_source.com config_h.com curl_crtl_init.c curl_gnv_build_steps.txt curl_release_note_start.txt curl_startup.com curlmsg.h curlmsg.msg curlmsg.sdl curlmsg_vms.h generate_config_vms_h_curl.com generate_vax_transfer.com gnv_conftest.c_first gnv_curl_configure.sh gnv_libcurl_symbols.opt gnv_link_curl.com macro32_exactcase.patch make_gnv_curl_install.sh make_pcsi_curl_kit_name.com pcsi_gnv_curl_file_list.txt pcsi_product_gnv_curl.com readme report_openssl_version.c setup_gnv_curl_build.com stage_curl_install.com vms_eco_level.hscripts
.checksrc CMakeLists.txt Makefile.am badwords badwords-all badwords.txt cd2cd cd2nroff cdall checksrc-all.pl checksrc.pl cmakelint.sh completion.pl contributors.sh contrithanks.sh coverage.sh delta dmaketgz extract-unit-protos firefox-db2pem.sh installcheck.sh maketgz managen mdlinkcheck mk-ca-bundle.pl mk-unity.pl nroff2cd perlcheck.sh pythonlint.sh randdisable release-notes.pl release-tools.sh schemetable.c singleuse.pl spacecheck.pl top-complexity top-length verify-release wcurlsrc
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc config2setopts.c config2setopts.h curl.rc curlinfo.c mk-file-embed.pl mkhelp.pl slist_wc.c slist_wc.h terminal.c terminal.h tool_cb_dbg.c tool_cb_dbg.h tool_cb_hdr.c tool_cb_hdr.h tool_cb_prg.c tool_cb_prg.h tool_cb_rea.c tool_cb_rea.h tool_cb_see.c tool_cb_see.h tool_cb_soc.c tool_cb_soc.h tool_cb_wrt.c tool_cb_wrt.h tool_cfgable.c tool_cfgable.h tool_dirhie.c tool_dirhie.h tool_doswin.c tool_doswin.h tool_easysrc.c tool_easysrc.h tool_filetime.c tool_filetime.h tool_findfile.c tool_findfile.h tool_formparse.c tool_formparse.h tool_getparam.c tool_getparam.h tool_getpass.c tool_getpass.h tool_help.c tool_help.h tool_helpers.c tool_helpers.h tool_hugehelp.h tool_ipfs.c tool_ipfs.h tool_libinfo.c tool_libinfo.h tool_listhelp.c tool_main.c tool_main.h tool_msgs.c tool_msgs.h tool_operate.c tool_operate.h tool_operhlp.c tool_operhlp.h tool_paramhlp.c tool_paramhlp.h tool_parsecfg.c tool_parsecfg.h tool_progress.c tool_progress.h tool_sdecls.h tool_setopt.c tool_setopt.h tool_setup.h tool_ssls.c tool_ssls.h tool_stderr.c tool_stderr.h tool_urlglob.c tool_urlglob.h tool_util.c tool_util.h tool_version.h tool_vms.c tool_vms.h tool_writeout.c tool_writeout.h tool_writeout_json.c tool_writeout_json.h tool_xattr.c tool_xattr.h var.c var.htests
certs
.gitignore CMakeLists.txt Makefile.am Makefile.inc genserv.pl srp-verifier-conf srp-verifier-db test-ca.cnf test-ca.prm test-client-cert.prm test-client-eku-only.prm test-localhost-san-first.prm test-localhost-san-last.prm test-localhost.nn.prm test-localhost.prm test-localhost0h.prmdata
.gitignore DISABLED Makefile.am data-xml1 data1400.c data1401.c data1402.c data1403.c data1404.c data1405.c data1406.c data1407.c data1420.c data1461.txt data1463.txt data1465.c data1481.c data1705-1.md data1705-2.md data1705-3.md data1705-4.md data1705-stdout.1 data1706-1.md data1706-2.md data1706-3.md data1706-4.md data1706-stdout.txt data320.html test1 test10 test100 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 test1008 test1009 test101 test1010 test1011 test1012 test1013 test1014 test1015 test1016 test1017 test1018 test1019 test102 test1020 test1021 test1022 test1023 test1024 test1025 test1026 test1027 test1028 test1029 test103 test1030 test1031 test1032 test1033 test1034 test1035 test1036 test1037 test1038 test1039 test104 test1040 test1041 test1042 test1043 test1044 test1045 test1046 test1047 test1048 test1049 test105 test1050 test1051 test1052 test1053 test1054 test1055 test1056 test1057 test1058 test1059 test106 test1060 test1061 test1062 test1063 test1064 test1065 test1066 test1067 test1068 test1069 test107 test1070 test1071 test1072 test1073 test1074 test1075 test1076 test1077 test1078 test1079 test108 test1080 test1081 test1082 test1083 test1084 test1085 test1086 test1087 test1088 test1089 test109 test1090 test1091 test1092 test1093 test1094 test1095 test1096 test1097 test1098 test1099 test11 test110 test1100 test1101 test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109 test111 test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 test1118 test1119 test112 test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 test1128 test1129 test113 test1130 test1131 test1132 test1133 test1134 test1135 test1136 test1137 test1138 test1139 test114 test1140 test1141 test1142 test1143 test1144 test1145 test1146 test1147 test1148 test1149 test115 test1150 test1151 test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 test116 test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 test1168 test1169 test117 test1170 test1171 test1172 test1173 test1174 test1175 test1176 test1177 test1178 test1179 test118 test1180 test1181 test1182 test1183 test1184 test1185 test1186 test1187 test1188 test1189 test119 test1190 test1191 test1192 test1193 test1194 test1195 test1196 test1197 test1198 test1199 test12 test120 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 test1208 test1209 test121 test1210 test1211 test1212 test1213 test1214 test1215 test1216 test1217 test1218 test1219 test122 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 test1228 test1229 test123 test1230 test1231 test1232 test1233 test1234 test1235 test1236 test1237 test1238 test1239 test124 test1240 test1241 test1242 test1243 test1244 test1245 test1246 test1247 test1248 test1249 test125 test1250 test1251 test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 test126 test1260 test1261 test1262 test1263 test1264 test1265 test1266 test1267 test1268 test1269 test127 test1270 test1271 test1272 test1273 test1274 test1275 test1276 test1277 test1278 test1279 test128 test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 test1288 test1289 test129 test1290 test1291 test1292 test1293 test1294 test1295 test1296 test1297 test1298 test1299 test13 test130 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 test1308 test1309 test131 test1310 test1311 test1312 test1313 test1314 test1315 test1316 test1317 test1318 test1319 test132 test1320 test1321 test1322 test1323 test1324 test1325 test1326 test1327 test1328 test1329 test133 test1330 test1331 test1332 test1333 test1334 test1335 test1336 test1337 test1338 test1339 test134 test1340 test1341 test1342 test1343 test1344 test1345 test1346 test1347 test1348 test1349 test135 test1350 test1351 test1352 test1353 test1354 test1355 test1356 test1357 test1358 test1359 test136 test1360 test1361 test1362 test1363 test1364 test1365 test1366 test1367 test1368 test1369 test137 test1370 test1371 test1372 test1373 test1374 test1375 test1376 test1377 test1378 test1379 test138 test1380 test1381 test1382 test1383 test1384 test1385 test1386 test1387 test1388 test1389 test139 test1390 test1391 test1392 test1393 test1394 test1395 test1396 test1397 test1398 test1399 test14 test140 test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 test1408 test1409 test141 test1410 test1411 test1412 test1413 test1414 test1415 test1416 test1417 test1418 test1419 test142 test1420 test1421 test1422 test1423 test1424 test1425 test1426 test1427 test1428 test1429 test143 test1430 test1431 test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 test144 test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 test1448 test1449 test145 test1450 test1451 test1452 test1453 test1454 test1455 test1456 test1457 test1458 test1459 test146 test1460 test1461 test1462 test1463 test1464 test1465 test1466 test1467 test1468 test1469 test147 test1470 test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 test1479 test148 test1480 test1481 test1482 test1483 test1484 test1485 test1486 test1487 test1488 test1489 test149 test1490 test1491 test1492 test1493 test1494 test1495 test1496 test1497 test1498 test1499 test15 test150 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 test1508 test1509 test151 test1510 test1511 test1512 test1513 test1514 test1515 test1516 test1517 test1518 test1519 test152 test1520 test1521 test1522 test1523 test1524 test1525 test1526 test1527 test1528 test1529 test153 test1530 test1531 test1532 test1533 test1534 test1535 test1536 test1537 test1538 test1539 test154 test1540 test1541 test1542 test1543 test1544 test1545 test1546 test1547 test1548 test1549 test155 test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 test1558 test1559 test156 test1560 test1561 test1562 test1563 test1564 test1565 test1566 test1567 test1568 test1569 test157 test1570 test1571 test1572 test1573 test1574 test1575 test1576 test1577 test1578 test1579 test158 test1580 test1581 test1582 test1583 test1584 test1585 test1586 test1587 test1588 test1589 test159 test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 test1598 test1599 test16 test160 test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 test1608 test1609 test161 test1610 test1611 test1612 test1613 test1614 test1615 test1616 test1617 test1618 test1619 test162 test1620 test1621 test1622 test1623 test1624 test1625 test1626 test1627 test1628 test1629 test163 test1630 test1631 test1632 test1633 test1634 test1635 test1636 test1637 test1638 test1639 test164 test1640 test1641 test1642 test1643 test1644 test1645 test165 test1650 test1651 test1652 test1653 test1654 test1655 test1656 test1657 test1658 test1659 test166 test1660 test1661 test1662 test1663 test1664 test1665 test1666 test1667 test1668 test1669 test167 test1670 test1671 test1672 test1673 test1674 test1675 test1676 test168 test1680 test1681 test1682 test1683 test1684 test1685 test169 test17 test170 test1700 test1701 test1702 test1703 test1704 test1705 test1706 test1707 test1708 test1709 test171 test1710 test1711 test1712 test1713 test1714 test1715 test172 test1720 test1721 test173 test174 test175 test176 test177 test178 test179 test18 test180 test1800 test1801 test1802 test181 test182 test183 test184 test1847 test1848 test1849 test185 test1850 test1851 test186 test187 test188 test189 test19 test190 test1900 test1901 test1902 test1903 test1904 test1905 test1906 test1907 test1908 test1909 test191 test1910 test1911 test1912 test1913 test1914 test1915 test1916 test1917 test1918 test1919 test192 test1920 test1921 test193 test1933 test1934 test1935 test1936 test1937 test1938 test1939 test194 test1940 test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 test195 test1955 test1956 test1957 test1958 test1959 test196 test1960 test1964 test1965 test1966 test197 test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 test1978 test1979 test198 test1980 test1981 test1982 test1983 test1984 test199 test2 test20 test200 test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 test2008 test2009 test201 test2010 test2011 test2012 test2013 test2014 test202 test2023 test2024 test2025 test2026 test2027 test2028 test2029 test203 test2030 test2031 test2032 test2033 test2034 test2035 test2037 test2038 test2039 test204 test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 test2048 test2049 test205 test2050 test2051 test2052 test2053 test2054 test2055 test2056 test2057 test2058 test2059 test206 test2060 test2061 test2062 test2063 test2064 test2065 test2066 test2067 test2068 test2069 test207 test2070 test2071 test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 test208 test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 test2088 test2089 test209 test2090 test2091 test2092 test21 test210 test2100 test2101 test2102 test2103 test2104 test211 test212 test213 test214 test215 test216 test217 test218 test219 test22 test220 test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 test221 test222 test223 test224 test225 test226 test227 test228 test229 test23 test230 test2300 test2301 test2302 test2303 test2304 test2306 test2307 test2308 test2309 test231 test232 test233 test234 test235 test236 test237 test238 test239 test24 test240 test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 test2408 test2409 test241 test2410 test2411 test242 test243 test244 test245 test246 test247 test248 test249 test25 test250 test2500 test2501 test2502 test2503 test2504 test2505 test2506 test251 test252 test253 test254 test255 test256 test257 test258 test259 test26 test260 test2600 test2601 test2602 test2603 test2604 test2605 test261 test262 test263 test264 test265 test266 test267 test268 test269 test27 test270 test2700 test2701 test2702 test2703 test2704 test2705 test2706 test2707 test2708 test2709 test271 test2710 test2711 test2712 test2713 test2714 test2715 test2716 test2717 test2718 test2719 test272 test2720 test2721 test2722 test2723 test273 test274 test275 test276 test277 test278 test279 test28 test280 test281 test282 test283 test284 test285 test286 test287 test288 test289 test29 test290 test291 test292 test293 test294 test295 test296 test297 test298 test299 test3 test30 test300 test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 test3008 test3009 test301 test3010 test3011 test3012 test3013 test3014 test3015 test3016 test3017 test3018 test3019 test302 test3020 test3021 test3022 test3023 test3024 test3025 test3026 test3027 test3028 test3029 test303 test3030 test3031 test3032 test3033 test3034 test3035 test3036 test304 test305 test306 test307 test308 test309 test31 test310 test3100 test3101 test3102 test3103 test3104 test3105 test3106 test311 test312 test313 test314 test315 test316 test317 test318 test319 test32 test320 test3200 test3201 test3202 test3203 test3204 test3205 test3206 test3207 test3208 test3209 test321 test3210 test3211 test3212 test3213 test3214 test3215 test3216 test3217 test3218 test3219 test322 test3220 test323 test324 test325 test326 test327 test328 test329 test33 test330 test3300 test3301 test3302 test331 test332 test333 test334 test335 test336 test337 test338 test339 test34 test340 test341 test342 test343 test344 test345 test346 test347 test348 test349 test35 test350 test351 test352 test353 test354 test355 test356 test357 test358 test359 test36 test360 test361 test362 test363 test364 test365 test366 test367 test368 test369 test37 test370 test371 test372 test373 test374 test375 test376 test378 test379 test38 test380 test381 test383 test384 test385 test386 test387 test388 test389 test39 test390 test391 test392 test393 test394 test395 test396 test397 test398 test399 test4 test40 test400 test4000 test4001 test401 test402 test403 test404 test405 test406 test407 test408 test409 test41 test410 test411 test412 test413 test414 test415 test416 test417 test418 test419 test42 test420 test421 test422 test423 test424 test425 test426 test427 test428 test429 test43 test430 test431 test432 test433 test434 test435 test436 test437 test438 test439 test44 test440 test441 test442 test443 test444 test445 test446 test447 test448 test449 test45 test450 test451 test452 test453 test454 test455 test456 test457 test458 test459 test46 test460 test461 test462 test463 test467 test468 test469 test47 test470 test471 test472 test473 test474 test475 test476 test477 test478 test479 test48 test480 test481 test482 test483 test484 test485 test486 test487 test488 test489 test49 test490 test491 test492 test493 test494 test495 test496 test497 test498 test499 test5 test50 test500 test501 test502 test503 test504 test505 test506 test507 test508 test509 test51 test510 test511 test512 test513 test514 test515 test516 test517 test518 test519 test52 test520 test521 test522 test523 test524 test525 test526 test527 test528 test529 test53 test530 test531 test532 test533 test534 test535 test536 test537 test538 test539 test54 test540 test541 test542 test543 test544 test545 test546 test547 test548 test549 test55 test550 test551 test552 test553 test554 test555 test556 test557 test558 test559 test56 test560 test561 test562 test563 test564 test565 test566 test567 test568 test569 test57 test570 test571 test572 test573 test574 test575 test576 test577 test578 test579 test58 test580 test581 test582 test583 test584 test585 test586 test587 test588 test589 test59 test590 test591 test592 test593 test594 test595 test596 test597 test598 test599 test6 test60 test600 test601 test602 test603 test604 test605 test606 test607 test608 test609 test61 test610 test611 test612 test613 test614 test615 test616 test617 test618 test619 test62 test620 test621 test622 test623 test624 test625 test626 test627 test628 test629 test63 test630 test631 test632 test633 test634 test635 test636 test637 test638 test639 test64 test640 test641 test642 test643 test644 test645 test646 test647 test648 test649 test65 test650 test651 test652 test653 test654 test655 test656 test658 test659 test66 test660 test661 test662 test663 test664 test665 test666 test667 test668 test669 test67 test670 test671 test672 test673 test674 test675 test676 test677 test678 test679 test68 test680 test681 test682 test683 test684 test685 test686 test687 test688 test689 test69 test690 test691 test692 test693 test694 test695 test696 test697 test698 test699 test7 test70 test700 test701 test702 test703 test704 test705 test706 test707 test708 test709 test71 test710 test711 test712 test713 test714 test715 test716 test717 test718 test719 test72 test720 test721 test722 test723 test724 test725 test726 test727 test728 test729 test73 test730 test731 test732 test733 test734 test735 test736 test737 test738 test739 test74 test740 test741 test742 test743 test744 test745 test746 test747 test748 test749 test75 test750 test751 test752 test753 test754 test755 test756 test757 test758 test759 test76 test760 test761 test762 test763 test764 test765 test766 test767 test768 test769 test77 test770 test771 test772 test773 test774 test775 test776 test777 test778 test779 test78 test780 test781 test782 test783 test784 test785 test786 test787 test788 test789 test79 test790 test791 test792 test793 test794 test795 test796 test797 test798 test799 test8 test80 test800 test801 test802 test803 test804 test805 test806 test807 test808 test809 test81 test810 test811 test812 test813 test814 test815 test816 test817 test818 test819 test82 test820 test821 test822 test823 test824 test825 test826 test827 test828 test829 test83 test830 test831 test832 test833 test834 test835 test836 test837 test838 test839 test84 test840 test841 test842 test843 test844 test845 test846 test847 test848 test849 test85 test850 test851 test852 test853 test854 test855 test856 test857 test858 test859 test86 test860 test861 test862 test863 test864 test865 test866 test867 test868 test869 test87 test870 test871 test872 test873 test874 test875 test876 test877 test878 test879 test88 test880 test881 test882 test883 test884 test885 test886 test887 test888 test889 test89 test890 test891 test892 test893 test894 test895 test896 test897 test898 test899 test9 test90 test900 test901 test902 test903 test904 test905 test906 test907 test908 test909 test91 test910 test911 test912 test913 test914 test915 test916 test917 test918 test919 test92 test920 test921 test922 test923 test924 test925 test926 test927 test928 test929 test93 test930 test931 test932 test933 test934 test935 test936 test937 test938 test939 test94 test940 test941 test942 test943 test944 test945 test946 test947 test948 test949 test95 test950 test951 test952 test953 test954 test955 test956 test957 test958 test959 test96 test960 test961 test962 test963 test964 test965 test966 test967 test968 test969 test97 test970 test971 test972 test973 test974 test975 test976 test977 test978 test979 test98 test980 test981 test982 test983 test984 test985 test986 test987 test988 test989 test99 test990 test991 test992 test993 test994 test995 test996 test997 test998 test999http
testenv
__init__.py caddy.py certs.py client.py curl.py dante.py dnsd.py env.py httpd.py nghttpx.py ports.py sshd.py vsftpd.py ws_echo_server.pylibtest
.gitignore CMakeLists.txt Makefile.am Makefile.inc cli_ftp_upload.c cli_h2_pausing.c cli_h2_serverpush.c cli_h2_upgrade_extreme.c cli_hx_download.c cli_hx_upload.c cli_tls_session_reuse.c cli_upload_pausing.c cli_ws_data.c cli_ws_pingpong.c first.c first.h lib1156.c lib1301.c lib1308.c lib1485.c lib1500.c lib1501.c lib1502.c lib1506.c lib1507.c lib1508.c lib1509.c lib1510.c lib1511.c lib1512.c lib1513.c lib1514.c lib1515.c lib1517.c lib1518.c lib1520.c lib1522.c lib1523.c lib1525.c lib1526.c lib1527.c lib1528.c lib1529.c lib1530.c lib1531.c lib1532.c lib1533.c lib1534.c lib1535.c lib1536.c lib1537.c lib1538.c lib1540.c lib1541.c lib1542.c lib1545.c lib1549.c lib1550.c lib1551.c lib1552.c lib1553.c lib1554.c lib1555.c lib1556.c lib1557.c lib1558.c lib1559.c lib1560.c lib1564.c lib1565.c lib1567.c lib1568.c lib1569.c lib1571.c lib1576.c lib1582.c lib1587.c lib1588.c lib1589.c lib1591.c lib1592.c lib1593.c lib1594.c lib1597.c lib1598.c lib1599.c lib1662.c lib1900.c lib1901.c lib1902.c lib1903.c lib1905.c lib1906.c lib1907.c lib1908.c lib1910.c lib1911.c lib1912.c lib1913.c lib1915.c lib1916.c lib1918.c lib1919.c lib1920.c lib1921.c lib1933.c lib1934.c lib1935.c lib1936.c lib1937.c lib1938.c lib1939.c lib1940.c lib1945.c lib1947.c lib1948.c lib1955.c lib1956.c lib1957.c lib1958.c lib1959.c lib1960.c lib1964.c lib1965.c lib1970.c lib1971.c lib1972.c lib1973.c lib1974.c lib1975.c lib1977.c lib1978.c lib2023.c lib2032.c lib2082.c lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c lib2402.c lib2404.c lib2405.c lib2502.c lib2504.c lib2505.c lib2506.c lib2700.c lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c lib3207.c lib3208.c lib500.c lib501.c lib502.c lib503.c lib504.c lib505.c lib506.c lib507.c lib508.c lib509.c lib510.c lib511.c lib512.c lib513.c lib514.c lib515.c lib516.c lib517.c lib518.c lib519.c lib520.c lib521.c lib523.c lib524.c lib525.c lib526.c lib530.c lib533.c lib536.c lib537.c lib539.c lib540.c lib541.c lib542.c lib543.c lib544.c lib547.c lib549.c lib552.c lib553.c lib554.c lib555.c lib556.c lib557.c lib558.c lib559.c lib560.c lib562.c lib564.c lib566.c lib567.c lib568.c lib569.c lib570.c lib571.c lib572.c lib573.c lib574.c lib575.c lib576.c lib578.c lib579.c lib582.c lib583.c lib586.c lib589.c lib590.c lib591.c lib597.c lib598.c lib599.c lib643.c lib650.c lib651.c lib652.c lib653.c lib654.c lib655.c lib658.c lib659.c lib661.c lib666.c lib667.c lib668.c lib670.c lib674.c lib676.c lib677.c lib678.c lib694.c lib695.c lib751.c lib753.c lib757.c lib758.c lib766.c memptr.c mk-lib1521.pl test1013.pl test1022.pl test307.pl test610.pl test613.pl testtrace.c testtrace.h testutil.c testutil.h unitcheck.hserver
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc dnsd.c first.c first.h getpart.c mqttd.c resolve.c rtspd.c sockfilt.c socksd.c sws.c tftpd.c util.ctunit
.gitignore CMakeLists.txt Makefile.am Makefile.inc README.md tool1394.c tool1604.c tool1621.c tool1622.c tool1623.c tool1720.cunit
.gitignore CMakeLists.txt Makefile.am Makefile.inc README.md unit1300.c unit1302.c unit1303.c unit1304.c unit1305.c unit1307.c unit1309.c unit1323.c unit1330.c unit1395.c unit1396.c unit1397.c unit1398.c unit1399.c unit1600.c unit1601.c unit1602.c unit1603.c unit1605.c unit1606.c unit1607.c unit1608.c unit1609.c unit1610.c unit1611.c unit1612.c unit1614.c unit1615.c unit1616.c unit1620.c unit1625.c unit1626.c unit1627.c unit1636.c unit1650.c unit1651.c unit1652.c unit1653.c unit1654.c unit1655.c unit1656.c unit1657.c unit1658.c unit1660.c unit1661.c unit1663.c unit1664.c unit1666.c unit1667.c unit1668.c unit1669.c unit1674.c unit1675.c unit1676.c unit1979.c unit1980.c unit2600.c unit2601.c unit2602.c unit2603.c unit2604.c unit2605.c unit3200.c unit3205.c unit3211.c unit3212.c unit3213.c unit3214.c unit3216.c unit3219.c unit3300.c unit3301.c unit3302.cexamples
.env config.ini crypto_test.lua env_test.lua fs_example.lua http_server.lua https_test.lua ini_example.lua json.lua log.lua path_fs_example.lua process_example.lua request_download.lua request_test.lua run_all.lua sqlite_example.lua sqlite_http_template.lua stash_test.lua template_test.lua timer.lua websocket.luainiparser
example
iniexample.c iniwrite.c parse.c twisted-errors.ini twisted-genhuge.py twisted-ofkey.ini twisted-ofval.ini twisted.initest
CMakeLists.txt test_dictionary.c test_iniparser.c unity-config.yml unity_config.hjinjac
libjinjac
src
CMakeLists.txt ast.c ast.h block_statement.c block_statement.h buffer.c buffer.h buildin.c buildin.h common.h convert.c convert.h flex_decl.h jfunction.c jfunction.h jinja_expression.l jinja_expression.y jinjac_parse.c jinjac_parse.h jinjac_stream.c jinjac_stream.h jlist.c jlist.h jobject.c jobject.h parameter.c parameter.h str_obj.c str_obj.h trace.c trace.htest
.gitignore CMakeLists.txt autotest.rb test_01.expected test_01.jinja test_01b.expected test_01b.jinja test_01c.expected test_01c.jinja test_01d.expected test_01d.jinja test_02.expected test_02.jinja test_03.expected test_03.jinja test_04.expected test_04.jinja test_05.expected test_05.jinja test_06.expected test_06.jinja test_07.expected test_07.jinja test_08.expected test_08.jinja test_08b.expected test_08b.jinja test_09.expected test_09.jinja test_10.expected test_10.jinja test_11.expected test_11.jinja test_12.expected test_12.jinja test_13.expected test_13.jinja test_14.expected test_14.jinja test_15.expected test_15.jinja test_16.expected test_16.jinja test_17.expected test_17.jinja test_18.expected test_18.jinja test_18b.expected test_18b.jinja test_18c.expected test_18c.jinja test_19.expected test_19.jinja test_19b.expected test_19b.jinja test_19c.expected test_19c.jinja test_19d.expected test_19d.jinja test_19e.expected test_19e.jinja test_19f.expected test_19f.jinja test_20.expected test_20.jinja test_21.expected test_21.jinja test_22.expected test_22.jinja test_22a.expected test_22a.jinja test_22b.expected test_22b.jinja test_23.expected test_23.jinja test_24.expected test_24.jinjalibev
Changes LICENSE Makefile Makefile.am Makefile.in README Symbols.ev Symbols.event aclocal.m4 autogen.sh compile config.guess config.h config.h.in config.status config.sub configure configure.ac depcomp ev++.h ev.3 ev.c ev.h ev.pod ev_epoll.c ev_kqueue.c ev_poll.c ev_port.c ev_select.c ev_vars.h ev_win32.c ev_wrap.h event.c event.h install-sh libev.m4 libtool ltmain.sh missing mkinstalldirs stamp-h1luajit
doc
bluequad-print.css bluequad.css contact.html ext_buffer.html ext_c_api.html ext_ffi.html ext_ffi_api.html ext_ffi_semantics.html ext_ffi_tutorial.html ext_jit.html ext_profiler.html extensions.html install.html luajit.html running.html
dynasm
dasm_arm.h dasm_arm.lua dasm_arm64.h dasm_arm64.lua dasm_mips.h dasm_mips.lua dasm_mips64.lua dasm_ppc.h dasm_ppc.lua dasm_proto.h dasm_x64.lua dasm_x86.h dasm_x86.lua dynasm.luasrc
host
.gitignore README buildvm.c buildvm.h buildvm_asm.c buildvm_fold.c buildvm_lib.c buildvm_libbc.h buildvm_peobj.c genlibbc.lua genminilua.lua genversion.lua minilua.cjit
.gitignore bc.lua bcsave.lua dis_arm.lua dis_arm64.lua dis_arm64be.lua dis_mips.lua dis_mips64.lua dis_mips64el.lua dis_mips64r6.lua dis_mips64r6el.lua dis_mipsel.lua dis_ppc.lua dis_x64.lua dis_x86.lua dump.lua p.lua v.lua zone.luawolfssl
.github
workflows
ada.yml arduino.yml async-examples.yml async.yml atecc608-sim.yml bind.yml cmake-autoconf.yml cmake.yml codespell.yml coverity-scan-fixes.yml cryptocb-only.yml curl.yml cyrus-sasl.yml disable-pk-algs.yml docker-Espressif.yml docker-OpenWrt.yml emnet-nonblock.yml fil-c.yml freertos-mem-track.yml gencertbuf.yml grpc.yml haproxy.yml hostap-vm.yml intelasm-c-fallback.yml ipmitool.yml jwt-cpp.yml krb5.yml libspdm.yml libssh2.yml libvncserver.yml linuxkm.yml macos-apple-native-cert-validation.yml mbedtls.sh mbedtls.yml membrowse-comment.yml membrowse-onboard.yml membrowse-report.yml memcached.sh memcached.yml mono.yml mosquitto.yml msmtp.yml msys2.yml multi-arch.yml multi-compiler.yml net-snmp.yml nginx.yml no-malloc.yml no-tls.yml nss.sh nss.yml ntp.yml ocsp.yml openldap.yml openssh.yml openssl-ech.yml opensslcoexist.yml openvpn.yml os-check.yml packaging.yml pam-ipmi.yml pq-all.yml pr-commit-check.yml psk.yml puf.yml python.yml rng-tools.yml rust-wrapper.yml se050-sim.yml smallStackSize.yml socat.yml softhsm.yml sssd.yml stm32-sim.yml stsafe-a120-sim.yml stunnel.yml symbol-prefixes.yml threadx.yml tls-anvil.yml trackmemory.yml watcomc.yml win-csharp-test.yml wolfCrypt-Wconversion.yml wolfboot-integration.yml wolfsm.yml xcode.yml zephyr-4.x.yml zephyr.ymlIDE
ARDUINO
Arduino_README_prepend.md README.md include.am keywords.txt library.properties.template wolfssl-arduino.cpp wolfssl-arduino.sh wolfssl.hECLIPSE
Espressif
ESP-IDF
examples
template
CMakeLists.txt Makefile README.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp8266wolfssl_benchmark
VisualGDB
wolfssl_benchmark_IDF_v4.4_ESP32.sln wolfssl_benchmark_IDF_v4.4_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32.sln wolfssl_benchmark_IDF_v5_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32C3.sln wolfssl_benchmark_IDF_v5_ESP32C3.vgdbproj wolfssl_benchmark_IDF_v5_ESP32S3.sln wolfssl_benchmark_IDF_v5_ESP32S3.vgdbprojwolfssl_client
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_client_ESP8266.vgdbprojwolfssl_server
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_server_ESP8266.vgdbprojwolfssl_test
VisualGDB
wolfssl_test-IDF_v5_ESP32.sln wolfssl_test-IDF_v5_ESP32.vgdbproj wolfssl_test-IDF_v5_ESP32C3.sln wolfssl_test-IDF_v5_ESP32C3.vgdbproj wolfssl_test-IDF_v5_ESP32C6.sln wolfssl_test-IDF_v5_ESP32C6.vgdbproj wolfssl_test_IDF_v5_ESP32S3.sln wolfssl_test_IDF_v5_ESP32S3.vgdbprojGCC-ARM
Makefile Makefile.bench Makefile.client Makefile.common Makefile.server Makefile.static Makefile.test README.md include.am linker.ld linker_fips.ldIAR-EWARM
embOS
SAMV71_XULT
embOS_SAMV71_XULT_user_settings
user_settings.h user_settings_simple_example.h user_settings_verbose_example.hembOS_wolfcrypt_benchmark_SAMV71_XULT
README_wolfcrypt_benchmark wolfcrypt_benchmark.ewd wolfcrypt_benchmark.ewpINTIME-RTOS
Makefile README.md include.am libwolfssl.c libwolfssl.vcxproj user_settings.h wolfExamples.c wolfExamples.h wolfExamples.sln wolfExamples.vcxproj wolfssl-lib.sln wolfssl-lib.vcxprojMQX
Makefile README-jp.md README.md client-tls.c include.am server-tls.c user_config.h user_settings.hMSVS-2019-AZSPHERE
wolfssl_new_azsphere
.gitignore CMakeLists.txt CMakeSettings.json app_manifest.json applibs_versions.h launch.vs.json main.cNETOS
Makefile.wolfcrypt.inc README.md include.am user_settings.h user_settings.h-cert2425 user_settings.h-cert3389 wolfssl_netos_custom.cPlatformIO
examples
wolfssl_benchmark
CMakeLists.txt README.md platformio.ini sdkconfig.defaults wolfssl_benchmark.code-workspaceROWLEY-CROSSWORKS-ARM
Kinetis_FlashPlacement.xml README.md arm_startup.c benchmark_main.c hw.h include.am kinetis_hw.c retarget.c test_main.c user_settings.h wolfssl.hzp wolfssl_ltc.hzpRenesas
e2studio
RA6M3
README.md README_APRA6M_en.md README_APRA6M_jp.md include.amRX72N
EnvisionKit
Simple
README_EN.md README_JP.mdwolfssl_demo
key_data.c key_data.h user_settings.h wolfssl_demo.c wolfssl_demo.h wolfssl_tsip_unit_test.cSTM32Cube
README.md STM32_Benchmarks.md default_conf.ftl include.am main.c wolfssl_example.c wolfssl_example.hWIN
README.txt include.am test.vcxproj user_settings.h user_settings_dtls.h wolfssl-fips.sln wolfssl-fips.vcxprojWIN-SRTP-KDF-140-3
README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxprojWIN10
README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxprojXCODE
Benchmark
include.amXilinxSDK
README.md bench.sh combine.sh eclipse_formatter_profile.xml graph.sh include.am user_settings.h wolfssl_example.capple-universal
wolfssl-multiplatform
iotsafe
Makefile README.md ca-cert.c devices.c devices.h include.am main.c memory-tls.c startup.c target.ld user_settings.hmynewt
README.md apps.wolfcrypttest.pkg.yml crypto.wolfssl.pkg.yml crypto.wolfssl.syscfg.yml include.am setup.shcerts
1024
ca-cert.der ca-cert.pem ca-key.der ca-key.pem client-cert.der client-cert.pem client-key.der client-key.pem client-keyPub.der dh1024.der dh1024.pem dsa-pub-1024.pem dsa1024.der dsa1024.pem include.am rsa1024.der server-cert.der server-cert.pem server-key.der server-key.pemcrl
extra-crls
ca-int-cert-revoked.pem claim-root.pem crl_critical_entry.pem crlnum_57oct.pem crlnum_64oct.pem general-server-crl.pem large_crlnum.pem large_crlnum2.pemdilithium
bench_dilithium_level2_key.der bench_dilithium_level3_key.der bench_dilithium_level5_key.der include.amecc
bp256r1-key.der bp256r1-key.pem ca-secp256k1-cert.pem ca-secp256k1-key.pem client-bp256r1-cert.der client-bp256r1-cert.pem client-secp256k1-cert.der client-secp256k1-cert.pem genecc.sh include.am secp256k1-key.der secp256k1-key.pem secp256k1-param.pem secp256k1-privkey.der secp256k1-privkey.pem server-bp256r1-cert.der server-bp256r1-cert.pem server-secp256k1-cert.der server-secp256k1-cert.pem server2-secp256k1-cert.der server2-secp256k1-cert.pem wolfssl.cnf wolfssl_384.cnfed25519
ca-ed25519-key.der ca-ed25519-key.pem ca-ed25519-priv.der ca-ed25519-priv.pem ca-ed25519.der ca-ed25519.pem client-ed25519-key.der client-ed25519-key.pem client-ed25519-priv.der client-ed25519-priv.pem client-ed25519.der client-ed25519.pem eddsa-ed25519.der eddsa-ed25519.pem gen-ed25519-certs.sh gen-ed25519-keys.sh gen-ed25519.sh include.am root-ed25519-key.der root-ed25519-key.pem root-ed25519-priv.der root-ed25519-priv.pem root-ed25519.der root-ed25519.pem server-ed25519-cert.pem server-ed25519-key.der server-ed25519-key.pem server-ed25519-priv.der server-ed25519-priv.pem server-ed25519.der server-ed25519.pemed448
ca-ed448-key.der ca-ed448-key.pem ca-ed448-priv.der ca-ed448-priv.pem ca-ed448.der ca-ed448.pem client-ed448-key.der client-ed448-key.pem client-ed448-priv.der client-ed448-priv.pem client-ed448.der client-ed448.pem gen-ed448-certs.sh gen-ed448-keys.sh include.am root-ed448-key.der root-ed448-key.pem root-ed448-priv.der root-ed448-priv.pem root-ed448.der root-ed448.pem server-ed448-cert.pem server-ed448-key.der server-ed448-key.pem server-ed448-priv.der server-ed448-priv.pem server-ed448.der server-ed448.pemexternal
DigiCertGlobalRootCA.pem README.txt ca-digicert-ev.pem ca-globalsign-root.pem ca-google-root.pem ca_collection.pem include.amintermediate
ca_false_intermediate
gentestcert.sh int_ca.key server.key test_ca.key test_ca.pem test_int_not_cacert.pem test_sign_bynoca_srv.pem wolfssl_base.conf wolfssl_srv.conflms
bc_hss_L2_H5_W8_root.der bc_hss_L3_H5_W4_root.der bc_lms_chain_ca.der bc_lms_chain_leaf.der bc_lms_native_bc_root.der bc_lms_sha256_h10_w8_root.der bc_lms_sha256_h5_w4_root.der include.ammldsa
README.txt include.am mldsa44-cert.der mldsa44-cert.pem mldsa44-key.pem mldsa44_bare-priv.der mldsa44_bare-seed.der mldsa44_oqskeypair.der mldsa44_priv-only.der mldsa44_pub-spki.der mldsa44_seed-only.der mldsa44_seed-priv.der mldsa65-cert.der mldsa65-cert.pem mldsa65-key.pem mldsa65_bare-priv.der mldsa65_bare-seed.der mldsa65_oqskeypair.der mldsa65_priv-only.der mldsa65_pub-spki.der mldsa65_seed-only.der mldsa65_seed-priv.der mldsa87-cert.der mldsa87-cert.pem mldsa87-key.pem mldsa87_bare-priv.der mldsa87_bare-seed.der mldsa87_oqskeypair.der mldsa87_priv-only.der mldsa87_pub-spki.der mldsa87_seed-only.der mldsa87_seed-priv.derocsp
imposter-root-ca-cert.der imposter-root-ca-cert.pem imposter-root-ca-key.der imposter-root-ca-key.pem include.am index-ca-and-intermediate-cas.txt index-ca-and-intermediate-cas.txt.attr index-intermediate1-ca-issued-certs.txt index-intermediate1-ca-issued-certs.txt.attr index-intermediate2-ca-issued-certs.txt index-intermediate2-ca-issued-certs.txt.attr index-intermediate3-ca-issued-certs.txt index-intermediate3-ca-issued-certs.txt.attr intermediate1-ca-cert.der intermediate1-ca-cert.pem intermediate1-ca-key.der intermediate1-ca-key.pem intermediate2-ca-cert.der intermediate2-ca-cert.pem intermediate2-ca-key.der intermediate2-ca-key.pem intermediate3-ca-cert.der intermediate3-ca-cert.pem intermediate3-ca-key.der intermediate3-ca-key.pem ocsp-responder-cert.der ocsp-responder-cert.pem ocsp-responder-key.der ocsp-responder-key.pem openssl.cnf renewcerts-for-test.sh renewcerts.sh root-ca-cert.der root-ca-cert.pem root-ca-crl.pem root-ca-key.der root-ca-key.pem server1-cert.der server1-cert.pem server1-chain-noroot.pem server1-key.der server1-key.pem server2-cert.der server2-cert.pem server2-key.der server2-key.pem server3-cert.der server3-cert.pem server3-key.der server3-key.pem server4-cert.der server4-cert.pem server4-key.der server4-key.pem server5-cert.der server5-cert.pem server5-key.der server5-key.pem test-leaf-response.der test-multi-response.der test-response-nointern.der test-response-rsapss.der test-response.derp521
ca-p521-key.der ca-p521-key.pem ca-p521-priv.der ca-p521-priv.pem ca-p521.der ca-p521.pem client-p521-key.der client-p521-key.pem client-p521-priv.der client-p521-priv.pem client-p521.der client-p521.pem gen-p521-certs.sh gen-p521-keys.sh include.am root-p521-key.der root-p521-key.pem root-p521-priv.der root-p521-priv.pem root-p521.der root-p521.pem server-p521-cert.pem server-p521-key.der server-p521-key.pem server-p521-priv.der server-p521-priv.pem server-p521.der server-p521.pemrpk
client-cert-rpk.der client-ecc-cert-rpk.der include.am server-cert-rpk.der server-ecc-cert-rpk.derrsapss
ca-3072-rsapss-key.der ca-3072-rsapss-key.pem ca-3072-rsapss-priv.der ca-3072-rsapss-priv.pem ca-3072-rsapss.der ca-3072-rsapss.pem ca-rsapss-key.der ca-rsapss-key.pem ca-rsapss-priv.der ca-rsapss-priv.pem ca-rsapss.der ca-rsapss.pem client-3072-rsapss-key.der client-3072-rsapss-key.pem client-3072-rsapss-priv.der client-3072-rsapss-priv.pem client-3072-rsapss.der client-3072-rsapss.pem client-rsapss-key.der client-rsapss-key.pem client-rsapss-priv.der client-rsapss-priv.pem client-rsapss.der client-rsapss.pem gen-rsapss-keys.sh include.am renew-rsapss-certs.sh root-3072-rsapss-key.der root-3072-rsapss-key.pem root-3072-rsapss-priv.der root-3072-rsapss-priv.pem root-3072-rsapss.der root-3072-rsapss.pem root-rsapss-key.der root-rsapss-key.pem root-rsapss-priv.der root-rsapss-priv.pem root-rsapss.der root-rsapss.pem server-3072-rsapss-cert.pem server-3072-rsapss-key.der server-3072-rsapss-key.pem server-3072-rsapss-priv.der server-3072-rsapss-priv.pem server-3072-rsapss.der server-3072-rsapss.pem server-mix-rsapss-cert.pem server-rsapss-cert.pem server-rsapss-key.der server-rsapss-key.pem server-rsapss-priv.der server-rsapss-priv.pem server-rsapss.der server-rsapss.pemslhdsa
bench_slhdsa_sha2_128f_key.der bench_slhdsa_sha2_128s_key.der bench_slhdsa_sha2_192f_key.der bench_slhdsa_sha2_192s_key.der bench_slhdsa_sha2_256f_key.der bench_slhdsa_sha2_256s_key.der bench_slhdsa_shake128f_key.der bench_slhdsa_shake128s_key.der bench_slhdsa_shake192f_key.der bench_slhdsa_shake192s_key.der bench_slhdsa_shake256f_key.der bench_slhdsa_shake256s_key.der client-mldsa44-priv.pem client-mldsa44-sha2.der client-mldsa44-sha2.pem client-mldsa44-shake.der client-mldsa44-shake.pem gen-slhdsa-mldsa-certs.sh include.am root-slhdsa-sha2-128s-priv.der root-slhdsa-sha2-128s-priv.pem root-slhdsa-sha2-128s.der root-slhdsa-sha2-128s.pem root-slhdsa-shake-128s-priv.der root-slhdsa-shake-128s-priv.pem root-slhdsa-shake-128s.der root-slhdsa-shake-128s.pem server-mldsa44-priv.pem server-mldsa44-sha2.der server-mldsa44-sha2.pem server-mldsa44-shake.der server-mldsa44-shake.pemsm2
ca-sm2-key.der ca-sm2-key.pem ca-sm2-priv.der ca-sm2-priv.pem ca-sm2.der ca-sm2.pem client-sm2-key.der client-sm2-key.pem client-sm2-priv.der client-sm2-priv.pem client-sm2.der client-sm2.pem fix_sm2_spki.py gen-sm2-certs.sh gen-sm2-keys.sh include.am root-sm2-key.der root-sm2-key.pem root-sm2-priv.der root-sm2-priv.pem root-sm2.der root-sm2.pem self-sm2-cert.pem self-sm2-key.pem self-sm2-priv.pem server-sm2-cert.der server-sm2-cert.pem server-sm2-key.der server-sm2-key.pem server-sm2-priv.der server-sm2-priv.pem server-sm2.der server-sm2.pemstatickeys
dh-ffdhe2048-params.pem dh-ffdhe2048-pub.der dh-ffdhe2048-pub.pem dh-ffdhe2048.der dh-ffdhe2048.pem ecc-secp256r1.der ecc-secp256r1.pem gen-static.sh include.am x25519-pub.der x25519-pub.pem x25519.der x25519.pemtest
catalog.txt cert-bad-neg-int.der cert-bad-oid.der cert-bad-utf8.der cert-ext-ia.cfg cert-ext-ia.der cert-ext-ia.pem cert-ext-joi.cfg cert-ext-joi.der cert-ext-joi.pem cert-ext-mnc.der cert-ext-multiple.cfg cert-ext-multiple.der cert-ext-multiple.pem cert-ext-nc-combined.der cert-ext-nc-combined.pem cert-ext-nc.cfg cert-ext-nc.der cert-ext-nc.pem cert-ext-ncdns.der cert-ext-ncdns.pem cert-ext-ncip.der cert-ext-ncip.pem cert-ext-ncmixed.der cert-ext-ncmulti.der cert-ext-ncmulti.pem cert-ext-ncrid.der cert-ext-ncrid.pem cert-ext-nct.cfg cert-ext-nct.der cert-ext-nct.pem cert-ext-ndir-exc.cfg cert-ext-ndir-exc.der cert-ext-ndir-exc.pem cert-ext-ndir.cfg cert-ext-ndir.der cert-ext-ndir.pem cert-ext-ns.der cert-over-max-altnames.cfg cert-over-max-altnames.der cert-over-max-altnames.pem cert-over-max-nc.cfg cert-over-max-nc.der cert-over-max-nc.pem client-ecc-cert-ski.hex cn-ip-literal.der cn-ip-wildcard.der crit-cert.pem crit-key.pem dh1024.der dh1024.pem dh512.der dh512.pem digsigku.pem encrypteddata.msg gen-badsig.sh gen-ext-certs.sh gen-testcerts.sh include.am kari-keyid-cms.msg ktri-keyid-cms.msg ossl-trusted-cert.pem server-badaltname.der server-badaltname.pem server-badaltnull.der server-badaltnull.pem server-badcn.der server-badcn.pem server-badcnnull.der server-badcnnull.pem server-cert-ecc-badsig.der server-cert-ecc-badsig.pem server-cert-rsa-badsig.der server-cert-rsa-badsig.pem server-duplicate-policy.pem server-garbage.der server-garbage.pem server-goodalt.der server-goodalt.pem server-goodaltwild.der server-goodaltwild.pem server-goodcn.der server-goodcn.pem server-goodcnwild.der server-goodcnwild.pem server-localhost.der server-localhost.pem smime-test-canon.p7s smime-test-multipart-badsig.p7s smime-test-multipart.p7s smime-test.p7stest-pathlen
assemble-chains.sh chainA-ICA1-key.pem chainA-ICA1-pathlen0.pem chainA-assembled.pem chainA-entity-key.pem chainA-entity.pem chainB-ICA1-key.pem chainB-ICA1-pathlen0.pem chainB-ICA2-key.pem chainB-ICA2-pathlen1.pem chainB-assembled.pem chainB-entity-key.pem chainB-entity.pem chainC-ICA1-key.pem chainC-ICA1-pathlen1.pem chainC-assembled.pem chainC-entity-key.pem chainC-entity.pem chainD-ICA1-key.pem chainD-ICA1-pathlen127.pem chainD-assembled.pem chainD-entity-key.pem chainD-entity.pem chainE-ICA1-key.pem chainE-ICA1-pathlen128.pem chainE-assembled.pem chainE-entity-key.pem chainE-entity.pem chainF-ICA1-key.pem chainF-ICA1-pathlen1.pem chainF-ICA2-key.pem chainF-ICA2-pathlen0.pem chainF-assembled.pem chainF-entity-key.pem chainF-entity.pem chainG-ICA1-key.pem chainG-ICA1-pathlen0.pem chainG-ICA2-key.pem chainG-ICA2-pathlen1.pem chainG-ICA3-key.pem chainG-ICA3-pathlen99.pem chainG-ICA4-key.pem chainG-ICA4-pathlen5.pem chainG-ICA5-key.pem chainG-ICA5-pathlen20.pem chainG-ICA6-key.pem chainG-ICA6-pathlen10.pem chainG-ICA7-key.pem chainG-ICA7-pathlen100.pem chainG-assembled.pem chainG-entity-key.pem chainG-entity.pem chainH-ICA1-key.pem chainH-ICA1-pathlen0.pem chainH-ICA2-key.pem chainH-ICA2-pathlen2.pem chainH-ICA3-key.pem chainH-ICA3-pathlen2.pem chainH-ICA4-key.pem chainH-ICA4-pathlen2.pem chainH-assembled.pem chainH-entity-key.pem chainH-entity.pem chainI-ICA1-key.pem chainI-ICA1-no_pathlen.pem chainI-ICA2-key.pem chainI-ICA2-no_pathlen.pem chainI-ICA3-key.pem chainI-ICA3-pathlen2.pem chainI-assembled.pem chainI-entity-key.pem chainI-entity.pem chainJ-ICA1-key.pem chainJ-ICA1-no_pathlen.pem chainJ-ICA2-key.pem chainJ-ICA2-no_pathlen.pem chainJ-ICA3-key.pem chainJ-ICA3-no_pathlen.pem chainJ-ICA4-key.pem chainJ-ICA4-pathlen2.pem chainJ-assembled.pem chainJ-entity-key.pem chainJ-entity.pem include.am refreshkeys.shtest-serial0
ee_normal.pem ee_serial0.pem generate_certs.sh include.am intermediate_serial0.pem root_serial0.pem root_serial0_key.pem selfsigned_nonca_serial0.pemxmss
bc_xmss_chain_ca.der bc_xmss_chain_leaf.der bc_xmss_sha2_10_256_root.der bc_xmss_sha2_16_256_root.der bc_xmssmt_sha2_20_2_256_root.der bc_xmssmt_sha2_20_4_256_root.der bc_xmssmt_sha2_40_8_256_root.der include.amcmake
Config.cmake.in README.md config.in functions.cmake include.am options.h.in wolfssl-config-version.cmake.in wolfssl-targets.cmake.indebian
changelog.in control.in copyright include.am libwolfssl-dev.install libwolfssl.install rules.indoc
dox_comments
header_files
aes.h arc4.h ascon.h asn.h asn_public.h blake2.h bn.h camellia.h chacha.h chacha20_poly1305.h cmac.h coding.h compress.h cryptocb.h curve25519.h curve448.h des3.h dh.h doxygen_groups.h doxygen_pages.h dsa.h ecc.h eccsi.h ed25519.h ed448.h error-crypt.h evp.h hash.h hmac.h iotsafe.h kdf.h logging.h md2.h md4.h md5.h memory.h ocsp.h pem.h pkcs11.h pkcs7.h poly1305.h psa.h puf.h pwdbased.h quic.h random.h ripemd.h rsa.h sakke.h sha.h sha256.h sha3.h sha512.h signature.h siphash.h srp.h ssl.h tfm.h types.h wc_encrypt.h wc_port.h wc_she.h wc_slhdsa.h wolfio.hheader_files-ja
aes.h arc4.h ascon.h asn.h asn_public.h blake2.h bn.h camellia.h chacha.h chacha20_poly1305.h cmac.h coding.h compress.h cryptocb.h curve25519.h curve448.h des3.h dh.h doxygen_groups.h doxygen_pages.h dsa.h ecc.h eccsi.h ed25519.h ed448.h error-crypt.h evp.h hash.h hmac.h iotsafe.h kdf.h logging.h md2.h md4.h md5.h memory.h ocsp.h pem.h pkcs11.h pkcs7.h poly1305.h psa.h pwdbased.h quic.h random.h ripemd.h rsa.h sakke.h sha.h sha256.h sha3.h sha512.h signature.h siphash.h srp.h ssl.h tfm.h types.h wc_encrypt.h wc_port.h wolfio.h
examples
async
Makefile README.md async_client.c async_server.c async_tls.c async_tls.h include.am user_settings.hconfigs
README.md include.am user_settings_EBSnet.h user_settings_all.h user_settings_arduino.h user_settings_baremetal.h user_settings_ca.h user_settings_curve25519nonblock.h user_settings_dtls13.h user_settings_eccnonblock.h user_settings_espressif.h user_settings_fipsv2.h user_settings_fipsv5.h user_settings_min_ecc.h user_settings_openssl_compat.h user_settings_pkcs7.h user_settings_platformio.h user_settings_pq.h user_settings_rsa_only.h user_settings_stm32.h user_settings_template.h user_settings_tls12.h user_settings_tls13.h user_settings_wolfboot_keytools.h user_settings_wolfssh.h user_settings_wolftpm.hechoclient
echoclient.c echoclient.h echoclient.sln echoclient.vcproj echoclient.vcxproj include.am quitlinuxkm
Kbuild Makefile README.md get_thread_size.c include.am linuxkm-fips-hash-wrapper.sh linuxkm-fips-hash.c linuxkm_memory.c linuxkm_memory.h linuxkm_wc_port.h lkcapi_aes_glue.c lkcapi_dh_glue.c lkcapi_ecdh_glue.c lkcapi_ecdsa_glue.c lkcapi_glue.c lkcapi_rsa_glue.c lkcapi_sha_glue.c module_exports.c.template module_hooks.c pie_redirect_table.c wolfcrypt.lds x86_vector_register_glue.cm4
ax_add_am_macro.m4 ax_am_jobserver.m4 ax_am_macros.m4 ax_append_compile_flags.m4 ax_append_flag.m4 ax_append_link_flags.m4 ax_append_to_file.m4 ax_atomic.m4 ax_bsdkm.m4 ax_check_compile_flag.m4 ax_check_link_flag.m4 ax_compiler_version.m4 ax_count_cpus.m4 ax_create_generic_config.m4 ax_debug.m4 ax_file_escapes.m4 ax_harden_compiler_flags.m4 ax_linuxkm.m4 ax_print_to_file.m4 ax_pthread.m4 ax_require_defined.m4 ax_tls.m4 ax_vcs_checkout.m4 hexversion.m4 lib_socket_nsl.m4 visibility.m4mqx
wolfcrypt_benchmark
ReferencedRSESystems.xml wolfcrypt_benchmark_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchwolfcrypt_test
ReferencedRSESystems.xml wolfcrypt_test_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchwolfssl_client
ReferencedRSESystems.xml wolfssl_client_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchscripts
aria-cmake-build-test.sh asn1_oid_sum.pl benchmark.test benchmark_compare.sh cleanup_testfiles.sh crl-gen-openssl.test crl-revoked.test dertoc.pl dtls.test dtlscid.test external.test google.test include.am makedistsmall.sh memtest.sh ocsp-responder-openssl-interop.test ocsp-stapling-with-ca-as-responder.test ocsp-stapling-with-wolfssl-responder.test ocsp-stapling.test ocsp-stapling2.test ocsp-stapling_tls13multi.test ocsp.test openssl.test openssl_srtp.test pem.test ping.test pkcallbacks.test psk.test resume.test rsapss.test sniffer-gen.sh sniffer-ipv6.pcap sniffer-static-rsa.pcap sniffer-testsuite.test sniffer-tls12-keylog.out sniffer-tls12-keylog.pcap sniffer-tls12-keylog.sslkeylog sniffer-tls13-dh-resume.pcap sniffer-tls13-dh.pcap sniffer-tls13-ecc-resume.pcap sniffer-tls13-ecc.pcap sniffer-tls13-hrr.pcap sniffer-tls13-keylog.out sniffer-tls13-keylog.pcap sniffer-tls13-keylog.sslkeylog sniffer-tls13-x25519-resume.pcap sniffer-tls13-x25519.pcap stm32l4-v4_0_1_build.sh tls13.test trusted_peer.test unit.test.in user_settings_asm.shsrc
bio.c conf.c crl.c dtls.c dtls13.c include.am internal.c keys.c ocsp.c pk.c pk_ec.c pk_rsa.c quic.c sniffer.c ssl.c ssl_api_cert.c ssl_api_crl_ocsp.c ssl_api_pk.c ssl_asn1.c ssl_bn.c ssl_certman.c ssl_crypto.c ssl_ech.c ssl_load.c ssl_misc.c ssl_p7p12.c ssl_sess.c ssl_sk.c tls.c tls13.c wolfio.c x509.c x509_str.ctests
api
api.h api_decl.h create_ocsp_test_blobs.py include.am test_aes.c test_aes.h test_arc4.c test_arc4.h test_ascon.c test_ascon.h test_ascon_kats.h test_asn.c test_asn.h test_blake2.c test_blake2.h test_camellia.c test_camellia.h test_certman.c test_certman.h test_chacha.c test_chacha.h test_chacha20_poly1305.c test_chacha20_poly1305.h test_cmac.c test_cmac.h test_curve25519.c test_curve25519.h test_curve448.c test_curve448.h test_des3.c test_des3.h test_dh.c test_dh.h test_digest.h test_dsa.c test_dsa.h test_dtls.c test_dtls.h test_ecc.c test_ecc.h test_ed25519.c test_ed25519.h test_ed448.c test_ed448.h test_evp.c test_evp.h test_evp_cipher.c test_evp_cipher.h test_evp_digest.c test_evp_digest.h test_evp_pkey.c test_evp_pkey.h test_hash.c test_hash.h test_hmac.c test_hmac.h test_md2.c test_md2.h test_md4.c test_md4.h test_md5.c test_md5.h test_mldsa.c test_mldsa.h test_mlkem.c test_mlkem.h test_ocsp.c test_ocsp.h test_ocsp_test_blobs.h test_ossl_asn1.c test_ossl_asn1.h test_ossl_bio.c test_ossl_bio.h test_ossl_bn.c test_ossl_bn.h test_ossl_cipher.c test_ossl_cipher.h test_ossl_dgst.c test_ossl_dgst.h test_ossl_dh.c test_ossl_dh.h test_ossl_dsa.c test_ossl_dsa.h test_ossl_ec.c test_ossl_ec.h test_ossl_ecx.c test_ossl_ecx.h test_ossl_mac.c test_ossl_mac.h test_ossl_obj.c test_ossl_obj.h test_ossl_p7p12.c test_ossl_p7p12.h test_ossl_pem.c test_ossl_pem.h test_ossl_rand.c test_ossl_rand.h test_ossl_rsa.c test_ossl_rsa.h test_ossl_sk.c test_ossl_sk.h test_ossl_x509.c test_ossl_x509.h test_ossl_x509_acert.c test_ossl_x509_acert.h test_ossl_x509_crypto.c test_ossl_x509_crypto.h test_ossl_x509_ext.c test_ossl_x509_ext.h test_ossl_x509_info.c test_ossl_x509_info.h test_ossl_x509_io.c test_ossl_x509_io.h test_ossl_x509_lu.c test_ossl_x509_lu.h test_ossl_x509_name.c test_ossl_x509_name.h test_ossl_x509_pk.c test_ossl_x509_pk.h test_ossl_x509_str.c test_ossl_x509_str.h test_ossl_x509_vp.c test_ossl_x509_vp.h test_pkcs12.c test_pkcs12.h test_pkcs7.c test_pkcs7.h test_poly1305.c test_poly1305.h test_random.c test_random.h test_rc2.c test_rc2.h test_ripemd.c test_ripemd.h test_rsa.c test_rsa.h test_sha.c test_sha.h test_sha256.c test_sha256.h test_sha3.c test_sha3.h test_sha512.c test_sha512.h test_she.c test_she.h test_signature.c test_signature.h test_slhdsa.c test_slhdsa.h test_sm2.c test_sm2.h test_sm3.c test_sm3.h test_sm4.c test_sm4.h test_tls.c test_tls.h test_tls13.c test_tls13.h test_tls_ext.c test_tls_ext.h test_wc_encrypt.c test_wc_encrypt.h test_wolfmath.c test_wolfmath.h test_x509.c test_x509.hwolfcrypt
benchmark
README.md benchmark-VS2022.sln benchmark-VS2022.vcxproj benchmark-VS2022.vcxproj.user benchmark.c benchmark.h benchmark.sln benchmark.vcproj benchmark.vcxproj include.amsrc
port
Espressif
esp_crt_bundle
README.md cacrt_all.pem cacrt_deprecated.pem cacrt_local.pem esp_crt_bundle.c gen_crt_bundle.py pio_install_cryptography.pyRenesas
README.md renesas_common.c renesas_fspsm_aes.c renesas_fspsm_rsa.c renesas_fspsm_sha.c renesas_fspsm_util.c renesas_rx64_hw_sha.c renesas_rx64_hw_util.c renesas_tsip_aes.c renesas_tsip_rsa.c renesas_tsip_sha.c renesas_tsip_util.carm
armv8-32-aes-asm.S armv8-32-aes-asm_c.c armv8-32-chacha-asm.S armv8-32-chacha-asm_c.c armv8-32-curve25519.S armv8-32-curve25519_c.c armv8-32-mlkem-asm.S armv8-32-mlkem-asm_c.c armv8-32-poly1305-asm.S armv8-32-poly1305-asm_c.c armv8-32-sha256-asm.S armv8-32-sha256-asm_c.c armv8-32-sha3-asm.S armv8-32-sha3-asm_c.c armv8-32-sha512-asm.S armv8-32-sha512-asm_c.c armv8-aes-asm.S armv8-aes-asm_c.c armv8-aes.c armv8-chacha-asm.S armv8-chacha-asm_c.c armv8-curve25519.S armv8-curve25519_c.c armv8-mlkem-asm.S armv8-mlkem-asm_c.c armv8-poly1305-asm.S armv8-poly1305-asm_c.c armv8-sha256-asm.S armv8-sha256-asm_c.c armv8-sha256.c armv8-sha3-asm.S armv8-sha3-asm_c.c armv8-sha512-asm.S armv8-sha512-asm_c.c armv8-sha512.c cryptoCell.c cryptoCellHash.c thumb2-aes-asm.S thumb2-aes-asm_c.c thumb2-chacha-asm.S thumb2-chacha-asm_c.c thumb2-curve25519.S thumb2-curve25519_c.c thumb2-mlkem-asm.S thumb2-mlkem-asm_c.c thumb2-poly1305-asm.S thumb2-poly1305-asm_c.c thumb2-sha256-asm.S thumb2-sha256-asm_c.c thumb2-sha3-asm.S thumb2-sha3-asm_c.c thumb2-sha512-asm.S thumb2-sha512-asm_c.ccaam
README.md caam_aes.c caam_doc.pdf caam_driver.c caam_error.c caam_integrity.c caam_qnx.c caam_sha.c wolfcaam_aes.c wolfcaam_cmac.c wolfcaam_ecdsa.c wolfcaam_fsl_nxp.c wolfcaam_hash.c wolfcaam_hmac.c wolfcaam_init.c wolfcaam_qnx.c wolfcaam_rsa.c wolfcaam_seco.c wolfcaam_x25519.cdevcrypto
README.md devcrypto_aes.c devcrypto_ecdsa.c devcrypto_hash.c devcrypto_hmac.c devcrypto_rsa.c devcrypto_x25519.c wc_devcrypto.criscv
riscv-64-aes.c riscv-64-chacha.c riscv-64-poly1305.c riscv-64-sha256.c riscv-64-sha3.c riscv-64-sha512.cwolfssl
openssl
aes.h asn1.h asn1t.h bio.h bn.h buffer.h camellia.h cmac.h cms.h compat_types.h conf.h crypto.h des.h dh.h dsa.h ec.h ec25519.h ec448.h ecdh.h ecdsa.h ed25519.h ed448.h engine.h err.h evp.h fips_rand.h hmac.h include.am kdf.h lhash.h md4.h md5.h modes.h obj_mac.h objects.h ocsp.h opensslconf.h opensslv.h ossl_typ.h pem.h pkcs12.h pkcs7.h rand.h rc4.h ripemd.h rsa.h safestack.h sha.h sha3.h srp.h ssl.h ssl23.h stack.h tls1.h txt_db.h ui.h x509.h x509_vfy.h x509v3.hwolfcrypt
port
Renesas
renesas-fspsm-crypt.h renesas-fspsm-types.h renesas-rx64-hw-crypt.h renesas-tsip-crypt.h renesas_cmn.h renesas_fspsm_internal.h renesas_sync.h renesas_tsip_internal.h renesas_tsip_types.hcaam
caam_driver.h caam_error.h caam_qnx.h wolfcaam.h wolfcaam_aes.h wolfcaam_cmac.h wolfcaam_ecdsa.h wolfcaam_fsl_nxp.h wolfcaam_hash.h wolfcaam_qnx.h wolfcaam_rsa.h wolfcaam_seco.h wolfcaam_sha.h wolfcaam_x25519.hwrapper
Ada
examples
src
aes_verify_main.adb rsa_verify_main.adb sha256_main.adb spark_sockets.adb spark_sockets.ads spark_terminal.adb spark_terminal.ads tls_client.adb tls_client.ads tls_client_main.adb tls_server.adb tls_server.ads tls_server_main.adbtests
src
aes_bindings_tests.adb aes_bindings_tests.ads rsa_verify_bindings_tests.adb rsa_verify_bindings_tests.ads sha256_bindings_tests.adb sha256_bindings_tests.ads tests.adbCSharp
wolfSSL-Example-IOCallbacks
App.config wolfSSL-Example-IOCallbacks.cs wolfSSL-Example-IOCallbacks.csprojwolfSSL-TLS-ServerThreaded
App.config wolfSSL-TLS-ServerThreaded.cs wolfSSL-TLS-ServerThreaded.csprojrust
wolfssl-wolfcrypt
src
aes.rs blake2.rs chacha20_poly1305.rs cmac.rs cmac_mac.rs curve25519.rs dh.rs dilithium.rs ecc.rs ecdsa.rs ed25519.rs ed448.rs fips.rs hkdf.rs hmac.rs hmac_mac.rs kdf.rs lib.rs lms.rs mlkem.rs mlkem_kem.rs pbkdf2_password_hash.rs prf.rs random.rs rsa.rs rsa_pkcs1v15.rs sha.rs sha_digest.rs sys.rstests
test_aes.rs test_blake2.rs test_chacha20_poly1305.rs test_cmac.rs test_cmac_mac.rs test_curve25519.rs test_dh.rs test_dilithium.rs test_ecc.rs test_ecdsa.rs test_ed25519.rs test_ed448.rs test_hkdf.rs test_hmac.rs test_hmac_mac.rs test_kdf.rs test_lms.rs test_mlkem.rs test_mlkem_kem.rs test_pbkdf2_password_hash.rs test_prf.rs test_random.rs test_rsa.rs test_rsa_pkcs1v15.rs test_sha.rs test_sha_digest.rs test_wolfcrypt.rszephyr
samples
wolfssl_benchmark
CMakeLists.txt README install_test.sh prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.confwolfssl_test
CMakeLists.txt README install_test.sh prj-no-malloc.conf prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.conf
wolfssl/wolfcrypt/src/wc_xmss_impl.c
raw
1/* wc_xmss_impl.c
2 *
3 * Copyright (C) 2006-2026 wolfSSL Inc.
4 *
5 * This file is part of wolfSSL.
6 *
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20 */
21
22/* Based on:
23 * o RFC 8391 - XMSS: eXtended Merkle Signature Scheme
24 * o [HDSS] "Hash-based Digital Signature Schemes", Buchmann, Dahmen and Szydlo
25 * from "Post Quantum Cryptography", Springer 2009.
26 * o [OPX] "Optimal Parameters for XMSS^MT", Hulsing, Rausch and Buchmann
27 *
28 * TODO: "Simple and Memory-efficient Signature Generation of XMSS^MT"
29 * (https://ece.engr.uvic.ca/~raltawy/SAC2021/9.pdf)
30 */
31
32#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
33
34#include <wolfssl/wolfcrypt/wc_xmss.h>
35#include <wolfssl/wolfcrypt/hash.h>
36
37#ifdef NO_INLINE
38 #include <wolfssl/wolfcrypt/misc.h>
39#else
40 #define WOLFSSL_MISC_INCLUDED
41 #include <wolfcrypt/src/misc.c>
42#endif
43
44#if defined(WOLFSSL_HAVE_XMSS)
45
46/* Indices into Hash Address. */
47#define XMSS_ADDR_LAYER 0
48#define XMSS_ADDR_TREE_HI 1
49#define XMSS_ADDR_TREE 2
50#define XMSS_ADDR_TYPE 3
51#define XMSS_ADDR_OTS 4
52#define XMSS_ADDR_LTREE 4
53#define XMSS_ADDR_TREE_ZERO 4
54#define XMSS_ADDR_CHAIN 5
55#define XMSS_ADDR_TREE_HEIGHT 5
56#define XMSS_ADDR_HASH 6
57#define XMSS_ADDR_TREE_INDEX 6
58#define XMSS_ADDR_KEY_MASK 7
59
60/* Types of hash addresses. */
61#define WC_XMSS_ADDR_TYPE_OTS 0
62#define WC_XMSS_ADDR_TYPE_LTREE 1
63#define WC_XMSS_ADDR_TYPE_TREE 2
64
65/* Byte to include in hash to create unique sequence. */
66#define XMSS_HASH_PADDING_F 0U
67#define XMSS_HASH_PADDING_H 1U
68#define XMSS_HASH_PADDING_HASH 2U
69#define XMSS_HASH_PADDING_PRF 3U
70#define XMSS_HASH_PADDING_PRF_KEYGEN 4U
71
72/* Fixed parameter values. */
73#define XMSS_WOTS_W 16U
74#define XMSS_WOTS_LOG_W 4U
75#define XMSS_WOTS_LEN2 3U
76#define XMSS_CSUM_SHIFT 4U
77#define XMSS_CSUM_LEN 2U
78
79/* Length of the message to the PRF. */
80#define XMSS_PRF_M_LEN 32U
81
82/* Length of index encoding when doing XMSS. */
83#define XMSS_IDX_LEN 4U
84
85/* Size of the N when using SHA-256 and 32 byte padding. */
86#define XMSS_SHA256_32_N WC_SHA256_DIGEST_SIZE
87/* Size of the padding when using SHA-256 and 32 byte padding. */
88#define XMSS_SHA256_32_PAD_LEN 32U
89
90/* Calculate PRF data length for parameters. */
91#define XMSS_HASH_PRF_DATA_LEN(params) \
92 ((word32)(params)->pad_len + (params)->n + WC_XMSS_ADDR_LEN)
93/* PRF data length when using SHA-256 with 32 byte padding. */
94#define XMSS_HASH_PRF_DATA_LEN_SHA256_32 \
95 (XMSS_SHA256_32_PAD_LEN + XMSS_SHA256_32_N + WC_XMSS_ADDR_LEN)
96
97/* Calculate chain hash data length for parameters. */
98#define XMSS_CHAIN_HASH_DATA_LEN(params) \
99 ((word32)(params)->pad_len + 2U * (params)->n)
100/* Chain hash data length when using SHA-256 with 32 byte padding. */
101#define XMSS_CHAIN_HASH_DATA_LEN_SHA256_32 \
102 (XMSS_SHA256_32_PAD_LEN + 2U * XMSS_SHA256_32_N)
103
104/* Calculate rand hash data length for parameters. */
105#define XMSS_RAND_HASH_DATA_LEN(params) \
106 ((word32)(params)->pad_len + 3U * (params)->n)
107/* Rand hash data length when using SHA-256 with 32 byte padding. */
108#define XMSS_RAND_HASH_DATA_LEN_SHA256_32 \
109 (XMSS_SHA256_32_PAD_LEN + 3U * XMSS_SHA256_32_N)
110
111/* Encode pad value into byte array. Front fill with 0s.
112 *
113 * RFC 8391: 2.4
114 *
115 * @param [in] n Number to encode.
116 * @param [out] a Array to hold encoding.
117 * @param [in] l Length of array.
118 */
119#define XMSS_PAD_ENC(n, a, l) \
120do { \
121 XMEMSET(a, 0, l); \
122 (a)[(l) - 1] = (byte)(n); \
123} while (0)
124
125
126/********************************************
127 * Index 32/64 bits
128 ********************************************/
129
130/* Index of 32 or 64 bits. */
131typedef union wc_Idx {
132#if WOLFSSL_XMSS_MAX_HEIGHT > 32
133 /* 64-bit representation. */
134 w64wrapper u64;
135#endif
136#if WOLFSSL_XMSS_MIN_HEIGHT <= 32
137 /* 32-bit representation. */
138 word32 u32;
139#endif
140} wc_Idx;
141
142#if WOLFSSL_XMSS_MAX_HEIGHT > 32
143/* Set index to zero.
144 *
145 * Index is up to 64-bits.
146 *
147 * @param [out] idx 32/64-bit index to zero.
148 */
149#define WC_IDX_ZERO(idx) w64Zero(&(idx).u64)
150#else
151/* Set index to zero.
152 *
153 * Index is no more than 32-bits.
154 *
155 * @param [out] idx 32/64-bit index to zero.
156 */
157#define WC_IDX_ZERO(idx) idx.u32 = 0
158#endif
159
160#if WOLFSSL_XMSS_MAX_HEIGHT > 32
161/* Decode 64-bit index.
162 *
163 * @param [out] i Index from encoding.
164 * @param [in] c Count of bytes to decode to index.
165 * @param [in] a Array to decode from.
166 * @param [out] ret Return value.
167 */
168#define IDX64_DECODE(i, c, a, ret) \
169 if ((c) == 5) { \
170 word32 t; \
171 ato32((a) + 1, &t); \
172 (i) = w64From32((a)[0], t); \
173 } \
174 else if ((c) == 8) { \
175 ato64(a, &(i)); \
176 }
177
178/* Decode 64-bit index.
179 *
180 * @param [out] i Index from encoding.
181 * @param [in] c Count of bytes to decode to index.
182 * @param [in] a Array to decode from.
183 * @param [out] ret Return value.
184 */
185#define XMSS_IDX64_DECODE(i, c, a, ret) \
186do { \
187 IDX64_DECODE(i, c, a, ret) \
188 else { \
189 (ret) = NOT_COMPILED_IN; \
190 } \
191} while (0)
192
193/* Check whether index is valid.
194 *
195 * @param [in] i Index to check.
196 * @param [in] c Count of bytes i was encoded in.
197 * @param [in] h Full tree Height.
198 */
199#define IDX64_INVALID(i, c, h) \
200 ((w64GetHigh32(w64Add32(i, 1, NULL)) >> ((h) - 32)) != 0)
201
202/* Set 64-bit index as hash address value for tree.
203 *
204 * @param [in] i Index to set.
205 * @param [in] c Count of bytes to encode into.
206 * @param [in] h Height of tree.
207 * @param [out] a Hash address to encode into.
208 * @param [out] l Index of leaf.
209 */
210#define IDX64_SET_ADDR_TREE(i, c, h, a, l) \
211 if ((c) > 4) { \
212 (l) = w64GetLow32(i) & (((word32)1U << (h)) - 1U); \
213 (i) = w64ShiftRight(i, h); \
214 (a)[XMSS_ADDR_TREE_HI] = w64GetHigh32(i); \
215 (a)[XMSS_ADDR_TREE] = w64GetLow32(i); \
216 }
217#endif /* WOLFSSL_XMSS_MAX_HEIGHT > 32 */
218
219#if WOLFSSL_XMSS_MIN_HEIGHT <= 32
220/* Decode 32-bit index.
221 *
222 * @param [out] i Index from encoding.
223 * @param [in] c Count of bytes to decode to index.
224 * @param [in] a Array to decode from.
225 * @param [out] ret Return value.
226 */
227#define IDX32_DECODE(i, c, a, ret) \
228 if ((c) == 4) { \
229 ato32(a, &(i)); \
230 } \
231 else if ((c) == 3) { \
232 ato24(a, &(i)); \
233 }
234
235/* Decode 32-bit index.
236 *
237 * @param [out] i Index from encoding.
238 * @param [in] c Count of bytes to decode to index.
239 * @param [in] a Array to decode from.
240 * @param [out] ret Return value.
241 */
242#define XMSS_IDX32_DECODE(i, c, a, ret) \
243do { \
244 IDX32_DECODE(i, c, a, ret) \
245 else { \
246 (ret) = NOT_COMPILED_IN; \
247 } \
248} while (0)
249
250/* Check whether 32-bit index is valid.
251 *
252 * @param [in] i Index to check.
253 * @param [in] c Count of bytes i was encoded in.
254 * @param [in] h Full tree Height.
255 */
256#define IDX32_INVALID(i, c, h) \
257 ((((i) + 1) >> (h)) != 0)
258
259/* Set 32-bit index as hash address value for tree.
260 *
261 * @param [in] i Index to set.
262 * @param [in] c Count of bytes to encode into.
263 * @param [in] h Height of tree.
264 * @param [out] a Hash address to encode into.
265 * @param [out] l Index of leaf.
266 */
267#define IDX32_SET_ADDR_TREE(i, c, h, a, l) \
268 if ((c) <= 4) { \
269 (l) = ((i) & (((word32)1U << (h)) - 1U)); \
270 (i) >>= params->sub_h; \
271 (a)[XMSS_ADDR_TREE] = (i); \
272 }
273
274#endif /* WOLFSSL_XMSS_MIN_HEIGHT <= 32 */
275
276#if (WOLFSSL_XMSS_MAX_HEIGHT > 32) && (WOLFSSL_XMSS_MIN_HEIGHT <= 32)
277
278/* Decode 32/64-bit index.
279 *
280 * @param [out] idx Index from encoding.
281 * @param [in] c Count of bytes to decode to index.
282 * @param [in] a Array to decode from.
283 * @param [out] ret Return value.
284 */
285#define WC_IDX_DECODE(idx, c, a, ret) \
286do { \
287 IDX64_DECODE((idx).u64, c, a, ret) \
288 else \
289 IDX32_DECODE((idx).u32, c, a, ret) \
290 else { \
291 (ret) = NOT_COMPILED_IN; \
292 } \
293} while (0)
294
295/* Check whether index is valid.
296 *
297 * @param [in] i Index to check.
298 * @param [in] c Count of bytes i was encoded in.
299 * @param [in] h Full tree Height.
300 */
301#define WC_IDX_INVALID(i, c, h) \
302 ((((c) > 4) && IDX64_INVALID((i).u64, c, h)) || \
303 (((c) <= 4) && IDX32_INVALID((i).u32, c, h)))
304
305/* Set 32/64-bit index as hash address value for tree.
306 *
307 * @param [in] i Index to set.
308 * @param [in] c Count of bytes to encode into.
309 * @param [in] h Height of tree.
310 * @param [out] a Hash address to encode into.
311 * @param [out] l Index of leaf.
312 */
313#define WC_IDX_SET_ADDR_TREE(idx, c, h, a, l) \
314do { \
315 IDX64_SET_ADDR_TREE((idx).u64, c, h, a, l) \
316 else \
317 IDX32_SET_ADDR_TREE((idx).u32, c, h, a, l) \
318} while (0)
319
320#elif WOLFSSL_XMSS_MAX_HEIGHT > 32
321
322/* Decode 64-bit index.
323 *
324 * @param [out] idx Index from encoding.
325 * @param [in] c Count of bytes to decode to index.
326 * @param [in] a Array to decode from.
327 * @param [out] ret Return value.
328 */
329#define WC_IDX_DECODE(idx, c, a, ret) \
330do { \
331 IDX64_DECODE((idx).u64, c, a, ret) \
332} while (0)
333
334/* Check whether index is valid.
335 *
336 * @param [in] i Index to check.
337 * @param [in] c Count of bytes i was encoded in.
338 * @param [in] h Full tree Height.
339 */
340#define WC_IDX_INVALID(i, c, h) \
341 IDX64_INVALID((i).u64, c, h)
342
343/* Set 64-bit index as hash address value for tree.
344 *
345 * @param [in] i Index to set.
346 * @param [in] c Count of bytes to encode into.
347 * @param [in] h Height of tree.
348 * @param [out] a Hash address to encode into.
349 * @param [out] l Index of leaf.
350 */
351#define WC_IDX_SET_ADDR_TREE(idx, c, h, a, l) \
352do { \
353 IDX64_SET_ADDR_TREE((idx).u64, c, h, a, l) \
354} while (0)
355
356#else
357
358/* Decode 32-bit index.
359 *
360 * @param [out] idx Index from encoding.
361 * @param [in] c Count of bytes to decode to index.
362 * @param [in] a Array to decode from.
363 * @param [out] ret Return value.
364 */
365#define WC_IDX_DECODE(idx, c, a, ret) \
366do { \
367 IDX32_DECODE((idx).u32, c, a, ret) \
368 else { \
369 (ret) = NOT_COMPILED_IN; \
370 } \
371} while (0)
372
373/* Check whether index is valid.
374 *
375 * @param [in] i Index to check.
376 * @param [in] c Count of bytes i was encoded in.
377 * @param [in] h Full tree Height.
378 */
379#define WC_IDX_INVALID(i, c, h) \
380 IDX32_INVALID((i).u32, c, h)
381
382/* Set 32-bit index as hash address value for tree.
383 *
384 * @param [in] i Index to set.
385 * @param [in] c Count of bytes to encode into.
386 * @param [in] h Height of tree.
387 * @param [out] a Hash address to encode into.
388 * @param [out] l Index of leaf.
389 */
390#define WC_IDX_SET_ADDR_TREE(idx, c, h, a, l) \
391do { \
392 IDX32_SET_ADDR_TREE(idx.u32, c, h, a, l) \
393} while (0)
394
395#endif /* (WOLFSSL_XMSS_MAX_HEIGHT > 32) && (WOLFSSL_XMSS_MIN_HEIGHT <= 32) */
396
397#ifndef WOLFSSL_XMSS_VERIFY_ONLY
398/* Update index by adding one to big-endian encoded value.
399 *
400 * @param [in, out] a Array index is encoded in.
401 * @param [in] l Length of encoded index.
402 */
403static void wc_idx_update(unsigned char* a, word32 l)
404{
405 word32 i;
406
407 for (i = l; i > 0; i--) {
408 if ((++a[i - 1]) != 0) {
409 break;
410 }
411 }
412}
413
414/* Copy index from source buffer to destination buffer.
415 *
416 * Index is put in the back of the destination buffer.
417 *
418 * @param [in] s Source buffer.
419 * @param [in] sl Length of index in source.
420 * @param [in, out] d Destination buffer.
421 * @param [in] dl Length of destination buffer.
422 */
423static void wc_idx_copy(const unsigned char* s, word32 sl, unsigned char* d,
424 word32 dl)
425{
426 /* Zero the destination first so an invariant violation produces a
427 * deterministic empty buffer rather than reusing prior contents. */
428 XMEMSET(d, 0, dl);
429 /* Caller must size the destination at least as large as the source.
430 * Without this guard, dl - sl wraps to ~4 GB and corrupts memory. */
431 if (dl < sl) {
432 return;
433 }
434 XMEMCPY(d + dl - sl, s, sl);
435}
436#endif
437
438/********************************************
439 * Hash Address.
440 ********************************************/
441
442/* Set the hash address based on subtree.
443 *
444 * @param [out] a Hash address.
445 * @param [in] s Subtree hash address.
446 * @param [in] t Type of hash address.
447 */
448#define XMSS_ADDR_SET_SUBTREE(a, s, t) \
449do { \
450 (a)[XMSS_ADDR_LAYER] = (s)[XMSS_ADDR_LAYER]; \
451 (a)[XMSS_ADDR_TREE_HI] = (s)[XMSS_ADDR_TREE_HI]; \
452 (a)[XMSS_ADDR_TREE] = (s)[XMSS_ADDR_TREE]; \
453 (a)[XMSS_ADDR_TYPE] = (t); \
454 XMEMSET((a) + 4, 0, sizeof(a) - 4 * sizeof(*(a)));\
455} while (0)
456
457/* Set the OTS hash address based on subtree.
458 *
459 * @param [out] a Hash address.
460 * @param [in] s Subtree hash address.
461 */
462#define XMSS_ADDR_OTS_SET_SUBTREE(a, s) \
463 XMSS_ADDR_SET_SUBTREE(a, s, WC_XMSS_ADDR_TYPE_OTS)
464/* Set the L-tree address based on subtree.
465 *
466 * @param [out] a Hash address.
467 * @param [in] s Subtree hash address.
468 */
469#define XMSS_ADDR_LTREE_SET_SUBTREE(a, s) \
470 XMSS_ADDR_SET_SUBTREE(a, s, WC_XMSS_ADDR_TYPE_LTREE)
471/* Set the hash tree address based on subtree.
472 *
473 * @param [out] a Hash address.
474 * @param [in] s Subtree hash address.
475 */
476#define XMSS_ADDR_TREE_SET_SUBTREE(a, s) \
477 XMSS_ADDR_SET_SUBTREE(a, s, WC_XMSS_ADDR_TYPE_TREE)
478
479#ifdef LITTLE_ENDIAN_ORDER
480
481/* Set a byte value into a word of an encoded address.
482 *
483 * @param [in, out] a Encoded hash address.
484 * @param [in] i Index of word.
485 * @param [in] b Byte to set.
486 */
487#define XMSS_ADDR_SET_BYTE(a, i, b) \
488 ((word32*)(a))[i] = (word32)(b) << 24
489
490#else
491
492/* Set a byte value into a word of an encoded address.
493 *
494 * @param [in, out] a Encoded hash address.
495 * @param [in] i Index of word.
496 * @param [in] b Byte to set.
497 */
498#define XMSS_ADDR_SET_BYTE(a, i, b) \
499 ((word32*)(a))[i] = (b)
500
501#endif /* LITTLE_ENDIAN_ORDER */
502
503/* Convert hash address to bytes.
504 *
505 * @param [out] bytes Array to encode into.
506 * @param [in] addr Hash address.
507 */
508static void wc_xmss_addr_encode(const HashAddress addr, byte* bytes)
509{
510 c32toa((addr)[0], (bytes) + (0 * 4));
511 c32toa((addr)[1], (bytes) + (1 * 4));
512 c32toa((addr)[2], (bytes) + (2 * 4));
513 c32toa((addr)[3], (bytes) + (3 * 4));
514 c32toa((addr)[4], (bytes) + (4 * 4));
515 c32toa((addr)[5], (bytes) + (5 * 4));
516 c32toa((addr)[6], (bytes) + (6 * 4));
517 c32toa((addr)[7], (bytes) + (7 * 4));
518}
519
520/********************************************
521 * HASHING
522 ********************************************/
523
524#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256) && \
525 !defined(WC_XMSS_FULL_HASH)
526
527/* Set hash data and length into SHA-256 digest.
528 *
529 * @param [in, out] state XMSS/MT state with SHA-256 digest.
530 * @param [in] data Data to add to hash.
531 * @param [in] len Number of bytes in data.
532 * Must be less than a block.
533 * @param [in] total_len Number of bytes updated so far.
534 */
535#define XMSS_SHA256_SET_DATA(state, data, len, total_len) \
536do { \
537 XMEMCPY((state)->digest.sha256.buffer, data, len); \
538 (state)->digest.sha256.buffLen = (len); \
539 (state)->digest.sha256.loLen = (total_len); \
540} while (0)
541
542/* Save the SHA-256 state to cache.
543 *
544 * @param [in, out] state XMSS/MT state with SHA-256 digest and state cache.
545 */
546#define XMSS_SHA256_STATE_CACHE(state) \
547 (state)->dgst_state[0] = (state)->digest.sha256.digest[0]; \
548 (state)->dgst_state[1] = (state)->digest.sha256.digest[1]; \
549 (state)->dgst_state[2] = (state)->digest.sha256.digest[2]; \
550 (state)->dgst_state[3] = (state)->digest.sha256.digest[3]; \
551 (state)->dgst_state[4] = (state)->digest.sha256.digest[4]; \
552 (state)->dgst_state[5] = (state)->digest.sha256.digest[5]; \
553 (state)->dgst_state[6] = (state)->digest.sha256.digest[6]; \
554 (state)->dgst_state[7] = (state)->digest.sha256.digest[7]; \
555
556/* Restore the SHA-256 state from cache and set length.
557 *
558 * @param [in, out] state XMSS/MT state with SHA-256 digest and state cache.
559 * @param [in] len Number of bytes of data hashed so far.
560 */
561#define XMSS_SHA256_STATE_RESTORE(state, len) \
562do { \
563 (state)->digest.sha256.digest[0] = (state)->dgst_state[0]; \
564 (state)->digest.sha256.digest[1] = (state)->dgst_state[1]; \
565 (state)->digest.sha256.digest[2] = (state)->dgst_state[2]; \
566 (state)->digest.sha256.digest[3] = (state)->dgst_state[3]; \
567 (state)->digest.sha256.digest[4] = (state)->dgst_state[4]; \
568 (state)->digest.sha256.digest[5] = (state)->dgst_state[5]; \
569 (state)->digest.sha256.digest[6] = (state)->dgst_state[6]; \
570 (state)->digest.sha256.digest[7] = (state)->dgst_state[7]; \
571 (state)->digest.sha256.loLen = (len); \
572} while (0)
573
574/* Restore the SHA-256 state from cache and set data and length.
575 *
576 * @param [in, out] state XMSS/MT state with SHA-256 digest and cache.
577 * @param [in] data Data to add to hash.
578 * @param [in] len Number of bytes in data.
579 * Must be less than a block.
580 * @param [in] total_len Number of bytes updated so far.
581 */
582#define XMSS_SHA256_STATE_RESTORE_DATA(state, data, len, total_len) \
583do { \
584 (state)->digest.sha256.digest[0] = (state)->dgst_state[0]; \
585 (state)->digest.sha256.digest[1] = (state)->dgst_state[1]; \
586 (state)->digest.sha256.digest[2] = (state)->dgst_state[2]; \
587 (state)->digest.sha256.digest[3] = (state)->dgst_state[3]; \
588 (state)->digest.sha256.digest[4] = (state)->dgst_state[4]; \
589 (state)->digest.sha256.digest[5] = (state)->dgst_state[5]; \
590 (state)->digest.sha256.digest[6] = (state)->dgst_state[6]; \
591 (state)->digest.sha256.digest[7] = (state)->dgst_state[7]; \
592 XMSS_SHA256_SET_DATA(state, data, len, total_len); \
593} while (0)
594
595#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 && !WC_XMSS_FULL_HASH */
596
597/* Hash the data into output buffer.
598 *
599 * @param [in] state XMSS/MT state including digest and parameters.
600 * @param [in] in Data to digest.
601 * @param [in] inlen Length of data to digest in bytes.
602 * @param [out] out Buffer to put digest into.
603 */
604static WC_INLINE void wc_xmss_hash(XmssState* state, const byte* in,
605 word32 inlen, byte* out)
606{
607 int ret;
608 const XmssParams* params = state->params;
609
610#ifdef WC_XMSS_SHA256
611 /* Full SHA-256 digest. */
612 if ((params->hash == WC_HASH_TYPE_SHA256) &&
613 (params->n == WC_SHA256_DIGEST_SIZE)) {
614 ret = wc_Sha256Update(&state->digest.sha256, in, inlen);
615 if (ret == 0) {
616 ret = wc_Sha256Final(&state->digest.sha256, out);
617 }
618 }
619#if WOLFSSL_WC_XMSS_MIN_HASH_SIZE <= 192 && WOLFSSL_WC_XMSS_MAX_HASH_SIZE >= 192
620 /* Partial SHA-256 digest. */
621 else if (params->hash == WC_HASH_TYPE_SHA256) {
622 byte buf[WC_SHA256_DIGEST_SIZE];
623 ret = wc_Sha256Update(&state->digest.sha256, in, inlen);
624 if (ret == 0) {
625 ret = wc_Sha256Final(&state->digest.sha256, buf);
626 }
627 if (ret == 0) {
628 XMEMCPY(out, buf, params->n);
629 }
630 }
631#endif
632 else
633#endif /* WC_XMSS_SHA256 */
634#ifdef WC_XMSS_SHA512
635 /* Full SHA-512 digest. */
636 if (params->hash == WC_HASH_TYPE_SHA512) {
637 ret = wc_Sha512Update(&state->digest.sha512, in, inlen);
638 if (ret == 0) {
639 ret = wc_Sha512Final(&state->digest.sha512, out);
640 }
641 }
642 else
643#endif /* WC_XMSS_SHA512 */
644#ifdef WC_XMSS_SHAKE128
645 /* Digest with SHAKE-128. */
646 if (params->hash == WC_HASH_TYPE_SHAKE128) {
647 ret = wc_Shake128_Update(&state->digest.shake, in, inlen);
648 if (ret == 0) {
649 ret = wc_Shake128_Final(&state->digest.shake, out, params->n);
650 }
651 }
652 else
653#endif /* WC_XMSS_SHAKE128 */
654#ifdef WC_XMSS_SHAKE256
655 /* Digest with SHAKE-256. */
656 if (params->hash == WC_HASH_TYPE_SHAKE256) {
657 ret = wc_Shake256_Update(&state->digest.shake, in, inlen);
658 if (ret == 0) {
659 ret = wc_Shake256_Final(&state->digest.shake, out, params->n);
660 }
661 }
662 else
663#endif /* WC_XMSS_SHAKE256 */
664 {
665 /* Unsupported digest function. */
666 ret = NOT_COMPILED_IN;
667 }
668
669 if (state->ret == 0) {
670 /* Store any digest failures for public APIs to return. */
671 state->ret = ret;
672 }
673}
674
675#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256)
676#ifndef WC_XMSS_FULL_HASH
677/* Chain hashing.
678 *
679 * RFC 8391: 3.1.2, Algorithm 2: chain - Chaining Function
680 * ...
681 * ADRS.setKeyAndMask(0);
682 * KEY = PRF(SEED, ADRS);
683 * ADRS.setKeyAndMask(1);
684 * BM = PRF(SEED, ADRS);
685 * tmp = F(KEY, tmp XOR BM);
686 * return tmp;
687 *
688 * @param [in] state XMSS/MT state including digest and parameters.
689 * @param [in] tmp Temporary buffer holding chain data.
690 * @param [in] addr Hash address as a byte array.
691 * @param [out] hash Buffer to hold hash.
692 */
693static void wc_xmss_chain_hash_sha256_32(XmssState* state, const byte* tmp,
694 byte* addr, byte* hash)
695{
696 /* Offsets into chain hash data. */
697 byte* pad = state->buf;
698 byte* key = pad + XMSS_SHA256_32_PAD_LEN;
699 byte* bm = key + XMSS_SHA256_32_N;
700 int ret;
701
702 /* Calculate n-byte key - KEY. */
703 ((word32*)addr)[XMSS_ADDR_KEY_MASK] = 0;
704 /* Copy back state after first 64 bytes. */
705 XMSS_SHA256_STATE_RESTORE_DATA(state, addr, WC_XMSS_ADDR_LEN,
706 XMSS_HASH_PRF_DATA_LEN_SHA256_32);
707 /* Calculate hash. */
708 ret = wc_Sha256Final(&state->digest.sha256, key);
709
710 if (ret == 0) {
711 /* Calculate n-byte bit mask - BM. */
712 addr[XMSS_ADDR_KEY_MASK * 4 + 3] = 1;
713 /* Copy back state after first 64 bytes. */
714 XMSS_SHA256_STATE_RESTORE_DATA(state, addr, WC_XMSS_ADDR_LEN,
715 XMSS_HASH_PRF_DATA_LEN_SHA256_32);
716 /* Calculate hash. */
717 ret = wc_Sha256Final(&state->digest.sha256, bm);
718 }
719
720 if (ret == 0) {
721 /* Function padding set in caller. */
722 xorbuf(bm, tmp, XMSS_SHA256_32_N);
723 ret = wc_Sha256Update(&state->digest.sha256, state->buf,
724 XMSS_CHAIN_HASH_DATA_LEN_SHA256_32);
725 }
726 if (ret == 0) {
727 /* Calculate the chain hash. */
728 ret = wc_Sha256Final(&state->digest.sha256, hash);
729 }
730 if (state->ret == 0) {
731 /* Store any digest failures for public APIs to return. */
732 state->ret = ret;
733 }
734}
735#else
736/* Chain hashing.
737 *
738 * Padding, seed, addr for PRF set by caller into prf_buf.
739 *
740 * RFC 8391: 3.1.2, Algorithm 2: chain - Chaining Function
741 * ...
742 * ADRS.setKeyAndMask(0);
743 * KEY = PRF(SEED, ADRS);
744 * ADRS.setKeyAndMask(1);
745 * BM = PRF(SEED, ADRS);
746 * tmp = F(KEY, tmp XOR BM);
747 * return tmp;
748 *
749 * @param [in] state XMSS/MT state including digest and parameters.
750 * @param [in] tmp Temporary buffer holding chain data.
751 * @param [out] out Buffer to hold hash.
752 */
753static void wc_xmss_chain_hash_sha256_32(XmssState* state, const byte* tmp,
754 byte* hash)
755{
756 byte* addr = state->prf_buf + XMSS_SHA256_32_PAD_LEN + XMSS_SHA256_32_N;
757 /* Offsets into chain hash data. */
758 byte* pad = state->buf;
759 byte* key = pad + XMSS_SHA256_32_PAD_LEN;
760 byte* bm = key + XMSS_SHA256_32_N;
761
762 /* Calculate n-byte key - KEY. */
763 ((word32*)addr)[XMSS_ADDR_KEY_MASK] = 0;
764 wc_xmss_hash(state, state->prf_buf, XMSS_HASH_PRF_DATA_LEN_SHA256_32, key);
765 /* Calculate the n-byte mask. */
766 addr[XMSS_ADDR_KEY_MASK * 4 + 3] = 1;
767 wc_xmss_hash(state, state->prf_buf, XMSS_HASH_PRF_DATA_LEN_SHA256_32, bm);
768
769 /* Function padding set in caller. */
770 xorbuf(bm, tmp, XMSS_SHA256_32_N);
771 /* Calculate the chain hash. */
772 wc_xmss_hash(state, state->buf, XMSS_CHAIN_HASH_DATA_LEN_SHA256_32, hash);
773}
774#endif /* !WC_XMSS_FULL_HASH */
775#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 */
776
777/* Chain hashing.
778 *
779 * Padding, seed, addr for PRF set by caller into prf_buf.
780 *
781 * RFC 8391: 3.1.2, Algorithm 2: chain - Chaining Function
782 * ...
783 * ADRS.setKeyAndMask(0);
784 * KEY = PRF(SEED, ADRS);
785 * ADRS.setKeyAndMask(1);
786 * BM = PRF(SEED, ADRS);
787 * tmp = F(KEY, tmp XOR BM);
788 * return tmp;
789 *
790 * @param [in] state XMSS/MT state including digest and parameters.
791 * @param [in] tmp Temporary buffer holding chain data.
792 * @param [out] hash Buffer to hold hash.
793 */
794static void wc_xmss_chain_hash(XmssState* state, const byte* tmp, byte* hash)
795{
796 const XmssParams* params = state->params;
797 byte* addr = state->prf_buf + params->pad_len + params->n;
798 /* Offsets into chain hash data. */
799 byte* pad = state->buf;
800 byte* key = pad + params->pad_len;
801 byte* bm = key + params->n;
802
803 /* Calculate n-byte key - KEY. */
804 ((word32*)addr)[XMSS_ADDR_KEY_MASK] = 0;
805 wc_xmss_hash(state, state->prf_buf, XMSS_HASH_PRF_DATA_LEN(params), key);
806 /* Calculate n-byte bit mask - BM. */
807 addr[XMSS_ADDR_KEY_MASK * 4 + 3] = 1;
808 wc_xmss_hash(state, state->prf_buf, XMSS_HASH_PRF_DATA_LEN(params), bm);
809
810 /* Function padding set in caller. */
811 xorbuf(bm, tmp, params->n);
812 /* Calculate the chain hash. */
813 wc_xmss_hash(state, state->buf, XMSS_CHAIN_HASH_DATA_LEN(params), hash);
814}
815
816#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256)
817#ifndef WC_XMSS_FULL_HASH
818/* Randomized tree hashing.
819 *
820 * RFC 8391: 4.1.4, Algorithm 7: RAND_HASH
821 * ...
822 * ADRS.setKeyAndMask(0);
823 * KEY = PRF(SEED, ADRS);
824 * ADRS.setKeyAndMask(1);
825 * BM_0 = PRF(SEED, ADRS);
826 * ADRS.setKeyAndMask(2);
827 * BM_1 = PRF(SEED, ADRS);
828 * return H(KEY, (LEFT XOR BM_0) || (RIGHT XOR BM_1));
829 *
830 * @param [in] state XMSS/MT state including digest and parameters.
831 * @param [in] data Input data.
832 * @param [in] addr Hash address.
833 * @param [out] hash Buffer to hold hash.
834 */
835static void wc_xmss_rand_hash_sha256_32_prehash(XmssState* state,
836 const byte* data, HashAddress addr, byte* hash)
837{
838 int ret;
839 /* Offsets into rand hash data. */
840 byte* pad = state->buf;
841 byte* key = pad + XMSS_SHA256_32_PAD_LEN;
842 byte* bm0 = key + XMSS_SHA256_32_N;
843 byte* bm1 = bm0 + XMSS_SHA256_32_N;
844 byte addr_buf[WC_XMSS_ADDR_LEN];
845
846 addr[XMSS_ADDR_KEY_MASK] = 0;
847 wc_xmss_addr_encode(addr, addr_buf);
848
849 /* Calculate n-byte key - KEY. */
850 XMSS_SHA256_STATE_RESTORE_DATA(state, addr_buf, WC_XMSS_ADDR_LEN,
851 XMSS_HASH_PRF_DATA_LEN_SHA256_32);
852 /* Calculate hash. */
853 ret = wc_Sha256Final(&state->digest.sha256, key);
854
855 /* Calculate n-byte mask - BM_0. */
856 if (ret == 0) {
857 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 1;
858 /* Copy back state after first 64 bytes. */
859 XMSS_SHA256_STATE_RESTORE_DATA(state, addr_buf, WC_XMSS_ADDR_LEN,
860 XMSS_HASH_PRF_DATA_LEN_SHA256_32);
861 /* Calculate hash. */
862 ret = wc_Sha256Final(&state->digest.sha256, bm0);
863 }
864
865 /* Calculate n-byte mask - BM_1. */
866 if (ret == 0) {
867 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 2;
868 /* Copy back state after first 64 bytes. */
869 XMSS_SHA256_STATE_RESTORE_DATA(state, addr_buf, WC_XMSS_ADDR_LEN,
870 XMSS_HASH_PRF_DATA_LEN_SHA256_32);
871 /* Calculate hash. */
872 ret = wc_Sha256Final(&state->digest.sha256, bm1);
873 }
874
875 if (ret == 0) {
876 XMSS_PAD_ENC(XMSS_HASH_PADDING_H, pad, XMSS_SHA256_32_PAD_LEN);
877 /* XOR into bm0 and bm1. */
878 xorbuf(bm0, data, XMSS_SHA256_32_N * 2);
879 ret = wc_Sha256Update(&state->digest.sha256, state->buf,
880 XMSS_RAND_HASH_DATA_LEN_SHA256_32);
881 }
882 if (ret == 0) {
883 ret = wc_Sha256Final(&state->digest.sha256, hash);
884 }
885 if (state->ret == 0) {
886 /* Store any digest failures for public APIs to return. */
887 state->ret = ret;
888 }
889}
890#endif /* !WC_XMSS_FULL_HASH */
891
892/* Randomized tree hashing.
893 *
894 * RFC 8391: 4.1.4, Algorithm 7: RAND_HASH
895 * ...
896 * ADRS.setKeyAndMask(0);
897 * KEY = PRF(SEED, ADRS);
898 * ADRS.setKeyAndMask(1);
899 * BM_0 = PRF(SEED, ADRS);
900 * ADRS.setKeyAndMask(2);
901 * BM_1 = PRF(SEED, ADRS);
902 * return H(KEY, (LEFT XOR BM_0) || (RIGHT XOR BM_1));
903 *
904 * @param [in] state XMSS/MT state including digest and parameters.
905 * @param [in] data Input data.
906 * @param [in] pk_seed Random public seed.
907 * @param [in] addr Hash address.
908 * @param [out] hash Buffer to hold hash.
909 */
910static void wc_xmss_rand_hash_sha256_32(XmssState* state, const byte* data,
911 const byte* pk_seed, HashAddress addr, byte* hash)
912{
913 byte* addr_buf = state->prf_buf + XMSS_SHA256_32_PAD_LEN +
914 XMSS_SHA256_32_N;
915 /* Offsets into rand hash data. */
916 byte* pad = state->buf;
917 byte* key = pad + XMSS_SHA256_32_PAD_LEN;
918 byte* bm0 = key + XMSS_SHA256_32_N;
919 byte* bm1 = bm0 + XMSS_SHA256_32_N;
920#ifndef WC_XMSS_FULL_HASH
921 int ret;
922
923 /* Encode padding byte for PRF. */
924 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF, state->prf_buf, XMSS_SHA256_32_PAD_LEN);
925 /* Append public seed for PRF. */
926 XMEMCPY(state->prf_buf + XMSS_SHA256_32_PAD_LEN, pk_seed,
927 XMSS_SHA256_32_N);
928
929 /* Set key mask to initial value and append encoding. */
930 addr[XMSS_ADDR_KEY_MASK] = 0;
931 wc_xmss_addr_encode(addr, addr_buf);
932
933 /* Calculate n-byte key - KEY. */
934 ret = wc_Sha256Update(&state->digest.sha256, state->prf_buf,
935 XMSS_SHA256_32_PAD_LEN + XMSS_SHA256_32_N);
936 if (ret == 0) {
937 /* Copy state after first 64 bytes. */
938 XMSS_SHA256_STATE_CACHE(state);
939 /* Copy in remaining 32 bytes to buffer. */
940 XMSS_SHA256_SET_DATA(state, addr_buf, WC_XMSS_ADDR_LEN,
941 XMSS_HASH_PRF_DATA_LEN_SHA256_32);
942 /* Calculate hash. */
943 ret = wc_Sha256Final(&state->digest.sha256, key);
944 }
945
946 /* Calculate n-byte mask - BM_0. */
947 if (ret == 0) {
948 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 1;
949 /* Copy back state after first 64 bytes. */
950 XMSS_SHA256_STATE_RESTORE_DATA(state, addr_buf, WC_XMSS_ADDR_LEN,
951 XMSS_HASH_PRF_DATA_LEN_SHA256_32);
952 /* Calculate hash. */
953 ret = wc_Sha256Final(&state->digest.sha256, bm0);
954 }
955
956 /* Calculate n-byte mask - BM_1. */
957 if (ret == 0) {
958 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 2;
959 /* Copy back state after first 64 bytes. */
960 XMSS_SHA256_STATE_RESTORE_DATA(state, addr_buf, WC_XMSS_ADDR_LEN,
961 XMSS_HASH_PRF_DATA_LEN_SHA256_32);
962 /* Calculate hash. */
963 ret = wc_Sha256Final(&state->digest.sha256, bm1);
964 }
965
966 if (ret == 0) {
967 XMSS_PAD_ENC(XMSS_HASH_PADDING_H, pad, XMSS_SHA256_32_PAD_LEN);
968 /* XOR into bm0 and bm1. */
969 xorbuf(bm0, data, 2 * XMSS_SHA256_32_N);
970 ret = wc_Sha256Update(&state->digest.sha256, state->buf,
971 XMSS_RAND_HASH_DATA_LEN_SHA256_32);
972 }
973 if (ret == 0) {
974 ret = wc_Sha256Final(&state->digest.sha256, hash);
975 }
976 if (state->ret == 0) {
977 /* Store any digest failures for public APIs to return. */
978 state->ret = ret;
979 }
980#else
981 /* Encode padding byte for PRF. */
982 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF, state->prf_buf, XMSS_SHA256_32_PAD_LEN);
983 /* Append public seed for PRF. */
984 XMEMCPY(state->prf_buf + XMSS_SHA256_32_PAD_LEN, pk_seed,
985 XMSS_SHA256_32_N);
986
987 /* Set key mask to initial value and append encoding. */
988 addr[XMSS_ADDR_KEY_MASK] = 0;
989 wc_xmss_addr_encode(addr, addr_buf);
990
991 /* Calculate n-byte key - KEY. */
992 wc_xmss_hash(state, state->prf_buf, XMSS_HASH_PRF_DATA_LEN_SHA256_32, key);
993 /* Calculate n-byte mask - BM_0. */
994 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 1;
995 wc_xmss_hash(state, state->prf_buf, XMSS_HASH_PRF_DATA_LEN_SHA256_32, bm0);
996 /* Calculate n-byte mask - BM_1. */
997 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 2;
998 wc_xmss_hash(state, state->prf_buf, XMSS_HASH_PRF_DATA_LEN_SHA256_32, bm1);
999
1000 XMSS_PAD_ENC(XMSS_HASH_PADDING_H, state->buf, XMSS_SHA256_32_PAD_LEN);
1001 xorbuf(bm0, data, 2 * XMSS_SHA256_32_N);
1002 wc_xmss_hash(state, state->buf, XMSS_RAND_HASH_DATA_LEN_SHA256_32, hash);
1003#endif /* WC_XMSS_FULL_HASH */
1004}
1005#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 */
1006
1007/* Randomized tree hashing.
1008 *
1009 * RFC 8391: 4.1.4, Algorithm 7: RAND_HASH
1010 * ...
1011 * ADRS.setKeyAndMask(0);
1012 * KEY = PRF(SEED, ADRS);
1013 * ADRS.setKeyAndMask(1);
1014 * BM_0 = PRF(SEED, ADRS);
1015 * ADRS.setKeyAndMask(2);
1016 * BM_1 = PRF(SEED, ADRS);
1017 * return H(KEY, (LEFT XOR BM_0) || (RIGHT XOR BM_1));
1018 *
1019 * @param [in] state XMSS/MT state including digest and parameters.
1020 * @param [in] data Input data.
1021 * @param [in] pk_seed Random public seed.
1022 * @param [in] addr Hash address.
1023 * @param [out] hash Buffer to hold hash.
1024 */
1025static void wc_xmss_rand_hash(XmssState* state, const byte* data,
1026 const byte* pk_seed, HashAddress addr, byte* hash)
1027{
1028 const XmssParams* params = state->params;
1029
1030#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256)
1031 if ((params->pad_len == XMSS_SHA256_32_PAD_LEN) &&
1032 (params->n == XMSS_SHA256_32_N) &&
1033 (params->hash == WC_HASH_TYPE_SHA256)) {
1034 wc_xmss_rand_hash_sha256_32(state, data, pk_seed, addr, hash);
1035 }
1036 else
1037#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 */
1038 {
1039 byte* addr_buf = state->prf_buf + params->pad_len + params->n;
1040 /* Offsets into rand hash data. */
1041 byte* pad = state->buf;
1042 byte* key = pad + params->pad_len;
1043 byte* bm0 = key + params->n;
1044 byte* bm1 = bm0 + params->n;
1045 const word32 len = XMSS_HASH_PRF_DATA_LEN(params);
1046
1047 /* Encode padding byte for PRF. */
1048 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF, state->prf_buf, params->pad_len);
1049 /* Append public seed for PRF. */
1050 XMEMCPY(state->prf_buf + params->pad_len, pk_seed, params->n);
1051
1052 /* Set key mask to initial value and append encoding. */
1053 addr[XMSS_ADDR_KEY_MASK] = 0;
1054 wc_xmss_addr_encode(addr, addr_buf);
1055
1056 /* Calculate n-byte key - KEY. */
1057 wc_xmss_hash(state, state->prf_buf, len, key);
1058 /* Calculate n-byte mask - BM_0. */
1059 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 1;
1060 wc_xmss_hash(state, state->prf_buf, len, bm0);
1061 /* Calculate n-byte mask - BM_1. */
1062 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 2;
1063 wc_xmss_hash(state, state->prf_buf, len, bm1);
1064
1065 XMSS_PAD_ENC(XMSS_HASH_PADDING_H, pad, params->pad_len);
1066 xorbuf(bm0, data, 2U * params->n);
1067 wc_xmss_hash(state, state->buf, XMSS_RAND_HASH_DATA_LEN(params), hash);
1068 }
1069}
1070
1071#if !defined(WOLFSSL_WC_XMSS_SMALL) || defined(WOLFSSL_XMSS_VERIFY_ONLY)
1072#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256)
1073/* Randomized tree hashing.
1074 *
1075 * RFC 8391: 4.1.4, Algorithm 7: RAND_HASH
1076 * ...
1077 * ADRS.setKeyAndMask(0);
1078 * KEY = PRF(SEED, ADRS);
1079 * ADRS.setKeyAndMask(1);
1080 * BM_0 = PRF(SEED, ADRS);
1081 * ADRS.setKeyAndMask(2);
1082 * BM_1 = PRF(SEED, ADRS);
1083 * return H(KEY, (LEFT XOR BM_0) || (RIGHT XOR BM_1));
1084 *
1085 * @param [in] state XMSS/MT state including digest and parameters.
1086 * @param [in] left First half of data.
1087 * @param [in] right Second half of data.
1088 * @param [in] pk_seed Random public seed.
1089 * @param [in] addr Hash address.
1090 * @param [out] hash Buffer to hold hash.
1091 */
1092static void wc_xmss_rand_hash_lr_sha256_32(XmssState* state, const byte* left,
1093 const byte* right, const byte* pk_seed, HashAddress addr, byte* hash)
1094{
1095 byte* addr_buf = state->prf_buf + XMSS_SHA256_32_PAD_LEN +
1096 XMSS_SHA256_32_N;
1097 /* Offsets into rand hash data. */
1098 byte* pad = state->buf;
1099 byte* key = pad + XMSS_SHA256_32_PAD_LEN;
1100 byte* bm0 = key + XMSS_SHA256_32_N;
1101 byte* bm1 = bm0 + XMSS_SHA256_32_N;
1102#ifndef WC_XMSS_FULL_HASH
1103 int ret;
1104
1105 /* Encode padding byte for PRF. */
1106 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF, state->prf_buf, XMSS_SHA256_32_PAD_LEN);
1107 /* Append public seed for PRF. */
1108 XMEMCPY(state->prf_buf + XMSS_SHA256_32_PAD_LEN, pk_seed,
1109 XMSS_SHA256_32_N);
1110
1111 /* Set key mask to initial value and append encoding. */
1112 addr[XMSS_ADDR_KEY_MASK] = 0;
1113 wc_xmss_addr_encode(addr, addr_buf);
1114
1115 /* Calculate n-byte key - KEY. */
1116 ret = wc_Sha256Update(&state->digest.sha256, state->prf_buf,
1117 XMSS_SHA256_32_PAD_LEN + XMSS_SHA256_32_N);
1118 if (ret == 0) {
1119 /* Copy state after first 64 bytes. */
1120 XMSS_SHA256_STATE_CACHE(state);
1121 /* Copy in remaining 32 bytes to buffer. */
1122 XMSS_SHA256_SET_DATA(state, addr_buf, WC_XMSS_ADDR_LEN,
1123 XMSS_HASH_PRF_DATA_LEN_SHA256_32);
1124 /* Calculate hash. */
1125 ret = wc_Sha256Final(&state->digest.sha256, key);
1126 }
1127
1128 /* Calculate n-byte mask - BM_0. */
1129 if (ret == 0) {
1130 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 1;
1131 /* Copy back state after first 64 bytes. */
1132 XMSS_SHA256_STATE_RESTORE_DATA(state, addr_buf, WC_XMSS_ADDR_LEN,
1133 XMSS_HASH_PRF_DATA_LEN_SHA256_32);
1134 /* Calculate hash. */
1135 ret = wc_Sha256Final(&state->digest.sha256, bm0);
1136 }
1137
1138 /* Calculate n-byte mask - BM_1. */
1139 if (ret == 0) {
1140 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 2;
1141 /* Copy back state after first 64 bytes. */
1142 XMSS_SHA256_STATE_RESTORE_DATA(state, addr_buf, WC_XMSS_ADDR_LEN,
1143 XMSS_HASH_PRF_DATA_LEN_SHA256_32);
1144 /* Calculate hash. */
1145 ret = wc_Sha256Final(&state->digest.sha256, bm1);
1146 }
1147
1148 if (ret == 0) {
1149 XMSS_PAD_ENC(XMSS_HASH_PADDING_H, pad, XMSS_SHA256_32_PAD_LEN);
1150 /* XOR into bm0 and bm1. */
1151 XMEMCPY(state->prf_buf, left, XMSS_SHA256_32_N);
1152 XMEMCPY(state->prf_buf + XMSS_SHA256_32_N, right, XMSS_SHA256_32_N);
1153 xorbuf(bm0, state->prf_buf, 2 * XMSS_SHA256_32_N);
1154 ret = wc_Sha256Update(&state->digest.sha256, state->buf,
1155 XMSS_RAND_HASH_DATA_LEN_SHA256_32);
1156 }
1157 if (ret == 0) {
1158 ret = wc_Sha256Final(&state->digest.sha256, hash);
1159 }
1160 if (state->ret == 0) {
1161 /* Store any digest failures for public APIs to return. */
1162 state->ret = ret;
1163 }
1164#else
1165 /* Encode padding byte for PRF. */
1166 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF, state->prf_buf, XMSS_SHA256_32_PAD_LEN);
1167 /* Append public seed for PRF. */
1168 XMEMCPY(state->prf_buf + XMSS_SHA256_32_PAD_LEN, pk_seed, XMSS_SHA256_32_N);
1169
1170 /* Set key mask to initial value and append encoding. */
1171 addr[XMSS_ADDR_KEY_MASK] = 0;
1172 wc_xmss_addr_encode(addr, addr_buf);
1173
1174 /* Calculate n-byte key - KEY. */
1175 wc_xmss_hash(state, state->prf_buf, XMSS_HASH_PRF_DATA_LEN_SHA256_32, key);
1176 /* Calculate n-byte mask - BM_0. */
1177 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 1;
1178 wc_xmss_hash(state, state->prf_buf, XMSS_HASH_PRF_DATA_LEN_SHA256_32, bm0);
1179 /* Calculate n-byte mask - BM_1. */
1180 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 2;
1181 wc_xmss_hash(state, state->prf_buf, XMSS_HASH_PRF_DATA_LEN_SHA256_32, bm1);
1182
1183 XMSS_PAD_ENC(XMSS_HASH_PADDING_H, state->buf, XMSS_SHA256_32_PAD_LEN);
1184 XMEMCPY(state->prf_buf, left, XMSS_SHA256_32_N);
1185 XMEMCPY(state->prf_buf + XMSS_SHA256_32_N, right, XMSS_SHA256_32_N);
1186 xorbuf(bm0, state->prf_buf, 2 * XMSS_SHA256_32_N);
1187 wc_xmss_hash(state, state->buf, XMSS_RAND_HASH_DATA_LEN_SHA256_32, hash);
1188#endif /* WC_XMSS_FULL_HASH */
1189}
1190#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 */
1191/* Randomized tree hashing - left and right separate parameters.
1192 *
1193 * RFC 8391: 4.1.4, Algorithm 7: RAND_HASH
1194 * ...
1195 * ADRS.setKeyAndMask(0);
1196 * KEY = PRF(SEED, ADRS);
1197 * ADRS.setKeyAndMask(1);
1198 * BM_0 = PRF(SEED, ADRS);
1199 * ADRS.setKeyAndMask(2);
1200 * BM_1 = PRF(SEED, ADRS);
1201 * return H(KEY, (LEFT XOR BM_0) || (RIGHT XOR BM_1));
1202 *
1203 * @param [in] state XMSS/MT state including digest and parameters.
1204 * @param [in] left First half of data.
1205 * @param [in] right Second half of data.
1206 * @param [in] pk_seed Random public seed.
1207 * @param [in] addr Hash address.
1208 * @param [out] hash Buffer to hold hash.
1209 */
1210static void wc_xmss_rand_hash_lr(XmssState* state, const byte* left,
1211 const byte* right, const byte* pk_seed, HashAddress addr, byte* hash)
1212{
1213 const XmssParams* params = state->params;
1214
1215#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256)
1216 if ((params->pad_len == XMSS_SHA256_32_PAD_LEN) &&
1217 (params->n == XMSS_SHA256_32_N) &&
1218 (params->hash == WC_HASH_TYPE_SHA256)) {
1219 wc_xmss_rand_hash_lr_sha256_32(state, left, right, pk_seed, addr, hash);
1220 }
1221 else
1222#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 */
1223 {
1224 byte* addr_buf = state->prf_buf + params->pad_len + params->n;
1225 /* Offsets into rand hash data. */
1226 byte* pad = state->buf;
1227 byte* key = pad + params->pad_len;
1228 byte* bm0 = key + params->n;
1229 byte* bm1 = bm0 + params->n;
1230 const word32 len = XMSS_HASH_PRF_DATA_LEN(params);
1231
1232 /* Encode padding byte for PRF. */
1233 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF, state->prf_buf, params->pad_len);
1234 /* Append public seed for PRF. */
1235 XMEMCPY(state->prf_buf + params->pad_len, pk_seed, params->n);
1236
1237 /* Set key mask to initial value and append encoding. */
1238 addr[XMSS_ADDR_KEY_MASK] = 0;
1239 wc_xmss_addr_encode(addr, addr_buf);
1240
1241 /* Calculate n-byte key - KEY. */
1242 wc_xmss_hash(state, state->prf_buf, len, key);
1243 /* Calculate n-byte mask - BM_0. */
1244 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 1;
1245 wc_xmss_hash(state, state->prf_buf, len, bm0);
1246 /* Calculate n-byte mask - BM_1. */
1247 addr_buf[XMSS_ADDR_KEY_MASK * 4 + 3] = 2;
1248 wc_xmss_hash(state, state->prf_buf, len, bm1);
1249
1250 XMSS_PAD_ENC(XMSS_HASH_PADDING_H, pad, params->pad_len);
1251 XMEMCPY(state->prf_buf, left, params->n);
1252 XMEMCPY(state->prf_buf + params->n, right, params->n);
1253 xorbuf(bm0, state->prf_buf, 2U * params->n);
1254 wc_xmss_hash(state, state->buf, XMSS_RAND_HASH_DATA_LEN(params), hash);
1255 }
1256}
1257#endif /* !WOLFSSL_WC_XMSS_SMALL || WOLFSSL_XMSS_VERIFY_ONLY */
1258
1259/* Compute message hash from the random r, root, index and message.
1260 *
1261 * RFC 8391: 4.1.9, Algorithm 12: XMSS_sign
1262 * ...
1263 * byte[n] M' = H_msg(r || getRoot(SK) || (toByte(idx_sig, n)), M);
1264 * RFC 8391: 5.1
1265 * H_msg: SHA2-256(toByte(2, 32) || KEY || M)
1266 * H_msg: SHA2-512(toByte(2, 64) || KEY || M)
1267 * H_msg: SHAKE128(toByte(2, 32) || KEY || M, 256)
1268 * H_msg: SHAKE256(toByte(2, 64) || KEY || M, 512)
1269 *
1270 * @param [in] state XMSS/MT state including digest and parameters.
1271 * @param [in] random Random value of n bytes.
1272 * @param [in] root Public root.
1273 * @param [in] idx Buffer holding encoded index.
1274 * @param [in] idx_len Length of encoded index in bytes.
1275 * @param [in] m Message to hash.
1276 * @param [in] mlen Length of message.
1277 * @param [out] hash Buffer to hold hash.
1278 */
1279static void wc_xmss_hash_message(XmssState* state, const byte* random,
1280 const byte* root, const byte* idx, word8 idx_len, const byte* m,
1281 word32 mlen, byte* hash)
1282{
1283 int ret;
1284 const XmssParams* params = state->params;
1285 word32 padKeyLen = XMSS_RAND_HASH_DATA_LEN(params);
1286 /* Offsets into message hash data. */
1287 byte* padKey = state->buf;
1288 byte* pad = padKey;
1289 byte* key = pad + params->pad_len;
1290 byte* root_sk = key + params->n;
1291 byte* idx_sig = root_sk + params->n;
1292
1293 /* idx_len encodes a leaf number (4 or 8 bytes per RFC 8391) and is
1294 * front-padded into an n-byte field. n >= 24 for every supported
1295 * parameter set, so idx_len <= n always holds in valid params, but
1296 * guard explicitly: if the invariant is ever violated, the (word32)
1297 * cast on the subtraction would otherwise produce an around 4 GB
1298 * XMEMSET. */
1299 if (idx_len > params->n) {
1300 state->ret = WC_FAILURE;
1301 return;
1302 }
1303
1304 /* Set prefix data before message. */
1305 XMSS_PAD_ENC(XMSS_HASH_PADDING_HASH, pad, params->pad_len);
1306 XMEMCPY(key, random, params->n);
1307 XMEMCPY(root_sk, root, params->n);
1308 XMEMSET(idx_sig, 0, (word32)(params->n - idx_len));
1309 XMEMCPY(idx_sig + params->n - idx_len, idx, idx_len);
1310
1311 /* Hash the padding and key first. */
1312#ifdef WC_XMSS_SHA256
1313 if (params->hash == WC_HASH_TYPE_SHA256) {
1314 ret = wc_Sha256Update(&state->digest.sha256, padKey, padKeyLen);
1315 }
1316 else
1317#endif /* WC_XMSS_SHA256 */
1318#ifdef WC_XMSS_SHA512
1319 if (params->hash == WC_HASH_TYPE_SHA512) {
1320 ret = wc_Sha512Update(&state->digest.sha512, padKey, padKeyLen);
1321 }
1322 else
1323#endif /* WC_XMSS_SHA512 */
1324#ifdef WC_XMSS_SHAKE128
1325 if (params->hash == WC_HASH_TYPE_SHAKE128) {
1326 ret = wc_Shake128_Update(&state->digest.shake, padKey, padKeyLen);
1327 }
1328 else
1329#endif /* WC_XMSS_SHAKE128 */
1330#ifdef WC_XMSS_SHAKE256
1331 if (params->hash == WC_HASH_TYPE_SHAKE256) {
1332 ret = wc_Shake256_Update(&state->digest.shake, padKey, padKeyLen);
1333 }
1334 else
1335#endif /* WC_XMSS_SHAKE256 */
1336 {
1337 /* Unsupported digest function. */
1338 ret = NOT_COMPILED_IN;
1339 }
1340 if (ret == 0) {
1341 /* Generate hash of message - M'. */
1342 wc_xmss_hash(state, m, mlen, hash);
1343 }
1344 else if (state->ret == 0) {
1345 /* Store any digest failures for public APIs to return. */
1346 state->ret = ret;
1347 }
1348}
1349
1350#ifndef WOLFSSL_XMSS_VERIFY_ONLY
1351
1352/* Compute PRF with key and message.
1353 *
1354 * RFC 8391: 5.1
1355 * PRF: SHA2-256(toByte(3, 32) || KEY || M)
1356 * PRF: SHA2-512(toByte(3, 64) || KEY || M)
1357 * PRF: SHAKE128(toByte(3, 32) || KEY || M, 256)
1358 * PRF: SHAKE256(toByte(3, 64) || KEY || M, 512)
1359 *
1360 * @param [in] state XMSS/MT state including digest and parameters.
1361 * @param [in] key Key used to derive pseudo-random from.
1362 * @param [in] m 32 bytes of data to derive pseudo-random from.
1363 * @param [out] prf Buffer to hold pseudo-random data.
1364 */
1365static void wc_xmss_prf(XmssState* state, const byte* key, const byte* m,
1366 byte* prf)
1367{
1368 const XmssParams* params = state->params;
1369 byte* pad = state->prf_buf;
1370 byte* key_buf = pad + params->pad_len;
1371 byte* m_buf = key_buf + params->n;
1372
1373 /* 00[0..pl-1] || 03 || key[0..n-1] || m[0..31] */
1374 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF, pad, params->pad_len);
1375 XMEMCPY(key_buf, key, params->n);
1376 XMEMCPY(m_buf, m, XMSS_PRF_M_LEN);
1377
1378 /* Hash the PRF data. */
1379 wc_xmss_hash(state, state->prf_buf,
1380 (word32)params->pad_len + params->n + XMSS_PRF_M_LEN, prf);
1381}
1382
1383#ifdef XMSS_CALL_PRF_KEYGEN
1384/* Compute PRF for keygen with key and message.
1385 *
1386 * NIST SP 800-208: 5.1, 5.2, 5.3, 5.4
1387 * PRFkeygen (KEY, M): SHA-256(toByte(4, 32) || KEY || M)
1388 * PRFkeygen (KEY, M): T192(SHA-256(toByte(4, 4) || KEY || M))
1389 * PRFkeygen (KEY, M): SHAKE256(toByte(4, 32) || KEY || M, 256)
1390 * PRFkeygen (KEY, M): SHAKE256(toByte(4, 4) || KEY || M, 192)
1391 *
1392 * @param [in] state XMSS/MT state including digest and parameters.
1393 * @param [in] key Key of n bytes used to derive pseudo-random from.
1394 * @param [in] m n + 32 bytes of data to derive pseudo-random from.
1395 * @param [out] prf Buffer to hold pseudo-random data.
1396 */
1397static void wc_xmss_prf_keygen(XmssState* state, const byte* key,
1398 const byte* m, byte* prf)
1399{
1400 const XmssParams* params = state->params;
1401 byte* pad = state->prf_buf;
1402 byte* key_buf = pad + params->pad_len;
1403 byte* m_buf = key_buf + params->n;
1404
1405 /* 00[0..pl-1] || 04 || key[0..n-1] || m[0..n+31] */
1406 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF_KEYGEN, pad, params->pad_len);
1407 XMEMCPY(key_buf, key, params->n);
1408 XMEMCPY(m_buf, m, params->n + XMSS_PRF_M_LEN);
1409
1410 /* Hash the PRF keygen data. */
1411 wc_xmss_hash(state, state->prf_buf, params->pad_len + 2 * params->n +
1412 XMSS_PRF_M_LEN, prf);
1413}
1414#endif /* XMSS_CALL_PRF_KEYGEN */
1415
1416#endif /* !WOLFSSL_XMSS_VERIFY_ONLY */
1417
1418/********************************************
1419 * WOTS
1420 ********************************************/
1421
1422#ifndef WOLFSSL_XMSS_VERIFY_ONLY
1423
1424#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256)
1425/* Expand private seed with PRF keygen.
1426 *
1427 * RFC 8391: 4.1.3
1428 * "the existence of a method getWOTS_SK(SK, i) is assumed"
1429 * NIST SP 800-208: 7.2.1, Algorithm 10'
1430 * ...
1431 * for ( j=0; j < len; j++) {
1432 * ADRS.setChainAddress(j);
1433 * sk[j] = PRFkeygen(S_XMSS, SEED || ADRS);
1434 * }
1435 *
1436 * @param [in] state XMSS/MT state including digest and parameters.
1437 * @param [in] sk_seed Buffer holding private seed.
1438 * @param [in] pk_seed Random public seed.
1439 * @param [in] addr Hash address as a byte array.
1440 * @param [out] gen_seed Buffer to hold seeds.
1441 */
1442static void wc_xmss_wots_get_wots_sk_sha256_32(XmssState* state,
1443 const byte* sk_seed, const byte* pk_seed, byte* addr, byte* gen_seed)
1444{
1445 const XmssParams* params = state->params;
1446 word32 i;
1447 byte* pad = state->prf_buf;
1448 byte* s_xmss = pad + XMSS_SHA256_32_PAD_LEN;
1449 byte* seed = s_xmss + XMSS_SHA256_32_N;
1450 byte* addr_buf = seed + XMSS_SHA256_32_N;
1451 int ret;
1452
1453 ((word32*)addr)[XMSS_ADDR_CHAIN] = 0;
1454 ((word32*)addr)[XMSS_ADDR_HASH] = 0;
1455 ((word32*)addr)[XMSS_ADDR_KEY_MASK] = 0;
1456
1457 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF_KEYGEN, pad, XMSS_SHA256_32_PAD_LEN);
1458 XMEMCPY(s_xmss, sk_seed, XMSS_SHA256_32_N);
1459 XMEMCPY(seed, pk_seed, XMSS_SHA256_32_N);
1460 XMEMCPY(addr_buf, addr, WC_XMSS_ADDR_LEN);
1461
1462#ifndef WC_XMSS_FULL_HASH
1463 ret = wc_Sha256Update(&state->digest.sha256, pad, XMSS_SHA256_32_PAD_LEN +
1464 XMSS_SHA256_32_N);
1465 if (ret == 0) {
1466 /* Copy state after first 64 bytes. */
1467 XMSS_SHA256_STATE_CACHE(state);
1468 ret = wc_Sha256Update(&state->digest.sha256, seed, XMSS_SHA256_32_N +
1469 WC_XMSS_ADDR_LEN);
1470 }
1471 if (ret == 0) {
1472 ret = wc_Sha256Final(&state->digest.sha256, gen_seed);
1473 }
1474 for (i = 1; (ret == 0) && (i < params->wots_len); i++) {
1475 gen_seed += XMSS_SHA256_32_N;
1476 addr_buf[XMSS_ADDR_CHAIN * 4 + 3] = (byte)i;
1477 XMSS_SHA256_STATE_RESTORE(state, 64);
1478 ret = wc_Sha256Update(&state->digest.sha256, seed, XMSS_SHA256_32_N +
1479 WC_XMSS_ADDR_LEN);
1480 if (ret == 0) {
1481 ret = wc_Sha256Final(&state->digest.sha256, gen_seed);
1482 }
1483 }
1484#else
1485 ret = wc_Sha256Update(&state->digest.sha256, state->prf_buf,
1486 XMSS_SHA256_32_PAD_LEN + 2 * XMSS_SHA256_32_N + WC_XMSS_ADDR_LEN);
1487 if (ret == 0) {
1488 ret = wc_Sha256Final(&state->digest.sha256, gen_seed);
1489 }
1490 for (i = 1; (ret == 0) && i < params->wots_len; i++) {
1491 gen_seed += XMSS_SHA256_32_N;
1492 addr_buf[XMSS_ADDR_CHAIN * 4 + 3] = (byte)i;
1493 ret = wc_Sha256Update(&state->digest.sha256, state->prf_buf,
1494 XMSS_SHA256_32_PAD_LEN + 2 * XMSS_SHA256_32_N + WC_XMSS_ADDR_LEN);
1495 if (ret == 0) {
1496 ret = wc_Sha256Final(&state->digest.sha256, gen_seed);
1497 }
1498 }
1499#endif /* WC_XMSS_FULL_HASH*/
1500
1501 if (state->ret == 0) {
1502 /* Store any digest failures for public APIs to return. */
1503 state->ret = ret;
1504 }
1505}
1506#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 */
1507
1508/* Expand private seed with PRF keygen.
1509 *
1510 * RFC 8391: 4.1.3
1511 * "the existence of a method getWOTS_SK(SK, i) is assumed"
1512 * NIST SP 800-208: 7.2.1
1513 * Algorithm 10'
1514 * ...
1515 * for ( j=0; j < len; j++) {
1516 * ADRS.setChainAddress(j);
1517 * sk[j] = PRFkeygen(S_XMSS, SEED || ADRS);
1518 * }
1519 *
1520 * @param [in] state XMSS/MT state including digest and parameters.
1521 * @param [in] sk_seed Buffer holding private seed.
1522 * @param [in] pk_seed Random public seed.
1523 * @param [in] addr Hash address as a byte array.
1524 * @param [out] gen_seed Buffer to hold seeds.
1525 */
1526static void wc_xmss_wots_get_wots_sk(XmssState* state, const byte* sk_seed,
1527 const byte* pk_seed, byte* addr, byte* gen_seed)
1528{
1529 const XmssParams* params = state->params;
1530 word32 i;
1531#ifdef XMSS_CALL_PRF_KEYGEN
1532 byte* seed = state->buf;
1533 byte* addr_buf = seed + params->n;
1534#else
1535 byte* pad = state->prf_buf;
1536 byte* s_xmss = pad + params->pad_len;
1537 byte* seed = s_xmss + params->n;
1538 byte* addr_buf = seed + params->n;
1539 const word32 len =
1540 (word32)params->pad_len + params->n * 2U + WC_XMSS_ADDR_LEN;
1541#endif /* XMSS_CALL_PRF_KEYGEN */
1542
1543 /* Ensure hash address fields are 0. */
1544 ((word32*)addr)[XMSS_ADDR_CHAIN] = 0;
1545 ((word32*)addr)[XMSS_ADDR_HASH] = 0;
1546 ((word32*)addr)[XMSS_ADDR_KEY_MASK] = 0;
1547
1548#ifdef XMSS_CALL_PRF_KEYGEN
1549 /* Copy the seed and address into PRF keygen message buffer. */
1550 XMEMCPY(seed, pk_seed, params->n);
1551 XMEMCPY(addr_buf, addr, WC_XMSS_ADDR_LEN);
1552
1553 wc_xmss_prf_keygen(state, sk_seed, state->buf, gen_seed);
1554 for (i = 1; i < params->wots_len; i++) {
1555 gen_seed += params->n;
1556 addr_buf[XMSS_ADDR_CHAIN * 4 + 3] = (byte)i;
1557 wc_xmss_prf_keygen(state, sk_seed, state->buf, gen_seed);
1558 }
1559#else
1560 /* Copy the PRF keygen fields into one buffer. */
1561 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF_KEYGEN, pad, params->pad_len);
1562 XMEMCPY(s_xmss, sk_seed, params->n);
1563 XMEMCPY(seed, pk_seed, params->n);
1564 XMEMCPY(addr_buf, addr, WC_XMSS_ADDR_LEN);
1565
1566 /* Fill output with hashes of different chain hash addresses. */
1567 wc_xmss_hash(state, state->prf_buf, len, gen_seed);
1568 for (i = 1; i < params->wots_len; i++) {
1569 gen_seed += params->n;
1570 addr_buf[XMSS_ADDR_CHAIN * 4 + 3] = (byte)i;
1571 wc_xmss_hash(state, state->prf_buf, len, gen_seed);
1572 }
1573#endif /* XMSS_CALL_PRF_KEYGEN */
1574}
1575
1576#endif /* !WOLFSSL_XMSS_VERIFY_ONLY */
1577
1578#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256)
1579/* Chain hashing to calculate node hash.
1580 *
1581 * RFC 8391: 3.1.2, Algorithm 2 - recursive.
1582 * This function is an iterative version.
1583 *
1584 * @param [in] state XMSS/MT state including digest and parameters.
1585 * @param [in] data Initial data to hash.
1586 * @param [in] start Starting hash value in hash address.
1587 * @param [in] steps Size of step.
1588 * @param [in] pk_seed Random public seed.
1589 * @param [in] addr Hash address as a byte array.
1590 * @param [out] hash Chained hash.
1591 */
1592static void wc_xmss_chain_sha256_32(XmssState* state, const byte* data,
1593 unsigned int start, unsigned int steps, const byte* pk_seed, byte* addr,
1594 byte* hash)
1595{
1596 if (steps > 0) {
1597 word32 i;
1598 byte* pad = state->prf_buf;
1599 byte* seed = pad + XMSS_SHA256_32_PAD_LEN;
1600#ifndef WC_XMSS_FULL_HASH
1601 int ret;
1602
1603 /* Set data for PRF hash. */
1604 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF, pad, XMSS_SHA256_32_PAD_LEN);
1605 XMEMCPY(seed, pk_seed, XMSS_SHA256_32_N);
1606
1607 /* Hash first 64 bytes. */
1608 ret = wc_Sha256Update(&state->digest.sha256, state->prf_buf,
1609 XMSS_SHA256_32_PAD_LEN + XMSS_SHA256_32_N);
1610 if (ret == 0) {
1611 /* Copy state after first 64 bytes. */
1612 XMSS_SHA256_STATE_CACHE(state);
1613 /* Only do this once for all chain hash calls. */
1614 XMSS_PAD_ENC(XMSS_HASH_PADDING_F, state->buf,
1615 state->params->pad_len);
1616
1617 /* Set address. */
1618 XMSS_ADDR_SET_BYTE(addr, XMSS_ADDR_HASH, start);
1619 wc_xmss_chain_hash_sha256_32(state, data, addr, hash);
1620 /* Iterate 'steps' calls to the hash function. */
1621 for (i = start+1; i < (start+steps) && i < XMSS_WOTS_W; i++) {
1622 addr[XMSS_ADDR_HASH * 4 + 3] = (byte)i;
1623 wc_xmss_chain_hash_sha256_32(state, hash, addr, hash);
1624 }
1625 }
1626 else if (state->ret == 0) {
1627 /* Store any digest failures for public APIs to return. */
1628 state->ret = ret;
1629 }
1630#else
1631 const XmssParams* params = state->params;
1632 byte* addr_buf = seed + XMSS_SHA256_32_N;
1633
1634 /* Set data for PRF hash. */
1635 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF, pad, XMSS_SHA256_32_PAD_LEN);
1636 XMEMCPY(seed, pk_seed, params->n);
1637 XMEMCPY(addr_buf, addr, WC_XMSS_ADDR_LEN);
1638
1639 /* Only do this once for all chain hash calls. */
1640 XMSS_PAD_ENC(XMSS_HASH_PADDING_F, state->buf, params->pad_len);
1641
1642 /* Set address. */
1643 XMSS_ADDR_SET_BYTE(addr_buf, XMSS_ADDR_HASH, start);
1644 wc_xmss_chain_hash_sha256_32(state, data, hash);
1645 /* Iterate 'steps' calls to the hash function. */
1646 for (i = start+1; i < (start+steps) && i < XMSS_WOTS_W; i++) {
1647 addr_buf[XMSS_ADDR_HASH * 4 + 3] = (byte)i;
1648 wc_xmss_chain_hash_sha256_32(state, hash, hash);
1649 }
1650#endif /* !WC_XMSS_FULL_HASH */
1651 }
1652 else if (hash != data) {
1653 XMEMCPY(hash, data, XMSS_SHA256_32_N);
1654 }
1655}
1656#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 */
1657
1658/* Chain hashing to calculate node hash.
1659 *
1660 * RFC 8391: 3.1.2, Algorithm 2 - recursive.
1661 * This function is an iterative version.
1662 *
1663 * @param [in] state XMSS/MT state including digest and parameters.
1664 * @param [in] data Initial data to hash.
1665 * @param [in] start Starting hash value in hash address.
1666 * @param [in] steps Size of step.
1667 * @param [in] pk_seed Random public seed.
1668 * @param [in] addr Hash address as a byte array.
1669 * @param [out] hash Chained hash.
1670 */
1671static void wc_xmss_chain(XmssState* state, const byte* data,
1672 unsigned int start, unsigned int steps, const byte* pk_seed, byte* addr,
1673 byte* hash)
1674{
1675 const XmssParams* params = state->params;
1676
1677 if (steps > 0) {
1678 word32 i;
1679 byte* pad = state->prf_buf;
1680 byte* seed = pad + params->pad_len;
1681 byte* addr_buf = seed + params->n;
1682
1683 /* Set data for PRF hash. */
1684 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF, pad, params->pad_len);
1685 XMEMCPY(seed, pk_seed, params->n);
1686 XMEMCPY(addr_buf, addr, 32);
1687
1688 /* Only do this once for all chain hash calls. */
1689 XMSS_PAD_ENC(XMSS_HASH_PADDING_F, state->buf, params->pad_len);
1690
1691 /* Set address. */
1692 XMSS_ADDR_SET_BYTE(addr_buf, XMSS_ADDR_HASH, start);
1693 wc_xmss_chain_hash(state, data, hash);
1694 /* Iterate 'steps' calls to the hash function. */
1695 for (i = start+1; i < (start+steps) && i < XMSS_WOTS_W; i++) {
1696 addr_buf[XMSS_ADDR_HASH * 4 + 3] = (byte)i;
1697 wc_xmss_chain_hash(state, hash, hash);
1698 }
1699 }
1700 else if (hash != data) {
1701 XMEMCPY(hash, data, params->n);
1702 }
1703}
1704
1705/* Convert base on message and add checksum.
1706 *
1707 * RFC 8391:, 2.6, Algorithm 1: base_w
1708 * int in = 0;
1709 * int out = 0;
1710 * unsigned int total = 0;
1711 * int bits = 0;
1712 * int consumed;
1713 *
1714 * for ( consumed = 0; consumed < out_len; consumed++ ) {
1715 * if ( bits == 0 ) {
1716 * total = X[in];
1717 * in++;
1718 * bits += 8;
1719 * }
1720 * bits -= lg(w);
1721 * basew[out] = (total >> bits) AND (w - 1);
1722 * out++;
1723 * }
1724 * return basew;
1725 *
1726 * base_w implemented for w == 16 (lg(w) == 4).
1727 *
1728 * RFC 8391: 3.1.5, Algorithm 5:
1729 * ...
1730 * csum = 0;
1731 *
1732 * # Convert message to base w
1733 * msg = base_w(M, w, len_1);
1734 * # Compute checksum
1735 * for ( i = 0; i < len_1; i++ ) {
1736 * csum = csum + w - 1 - msg[i];
1737 * }
1738 *
1739 * # Convert csum to base w
1740 * csum = csum << ( 8 - ( ( len_2 * lg(w) ) % 8 ));
1741 * len_2_bytes = ceil( ( len_2 * lg(w) ) / 8 );
1742 * msg = msg || base_w(toByte(csum, len_2_bytes), w, len_2);
1743 *
1744 * len_1 == 8 * n / 4 = n * 2
1745 * Implemented for len_2 == 3
1746 *
1747 * @param [in] m Message data.
1748 * @param [in] n Number of bytes in hash.
1749 * @param [out] msg Message in new base.
1750 */
1751static void wc_xmss_msg_convert(const byte* m, word8 n, word8* msg)
1752{
1753 word8 i;
1754 /* csum is word16: the WOTS+ checksum below relies on arithmetic
1755 * wrapping at 2^16 (max accumulated value 1920 fits, but the algorithm
1756 * treats the field as a fixed-width 16-bit integer per RFC 8391
1757 * Algorithm 7 step 4). */
1758 word16 csum = 0;
1759
1760 /* Split each full byte of m into two bytes of msg. */
1761 for (i = 0; i < n; i++) {
1762 msg[0] = (word8)(m[i] >> 4);
1763 msg[1] = (word8)(m[i] & 0xf);
1764 csum = (word16)(csum + XMSS_WOTS_W - 1U - msg[0]);
1765 csum = (word16)(csum + XMSS_WOTS_W - 1U - msg[1]);
1766 msg += 2;
1767 }
1768
1769 /* Append checksum to message. (Maximum value: 1920 = 64 * 2 * 15) */
1770 msg[0] = (word8)( csum >> 8) ;
1771 msg[1] = (word8)((csum >> 4) & 0x0f);
1772 msg[2] = (word8)((csum ) & 0x0f);
1773}
1774
1775#ifndef WOLFSSL_XMSS_VERIFY_ONLY
1776
1777/* WOTS+ generate public key with private seed.
1778 *
1779 * RFC 8391: 4.1.6, Algorithm 9:
1780 * ...
1781 * pk = WOTS_genPK (getWOTS_SK(SK, s + i), SEED, ADRS);
1782 * RFC 8391, 3.1.4, Algorithm 4: WOTS_genPK
1783 * ...
1784 * for ( i = 0; i < len; i++ ) {
1785 * ADRS.setChainAddress(i);
1786 * pk[i] = chain(sk[i], 0, w - 1, SEED, ADRS);
1787 * }
1788 * return pk;
1789 *
1790 * WOTS_genPK only used in Algorithm 9 and it is convenient to combine with
1791 * getWOTS_SK due to parameter specific implementations.
1792 *
1793 * @param [in] state XMSS/MT state including digest and parameters.
1794 * @param [in] sk Random private seed.
1795 * @param [in] seed Random public seed.
1796 * @param [in] addr Hashing address.
1797 * @param [out] pk Public key.
1798 */
1799static void wc_xmss_wots_gen_pk(XmssState* state, const byte* sk,
1800 const byte* seed, HashAddress addr, byte* pk)
1801{
1802 const XmssParams* params = state->params;
1803 byte* addr_buf = state->encMsg;
1804 word32 i;
1805
1806 /* Ensure chain address is 0 and encode into a buffer. */
1807 addr[XMSS_ADDR_CHAIN] = 0;
1808 wc_xmss_addr_encode(addr, addr_buf);
1809
1810#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256)
1811 if ((params->pad_len == XMSS_SHA256_32_PAD_LEN) &&
1812 (params->n == XMSS_SHA256_32_N) &&
1813 (params->hash == WC_HASH_TYPE_SHA256)) {
1814 /* Expand the private seed - getWOTS_SK */
1815 wc_xmss_wots_get_wots_sk_sha256_32(state, sk, seed, addr_buf,
1816 pk);
1817
1818 /* Calculate chain hash. */
1819 wc_xmss_chain_sha256_32(state, pk, 0, XMSS_WOTS_W - 1, seed, addr_buf,
1820 pk);
1821 for (i = 1; i < params->wots_len; i++) {
1822 pk += params->n;
1823 addr_buf[XMSS_ADDR_CHAIN * 4 + 3] = (byte)i;
1824 wc_xmss_chain_sha256_32(state, pk, 0, XMSS_WOTS_W - 1, seed,
1825 addr_buf, pk);
1826 }
1827 }
1828 else
1829#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 */
1830 {
1831 /* Expand the private seed - getWOTS_SK */
1832 wc_xmss_wots_get_wots_sk(state, sk, seed, addr_buf, pk);
1833
1834 /* Calculate chain hash. */
1835 wc_xmss_chain(state, pk, 0, XMSS_WOTS_W - 1, seed, addr_buf, pk);
1836 for (i = 1; i < params->wots_len; i++) {
1837 pk += params->n;
1838 addr_buf[XMSS_ADDR_CHAIN * 4 + 3] = (byte)i;
1839 wc_xmss_chain(state, pk, 0, XMSS_WOTS_W - 1, seed, addr_buf, pk);
1840 }
1841 }
1842}
1843/* Generate a signature from a privatge key and message.
1844 *
1845 * RFC 8391: 4.1.9, Algorithm 11: treeSig
1846 * sig_ots = WOTS_sign(getWOTS_SK(SK, idx_sig),
1847 * M', getSEED(SK), ADRS);
1848 * RFC 8391: 3.1.5, Algorithm 5: WOTS_sign
1849 * (Convert message to base w and append checksum in base w)
1850 * ...
1851 * for ( i = 0; i < len; i++ ) {
1852 * ADRS.setChainAddress(i);
1853 * sig[i] = chain(sk[i], 0, msg[i], SEED, ADRS);
1854 * }
1855 * return sig;
1856 *
1857 * WOTS_sign only used in Algorithm 11 and convenient to do getWOTS_SK due to
1858 * hash address reuse and parameter specific implementations.
1859 *
1860 * @param [in] state XMSS/MT state including digest and parameters.
1861 * @param [in] m Message hash to sign.
1862 * @param [in] sk Random private seed.
1863 * @param [in] seed Random public seed.
1864 * @param [in] addr Hashing address.
1865 * @param [out] sig Calculated XMSS/MT signature.
1866 */
1867static void wc_xmss_wots_sign(XmssState* state, const byte* m,
1868 const byte* sk, const byte* seed, HashAddress addr, byte* sig)
1869{
1870 const XmssParams* params = state->params;
1871 byte* addr_buf = state->pk;
1872 word32 i;
1873
1874 /* Convert message to base w and append checksum in base w. */
1875 wc_xmss_msg_convert(m, params->n, state->encMsg);
1876
1877 /* Set initial chain value and encode hash address. */
1878 addr[XMSS_ADDR_CHAIN] = 0;
1879 wc_xmss_addr_encode(addr, addr_buf);
1880
1881#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256)
1882 if ((params->pad_len == XMSS_SHA256_32_PAD_LEN) &&
1883 (params->n == XMSS_SHA256_32_N) &&
1884 (params->hash == WC_HASH_TYPE_SHA256)) {
1885 /* Expand the private seed - getWOTS_SK */
1886 wc_xmss_wots_get_wots_sk_sha256_32(state, sk, seed, addr_buf, sig);
1887
1888 /* Calculate chain hash. */
1889 wc_xmss_chain_sha256_32(state, sig, 0, state->encMsg[0], seed, addr_buf,
1890 sig);
1891 for (i = 1; i < params->wots_len; i++) {
1892 sig += params->n;
1893 addr_buf[XMSS_ADDR_CHAIN * 4 + 3] = (byte)i;
1894 wc_xmss_chain_sha256_32(state, sig, 0, state->encMsg[i], seed,
1895 addr_buf, sig);
1896 }
1897 }
1898 else
1899#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 */
1900 {
1901 /* Expand the private seed - getWOTS_SK */
1902 wc_xmss_wots_get_wots_sk(state, sk, seed, addr_buf, sig);
1903
1904 /* Calculate chain hash. */
1905 wc_xmss_chain(state, sig, 0, state->encMsg[0], seed, addr_buf, sig);
1906 for (i = 1; i < params->wots_len; i++) {
1907 sig += params->n;
1908 addr_buf[XMSS_ADDR_CHAIN * 4 + 3] = (byte)i;
1909 wc_xmss_chain(state, sig, 0, state->encMsg[i], seed, addr_buf, sig);
1910 }
1911 }
1912}
1913
1914#endif /* !WOLFSSL_XMSS_VERIFY_ONLY */
1915
1916/* Compute WOTS+ public key value from signature and message.
1917 *
1918 * RFC 8319: 3.1.6
1919 * Algorithm 6: WOTS_pkFromSig
1920 * (Convert message to base w and append checksum in base w)
1921 * ...
1922 * for ( i = 0; i < len; i++ ) {
1923 * ADRS.setChainAddress(i);
1924 * tmp_pk[i] = chain(sig[i], msg[i], w - 1 - msg[i], SEED, ADRS);
1925 * }
1926 * return tmp_pk;
1927 *
1928 * @param [in] state XMSS/MT state including digest and parameters.
1929 * @param [in] sig XMSS/MT Signature.
1930 * @param [in] m Message to verify.
1931 * @param [in] seed Random public seed.
1932 * @param [in] addr Hashing address.
1933 * @param [out] pk Public key.
1934 */
1935static void wc_xmss_wots_pk_from_sig(XmssState* state, const byte* sig,
1936 const byte* m, const byte* seed, HashAddress addr, byte* pk)
1937{
1938 const XmssParams* params = state->params;
1939 byte* addr_buf = state->stack;
1940 word32 i;
1941
1942 /* Convert message to base w and append checksum in base w. */
1943 wc_xmss_msg_convert(m, params->n, state->encMsg);
1944
1945 /* Start with address with chain value of 0. */
1946 addr[XMSS_ADDR_CHAIN] = 0;
1947 wc_xmss_addr_encode(addr, addr_buf);
1948
1949#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256)
1950 if ((params->pad_len == XMSS_SHA256_32_PAD_LEN) &&
1951 (params->n == XMSS_SHA256_32_N) &&
1952 (params->hash == WC_HASH_TYPE_SHA256)) {
1953 /* Calculate chain hash. */
1954 wc_xmss_chain_sha256_32(state, sig, state->encMsg[0],
1955 XMSS_WOTS_W - 1 - state->encMsg[0], seed, addr_buf, pk);
1956 for (i = 1; i < params->wots_len; i++) {
1957 sig += params->n;
1958 pk += params->n;
1959 /* Update chain. */
1960 addr_buf[XMSS_ADDR_CHAIN * 4 + 3] = (byte)i;
1961 wc_xmss_chain_sha256_32(state, sig, state->encMsg[i],
1962 XMSS_WOTS_W - 1 - state->encMsg[i], seed, addr_buf, pk);
1963 }
1964 }
1965 else
1966#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 */
1967 {
1968 /* Calculate chain hash. */
1969 wc_xmss_chain(state, sig, state->encMsg[0],
1970 XMSS_WOTS_W - 1 - state->encMsg[0], seed, addr_buf, pk);
1971 for (i = 1; i < params->wots_len; i++) {
1972 sig += params->n;
1973 pk += params->n;
1974 /* Update chain. */
1975 addr_buf[XMSS_ADDR_CHAIN * 4 + 3] = (byte)i;
1976 wc_xmss_chain(state, sig, state->encMsg[i],
1977 XMSS_WOTS_W - 1 - state->encMsg[i], seed, addr_buf, pk);
1978 }
1979 }
1980}
1981
1982/********************************************
1983 * L-TREE - unbalanced binary hash tree
1984 ********************************************/
1985
1986/* Compute leaves of L-tree from WOTS+ public key and compress to single value.
1987 *
1988 * RFC 8391: 4.1.5, Algorithm 8: ltree
1989 * unsigned int len' = len;
1990 * ADRS.setTreeHeight(0);
1991 * while ( len' > 1 ) {
1992 * for ( i = 0; i < floor(len' / 2); i++ ) {
1993 * ADRS.setTreeIndex(i);
1994 * pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);
1995 * }
1996 * if ( len' % 2 == 1 ) {
1997 * pk[floor(len' / 2)] = pk[len' - 1];
1998 * }
1999 * len' = ceil(len' / 2);
2000 * ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);
2001 * }
2002 * return pk[0];
2003 *
2004 * @param [in] state XMSS/MT state including digest and parameters.
2005 * @param [in] pk WOTS+ public key.
2006 * @param [in] seed Random public seed.
2007 * @param [in] addr Hashing address.
2008 * @param [out] pk0 N-byte compressed public key value pk[0].
2009 */
2010static void wc_xmss_ltree(XmssState* state, byte* pk, const byte* seed,
2011 HashAddress addr, byte* pk0)
2012{
2013 const XmssParams* params = state->params;
2014 word8 len = params->wots_len;
2015 word32 h = 0;
2016
2017#if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256) && \
2018 !defined(WC_XMSS_FULL_HASH)
2019 /* Precompute hash state after first 64 bytes (common to all hashes). */
2020 if ((params->pad_len == XMSS_SHA256_32_PAD_LEN) &&
2021 (params->n == XMSS_SHA256_32_N) &&
2022 (params->hash == WC_HASH_TYPE_SHA256)) {
2023 byte* prf_buf = state->prf_buf;
2024 int ret;
2025
2026 XMSS_PAD_ENC(XMSS_HASH_PADDING_PRF, prf_buf, XMSS_SHA256_32_PAD_LEN);
2027 XMEMCPY(prf_buf + XMSS_SHA256_32_PAD_LEN, seed, XMSS_SHA256_32_N);
2028
2029 ret = wc_Sha256Update(&state->digest.sha256, prf_buf,
2030 XMSS_SHA256_32_PAD_LEN + XMSS_SHA256_32_N);
2031 if (ret == 0) {
2032 /* Copy state after first 64 bytes. */
2033 XMSS_SHA256_STATE_CACHE(state);
2034 }
2035 else if (state->ret == 0) {
2036 /* Store any digest failures for public APIs to return. */
2037 state->ret = ret;
2038 }
2039 }
2040#endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 && !WC_XMSS_FULL_HASH */
2041 while (len > 1) {
2042 word8 i;
2043 word8 len2 = len >> 1;
2044
2045 addr[XMSS_ADDR_TREE_HEIGHT] = h++;
2046
2047 for (i = 0; i < len2; i++) {
2048 addr[XMSS_ADDR_TREE_INDEX] = i;
2049 #if !defined(WOLFSSL_WC_XMSS_SMALL) && defined(WC_XMSS_SHA256) && \
2050 !defined(WC_XMSS_FULL_HASH)
2051 if ((params->pad_len == XMSS_SHA256_32_PAD_LEN) &&
2052 (params->n == XMSS_SHA256_32_N) &&
2053 (params->hash == WC_HASH_TYPE_SHA256)) {
2054 wc_xmss_rand_hash_sha256_32_prehash(state,
2055 pk + i * 2 * XMSS_SHA256_32_N, addr,
2056 pk + i * XMSS_SHA256_32_N);
2057 }
2058 else
2059 #endif /* !WOLFSSL_WC_XMSS_SMALL && WC_XMSS_SHA256 &&
2060 * !WC_XMSS_FULL_HASH */
2061 {
2062 wc_xmss_rand_hash(state, pk + i * 2 * params->n,
2063 seed, addr, pk + i * params->n);
2064 }
2065 }
2066 if (len & 1) {
2067 XMEMCPY(pk + len2 * params->n, pk + (len - 1) * params->n,
2068 params->n);
2069 }
2070 len = (word8)(len2 + (len & 1));
2071 }
2072 /* Return compressed public key value pk[0]. */
2073 XMEMCPY(pk0, pk, params->n);
2074}
2075
2076#ifndef WOLFSSL_XMSS_VERIFY_ONLY
2077
2078#ifdef WOLFSSL_WC_XMSS_SMALL
2079
2080/********************************************
2081 * TREE HASH
2082 ********************************************/
2083
2084#ifndef WOLFSSL_SMALL_STACK
2085/* Compute internal nodes of Merkle tree.
2086 *
2087 * Implementation always starts at index 0. (s = 0)
2088 *
2089 * Build authentication path, if required, rather than duplicating work.
2090 * When node is generated, copy out to authentication path array of nodes.
2091 *
2092 * RFC 8391: 4.1.6, Algorithm 9: treeHash
2093 * if( s % (1 << t) != 0 ) return -1;
2094 * for ( i = 0; i < 2^t; i++ ) {
2095 * SEED = getSEED(SK);
2096 * ADRS.setType(0); # Type = OTS hash address
2097 * ADRS.setOTSAddress(s + i);
2098 * pk = WOTS_genPK (getWOTS_SK(SK, s + i), SEED, ADRS);
2099 * ADRS.setType(1); # Type = L-tree address
2100 * ADRS.setLTreeAddress(s + i);
2101 * node = ltree(pk, SEED, ADRS);
2102 * ADRS.setType(2); # Type = hash tree address
2103 * ADRS.setTreeHeight(0);
2104 * ADRS.setTreeIndex(i + s);
2105 * while ( Top node on Stack has same height t' as node ) {
2106 * ADRS.setTreeIndex((ADRS.getTreeIndex() - 1) / 2);
2107 * node = RAND_HASH(Stack.pop(), node, SEED, ADRS);
2108 * ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);
2109 * }
2110 * Stack.push(node);
2111 * }
2112 * return Stack.pop();
2113 * RFC 8391: 4.1.9, (Example) buildAuth
2114 * for ( j = 0; j < h; j++ ) {
2115 * k = floor(i / (2^j)) XOR 1;
2116 * auth[j] = treeHash(SK, k * 2^j, j, ADRS);
2117 * }
2118 *
2119 * @param [in] state XMSS/MT state including digest and parameters.
2120 * @param [in] sk_seed Random private seed.
2121 * @param [in] pk_seed Random public seed.
2122 * @param [in] leafIdx Index of lead node.
2123 * @param [in] subtree_addr Address of subtree.
2124 * @param [out] root Root node of the tree.
2125 * @param [out] auth_path Nodes of the authentication path.
2126 */
2127static void wc_xmss_treehash(XmssState* state, const byte* sk_seed,
2128 const byte* pk_seed, word32 leafIdx, const word32* subtree, byte* root,
2129 byte* auth_path)
2130{
2131 const XmssParams* params = state->params;
2132 const word8 n = params->n;
2133 byte* node = state->stack;
2134 HashAddress ots;
2135 HashAddress ltree;
2136 HashAddress tree;
2137 word8 height[WC_XMSS_MAX_TREE_HEIGHT + 1];
2138 word8 offset = 0;
2139 word32 max = (word32)1U << params->sub_h;
2140 word32 i;
2141
2142 /* Copy hash address into one for each purpose. */
2143 XMSS_ADDR_OTS_SET_SUBTREE(ots, subtree);
2144 XMSS_ADDR_LTREE_SET_SUBTREE(ltree, subtree);
2145 XMSS_ADDR_TREE_SET_SUBTREE(tree, subtree);
2146
2147 for (i = 0; i < max; i++) {
2148 word8 h;
2149
2150 /* Calculate WOTS+ public key. */
2151 ots[XMSS_ADDR_OTS] = i;
2152 wc_xmss_wots_gen_pk(state, sk_seed, pk_seed, ots, state->pk);
2153 /* Calculate public value. */
2154 ltree[XMSS_ADDR_LTREE] = i;
2155 wc_xmss_ltree(state, state->pk, pk_seed, ltree, node);
2156
2157 /* Initial height at this offset is 0. */
2158 h = height[offset] = 0;
2159 /* Copy node, at height 0, out if on authentication path. */
2160 if ((auth_path != NULL) && ((leafIdx ^ 0x1) == i)) {
2161 XMEMCPY(auth_path, node, n);
2162 }
2163
2164 /* Top node on Stack has same height t' as node. */
2165 while ((offset >= 1) && (h == height[offset - 1])) {
2166 word32 tree_idx = i >> (h + 1);
2167
2168 node -= n;
2169 /* Calculate hash of node. */
2170 tree[XMSS_ADDR_TREE_HEIGHT] = h;
2171 tree[XMSS_ADDR_TREE_INDEX] = tree_idx;
2172 wc_xmss_rand_hash(state, node, pk_seed, tree, node);
2173
2174 /* Update offset and height. */
2175 offset--;
2176 h = ++height[offset];
2177
2178 /* Copy node out if on authentication path. */
2179 if ((auth_path != NULL) && (((leafIdx >> h) ^ 0x1) == tree_idx)) {
2180 XMEMCPY(auth_path + h * n, node, n);
2181 }
2182 }
2183 offset++;
2184 node += n;
2185 }
2186
2187 /* Copy the root node. */
2188 XMEMCPY(root, state->stack, n);
2189}
2190#else
2191/* Compute internal nodes of Merkle tree.
2192 *
2193 * Implementation always starts at index 0. (s = 0)
2194 *
2195 * Build authentication path, if required, rather than duplicating work.
2196 * When node is generated, copy out to authentication path array of nodes.
2197 *
2198 * RFC 8391: 4.1.6, Algorithm 9: treeHash
2199 * if( s % (1 << t) != 0 ) return -1;
2200 * for ( i = 0; i < 2^t; i++ ) {
2201 * SEED = getSEED(SK);
2202 * ADRS.setType(0); # Type = OTS hash address
2203 * ADRS.setOTSAddress(s + i);
2204 * pk = WOTS_genPK (getWOTS_SK(SK, s + i), SEED, ADRS);
2205 * ADRS.setType(1); # Type = L-tree address
2206 * ADRS.setLTreeAddress(s + i);
2207 * node = ltree(pk, SEED, ADRS);
2208 * ADRS.setType(2); # Type = hash tree address
2209 * ADRS.setTreeHeight(0);
2210 * ADRS.setTreeIndex(i + s);
2211 * while ( Top node on Stack has same height t' as node ) {
2212 * ADRS.setTreeIndex((ADRS.getTreeIndex() - 1) / 2);
2213 * node = RAND_HASH(Stack.pop(), node, SEED, ADRS);
2214 * ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);
2215 * }
2216 * Stack.push(node);
2217 * }
2218 * return Stack.pop();
2219 * RFC 8391: 4.1.9, (Example) buildAuth
2220 * for ( j = 0; j < h; j++ ) {
2221 * k = floor(i / (2^j)) XOR 1;
2222 * auth[j] = treeHash(SK, k * 2^j, j, ADRS);
2223 * }
2224 *
2225 * @param [in] state XMSS/MT state including digest and parameters.
2226 * @param [in] sk_seed Random private seed.
2227 * @param [in] pk_seed Random public seed.
2228 * @param [in] leafIdx Index of lead node.
2229 * @param [in] subtree_addr Address of subtree.
2230 * @param [out] root Root node of the tree.
2231 * @param [out] auth_path Nodes of the authentication path.
2232 */
2233static void wc_xmss_treehash(XmssState* state, const byte* sk_seed,
2234 const byte* pk_seed, word32 leafIdx, const word32* subtree, byte* root,
2235 byte* auth_path)
2236{
2237 const XmssParams* params = state->params;
2238 const word8 n = params->n;
2239 byte* node = state->stack;
2240 HashAddress addr;
2241 word8 height[WC_XMSS_MAX_TREE_HEIGHT + 1];
2242 word8 offset = 0;
2243 word32 max = (word32)1U << params->sub_h;
2244 word32 i;
2245
2246 XMSS_ADDR_SET_SUBTREE(addr, subtree, 0);
2247
2248 for (i = 0; i < max; i++) {
2249 word8 h;
2250
2251 /* Calculate WOTS+ public key. */
2252 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_OTS;
2253 addr[XMSS_ADDR_LTREE] = i;
2254 wc_xmss_wots_gen_pk(state, sk_seed, pk_seed, addr, state->pk);
2255 /* Calculate public value. */
2256 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_LTREE;
2257 wc_xmss_ltree(state, state->pk, pk_seed, addr, node);
2258 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_TREE;
2259 addr[XMSS_ADDR_TREE_ZERO] = 0;
2260
2261 /* Initial height at this offset is 0. */
2262 h = height[offset] = 0;
2263 /* Copy node out if on authentication path. */
2264 if ((auth_path != NULL) && ((leafIdx ^ 0x1) == i)) {
2265 XMEMCPY(auth_path, node, n);
2266 }
2267
2268 /* Top node on Stack has same height t' as node. */
2269 while ((offset >= 1) && (h == height[offset - 1])) {
2270 word32 tree_idx = i >> (h + 1);
2271
2272 node -= n;
2273 /* Calculate hash of node. */
2274 addr[XMSS_ADDR_TREE_HEIGHT] = h;
2275 addr[XMSS_ADDR_TREE_INDEX] = tree_idx;
2276 wc_xmss_rand_hash(state, node, pk_seed, addr, node);
2277
2278 /* Update offset and height. */
2279 offset--;
2280 h = ++height[offset];
2281
2282 /* Copy node out if on authentication path. */
2283 if ((auth_path != NULL) && (((leafIdx >> h) ^ 0x1) == tree_idx)) {
2284 XMEMCPY(auth_path + h * n, node, n);
2285 }
2286 }
2287 offset++;
2288 node += n;
2289 /* Reset hash address ready for use as OTS and LTREE. */
2290 addr[XMSS_ADDR_TREE_HEIGHT] = 0;
2291 addr[XMSS_ADDR_TREE_INDEX] = 0;
2292 }
2293
2294 /* Copy the root node. */
2295 XMEMCPY(root, state->stack, n);
2296}
2297#endif /* !WOLFSSL_SMALL_STACK */
2298
2299/********************************************
2300 * MAKE KEY
2301 ********************************************/
2302
2303/* Derives XMSSMT (and XMSS) key pair from seeds.
2304 *
2305 * RFC 8391: 4.1.7, Algorithm 10: XMSS_keyGen.
2306 * ...
2307 * initialize SK_PRF with a uniformly random n-byte string;
2308 * setSK_PRF(SK, SK_PRF);
2309 *
2310 * # Initialization for common contents
2311 * initialize SEED with a uniformly random n-byte string;
2312 * setSEED(SK, SEED);
2313 * setWOTS_SK(SK, wots_sk));
2314 * ADRS = toByte(0, 32);
2315 * root = treeHash(SK, 0, h, ADRS);
2316 *
2317 * SK = idx || wots_sk || SK_PRF || root || SEED;
2318 * PK = OID || root || SEED;
2319 * return (SK || PK);
2320 *
2321 * wots_sk, SK_PRF and SEED passed in as seed.
2322 * Store seed for wots_sk instead of generated wots_sk.
2323 * OID not stored in PK this is handled in upper layer.
2324 *
2325 * @param [in] state XMSS/MT state including digest and parameters.
2326 * @param [in] seed Random seeds.
2327 * @param [out] sk Secret/Private key.
2328 * @param [out] pk Public key.
2329 * @return 0 on success.
2330 * @return <0 on digest failure.
2331 */
2332int wc_xmssmt_keygen(XmssState* state, const unsigned char* seed,
2333 unsigned char* sk, unsigned char* pk)
2334{
2335 const XmssParams* params = state->params;
2336 const word8 n = params->n;
2337 const byte* seed_priv = seed;
2338 const byte* seed_pub = seed + 2 * n;
2339 /* Offsets into secret/private key. */
2340 byte* sk_idx = sk;
2341 byte* sk_seed = sk_idx + params->idx_len;
2342 byte* sk_pub = sk_seed + 2 * n;
2343 /* Offsets into public key. */
2344 byte* pk_root = pk;
2345 byte* pk_seed = pk_root + n;
2346
2347 /* Set first index to 0 in private key. */
2348 XMEMSET(sk_idx, 0, params->idx_len);
2349 /* Set private key seed and private key for PRF in to private key. */
2350 XMEMCPY(sk_seed, seed_priv, 2U * n);
2351 /* Set public key seed into public key. */
2352 XMEMCPY(pk_seed, seed_pub, n);
2353
2354 /* Set all address values to zero. */
2355 XMEMSET(state->addr, 0, sizeof(HashAddress));
2356 /* Set depth into address. */
2357 state->addr[XMSS_ADDR_LAYER] = (word32)(params->d - 1);
2358 /* Compute root node into public key. */
2359 wc_xmss_treehash(state, sk_seed, pk_seed, 0, state->addr, pk_root, NULL);
2360
2361 /* Append public key (root node and public seed) to private key. */
2362 XMEMCPY(sk_pub, pk_root, 2U * n);
2363
2364 /* Return any errors that occurred during hashing. */
2365 return state->ret;
2366}
2367
2368/********************************************
2369 * SIGN
2370 ********************************************/
2371
2372/**
2373 * Sign message using XMSS/XMSS^MT.
2374 *
2375 * RFC 8391: 4.1.9, Algorithm 11: treeSig
2376 * auth = buildAuth(SK, idx_sig, ADRS);
2377 * ADRS.setType(0); # Type = OTS hash address
2378 * ADRS.setOTSAddress(idx_sig);
2379 * sig_ots = WOTS_sign(getWOTS_SK(SK, idx_sig),
2380 * M', getSEED(SK), ADRS);
2381 * Sig = sig_ots || auth;
2382 * return Sig;
2383 * RFC 8391: 4.2.4, Algorithm 16: XMSSMT_sign
2384 * # Init
2385 * ADRS = toByte(0, 32);
2386 * SEED = getSEED(SK_MT);
2387 * SK_PRF = getSK_PRF(SK_MT);
2388 * idx_sig = getIdx(SK_MT);
2389 *
2390 * # Update SK_MT
2391 * setIdx(SK_MT, idx_sig + 1);
2392 *
2393 * # Message compression
2394 * byte[n] r = PRF(SK_PRF, toByte(idx_sig, 32));
2395 * byte[n] M' = H_msg(r || getRoot(SK_MT) || (toByte(idx_sig, n)), M);
2396 *
2397 * # Sign
2398 * Sig_MT = idx_sig;
2399 * unsigned int idx_tree
2400 * = (h - h / d) most significant bits of idx_sig;
2401 * unsigned int idx_leaf = (h / d) least significant bits of idx_sig;
2402 * SK = idx_leaf || getXMSS_SK(SK_MT, idx_tree, 0) || SK_PRF
2403 * || toByte(0, n) || SEED;
2404 * ADRS.setLayerAddress(0);
2405 * ADRS.setTreeAddress(idx_tree);
2406 * Sig_tmp = treeSig(M', SK, idx_leaf, ADRS);
2407 * Sig_MT = Sig_MT || r || Sig_tmp;
2408 * for ( j = 1; j < d; j++ ) {
2409 * root = treeHash(SK, 0, h / d, ADRS);
2410 * idx_leaf = (h / d) least significant bits of idx_tree;
2411 * idx_tree = (h - j * (h / d)) most significant bits of idx_tree;
2412 * SK = idx_leaf || getXMSS_SK(SK_MT, idx_tree, j) || SK_PRF
2413 * || toByte(0, n) || SEED;
2414 * ADRS.setLayerAddress(j);
2415 * ADRS.setTreeAddress(idx_tree);
2416 * Sig_tmp = treeSig(root, SK, idx_leaf, ADRS);
2417 * Sig_MT = Sig_MT || Sig_tmp;
2418 * }
2419 * return SK_MT || Sig_MT
2420 *
2421 * buildAuth from treeSig done inside treeHash as this is more efficient.
2422 *
2423 * @param [in] state XMSS/MT state including digest and parameters.
2424 * @param [in] m Buffer holding message.
2425 * @param [in] mlen Length of message in buffer.
2426 * @param [in, out] sk Secret/Private key.
2427 * @param [out] sig Signature.
2428 * @return 0 on success.
2429 * @return <0 on digest failure.
2430 */
2431int wc_xmssmt_sign(XmssState* state, const unsigned char* m, word32 mlen,
2432 unsigned char* sk, unsigned char* sig)
2433{
2434 int ret = 0;
2435 const XmssParams* params = state->params;
2436 const word8 n = params->n;
2437 const word8 hs = params->sub_h;
2438 const word16 hsn = (word16)(hs * n);
2439 const byte* sk_seed = sk + params->idx_len;
2440 const byte* pk_seed = sk + params->idx_len + 3 * n;
2441 wc_Idx idx;
2442 byte* sig_r = sig + params->idx_len;
2443 byte root[WC_XMSS_MAX_N];
2444 unsigned int i;
2445
2446 WC_IDX_ZERO(idx);
2447 /* Set all address values to zero and set type to OTS. */
2448 XMEMSET(state->addr, 0, sizeof(HashAddress));
2449 state->addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_OTS;
2450
2451 /* Copy the index into the signature data: Sig_MT = idx_sig. */
2452 XMEMCPY(sig, sk, params->idx_len);
2453
2454 /* Read index from the secret key. */
2455 WC_IDX_DECODE(idx, params->idx_len, sk, ret);
2456 /* Validate index in secret key. */
2457 if ((ret == 0) && (WC_IDX_INVALID(idx, params->idx_len, params->h))) {
2458 /* Set index to maximum value to distinguish from valid value. */
2459 XMEMSET(sk, 0xFF, params->idx_len);
2460 /* Zeroize the secret key. */
2461 ForceZero(sk + params->idx_len, params->sk_len - params->idx_len);
2462 ret = KEY_EXHAUSTED_E;
2463 }
2464
2465 /* Update SK_MT */
2466 if (ret == 0) {
2467 /* Increment the index in the secret key. */
2468 wc_idx_update(sk, params->idx_len);
2469 }
2470
2471 /* Message compression */
2472 if (ret == 0) {
2473 const byte* sk_prf = sk + params->idx_len + n;
2474
2475 /* byte[n] r = PRF(SK_PRF, toByte(idx_sig, 32)); */
2476 wc_idx_copy(sig, params->idx_len, state->buf, XMSS_PRF_M_LEN);
2477 wc_xmss_prf(state, sk_prf, state->buf, sig_r);
2478 ret = state->ret;
2479 }
2480 if (ret == 0) {
2481 const byte* pub_root = sk + params->idx_len + 2 * n;
2482 /* byte[n] M' = H_msg(r || getRoot(SK_MT) || (toByte(idx_sig, n)), M);
2483 */
2484 wc_xmss_hash_message(state, sig_r, pub_root, sig, params->idx_len, m,
2485 mlen, root);
2486 ret = state->ret;
2487 /* Place WOTS+ signatures after index and 'r'. */
2488 sig += params->idx_len + n;
2489 }
2490
2491 /* Sign. */
2492 for (i = 0; (ret == 0) && (i < params->d); i++) {
2493 word32 idx_leaf = 0;
2494
2495 /* Set layer, tree and OTS leaf index into hash address. */
2496 state->addr[XMSS_ADDR_LAYER] = i;
2497 WC_IDX_SET_ADDR_TREE(idx, params->idx_len, hs, state->addr, idx_leaf);
2498 /* treeSig || treeHash = sig_ots || auth */
2499 state->addr[XMSS_ADDR_OTS] = idx_leaf;
2500 /* Create WOTS+ signature for tree into signature (sig_ots). */
2501 wc_xmss_wots_sign(state, root, sk_seed, pk_seed, state->addr, sig);
2502 ret = state->ret;
2503 if (ret == 0) {
2504 sig += params->wots_sig_len;
2505 /* Add authentication path (auth) and calc new root. */
2506 wc_xmss_treehash(state, sk_seed, pk_seed, idx_leaf, state->addr,
2507 root, sig);
2508 ret = state->ret;
2509 sig += hsn;
2510 }
2511 }
2512
2513 return ret;
2514}
2515
2516#else
2517
2518/********************************************
2519 * Fast C implementation
2520 ********************************************/
2521
2522/* Tree hash data - needs to be unpacked from binary. */
2523typedef struct TreeHash {
2524 /* Next index to update in tree - max 20 bits. */
2525 word32 nextIdx;
2526 /* Number of stack entries used by tree - 0..<subtree height>. */
2527 word8 used;
2528 /* Tree is finished. */
2529 word8 completed;
2530} TreeHash;
2531
2532/* BDS state. */
2533typedef struct BdsState {
2534 /* Stack of nodes - subtree height + 1 nodes. */
2535 byte* stack;
2536 /* Height of stack node - subtree height + 1 of 0..<subtree height - 1>. */
2537 byte* height;
2538 /* Authentication path for next index - subtree height nodes. */
2539 byte* authPath;
2540 /* Hashes of nodes kept - subtree height / 2 nodes. */
2541 byte* keep;
2542 /* Tree hash instances - subtree height minus K instances. */
2543 byte* treeHash;
2544 /* Hashes of nodes for tree hash - one for each tree hash instance. */
2545 byte* treeHashNode;
2546 /* Hashes of nodes to retain - based on K parameter. */
2547 byte* retain;
2548 /* Next leaf to calculate - max 20 bits. */
2549 word32 next;
2550 /* Current offset into stack - 0..<subtree height>. */
2551 word8 offset;
2552} BdsState;
2553
2554/* Index to BDS state accounting for swapping.
2555 *
2556 * @param [in] idx Index of node.
2557 * @param [in] i Depth of tree.
2558 * @param [in] hs Height of subtree.
2559 * @param [in] d Depth/number of trees.
2560 * @return Index of working BDS state.
2561 */
2562#define BDS_IDX(idx, i, hs, d) \
2563 ((word8)(((((idx) >> ((hs) * ((i) + 1))) & 1) == 0) ? (i) : ((d) + (i))))
2564/* Index to alternate BDS state accounting for swapping.
2565 *
2566 * @param [in] idx Index of node.
2567 * @param [in] i Depth of tree.
2568 * @param [in] hs Height of subtree.
2569 * @param [in] d Depth/number of trees.
2570 * @return Index of alternate BDS state.
2571 */
2572#define BDS_ALT_IDX(idx, i, hs, d) \
2573 ((word8)(((((idx) >> ((hs) * ((i) + 1))) & 1) == 0) ? ((d) + (i)) : (i)))
2574
2575/********************************************
2576 * Tree Hash APIs
2577 ********************************************/
2578
2579/* Initialize the tree hash data at specified index for the BDS state.
2580 *
2581 * @param [in, out] bds BDS state.
2582 * @param [in] i Index of tree hash.
2583 */
2584static void wc_xmss_bds_state_treehash_init(BdsState* bds, word32 i)
2585{
2586 byte* sk = bds->treeHash + i * 4U;
2587 c32to24(0, sk);
2588 sk[3] = 0 | (1U << 7);
2589}
2590
2591/* Set next index into tree hash data at specified index for the BDS state.
2592 *
2593 * @param [in, out] bds BDS state.
2594 * @param [in] i Index of tree hash.
2595 * @param [in] nextIdx Next index for tree hash.
2596 */
2597static void wc_xmss_bds_state_treehash_set_next_idx(BdsState* bds, int i,
2598 word32 nextIdx)
2599{
2600 byte* sk = bds->treeHash + i * 4;
2601 c32to24(nextIdx, sk);
2602 sk[3] = 0 | (0 << 7);
2603}
2604
2605/* Mark tree hash, at specified index for the BDS state, as complete.
2606 *
2607 * @param [in, out] bds BDS state.
2608 * @param [in] i Index of tree hash.
2609 */
2610static void wc_xmss_bds_state_treehash_complete(BdsState* bds, int i)
2611{
2612 byte* sk = bds->treeHash + i * 4;
2613 sk[3] |= 1 << 7; /* // NOLINT(clang-analyzer-core.NullDereference) */
2614}
2615
2616/* Get the tree hash data at specified index for the BDS state.
2617 *
2618 * @param [in] bds BDS state.
2619 * @param [in] i Index of tree hash.
2620 * @param [out] treeHash Tree hash instance to fill out.
2621 */
2622static void wc_xmss_bds_state_treehash_get(BdsState* bds, int i,
2623 TreeHash* treeHash)
2624{
2625 byte* sk = bds->treeHash + i * 4;
2626 ato24(sk, &treeHash->nextIdx);
2627 treeHash->used = sk[3] & 0x7f;
2628 treeHash->completed = sk[3] >> 7;
2629}
2630
2631/* Set the tree hash data at specified index for the BDS state.
2632 *
2633 * @param [in, out] bds BDS state.
2634 * @param [in] i Index of tree hash.
2635 * @param [in] treeHash Tree hash data.
2636 */
2637static void wc_xmss_bds_state_treehash_set(BdsState* bds, int i,
2638 TreeHash* treeHash)
2639{
2640 byte* sk = bds->treeHash + i * 4;
2641 c32to24(treeHash->nextIdx, sk);
2642 sk[3] = (byte)(treeHash->used | (treeHash->completed << 7));
2643}
2644
2645/********************************************
2646 * BDS State APIs
2647 ********************************************/
2648
2649/* Allocate memory for BDS state.
2650 *
2651 * When using a static BDS state (XMSS) then pass in handle to data for bds.
2652 *
2653 * @param [in] params XMSS/MT parameters.
2654 * @param [in, out] bds Handle to BDS state. May be NULL if not allocated.
2655 * @return 0 on success.
2656 * @return MEMORY_E on dynamic memory allocation failure.
2657 */
2658static int wc_xmss_bds_state_alloc(const XmssParams* params, BdsState** bds,
2659 void* heap)
2660{
2661 const word8 cnt = (word8)(2 * params->d - 1);
2662 int ret = 0;
2663
2664 if (*bds == NULL) {
2665 /* Allocate memory for BDS states. */
2666 *bds = (BdsState*)XMALLOC(sizeof(BdsState) * cnt, heap,
2667 DYNAMIC_TYPE_TMP_BUFFER);
2668 if (*bds == NULL) {
2669 ret = MEMORY_E;
2670 }
2671 else {
2672 XMEMSET(*bds, 0, sizeof(BdsState) * cnt);
2673 }
2674 }
2675
2676 return ret;
2677}
2678
2679/* Dispose of allocated memory associated with BDS state.
2680 *
2681 * @param [in] bds BDS state.
2682 * @param [in] heap Dynamic memory hint.
2683 */
2684static void wc_xmss_bds_state_free(BdsState* bds, void* heap)
2685{
2686 /* BDS states was allocated - must free. */
2687 XFREE(bds, heap, DYNAMIC_TYPE_TMP_BUFFER);
2688}
2689
2690/* Load the BDS state from the secret/private key.
2691 *
2692 * @param [in] state XMSS/MT state including digest and parameters.
2693 * @param [in] sk Secret/private key.
2694 * @param [out] bds BDS states.
2695 * @param [out] wots_sigs WOTS signatures when XMSS^MT.
2696 */
2697static int wc_xmss_bds_state_load(const XmssState* state, byte* sk,
2698 BdsState* bds, byte** wots_sigs)
2699{
2700 const XmssParams* params = state->params;
2701 const word8 n = params->n;
2702 const word8 hs = params->sub_h;
2703 const word8 hsk = (word8)(params->sub_h - params->bds_k);
2704 const word8 k = params->bds_k;
2705 const word32 retainLen = XMSS_RETAIN_LEN(k, n);
2706 int i;
2707
2708 /* Skip past standard SK = idx || wots_sk || SK_PRF || root || SEED; */
2709 sk += params->idx_len + 4 * n;
2710
2711 if (2 * (int)params->d - 1 <= 0)
2712 return WC_FAILURE;
2713
2714 for (i = 0; i < 2 * (int)params->d - 1; i++) {
2715 /* Set pointers into SK. */
2716 bds[i].stack = sk;
2717 sk += (hs + 1) * n;
2718 bds[i].height = sk;
2719 sk += hs + 1;
2720 bds[i].authPath = sk;
2721 sk += hs * n;
2722 bds[i].keep = sk;
2723 sk += (hs >> 1) * n;
2724 bds[i].treeHash = sk;
2725 sk += hsk * 4;
2726 bds[i].treeHashNode = sk;
2727 sk += hsk * n;
2728 bds[i].retain = sk;
2729 sk += retainLen;
2730 /* Load values - big-endian encoded. */
2731 ato24(sk, &bds[i].next);
2732 sk += 3;
2733 bds[i].offset = sk[0];
2734 sk += 1;
2735 }
2736
2737 if (wots_sigs != NULL) {
2738 *wots_sigs = sk;
2739 }
2740
2741 return 0;
2742}
2743
2744/* Store the BDS state into the secret/private key.
2745 *
2746 * @param [in] state XMSS/MT state including digest and parameters.
2747 * @param [in, out] sk Secret/private key.
2748 * @param [in] bds BDS states.
2749 */
2750static int wc_xmss_bds_state_store(const XmssState* state, byte* sk,
2751 BdsState* bds)
2752{
2753 int i;
2754 const XmssParams* params = state->params;
2755 const word8 n = params->n;
2756 const word8 hs = params->sub_h;
2757 const word8 hsk = (word8)(params->sub_h - params->bds_k);
2758 const word8 k = params->bds_k;
2759 const word32 skip = (word32)((hs + 1) * n + /* BdsState.stack */
2760 hs + 1 + /* BdsState.height */
2761 hs * n + /* BdsState.authPath */
2762 (hs >> 1) * n + /* BdsState.keep */
2763 hsk * 4 + /* BdsState.treeHash */
2764 hsk * n) + /* BdsState.treeHashNode */
2765 XMSS_RETAIN_LEN(k, n); /* BdsState.retain */
2766
2767 /* Ignore standard SK = idx || wots_sk || SK_PRF || root || SEED; */
2768 sk += params->idx_len + 4 * n;
2769
2770 if (2 * (int)params->d - 1 <= 0)
2771 return WC_FAILURE;
2772
2773 for (i = 0; i < 2 * (int)params->d - 1; i++) {
2774 /* Skip pointers into sk. */
2775 sk += skip;
2776 /* Save values - big-endian encoded. */
2777 c32to24(bds[i].next, sk); /* NOLINT(clang-analyzer-core.CallAndMessage) */
2778 sk += 3;
2779 sk[0] = bds[i].offset;
2780 sk += 1;
2781 }
2782
2783 return 0;
2784}
2785
2786/********************************************
2787 * BDS
2788 ********************************************/
2789
2790/* Compute node at next index.
2791 *
2792 * RFC 8391: 4.1.6, Algorithm 9: treeHash
2793 * ...
2794 * ADRS.setType(0); # Type = OTS hash address
2795 * ADRS.setOTSAddress(s + i);
2796 * pk = WOTS_genPK (getWOTS_SK(SK, s + i), SEED, ADRS);
2797 * ADRS.setType(1); # Type = L-tree address
2798 * ADRS.setLTreeAddress(s + i);
2799 * node = ltree(pk, SEED, ADRS);
2800 * ADRS.setType(2); # Type = hash tree address
2801 * ADRS.setTreeHeight(0);
2802 * ADRS.setTreeIndex(i + s);
2803 * while ( Top node on Stack has same height t' as node ) {
2804 * ADRS.setTreeIndex((ADRS.getTreeIndex() - 1) / 2);
2805 * node = RAND_HASH(Stack.pop(), node, SEED, ADRS);
2806 * ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);
2807 * }
2808 * Stack.push(node);
2809 * ...
2810 *
2811 * @param [in] state XMSS/MT state including digest and parameters.
2812 * @param [in] bds BDS state.
2813 * @param [in] sk_seed Random secret/private seed.
2814 * @param [in] pk_seed Random public seed.
2815 * @param [in] addr Hash address.
2816 * @param [out] root Root node.
2817 */
2818static void wc_xmss_bds_next_idx(XmssState* state, BdsState* bds,
2819 const byte* sk_seed, const byte* pk_seed, HashAddress addr, word32 i,
2820 word8* height, word8* offset, word8** sp)
2821{
2822 const XmssParams* params = state->params;
2823 const word8 hs = params->sub_h;
2824 const word8 hsk = (word8)(params->sub_h - params->bds_k);
2825 const word8 n = params->n;
2826 word8 o = *offset;
2827 word8* node = *sp;
2828 word8 h;
2829
2830 /* Calculate WOTS+ public key. */
2831 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_OTS;
2832 addr[XMSS_ADDR_OTS] = (word32)i;
2833 wc_xmss_wots_gen_pk(state, sk_seed, pk_seed, addr, state->pk);
2834 /* Calculate public value. */
2835 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_LTREE;
2836 wc_xmss_ltree(state, state->pk, pk_seed, addr, node);
2837 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_TREE;
2838 addr[XMSS_ADDR_TREE_ZERO] = 0;
2839
2840 /* Initial height at this offset is 0. */
2841 h = height[o] = 0;
2842 /* HDSS, Section 4.5, 2: TREEHASH[h].push(v[h][3])
2843 * Copy right node to tree hash nodes if second right node. */
2844 if ((hsk > 0) && (i == 3)) {
2845 XMEMCPY(bds->treeHashNode, node + n, n);
2846 }
2847
2848 /* Top node on Stack has same height t' as node. */
2849 while ((o >= 1) && (h == height[o - 1])) {
2850 /* HDSS, Section 4.5, 1: AUTH[h] = v[h][1], h = 0,...,H-1.
2851 * Cache left node if on authentication path. */
2852 if ((i >> h) == 1) {
2853 if (bds->authPath == NULL) {
2854 state->ret = WC_FAILURE;
2855 return;
2856 }
2857 XMEMCPY(bds->authPath + h * n, node, n);
2858 }
2859 /* This is a right node. */
2860 else if (h < hsk) {
2861 /* HDSS, Section 4.5, 2: TREEHASH[h].push(v[h][3])
2862 * Copy right node to tree hash if second right node. */
2863 if ((i >> h) == 3) {
2864 XMEMCPY(bds->treeHashNode + h * n, node, n);
2865 }
2866 }
2867 else {
2868 /* HDSS, Section 4.5, 3: RETAIN[h].push(v[j][2j+3] for
2869 * h = H-K,...,H-2 and j = 2^(H-h-1)-2,...,0.
2870 * Retain high right nodes.
2871 */
2872 word32 ro = (word32)(((word32)1U << (hs - 1 - h)) + h - hs +
2873 (((i >> h) - 3) >> 1));
2874 XMEMCPY(bds->retain + ro * n, node, n);
2875 }
2876
2877 node -= n;
2878 /* Calculate hash of node. */
2879 addr[XMSS_ADDR_TREE_HEIGHT] = h;
2880 addr[XMSS_ADDR_TREE_INDEX] = (word32)(i >> (h + 1));
2881 wc_xmss_rand_hash(state, node, pk_seed, addr, node);
2882
2883 /* Update offset and height. */
2884 o--;
2885 h = ++height[o];
2886 }
2887
2888 *offset = o;
2889 *sp = node;
2890}
2891
2892/* Compute initial Merkle tree and store nodes.
2893 *
2894 * HDSS, Section 4.5, The algorithm, Initialization.
2895 * 1. We store the authentication path for the first leaf (s = 0):
2896 * AUTH[h] = v[h][1], h = 0,...,H-1.
2897 * 2. Depending on the parameter K, we store the next right authentication
2898 * node for each height h = 0,...,H-K-1 in the treehash instances:
2899 * TREEHASH[h].push(v[h][3]).
2900 * 3. Finally we store the right authentication nodes clode to the root using
2901 * the stacks RETAIN[h]:
2902 * RETAIN[h].push(v[j][2j+3] for h = H-K,...,H-2 and j = 2^(H-h-1)-2,...,0.
2903 *
2904 * RFC 8391: 4.1.6, Algorithm 9: treeHash
2905 * if( s % (1 << t) != 0 ) return -1;
2906 * for ( i = 0; i < 2^t; i++ ) {
2907 * SEED = getSEED(SK);
2908 * [Compute node at next index]
2909 * }
2910 * return Stack.pop();
2911 *
2912 * @param [in] state XMSS/MT state including digest and parameters.
2913 * @param [in] bds BDS state.
2914 * @param [in] sk_seed Random secret/private seed.
2915 * @param [in] pk_seed Random public seed.
2916 * @param [in] addr Hash address.
2917 * @param [out] root Root node.
2918 */
2919static void wc_xmss_bds_treehash_initial(XmssState* state, BdsState* bds,
2920 const byte* sk_seed, const byte* pk_seed, const HashAddress addr,
2921 byte* root)
2922{
2923 const XmssParams* params = state->params;
2924 const word8 hsk = (word8)(params->sub_h - params->bds_k);
2925 const word8 n = params->n;
2926 word8* node = state->stack;
2927 HashAddress addrCopy;
2928 word8 height[WC_XMSS_MAX_TREE_HEIGHT + 1];
2929 word8 offset = 0;
2930 word32 maxIdx = (word32)1U << params->sub_h;
2931 word32 i;
2932
2933 /* First signing index will be 0 - setup BDS state. */
2934 bds->offset = 0;
2935 bds->next = 0;
2936 /* Reset the hash tree status. */
2937 if (bds->treeHash != NULL) {
2938 for (i = 0; i < hsk; i++) {
2939 wc_xmss_bds_state_treehash_init(bds, i);
2940 }
2941 }
2942
2943 /* Copy hash address into local. */
2944 XMSS_ADDR_OTS_SET_SUBTREE(addrCopy, addr);
2945
2946 /* Compute each node in tree. */
2947 for (i = 0; i < maxIdx; i++) {
2948 wc_xmss_bds_next_idx(state, bds, sk_seed, pk_seed, addrCopy, i, height,
2949 &offset, &node);
2950 offset++;
2951 node += n;
2952 /* Rest the hash address for reuse. */
2953 addrCopy[XMSS_ADDR_TREE_HEIGHT] = 0;
2954 addrCopy[XMSS_ADDR_TREE_INDEX] = 0;
2955 }
2956
2957 /* Copy the root node. */
2958 XMEMCPY(root, state->stack, n);
2959}
2960
2961/* Update internal nodes of Merkle tree at next index.
2962 *
2963 * RFC 8391: 4.1.6, Algorithm 9: treeHash
2964 * ...
2965 * SEED = getSEED(SK);
2966 * ADRS.setType(0); # Type = OTS hash address
2967 * ADRS.setOTSAddress(s + i);
2968 * pk = WOTS_genPK (getWOTS_SK(SK, s + i), SEED, ADRS);
2969 * ADRS.setType(1); # Type = L-tree address
2970 * ADRS.setLTreeAddress(s + i);
2971 * node = ltree(pk, SEED, ADRS);
2972 * ADRS.setType(2); # Type = hash tree address
2973 * ADRS.setTreeHeight(0);
2974 * ADRS.setTreeIndex(i + s);
2975 * while ( Top node on Stack has same height t' as node ) {
2976 * ADRS.setTreeIndex((ADRS.getTreeIndex() - 1) / 2);
2977 * node = RAND_HASH(Stack.pop(), node, SEED, ADRS);
2978 * ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);
2979 * }
2980 * Stack.push(node);
2981 *
2982 * @param [in] state XMSS/MT state including digest and parameters.
2983 * @param [in, out] bds BDS state.
2984 * @param [in] height Height of nodes to update.
2985 * @param [in] sk_seed Random secret/private seed.
2986 * @param [in] pk_seed Random public seed.
2987 * @param [in] addr Hash address.
2988 */
2989static void wc_xmss_bds_treehash_update(XmssState* state, BdsState* bds,
2990 word8 height, const byte* sk_seed, const byte* pk_seed,
2991 const HashAddress addr)
2992{
2993 const XmssParams* params = state->params;
2994 const word8 n = params->n;
2995 HashAddress addrLocal;
2996 TreeHash treeHash[1];
2997 byte* sp = bds->stack + bds->offset * n;
2998 byte* node = state->stack + WC_XMSS_MAX_STACK_LEN - n;
2999 word8 h;
3000
3001 /* Get the tree hash data. */
3002 wc_xmss_bds_state_treehash_get(bds, height, treeHash);
3003 /* Copy hash address into local as OTS type. */
3004 XMSS_ADDR_OTS_SET_SUBTREE(addrLocal, addr);
3005 /* Calculate WOTS+ public key. */
3006 addrLocal[XMSS_ADDR_OTS] = treeHash->nextIdx;
3007 wc_xmss_wots_gen_pk(state, sk_seed, pk_seed, addrLocal, state->pk);
3008 /* Calculate public value. */
3009 addrLocal[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_LTREE;
3010 wc_xmss_ltree(state, state->pk, pk_seed, addrLocal, node);
3011 addrLocal[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_TREE;
3012 addrLocal[XMSS_ADDR_TREE_ZERO] = 0;
3013
3014 /* Initial height is 0. */
3015 h = 0;
3016
3017 /* Top node on Stack has same height t' as node. */
3018 while ((treeHash->used > 0) && (h == bds->height[bds->offset - 1])) {
3019 sp -= n;
3020 /* Copy from stack to before last calculated node. */
3021 node -= n;
3022 XMEMCPY(node, sp, n);
3023
3024 /* Calculate hash of node. */
3025 addrLocal[XMSS_ADDR_TREE_HEIGHT] = h;
3026 addrLocal[XMSS_ADDR_TREE_INDEX] = treeHash->nextIdx >> (h + 1);
3027 wc_xmss_rand_hash(state, node, pk_seed, addrLocal, node);
3028
3029 /* Update used, offset and height. */
3030 treeHash->used--;
3031 bds->offset--;
3032 h++;
3033 }
3034
3035 /* Check whether we reached the height we wanted to update. */
3036 if (h == height) {
3037 /* Cache node. */
3038 XMEMCPY(bds->treeHashNode + height * n, node, n);
3039 treeHash->completed = 1;
3040 }
3041 else {
3042 /* Push calculated node onto stack. */
3043 XMEMCPY(sp, node, n);
3044 treeHash->used++;
3045 /* Update BDS state. */
3046 bds->height[bds->offset] = h;
3047 bds->offset++;
3048 treeHash->nextIdx++;
3049 }
3050
3051 /* Set the tree hash data back. */
3052 wc_xmss_bds_state_treehash_set(bds, height, treeHash);
3053}
3054
3055/* Updates hash trees that need it most.
3056 *
3057 * Algorithm 4.6: Authentication path computation, Step 5.
3058 *
3059 * @param [in] state XMSS/MT state including digest and parameters.
3060 * @param [in, out] bds BDS state.
3061 * @param [in] updates Current number of updates.
3062 * @param [in] sk_seed Random secret/private seed.
3063 * @param [in] pk_seed Random public seed.
3064 * @param [in] addr Hash address.
3065 * @return Number of available updates.
3066 */
3067static word8 wc_xmss_bds_treehash_updates(XmssState* state, BdsState* bds,
3068 word8 updates, const byte* sk_seed, const byte* pk_seed,
3069 const HashAddress addr)
3070{
3071 const XmssParams* params = state->params;
3072 const word8 hs = params->sub_h;
3073 const word8 hsk = (word8)(params->sub_h - params->bds_k);
3074
3075 if (bds->treeHash == NULL) {
3076 state->ret = WC_FAILURE;
3077 return 0;
3078 }
3079
3080 while (updates > 0) {
3081 word8 minH = hs;
3082 word8 h = hsk;
3083 word8 i;
3084
3085 /* Step 5.a. k <- min{ h: TREEHASH(h).height() =
3086 min[j=0..H-K-1]{TREEHASH(j.height()} } */
3087 for (i = 0; i < hsk; i++) {
3088 TreeHash treeHash[1];
3089
3090 wc_xmss_bds_state_treehash_get(bds, i, treeHash);
3091
3092 if (treeHash->completed) {
3093 /* Finished - ignore. */
3094 }
3095 else if (treeHash->used == 0) {
3096 /* None used, low height. */
3097 if (i < minH) {
3098 h = i;
3099 minH = i;
3100 }
3101 }
3102 /* Find the height of lowest in cache. */
3103 else {
3104 word8 j;
3105 word8 lowH = hs;
3106 byte* height = bds->height + bds->offset - treeHash->used;
3107
3108 for (j = 0; j < treeHash->used; j++) {
3109 lowH = (word8)min(height[j], lowH);
3110 }
3111 if (lowH < minH) {
3112 /* New lowest height. */
3113 h = i;
3114 minH = lowH;
3115 }
3116 }
3117 }
3118 /* If none lower, then stop. */
3119 if (h == hsk) {
3120 break;
3121 }
3122
3123 /* Step 5.b. TREEHASH(k).update() */
3124 /* Update tree to the lowest height. */
3125 wc_xmss_bds_treehash_update(state, bds, h, sk_seed, pk_seed, addr);
3126 updates--;
3127 }
3128 return updates;
3129}
3130
3131/* Update BDS at next leaf.
3132 *
3133 * Don't do anything if processed all leaves.
3134 *
3135 * @param [in] state XMSS/MT state including digest and parameters.
3136 * @param [in, out] bds BDS state.
3137 * @param [in] sk_seed Random secret/private seed.
3138 * @param [in] pk_seed Random public seed.
3139 * @param [in] addr Hash address.
3140 */
3141static void wc_xmss_bds_update(XmssState* state, BdsState* bds,
3142 const byte* sk_seed, const byte* pk_seed, const HashAddress addr)
3143{
3144 if (bds->next < ((word32)1U << state->params->sub_h)) {
3145 const XmssParams* params = state->params;
3146 byte* sp = bds->stack + bds->offset * params->n;
3147 HashAddress addrCopy;
3148
3149 XMSS_ADDR_OTS_SET_SUBTREE(addrCopy, addr);
3150 if (bds->height == NULL) {
3151 state->ret = WC_FAILURE;
3152 return;
3153 }
3154 wc_xmss_bds_next_idx(state, bds, sk_seed, pk_seed, addrCopy, bds->next,
3155 bds->height, &bds->offset, &sp);
3156 bds->offset++;
3157 bds->next++;
3158 }
3159}
3160
3161/* Find index of lowest zero bit.
3162 *
3163 * Supports max up to 31.
3164 *
3165 * @param [in] n Number to evaluate.
3166 * @param [in] max Max number of bits.
3167 * @param [out] b Next bit above first zero bit.
3168 * @return Index of lowest bit that is zero.
3169 */
3170static word8 wc_xmss_lowest_zero_bit_index(word32 n, word8 max, word8* b)
3171{
3172 word8 i;
3173
3174 /* Check each bit from lowest for a zero bit. */
3175 for (i = 0; i < max; i++) {
3176 if ((n & 1) == 0) {
3177 break;
3178 }
3179 n >>= 1;
3180 }
3181
3182 /* Return next bit after 0 bit. */
3183 *b = (n >> 1) & 1;
3184 return i;
3185}
3186
3187/* Returns auth path for node leafIdx and computes for next leaf node.
3188 *
3189 * HDSS, Algorithm 4.6: Authentication path computation, Steps 1-4.
3190 *
3191 * @param [in] state XMSS/MT state including digest and parameters.
3192 * @param [in, out] bds BDS state.
3193 * @param [in] leafIdx Current leaf index.
3194 * @param [in] sk_seed Random secret/private seed.
3195 * @param [in] pk_seed Random public seed.
3196 * @param [in] addr Hash address.
3197 */
3198static void wc_xmss_bds_auth_path(XmssState* state, BdsState* bds,
3199 const word32 leafIdx, const byte* sk_seed, const byte* pk_seed,
3200 HashAddress addr)
3201{
3202 const XmssParams* params = state->params;
3203 const word8 n = params->n;
3204 const word8 hs = params->sub_h;
3205 const word8 hsk = (word8)(params->sub_h - params->bds_k);
3206 word8 tau;
3207 byte* node = state->encMsg;
3208 word8 parent;
3209
3210 if ((bds->keep == NULL) || (bds->authPath == NULL)) {
3211 state->ret = WC_FAILURE;
3212 return;
3213 }
3214
3215 /* Step 1. Find the height of first left node in authentication path. */
3216 tau = wc_xmss_lowest_zero_bit_index(leafIdx, hs, &parent);
3217 if (tau == 0) {
3218 /* Step 2. Keep node if parent is a left node.
3219 * if s/(2^tau+1) is even and tau < H-1 then KEEP[tau] <- AUTH[tau]
3220 */
3221 if (parent == 0) {
3222 XMEMCPY(bds->keep, bds->authPath, n);
3223 }
3224
3225 /* Step 3. if tau = 0 then AUTH[0] <- LEAFCALC(s) */
3226 /* Calculate WOTS+ public key. */
3227 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_OTS;
3228 addr[XMSS_ADDR_OTS] = leafIdx;
3229 wc_xmss_wots_gen_pk(state, sk_seed, pk_seed, addr, state->pk);
3230 /* Calculate public value. */
3231 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_LTREE;
3232 wc_xmss_ltree(state, state->pk, pk_seed, addr, bds->authPath);
3233 }
3234 else {
3235 byte* authPath;
3236 byte* nodes;
3237 word8 i;
3238
3239 authPath = bds->authPath + tau * n;
3240 /* Step 4.a. <node> = AUTH[tau-1] || KEEP[tau-1]
3241 * Only keeping half of nodes, so need to copy out before updating.
3242 */
3243 XMEMCPY(node, authPath - n, n);
3244 XMEMCPY(node + n, bds->keep + ((tau - 1) >> 1) * n, n);
3245
3246 /* Step 2. Keep node if parent is a left node.
3247 * if s/(2^tau+1) is even and tau < H-1 then KEEP[tau] <- AUTH[tau]
3248 */
3249 if ((tau < hs - 1) && (parent == 0)) {
3250 XMEMCPY(bds->keep + (tau >> 1) * n, authPath, n);
3251 }
3252
3253 /* Step 4.a. AUTH[tau] <- g(<node>) */
3254 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_TREE;
3255 addr[XMSS_ADDR_TREE_ZERO] = 0;
3256 addr[XMSS_ADDR_TREE_HEIGHT] = (word32)(tau - 1);
3257 addr[XMSS_ADDR_TREE_INDEX] = leafIdx >> tau;
3258 wc_xmss_rand_hash(state, node, pk_seed, addr, authPath);
3259
3260 /* Step 4.b. <Calculate new right nodes on lower heights> */
3261 authPath = bds->authPath;
3262 nodes = bds->treeHashNode;
3263 /* for h = 0 to tau - 1 do */
3264 for (i = 0; i < tau; i++) {
3265 /* if h < H - K then AUTH[h] <- TREEHASH[h].pop()*/
3266 if (i < hsk) {
3267 XMEMCPY(authPath, nodes, n);
3268 nodes += n;
3269 }
3270 /* if h >= H - K then AUTH[h] <- RETAIN[h].pop()*/
3271 else {
3272 word32 o = (word32)(((word32)1U << (hs - 1 - i)) + i - hs +
3273 (((leafIdx >> i) - 1) >> 1));
3274 XMEMCPY(authPath, bds->retain + o * n, n);
3275 }
3276 authPath += n;
3277 }
3278
3279 /* Step 4.c. Initialize treehash instances for heights:
3280 * 0, ..., min{tau-1, H - K - 1} */
3281 tau = (word8)min(tau, hsk);
3282 for (i = 0; i < tau; i++) {
3283 word32 startIdx = leafIdx + 1U + 3U * ((word32)1U << i);
3284 if (startIdx < ((word32)1U << hs)) {
3285 wc_xmss_bds_state_treehash_set_next_idx(bds, i, startIdx);
3286 }
3287 }
3288 }
3289}
3290
3291/********************************************
3292 * XMSS
3293 ********************************************/
3294
3295/* Derives XMSS key pair from seeds.
3296 *
3297 * RFC 8391: 4.1.7, Algorithm 10: XMSS_keyGen.
3298 * ...
3299 * initialize SK_PRF with a uniformly random n-byte string;
3300 * setSK_PRF(SK, SK_PRF);
3301 *
3302 * # Initialization for common contents
3303 * initialize SEED with a uniformly random n-byte string;
3304 * setSEED(SK, SEED);
3305 * setWOTS_SK(SK, wots_sk));
3306 * ADRS = toByte(0, 32);
3307 * root = treeHash(SK, 0, h, ADRS);
3308 *
3309 * SK = idx || wots_sk || SK_PRF || root || SEED;
3310 * PK = OID || root || SEED;
3311 * return (SK || PK);
3312 *
3313 * HDSS, Section 4.5, The algorithm, Initialization.
3314 *
3315 * wots_sk, SK_PRF and SEED passed in as seed.
3316 * Store seed for wots_sk instead of generated wots_sk.
3317 * OID not stored in PK this is handled in upper layer.
3318 * BDS state is appended to SK:
3319 * SK = idx || wots_sk || SK_PRF || root || SEED || BDS_STATE;
3320 *
3321 * @param [in] state XMSS/MT state including digest and parameters.
3322 * @param [in] seed Secret/Private and public seed.
3323 * @param [out] sk Secret key.
3324 * @param [out] pk Public key.
3325 * @return 0 on success.
3326 * @return MEMORY_E on dynamic memory allocation failure.
3327 * @return <0 on digest failure.
3328 */
3329int wc_xmss_keygen(XmssState* state, const unsigned char* seed,
3330 unsigned char* sk, unsigned char* pk)
3331{
3332#if WOLFSSL_XMSS_MIN_HEIGHT <= 32
3333 int ret = 0;
3334 const XmssParams* params = state->params;
3335 const word8 n = params->n;
3336 /* Offset of root node in public key. */
3337 byte* pk_root = pk;
3338 WC_DECLARE_VAR(bds, BdsState, 1, 0);
3339
3340#ifdef WOLFSSL_SMALL_STACK
3341 /* Allocate memory for tree hash instances and put in BDS state. */
3342 ret = wc_xmss_bds_state_alloc(params, &bds, state->heap);
3343 if (ret == 0)
3344#endif
3345 {
3346 /* Setup pointers into sk - assumes sk is initialized to zeros. */
3347 ret = wc_xmss_bds_state_load(state, sk, bds, NULL);
3348 }
3349 if (ret == 0) {
3350 /* Offsets into seed. */
3351 const byte* seed_priv = seed;
3352 const byte* seed_pub = seed + 2 * n;
3353 /* Offsets into secret/private key. */
3354 word32* sk_idx = (word32*)sk;
3355 byte* sk_seeds = sk + params->idx_len;
3356 /* Offsets into public key. */
3357 byte* pk_seed = pk + n;
3358
3359 /* Set first index to 0 in private key. idx_len always 4. */
3360 *sk_idx = 0;
3361 /* Set private key seed and private key for PRF in to private key. */
3362 XMEMCPY(sk_seeds, seed_priv, 2U * n);
3363 /* Set public key seed into public key. */
3364 XMEMCPY(pk_seed, seed_pub, n);
3365
3366 /* Set all address values to zero. */
3367 XMEMSET(state->addr, 0, sizeof(HashAddress));
3368 /* Hash address layer is 0. */
3369 /* Compute root node into public key. */
3370 wc_xmss_bds_treehash_initial(state, bds, sk_seeds, pk_seed,
3371 state->addr, pk_root);
3372 /* Return any errors that occurred during hashing. */
3373 ret = state->ret;
3374 }
3375 if (ret == 0) {
3376 /* Offset of root node in private key. */
3377 byte* sk_root = sk + params->idx_len + 2 * n;
3378
3379 /* Append public key (root node and public seed) to private key. */
3380 XMEMCPY(sk_root, pk_root, 2U * n);
3381
3382 /* Store BDS state back into secret/private key. */
3383 ret = wc_xmss_bds_state_store(state, sk, bds);
3384 }
3385
3386#ifdef WOLFSSL_SMALL_STACK
3387 /* Dispose of allocated data of BDS states. */
3388 wc_xmss_bds_state_free(bds, state->heap);
3389#endif
3390 return ret;
3391#else
3392 (void)state;
3393 (void)pk;
3394 (void)sk;
3395 (void)seed;
3396
3397 return NOT_COMPILED_IN;
3398#endif /* WOLFSSL_XMSS_MIN_HEIGHT <= 32 */
3399}
3400
3401/* Sign a message with XMSS.
3402 *
3403 * RFC 8391: 4.1.9, Algorithm 11: treeSig
3404 * ...
3405 * ADRS.setType(0); # Type = OTS hash address
3406 * ADRS.setOTSAddress(idx_sig);
3407 * sig_ots = WOTS_sign(getWOTS_SK(SK, idx_sig),
3408 * M', getSEED(SK), ADRS);
3409 * Sig = sig_ots || auth;
3410 * return Sig;
3411 * RFC 8391: 4.1.9, Algorithm 12: XMSS_sign
3412 * idx_sig = getIdx(SK);
3413 * setIdx(SK, idx_sig + 1);
3414 * ADRS = toByte(0, 32);
3415 * byte[n] r = PRF(getSK_PRF(SK), toByte(idx_sig, 32));
3416 * byte[n] M' = H_msg(r || getRoot(SK) || (toByte(idx_sig, n)), M);
3417 * Sig = idx_sig || r || treeSig(M', SK, idx_sig, ADRS);
3418 * return (SK || Sig);
3419 *
3420 * HDSS, Section 4.5, The algorithm, Update and output phase.
3421 *
3422 * 'auth' was built at key generation or after computing previous signature.
3423 * Build next authentication path after signature created.
3424 *
3425 * @param [in] state XMSS/MT state including digest and parameters.
3426 * @param [in] m Buffer holding message.
3427 * @param [in] mlen Length of message in buffer.
3428 * @param [in, out] sk Secret/Private key.
3429 * @param [out] sm Signature and message data.
3430 * @param [in, out] smlen On in, length of signature and message buffer.
3431 * On out, length of signature and message data.
3432 * @return 0 on success.
3433 * @return <0 on digest failure.
3434 */
3435int wc_xmss_sign(XmssState* state, const unsigned char* m, word32 mlen,
3436 unsigned char* sk, unsigned char* sig)
3437{
3438#if WOLFSSL_XMSS_MIN_HEIGHT <= 32
3439 int ret = 0;
3440 const XmssParams* params = state->params;
3441 const word8 n = params->n;
3442 const word8 h = params->h;
3443 const word8 hk = (word8)(params->h - params->bds_k);
3444 const byte* sk_seed = sk + XMSS_IDX_LEN;
3445 const byte* pk_seed = sk + XMSS_IDX_LEN + 3 * n;
3446 byte node[WC_XMSS_MAX_N];
3447 word32 idx;
3448 byte* sig_r = sig + XMSS_IDX_LEN;
3449 WC_DECLARE_VAR(bds, BdsState, 1, 0);
3450
3451#ifdef WOLFSSL_SMALL_STACK
3452 /* Allocate memory for tree hash instances and put in BDS state. */
3453 ret = wc_xmss_bds_state_alloc(params, &bds, state->heap);
3454 if (ret == 0)
3455#endif
3456 {
3457 /* Load the BDS state from secret/private key. */
3458 ret = wc_xmss_bds_state_load(state, sk, bds, NULL);
3459 }
3460 if (ret == 0) {
3461 /* Copy the index into the signature data: Sig = idx_sig || ... */
3462 *((word32*)sig) = *((word32*)sk);
3463 /* Read index from the secret key. */
3464 ato32(sk, &idx);
3465
3466 /* Check index is valid. */
3467 if (IDX32_INVALID(idx, XMSS_IDX_LEN, h)) {
3468 /* Set index to maximum value to distinguish from valid value. */
3469 XMEMSET(sk, 0xFF, XMSS_IDX_LEN);
3470 /* Zeroize the secret key. */
3471 ForceZero(sk + XMSS_IDX_LEN, params->sk_len - XMSS_IDX_LEN);
3472 ret = KEY_EXHAUSTED_E;
3473 }
3474 }
3475
3476 /* Update SK_MT */
3477 if (ret == 0) {
3478 /* Increment the index in the secret key. */
3479 c32toa(idx + 1, sk);
3480 }
3481
3482 /* Message compression */
3483 if (ret == 0) {
3484 const byte* sk_prf = sk + XMSS_IDX_LEN + n;
3485
3486 /* byte[n] r = PRF(SK_PRF, toByte(idx_sig, 32)); */
3487 wc_idx_copy(sig, params->idx_len, state->buf, XMSS_PRF_M_LEN);
3488 wc_xmss_prf(state, sk_prf, state->buf, sig_r);
3489 ret = state->ret;
3490 }
3491 if (ret == 0) {
3492 const byte* pub_root = sk + XMSS_IDX_LEN + 2 * n;
3493
3494 /* Compute the message hash. */
3495 wc_xmss_hash_message(state, sig_r, pub_root, sig, XMSS_IDX_LEN, m, mlen,
3496 node);
3497 ret = state->ret;
3498 /* Place new signature data after index and 'r'. */
3499 sig += XMSS_IDX_LEN + n;
3500 }
3501
3502 if (ret == 0) {
3503 /* Set all address values to zero and set type to OTS. */
3504 XMEMSET(state->addr, 0, sizeof(HashAddress));
3505 state->addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_OTS;
3506 /* treeSig || treeHash = sig_ots || auth */
3507 state->addr[XMSS_ADDR_OTS] = idx;
3508 /* Create WOTS+ signature for tree into signature (sig_ots). */
3509 wc_xmss_wots_sign(state, node, sk_seed, pk_seed, state->addr, sig);
3510 ret = state->ret;
3511 }
3512 if (ret == 0) {
3513 sig += params->wots_sig_len;
3514 /* Add authentication path (auth) and calc new root. */
3515 XMEMCPY(sig, bds->authPath, (word32)h * n);
3516 ret = state->ret;
3517 }
3518
3519 if (ret == 0) {
3520 /* Update BDS state - update authentication path for next index. */
3521 /* Check not last node. */
3522 if (idx < ((word32)1U << h) - 1U) {
3523 /* Calculate next authentication path node. */
3524 wc_xmss_bds_auth_path(state, bds, idx, sk_seed, pk_seed,
3525 state->addr);
3526 ret = state->ret;
3527 if (ret == 0) {
3528 /* Algorithm 4.6: Step 5. */
3529 wc_xmss_bds_treehash_updates(state, bds, hk >> 1, sk_seed,
3530 pk_seed, state->addr);
3531 ret = state->ret;
3532 }
3533 }
3534 }
3535 if (ret == 0) {
3536 /* Store BDS state back into secret/private key. */
3537 ret = wc_xmss_bds_state_store(state, sk, bds);
3538 }
3539
3540#ifdef WOLFSSL_SMALL_STACK
3541 /* Dispose of allocated data of BDS states. */
3542 wc_xmss_bds_state_free(bds, state->heap);
3543#endif
3544 return ret;
3545#else
3546 (void)state;
3547 (void)m;
3548 (void)mlen;
3549 (void)sk;
3550 (void)sig;
3551
3552 return NOT_COMPILED_IN;
3553#endif /* WOLFSSL_XMSS_MIN_HEIGHT <= 32 */
3554}
3555
3556/********************************************
3557 * XMSS^MT
3558 ********************************************/
3559
3560/* Generate a XMSS^MT key pair from seeds.
3561 *
3562 * RFC 8391: 4.2.2, Algorithm 15: XMSS^MT_keyGen.
3563 * ...
3564 * # Example initialization
3565 * idx_MT = 0;
3566 * setIdx(SK_MT, idx_MT);
3567 * initialize SK_PRF with a uniformly random n-byte string;
3568 * setSK_PRF(SK_MT, SK_PRF);
3569 * initialize SEED with a uniformly random n-byte string;
3570 * setSEED(SK_MT, SEED);
3571 *
3572 * # Generate reduced XMSS private keys
3573 * ADRS = toByte(0, 32);
3574 * for ( layer = 0; layer < d; layer++ ) {
3575 * ADRS.setLayerAddress(layer);
3576 * for ( tree = 0; tree <
3577 * (1 << ((d - 1 - layer) * (h / d)));
3578 * tree++ ) {
3579 * ADRS.setTreeAddress(tree);
3580 * for ( i = 0; i < 2^(h / d); i++ ) {
3581 * wots_sk[i] = WOTS_genSK();
3582 * }
3583 * setXMSS_SK(SK_MT, wots_sk, tree, layer);
3584 * }
3585 * }
3586 *
3587 * SK = getXMSS_SK(SK_MT, 0, d - 1);
3588 * setSEED(SK, SEED);
3589 * root = treeHash(SK, 0, h / d, ADRS);
3590 * setRoot(SK_MT, root);
3591 *
3592 * PK_MT = OID || root || SEED;
3593 * return (SK_MT || PK_MT);
3594 *
3595 * HDSS, Section 4.5, The algorithm, Initialization.
3596 * OPX, Section 2, Key Generation.
3597 *
3598 * wots_sk, SK_PRF and SEED passed in as seed.
3599 * Store seed for wots_sk instead of generated wots_sk.
3600 * OID not stored in PK this is handled in upper layer.
3601 * BDS state is appended to SK:
3602 * SK = idx || wots_sk || SK_PRF || root || SEED || BDS_STATE;
3603 *
3604 * @param [in] state XMSS/MT state including digest and parameters.
3605 * @param [in] seed Secret/Private and public seed.
3606 * @param [out] sk Secret key.
3607 * @param [out] pk Public key.
3608 * @return 0 on success.
3609 * @return MEMORY_E on dynamic memory allocation failure.
3610 * @return <0 on digest failure.
3611 */
3612int wc_xmssmt_keygen(XmssState* state, const unsigned char* seed,
3613 unsigned char* sk, unsigned char* pk)
3614{
3615 int ret = 0;
3616 const XmssParams* params = state->params;
3617 const word8 n = params->n;
3618 unsigned char* sk_seed = sk + params->idx_len;
3619 unsigned char* pk_root = pk;
3620 unsigned char* pk_seed = pk + n;
3621 word8 i;
3622 byte* wots_sigs;
3623 BdsState* bds = NULL;
3624
3625 /* Allocate memory for BDS states and tree hash instances. */
3626 ret = wc_xmss_bds_state_alloc(params, &bds, state->heap);
3627 if (ret == 0) {
3628 /* Load the BDS state from secret/private key. */
3629 ret = wc_xmss_bds_state_load(state, sk, bds, &wots_sigs);
3630 }
3631 if (ret == 0) {
3632 /* Offsets into seed. */
3633 const byte* seed_priv = seed;
3634 const byte* seed_pub = seed + 2 * params->n;
3635
3636 /* Set first index to 0 in private key. */
3637 XMEMSET(sk, 0, params->idx_len);
3638 /* Set private key seed and private key for PRF in to private key. */
3639 XMEMCPY(sk_seed, seed_priv, 2U * n);
3640 /* Set public key seed into public key. */
3641 XMEMCPY(pk_seed, seed_pub, n);
3642
3643 /* Set all address values to zero. */
3644 XMEMSET(state->addr, 0, sizeof(HashAddress));
3645 /* Hash address layer is 0 = bottom-most layer. */
3646 }
3647
3648 /* Setup state and compute WOTS+ signatures for all but top-most subtree. */
3649 for (i = 0; (ret == 0) && (i < params->d - 1); i++) {
3650 /* Compute root for subtree. */
3651 wc_xmss_bds_treehash_initial(state, bds + i, sk_seed, pk_seed,
3652 state->addr, pk_root);
3653 ret = state->ret;
3654 if (ret == 0) {
3655 /* Create signature for subtree for first index. */
3656 state->addr[XMSS_ADDR_LAYER] = (word32)(i + 1);
3657 wc_xmss_wots_sign(state, pk_root, sk_seed, pk_seed, state->addr,
3658 wots_sigs + i * params->wots_sig_len);
3659 ret = state->ret;
3660 }
3661 }
3662 if (ret == 0) {
3663 /* Compute root for top-most subtree. */
3664 wc_xmss_bds_treehash_initial(state, bds + i, sk_seed, pk_seed,
3665 state->addr, pk_root);
3666 /* Return any errors that occurred during hashing. */
3667 ret = state->ret;
3668 }
3669
3670 if (ret == 0) {
3671 /* Offset of root node in private key. */
3672 unsigned char* sk_root = sk_seed + 2 * n;
3673
3674 /* Append public key (root node and public seed) to private key. */
3675 XMEMCPY(sk_root, pk_root, 2U * n);
3676
3677 /* Store BDS state back into secret/private key. */
3678 ret = wc_xmss_bds_state_store(state, sk, bds);
3679 }
3680
3681 /* Dispose of allocated data of BDS states. */
3682 wc_xmss_bds_state_free(bds, state->heap);
3683 return ret;
3684}
3685
3686
3687#if !defined(WORD64_AVAILABLE) && (WOLFSSL_XMSS_MAX_HEIGHT > 32)
3688 #error "Support not available - use XMSS small code option"
3689#endif
3690
3691#if (WOLFSSL_XMSS_MAX_HEIGHT > 32)
3692 typedef word64 XmssIdx;
3693 #define IDX_MAX_BITS 64
3694#else
3695 typedef word32 XmssIdx;
3696 #define IDX_MAX_BITS 32
3697#endif
3698
3699/* Decode index into word.
3700 *
3701 * @param [out] idx Index from encoding.
3702 * @param [in] c Count of bytes to decode to index.
3703 * @param [in] a Array to decode from.
3704 */
3705static void xmss_idx_decode(XmssIdx* idx, word8 c, const unsigned char* a)
3706{
3707 word8 i;
3708 XmssIdx n = 0;
3709
3710 for (i = 0; i < c; i++) {
3711 n <<= 8;
3712 n += a[i];
3713 }
3714
3715 *idx = n;
3716}
3717
3718/* Check whether index is valid.
3719 *
3720 * @param [in] i Index to check.
3721 * @param [in] h Full tree Height.
3722 */
3723static int xmss_idx_invalid(XmssIdx i, word8 h)
3724{
3725 return ((i + 1) >> h) != 0;
3726}
3727
3728/* Get tree and leaf index from index.
3729 *
3730 * @param [in] i Index to split.
3731 * @param [in] h Tree height.
3732 * @param [out] t Tree index.
3733 * @param [out] l Leaf index.
3734 */
3735static void xmss_idx_get_tree_leaf(XmssIdx i, word8 h, XmssIdx* t, word32* l)
3736{
3737 *l = (word32)i & (((word32)1U << h) - 1U);
3738 *t = i >> h;
3739}
3740
3741/* Set the index into address as the tree index.
3742 *
3743 * @param [in] i Tree index.
3744 * @param [in, out] a Hash address.
3745 */
3746static void xmss_idx_set_addr_tree(XmssIdx i, HashAddress a)
3747{
3748#if IDX_MAX_BITS == 32
3749 a[XMSS_ADDR_TREE_HI] = 0;
3750 a[XMSS_ADDR_TREE] = i;
3751#else
3752 a[XMSS_ADDR_TREE_HI] = (word32)(i >> 32);
3753 a[XMSS_ADDR_TREE] = (word32)(i );
3754#endif
3755}
3756
3757/* Sign message with XMSS^MT.
3758 *
3759 * RFC 8391: 4.1.9, Algorithm 11: treeSig
3760 * ...
3761 * ADRS.setType(0); # Type = OTS hash address
3762 * ADRS.setOTSAddress(idx_sig);
3763 * sig_ots = WOTS_sign(getWOTS_SK(SK, idx_sig),
3764 * M', getSEED(SK), ADRS);
3765 * Sig = sig_ots || auth;
3766 * return Sig;
3767 * RFC 8391: 4.2.4, Algorithm 16: XMSS^MT_sign.
3768 * ...
3769 * # Init
3770 * ADRS = toByte(0, 32);
3771 * SEED = getSEED(SK_MT);
3772 * SK_PRF = getSK_PRF(SK_MT);
3773 * idx_sig = getIdx(SK_MT);
3774 *
3775 * # Update SK_MT
3776 * setIdx(SK_MT, idx_sig + 1);
3777 *
3778 * # Message compression
3779 * byte[n] r = PRF(SK_PRF, toByte(idx_sig, 32));
3780 * byte[n] M' = H_msg(r || getRoot(SK_MT) || (toByte(idx_sig, n)), M);
3781 *
3782 * # Sign
3783 * Sig_MT = idx_sig;
3784 * unsigned int idx_tree
3785 * = (h - h / d) most significant bits of idx_sig;
3786 * unsigned int idx_leaf = (h / d) least significant bits of idx_sig;
3787 * SK = idx_leaf || getXMSS_SK(SK_MT, idx_tree, 0) || SK_PRF
3788 * || toByte(0, n) || SEED;
3789 * ADRS.setLayerAddress(0);
3790 * ADRS.setTreeAddress(idx_tree);
3791 * Sig_tmp = treeSig(M', SK, idx_leaf, ADRS);
3792 * Sig_MT = Sig_MT || r || Sig_tmp;
3793 * for ( j = 1; j < d; j++ ) {
3794 * root = treeHash(SK, 0, h / d, ADRS);
3795 * idx_leaf = (h / d) least significant bits of idx_tree;
3796 * idx_tree = (h - j * (h / d)) most significant bits of idx_tree;
3797 * SK = idx_leaf || getXMSS_SK(SK_MT, idx_tree, j) || SK_PRF
3798 * || toByte(0, n) || SEED;
3799 * ADRS.setLayerAddress(j);
3800 * ADRS.setTreeAddress(idx_tree);
3801 * Sig_tmp = treeSig(root, SK, idx_leaf, ADRS);
3802 * Sig_MT = Sig_MT || Sig_tmp;
3803 * }
3804 * return SK_MT || Sig_MT;
3805 *
3806 * 'auth' was built at key generation or after computing previous signature.
3807 *
3808 * @param [in] state XMSS/MT state including digest and parameters.
3809 * @param [in, out] bds BDS state.
3810 * @param [in] idx Index to sign with.
3811 * @param [in] wots_sigs Pre-computed WOTS+ signatures.
3812 * @param [in] m Buffer holding message.
3813 * @param [in] mlen Length of message in buffer.
3814 * @param [in, out] sk Secret/Private key.
3815 * @param [out] sig Signature and message data.
3816 * @return 0 on success.
3817 * @return <0 on digest failure.
3818 */
3819static int wc_xmssmt_sign_msg(XmssState* state, BdsState* bds, XmssIdx idx,
3820 byte* wots_sigs, const unsigned char* m, word32 mlen, unsigned char* sk,
3821 unsigned char* sig)
3822{
3823 int ret;
3824 const XmssParams* params = state->params;
3825 const word8 n = params->n;
3826 const word8 hs = params->sub_h;
3827 const word8 idx_len = params->idx_len;
3828 const byte* sk_prf = sk + idx_len + n;
3829 byte* sig_mt = sig;
3830 byte* sig_r = sig + idx_len;
3831 byte node[WC_XMSS_MAX_N];
3832
3833 /* Message compression */
3834 /* byte[n] r = PRF(SK_PRF, toByte(idx_sig, 32)); */
3835 wc_idx_copy(sig_mt, idx_len, state->buf, XMSS_PRF_M_LEN);
3836 wc_xmss_prf(state, sk_prf, state->buf, sig_r);
3837 ret = state->ret;
3838 if (ret == 0) {
3839 const byte* pub_root = sk + idx_len + 2 * n;
3840 /* byte[n] M' = H_msg(r || getRoot(SK_MT) || (toByte(idx_sig, n)), M);
3841 */
3842 wc_xmss_hash_message(state, sig_r, pub_root, sig, idx_len, m, mlen,
3843 node);
3844 ret = state->ret;
3845 /* Place new signature data after index and 'r'. */
3846 sig += idx_len + n;
3847 }
3848
3849 /* Sign */
3850 if (ret == 0) {
3851 const byte* sk_seed = sk + idx_len;
3852 const byte* pk_seed = sk + idx_len + 3 * n;
3853 XmssIdx idx_tree;
3854 word32 idx_leaf;
3855
3856 /* Set all address values to zero and set type to OTS. */
3857 XMEMSET(state->addr, 0, sizeof(HashAddress));
3858 state->addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_OTS;
3859
3860 /* Fist iteration - calculate signature. */
3861 /* Set layer, tree and OTS leaf index into hash address. */
3862 state->addr[XMSS_ADDR_LAYER] = 0;
3863 xmss_idx_get_tree_leaf(idx, hs, &idx_tree, &idx_leaf);
3864 xmss_idx_set_addr_tree(idx_tree, state->addr);
3865 /* treeSig || treeHash = sig_ots || auth */
3866 state->addr[XMSS_ADDR_OTS] = idx_leaf;
3867 /* Create WOTS+ signature for tree into signature (sig_ots). */
3868 wc_xmss_wots_sign(state, node, sk_seed, pk_seed, state->addr, sig);
3869 ret = state->ret;
3870 }
3871 if (ret == 0) {
3872 word8 i;
3873 byte *authPath;
3874
3875 sig += params->wots_sig_len;
3876 /* Add authentication path. */
3877 authPath = bds[BDS_IDX(idx, 0, hs, params->d)].authPath;
3878 if (authPath == NULL) {
3879 state->ret = WC_FAILURE;
3880 return state->ret;
3881 }
3882 XMEMCPY(sig, authPath, (word32)hs * n);
3883 sig += hs * n;
3884
3885 /* Remaining iterations from storage. */
3886 for (i = 1; i < params->d; i++) {
3887 /* Copy out precomputed signature into signature (sig_ots). */
3888 XMEMCPY(sig, wots_sigs + (i - 1) * params->wots_sig_len,
3889 params->wots_sig_len);
3890 sig += params->wots_sig_len;
3891 /* Add authentication path (auth) and calc new root. */
3892 authPath = bds[BDS_IDX(idx, i, hs, params->d)].authPath;
3893 if (authPath == NULL) {
3894 state->ret = WC_FAILURE;
3895 return state->ret;
3896 }
3897 XMEMCPY(sig, authPath, (word32)hs * n);
3898 sig += hs * n;
3899 }
3900 ret = state->ret;
3901 }
3902
3903 return ret;
3904}
3905
3906/* Compute BDS state for signing next index.
3907 *
3908 * HDSS, Section 4.5, The algorithm, Update and output phase.
3909 * OPX, Section 2, Signature Generation. Para 2 and 3.
3910 *
3911 * @param [in] state XMSS/MT state including digest and parameters.
3912 * @param [in, out] bds BDS state.
3913 * @param [in] idx Index to sign with.
3914 * @param [in] wots_sigs Pre-computed WOTS+ signatures.
3915 * @param [in] m Buffer holding message.
3916 * @param [in] mlen Length of message in buffer.
3917 * @param [in, out] sk Secret/Private key.
3918 * @param [out] sig Signature and message data.
3919 * @return 0 on success.
3920 * @return <0 on digest failure.
3921 */
3922static int wc_xmssmt_sign_next_idx(XmssState* state, BdsState* bds, XmssIdx idx,
3923 byte* wots_sigs, unsigned char* sk)
3924{
3925 int ret = 0;
3926 const XmssParams* params = state->params;
3927 const word8 n = params->n;
3928 const word8 h = params->h;
3929 const word8 hs = params->sub_h;
3930 const word8 hsk = (word8)(params->sub_h - params->bds_k);
3931 const byte* sk_seed = sk + params->idx_len;
3932 const byte* pk_seed = sk + params->idx_len + 3 * n;
3933 XmssIdx idx_tree;
3934 int computeAuthPath = 1;
3935 unsigned int updates;
3936 word8 i;
3937
3938 /* Update BDS state - update authentication path for next index. */
3939 /* HDSS, Algorithm 4.6, Step 5: repeat (H - K) / 2 times. */
3940 updates = hsk >> 1;
3941
3942 idx_tree = (idx >> hs) + 1;
3943 /* Check whether last tree. */
3944 if (idx_tree < ((XmssIdx)1 << (h - hs))) {
3945 /* Set hash address to next tree. */
3946 state->addr[XMSS_ADDR_LAYER] = 0;
3947 xmss_idx_set_addr_tree(idx_tree, state->addr);
3948 /* Update BDS state. */
3949 wc_xmss_bds_update(state, &bds[BDS_ALT_IDX(idx, 0, hs, params->d)],
3950 sk_seed, pk_seed, state->addr);
3951 ret = state->ret;
3952 }
3953
3954 for (i = 0; (ret == 0) && (i < params->d); i++) {
3955 word32 idx_leaf;
3956 word8 bds_i = BDS_IDX(idx, i, hs, params->d);
3957 word8 alt_i = BDS_ALT_IDX(idx, i, hs, params->d);
3958
3959 /* Check not last at height. */
3960 if (((idx + 1) << (IDX_MAX_BITS - ((i + 1) * hs))) != 0) {
3961 state->addr[XMSS_ADDR_LAYER] = i;
3962 xmss_idx_get_tree_leaf(idx >> (hs * i), hs, &idx_tree, &idx_leaf);
3963 xmss_idx_set_addr_tree(idx_tree, state->addr);
3964 idx_tree++;
3965
3966 if (computeAuthPath) {
3967 /* Compute authentication path for tree. */
3968 wc_xmss_bds_auth_path(state, &bds[bds_i], idx_leaf, sk_seed,
3969 pk_seed, state->addr);
3970 ret = state->ret;
3971 computeAuthPath = 0;
3972 }
3973
3974 if (ret == 0) {
3975 /* HDSS, Algorithm 4.6: Step 5. */
3976 updates = wc_xmss_bds_treehash_updates(state, &bds[bds_i],
3977 (word8)updates, sk_seed, pk_seed, state->addr);
3978 ret = state->ret;
3979 }
3980
3981 /* Check tree not first, updates to do, tree not last at height and
3982 * next leaf in alt state is not last. */
3983 if ((ret == 0) && (i > 0) && (updates > 0) &&
3984 (idx_tree < ((XmssIdx)1 << (h - (hs * (i + 1))))) &&
3985 (bds[alt_i].next < ((XmssIdx)1 << h))) {
3986 xmss_idx_set_addr_tree(idx_tree, state->addr);
3987 /* Update alternative BDS state. */
3988 wc_xmss_bds_update(state, &bds[alt_i], sk_seed, pk_seed,
3989 state->addr);
3990 ret = state->ret;
3991 updates--;
3992 }
3993 }
3994 /* Last at height. */
3995 else {
3996 /* Set layer, tree and OTS leaf index into hash address. */
3997 state->addr[XMSS_ADDR_LAYER] = (word32)(i + 1);
3998 idx_tree = (idx + 1) >> ((i + 1) * hs);
3999 xmss_idx_get_tree_leaf(idx_tree, hs, &idx_tree, &idx_leaf);
4000 xmss_idx_set_addr_tree(idx_tree, state->addr);
4001 /* Cache WOTS+ signature for new tree. */
4002 state->addr[XMSS_ADDR_OTS] = idx_leaf;
4003 wc_xmss_wots_sign(state, bds[alt_i].stack, sk_seed, pk_seed,
4004 state->addr, wots_sigs + i * params->wots_sig_len);
4005 ret = state->ret;
4006
4007 if (ret == 0) {
4008 word8 d;
4009
4010 /* Reset old BDS state. */
4011 bds[bds_i].offset = 0;
4012 bds[bds_i].next = 0;
4013
4014 /* Done an update. */
4015 updates--;
4016 /* Need to compute authentication path in next tree up. */
4017 computeAuthPath = 1;
4018 /* Mark the tree hashes as complete in new BDS state. */
4019 for (d = 0; d < hsk; d++) {
4020 wc_xmss_bds_state_treehash_complete(&bds[alt_i], d);
4021 }
4022 }
4023 }
4024 }
4025
4026 return ret;
4027}
4028
4029/* Sign a message with XMSS^MT and update BDS state for signing next index.
4030 *
4031 * RFC 8391: 4.2.4, Algorithm 16: XMSS^MT_sign.
4032 * HDSS, Section 4.5, The algorithm, Update and output phase.
4033 *
4034 * @param [in] state XMSS/MT state including digest and parameters.
4035 * @param [in] m Buffer holding message.
4036 * @param [in] mlen Length of message in buffer.
4037 * @param [in, out] sk Secret/Private key.
4038 * @param [out] sig Signature and message data.
4039 * @return 0 on success.
4040 * @return MEMORY_E on dynamic memory allocation failure.
4041 * @return <0 on digest failure.
4042 */
4043int wc_xmssmt_sign(XmssState* state, const unsigned char* m, word32 mlen,
4044 unsigned char* sk, unsigned char* sig)
4045{
4046 int ret = 0;
4047 const XmssParams* params = state->params;
4048 const word8 h = params->h;
4049 const word8 idx_len = params->idx_len;
4050 XmssIdx idx = 0;
4051 byte* sig_mt = sig;
4052 byte* wots_sigs;
4053 BdsState* bds = NULL;
4054
4055 /* Allocate memory for BDS states and tree hash instances. */
4056 ret = wc_xmss_bds_state_alloc(params, &bds, state->heap);
4057 if (ret == 0) {
4058 /* Load the BDS state from secret/private key. */
4059 ret = wc_xmss_bds_state_load(state, sk, bds, &wots_sigs);
4060 }
4061 if (ret == 0) {
4062 /* Copy the index into the signature data: Sig_MT = idx_sig. */
4063 XMEMCPY(sig_mt, sk, idx_len);
4064
4065 /* Read index from the secret key. */
4066 xmss_idx_decode(&idx, idx_len, sk);
4067 }
4068 if ((ret == 0) && xmss_idx_invalid(idx, h)) {
4069 /* Set index to maximum value to distinguish from valid value. */
4070 XMEMSET(sk, 0xFF, idx_len);
4071 /* Zeroize the secret key. */
4072 ForceZero(sk + idx_len, params->sk_len - idx_len);
4073 ret = KEY_EXHAUSTED_E;
4074 }
4075
4076 if (ret == 0) {
4077 /* Increment the index in the secret key. */
4078 wc_idx_update(sk, idx_len);
4079
4080 /* Compute signature. */
4081 ret = wc_xmssmt_sign_msg(state, bds, idx, wots_sigs, m, mlen, sk, sig);
4082 }
4083
4084 /* Only update if not last index. */
4085 if ((ret == 0) && (idx < (((XmssIdx)1 << h) - 1))) {
4086 /* Update BDS state for signing next index. */
4087 ret = wc_xmssmt_sign_next_idx(state, bds, idx, wots_sigs, sk);
4088 }
4089
4090 if (ret == 0) {
4091 /* Store BDS state back into secret/private key. */
4092 ret = wc_xmss_bds_state_store(state, sk, bds);
4093 }
4094
4095 /* Dispose of allocated data of BDS states. */
4096 wc_xmss_bds_state_free(bds, state->heap);
4097 return ret;
4098}
4099
4100#endif /* WOLFSSL_WC_XMSS_SMALL */
4101
4102/* Check if more signatures are possible with secret/private key.
4103 *
4104 * @param [in] params XMSS parameters
4105 * @param [in] sk Secret/private key.
4106 * @return 1 when signatures possible.
4107 * @return 0 when key exhausted.
4108 */
4109
4110int wc_xmss_sigsleft(const XmssParams* params, unsigned char* sk)
4111{
4112 int ret = 0;
4113 wc_Idx idx;
4114
4115 WC_IDX_ZERO(idx);
4116 /* Read index from the secret key. */
4117 WC_IDX_DECODE(idx, params->idx_len, sk, ret);
4118 /* Check validity of index. */
4119 if ((ret == 0) && (WC_IDX_INVALID(idx, params->idx_len, params->h))) {
4120 ret = KEY_EXHAUSTED_E;
4121 }
4122
4123 return ret == 0;
4124}
4125#endif /* !WOLFSSL_XMSS_VERIFY_ONLY */
4126
4127/********************************************
4128 * SIGN OPEN - Verify
4129 ********************************************/
4130
4131#if !defined(WOLFSSL_WC_XMSS_SMALL) || defined(WOLFSSL_XMSS_VERIFY_ONLY)
4132/* Compute root node with leaf and authentication path.
4133 *
4134 * RFC 8391: 4.1.10, Algorithm 13: XMSS_rootFromSig
4135 * ...
4136 * for ( k = 0; k < h; k++ ) {
4137 * ADRS.setTreeHeight(k);
4138 * if ( (floor(idx_sig / (2^k)) % 2) == 0 ) {
4139 * ADRS.setTreeIndex(ADRS.getTreeIndex() / 2);
4140 * node[1] = RAND_HASH(node[0], auth[k], SEED, ADRS);
4141 * } else {
4142 * ADRS.setTreeIndex((ADRS.getTreeIndex() - 1) / 2);
4143 * node[1] = RAND_HASH(auth[k], node[0], SEED, ADRS);
4144 * }
4145 * node[0] = node[1];
4146 * }
4147 * return node[0];
4148 *
4149 * @param [in] state XMSS/MT state including digest and parameters.
4150 * @param [in] idx_leaf Index of leaf node.
4151 * @param [in] auth_path Authentication path.
4152 * @param [in] pk_seed Random public seed.
4153 * @param [in] addr Hash address.
4154 * @param [in, out] root On in, leaf node. On out, root node.
4155 */
4156static void wc_xmss_compute_root(XmssState* state, word32 idx_leaf,
4157 const byte* auth_path, const byte* pk_seed, HashAddress addr, byte* root)
4158{
4159 const XmssParams* params = state->params;
4160 const word8 n = params->n;
4161 const byte* b[2][2] = { { root, auth_path }, { auth_path, root } };
4162 word8 i;
4163
4164 for (i = 0; i < params->sub_h; i++) {
4165 /* Get which side the leaf is on. */
4166 word8 s = idx_leaf & 1;
4167 /* Set tree height and index. */
4168 addr[XMSS_ADDR_TREE_HEIGHT] = i;
4169 idx_leaf >>= 1;
4170 addr[XMSS_ADDR_TREE_INDEX] = idx_leaf;
4171
4172 /* Put the result into buffer position for next RAND_HASH. */
4173 wc_xmss_rand_hash_lr(state, b[s][0], b[s][1], pk_seed, addr, root);
4174 /* Move to next auth path node. */
4175 b[0][1] += n;
4176 b[1][0] += n;
4177 }
4178}
4179#else
4180/* Compute root node with leaf and authentication path.
4181 *
4182 * RFC 8391: 4.1.10, Algorithm 13: XMSS_rootFromSig
4183 * ...
4184 * for ( k = 0; k < h; k++ ) {
4185 * ADRS.setTreeHeight(k);
4186 * if ( (floor(idx_sig / (2^k)) % 2) == 0 ) {
4187 * ADRS.setTreeIndex(ADRS.getTreeIndex() / 2);
4188 * node[1] = RAND_HASH(node[0], auth[k], SEED, ADRS);
4189 * } else {
4190 * ADRS.setTreeIndex((ADRS.getTreeIndex() - 1) / 2);
4191 * node[1] = RAND_HASH(auth[k], node[0], SEED, ADRS);
4192 * }
4193 * node[0] = node[1];
4194 * }
4195 * return node[0];
4196 *
4197 * @param [in] state XMSS/MT state including digest and parameters.
4198 * @param [in] idx_leaf Index of leaf node.
4199 * @param [in] auth_path Authentication path.
4200 * @param [in] pk_seed Random public seed.
4201 * @param [in] addr Hash address.
4202 * @param [in, out] node On in, leaf node. On out, root node.
4203 */
4204static void wc_xmss_compute_root(XmssState* state, word32 idx_leaf,
4205 const byte* auth_path, const byte* pk_seed, HashAddress addr, byte* node)
4206{
4207 const XmssParams* params = state->params;
4208 const word8 n = params->n;
4209 byte buffer[2 * WC_XMSS_MAX_N];
4210 byte* b[2][2] = { { buffer, buffer + n }, { buffer + n, buffer } };
4211 word8 i;
4212
4213 /* Setup buffer for first RAND_HASH. */
4214 XMEMCPY(b[idx_leaf & 1][0], node, n);
4215 XMEMCPY(b[idx_leaf & 1][1], auth_path, n);
4216 auth_path += n;
4217
4218 for (i = 0; i < params->sub_h - 1; i++) {
4219 /* Set tree height and index. */
4220 addr[XMSS_ADDR_TREE_HEIGHT] = i;
4221 idx_leaf >>= 1;
4222 addr[XMSS_ADDR_TREE_INDEX] = idx_leaf;
4223
4224 /* Put the result into buffer position for next RAND_HASH. */
4225 wc_xmss_rand_hash(state, buffer, pk_seed, addr, b[idx_leaf & 1][0]);
4226 /* Put auth path node into other half of buffer. */
4227 XMEMCPY(b[idx_leaf & 1][1], auth_path, n);
4228 /* Move to next auth path node. */
4229 auth_path += n;
4230 }
4231
4232 addr[XMSS_ADDR_TREE_HEIGHT] = i;
4233 idx_leaf >>= 1;
4234 addr[XMSS_ADDR_TREE_INDEX] = idx_leaf;
4235 /* Last iteration into output node. */
4236 wc_xmss_rand_hash(state, buffer, pk_seed, addr, node);
4237}
4238#endif /* !WOLFSSL_WC_XMSS_SMALL || WOLFSSL_XMSS_VERIFY_ONLY */
4239
4240/* Compute a root node from a tree signature.
4241 *
4242 * RFC 8391: 4.1.10, Algorithm 13: XMSS_rootFromSig
4243 * ADRS.setType(0); # Type = OTS hash address
4244 * ADRS.setOTSAddress(idx_sig);
4245 * pk_ots = WOTS_pkFromSig(sig_ots, M', SEED, ADRS);
4246 * ADRS.setType(1); # Type = L-tree address
4247 * ADRS.setLTreeAddress(idx_sig);
4248 * byte[n][2] node;
4249 * node[0] = ltree(pk_ots, SEED, ADRS);
4250 * ADRS.setType(2); # Type = hash tree address
4251 * ADRS.setTreeIndex(idx_sig);
4252 * [Compute root with leaf and authentication path]
4253 *
4254 * Computing the root from the leaf and authentication path can be implemented
4255 * in different ways and is therefore extracted to its own function.
4256 *
4257 * @param [in] state XMSS/MT state including digest and parameters.
4258 * @param [in] pk_seed Random public seed.
4259 * @param [in] sig WOTS+ signature for this tree.
4260 * @param [in] idx_sig Index of signature leaf in this tree.
4261 * @param [in, out] addr Hash address.
4262 * @param [in, out] node On in, previous root node.
4263 * On out, root node of this subtree.
4264 */
4265static void wc_xmss_root_from_sig(XmssState* state, const byte* pk_seed,
4266 const byte* sig, word32 idx_sig, HashAddress addr, byte* node)
4267{
4268 const XmssParams* params = state->params;
4269 byte* wots_pk = state->pk;
4270 const byte* auth_path = sig + params->wots_sig_len;
4271
4272 /* Compute WOTS+ public key value from signature. */
4273 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_OTS;
4274 addr[XMSS_ADDR_OTS] = idx_sig;
4275 wc_xmss_wots_pk_from_sig(state, sig, node, pk_seed, addr, wots_pk);
4276
4277 /* Compute leaves of L-tree from WOTS+ public key. */
4278 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_LTREE;
4279 /* XMSS_ADDR_LTREE is same as XMSS_ADDR_OTS in index and value. */
4280 wc_xmss_ltree(state, wots_pk, pk_seed, addr, node);
4281
4282 /* Compute root node from leaf and authentication path. */
4283 addr[XMSS_ADDR_TYPE] = WC_XMSS_ADDR_TYPE_TREE;
4284 addr[XMSS_ADDR_TREE_ZERO] = 0;
4285 wc_xmss_compute_root(state, idx_sig, auth_path, pk_seed, addr, node);
4286}
4287
4288/* Verify message with signature using XMSS/MT.
4289 *
4290 * RFC 8391: 4.2.5, Algorithm 17: XMSSMT_verify
4291 * idx_sig = getIdx(Sig_MT);
4292 * SEED = getSEED(PK_MT);
4293 * ADRS = toByte(0, 32);
4294 *
4295 * byte[n] M' = H_msg(getR(Sig_MT) || getRoot(PK_MT)
4296 * || (toByte(idx_sig, n)), M);
4297 *
4298 * unsigned int idx_leaf
4299 * = (h / d) least significant bits of idx_sig;
4300 * unsigned int idx_tree
4301 * = (h - h / d) most significant bits of idx_sig;
4302 * Sig' = getXMSSSignature(Sig_MT, 0);
4303 * ADRS.setLayerAddress(0);
4304 * ADRS.setTreeAddress(idx_tree);
4305 * byte[n] node = XMSS_rootFromSig(idx_leaf, getSig_ots(Sig'),
4306 * getAuth(Sig'), M', SEED, ADRS);
4307 * for ( j = 1; j < d; j++ ) {
4308 * idx_leaf = (h / d) least significant bits of idx_tree;
4309 * idx_tree = (h - j * h / d) most significant bits of idx_tree;
4310 * Sig' = getXMSSSignature(Sig_MT, j);
4311 * ADRS.setLayerAddress(j);
4312 * ADRS.setTreeAddress(idx_tree);
4313 * node = XMSS_rootFromSig(idx_leaf, getSig_ots(Sig'),
4314 * getAuth(Sig'), node, SEED, ADRS);
4315 * }
4316 * if ( node == getRoot(PK_MT) ) {
4317 * return true;
4318 * } else {
4319 * return false;
4320 * }
4321 *
4322 * @param [in] state XMSS/MT state including digest and parameters.
4323 * @param [in] m Message buffer.
4324 * @param [in] mlen Length of message in bytes.
4325 * @param [in] sig Buffer holding signature.
4326 * @param [in] pk Public key.
4327 * @return 0 on success.
4328 * @return MEMORY_E on dynamic memory allocation failure.
4329 * @return SIG_VERIFY_E on verification failure.
4330 * @return <0 on digest failure.
4331 */
4332int wc_xmssmt_verify(XmssState* state, const unsigned char* m, word32 mlen,
4333 const unsigned char* sig, const unsigned char* pk)
4334{
4335 const XmssParams* params = state->params;
4336 const word8 n = params->n;
4337 int ret = 0;
4338 const byte* pub_root = pk;
4339 const byte* pk_seed = pk + n;
4340 byte node[WC_XMSS_MAX_N];
4341 wc_Idx idx;
4342 word32 idx_leaf = 0;
4343 unsigned int i;
4344
4345 /* Set 32/64-bit index to 0. */
4346 WC_IDX_ZERO(idx);
4347 /* Set all address values to zero. */
4348 XMEMSET(state->addr, 0, sizeof(HashAddress));
4349
4350 if (ret == 0) {
4351 /* Convert the index bytes from the signature to an integer. */
4352 WC_IDX_DECODE(idx, params->idx_len, sig, ret);
4353 }
4354
4355 if (ret == 0) {
4356 const byte* sig_r = sig + params->idx_len;
4357 /* byte[n] M' = H_msg(getR(Sig_MT) || getRoot(PK_MT) ||
4358 * (toByte(idx_sig, n)), M);
4359 */
4360 wc_xmss_hash_message(state, sig_r, pub_root, sig, params->idx_len, m,
4361 mlen, node);
4362 ret = state->ret;
4363 }
4364
4365 if (ret == 0) {
4366 /* Set tree of hash address. */
4367 WC_IDX_SET_ADDR_TREE(idx, params->idx_len, params->sub_h, state->addr,
4368 idx_leaf);
4369
4370 /* Skip to first WOTS+ signature and derive root. */
4371 sig += params->idx_len + n;
4372 wc_xmss_root_from_sig(state, pk_seed, sig, idx_leaf, state->addr,
4373 node);
4374 ret = state->ret;
4375 }
4376 /* Calculate root of remaining subtrees up to top. */
4377 for (i = 1; (ret == 0) && (i < params->d); i++) {
4378 /* Set layer and tree. */
4379 state->addr[XMSS_ADDR_LAYER] = i;
4380 WC_IDX_SET_ADDR_TREE(idx, params->idx_len, params->sub_h, state->addr,
4381 idx_leaf);
4382 /* Skip to next WOTS+ signature and derive root. */
4383 sig += params->wots_sig_len + params->sub_h * n;
4384 wc_xmss_root_from_sig(state, pk_seed, sig, idx_leaf, state->addr,
4385 node);
4386 ret = state->ret;
4387 }
4388 /* Compare calculated node with public key root. */
4389 if ((ret == 0) && (XMEMCMP(node, pub_root, n) != 0)) {
4390 ret = SIG_VERIFY_E;
4391 }
4392
4393 return ret;
4394}
4395#endif /* WOLFSSL_HAVE_XMSS */
4396