diff options
-rw-r--r-- | Makefile | 6 | ||||
-rw-r--r-- | asn1.c | 183 | ||||
-rw-r--r-- | asn1_internal.h | 15 | ||||
-rw-r--r-- | ecdsa.c | 1 | ||||
-rw-r--r-- | hal.h | 20 | ||||
-rw-r--r-- | hal_internal.h | 35 | ||||
-rw-r--r-- | hash.c | 2 | ||||
-rw-r--r-- | hashsig.c | 2122 | ||||
-rw-r--r-- | hashsig.h | 118 | ||||
-rw-r--r-- | ks.c | 16 | ||||
-rw-r--r-- | ks.h | 4 | ||||
-rw-r--r-- | ks_volatile.c | 8 | ||||
-rw-r--r-- | locks.c | 5 | ||||
-rw-r--r-- | pbkdf2.c | 2 | ||||
-rw-r--r-- | rpc_api.c | 23 | ||||
-rw-r--r-- | rpc_client.c | 144 | ||||
-rw-r--r-- | rpc_pkey.c | 206 | ||||
-rw-r--r-- | rpc_server.c | 529 | ||||
-rw-r--r-- | tests/Makefile | 4 | ||||
-rw-r--r-- | tests/test-hashsig.h | 925 | ||||
-rw-r--r-- | tests/test-rpc_hashsig.c | 594 | ||||
-rw-r--r-- | tests/test-xdr.c | 111 | ||||
-rw-r--r-- | xdr.c | 222 | ||||
-rw-r--r-- | xdr_internal.h | 44 |
24 files changed, 4792 insertions, 547 deletions
@@ -34,7 +34,7 @@ STATIC_CORE_STATE_BLOCKS = 32 STATIC_HASH_STATE_BLOCKS = 32 STATIC_HMAC_STATE_BLOCKS = 16 STATIC_PKEY_STATE_BLOCKS = 256 -STATIC_KS_VOLATILE_SLOTS = 128 +STATIC_KS_VOLATILE_SLOTS = 1280 LIB = libhal.a @@ -93,7 +93,7 @@ endif # makefile, so the working definition of "always want" is sometimes # just "building this is harmless even if we don't use it." -OBJ += errorstrings.o hash.o asn1.o ecdsa.o rsa.o xdr.o slip.o +OBJ += errorstrings.o hash.o asn1.o ecdsa.o rsa.o hashsig.o xdr.o slip.o OBJ += rpc_api.o rpc_hash.o uuid.o rpc_pkcs1.o crc32.o locks.o logging.o # Object files to build when we're on a platform with direct access @@ -220,6 +220,7 @@ CFLAGS += -DHAL_STATIC_CORE_STATE_BLOCKS=${STATIC_CORE_STATE_BLOCKS} CFLAGS += -DHAL_STATIC_HASH_STATE_BLOCKS=${STATIC_HASH_STATE_BLOCKS} CFLAGS += -DHAL_STATIC_HMAC_STATE_BLOCKS=${STATIC_HMAC_STATE_BLOCKS} CFLAGS += -DHAL_STATIC_PKEY_STATE_BLOCKS=${STATIC_PKEY_STATE_BLOCKS} +CFLAGS += -DHAL_STATIC_KS_VOLATILE_SLOTS=${STATIC_KS_VOLATILE_SLOTS} CFLAGS += -I${CRYPTECH_ROOT}/sw/libhal CFLAGS += -I${LIBTFM_BLD} @@ -272,6 +273,7 @@ novena-eim.o hal_io_eim.o: novena-eim.h slip.o rpc_client_serial.o rpc_server_serial.o: slip_internal.h ${OBJ}: verilog_constants.h rpc_client.o rpc_server.o xdr.o: xdr_internal.h +hashsig.o: hashsig.h last_gasp_pin_internal.h: ./utils/last_gasp_default_pin >$@ @@ -60,12 +60,36 @@ * Algorithm OIDs used in SPKI and PKCS #8. */ +/* + * From RFC 5480 New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX) + * + * rsaEncryption OBJECT IDENTIFIER ::= { + * iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1) + * pkcs-1(1) 1 } + */ const uint8_t hal_asn1_oid_rsaEncryption[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01 }; const size_t hal_asn1_oid_rsaEncryption_len = sizeof(hal_asn1_oid_rsaEncryption); +/* + * From RFC 5480 Elliptic Curve Cryptography Subject Public Key Information + * + * id-ecPublicKey OBJECT IDENTIFIER ::= { + * iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } + */ const uint8_t hal_asn1_oid_ecPublicKey[] = { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01 }; const size_t hal_asn1_oid_ecPublicKey_len = sizeof(hal_asn1_oid_ecPublicKey); +/* + * From RFC 5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm + * + * aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) + * us(840) organization(1) gov(101) csor(3) + * nistAlgorithm(4) 1 } + * + * id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 } + * + * id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 } + */ #if KEK_LENGTH == (bitsToBytes(128)) const uint8_t hal_asn1_oid_aesKeyWrap[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x08 }; const size_t hal_asn1_oid_aesKeyWrap_len = sizeof(hal_asn1_oid_aesKeyWrap); @@ -77,6 +101,15 @@ const size_t hal_asn1_oid_aesKeyWrap_len = sizeof(hal_asn1_oid_aesKeyWrap); #endif /* + * From draft-housley-cms-mts-hash-sig Use of the Hash-based Merkle Tree Signature (MTS) Algorithm in the Cryptographic Message Syntax (CMS) + * + * id-alg-mts-hashsig OBJECT IDENTIFIER ::= { iso(1) member-body(2) + * us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) alg(3) 17 } + */ +const uint8_t hal_asn1_oid_mts_hashsig[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x10, 0x03, 0x11 }; +const size_t hal_asn1_oid_mts_hashsig_len = sizeof(hal_asn1_oid_mts_hashsig); + +/* * Encode tag and length fields of an ASN.1 object. * * Sets *der_len to the size of of the ASN.1 header (tag and length @@ -174,6 +207,88 @@ hal_error_t hal_asn1_encode_integer(const fp_int * const bn, } /* + * Encode an unsigned ASN.1 INTEGER from a uint32_t. If der is + * NULL, just return the length of what we would have encoded. + */ + +hal_error_t hal_asn1_encode_uint32(const uint32_t n, + uint8_t *der, size_t *der_len, const size_t der_max) +{ + /* + * We only handle unsigned INTEGERs, so we need to pad data with a + * leading zero if the most significant bit is set, to avoid + * flipping the ASN.1 sign bit. + */ + + size_t vlen; + hal_error_t err; + size_t hlen; + + /* DER says to use the minimum number of octets */ + if (n < 0x80) vlen = 1; + else if (n < 0x8000) vlen = 2; + else if (n < 0x800000) vlen = 3; + else if (n < 0x80000000) vlen = 4; + else vlen = 5; + + err = hal_asn1_encode_header(ASN1_INTEGER, vlen, der, &hlen, der_max); + + if (der_len != NULL) + *der_len = hlen + vlen; + + if (der == NULL || err != HAL_OK) + return err; + + hal_assert(hlen + vlen <= der_max); + + der += hlen; + + uint32_t m = n; + for (size_t i = vlen; i > 0; --i) { + der[i - 1] = m & 0xff; + m >>= 8; + } + + return HAL_OK; +} + +/* + * Encode an ASN.1 OCTET STRING. If der is NULL, just return the length + * of what we would have encoded. + */ + +hal_error_t hal_asn1_encode_octet_string(const uint8_t * const data, const size_t data_len, + uint8_t *der, size_t *der_len, const size_t der_max) +{ + if (data_len == 0 || (der != NULL && data == NULL)) + return HAL_ERROR_BAD_ARGUMENTS; + + size_t hlen; + hal_error_t err; + + if ((err = hal_asn1_encode_header(ASN1_OCTET_STRING, data_len, NULL, &hlen, 0)) != HAL_OK) + return err; + + if (der_len != NULL) + *der_len = hlen + data_len; + + if (der == NULL) + return HAL_OK; + + hal_assert(hlen + data_len <= der_max); + + /* + * Handle data early, in case it was staged into our output buffer. + */ + memmove(der + hlen, data, data_len); + + if ((err = hal_asn1_encode_header(ASN1_OCTET_STRING, data_len, der, &hlen, der_max)) != HAL_OK) + return err; + + return HAL_OK; +} + +/* * Encode a public key into a X.509 SubjectPublicKeyInfo (RFC 5280). */ @@ -483,6 +598,68 @@ hal_error_t hal_asn1_decode_integer(fp_int *bn, } /* + * Decode an ASN.1 INTEGER into a uint32_t. Since we only + * support (or need to support, or expect to see) unsigned integers, + * we return failure if the sign bit is set in the ASN.1 INTEGER. + */ + +hal_error_t hal_asn1_decode_uint32(uint32_t *np, + const uint8_t * const der, size_t *der_len, const size_t der_max) +{ + if (np == NULL || der == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + hal_error_t err; + size_t hlen, vlen; + + if ((err = hal_asn1_decode_header(ASN1_INTEGER, der, der_max, &hlen, &vlen)) != HAL_OK) + return err; + + if (der_len != NULL) + *der_len = hlen + vlen; + + if (vlen < 1 || vlen > 5 || (der[hlen] & 0x80) != 0x00 || (vlen == 5 && der[hlen] != 0)) + return HAL_ERROR_ASN1_PARSE_FAILED; + + uint32_t n = 0; + for (size_t i = 0; i < vlen; ++i) { + n <<= 8; // slightly inefficient for the first octet + n += der[hlen + i]; + } + *np = n; + + return HAL_OK; +} + +/* + * Decode an ASN.1 OCTET STRING. + */ + +hal_error_t hal_asn1_decode_octet_string(uint8_t *data, const size_t data_len, + const uint8_t * const der, size_t *der_len, const size_t der_max) +{ + if (der == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + size_t hlen, vlen; + hal_error_t err; + + if ((err = hal_asn1_decode_header(ASN1_OCTET_STRING, der, der_max, &hlen, &vlen)) != HAL_OK) + return err; + + if (der_len != NULL) + *der_len = hlen + vlen; + + if (data != NULL) { + if (data_len != vlen) + return HAL_ERROR_ASN1_PARSE_FAILED; + memmove(data, der + hlen, vlen); + } + + return HAL_OK; +} + +/* * Decode a public key from a X.509 SubjectPublicKeyInfo (RFC 5280). */ @@ -787,6 +964,12 @@ hal_error_t hal_asn1_guess_key_type(hal_key_type_t *type, return err; } + if (alg_oid_len == hal_asn1_oid_mts_hashsig_len && memcmp(alg_oid, hal_asn1_oid_mts_hashsig, alg_oid_len) == 0) { + *type = public ? HAL_KEY_TYPE_HASHSIG_PUBLIC : HAL_KEY_TYPE_HASHSIG_PRIVATE; + *curve = HAL_CURVE_NONE; + return HAL_OK; + } + *type = HAL_KEY_TYPE_NONE; *curve = HAL_CURVE_NONE; return HAL_ERROR_UNSUPPORTED_KEY; diff --git a/asn1_internal.h b/asn1_internal.h index 3de8bd6..23d8a77 100644 --- a/asn1_internal.h +++ b/asn1_internal.h @@ -102,6 +102,9 @@ extern const size_t hal_asn1_oid_ecPublicKey_len; extern const uint8_t hal_asn1_oid_aesKeyWrap[]; extern const size_t hal_asn1_oid_aesKeyWrap_len; +extern const uint8_t hal_asn1_oid_mts_hashsig[]; +extern const size_t hal_asn1_oid_mts_hashsig_len; + /* * Transcoding functions. */ @@ -117,9 +120,21 @@ extern hal_error_t hal_asn1_decode_header(const uint8_t tag, extern hal_error_t hal_asn1_encode_integer(const fp_int * const bn, uint8_t *der, size_t *der_len, const size_t der_max); +extern hal_error_t hal_asn1_encode_uint32(const uint32_t n, + uint8_t *der, size_t *der_len, const size_t der_max); + +extern hal_error_t hal_asn1_encode_octet_string(const uint8_t * const data, const size_t data_len, + uint8_t *der, size_t *der_len, const size_t der_max); + extern hal_error_t hal_asn1_decode_integer(fp_int *bn, const uint8_t * const der, size_t *der_len, const size_t der_max); +extern hal_error_t hal_asn1_decode_uint32(uint32_t *np, + const uint8_t * const der, size_t *der_len, const size_t der_max); + +extern hal_error_t hal_asn1_decode_octet_string(uint8_t *data, const size_t data_len, + const uint8_t * const der, size_t *der_len, const size_t der_max); + extern hal_error_t hal_asn1_encode_spki(const uint8_t * const alg_oid, const size_t alg_oid_len, const uint8_t * const curve_oid, const size_t curve_oid_len, const uint8_t * const pubkey, const size_t pubkey_len, @@ -711,6 +711,7 @@ static hal_error_t point_scalar_multiply(const fp_int * const k, point_double (M[1], M[1], curve); point_add (M[bit], P, M[bit], curve); + hal_task_yield_maybe(); } /* @@ -163,6 +163,8 @@ DEFINE_HAL_ERROR(HAL_ERROR_NOT_IMPLEMENTED, "Not implemented") \ DEFINE_HAL_ERROR(HAL_ERROR_CORE_REASSIGNED, "Core has been reassigned since last use") \ DEFINE_HAL_ERROR(HAL_ERROR_ASSERTION_FAILED, "Assertion failed") \ + DEFINE_HAL_ERROR(HAL_ERROR_HASHSIG_KEY_EXHAUSTED, "Key exhausted") \ + DEFINE_HAL_ERROR(HAL_ERROR_NOT_READY, "Not ready for this operation") \ END_OF_HAL_ERROR_LIST /* Marker to forestall silly line continuation errors */ @@ -428,7 +430,11 @@ typedef enum { HAL_KEY_TYPE_RSA_PRIVATE, HAL_KEY_TYPE_RSA_PUBLIC, HAL_KEY_TYPE_EC_PRIVATE, - HAL_KEY_TYPE_EC_PUBLIC + HAL_KEY_TYPE_EC_PUBLIC, + HAL_KEY_TYPE_HASHSIG_PRIVATE, + HAL_KEY_TYPE_HASHSIG_PUBLIC, + HAL_KEY_TYPE_HASHSIG_LMS, + HAL_KEY_TYPE_HASHSIG_LMOTS, } hal_key_type_t; typedef enum { @@ -809,6 +815,18 @@ extern hal_error_t hal_rpc_pkey_generate_ec(const hal_client_handle_t client, const hal_curve_name_t curve, const hal_key_flags_t flags); +typedef enum lmots_algorithm_type lmots_algorithm_t; +typedef enum lms_algorithm_type lms_algorithm_t; + +extern hal_error_t hal_rpc_pkey_generate_hashsig(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + hal_uuid_t *name, + const size_t hss_levels, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type, + const hal_key_flags_t flags); + extern hal_error_t hal_rpc_pkey_close(const hal_pkey_handle_t pkey); extern hal_error_t hal_rpc_pkey_delete(const hal_pkey_handle_t pkey); diff --git a/hal_internal.h b/hal_internal.h index 742b67b..94546c3 100644 --- a/hal_internal.h +++ b/hal_internal.h @@ -61,7 +61,7 @@ } while (0) /* - * htonl is not available in arm-none-eabi headers or libc. + * htonl and htons are not available in arm-none-eabi headers or libc. */ #ifndef STM32F4XX #include <arpa/inet.h> @@ -75,10 +75,18 @@ inline uint32_t htonl(uint32_t w) ((w & 0x00ff0000) >> 8) + ((w & 0xff000000) >> 24); } +inline uint16_t htons(uint16_t w) +{ + return + ((w & 0x00ff) << 8) + + ((w & 0xff00) >> 8); +} #else /* big endian */ #define htonl(x) (x) +#define htons(x) (x) #endif #define ntohl htonl +#define ntohs htons #endif /* @@ -130,17 +138,17 @@ static inline hal_error_t hal_io_wait_valid2(const hal_core_t *core1, const hal_ /* * Static memory allocation on start-up. Don't use this except where - * really necessary. By design, there's no way to free this, we don't - * want to have to manage a heap. Intent is just to allow allocation - * things like the large-ish ks_index arrays used by ks_flash.c from a - * memory source external to the executable image file (eg, from the - * secondary SDRAM chip on the Cryptech Alpha board). + * really necessary. Intent is just to allow allocation of things like + * the large-ish ks_index arrays used by ks_flash.c from a memory source + * external to the executable image file (eg, from the secondary SDRAM + * chip on the Cryptech Alpha board). * * We shouldn't need this except on the HSM, so for now we don't bother * with implementing a version of this based on malloc() or sbrk(). */ extern void *hal_allocate_static_memory(const size_t size); +extern hal_error_t hal_free_static_memory(const void * const ptr); /* * Longest hash block and digest we support at the moment. @@ -160,6 +168,7 @@ extern void hal_ks_unlock(void); extern void hal_rsa_bf_lock(void); extern void hal_rsa_bf_unlock(void); extern void hal_task_yield(void); +extern void hal_task_yield_maybe(void); /* * Thread sleep. Currently used only for bad-PIN delays. @@ -296,6 +305,15 @@ typedef struct { const hal_curve_name_t curve, const hal_key_flags_t flags); + hal_error_t (*generate_hashsig)(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + hal_uuid_t *name, + const size_t hss_levels, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type, + const hal_key_flags_t flags); + hal_error_t (*close)(const hal_pkey_handle_t pkey); hal_error_t (*delete)(const hal_pkey_handle_t pkey); @@ -643,9 +661,10 @@ typedef enum { RPC_FUNC_PKEY_GET_ATTRIBUTES, RPC_FUNC_PKEY_EXPORT, RPC_FUNC_PKEY_IMPORT, + RPC_FUNC_PKEY_GENERATE_HASHSIG, } rpc_func_num_t; -#define RPC_VERSION 0x01010000 /* 1.1.0.0 */ +#define RPC_VERSION 0x01010100 /* 1.1.1.0 */ /* * RPC client locality. These have to be defines rather than an enum, @@ -662,7 +681,7 @@ typedef enum { */ #ifndef HAL_RPC_MAX_PKT_SIZE -#define HAL_RPC_MAX_PKT_SIZE 4096 +#define HAL_RPC_MAX_PKT_SIZE 16384 #endif /* @@ -447,7 +447,7 @@ hal_error_t hal_hash_initialize(hal_core_t *core, hal_core_free(core); /* A dynamically allocated core that can't restore state isn't going to work. */ - if (!state->descriptor->can_restore_state && (flags & STATE_FLAG_FREE_CORE) != 0) + if (!descriptor->can_restore_state && (flags & STATE_FLAG_FREE_CORE) != 0) return HAL_ERROR_BAD_ARGUMENTS; if (state_buffer == NULL && (state = alloc_static_hash_state()) == NULL) diff --git a/hashsig.c b/hashsig.c new file mode 100644 index 0000000..4060818 --- /dev/null +++ b/hashsig.c @@ -0,0 +1,2122 @@ +/* + * hashsig.c + * --------- + * Implementation of draft-mcgrew-hash-sigs-10.txt + * + * Copyright (c) 2018, NORDUnet A/S All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * - Neither the name of the NORDUnet nor the names of its contributors may + * be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "hal.h" +#include "hashsig.h" +#include "ks.h" +#include "asn1_internal.h" +#include "xdr_internal.h" + +typedef struct { uint8_t bytes[32]; } bytestring32; +typedef struct { uint8_t bytes[16]; } bytestring16; + +#define D_PBLC 0x8080 +#define D_MESG 0x8181 +#define D_LEAF 0x8282 +#define D_INTR 0x8383 + +#define u32str(X) htonl(X) +#define u16str(X) htons(X) +#define u8str(X) (X & 0xff) + +#define check(op) do { hal_error_t _err = (op); if (_err != HAL_OK) return _err; } while (0) + +/* ---------------------------------------------------------------- */ + +/* + * XDR extensions + */ + +static inline hal_error_t hal_xdr_encode_bytestring32(uint8_t ** const outbuf, const uint8_t * const limit, const bytestring32 * const value) +{ + return hal_xdr_encode_fixed_opaque(outbuf, limit, (const uint8_t *)value, sizeof(bytestring32)); +} + +static inline hal_error_t hal_xdr_decode_bytestring32_ptr(const uint8_t ** const inbuf, const uint8_t * const limit, bytestring32 **value) +{ + return hal_xdr_decode_fixed_opaque_ptr(inbuf, limit, (const uint8_t ** const)value, sizeof(bytestring32)); +} + +static inline hal_error_t hal_xdr_decode_bytestring32(const uint8_t ** const inbuf, const uint8_t * const limit, bytestring32 * const value) +{ + return hal_xdr_decode_fixed_opaque(inbuf, limit, (uint8_t * const)value, sizeof(bytestring32)); +} + +static inline hal_error_t hal_xdr_encode_bytestring16(uint8_t ** const outbuf, const uint8_t * const limit, const bytestring16 *value) +{ + return hal_xdr_encode_fixed_opaque(outbuf, limit, (const uint8_t *)value, sizeof(bytestring16)); +} + +static inline hal_error_t hal_xdr_decode_bytestring16_ptr(const uint8_t ** const inbuf, const uint8_t * const limit, bytestring16 **value) +{ + return hal_xdr_decode_fixed_opaque_ptr(inbuf, limit, (const uint8_t ** const)value, sizeof(bytestring16)); +} + +static inline hal_error_t hal_xdr_decode_bytestring16(const uint8_t ** const inbuf, const uint8_t * const limit, bytestring16 * const value) +{ + return hal_xdr_decode_fixed_opaque(inbuf, limit, (uint8_t * const)value, sizeof(bytestring16)); +} + +/* ---------------------------------------------------------------- */ + +/* + * ASN.1 extensions + */ + +static inline hal_error_t hal_asn1_encode_size_t(const size_t n, uint8_t *der, size_t *der_len, const size_t der_max) +{ + return hal_asn1_encode_uint32((const uint32_t)n, der, der_len, der_max); +} + +static inline hal_error_t hal_asn1_decode_size_t(size_t *np, const uint8_t * const der, size_t *der_len, const size_t der_max) +{ + /* trust the compiler to optimize out the unused code path */ + if (sizeof(size_t) == sizeof(uint32_t)) { + return hal_asn1_decode_uint32((uint32_t *)np, der, der_len, der_max); + } + else { + uint32_t n; + hal_error_t err; + + if ((err = hal_asn1_decode_uint32(&n, der, der_len, der_max)) == HAL_OK) + *np = (size_t)n; + + return err; + } +} + +static inline hal_error_t hal_asn1_encode_lms_algorithm(const lms_algorithm_t type, uint8_t *der, size_t *der_len, const size_t der_max) +{ + return hal_asn1_encode_uint32((const uint32_t)type, der, der_len, der_max); +} + +static inline hal_error_t hal_asn1_decode_lms_algorithm(lms_algorithm_t *type, const uint8_t * const der, size_t *der_len, const size_t der_max) +{ + uint32_t n; + hal_error_t err; + + if ((err = hal_asn1_decode_uint32(&n, der, der_len, der_max)) == HAL_OK) + *type = (lms_algorithm_t)n; + + return err; +} + +static inline hal_error_t hal_asn1_encode_lmots_algorithm(const lmots_algorithm_t type, uint8_t *der, size_t *der_len, const size_t der_max) +{ + return hal_asn1_encode_uint32((const uint32_t)type, der, der_len, der_max); +} + +static inline hal_error_t hal_asn1_decode_lmots_algorithm(lmots_algorithm_t *type, const uint8_t * const der, size_t *der_len, const size_t der_max) +{ + uint32_t n; + hal_error_t err; + + if ((err = hal_asn1_decode_uint32(&n, der, der_len, der_max)) == HAL_OK) + *type = (lmots_algorithm_t)n; + + return err; +} + +static inline hal_error_t hal_asn1_encode_uuid(const hal_uuid_t * const data, uint8_t *der, size_t *der_len, const size_t der_max) +{ + return hal_asn1_encode_octet_string((const uint8_t * const)data, sizeof(hal_uuid_t), der, der_len, der_max); +} + +static inline hal_error_t hal_asn1_decode_uuid(hal_uuid_t *data, const uint8_t * const der, size_t *der_len, const size_t der_max) +{ + return hal_asn1_decode_octet_string((uint8_t *)data, sizeof(hal_uuid_t), der, der_len, der_max); +} + +static inline hal_error_t hal_asn1_encode_bytestring16(const bytestring16 * const data, uint8_t *der, size_t *der_len, const size_t der_max) +{ + return hal_asn1_encode_octet_string((const uint8_t * const)data, sizeof(bytestring16), der, der_len, der_max); +} + +static inline hal_error_t hal_asn1_decode_bytestring16(bytestring16 *data, const uint8_t * const der, size_t *der_len, const size_t der_max) +{ + return hal_asn1_decode_octet_string((uint8_t *)data, sizeof(bytestring16), der, der_len, der_max); +} + +static inline hal_error_t hal_asn1_encode_bytestring32(const bytestring32 * const data, uint8_t *der, size_t *der_len, const size_t der_max) +{ + return hal_asn1_encode_octet_string((const uint8_t * const)data, sizeof(bytestring32), der, der_len, der_max); +} + +static inline hal_error_t hal_asn1_decode_bytestring32(bytestring32 *data, const uint8_t * const der, size_t *der_len, const size_t der_max) +{ + return hal_asn1_decode_octet_string((uint8_t *)data, sizeof(bytestring32), der, der_len, der_max); +} + +/* ---------------------------------------------------------------- */ + +/* + * LM-OTS + */ + +typedef const struct lmots_parameter_set { + lmots_algorithm_t type; + size_t n, w, p, ls; +} lmots_parameter_t; +static lmots_parameter_t lmots_parameters[] = { + { lmots_sha256_n32_w1, 32, 1, 265, 7 }, + { lmots_sha256_n32_w2, 32, 2, 133, 6 }, + { lmots_sha256_n32_w4, 32, 4, 67, 4 }, + { lmots_sha256_n32_w8, 32, 8, 34, 0 }, +}; + +typedef struct lmots_key { + hal_key_type_t type; + lmots_parameter_t *lmots; + bytestring16 I; + size_t q; + bytestring32 * x; + bytestring32 K; +} lmots_key_t; + +static inline lmots_parameter_t *lmots_select_parameter_set(const lmots_algorithm_t lmots_type) +{ + if (lmots_type < lmots_sha256_n32_w1 || lmots_type > lmots_sha256_n32_w8) + return NULL; + else + return &lmots_parameters[lmots_type - lmots_sha256_n32_w1]; +} + +static inline size_t lmots_private_key_len(lmots_parameter_t * const lmots) +{ + /* u32str(type) || I || u32str(q) || x[0] || x[1] || ... || x[p-1] */ + return 2 * sizeof(uint32_t) + sizeof(bytestring16) + (lmots->p * lmots->n); +} + +static inline size_t lmots_public_key_len(lmots_parameter_t * const lmots) +{ + /* u32str(type) || I || u32str(q) || K */ + return 2 * sizeof(uint32_t) + sizeof(bytestring16) + lmots->n; +} + +static inline size_t lmots_signature_len(lmots_parameter_t * const lmots) +{ + /* u32str(type) || C || y[0] || ... || y[p-1] */ + return sizeof(uint32_t) + (lmots->p + 1) * lmots->n; +} + +#if RPC_CLIENT == RPC_CLIENT_LOCAL +/* Given a key with most fields filled in, generate the lmots private and + * public key components (x and K). + * Let the caller worry about storage. + */ +static hal_error_t lmots_generate(lmots_key_t * const key) +{ + if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMOTS || key->lmots == NULL || key->x == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + +// Algorithm 0: Generating a Private Key + +// 3. set n and p according to the typecode and Table 1 + + size_t n = key->lmots->n; + size_t p = key->lmots->p; + size_t w = key->lmots->w; + +// 4. compute the array x as follows: +// for ( i = 0; i < p; i = i + 1 ) { +// set x[i] to a uniformly random n-byte string +// } + + for (size_t i = 0; i < p; ++i) + check(hal_rpc_get_random(&key->x[i], n)); + +// Algorithm 1: Generating a One Time Signature Public Key From a +// Private Key + +// 4. compute the string K as follows: + + uint8_t statebuf[512]; + hal_hash_state_t *state = NULL; + bytestring32 y[p]; + uint32_t l; + uint16_t s; + uint8_t b; + +// for ( i = 0; i < p; i = i + 1 ) { + for (size_t i = 0; i < p; ++i) { + +// tmp = x[i] + bytestring32 tmp; + memcpy(&tmp, &key->x[i], sizeof(tmp)); + +// for ( j = 0; j < 2^w - 1; j = j + 1 ) { + for (size_t j = 0; j < (1U << w) - 1; ++j) { + +// tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp) + check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); + check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I))); + l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); + s = u16str(i); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + b = u8str(j); check(hal_hash_update(state, (const uint8_t *)&b, sizeof(b))); + check(hal_hash_update(state, (const uint8_t *)&tmp, sizeof(tmp))); + check(hal_hash_finalize(state, (uint8_t *)&tmp, sizeof(tmp))); + } + +// y[i] = tmp + memcpy(&y[i], &tmp, sizeof(tmp)); +// } + } + +// K = H(I || u32str(q) || u16str(D_PBLC) || y[0] || ... || y[p-1]) + check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); + check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I))); + l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); + s = u16str(D_PBLC); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + for (size_t i = 0; i < p; ++i) + check(hal_hash_update(state, (const uint8_t *)&y[i], sizeof(y[i]))); + check(hal_hash_finalize(state, (uint8_t *)&key->K, sizeof(key->K))); + + return HAL_OK; +} +#endif + +/* strings of w-bit elements */ +static uint8_t coef(const uint8_t * const S, const size_t i, size_t w) +{ + switch (w) { + case 1: + return (S[i/8] >> (7 - (i % 8))) & 0x01; + case 2: + return (S[i/4] >> (6 - (2 * (i % 4)))) & 0x03; + case 4: + return (S[i/2] >> (4 - (4 * (i % 2)))) & 0x0f; + case 8: + return S[i]; + default: + return 0; + } +} + +/* checksum */ +static uint16_t Cksm(const uint8_t * const S, lmots_parameter_t *lmots) +{ + uint16_t sum = 0; + + for (size_t i = 0; i < (lmots->n * 8 / lmots->w); ++i) + sum += ((1 << lmots->w) - 1) - coef(S, i, lmots->w); + + return (sum << lmots->ls); +} + +#if RPC_CLIENT == RPC_CLIENT_LOCAL +static hal_error_t lmots_sign(lmots_key_t *key, + const uint8_t * const msg, const size_t msg_len, + uint8_t * sig, size_t *sig_len, const size_t sig_max) +{ + if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMOTS || msg == NULL || sig == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + +// Algorithm 3: Generating a One Time Signature From a Private Key and a +// Message + +// 1. set type to the typecode of the algorithm +// +// 2. set n, p, and w according to the typecode and Table 1 + + size_t n = key->lmots->n; + size_t p = key->lmots->p; + size_t w = key->lmots->w; + + if (sig_max < lmots_signature_len(key->lmots)) + return HAL_ERROR_BAD_ARGUMENTS; + +// 3. determine x, I and q from the private key +// +// 4. set C to a uniformly random n-byte string + + bytestring32 C; + check(hal_rpc_get_random(&C, n)); + +// 5. compute the array y as follows: + + uint8_t statebuf[512]; + hal_hash_state_t *state = NULL; + uint8_t Q[n + 2]; /* hash || 16-bit checksum */ + uint32_t l; + uint16_t s; + uint8_t b; + +// Q = H(I || u32str(q) || u16str(D_MESG) || C || message) + check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); + check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I))); + l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); + s = u16str(D_MESG); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + check(hal_hash_update(state, (const uint8_t *)&C, sizeof(C))); + check(hal_hash_update(state, msg, msg_len)); + check(hal_hash_finalize(state, Q, n)); + + /* append checksum */ + *(uint16_t *)&Q[n] = u16str(Cksm((uint8_t *)Q, key->lmots)); + + bytestring32 y[p]; + +// for ( i = 0; i < p; i = i + 1 ) { + for (size_t i = 0; i < p; ++i) { + +// a = coef(Q || Cksm(Q), i, w) + uint8_t a = coef(Q, i, w); + +// tmp = x[i] + bytestring32 tmp; + memcpy(&tmp, &key->x[i], sizeof(tmp)); + +// for ( j = 0; j < a; j = j + 1 ) { + for (size_t j = 0; j < (size_t)a; ++j) { + +// tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp) + check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); + check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I))); + l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); + s = u16str(i); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + b = u8str(j); check(hal_hash_update(state, (const uint8_t *)&b, sizeof(b))); + check(hal_hash_update(state, (const uint8_t *)&tmp, sizeof(tmp))); + check(hal_hash_finalize(state, (uint8_t *)&tmp, sizeof(tmp))); +// } + } + +// y[i] = tmp + memcpy(&y[i], &tmp, sizeof(tmp)); + } + +// 6. return u32str(type) || C || y[0] || ... || y[p-1] + uint8_t *sigptr = sig; + const uint8_t * const siglim = sig + sig_max; + check(hal_xdr_encode_int(&sigptr, siglim, key->lmots->type)); + check(hal_xdr_encode_bytestring32(&sigptr, siglim, &C)); + for (size_t i = 0; i < p; ++i) + check(hal_xdr_encode_bytestring32(&sigptr, siglim, &y[i])); + + if (sig_len != NULL) + *sig_len = sigptr - sig; + + return HAL_OK; +} +#endif + +static hal_error_t lmots_public_key_candidate(const lmots_key_t * const key, + const uint8_t * const msg, const size_t msg_len, + const uint8_t * const sig, const size_t sig_len) +{ + if (key == NULL || msg == NULL || sig == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + /* Skip the length checks here, because we did a unitary length check + * at the start of lms_verify. + */ + +// 1. if the signature is not at least four bytes long, return INVALID +// +// 2. parse sigtype, C, and y from the signature as follows: +// a. sigtype = strTou32(first 4 bytes of signature) + + const uint8_t *sigptr = sig; + const uint8_t * const siglim = sig + sig_len; + + uint32_t sigtype; + check(hal_xdr_decode_int(&sigptr, siglim, &sigtype)); + +// b. if sigtype is not equal to pubtype, return INVALID + + if ((lmots_algorithm_t)sigtype != key->lmots->type) + return HAL_ERROR_INVALID_SIGNATURE; + +// c. set n and p according to the pubtype and Table 1; if the +// signature is not exactly 4 + n * (p+1) bytes long, return INVALID + + size_t n = key->lmots->n; + size_t p = key->lmots->p; + size_t w = key->lmots->w; + +// d. C = next n bytes of signature + + bytestring32 C; + check(hal_xdr_decode_bytestring32(&sigptr, siglim, &C)); + +// e. y[0] = next n bytes of signature +// y[1] = next n bytes of signature +// ... +// y[p-1] = next n bytes of signature + + bytestring32 y[p]; + for (size_t i = 0; i < p; ++i) + check(hal_xdr_decode_bytestring32(&sigptr, siglim, &y[i])); + +// 3. compute the string Kc as follows + + uint8_t statebuf[512]; + hal_hash_state_t *state = NULL; + uint8_t Q[n + 2]; /* hash || 16-bit checksum */ + uint32_t l; + uint16_t s; + uint8_t b; + +// Q = H(I || u32str(q) || u16str(D_MESG) || C || message) + check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); + check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I))); + l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); + s = u16str(D_MESG); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + check(hal_hash_update(state, (const uint8_t *)&C, sizeof(C))); + check(hal_hash_update(state, msg, msg_len)); + check(hal_hash_finalize(state, Q, n)); + + /* append checksum */ + *(uint16_t *)&Q[n] = u16str(Cksm((uint8_t *)Q, key->lmots)); + + bytestring32 z[p]; + +// for ( i = 0; i < p; i = i + 1 ) { + for (size_t i = 0; i < p; ++i) { + +// a = coef(Q || Cksm(Q), i, w) + uint8_t a = coef(Q, i, w); + +// tmp = y[i] + bytestring32 tmp; + memcpy(&tmp, &y[i], sizeof(tmp)); + +// for ( j = a; j < 2^w - 1; j = j + 1 ) { + for (size_t j = (size_t)a; j < (1U << w) - 1; ++j) { + +// tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp) + check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); + check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I))); + l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); + s = u16str(i); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + b = u8str(j); check(hal_hash_update(state, (const uint8_t *)&b, sizeof(b))); + check(hal_hash_update(state, (const uint8_t *)&tmp, sizeof(tmp))); + check(hal_hash_finalize(state, (uint8_t *)&tmp, sizeof(tmp))); +// } + } + +// z[i] = tmp + memcpy(&z[i], &tmp, sizeof(tmp)); +// } + } + +// Kc = H(I || u32str(q) || u16str(D_PBLC) || z[0] || z[1] || ... || z[p-1]) + check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); + check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I))); + l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); + s = u16str(D_PBLC); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + for (size_t i = 0; i < p; ++i) + check(hal_hash_update(state, (const uint8_t *)&z[i], sizeof(z[i]))); + check(hal_hash_finalize(state, (uint8_t *)&key->K, sizeof(key->K))); + +// 4. return Kc + return HAL_OK; +} + +#if RPC_CLIENT == RPC_CLIENT_LOCAL +static hal_error_t lmots_private_key_to_der(const lmots_key_t * const key, + uint8_t *der, size_t *der_len, const size_t der_max) +{ + if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMOTS) + return HAL_ERROR_BAD_ARGUMENTS; + + // u32str(lmots_type) || I || u32str(q) || K || x[0] || x[1] || ... || x[p-1] + /* K is not an integral part of the private key, but we store it to speed up restart */ + + /* + * Calculate data length. + */ + + size_t len, vlen = 0, hlen; + + check(hal_asn1_encode_lmots_algorithm(key->lmots->type, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_bytestring16(&key->I, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_size_t(key->q, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_bytestring32(&key->K, NULL, &len, 0)); vlen += len; + for (size_t i = 0; i < key->lmots->p; ++i) { + check(hal_asn1_encode_bytestring32(&key->x[i], NULL, &len, 0)); vlen += len; + } + + check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, NULL, &hlen, 0)); + + check(hal_asn1_encode_pkcs8_privatekeyinfo(hal_asn1_oid_mts_hashsig, hal_asn1_oid_mts_hashsig_len, + NULL, 0, NULL, hlen + vlen, NULL, der_len, der_max)); + + if (der == NULL) + return HAL_OK; + + /* + * Encode data. + */ + + check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, der, &hlen, der_max)); + + uint8_t *d = der + hlen; + memset(d, 0, vlen); + + check(hal_asn1_encode_lmots_algorithm(key->lmots->type, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_encode_bytestring16(&key->I, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_encode_size_t(key->q, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_encode_bytestring32(&key->K, d, &len, vlen)); d += len; vlen -= len; + for (size_t i = 0; i < key->lmots->p; ++i) { + check(hal_asn1_encode_bytestring32(&key->x[i], d, &len, vlen)); d += len; vlen -= len; + } + + return hal_asn1_encode_pkcs8_privatekeyinfo(hal_asn1_oid_mts_hashsig, hal_asn1_oid_mts_hashsig_len, + NULL, 0, der, d - der, der, der_len, der_max); +} + +static size_t lmots_private_key_to_der_len(const lmots_key_t * const key) +{ + size_t len = 0; + return (lmots_private_key_to_der(key, NULL, &len, 0) == HAL_OK) ? len : 0; +} + +static hal_error_t lmots_private_key_from_der(lmots_key_t *key, + const uint8_t *der, const size_t der_len) +{ + if (key == NULL || der == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + key->type = HAL_KEY_TYPE_HASHSIG_LMOTS; + + size_t hlen, vlen, alg_oid_len, curve_oid_len, privkey_len; + const uint8_t *alg_oid, *curve_oid, *privkey; + + check(hal_asn1_decode_pkcs8_privatekeyinfo(&alg_oid, &alg_oid_len, + &curve_oid, &curve_oid_len, + &privkey, &privkey_len, + der, der_len)); + + if (alg_oid_len != hal_asn1_oid_mts_hashsig_len || + memcmp(alg_oid, hal_asn1_oid_mts_hashsig, alg_oid_len) != 0 || + curve_oid_len != 0) + return HAL_ERROR_ASN1_PARSE_FAILED; + + check(hal_asn1_decode_header(ASN1_SEQUENCE, privkey, privkey_len, &hlen, &vlen)); + + const uint8_t *d = privkey + hlen; + size_t len; + + // u32str(lmots_type) || I || u32str(q) || K || x[0] || x[1] || ... || x[p-1] + + lmots_algorithm_t lmots_type; + check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &len, vlen)); d += len; vlen -= len; + key->lmots = lmots_select_parameter_set(lmots_type); + check(hal_asn1_decode_bytestring16(&key->I, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_decode_size_t(&key->q, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_decode_bytestring32(&key->K, d, &len, vlen)); d += len; vlen -= len; + if (key->x != NULL) { + for (size_t i = 0; i < key->lmots->p; ++i) { + check(hal_asn1_decode_bytestring32(&key->x[i], d, &len, vlen)); d += len; vlen -= len; + } + + if (d != privkey + privkey_len) + return HAL_ERROR_ASN1_PARSE_FAILED; + } + + return HAL_OK; +} +#endif + +/* ---------------------------------------------------------------- */ + +/* + * LMS + */ + +typedef const struct lms_parameter_set { + lms_algorithm_t type; + size_t m, h; +} lms_parameter_t; +static lms_parameter_t lms_parameters[] = { + { lms_sha256_n32_h5, 32, 5 }, + { lms_sha256_n32_h10, 32, 10 }, + { lms_sha256_n32_h15, 32, 15 }, + { lms_sha256_n32_h20, 32, 20 }, + { lms_sha256_n32_h25, 32, 25 }, +}; + +typedef struct lms_key { + hal_key_type_t type; + size_t level; + lms_parameter_t *lms; + lmots_parameter_t *lmots; + bytestring16 I; + size_t q; /* index of next lmots signing key */ + hal_uuid_t *lmots_keys; /* private key components */ + bytestring32 *T; /* public key components */ + bytestring32 T1; /* copy of T[1] */ + uint8_t *pubkey; /* in XDR format */ + size_t pubkey_len; + uint8_t *signature; /* of public key by parent lms key */ + size_t signature_len; +} lms_key_t; + +static inline lms_parameter_t *lms_select_parameter_set(const lms_algorithm_t lms_type) +{ + if (lms_type < lms_sha256_n32_h5 || lms_type > lms_sha256_n32_h25) + return NULL; + else + return &lms_parameters[lms_type - lms_sha256_n32_h5]; +} + +static inline size_t lms_public_key_len(lms_parameter_t * const lms) +{ + /* u32str(type) || u32str(otstype) || I || T[1] */ + return 2 * sizeof(uint32_t) + 16 + lms->m; +} + +static inline size_t lms_signature_len(lms_parameter_t * const lms, lmots_parameter_t * const lmots) +{ + /* u32str(q) || ots_signature || u32str(type) || path[0] || path[1] || ... || path[h-1] */ + return 2 * sizeof(uint32_t) + lmots_signature_len(lmots) + lms->h * lms->m; +} + +#if RPC_CLIENT == RPC_CLIENT_LOCAL +/* Given a key with most fields filled in, generate the lms private and + * public key components. + * Let the caller worry about storage. + */ +static hal_error_t lms_generate(lms_key_t *key) +{ + if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMS || key->lms == NULL || key->lmots == NULL || key->lmots_keys == NULL || key->T == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + check(hal_uuid_gen((hal_uuid_t *)&key->I)); + key->q = 0; + + bytestring32 x[key->lmots->p]; + lmots_key_t lmots_key = { + .type = HAL_KEY_TYPE_HASHSIG_LMOTS, + .lmots = key->lmots, + .x = x + }; + memcpy(&lmots_key.I, &key->I, sizeof(key->I)); + + hal_pkey_slot_t slot = { + .type = HAL_KEY_TYPE_HASHSIG_LMOTS, + .curve = HAL_CURVE_NONE, + .flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | ((key->level == 0) ? HAL_KEY_FLAG_TOKEN: 0) + }; + hal_ks_t *ks = (key->level == 0) ? hal_ks_token : hal_ks_volatile; + + uint8_t statebuf[512]; + hal_hash_state_t *state = NULL; + uint32_t l; + uint16_t s; + size_t h2 = (1 << key->lms->h); + + /* private key - array of lmots key names */ + for (size_t q = 0; q < h2; ++q) { + /* generate the lmots private and public key components */ + lmots_key.q = q; + check(lmots_generate(&lmots_key)); + + /* store the lmots key */ + uint8_t der[lmots_private_key_to_der_len(&lmots_key)]; + size_t der_len; + check(lmots_private_key_to_der(&lmots_key, der, &der_len, sizeof(der))); + check(hal_uuid_gen(&slot.name)); + hal_error_t err = hal_ks_store(ks, &slot, der, der_len); + memset(&x, 0, sizeof(x)); + memset(der, 0, sizeof(der)); + if (err != HAL_OK) return err; + + /* record the lmots keystore name */ + memcpy(&key->lmots_keys[q], &slot.name, sizeof(slot.name)); + + /* compute T[r] = H(I || u32str(r) || u16str(D_LEAF) || OTS_PUB_HASH[r-2^h]) */ + size_t r = h2 + q; + check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); + check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I))); + l = u32str(r); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); + s = u16str(D_LEAF); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + check(hal_hash_update(state, (const uint8_t *)&lmots_key.K, sizeof(lmots_key.K))); + check(hal_hash_finalize(state, (uint8_t *)&key->T[r], sizeof(key->T[r]))); + hal_task_yield_maybe(); + } + + /* generate the rest of T[r] = H(I || u32str(r) || u16str(D_INTR) || T[2*r] || T[2*r+1]) */ + for (size_t r = h2 - 1; r > 0; --r) { + check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); + check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I))); + l = u32str(r); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); + s = u16str(D_INTR); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + check(hal_hash_update(state, (const uint8_t *)&key->T[2*r], sizeof(key->T[r]))); + check(hal_hash_update(state, (const uint8_t *)&key->T[2*r+1], sizeof(key->T[r]))); + check(hal_hash_finalize(state, (uint8_t *)&key->T[r], sizeof(key->T[r]))); + hal_task_yield_maybe(); + } + + memcpy(&key->T1, &key->T[1], sizeof(key->T1)); + + /* generate the XDR encoding of the public key, which will be signed + * by the previous lms key + */ + uint8_t *pubkey = key->pubkey; + const uint8_t * const publim = key->pubkey + key->pubkey_len; + // u32str(lms_type) || u32str(lmots_type) || I || T[1] + check(hal_xdr_encode_int(&pubkey, publim, key->lms->type)); + check(hal_xdr_encode_int(&pubkey, publim, key->lmots->type)); + check(hal_xdr_encode_bytestring16(&pubkey, publim, &key->I)); + check(hal_xdr_encode_bytestring32(&pubkey, publim, &key->T1)); + + return HAL_OK; +} + +static hal_error_t lms_delete(const lms_key_t * const key) +{ + hal_pkey_slot_t slot = {0}; + hal_ks_t *ks = (key->level == 0) ? hal_ks_token : hal_ks_volatile; + + /* delete the lmots keys */ + for (size_t i = 0; i < (1U << key->lms->h); ++i) { + memcpy(&slot.name, &key->lmots_keys[i], sizeof(slot.name)); + check(hal_ks_delete(ks, &slot)); + hal_task_yield_maybe(); + } + + /* delete the lms key */ + memcpy(&slot.name, &key->I, sizeof(slot.name)); + return hal_ks_delete(ks, &slot); +} + +static hal_error_t lms_private_key_to_der(const lms_key_t * const key, + uint8_t *der, size_t *der_len, const size_t der_max); + +static hal_error_t lms_sign(lms_key_t * const key, + const uint8_t * const msg, const size_t msg_len, + uint8_t *sig, size_t *sig_len, const size_t sig_max) +{ + if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMS || msg == NULL || sig == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + if (key->q >= (1U << key->lms->h)) + return HAL_ERROR_HASHSIG_KEY_EXHAUSTED; + + if (sig_max < lms_signature_len(key->lms, key->lmots)) + return HAL_ERROR_RESULT_TOO_LONG; + + /* u32str(q) || ots_signature || u32str(lms_type) || path[0] || path[1] || ... || path[h-1] */ + + uint8_t *sigptr = sig; + const uint8_t * const siglim = sig + sig_max; + check(hal_xdr_encode_int(&sigptr, siglim, key->q)); + + /* fetch and decode the lmots signing key from the keystore */ + hal_pkey_slot_t slot; + memset(&slot, 0, sizeof(slot)); + memcpy(&slot.name, &key->lmots_keys[key->q], sizeof(slot.name)); + + lmots_key_t lmots_key; + memset(&lmots_key, 0, sizeof(lmots_key)); + bytestring32 x[key->lmots->p]; + memset(&x, 0, sizeof(x)); + lmots_key.x = x; + + uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; + size_t der_len; + hal_ks_t *ks = (key->level == 0) ? hal_ks_token : hal_ks_volatile; + check(hal_ks_fetch(ks, &slot, der, &der_len, sizeof(der))); + check(lmots_private_key_from_der(&lmots_key, der, der_len)); + memset(&der, 0, sizeof(der)); + + //? check lmots_type and I vs. lms key? + + /* generate the lmots signature */ + size_t lmots_sig_len; + check(lmots_sign(&lmots_key, msg, msg_len, sigptr, &lmots_sig_len, sig_max - (sigptr - sig))); + memset(&x, 0, sizeof(x)); + sigptr += lmots_sig_len; + + check(hal_xdr_encode_int(&sigptr, siglim, key->lms->type)); + + /* generate the path array */ + for (size_t r = (1 << key->lms->h) + key->q; r > 1; r /= 2) + check(hal_xdr_encode_bytestring32(&sigptr, siglim, ((r & 1) ? &key->T[r-1] : &key->T[r+1]))); + + if (sig_len != NULL) + *sig_len = sigptr - sig; + + /* update and store q before returning the signature */ + ++key->q; + check(lms_private_key_to_der(key, der, &der_len, sizeof(der))); + slot.type = HAL_KEY_TYPE_HASHSIG_LMS; + slot.flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | ((key->level == 0) ? HAL_KEY_FLAG_TOKEN : 0); + memcpy(&slot.name, &key->I, sizeof(slot.name)); + check(hal_ks_rewrite_der(ks, &slot, der, der_len)); + + return HAL_OK; +} +#endif + +static hal_error_t lms_public_key_candidate(const lms_key_t * const key, + const uint8_t * const msg, const size_t msg_len, + const uint8_t * const sig, const size_t sig_len, + bytestring32 * Tc); + +static hal_error_t lms_verify(const lms_key_t * const key, + const uint8_t * const msg, const size_t msg_len, + const uint8_t * const sig, const size_t sig_len) +{ + if (key == NULL || msg == NULL || sig == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + /* We can do one length check right now, rather than the 3 in + * Algorithm 6b and 2 in Algorithm 4b, because the lms and lmots types + * in the signature have to match the key. + */ + if (sig_len != lms_signature_len(key->lms, key->lmots)) + return HAL_ERROR_INVALID_SIGNATURE; + +// Algorithm 6: LMS Signature Verification +// +// 1. if the public key is not at least eight bytes long, return +// INVALID +// +// 2. parse pubtype, I, and T[1] from the public key as follows: +// +// a. pubtype = strTou32(first 4 bytes of public key) +// +// b. ots_typecode = strTou32(next 4 bytes of public key) +// +// c. set m according to pubtype, based on Table 2 +// +// d. if the public key is not exactly 24 + m bytes +// long, return INVALID +// +// e. I = next 16 bytes of the public key +// +// f. T[1] = next m bytes of the public key +// +// 3. compute the candidate LMS root value Tc from the signature, +// message, identifier and pubtype using Algorithm 6b. + + bytestring32 Tc; + check(lms_public_key_candidate(key, msg, msg_len, sig, sig_len, &Tc)); + +// 4. if Tc is equal to T[1], return VALID; otherwise, return INVALID + + return (memcmp(&Tc, &key->T1, sizeof(Tc)) ? HAL_ERROR_INVALID_SIGNATURE : HAL_OK); +} + +static hal_error_t lms_public_key_candidate(const lms_key_t * const key, + const uint8_t * const msg, const size_t msg_len, + const uint8_t * const sig, const size_t sig_len, + bytestring32 * Tc) +{ +// Algorithm 6b: Computing an LMS Public Key Candidate from a Signature, +// Message, Identifier, and algorithm typecode + /* XXX and pubotstype */ + +// 1. if the signature is not at least eight bytes long, return INVALID +// +// 2. parse sigtype, q, ots_signature, and path from the signature as +// follows: +// +// a. q = strTou32(first 4 bytes of signature) + + const uint8_t *sigptr = sig; + const uint8_t * const siglim = sig + sig_len; + + uint32_t q; + check(hal_xdr_decode_int(&sigptr, siglim, &q)); + +// b. otssigtype = strTou32(next 4 bytes of signature) + + uint32_t otssigtype; + check(hal_xdr_decode_int_peek(&sigptr, siglim, &otssigtype)); + +// c. if otssigtype is not the OTS typecode from the public key, return INVALID + + if ((lmots_algorithm_t)otssigtype != key->lmots->type) + return HAL_ERROR_INVALID_SIGNATURE; + +// d. set n, p according to otssigtype and Table 1; if the +// signature is not at least 12 + n * (p + 1) bytes long, return INVALID +// +// e. ots_signature = bytes 8 through 8 + n * (p + 1) - 1 of signature + + /* XXX Technically, this is also wrong - this is the remainder of + * ots_signature after otssigtype. The full ots_signature would be + * bytes 4 through 8 + n * (p + 1) - 1. + */ + + const uint8_t * const ots_signature = sigptr; + sigptr += lmots_signature_len(key->lmots); + +// f. sigtype = strTou32(4 bytes of signature at location 8 + n * (p + 1)) + + uint32_t sigtype; + check(hal_xdr_decode_int(&sigptr, siglim, &sigtype)); + +// f. if sigtype is not the LM typecode from the public key, return INVALID + + if ((lms_algorithm_t)sigtype != key->lms->type) + return HAL_ERROR_INVALID_SIGNATURE; + +// g. set m, h according to sigtype and Table 2 + + size_t m = key->lms->m; + size_t h = key->lms->h; + size_t h2 = (1 << key->lms->h); + +// h. if q >= 2^h or the signature is not exactly 12 + n * (p + 1) + m * h bytes long, return INVALID + + if (q >= h2) + return HAL_ERROR_INVALID_SIGNATURE; + +// i. set path as follows: +// path[0] = next m bytes of signature +// path[1] = next m bytes of signature +// ... +// path[h-1] = next m bytes of signature + + bytestring32 path[h]; + for (size_t i = 0; i < h; ++i) + check(hal_xdr_decode_bytestring32(&sigptr, siglim, &path[i])); + +// 3. Kc = candidate public key computed by applying Algorithm 4b +// to the signature ots_signature, the message, and the +// identifiers I, q + + lmots_key_t lmots_key = { + .type = HAL_KEY_TYPE_HASHSIG_LMOTS, + .lmots = key->lmots, + .q = q + }; + memcpy(&lmots_key.I, &key->I, sizeof(lmots_key.I)); + check(lmots_public_key_candidate(&lmots_key, msg, msg_len, ots_signature, lmots_signature_len(key->lmots))); + +// 4. compute the candidate LMS root value Tc as follows: + + uint8_t statebuf[512]; + hal_hash_state_t *state = NULL; + uint32_t l; + uint16_t s; + +// node_num = 2^h + q + size_t r = h2 + q; + +// tmp = H(I || u32str(node_num) || u16str(D_LEAF) || Kc) + bytestring32 tmp; + check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); + check(hal_hash_update(state, (const uint8_t *)&lmots_key.I, sizeof(lmots_key.I))); + l = u32str(r); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); + s = u16str(D_LEAF); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + check(hal_hash_update(state, (const uint8_t *)&lmots_key.K, sizeof(lmots_key.K))); + check(hal_hash_finalize(state, (uint8_t *)&tmp, sizeof(tmp))); + +// i = 0 +// while (node_num > 1) { +// if (node_num is odd): +// tmp = H(I || u32str(node_num/2) || u16str(D_INTR) || path[i] || tmp) +// else: +// tmp = H(I || u32str(node_num/2) || u16str(D_INTR) || tmp || path[i]) +// node_num = node_num/2 +// i = i + 1 +// } + for (size_t i = 0; r > 1; r /= 2, ++i) { + check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); + check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I))); + l = u32str(r/2); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); + s = u16str(D_INTR); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + if (r & 1) { + check(hal_hash_update(state, (const uint8_t *)&path[i], m)); + check(hal_hash_update(state, (const uint8_t *)&tmp, sizeof(tmp))); + } + else { + check(hal_hash_update(state, (const uint8_t *)&tmp, sizeof(tmp))); + check(hal_hash_update(state, (const uint8_t *)&path[i], m)); + } + check(hal_hash_finalize(state, (uint8_t *)&tmp, sizeof(tmp))); + } + +// Tc = tmp + memcpy(Tc, &tmp, sizeof(*Tc)); + + return HAL_OK; +} + +#if RPC_CLIENT == RPC_CLIENT_LOCAL +static hal_error_t lms_private_key_to_der(const lms_key_t * const key, + uint8_t *der, size_t *der_len, const size_t der_max) +{ + if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMS) + return HAL_ERROR_BAD_ARGUMENTS; + + /* + * Calculate data length. + */ + + // u32str(lms_type) || u32str(lmots_type) || I || q + + size_t len, vlen = 0, hlen; + + check(hal_asn1_encode_lms_algorithm(key->lms->type, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_lmots_algorithm(key->lmots->type, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_bytestring16(&key->I, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_size_t(key->q, NULL, &len, 0)); vlen += len; + + check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, NULL, &hlen, 0)); + + check(hal_asn1_encode_pkcs8_privatekeyinfo(hal_asn1_oid_mts_hashsig, hal_asn1_oid_mts_hashsig_len, + NULL, 0, NULL, hlen + vlen, NULL, der_len, der_max)); + + if (der == NULL) + return HAL_OK; + + /* + * Encode data. + */ + + check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, der, &hlen, der_max)); + + uint8_t *d = der + hlen; + memset(d, 0, vlen); + + check(hal_asn1_encode_lms_algorithm(key->lms->type, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_encode_lmots_algorithm(key->lmots->type, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_encode_bytestring16(&key->I, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_encode_size_t(key->q, d, &len, vlen)); d += len; vlen -= len; + + return hal_asn1_encode_pkcs8_privatekeyinfo(hal_asn1_oid_mts_hashsig, hal_asn1_oid_mts_hashsig_len, + NULL, 0, der, d - der, der, der_len, der_max); +} + +static size_t lms_private_key_to_der_len(const lms_key_t * const key) +{ + size_t len = 0; + return lms_private_key_to_der(key, NULL, &len, 0) == HAL_OK ? len : 0; +} + +static hal_error_t lms_private_key_from_der(lms_key_t *key, + const uint8_t *der, const size_t der_len) +{ + if (key == NULL || der == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + key->type = HAL_KEY_TYPE_HASHSIG_LMS; + + size_t hlen, vlen, alg_oid_len, curve_oid_len, privkey_len; + const uint8_t *alg_oid, *curve_oid, *privkey; + + check(hal_asn1_decode_pkcs8_privatekeyinfo(&alg_oid, &alg_oid_len, + &curve_oid, &curve_oid_len, + &privkey, &privkey_len, + der, der_len)); + + if (alg_oid_len != hal_asn1_oid_mts_hashsig_len || + memcmp(alg_oid, hal_asn1_oid_mts_hashsig, alg_oid_len) != 0 || + curve_oid_len != 0) + return HAL_ERROR_ASN1_PARSE_FAILED; + + check(hal_asn1_decode_header(ASN1_SEQUENCE, privkey, privkey_len, &hlen, &vlen)); + + const uint8_t *d = privkey + hlen; + size_t n; + + // u32str(lms_type) || u32str(lmots_type) || I || q + + lms_algorithm_t lms_type; + check(hal_asn1_decode_lms_algorithm(&lms_type, d, &n, vlen)); d += n; vlen -= n; + key->lms = lms_select_parameter_set(lms_type); + lmots_algorithm_t lmots_type; + check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &n, vlen)); d += n; vlen -= n; + key->lmots = lmots_select_parameter_set(lmots_type); + check(hal_asn1_decode_bytestring16(&key->I, d, &n, vlen)); d += n; vlen -= n; + check(hal_asn1_decode_size_t(&key->q, d, &n, vlen)); d += n; vlen -= n; + + if (d != privkey + privkey_len) + return HAL_ERROR_ASN1_PARSE_FAILED; + + return HAL_OK; +} +#endif + +/* ---------------------------------------------------------------- */ + +/* + * HSS + */ + +/* For purposes of the external API, the key type is "hal_hashsig_key_t". + * Internally, we refer to it as "hss_key_t". + */ + +typedef struct hal_hashsig_key hss_key_t; + +struct hal_hashsig_key { + hal_key_type_t type; + hss_key_t *next; + hal_uuid_t name; + size_t L; + lms_parameter_t *lms; + lmots_parameter_t *lmots; + bytestring16 I; + bytestring32 T1; + lms_key_t *lms_keys; +}; + +const size_t hal_hashsig_key_t_size = sizeof(hss_key_t); + +static hss_key_t *hss_keys = NULL; + +static inline size_t hss_public_key_len(lms_parameter_t * const lms) +{ + /* L || pub[0] */ + return sizeof(uint32_t) + lms_public_key_len(lms); +} + +static inline size_t hss_signature_len(const size_t L, lms_parameter_t * const lms, lmots_parameter_t * const lmots) +{ + /* u32str(Nspk) || sig[0] || pub[1] || ... || sig[Nspk-1] || pub[Nspk] || sig[Nspk] */ + return sizeof(uint32_t) + L * lms_signature_len(lms, lmots) + (L - 1) * lms_public_key_len(lms); +} + +size_t hal_hashsig_signature_len(const size_t L, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type) +{ + lms_parameter_t * const lms = lms_select_parameter_set(lms_type); + if (lms == NULL) + return 0; + + lmots_parameter_t * const lmots = lmots_select_parameter_set(lmots_type); + if (lmots == NULL) + return 0; + + return hss_signature_len(L, lms, lmots); +} + +size_t hal_hashsig_lmots_private_key_len(const lmots_algorithm_t lmots_type) +{ + lmots_parameter_t * const lmots = lmots_select_parameter_set(lmots_type); + if (lmots == NULL) + return 0; + + return lmots_private_key_len(lmots); +} + +#if RPC_CLIENT == RPC_CLIENT_LOCAL +static int restart_in_progress = 0; + +static inline void *gnaw(uint8_t **mem, size_t *len, const size_t size) +{ + if (mem == NULL || *mem == NULL || len == NULL || size > *len) + return NULL; + void *ret = *mem; + *mem += size; + *len -= size; + return ret; +} + +static hal_error_t hss_alloc(hal_hashsig_key_t **key_, + const size_t L, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type) +{ + if (key_ == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + if (L == 0 || L > 8) + return HAL_ERROR_BAD_ARGUMENTS; + + lms_parameter_t *lms = lms_select_parameter_set(lms_type); + if (lms == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + size_t h2 = (1 << lms->h); + + lmots_parameter_t *lmots = lmots_select_parameter_set(lmots_type); + if (lmots == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + /* w=1 fails on the Alpha, because the key exceeds the keystore block + * size. The XDR encoding of the key is going to differ from the DER + * encoding, but it's at least in the ballpark to tell us whether the key + * will fit. + */ + if (lmots_private_key_len(lmots) > HAL_KS_BLOCK_SIZE) + return HAL_ERROR_UNSUPPORTED_KEY; + + if (hss_signature_len(L, lms, lmots) > HAL_RPC_MAX_PKT_SIZE) + return HAL_ERROR_UNSUPPORTED_KEY; + + /* check volatile keystore for space to store the lower-level trees */ + size_t available; + check(hal_ks_available(hal_ks_volatile, &available)); + if (available < (L - 1) * (h2 + 1)) + return HAL_ERROR_NO_KEY_INDEX_SLOTS; + + size_t lms_sig_len = lms_signature_len(lms, lmots); + size_t lms_pub_len = lms_public_key_len(lms); + + /* allocate lms tree nodes and lmots key names, atomically */ + size_t len = (sizeof(hss_key_t) + + L * sizeof(lms_key_t) + + L * lms_sig_len + + L * lms_pub_len + + L * h2 * sizeof(hal_uuid_t) + + L * (2 * h2) * sizeof(bytestring32)); + uint8_t *mem = hal_allocate_static_memory(len); + if (mem == NULL) + return HAL_ERROR_ALLOCATION_FAILURE; + memset(mem, 0, len); + + /* allocate the key that will stay in working memory */ + hss_key_t *key = gnaw(&mem, &len, sizeof(hss_key_t)); + *key_ = key; + key->type = HAL_KEY_TYPE_HASHSIG_PRIVATE; + key->L = L; + key->lms = lms; + key->lmots = lmots; + + /* add to the list of active keys */ + key->next = hss_keys; + hss_keys = key; + + /* allocate the list of lms trees */ + key->lms_keys = gnaw(&mem, &len, L * sizeof(lms_key_t)); + for (size_t i = 0; i < L; ++i) { + /* XXX some of this is redundant to lms_private_key_from_der */ + lms_key_t * lms_key = &key->lms_keys[i]; + lms_key->type = HAL_KEY_TYPE_HASHSIG_LMS; + lms_key->lms = lms; + lms_key->lmots = lmots; + lms_key->level = i; + lms_key->lmots_keys = (hal_uuid_t *)gnaw(&mem, &len, h2 * sizeof(hal_uuid_t)); + lms_key->T = gnaw(&mem, &len, (2 * h2) * sizeof(bytestring32)); + lms_key->signature = gnaw(&mem, &len, lms_sig_len); + lms_key->signature_len = lms_sig_len; + lms_key->pubkey = gnaw(&mem, &len, lms_pub_len); + lms_key->pubkey_len = lms_pub_len; + } + + return HAL_OK; +} + +/* called from pkey_local_generate_hashsig */ +hal_error_t hal_hashsig_key_gen(hal_core_t *core, + hal_hashsig_key_t **key_, + const size_t L, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type) +{ + /* hss_alloc does most of the checks */ + + if (restart_in_progress) + return HAL_ERROR_NOT_READY; + + /* check flash keystore for space to store the root tree */ + lms_parameter_t *lms = lms_select_parameter_set(lms_type); + if (lms == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + size_t available; + check(hal_ks_available(hal_ks_token, &available)); + if (available < (1U << lms->h) + 2) + return HAL_ERROR_NO_KEY_INDEX_SLOTS; + + check(hss_alloc(key_, L, lms_type, lmots_type)); + hss_key_t *key = *key_; + + /* generate the lms trees */ + for (size_t i = 0; i < L; ++i) { + lms_key_t * lms_key = &key->lms_keys[i]; + + check(lms_generate(lms_key)); + + if (i > 0) + /* sign this tree with the previous */ + check(lms_sign(&key->lms_keys[i-1], + (const uint8_t * const)lms_key->pubkey, lms_public_key_len(key->lms), + lms_key->signature, NULL, lms_signature_len(key->lms, key->lmots))); + + /* store the lms key */ + hal_pkey_slot_t slot = { + .type = HAL_KEY_TYPE_HASHSIG_LMS, + .curve = HAL_CURVE_NONE, + .flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | ((i == 0) ? HAL_KEY_FLAG_TOKEN: 0) + }; + hal_ks_t *ks = (i == 0) ? hal_ks_token : hal_ks_volatile; + uint8_t der[lms_private_key_to_der_len(lms_key)]; + size_t der_len; + + memcpy(&slot.name, &lms_key->I, sizeof(slot.name)); + check(lms_private_key_to_der(lms_key, der, &der_len, sizeof(der))); + check(hal_ks_store(ks, &slot, der, der_len)); + } + + memcpy(&key->I, &key->lms_keys[0].I, sizeof(key->I)); + memcpy(&key->T1, &key->lms_keys[0].T1, sizeof(key->T1)); + + /* pkey_local_generate_hashsig stores the key */ + + return HAL_OK; +} + +/* caller will delete the hss key from the keystore */ +hal_error_t hal_hashsig_key_delete(const hal_hashsig_key_t * const key) +{ + if (restart_in_progress) + return HAL_ERROR_NOT_READY; + + if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_PRIVATE) + return HAL_ERROR_BAD_ARGUMENTS; + + /* delete the lms trees and their lmots keys */ + for (size_t level = 0; level < key->L; ++level) + check(lms_delete(&key->lms_keys[level])); + + /* XXX free memory, if supported */ + (void)hal_free_static_memory(key); + + /* remove from global hss_keys linked list */ + /* XXX or mark it unused, for possible re-use */ + if (hss_keys == key) { + hss_keys = key->next; + } + else { + for (hss_key_t *prev = hss_keys; prev != NULL; prev = prev->next) { + if (prev->next == key) { + prev->next = key->next; + break; + } + } + } + + return HAL_OK; +} + +hal_error_t hal_hashsig_sign(hal_core_t *core, + const hal_hashsig_key_t * const key, + const uint8_t * const msg, const size_t msg_len, + uint8_t *sig, size_t *sig_len, const size_t sig_max) +{ + if (restart_in_progress) + return HAL_ERROR_NOT_READY; + + if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_PRIVATE || msg == NULL || sig == NULL || sig_len == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + if (sig_max < hss_signature_len(key->L, key->lms, key->lmots)) + return HAL_ERROR_RESULT_TOO_LONG; + +// To sign a message using the private key prv, the following steps are +// performed: +// +// If prv[L-1] is exhausted, then determine the smallest integer d +// such that all of the private keys prv[d], prv[d+1], ... , prv[L-1] +// are exhausted. If d is equal to zero, then the HSS key pair is +// exhausted, and it MUST NOT generate any more signatures. +// Otherwise, the key pairs for levels d through L-1 must be +// regenerated during the signature generation process, as follows. +// For i from d to L-1, a new LMS public and private key pair with a +// new identifier is generated, pub[i] and prv[i] are set to those +// values, then the public key pub[i] is signed with prv[i-1], and +// sig[i-1] is set to the resulting value. + + size_t h2 = (1 << key->lms->h); + if (key->lms_keys[key->L-1].q >= h2) { + size_t d; + for (d = key->L-1; d > 0 && key->lms_keys[d-1].q >= h2; --d) { + } + if (d == 0) + return HAL_ERROR_HASHSIG_KEY_EXHAUSTED; + for ( ; d < key->L; ++d) { + lms_key_t *lms_key = &key->lms_keys[d]; + /* Delete then regenerate the LMS key. We don't worry about + * power-cycling in the middle, because the lower-level trees are + * all stored in the volatile keystore, so we'd have to regenerate + * them anyway on restart; and this way we don't have to allocate + * any additional memory. + */ + check(lms_delete(lms_key)); + check(lms_generate(lms_key)); + check(lms_sign(&key->lms_keys[d-1], + (const uint8_t * const)lms_key->pubkey, lms_key->pubkey_len, + lms_key->signature, NULL, lms_key->signature_len)); + + hal_pkey_slot_t slot = { + .type = HAL_KEY_TYPE_HASHSIG_LMS, + .curve = HAL_CURVE_NONE, + .flags = (lms_key->level == 0) ? HAL_KEY_FLAG_TOKEN: 0 + }; + hal_ks_t *ks = (lms_key->level == 0) ? hal_ks_token : hal_ks_volatile; + uint8_t der[lms_private_key_to_der_len(lms_key)]; + size_t der_len; + + memcpy(&slot.name, &lms_key->I, sizeof(slot.name)); + check(lms_private_key_to_der(lms_key, der, &der_len, sizeof(der))); + check(hal_ks_store(ks, &slot, der, der_len)); + } + } + +// The message is signed with prv[L-1], and the value sig[L-1] is set +// to that result. +// +// The value of the HSS signature is set as follows. We let +// signed_pub_key denote an array of octet strings, where +// signed_pub_key[i] = sig[i] || pub[i+1], for i between 0 and Nspk- +// 1, inclusive, where Nspk = L-1 denotes the number of signed public +// keys. Then the HSS signature is u32str(Nspk) || +// signed_pub_key[0] || ... || signed_pub_key[Nspk-1] || sig[Nspk]. + + uint8_t *sigptr = sig; + const uint8_t * const siglim = sig + sig_max; + check(hal_xdr_encode_int(&sigptr, siglim, key->L - 1)); + + /* copy the lms signed public keys into the signature */ + for (size_t i = 1; i < key->L; ++i) { + lms_key_t *lms_key = &key->lms_keys[i]; + check(hal_xdr_encode_fixed_opaque(&sigptr, siglim, lms_key->signature, lms_key->signature_len)); + check(hal_xdr_encode_fixed_opaque(&sigptr, siglim, lms_key->pubkey, lms_key->pubkey_len)); + } + + /* sign the message with the last lms private key */ + size_t len; + check(lms_sign(&key->lms_keys[key->L-1], msg, msg_len, sigptr, &len, sig_max - (sigptr - sig))); + sigptr += len; + *sig_len = sigptr - sig; + + return HAL_OK; +} +#endif + +hal_error_t hal_hashsig_verify(hal_core_t *core, + const hal_hashsig_key_t * const key, + const uint8_t * const msg, const size_t msg_len, + const uint8_t * const sig, const size_t sig_len) +{ + if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_PUBLIC || msg == NULL || sig == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + core = core; + +// To verify a signature sig and message using the public key pub, the +// following steps are performed: +// +// The signature S is parsed into its components as follows: +// +// Nspk = strTou32(first four bytes of S) +// if Nspk+1 is not equal to the number of levels L in pub: +// return INVALID + + const uint8_t *sigptr = sig; + const uint8_t * const siglim = sig + sig_len; + + uint32_t Nspk; + check(hal_xdr_decode_int(&sigptr, siglim, &Nspk)); + if (Nspk + 1 != key->L) + return HAL_ERROR_INVALID_SIGNATURE; + +// key = pub +// for (i = 0; i < Nspk; i = i + 1) { +// sig = next LMS signature parsed from S +// msg = next LMS public key parsed from S +// if (lms_verify(msg, key, sig) != VALID): +// return INVALID +// key = msg +// } + + lms_key_t pub = { + .type = HAL_KEY_TYPE_HASHSIG_LMS, + .lms = key->lms, + .lmots = key->lmots + }; + memcpy(&pub.I, &key->I, sizeof(pub.I)); + memcpy(&pub.T1, &key->T1, sizeof(pub.T1)); + + for (size_t i = 0; i < Nspk; ++i) { + const uint8_t * const lms_sig = sigptr; + /* peek into the signature for the lmots and lms types */ + /* XXX The structure of the LMS signature makes this a bigger pain + * in the ass than necessary. + */ + /* skip over q */ + sigptr += 4; + /* read lmots_type out of the ots_signature */ + uint32_t lmots_type; + check(hal_xdr_decode_int_peek(&sigptr, siglim, &lmots_type)); + lmots_parameter_t *lmots = lmots_select_parameter_set((lmots_algorithm_t)lmots_type); + if (lmots == NULL) + return HAL_ERROR_INVALID_SIGNATURE; + /* skip over ots_signature */ + sigptr += lmots_signature_len(lmots); + /* read lms_type after ots_signature */ + uint32_t lms_type; + check(hal_xdr_decode_int(&sigptr, siglim, &lms_type)); + lms_parameter_t *lms = lms_select_parameter_set((lms_algorithm_t)lms_type); + if (lms == NULL) + return HAL_ERROR_INVALID_SIGNATURE; + /* skip over the path elements of the lms signature */ + sigptr += lms->h * lms->m; + /*XXX sigptr = lms_sig + lms_signature_len(lms, lmots); */ + + /* verify the signature over the bytestring version of the signed public key */ + check(lms_verify(&pub, sigptr, lms_public_key_len(lms), lms_sig, sigptr - lms_sig)); + + /* parse the signed public key */ + check(hal_xdr_decode_int(&sigptr, siglim, &lms_type)); + pub.lms = lms_select_parameter_set((lmots_algorithm_t)lms_type); + if (pub.lms == NULL) + return HAL_ERROR_INVALID_SIGNATURE; + check(hal_xdr_decode_int(&sigptr, siglim, &lmots_type)); + pub.lmots = lmots_select_parameter_set((lmots_algorithm_t)lmots_type); + if (pub.lmots == NULL) + return HAL_ERROR_INVALID_SIGNATURE; + check(hal_xdr_decode_bytestring16(&sigptr, siglim, &pub.I)); + check(hal_xdr_decode_bytestring32(&sigptr, siglim, &pub.T1)); + } + + /* verify the final signature over the message */ + return lms_verify(&pub, msg, msg_len, sigptr, sig_len - (sigptr - sig)); +} + +hal_error_t hal_hashsig_private_key_to_der(const hal_hashsig_key_t * const key, + uint8_t *der, size_t *der_len, const size_t der_max) +{ + if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_PRIVATE) + return HAL_ERROR_BAD_ARGUMENTS; + + /* + * Calculate data length. + */ + + size_t len, vlen = 0, hlen; + + check(hal_asn1_encode_size_t(key->L, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_lms_algorithm(key->lms->type, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_lmots_algorithm(key->lmots->type, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_bytestring16(&key->I, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_bytestring32(&key->T1, NULL, &len, 0)); vlen += len; + + check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, NULL, &hlen, 0)); + + check(hal_asn1_encode_pkcs8_privatekeyinfo(hal_asn1_oid_mts_hashsig, hal_asn1_oid_mts_hashsig_len, + NULL, 0, NULL, hlen + vlen, NULL, der_len, der_max)); + + if (der == NULL) + return HAL_OK; + + /* + * Encode data. + */ + + check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, der, &hlen, der_max)); + + uint8_t *d = der + hlen; + memset(d, 0, vlen); + + check(hal_asn1_encode_size_t(key->L, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_encode_lms_algorithm(key->lms->type, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_encode_lmots_algorithm(key->lmots->type, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_encode_bytestring16(&key->I, d, &len, vlen)); d += len; vlen -= len; + check(hal_asn1_encode_bytestring32(&key->T1, d, &len, vlen)); d += len; vlen -= len; + + return hal_asn1_encode_pkcs8_privatekeyinfo(hal_asn1_oid_mts_hashsig, hal_asn1_oid_mts_hashsig_len, + NULL, 0, der, d - der, der, der_len, der_max); +} + +size_t hal_hashsig_private_key_to_der_len(const hal_hashsig_key_t * const key) +{ + size_t len = 0; + return hal_hashsig_private_key_to_der(key, NULL, &len, 0) == HAL_OK ? len : 0; +} + +hal_error_t hal_hashsig_private_key_from_der(hal_hashsig_key_t **key_, + void *keybuf, const size_t keybuf_len, + const uint8_t *der, const size_t der_len) +{ + if (key_ == NULL || keybuf == NULL || keybuf_len < sizeof(hal_hashsig_key_t) || der == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + memset(keybuf, 0, keybuf_len); + + hss_key_t *key = *key_ = keybuf; + + key->type = HAL_KEY_TYPE_HASHSIG_PRIVATE; + + size_t hlen, vlen, alg_oid_len, curve_oid_len, privkey_len; + const uint8_t *alg_oid, *curve_oid, *privkey; + hal_error_t err; + + if ((err = hal_asn1_decode_pkcs8_privatekeyinfo(&alg_oid, &alg_oid_len, + &curve_oid, &curve_oid_len, + &privkey, &privkey_len, + der, der_len)) != HAL_OK) + return err; + + if (alg_oid_len != hal_asn1_oid_mts_hashsig_len || + memcmp(alg_oid, hal_asn1_oid_mts_hashsig, alg_oid_len) != 0 || + curve_oid_len != 0) + return HAL_ERROR_ASN1_PARSE_FAILED; + + if ((err = hal_asn1_decode_header(ASN1_SEQUENCE, privkey, privkey_len, &hlen, &vlen)) != HAL_OK) + return err; + + const uint8_t *d = privkey + hlen; + size_t n; + + check(hal_asn1_decode_size_t(&key->L, d, &n, vlen)); d += n; vlen -= n; + lms_algorithm_t lms_type; + check(hal_asn1_decode_lms_algorithm(&lms_type, d, &n, vlen)); d += n; vlen -= n; + key->lms = lms_select_parameter_set(lms_type); + lmots_algorithm_t lmots_type; + check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &n, vlen)); d += n; vlen -= n; + key->lmots = lmots_select_parameter_set(lmots_type); + check(hal_asn1_decode_bytestring16(&key->I, d, &n, vlen)); d += n; vlen -= n; + check(hal_asn1_decode_bytestring32(&key->T1, d, &n, vlen)); d += n; vlen -= n; + + if (d != privkey + privkey_len) + return HAL_ERROR_ASN1_PARSE_FAILED; + + /* Find this key in the list of active hashsig keys, and return a + * pointer to that key structure, rather than the caller-provided key + * structure. (The caller will wipe his own key structure when done, + * and not molest ours.) + */ + for (hss_key_t *hss_key = hss_keys; hss_key != NULL; hss_key = hss_key->next) { + if (memcmp(&key->I, &hss_key->lms_keys[0].I, sizeof(key->I)) == 0) { + *key_ = hss_key; + } + } + + return HAL_OK; +} + +hal_error_t hal_hashsig_public_key_to_der(const hal_hashsig_key_t * const key, + uint8_t *der, size_t *der_len, const size_t der_max) +{ + if (key == NULL || (key->type != HAL_KEY_TYPE_HASHSIG_PRIVATE && + key->type != HAL_KEY_TYPE_HASHSIG_PUBLIC)) + return HAL_ERROR_BAD_ARGUMENTS; + + // L || u32str(lms_type) || u32str(lmots_type) || I || T[1] + + size_t len, vlen = 0, hlen; + + check(hal_asn1_encode_size_t(key->L, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_lms_algorithm(key->lms->type, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_lmots_algorithm(key->lmots->type, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_bytestring16(&key->I, NULL, &len, 0)); vlen += len; + check(hal_asn1_encode_bytestring32(&key->T1, NULL, &len, 0)); vlen += len; + + check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, der, &hlen, der_max)); + + if (der != NULL) { + uint8_t *d = der + hlen; + size_t dlen = vlen; + memset(d, 0, vlen); + + check(hal_asn1_encode_size_t(key->L, d, &len, dlen)); d += len; dlen -= len; + check(hal_asn1_encode_lms_algorithm(key->lms->type, d, &len, dlen)); d += len; dlen -= len; + check(hal_asn1_encode_lmots_algorithm(key->lmots->type, d, &len, dlen)); d += len; dlen -= len; + check(hal_asn1_encode_bytestring16(&key->I, d, &len, dlen)); d += len; dlen -= len; + check(hal_asn1_encode_bytestring32(&key->T1, d, &len, dlen)); d += len; dlen -= len; + } + + return hal_asn1_encode_spki(hal_asn1_oid_mts_hashsig, hal_asn1_oid_mts_hashsig_len, + NULL, 0, der, hlen + vlen, + der, der_len, der_max); + +} + +size_t hal_hashsig_public_key_to_der_len(const hal_hashsig_key_t * const key) +{ + size_t len = 0; + return hal_hashsig_public_key_to_der(key, NULL, &len, 0) == HAL_OK ? len : 0; +} + +hal_error_t hal_hashsig_public_key_from_der(hal_hashsig_key_t **key_, + void *keybuf, const size_t keybuf_len, + const uint8_t * const der, const size_t der_len) +{ + if (key_ == NULL || keybuf == NULL || keybuf_len < sizeof(hss_key_t) || der == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + hss_key_t *key = keybuf; + + memset(keybuf, 0, keybuf_len); + *key_ = key; + + key->type = HAL_KEY_TYPE_HASHSIG_PUBLIC; + + const uint8_t *alg_oid = NULL, *null = NULL, *pubkey = NULL; + size_t alg_oid_len, null_len, pubkey_len; + + check(hal_asn1_decode_spki(&alg_oid, &alg_oid_len, &null, &null_len, &pubkey, &pubkey_len, der, der_len)); + + if (null != NULL || null_len != 0 || alg_oid == NULL || + alg_oid_len != hal_asn1_oid_mts_hashsig_len || memcmp(alg_oid, hal_asn1_oid_mts_hashsig, alg_oid_len) != 0) + return HAL_ERROR_ASN1_PARSE_FAILED; + + size_t len, hlen, vlen; + + check(hal_asn1_decode_header(ASN1_SEQUENCE, pubkey, pubkey_len, &hlen, &vlen)); + + const uint8_t * const pubkey_end = pubkey + hlen + vlen; + const uint8_t *d = pubkey + hlen; + + // L || u32str(lms_type) || u32str(lmots_type) || I || T[1] + + lms_algorithm_t lms_type; + lmots_algorithm_t lmots_type; + + check(hal_asn1_decode_size_t(&key->L, d, &len, pubkey_end - d)); d += len; + check(hal_asn1_decode_lms_algorithm(&lms_type, d, &len, pubkey_end - d)); d += len; + key->lms = lms_select_parameter_set(lms_type); + check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &len, pubkey_end - d)); d += len; + key->lmots = lmots_select_parameter_set(lmots_type); + check(hal_asn1_decode_bytestring16(&key->I, d, &len, pubkey_end - d)); d += len; + check(hal_asn1_decode_bytestring32(&key->T1, d, &len, pubkey_end - d)); d += len; + + if (d != pubkey_end) + return HAL_ERROR_ASN1_PARSE_FAILED; + + + return HAL_OK; +} + +hal_error_t hal_hashsig_key_load_public(hal_hashsig_key_t **key_, + void *keybuf, const size_t keybuf_len, + const size_t L, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type, + const uint8_t * const I, const size_t I_len, + const uint8_t * const T1, const size_t T1_len) +{ + if (key_ == NULL || keybuf == NULL || keybuf_len < sizeof(hal_hashsig_key_t) || + I == NULL || I_len != sizeof(bytestring16) || + T1 == NULL || T1_len != sizeof(bytestring32)) + return HAL_ERROR_BAD_ARGUMENTS; + + memset(keybuf, 0, keybuf_len); + + hal_hashsig_key_t *key = keybuf; + + key->type = HAL_KEY_TYPE_HASHSIG_PUBLIC; + + key->L = L; + key->lms = lms_select_parameter_set(lms_type); + key->lmots = lmots_select_parameter_set(lmots_type); + if (key->lms == NULL || key->lmots == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + memcpy(&key->I, I, I_len); + memcpy(&key->T1, T1, T1_len); + + *key_ = key; + + return HAL_OK; +} + + +hal_error_t hal_hashsig_key_load_public_xdr(hal_hashsig_key_t **key_, + void *keybuf, const size_t keybuf_len, + const uint8_t * const xdr, const size_t xdr_len) +{ + const uint8_t *xdrptr = xdr; + const uint8_t * const xdrlim = xdr + xdr_len; + + /* L || u32str(lms_type) || u32str(lmots_type) || I || T[1] */ + + uint32_t L, lms_type, lmots_type; + bytestring16 *I; + bytestring32 *T1; + + check(hal_xdr_decode_int(&xdrptr, xdrlim, &L)); + check(hal_xdr_decode_int(&xdrptr, xdrlim, &lms_type)); + check(hal_xdr_decode_int(&xdrptr, xdrlim, &lmots_type)); + check(hal_xdr_decode_bytestring16_ptr(&xdrptr, xdrlim, &I)); + check(hal_xdr_decode_bytestring32_ptr(&xdrptr, xdrlim, &T1)); + + return hal_hashsig_key_load_public(key_, keybuf, keybuf_len, L, lms_type, lmots_type, + (const uint8_t * const)I, sizeof(bytestring16), + (const uint8_t * const)T1, sizeof(bytestring32)); +} + +hal_error_t hal_hashsig_public_key_der_to_xdr(const uint8_t * const der, const size_t der_len, + uint8_t * const xdr, size_t * const xdr_len , const size_t xdr_max) +{ + if (der == NULL || xdr == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + const uint8_t *alg_oid = NULL, *null = NULL, *pubkey = NULL; + size_t alg_oid_len, null_len, pubkey_len; + + check(hal_asn1_decode_spki(&alg_oid, &alg_oid_len, &null, &null_len, &pubkey, &pubkey_len, der, der_len)); + + if (null != NULL || null_len != 0 || alg_oid == NULL || + alg_oid_len != hal_asn1_oid_mts_hashsig_len || memcmp(alg_oid, hal_asn1_oid_mts_hashsig, alg_oid_len) != 0) + return HAL_ERROR_ASN1_PARSE_FAILED; + + size_t len, hlen, vlen; + + check(hal_asn1_decode_header(ASN1_SEQUENCE, pubkey, pubkey_len, &hlen, &vlen)); + + const uint8_t * const pubkey_end = pubkey + hlen + vlen; + const uint8_t *d = pubkey + hlen; + + // L || u32str(lms_type) || u32str(lmots_type) || I || T[1] + + size_t L; + lms_algorithm_t lms_type; + lmots_algorithm_t lmots_type; + bytestring16 I; + bytestring32 T1; + + check(hal_asn1_decode_size_t(&L, d, &len, pubkey_end - d)); d += len; + check(hal_asn1_decode_lms_algorithm(&lms_type, d, &len, pubkey_end - d)); d += len; + check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &len, pubkey_end - d)); d += len; + check(hal_asn1_decode_bytestring16(&I, d, &len, pubkey_end - d)); d += len; + check(hal_asn1_decode_bytestring32(&T1, d, &len, pubkey_end - d)); d += len; + + if (d != pubkey_end) + return HAL_ERROR_ASN1_PARSE_FAILED; + + uint8_t * xdrptr = xdr; + const uint8_t * const xdrlim = xdr + xdr_max; + + check(hal_xdr_encode_int(&xdrptr, xdrlim, L)); + check(hal_xdr_encode_int(&xdrptr, xdrlim, lms_type)); + check(hal_xdr_encode_int(&xdrptr, xdrlim, lmots_type)); + check(hal_xdr_encode_bytestring16(&xdrptr, xdrlim, &I)); + check(hal_xdr_encode_bytestring32(&xdrptr, xdrlim, &T1)); + + if (xdr_len != NULL) + *xdr_len = xdrptr - xdr; + + return HAL_OK; +} + +#if RPC_CLIENT == RPC_CLIENT_LOCAL +/* Reinitialize the hashsig key structures after a device restart */ +hal_error_t hal_hashsig_ks_init(void) +{ + const hal_client_handle_t client = { -1 }; + const hal_session_handle_t session = { HAL_HANDLE_NONE }; + hal_uuid_t prev_name = {{0}}; + unsigned len; + hal_pkey_slot_t slot = {0}; + uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; + size_t der_len; + + restart_in_progress = 1; + + /* Find all hss private keys */ + while ((hal_ks_match(hal_ks_token, client, session, + HAL_KEY_TYPE_HASHSIG_PRIVATE, HAL_CURVE_NONE, 0, 0, NULL, 0, + &slot.name, &len, 1, &prev_name) == HAL_OK) && (len > 0)) { + hal_hashsig_key_t keybuf, *key; + if (hal_ks_fetch(hal_ks_token, &slot, der, &der_len, sizeof(der)) != HAL_OK || + hal_hashsig_private_key_from_der(&key, (void *)&keybuf, sizeof(keybuf), der, der_len) != HAL_OK) { + (void)hal_ks_delete(hal_ks_token, &slot); + continue; + } + + /* Make sure we have the lms key */ + hal_pkey_slot_t lms_slot = {0}; + lms_key_t lms_key; + memcpy(&lms_slot.name, &key->I, sizeof(lms_slot.name)); + if (hal_ks_fetch(hal_ks_token, &lms_slot, der, &der_len, sizeof(der)) != HAL_OK || + lms_private_key_from_der(&lms_key, der, der_len) != HAL_OK || + /* check keys for consistency */ + lms_key.lms != key->lms || + lms_key.lmots != key->lmots || + memcmp(&lms_key.I, &key->I, sizeof(lms_key.I)) != 0 || + /* optimistically allocate the full hss key structure */ + hss_alloc(&key, key->L, key->lms->type, key->lmots->type) != HAL_OK) { + (void)hal_ks_delete(hal_ks_token, &slot); + (void)hal_ks_delete(hal_ks_token, &lms_slot); + continue; + } + + /* hss_alloc redefines key, so copy fields from the old version of the key */ + memcpy(&key->I, &keybuf.I, sizeof(key->I)); + memcpy(&key->T1, &keybuf.T1, sizeof(key->T1)); + key->name = slot.name; + + /* initialize top-level lms key (beyond what hss_alloc did) */ + memcpy(&key->lms_keys[0].I, &lms_key.I, sizeof(lms_key.I)); + key->lms_keys[0].q = lms_key.q; + + prev_name = slot.name; + } + + /* Delete orphaned lms keys */ + memset(&prev_name, 0, sizeof(prev_name)); + while ((hal_ks_match(hal_ks_token, client, session, + HAL_KEY_TYPE_HASHSIG_LMS, HAL_CURVE_NONE, 0, 0, NULL, 0, + &slot.name, &len, 1, &prev_name) == HAL_OK) && (len > 0)) { + hss_key_t *hss_key; + for (hss_key = hss_keys; hss_key != NULL; hss_key = hss_key->next) { + if (memcmp(&slot.name, &hss_key->I, sizeof(slot.name)) == 0) + break; + } + if (hss_key == NULL) { + (void)hal_ks_delete(hal_ks_token, &slot); + continue; + } + + prev_name = slot.name; + } + + /* Find all lmots keys */ + memset(&prev_name, 0, sizeof(prev_name)); + while ((hal_ks_match(hal_ks_token, client, session, + HAL_KEY_TYPE_HASHSIG_LMOTS, HAL_CURVE_NONE, 0, 0, NULL, 0, + &slot.name, &len, 1, &prev_name) == HAL_OK) && (len > 0)) { + if (hss_keys == NULL) { + /* if no hss keys were recovered, all lmots keys are orphaned */ + (void)hal_ks_delete(hal_ks_token, &slot); + continue; + } + + lmots_key_t lmots_key = {0}; + if (hal_ks_fetch(hal_ks_token, &slot, der, &der_len, sizeof(der)) != HAL_OK || + lmots_private_key_from_der(&lmots_key, der, der_len) != HAL_OK) { + (void)hal_ks_delete(hal_ks_token, &slot); + continue; + } + + hss_key_t *hss_key; + for (hss_key = hss_keys; hss_key != NULL; hss_key = hss_key->next) { + if (memcmp(&hss_key->I, &lmots_key.I, sizeof(lmots_key.I)) == 0) + break; + } + if (hss_key == NULL) { + /* delete orphaned key */ + (void)hal_ks_delete(hal_ks_token, &slot); + continue; + } + + /* record this lmots key in the top-level lms key */ + memcpy(&hss_key->lms_keys[0].lmots_keys[lmots_key.q], &slot.name, sizeof(slot.name)); + + /* compute T[r] = H(I || u32str(r) || u16str(D_LEAF) || K) */ + size_t r = (1U << hss_key->lms->h) + lmots_key.q; + uint8_t statebuf[512]; + hal_hash_state_t *state = NULL; + hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)); + hal_hash_update(state, (const uint8_t *)&hss_key->I, sizeof(hss_key->I)); + uint32_t l = u32str(r); hal_hash_update(state, (const uint8_t *)&l, sizeof(l)); + uint16_t s = u16str(D_LEAF); hal_hash_update(state, (const uint8_t *)&s, sizeof(s)); + hal_hash_update(state, (const uint8_t *)&lmots_key.K, sizeof(lmots_key.K)); + hal_hash_finalize(state, (uint8_t *)&hss_key->lms_keys[0].T[r], sizeof(hss_key->lms_keys[0].T[r])); + + prev_name = slot.name; + } + + /* After all keys have been read, scan for completeness. */ + hal_uuid_t uuid_0 = {{0}}; + hss_key_t *hss_key, *hss_next = NULL; + for (hss_key = hss_keys; hss_key != NULL; hss_key = hss_next) { + hss_next = hss_key->next; + int fail = 0; + for (size_t i = 0; i < (1U << hss_key->lms->h); ++i) { + if (hal_uuid_cmp(&hss_key->lms_keys[0].lmots_keys[i], &uuid_0) == 0) { + fail = 1; + break; + } + } + if (fail) { + fail: + /* lms key is incomplete, give up on it */ + /* delete lmots keys */ + for (size_t i = 0; i < (1U << hss_key->lms->h); ++i) { + if (hal_uuid_cmp(&hss_key->lms_keys[0].lmots_keys[i], &uuid_0) != 0) { + memcpy(&slot.name, &hss_key->lms_keys[0].lmots_keys[i], sizeof(slot.name)); + (void)hal_ks_delete(hal_ks_token, &slot); + } + } + /* delete lms key */ + memcpy(&slot.name, &hss_key->I, sizeof(slot.name)); + (void)hal_ks_delete(hal_ks_token, &slot); + /* delete hss key */ + slot.name = hss_key->name; + (void)hal_ks_delete(hal_ks_token, &slot); + /* remove the hss key from the key list */ + if (hss_keys == hss_key) { + hss_keys = hss_key->next; + } + else { + for (hss_key_t *prev = hss_keys; prev != NULL; prev = prev->next) { + if (prev->next == hss_key) { + prev->next = hss_key->next; + break; + } + } + } + (void)hal_free_static_memory(hss_key); + continue; + } + + /* generate the rest of T[] */ + for (size_t r = (1U << hss_key->lms->h) - 1; r > 0; --r) { + uint8_t statebuf[512]; + hal_hash_state_t *state = NULL; + hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)); + hal_hash_update(state, (const uint8_t *)&hss_key->I, sizeof(hss_key->I)); + uint32_t l = u32str(r); hal_hash_update(state, (const uint8_t *)&l, sizeof(l)); + uint16_t s = u16str(D_INTR); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); + hal_hash_update(state, (const uint8_t *)&hss_key->lms_keys[0].T[2*r], sizeof(hss_key->lms_keys[0].T[r])); + hal_hash_update(state, (const uint8_t *)&hss_key->lms_keys[0].T[2*r+1], sizeof(hss_key->lms_keys[0].T[r])); + hal_hash_finalize(state, (uint8_t *)&hss_key->lms_keys[0].T[r], sizeof(hss_key->lms_keys[0].T[r])); + } + if (memcmp(&hss_key->lms_keys[0].T[1], &hss_key->T1, sizeof(hss_key->lms_keys[0].T[1])) != 0) + goto fail; + + /* generate the lower-level lms keys */ + for (size_t i = 1; i < hss_key->L; ++i) { + lms_key_t * lms_key = &hss_key->lms_keys[i]; + if (lms_generate(lms_key) != HAL_OK) + goto fail; + + /* store the lms key */ + slot.type = HAL_KEY_TYPE_HASHSIG_LMS; + slot.flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE; + memcpy(&slot.name, &lms_key->I, sizeof(slot.name)); + if (lms_private_key_to_der(lms_key, der, &der_len, sizeof(der)) != HAL_OK || + hal_ks_store(hal_ks_volatile, &slot, der, der_len) != HAL_OK || + /* sign this lms key with the previous */ + lms_sign(&hss_key->lms_keys[i-1], + (const uint8_t * const)lms_key->pubkey, lms_key->pubkey_len, + lms_key->signature, NULL, lms_key->signature_len) != HAL_OK) + goto fail; + } + } + + restart_in_progress = 0; + return HAL_OK; +} +#endif diff --git a/hashsig.h b/hashsig.h new file mode 100644 index 0000000..3753496 --- /dev/null +++ b/hashsig.h @@ -0,0 +1,118 @@ +/* + * hashsig.h + * --------- + * Implementation of draft-mcgrew-hash-sigs-08.txt + * + * Copyright (c) 2018, NORDUnet A/S All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * - Neither the name of the NORDUnet nor the names of its contributors may + * be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _HAL_HASHSIG_H_ +#define _HAL_HASHSIG_H_ + +typedef enum lmots_algorithm_type { + lmots_reserved = 0, + lmots_sha256_n32_w1 = 1, + lmots_sha256_n32_w2 = 2, + lmots_sha256_n32_w4 = 3, + lmots_sha256_n32_w8 = 4 +} lmots_algorithm_t; + +typedef enum lms_algorithm_type { + lms_reserved = 0, + lms_sha256_n32_h5 = 5, + lms_sha256_n32_h10 = 6, + lms_sha256_n32_h15 = 7, + lms_sha256_n32_h20 = 8, + lms_sha256_n32_h25 = 9 +} lms_algorithm_t; + +typedef struct hal_hashsig_key hal_hashsig_key_t; + +extern const size_t hal_hashsig_key_t_size; + +extern hal_error_t hal_hashsig_key_gen(hal_core_t *core, + hal_hashsig_key_t **key_, + const size_t hss_levels, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type); + +extern hal_error_t hal_hashsig_key_delete(const hal_hashsig_key_t * const key); + +extern hal_error_t hal_hashsig_private_key_to_der(const hal_hashsig_key_t * const key, + uint8_t *der, size_t *der_len, const size_t der_max); + +extern size_t hal_hashsig_private_key_to_der_len(const hal_hashsig_key_t * const key); + +extern hal_error_t hal_hashsig_private_key_from_der(hal_hashsig_key_t **key_, + void *keybuf, const size_t keybuf_len, + const uint8_t *der, const size_t der_len); + +extern hal_error_t hal_hashsig_public_key_to_der(const hal_hashsig_key_t * const key, + uint8_t *der, size_t *der_len, const size_t der_max); + +extern size_t hal_hashsig_public_key_to_der_len(const hal_hashsig_key_t * const key); + +extern hal_error_t hal_hashsig_public_key_from_der(hal_hashsig_key_t **key, + void *keybuf, const size_t keybuf_len, + const uint8_t * const der, const size_t der_len); + +extern hal_error_t hal_hashsig_sign(hal_core_t *core, + const hal_hashsig_key_t * const key, + const uint8_t * const hash, const size_t hash_len, + uint8_t *signature, size_t *signature_len, const size_t signature_max); + +extern hal_error_t hal_hashsig_verify(hal_core_t *core, + const hal_hashsig_key_t * const key, + const uint8_t * const hash, const size_t hash_len, + const uint8_t * const signature, const size_t signature_len); + +extern hal_error_t hal_hashsig_key_load_public(hal_hashsig_key_t **key_, + void *keybuf, const size_t keybuf_len, + const size_t L, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type, + const uint8_t * const I, const size_t I_len, + const uint8_t * const T1, const size_t T1_len); + +extern hal_error_t hal_hashsig_key_load_public_xdr(hal_hashsig_key_t **key_, + void *keybuf, const size_t keybuf_len, + const uint8_t * const xdr, const size_t xdr_len); + +extern size_t hal_hashsig_signature_len(const size_t L, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type); + +extern size_t hal_hashsig_lmots_private_key_len(const lmots_algorithm_t lmots_type); + +extern hal_error_t hal_hashsig_public_key_der_to_xdr(const uint8_t * const der, const size_t der_len, + uint8_t * const xdr, size_t * const xdr_len , const size_t xdr_max); + +extern hal_error_t hal_hashsig_ks_init(void); + +#endif /* _HAL_HASHSIG_H_ */ @@ -514,6 +514,10 @@ static inline int acceptable_key_type(const hal_key_type_t type) case HAL_KEY_TYPE_EC_PRIVATE: case HAL_KEY_TYPE_RSA_PUBLIC: case HAL_KEY_TYPE_EC_PUBLIC: + case HAL_KEY_TYPE_HASHSIG_PRIVATE: + case HAL_KEY_TYPE_HASHSIG_PUBLIC: + case HAL_KEY_TYPE_HASHSIG_LMS: + case HAL_KEY_TYPE_HASHSIG_LMOTS: return 1; default: return 0; @@ -1019,6 +1023,18 @@ hal_error_t hal_ks_rewrite_der(hal_ks_t *ks, return err; } +hal_error_t hal_ks_available(hal_ks_t *ks, size_t *count) +{ + if (ks == NULL || count == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + hal_ks_lock(); + *count = ks->size - ks->used; + hal_ks_unlock(); + + return HAL_OK; +} + /* * Local variables: * indent-tabs-mode: nil @@ -58,7 +58,7 @@ * the UUID generation code (by definition -- it's not a version 4 UUID). */ -const hal_uuid_t hal_ks_pin_uuid; +extern const hal_uuid_t hal_ks_pin_uuid; /* * Known block states. @@ -426,6 +426,8 @@ extern hal_error_t hal_ks_block_update(hal_ks_t *ks, const hal_uuid_t * const uuid, int *hint); +extern hal_error_t hal_ks_available(hal_ks_t *ks, size_t *count); + #endif /* _KS_H_ */ /* diff --git a/ks_volatile.c b/ks_volatile.c index 55fd6a5..10fff9a 100644 --- a/ks_volatile.c +++ b/ks_volatile.c @@ -42,10 +42,6 @@ #include "hal_internal.h" #include "ks.h" -#ifndef STATIC_KS_VOLATILE_SLOTS -#define STATIC_KS_VOLATILE_SLOTS HAL_STATIC_PKEY_STATE_BLOCKS -#endif - #ifndef KS_VOLATILE_CACHE_SIZE #define KS_VOLATILE_CACHE_SIZE 4 #endif @@ -257,8 +253,8 @@ static hal_error_t ks_volatile_init(hal_ks_t *ks, const int alloc) hal_error_t err; if (alloc && - (err = hal_ks_alloc_common(ks, STATIC_KS_VOLATILE_SLOTS, KS_VOLATILE_CACHE_SIZE, - &mem, sizeof(*db->keys) * STATIC_KS_VOLATILE_SLOTS)) != HAL_OK) + (err = hal_ks_alloc_common(ks, HAL_STATIC_KS_VOLATILE_SLOTS, KS_VOLATILE_CACHE_SIZE, + &mem, sizeof(*db->keys) * HAL_STATIC_KS_VOLATILE_SLOTS)) != HAL_OK) return err; if (alloc) @@ -103,6 +103,11 @@ WEAK_FUNCTION void hal_task_yield(void) return; } +WEAK_FUNCTION void hal_task_yield_maybe(void) +{ + return; +} + /* * Local variables: * indent-tabs-mode: nil @@ -139,6 +139,8 @@ hal_error_t hal_pbkdf2(hal_core_t *core, for (iteration = 2; iteration <= iterations_desired; iteration++) { + hal_task_yield_maybe(); + if ((err = do_hmac(core, descriptor, password, password_length, mac, descriptor->digest_length, 0, mac, sizeof(mac))) != HAL_OK) @@ -35,6 +35,7 @@ #include "hal.h" #include "hal_internal.h" +#include "hashsig.h" const hal_hash_handle_t hal_hash_handle_none = {HAL_HANDLE_NONE}; @@ -64,6 +65,10 @@ static inline int check_pkey_type(const hal_key_type_t type) case HAL_KEY_TYPE_RSA_PUBLIC: case HAL_KEY_TYPE_EC_PRIVATE: case HAL_KEY_TYPE_EC_PUBLIC: + case HAL_KEY_TYPE_HASHSIG_PRIVATE: + case HAL_KEY_TYPE_HASHSIG_PUBLIC: + case HAL_KEY_TYPE_HASHSIG_LMS: + case HAL_KEY_TYPE_HASHSIG_LMOTS: return 1; default: return 0; @@ -91,6 +96,10 @@ static inline int check_pkey_type_curve_flags(const hal_key_type_t type, case HAL_KEY_TYPE_RSA_PRIVATE: case HAL_KEY_TYPE_RSA_PUBLIC: + case HAL_KEY_TYPE_HASHSIG_PRIVATE: + case HAL_KEY_TYPE_HASHSIG_PUBLIC: + case HAL_KEY_TYPE_HASHSIG_LMS: + case HAL_KEY_TYPE_HASHSIG_LMOTS: return curve == HAL_CURVE_NONE; case HAL_KEY_TYPE_EC_PRIVATE: @@ -264,6 +273,20 @@ hal_error_t hal_rpc_pkey_generate_ec(const hal_client_handle_t client, return hal_rpc_pkey_dispatch->generate_ec(client, session, pkey, name, curve, flags); } +hal_error_t hal_rpc_pkey_generate_hashsig(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + hal_uuid_t *name, + const size_t hss_levels, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type, + const hal_key_flags_t flags) +{ + if (pkey == NULL || name == NULL || !check_pkey_flags(flags)) + return HAL_ERROR_BAD_ARGUMENTS; + return hal_rpc_pkey_dispatch->generate_hashsig(client, session, pkey, name, hss_levels, lms_type, lmots_type, flags); +} + hal_error_t hal_rpc_pkey_close(const hal_pkey_handle_t pkey) { return hal_rpc_pkey_dispatch->close(pkey); diff --git a/rpc_client.c b/rpc_client.c index afa05ac..e97289e 100644 --- a/rpc_client.c +++ b/rpc_client.c @@ -4,7 +4,7 @@ * Remote procedure call client-side private API implementation. * * Authors: Rob Austein, Paul Selkirk - * Copyright (c) 2015-2016, NORDUnet A/S All rights reserved. + * Copyright (c) 2015-2018, NORDUnet A/S All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are @@ -36,6 +36,7 @@ #include "hal.h" #include "hal_internal.h" #include "xdr_internal.h" +#include "hashsig.h" #ifndef HAL_RPC_CLIENT_DEBUG #define HAL_RPC_CLIENT_DEBUG 0 @@ -137,7 +138,7 @@ static hal_error_t get_random(void *buffer, const size_t length) uint8_t outbuf[nargs(3)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(4) + pad(length)]; const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); - uint32_t rcvlen = length; + size_t rcvlen = length; hal_client_handle_t dummy_client = {0}; hal_error_t rpc_ret; @@ -150,7 +151,7 @@ static hal_error_t get_random(void *buffer, const size_t length) check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret)); if (rpc_ret == HAL_OK) { - check(hal_xdr_decode_buffer(&iptr, ilimit, buffer, &rcvlen)); + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, buffer, &rcvlen)); // XXX check rcvlen vs length } return rpc_ret; @@ -168,7 +169,7 @@ static hal_error_t set_pin(const hal_client_handle_t client, check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_SET_PIN)); check(hal_xdr_encode_int(&optr, olimit, client.handle)); check(hal_xdr_encode_int(&optr, olimit, user)); - check(hal_xdr_encode_buffer(&optr, olimit, (const uint8_t *)pin, pin_len)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, (const uint8_t *)pin, pin_len)); check(hal_rpc_send(outbuf, optr - outbuf)); check(read_matching_packet(RPC_FUNC_SET_PIN, inbuf, sizeof(inbuf), &iptr, &ilimit)); @@ -203,7 +204,7 @@ static hal_error_t login(const hal_client_handle_t client, check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_LOGIN)); check(hal_xdr_encode_int(&optr, olimit, client.handle)); check(hal_xdr_encode_int(&optr, olimit, user)); - check(hal_xdr_encode_buffer(&optr, olimit, (const uint8_t *)pin, pin_len)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, (const uint8_t *)pin, pin_len)); check(hal_rpc_send(outbuf, optr - outbuf)); check(read_matching_packet(RPC_FUNC_LOGIN, inbuf, sizeof(inbuf), &iptr, &ilimit)); @@ -296,7 +297,6 @@ static hal_error_t hash_get_digest_algorithm_id(const hal_digest_algorithm_t alg uint8_t outbuf[nargs(4)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(4) + pad(len_max)]; const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); - uint32_t len32 = len_max; hal_client_handle_t dummy_client = {0}; hal_error_t rpc_ret; @@ -311,8 +311,8 @@ static hal_error_t hash_get_digest_algorithm_id(const hal_digest_algorithm_t alg check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret)); if (rpc_ret == HAL_OK) { - check(hal_xdr_decode_buffer(&iptr, ilimit, id, &len32)); - *len = len32; + *len = len_max; + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, id, len)); } return rpc_ret; } @@ -356,7 +356,7 @@ static hal_error_t hash_initialize(const hal_client_handle_t client, check(hal_xdr_encode_int(&optr, olimit, client.handle)); check(hal_xdr_encode_int(&optr, olimit, session.handle)); check(hal_xdr_encode_int(&optr, olimit, alg)); - check(hal_xdr_encode_buffer(&optr, olimit, key, key_len)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, key, key_len)); check(hal_rpc_send(outbuf, optr - outbuf)); check(read_matching_packet(RPC_FUNC_HASH_INITIALIZE, inbuf, sizeof(inbuf), &iptr, &ilimit)); @@ -380,7 +380,7 @@ static hal_error_t hash_update(const hal_hash_handle_t hash, check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_HASH_UPDATE)); check(hal_xdr_encode_int(&optr, olimit, dummy_client.handle)); check(hal_xdr_encode_int(&optr, olimit, hash.handle)); - check(hal_xdr_encode_buffer(&optr, olimit, data, length)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, data, length)); check(hal_rpc_send(outbuf, optr - outbuf)); check(read_matching_packet(RPC_FUNC_HASH_UPDATE, inbuf, sizeof(inbuf), &iptr, &ilimit)); @@ -395,7 +395,7 @@ static hal_error_t hash_finalize(const hal_hash_handle_t hash, uint8_t outbuf[nargs(4)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(4) + pad(length)]; const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); - uint32_t digest_len = length; + size_t digest_len = length; hal_client_handle_t dummy_client = {0}; hal_error_t rpc_ret; @@ -409,7 +409,7 @@ static hal_error_t hash_finalize(const hal_hash_handle_t hash, check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret)); if (rpc_ret == HAL_OK) { - check(hal_xdr_decode_buffer(&iptr, ilimit, digest, &digest_len)); + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, digest, &digest_len)); /* XXX check digest_len vs length */ } return rpc_ret; @@ -425,27 +425,25 @@ static hal_error_t pkey_remote_load(const hal_client_handle_t client, uint8_t outbuf[nargs(5) + pad(der_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))]; const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); - uint32_t name_len = sizeof(name->uuid); + size_t name_len = sizeof(name->uuid); hal_error_t rpc_ret; check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_LOAD)); check(hal_xdr_encode_int(&optr, olimit, client.handle)); check(hal_xdr_encode_int(&optr, olimit, session.handle)); - check(hal_xdr_encode_buffer(&optr, olimit, der, der_len)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, der, der_len)); check(hal_xdr_encode_int(&optr, olimit, flags)); check(hal_rpc_send(outbuf, optr - outbuf)); check(read_matching_packet(RPC_FUNC_PKEY_LOAD, inbuf, sizeof(inbuf), &iptr, &ilimit)); check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret)); - if (rpc_ret == HAL_OK) { check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle)); - check(hal_xdr_decode_buffer(&iptr, ilimit, name->uuid, &name_len)); + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len)); if (name_len != sizeof(name->uuid)) return HAL_ERROR_KEY_NAME_TOO_LONG; } - return rpc_ret; } @@ -462,7 +460,7 @@ static hal_error_t pkey_remote_open(const hal_client_handle_t client, check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_OPEN)); check(hal_xdr_encode_int(&optr, olimit, client.handle)); check(hal_xdr_encode_int(&optr, olimit, session.handle)); - check(hal_xdr_encode_buffer(&optr, olimit, name->uuid, sizeof(name->uuid))); + check(hal_xdr_encode_variable_opaque(&optr, olimit, name->uuid, sizeof(name->uuid))); check(hal_rpc_send(outbuf, optr - outbuf)); check(read_matching_packet(RPC_FUNC_PKEY_OPEN, inbuf, sizeof(inbuf), &iptr, &ilimit)); @@ -486,14 +484,14 @@ static hal_error_t pkey_remote_generate_rsa(const hal_client_handle_t client, uint8_t outbuf[nargs(6) + pad(exp_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))]; const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); - uint32_t name_len = sizeof(name->uuid); + size_t name_len = sizeof(name->uuid); hal_error_t rpc_ret; check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_GENERATE_RSA)); check(hal_xdr_encode_int(&optr, olimit, client.handle)); check(hal_xdr_encode_int(&optr, olimit, session.handle)); check(hal_xdr_encode_int(&optr, olimit, key_len)); - check(hal_xdr_encode_buffer(&optr, olimit, exp, exp_len)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, exp, exp_len)); check(hal_xdr_encode_int(&optr, olimit, flags)); check(hal_rpc_send(outbuf, optr - outbuf)); @@ -503,7 +501,7 @@ static hal_error_t pkey_remote_generate_rsa(const hal_client_handle_t client, if (rpc_ret == HAL_OK) { check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle)); - check(hal_xdr_decode_buffer(&iptr, ilimit, name->uuid, &name_len)); + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len)); if (name_len != sizeof(name->uuid)) return HAL_ERROR_KEY_NAME_TOO_LONG; } @@ -521,7 +519,7 @@ static hal_error_t pkey_remote_generate_ec(const hal_client_handle_t client, uint8_t outbuf[nargs(5)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))]; const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); - uint32_t name_len = sizeof(name->uuid); + size_t name_len = sizeof(name->uuid); hal_error_t rpc_ret; check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_GENERATE_EC)); @@ -537,7 +535,45 @@ static hal_error_t pkey_remote_generate_ec(const hal_client_handle_t client, if (rpc_ret == HAL_OK) { check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle)); - check(hal_xdr_decode_buffer(&iptr, ilimit, name->uuid, &name_len)); + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len)); + if (name_len != sizeof(name->uuid)) + return HAL_ERROR_KEY_NAME_TOO_LONG; + } + + return rpc_ret; +} + +static hal_error_t pkey_remote_generate_hashsig(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + hal_uuid_t *name, + const size_t hss_levels, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type, + const hal_key_flags_t flags) +{ + uint8_t outbuf[nargs(7)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); + uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))]; + const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); + size_t name_len = sizeof(name->uuid); + hal_error_t rpc_ret; + + check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_GENERATE_HASHSIG)); + check(hal_xdr_encode_int(&optr, olimit, client.handle)); + check(hal_xdr_encode_int(&optr, olimit, session.handle)); + check(hal_xdr_encode_int(&optr, olimit, (uint32_t)hss_levels)); + check(hal_xdr_encode_int(&optr, olimit, (uint32_t)lms_type)); + check(hal_xdr_encode_int(&optr, olimit, (uint32_t)lmots_type)); + check(hal_xdr_encode_int(&optr, olimit, flags)); + check(hal_rpc_send(outbuf, optr - outbuf)); + + check(read_matching_packet(RPC_FUNC_PKEY_GENERATE_HASHSIG, inbuf, sizeof(inbuf), &iptr, &ilimit)); + + check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret)); + + if (rpc_ret == HAL_OK) { + check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle)); + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len)); if (name_len != sizeof(name->uuid)) return HAL_ERROR_KEY_NAME_TOO_LONG; } @@ -675,12 +711,11 @@ static size_t pkey_remote_get_public_key_len(const hal_pkey_handle_t pkey) check(read_matching_packet(RPC_FUNC_PKEY_GET_PUBLIC_KEY_LEN, inbuf, sizeof(inbuf), &iptr, &ilimit)); check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret)); - if (rpc_ret == HAL_OK) { - check(hal_xdr_decode_int(&iptr, ilimit, &len32)); + if (rpc_ret == HAL_OK && + hal_xdr_decode_int(&iptr, ilimit, &len32) == HAL_OK) return (size_t)len32; - } - else - return 0; + + return 0; } static hal_error_t pkey_remote_get_public_key(const hal_pkey_handle_t pkey, @@ -689,7 +724,6 @@ static hal_error_t pkey_remote_get_public_key(const hal_pkey_handle_t pkey, uint8_t outbuf[nargs(4)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(4) + pad(der_max)]; const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); - uint32_t dlen32 = der_max; hal_client_handle_t dummy_client = {0}; hal_error_t rpc_ret; @@ -703,8 +737,8 @@ static hal_error_t pkey_remote_get_public_key(const hal_pkey_handle_t pkey, check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret)); if (rpc_ret == HAL_OK) { - check(hal_xdr_decode_buffer(&iptr, ilimit, der, &dlen32)); - *der_len = (size_t)dlen32; + *der_len = der_max; + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, der, der_len)); } return rpc_ret; } @@ -717,7 +751,6 @@ static hal_error_t pkey_remote_sign(const hal_pkey_handle_t pkey, uint8_t outbuf[nargs(6) + pad(input_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(4) + pad(signature_max)]; const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); - uint32_t slen32 = signature_max; hal_client_handle_t dummy_client = {0}; hal_error_t rpc_ret; @@ -725,7 +758,7 @@ static hal_error_t pkey_remote_sign(const hal_pkey_handle_t pkey, check(hal_xdr_encode_int(&optr, olimit, dummy_client.handle)); check(hal_xdr_encode_int(&optr, olimit, pkey.handle)); check(hal_xdr_encode_int(&optr, olimit, hash.handle)); - check(hal_xdr_encode_buffer(&optr, olimit, input, input_len)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, input, input_len)); check(hal_xdr_encode_int(&optr, olimit, signature_max)); check(hal_rpc_send(outbuf, optr - outbuf)); @@ -733,8 +766,8 @@ static hal_error_t pkey_remote_sign(const hal_pkey_handle_t pkey, check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret)); if (rpc_ret == HAL_OK) { - check(hal_xdr_decode_buffer(&iptr, ilimit, signature, &slen32)); - *signature_len = (size_t)slen32; + *signature_len = signature_max; + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, signature, signature_len)); } return rpc_ret; } @@ -754,8 +787,8 @@ static hal_error_t pkey_remote_verify(const hal_pkey_handle_t pkey, check(hal_xdr_encode_int(&optr, olimit, dummy_client.handle)); check(hal_xdr_encode_int(&optr, olimit, pkey.handle)); check(hal_xdr_encode_int(&optr, olimit, hash.handle)); - check(hal_xdr_encode_buffer(&optr, olimit, input, input_len)); - check(hal_xdr_encode_buffer(&optr, olimit, signature, signature_len)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, input, input_len)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, signature, signature_len)); check(hal_rpc_send(outbuf, optr - outbuf)); check(read_matching_packet(RPC_FUNC_PKEY_VERIFY, inbuf, sizeof(inbuf), &iptr, &ilimit)); @@ -800,12 +833,12 @@ static hal_error_t pkey_remote_match(const hal_client_handle_t client, if (attributes != NULL) { for (int i = 0; i < attributes_len; i++) { check(hal_xdr_encode_int(&optr, olimit, attributes[i].type)); - check(hal_xdr_encode_buffer(&optr, olimit, attributes[i].value, attributes[i].length)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, attributes[i].value, attributes[i].length)); } } check(hal_xdr_encode_int(&optr, olimit, *state)); check(hal_xdr_encode_int(&optr, olimit, result_max)); - check(hal_xdr_encode_buffer(&optr, olimit, previous_uuid->uuid, sizeof(previous_uuid->uuid))); + check(hal_xdr_encode_variable_opaque(&optr, olimit, previous_uuid->uuid, sizeof(previous_uuid->uuid))); check(hal_rpc_send(outbuf, optr - outbuf)); check(read_matching_packet(RPC_FUNC_PKEY_MATCH, inbuf, sizeof(inbuf), &iptr, &ilimit)); @@ -818,8 +851,8 @@ static hal_error_t pkey_remote_match(const hal_client_handle_t client, *state = ustate; check(hal_xdr_decode_int(&iptr, ilimit, &array_len)); for (int i = 0; i < array_len; ++i) { - uint32_t uuid_len = sizeof(result[i].uuid); - check(hal_xdr_decode_buffer(&iptr, ilimit, result[i].uuid, &uuid_len)); + size_t uuid_len = sizeof(result[i].uuid); + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, result[i].uuid, &uuid_len)); if (uuid_len != sizeof(result[i].uuid)) return HAL_ERROR_KEY_NAME_TOO_LONG; } @@ -851,7 +884,7 @@ static hal_error_t pkey_remote_set_attributes(const hal_pkey_handle_t pkey, if (attributes[i].length == HAL_PKEY_ATTRIBUTE_NIL) check(hal_xdr_encode_int(&optr, olimit, HAL_PKEY_ATTRIBUTE_NIL)); else - check(hal_xdr_encode_buffer(&optr, olimit, attributes[i].value, attributes[i].length)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, attributes[i].value, attributes[i].length)); } check(hal_rpc_send(outbuf, optr - outbuf)); @@ -902,10 +935,10 @@ static hal_error_t pkey_remote_get_attributes(const hal_pkey_handle_t pkey, attributes[i].length = u32; } else { - u32 = attributes_buffer + attributes_buffer_len - abuf; - check(hal_xdr_decode_buffer(&iptr, ilimit, abuf, &u32)); + size_t len = attributes_buffer + attributes_buffer_len - abuf; + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, abuf, &len)); attributes[i].value = abuf; - attributes[i].length = u32; + attributes[i].length = len; abuf += u32; } } @@ -936,13 +969,10 @@ static hal_error_t pkey_remote_export(const hal_pkey_handle_t pkey, check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret)); if (rpc_ret == HAL_OK) { - uint32_t len; - len = pkcs8_max; - check(hal_xdr_decode_buffer(&iptr, ilimit, pkcs8, &len)); - *pkcs8_len = (size_t) len; - len = kek_max; - check(hal_xdr_decode_buffer(&iptr, ilimit, kek, &len)); - *kek_len = (size_t) len; + *pkcs8_len = pkcs8_max; + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, pkcs8, pkcs8_len)); + *kek_len = kek_max; + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, kek, kek_len)); } return rpc_ret; } @@ -959,15 +989,15 @@ static hal_error_t pkey_remote_import(const hal_client_handle_t client, uint8_t outbuf[nargs(7) + pad(pkcs8_len) + pad(kek_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))]; const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); - uint32_t name_len = sizeof(name->uuid); + size_t name_len = sizeof(name->uuid); hal_error_t rpc_ret; check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_IMPORT)); check(hal_xdr_encode_int(&optr, olimit, client.handle)); check(hal_xdr_encode_int(&optr, olimit, session.handle)); check(hal_xdr_encode_int(&optr, olimit, kekek.handle)); - check(hal_xdr_encode_buffer(&optr, olimit, pkcs8, pkcs8_len)); - check(hal_xdr_encode_buffer(&optr, olimit, kek, kek_len)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, pkcs8, pkcs8_len)); + check(hal_xdr_encode_variable_opaque(&optr, olimit, kek, kek_len)); check(hal_xdr_encode_int(&optr, olimit, flags)); check(hal_rpc_send(outbuf, optr - outbuf)); @@ -977,7 +1007,7 @@ static hal_error_t pkey_remote_import(const hal_client_handle_t client, if (rpc_ret == HAL_OK) { check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle)); - check(hal_xdr_decode_buffer(&iptr, ilimit, name->uuid, &name_len)); + check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len)); if (name_len != sizeof(name->uuid)) return HAL_ERROR_KEY_NAME_TOO_LONG; } @@ -1102,6 +1132,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_remote_pkey_dispatch = { .open = pkey_remote_open, .generate_rsa = pkey_remote_generate_rsa, .generate_ec = pkey_remote_generate_ec, + .generate_hashsig = pkey_remote_generate_hashsig, .close = pkey_remote_close, .delete = pkey_remote_delete, .get_key_type = pkey_remote_get_key_type, @@ -1124,6 +1155,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_mixed_pkey_dispatch = { .open = pkey_remote_open, .generate_rsa = pkey_remote_generate_rsa, .generate_ec = pkey_remote_generate_ec, + .generate_hashsig = pkey_remote_generate_hashsig, .close = pkey_remote_close, .delete = pkey_remote_delete, .get_key_type = pkey_remote_get_key_type, @@ -38,6 +38,7 @@ #include "hal.h" #include "hal_internal.h" #include "asn1_internal.h" +#include "hashsig.h" #ifndef HAL_STATIC_PKEY_STATE_BLOCKS #define HAL_STATIC_PKEY_STATE_BLOCKS 0 @@ -521,6 +522,68 @@ static hal_error_t pkey_local_generate_ec(const hal_client_handle_t client, } /* + * Generate a new hash-tree key with supplied name, return a key handle. + */ + +static hal_error_t pkey_local_generate_hashsig(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + hal_uuid_t *name, + const size_t hss_levels, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type, + const hal_key_flags_t flags) +{ + hal_assert(pkey != NULL && name != NULL); + + hal_hashsig_key_t *key = NULL; + hal_pkey_slot_t *slot; + hal_error_t err; + + if ((err = check_writable(client, flags)) != HAL_OK) + return err; + + if ((slot = alloc_slot(flags)) == NULL) + return HAL_ERROR_NO_KEY_SLOTS_AVAILABLE; + + if ((err = hal_uuid_gen(&slot->name)) != HAL_OK) + return err; + + slot->client = client; + slot->session = session; + slot->type = HAL_KEY_TYPE_HASHSIG_PRIVATE, + slot->curve = HAL_CURVE_NONE; + slot->flags = flags; + + if ((err = hal_hashsig_key_gen(NULL, &key, hss_levels, lms_type, lmots_type)) != HAL_OK) { + slot->type = HAL_KEY_TYPE_NONE; + return err; + } + + uint8_t der[hal_hashsig_private_key_to_der_len(key)]; + size_t der_len; + + if ((err = hal_hashsig_private_key_to_der(key, der, &der_len, sizeof(der))) == HAL_OK) + err = hal_ks_store(ks_from_flags(flags), slot, der, der_len); + + /* There's nothing sensitive in the top-level private key, but we wipe + * the der anyway, for symmetry with other key types. The actual key buf + * is allocated internally and stays in memory, because everything else + * is linked off of it. + */ + memset(der, 0, sizeof(der)); + + if (err != HAL_OK) { + slot->type = HAL_KEY_TYPE_NONE; + return err; + } + + *pkey = slot->pkey; + *name = slot->name; + return HAL_OK; +} + +/* * Discard key handle, leaving key intact. */ @@ -539,6 +602,7 @@ static hal_error_t pkey_local_close(const hal_pkey_handle_t pkey) /* * Delete a key from the store, given its key handle. */ +static hal_error_t pkey_local_get_key_type(const hal_pkey_handle_t pkey, hal_key_type_t *type); static hal_error_t pkey_local_delete(const hal_pkey_handle_t pkey) { @@ -552,6 +616,21 @@ static hal_error_t pkey_local_delete(const hal_pkey_handle_t pkey) if ((err = check_writable(slot->client, slot->flags)) != HAL_OK) return err; + hal_key_type_t key_type; + if ((err = pkey_local_get_key_type(pkey, &key_type)) != HAL_OK) + return err; + + if (key_type == HAL_KEY_TYPE_HASHSIG_PRIVATE) { + hal_hashsig_key_t *key; + uint8_t keybuf[hal_hashsig_key_t_size]; + uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; + size_t der_len; + if ((err = ks_fetch_from_flags(slot, der, &der_len, sizeof(der))) != HAL_OK || + (err = hal_hashsig_private_key_from_der(&key, keybuf, sizeof(keybuf), der, der_len)) != HAL_OK || + (err = hal_hashsig_key_delete(key)) != HAL_OK) + return err; + } + err = hal_ks_delete(ks_from_flags(slot->flags), slot); if (err == HAL_OK || err == HAL_ERROR_KEY_NOT_FOUND) @@ -633,9 +712,15 @@ static size_t pkey_local_get_public_key_len(const hal_pkey_handle_t pkey) size_t result = 0; - uint8_t keybuf[hal_rsa_key_t_size > hal_ecdsa_key_t_size ? hal_rsa_key_t_size : hal_ecdsa_key_t_size]; - hal_rsa_key_t *rsa_key = NULL; - hal_ecdsa_key_t *ecdsa_key = NULL; +#ifndef max +#define max(a, b) ((a) >= (b) ? (a) : (b)) +#endif + size_t keybuf_size = max(hal_rsa_key_t_size, hal_ecdsa_key_t_size); + keybuf_size = max(keybuf_size, hal_hashsig_key_t_size); + uint8_t keybuf[keybuf_size]; + hal_rsa_key_t *rsa_key = NULL; + hal_ecdsa_key_t *ecdsa_key = NULL; + hal_hashsig_key_t *hashsig_key = NULL; uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len; hal_error_t err; @@ -645,6 +730,7 @@ static size_t pkey_local_get_public_key_len(const hal_pkey_handle_t pkey) case HAL_KEY_TYPE_RSA_PUBLIC: case HAL_KEY_TYPE_EC_PUBLIC: + case HAL_KEY_TYPE_HASHSIG_PUBLIC: result = der_len; break; @@ -658,6 +744,11 @@ static size_t pkey_local_get_public_key_len(const hal_pkey_handle_t pkey) result = hal_ecdsa_public_key_to_der_len(ecdsa_key); break; + case HAL_KEY_TYPE_HASHSIG_PRIVATE: + if (hal_hashsig_private_key_from_der(&hashsig_key, keybuf, sizeof(keybuf), der, der_len) == HAL_OK) + result = hal_hashsig_public_key_to_der_len(hashsig_key); + break; + default: break; } @@ -681,10 +772,12 @@ static hal_error_t pkey_local_get_public_key(const hal_pkey_handle_t pkey, if (slot == NULL) return HAL_ERROR_KEY_NOT_FOUND; - uint8_t keybuf[hal_rsa_key_t_size > hal_ecdsa_key_t_size - ? hal_rsa_key_t_size : hal_ecdsa_key_t_size]; - hal_rsa_key_t *rsa_key = NULL; - hal_ecdsa_key_t *ecdsa_key = NULL; + size_t keybuf_size = max(hal_rsa_key_t_size, hal_ecdsa_key_t_size); + keybuf_size = max(keybuf_size, hal_hashsig_key_t_size); + uint8_t keybuf[keybuf_size]; + hal_rsa_key_t *rsa_key = NULL; + hal_ecdsa_key_t *ecdsa_key = NULL; + hal_hashsig_key_t *hashsig_key = NULL; uint8_t buf[HAL_KS_WRAPPED_KEYSIZE]; size_t buf_len; hal_error_t err; @@ -694,6 +787,7 @@ static hal_error_t pkey_local_get_public_key(const hal_pkey_handle_t pkey, case HAL_KEY_TYPE_RSA_PUBLIC: case HAL_KEY_TYPE_EC_PUBLIC: + case HAL_KEY_TYPE_HASHSIG_PUBLIC: if (der_len != NULL) *der_len = buf_len; if (der != NULL && der_max < buf_len) @@ -712,6 +806,11 @@ static hal_error_t pkey_local_get_public_key(const hal_pkey_handle_t pkey, err = hal_ecdsa_public_key_to_der(ecdsa_key, der, der_len, der_max); break; + case HAL_KEY_TYPE_HASHSIG_PRIVATE: + if ((err = hal_hashsig_private_key_from_der(&hashsig_key, keybuf, sizeof(keybuf), buf, buf_len)) == HAL_OK) + err = hal_hashsig_public_key_to_der(hashsig_key, der, der_len, der_max); + break; + default: err = HAL_ERROR_UNSUPPORTED_KEY; break; @@ -812,6 +911,44 @@ static hal_error_t pkey_local_sign_ecdsa(hal_pkey_slot_t *slot, return HAL_OK; } +static hal_error_t pkey_local_sign_hashsig(hal_pkey_slot_t *slot, + uint8_t *keybuf, const size_t keybuf_len, + const uint8_t * const der, const size_t der_len, + const hal_hash_handle_t hash, + const uint8_t * input, size_t input_len, + uint8_t * signature, size_t *signature_len, const size_t signature_max) +{ + hal_hashsig_key_t *key = NULL; + hal_error_t err; + + hal_assert(signature != NULL && signature_len != NULL); + hal_assert((hash.handle == HAL_HANDLE_NONE) != (input == NULL || input_len == 0)); + + if ((err = hal_hashsig_private_key_from_der(&key, keybuf, keybuf_len, der, der_len)) != HAL_OK) + return err; + + if (input == NULL || input_len == 0) { + hal_digest_algorithm_t alg; + + if ((err = hal_rpc_hash_get_algorithm(hash, &alg)) != HAL_OK || + (err = hal_rpc_hash_get_digest_length(alg, &input_len)) != HAL_OK) + return err; + + if (input_len > signature_max) + return HAL_ERROR_RESULT_TOO_LONG; + + if ((err = hal_rpc_hash_finalize(hash, signature, input_len)) != HAL_OK) + return err; + + input = signature; + } + + if ((err = hal_hashsig_sign(NULL, key, input, input_len, signature, signature_len, signature_max)) != HAL_OK) + return err; + + return HAL_OK; +} + static hal_error_t pkey_local_sign(const hal_pkey_handle_t pkey, const hal_hash_handle_t hash, const uint8_t * const input, const size_t input_len, @@ -828,13 +965,20 @@ static hal_error_t pkey_local_sign(const hal_pkey_handle_t pkey, const hal_hash_handle_t hash, const uint8_t * const input, const size_t input_len, uint8_t * signature, size_t *signature_len, const size_t signature_max); + size_t keybuf_size; switch (slot->type) { case HAL_KEY_TYPE_RSA_PRIVATE: signer = pkey_local_sign_rsa; + keybuf_size = hal_rsa_key_t_size; break; case HAL_KEY_TYPE_EC_PRIVATE: signer = pkey_local_sign_ecdsa; + keybuf_size = hal_ecdsa_key_t_size; + break; + case HAL_KEY_TYPE_HASHSIG_PRIVATE: + signer = pkey_local_sign_hashsig; + keybuf_size = hal_hashsig_key_t_size; break; default: return HAL_ERROR_UNSUPPORTED_KEY; @@ -843,8 +987,7 @@ static hal_error_t pkey_local_sign(const hal_pkey_handle_t pkey, if ((slot->flags & HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE) == 0) return HAL_ERROR_FORBIDDEN; - uint8_t keybuf[hal_rsa_key_t_size > hal_ecdsa_key_t_size - ? hal_rsa_key_t_size : hal_ecdsa_key_t_size]; + uint8_t keybuf[keybuf_size]; uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len; hal_error_t err; @@ -957,6 +1100,40 @@ static hal_error_t pkey_local_verify_ecdsa(uint8_t *keybuf, const size_t keybuf_ return HAL_OK; } +static hal_error_t pkey_local_verify_hashsig(uint8_t *keybuf, const size_t keybuf_len, const hal_key_type_t type, + const uint8_t * const der, const size_t der_len, + const hal_hash_handle_t hash, + const uint8_t * input, size_t input_len, + const uint8_t * const signature, const size_t signature_len) +{ + uint8_t digest[signature_len]; + hal_hashsig_key_t *key = NULL; + hal_error_t err; + + hal_assert(signature != NULL && signature_len > 0); + hal_assert((hash.handle == HAL_HANDLE_NONE) != (input == NULL || input_len == 0)); + + if ((err = hal_hashsig_public_key_from_der(&key, keybuf, keybuf_len, der, der_len)) != HAL_OK) + return err; + + if (input == NULL || input_len == 0) { + hal_digest_algorithm_t alg; + + // ??? + if ((err = hal_rpc_hash_get_algorithm(hash, &alg)) != HAL_OK || + (err = hal_rpc_hash_get_digest_length(alg, &input_len)) != HAL_OK || + (err = hal_rpc_hash_finalize(hash, digest, sizeof(digest))) != HAL_OK) + return err; + + input = digest; + } + + if ((err = hal_hashsig_verify(NULL, key, input, input_len, signature, signature_len)) != HAL_OK) + return err; + + return HAL_OK; +} + static hal_error_t pkey_local_verify(const hal_pkey_handle_t pkey, const hal_hash_handle_t hash, const uint8_t * const input, const size_t input_len, @@ -972,15 +1149,22 @@ static hal_error_t pkey_local_verify(const hal_pkey_handle_t pkey, const hal_hash_handle_t hash, const uint8_t * const input, const size_t input_len, const uint8_t * const signature, const size_t signature_len); + size_t keybuf_size; switch (slot->type) { case HAL_KEY_TYPE_RSA_PRIVATE: case HAL_KEY_TYPE_RSA_PUBLIC: verifier = pkey_local_verify_rsa; + keybuf_size = hal_rsa_key_t_size; break; case HAL_KEY_TYPE_EC_PRIVATE: case HAL_KEY_TYPE_EC_PUBLIC: verifier = pkey_local_verify_ecdsa; + keybuf_size = hal_ecdsa_key_t_size; + break; + case HAL_KEY_TYPE_HASHSIG_PUBLIC: + verifier = pkey_local_verify_hashsig; + keybuf_size = hal_hashsig_key_t_size; break; default: return HAL_ERROR_UNSUPPORTED_KEY; @@ -989,8 +1173,7 @@ static hal_error_t pkey_local_verify(const hal_pkey_handle_t pkey, if ((slot->flags & HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE) == 0) return HAL_ERROR_FORBIDDEN; - uint8_t keybuf[hal_rsa_key_t_size > hal_ecdsa_key_t_size - ? hal_rsa_key_t_size : hal_ecdsa_key_t_size]; + uint8_t keybuf[keybuf_size]; uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len; hal_error_t err; @@ -1314,6 +1497,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_local_pkey_dispatch = { .open = pkey_local_open, .generate_rsa = pkey_local_generate_rsa, .generate_ec = pkey_local_generate_ec, + .generate_hashsig = pkey_local_generate_hashsig, .close = pkey_local_close, .delete = pkey_local_delete, .get_key_type = pkey_local_get_key_type, diff --git a/rpc_server.c b/rpc_server.c index 4a5fa4c..5a06e37 100644 --- a/rpc_server.c +++ b/rpc_server.c @@ -3,7 +3,7 @@ * ------------ * Remote procedure call server-side private API implementation. * - * Copyright (c) 2016-2017, NORDUnet A/S All rights reserved. + * Copyright (c) 2016-2018, NORDUnet A/S All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are @@ -35,6 +35,7 @@ #include "hal.h" #include "hal_internal.h" #include "xdr_internal.h" +#include "hashsig.h" /* * RPC calls. @@ -49,45 +50,34 @@ static hal_error_t get_version(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); uint32_t version; - hal_error_t ret; - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - - /* call the local function */ - ret = hal_rpc_get_version(&version); + check(hal_rpc_get_version(&version)); - if (ret == HAL_OK) - check(hal_xdr_encode_int(optr, olimit, version)); - - return ret; + return hal_xdr_encode_int(optr, olimit, version); } static hal_error_t get_random(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); uint32_t length; - hal_error_t ret; + hal_error_t err; + + /* skip over unused client argument */ + *iptr += nargs(1); - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &length)); /* sanity check length */ - if (length == 0 || length > (uint32_t)(olimit - *optr - 4)) + if (length == 0 || length > (uint32_t)(olimit - *optr - nargs(1))) return HAL_ERROR_RPC_PACKET_OVERFLOW; - /* call the local function */ /* get the data directly into the output buffer */ - check(hal_xdr_encode_int(optr, olimit, length)); - ret = hal_rpc_get_random(*optr, (size_t)length); - if (ret == HAL_OK) + if ((err = hal_rpc_get_random(*optr + nargs(1), (size_t)length)) == HAL_OK) { + check(hal_xdr_encode_int(optr, olimit, length)); *optr += pad(length); - else - /* don't return data if error */ - *optr -= 4; + } - return ret; + return err; } static hal_error_t set_pin(const uint8_t **iptr, const uint8_t * const ilimit, @@ -96,17 +86,13 @@ static hal_error_t set_pin(const uint8_t **iptr, const uint8_t * const ilimit, hal_client_handle_t client; uint32_t user; const uint8_t *pin; - uint32_t pin_len; - hal_error_t ret; + size_t pin_len; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &user)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &pin, &pin_len)); - - /* call the local function */ - ret = hal_rpc_set_pin(client, user, (const char * const)pin, pin_len); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &pin, &pin_len)); - return ret; + return hal_rpc_set_pin(client, user, (const char * const)pin, pin_len); } static hal_error_t login(const uint8_t **iptr, const uint8_t * const ilimit, @@ -115,45 +101,29 @@ static hal_error_t login(const uint8_t **iptr, const uint8_t * const ilimit, hal_client_handle_t client; uint32_t user; const uint8_t *pin; - uint32_t pin_len; - hal_error_t ret; + size_t pin_len; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &user)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &pin, &pin_len)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &pin, &pin_len)); - /* call the local function */ - ret = hal_rpc_login(client, user, (const char * const)pin, pin_len); - - return ret; + return hal_rpc_login(client, user, (const char * const)pin, pin_len); } static hal_error_t logout(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { hal_client_handle_t client; - hal_error_t ret; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - /* call the local function */ - ret = hal_rpc_logout(client); - - return ret; + return hal_rpc_logout(client); } static hal_error_t logout_all(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); - hal_error_t ret; - - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - - /* call the local function */ - ret = hal_rpc_logout_all(); - - return ret; + return hal_rpc_logout_all(); } static hal_error_t is_logged_in(const uint8_t **iptr, const uint8_t * const ilimit, @@ -161,88 +131,69 @@ static hal_error_t is_logged_in(const uint8_t **iptr, const uint8_t * const ilim { hal_client_handle_t client; uint32_t user; - hal_error_t ret; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &user)); - /* call the local function */ - ret = hal_rpc_is_logged_in(client, user); - - return ret; + return hal_rpc_is_logged_in(client, user); } static hal_error_t hash_get_digest_len(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); uint32_t alg; size_t length; - hal_error_t ret; - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - check(hal_xdr_decode_int(iptr, ilimit, &alg)); + /* skip over unused client argument */ + *iptr += nargs(1); - /* call the local function */ - ret = hal_rpc_hash_get_digest_length(alg, &length); + check(hal_xdr_decode_int(iptr, ilimit, &alg)); - if (ret == HAL_OK) - check(hal_xdr_encode_int(optr, olimit, length)); + check(hal_rpc_hash_get_digest_length(alg, &length)); - return ret; + return hal_xdr_encode_int(optr, olimit, length); } static hal_error_t hash_get_digest_algorithm_id(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); uint32_t alg; size_t len; uint32_t len_max; - uint8_t *optr_orig = *optr; - hal_error_t ret; + hal_error_t err; + + /* skip over unused client argument */ + *iptr += nargs(1); - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &alg)); check(hal_xdr_decode_int(iptr, ilimit, &len_max)); /* sanity check len_max */ - if (len_max > (uint32_t)(olimit - *optr - 4)) + if (len_max > (uint32_t)(olimit - *optr - nargs(1))) return HAL_ERROR_RPC_PACKET_OVERFLOW; - /* call the local function */ /* get the data directly into the output buffer */ - *optr += 4; /* reserve 4 bytes for length */ - ret = hal_rpc_hash_get_digest_algorithm_id(alg, *optr, &len, (size_t)len_max); - if (ret == HAL_OK) { - *optr = optr_orig; + if ((err = hal_rpc_hash_get_digest_algorithm_id(alg, *optr + nargs(1), &len, (size_t)len_max)) == HAL_OK) { check(hal_xdr_encode_int(optr, olimit, len)); *optr += pad(len); } - else { - /* don't return data if error */ - *optr = optr_orig; - } - return ret; + + return err; } static hal_error_t hash_get_algorithm(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); hal_hash_handle_t hash; hal_digest_algorithm_t alg; - hal_error_t ret; - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - check(hal_xdr_decode_int(iptr, ilimit, &hash.handle)); + /* skip over unused client argument */ + *iptr += nargs(1); - /* call the local function */ - ret = hal_rpc_hash_get_algorithm(hash, &alg); + check(hal_xdr_decode_int(iptr, ilimit, &hash.handle)); - if (ret == HAL_OK) - check(hal_xdr_encode_int(optr, olimit, alg)); + check(hal_rpc_hash_get_algorithm(hash, &alg)); - return ret; + return hal_xdr_encode_int(optr, olimit, alg); } static hal_error_t hash_initialize(const uint8_t **iptr, const uint8_t * const ilimit, @@ -253,67 +204,57 @@ static hal_error_t hash_initialize(const uint8_t **iptr, const uint8_t * const i hal_hash_handle_t hash; uint32_t alg; const uint8_t *key; - uint32_t key_len; - hal_error_t ret; + size_t key_len; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &session.handle)); check(hal_xdr_decode_int(iptr, ilimit, &alg)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &key, &key_len)); - - /* call the local function */ - ret = hal_rpc_hash_initialize(client, session, &hash, (hal_digest_algorithm_t)alg, key, (size_t)key_len); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &key, &key_len)); - if (ret == HAL_OK) - check(hal_xdr_encode_int(optr, olimit, hash.handle)); + check(hal_rpc_hash_initialize(client, session, &hash, (hal_digest_algorithm_t)alg, key, (size_t)key_len)); - return ret; + return hal_xdr_encode_int(optr, olimit, hash.handle); } static hal_error_t hash_update(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); hal_hash_handle_t hash; const uint8_t *data; - uint32_t length; - hal_error_t ret; + size_t length; - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - check(hal_xdr_decode_int(iptr, ilimit, &hash.handle)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &data, &length)); + /* skip over unused client argument */ + *iptr += nargs(1); - /* call the local function */ - ret = hal_rpc_hash_update(hash, data, (size_t)length); + check(hal_xdr_decode_int(iptr, ilimit, &hash.handle)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &data, &length)); - return ret; + return hal_rpc_hash_update(hash, data, (size_t)length); } static hal_error_t hash_finalize(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); hal_hash_handle_t hash; uint32_t length; - hal_error_t ret; + hal_error_t err; + + /* skip over unused client argument */ + *iptr += nargs(1); - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &hash.handle)); check(hal_xdr_decode_int(iptr, ilimit, &length)); /* sanity check length */ - if (length == 0 || length > (uint32_t)(olimit - *optr - 4)) + if (length > (uint32_t)(olimit - *optr - nargs(1))) return HAL_ERROR_RPC_PACKET_OVERFLOW; - /* call the local function */ /* get the data directly into the output buffer */ - check(hal_xdr_encode_int(optr, olimit, length)); - ret = hal_rpc_hash_finalize(hash, *optr, (size_t)length); - if (ret == HAL_OK) + if ((err = hal_rpc_hash_finalize(hash, *optr + nargs(1), (size_t)length)) == HAL_OK) { + check(hal_xdr_encode_int(optr, olimit, length)); *optr += pad(length); - else - /* don't return data if error */ - *optr -= 4; - return ret; + } + + return err; } static hal_error_t pkey_load(const uint8_t **iptr, const uint8_t * const ilimit, @@ -324,28 +265,23 @@ static hal_error_t pkey_load(const uint8_t **iptr, const uint8_t * const ilimit, hal_pkey_handle_t pkey; hal_uuid_t name; const uint8_t *der; - uint32_t der_len; + size_t der_len; hal_key_flags_t flags; - hal_error_t ret; uint8_t *optr_orig = *optr; + hal_error_t err; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &session.handle)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &der, &der_len)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &der, &der_len)); check(hal_xdr_decode_int(iptr, ilimit, &flags)); - ret = hal_rpc_pkey_load(client, session, &pkey, &name, der, der_len, flags); - - if (ret == HAL_OK) - ret = hal_xdr_encode_int(optr, olimit, pkey.handle); - - if (ret == HAL_OK) - ret = hal_xdr_encode_buffer(optr, olimit, name.uuid, sizeof(name.uuid)); + check(hal_rpc_pkey_load(client, session, &pkey, &name, der, der_len, flags)); - if (ret != HAL_OK) + if ((err = hal_xdr_encode_int(optr, olimit, pkey.handle)) != HAL_OK || + (err = hal_xdr_encode_variable_opaque(optr, olimit, name.uuid, sizeof(name.uuid))) != HAL_OK) *optr = optr_orig; - return ret; + return err; } static hal_error_t pkey_open(const uint8_t **iptr, const uint8_t * const ilimit, @@ -355,23 +291,18 @@ static hal_error_t pkey_open(const uint8_t **iptr, const uint8_t * const ilimit, hal_session_handle_t session; hal_pkey_handle_t pkey; const uint8_t *name_ptr; - uint32_t name_len; - hal_error_t ret; + size_t name_len; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &session.handle)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &name_ptr, &name_len)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &name_ptr, &name_len)); if (name_len != sizeof(hal_uuid_t)) return HAL_ERROR_KEY_NAME_TOO_LONG; - /* call the local function */ - ret = hal_rpc_pkey_open(client, session, &pkey, (const hal_uuid_t *) name_ptr); + check(hal_rpc_pkey_open(client, session, &pkey, (const hal_uuid_t *) name_ptr)); - if (ret == HAL_OK) - check(hal_xdr_encode_int(optr, olimit, pkey.handle)); - - return ret; + return hal_xdr_encode_int(optr, olimit, pkey.handle); } static hal_error_t pkey_generate_rsa(const uint8_t **iptr, const uint8_t * const ilimit, @@ -383,27 +314,24 @@ static hal_error_t pkey_generate_rsa(const uint8_t **iptr, const uint8_t * const hal_uuid_t name; uint32_t key_len; const uint8_t *exp; - uint32_t exp_len; + size_t exp_len; hal_key_flags_t flags; - hal_error_t ret; + uint8_t *optr_orig = *optr; + hal_error_t err; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &session.handle)); check(hal_xdr_decode_int(iptr, ilimit, &key_len)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &exp, &exp_len)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &exp, &exp_len)); check(hal_xdr_decode_int(iptr, ilimit, &flags)); - /* call the local function */ - ret = hal_rpc_pkey_generate_rsa(client, session, &pkey, &name, key_len, exp, exp_len, flags); + check(hal_rpc_pkey_generate_rsa(client, session, &pkey, &name, key_len, exp, exp_len, flags)); - if (ret == HAL_OK) { - uint8_t *optr_orig = *optr; - if ((ret = hal_xdr_encode_int(optr, olimit, pkey.handle)) != HAL_OK || - (ret = hal_xdr_encode_buffer(optr, olimit, name.uuid, sizeof(name.uuid))) != HAL_OK) - *optr = optr_orig; - } + if ((err = hal_xdr_encode_int(optr, olimit, pkey.handle)) != HAL_OK || + (err = hal_xdr_encode_variable_opaque(optr, olimit, name.uuid, sizeof(name.uuid))) != HAL_OK) + *optr = optr_orig; - return ret; + return err; } static hal_error_t pkey_generate_ec(const uint8_t **iptr, const uint8_t * const ilimit, @@ -415,76 +343,93 @@ static hal_error_t pkey_generate_ec(const uint8_t **iptr, const uint8_t * const hal_uuid_t name; uint32_t curve; hal_key_flags_t flags; - hal_error_t ret; + uint8_t *optr_orig = *optr; + hal_error_t err; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &session.handle)); check(hal_xdr_decode_int(iptr, ilimit, &curve)); check(hal_xdr_decode_int(iptr, ilimit, &flags)); - /* call the local function */ - ret = hal_rpc_pkey_generate_ec(client, session, &pkey, &name, curve, flags); + check(hal_rpc_pkey_generate_ec(client, session, &pkey, &name, curve, flags)); - if (ret == HAL_OK) { - uint8_t *optr_orig = *optr; - if ((ret = hal_xdr_encode_int(optr, olimit, pkey.handle)) != HAL_OK || - (ret = hal_xdr_encode_buffer(optr, olimit, name.uuid, sizeof(name.uuid))) != HAL_OK) - *optr = optr_orig; - } + if ((err = hal_xdr_encode_int(optr, olimit, pkey.handle)) != HAL_OK || + (err = hal_xdr_encode_variable_opaque(optr, olimit, name.uuid, sizeof(name.uuid))) != HAL_OK) + *optr = optr_orig; - return ret; + return err; +} + +static hal_error_t pkey_generate_hashsig(const uint8_t **iptr, const uint8_t * const ilimit, + uint8_t **optr, const uint8_t * const olimit) +{ + hal_client_handle_t client; + hal_session_handle_t session; + hal_pkey_handle_t pkey; + hal_uuid_t name; + uint32_t hss_levels; + uint32_t lms_type; + uint32_t lmots_type; + hal_key_flags_t flags; + uint8_t *optr_orig = *optr; + hal_error_t err; + + check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); + check(hal_xdr_decode_int(iptr, ilimit, &session.handle)); + check(hal_xdr_decode_int(iptr, ilimit, &hss_levels)); + check(hal_xdr_decode_int(iptr, ilimit, &lms_type)); + check(hal_xdr_decode_int(iptr, ilimit, &lmots_type)); + check(hal_xdr_decode_int(iptr, ilimit, &flags)); + + check(hal_rpc_pkey_generate_hashsig(client, session, &pkey, &name, hss_levels, lms_type, lmots_type, flags)); + + if ((err = hal_xdr_encode_int(optr, olimit, pkey.handle)) != HAL_OK || + (err = hal_xdr_encode_variable_opaque(optr, olimit, name.uuid, sizeof(name.uuid))) != HAL_OK) + *optr = optr_orig; + + return err; } static hal_error_t pkey_close(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); hal_pkey_handle_t pkey; - hal_error_t ret; - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); + /* skip over unused client argument */ + *iptr += nargs(1); - /* call the local function */ - ret = hal_rpc_pkey_close(pkey); + check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); - return ret; + return hal_rpc_pkey_close(pkey); } static hal_error_t pkey_delete(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); hal_pkey_handle_t pkey; - hal_error_t ret; - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); + /* skip over unused client argument */ + *iptr += nargs(1); - /* call the local function */ - ret = hal_rpc_pkey_delete(pkey); + check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); - return ret; + return hal_rpc_pkey_delete(pkey); } static hal_error_t pkey_get_key_type(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); hal_pkey_handle_t pkey; hal_key_type_t type; - hal_error_t ret; - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); + /* skip over unused client argument */ + *iptr += nargs(1); - /* call the local function */ - ret = hal_rpc_pkey_get_key_type(pkey, &type); + check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); - if (ret == HAL_OK) - check(hal_xdr_encode_int(optr, olimit, type)); + check(hal_rpc_pkey_get_key_type(pkey, &type)); - return ret; + return hal_xdr_encode_int(optr, olimit, type); } static hal_error_t pkey_get_key_curve(const uint8_t **iptr, const uint8_t * const ilimit, @@ -493,89 +438,71 @@ static hal_error_t pkey_get_key_curve(const uint8_t **iptr, const uint8_t * cons hal_client_handle_t client; hal_pkey_handle_t pkey; hal_curve_name_t curve; - hal_error_t ret; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); - /* call the local function */ - ret = hal_rpc_pkey_get_key_curve(pkey, &curve); + check(hal_rpc_pkey_get_key_curve(pkey, &curve)); - if (ret == HAL_OK) - check(hal_xdr_encode_int(optr, olimit, curve)); - - return ret; + return hal_xdr_encode_int(optr, olimit, curve); } static hal_error_t pkey_get_key_flags(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); hal_pkey_handle_t pkey; hal_key_flags_t flags; - hal_error_t ret; - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); + /* skip over unused client argument */ + *iptr += nargs(1); - /* call the local function */ - ret = hal_rpc_pkey_get_key_flags(pkey, &flags); + check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); - if (ret == HAL_OK) - check(hal_xdr_encode_int(optr, olimit, flags)); + check(hal_rpc_pkey_get_key_flags(pkey, &flags)); - return ret; + return hal_xdr_encode_int(optr, olimit, flags); } static hal_error_t pkey_get_public_key_len(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); hal_pkey_handle_t pkey; size_t len; - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); + /* skip over unused client argument */ + *iptr += nargs(1); + check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); - /* call the local function */ len = hal_rpc_pkey_get_public_key_len(pkey); - check(hal_xdr_encode_int(optr, olimit, len)); - - return HAL_OK; + return hal_xdr_encode_int(optr, olimit, len); } static hal_error_t pkey_get_public_key(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) { - hal_client_handle_t client __attribute__((unused)); hal_pkey_handle_t pkey; size_t len; uint32_t len_max; - uint8_t *optr_orig = *optr; - hal_error_t ret; + hal_error_t err; + + /* skip over unused client argument */ + *iptr += nargs(1); - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); check(hal_xdr_decode_int(iptr, ilimit, &len_max)); /* sanity check len_max */ - if (len_max > (uint32_t)(olimit - *optr - 4)) + if (len_max > (uint32_t)(olimit - *optr - nargs(1))) return HAL_ERROR_RPC_PACKET_OVERFLOW; - /* call the local function */ /* get the data directly into the output buffer */ - *optr += 4; /* reserve 4 bytes for length */ - ret = hal_rpc_pkey_get_public_key(pkey, *optr, &len, len_max); - if (ret == HAL_OK) { - *optr = optr_orig; + if ((err = hal_rpc_pkey_get_public_key(pkey, *optr + nargs(1), &len, len_max)) == HAL_OK) { check(hal_xdr_encode_int(optr, olimit, len)); *optr += pad(len); } - else { - /* don't return data if error */ - *optr = optr_orig; - } - return ret; + + return err; } static hal_error_t pkey_sign(const uint8_t **iptr, const uint8_t * const ilimit, @@ -585,31 +512,28 @@ static hal_error_t pkey_sign(const uint8_t **iptr, const uint8_t * const ilimit, hal_pkey_handle_t pkey; hal_hash_handle_t hash; const uint8_t *input; - uint32_t input_len; + size_t input_len; uint32_t sig_max; size_t sig_len; - uint8_t *optr_orig = *optr; - hal_error_t ret; + hal_error_t err; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); check(hal_xdr_decode_int(iptr, ilimit, &hash.handle)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &input, &input_len)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &input, &input_len)); check(hal_xdr_decode_int(iptr, ilimit, &sig_max)); /* sanity check sig_max */ - if (sig_max > (uint32_t)(olimit - *optr - 4)) + if (sig_max > (uint32_t)(olimit - *optr - nargs(1))) return HAL_ERROR_RPC_PACKET_OVERFLOW; - /* call the local function */ /* get the data directly into the output buffer */ - *optr += 4; /* reserve 4 bytes for length */ - ret = hal_rpc_pkey_sign(pkey, hash, input, input_len, *optr, &sig_len, sig_max); - *optr = optr_orig; - if (ret == HAL_OK) { + err = hal_rpc_pkey_sign(pkey, hash, input, input_len, *optr + nargs(1), &sig_len, sig_max); + if (err == HAL_OK) { check(hal_xdr_encode_int(optr, olimit, sig_len)); *optr += pad(sig_len); } - return ret; + + return err; } static hal_error_t pkey_verify(const uint8_t **iptr, const uint8_t * const ilimit, @@ -619,21 +543,17 @@ static hal_error_t pkey_verify(const uint8_t **iptr, const uint8_t * const ilimi hal_pkey_handle_t pkey; hal_hash_handle_t hash; const uint8_t *input; - uint32_t input_len; + size_t input_len; const uint8_t *sig; - uint32_t sig_len; - hal_error_t ret; + size_t sig_len; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); check(hal_xdr_decode_int(iptr, ilimit, &hash.handle)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &input, &input_len)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &sig, &sig_len)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &input, &input_len)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &sig, &sig_len)); - /* call the local function */ - ret = hal_rpc_pkey_verify(pkey, hash, input, input_len, sig, sig_len); - - return ret; + return hal_rpc_pkey_verify(pkey, hash, input, input_len, sig, sig_len); } static hal_error_t pkey_match(const uint8_t **iptr, const uint8_t * const ilimit, @@ -641,11 +561,12 @@ static hal_error_t pkey_match(const uint8_t **iptr, const uint8_t * const ilimit { hal_client_handle_t client; hal_session_handle_t session; - uint32_t type, curve, attributes_len, state, result_max, previous_uuid_len; + uint32_t type, curve, attributes_len, state, result_max; + size_t previous_uuid_len; const uint8_t *previous_uuid_ptr; hal_key_flags_t mask, flags; uint8_t *optr_orig = *optr; - hal_error_t ret; + hal_error_t err; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &session.handle)); @@ -660,16 +581,16 @@ static hal_error_t pkey_match(const uint8_t **iptr, const uint8_t * const ilimit for (size_t i = 0; i < attributes_len; i++) { hal_pkey_attribute_t *a = &attributes[i]; const uint8_t *value; - uint32_t value_len; + size_t value_len; check(hal_xdr_decode_int(iptr, ilimit, &a->type)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &value, &value_len)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &value, &value_len)); a->value = value; a->length = value_len; } check(hal_xdr_decode_int(iptr, ilimit, &state)); check(hal_xdr_decode_int(iptr, ilimit, &result_max)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &previous_uuid_ptr, &previous_uuid_len)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &previous_uuid_ptr, &previous_uuid_len)); if (previous_uuid_len != sizeof(hal_uuid_t)) return HAL_ERROR_KEY_NAME_TOO_LONG; @@ -679,24 +600,21 @@ static hal_error_t pkey_match(const uint8_t **iptr, const uint8_t * const ilimit hal_uuid_t result[result_max]; unsigned result_len, ustate = state; - ret = hal_rpc_pkey_match(client, session, type, curve, mask, flags, - attributes, attributes_len, - &ustate, result, &result_len, result_max, - previous_uuid); + check(hal_rpc_pkey_match(client, session, type, curve, mask, flags, + attributes, attributes_len, &ustate, result, + &result_len, result_max, previous_uuid)); - if (ret == HAL_OK) - ret = hal_xdr_encode_int(optr, olimit, ustate); + if ((err = hal_xdr_encode_int(optr, olimit, ustate)) == HAL_OK) + err = hal_xdr_encode_int(optr, olimit, result_len); - if (ret == HAL_OK) - ret = hal_xdr_encode_int(optr, olimit, result_len); + for (size_t i = 0; err == HAL_OK && i < result_len; ++i) + err = hal_xdr_encode_variable_opaque(optr, olimit, result[i].uuid, + sizeof(result[i].uuid)); - for (size_t i = 0; ret == HAL_OK && i < result_len; ++i) - ret = hal_xdr_encode_buffer(optr, olimit, result[i].uuid, - sizeof(result[i].uuid)); - if (ret != HAL_OK) + if (err != HAL_OK) *optr = optr_orig; - return ret; + return err; } static hal_error_t pkey_set_attributes(const uint8_t **iptr, const uint8_t * const ilimit, @@ -705,7 +623,6 @@ static hal_error_t pkey_set_attributes(const uint8_t **iptr, const uint8_t * con hal_client_handle_t client; hal_pkey_handle_t pkey; uint32_t attributes_len; - hal_error_t ret; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); @@ -724,14 +641,14 @@ static hal_error_t pkey_set_attributes(const uint8_t **iptr, const uint8_t * con else { *iptr = iptr_prior_to_decoding_length; const uint8_t *value; - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &value, &a->length)); + size_t len; + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &value, &len)); a->value = value; + a->length = len; } } - ret = hal_rpc_pkey_set_attributes(pkey, attributes, attributes_len); - - return ret; + return hal_rpc_pkey_set_attributes(pkey, attributes, attributes_len); } static hal_error_t pkey_get_attributes(const uint8_t **iptr, const uint8_t * const ilimit, @@ -741,7 +658,7 @@ static hal_error_t pkey_get_attributes(const uint8_t **iptr, const uint8_t * con hal_pkey_handle_t pkey; uint32_t attributes_len, u32; uint8_t *optr_orig = *optr; - hal_error_t ret; + hal_error_t err; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); @@ -761,26 +678,24 @@ static hal_error_t pkey_get_attributes(const uint8_t **iptr, const uint8_t * con uint8_t attributes_buffer[attributes_buffer_len > 0 ? attributes_buffer_len : 1]; - ret = hal_rpc_pkey_get_attributes(pkey, attributes, attributes_len, - attributes_buffer, attributes_buffer_len); - - if (ret == HAL_OK) { - ret = hal_xdr_encode_int(optr, olimit, attributes_len); - for (size_t i = 0; ret == HAL_OK && i < attributes_len; i++) { - ret = hal_xdr_encode_int(optr, olimit, attributes[i].type); - if (ret != HAL_OK) - break; - if (attributes_buffer_len == 0) - ret = hal_xdr_encode_int(optr, olimit, attributes[i].length); - else - ret = hal_xdr_encode_buffer(optr, olimit, attributes[i].value, attributes[i].length); + check(hal_rpc_pkey_get_attributes(pkey, attributes, attributes_len, + attributes_buffer, attributes_buffer_len)); + + if ((err = hal_xdr_encode_int(optr, olimit, attributes_len)) == HAL_OK) { + for (size_t i = 0; err == HAL_OK && i < attributes_len; i++) { + if ((err = hal_xdr_encode_int(optr, olimit, attributes[i].type)) == HAL_OK) { + if (attributes_buffer_len == 0) + err = hal_xdr_encode_int(optr, olimit, attributes[i].length); + else + err = hal_xdr_encode_variable_opaque(optr, olimit, attributes[i].value, attributes[i].length); + } } } - if (ret != HAL_OK) + if (err != HAL_OK) *optr = optr_orig; - return ret; + return err; } static hal_error_t pkey_export(const uint8_t **iptr, const uint8_t * const ilimit, @@ -792,7 +707,7 @@ static hal_error_t pkey_export(const uint8_t **iptr, const uint8_t * const ilimi size_t pkcs8_len, kek_len; uint32_t pkcs8_max, kek_max; uint8_t *optr_orig = *optr; - hal_error_t ret; + hal_error_t err; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); @@ -802,18 +717,13 @@ static hal_error_t pkey_export(const uint8_t **iptr, const uint8_t * const ilimi uint8_t pkcs8[pkcs8_max], kek[kek_max]; - ret = hal_rpc_pkey_export(pkey, kekek, pkcs8, &pkcs8_len, sizeof(pkcs8), kek, &kek_len, sizeof(kek)); + check(hal_rpc_pkey_export(pkey, kekek, pkcs8, &pkcs8_len, sizeof(pkcs8), kek, &kek_len, sizeof(kek))); - if (ret == HAL_OK) - ret = hal_xdr_encode_buffer(optr, olimit, pkcs8, pkcs8_len); - - if (ret == HAL_OK) - ret = hal_xdr_encode_buffer(optr, olimit, kek, kek_len); - - if (ret != HAL_OK) + if ((err = hal_xdr_encode_variable_opaque(optr, olimit, pkcs8, pkcs8_len)) != HAL_OK || + (err = hal_xdr_encode_variable_opaque(optr, olimit, kek, kek_len)) != HAL_OK) *optr = optr_orig; - return ret; + return err; } static hal_error_t pkey_import(const uint8_t **iptr, const uint8_t * const ilimit, @@ -825,30 +735,25 @@ static hal_error_t pkey_import(const uint8_t **iptr, const uint8_t * const ilimi hal_pkey_handle_t kekek; hal_uuid_t name; const uint8_t *pkcs8, *kek; - uint32_t pkcs8_len, kek_len; + size_t pkcs8_len, kek_len; uint8_t *optr_orig = *optr; hal_key_flags_t flags; - hal_error_t ret; + hal_error_t err; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &session.handle)); check(hal_xdr_decode_int(iptr, ilimit, &kekek.handle)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &pkcs8, &pkcs8_len)); - check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &kek, &kek_len)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &pkcs8, &pkcs8_len)); + check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &kek, &kek_len)); check(hal_xdr_decode_int(iptr, ilimit, &flags)); - ret = hal_rpc_pkey_import(client, session, &pkey, &name, kekek, pkcs8, pkcs8_len, kek, kek_len, flags); - - if (ret == HAL_OK) - ret = hal_xdr_encode_int(optr, olimit, pkey.handle); + check(hal_rpc_pkey_import(client, session, &pkey, &name, kekek, pkcs8, pkcs8_len, kek, kek_len, flags)); - if (ret == HAL_OK) - ret = hal_xdr_encode_buffer(optr, olimit, name.uuid, sizeof(name.uuid)); - - if (ret != HAL_OK) + if ((err = hal_xdr_encode_int(optr, olimit, pkey.handle)) != HAL_OK || + (err = hal_xdr_encode_variable_opaque(optr, olimit, name.uuid, sizeof(name.uuid))) != HAL_OK) *optr = optr_orig; - return ret; + return err; } @@ -857,17 +762,16 @@ hal_error_t hal_rpc_server_dispatch(const uint8_t * const ibuf, const size_t ile { const uint8_t * iptr = ibuf; const uint8_t * const ilimit = ibuf + ilen; - uint8_t * optr = obuf + 12; /* reserve space for opcode, client, and response code */ + uint8_t * optr = obuf + nargs(3); /* reserve space for opcode, client, and response code */ const uint8_t * const olimit = obuf + *olen; uint32_t rpc_func_num; uint32_t client_handle; - hal_error_t ret; + hal_error_t err; hal_error_t (*handler)(const uint8_t **iptr, const uint8_t * const ilimit, uint8_t **optr, const uint8_t * const olimit) = NULL; check(hal_xdr_decode_int(&iptr, ilimit, &rpc_func_num)); - check(hal_xdr_decode_int(&iptr, ilimit, &client_handle)); - check(hal_xdr_undecode_int(&iptr)); + check(hal_xdr_decode_int_peek(&iptr, ilimit, &client_handle)); switch (rpc_func_num) { case RPC_FUNC_GET_VERSION: @@ -921,6 +825,9 @@ hal_error_t hal_rpc_server_dispatch(const uint8_t * const ibuf, const size_t ile case RPC_FUNC_PKEY_GENERATE_EC: handler = pkey_generate_ec; break; + case RPC_FUNC_PKEY_GENERATE_HASHSIG: + handler = pkey_generate_hashsig; + break; case RPC_FUNC_PKEY_CLOSE: handler = pkey_close; break; @@ -966,16 +873,16 @@ hal_error_t hal_rpc_server_dispatch(const uint8_t * const ibuf, const size_t ile } if (handler) - ret = handler(&iptr, ilimit, &optr, olimit); + err = handler(&iptr, ilimit, &optr, olimit); else - ret = HAL_ERROR_RPC_BAD_FUNCTION; + err = HAL_ERROR_RPC_BAD_FUNCTION; /* Encode opcode, client ID, and response code at the beginning of the payload */ *olen = optr - obuf; optr = obuf; check(hal_xdr_encode_int(&optr, olimit, rpc_func_num)); check(hal_xdr_encode_int(&optr, olimit, client_handle)); - check(hal_xdr_encode_int(&optr, olimit, ret)); + check(hal_xdr_encode_int(&optr, olimit, err)); return HAL_OK; } diff --git a/tests/Makefile b/tests/Makefile index 79cb3ff..d186000 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -45,7 +45,7 @@ CFLAGS ?= -g3 -Wall -fPIC -std=c99 -I${LIBHAL_SRC} -I${LIBTFM_BLD} CORE_TESTS = test-aes-key-wrap test-hash test-pbkdf2 test-ecdsa test-bus test-trng test-rsa test-mkmif SERVER_TESTS = test-rpc_server -CLIENT_TESTS = test-rpc_hash test-rpc_pkey test-rpc_get_version test-rpc_get_random test-rpc_login test-rpc_bighash +CLIENT_TESTS = test-rpc_hash test-rpc_pkey test-rpc_get_version test-rpc_get_random test-rpc_login test-rpc_bighash test-xdr test-rpc_hashsig ALL_TESTS = ${CORE_TESTS} ${SERVER_TESTS} ${CLIENT_TESTS} @@ -78,3 +78,5 @@ ${BIN}: %: %.o ${LIBS} %.o: %.c ${LBHAL_SRC}/*.h ${LIBTFM_BLD}/tfm.h ${CC} ${CFLAGS} -c -o $@ $< + +test-rpc_hashsig.o: test-hashsig.h diff --git a/tests/test-hashsig.h b/tests/test-hashsig.h new file mode 100644 index 0000000..4b8333f --- /dev/null +++ b/tests/test-hashsig.h @@ -0,0 +1,925 @@ +/* + * draft-mcgrew test cases + */ + +/* Test Case 1 Public Key */ + +static uint8_t tc1_key[] = { + 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x04, + 0x61, 0xa5, 0xd5, 0x7d, 0x37, 0xf5, 0xe4, 0x6b, + 0xfb, 0x75, 0x20, 0x80, 0x6b, 0x07, 0xa1, 0xb8, + 0x50, 0x65, 0x0e, 0x3b, 0x31, 0xfe, 0x4a, 0x77, + 0x3e, 0xa2, 0x9a, 0x07, 0xf0, 0x9c, 0xf2, 0xea, + 0x30, 0xe5, 0x79, 0xf0, 0xdf, 0x58, 0xef, 0x8e, + 0x29, 0x8d, 0xa0, 0x43, 0x4c, 0xb2, 0xb8, 0x78, +}; + +/* Test Case 1 Message */ + +static uint8_t tc1_msg[] = { + 0x54, 0x68, 0x65, 0x20, 0x70, 0x6f, 0x77, 0x65, + 0x72, 0x73, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x64, + 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x64, + 0x20, 0x74, 0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, + 0x55, 0x6e, 0x69, 0x74, 0x65, 0x64, 0x20, 0x53, + 0x74, 0x61, 0x74, 0x65, 0x73, 0x20, 0x62, 0x79, + 0x20, 0x74, 0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, + 0x73, 0x74, 0x69, 0x74, 0x75, 0x74, 0x69, 0x6f, + 0x6e, 0x2c, 0x20, 0x6e, 0x6f, 0x72, 0x20, 0x70, + 0x72, 0x6f, 0x68, 0x69, 0x62, 0x69, 0x74, 0x65, + 0x64, 0x20, 0x62, 0x79, 0x20, 0x69, 0x74, 0x20, + 0x74, 0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x53, + 0x74, 0x61, 0x74, 0x65, 0x73, 0x2c, 0x20, 0x61, + 0x72, 0x65, 0x20, 0x72, 0x65, 0x73, 0x65, 0x72, + 0x76, 0x65, 0x64, 0x20, 0x74, 0x6f, 0x20, 0x74, + 0x68, 0x65, 0x20, 0x53, 0x74, 0x61, 0x74, 0x65, + 0x73, 0x20, 0x72, 0x65, 0x73, 0x70, 0x65, 0x63, + 0x74, 0x69, 0x76, 0x65, 0x6c, 0x79, 0x2c, 0x20, + 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20, 0x74, 0x68, + 0x65, 0x20, 0x70, 0x65, 0x6f, 0x70, 0x6c, 0x65, + 0x2e, 0x0a, +}; + +/* Test Case 1 Signature */ +/* 2 levels, both h=5, w=8 */ + +static uint8_t tc1_sig[] = { + 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x04, + 0xd3, 0x2b, 0x56, 0x67, 0x1d, 0x7e, 0xb9, 0x88, + 0x33, 0xc4, 0x9b, 0x43, 0x3c, 0x27, 0x25, 0x86, + 0xbc, 0x4a, 0x1c, 0x8a, 0x89, 0x70, 0x52, 0x8f, + 0xfa, 0x04, 0xb9, 0x66, 0xf9, 0x42, 0x6e, 0xb9, + 0x96, 0x5a, 0x25, 0xbf, 0xd3, 0x7f, 0x19, 0x6b, + 0x90, 0x73, 0xf3, 0xd4, 0xa2, 0x32, 0xfe, 0xb6, + 0x91, 0x28, 0xec, 0x45, 0x14, 0x6f, 0x86, 0x29, + 0x2f, 0x9d, 0xff, 0x96, 0x10, 0xa7, 0xbf, 0x95, + 0xa6, 0x4c, 0x7f, 0x60, 0xf6, 0x26, 0x1a, 0x62, + 0x04, 0x3f, 0x86, 0xc7, 0x03, 0x24, 0xb7, 0x70, + 0x7f, 0x5b, 0x4a, 0x8a, 0x6e, 0x19, 0xc1, 0x14, + 0xc7, 0xbe, 0x86, 0x6d, 0x48, 0x87, 0x78, 0xa0, + 0xe0, 0x5f, 0xd5, 0xc6, 0x50, 0x9a, 0x6e, 0x61, + 0xd5, 0x59, 0xcf, 0x1a, 0x77, 0xa9, 0x70, 0xde, + 0x92, 0x7d, 0x60, 0xc7, 0x0d, 0x3d, 0xe3, 0x1a, + 0x7f, 0xa0, 0x10, 0x09, 0x94, 0xe1, 0x62, 0xa2, + 0x58, 0x2e, 0x8f, 0xf1, 0xb1, 0x0c, 0xd9, 0x9d, + 0x4e, 0x8e, 0x41, 0x3e, 0xf4, 0x69, 0x55, 0x9f, + 0x7d, 0x7e, 0xd1, 0x2c, 0x83, 0x83, 0x42, 0xf9, + 0xb9, 0xc9, 0x6b, 0x83, 0xa4, 0x94, 0x3d, 0x16, + 0x81, 0xd8, 0x4b, 0x15, 0x35, 0x7f, 0xf4, 0x8c, + 0xa5, 0x79, 0xf1, 0x9f, 0x5e, 0x71, 0xf1, 0x84, + 0x66, 0xf2, 0xbb, 0xef, 0x4b, 0xf6, 0x60, 0xc2, + 0x51, 0x8e, 0xb2, 0x0d, 0xe2, 0xf6, 0x6e, 0x3b, + 0x14, 0x78, 0x42, 0x69, 0xd7, 0xd8, 0x76, 0xf5, + 0xd3, 0x5d, 0x3f, 0xbf, 0xc7, 0x03, 0x9a, 0x46, + 0x2c, 0x71, 0x6b, 0xb9, 0xf6, 0x89, 0x1a, 0x7f, + 0x41, 0xad, 0x13, 0x3e, 0x9e, 0x1f, 0x6d, 0x95, + 0x60, 0xb9, 0x60, 0xe7, 0x77, 0x7c, 0x52, 0xf0, + 0x60, 0x49, 0x2f, 0x2d, 0x7c, 0x66, 0x0e, 0x14, + 0x71, 0xe0, 0x7e, 0x72, 0x65, 0x55, 0x62, 0x03, + 0x5a, 0xbc, 0x9a, 0x70, 0x1b, 0x47, 0x3e, 0xcb, + 0xc3, 0x94, 0x3c, 0x6b, 0x9c, 0x4f, 0x24, 0x05, + 0xa3, 0xcb, 0x8b, 0xf8, 0xa6, 0x91, 0xca, 0x51, + 0xd3, 0xf6, 0xad, 0x2f, 0x42, 0x8b, 0xab, 0x6f, + 0x3a, 0x30, 0xf5, 0x5d, 0xd9, 0x62, 0x55, 0x63, + 0xf0, 0xa7, 0x5e, 0xe3, 0x90, 0xe3, 0x85, 0xe3, + 0xae, 0x0b, 0x90, 0x69, 0x61, 0xec, 0xf4, 0x1a, + 0xe0, 0x73, 0xa0, 0x59, 0x0c, 0x2e, 0xb6, 0x20, + 0x4f, 0x44, 0x83, 0x1c, 0x26, 0xdd, 0x76, 0x8c, + 0x35, 0xb1, 0x67, 0xb2, 0x8c, 0xe8, 0xdc, 0x98, + 0x8a, 0x37, 0x48, 0x25, 0x52, 0x30, 0xce, 0xf9, + 0x9e, 0xbf, 0x14, 0xe7, 0x30, 0x63, 0x2f, 0x27, + 0x41, 0x44, 0x89, 0x80, 0x8a, 0xfa, 0xb1, 0xd1, + 0xe7, 0x83, 0xed, 0x04, 0x51, 0x6d, 0xe0, 0x12, + 0x49, 0x86, 0x82, 0x21, 0x2b, 0x07, 0x81, 0x05, + 0x79, 0xb2, 0x50, 0x36, 0x59, 0x41, 0xbc, 0xc9, + 0x81, 0x42, 0xda, 0x13, 0x60, 0x9e, 0x97, 0x68, + 0xaa, 0xf6, 0x5d, 0xe7, 0x62, 0x0d, 0xab, 0xec, + 0x29, 0xeb, 0x82, 0xa1, 0x7f, 0xde, 0x35, 0xaf, + 0x15, 0xad, 0x23, 0x8c, 0x73, 0xf8, 0x1b, 0xdb, + 0x8d, 0xec, 0x2f, 0xc0, 0xe7, 0xf9, 0x32, 0x70, + 0x10, 0x99, 0x76, 0x2b, 0x37, 0xf4, 0x3c, 0x4a, + 0x3c, 0x20, 0x01, 0x0a, 0x3d, 0x72, 0xe2, 0xf6, + 0x06, 0xbe, 0x10, 0x8d, 0x31, 0x0e, 0x63, 0x9f, + 0x09, 0xce, 0x72, 0x86, 0x80, 0x0d, 0x9e, 0xf8, + 0xa1, 0xa4, 0x02, 0x81, 0xcc, 0x5a, 0x7e, 0xa9, + 0x8d, 0x2a, 0xdc, 0x7c, 0x74, 0x00, 0xc2, 0xfe, + 0x5a, 0x10, 0x15, 0x52, 0xdf, 0x4e, 0x3c, 0xcc, + 0xfd, 0x0c, 0xbf, 0x2d, 0xdf, 0x5d, 0xc6, 0x77, + 0x9c, 0xbb, 0xc6, 0x8f, 0xee, 0x0c, 0x3e, 0xfe, + 0x4e, 0xc2, 0x2b, 0x83, 0xa2, 0xca, 0xa3, 0xe4, + 0x8e, 0x08, 0x09, 0xa0, 0xa7, 0x50, 0xb7, 0x3c, + 0xcd, 0xcf, 0x3c, 0x79, 0xe6, 0x58, 0x0c, 0x15, + 0x4f, 0x8a, 0x58, 0xf7, 0xf2, 0x43, 0x35, 0xee, + 0xc5, 0xc5, 0xeb, 0x5e, 0x0c, 0xf0, 0x1d, 0xcf, + 0x44, 0x39, 0x42, 0x40, 0x95, 0xfc, 0xeb, 0x07, + 0x7f, 0x66, 0xde, 0xd5, 0xbe, 0xc7, 0x3b, 0x27, + 0xc5, 0xb9, 0xf6, 0x4a, 0x2a, 0x9a, 0xf2, 0xf0, + 0x7c, 0x05, 0xe9, 0x9e, 0x5c, 0xf8, 0x0f, 0x00, + 0x25, 0x2e, 0x39, 0xdb, 0x32, 0xf6, 0xc1, 0x96, + 0x74, 0xf1, 0x90, 0xc9, 0xfb, 0xc5, 0x06, 0xd8, + 0x26, 0x85, 0x77, 0x13, 0xaf, 0xd2, 0xca, 0x6b, + 0xb8, 0x5c, 0xd8, 0xc1, 0x07, 0x34, 0x75, 0x52, + 0xf3, 0x05, 0x75, 0xa5, 0x41, 0x78, 0x16, 0xab, + 0x4d, 0xb3, 0xf6, 0x03, 0xf2, 0xdf, 0x56, 0xfb, + 0xc4, 0x13, 0xe7, 0xd0, 0xac, 0xd8, 0xbd, 0xd8, + 0x13, 0x52, 0xb2, 0x47, 0x1f, 0xc1, 0xbc, 0x4f, + 0x1e, 0xf2, 0x96, 0xfe, 0xa1, 0x22, 0x04, 0x03, + 0x46, 0x6b, 0x1a, 0xfe, 0x78, 0xb9, 0x4f, 0x7e, + 0xcf, 0x7c, 0xc6, 0x2f, 0xb9, 0x2b, 0xe1, 0x4f, + 0x18, 0xc2, 0x19, 0x23, 0x84, 0xeb, 0xce, 0xaf, + 0x88, 0x01, 0xaf, 0xdf, 0x94, 0x7f, 0x69, 0x8c, + 0xe9, 0xc6, 0xce, 0xb6, 0x96, 0xed, 0x70, 0xe9, + 0xe8, 0x7b, 0x01, 0x44, 0x41, 0x7e, 0x8d, 0x7b, + 0xaf, 0x25, 0xeb, 0x5f, 0x70, 0xf0, 0x9f, 0x01, + 0x6f, 0xc9, 0x25, 0xb4, 0xdb, 0x04, 0x8a, 0xb8, + 0xd8, 0xcb, 0x2a, 0x66, 0x1c, 0xe3, 0xb5, 0x7a, + 0xda, 0x67, 0x57, 0x1f, 0x5d, 0xd5, 0x46, 0xfc, + 0x22, 0xcb, 0x1f, 0x97, 0xe0, 0xeb, 0xd1, 0xa6, + 0x59, 0x26, 0xb1, 0x23, 0x4f, 0xd0, 0x4f, 0x17, + 0x1c, 0xf4, 0x69, 0xc7, 0x6b, 0x88, 0x4c, 0xf3, + 0x11, 0x5c, 0xce, 0x6f, 0x79, 0x2c, 0xc8, 0x4e, + 0x36, 0xda, 0x58, 0x96, 0x0c, 0x5f, 0x1d, 0x76, + 0x0f, 0x32, 0xc1, 0x2f, 0xae, 0xf4, 0x77, 0xe9, + 0x4c, 0x92, 0xeb, 0x75, 0x62, 0x5b, 0x6a, 0x37, + 0x1e, 0xfc, 0x72, 0xd6, 0x0c, 0xa5, 0xe9, 0x08, + 0xb3, 0xa7, 0xdd, 0x69, 0xfe, 0xf0, 0x24, 0x91, + 0x50, 0xe3, 0xee, 0xbd, 0xfe, 0xd3, 0x9c, 0xbd, + 0xc3, 0xce, 0x97, 0x04, 0x88, 0x2a, 0x20, 0x72, + 0xc7, 0x5e, 0x13, 0x52, 0x7b, 0x7a, 0x58, 0x1a, + 0x55, 0x61, 0x68, 0x78, 0x3d, 0xc1, 0xe9, 0x75, + 0x45, 0xe3, 0x18, 0x65, 0xdd, 0xc4, 0x6b, 0x3c, + 0x95, 0x78, 0x35, 0xda, 0x25, 0x2b, 0xb7, 0x32, + 0x8d, 0x3e, 0xe2, 0x06, 0x24, 0x45, 0xdf, 0xb8, + 0x5e, 0xf8, 0xc3, 0x5f, 0x8e, 0x1f, 0x33, 0x71, + 0xaf, 0x34, 0x02, 0x3c, 0xef, 0x62, 0x6e, 0x0a, + 0xf1, 0xe0, 0xbc, 0x01, 0x73, 0x51, 0xaa, 0xe2, + 0xab, 0x8f, 0x5c, 0x61, 0x2e, 0xad, 0x0b, 0x72, + 0x9a, 0x1d, 0x05, 0x9d, 0x02, 0xbf, 0xe1, 0x8e, + 0xfa, 0x97, 0x1b, 0x73, 0x00, 0xe8, 0x82, 0x36, + 0x0a, 0x93, 0xb0, 0x25, 0xff, 0x97, 0xe9, 0xe0, + 0xee, 0xc0, 0xf3, 0xf3, 0xf1, 0x30, 0x39, 0xa1, + 0x7f, 0x88, 0xb0, 0xcf, 0x80, 0x8f, 0x48, 0x84, + 0x31, 0x60, 0x6c, 0xb1, 0x3f, 0x92, 0x41, 0xf4, + 0x0f, 0x44, 0xe5, 0x37, 0xd3, 0x02, 0xc6, 0x4a, + 0x4f, 0x1f, 0x4a, 0xb9, 0x49, 0xb9, 0xfe, 0xef, + 0xad, 0xcb, 0x71, 0xab, 0x50, 0xef, 0x27, 0xd6, + 0xd6, 0xca, 0x85, 0x10, 0xf1, 0x50, 0xc8, 0x5f, + 0xb5, 0x25, 0xbf, 0x25, 0x70, 0x3d, 0xf7, 0x20, + 0x9b, 0x60, 0x66, 0xf0, 0x9c, 0x37, 0x28, 0x0d, + 0x59, 0x12, 0x8d, 0x2f, 0x0f, 0x63, 0x7c, 0x7d, + 0x7d, 0x7f, 0xad, 0x4e, 0xd1, 0xc1, 0xea, 0x04, + 0xe6, 0x28, 0xd2, 0x21, 0xe3, 0xd8, 0xdb, 0x77, + 0xb7, 0xc8, 0x78, 0xc9, 0x41, 0x1c, 0xaf, 0xc5, + 0x07, 0x1a, 0x34, 0xa0, 0x0f, 0x4c, 0xf0, 0x77, + 0x38, 0x91, 0x27, 0x53, 0xdf, 0xce, 0x48, 0xf0, + 0x75, 0x76, 0xf0, 0xd4, 0xf9, 0x4f, 0x42, 0xc6, + 0xd7, 0x6f, 0x7c, 0xe9, 0x73, 0xe9, 0x36, 0x70, + 0x95, 0xba, 0x7e, 0x9a, 0x36, 0x49, 0xb7, 0xf4, + 0x61, 0xd9, 0xf9, 0xac, 0x13, 0x32, 0xa4, 0xd1, + 0x04, 0x4c, 0x96, 0xae, 0xfe, 0xe6, 0x76, 0x76, + 0x40, 0x1b, 0x64, 0x45, 0x7c, 0x54, 0xd6, 0x5f, + 0xef, 0x65, 0x00, 0xc5, 0x9c, 0xdf, 0xb6, 0x9a, + 0xf7, 0xb6, 0xdd, 0xdf, 0xcb, 0x0f, 0x08, 0x62, + 0x78, 0xdd, 0x8a, 0xd0, 0x68, 0x60, 0x78, 0xdf, + 0xb0, 0xf3, 0xf7, 0x9c, 0xd8, 0x93, 0xd3, 0x14, + 0x16, 0x86, 0x48, 0x49, 0x98, 0x98, 0xfb, 0xc0, + 0xce, 0xd5, 0xf9, 0x5b, 0x74, 0xe8, 0xff, 0x14, + 0xd7, 0x35, 0xcd, 0xea, 0x96, 0x8b, 0xee, 0x74, + 0x00, 0x00, 0x00, 0x05, + 0xd8, 0xb8, 0x11, 0x2f, 0x92, 0x00, 0xa5, 0xe5, + 0x0c, 0x4a, 0x26, 0x21, 0x65, 0xbd, 0x34, 0x2c, + 0xd8, 0x00, 0xb8, 0x49, 0x68, 0x10, 0xbc, 0x71, + 0x62, 0x77, 0x43, 0x5a, 0xc3, 0x76, 0x72, 0x8d, + 0x12, 0x9a, 0xc6, 0xed, 0xa8, 0x39, 0xa6, 0xf3, + 0x57, 0xb5, 0xa0, 0x43, 0x87, 0xc5, 0xce, 0x97, + 0x38, 0x2a, 0x78, 0xf2, 0xa4, 0x37, 0x29, 0x17, + 0xee, 0xfc, 0xbf, 0x93, 0xf6, 0x3b, 0xb5, 0x91, + 0x12, 0xf5, 0xdb, 0xe4, 0x00, 0xbd, 0x49, 0xe4, + 0x50, 0x1e, 0x85, 0x9f, 0x88, 0x5b, 0xf0, 0x73, + 0x6e, 0x90, 0xa5, 0x09, 0xb3, 0x0a, 0x26, 0xbf, + 0xac, 0x8c, 0x17, 0xb5, 0x99, 0x1c, 0x15, 0x7e, + 0xb5, 0x97, 0x11, 0x15, 0xaa, 0x39, 0xef, 0xd8, + 0xd5, 0x64, 0xa6, 0xb9, 0x02, 0x82, 0xc3, 0x16, + 0x8a, 0xf2, 0xd3, 0x0e, 0xf8, 0x9d, 0x51, 0xbf, + 0x14, 0x65, 0x45, 0x10, 0xa1, 0x2b, 0x8a, 0x14, + 0x4c, 0xca, 0x18, 0x48, 0xcf, 0x7d, 0xa5, 0x9c, + 0xc2, 0xb3, 0xd9, 0xd0, 0x69, 0x2d, 0xd2, 0xa2, + 0x0b, 0xa3, 0x86, 0x34, 0x80, 0xe2, 0x5b, 0x1b, + 0x85, 0xee, 0x86, 0x0c, 0x62, 0xbf, 0x51, 0x36, + 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x04, + 0xd2, 0xf1, 0x4f, 0xf6, 0x34, 0x6a, 0xf9, 0x64, + 0x56, 0x9f, 0x7d, 0x6c, 0xb8, 0x80, 0xa1, 0xb6, + 0x6c, 0x50, 0x04, 0x91, 0x7d, 0xa6, 0xea, 0xfe, + 0x4d, 0x9e, 0xf6, 0xc6, 0x40, 0x7b, 0x3d, 0xb0, + 0xe5, 0x48, 0x5b, 0x12, 0x2d, 0x9e, 0xbe, 0x15, + 0xcd, 0xa9, 0x3c, 0xfe, 0xc5, 0x82, 0xd7, 0xab, + 0x00, 0x00, 0x00, 0x0a, + 0x00, 0x00, 0x00, 0x04, + 0x07, 0x03, 0xc4, 0x91, 0xe7, 0x55, 0x8b, 0x35, + 0x01, 0x1e, 0xce, 0x35, 0x92, 0xea, 0xa5, 0xda, + 0x4d, 0x91, 0x87, 0x86, 0x77, 0x12, 0x33, 0xe8, + 0x35, 0x3b, 0xc4, 0xf6, 0x23, 0x23, 0x18, 0x5c, + 0x95, 0xca, 0xe0, 0x5b, 0x89, 0x9e, 0x35, 0xdf, + 0xfd, 0x71, 0x70, 0x54, 0x70, 0x62, 0x09, 0x98, + 0x8e, 0xbf, 0xdf, 0x6e, 0x37, 0x96, 0x0b, 0xb5, + 0xc3, 0x8d, 0x76, 0x57, 0xe8, 0xbf, 0xfe, 0xef, + 0x9b, 0xc0, 0x42, 0xda, 0x4b, 0x45, 0x25, 0x65, + 0x04, 0x85, 0xc6, 0x6d, 0x0c, 0xe1, 0x9b, 0x31, + 0x75, 0x87, 0xc6, 0xba, 0x4b, 0xff, 0xcc, 0x42, + 0x8e, 0x25, 0xd0, 0x89, 0x31, 0xe7, 0x2d, 0xfb, + 0x6a, 0x12, 0x0c, 0x56, 0x12, 0x34, 0x42, 0x58, + 0xb8, 0x5e, 0xfd, 0xb7, 0xdb, 0x1d, 0xb9, 0xe1, + 0x86, 0x5a, 0x73, 0xca, 0xf9, 0x65, 0x57, 0xeb, + 0x39, 0xed, 0x3e, 0x3f, 0x42, 0x69, 0x33, 0xac, + 0x9e, 0xed, 0xdb, 0x03, 0xa1, 0xd2, 0x37, 0x4a, + 0xf7, 0xbf, 0x77, 0x18, 0x55, 0x77, 0x45, 0x62, + 0x37, 0xf9, 0xde, 0x2d, 0x60, 0x11, 0x3c, 0x23, + 0xf8, 0x46, 0xdf, 0x26, 0xfa, 0x94, 0x20, 0x08, + 0xa6, 0x98, 0x99, 0x4c, 0x08, 0x27, 0xd9, 0x0e, + 0x86, 0xd4, 0x3e, 0x0d, 0xf7, 0xf4, 0xbf, 0xcd, + 0xb0, 0x9b, 0x86, 0xa3, 0x73, 0xb9, 0x82, 0x88, + 0xb7, 0x09, 0x4a, 0xd8, 0x1a, 0x01, 0x85, 0xac, + 0x10, 0x0e, 0x4f, 0x2c, 0x5f, 0xc3, 0x8c, 0x00, + 0x3c, 0x1a, 0xb6, 0xfe, 0xa4, 0x79, 0xeb, 0x2f, + 0x5e, 0xbe, 0x48, 0xf5, 0x84, 0xd7, 0x15, 0x9b, + 0x8a, 0xda, 0x03, 0x58, 0x6e, 0x65, 0xad, 0x9c, + 0x96, 0x9f, 0x6a, 0xec, 0xbf, 0xe4, 0x4c, 0xf3, + 0x56, 0x88, 0x8a, 0x7b, 0x15, 0xa3, 0xff, 0x07, + 0x4f, 0x77, 0x17, 0x60, 0xb2, 0x6f, 0x9c, 0x04, + 0x88, 0x4e, 0xe1, 0xfa, 0xa3, 0x29, 0xfb, 0xf4, + 0xe6, 0x1a, 0xf2, 0x3a, 0xee, 0x7f, 0xa5, 0xd4, + 0xd9, 0xa5, 0xdf, 0xcf, 0x43, 0xc4, 0xc2, 0x6c, + 0xe8, 0xae, 0xa2, 0xce, 0x8a, 0x29, 0x90, 0xd7, + 0xba, 0x7b, 0x57, 0x10, 0x8b, 0x47, 0xda, 0xbf, + 0xbe, 0xad, 0xb2, 0xb2, 0x5b, 0x3c, 0xac, 0xc1, + 0xac, 0x0c, 0xef, 0x34, 0x6c, 0xbb, 0x90, 0xfb, + 0x04, 0x4b, 0xee, 0xe4, 0xfa, 0xc2, 0x60, 0x3a, + 0x44, 0x2b, 0xdf, 0x7e, 0x50, 0x72, 0x43, 0xb7, + 0x31, 0x9c, 0x99, 0x44, 0xb1, 0x58, 0x6e, 0x89, + 0x9d, 0x43, 0x1c, 0x7f, 0x91, 0xbc, 0xcc, 0xc8, + 0x69, 0x0d, 0xbf, 0x59, 0xb2, 0x83, 0x86, 0xb2, + 0x31, 0x5f, 0x3d, 0x36, 0xef, 0x2e, 0xaa, 0x3c, + 0xf3, 0x0b, 0x2b, 0x51, 0xf4, 0x8b, 0x71, 0xb0, + 0x03, 0xdf, 0xb0, 0x82, 0x49, 0x48, 0x42, 0x01, + 0x04, 0x3f, 0x65, 0xf5, 0xa3, 0xef, 0x6b, 0xbd, + 0x61, 0xdd, 0xfe, 0xe8, 0x1a, 0xca, 0x9c, 0xe6, + 0x00, 0x81, 0x26, 0x2a, 0x00, 0x00, 0x04, 0x80, + 0xdc, 0xbc, 0x9a, 0x3d, 0xa6, 0xfb, 0xef, 0x5c, + 0x1c, 0x0a, 0x55, 0xe4, 0x8a, 0x0e, 0x72, 0x9f, + 0x91, 0x84, 0xfc, 0xb1, 0x40, 0x7c, 0x31, 0x52, + 0x9d, 0xb2, 0x68, 0xf6, 0xfe, 0x50, 0x03, 0x2a, + 0x36, 0x3c, 0x98, 0x01, 0x30, 0x68, 0x37, 0xfa, + 0xfa, 0xbd, 0xf9, 0x57, 0xfd, 0x97, 0xea, 0xfc, + 0x80, 0xdb, 0xd1, 0x65, 0xe4, 0x35, 0xd0, 0xe2, + 0xdf, 0xd8, 0x36, 0xa2, 0x8b, 0x35, 0x40, 0x23, + 0x92, 0x4b, 0x6f, 0xb7, 0xe4, 0x8b, 0xc0, 0xb3, + 0xed, 0x95, 0xee, 0xa6, 0x4c, 0x2d, 0x40, 0x2f, + 0x4d, 0x73, 0x4c, 0x8d, 0xc2, 0x6f, 0x3a, 0xc5, + 0x91, 0x82, 0x5d, 0xae, 0xf0, 0x1e, 0xae, 0x3c, + 0x38, 0xe3, 0x32, 0x8d, 0x00, 0xa7, 0x7d, 0xc6, + 0x57, 0x03, 0x4f, 0x28, 0x7c, 0xcb, 0x0f, 0x0e, + 0x1c, 0x9a, 0x7c, 0xbd, 0xc8, 0x28, 0xf6, 0x27, + 0x20, 0x5e, 0x47, 0x37, 0xb8, 0x4b, 0x58, 0x37, + 0x65, 0x51, 0xd4, 0x4c, 0x12, 0xc3, 0xc2, 0x15, + 0xc8, 0x12, 0xa0, 0x97, 0x07, 0x89, 0xc8, 0x3d, + 0xe5, 0x1d, 0x6a, 0xd7, 0x87, 0x27, 0x19, 0x63, + 0x32, 0x7f, 0x0a, 0x5f, 0xbb, 0x6b, 0x59, 0x07, + 0xde, 0xc0, 0x2c, 0x9a, 0x90, 0x93, 0x4a, 0xf5, + 0xa1, 0xc6, 0x3b, 0x72, 0xc8, 0x26, 0x53, 0x60, + 0x5d, 0x1d, 0xcc, 0xe5, 0x15, 0x96, 0xb3, 0xc2, + 0xb4, 0x56, 0x96, 0x68, 0x9f, 0x2e, 0xb3, 0x82, + 0x00, 0x74, 0x97, 0x55, 0x76, 0x92, 0xca, 0xac, + 0x4d, 0x57, 0xb5, 0xde, 0x9f, 0x55, 0x69, 0xbc, + 0x2a, 0xd0, 0x13, 0x7f, 0xd4, 0x7f, 0xb4, 0x7e, + 0x66, 0x4f, 0xcb, 0x6d, 0xb4, 0x97, 0x1f, 0x5b, + 0x3e, 0x07, 0xac, 0xed, 0xa9, 0xac, 0x13, 0x0e, + 0x9f, 0x38, 0x18, 0x2d, 0xe9, 0x94, 0xcf, 0xf1, + 0x92, 0xec, 0x0e, 0x82, 0xfd, 0x6d, 0x4c, 0xb7, + 0xf3, 0xfe, 0x00, 0x81, 0x25, 0x89, 0xb7, 0xa7, + 0xce, 0x51, 0x54, 0x40, 0x45, 0x64, 0x33, 0x01, + 0x6b, 0x84, 0xa5, 0x9b, 0xec, 0x66, 0x19, 0xa1, + 0xc6, 0xc0, 0xb3, 0x7d, 0xd1, 0x45, 0x0e, 0xd4, + 0xf2, 0xd8, 0xb5, 0x84, 0x41, 0x0c, 0xed, 0xa8, + 0x02, 0x5f, 0x5d, 0x2d, 0x8d, 0xd0, 0xd2, 0x17, + 0x6f, 0xc1, 0xcf, 0x2c, 0xc0, 0x6f, 0xa8, 0xc8, + 0x2b, 0xed, 0x4d, 0x94, 0x4e, 0x71, 0x33, 0x9e, + 0xce, 0x78, 0x0f, 0xd0, 0x25, 0xbd, 0x41, 0xec, + 0x34, 0xeb, 0xff, 0x9d, 0x42, 0x70, 0xa3, 0x22, + 0x4e, 0x01, 0x9f, 0xcb, 0x44, 0x44, 0x74, 0xd4, + 0x82, 0xfd, 0x2d, 0xbe, 0x75, 0xef, 0xb2, 0x03, + 0x89, 0xcc, 0x10, 0xcd, 0x60, 0x0a, 0xbb, 0x54, + 0xc4, 0x7e, 0xde, 0x93, 0xe0, 0x8c, 0x11, 0x4e, + 0xdb, 0x04, 0x11, 0x7d, 0x71, 0x4d, 0xc1, 0xd5, + 0x25, 0xe1, 0x1b, 0xed, 0x87, 0x56, 0x19, 0x2f, + 0x92, 0x9d, 0x15, 0x46, 0x2b, 0x93, 0x9f, 0xf3, + 0xf5, 0x2f, 0x22, 0x52, 0xda, 0x2e, 0xd6, 0x4d, + 0x8f, 0xae, 0x88, 0x81, 0x8b, 0x1e, 0xfa, 0x2c, + 0x7b, 0x08, 0xc8, 0x79, 0x4f, 0xb1, 0xb2, 0x14, + 0xaa, 0x23, 0x3d, 0xb3, 0x16, 0x28, 0x33, 0x14, + 0x1e, 0xa4, 0x38, 0x3f, 0x1a, 0x6f, 0x12, 0x0b, + 0xe1, 0xdb, 0x82, 0xce, 0x36, 0x30, 0xb3, 0x42, + 0x91, 0x14, 0x46, 0x31, 0x57, 0xa6, 0x4e, 0x91, + 0x23, 0x4d, 0x47, 0x5e, 0x2f, 0x79, 0xcb, 0xf0, + 0x5e, 0x4d, 0xb6, 0xa9, 0x40, 0x7d, 0x72, 0xc6, + 0xbf, 0xf7, 0xd1, 0x19, 0x8b, 0x5c, 0x4d, 0x6a, + 0xad, 0x28, 0x31, 0xdb, 0x61, 0x27, 0x49, 0x93, + 0x71, 0x5a, 0x01, 0x82, 0xc7, 0xdc, 0x80, 0x89, + 0xe3, 0x2c, 0x85, 0x31, 0xde, 0xed, 0x4f, 0x74, + 0x31, 0xc0, 0x7c, 0x02, 0x19, 0x5e, 0xba, 0x2e, + 0xf9, 0x1e, 0xfb, 0x56, 0x13, 0xc3, 0x7a, 0xf7, + 0xae, 0x0c, 0x06, 0x6b, 0xab, 0xc6, 0x93, 0x69, + 0x70, 0x0e, 0x1d, 0xd2, 0x6e, 0xdd, 0xc0, 0xd2, + 0x16, 0xc7, 0x81, 0xd5, 0x6e, 0x4c, 0xe4, 0x7e, + 0x33, 0x03, 0xfa, 0x73, 0x00, 0x7f, 0xf7, 0xb9, + 0x49, 0xef, 0x23, 0xbe, 0x2a, 0xa4, 0xdb, 0xf2, + 0x52, 0x06, 0xfe, 0x45, 0xc2, 0x0d, 0xd8, 0x88, + 0x39, 0x5b, 0x25, 0x26, 0x39, 0x1a, 0x72, 0x49, + 0x96, 0xa4, 0x41, 0x56, 0xbe, 0xac, 0x80, 0x82, + 0x12, 0x85, 0x87, 0x92, 0xbf, 0x8e, 0x74, 0xcb, + 0xa4, 0x9d, 0xee, 0x5e, 0x88, 0x12, 0xe0, 0x19, + 0xda, 0x87, 0x45, 0x4b, 0xff, 0x9e, 0x84, 0x7e, + 0xd8, 0x3d, 0xb0, 0x7a, 0xf3, 0x13, 0x74, 0x30, + 0x82, 0xf8, 0x80, 0xa2, 0x78, 0xf6, 0x82, 0xc2, + 0xbd, 0x0a, 0xd6, 0x88, 0x7c, 0xb5, 0x9f, 0x65, + 0x2e, 0x15, 0x59, 0x87, 0xd6, 0x1b, 0xbf, 0x6a, + 0x88, 0xd3, 0x6e, 0xe9, 0x3b, 0x60, 0x72, 0xe6, + 0x65, 0x6d, 0x9c, 0xcb, 0xaa, 0xe3, 0xd6, 0x55, + 0x85, 0x2e, 0x38, 0xde, 0xb3, 0xa2, 0xdc, 0xf8, + 0x05, 0x8d, 0xc9, 0xfb, 0x6f, 0x2a, 0xb3, 0xd3, + 0xb3, 0x53, 0x9e, 0xb7, 0x7b, 0x24, 0x8a, 0x66, + 0x10, 0x91, 0xd0, 0x5e, 0xb6, 0xe2, 0xf2, 0x97, + 0x77, 0x4f, 0xe6, 0x05, 0x35, 0x98, 0x45, 0x7c, + 0xc6, 0x19, 0x08, 0x31, 0x8d, 0xe4, 0xb8, 0x26, + 0xf0, 0xfc, 0x86, 0xd4, 0xbb, 0x11, 0x7d, 0x33, + 0xe8, 0x65, 0xaa, 0x80, 0x50, 0x09, 0xcc, 0x29, + 0x18, 0xd9, 0xc2, 0xf8, 0x40, 0xc4, 0xda, 0x43, + 0xa7, 0x03, 0xad, 0x9f, 0x5b, 0x58, 0x06, 0x16, + 0x3d, 0x71, 0x61, 0x69, 0x6b, 0x5a, 0x0a, 0xdc, + 0x00, 0x00, 0x00, 0x05, + 0xd5, 0xc0, 0xd1, 0xbe, 0xbb, 0x06, 0x04, 0x8e, + 0xd6, 0xfe, 0x2e, 0xf2, 0xc6, 0xce, 0xf3, 0x05, + 0xb3, 0xed, 0x63, 0x39, 0x41, 0xeb, 0xc8, 0xb3, + 0xbe, 0xc9, 0x73, 0x87, 0x54, 0xcd, 0xdd, 0x60, + 0xe1, 0x92, 0x0a, 0xda, 0x52, 0xf4, 0x3d, 0x05, + 0x5b, 0x50, 0x31, 0xce, 0xe6, 0x19, 0x25, 0x20, + 0xd6, 0xa5, 0x11, 0x55, 0x14, 0x85, 0x1c, 0xe7, + 0xfd, 0x44, 0x8d, 0x4a, 0x39, 0xfa, 0xe2, 0xab, + 0x23, 0x35, 0xb5, 0x25, 0xf4, 0x84, 0xe9, 0xb4, + 0x0d, 0x6a, 0x4a, 0x96, 0x93, 0x94, 0x84, 0x3b, + 0xdc, 0xf6, 0xd1, 0x4c, 0x48, 0xe8, 0x01, 0x5e, + 0x08, 0xab, 0x92, 0x66, 0x2c, 0x05, 0xc6, 0xe9, + 0xf9, 0x0b, 0x65, 0xa7, 0xa6, 0x20, 0x16, 0x89, + 0x99, 0x9f, 0x32, 0xbf, 0xd3, 0x68, 0xe5, 0xe3, + 0xec, 0x9c, 0xb7, 0x0a, 0xc7, 0xb8, 0x39, 0x90, + 0x03, 0xf1, 0x75, 0xc4, 0x08, 0x85, 0x08, 0x1a, + 0x09, 0xab, 0x30, 0x34, 0x91, 0x1f, 0xe1, 0x25, + 0x63, 0x10, 0x51, 0xdf, 0x04, 0x08, 0xb3, 0x94, + 0x6b, 0x0b, 0xde, 0x79, 0x09, 0x11, 0xe8, 0x97, + 0x8b, 0xa0, 0x7d, 0xd5, 0x6c, 0x73, 0xe7, 0xee, +}; + +/* Test Case 2 Public Key */ + +static uint8_t tc2_key[] = { + 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x03, + 0xd0, 0x8f, 0xab, 0xd4, 0xa2, 0x09, 0x1f, 0xf0, + 0xa8, 0xcb, 0x4e, 0xd8, 0x34, 0xe7, 0x45, 0x34, + 0x32, 0xa5, 0x88, 0x85, 0xcd, 0x9b, 0xa0, 0x43, + 0x12, 0x35, 0x46, 0x6b, 0xff, 0x96, 0x51, 0xc6, + 0xc9, 0x21, 0x24, 0x40, 0x4d, 0x45, 0xfa, 0x53, + 0xcf, 0x16, 0x1c, 0x28, 0xf1, 0xad, 0x5a, 0x8e, +}; + +/* Test Case 2 Message */ + +static uint8_t tc2_msg[] = { + 0x54, 0x68, 0x65, 0x20, 0x65, 0x6e, 0x75, 0x6d, + 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, + 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x43, + 0x6f, 0x6e, 0x73, 0x74, 0x69, 0x74, 0x75, 0x74, + 0x69, 0x6f, 0x6e, 0x2c, 0x20, 0x6f, 0x66, 0x20, + 0x63, 0x65, 0x72, 0x74, 0x61, 0x69, 0x6e, 0x20, + 0x72, 0x69, 0x67, 0x68, 0x74, 0x73, 0x2c, 0x20, + 0x73, 0x68, 0x61, 0x6c, 0x6c, 0x20, 0x6e, 0x6f, + 0x74, 0x20, 0x62, 0x65, 0x20, 0x63, 0x6f, 0x6e, + 0x73, 0x74, 0x72, 0x75, 0x65, 0x64, 0x20, 0x74, + 0x6f, 0x20, 0x64, 0x65, 0x6e, 0x79, 0x20, 0x6f, + 0x72, 0x20, 0x64, 0x69, 0x73, 0x70, 0x61, 0x72, + 0x61, 0x67, 0x65, 0x20, 0x6f, 0x74, 0x68, 0x65, + 0x72, 0x73, 0x20, 0x72, 0x65, 0x74, 0x61, 0x69, + 0x6e, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74, + 0x68, 0x65, 0x20, 0x70, 0x65, 0x6f, 0x70, 0x6c, + 0x65, 0x2e, 0x0a, +}; + +/* Test Case 2 Signature */ +/* 2 levels: h=10, w=4; h=5, w=8 */ + +static uint8_t tc2_sig[] = { + 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x03, + 0x3d, 0x46, 0xbe, 0xe8, 0x66, 0x0f, 0x8f, 0x21, + 0x5d, 0x3f, 0x96, 0x40, 0x8a, 0x7a, 0x64, 0xcf, + 0x1c, 0x4d, 0xa0, 0x2b, 0x63, 0xa5, 0x5f, 0x62, + 0xc6, 0x66, 0xef, 0x57, 0x07, 0xa9, 0x14, 0xce, + 0x06, 0x74, 0xe8, 0xcb, 0x7a, 0x55, 0xf0, 0xc4, + 0x8d, 0x48, 0x4f, 0x31, 0xf3, 0xaa, 0x4a, 0xf9, + 0x71, 0x9a, 0x74, 0xf2, 0x2c, 0xf8, 0x23, 0xb9, + 0x44, 0x31, 0xd0, 0x1c, 0x92, 0x6e, 0x2a, 0x76, + 0xbb, 0x71, 0x22, 0x6d, 0x27, 0x97, 0x00, 0xec, + 0x81, 0xc9, 0xe9, 0x5f, 0xb1, 0x1a, 0x0d, 0x10, + 0xd0, 0x65, 0x27, 0x9a, 0x57, 0x96, 0xe2, 0x65, + 0xae, 0x17, 0x73, 0x7c, 0x44, 0xeb, 0x8c, 0x59, + 0x45, 0x08, 0xe1, 0x26, 0xa9, 0xa7, 0x87, 0x0b, + 0xf4, 0x36, 0x08, 0x20, 0xbd, 0xeb, 0x9a, 0x01, + 0xd9, 0x69, 0x37, 0x79, 0xe4, 0x16, 0x82, 0x8e, + 0x75, 0xbd, 0xdd, 0x7d, 0x8c, 0x70, 0xd5, 0x0a, + 0x0a, 0xc8, 0xba, 0x39, 0x81, 0x09, 0x09, 0xd4, + 0x45, 0xf4, 0x4c, 0xb5, 0xbb, 0x58, 0xde, 0x73, + 0x7e, 0x60, 0xcb, 0x43, 0x45, 0x30, 0x27, 0x86, + 0xef, 0x2c, 0x6b, 0x14, 0xaf, 0x21, 0x2c, 0xa1, + 0x9e, 0xde, 0xaa, 0x3b, 0xfc, 0xfe, 0x8b, 0xaa, + 0x66, 0x21, 0xce, 0x88, 0x48, 0x0d, 0xf2, 0x37, + 0x1d, 0xd3, 0x7a, 0xdd, 0x73, 0x2c, 0x9d, 0xe4, + 0xea, 0x2c, 0xe0, 0xdf, 0xfa, 0x53, 0xc9, 0x26, + 0x49, 0xa1, 0x8d, 0x39, 0xa5, 0x07, 0x88, 0xf4, + 0x65, 0x29, 0x87, 0xf2, 0x26, 0xa1, 0xd4, 0x81, + 0x68, 0x20, 0x5d, 0xf6, 0xae, 0x7c, 0x58, 0xe0, + 0x49, 0xa2, 0x5d, 0x49, 0x07, 0xed, 0xc1, 0xaa, + 0x90, 0xda, 0x8a, 0xa5, 0xe5, 0xf7, 0x67, 0x17, + 0x73, 0xe9, 0x41, 0xd8, 0x05, 0x53, 0x60, 0x21, + 0x5c, 0x6b, 0x60, 0xdd, 0x35, 0x46, 0x3c, 0xf2, + 0x24, 0x0a, 0x9c, 0x06, 0xd6, 0x94, 0xe9, 0xcb, + 0x54, 0xe7, 0xb1, 0xe1, 0xbf, 0x49, 0x4d, 0x0d, + 0x1a, 0x28, 0xc0, 0xd3, 0x1a, 0xcc, 0x75, 0x16, + 0x1f, 0x4f, 0x48, 0x5d, 0xfd, 0x3c, 0xb9, 0x57, + 0x8e, 0x83, 0x6e, 0xc2, 0xdc, 0x72, 0x2f, 0x37, + 0xed, 0x30, 0x87, 0x2e, 0x07, 0xf2, 0xb8, 0xbd, + 0x03, 0x74, 0xeb, 0x57, 0xd2, 0x2c, 0x61, 0x4e, + 0x09, 0x15, 0x0f, 0x6c, 0x0d, 0x87, 0x74, 0xa3, + 0x9a, 0x6e, 0x16, 0x82, 0x11, 0x03, 0x5d, 0xc5, + 0x29, 0x88, 0xab, 0x46, 0xea, 0xca, 0x9e, 0xc5, + 0x97, 0xfb, 0x18, 0xb4, 0x93, 0x6e, 0x66, 0xef, + 0x2f, 0x0d, 0xf2, 0x6e, 0x8d, 0x1e, 0x34, 0xda, + 0x28, 0xcb, 0xb3, 0xaf, 0x75, 0x23, 0x13, 0x72, + 0x0c, 0x7b, 0x34, 0x54, 0x34, 0xf7, 0x2d, 0x65, + 0x31, 0x43, 0x28, 0xbb, 0xb0, 0x30, 0xd0, 0xf0, + 0xf6, 0xd5, 0xe4, 0x7b, 0x28, 0xea, 0x91, 0x00, + 0x8f, 0xb1, 0x1b, 0x05, 0x01, 0x77, 0x05, 0xa8, + 0xbe, 0x3b, 0x2a, 0xdb, 0x83, 0xc6, 0x0a, 0x54, + 0xf9, 0xd1, 0xd1, 0xb2, 0xf4, 0x76, 0xf9, 0xe3, + 0x93, 0xeb, 0x56, 0x95, 0x20, 0x3d, 0x2b, 0xa6, + 0xad, 0x81, 0x5e, 0x6a, 0x11, 0x1e, 0xa2, 0x93, + 0xdc, 0xc2, 0x10, 0x33, 0xf9, 0x45, 0x3d, 0x49, + 0xc8, 0xe5, 0xa6, 0x38, 0x7f, 0x58, 0x8b, 0x1e, + 0xa4, 0xf7, 0x06, 0x21, 0x7c, 0x15, 0x1e, 0x05, + 0xf5, 0x5a, 0x6e, 0xb7, 0x99, 0x7b, 0xe0, 0x9d, + 0x56, 0xa3, 0x26, 0xa3, 0x2f, 0x9c, 0xba, 0x1f, + 0xbe, 0x1c, 0x07, 0xbb, 0x49, 0xfa, 0x04, 0xce, + 0xcf, 0x9d, 0xf1, 0xa1, 0xb8, 0x15, 0x48, 0x3c, + 0x75, 0xd7, 0xa2, 0x7c, 0xc8, 0x8a, 0xd1, 0xb1, + 0x23, 0x8e, 0x5e, 0xa9, 0x86, 0xb5, 0x3e, 0x08, + 0x70, 0x45, 0x72, 0x3c, 0xe1, 0x61, 0x87, 0xed, + 0xa2, 0x2e, 0x33, 0xb2, 0xc7, 0x07, 0x09, 0xe5, + 0x32, 0x51, 0x02, 0x5a, 0xbd, 0xe8, 0x93, 0x96, + 0x45, 0xfc, 0x8c, 0x06, 0x93, 0xe9, 0x77, 0x63, + 0x92, 0x8f, 0x00, 0xb2, 0xe3, 0xc7, 0x5a, 0xf3, + 0x94, 0x2d, 0x8d, 0xda, 0xee, 0x81, 0xb5, 0x9a, + 0x6f, 0x1f, 0x67, 0xef, 0xda, 0x0e, 0xf8, 0x1d, + 0x11, 0x87, 0x3b, 0x59, 0x13, 0x7f, 0x67, 0x80, + 0x0b, 0x35, 0xe8, 0x1b, 0x01, 0x56, 0x3d, 0x18, + 0x7c, 0x4a, 0x15, 0x75, 0xa1, 0xac, 0xb9, 0x2d, + 0x08, 0x7b, 0x51, 0x7a, 0x88, 0x33, 0x38, 0x3f, + 0x05, 0xd3, 0x57, 0xef, 0x46, 0x78, 0xde, 0x0c, + 0x57, 0xff, 0x9f, 0x1b, 0x2d, 0xa6, 0x1d, 0xfd, + 0xe5, 0xd8, 0x83, 0x18, 0xbc, 0xdd, 0xe4, 0xd9, + 0x06, 0x1c, 0xc7, 0x5c, 0x2d, 0xe3, 0xcd, 0x47, + 0x40, 0xdd, 0x77, 0x39, 0xca, 0x3e, 0xf6, 0x6f, + 0x19, 0x30, 0x02, 0x6f, 0x47, 0xd9, 0xeb, 0xaa, + 0x71, 0x3b, 0x07, 0x17, 0x6f, 0x76, 0xf9, 0x53, + 0xe1, 0xc2, 0xe7, 0xf8, 0xf2, 0x71, 0xa6, 0xca, + 0x37, 0x5d, 0xbf, 0xb8, 0x3d, 0x71, 0x9b, 0x16, + 0x35, 0xa7, 0xd8, 0xa1, 0x38, 0x91, 0x95, 0x79, + 0x44, 0xb1, 0xc2, 0x9b, 0xb1, 0x01, 0x91, 0x3e, + 0x16, 0x6e, 0x11, 0xbd, 0x5f, 0x34, 0x18, 0x6f, + 0xa6, 0xc0, 0xa5, 0x55, 0xc9, 0x02, 0x6b, 0x25, + 0x6a, 0x68, 0x60, 0xf4, 0x86, 0x6b, 0xd6, 0xd0, + 0xb5, 0xbf, 0x90, 0x62, 0x70, 0x86, 0xc6, 0x14, + 0x91, 0x33, 0xf8, 0x28, 0x2c, 0xe6, 0xc9, 0xb3, + 0x62, 0x24, 0x42, 0x44, 0x3d, 0x5e, 0xca, 0x95, + 0x9d, 0x6c, 0x14, 0xca, 0x83, 0x89, 0xd1, 0x2c, + 0x40, 0x68, 0xb5, 0x03, 0xe4, 0xe3, 0xc3, 0x9b, + 0x63, 0x5b, 0xea, 0x24, 0x5d, 0x9d, 0x05, 0xa2, + 0x55, 0x8f, 0x24, 0x9c, 0x96, 0x61, 0xc0, 0x42, + 0x7d, 0x2e, 0x48, 0x9c, 0xa5, 0xb5, 0xdd, 0xe2, + 0x20, 0xa9, 0x03, 0x33, 0xf4, 0x86, 0x2a, 0xec, + 0x79, 0x32, 0x23, 0xc7, 0x81, 0x99, 0x7d, 0xa9, + 0x82, 0x66, 0xc1, 0x2c, 0x50, 0xea, 0x28, 0xb2, + 0xc4, 0x38, 0xe7, 0xa3, 0x79, 0xeb, 0x10, 0x6e, + 0xca, 0x0c, 0x7f, 0xd6, 0x00, 0x6e, 0x9b, 0xf6, + 0x12, 0xf3, 0xea, 0x0a, 0x45, 0x4b, 0xa3, 0xbd, + 0xb7, 0x6e, 0x80, 0x27, 0x99, 0x2e, 0x60, 0xde, + 0x01, 0xe9, 0x09, 0x4f, 0xdd, 0xeb, 0x33, 0x49, + 0x88, 0x39, 0x14, 0xfb, 0x17, 0xa9, 0x62, 0x1a, + 0xb9, 0x29, 0xd9, 0x70, 0xd1, 0x01, 0xe4, 0x5f, + 0x82, 0x78, 0xc1, 0x4b, 0x03, 0x2b, 0xca, 0xb0, + 0x2b, 0xd1, 0x56, 0x92, 0xd2, 0x1b, 0x6c, 0x5c, + 0x20, 0x4a, 0xbb, 0xf0, 0x77, 0xd4, 0x65, 0x55, + 0x3b, 0xd6, 0xed, 0xa6, 0x45, 0xe6, 0xc3, 0x06, + 0x5d, 0x33, 0xb1, 0x0d, 0x51, 0x8a, 0x61, 0xe1, + 0x5e, 0xd0, 0xf0, 0x92, 0xc3, 0x22, 0x26, 0x28, + 0x1a, 0x29, 0xc8, 0xa0, 0xf5, 0x0c, 0xde, 0x0a, + 0x8c, 0x66, 0x23, 0x6e, 0x29, 0xc2, 0xf3, 0x10, + 0xa3, 0x75, 0xce, 0xbd, 0xa1, 0xdc, 0x6b, 0xb9, + 0xa1, 0xa0, 0x1d, 0xae, 0x6c, 0x7a, 0xba, 0x8e, + 0xbe, 0xdc, 0x63, 0x71, 0xa7, 0xd5, 0x2a, 0xac, + 0xb9, 0x55, 0xf8, 0x3b, 0xd6, 0xe4, 0xf8, 0x4d, + 0x29, 0x49, 0xdc, 0xc1, 0x98, 0xfb, 0x77, 0xc7, + 0xe5, 0xcd, 0xf6, 0x04, 0x0b, 0x0f, 0x84, 0xfa, + 0xf8, 0x28, 0x08, 0xbf, 0x98, 0x55, 0x77, 0xf0, + 0xa2, 0xac, 0xf2, 0xec, 0x7e, 0xd7, 0xc0, 0xb0, + 0xae, 0x8a, 0x27, 0x0e, 0x95, 0x17, 0x43, 0xff, + 0x23, 0xe0, 0xb2, 0xdd, 0x12, 0xe9, 0xc3, 0xc8, + 0x28, 0xfb, 0x55, 0x98, 0xa2, 0x24, 0x61, 0xaf, + 0x94, 0xd5, 0x68, 0xf2, 0x92, 0x40, 0xba, 0x28, + 0x20, 0xc4, 0x59, 0x1f, 0x71, 0xc0, 0x88, 0xf9, + 0x6e, 0x09, 0x5d, 0xd9, 0x8b, 0xea, 0xe4, 0x56, + 0x57, 0x9e, 0xbb, 0xba, 0x36, 0xf6, 0xd9, 0xca, + 0x26, 0x13, 0xd1, 0xc2, 0x6e, 0xee, 0x4d, 0x8c, + 0x73, 0x21, 0x7a, 0xc5, 0x96, 0x2b, 0x5f, 0x31, + 0x47, 0xb4, 0x92, 0xe8, 0x83, 0x15, 0x97, 0xfd, + 0x89, 0xb6, 0x4a, 0xa7, 0xfd, 0xe8, 0x2e, 0x19, + 0x74, 0xd2, 0xf6, 0x77, 0x95, 0x04, 0xdc, 0x21, + 0x43, 0x5e, 0xb3, 0x10, 0x93, 0x50, 0x75, 0x6b, + 0x9f, 0xda, 0xbe, 0x1c, 0x6f, 0x36, 0x80, 0x81, + 0xbd, 0x40, 0xb2, 0x7e, 0xbc, 0xb9, 0x81, 0x9a, + 0x75, 0xd7, 0xdf, 0x8b, 0xb0, 0x7b, 0xb0, 0x5d, + 0xb1, 0xba, 0xb7, 0x05, 0xa4, 0xb7, 0xe3, 0x71, + 0x25, 0x18, 0x63, 0x39, 0x46, 0x4a, 0xd8, 0xfa, + 0xaa, 0x4f, 0x05, 0x2c, 0xc1, 0x27, 0x29, 0x19, + 0xfd, 0xe3, 0xe0, 0x25, 0xbb, 0x64, 0xaa, 0x8e, + 0x0e, 0xb1, 0xfc, 0xbf, 0xcc, 0x25, 0xac, 0xb5, + 0xf7, 0x18, 0xce, 0x4f, 0x7c, 0x21, 0x82, 0xfb, + 0x39, 0x3a, 0x18, 0x14, 0xb0, 0xe9, 0x42, 0x49, + 0x0e, 0x52, 0xd3, 0xbc, 0xa8, 0x17, 0xb2, 0xb2, + 0x6e, 0x90, 0xd4, 0xc9, 0xb0, 0xcc, 0x38, 0x60, + 0x8a, 0x6c, 0xef, 0x5e, 0xb1, 0x53, 0xaf, 0x08, + 0x58, 0xac, 0xc8, 0x67, 0xc9, 0x92, 0x2a, 0xed, + 0x43, 0xbb, 0x67, 0xd7, 0xb3, 0x3a, 0xcc, 0x51, + 0x93, 0x13, 0xd2, 0x8d, 0x41, 0xa5, 0xc6, 0xfe, + 0x6c, 0xf3, 0x59, 0x5d, 0xd5, 0xee, 0x63, 0xf0, + 0xa4, 0xc4, 0x06, 0x5a, 0x08, 0x35, 0x90, 0xb2, + 0x75, 0x78, 0x8b, 0xee, 0x7a, 0xd8, 0x75, 0xa7, + 0xf8, 0x8d, 0xd7, 0x37, 0x20, 0x70, 0x8c, 0x6c, + 0x6c, 0x0e, 0xcf, 0x1f, 0x43, 0xbb, 0xaa, 0xda, + 0xe6, 0xf2, 0x08, 0x55, 0x7f, 0xdc, 0x07, 0xbd, + 0x4e, 0xd9, 0x1f, 0x88, 0xce, 0x4c, 0x0d, 0xe8, + 0x42, 0x76, 0x1c, 0x70, 0xc1, 0x86, 0xbf, 0xda, + 0xfa, 0xfc, 0x44, 0x48, 0x34, 0xbd, 0x34, 0x18, + 0xbe, 0x42, 0x53, 0xa7, 0x1e, 0xaf, 0x41, 0xd7, + 0x18, 0x75, 0x3a, 0xd0, 0x77, 0x54, 0xca, 0x3e, + 0xff, 0xd5, 0x96, 0x0b, 0x03, 0x36, 0x98, 0x17, + 0x95, 0x72, 0x14, 0x26, 0x80, 0x35, 0x99, 0xed, + 0x5b, 0x2b, 0x75, 0x16, 0x92, 0x0e, 0xfc, 0xbe, + 0x32, 0xad, 0xa4, 0xbc, 0xf6, 0xc7, 0x3b, 0xd2, + 0x9e, 0x3f, 0xa1, 0x52, 0xd9, 0xad, 0xec, 0xa3, + 0x60, 0x20, 0xfd, 0xee, 0xee, 0x1b, 0x73, 0x95, + 0x21, 0xd3, 0xea, 0x8c, 0x0d, 0xa4, 0x97, 0x00, + 0x3d, 0xf1, 0x51, 0x38, 0x97, 0xb0, 0xf5, 0x47, + 0x94, 0xa8, 0x73, 0x67, 0x0b, 0x8d, 0x93, 0xbc, + 0xca, 0x2a, 0xe4, 0x7e, 0x64, 0x42, 0x4b, 0x74, + 0x23, 0xe1, 0xf0, 0x78, 0xd9, 0x55, 0x4b, 0xb5, + 0x23, 0x2c, 0xc6, 0xde, 0x8a, 0xae, 0x9b, 0x83, + 0xfa, 0x5b, 0x95, 0x10, 0xbe, 0xb3, 0x9c, 0xcf, + 0x4b, 0x4e, 0x1d, 0x9c, 0x0f, 0x19, 0xd5, 0xe1, + 0x7f, 0x58, 0xe5, 0xb8, 0x70, 0x5d, 0x9a, 0x68, + 0x37, 0xa7, 0xd9, 0xbf, 0x99, 0xcd, 0x13, 0x38, + 0x7a, 0xf2, 0x56, 0xa8, 0x49, 0x16, 0x71, 0xf1, + 0xf2, 0xf2, 0x2a, 0xf2, 0x53, 0xbc, 0xff, 0x54, + 0xb6, 0x73, 0x19, 0x9b, 0xdb, 0x7d, 0x05, 0xd8, + 0x10, 0x64, 0xef, 0x05, 0xf8, 0x0f, 0x01, 0x53, + 0xd0, 0xbe, 0x79, 0x19, 0x68, 0x4b, 0x23, 0xda, + 0x8d, 0x42, 0xff, 0x3e, 0xff, 0xdb, 0x7c, 0xa0, + 0x98, 0x50, 0x33, 0xf3, 0x89, 0x18, 0x1f, 0x47, + 0x65, 0x91, 0x38, 0x00, 0x3d, 0x71, 0x2b, 0x5e, + 0xc0, 0xa6, 0x14, 0xd3, 0x1c, 0xc7, 0x48, 0x7f, + 0x52, 0xde, 0x86, 0x64, 0x91, 0x6a, 0xf7, 0x9c, + 0x98, 0x45, 0x6b, 0x2c, 0x94, 0xa8, 0x03, 0x80, + 0x83, 0xdb, 0x55, 0x39, 0x1e, 0x34, 0x75, 0x86, + 0x22, 0x50, 0x27, 0x4a, 0x1d, 0xe2, 0x58, 0x4f, + 0xec, 0x97, 0x5f, 0xb0, 0x95, 0x36, 0x79, 0x2c, + 0xfb, 0xfc, 0xf6, 0x19, 0x28, 0x56, 0xcc, 0x76, + 0xeb, 0x5b, 0x13, 0xdc, 0x47, 0x09, 0xe2, 0xf7, + 0x30, 0x1d, 0xdf, 0xf2, 0x6e, 0xc1, 0xb2, 0x3d, + 0xe2, 0xd1, 0x88, 0xc9, 0x99, 0x16, 0x6c, 0x74, + 0xe1, 0xe1, 0x4b, 0xbc, 0x15, 0xf4, 0x57, 0xcf, + 0x4e, 0x47, 0x1a, 0xe1, 0x3d, 0xcb, 0xdd, 0x9c, + 0x50, 0xf4, 0xd6, 0x46, 0xfc, 0x62, 0x78, 0xe8, + 0xfe, 0x7e, 0xb6, 0xcb, 0x5c, 0x94, 0x10, 0x0f, + 0xa8, 0x70, 0x18, 0x73, 0x80, 0xb7, 0x77, 0xed, + 0x19, 0xd7, 0x86, 0x8f, 0xd8, 0xca, 0x7c, 0xeb, + 0x7f, 0xa7, 0xd5, 0xcc, 0x86, 0x1c, 0x5b, 0xda, + 0xc9, 0x8e, 0x74, 0x95, 0xeb, 0x0a, 0x2c, 0xee, + 0xc1, 0x92, 0x4a, 0xe9, 0x79, 0xf4, 0x4c, 0x53, + 0x90, 0xeb, 0xed, 0xdd, 0xc6, 0x5d, 0x6e, 0xc1, + 0x12, 0x87, 0xd9, 0x78, 0xb8, 0xdf, 0x06, 0x42, + 0x19, 0xbc, 0x56, 0x79, 0xf7, 0xd7, 0xb2, 0x64, + 0xa7, 0x6f, 0xf2, 0x72, 0xb2, 0xac, 0x9f, 0x2f, + 0x7c, 0xfc, 0x9f, 0xdc, 0xfb, 0x6a, 0x51, 0x42, + 0x82, 0x40, 0x02, 0x7a, 0xfd, 0x9d, 0x52, 0xa7, + 0x9b, 0x64, 0x7c, 0x90, 0xc2, 0x70, 0x9e, 0x06, + 0x0e, 0xd7, 0x0f, 0x87, 0x29, 0x9d, 0xd7, 0x98, + 0xd6, 0x8f, 0x4f, 0xad, 0xd3, 0xda, 0x6c, 0x51, + 0xd8, 0x39, 0xf8, 0x51, 0xf9, 0x8f, 0x67, 0x84, + 0x0b, 0x96, 0x4e, 0xbe, 0x73, 0xf8, 0xce, 0xc4, + 0x15, 0x72, 0x53, 0x8e, 0xc6, 0xbc, 0x13, 0x10, + 0x34, 0xca, 0x28, 0x94, 0xeb, 0x73, 0x6b, 0x3b, + 0xda, 0x93, 0xd9, 0xf5, 0xf6, 0xfa, 0x6f, 0x6c, + 0x0f, 0x03, 0xce, 0x43, 0x36, 0x2b, 0x84, 0x14, + 0x94, 0x03, 0x55, 0xfb, 0x54, 0xd3, 0xdf, 0xdd, + 0x03, 0x63, 0x3a, 0xe1, 0x08, 0xf3, 0xde, 0x3e, + 0xbc, 0x85, 0xa3, 0xff, 0x51, 0xef, 0xee, 0xa3, + 0xbc, 0x2c, 0xf2, 0x7e, 0x16, 0x58, 0xf1, 0x78, + 0x9e, 0xe6, 0x12, 0xc8, 0x3d, 0x0f, 0x5f, 0xd5, + 0x6f, 0x7c, 0xd0, 0x71, 0x93, 0x0e, 0x29, 0x46, + 0xbe, 0xee, 0xca, 0xa0, 0x4d, 0xcc, 0xea, 0x9f, + 0x97, 0x78, 0x60, 0x01, 0x47, 0x5e, 0x02, 0x94, + 0xbc, 0x28, 0x52, 0xf6, 0x2e, 0xb5, 0xd3, 0x9b, + 0xb9, 0xfb, 0xee, 0xf7, 0x59, 0x16, 0xef, 0xe4, + 0x4a, 0x66, 0x2e, 0xca, 0xe3, 0x7e, 0xde, 0x27, + 0xe9, 0xd6, 0xea, 0xdf, 0xde, 0xb8, 0xf8, 0xb2, + 0xb2, 0xdb, 0xcc, 0xbf, 0x96, 0xfa, 0x6d, 0xba, + 0xf7, 0x32, 0x1f, 0xb0, 0xe7, 0x01, 0xf4, 0xd4, + 0x29, 0xc2, 0xf4, 0xdc, 0xd1, 0x53, 0xa2, 0x74, + 0x25, 0x74, 0x12, 0x6e, 0x5e, 0xac, 0xcc, 0x77, + 0x68, 0x6a, 0xcf, 0x6e, 0x3e, 0xe4, 0x8f, 0x42, + 0x37, 0x66, 0xe0, 0xfc, 0x46, 0x68, 0x10, 0xa9, + 0x05, 0xff, 0x54, 0x53, 0xec, 0x99, 0x89, 0x7b, + 0x56, 0xbc, 0x55, 0xdd, 0x49, 0xb9, 0x91, 0x14, + 0x2f, 0x65, 0x04, 0x3f, 0x2d, 0x74, 0x4e, 0xeb, + 0x93, 0x5b, 0xa7, 0xf4, 0xef, 0x23, 0xcf, 0x80, + 0xcc, 0x5a, 0x8a, 0x33, 0x5d, 0x36, 0x19, 0xd7, + 0x81, 0xe7, 0x45, 0x48, 0x26, 0xdf, 0x72, 0x0e, + 0xec, 0x82, 0xe0, 0x60, 0x34, 0xc4, 0x46, 0x99, + 0xb5, 0xf0, 0xc4, 0x4a, 0x87, 0x87, 0x75, 0x2e, + 0x05, 0x7f, 0xa3, 0x41, 0x9b, 0x5b, 0xb0, 0xe2, + 0x5d, 0x30, 0x98, 0x1e, 0x41, 0xcb, 0x13, 0x61, + 0x32, 0x2d, 0xba, 0x8f, 0x69, 0x93, 0x1c, 0xf4, + 0x2f, 0xad, 0x3f, 0x3b, 0xce, 0x6d, 0xed, 0x5b, + 0x8b, 0xfc, 0x3d, 0x20, 0xa2, 0x14, 0x88, 0x61, + 0xb2, 0xaf, 0xc1, 0x45, 0x62, 0xdd, 0xd2, 0x7f, + 0x12, 0x89, 0x7a, 0xbf, 0x06, 0x85, 0x28, 0x8d, + 0xcc, 0x5c, 0x49, 0x82, 0xf8, 0x26, 0x02, 0x68, + 0x46, 0xa2, 0x4b, 0xf7, 0x7e, 0x38, 0x3c, 0x7a, + 0xac, 0xab, 0x1a, 0xb6, 0x92, 0xb2, 0x9e, 0xd8, + 0xc0, 0x18, 0xa6, 0x5f, 0x3d, 0xc2, 0xb8, 0x7f, + 0xf6, 0x19, 0xa6, 0x33, 0xc4, 0x1b, 0x4f, 0xad, + 0xb1, 0xc7, 0x87, 0x25, 0xc1, 0xf8, 0xf9, 0x22, + 0xf6, 0x00, 0x97, 0x87, 0xb1, 0x96, 0x42, 0x47, + 0xdf, 0x01, 0x36, 0xb1, 0xbc, 0x61, 0x4a, 0xb5, + 0x75, 0xc5, 0x9a, 0x16, 0xd0, 0x89, 0x91, 0x7b, + 0xd4, 0xa8, 0xb6, 0xf0, 0x4d, 0x95, 0xc5, 0x81, + 0x27, 0x9a, 0x13, 0x9b, 0xe0, 0x9f, 0xcf, 0x6e, + 0x98, 0xa4, 0x70, 0xa0, 0xbc, 0xec, 0xa1, 0x91, + 0xfc, 0xe4, 0x76, 0xf9, 0x37, 0x00, 0x21, 0xcb, + 0xc0, 0x55, 0x18, 0xa7, 0xef, 0xd3, 0x5d, 0x89, + 0xd8, 0x57, 0x7c, 0x99, 0x0a, 0x5e, 0x19, 0x96, + 0x1b, 0xa1, 0x62, 0x03, 0xc9, 0x59, 0xc9, 0x18, + 0x29, 0xba, 0x74, 0x97, 0xcf, 0xfc, 0xbb, 0x4b, + 0x29, 0x45, 0x46, 0x45, 0x4f, 0xa5, 0x38, 0x8a, + 0x23, 0xa2, 0x2e, 0x80, 0x5a, 0x5c, 0xa3, 0x5f, + 0x95, 0x65, 0x98, 0x84, 0x8b, 0xda, 0x67, 0x86, + 0x15, 0xfe, 0xc2, 0x8a, 0xfd, 0x5d, 0xa6, 0x1a, + 0x00, 0x00, 0x00, 0x06, + 0xb3, 0x26, 0x49, 0x33, 0x13, 0x05, 0x3c, 0xed, + 0x38, 0x76, 0xdb, 0x9d, 0x23, 0x71, 0x48, 0x18, + 0x1b, 0x71, 0x73, 0xbc, 0x7d, 0x04, 0x2c, 0xef, + 0xb4, 0xdb, 0xe9, 0x4d, 0x2e, 0x58, 0xcd, 0x21, + 0xa7, 0x69, 0xdb, 0x46, 0x57, 0xa1, 0x03, 0x27, + 0x9b, 0xa8, 0xef, 0x3a, 0x62, 0x9c, 0xa8, 0x4e, + 0xe8, 0x36, 0x17, 0x2a, 0x9c, 0x50, 0xe5, 0x1f, + 0x45, 0x58, 0x17, 0x41, 0xcf, 0x80, 0x83, 0x15, + 0x0b, 0x49, 0x1c, 0xb4, 0xec, 0xbb, 0xab, 0xec, + 0x12, 0x8e, 0x7c, 0x81, 0xa4, 0x6e, 0x62, 0xa6, + 0x7b, 0x57, 0x64, 0x0a, 0x0a, 0x78, 0xbe, 0x1c, + 0xbf, 0x7d, 0xd9, 0xd4, 0x19, 0xa1, 0x0c, 0xd8, + 0x68, 0x6d, 0x16, 0x62, 0x1a, 0x80, 0x81, 0x6b, + 0xfd, 0xb5, 0xbd, 0xc5, 0x62, 0x11, 0xd7, 0x2c, + 0xa7, 0x0b, 0x81, 0xf1, 0x11, 0x7d, 0x12, 0x95, + 0x29, 0xa7, 0x57, 0x0c, 0xf7, 0x9c, 0xf5, 0x2a, + 0x70, 0x28, 0xa4, 0x85, 0x38, 0xec, 0xdd, 0x3b, + 0x38, 0xd3, 0xd5, 0xd6, 0x2d, 0x26, 0x24, 0x65, + 0x95, 0xc4, 0xfb, 0x73, 0xa5, 0x25, 0xa5, 0xed, + 0x2c, 0x30, 0x52, 0x4e, 0xbb, 0x1d, 0x8c, 0xc8, + 0x2e, 0x0c, 0x19, 0xbc, 0x49, 0x77, 0xc6, 0x89, + 0x8f, 0xf9, 0x5f, 0xd3, 0xd3, 0x10, 0xb0, 0xba, + 0xe7, 0x16, 0x96, 0xce, 0xf9, 0x3c, 0x6a, 0x55, + 0x24, 0x56, 0xbf, 0x96, 0xe9, 0xd0, 0x75, 0xe3, + 0x83, 0xbb, 0x75, 0x43, 0xc6, 0x75, 0x84, 0x2b, + 0xaf, 0xbf, 0xc7, 0xcd, 0xb8, 0x84, 0x83, 0xb3, + 0x27, 0x6c, 0x29, 0xd4, 0xf0, 0xa3, 0x41, 0xc2, + 0xd4, 0x06, 0xe4, 0x0d, 0x46, 0x53, 0xb7, 0xe4, + 0xd0, 0x45, 0x85, 0x1a, 0xcf, 0x6a, 0x0a, 0x0e, + 0xa9, 0xc7, 0x10, 0xb8, 0x05, 0xcc, 0xed, 0x46, + 0x35, 0xee, 0x8c, 0x10, 0x73, 0x62, 0xf0, 0xfc, + 0x8d, 0x80, 0xc1, 0x4d, 0x0a, 0xc4, 0x9c, 0x51, + 0x67, 0x03, 0xd2, 0x6d, 0x14, 0x75, 0x2f, 0x34, + 0xc1, 0xc0, 0xd2, 0xc4, 0x24, 0x75, 0x81, 0xc1, + 0x8c, 0x2c, 0xf4, 0xde, 0x48, 0xe9, 0xce, 0x94, + 0x9b, 0xe7, 0xc8, 0x88, 0xe9, 0xca, 0xeb, 0xe4, + 0xa4, 0x15, 0xe2, 0x91, 0xfd, 0x10, 0x7d, 0x21, + 0xdc, 0x1f, 0x08, 0x4b, 0x11, 0x58, 0x20, 0x82, + 0x49, 0xf2, 0x8f, 0x4f, 0x7c, 0x7e, 0x93, 0x1b, + 0xa7, 0xb3, 0xbd, 0x0d, 0x82, 0x4a, 0x45, 0x70, + 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x04, + 0x21, 0x5f, 0x83, 0xb7, 0xcc, 0xb9, 0xac, 0xbc, + 0xd0, 0x8d, 0xb9, 0x7b, 0x0d, 0x04, 0xdc, 0x2b, + 0xa1, 0xcd, 0x03, 0x58, 0x33, 0xe0, 0xe9, 0x00, + 0x59, 0x60, 0x3f, 0x26, 0xe0, 0x7a, 0xd2, 0xaa, + 0xd1, 0x52, 0x33, 0x8e, 0x7a, 0x5e, 0x59, 0x84, + 0xbc, 0xd5, 0xf7, 0xbb, 0x4e, 0xba, 0x40, 0xb7, + 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x04, + 0x0e, 0xb1, 0xed, 0x54, 0xa2, 0x46, 0x0d, 0x51, + 0x23, 0x88, 0xca, 0xd5, 0x33, 0x13, 0x8d, 0x24, + 0x05, 0x34, 0xe9, 0x7b, 0x1e, 0x82, 0xd3, 0x3b, + 0xd9, 0x27, 0xd2, 0x01, 0xdf, 0xc2, 0x4e, 0xbb, + 0x11, 0xb3, 0x64, 0x90, 0x23, 0x69, 0x6f, 0x85, + 0x15, 0x0b, 0x18, 0x9e, 0x50, 0xc0, 0x0e, 0x98, + 0x85, 0x0a, 0xc3, 0x43, 0xa7, 0x7b, 0x36, 0x38, + 0x31, 0x9c, 0x34, 0x7d, 0x73, 0x10, 0x26, 0x9d, + 0x3b, 0x77, 0x14, 0xfa, 0x40, 0x6b, 0x8c, 0x35, + 0xb0, 0x21, 0xd5, 0x4d, 0x4f, 0xda, 0xda, 0x7b, + 0x9c, 0xe5, 0xd4, 0xba, 0x5b, 0x06, 0x71, 0x9e, + 0x72, 0xaa, 0xf5, 0x8c, 0x5a, 0xae, 0x7a, 0xca, + 0x05, 0x7a, 0xa0, 0xe2, 0xe7, 0x4e, 0x7d, 0xcf, + 0xd1, 0x7a, 0x08, 0x23, 0x42, 0x9d, 0xb6, 0x29, + 0x65, 0xb7, 0xd5, 0x63, 0xc5, 0x7b, 0x4c, 0xec, + 0x94, 0x2c, 0xc8, 0x65, 0xe2, 0x9c, 0x1d, 0xad, + 0x83, 0xca, 0xc8, 0xb4, 0xd6, 0x1a, 0xac, 0xc4, + 0x57, 0xf3, 0x36, 0xe6, 0xa1, 0x0b, 0x66, 0x32, + 0x3f, 0x58, 0x87, 0xbf, 0x35, 0x23, 0xdf, 0xca, + 0xde, 0xe1, 0x58, 0x50, 0x3b, 0xfa, 0xa8, 0x9d, + 0xc6, 0xbf, 0x59, 0xda, 0xa8, 0x2a, 0xfd, 0x2b, + 0x5e, 0xbb, 0x2a, 0x9c, 0xa6, 0x57, 0x2a, 0x60, + 0x67, 0xce, 0xe7, 0xc3, 0x27, 0xe9, 0x03, 0x9b, + 0x3b, 0x6e, 0xa6, 0xa1, 0xed, 0xc7, 0xfd, 0xc3, + 0xdf, 0x92, 0x7a, 0xad, 0xe1, 0x0c, 0x1c, 0x9f, + 0x2d, 0x5f, 0xf4, 0x46, 0x45, 0x0d, 0x2a, 0x39, + 0x98, 0xd0, 0xf9, 0xf6, 0x20, 0x2b, 0x5e, 0x07, + 0xc3, 0xf9, 0x7d, 0x24, 0x58, 0xc6, 0x9d, 0x3c, + 0x81, 0x90, 0x64, 0x39, 0x78, 0xd7, 0xa7, 0xf4, + 0xd6, 0x4e, 0x97, 0xe3, 0xf1, 0xc4, 0xa0, 0x8a, + 0x7c, 0x5b, 0xc0, 0x3f, 0xd5, 0x56, 0x82, 0xc0, + 0x17, 0xe2, 0x90, 0x7e, 0xab, 0x07, 0xe5, 0xbb, + 0x2f, 0x19, 0x01, 0x43, 0x47, 0x5a, 0x60, 0x43, + 0xd5, 0xe6, 0xd5, 0x26, 0x34, 0x71, 0xf4, 0xee, + 0xcf, 0x6e, 0x25, 0x75, 0xfb, 0xc6, 0xff, 0x37, + 0xed, 0xfa, 0x24, 0x9d, 0x6c, 0xda, 0x1a, 0x09, + 0xf7, 0x97, 0xfd, 0x5a, 0x3c, 0xd5, 0x3a, 0x06, + 0x67, 0x00, 0xf4, 0x58, 0x63, 0xf0, 0x4b, 0x6c, + 0x8a, 0x58, 0xcf, 0xd3, 0x41, 0x24, 0x1e, 0x00, + 0x2d, 0x0d, 0x2c, 0x02, 0x17, 0x47, 0x2b, 0xf1, + 0x8b, 0x63, 0x6a, 0xe5, 0x47, 0xc1, 0x77, 0x13, + 0x68, 0xd9, 0xf3, 0x17, 0x83, 0x5c, 0x9b, 0x0e, + 0xf4, 0x30, 0xb3, 0xdf, 0x40, 0x34, 0xf6, 0xaf, + 0x00, 0xd0, 0xda, 0x44, 0xf4, 0xaf, 0x78, 0x00, + 0xbc, 0x7a, 0x5c, 0xf8, 0xa5, 0xab, 0xdb, 0x12, + 0xdc, 0x71, 0x8b, 0x55, 0x9b, 0x74, 0xca, 0xb9, + 0x09, 0x0e, 0x33, 0xcc, 0x58, 0xa9, 0x55, 0x30, + 0x09, 0x81, 0xc4, 0x20, 0xc4, 0xda, 0x8f, 0xfd, + 0x67, 0xdf, 0x54, 0x08, 0x90, 0xa0, 0x62, 0xfe, + 0x40, 0xdb, 0xa8, 0xb2, 0xc1, 0xc5, 0x48, 0xce, + 0xd2, 0x24, 0x73, 0x21, 0x9c, 0x53, 0x49, 0x11, + 0xd4, 0x8c, 0xca, 0xab, 0xfb, 0x71, 0xbc, 0x71, + 0x86, 0x2f, 0x4a, 0x24, 0xeb, 0xd3, 0x76, 0xd2, + 0x88, 0xfd, 0x4e, 0x6f, 0xb0, 0x6e, 0xd8, 0x70, + 0x57, 0x87, 0xc5, 0xfe, 0xdc, 0x81, 0x3c, 0xd2, + 0x69, 0x7e, 0x5b, 0x1a, 0xac, 0x1c, 0xed, 0x45, + 0x76, 0x7b, 0x14, 0xce, 0x88, 0x40, 0x9e, 0xae, + 0xbb, 0x60, 0x1a, 0x93, 0x55, 0x9a, 0xae, 0x89, + 0x3e, 0x14, 0x3d, 0x1c, 0x39, 0x5b, 0xc3, 0x26, + 0xda, 0x82, 0x1d, 0x79, 0xa9, 0xed, 0x41, 0xdc, + 0xfb, 0xe5, 0x49, 0x14, 0x7f, 0x71, 0xc0, 0x92, + 0xf4, 0xf3, 0xac, 0x52, 0x2b, 0x5c, 0xc5, 0x72, + 0x90, 0x70, 0x66, 0x50, 0x48, 0x7b, 0xae, 0x9b, + 0xb5, 0x67, 0x1e, 0xcc, 0x9c, 0xcc, 0x2c, 0xe5, + 0x1e, 0xad, 0x87, 0xac, 0x01, 0x98, 0x52, 0x68, + 0x52, 0x12, 0x22, 0xfb, 0x90, 0x57, 0xdf, 0x7e, + 0xd4, 0x18, 0x10, 0xb5, 0xef, 0x0d, 0x4f, 0x7c, + 0xc6, 0x73, 0x68, 0xc9, 0x0f, 0x57, 0x3b, 0x1a, + 0xc2, 0xce, 0x95, 0x6c, 0x36, 0x5e, 0xd3, 0x8e, + 0x89, 0x3c, 0xe7, 0xb2, 0xfa, 0xe1, 0x5d, 0x36, + 0x85, 0xa3, 0xdf, 0x2f, 0xa3, 0xd4, 0xcc, 0x09, + 0x8f, 0xa5, 0x7d, 0xd6, 0x0d, 0x2c, 0x97, 0x54, + 0xa8, 0xad, 0xe9, 0x80, 0xad, 0x0f, 0x93, 0xf6, + 0x78, 0x70, 0x75, 0xc3, 0xf6, 0x80, 0xa2, 0xba, + 0x19, 0x36, 0xa8, 0xc6, 0x1d, 0x1a, 0xf5, 0x2a, + 0xb7, 0xe2, 0x1f, 0x41, 0x6b, 0xe0, 0x9d, 0x2a, + 0x8d, 0x64, 0xc3, 0xd3, 0xd8, 0x58, 0x29, 0x68, + 0xc2, 0x83, 0x99, 0x02, 0x22, 0x9f, 0x85, 0xae, + 0xe2, 0x97, 0xe7, 0x17, 0xc0, 0x94, 0xc8, 0xdf, + 0x4a, 0x23, 0xbb, 0x5d, 0xb6, 0x58, 0xdd, 0x37, + 0x7b, 0xf0, 0xf4, 0xff, 0x3f, 0xfd, 0x8f, 0xba, + 0x5e, 0x38, 0x3a, 0x48, 0x57, 0x48, 0x02, 0xed, + 0x54, 0x5b, 0xbe, 0x7a, 0x6b, 0x47, 0x53, 0x53, + 0x33, 0x53, 0xd7, 0x37, 0x06, 0x06, 0x76, 0x40, + 0x13, 0x5a, 0x7c, 0xe5, 0x17, 0x27, 0x9c, 0xd6, + 0x83, 0x03, 0x97, 0x47, 0xd2, 0x18, 0x64, 0x7c, + 0x86, 0xe0, 0x97, 0xb0, 0xda, 0xa2, 0x87, 0x2d, + 0x54, 0xb8, 0xf3, 0xe5, 0x08, 0x59, 0x87, 0x62, + 0x95, 0x47, 0xb8, 0x30, 0xd8, 0x11, 0x81, 0x61, + 0xb6, 0x50, 0x79, 0xfe, 0x7b, 0xc5, 0x9a, 0x99, + 0xe9, 0xc3, 0xc7, 0x38, 0x0e, 0x3e, 0x70, 0xb7, + 0x13, 0x8f, 0xe5, 0xd9, 0xbe, 0x25, 0x51, 0x50, + 0x2b, 0x69, 0x8d, 0x09, 0xae, 0x19, 0x39, 0x72, + 0xf2, 0x7d, 0x40, 0xf3, 0x8d, 0xea, 0x26, 0x4a, + 0x01, 0x26, 0xe6, 0x37, 0xd7, 0x4a, 0xe4, 0xc9, + 0x2a, 0x62, 0x49, 0xfa, 0x10, 0x34, 0x36, 0xd3, + 0xeb, 0x0d, 0x40, 0x29, 0xac, 0x71, 0x2b, 0xfc, + 0x7a, 0x5e, 0xac, 0xbd, 0xd7, 0x51, 0x8d, 0x6d, + 0x4f, 0xe9, 0x03, 0xa5, 0xae, 0x65, 0x52, 0x7c, + 0xd6, 0x5b, 0xb0, 0xd4, 0xe9, 0x92, 0x5c, 0xa2, + 0x4f, 0xd7, 0x21, 0x4d, 0xc6, 0x17, 0xc1, 0x50, + 0x54, 0x4e, 0x42, 0x3f, 0x45, 0x0c, 0x99, 0xce, + 0x51, 0xac, 0x80, 0x05, 0xd3, 0x3a, 0xcd, 0x74, + 0xf1, 0xbe, 0xd3, 0xb1, 0x7b, 0x72, 0x66, 0xa4, + 0xa3, 0xbb, 0x86, 0xda, 0x7e, 0xba, 0x80, 0xb1, + 0x01, 0xe1, 0x5c, 0xb7, 0x9d, 0xe9, 0xa2, 0x07, + 0x85, 0x2c, 0xf9, 0x12, 0x49, 0xef, 0x48, 0x06, + 0x19, 0xff, 0x2a, 0xf8, 0xca, 0xbc, 0xa8, 0x31, + 0x25, 0xd1, 0xfa, 0xa9, 0x4c, 0xbb, 0x0a, 0x03, + 0xa9, 0x06, 0xf6, 0x83, 0xb3, 0xf4, 0x7a, 0x97, + 0xc8, 0x71, 0xfd, 0x51, 0x3e, 0x51, 0x0a, 0x7a, + 0x25, 0xf2, 0x83, 0xb1, 0x96, 0x07, 0x57, 0x78, + 0x49, 0x61, 0x52, 0xa9, 0x1c, 0x2b, 0xf9, 0xda, + 0x76, 0xeb, 0xe0, 0x89, 0xf4, 0x65, 0x48, 0x77, + 0xf2, 0xd5, 0x86, 0xae, 0x71, 0x49, 0xc4, 0x06, + 0xe6, 0x63, 0xea, 0xde, 0xb2, 0xb5, 0xc7, 0xe8, + 0x24, 0x29, 0xb9, 0xe8, 0xcb, 0x48, 0x34, 0xc8, + 0x34, 0x64, 0xf0, 0x79, 0x99, 0x53, 0x32, 0xe4, + 0xb3, 0xc8, 0xf5, 0xa7, 0x2b, 0xb4, 0xb8, 0xc6, + 0xf7, 0x4b, 0x0d, 0x45, 0xdc, 0x6c, 0x1f, 0x79, + 0x95, 0x2c, 0x0b, 0x74, 0x20, 0xdf, 0x52, 0x5e, + 0x37, 0xc1, 0x53, 0x77, 0xb5, 0xf0, 0x98, 0x43, + 0x19, 0xc3, 0x99, 0x39, 0x21, 0xe5, 0xcc, 0xd9, + 0x7e, 0x09, 0x75, 0x92, 0x06, 0x45, 0x30, 0xd3, + 0x3d, 0xe3, 0xaf, 0xad, 0x57, 0x33, 0xcb, 0xe7, + 0x70, 0x3c, 0x52, 0x96, 0x26, 0x3f, 0x77, 0x34, + 0x2e, 0xfb, 0xf5, 0xa0, 0x47, 0x55, 0xb0, 0xb3, + 0xc9, 0x97, 0xc4, 0x32, 0x84, 0x63, 0xe8, 0x4c, + 0xaa, 0x2d, 0xe3, 0xff, 0xdc, 0xd2, 0x97, 0xba, + 0xaa, 0xac, 0xd7, 0xae, 0x64, 0x6e, 0x44, 0xb5, + 0xc0, 0xf1, 0x60, 0x44, 0xdf, 0x38, 0xfa, 0xbd, + 0x29, 0x6a, 0x47, 0xb3, 0xa8, 0x38, 0xa9, 0x13, + 0x98, 0x2f, 0xb2, 0xe3, 0x70, 0xc0, 0x78, 0xed, + 0xb0, 0x42, 0xc8, 0x4d, 0xb3, 0x4c, 0xe3, 0x6b, + 0x46, 0xcc, 0xb7, 0x64, 0x60, 0xa6, 0x90, 0xcc, + 0x86, 0xc3, 0x02, 0x45, 0x7d, 0xd1, 0xcd, 0xe1, + 0x97, 0xec, 0x80, 0x75, 0xe8, 0x2b, 0x39, 0x3d, + 0x54, 0x20, 0x75, 0x13, 0x4e, 0x2a, 0x17, 0xee, + 0x70, 0xa5, 0xe1, 0x87, 0x07, 0x5d, 0x03, 0xae, + 0x3c, 0x85, 0x3c, 0xff, 0x60, 0x72, 0x9b, 0xa4, + 0x00, 0x00, 0x00, 0x05, + 0x4d, 0xe1, 0xf6, 0x96, 0x5b, 0xda, 0xbc, 0x67, + 0x6c, 0x5a, 0x4d, 0xc7, 0xc3, 0x5f, 0x97, 0xf8, + 0x2c, 0xb0, 0xe3, 0x1c, 0x68, 0xd0, 0x4f, 0x1d, + 0xad, 0x96, 0x31, 0x4f, 0xf0, 0x9e, 0x6b, 0x3d, + 0xe9, 0x6a, 0xee, 0xe3, 0x00, 0xd1, 0xf6, 0x8b, + 0xf1, 0xbc, 0xa9, 0xfc, 0x58, 0xe4, 0x03, 0x23, + 0x36, 0xcd, 0x81, 0x9a, 0xaf, 0x57, 0x87, 0x44, + 0xe5, 0x0d, 0x13, 0x57, 0xa0, 0xe4, 0x28, 0x67, + 0x04, 0xd3, 0x41, 0xaa, 0x0a, 0x33, 0x7b, 0x19, + 0xfe, 0x4b, 0xc4, 0x3c, 0x2e, 0x79, 0x96, 0x4d, + 0x4f, 0x35, 0x10, 0x89, 0xf2, 0xe0, 0xe4, 0x1c, + 0x7c, 0x43, 0xae, 0x0d, 0x49, 0xe7, 0xf4, 0x04, + 0xb0, 0xf7, 0x5b, 0xe8, 0x0e, 0xa3, 0xaf, 0x09, + 0x8c, 0x97, 0x52, 0x42, 0x0a, 0x8a, 0xc0, 0xea, + 0x2b, 0xbb, 0x1f, 0x4e, 0xeb, 0xa0, 0x52, 0x38, + 0xae, 0xf0, 0xd8, 0xce, 0x63, 0xf0, 0xc6, 0xe5, + 0xe4, 0x04, 0x1d, 0x95, 0x39, 0x8a, 0x6f, 0x7f, + 0x3e, 0x0e, 0xe9, 0x7c, 0xc1, 0x59, 0x18, 0x49, + 0xd4, 0xed, 0x23, 0x63, 0x38, 0xb1, 0x47, 0xab, + 0xde, 0x9f, 0x51, 0xef, 0x9f, 0xd4, 0xe1, 0xc1, +}; + +typedef struct { const uint8_t *val; size_t len; } hashsig_tc_bn_t; +typedef struct { hashsig_tc_bn_t key, msg, sig; } hashsig_tc_t; + +static const hashsig_tc_t hashsig_tc[] = { + { { tc1_key, sizeof(tc1_key) }, + { tc1_msg, sizeof(tc1_msg) }, + { tc1_sig, sizeof(tc1_sig) } }, + { { tc2_key, sizeof(tc2_key) }, + { tc2_msg, sizeof(tc2_msg) }, + { tc2_sig, sizeof(tc2_sig) } }, +}; diff --git a/tests/test-rpc_hashsig.c b/tests/test-rpc_hashsig.c new file mode 100644 index 0000000..00728c3 --- /dev/null +++ b/tests/test-rpc_hashsig.c @@ -0,0 +1,594 @@ +/* + * test-rpc_hashsig.c + * ------------------ + * Test code for RPC interface to Cryptech public key operations. + * + * Copyright (c) 2018, NORDUnet A/S + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * - Neither the name of the NORDUnet nor the names of its contributors may + * be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* Parts of this may eventually get folded into test-rpc_pkey.c, + * but for now I'd rather do it stand-alone. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <getopt.h> +#include <assert.h> +#include <string.h> +#include <errno.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> + +#include <hal.h> +#include <hashsig.h> +#include "test-hashsig.h" + +#include <sys/time.h> +/* not included in my glibc, sigh... */ +void timersub(struct timeval *a, struct timeval *b, struct timeval *res) +{ + res->tv_sec = a->tv_sec - b->tv_sec; + res->tv_usec = a->tv_usec - b->tv_usec; + if (res->tv_usec < 0) { + res->tv_usec += 1000000; + --res->tv_sec; + } + if (res->tv_usec > 1000000) { + res->tv_usec -= 1000000; + ++res->tv_sec; + } +} + +static int debug = 0; +static int info = 0; + +#define lose(...) do { printf(__VA_ARGS__); goto fail; } while (0) + +static int test_hashsig_testvec_local(const hashsig_tc_t * const tc, hal_key_flags_t flags) +{ + hal_error_t err; + + assert(tc != NULL); + + printf("Starting local hashsig test vector test\n"); + + uint8_t tc_keybuf[hal_hashsig_key_t_size]; + hal_hashsig_key_t *tc_key = NULL; + + if ((err = hal_hashsig_key_load_public_xdr(&tc_key, + tc_keybuf, sizeof(tc_keybuf), + tc->key.val, tc->key.len)) != HAL_OK) + lose("Could not load public key from test vector: %s\n", hal_error_string(err)); + + if ((err = hal_hashsig_verify(NULL, tc_key, tc->msg.val, tc->msg.len, tc->sig.val, tc->sig.len)) != HAL_OK) + lose("Verify failed: %s\n", hal_error_string(err)); + + printf("OK\n"); + return 1; + +fail: + return 0; +} + +static int test_hashsig_testvec_remote(const hashsig_tc_t * const tc, hal_key_flags_t flags) +{ + const hal_client_handle_t client = {HAL_HANDLE_NONE}; + const hal_session_handle_t session = {HAL_HANDLE_NONE}; + hal_pkey_handle_t public_key = {HAL_HANDLE_NONE}; + hal_error_t err; + size_t len; + + assert(tc != NULL); + + { + flags |= HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE; + + printf("Starting remote hashsig test vector test, flags 0x%lx\n", (unsigned long) flags); + + uint8_t tc_keybuf[hal_hashsig_key_t_size]; + hal_hashsig_key_t *tc_key = NULL; + + if ((err = hal_hashsig_key_load_public_xdr(&tc_key, + tc_keybuf, sizeof(tc_keybuf), + tc->key.val, tc->key.len)) != HAL_OK) + lose("Could not load public key from test vector: %s\n", hal_error_string(err)); + + hal_uuid_t public_name; + + uint8_t public_der[hal_hashsig_public_key_to_der_len(tc_key)]; + + if ((err = hal_hashsig_public_key_to_der(tc_key, public_der, &len, sizeof(public_der))) != HAL_OK) + lose("Could not DER encode public key from test vector: %s\n", hal_error_string(err)); + + assert(len == sizeof(public_der)); + + if ((err = hal_rpc_pkey_load(client, session, &public_key, &public_name, + public_der, sizeof(public_der), flags)) != HAL_OK) + lose("Could not load public key into RPC: %s\n", hal_error_string(err)); + + if ((err = hal_rpc_pkey_verify(public_key, hal_hash_handle_none, + tc->msg.val, tc->msg.len, tc->sig.val, tc->sig.len)) != HAL_OK) + lose("Could not verify: %s\n", hal_error_string(err)); + + if ((err = hal_rpc_pkey_delete(public_key)) != HAL_OK) + lose("Could not delete public key: %s\n", hal_error_string(err)); + + printf("OK\n"); + return 1; + } + +fail: + if (public_key.handle != HAL_HANDLE_NONE && + (err = hal_rpc_pkey_delete(public_key)) != HAL_OK) + printf("Warning: could not delete public key: %s\n", hal_error_string(err)); + + return 0; +} + +static void hexdump(const char * const label, const uint8_t * const buf, const size_t len) +{ + printf("%-11s ", label); + + for (size_t i = 0; i < len; ++i) { + printf("%02x", buf[i]); + if ((i & 0x0f) == 0x0f) { + printf("\n"); + if (i < len - 1) + printf(" "); + } + } + if ((len & 0x0f) != 0) + printf("\n"); +} + +static inline size_t lms_type_to_h(const lms_algorithm_t lms_type) +{ + switch (lms_type) { + case lms_sha256_n32_h5: return 5; + case lms_sha256_n32_h10: return 10; + case lms_sha256_n32_h15: return 15; + case lms_sha256_n32_h20: return 20; + case lms_sha256_n32_h25: return 25; + default: return 0; + } +} + +static inline size_t lmots_type_to_w(const lmots_algorithm_t lmots_type) +{ + switch (lmots_type) { + case lmots_sha256_n32_w1: return 1; + case lmots_sha256_n32_w2: return 2; + case lmots_sha256_n32_w4: return 4; + case lmots_sha256_n32_w8: return 8; + default: return 0; + } +} + +static inline size_t lmots_type_to_p(const lmots_algorithm_t lmots_type) +{ + switch (lmots_type) { + case lmots_sha256_n32_w1: return 265; + case lmots_sha256_n32_w2: return 133; + case lmots_sha256_n32_w4: return 67; + case lmots_sha256_n32_w8: return 34; + default: return 0; + } +} + +#include <xdr_internal.h> + +static hal_error_t dump_hss_signature(const uint8_t * const sig, const size_t len) +{ + const uint8_t *sigptr = sig; + const uint8_t * const siglim = sig + len; + hal_error_t err; + + hexdump("Nspk", sigptr, 4); + uint32_t Nspk; + if ((err = hal_xdr_decode_int(&sigptr, siglim, &Nspk)) != HAL_OK) return err; + + for (size_t i = 0; i < Nspk + 1; ++i) { + printf("--------------------------------------------\nsig[%lu]\n", i); + hexdump("q", sigptr, 4); sigptr += 4; + + { + hexdump("lmots type", sigptr, 4); + uint32_t lmots_type; + if ((err = hal_xdr_decode_int(&sigptr, siglim, &lmots_type)) != HAL_OK) return err; + hexdump("C", sigptr, 32); sigptr += 32; + size_t p = lmots_type_to_p((const lmots_algorithm_t)lmots_type); + for (size_t j = 0; j < p; ++j) { + char label[16]; + sprintf(label, "y[%lu]", j); + hexdump(label, sigptr, 32); sigptr += 32; + } + } + + hexdump("lms type", sigptr, 4); + uint32_t lms_type; + if ((err = hal_xdr_decode_int(&sigptr, siglim, &lms_type)) != HAL_OK) return err; + size_t h = lms_type_to_h((const lms_algorithm_t)lms_type); + for (size_t j = 0; j < h; ++j) { + char label[16]; + sprintf(label, "path[%lu]", j); + hexdump(label, sigptr, 32); sigptr += 32; + } + + if (i == Nspk) + break; + + printf("--------------------------------------------\npubkey[%lu]\n", i + 1); + hexdump("lms type", sigptr, 4); sigptr += 4; + hexdump("lmots type", sigptr, 4); sigptr += 4; + hexdump("I", sigptr, 16); sigptr += 16; + hexdump("T[1]", sigptr, 32); sigptr += 32; + } + + if (sigptr < siglim) { + printf("--------------------------------------------\nextra\n"); + hexdump("", sigptr, siglim - sigptr); + } + + return HAL_OK; +} + +static int test_hashsig_sign(const size_t L, + const lms_algorithm_t lms_type, + const lmots_algorithm_t lmots_type, + size_t iterations, + int save, int keep) +{ + const hal_client_handle_t client = {HAL_HANDLE_NONE}; + const hal_session_handle_t session = {HAL_HANDLE_NONE}; + hal_pkey_handle_t private_key = {HAL_HANDLE_NONE}; + hal_pkey_handle_t public_key = {HAL_HANDLE_NONE}; + hal_error_t err; + size_t len; + + { + char save_name[16]; + if (save) { + sprintf(save_name, "L%d.lms%d.ots%d", (int)L, (int)lms_type, (int)lmots_type); + FILE *fp; + if ((fp = fopen(save_name, "wb")) == NULL) + lose("Error opening %s: %s\n", save_name, strerror(errno)); + size_t len1; + if ((len1 = fwrite(tc1_msg, 1, sizeof(tc1_msg), fp)) != sizeof(tc1_msg)) + lose("Wrote %lu bytes to %s, expected %lu\n", len1, save_name, sizeof(tc1_msg)); + if (fclose(fp) != 0) + lose("Error closing %s: %s\n", save_name, strerror(errno)); + } + + hal_key_flags_t flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | HAL_KEY_FLAG_TOKEN; + + printf("Starting hashsig key test: L %lu, lms type %u (h=%lu), lmots type %u (w=%lu)\n", + L, lms_type, lms_type_to_h(lms_type), lmots_type, lmots_type_to_w(lmots_type)); + + if (info) + printf("Info: signature length %lu, lmots private key length %lu\n", + hal_hashsig_signature_len(L, lms_type, lmots_type), + hal_hashsig_lmots_private_key_len(lmots_type)); + + hal_uuid_t private_name, public_name; + struct timeval tv_start, tv_end, tv_diff; + + size_t h = lms_type_to_h(lms_type); + + if (info) + gettimeofday(&tv_start, NULL); + if ((err = hal_rpc_pkey_generate_hashsig(client, session, &private_key, &private_name, + L, lms_type, lmots_type, flags)) != HAL_OK) + lose("Could not generate hashsig private key: %s\n", hal_error_string(err)); + if (info) { + gettimeofday(&tv_end, NULL); + timersub(&tv_end, &tv_start, &tv_diff); + long per_key = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / (L * (1 << h)); + printf("Info: %ldm%ld.%03lds to generate key (%ld.%03lds per lmots key)\n", + tv_diff.tv_sec / 60, tv_diff.tv_sec % 60, tv_diff.tv_usec / 1000, + per_key / 1000000, (per_key % 1000000) / 1000); + } + + uint8_t public_der[hal_rpc_pkey_get_public_key_len(private_key)]; + + if ((err = hal_rpc_pkey_get_public_key(private_key, public_der, &len, sizeof(public_der))) != HAL_OK) + lose("Could not DER encode public key from private key: %s\n", hal_error_string(err)); + + assert(len == sizeof(public_der)); + + if ((err = hal_rpc_pkey_load(client, session, &public_key, &public_name, + public_der, sizeof(public_der), flags)) != HAL_OK) + lose("Could not load public key into RPC: %s\n", hal_error_string(err)); + + if (save) { + char fn[strlen(save_name) + 5]; + sprintf(fn, "%s.pub", save_name); + FILE *fp; + if ((fp = fopen(fn, "wb")) == NULL) + lose("Error opening %s: %s\n", fn, strerror(errno)); + uint8_t pub[60]; + if ((err = hal_hashsig_public_key_der_to_xdr(public_der, sizeof(public_der), pub, &len, sizeof(pub))) != HAL_OK) + lose("Could not XDR encode public key: %s\n", hal_error_string(err)); + size_t len1; + if ((len1 = fwrite(pub, 1, len, fp)) != len) + lose("Wrote %lu bytes to %s, expected %lu\n", len1, fn, len); + if (fclose(fp) != 0) + lose("Error closing %s: %s\n", fn, strerror(errno)); + } + + if (iterations > 0) { + uint8_t sig[hal_hashsig_signature_len(L, lms_type, lmots_type)]; + + if (info) + gettimeofday(&tv_start, NULL); + int i; + for (i = 0; i < iterations; ++i) { + if ((err = hal_rpc_pkey_sign(private_key, hal_hash_handle_none, + tc1_msg, sizeof(tc1_msg), sig, &len, sizeof(sig))) == HAL_OK) { + assert(len == sizeof(sig)); + if (debug) { + printf("Debug: received signature:\n"); + dump_hss_signature(sig, len); + } + } + else { + if (i == (1 << (L * h)) && err == HAL_ERROR_HASHSIG_KEY_EXHAUSTED) + break; + else + lose("Could not sign (%d): %s\n", i, hal_error_string(err)); + } + if (save) { + char fn[strlen(save_name) + 16]; + sprintf(fn, "%s.%d.sig", save_name, i); + FILE *fp; + if ((fp = fopen(fn, "wb")) == NULL) + lose("Error opening %s: %s\n", fn, strerror(errno)); + size_t len1; + if ((len1 = fwrite(sig, 1, len, fp)) != len) + lose("Wrote %lu bytes to %s, expected %lu\n", len1, fn, len); + if (fclose(fp) != 0) + lose("Error closing %s: %s\n", fn, strerror(errno)); + } + } + if (info) { + gettimeofday(&tv_end, NULL); + timersub(&tv_end, &tv_start, &tv_diff); + long per_sig = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / i; + printf("Info: %ldm%ld.%03lds to generate %d signatures (%ld.%03lds per signature)\n", + tv_diff.tv_sec / 60, tv_diff.tv_sec % 60, tv_diff.tv_usec / 1000, i, + per_sig / 1000000, (per_sig % 1000000) / 1000); + } + + if (info) + gettimeofday(&tv_start, NULL); + if ((err = hal_rpc_pkey_verify(public_key, hal_hash_handle_none, + tc1_msg, sizeof(tc1_msg), sig, len)) != HAL_OK) + lose("Could not verify: %s\n", hal_error_string(err)); + if (info) { + gettimeofday(&tv_end, NULL); + timersub(&tv_end, &tv_start, &tv_diff); + printf("Info: %ldm%ld.%03lds to verify 1 signature\n", + tv_diff.tv_sec / 60, tv_diff.tv_sec % 60, tv_diff.tv_usec / 1000); + } + } + + if (!keep) { + if ((err = hal_rpc_pkey_delete(private_key)) != HAL_OK) + lose("Could not delete private key: %s\n", hal_error_string(err)); + } + + if ((err = hal_rpc_pkey_delete(public_key)) != HAL_OK) + lose("Could not delete public key: %s\n", hal_error_string(err)); + + printf("OK\n"); + return 1; + } + +fail: + if (private_key.handle != HAL_HANDLE_NONE && + (err = hal_rpc_pkey_delete(private_key)) != HAL_OK) + printf("Warning: could not delete private key: %s\n", hal_error_string(err)); + + if (public_key.handle != HAL_HANDLE_NONE && + (err = hal_rpc_pkey_delete(public_key)) != HAL_OK) + printf("Warning: could not delete public key: %s\n", hal_error_string(err)); + + return 0; +} + +static int read_sig(char *fn) +{ + { + FILE *fp; + if ((fp = fopen(fn, "rb")) == NULL) + lose("Error opening %s: %s\n", fn, strerror(errno)); + + struct stat statbuf; + if (stat(fn, &statbuf) != 0) + lose("Error statting %s: %s\n", fn, strerror(errno)); + + uint8_t sig[statbuf.st_size]; + size_t len; + if ((len = fread(sig, 1, sizeof(sig), fp)) != sizeof(sig)) + lose("Read %lu bytes from %s, expected %lu\n", len, fn, sizeof(sig)); + + if (fclose(fp) != 0) + lose("Error closing %s: %s\n", fn, strerror(errno)); + + hal_error_t err; + if ((err = dump_hss_signature(sig, len)) != HAL_OK) + lose("Error parsing signature: %s\n", hal_error_string(err)); + } + + return 1; +fail: + return 0; +} + +int main(int argc, char *argv[]) +{ + const hal_client_handle_t client = {HAL_HANDLE_NONE}; + char *pin = "fnord"; + int do_default = 1; + int do_testvec = 0; + size_t iterations = 1; + size_t L_lo = 0, L_hi = 0; + size_t lms_lo = 5, lms_hi = 0; + size_t lmots_lo = 3, lmots_hi = 0; + int save = 0, keep = 0; + char *p; + hal_error_t err; + int ok = 1; + +char usage[] = "\ +Usage: %s [-d] [-i] [-p pin] [-t] [-L n] [-l n] [-o n] [-n n] [-s] [-r file]\n\ + -d: enable debugging - hexdump signatures\n\ + -i: enable informational messages - runtimes and signature lengths\n\ + -p: user PIN\n\ + -t: verify test vectors\n\ + -L: number of levels in the HSS scheme (1..8)\n\ + -l: LMS type (5..9)\n\ + -o: LM-OTS type (1..4)\n\ + -n: number of signatures to generate (0..'max')\n\ + -s: save generated public key and signatures\n\ + -k: keep (don't delete) the generated keys on the hsm\n\ + -r: read and pretty-print a saved signature file\n\ +Numeric arguments can be a single number or a range, e.g. '1..4'\n"; + + int opt; + while ((opt = getopt(argc, argv, "ditp:L:l:o:n:skr:h?")) != -1) { + switch (opt) { + case 'd': + debug = 1; + break; + case 'i': + info = 1; + break; + case 't': + do_testvec = 1; + do_default = 0; + break; + case 'p': + pin = optarg; + break; + case 'n': + if (strcmp(optarg, "max") == 0) + iterations = (size_t)-1; + else + iterations = (size_t)atoi(optarg); + do_default = 0; + break; + case 'L': + if ((p = strtok(optarg, ".")) != NULL) + L_lo = (size_t)atoi(p); + if ((p = strtok(NULL, ".")) != NULL) + L_hi = (size_t)atoi(p); + do_default = 0; + break; + case 'l': + if ((p = strtok(optarg, ".")) != NULL) + lms_lo = (size_t)atoi(p); + if ((p = strtok(NULL, ".")) != NULL) + lms_hi = (size_t)atoi(p); + do_default = 0; + break; + case 'o': + if ((p = strtok(optarg, ".")) != NULL) + lmots_lo = (size_t)atoi(p); + if ((p = strtok(NULL, ".")) != NULL) + lmots_hi = (size_t)atoi(p); + do_default = 0; + break; + case's': + save = 1; + break; + case 'k': + keep = 1; + break; + case 'r': + ok &= read_sig(optarg); + do_default = 0; + break; + case 'h': + case '?': + fprintf(stdout, usage, argv[0]); + exit(EXIT_SUCCESS); + default: + fprintf(stderr, usage, argv[0]); + exit(EXIT_FAILURE); + } + } + + if (do_default) { + do_testvec = 1; + L_lo = 1; + } + + if (L_hi < L_lo) L_hi = L_lo; + if (lms_hi < lms_lo) lms_hi = lms_lo; + if (lmots_hi < lmots_lo) lmots_hi = lmots_lo; + + if ((err = hal_rpc_client_init()) != HAL_OK) + printf("Warning: Trouble initializing RPC client: %s\n", hal_error_string(err)); + + if ((err = hal_rpc_login(client, HAL_USER_NORMAL, pin, strlen(pin))) != HAL_OK) + printf("Warning: Trouble logging into HSM: %s\n", hal_error_string(err)); + + if (do_testvec) { + for (int i = 0; i < (sizeof(hashsig_tc)/sizeof(*hashsig_tc)); i++) + ok &= test_hashsig_testvec_local(&hashsig_tc[i], 0); + + for (int i = 0; i < (sizeof(hashsig_tc)/sizeof(*hashsig_tc)); i++) + for (int j = 0; j < 2; j++) + ok &= test_hashsig_testvec_remote(&hashsig_tc[i], j * HAL_KEY_FLAG_TOKEN); + } + + /* signing/performance tests: run with -i */ + /* A single test would be of the form '-L 2 -l 5 -o 3 -n 1' */ + /* A range test of just keygen would be of the form '-o 1..4 -n 0' */ + /* A test to key exhaustion would be of the form '-n max' */ + if (L_lo > 0) { + for (size_t L = L_lo; L <= L_hi; ++L) { + for (lms_algorithm_t lms_type = lms_lo; lms_type <= lms_hi; ++lms_type) { + for (lmots_algorithm_t lmots_type = lmots_lo; lmots_type <= lmots_hi; ++lmots_type) { + ok &= test_hashsig_sign(L, lms_type, lmots_type, iterations, save, keep); + } + } + } + } + + if ((err = hal_rpc_logout(client)) != HAL_OK) + printf("Warning: Trouble logging out of HSM: %s\n", hal_error_string(err)); + + if ((err = hal_rpc_client_close()) != HAL_OK) + printf("Warning: Trouble shutting down RPC client: %s\n", hal_error_string(err)); + + return !ok; +} diff --git a/tests/test-xdr.c b/tests/test-xdr.c new file mode 100644 index 0000000..eedf48d --- /dev/null +++ b/tests/test-xdr.c @@ -0,0 +1,111 @@ +/* + * xdr.c + * ----- + * Serialization/deserialization routines, using XDR (RFC 4506) encoding. + * These functions are not part of the public libhal API. + * + * Copyright (c) 2016-2018, NORDUnet A/S All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * - Neither the name of the NORDUnet nor the names of its contributors may + * be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <stdio.h> +#include <stdint.h> +#include <stddef.h> /* ptrdiff_t */ +#include <string.h> /* memcpy, memset */ + +#include "hal.h" +#include "hal_internal.h" /* htonl/ntohl */ +#include "xdr_internal.h" + +static void hexdump(uint8_t *buf, uint32_t len) +{ + for (uint32_t i = 0; i < len; ++i) + printf("%02x%c", buf[i], ((i & 0x07) == 0x07) ? '\n' : ' '); + if ((len & 0x07) != 0) + printf("\n"); +} + +int main(int argc, char *argv[]) +{ + uint32_t i; + uint8_t buf[256] = {0}; + uint8_t *bufptr = buf; + const uint8_t *readptr; + uint8_t *limit = buf + sizeof(buf); + hal_error_t ret; + uint8_t alphabet[] = "abcdefghijklmnopqrstuvwxyz"; + uint8_t readbuf[256] = {0}; + + printf("hal_xdr_encode_int: work to failure\n"); + for (i = 1; i < 100; ++i) { + if ((ret = hal_xdr_encode_int(&bufptr, limit, i)) != HAL_OK) { + printf("%d: %s\n", i, hal_error_string(ret)); + break; + } + } + hexdump(buf, ((uint8_t *)bufptr - buf)); + + printf("\nhal_xdr_decode_int:\n"); + readptr = buf; + while (readptr < bufptr) { + if ((ret = hal_xdr_decode_int(&readptr, limit, &i)) != HAL_OK) { + printf("%s\n", hal_error_string(ret)); + break; + } + printf("%u ", i); + } + printf("\n"); + + printf("\nhal_xdr_encode_variable_opaque: work to failure\n"); + memset(buf, 0, sizeof(buf)); + bufptr = buf; + for (i = 1; ; ++i) { + if ((ret = hal_xdr_encode_variable_opaque(&bufptr, limit, alphabet, i)) != HAL_OK) { + printf("%d: %s\n", i, hal_error_string(ret)); + break; + } + } + hexdump(buf, ((uint8_t *)bufptr - buf)); + + printf("\nhal_xdr_decode_variable_opaque:\n"); + readptr = buf; + while (readptr < bufptr) { + size_t len = bufptr - readptr; + if ((ret = hal_xdr_decode_variable_opaque(&readptr, limit, readbuf, &len)) != HAL_OK) { + printf("%s\n", hal_error_string(ret)); + break; + } + printf("%lu: ", len); + for (size_t j = 0; j < len; ++j) + putchar(readbuf[j]); + putchar('\n'); + memset(readbuf, 0, sizeof(readbuf)); + } + + return 0; +} @@ -2,8 +2,9 @@ * xdr.c * ----- * Serialization/deserialization routines, using XDR (RFC 4506) encoding. + * These functions are not part of the public libhal API. * - * Copyright (c) 2016, NORDUnet A/S All rights reserved. + * Copyright (c) 2016-2018, NORDUnet A/S All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are @@ -38,7 +39,7 @@ #include <string.h> /* memcpy, memset */ #include "hal.h" -#include "hal_internal.h" +#include "hal_internal.h" /* htonl/ntohl */ #include "xdr_internal.h" /* encode/decode_int. This covers int, unsigned int, enum, and bool types, @@ -61,7 +62,8 @@ hal_error_t hal_xdr_encode_int(uint8_t ** const outbuf, const uint8_t * const li return HAL_OK; } -hal_error_t hal_xdr_decode_int(const uint8_t ** const inbuf, const uint8_t * const limit, uint32_t *value) +/* decode an integer value without advancing the input pointer */ +hal_error_t hal_xdr_decode_int_peek(const uint8_t ** const inbuf, const uint8_t * const limit, uint32_t *value) { /* arg checks */ if (inbuf == NULL || *inbuf == NULL || limit == NULL || value == NULL) @@ -72,44 +74,38 @@ hal_error_t hal_xdr_decode_int(const uint8_t ** const inbuf, const uint8_t * con return HAL_ERROR_XDR_BUFFER_OVERFLOW; *value = ntohl(**(uint32_t **)inbuf); - *inbuf += sizeof(*value); return HAL_OK; } -/* Undo the last decode_int - roll back the input pointer. - */ -hal_error_t hal_xdr_undecode_int(const uint8_t ** const inbuf) +/* decode an integer value the regular way */ +hal_error_t hal_xdr_decode_int(const uint8_t ** const inbuf, const uint8_t * const limit, uint32_t *value) { - if (inbuf == NULL || *inbuf == NULL) - return HAL_ERROR_BAD_ARGUMENTS; + hal_error_t err; - *inbuf -= sizeof(uint32_t); - return HAL_OK; + if ((err = hal_xdr_decode_int_peek(inbuf, limit, value)) == HAL_OK) + *inbuf += sizeof(*value); + + return err; } -/* encode/decode_buffer. This covers variable-length string and opaque types. - * The data is preceded by a 4-byte length word (encoded as above), and padded - * to a multiple of 4 bytes as necessary. +/* encode/decode_fixed_opaque. This covers fixed-length string and opaque types. + * The data is padded to a multiple of 4 bytes as necessary. */ -hal_error_t hal_xdr_encode_buffer(uint8_t **outbuf, const uint8_t * const limit, const uint8_t *value, const uint32_t len) +hal_error_t hal_xdr_encode_fixed_opaque(uint8_t ** const outbuf, const uint8_t * const limit, const uint8_t * const value, const size_t len) { - hal_error_t ret; + if (len == 0) + return HAL_OK; /* arg checks */ - if (outbuf == NULL || *outbuf == NULL || limit == NULL || - (value == NULL && len != 0)) + if (outbuf == NULL || *outbuf == NULL || limit == NULL || value == NULL) return HAL_ERROR_BAD_ARGUMENTS; /* buffer overflow check */ - if (limit - *outbuf < (ptrdiff_t)(((len + 3) & ~3) + sizeof(len))) + if (limit - *outbuf < (ptrdiff_t)((len + 3) & ~3)) return HAL_ERROR_XDR_BUFFER_OVERFLOW; - /* encode length */ - if ((ret = hal_xdr_encode_int(outbuf, limit, len)) != HAL_OK) - return ret; - - /* write the string or opaque data */ + /* write the data */ memcpy(*outbuf, value, len); *outbuf += len; @@ -123,139 +119,101 @@ hal_error_t hal_xdr_encode_buffer(uint8_t **outbuf, const uint8_t * const limit, return HAL_OK; } -/* This version returns a pointer to the data in the input buffer. - * It is used in the rpc server. - */ -hal_error_t hal_xdr_decode_buffer_in_place(const uint8_t **inbuf, const uint8_t * const limit, const uint8_t ** const value, uint32_t * const len) +hal_error_t hal_xdr_decode_fixed_opaque_ptr(const uint8_t ** const inbuf, const uint8_t * const limit, const uint8_t ** const value, const size_t len) { - hal_error_t ret; - uint32_t xdr_len; - const uint8_t *orig_inbuf = *inbuf; - /* arg checks */ - if (inbuf == NULL || *inbuf == NULL || limit == NULL || value == NULL || len == NULL) + if (inbuf == NULL || *inbuf == NULL || limit == NULL || value == NULL) return HAL_ERROR_BAD_ARGUMENTS; - /* decode the length */ - if ((ret = hal_xdr_decode_int(inbuf, limit, &xdr_len)) != HAL_OK) - return ret; - - /* input and output buffer overflow checks vs decoded length */ - - /* decoded length is past the end of the input buffer; - * we're probably out of sync, but nothing we can do now - */ - if (limit - *inbuf < (ptrdiff_t)xdr_len) { - /* undo read of length */ - *inbuf = orig_inbuf; + /* buffer overflow check */ + if (limit - *inbuf < (ptrdiff_t)len) return HAL_ERROR_XDR_BUFFER_OVERFLOW; - } - /* return a pointer to the string or opaque data */ + /* return a pointer to the data */ *value = *inbuf; - *len = xdr_len; /* update the buffer pointer, skipping any padding bytes */ - *inbuf += (xdr_len + 3) & ~3; + *inbuf += ((len + 3) & ~3); return HAL_OK; } -/* This version copies the data to the user-supplied buffer. - * It is used in the rpc client. - */ -hal_error_t hal_xdr_decode_buffer(const uint8_t **inbuf, const uint8_t * const limit, uint8_t * const value, uint32_t * const len) +hal_error_t hal_xdr_decode_fixed_opaque(const uint8_t ** const inbuf, const uint8_t * const limit, uint8_t * const value, const size_t len) { - if (inbuf == NULL || value == NULL || len == NULL) - return HAL_ERROR_BAD_ARGUMENTS; + const uint8_t *p; + hal_error_t err; - hal_error_t ret; - const uint8_t *vptr; - const uint8_t *orig_inbuf = *inbuf; - uint32_t xdr_len; + /* get and advance the input data pointer */ + if ((err = hal_xdr_decode_fixed_opaque_ptr(inbuf, limit, &p, len)) == HAL_OK) + /* read the data */ + memcpy(value, p, len); + + return err; +} - if ((ret = hal_xdr_decode_buffer_in_place(inbuf, limit, &vptr, &xdr_len)) != HAL_OK) - return ret; +/* encode/decode_variable_opaque. This covers variable-length string and opaque types. + * The data is preceded by a 4-byte length word (encoded as above), and padded + * to a multiple of 4 bytes as necessary. + */ - if (*len < xdr_len) { - /* user buffer is too small, undo read of length */ - *inbuf = orig_inbuf; - ret = HAL_ERROR_XDR_BUFFER_OVERFLOW; - } - else { - memcpy(value, vptr, xdr_len); - } +hal_error_t hal_xdr_encode_variable_opaque(uint8_t ** const outbuf, const uint8_t * const limit, const uint8_t * const value, const size_t len) +{ + hal_error_t err; - *len = xdr_len; + /* encode length */ + if ((err = hal_xdr_encode_int(outbuf, limit, (uint32_t)len)) == HAL_OK) { + /* encode data */ + if ((err = hal_xdr_encode_fixed_opaque(outbuf, limit, value, len)) != HAL_OK) + /* undo write of length */ + *outbuf -= 4; + } - return ret; + return err; } -/* ---------------------------------------------------------------- */ - -#ifdef TEST -static void hexdump(uint8_t *buf, uint32_t len) +/* This version returns a pointer to the data in the input buffer. + * It is used in the rpc server. + */ +hal_error_t hal_xdr_decode_variable_opaque_ptr(const uint8_t ** const inbuf, const uint8_t * const limit, const uint8_t ** const value, size_t * const len) { - for (uint32_t i = 0; i < len; ++i) - printf("%02x%c", buf[i], ((i & 0x07) == 0x07) ? '\n' : ' '); - if ((len & 0x07) != 0) - printf("\n"); + hal_error_t err; + uint32_t xdr_len; + + /* arg checks */ + if (len == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + /* read length */ + if ((err = hal_xdr_decode_int(inbuf, limit, &xdr_len)) == HAL_OK) { + /* get the data pointer */ + if ((err = hal_xdr_decode_fixed_opaque_ptr(inbuf, limit, value, xdr_len)) == HAL_OK) + *len = xdr_len; + else + /* undo read of length */ + *inbuf -= 4; + } + + return err; } -int main(int argc, char *argv[]) +/* This version copies the data to the user-supplied buffer. + * It is used in the rpc client. + */ +hal_error_t hal_xdr_decode_variable_opaque(const uint8_t ** const inbuf, const uint8_t * const limit, uint8_t * const value, size_t * const len) { - uint32_t i; - uint8_t buf[64] = {0}; - uint8_t *bufptr = buf, *readptr; - uint8_t *limit = buf + sizeof(buf); - hal_error_t ret; - uint8_t alphabet[] = "abcdefghijklmnopqrstuvwxyz"; - uint8_t readbuf[64] = {0}; - - printf("hal_xdr_encode_int: work to failure\n"); - for (i = 1; i < 100; ++i) { - if ((ret = hal_xdr_encode_int(&bufptr, limit, i)) != HAL_OK) { - printf("%d: %s\n", i, hal_error_string(ret)); - break; - } - } - hexdump(buf, ((uint8_t *)bufptr - buf)); - - printf("\nhal_xdr_decode_int:\n"); - readptr = buf; - while (readptr < bufptr) { - if ((ret = hal_xdr_decode_int(&readptr, limit, &i)) != HAL_OK) { - printf("%s\n", hal_error_string(ret)); - break; - } - printf("%u ", i); - } - printf("\n"); - - printf("\nhal_xdr_encode_buffer: work to failure\n"); - memset(buf, 0, sizeof(buf)); - bufptr = buf; - for (i = 1; i < 10; ++i) { - if ((ret = hal_xdr_encode_buffer(&bufptr, limit, alphabet, i)) != HAL_OK) { - printf("%d: %s\n", i, hal_error_string(ret)); - break; - } - } - hexdump(buf, ((uint8_t *)bufptr - buf)); - - printf("\nhal_xdr_decode_buffer:\n"); - readptr = buf; - i = sizeof(readbuf); - while (readptr < bufptr) { - if ((ret = hal_xdr_decode_buffer(&readptr, limit, readbuf, &i)) != HAL_OK) { - printf("%s\n", hal_error_string(ret)); - break; - } - printf("%u: ", i); for (int j = 0; j < i; ++j) putchar(readbuf[j]); putchar('\n'); - i = sizeof(readbuf); - memset(readbuf, 0, sizeof(readbuf)); + hal_error_t err; + size_t xdr_len; + const uint8_t *p; + + /* read data pointer and length */ + if ((err = hal_xdr_decode_variable_opaque_ptr(inbuf, limit, &p, &xdr_len)) == HAL_OK) { + /* user buffer overflow check */ + if (*len < xdr_len) + return HAL_ERROR_XDR_BUFFER_OVERFLOW; + /* read the data */ + memcpy(value, p, xdr_len); + *len = xdr_len; } - return 0; + return err; } -#endif diff --git a/xdr_internal.h b/xdr_internal.h index 9d02fd3..aa3a1e9 100644 --- a/xdr_internal.h +++ b/xdr_internal.h @@ -2,8 +2,9 @@ * xdr_internal.h * -------------- * Serialization/deserialization routines, using XDR (RFC 4506) encoding. + * These functions are not part of the public libhal API. * - * Copyright (c) 2016, NORDUnet A/S All rights reserved. + * Copyright (c) 2016-2018, NORDUnet A/S All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are @@ -35,10 +36,6 @@ #ifndef _XDR_INTERNAL_H #define _XDR_INTERNAL_H - /* - * RPC serialization/deserialization routines, using XDR (RFC 4506) encoding. - */ - hal_error_t hal_xdr_encode_int(uint8_t ** const outbuf, const uint8_t * const limit, const uint32_t value); @@ -47,22 +44,35 @@ hal_error_t hal_xdr_decode_int(const uint8_t ** const inbuf, const uint8_t * const limit, uint32_t * const value); -hal_error_t hal_xdr_undecode_int(const uint8_t ** const inbuf); +hal_error_t hal_xdr_decode_int_peek(const uint8_t ** const inbuf, + const uint8_t * const limit, + uint32_t * const value); + +hal_error_t hal_xdr_encode_fixed_opaque(uint8_t ** const outbuf, + const uint8_t * const limit, + const uint8_t * const value, const size_t len); -hal_error_t hal_xdr_encode_buffer(uint8_t ** const outbuf, - const uint8_t * const limit, - const uint8_t * const value, - const uint32_t len); +hal_error_t hal_xdr_decode_fixed_opaque(const uint8_t ** const inbuf, + const uint8_t * const limit, + uint8_t * const value, const size_t len); -hal_error_t hal_xdr_decode_buffer_in_place(const uint8_t ** const inbuf, +hal_error_t hal_xdr_decode_fixed_opaque_ptr(const uint8_t ** const inbuf, + const uint8_t * const limit, + const uint8_t ** const vptr, const size_t len); + +hal_error_t hal_xdr_encode_variable_opaque(uint8_t ** const outbuf, const uint8_t * const limit, - const uint8_t ** const vptr, - uint32_t * const len); + const uint8_t * const value, + const size_t len); -hal_error_t hal_xdr_decode_buffer(const uint8_t ** const inbuf, - const uint8_t * const limit, - uint8_t * const value, - uint32_t * const len); +hal_error_t hal_xdr_decode_variable_opaque(const uint8_t ** const inbuf, + const uint8_t * const limit, + uint8_t * const value, + size_t * const len); +hal_error_t hal_xdr_decode_variable_opaque_ptr(const uint8_t ** const inbuf, + const uint8_t * const limit, + const uint8_t ** const vptr, + size_t * const len); #endif /* _XDR_INTERNAL_H*/ |