Coverage Report

Created: 2021-02-21 07:20

/src/botan/src/lib/pubkey/xmss/xmss_verification_operation.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * XMSS Verification Operation
3
 * Provides signature verification capabilities for Extended Hash-Based
4
 * Signatures (XMSS).
5
 *
6
 * (C) 2016,2017 Matthias Gierlings
7
 *
8
 * Botan is released under the Simplified BSD License (see license.txt)
9
 **/
10
11
#include <botan/internal/xmss_verification_operation.h>
12
#include <botan/internal/xmss_common_ops.h>
13
#include <botan/internal/xmss_tools.h>
14
#include <array>
15
16
namespace Botan {
17
18
XMSS_Verification_Operation::XMSS_Verification_Operation(
19
   const XMSS_PublicKey& public_key) :
20
   m_pub_key(public_key),
21
   m_hash(public_key.xmss_hash_function()),
22
   m_msg_buf(0)
23
0
   {
24
0
   }
Unexecuted instantiation: Botan::XMSS_Verification_Operation::XMSS_Verification_Operation(Botan::XMSS_PublicKey const&)
Unexecuted instantiation: Botan::XMSS_Verification_Operation::XMSS_Verification_Operation(Botan::XMSS_PublicKey const&)
25
26
secure_vector<uint8_t>
27
XMSS_Verification_Operation::root_from_signature(const XMSS_Signature& sig,
28
      const secure_vector<uint8_t>& msg,
29
      XMSS_Address& adrs,
30
      const secure_vector<uint8_t>& seed)
31
0
   {
32
0
   const auto params = m_pub_key.xmss_parameters();
33
34
0
   const uint32_t next_index = static_cast<uint32_t>(sig.unused_leaf_index());
35
0
   adrs.set_type(XMSS_Address::Type::OTS_Hash_Address);
36
0
   adrs.set_ots_address(next_index);
37
38
0
   XMSS_WOTS_PublicKey pub_key_ots(m_pub_key.wots_parameters().oid(),
39
0
                                   msg,
40
0
                                   sig.tree().ots_signature(),
41
0
                                   adrs,
42
0
                                   seed);
43
44
0
   adrs.set_type(XMSS_Address::Type::LTree_Address);
45
0
   adrs.set_ltree_address(next_index);
46
47
0
   std::array<secure_vector<uint8_t>, 2> node;
48
0
   XMSS_Common_Ops::create_l_tree(node[0], pub_key_ots, adrs, seed, m_hash, params);
49
50
0
   adrs.set_type(XMSS_Address::Type::Hash_Tree_Address);
51
0
   adrs.set_tree_index(next_index);
52
53
0
   for(size_t k = 0; k < params.tree_height(); k++)
54
0
      {
55
0
      adrs.set_tree_height(static_cast<uint32_t>(k));
56
0
      if(((next_index / (static_cast<size_t>(1) << k)) & 0x01) == 0)
57
0
         {
58
0
         adrs.set_tree_index(adrs.get_tree_index() >> 1);
59
0
         XMSS_Common_Ops::randomize_tree_hash(node[1],
60
0
                                              node[0],
61
0
                                              sig.tree().authentication_path()[k],
62
0
                                              adrs,
63
0
                                              seed,
64
0
                                              m_hash,
65
0
                                              params);
66
0
         }
67
0
      else
68
0
         {
69
0
         adrs.set_tree_index((adrs.get_tree_index() - 1) >> 1);
70
0
         XMSS_Common_Ops::randomize_tree_hash(node[1],
71
0
                                              sig.tree().authentication_path()[k],
72
0
                                              node[0],
73
0
                                              adrs,
74
0
                                              seed,
75
0
                                              m_hash,
76
0
                                              params);
77
0
         }
78
0
      node[0] = node[1];
79
0
      }
80
0
   return node[0];
81
0
   }
82
83
bool
84
XMSS_Verification_Operation::verify(const XMSS_Signature& sig,
85
                                    const secure_vector<uint8_t>& msg,
86
                                    const XMSS_PublicKey& public_key)
87
0
   {
88
0
   XMSS_Address adrs;
89
0
   secure_vector<uint8_t> index_bytes;
90
0
   XMSS_Tools::concat(index_bytes,
91
0
                      sig.unused_leaf_index(),
92
0
                      m_pub_key.xmss_parameters().element_size());
93
0
   secure_vector<uint8_t> msg_digest =
94
0
      m_hash.h_msg(sig.randomness(),
95
0
                   public_key.root(),
96
0
                   index_bytes,
97
0
                   msg);
98
99
0
   secure_vector<uint8_t> node = root_from_signature(sig,
100
0
                                 msg_digest,
101
0
                                 adrs,
102
0
                                 public_key.public_seed());
103
104
0
   return (node == public_key.root());
105
0
   }
106
107
// FIXME: XMSS signature verification requires the "randomness" parameter out
108
// of the XMSS signature, which is part of the prefix that is hashed before
109
// msg. Since the signature is unknown till sign() is called all message
110
// content has to be buffered. For large messages this can be inconvenient or
111
// impossible.
112
// Possible solution: Change PK_Ops::Verification interface to take the
113
// signature as constructor argument, make sign a parameterless member call.
114
void XMSS_Verification_Operation::update(const uint8_t msg[], size_t msg_len)
115
0
   {
116
0
   std::copy(msg, msg + msg_len, std::back_inserter(m_msg_buf));
117
0
   }
118
119
bool XMSS_Verification_Operation::is_valid_signature(const uint8_t sig[],
120
      size_t sig_len)
121
0
   {
122
0
   try
123
0
      {
124
0
      XMSS_Signature signature(m_pub_key.xmss_parameters().oid(),
125
0
                               secure_vector<uint8_t>(sig, sig + sig_len));
126
0
      bool result = verify(signature, m_msg_buf, m_pub_key);
127
0
      m_msg_buf.clear();
128
0
      return result;
129
0
      }
130
0
   catch(...)
131
0
      {
132
0
      m_msg_buf.clear();
133
0
      return false;
134
0
      }
135
0
   }
136
137
}
138