/src/openssl/crypto/slh_dsa/slh_wots.c

Source
/*
 * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <openssl/crypto.h>
#include "slh_dsa_local.h"
#include "slh_dsa_key.h"

/* For the parameter sets defined there is only one w value */
#define SLH_WOTS_LOGW 4
#define SLH_WOTS_W 16
#define SLH_WOTS_LEN1(n) (2 * (n))
#define SLH_WOTS_LEN2 3
#define SLH_WOTS_CHECKSUM_LEN ((SLH_WOTS_LEN2 + SLH_WOTS_LOGW + 7) / 8)
#define SLH_WOTS_LEN_MAX SLH_WOTS_LEN(SLH_MAX_N)
#define NIBBLE_MASK 15
#define NIBBLE_SHIFT 4

/*
 * @brief Convert a byte array to a byte array of (4 bit) nibbles
 * This is a Variant of the FIPS 205 Algorithm 4 base_2^b function.
 *
 * @param in A byte message to convert
 * @param in_len The size of |in|.
 * @param out The returned array of nibbles, with a size of 2*|in_len|
 */
static ossl_inline void slh_bytes_to_nibbles(const uint8_t *in, size_t in_len,
    uint8_t *out)
{
    size_t consumed = 0;

    for (consumed = 0; consumed < in_len; consumed++) {
        *out++ = (*in >> NIBBLE_SHIFT);
        *out++ = (*in++ & NIBBLE_MASK);
    }
}

/*
 * With w = 16 the maximum checksum is 0xF * n which fits into 12 bits
 * which is 3 nibbles.
 *
 * This is effectively a cutdown version of Algorithm 7: steps 3 to 6
 * which does a complicated base2^b(tobyte()) operation.
 */
static ossl_inline void compute_checksum_nibbles(const uint8_t *in, size_t in_len,
    uint8_t *out)
{
    size_t i;
    uint16_t csum = 0;

    /* Compute checksum */
    for (i = 0; i < in_len; ++i)
        csum += in[i];
    /*
     * This line is effectively the same as doing csum += NIBBLE_MASK - in[i]
     * in the loop above.
     */
    csum = (uint16_t)(NIBBLE_MASK * in_len) - csum;

    /* output checksum as 3 nibbles */
    out[0] = (csum >> (2 * NIBBLE_SHIFT)) & NIBBLE_MASK;
    out[1] = (csum >> NIBBLE_SHIFT) & NIBBLE_MASK;
    out[2] = csum & NIBBLE_MASK;
}

/**
 * @brief WOTS+ Chaining function
 * See FIPS 205 Section 5 Algorithm 5
 *
 * Iterates using a hash function on the input |steps| times starting at index
 * |start|. (Internally the |adrs| hash address is used to update the chaining
 * index).
 *
 * @param ctx Contains SLH_DSA algorithm functions and constants.
 * @param in An input string of |n| bytes
 * @param start_index The chaining start index
 * @param steps The number of iterations starting from |start_index|
 *              Note |start_index| + |steps| < w
 *              (where w = 16 indicates the length of the hash chains)
 * @param pk_seed A public key seed (which is added to the hash)
 * @param adrs An ADRS object which has a type of WOTS_HASH, and has a layer
 *             address, tree address, key pair address and chain address
 * @params wpkt A WPACKET object to write the hash chain to (n bytes are written)
 * @returns 1 on success, or 0 on error.
 */
static int slh_wots_chain(SLH_DSA_HASH_CTX *ctx, const uint8_t *in,
    uint8_t start_index, uint8_t steps,
    const uint8_t *pk_seed, uint8_t *adrs, WPACKET *wpkt)
{
    const SLH_DSA_KEY *key = ctx->key;
    SLH_HASH_FUNC_DECLARE(key, hashf);
    SLH_ADRS_FUNC_DECLARE(key, adrsf);
    SLH_HASH_FN_DECLARE(hashf, F);
    SLH_ADRS_FN_DECLARE(adrsf, set_hash_address);
    size_t j = start_index, end_index;
    size_t n = key->params->n;
    uint8_t *tmp; /* Pointer into the |wpkt| buffer */
    size_t tmp_len = n;

    if (steps == 0)
        return WPACKET_memcpy(wpkt, in, n);

    if (!WPACKET_allocate_bytes(wpkt, tmp_len, &tmp))
        return 0;

    set_hash_address(adrs, (uint32_t)(j++));
    if (!F(ctx, pk_seed, adrs, in, n, tmp, tmp_len))
        return 0;

    end_index = start_index + steps;
    for (; j < end_index; ++j) {
        set_hash_address(adrs, (uint32_t)j);
        if (!F(ctx, pk_seed, adrs, tmp, n, tmp, tmp_len))
            return 0;
    }
    return 1;
}

/**
 * @brief WOTS+ Public key generation.
 * See FIPS 205 Section 5.1 Algorithm 6
 *
 * @param ctx Contains SLH_DSA algorithm functions and constants.
 * @param sk_seed A private key seed of size |n|
 * @param pk_seed A public key seed of size |n|
 * @param adrs An ADRS object containing the layer address, tree address and
 *             keypair address of the WOTS+ public key to generate.
 * @param pk_out The generated public key of size |n|
 * @param pk_out_len The maximum size of |pk_out|
 * @returns 1 on success, or 0 on error.
 */
int ossl_slh_wots_pk_gen(SLH_DSA_HASH_CTX *ctx,
    const uint8_t *sk_seed, const uint8_t *pk_seed,
    uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len)
{
    int ret = 0;
    const SLH_DSA_KEY *key = ctx->key;
    size_t n = key->params->n;
    size_t len = SLH_WOTS_LEN(n); /* 2 * n + 3 */
    uint8_t tmp[SLH_WOTS_LEN_MAX * SLH_MAX_N];
    size_t tmp_len = n * len;

    SLH_HASH_FUNC_DECLARE(key, hashf);
    SLH_ADRS_FUNC_DECLARE(key, adrsf);
    SLH_ADRS_DECLARE(wots_pk_adrs);

    if (!hashf->wots_pk_gen(ctx, sk_seed, pk_seed, adrs, tmp, tmp_len))
        goto end;

    adrsf->copy(wots_pk_adrs, adrs);
    adrsf->set_type_and_clear(wots_pk_adrs, SLH_ADRS_TYPE_WOTS_PK);
    adrsf->copy_keypair_address(wots_pk_adrs, adrs);
    ret = hashf->T(ctx, pk_seed, wots_pk_adrs, tmp, tmp_len, pk_out, pk_out_len);
end:
    return ret;
}

/**
 * @brief WOTS+ Signature generation
 * See FIPS 205 Section 5.2 Algorithm 7
 *
 * The returned signature size is len * |n| bytes (where len = 2 * |n| + 3).
 *
 * @param ctx Contains SLH_DSA algorithm functions and constants.
 * @param msg An input message of size |n| bytes.
 *            The message is either an XMSS or FORS public key
 * @param sk_seed The private key seed of size |n| bytes
 * @param pk_seed The public key seed  of size |n| bytes
 * @param adrs An address containing the layer address, tree address and key
 *             pair address. The size is either 32 or 22 bytes.
 * @param sig_wpkt A WPACKET object to write the signature to.
 * @returns 1 on success, or 0 on error.
 */
int ossl_slh_wots_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *msg,
    const uint8_t *sk_seed, const uint8_t *pk_seed,
    uint8_t *adrs, WPACKET *sig_wpkt)
{
    int ret = 0;
    const SLH_DSA_KEY *key = ctx->key;
    uint8_t msg_and_csum_nibbles[SLH_WOTS_LEN_MAX]; /* size is >= 2 * n + 3 */
    uint8_t sk[SLH_MAX_N];
    size_t i;
    size_t n = key->params->n;
    size_t len1 = SLH_WOTS_LEN1(n); /* 2 * n = the msg length in nibbles */
    size_t len = len1 + SLH_WOTS_LEN2; /* 2 * n + 3 (3 checksum nibbles) */

    SLH_ADRS_DECLARE(sk_adrs);
    SLH_HASH_FUNC_DECLARE(key, hashf);
    SLH_ADRS_FUNC_DECLARE(key, adrsf);
    SLH_HASH_FN_DECLARE(hashf, PRF);
    SLH_ADRS_FN_DECLARE(adrsf, set_chain_address);

    /*
     * Convert n message bytes to 2*n base w=16 integers
     * i.e. Convert message to an array of 2*n nibbles.
     */
    slh_bytes_to_nibbles(msg, n, msg_and_csum_nibbles);
    /* Compute a 12 bit checksum and add it to the end */
    compute_checksum_nibbles(msg_and_csum_nibbles, len1, msg_and_csum_nibbles + len1);

    adrsf->copy(sk_adrs, adrs);
    adrsf->set_type_and_clear(sk_adrs, SLH_ADRS_TYPE_WOTS_PRF);
    adrsf->copy_keypair_address(sk_adrs, adrs);

    for (i = 0; i < len; ++i) {
        set_chain_address(sk_adrs, (uint32_t)i);
        /* compute chain i secret */
        if (!PRF(ctx, pk_seed, sk_seed, sk_adrs, sk, sizeof(sk)))
            goto err;
        set_chain_address(adrs, (uint32_t)i);
        /* compute chain i signature */
        if (!slh_wots_chain(ctx, sk, 0, msg_and_csum_nibbles[i],
                pk_seed, adrs, sig_wpkt))
            goto err;
    }
    ret = 1;
err:
    return ret;
}

/**
 * @brief Compute a candidate WOTS+ public key from a message and signature
 * See FIPS 205 Section 5.3 Algorithm 8
 *
 * The size of the signature is len * |n| bytes (where len = 2 * |n| + 3).
 *
 * @param ctx Contains SLH_DSA algorithm functions and constants.
 * @param sig_rpkt A PACKET object to read a WOTS+ signature from
 * @param msg A message of size |n| bytes.
 * @param pk_seed The public key seed of size |n|.
 * @param adrs An ADRS object containing the layer address, tree address and
 *             key pair address that of the WOTS+ key used to sign the message.
 * @param pk_out The returned public key candidate of size |n|
 * @param pk_out_len The maximum size of |pk_out|
 * @returns 1 on success, or 0 on error.
 */
int ossl_slh_wots_pk_from_sig(SLH_DSA_HASH_CTX *ctx,
    PACKET *sig_rpkt, const uint8_t *msg,
    const uint8_t *pk_seed, uint8_t *adrs,
    uint8_t *pk_out, size_t pk_out_len)
{
    int ret = 0;
    const SLH_DSA_KEY *key = ctx->key;
    uint8_t msg_and_csum_nibbles[SLH_WOTS_LEN_MAX];
    size_t i;
    size_t n = key->params->n;
    size_t len1 = SLH_WOTS_LEN1(n);
    size_t len = len1 + SLH_WOTS_LEN2; /* 2n + 3 */
    const uint8_t *sig_i; /* Pointer into |sig_rpkt| buffer */
    uint8_t tmp[SLH_WOTS_LEN_MAX * SLH_MAX_N];
    WPACKET pkt, *tmp_pkt = &pkt;
    size_t tmp_len = 0;

    SLH_HASH_FUNC_DECLARE(key, hashf);
    SLH_ADRS_FUNC_DECLARE(key, adrsf);
    SLH_ADRS_FN_DECLARE(adrsf, set_chain_address);
    SLH_ADRS_DECLARE(wots_pk_adrs);

    if (!WPACKET_init_static_len(tmp_pkt, tmp, sizeof(tmp), 0))
        return 0;

    slh_bytes_to_nibbles(msg, n, msg_and_csum_nibbles);
    compute_checksum_nibbles(msg_and_csum_nibbles, len1, msg_and_csum_nibbles + len1);

    /* Compute the end nodes for each of the chains */
    for (i = 0; i < len; ++i) {
        set_chain_address(adrs, (uint32_t)i);
        if (!PACKET_get_bytes(sig_rpkt, &sig_i, n)
            || !slh_wots_chain(ctx, sig_i, msg_and_csum_nibbles[i],
                NIBBLE_MASK - msg_and_csum_nibbles[i],
                pk_seed, adrs, tmp_pkt))
            goto err;
    }
    /* compress the computed public key value */
    adrsf->copy(wots_pk_adrs, adrs);
    adrsf->set_type_and_clear(wots_pk_adrs, SLH_ADRS_TYPE_WOTS_PK);
    adrsf->copy_keypair_address(wots_pk_adrs, adrs);
    if (!WPACKET_get_total_written(tmp_pkt, &tmp_len))
        goto err;
    ret = hashf->T(ctx, pk_seed, wots_pk_adrs, tmp, tmp_len,
        pk_out, pk_out_len);
err:
    if (!WPACKET_finish(tmp_pkt))
        ret = 0;
    return ret;
}

Coverage Report

Created: 2026-02-22 06:11

Line	Count	Source
1		/*
2		* Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <string.h>
11		#include <openssl/crypto.h>
12		#include "slh_dsa_local.h"
13		#include "slh_dsa_key.h"
14
15		/* For the parameter sets defined there is only one w value */
16		#define SLH_WOTS_LOGW 4
17		#define SLH_WOTS_W 16
18	0	#define SLH_WOTS_LEN1(n) (2 * (n))
19	0	#define SLH_WOTS_LEN2 3
20		#define SLH_WOTS_CHECKSUM_LEN ((SLH_WOTS_LEN2 + SLH_WOTS_LOGW + 7) / 8)
21		#define SLH_WOTS_LEN_MAX SLH_WOTS_LEN(SLH_MAX_N)
22	0	#define NIBBLE_MASK 15
23	0	#define NIBBLE_SHIFT 4
24
25		/*
26		* @brief Convert a byte array to a byte array of (4 bit) nibbles
27		* This is a Variant of the FIPS 205 Algorithm 4 base_2^b function.
28		*
29		* @param in A byte message to convert
30		* @param in_len The size of \|in\|.
31		* @param out The returned array of nibbles, with a size of 2*\|in_len\|
32		*/
33		static ossl_inline void slh_bytes_to_nibbles(const uint8_t *in, size_t in_len,
34		uint8_t *out)
35	0	{
36	0	size_t consumed = 0;
37
38	0	for (consumed = 0; consumed < in_len; consumed++) {
39	0	out++ = (in >> NIBBLE_SHIFT);
40	0	out++ = (in++ & NIBBLE_MASK);
41	0	}
42	0	}
43
44		/*
45		* With w = 16 the maximum checksum is 0xF * n which fits into 12 bits
46		* which is 3 nibbles.
47		*
48		* This is effectively a cutdown version of Algorithm 7: steps 3 to 6
49		* which does a complicated base2^b(tobyte()) operation.
50		*/
51		static ossl_inline void compute_checksum_nibbles(const uint8_t *in, size_t in_len,
52		uint8_t *out)
53	0	{
54	0	size_t i;
55	0	uint16_t csum = 0;
56
57		/* Compute checksum */
58	0	for (i = 0; i < in_len; ++i)
59	0	csum += in[i];
60		/*
61		* This line is effectively the same as doing csum += NIBBLE_MASK - in[i]
62		* in the loop above.
63		*/
64	0	csum = (uint16_t)(NIBBLE_MASK * in_len) - csum;
65
66		/* output checksum as 3 nibbles */
67	0	out[0] = (csum >> (2 * NIBBLE_SHIFT)) & NIBBLE_MASK;
68	0	out[1] = (csum >> NIBBLE_SHIFT) & NIBBLE_MASK;
69	0	out[2] = csum & NIBBLE_MASK;
70	0	}
71
72		/**
73		* @brief WOTS+ Chaining function
74		* See FIPS 205 Section 5 Algorithm 5
75		*
76		* Iterates using a hash function on the input \|steps\| times starting at index
77		* \|start\|. (Internally the \|adrs\| hash address is used to update the chaining
78		* index).
79		*
80		* @param ctx Contains SLH_DSA algorithm functions and constants.
81		* @param in An input string of \|n\| bytes
82		* @param start_index The chaining start index
83		* @param steps The number of iterations starting from \|start_index\|
84		* Note \|start_index\| + \|steps\| < w
85		* (where w = 16 indicates the length of the hash chains)
86		* @param pk_seed A public key seed (which is added to the hash)
87		* @param adrs An ADRS object which has a type of WOTS_HASH, and has a layer
88		* address, tree address, key pair address and chain address
89		* @params wpkt A WPACKET object to write the hash chain to (n bytes are written)
90		* @returns 1 on success, or 0 on error.
91		*/
92		static int slh_wots_chain(SLH_DSA_HASH_CTX ctx, const uint8_t in,
93		uint8_t start_index, uint8_t steps,
94		const uint8_t pk_seed, uint8_t adrs, WPACKET *wpkt)
95	0	{
96	0	const SLH_DSA_KEY *key = ctx->key;
97	0	SLH_HASH_FUNC_DECLARE(key, hashf);
98	0	SLH_ADRS_FUNC_DECLARE(key, adrsf);
99	0	SLH_HASH_FN_DECLARE(hashf, F);
100	0	SLH_ADRS_FN_DECLARE(adrsf, set_hash_address);
101	0	size_t j = start_index, end_index;
102	0	size_t n = key->params->n;
103	0	uint8_t tmp; / Pointer into the \|wpkt\| buffer */
104	0	size_t tmp_len = n;
105
106	0	if (steps == 0)
107	0	return WPACKET_memcpy(wpkt, in, n);
108
109	0	if (!WPACKET_allocate_bytes(wpkt, tmp_len, &tmp))
110	0	return 0;
111
112	0	set_hash_address(adrs, (uint32_t)(j++));
113	0	if (!F(ctx, pk_seed, adrs, in, n, tmp, tmp_len))
114	0	return 0;
115
116	0	end_index = start_index + steps;
117	0	for (; j < end_index; ++j) {
118	0	set_hash_address(adrs, (uint32_t)j);
119	0	if (!F(ctx, pk_seed, adrs, tmp, n, tmp, tmp_len))
120	0	return 0;
121	0	}
122	0	return 1;
123	0	}
124
125		/**
126		* @brief WOTS+ Public key generation.
127		* See FIPS 205 Section 5.1 Algorithm 6
128		*
129		* @param ctx Contains SLH_DSA algorithm functions and constants.
130		* @param sk_seed A private key seed of size \|n\|
131		* @param pk_seed A public key seed of size \|n\|
132		* @param adrs An ADRS object containing the layer address, tree address and
133		* keypair address of the WOTS+ public key to generate.
134		* @param pk_out The generated public key of size \|n\|
135		* @param pk_out_len The maximum size of \|pk_out\|
136		* @returns 1 on success, or 0 on error.
137		*/
138		int ossl_slh_wots_pk_gen(SLH_DSA_HASH_CTX *ctx,
139		const uint8_t sk_seed, const uint8_t pk_seed,
140		uint8_t adrs, uint8_t pk_out, size_t pk_out_len)
141	0	{
142	0	int ret = 0;
143	0	const SLH_DSA_KEY *key = ctx->key;
144	0	size_t n = key->params->n;
145	0	size_t len = SLH_WOTS_LEN(n); /* 2 * n + 3 */
146	0	uint8_t tmp[SLH_WOTS_LEN_MAX * SLH_MAX_N];
147	0	size_t tmp_len = n * len;
148
149	0	SLH_HASH_FUNC_DECLARE(key, hashf);
150	0	SLH_ADRS_FUNC_DECLARE(key, adrsf);
151	0	SLH_ADRS_DECLARE(wots_pk_adrs);
152
153	0	if (!hashf->wots_pk_gen(ctx, sk_seed, pk_seed, adrs, tmp, tmp_len))
154	0	goto end;
155
156	0	adrsf->copy(wots_pk_adrs, adrs);
157	0	adrsf->set_type_and_clear(wots_pk_adrs, SLH_ADRS_TYPE_WOTS_PK);
158	0	adrsf->copy_keypair_address(wots_pk_adrs, adrs);
159	0	ret = hashf->T(ctx, pk_seed, wots_pk_adrs, tmp, tmp_len, pk_out, pk_out_len);
160	0	end:
161	0	return ret;
162	0	}
163
164		/**
165		* @brief WOTS+ Signature generation
166		* See FIPS 205 Section 5.2 Algorithm 7
167		*
168		* The returned signature size is len * \|n\| bytes (where len = 2 * \|n\| + 3).
169		*
170		* @param ctx Contains SLH_DSA algorithm functions and constants.
171		* @param msg An input message of size \|n\| bytes.
172		* The message is either an XMSS or FORS public key
173		* @param sk_seed The private key seed of size \|n\| bytes
174		* @param pk_seed The public key seed of size \|n\| bytes
175		* @param adrs An address containing the layer address, tree address and key
176		* pair address. The size is either 32 or 22 bytes.
177		* @param sig_wpkt A WPACKET object to write the signature to.
178		* @returns 1 on success, or 0 on error.
179		*/
180		int ossl_slh_wots_sign(SLH_DSA_HASH_CTX ctx, const uint8_t msg,
181		const uint8_t sk_seed, const uint8_t pk_seed,
182		uint8_t adrs, WPACKET sig_wpkt)
183	0	{
184	0	int ret = 0;
185	0	const SLH_DSA_KEY *key = ctx->key;
186	0	uint8_t msg_and_csum_nibbles[SLH_WOTS_LEN_MAX]; /* size is >= 2 * n + 3 */
187	0	uint8_t sk[SLH_MAX_N];
188	0	size_t i;
189	0	size_t n = key->params->n;
190	0	size_t len1 = SLH_WOTS_LEN1(n); /* 2 * n = the msg length in nibbles */
191	0	size_t len = len1 + SLH_WOTS_LEN2; /* 2 * n + 3 (3 checksum nibbles) */
192
193	0	SLH_ADRS_DECLARE(sk_adrs);
194	0	SLH_HASH_FUNC_DECLARE(key, hashf);
195	0	SLH_ADRS_FUNC_DECLARE(key, adrsf);
196	0	SLH_HASH_FN_DECLARE(hashf, PRF);
197	0	SLH_ADRS_FN_DECLARE(adrsf, set_chain_address);
198
199		/*
200		* Convert n message bytes to 2*n base w=16 integers
201		* i.e. Convert message to an array of 2*n nibbles.
202		*/
203	0	slh_bytes_to_nibbles(msg, n, msg_and_csum_nibbles);
204		/* Compute a 12 bit checksum and add it to the end */
205	0	compute_checksum_nibbles(msg_and_csum_nibbles, len1, msg_and_csum_nibbles + len1);
206
207	0	adrsf->copy(sk_adrs, adrs);
208	0	adrsf->set_type_and_clear(sk_adrs, SLH_ADRS_TYPE_WOTS_PRF);
209	0	adrsf->copy_keypair_address(sk_adrs, adrs);
210
211	0	for (i = 0; i < len; ++i) {
212	0	set_chain_address(sk_adrs, (uint32_t)i);
213		/* compute chain i secret */
214	0	if (!PRF(ctx, pk_seed, sk_seed, sk_adrs, sk, sizeof(sk)))
215	0	goto err;
216	0	set_chain_address(adrs, (uint32_t)i);
217		/* compute chain i signature */
218	0	if (!slh_wots_chain(ctx, sk, 0, msg_and_csum_nibbles[i],
219	0	pk_seed, adrs, sig_wpkt))
220	0	goto err;
221	0	}
222	0	ret = 1;
223	0	err:
224	0	return ret;
225	0	}
226
227		/**
228		* @brief Compute a candidate WOTS+ public key from a message and signature
229		* See FIPS 205 Section 5.3 Algorithm 8
230		*
231		* The size of the signature is len * \|n\| bytes (where len = 2 * \|n\| + 3).
232		*
233		* @param ctx Contains SLH_DSA algorithm functions and constants.
234		* @param sig_rpkt A PACKET object to read a WOTS+ signature from
235		* @param msg A message of size \|n\| bytes.
236		* @param pk_seed The public key seed of size \|n\|.
237		* @param adrs An ADRS object containing the layer address, tree address and
238		* key pair address that of the WOTS+ key used to sign the message.
239		* @param pk_out The returned public key candidate of size \|n\|
240		* @param pk_out_len The maximum size of \|pk_out\|
241		* @returns 1 on success, or 0 on error.
242		*/
243		int ossl_slh_wots_pk_from_sig(SLH_DSA_HASH_CTX *ctx,
244		PACKET sig_rpkt, const uint8_t msg,
245		const uint8_t pk_seed, uint8_t adrs,
246		uint8_t *pk_out, size_t pk_out_len)
247	0	{
248	0	int ret = 0;
249	0	const SLH_DSA_KEY *key = ctx->key;
250	0	uint8_t msg_and_csum_nibbles[SLH_WOTS_LEN_MAX];
251	0	size_t i;
252	0	size_t n = key->params->n;
253	0	size_t len1 = SLH_WOTS_LEN1(n);
254	0	size_t len = len1 + SLH_WOTS_LEN2; /* 2n + 3 */
255	0	const uint8_t sig_i; / Pointer into \|sig_rpkt\| buffer */
256	0	uint8_t tmp[SLH_WOTS_LEN_MAX * SLH_MAX_N];
257	0	WPACKET pkt, *tmp_pkt = &pkt;
258	0	size_t tmp_len = 0;
259
260	0	SLH_HASH_FUNC_DECLARE(key, hashf);
261	0	SLH_ADRS_FUNC_DECLARE(key, adrsf);
262	0	SLH_ADRS_FN_DECLARE(adrsf, set_chain_address);
263	0	SLH_ADRS_DECLARE(wots_pk_adrs);
264
265	0	if (!WPACKET_init_static_len(tmp_pkt, tmp, sizeof(tmp), 0))
266	0	return 0;
267
268	0	slh_bytes_to_nibbles(msg, n, msg_and_csum_nibbles);
269	0	compute_checksum_nibbles(msg_and_csum_nibbles, len1, msg_and_csum_nibbles + len1);
270
271		/* Compute the end nodes for each of the chains */
272	0	for (i = 0; i < len; ++i) {
273	0	set_chain_address(adrs, (uint32_t)i);
274	0	if (!PACKET_get_bytes(sig_rpkt, &sig_i, n)
275	0	\|\| !slh_wots_chain(ctx, sig_i, msg_and_csum_nibbles[i],
276	0	NIBBLE_MASK - msg_and_csum_nibbles[i],
277	0	pk_seed, adrs, tmp_pkt))
278	0	goto err;
279	0	}
280		/* compress the computed public key value */
281	0	adrsf->copy(wots_pk_adrs, adrs);
282	0	adrsf->set_type_and_clear(wots_pk_adrs, SLH_ADRS_TYPE_WOTS_PK);
283	0	adrsf->copy_keypair_address(wots_pk_adrs, adrs);
284	0	if (!WPACKET_get_total_written(tmp_pkt, &tmp_len))
285	0	goto err;
286	0	ret = hashf->T(ctx, pk_seed, wots_pk_adrs, tmp, tmp_len,
287	0	pk_out, pk_out_len);
288	0	err:
289	0	if (!WPACKET_finish(tmp_pkt))
290	0	ret = 0;
291	0	return ret;
292	0	}