| /* |
| * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. |
| * |
| * Licensed under the Apache License 2.0 (the "License"). You may not use |
| * this file except in compliance with the License. You can obtain a copy |
| * in the file LICENSE in the source distribution or at |
| * https://www.openssl.org/source/license.html |
| */ |
| |
| /* @brief Internal LMS helper functions */ |
| |
| #include "internal/packet.h" |
| #include <openssl/params.h> |
| #include <openssl/core_names.h> |
| #include <openssl/evp.h> |
| |
| /* |
| * This LMS implementation assumes that the hash algorithm must be the same for |
| * LMS params and OTS params. Since OpenSSL does not have a "SHAKE256-192" |
| * algorithm, we have to check the digest size as well as the name. |
| * This macro can be used to compare 2 LMS_PARAMS, LMS_PARAMS and LM_OTS_PARAMS. |
| */ |
| #define HASH_NOT_MATCHED(a, b) \ |
| (a)->n != (b)->n || (strcmp((a)->digestname, (b)->digestname) != 0) |
| |
| /* |
| * See RFC 8554 Section 3.1.3: Strings of w-bit Elements |
| * w: Is one of {1,2,4,8} |
| */ |
| static ossl_unused ossl_inline uint8_t lms_ots_coef(const unsigned char *S, uint16_t i, uint8_t w) |
| { |
| uint8_t bitmask = (1 << w) - 1; |
| uint8_t shift = 8 - (w * (i % (8 / w)) + w); |
| int id = (i * w) / 8; |
| |
| return (S[id] >> shift) & bitmask; |
| } |
| |
| static ossl_unused ossl_inline int lms_evp_md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *md, |
| const LMS_PARAMS *lms_params) |
| { |
| OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; |
| OSSL_PARAM *p = NULL; |
| |
| /* The OpenSSL SHAKE implementation requires the xoflen to be set */ |
| if (strncmp(lms_params->digestname, "SHAKE", 5) == 0) { |
| params[0] = OSSL_PARAM_construct_uint32(OSSL_DIGEST_PARAM_XOFLEN, |
| (uint32_t *)&lms_params->n); |
| p = params; |
| } |
| return EVP_DigestInit_ex2(ctx, md, p); |
| } |
