Added Extended Hash-Based Signatures (XMSS)

[1] XMSS: Extended Hash-Based Signatures,
    draft-itrf-cfrg-xmss-hash-based-signatures-06
    Release: July 2016.
    https://datatracker.ietf.org/doc/
    draft-irtf-cfrg-xmss-hash-based-signatures/?include_text=1

Provides XMSS_PublicKey and XMSS_PrivateKey classes as well as implementations
for the Botan interfaces PK_Ops::Signature and PK_Ops::Verification. XMSS has
been integrated into the Botan test bench, signature generation and verification
can be tested independently by invoking "botan-test xmss_sign" and
"botan-test xmss_verify"

- Some headers that are not required to be exposed to users of the library have
  to be declared as public in `info.txt`. Declaring those headers private will
  cause the amalgamation build to fail. The following headers have been
  declared public inside `info.txt`, even though they are only intended for
  internal use:
    * atomic.h
    * xmss_hash.h
    * xmss_index_registry.h
    * xmss_address.h
    * xmss_common_ops.h
    * xmss_tools.h
    * xmss_wots_parameters.h
    * xmss_wots_privatekey.h
    * xmss_wots_publickey.h

- XMSS_Verification_Operation Requires the "randomness" parameter out of the
  XMSS signature. "Randomness" is part of the prefix that is hashed *before*
  the message. Since the signature is unknown till sign() is called, all
  message content has to be buffered. For large messages this can be
  inconvenient or impossible.

  **Possible solution**: Change PK_Ops::Verification interface to take
  the signature as constructor argument, and provide a setter method to be able
  to update reuse the instance on multiple signatures. Make sign a parameterless
  member call. This solution requires interface changes in botan.

  **Suggested workaround** for signing large messages is to not sign the message
  itself, but to precompute the message hash manually using Botan::HashFunctio
  and sign the message hash instead of the message itself.

- Some of the available test vectors for the XMSS signature verification have
  been commented out in order to reduce testbench runtime.

6 files changed, 57 insertions, 3 deletions

diff --git a/src/lib/asn1/oids.cpp b/src/lib/asn1/oids.cpp
index fb2aa0043..f3536216b 100644
--- a/src/lib/asn1/oids.cpp
+++ b/src/lib/asn1/oids.cpp
@@ -15,6 +15,8 @@ namespace OIDS {
 std::string lookup(const OID& oid)
    {
    const std::string oid_str = oid.as_string();
+   if(oid_str == "0.0.0.0.0.0.0") return "XMSS"; // FIXME: Preliminary OID
+   // update once XMSS OIDs are available.
    if(oid_str == "1.0.14888.3.0.5") return "ECKCDSA";
    if(oid_str == "1.2.250.1.223.101.256.1") return "frp256v1";
    if(oid_str == "1.2.410.200004.1.100.4.3") return "ECKCDSA/EMSA1(SHA-1)";
@@ -182,6 +184,8 @@ std::string lookup(const OID& oid)
 
 OID lookup(const std::string& name)
    {
+   if(name == "XMSS") return OID("0.0.0.0.0.0.0"); // FIXME: Preliminary OID
+   // update once XMSS OIDs are available.
    if(name == "AES-128/CBC") return OID("2.16.840.1.101.3.4.1.2");
    if(name == "AES-128/GCM") return OID("2.16.840.1.101.3.4.1.6");
    if(name == "AES-128/OCB") return OID("1.3.6.1.4.1.25258.3.2.1");
diff --git a/src/lib/pubkey/xmss/xmss_index_registry.h b/src/lib/pubkey/xmss/xmss_index_registry.h
index 8759ca03b..3e5aaa794 100644
--- a/src/lib/pubkey/xmss/xmss_index_registry.h
+++ b/src/lib/pubkey/xmss/xmss_index_registry.h
@@ -12,12 +12,19 @@
 #include <cstddef>
 #include <limits>
 #include <memory>
+<<<<<<< HEAD
+=======
+#include <mutex>
+>>>>>>> 959425d... Added Extended Hash-Based Signatures (XMSS)
 #include <string>
 #include <botan/hash.h>
 #include <botan/secmem.h>
 #include <botan/types.h>
 #include <botan/atomic.h>
+<<<<<<< HEAD
 #include <botan/mutex.h>
+=======
+>>>>>>> 959425d... Added Extended Hash-Based Signatures (XMSS)
 
 namespace Botan {
 
diff --git a/src/lib/pubkey/xmss/xmss_signature_operation.cpp b/src/lib/pubkey/xmss/xmss_signature_operation.cpp
index 07121db14..abbcadff7 100644
--- a/src/lib/pubkey/xmss/xmss_signature_operation.cpp
+++ b/src/lib/pubkey/xmss/xmss_signature_operation.cpp
@@ -101,7 +101,7 @@ void XMSS_Signature_Operation::initialize()
    m_randomness = m_hash.prf(m_priv_key.prf(), index_bytes);
    index_bytes.clear();
    XMSS_Tools::concat(index_bytes, m_leaf_idx,
-                            m_priv_key.xmss_parameters().element_size());
+                      m_priv_key.xmss_parameters().element_size());
    m_hash.h_msg_init(m_randomness,
                      m_priv_key.root(),
                      index_bytes);
diff --git a/src/lib/pubkey/xmss/xmss_tools.cpp b/src/lib/pubkey/xmss/xmss_tools.cpp
new file mode 100644
index 000000000..13e66759c
--- /dev/null
+++ b/src/lib/pubkey/xmss/xmss_tools.cpp
@@ -0,0 +1,32 @@
+/**
+ * XMSS Tools
+ * Contains some helper functions.
+ * (C) 2016 Matthias Gierlings
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+#include <botan/xmss_tools.h>
+
+namespace Botan {
+
+XMSS_Tools::XMSS_Tools()
+   {
+#if defined(BOTAN_TARGET_CPU_HAS_KNOWN_ENDIANESS)
+#if defined(BOTAN_TARGET_CPU_IS_LITTLE_ENDIAN)
+           m_is_little_endian = true;
+#else
+           m_is_little_endian = false;
+#endif
+#else
+       uint16_t data = 0x01;
+       m_is_little_endian = reinterpret_cast<const byte*>(&data)[0] == 0x01;
+#endif
+   }
+
+const XMSS_Tools& XMSS_Tools::get()
+   {
+   static const XMSS_Tools self;
+   return self;
+   }
+
+}
diff --git a/src/lib/pubkey/xmss/xmss_tools.h b/src/lib/pubkey/xmss/xmss_tools.h
index 773953fae..ab60665c7 100644
--- a/src/lib/pubkey/xmss/xmss_tools.h
+++ b/src/lib/pubkey/xmss/xmss_tools.h
@@ -11,7 +11,10 @@
 #include <stdint.h>
 #include <iterator>
 #include <type_traits>
+<<<<<<< HEAD
 #include <botan/cpuid.h>
+=======
+>>>>>>> 959425d... Added Extended Hash-Based Signatures (XMSS)
 #include <botan/types.h>
 #include <botan/secmem.h>
 
@@ -64,13 +67,17 @@ void XMSS_Tools::concat(secure_vector<byte>& target, const T& src)
    {
    const byte* src_bytes = reinterpret_cast<const byte*>(&src);
    if(CPUID::is_little_endian())
+      {
       std::reverse_copy(src_bytes,
                         src_bytes + sizeof(src),
                         std::back_inserter(target));
+      }
    else
+      {
       std::copy(src_bytes,
                 src_bytes + sizeof(src),
                 std::back_inserter(target));
+      }
    }
 
 
@@ -87,13 +94,17 @@ void XMSS_Tools::concat(secure_vector<byte>& target,
 
    const byte* src_bytes = reinterpret_cast<const byte*>(&src);
    if(CPUID::is_little_endian())
+      {
       std::reverse_copy(src_bytes,
                         src_bytes + c,
                         std::back_inserter(target));
+      }
    else
+      {
       std::copy(src_bytes + sizeof(src) - c,
                 src_bytes + sizeof(src),
                 std::back_inserter(target));
+      }
    }
 }
 
diff --git a/src/lib/pubkey/xmss/xmss_verification_operation.cpp b/src/lib/pubkey/xmss/xmss_verification_operation.cpp
index 79bd61d17..c789a6d85 100644
--- a/src/lib/pubkey/xmss/xmss_verification_operation.cpp
+++ b/src/lib/pubkey/xmss/xmss_verification_operation.cpp
@@ -78,8 +78,8 @@ XMSS_Verification_Operation::verify(const XMSS_Signature& sig,
    XMSS_Address adrs;
    secure_vector<byte> index_bytes;
    XMSS_Tools::concat(index_bytes,
-                            sig.unused_leaf_index(),
-                            m_xmss_params.element_size());
+                      sig.unused_leaf_index(),
+                      m_xmss_params.element_size());
    secure_vector<byte> msg_digest =
       m_hash.h_msg(sig.randomness(),
                    public_key.root(),