/* BEGIN_HEADER */ #include "lmots.h" #include "mbedtls/lms.h" #if defined(MBEDTLS_TEST_HOOKS) int check_lmots_private_key_for_leak(unsigned char *sig) { size_t idx; for (idx = MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(MBEDTLS_LMOTS_SHA256_N32_W8); idx < MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8); idx++) { TEST_EQUAL(sig[idx], 0x7E); } return 0; exit: return -1; } #endif /* defined(MBEDTLS_TEST_HOOKS) */ /* END_HEADER */ /* BEGIN_DEPENDENCIES * depends_on:MBEDTLS_LMS_C * END_DEPENDENCIES */ /* BEGIN_CASE depends_on:MBEDTLS_LMS_PRIVATE */ void lmots_sign_verify_test(data_t *msg, data_t *key_id, int leaf_id, data_t *seed) { mbedtls_lmots_public_t pub_ctx; mbedtls_lmots_private_t priv_ctx; unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)]; mbedtls_lmots_public_init(&pub_ctx); mbedtls_lmots_private_init(&priv_ctx); USE_PSA_INIT(); TEST_EQUAL(mbedtls_lmots_generate_private_key(&priv_ctx, MBEDTLS_LMOTS_SHA256_N32_W8, key_id->x, leaf_id, seed->x, seed->len), 0); TEST_EQUAL(mbedtls_lmots_calculate_public_key(&pub_ctx, &priv_ctx), 0); TEST_EQUAL(mbedtls_lmots_sign(&priv_ctx, &mbedtls_test_rnd_std_rand, NULL, msg->x, msg->len, sig, sizeof(sig), NULL), 0); TEST_EQUAL(mbedtls_lmots_verify(&pub_ctx, msg->x, msg->len, sig, sizeof(sig)), 0); exit: mbedtls_lmots_public_free(&pub_ctx); mbedtls_lmots_private_free(&priv_ctx); USE_PSA_DONE(); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_LMS_PRIVATE */ void lmots_sign_verify_null_msg_test(data_t *key_id, int leaf_id, data_t *seed) { mbedtls_lmots_public_t pub_ctx; mbedtls_lmots_private_t priv_ctx; unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)]; mbedtls_lmots_public_init(&pub_ctx); mbedtls_lmots_private_init(&priv_ctx); USE_PSA_INIT(); TEST_EQUAL(mbedtls_lmots_generate_private_key(&priv_ctx, MBEDTLS_LMOTS_SHA256_N32_W8, key_id->x, leaf_id, seed->x, seed->len), 0); TEST_EQUAL(mbedtls_lmots_calculate_public_key(&pub_ctx, &priv_ctx), 0); TEST_EQUAL(mbedtls_lmots_sign(&priv_ctx, &mbedtls_test_rnd_std_rand, NULL, NULL, 0, sig, sizeof(sig), NULL), 0); TEST_EQUAL(mbedtls_lmots_verify(&pub_ctx, NULL, 0, sig, sizeof(sig)), 0); exit: mbedtls_lmots_public_free(&pub_ctx); mbedtls_lmots_private_free(&priv_ctx); USE_PSA_DONE(); } /* END_CASE */ /* BEGIN_CASE */ void lmots_verify_test(data_t *msg, data_t *sig, data_t *pub_key, int expected_rc) { mbedtls_lmots_public_t ctx; unsigned int size; unsigned char *tmp_sig = NULL; mbedtls_lmots_public_init(&ctx); USE_PSA_INIT(); TEST_EQUAL(mbedtls_lmots_import_public_key(&ctx, pub_key->x, pub_key->len), 0); TEST_EQUAL(mbedtls_lmots_verify(&ctx, msg->x, msg->len, sig->x, sig->len), expected_rc); /* Test negative cases if the input data is valid */ if (expected_rc == 0) { if (msg->len >= 1) { /* Altering first message byte must cause verification failure */ msg->x[0] ^= 1; TEST_EQUAL(mbedtls_lmots_verify(&ctx, msg->x, msg->len, sig->x, sig->len), MBEDTLS_ERR_LMS_VERIFY_FAILED); msg->x[0] ^= 1; /* Altering last message byte must cause verification failure */ msg->x[msg->len - 1] ^= 1; TEST_EQUAL(mbedtls_lmots_verify(&ctx, msg->x, msg->len, sig->x, sig->len), MBEDTLS_ERR_LMS_VERIFY_FAILED); msg->x[msg->len - 1] ^= 1; } /* Altering first signature byte must cause verification failure */ sig->x[0] ^= 1; TEST_EQUAL(mbedtls_lmots_verify(&ctx, msg->x, msg->len, sig->x, sig->len), MBEDTLS_ERR_LMS_VERIFY_FAILED); sig->x[0] ^= 1; /* Altering last signature byte must cause verification failure */ sig->x[sig->len - 1] ^= 1; TEST_EQUAL(mbedtls_lmots_verify(&ctx, msg->x, msg->len, sig->x, sig->len), MBEDTLS_ERR_LMS_VERIFY_FAILED); sig->x[sig->len - 1] ^= 1; /* Signatures of all sizes must not verify, whether shorter or longer */ for (size = 0; size < sig->len; size++) { if (size == sig->len) { continue; } TEST_CALLOC(tmp_sig, size); if (tmp_sig != NULL) { memcpy(tmp_sig, sig->x, MIN(size, sig->len)); } TEST_EQUAL(mbedtls_lmots_verify(&ctx, msg->x, msg->len, tmp_sig, size), MBEDTLS_ERR_LMS_VERIFY_FAILED); mbedtls_free(tmp_sig); tmp_sig = NULL; } } exit: mbedtls_free(tmp_sig); mbedtls_lmots_public_free(&ctx); USE_PSA_DONE(); } /* END_CASE */ /* BEGIN_CASE */ void lmots_import_export_test(data_t *pub_key, int expected_import_rc) { mbedtls_lmots_public_t ctx; unsigned char *exported_pub_key = NULL; size_t exported_pub_key_buf_size; size_t exported_pub_key_size; mbedtls_lmots_public_init(&ctx); USE_PSA_INIT(); TEST_EQUAL(mbedtls_lmots_import_public_key(&ctx, pub_key->x, pub_key->len), expected_import_rc); if (expected_import_rc == 0) { exported_pub_key_buf_size = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8); TEST_CALLOC(exported_pub_key, exported_pub_key_buf_size); TEST_EQUAL(mbedtls_lmots_export_public_key(&ctx, exported_pub_key, exported_pub_key_buf_size, &exported_pub_key_size), 0); TEST_EQUAL(exported_pub_key_size, MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)); TEST_MEMORY_COMPARE(pub_key->x, pub_key->len, exported_pub_key, exported_pub_key_size); mbedtls_free(exported_pub_key); exported_pub_key = NULL; /* Export into too-small buffer should fail */ exported_pub_key_buf_size = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8) - 1; TEST_CALLOC(exported_pub_key, exported_pub_key_buf_size); TEST_EQUAL(mbedtls_lmots_export_public_key(&ctx, exported_pub_key, exported_pub_key_buf_size, NULL), MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL); mbedtls_free(exported_pub_key); exported_pub_key = NULL; /* Export into too-large buffer should succeed */ exported_pub_key_buf_size = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8) + 1; TEST_CALLOC(exported_pub_key, exported_pub_key_buf_size); TEST_EQUAL(mbedtls_lmots_export_public_key(&ctx, exported_pub_key, exported_pub_key_buf_size, &exported_pub_key_size), 0); TEST_MEMORY_COMPARE(pub_key->x, pub_key->len, exported_pub_key, exported_pub_key_size); mbedtls_free(exported_pub_key); exported_pub_key = NULL; } exit: mbedtls_lmots_public_free(&ctx); mbedtls_free(exported_pub_key); USE_PSA_DONE(); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_LMS_PRIVATE */ void lmots_reuse_test(data_t *msg, data_t *key_id, int leaf_id, data_t *seed) { mbedtls_lmots_private_t ctx; unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)]; mbedtls_lmots_private_init(&ctx); USE_PSA_INIT(); TEST_EQUAL(mbedtls_lmots_generate_private_key(&ctx, MBEDTLS_LMOTS_SHA256_N32_W8, key_id->x, leaf_id, seed->x, seed->len), 0); TEST_EQUAL(mbedtls_lmots_sign(&ctx, mbedtls_test_rnd_std_rand, NULL, msg->x, msg->len, sig, sizeof(sig), NULL), 0); /* Running another sign operation should fail, since the key should now have * been erased. */ TEST_EQUAL(mbedtls_lmots_sign(&ctx, mbedtls_test_rnd_std_rand, NULL, msg->x, msg->len, sig, sizeof(sig), NULL), MBEDTLS_ERR_LMS_BAD_INPUT_DATA); exit: mbedtls_lmots_private_free(&ctx); USE_PSA_DONE(); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_LMS_PRIVATE */ void lmots_signature_leak_test(data_t *msg, data_t *key_id, int leaf_id, data_t *seed) { mbedtls_lmots_private_t ctx; unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)]; mbedtls_lmots_sign_private_key_invalidated_hook = &check_lmots_private_key_for_leak; /* Fill with recognisable pattern */ memset(sig, 0x7E, sizeof(sig)); mbedtls_lmots_private_init(&ctx); USE_PSA_INIT(); TEST_EQUAL(mbedtls_lmots_generate_private_key(&ctx, MBEDTLS_LMOTS_SHA256_N32_W8, key_id->x, leaf_id, seed->x, seed->len), 0); TEST_EQUAL(mbedtls_lmots_sign(&ctx, mbedtls_test_rnd_std_rand, NULL, msg->x, msg->len, sig, sizeof(sig), NULL), 0); exit: mbedtls_lmots_private_free(&ctx); mbedtls_lmots_sign_private_key_invalidated_hook = NULL; USE_PSA_DONE(); } /* END_CASE */