| /* BEGIN_HEADER */ |
| #include "lmots.h" |
| #include "mbedtls/lms.h" |
| |
| #if defined(MBEDTLS_TEST_HOOKS) |
| int check_lmots_private_key_for_leak(unsigned char * sig) |
| { |
| size_t idx; |
| |
| for( idx = MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(MBEDTLS_LMOTS_SHA256_N32_W8); |
| idx < MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8); |
| idx++ ) |
| { |
| TEST_EQUAL( sig[idx], 0x7E ); |
| } |
| |
| return( 0 ); |
| |
| exit: |
| return( -1 ); |
| } |
| #endif /* defined(MBEDTLS_TEST_HOOKS) */ |
| |
| /* END_HEADER */ |
| |
| /* BEGIN_DEPENDENCIES |
| * depends_on:MBEDTLS_LMS_C |
| * END_DEPENDENCIES |
| */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_LMS_PRIVATE */ |
| void lmots_sign_verify_test ( data_t *msg, data_t *key_id, int leaf_id, |
| data_t *seed ) |
| { |
| mbedtls_lmots_public_t pub_ctx; |
| mbedtls_lmots_private_t priv_ctx; |
| unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)]; |
| |
| mbedtls_lmots_public_init( &pub_ctx ); |
| mbedtls_lmots_private_init( &priv_ctx ); |
| |
| TEST_EQUAL( mbedtls_lmots_generate_private_key(&priv_ctx, MBEDTLS_LMOTS_SHA256_N32_W8, |
| key_id->x, leaf_id, seed->x, seed->len ), 0 ); |
| TEST_EQUAL( mbedtls_lmots_calculate_public_key(&pub_ctx, &priv_ctx), 0 ); |
| TEST_EQUAL( mbedtls_lmots_sign(&priv_ctx, &mbedtls_test_rnd_std_rand, NULL, |
| msg->x, msg->len, sig, sizeof(sig), NULL ), 0 ); |
| TEST_EQUAL( mbedtls_lmots_verify(&pub_ctx, msg->x, msg->len, sig, sizeof(sig)), 0 ); |
| |
| exit: |
| mbedtls_lmots_public_free( &pub_ctx ); |
| mbedtls_lmots_private_free( &priv_ctx ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_LMS_PRIVATE */ |
| void lmots_sign_verify_null_msg_test ( data_t *key_id, int leaf_id, data_t *seed ) |
| { |
| mbedtls_lmots_public_t pub_ctx; |
| mbedtls_lmots_private_t priv_ctx; |
| unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)]; |
| |
| mbedtls_lmots_public_init( &pub_ctx ); |
| mbedtls_lmots_private_init( &priv_ctx ); |
| |
| TEST_EQUAL( mbedtls_lmots_generate_private_key(&priv_ctx, MBEDTLS_LMOTS_SHA256_N32_W8, |
| key_id->x, leaf_id, seed->x, seed->len ), 0 ); |
| TEST_EQUAL( mbedtls_lmots_calculate_public_key(&pub_ctx, &priv_ctx), 0 ); |
| TEST_EQUAL( mbedtls_lmots_sign(&priv_ctx, &mbedtls_test_rnd_std_rand, NULL, |
| NULL, 0, sig, sizeof(sig), NULL ), 0 ); |
| TEST_EQUAL( mbedtls_lmots_verify(&pub_ctx, NULL, 0, sig, sizeof(sig)), 0 ); |
| |
| exit: |
| mbedtls_lmots_public_free( &pub_ctx ); |
| mbedtls_lmots_private_free( &priv_ctx ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE */ |
| void lmots_verify_test ( data_t *msg, data_t *sig, data_t *pub_key, |
| int expected_rc ) |
| { |
| mbedtls_lmots_public_t ctx; |
| unsigned int size; |
| unsigned char *tmp_sig = NULL; |
| |
| mbedtls_lmots_public_init( &ctx ); |
| |
| TEST_EQUAL(mbedtls_lmots_import_public_key( &ctx, pub_key->x, pub_key->len ), 0); |
| |
| TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, sig->x, sig->len ), expected_rc); |
| |
| /* Test negative cases if the input data is valid */ |
| if( expected_rc == 0 ) |
| { |
| if( msg->len >= 1 ) |
| { |
| /* Altering first message byte must cause verification failure */ |
| msg->x[0] ^= 1; |
| TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, sig->x, sig->len ), |
| MBEDTLS_ERR_LMS_VERIFY_FAILED); |
| msg->x[0] ^= 1; |
| |
| /* Altering last message byte must cause verification failure */ |
| msg->x[msg->len - 1] ^= 1; |
| TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, sig->x, sig->len ), |
| MBEDTLS_ERR_LMS_VERIFY_FAILED); |
| msg->x[msg->len - 1] ^= 1; |
| } |
| |
| /* Altering first signature byte must cause verification failure */ |
| sig->x[0] ^= 1; |
| TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, sig->x, sig->len ), |
| MBEDTLS_ERR_LMS_VERIFY_FAILED); |
| sig->x[0] ^= 1; |
| |
| /* Altering last signature byte must cause verification failure */ |
| sig->x[sig->len - 1] ^= 1; |
| TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, sig->x, sig->len ), |
| MBEDTLS_ERR_LMS_VERIFY_FAILED); |
| sig->x[sig->len - 1] ^= 1; |
| |
| /* Signatures of all sizes must not verify, whether shorter or longer */ |
| for( size = 0; size < sig->len; size++ ) { |
| if( size == sig->len ) |
| continue; |
| |
| ASSERT_ALLOC( tmp_sig, size ); |
| if( tmp_sig != NULL ) |
| memcpy( tmp_sig, sig->x, MIN(size, sig->len) ); |
| |
| TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, tmp_sig, size ), |
| MBEDTLS_ERR_LMS_VERIFY_FAILED); |
| mbedtls_free( tmp_sig ); |
| tmp_sig = NULL; |
| } |
| } |
| |
| exit: |
| mbedtls_free( tmp_sig ); |
| mbedtls_lmots_public_free( &ctx ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE */ |
| void lmots_import_export_test ( data_t * pub_key, int expected_import_rc ) |
| { |
| mbedtls_lmots_public_t ctx; |
| unsigned char *exported_pub_key = NULL; |
| size_t exported_pub_key_buf_size; |
| size_t exported_pub_key_size; |
| |
| mbedtls_lmots_public_init( &ctx ); |
| TEST_EQUAL( mbedtls_lmots_import_public_key( &ctx, pub_key->x, pub_key->len ), |
| expected_import_rc ); |
| |
| if( expected_import_rc == 0 ) |
| { |
| exported_pub_key_buf_size = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8); |
| ASSERT_ALLOC( exported_pub_key, exported_pub_key_buf_size ); |
| |
| TEST_EQUAL( mbedtls_lmots_export_public_key( &ctx, exported_pub_key, |
| exported_pub_key_buf_size, |
| &exported_pub_key_size ), 0 ); |
| |
| TEST_EQUAL( exported_pub_key_size, |
| MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8) ); |
| ASSERT_COMPARE( pub_key->x, pub_key->len, |
| exported_pub_key, exported_pub_key_size ); |
| mbedtls_free(exported_pub_key); |
| exported_pub_key = NULL; |
| |
| /* Export into too-small buffer should fail */ |
| exported_pub_key_buf_size = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8) - 1; |
| ASSERT_ALLOC( exported_pub_key, exported_pub_key_buf_size); |
| TEST_EQUAL( mbedtls_lmots_export_public_key( &ctx, exported_pub_key, |
| exported_pub_key_buf_size, NULL ), |
| MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); |
| mbedtls_free(exported_pub_key); |
| exported_pub_key = NULL; |
| |
| /* Export into too-large buffer should succeed */ |
| exported_pub_key_buf_size = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8) + 1; |
| ASSERT_ALLOC( exported_pub_key, exported_pub_key_buf_size); |
| TEST_EQUAL( mbedtls_lmots_export_public_key( &ctx, exported_pub_key, |
| exported_pub_key_buf_size, |
| &exported_pub_key_size ), |
| 0 ); |
| ASSERT_COMPARE( pub_key->x, pub_key->len, |
| exported_pub_key, exported_pub_key_size ); |
| mbedtls_free(exported_pub_key); |
| exported_pub_key = NULL; |
| } |
| |
| exit: |
| mbedtls_lmots_public_free( &ctx ); |
| mbedtls_free( exported_pub_key ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_LMS_PRIVATE */ |
| void lmots_reuse_test ( data_t *msg, data_t *key_id, int leaf_id, data_t *seed ) |
| { |
| mbedtls_lmots_private_t ctx; |
| unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)]; |
| |
| mbedtls_lmots_private_init( &ctx ); |
| TEST_EQUAL( mbedtls_lmots_generate_private_key(&ctx, MBEDTLS_LMOTS_SHA256_N32_W8, |
| key_id->x, leaf_id, seed->x, |
| seed->len ), 0 ); |
| TEST_EQUAL( mbedtls_lmots_sign(&ctx, mbedtls_test_rnd_std_rand, NULL, |
| msg->x, msg->len, sig, sizeof( sig ), NULL ), 0 ); |
| |
| /* Running another sign operation should fail, since the key should now have |
| * been erased. |
| */ |
| TEST_EQUAL( mbedtls_lmots_sign(&ctx, mbedtls_test_rnd_std_rand, NULL, |
| msg->x, msg->len, sig, sizeof( sig ), NULL ), MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); |
| |
| exit: |
| mbedtls_lmots_private_free( &ctx ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_LMS_PRIVATE */ |
| void lmots_signature_leak_test ( data_t *msg, data_t *key_id, int leaf_id, |
| data_t *seed ) |
| { |
| mbedtls_lmots_private_t ctx; |
| unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)]; |
| |
| mbedtls_lmots_sign_private_key_invalidated_hook = &check_lmots_private_key_for_leak; |
| |
| /* Fill with recognisable pattern */ |
| memset( sig, 0x7E, sizeof( sig ) ); |
| |
| mbedtls_lmots_private_init( &ctx ); |
| TEST_EQUAL( mbedtls_lmots_generate_private_key(&ctx, MBEDTLS_LMOTS_SHA256_N32_W8, |
| key_id->x, leaf_id, seed->x, |
| seed->len ), 0 ); |
| TEST_EQUAL( mbedtls_lmots_sign(&ctx, mbedtls_test_rnd_std_rand, NULL, |
| msg->x, msg->len, sig, sizeof( sig ), NULL ), 0 ); |
| |
| exit: |
| mbedtls_lmots_private_free( &ctx ); |
| mbedtls_lmots_sign_private_key_invalidated_hook = NULL; |
| } |
| /* END_CASE */ |