Merge pull request #6413 from daverodgman/update_docs_links
Update documentation links
diff --git a/3rdparty/everest/library/everest.c b/3rdparty/everest/library/everest.c
index 82c4e03..fefc6a2 100644
--- a/3rdparty/everest/library/everest.c
+++ b/3rdparty/everest/library/everest.c
@@ -28,12 +28,7 @@
#include "everest/x25519.h"
#include "everest/everest.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
diff --git a/ChangeLog.d/LMS.txt b/ChangeLog.d/LMS.txt
new file mode 100644
index 0000000..6de374f
--- /dev/null
+++ b/ChangeLog.d/LMS.txt
@@ -0,0 +1,11 @@
+Features
+ * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
+ Signature verification is production-ready, but generation is for testing
+ purposes only. This currently only supports one parameter set
+ (LMS_SHA256_M32_H10), meaning that each private key can be used to sign
+ 1024 messages. As such, it is not intended for use in TLS, but instead for
+ verification of assets transmitted over an insecure channel, particularly
+ firmware images.
+ * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
+ required for LMS. This can be used independently, but each key can only be
+ used to sign one message so is impractical for most circumstances.
diff --git a/ChangeLog.d/fix_aead_psa_driver_build.txt b/ChangeLog.d/fix_aead_psa_driver_build.txt
new file mode 100644
index 0000000..a6d11d3
--- /dev/null
+++ b/ChangeLog.d/fix_aead_psa_driver_build.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix compilation errors when trying to build with
+ PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
diff --git a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt
new file mode 100644
index 0000000..bac4910
--- /dev/null
+++ b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix bugs and missing dependencies when
+ building and testing configurations with
+ only one encryption type enabled in TLS 1.2.
diff --git a/ChangeLog.d/platform-setbuf.txt b/ChangeLog.d/platform-setbuf.txt
new file mode 100644
index 0000000..844f70c
--- /dev/null
+++ b/ChangeLog.d/platform-setbuf.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Provide the missing definition of mbedtls_setbuf() in some configurations
+ with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 1038706..0081ca3 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -353,6 +353,16 @@
#error "MBEDTLS_MD_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_LMS_C) && \
+ ! ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256) )
+#error "MBEDTLS_LMS_C requires MBEDTLS_PSA_CRYPTO_C and PSA_WANT_ALG_SHA_256"
+#endif
+
+#if defined(MBEDTLS_LMS_PRIVATE) && \
+ ( !defined(MBEDTLS_LMS_C) )
+#error "MBEDTLS_LMS_PRIVATE requires MBEDTLS_LMS_C"
+#endif
+
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
#error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites"
@@ -523,6 +533,20 @@
#error "MBEDTLS_PLATFORM_SNPRINTF_MACRO and MBEDTLS_PLATFORM_STD_SNPRINTF/MBEDTLS_PLATFORM_SNPRINTF_ALT cannot be defined simultaneously"
#endif
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_VSNPRINTF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_VSNPRINTF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO) &&\
+ ( defined(MBEDTLS_PLATFORM_STD_VSNPRINTF) ||\
+ defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) )
+#error "MBEDTLS_PLATFORM_VSNPRINTF_MACRO and MBEDTLS_PLATFORM_STD_VSNPRINTF/MBEDTLS_PLATFORM_VSNPRINTF_ALT cannot be defined simultaneously"
+#endif
+
#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR) &&\
!defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
#error "MBEDTLS_PLATFORM_STD_MEM_HDR defined, but not all prerequisites"
@@ -874,6 +898,11 @@
#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_SSL_TICKET_C) && \
+ !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) )
+#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
+#endif
+
#if defined(MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH) && \
MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH >= 256
#error "MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH must be less than 256"
@@ -962,7 +991,9 @@
#error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites"
#endif
-
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) )
+#error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites"
+#endif
/* Reject attempts to enable options that have been removed and that could
* cause a build to succeed but with features removed. */
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index 8b2b9ea..eb83913 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -82,6 +82,7 @@
* POLY1305 3 0x0057-0x005B
* CHACHAPOLY 2 0x0054-0x0056
* PLATFORM 2 0x0070-0x0072
+ * LMS 5 0x0011-0x0019
*
* High-level module nr (3 bits - 0x0...-0x7...)
* Name ID Nr of Errors
diff --git a/include/mbedtls/lms.h b/include/mbedtls/lms.h
new file mode 100644
index 0000000..5e03d9b
--- /dev/null
+++ b/include/mbedtls/lms.h
@@ -0,0 +1,450 @@
+/**
+ * \file lms.h
+ *
+ * \brief This file provides an API for the LMS post-quantum-safe stateful-hash
+ public-key signature scheme as defined in RFC8554 and NIST.SP.200-208.
+ * This implementation currently only supports a single parameter set
+ * MBEDTLS_LMS_SHA256_M32_H10 in order to reduce complexity. This is one
+ * of the signature schemes recommended by the IETF draft SUIT standard
+ * for IOT firmware upgrades (RFC9019).
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef MBEDTLS_LMS_H
+#define MBEDTLS_LMS_H
+
+#include <stdint.h>
+#include <stddef.h>
+
+#include "mbedtls/build_info.h"
+
+#define MBEDTLS_ERR_LMS_BAD_INPUT_DATA -0x0011 /**< Bad data has been input to an LMS function */
+#define MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS -0x0013 /**< Specified LMS key has utilised all of its private keys */
+#define MBEDTLS_ERR_LMS_VERIFY_FAILED -0x0015 /**< LMS signature verification failed */
+#define MBEDTLS_ERR_LMS_ALLOC_FAILED -0x0017 /**< LMS failed to allocate space for a private key */
+#define MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL -0x0019 /**< Input/output buffer is too small to contain requited data */
+
+/* Currently only defined for SHA256, 32 is the max hash output size */
+#define MBEDTLS_LMOTS_N_HASH_LEN_MAX (32u)
+#define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX (34u)
+#define MBEDTLS_LMOTS_N_HASH_LEN(type) ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 32u : 0)
+#define MBEDTLS_LMOTS_I_KEY_ID_LEN (16u)
+#define MBEDTLS_LMOTS_Q_LEAF_ID_LEN (4u)
+#define MBEDTLS_LMOTS_TYPE_LEN (4u)
+#define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type) ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 34u : 0)
+#define MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) (MBEDTLS_LMOTS_N_HASH_LEN(type))
+
+#define MBEDTLS_LMOTS_SIG_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \
+ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) + \
+ (MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type) * \
+ MBEDTLS_LMOTS_N_HASH_LEN(type)))
+
+
+#define MBEDTLS_LMS_TYPE_LEN (4)
+#define MBEDTLS_LMS_H_TREE_HEIGHT(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 10u : 0)
+
+/* The length of a hash output, Currently only imlemented for SHA256.
+ * Max is 32 bytes.
+ */
+#define MBEDTLS_LMS_M_NODE_BYTES(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 32 : 0)
+#define MBEDTLS_LMS_M_NODE_BYTES_MAX 32
+
+#define MBEDTLS_LMS_SIG_LEN(type, otstype) (MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \
+ MBEDTLS_LMOTS_SIG_LEN(otstype) + \
+ MBEDTLS_LMS_TYPE_LEN + \
+ (MBEDTLS_LMS_H_TREE_HEIGHT(type) * \
+ MBEDTLS_LMS_M_NODE_BYTES(type)))
+
+#define MBEDTLS_LMS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMS_TYPE_LEN + \
+ MBEDTLS_LMOTS_TYPE_LEN + \
+ MBEDTLS_LMOTS_I_KEY_ID_LEN + \
+ MBEDTLS_LMS_M_NODE_BYTES(type))
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** The Identifier of the LMS parameter set, as per
+ * https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml
+ * We are only implementing a subset of the types, particularly H10, for the sake of simplicty.
+ */
+typedef enum {
+ MBEDTLS_LMS_SHA256_M32_H10 = 0x6,
+} mbedtls_lms_algorithm_type_t;
+
+/** The Identifier of the LMOTS parameter set, as per
+ * https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml.
+ * We are only implementing a subset of the types, particularly N32_W8, for the sake of simplicty.
+ */
+typedef enum {
+ MBEDTLS_LMOTS_SHA256_N32_W8 = 4
+} mbedtls_lmots_algorithm_type_t;
+
+/** LMOTS parameters structure.
+ *
+ * This contains the metadata associated with an LMOTS key, detailing the
+ * algorithm type, the key ID, and the leaf identifier should be key be part of
+ * a LMS key.
+ */
+typedef struct {
+ unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key
+ identifier. */
+ unsigned char MBEDTLS_PRIVATE(q_leaf_identifier[MBEDTLS_LMOTS_Q_LEAF_ID_LEN]); /*!< Which
+ leaf of the LMS key this is.
+ 0 if the key is not part of an LMS key. */
+ mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LM-OTS key type identifier as
+ per IANA. Only SHA256_N32_W8 is
+ currently supported. */
+} mbedtls_lmots_parameters_t;
+
+/** LMOTS public context structure.
+ *
+ * A LMOTS public key is a hash output, and the applicable parameter set.
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lmots_public_t {
+ * UNINITIALIZED -> INIT [label="init"];
+ * HAVE_PUBLIC_KEY -> INIT [label="free"];
+ * INIT -> HAVE_PUBLIC_KEY [label="import_public_key"];
+ * INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"];
+ * HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"];
+ * }
+ * \enddot
+ */
+typedef struct {
+ mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params);
+ unsigned char MBEDTLS_PRIVATE(public_key)[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key.
+ Boolean values only. */
+} mbedtls_lmots_public_t;
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+/** LMOTS private context structure.
+ *
+ * A LMOTS private key is one hash output for each of digit of the digest +
+ * checksum, and the applicable parameter set.
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lmots_public_t {
+ * UNINITIALIZED -> INIT [label="init"];
+ * HAVE_PRIVATE_KEY -> INIT [label="free"];
+ * INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"];
+ * HAVE_PRIVATE_KEY -> INIT [label="sign"];
+ * }
+ * \enddot
+ */
+typedef struct {
+ mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params);
+ unsigned char MBEDTLS_PRIVATE(private_key)[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key.
+ Boolean values only. */
+} mbedtls_lmots_private_t;
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+
+/** LMS parameters structure.
+ *
+ * This contains the metadata associated with an LMS key, detailing the
+ * algorithm type, the type of the underlying OTS algorithm, and the key ID.
+ */
+typedef struct {
+ unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key
+ identifier. */
+ mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(otstype); /*!< The LM-OTS key type identifier as
+ per IANA. Only SHA256_N32_W8 is
+ currently supported. */
+ mbedtls_lms_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LMS key type identifier as per
+ IANA. Only SHA256_M32_H10 is currently
+ supported. */
+} mbedtls_lms_parameters_t;
+
+/** LMS public context structure.
+ *
+ *A LMS public key is the hash output that is the root of the Merkle tree, and
+ * the applicable parameter set
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lms_public_t {
+ * UNINITIALIZED -> INIT [label="init"];
+ * HAVE_PUBLIC_KEY -> INIT [label="free"];
+ * INIT -> HAVE_PUBLIC_KEY [label="import_public_key"];
+ * INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"];
+ * HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"];
+ * }
+ * \enddot
+ */
+typedef struct {
+ mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params);
+ unsigned char MBEDTLS_PRIVATE(T_1_pub_key)[MBEDTLS_LMS_M_NODE_BYTES_MAX]; /*!< The public key, in
+ the form of the Merkle tree root node. */
+ unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key.
+ Boolean values only. */
+} mbedtls_lms_public_t;
+
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+/** LMS private context structure.
+ *
+ * A LMS private key is a set of LMOTS private keys, an index to the next usable
+ * key, and the applicable parameter set.
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lms_public_t {
+ * UNINITIALIZED -> INIT [label="init"];
+ * HAVE_PRIVATE_KEY -> INIT [label="free"];
+ * INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"];
+ * }
+ * \enddot
+ */
+typedef struct {
+ mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params);
+ uint32_t MBEDTLS_PRIVATE(q_next_usable_key); /*!< The index of the next OTS key that has not
+ been used. */
+ mbedtls_lmots_private_t *MBEDTLS_PRIVATE(ots_private_keys); /*!< The private key material. One OTS key
+ for each leaf node in the Merkle tree. NULL
+ when have_private_key is 0 and non-NULL otherwise.
+ is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type) in length. */
+ mbedtls_lmots_public_t *MBEDTLS_PRIVATE(ots_public_keys); /*!< The OTS key public keys, used to
+ build the Merkle tree. NULL
+ when have_private_key is 0 and
+ non-NULL otherwise.
+ Is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type)
+ in length. */
+ unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key.
+ Boolean values only. */
+} mbedtls_lms_private_t;
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+/**
+ * \brief This function initializes an LMS public context
+ *
+ * \param ctx The uninitialized LMS context that will then be
+ * initialized.
+ */
+void mbedtls_lms_public_init( mbedtls_lms_public_t *ctx );
+
+/**
+ * \brief This function uninitializes an LMS public context
+ *
+ * \param ctx The initialized LMS context that will then be
+ * uninitialized.
+ */
+void mbedtls_lms_public_free( mbedtls_lms_public_t *ctx );
+
+/**
+ * \brief This function imports an LMS public key into a
+ * public LMS context.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized.
+ *
+ * \note See IETF RFC8554 for details of the encoding of
+ * this public key.
+ *
+ * \param ctx The initialized LMS context store the key in.
+ * \param key The buffer from which the key will be read.
+ * #MBEDTLS_LMS_PUBLIC_KEY_LEN bytes will be read from
+ * this.
+ * \param key_size The size of the key being imported.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_import_public_key( mbedtls_lms_public_t *ctx,
+ const unsigned char *key, size_t key_size );
+
+/**
+ * \brief This function exports an LMS public key from a
+ * LMS public context that already contains a public
+ * key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and the context must contain
+ * a public key.
+ *
+ * \note See IETF RFC8554 for details of the encoding of
+ * this public key.
+ *
+ * \param ctx The initialized LMS public context that contains
+ * the public key.
+ * \param key The buffer into which the key will be output. Must
+ * be at least #MBEDTLS_LMS_PUBLIC_KEY_LEN in size.
+ * \param key_size The size of the key buffer.
+ * \param key_len If not NULL, will be written with the size of the
+ * key.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_export_public_key( const mbedtls_lms_public_t *ctx,
+ unsigned char *key, size_t key_size,
+ size_t *key_len );
+
+/**
+ * \brief This function verifies a LMS signature, using a
+ * LMS context that contains a public key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and must contain a public key
+ * (either by import or generation).
+ *
+ * \param ctx The initialized LMS public context from which the
+ * public key will be read.
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buf from which the signature will be read.
+ * #MBEDTLS_LMS_SIG_LEN bytes will be read from
+ * this.
+ * \param sig_size The size of the signature to be verified.
+ *
+ * \return \c 0 on successful verification.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_verify( const mbedtls_lms_public_t *ctx,
+ const unsigned char *msg, size_t msg_size,
+ const unsigned char *sig, size_t sig_size );
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+/**
+ * \brief This function initializes an LMS private context
+ *
+ * \param ctx The uninitialized LMS private context that will
+ * then be initialized. */
+void mbedtls_lms_private_init( mbedtls_lms_private_t *ctx );
+
+/**
+ * \brief This function uninitializes an LMS private context
+ *
+ * \param ctx The initialized LMS private context that will then
+ * be uninitialized.
+ */
+void mbedtls_lms_private_free( mbedtls_lms_private_t *ctx );
+
+/**
+ * \brief This function generates an LMS private key, and
+ * stores in into an LMS private context.
+ *
+ * \warning This function is **not intended for use in
+ * production**, due to as-yet unsolved problems with
+ * handling stateful keys. The API for this function
+ * may change considerably in future versions.
+ *
+ * \note The seed must have at least 256 bits of entropy.
+ *
+ * \param ctx The initialized LMOTS context to generate the key
+ * into.
+ * \param type The LMS parameter set identifier.
+ * \param otstype The LMOTS parameter set identifier.
+ * \param f_rng The RNG function to be used to generate the key ID.
+ * \param p_rng The RNG context to be passed to f_rng
+ * \param seed The seed used to deterministically generate the
+ * key.
+ * \param seed_size The length of the seed.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_generate_private_key( mbedtls_lms_private_t *ctx,
+ mbedtls_lms_algorithm_type_t type,
+ mbedtls_lmots_algorithm_type_t otstype,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void* p_rng, const unsigned char *seed,
+ size_t seed_size );
+
+/**
+ * \brief This function calculates an LMS public key from a
+ * LMS context that already contains a private key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and the context must contain
+ * a private key.
+ *
+ * \param ctx The initialized LMS public context to calculate the key
+ * from and store it into.
+ *
+ * \param priv_ctx The LMS private context to read the private key
+ * from. This must have been initialized and contain a
+ * private key.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_calculate_public_key( mbedtls_lms_public_t *ctx,
+ const mbedtls_lms_private_t *priv_ctx );
+
+/**
+ * \brief This function creates a LMS signature, using a
+ * LMS context that contains unused private keys.
+ *
+ * \warning This function is **not intended for use in
+ * production**, due to as-yet unsolved problems with
+ * handling stateful keys. The API for this function
+ * may change considerably in future versions.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and must contain a private
+ * key.
+ *
+ * \note Each of the LMOTS private keys inside a LMS private
+ * key can only be used once. If they are reused, then
+ * attackers may be able to forge signatures with that
+ * key. This is all handled transparently, but it is
+ * important to not perform copy operations on LMS
+ * contexts that contain private key material.
+ *
+ * \param ctx The initialized LMS private context from which the
+ * private key will be read.
+ * \param f_rng The RNG function to be used for signature
+ * generation.
+ * \param p_rng The RNG context to be passed to f_rng
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buf into which the signature will be stored.
+ * Must be at least #MBEDTLS_LMS_SIG_LEN in size.
+ * \param sig_size The size of the buffer the signature will be
+ * written into.
+ * \param sig_len If not NULL, will be written with the size of the
+ * signature.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_sign( mbedtls_lms_private_t *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void* p_rng, const unsigned char *msg,
+ unsigned int msg_size, unsigned char *sig, size_t sig_size,
+ size_t *sig_len );
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_LMS_H */
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 7269f13..61007d8 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1380,6 +1380,8 @@
* saved after the handshake to allow for more efficient serialization, so if
* you don't need this feature you'll save RAM by disabling it.
*
+ * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C
+ *
* Comment to disable the context serialization APIs.
*/
#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
@@ -2460,6 +2462,32 @@
#define MBEDTLS_HMAC_DRBG_C
/**
+ * \def MBEDTLS_LMS_C
+ *
+ * Enable the LMS stateful-hash asymmetric signature algorithm.
+ *
+ * Module: library/lms.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ * Uncomment to enable the LMS verification algorithm and public key operations.
+ */
+#define MBEDTLS_LMS_C
+
+/**
+ * \def MBEDTLS_LMS_PRIVATE
+ *
+ * Enable LMS private-key operations and signing code. Functions enabled by this
+ * option are experimental, and should not be used in production.
+ *
+ * Requires: MBEDTLS_LMS_C
+ *
+ * Uncomment to enable the LMS signature algorithm and private key operations.
+ */
+//#define MBEDTLS_LMS_PRIVATE
+
+/**
* \def MBEDTLS_NIST_KW_C
*
* Enable the Key Wrapping mode for 128-bit block ciphers,
@@ -3052,7 +3080,8 @@
* Module: library/ssl_ticket.c
* Caller:
*
- * Requires: MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO
+ * Requires: (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) &&
+ * (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)
*/
#define MBEDTLS_SSL_TICKET_C
diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h
index a5a43ac..62e12d2 100644
--- a/include/mbedtls/platform.h
+++ b/include/mbedtls/platform.h
@@ -11,6 +11,13 @@
* implementations of these functions, or implementations specific to
* their platform, which can be statically linked to the library or
* dynamically configured at runtime.
+ *
+ * When all compilation options related to platform abstraction are
+ * disabled, this header just defines `mbedtls_xxx` function names
+ * as aliases to the standard `xxx` function.
+ *
+ * Most modules in the library and example programs are expected to
+ * include this header.
*/
/*
* Copyright The Mbed TLS Contributors
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 385c250..219d820 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1188,6 +1188,10 @@
uint8_t MBEDTLS_PRIVATE(resumption_key_len); /*!< resumption_key length */
unsigned char MBEDTLS_PRIVATE(resumption_key)[MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN];
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
+ char *MBEDTLS_PRIVATE(hostname); /*!< host name binded with tickets */
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */
+
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_CLI_C)
mbedtls_time_t MBEDTLS_PRIVATE(ticket_received); /*!< time ticket was received */
#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_CLI_C */
@@ -1390,10 +1394,12 @@
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+#if defined(MBEDTLS_SSL_SRV_C)
/** Callback to retrieve PSK key from identity */
int (*MBEDTLS_PRIVATE(f_psk))(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
void *MBEDTLS_PRIVATE(p_psk); /*!< context for PSK callback */
#endif
+#endif
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
/** Callback to create & write a cookie for ClientHello verification */
@@ -3415,6 +3421,7 @@
mbedtls_svc_key_id_t psk );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_SSL_SRV_C)
/**
* \brief Set the PSK callback (server-side only).
*
@@ -3457,6 +3464,7 @@
int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
size_t),
void *p_psk );
+#endif /* MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index add6b03..6c09b3a 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -516,7 +516,7 @@
* mbedtls_x509_crt_init().
* \param buf The address of the readable buffer holding the DER encoded
* certificate to use. On success, this buffer must be
- * retained and not be changed for the liftetime of the
+ * retained and not be changed for the lifetime of the
* CRT chain \p chain, that is, until \p chain is destroyed
* through a call to mbedtls_x509_crt_free().
* \param buflen The size in Bytes of \p buf.
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 9513814..7c325f7 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -44,6 +44,8 @@
hash_info.c
hkdf.c
hmac_drbg.c
+ lmots.c
+ lms.c
md.c
md5.c
memory_buffer_alloc.c
diff --git a/library/Makefile b/library/Makefile
index 9c3af3b..624773d 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -109,6 +109,8 @@
hash_info.o \
hkdf.o \
hmac_drbg.o \
+ lmots.o \
+ lms.o \
md.o \
md5.o \
memory_buffer_alloc.o \
diff --git a/library/aes.c b/library/aes.c
index 03eccef..289890d 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -40,14 +40,7 @@
#include "aesni.h"
#endif
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_AES_ALT)
diff --git a/library/aria.c b/library/aria.c
index bc05c4a..f78d289 100644
--- a/library/aria.c
+++ b/library/aria.c
@@ -31,14 +31,7 @@
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_ARIA_ALT)
diff --git a/library/asn1parse.c b/library/asn1parse.c
index 83c7c58..d874fff 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@@ -31,13 +31,7 @@
#include "mbedtls/bignum.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
/*
* ASN.1 DER decoding routines
diff --git a/library/asn1write.c b/library/asn1write.c
index 053dbb6..f1adcb5 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -26,13 +26,7 @@
#include <string.h>
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
int mbedtls_asn1_write_len( unsigned char **p, const unsigned char *start, size_t len )
{
diff --git a/library/base64.c b/library/base64.c
index 83daa0b..9021a04 100644
--- a/library/base64.c
+++ b/library/base64.c
@@ -28,12 +28,7 @@
#if defined(MBEDTLS_SELF_TEST)
#include <string.h>
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */
#define BASE64_SIZE_T_MAX ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
diff --git a/library/bignum.c b/library/bignum.c
index 19d59be..1c7f919 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -47,15 +47,7 @@
#include <limits.h>
#include <string.h>
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#define MPI_VALIDATE_RET( cond ) \
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA )
diff --git a/library/bignum_core.c b/library/bignum_core.c
index c47292e..d0728e7 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -26,15 +26,7 @@
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "bignum_core.h"
#include "bn_mul.h"
diff --git a/library/bignum_mod.c b/library/bignum_mod.c
index de28093..f2c11a5 100644
--- a/library/bignum_mod.c
+++ b/library/bignum_mod.c
@@ -27,15 +27,7 @@
#include "mbedtls/error.h"
#include "mbedtls/bignum.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "bignum_core.h"
#include "bignum_mod.h"
diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c
index 8c89b2c..e1c96d6 100644
--- a/library/bignum_mod_raw.c
+++ b/library/bignum_mod_raw.c
@@ -26,15 +26,7 @@
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "bignum_core.h"
#include "bignum_mod_raw.h"
diff --git a/library/camellia.c b/library/camellia.c
index c29e6c1..5dd6c56 100644
--- a/library/camellia.c
+++ b/library/camellia.c
@@ -32,14 +32,7 @@
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_CAMELLIA_ALT)
diff --git a/library/chacha20.c b/library/chacha20.c
index f6d6e25..e53eb82 100644
--- a/library/chacha20.c
+++ b/library/chacha20.c
@@ -32,14 +32,7 @@
#include <stddef.h>
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_CHACHA20_ALT)
diff --git a/library/chachapoly.c b/library/chachapoly.c
index 1f75528..e283853 100644
--- a/library/chachapoly.c
+++ b/library/chachapoly.c
@@ -28,14 +28,7 @@
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_CHACHAPOLY_ALT)
diff --git a/library/cipher.c b/library/cipher.c
index 752d1fe..dfb7329 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -63,12 +63,7 @@
#include "mbedtls/nist_kw.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
static int supported_init = 0;
diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c
index 7da7d9d..8e395b3 100644
--- a/library/cipher_wrap.c
+++ b/library/cipher_wrap.c
@@ -68,13 +68,7 @@
#include <string.h>
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#if defined(MBEDTLS_GCM_C)
/* shared by all GCM ciphers */
diff --git a/library/constant_time.c b/library/constant_time.c
index 8980701..01a6976 100644
--- a/library/constant_time.c
+++ b/library/constant_time.c
@@ -81,7 +81,7 @@
#endif
}
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
size_t mbedtls_ct_size_mask( size_t value )
{
@@ -97,7 +97,7 @@
#endif
}
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
#if defined(MBEDTLS_BIGNUM_C)
@@ -404,7 +404,7 @@
#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
void mbedtls_ct_memcpy_if_eq( unsigned char *dest,
const unsigned char *src,
@@ -654,7 +654,7 @@
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
#if defined(MBEDTLS_BIGNUM_C)
diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h
index fc24ae5..340a588 100644
--- a/library/constant_time_internal.h
+++ b/library/constant_time_internal.h
@@ -213,7 +213,7 @@
#endif /* MBEDTLS_BASE64_C */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
/** Conditional memcpy without branches.
*
@@ -321,7 +321,7 @@
unsigned char *output );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 8919c78..71c48af 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -36,14 +36,7 @@
#include <stdio.h>
#endif
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
/*
* CTR_DRBG context initialization
diff --git a/library/debug.c b/library/debug.c
index fa60d13..bdbf6dd 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -21,16 +21,7 @@
#if defined(MBEDTLS_DEBUG_C)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#define mbedtls_time_t time_t
-#define mbedtls_snprintf snprintf
-#define mbedtls_vsnprintf vsnprintf
-#endif
#include "mbedtls/debug.h"
#include "mbedtls/error.h"
diff --git a/library/des.c b/library/des.c
index 91d22b5..65f5681 100644
--- a/library/des.c
+++ b/library/des.c
@@ -33,14 +33,7 @@
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_DES_ALT)
diff --git a/library/dhm.c b/library/dhm.c
index 1ba5339..6ee5402 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -43,15 +43,7 @@
#include "mbedtls/asn1.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#include <stdio.h>
-#define mbedtls_printf printf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#if !defined(MBEDTLS_DHM_ALT)
diff --git a/library/ecdsa.c b/library/ecdsa.c
index dcdf83c..c58e331 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -36,13 +36,7 @@
#include "mbedtls/hmac_drbg.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
diff --git a/library/ecjpake.c b/library/ecjpake.c
index 020eee5..289255a 100644
--- a/library/ecjpake.c
+++ b/library/ecjpake.c
@@ -857,12 +857,7 @@
#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif
#if !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
!defined(MBEDTLS_SHA256_C)
diff --git a/library/ecp.c b/library/ecp.c
index 009be61..ee6c24a 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -84,15 +84,7 @@
#if !defined(MBEDTLS_ECP_ALT)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#include <stdio.h>
-#define mbedtls_printf printf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "ecp_internal_alt.h"
diff --git a/library/entropy.c b/library/entropy.c
index 08c5bd7..1e0d9d3 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -32,18 +32,9 @@
#include <stdio.h>
#endif
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
#include "mbedtls/platform.h"
-#endif
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#define ENTROPY_MAX_LOOP 256 /**< Maximum amount to loop before error */
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index 2ae57fd..2df9bbe 100644
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@@ -35,9 +35,7 @@
#if defined(MBEDTLS_TIMING_C)
#include "mbedtls/timing.h"
#endif
-#if defined(MBEDTLS_ENTROPY_NV_SEED) || !defined(HAVE_SYSCTL_ARND)
#include "mbedtls/platform.h"
-#endif
#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
diff --git a/library/gcm.c b/library/gcm.c
index ac329e3..f004a73c 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -32,6 +32,7 @@
#if defined(MBEDTLS_GCM_C)
#include "mbedtls/gcm.h"
+#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
@@ -41,15 +42,6 @@
#include "aesni.h"
#endif
-#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
-#include "mbedtls/aes.h"
-#include "mbedtls/platform.h"
-#if !defined(MBEDTLS_PLATFORM_C)
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
-
#if !defined(MBEDTLS_GCM_ALT)
/*
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
index 8b13a86..6bc679d 100644
--- a/library/hmac_drbg.c
+++ b/library/hmac_drbg.c
@@ -37,14 +37,7 @@
#include <stdio.h>
#endif
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_SELF_TEST */
-#endif /* MBEDTLS_PLATFORM_C */
/*
* HMAC_DRBG context initialization
diff --git a/library/lmots.c b/library/lmots.c
new file mode 100644
index 0000000..788063c
--- /dev/null
+++ b/library/lmots.c
@@ -0,0 +1,826 @@
+/*
+ * The LM-OTS one-time public-key signature scheme
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * The following sources were referenced in the design of this implementation
+ * of the LM-OTS algorithm:
+ *
+ * [1] IETF RFC8554
+ * D. McGrew, M. Curcio, S.Fluhrer
+ * https://datatracker.ietf.org/doc/html/rfc8554
+ *
+ * [2] NIST Special Publication 800-208
+ * David A. Cooper et. al.
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_LMS_C)
+
+#include <string.h>
+
+#include "lmots.h"
+
+#include "mbedtls/lms.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include "psa/crypto.h"
+
+#define PUBLIC_KEY_TYPE_OFFSET (0)
+#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
+ MBEDTLS_LMOTS_TYPE_LEN)
+#define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
+ MBEDTLS_LMOTS_I_KEY_ID_LEN)
+#define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
+
+/* We only support parameter sets that use 8-bit digits, as it does not require
+ * translation logic between digits and bytes */
+#define W_WINTERNITZ_PARAMETER (8u)
+#define CHECKSUM_LEN (2)
+#define I_DIGIT_IDX_LEN (2)
+#define J_HASH_IDX_LEN (1)
+#define D_CONST_LEN (2)
+
+#define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u)
+
+#define D_CONST_LEN (2)
+static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = {0x80, 0x80};
+static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = {0x81, 0x81};
+
+#if defined(MBEDTLS_TEST_HOOKS)
+int( *mbedtls_lmots_sign_private_key_invalidated_hook )( unsigned char * ) = NULL;
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+void mbedtls_lms_unsigned_int_to_network_bytes( unsigned int val, size_t len,
+ unsigned char *bytes )
+{
+ size_t idx;
+
+ for ( idx = 0; idx < len; idx++ )
+ {
+ bytes[idx] = ( val >> ( ( len - 1 - idx ) * 8 ) ) & 0xFF;
+ }
+}
+
+unsigned int mbedtls_lms_network_bytes_to_unsigned_int( size_t len,
+ const unsigned char *bytes )
+{
+ size_t idx;
+ unsigned int val = 0;
+
+ for ( idx = 0; idx < len; idx++ )
+ {
+ val |= ( ( unsigned int )bytes[idx] ) << (8 * ( len - 1 - idx ) );
+ }
+
+ return ( val );
+}
+
+/* Calculate the checksum digits that are appended to the end of the LMOTS digit
+ * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
+ * the checksum algorithm.
+ *
+ * params The LMOTS parameter set, I and q values which
+ * describe the key being used.
+ *
+ * digest The digit string to create the digest from. As
+ * this does not contain a checksum, it is the same
+ * size as a hash output.
+ */
+static unsigned short lmots_checksum_calculate( const mbedtls_lmots_parameters_t *params,
+ const unsigned char* digest )
+{
+ size_t idx;
+ unsigned sum = 0;
+
+ for ( idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++ )
+ {
+ sum += DIGIT_MAX_VALUE - digest[idx];
+ }
+
+ return ( sum );
+}
+
+/* Create the string of digest digits (in the base determined by the Winternitz
+ * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
+ * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
+ * 4b step 3) for details.
+ *
+ * params The LMOTS parameter set, I and q values which
+ * describe the key being used.
+ *
+ * msg The message that will be hashed to create the
+ * digest.
+ *
+ * msg_size The size of the message.
+ *
+ * C_random_value The random value that will be combined with the
+ * message digest. This is always the same size as a
+ * hash output for whichever hash algorithm is
+ * determined by the parameter set.
+ *
+ * output An output containing the digit string (+
+ * checksum) of length P digits (in the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
+ * size P bytes).
+ */
+static int create_digit_array_with_checksum( const mbedtls_lmots_parameters_t *params,
+ const unsigned char *msg,
+ size_t msg_len,
+ const unsigned char *C_random_value,
+ unsigned char *out )
+{
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned short checksum;
+
+ status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, params->q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, C_random_value,
+ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type) );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, msg, msg_len );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_finish( &op, out,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type),
+ &output_hash_len );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ checksum = lmots_checksum_calculate( params, out );
+ mbedtls_lms_unsigned_int_to_network_bytes( checksum, CHECKSUM_LEN,
+ out + MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
+
+exit:
+ psa_hash_abort( &op );
+
+ return( mbedtls_lms_error_from_psa( status ) );
+}
+
+/* Hash each element of the string of digits (+ checksum), producing a hash
+ * output for each element. This is used in several places (by varying the
+ * hash_idx_min/max_values) in order to calculate a public key from a private
+ * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
+ * Algorithm 3 step 5), and to calculate a public key candidate from a
+ * signature and message (RFC8554 Algorithm 4b step 3).
+ *
+ * params The LMOTS parameter set, I and q values which
+ * describe the key being used.
+ *
+ * x_digit_array The array of digits (of size P, 34 in the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8).
+ *
+ * hash_idx_min_values An array of the starting values of the j iterator
+ * for each of the members of the digit array. If
+ * this value in NULL, then all iterators will start
+ * at 0.
+ *
+ * hash_idx_max_values An array of the upper bound values of the j
+ * iterator for each of the members of the digit
+ * array. If this value in NULL, then iterator is
+ * bounded to be less than 2^w - 1 (255 in the case
+ * of MBEDTLS_LMOTS_SHA256_N32_W8)
+ *
+ * output An array containing a hash output for each member
+ * of the digit string P. In the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
+ * 34.
+ */
+static int hash_digit_array( const mbedtls_lmots_parameters_t *params,
+ const unsigned char *x_digit_array,
+ const unsigned char *hash_idx_min_values,
+ const unsigned char *hash_idx_max_values,
+ unsigned char *output )
+{
+ unsigned int i_digit_idx;
+ unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
+ unsigned int j_hash_idx;
+ unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
+ unsigned int j_hash_idx_min;
+ unsigned int j_hash_idx_max;
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+
+ for ( i_digit_idx = 0;
+ i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
+ i_digit_idx++ )
+ {
+
+ memcpy( tmp_hash,
+ &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
+
+ j_hash_idx_min = hash_idx_min_values != NULL ?
+ hash_idx_min_values[i_digit_idx] : 0;
+ j_hash_idx_max = hash_idx_max_values != NULL ?
+ hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
+
+ for ( j_hash_idx = j_hash_idx_min;
+ j_hash_idx < j_hash_idx_max;
+ j_hash_idx++ )
+ {
+ status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op,
+ params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op,
+ params->q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ mbedtls_lms_unsigned_int_to_network_bytes( i_digit_idx,
+ I_DIGIT_IDX_LEN,
+ i_digit_idx_bytes );
+ status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ mbedtls_lms_unsigned_int_to_network_bytes( j_hash_idx,
+ J_HASH_IDX_LEN,
+ j_hash_idx_bytes );
+ status = psa_hash_update( &op, j_hash_idx_bytes, J_HASH_IDX_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, tmp_hash,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_finish( &op, tmp_hash, sizeof( tmp_hash ),
+ &output_hash_len );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ psa_hash_abort( &op );
+ }
+
+ memcpy( &output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
+ tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
+ }
+
+exit:
+ psa_hash_abort( &op );
+ mbedtls_platform_zeroize( tmp_hash, sizeof( tmp_hash ) );
+
+ return( mbedtls_lms_error_from_psa( status ) );
+}
+
+/* Combine the hashes of the digit array into a public key. This is used in
+ * in order to calculate a public key from a private key (RFC8554 Algorithm 1
+ * step 4), and to calculate a public key candidate from a signature and message
+ * (RFC8554 Algorithm 4b step 3).
+ *
+ * params The LMOTS parameter set, I and q values which describe
+ * the key being used.
+ * y_hashed_digits The array of hashes, one hash for each digit of the
+ * symbol array (which is of size P, 34 in the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8)
+ *
+ * pub_key The output public key (or candidate public key in
+ * case this is being run as part of signature
+ * verification), in the form of a hash output.
+ */
+static int public_key_from_hashed_digit_array( const mbedtls_lmots_parameters_t *params,
+ const unsigned char *y_hashed_digits,
+ unsigned char *pub_key )
+{
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+
+ status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op,
+ params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, params->q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, y_hashed_digits,
+ MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type) );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_finish( &op, pub_key,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type),
+ &output_hash_len );
+ if( status != PSA_SUCCESS )
+
+exit:
+ psa_hash_abort( &op );
+
+ return( mbedtls_lms_error_from_psa( status ) );
+}
+
+int mbedtls_lms_error_from_psa( psa_status_t status )
+{
+ switch( status )
+ {
+ case PSA_SUCCESS:
+ return( 0 );
+ case PSA_ERROR_HARDWARE_FAILURE:
+ return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
+ case PSA_ERROR_NOT_SUPPORTED:
+ return( MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED );
+ case PSA_ERROR_BUFFER_TOO_SMALL:
+ return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
+ case PSA_ERROR_INVALID_ARGUMENT:
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ default:
+ return( MBEDTLS_ERR_ERROR_GENERIC_ERROR );
+ }
+}
+
+void mbedtls_lmots_public_init( mbedtls_lmots_public_t *ctx )
+{
+ memset( ctx, 0, sizeof( *ctx ) ) ;
+}
+
+void mbedtls_lmots_public_free( mbedtls_lmots_public_t *ctx )
+{
+ mbedtls_platform_zeroize( ctx, sizeof( *ctx ) ) ;
+}
+
+int mbedtls_lmots_import_public_key( mbedtls_lmots_public_t *ctx,
+ const unsigned char *key, size_t key_len )
+{
+ if( key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ ctx->params.type =
+ mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN,
+ key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET );
+
+ if( key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ memcpy( ctx->params.I_key_identifier,
+ key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN );
+
+ memcpy( ctx->params.q_leaf_identifier,
+ key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
+
+ memcpy( ctx->public_key,
+ key + PUBLIC_KEY_KEY_HASH_OFFSET,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
+
+ ctx->have_public_key = 1;
+
+ return( 0 );
+}
+
+int mbedtls_lmots_export_public_key( const mbedtls_lmots_public_t *ctx,
+ unsigned char *key, size_t key_size,
+ size_t *key_len )
+{
+ if( key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) )
+ {
+ return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
+ }
+
+ if( ! ctx->have_public_key )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ mbedtls_lms_unsigned_int_to_network_bytes( ctx->params.type,
+ MBEDTLS_LMOTS_TYPE_LEN,
+ key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET );
+
+ memcpy( key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN );
+
+ memcpy( key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
+ ctx->params.q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
+
+ memcpy( key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
+
+ if( key_len != NULL )
+ {
+ *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
+ }
+
+ return( 0 );
+}
+
+int mbedtls_lmots_calculate_public_key_candidate( const mbedtls_lmots_parameters_t *params,
+ const unsigned char *msg,
+ size_t msg_size,
+ const unsigned char *sig,
+ size_t sig_size,
+ unsigned char *out,
+ size_t out_size,
+ size_t *out_len )
+{
+ unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
+ unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if( msg == NULL && msg_size != 0 )
+ {
+ return ( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
+ out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type) )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ ret = create_digit_array_with_checksum( params, msg, msg_size,
+ sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
+ tmp_digit_array );
+ if( ret )
+ {
+ return ( ret );
+ }
+
+ ret = hash_digit_array( params,
+ sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
+ tmp_digit_array, NULL, ( unsigned char * )y_hashed_digits );
+ if( ret )
+ {
+ return ( ret );
+ }
+
+ ret = public_key_from_hashed_digit_array( params,
+ ( unsigned char * )y_hashed_digits,
+ out );
+ if( ret )
+ {
+ return ( ret );
+ }
+
+ if( out_len != NULL )
+ {
+ *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
+ }
+
+ return( 0 );
+}
+
+int mbedtls_lmots_verify( const mbedtls_lmots_public_t *ctx,
+ const unsigned char *msg, size_t msg_size,
+ const unsigned char *sig, size_t sig_size )
+{
+ unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if( msg == NULL && msg_size != 0 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( !ctx->have_public_key )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+ if( mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN,
+ sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ) != MBEDTLS_LMOTS_SHA256_N32_W8 )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+ ret = mbedtls_lmots_calculate_public_key_candidate( &ctx->params,
+ msg, msg_size, sig, sig_size,
+ Kc_public_key_candidate,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
+ NULL );
+ if( ret )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+ if( memcmp( &Kc_public_key_candidate, ctx->public_key,
+ sizeof( ctx->public_key ) ) )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+ return( 0 );
+}
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+
+void mbedtls_lmots_private_init( mbedtls_lmots_private_t *ctx )
+{
+ memset( ctx, 0, sizeof( *ctx ) ) ;
+}
+
+void mbedtls_lmots_private_free( mbedtls_lmots_private_t *ctx )
+{
+ mbedtls_platform_zeroize( ctx, sizeof( *ctx ) ) ;
+}
+
+int mbedtls_lmots_generate_private_key( mbedtls_lmots_private_t *ctx,
+ mbedtls_lmots_algorithm_type_t type,
+ const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
+ uint32_t q_leaf_identifier,
+ const unsigned char *seed,
+ size_t seed_size )
+{
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned int i_digit_idx;
+ unsigned char i_digit_idx_bytes[2];
+ unsigned char const_bytes[1];
+
+ if( ctx->have_private_key )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( type != MBEDTLS_LMOTS_SHA256_N32_W8 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ ctx->params.type = type;
+
+ memcpy( ctx->params.I_key_identifier,
+ I_key_identifier,
+ sizeof( ctx->params.I_key_identifier ) );
+
+ mbedtls_lms_unsigned_int_to_network_bytes( q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN,
+ ctx->params.q_leaf_identifier );
+
+ mbedtls_lms_unsigned_int_to_network_bytes( 0xFF, sizeof( const_bytes ),
+ const_bytes );
+
+ for ( i_digit_idx = 0;
+ i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
+ i_digit_idx++ )
+ {
+ status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op,
+ ctx->params.I_key_identifier,
+ sizeof( ctx->params.I_key_identifier ) );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op,
+ ctx->params.q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ mbedtls_lms_unsigned_int_to_network_bytes( i_digit_idx, I_DIGIT_IDX_LEN,
+ i_digit_idx_bytes );
+ status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, const_bytes, sizeof( const_bytes ) );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, seed, seed_size );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_finish( &op,
+ ctx->private_key[i_digit_idx],
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
+ &output_hash_len );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ psa_hash_abort( &op );
+ }
+
+ ctx->have_private_key = 1;
+
+exit:
+ psa_hash_abort( &op );
+
+ return ( mbedtls_lms_error_from_psa( status ) );
+}
+
+int mbedtls_lmots_calculate_public_key( mbedtls_lmots_public_t *ctx,
+ const mbedtls_lmots_private_t *priv_ctx )
+{
+ unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Check that a private key is loaded */
+ if( !priv_ctx->have_private_key )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ ret = hash_digit_array( &priv_ctx->params,
+ ( unsigned char * )priv_ctx->private_key, NULL,
+ NULL, ( unsigned char * )y_hashed_digits );
+ if( ret )
+ {
+ goto exit;
+ }
+
+ ret = public_key_from_hashed_digit_array( &priv_ctx->params,
+ ( unsigned char * )y_hashed_digits,
+ ctx->public_key );
+ if( ret )
+ {
+ goto exit;
+ }
+
+ memcpy( &ctx->params, &priv_ctx->params,
+ sizeof( ctx->params ) );
+
+ ctx->have_public_key = 1;
+
+exit:
+ mbedtls_platform_zeroize( y_hashed_digits, sizeof( y_hashed_digits ) );
+
+ return( ret );
+}
+
+int mbedtls_lmots_sign( mbedtls_lmots_private_t *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *msg, size_t msg_size,
+ unsigned char *sig, size_t sig_size, size_t* sig_len )
+{
+ unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
+ /* Create a temporary buffer to prepare the signature in. This allows us to
+ * finish creating a signature (ensuring the process doesn't fail), and then
+ * erase the private key **before** writing any data into the sig parameter
+ * buffer. If data were directly written into the sig buffer, it might leak
+ * a partial signature on failure, which effectively compromises the private
+ * key.
+ */
+ unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if( msg == NULL && msg_size != 0 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type) )
+ {
+ return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
+ }
+
+ /* Check that a private key is loaded */
+ if( !ctx->have_private_key )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ ret = f_rng( p_rng, tmp_c_random,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
+ if( ret )
+ {
+ return( ret );
+ }
+
+ ret = create_digit_array_with_checksum( &ctx->params,
+ msg, msg_size,
+ tmp_c_random,
+ tmp_digit_array );
+ if( ret )
+ {
+ goto exit;
+ }
+
+ ret = hash_digit_array( &ctx->params, ( unsigned char * )ctx->private_key,
+ NULL, tmp_digit_array, ( unsigned char * )tmp_sig );
+ if( ret )
+ {
+ goto exit;
+ }
+
+ mbedtls_lms_unsigned_int_to_network_bytes( ctx->params.type,
+ MBEDTLS_LMOTS_TYPE_LEN,
+ sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET );
+
+ /* Test hook to check if sig is being written to before we invalidate the
+ * private key.
+ */
+#if defined(MBEDTLS_TEST_HOOKS)
+ if( mbedtls_lmots_sign_private_key_invalidated_hook != NULL )
+ {
+ ret = ( *mbedtls_lmots_sign_private_key_invalidated_hook )( sig );
+ if( ret != 0 )
+ return( ret );
+ }
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+ /* We've got a valid signature now, so it's time to make sure the private
+ * key can't be reused.
+ */
+ ctx->have_private_key = 0;
+ mbedtls_platform_zeroize( ctx->private_key,
+ sizeof( ctx->private_key ) );
+
+ memcpy( sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
+ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type) );
+
+ memcpy( sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
+ MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
+ * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) );
+
+ if( sig_len != NULL )
+ {
+ *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_platform_zeroize( tmp_digit_array, sizeof( tmp_digit_array ) );
+ mbedtls_platform_zeroize( tmp_sig, sizeof( tmp_sig ) );
+
+ return ( ret );
+}
+
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+#endif /* defined(MBEDTLS_LMS_C) */
diff --git a/library/lmots.h b/library/lmots.h
new file mode 100644
index 0000000..39e8699
--- /dev/null
+++ b/library/lmots.h
@@ -0,0 +1,322 @@
+/**
+ * \file lmots.h
+ *
+ * \brief This file provides an API for the LM-OTS post-quantum-safe one-time
+ * public-key signature scheme as defined in RFC8554 and NIST.SP.200-208.
+ * This implementation currently only supports a single parameter set
+ * MBEDTLS_LMOTS_SHA256_N32_W8 in order to reduce complexity.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MBEDTLS_LMOTS_H
+#define MBEDTLS_LMOTS_H
+
+#include "mbedtls/build_info.h"
+
+#include "psa/crypto.h"
+
+#include "mbedtls/lms.h"
+
+#include <stdint.h>
+#include <stddef.h>
+
+
+#define MBEDTLS_LMOTS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \
+ MBEDTLS_LMOTS_I_KEY_ID_LEN + \
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \
+ MBEDTLS_LMOTS_N_HASH_LEN(type))
+
+#define MBEDTLS_LMOTS_SIG_TYPE_OFFSET (0)
+#define MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET (MBEDTLS_LMOTS_SIG_TYPE_OFFSET + \
+ MBEDTLS_LMOTS_TYPE_LEN)
+#define MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(type) (MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET + \
+ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type))
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+#if defined(MBEDTLS_TEST_HOOKS)
+extern int( *mbedtls_lmots_sign_private_key_invalidated_hook )( unsigned char * );
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+/**
+ * \brief This function converts an unsigned int into a
+ * network-byte-order (big endian) string.
+ *
+ * \param val The unsigned integer value
+ * \param len The length of the string.
+ * \param bytes The string to output into.
+ */
+void mbedtls_lms_unsigned_int_to_network_bytes( unsigned int val, size_t len,
+ unsigned char *bytes );
+
+/**
+ * \brief This function converts a network-byte-order
+ * (big endian) string into an unsigned integer.
+ *
+ * \param len The length of the string.
+ * \param bytes The string.
+ *
+ * \return The corresponding LMS error code.
+ */
+unsigned int mbedtls_lms_network_bytes_to_unsigned_int( size_t len,
+ const unsigned char *bytes );
+
+/**
+ * \brief This function converts a \ref psa_status_t to a
+ * low-level LMS error code.
+ *
+ * \param status The psa_status_t to convert
+ *
+ * \return The corresponding LMS error code.
+ */
+int mbedtls_lms_error_from_psa( psa_status_t status );
+
+
+/**
+ * \brief This function initializes a public LMOTS context
+ *
+ * \param ctx The uninitialized LMOTS context that will then be
+ * initialized.
+ */
+void mbedtls_lmots_public_init( mbedtls_lmots_public_t *ctx );
+
+/**
+ * \brief This function uninitializes a public LMOTS context
+ *
+ * \param ctx The initialized LMOTS context that will then be
+ * uninitialized.
+ */
+void mbedtls_lmots_public_free( mbedtls_lmots_public_t *ctx );
+
+/**
+ * \brief This function imports an LMOTS public key into a
+ * LMOTS context.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized.
+ *
+ * \note See IETF RFC8554 for details of the encoding of
+ * this public key.
+ *
+ * \param ctx The initialized LMOTS context store the key in.
+ * \param key The buffer from which the key will be read.
+ * #MBEDTLS_LMOTS_PUBLIC_KEY_LEN bytes will be read
+ * from this.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_import_public_key( mbedtls_lmots_public_t *ctx,
+ const unsigned char *key, size_t key_size );
+
+/**
+ * \brief This function exports an LMOTS public key from a
+ * LMOTS context that already contains a public key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and the context must contain
+ * a public key.
+ *
+ * \note See IETF RFC8554 for details of the encoding of
+ * this public key.
+ *
+ * \param ctx The initialized LMOTS context that contains the
+ * publc key.
+ * \param key The buffer into which the key will be output. Must
+ * be at least #MBEDTLS_LMOTS_PUBLIC_KEY_LEN in size.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_export_public_key( const mbedtls_lmots_public_t *ctx,
+ unsigned char *key, size_t key_size,
+ size_t *key_len );
+
+/**
+ * \brief This function creates a candidate public key from
+ * an LMOTS signature. This can then be compared to
+ * the real public key to determine the validity of
+ * the signature.
+ *
+ * \note This function is exposed publicly to be used in LMS
+ * signature verification, it is expected that
+ * mbedtls_lmots_verify will be used for LMOTS
+ * signature verification.
+ *
+ * \param params The LMOTS parameter set, q and I values as an
+ * mbedtls_lmots_parameters_t struct.
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buffer from which the signature will be read.
+ * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from
+ * this.
+ * \param out The buffer where the candidate public key will be
+ * stored. Must be at least #MBEDTLS_LMOTS_N_HASH_LEN
+ * bytes in size.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_calculate_public_key_candidate( const mbedtls_lmots_parameters_t *params,
+ const unsigned char *msg,
+ size_t msg_size,
+ const unsigned char *sig,
+ size_t sig_size,
+ unsigned char *out,
+ size_t out_size,
+ size_t *out_len );
+
+/**
+ * \brief This function verifies a LMOTS signature, using a
+ * LMOTS context that contains a public key.
+ *
+ * \warning This function is **not intended for use in
+ * production**, due to as-yet unsolved problems with
+ * handling stateful keys. The API for this function
+ * may change considerably in future versions.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and must contain a public key
+ * (either by import or calculation from a private
+ * key).
+ *
+ * \param ctx The initialized LMOTS context from which the public
+ * key will be read.
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buf from which the signature will be read.
+ * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from
+ * this.
+ *
+ * \return \c 0 on successful verification.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_verify( const mbedtls_lmots_public_t *ctx,
+ const unsigned char *msg,
+ size_t msg_size, const unsigned char *sig,
+ size_t sig_size );
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+
+/**
+ * \brief This function initializes a private LMOTS context
+ *
+ * \param ctx The uninitialized LMOTS context that will then be
+ * initialized.
+ */
+void mbedtls_lmots_private_init( mbedtls_lmots_private_t *ctx );
+
+/**
+ * \brief This function uninitializes a private LMOTS context
+ *
+ * \param ctx The initialized LMOTS context that will then be
+ * uninitialized.
+ */
+void mbedtls_lmots_private_free( mbedtls_lmots_private_t *ctx );
+
+/**
+ * \brief This function calculates an LMOTS private key, and
+ * stores in into an LMOTS context.
+ *
+ * \warning This function is **not intended for use in
+ * production**, due to as-yet unsolved problems with
+ * handling stateful keys. The API for this function
+ * may change considerably in future versions.
+ *
+ * \note The seed must have at least 256 bits of entropy.
+ *
+ * \param ctx The initialized LMOTS context to generate the key
+ * into.
+ * \param I_key_identifier The key identifier of the key, as a 16-byte string.
+ * \param q_leaf_identifier The leaf identifier of key. If this LMOTS key is
+ * not being used as part of an LMS key, this should
+ * be set to 0.
+ * \param seed The seed used to deterministically generate the
+ * key.
+ * \param seed_size The length of the seed.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_generate_private_key( mbedtls_lmots_private_t *ctx,
+ mbedtls_lmots_algorithm_type_t type,
+ const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
+ uint32_t q_leaf_identifier,
+ const unsigned char *seed,
+ size_t seed_size );
+
+/**
+ * \brief This function generates an LMOTS public key from a
+ * LMOTS context that already contains a private key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and the context must contain
+ * a private key.
+ *
+ * \param ctx The initialized LMOTS context to generate the key
+ * from and store it into.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_calculate_public_key( mbedtls_lmots_public_t *ctx,
+ const mbedtls_lmots_private_t *priv_ctx );
+
+/**
+ * \brief This function creates a LMOTS signature, using a
+ * LMOTS context that contains a private key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and must contain a private
+ * key.
+ *
+ * \note LMOTS private keys can only be used once, otherwise
+ * attackers may be able to create forged signatures.
+ * If the signing operation is successful, the private
+ * key in the context will be erased, and no further
+ * signing will be possible until another private key
+ * is loaded
+ *
+ * \param ctx The initialized LMOTS context from which the
+ * private key will be read.
+ * \param f_rng The RNG function to be used for signature
+ * generation.
+ * \param p_rng The RNG context to be passed to f_rng
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buf into which the signature will be stored.
+ * Must be at least #MBEDTLS_LMOTS_SIG_LEN in size.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_sign( mbedtls_lmots_private_t *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *msg, size_t msg_size,
+ unsigned char *sig, size_t sig_size, size_t* sig_len );
+
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_LMOTS_H */
diff --git a/library/lms.c b/library/lms.c
new file mode 100644
index 0000000..46ea567
--- /dev/null
+++ b/library/lms.c
@@ -0,0 +1,789 @@
+/*
+ * The LMS stateful-hash public-key signature scheme
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * The following sources were referenced in the design of this implementation
+ * of the LMS algorithm:
+ *
+ * [1] IETF RFC8554
+ * D. McGrew, M. Curcio, S.Fluhrer
+ * https://datatracker.ietf.org/doc/html/rfc8554
+ *
+ * [2] NIST Special Publication 800-208
+ * David A. Cooper et. al.
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_LMS_C)
+
+#include <string.h>
+
+#include "lmots.h"
+
+#include "psa/crypto.h"
+
+#include "mbedtls/lms.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include "mbedtls/platform.h"
+
+#define SIG_Q_LEAF_ID_OFFSET (0)
+#define SIG_OTS_SIG_OFFSET (SIG_Q_LEAF_ID_OFFSET + \
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
+#define SIG_TYPE_OFFSET(otstype) (SIG_OTS_SIG_OFFSET + \
+ MBEDTLS_LMOTS_SIG_LEN(otstype))
+#define SIG_PATH_OFFSET(otstype) (SIG_TYPE_OFFSET(otstype) + \
+ MBEDTLS_LMS_TYPE_LEN)
+
+#define PUBLIC_KEY_TYPE_OFFSET (0)
+#define PUBLIC_KEY_OTSTYPE_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
+ MBEDTLS_LMS_TYPE_LEN)
+#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_OTSTYPE_OFFSET + \
+ MBEDTLS_LMOTS_TYPE_LEN)
+#define PUBLIC_KEY_ROOT_NODE_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
+ MBEDTLS_LMOTS_I_KEY_ID_LEN)
+
+
+/* Currently only support H=10 */
+#define H_TREE_HEIGHT_MAX 10
+#define MERKLE_TREE_NODE_AM_MAX (1u << (H_TREE_HEIGHT_MAX + 1u))
+#define MERKLE_TREE_NODE_AM(type) (1u << (MBEDTLS_LMS_H_TREE_HEIGHT(type) + 1u))
+#define MERKLE_TREE_LEAF_NODE_AM(type) (1u << MBEDTLS_LMS_H_TREE_HEIGHT(type))
+#define MERKLE_TREE_INTERNAL_NODE_AM(type) (1u << MBEDTLS_LMS_H_TREE_HEIGHT(type))
+
+#define D_CONST_LEN (2)
+static const unsigned char D_LEAF_CONSTANT_BYTES[D_CONST_LEN] = {0x82, 0x82};
+static const unsigned char D_INTR_CONSTANT_BYTES[D_CONST_LEN] = {0x83, 0x83};
+
+
+/* Calculate the value of a leaf node of the Merkle tree (which is a hash of a
+ * public key and some other parameters like the leaf index). This function
+ * implements RFC8554 section 5.3, in the case where r >= 2^h.
+ *
+ * params The LMS parameter set, the underlying LMOTS
+ * parameter set, and I value which describe the key
+ * being used.
+ *
+ * pub_key The public key of the private whose index
+ * corresponds to the index of this leaf node. This
+ * is a hash output.
+ *
+ * r_node_idx The index of this node in the Merkle tree. Note
+ * that the root node of the Merkle tree is
+ * 1-indexed.
+ *
+ * out The output node value, which is a hash output.
+ */
+static int create_merkle_leaf_value( const mbedtls_lms_parameters_t *params,
+ unsigned char *pub_key,
+ unsigned int r_node_idx,
+ unsigned char *out )
+{
+ psa_hash_operation_t op;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned char r_node_idx_bytes[4];
+
+ op = psa_hash_operation_init( );
+ status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ mbedtls_lms_unsigned_int_to_network_bytes( r_node_idx, 4, r_node_idx_bytes );
+ status = psa_hash_update( &op, r_node_idx_bytes, 4 );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, D_LEAF_CONSTANT_BYTES, D_CONST_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, pub_key,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->otstype) );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_finish( &op, out, MBEDTLS_LMS_M_NODE_BYTES(params->type),
+ &output_hash_len );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+exit:
+ psa_hash_abort( &op );
+
+ return ( mbedtls_lms_error_from_psa( status ) );
+}
+
+/* Calculate the value of an internal node of the Merkle tree (which is a hash
+ * of a public key and some other parameters like the node index). This function
+ * implements RFC8554 section 5.3, in the case where r < 2^h.
+ *
+ * params The LMS parameter set, the underlying LMOTS
+ * parameter set, and I value which describe the key
+ * being used.
+ *
+ * left_node The value of the child of this node which is on
+ * the left-hand side. As with all nodes on the
+ * Merkle tree, this is a hash output.
+ *
+ * right_node The value of the child of this node which is on
+ * the right-hand side. As with all nodes on the
+ * Merkle tree, this is a hash output.
+ *
+ * r_node_idx The index of this node in the Merkle tree. Note
+ * that the root node of the Merkle tree is
+ * 1-indexed.
+ *
+ * out The output node value, which is a hash output.
+ */
+static int create_merkle_internal_value( const mbedtls_lms_parameters_t *params,
+ const unsigned char *left_node,
+ const unsigned char *right_node,
+ unsigned int r_node_idx,
+ unsigned char *out )
+{
+ psa_hash_operation_t op;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned char r_node_idx_bytes[4];
+
+ op = psa_hash_operation_init( );
+ status = psa_hash_setup( &op, PSA_ALG_SHA_256 );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ mbedtls_lms_unsigned_int_to_network_bytes( r_node_idx, 4, r_node_idx_bytes );
+ status = psa_hash_update( &op, r_node_idx_bytes, 4 );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, D_INTR_CONSTANT_BYTES, D_CONST_LEN );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, left_node,
+ MBEDTLS_LMS_M_NODE_BYTES(params->type) );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_update( &op, right_node,
+ MBEDTLS_LMS_M_NODE_BYTES(params->type) );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_hash_finish( &op, out, MBEDTLS_LMS_M_NODE_BYTES(params->type),
+ &output_hash_len );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+exit:
+ psa_hash_abort( &op );
+
+ return( mbedtls_lms_error_from_psa( status ) );
+}
+
+void mbedtls_lms_public_init( mbedtls_lms_public_t *ctx )
+{
+ memset( ctx, 0, sizeof( *ctx ) ) ;
+}
+
+void mbedtls_lms_public_free( mbedtls_lms_public_t *ctx )
+{
+ mbedtls_platform_zeroize( ctx, sizeof( *ctx ) );
+}
+
+int mbedtls_lms_import_public_key( mbedtls_lms_public_t *ctx,
+ const unsigned char *key, size_t key_size )
+{
+ mbedtls_lms_algorithm_type_t type;
+ mbedtls_lmots_algorithm_type_t otstype;
+
+ type = mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMS_TYPE_LEN,
+ key + PUBLIC_KEY_TYPE_OFFSET );
+ if( type != MBEDTLS_LMS_SHA256_M32_H10 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+ ctx->params.type = type;
+
+ if( key_size != MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type) )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ otstype = mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN,
+ key + PUBLIC_KEY_OTSTYPE_OFFSET );
+ if( otstype != MBEDTLS_LMOTS_SHA256_N32_W8 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+ ctx->params.otstype = otstype;
+
+ memcpy( ctx->params.I_key_identifier,
+ key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN );
+ memcpy( ctx->T_1_pub_key, key + PUBLIC_KEY_ROOT_NODE_OFFSET,
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type) );
+
+ ctx->have_public_key = 1;
+
+ return( 0 );
+}
+
+int mbedtls_lms_export_public_key( const mbedtls_lms_public_t *ctx,
+ unsigned char *key,
+ size_t key_size, size_t *key_len )
+{
+ if( key_size < MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type) )
+ {
+ return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
+ }
+
+ if( ! ctx->have_public_key )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ mbedtls_lms_unsigned_int_to_network_bytes(
+ ctx->params.type,
+ MBEDTLS_LMS_TYPE_LEN, key + PUBLIC_KEY_TYPE_OFFSET );
+ mbedtls_lms_unsigned_int_to_network_bytes( ctx->params.otstype,
+ MBEDTLS_LMOTS_TYPE_LEN,
+ key + PUBLIC_KEY_OTSTYPE_OFFSET );
+ memcpy( key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN );
+ memcpy( key +PUBLIC_KEY_ROOT_NODE_OFFSET,
+ ctx->T_1_pub_key,
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type) );
+
+ if( key_len != NULL )
+ {
+ *key_len = MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type);
+ }
+
+ return( 0 );
+}
+
+int mbedtls_lms_verify( const mbedtls_lms_public_t *ctx,
+ const unsigned char *msg, size_t msg_size,
+ const unsigned char *sig, size_t sig_size )
+{
+ unsigned int q_leaf_identifier;
+ unsigned char Kc_candidate_ots_pub_key[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ unsigned char Tc_candidate_root_node[MBEDTLS_LMS_M_NODE_BYTES_MAX];
+ unsigned int height;
+ unsigned int curr_node_id;
+ unsigned int parent_node_id;
+ const unsigned char* left_node;
+ const unsigned char* right_node;
+ mbedtls_lmots_parameters_t ots_params;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if( ! ctx->have_public_key )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( ctx->params.type
+ != MBEDTLS_LMS_SHA256_M32_H10 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( ctx->params.otstype
+ != MBEDTLS_LMOTS_SHA256_N32_W8 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( sig_size != MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype) )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+ if( sig_size < SIG_OTS_SIG_OFFSET + MBEDTLS_LMOTS_TYPE_LEN )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+ if( mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN,
+ sig + SIG_OTS_SIG_OFFSET + MBEDTLS_LMOTS_SIG_TYPE_OFFSET )
+ != MBEDTLS_LMOTS_SHA256_N32_W8 )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+ if( sig_size < SIG_TYPE_OFFSET(ctx->params.otstype) + MBEDTLS_LMS_TYPE_LEN )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+ if( mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMS_TYPE_LEN,
+ sig + SIG_TYPE_OFFSET(ctx->params.otstype))
+ != MBEDTLS_LMS_SHA256_M32_H10 )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+
+ q_leaf_identifier = mbedtls_lms_network_bytes_to_unsigned_int(
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN, sig + SIG_Q_LEAF_ID_OFFSET );
+
+ if( q_leaf_identifier >= MERKLE_TREE_LEAF_NODE_AM(ctx->params.type) )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+ memcpy( ots_params.I_key_identifier,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN );
+ mbedtls_lms_unsigned_int_to_network_bytes( q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN,
+ ots_params.q_leaf_identifier );
+ ots_params.type = ctx->params.otstype;
+
+ ret = mbedtls_lmots_calculate_public_key_candidate( &ots_params, msg,
+ msg_size, sig + SIG_OTS_SIG_OFFSET,
+ MBEDTLS_LMOTS_SIG_LEN(ctx->params.otstype), Kc_candidate_ots_pub_key,
+ sizeof( Kc_candidate_ots_pub_key ), NULL );
+ if( ret != 0 )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+ create_merkle_leaf_value(
+ &ctx->params,
+ Kc_candidate_ots_pub_key,
+ MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + q_leaf_identifier,
+ Tc_candidate_root_node );
+
+ curr_node_id = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) +
+ q_leaf_identifier;
+
+ for( height = 0; height < MBEDTLS_LMS_H_TREE_HEIGHT(ctx->params.type);
+ height++ )
+ {
+ parent_node_id = curr_node_id / 2;
+
+ /* Left/right node ordering matters for the hash */
+ if( curr_node_id & 1 )
+ {
+ left_node = sig + SIG_PATH_OFFSET(ctx->params.otstype) +
+ height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type);
+ right_node = Tc_candidate_root_node;
+ }
+ else
+ {
+ left_node = Tc_candidate_root_node;
+ right_node = sig + SIG_PATH_OFFSET(ctx->params.otstype) +
+ height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type);
+ }
+
+ create_merkle_internal_value( &ctx->params, left_node, right_node,
+ parent_node_id, Tc_candidate_root_node);
+
+ curr_node_id /= 2;
+ }
+
+ if( memcmp( Tc_candidate_root_node, ctx->T_1_pub_key,
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)) )
+ {
+ return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+ }
+
+ return( 0 );
+}
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+
+/* Calculate a full Merkle tree based on a private key. This function
+ * implements RFC8554 section 5.3, and is used to generate a public key (as the
+ * public key is the root node of the Merkle tree).
+ *
+ * ctx The LMS private context, containing a parameter
+ * set and private key material consisting of both
+ * public and private OTS.
+ *
+ * tree The output tree, which is 2^(H + 1) hash outputs.
+ * In the case of H=10 we have 2048 tree nodes (of
+ * which 1024 of them are leaf nodes). Note that
+ * because the Merkle tree root is 1-indexed, the 0
+ * index tree node is never used.
+ */
+static int calculate_merkle_tree( const mbedtls_lms_private_t *ctx,
+ unsigned char *tree )
+{
+ unsigned int priv_key_idx;
+ unsigned int r_node_idx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* First create the leaf nodes, in ascending order */
+ for( priv_key_idx = 0;
+ priv_key_idx < MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type);
+ priv_key_idx++ )
+ {
+ r_node_idx = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + priv_key_idx;
+
+ ret = create_merkle_leaf_value( &ctx->params,
+ ctx->ots_public_keys[priv_key_idx].public_key, r_node_idx,
+ &tree[r_node_idx * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)] );
+ if( ret != 0 )
+ {
+ return( ret );
+ }
+ }
+
+ /* Then the internal nodes, in reverse order so that we can guarantee the
+ * parent has been created */
+ for( r_node_idx = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) - 1;
+ r_node_idx > 0;
+ r_node_idx-- )
+ {
+ ret = create_merkle_internal_value( &ctx->params,
+ &tree[( r_node_idx * 2 ) * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)],
+ &tree[( r_node_idx * 2 + 1 ) * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)],
+ r_node_idx,
+ &tree[r_node_idx * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)] );
+ if( ret != 0 )
+ {
+ return( ret );
+ }
+ }
+
+ return( 0 );
+}
+
+/* Calculate a path from a leaf node of the Merkle tree to the root of the tree,
+ * and return the full path. This function implements RFC8554 section 5.4.1, as
+ * the Merkle path is the main component of an LMS signature.
+ *
+ * ctx The LMS private context, containing a parameter
+ * set and private key material consisting of both
+ * public and private OTS.
+ *
+ * leaf_node_id Which leaf node to calculate the path from.
+ *
+ * path The output path, which is H hash outputs.
+ */
+static int get_merkle_path( mbedtls_lms_private_t *ctx,
+ unsigned int leaf_node_id,
+ unsigned char *path )
+{
+ unsigned char tree[MERKLE_TREE_NODE_AM_MAX][MBEDTLS_LMS_M_NODE_BYTES_MAX];
+ unsigned int curr_node_id = leaf_node_id;
+ unsigned int adjacent_node_id;
+ unsigned int height;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = calculate_merkle_tree( ctx, ( unsigned char * )tree );
+ if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ for( height = 0; height < MBEDTLS_LMS_H_TREE_HEIGHT(ctx->params.type);
+ height++ )
+ {
+ adjacent_node_id = curr_node_id ^ 1;
+
+ memcpy( &path[height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)],
+ &tree[adjacent_node_id],
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type) );
+
+ curr_node_id >>=1;
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_platform_zeroize( tree, sizeof( tree ) );
+
+ return( ret );
+}
+
+void mbedtls_lms_private_init( mbedtls_lms_private_t *ctx )
+{
+ memset( ctx, 0, sizeof( *ctx ) ) ;
+}
+
+void mbedtls_lms_private_free( mbedtls_lms_private_t *ctx )
+{
+ unsigned int idx;
+
+ if( ctx->have_private_key )
+ {
+ if( ctx->ots_private_keys != NULL )
+ {
+ for( idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++ )
+ {
+ mbedtls_lmots_private_free( &ctx->ots_private_keys[idx] );
+ }
+ }
+
+ if( ctx->ots_public_keys != NULL )
+ {
+ for( idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++ )
+ {
+ mbedtls_lmots_public_free( &ctx->ots_public_keys[idx] );
+ }
+ }
+
+ mbedtls_free( ctx->ots_private_keys );
+ mbedtls_free( ctx->ots_public_keys );
+ }
+
+ mbedtls_platform_zeroize( ctx, sizeof( *ctx ) );
+}
+
+
+int mbedtls_lms_generate_private_key( mbedtls_lms_private_t *ctx,
+ mbedtls_lms_algorithm_type_t type,
+ mbedtls_lmots_algorithm_type_t otstype,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void* p_rng, const unsigned char *seed,
+ size_t seed_size )
+{
+ unsigned int idx = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if( type != MBEDTLS_LMS_SHA256_M32_H10 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( otstype != MBEDTLS_LMOTS_SHA256_N32_W8 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( ctx->have_private_key )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ ctx->params.type = type;
+ ctx->params.otstype = otstype;
+ ctx->have_private_key = 1;
+
+ ret = f_rng( p_rng,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN );
+ if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ /* Requires a cast to size_t to avoid an implicit cast warning on certain
+ * platforms (particularly Windows) */
+ ctx->ots_private_keys = mbedtls_calloc( ( size_t )MERKLE_TREE_LEAF_NODE_AM(ctx->params.type),
+ sizeof( *ctx->ots_private_keys ) );
+ if( ctx->ots_private_keys == NULL )
+ {
+ ret = MBEDTLS_ERR_LMS_ALLOC_FAILED;
+ goto exit;
+ }
+
+ /* Requires a cast to size_t to avoid an implicit cast warning on certain
+ * platforms (particularly Windows) */
+ ctx->ots_public_keys = mbedtls_calloc( ( size_t )MERKLE_TREE_LEAF_NODE_AM(ctx->params.type),
+ sizeof( *ctx->ots_public_keys ) );
+ if( ctx->ots_public_keys == NULL )
+ {
+ ret = MBEDTLS_ERR_LMS_ALLOC_FAILED;
+ goto exit;
+ }
+
+ for( idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++ )
+ {
+ mbedtls_lmots_private_init( &ctx->ots_private_keys[idx] );
+ mbedtls_lmots_public_init( &ctx->ots_public_keys[idx] );
+ }
+
+
+ for( idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++ )
+ {
+ ret = mbedtls_lmots_generate_private_key( &ctx->ots_private_keys[idx],
+ otstype,
+ ctx->params.I_key_identifier,
+ idx, seed, seed_size );
+ if( ret != 0 )
+ goto exit;
+
+ ret = mbedtls_lmots_calculate_public_key( &ctx->ots_public_keys[idx],
+ &ctx->ots_private_keys[idx] );
+ if( ret != 0 )
+ goto exit;
+ }
+
+ ctx->q_next_usable_key = 0;
+
+exit:
+ if( ret != 0 )
+ {
+ mbedtls_lms_private_free(ctx);
+ }
+
+ return( ret );
+}
+
+int mbedtls_lms_calculate_public_key( mbedtls_lms_public_t *ctx,
+ const mbedtls_lms_private_t *priv_ctx )
+{
+ unsigned char tree[MERKLE_TREE_NODE_AM_MAX][MBEDTLS_LMS_M_NODE_BYTES_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if( ! priv_ctx->have_private_key )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( priv_ctx->params.type
+ != MBEDTLS_LMS_SHA256_M32_H10 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( priv_ctx->params.otstype
+ != MBEDTLS_LMOTS_SHA256_N32_W8 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ memcpy( &ctx->params, &priv_ctx->params,
+ sizeof( mbedtls_lmots_parameters_t ) );
+
+ ret = calculate_merkle_tree( priv_ctx, ( unsigned char * )tree );
+ if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ /* Root node is always at position 1, due to 1-based indexing */
+ memcpy( ctx->T_1_pub_key, &tree[1],
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type) );
+
+ ctx->have_public_key = 1;
+
+ ret = 0;
+
+exit:
+ mbedtls_platform_zeroize( tree, sizeof( tree ) );
+
+ return( ret );
+}
+
+
+int mbedtls_lms_sign( mbedtls_lms_private_t *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void* p_rng, const unsigned char *msg,
+ unsigned int msg_size, unsigned char *sig, size_t sig_size,
+ size_t *sig_len )
+{
+ uint32_t q_leaf_identifier;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if( ! ctx->have_private_key )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( sig_size < MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype) )
+ {
+ return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
+ }
+
+ if( ctx->params.type != MBEDTLS_LMS_SHA256_M32_H10 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( ctx->params.otstype
+ != MBEDTLS_LMOTS_SHA256_N32_W8 )
+ {
+ return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ if( ctx->q_next_usable_key >= MERKLE_TREE_LEAF_NODE_AM(ctx->params.type) )
+ {
+ return( MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS );
+ }
+
+
+ q_leaf_identifier = ctx->q_next_usable_key;
+ /* This new value must _always_ be written back to the disk before the
+ * signature is returned.
+ */
+ ctx->q_next_usable_key += 1;
+
+ if ( MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype)
+ < SIG_OTS_SIG_OFFSET )
+ {
+ return ( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+ }
+
+ ret = mbedtls_lmots_sign( &ctx->ots_private_keys[q_leaf_identifier],
+ f_rng, p_rng, msg, msg_size,
+ sig + SIG_OTS_SIG_OFFSET,
+ MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype) - SIG_OTS_SIG_OFFSET,
+ NULL );
+ if( ret != 0 )
+ {
+ return( ret );
+ }
+
+ mbedtls_lms_unsigned_int_to_network_bytes( ctx->params.type,
+ MBEDTLS_LMS_TYPE_LEN,
+ sig + SIG_TYPE_OFFSET(ctx->params.otstype) );
+ mbedtls_lms_unsigned_int_to_network_bytes( q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN,
+ sig + SIG_Q_LEAF_ID_OFFSET );
+
+ ret = get_merkle_path( ctx,
+ MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + q_leaf_identifier,
+ sig + SIG_PATH_OFFSET(ctx->params.otstype) );
+ if( ret != 0 )
+ {
+ return( ret );
+ }
+
+ if( sig_len != NULL )
+ {
+ *sig_len = MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype);
+ }
+
+
+ return( 0 );
+}
+
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+#endif /* defined(MBEDTLS_LMS_C) */
diff --git a/library/md.c b/library/md.c
index a387da5..8efcf10 100644
--- a/library/md.c
+++ b/library/md.c
@@ -36,13 +36,7 @@
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include <string.h>
diff --git a/library/md5.c b/library/md5.c
index a9bbcb4..f7a225c 100644
--- a/library/md5.c
+++ b/library/md5.c
@@ -32,14 +32,7 @@
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_MD5_ALT)
diff --git a/library/mps_trace.h b/library/mps_trace.h
index 7c23601..820a1b6 100644
--- a/library/mps_trace.h
+++ b/library/mps_trace.h
@@ -30,13 +30,7 @@
#include "mps_common.h"
#include "mps_trace.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#define mbedtls_vsnprintf vsnprintf
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_MPS_ENABLE_TRACE)
diff --git a/library/net_sockets.c b/library/net_sockets.c
index d1700f3..637b9f8 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -37,11 +37,7 @@
#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in mbedtls_config.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#endif
#include "mbedtls/net_sockets.h"
#include "mbedtls/error.h"
diff --git a/library/nist_kw.c b/library/nist_kw.c
index 1aea0b6..495c23d 100644
--- a/library/nist_kw.c
+++ b/library/nist_kw.c
@@ -39,14 +39,7 @@
#include <stdint.h>
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
#if !defined(MBEDTLS_NIST_KW_ALT)
diff --git a/library/oid.c b/library/oid.c
index dcd1815..aa5f69c 100644
--- a/library/oid.c
+++ b/library/oid.c
@@ -32,11 +32,7 @@
#include <stdio.h>
#include <string.h>
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#define mbedtls_snprintf snprintf
-#endif
/*
* Macro to automatically add the size of #define'd OIDs
diff --git a/library/pem.c b/library/pem.c
index e4101e8..e8abba1 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -33,13 +33,7 @@
#include <string.h>
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 2d4f4f2..5de8fa6 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -55,13 +55,7 @@
#include "hash_info.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include <limits.h>
#include <stdint.h>
diff --git a/library/pkcs5.c b/library/pkcs5.c
index 847496d..ac5945a 100644
--- a/library/pkcs5.c
+++ b/library/pkcs5.c
@@ -42,12 +42,7 @@
#include <string.h>
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif
#include "hash_info.h"
#include "mbedtls/psa_util.h"
diff --git a/library/pkparse.c b/library/pkparse.c
index 2a9a558..b982637 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -48,13 +48,7 @@
#include "mbedtls/pkcs12.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#if defined(MBEDTLS_FS_IO)
/*
diff --git a/library/pkwrite.c b/library/pkwrite.c
index 4d87b07..f699a27 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -51,13 +51,7 @@
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#if defined(MBEDTLS_RSA_C)
/*
diff --git a/library/poly1305.c b/library/poly1305.c
index f0d4cb6..0850f66 100644
--- a/library/poly1305.c
+++ b/library/poly1305.c
@@ -28,14 +28,7 @@
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_POLY1305_ALT)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 38b49cb..2ce5e43 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -52,10 +52,6 @@
#include <stdlib.h>
#include <string.h>
#include "mbedtls/platform.h"
-#if !defined(MBEDTLS_PLATFORM_C)
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "mbedtls/aes.h"
#include "mbedtls/asn1.h"
@@ -3592,6 +3588,7 @@
break;
#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
default:
+ (void) nonce_length;
return( PSA_ERROR_NOT_SUPPORTED );
}
@@ -3708,39 +3705,34 @@
return( status );
}
-static psa_status_t psa_validate_tag_length( psa_aead_operation_t *operation,
- psa_algorithm_t alg ) {
- uint8_t tag_len = 0;
- if( psa_driver_get_tag_len( operation, &tag_len ) != PSA_SUCCESS )
- {
- return( PSA_ERROR_INVALID_ARGUMENT );
- }
+static psa_status_t psa_validate_tag_length( psa_algorithm_t alg ) {
+ const uint8_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH( alg );
switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) )
{
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+#if defined(PSA_WANT_ALG_CCM)
case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ):
/* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.*/
if( tag_len < 4 || tag_len > 16 || tag_len % 2 )
return( PSA_ERROR_INVALID_ARGUMENT );
break;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#endif /* PSA_WANT_ALG_CCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+#if defined(PSA_WANT_ALG_GCM)
case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ):
/* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. */
if( tag_len != 4 && tag_len != 8 && ( tag_len < 12 || tag_len > 16 ) )
return( PSA_ERROR_INVALID_ARGUMENT );
break;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#endif /* PSA_WANT_ALG_GCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ):
/* We only support the default tag length. */
if( tag_len != 16 )
return( PSA_ERROR_INVALID_ARGUMENT );
break;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
default:
(void) tag_len;
@@ -3791,6 +3783,9 @@
.core = slot->attr
};
+ if( ( status = psa_validate_tag_length( alg ) ) != PSA_SUCCESS )
+ goto exit;
+
if( is_encrypt )
status = psa_driver_wrapper_aead_encrypt_setup( operation,
&attributes,
@@ -3806,9 +3801,6 @@
if( status != PSA_SUCCESS )
goto exit;
- if( ( status = psa_validate_tag_length( operation, alg ) ) != PSA_SUCCESS )
- goto exit;
-
operation->key_type = psa_get_key_type( &attributes );
exit:
diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c
index 714d950..48969b3 100644
--- a/library/psa_crypto_aead.c
+++ b/library/psa_crypto_aead.c
@@ -27,10 +27,6 @@
#include <string.h>
#include "mbedtls/platform.h"
-#if !defined(MBEDTLS_PLATFORM_C)
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "mbedtls/ccm.h"
#include "mbedtls/chachapoly.h"
@@ -49,7 +45,6 @@
size_t key_bits;
const mbedtls_cipher_info_t *cipher_info;
mbedtls_cipher_id_t cipher_id;
- size_t full_tag_length = 0;
( void ) key_buffer_size;
@@ -66,7 +61,6 @@
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ):
operation->alg = PSA_ALG_CCM;
- full_tag_length = 16;
/* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
* The call to mbedtls_ccm_encrypt_and_tag or
* mbedtls_ccm_auth_decrypt will validate the tag length. */
@@ -85,7 +79,6 @@
#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ):
operation->alg = PSA_ALG_GCM;
- full_tag_length = 16;
/* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
* The call to mbedtls_gcm_crypt_and_tag or
* mbedtls_gcm_auth_decrypt will validate the tag length. */
@@ -104,7 +97,6 @@
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ):
operation->alg = PSA_ALG_CHACHA20_POLY1305;
- full_tag_length = 16;
/* We only support the default tag length. */
if( alg != PSA_ALG_CHACHA20_POLY1305 )
return( PSA_ERROR_NOT_SUPPORTED );
@@ -124,16 +116,9 @@
return( PSA_ERROR_NOT_SUPPORTED );
}
- if( PSA_AEAD_TAG_LENGTH( attributes->core.type,
- key_bits, alg )
- > full_tag_length )
- return( PSA_ERROR_INVALID_ARGUMENT );
-
operation->key_type = psa_get_key_type( attributes );
- operation->tag_length = PSA_AEAD_TAG_LENGTH( operation->key_type,
- key_bits,
- alg );
+ operation->tag_length = PSA_ALG_AEAD_GET_TAG_LENGTH( alg );
return( PSA_SUCCESS );
}
diff --git a/library/psa_crypto_client.c b/library/psa_crypto_client.c
index 629feb7..ab79086 100644
--- a/library/psa_crypto_client.c
+++ b/library/psa_crypto_client.c
@@ -25,10 +25,6 @@
#include <string.h>
#include "mbedtls/platform.h"
-#if !defined(MBEDTLS_PLATFORM_C)
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
void psa_reset_key_attributes( psa_key_attributes_t *attributes )
{
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
index 12c649d..ee23b6f 100644
--- a/library/psa_crypto_driver_wrappers.h
+++ b/library/psa_crypto_driver_wrappers.h
@@ -226,10 +226,6 @@
const uint8_t *ciphertext, size_t ciphertext_length,
uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length );
-psa_status_t psa_driver_get_tag_len(
- psa_aead_operation_t *operation,
- uint8_t *tag_len );
-
psa_status_t psa_driver_wrapper_aead_encrypt_setup(
psa_aead_operation_t *operation,
const psa_key_attributes_t *attributes,
diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c
index 59c3a0e..29f53b9 100644
--- a/library/psa_crypto_ecp.c
+++ b/library/psa_crypto_ecp.c
@@ -31,10 +31,6 @@
#include <stdlib.h>
#include <string.h>
#include "mbedtls/platform.h"
-#if !defined(MBEDTLS_PLATFORM_C)
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include <mbedtls/ecdsa.h>
#include <mbedtls/ecp.h>
diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c
index 7d4718d..f1b9809 100644
--- a/library/psa_crypto_rsa.c
+++ b/library/psa_crypto_rsa.c
@@ -32,10 +32,6 @@
#include <stdlib.h>
#include <string.h>
#include "mbedtls/platform.h"
-#if !defined(MBEDTLS_PLATFORM_C)
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include <mbedtls/rsa.h>
#include <mbedtls/error.h>
diff --git a/library/psa_crypto_se.c b/library/psa_crypto_se.c
index 56678d6..87d2634 100644
--- a/library/psa_crypto_se.c
+++ b/library/psa_crypto_se.c
@@ -38,10 +38,6 @@
#endif
#include "mbedtls/platform.h"
-#if !defined(MBEDTLS_PLATFORM_C)
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index a18350e..9dceaac 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -34,12 +34,7 @@
#include <stdlib.h>
#include <string.h>
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
index db7786d..3186a36 100644
--- a/library/psa_crypto_storage.c
+++ b/library/psa_crypto_storage.c
@@ -36,13 +36,7 @@
#include "psa/internal_trusted_storage.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
diff --git a/library/psa_its_file.c b/library/psa_its_file.c
index b7c2e6b..a35ac24 100644
--- a/library/psa_its_file.c
+++ b/library/psa_its_file.c
@@ -22,11 +22,7 @@
#if defined(MBEDTLS_PSA_ITS_FILE_C)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#define mbedtls_snprintf snprintf
-#endif
#if defined(_WIN32)
#include <windows.h>
diff --git a/library/ripemd160.c b/library/ripemd160.c
index 41d8387..6212cb2 100644
--- a/library/ripemd160.c
+++ b/library/ripemd160.c
@@ -33,14 +33,7 @@
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_RIPEMD160_ALT)
diff --git a/library/rsa.c b/library/rsa.c
index 4df240a..ae9e68b 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -63,14 +63,7 @@
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PKCS1_V21 */
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#if !defined(MBEDTLS_RSA_ALT)
diff --git a/library/sha1.c b/library/sha1.c
index 56532b1..5ae818a 100644
--- a/library/sha1.c
+++ b/library/sha1.c
@@ -32,14 +32,7 @@
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_SHA1_ALT)
diff --git a/library/sha256.c b/library/sha256.c
index 4819ba3..0e9c1a1 100644
--- a/library/sha256.c
+++ b/library/sha256.c
@@ -32,17 +32,7 @@
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if defined(__aarch64__)
# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
diff --git a/library/sha512.c b/library/sha512.c
index f96580d..aa6f06a 100644
--- a/library/sha512.c
+++ b/library/sha512.c
@@ -38,17 +38,7 @@
#include <string.h>
-#if defined(MBEDTLS_SELF_TEST)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif /* MBEDTLS_PLATFORM_C */
-#endif /* MBEDTLS_SELF_TEST */
#if defined(__aarch64__)
# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
diff --git a/library/ssl_cache.c b/library/ssl_cache.c
index 6505e11..8405d27 100644
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@@ -25,13 +25,7 @@
#if defined(MBEDTLS_SSL_CACHE_C)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "mbedtls/ssl_cache.h"
#include "ssl_misc.h"
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 808aa9e..a83527f 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -23,11 +23,7 @@
#if defined(MBEDTLS_SSL_TLS_C)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#endif
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/ssl.h"
diff --git a/library/ssl_client.c b/library/ssl_client.c
index e7453d5..90ec252 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -24,13 +24,7 @@
#if defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include <string.h>
@@ -719,6 +713,34 @@
{
int ret;
size_t session_id_len;
+ mbedtls_ssl_session *session_negotiate = ssl->session_negotiate;
+
+ if( session_negotiate == NULL )
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_HAVE_TIME)
+
+ /* Check if a tls13 ticket has been configured. */
+ if( ssl->handshake->resume != 0 &&
+ session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ session_negotiate->ticket != NULL )
+ {
+ mbedtls_time_t now = mbedtls_time( NULL );
+ uint64_t age = (uint64_t)( now - session_negotiate->ticket_received );
+ if( session_negotiate->ticket_received > now ||
+ age > session_negotiate->ticket_lifetime )
+ {
+ /* Without valid ticket, disable session resumption.*/
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ( "Ticket expired, disable session resumption" ) );
+ ssl->handshake->resume = 0;
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
+ MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_HAVE_TIME */
if( ssl->conf->f_rng == NULL )
{
@@ -737,7 +759,7 @@
{
if( ssl->handshake->resume )
{
- ssl->tls_version = ssl->session_negotiate->tls_version;
+ ssl->tls_version = session_negotiate->tls_version;
ssl->handshake->min_tls_version = ssl->tls_version;
}
else
@@ -771,7 +793,7 @@
* to zero, except in the case of a TLS 1.2 session renegotiation or
* session resumption.
*/
- session_id_len = ssl->session_negotiate->id_len;
+ session_id_len = session_negotiate->id_len;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 )
@@ -794,8 +816,8 @@
if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
#endif
{
- if( ( ssl->session_negotiate->ticket != NULL ) &&
- ( ssl->session_negotiate->ticket_len != 0 ) )
+ if( ( session_negotiate->ticket != NULL ) &&
+ ( session_negotiate->ticket_len != 0 ) )
{
session_id_len = 32;
}
@@ -827,13 +849,13 @@
}
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
- if( session_id_len != ssl->session_negotiate->id_len )
+ if( session_id_len != session_negotiate->id_len )
{
- ssl->session_negotiate->id_len = session_id_len;
+ session_negotiate->id_len = session_id_len;
if( session_id_len > 0 )
{
ret = ssl->conf->f_rng( ssl->conf->p_rng,
- ssl->session_negotiate->id,
+ session_negotiate->id,
session_id_len );
if( ret != 0 )
{
@@ -843,9 +865,39 @@
}
}
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ ssl->handshake->resume )
+ {
+ int hostname_mismatch = ssl->hostname != NULL ||
+ session_negotiate->hostname != NULL;
+ if( ssl->hostname != NULL && session_negotiate->hostname != NULL )
+ {
+ hostname_mismatch = strcmp(
+ ssl->hostname, session_negotiate->hostname ) != 0;
+ }
+
+ if( hostname_mismatch )
+ {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ( "Hostname mismatch the session ticket, "
+ "disable session resumption." ) );
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+ }
+ else
+ {
+ return mbedtls_ssl_session_set_hostname( session_negotiate,
+ ssl->hostname );
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
+ MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
return( 0 );
}
-
/*
* Write ClientHello handshake message.
* Handler for MBEDTLS_SSL_CLIENT_HELLO
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index b6a8add..190c0f0 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -25,12 +25,7 @@
#if defined(MBEDTLS_SSL_COOKIE_C)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "mbedtls/ssl_cookie.h"
#include "ssl_misc.h"
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index afacb76..828937c 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2494,4 +2494,13 @@
unsigned char *buf, unsigned char *end );
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
+ defined(MBEDTLS_SSL_CLI_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_session_set_hostname( mbedtls_ssl_session *session,
+ const char *hostname );
+#endif
+
#endif /* ssl_misc.h */
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index dbef29b..ab2ecb3 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -26,13 +26,7 @@
#if defined(MBEDTLS_SSL_TLS_C)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
@@ -1124,7 +1118,9 @@
mbedtls_ssl_transform *transform,
mbedtls_record *rec )
{
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) || defined(MBEDTLS_CIPHER_MODE_AEAD)
size_t olen;
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC || MBEDTLS_CIPHER_MODE_AEAD */
mbedtls_ssl_mode_t ssl_mode;
int ret;
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 359686a..e39563b 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -21,13 +21,7 @@
#if defined(MBEDTLS_SSL_TICKET_C)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "ssl_misc.h"
#include "mbedtls/ssl_ticket.h"
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f0615ea..c36729f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -27,15 +27,7 @@
#include <assert.h>
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#include <stdio.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#define mbedtls_printf printf
-#endif /* !MBEDTLS_PLATFORM_C */
#include "mbedtls/ssl.h"
#include "ssl_client.h"
@@ -243,10 +235,13 @@
{
mbedtls_ssl_session_free( dst );
memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
-
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
dst->ticket = NULL;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ dst->hostname = NULL;
#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -295,6 +290,18 @@
memcpy( dst->ticket, src->ticket, src->ticket_len );
}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if( src->endpoint == MBEDTLS_SSL_IS_CLIENT )
+ {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ ret = mbedtls_ssl_session_set_hostname( dst, src->hostname );
+ if( ret != 0 )
+ return ( ret );
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
+ MBEDTLS_SSL_SERVER_NAME_INDICATION */
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
return( 0 );
@@ -1373,6 +1380,23 @@
if( ssl->handshake->resume == 1 )
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if( session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
+ {
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ mbedtls_ssl_ciphersuite_from_id( session->ciphersuite );
+
+ if( mbedtls_ssl_validate_ciphersuite(
+ ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
+ MBEDTLS_SSL_VERSION_TLS1_3 ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not a valid TLS 1.3 ciphersuite.",
+ session->ciphersuite ) );
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
session ) ) != 0 )
return( ret );
@@ -1795,6 +1819,7 @@
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_SSL_SRV_C)
void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
size_t),
@@ -1803,6 +1828,8 @@
conf->f_psk = f_psk;
conf->p_psk = p_psk;
}
+#endif /* MBEDTLS_SSL_SRV_C */
+
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -1914,6 +1941,7 @@
/* Serialization of TLS 1.3 sessions:
*
* struct {
+ * opaque hostname<0..2^16-1>;
* uint64 ticket_received;
* uint32 ticket_lifetime;
* opaque ticket<1..2^16-1>;
@@ -1940,6 +1968,11 @@
size_t *olen )
{
unsigned char *p = buf;
+#if defined(MBEDTLS_SSL_CLI_C) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ size_t hostname_len = ( session->hostname == NULL ) ?
+ 0 : strlen( session->hostname ) + 1;
+#endif
size_t needed = 1 /* endpoint */
+ 2 /* ciphersuite */
+ 4 /* ticket_age_add */
@@ -1958,6 +1991,11 @@
#if defined(MBEDTLS_SSL_CLI_C)
if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ needed += 2 /* hostname_len */
+ + hostname_len; /* hostname */
+#endif
+
needed += 4 /* ticket_lifetime */
+ 2; /* ticket_len */
@@ -1995,6 +2033,17 @@
#if defined(MBEDTLS_SSL_CLI_C)
if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ MBEDTLS_PUT_UINT16_BE( hostname_len, p, 0 );
+ p += 2;
+ if( hostname_len > 0 )
+ {
+ /* save host name */
+ memcpy( p, session->hostname, hostname_len );
+ p += hostname_len;
+ }
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
#if defined(MBEDTLS_HAVE_TIME)
MBEDTLS_PUT_UINT64_BE( (uint64_t) session->ticket_received, p, 0 );
p += 8;
@@ -2055,6 +2104,28 @@
#if defined(MBEDTLS_SSL_CLI_C)
if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS)
+ size_t hostname_len;
+ /* load host name */
+ if( end - p < 2 )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ hostname_len = MBEDTLS_GET_UINT16_BE( p, 0 );
+ p += 2;
+
+ if( end - p < ( long int )hostname_len )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ if( hostname_len > 0 )
+ {
+ session->hostname = mbedtls_calloc( 1, hostname_len );
+ if( session->hostname == NULL )
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+ memcpy( session->hostname, p, hostname_len );
+ p += hostname_len;
+ }
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION &&
+ MBEDTLS_SSL_SESSION_TICKETS */
+
#if defined(MBEDTLS_HAVE_TIME)
if( end - p < 8 )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -3656,6 +3727,10 @@
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ mbedtls_free( session->hostname );
+#endif
mbedtls_free( session->ticket );
#endif
@@ -8778,4 +8853,54 @@
}
#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
+ defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_session_set_hostname( mbedtls_ssl_session *session,
+ const char *hostname )
+{
+ /* Initialize to suppress unnecessary compiler warning */
+ size_t hostname_len = 0;
+
+ /* Check if new hostname is valid before
+ * making any change to current one */
+ if( hostname != NULL )
+ {
+ hostname_len = strlen( hostname );
+
+ if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+
+ /* Now it's clear that we will overwrite the old hostname,
+ * so we can free it safely */
+ if( session->hostname != NULL )
+ {
+ mbedtls_platform_zeroize( session->hostname,
+ strlen( session->hostname ) );
+ mbedtls_free( session->hostname );
+ }
+
+ /* Passing NULL as hostname shall clear the old one */
+ if( hostname == NULL )
+ {
+ session->hostname = NULL;
+ }
+ else
+ {
+ session->hostname = mbedtls_calloc( 1, hostname_len + 1 );
+ if( session->hostname == NULL )
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+ memcpy( session->hostname, hostname, hostname_len );
+ }
+
+ return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
+ MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_SSL_SERVER_NAME_INDICATION &&
+ MBEDTLS_SSL_CLI_C */
+
#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index d1ec55c..7b62e71 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -21,13 +21,7 @@
#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "mbedtls/ssl.h"
#include "ssl_client.h"
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 997f584..66c61a3 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -21,13 +21,7 @@
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 40e3cfd..2b59b4a 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -665,54 +665,194 @@
return ( 0 );
}
-/* Check if we have any PSK to offer, returns 0 if a PSK is available. */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_get_psk_to_offer(
- const mbedtls_ssl_context *ssl,
- int *psk_type,
- const unsigned char **psk, size_t *psk_len,
- const unsigned char **psk_identity, size_t *psk_identity_len )
+static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite )
{
- *psk = NULL;
- *psk_len = 0;
- *psk_identity = NULL;
- *psk_identity_len = 0;
- *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
+
+ if( ciphersuite_info != NULL )
+ return( mbedtls_psa_translate_md( ciphersuite_info->mac ) );
+
+ return( PSA_ALG_NONE );
+}
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- /* Check if a ticket has been configured. */
- if( ssl->session_negotiate != NULL &&
- ssl->session_negotiate->ticket != NULL )
+static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
+{
+ mbedtls_ssl_session *session = ssl->session_negotiate;
+ return( ssl->handshake->resume &&
+ session != NULL && session->ticket != NULL );
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
+ psa_algorithm_t *hash_alg,
+ const unsigned char **identity,
+ size_t *identity_len )
+{
+ mbedtls_ssl_session *session = ssl->session_negotiate;
+
+ if( !ssl_tls13_has_configured_ticket( ssl ) )
+ return( -1 );
+
+ *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
+ *identity = session->ticket;
+ *identity_len = session->ticket_len;
+ return( 0 );
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl,
+ psa_algorithm_t *hash_alg,
+ const unsigned char **psk,
+ size_t *psk_len )
+{
+
+ mbedtls_ssl_session *session = ssl->session_negotiate;
+
+ if( !ssl_tls13_has_configured_ticket( ssl ) )
+ return( -1 );
+
+ *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
+ *psk = session->resumption_key;
+ *psk_len = session->resumption_key_len;
+
+ return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+static int ssl_tls13_has_configured_psk( const mbedtls_ssl_config *conf )
+{
+ return( conf->psk != NULL && conf->psk_identity != NULL );
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_psk_get_identity( mbedtls_ssl_context *ssl,
+ psa_algorithm_t *hash_alg,
+ const unsigned char **identity,
+ size_t *identity_len )
+{
+
+ if( !ssl_tls13_has_configured_psk( ssl->conf ) )
+ return( -1 );
+
+ *hash_alg = PSA_ALG_SHA_256;
+ *identity = ssl->conf->psk_identity;
+ *identity_len = ssl->conf->psk_identity_len;
+ return( 0 );
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_psk_get_psk( mbedtls_ssl_context *ssl,
+ psa_algorithm_t *hash_alg,
+ const unsigned char **psk,
+ size_t *psk_len )
+{
+
+ if( !ssl_tls13_has_configured_psk( ssl->conf ) )
+ return( -1 );
+
+ *hash_alg = PSA_ALG_SHA_256;
+ *psk = ssl->conf->psk;
+ *psk_len = ssl->conf->psk_len;
+ return( 0 );
+}
+
+static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl )
+{
+ int configured_psk_count = 0;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if( ssl_tls13_has_configured_ticket( ssl ) )
{
-#if defined(MBEDTLS_HAVE_TIME)
- mbedtls_time_t now = mbedtls_time( NULL );
- if( ssl->session_negotiate->ticket_received <= now &&
- (uint64_t)( now - ssl->session_negotiate->ticket_received )
- <= ssl->session_negotiate->ticket_lifetime )
- {
- *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
- *psk = ssl->session_negotiate->resumption_key;
- *psk_len = ssl->session_negotiate->resumption_key_len;
- *psk_identity = ssl->session_negotiate->ticket;
- *psk_identity_len = ssl->session_negotiate->ticket_len;
- return( 0 );
- }
-#endif /* MBEDTLS_HAVE_TIME */
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket expired" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket is configured" ) );
+ configured_psk_count++;
}
#endif
-
- /* Check if an external PSK has been configured. */
- if( ssl->conf->psk != NULL )
+ if( ssl_tls13_has_configured_psk( ssl->conf ) )
{
- *psk = ssl->conf->psk;
- *psk_len = ssl->conf->psk_len;
- *psk_identity = ssl->conf->psk_identity;
- *psk_identity_len = ssl->conf->psk_identity_len;
- return( 0 );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK is configured" ) );
+ configured_psk_count++;
}
+ return( configured_psk_count );
+}
- return( MBEDTLS_ERR_ERROR_GENERIC_ERROR );
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_identity( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ const unsigned char *identity,
+ size_t identity_len,
+ uint32_t obfuscated_ticket_age,
+ size_t *out_len )
+{
+ ((void) ssl);
+ *out_len = 0;
+
+ /*
+ * - identity_len (2 bytes)
+ * - identity (psk_identity_len bytes)
+ * - obfuscated_ticket_age (4 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 + identity_len );
+
+ MBEDTLS_PUT_UINT16_BE( identity_len, buf, 0 );
+ memcpy( buf + 2, identity, identity_len );
+ MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, buf, 2 + identity_len );
+
+ MBEDTLS_SSL_DEBUG_BUF( 4, "write identity", buf, 6 + identity_len );
+
+ *out_len = 6 + identity_len;
+
+ return( 0 );
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_binder( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ int psk_type,
+ psa_algorithm_t hash_alg,
+ const unsigned char *psk,
+ size_t psk_len,
+ size_t *out_len )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char binder_len;
+ unsigned char transcript[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
+ size_t transcript_len = 0;
+
+ *out_len = 0;
+
+ binder_len = PSA_HASH_LENGTH( hash_alg );
+
+ /*
+ * - binder_len (1 bytes)
+ * - binder (binder_len bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 + binder_len );
+
+ buf[0] = binder_len;
+
+ /* Get current state of handshake transcript. */
+ ret = mbedtls_ssl_get_handshake_transcript(
+ ssl, mbedtls_hash_info_md_from_psa( hash_alg ),
+ transcript, sizeof( transcript ), &transcript_len );
+ if( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_ssl_tls13_create_psk_binder( ssl, hash_alg,
+ psk, psk_len, psk_type,
+ transcript, buf + 1 );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret );
+ return( ret );
+ }
+ MBEDTLS_SSL_DEBUG_BUF( 4, "write binder", buf, 1 + binder_len );
+
+ *out_len = 1 + binder_len;
+
+ return( 0 );
}
/*
@@ -739,140 +879,104 @@
*
*/
int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
- mbedtls_ssl_context *ssl,
- unsigned char *buf, unsigned char *end,
- size_t *out_len, size_t *binders_len )
+ mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
+ size_t *out_len, size_t *binders_len )
{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int configured_psk_count = 0;
unsigned char *p = buf;
- const unsigned char *psk;
- size_t psk_len;
- const unsigned char *psk_identity;
- size_t psk_identity_len;
- int psk_type;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
- const int *ciphersuites;
- psa_algorithm_t psa_hash_alg;
- int hash_len = 0;
- size_t identities_len, l_binders_len;
- uint32_t obfuscated_ticket_age = 0;
+ psa_algorithm_t hash_alg;
+ const unsigned char *identity;
+ size_t identity_len;
+ size_t l_binders_len = 0;
+ size_t output_len;
*out_len = 0;
*binders_len = 0;
- /* Check if we have any PSKs to offer. If so, return the first.
- *
- * NOTE: Ultimately, we want to be able to offer multiple PSKs,
- * in which case we want to iterate over them here.
- *
- * As it stands, however, we only ever offer one, chosen
- * by the following heuristic:
- * - If a ticket has been configured, offer the corresponding PSK.
- * - If no ticket has been configured by an external PSK has been
- * configured, offer that.
- * - Otherwise, skip the PSK extension.
- */
- if( ssl_tls13_get_psk_to_offer( ssl, &psk_type, &psk, &psk_len,
- &psk_identity, &psk_identity_len ) != 0 )
+ /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
+ configured_psk_count = ssl_tls13_get_configured_psk_count( ssl );
+ if( configured_psk_count == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) );
return( 0 );
}
- if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL )
- {
- /*
- * Ciphersuite list
- */
- ciphersuites = ssl->conf->ciphersuite_list;
- for( int i = 0; ciphersuites[i] != 0; i++ )
- {
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
- ciphersuites[i] );
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "Pre-configured PSK number = %d",
+ configured_psk_count ) );
- if( mbedtls_ssl_validate_ciphersuite(
- ssl, ciphersuite_info,
- MBEDTLS_SSL_VERSION_TLS1_3,
- MBEDTLS_SSL_VERSION_TLS1_3 ) != 0 )
- continue;
-
- /* In this implementation we only add one pre-shared-key
- * extension.
- */
- ssl->session_negotiate->ciphersuite = ciphersuites[i];
- break;
- }
- }
- else
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
- {
-#if defined(MBEDTLS_HAVE_TIME)
- mbedtls_time_t now = mbedtls_time( NULL );
-
- obfuscated_ticket_age =
- ( (uint32_t)( now - ssl->session_negotiate->ticket_received ) * 1000 )
- + ssl->session_negotiate->ticket_age_add;
-#endif
- }
- else
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "write_identities_of_pre_shared_key_ext: "
- "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
-
-
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
- ssl->session_negotiate->ciphersuite );
- /* No suitable ciphersuite for the PSK */
- if( ciphersuite_info == NULL )
- return( 0 );
-
- psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
- hash_len = PSA_HASH_LENGTH( psa_hash_alg );
- if( hash_len == -1 )
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-
- /* Check if we have space to write the extension, binder included.
+ /* Check if we have space to write the extension, binders included.
* - extension_type (2 bytes)
* - extension_data_len (2 bytes)
* - identities_len (2 bytes)
- * - identity_len (2 bytes)
- * - identity (psk_identity_len bytes)
- * - obfuscated_ticket_age (4 bytes)
- * - binders_len (2 bytes)
- * - binder_len (1 byte)
- * - binder (hash_len bytes)
*/
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
+ p += 6;
- identities_len = 6 + psk_identity_len;
- l_binders_len = 1 + hash_len;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if( ssl_tls13_ticket_get_identity(
+ ssl, &hash_alg, &identity, &identity_len ) == 0 )
+ {
+#if defined(MBEDTLS_HAVE_TIME)
+ mbedtls_time_t now = mbedtls_time( NULL );
+ mbedtls_ssl_session *session = ssl->session_negotiate;
+ uint32_t obfuscated_ticket_age =
+ (uint32_t)( now - session->ticket_received );
+
+ obfuscated_ticket_age *= 1000;
+ obfuscated_ticket_age += session->ticket_age_add;
+
+ ret = ssl_tls13_write_identity( ssl, p, end,
+ identity, identity_len,
+ obfuscated_ticket_age,
+ &output_len );
+#else
+ ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len,
+ 0, &output_len );
+#endif /* MBEDTLS_HAVE_TIME */
+ if( ret != 0 )
+ return( ret );
+
+ p += output_len;
+ l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg );
+ }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+ if( ssl_tls13_psk_get_identity(
+ ssl, &hash_alg, &identity, &identity_len ) == 0 )
+ {
+
+ ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len, 0,
+ &output_len );
+ if( ret != 0 )
+ return( ret );
+
+ p += output_len;
+ l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg );
+ }
MBEDTLS_SSL_DEBUG_MSG( 3,
( "client hello, adding pre_shared_key extension, "
"omitting PSK binder list" ) );
- /* Extension header */
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 8 );
- MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 );
- MBEDTLS_PUT_UINT16_BE( 2 + identities_len + 2 + l_binders_len , p, 2 );
+ /* Take into account the two bytes for the length of the binders. */
+ l_binders_len += 2;
+ /* Check if there is enough space for binders */
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, l_binders_len );
- MBEDTLS_PUT_UINT16_BE( identities_len, p, 4 );
- MBEDTLS_PUT_UINT16_BE( psk_identity_len, p, 6 );
- p += 8;
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, psk_identity_len );
- memcpy( p, psk_identity, psk_identity_len );
- p += psk_identity_len;
+ /*
+ * - extension_type (2 bytes)
+ * - extension_data_len (2 bytes)
+ * - identities_len (2 bytes)
+ */
+ MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0 );
+ MBEDTLS_PUT_UINT16_BE( p - buf - 4 + l_binders_len , buf, 2 );
+ MBEDTLS_PUT_UINT16_BE( p - buf - 6 , buf, 4 );
- /* add obfuscated ticket age */
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
- MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, p, 0 );
- p += 4;
+ *out_len = ( p - buf ) + l_binders_len;
+ *binders_len = l_binders_len;
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 + l_binders_len );
- *out_len = ( p - buf ) + l_binders_len + 2;
- *binders_len = l_binders_len + 2;
+ MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key identities", buf, p - buf );
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
@@ -880,67 +984,133 @@
}
int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
- mbedtls_ssl_context *ssl,
- unsigned char *buf, unsigned char *end )
+ mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *p = buf;
- const unsigned char *psk_identity;
- size_t psk_identity_len;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
- psa_algorithm_t psa_hash_alg;
- int hash_len = 0;
- const unsigned char *psk = NULL;
- size_t psk_len = 0;
- int psk_type;
- unsigned char transcript[MBEDTLS_MD_MAX_SIZE];
- size_t transcript_len;
+ psa_algorithm_t hash_alg = PSA_ALG_NONE;
+ const unsigned char *psk;
+ size_t psk_len;
+ size_t output_len;
- if( ssl_tls13_get_psk_to_offer( ssl, &psk_type, &psk, &psk_len,
- &psk_identity, &psk_identity_len ) != 0 )
- {
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
-
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
- ssl->session_negotiate->ciphersuite );
- if( ciphersuite_info == NULL )
- return( 0 );
-
- psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
- hash_len = PSA_HASH_LENGTH( psa_hash_alg );
- if( ( hash_len == -1 ) || ( ( end - buf ) != 3 + hash_len ) )
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list" ) );
-
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 + hash_len );
- /* 2 bytes length field for array of psk binders */
- MBEDTLS_PUT_UINT16_BE( hash_len + 1, p, 0 );
+ /* Check if we have space to write binders_len.
+ * - binders_len (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
p += 2;
- /* 1 bytes length field for next psk binder */
- *p++ = MBEDTLS_BYTE_0( hash_len );
-
- /* Get current state of handshake transcript. */
- ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
- transcript, sizeof( transcript ),
- &transcript_len );
- if( ret != 0 )
- return( ret );
-
- ret = mbedtls_ssl_tls13_create_psk_binder( ssl,
- mbedtls_psa_translate_md( ciphersuite_info->mac ),
- psk, psk_len, psk_type,
- transcript, p );
- if( ret != 0 )
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if( ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
{
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret );
- return( ret );
+
+ ret = ssl_tls13_write_binder( ssl, p, end,
+ MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
+ hash_alg, psk, psk_len,
+ &output_len );
+ if( ret != 0 )
+ return( ret );
+ p += output_len;
}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+ if( ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
+ {
+
+ ret = ssl_tls13_write_binder( ssl, p, end,
+ MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
+ hash_alg, psk, psk_len,
+ &output_len );
+ if( ret != 0 )
+ return( ret );
+ p += output_len;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list." ) );
+
+ /*
+ * - binders_len (2 bytes)
+ */
+ MBEDTLS_PUT_UINT16_BE( p - buf - 2, buf, 0 );
+
+ MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key binders", buf, p - buf );
return( 0 );
}
+
+/*
+ * struct {
+ * opaque identity<1..2^16-1>;
+ * uint32 obfuscated_ticket_age;
+ * } PskIdentity;
+ *
+ * opaque PskBinderEntry<32..255>;
+ *
+ * struct {
+ *
+ * select (Handshake.msg_type) {
+ * ...
+ * case server_hello: uint16 selected_identity;
+ * };
+ *
+ * } PreSharedKeyExtension;
+ *
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int selected_identity;
+ const unsigned char *psk;
+ size_t psk_len;
+ psa_algorithm_t hash_alg;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
+ selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 );
+
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_identity = %d", selected_identity ) );
+
+ if( selected_identity >= ssl_tls13_get_configured_psk_count( ssl ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid PSK identity." ) );
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ }
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if( selected_identity == 0 && ssl_tls13_has_configured_ticket( ssl ) )
+ {
+ ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len );
+ }
+ else
+#endif
+ if( ssl_tls13_has_configured_psk( ssl->conf ) )
+ {
+ ret = ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len );
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+ if( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret );
+ return( ret );
+ }
+
+ ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
+
+ return( 0 );
+}
+
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
@@ -1299,92 +1469,6 @@
return( 0 );
}
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
-/*
- * struct {
- * opaque identity<1..2^16-1>;
- * uint32 obfuscated_ticket_age;
- * } PskIdentity;
- *
- * opaque PskBinderEntry<32..255>;
- *
- * struct {
- *
- * select (Handshake.msg_type) {
- * ...
- * case server_hello: uint16 selected_identity;
- * };
- *
- * } PreSharedKeyExtension;
- *
- */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end )
-{
- int ret = 0;
- size_t selected_identity;
-
- int psk_type;
- const unsigned char *psk;
- size_t psk_len;
- const unsigned char *psk_identity;
- size_t psk_identity_len;
-
- /* Check which PSK we've offered.
- *
- * NOTE: Ultimately, we want to offer multiple PSKs, and in this
- * case, we need to iterate over them here.
- */
- if( ssl_tls13_get_psk_to_offer( ssl, &psk_type, &psk, &psk_len,
- &psk_identity, &psk_identity_len ) != 0 )
- {
- /* If we haven't offered a PSK, the server must not send
- * a PSK identity extension. */
- return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
- }
-
- MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 2 );
- selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 );
-
- /* We have offered only one PSK, so the only valid choice
- * for the server is PSK index 0.
- *
- * This will change once we support multiple PSKs. */
- if( selected_identity > 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server's chosen PSK identity out of range" ) );
-
- if( ( ret = mbedtls_ssl_send_alert_message( ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ) ) != 0 )
- {
- return( ret );
- }
-
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
- }
-
- /* Set the chosen PSK
- *
- * TODO: We don't have to do this in case we offered 0-RTT and the
- * server accepted it, because in this case we've already
- * set the handshake PSK. */
- ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len );
- if( ret != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret );
- return( ret );
- }
-
- ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
- return( 0 );
-}
-
-#endif
-
/* Parse ServerHello message and configure context
*
* struct {
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 6591ecb..3e54f38 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -34,13 +34,7 @@
#include "mbedtls/ecp.h"
#endif /* MBEDTLS_ECP_C */
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif /* MBEDTLS_PLATFORM_C */
#include "ssl_misc.h"
#include "ssl_tls13_keys.h"
@@ -186,9 +180,9 @@
if( now < session->start )
{
MBEDTLS_SSL_DEBUG_MSG(
- 3, ( "Ticket expired: now=%" MBEDTLS_PRINTF_LONGLONG
- ", start=%" MBEDTLS_PRINTF_LONGLONG,
- (long long)now, (long long)session->start ) );
+ 3, ( "Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG
+ ", start=%" MBEDTLS_PRINTF_LONGLONG " )",
+ (long long)now, (long long)session->start ) );
goto exit;
}
@@ -208,7 +202,7 @@
if( age_in_s > 604800 )
{
MBEDTLS_SSL_DEBUG_MSG(
- 3, ( "Ticket expired: Ticket age exceed limitation ticket_age=%lu",
+ 3, ( "Ticket age exceeds limitation ticket_age=%lu",
(long unsigned int)age_in_s ) );
goto exit;
}
@@ -231,8 +225,8 @@
age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE )
{
MBEDTLS_SSL_DEBUG_MSG(
- 3, ( "Ticket expired: Ticket age outside tolerance window "
- "( diff=%d )", (int)age_diff_in_ms ) );
+ 3, ( "Ticket age outside tolerance window ( diff=%d )",
+ (int)age_diff_in_ms ) );
goto exit;
}
@@ -2848,7 +2842,8 @@
* MAY treat a ticket as valid for a shorter period of time than what
* is stated in the ticket_lifetime.
*/
- ticket_lifetime %= 604800;
+ if( ticket_lifetime > 604800 )
+ ticket_lifetime = 604800;
MBEDTLS_PUT_UINT32_BE( ticket_lifetime, p, 0 );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_lifetime: %u",
( unsigned int )ticket_lifetime ) );
diff --git a/library/x509.c b/library/x509.c
index f1d988a..ca2e907 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -43,16 +43,7 @@
#include "mbedtls/pem.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_free free
-#define mbedtls_calloc calloc
-#define mbedtls_printf printf
-#define mbedtls_snprintf snprintf
-#endif
#if defined(MBEDTLS_HAVE_TIME)
#include "mbedtls/platform_time.h"
diff --git a/library/x509_crl.c b/library/x509_crl.c
index 0cd996d..2a3fac7 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -42,15 +42,7 @@
#include "mbedtls/pem.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#include <stdio.h>
-#define mbedtls_free free
-#define mbedtls_calloc calloc
-#define mbedtls_snprintf snprintf
-#endif
#if defined(MBEDTLS_HAVE_TIME)
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index af1e487..c4f97bb 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -50,15 +50,7 @@
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include "hash_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_free free
-#define mbedtls_calloc calloc
-#define mbedtls_snprintf snprintf
-#endif
#if defined(MBEDTLS_THREADING_C)
#include "mbedtls/threading.h"
diff --git a/library/x509_csr.c b/library/x509_csr.c
index 25069b2..dee0ea6 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -42,15 +42,7 @@
#include "mbedtls/pem.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#include <stdio.h>
-#define mbedtls_free free
-#define mbedtls_calloc calloc
-#define mbedtls_snprintf snprintf
-#endif
#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
#include <stdio.h>
diff --git a/library/x509write_csr.c b/library/x509write_csr.c
index c4dd1b7..976f6e6 100644
--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c
@@ -45,13 +45,7 @@
#include "mbedtls/pem.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
{
diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c
index 136e25b..476c20e 100644
--- a/programs/aes/crypt_and_hash.c
+++ b/programs/aes/crypt_and_hash.c
@@ -25,17 +25,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_MD_C) && \
defined(MBEDTLS_FS_IO)
diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c
index 3d11d47..95f43b8 100644
--- a/programs/fuzz/fuzz_server.c
+++ b/programs/fuzz/fuzz_server.c
@@ -42,7 +42,7 @@
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
mbedtls_ssl_ticket_context ticket_ctx;
#endif
unsigned char buf[4096];
@@ -89,7 +89,7 @@
}
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
mbedtls_ssl_ticket_init( &ticket_ctx );
#endif
@@ -114,7 +114,7 @@
mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list );
}
#endif
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
if( options & 0x4 )
{
if( mbedtls_ssl_ticket_setup( &ticket_ctx,
@@ -173,7 +173,7 @@
}
exit:
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
mbedtls_ssl_ticket_free( &ticket_ctx );
#endif
mbedtls_entropy_free( &entropy );
diff --git a/programs/hash/generic_sum.c b/programs/hash/generic_sum.c
index f38a976..6f49e79 100644
--- a/programs/hash/generic_sum.c
+++ b/programs/hash/generic_sum.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_MD_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/md.h"
diff --git a/programs/hash/hello.c b/programs/hash/hello.c
index cb8de8b..3ef0652 100644
--- a/programs/hash/hello.c
+++ b/programs/hash/hello.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#include <stdio.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#if defined(MBEDTLS_MD5_C)
#include "mbedtls/md5.h"
diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
index 45de57b..3619cb2 100644
--- a/programs/pkey/dh_client.c
+++ b/programs/pkey/dh_client.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_time_t time_t
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
diff --git a/programs/pkey/dh_genprime.c b/programs/pkey/dh_genprime.c
index 9ada4ea..2e696e5 100644
--- a/programs/pkey/dh_genprime.c
+++ b/programs/pkey/dh_genprime.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_time_t time_t
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index 2956308..e6f53ed 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_time_t time_t
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
diff --git a/programs/pkey/ecdh_curve25519.c b/programs/pkey/ecdh_curve25519.c
index 281a26b..5dd6bdd 100644
--- a/programs/pkey/ecdh_curve25519.c
+++ b/programs/pkey/ecdh_curve25519.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_ECDH_C) || \
!defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c
index c1c5070..1035bb2 100644
--- a/programs/pkey/ecdsa.c
+++ b/programs/pkey/ecdsa.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_ECDSA_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c
index 8779519..9e5329f 100644
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_FS_IO) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c
index bd16b24..02a19e9 100644
--- a/programs/pkey/key_app.c
+++ b/programs/pkey/key_app.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && \
defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_FS_IO) && \
diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c
index df1e502..589bee9 100644
--- a/programs/pkey/key_app_writer.c
+++ b/programs/pkey/key_app_writer.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C) && \
defined(MBEDTLS_FS_IO) && \
diff --git a/programs/pkey/mpi_demo.c b/programs/pkey/mpi_demo.c
index eed8dfc..4c34b99 100644
--- a/programs/pkey/mpi_demo.c
+++ b/programs/pkey/mpi_demo.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/bignum.h"
diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c
index b09b6b8..0d8388f 100644
--- a/programs/pkey/pk_decrypt.c
+++ b/programs/pkey/pk_decrypt.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_PK_PARSE_C) && \
defined(MBEDTLS_FS_IO) && defined(MBEDTLS_ENTROPY_C) && \
diff --git a/programs/pkey/pk_encrypt.c b/programs/pkey/pk_encrypt.c
index 3df11f7..5d45738 100644
--- a/programs/pkey/pk_encrypt.c
+++ b/programs/pkey/pk_encrypt.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_PK_PARSE_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_FS_IO) && \
diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c
index 7b5d8e1..301edb8 100644
--- a/programs/pkey/pk_sign.c
+++ b/programs/pkey/pk_sign.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_snprintf snprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \
diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c
index e82653b..6b96452 100644
--- a/programs/pkey/pk_verify.c
+++ b/programs/pkey/pk_verify.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_snprintf snprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_PK_PARSE_C) || \
diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c
index c01a5cf..783f3ca 100644
--- a/programs/pkey/rsa_decrypt.c
+++ b/programs/pkey/rsa_decrypt.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_RSA_C) && \
defined(MBEDTLS_FS_IO) && defined(MBEDTLS_ENTROPY_C) && \
diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c
index 25a42d3..777b22e 100644
--- a/programs/pkey/rsa_encrypt.c
+++ b/programs/pkey/rsa_encrypt.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_RSA_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_FS_IO) && \
diff --git a/programs/pkey/rsa_genkey.c b/programs/pkey/rsa_genkey.c
index 67711bd..7acda81 100644
--- a/programs/pkey/rsa_genkey.c
+++ b/programs/pkey/rsa_genkey.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) && \
diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c
index 1df9b13..f4deab0 100644
--- a/programs/pkey/rsa_sign.c
+++ b/programs/pkey/rsa_sign.c
@@ -19,18 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_snprintf snprintf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \
diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c
index 8078ab6..0cbde02 100644
--- a/programs/pkey/rsa_sign_pss.c
+++ b/programs/pkey/rsa_sign_pss.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_snprintf snprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index a8b1abb..a3fa6d7 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_snprintf snprintf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \
diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c
index 3a20778..7dcccda 100644
--- a/programs/pkey/rsa_verify_pss.c
+++ b/programs/pkey/rsa_verify_pss.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_snprintf snprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
diff --git a/programs/random/gen_entropy.c b/programs/random/gen_entropy.c
index 4deb924..f0ffea2 100644
--- a/programs/random/gen_entropy.c
+++ b/programs/random/gen_entropy.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/entropy.h"
diff --git a/programs/random/gen_random_ctr_drbg.c b/programs/random/gen_random_ctr_drbg.c
index 0a9e2dd..2a3dd54 100644
--- a/programs/random/gen_random_ctr_drbg.c
+++ b/programs/random/gen_random_ctr_drbg.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_CTR_DRBG_C) && defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_FS_IO)
diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c
index e06d535..23a34e0 100644
--- a/programs/ssl/dtls_client.c
+++ b/programs/ssl/dtls_client.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_fprintf fprintf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#if !defined(MBEDTLS_SSL_CLI_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_TIMING_C) || \
diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c
index 9317449..10d82ba 100644
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@@ -19,18 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_fprintf fprintf
-#define mbedtls_time_t time_t
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
/* Uncomment out the following line to default to IPv4 and disable IPv6 */
//#define FORCE_IPV4
diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c
index 8f2fed8..efcf650 100644
--- a/programs/ssl/mini_client.c
+++ b/programs/ssl/mini_client.c
@@ -20,16 +20,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
/*
* We're creating and connecting the socket "manually" rather than using the
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index a80ff71..5025698 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -19,19 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 6377162..be474d4 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -405,6 +405,7 @@
" exchanges=%%d default: 1\n" \
" reconnect=%%d number of reconnections using session resumption\n" \
" default: 0 (disabled)\n" \
+ " reco_server_name=%%s default: localhost\n" \
" reco_delay=%%d default: 0 seconds\n" \
" reco_mode=%%d 0: copy session, 1: serialize session\n" \
" default: 1\n" \
@@ -498,6 +499,7 @@
int recsplit; /* enable record splitting? */
int dhmlen; /* minimum DHM params len in bits */
int reconnect; /* attempt to resume session */
+ const char *reco_server_name; /* hostname of the server (re-connect) */
int reco_delay; /* delay in seconds before resuming session */
int reco_mode; /* how to keep the session around */
int reconnect_hard; /* unexpectedly reconnect from the same port */
@@ -923,6 +925,7 @@
opt.recsplit = DFL_RECSPLIT;
opt.dhmlen = DFL_DHMLEN;
opt.reconnect = DFL_RECONNECT;
+ opt.reco_server_name = DFL_SERVER_NAME;
opt.reco_delay = DFL_RECO_DELAY;
opt.reco_mode = DFL_RECO_MODE;
opt.reconnect_hard = DFL_RECONNECT_HARD;
@@ -1119,6 +1122,8 @@
if( opt.reconnect < 0 || opt.reconnect > 2 )
goto usage;
}
+ else if( strcmp( p, "rec_server_name" ) == 0 )
+ opt.reco_server_name = q;
else if( strcmp( p, "reco_delay" ) == 0 )
{
opt.reco_delay = atoi( q );
@@ -3113,6 +3118,16 @@
goto exit;
}
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ if( ( ret = mbedtls_ssl_set_hostname( &ssl,
+ opt.reco_server_name ) ) != 0 )
+ {
+ mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n",
+ ret );
+ goto exit;
+ }
+#endif
+
if( ( ret = mbedtls_net_connect( &server_fd,
opt.server_addr, opt.server_port,
opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 07b3e6f..49de984 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -19,18 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_time_t time_t
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) || \
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 664a384..9fb6507 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -26,19 +26,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c
index ac14789..b3ec7d6 100644
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@@ -20,18 +20,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_snprintf snprintf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) || \
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 3b66372..c9d9df2 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -19,19 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_PEM_PARSE_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_SSL_TLS_C) || \
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 7526bc6..4f789d5 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -49,7 +49,7 @@
#include "mbedtls/ssl_cache.h"
#endif
-#if defined(MBEDTLS_SSL_TICKET_C)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
#include "mbedtls/ssl_ticket.h"
#endif
@@ -120,6 +120,7 @@
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1
#define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
+#define DFL_DUMMY_TICKET 0
#define DFL_TICKET_ROTATE 0
#define DFL_TICKET_TIMEOUT 86400
#define DFL_TICKET_AEAD MBEDTLS_CIPHER_AES_256_GCM
@@ -283,7 +284,7 @@
#else
#define USAGE_CA_CALLBACK ""
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
#define USAGE_TICKETS \
" tickets=%%d default: 1 (enabled)\n" \
" ticket_rotate=%%d default: 0 (disabled)\n" \
@@ -291,7 +292,7 @@
" ticket_aead=%%s default: \"AES-256-GCM\"\n"
#else
#define USAGE_TICKETS ""
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */
#define USAGE_EAP_TLS \
" eap_tls=%%d default: 0 (disabled)\n"
@@ -638,6 +639,7 @@
unsigned char mfl_code; /* code for maximum fragment length */
int trunc_hmac; /* accept truncated hmac? */
int tickets; /* enable / disable session tickets */
+ int dummy_ticket; /* enable / disable dummy ticket generator */
int ticket_rotate; /* session ticket rotate (code coverage) */
int ticket_timeout; /* session ticket lifetime */
int ticket_aead; /* session ticket protection */
@@ -1351,6 +1353,75 @@
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_HAVE_TIME)
+/* Functions for session ticket tests */
+int dummy_ticket_write( void *p_ticket, const mbedtls_ssl_session *session,
+ unsigned char *start, const unsigned char *end,
+ size_t *tlen, uint32_t *ticket_lifetime )
+{
+ int ret;
+ unsigned char *p = start;
+ size_t clear_len;
+ ((void) p_ticket);
+
+ if( end - p < 4 )
+ {
+ return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+ }
+ *((uint32_t *)p) = 7 * 24 * 3600;
+ *ticket_lifetime = 7 * 24 * 3600;
+ p += 4;
+
+ /* Dump session state */
+ if( ( ret = mbedtls_ssl_session_save( session, p, end - p,
+ &clear_len ) ) != 0 )
+ {
+ return( ret );
+ }
+
+ *tlen = 4 + clear_len;
+
+ return( 0 );
+}
+
+int dummy_ticket_parse( void *p_ticket, mbedtls_ssl_session *session,
+ unsigned char *buf, size_t len )
+{
+ int ret;
+ ((void) p_ticket);
+
+ if( ( ret = mbedtls_ssl_session_load( session, buf + 4, len - 4 ) ) != 0 )
+ return( ret );
+
+ switch( opt.dummy_ticket % 7 )
+ {
+ case 1:
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );
+ case 2:
+ return( MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED );
+ case 3:
+ session->start = mbedtls_time( NULL ) + 10;
+ break;
+ case 4:
+ session->start = mbedtls_time( NULL ) - 10 - 7 * 24 * 3600;
+ break;
+ case 5:
+ session->start = mbedtls_time( NULL ) - 10;
+ break;
+ case 6:
+ session->start = mbedtls_time( NULL );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ session->ticket_age_add -= 1000;
+#endif
+ break;
+ default:
+ break;
+ }
+
+ return( ret );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_HAVE_TIME */
+
int main( int argc, char *argv[] )
{
int ret = 0, len, written, frags, exchanges_left;
@@ -1406,9 +1477,9 @@
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context cache;
#endif
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
mbedtls_ssl_ticket_context ticket_ctx;
-#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */
#if defined(SNI_OPTION)
sni_entry *sni_info = NULL;
#endif
@@ -1497,7 +1568,7 @@
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_init( &cache );
#endif
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
mbedtls_ssl_ticket_init( &ticket_ctx );
#endif
#if defined(MBEDTLS_SSL_ALPN)
@@ -1607,6 +1678,7 @@
opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC;
opt.tickets = DFL_TICKETS;
+ opt.dummy_ticket = DFL_DUMMY_TICKET;
opt.ticket_rotate = DFL_TICKET_ROTATE;
opt.ticket_timeout = DFL_TICKET_TIMEOUT;
opt.ticket_aead = DFL_TICKET_AEAD;
@@ -2002,6 +2074,12 @@
if( opt.tickets < 0 )
goto usage;
}
+ else if( strcmp( p, "dummy_ticket" ) == 0 )
+ {
+ opt.dummy_ticket = atoi( q );
+ if( opt.dummy_ticket < 0 )
+ goto usage;
+ }
else if( strcmp( p, "ticket_rotate" ) == 0 )
{
opt.ticket_rotate = atoi( q );
@@ -2916,22 +2994,37 @@
mbedtls_ssl_cache_set );
#endif
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
if( opt.tickets != MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
{
- if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx,
- rng_get, &rng,
- opt.ticket_aead,
- opt.ticket_timeout ) ) != 0 )
+#if defined(MBEDTLS_HAVE_TIME)
+ if( opt.dummy_ticket )
{
- mbedtls_printf( " failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n", ret );
- goto exit;
+ mbedtls_ssl_conf_session_tickets_cb( &conf,
+ dummy_ticket_write,
+ dummy_ticket_parse,
+ NULL );
+ }
+ else
+#endif /* MBEDTLS_HAVE_TIME */
+ {
+ if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx,
+ rng_get, &rng,
+ opt.ticket_aead,
+ opt.ticket_timeout ) ) != 0 )
+ {
+ mbedtls_printf(
+ " failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n",
+ ret );
+ goto exit;
+ }
+
+ mbedtls_ssl_conf_session_tickets_cb( &conf,
+ mbedtls_ssl_ticket_write,
+ mbedtls_ssl_ticket_parse,
+ &ticket_ctx );
}
- mbedtls_ssl_conf_session_tickets_cb( &conf,
- mbedtls_ssl_ticket_write,
- mbedtls_ssl_ticket_parse,
- &ticket_ctx );
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_new_session_tickets( &conf, opt.tickets );
#endif
@@ -4212,7 +4305,7 @@
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free( &cache );
#endif
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
mbedtls_ssl_ticket_free( &ticket_ctx );
#endif
#if defined(MBEDTLS_SSL_COOKIE_C)
diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h
index c368f57..659b3ab 100644
--- a/programs/ssl/ssl_test_lib.h
+++ b/programs/ssl/ssl_test_lib.h
@@ -22,23 +22,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define mbedtls_printf printf
-#define mbedtls_fprintf fprintf
-#define mbedtls_snprintf snprintf
-#define mbedtls_setbuf setbuf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#undef HAVE_RNG
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index a6d83e7..920a473 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -22,13 +22,6 @@
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
-#if !defined(MBEDTLS_PLATFORM_C)
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_exit exit
-#define mbedtls_printf printf
-#define mbedtls_free free
-#endif
#if !defined(MBEDTLS_HAVE_TIME)
int main( void )
diff --git a/programs/test/cmake_package/cmake_package.c b/programs/test/cmake_package/cmake_package.c
index 1ae627d..4105d2b 100644
--- a/programs/test/cmake_package/cmake_package.c
+++ b/programs/test/cmake_package/cmake_package.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#include "mbedtls/version.h"
diff --git a/programs/test/cmake_package_install/cmake_package_install.c b/programs/test/cmake_package_install/cmake_package_install.c
index 9d5d3e4..48fb559 100644
--- a/programs/test/cmake_package_install/cmake_package_install.c
+++ b/programs/test/cmake_package_install/cmake_package_install.c
@@ -20,17 +20,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#include "mbedtls/version.h"
diff --git a/programs/test/cmake_subproject/cmake_subproject.c b/programs/test/cmake_subproject/cmake_subproject.c
index ff6ebf0..b1d005c 100644
--- a/programs/test/cmake_subproject/cmake_subproject.c
+++ b/programs/test/cmake_subproject/cmake_subproject.c
@@ -20,17 +20,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#include "mbedtls/version.h"
diff --git a/programs/test/dlopen.c b/programs/test/dlopen.c
index c083604..ff61fcd 100644
--- a/programs/test/dlopen.c
+++ b/programs/test/dlopen.c
@@ -19,17 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#include "mbedtls/x509_crt.h"
diff --git a/programs/test/query_compile_time_config.c b/programs/test/query_compile_time_config.c
index 5aa0233..f37973c 100644
--- a/programs/test/query_compile_time_config.c
+++ b/programs/test/query_compile_time_config.c
@@ -19,14 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#define USAGE \
"usage: %s [ -all | -any | -l ] <MBEDTLS_CONFIG> ...\n\n" \
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index ab337a2..2d6103c 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@@ -54,19 +54,7 @@
#include <limits.h>
#include <string.h>
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#define mbedtls_printf printf
-#define mbedtls_snprintf snprintf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#include "mbedtls/memory_buffer_alloc.h"
diff --git a/programs/test/zeroize.c b/programs/test/zeroize.c
index d6e5561..979b551 100644
--- a/programs/test/zeroize.c
+++ b/programs/test/zeroize.c
@@ -29,15 +29,7 @@
#include <stdio.h>
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#include "mbedtls/platform_util.h"
diff --git a/programs/util/pem2der.c b/programs/util/pem2der.c
index cf6a56c..7138fa8 100644
--- a/programs/util/pem2der.c
+++ b/programs/util/pem2der.c
@@ -19,18 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_free free
-#define mbedtls_calloc calloc
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BASE64_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/error.h"
diff --git a/programs/util/strerror.c b/programs/util/strerror.c
index f91da13..66052fd 100644
--- a/programs/util/strerror.c
+++ b/programs/util/strerror.c
@@ -19,14 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#endif
#if defined(MBEDTLS_ERROR_C) || defined(MBEDTLS_ERROR_STRERROR_DUMMY)
#include "mbedtls/error.h"
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index 985b970..00d563f 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -19,19 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index 7460bbf..30b389a 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_X509_CSR_WRITE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_SHA256_C) || \
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 793982d..c93ff1e 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_X509_CRT_WRITE_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
diff --git a/programs/x509/crl_app.c b/programs/x509/crl_app.c
index aa353be..28cb99e 100644
--- a/programs/x509/crl_app.c
+++ b/programs/x509/crl_app.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_X509_CRL_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
diff --git a/programs/x509/load_roots.c b/programs/x509/load_roots.c
index e07bed7..b8b0ecd 100644
--- a/programs/x509/load_roots.c
+++ b/programs/x509/load_roots.c
@@ -46,19 +46,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_TIMING_C)
diff --git a/programs/x509/req_app.c b/programs/x509/req_app.c
index 24324ff..dda14e1 100644
--- a/programs/x509/req_app.c
+++ b/programs/x509/req_app.c
@@ -19,16 +19,7 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_X509_CSR_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
diff --git a/scripts/config.py b/scripts/config.py
index f045f98..470c63d 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -7,6 +7,11 @@
if 'MBEDTLS_RSA_C' in config: print('RSA is enabled')
"""
+# Note that as long as Mbed TLS 2.28 LTS is maintained, the version of
+# this script in the mbedtls-2.28 branch must remain compatible with
+# Python 3.4. The version in development may only use more recent features
+# in parts that are not backported to 2.28.
+
## Copyright The Mbed TLS Contributors
## SPDX-License-Identifier: Apache-2.0
##
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
index a5ae6a2..8ef2e6d 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
@@ -1616,22 +1616,6 @@
}
}
-psa_status_t psa_driver_get_tag_len( psa_aead_operation_t *operation,
- uint8_t *tag_len )
-{
- if( operation == NULL || tag_len == NULL )
- return( PSA_ERROR_INVALID_ARGUMENT );
-
-#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-#if defined(PSA_CRYPTO_DRIVER_TEST)
- *tag_len = operation->ctx.transparent_test_driver_ctx.tag_length;
- return ( PSA_SUCCESS );
-#endif
-#endif
- *tag_len = operation->ctx.mbedtls_ctx.tag_length;
- return ( PSA_SUCCESS );
-}
-
psa_status_t psa_driver_wrapper_aead_encrypt_setup(
psa_aead_operation_t *operation,
const psa_key_attributes_t *attributes,
diff --git a/scripts/data_files/error.fmt b/scripts/data_files/error.fmt
index c42d2ff..fc210b9 100644
--- a/scripts/data_files/error.fmt
+++ b/scripts/data_files/error.fmt
@@ -25,11 +25,7 @@
#if defined(MBEDTLS_ERROR_C)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#define mbedtls_snprintf snprintf
-#endif
#include <stdio.h>
#include <string.h>
diff --git a/scripts/data_files/query_config.fmt b/scripts/data_files/query_config.fmt
index 59eb168..b5d3eec 100644
--- a/scripts/data_files/query_config.fmt
+++ b/scripts/data_files/query_config.fmt
@@ -21,12 +21,7 @@
#include "query_config.h"
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_C */
/*
* Include all the headers with public APIs in case they define a macro to its
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index 0a03f02..41b0337 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -47,7 +47,7 @@
my @low_level_modules = qw( AES ARIA ASN1 BASE64 BIGNUM
CAMELLIA CCM CHACHA20 CHACHAPOLY CMAC CTR_DRBG DES
- ENTROPY ERROR GCM HKDF HMAC_DRBG MD5
+ ENTROPY ERROR GCM HKDF HMAC_DRBG LMS MD5
NET OID PADLOCK PBKDF2 PLATFORM POLY1305 RIPEMD160
SHA1 SHA256 SHA512 THREADING );
my @high_level_modules = qw( CIPHER DHM ECP MD
diff --git a/scripts/mbedtls_dev/test_case.py b/scripts/mbedtls_dev/test_case.py
index 6a46e42..d0afa59 100644
--- a/scripts/mbedtls_dev/test_case.py
+++ b/scripts/mbedtls_dev/test_case.py
@@ -92,9 +92,11 @@
"""
if caller is None:
caller = os.path.basename(sys.argv[0])
- with open(filename, 'w') as out:
+ tempfile = filename + '.new'
+ with open(tempfile, 'w') as out:
out.write('# Automatically generated by {}. Do not edit!\n'
.format(caller))
for tc in test_cases:
tc.write(out)
out.write('\n# End of automatically generated file.\n')
+ os.replace(tempfile, filename)
diff --git a/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux b/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux
new file mode 100644
index 0000000..967f8f5
--- /dev/null
+++ b/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux
Binary files differ
diff --git a/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv b/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv
new file mode 100644
index 0000000..ab1b23f
--- /dev/null
+++ b/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv
Binary files differ
diff --git a/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub b/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub
new file mode 100644
index 0000000..5397d60
--- /dev/null
+++ b/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub
Binary files differ
diff --git a/tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv b/tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
new file mode 100644
index 0000000..db85e01
--- /dev/null
+++ b/tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
Binary files differ
diff --git a/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv b/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
new file mode 100644
index 0000000..6e827ce
--- /dev/null
+++ b/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
Binary files differ
diff --git a/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub b/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub
new file mode 100644
index 0000000..652c089
--- /dev/null
+++ b/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub
Binary files differ
diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h
index 8052a85..0bbca4a 100644
--- a/tests/include/test/drivers/crypto_config_test_driver_extension.h
+++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h
@@ -142,6 +142,14 @@
#endif
#endif
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305)
+#undef MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305
+#else
+#define MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305 1
+#endif
+#endif
+
#if defined(PSA_WANT_KEY_TYPE_AES)
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_AES
@@ -182,9 +190,16 @@
#endif
#endif
+#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20)
+#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20
+#else
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 1
+#endif
+#endif
+
#define MBEDTLS_PSA_ACCEL_ALG_CBC_MAC 1
#define MBEDTLS_PSA_ACCEL_ALG_CCM 1
-#define MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305 1
#define MBEDTLS_PSA_ACCEL_ALG_CMAC 1
#define MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING 1
#define MBEDTLS_PSA_ACCEL_ALG_ECDH 1
@@ -217,7 +232,6 @@
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DERIVE 1
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_HMAC 1
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 1
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DES 1
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY 1
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RAW_DATA 1
diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h
index 93a3e11..e0e6fd2 100644
--- a/tests/include/test/helpers.h
+++ b/tests/include/test/helpers.h
@@ -37,20 +37,7 @@
#define MBEDTLS_TEST_MUTEX_USAGE
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_snprintf snprintf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#define mbedtls_exit exit
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#include <stddef.h>
#include <stdint.h>
@@ -59,6 +46,13 @@
#include "mbedtls/bignum.h"
#endif
+/** The type of test case arguments that contain binary data. */
+typedef struct data_tag
+{
+ uint8_t * x;
+ uint32_t len;
+} data_t;
+
typedef enum
{
MBEDTLS_TEST_RESULT_SUCCESS = 0,
@@ -276,6 +270,29 @@
#endif
#if defined(MBEDTLS_BIGNUM_C)
+/** Allocate and populate a core MPI from a test case argument.
+ *
+ * This function allocates exactly as many limbs as necessary to fit
+ * the length of the input. In other words, it preserves leading zeros.
+ *
+ * The limb array is allocated with mbedtls_calloc() and must later be
+ * freed with mbedtls_free().
+ *
+ * \param[in,out] pX The address where a pointer to the allocated limb
+ * array will be stored.
+ * \c *pX must be null on entry.
+ * On exit, \c *pX is null on error or if the number
+ * of limbs is 0.
+ * \param[out] plimbs The address where the number of limbs will be stored.
+ * \param[in] input The test argument to read.
+ * It is interpreted as a hexadecimal representation
+ * of a non-negative integer.
+ *
+ * \return \c 0 on success, an \c MBEDTLS_ERR_MPI_xxx error code otherwise.
+ */
+int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs,
+ const char *input );
+
/** Read an MPI from a hexadecimal string.
*
* Like mbedtls_mpi_read_string(), but size the resulting bignum based
@@ -291,7 +308,6 @@
*
* \return \c 0 on success, an \c MBEDTLS_ERR_MPI_xxx error code otherwise.
*/
-/* Since the library has exactly the desired behavior, this is trivial. */
int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s );
#endif /* MBEDTLS_BIGNUM_C */
diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h
index 8535b93..695a243 100644
--- a/tests/include/test/macros.h
+++ b/tests/include/test/macros.h
@@ -28,20 +28,7 @@
#include <stdlib.h>
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_snprintf snprintf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#define mbedtls_exit exit
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#include "mbedtls/memory_buffer_alloc.h"
diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh
index 3487026..c8586d2 100755
--- a/tests/opt-testcases/tls13-kex-modes.sh
+++ b/tests/opt-testcases/tls13-kex-modes.sh
@@ -66,6 +66,165 @@
-s "Found PSK KEX MODE" \
-s "No matched ciphersuite"
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Multiple PSKs: valid ticket, reconnect with ticket" \
+ "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8" \
+ "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Pre-configured PSK number = 2" \
+ -s "sent selected_identity: 0" \
+ -s "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -S "key exchange mode: ephemeral$" \
+ -S "ticket is not authentic"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Multiple PSKs: invalid ticket, reconnect with PSK" \
+ "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=1" \
+ "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Pre-configured PSK number = 2" \
+ -s "sent selected_identity: 1" \
+ -s "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -S "key exchange mode: ephemeral$" \
+ -s "ticket is not authentic"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, ticket authentication failed." \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=1" \
+ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Pre-configured PSK number = 1" \
+ -S "sent selected_identity:" \
+ -s "key exchange mode: ephemeral" \
+ -S "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -s "ticket is not authentic" \
+ -S "ticket is expired" \
+ -S "Invalid ticket start time" \
+ -S "Ticket age exceeds limitation" \
+ -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, ticket expired." \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=2" \
+ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Pre-configured PSK number = 1" \
+ -S "sent selected_identity:" \
+ -s "key exchange mode: ephemeral" \
+ -S "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -S "ticket is not authentic" \
+ -s "ticket is expired" \
+ -S "Invalid ticket start time" \
+ -S "Ticket age exceeds limitation" \
+ -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, invalid start time." \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=3" \
+ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Pre-configured PSK number = 1" \
+ -S "sent selected_identity:" \
+ -s "key exchange mode: ephemeral" \
+ -S "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -S "ticket is not authentic" \
+ -S "ticket is expired" \
+ -s "Invalid ticket start time" \
+ -S "Ticket age exceeds limitation" \
+ -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, ticket expired. too old" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=4" \
+ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Pre-configured PSK number = 1" \
+ -S "sent selected_identity:" \
+ -s "key exchange mode: ephemeral" \
+ -S "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -S "ticket is not authentic" \
+ -S "ticket is expired" \
+ -S "Invalid ticket start time" \
+ -s "Ticket age exceeds limitation" \
+ -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too young." \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=5" \
+ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Pre-configured PSK number = 1" \
+ -S "sent selected_identity:" \
+ -s "key exchange mode: ephemeral" \
+ -S "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -S "ticket is not authentic" \
+ -S "ticket is expired" \
+ -S "Invalid ticket start time" \
+ -S "Ticket age exceeds limitation" \
+ -s "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too old." \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=6" \
+ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Pre-configured PSK number = 1" \
+ -S "sent selected_identity:" \
+ -s "key exchange mode: ephemeral" \
+ -S "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -S "ticket is not authentic" \
+ -S "ticket is expired" \
+ -S "Invalid ticket start time" \
+ -S "Ticket age exceeds limitation" \
+ -s "Ticket age outside tolerance window"
requires_gnutls_tls1_3
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index a1b47f4..f1b2f0e 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -987,6 +987,8 @@
scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
scripts/config.py set MBEDTLS_PSA_CRYPTO_CLIENT
+ scripts/config.py unset MBEDTLS_LMS_C
+ scripts/config.py unset MBEDTLS_LMS_PRIVATE
make
msg "test: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make"
@@ -1246,6 +1248,8 @@
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
scripts/config.py unset MBEDTLS_SSL_SRV_C
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py unset MBEDTLS_LMS_C
+ scripts/config.py unset MBEDTLS_LMS_PRIVATE
make
msg "test: full minus CIPHER"
@@ -1268,12 +1272,171 @@
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py unset MBEDTLS_LMS_C
+ scripts/config.py unset MBEDTLS_LMS_PRIVATE
make
msg "test: crypto_full minus CIPHER"
make test
}
+component_test_tls1_2_default_stream_cipher_only () {
+ msg "build: default with only stream cipher"
+
+ # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C
+ scripts/config.py unset MBEDTLS_GCM_C
+ scripts/config.py unset MBEDTLS_CCM_C
+ scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+ scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
+ # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
+ # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
+ scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
+ # Modules that depend on AEAD
+ scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
+ scripts/config.py unset MBEDTLS_SSL_TICKET_C
+
+ make
+
+ msg "test: default with only stream cipher"
+ make test
+
+ # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
+}
+
+component_test_tls1_2_default_stream_cipher_only_use_psa () {
+ msg "build: default with only stream cipher use psa"
+
+ scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py unset MBEDTLS_GCM_C
+ scripts/config.py unset MBEDTLS_CCM_C
+ scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+ scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
+ # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
+ # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
+ scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
+ # Modules that depend on AEAD
+ scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
+ scripts/config.py unset MBEDTLS_SSL_TICKET_C
+
+ make
+
+ msg "test: default with only stream cipher use psa"
+ make test
+
+ # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
+}
+
+component_test_tls1_2_default_cbc_legacy_cipher_only () {
+ msg "build: default with only CBC-legacy cipher"
+
+ # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py unset MBEDTLS_GCM_C
+ scripts/config.py unset MBEDTLS_CCM_C
+ scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+ scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+ # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
+ # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
+ scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
+ # Modules that depend on AEAD
+ scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
+ scripts/config.py unset MBEDTLS_SSL_TICKET_C
+
+ make
+
+ msg "test: default with only CBC-legacy cipher"
+ make test
+
+ msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)"
+ tests/ssl-opt.sh -f "TLS 1.2"
+}
+
+component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
+ msg "build: default with only CBC-legacy cipher use psa"
+
+ scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py unset MBEDTLS_GCM_C
+ scripts/config.py unset MBEDTLS_CCM_C
+ scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+ scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+ # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
+ # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
+ scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
+ # Modules that depend on AEAD
+ scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
+ scripts/config.py unset MBEDTLS_SSL_TICKET_C
+
+ make
+
+ msg "test: default with only CBC-legacy cipher use psa"
+ make test
+
+ msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)"
+ tests/ssl-opt.sh -f "TLS 1.2"
+}
+
+component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
+ msg "build: default with only CBC-legacy and CBC-EtM ciphers"
+
+ # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py unset MBEDTLS_GCM_C
+ scripts/config.py unset MBEDTLS_CCM_C
+ scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+ scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+ # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
+ # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
+ scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
+ # Modules that depend on AEAD
+ scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
+ scripts/config.py unset MBEDTLS_SSL_TICKET_C
+
+ make
+
+ msg "test: default with only CBC-legacy and CBC-EtM ciphers"
+ make test
+
+ msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)"
+ tests/ssl-opt.sh -f "TLS 1.2"
+}
+
+component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
+ msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
+
+ scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py unset MBEDTLS_GCM_C
+ scripts/config.py unset MBEDTLS_CCM_C
+ scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+ scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+ # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
+ # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
+ scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
+ # Modules that depend on AEAD
+ scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
+ scripts/config.py unset MBEDTLS_SSL_TICKET_C
+
+ make
+
+ msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa"
+ make test
+
+ msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)"
+ tests/ssl-opt.sh -f "TLS 1.2"
+}
+
component_test_psa_external_rng_use_psa_crypto () {
msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
scripts/config.py full
@@ -1672,6 +1835,8 @@
scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
+ scripts/config.py unset MBEDTLS_LMS_C
+ scripts/config.py unset MBEDTLS_LMS_PRIVATE
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
@@ -1941,6 +2106,41 @@
make test
}
+component_test_psa_crypto_config_accel_aead () {
+ msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
+
+ # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
+ # partial support for cipher operations in the driver test library.
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
+
+ loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
+ loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
+ make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
+
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+
+ scripts/config.py unset MBEDTLS_GCM_C
+ scripts/config.py unset MBEDTLS_CCM_C
+ scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ # Features that depend on AEAD
+ scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
+ scripts/config.py unset MBEDTLS_SSL_TICKET_C
+
+ loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
+ make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
+
+ # There's a risk of something getting re-enabled via config_psa.h
+ # make sure it did not happen.
+ not grep mbedtls_ccm library/ccm.o
+ not grep mbedtls_gcm library/gcm.o
+ not grep mbedtls_chachapoly library/chachapoly.o
+
+ msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
+ make test
+}
+
component_test_psa_crypto_config_no_driver() {
# full plus MBEDTLS_PSA_CRYPTO_CONFIG
msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS"
@@ -2083,6 +2283,8 @@
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
+ scripts/config.py unset MBEDTLS_LMS_C
+ scripts/config.py unset MBEDTLS_LMS_PRIVATE
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
@@ -2103,6 +2305,8 @@
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
+ scripts/config.py unset MBEDTLS_LMS_C
+ scripts/config.py unset MBEDTLS_LMS_PRIVATE
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
@@ -2123,6 +2327,8 @@
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
+ scripts/config.py unset MBEDTLS_LMS_C
+ scripts/config.py unset MBEDTLS_LMS_PRIVATE
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
@@ -2180,6 +2386,8 @@
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_224
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
+ scripts/config.py unset MBEDTLS_LMS_C
+ scripts/config.py unset MBEDTLS_LMS_PRIVATE
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
@@ -2200,6 +2408,8 @@
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
+ scripts/config.py unset MBEDTLS_LMS_C
+ scripts/config.py unset MBEDTLS_LMS_PRIVATE
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
@@ -2314,6 +2524,7 @@
scripts/config.py unset MBEDTLS_PLATFORM_PRINTF_ALT
scripts/config.py unset MBEDTLS_PLATFORM_FPRINTF_ALT
scripts/config.py unset MBEDTLS_PLATFORM_SNPRINTF_ALT
+ scripts/config.py unset MBEDTLS_PLATFORM_VSNPRINTF_ALT
scripts/config.py unset MBEDTLS_PLATFORM_TIME_ALT
scripts/config.py unset MBEDTLS_PLATFORM_EXIT_ALT
scripts/config.py unset MBEDTLS_PLATFORM_SETBUF_ALT
diff --git a/tests/scripts/depends-hashes.pl b/tests/scripts/depends-hashes.pl
index 68297a6..db18a92 100755
--- a/tests/scripts/depends-hashes.pl
+++ b/tests/scripts/depends-hashes.pl
@@ -57,7 +57,7 @@
['unset MBEDTLS_MD5_C'],
['unset MBEDTLS_SHA512_C', 'unset MBEDTLS_SHA384_C '],
['unset MBEDTLS_SHA384_C'],
- ['unset MBEDTLS_SHA256_C', 'unset MBEDTLS_SHA224_C'],
+ ['unset MBEDTLS_SHA256_C', 'unset MBEDTLS_SHA224_C', 'unset MBEDTLS_LMS_C', 'unset MBEDTLS_LMS_PRIVATE'],
['unset MBEDTLS_SHA1_C'],
);
diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py
index 7626ecd..8a4d281 100755
--- a/tests/scripts/generate_bignum_tests.py
+++ b/tests/scripts/generate_bignum_tests.py
@@ -31,7 +31,7 @@
function.
- arguments(): a method to generate the list of arguments required for the
test_function.
- - generate_function_test(): a method to generate TestCases for the function.
+ - generate_function_tests(): a method to generate TestCases for the function.
This should create instances of the class with required input data, and
call `.create_test_case()` to yield the TestCase.
diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl
index 15fa8bc..22eadd1 100755
--- a/tests/scripts/run-test-suites.pl
+++ b/tests/scripts/run-test-suites.pl
@@ -74,7 +74,7 @@
my $prefix = $^O eq "MSWin32" ? '' : './';
-my ($failed_suites, $total_tests_run, $failed, $suite_cases_passed,
+my (@failed_suites, $total_tests_run, $failed, $suite_cases_passed,
$suite_cases_failed, $suite_cases_skipped, $total_cases_passed,
$total_cases_failed, $total_cases_skipped );
my $suites_skipped = 0;
@@ -112,7 +112,7 @@
pad_print_center( 72, '-', "End $suite" );
}
} else {
- $failed_suites++;
+ push @failed_suites, $suite;
print "FAIL\n";
if( $verbose ) {
pad_print_center( 72, '-', "Begin $suite" );
@@ -139,12 +139,17 @@
}
print "-" x 72, "\n";
-print $failed_suites ? "FAILED" : "PASSED";
+print @failed_suites ? "FAILED" : "PASSED";
printf( " (%d suites, %d tests run%s)\n",
scalar(@suites) - $suites_skipped,
$total_tests_run,
$suites_skipped ? ", $suites_skipped suites skipped" : "" );
+if( $verbose && @failed_suites ) {
+ # the output can be very long, so provide a summary of which suites failed
+ print " failed suites : @failed_suites\n";
+}
+
if( $verbose > 1 ) {
print " test cases passed :", $total_cases_passed, "\n";
print " failed :", $total_cases_failed, "\n";
@@ -159,5 +164,5 @@
}
}
-exit( $failed_suites ? 1 : 0 );
+exit( @failed_suites ? 1 : 0 );
diff --git a/tests/src/drivers/test_driver_aead.c b/tests/src/drivers/test_driver_aead.c
index b561960..93a75f6 100644
--- a/tests/src/drivers/test_driver_aead.c
+++ b/tests/src/drivers/test_driver_aead.c
@@ -25,6 +25,10 @@
#include "test/drivers/aead.h"
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#include "libtestdriver1/library/psa_crypto_aead.h"
+#endif
+
mbedtls_test_driver_aead_hooks_t
mbedtls_test_driver_aead_hooks = MBEDTLS_TEST_DRIVER_AEAD_INIT;
@@ -46,7 +50,18 @@
}
else
{
-#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+ mbedtls_test_driver_aead_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_aead_encrypt(
+ (const libtestdriver1_psa_key_attributes_t *)attributes,
+ key_buffer, key_buffer_size,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ plaintext, plaintext_length,
+ ciphertext, ciphertext_size, ciphertext_length );
+#elif defined(MBEDTLS_PSA_BUILTIN_AEAD)
mbedtls_test_driver_aead_hooks.driver_status =
mbedtls_psa_aead_encrypt(
attributes, key_buffer, key_buffer_size,
@@ -94,7 +109,18 @@
}
else
{
-#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+ mbedtls_test_driver_aead_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_aead_decrypt(
+ (const libtestdriver1_psa_key_attributes_t *)attributes,
+ key_buffer, key_buffer_size,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ ciphertext, ciphertext_length,
+ plaintext, plaintext_size, plaintext_length );
+#elif defined(MBEDTLS_PSA_BUILTIN_AEAD)
mbedtls_test_driver_aead_hooks.driver_status =
mbedtls_psa_aead_decrypt(
attributes, key_buffer, key_buffer_size,
@@ -139,7 +165,14 @@
}
else
{
-#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+ mbedtls_test_driver_aead_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_aead_encrypt_setup( operation,
+ (const libtestdriver1_psa_key_attributes_t *)attributes,
+ key_buffer,
+ key_buffer_size, alg );
+#elif defined(MBEDTLS_PSA_BUILTIN_AEAD)
mbedtls_test_driver_aead_hooks.driver_status =
mbedtls_psa_aead_encrypt_setup( operation, attributes, key_buffer,
key_buffer_size, alg );
@@ -171,7 +204,13 @@
}
else
{
-#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+ mbedtls_test_driver_aead_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_aead_decrypt_setup( operation,
+ (const libtestdriver1_psa_key_attributes_t *)attributes,
+ key_buffer, key_buffer_size, alg );
+#elif defined(MBEDTLS_PSA_BUILTIN_AEAD)
mbedtls_test_driver_aead_hooks.driver_status =
mbedtls_psa_aead_decrypt_setup( operation, attributes, key_buffer,
key_buffer_size, alg );
@@ -202,7 +241,11 @@
}
else
{
-#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+ mbedtls_test_driver_aead_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_aead_set_nonce( operation, nonce, nonce_length );
+#elif defined(MBEDTLS_PSA_BUILTIN_AEAD)
mbedtls_test_driver_aead_hooks.driver_status =
mbedtls_psa_aead_set_nonce( operation, nonce, nonce_length );
#else
@@ -230,7 +273,12 @@
}
else
{
-#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+ mbedtls_test_driver_aead_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_aead_set_lengths( operation, ad_length,
+ plaintext_length );
+#elif defined(MBEDTLS_PSA_BUILTIN_AEAD)
mbedtls_test_driver_aead_hooks.driver_status =
mbedtls_psa_aead_set_lengths( operation, ad_length,
plaintext_length );
@@ -259,7 +307,11 @@
}
else
{
-#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+ mbedtls_test_driver_aead_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_aead_update_ad( operation, input, input_length );
+#elif defined(MBEDTLS_PSA_BUILTIN_AEAD)
mbedtls_test_driver_aead_hooks.driver_status =
mbedtls_psa_aead_update_ad( operation, input, input_length );
#else
@@ -290,7 +342,13 @@
}
else
{
-#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+ mbedtls_test_driver_aead_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_aead_update( operation, input,
+ input_length, output,
+ output_size, output_length );
+#elif defined(MBEDTLS_PSA_BUILTIN_AEAD)
mbedtls_test_driver_aead_hooks.driver_status =
mbedtls_psa_aead_update( operation, input, input_length, output,
output_size, output_length );
@@ -326,7 +384,13 @@
}
else
{
-#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+ mbedtls_test_driver_aead_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_aead_finish( operation, ciphertext,
+ ciphertext_size, ciphertext_length,
+ tag, tag_size, tag_length );
+#elif defined(MBEDTLS_PSA_BUILTIN_AEAD)
mbedtls_test_driver_aead_hooks.driver_status =
mbedtls_psa_aead_finish( operation, ciphertext, ciphertext_size,
ciphertext_length, tag, tag_size,
@@ -364,9 +428,19 @@
else
{
uint8_t check_tag[PSA_AEAD_TAG_MAX_SIZE];
- size_t check_tag_length;
+ size_t check_tag_length = 0;
-#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+ mbedtls_test_driver_aead_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_aead_finish( operation,
+ plaintext,
+ plaintext_size,
+ plaintext_length,
+ check_tag,
+ sizeof( check_tag ),
+ &check_tag_length );
+#elif defined(MBEDTLS_PSA_BUILTIN_AEAD)
mbedtls_test_driver_aead_hooks.driver_status =
mbedtls_psa_aead_finish( operation,
plaintext,
@@ -410,7 +484,11 @@
}
else
{
-#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+ mbedtls_test_driver_aead_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_aead_abort( operation );
+#elif defined(MBEDTLS_PSA_BUILTIN_AEAD)
mbedtls_test_driver_aead_hooks.driver_status =
mbedtls_psa_aead_abort( operation );
#else
diff --git a/tests/src/helpers.c b/tests/src/helpers.c
index 4f976a2..b7c8364 100644
--- a/tests/src/helpers.c
+++ b/tests/src/helpers.c
@@ -15,6 +15,7 @@
* limitations under the License.
*/
+#include <test/constant_flow.h>
#include <test/helpers.h>
#include <test/macros.h>
#include <string.h>
@@ -102,8 +103,12 @@
int mbedtls_test_equal( const char *test, int line_no, const char* filename,
unsigned long long value1, unsigned long long value2 )
{
+ TEST_CF_PUBLIC( &value1, sizeof( value1 ) );
+ TEST_CF_PUBLIC( &value2, sizeof( value2 ) );
+
if( value1 == value2 )
return( 1 );
+
if( mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED )
{
/* We've already recorded the test as having failed. Don't
@@ -125,8 +130,12 @@
int mbedtls_test_le_u( const char *test, int line_no, const char* filename,
unsigned long long value1, unsigned long long value2 )
{
+ TEST_CF_PUBLIC( &value1, sizeof( value1 ) );
+ TEST_CF_PUBLIC( &value2, sizeof( value2 ) );
+
if( value1 <= value2 )
return( 1 );
+
if( mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED )
{
/* We've already recorded the test as having failed. Don't
@@ -148,8 +157,12 @@
int mbedtls_test_le_s( const char *test, int line_no, const char* filename,
long long value1, long long value2 )
{
+ TEST_CF_PUBLIC( &value1, sizeof( value1 ) );
+ TEST_CF_PUBLIC( &value2, sizeof( value2 ) );
+
if( value1 <= value2 )
return( 1 );
+
if( mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED )
{
/* We've already recorded the test as having failed. Don't
@@ -332,6 +345,51 @@
#endif /* MBEDTLS_TEST_HOOKS */
#if defined(MBEDTLS_BIGNUM_C)
+#include "bignum_core.h"
+
+int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs,
+ const char *input )
+{
+ /* Sanity check */
+ if( *pX != NULL )
+ return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+ size_t hex_len = strlen( input );
+ size_t byte_len = ( hex_len + 1 ) / 2;
+ *plimbs = CHARS_TO_LIMBS( byte_len );
+ if( *plimbs == 0 )
+ return( 0 );
+
+ *pX = mbedtls_calloc( *plimbs, sizeof( **pX ) );
+ if( *pX == NULL )
+ return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+ unsigned char *byte_start = ( unsigned char * ) *pX;
+ if( byte_len % sizeof( mbedtls_mpi_uint ) != 0 )
+ {
+ byte_start += sizeof( mbedtls_mpi_uint ) - byte_len % sizeof( mbedtls_mpi_uint );
+ }
+ if( ( hex_len & 1 ) != 0 )
+ {
+ /* mbedtls_test_unhexify wants an even number of hex digits */
+ TEST_ASSERT( ascii2uc( *input, byte_start ) == 0 );
+ ++byte_start;
+ ++input;
+ --byte_len;
+ }
+ TEST_ASSERT( mbedtls_test_unhexify( byte_start,
+ byte_len,
+ input,
+ &byte_len ) == 0 );
+
+ mbedtls_mpi_core_bigendian_to_host( *pX, *plimbs );
+ return( 0 );
+
+exit:
+ mbedtls_free( *pX );
+ return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+}
+
int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s )
{
/* mbedtls_mpi_read_string() currently retains leading zeros.
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 67e9cfb..f6437f5 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -12842,7 +12842,6 @@
-s "key exchange mode: psk_ephemeral" \
-s "found pre_shared_key extension"
-
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_DEBUG_C
@@ -12874,6 +12873,47 @@
-c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_DEBUG_C
+run_test "TLS 1.3: NewSessionTicket: servername check, m->m" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4 \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ "$P_CLI debug_level=4 server_name=localhost reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "got new session ticket." \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -s "=> write NewSessionTicket msg" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \
+ -s "key exchange mode: ephemeral" \
+ -s "key exchange mode: psk_ephemeral" \
+ -s "found pre_shared_key extension"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_DEBUG_C
+run_test "TLS 1.3: NewSessionTicket: servername negative check, m->m" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4 \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ "$P_CLI debug_level=4 server_name=localhost rec_server_name=remote reco_mode=1 reconnect=1" \
+ 1 \
+ -c "Protocol is TLSv1.3" \
+ -c "got new session ticket." \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "Hostname mismatch the session ticket, disable session resumption." \
+ -s "=> write NewSessionTicket msg" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
+
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_MEMORY_DEBUG
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index a620178..fe33f9b 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function
@@ -12,20 +12,7 @@
#if defined (MBEDTLS_ERROR_C)
#include "mbedtls/error.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_snprintf snprintf
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#define mbedtls_exit exit
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#include "mbedtls/memory_buffer_alloc.h"
@@ -52,13 +39,6 @@
#include <unistd.h>
#endif
-/* Type for Hex parameters */
-typedef struct data_tag
-{
- uint8_t * x;
- uint32_t len;
-} data_t;
-
/*----------------------------------------------------------------------------*/
/* Status and error constants */
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index 37468df..af617fc 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -1,9 +1,6 @@
/* BEGIN_HEADER */
#include "mbedtls/cipher.h"
-
-#if defined(MBEDTLS_AES_C)
#include "mbedtls/aes.h"
-#endif
#if defined(MBEDTLS_GCM_C)
#include "mbedtls/gcm.h"
diff --git a/tests/suites/test_suite_cmac.data b/tests/suites/test_suite_cmac.data
index 70b7609..5956a69 100644
--- a/tests/suites/test_suite_cmac.data
+++ b/tests/suites/test_suite_cmac.data
@@ -22,15 +22,15 @@
CMAC init #5 AES-224: bad key size
depends_on:MBEDTLS_AES_C
-mbedtls_cmac_setkey:MBEDTLS_CIPHER_ID_AES:224:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+mbedtls_cmac_setkey:MBEDTLS_CIPHER_AES_128_ECB:224:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
CMAC init #6 AES-0: bad key size
depends_on:MBEDTLS_AES_C
-mbedtls_cmac_setkey:MBEDTLS_CIPHER_ID_AES:0:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+mbedtls_cmac_setkey:MBEDTLS_CIPHER_AES_128_ECB:0:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
CMAC init #7 Camellia: wrong cipher
depends_on:MBEDTLS_CAMELLIA_C
-mbedtls_cmac_setkey:MBEDTLS_CIPHER_ID_CAMELLIA:128:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+mbedtls_cmac_setkey:MBEDTLS_CIPHER_CAMELLIA_192_ECB:128:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
CMAC Single Blocks #1 - Empty block, no updates
mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"":-1:"":-1:"":-1:"":-1:"bb1d6929e95937287fa37d129b756746"
diff --git a/tests/suites/test_suite_ecdh.function b/tests/suites/test_suite_ecdh.function
index e23b471..515a974 100644
--- a/tests/suites/test_suite_ecdh.function
+++ b/tests/suites/test_suite_ecdh.function
@@ -50,6 +50,9 @@
mbedtls_ecp_keypair kp;
int invalid_side = 42;
+ mbedtls_ecdh_init( &ctx );
+ mbedtls_ecp_keypair_init( &kp );
+
TEST_EQUAL( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecdh_get_params( &ctx, &kp,
invalid_side ) );
diff --git a/tests/suites/test_suite_ecjpake.function b/tests/suites/test_suite_ecjpake.function
index 47c25e3..d90a586 100644
--- a/tests/suites/test_suite_ecjpake.function
+++ b/tests/suites/test_suite_ecjpake.function
@@ -109,6 +109,8 @@
mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256;
mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP256R1;
+ mbedtls_ecjpake_init( &ctx );
+
TEST_EQUAL( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_setup( &ctx,
invalid_role,
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index 42d69b4..7d29e52 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -72,6 +72,9 @@
size_t olen;
unsigned char buf[42] = { 0 };
+ mbedtls_ecp_group_init( &grp );
+ mbedtls_ecp_point_init( &P );
+
TEST_EQUAL( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecp_point_write_binary( &grp, &P,
invalid_fmt,
diff --git a/tests/suites/test_suite_lmots.data b/tests/suites/test_suite_lmots.data
new file mode 100644
index 0000000..2737272
--- /dev/null
+++ b/tests/suites/test_suite_lmots.data
@@ -0,0 +1,151 @@
+LMOTS sign-verify test #1
+# This test uses a fixed message, and then generates a private key, signs the
+# message, and verifies the signature.
+lmots_sign_verify_test:"c41ba177a0ca1ec31dfb2e145237e65b":"00000000000000000000000000000000":12:"403cbcc9808bb4b5ad72476ea297b2854c928ff5336f0b98ac2237ec83225ae7"
+
+LMOTS sign-verify test #2
+# This test uses a fixed message, and then generates a private key, signs the
+# message, and verifies the signature.
+lmots_sign_verify_test:"55a6647a581004306792b653a561d9f3":"00000000000000000000000000000000":12:"c3dbc3fea047dca8fb7a3cdf609a5b7f48599c193c90e958ce9388c84df0a906"
+
+LMOTS NULL-message sign-verify test
+# This test uses a NULL zero-length message, and then generates a private key,
+# signs the message, and verifies the signature.
+lmots_sign_verify_null_msg_test::"00000000000000000000000000000000":12:"be5fa89144f2d665c66ead8216bc02006e0eccd8b3697a0aea44f6c93afe7955"
+
+LMOTS hsslms interop test #1
+# This test uses data from https://github.com/pmvr/python-hsslms due to the
+# limited amount of available test vectors for LMOTS, and few implementations
+# providing direct access to the underlying OTS signature scheme. The private
+# key is stored in data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv.
+# This test uses the same OTS key as the LMS hsslms interop test 1 (leaf 0 of
+# the LMS key), and the same message.
+#
+# To produce another signature with this message and key (note that the actual
+# signature bytes will differ due to randomization):
+# pip3 install --user hsslms==0.1.2
+#
+# from hsslms import LMS_Priv, LM_OTS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE
+# import pickle
+#
+# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
+# private_key = pickle.load(private_key_file)
+#
+# ots_private_key = LM_OTS_Priv(private_key.otstypecode, private_key.I, 0, private_key.SEED)
+# ots_public_key = ots_private_key.gen_pub()
+# message = bytes.fromhex('60da1a17c88c59da8a730e6ca8effd37')
+# sig = ots_private_key.sign(message)
+# print('lmots_verify_test:"{}":"{}":"{}":0'.format(message.hex(), sig.hex(), ots_public_key.pubkey.hex()))
+lmots_verify_test:"60da1a17c88c59da8a730e6ca8effd37":"000000040bb462a8f59a277c1706ab69b1a40b0d56a3ffe1ddf0dfa890096c7a9c48b360e1e8f7abe4dc1950c4a64545ce6c0fe2a34477ec40f56db4eec37c1a2168e3059d4338a4eb368a64be5f98b5452f2c2fad23dcac585f5fe308bfc3df0b5cbc6cf3545236ed6c5a863e677521b5b5cee0aa1e755c3bbf5fb7326fac1a88cb12dd7f8d68ebe8bad07195a12fa11299073731e67f2452009252c595fc7d9285b90aaa912eb6cf0b5debc0996ca55ad5186702b244a616c4b9e0ceeea229e1e821c1ab0db906ce87640d128f1d8c4742d9baf340a8030df726a99a9b97f139ec57d8d87efdfca235f12de64e0a993804b95227cdfd26220a84502e350faaf5f91f3f49610eda211f9409005679e32068def22a2dcce3d226d0f68c4abc727b90d9c01daa05db24d7c0c9e9e48202e3420992ba78c36bc21c45cdf218801dc7053e3cbf39c141784e7a861671588622d540187912234ce628ea9cbd1800d215641163c762d2fd9194fa54bd9b46c83754579476398a5c2fece4642f1ee286a4e9a310b5e23088c75a68b123044c1c365c8b53fe9f895fa5d76fe1277c7c0f2a39f5b233f7d2acd5358feec2255feadb1c2513c4351c9bd1afe22d159f2d392c83bf7ec26b59e78330cd346adb85ef62fee3da63150ab5e0d7ce5d0ef353895360017faf3f35aca2cf3b8eda65389e2ba86f78ebfbe73382dfe9002331f24e96e1a6e56e7cc99ee848b82ad1ade3229e9e28168acfa8c059ed03028e8c872e72ff4cf8a50b84ade908ecf229a26ff1007c476d1aa376323fc567c9471085336496b231b5245a43c6c86c6a71c1b1fb4bd87c2d0b026bff55de121620a089ed9ade51c3bd91c703844c180ef9ad0ab550b9560ba9f1452463ce20987a402213ca5c16c927a0a85091dd74fbee22cac6b1afbc7e7dec229325c25ea3b3cc5a1c48c80665f9903e482b143f7cd051bdb990355f79c62553453c72ccbcc578df77069a7b0cf6fdc6853ec2f96fb7cc100216ae1b17aa20782fb0cd0f261b76a48b5d6f7bb48fa5f78c02a11ee81a8c0c81183910af770f2e907ebd5b2dc3a2b83529f62da074ca73c434f8f30b68a5dfee740f78d2c13b53c904e46dddf723923bfbffa437a4130c8c9b6d79a57db1c408b9c023f80fb3d766cb915e722f3b3152625d77bce3ca0c01e77f3750d7d1bef1ddda8b9b4233b09c89abe5913db50847a7ea219c3f406aa4cf41b6310bafa99a7b14f94b8ccd4dc7edb1a1e963ce26a53f3be71b4151ce5fae10ca30055e754880680e38cf2f21251f229341f7af9536360a428c2593c43fd2ae471bc1fa2b45ad55742a2f12f31eed6cb67945a898650c13650c4cffeecba8655f87e49ce921ced7ab00cf54eedf0c70e5c6cfa7f006763f0ac14d80cfb1662321cdccca8b1adf426eb9ca16ef2b978bb9ac229131fa5c1266a4980449c324ebdd8bcc98916089ee0b6966da7dc25350bdc758431884359d02f5fa567b39f49a6e410da2d0363944a090926308ed0ce7d565e6c4585ea010bc38ef1c976ae16ec1fbe6fb9d4d50e49a7be8273d2d56bf4e72acbadd90d5f8dee0":"0000000447cc5b29dd0cecd01c382434a6d1686400000000761e8e577fb4d12058806fc7bdaaef0ba64e454dc59b0230a77b43bbd83dc8c6":0
+
+LMOTS hsslms interop test #2
+# This test uses data from https://github.com/pmvr/python-hsslms due to the
+# limited amount of available test vectors for LMOTS, and few implementations
+# providing direct access to the underlying OTS signature scheme. The private
+# key is stored in data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv.
+# This test uses the same OTS key as the LMS hsslms interop test 2 (leaf 1 of
+# the LMS key), and the same message.
+#
+# To produce another signature with this message and key (note that the actual
+# signature bytes will differ due to randomization):
+# pip3 install --user hsslms==0.1.2
+#
+# from hsslms import LMS_Priv, LM_OTS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE
+# import pickle
+#
+# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
+# private_key = pickle.load(private_key_file)
+#
+#ots_private_key = LM_OTS_Priv(private_key.otstypecode, private_key.I, 1, private_key.SEED)
+#ots_public_key = ots_private_key.gen_pub()
+#message = bytes.fromhex('92d036bde8c45b8bb5dea2a072560b1e29fc4bb7dc4549ce90bccee8a6e962a1')
+#sig = ots_private_key.sign(message)
+#print('lmots_verify_test:"{}":"{}":"{}":0'.format(message.hex(), sig.hex(), ots_public_key.pubkey.hex()))
+lmots_verify_test:"92d036bde8c45b8bb5dea2a072560b1e29fc4bb7dc4549ce90bccee8a6e962a1":"00000004e29f47d2314ebaf22ebb821dec653f5bd105aced5d24829787a93da910baa495cd5a8576dad606cc7407c4d8a38a715ded879274c5347a200cc1c08a6fcc7288e280bb2e66b682c4b20c514f7a990ce01594001917be8d1cb5a23c22dc00c81b18b8047177cc109a1ff862f535319b703be8e4439062348b7bc73e85e69f7d3f033767146130991f78b497e2a0eee1059d2cd87e0a99c1aae47a6496664735cdb383a8f7a1d686199cf2e07a67e9ef409048efb76cf0c689c1c6c67a5b6966e4b4773710bdff3f72a4f85428187f912c9f13a8bd06533450ce04dbbd2c022eab44a5f6a822d78918f692fa5c6c90aab8941072d679b89388160556597acf17b95b3ffdf8c4c21df5327bd756772a45fdde182004d91cff5aba111fbb70b5970a7d7416220de31e6e76646372e4a1606fbbd5be215a32bbb84da99c63af271edbd42ee87de174cabec7734b6d924d329640bdb84059cbcea89caa703667f5e1b3c1c71b53213f1cd7d1da3e42da70edeb7c0b596bcb981c08eb0f02408ee028a57165cbdc36c9edafa559826c2e690e73da7c7fa1b0fa0e6041a692a2e8f27af80513c07ecd89caaf78ddf8e2edaa17bece335068153b253ceef38b491801c1ef7c648045ce7c517afab888603648b17d3a98a3b5622b469a829b023c5cb2ce42462c28d22bc3de91dd8b38bab539971b0c7596dcd0d8c0d84bfd7925d6e2f2d114ca4f91fca12178a451ac0dabc8c21396ad5be57ea0648bd1054de00aa7fd3d46453ebacf6b611e05842f5f019aeca3c798ae063631fd5e56ea1f7a21bbea5c30e6d60a724ce187e7c497d918d2a4d5094224dde94a02e851eae1626533992a599a641466e4d683e40b5a28695aababd2d7f7d2ccee72c289876c8d581babaeb3d738f1d1fc765e9fee3f70670913e07cd38fc7b37e2caba0a735352aa3f4b2467010bb1b725d4bbd86d8c98eece10e925d8bb5c0e993dfa45621f91596f5d1e1446b118c48bc1e403627fdd299ad4d3d5f3a2dfb239bf22e7ff25d83287ba3a96b24cda0252df1907af1cb74d31d720c5baca0f316769f7f98b409c17bb543c39628446183e326d0745b4424520a9d582fc817eac55b0efc2ca4659a60a95e1d3b77bf1454e5cd4d1d54d51159d3df70a78345d1d6a7e0746b3deb080883f6506e9e7d0fb4bddaa66aa7cf555df1bb9d3f848b7e604b690a403f4e40188110e0ef9af15dc4952a8ed100987e39e8184be8dc62441ac2a561c7cbe431c45b0ec03c41c4867e38925977fc240ed2a04d73d4319435de354dfe0184220c71bd59be4e7f6dc9a1a27f4eefc990d615b2c12e13f1821727a607afdab359d2bad5b1be689a36662e052cfade2c0f5cc842c090082068d324f0e338830030d255ee6e6d9303c0037c24985338dfa16b5980a99782af1b3aca9123b5063e0b9f1a31105e2c9eaae2353b2ed53dab5b4fb43b4697d05fcf4941be071edf3456ac8e35eba39800ad968155574c14b6ce109982177b00ea5fbb739dc7553e40c98824d4932185e61ccc380b07476ae210ce3657b24f4639261a5e7e0c52d6afdea97bb2fc":"0000000447cc5b29dd0cecd01c382434a6d1686400000001f337dde97685d008a4440b59550277390018d3f1d485fa4b8c91796032de494b":0
+
+LMOTS hsslms interop NULL-message test
+# This test uses data from https://github.com/pmvr/python-hsslms due to the
+# limited amount of available test vectors for LMOTS, and few implementations
+# providing direct access to the underlying OTS signature scheme. The private
+# key is stored in data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv.
+#
+# To produce another signature with this message and key (note that the actual
+# signature bytes will differ due to randomization):
+# pip3 install --user hsslms==0.1.2
+#
+# from hsslms import LMS_Priv, LM_OTS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE
+# import pickle
+#
+# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
+# private_key = pickle.load(private_key_file)
+#
+#ots_private_key = LM_OTS_Priv(private_key.otstypecode, private_key.I, 3, private_key.SEED)
+#ots_public_key = ots_private_key.gen_pub()
+#message = bytes()
+#sig = ots_private_key.sign(message)
+#print('lmots_verify_test:"{}":"{}":"{}":0'.format(message.hex(), sig.hex(), ots_public_key.pubkey.hex()))
+lmots_verify_test:"":"00000004862327ead0b0eee8bde100614b3369e183f97812c13f0979f7d37482a2ae719a811ba3a5c65cc036270d4b31ed6caa900ba0a98e3e5d6f7e4286571e003fd7f8fd523c7707eb00d25ce6b0d2c92317b2531b8ebb184ed65f7bd4c20611154409acb5134389c8aca9cb98c380fc8de4f48078a1859126967275219ca0168c6f0cfec0c2f63f98fb2a741fc15a5d59b50a97efe2564bd8a4f05fe250d4ec316e6a833a2dafaea47efa359840fb887e3a5ae0b07c75ed1dda3cc253365c5b9320180e5273a2c5078cdc0d3aefeaa94d8888c3112c2b68f85fdfaa13b5088f4bdf570f5a2ae32114497d28a6b46abe602f142a9382651a4b5fe7aeda3e54deaf85d51d59bc945e3970d4f603cb1617137c182087dcecb7f97016e138ae4c7f8926a9fbf7d1154cd53971e3c86e230fe783efdc44f4459143eeddec73612a11f6c4796bb734b703b94b3ee02a136f676ff959bd9dcba3a6cdf8244310b4125a07ef7a364d47c2d0067370f9024bb02217ea19baafa6111dbe1daa6f4d3ae287f8b4675934a8cb124b64f3d2baac01504a66b5cb80d5fe88281c92eb2d9e6105368ce748c2269f28444d20f8fa06f96738942606fd2ee1ae17b45953af9cc8aa10089b80c951ae7d4c6496476e0f9d88050a09433a99b92f1bd2bc2cc4e712fbba650e8c61716a2396bd802679096b2ed113dcf9107196f41185c9baa295c1000879dae4e36344b7ca9a4f040ceec064ff4a654a561a21fbdd0c28a4d0245da9fdb37a7ce20875e323db04197b6ec9d0265a840687a4067b6670482e3a765895a57f26fb971e359f30fa3c65b6197fbfe6433364f0062cc20d8ee2ebed5c3b96dfcd46aa99956b5b1602d9ea16b05ed54f1a72557148ec3a43baaac2474f735ce82979c87df358d175f4686aebde24b768f0f8dfa3c20d9c33db8244f47793eae676afe7485b08163ebd5c4b02c227a38824bb58d034e0a00395ce19e34846b8f6ce3cd3ba877a6ee953738c0ebffdc6eee63bff648e1530f611e9b5de0e5c41bf2f50375347dbe3c332ec523d516aa9478fdf61952f44068447d1474bc3a33f0d973f7b36360ddefd21ba57916dc0ee7a21082ec9c024d78938616e8bbaff451c8da9675cef9d0610872e8cd2b7673a86148e3abba473d0e4e1579ca3faa891d475a6bab9dc3a90537c701a62f41198b0e86f101b506a8a5b102ddd6fdafca56e7f32f4217f8bb7c228066c53fcd78b8541c3ffeb88fe685c796711bbe2d8fee6e9adcc077c140216438c5db25e7b7b34164fce6343dd8de5aa8310d18c9cf91992a25e6f71eb39fb7c267dc3b87d1781b34a4f3c84e2ecc04f73104d50e00631e2e7b157a8374c2b08dbcb3210b2852738a16cc580fa6df62b93f27151bfa77eaeb726ab18137e14962676836a573a6ac62b1bb8d40b402d2da0b37bb5a29e2ef154a78f61b632c2e9279670ba9a7a2c2ceda3f931940a5766738ad8ee62761c87d94e50ec995c01484fe6c96d0fb2ae97394e6497a4a8087c366edd038d72b01f4eb351a2ac41d19df56db40491da464a6f0c646b859e7ea3b0584be618fd7fb48c":"0000000447cc5b29dd0cecd01c382434a6d16864000000033fa1330497e44e2773f08e4727eb4d745db9051d6a60779e58a922dc8a7d4ede":0
+
+LMOTS hash-sigs interop negative test (altered random value)
+# This test uses the valid signature from hsslms interop test 1, and then
+# alters the random value (C) of the signature, and is expected to fail to
+# verify.
+lmots_verify_test:"60da1a17c88c59da8a730e6ca8effd37":"000000041bb462a8f59a277c1706ab69b1a40b0d56a3ffe1ddf0dfa890096c7a9c48b360e1e8f7abe4dc1950c4a64545ce6c0fe2a34477ec40f56db4eec37c1a2168e3059d4338a4eb368a64be5f98b5452f2c2fad23dcac585f5fe308bfc3df0b5cbc6cf3545236ed6c5a863e677521b5b5cee0aa1e755c3bbf5fb7326fac1a88cb12dd7f8d68ebe8bad07195a12fa11299073731e67f2452009252c595fc7d9285b90aaa912eb6cf0b5debc0996ca55ad5186702b244a616c4b9e0ceeea229e1e821c1ab0db906ce87640d128f1d8c4742d9baf340a8030df726a99a9b97f139ec57d8d87efdfca235f12de64e0a993804b95227cdfd26220a84502e350faaf5f91f3f49610eda211f9409005679e32068def22a2dcce3d226d0f68c4abc727b90d9c01daa05db24d7c0c9e9e48202e3420992ba78c36bc21c45cdf218801dc7053e3cbf39c141784e7a861671588622d540187912234ce628ea9cbd1800d215641163c762d2fd9194fa54bd9b46c83754579476398a5c2fece4642f1ee286a4e9a310b5e23088c75a68b123044c1c365c8b53fe9f895fa5d76fe1277c7c0f2a39f5b233f7d2acd5358feec2255feadb1c2513c4351c9bd1afe22d159f2d392c83bf7ec26b59e78330cd346adb85ef62fee3da63150ab5e0d7ce5d0ef353895360017faf3f35aca2cf3b8eda65389e2ba86f78ebfbe73382dfe9002331f24e96e1a6e56e7cc99ee848b82ad1ade3229e9e28168acfa8c059ed03028e8c872e72ff4cf8a50b84ade908ecf229a26ff1007c476d1aa376323fc567c9471085336496b231b5245a43c6c86c6a71c1b1fb4bd87c2d0b026bff55de121620a089ed9ade51c3bd91c703844c180ef9ad0ab550b9560ba9f1452463ce20987a402213ca5c16c927a0a85091dd74fbee22cac6b1afbc7e7dec229325c25ea3b3cc5a1c48c80665f9903e482b143f7cd051bdb990355f79c62553453c72ccbcc578df77069a7b0cf6fdc6853ec2f96fb7cc100216ae1b17aa20782fb0cd0f261b76a48b5d6f7bb48fa5f78c02a11ee81a8c0c81183910af770f2e907ebd5b2dc3a2b83529f62da074ca73c434f8f30b68a5dfee740f78d2c13b53c904e46dddf723923bfbffa437a4130c8c9b6d79a57db1c408b9c023f80fb3d766cb915e722f3b3152625d77bce3ca0c01e77f3750d7d1bef1ddda8b9b4233b09c89abe5913db50847a7ea219c3f406aa4cf41b6310bafa99a7b14f94b8ccd4dc7edb1a1e963ce26a53f3be71b4151ce5fae10ca30055e754880680e38cf2f21251f229341f7af9536360a428c2593c43fd2ae471bc1fa2b45ad55742a2f12f31eed6cb67945a898650c13650c4cffeecba8655f87e49ce921ced7ab00cf54eedf0c70e5c6cfa7f006763f0ac14d80cfb1662321cdccca8b1adf426eb9ca16ef2b978bb9ac229131fa5c1266a4980449c324ebdd8bcc98916089ee0b6966da7dc25350bdc758431884359d02f5fa567b39f49a6e410da2d0363944a090926308ed0ce7d565e6c4585ea010bc38ef1c976ae16ec1fbe6fb9d4d50e49a7be8273d2d56bf4e72acbadd90d5f8dee0":"0000000447cc5b29dd0cecd01c382434a6d1686400000000761e8e577fb4d12058806fc7bdaaef0ba64e454dc59b0230a77b43bbd83dc8c6":MBEDTLS_ERR_LMS_VERIFY_FAILED
+
+LMOTS negative test (invalid type) #1
+# This test uses the valid signature from hsslms interop test 1, and then
+# sets an invalid LMOTS type (0x5), and is expected to fail to
+# verify.
+lmots_verify_test:"60da1a17c88c59da8a730e6ca8effd37":"000000050bb462a8f59a277c1706ab69b1a40b0d56a3ffe1ddf0dfa890096c7a9c48b360e1e8f7abe4dc1950c4a64545ce6c0fe2a34477ec40f56db4eec37c1a2168e3059d4338a4eb368a64be5f98b5452f2c2fad23dcac585f5fe308bfc3df0b5cbc6cf3545236ed6c5a863e677521b5b5cee0aa1e755c3bbf5fb7326fac1a88cb12dd7f8d68ebe8bad07195a12fa11299073731e67f2452009252c595fc7d9285b90aaa912eb6cf0b5debc0996ca55ad5186702b244a616c4b9e0ceeea229e1e821c1ab0db906ce87640d128f1d8c4742d9baf340a8030df726a99a9b97f139ec57d8d87efdfca235f12de64e0a993804b95227cdfd26220a84502e350faaf5f91f3f49610eda211f9409005679e32068def22a2dcce3d226d0f68c4abc727b90d9c01daa05db24d7c0c9e9e48202e3420992ba78c36bc21c45cdf218801dc7053e3cbf39c141784e7a861671588622d540187912234ce628ea9cbd1800d215641163c762d2fd9194fa54bd9b46c83754579476398a5c2fece4642f1ee286a4e9a310b5e23088c75a68b123044c1c365c8b53fe9f895fa5d76fe1277c7c0f2a39f5b233f7d2acd5358feec2255feadb1c2513c4351c9bd1afe22d159f2d392c83bf7ec26b59e78330cd346adb85ef62fee3da63150ab5e0d7ce5d0ef353895360017faf3f35aca2cf3b8eda65389e2ba86f78ebfbe73382dfe9002331f24e96e1a6e56e7cc99ee848b82ad1ade3229e9e28168acfa8c059ed03028e8c872e72ff4cf8a50b84ade908ecf229a26ff1007c476d1aa376323fc567c9471085336496b231b5245a43c6c86c6a71c1b1fb4bd87c2d0b026bff55de121620a089ed9ade51c3bd91c703844c180ef9ad0ab550b9560ba9f1452463ce20987a402213ca5c16c927a0a85091dd74fbee22cac6b1afbc7e7dec229325c25ea3b3cc5a1c48c80665f9903e482b143f7cd051bdb990355f79c62553453c72ccbcc578df77069a7b0cf6fdc6853ec2f96fb7cc100216ae1b17aa20782fb0cd0f261b76a48b5d6f7bb48fa5f78c02a11ee81a8c0c81183910af770f2e907ebd5b2dc3a2b83529f62da074ca73c434f8f30b68a5dfee740f78d2c13b53c904e46dddf723923bfbffa437a4130c8c9b6d79a57db1c408b9c023f80fb3d766cb915e722f3b3152625d77bce3ca0c01e77f3750d7d1bef1ddda8b9b4233b09c89abe5913db50847a7ea219c3f406aa4cf41b6310bafa99a7b14f94b8ccd4dc7edb1a1e963ce26a53f3be71b4151ce5fae10ca30055e754880680e38cf2f21251f229341f7af9536360a428c2593c43fd2ae471bc1fa2b45ad55742a2f12f31eed6cb67945a898650c13650c4cffeecba8655f87e49ce921ced7ab00cf54eedf0c70e5c6cfa7f006763f0ac14d80cfb1662321cdccca8b1adf426eb9ca16ef2b978bb9ac229131fa5c1266a4980449c324ebdd8bcc98916089ee0b6966da7dc25350bdc758431884359d02f5fa567b39f49a6e410da2d0363944a090926308ed0ce7d565e6c4585ea010bc38ef1c976ae16ec1fbe6fb9d4d50e49a7be8273d2d56bf4e72acbadd90d5f8dee0":"0000000447cc5b29dd0cecd01c382434a6d1686400000000761e8e577fb4d12058806fc7bdaaef0ba64e454dc59b0230a77b43bbd83dc8c6":MBEDTLS_ERR_LMS_VERIFY_FAILED
+
+LMOTS negative test (invalid type) #2
+# This test uses the valid signature from hsslms interop test 1, and then
+# sets an invalid LMOTS type (0x3), and is expected to fail to
+# verify.
+lmots_verify_test:"60da1a17c88c59da8a730e6ca8effd37":"000000030bb462a8f59a277c1706ab69b1a40b0d56a3ffe1ddf0dfa890096c7a9c48b360e1e8f7abe4dc1950c4a64545ce6c0fe2a34477ec40f56db4eec37c1a2168e3059d4338a4eb368a64be5f98b5452f2c2fad23dcac585f5fe308bfc3df0b5cbc6cf3545236ed6c5a863e677521b5b5cee0aa1e755c3bbf5fb7326fac1a88cb12dd7f8d68ebe8bad07195a12fa11299073731e67f2452009252c595fc7d9285b90aaa912eb6cf0b5debc0996ca55ad5186702b244a616c4b9e0ceeea229e1e821c1ab0db906ce87640d128f1d8c4742d9baf340a8030df726a99a9b97f139ec57d8d87efdfca235f12de64e0a993804b95227cdfd26220a84502e350faaf5f91f3f49610eda211f9409005679e32068def22a2dcce3d226d0f68c4abc727b90d9c01daa05db24d7c0c9e9e48202e3420992ba78c36bc21c45cdf218801dc7053e3cbf39c141784e7a861671588622d540187912234ce628ea9cbd1800d215641163c762d2fd9194fa54bd9b46c83754579476398a5c2fece4642f1ee286a4e9a310b5e23088c75a68b123044c1c365c8b53fe9f895fa5d76fe1277c7c0f2a39f5b233f7d2acd5358feec2255feadb1c2513c4351c9bd1afe22d159f2d392c83bf7ec26b59e78330cd346adb85ef62fee3da63150ab5e0d7ce5d0ef353895360017faf3f35aca2cf3b8eda65389e2ba86f78ebfbe73382dfe9002331f24e96e1a6e56e7cc99ee848b82ad1ade3229e9e28168acfa8c059ed03028e8c872e72ff4cf8a50b84ade908ecf229a26ff1007c476d1aa376323fc567c9471085336496b231b5245a43c6c86c6a71c1b1fb4bd87c2d0b026bff55de121620a089ed9ade51c3bd91c703844c180ef9ad0ab550b9560ba9f1452463ce20987a402213ca5c16c927a0a85091dd74fbee22cac6b1afbc7e7dec229325c25ea3b3cc5a1c48c80665f9903e482b143f7cd051bdb990355f79c62553453c72ccbcc578df77069a7b0cf6fdc6853ec2f96fb7cc100216ae1b17aa20782fb0cd0f261b76a48b5d6f7bb48fa5f78c02a11ee81a8c0c81183910af770f2e907ebd5b2dc3a2b83529f62da074ca73c434f8f30b68a5dfee740f78d2c13b53c904e46dddf723923bfbffa437a4130c8c9b6d79a57db1c408b9c023f80fb3d766cb915e722f3b3152625d77bce3ca0c01e77f3750d7d1bef1ddda8b9b4233b09c89abe5913db50847a7ea219c3f406aa4cf41b6310bafa99a7b14f94b8ccd4dc7edb1a1e963ce26a53f3be71b4151ce5fae10ca30055e754880680e38cf2f21251f229341f7af9536360a428c2593c43fd2ae471bc1fa2b45ad55742a2f12f31eed6cb67945a898650c13650c4cffeecba8655f87e49ce921ced7ab00cf54eedf0c70e5c6cfa7f006763f0ac14d80cfb1662321cdccca8b1adf426eb9ca16ef2b978bb9ac229131fa5c1266a4980449c324ebdd8bcc98916089ee0b6966da7dc25350bdc758431884359d02f5fa567b39f49a6e410da2d0363944a090926308ed0ce7d565e6c4585ea010bc38ef1c976ae16ec1fbe6fb9d4d50e49a7be8273d2d56bf4e72acbadd90d5f8dee0":"0000000447cc5b29dd0cecd01c382434a6d1686400000000761e8e577fb4d12058806fc7bdaaef0ba64e454dc59b0230a77b43bbd83dc8c6":MBEDTLS_ERR_LMS_VERIFY_FAILED
+
+LMOTS key import / export test
+# This test uses the valid public key for hsslms interop test 1, imports it, and
+# then exports it. It also checks if the export correctly fails when the export
+# buffer is too small.
+lmots_import_export_test:"0000000447cc5b29dd0cecd01c382434a6d1686400000001f337dde97685d008a4440b59550277390018d3f1d485fa4b8c91796032de494b":0
+
+LMOTS key import too large key test
+# This test uses the valid public key for hsslms interop test 1, add an extra
+# byte, and then imports it. This should fail.
+lmots_import_export_test:"0000000447cc5b29dd0cecd01c382434a6d1686400000001f337dde97685d008a4440b59550277390018d3f1d485fa4b8c91796032de494b00":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMOTS key import too small key test
+# This test uses the valid public key for hsslms interop test 1, removes a byte,
+# and then imports it. This should fail.
+lmots_import_export_test:"0000000447cc5b29dd0cecd01c382434a6d1686400000001f337dde97685d008a4440b59550277390018d3f1d485fa4b8c91796032de49":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMOTS key import no type test
+# This test uses the valid public key for hsslms interop test 1, cuts it down so
+# it's smaller than the LMOTS type offset, and imports it. This should fail, and
+# not attempt to read invalidly outside the buffer.
+lmots_import_export_test:"000000":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMOTS key import invalid type test #1
+# This test uses the valid public key for hsslms interop test 1, alters the
+# LMOTS type to 0x3, and imports it. This should fail.
+lmots_import_export_test:"0000000347cc5b29dd0cecd01c382434a6d1686400000001f337dde97685d008a4440b59550277390018d3f1d485fa4b8c91796032de494b":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMOTS key import invalid type test #2
+# This test uses the valid public key for hsslms interop test 1, alters the
+# LMOTS type to 0x5, and imports it. This should fail, and not attempt to read
+# invalidly outside the buffer.
+lmots_import_export_test:"0000000547cc5b29dd0cecd01c382434a6d1686400000001f337dde97685d008a4440b59550277390018d3f1d485fa4b8c91796032de494b":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMOTS key reuse test
+# This test uses a fixed message, and then generates a private key, signs the
+# message, and then attempts to sign the message again. The second signature
+# must fail as private key material must be deleted after a key is used to sign.
+lmots_reuse_test:"cfcd1e81193e310c9d931d1b00818d14":"00000000000000000000000000000000":12:"a7f53cc5a228ce63811ba4d7c1f74f7fce62afbf6813f3ca3ae43c11b138086f"
+
+LMOTS signature leak test
+# This test uses a fixed message, and then generates a private key, signs the
+# message, and then uses a test hook to check that the signature has not been
+# modifier before the private key has been deleted (which could cause signature
+# leakage during errors).
+lmots_signature_leak_test:"cfcd1e81193e310c9d931d1b00818d14":"00000000000000000000000000000000":12:"a7f53cc5a228ce63811ba4d7c1f74f7fce62afbf6813f3ca3ae43c11b138086f"
diff --git a/tests/suites/test_suite_lmots.function b/tests/suites/test_suite_lmots.function
new file mode 100644
index 0000000..53ab02f
--- /dev/null
+++ b/tests/suites/test_suite_lmots.function
@@ -0,0 +1,246 @@
+/* BEGIN_HEADER */
+#include "lmots.h"
+#include "mbedtls/lms.h"
+
+#if defined(MBEDTLS_TEST_HOOKS)
+int check_lmots_private_key_for_leak(unsigned char * sig)
+{
+ size_t idx;
+
+ for( idx = MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(MBEDTLS_LMOTS_SHA256_N32_W8);
+ idx < MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8);
+ idx++ )
+ {
+ TEST_EQUAL( sig[idx], 0x7E );
+ }
+
+ return( 0 );
+
+exit:
+ return( -1 );
+}
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_LMS_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:MBEDTLS_LMS_PRIVATE */
+void lmots_sign_verify_test ( data_t *msg, data_t *key_id, int leaf_id,
+ data_t *seed )
+{
+ mbedtls_lmots_public_t pub_ctx;
+ mbedtls_lmots_private_t priv_ctx;
+ unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)];
+
+ mbedtls_lmots_public_init( &pub_ctx );
+ mbedtls_lmots_private_init( &priv_ctx );
+
+ TEST_EQUAL( mbedtls_lmots_generate_private_key(&priv_ctx, MBEDTLS_LMOTS_SHA256_N32_W8,
+ key_id->x, leaf_id, seed->x, seed->len ), 0 );
+ TEST_EQUAL( mbedtls_lmots_calculate_public_key(&pub_ctx, &priv_ctx), 0 );
+ TEST_EQUAL( mbedtls_lmots_sign(&priv_ctx, &mbedtls_test_rnd_std_rand, NULL,
+ msg->x, msg->len, sig, sizeof(sig), NULL ), 0 );
+ TEST_EQUAL( mbedtls_lmots_verify(&pub_ctx, msg->x, msg->len, sig, sizeof(sig)), 0 );
+
+exit:
+ mbedtls_lmots_public_free( &pub_ctx );
+ mbedtls_lmots_private_free( &priv_ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_LMS_PRIVATE */
+void lmots_sign_verify_null_msg_test ( data_t *key_id, int leaf_id, data_t *seed )
+{
+ mbedtls_lmots_public_t pub_ctx;
+ mbedtls_lmots_private_t priv_ctx;
+ unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)];
+
+ mbedtls_lmots_public_init( &pub_ctx );
+ mbedtls_lmots_private_init( &priv_ctx );
+
+ TEST_EQUAL( mbedtls_lmots_generate_private_key(&priv_ctx, MBEDTLS_LMOTS_SHA256_N32_W8,
+ key_id->x, leaf_id, seed->x, seed->len ), 0 );
+ TEST_EQUAL( mbedtls_lmots_calculate_public_key(&pub_ctx, &priv_ctx), 0 );
+ TEST_EQUAL( mbedtls_lmots_sign(&priv_ctx, &mbedtls_test_rnd_std_rand, NULL,
+ NULL, 0, sig, sizeof(sig), NULL ), 0 );
+ TEST_EQUAL( mbedtls_lmots_verify(&pub_ctx, NULL, 0, sig, sizeof(sig)), 0 );
+
+exit:
+ mbedtls_lmots_public_free( &pub_ctx );
+ mbedtls_lmots_private_free( &priv_ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void lmots_verify_test ( data_t *msg, data_t *sig, data_t *pub_key,
+ int expected_rc )
+{
+ mbedtls_lmots_public_t ctx;
+ unsigned int size;
+ unsigned char *tmp_sig = NULL;
+
+ mbedtls_lmots_public_init( &ctx );
+
+ TEST_EQUAL(mbedtls_lmots_import_public_key( &ctx, pub_key->x, pub_key->len ), 0);
+
+ TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, sig->x, sig->len ), expected_rc);
+
+ /* Test negative cases if the input data is valid */
+ if( expected_rc == 0 )
+ {
+ if( msg->len >= 1 )
+ {
+ /* Altering first message byte must cause verification failure */
+ msg->x[0] ^= 1;
+ TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, sig->x, sig->len ),
+ MBEDTLS_ERR_LMS_VERIFY_FAILED);
+ msg->x[0] ^= 1;
+
+ /* Altering last message byte must cause verification failure */
+ msg->x[msg->len - 1] ^= 1;
+ TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, sig->x, sig->len ),
+ MBEDTLS_ERR_LMS_VERIFY_FAILED);
+ msg->x[msg->len - 1] ^= 1;
+ }
+
+ /* Altering first signature byte must cause verification failure */
+ sig->x[0] ^= 1;
+ TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, sig->x, sig->len ),
+ MBEDTLS_ERR_LMS_VERIFY_FAILED);
+ sig->x[0] ^= 1;
+
+ /* Altering last signature byte must cause verification failure */
+ sig->x[sig->len - 1] ^= 1;
+ TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, sig->x, sig->len ),
+ MBEDTLS_ERR_LMS_VERIFY_FAILED);
+ sig->x[sig->len - 1] ^= 1;
+
+ /* Signatures of all sizes must not verify, whether shorter or longer */
+ for( size = 0; size < sig->len; size++ ) {
+ if( size == sig->len )
+ continue;
+
+ ASSERT_ALLOC( tmp_sig, size );
+ if( tmp_sig != NULL )
+ memcpy( tmp_sig, sig->x, MIN(size, sig->len) );
+
+ TEST_EQUAL(mbedtls_lmots_verify( &ctx, msg->x, msg->len, tmp_sig, size ),
+ MBEDTLS_ERR_LMS_VERIFY_FAILED);
+ mbedtls_free( tmp_sig );
+ tmp_sig = NULL;
+ }
+ }
+
+exit:
+ mbedtls_free( tmp_sig );
+ mbedtls_lmots_public_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void lmots_import_export_test ( data_t * pub_key, int expected_import_rc )
+{
+ mbedtls_lmots_public_t ctx;
+ unsigned char *exported_pub_key = NULL;
+ size_t exported_pub_key_buf_size;
+ size_t exported_pub_key_size;
+
+ mbedtls_lmots_public_init( &ctx );
+ TEST_EQUAL( mbedtls_lmots_import_public_key( &ctx, pub_key->x, pub_key->len ),
+ expected_import_rc );
+
+ if( expected_import_rc == 0 )
+ {
+ exported_pub_key_buf_size = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8);
+ ASSERT_ALLOC( exported_pub_key, exported_pub_key_buf_size );
+
+ TEST_EQUAL( mbedtls_lmots_export_public_key( &ctx, exported_pub_key,
+ exported_pub_key_buf_size,
+ &exported_pub_key_size ), 0 );
+
+ TEST_EQUAL( exported_pub_key_size,
+ MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8) );
+ ASSERT_COMPARE( pub_key->x, pub_key->len,
+ exported_pub_key, exported_pub_key_size );
+ mbedtls_free(exported_pub_key);
+ exported_pub_key = NULL;
+
+ /* Export into too-small buffer should fail */
+ exported_pub_key_buf_size = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8) - 1;
+ ASSERT_ALLOC( exported_pub_key, exported_pub_key_buf_size);
+ TEST_EQUAL( mbedtls_lmots_export_public_key( &ctx, exported_pub_key,
+ exported_pub_key_buf_size, NULL ),
+ MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
+ mbedtls_free(exported_pub_key);
+ exported_pub_key = NULL;
+
+ /* Export into too-large buffer should succeed */
+ exported_pub_key_buf_size = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(MBEDTLS_LMOTS_SHA256_N32_W8) + 1;
+ ASSERT_ALLOC( exported_pub_key, exported_pub_key_buf_size);
+ TEST_EQUAL( mbedtls_lmots_export_public_key( &ctx, exported_pub_key,
+ exported_pub_key_buf_size,
+ &exported_pub_key_size ),
+ 0 );
+ ASSERT_COMPARE( pub_key->x, pub_key->len,
+ exported_pub_key, exported_pub_key_size );
+ mbedtls_free(exported_pub_key);
+ exported_pub_key = NULL;
+ }
+
+exit:
+ mbedtls_lmots_public_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_LMS_PRIVATE */
+void lmots_reuse_test ( data_t *msg, data_t *key_id, int leaf_id, data_t *seed )
+{
+ mbedtls_lmots_private_t ctx;
+ unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)];
+
+ mbedtls_lmots_private_init( &ctx );
+ TEST_EQUAL( mbedtls_lmots_generate_private_key(&ctx, MBEDTLS_LMOTS_SHA256_N32_W8,
+ key_id->x, leaf_id, seed->x,
+ seed->len ), 0 );
+ TEST_EQUAL( mbedtls_lmots_sign(&ctx, mbedtls_test_rnd_std_rand, NULL,
+ msg->x, msg->len, sig, sizeof( sig ), NULL ), 0 );
+
+ /* Running another sign operation should fail, since the key should now have
+ * been erased.
+ */
+ TEST_EQUAL( mbedtls_lmots_sign(&ctx, mbedtls_test_rnd_std_rand, NULL,
+ msg->x, msg->len, sig, sizeof( sig ), NULL ), MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
+
+exit:
+ mbedtls_lmots_private_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_LMS_PRIVATE */
+void lmots_signature_leak_test ( data_t *msg, data_t *key_id, int leaf_id,
+ data_t *seed )
+{
+ mbedtls_lmots_private_t ctx;
+ unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)];
+
+ mbedtls_lmots_sign_private_key_invalidated_hook = &check_lmots_private_key_for_leak;
+
+ /* Fill with recognisable pattern */
+ memset( sig, 0x7E, sizeof( sig ) );
+
+ mbedtls_lmots_private_init( &ctx );
+ TEST_EQUAL( mbedtls_lmots_generate_private_key(&ctx, MBEDTLS_LMOTS_SHA256_N32_W8,
+ key_id->x, leaf_id, seed->x,
+ seed->len ), 0 );
+ TEST_EQUAL( mbedtls_lmots_sign(&ctx, mbedtls_test_rnd_std_rand, NULL,
+ msg->x, msg->len, sig, sizeof( sig ), NULL ), 0 );
+
+exit:
+ mbedtls_lmots_private_free( &ctx );
+ mbedtls_lmots_sign_private_key_invalidated_hook = NULL;
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_lms.data b/tests/suites/test_suite_lms.data
new file mode 100644
index 0000000..7802a70
--- /dev/null
+++ b/tests/suites/test_suite_lms.data
@@ -0,0 +1,263 @@
+LMS sign-verify test
+# This test uses a fixed message, and then generates a private key, signs the
+# message, and verifies the signature.
+lms_sign_verify_test:"c41ba177a0ca1ec31dfb2e145237e65b":"626201f41afd7c9af793cf158da58e33"
+
+LMS NULL-message sign-verify test
+# This test uses a NULL zero-length message, and then generates a private key,
+# signs the message, and verifies the signature.
+lms_sign_verify_null_msg_test:"923a3c8e38c9b72e067996bfdaa36856"
+
+LMS pyhsslms interop test #1
+# This test uses data from https://github.com/russhousley/pyhsslms due to the
+# limited amount of available test vectors for LMS. The private key is stored in
+# data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. Note that this signature
+# uses leaf key 0, so must be the first signature generated by the key if the
+# signature is to be reproduced. Message data is random. Note that pyhsslms
+# stores public keys and signatures in HSS form, which appends a 4-byte "levels"
+# word at the start of the key/sig. We strip these 4 bytes from the signature
+# and the public key before including them in a the test data.
+#
+# To produce another signature with this message and key (note that the actual
+# signature bytes will differ due to randomization):
+# * pip3 install --user pyhsslms
+# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
+# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub
+#
+# import pyhsslms
+#
+# private_key = pyhsslms.HssLmsPrivateKey('tmp/lms')
+# public_key = private_key.hss_pub
+#
+# message1 = bytes.fromhex('60da1a17c88c59da8a730e6ca8effd37')
+# sig1 = private_key.sign(message1)[4:]
+# print('lms_verify_test:"{}":"{}":"{}":0'.format(message1.hex(), sig1.hex(), public_key.serialize()[4:].hex()))
+lms_verify_test:"60da1a17c88c59da8a730e6ca8effd37":"000000000000000436c1e7d365851f12310f77341f4f994da12f39ad5d4cddf51563e80c98640f7edcc6ca027a76e48fe8f01f077f2733026c75e76fdb236b981e7bbe92e37527a5dc64d67449106387ab0ffffd5b5d4187165b4f03965dbdc5c652a4fc81ab83e951b24b61bf86d4d9a7e8d15206cac92c866b5bb358745306525955c56dfc925c48d0259865372043643c3b11daedd40d474c386daa36e3887bb65633cab290078eb2bc24c478a9ae18ac9fbd7c4a6e5338410b22adf02a27178c5a6e2d9ad403120d76c4dd27ec8974943b8226f86834364ac40984a96f1a1201e50eaf31c44e1c12b03a0cab40f6dcfc8acacfbd46333b48985e8b3a843c8f562a8007f69586444114adade8931adbdd636ee055423e33e4fddeff509a64b4589d25034adca9d55359c1489699cc6438c21da4b01d5403f53c2308fa28a9318235b788c15b37d359217301e9d0fa1b9a3b71ef95aca3657a976fd021ce20bbd4674d1a0cc551050b21ecd96f74a591bd84b5e9ae8b966592721a24bf0e16a44102c86999697ade9f7c937277fe8447b65573776507eda7725fbdf5ce27cdf6552d57b76e6f807a575dae1c9abaeb4667bcf0534ce78796f542b65a109bd9650b880d0ca638cf5de1ad97f6c52fa24951404cad923f649aabe664fabf318fc5910a8fecae45479b36c4961572a9d472b6de23cd601ae0d79ec98dcf9d0d5de6ebc9e71665d2b7066a8cdb93a5f65f48978fee68ed8c94a43af8759a2603321af84d22a4a37d7dfe6811f3d9b3c1bd9940214678f784658bf224a6e7efe22e30b962c7cbd18bb92df3d5e86b81493db30d761fb4775dab56a6c446f2b34d906944a72cf71f4f637f0668069f24ebb55e1c50b52c2f35b568b66fa648f5ebf10f74ff48246c3ead6cd6a5901c35f3411584760574c2db86ee5d23a094bffc16369f9845fe2570b1357315f401f1bc201ba165ee16a9afd811e4f9f34b8414134346598cd5fe76c883c5215d75106eceff18135c65473186ed1bcc45246d30aa7b1e561c46d0d1cca3da2e19cca1cfe4e89ca61de070d3cad2f96270962cd770c9154ce7bb5844171293e1a2722d3e340602895ae3c6848c83e264709af8677ff1d49580348d6084e41146410e537e6fdf91881fb8b858aaa04f064671971d082e1f7681eb9ac11da7b4776bedb0bdff6dcdab8facec17df48928e3be3603262cf39d0828ceca9230ccb610e8a6c7ea8e9a3a1d4e43d2f9c204d9327d6a2e8b4dc7b9a13838e1b08b414d9ef3495aee4f4fc05d71a5e8bd828f155a8a3b7ca6e22be59901fe627408a2e8ca8dc28458a4eda726b9e8f511c27495ea3bd3a50997d17a0de3394ccd51329e386ff39708e851cec61335e6b2bc6ad5aac9851a5467eba51cfc59804d674ca23232f8da4ad28c22f7dd54461e366e247e2ef28df07f6b3e4bc2c2e0b0233aee191c2efae467b2bd511c7cfd61dc96148b69b967b9d5eb0efe41a8b0197f8cdef88060d80ce1a2f3f649ab552b52bb1123eec2848c9dceff7ce5a1768d87e67105eda66493a017771170e3462566a08366aa01dfb2b0ca838c8018f0545000000068b991bed50319a6cb9ff040b92f1563889b3787c37145fc9737d4643f66ade33ebd85a2c29b8c64a581cff01b89d59807d6fade2d2c88872f77d0ed83d97c4b5438681d0b95feb973125e4ee70ebe11699290b831e86571e36513a71f159d48ce563f6814cc2a89851d2520c5275b34cc83614cab14c0d197166580d800ee6b9004b8fd72daac8d73c36c1623c37be93ba49a06c4efde238a3a10a05daba5d4942f7de52648af2be31f33e723b3605346282f5d5e356c5d0004eea40fe0b80abf658f6c96c56319ab53d7fefb5879e0136d1cf320973a2f47c1ee3d21554910f09d17afac4607657c4309890957a4954bf86e2a8491ba37dd88b2c3fe3c7edebd767c400bc23e40d165b27133c726b90bc26cbb2a86a6aa400c47aa7ffc538388de8490b9349afa53b814ffe2a56ff16a496e9648284193754f989f6f12aeb6e":"0000000600000004d96bb26744d99ef624e32161c36d3d6efcdd0484e2b17a6dd183125be4b1af1cda931a91a3acb1151877c174f7943fd9":0
+
+LMS pyhsslms interop test #2
+# This test case continues from "LMS pyhsslms interop test #1".
+# The signature uses leaf key 1, so must be the second signature generated by
+# the key if the signature is to be reproduced.
+#
+# To produce another signature with this message and key (note that the actual
+# signature bytes will differ due to randomization), after generating the
+# first signature:
+#
+# message2 = bytes.fromhex('92d036bde8c45b8bb5dea2a072560b1e29fc4bb7dc4549ce90bccee8a6e962a1')
+# sig2 = private_key.sign(message2)[4:]
+# print('lms_verify_test:"{}":"{}":"{}":0'.format(message2.hex(), sig2.hex(), public_key.serialize()[4:].hex()))
+lms_verify_test:"92d036bde8c45b8bb5dea2a072560b1e29fc4bb7dc4549ce90bccee8a6e962a1":"00000001000000042fd4410a9c1947c00419216c64bc236a1620bde03ca9221e67f933bd2664f065e0cfc910c6a4317de4bda8c7fc1244ee1c102e8acc281d96c6a25d1925e087623fcb4faa00219e1f04a2c191ceceee98f2acd0fb1395fd984892f893a3ad862ff6def851e81915b9111288f84fb131e14979f1df6eecc774db45054041bfe74ec0446a0e6a6e01f9b402f41e784a2fcdc0cdccf0b89c2c8a9d2ab28e95e133b33dfb631619e75ec80a9c5d8f634f1d60feec2a5d9a5d6316fa7968734c26c3f60e53613096330a6fc1f779fe501db94b2a932ddc05740a872a8ec34c6d79c6689cd2cd6620d92ea89b39a62053c0bdd7596b360ff45de04bef0cd9b985f00681875e9f3465a71e5055e202dc51bf9ab29d227e8d2b09c6089f82cd356eb1622ada2233209f096cb35086fa2415434ef3ecd660bddf328d70e204d9a8be18319df1bd5c64072b30b72ec792c0a200b29429e262435b03f7fbb6dfcd76b9a84621c91e0ef646bd7367eead3582028a8ed9b40b1fe1562863ea43af350cdf0c965dc8329131df3f00b4b8a33548d7f7f1b03e952064e0f4cd9662af5a0d25ec8dc126d9621bf4707fbd525023ce91cbe05517bf2491e6455f2273b354c9d2f4a4364c3caf44c98ad23601cf1fc9cb490d2a9b9cdb1d60f0328e40734201e9e03f7af30fe6f0d6c7437fdd13573b012cd060a1a325b35d1a3d77e94a666d3873e267223a4e5bcf0752395570ad51d1ac7480cba32fcc8bf93439b8feafd0fb3520ab76d9ae2fba3b4600afce5fd96ff07d0e62579c16f993715f363982409ba38a46d09e6b448738f2bdb4277c65c933ea4a991fdc8021e3b9bbe5d00078b94ed1a78c61ee9d1dec014f99d23905a8fff335a9cca0228e7244a2a8b461970655b8a7f0f684c3f271c5f76924d851850b74754e24abaa9828d353976509dc4c4a241a0c314b80e400aceefe234fbdfb9af60d7c65752a4a396c4cdea1fec3478c263fb5883aa009f1845c4cb3f128c5eb9b290639c7c82fe33b17bd5ddb460a68d54be472769f77c73f7b4bfead2af4a9af6322f5bec9159d234e94a7d496cb6349a4b36fc7ca4e2c42168034bff62e687089fdd27a78484c788556edb58d7c911199752ca609a7906355f226756cd7c6c167b2a2929e8913fb2ec7c46c5caf73252f06cd51c5ca979d0b552831beeb5bcc25fba8ac83c8857633e3873adab0d23f1bb326a6c960e8bb1119e2f917c3892e9ad83f8af74abe0a0beee1734fdf5fe04024a6a644c2bbf88c6019d7115b0742898e90cc2d001efbc6f8e38eeedd5e9e9c777d1ecc6a2a9cf6d67a68781d99db1bbecdfe2e40dbe9074e7a69f0fa9037aecc31c9305c67129e0dbc8a66c8de6c18ed41746d794809bb3a5cc68c17db3052fe31e390ca862be3163660a1f70c5d2f026ed7649437600e38ee08e33f05aac9bcd8b7db309f2f41c34ba44304115ef8bbdba63629607daf67e2e642a726e021f6599032a0f8f3edef2ef5b007d3618856d48aec7894e9a4b802caf9c3f0022c6e61d34c38ba2ddef3c1b0797e7dc74faacb44ac72b5ea078f1a21c2cffc46ba000000063b71be980cffb4e8a8e310341d3b711ab19545ae90c3ac6adcbeb764419411a6ebd85a2c29b8c64a581cff01b89d59807d6fade2d2c88872f77d0ed83d97c4b5438681d0b95feb973125e4ee70ebe11699290b831e86571e36513a71f159d48ce563f6814cc2a89851d2520c5275b34cc83614cab14c0d197166580d800ee6b9004b8fd72daac8d73c36c1623c37be93ba49a06c4efde238a3a10a05daba5d4942f7de52648af2be31f33e723b3605346282f5d5e356c5d0004eea40fe0b80abf658f6c96c56319ab53d7fefb5879e0136d1cf320973a2f47c1ee3d21554910f09d17afac4607657c4309890957a4954bf86e2a8491ba37dd88b2c3fe3c7edebd767c400bc23e40d165b27133c726b90bc26cbb2a86a6aa400c47aa7ffc538388de8490b9349afa53b814ffe2a56ff16a496e9648284193754f989f6f12aeb6e":"0000000600000004d96bb26744d99ef624e32161c36d3d6efcdd0484e2b17a6dd183125be4b1af1cda931a91a3acb1151877c174f7943fd9":0
+
+LMS pyhsslms interop NULL-message test
+# This test uses data from https://github.com/russhousley/pyhsslms due to the limited
+# amount of available test vectors for LMS. The private key is stored in
+# data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. Note that this signature
+# uses leaf key 2, so must be the third signature generated by the key if the
+# signature is to be reproduced. Message data is random. Note that hash-sigs
+# stores public keys and signatures in HSS form, which appends a 4-byte
+# "levels" word at the start of the key/sig. We strip these 4 bytes from the
+# signature and the public key before including them in a the test data.
+#
+# To produce another signature with this message and key (note that the actual
+# signature bytes will differ due to randomization):
+# * pip3 install --user pyhsslms
+# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
+# * touch message.bin (create empty message file)
+# * hsslms sign tmp/lms.prv message.bin (incorrect signature using leaf node 0)
+# * rm message.bin.sig
+# * hsslms sign tmp/lms.prv message.bin (incorrect signature using leaf node 1)
+# * rm message.bin.sig
+# * hsslms sign tmp/lms.prv message.bin (correct signature using leaf node 2)
+# * cat message.bin.sig | xxd
+#
+# To validate the signature:
+# * <Save signature in binary format>
+# * touch message.bin (create empty message file)
+# * echo -n -e "\0\0\0\0" > message.bin.sig; cat sig.bin >> message.bin.sig (restore the
+# HSS levels)
+# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8 tmp/lms.pub
+# * hsslms verify tmp/lms message.bin
+lms_verify_test:"":"0000000200000004b219a0053b6bfe1988ade7b0a438c106262366cb6338eb6ccd161326b29076d3493e88ab5df10ab456ddbac63f9cc7bc626a832664861a61125963f6e4b1fc202b0d6421cb1307451614d4d0e9e4509bc3991ede829f3805531912af12028c33128212a6e0539a458da092e83dcced8ffb1d9280e76593a239d3e87858905d3b4ae3864cd55972f5610759bb7d929d24ae262a1e028f140e90aa7375e43032c0bc28fe5fc25d53a26f4f9e6de18da2f697f82e409308e5b316413df8e85487391c46e784f9303f133ed332c88e6d1467cebffd9547592e907ceba2992a0442410c7a87104697a4ab3483d9b2af9df574edf23811cec0e681246f07ac74e1ddf64a7f7abc72d0a23b70d5f7c9649188eec8644f2437951640af4f673e6bb7d36a10c5c4c857f518974929824011dc79f484107388b92762acb11839c7cafec7daabdbe651f500930386b403ccec90a507829c18df23a800250d412a82b4072c94de24da9fa25720f1ee433953fca2d9b38ffc5c8b6328e69bf928936218bd253cac5a7122b74639ed7f4085d27efda2a698aff4bce385b475470adb19ab2095b3979e74e63914ef5430094e2028440f4d2aa448bb41f1d4481ad76c9b6671f4a7aafdbea44316aa97993fa31c56c34f0acd6295cd2fca8be9ea6af2f4d656f89b113cb3b3ce35753bc0128629372fade890397c297ee4c22e735e2b5f3c7383ed154cf0941884136bc6e51f860803b963c145795c8f573ab43953d25c0837bb13adbcfc506795db26fbd7a277d9532a23b5c472628944a3dcfc424e42fc54b2ed2cc8166cb82e9364af9120881313c97e429bed15bd9d46fe407f229cbc6daf1442e42c57664a7e832a809364750396a0b134efccf9a31e1ef1fdd2279d1179a673feda330b9989681c94d69eb197b6c3048623e49c98cc7cfc8d845c17f9059e7f15b72af8680cad2591cc9c135b2044fe7df45b8b6ef6e8af85ddb677f0897ffbda8131fff0eba1f94200f435bc26cfe5093c63f547620efb3bf8f905fe4ca1c40e163dfb6432c4acf068540c2c81c0392d375e99e3960973447beceefbd437f51616f85236d75815c51073277cc7ceca622bb76236d05a830e024a231566fb07f6f4e3671bc7fd5e22e4da1f4d4f4e56a179325b2ea9e51d6484df0941e0b46bcf4148e98530e9b3641e351b67073ace8438fac6d9a19988af4d594048f12eac4bbaa73eb15d597b1fdbf34ce9410520d9dc4b6bb7a99a12dcdc530c49bb67ca942adecb7adf27456eba9a9b416bb98b25c8020f4c2507b74a9ddb94f197ea42f03500bde751c04ec2c6b427ce0f80322a6b356f0d9d26531843639c7c7938b83541c58fedd0398d81b93032cb4892903a5b1cfd205b333702e7f80c1461a15edd6058c2e08d8afe44e4c5bfd7d9ac2578b5a16b4c4e43bad5f7b22041de5a95c6f64422db270e1f616e379a034fb3c08cf892af6df8af91c2767eb76bcf018e35d66fbf4ac1e5a6a10033ea118f8cd2edf57c2288a93f2f85b6ff41283b029e5c7b04bdac33b5aa79bf799292a0a046b98e6d13a2bb53a970dd0a5784034600000006c3faf2b844e6f17384998ae0616755eb7578458b7096078a36f9e556a2a091be47c0f85ffd8ee916734855a6d116fa1431ad6cff45d2a8a7f6c122f4d492df32438681d0b95feb973125e4ee70ebe11699290b831e86571e36513a71f159d48ce563f6814cc2a89851d2520c5275b34cc83614cab14c0d197166580d800ee6b9004b8fd72daac8d73c36c1623c37be93ba49a06c4efde238a3a10a05daba5d4942f7de52648af2be31f33e723b3605346282f5d5e356c5d0004eea40fe0b80abf658f6c96c56319ab53d7fefb5879e0136d1cf320973a2f47c1ee3d21554910f09d17afac4607657c4309890957a4954bf86e2a8491ba37dd88b2c3fe3c7edebd767c400bc23e40d165b27133c726b90bc26cbb2a86a6aa400c47aa7ffc538388de8490b9349afa53b814ffe2a56ff16a496e9648284193754f989f6f12aeb6e":"0000000600000004d96bb26744d99ef624e32161c36d3d6efcdd0484e2b17a6dd183125be4b1af1cda931a91a3acb1151877c174f7943fd9":0
+
+LMS hash-sigs interop test #1
+# This test uses data from https://github.com/cisco/hash-sigs due to the
+# limited amount of available test vectors for LMS. The private key is stored in
+# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv and
+# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux. Note that this
+# signature uses leaf key 0, so must be the first signature generated by the key
+# if the signature is to be reproduced. Message data is random. Note that
+# hash-sigs stores public keys and signatures in HSS form, which appends a
+# 4-byte "levels" word at the start of the key/sig. We strip these 4 bytes from
+# the signature and the public key before including them in a the test data.
+#
+# To produce another signature with this message and key (note that the actual
+# signature bytes will differ due to randomization):
+# * <download and build hash-sigs>
+# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
+# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux tmp/lms.aux
+# * <Save message in binary format>
+# * <hash-sigs>/demo sign tmp/lms message.bin
+# * cat message.bin.sig | xxd
+#
+# To validate the signature:
+# * Save message and signature in binary format
+# * echo -n -e "\0\0\0\0" > message.bin.sig; cat sig.bin >> message.bin.sig (restore the
+# HSS levels)
+# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub
+# * <hash-sigs/demo> verify tmp/lms message.bin
+lms_verify_test:"6b7439e31ef128c54f1536f745ff1246":"0000000000000004163fc2e3d3267d8c0d9fd9e7bb7a4eae84c3d98cd565de361edc426067960fc3201d9be1c30f4e4edce91844753aa13ff21e92648ac795b7c29dd6140962b5a1fb97b02570402a498a495044edcb26d1321c52e91c60cc3feb8f8e84fc77f97fb6e7afbfe4c2f2203d8d84303e2dd212b652e08a2e5a24a333df859cea3c5a547561f7ce6d182e2a3f2f018ef7e0578621916cff905c0713fa5f2bf73248ae6985aebc4086b79ebf71b8dcbb592eb61dc6303d06dbda88063690361b0dd25ea1c2c6b4d82dddbe11740864c65c228d67e9a1710506e585a748e7e02b36706e5cff83b3589613f07c636ab7784d6a8288d33e80f063165a2ddcbb0d7da815df8043dfa500c3e313c533bf6aec959237c923813d3109bdaeb195b1337f4cf21c1c863f6261dca411819603a3ea60cf34c81b462c4979b357da2bcdf3128343ca5a8a957e3ca4eebb914d743862e29ef48e43e7c5a7aaf7a2fe1251c309c65e9143dcfb298fa0d353084f60c0779e1a09b040f13c1025ec99402b844ff9996decf4b5f0d32a0858126ff293472aa93fbc2017d39fee93ff9f0ca2752b25cfa12542bf19cc1b8c102d65b70dccf760f26cb546742ce909d45345f802a985bae6a0f922a9c2a3dc992fae9f6f2fba0c52cad82564bde6ed8af880ee7a5eb5c6436611e5da1c690831bed34e3dd65acf2b8f496b6448e957afc16c48b6cd733bc84e3606a1d0609f08015c14b5619a2723f9b22950efc7ff7b733c299fcd84ed89c4d5cd43a9a54f25fc0fa1370d184f9e8011b60ba38dfca0eeeb56ae37a5823718c8210db20c2de13c39e43970b0b53b85b9cf9ea0dd025e7db558b463c683980fe59e0defde41afe825cfb8606ca861602a7fefd7506edc81b7ab4a1e0626e0bac1f99be118dbc1e291028fc73d0a0ea6559ae1dcf7477d64742c9bef88ef04b2ee4d392cf1efa23d8b05d11d2414e64f4540623e11bbf57fb8ae219331db0df459a9849f2700e6fa7ff4edb0fc01764949e279e84374e7a57fb5ee6221b2b72dbcf2ab9c988fe07d21e169b4338887129ac503cc6c0912787778d51b4b921cf7bb17d4028b7faf6c21dd616a1ac3b50d595ae0e3662e7faa16b9dec7694462c7fb8539ece0af33cc5a3dc33641b8827bf4751a708d7bf286cf2e795b8f45b76e1109abd908d0388d6ab8ecea67b187aabd80349e4bd286e3b6eeb3535cc9c343a39fe90cb443906b19d2483b4c93d0e35cd68d9f5523d5400a2b1708ba3361bd0757ed69b1da8845594edf053995b2d96bed8210aaab25fc34b2dd58004ce800360f24861e5912ac339ed0a78548e303e728a41e05c11d79013e3971eafa8034e63ecf1c842f0d9e735ff3b5badfd63ae07f051c94a9a867260b517e5c2c75e88e03d069bd39816a2255c90de81bb79622145b7469853a02eac45289fd9f9f40e2fccdd8ddb740469331f61badc1b7f6e0145dfe30141ad2f26ac8d7ff5125dc4dff1fec57629cea4f7de4401fc056e9a38ea028ac9c666ccd3f527947672408a759a5791d9efdeb1ff25392413728a03d4c641f4ce1542b6952e7595f1eecf1060000000671b0912d734442146e128d0029101ad34a6d2d586640235c828d427dfaffdb156771f06926678fa50aa7167684c1de108944b2c4a3358f5e926368009e4500a8d4d501124bc25a4c9b1cfb954503f4ae26c92221e39c680843ae55cfca972e139c82e2e4469a703a1866fa0e6d76636591f4ad07f7d1eaa19077660ad46a6f9d534970e6a49e24621b7c7c283253dd22fb24eb7819fab84bab88e42555d5437d5afe06615a7e0d103cc8595616690f1337f4345cf418724f07d0dc4d2c0899b691691f397202204ef34342b5725dc6adfe549ab0b887572ad38113c407f96fcdfeea0ffc4f333addfec296169e53e3c5b24797a20f3b2f043f5e96920de9927da466f09389d3e52a5665f380f68666a019c201e710ab4c168d5ac952a02d5909a6fcaf498a33e2124e6a828203744ee3fe70465adde0cfbccc1b4634541638ab":"0000000600000004e18760ef2c86192aee88579e376f35cd153419d622803a483e79f6d368629308a8ab6ff663c4f108b2033af290dcedfa":0
+
+LMS hash-sigs interop test #2
+# This test uses data from https://github.com/cisco/hash-sigs due to the
+# limited amount of available test vectors for LMS. The private key is stored in
+# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv and
+# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux. Note that this
+# signature uses leaf key 1, so must be the second signature generated by the key
+# if the signature is to be reproduced. Message data is random. Note that
+# hash-sigs stores public keys and signatures in HSS form, which appends a
+# 4-byte "levels" word at the start of the key/sig. We strip these 4 bytes from
+# the signature and the public key before including them in a the test data.
+#
+# To produce another signature with this message and key (note that the actual
+# signature bytes will differ due to randomization):
+# * <download and build hash-sigs>
+# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
+# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux tmp/lms.aux
+# * <Save message in binary format>
+# * <hash-sigs>/demo sign tmp/lms message.bin (incorrect signature using leaf node 0)
+# * rm message.bin.sig
+# * <hash-sigs>/demo sign tmp/lms message.bin (correct signature using leaf node 1)
+# * cat message.bin.sig | xxd
+#
+# To validate the signature:
+# * Save message and signature in binary format
+# * echo -n -e "\0\0\0\0" > message.bin.sig; cat sig.bin >> message.bin.sig (restore the
+# HSS levels)
+# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub
+# * <hash-sigs/demo> verify tmp/lms message.bin
+lms_verify_test:"0705ba8297c7b9fa5f08e37825ad24a0":"00000001000000040a432454b99750f7b703f0280f92818b0570d0267a423b377be7cf0561305d4ce987b9d8dbc1c3f8ba410bbe6b921406eb802688d2dd8a1a6fa4a124cbcae9b5a210f583a956384c06311953b038b4ad2c2808224fc3a6410cd3b89274371956bcd4253a251cba6409b09c822e1d29d7a037648a6f2562d0df6359a043622f256f5ac79736c08fc4185758ff002a8397e560d5812373946348afba2ccf2cc0f3ba741ec076d4587a54b8b625804b814c30540152a3dc843a590c94cc23ba857e4c458c8ab687b5b9b68837ee890454cc19bb5f42a1e6dc051803fab50b440067a903013f675a774b5d02cd56289518d65f869f22b2e2b58d499e9e3929ec5a9f5d6d6e03cf91486094aba7c88491cde35b81c175c40410bc402d20f0a73a4da844d3a1d47e57618b7f18fa5ac85e877b5faa1e0b6733c2d96b2970fdd6e606435e3ec50eafa88f84fb7512217aa4be5858a140f242603bda634d76c484a184298c4da903094468d032b88586fd2f35182405cd85115af6a0bbd431f2e44217a1691dd8887db91d3b97264ff552ae7dc110a3a111f2bf74ce42079055dfb8390a16d67f28b738f837aa7880f3134deabcf6ec74cdb521bff44df61c999bf7a8ddc43b64812cd4f3bfb15104867d5e585d1cbf99738e0df92660b3e9135a4377d1199b8b97362fc87ce3c99db3b8aba63ba35eb353e5ec79bcee82b9ccc1b4f7d1b8ce7e5f8813d007be3d0e45cb8e7173337a5a7c4d32ea5116e0fdbd7846ea1f366a531449c78cd7a16ce5bffcd6cccf54b7f249a74e0df6b07f6b48db42eb958ff18b06995368af0cadd82f44cf44e4b53f0993de5f06b289bee41cd25f90a9fbd1bfb1ab2451c96b07adcfb5210d291dd505ea30e5d30395c8d84eabccdd2c7d6f28a88f5e5d245a6980c57810cfe17c9a37ef5e79b7b9ca755d56a789d21985372bed42ae2830d81ebf0fad6c721bd1d3ee91ae363f40d386aac23e7c0db965539ce9bff38f0f24bec3227b5a24f4cd7fa71ca9d306faa3fc4726cdb6634f218897b79a4aed67a58799285104eed74703ec4af6d5738b27b4d6fb71e52c1149069483a7cca6c3fccbdff77312ff5c635d8b0ccd53dbaf7b498727f7c7a70d3fd1c3f217e2cbd0dfe91258acb7f79f53f56012a82da997ea777b76dac0472e5f9830a93fb09703b1c0e45cbfbf641de94fcc6c609f02a5b31ad5821ba6cd48829fc5e0c4ad78e11e4cac8efbb1b170c794b7b131b0c1c4e39fdef81db9e7acced5ec824aed0c4e6b57fd1add4191e87be1446c7c519eb671205ce8c5855ad7a2b9ff7a9cd5c45336f508d0f8d2c1152dc2656650bdaf8fced642f3a4d445b5fc49910bdbdc9635de0086ee9582a796ca9f6052de805f41dfbd3e94982a05cbd36bab583dd5b1586ddbb3b1a45f1a265bec062c1a50d220870c0c622d852e650a67f31e8eb3d19e964de0926712b7f429ad05024b8db51eb6702c39580f62f037388862251bf66f02edee9615a63957eab75b28501f9f26cecd09a5c949127c9a3095036667fce8e45ba75568d5160fa1725a9e0038145d948f437640dc4441000000066e8db13a9e79d10a4e067aad448a1847b5489a62cde3054ee1e5ff2e37549d516771f06926678fa50aa7167684c1de108944b2c4a3358f5e926368009e4500a8d4d501124bc25a4c9b1cfb954503f4ae26c92221e39c680843ae55cfca972e139c82e2e4469a703a1866fa0e6d76636591f4ad07f7d1eaa19077660ad46a6f9d534970e6a49e24621b7c7c283253dd22fb24eb7819fab84bab88e42555d5437d5afe06615a7e0d103cc8595616690f1337f4345cf418724f07d0dc4d2c0899b691691f397202204ef34342b5725dc6adfe549ab0b887572ad38113c407f96fcdfeea0ffc4f333addfec296169e53e3c5b24797a20f3b2f043f5e96920de9927da466f09389d3e52a5665f380f68666a019c201e710ab4c168d5ac952a02d5909a6fcaf498a33e2124e6a828203744ee3fe70465adde0cfbccc1b4634541638ab":"0000000600000004e18760ef2c86192aee88579e376f35cd153419d622803a483e79f6d368629308a8ab6ff663c4f108b2033af290dcedfa":0
+
+LMS hsslms interop test #1
+# This test uses data from https://github.com/pmvr/python-hsslms due to the
+# limited amount of available test vectors for LMS. The private key is stored in
+# data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
+#
+# To produce another signature with this message and key (note that the actual
+# signature bytes will differ due to randomization):
+# pip3 install --user hsslms==0.1.2
+#
+# from hsslms import LMS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE
+# import pickle
+#
+# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
+# private_key = pickle.load(private_key_file)
+#
+# public_key = private_key.gen_pub()
+#
+# message = bytes.fromhex('60da1a17c88c59da8a730e6ca8effd37')
+# sig = private_key.sign(message)
+#
+# print('lms_verify_test:"{}":"{}":"{}":0'.format(message.hex(), sig.hex(), public_key.get_pubkey().hex()))
+lms_verify_test:"60da1a17c88c59da8a730e6ca8effd37":"00000000000000041394a893e40be29923751880ca3cd10b5a67c2356c87c240e0733c3a3781b421f89dcedd553f5c1c0fdf4e53e4e484766860bf77e6a1e5911c9a389390f7d62accb581ddd4d6479c88a9ba3c20235805bb544db1da6667c5bd6caec6a5cc0afb02ebb35c1db7aac5d16446d4f8fc3518ed44ceb4eab20974627ccea5b1571a292bb2fa08ccb284957605083bfba07a33f233c66187bebd4523d095e21546be84ba56ed61768b9210fc754c78ca2d6a788e1558533d5407c45b04a0bbe6a20d0660efec80e1e468874d81c98d81acc87981c236b68695fbaf70d188617fdb86a5840c835687249f688434159035778260026d536570f24a422d5255d2572603fdf631668074dce5fc469710aa99a1f21280708e73bcd4e50492d2ff1dbaea1058974fbe9bc393a4f837987faf0175b814ebafa02095bffee2518a6fbb3555de9b3ff0c87c0c7b2c61ce3ef25e70e1a2ff5aa6dc7dfb3533e53192bc68807727b76c8752bdaa2c8d0c66e6bd94ff4df2f9fcb5609cf9bd04635743340736b84a98c3769bef074c081ebdd0fd17e853165dfa4764b23c63dd8a4a8c10b58a790ab92f81a32973f0f60d9f33d801a2c476190a7f8521a998220d8f838c3932da4dab89f62e028973b1891aa0954faf3da6174ea445c0e6ec27a58bb74000253fd3d76909298d44b3beaea58f130102cba5d928afcec92991f9483294f0fb52c16df4e98c0839e058d064921582b144602306d0a1ff623bbc1b1de106045384cb0f20db3198d99b266f83cb7c4585786477cb38b140f7cc48fecb9c5c272df2881750af48da8ace04e1b109de3a295c91373c55e8dd36cdf455c17a0b9c27cbbaa80a7571cf5d5074c384948a7e006ea6346e2e8fd1082f0d7a498c6445ed2da31014f4476e41e1367cffac8ac93b7a59bab5e23dcc9130f8e3264b2920e503246e11fbb15b599e58350cdd60e3a370c7cb0a81e73fa17eb2f12702ff3c1cb6a75d7718687d545cf9d00d4bb277905291ee86f1dfc045d9c59d6aca2faa90d2654dffc652fe89c4b37048f8c46a6410aff4e46c281c1d4b2f6ea1408d0615bac721ece31a9a69c70f3b860d730996ad735eeb376022c4828135466101cdfb2c88cf02864c40bf5c5aa63e44d58c8f28933d8d3c53883a95f4109a185b7fe6eb1d87d76823e63bf9d72d96b60d2cdcf942ca06d4f278711eb1eaadf11e9bffc7af361ae0c0fa23ba2bbc2f673a05c1ee3f3ccb3bfab4dffc4b9c234b0b9c34fd1b5f0d01c4e10cfd0800f90ade702dff2c893f098de1637de094fd959440009ccb34dff6cab72fe80e839e6e89551274e6cf6e862532f524c804259a0c8e4622c106df6431dbac870cac64f7099674c8050f5149326d961af7486e8229f5b5eba743ef78dc56b4f3acb1ed5029fba223223a5e835abd61409316a68c899abe85c0514642dff696da0be97416d774fa7f5dcc3aa2c8469b47516f7b27cbbc66faa4e62b6a3201f7976ea20b89ef349a497967c093e3431df9d619a11ed2cd930324438f4cc9d11654e0c9d229d6bd239487598a3482f63294e9e85c29a576b1c86d0884000000064c6b6388b7436123dac99e0ec7fe53b075e2ba9844505ce1eb3c7f70332c6ac543dcda2e63b26f5efa39ced6095a54625e67ab25d3df068e903eaaee894ac0f1fdeb4a2f1390f655db3608583eacfb0be4282f7bd1c42c5d748d524d7cdcd45878dea56cbc11a63bebbd74a5413ce72a931b1d4794c78c4cf16315bf2e055bb3305fe0272c8b916856cc27aa7a773ddce62afa7bb4da76c287e0ed3ed10452512de82c051f17b49c608b1a259e16a3812c0de684f2cb1ee59296c375376f146e2b0cc299ef41ed8e6fdf0557ec8d95fa026970f8d47c8347fed1e37e018413c5e813d1726ea18bc926ed02840349ab3b2adc8758a9cd57be38e9e76869762a81bb79721ca1c031c9dfdc3735fe9318064b62c2a7e8e2ec099963257b0705aac812dbc8cc3fbeea81af7c0d592c7e2ad1c21e877d4ae392b13ac1b57a8311d406":"000000060000000447cc5b29dd0cecd01c382434a6d16864d51b60cdb2a9eed2419015d8524c717ce38a865d7a37da6c84f94621ad595f5d":0
+
+LMS hsslms interop test #2
+# This test uses data from https://github.com/pmvr/python-hsslms due to the
+# limited amount of available test vectors for LMS. The private key is stored in
+# data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
+#
+# To produce another signature with this message and key (note that the actual
+# signature bytes will differ due to randomization):
+# pip3 install --user hsslms==0.1.2
+#
+# from hsslms import LMS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE
+# import pickle
+#
+# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
+# private_key = pickle.load(private_key_file)
+#
+# public_key = private_key.gen_pub()
+#
+# message = bytes.fromhex('60da1a17c88c59da8a730e6ca8effd37')
+# sig = private_key.sign(message)
+#
+# message = bytes.fromhex('92d036bde8c45b8bb5dea2a072560b1e29fc4bb7dc4549ce90bccee8a6e962a1')
+# sig = private_key.sign(message)
+#
+# print('lms_verify_test:"{}":"{}":"{}":0'.format(message.hex(), sig.hex(), public_key.get_pubkey().hex()))
+lms_verify_test:"92d036bde8c45b8bb5dea2a072560b1e29fc4bb7dc4549ce90bccee8a6e962a1":"00000001000000042e758f2a0e8f301af58847b6973a15fe4856b91af88a1ff601e2f0e87bde33afbc39202a66e38931fbecd7d493cf957b37eeb57ed2e4d8f693b97adafa8241746d775cfb9471688d935e090581eb8586e7004d6b8855963d82ccb6f79df2d93dd35848556da6735def0f0c6c8fc969c1df692341f6a99626eff37d20226cef361c8802a995fa43535fe2336d8ae468c78eb6a7082e27c2c6317c034369b588e3d65a2eeac9804b427702dc49f681a841076813ed407399aa778259e7c34c750baa6d296a384e1274facaba9e2214d197628f5df7b2bf3896fedeab377b8edb775d6e8d67f1474ba3066794447f8f8e0c13552a007557a1f1c3b9bd2b41d9b446c6bcf36c828fd4c80850a31ee603065f5cc90d198df03835195b14e27da7bf727a16081fcc787f1dc7fa6da8b9ff908fb2c02d6f2a183486de0e39cd7da7fcdee0c8e96876c56ad9b0b18e4e4999e2c81a618aa4b27e050ce488dbb1e79089131afacc446cdf15b625f4e011f8d8160bb93f326bca3bb56fa41e34893d55f17d746fc142297997c5dbbba8f6b6c80678168ba455f12bac6982e5192de5462a46e14a45a01ce9e07279aa301dfd0fa9a12c6a55059b19a19d7afbe99779ea130ddeeb5ecb67d2ddb6c1c5d198e421b78091efa5aa429e1eb052760c0d8e2eb0c0ced000e93f7f265611a385f77c0cece0496eb29010f710e70a768d3713f0b7fc60c8ce372dc3234f27c7a1c2776a939ef70c7be869337b967df2223d4f20dca697e3bb6d0e53bbad153ff08d579f60c8535710f253b90e73ee9a19e1e57df66ec6c85ad1b4cea28a9d62fc5a4cf130f70b910dbc7e6f0e6b0cce1a1b5ff106b7f0b101405c0989084b2c94977116b98d15d6062a8d77d660aa813d432cf3338484308b7beed10236081f52da44eb807f9a75fd4cc1ba998ef3fc2e4791712597c786dd46431468bb4a1975a6cd854a1da23912fc99160f51df484efc9371c2d8e028d9468635cf93226f5a8834d14cead59e5d2a61dd6440d7b91c903ae8823907b75595c4828c7710036b347dcfb67f8561e835a53f569c8b3a1cd4317b2a6b2243100ee3d9468f9191acf2276d18dde9ebf2e11a48ba1fc1a15dc51091d3358d8d1f65ec7d84b97bb1669a9141f74065454f08e5ef25432b7635b8ec673ca70e4b3c25d07975a6fb725a56f28c1b5a81a6da2fe0a2c3474275926f9819a25b942462a68097e1cf6d9ae94f6b1f76b54addaeda04f9fc8db025fd6c453e1ad928f9323bf1381fce1893938828612728185d22a3d45d21ce762c066ab53a582c487d76d431e5b8f65a382142dd823d4620931e5572a4e6aee69986421afa119634bc8ea88aa6535c4d619ca0e0af94934637bc0c834e5e2a7a2853fa73835d00e13e5f26ad085ef66c8efb60097860cb199e03596a3b8f0ec78690d527bbc9363dd9702226788b1529871df74918ae2a4e02745043bd5ee8ab027826fb4cd54b0c27d99076757a1b41e2725ec02adc7926e8213796a8aa1740a2dc675437771e0364a83b0bd64c9620f6c203d92626ff29ef736eac0e13c71fd1957333ee0048000000061f7b7d6f916710efe9ed625ae689c67b3cc1cdf0d672e58c0b86b3839bbba2c243dcda2e63b26f5efa39ced6095a54625e67ab25d3df068e903eaaee894ac0f1fdeb4a2f1390f655db3608583eacfb0be4282f7bd1c42c5d748d524d7cdcd45878dea56cbc11a63bebbd74a5413ce72a931b1d4794c78c4cf16315bf2e055bb3305fe0272c8b916856cc27aa7a773ddce62afa7bb4da76c287e0ed3ed10452512de82c051f17b49c608b1a259e16a3812c0de684f2cb1ee59296c375376f146e2b0cc299ef41ed8e6fdf0557ec8d95fa026970f8d47c8347fed1e37e018413c5e813d1726ea18bc926ed02840349ab3b2adc8758a9cd57be38e9e76869762a81bb79721ca1c031c9dfdc3735fe9318064b62c2a7e8e2ec099963257b0705aac812dbc8cc3fbeea81af7c0d592c7e2ad1c21e877d4ae392b13ac1b57a8311d406":"000000060000000447cc5b29dd0cecd01c382434a6d16864d51b60cdb2a9eed2419015d8524c717ce38a865d7a37da6c84f94621ad595f5d":0
+
+LMS negative test (invalid lms type) #1
+# This test uses the data from hash-sigs interop test #1. This test has a valid
+# LMOTS type (0x4) but an invalid LMS type (0x5), and should fail.
+lms_verify_test:"bfff9cd687351db88a98c71fd2f9b927a0ee600130a112533b791041d30cb91665fc369a5ac7cc9a04547414ac45288081d19d4a600579c73ac4bc953de03ad6":"0000000000000004e474c96c496b231ecedcd92566ab3e1cdfac83f7e56abaae6571401e212e59bdbcc18105e0709249510d13d7ae1091558c217033316ac70a36aae764bd0f4032e369453c634b81061079d216d03d3c55976a1aabc00287b307297ae03587ba20839460daae85d26dfcef7638c10a1d8559612e5e9ced1a4205a52ca0ce88e58602e59cf9ab34adf2e958e56570573297b99f733fbbf58d2440526fd4dc15c5509e8a11405f6c08772abcf58731fbf9a73642670e3247c5f70905f0fa81f6174bf32977209923507525a170fcd260e81f04193583fbcd305ac245c80eb337ca326fd1105e73748fab8a1f0c8d8a99f011718e7aae027a34d2a85ff18769fa277810126a86b51b096a04d8e28a4fb8c5e14e50a67cb1ee88e43e5cc077902442f5d9c55ac2b8acdd76c67bc740c6083aba4e3cb404c23f1f3118337563fef6a4b01fb476810c5b5682d0aecdccd55c85a4af50e9150f7d83dcccd8e822a302e6e5a52e00505e6e65338dcfb9cfbe22594e9e18ebde36af29450c5ea31523019cf64fd6eca8c77d98c2a146dcedd51bf6c61c1f7cacbce3ab20c8606930cc42737e17f2703cf0980aef560768d1ac5585c05a60a5f94db15f5ac4d4df5cbd81430878d4e9b77346e3a6538b80b80873e3e6c37860470091979296631440adb8cc71991aba2a4dd2884764878306fe774a25512cfbf080f2829ea2903ffa748dd187c21aef918ee3436a1bd336c3d09cc1f748d7528db90a98f69078b82c4d23de7bcec092a292d2b8cac71a5c87d008f128b89a5e608a4501aef41e9f17e4056ed4767957188f780159daebf327751386980b0fca5a2d36b141acff957f46ce2381897099619475db9d3a613e7ef98b056f42b4d6eafb1d62eebbe46a7502f893fbd36ccfb12a280f45ffb93f050eb280bf0a6cd640abdea8590bffb98bdb29ee3a31daa0fa3ab35fee11dc1b7d1fcea82b0e284b2e35b34e77c3f401ed887e7fc6c97b327f76f99caca2f355afa2753a8923bfb06fb2a9df08d31c93882e34ef5a3cccc9d078855334bdf909ae418b177724c42fb1d586d212c4474932acce295236030f4379158957300fe9fdc5cc9145e3ded50cf9f5a8e19321961536c4a47fffc3eb4383fb78a5d2aeed5b45b92132b5e2a53e3b67841fa2e1bd217ee2c30812c4eb1bd4f8c85b328e23d27f12a2fad5c6b236c87f8fd1aad441416e53ebd4d45d4bf601b94eb37dc9a065218ae58e69dba1250bb20626baeda961b3ef11d217697e73f41fa3870d726a032bc4a388fb12c023822945df058e22f54e5f6377eab34297c57883515204fc189d0d4b0ad9bacb24acf7f9d55e7c6368bb8ababd7622f586ec22683306c5d88d5244219a3952adbd85c89893a441a58b532e15600cd5afdbb5b441e1670b72656c7995189bdf993154e09912db8c4ddaff0e75591720230cf99c8b71cd841dffc4372c5e0f9ff906a379d28d6884351609bf7c849ebfabfb049ae986bbb8467251dbf5ccdd05a86ff6ce1392f7ca1bd49595ad9ad805d71b389afab1865f7f69dc24662af19934f025ced212536509500c132aec000000058b991bed50319a6cb9ff040b92f1563889b3787c37145fc9737d4643f66ade33ebd85a2c29b8c64a581cff01b89d59807d6fade2d2c88872f77d0ed83d97c4b5438681d0b95feb973125e4ee70ebe11699290b831e86571e36513a71f159d48ce563f6814cc2a89851d2520c5275b34cc83614cab14c0d197166580d800ee6b9004b8fd72daac8d73c36c1623c37be93ba49a06c4efde238a3a10a05daba5d4942f7de52648af2be31f33e723b3605346282f5d5e356c5d0004eea40fe0b80abf658f6c96c56319ab53d7fefb5879e0136d1cf320973a2f47c1ee3d21554910f09d17afac4607657c4309890957a4954bf86e2a8491ba37dd88b2c3fe3c7edebd767c400bc23e40d165b27133c726b90bc26cbb2a86a6aa400c47aa7ffc538388de8490b9349afa53b814ffe2a56ff16a496e9648284193754f989f6f12aeb6e":"0000000600000004d96bb26744d99ef624e32161c36d3d6efcdd0484e2b17a6dd183125be4b1af1cda931a91a3acb1151877c174f7943fd9":MBEDTLS_ERR_LMS_VERIFY_FAILED
+
+LMS negative test (invalid lms type) #2
+# This test uses the data from hash-sigs interop test #1. This test has a valid
+# LMOTS type (0x4) but an invalid LMS type (0x7), and should fail.
+lms_verify_test:"bfff9cd687351db88a98c71fd2f9b927a0ee600130a112533b791041d30cb91665fc369a5ac7cc9a04547414ac45288081d19d4a600579c73ac4bc953de03ad6":"0000000000000004e474c96c496b231ecedcd92566ab3e1cdfac83f7e56abaae6571401e212e59bdbcc18105e0709249510d13d7ae1091558c217033316ac70a36aae764bd0f4032e369453c634b81061079d216d03d3c55976a1aabc00287b307297ae03587ba20839460daae85d26dfcef7638c10a1d8559612e5e9ced1a4205a52ca0ce88e58602e59cf9ab34adf2e958e56570573297b99f733fbbf58d2440526fd4dc15c5509e8a11405f6c08772abcf58731fbf9a73642670e3247c5f70905f0fa81f6174bf32977209923507525a170fcd260e81f04193583fbcd305ac245c80eb337ca326fd1105e73748fab8a1f0c8d8a99f011718e7aae027a34d2a85ff18769fa277810126a86b51b096a04d8e28a4fb8c5e14e50a67cb1ee88e43e5cc077902442f5d9c55ac2b8acdd76c67bc740c6083aba4e3cb404c23f1f3118337563fef6a4b01fb476810c5b5682d0aecdccd55c85a4af50e9150f7d83dcccd8e822a302e6e5a52e00505e6e65338dcfb9cfbe22594e9e18ebde36af29450c5ea31523019cf64fd6eca8c77d98c2a146dcedd51bf6c61c1f7cacbce3ab20c8606930cc42737e17f2703cf0980aef560768d1ac5585c05a60a5f94db15f5ac4d4df5cbd81430878d4e9b77346e3a6538b80b80873e3e6c37860470091979296631440adb8cc71991aba2a4dd2884764878306fe774a25512cfbf080f2829ea2903ffa748dd187c21aef918ee3436a1bd336c3d09cc1f748d7528db90a98f69078b82c4d23de7bcec092a292d2b8cac71a5c87d008f128b89a5e608a4501aef41e9f17e4056ed4767957188f780159daebf327751386980b0fca5a2d36b141acff957f46ce2381897099619475db9d3a613e7ef98b056f42b4d6eafb1d62eebbe46a7502f893fbd36ccfb12a280f45ffb93f050eb280bf0a6cd640abdea8590bffb98bdb29ee3a31daa0fa3ab35fee11dc1b7d1fcea82b0e284b2e35b34e77c3f401ed887e7fc6c97b327f76f99caca2f355afa2753a8923bfb06fb2a9df08d31c93882e34ef5a3cccc9d078855334bdf909ae418b177724c42fb1d586d212c4474932acce295236030f4379158957300fe9fdc5cc9145e3ded50cf9f5a8e19321961536c4a47fffc3eb4383fb78a5d2aeed5b45b92132b5e2a53e3b67841fa2e1bd217ee2c30812c4eb1bd4f8c85b328e23d27f12a2fad5c6b236c87f8fd1aad441416e53ebd4d45d4bf601b94eb37dc9a065218ae58e69dba1250bb20626baeda961b3ef11d217697e73f41fa3870d726a032bc4a388fb12c023822945df058e22f54e5f6377eab34297c57883515204fc189d0d4b0ad9bacb24acf7f9d55e7c6368bb8ababd7622f586ec22683306c5d88d5244219a3952adbd85c89893a441a58b532e15600cd5afdbb5b441e1670b72656c7995189bdf993154e09912db8c4ddaff0e75591720230cf99c8b71cd841dffc4372c5e0f9ff906a379d28d6884351609bf7c849ebfabfb049ae986bbb8467251dbf5ccdd05a86ff6ce1392f7ca1bd49595ad9ad805d71b389afab1865f7f69dc24662af19934f025ced212536509500c132aec000000078b991bed50319a6cb9ff040b92f1563889b3787c37145fc9737d4643f66ade33ebd85a2c29b8c64a581cff01b89d59807d6fade2d2c88872f77d0ed83d97c4b5438681d0b95feb973125e4ee70ebe11699290b831e86571e36513a71f159d48ce563f6814cc2a89851d2520c5275b34cc83614cab14c0d197166580d800ee6b9004b8fd72daac8d73c36c1623c37be93ba49a06c4efde238a3a10a05daba5d4942f7de52648af2be31f33e723b3605346282f5d5e356c5d0004eea40fe0b80abf658f6c96c56319ab53d7fefb5879e0136d1cf320973a2f47c1ee3d21554910f09d17afac4607657c4309890957a4954bf86e2a8491ba37dd88b2c3fe3c7edebd767c400bc23e40d165b27133c726b90bc26cbb2a86a6aa400c47aa7ffc538388de8490b9349afa53b814ffe2a56ff16a496e9648284193754f989f6f12aeb6e":"0000000600000004d96bb26744d99ef624e32161c36d3d6efcdd0484e2b17a6dd183125be4b1af1cda931a91a3acb1151877c174f7943fd9":MBEDTLS_ERR_LMS_VERIFY_FAILED
+
+LMS negative test (invalid lm_ots type) #1
+# This test uses the data from hash-sigs interop test #1. This test has an
+# invalid LMOTS type (0x3) but a valid LMS type (0x6), and should fail.
+lms_verify_test:"bfff9cd687351db88a98c71fd2f9b927a0ee600130a112533b791041d30cb91665fc369a5ac7cc9a04547414ac45288081d19d4a600579c73ac4bc953de03ad6":"0000000000000003e474c96c496b231ecedcd92566ab3e1cdfac83f7e56abaae6571401e212e59bdbcc18105e0709249510d13d7ae1091558c217033316ac70a36aae764bd0f4032e369453c634b81061079d216d03d3c55976a1aabc00287b307297ae03587ba20839460daae85d26dfcef7638c10a1d8559612e5e9ced1a4205a52ca0ce88e58602e59cf9ab34adf2e958e56570573297b99f733fbbf58d2440526fd4dc15c5509e8a11405f6c08772abcf58731fbf9a73642670e3247c5f70905f0fa81f6174bf32977209923507525a170fcd260e81f04193583fbcd305ac245c80eb337ca326fd1105e73748fab8a1f0c8d8a99f011718e7aae027a34d2a85ff18769fa277810126a86b51b096a04d8e28a4fb8c5e14e50a67cb1ee88e43e5cc077902442f5d9c55ac2b8acdd76c67bc740c6083aba4e3cb404c23f1f3118337563fef6a4b01fb476810c5b5682d0aecdccd55c85a4af50e9150f7d83dcccd8e822a302e6e5a52e00505e6e65338dcfb9cfbe22594e9e18ebde36af29450c5ea31523019cf64fd6eca8c77d98c2a146dcedd51bf6c61c1f7cacbce3ab20c8606930cc42737e17f2703cf0980aef560768d1ac5585c05a60a5f94db15f5ac4d4df5cbd81430878d4e9b77346e3a6538b80b80873e3e6c37860470091979296631440adb8cc71991aba2a4dd2884764878306fe774a25512cfbf080f2829ea2903ffa748dd187c21aef918ee3436a1bd336c3d09cc1f748d7528db90a98f69078b82c4d23de7bcec092a292d2b8cac71a5c87d008f128b89a5e608a4501aef41e9f17e4056ed4767957188f780159daebf327751386980b0fca5a2d36b141acff957f46ce2381897099619475db9d3a613e7ef98b056f42b4d6eafb1d62eebbe46a7502f893fbd36ccfb12a280f45ffb93f050eb280bf0a6cd640abdea8590bffb98bdb29ee3a31daa0fa3ab35fee11dc1b7d1fcea82b0e284b2e35b34e77c3f401ed887e7fc6c97b327f76f99caca2f355afa2753a8923bfb06fb2a9df08d31c93882e34ef5a3cccc9d078855334bdf909ae418b177724c42fb1d586d212c4474932acce295236030f4379158957300fe9fdc5cc9145e3ded50cf9f5a8e19321961536c4a47fffc3eb4383fb78a5d2aeed5b45b92132b5e2a53e3b67841fa2e1bd217ee2c30812c4eb1bd4f8c85b328e23d27f12a2fad5c6b236c87f8fd1aad441416e53ebd4d45d4bf601b94eb37dc9a065218ae58e69dba1250bb20626baeda961b3ef11d217697e73f41fa3870d726a032bc4a388fb12c023822945df058e22f54e5f6377eab34297c57883515204fc189d0d4b0ad9bacb24acf7f9d55e7c6368bb8ababd7622f586ec22683306c5d88d5244219a3952adbd85c89893a441a58b532e15600cd5afdbb5b441e1670b72656c7995189bdf993154e09912db8c4ddaff0e75591720230cf99c8b71cd841dffc4372c5e0f9ff906a379d28d6884351609bf7c849ebfabfb049ae986bbb8467251dbf5ccdd05a86ff6ce1392f7ca1bd49595ad9ad805d71b389afab1865f7f69dc24662af19934f025ced212536509500c132aec000000068b991bed50319a6cb9ff040b92f1563889b3787c37145fc9737d4643f66ade33ebd85a2c29b8c64a581cff01b89d59807d6fade2d2c88872f77d0ed83d97c4b5438681d0b95feb973125e4ee70ebe11699290b831e86571e36513a71f159d48ce563f6814cc2a89851d2520c5275b34cc83614cab14c0d197166580d800ee6b9004b8fd72daac8d73c36c1623c37be93ba49a06c4efde238a3a10a05daba5d4942f7de52648af2be31f33e723b3605346282f5d5e356c5d0004eea40fe0b80abf658f6c96c56319ab53d7fefb5879e0136d1cf320973a2f47c1ee3d21554910f09d17afac4607657c4309890957a4954bf86e2a8491ba37dd88b2c3fe3c7edebd767c400bc23e40d165b27133c726b90bc26cbb2a86a6aa400c47aa7ffc538388de8490b9349afa53b814ffe2a56ff16a496e9648284193754f989f6f12aeb6e":"0000000600000004d96bb26744d99ef624e32161c36d3d6efcdd0484e2b17a6dd183125be4b1af1cda931a91a3acb1151877c174f7943fd9":MBEDTLS_ERR_LMS_VERIFY_FAILED
+
+LMS negative test (invalid lm_ots type) #2
+# This test uses the data from hash-sigs interop test #1. This test has an
+# invalid LMOTS type (0x5) but a valid LMS type (0x6), and should fail.
+lms_verify_test:"bfff9cd687351db88a98c71fd2f9b927a0ee600130a112533b791041d30cb91665fc369a5ac7cc9a04547414ac45288081d19d4a600579c73ac4bc953de03ad6":"0000000000000005e474c96c496b231ecedcd92566ab3e1cdfac83f7e56abaae6571401e212e59bdbcc18105e0709249510d13d7ae1091558c217033316ac70a36aae764bd0f4032e369453c634b81061079d216d03d3c55976a1aabc00287b307297ae03587ba20839460daae85d26dfcef7638c10a1d8559612e5e9ced1a4205a52ca0ce88e58602e59cf9ab34adf2e958e56570573297b99f733fbbf58d2440526fd4dc15c5509e8a11405f6c08772abcf58731fbf9a73642670e3247c5f70905f0fa81f6174bf32977209923507525a170fcd260e81f04193583fbcd305ac245c80eb337ca326fd1105e73748fab8a1f0c8d8a99f011718e7aae027a34d2a85ff18769fa277810126a86b51b096a04d8e28a4fb8c5e14e50a67cb1ee88e43e5cc077902442f5d9c55ac2b8acdd76c67bc740c6083aba4e3cb404c23f1f3118337563fef6a4b01fb476810c5b5682d0aecdccd55c85a4af50e9150f7d83dcccd8e822a302e6e5a52e00505e6e65338dcfb9cfbe22594e9e18ebde36af29450c5ea31523019cf64fd6eca8c77d98c2a146dcedd51bf6c61c1f7cacbce3ab20c8606930cc42737e17f2703cf0980aef560768d1ac5585c05a60a5f94db15f5ac4d4df5cbd81430878d4e9b77346e3a6538b80b80873e3e6c37860470091979296631440adb8cc71991aba2a4dd2884764878306fe774a25512cfbf080f2829ea2903ffa748dd187c21aef918ee3436a1bd336c3d09cc1f748d7528db90a98f69078b82c4d23de7bcec092a292d2b8cac71a5c87d008f128b89a5e608a4501aef41e9f17e4056ed4767957188f780159daebf327751386980b0fca5a2d36b141acff957f46ce2381897099619475db9d3a613e7ef98b056f42b4d6eafb1d62eebbe46a7502f893fbd36ccfb12a280f45ffb93f050eb280bf0a6cd640abdea8590bffb98bdb29ee3a31daa0fa3ab35fee11dc1b7d1fcea82b0e284b2e35b34e77c3f401ed887e7fc6c97b327f76f99caca2f355afa2753a8923bfb06fb2a9df08d31c93882e34ef5a3cccc9d078855334bdf909ae418b177724c42fb1d586d212c4474932acce295236030f4379158957300fe9fdc5cc9145e3ded50cf9f5a8e19321961536c4a47fffc3eb4383fb78a5d2aeed5b45b92132b5e2a53e3b67841fa2e1bd217ee2c30812c4eb1bd4f8c85b328e23d27f12a2fad5c6b236c87f8fd1aad441416e53ebd4d45d4bf601b94eb37dc9a065218ae58e69dba1250bb20626baeda961b3ef11d217697e73f41fa3870d726a032bc4a388fb12c023822945df058e22f54e5f6377eab34297c57883515204fc189d0d4b0ad9bacb24acf7f9d55e7c6368bb8ababd7622f586ec22683306c5d88d5244219a3952adbd85c89893a441a58b532e15600cd5afdbb5b441e1670b72656c7995189bdf993154e09912db8c4ddaff0e75591720230cf99c8b71cd841dffc4372c5e0f9ff906a379d28d6884351609bf7c849ebfabfb049ae986bbb8467251dbf5ccdd05a86ff6ce1392f7ca1bd49595ad9ad805d71b389afab1865f7f69dc24662af19934f025ced212536509500c132aec000000068b991bed50319a6cb9ff040b92f1563889b3787c37145fc9737d4643f66ade33ebd85a2c29b8c64a581cff01b89d59807d6fade2d2c88872f77d0ed83d97c4b5438681d0b95feb973125e4ee70ebe11699290b831e86571e36513a71f159d48ce563f6814cc2a89851d2520c5275b34cc83614cab14c0d197166580d800ee6b9004b8fd72daac8d73c36c1623c37be93ba49a06c4efde238a3a10a05daba5d4942f7de52648af2be31f33e723b3605346282f5d5e356c5d0004eea40fe0b80abf658f6c96c56319ab53d7fefb5879e0136d1cf320973a2f47c1ee3d21554910f09d17afac4607657c4309890957a4954bf86e2a8491ba37dd88b2c3fe3c7edebd767c400bc23e40d165b27133c726b90bc26cbb2a86a6aa400c47aa7ffc538388de8490b9349afa53b814ffe2a56ff16a496e9648284193754f989f6f12aeb6e":"0000000600000004d96bb26744d99ef624e32161c36d3d6efcdd0484e2b17a6dd183125be4b1af1cda931a91a3acb1151877c174f7943fd9":MBEDTLS_ERR_LMS_VERIFY_FAILED
+
+LMS negative test (invalid leaf ID)
+# This test uses the data from hash-sigs interop test #1. In this case,
+# the leaf ID is 1024, which is invalid for MBEDTLS_LMS_SHA256_M32_H10. This
+# test should fail to verify the signature.
+lms_verify_test:"bfff9cd687351db88a98c71fd2f9b927a0ee600130a112533b791041d30cb91665fc369a5ac7cc9a04547414ac45288081d19d4a600579c73ac4bc953de03ad6":"0000040000000004e474c96c496b231ecedcd92566ab3e1cdfac83f7e56abaae6571401e212e59bdbcc18105e0709249510d13d7ae1091558c217033316ac70a36aae764bd0f4032e369453c634b81061079d216d03d3c55976a1aabc00287b307297ae03587ba20839460daae85d26dfcef7638c10a1d8559612e5e9ced1a4205a52ca0ce88e58602e59cf9ab34adf2e958e56570573297b99f733fbbf58d2440526fd4dc15c5509e8a11405f6c08772abcf58731fbf9a73642670e3247c5f70905f0fa81f6174bf32977209923507525a170fcd260e81f04193583fbcd305ac245c80eb337ca326fd1105e73748fab8a1f0c8d8a99f011718e7aae027a34d2a85ff18769fa277810126a86b51b096a04d8e28a4fb8c5e14e50a67cb1ee88e43e5cc077902442f5d9c55ac2b8acdd76c67bc740c6083aba4e3cb404c23f1f3118337563fef6a4b01fb476810c5b5682d0aecdccd55c85a4af50e9150f7d83dcccd8e822a302e6e5a52e00505e6e65338dcfb9cfbe22594e9e18ebde36af29450c5ea31523019cf64fd6eca8c77d98c2a146dcedd51bf6c61c1f7cacbce3ab20c8606930cc42737e17f2703cf0980aef560768d1ac5585c05a60a5f94db15f5ac4d4df5cbd81430878d4e9b77346e3a6538b80b80873e3e6c37860470091979296631440adb8cc71991aba2a4dd2884764878306fe774a25512cfbf080f2829ea2903ffa748dd187c21aef918ee3436a1bd336c3d09cc1f748d7528db90a98f69078b82c4d23de7bcec092a292d2b8cac71a5c87d008f128b89a5e608a4501aef41e9f17e4056ed4767957188f780159daebf327751386980b0fca5a2d36b141acff957f46ce2381897099619475db9d3a613e7ef98b056f42b4d6eafb1d62eebbe46a7502f893fbd36ccfb12a280f45ffb93f050eb280bf0a6cd640abdea8590bffb98bdb29ee3a31daa0fa3ab35fee11dc1b7d1fcea82b0e284b2e35b34e77c3f401ed887e7fc6c97b327f76f99caca2f355afa2753a8923bfb06fb2a9df08d31c93882e34ef5a3cccc9d078855334bdf909ae418b177724c42fb1d586d212c4474932acce295236030f4379158957300fe9fdc5cc9145e3ded50cf9f5a8e19321961536c4a47fffc3eb4383fb78a5d2aeed5b45b92132b5e2a53e3b67841fa2e1bd217ee2c30812c4eb1bd4f8c85b328e23d27f12a2fad5c6b236c87f8fd1aad441416e53ebd4d45d4bf601b94eb37dc9a065218ae58e69dba1250bb20626baeda961b3ef11d217697e73f41fa3870d726a032bc4a388fb12c023822945df058e22f54e5f6377eab34297c57883515204fc189d0d4b0ad9bacb24acf7f9d55e7c6368bb8ababd7622f586ec22683306c5d88d5244219a3952adbd85c89893a441a58b532e15600cd5afdbb5b441e1670b72656c7995189bdf993154e09912db8c4ddaff0e75591720230cf99c8b71cd841dffc4372c5e0f9ff906a379d28d6884351609bf7c849ebfabfb049ae986bbb8467251dbf5ccdd05a86ff6ce1392f7ca1bd49595ad9ad805d71b389afab1865f7f69dc24662af19934f025ced212536509500c132aec000000068b991bed50319a6cb9ff040b92f1563889b3787c37145fc9737d4643f66ade33ebd85a2c29b8c64a581cff01b89d59807d6fade2d2c88872f77d0ed83d97c4b5438681d0b95feb973125e4ee70ebe11699290b831e86571e36513a71f159d48ce563f6814cc2a89851d2520c5275b34cc83614cab14c0d197166580d800ee6b9004b8fd72daac8d73c36c1623c37be93ba49a06c4efde238a3a10a05daba5d4942f7de52648af2be31f33e723b3605346282f5d5e356c5d0004eea40fe0b80abf658f6c96c56319ab53d7fefb5879e0136d1cf320973a2f47c1ee3d21554910f09d17afac4607657c4309890957a4954bf86e2a8491ba37dd88b2c3fe3c7edebd767c400bc23e40d165b27133c726b90bc26cbb2a86a6aa400c47aa7ffc538388de8490b9349afa53b814ffe2a56ff16a496e9648284193754f989f6f12aeb6e":"0000000600000004d96bb26744d99ef624e32161c36d3d6efcdd0484e2b17a6dd183125be4b1af1cda931a91a3acb1151877c174f7943fd9":MBEDTLS_ERR_LMS_VERIFY_FAILED
+
+LMS import/export test
+# This test uses the key from hsslms interop test 1, imports it, exports it and
+# tests that it is the same. It also checks if the export correctly fail when
+# the buffer is too small.
+lms_import_export_test:"000000060000000447cc5b29dd0cecd01c382434a6d16864d51b60cdb2a9eed2419015d8524c717ce38a865d7a37da6c84f94621ad595f5d":0
+
+LMS key import too large key test
+# This test uses the valid public key for hsslms interop test 1, add an extra
+# byte, and then imports it. This should fail.
+lms_import_export_test:"000000060000000447cc5b29dd0cecd01c382434a6d16864d51b60cdb2a9eed2419015d8524c717ce38a865d7a37da6c84f94621ad595f5d00":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMS key import too small key test
+# This test uses the valid public key for hsslms interop test 1, removes a byte,
+# and then imports it. This should fail.
+lms_import_export_test:"000000060000000447cc5b29dd0cecd01c382434a6d16864d51b60cdb2a9eed2419015d8524c717ce38a865d7a37da6c84f94621ad595f":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMS key import no LMS type test
+# This test uses the valid public key for hsslms interop test 1, cuts it down so
+# it's smaller than the LMS type offset, and imports it. This should fail, and
+# not attempt to read invalidly outside the buffer.
+lms_import_export_test:"000000":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMS key import no LMOTS type test
+# This test uses the valid public key for hsslms interop test 1, cuts it down so
+# it's smaller than the LMOTS type offset, and imports it. This should fail, and
+# not attempt to read invalidly outside the buffer.
+lms_import_export_test:"00000006000000":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMS key import invalid LMS type test #1
+# This test uses the valid public key for hsslms interop test 1, alters the
+# LMS type to 0x5, and imports it. This should fail.
+lms_import_export_test:"000000050000000447cc5b29dd0cecd01c382434a6d16864d51b60cdb2a9eed2419015d8524c717ce38a865d7a37da6c84f94621ad595f5d":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMS key import invalid LMS type test #2
+# This test uses the valid public key for hsslms interop test 1, alters the
+# LMS type to 0x7, and imports it. This should fail, and not attempt to read
+# invalidly outside the buffer.
+lms_import_export_test:"000000070000000447cc5b29dd0cecd01c382434a6d16864d51b60cdb2a9eed2419015d8524c717ce38a865d7a37da6c84f94621ad595f5d":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMS key import invalid LMOTS type test #1
+# This test uses the valid public key for hsslms interop test 1, alters the
+# LMOTS type to 0x3, and imports it. This should fail.
+lms_import_export_test:"000000060000000347cc5b29dd0cecd01c382434a6d16864d51b60cdb2a9eed2419015d8524c717ce38a865d7a37da6c84f94621ad595f5d":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
+
+LMS key import invalid LMOTS type test #2
+# This test uses the valid public key for hsslms interop test 1, alters the
+# LMOTS type to 0x5, and imports it. This should fail, and not attempt to read
+# invalidly outside the buffer.
+lms_import_export_test:"000000060000000547cc5b29dd0cecd01c382434a6d16864d51b60cdb2a9eed2419015d8524c717ce38a865d7a37da6c84f94621ad595f5d":MBEDTLS_ERR_LMS_BAD_INPUT_DATA
diff --git a/tests/suites/test_suite_lms.function b/tests/suites/test_suite_lms.function
new file mode 100644
index 0000000..c5c8aa4
--- /dev/null
+++ b/tests/suites/test_suite_lms.function
@@ -0,0 +1,201 @@
+/* BEGIN_HEADER */
+#include "mbedtls/lms.h"
+
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_LMS_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:MBEDTLS_LMS_PRIVATE */
+void lms_sign_verify_test ( data_t *msg, data_t *seed )
+{
+ mbedtls_lms_public_t pub_ctx;
+ mbedtls_lms_private_t priv_ctx;
+ unsigned char sig[MBEDTLS_LMS_SIG_LEN(MBEDTLS_LMS_SHA256_M32_H10, MBEDTLS_LMOTS_SHA256_N32_W8)];
+
+ mbedtls_lms_public_init( &pub_ctx );
+ mbedtls_lms_private_init( &priv_ctx );
+
+ /* Allocation failure isn't a test failure, since it likely just means
+ * there's not enough memory to run the test.
+ */
+ TEST_EQUAL( mbedtls_lms_generate_private_key( &priv_ctx, MBEDTLS_LMS_SHA256_M32_H10,
+ MBEDTLS_LMOTS_SHA256_N32_W8,
+ mbedtls_test_rnd_std_rand, NULL,
+ seed->x, seed->len ), 0 );
+
+ TEST_EQUAL( mbedtls_lms_calculate_public_key( &pub_ctx, &priv_ctx ), 0 );
+
+ TEST_EQUAL( mbedtls_lms_sign( &priv_ctx, mbedtls_test_rnd_std_rand, NULL,
+ msg->x, msg->len, sig, sizeof( sig ),
+ NULL ), 0 );
+
+ TEST_EQUAL( mbedtls_lms_verify( &pub_ctx, msg->x, msg->len, sig,
+ sizeof( sig ) ), 0 );
+
+exit:
+ mbedtls_lms_public_free( &pub_ctx );
+ mbedtls_lms_private_free( &priv_ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_LMS_PRIVATE */
+void lms_sign_verify_null_msg_test( data_t *seed )
+{
+ mbedtls_lms_public_t pub_ctx;
+ mbedtls_lms_private_t priv_ctx;
+ unsigned char sig[MBEDTLS_LMS_SIG_LEN(MBEDTLS_LMS_SHA256_M32_H10, MBEDTLS_LMOTS_SHA256_N32_W8)];
+
+ mbedtls_lms_public_init( &pub_ctx );
+ mbedtls_lms_private_init( &priv_ctx );
+
+ /* Allocation failure isn't a test failure, since it likely just means
+ * there's not enough memory to run the test.
+ */
+ TEST_EQUAL( mbedtls_lms_generate_private_key( &priv_ctx, MBEDTLS_LMS_SHA256_M32_H10,
+ MBEDTLS_LMOTS_SHA256_N32_W8,
+ mbedtls_test_rnd_std_rand, NULL,
+ seed->x, seed->len ), 0 );
+
+ TEST_EQUAL( mbedtls_lms_calculate_public_key( &pub_ctx, &priv_ctx ), 0 );
+
+ TEST_EQUAL( mbedtls_lms_sign( &priv_ctx, mbedtls_test_rnd_std_rand, NULL,
+ NULL, 0, sig, sizeof( sig ),
+ NULL ), 0 );
+
+ TEST_EQUAL( mbedtls_lms_verify( &pub_ctx, NULL, 0, sig,
+ sizeof( sig ) ), 0 );
+
+exit:
+ mbedtls_lms_public_free( &pub_ctx );
+ mbedtls_lms_private_free( &priv_ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void lms_verify_test ( data_t * msg, data_t * sig, data_t * pub_key,
+ int expected_rc )
+{
+ mbedtls_lms_public_t ctx;
+ unsigned int size;
+ unsigned char *tmp_sig = NULL;
+
+ mbedtls_lms_public_init( &ctx);
+
+ TEST_EQUAL(mbedtls_lms_import_public_key( &ctx, pub_key->x, pub_key->len ), 0);
+
+ TEST_EQUAL(mbedtls_lms_verify( &ctx, msg->x, msg->len, sig->x, sig->len ), expected_rc);
+
+ /* Test negative cases if the input data is valid */
+ if( expected_rc == 0 )
+ {
+ if( msg->len >= 1 )
+ {
+ /* Altering first message byte must cause verification failure */
+ msg->x[0] ^= 1;
+ TEST_EQUAL(mbedtls_lms_verify( &ctx, msg->x, msg->len, sig->x, sig->len ),
+ MBEDTLS_ERR_LMS_VERIFY_FAILED);
+ msg->x[0] ^= 1;
+
+ /* Altering last message byte must cause verification failure */
+ msg->x[msg->len - 1] ^= 1;
+ TEST_EQUAL(mbedtls_lms_verify( &ctx, msg->x, msg->len, sig->x, sig->len ),
+ MBEDTLS_ERR_LMS_VERIFY_FAILED);
+ msg->x[msg->len - 1] ^= 1;
+ }
+
+ if( sig->len >= 1 )
+ {
+ /* Altering first signature byte must cause verification failure */
+ sig->x[0] ^= 1;
+ TEST_EQUAL(mbedtls_lms_verify( &ctx, msg->x, msg->len, sig->x, sig->len ),
+ MBEDTLS_ERR_LMS_VERIFY_FAILED);
+ sig->x[0] ^= 1;
+
+ /* Altering last signature byte must cause verification failure */
+ sig->x[sig->len - 1] ^= 1;
+ TEST_EQUAL(mbedtls_lms_verify( &ctx, msg->x, msg->len, sig->x, sig->len ),
+ MBEDTLS_ERR_LMS_VERIFY_FAILED);
+ sig->x[sig->len - 1] ^= 1;
+ }
+
+ /* Signatures of all sizes must not verify, whether shorter or longer */
+ for( size = 0; size < sig->len; size++ ) {
+ if( size == sig->len )
+ continue;
+
+ ASSERT_ALLOC( tmp_sig, size );
+ if( tmp_sig != NULL )
+ memcpy( tmp_sig, sig->x, MIN(size, sig->len) );
+
+ TEST_EQUAL(mbedtls_lms_verify( &ctx, msg->x, msg->len, tmp_sig, size ),
+ MBEDTLS_ERR_LMS_VERIFY_FAILED);
+ mbedtls_free( tmp_sig );
+ tmp_sig = NULL;
+ }
+ }
+
+exit:
+ mbedtls_free( tmp_sig );
+ mbedtls_lms_public_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void lms_import_export_test ( data_t * pub_key, int expected_import_rc )
+{
+ mbedtls_lms_public_t ctx;
+ size_t exported_pub_key_buf_size = 0;
+ size_t exported_pub_key_size = 0;
+ unsigned char *exported_pub_key = NULL;
+
+ mbedtls_lms_public_init(&ctx);
+ TEST_EQUAL( mbedtls_lms_import_public_key( &ctx, pub_key->x, pub_key->len ),
+ expected_import_rc );
+
+ if( expected_import_rc == 0 )
+ {
+ exported_pub_key_buf_size = MBEDTLS_LMS_PUBLIC_KEY_LEN(MBEDTLS_LMS_SHA256_M32_H10);
+ ASSERT_ALLOC( exported_pub_key, exported_pub_key_buf_size );
+
+ TEST_EQUAL( mbedtls_lms_export_public_key( &ctx, exported_pub_key,
+ exported_pub_key_buf_size,
+ &exported_pub_key_size ), 0 );
+
+ TEST_EQUAL( exported_pub_key_size,
+ MBEDTLS_LMS_PUBLIC_KEY_LEN(MBEDTLS_LMS_SHA256_M32_H10 ) );
+ ASSERT_COMPARE( pub_key->x, pub_key->len,
+ exported_pub_key, exported_pub_key_size );
+ mbedtls_free(exported_pub_key);
+ exported_pub_key = NULL;
+
+ /* Export into too-small buffer should fail */
+ exported_pub_key_buf_size = MBEDTLS_LMS_PUBLIC_KEY_LEN(MBEDTLS_LMS_SHA256_M32_H10) - 1;
+ ASSERT_ALLOC( exported_pub_key, exported_pub_key_buf_size);
+ TEST_EQUAL( mbedtls_lms_export_public_key( &ctx, exported_pub_key,
+ exported_pub_key_buf_size, NULL ),
+ MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL );
+ mbedtls_free(exported_pub_key);
+ exported_pub_key = NULL;
+
+ /* Export into too-large buffer should succeed */
+ exported_pub_key_buf_size = MBEDTLS_LMS_PUBLIC_KEY_LEN(MBEDTLS_LMS_SHA256_M32_H10) + 1;
+ ASSERT_ALLOC( exported_pub_key, exported_pub_key_buf_size);
+ TEST_EQUAL( mbedtls_lms_export_public_key( &ctx, exported_pub_key,
+ exported_pub_key_buf_size,
+ &exported_pub_key_size ),
+ 0 );
+ ASSERT_COMPARE( pub_key->x, pub_key->len,
+ exported_pub_key, exported_pub_key_size );
+ mbedtls_free(exported_pub_key);
+ exported_pub_key = NULL;
+ }
+
+exit:
+ mbedtls_free( exported_pub_key );
+ mbedtls_lms_public_free( &ctx );
+}
+/* END_CASE */
+
diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data
index 85812f5..95e0d31 100644
--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@@ -441,30 +441,66 @@
Base test mbedtls_mpi_lsb #4
mpi_lsb:"2000":13
-Base test mbedtls_mpi_bitlen #1
+Test mbedtls_mpi_core_bitlen 764-bit
+mpi_core_bitlen:"941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":764
+
+Test mbedtls_mpi_core_bitlen 0x18
+mpi_core_bitlen:"18":5
+
+Test mbedtls_mpi_core_bitlen 0x18 with leading 0 limb(s)
+mpi_core_bitlen:"00000000000000018":5
+
+Test mbedtls_mpi_core_bitlen 0x18 << 64
+mpi_core_bitlen:"180000000000000000":69
+
+Test mbedtls_mpi_core_bitlen 0x01
+mpi_core_bitlen:"1":1
+
+Test mbedtls_mpi_core_bitlen 0x0f
+mpi_core_bitlen:"f":4
+
+Test mbedtls_mpi_core_bitlen 0x10
+mpi_core_bitlen:"10":5
+
+Test mbedtls_mpi_core_bitlen 0x0a
+mpi_core_bitlen:"a":4
+
+Test mbedtls_mpi_core_bitlen: 0 (1 limb)
+mpi_core_bitlen:"0":0
+
+Test mbedtls_mpi_bitlen 764-bit
mpi_bitlen:"941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":764
-Base test mbedtls_mpi_bitlen #2
+Test mbedtls_mpi_bitlen 0x18
mpi_bitlen:"18":5
-Base test mbedtls_mpi_bitlen #3
+Test mbedtls_mpi_bitlen 0x18 with leading 0 limb(s)
+mpi_bitlen:"00000000000000018":5
+
+Test mbedtls_mpi_bitlen 0x18 << 64
+mpi_bitlen:"180000000000000000":69
+
+Test mbedtls_mpi_bitlen 0x01
mpi_bitlen:"1":1
-Base test mbedtls_mpi_bitlen #4
+Test mbedtls_mpi_bitlen 0x0f
mpi_bitlen:"f":4
-Base test mbedtls_mpi_bitlen #5
+Test mbedtls_mpi_bitlen 0x10
mpi_bitlen:"10":5
-Base test mbedtls_mpi_bitlen #6
+Test mbedtls_mpi_bitlen 0x0a
mpi_bitlen:"a":4
-Base test mbedtls_mpi_bitlen: 0 (null)
+Test mbedtls_mpi_bitlen: 0 (null)
mpi_bitlen:"":0
-Base test mbedtls_mpi_bitlen: 0 (1 limb)
+Test mbedtls_mpi_bitlen: 0 (1 limb)
mpi_bitlen:"0":0
+Test mbedtls_mpi_bitlen: -0x18
+mpi_bitlen:"-18":5
+
Base test mbedtls_mpi_cmp_int #1
mpi_cmp_int:693:693:0
@@ -595,22 +631,22 @@
mpi_cmp_mpi:"-1230000000000000000":"0":-1
mbedtls_mpi_core_lt_ct: x=y (1 limb)
-mpi_core_lt_ct:"02B5":"02B5":0
+mpi_core_lt_ct:"2B5":"2B5":0
mbedtls_mpi_core_lt_ct: x>y (1 limb)
-mpi_core_lt_ct:"02B5":"02B4":0
+mpi_core_lt_ct:"2B5":"2B4":0
mbedtls_mpi_core_lt_ct: x<y (1 limb)
-mpi_core_lt_ct:"02B5":"02B6":1
+mpi_core_lt_ct:"2B5":"2B6":1
mbedtls_mpi_core_lt_ct: x=y (0 limbs)
mpi_core_lt_ct:"":"":0
mbedtls_mpi_core_lt_ct: x>y (63 bit x, y first byte greater)
-mpi_core_lt_ct:"7FFFFFFFFFFFFFFF":"FF":0
+mpi_core_lt_ct:"7FFFFFFFFFFFFFFF":"00000000000000FF":0
mbedtls_mpi_core_lt_ct: x<y (63 bit y, x first byte greater)
-mpi_core_lt_ct:"FF":"7FFFFFFFFFFFFFFF":1
+mpi_core_lt_ct:"00000000000000FF":"7FFFFFFFFFFFFFFF":1
mbedtls_mpi_core_lt_ct: x>y (64 bit x, y=x-1)
mpi_core_lt_ct:"8000000000000000":"7FFFFFFFFFFFFFFF":0
@@ -619,28 +655,28 @@
mpi_core_lt_ct:"7FFFFFFFFFFFFFFF":"8000000000000000":1
mbedtls_mpi_core_lt_ct: x>y (64 bit x, y=1)
-mpi_core_lt_ct:"8000000000000000":"01":0
+mpi_core_lt_ct:"8000000000000000":"0000000000000001":0
mbedtls_mpi_core_lt_ct: x<y (64 bit y, x=1)
-mpi_core_lt_ct:"01":"8000000000000000":1
+mpi_core_lt_ct:"0000000000000001":"8000000000000000":1
mbedtls_mpi_core_lt_ct: x>y (64 bit x, y=0)
-mpi_core_lt_ct:"8000000000000000":"00":0
+mpi_core_lt_ct:"8000000000000000":"0000000000000000":0
mbedtls_mpi_core_lt_ct: x<y (64 bit y, x=0)
-mpi_core_lt_ct:"00":"8000000000000000":1
+mpi_core_lt_ct:"0000000000000000":"8000000000000000":1
mbedtls_mpi_core_lt_ct: x>y (64 bit x, first bytes equal)
-mpi_core_lt_ct:"FFFFFFFFFFFFFFFF":"FF":0
+mpi_core_lt_ct:"FFFFFFFFFFFFFFFF":"00000000000000FF":0
mbedtls_mpi_core_lt_ct: x<y (64 bit y, first bytes equal)
-mpi_core_lt_ct:"FF":"FFFFFFFFFFFFFFFF":1
+mpi_core_lt_ct:"00000000000000FF":"FFFFFFFFFFFFFFFF":1
mbedtls_mpi_core_lt_ct: x>y (31 bit x, y first byte greater)
-mpi_core_lt_ct:"7FFFFFFF":"FF":0
+mpi_core_lt_ct:"7FFFFFFF":"000000FF":0
mbedtls_mpi_core_lt_ct: x<y (31 bit y, x first byte greater)
-mpi_core_lt_ct:"FF":"7FFFFFFF":1
+mpi_core_lt_ct:"000000FF":"7FFFFFFF":1
mbedtls_mpi_core_lt_ct: x>y (32 bit x, y=x-1)
mpi_core_lt_ct:"80000000":"7FFFFFFF":0
@@ -649,25 +685,25 @@
mpi_core_lt_ct:"7FFFFFFF":"80000000":1
mbedtls_mpi_core_lt_ct: x>y (32 bit x, y=1)
-mpi_core_lt_ct:"80000000":"01":0
+mpi_core_lt_ct:"80000000":"00000001":0
mbedtls_mpi_core_lt_ct: x<y (32 bit y, x=1)
-mpi_core_lt_ct:"01":"80000000":1
+mpi_core_lt_ct:"00000001":"80000000":1
mbedtls_mpi_core_lt_ct: x>y (32 bit x, y=0)
-mpi_core_lt_ct:"80000000":"00":0
+mpi_core_lt_ct:"80000000":"00000000":0
mbedtls_mpi_core_lt_ct: x<y (32 bit y, x=0)
-mpi_core_lt_ct:"00":"80000000":1
+mpi_core_lt_ct:"00000000":"80000000":1
mbedtls_mpi_core_lt_ct: x>y (32 bit x, first bytes equal)
-mpi_core_lt_ct:"FFFFFFFF":"FF":0
+mpi_core_lt_ct:"FFFFFFFF":"000000FF":0
mbedtls_mpi_core_lt_ct: x<y (32 bit y, first bytes equal)
-mpi_core_lt_ct:"FF":"FFFFFFFF":1
+mpi_core_lt_ct:"000000FF":"FFFFFFFF":1
mbedtls_mpi_core_lt_ct: x<y, zero vs non-zero MS limb
-mpi_core_lt_ct:"00FFFFFFFFFFFFFFFF":"01FFFFFFFFFFFFFFFF":1
+mpi_core_lt_ct:"0FFFFFFFFFFFFFFFF":"1FFFFFFFFFFFFFFFF":1
mbedtls_mpi_core_lt_ct: x>y, equal MS limbs
mpi_core_lt_ct:"EEFFFFFFFFFFFFFFFF":"EEFFFFFFFFFFFFFFF1":0
diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function
index ff2eaac..9812c56 100644
--- a/tests/suites/test_suite_mpi.function
+++ b/tests/suites/test_suite_mpi.function
@@ -665,6 +665,20 @@
/* END_CASE */
/* BEGIN_CASE */
+void mpi_core_bitlen( char *input_X, int nr_bits )
+{
+ mbedtls_mpi_uint *X = NULL;
+ size_t limbs;
+
+ TEST_EQUAL( mbedtls_test_read_mpi_core( &X, &limbs, input_X ), 0 );
+ TEST_EQUAL( mbedtls_mpi_core_bitlen( X, limbs ), nr_bits );
+
+exit:
+ mbedtls_free( X );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void mpi_bitlen( char * input_X, int nr_bits )
{
mbedtls_mpi X;
@@ -728,38 +742,29 @@
/* END_CASE */
/* BEGIN_CASE */
-void mpi_core_lt_ct( data_t * input_X, data_t * input_Y, int input_ret )
+void mpi_core_lt_ct( char *input_X, char *input_Y, int exp_ret )
{
- #define MAX_LEN 64
- mbedtls_mpi_uint X[MAX_LEN];
- mbedtls_mpi_uint Y[MAX_LEN];
- unsigned exp_ret = input_ret;
- unsigned ret;
- size_t len = CHARS_TO_LIMBS(
- input_X->len > input_Y->len ? input_X->len : input_Y->len );
+ mbedtls_mpi_uint *X = NULL;
+ size_t X_limbs;
+ mbedtls_mpi_uint *Y = NULL;
+ size_t Y_limbs;
+ int ret;
- TEST_LE_U( len, MAX_LEN );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &X, &X_limbs, input_X ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &Y, &Y_limbs, input_Y ) );
- TEST_ASSERT( mbedtls_mpi_core_read_be( X, len, input_X->x, input_X->len )
- == 0 );
- TEST_ASSERT( mbedtls_mpi_core_read_be( Y, len, input_Y->x, input_Y->len )
- == 0 );
+ /* We need two same-length limb arrays */
+ TEST_EQUAL( X_limbs, Y_limbs );
- TEST_CF_SECRET( X, len * sizeof( mbedtls_mpi_uint ) );
- TEST_CF_SECRET( Y, len * sizeof( mbedtls_mpi_uint ) );
+ TEST_CF_SECRET( X, X_limbs * sizeof( mbedtls_mpi_uint ) );
+ TEST_CF_SECRET( Y, X_limbs * sizeof( mbedtls_mpi_uint ) );
- ret = mbedtls_mpi_core_lt_ct( X, Y, len );
-
- TEST_CF_PUBLIC( X, len * sizeof( mbedtls_mpi_uint ) );
- TEST_CF_PUBLIC( Y, len * sizeof( mbedtls_mpi_uint ) );
- TEST_CF_PUBLIC( &ret, sizeof( ret ) );
-
+ ret = mbedtls_mpi_core_lt_ct( X, Y, X_limbs );
TEST_EQUAL( ret, exp_ret );
exit:
- ;
-
- #undef MAX_LEN
+ mbedtls_free( X );
+ mbedtls_free( Y );
}
/* END_CASE */
diff --git a/tests/suites/test_suite_pkcs12.function b/tests/suites/test_suite_pkcs12.function
index 841bd1d..3fad814 100644
--- a/tests/suites/test_suite_pkcs12.function
+++ b/tests/suites/test_suite_pkcs12.function
@@ -25,7 +25,6 @@
data_t* expected_output, int expected_status )
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *output_data = NULL;
unsigned char *password = NULL;
@@ -46,15 +45,15 @@
ASSERT_ALLOC( output_data, key_size );
- ret = mbedtls_pkcs12_derivation( output_data,
- key_size,
- password,
- password_len,
- salt,
- salt_len,
- md_type,
- MBEDTLS_PKCS12_DERIVE_KEY,
- iterations );
+ int ret = mbedtls_pkcs12_derivation( output_data,
+ key_size,
+ password,
+ password_len,
+ salt,
+ salt_len,
+ md_type,
+ MBEDTLS_PKCS12_DERIVE_KEY,
+ iterations );
TEST_EQUAL( ret, expected_status );
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index f2478be..cded3a8 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -3643,15 +3643,15 @@
PSA Multipart AEAD verify: ChaCha20 - Poly1305, invalid tag length 0
depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20
-aead_multipart_verify:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,0):"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600690":1:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_INVALID_ARGUMENT
+aead_multipart_verify:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,0):"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600690":1:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_INVALID_ARGUMENT
PSA Multipart AEAD verify: ChaCha20 - Poly1305, invalid tag length 15
depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20
-aead_multipart_verify:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,15):"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600690":1:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_INVALID_ARGUMENT
+aead_multipart_verify:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,15):"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600690":1:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_INVALID_ARGUMENT
PSA Multipart AEAD verify: ChaCha20 - Poly1305, invalid tag length 17
depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20
-aead_multipart_verify:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,17):"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600690":1:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_INVALID_ARGUMENT
+aead_multipart_verify:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,17):"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600690":1:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_INVALID_ARGUMENT
PSA Multipart AEAD verify: ChaCha20 - Poly1305 (RFC7539, bad tag)
depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20
@@ -3951,7 +3951,7 @@
PSA AEAD setup: invalid algorithm (ChaCha20 - Poly1305 with short tag)
depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20
-aead_multipart_setup:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,12):PSA_ERROR_NOT_SUPPORTED
+aead_multipart_setup:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,12):PSA_ERROR_INVALID_ARGUMENT
PSA AEAD setup: AES - CCM, invalid tag length 0
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES
@@ -4031,15 +4031,15 @@
PSA AEAD setup: ChaCha20-Poly1305, invalid tag length 0
depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20
-aead_multipart_setup:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,0):PSA_ERROR_NOT_SUPPORTED
+aead_multipart_setup:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,0):PSA_ERROR_INVALID_ARGUMENT
PSA AEAD setup: ChaCha20-Poly1305, invalid tag length 15
depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20
-aead_multipart_setup:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,15):PSA_ERROR_NOT_SUPPORTED
+aead_multipart_setup:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,15):PSA_ERROR_INVALID_ARGUMENT
PSA AEAD setup: ChaCha20-Poly1305, invalid tag length 17
depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20
-aead_multipart_setup:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,17):PSA_ERROR_NOT_SUPPORTED
+aead_multipart_setup:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,17):PSA_ERROR_INVALID_ARGUMENT
PSA Multipart State Checks, AES - GCM
depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index f24d1a4..7b5743e 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -2184,8 +2184,9 @@
options->psk_str->len,
(const unsigned char *) psk_identity,
strlen( psk_identity ) ) == 0 );
-
+#if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_psk_cb( &server.conf, psk_dummy_callback, NULL );
+#endif
}
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)