sharpetronics/liboqs
1
0
Fork 0
mirror of https://github.com/open-quantum-safe/liboqs.git synced 2025-10-04 00:02:01 -04:00
Code Issues Projects Releases Wiki Activity
liboqs/tests/test_sig.c
Marco Gianvecchio 8ee6039c74
Add bitflip test for trivial SUF-CMA forgeries (#2090) 
* add bitflip test to test_sig.c
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* format code
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* - add sig->suf_cma
- add command-line argument to test_sig.c (the number of bitflips)
- update CROSS upstream to SUF-CMA
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* %d to %ld for size_t bitflips

Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* cast argument bitflips to size_t
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* replace atoi() with strtol()
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* cast bit_index to %llu

Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* update bitflip tests:
- revert CROSS to EUF-CMA
- add test_bitflip_message
- exclude stateful signatures for now
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* remove bitflips_as_str in printf
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* test_bitflip as a single function, add support for stateful signatures
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* add OQS_TEST_CT_DECLASSIFY after test_bitflip_stfl
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* [extended tests]
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* more OQS_TEST_CT_DECLASSIFY [extended tests]
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* patch dilithium to add suf-cma
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* run copy_from_upstream.py
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* SUF-CMA in dilithium docs, run copy_from_upstream.py
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* correct sizeof in OQS_randombytes call (thank you @SWilson4!)
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* factor bitflip testing functions out into test_helpers.c
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* --allow-multiple-definition for Windows .dll in test_kem_mem
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

* --allow-multiple-definition for Windows .dll in test_sig and test_sig_stfl
Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>

---------

Signed-off-by: rtjk <47841774+rtjk@users.noreply.github.com>
2025-03-14 11:53:05 -04:00

352 lines
11 KiB
C
Raw Blame History

// SPDX-License-Identifier: MIT
#if defined(_WIN32)
#pragma warning(disable : 4244 4293)
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <oqs/oqs.h>
#if OQS_USE_PTHREADS
#include <pthread.h>
#endif
#include "system_info.c"
#include "test_helpers.h"
typedef struct magic_s {
uint8_t val[31];
} magic_t;
static OQS_STATUS sig_test_correctness(const char *method_name, bool bitflips_all[2], size_t bitflips[2]) {
OQS_SIG *sig = NULL;
uint8_t *public_key = NULL;
uint8_t *secret_key = NULL;
uint8_t *message = NULL;
size_t message_len = 100;
uint8_t ctx[257] = { 0 };
uint8_t *signature = NULL;
size_t signature_len;
OQS_STATUS rc, ret = OQS_ERROR;
//The magic numbers are random values.
//The length of the magic number was chosen to be 31 to break alignment
magic_t magic;
OQS_randombytes(magic.val, sizeof(magic_t));
sig = OQS_SIG_new(method_name);
if (sig == NULL) {
fprintf(stderr, "ERROR: OQS_SIG_new failed\n");
goto err;
}
char bitflips_as_str[2][50];
for (int i = 0; i < 2; i++) {
if (bitflips_all[i]) {
snprintf(bitflips_as_str[i], sizeof(bitflips_as_str[i]), "all");
} else {
snprintf(bitflips_as_str[i], sizeof(bitflips_as_str[i]), "%ld random", bitflips[i]);
}
}
printf("================================================================================\n");
printf("Sample computation for signature %s\n", sig->method_name);
if (sig->euf_cma) {
printf("Testing EUF-CMA by flipping %s bits of the message\n", bitflips_as_str[0]);
}
if (sig->suf_cma) {
printf("Testing SUF-CMA by flipping %s bits of the signature\n", bitflips_as_str[1]);
}
printf("Version source: %s\n", sig->alg_version);
printf("================================================================================\n");
public_key = OQS_MEM_malloc(sig->length_public_key + 2 * sizeof(magic_t));
secret_key = OQS_MEM_malloc(sig->length_secret_key + 2 * sizeof(magic_t));
message = OQS_MEM_malloc(message_len + 2 * sizeof(magic_t));
signature = OQS_MEM_malloc(sig->length_signature + 2 * sizeof(magic_t));
if ((public_key == NULL) || (secret_key == NULL) || (message == NULL) || (signature == NULL)) {
fprintf(stderr, "ERROR: OQS_MEM_malloc failed\n");
goto err;
}
//Set the magic numbers before
memcpy(public_key, magic.val, sizeof(magic_t));
memcpy(secret_key, magic.val, sizeof(magic_t));
memcpy(message, magic.val, sizeof(magic_t));
memcpy(signature, magic.val, sizeof(magic_t));
public_key += sizeof(magic_t);
secret_key += sizeof(magic_t);
message += sizeof(magic_t);
signature += sizeof(magic_t);
// and after
memcpy(public_key + sig->length_public_key, magic.val, sizeof(magic_t));
memcpy(secret_key + sig->length_secret_key, magic.val, sizeof(magic_t));
memcpy(message + message_len, magic.val, sizeof(magic_t));
memcpy(signature + sig->length_signature, magic.val, sizeof(magic_t));
OQS_randombytes(message, message_len);
OQS_TEST_CT_DECLASSIFY(message, message_len);
rc = OQS_SIG_keypair(sig, public_key, secret_key);
OQS_TEST_CT_DECLASSIFY(&rc, sizeof rc);
if (rc != OQS_SUCCESS) {
fprintf(stderr, "ERROR: OQS_SIG_keypair failed\n");
goto err;
}
rc = OQS_SIG_sign(sig, signature, &signature_len, message, message_len, secret_key);
OQS_TEST_CT_DECLASSIFY(&rc, sizeof rc);
if (rc != OQS_SUCCESS) {
fprintf(stderr, "ERROR: OQS_SIG_sign failed\n");
goto err;
}
OQS_TEST_CT_DECLASSIFY(public_key, sig->length_public_key);
OQS_TEST_CT_DECLASSIFY(signature, signature_len);
rc = OQS_SIG_verify(sig, message, message_len, signature, signature_len, public_key);
OQS_TEST_CT_DECLASSIFY(&rc, sizeof rc);
if (rc != OQS_SUCCESS) {
fprintf(stderr, "ERROR: OQS_SIG_verify failed\n");
goto err;
}
rc = test_sig_bitflip(sig, message, message_len, signature, signature_len, public_key, bitflips_all, bitflips, false, NULL, 0);
OQS_TEST_CT_DECLASSIFY(&rc, sizeof rc);
if (rc != OQS_SUCCESS) {
goto err;
}
/* testing signing with context, if supported */
OQS_randombytes(ctx, 257);
if (sig->sig_with_ctx_support) {
for (size_t i = 0; i < 256; ++i) {
rc = OQS_SIG_sign_with_ctx_str(sig, signature, &signature_len, message, message_len, ctx, i, secret_key);
OQS_TEST_CT_DECLASSIFY(&rc, sizeof rc);
if (rc != OQS_SUCCESS) {
fprintf(stderr, "ERROR: OQS_SIG_sign_with_ctx_str failed\n");
goto err;
}
OQS_TEST_CT_DECLASSIFY(public_key, sig->length_public_key);
OQS_TEST_CT_DECLASSIFY(signature, signature_len);
rc = OQS_SIG_verify_with_ctx_str(sig, message, message_len, signature, signature_len, ctx, i, public_key);
OQS_TEST_CT_DECLASSIFY(&rc, sizeof rc);
if (rc != OQS_SUCCESS) {
fprintf(stderr, "ERROR: OQS_SIG_verify_with_ctx_str failed\n");
goto err;
}
rc = test_sig_bitflip(sig, message, message_len, signature, signature_len, public_key, bitflips_all, bitflips, true, ctx, i);
OQS_TEST_CT_DECLASSIFY(&rc, sizeof rc);
if (rc != OQS_SUCCESS) {
goto err;
}
}
rc = OQS_SIG_sign_with_ctx_str(sig, signature, &signature_len, message, message_len, ctx, 256, secret_key);
OQS_TEST_CT_DECLASSIFY(&rc, sizeof rc);
if (rc != OQS_ERROR) {
fprintf(stderr, "ERROR: OQS_SIG_sign_with_ctx_str should only support up to 255 byte contexts\n");
goto err;
}
} else {
rc = OQS_SIG_sign_with_ctx_str(sig, signature, &signature_len, message, message_len, ctx, 1, secret_key);
if (rc != OQS_ERROR) {
fprintf(stderr, "ERROR: OQS_SIG_sign_with_ctx_str should fail without support for context strings\n");
goto err;
}
}
rc = OQS_SIG_sign_with_ctx_str(sig, signature, &signature_len, message, message_len, NULL, 0, secret_key);
OQS_TEST_CT_DECLASSIFY(&rc, sizeof rc);
if (rc != OQS_SUCCESS) {
fprintf(stderr, "ERROR: OQS_SIG_sign_with_ctx_str should always succeed when providing a NULL context string\n");
goto err;
}
OQS_TEST_CT_DECLASSIFY(public_key, sig->length_public_key);
OQS_TEST_CT_DECLASSIFY(signature, signature_len);
rc = OQS_SIG_verify_with_ctx_str(sig, message, message_len, signature, signature_len, NULL, 0, public_key);
OQS_TEST_CT_DECLASSIFY(&rc, sizeof rc);
if (rc != OQS_SUCCESS) {
fprintf(stderr, "ERROR: OQS_SIG_verify_with_ctx_str failed\n");
goto err;
}
rc = test_sig_bitflip(sig, message, message_len, signature, signature_len, public_key, bitflips_all, bitflips, true, NULL, 0);
OQS_TEST_CT_DECLASSIFY(&rc, sizeof rc);
if (rc != OQS_SUCCESS) {
goto err;
}
#ifndef OQS_ENABLE_TEST_CONSTANT_TIME
/* check magic values */
int rv = memcmp(public_key + sig->length_public_key, magic.val, sizeof(magic_t));
rv |= memcmp(secret_key + sig->length_secret_key, magic.val, sizeof(magic_t));
rv |= memcmp(message + message_len, magic.val, sizeof(magic_t));
rv |= memcmp(signature + sig->length_signature, magic.val, sizeof(magic_t));
rv |= memcmp(public_key - sizeof(magic_t), magic.val, sizeof(magic_t));
rv |= memcmp(secret_key - sizeof(magic_t), magic.val, sizeof(magic_t));
rv |= memcmp(message - sizeof(magic_t), magic.val, sizeof(magic_t));
rv |= memcmp(signature - sizeof(magic_t), magic.val, sizeof(magic_t));
if (rv) {
fprintf(stderr, "ERROR: Magic numbers do not match\n");
goto err;
}
#endif
printf("verification passes as expected\n");
ret = OQS_SUCCESS;
goto cleanup;
err:
ret = OQS_ERROR;
cleanup:
if (secret_key) {
OQS_MEM_secure_free(secret_key - sizeof(magic_t), sig->length_secret_key + 2 * sizeof(magic_t));
}
if (public_key) {
OQS_MEM_insecure_free(public_key - sizeof(magic_t));
}
if (message) {
OQS_MEM_insecure_free(message - sizeof(magic_t));
}
if (signature) {
OQS_MEM_insecure_free(signature - sizeof(magic_t));
}
OQS_SIG_free(sig);
return ret;
}
#ifdef OQS_ENABLE_TEST_CONSTANT_TIME
static void TEST_SIG_randombytes(uint8_t *random_array, size_t bytes_to_read) {
// We can't make direct calls to the system randombytes on some platforms,
// so we have to swap out the OQS_randombytes provider.
OQS_randombytes_switch_algorithm("system");
OQS_randombytes(random_array, bytes_to_read);
OQS_randombytes_custom_algorithm(&TEST_SIG_randombytes);
// OQS_TEST_CT_CLASSIFY tells Valgrind's memcheck tool to issue a warning if
// the program branches on any byte that depends on random_array. This helps us
// identify timing side-channels, as these bytes often contain secret data.
OQS_TEST_CT_CLASSIFY(random_array, bytes_to_read);
}
#endif
#if OQS_USE_PTHREADS
struct thread_data {
char *alg_name;
bool *bitflips_all;
size_t *bitflips;
OQS_STATUS rc;
};
void *test_wrapper(void *arg) {
struct thread_data *td = arg;
td->rc = sig_test_correctness(td->alg_name, td->bitflips_all, td->bitflips);
OQS_thread_stop();
return NULL;
}
#endif
int main(int argc, char **argv) {
OQS_init();
printf("Testing signature algorithms using liboqs version %s\n", OQS_version());
if (argc < 2 || argc > 4) {
fprintf(stderr, "Usage: test_sig algname [bitflips_msg] [bitflips_sig]\n");
fprintf(stderr, " algname: ");
for (size_t i = 0; i < OQS_SIG_algs_length; i++) {
if (i > 0) {
fprintf(stderr, ", ");
}
fprintf(stderr, "%s", OQS_SIG_alg_identifier(i));
}
fprintf(stderr, "\n");
fprintf(stderr, " bitflips_msg: the number of random bitflips to perform for each EUF-CMA signature (\"all\" to flip every bit)\n");
fprintf(stderr, " bitflips_sig: the number of random bitflips to perform for each SUF-CMA signature (\"all\" to flip every bit)\n");
OQS_destroy();
return EXIT_FAILURE;
}
print_system_info();
char *alg_name = argv[1];
if (!OQS_SIG_alg_is_enabled(alg_name)) {
printf("Signature algorithm %s not enabled!\n", alg_name);
OQS_destroy();
return EXIT_FAILURE;
}
/* by default, flip 50 random bits of the message and signature (to test EUF-CMA and SUF-CMA, respectively) */
bool bitflips_all[2] = {false, false};
size_t bitflips[2] = {50, 50};
if (argc >= 3) {
if (strcmp(argv[2], "all") == 0) {
bitflips_all[0] = true;
} else {
bitflips[0] = (size_t)strtol(argv[2], NULL, 10);
}
}
if (argc == 4) {
if (strcmp(argv[3], "all") == 0) {
bitflips_all[1] = true;
} else {
bitflips[1] = (size_t)strtol(argv[3], NULL, 10);
}
}
#ifdef OQS_ENABLE_TEST_CONSTANT_TIME
OQS_randombytes_custom_algorithm(&TEST_SIG_randombytes);
#else
OQS_randombytes_switch_algorithm("system");
#endif
OQS_STATUS rc;
#if OQS_USE_PTHREADS
#define MAX_LEN_SIG_NAME_ 64
// don't run algorithms with large stack usage in threads
char no_thread_sig_patterns[][MAX_LEN_SIG_NAME_] = {"MAYO-5", "cross-rsdp-128-small", "cross-rsdp-192-small", "cross-rsdp-256-balanced", "cross-rsdp-256-small", "cross-rsdpg-192-small", "cross-rsdpg-256-small"};
int test_in_thread = 1;
for (size_t i = 0 ; i < sizeof(no_thread_sig_patterns) / MAX_LEN_SIG_NAME_; ++i) {
if (strstr(alg_name, no_thread_sig_patterns[i]) != NULL) {
test_in_thread = 0;
break;
}
}
if (test_in_thread) {
pthread_t thread;
struct thread_data td = {.alg_name = alg_name, .bitflips_all = bitflips_all, .bitflips = bitflips, .rc = OQS_ERROR};
int trc = pthread_create(&thread, NULL, test_wrapper, &td);
if (trc) {
fprintf(stderr, "ERROR: Creating pthread\n");
OQS_destroy();
return EXIT_FAILURE;
}
pthread_join(thread, NULL);
rc = td.rc;
} else {
rc = sig_test_correctness(alg_name, bitflips_all, bitflips);
}
#else
rc = sig_test_correctness(alg_name, bitflips_all, bitflips);
#endif
if (rc != OQS_SUCCESS) {
OQS_destroy();
return EXIT_FAILURE;
}
OQS_destroy();
return EXIT_SUCCESS;
}
Reference in New Issue View Git Blame Copy Permalink