From e293d105cfd0da6bcc7308fdbe2020f5c8b6d347 Mon Sep 17 00:00:00 2001
From: Kris Kwiatkowski
Date: Mon, 3 Jun 2024 11:21:10 +0100
Subject: [PATCH] Fix memory corruption
---
 Makefile | 2 +-
 test/acvpkat.c | 41 +++++++++++++++++++++++++----------------
 2 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/Makefile b/Makefile
index 8558a27..450f342 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 CC = /usr/bin/gcc
-CFLAGS = -Wall -g -O3 -Wextra -Wpedantic -L/opt/homebrew/lib/ -I/opt/homebrew/Cellar/json-c/0.17/include/json-c
+CFLAGS = -Wall -ggdb -O3 -Wextra -Wpedantic -L/usr/lib/ -I/usr/include/json-c
 LDLIBS = -lcrypto -ljson-c
 SOURCES = params.c hash.c fips202.c hash_address.c randombytes.c wots.c xmss.c xmss_core.c xmss_commons.c utils.c
diff --git a/test/acvpkat.c b/test/acvpkat.c
index e1dfc15..1657d86 100644
--- a/test/acvpkat.c
+++ b/test/acvpkat.c
@@ -20,6 +20,8 @@
 #include
+#define MESSAGE_LEN 128u
+
 struct param_t {
 uint8_t oid;
 const char *name;
@@ -59,7 +61,7 @@ void vectors_keygen(uint32_t oid, json_object *jreq, json_object *jres, uint32_t
 tc_req = json_object_new_object();
 tc_res = json_object_new_object();
- getentropy(seed, 3*params.n);
+ randombytes(seed, 3*params.n);
 xmssmt_core_seed_keypair(¶ms, &pk[XMSS_OID_LEN], &sk[XMSS_OID_LEN], seed);
 json_object_object_add(tc_req, "tcId", json_object_new_int(i+1));
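Review bot: The rewritten `CFLAGS` still hard-codes one machine's json-c location (`-I/usr/include/json-c`, `-L/usr/lib/`), so the build is only moved from a Homebrew box to one Linux layout rather than made portable, and `-L` is a linker search path that belongs in `LDFLAGS`, not `CFLAGS`. Letting pkg-config supply both keeps the Makefile host-independent: `CFLAGS = -Wall -ggdb -O3 -Wextra -Wpedantic $(shell pkg-config --cflags json-c)` and `LDLIBS = -lcrypto $(shell pkg-config --libs json-c)`.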
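Review bot: `#define MESSAGE_LEN 128u` is introduced without a comment, and since it now sizes two stack buffers, a `malloc`, and the length passed to `xmss_core_sign`, a reader has to grep the file to learn what it stands for. A one-line comment such as `/* Byte length of the random message signed in every siggen test case. */` above the define would do.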
@@ -73,12 +75,12 @@ void vectors_keygen(uint32_t oid, json_object *jreq, json_object *jres, uint32_t
 free(sbuf);
 json_object_object_add(tc_res, "tcId", json_object_new_int(i+1));
- sbuf = malloc(2*params.pk_bytes + 1);
+ sbuf = malloc(2*(params.pk_bytes + XMSS_OID_LEN) + 1);
 sprint_hex(sbuf, pk, params.pk_bytes + XMSS_OID_LEN);
 json_object_object_add(tc_res, "publicKey", json_object_new_string(sbuf));
 free(sbuf);
- sbuf = malloc(2*params.sk_bytes + 1);
+ sbuf = malloc(2*(params.sk_bytes + XMSS_OID_LEN) + 1);
 sprint_hex(sbuf, sk, params.sk_bytes + XMSS_OID_LEN);
 json_object_object_add(tc_res, "secretKey", json_object_new_string(sbuf));
 free(sbuf);
@@ -156,9 +158,9 @@ void vectors_siggen(uint32_t oid, unsigned char *sk, json_object *jreq, json_obj
 struct json_object *tc_req, *tcs_req, *tc_res, *tcs_res;
 xmss_parse_oid(¶ms, oid);
- unsigned char sm[params.sig_bytes + 128];
+ unsigned char sm[params.sig_bytes + MESSAGE_LEN];
 unsigned long long smlen = 0;
- unsigned char msg[128];
+ unsigned char msg[MESSAGE_LEN];
 unsigned q;
 unsigned height = 1u << (params.full_height);
 char *sbuf;
@@ -170,19 +172,19 @@ void vectors_siggen(uint32_t oid, unsigned char *sk, json_object *jreq, json_obj
 tc_req = json_object_new_object();
 tc_res = json_object_new_object();
- getentropy(msg, 128);
- getentropy(&q, sizeof(q));
+ randombytes(msg, MESSAGE_LEN);
+ randombytes((void*)&q, sizeof(q));
 q = q % height;
 smlen = 0;
 ull_to_bytes(sk, params.index_bytes, q);
- xmss_core_sign(¶ms, sk, sm, &smlen, msg, 128);
+ xmss_core_sign(¶ms, sk, sm, &smlen, msg, MESSAGE_LEN);
 json_object_object_add(tc_res, "tcId", json_object_new_int(i+1));
 json_object_object_add(tc_req, "tcId", json_object_new_int(i+1));
- sbuf = malloc(2*128 + 1);
- sprint_hex(sbuf, msg, 128);
+ sbuf = malloc(2*MESSAGE_LEN + 1);
+ sprint_hex(sbuf, msg, MESSAGE_LEN);
 json_object_object_add(tc_req, "message", json_object_new_string(sbuf));
 free(sbuf);
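Review bot: The corrected `malloc` sizes now repeat the `params.pk_bytes + XMSS_OID_LEN` expression that `sprint_hex` receives two lines later, which is exactly how the two drifted apart before this fix; computing the length once keeps them coupled, e.g. `const size_t pk_len = params.pk_bytes + XMSS_OID_LEN;` then `sbuf = malloc(2*pk_len + 1); sprint_hex(sbuf, pk, pk_len);`, and likewise for `sk_bytes`. `malloc` is still not checked before `sprint_hex` writes through `sbuf`, so an allocation failure turns into a write through NULL; `if (!sbuf) { perror("malloc"); exit(EXIT_FAILURE); }` after each call makes that a clean abort instead. The same duplicated expression and unchecked allocation appear in the `@@ -243,12 +252,12 @@` hunk of `siggen_KAT`. `vectors_keygen` begins and ends outside this hunk.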
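Review bot: `randombytes((void*)&q, sizeof(q)); q = q % height;` draws each test case's leaf index independently, so two samples under the same key can land on the same `q` and sign different messages with the same WOTS+ key, which is the one-time-key reuse XMSS forbids; if the vectors are meant to show a correct signer, take the indices without replacement, for instance by drawing a start index once before the loop and using `q = (start + i) % height;` per sample. The reduction itself is unbiased because `height` is `1u << params.full_height`, a power of two. `vectors_siggen` and the loop this code runs in continue outside the hunk.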
@@ -208,6 +210,7 @@ void siggen_KAT(const struct param_t *h) {
 unsigned char seed[params.n * 3];
 unsigned char pk[params.pk_bytes + XMSS_OID_LEN];
 unsigned char sk[params.sk_bytes + XMSS_OID_LEN];
+ size_t i;
 jreq = json_object_new_object();
 jres = json_object_new_object();
@@ -221,6 +224,12 @@ void siggen_KAT(const struct param_t *h) {
 tg_req = json_object_new_object();
 tg_res = json_object_new_object();
+ // Store key OIDs
+ for (i = 0; i < XMSS_OID_LEN; i++) {
+ pk[XMSS_OID_LEN - i - 1] = (h->oid >> (8 * i)) & 0xFF;
+ sk[XMSS_OID_LEN - i - 1] = (h->oid >> (8 * i)) & 0xFF;
+ }
+
 // Request file
 json_object_object_add(tg_req, "tgId", json_object_new_int(1));
 json_object_object_add(tg_req, "testType", json_object_new_string("AFT"));
@@ -230,8 +239,8 @@ void siggen_KAT(const struct param_t *h) {
 // Response file
 json_object_object_add(tg_res, "tgId", json_object_new_int(1));
 json_object_object_add(tg_res, "OID", json_object_new_int(h->oid));
-
- getentropy(seed, 3*params.n);
+
+ randombytes(seed, 3*params.n);
 xmssmt_core_seed_keypair(¶ms, pk + XMSS_OID_LEN, sk + XMSS_OID_LEN, seed);
 sbuf = malloc(2*params.n + 1);
@@ -243,12 +252,12 @@ void siggen_KAT(const struct param_t *h) {
 json_object_object_add(tg_req, "I", json_object_new_string(sbuf));
 free(sbuf);
- sbuf = malloc(2*params.pk_bytes + 1);
+ sbuf = malloc(2*(params.pk_bytes + XMSS_OID_LEN) + 1);
 sprint_hex(sbuf, pk, params.pk_bytes + XMSS_OID_LEN);
 json_object_object_add(tg_res, "publicKey", json_object_new_string(sbuf));
 free(sbuf);
- vectors_siggen(h->oid, sk + XMSS_OID_LEN, tg_req, tg_res, h->n_samples);
+ vectors_siggen(h->oid, sk + XMSS_OID_LEN, tg_req, tg_res, h->n_samples);
 json_object_array_add(tgs_req, tg_req);
 json_object_array_add(tgs_res, tg_res);
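Review bot: The new OID-storing loop hand-rolls a big-endian serialization that the file already gets from `ull_to_bytes` (used a few hunks earlier as `ull_to_bytes(sk, params.index_bytes, q)`); `ull_to_bytes(pk, XMSS_OID_LEN, h->oid); ull_to_bytes(sk, XMSS_OID_LEN, h->oid);` replaces the loop and the `size_t i` added in the `@@ -208,6 +210,7 @@` hunk, assuming that helper is the big-endian writer its use for the signature index suggests. Note also that `h->oid` is declared `uint8_t` in `struct param_t`, so every byte but the last of the `XMSS_OID_LEN` written is always zero; that matches the single-byte OIDs in the table, but it is the field to widen if larger OIDs are ever added. A comment stating intent, `/* Prefix pk and sk with the big-endian XMSS OID they are generated for. */`, would say more than `// Store key OIDs`. `siggen_KAT` starts before this hunk and continues after it.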
@@ -263,8 +272,8 @@ void siggen_KAT(const struct param_t *h) {
 sprintf(buf, "XMSS-%s-%s-H%u/%s", "sigGen", h->hash, h->height, "expectedResults.json");
 json_object_to_file_ext(buf, jres, JSON_C_TO_STRING_SPACED | JSON_C_TO_STRING_PRETTY);
- json_object_put(jres);
 json_object_put(jreq);
+ json_object_put(jres);
 }
 int main() {
@@ -285,7 +294,7 @@ int main() {
 {0x15, "XMSS-SHAKE256_20_192", "SHAKE256-N24", 20, 3} // H20
 };
- for (size_t i=0; i<12; i++) {
+ for (size_t i=0; i
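Review bot: `sprintf(buf, "XMSS-%s-%s-H%u/%s", ...)` on the first line of this hunk writes a path into `buf` with no bound; `buf`'s declaration is outside the hunk and the inputs come from the fixed parameter table, so it cannot overflow today, but `snprintf(buf, sizeof buf, ...)` followed by a truncation check costs nothing and survives a longer hash name later (use the array's size if `buf` is an array, its allocated length otherwise). Swapping the order of the two `json_object_put` calls is harmless, since `jreq` and `jres` are independent objects each created by `json_object_new_object()` in `siggen_KAT`. `siggen_KAT` begins outside this hunk.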