author | Niels Möller <nisse@lysator.liu.se> | 2021-03-13 15:19:19 +0100 |
---|---|---|
committer | Niels Möller <nisse@lysator.liu.se> | 2021-03-17 10:23:37 +0100 |
commit | 74ee0e82b6891e090f20723750faeb19064e31b2 (patch) | |
tree | e721d3c9d10a6cf62ff0a4fdc087cfc198df633f | |
parent | 971bed6ab4b27014eb23085e8176917e1a096fd5 (diff) | |
download | nettle-74ee0e82b6891e090f20723750faeb19064e31b2.tar.gz |
Fix bug in ecc_ecdsa_verify.
* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.
* testsuite/ecdsa-verify-test.c (test_main): Add test case that
triggers an assert on 64-bit platforms, without above fix.
* testsuite/ecdsa-sign-test.c (test_main): Test case generating
the same signature.
(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | ecc-ecdsa-verify.c | 4 | ||||
-rw-r--r-- | testsuite/ecdsa-sign-test.c | 13 | ||||
-rw-r--r-- | testsuite/ecdsa-verify-test.c | 20 |
4 files changed, 44 insertions, 3 deletions
@@ -1,7 +1,15 @@
 2021-03-13 Niels Möller <nisse@lysator.liu.se>
- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+ to compute the scalars used for ecc multiplication.
+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+ triggers an assert on 64-bit platforms, without above fix.
+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating
+ the same signature.
+
+2021-03-13 Niels Möller <nisse@lysator.liu.se>
+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
 2021-03-11 Niels Möller <nisse@lysator.liu.se>
 * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c
index 1b2dcca7..f3b112b0 100644
--- a/ecc-ecdsa-verify.c
+++ b/ecc-ecdsa-verify.c
@@ -102,10 +102,10 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc,
 /* u1 = h / s, P1 = u1 * G */
 ecc_hash (&ecc->q, hp, length, digest);
- ecc_mod_mul (&ecc->q, u1, hp, sinv, u1);
+ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
 /* u2 = r / s, P2 = u2 * Y */
- ecc_mod_mul (&ecc->q, u2, rp, sinv, u2);
+ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
 /* Total storage: 5*ecc->p.size + ecc->mul_itch */
 ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
diff --git a/testsuite/ecdsa-sign-test.c b/testsuite/ecdsa-sign-test.c
index b240a31b..08a10a1d 100644
--- a/testsuite/ecdsa-sign-test.c
+++ b/testsuite/ecdsa-sign-test.c
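Review bot: Neither of the two `ecc_mod_mul_canonical` calls records why the canonical form is required at exactly these two points, so a later reader cannot tell from the code that `ecc->mul` apparently depends on a fully reduced scalar (the ChangeLog says a non-reduced u1/u2 trips an assert on 64-bit platforms). Suggest extending the u1 comment to `/* u1 = h / s, P1 = u1 * G. Fully reduced mod q: ecc->mul needs a canonical scalar, see testsuite/ecdsa-verify-test.c. */` and adding `/* canonical for the same reason as u1 */` above the u2 multiplication. If that assert is compiled out in NDEBUG builds, the reduction done here is the only thing preventing a non-canonical scalar from producing a wrong point silently, which is worth saying in the comment too. The body of ecc_ecdsa_verify starts before and ends after this hunk.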
@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
 void
 test_main (void)
 {
+ /* Producing the signature for corresponding test in
+ ecdsa-verify-test.c, with special u1 and u2. */
+ test_ecdsa (&_nettle_secp_224r1,
+ "99b5b787484def12894ca507058b3bf5"
+ "43d72d82fa7721d2e805e5e6",
+ "2",
+ SHEX("cdb887ac805a3b42e22d224c85482053"
+ "16c755d4a736bb2032c92553"),
+ "706a46dc76dcb76798e60e6d89474788"
+ "d16dc18032d268fd1a704fa6", /* r */
+ "3a41e1423b1853e8aa89747b1f987364"
+ "44705d6d6d8371ea1f578f2e"); /* s */
+
 /* Test cases for the smaller groups, verified with a proof-of-concept implementation done for Yubico AB. */
 test_ecdsa (&_nettle_secp_192r1,
diff --git a/testsuite/ecdsa-verify-test.c b/testsuite/ecdsa-verify-test.c
index 3ceac0eb..8110c64d 100644
--- a/testsuite/ecdsa-verify-test.c
+++ b/testsuite/ecdsa-verify-test.c
@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
 void
 test_main (void)
 {
+ /* Corresponds to nonce k = 2 and private key z =
+ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
+ hash are chosen so that intermediate scalars in the verify
+ equations are u1 = 0x6b245680e700, u2 =
+ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
+ reduction of the scalars. Bug caused by missing canonical
+ reduction reported by Guido Vranken. */
+ test_ecdsa (&_nettle_secp_224r1,
+ "9e7e6cc6b1bdfa8ee039b66ad85e5490"
+ "7be706a900a3cba1c8fdd014", /* x */
+ "74855db3f7c1b4097ae095745fc915e3"
+ "8a79d2a1de28f282eafb22ba", /* y */
+
+ SHEX("cdb887ac805a3b42e22d224c85482053"
+ "16c755d4a736bb2032c92553"),
+ "706a46dc76dcb76798e60e6d89474788"
+ "d16dc18032d268fd1a704fa6", /* r */
+ "3a41e1423b1853e8aa89747b1f987364"
+ "44705d6d6d8371ea1f578f2e"); /* s */
+
 /* Test case provided by Guido Vranken, from oss-fuzz */
 test_ecdsa (&_nettle_secp_192r1,
 "14683086 f1734c6d e68743a6 48181b54 a74d4c5b 383eb6a8", /* x */ |
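Review bot: The two arguments before the hash in the new secp224r1 call carry no label, unlike the `/* r */` and `/* s */` lines of the same call; from the matching case in testsuite/ecdsa-verify-test.c, `"99b5…e5e6"` is evidently the private key z and `"2"` the nonce k. Suggest `"43d72d82fa7721d2e805e5e6", /* z */` and `"2", /* k */`, and widening the lead comment to say what "special" means, e.g. `/* Produces the signature used by the corresponding secp224r1 test in ecdsa-verify-test.c: key z and nonce k = 2 are chosen so that the verifier's u1 and u2 need canonical reduction. */`. Since the comment refers to "special u1 and u2" that only exist on the verify side, naming the file and curve explicitly keeps the two tests linked if either is moved.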
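Review bot: The new comment writes the two scalars inconsistently: u1 has a `0x` prefix while `u2 = 259da6542d4ba7d21ad916c3bd57f811` has none and reads as decimal at a glance; suggest `u2 = 0x259da6542d4ba7d21ad916c3bd57f811`. The comment should also record that the regression is only observed on 64-bit platforms, as the ChangeLog states, so a passing run on a 32-bit build is not read as evidence the faulty path was exercised, e.g. `/* Without canonical reduction this case triggers an assert on 64-bit platforms. */`. The stray blank line between the `/* y */` argument and `SHEX(` inside the argument list looks accidental and does not match the other test_ecdsa calls in the hunk.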