Commit 2397757b authored by Niels Möller

Fix bug in ecc_ecdsa_verify.

* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.
* testsuite/ecdsa-verify-test.c (test_main): Add test case that
triggers an assert on 64-bit platforms, without above fix.
* testsuite/ecdsa-sign-test.c (test_main): Test case generating
the same signature.
parent 5b7608fd
2021-03-13 Niels Möller <nisse@lysator.liu.se>
* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.
* testsuite/ecdsa-verify-test.c (test_main): Add test case that
triggers an assert on 64-bit platforms, without above fix.
* testsuite/ecdsa-sign-test.c (test_main): Test case generating
the same signature.
2021-03-13 Niels Möller <nisse@lysator.liu.se>
* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
2021-03-11 Niels Möller <nisse@lysator.liu.se>
* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
......
......@@ -102,10 +102,10 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc,
/* u1 = h / s, P1 = u1 * G */
ecc_hash (&ecc->q, hp, length, digest);
ecc_mod_mul (&ecc->q, u1, hp, sinv, u1);
ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
/* u2 = r / s, P2 = u2 * Y */
ecc_mod_mul (&ecc->q, u2, rp, sinv, u2);
ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
/* Total storage: 5*ecc->p.size + ecc->mul_itch */
ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
......
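Review bot: The two replaced calls in ecc_ecdsa_verify have no comment saying why the canonical variant is required, so a later cleanup could swap `ecc_mod_mul` back in unnoticed. u1 and u2 are computed from the digest and the signature values, which are untrusted on the verify path, and the commit message says the unreduced form reached an assert on 64-bit platforms, so this guards a crash reachable from a crafted signature. I would add above the first call something like `/* Scalars for the ecc multiplication must be fully reduced mod q; u1 and u2 derive from the digest and signature. */`, with the "must" inferred from the commit message rather than from code visible here. Both calls also pass the output (`u1`, `u2`) again as the last argument; whether `ecc_mod_mul_canonical` accepts that overlap is not visible in this hunk and should be confirmed against ecc-mod-arith.c. The function body starts and ends outside the hunk.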
......@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
void
test_main (void)
{
/* Producing the signature for corresponding test in
ecdsa-verify-test.c, with special u1 and u2. */
test_ecdsa (&_nettle_secp_224r1,
"99b5b787484def12894ca507058b3bf5"
"43d72d82fa7721d2e805e5e6",
"2",
SHEX("cdb887ac805a3b42e22d224c85482053"
"16c755d4a736bb2032c92553"),
"706a46dc76dcb76798e60e6d89474788"
"d16dc18032d268fd1a704fa6", /* r */
"3a41e1423b1853e8aa89747b1f987364"
"44705d6d6d8371ea1f578f2e"); /* s */
/* Test cases for the smaller groups, verified with a
proof-of-concept implementation done for Yubico AB. */
test_ecdsa (&_nettle_secp_192r1,
......
......@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
void
test_main (void)
{
/* Corresponds to nonce k = 2 and private key z =
0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
hash are chosen so that intermediate scalars in the verify
equations are u1 = 0x6b245680e700, u2 =
259da6542d4ba7d21ad916c3bd57f811. These values require canonical
reduction of the scalars. Bug caused by missing canonical
reduction reported by Guido Vranken. */
test_ecdsa (&_nettle_secp_224r1,
"9e7e6cc6b1bdfa8ee039b66ad85e5490"
"7be706a900a3cba1c8fdd014", /* x */
"74855db3f7c1b4097ae095745fc915e3"
"8a79d2a1de28f282eafb22ba", /* y */
SHEX("cdb887ac805a3b42e22d224c85482053"
"16c755d4a736bb2032c92553"),
"706a46dc76dcb76798e60e6d89474788"
"d16dc18032d268fd1a704fa6", /* r */
"3a41e1423b1853e8aa89747b1f987364"
"44705d6d6d8371ea1f578f2e"); /* s */
/* Test case provided by Guido Vranken, from oss-fuzz */
test_ecdsa (&_nettle_secp_192r1,
"14683086 f1734c6d e68743a6 48181b54 a74d4c5b 383eb6a8", /* x */
......
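Review bot: In the comment added at the top of test_main, u2 is written without the `0x` prefix that z and u1 carry; `u2 = 0x259da6542d4ba7d21ad916c3bd57f811` would be consistent. The comment says these values "require canonical reduction" but records neither what makes them special nor the failure mode, which the commit message gives as an assert on 64-bit platforms. One more sentence stating that would keep this regression test self-explanatory, since it is the only guard against reintroducing a crash on signature input. test_main continues outside the hunk.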