failing wycheproof test - extreme value for k and edgecase s

karel-m · karel-m · commit 4adf30ce9a0a · 2018-11-07T09:13:25.000+01:00
diff --git a/tests/ecc_test.c b/tests/ecc_test.c
@@ -295,91 +295,118 @@ static int _ecc_issue443_447(void)
 static int _ecc_issue446(void)
 {
    const ltc_ecc_curve* cu;
-   ecc_key key;
+   ecc_key key1, key2;
    int err, stat = 0;
    unsigned char hash[64];
    unsigned long hashlen;
    const unsigned char msg1[] = { 0x31,0x32,0x33,0x34,0x30,0x30 };
    const unsigned char msg2[] = { 0x36,0x39,0x38,0x31,0x39 };
-   const unsigned char pub[] = {
-      0x04,
+   const unsigned char msg3[] = { 0x4d,0x73,0x67 };
+   const unsigned char pub1[] = {
+      0x04, /* secp256r1 */
       0x29,0x27,0xb1,0x05,0x12,0xba,0xe3,0xed,0xdc,0xfe,0x46,0x78,0x28,0x12,0x8b,0xad,
       0x29,0x03,0x26,0x99,0x19,0xf7,0x08,0x60,0x69,0xc8,0xc4,0xdf,0x6c,0x73,0x28,0x38,
       0xc7,0x78,0x79,0x64,0xea,0xac,0x00,0xe5,0x92,0x1f,0xb1,0x49,0x8a,0x60,0xf4,0x60,
       0x67,0x66,0xb3,0xd9,0x68,0x50,0x01,0x55,0x8d,0x1a,0x97,0x4e,0x73,0x41,0x51,0x3e
    };
-   /* msg1+pub+sig1 test vector is from wycheproof/ecdsa_test VALID */
+   const unsigned char pub2[] = {
+      0x04, /* secp224r1 */
+      0x53,0x88,0x35,0x38,0xd8,0x66,0x09,0x21,0x7a,0x4d,0x9c,0x27,0x99,0x2e,
+      0x2b,0xd7,0x04,0xa4,0xbb,0x12,0xfb,0x91,0x25,0x3c,0xd4,0xf4,0x96,0xfa,
+      0x00,0xb3,0x2f,0x3a,0x2d,0x15,0x3a,0x52,0xbb,0x57,0x76,0x50,0xcd,0xf1,
+      0xb7,0x3a,0x34,0x05,0x35,0xc7,0xe7,0x3d,0xeb,0x59,0x9a,0xa9,0x50,0x88
+   };
+   /* msg1+pub1+sig1 test vector is from wycheproof/ecdsa_test VALID */
    const unsigned char sig1[] = {
       0x30,0x45,0x02,0x20,0x2b,0xa3,0xa8,0xbe,0x6b,0x94,0xd5,0xec,0x80,0xa6,0xd9,0xd1,0x19,0x0a,
       0x43,0x6e,0xff,0xe5,0x0d,0x85,0xa1,0xee,0xe8,0x59,0xb8,0xcc,0x6a,0xf9,0xbd,0x5c,0x2e,0x18,
       0x02,0x21,0x00,0xb3,0x29,0xf4,0x79,0xa2,0xbb,0xd0,0xa5,0xc3,0x84,0xee,0x14,0x93,0xb1,0xf5,
       0x18,0x6a,0x87,0x13,0x9c,0xac,0x5d,0xf4,0x08,0x7c,0x13,0x4b,0x49,0x15,0x68,0x47,0xdb
    };
-   /* msg1+pub+sig2 test vector is from wycheproof/ecdsa_test INVALID (changing tag value of sequence) */
+   /* msg1+pub1+sig2 test vector is from wycheproof/ecdsa_test INVALID (changing tag value of sequence) */
    const unsigned char sig2[] = {
       0x31,0x45,0x02,0x20,0x2b,0xa3,0xa8,0xbe,0x6b,0x94,0xd5,0xec,0x80,0xa6,0xd9,0xd1,0x19,0x0a,
       0x43,0x6e,0xff,0xe5,0x0d,0x85,0xa1,0xee,0xe8,0x59,0xb8,0xcc,0x6a,0xf9,0xbd,0x5c,0x2e,0x18,
       0x02,0x21,0x00,0xb3,0x29,0xf4,0x79,0xa2,0xbb,0xd0,0xa5,0xc3,0x84,0xee,0x14,0x93,0xb1,0xf5,
       0x18,0x6a,0x87,0x13,0x9c,0xac,0x5d,0xf4,0x08,0x7c,0x13,0x4b,0x49,0x15,0x68,0x47,0xdb
    };
-   /* msg2+pub+sig3 test vector is from wycheproof/ecdsa_test VALID (Edge case for Shamir multiplication) */
+   /* msg2+pub1+sig3 test vector is from wycheproof/ecdsa_test VALID (Edge case for Shamir multiplication) */
    const unsigned char sig3[] = {
       0x30,0x44,0x02,0x20,0x64,0xa1,0xaa,0xb5,0x00,0x0d,0x0e,0x80,0x4f,0x3e,0x2f,0xc0,0x2b,0xde,
       0xe9,0xbe,0x8f,0xf3,0x12,0x33,0x4e,0x2b,0xa1,0x6d,0x11,0x54,0x7c,0x97,0x71,0x1c,0x89,0x8e,
       0x02,0x20,0x6a,0xf0,0x15,0x97,0x1c,0xc3,0x0b,0xe6,0xd1,0xa2,0x06,0xd4,0xe0,0x13,0xe0,0x99,
       0x77,0x72,0xa2,0xf9,0x1d,0x73,0x28,0x6f,0xfd,0x68,0x3b,0x9b,0xb2,0xcf,0x4f,0x1b
    };
-   /* msg1+pub+sig4 test vector is from wycheproof/ecdsa_test INVALID (long form encoding of length) */
+   /* msg1+pub1+sig4 test vector is from wycheproof/ecdsa_test INVALID (long form encoding of length) */
    const unsigned char sig4[] = {
       0x30,0x81,0x45,0x02,0x20,0x2b,0xa3,0xa8,0xbe,0x6b,0x94,0xd5,0xec,0x80,0xa6,0xd9,0xd1,0x19,
       0x0a,0x43,0x6e,0xff,0xe5,0x0d,0x85,0xa1,0xee,0xe8,0x59,0xb8,0xcc,0x6a,0xf9,0xbd,0x5c,0x2e,
       0x18,0x02,0x21,0x00,0xb3,0x29,0xf4,0x79,0xa2,0xbb,0xd0,0xa5,0xc3,0x84,0xee,0x14,0x93,0xb1,
       0xf5,0x18,0x6a,0x87,0x13,0x9c,0xac,0x5d,0xf4,0x08,0x7c,0x13,0x4b,0x49,0x15,0x68,0x47,0xdb
    };
-   /* msg1+pub+sig5 test vector is from wycheproof/ecdsa_test INVALID (length contains leading 0) */
+   /* msg1+pub1+sig5 test vector is from wycheproof/ecdsa_test INVALID (length contains leading 0) */
    const unsigned char sig5[] = {
       0x30,0x82,0x00,0x45,0x02,0x20,0x2b,0xa3,0xa8,0xbe,0x6b,0x94,0xd5,0xec,0x80,0xa6,0xd9,0xd1,
       0x19,0x0a,0x43,0x6e,0xff,0xe5,0x0d,0x85,0xa1,0xee,0xe8,0x59,0xb8,0xcc,0x6a,0xf9,0xbd,0x5c,
       0x2e,0x18,0x02,0x21,0x00,0xb3,0x29,0xf4,0x79,0xa2,0xbb,0xd0,0xa5,0xc3,0x84,0xee,0x14,0x93,
       0xb1,0xf5,0x18,0x6a,0x87,0x13,0x9c,0xac,0x5d,0xf4,0x08,0x7c,0x13,0x4b,0x49,0x15,0x68,0x47,0xdb
    };
+   /* msg3+pub2+sig6 test vector is from wycheproof/ecdsa_test VALID (extreme value for k and edgecase s) */
+   const unsigned char sig6[] = {
+      0x30,0x3c,0x02,0x1c,0x70,0x6a,0x46,0xdc,0x76,0xdc,0xb7,0x67,0x98,0xe6,0x0e,0x6d,0x89,0x47,0x47,0x88,0xd1,
+      0x6d,0xc1,0x80,0x32,0xd2,0x68,0xfd,0x1a,0x70,0x4f,0xa6,0x02,0x1c,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,
+      0x55,0x55,0x55,0x55,0x55,0x55,0x07,0x8b,0xa0,0x3d,0xa5,0x6a,0x06,0x9f,0x0d,0xc1,0xc9,0x74,0x0e,0x14
+   };
 
-   hashlen = sizeof(hash);
-   DO(hash_memory(find_hash("sha256"), msg1, sizeof(msg1), hash, &hashlen));
    DO(ecc_find_curve("secp256r1", &cu));
-   DO(ecc_set_curve(cu, &key));
-   DO(ecc_set_key(pub, sizeof(pub), PK_PUBLIC, &key));
+   DO(ecc_set_curve(cu, &key1));
+   DO(ecc_set_key(pub1, sizeof(pub1), PK_PUBLIC, &key1));
 
-   DO(ecc_verify_hash(sig1, sizeof(sig1), hash, hashlen, &stat, &key));
+   DO(ecc_find_curve("secp224r1", &cu));
+   DO(ecc_set_curve(cu, &key2));
+   DO(ecc_set_key(pub2, sizeof(pub2), PK_PUBLIC, &key2));
+
+   hashlen = sizeof(hash);
+   DO(hash_memory(find_hash("sha256"), msg1, sizeof(msg1), hash, &hashlen));
+   DO(ecc_verify_hash(sig1, sizeof(sig1), hash, hashlen, &stat, &key1));
    if (stat != 1) return CRYPT_FAIL_TESTVECTOR; /* expected result: VALID */
 
-   err = ecc_verify_hash(sig2, sizeof(sig2), hash, hashlen, &stat, &key);
+   err = ecc_verify_hash(sig2, sizeof(sig2), hash, hashlen, &stat, &key1);
    if (err == CRYPT_OK && stat == 1) {
       fprintf(stderr, "XXX-TODO should fail - wycheproof / changing tag value of sequence\n");
       /* return CRYPT_FAIL_TESTVECTOR; / * expected result: INVALID */
    }
 
-   err = ecc_verify_hash(sig4, sizeof(sig4), hash, hashlen, &stat, &key);
+   err = ecc_verify_hash(sig4, sizeof(sig4), hash, hashlen, &stat, &key1);
    if (err == CRYPT_OK && stat == 1) {
       fprintf(stderr, "XXX-TODO should fail - wycheproof / long form encoding of length\n");
       /* return CRYPT_FAIL_TESTVECTOR; / * expected result: INVALID */
    }
 
-   err = ecc_verify_hash(sig5, sizeof(sig5), hash, hashlen, &stat, &key);
+   err = ecc_verify_hash(sig5, sizeof(sig5), hash, hashlen, &stat, &key1);
    if (err == CRYPT_OK && stat == 1) {
       fprintf(stderr, "XXX-TODO should fail - wycheproof / length contains leading 0\n");
       /* return CRYPT_FAIL_TESTVECTOR; / * expected result: INVALID */
    }
 
    hashlen = sizeof(hash);
    DO(hash_memory(find_hash("sha256"), msg2, sizeof(msg2), hash, &hashlen));
-   DO(ecc_verify_hash(sig3, sizeof(sig3), hash, hashlen, &stat, &key));
+   DO(ecc_verify_hash(sig3, sizeof(sig3), hash, hashlen, &stat, &key1));
    if (stat != 1) {
       fprintf(stderr, "XXX-TODO should be valid - wycheproof / Edge case for Shamir multiplication\n");
       /* return CRYPT_FAIL_TESTVECTOR; / * expected result: VALID */
    }
 
-   ecc_free(&key);
+   hashlen = sizeof(hash);
+   DO(hash_memory(find_hash("sha224"), msg3, sizeof(msg3), hash, &hashlen));
+   DO(ecc_verify_hash(sig6, sizeof(sig6), hash, hashlen, &stat, &key2));
+   if (stat != 1) {
+      fprintf(stderr, "XXX-TODO should be valid - wycheproof / extreme value for k and edgecase s\n");
+      /* return CRYPT_FAIL_TESTVECTOR; / * expected result: VALID */
+   }
+
+   ecc_free(&key1);
+   ecc_free(&key2);
    return CRYPT_OK;
 }
 
