From 05a708f7e2d7a1a264b7b0e3210dbdf7e884b5da Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 26 Apr 2019 15:06:22 +0100 Subject: [PATCH] Add negative tests for Curve25519 If we provide low order element as a public key and the implementation maps the point in infinity to the origin, we can force the common secret to be zero. According to the standard (RFC 7748) this is allowed but in this case the primitive must not be used in a protocol that requires contributory behaviour. Mbed Crypto returns an error when the result is the point in the infinity and does not map it to the origin. This is safe even if used in protocols that require contributory behaviour. This commit adds test cases that verify that Mbed Crypto returns an error when low order public keys are processed. The low order elements in the test cases were taken from this website: https://cr.yp.to/ecdh.html --- tests/suites/test_suite_ecp.data | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index 22f36fa3bc..51f7e39e63 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data @@ -430,6 +430,22 @@ ECP point multiplication Curve25519 (normalized) #1 depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"09":"00":"01":"057E23EA9F1CBE8A27168F6E696A791DE61DD3AF7ACD4EEACC6E7BA514FDA863":"00":"01":0 +ECP point multiplication Curve25519 (not normalized) #2 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"1B":"00":"03":"057E23EA9F1CBE8A27168F6E696A791DE61DD3AF7ACD4EEACC6E7BA514FDA863":"00":"01":MBEDTLS_ERR_ECP_INVALID_KEY + +ECP point multiplication Curve25519 (element of order 2: origin) #3 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"00":"00":"01":"00":"01":"00":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + +ECP point multiplication Curve25519 (element of order 4: 1) #4 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"01":"00":"01":"00":"01":"00":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + +ECP point multiplication Curve25519 (element of order 8) #5 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"B8495F16056286FDB1329CEB8D09DA6AC49FF1FAE35616AEB8413B7C7AEBE0":"00":"01":"00":"01":"00":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + ECP test vectors Curve448 (RFC 7748 6.2, after decodeUCoordinate) depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ecp_test_vec_x:MBEDTLS_ECP_DP_CURVE448:"eb7298a5c0d8c29a1dab27f1a6826300917389449741a974f5bac9d98dc298d46555bce8bae89eeed400584bb046cf75579f51d125498f98":"a01fc432e5807f17530d1288da125b0cd453d941726436c8bbd9c5222c3da7fa639ce03db8d23b274a0721a1aed5227de6e3b731ccf7089b":"ad997351b6106f36b0d1091b929c4c37213e0d2b97e85ebb20c127691d0dad8f1d8175b0723745e639a3cb7044290b99e0e2a0c27a6a301c":"0936f37bc6c1bd07ae3dec7ab5dc06a73ca13242fb343efc72b9d82730b445f3d4b0bd077162a46dcfec6f9b590bfcbcf520cdb029a8b73e":"9d874a5137509a449ad5853040241c5236395435c36424fd560b0cb62b281d285275a740ce32a22dd1740f4aa9161cec95ccc61a18f4ff07"