Merge pull request #839 from mpg/reject-low-order-points-early-x25519-restricted
Reject low order points early x25519
commit
89a1ebc20b
5 changed files with 3287 additions and 3040 deletions
6
ChangeLog.d/reject-low-order-points-early.txt
Normal file
6
ChangeLog.d/reject-low-order-points-early.txt
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
Security
|
||||||
|
* An adversary with access to precise enough timing information (typically, a
|
||||||
|
co-located process) could recover a Curve25519 or Curve448 static ECDH key
|
||||||
|
after inputting a chosen public key and observing the victim performing the
|
||||||
|
corresponding private-key operation. Found and reported by Leila Batina,
|
||||||
|
Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
|
|
@ -44,6 +44,46 @@
|
||||||
|
|
||||||
#include "mbedtls/bignum.h"
|
#include "mbedtls/bignum.h"
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Conversion macros for embedded constants:
|
||||||
|
* build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
|
||||||
|
*/
|
||||||
|
#if defined(MBEDTLS_HAVE_INT32)
|
||||||
|
|
||||||
|
#define MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ) \
|
||||||
|
( (mbedtls_mpi_uint) (a) << 0 ) | \
|
||||||
|
( (mbedtls_mpi_uint) (b) << 8 ) | \
|
||||||
|
( (mbedtls_mpi_uint) (c) << 16 ) | \
|
||||||
|
( (mbedtls_mpi_uint) (d) << 24 )
|
||||||
|
|
||||||
|
#define MBEDTLS_BYTES_TO_T_UINT_2( a, b ) \
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_4( a, b, 0, 0 )
|
||||||
|
|
||||||
|
#define MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ), \
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_4( e, f, g, h )
|
||||||
|
|
||||||
|
#else /* 64-bits */
|
||||||
|
|
||||||
|
#define MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
|
||||||
|
( (mbedtls_mpi_uint) (a) << 0 ) | \
|
||||||
|
( (mbedtls_mpi_uint) (b) << 8 ) | \
|
||||||
|
( (mbedtls_mpi_uint) (c) << 16 ) | \
|
||||||
|
( (mbedtls_mpi_uint) (d) << 24 ) | \
|
||||||
|
( (mbedtls_mpi_uint) (e) << 32 ) | \
|
||||||
|
( (mbedtls_mpi_uint) (f) << 40 ) | \
|
||||||
|
( (mbedtls_mpi_uint) (g) << 48 ) | \
|
||||||
|
( (mbedtls_mpi_uint) (h) << 56 )
|
||||||
|
|
||||||
|
#define MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ) \
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
|
||||||
|
|
||||||
|
#define MBEDTLS_BYTES_TO_T_UINT_2( a, b ) \
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
|
||||||
|
|
||||||
|
#endif /* bits in mbedtls_mpi_uint */
|
||||||
|
|
||||||
#if defined(MBEDTLS_HAVE_ASM)
|
#if defined(MBEDTLS_HAVE_ASM)
|
||||||
|
|
||||||
#ifndef asm
|
#ifndef asm
|
||||||
|
|
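Review bot: The comment above the `MBEDTLS_BYTES_TO_T_UINT_*` macros does not say that they are only safe as elements of an array initializer. The expansions carry no outer parentheses, and on `MBEDTLS_HAVE_INT32` builds `MBEDTLS_BYTES_TO_T_UINT_8` expands to two comma-separated elements, so a use inside a larger expression would not evaluate the way it reads. Since the macros now sit in a header that ecp.c pulls in through `#include "bn_mul.h"` (and presumably other files as well), I would extend the comment with `* Only for use as elements of an mbedtls_mpi_uint array initializer; the expansion is not a single parenthesised expression.`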
100
library/ecp.c
100
library/ecp.c
|
@ -77,6 +77,7 @@
|
||||||
#include "mbedtls/platform_util.h"
|
#include "mbedtls/platform_util.h"
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
|
|
||||||
|
#include "bn_mul.h"
|
||||||
#include "ecp_invasive.h"
|
#include "ecp_invasive.h"
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
@ -2746,6 +2747,97 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
||||||
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
|
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
|
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
|
||||||
|
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
|
||||||
|
#define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)}
|
||||||
|
#define ECP_MPI_INIT_ARRAY(x) \
|
||||||
|
ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
|
||||||
|
/*
|
||||||
|
* Constants for the two points other than 0, 1, -1 (mod p) in
|
||||||
|
* https://cr.yp.to/ecdh.html#validate
|
||||||
|
* See ecp_check_pubkey_x25519().
|
||||||
|
*/
|
||||||
|
static const mbedtls_mpi_uint x25519_bad_point_1[] = {
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_8( 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae ),
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_8( 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a ),
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_8( 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd ),
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_8( 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 ),
|
||||||
|
};
|
||||||
|
static const mbedtls_mpi_uint x25519_bad_point_2[] = {
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_8( 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24 ),
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_8( 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b ),
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_8( 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86 ),
|
||||||
|
MBEDTLS_BYTES_TO_T_UINT_8( 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 ),
|
||||||
|
};
|
||||||
|
static const mbedtls_mpi ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY(
|
||||||
|
x25519_bad_point_1 );
|
||||||
|
static const mbedtls_mpi ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY(
|
||||||
|
x25519_bad_point_2 );
|
||||||
|
#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check that the input point is not one of the low-order points.
|
||||||
|
* This is recommended by the "May the Fourth" paper:
|
||||||
|
* https://eprint.iacr.org/2017/806.pdf
|
||||||
|
* Those points are never sent by an honest peer.
|
||||||
|
*/
|
||||||
|
static int ecp_check_bad_points_mx( const mbedtls_mpi *X, const mbedtls_mpi *P,
|
||||||
|
const mbedtls_ecp_group_id grp_id )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
mbedtls_mpi XmP;
|
||||||
|
|
||||||
|
mbedtls_mpi_init( &XmP );
|
||||||
|
|
||||||
|
/* Reduce X mod P so that we only need to check values less than P.
|
||||||
|
* We know X < 2^256 so we can proceed by subtraction. */
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &XmP, X ) );
|
||||||
|
while( mbedtls_mpi_cmp_mpi( &XmP, P ) >= 0 )
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &XmP, &XmP, P ) );
|
||||||
|
|
||||||
|
/* Check against the known bad values that are less than P. For Curve448
|
||||||
|
* these are 0, 1 and -1. For Curve25519 we check the values less than P
|
||||||
|
* from the following list: https://cr.yp.to/ecdh.html#validate */
|
||||||
|
if( mbedtls_mpi_cmp_int( &XmP, 1 ) <= 0 ) /* takes care of 0 and 1 */
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_ECP_INVALID_KEY;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
|
||||||
|
if( grp_id == MBEDTLS_ECP_DP_CURVE25519 )
|
||||||
|
{
|
||||||
|
if( mbedtls_mpi_cmp_mpi( &XmP, &ecp_x25519_bad_point_1 ) == 0 )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_ECP_INVALID_KEY;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( mbedtls_mpi_cmp_mpi( &XmP, &ecp_x25519_bad_point_2 ) == 0 )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_ECP_INVALID_KEY;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
(void) grp_id;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Final check: check if XmP + 1 is P (final because it changes XmP!) */
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &XmP, &XmP, 1 ) );
|
||||||
|
if( mbedtls_mpi_cmp_mpi( &XmP, P ) == 0 )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_ECP_INVALID_KEY;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
mbedtls_mpi_free( &XmP );
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Check validity of a public key for Montgomery curves with x-only schemes
|
* Check validity of a public key for Montgomery curves with x-only schemes
|
||||||
*/
|
*/
|
||||||
|
@ -2757,7 +2849,13 @@ static int ecp_check_pubkey_mx( const mbedtls_ecp_group *grp, const mbedtls_ecp_
|
||||||
if( mbedtls_mpi_size( &pt->X ) > ( grp->nbits + 7 ) / 8 )
|
if( mbedtls_mpi_size( &pt->X ) > ( grp->nbits + 7 ) / 8 )
|
||||||
return( MBEDTLS_ERR_ECP_INVALID_KEY );
|
return( MBEDTLS_ERR_ECP_INVALID_KEY );
|
||||||
|
|
||||||
return( 0 );
|
/* Implicit in all standards (as they don't consider negative numbers):
|
||||||
|
* X must be non-negative. This is normally ensured by the way it's
|
||||||
|
* encoded for transmission, but let's be extra sure. */
|
||||||
|
if( mbedtls_mpi_cmp_int( &pt->X, 0 ) < 0 )
|
||||||
|
return( MBEDTLS_ERR_ECP_INVALID_KEY );
|
||||||
|
|
||||||
|
return( ecp_check_bad_points_mx( &pt->X, &grp->P, grp->id ) );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
|
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
|
||||||
|
|
||||||
|
|
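Review bot: In `ecp_check_bad_points_mx()` the reduction loop `while( mbedtls_mpi_cmp_mpi( &XmP, P ) >= 0 )` is bounded only because `ecp_check_pubkey_mx()` has already rejected any X longer than `( grp->nbits + 7 ) / 8` bytes and any negative X, and nothing in the new function states that dependency. The comment `We know X < 2^256` also holds only for Curve25519, while the function is reached for Curve448 too. I would put the precondition in the function header, for example `* The caller must already have checked 0 <= X < 2^(8 * ceil(nbits/8)); the reduction then needs at most two subtractions.`, so that a later reordering of the checks in the caller cannot turn an oversized peer-supplied X into a long-running subtraction loop. Separately, `int ret;` is declared uninitialised; every path assigns it before `cleanup` today, but initialising it to an error value would keep that true under future edits.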
6049
library/ecp_curves.c
6049
library/ecp_curves.c
File diff suppressed because it is too large
|
@ -33,13 +33,133 @@ ECP curve info #8
|
||||||
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||||
mbedtls_ecp_curve_info:MBEDTLS_ECP_DP_SECP192R1:19:192:"secp192r1"
|
mbedtls_ecp_curve_info:MBEDTLS_ECP_DP_SECP192R1:19:192:"secp192r1"
|
||||||
|
|
||||||
ECP check pubkey Montgomery #1 (too big)
|
ECP check pubkey Curve25519 #1 (biggest)
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":0
|
||||||
|
|
||||||
|
ECP check pubkey Curve25519 #2 (too big)
|
||||||
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"010000000000000000000000000000000000000000000000000000000000000000":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"010000000000000000000000000000000000000000000000000000000000000000":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
ECP check pubkey Montgomery #2 (biggest)
|
ECP check pubkey Curve25519 #3 (DoS big)
|
||||||
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":0
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"0100000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
ECP check pubkey Curve25519 y ignored
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"2":"-1":"1":0
|
||||||
|
|
||||||
|
ECP check pubkey Curve25519 z is not 1
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"2":"0":"2":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
ECP check pubkey Curve25519 x negative
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"-2":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #1
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"0":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #2
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"1":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #3 (let's call this u)
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"b8495f16056286fdb1329ceb8d09da6ac49ff1fae35616aeb8413b7c7aebe0":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #4 (let's call this v)
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"57119fd0dd4e22d8868e1c58c45c44045bef839c55b1d0b1248c50a3bc959c5f":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #5 p-1
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #6 p
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #7 p+1
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffee":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #8 p+u
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"80b8495f16056286fdb1329ceb8d09da6ac49ff1fae35616aeb8413b7c7aebcd":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #9 p+v
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"d7119fd0dd4e22d8868e1c58c45c44045bef839c55b1d0b1248c50a3bc959c4c":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #10 2p-1
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd9":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #11 2p
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffda":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
# see https://cr.yp.to/ecdh.html#validate
|
||||||
|
ECP check pubkey Curve25519 low-order point #12 2p+1
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdb":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
ECP check pubkey Curve448 #1 (biggest)
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":0
|
||||||
|
|
||||||
|
ECP check pubkey Curve448 #2 (too big)
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
ECP check pubkey Curve448 #3 (DoS big)
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"0100000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
ECP check pubkey Curve448 y ignored
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"2":"-1":"1":0
|
||||||
|
|
||||||
|
ECP check pubkey Curve448 z is not 1
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"2":"0":"2":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
ECP check pubkey Curve448 x negative
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"-2":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
ECP check pubkey Curve448 low-order point #1
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"0":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
ECP check pubkey Curve448 low-order point #2
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"1":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
ECP check pubkey Curve448 low-order point #3 p-1
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
ECP check pubkey Curve448 low-order point #4 p
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
|
ECP check pubkey Curve448 low-order point #5 p+1
|
||||||
|
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||||
|
ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
ECP check pubkey Koblitz #1 (point not on curve)
|
ECP check pubkey Koblitz #1 (point not on curve)
|
||||||
depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
|
depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
|
||||||
|
@ -473,15 +593,15 @@ ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2
|
||||||
|
|
||||||
ECP point multiplication Curve25519 (element of order 2: origin) #3
|
ECP point multiplication Curve25519 (element of order 2: origin) #3
|
||||||
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"00":"00":"01":"00":"01":"00":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
|
ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"00":"00":"01":"00":"01":"00":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
ECP point multiplication Curve25519 (element of order 4: 1) #4
|
ECP point multiplication Curve25519 (element of order 4: 1) #4
|
||||||
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"01":"00":"01":"00":"01":"00":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
|
ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"01":"00":"01":"00":"01":"00":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
ECP point multiplication Curve25519 (element of order 8) #5
|
ECP point multiplication Curve25519 (element of order 8) #5
|
||||||
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"B8495F16056286FDB1329CEB8D09DA6AC49FF1FAE35616AEB8413B7C7AEBE0":"00":"01":"00":"01":"00":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
|
ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"B8495F16056286FDB1329CEB8D09DA6AC49FF1FAE35616AEB8413B7C7AEBE0":"00":"01":"00":"01":"00":MBEDTLS_ERR_ECP_INVALID_KEY
|
||||||
|
|
||||||
ECP point multiplication rng fail secp256r1
|
ECP point multiplication rng fail secp256r1
|
||||||
depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||||
|
|
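Review bot: The three `ecp_test_mul` cases for the order-2, order-4 and order-8 inputs now expect `MBEDTLS_ERR_ECP_INVALID_KEY` where they previously expected `MBEDTLS_ERR_MPI_NOT_ACCEPTABLE`, which is a caller-visible change of return code that the ChangeLog entry in this commit does not mention. An application that matched the old code on such inputs would no longer recognise the failure, so I would add a line to the entry such as `* Low-order Curve25519 inputs to point multiplication now fail with MBEDTLS_ERR_ECP_INVALID_KEY instead of MBEDTLS_ERR_MPI_NOT_ACCEPTABLE.` The new `ecp_check_pub` cases also test no accepted value adjacent to p-1 (such as p-2), so a comparison that rejected one value too many near `XmP + 1 == P` would go unnoticed; one accept case per curve there would pin the boundary.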