From 4eb5868ce8963827aa6e00a01ed90df488b288fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?=
Date: Wed, 14 Sep 2022 16:17:52 +0200
Subject: Fix ECDSA verify corner case

* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_nonsec_add_jjj, to produce correct result in a corner case where point addition needs to use point duplication. Also use ecc_j_to_a rather than ecc->h_to_a, since ecdsa supports only weierstrass curves.
* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Analogous change.
* testsuite/ecdsa-verify-test.c (test_main): Add corresponding test.
* testsuite/ecdsa-sign-test.c (test_main): And a test producing the problematic signature.
---
 testsuite/ecdsa-sign-test.c | 12 ++++++++++++
 testsuite/ecdsa-verify-test.c | 15 +++++++++++++++
 2 files changed, 27 insertions(+)
(limited to 'testsuite')
diff --git a/testsuite/ecdsa-sign-test.c b/testsuite/ecdsa-sign-test.c
index c79493ae..b8a100b6 100644
--- a/testsuite/ecdsa-sign-test.c
+++ b/testsuite/ecdsa-sign-test.c
@@ -77,6 +77,18 @@ test_main (void)
 "3a41e1423b1853e8aa89747b1f987364"
 "44705d6d6d8371ea1f578f2e"); /* s */
+ /* Produce a signature where verify operation results in a point duplication. */
+ test_ecdsa (&_nettle_secp_256r1,
+ "1", /* Private key */
+ "01010101010101010101010101010101"
+ "01010101010101010101010101010101", /* nonce */
+ SHEX("6ff03b949241ce1dadd43519e6960e0a"
+ "85b41a69a05c328103aa2bce1594ca16"), /* hash */
+ "6ff03b949241ce1dadd43519e6960e0a"
+ "85b41a69a05c328103aa2bce1594ca16", /* r */
+ "53f097727a0e0dc284a0daa0da0ab77d"
+ "5792ae67ed075d1f8d5bda0f853fa093"); /* s */
+
 /* Test cases for the smaller groups, verified with a proof-of-concept implementation done for Yubico AB. */
 test_ecdsa (&_nettle_secp_192r1,
diff --git a/testsuite/ecdsa-verify-test.c b/testsuite/ecdsa-verify-test.c
index 8110c64d..8d527000 100644
--- a/testsuite/ecdsa-verify-test.c
+++ b/testsuite/ecdsa-verify-test.c
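Review bot: The comment on the new test_ecdsa call in testsuite/ecdsa-sign-test.c does not say why these inputs lead to a point duplication, so the vector reads as arbitrary to someone who has not seen the verify test. In ECDSA verification the two scalars are hash/s and r/s, so a hash equal to r makes them equal, and private key 1 makes the public key the generator; the final addition is then P + P. I would extend the comment to `/* Private key 1 (public key = generator) and hash = r make both scalar multiples in verify the same point, so the final addition is a point duplication. */`. The nonce looks like it was picked only to be fixed and reproducible, with the hash then set to the resulting r; if so, that is worth one more clause. test_main continues outside the hunk.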
@@ -109,6 +109,21 @@ test_main (void)
 "952800792ed19341fdeeec047f2514f3b0f150d6066151fb", /* r */
 "ec5971222014878b50d7a19d8954bc871e7e65b00b860ffb"); /* s */
+ /* Test case provided by Guido Vranken, from oss-fuzz. Triggers
+ point duplication in the verify operation by using private key =
+ 1 (public key = generator) and hash = r. */
+ test_ecdsa (&_nettle_secp_256r1,
+ "6B17D1F2E12C4247F8BCE6E563A440F2"
+ "77037D812DEB33A0F4A13945D898C296", /* x */
+ "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16"
+ "2BCE33576B315ECECBB6406837BF51F5", /* y */
+ SHEX("6ff03b949241ce1dadd43519e6960e0a"
+ "85b41a69a05c328103aa2bce1594ca16"), /* hash */
+ "6ff03b949241ce1dadd43519e6960e0a"
+ "85b41a69a05c328103aa2bce1594ca16", /* r */
+ "53f097727a0e0dc284a0daa0da0ab77d"
+ "5792ae67ed075d1f8d5bda0f853fa093"); /* s */
+
 /* From RFC 4754 */
 test_ecdsa (&_nettle_secp_256r1,
 "2442A5CC 0ECD015F A3CA31DC 8E2BBC70"
--
cgit v1.2.1
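Review bot: The new comment in testsuite/ecdsa-verify-test.c records where the vector came from but not what outcome is expected, nor that the same (hash, r, s) triple is generated by the key = 1 case added to ecdsa-sign-test.c in this commit. Since this is a regression test for a verifier that gave a wrong answer on a well-formed signature, I would add `This is a valid signature and must be accepted; the same hash, r and s are produced by the private key = 1 case in ecdsa-sign-test.c.` to the comment, so that a later edit to one file is not made without the other. Nothing visible in the hunk covers the neighbouring case where the two multiples are negatives of each other and the sum is the point at infinity, which a verifier has to reject; whether test_ecdsa here can express an expected rejection cannot be told from the hunk, as it is defined outside it. test_main continues outside the hunk.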