Closed aaronmdjones closed 5 years ago
ARM Internal Ref: IOTSSL-2797
This is not a bug.
mbedtls_mpi_read_binary and mbedtls_mpi_write_binary read and write in big endian; your sample data is in little endian.
Try replacing your data constants with:
static const unsigned char ecdh_x25519_alice_sk[] = {
0x55U, 0x1AU, 0xAEU, 0x9CU, 0x85U, 0xBAU, 0xD9U, 0xDDU,
0x43U, 0xD5U, 0x25U, 0xDAU, 0x39U, 0x72U, 0x7EU, 0x22U,
0x21U, 0x54U, 0xA3U, 0x3AU, 0x67U, 0x6BU, 0xEEU, 0x4BU,
0xF4U, 0xB6U, 0xC0U, 0x60U, 0x66U, 0x0CU, 0xF8U, 0x28U,
};
static const unsigned char ecdh_x25519_alice_pk[] = {
0x46U, 0x37U, 0xE3U, 0xCFU, 0xCFU, 0x96U, 0xBDU, 0x86U,
0x3EU, 0x47U, 0x3BU, 0x06U, 0x81U, 0x4FU, 0x2FU, 0xB4U,
0x93U, 0xF5U, 0x95U, 0xC9U, 0x41U, 0x95U, 0xB8U, 0x58U,
0xD3U, 0x62U, 0xCAU, 0x7BU, 0xF4U, 0x59U, 0xAFU, 0x75U,
};
static const unsigned char ecdh_x25519_bob_sk[] = {
0x56U, 0x7EU, 0xF2U, 0xBEU, 0x65U, 0x39U, 0x22U, 0x97U,
0xE4U, 0xBDU, 0x4CU, 0xCAU, 0xFEU, 0x08U, 0xE6U, 0x2DU,
0xDBU, 0xAEU, 0x90U, 0xAEU, 0x28U, 0x0FU, 0xCFU, 0x9FU,
0x2FU, 0xF6U, 0x77U, 0x39U, 0xC4U, 0xF4U, 0x90U, 0xB8U,
};
static const unsigned char ecdh_x25519_bob_pk[] = {
0x39U, 0xBEU, 0x4CU, 0xA9U, 0x88U, 0xC2U, 0xC1U, 0xF5U,
0x1DU, 0x54U, 0xD1U, 0x5FU, 0x6FU, 0xC2U, 0xCBU, 0xF2U,
0x21U, 0xF2U, 0x33U, 0x91U, 0x4CU, 0x35U, 0x2DU, 0x2AU,
0xBEU, 0x62U, 0xA3U, 0x0EU, 0xD4U, 0xA0U, 0x66U, 0x10U,
};
static const unsigned char ecdh_x25519_secret[] = {
0x4DU, 0xADU, 0xA5U, 0xFBU, 0x57U, 0xCBU, 0xCBU, 0x01U,
0x1CU, 0x4CU, 0x1EU, 0x8AU, 0x59U, 0xD0U, 0x03U, 0xECU,
0x11U, 0x32U, 0x1DU, 0x07U, 0x28U, 0x92U, 0x05U, 0xA9U,
0xD4U, 0xA7U, 0x0AU, 0x21U, 0xF9U, 0x7EU, 0xF1U, 0x2DU,
};
and your program should work as expected.
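Added example (not part of the original comment and not Mbed TLS code): a stand-alone C check of the RFC 7748 clamping bits, showing why a little-endian X25519 scalar is rejected when its bytes are read as a big-endian integer. It uses Alice's private key array from the comment above; the helper names are hypothetical and no Mbed TLS functions are called.

```c
#include <stdio.h>

#define X25519_LEN 32

/* Alice's private key exactly as posted above: big-endian, the byte
 * order the comment says mbedtls_mpi_read_binary expects. */
static const unsigned char alice_sk_be[X25519_LEN] = {
    0x55U, 0x1AU, 0xAEU, 0x9CU, 0x85U, 0xBAU, 0xD9U, 0xDDU,
    0x43U, 0xD5U, 0x25U, 0xDAU, 0x39U, 0x72U, 0x7EU, 0x22U,
    0x21U, 0x54U, 0xA3U, 0x3AU, 0x67U, 0x6BU, 0xEEU, 0x4BU,
    0xF4U, 0xB6U, 0xC0U, 0x60U, 0x66U, 0x0CU, 0xF8U, 0x28U,
};

/* Hypothetical helper: reverse a 32-byte buffer (little <-> big endian). */
static void x25519_reverse(unsigned char out[X25519_LEN], const unsigned char in[X25519_LEN])
{
    for (size_t i = 0; i < X25519_LEN; i++)
        out[i] = in[X25519_LEN - 1 - i];
}

/* RFC 7748 clamping seen on a big-endian scalar: bit 255 clear and bit 254
 * set (most significant byte comes first), bits 0..2 clear (last byte). */
static int x25519_clamped_be(const unsigned char k[X25519_LEN])
{
    return (k[0] & 0xC0) == 0x40 && (k[X25519_LEN - 1] & 0x07) == 0;
}

/* The same invariant on the little-endian wire form used by RFC 7748. */
static int x25519_clamped_le(const unsigned char k[X25519_LEN])
{
    return (k[X25519_LEN - 1] & 0xC0) == 0x40 && (k[0] & 0x07) == 0;
}

/* Returns 1 when the little-endian form of the posted key is correctly
 * clamped as little-endian but not clamped if read as big-endian. */
static int le_key_fails_when_read_as_be(void)
{
    unsigned char le[X25519_LEN];
    x25519_reverse(le, alice_sk_be);
    return x25519_clamped_le(le) && !x25519_clamped_be(le);
}

int main(void)
{
    printf("posted array read as big-endian: clamped=%d\n", x25519_clamped_be(alice_sk_be));
    printf("little-endian form misread as big-endian: %d\n", le_key_fails_when_read_as_be());
    return 0;
}
```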
That's strange... I did try reversing the arrays, and it still failed at the same step. I even noted that in my report; but I just tried those arrays above and indeed it works...
Perhaps not enough caffeine was involved.
Description
Bug
OS: Linux
mbed TLS build:
Version: 2.16.0
OS version: Gentoo Hardened
Configuration:
Compiler and options:
Expected behavior
mbedtls_ecp_check_privkey() should return zero when given a properly-generated X25519 private key.
Actual behavior
mbedtls_ecp_check_privkey() fails for X25519 private keys. It also fails with the reference test vectors from the Curve25519 description paper. I also tried the verbatim vectors (unclamped), and I tried reversing the byte arrays, and I tried prepending a 0x00 to the arrays.
Steps to reproduce