From 3b66a2dd18e35798c0e7282f5f800e64d581deb3 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Wed, 1 Mar 2023 15:15:58 -0500
Subject: [PATCH] Update to the new wycheproof (#8403) (#8417)
---
 docs/development/test-vectors.rst | 2 +-
 .../hazmat/backends/openssl/utils.py | 5 ++++-
 tests/wycheproof/test_ecdh.py | 21 ++++++++++++++++++-
 tests/wycheproof/test_ecdsa.py | 5 +++++
 4 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 256ee9d9a4c7..aa57eeddff14 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -22,7 +22,7 @@ for various cryptographic algorithms. These are not included in the repository
 continuous integration environments.
 We have ensured all test vectors are used as of commit
-``2196000605e45d91097147c9c71f26b72af58003``.
+``b063b4aedae951c69df014cd25fa6d69ae9e8cb9``.
 Asymmetric ciphers
 ~~~~~~~~~~~~~~~~~~
diff --git a/src/cryptography/hazmat/backends/openssl/utils.py b/src/cryptography/hazmat/backends/openssl/utils.py
index 3a70a5818474..0a4c29595f02 100644
--- a/src/cryptography/hazmat/backends/openssl/utils.py
+++ b/src/cryptography/hazmat/backends/openssl/utils.py
@@ -18,7 +18,10 @@ def _evp_pkey_derive(backend: "Backend", evp_pkey, peer_public_key) -> bytes:
 res = backend._lib.EVP_PKEY_derive_init(ctx)
 backend.openssl_assert(res == 1)
 res = backend._lib.EVP_PKEY_derive_set_peer(ctx, peer_public_key._evp_pkey)
- backend.openssl_assert(res == 1)
+ if res != 1:
+ errors_with_text = backend._consume_errors_with_text()
+ raise ValueError("Error computing shared key.", errors_with_text)
+
 keylen = backend._ffi.new("size_t *")
 res = backend._lib.EVP_PKEY_derive(ctx, backend._ffi.NULL, keylen)
 backend.openssl_assert(res == 1)
diff --git a/tests/wycheproof/test_ecdh.py b/tests/wycheproof/test_ecdh.py
index 1de26cb263bd..9fecdef9ea4e 100644
--- a/tests/wycheproof/test_ecdh.py
+++ b/tests/wycheproof/test_ecdh.py
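Review bot: In `_evp_pkey_derive` (src/cryptography/hazmat/backends/openssl/utils.py) the new `ValueError` branch after `EVP_PKEY_derive_set_peer` carries no comment saying why this one call may fail, while the calls around it still go through `backend.openssl_assert`. Judging from the test change in the same commit, the failure depends on the peer key (a low-order public point on OpenSSL 3.0 or later), so I would add `# set_peer can reject an invalid peer public key; treat that as bad caller input, not an internal OpenSSL error.` above `if res != 1:`. The length query `EVP_PKEY_derive(ctx, backend._ffi.NULL, keylen)` just below still asserts, and the rest of the function lies outside the hunk, so it is worth confirming that the final derive call reports a rejected peer key as `ValueError` too rather than as an internal error.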
@@ -21,6 +21,12 @@
 "secp521r1": ec.SECP521R1(),
 "secp224k1": None,
 "secp256k1": ec.SECP256K1(),
+ "sect283r1": ec.SECT283R1(),
+ "sect409r1": ec.SECT409R1(),
+ "sect571r1": ec.SECT571R1(),
+ "sect283k1": ec.SECT283K1(),
+ "sect409k1": ec.SECT409K1(),
+ "sect571k1": ec.SECT571K1(),
 "brainpoolP224r1": None,
 "brainpoolP256r1": ec.BrainpoolP256R1(),
 "brainpoolP320r1": None,
@@ -31,6 +37,7 @@
 "brainpoolP320t1": None,
 "brainpoolP384t1": None,
 "brainpoolP512t1": None,
+ "FRP256v1": None,
 }
@@ -46,6 +53,12 @@
 "ecdh_secp256r1_test.json",
 "ecdh_secp384r1_test.json",
 "ecdh_secp521r1_test.json",
+ "ecdh_sect283k1_test.json",
+ "ecdh_sect283r1_test.json",
+ "ecdh_sect409k1_test.json",
+ "ecdh_sect409r1_test.json",
+ "ecdh_sect571k1_test.json",
+ "ecdh_sect571r1_test.json",
 )
 def test_ecdh(backend, wycheproof):
 curve = _CURVES[wycheproof.testgroup["curve"]]
@@ -70,7 +83,13 @@ def test_ecdh(backend, wycheproof):
 except UnsupportedAlgorithm:
 return
- if wycheproof.valid or wycheproof.acceptable:
+ if wycheproof.valid or (
+ wycheproof.acceptable
+ and not (
+ wycheproof.has_flag("LowOrderPublic")
+ and backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+ )
+ ):
 computed_shared = private_key.exchange(ec.ECDH(), public_key)
 expected_shared = binascii.unhexlify(wycheproof.testcase["shared"])
 assert computed_shared == expected_shared
diff --git a/tests/wycheproof/test_ecdsa.py b/tests/wycheproof/test_ecdsa.py
index ffdfcc461342..edd2d12860f3 100644
--- a/tests/wycheproof/test_ecdsa.py
+++ b/tests/wycheproof/test_ecdsa.py
@@ -53,6 +53,11 @@
 "ecdsa_secp384r1_sha3_512_test.json",
 "ecdsa_secp521r1_sha512_test.json",
 "ecdsa_secp521r1_sha3_512_test.json",
+ "ecdsa_secp160k1_sha256_test.json",
+ "ecdsa_secp160r1_sha256_test.json",
+ "ecdsa_secp160r2_sha256_test.json",
+ "ecdsa_secp192k1_sha256_test.json",
+ "ecdsa_secp192r1_sha256_test.json",
 )
 def test_ecdsa_signature(backend, wycheproof):
 try:
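Review bot: The rewritten condition in `test_ecdh` (hunk `@@ -70,7 +83,13 @@` of tests/wycheproof/test_ecdh.py) encodes a backend difference that the test never explains. Acceptable vectors flagged `LowOrderPublic` must still yield the expected shared secret unless `CRYPTOGRAPHY_OPENSSL_300_OR_GREATER` is set. I would add `# OpenSSL 3.0+ rejects low-order peer public keys; older backends still derive a shared secret for these vectors.` above the `if`, so a reader can see that older backends accept such keys. The branch taken by the excluded vectors is outside the hunk; if it only checks for a generic failure, it should pin `ValueError`, the exception type this commit introduces in `_evp_pkey_derive`.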