From e13b54e5f74c5f2d4b87bcbdba919d742ac0b9de Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia <andres.amayagarcia@arm.com>
Date: Fri, 4 Aug 2017 13:49:29 +0100
Subject: [PATCH 1/4] Change PK module preprocessor check on word size

There were preprocessor directives in pk.c and pk_wrap.c that cheked
whether the bit length of size_t was greater than that of unsigned int.
However, the check relied on the POLARSSL_HAVE_INT64 macro being
defined which is not directly related to size_t. This might result in
errors in some platforms. This change modifies the check to use the
macros SIZE_MAX and UINT_MAX instead making the code more robust.
---
 library/pk.c      |  7 +++----
 library/pk_wrap.c | 14 +++++++-------
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/library/pk.c b/library/pk.c
index fc036d2c5..8bcba5874 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -30,8 +30,6 @@
 #include "polarssl/pk.h"
 #include "polarssl/pk_wrap.h"
 
-#include "polarssl/bignum.h"
-
 #if defined(POLARSSL_RSA_C)
 #include "polarssl/rsa.h"
 #endif
@@ -43,6 +41,7 @@
 #endif
 
 #include <limits.h>
+#include <stdint.h>
 
 /* Implementation that should never be optimized out by the compiler */
 static void polarssl_zeroize( void *v, size_t n ) {
@@ -212,10 +211,10 @@ int pk_verify_ext( pk_type_t type, const void *options,
         int ret;
         const pk_rsassa_pss_options *pss_opts;
 
-#if defined(POLARSSL_HAVE_INT64)
+#if SIZE_MAX > UINT_MAX
         if( md_alg == POLARSSL_MD_NONE && UINT_MAX < hash_len )
             return( POLARSSL_ERR_PK_BAD_INPUT_DATA );
-#endif /* POLARSSL_HAVE_INT64 */
+#endif /* SIZE_MAX > UINT_MAX */
 
         if( options == NULL )
             return( POLARSSL_ERR_PK_BAD_INPUT_DATA );
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index ceaaad110..9da59ec15 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -31,7 +31,6 @@
 
 /* Even if RSA not activated, for the sake of RSA-alt */
 #include "polarssl/rsa.h"
-#include "polarssl/bignum.h"
 
 #include <string.h>
 
@@ -52,6 +51,7 @@
 #endif
 
 #include <limits.h>
+#include <stdint.h>
 
 /* Implementation that should never be optimized out by the compiler */
 static void polarssl_zeroize( void *v, size_t n ) {
@@ -76,10 +76,10 @@ static int rsa_verify_wrap( void *ctx, md_type_t md_alg,
 {
     int ret;
 
-#if defined(POLARSSL_HAVE_INT64)
+#if SIZE_MAX > UINT_MAX
     if( md_alg == POLARSSL_MD_NONE && UINT_MAX < hash_len )
         return( POLARSSL_ERR_PK_BAD_INPUT_DATA );
-#endif /* POLARSSL_HAVE_INT64 */
+#endif /* SIZE_MAX > UINT_MAX */
 
     if( sig_len < ((rsa_context *) ctx)->len )
         return( POLARSSL_ERR_RSA_VERIFY_FAILED );
@@ -100,10 +100,10 @@ static int rsa_sign_wrap( void *ctx, md_type_t md_alg,
                    unsigned char *sig, size_t *sig_len,
                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
-#if defined(POLARSSL_HAVE_INT64)
+#if SIZE_MAX > UINT_MAX
     if( md_alg == POLARSSL_MD_NONE && UINT_MAX < hash_len )
         return( POLARSSL_ERR_PK_BAD_INPUT_DATA );
-#endif /* POLARSSL_HAVE_INT64 */
+#endif /* SIZE_MAX > UINT_MAX */
 
     *sig_len = ((rsa_context *) ctx)->len;
 
@@ -424,10 +424,10 @@ static int rsa_alt_sign_wrap( void *ctx, md_type_t md_alg,
 {
     rsa_alt_context *rsa_alt = (rsa_alt_context *) ctx;
 
-#if defined(POLARSSL_HAVE_INT64)
+#if SIZE_MAX > UINT_MAX
     if( UINT_MAX < hash_len )
         return( POLARSSL_ERR_PK_BAD_INPUT_DATA );
-#endif /* POLARSSL_HAVE_INT64 */
+#endif /* SIZE_MAX > UINT_MAX */
 
     *sig_len = rsa_alt->key_len_func( rsa_alt->key );
 

From fdac76f330b7328f7d4ace55a0d265ed6416dc4e Mon Sep 17 00:00:00 2001
From: Darryl Green <darryl.green@arm.com>
Date: Mon, 20 Nov 2017 15:53:43 +0000
Subject: [PATCH 2/4] Add checks for private parameter in ecdsa_sign()

---
 ChangeLog       | 2 ++
 library/ecdsa.c | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 6a1be9892..a90ee112d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,8 @@ Bugfix
    * Fix leap year calculation in x509_date_is_valid() to ensure that invalid
      dates on leap years with 100 and 400 intervals are handled correctly. Found
      by Nicholas Wilson. #694
+   * Add a check for invalid private parameters in ecdsa_sign.
+     Reported by Yolan Romailler.
 
 = mbed TLS 1.3.21 branch released 2017-08-10
 
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 3f72d857c..e95b80245 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -110,6 +110,10 @@ int ecdsa_sign( ecp_group *grp, mpi *r, mpi *s,
     if( grp->N.p == NULL )
         return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
 
+    /* Make sure d is in range 1..n-1 */
+    if( mpi_cmp_int( d, 1 ) < 0 || mpi_cmp_mpi( d, &grp->N ) >= 0 )
+        return( POLARSSL_ERR_ECP_INVALID_KEY );
+
     ecp_point_init( &R );
     mpi_init( &k ); mpi_init( &e ); mpi_init( &t );
 

From 851111dc16ca7203f3a82320da04b3e9f3eeaa7e Mon Sep 17 00:00:00 2001
From: Darryl Green <darryl.green@arm.com>
Date: Mon, 20 Nov 2017 15:54:05 +0000
Subject: [PATCH 3/4] Add tests for invalid private parameters in ecdsa_sign()

---
 tests/suites/test_suite_ecdsa.data     | 46 ++++++++++++++++++++++++--
 tests/suites/test_suite_ecdsa.function | 13 +++++---
 2 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/tests/suites/test_suite_ecdsa.data b/tests/suites/test_suite_ecdsa.data
index b03549bf5..651ffd397 100644
--- a/tests/suites/test_suite_ecdsa.data
+++ b/tests/suites/test_suite_ecdsa.data
@@ -20,15 +20,15 @@ ecdsa_prim_random:POLARSSL_ECP_DP_SECP521R1
 
 ECDSA primitive rfc 4754 p256
 depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED
-ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP256R1:"DC51D3866A15BACDE33D96F992FCA99DA7E6EF0934E7097559C27F1614C88A7F":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":"9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B154BF61AF1D5A6DECE":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD":"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"86FA3BB4E26CAD5BF90B7F81899256CE7594BB1EA0C89212748BFF3B3D5B0315"
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP256R1:"DC51D3866A15BACDE33D96F992FCA99DA7E6EF0934E7097559C27F1614C88A7F":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":"9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B154BF61AF1D5A6DECE":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD":"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"86FA3BB4E26CAD5BF90B7F81899256CE7594BB1EA0C89212748BFF3B3D5B0315":0
 
 ECDSA primitive rfc 4754 p384
 depends_on:POLARSSL_ECP_DP_SECP384R1_ENABLED
-ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP384R1:"0BEB646634BA87735D77AE4809A0EBEA865535DE4C1E1DCB692E84708E81A5AF62E528C38B2A81B35309668D73524D9F":"96281BF8DD5E0525CA049C048D345D3082968D10FEDF5C5ACA0C64E6465A97EA5CE10C9DFEC21797415710721F437922":"447688BA94708EB6E2E4D59F6AB6D7EDFF9301D249FE49C33096655F5D502FAD3D383B91C5E7EDAA2B714CC99D5743CA":"B4B74E44D71A13D568003D7489908D564C7761E229C58CBFA18950096EB7463B854D7FA992F934D927376285E63414FA":"CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED1631A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7":"FB017B914E29149432D8BAC29A514640B46F53DDAB2C69948084E2930F1C8F7E08E07C9C63F2D21A07DCB56A6AF56EB3":"B263A1305E057F984D38726A1B46874109F417BCA112674C528262A40A629AF1CBB9F516CE0FA7D2FF630863A00E8B9F"
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP384R1:"0BEB646634BA87735D77AE4809A0EBEA865535DE4C1E1DCB692E84708E81A5AF62E528C38B2A81B35309668D73524D9F":"96281BF8DD5E0525CA049C048D345D3082968D10FEDF5C5ACA0C64E6465A97EA5CE10C9DFEC21797415710721F437922":"447688BA94708EB6E2E4D59F6AB6D7EDFF9301D249FE49C33096655F5D502FAD3D383B91C5E7EDAA2B714CC99D5743CA":"B4B74E44D71A13D568003D7489908D564C7761E229C58CBFA18950096EB7463B854D7FA992F934D927376285E63414FA":"CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED1631A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7":"FB017B914E29149432D8BAC29A514640B46F53DDAB2C69948084E2930F1C8F7E08E07C9C63F2D21A07DCB56A6AF56EB3":"B263A1305E057F984D38726A1B46874109F417BCA112674C528262A40A629AF1CBB9F516CE0FA7D2FF630863A00E8B9F":0
 
 ECDSA primitive rfc 4754 p521
 depends_on:POLARSSL_ECP_DP_SECP521R1_ENABLED
-ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP521R1:"0065FDA3409451DCAB0A0EAD45495112A3D813C17BFD34BDF8C1209D7DF5849120597779060A7FF9D704ADF78B570FFAD6F062E95C7E0C5D5481C5B153B48B375FA1":"0151518F1AF0F563517EDD5485190DF95A4BF57B5CBA4CF2A9A3F6474725A35F7AFE0A6DDEB8BEDBCD6A197E592D40188901CECD650699C9B5E456AEA5ADD19052A8":"006F3B142EA1BFFF7E2837AD44C9E4FF6D2D34C73184BBAD90026DD5E6E85317D9DF45CAD7803C6C20035B2F3FF63AFF4E1BA64D1C077577DA3F4286C58F0AEAE643":"00C1C2B305419F5A41344D7E4359933D734096F556197A9B244342B8B62F46F9373778F9DE6B6497B1EF825FF24F42F9B4A4BD7382CFC3378A540B1B7F0C1B956C2F":"DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F":"0154FD3836AF92D0DCA57DD5341D3053988534FDE8318FC6AAAAB68E2E6F4339B19F2F281A7E0B22C269D93CF8794A9278880ED7DBB8D9362CAEACEE544320552251":"017705A7030290D1CEB605A9A1BB03FF9CDD521E87A696EC926C8C10C8362DF4975367101F67D1CF9BCCBF2F3D239534FA509E70AAC851AE01AAC68D62F866472660"
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP521R1:"0065FDA3409451DCAB0A0EAD45495112A3D813C17BFD34BDF8C1209D7DF5849120597779060A7FF9D704ADF78B570FFAD6F062E95C7E0C5D5481C5B153B48B375FA1":"0151518F1AF0F563517EDD5485190DF95A4BF57B5CBA4CF2A9A3F6474725A35F7AFE0A6DDEB8BEDBCD6A197E592D40188901CECD650699C9B5E456AEA5ADD19052A8":"006F3B142EA1BFFF7E2837AD44C9E4FF6D2D34C73184BBAD90026DD5E6E85317D9DF45CAD7803C6C20035B2F3FF63AFF4E1BA64D1C077577DA3F4286C58F0AEAE643":"00C1C2B305419F5A41344D7E4359933D734096F556197A9B244342B8B62F46F9373778F9DE6B6497B1EF825FF24F42F9B4A4BD7382CFC3378A540B1B7F0C1B956C2F":"DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F":"0154FD3836AF92D0DCA57DD5341D3053988534FDE8318FC6AAAAB68E2E6F4339B19F2F281A7E0B22C269D93CF8794A9278880ED7DBB8D9362CAEACEE544320552251":"017705A7030290D1CEB605A9A1BB03FF9CDD521E87A696EC926C8C10C8362DF4975367101F67D1CF9BCCBF2F3D239534FA509E70AAC851AE01AAC68D62F866472660":0
 
 ECDSA write-read random #1
 depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
@@ -273,3 +273,43 @@ ecdsa_write_read_det_random:POLARSSL_ECP_DP_SECP521R1:POLARSSL_MD_SHA256
 ECDSA deterministic read-write random p521 sha384
 depends_on:POLARSSL_ECP_DP_SECP521R1_ENABLED:POLARSSL_SHA512_C
 ecdsa_write_read_det_random:POLARSSL_ECP_DP_SECP521R1:POLARSSL_MD_SHA384
+
+ECDSA zero private parameter p192
+depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP192R1:"0":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945":"9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B15":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9C":"98C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF":"57A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECDSA private parameter greater than n p192
+depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD41":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945":"9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B15":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61":"98C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF":"57A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECDSA zero private parameter p224
+depends_on:POLARSSL_ECP_DP_SECP224R1_ENABLED
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP224R1:"0":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D5":"9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B154BF61AF1":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61":"22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC":"66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECDSA private parameter greater than n p224
+depends_on:POLARSSL_ECP_DP_SECP224R1_ENABLED
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C11":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D5":"9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B154BF61AF1":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD":"22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC":"66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECDSA zero private parameter p256
+depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP256R1:"0":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":"9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B154BF61AF1D5A6DECE":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD":"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"86FA3BB4E26CAD5BF90B7F81899256CE7594BB1EA0C89212748BFF3B3D5B0315":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECDSA private parameter greater than n p256
+depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP256R1:"DC51D3866A15BACDE33D96F992FCA99DA7E6EF0934E7097559C27F1614C88A7F1":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":"9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B154BF61AF1D5A6DECE":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD":"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"86FA3BB4E26CAD5BF90B7F81899256CE7594BB1EA0C89212748BFF3B3D5B0315":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECDSA zero private parameter p384
+depends_on:POLARSSL_ECP_DP_SECP384R1_ENABLED
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP384R1:"0":"96281BF8DD5E0525CA049C048D345D3082968D10FEDF5C5ACA0C64E6465A97EA5CE10C9DFEC21797415710721F437922":"447688BA94708EB6E2E4D59F6AB6D7EDFF9301D249FE49C33096655F5D502FAD3D383B91C5E7EDAA2B714CC99D5743CA":"B4B74E44D71A13D568003D7489908D564C7761E229C58CBFA18950096EB7463B854D7FA992F934D927376285E63414FA":"CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED1631A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7":"FB017B914E29149432D8BAC29A514640B46F53DDAB2C69948084E2930F1C8F7E08E07C9C63F2D21A07DCB56A6AF56EB3":"B263A1305E057F984D38726A1B46874109F417BCA112674C528262A40A629AF1CBB9F516CE0FA7D2FF630863A00E8B9F":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECDSA private parameter greater than n p384
+depends_on:POLARSSL_ECP_DP_SECP384R1_ENABLED
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP384R1:"10BEB646634BA87735D77AE4809A0EBEA865535DE4C1E1DCB692E84708E81A5AF62E528C38B2A81B35309668D73524D9F":"96281BF8DD5E0525CA049C048D345D3082968D10FEDF5C5ACA0C64E6465A97EA5CE10C9DFEC21797415710721F437922":"447688BA94708EB6E2E4D59F6AB6D7EDFF9301D249FE49C33096655F5D502FAD3D383B91C5E7EDAA2B714CC99D5743CA":"B4B74E44D71A13D568003D7489908D564C7761E229C58CBFA18950096EB7463B854D7FA992F934D927376285E63414FA":"CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED1631A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7":"FB017B914E29149432D8BAC29A514640B46F53DDAB2C69948084E2930F1C8F7E08E07C9C63F2D21A07DCB56A6AF56EB3":"B263A1305E057F984D38726A1B46874109F417BCA112674C528262A40A629AF1CBB9F516CE0FA7D2FF630863A00E8B9F":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECDSA zero private parameter p521
+depends_on:POLARSSL_ECP_DP_SECP521R1_ENABLED
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP521R1:"0":"0151518F1AF0F563517EDD5485190DF95A4BF57B5CBA4CF2A9A3F6474725A35F7AFE0A6DDEB8BEDBCD6A197E592D40188901CECD650699C9B5E456AEA5ADD19052A8":"006F3B142EA1BFFF7E2837AD44C9E4FF6D2D34C73184BBAD90026DD5E6E85317D9DF45CAD7803C6C20035B2F3FF63AFF4E1BA64D1C077577DA3F4286C58F0AEAE643":"00C1C2B305419F5A41344D7E4359933D734096F556197A9B244342B8B62F46F9373778F9DE6B6497B1EF825FF24F42F9B4A4BD7382CFC3378A540B1B7F0C1B956C2F":"DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F":"0154FD3836AF92D0DCA57DD5341D3053988534FDE8318FC6AAAAB68E2E6F4339B19F2F281A7E0B22C269D93CF8794A9278880ED7DBB8D9362CAEACEE544320552251":"017705A7030290D1CEB605A9A1BB03FF9CDD521E87A696EC926C8C10C8362DF4975367101F67D1CF9BCCBF2F3D239534FA509E70AAC851AE01AAC68D62F866472660":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECDSA private parameter greater than n p521
+depends_on:POLARSSL_ECP_DP_SECP521R1_ENABLED
+ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP521R1:"0065FDA3409451DCAB0A0EAD45495112A3D813C17BFD34BDF8C1209D7DF5849120597779060A7FF9D704ADF78B570FFAD6F062E95C7E0C5D5481C5B153B48B375FA11":"0151518F1AF0F563517EDD5485190DF95A4BF57B5CBA4CF2A9A3F6474725A35F7AFE0A6DDEB8BEDBCD6A197E592D40188901CECD650699C9B5E456AEA5ADD19052A8":"006F3B142EA1BFFF7E2837AD44C9E4FF6D2D34C73184BBAD90026DD5E6E85317D9DF45CAD7803C6C20035B2F3FF63AFF4E1BA64D1C077577DA3F4286C58F0AEAE643":"00C1C2B305419F5A41344D7E4359933D734096F556197A9B244342B8B62F46F9373778F9DE6B6497B1EF825FF24F42F9B4A4BD7382CFC3378A540B1B7F0C1B956C2F":"DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F":"0154FD3836AF92D0DCA57DD5341D3053988534FDE8318FC6AAAAB68E2E6F4339B19F2F281A7E0B22C269D93CF8794A9278880ED7DBB8D9362CAEACEE544320552251":"017705A7030290D1CEB605A9A1BB03FF9CDD521E87A696EC926C8C10C8362DF4975367101F67D1CF9BCCBF2F3D239534FA509E70AAC851AE01AAC68D62F866472660":POLARSSL_ERR_ECP_INVALID_KEY
diff --git a/tests/suites/test_suite_ecdsa.function b/tests/suites/test_suite_ecdsa.function
index ee379dcf9..f57ee1478 100644
--- a/tests/suites/test_suite_ecdsa.function
+++ b/tests/suites/test_suite_ecdsa.function
@@ -42,7 +42,7 @@ exit:
 /* BEGIN_CASE */
 void ecdsa_prim_test_vectors( int id, char *d_str, char *xQ_str, char *yQ_str,
                               char *k_str, char *hash_str, char *r_str,
-                              char *s_str )
+                              char *s_str, int result )
 {
     ecp_group grp;
     ecp_point Q;
@@ -80,12 +80,15 @@ void ecdsa_prim_test_vectors( int id, char *d_str, char *xQ_str, char *yQ_str,
     }
 
     TEST_ASSERT( ecdsa_sign( &grp, &r, &s, &d, hash, hlen,
-                 rnd_buffer_rand, &rnd_info ) == 0 );
+                 rnd_buffer_rand, &rnd_info ) == result );
 
-    TEST_ASSERT( mpi_cmp_mpi( &r, &r_check ) == 0 );
-    TEST_ASSERT( mpi_cmp_mpi( &s, &s_check ) == 0 );
+    if ( result == 0 )
+    {
+        TEST_ASSERT( mpi_cmp_mpi( &r, &r_check ) == 0 );
+        TEST_ASSERT( mpi_cmp_mpi( &s, &s_check ) == 0 );
 
-    TEST_ASSERT( ecdsa_verify( &grp, hash, hlen, &Q, &r_check, &s_check ) == 0 );
+        TEST_ASSERT( ecdsa_verify( &grp, hash, hlen, &Q, &r_check, &s_check ) == 0 );
+    }
 
 exit:
     ecp_group_free( &grp );

From 046fff12fab56996c406e9f08206fca8f62110e0 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Mon, 4 Dec 2017 17:25:54 +0100
Subject: [PATCH 4/4] Added ChangeLog entry

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index 90c6e6bcf..159f4cbad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -24,6 +24,7 @@ Bugfix
      encoded X509 CSRs. The overflow would enable maliciously constructed CSRs
      to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
      KNOX Security, Samsung Research America
+   * Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
 
 = mbed TLS 1.3.20 branch released 2017-06-21