add secp160r1; fix handling curves with order > p

the secret multiplier is limited by the order of the base point, that
also informs the size of elements for the signature (as they are
calculated modulo order), but the public point is a point, so its
elements are modulo prime from the curve. The same thing applies to the
shared secret: it's just one coordinate of the point, so it's modulo p
of the curve, not modulo order of generator.

for all curves up till now the size of order and size of the prime was
the same so it worked fine, but secp160r1 is different, so it showed the
bugs

so fix this bug and add secp160r1 as the test coverage for it

Author: tomato42

src/ecdsa/__init__.py

@@ -22,6 +22,7 @@
     SECP112r1,
     SECP112r2,
     SECP128r1,
+    SECP160r1,
 )
 from .ecdh import (
     ECDH,
@@ -78,5 +79,6 @@
     SECP112r1,
     SECP112r2,
     SECP128r1,
+    SECP160r1,
 ]
 del _hush_pyflakes

src/ecdsa/curves.py

@@ -13,6 +13,7 @@
     "SECP112r1",
     "SECP112r2",
     "SECP128r1",
+    "SECP160r1",
     "NIST192p",
     "NIST224p",
     "NIST256p",
@@ -43,7 +44,7 @@ def __init__(self, name, curve, generator, oid, openssl_name=None):
         self.generator = generator
         self.order = generator.order()
         self.baselen = orderlen(self.order)
-        self.verifying_key_length = 2 * self.baselen
+        self.verifying_key_length = 2 * orderlen(curve.p())
         self.signature_length = 2 * self.baselen
         self.oid = oid
         self.encoded_oid = der.encode_oid(*oid)
@@ -80,6 +81,15 @@ def __repr__(self):
 )
 
 
+SECP160r1 = Curve(
+    "SECP160r1",
+    ecdsa.curve_160r1,
+    ecdsa.generator_160r1,
+    (1, 3, 132, 0, 8),
+    "secp160r1",
+)
+
+
 # the NIST curves
 NIST192p = Curve(
     "NIST192p",
@@ -216,6 +226,7 @@ def __repr__(self):
     SECP112r1,
     SECP112r2,
     SECP128r1,
+    SECP160r1,
 ]
 
 

src/ecdsa/ecdh.py

@@ -304,7 +304,7 @@ def generate_sharedsecret_bytes(self):
         :rtype: byte string
         """
         return number_to_string(
-            self.generate_sharedsecret(), self.private_key.curve.order
+            self.generate_sharedsecret(), self.private_key.curve.curve.p()
         )
 
     def generate_sharedsecret(self):

src/ecdsa/ecdsa.py

@@ -339,6 +339,27 @@ def point_is_valid(generator, x, y):
 )
 
 
+# secp160r1
+_p = int(remove_whitespace("FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 7FFFFFFF"), 16)
+# S = 1053CDE4 2C14D696 E6768756 1517533B F3F83345
+# _a = -3
+_b = int(remove_whitespace("1C97BEFC 54BD7A8B 65ACF89F 81D4D4AD C565FA45"), 16)
+_Gx = int(
+    remove_whitespace("4A96B568 8EF57328 46646989 68C38BB9 13CBFC82"), 16,
+)
+_Gy = int(
+    remove_whitespace("23A62855 3168947D 59DCC912 04235137 7AC5FB32"), 16,
+)
+_r = int(
+    remove_whitespace("01 00000000 00000000 0001F4C8 F927AED3 CA752257"), 16,
+)
+_h = 1
+curve_160r1 = ellipticcurve.CurveFp(_p, -3, _b, _h)
+generator_160r1 = ellipticcurve.PointJacobi(
+    curve_160r1, _Gx, _Gy, 1, _r, generator=True
+)
+
+
 # NIST Curve P-192:
 _p = 6277101735386680763835789423207666416083908700390324961279
 _r = 6277101735386680763835789423176059013767194773182842284081

src/ecdsa/keys.py

@@ -272,12 +272,12 @@ def _from_raw_encoding(string, curve):
         order = curve.order
         # real assert, from_string() should not call us with different length
         assert len(string) == curve.verifying_key_length
-        xs = string[: curve.baselen]
-        ys = string[curve.baselen :]
-        if len(xs) != curve.baselen:
-            raise MalformedPointError("Unexpected length of encoded x")
-        if len(ys) != curve.baselen:
-            raise MalformedPointError("Unexpected length of encoded y")
+        xs = string[: curve.verifying_key_length // 2]
+        ys = string[curve.verifying_key_length // 2 :]
+        # real assert, verifying_key_length is calculated by multiplying an
+        # integer by two so it will always be even
+        assert len(xs) == curve.verifying_key_length // 2
+        assert len(ys) == curve.verifying_key_length // 2
         x = string_to_number(xs)
         y = string_to_number(ys)
 
@@ -371,7 +371,7 @@ def from_string(
                 raise MalformedPointError(
                     "Invalid X9.62 encoding of the public point"
                 )
-        elif sig_len == curve.baselen + 1:
+        elif sig_len == curve.verifying_key_length // 2 + 1:
             point = cls._from_compressed(string, curve)
         else:
             raise MalformedPointError(
@@ -573,14 +573,14 @@ def from_public_key_recovery_with_digest(
 
     def _raw_encode(self):
         """Convert the public key to the :term:`raw encoding`."""
-        order = self.pubkey.order
+        order = self.curve.curve.p()
         x_str = number_to_string(self.pubkey.point.x(), order)
         y_str = number_to_string(self.pubkey.point.y(), order)
         return x_str + y_str
 
     def _compressed_encode(self):
         """Encode the public point into the compressed form."""
-        order = self.pubkey.order
+        order = self.curve.curve.p()
         x_str = number_to_string(self.pubkey.point.x(), order)
         if self.pubkey.point.y() & 1:
             return b("\x03") + x_str

src/ecdsa/test_ecdh.py

@@ -375,7 +375,7 @@ def test_ecdh_with_openssl(vcurve):
         if hlp.find("-derive") == 0:  # pragma: no cover
             pytest.skip("system openssl does not support `pkeyutl -derive`")
     except RunOpenSslError:  # pragma: no cover
-        pytest.skip("system openssl does not support `pkeyutl -derive`")
+        pytest.skip("system openssl could not be executed")
 
     if os.path.isdir("t"):  # pragma: no branch
         shutil.rmtree("t")
@@ -412,25 +412,20 @@ def test_ecdh_with_openssl(vcurve):
 
     assert secret1 == secret2
 
-    try:
-        run_openssl(
-            "pkeyutl -derive -inkey t/privkey1.pem -peerkey t/pubkey2.pem -out t/secret1"
-        )
-        run_openssl(
-            "pkeyutl -derive -inkey t/privkey2.pem -peerkey t/pubkey1.pem -out t/secret2"
-        )
-    except RunOpenSslError:  # pragma: no cover
-        pytest.skip("system openssl does not support `pkeyutl -derive`")
-        return
+    run_openssl(
+        "pkeyutl -derive -inkey t/privkey1.pem -peerkey t/pubkey2.pem -out t/secret1"
+    )
+    run_openssl(
+        "pkeyutl -derive -inkey t/privkey2.pem -peerkey t/pubkey1.pem -out t/secret2"
+    )
 
     with open("t/secret1", "rb") as e:
         ssl_secret1 = e.read()
     with open("t/secret1", "rb") as e:
         ssl_secret2 = e.read()
 
-    if len(ssl_secret1) != vk1.curve.baselen:  # pragma: no cover
-        pytest.skip("system openssl does not support `pkeyutl -derive`")
-        return
+    assert len(ssl_secret1) == vk1.curve.verifying_key_length // 2
+    assert len(secret1) == vk1.curve.verifying_key_length // 2
 
     assert ssl_secret1 == ssl_secret2
     assert secret1 == ssl_secret1

src/ecdsa/test_pyecdsa.py

@@ -29,6 +29,7 @@
     SECP112r1,
     SECP112r2,
     SECP128r1,
+    SECP160r1,
     NIST192p,
     NIST224p,
     NIST256p,
@@ -313,8 +314,15 @@ class FakeGenerator:
             def order(self):
                 return 123456789
 
+        class FakeCurveFp:
+            def p(self):
+                return int(
+                    "6525534529039240705020950546962731340"
+                    "4541085228058844382513856749047873406763"
+                )
+
         badcurve = Curve(
-            "unknown", None, FakeGenerator(), (1, 2, 3, 4, 5, 6), None
+            "unknown", FakeCurveFp(), FakeGenerator(), (1, 2, 3, 4, 5, 6), None
         )
         badpub.curve = badcurve
         badder = badpub.to_der()
@@ -832,7 +840,6 @@ def test_VerifyingKey_encode_decode(curve, encoding):
     assert vk.pubkey.point == from_enc.pubkey.point
 
 
-
 class OpenSSL(unittest.TestCase):
     # test interoperability with OpenSSL tools. Note that openssl's ECDSA
     # sign/verify arguments changed between 0.9.8 and 1.0.0: the early
@@ -890,7 +897,13 @@ def test_from_openssl_secp112r2(self):
     def test_from_openssl_secp128r1(self):
         return self.do_test_from_openssl(SECP128r1)
 
-    @pytest.mark.slow
+    @pytest.mark.skipif(
+        "secp160r1" not in OPENSSL_SUPPORTED_CURVES,
+        reason="system openssl does not support secp160r1",
+    )
+    def test_from_openssl_secp160r1(self):
+        return self.do_test_from_openssl(SECP160r1)
+
     @pytest.mark.skipif(
         "prime192v1" not in OPENSSL_SUPPORTED_CURVES,
         reason="system openssl does not support prime192v1",
@@ -1076,7 +1089,13 @@ def test_to_openssl_secp112r2(self):
     def test_to_openssl_secp128r1(self):
         self.do_test_to_openssl(SECP128r1)
 
-    @pytest.mark.slow
+    @pytest.mark.skipif(
+        "secp160r1" not in OPENSSL_SUPPORTED_CURVES,
+        reason="system openssl does not support secp160r1",
+    )
+    def test_to_openssl_secp160r1(self):
+        self.do_test_to_openssl(SECP160r1)
+
     @pytest.mark.skipif(
         "prime192v1" not in OPENSSL_SUPPORTED_CURVES,
         reason="system openssl does not support prime192v1",