Open
Bug 341704
Opened 20 years ago
Updated 3 years ago
Need lower-level ECC algorithm tests
Categories
(NSS :: Test, defect, P3)
Tracking
(Not tracked)
NEW
People
(Reporter: julien.pierre, Unassigned)
Details
We need to have additional tests, just like we have for RSA and the symmetric ciphers. We recently found a problem in ECC algorithms on one machine only because SSL failed. See bug 341573 .
I used the ecperf tool as suggested by Bob. These are the results on the machine/build whicih exhibited the SSL problem :
% ./ecperf
Testing SECP-160K1 using freebl implementation...
ECDH_Derive count: 100 sec: 1.60 op/sec: 62.34
ECDSA_Sign count: 100 sec: 1.64 op/sec: 61.12
ECDHE max rate = 30.87
ECDSA_Verify count: 100 sec: 2.99 op/sec: 33.45
... okay.
Testing NIST-P192 using freebl implementation...
ECDH_Derive count: 100 sec: 0.49 op/sec: 203.73
ECDSA_Sign count: 100 sec: 0.54 op/sec: 186.77
ECDHE max rate = 97.63
Error:: ECDSA_Verify: Peer's certificate has an invalid signature.
... okay.
Testing NIST-P224 using freebl implementation...
ECDH_Derive count: 100 sec: 0.76 op/sec: 131.46
ECDSA_Sign count: 100 sec: 0.82 op/sec: 122.47
ECDHE max rate = 63.48
Error:: ECDSA_Verify: Peer's certificate has an invalid signature.
... okay.
Testing NIST-P256 using freebl implementation...
ECDH_Derive count: 100 sec: 2.57 op/sec: 38.87
ECDSA_Sign count: 100 sec: 2.77 op/sec: 36.08
ECDHE max rate = 18.74
ECDSA_Verify count: 100 sec: 4.76 op/sec: 20.99
... okay.
Testing NIST-P384 using freebl implementation...
ECDH_Derive count: 100 sec: 9.07 op/sec: 11.02
ECDSA_Sign count: 100 sec: 10.01 op/sec: 9.99
ECDHE max rate = 5.25
ECDSA_Verify count: 100 sec: 14.59 op/sec: 6.85
... okay.
Testing NIST-P521 using freebl implementation...
ECDH_Derive count: 100 sec: 12.14 op/sec: 8.24
ECDSA_Sign count: 100 sec: 12.23 op/sec: 8.18
ECDHE max rate = 4.10
ECDSA_Verify count: 100 sec: 19.38 op/sec: 5.16
... okay.
We should integrate this into our QA. And there may be other lower-level tests we want to add.
| Reporter | ||
Comment 1•20 years ago
|
||
Shouldn't some FIPS140 tests also detect the failure of these algorithms ?
I was able to put the module into FIPS mode successfully even on the broken build.
Even if it isn't a FIPS requirement, it might make sense to add an EC test that would detect the verification failure to the self-test, especially as we can't test on every possible chip out there, and sometimes the code doesn't behave only on certain machines as was the case here.
Comment 2•20 years ago
|
||
Our FIPS power-up self-test only tests the NIST P-256
curve with ECDSA.
(http://lxr.mozilla.org/security/ident?i=sftk_fips_ECDSA_PowerUpSelfTest)
ecperf doesn't report any error with NIST P-256, which
is consistent with FIPS power-up self-test's result.
Comment 3•20 years ago
|
||
We seem to be encountering lots of issues due to lack of
complete curve coverage in all.sh.
The ECC library freebl/ecl has a set of standalone tests
(see the "TESTING" section in freebl/ecl/README). We
ought include those tests in our regular testing.
vipul
Comment 4•20 years ago
|
||
(In reply to comment #3)
> We seem to be encountering lots of issues due to lack of
> complete curve coverage in all.sh.
That is the subject of bug 337793, IINM.
A "fix" for bug 337793 was committed just today.
I don't know if it will suffice, but it's a start.
Comment 5•20 years ago
|
||
We may have an ECC selftest, but it may only test certain curves.
Note that ecperf is a good first cut, but it is possible for an algorithm to be broken without us knowing it. We should add some ecc vectors to bltest for each curve we support.
Comment 6•20 years ago
|
||
(In reply to comment #5)
> We may have an ECC selftest, but it may only test certain curves.
>
> Note that ecperf is a good first cut, but it is possible for an algorithm to be
> broken without us knowing it. We should add some ecc vectors to bltest for each
> curve we support.
There are test vectors in bltest for ECDSA for the curves listed in the file cmd/bltest/tests/ecdsa/README. I don't know (remember?) enough about bltest to remember if these are included by default. When I originally wrote the tests I could not write ECDH tests because there was no DH structure to mirror. Adding more curves to the ECDSA test, if desired, should be as "simple" as creating more files. I remember it was non-trivial for me to figure out what these files actually were supposed to be, however.
Douglas
Updated•19 years ago
|
Priority: -- → P3
Updated•19 years ago
|
QA Contact: slavomir.katuscak → test
Updated•3 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•