Open Bug 341704 Opened 20 years ago Updated 3 years ago

Need lower-level ECC algorithm tests

Categories

(NSS :: Test, defect, P3)

3.11.2

Tracking

(Not tracked)

People

(Reporter: julien.pierre, Unassigned)

Details

We need to have additional tests, just like we have for RSA and the symmetric ciphers. We recently found a problem in ECC algorithms on one machine only because SSL failed. See bug 341573 . I used the ecperf tool as suggested by Bob. These are the results on the machine/build whicih exhibited the SSL problem : % ./ecperf Testing SECP-160K1 using freebl implementation... ECDH_Derive count: 100 sec: 1.60 op/sec: 62.34 ECDSA_Sign count: 100 sec: 1.64 op/sec: 61.12 ECDHE max rate = 30.87 ECDSA_Verify count: 100 sec: 2.99 op/sec: 33.45 ... okay. Testing NIST-P192 using freebl implementation... ECDH_Derive count: 100 sec: 0.49 op/sec: 203.73 ECDSA_Sign count: 100 sec: 0.54 op/sec: 186.77 ECDHE max rate = 97.63 Error:: ECDSA_Verify: Peer's certificate has an invalid signature. ... okay. Testing NIST-P224 using freebl implementation... ECDH_Derive count: 100 sec: 0.76 op/sec: 131.46 ECDSA_Sign count: 100 sec: 0.82 op/sec: 122.47 ECDHE max rate = 63.48 Error:: ECDSA_Verify: Peer's certificate has an invalid signature. ... okay. Testing NIST-P256 using freebl implementation... ECDH_Derive count: 100 sec: 2.57 op/sec: 38.87 ECDSA_Sign count: 100 sec: 2.77 op/sec: 36.08 ECDHE max rate = 18.74 ECDSA_Verify count: 100 sec: 4.76 op/sec: 20.99 ... okay. Testing NIST-P384 using freebl implementation... ECDH_Derive count: 100 sec: 9.07 op/sec: 11.02 ECDSA_Sign count: 100 sec: 10.01 op/sec: 9.99 ECDHE max rate = 5.25 ECDSA_Verify count: 100 sec: 14.59 op/sec: 6.85 ... okay. Testing NIST-P521 using freebl implementation... ECDH_Derive count: 100 sec: 12.14 op/sec: 8.24 ECDSA_Sign count: 100 sec: 12.23 op/sec: 8.18 ECDHE max rate = 4.10 ECDSA_Verify count: 100 sec: 19.38 op/sec: 5.16 ... okay. We should integrate this into our QA. And there may be other lower-level tests we want to add.
Shouldn't some FIPS140 tests also detect the failure of these algorithms ? I was able to put the module into FIPS mode successfully even on the broken build. Even if it isn't a FIPS requirement, it might make sense to add an EC test that would detect the verification failure to the self-test, especially as we can't test on every possible chip out there, and sometimes the code doesn't behave only on certain machines as was the case here.
Our FIPS power-up self-test only tests the NIST P-256 curve with ECDSA. (http://lxr.mozilla.org/security/ident?i=sftk_fips_ECDSA_PowerUpSelfTest) ecperf doesn't report any error with NIST P-256, which is consistent with FIPS power-up self-test's result.
We seem to be encountering lots of issues due to lack of complete curve coverage in all.sh. The ECC library freebl/ecl has a set of standalone tests (see the "TESTING" section in freebl/ecl/README). We ought include those tests in our regular testing. vipul
(In reply to comment #3) > We seem to be encountering lots of issues due to lack of > complete curve coverage in all.sh. That is the subject of bug 337793, IINM. A "fix" for bug 337793 was committed just today. I don't know if it will suffice, but it's a start.
We may have an ECC selftest, but it may only test certain curves. Note that ecperf is a good first cut, but it is possible for an algorithm to be broken without us knowing it. We should add some ecc vectors to bltest for each curve we support.
(In reply to comment #5) > We may have an ECC selftest, but it may only test certain curves. > > Note that ecperf is a good first cut, but it is possible for an algorithm to be > broken without us knowing it. We should add some ecc vectors to bltest for each > curve we support. There are test vectors in bltest for ECDSA for the curves listed in the file cmd/bltest/tests/ecdsa/README. I don't know (remember?) enough about bltest to remember if these are included by default. When I originally wrote the tests I could not write ECDH tests because there was no DH structure to mirror. Adding more curves to the ECDSA test, if desired, should be as "simple" as creating more files. I remember it was non-trivial for me to figure out what these files actually were supposed to be, however. Douglas
Priority: -- → P3
QA Contact: slavomir.katuscak → test
Blocks: FIPS2008
No longer blocks: FIPS2008
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.