ECP self-test2 fails #2650

Closed
hyukdong opened this issue May 16, 2019 · 8 comments
Labels
component-crypto Crypto primitives and low-level interfaces

Comments

hyukdong commented May 16, 2019

Description

  • Type: Question
  • Priority: Blocker

On mbedTLS 2.16.1, ecp self-test 2 (constant op_count, other point) fails on several curves.
In detail,

  1. test#1 (constant op_count, base point G) runs quite well.
  2. returns error (MBEDTLS_ERR_ECP_INVALID_KEY) on ecp.c line 2468, where the function 'ecp_check_pubkey_sw' compares two points YY and RHS.
  3. the function above is called to check the public key for SHORTWEIERSTRASS curves in 'mbedtls_ecp_check_pubkey'. The validity check for Montgomery curves, which only considers the size of X, passes.
  4. no problem on secp192r1
  5. fails on other secp curves (secp224r1, secp256r1, secp384r1, secp192k1, secp224k1, and secp256k1)
  6. haven't tried Montgomery curves (curve448 and curve25519)

Runs on FreeRTOS, using lwIP v2.0.3.
The configuration basically follows the default settings of config-suite-b, and what I guess is noteworthy to report is as follows:

  1. No Entropy (MBEDTLS_TEST_NULL_ENTROPY, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES, MBEDTLS_NO_PLATFORM_ENTROPY)
  2. ALT functions (MBEDTLS_PLATFORM_TIME_ALT, MBEDTLS_PLATFORM_PRINTF_ALT, MBEDTLS_PLATFORM_SNPRINTF_ALT)
  3. No touch on BIGNUM or ECP options (options such as MPI Window Size and ECP Max Bits follow the mbedTLS defaults)

Thank you in advance for your support.

RonEld (Contributor) commented May 19, 2019

Hi @hyukdong
I have tried reproducing your issue, but all the tested SHORTWEIERSTRASS tests passed.
Is there any other configuration that you have modified compared to config-suite-b ?

RonEld added the component-crypto and question labels May 19, 2019

hyukdong (Author) commented May 20, 2019

Hello @RonEld, I appreciate your help.
Actually the configuration is quite different from that of config-suite-b.
The whole parameter set and the self-test results are below.
I believe the problem results from a conflict between mbedTLS and platform settings (lwIP, FreeRTOS, or whatever else I haven't even noticed), since a problem inherent in mbedTLS would be filtered by check_config, and many users are using it without any problem.
I hope my question is not beyond the scope of the board.
Thank you.

/* Version upgrade */
#define MBEDTLS_CHECK_PARAMS
#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
#define MBEDTLS_ECDH_LEGACY_CONTEXT
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE

/* System support */
#define MBEDTLS_HAVE_ASM
#define MBEDTLS_HAVE_TIME

/* mbed TLS feature support */
#define MBEDTLS_CIPHER_MODE_CBC
#define MBEDTLS_PKCS1_V15
#define MBEDTLS_PKCS1_V21
#define MBEDTLS_SSL_PROTO_TLS1_2
#define MBEDTLS_VERSION_C

/* mbed TLS modules */	// removed GCM, NET
#define MBEDTLS_AES_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_CIPHER_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_DES_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_MD_C
#define MBEDTLS_OID_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_RSA_C
#define MBEDTLS_SHA1_C		// inserted
#define MBEDTLS_SHA256_C
#define MBEDTLS_SHA512_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_TLS_C
#define MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_X509_USE_C

/* For test certificates */
#define MBEDTLS_BASE64_C
#define MBEDTLS_CERTS_C
#define MBEDTLS_PEM_PARSE_C

/* Save RAM at the expense of ROM */
#define MBEDTLS_AES_ROM_TABLES

/* Significant speed benefit at the expense of some ROM */
#define MBEDTLS_ECP_NIST_OPTIM

/* My Configurations: Entropy */
#define MBEDTLS_TEST_NULL_ENTROPY
#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
#define MBEDTLS_NO_PLATFORM_ENTROPY

/* My Configurations: Entropy */
#define MBEDTLS_PLATFORM_MEMORY
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS

/* My Configurations: ALT Functions */
#define MBEDTLS_PLATFORM_C
#define MBEDTLS_PLATFORM_TIME_ALT
#define MBEDTLS_PLATFORM_PRINTF_ALT
#define MBEDTLS_PLATFORM_SNPRINTF_ALT

/* My Configurations: ECP */
#define MBEDTLS_ECP_FIXED_POINT_OPTIM			1
#define MBEDTLS_ECP_RESTARTABLE 
#define MBEDTLS_ECDSA_DETERMINISTIC	 
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_PK_PARSE_EC_EXTENDED
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C

/* My Configurations: SSL */
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
#define MBEDTLS_SSL_CACHE_C
#define MBEDTLS_SSL_COOKIE_C
#define MBEDTLS_SSL_TICKET_C

/* My Configurations: miscellaneous */
#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
#define MBEDTLS_DEBUG_C
#define MBEDTLS_CIPHER_PADDING_PKCS7
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_VERSION_FEATURES
#define MBEDTLS_CCM_C
#define MBEDTLS_CMAC_C
#define MBEDTLS_SELF_TEST
#define MBEDTLS_DHM_C
#define MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
#define MBEDTLS_AESNI_C
#define MBEDTLS_HKDF_C					
#define MBEDTLS_PKCS5_C
#define MBEDTLS_PKCS12_C

/* My Configurations: ECDSA Curves */
#define	MBEDTLS_ECP_DP_SECP192R1_ENABLED	// selftest 1 2 success
#define	MBEDTLS_ECP_DP_SECP224R1_ENABLED	// selftest 1 success 2 fails
#define	MBEDTLS_ECP_DP_SECP256R1_ENABLED 	// selftest fails
#define	MBEDTLS_ECP_DP_SECP384R1_ENABLED	// selftest 1 often fails
#define	MBEDTLS_ECP_DP_SECP521R1_ENABLED 	// selftest 1 success 2 fails

#define	MBEDTLS_ECP_DP_BP256R1_ENABLED		// selftest 1 2 success (takes up too much time)
#define	MBEDTLS_ECP_DP_BP384R1_ENABLED		// selftest 1 2 success (takes up too much time)
#define	MBEDTLS_ECP_DP_BP512R1_ENABLED		// selftest 1 2 success (takes up too much time)
#define	MBEDTLS_ECP_DP_SECP192K1_ENABLED	/// selftest fails
#define	MBEDTLS_ECP_DP_SECP224K1_ENABLED	//  selftest 1 success 2 fails
#define	MBEDTLS_ECP_DP_SECP256K1_ENABLED	// selftest fails

#define MBEDTLS_ECP_DP_CURVE25519_ENABLED	// not tested
#define MBEDTLS_ECP_DP_CURVE448_ENABLED		// not tested

RonEld (Contributor) commented May 20, 2019

@hyukdong Thank you for sharing your configuration!
I have tested your configuration without the alternative platform implementation, and I still get successful results on my Ubuntu desktop.
I would suggest you check your ALT functions, in case they overrun some memory.

RonEld (Contributor) commented Jul 4, 2019

@hyukdong Do you have an update on your tests?

hyukdong (Author) commented Jul 16, 2019

@hyukdong Do you have an update on your tests?

Hello @RonEld, I appreciate your consistent interest in this issue and I'm sorry for my late response.
Due to the delay in solving my problem, I had to get my other work done.
Now that the other jobs are done, I'll pursue this issue for about 2 weeks, and whether I solve it or not,
I will share the result and the information I gained from it on this board.

I appreciate your suggestion.
Verifying the ALT functions was one of the first things I tried, but I failed to get a clue.
However, I have another question which may lead me to the answer, which is:

mpi_sub_hlp doesn't work properly in my system

The problem above looks the same as that described in #641 (#641 (comment)),
where @blaufish claims that mpi_sub_hlp needs a boundary check.
@sbutcher-arm commented that the problem was solved in v2.5.1,
but mpi_sub_hlp in the latest mbedTLS has no boundary-checking procedure.
Sometimes, but not always, mpi_sub_hlp goes beyond the boundary of the MPI input in my system.

I guess some bug in my system (such as byte ordering) causes this problem, but I am still curious why the boundary-check concept was not adopted in the latest version.

RonEld (Contributor) commented Aug 22, 2019

Hi @hyukdong
I apologize for the delayed reply.

The fixes mentioned in the issue you referenced are in the current development branch. (Actually, the file itself moved to the mbed-crypto repository, but the fix is there.)
The mentioned fix is about the sign and about the modulus not being 1. I don't think it's related to your case though.

Is there any update on your issue?

hyukdong (Author) commented Aug 23, 2019

Is there any update on your issue?

Hello @RonEld
I really appreciate your reply and your consistent concern.
I didn't know how mbedTLS calculates elliptic curves then, but now I understand that a boundary check is not necessary.

Long story short, the problem is somehow solved, and it was not mbedTLS's fault.
The villain was memcpy in mbedtls_mpi_copy, called when mbedTLS tries to copy ECP parameters such as secp256r1_p and secp521r1_p. I don't know the exact reason, but sometimes, when storing the data value (the result of memcpy) in a register, the register turns a 0xFF octet into 0x00. (memcpy produces 0x00 when the original source is 0xFF.)

My teammate is investigating this problem and assumes the simulation tool causes such a malfunction. I circumvented the problem by using my own memcpy-like function, and mbedTLS works well. All self-tests have passed.

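A platform sanity check for the failure mode reported above (a memcpy whose result comes back with 0xFF octets turned into 0x00 when the copied limbs are loaded), as an added example that is not part of Mbed TLS or the reporter's own code. It compares memcpy() against a volatile byte-wise copy (a hypothetical stand-in for the reporter's memcpy-like replacement) on a constructed input: the secp256r1 prime p in big-endian bytes, chosen because it is dominated by 0xFF octets.

```c
/* Added example: detect a platform memcpy() that corrupts 0xFF bytes,
 * the symptom described in this issue.  Not Mbed TLS code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed input: secp256r1 p = 2^256 - 2^224 + 2^192 + 2^96 - 1, big-endian. */
static const uint8_t secp256r1_p_be[32] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
};

/* Hypothetical replacement copy: volatile byte loop, so the compiler cannot
 * turn it back into a call to the memcpy() under test. */
static void byte_copy(uint8_t *dst, const uint8_t *src, size_t n)
{
    volatile uint8_t *d = dst;
    const volatile uint8_t *s = src;
    while (n-- > 0) *d++ = *s++;
}

/* Copies src with memcpy() into a cleared buffer and returns how many bytes
 * differ from the byte-wise copy afterwards (0 means memcpy() is sane here).
 * Returns (size_t)-1 if n exceeds the scratch buffers. */
size_t count_memcpy_corruptions(const uint8_t *src, size_t n)
{
    uint8_t via_memcpy[64], via_bytes[64];
    size_t i, bad = 0;
    if (n > sizeof via_memcpy) return (size_t) -1;
    memset(via_memcpy, 0, sizeof via_memcpy);
    byte_copy(via_bytes, src, n);
    memcpy(via_memcpy, src, n);
    for (i = 0; i < n; i++) {
        /* Read back through volatile so the comparison really loads from memory. */
        uint8_t got = *(volatile uint8_t *) &via_memcpy[i];
        if (got != via_bytes[i]) bad++;
    }
    return bad;
}

/* Self-test over the curve prime and an all-0xFF block; 1 on success, 0 on failure. */
int memcpy_self_test(void)
{
    uint8_t all_ff[48];
    memset(all_ff, 0xFF, sizeof all_ff);
    return count_memcpy_corruptions(secp256r1_p_be, sizeof secp256r1_p_be) == 0 &&
           count_memcpy_corruptions(all_ff, sizeof all_ff) == 0;
}
```

On the reporter's simulator this check would report a non-zero corruption count for the 0xFF-heavy inputs while a healthy toolchain returns 0, which localises the fault to the platform copy rather than to the ECP arithmetic.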
RonEld (Contributor) commented Aug 25, 2019

Closing this question, as we believe it was answered and resolved on the Mbed TLS side.
If you think this question was wrongfully closed, please reopen it and add your follow-up question.

RonEld closed this as completed Aug 25, 2019