search

wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
https://www.wolfssl.com
GNU General Public License v2.0
2.32k stars 822 forks source link

[Bug]: Testbench doesn't respect NO_ECC_SECP #6397

Closed maxgerhardt closed 1 year ago

maxgerhardt commented 1 year ago

Contact Details

maximilian.gerhardt@rub.de

Version

870f7cc95b1061b0f829d15315c66b6b6823eb99

Description

WolfSSL and NIST-P curves seem to glued together inseparably. I really don't want the NIST P-x / SECP curve in my application. WolfSSL has the NO_ECC_SECP macro which is supposed to disable these curves.

However, doing so makes the selftests check still attempt to do tests on the NIST curves -- subsequently failing on it, although WolfSSL would be prefectly operateble on the chosen curves.

The testbench should respect NO_ECC_SECP and only test the features / curves it was compile-activated for.

The relevant test.c code does not.

Reproduction steps

(On: Ubuntu 22.04, x64)

  1. ./configure --enable-brainpool --enable-ecccustcurves --disable-curve25519 --disable-ed25519 --enable-crypttests-libs --enable-crypttests
  2. make
  3. ./wolfcrypt/test/testwolfcrypt
  4. EXTRA_CFLAGS="-DNO_ECC_SECP" ./configure --enable-brainpool --enable-ecccustcurves --disable-curve25519 --disable-ed25519 --enable-crypttests-libs --enable-crypttests
  5. make
  6. ./wolfcrypt/test/testwolfcrypt

Relevant log output

With first config:

ECC      test passed!

with second config:

ecc_test_vector 28 failed!: -140
ECC      test failed!
 error L=140
 [fiducial line numbers: 7580 23060 33425 45580]
Exiting main with return code: -1
dgarske commented 1 year ago

Hi @maxgerhardt ,

Yeah you have hit a use-case we haven't tested. We typically always have the standard NIST prime curves enabled. I understand wanting just the brain pool curves enabled. I think at one time this worked and getting it working should be easy. I'll have another engineer review effort.

Thanks, David Garske, wolfSSL

lealem47 commented 1 year ago

Hi @maxgerhardt,

Thank you for this report. This issue should be resolved with https://github.com/wolfSSL/wolfssl/pull/6402

maxgerhardt commented 1 year ago

I applied https://patch-diff.githubusercontent.com/raw/wolfSSL/wolfssl/pull/6402.patch to my wolfssl version and recompiled with NO_ECC_SECP activated and in my embedded application (that has USE_CERT_BUFFERS_256 on), it the fails in the ecc_test_buffers() test in 

    /* Lookup OID id. */
    ret = wc_ecc_get_oid(oid, NULL, &oidSz);

because it can't find the curve OID for it.

ECC buffer test failed!
 error = -10422

Further when WOLFSSL_CERT_GEN is activated, that also blows up

ecc_test_vector 32 failed!: -140
ECC      test failed!
lealem47 commented 1 year ago

@maxgerhardt Could you test with https://github.com/wolfSSL/wolfssl/pull/6411?

lealem47 commented 1 year ago

Hi @maxgerhardt,

Since we never heard back I will go ahead and close out this issue. If anything else come up please do not hesitate to open a new issue anytime. We are always happy to help out in any way we can.

Until next time all the best and thank you for reaching out.