Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add test for ECP group metadata #6203

Merged
merged 6 commits into from
Sep 20, 2022
Merged

Add test for ECP group metadata #6203

merged 6 commits into from
Sep 20, 2022

Conversation

wernerlewis
Copy link
Contributor

@wernerlewis wernerlewis commented Aug 15, 2022
edited
Loading

Description

Test cases added to check curve parameters and information for each
curve supported. Expected parameters are taken from references: SEC 2
for NIST, RFC 5639 for Brainpool, and RFC 7748 for curve25519/curve448.

Each group is compared with known curve parameters, other metadata is
checked and validated against test data. This includes loading the group by
TLS ID, by name, and from the result of mbedtls_ecp_tls_write_group.

This has been tested with the bug described in #5810, which is caught by
these tests. Resolves #5919.

Status

READY

Requires Backporting

Yes 2.28 #6204

@wernerlewis wernerlewis added enhancement component-crypto Crypto primitives and low-level interfaces labels Aug 15, 2022
@wernerlewis wernerlewis added the needs-backports Backports are missing or are pending review and approval. label Aug 15, 2022
@wernerlewis wernerlewis mentioned this pull request Aug 15, 2022
Merged
@wernerlewis
Add test for ECP group metadata
e54046c 
Test cases added to check curve parameters and information for each
curve supported. Expected parameters are taken from references: SEC 2
for NIST, RFC 5639 for Brainpool, and RFC 7748 for curve25519/curve448.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
@wernerlewis wernerlewis added needs-ci Needs to pass CI tests needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review and removed needs-ci Needs to pass CI tests labels Aug 15, 2022
@daverodgman daverodgman added the priority-high High priority - will be reviewed soon label Aug 16, 2022
@daverodgman daverodgman self-requested a review August 24, 2022 14:49
@wernerlewis
Use spec values as-is for test data
c4afef7 
Spec values are now always used for test data, and conversion to
internal representation is done in the test function.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
daverodgman
daverodgman previously approved these changes Aug 31, 2022
View reviewed changes
AndrzejKurek
AndrzejKurek reviewed Sep 19, 2022
View reviewed changes
tests/suites/test_suite_ecp.data Outdated
mbedtls_ecp_group_metadata:MBEDTLS_ECP_DP_BP384R1:384:MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS:"8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53":"7bc382c63d8c150c3c72080ace05afa0c2bea28e4fb22787139165efba91f90f8aa5814a503ad4eb04a8c7dd22ce2826":"4a8c7dd22ce28268b39b55416f0447c2fb77de107dcd2a62e880ea53eeb62d57cb4390295dbc9943ab78696fa504c11":"1d1c64f068cf45ffa2a63a81b7c13f6b8847a3e77ef14fe3db7fcafe0cbd10e8e826e03436d646aaef87b2e247d4af1e":"8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff99129280e4646217791811142820341263c5315":"8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046565":27

Check ECP group metadata #11 bp512r1 (RFC 5639)
depends_on:MBEDTLS_ECP_DP_BP521R1_ENABLED
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be MBEDTLS_ECP_DP_BP512R1_ENABLED instead. Interesting that this wasn't picked up by scripts as a typo...

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, check_names.py doesn't check tests.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can find out about typos in test dependencies from the result analysis job on Jenkins: it reports test cases that are not executed in any configuration. It isn't a CI failure to have those because some are legitimate and we haven't gotten around to analyzing the logs.

AndrzejKurek
AndrzejKurek suggested changes Sep 19, 2022
View reviewed changes
Copy link
Contributor

@AndrzejKurek AndrzejKurek left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I verified that all of #5919 apart from one (minor) have been addressed: mbedtls_ecp_tls_read_group_id is not called explicitly, but is called via mbedtls_ecp_tls_read_group.
I also verified that all of the data from RFC's is copied properly, apart from one detail: leading zeroes are removed. The library should handle it fine and I would even consider that a part of being able to handle raw data from RFC's, so it would be great to fix that. Also it's easier to search for full test data in the .data file and not pay attention to zeros. Affected curves:

  • secp224k1;
  • secp521r1;
  • brainpoolP384r1.

One major typo found, leading zeroes are a minor and just a reccomendation from me.

@wernerlewis
Fix typo in MBEDTLS_ECP_DP_BP512R1
5780730 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
@wernerlewis
Add leading zeros to group metadata
7403d93 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
@wernerlewis
Add explicit mbedtls_ecp_tls_read_group_id call
ccae25b 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
@daverodgman daverodgman removed the needs-reviewer This PR needs someone to pick it up for review label Sep 20, 2022
daverodgman
daverodgman previously approved these changes Sep 20, 2022
View reviewed changes
AndrzejKurek
AndrzejKurek reviewed Sep 20, 2022
View reviewed changes
tests/suites/test_suite_ecp.function
// Read group from buffer and compare with expected ID
TEST_EQUAL( mbedtls_ecp_tls_read_group_id( &read_g_id, &vbuf, olen ),
0 );
TEST_EQUAL( read_g_id, id );
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mbedtls_ecp_tls_read_group_id will modify vbuf.

Suggested change
TEST_EQUAL( read_g_id, id );
TEST_EQUAL( read_g_id, id );
vbuf = buf;

AndrzejKurek
AndrzejKurek suggested changes Sep 20, 2022
View reviewed changes
Copy link
Contributor

@AndrzejKurek AndrzejKurek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small change that fails on the CI.

@wernerlewis
Restore vbuf value after modification
05feee1 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
@AndrzejKurek AndrzejKurek added approved Design and code approved - may be waiting for CI or backports and removed needs-review Every commit must be reviewed by at least two team members, labels Sep 20, 2022
@daverodgman daverodgman merged commit 36e1d9e into Mbed-TLS:development Sep 20, 2022
@wernerlewis wernerlewis deleted the ecp_group_test branch September 21, 2022 08:03
@mpg
Copy link
Contributor

mpg commented Dec 13, 2022

@daverodgman Why was this merged while it was labeled needs-backport? As a general rule we wait for backports to be ready before we merge the main PR, and it's OK to make exceptions but IMO we should briefly state the reason why before merging, at least to make it clear that it was a conscious decision.

@mpg
Copy link
Contributor

mpg commented Dec 13, 2022

Note: I just merged the backport #6204 (this is how I noticed) and I don't think it's a problem that it won't be in the same release as the main PR, considering this is just a test enhancement.

@mpg mpg removed the needs-backports Backports are missing or are pending review and approval. label Dec 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gilles-peskine-arm gilles-peskine-arm gilles-peskine-arm left review comments

@daverodgman daverodgman daverodgman approved these changes

@AndrzejKurek AndrzejKurek AndrzejKurek approved these changes

Assignees
No one assigned
Labels
approved Design and code approved - may be waiting for CI or backports component-crypto Crypto primitives and low-level interfaces enhancement priority-high High priority - will be reviewed soon
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Test ECP group metadata
5 participants
@wernerlewis @mpg @daverodgman @gilles-peskine-arm @AndrzejKurek