Google -> GitHub Sync, 1 Feb 2017 (#19)

* Removing duplicates from BigIntegerTest.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=142548323

* Remove @NoPresubmitCheck from testModifiedPublic() and testModifiedPublicSpec(). The corresponding bug was fixed in BC 1.55 or BC 1.56.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=142561682

* minor typos

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=142743772

* Regenerating the test vectors for ECDSA:
- this adds more comments for bug types and modifications of the signatures.
- fixes some ugly formatting.
- adds some additional test vectors.

There are no new bugs.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=144619819

* Regenerating DSA test vectors:
This adds a few more test vectors.
The test vectors are now divided between test vectors with valid BER encodings
and test vectors with invalid DER encodings.
The description of the test vector better describes what was modified.

Also fixing issue #17 on GitHub: testVectors in DsaTest not using the message parameter

There are no changes to the presubmit tests. Tests that can be enabled because of
Oracle's security update will be added in another CL.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=144814889

* Regenerating test vectors for EcdhTest.java

Merging a test with small order into the test vectors.
Fixing ASN encoding of 0 (from 0200 to 020100, i.e. length must be > 0).

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=144815129

* Regenerating RSA signatures.

Adding test vectors that were removed because of b/31575502. Oracle fixes this with CVE-2016-5547.

Changing ASN tags with value 0x50 to 0x30 (0x50 would be something like sequence of sequence but does not exist), hence the old vectors are unlikely to cause problems.

Adding more modifications of OIDs. The new vectors unpack the OIDs and change the nodes.
(E.g. the OID for sha256 is the hexadecimal string "608648016503040201" which is an
ASN encoding of "2.16.840.1.101.3.4.2.1". The new test vectors include invalid encoding,
encodings with additional nodes, deleted nodes and nodes that are changed to large integers)

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=144846826

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=145060646

* Removing presubmit restrictions for tests that have been fixed internally and upstream.
Mainly these are tests with CVEs that were announced during the Jan 17 security update
by Oracle.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=145397539

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=145418516

* Adding the CVE numbers from Oracle's Jan 17 security update to the documentation.
Minor changes to some test vectors: Some of the garbage added to the ASN encoding
was itself incorrect and has been replaced.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=145650774

* ECDSA MODIFIED_SIGNATURES should be public now.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=146186539
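The two encodings named in the commit messages above (the INTEGER 0 as 020100 rather than 0200, and the sha256 OID 2.16.840.1.101.3.4.2.1 as the content octets 608648016503040201) worked through in a small strict DER encoder and decoder. This is an added example, not Wycheproof's own code or test vectors: the function names are mine, and the malformed inputs in the test are constructed to mirror the kinds of modification the messages describe (zero-length integer, extra OID node, node replaced by a large integer, dangling continuation byte).

```python
"""Strict DER helpers for INTEGER and OBJECT IDENTIFIER (added example)."""


def encode_length(n):
    """DER length: short form below 0x80, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_tlv(der):
    """Split one DER TLV into (tag, content, rest); reject non-minimal lengths."""
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, first = der[0], der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad long-form length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
        if der[2] == 0 or length < 0x80:
            raise ValueError("non-minimal length")
    content = der[offset:offset + length]
    if len(content) != length:
        raise ValueError("truncated content")
    return tag, content, der[offset + length:]


def encode_integer(value):
    """DER INTEGER for value >= 0 (ECDSA/DSA r and s are non-negative).
    The content is never empty: 0 encodes as the single octet 0x00."""
    if value < 0:
        raise ValueError("non-negative integers only")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + encode_length(len(body)) + body


def decode_integer(der):
    """Strict INTEGER decoder: rejects empty and non-minimal content."""
    tag, body, rest = read_tlv(der)
    if tag != 0x02 or rest:
        raise ValueError("not a single INTEGER")
    if not body:
        raise ValueError("INTEGER needs at least one content octet")  # rejects 0200
    if len(body) > 1 and (
        (body[0] == 0x00 and body[1] < 0x80) or (body[0] == 0xFF and body[1] >= 0x80)
    ):
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big", signed=True)


def _base128(n):
    """Sub-identifier as base-128 groups, continuation bit on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (first two arcs merged as 40*a+b)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return b"\x06" + encode_length(len(body)) + body


def decode_oid(der):
    """Strict OID decoder: rejects empty content, a dangling continuation byte
    and non-minimal (leading 0x80) sub-identifiers."""
    tag, body, rest = read_tlv(der)
    if tag != 0x06 or rest or not body:
        raise ValueError("not a single OBJECT IDENTIFIER")
    subids, value, in_progress = [], 0, False
    for b in body:
        if not in_progress and b == 0x80:
            raise ValueError("non-minimal sub-identifier")
        value = (value << 7) | (b & 0x7F)
        in_progress = bool(b & 0x80)
        if not in_progress:
            subids.append(value)
            value = 0
    if in_progress:
        raise ValueError("dangling continuation byte")
    first = subids[0]
    lead = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in lead + tuple(subids[1:]))


def is_sha256_oid(der):
    """Compare the raw bytes against the one expected encoding; this rejects
    every modified OID (extra, deleted or enlarged nodes) without decoding."""
    return der == encode_oid("2.16.840.1.101.3.4.2.1")


def rejected(decoder, hexstr):
    """True if the strict decoder refuses the hex-encoded TLV."""
    try:
        decoder(bytes.fromhex(hexstr))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(encode_oid("2.16.840.1.101.3.4.2.1").hex())  # 0609608648016503040201
    print(encode_integer(0).hex())                       # 020100
    for h in ("0200", "02020000", "020100"):
        print(h, "rejected" if rejected(decode_integer, h) else "accepted")
```

Comparing an algorithm identifier by its exact bytes, as is_sha256_oid does, is the simplest defence against the OID variants described in the commit message; a decode-then-compare path has to be strict about every sub-identifier to reach the same result.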
11 files changed
tree: 8bba871b7a7fddde1e14262b5a0ed86e420fd0d8
README.md

Project Wycheproof

https://github.com/google/wycheproof

Project Wycheproof is named after Mount Wycheproof, the smallest mountain in the world. The main motivation for the project is to have a goal that is achievable. The smaller the mountain the more likely it is to be able to climb it.

Introduction

Project Wycheproof tests crypto libraries against known attacks. It is developed and maintained by members of Google Security Team, but it is not an official Google product.

At Google, we rely on many third party cryptographic software libraries. Unfortunately, in cryptography, subtle mistakes can have catastrophic consequences, and we found that libraries fall into such implementation pitfalls much too often and for much too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades' worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that cryptographic loopholes can be resolved by the same means.

These observations have prompted us to develop Project Wycheproof, a collection of unit tests that detect known weaknesses or check for expected behaviors of some cryptographic algorithm. Project Wycheproof provides tests for most cryptographic algorithms, including RSA, elliptic curve crypto and authenticated encryption. Our cryptographers have systematically surveyed the literature and implemented most known attacks. We have over 80 test cases which have uncovered more than 40 bugs. For example, we found that we could recover the private key of widely-used DSA and ECDHC implementations.

While we are committed to develop as many attacks as possible, Project Wycheproof is by no means complete. Passing the tests does not imply that the library is secure, it just means that it is not vulnerable to the attacks that Project Wycheproof tests for. Cryptographers are also constantly discovering new attacks. Nevertheless, with Project Wycheproof developers and users now can check their libraries against a large number of known attacks, without having to spend years reading academic papers or become cryptographers themselves.

For more information on the goals and strategies of Project Wycheproof, please check out our doc.

Coverage

Project Wycheproof has tests for the most popular crypto algorithms, including

The tests detect whether a library is vulnerable to many attacks, including

  • Invalid curve attacks
  • Biased nonces in digital signature schemes
  • Of course, all Bleichenbacher’s attacks
  • And many more -- we have over 80 test cases
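To make the first item concrete, here is an added example (not Wycheproof's code) of the public-key validation that defeats invalid curve attacks in ECDH: a peer's point is checked against the curve equation and coordinate range before any scalar multiplication, and the function is refused otherwise. The curve constants are the standard NIST P-256 domain parameters; the function names, the toy private keys and the off-curve point are constructed for the demonstration.

```python
"""Peer public-key validation for P-256 ECDH (added example).

An invalid curve attack supplies a point that lies on a different, weaker
curve sharing the same a coefficient. An implementation that multiplies its
private scalar by that point without checking it leaks the scalar modulo the
small order of the bogus point. Validating every incoming point closes this.
"""

# NIST P-256 domain parameters (standard values).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # point at infinity


def is_on_curve(point):
    """Public-key validation for a prime-order curve (cofactor 1):
    not infinity, coordinates in range, and y^2 == x^3 + a*x + b (mod p)."""
    if point is INF:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition (textbook formulas, not constant time)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, point):
    """Left-to-right double-and-add scalar multiplication."""
    result = INF
    for bit in bin(k)[2:]:
        result = add(result, result)
        if bit == "1":
            result = add(result, point)
    return result


def ecdh(private_key, peer_public):
    """Shared-secret x-coordinate; refuses peer points that fail validation."""
    if not is_on_curve(peer_public):
        raise ValueError("peer public key is not a valid P-256 point")
    shared = mul(private_key, peer_public)
    if shared is INF:
        raise ValueError("shared point at infinity")
    return shared[0]


# Constructed demonstration inputs: toy scalars (never use such small private
# keys) and a point with G's x-coordinate but an altered y, so it is off-curve.
OFF_CURVE_POINT = (G[0], (G[1] + 1) % P)

if __name__ == "__main__":
    alice, bob = 2, 3
    print(ecdh(alice, mul(bob, G)) == ecdh(bob, mul(alice, G)))  # True
    print(is_on_curve(OFF_CURVE_POINT))                          # False
```

On a cofactor-1 curve such as P-256 the on-curve check is sufficient; on curves with a cofactor greater than one, the same validation must additionally confirm that the point lies in the prime-order subgroup (or the implementation must multiply by the cofactor), which is the gap the small-order test vectors mentioned in the EcdhTest commit above probe.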

Our first set of tests is written in Java, because Java has a common cryptographic interface. This allowed us to test multiple providers with a single test suite. While this interface is somewhat low level, and should not be used directly, we still apply a "defense in depth" argument and expect that the implementations are as robust as possible. For example, we consider weak default values to be a significant security flaw. We are converting as many tests as possible into sets of test vectors to simplify porting the tests to other languages. We provide ready-to-use test runners for Java Cryptography Architecture providers such as Bouncy Castle, Spongy Castle, and the default providers in OpenJDK.

Usage

git clone https://github.com/google/wycheproof.git
  • To test the latest stable version of Bouncy Castle:
bazel test BouncyCastleAllTests
  • To test other versions, e.g., v1.52:
bazel test BouncyCastleAllTests_1_52
  • To test all known versions (warning: this will take a long time):
bazel test BouncyCastleAllTests_*
  • To test a local jar, set the WYCHEPROOF_BOUNCYCASTLE_JAR environment variable (export it, so that bazel inherits it):
$ export WYCHEPROOF_BOUNCYCASTLE_JAR=/path/to/bouncycastle
$ bazel test BouncyCastleTestLocal
$ bazel test BouncyCastleAllTestsLocal

Note: bazel does not currently invalidate the build on environment changes. If you change the WYCHEPROOF_BOUNCYCASTLE_JAR environment variable, run bazel clean to force a rebuild:

$ export WYCHEPROOF_BOUNCYCASTLE_JAR=/path/to/bouncycastle
$ bazel test BouncyCastleTestLocal
$ export WYCHEPROOF_BOUNCYCASTLE_JAR=/path/to/other/jar
$ bazel clean
$ bazel test BouncyCastleTestLocal
  • To test Spongy Castle, replace BouncyCastle with SpongyCastle in your commands, for example:
bazel test SpongyCastleAllTests
  • To test your current installation of OpenJDK:
bazel test OpenJDKAllTests

Note that OpenJDKAllTests expects OpenJDK to be your default JDK, so it might refuse to run, or its results might be incorrect, if you are using some other JDK. If you downloaded your JDK from Oracle or https://java.com, you're probably using Oracle JDK, which should be compatible with OpenJDK, so the tests should run correctly.

Some tests take a very long time to finish. If you want to exclude them, use BouncyCastleTest, SpongyCastleTest or OpenJDKTest -- these targets exclude all slow tests (which are annotated with @SlowTest).

Most test targets are failing, and each failure might be a security issue. To learn more about what a failed test means, you might want to check out our documentation (doc/bugs.md) or the comments on top of the corresponding test function and test class.

Hall of Bugs

Here are some of the notable vulnerabilities that are uncovered by Project Wycheproof:

Maintainers

Project Wycheproof is maintained by:

  • Daniel Bleichenbacher
  • Thai Duong
  • Emilia Kasper
  • Quan Nguyen

Contact and mailing list

If you want to contribute, please read CONTRIBUTING and send us pull requests. You can also report bugs or request new tests.

If you'd like to talk to our developers or get notified about major new tests, you may want to subscribe to our mailing list. To join, simply send an empty mail to wycheproof-users+subscribe@googlegroups.com.