cisco/libacvp

KAS-ECC and KAS-FFC runtime error

Closed this issue · 10 comments

Hi,
When I run offline test for KAS-ECC or KAS-FFC, I get this error:
./app/acvp_app --kas_ecc --vector_req kas_ecc_request.json --vector_rsp kas_ecc_response.json --sample --verbose

Using the following parameters:

ACV_SERVER:     demo.acvts.nist.gov
ACV_PORT:       443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE:    certs/mozzila_trust_anchors.pem
ACV_CERT_FILE:  certs/XXX_Demo.cer
ACV_KEY_FILE:   certs/PRIVATEKEY.key

***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6465]--> KAS-ECC mode 2
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6465]--> KAS-ECC mode 1
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6465]--> KAS-ECC mode 1
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6465]--> KAS-ECC mode 1
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6465]--> KAS-ECC mode 1
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6465]--> KAS-ECC mode 1
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6465]--> KAS-ECC mode 1
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6465]--> KAS-ECC mode 4
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6465]--> KAS-ECC mode 4
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6465]--> KAS-ECC mode 4
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6465]--> KAS-ECC mode 4
***ACVP [STATUS][acvp_run_vectors_from_file:880]--> Beginning offline processing of vector sets...
***ACVP [INFO][acvp_run_vectors_from_file:946]--> Received vsid_url=/acvp/v1/testSessions/175206/vectorSets/543813
***ACVP [INFO][acvp_run_vectors_from_file:946]--> Received vsid_url=/acvp/v1/testSessions/175206/vectorSets/543814
***ACVP [INFO][acvp_run_vectors_from_file:946]--> Received vsid_url=/acvp/v1/testSessions/175206/vectorSets/543815
***ACVP [STATUS][acvp_dispatch_vector_set:2697]--> Processing vector set: 543813
***ACVP [STATUS][acvp_dispatch_vector_set:2698]--> Algorithm: KAS-ECC
***ACVP [INFO][acvp_kas_ecc_cdh:364]--> Test group: 1
***ACVP [INFO][acvp_kas_ecc_cdh:365]--> curve: P-224
***ACVP [INFO][acvp_kas_ecc_cdh:373]--> Found new KAS-ECC CDH test vector...
***ACVP [INFO][acvp_kas_ecc_cdh:416]--> psx: 0F124CA68C5DA3408FD4C9B36331A1A1FA0710849E9537A0AE82BCD3
***ACVP [INFO][acvp_kas_ecc_cdh:417]--> psy: 1DCDA7E2E3D845B9C0BDD2418658FF797EA189E5136626FF4623431D
***ACVP [ERR][acvp_kas_ecc_cdh:434]--> crypto module failed the operation
***ACVP [ERR][acvp_run_vectors_from_file:968]--> KAT dispatch error

I get the same error when I run KAS-FFC.

There are a couple of reasons that would happen. Either those are old KAS request files (NIST still allows testing them on the demo server, but they are of no use when it comes to production server testing because they are based on SP800-56Ar2, not SP800-56Ar3, which is now required), or you've registered for something we don't support in our app code.

What version of libacvp are you using? I'd recommend staying with the latest version; NIST moves fast these days.
When did you download the request files?
Have you modified the registration in app_main.c?

Hi @bfussell,
I got the KAS request files from the demo server using this command:
./app/acvp_app --kas_ecc --vector_req kas_ecc_request.json --sample

I am currently using the latest libacvp_1_4_0-throttle. I downloaded the files and ran the test right after. No, I did not modify the registration in app_main.c.
Thank you

The algorithms in your output indicate KAS-ECC and KAS-ECC CDH are in the request file. Neither of those is requested by default in libacvp_1_4_0-throttle. We only request KAS-ECC-SSC presently. Was the request file downloaded a while back?

No, the request files were not downloaded a while back. I downloaded the request file and tested it at the same time. This is what my header looks like:
{
"vsId": 545274,
"algorithm": "KAS-ECC",
"mode": "CDH-Component",
"revision": "1.0",
"isSample": true,
"testGroups": [
...
...
...

"vsId": 545276,
"algorithm": "KAS-ECC-SSC",
"revision": "Sp800-56Ar3",
"isSample": true,
"testGroups": [

I deleted the data part that has the mode as CDH-Component and tried again. This is the error message I got:
***ACVP [INFO][acvp_kas_ecc_ssc:1094]--> Test group: 1
***ACVP [INFO][acvp_kas_ecc_ssc:1095]--> test type: AFT
***ACVP [INFO][acvp_kas_ecc_ssc:1096]--> curve: P-384
***ACVP [INFO][acvp_kas_ecc_ssc:1097]--> hash: SHA2-512
***ACVP [INFO][acvp_kas_ecc_ssc:1106]--> Found new KAS-ECC-SSC Component test vector...
***ACVP [INFO][acvp_kas_ecc_ssc:1149]--> psx: 4E2B32511EF782B35BBDC2BF16FE4EA57E3943FA37BE8F589EFF580F4A0F787CFDC6563A84F274C46EF73C2C2A61AD7E
***ACVP [INFO][acvp_kas_ecc_ssc:1150]--> psy: 093C0D2464C8B6BBADE5BEB698969C7708068AF05F779A53412E4BB7C6ADC9859907DC5ECA4B7723D9E6618D294471C1
***ACVP [ERR][acvp_kas_ecc_ssc:1239]--> crypto module failed the operation
***ACVP [ERR][acvp_run_vectors_from_file:968]--> KAT dispatch error

By the way, I did not modify the app_main.c file.
Thank you
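
An added example, not part of the thread or of libacvp: a short Python check that lists every vector set in a downloaded request file with its algorithm, mode and revision, and flags KAS sets whose revision is not Sp800-56Ar3, which is what the two headers quoted above differ on. The sample input is constructed from those headers, and the file's outer layout is an assumption, so the code searches the whole JSON tree rather than relying on it.

```python
import json

# Constructed sample: two vector-set headers shaped like the ones quoted in
# the thread, with empty test groups. The enclosing array is an assumption.
SAMPLE = """
[
  {"vsId": 545274, "algorithm": "KAS-ECC", "mode": "CDH-Component",
   "revision": "1.0", "isSample": true, "testGroups": []},
  {"vsId": 545276, "algorithm": "KAS-ECC-SSC",
   "revision": "Sp800-56Ar3", "isSample": true, "testGroups": []}
]
"""

# Revision the thread says is now required for KAS testing.
CURRENT_KAS_REVISION = "sp800-56ar3"


def find_vector_sets(node):
    """Yield every JSON object carrying both "vsId" and "algorithm".

    Walking the whole tree avoids depending on how the request file
    wraps its vector sets."""
    if isinstance(node, dict):
        if "vsId" in node and "algorithm" in node:
            yield node
            return
        for value in node.values():
            yield from find_vector_sets(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_vector_sets(item)


def summarize(text):
    """Return (vsId, algorithm, mode, revision, flagged) per vector set."""
    rows = []
    for vs in find_vector_sets(json.loads(text)):
        alg = str(vs["algorithm"])
        rev = str(vs.get("revision", ""))
        # Flag only KAS sets that are not on the current revision.
        flagged = (alg.upper().startswith("KAS")
                   and rev.lower() != CURRENT_KAS_REVISION)
        rows.append((vs["vsId"], alg, vs.get("mode"), rev, flagged))
    return rows


if __name__ == "__main__":
    for vs_id, alg, mode, rev, flagged in summarize(SAMPLE):
        note = "not an SP800-56Ar3 set" if flagged else "ok"
        print(f"{vs_id}  {alg:<12} mode={mode}  revision={rev}  {note}")
```

Running it against a real request file only needs `summarize(open(path).read())`; a flagged row points at a vector set the client build may not be registered to process.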

Hello,

I know it sounds like a redundant question, but are you quite sure you have the latest 1_4_0-throttle codebase? The output for your verbose logging is on different line numbers than what I get and from what is in the current source file. The non-SSC algorithms are supposed to only be enabled if ACVP_ENABLE_DEPRECIATED_VERSION is defined as a build flag as well, which is not set anywhere in our current build system.

Thanks,
Andrew

Thanks @bfussell,
I switched to the latest 1_4_0-throttle codebase. However, I am still getting an error.
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6480]--> KAS-ECC mode 4
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6480]--> KAS-ECC mode 4
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6480]--> KAS-ECC mode 4
***ACVP [INFO][acvp_add_kas_ecc_prereq_val:6480]--> KAS-ECC mode 4
***ACVP [STATUS][acvp_run_vectors_from_file:942]--> Beginning offline processing of vector sets...
***ACVP [INFO][acvp_run_vectors_from_file:1008]--> Received vsid_url=/acvp/v1/testSessions/175553/vectorSets/547162
***ACVP [STATUS][acvp_dispatch_vector_set:2850]--> Processing vector set: 547162
***ACVP [STATUS][acvp_dispatch_vector_set:2851]--> Algorithm: KAS-ECC-SSC
***ACVP [INFO][acvp_kas_ecc_ssc:1030]--> Test group: 1
***ACVP [INFO][acvp_kas_ecc_ssc:1031]--> test type: AFT
***ACVP [INFO][acvp_kas_ecc_ssc:1032]--> curve: P-256
***ACVP [INFO][acvp_kas_ecc_ssc:1033]--> hash: SHA2-512
***ACVP [INFO][acvp_kas_ecc_ssc:1042]--> Found new KAS-ECC-SSC Component test vector...
***ACVP [INFO][acvp_kas_ecc_ssc:1085]--> psx: BC1EE7768D08CFCBE8BF1BD74B3A02CF5930BFD7690D6DD5FCEFC97C87BE203C
***ACVP [INFO][acvp_kas_ecc_ssc:1086]--> psy: A5B38D145D22A8681D4EC349994F87C26029E9E3E9CB7F454FA09B83A956D6B2
***ACVP [ERR][acvp_kas_ecc_ssc:1175]--> crypto module failed the operation
***ACVP [ERR][acvp_run_vectors_from_file:1030]--> KAT dispatch error

Hello,

Could you provide what version of OpenSSL you are using, and if you are using a FOM, its version, in this instance?

Thanks,
Andrew

openssl version
OpenSSL 1.0.2h-fips 3 May 2016

Looking at the app code, every single error path has a printf indicating what failed. I don't see any error printfs in your output. Is it possible you don't have stdout enabled for printfs for this environment?

I was able to test it out on the target system with no issues. Thank you