1194947 - miscalculation in mp_exptmod()

Status: RESOLVED DUPLICATE of bug 1190248

(NSS :: Libraries, defect)

Description

[Hanno Boeck]

Attachment: sample code, compile with -I[path_to_mpi_includes] libmpi.a

mp_exptmod() will sometimes calculate wrong values.
Example:
(80^fc) mod 0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0EED0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F7C000000000000000000000000000000000000000000000000000000000000000000000000000000000000

I have attached a sample code showing that. Using first mp_expt and then mp_mod gives a different result than mp_exptmod. Should give the same result.

As this is basically the "RSA-function" this may have security implications (but not sure, needs some skilled cryptographer to investigate whether this is exploitable in any way).

(Found with afl by comparing openssl/nss results)

Comment 1

[Martin Thomson [:mt:]]

Buck passing.

Comment 2

[Franziskus Kiefer [:franziskus]]

I can't reproduce this, maybe it got somehow fixed already?

Comment 3

[Hanno Boeck]

I just bisected which commit fixed this and it was this one:
https://hg.mozilla.org/projects/nss/diff/a555bf0fc23a/lib/freebl/mpi/mpi.c

This is the fix for bug #1190248 which was also reported by me. However in #1190248 we concluded that this likely is not a severe issue, which might be wrong. I'll comment there further.

Comment 4

[Franziskus Kiefer [:franziskus]]

can we close this one then? (I can't see bug 1190248)

Comment 5

[Hanno Boeck]

Yes, I think we'll handle the issue in #1190248 (although I'd appreciate a bit more activity there).