Bug 1190448 - Insufficient validation of input data
Status: Closed; RESOLVED DUPLICATE of bug 380351
Opened 10 years ago; closed 9 years ago
Categories: NSS :: Libraries, defect
Tracking: not tracked
People: Reporter wladd; Unassigned
Keywords: sec-other
Attachments (1 file): patch, 989 bytes
In pkcs11c.c we see the following code:
    if (mechanism == CKM_ECDH1_COFACTOR_DERIVE) {
        withCofactor = PR_TRUE;
    } else {
        /* When not using cofactor derivation, one should
         * validate the public key to avoid small subgroup
         * attacks.
         */
        if (EC_ValidatePublicKey(&privKey->u.ec.ecParams, &ecPoint)
            != SECSuccess) {
            goto ec_loser;
        }
    }
This code doesn't validate that the point is on the curve when cofactor derivation is used. But cofactor derivation doesn't prevent small subgroup attacks. For example, an attacker could send a point with order about 2^26 on some other curve, and recover the secret key modulo that order. This issue doesn't affect TLS users.
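Added example to illustrate the report above; it is not NSS code. It models both branches of the snippet on a toy curve small enough to brute-force: the field prime, curve coefficients, private key and the attacker's point are all constructed here. The group law uses only the coefficient a and the modulus, never b, which is exactly why a point from a different curve is processed without error. The example shows that cofactor multiplication does neutralise the order-2 point that lies on the legitimate curve (the case the comment in the code has in mind), but does nothing against an attacker-chosen point of order 3 on another curve with the same a: the residue of the private key modulo 3 leaks whether or not the cofactor is applied, and only the on-curve/subgroup check rejects it.

```python
# Toy model of the missing EC_ValidatePublicKey check (constructed, not NSS code).
P = 23          # prime field modulus (constructed)
A = 1           # curve coefficient a, shared by the legitimate and the invalid curve
B = 1           # legitimate curve: y^2 = x^3 + x + 1 over F_23, 28 points (cofactor 4)
INF = None      # point at infinity

def inv(x):
    return pow(x % P, P - 2, P)

def on_curve(pt, b=B):
    """Membership test for y^2 = x^3 + A x + b: the check the cofactor branch skips."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + b)) % P == 0

def add(p1, p2):
    """Affine group law. It uses only A and P, never B, so a point on another
    curve with the same A is accepted silently (the invalid-curve problem)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, acc = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, acc)
        acc = add(acc, acc)
        k >>= 1
    return result

def order(pt):
    """Order of pt by repeated addition (cheap over a 23-element field)."""
    n, q = 1, pt
    while q is not INF:
        q = add(q, pt)
        n += 1
    return n

def points(b):
    return [(x, y) for x in range(P) for y in range(P) if on_curve((x, y), b)]

def curve_order(b):
    return len(points(b)) + 1     # affine points plus infinity

def find_point_of_order(b, n):
    for pt in points(b):
        if order(pt) == n:
            return pt
    return None

def find_invalid_point(n):
    """Attacker: a point of order n on some other curve y^2 = x^3 + A x + b'."""
    for b in range(P):
        if b != B:
            pt = find_point_of_order(b, n)
            if pt is not None:
                return b, pt
    return None, None

def validate_pubkey(pt, q):
    """What EC_ValidatePublicKey is for: on the curve, not infinity, in the order-q subgroup."""
    return pt is not INF and on_curve(pt, B) and mul(q, pt) is INF

def ecdh(d, peer, cofactor=1):
    """Shared point; cofactor=H models CKM_ECDH1_COFACTOR_DERIVE (no validation)."""
    return mul(cofactor * d, peer)

def recover_residue(shared, peer, n, cofactor=1):
    """Attacker: the r in [0, n) with mul(cofactor*r, peer) == shared, i.e. d mod n."""
    for r in range(n):
        if mul(cofactor * r, peer) == shared:
            return r
    return None

def demo(d=17):                             # d: constructed victim private key
    N = curve_order(B)                      # 28
    q = 7                                   # prime subgroup order (28 = 4 * 7)
    H = N // q                              # cofactor 4
    G = find_point_of_order(B, q)
    low = find_point_of_order(B, 2)         # order-2 point ON the legitimate curve
    bad_b, bad = find_invalid_point(3)      # order-3 point on an invalid curve
    return {
        "cofactor": H,
        "pub_valid": validate_pubkey(mul(d, G), q),
        "bad_rejected": not validate_pubkey(bad, q),     # validation catches it
        "low_order_leak_plain": recover_residue(ecdh(d, low), low, 2),
        "low_order_with_cofactor": ecdh(d, low, H),      # INF: cofactor kills it
        "invalid_b": bad_b,
        "invalid_leak_plain": recover_residue(ecdh(d, bad), bad, 3),
        "invalid_leak_cofactor": recover_residue(ecdh(d, bad, H), bad, 3, H),
        "d_mod_2": d % 2,
        "d_mod_3": d % 3,
    }
```

Repeating the last step with attacker points of several coprime small orders and combining the residues by CRT is how the key is recovered in full; the report's figure of about 2^26 per point is the practical size of subgroup an attacker can afford to enumerate, not a bound on the leak.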
Comment 1•10 years ago
If this doesn't affect TLS are there other Firefox features that would use this code?
Flags: needinfo?(wladd)
Comment 2•10 years ago (Reporter)
I don't know. You'd have to ask someone more familiar with the high level interactions, or alternatively put a canary in the code, and run a bunch of tests.
Flags: needinfo?(wladd)
Comment 3•10 years ago
bug 38035 would make this check irrelevant because it moves the check into the EC_DH function in freebl, which would always trigger (even in the cofactor case).
I think the code in question is used by Thunderbird, not Firefox.
Comment 4•10 years ago (Reporter)
The link in that comment is broken, so I am not sure what bug is being referenced. I do not believe that NSS is currently performing the check in freebl after examining the source, and I think the language in your comment is consistent with that. ("would make" implying it hasn't been fixed now.) As you describe it, it sounds like it would address the issue.
Updated•10 years ago
Attachment #8642487 - Attachment is patch: true
Attachment #8642487 - Attachment mime type: text/x-patch → text/plain
Comment 5•10 years ago
Looks like he meant bug 380351
Updated•10 years ago
Group: core-security → crypto-core-security
Updated•9 years ago
status-firefox42: affected → ---
Comment 6•9 years ago
Closing this as duplicate of bug 380351 that fixes this issue as well.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated•6 years ago
Group: crypto-core-security
QA Contact: jjones