miscalculation in mp_exptmod()

RESOLVED DUPLICATE of bug 1190248

4 years ago
2 years ago

People

(Reporter: hanno, Unassigned)

Tracking

({sec-high})

3.19.2
sec-high
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
Created attachment 8648348 [details]
sample code, compile with -I[path_to_mpi_includes] libmpi.a

mp_exptmod() will sometimes calculate wrong values.
Example:
(80^fc) mod 0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0EED0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F7C000000000000000000000000000000000000000000000000000000000000000000000000000000000000

I have attached sample code showing that. Using first mp_expt and then mp_mod gives a different result than mp_exptmod. They should give the same result.

As this is basically the "RSA-function" this may have security implications (but not sure, needs some skilled cryptographer to investigate whether this is exploitable in any way).

(Found with afl by comparing openssl/nss results)
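
Added example (not part of the original report and not NSS code): a Python differential check in the spirit of the comparison described above. It computes the reported input by the two-step route (full power, then reduce) and by square-and-multiply, and compares both against Python's built-in pow. It assumes the operands in the report are hexadecimal; all function names and the extra test cases are constructed for illustration.

```python
# Added example, not NSS code: differential check for modular exponentiation.
# Assumption: the operands quoted in the report are hexadecimal.
BASE = 0x80
EXPONENT = 0xFC
MODULUS = int(  # modulus copied from the report; note that it is even
    "0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0EED0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F7C000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
    16,
)

def two_step(b, e, m):
    """Full power first, then one reduction (the mp_expt + mp_mod route)."""
    return (b ** e) % m

def square_multiply(b, e, m):
    """Left-to-right binary exponentiation, reducing after every step."""
    acc = 1 % m               # yields 0 when m == 1
    b %= m
    for bit in bin(e)[2:]:    # for e == 0 this is "0": one squaring of 1
        acc = (acc * acc) % m
        if bit == "1":
            acc = (acc * b) % m
    return acc

IMPLS = {"two_step": two_step, "square_multiply": square_multiply}

# The reported input plus constructed edge cases (not from the report).
CASES = [
    (BASE, EXPONENT, MODULUS),
    (2, 0, 1),                 # modulus 1
    (5, 0, 7),                 # zero exponent
    (10, 3, 8),                # power-of-two modulus
    (123456789, 1000, 1000003) # base larger than modulus
]

def disagreements(impls, b, e, m):
    """Return {name: hex(result)} for implementations differing from pow(b, e, m)."""
    reference = pow(b, e, m)
    out = {}
    for name, fn in impls.items():
        got = fn(b, e, m)
        if got != reference:
            out[name] = hex(got)
    return out

def run(impls=IMPLS, cases=CASES):
    """Map each failing case to the implementations that disagree on it."""
    return {case: bad for case in cases if (bad := disagreements(impls, *case))}

if __name__ == "__main__":
    print(run() or "all implementations agree")
```

To check another implementation, add a wrapper for it to IMPLS; any case on which it differs from the reference appears in the dictionary returned by run().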
(Reporter)

Updated

4 years ago
Group: core-security
Flags: needinfo?(martin.thomson)
Buck passing.
Flags: needinfo?(martin.thomson) → needinfo?(rlb)
Flags: needinfo?(rrelyea)

Updated

3 years ago
Group: core-security → crypto-core-security
I can't reproduce this, maybe it got somehow fixed already?
Flags: needinfo?(hanno)
(Reporter)

Comment 3

3 years ago
I just bisected which commit fixed this and it was this one:
https://hg.mozilla.org/projects/nss/diff/a555bf0fc23a/lib/freebl/mpi/mpi.c

This is the fix for bug #1190248, which was also reported by me. However, in #1190248 we concluded that this likely is not a severe issue, which might be wrong. I'll comment there further.
Flags: needinfo?(hanno)
Can we close this one then? (I can't see bug 1190248)
Flags: needinfo?(hanno)
(Reporter)

Comment 5

3 years ago
Yes, I think we'll handle the issue in #1190248 (although I'd appreciate a bit more activity there).
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(hanno)
Resolution: --- → DUPLICATE
Duplicate of bug: 1190248
Flags: needinfo?(rrelyea)
Flags: needinfo?(rlb)
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-
Group: crypto-core-security
Keywords: sec-high