Closed Bug 1605314 Opened 5 years ago Closed 5 years ago

mp_comba_amd64_masm.asm compatibility issue with 8B mp_digits

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: kjacobs, Assigned: kjacobs)

References

Details

(Keywords: sec-moderate)

Attachments

(1 file, 2 obsolete files)

Bug 1605314 - Compare all 8 bytes of an mp_digit when clamping in Windows assembly/mp_comba.
47 bytes, text/x-phabricator-request
Details | Review
Attached file test.patch (obsolete) —

mp_comba_amd64_masm.asm does clamping (removing leading zero digits) incorrectly when an mp_digit is 64 bits. This is exhibited on Windows x64.

https://searchfox.org/mozilla-central/source/security/nss/lib/freebl/mpi/mp_comba_amd64_masm.asm#7993,8003 doesn't use qword ptr, and thus only checks the lower 32 bits.

Reproducer attached.

The fix is straightforward (changing the highlighted lines fixes the test), but I don't have a full patch ready yet. I'm also curious if this asm version has enough performance benefit to warrant the maintainability cost...

Compare all 8 bytes of an mp_digit when clamping in Windows x64 assembly (mp_sqr/mp_mul). Also adds an assertion to ensure that the size of mp_digit matches implementation assumptions.

Kevin, can you take a stab at security classification when you get a chance? Thanks.

Assignee: nobody → kjacobs.bugzilla
Status: NEW → ASSIGNED
Target Milestone: --- → 3.50

Verify that when clamping, the upper DWORD of an mp_digit is checked.

Attachment #9117181 - Attachment is obsolete: true

Running trials in ecperf, the assembly implementation seems to be 1-4% faster (depending on the curve) and in rsaperf, more like a 40% (vs. the non-comba path [0]). So, we probably want to keep this around.

For classification, I'm going to initially call this sec-moderate primarily due to the difficulty of exploiting it (and FWIW, this seems to align with classifications for similar bugs in other libraries). However, the complexity and fact that it can be triggered through many primitives[1,2] and via mp_mul/mp_sqr makes classification difficult, so I'm open to other opinions.

[0] https://searchfox.org/mozilla-central/source/security/nss/lib/freebl/mpi/mpi.c#963-984
[1] https://searchfox.org/mozilla-central/search?q=symbol:mp_exptmod&redirect=false
[2] https://searchfox.org/mozilla-central/search?q=symbol:mpp_pprime&redirect=false

Blocks: 1604596
Keywords: sec-moderate

With blinding, this might be even less relevant. Still it's a good fix to have. It's also another reminder that MPI is a danger to us all.

https://hg.mozilla.org/projects/nss/rev/09673f933c6df7dd676982d9d89b85aa6517c289

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Blocks: 1609751

Comment on attachment 9118439 [details]
Bug 1605314 - Additional tests for mp_comba

Revision D58576 was moved to bug 1609751. Setting attachment 9118439 [details] to obsolete.

Attachment #9118439 - Attachment is obsolete: true
Group: crypto-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: