Closed
Bug 319252
Opened 19 years ago
Closed 19 years ago
NSS crashes when generating NIST P512 EC keys.
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.1
People
(Reporter: rrelyea, Assigned: wtc)
References
Details
Attachments
(1 file, 1 obsolete file)
1.66 KB,
patch
|
wtc
:
review+
|
Details | Diff | Splinter Review |
NSS will crash if you try to generate a keypair on the NIST P512 Eliptic Curve. The crash happens in VerifyKeyPair when trying to Verify a signature.
The problem happens ec_pts_mul_simul_w2 (which is used by p512 curves but not smaller pXXX curves). In ec_pts_mul_simul_w2, the code creates a bunch of mp_int structures with fixed mp_digit values from a stack array. For most operations, these mp_int structures never have to grow, so everything silently works. When we Verify the signature, however, one of these values need to grow from 20 mp_digits to 64 mp_digits, causing the code to allocate a fresh buffer and free the old buffer. Free panics while freeing stack memory.
I have a patch which fixes the problem by using the standard mp_int initialization. Other fixes could include not using simul_w2 for this curve (I don't know what other curves use this function, they could also run into problems).
bob
Reporter | ||
Comment 1•19 years ago
|
||
Here's my potential patch. Note this adds several mallocs and frees to this code path.
Attachment #205103 -
Flags: review?(vipul.gupta)
Comment 2•19 years ago
|
||
Douglas is the right person to review this patch.
vipul
(In reply to comment #1)
> Created an attachment (id=205103) [edit]
> Use standard mpi_initialization on precomputed array
>
> Here's my potential patch. Note this adds several mallocs and frees to this
> code path.
>
Assignee | ||
Comment 3•19 years ago
|
||
Comment on attachment 205103 [details] [diff] [review]
Use standard mpi_initialization on precomputed array
The change to ecl.h should be removed.
There is an unnecessary whitespace change in ecl_mult.c.
But the real problem is that we need to first use
MP_DIGITS to initialize these mp_int's. Otherwise
if any of the mp_init_size calls fails and we go to
CLEANUP, we may call mp_clear on an uninitialized
mp_int.
See dsa.c for an example of MP_DIGITS followed by
mp_init.
Attachment #205103 -
Flags: review?(vipul.gupta) → review-
Assignee | ||
Comment 4•19 years ago
|
||
Comment on attachment 205103 [details] [diff] [review]
Use standard mpi_initialization on precomputed array
Bob, we need to add the following nested for loop before
the existing nested for loop:
>+ for (i = 0; i < 4; i++) {
>+ for (j = 0; j < 4; j++) {
>+ MP_DIGITS(&precomp[i][j][0]) = 0;
>+ MP_DIGITS(&precomp[i][j][1]) = 0;
> }
> }
This will initialize all the mp_int's so that we can call
mp_clear on them safely. Unfortunately we can't combine
the two nested for loops into one.
Reporter | ||
Updated•19 years ago
|
Attachment #205103 -
Flags: review- → review?(wtchang)
Reporter | ||
Comment 5•19 years ago
|
||
Comment on attachment 205103 [details] [diff] [review]
Use standard mpi_initialization on precomputed array
I'd like douglas's review as well.
Attachment #205103 -
Flags: superreview?(douglas)
Reporter | ||
Comment 6•19 years ago
|
||
BTW ecl.h should not be part of the patch.
bob
Comment 7•19 years ago
|
||
Comment on attachment 205103 [details] [diff] [review]
Use standard mpi_initialization on precomputed array
Fine with me, assuming ecl.h is not touched (comment #6) and the whitespace change is removed (comment #3)
Attachment #205103 -
Flags: superreview?(douglas) → superreview+
Reporter | ||
Comment 8•19 years ago
|
||
checked into trunk (3.12)
Checking in ecl_mult.c;
/cvsroot/mozilla/security/nss/lib/freebl/ecl/ecl_mult.c,v <-- ecl_mult.c
new revision: 1.4; previous revision: 1.3
done
I've set the target to 3.12, I'm presuming we do not want this patch in 3.11,
so I'm closing it as well.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.12
Assignee | ||
Comment 9•19 years ago
|
||
Douglas, the same technique is used in lib/freebl/ecl/ec2_proj.c,
function ec_GF2m_pt_mul_proj. Should we fix that, too?
I don't understand the code, so this may be a stupid question:
does this bug mean the value of ECL_MAX_FIELD_SIZE_DIGITS is too
small? If so, can we fix this bug by making ECL_MAX_FIELD_SIZE_DIGITS
bigger?
Reporter | ||
Comment 10•19 years ago
|
||
Yes, it means the value is too small for certain MPI operations. Knowing how big that value should be requires knowlege about how MPI works, which may change in the future.
Reporter | ||
Comment 11•19 years ago
|
||
Setting target to 3.11, requires 2 reviews.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 3.12 → 3.11.1
Assignee | ||
Comment 12•19 years ago
|
||
This is what Bob actually checked in on the NSS trunk (3.12).
r=wtc. Douglas gave his r+ to the previous version of
this patch.
I checked in this patch on the NSS_3_11_BRANCH (3.11.1).
Checking in ecl_mult.c;
/cvsroot/mozilla/security/nss/lib/freebl/ecl/ecl_mult.c,v <-- ecl_mult.c
new revision: 1.3.2.1; previous revision: 1.3
done
Attachment #205103 -
Attachment is obsolete: true
Attachment #206147 -
Flags: review+
Attachment #205103 -
Flags: review?(wtchang)
Assignee | ||
Updated•19 years ago
|
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Priority: -- → P1
Resolution: --- → FIXED
Assignee | ||
Comment 13•19 years ago
|
||
*** Bug 325495 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•