Closed
Bug 320038
Opened 19 years ago
Closed 18 years ago
NSS generates private keys for the NIST curve K-233 with the wrong length.
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.1
People
(Reporter: wtc, Assigned: wtc)
References
Details
Attachments
(2 files, 3 obsolete files)
3.87 KB,
patch
|
rrelyea
:
review+
douglas
:
superreview+
|
Details | Diff | Splinter Review |
4.35 KB,
patch
|
Details | Diff | Splinter Review |
The private keys that NSS generates for the NIST curve K-233 are 30-byte long. But the correct length is 29 bytes. The reason is that in lib/freebl/ec.c, function EC_NewKey, we incorrectly assume the private key is the same length as the base point order, but the private key may be shorter: 1 <= d <= n-1, where d is the private key and n is the base point order. To make matters worse, we specify the base point order of curve K-233 with two unecessary leading hex 0 digits, which makes the base point order one byte too long.
Assignee | ||
Comment 1•19 years ago
|
||
ec.c: the number of bytes that are actually copied to the privKeyBytes buffer is the return value of the mp_to_unsigned_octets function. The CHECK_MPI_OK macro stores the return value fo the function in the local variable err. So we need to set len to err. ecl-ecl-curve.h: remove the unnecessary two leading 0's. You can find the base point order for curve K-233 on SEC 2 (http://www.secg.org/download/aid-386/sec2_final.pdf), Section 3.6.1, page 31, but hopefully it is obvious that the two leading 0's are not necessary.
Attachment #205664 -
Flags: superreview?(douglas)
Attachment #205664 -
Flags: review?(rrelyea)
Comment 2•19 years ago
|
||
Comment on attachment 205664 [details] [diff] [review] Proposed patch r=relyea
Attachment #205664 -
Flags: review?(rrelyea) → review+
Updated•19 years ago
|
Target Milestone: --- → 3.11.1
Assignee | ||
Comment 3•19 years ago
|
||
I found that I can also fix the bug by using mp_to_fixlen_octets. This is more readable than "len = err". I reviewed all the other uses of mp_to_unsigned_octets in NSS and found that they all call mp_unsigned_octet_size first to get the length, so they are all good. I reviewed the parameters for all the NIST recommended curves and found that we also have two unnecessary leading 0's for curve K-409. So I fixed that, too. I suspect that the unnecessary leading 0's were there to pad the base point order to the same length as the other parameters, so in this patch I maintain the alignment using white spaces (outside the strings).
Attachment #205664 -
Attachment is obsolete: true
Attachment #205681 -
Flags: superreview?(douglas)
Attachment #205681 -
Flags: review?(rrelyea)
Attachment #205664 -
Flags: superreview?(douglas)
Comment 4•19 years ago
|
||
Comment on attachment 205681 [details] [diff] [review] Proposed patch v2 Looks okay to me. For background, the reason the extra "00" was at the front of the constant strings in the header file was because it was that way in our OpenSSL code. The reason it was that way in OpenSSL was because their hex_to_big_int routines checked to see if the top bit was 1, and if it was, treated it as a negative number. I checked NSS' mpi library and it doesn't do that, so removing the extra "00" is okay.
Attachment #205681 -
Flags: superreview?(douglas) → superreview+
Assignee | ||
Comment 5•19 years ago
|
||
Douglas: is mp_read_radix (http://lxr.mozilla.org/security/ident?i=mp_read_radix) the counterpart of OpenSSL's hex_to_big_int function?
Assignee | ||
Comment 6•19 years ago
|
||
Comment on attachment 205681 [details] [diff] [review] Proposed patch v2 Douglas, The most significant bit of the base point order for curve K-409 is 0 (the most significant byte is 7F), so you shouldn't need a leading zero byte for OpenSSL's hex_to_big_int routines. On the other hand, the base point orders for the curves P-xxx all have a most significant bit of 1 (their most significant byte is FF), but you didn't add a leading zero byte to any of them. I checked in this patch on the NSS trunk (NSS 3.12). Checking in ec.c; /cvsroot/mozilla/security/nss/lib/freebl/ec.c,v <-- ec.c new revision: 1.10; previous revision: 1.9 done Checking in ecl/ecl-curve.h; /cvsroot/mozilla/security/nss/lib/freebl/ecl/ecl-curve.h,v <-- ecl-curve.h new revision: 1.3; previous revision: 1.2 done
Comment 7•19 years ago
|
||
(In reply to comment #5) > Douglas: is mp_read_radix > (http://lxr.mozilla.org/security/ident?i=mp_read_radix) > the counterpart of OpenSSL's hex_to_big_int function? Yes.
Updated•19 years ago
|
Attachment #205681 -
Flags: review?(rrelyea) → review+
Assignee | ||
Comment 8•19 years ago
|
||
Patch checked in on the NSS_3_11_BRANCH (3.11.1).
Status: NEW → RESOLVED
Closed: 19 years ago
Priority: -- → P1
Resolution: --- → FIXED
Assignee | ||
Comment 9•18 years ago
|
||
I'd like to propose a better fix for this bug, which allows us to pad the hex strings with leading 00's so that they look nice. When we convert a hex string to an array of bytes, we skip the leading 00's unless the hex string is "00". (Otherwise, "00" would become "".) This patch also backs out my previous fix.
Attachment #213147 -
Flags: superreview?(rrelyea)
Attachment #213147 -
Flags: review?(douglas)
Updated•18 years ago
|
Attachment #213147 -
Flags: review?(douglas) → review+
Assignee | ||
Updated•18 years ago
|
Assignee | ||
Comment 10•18 years ago
|
||
The only change in this version is the comments.
Attachment #213350 -
Flags: superreview?(rrelyea)
Assignee | ||
Updated•18 years ago
|
Attachment #213147 -
Attachment is obsolete: true
Attachment #213147 -
Flags: superreview?(rrelyea)
Comment 11•18 years ago
|
||
Comment on attachment 213350 [details] [diff] [review] Allow the hex strings to have leading 00's, v2 r=relyea
Attachment #213350 -
Flags: superreview?(rrelyea) → superreview+
Assignee | ||
Comment 12•18 years ago
|
||
I checked in the patch "Allow the hex strings to have leading 00's" with a minor change on the NSS trunk (3.12) and NSS_3_11_BRANCH (3.11.1). Checking in softoken/ecdecode.c; /cvsroot/mozilla/security/nss/lib/softoken/ecdecode.c,v <-- ecdecode.c new revision: 1.6; previous revision: 1.5 done Checking in freebl/ecl/ecl-curve.h; /cvsroot/mozilla/security/nss/lib/freebl/ecl/ecl-curve.h,v <-- ecl-curve.h new revision: 1.4; previous revision: 1.3 done Checking in softoken/ecdecode.c; /cvsroot/mozilla/security/nss/lib/softoken/ecdecode.c,v <-- ecdecode.c new revision: 1.4.30.2; previous revision: 1.4.30.1 done Checking in freebl/ecl/ecl-curve.h; /cvsroot/mozilla/security/nss/lib/freebl/ecl/ecl-curve.h,v <-- ecl-curve.h new revision: 1.2.28.2; previous revision: 1.2.28.1 done
Attachment #213350 -
Attachment is obsolete: true
Assignee | ||
Updated•18 years ago
|
Status: REOPENED → RESOLVED
Closed: 19 years ago → 18 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•