Closed Bug 338599 Opened 18 years ago Closed 18 years ago

NSS ECDSA signature length incompatible with other implementations for some curves

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Version:
3.11.1
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.11.2

People

(Reporter: nelson, Assigned: wtc)

Details

Attachments

(3 files, 4 obsolete files)

Proposed patch for NSS_3_11_BRANCH
4.77 KB, patch
nelson
: review+
Details | Diff | Splinter Review
Proposed patch v2
13.28 KB, patch
nelson
: review+
Details | Diff | Splinter Review
More conservative patch for NSS_3_11_BRANCH, v3
11.39 KB, patch
julien.pierre
: review+
nelson
: superreview+
Details | Diff | Splinter Review 
This bug is a "second hand" report of a failure found by members of the 
ECC interoperability forum.  I may have misunderstood a detail or two.

In interoperability testing with another vendor's TLS+ECC server 
implementation, failures were experienced with these cipher suites:
TLS_ECDH_ECDSA_WITH_RC4_128_SHA  and 
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA. 
when the third party server's cert used either of these curves:
sect233k1
sect409k1 

The problem reportedly is that NSS computed the acceptable signature 
length incorrectly, and then found the signature to be invalid.

Wan-Teh wrote:  

> When NSS decodes the signed integers [...], it incorrectly uses the 
> curve's field size as opposed to the base point order size 
> [for the signature length].

> The attached patch for NSS is enough to make Firefox connect to [the test 
> server] with the sect233k1 curve.  I haven't done a thorough review of 
> NSS to find other places that also need to be fixed.
Assignee: nobody → wtchang
Priority: -- → P1
Target Milestone: --- → 3.11.2
Version: 3.11 → 3.11.1
I don't have time to work on this bug. Any volunteer?

My patch points out all the places in our code that we need
to fix, but SECKEY_ECParamsToBasePointOrderLen may not
be the right function to export.  One problem is that
it requires us to use a member of SECKEYPublicKey
(&key->u.ec.DEREncodedParams), which probably should be
treated as an opaque structure.  I think a new function
(SECKEY_PublicKeySignatureLen?) that takes 'SECKEYPublicKey *'
as argument would be more appropriate. (cf: PK11_SignatureLen)

One solution that doesn't require exporting any function
is to modify common_DecodeDerSig to handle len=0 as a
special case -- if len is 0, it will pad the r and s
to the same length (but restrict the length to be <=
MAX_ECKEY_LEN).  The drawback of this approach is
that it violates the recommendation of PKCS #11 v2.20
Sec. 12.3.1 "EC Signatures":

  Note: For applications, it is recommended to encode
  the signature as an octet string of length two times
  nLen if possible. This ensures that the application
  works with PKCS#11 modules which have been implemented
  based on an older version of this document. Older
  versions required all signatures to have length two
  times nLen.  It may be impossible to encode the
  signature with the maximum length of two times nLen
  if the application just gets the integer values of r
  and s (i.e. without leading zeros), but does not know
  the base point order n, because r and s can have any
  value between zero and the base point order n.
Assignee: wtchang → libraries
Attached patch Proposed patch (obsolete) — Splinter Review 
I added a new function SECKEY_PublicKeySignatureLen.
It's modeled after SECKEY_PublicKeyStrength, returning
unsigned (int).  This function could also be in
lib/pk11wrap and modeled after PK11_SignatureLen,
returning int.  Not sure which directory it is more
appropriate for.
Attachment #222694 - Attachment is obsolete: true
Attachment #223642 - Flags: review?(nelson)
secvfy.c and nss.def differ enough between the trunk and
NSS_3_11_BRANCH that I had to create a separate patch for
the NSS_3_11_BRANCH.
Attachment #223645 - Flags: review?(nelson)
This patch may be more suitable for the NSS_3_11_BRANCH.
This patch doesn't change the DSA-handling code.
Attachment #223646 - Flags: review?(nelson)
Comment on attachment 223642 [details] [diff] [review]
Proposed patch

r=nelson
Since this new function can return zero (error case), it seems like 
the callers should explicitly test for that return value. 
But this patch is no worse than the code it replaces in that respect.
Attachment #223642 - Flags: review?(nelson) → review+
Comment on attachment 223645 [details] [diff] [review]
Proposed patch for NSS_3_11_BRANCH

One concern I have with this patch is for function VFY_EndWithSignature
Here, we effectively change the variable upon which our choice of signature
size is based from the context type to the key type.  Can we get into a 
case where the key type suggests one signature size and the context type
suggests another?  

The "more conservative" patch has this problem SLIGHTLY less than this 
patch.  I think I value keeping the branch and trunk in sync more 
highly than this conservatism though.  And in any case, my biggest 
concern is error handling (or lack thereof).
Attachment #223645 - Flags: review?(nelson) → review+
Comment on attachment 223646 [details] [diff] [review]
More conservative patch for NSS_3_11_BRANCH

On, one other thought I had.  Seems the term "PublicKey" in the name of the new function is redundant.  But I can live with it.
Attachment #223646 - Flags: review?(nelson) → review+
This new patch addresses Nelson's concerns.

1. Rename the new function SECKEY_SignatureLen.
Originally I named it SECKEY_PublicKeySignatureLen
to hint that the argument is a SECKEYPublicKey *
as opposed to a SECKEYPrivateKey *.  (PK11_SignatureLen
takes a SECKEYPrivateKey * argument.)

2. Make sure the new function and related existing
functions set an error code on failure (when they
return 0).

3. In secvfy.c, the context type (cx->type) is the
same as the key type (cx->key->keyType). To eliminate
this concern in the future, I removed the 'type'
member from the VFYContextStr structure.  So the
patch clearly shows that the old code initializes
cx->type to key->keyType and never changes it.
(Note that 'cx->key' is a copy of 'key'.)

4. I handle the failure of SECKEY_SignatureLen
(when it returns 0).
Attachment #223642 - Attachment is obsolete: true
Attachment #223987 - Flags: review?(nelson)
Comment on attachment 223987 [details] [diff] [review]
Proposed patch v2

Lots of good improvements in this patch!
Thanks, Wan-Teh!
Attachment #223987 - Flags: review?(nelson) → review+
The only change from the v1 patch is that the new function
has been renamed SECKEY_SignatureLen.

I deliberately do not add code to handle SECKEY_SignatureLen
failure (0 return value) and do not use the SECKEY_SignatureLen
function for the DSA cases, because I want to make the diffs
small.  (As Nelson noted, the lack of error handling is no
worse than the original code.) Smaller diffs make it easier
to see that this patch won't affect the non-ECDSA cases.
Attachment #223646 - Attachment is obsolete: true
Attachment #223995 - Flags: review?(julien.pierre.bugs)
OK, to save Nelson some anxiety, I added code to
set error codes and handle failures.  This patch
is still conservative because it doesn't use the
new SECKEY_SignatureLen function for the DSA cases.
Unfortunately I can't remove the 'type' member of
the VFYContextStr structure easily on the NSS_3_11_BRANCH
because it has a different type from key->keyType.
Attachment #223995 - Attachment is obsolete: true
Attachment #223998 - Flags: superreview?(nelson)
Attachment #223998 - Flags: review?(julien.pierre.bugs)
Attachment #223995 - Flags: review?(julien.pierre.bugs)
Comment on attachment 223987 [details] [diff] [review]
Proposed patch v2

I checked in the proposed patch v2 on the NSS trunk
(3.12).

Checking in cryptohi/keyhi.h;
/cvsroot/mozilla/security/nss/lib/cryptohi/keyhi.h,v  <--  keyhi.h
new revision: 1.16; previous revision: 1.15
done
Checking in cryptohi/seckey.c;
/cvsroot/mozilla/security/nss/lib/cryptohi/seckey.c,v  <--  seckey.c
new revision: 1.42; previous revision: 1.41
done
Checking in cryptohi/secvfy.c;
/cvsroot/mozilla/security/nss/lib/cryptohi/secvfy.c,v  <--  secvfy.c
new revision: 1.18; previous revision: 1.17
done
Checking in nss/nss.def;
/cvsroot/mozilla/security/nss/lib/nss/nss.def,v  <--  nss.def
new revision: 1.165; previous revision: 1.164
done
Checking in ssl/ssl3con.c;
/cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v  <--  ssl3con.c
new revision: 1.91; previous revision: 1.90
done
Attachment #223998 - Flags: review?(julien.pierre.bugs) → review+
Comment on attachment 223998 [details] [diff] [review]
More conservative patch for NSS_3_11_BRANCH, v3

sr=nelson.  Good patch.
Attachment #223998 - Flags: superreview?(nelson) → superreview+
I checked in the "more conservative patch for NSS_3_11_BRANCH, v3"
on the NSS_3_11_BRANCH.

Checking in cryptohi/keyhi.h;
/cvsroot/mozilla/security/nss/lib/cryptohi/keyhi.h,v  <--  keyhi.h
new revision: 1.13.2.2; previous revision: 1.13.2.1
done
Checking in cryptohi/seckey.c;
/cvsroot/mozilla/security/nss/lib/cryptohi/seckey.c,v  <--  seckey.c
new revision: 1.36.2.7; previous revision: 1.36.2.6
done
Checking in cryptohi/secvfy.c;
/cvsroot/mozilla/security/nss/lib/cryptohi/secvfy.c,v  <--  secvfy.c
new revision: 1.16.2.2; previous revision: 1.16.2.1
done
Checking in nss/nss.def;
/cvsroot/mozilla/security/nss/lib/nss/nss.def,v  <--  nss.def
new revision: 1.158.2.5; previous revision: 1.158.2.4
done
Checking in ssl/ssl3con.c;
/cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v  <--  ssl3con.c
new revision: 1.76.2.13; previous revision: 1.76.2.12
done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Wan-Teh fixed this bug.
Assignee: libraries → wtchang
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: