Bug 650338 (Closed)
Opened 15 years ago, closed 15 years ago
mp_exptmod() gives incorrect results for NIST-P521 prime.
Categories: (NSS :: Libraries, defect)
Tracking: (Not tracked)
Status: RESOLVED DUPLICATE of bug 536389
People: (Reporter: osk, Unassigned)
Attachments: (1 file) 3.43 KB, text/plain
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 (.NET CLR 3.5.30729)
Build Identifier: nss-3.12.8-with-nspr-4.8.6.tar.gz
I'm using the Elliptic Curve and MPI libraries from NSS to build an embedded cryptographic package, and I've been having some trouble getting the NIST-P521 curve to work correctly with some functions. So far I have managed to narrow the problem down to the mp_exptmod() function producing incorrect results when computing an exponent modulo the NIST-P521 prime.
Unfortunately, my expertise is lacking with regards to the implementation of mp_exptmod in the NSS library, and I'm running out of ideas on how to identify and fix the problem.
I have attached a simple program that demonstrates the error. It works by computing 2^k using mp_2expt, taking the modulus using mp_mod and then comparing the result to the same computation done using mp_exptmod. This simple test passes for all of the NIST primes, but fails for P521.
Reproducible: Always
Steps to Reproduce:
1. Build the MPI library: cd mozilla/security/nss/lib/freebl/mpi; make libmpi.a
2. Build the example program: gcc exptmodtest.c libmpi.a -Wall -O2
3. Run the program; it will print to stdout whenever mp_exptmod() produces an incorrect answer.
Actual Results:
[osk@rayon mpi]$ gcc exptmodtest.c libmpi.a -Wall -O2 -o etest
[osk@rayon mpi]$ ./etest
mp_exptmod() agrees with mp_2expt() for p = PRIME_P192
mp_exptmod() agrees with mp_2expt() for p = PRIME_P224
mp_exptmod() agrees with mp_2expt() for p = PRIME_P256
mp_exptmod() agrees with mp_2expt() for p = PRIME_P384
Error computing 2**466 mod p
p = PRIME_P521
2**466 mod p = 400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
mp_exptmod() = 0
mp_exptmod() agrees with mp_2expt() for p = PRIME_HUGE1
mp_exptmod() agrees with mp_2expt() for p = PRIME_HUGE2
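The cross-check the report describes (2**k reduced by shift-and-mod versus a modular exponentiation routine), as an added example in Python that is independent of NSS and is not the attached exptmodtest.c. It assumes the PRIME_P* names denote the standard NIST field primes; the sample library output is constructed from the failing case quoted above.

```python
# Added example: independent reference oracle for the 2**k mod p cross-check.
# Assumption: PRIME_P* are the standard NIST field primes (FIPS 186).
NIST_PRIMES = {
    "PRIME_P192": 2**192 - 2**64 - 1,
    "PRIME_P224": 2**224 - 2**96 + 1,
    "PRIME_P256": 2**256 - 2**224 + 2**192 + 2**96 - 1,
    "PRIME_P384": 2**384 - 2**128 - 2**96 + 2**32 - 1,
    "PRIME_P521": 2**521 - 1,
}

def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation, written out so it shares no
    code with the shift-and-reduce path it is compared against."""
    result = 1 % mod
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        if bit == "1":
            result = (result * base) % mod
    return result

def reference(prime_name, k):
    """Return 2**k mod p, computed two unrelated ways that must agree."""
    p = NIST_PRIMES[prime_name]
    by_shift = (1 << k) % p                   # analogue of mp_2expt + mp_mod
    by_ladder = square_and_multiply(2, k, p)  # analogue of mp_exptmod
    if by_shift != by_ladder:
        raise RuntimeError("reference paths disagree")
    return by_shift

def find_mismatches(reported):
    """reported: (prime_name, k, hex_string) tuples from the library under
    test. Returns (prime_name, k, expected_hex) for each wrong entry."""
    bad = []
    for name, k, hex_value in reported:
        expected = reference(name, k)
        if int(hex_value, 16) != expected:
            bad.append((name, k, format(expected, "x")))
    return bad

# Constructed sample: one correct value plus the failing P521 case from the report.
SAMPLE = [
    ("PRIME_P256", 200, format(1 << 200, "x")),
    ("PRIME_P521", 466, "0"),
]

if __name__ == "__main__":
    for name, k, expected in find_mismatches(SAMPLE):
        print(f"mismatch: 2**{k} mod {name} should be {expected}")
```

Feeding it the hex values a build prints for each (prime, k) pair gives a pass/fail check that does not depend on the library's own mp_mod being correct.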
Reporter
Comment 1•15 years ago
Reporter
Updated•15 years ago
Version: unspecified → 3.12.8
Comment 2•15 years ago
This bug disappears if the patch for bug 536389 is applied to the 3.12.8 sources.
Either 3.12.8 is too old, or bug 536389 wasn't checked in the 3_12 branch for some reason.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment 3•15 years ago
Reopening because this must be fixed in 3.12.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: DUPLICATE → ---
Comment 4•15 years ago
IIRC, this can't be fixed in 3.12, because this is a 'softoken' issue, and softoken is frozen in 3.12 because it is FIPS certified.
Comment 5•15 years ago
Anyway, this bug is a dup of bug 536389. If you believe this must be fixed in 3.12, it is worth reopening the original bug, not a duplicate.
Comment 6•15 years ago
I verified that Konstantin's patch v4 (attachment 433870) in bug 536389
(omitting the changes to mozilla/security/nss/lib/freebl/ecl/ecp_mont.c)
makes Owen Kirby's test program pass. So this bug is a duplicate.
To fix this bug in NSS 3.12.x, we should check in Konstantin's patch in
bug 536389 on the NSS_3_12_BRANCH, ideally after a second code review.
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → DUPLICATE