Page MenuHome GnuPG
Create Task
Maniphest T5510

libgcrypt: incorrect computation for secp192r1
Closed, ResolvedPublic
Actions

Description

Found by oss-fuzz (ecc-diff-fuzzer)
Regression range is Gcrypt: ccfa9f2c1427b40483984198c3df41f8057f69f8:6dfab8cfb94ccb485a15b13df3c499cbb06fddf2

When multiplying the point on curve secp192r1
0400000000000000000000000000000000ffffffffffffff0030a893b61a4e76af2b682fdb86e043c427c1ad2dfdabb62e
by the scalar
ffffffffffffffffffffffff99def836146bc9b1b4d22830

libgcrypt used to return as other librarires
0400000000000000000000000000000000ffffffffffffff00cf576c49e5b18950d497d024791fbc3ad83e52d2025449d1
But now it returns
04fffffffffffffffffffffffffffffffffffffffffffffeffcf576c49e5b18950d497d024791fbc3ad83e52d2025449d1

Details

Version
libgcrypt git master commit 6dfab8cfb94ccb485a15b13df3c499cbb06fddf2

Revisions and Commits

rC libgcrypt
rCa23a8f04d8da tests/t-mpi-point: Add one more NIST P-256 reduction test-vector.
rCe0bdb19056f4 tests/t-mpi-point: add reduction test-vectors for NIST curves.
rC3f4a59299134 tests/t-mpi-point: add one more NIST P-256 reduction test-vector
rCfc92c609dfdb ec-nist: fix 'mod p' carry adjustment and output masking

Related Objects

Event Timeline

catenacyber created this task.Jun 27 2021, 10:15 PM
jukivili added a subscriber: jukivili.Jun 28 2021, 5:34 PM

Thanks for reporting. There is two commits in that commit range, including https://dev.gnupg.org/rC9d909cb67e70fd792926ac1e2ab305b2cc96bc27 which adds fast reduction for NIST curves. So obviously something is wrong there. Is secp192r1 only curve that is giving wrong results?

jukivili added a comment.Jun 28 2021, 8:03 PM

Attached patch should fix the issue:

0001-ec-nist-fix-output-masking-for-P192-P224-P256-and-P3.patch6 KBDownload

catenacyber added a comment.Jun 28 2021, 8:40 PM

Is secp192r1 only curve that is giving wrong results?

Apparently, fuzzer found variants for secp256r1 and secp384r1

jukivili added a comment.Jun 28 2021, 10:02 PM

P192, P224, P256 and P384 are affected.

Could you post those secp256r1 and secp384r1 cases here as well? I would like to add those to our test-suite. Thanks.

catenacyber added a comment.Jun 29 2021, 8:53 PM
curve=24 secp384r1
point=0400000000000000000000000000000000000000000000000000000000000000000000000000fffffffffffffffffffffc1b0d6f8fb7f2de5b8875645b64042ae20f119f3e1cfefc0215857eeae5f4a8fca737057d69a42c44d958e7cfcc77ce6b
bignum=ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
mbedtls: 0 0400000000000000000000000000000000000000000000000000000000000000000000000000fffffffffffffffffffffce4f29070480d21a4778a9ba49bfbd51df0ee60c1e30103fdea7a81151a0b570258c8fa81965bd3bb26a7183133883194
gcrypt: 0 04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0100000000000000fffffffbe4f29070480d21a4778a9ba49bfbd51df0ee60c1e30103fdea7a81151a0b570258c8fa81965bd3bb26a7183133883194
catenacyber added a comment.Jun 29 2021, 8:57 PM
curve=23 secp256r1
point=040000ffffffff0000000000000000000000000000000000000000000000000000cfe26d107a5134d6feb38ce3577075bdc7aa70ff7523d3b203c8a973f2d3dc8e
bignum=0000000000ff0000000400000000000000000000005d00003277002000010000
mbedtls: 0 04fd351b304ad50f36153d8193c4bbf7d4c3bee26e5af52a9c70133edfa62c273e05da8312615436e9c81b5b0624e68667233ace6307afc8056eae85049ca63226
gcrypt: 0 04d6915640b8ba3918f129c108f52f571ec28c1c89ad710b43928c3bd942eb29d8bf181e997b502abf12cf3606eb46379c59fd396bda7b45cdc75d429b2b37b15f
jukivili added a comment.Jun 30 2021, 4:54 PM

Thanks a lot.

Here's second patch with more test-vectors and better fix:

0001-ec-nist-fix-mod-p-carry-adjustment-and-output-maskin.patch42 KBDownload

I'll push this to master soon.

jukivili added a commit: rCfc92c609dfdb: ec-nist: fix 'mod p' carry adjustment and output masking.Jun 30 2021, 5:58 PM
catenacyber added a comment.Jul 1 2021, 10:19 PM

Got a new bug with regression range ccfa9f2c1427b40483984198c3df41f8057f69f8:6dfab8cfb94ccb485a15b13df3c499cbb06fddf2

curve=23 secp256r1
point=04555555ffffffffffffffffffffffffffffffffffffffffffffffffffffffffff73a865e2e128733884fb82ce625ade822f7d8a59a4dcc09266966cf1bf082856
bignum=2020ff2020202020202020202020202020202020202020202020202020202020
nettle: 0 045549408909dd3e772d7d669f8fba2248d334b54be3d18833223d944a328948c76198ac3b29712256dcd9ce1a09471f04267684e1edd45910d61d0b7847db2d58
gcrypt: 0 047a6ec0df23082c8ce54c2b536d76b30464f4e1e690bb77665d298f05f0bee6806e7db3377141cc71ee30dcb8ffb7240bc3ecf29132ab5eb4ae03c067cea0d561
jukivili added a comment.Jul 2 2021, 12:43 AM
In T5510#147840, @catenacyber wrote:

Got a new bug with regression range ccfa9f2c1427b40483984198c3df41f8057f69f8:6dfab8cfb94ccb485a15b13df3c499cbb06fddf2

curve=23 secp256r1
point=04555555ffffffffffffffffffffffffffffffffffffffffffffffffffffffffff73a865e2e128733884fb82ce625ade822f7d8a59a4dcc09266966cf1bf082856
bignum=2020ff2020202020202020202020202020202020202020202020202020202020
nettle: 0 045549408909dd3e772d7d669f8fba2248d334b54be3d18833223d944a328948c76198ac3b29712256dcd9ce1a09471f04267684e1edd45910d61d0b7847db2d58
gcrypt: 0 047a6ec0df23082c8ce54c2b536d76b30464f4e1e690bb77665d298f05f0bee6806e7db3377141cc71ee30dcb8ffb7240bc3ecf29132ab5eb4ae03c067cea0d561

Thanks. Latest libgcrypt master now gives same output as nettle for this case.

jukivili added a commit: rC3f4a59299134: tests/t-mpi-point: add one more NIST P-256 reduction test-vector.Jul 2 2021, 12:49 AM
jukivili closed this task as Resolved.Jul 6 2021, 6:02 PM
jukivili claimed this task.
gniibe mentioned this in rCa23a8f04d8da: tests/t-mpi-point: Add one more NIST P-256 reduction test-vector..Sep 28 2021, 4:07 AM
gniibe added a commit: rCe0bdb19056f4: tests/t-mpi-point: add reduction test-vectors for NIST curves..
gniibe added a commit: rCa23a8f04d8da: tests/t-mpi-point: Add one more NIST P-256 reduction test-vector..