Code stucks at mbedtls_mpi_mod_mpi()

I am using Mbed library in my RSA signature verification algorithm.
However when setting signature with all zeros my program stucks.

after debugging it I see that it stuck at these lines of mbedtls_mpi_mod_mpi

  while (ret_cmp >= (sint32)0)
  {
    ret = mbedtls_mpi_sub_mpi(R, R, B);
    if (ret != (sint32)0)
    {
      break;
    }
    ret_cmp = mbedtls_mpi_cmp_mpi(R, B);
  }

It never exists this loop as ret_cmp is always 1 and this continues over and over again.

Values are as follows:

1- R:

s: 1
n: 129
limbsPtr: 0x28f034
*limbsPtr:666908898

2-B:

s:1
n:64
limbsPtr: 0x28ea5c
*limbsPtr:1316850821

For sint32 mbedtls_mpi_cmp_mpi(const mbedtls_mpi* const X, const mbedtls_mpi* const Y)
this line is executed where X->s equals 1 so ret is returned as 1 and ret_cmp will always be 1 and it will never exit the loop

else
{
if (cntr > cntr2)
{
ret = X->s;
}

I am not sure if there is additional information needed or not.
Also it will be very helpful to give me some hints about meaning of structure mbedtls_mpi and what is limbs referring to.

Could you check this issue ASAP please?

Thanks in advance.

@TareqElgafy Thank you for your question.
The code you are referencing does not seem to be same as the code in mbedtls_mpi_mod_mpi
Could you please specify what Mbed TLS version you are using?
In addition, note that a signature with all zeros is not scenario which is likely to happen in normal use case.

Regards,
Mbed TLS Team member
Ron

@roneld01 Thank you for your quick response.
This code is used from a while so I am not sure which version is it. But I think the new implementation is the same but with different in style and readability.

In addition, note that a signature with all zeros is not scenario which is likely to happen in normal use case.
But what is the case if the hacker tried to send such a signature ? is is acceptable to let him causing my program to stuck?
Is it right for some case for code to always stuck in while a loop at it never exit (like the mention use case above)?
[ret_cmp is always 1 and ret coming from mbedtls_mpi_sub_mpi is always 0) and there is never an exist condition]

@TareqElgafy

But what is the case if the hacker tried to send such a signature ? is is acceptable to let him causing my program to stuck?

Of course that we shouldn’t allow a MITM attack. I was refering to a normal use case. For verifying whether it is a real security threat, we need to investigate this further, whether it is likely to happen in real TLS session, since there are other phases happening before the actual verification.

So will you investigate this? any other input is required from my side?

Hi @TareqElgafy,

I’m afraid I can’t reproduce this issue. I’ve checked a test case with an all-zero RSA signature and it returns MBEDTLS_ERR_RSA_VERIFY_FAILED (for PKCS#1v1.5) or MBEDTLS_ERR_RSA_INVALID_PADDING (for PSS) as expected.

The code you’ve posted for mbedtls_mpi_mod_mpi doesn’t conform to the Mbed TLS style, and the logic is different from both current and past versions of Mbed TLS. Could you please clarify which version of Mbed TLS you’re using? If you’ve changed the code, please make sure that you can reproduce the issue with an official release of Mbed TLS.

If you can reproduce the issue with Mbed TLS, please let us know exactly what inputs you’re passing. It isn’t enough to show the immediate content of the bignum structure: the content of the limbs matters as well. You can use mbedtls_mpi_write_binary or mbedtls_mpi_write_string to print out the numerical value of a bignum, or tell us which RSA function you’re calling, the value of the key, and the size and content of the signature.

Best regards,
Gilles Peskine — Mbed TLS team member