A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_0 2022-03-15T15:54:26+00:00 2022-03-15T15:54:26+00:00 tb 2022-03-15T15:54:26+00:00 urn:sha1:76591ba244323a2970ad751e551ba496278315b1 A bug in the implementation of the Tonelli-Shanks algorithm can lead to an infinite loop. This loop can be hit in various ways, in particular on decompressing an elliptic curve public key via EC_POINT_oct2point() - to do this, one must solve y^2 = x^3 + ax + b for y, given x. If a certificate uses explicit encoding for elliptic curve parameters, this operation needs to be done during certificate verification, leading to a DoS. In particular, everything dealing with untrusted certificates is affected, notably TLS servers explicitly configured to request client certificates (httpd, smtpd, various VPN implementations, ...). Ordinary TLS servers do not consume untrusted certificates. The problem is that we cannot assume that x^3 + ax + b is actually a square on untrusted input and neither can we assume that the modulus p is a prime. Ensuring that p is a prime is too expensive (it would likely itself lead to a DoS). To avoid the infinite loop, fix the logic to be more resilient and explicitly limit the number of iterations that can be done. The bug is such that the infinite loop can also be hit for primes = 3 (mod 4) but fortunately that case is optimized earlier. It's also worth noting that there is a size bound on the field size enforced via OPENSSL_ECC_MAX_FIELD_BITS (= 661), which help mitigate further DoS vectors in presence of this fix. Reported by Tavis Ormandy and David Benjamin, Google Patch based on the fixes by David Benjamin and Tomas Mraz, OpenSSL ok beck inoguchi This is errata/7.0/016_bignum.patch.sig 2021-09-10T14:33:44+00:00 tb 2021-09-10T14:33:44+00:00 urn:sha1:9c7f18263be772997a3fc69b29db311365ee986a ok beck inoguchi 2021-09-10T14:32:05+00:00 tb 2021-09-10T14:32:05+00:00 urn:sha1:a7a8157da1afa7599cecd9217d06cce21e3ad67f ok beck jsing 2021-09-10T09:08:03+00:00 tb 2021-09-10T09:08:03+00:00 urn:sha1:94aeb3e2fd2aa6f535f045b0ee734b5d1742522f ok beck jsing 2021-09-08T12:19:17+00:00 tb 2021-09-08T12:19:17+00:00 urn:sha1:229cf417ae65dfb488927f3e25593d1dc2aad539 As found by jsg and patrick, this is needed for newer uboot and will also be used in upcoming elliptic curve work. This is from OpenSSL 1.1.1l with minor style tweaks. ok beck inoguchi 2021-08-31T11:19:19+00:00 tb 2021-08-31T11:19:19+00:00 urn:sha1:a5a732ed4c036cb60cfcda0d1737f1d383c2b3d0 2020-09-12T17:16:36+00:00 tb 2020-09-12T17:16:36+00:00 urn:sha1:ad25ca1fcd0c9ca48a2fcd6e68367cd74d82b01f figure out whether top > 0 or top == 0. 2020-09-12T15:24:39+00:00 tb 2020-09-12T15:24:39+00:00 urn:sha1:1e0b199599db7da1624618b2509c1d58106f35f7 If BN_rand() is called with top > 0 and bits == 1, it would allocate a buf[] of size 1 and set the top bit of buf[1]. Found in OpenSSL commit efee575ad464bfb60bf72dcb73f9b51768f4b1a1 while looking for something else. ok beck djm inoguchi 2019-08-25T19:24:00+00:00 schwarze 2019-08-25T19:24:00+00:00 urn:sha1:0fd355ae5ac95f1b4265d2c28d096b63de52a902 not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2^-128. Patch from Kurt Roeckx <kurt@roeckx.be> and Annie Yousar via OpenSSL commit feac7a1c Jul 25 18:55:16 2018 +0200, still under a free license. OK tb@. 2019-08-20T10:59:09+00:00 schwarze 2019-08-20T10:59:09+00:00 urn:sha1:4569778023d8d4ec0159e09baa48f5f397ff8847 in OpenSSL 1.1.1 even though in general, letting random functions accept NULL is not advisable because it can hide programming errors; "yes please" tb@ "unfortunately I suspect you're right" jsing@ "oh well" deraadt@