A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.5.3 2022-03-15T15:52:39+00:00 2022-03-15T15:52:39+00:00 tb 2022-03-15T15:52:39+00:00 urn:sha1:0566442e5364a22ee73d48c1a1b2e5741e5fb155 A bug in the implementation of the Tonelli-Shanks algorithm can lead to an infinite loop. This loop can be hit in various ways, in particular on decompressing an elliptic curve public key via EC_POINT_oct2point() - to do this, one must solve y^2 = x^3 + ax + b for y, given x. If a certificate uses explicit encoding for elliptic curve parameters, this operation needs to be done during certificate verification, leading to a DoS. In particular, everything dealing with untrusted certificates is affected, notably TLS servers explicitly configured to request client certificates (httpd, smtpd, various VPN implementations, ...). Ordinary TLS servers do not consume untrusted certificates. The problem is that we cannot assume that x^3 + ax + b is actually a square on untrusted input and neither can we assume that the modulus p is a prime. Ensuring that p is a prime is too expensive (it would likely itself lead to a DoS). To avoid the infinite loop, fix the logic to be more resilient and explicitly limit the number of iterations that can be done. The bug is such that the infinite loop can also be hit for primes = 3 (mod 4) but fortunately that case is optimized earlier. It's also worth noting that there is a size bound on the field size enforced via OPENSSL_ECC_MAX_FIELD_BITS (= 661), which help mitigate further DoS vectors in presence of this fix. Reported by Tavis Ormandy and David Benjamin, Google Patch based on the fixes by David Benjamin and Tomas Mraz, OpenSSL ok beck inoguchi 2022-02-07T19:49:56+00:00 tb 2022-02-07T19:49:56+00:00 urn:sha1:2a7a0fc6126681d5d309772a47c2a7aa45bb00cd This is a very rarely used function and the crash is hard to reach in practice. Instead of implementing BN_is_odd() badly by hand, just call the real thing. Reported by Guido Vranken ok beck jsing 2022-02-07T19:44:23+00:00 tb 2022-02-07T19:44:23+00:00 urn:sha1:ba7fe30fcf200c09c61915f9a3cd9eb665e5e277 From OpenSSL 6a009812, prompted by a report by Guido Vranken ok beck jsing 2022-01-20T10:56:22+00:00 inoguchi 2022-01-20T10:56:22+00:00 urn:sha1:ae60d4677fb27d77be1fda6163944d7d6e899bdb ok jsing@ millert@ tb@ 2022-01-20T10:53:33+00:00 inoguchi 2022-01-20T10:53:33+00:00 urn:sha1:e0e1bf647e391fbbeca93e407acf21bd81b3468f CID 21665 24835 comment from jsing@ and tb@ ok jsing@ millert@ tb@ 2022-01-14T08:01:47+00:00 tb 2022-01-14T08:01:47+00:00 urn:sha1:4c3657741a468acfaaa95c4732410b866126cefc This makes all structs in bn.h opaque that are also opaque in OpenSSL. ok inoguchi jsing 2022-01-14T07:49:49+00:00 tb 2022-01-14T07:49:49+00:00 urn:sha1:82ec18edf4e632f36b6f79c239fdb6961d421a82 This marks the start of major surgery in libcrypto. Do not attempt to build the tree for a while (~50 commits). 2021-12-27T15:12:22+00:00 jsing 2021-12-27T15:12:22+00:00 urn:sha1:19abe3564aaf0e3572c3b71bc4f4065e819e371a Discussed with tb@ 2021-12-26T15:16:50+00:00 tb 2021-12-26T15:16:50+00:00 urn:sha1:8bbb1196379de707bb70e7d4ef92d3d214ec58bb BN_with_flags() preserves the BN_FLG_MALLOCED flag of the destination which results in a potential use of an uninitialized bit. In practice this doesn't matter since we don't free the cloned BIGNUMs anyway. As jsing points out, these are mostly pointless noise and should be garbage collected. I'll leave that for another rainy day. Coverity flagged one instance BN_gcd_no_branch(), the rest was found by the ever so helpful grep(1). CID 345122 ok jsing 2021-12-04T16:11:10+00:00 tb 2021-12-04T16:11:10+00:00 urn:sha1:6fff4c764088ba7436758d0c3f3e140d832d4035 ok inoguchi jsing