path: root/src/lib/libcrypto/rsa/rsa_lib.c
author: tb <> 2023-03-04 21:30:23 +0000
committer: tb <> 2023-03-04 21:30:23 +0000
commit: 0b0f128bcf324942bdf04b0afe8df296e9d7abc9 (patch)
tree: d779180f7a5713ad27d6a694abfdddc34dd2ce53 /src/lib/libcrypto/rsa/rsa_lib.c
parent: 5b21203ce56441bf02442a9dbc57d44a0a558cf3 (diff)
download: openbsd-0b0f128bcf324942bdf04b0afe8df296e9d7abc9.tar.gz
          openbsd-0b0f128bcf324942bdf04b0afe8df296e9d7abc9.tar.bz2
          openbsd-0b0f128bcf324942bdf04b0afe8df296e9d7abc9.zip
Cap the number of iterations in DSA signing
The DSA standard specifies an infinite loop: if either r or s is zero in the signature calculation, a new random number k shall be generated and the whole thing is to be redone. The rationale is that, as the standard puts it, "[i]t is extremely unlikely that r = 0 or s = 0 if signatures are generated properly."

The problem is... There is no cheap way to know that the DSA domain parameters we are handed are actually DSA domain parameters, so even if all our calculations are carefully done to do all the checks needed, we cannot know if we generate the signatures properly. For this we would need to do two primality checks as well as various congruences and divisibility properties. Doing this easily leads to DoS, so nobody does it.

Unfortunately, it is relatively easy to generate parameters that pass all sorts of sanity checks and will always compute s = 0 since g is nilpotent. Thus, as unlikely as it is, if we are in the mathematical model, in practice it is very possible to ensure that s = 0.

Read David Benjamin's glorious commit message for more information
https://boringssl-review.googlesource.com/c/boringssl/+/57228

Thanks to Guido Vranken for reporting this issue, also thanks to Hanno Boeck who apparently found and reported similar problems earlier.

ok beck jsing
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions