)]}' { "commit": "474ddf8ba95f30e69acea37d76b3e671d89381c3", "tree": "801ae4e76c69c583cd142a1c4b1db580042d4dce", "parents": [ "788bf74188fd091b7e67f1ff4a5258bec653b1ea" ], "author": { "name": "David Benjamin", "email": "davidben@google.com", "time": "Sat Feb 11 10:13:32 2023 -0500" }, "committer": { "name": "Boringssl LUCI CQ", "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com", "time": "Thu Feb 23 15:59:47 2023 +0000" }, "message": "Cap the number of ECDSA and DSA sign iterations.\n\nWhen the parameters are incorrect, all assumptions of (EC)DSA fly out\nthe window, including whether the retry loop actually terminates.\n\nWhile ECDSA is broadly used with fixed, named groups, DSA was\ncatastrophically mis-specified with arbitrary parameters being the\ndefault and only mode. Cap the number of retries in DSA_do_sign so\ninvalid DSA groups cannot infinite loop, e.g. if the \"generator\" is\nreally nilpotent.\n\nThis also caps the iteration count for ECDSA. We do, sadly, support\narbitrary curves via EC_GROUP_new_curve_GFp, to help Conscrypt remain\ncompatible with a badly-designed Java API. After\nhttps://boringssl-review.googlesource.com/c/boringssl/+/51925, we\ndocumented that untrusted parameters are not supported and may produce\ngarbage outputs, but we did not document that infinite loops are\npossible. I don\u0027t have an example where an invalid curve breaks ECDSA,\nbut as it breaks all preconditions, I cannot be confident it doesn\u0027t\nexist, so just cap the iterations.\n\nThanks to Hanno Böck who originally reported an infinite loop on\ninvalid DSA groups. While that variation did not affect BoringSSL, it\ninspired us to find other invalid groups which did.\n\nThanks also to Guido Vranken who found, in\nhttps://github.com/openssl/openssl/issues/20268, an infinite loop when\nthe private key is zero. That was fixed in the preceding CL, as it\nimpacts valid groups too, but the infinite loop is ultimately in the\nsame place, so this change also would have mitigated the loop.\n\nUpdate-Note: If signing starts failing with ECDSA_R_INVALID_ITERATIONS,\nsomething went horribly wrong because it should not be possible with\nreal curves. (Needing even one retry has probability 2^-256 or so.)\n\nChange-Id: If8fb0157055d3d8cb180fe4f27ea7eb349ec2738\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57228\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "9f7bba7d7fa59422805532627bb19097f02a1b72", "old_mode": 33188, "old_path": "crypto/dsa/dsa.c", "new_id": "8be01b9f618cc2f8a04f54d517a609a12b728639", "new_mode": 33188, "new_path": "crypto/dsa/dsa.c" }, { "type": "modify", "old_id": "a4b6dfa122ca6a6bdc346427f9be28ece48b191b", "old_mode": 33188, "old_path": "crypto/dsa/dsa_test.cc", "new_id": "cc02782a365425976a7e4c8bd05485373b5374a5", "new_mode": 33188, "new_path": "crypto/dsa/dsa_test.cc" }, { "type": "modify", "old_id": "1cf5206d86efed851594f12f3e73b22333d43b73", "old_mode": 33188, "old_path": "crypto/err/dsa.errordata", "new_id": "4a4b5862df8786a636e0db2726875c70a63f5dea", "new_mode": 33188, "new_path": "crypto/err/dsa.errordata" }, { "type": "modify", "old_id": "58ba591fabc7ac7cdf15cf78d7c80a943b004d7d", "old_mode": 33188, "old_path": "crypto/err/ecdsa.errordata", "new_id": "b1c60d4505c2c8a0ca6cb81bce702eb70940e9e4", "new_mode": 33188, "new_path": "crypto/err/ecdsa.errordata" }, { "type": "modify", "old_id": "95b367f13cb0fbdf505ef241a9a9e863c5b8fefc", "old_mode": 33188, "old_path": "crypto/fipsmodule/ecdsa/ecdsa.c", "new_id": "4cd95bb27215ae67b487c98d56340a3eee2cbd4c", "new_mode": 33188, "new_path": "crypto/fipsmodule/ecdsa/ecdsa.c" }, { "type": "modify", "old_id": "7f10e549020d4109c02a2a0da02e4c3119a31720", "old_mode": 33188, "old_path": "include/openssl/dsa.h", "new_id": "30afd43834d4db2920addda68d5bac464224808b", "new_mode": 33188, "new_path": "include/openssl/dsa.h" }, { "type": "modify", "old_id": "bc0dba56244587bb4e5badcee1cf34ae35534b08", "old_mode": 33188, "old_path": "include/openssl/ecdsa.h", "new_id": "56be1547f5cc16240c4428ffe1b58dfc498ecbad", "new_mode": 33188, "new_path": "include/openssl/ecdsa.h" } ] }