)]}' { "commit": "c7a3c46574e7fc32357b2cc68f961c56c72b0ca4", "tree": "bd99202e416aa75c96ff38e8b6f0c36a020ba44b", "parents": [ "933f72a0f221507a9759502c089c9bb357f00ccb" ], "author": { "name": "Adam Langley", "email": "agl@google.com", "time": "Tue Mar 15 09:52:36 2022 -0700" }, "committer": { "name": "Boringssl LUCI CQ", "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com", "time": "Tue Mar 15 17:49:40 2022 +0000" }, "message": "Don\u0027t loop forever in BN_mod_sqrt on invalid inputs.\n\nBN_mod_sqrt implements the Tonelli–Shanks algorithm, which requires a\nprime modulus. It was written such that, given a composite modulus, it\nwould sometimes loop forever. This change fixes the algorithm to always\nterminate. However, callers must still pass a prime modulus for the\nfunction to have a defined output.\n\nIn OpenSSL, this loop resulted in a DoS vulnerability, CVE-2022-0778.\nBoringSSL is mostly unaffected by this. In particular, this case is not\nreachable in BoringSSL from certificate and other ASN.1 elliptic curve\nparsing code. Any impact in BoringSSL is limited to:\n\n- Callers of EC_GROUP_new_curve_GFp that take untrusted curve parameters\n- Callers of BN_mod_sqrt that take untrusted moduli\n\nThis CL updates documentation of those functions to clarify that callers\nshould not pass attacker-controlled values. Even with the infinite loop\nfixed, doing so breaks preconditions and will give undefined output.\n\nChange-Id: I64dc1220aaaaafedba02d2ac0e4232a3a0648160\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51925\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\nReviewed-by: Martin Kreichgauer \u003cmartinkr@google.com\u003e\nCommit-Queue: Adam Langley \u003cagl@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "72ec8c2f4ee1fcb742f5052ce0d838d12d7020b3", "old_mode": 33188, "old_path": "crypto/fipsmodule/bn/bn_test.cc", "new_id": "7d578028d2fc02306977fd0d5f9043a080bf0ce9", "new_mode": 33188, "new_path": "crypto/fipsmodule/bn/bn_test.cc" }, { "type": "modify", "old_id": "db88829775d34f00d9fa2b07f4bca52a54af86cf", "old_mode": 33188, "old_path": "crypto/fipsmodule/bn/sqrt.c", "new_id": "9180d540203c6b12dc41efd4d3204f01774729cd", "new_mode": 33188, "new_path": "crypto/fipsmodule/bn/sqrt.c" }, { "type": "modify", "old_id": "a95a89405b638d8b644a109f52069f6781bf8b39", "old_mode": 33188, "old_path": "include/openssl/bn.h", "new_id": "d9491a936b3a5c210dcfab222cd52d91b9420166", "new_mode": 33188, "new_path": "include/openssl/bn.h" }, { "type": "modify", "old_id": "cc8138ded72901e04864bb2ddcb6549e8d1c20b5", "old_mode": 33188, "old_path": "include/openssl/ec.h", "new_id": "8339bfbb9a0a00a19f22b0132cede69cb394bb63", "new_mode": 33188, "new_path": "include/openssl/ec.h" } ] }