)]}'
{
  "commit": "d85444e741b73a77fe4359cd3db189482d4f4806",
  "tree": "5e73ef35eef3c1826222395c6286249ca85e2417",
  "parents": [
    "18b1b8b1c4567190fe4a37262fdfba57aa446dc7"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Thu Jul 27 13:54:29 2023 -0700"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Mon Aug 14 20:54:13 2023 +0000"
  },
  "message": "Consistently reject large p and large q in DH\n\nWhen applications use Diffie-Hellman incorrectly, and use\nattacker-supplied domain parameters, rather than known-valid ones (as\nrequired by SP 800-56A, 5.5.2), algorithms that aren\u0027t designed with\nattacker-supplied parameters in mind become attack surfaces.\n\nCVE-2023-3446 and CVE-2023-3817 in OpenSSL cover problems with the\nDH_check function given large p and large q. This CL adds some fast\nvalidity checks to the DH parameters before running any operation. This\ndiffers from upstream in a few ways:\n\n- Upstream only addressed issues with DH_check. We also check in\n  DH_generate_key and DH_check_pub_key.\n\n- For a more consistent invariant, reuse the existing DH modulus limit.\n  Ideally we\u0027d enforce these invariants on DH creation, but this is not\n  possible due to OpenSSL\u0027s API. We additionally check some other\n  cheap invariants.\n\nThis does not impact TLS, or any applications that used Diffie-Hellman\ncorrectly, with trusted, well-known domain parameters.\n\nUltimately, that this comes up at all is a flaw in how DH was specified.\nThis is analogous to the issues with ECC with arbitrary groups and DSA,\nwhich led to https://github.com/openssl/openssl/issues/20268\nCVE-2022-0778, CVE-2020-0601, and likely others. Cryptographic\nprimitives should be limited to a small set of named, well-known domain\nparameters.\n\nUpdate-Note: Egregiously large or invalid DH p, q, or g values will be\nmore consistently rejected in DH operations. This does not impact TLS.\nApplications should switch to modern primitives such as X25519 or ECDH\nwith P-256.\n\nChange-Id: I666fe0b9f8b71632f6cf8064c8ea0251e5c286bb\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62226\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "de01077d7f1067afaa8256c49e83b75c0322e2d4",
      "old_mode": 33188,
      "old_path": "crypto/dh_extra/dh_asn1.c",
      "new_id": "4e2e2c44f8c955d73bc370453ac7beb8c2d232c3",
      "new_mode": 33188,
      "new_path": "crypto/dh_extra/dh_asn1.c"
    },
    {
      "type": "modify",
      "old_id": "f27c8f01ff6c2c5fde02ccc4e57440b7e0d27e91",
      "old_mode": 33188,
      "old_path": "crypto/dh_extra/dh_test.cc",
      "new_id": "881f72ddef1b047565fe363340b8e1cff1b793e7",
      "new_mode": 33188,
      "new_path": "crypto/dh_extra/dh_test.cc"
    },
    {
      "type": "modify",
      "old_id": "0e76747e0d0db53374dd0bcb6085b00f6da7e92c",
      "old_mode": 33188,
      "old_path": "crypto/dh_extra/params.c",
      "new_id": "548c4c8f3da559d07a3efd0d543d39b12a37bcf2",
      "new_mode": 33188,
      "new_path": "crypto/dh_extra/params.c"
    },
    {
      "type": "modify",
      "old_id": "9e1b87d850dd5c8e04732f0e76cba6aaf70a3a78",
      "old_mode": 33188,
      "old_path": "crypto/err/dh.errordata",
      "new_id": "09053aec63e10a527678fc67163b26d6fdb7a8ef",
      "new_mode": 33188,
      "new_path": "crypto/err/dh.errordata"
    },
    {
      "type": "modify",
      "old_id": "0c82c17f008542ec423a6d728e464b3e77df2e6d",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/dh/check.c",
      "new_id": "b92b700d37425cf56836459fc65d9ad3e841c285",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/dh/check.c"
    },
    {
      "type": "modify",
      "old_id": "80940fdb13a9ead82ebd210c558e61eb3eb31e05",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/dh/dh.c",
      "new_id": "1e8971a4a3733790eb117d7efc0269d7a32c3f6d",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/dh/dh.c"
    },
    {
      "type": "modify",
      "old_id": "fe7fda4e9d9ef31d68db7aa0c630b09d416dd09b",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/dh/internal.h",
      "new_id": "d11e59b50c37b16066c79ee5e11701f8427c6020",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/dh/internal.h"
    },
    {
      "type": "modify",
      "old_id": "b83fb5ee1c96837ea1b331930a198a40c3d42f8c",
      "old_mode": 33188,
      "old_path": "include/openssl/dh.h",
      "new_id": "a3094d8f6e89484f7504a35d781ef18fba482672",
      "new_mode": 33188,
      "new_path": "include/openssl/dh.h"
    }
  ]
}