Fix (nearly) infinite loop in RESSOL (modular square root).

It first computed the first i for q**(2**i) == 1, then checked that i was smaller than s. Given a composite modulus (for which the algorithm does not work), the loop might do a very large amount of work before returning the failure.
author: Jack Lloyd <[email protected]> 2016-01-29 14:35:30 -0500
committer: Jack Lloyd <[email protected]> 2016-02-01 06:14:44 -0500
commit: d7471d1d3bbb8b2ed454cb2e2ae15a7d178f2770 (patch)
tree: 8fe6b3e74fead0ff32fc956e50f68c821bdc17a7 /doc/security.rst
parent: 61f919adb8bb3e0ba225f1758d679f775df876ba (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/security.rst b/doc/security.rst
index 84d8d49d8..a4aaa5e0d 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -16,6 +16,19 @@ https://keybase.io/jacklloyd and on most PGP keyservers.
 Advisories
 ----------------------------------------
 
+2016
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* 2016-02-01 (CVE-2016-2194): Infinite loop in modulur square root algorithm
+
+  The ressol function implements the Tonelli-Shanks algorithm for
+  finding square roots could be sent into a nearly infinite loop due
+  to a misplaced conditional check. This could occur if a composite
+  modulus is provided, as this algorithm is only defined for primes.
+  This function is exposed to attacker controlled input via the OS2ECP
+  function during ECC point decompression. Found by AFL
+
+  Introduced in 1.7.15, fixed in 1.11.27
+
 2015
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
author	Jack Lloyd <[email protected]>	2016-01-29 14:35:30 -0500
committer	Jack Lloyd <[email protected]>	2016-02-01 06:14:44 -0500
commit	d7471d1d3bbb8b2ed454cb2e2ae15a7d178f2770 (patch)
tree	8fe6b3e74fead0ff32fc956e50f68c821bdc17a7 /doc/security.rst
parent	61f919adb8bb3e0ba225f1758d679f775df876ba (diff)