OpenSSL issues a bugfix for the previous bugfix


If you are an OpenSSL user, you are probably aware of the recent high-profile bugfix release, which came back in March 2022.

This fix came with our OpenSSS 3.0.2 And 1.1.1nUpdates for two current full-supported flavors of the product.

(There’s a legacy version here, 1.0.2, but updates to that version are only available to customers who pay for premium support, and in terms of product changes and improvements from day 1.0.2, we’re asking you to move on to the mainstream version – maybe even special – If you plan to continue paying for support.)

The March 2022 update was an important reminder that deeply buried code with unusual bugs could be neglected year after year, especially if that code is part of a complex, specialized, low-level function.

Bug fixes are then used to compute what is known as a special-purpose algorithm Modular square rootWhich is more complicated to calculate than regular square roots.

Unfortunately, the code to perform this calculation using an algorithm first invented in the 1890s was unrealistically coded, obscenely written, bad comments, and difficult to follow.

However, this was not an explicit “externally-oriented” part of OpenSSL, and it would be a difficult task to rewrite. When confronted with input, it is not searched for consistency.

Because, when confronted with digital certificates that were booby-trapped to create uncategorized numbers, OpenSSL’s BN_mod_sqrt() The function may be tricked into looping forever, trying to close an answer that did not exist.

When you only work with integers and reject any kind of fraction, you see that many numbers do not have modular square roots, just as you see that many integers do not have regular square roots. Thus 7 × 7 = 49, so 49 has a square root which is a whole number, i.e. 7. But there is no integer that can automatically multiply by 50 or 51, because the next “perfect square” is 8 × 8 = 64. You can try as long as you want, but you will never get an integer answer for 151 No.