crypto/elliptic: carry bug in x86-64 P-256 #20040
Comments
@agl This sounds like something we should fix in 1.8.2 and 1.9, but it is not necessary to release a new version of 1.6 or 1.7 with a fix. Does that sound right to you?

I'm not very familiar with the convention for what gets backported and how far, but I agree that this is suitable for 1.8.2, certainly should be in 1.9 and it seems reasonable that it's not so important to warrant a respin for older versions, yes.

Reopening for backport.

CL https://golang.org/cl/41070 mentions this issue.

CL https://golang.org/cl/43770 mentions this issue.

CL https://golang.org/cl/43773 mentions this issue.

… implementation. Patch from Vlad Krasnov and confirmed to be under CLA.
Fixes #20040.
Change-Id: Ieb8436c4dcb6669a1620f1e0d257efd047b1b87c
Reviewed-on: https://go-review.googlesource.com/41070
Run-TryBot: Adam Langley <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>
(cherry picked from commit 9294fa2)
Reviewed-on: https://go-review.googlesource.com/43773
Run-TryBot: Brad Fitzpatrick <[email protected]>
Reviewed-by: Chris Broadfoot <[email protected]>

… implementation. Patch from Vlad Krasnov and confirmed to be under CLA.
Fixes #20040.
Change-Id: Ieb8436c4dcb6669a1620f1e0d257efd047b1b87c
Reviewed-on: https://go-review.googlesource.com/41070
Run-TryBot: Adam Langley <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>
(cherry picked from commit 9294fa2)
Reviewed-on: https://go-review.googlesource.com/43770
Run-TryBot: Brad Fitzpatrick <[email protected]>
Reviewed-by: Chris Broadfoot <[email protected]>

(This issue is CVE-2017-8932.)

I have a suggestion about the release note. As an app developer, I don't use

Almost sure that TLS as implemented by the Go standard library is not really exploitable.
Go ahead and mention static ECDH and JWT though.

Announcement was sent before I read your comment, @FiloSottile, but yes... for those following along, agl's statement in the first post is still true for TLS (as used by net/http). If you're using the elliptic package directly, such as working with JWTs, then you probably want to update. If you're not, then wait for Go 1.8.3, which should be released tomorrow.

Can someone please summarize what the issue actually means?

Backlinking for reference: https://events.ccc.de/congress/2017/Fahrplan/events/9021.html
Cloudflare reported a carry bug in the P-256 implementation that they submitted for x86-64 in 7bacfc6. I can reproduce this via random testing against BoringSSL and, after applying the patch that they provided, can no longer do so, even after ~2^31 iterations.
This issue is not obviously exploitable, although we cannot rule out the possibility of someone managing to squeeze something through this hole. (It would be a cool paper.) Thus this should be treated as something to fix, but not something on fire, based on what we currently know.
Fix will be coming in just a second.
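Differential random testing of the kind described in the post above, as an added example that is neither this thread's nor the Go project's code: instead of BoringSSL, the oracle is a small textbook affine P-256 implementation over math/big constructed here (refAdd, refScalarMult and DifferentialCheck are my own names), because since Go 1.19 the CurveParams methods delegate to the optimized code and so cannot serve as an independent reference. Assumes Go 1.15 or later (big.Int.FillBytes).

```go
package main

import ("crypto/elliptic"; "crypto/rand"; "fmt"; "math/big")

var curve = elliptic.P256()
var p, n = curve.Params().P, curve.Params().N

// modInv reduces mod p first because Sub below can yield negative differences.
func modInv(a *big.Int) *big.Int { return new(big.Int).ModInverse(new(big.Int).Mod(a, p), p) }

// refAdd: textbook affine P-256 addition over math/big, a constructed oracle independent of
// the assembly under test (not constant time, test use only). nil x1 = point at infinity.
func refAdd(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
	if x1 == nil { return x2, y2 } // O + Q = Q; callers never pass a nil x2
	lam := new(big.Int)
	if x1.Cmp(x2) == 0 {
		if y1.Cmp(y2) != 0 || y1.Sign() == 0 { return nil, nil } // P + (-P) = O
		lam.Mul(x1, x1).Mul(lam, big.NewInt(3)).Sub(lam, big.NewInt(3)) // 3x^2 + a, a = -3
		lam.Mul(lam, modInv(new(big.Int).Lsh(y1, 1)))
	} else {
		lam.Sub(y2, y1).Mul(lam, modInv(new(big.Int).Sub(x2, x1)))
	}
	x3 := new(big.Int).Mul(lam, lam)
	x3.Sub(x3, x1).Sub(x3, x2).Mod(x3, p)
	y3 := new(big.Int).Sub(x1, x3)
	y3.Mul(y3, lam).Sub(y3, y1).Mod(y3, p)
	return x3, y3
}

// refScalarMult: plain left-to-right double-and-add over the big-endian scalar k.
func refScalarMult(x, y *big.Int, k []byte) (rx, ry *big.Int) {
	for _, b := range k {
		for i := 7; i >= 0; i-- {
			rx, ry = refAdd(rx, ry, rx, ry)
			if (b>>uint(i))&1 == 1 { rx, ry = refAdd(rx, ry, x, y) }
		}
	}
	return rx, ry
}

// DifferentialCheck feeds iters random scalars to the optimized ScalarBaseMult and returns
// the first scalar whose result disagrees with the oracle (nil if all agree).
func DifferentialCheck(iters int) ([]byte, error) {
	gx, gy := curve.Params().Gx, curve.Params().Gy
	for i := 0; i < iters; i++ {
		kb, err := rand.Int(rand.Reader, n)
		if err != nil { return nil, err }
		k := kb.FillBytes(make([]byte, 32)) // fixed-width big-endian, as ScalarBaseMult expects
		bx, by := curve.ScalarBaseMult(k)
		ex, ey := refScalarMult(gx, gy, k)
		if ex == nil || bx.Cmp(ex) != 0 || by.Cmp(ey) != 0 { return k, nil }
	}
	return nil, nil
}

func main() { fmt.Println(DifferentialCheck(1000)) }
```

A returned scalar is a reproducer to keep as a fixed regression vector; the oracle is far too slow and variable-time for anything but testing.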