[release-branch.go1.11-security] crypto/elliptic: reduce subtraction …

…term to prevent long busy loop If beta8 is unusually large, the addition loop might take a very long time to bring x3-beta8 back positive. This would lead to a DoS vulnerability in the implementation of the P-521 and P-384 elliptic curves that may let an attacker craft inputs to ScalarMult that consume excessive amounts of CPU. This fixes CVE-2019-6486. Change-Id: Ia969e8b5bf5ac4071a00722de9d5e4d856d8071a Reviewed-on: https://team-review.git.corp.google.com/c/399777 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit 746d6abe2dfb9ce7609f8e1e1a8dcb7e221f423e) Reviewed-on: https://team-review.git.corp.google.com/c/401142 Reviewed-by: Filippo Valsorda <valsorda@google.com>
golang · Jan 23, 2019 · 42b42f7 · 42b42f7
1 parent 4601a4c
commit 42b42f7
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
@@ -210,8 +210,9 @@ func (curve *CurveParams) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int,
 
 	x3 := new(big.Int).Mul(alpha, alpha)
 	beta8 := new(big.Int).Lsh(beta, 3)
+	beta8.Mod(beta8, curve.P)
 	x3.Sub(x3, beta8)
-	for x3.Sign() == -1 {
+	if x3.Sign() == -1 {
 		x3.Add(x3, curve.P)
 	}
 	x3.Mod(x3, curve.P)