crypto/elliptic: carry bug in x86-64 P-256 #20040
Comments
@agl This sounds like something we should fix in 1.8.2 and 1.9, but it is not necessary to release a new version of 1.6 or 1.7 with a fix. Does that sound right to you?

I'm not very familiar with the convention for what gets backported and how far, but I agree that this is suitable for 1.8.2, certainly should be in 1.9, and it seems reasonable that it's not so important to warrant a respin for older versions, yes.

Reopening for backport.

CL https://golang.org/cl/41070 mentions this issue.

CL https://golang.org/cl/43770 mentions this issue.

CL https://golang.org/cl/43773 mentions this issue.
… implementation. Patch from Vlad Krasnov and confirmed to be under CLA. Fixes #20040. Change-Id: Ieb8436c4dcb6669a1620f1e0d257efd047b1b87c Reviewed-on: https://go-review.googlesource.com/41070 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit 9294fa2) Reviewed-on: https://go-review.googlesource.com/43773 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Chris Broadfoot <cbro@golang.org>
… implementation. Patch from Vlad Krasnov and confirmed to be under CLA. Fixes #20040. Change-Id: Ieb8436c4dcb6669a1620f1e0d257efd047b1b87c Reviewed-on: https://go-review.googlesource.com/41070 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit 9294fa2) Reviewed-on: https://go-review.googlesource.com/43770 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Chris Broadfoot <cbro@golang.org>

(This issue is CVE-2017-8932.)

I have a suggestion about the release note. As an app developer, I don't use
Almost sure that TLS as implemented by the Go standard library is not really exploitable.
Go ahead and mention static ECDH and JWT though.

Announcement was sent before I read your comment, @FiloSottile, but yes... for those following along, agl's statement in the first post is still true for TLS (as used by net/http). If you're using the elliptic package directly, such as working with JWTs, then you probably want to update. If you're not, then wait for Go 1.8.3, which should be released tomorrow.

Can someone please summarize what the issue actually means?

Backlinking for reference: https://events.ccc.de/congress/2017/Fahrplan/events/9021.html
Cloudflare reported a carry bug in the P-256 implementation that they submitted for x86-64 in 7bacfc6. I can reproduce this via random testing against BoringSSL and, after applying the patch that they provided, can no longer do so, even after ~2^31 iterations.
This issue is not obviously exploitable, although we cannot rule out the possibility of someone managing to squeeze something through this hole. (It would be a cool paper.) Thus this should be treated as something to fix, but not something on fire, based on what we currently know.
Fix will be coming in just a second.
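The random testing agl describes above compares the optimized P-256 code against an independent implementation (BoringSSL) on random inputs. The following Go program is an added example of that differential-testing technique, not code from the issue, the patch, or the Go project: the oracle here is a hypothetical, deliberately naive affine double-and-add on `math/big` (slow and not constant-time, which is acceptable for a test oracle) rather than BoringSSL, and `crypto/elliptic.P256()` stands in for the implementation under test. A carry bug of the kind reported here shows up as a mismatch on some fraction of random scalars, which is why the number of rounds matters.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
	"math/big"
)

// refCurve is a hypothetical affine P-256 oracle (y^2 = x^3 - 3x + b over GF(p))
// on math/big. Added example code; its only job is to be independent of the
// optimized implementation under test.
type refCurve struct{ p, gx, gy *big.Int }

func newRefP256() *refCurve {
	params := elliptic.P256().Params()
	return &refCurve{p: params.P, gx: params.Gx, gy: params.Gy}
}

// affineAdd returns P+Q in affine coordinates; (nil, nil) is the point at infinity.
func (c *refCurve) affineAdd(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
	if x1 == nil {
		return x2, y2
	}
	if x2 == nil {
		return x1, y1
	}
	var num, den *big.Int
	if x1.Cmp(x2) == 0 {
		if y1.Cmp(y2) != 0 || y1.Sign() == 0 {
			return nil, nil // P + (-P) = O, or doubling a point with y = 0
		}
		// Tangent slope for a = -3: (3x^2 - 3) / (2y)
		num = new(big.Int).Mul(x1, x1)
		num.Mul(num, big.NewInt(3)).Sub(num, big.NewInt(3))
		den = new(big.Int).Lsh(y1, 1)
	} else {
		// Chord slope: (y2 - y1) / (x2 - x1)
		num = new(big.Int).Sub(y2, y1)
		den = new(big.Int).Sub(x2, x1)
	}
	den.Mod(den, c.p)
	lambda := new(big.Int).Mul(num, new(big.Int).ModInverse(den, c.p))
	lambda.Mod(lambda, c.p)
	x3 := new(big.Int).Mul(lambda, lambda)
	x3.Sub(x3, x1).Sub(x3, x2).Mod(x3, c.p)
	y3 := new(big.Int).Sub(x1, x3)
	y3.Mul(y3, lambda).Sub(y3, y1).Mod(y3, c.p)
	return x3, y3
}

// scalarMult computes k*(x, y) by plain left-to-right double-and-add.
func (c *refCurve) scalarMult(x, y *big.Int, k []byte) (*big.Int, *big.Int) {
	var rx, ry *big.Int // start at infinity
	for _, b := range k {
		for i := 7; i >= 0; i-- {
			rx, ry = c.affineAdd(rx, ry, rx, ry)
			if (b>>uint(i))&1 == 1 {
				rx, ry = c.affineAdd(rx, ry, x, y)
			}
		}
	}
	return rx, ry
}

// samePoint compares a library result with a reference result, mapping the
// reference's nil (infinity) onto the library's (0, 0) encoding.
func samePoint(lx, ly, rx, ry *big.Int) bool {
	if rx == nil {
		return lx.Sign() == 0 && ly.Sign() == 0
	}
	return lx.Cmp(rx) == 0 && ly.Cmp(ry) == 0
}

// differentialCheck runs iters rounds of random-scalar testing, comparing the
// library's ScalarBaseMult and ScalarMult against the oracle, and returns the
// number of rounds that disagreed. Any nonzero count is a bug in one side.
func differentialCheck(iters int) (int, error) {
	lib, ref, mismatches := elliptic.P256(), newRefP256(), 0
	for i := 0; i < iters; i++ {
		k, m := make([]byte, 32), make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return 0, err
		}
		if _, err := rand.Read(m); err != nil {
			return 0, err
		}
		lx, ly := lib.ScalarBaseMult(k) // k*G, fixed-base path
		rx, ry := ref.scalarMult(ref.gx, ref.gy, k)
		if !samePoint(lx, ly, rx, ry) {
			mismatches++
			continue
		}
		if rx == nil {
			continue // k was 0 mod n; nothing further to multiply
		}
		lx2, ly2 := lib.ScalarMult(lx, ly, m) // m*(k*G), general path
		rx2, ry2 := ref.scalarMult(rx, ry, m)
		if !samePoint(lx2, ly2, rx2, ry2) {
			mismatches++
		}
	}
	return mismatches, nil
}

func main() {
	n, err := differentialCheck(200)
	if err != nil {
		panic(err)
	}
	fmt.Printf("200 rounds, %d mismatches\n", n)
}
```

Two rounds per scalar cover both the fixed-base and the general scalar-multiplication paths, since optimized implementations often use different code for each. A real harness would run far more iterations than the 200 in `main` (agl reports on the order of 2^31 before trusting the fix) and would log the offending scalar on the first mismatch so the failing case can be replayed.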