crypto/elliptic: carry bug in x86-64 P-256

[agl]

Cloudflare reported a carry bug in the P-256 implementation that they submitted for x86-64 in 7bacfc6. I can reproduce this via random testing against BoringSSL and, after applying the patch that they provided, can no longer do so, even after ~2³¹ iterations.

This issue is not obviously exploitable, although we cannot rule out the possibility of someone managing to squeeze something through this hole. (It would be a cool paper.) Thus this should be treated as something to fix, but not something on fire, based on what we currently know.

Fix will be coming in just a second.

[ianlancetaylor]

@agl This sounds like something we should fix in 1.8.2 and 1.9, but it is not necessary to release a new version of 1.6 or 1.7 with a fix. Does that sound right to you?

[agl]

I'm not very familiar with the convention for what gets backported and how far, but I agree that this is suitable for 1.8.2, certainly should be in 1.9 and it seems reasonable that it's not so important to warrant a respin for older versions, yes.

[ianlancetaylor]

Reopening for backport.

[gopherbot]

CL https://golang.org/cl/41070 mentions this issue.

[gopherbot]

CL https://golang.org/cl/43770 mentions this issue.

[gopherbot]

CL https://golang.org/cl/43773 mentions this issue.

[agl]

(This issue is CVE-2017-8932.)