Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/salsa20: keystream loop in amd64 implementation after 256GiB #30965

Closed
FiloSottile opened this issue Mar 20, 2019 · 3 comments
Closed

x/crypto/salsa20: keystream loop in amd64 implementation after 256GiB #30965

FiloSottile opened this issue Mar 20, 2019 · 3 comments
Labels
FrozenDueToAge Security
Milestone
Unreleased

Comments

@FiloSottile
Copy link
Contributor

If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

The issue might affect uses of golang.org/x/crypto/nacl with extremely large messages.

Architectures other than amd64 and uses that generate less than 256 GiB of keystream for a single salsa20.XORKeyStream invocation are unaffected.

This issue was discovered and reported by Michael McLoughlin.
@gopherbot gopherbot added this to the Unreleased milestone Mar 20, 2019
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/168406 mentions this issue: salsa20/salsa: fix keystream loop in amd64 assembly when overflowing 32-bit counter

justincormack added a commit to justincormack/swarmkit that referenced this issue Mar 21, 2019
@justincormack
Update x/crypto for salsa fix
7c4d53a 
This fixes golang/go#30965

This should not break any update, as we should not be encrypting more than
256GB data, as we only use secretbox for encrypting Raft values.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
@justincormack justincormack mentioned this issue Mar 21, 2019
Merged
justincormack added a commit to justincormack/swarmkit that referenced this issue Mar 21, 2019
@justincormack
Update x/crypto for salsa fix
02f3a99 
This fixes golang/go#30965

This should not break any update, as we should not be encrypting more than
256GB data, as we only use secretbox for encrypting Raft values.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
@sidhax
Copy link

sidhax commented May 3, 2019

Do we have CVE or this is being treated as non-security bug ?

@sidhax
Copy link

sidhax commented May 10, 2019
edited
Loading

CVE has been assigned to this https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11840. Please make sure to get CVE for a security fix in future.

@tsatke tsatke mentioned this issue Aug 28, 2019
Closed
@golang golang locked and limited conversation to collaborators May 9, 2020
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 28, 2022
@FiloSottile
salsa20/salsa: fix keystream loop in amd64 assembly when overflowing …
a4367e3 
…32-bit counter

Fixes golang/go#30965

Change-Id: I83a804d555c048e0124c35f95c9e611b2c5bdb01
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/436856
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/168406
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
c-expert-zigbee added a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 29, 2022
@c-expert-zigbee
salsa20/salsa: fix keystream loop in amd64 assembly when overflowing …
6a51aaf 
…32-bit counter

Fixes golang/go#30965

Change-Id: I83a804d555c048e0124c35f95c9e611b2c5bdb01
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/436856
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/168406
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
c-expert-zigbee added a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 29, 2022
@c-expert-zigbee
salsa20/salsa: fix keystream loop in amd64 assembly when overflowing …
4be1dff 
…32-bit counter

Fixes golang/go#30965

Change-Id: I83a804d555c048e0124c35f95c9e611b2c5bdb01
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/436856
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/168406
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
LewiGoddard pushed a commit to LewiGoddard/crypto that referenced this issue Feb 16, 2023
@FiloSottile
salsa20/salsa: fix keystream loop in amd64 assembly when overflowing …
3995ece 
…32-bit counter

Fixes golang/go#30965

Change-Id: I83a804d555c048e0124c35f95c9e611b2c5bdb01
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/436856
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/168406
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
BiiChris pushed a commit to BiiChris/crypto that referenced this issue Sep 15, 2023
@FiloSottile
salsa20/salsa: fix keystream loop in amd64 assembly when overflowing …
5abb9ba 
…32-bit counter

Fixes golang/go#30965

Change-Id: I83a804d555c048e0124c35f95c9e611b2c5bdb01
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/436856
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/168406
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
desdeel2d0m added a commit to desdeel2d0m/crypto that referenced this issue Jul 1, 2024
@desdeel2d0m @FiloSottile
salsa20/salsa: fix keystream loop in amd64 assembly when overflowing …
eb0ed34 
…32-bit counter

Fixes golang/go#30965

Change-Id: I83a804d555c048e0124c35f95c9e611b2c5bdb01
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/436856
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/168406
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge Security
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
3 participants
@FiloSottile @sidhax @gopherbot