Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/{ed25519,ecdsa,rsa}: PrivateKey.Equal leaks timing information #53849

Open
Tracked by #57752
rolandshoemaker opened this issue Jul 13, 2022 · 1 comment
Open
Tracked by #57752
Labels
NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments

@rolandshoemaker
Copy link
Member

The implementations of PrivateKey.Equal in the crypto/ed25519, crypto/ecdsa, and crypto/rsa packages
leak timing information during key comparison. We do not consider this a serious security issue, as
attacker controlled private key attacks are generally considered out of scope, the Equals methods
are not used during any cryptographic operations, and because these methods were never documented to
be constant-time.

Regardless, we should make these methods constant-time, since it is (mostly) trivial to do, and because
our stance is that the crypto/* libraries should be generally safe to use by default, and hard to
misuse.

Thanks to Zach Collier (@zamicol) for reporting this issue to the Security team.

@rolandshoemaker rolandshoemaker added the NeedsFix The path to resolution is known, but the work has not been done. label Jul 13, 2022
@rolandshoemaker rolandshoemaker added this to the Backlog milestone Jul 13, 2022
@gopherbot
Copy link

Change https://go.dev/cl/417396 mentions this issue: crypto: make private key equals methods constant time

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Development

No branches or pull requests

3 participants