crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le

[rolandshoemaker]

Due to usage of a conditional branching instruction in the ppc64le implementation of p256NegCond, the function is variable time rather than constant time.

This is a security issue, as it leaks a very small number of bits, but we're treating it as PUBLIC track per the Go Security policy, as it affects a rather niche architecture, and because we're unaware of any protocols this directly affects.

[gopherbot]

Change https://go.dev/cl/643735 mentions this issue: crypto/internal/fips140/nistec: make p256NegCond constant time on ppc64le

[gabyhelp]

Related Code Changes

• crypto/internal/fips140/nistec: make p256NegCond constant time on ppc64le

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[jkrishmys]

@rolandshoemaker Thank you so much for the observation and quick fix.

[qinlonglong123]

@rolandshoemaker @jkrishmys I see that the relevant code in the CL643735 is also present in Go 1.22, Go 1.23, and other versions. Does this vulnerability affect the lower versions? Does it need to be patched? Thanks.

[jkrishmys]

Hi @qinlonglong123. Indeed you are right, thanks. It is tagged under PUBLIC track of Go Security Policy. I am little new to it. If @rolandshoemaker can advice, that will be great.

[rolandshoemaker]

We'll backport this to the next minor releases.

@gopherbot please open backport issues, this is a minor security issue.

[gopherbot]

Backport issue(s) opened: #71422 (for 1.22), #71423 (for 1.23).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.