Cloudflare reported a carry bug in the P-256 implementation that they submitted for x86-64 in 7bacfc640fba4. I can reproduce this via random testing against BoringSSL and, after applying the patch that they provided, can no longer do so, even after ~2^31 iterations.
This issue is not obviously exploitable, although we cannot rule out the possibility of someone managing to squeeze something through this hole. (It would be a cool paper.) Thus this should be treated as something to fix, but not something on fire, based on what we currently know.
Fix will be coming in just a second.
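The "random testing against an independent implementation" described above, as an added Go example that is not code from this thread or from the Go project: a deliberately slow math/big implementation of P-256 affine arithmetic stands in for BoringSSL as the oracle, and seeded random scalars are pushed through both it and crypto/elliptic's optimized ScalarMult, counting disagreements. The function names and the seed are my own choices.

```go
package main
import (
	"crypto/elliptic"
	"math/big"
	"math/rand"
)

var p256 = elliptic.P256().Params() // P-256 parameters; (0,0) stands for O below
// addAffine: textbook chord/tangent addition over math/big, sharing nothing with the optimized code.
func addAffine(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
	if (x1.Sign() == 0 && y1.Sign() == 0) || (x2.Sign() == 0 && y2.Sign() == 0) {
		return new(big.Int).Add(x1, x2), new(big.Int).Add(y1, y2) // O + Q = Q
	}
	num, den := new(big.Int).Sub(y2, y1), new(big.Int).Sub(x2, x1) // chord slope
	if x1.Cmp(x2) == 0 && y1.Cmp(y2) != 0 {
		return new(big.Int), new(big.Int) // P + (-P) = O
	} else if x1.Cmp(x2) == 0 { // doubling: tangent slope (3x^2 + a)/(2y), a = -3
		num.Mul(x1, x1).Mul(num, big.NewInt(3)).Sub(num, big.NewInt(3))
		den.Lsh(y1, 1)
	}
	lambda := num.Mul(num, new(big.Int).ModInverse(den.Mod(den, p256.P), p256.P))
	x3 := new(big.Int).Mul(lambda, lambda)
	x3.Sub(x3, x1).Sub(x3, x2).Mod(x3, p256.P)
	y3 := new(big.Int).Sub(x1, x3)
	y3.Mul(y3, lambda).Sub(y3, y1).Mod(y3, p256.P)
	return x3, y3
}
// scalarMultRef computes k*(x,y) by plain double-and-add over addAffine.
func scalarMultRef(x, y, k *big.Int) (*big.Int, *big.Int) {
	rx, ry := new(big.Int), new(big.Int) // start at O
	for i := k.BitLen() - 1; i >= 0; i-- {
		rx, ry = addAffine(rx, ry, rx, ry)
		if k.Bit(i) == 1 {
			rx, ry = addAffine(rx, ry, x, y)
		}
	}
	return rx, ry
}
// checkRandom feeds n seeded random scalars to crypto/elliptic's optimized P-256
// ScalarMult and to the reference above, returning how many results disagreed (expect 0).
func checkRandom(seed int64, n int) (mismatches int) {
	rng := rand.New(rand.NewSource(seed))
	for i := 0; i < n; i++ {
		k := new(big.Int).Rand(rng, p256.N)
		fx, fy := elliptic.P256().ScalarMult(p256.Gx, p256.Gy, k.Bytes())
		if rx, ry := scalarMultRef(p256.Gx, p256.Gy, k); fx.Cmp(rx) != 0 || fy.Cmp(ry) != 0 {
			mismatches++
		}
	}
	return
}
```

A fixed seed makes any mismatch reproducible; bump n into the millions, or randomize the seed per run, for the kind of long campaign described in the post.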
@agl This sounds like something we should fix in 1.8.2 and 1.9, but it is not necessary to release a new version of 1.6 or 1.7 with a fix. Does that sound right to you?
I'm not very familiar with the convention for what gets backported and how far, but I agree that this is suitable for 1.8.2, certainly should be in 1.9 and it seems reasonable that it's not so important to warrant a respin for older versions, yes.
Reopening for backport.
CL https://golang.org/cl/41070 mentions this issue.
CL https://golang.org/cl/43770 mentions this issue.
CL https://golang.org/cl/43773 mentions this issue.
(This issue is CVE-2017-8932.)
I have a suggestion about the release note.
Maybe we should include a notice that strongly encourages upgrading, especially if net/http (or another package that requires crypto/elliptic) is imported.
As an app developer, I don't use crypto/elliptic in my code.
However, it's a package imported by packages I use.
Almost sure that TLS as implemented by the Go standard library is not really exploitable.
Go ahead and mention static ECDH and JWT though.
The announcement was sent before I read your comment, @FiloSottile, but yes... for those following along, agl's statement in the first post is still true for TLS (as used by net/http).
If you're using the elliptic package directly, such as working with JWTs, then you probably want to update. If you're not, then wait for Go 1.8.3, which should be released tomorrow.
Can someone please summarize what the issue actually means?
What are the odds of the problem appearing on an unpatched version?
How come it slipped through the tests?
Backlinking for reference: https://events.ccc.de/congress/2017/Fahrplan/events/9021.html