mirror of https://github.com/golang/go synced 2024-11-07 18:06:27 -07:00
go/src/crypto
Filippo Valsorda d95ca91380 crypto/elliptic: fix P-224 field reduction
This patch fixes two independent bugs in p224Contract, the function that
performs the final complete reduction in the P-224 field. Incorrect
outputs due to these bugs were observable from a high-level
P224().ScalarMult() call.

The first bug was in the calculation of out3GT. That mask was supposed
to be all ones if the third limb of the value is greater than the third
limb of P (out[3] > 0xffff000). Instead, it was also set if they are
equal. That meant that if the third limb was equal, the value was always
considered greater than or equal to P, even when the three bottom limbs
were all zero. There is exactly one affected value, P - 1, which would
trigger the subtraction by P even if it's lower than P already.

The second bug was more easily hit, and is the one that caused the known
high-level incorrect output: after the conditional subtraction by P, a
potential underflow of the lowest limb was not handled. Any values that
trigger the subtraction by P (values between P and 2^224-1, and P - 1
due to the bug above) but have a zero lowest limb would produce invalid
outputs. Those conditions apply to the intermediate representation
before the subtraction, so they are hard to trace to precise inputs.

This patch also adds a test suite for the P-224 field arithmetic,
including a custom fuzzer that automatically explores potential edge
cases by combining limb values that have various meanings in the code.
contractMatchesBigInt in TestP224Contract finds the second bug in less
than a second without being tailored to it, and could eventually find
the first one too by combining 0, (1 << 28) - 1, and the difference of
(1 << 28) and (1 << 12).

The incorrect P224().ScalarMult() output was found by the
elliptic-curve-differential-fuzzer project running on OSS-Fuzz and
reported by Philippe Antoine (Catena cyber).

Fixes CVE-2021-3114
Fixes #43786

Change-Id: I50176602d544de3da854270d66a293bcaca57ad7
Reviewed-on: https://go-review.googlesource.com/c/go/+/284779
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Ian Lance Taylor <iant@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
2021-01-21 18:52:19 +00:00
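The two defects the commit describes, modelled on the eight-limb, 28-bit representation with math/big as the reference. This is an added illustration, not the standard library's p224Contract: contract, toLimbs, fromLimbs and the fixGT/fixBorrow switches are this example's own names, and it uses branches where the real function is branch-free.

```go
package main

import "math/big"

const limbMask = 1<<28 - 1 // limbs are 28 bits wide, stored least significant first
// p = 2^224 - 2^96 + 1 in that representation (bit 96 is bit 12 of limb 3).
var pLimbs = [8]uint32{1, 0, 0, 0xffff000, 0xfffffff, 0xfffffff, 0xfffffff, 0xfffffff}
var p224 = fromLimbs(pLimbs)

func toLimbs(v *big.Int) (out [8]uint32) {
	t, m := new(big.Int).Set(v), big.NewInt(limbMask)
	for i := range out {
		out[i] = uint32(new(big.Int).And(t, m).Uint64())
		t.Rsh(t, 28)
	}
	return out
}

func fromLimbs(l [8]uint32) *big.Int {
	v := new(big.Int)
	for i := 7; i >= 0; i-- {
		v.Lsh(v, 28).Or(v, big.NewInt(int64(l[i])))
	}
	return v
}

// contract reduces v (0 <= v < 2^224) into [0, p). fixGT=false models the first
// bug (out3GT also set on equality) and fixBorrow=false the second (limb 0
// underflow not propagated). Branches are used for clarity; the real code is branch-free.
func contract(v *big.Int, fixGT, fixBorrow bool) *big.Int {
	out := toLimbs(v)
	top4AllOnes := out[4]&out[5]&out[6]&out[7] == limbMask
	out3GT := out[3] > 0xffff000
	if !fixGT {
		out3GT = out[3] >= 0xffff000 // equality wrongly included, so p-1 is treated as >= p
	}
	if !(top4AllOnes && (out3GT || out[3] == 0xffff000 && out[0]|out[1]|out[2] != 0)) {
		return fromLimbs(out) // already below p, nothing to subtract
	}
	var borrow int64
	for i := range out { // subtract p limb by limb
		d := int64(out[i]) - int64(pLimbs[i]) - borrow
		borrow = (d >> 63) & 1          // 1 if this limb underflowed
		out[i] = uint32(d + borrow<<28) // wrap it back into 28 bits
		if i == 0 && !fixBorrow {
			borrow = 0 // the lowest limb's underflow is silently dropped
		}
	}
	return fromLimbs(out)
}
```

With fixGT=false the single affected value p-1 comes out as 2^224-1, and with fixBorrow=false the value p+2^28-1 (whose lowest limb is zero) comes out as 2^29-1 instead of 2^28-1.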
aes
cipher crypto/cipher: use Neon for xor on arm64 2020-11-07 03:19:27 +00:00
des
dsa crypto/dsa,crypto/x509: deprecate DSA and remove crypto/x509 support 2020-10-02 10:48:33 +00:00
ecdsa crypto/ecdsa: use FillBytes on s390x 2020-09-30 15:32:53 +00:00
ed25519 crypto/ed25519/internal/edwards25519: fix typo in comments 2020-12-02 20:17:57 +00:00
elliptic crypto/elliptic: fix P-224 field reduction 2021-01-21 18:52:19 +00:00
hmac crypto/hmac: panic if reusing hash.Hash values 2020-10-19 15:00:02 +00:00
internal
md5 all: update to use os.ReadFile, os.WriteFile, os.CreateTemp, os.MkdirTemp 2020-12-09 19:12:23 +00:00
rand syscall: remove RtlGenRandom and move it into internal/syscall 2021-01-15 18:42:27 +00:00
rc4
rsa
sha1
sha256
sha512
subtle
tls crypto/tls: revert "add HandshakeContext method to Conn" 2020-12-17 20:04:25 +00:00
x509 crypto/x509: update iOS bundled roots to version 55188.40.9 2021-01-15 15:33:02 +00:00
crypto.go
issue21104_test.go