Skip to content

crypto/elliptic: generic P-256 panic when scalar has too many leading zeroes #52075

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
FiloSottile opened this issue Mar 31, 2022 · 7 comments
Closed

crypto/elliptic: generic P-256 panic when scalar has too many leading zeroes #52075

FiloSottile opened this issue Mar 31, 2022 · 7 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone
Go1.19

Comments

@FiloSottile
Copy link
Contributor

Wycheproof tests added in CL 396174 revealed a panic in the generic P-256 ScalarMult and ScalarBaseMult.

The attack requires a crafted scalar, which is not possible to supply via crypto/ecdsa or crypto/tls.
@FiloSottile FiloSottile added Security NeedsFix The path to resolution is known, but the work has not been done. release-blocker labels Mar 31, 2022
@FiloSottile FiloSottile added this to the Go1.19 milestone Mar 31, 2022
@FiloSottile FiloSottile self-assigned this Mar 31, 2022
@FiloSottile
Copy link
Contributor Author

@gopherbot please open backport issues for this security fix.

This was referenced Mar 31, 2022
Closed
Closed
@gopherbot
Copy link
Contributor

Backport issue(s) opened: #52076 (for 1.17), #52077 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@FiloSottile
Copy link
Contributor Author

Note that this would have been avoided by the nistec changes slated for Go 1.19.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/397135 mentions this issue: crypto/elliptic: tolerate zero-padded scalars in generic P-256

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/397137 mentions this issue: [release-branch.go1.18] crypto/elliptic: tolerate zero-padded scalars in generic P-256

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/397136 mentions this issue: [release-branch.go1.17] crypto/elliptic: tolerate zero-padded scalars in generic P-256

@FiloSottile
Copy link
Contributor Author

This is CVE-2022-28327.

@FiloSottile FiloSottile mentioned this issue Apr 6, 2022
Closed
4 tasks
gopherbot pushed a commit that referenced this issue Apr 6, 2022
@FiloSottile @cherrymui
[release-branch.go1.18] crypto/elliptic: tolerate zero-padded scalars…
c9b9a01 
… in generic P-256

Updates #52075
Fixes #52077
Fixes CVE-2022-28327

Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
Reviewed-on: https://go-review.googlesource.com/c/go/+/397137
Trust: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
gopherbot pushed a commit that referenced this issue Apr 6, 2022
@FiloSottile @cherrymui
[release-branch.go1.17] crypto/elliptic: tolerate zero-padded scalars…
7139e8b 
… in generic P-256

Updates #52075
Fixes #52076
Fixes CVE-2022-28327

Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
Reviewed-on: https://go-review.googlesource.com/c/go/+/397136
Trust: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
@emmansun emmansun mentioned this issue Apr 8, 2022
Closed
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
@frezbo
chore: bump go to 1.18.1
9f4f1e8 
Bump go to 1.18.1

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Signed-off-by: Noel Georgi <git@frezbo.dev>
@frezbo frezbo mentioned this issue Apr 13, 2022
Merged
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
@frezbo
chore: bump go to 1.17.9

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
8a38a26 
Bump go to 1.17.9

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Signed-off-by: Noel Georgi <git@frezbo.dev>
@frezbo frezbo mentioned this issue Apr 13, 2022
Merged
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
@frezbo
chore: bump go to 1.17.9
eb93d04 
Bump go to 1.17.9

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Update zlib download url's to use proper ones

Signed-off-by: Noel Georgi <git@frezbo.dev>
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
@frezbo
chore: bump go to 1.17.9
5a97af0 
Bump go to 1.17.9

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Update zlib download url's to use proper ones

Signed-off-by: Noel Georgi <git@frezbo.dev>
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
@frezbo
chore: bump go to 1.18.1
851aa75 
Bump go to 1.18.1

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Also update zlib download url's

Signed-off-by: Noel Georgi <git@frezbo.dev>
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
@frezbo
chore: bump go to 1.18.1
a15cbee 
Bump go to 1.18.1

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Also update zlib download url's

Signed-off-by: Noel Georgi <git@frezbo.dev>
jaxesn pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
@FiloSottile @jaxesn
crypto/elliptic: tolerate zero-padded scalars in generic P-256
9161430 
Fixes golang#52075

Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
Reviewed-on: https://go-review.googlesource.com/c/go/+/397135
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 14, 2022
@FiloSottile @danbudris
crypto/elliptic: tolerate zero-padded scalars in generic P-256
2664205 
Fixes golang#52075

Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
Reviewed-on: https://go-review.googlesource.com/c/go/+/397135
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 5, 2022
@FiloSottile @rcrozean
crypto/elliptic: tolerate zero-padded scalars in generic P-256
192f06f 
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@2664205
Upstream Source Commit: golang@7139e8b

# Original Information

Updates golang#52075
Fixes golang#52076
Fixes CVE-2022-28327

Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
Reviewed-on: https://go-review.googlesource.com/c/go/+/397136
Trust: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
@FiloSottile @rcrozean
crypto/elliptic: tolerate zero-padded scalars in generic P-256
5945853 
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@2664205
Upstream Source Commit: golang@7139e8b

# Original Information

Updates golang#52075
Fixes golang#52076
Fixes CVE-2022-28327

Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
Reviewed-on: https://go-review.googlesource.com/c/go/+/397136
Trust: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
@FiloSottile @rcrozean
crypto/elliptic: tolerate zero-padded scalars in generic P-256
8756eeb 
# AWS EKS
Backported To: go-1.16.15-eks
Backported On: Tue, 04 Oct 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@9161430
Upstream Source Commit: golang@3706584

# Original Information

Fixes golang#52075

Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
Reviewed-on: https://go-review.googlesource.com/c/go/+/397135
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
@golang golang locked and limited conversation to collaborators Jun 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Milestone
Go1.19
Development

No branches or pull requests
2 participants
@FiloSottile @gopherbot