author | Filippo Valsorda <filippo@golang.org> | 2019-01-22 16:02:41 -0500 |
---|---|---|
committer | Julie Qiu <julieqiu@google.com> | 2019-01-23 17:28:54 +0000 |
commit | d5f2dc6a5ca30590b121622af8f918d4484d4946 (patch) | |
tree | 750a11205d2eafc04aa2207d4b7fb3713c545fea | |
parent | f5ff72d62301c4e9d0a78167fab5914ca12919bd (diff) | |

[release-branch.go1.10-security] crypto/elliptic: reduce subtraction term to prevent long busy loop

If beta8 is unusually large, the addition loop might take a very long
time to bring x3-beta8 back positive.

This would lead to a DoS vulnerability in the implementation of the
P-521 and P-384 elliptic curves that may let an attacker craft inputs
to ScalarMult that consume excessive amounts of CPU.

This fixes CVE-2019-6486.

Change-Id: Ia969e8b5bf5ac4071a00722de9d5e4d856d8071a
Reviewed-on: https://team-review.git.corp.google.com/c/399777
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit 746d6abe2dfb9ce7609f8e1e1a8dcb7e221f423e)
Reviewed-on: https://team-review.git.corp.google.com/c/401143
Reviewed-by: Filippo Valsorda <valsorda@google.com>

-rw-r--r-- | src/crypto/elliptic/elliptic.go | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go index 35aacf24e5..76b78a790e 100644 --- a/src/crypto/elliptic/elliptic.go +++ b/src/crypto/elliptic/elliptic.go @@ -210,8 +210,9 @@ func (curve *CurveParams) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int, x3 := new(big.Int).Mul(alpha, alpha) beta8 := new(big.Int).Lsh(beta, 3) + beta8.Mod(beta8, curve.P) x3.Sub(x3, beta8) - for x3.Sign() == -1 { + if x3.Sign() == -1 { x3.Add(x3, curve.P) } x3.Mod(x3, curve.P) |
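
Review bot: The single-step `if x3.Sign() == -1` in doubleJacobian is correct only because of an invariant the hunk never states: x3 is the square `alpha*alpha` (non-negative) and beta8 has just been reduced into [0, P), so x3 - beta8 is strictly greater than -P and one addition of curve.P is enough. Please add a short comment above `beta8.Mod(beta8, curve.P)` recording that bound, so a later cleanup does not drop the reduction and leave the subtraction result outside the range the `if` assumes. The diffstat also shows elliptic.go as the only file touched, so nothing guards against a regression; a test that runs ScalarMult on P-384 and P-521 under a time bound would cover the case the commit message describes. Minor: since the next line is `x3.Mod(x3, curve.P)` and big.Int.Mod is a Euclidean modulus that already returns a non-negative result for a positive modulus, the conditional add is redundant once beta8 is reduced; either remove it or note that it is kept to minimise the diff on a security release branch.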