author | Filippo Valsorda <filippo@golang.org> | 2022-03-31 12:31:58 -0400 |
---|---|---|
committer | Cherry Mui <cherryyz@google.com> | 2022-04-06 16:36:21 +0000 |
commit | 7139e8b024604ab168b51b99c6e8168257a5bf58 (patch) | |
tree | e0cf09617bacb64b0a1ae2e014a29fe8f4d3c1bb | |
parent | eb75219438e3c3d8947373c1f27c3ac4abf7ee8b (diff) | |
[release-branch.go1.17] crypto/elliptic: tolerate zero-padded scalars in generic P-256
Updates #52075
Fixes #52076
Fixes CVE-2022-28327
Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
Reviewed-on: https://go-review.googlesource.com/c/go/+/397136
Trust: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
-rw-r--r-- | src/crypto/elliptic/p256.go | 2 | ||||
-rw-r--r-- | src/crypto/elliptic/p256_test.go | 14 |
2 files changed, 15 insertions, 1 deletions
diff --git a/src/crypto/elliptic/p256.go b/src/crypto/elliptic/p256.go
index b2b12c8f13..da5283735c 100644
--- a/src/crypto/elliptic/p256.go
+++ b/src/crypto/elliptic/p256.go
@@ -52,7 +52,7 @@
 func p256GetScalar(out *[32]byte, in []byte) {
 n := new(big.Int).SetBytes(in)
 var scalarBytes []byte
- if n.Cmp(p256Params.N) >= 0 {
+ if n.Cmp(p256Params.N) >= 0 || len(in) > len(out) {
 n.Mod(n, p256Params.N)
 scalarBytes = n.Bytes()
 } else {
diff --git a/src/crypto/elliptic/p256_test.go b/src/crypto/elliptic/p256_test.go
index 1435f5e1a5..694186df81 100644
--- a/src/crypto/elliptic/p256_test.go
+++ b/src/crypto/elliptic/p256_test.go
@@ -153,3 +153,17 @@ func TestP256CombinedMult(t *testing.T) {
 t.Errorf("1×G + (-1)×G = (%d, %d), should be ∞", x, y)
 }
 }
+
+func TestIssue52075(t *testing.T) {
+ Gx, Gy := P256().Params().Gx, P256().Params().Gy
+ scalar := make([]byte, 33)
+ scalar[32] = 1
+ x, y := P256().ScalarBaseMult(scalar)
+ if x.Cmp(Gx) != 0 || y.Cmp(Gy) != 0 {
+ t.Errorf("unexpected output (%v,%v)", x, y)
+ }
+ x, y = P256().ScalarMult(Gx, Gy, scalar)
+ if x.Cmp(Gx) != 0 || y.Cmp(Gy) != 0 {
+ t.Errorf("unexpected output (%v,%v)", x, y)
+ }
+}
|
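Review bot: The added `len(in) > len(out)` clause in p256GetScalar has no comment, and its purpose is not evident from the condition alone. It sends over-long inputs through `n.Mod` even when their value is already below N, apparently so that `n.Bytes()` drops the leading zero bytes before the result is written into the 32-byte `out`. I would add `// Also reduce over-long inputs: n.Bytes() drops leading zeros, so the result fits in out.` directly above the `if`. The function's doc comment and the `else` branch lie outside the hunk, so confirm that the doc comment still describes when reduction happens and that nothing later indexes by `len(in)`.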
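Review bot: TestIssue52075 pins a single input, the value 1 with one extra leading zero byte, so a regression for longer padding or for an over-long scalar whose value is N or larger would pass unnoticed. A small table of scalars (for example 33 and 64 bytes, encoding 1 and N+1, all expected to yield G) would cover both sides of the new clause. Both failure messages are the identical `unexpected output (%v,%v)`, so a failure does not say which call broke; prefix them, e.g. `t.Errorf("ScalarBaseMult: unexpected output (%v,%v)", x, y)` and `t.Errorf("ScalarMult: unexpected output (%v,%v)", x, y)`. If `P256()` returns an assembly-backed curve on some architectures, this test would not reach the generic p256GetScalar there, which deserves a short comment on the test.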