golang/0007-release-branch.go1.19-crypto-internal-nistec-reduce-.patch

From 639b67ed114151c0d786aa26e7faeab942400703 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Mon, 13 Feb 2023 15:16:27 +0100
Subject: [PATCH] [release-branch.go1.19] crypto/internal/nistec: reduce P-256
 scalar

Unlike the rest of nistec, the P-256 assembly doesn't use complete
addition formulas, meaning that p256PointAdd[Affine]Asm won't return the
correct value if the two inputs are equal.

This was (undocumentedly) ignored in the scalar multiplication loops
because as long as the input point is not the identity and the scalar is
lower than the order of the group, the addition inputs can't be the same.

As part of the math/big rewrite, we went however from always reducing
the scalar to only checking its length, under the incorrect assumption
that the scalar multiplication loop didn't require reduction.

Added a reduction, and while at it added it in P256OrdInverse, too, to
enforce a universal reduction invariant on p256OrdElement values.

Note that if the input point is the infinity, the code currently still
relies on undefined behavior, but that's easily tested to behave
acceptably, and will be addressed in a future CL.

Updates #58647
Fixes #58719
Fixes CVE-2023-24532

(Filed with the "safe APIs like complete addition formulas are good" dept.)

Change-Id: I7b2c75238440e6852be2710fad66ff1fdc4e2b24
Reviewed-on: https://go-review.googlesource.com/c/go/+/471255
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 203e59ad41bd288e1d92b6f617c2f55e70d3c8e3)
Reviewed-on: https://go-review.googlesource.com/c/go/+/471696
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
---
 src/crypto/internal/nistec/nistec_test.go     | 81 +++++++++++++++++++
 src/crypto/internal/nistec/p256_asm.go        | 17 ++++
 src/crypto/internal/nistec/p256_asm_ordinv.go |  1 +
 3 files changed, 99 insertions(+)

diff --git a/src/crypto/internal/nistec/nistec_test.go b/src/crypto/internal/nistec/nistec_test.go
index 1903f19af3..1cedebc8ac 100644
--- a/src/crypto/internal/nistec/nistec_test.go
+++ b/src/crypto/internal/nistec/nistec_test.go
@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"crypto/elliptic"
 	"crypto/internal/nistec"
+	"fmt"
 	"math/big"
 	"math/rand"
 	"os"
@@ -166,6 +167,86 @@ func testEquivalents[P nistPoint[P]](t *testing.T, newPoint, newGenerator func()
 	}
 }
 
+func TestScalarMult(t *testing.T) {
+	t.Run("P224", func(t *testing.T) {
+		testScalarMult(t, nistec.NewP224Point, nistec.NewP224Generator, elliptic.P224())
+	})
+	t.Run("P256", func(t *testing.T) {
+		testScalarMult(t, nistec.NewP256Point, nistec.NewP256Generator, elliptic.P256())
+	})
+	t.Run("P384", func(t *testing.T) {
+		testScalarMult(t, nistec.NewP384Point, nistec.NewP384Generator, elliptic.P384())
+	})
+	t.Run("P521", func(t *testing.T) {
+		testScalarMult(t, nistec.NewP521Point, nistec.NewP521Generator, elliptic.P521())
+	})
+}
+
+func testScalarMult[P nistPoint[P]](t *testing.T, newPoint func() P, newGenerator func() P, c elliptic.Curve) {
+	G := newGenerator()
+	checkScalar := func(t *testing.T, scalar []byte) {
+		p1, err := newPoint().ScalarBaseMult(scalar)
+		fatalIfErr(t, err)
+		p2, err := newPoint().ScalarMult(G, scalar)
+		fatalIfErr(t, err)
+		if !bytes.Equal(p1.Bytes(), p2.Bytes()) {
+			t.Error("[k]G != ScalarBaseMult(k)")
+		}
+
+		d := new(big.Int).SetBytes(scalar)
+		d.Sub(c.Params().N, d)
+		d.Mod(d, c.Params().N)
+		g1, err := newPoint().ScalarBaseMult(d.FillBytes(make([]byte, len(scalar))))
+		fatalIfErr(t, err)
+		g1.Add(g1, p1)
+		if !bytes.Equal(g1.Bytes(), newPoint().Bytes()) {
+			t.Error("[N - k]G + [k]G != ∞")
+		}
+	}
+
+	byteLen := len(c.Params().N.Bytes())
+	bitLen := c.Params().N.BitLen()
+	t.Run("0", func(t *testing.T) { checkScalar(t, make([]byte, byteLen)) })
+	t.Run("1", func(t *testing.T) {
+		checkScalar(t, big.NewInt(1).FillBytes(make([]byte, byteLen)))
+	})
+	t.Run("N-1", func(t *testing.T) {
+		checkScalar(t, new(big.Int).Sub(c.Params().N, big.NewInt(1)).Bytes())
+	})
+	t.Run("N", func(t *testing.T) { checkScalar(t, c.Params().N.Bytes()) })
+	t.Run("N+1", func(t *testing.T) {
+		checkScalar(t, new(big.Int).Add(c.Params().N, big.NewInt(1)).Bytes())
+	})
+	t.Run("all1s", func(t *testing.T) {
+		s := new(big.Int).Lsh(big.NewInt(1), uint(bitLen))
+		s.Sub(s, big.NewInt(1))
+		checkScalar(t, s.Bytes())
+	})
+	if testing.Short() {
+		return
+	}
+	for i := 0; i < bitLen; i++ {
+		t.Run(fmt.Sprintf("1<<%d", i), func(t *testing.T) {
+			s := new(big.Int).Lsh(big.NewInt(1), uint(i))
+			checkScalar(t, s.FillBytes(make([]byte, byteLen)))
+		})
+	}
+	// Test N+1...N+32 since they risk overlapping with precomputed table values
+	// in the final additions.
+	for i := int64(2); i <= 32; i++ {
+		t.Run(fmt.Sprintf("N+%d", i), func(t *testing.T) {
+			checkScalar(t, new(big.Int).Add(c.Params().N, big.NewInt(i)).Bytes())
+		})
+	}
+}
+
+func fatalIfErr(t *testing.T, err error) {
+	t.Helper()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 func BenchmarkScalarMult(b *testing.B) {
 	b.Run("P224", func(b *testing.B) {
 		benchmarkScalarMult(b, nistec.NewP224Generator(), 28)
diff --git a/src/crypto/internal/nistec/p256_asm.go b/src/crypto/internal/nistec/p256_asm.go
index bc443ba323..14713b0406 100644
--- a/src/crypto/internal/nistec/p256_asm.go
+++ b/src/crypto/internal/nistec/p256_asm.go
@@ -365,6 +365,21 @@ func p256PointDoubleAsm(res, in *P256Point)
 // Montgomery domain (with R 2²⁵⁶) as four uint64 limbs in little-endian order.
 type p256OrdElement [4]uint64
 
+// p256OrdReduce ensures s is in the range [0, ord(G)-1].
+func p256OrdReduce(s *p256OrdElement) {
+	// Since 2 * ord(G) > 2²⁵⁶, we can just conditionally subtract ord(G),
+	// keeping the result if it doesn't underflow.
+	t0, b := bits.Sub64(s[0], 0xf3b9cac2fc632551, 0)
+	t1, b := bits.Sub64(s[1], 0xbce6faada7179e84, b)
+	t2, b := bits.Sub64(s[2], 0xffffffffffffffff, b)
+	t3, b := bits.Sub64(s[3], 0xffffffff00000000, b)
+	tMask := b - 1 // zero if subtraction underflowed
+	s[0] ^= (t0 ^ s[0]) & tMask
+	s[1] ^= (t1 ^ s[1]) & tMask
+	s[2] ^= (t2 ^ s[2]) & tMask
+	s[3] ^= (t3 ^ s[3]) & tMask
+}
+
 // Add sets q = p1 + p2, and returns q. The points may overlap.
 func (q *P256Point) Add(r1, r2 *P256Point) *P256Point {
 	var sum, double P256Point
@@ -394,6 +409,7 @@ func (r *P256Point) ScalarBaseMult(scalar []byte) (*P256Point, error) {
 	}
 	scalarReversed := new(p256OrdElement)
 	p256OrdBigToLittle(scalarReversed, (*[32]byte)(scalar))
+	p256OrdReduce(scalarReversed)
 
 	r.p256BaseMult(scalarReversed)
 	return r, nil
@@ -408,6 +424,7 @@ func (r *P256Point) ScalarMult(q *P256Point, scalar []byte) (*P256Point, error)
 	}
 	scalarReversed := new(p256OrdElement)
 	p256OrdBigToLittle(scalarReversed, (*[32]byte)(scalar))
+	p256OrdReduce(scalarReversed)
 
 	r.Set(q).p256ScalarMult(scalarReversed)
 	return r, nil
diff --git a/src/crypto/internal/nistec/p256_asm_ordinv.go b/src/crypto/internal/nistec/p256_asm_ordinv.go
index 86a7a230bd..1274fb7fd3 100644
--- a/src/crypto/internal/nistec/p256_asm_ordinv.go
+++ b/src/crypto/internal/nistec/p256_asm_ordinv.go
@@ -25,6 +25,7 @@ func P256OrdInverse(k []byte) ([]byte, error) {
 
 	x := new(p256OrdElement)
 	p256OrdBigToLittle(x, (*[32]byte)(k))
+	p256OrdReduce(x)
 
 	// Inversion is implemented as exponentiation by n - 2, per Fermat's little theorem.
 	//
-- 
2.37.1
[Backport] fix some CVE CVE num upstream commit openEuler patch CVE-2023-29400 9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5 0016-release-branch.go1.19-html-template-emit-filterFails.patch CVE-2023-24540 ce7bd33345416e6d8cac901792060591cafc2797 0015-release-branch.go1.19-html-template-handle-all-JS-wh.patch CVE-2023-24539 e49282327b05192e46086bf25fd3ac691205fe80 0014-release-branch.go1.19-html-template-disallow-angle-b.patch CVE-2023-24538 b1e3ecfa06b67014429a197ec5e134ce4303ad9b 0013-release-branch.go1.19-html-template-disallow-actions.patch CVE-2023-24537 126a1d02da82f93ede7ce0bd8d3c51ef627f2104 0012-release-branch.go1.19-go-scanner-reject-large-line-a.patch CVE-2023-24536 7917b5f31204528ea72e0629f0b7d52b35b27538 0011-release-branch.go1.19-mime-multipart-limit-parsed-mi.patch CVE-2023-24536 7a359a651c7ebdb29e0a1c03102fce793e9f58f0 0010-release-branch.go1.19-net-textproto-mime-multipart-i.patch CVE-2023-24536 ef41a4e2face45e580c5836eaebd51629fc23f15 0009-release-branch.go1.19-mime-multipart-avoid-excessive.patch CVE-2023-24534 d6759e7a059f4208f07aa781402841d7ddaaef96 0008-release-branch.go1.19-net-textproto-avoid-overpredic.patch CVE-2023-24532 639b67ed114151c0d786aa26e7faeab942400703 0007-release-branch.go1.19-crypto-internal-nistec-reduce-.patch CVE-2022-41723 5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3 0006-release-branch.go1.19-net-http-update-bundled-golang.patch CVE-2022-41724 00b256e9e3c0fa02a278ec9dfc3e191e02ceaf80 0005-release-branch.go1.19-crypto-tls-replace-all-usages-.patch CVE-2022-41725 5c55ac9bf1e5f779220294c843526536605f42ab 0004-release-branch.go1.19-mime-multipart-limit-memory-in.patch CVE-2022-41722 3345ddca41f00f9ed6fc3c1a36f6e2bede02d7ff 0003-release-branch.go1.19-path-filepath-do-not-Clean-a-..patch Signed-off-by: zhangzhihui <zhangzhihui@xfusion.com> 2023-05-10 15:59:54 +08:00			`From 639b67ed114151c0d786aa26e7faeab942400703 Mon Sep 17 00:00:00 2001`
			`From: Filippo Valsorda <filippo@golang.org>`
			`Date: Mon, 13 Feb 2023 15:16:27 +0100`
			`Subject: [PATCH] [release-branch.go1.19] crypto/internal/nistec: reduce P-256`
			`scalar`

			`Unlike the rest of nistec, the P-256 assembly doesn't use complete`
			`addition formulas, meaning that p256PointAdd[Affine]Asm won't return the`
			`correct value if the two inputs are equal.`

			`This was (undocumentedly) ignored in the scalar multiplication loops`
			`because as long as the input point is not the identity and the scalar is`
			`lower than the order of the group, the addition inputs can't be the same.`

			`As part of the math/big rewrite, we went however from always reducing`
			`the scalar to only checking its length, under the incorrect assumption`
			`that the scalar multiplication loop didn't require reduction.`

			`Added a reduction, and while at it added it in P256OrdInverse, too, to`
			`enforce a universal reduction invariant on p256OrdElement values.`

			`Note that if the input point is the infinity, the code currently still`
			`relies on undefined behavior, but that's easily tested to behave`
			`acceptably, and will be addressed in a future CL.`

			`Updates #58647`
			`Fixes #58719`
			`Fixes CVE-2023-24532`

			`(Filed with the "safe APIs like complete addition formulas are good" dept.)`

			`Change-Id: I7b2c75238440e6852be2710fad66ff1fdc4e2b24`
			`Reviewed-on: https://go-review.googlesource.com/c/go/+/471255`
			`TryBot-Result: Gopher Robot <gobot@golang.org>`
			`Reviewed-by: Roland Shoemaker <roland@golang.org>`
			`Run-TryBot: Filippo Valsorda <filippo@golang.org>`
			`Auto-Submit: Filippo Valsorda <filippo@golang.org>`
			`Reviewed-by: Damien Neil <dneil@google.com>`
			`(cherry picked from commit 203e59ad41bd288e1d92b6f617c2f55e70d3c8e3)`
			`Reviewed-on: https://go-review.googlesource.com/c/go/+/471696`
			`Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>`
			`Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>`
			`Run-TryBot: Roland Shoemaker <roland@golang.org>`
			`Reviewed-by: Filippo Valsorda <filippo@golang.org>`
			`---`
			`src/crypto/internal/nistec/nistec_test.go \| 81 +++++++++++++++++++`
			`src/crypto/internal/nistec/p256_asm.go \| 17 ++++`
			`src/crypto/internal/nistec/p256_asm_ordinv.go \| 1 +`
			`3 files changed, 99 insertions(+)`

			`diff --git a/src/crypto/internal/nistec/nistec_test.go b/src/crypto/internal/nistec/nistec_test.go`
			`index 1903f19af3..1cedebc8ac 100644`
			`--- a/src/crypto/internal/nistec/nistec_test.go`
			`+++ b/src/crypto/internal/nistec/nistec_test.go`
			`@@ -8,6 +8,7 @@ import (`
			`"bytes"`
			`"crypto/elliptic"`
			`"crypto/internal/nistec"`
			`+ "fmt"`
			`"math/big"`
			`"math/rand"`
			`"os"`
			`@@ -166,6 +167,86 @@ func testEquivalents[P nistPoint[P]](t *testing.T, newPoint, newGenerator func()`
			`}`
			`}`

			`+func TestScalarMult(t *testing.T) {`
			`+ t.Run("P224", func(t *testing.T) {`
			`+ testScalarMult(t, nistec.NewP224Point, nistec.NewP224Generator, elliptic.P224())`
			`+ })`
			`+ t.Run("P256", func(t *testing.T) {`
			`+ testScalarMult(t, nistec.NewP256Point, nistec.NewP256Generator, elliptic.P256())`
			`+ })`
			`+ t.Run("P384", func(t *testing.T) {`
			`+ testScalarMult(t, nistec.NewP384Point, nistec.NewP384Generator, elliptic.P384())`
			`+ })`
			`+ t.Run("P521", func(t *testing.T) {`
			`+ testScalarMult(t, nistec.NewP521Point, nistec.NewP521Generator, elliptic.P521())`
			`+ })`
			`+}`
			`+`
			`+func testScalarMult[P nistPoint[P]](t *testing.T, newPoint func() P, newGenerator func() P, c elliptic.Curve) {`
			`+ G := newGenerator()`
			`+ checkScalar := func(t *testing.T, scalar []byte) {`
			`+ p1, err := newPoint().ScalarBaseMult(scalar)`
			`+ fatalIfErr(t, err)`
			`+ p2, err := newPoint().ScalarMult(G, scalar)`
			`+ fatalIfErr(t, err)`
			`+ if !bytes.Equal(p1.Bytes(), p2.Bytes()) {`
			`+ t.Error("[k]G != ScalarBaseMult(k)")`
			`+ }`
			`+`
			`+ d := new(big.Int).SetBytes(scalar)`
			`+ d.Sub(c.Params().N, d)`
			`+ d.Mod(d, c.Params().N)`
			`+ g1, err := newPoint().ScalarBaseMult(d.FillBytes(make([]byte, len(scalar))))`
			`+ fatalIfErr(t, err)`
			`+ g1.Add(g1, p1)`
			`+ if !bytes.Equal(g1.Bytes(), newPoint().Bytes()) {`
			`+ t.Error("[N - k]G + [k]G != ∞")`
			`+ }`
			`+ }`
			`+`
			`+ byteLen := len(c.Params().N.Bytes())`
			`+ bitLen := c.Params().N.BitLen()`
			`+ t.Run("0", func(t *testing.T) { checkScalar(t, make([]byte, byteLen)) })`
			`+ t.Run("1", func(t *testing.T) {`
			`+ checkScalar(t, big.NewInt(1).FillBytes(make([]byte, byteLen)))`
			`+ })`
			`+ t.Run("N-1", func(t *testing.T) {`
			`+ checkScalar(t, new(big.Int).Sub(c.Params().N, big.NewInt(1)).Bytes())`
			`+ })`
			`+ t.Run("N", func(t *testing.T) { checkScalar(t, c.Params().N.Bytes()) })`
			`+ t.Run("N+1", func(t *testing.T) {`
			`+ checkScalar(t, new(big.Int).Add(c.Params().N, big.NewInt(1)).Bytes())`
			`+ })`
			`+ t.Run("all1s", func(t *testing.T) {`
			`+ s := new(big.Int).Lsh(big.NewInt(1), uint(bitLen))`
			`+ s.Sub(s, big.NewInt(1))`
			`+ checkScalar(t, s.Bytes())`
			`+ })`
			`+ if testing.Short() {`
			`+ return`
			`+ }`
			`+ for i := 0; i < bitLen; i++ {`
			`+ t.Run(fmt.Sprintf("1<<%d", i), func(t *testing.T) {`
			`+ s := new(big.Int).Lsh(big.NewInt(1), uint(i))`
			`+ checkScalar(t, s.FillBytes(make([]byte, byteLen)))`
			`+ })`
			`+ }`
			`+ // Test N+1...N+32 since they risk overlapping with precomputed table values`
			`+ // in the final additions.`
			`+ for i := int64(2); i <= 32; i++ {`
			`+ t.Run(fmt.Sprintf("N+%d", i), func(t *testing.T) {`
			`+ checkScalar(t, new(big.Int).Add(c.Params().N, big.NewInt(i)).Bytes())`
			`+ })`
			`+ }`
			`+}`
			`+`
			`+func fatalIfErr(t *testing.T, err error) {`
			`+ t.Helper()`
			`+ if err != nil {`
			`+ t.Fatal(err)`
			`+ }`
			`+}`
			`+`
			`func BenchmarkScalarMult(b *testing.B) {`
			`b.Run("P224", func(b *testing.B) {`
			`benchmarkScalarMult(b, nistec.NewP224Generator(), 28)`
			`diff --git a/src/crypto/internal/nistec/p256_asm.go b/src/crypto/internal/nistec/p256_asm.go`
			`index bc443ba323..14713b0406 100644`
			`--- a/src/crypto/internal/nistec/p256_asm.go`
			`+++ b/src/crypto/internal/nistec/p256_asm.go`
			`@@ -365,6 +365,21 @@ func p256PointDoubleAsm(res, in *P256Point)`
			`// Montgomery domain (with R 2²⁵⁶) as four uint64 limbs in little-endian order.`
			`type p256OrdElement [4]uint64`

			`+// p256OrdReduce ensures s is in the range [0, ord(G)-1].`
			`+func p256OrdReduce(s *p256OrdElement) {`
			`+ // Since 2 * ord(G) > 2²⁵⁶, we can just conditionally subtract ord(G),`
			`+ // keeping the result if it doesn't underflow.`
			`+ t0, b := bits.Sub64(s[0], 0xf3b9cac2fc632551, 0)`
			`+ t1, b := bits.Sub64(s[1], 0xbce6faada7179e84, b)`
			`+ t2, b := bits.Sub64(s[2], 0xffffffffffffffff, b)`
			`+ t3, b := bits.Sub64(s[3], 0xffffffff00000000, b)`
			`+ tMask := b - 1 // zero if subtraction underflowed`
			`+ s[0] ^= (t0 ^ s[0]) & tMask`
			`+ s[1] ^= (t1 ^ s[1]) & tMask`
			`+ s[2] ^= (t2 ^ s[2]) & tMask`
			`+ s[3] ^= (t3 ^ s[3]) & tMask`
			`+}`
			`+`
			`// Add sets q = p1 + p2, and returns q. The points may overlap.`
			`func (q P256Point) Add(r1, r2 P256Point) *P256Point {`
			`var sum, double P256Point`
			`@@ -394,6 +409,7 @@ func (r P256Point) ScalarBaseMult(scalar []byte) (P256Point, error) {`
			`}`
			`scalarReversed := new(p256OrdElement)`
			`p256OrdBigToLittle(scalarReversed, (*[32]byte)(scalar))`
			`+ p256OrdReduce(scalarReversed)`

			`r.p256BaseMult(scalarReversed)`
			`return r, nil`
			`@@ -408,6 +424,7 @@ func (r P256Point) ScalarMult(q P256Point, scalar []byte) (*P256Point, error)`
			`}`
			`scalarReversed := new(p256OrdElement)`
			`p256OrdBigToLittle(scalarReversed, (*[32]byte)(scalar))`
			`+ p256OrdReduce(scalarReversed)`

			`r.Set(q).p256ScalarMult(scalarReversed)`
			`return r, nil`
			`diff --git a/src/crypto/internal/nistec/p256_asm_ordinv.go b/src/crypto/internal/nistec/p256_asm_ordinv.go`
			`index 86a7a230bd..1274fb7fd3 100644`
			`--- a/src/crypto/internal/nistec/p256_asm_ordinv.go`
			`+++ b/src/crypto/internal/nistec/p256_asm_ordinv.go`
			`@@ -25,6 +25,7 @@ func P256OrdInverse(k []byte) ([]byte, error) {`

			`x := new(p256OrdElement)`
			`p256OrdBigToLittle(x, (*[32]byte)(k))`
			`+ p256OrdReduce(x)`

			`// Inversion is implemented as exponentiation by n - 2, per Fermat's little theorem.`
			`//`
			`--`
			`2.37.1`