45 lines
1.6 KiB
Diff
45 lines
1.6 KiB
Diff
From 867a07a179ebcb40143c76403f7f232b90812059 Mon Sep 17 00:00:00 2001
|
|
From: Filippo Valsorda <filippo@golang.org>
|
|
Date: Tue, 22 Jan 2019 16:02:41 -0500
|
|
Subject: [PATCH] [release-branch.go1.11-security] crypto/elliptic: reduce
|
|
subtraction term to prevent long busy loop
|
|
|
|
If beta8 is unusually large, the addition loop might take a very long
|
|
time to bring x3-beta8 back positive.
|
|
|
|
This would lead to a DoS vulnerability in the implementation of the
|
|
P-521 and P-384 elliptic curves that may let an attacker craft inputs
|
|
to ScalarMult that consume excessive amounts of CPU.
|
|
|
|
This fixes CVE-2019-6486.
|
|
|
|
Change-Id: Ia969e8b5bf5ac4071a00722de9d5e4d856d8071a
|
|
Reviewed-on: https://team-review.git.corp.google.com/c/399777
|
|
Reviewed-by: Adam Langley <agl@google.com>
|
|
Reviewed-by: Julie Qiu <julieqiu@google.com>
|
|
(cherry picked from commit 746d6abe2dfb9ce7609f8e1e1a8dcb7e221f423e)
|
|
Reviewed-on: https://team-review.git.corp.google.com/c/401142
|
|
Reviewed-by: Filippo Valsorda <valsorda@google.com>
|
|
---
|
|
src/crypto/elliptic/elliptic.go | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
|
|
index 4fc2b5e521..c84657c5e3 100644
|
|
--- a/src/crypto/elliptic/elliptic.go
|
|
+++ b/src/crypto/elliptic/elliptic.go
|
|
@@ -210,8 +210,9 @@ func (curve *CurveParams) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int,
|
|
|
|
x3 := new(big.Int).Mul(alpha, alpha)
|
|
beta8 := new(big.Int).Lsh(beta, 3)
|
|
+ beta8.Mod(beta8, curve.P)
|
|
x3.Sub(x3, beta8)
|
|
- for x3.Sign() == -1 {
|
|
+ if x3.Sign() == -1 {
|
|
x3.Add(x3, curve.P)
|
|
}
|
|
x3.Mod(x3, curve.P)
|
|
--
|
|
2.17.1
|
|
|