crypto/elliptic: specific unreduced P-256 scalars produce incorrect results (CVE-2023-24532)
rolandshoemaker opened this issue · 8 comments
In particular (in pseudocode)
x = 48439561293906451759052585252797914202762949526041747995844080717082404635286
y = 36134250956749795798585127919587881956611106672985015071877198253568414405109
P256().ScalarMult(x, y, 30) != P256().ScalarMult(x, y, N + 30)
Thanks to Guido Vranken for reporting this issue via the Ethereum Foundation bug
bounty program.
This is CVE-2023-24532 and Go issue https://go.dev/issue/58647 (this one).
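As an added regression check (not code from this thread or from the Go project), the invariant the report describes can be tested directly: because N is the order of the P-256 group, ScalarMult(P, k) and ScalarMult(P, k + N) must return the same point for every k. The program below uses the coordinates quoted in the report, which are the P-256 generator, and passes k + N as a full 32-byte scalar so that it reaches the curve implementation unreduced, exactly the case the fix in CL 471255 covers. Function names are my own; on a Go release without the fix the check reports false for this input.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// Point coordinates quoted in the issue report (decimal). They are the
// P-256 base point, which reportedPointIsGenerator confirms below.
var (
	issueX, _ = new(big.Int).SetString("48439561293906451759052585252797914202762949526041747995844080717082404635286", 10)
	issueY, _ = new(big.Int).SetString("36134250956749795798585127919587881956611106672985015071877198253568414405109", 10)
)

// reportedPointIsGenerator reports whether the coordinates from the issue
// equal the curve's generator (Gx, Gy).
func reportedPointIsGenerator() bool {
	p := elliptic.P256().Params()
	return issueX.Cmp(p.Gx) == 0 && issueY.Cmp(p.Gy) == 0
}

// scalarMultAgrees reports whether ScalarMult yields the same point for k
// and for k + N. The k + N scalar is encoded as a full-width byte string so
// that crypto/elliptic does not reduce it before handing it to the curve
// implementation; that is the unreduced-scalar path the CVE is about.
func scalarMultAgrees(curve elliptic.Curve, x, y, k *big.Int) (bool, error) {
	if !curve.IsOnCurve(x, y) {
		return false, fmt.Errorf("point is not on %s", curve.Params().Name)
	}
	n := curve.Params().N
	byteLen := (n.BitLen() + 7) / 8

	reduced := new(big.Int).Mod(k, n)
	unreduced := new(big.Int).Add(reduced, n)
	if unreduced.BitLen() > byteLen*8 {
		// k + N no longer fits the fixed width; crypto/elliptic would reduce
		// it itself, so this input does not exercise the unreduced path.
		return false, fmt.Errorf("k + N does not fit in %d bytes", byteLen)
	}
	unreducedBytes := unreduced.FillBytes(make([]byte, byteLen))

	x1, y1 := curve.ScalarMult(x, y, reduced.Bytes())
	x2, y2 := curve.ScalarMult(x, y, unreducedBytes)
	return x1.Cmp(x2) == 0 && y1.Cmp(y2) == 0, nil
}

func main() {
	curve := elliptic.P256()
	fmt.Println("reported point is the P-256 generator:", reportedPointIsGenerator())
	for _, k := range []int64{1, 2, 30, 255, 65537} {
		ok, err := scalarMultAgrees(curve, issueX, issueY, big.NewInt(k))
		if err != nil {
			fmt.Println("k =", k, "error:", err)
			continue
		}
		fmt.Printf("k = %d: ScalarMult(k) == ScalarMult(k+N): %v\n", k, ok)
	}
}
```

Run with `go run .`; a patched toolchain (Go 1.19.7 / 1.20.2 or later) prints true for every k, which is the property a caller of crypto/elliptic should be able to rely on when scalars are not pre-reduced.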
We agreed with @rolandshoemaker that this can be fixed as PUBLIC since it only affects niche configurations, namely very specific direct uses of crypto/elliptic. We found no real world protocol that could be attacked due to this.
Change https://go.dev/cl/471256 mentions this issue: crypto/internal/nistec: refactor scalar multiplication
Change https://go.dev/cl/471255 mentions this issue: crypto/internal/nistec: reduce P-256 scalar
@gopherbot please backport. CL 471255 is a security fix.
/cc @golang/security and @golang/release
Backport issue(s) opened: #58719 (for 1.19), #58720 (for 1.20).
Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.
Change https://go.dev/cl/471695 mentions this issue: [release-branch.go1.20] crypto/internal/nistec: reduce P-256 scalar
Change https://go.dev/cl/471696 mentions this issue: [release-branch.go1.19] crypto/internal/nistec: reduce P-256 scalar
@FiloSottile FYI https://go.dev/cl/471256 caused a minor regression in one benchmark: https://perf.golang.org/dashboard/?benchmark=GenerateKeyP256-8&unit=sec/op#commit778627f33187d874440ce1f353bb4d7bce55304a
Given this is minor, part of a CVE fix, and presumably in a crypto microbenchmark, I don't think this matters much, just raising it in case you care.
The benchmark is https://github.com/ethereum/go-ethereum/blob/v1.10.9/crypto/ecies/ecies_test.go#L166.