commit | 193c16a3648b8670a762e925b6ac6e074f468a20 | [log] [tgz] |
---|---|---|
author | Filippo Valsorda <filippo@golang.org> | Tue Jan 22 16:02:41 2019 -0500 |
committer | Filippo Valsorda <filippo@golang.org> | Wed Jan 23 22:01:56 2019 +0000 |
tree | 3a37276359c683e8270394e562b281f894c9c3cf | |
parent | 1e450aa2f208046aab0628e024a70c5193559fe7 [diff] |
crypto/elliptic: reduce subtraction term to prevent long busy loop If beta8 is unusually large, the addition loop might take a very long time to bring x3-beta8 back positive. This would lead to a DoS vulnerability in the implementation of the P-521 and P-384 elliptic curves that may let an attacker craft inputs to ScalarMult that consume excessive amounts of CPU. This fixes CVE-2019-6486. Fixes #29903 Change-Id: Ia969e8b5bf5ac4071a00722de9d5e4d856d8071a Reviewed-on: https://team-review.git.corp.google.com/c/399777 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/159218 Reviewed-by: Julie Qiu <julie@golang.org>
Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.
Gopher image by Renee French, licensed under Creative Commons 3.0 Attributions license.
Our canonical Git repository is located at https://go.googlesource.com/go. There is a mirror of the repository at https://github.com/golang/go.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Official binary distributions are available at https://golang.org/dl/.
After downloading a binary release, visit https://golang.org/doc/install or load doc/install.html in your web browser for installation instructions.
If a binary distribution is not available for your combination of operating system and architecture, visit https://golang.org/doc/install/source or load doc/install-source.html in your web browser for source installation instructions.
Go is the work of thousands of contributors. We appreciate your help!
To contribute, please read the contribution guidelines: https://golang.org/doc/contribute.html
Note that the Go project uses the issue tracker for bug reports and proposals only. See https://golang.org/wiki/Questions for a list of places to ask questions about the Go language.