crypto/elliptic: bug in x86-64 P-256 implementation #21334

Closed
randombit opened this issue Aug 7, 2017 · 4 comments
@randombit

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.8.3 linux/amd64

What operating system and processor architecture are you using (go env)?

Arch Linux on x86-64

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/jack/opt/go"
GORACE=""
GOROOT="/usr/lib/go"
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/home/jack/var/tmp/go-build612722418=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you do?

Run the code in https://play.golang.org/p/26l_zIOjBf

This is attempting to verify a (somewhat unusual, but valid) ECDSA signature. However, it appears there is some bug in the x86-64 specific P-256 code. The code tries to verify twice, once with the standard ecdsa.Verify and then with a hacked version of the same function MyVerify (in the source), which is just ecdsa.Verify with the specialized codepaths for inverse and combinedMult removed. On my machine the hacked version verifies the signature while the library version (that, for P-256 on x86-64, calls combinedMult) rejects it.

However on the playground, the signature does verify using the stock ecdsa.Verify. This suggests to me that the playground version of Go doesn't use the x86-64 codepath, and is additional validation for there being a bug somewhere. (Either the signature is valid, or it is not - and the versions of ecdsa.Verify in playground and my machine disagree on this point).

A similarly generated signature using P-384 also verified without problems, again suggesting a problem that is P-256 specific.

I have not done further investigation as to the nature of the bug. It's possible it may affect other ECC code using these optimized codepaths.

What did you expect to see?

The signature would verify with ecdsa.Verify.

What did you see instead?

It does not verify if the x86-64 P-256 code is enabled.
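The playground program is not reproduced on this page, so here is an added differential check in the same spirit as the MyVerify comparison described above (example code written for this page, not the reporter's program or Go's own sources). It assumes the function names genericVerify and checkPaths and a constructed message; genericVerify follows the standard ECDSA verification equation using only the curve's ScalarBaseMult/ScalarMult/Add and big.Int.ModInverse, which is what ecdsa.Verify falls back to when the optional Inverse and CombinedMult interfaces are not consulted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// genericVerify is the textbook ECDSA check (u1*G + u2*Q, x mod n == r) built only
// from the curve's ScalarBaseMult/ScalarMult/Add and big.Int.ModInverse, skipping the
// optional Inverse/CombinedMult interfaces; digest untruncated (SHA-256 on P-256).
func genericVerify(pub *ecdsa.PublicKey, hash []byte, r, s *big.Int) bool {
	c, n := pub.Curve, pub.Curve.Params().N
	if r.Sign() <= 0 || s.Sign() <= 0 || r.Cmp(n) >= 0 || s.Cmp(n) >= 0 {
		return false
	}
	w := new(big.Int).ModInverse(s, n) // n is prime and 0 < s < n, so w exists
	u1 := new(big.Int).Mod(new(big.Int).Mul(new(big.Int).SetBytes(hash), w), n)
	u2 := new(big.Int).Mod(new(big.Int).Mul(r, w), n)
	x1, y1 := c.ScalarBaseMult(u1.Bytes())
	x2, y2 := c.ScalarMult(pub.X, pub.Y, u2.Bytes())
	x, y := c.Add(x1, y1, x2, y2)
	if x.Sign() == 0 && y.Sign() == 0 {
		return false // point at infinity
	}
	return new(big.Int).Mod(x, n).Cmp(r) == 0
}

// checkPaths signs a constructed message with a fresh key and returns the library
// verdict next to the generic one; fast != generic is the divergence the issue describes.
func checkPaths(curve elliptic.Curve, msg []byte) (fast, generic bool, err error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return false, false, err
	}
	h := sha256.Sum256(msg)
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return false, false, err
	}
	return ecdsa.Verify(&priv.PublicKey, h[:], r, s), genericVerify(&priv.PublicKey, h[:], r, s), nil
}

func main() {
	fast, generic, err := checkPaths(elliptic.P256(), []byte("constructed test message"))
	fmt.Println("ecdsa.Verify:", fast, "genericVerify:", generic, "agree:", fast == generic, "err:", err)
}
```

Running it in a loop over many fresh signatures, or over a stored signature that one path rejects, turns the reporter's one-off observation into a repeatable regression check for the fast path.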

@ianlancetaylor ianlancetaylor changed the title Bug in x86-64 P-256 implementation crypto/ecdsa: bug in x86-64 P-256 implementation Aug 7, 2017
@ianlancetaylor ianlancetaylor changed the title crypto/ecdsa: bug in x86-64 P-256 implementation crypto/elliptic: bug in x86-64 P-256 implementation Aug 7, 2017
@ianlancetaylor
Member

CC @agl @vkrasnov

@ianlancetaylor ianlancetaylor added this to the Go1.10 milestone Aug 7, 2017
@ianlancetaylor
Member

Seems to have broken in the 1.6 release.

@FiloSottile
Contributor

Duplicate of #20215

@randombit
Author

Sorry, after confirming 1.8.3 was latest release I did not think to check open issues - #20215 definitely looks to be the same issue.

@golang golang locked and limited conversation to collaborators Aug 8, 2018