
Go 1.11.5 and Go 1.10.8 are released - stablemap
https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
======
the_duke
> This DoS vulnerability in the crypto/elliptic implementations of the P-521
> and P-384 elliptic curves may let an attacker craft inputs that consume
> excessive amounts of CPU.

> These inputs might be delivered via TLS handshakes, X.509 certificates, JWT
> tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private
> key is reused more than once, the attack can also lead to key recovery.

> The issue is CVE-2019-6486 and Go issue golang.org/issue/29903\. See the Go
> issue for more details.

------
jtsylve
The fix, for anyone who is interested:
[https://github.com/golang/go/commit/42b42f71cf8f5956c09e6623...](https://github.com/golang/go/commit/42b42f71cf8f5956c09e66230293dfb5db652360)

~~~
selljamhere
Is there anyone who can ELI5 what `beta8.Mod(beta8, curve.P)` does?

~~~
lifthrasiir
It is hard to explain what is `beta8` and `curve.P` specifically, but they are
arbitrary-precision integers so you can see what went wrong with an
appropriate pseudocode:

    
    
        x3 = alpha * alpha
        beta8 = beta << 3
        // beta8 %= curve.P
        x3 -= beta8
        while x3 < 0 {
            x3 += curve.P
        }
    

Essentially we want to compute `(alpha * alpha - beta * 8) % curve.P`, so to
say. The modulo is expensive though, so _for typical cases_ we can just
repeatedly add `curve.P` to compute the modulo a few times. This is indeed a
valid optimization when we are sure of the range of `alpha` and `beta`, but
`beta` can be controlled outside. So a very large `beta` from an attacker will
cause the while loop run forever---a denial-of-service attack.

~~~
Thorrez
Here's the new code:

    
    
        beta8.Mod(beta8, curve.P)
        x3.Sub(x3, beta8)
        if x3.Sign() == -1 {
            x3.Add(x3, curve.P)
        }
        x3.Mod(x3, curve.P)
    

I don't understand it why it's all necessary. This is shorter and seems to do
the exact same thing:

    
    
        beta8.Mod(beta8, curve.P)
        x3.Sub(x3, beta8)
        x3.Mod(x3, curve.P)
    

Also, beta8 is never used after this code. So this should do the same thing as
well:

    
    
        x3.Sub(x3, beta8)
        x3.Mod(x3, curve.P)

~~~
lifthrasiir
I think you are right. Go `big.Mod` should be Euclidean (i.e. `x % y` follows
`y`'s sign) so the code is redundant. It doesn't seem to be required to run in
constant time (if so we won't have `if` at all), probably the committer wanted
a minimal change?

------
ronnier
Non mobile link: [https://groups.google.com/forum/#!topic/golang-
announce/mVeX...](https://groups.google.com/forum/#!topic/golang-
announce/mVeX35iXuSw)

------
marcrosoft
Edit: the message starts off with "Hi gophers".

I'm not a "gopher".

Does this label bother anyone else? I love the go programming language but I'm
definitely not on board with this.

I happen to be a software developer who found effectiveness and value in Go
and will continue to use it as long as it proves effective. That is all.

~~~
f2f
they tried to be cheeky. is ignoring that a problem sufficiently
inconveniencing you that it requires a post on a forum?

~~~
marcrosoft
I know they mean well. I'm just wondering if anyone else feels the same way I
do.

~~~
sramsay
It could be worse. You could be a "rustacean."

~~~
inferiorhuman
Back in the 70s, Peugeot, Renault, and Volvo collaborated on an engine design
(used in the DeLorean among other cars). It's got some utterly bizarre design
features but attracted its own relatively dedicated following called… PRVerts.

~~~
flavio81
90° V6 engines are a perversion, anyway.

