[release-branch.go1.18] crypto/elliptic: tolerate zero-padded scalars in generic...

Updates #52075
Fixes #52077
Fixes CVE-2022-28327

Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
Reviewed-on: https://go-review.googlesource.com/c/go/+/397137
Trust: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>

diff --git a/src/crypto/elliptic/p256.go b/src/crypto/elliptic/p256.go
index e1c6ff4f8791493a3a858e2c2edbb89a5f593f99..99c39ea9d544120febe86f53a0bdd64c89eee4db 100644 (file)
--- a/src/crypto/elliptic/p256.go
+++ b/src/crypto/elliptic/p256.go
@@ -51,7 +51,7 @@ func p256GetScalar(out *[32]byte, in []byte) {
        n := new(big.Int).SetBytes(in)
        var scalarBytes []byte
 
-       if n.Cmp(p256Params.N) >= 0 {
+       if n.Cmp(p256Params.N) >= 0 || len(in) > len(out) {
                n.Mod(n, p256Params.N)
                scalarBytes = n.Bytes()
        } else {

diff --git a/src/crypto/elliptic/p256_test.go b/src/crypto/elliptic/p256_test.go
index c6862d95476c6fb8d40b247dfad1aa1fba531fac..a607766bc6cbf315ee2d1169665ec8cf57fcdae4 100644 (file)
--- a/src/crypto/elliptic/p256_test.go
+++ b/src/crypto/elliptic/p256_test.go
@@ -136,3 +136,17 @@ func TestP256CombinedMult(t *testing.T) {
                t.Errorf("1×G + (-1)×G = (%d, %d), should be ∞", x, y)
        }
 }
+
+func TestIssue52075(t *testing.T) {
+       Gx, Gy := P256().Params().Gx, P256().Params().Gy
+       scalar := make([]byte, 33)
+       scalar[32] = 1
+       x, y := P256().ScalarBaseMult(scalar)
+       if x.Cmp(Gx) != 0 || y.Cmp(Gy) != 0 {
+               t.Errorf("unexpected output (%v,%v)", x, y)
+       }
+       x, y = P256().ScalarMult(Gx, Gy, scalar)
+       if x.Cmp(Gx) != 0 || y.Cmp(Gy) != 0 {
+               t.Errorf("unexpected output (%v,%v)", x, y)
+       }
+}