1038683 – golang appears to contain an ECC implementation

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1038683 - golang appears to contain an ECC implementation

Summary: golang appears to contain an ECC implementation

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	golang
Sub Component:
Version:	24
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Jakub Čajka
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	FE-Legal ecc 1379484
TreeView+	depends on / blocked

Reported:	2013-12-05 15:47 UTC by Bill Nottingham
Modified:	2019-07-31 14:00 UTC (History)
CC List:	33 users (show)
Fixed In Version:	golang-1.2-3.el6 golang-1.7.3-2.fc25 golang-1.5.4-4.fc23 golang-1.6.3-4.fc24 golang-1.7.3-2.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-24 16:29:59 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Bill Nottingham 2013-12-05 15:47:27 UTC

Description of problem:

At least, I would assume that's what is in go/src/pkg/crypto/elliptic/.
In Fedora, we only ship certain reviewed curves.

Version-Release number of selected component (if applicable):

1.2-1

How reproducible:

100%

Steps to Reproduce:
1. look at golang's crypto code

Actual results:

Hey, that looks like ECC, and it appears to have been always included.

Comment 1 Vincent Batts 2013-12-05 16:09:19 UTC

This will take a bit of work/consideration on which curves are not allowed.

From just stdlib alone, the following libraries import from crypto/elliptic:
* crypto/ecdsa
* crypto/x509
 - also imports from crypto/ecdsa
* crypto/tls
 - also imports from crypto/ecdsa
 - also imports from crypto/x509

Comment 2 Vincent Batts 2013-12-05 16:13:43 UTC

per http://golang.org/src/pkg/crypto/ecdsa/ecdsa.go, the ecdsa implementation is to spec of the Suite B guide for FIPS 186-3

Comment 9 Vincent Batts 2013-12-20 17:54:29 UTC

I've pushed a patched build to rawhide, to bake for a bit. http://koji.fedoraproject.org/koji/buildinfo?buildID=485741

Comment 10 Fedora Update System 2014-01-21 02:18:47 UTC

golang-1.2-3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/golang-1.2-3.fc19

Comment 11 Fedora Update System 2014-01-21 02:19:54 UTC

golang-1.2-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/golang-1.2-3.fc20

Comment 12 Fedora Update System 2014-01-21 02:21:02 UTC

golang-1.2-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/golang-1.2-3.el6

Comment 13 Fedora Update System 2014-01-21 05:21:18 UTC

Package golang-1.2-3.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing golang-1.2-3.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-0257/golang-1.2-3.el6
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2014-01-29 03:02:44 UTC

golang-1.2-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-01-30 03:36:38 UTC

golang-1.2-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-02-05 19:25:23 UTC

golang-1.2-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Daniel Walsh 2016-06-15 20:13:45 UTC

Reopening this bug as this patch is now causing docker builds to fail.

Comment 18 Daniel Walsh 2016-06-15 20:16:30 UTC

Can we revisit this decision, has anything changed in the last few years.  Can we implement just the elyptical curves that the NSA has licenses for?

Comment 19 Daniel Walsh 2016-06-15 20:18:23 UTC

hack/make.sh dynbinary
# WARNING! I don't seem to be running in a Docker container.
# The result of this command might be an incorrect build, and will not be
# officially supported.
#
# Try this instead: make all
#

bundles/1.12.0-dev already exists. Removing.

---> Making bundle: dynbinary (in bundles/1.12.0-dev/dynbinary)
Building: bundles/1.12.0-dev/dynbinary-client/docker-1.12.0-dev
Created binary: bundles/1.12.0-dev/dynbinary-client/docker-1.12.0-dev
Building: bundles/1.12.0-dev/dynbinary-daemon/dockerd-1.12.0-dev
# github.com/google/certificate-transparency/go/x509
vendor/src/github.com/google/certificate-transparency/go/x509/x509.go:342: undefined: elliptic.P224
vendor/src/github.com/google/certificate-transparency/go/x509/x509.go:355: undefined: elliptic.P224
vendor/src/github.com/google/certificate-transparency/go/x509/x509.go:1461: undefined: elliptic.P224
[Exit 1]

Comment 20 Tom "spot" Callaway 2016-06-15 21:33:59 UTC

I'm checking into this.

Comment 21 Antonio Murdaca 2016-06-17 08:33:20 UTC

if this isn't doable, however we can use this patch:

diff --git a/vendor/src/github.com/google/certificate-transparency/go/x509/x509.go b/vendor/src/github.com/google/certificate-transparency/go/x509/x509.go
old mode 100755
new mode 100644
index cda7220..d879b91
--- a/vendor/src/github.com/google/certificate-transparency/go/x509/x509.go
+++ b/vendor/src/github.com/google/certificate-transparency/go/x509/x509.go
@@ -330,7 +330,6 @@ func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm
 //
 // NB: secp256r1 is equivalent to prime256v1
 var (
-	oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
 	oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
 	oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
 	oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
@@ -338,8 +337,6 @@ var (
 
 func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
 	switch {
-	case oid.Equal(oidNamedCurveP224):
-		return elliptic.P224()
 	case oid.Equal(oidNamedCurveP256):
 		return elliptic.P256()
 	case oid.Equal(oidNamedCurveP384):
@@ -352,8 +349,6 @@ func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
 
 func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
 	switch curve {
-	case elliptic.P224():
-		return oidNamedCurveP224, true
 	case elliptic.P256():
 		return oidNamedCurveP256, true
 	case elliptic.P384():
@@ -1458,7 +1453,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub interf
 		hashFunc = crypto.SHA1
 	case *ecdsa.PrivateKey:
 		switch priv.Curve {
-		case elliptic.P224(), elliptic.P256():
+		case elliptic.P256():
 			hashFunc = crypto.SHA256
 			signatureAlgorithm.Algorithm = oidSignatureECDSAWithSHA256
 		case elliptic.P384():

Comment 22 Dan Williams 2016-08-26 14:53:56 UTC

Any resolution on this?  Upstream Kubernetes no longer builds due to the same github.com/google/certificate-transparency/go/x509/x509.go issues.

Comment 26 Ken Stailey 2016-09-11 20:59:13 UTC

This affects building Google Cloud Print CUPS proxy for Android.

Once I patched out the references to elliptic.P224 I was able to build gcp-connector-util and print from my Android smartphone.

Comment 31 Tom "spot" Callaway 2016-11-17 21:29:44 UTC

The NIST P-224 curve is now permissible in Fedora. I'm rebuilding golang to enable it now.

Comment 32 Tom "spot" Callaway 2016-11-17 21:32:15 UTC

This is now done in Fedora 25+. For other branches, I'll leave the changes to the maintainers.

Comment 33 Fedora Update System 2016-11-18 09:57:39 UTC

golang-1.7.3-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0aae3021b3

Comment 36 Fedora Update System 2016-11-18 14:51:16 UTC

golang-1.6.3-4.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0eb27fee7a

Comment 37 Fedora Update System 2016-11-18 14:59:19 UTC

golang-1.5.4-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-109c7b5f68

Comment 38 Fedora Update System 2016-11-18 20:26:55 UTC

golang-1.7.3-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0aae3021b3

Comment 39 Fedora Update System 2016-11-18 21:37:39 UTC

golang-1.7.3-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-1300e04b7c

Comment 40 Fedora Update System 2016-11-19 07:48:19 UTC

golang-1.7.3-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-1300e04b7c

Comment 41 Fedora Update System 2016-11-19 08:56:42 UTC

golang-1.5.4-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-109c7b5f68

Comment 42 Fedora Update System 2016-11-19 18:50:41 UTC

golang-1.6.3-4.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0eb27fee7a

Comment 43 Fedora Update System 2016-11-24 16:29:59 UTC

golang-1.7.3-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 44 Fedora Update System 2016-11-29 23:53:00 UTC

golang-1.5.4-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 45 Fedora Update System 2016-11-30 03:52:16 UTC

golang-1.6.3-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 46 Fedora Update System 2016-12-05 19:19:44 UTC

golang-1.7.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.

adam
admiller
amurdaca
berrange
cben
dcbw
dwalsh
esm
ewolinet
fdeutsch
fweimer
golang-updates
jeffschroeder
jpeeler
jrieden
kstailey
lemenkov
lsm5
me
mitr
nmavrogi
renich
rfontana
rrelyea
rvokal
sct
sforsber
sgrubb
skottler
smahajan
tcallawa
tmraz
vbatts