crypto/elliptic: incorrect operations on the P-224 curve #43786
The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.
The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.
The incorrect output was found by the elliptic-curve-differential-fuzzer project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).
This issue is CVE-2021-3114.
The text was updated successfully, but these errors were encountered: