crypto/elliptic: incorrect operations on the P-224 curve

[rolandshoemaker]

The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.

The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.

The incorrect output was found by the elliptic-curve-differential-fuzzer project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).

This issue is CVE-2021-3114.

[JasonGross]

Would #40171 solve the issue? (I can point at the relevant Go code in fiat-crypto if that would help with integration/testing.)

[mdempsky]

I think the issue is already fixed in today's security fix releases for Go 1.14 and Go 1.15; e.g., 5c8fd72. Presumably the same fix will be ported forward for Go 1.16.

Looking at the fix, it does seem like #40171 would have prevented it.

[gopherbot]

Change https://golang.org/cl/284779 mentions this issue: crypto/elliptic: fix P-224 field reduction