Closed by rolandshoemaker 3 years ago
Would https://github.com/golang/go/issues/40171 solve the issue? (I can point at the relevant Go code in fiat-crypto if that would help with integration/testing.)
I think the issue is already fixed in today's security fix releases for Go 1.14 and Go 1.15; e.g., 5c8fd727c41e31273923c32b33d4f25855f4e123. Presumably the same fix will be ported forward for Go 1.16.
Looking at the fix, it does seem like #40171 would have prevented it.
Change https://golang.org/cl/284779 mentions this issue: crypto/elliptic: fix P-224 field reduction
Change https://golang.org/cl/315271 mentions this issue: crypto/elliptic: import fiat-crypto P-521 field implementation
The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.
The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.
The incorrect output was found by the elliptic-curve-differential-fuzzer project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).
This issue is CVE-2021-3114.
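As an added defensive example (not code from the Go project or from this issue), the wrapper below validates what P-224 `ScalarMult` returns instead of trusting it: the result must satisfy the curve equation, and k*P + P computed with `Add` must agree with (k+1)*P from a second `ScalarMult`. `CheckedScalarMult` and the demo scalar are my own names and values.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// CheckedScalarMult computes k*P on curve and validates the result two ways:
// the output must satisfy the curve equation, and k*P + P (via Add) must
// equal (k+1)*P (a second ScalarMult). Off-curve results like the ones the
// P-224 reduction bug (CVE-2021-3114) could produce fail the first check.
// This detects bad output; the fix is running a patched Go release.
func CheckedScalarMult(curve elliptic.Curve, x, y *big.Int, k []byte) (*big.Int, *big.Int, error) {
	if !curve.IsOnCurve(x, y) {
		return nil, nil, errors.New("input point is not on the curve")
	}
	n := curve.Params().N
	s := new(big.Int).Mod(new(big.Int).SetBytes(k), n)
	if s.Sign() == 0 {
		return nil, nil, errors.New("scalar is zero modulo the group order")
	}
	rx, ry := curve.ScalarMult(x, y, s.Bytes())
	if !curve.IsOnCurve(rx, ry) {
		return nil, nil, errors.New("ScalarMult returned a point off the curve")
	}
	s1 := new(big.Int).Mod(new(big.Int).Add(s, big.NewInt(1)), n)
	if s1.Sign() != 0 { // s+1 == n would give the point at infinity; skip then
		ax, ay := curve.Add(rx, ry, x, y)
		bx, by := curve.ScalarMult(x, y, s1.Bytes())
		if ax.Cmp(bx) != 0 || ay.Cmp(by) != 0 {
			return nil, nil, errors.New("ScalarMult cross-check failed")
		}
	}
	return rx, ry, nil
}

func main() {
	curve := elliptic.P224()
	p := curve.Params()
	k := big.NewInt(123456789).Bytes() // constructed demo scalar
	x, y, err := CheckedScalarMult(curve, p.Gx, p.Gy, k)
	if err != nil {
		panic(err)
	}
	fmt.Printf("k*G on P-224 = (%x, %x)\n", x, y)
}
```

On a fixed Go release every call passes; on a build affected by the bug, a failing check is the signal to stop and upgrade rather than use the returned point.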