On Sat, 2019-05-11 at 10:00 +0200, Niels Möller wrote:
Simo Sorce simo@redhat.com writes:
While reviewing FIPS requirements for public key checks in Ephemeral Diffie-Hellman key exchanges it came out that FIPS requires checks that the public key point is not the (0, 0) coordinate and nettle is not doing it (only checks that neither point is negative.
ecc_point_set also checks that the point is on the curve, i.e., satisfies the curve equation. That should rule out (0, 0), except if we have some curve with constant term b == 0, which I don't think makes sense.
Ah you are right the later check would catch it. I was just following the checks FIPS explicitly requires in order and didn't think about that ...
Not sure how FIPS requirements are formulated, but maybe it would be better to add a test case to check that ecc_point_set rejects (0,0) ?
Yes, I will drop my patch and add a test case.
Simo.