On Sun, Nov 20, 2022 at 05:53:20PM +0200, Jouni Malinen wrote:
> On Tue, Nov 08, 2022 at 12:05:51AM -0500, Glenn Strauss wrote:
> > crypto_ec_point_mul() with mbedtls requires point
> > be multiplied by a multiplicand with value < prime
>
> crypto_ec_point_mul() could be implemented to handle this internally for
> crypto libraries that have such constraints on their input values.

It might be costly for SAE and DPP to have crypto_ec_point_mul()
check range for every single SAE and DPP call to crypto_ec_point_mul().

> I'm
> not confident that this specific crypto_ec_point_mul() would be the only
> one that could reach this type of a case. For example, what about the
> similar construction in dpp_pkex_derive_Qi()?

I am not sure either. I did not run into it in the hwsim test suite.

> Is that mbedtls constraint documented somewhere? A quick look at the
> mbedtls_ecp_mul() documentation did not seem to say anything about the
> allowed range for the integer (m).

mbedtls_ecp_mul() calls mbedtls_ecp_check_privkey() and
mbedtls_ecp_check_pubkey() on its input to validate the arguments.

mbedtls_ecp_mul() and other parts of mbedtls ecp operate on valid data
which is on the elliptic curve, and does not make guarantees about
operations on invalid data.

Cheers, Glenn
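Added example, not part of the thread and not hostap or mbedtls code: a toy-curve sketch of what handling the range constraint inside a point-multiplication wrapper could look like, with one modular reduction in front of a backend that rejects out-of-range scalars. The curve, `strict_mul()`, `reduced_mul()` and the accepted range [1, N-1] (N being the group order) are assumptions made for this illustration.

```c
#include <stdio.h>
/* Toy curve y^2 = x^3 + 2x + 2 over GF(17); G = (5,1) has prime order N = 19. */
enum { P = 17, A = 2, N = 19 };
typedef struct { int x, y, inf; } pt;
static const pt G = { 5, 1, 0 };
static int mod(int v, int m) { v %= m; return v < 0 ? v + m : v; }
static int inv(int v) {                 /* Fermat inverse: v^(P-2) mod P */
    int r = 1, e = P - 2;
    for (v = mod(v, P); e; e >>= 1, v = v * v % P)
        if (e & 1) r = r * v % P;
    return r;
}

static pt add(pt a, pt b) {
    pt r = { 0, 0, 1 };                 /* point at infinity */
    if (a.inf) return b;
    if (b.inf) return a;
    if (a.x == b.x && mod(a.y + b.y, P) == 0) return r;   /* a + (-a) */
    int l = (a.x == b.x) ? mod((3 * a.x * a.x + A) * inv(2 * a.y), P)
                         : mod((b.y - a.y) * inv(b.x - a.x), P);
    r.x = mod(l * l - a.x - b.x, P);
    r.y = mod(l * (a.x - r.x) - a.y, P);
    r.inf = 0; return r;
}

/* Hypothetical strict backend: refuses scalars outside [1, N-1] instead of
 * computing on them (assumed behaviour for this sketch). 0 = ok, -1 = rejected. */
static int strict_mul(int k, pt p, pt *out) {
    if (k < 1 || k >= N) return -1;
    pt r = { 0, 0, 1 };
    for (; k; k >>= 1, p = add(p, p))
        if (k & 1) r = add(r, p);
    *out = r;
    return 0;
}

/* Hypothetical wrapper: reduce k mod the group order first; valid only for
 * points in the order-N group. k = 0 mod N yields infinity without a call. */
static int reduced_mul(int k, pt p, pt *out) {
    k = mod(k, N);
    if (k == 0) { out->x = out->y = 0; out->inf = 1; return 0; }
    return strict_mul(k, p, out);
}

int main(void) {
    pt r;
    printf("strict k=21 -> %d, ", strict_mul(21, G, &r));
    printf("reduced k=21 -> %d\n", reduced_mul(21, G, &r));
}
```

The reduction is sound only because k·P = (k mod N)·P for points whose order divides N, so a wrapper like this still needs the point itself validated as being on the curve.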