[gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Jul 20 09:55:06 CEST 2020

Stephan Mueller commented:

The code changes look good to me. @lumag testing that the failure code paths of the new code indeed are good is hard. But IMHO this is not really needed, because the success code paths are only taken IF all checks are good - and if the checks would be poorly implemented it is hardly likely that the success code path is used. Thus, if your normal testing shows that with this code you can still perform DH / ECDH operations as you used to, you validated that the code is good.

@dueno Maybe you can revisit your ECDH full validation key check based on the following idea. Note, mull this idea over with your peers to conclude that I am not off track here. IFF GnuTLS only supports prime field curves with a co-factor of 1 (e.g. all NIST P curves), then any valid point that is on the curve will have an order n based on the construction of those curves. So, if you validate that the point is on the curve, it implies that the order of the point is n. Hence, step 4 of the full validation test is implicitly covered.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299#note_382067645
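
The argument in the comment above, checked exhaustively on two toy curves, as an added example that is not part of the original message or of the GnuTLS/nettle code: when the group order is the prime n (cofactor 1), every on-curve point other than the point at infinity has order n, so the on-curve check already implies n*Q = O. The curve parameters, the helper names and the cofactor-4 counterexample are assumptions chosen for illustration; the second curve shows why the cofactor-1 condition is needed.

```python
# Added illustration with constructed toy curves; not GnuTLS or nettle code.
O = None  # point at infinity

def on_curve(P, a, b, p):
    """Partial validation: does P satisfy y^2 = x^3 + a*x + b (mod p)?"""
    if P is O:
        return True
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0

def add(P, Q, a, p):
    """Affine group law on a short Weierstrass curve."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # P + (-P), including doubling a point with y == 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P, a, p):
    """Double-and-add scalar multiplication k*P."""
    R = O
    while k:
        if k & 1:
            R = add(R, P, a, p)
        P = add(P, P, a, p)
        k >>= 1
    return R

def survey(a, b, p, n):
    """Return (group order, number of on-curve affine points Q with n*Q != O)."""
    pts = [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), a, b, p)]
    bad = [Q for Q in pts if mul(n, Q, a, p) is not O]
    return len(pts) + 1, len(bad)

if __name__ == "__main__":
    # y^2 = x^3 + 2x + 2 over F_17: group order 19 = n, cofactor 1
    print(survey(2, 2, 17, 19))
    # y^2 = x^3 + x + 1 over F_23: group order 28, n = 7, cofactor 4
    print(survey(1, 1, 23, 7))
```
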