tree 68c3cecee9a080c04a1ef6711ea32cdc43a0410f
parent 182b0b9966506c8116b35f5a2e55307b7af313f7
author Janos Follath <janos.follath@arm.com> 1556287582 +0100
committer Janos Follath <janos.follath@arm.com> 1556632695 +0100

Add negative tests for Curve25519

If we provide a low order element as a public key and the implementation
maps the point at infinity to the origin, we can force the common secret
to be zero.

According to the standard (RFC 7748) this is allowed but in this case
the primitive must not be used in a protocol that requires contributory
behaviour.

Mbed Crypto returns an error when the result is the point at infinity
and does not map it to the origin. This is safe even if used in
protocols that require contributory behaviour.

This commit adds test cases that verify that Mbed Crypto returns an
error when low order public keys are processed.

The low order elements in the test cases were taken from this website:
https://cr.yp.to/ecdh.html
