Missing key validations
veorq opened this issue · comments
Jean-Philippe Aumasson commented
Here the answer is yes :)
Line 114 in b168f70
And here too:
Lines 104 to 110 in b168f70
This is because there is no guarantee that the received bytes or scalar are valid ones wrt Curve25519.
Also, public keys must be validated when instantiated, that is, From<[u8; PUBLIC_KEY_SIZE]>
should verify that the point is not the point at infinity