ECC: import point, always do some checks

SparkiDev · SparkiDev · commit bf652e9b19eb · 2026-01-21T14:05:16.000+10:00
Always check for infinity and, when B param available, whether the point
is on the curve.
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
@@ -10922,6 +10922,22 @@ int wc_ecc_import_x963_ex(const byte* in, word32 inLen, ecc_key* key,
     if (err == MP_OKAY)
         err = wc_ecc_check_key(key);
 #endif
+#if (!defined(WOLFSSL_VALIDATE_ECC_IMPORT) || \
+     !defined(HAVE_ECC_CHECK_PUBKEY_ORDER)) && \
+     !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
+     !defined(WOLFSSL_CRYPTOCELL) && \
+     (!defined(WOLF_CRYPTO_CB_ONLY_ECC) || defined(WOLFSSL_QNX_CAAM) || \
+       defined(WOLFSSL_IMXRT1170_CAAM))
+    /* Only do quick checks. */
+    if ((err == MP_OKAY) && wc_ecc_point_is_at_infinity(&key->pubkey)) {
+        err = ECC_INF_E;
+    }
+#ifdef USE_ECC_B_PARAM
+    if ((err == MP_OKAY) && (key->idx != ECC_CUSTOM_IDX))  {
+        err = wc_ecc_point_is_on_curve(&key->pubkey, key->idx);
+    }
+#endif /* USE_ECC_B_PARAM */
+#endif /* !WOLFSSL_VALIDATE_ECC_IMPORT || !HAVE_ECC_CHECK_PUBKEY_ORDER */
 
 #ifdef WOLFSSL_MAXQ10XX_CRYPTO
     if (err == MP_OKAY) {
