xref: /reactos/dll/3rdparty/mbedtls/ecp.c (revision 103a79ce)
1 /*
2  *  Elliptic curves over GF(p): generic functions
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6  *
7  *  This file is provided under the Apache License 2.0, or the
8  *  GNU General Public License v2.0 or later.
9  *
10  *  **********
11  *  Apache License 2.0:
12  *
13  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
14  *  not use this file except in compliance with the License.
15  *  You may obtain a copy of the License at
16  *
17  *  http://www.apache.org/licenses/LICENSE-2.0
18  *
19  *  Unless required by applicable law or agreed to in writing, software
20  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22  *  See the License for the specific language governing permissions and
23  *  limitations under the License.
24  *
25  *  **********
26  *
27  *  **********
28  *  GNU General Public License v2.0 or later:
29  *
30  *  This program is free software; you can redistribute it and/or modify
31  *  it under the terms of the GNU General Public License as published by
32  *  the Free Software Foundation; either version 2 of the License, or
33  *  (at your option) any later version.
34  *
35  *  This program is distributed in the hope that it will be useful,
36  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
37  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
38  *  GNU General Public License for more details.
39  *
40  *  You should have received a copy of the GNU General Public License along
41  *  with this program; if not, write to the Free Software Foundation, Inc.,
42  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43  *
44  *  **********
45  */
46 
47 /*
48  * References:
49  *
50  * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
51  * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
52  * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
53  * RFC 4492 for the related TLS structures and constants
54  * RFC 7748 for the Curve448 and Curve25519 curve definitions
55  *
56  * [Curve25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf
57  *
58  * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
59  *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
60  *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
61  *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
62  *
63  * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
64  *     render ECC resistant against Side Channel Attacks. IACR Cryptology
65  *     ePrint Archive, 2004, vol. 2004, p. 342.
66  *     <http://eprint.iacr.org/2004/342.pdf>
67  */
68 
69 #if !defined(MBEDTLS_CONFIG_FILE)
70 #include "mbedtls/config.h"
71 #else
72 #include MBEDTLS_CONFIG_FILE
73 #endif
74 
75 /**
76  * \brief Function level alternative implementation.
77  *
78  * The MBEDTLS_ECP_INTERNAL_ALT macro enables alternative implementations to
79  * replace certain functions in this module. The alternative implementations are
80  * typically hardware accelerators and need to activate the hardware before the
81  * computation starts and deactivate it after it finishes. The
82  * mbedtls_internal_ecp_init() and mbedtls_internal_ecp_free() functions serve
83  * this purpose.
84  *
85  * To preserve the correct functionality the following conditions must hold:
86  *
87  * - The alternative implementation must be activated by
88  *   mbedtls_internal_ecp_init() before any of the replaceable functions is
89  *   called.
90  * - mbedtls_internal_ecp_free() must \b only be called when the alternative
91  *   implementation is activated.
92  * - mbedtls_internal_ecp_init() must \b not be called when the alternative
93  *   implementation is activated.
94  * - Public functions must not return while the alternative implementation is
95  *   activated.
96  * - Replaceable functions are guarded by \c MBEDTLS_ECP_XXX_ALT macros and
97  *   before calling them an \code if( mbedtls_internal_ecp_grp_capable( grp ) )
98  *   \endcode ensures that the alternative implementation supports the current
99  *   group.
100  */
101 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
102 #endif
103 
104 #if defined(MBEDTLS_ECP_C)
105 
106 #include "mbedtls/ecp.h"
107 #include "mbedtls/threading.h"
108 #include "mbedtls/platform_util.h"
109 #include "mbedtls/bn_mul.h"
110 
111 #include <string.h>
112 
113 #if !defined(MBEDTLS_ECP_ALT)
114 
115 /* Parameter validation macros based on platform_util.h */
116 #define ECP_VALIDATE_RET( cond )    \
117     MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
118 #define ECP_VALIDATE( cond )        \
119     MBEDTLS_INTERNAL_VALIDATE( cond )
120 
121 #if defined(MBEDTLS_PLATFORM_C)
122 #include "mbedtls/platform.h"
123 #else
124 #include <stdlib.h>
125 #include <stdio.h>
126 #define mbedtls_printf     printf
127 #define mbedtls_calloc    calloc
128 #define mbedtls_free       free
129 #endif
130 
131 #include "mbedtls/ecp_internal.h"
132 
133 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
134 #if defined(MBEDTLS_HMAC_DRBG_C)
135 #include "mbedtls/hmac_drbg.h"
136 #elif defined(MBEDTLS_CTR_DRBG_C)
137 #include "mbedtls/ctr_drbg.h"
138 #elif defined(MBEDTLS_SHA512_C)
139 #include "mbedtls/sha512.h"
140 #elif defined(MBEDTLS_SHA256_C)
141 #include "mbedtls/sha256.h"
142 #else
143 #error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
144 #endif
145 #endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
146 
147 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
148     !defined(inline) && !defined(__cplusplus)
149 #define inline __inline
150 #endif
151 
152 #if defined(MBEDTLS_SELF_TEST)
153 /*
154  * Counts of point addition and doubling, and field multiplications.
155  * Used to test resistance of point multiplication to simple timing attacks.
156  */
157 static unsigned long add_count, dbl_count, mul_count;
158 #endif
159 
160 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
161 /*
162  * Currently ecp_mul() takes a RNG function as an argument, used for
163  * side-channel protection, but it can be NULL. The initial reasoning was
164  * that people will pass non-NULL RNG when they care about side-channels, but
165  * unfortunately we have some APIs that call ecp_mul() with a NULL RNG, with
166  * no opportunity for the user to do anything about it.
167  *
168  * The obvious strategies for addressing that include:
169  * - change those APIs so that they take RNG arguments;
170  * - require a global RNG to be available to all crypto modules.
171  *
172  * Unfortunately those would break compatibility. So what we do instead is
173  * have our own internal DRBG instance, seeded from the secret scalar.
174  *
175  * The following is a light-weight abstraction layer for doing that with
176  * HMAC_DRBG (first choice) or CTR_DRBG.
177  */
178 
179 #if defined(MBEDTLS_HMAC_DRBG_C)
180 
181 /* DRBG context type */
182 typedef mbedtls_hmac_drbg_context ecp_drbg_context;
183 
184 /* DRBG context init */
ecp_drbg_init(ecp_drbg_context * ctx)185 static inline void ecp_drbg_init( ecp_drbg_context *ctx )
186 {
187     mbedtls_hmac_drbg_init( ctx );
188 }
189 
190 /* DRBG context free */
ecp_drbg_free(ecp_drbg_context * ctx)191 static inline void ecp_drbg_free( ecp_drbg_context *ctx )
192 {
193     mbedtls_hmac_drbg_free( ctx );
194 }
195 
196 /* DRBG function */
ecp_drbg_random(void * p_rng,unsigned char * output,size_t output_len)197 static inline int ecp_drbg_random( void *p_rng,
198                                    unsigned char *output, size_t output_len )
199 {
200     return( mbedtls_hmac_drbg_random( p_rng, output, output_len ) );
201 }
202 
203 /* DRBG context seeding */
ecp_drbg_seed(ecp_drbg_context * ctx,const mbedtls_mpi * secret,size_t secret_len)204 static int ecp_drbg_seed( ecp_drbg_context *ctx,
205                    const mbedtls_mpi *secret, size_t secret_len )
206 {
207     int ret;
208     unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
209     /* The list starts with strong hashes */
210     const mbedtls_md_type_t md_type = mbedtls_md_list()[0];
211     const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_type );
212 
213     MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
214                                                secret_bytes, secret_len ) );
215 
216     ret = mbedtls_hmac_drbg_seed_buf( ctx, md_info, secret_bytes, secret_len );
217 
218 cleanup:
219     mbedtls_platform_zeroize( secret_bytes, secret_len );
220 
221     return( ret );
222 }
223 
224 #elif defined(MBEDTLS_CTR_DRBG_C)
225 
226 /* DRBG context type */
227 typedef mbedtls_ctr_drbg_context ecp_drbg_context;
228 
229 /* DRBG context init */
ecp_drbg_init(ecp_drbg_context * ctx)230 static inline void ecp_drbg_init( ecp_drbg_context *ctx )
231 {
232     mbedtls_ctr_drbg_init( ctx );
233 }
234 
235 /* DRBG context free */
ecp_drbg_free(ecp_drbg_context * ctx)236 static inline void ecp_drbg_free( ecp_drbg_context *ctx )
237 {
238     mbedtls_ctr_drbg_free( ctx );
239 }
240 
241 /* DRBG function */
ecp_drbg_random(void * p_rng,unsigned char * output,size_t output_len)242 static inline int ecp_drbg_random( void *p_rng,
243                                    unsigned char *output, size_t output_len )
244 {
245     return( mbedtls_ctr_drbg_random( p_rng, output, output_len ) );
246 }
247 
248 /*
249  * Since CTR_DRBG doesn't have a seed_buf() function the way HMAC_DRBG does,
250  * we need to pass an entropy function when seeding. So we use a dummy
251  * function for that, and pass the actual entropy as customisation string.
252  * (During seeding of CTR_DRBG the entropy input and customisation string are
253  * concatenated before being used to update the secret state.)
254  */
ecp_ctr_drbg_null_entropy(void * ctx,unsigned char * out,size_t len)255 static int ecp_ctr_drbg_null_entropy(void *ctx, unsigned char *out, size_t len)
256 {
257     (void) ctx;
258     memset( out, 0, len );
259     return( 0 );
260 }
261 
262 /* DRBG context seeding */
ecp_drbg_seed(ecp_drbg_context * ctx,const mbedtls_mpi * secret,size_t secret_len)263 static int ecp_drbg_seed( ecp_drbg_context *ctx,
264                    const mbedtls_mpi *secret, size_t secret_len )
265 {
266     int ret;
267     unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
268 
269     MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
270                                                secret_bytes, secret_len ) );
271 
272     ret = mbedtls_ctr_drbg_seed( ctx, ecp_ctr_drbg_null_entropy, NULL,
273                                  secret_bytes, secret_len );
274 
275 cleanup:
276     mbedtls_platform_zeroize( secret_bytes, secret_len );
277 
278     return( ret );
279 }
280 
281 #elif defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_SHA256_C)
282 
283 /* This will be used in the self-test function */
284 #define ECP_ONE_STEP_KDF
285 
286 /*
287  * We need to expand secret data (the scalar) into a longer stream of bytes.
288  *
289  * We'll use the One-Step KDF from NIST SP 800-56C, with option 1 (H is a hash
290  * function) and empty FixedInfo. (Though we'll make it fit the DRBG API for
291  * convenience, this is not a full-fledged DRBG, but we don't need one here.)
292  *
293  * We need a basic hash abstraction layer to use whatever SHA-2 is available.
294  */
295 #if defined(MBEDTLS_SHA512_C)
296 
297 #define HASH_FUNC( in, ilen, out )  mbedtls_sha512_ret( in, ilen, out, 0 );
298 #define HASH_BLOCK_BYTES            ( 512 / 8 )
299 
300 #elif defined(MBEDTLS_SHA256_C)
301 
302 #define HASH_FUNC( in, ilen, out )  mbedtls_sha256_ret( in, ilen, out, 0 );
303 #define HASH_BLOCK_BYTES            ( 256 / 8 )
304 
305 #endif /* SHA512/SHA256 abstraction */
306 
307 /*
308  * State consists of a 32-bit counter plus the secret value.
309  *
310  * We stored them concatenated in a single buffer as that's what will get
311  * passed to the hash function.
312  */
313 typedef struct {
314     size_t total_len;
315     uint8_t buf[4 + MBEDTLS_ECP_MAX_BYTES];
316 } ecp_drbg_context;
317 
ecp_drbg_init(ecp_drbg_context * ctx)318 static void ecp_drbg_init( ecp_drbg_context *ctx )
319 {
320     memset( ctx, 0, sizeof( ecp_drbg_context ) );
321 }
322 
ecp_drbg_free(ecp_drbg_context * ctx)323 static void ecp_drbg_free( ecp_drbg_context *ctx )
324 {
325     mbedtls_platform_zeroize( ctx, sizeof( ecp_drbg_context ) );
326 }
327 
ecp_drbg_seed(ecp_drbg_context * ctx,const mbedtls_mpi * secret,size_t secret_len)328 static int ecp_drbg_seed( ecp_drbg_context *ctx,
329                    const mbedtls_mpi *secret, size_t secret_len )
330 {
331     ctx->total_len = 4 + secret_len;
332     memset( ctx->buf, 0, 4);
333     return( mbedtls_mpi_write_binary( secret, ctx->buf + 4, secret_len ) );
334 }
335 
ecp_drbg_random(void * p_rng,unsigned char * output,size_t output_len)336 static int ecp_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
337 {
338     ecp_drbg_context *ctx = p_rng;
339     int ret;
340     size_t len_done = 0;
341     uint8_t tmp[HASH_BLOCK_BYTES];
342 
343     while( len_done < output_len )
344     {
345         uint8_t use_len;
346 
347         /* This function is only called for coordinate randomisation, which
348          * happens only twice in a scalar multiplication. Each time needs a
349          * random value in the range [2, p-1], and gets it by drawing len(p)
350          * bytes from this function, and retrying up to 10 times if unlucky.
351          *
352          * So for the largest curve, each scalar multiplication draws at most
353          * 20 * 66 bytes. The minimum block size is 32 (SHA-256), so with
354          * rounding that means a most 20 * 3 blocks.
355          *
356          * Since we don't need to draw more that 255 blocks, don't bother
357          * with carry propagation and just return an error instead. We can
358          * change that it we even need to draw more blinding values.
359          */
360         ctx->buf[3] += 1;
361         if( ctx->buf[3] == 0 )
362             return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
363 
364         ret = HASH_FUNC( ctx->buf, ctx->total_len, tmp );
365         if( ret != 0 )
366             return( ret );
367 
368         if( output_len - len_done > HASH_BLOCK_BYTES )
369             use_len = HASH_BLOCK_BYTES;
370         else
371             use_len = output_len - len_done;
372 
373         memcpy( output + len_done, tmp, use_len );
374         len_done += use_len;
375     }
376 
377     mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
378 
379     return( 0 );
380 }
381 
382 #else /* DRBG/SHA modules */
383 #error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
384 #endif /* DRBG/SHA modules */
385 #endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
386 
387 #if defined(MBEDTLS_ECP_RESTARTABLE)
388 /*
389  * Maximum number of "basic operations" to be done in a row.
390  *
391  * Default value 0 means that ECC operations will not yield.
392  * Note that regardless of the value of ecp_max_ops, always at
393  * least one step is performed before yielding.
394  *
395  * Setting ecp_max_ops=1 can be suitable for testing purposes
396  * as it will interrupt computation at all possible points.
397  */
398 static unsigned ecp_max_ops = 0;
399 
400 /*
401  * Set ecp_max_ops
402  */
mbedtls_ecp_set_max_ops(unsigned max_ops)403 void mbedtls_ecp_set_max_ops( unsigned max_ops )
404 {
405     ecp_max_ops = max_ops;
406 }
407 
408 /*
409  * Check if restart is enabled
410  */
mbedtls_ecp_restart_is_enabled(void)411 int mbedtls_ecp_restart_is_enabled( void )
412 {
413     return( ecp_max_ops != 0 );
414 }
415 
416 /*
417  * Restart sub-context for ecp_mul_comb()
418  */
419 struct mbedtls_ecp_restart_mul
420 {
421     mbedtls_ecp_point R;    /* current intermediate result                  */
422     size_t i;               /* current index in various loops, 0 outside    */
423     mbedtls_ecp_point *T;   /* table for precomputed points                 */
424     unsigned char T_size;   /* number of points in table T                  */
425     enum {                  /* what were we doing last time we returned?    */
426         ecp_rsm_init = 0,       /* nothing so far, dummy initial state      */
427         ecp_rsm_pre_dbl,        /* precompute 2^n multiples                 */
428         ecp_rsm_pre_norm_dbl,   /* normalize precomputed 2^n multiples      */
429         ecp_rsm_pre_add,        /* precompute remaining points by adding    */
430         ecp_rsm_pre_norm_add,   /* normalize all precomputed points         */
431         ecp_rsm_comb_core,      /* ecp_mul_comb_core()                      */
432         ecp_rsm_final_norm,     /* do the final normalization               */
433     } state;
434 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
435     ecp_drbg_context drbg_ctx;
436     unsigned char drbg_seeded;
437 #endif
438 };
439 
440 /*
441  * Init restart_mul sub-context
442  */
ecp_restart_rsm_init(mbedtls_ecp_restart_mul_ctx * ctx)443 static void ecp_restart_rsm_init( mbedtls_ecp_restart_mul_ctx *ctx )
444 {
445     mbedtls_ecp_point_init( &ctx->R );
446     ctx->i = 0;
447     ctx->T = NULL;
448     ctx->T_size = 0;
449     ctx->state = ecp_rsm_init;
450 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
451     ecp_drbg_init( &ctx->drbg_ctx );
452     ctx->drbg_seeded = 0;
453 #endif
454 }
455 
456 /*
457  * Free the components of a restart_mul sub-context
458  */
ecp_restart_rsm_free(mbedtls_ecp_restart_mul_ctx * ctx)459 static void ecp_restart_rsm_free( mbedtls_ecp_restart_mul_ctx *ctx )
460 {
461     unsigned char i;
462 
463     if( ctx == NULL )
464         return;
465 
466     mbedtls_ecp_point_free( &ctx->R );
467 
468     if( ctx->T != NULL )
469     {
470         for( i = 0; i < ctx->T_size; i++ )
471             mbedtls_ecp_point_free( ctx->T + i );
472         mbedtls_free( ctx->T );
473     }
474 
475 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
476     ecp_drbg_free( &ctx->drbg_ctx );
477 #endif
478 
479     ecp_restart_rsm_init( ctx );
480 }
481 
482 /*
483  * Restart context for ecp_muladd()
484  */
485 struct mbedtls_ecp_restart_muladd
486 {
487     mbedtls_ecp_point mP;       /* mP value                             */
488     mbedtls_ecp_point R;        /* R intermediate result                */
489     enum {                      /* what should we do next?              */
490         ecp_rsma_mul1 = 0,      /* first multiplication                 */
491         ecp_rsma_mul2,          /* second multiplication                */
492         ecp_rsma_add,           /* addition                             */
493         ecp_rsma_norm,          /* normalization                        */
494     } state;
495 };
496 
497 /*
498  * Init restart_muladd sub-context
499  */
ecp_restart_ma_init(mbedtls_ecp_restart_muladd_ctx * ctx)500 static void ecp_restart_ma_init( mbedtls_ecp_restart_muladd_ctx *ctx )
501 {
502     mbedtls_ecp_point_init( &ctx->mP );
503     mbedtls_ecp_point_init( &ctx->R );
504     ctx->state = ecp_rsma_mul1;
505 }
506 
507 /*
508  * Free the components of a restart_muladd sub-context
509  */
ecp_restart_ma_free(mbedtls_ecp_restart_muladd_ctx * ctx)510 static void ecp_restart_ma_free( mbedtls_ecp_restart_muladd_ctx *ctx )
511 {
512     if( ctx == NULL )
513         return;
514 
515     mbedtls_ecp_point_free( &ctx->mP );
516     mbedtls_ecp_point_free( &ctx->R );
517 
518     ecp_restart_ma_init( ctx );
519 }
520 
521 /*
522  * Initialize a restart context
523  */
mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx * ctx)524 void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx )
525 {
526     ECP_VALIDATE( ctx != NULL );
527     ctx->ops_done = 0;
528     ctx->depth = 0;
529     ctx->rsm = NULL;
530     ctx->ma = NULL;
531 }
532 
533 /*
534  * Free the components of a restart context
535  */
mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx * ctx)536 void mbedtls_ecp_restart_free( mbedtls_ecp_restart_ctx *ctx )
537 {
538     if( ctx == NULL )
539         return;
540 
541     ecp_restart_rsm_free( ctx->rsm );
542     mbedtls_free( ctx->rsm );
543 
544     ecp_restart_ma_free( ctx->ma );
545     mbedtls_free( ctx->ma );
546 
547     mbedtls_ecp_restart_init( ctx );
548 }
549 
550 /*
551  * Check if we can do the next step
552  */
mbedtls_ecp_check_budget(const mbedtls_ecp_group * grp,mbedtls_ecp_restart_ctx * rs_ctx,unsigned ops)553 int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,
554                               mbedtls_ecp_restart_ctx *rs_ctx,
555                               unsigned ops )
556 {
557     ECP_VALIDATE_RET( grp != NULL );
558 
559     if( rs_ctx != NULL && ecp_max_ops != 0 )
560     {
561         /* scale depending on curve size: the chosen reference is 256-bit,
562          * and multiplication is quadratic. Round to the closest integer. */
563         if( grp->pbits >= 512 )
564             ops *= 4;
565         else if( grp->pbits >= 384 )
566             ops *= 2;
567 
568         /* Avoid infinite loops: always allow first step.
569          * Because of that, however, it's not generally true
570          * that ops_done <= ecp_max_ops, so the check
571          * ops_done > ecp_max_ops below is mandatory. */
572         if( ( rs_ctx->ops_done != 0 ) &&
573             ( rs_ctx->ops_done > ecp_max_ops ||
574               ops > ecp_max_ops - rs_ctx->ops_done ) )
575         {
576             return( MBEDTLS_ERR_ECP_IN_PROGRESS );
577         }
578 
579         /* update running count */
580         rs_ctx->ops_done += ops;
581     }
582 
583     return( 0 );
584 }
585 
586 /* Call this when entering a function that needs its own sub-context */
587 #define ECP_RS_ENTER( SUB )   do {                                      \
588     /* reset ops count for this call if top-level */                    \
589     if( rs_ctx != NULL && rs_ctx->depth++ == 0 )                        \
590         rs_ctx->ops_done = 0;                                           \
591                                                                         \
592     /* set up our own sub-context if needed */                          \
593     if( mbedtls_ecp_restart_is_enabled() &&                             \
594         rs_ctx != NULL && rs_ctx->SUB == NULL )                         \
595     {                                                                   \
596         rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) );      \
597         if( rs_ctx->SUB == NULL )                                       \
598             return( MBEDTLS_ERR_ECP_ALLOC_FAILED );                     \
599                                                                         \
600         ecp_restart_## SUB ##_init( rs_ctx->SUB );                      \
601     }                                                                   \
602 } while( 0 )
603 
604 /* Call this when leaving a function that needs its own sub-context */
605 #define ECP_RS_LEAVE( SUB )   do {                                      \
606     /* clear our sub-context when not in progress (done or error) */    \
607     if( rs_ctx != NULL && rs_ctx->SUB != NULL &&                        \
608         ret != MBEDTLS_ERR_ECP_IN_PROGRESS )                            \
609     {                                                                   \
610         ecp_restart_## SUB ##_free( rs_ctx->SUB );                      \
611         mbedtls_free( rs_ctx->SUB );                                    \
612         rs_ctx->SUB = NULL;                                             \
613     }                                                                   \
614                                                                         \
615     if( rs_ctx != NULL )                                                \
616         rs_ctx->depth--;                                                \
617 } while( 0 )
618 
619 #else /* MBEDTLS_ECP_RESTARTABLE */
620 
621 #define ECP_RS_ENTER( sub )     (void) rs_ctx;
622 #define ECP_RS_LEAVE( sub )     (void) rs_ctx;
623 
624 #endif /* MBEDTLS_ECP_RESTARTABLE */
625 
626 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) ||   \
627     defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||   \
628     defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||   \
629     defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) ||   \
630     defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) ||   \
631     defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)   ||   \
632     defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)   ||   \
633     defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   ||   \
634     defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||   \
635     defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||   \
636     defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
637 #define ECP_SHORTWEIERSTRASS
638 #endif
639 
640 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
641     defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
642 #define ECP_MONTGOMERY
643 #endif
644 
645 /*
646  * Curve types: internal for now, might be exposed later
647  */
648 typedef enum
649 {
650     ECP_TYPE_NONE = 0,
651     ECP_TYPE_SHORT_WEIERSTRASS,    /* y^2 = x^3 + a x + b      */
652     ECP_TYPE_MONTGOMERY,           /* y^2 = x^3 + a x^2 + x    */
653 } ecp_curve_type;
654 
655 /*
656  * List of supported curves:
657  *  - internal ID
658  *  - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2)
659  *  - size in bits
660  *  - readable name
661  *
662  * Curves are listed in order: largest curves first, and for a given size,
663  * fastest curves first. This provides the default order for the SSL module.
664  *
665  * Reminder: update profiles in x509_crt.c when adding a new curves!
666  */
667 static const mbedtls_ecp_curve_info ecp_supported_curves[] =
668 {
669 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
670     { MBEDTLS_ECP_DP_SECP521R1,    25,     521,    "secp521r1"         },
671 #endif
672 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
673     { MBEDTLS_ECP_DP_BP512R1,      28,     512,    "brainpoolP512r1"   },
674 #endif
675 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
676     { MBEDTLS_ECP_DP_SECP384R1,    24,     384,    "secp384r1"         },
677 #endif
678 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
679     { MBEDTLS_ECP_DP_BP384R1,      27,     384,    "brainpoolP384r1"   },
680 #endif
681 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
682     { MBEDTLS_ECP_DP_SECP256R1,    23,     256,    "secp256r1"         },
683 #endif
684 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
685     { MBEDTLS_ECP_DP_SECP256K1,    22,     256,    "secp256k1"         },
686 #endif
687 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
688     { MBEDTLS_ECP_DP_BP256R1,      26,     256,    "brainpoolP256r1"   },
689 #endif
690 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
691     { MBEDTLS_ECP_DP_SECP224R1,    21,     224,    "secp224r1"         },
692 #endif
693 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
694     { MBEDTLS_ECP_DP_SECP224K1,    20,     224,    "secp224k1"         },
695 #endif
696 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
697     { MBEDTLS_ECP_DP_SECP192R1,    19,     192,    "secp192r1"         },
698 #endif
699 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
700     { MBEDTLS_ECP_DP_SECP192K1,    18,     192,    "secp192k1"         },
701 #endif
702     { MBEDTLS_ECP_DP_NONE,          0,     0,      NULL                },
703 };
704 
705 #define ECP_NB_CURVES   sizeof( ecp_supported_curves ) /    \
706                         sizeof( ecp_supported_curves[0] )
707 
708 static mbedtls_ecp_group_id ecp_supported_grp_id[ECP_NB_CURVES];
709 
710 /*
711  * List of supported curves and associated info
712  */
mbedtls_ecp_curve_list(void)713 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void )
714 {
715     return( ecp_supported_curves );
716 }
717 
718 /*
719  * List of supported curves, group ID only
720  */
mbedtls_ecp_grp_id_list(void)721 const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void )
722 {
723     static int init_done = 0;
724 
725     if( ! init_done )
726     {
727         size_t i = 0;
728         const mbedtls_ecp_curve_info *curve_info;
729 
730         for( curve_info = mbedtls_ecp_curve_list();
731              curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
732              curve_info++ )
733         {
734             ecp_supported_grp_id[i++] = curve_info->grp_id;
735         }
736         ecp_supported_grp_id[i] = MBEDTLS_ECP_DP_NONE;
737 
738         init_done = 1;
739     }
740 
741     return( ecp_supported_grp_id );
742 }
743 
744 /*
745  * Get the curve info for the internal identifier
746  */
mbedtls_ecp_curve_info_from_grp_id(mbedtls_ecp_group_id grp_id)747 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id )
748 {
749     const mbedtls_ecp_curve_info *curve_info;
750 
751     for( curve_info = mbedtls_ecp_curve_list();
752          curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
753          curve_info++ )
754     {
755         if( curve_info->grp_id == grp_id )
756             return( curve_info );
757     }
758 
759     return( NULL );
760 }
761 
762 /*
763  * Get the curve info from the TLS identifier
764  */
mbedtls_ecp_curve_info_from_tls_id(uint16_t tls_id)765 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id )
766 {
767     const mbedtls_ecp_curve_info *curve_info;
768 
769     for( curve_info = mbedtls_ecp_curve_list();
770          curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
771          curve_info++ )
772     {
773         if( curve_info->tls_id == tls_id )
774             return( curve_info );
775     }
776 
777     return( NULL );
778 }
779 
780 /*
781  * Get the curve info from the name
782  */
mbedtls_ecp_curve_info_from_name(const char * name)783 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name )
784 {
785     const mbedtls_ecp_curve_info *curve_info;
786 
787     if( name == NULL )
788         return( NULL );
789 
790     for( curve_info = mbedtls_ecp_curve_list();
791          curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
792          curve_info++ )
793     {
794         if( strcmp( curve_info->name, name ) == 0 )
795             return( curve_info );
796     }
797 
798     return( NULL );
799 }
800 
801 /*
802  * Get the type of a curve
803  */
ecp_get_type(const mbedtls_ecp_group * grp)804 static inline ecp_curve_type ecp_get_type( const mbedtls_ecp_group *grp )
805 {
806     if( grp->G.X.p == NULL )
807         return( ECP_TYPE_NONE );
808 
809     if( grp->G.Y.p == NULL )
810         return( ECP_TYPE_MONTGOMERY );
811     else
812         return( ECP_TYPE_SHORT_WEIERSTRASS );
813 }
814 
815 /*
816  * Initialize (the components of) a point
817  */
mbedtls_ecp_point_init(mbedtls_ecp_point * pt)818 void mbedtls_ecp_point_init( mbedtls_ecp_point *pt )
819 {
820     ECP_VALIDATE( pt != NULL );
821 
822     mbedtls_mpi_init( &pt->X );
823     mbedtls_mpi_init( &pt->Y );
824     mbedtls_mpi_init( &pt->Z );
825 }
826 
827 /*
828  * Initialize (the components of) a group
829  */
mbedtls_ecp_group_init(mbedtls_ecp_group * grp)830 void mbedtls_ecp_group_init( mbedtls_ecp_group *grp )
831 {
832     ECP_VALIDATE( grp != NULL );
833 
834     grp->id = MBEDTLS_ECP_DP_NONE;
835     mbedtls_mpi_init( &grp->P );
836     mbedtls_mpi_init( &grp->A );
837     mbedtls_mpi_init( &grp->B );
838     mbedtls_ecp_point_init( &grp->G );
839     mbedtls_mpi_init( &grp->N );
840     grp->pbits = 0;
841     grp->nbits = 0;
842     grp->h = 0;
843     grp->modp = NULL;
844     grp->t_pre = NULL;
845     grp->t_post = NULL;
846     grp->t_data = NULL;
847     grp->T = NULL;
848     grp->T_size = 0;
849 }
850 
851 /*
852  * Initialize (the components of) a key pair
853  */
mbedtls_ecp_keypair_init(mbedtls_ecp_keypair * key)854 void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key )
855 {
856     ECP_VALIDATE( key != NULL );
857 
858     mbedtls_ecp_group_init( &key->grp );
859     mbedtls_mpi_init( &key->d );
860     mbedtls_ecp_point_init( &key->Q );
861 }
862 
863 /*
864  * Unallocate (the components of) a point
865  */
mbedtls_ecp_point_free(mbedtls_ecp_point * pt)866 void mbedtls_ecp_point_free( mbedtls_ecp_point *pt )
867 {
868     if( pt == NULL )
869         return;
870 
871     mbedtls_mpi_free( &( pt->X ) );
872     mbedtls_mpi_free( &( pt->Y ) );
873     mbedtls_mpi_free( &( pt->Z ) );
874 }
875 
876 /*
877  * Unallocate (the components of) a group
878  */
mbedtls_ecp_group_free(mbedtls_ecp_group * grp)879 void mbedtls_ecp_group_free( mbedtls_ecp_group *grp )
880 {
881     size_t i;
882 
883     if( grp == NULL )
884         return;
885 
886     if( grp->h != 1 )
887     {
888         mbedtls_mpi_free( &grp->P );
889         mbedtls_mpi_free( &grp->A );
890         mbedtls_mpi_free( &grp->B );
891         mbedtls_ecp_point_free( &grp->G );
892         mbedtls_mpi_free( &grp->N );
893     }
894 
895     if( grp->T != NULL )
896     {
897         for( i = 0; i < grp->T_size; i++ )
898             mbedtls_ecp_point_free( &grp->T[i] );
899         mbedtls_free( grp->T );
900     }
901 
902     mbedtls_platform_zeroize( grp, sizeof( mbedtls_ecp_group ) );
903 }
904 
905 /*
906  * Unallocate (the components of) a key pair
907  */
mbedtls_ecp_keypair_free(mbedtls_ecp_keypair * key)908 void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key )
909 {
910     if( key == NULL )
911         return;
912 
913     mbedtls_ecp_group_free( &key->grp );
914     mbedtls_mpi_free( &key->d );
915     mbedtls_ecp_point_free( &key->Q );
916 }
917 
918 /*
919  * Copy the contents of a point
920  */
mbedtls_ecp_copy(mbedtls_ecp_point * P,const mbedtls_ecp_point * Q)921 int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q )
922 {
923     int ret;
924     ECP_VALIDATE_RET( P != NULL );
925     ECP_VALIDATE_RET( Q != NULL );
926 
927     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->X, &Q->X ) );
928     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->Y, &Q->Y ) );
929     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->Z, &Q->Z ) );
930 
931 cleanup:
932     return( ret );
933 }
934 
935 /*
936  * Copy the contents of a group object
937  */
mbedtls_ecp_group_copy(mbedtls_ecp_group * dst,const mbedtls_ecp_group * src)938 int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src )
939 {
940     ECP_VALIDATE_RET( dst != NULL );
941     ECP_VALIDATE_RET( src != NULL );
942 
943     return( mbedtls_ecp_group_load( dst, src->id ) );
944 }
945 
946 /*
947  * Set point to zero
948  */
mbedtls_ecp_set_zero(mbedtls_ecp_point * pt)949 int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt )
950 {
951     int ret;
952     ECP_VALIDATE_RET( pt != NULL );
953 
954     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->X , 1 ) );
955     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Y , 1 ) );
956     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z , 0 ) );
957 
958 cleanup:
959     return( ret );
960 }
961 
962 /*
963  * Tell if a point is zero
964  */
mbedtls_ecp_is_zero(mbedtls_ecp_point * pt)965 int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt )
966 {
967     ECP_VALIDATE_RET( pt != NULL );
968 
969     return( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 );
970 }
971 
972 /*
973  * Compare two points lazily
974  */
mbedtls_ecp_point_cmp(const mbedtls_ecp_point * P,const mbedtls_ecp_point * Q)975 int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
976                            const mbedtls_ecp_point *Q )
977 {
978     ECP_VALIDATE_RET( P != NULL );
979     ECP_VALIDATE_RET( Q != NULL );
980 
981     if( mbedtls_mpi_cmp_mpi( &P->X, &Q->X ) == 0 &&
982         mbedtls_mpi_cmp_mpi( &P->Y, &Q->Y ) == 0 &&
983         mbedtls_mpi_cmp_mpi( &P->Z, &Q->Z ) == 0 )
984     {
985         return( 0 );
986     }
987 
988     return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
989 }
990 
991 /*
992  * Import a non-zero point from ASCII strings
993  */
mbedtls_ecp_point_read_string(mbedtls_ecp_point * P,int radix,const char * x,const char * y)994 int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
995                            const char *x, const char *y )
996 {
997     int ret;
998     ECP_VALIDATE_RET( P != NULL );
999     ECP_VALIDATE_RET( x != NULL );
1000     ECP_VALIDATE_RET( y != NULL );
1001 
1002     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->X, radix, x ) );
1003     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->Y, radix, y ) );
1004     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) );
1005 
1006 cleanup:
1007     return( ret );
1008 }
1009 
1010 /*
1011  * Export a point into unsigned binary data (SEC1 2.3.3)
1012  */
mbedtls_ecp_point_write_binary(const mbedtls_ecp_group * grp,const mbedtls_ecp_point * P,int format,size_t * olen,unsigned char * buf,size_t buflen)1013 int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp,
1014                                     const mbedtls_ecp_point *P,
1015                                     int format, size_t *olen,
1016                                     unsigned char *buf, size_t buflen )
1017 {
1018     int ret = 0;
1019     size_t plen;
1020     ECP_VALIDATE_RET( grp  != NULL );
1021     ECP_VALIDATE_RET( P    != NULL );
1022     ECP_VALIDATE_RET( olen != NULL );
1023     ECP_VALIDATE_RET( buf  != NULL );
1024     ECP_VALIDATE_RET( format == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1025                       format == MBEDTLS_ECP_PF_COMPRESSED );
1026 
1027     /*
1028      * Common case: P == 0
1029      */
1030     if( mbedtls_mpi_cmp_int( &P->Z, 0 ) == 0 )
1031     {
1032         if( buflen < 1 )
1033             return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
1034 
1035         buf[0] = 0x00;
1036         *olen = 1;
1037 
1038         return( 0 );
1039     }
1040 
1041     plen = mbedtls_mpi_size( &grp->P );
1042 
1043     if( format == MBEDTLS_ECP_PF_UNCOMPRESSED )
1044     {
1045         *olen = 2 * plen + 1;
1046 
1047         if( buflen < *olen )
1048             return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
1049 
1050         buf[0] = 0x04;
1051         MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->X, buf + 1, plen ) );
1052         MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->Y, buf + 1 + plen, plen ) );
1053     }
1054     else if( format == MBEDTLS_ECP_PF_COMPRESSED )
1055     {
1056         *olen = plen + 1;
1057 
1058         if( buflen < *olen )
1059             return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
1060 
1061         buf[0] = 0x02 + mbedtls_mpi_get_bit( &P->Y, 0 );
1062         MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->X, buf + 1, plen ) );
1063     }
1064 
1065 cleanup:
1066     return( ret );
1067 }
1068 
1069 /*
1070  * Import a point from unsigned binary data (SEC1 2.3.4)
1071  */
mbedtls_ecp_point_read_binary(const mbedtls_ecp_group * grp,mbedtls_ecp_point * pt,const unsigned char * buf,size_t ilen)1072 int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp,
1073                                    mbedtls_ecp_point *pt,
1074                                    const unsigned char *buf, size_t ilen )
1075 {
1076     int ret;
1077     size_t plen;
1078     ECP_VALIDATE_RET( grp != NULL );
1079     ECP_VALIDATE_RET( pt  != NULL );
1080     ECP_VALIDATE_RET( buf != NULL );
1081 
1082     if( ilen < 1 )
1083         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1084 
1085     if( buf[0] == 0x00 )
1086     {
1087         if( ilen == 1 )
1088             return( mbedtls_ecp_set_zero( pt ) );
1089         else
1090             return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1091     }
1092 
1093     plen = mbedtls_mpi_size( &grp->P );
1094 
1095     if( buf[0] != 0x04 )
1096         return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
1097 
1098     if( ilen != 2 * plen + 1 )
1099         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1100 
1101     MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &pt->X, buf + 1, plen ) );
1102     MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &pt->Y, buf + 1 + plen, plen ) );
1103     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z, 1 ) );
1104 
1105 cleanup:
1106     return( ret );
1107 }
1108 
1109 /*
1110  * Import a point from a TLS ECPoint record (RFC 4492)
1111  *      struct {
1112  *          opaque point <1..2^8-1>;
1113  *      } ECPoint;
1114  */
mbedtls_ecp_tls_read_point(const mbedtls_ecp_group * grp,mbedtls_ecp_point * pt,const unsigned char ** buf,size_t buf_len)1115 int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp,
1116                                 mbedtls_ecp_point *pt,
1117                                 const unsigned char **buf, size_t buf_len )
1118 {
1119     unsigned char data_len;
1120     const unsigned char *buf_start;
1121     ECP_VALIDATE_RET( grp != NULL );
1122     ECP_VALIDATE_RET( pt  != NULL );
1123     ECP_VALIDATE_RET( buf != NULL );
1124     ECP_VALIDATE_RET( *buf != NULL );
1125 
1126     /*
1127      * We must have at least two bytes (1 for length, at least one for data)
1128      */
1129     if( buf_len < 2 )
1130         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1131 
1132     data_len = *(*buf)++;
1133     if( data_len < 1 || data_len > buf_len - 1 )
1134         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1135 
1136     /*
1137      * Save buffer start for read_binary and update buf
1138      */
1139     buf_start = *buf;
1140     *buf += data_len;
1141 
1142     return( mbedtls_ecp_point_read_binary( grp, pt, buf_start, data_len ) );
1143 }
1144 
1145 /*
1146  * Export a point as a TLS ECPoint record (RFC 4492)
1147  *      struct {
1148  *          opaque point <1..2^8-1>;
1149  *      } ECPoint;
1150  */
mbedtls_ecp_tls_write_point(const mbedtls_ecp_group * grp,const mbedtls_ecp_point * pt,int format,size_t * olen,unsigned char * buf,size_t blen)1151 int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
1152                          int format, size_t *olen,
1153                          unsigned char *buf, size_t blen )
1154 {
1155     int ret;
1156     ECP_VALIDATE_RET( grp  != NULL );
1157     ECP_VALIDATE_RET( pt   != NULL );
1158     ECP_VALIDATE_RET( olen != NULL );
1159     ECP_VALIDATE_RET( buf  != NULL );
1160     ECP_VALIDATE_RET( format == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1161                       format == MBEDTLS_ECP_PF_COMPRESSED );
1162 
1163     /*
1164      * buffer length must be at least one, for our length byte
1165      */
1166     if( blen < 1 )
1167         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1168 
1169     if( ( ret = mbedtls_ecp_point_write_binary( grp, pt, format,
1170                     olen, buf + 1, blen - 1) ) != 0 )
1171         return( ret );
1172 
1173     /*
1174      * write length to the first byte and update total length
1175      */
1176     buf[0] = (unsigned char) *olen;
1177     ++*olen;
1178 
1179     return( 0 );
1180 }
1181 
1182 /*
1183  * Set a group from an ECParameters record (RFC 4492)
1184  */
mbedtls_ecp_tls_read_group(mbedtls_ecp_group * grp,const unsigned char ** buf,size_t len)1185 int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp,
1186                                 const unsigned char **buf, size_t len )
1187 {
1188     int ret;
1189     mbedtls_ecp_group_id grp_id;
1190     ECP_VALIDATE_RET( grp  != NULL );
1191     ECP_VALIDATE_RET( buf  != NULL );
1192     ECP_VALIDATE_RET( *buf != NULL );
1193 
1194     if( ( ret = mbedtls_ecp_tls_read_group_id( &grp_id, buf, len ) ) != 0 )
1195         return( ret );
1196 
1197     return( mbedtls_ecp_group_load( grp, grp_id ) );
1198 }
1199 
1200 /*
1201  * Read a group id from an ECParameters record (RFC 4492) and convert it to
1202  * mbedtls_ecp_group_id.
1203  */
mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id * grp,const unsigned char ** buf,size_t len)1204 int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp,
1205                                    const unsigned char **buf, size_t len )
1206 {
1207     uint16_t tls_id;
1208     const mbedtls_ecp_curve_info *curve_info;
1209     ECP_VALIDATE_RET( grp  != NULL );
1210     ECP_VALIDATE_RET( buf  != NULL );
1211     ECP_VALIDATE_RET( *buf != NULL );
1212 
1213     /*
1214      * We expect at least three bytes (see below)
1215      */
1216     if( len < 3 )
1217         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1218 
1219     /*
1220      * First byte is curve_type; only named_curve is handled
1221      */
1222     if( *(*buf)++ != MBEDTLS_ECP_TLS_NAMED_CURVE )
1223         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1224 
1225     /*
1226      * Next two bytes are the namedcurve value
1227      */
1228     tls_id = *(*buf)++;
1229     tls_id <<= 8;
1230     tls_id |= *(*buf)++;
1231 
1232     if( ( curve_info = mbedtls_ecp_curve_info_from_tls_id( tls_id ) ) == NULL )
1233         return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
1234 
1235     *grp = curve_info->grp_id;
1236 
1237     return( 0 );
1238 }
1239 
1240 /*
1241  * Write the ECParameters record corresponding to a group (RFC 4492)
1242  */
mbedtls_ecp_tls_write_group(const mbedtls_ecp_group * grp,size_t * olen,unsigned char * buf,size_t blen)1243 int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
1244                          unsigned char *buf, size_t blen )
1245 {
1246     const mbedtls_ecp_curve_info *curve_info;
1247     ECP_VALIDATE_RET( grp  != NULL );
1248     ECP_VALIDATE_RET( buf  != NULL );
1249     ECP_VALIDATE_RET( olen != NULL );
1250 
1251     if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( grp->id ) ) == NULL )
1252         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1253 
1254     /*
1255      * We are going to write 3 bytes (see below)
1256      */
1257     *olen = 3;
1258     if( blen < *olen )
1259         return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
1260 
1261     /*
1262      * First byte is curve_type, always named_curve
1263      */
1264     *buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
1265 
1266     /*
1267      * Next two bytes are the namedcurve value
1268      */
1269     buf[0] = curve_info->tls_id >> 8;
1270     buf[1] = curve_info->tls_id & 0xFF;
1271 
1272     return( 0 );
1273 }
1274 
1275 /*
1276  * Wrapper around fast quasi-modp functions, with fall-back to mbedtls_mpi_mod_mpi.
1277  * See the documentation of struct mbedtls_ecp_group.
1278  *
1279  * This function is in the critial loop for mbedtls_ecp_mul, so pay attention to perf.
1280  */
ecp_modp(mbedtls_mpi * N,const mbedtls_ecp_group * grp)1281 static int ecp_modp( mbedtls_mpi *N, const mbedtls_ecp_group *grp )
1282 {
1283     int ret;
1284 
1285     if( grp->modp == NULL )
1286         return( mbedtls_mpi_mod_mpi( N, N, &grp->P ) );
1287 
1288     /* N->s < 0 is a much faster test, which fails only if N is 0 */
1289     if( ( N->s < 0 && mbedtls_mpi_cmp_int( N, 0 ) != 0 ) ||
1290         mbedtls_mpi_bitlen( N ) > 2 * grp->pbits )
1291     {
1292         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1293     }
1294 
1295     MBEDTLS_MPI_CHK( grp->modp( N ) );
1296 
1297     /* N->s < 0 is a much faster test, which fails only if N is 0 */
1298     while( N->s < 0 && mbedtls_mpi_cmp_int( N, 0 ) != 0 )
1299         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &grp->P ) );
1300 
1301     while( mbedtls_mpi_cmp_mpi( N, &grp->P ) >= 0 )
1302         /* we known P, N and the result are positive */
1303         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, N, &grp->P ) );
1304 
1305 cleanup:
1306     return( ret );
1307 }
1308 
1309 /*
1310  * Fast mod-p functions expect their argument to be in the 0..p^2 range.
1311  *
1312  * In order to guarantee that, we need to ensure that operands of
1313  * mbedtls_mpi_mul_mpi are in the 0..p range. So, after each operation we will
1314  * bring the result back to this range.
1315  *
1316  * The following macros are shortcuts for doing that.
1317  */
1318 
1319 /*
1320  * Reduce a mbedtls_mpi mod p in-place, general case, to use after mbedtls_mpi_mul_mpi
1321  */
1322 #if defined(MBEDTLS_SELF_TEST)
1323 #define INC_MUL_COUNT   mul_count++;
1324 #else
1325 #define INC_MUL_COUNT
1326 #endif
1327 
1328 #define MOD_MUL( N )                                                    \
1329     do                                                                  \
1330     {                                                                   \
1331         MBEDTLS_MPI_CHK( ecp_modp( &(N), grp ) );                       \
1332         INC_MUL_COUNT                                                   \
1333     } while( 0 )
1334 
1335 /*
1336  * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
1337  * N->s < 0 is a very fast test, which fails only if N is 0
1338  */
1339 #define MOD_SUB( N )                                                    \
1340     while( (N).s < 0 && mbedtls_mpi_cmp_int( &(N), 0 ) != 0 )           \
1341         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &(N), &(N), &grp->P ) )
1342 
1343 /*
1344  * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
1345  * We known P, N and the result are positive, so sub_abs is correct, and
1346  * a bit faster.
1347  */
1348 #define MOD_ADD( N )                                                    \
1349     while( mbedtls_mpi_cmp_mpi( &(N), &grp->P ) >= 0 )                  \
1350         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &(N), &(N), &grp->P ) )
1351 
1352 #if defined(ECP_SHORTWEIERSTRASS)
1353 /*
1354  * For curves in short Weierstrass form, we do all the internal operations in
1355  * Jacobian coordinates.
1356  *
1357  * For multiplication, we'll use a comb method with coutermeasueres against
1358  * SPA, hence timing attacks.
1359  */
1360 
1361 /*
1362  * Normalize jacobian coordinates so that Z == 0 || Z == 1  (GECC 3.2.1)
1363  * Cost: 1N := 1I + 3M + 1S
1364  */
ecp_normalize_jac(const mbedtls_ecp_group * grp,mbedtls_ecp_point * pt)1365 static int ecp_normalize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt )
1366 {
1367     int ret;
1368     mbedtls_mpi Zi, ZZi;
1369 
1370     if( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 )
1371         return( 0 );
1372 
1373 #if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
1374     if( mbedtls_internal_ecp_grp_capable( grp ) )
1375         return( mbedtls_internal_ecp_normalize_jac( grp, pt ) );
1376 #endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
1377 
1378     mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi );
1379 
1380     /*
1381      * X = X / Z^2  mod p
1382      */
1383     MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &Zi,      &pt->Z,     &grp->P ) );
1384     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ZZi,     &Zi,        &Zi     ) ); MOD_MUL( ZZi );
1385     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->X,   &pt->X,     &ZZi    ) ); MOD_MUL( pt->X );
1386 
1387     /*
1388      * Y = Y / Z^3  mod p
1389      */
1390     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &ZZi    ) ); MOD_MUL( pt->Y );
1391     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &Zi     ) ); MOD_MUL( pt->Y );
1392 
1393     /*
1394      * Z = 1
1395      */
1396     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z, 1 ) );
1397 
1398 cleanup:
1399 
1400     mbedtls_mpi_free( &Zi ); mbedtls_mpi_free( &ZZi );
1401 
1402     return( ret );
1403 }
1404 
1405 /*
1406  * Normalize jacobian coordinates of an array of (pointers to) points,
1407  * using Montgomery's trick to perform only one inversion mod P.
1408  * (See for example Cohen's "A Course in Computational Algebraic Number
1409  * Theory", Algorithm 10.3.4.)
1410  *
1411  * Warning: fails (returning an error) if one of the points is zero!
1412  * This should never happen, see choice of w in ecp_mul_comb().
1413  *
1414  * Cost: 1N(t) := 1I + (6t - 3)M + 1S
1415  */
ecp_normalize_jac_many(const mbedtls_ecp_group * grp,mbedtls_ecp_point * T[],size_t T_size)1416 static int ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
1417                                    mbedtls_ecp_point *T[], size_t T_size )
1418 {
1419     int ret;
1420     size_t i;
1421     mbedtls_mpi *c, u, Zi, ZZi;
1422 
1423     if( T_size < 2 )
1424         return( ecp_normalize_jac( grp, *T ) );
1425 
1426 #if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
1427     if( mbedtls_internal_ecp_grp_capable( grp ) )
1428         return( mbedtls_internal_ecp_normalize_jac_many( grp, T, T_size ) );
1429 #endif
1430 
1431     if( ( c = mbedtls_calloc( T_size, sizeof( mbedtls_mpi ) ) ) == NULL )
1432         return( MBEDTLS_ERR_ECP_ALLOC_FAILED );
1433 
1434     for( i = 0; i < T_size; i++ )
1435         mbedtls_mpi_init( &c[i] );
1436 
1437     mbedtls_mpi_init( &u ); mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi );
1438 
1439     /*
1440      * c[i] = Z_0 * ... * Z_i
1441      */
1442     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &c[0], &T[0]->Z ) );
1443     for( i = 1; i < T_size; i++ )
1444     {
1445         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &c[i], &c[i-1], &T[i]->Z ) );
1446         MOD_MUL( c[i] );
1447     }
1448 
1449     /*
1450      * u = 1 / (Z_0 * ... * Z_n) mod P
1451      */
1452     MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &u, &c[T_size-1], &grp->P ) );
1453 
1454     for( i = T_size - 1; ; i-- )
1455     {
1456         /*
1457          * Zi = 1 / Z_i mod p
1458          * u = 1 / (Z_0 * ... * Z_i) mod P
1459          */
1460         if( i == 0 ) {
1461             MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Zi, &u ) );
1462         }
1463         else
1464         {
1465             MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &Zi, &u, &c[i-1]  ) ); MOD_MUL( Zi );
1466             MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u,  &u, &T[i]->Z ) ); MOD_MUL( u );
1467         }
1468 
1469         /*
1470          * proceed as in normalize()
1471          */
1472         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ZZi,     &Zi,      &Zi  ) ); MOD_MUL( ZZi );
1473         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->X, &T[i]->X, &ZZi ) ); MOD_MUL( T[i]->X );
1474         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->Y, &T[i]->Y, &ZZi ) ); MOD_MUL( T[i]->Y );
1475         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->Y, &T[i]->Y, &Zi  ) ); MOD_MUL( T[i]->Y );
1476 
1477         /*
1478          * Post-precessing: reclaim some memory by shrinking coordinates
1479          * - not storing Z (always 1)
1480          * - shrinking other coordinates, but still keeping the same number of
1481          *   limbs as P, as otherwise it will too likely be regrown too fast.
1482          */
1483         MBEDTLS_MPI_CHK( mbedtls_mpi_shrink( &T[i]->X, grp->P.n ) );
1484         MBEDTLS_MPI_CHK( mbedtls_mpi_shrink( &T[i]->Y, grp->P.n ) );
1485         mbedtls_mpi_free( &T[i]->Z );
1486 
1487         if( i == 0 )
1488             break;
1489     }
1490 
1491 cleanup:
1492 
1493     mbedtls_mpi_free( &u ); mbedtls_mpi_free( &Zi ); mbedtls_mpi_free( &ZZi );
1494     for( i = 0; i < T_size; i++ )
1495         mbedtls_mpi_free( &c[i] );
1496     mbedtls_free( c );
1497 
1498     return( ret );
1499 }
1500 
1501 /*
1502  * Conditional point inversion: Q -> -Q = (Q.X, -Q.Y, Q.Z) without leak.
1503  * "inv" must be 0 (don't invert) or 1 (invert) or the result will be invalid
1504  */
ecp_safe_invert_jac(const mbedtls_ecp_group * grp,mbedtls_ecp_point * Q,unsigned char inv)1505 static int ecp_safe_invert_jac( const mbedtls_ecp_group *grp,
1506                             mbedtls_ecp_point *Q,
1507                             unsigned char inv )
1508 {
1509     int ret;
1510     unsigned char nonzero;
1511     mbedtls_mpi mQY;
1512 
1513     mbedtls_mpi_init( &mQY );
1514 
1515     /* Use the fact that -Q.Y mod P = P - Q.Y unless Q.Y == 0 */
1516     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &mQY, &grp->P, &Q->Y ) );
1517     nonzero = mbedtls_mpi_cmp_int( &Q->Y, 0 ) != 0;
1518     MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &Q->Y, &mQY, inv & nonzero ) );
1519 
1520 cleanup:
1521     mbedtls_mpi_free( &mQY );
1522 
1523     return( ret );
1524 }
1525 
1526 /*
1527  * Point doubling R = 2 P, Jacobian coordinates
1528  *
1529  * Based on http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2 .
1530  *
1531  * We follow the variable naming fairly closely. The formula variations that trade a MUL for a SQR
1532  * (plus a few ADDs) aren't useful as our bignum implementation doesn't distinguish squaring.
1533  *
1534  * Standard optimizations are applied when curve parameter A is one of { 0, -3 }.
1535  *
1536  * Cost: 1D := 3M + 4S          (A ==  0)
1537  *             4M + 4S          (A == -3)
1538  *             3M + 6S + 1a     otherwise
1539  */
ecp_double_jac(const mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_ecp_point * P)1540 static int ecp_double_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
1541                            const mbedtls_ecp_point *P )
1542 {
1543     int ret;
1544     mbedtls_mpi M, S, T, U;
1545 
1546 #if defined(MBEDTLS_SELF_TEST)
1547     dbl_count++;
1548 #endif
1549 
1550 #if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
1551     if( mbedtls_internal_ecp_grp_capable( grp ) )
1552         return( mbedtls_internal_ecp_double_jac( grp, R, P ) );
1553 #endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
1554 
1555     mbedtls_mpi_init( &M ); mbedtls_mpi_init( &S ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &U );
1556 
1557     /* Special case for A = -3 */
1558     if( grp->A.p == NULL )
1559     {
1560         /* M = 3(X + Z^2)(X - Z^2) */
1561         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->Z,  &P->Z   ) ); MOD_MUL( S );
1562         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T,  &P->X,  &S      ) ); MOD_ADD( T );
1563         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U,  &P->X,  &S      ) ); MOD_SUB( U );
1564         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &T,     &U      ) ); MOD_MUL( S );
1565         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M,  &S,     3       ) ); MOD_ADD( M );
1566     }
1567     else
1568     {
1569         /* M = 3.X^2 */
1570         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->X,  &P->X   ) ); MOD_MUL( S );
1571         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M,  &S,     3       ) ); MOD_ADD( M );
1572 
1573         /* Optimize away for "koblitz" curves with A = 0 */
1574         if( mbedtls_mpi_cmp_int( &grp->A, 0 ) != 0 )
1575         {
1576             /* M += A.Z^4 */
1577             MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->Z,  &P->Z   ) ); MOD_MUL( S );
1578             MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &S,     &S      ) ); MOD_MUL( T );
1579             MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &T,     &grp->A ) ); MOD_MUL( S );
1580             MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M,  &M,     &S      ) ); MOD_ADD( M );
1581         }
1582     }
1583 
1584     /* S = 4.X.Y^2 */
1585     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &P->Y,  &P->Y   ) ); MOD_MUL( T );
1586     MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T,  1               ) ); MOD_ADD( T );
1587     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->X,  &T      ) ); MOD_MUL( S );
1588     MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &S,  1               ) ); MOD_ADD( S );
1589 
1590     /* U = 8.Y^4 */
1591     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &U,  &T,     &T      ) ); MOD_MUL( U );
1592     MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &U,  1               ) ); MOD_ADD( U );
1593 
1594     /* T = M^2 - 2.S */
1595     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &M,     &M      ) ); MOD_MUL( T );
1596     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T,  &T,     &S      ) ); MOD_SUB( T );
1597     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T,  &T,     &S      ) ); MOD_SUB( T );
1598 
1599     /* S = M(S - T) - U */
1600     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S,  &S,     &T      ) ); MOD_SUB( S );
1601     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &S,     &M      ) ); MOD_MUL( S );
1602     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S,  &S,     &U      ) ); MOD_SUB( S );
1603 
1604     /* U = 2.Y.Z */
1605     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &U,  &P->Y,  &P->Z   ) ); MOD_MUL( U );
1606     MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &U,  1               ) ); MOD_ADD( U );
1607 
1608     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->X, &T ) );
1609     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Y, &S ) );
1610     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Z, &U ) );
1611 
1612 cleanup:
1613     mbedtls_mpi_free( &M ); mbedtls_mpi_free( &S ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &U );
1614 
1615     return( ret );
1616 }
1617 
1618 /*
1619  * Addition: R = P + Q, mixed affine-Jacobian coordinates (GECC 3.22)
1620  *
1621  * The coordinates of Q must be normalized (= affine),
1622  * but those of P don't need to. R is not normalized.
1623  *
1624  * Special cases: (1) P or Q is zero, (2) R is zero, (3) P == Q.
1625  * None of these cases can happen as intermediate step in ecp_mul_comb():
1626  * - at each step, P, Q and R are multiples of the base point, the factor
1627  *   being less than its order, so none of them is zero;
1628  * - Q is an odd multiple of the base point, P an even multiple,
1629  *   due to the choice of precomputed points in the modified comb method.
1630  * So branches for these cases do not leak secret information.
1631  *
1632  * We accept Q->Z being unset (saving memory in tables) as meaning 1.
1633  *
1634  * Cost: 1A := 8M + 3S
1635  */
ecp_add_mixed(const mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_ecp_point * P,const mbedtls_ecp_point * Q)1636 static int ecp_add_mixed( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
1637                           const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q )
1638 {
1639     int ret;
1640     mbedtls_mpi T1, T2, T3, T4, X, Y, Z;
1641 
1642 #if defined(MBEDTLS_SELF_TEST)
1643     add_count++;
1644 #endif
1645 
1646 #if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
1647     if( mbedtls_internal_ecp_grp_capable( grp ) )
1648         return( mbedtls_internal_ecp_add_mixed( grp, R, P, Q ) );
1649 #endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
1650 
1651     /*
1652      * Trivial cases: P == 0 or Q == 0 (case 1)
1653      */
1654     if( mbedtls_mpi_cmp_int( &P->Z, 0 ) == 0 )
1655         return( mbedtls_ecp_copy( R, Q ) );
1656 
1657     if( Q->Z.p != NULL && mbedtls_mpi_cmp_int( &Q->Z, 0 ) == 0 )
1658         return( mbedtls_ecp_copy( R, P ) );
1659 
1660     /*
1661      * Make sure Q coordinates are normalized
1662      */
1663     if( Q->Z.p != NULL && mbedtls_mpi_cmp_int( &Q->Z, 1 ) != 0 )
1664         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1665 
1666     mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); mbedtls_mpi_init( &T3 ); mbedtls_mpi_init( &T4 );
1667     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
1668 
1669     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1,  &P->Z,  &P->Z ) );  MOD_MUL( T1 );
1670     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T2,  &T1,    &P->Z ) );  MOD_MUL( T2 );
1671     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1,  &T1,    &Q->X ) );  MOD_MUL( T1 );
1672     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T2,  &T2,    &Q->Y ) );  MOD_MUL( T2 );
1673     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T1,  &T1,    &P->X ) );  MOD_SUB( T1 );
1674     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T2,  &T2,    &P->Y ) );  MOD_SUB( T2 );
1675 
1676     /* Special cases (2) and (3) */
1677     if( mbedtls_mpi_cmp_int( &T1, 0 ) == 0 )
1678     {
1679         if( mbedtls_mpi_cmp_int( &T2, 0 ) == 0 )
1680         {
1681             ret = ecp_double_jac( grp, R, P );
1682             goto cleanup;
1683         }
1684         else
1685         {
1686             ret = mbedtls_ecp_set_zero( R );
1687             goto cleanup;
1688         }
1689     }
1690 
1691     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &Z,   &P->Z,  &T1   ) );  MOD_MUL( Z  );
1692     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T1,    &T1   ) );  MOD_MUL( T3 );
1693     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T4,  &T3,    &T1   ) );  MOD_MUL( T4 );
1694     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T3,    &P->X ) );  MOD_MUL( T3 );
1695     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1,  &T3,    2     ) );  MOD_ADD( T1 );
1696     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &X,   &T2,    &T2   ) );  MOD_MUL( X  );
1697     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X,   &X,     &T1   ) );  MOD_SUB( X  );
1698     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X,   &X,     &T4   ) );  MOD_SUB( X  );
1699     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T3,  &T3,    &X    ) );  MOD_SUB( T3 );
1700     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T3,    &T2   ) );  MOD_MUL( T3 );
1701     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T4,  &T4,    &P->Y ) );  MOD_MUL( T4 );
1702     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &Y,   &T3,    &T4   ) );  MOD_SUB( Y  );
1703 
1704     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->X, &X ) );
1705     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Y, &Y ) );
1706     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Z, &Z ) );
1707 
1708 cleanup:
1709 
1710     mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); mbedtls_mpi_free( &T3 ); mbedtls_mpi_free( &T4 );
1711     mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
1712 
1713     return( ret );
1714 }
1715 
1716 /*
1717  * Randomize jacobian coordinates:
1718  * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l
1719  * This is sort of the reverse operation of ecp_normalize_jac().
1720  *
1721  * This countermeasure was first suggested in [2].
1722  */
ecp_randomize_jac(const mbedtls_ecp_group * grp,mbedtls_ecp_point * pt,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1723 static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
1724                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
1725 {
1726     int ret;
1727     mbedtls_mpi l, ll;
1728     size_t p_size;
1729     int count = 0;
1730 
1731 #if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
1732     if( mbedtls_internal_ecp_grp_capable( grp ) )
1733         return( mbedtls_internal_ecp_randomize_jac( grp, pt, f_rng, p_rng ) );
1734 #endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
1735 
1736     p_size = ( grp->pbits + 7 ) / 8;
1737     mbedtls_mpi_init( &l ); mbedtls_mpi_init( &ll );
1738 
1739     /* Generate l such that 1 < l < p */
1740     do
1741     {
1742         if( count++ > 30 )
1743         {
1744             ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
1745             goto cleanup;
1746         }
1747 
1748         MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
1749         MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, ( p_size * 8 ) - grp->pbits ) );
1750     }
1751     while( ( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 ) ||
1752            ( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 ) );
1753 
1754     /* Z = l * Z */
1755     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Z,   &pt->Z,     &l  ) ); MOD_MUL( pt->Z );
1756 
1757     /* X = l^2 * X */
1758     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ll,      &l,         &l  ) ); MOD_MUL( ll );
1759     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->X,   &pt->X,     &ll ) ); MOD_MUL( pt->X );
1760 
1761     /* Y = l^3 * Y */
1762     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ll,      &ll,        &l  ) ); MOD_MUL( ll );
1763     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &ll ) ); MOD_MUL( pt->Y );
1764 
1765 cleanup:
1766     mbedtls_mpi_free( &l ); mbedtls_mpi_free( &ll );
1767 
1768     return( ret );
1769 }
1770 
1771 /*
1772  * Check and define parameters used by the comb method (see below for details)
1773  */
1774 #if MBEDTLS_ECP_WINDOW_SIZE < 2 || MBEDTLS_ECP_WINDOW_SIZE > 7
1775 #error "MBEDTLS_ECP_WINDOW_SIZE out of bounds"
1776 #endif
1777 
1778 /* d = ceil( n / w ) */
1779 #define COMB_MAX_D      ( MBEDTLS_ECP_MAX_BITS + 1 ) / 2
1780 
1781 /* number of precomputed points */
1782 #define COMB_MAX_PRE    ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
1783 
1784 /*
1785  * Compute the representation of m that will be used with our comb method.
1786  *
1787  * The basic comb method is described in GECC 3.44 for example. We use a
1788  * modified version that provides resistance to SPA by avoiding zero
1789  * digits in the representation as in [3]. We modify the method further by
1790  * requiring that all K_i be odd, which has the small cost that our
1791  * representation uses one more K_i, due to carries, but saves on the size of
1792  * the precomputed table.
1793  *
1794  * Summary of the comb method and its modifications:
1795  *
1796  * - The goal is to compute m*P for some w*d-bit integer m.
1797  *
1798  * - The basic comb method splits m into the w-bit integers
1799  *   x[0] .. x[d-1] where x[i] consists of the bits in m whose
1800  *   index has residue i modulo d, and computes m * P as
1801  *   S[x[0]] + 2 * S[x[1]] + .. + 2^(d-1) S[x[d-1]], where
1802  *   S[i_{w-1} .. i_0] := i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + i_0 P.
1803  *
1804  * - If it happens that, say, x[i+1]=0 (=> S[x[i+1]]=0), one can replace the sum by
1805  *    .. + 2^{i-1} S[x[i-1]] - 2^i S[x[i]] + 2^{i+1} S[x[i]] + 2^{i+2} S[x[i+2]] ..,
1806  *   thereby successively converting it into a form where all summands
1807  *   are nonzero, at the cost of negative summands. This is the basic idea of [3].
1808  *
1809  * - More generally, even if x[i+1] != 0, we can first transform the sum as
1810  *   .. - 2^i S[x[i]] + 2^{i+1} ( S[x[i]] + S[x[i+1]] ) + 2^{i+2} S[x[i+2]] ..,
1811  *   and then replace S[x[i]] + S[x[i+1]] = S[x[i] ^ x[i+1]] + 2 S[x[i] & x[i+1]].
1812  *   Performing and iterating this procedure for those x[i] that are even
1813  *   (keeping track of carry), we can transform the original sum into one of the form
1814  *   S[x'[0]] +- 2 S[x'[1]] +- .. +- 2^{d-1} S[x'[d-1]] + 2^d S[x'[d]]
1815  *   with all x'[i] odd. It is therefore only necessary to know S at odd indices,
1816  *   which is why we are only computing half of it in the first place in
1817  *   ecp_precompute_comb and accessing it with index abs(i) / 2 in ecp_select_comb.
1818  *
1819  * - For the sake of compactness, only the seven low-order bits of x[i]
1820  *   are used to represent its absolute value (K_i in the paper), and the msb
1821  *   of x[i] encodes the sign (s_i in the paper): it is set if and only if
1822  *   if s_i == -1;
1823  *
1824  * Calling conventions:
1825  * - x is an array of size d + 1
1826  * - w is the size, ie number of teeth, of the comb, and must be between
1827  *   2 and 7 (in practice, between 2 and MBEDTLS_ECP_WINDOW_SIZE)
1828  * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
1829  *   (the result will be incorrect if these assumptions are not satisfied)
1830  */
ecp_comb_recode_core(unsigned char x[],size_t d,unsigned char w,const mbedtls_mpi * m)1831 static void ecp_comb_recode_core( unsigned char x[], size_t d,
1832                                   unsigned char w, const mbedtls_mpi *m )
1833 {
1834     size_t i, j;
1835     unsigned char c, cc, adjust;
1836 
1837     memset( x, 0, d+1 );
1838 
1839     /* First get the classical comb values (except for x_d = 0) */
1840     for( i = 0; i < d; i++ )
1841         for( j = 0; j < w; j++ )
1842             x[i] |= mbedtls_mpi_get_bit( m, i + d * j ) << j;
1843 
1844     /* Now make sure x_1 .. x_d are odd */
1845     c = 0;
1846     for( i = 1; i <= d; i++ )
1847     {
1848         /* Add carry and update it */
1849         cc   = x[i] & c;
1850         x[i] = x[i] ^ c;
1851         c = cc;
1852 
1853         /* Adjust if needed, avoiding branches */
1854         adjust = 1 - ( x[i] & 0x01 );
1855         c   |= x[i] & ( x[i-1] * adjust );
1856         x[i] = x[i] ^ ( x[i-1] * adjust );
1857         x[i-1] |= adjust << 7;
1858     }
1859 }
1860 
1861 /*
1862  * Precompute points for the adapted comb method
1863  *
1864  * Assumption: T must be able to hold 2^{w - 1} elements.
1865  *
1866  * Operation: If i = i_{w-1} ... i_1 is the binary representation of i,
1867  *            sets T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P.
1868  *
1869  * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
1870  *
1871  * Note: Even comb values (those where P would be omitted from the
1872  *       sum defining T[i] above) are not needed in our adaption
1873  *       the comb method. See ecp_comb_recode_core().
1874  *
1875  * This function currently works in four steps:
1876  * (1) [dbl]      Computation of intermediate T[i] for 2-power values of i
1877  * (2) [norm_dbl] Normalization of coordinates of these T[i]
1878  * (3) [add]      Computation of all T[i]
1879  * (4) [norm_add] Normalization of all T[i]
1880  *
1881  * Step 1 can be interrupted but not the others; together with the final
1882  * coordinate normalization they are the largest steps done at once, depending
1883  * on the window size. Here are operation counts for P-256:
1884  *
1885  * step     (2)     (3)     (4)
1886  * w = 5    142     165     208
1887  * w = 4    136      77     160
1888  * w = 3    130      33     136
1889  * w = 2    124      11     124
1890  *
1891  * So if ECC operations are blocking for too long even with a low max_ops
1892  * value, it's useful to set MBEDTLS_ECP_WINDOW_SIZE to a lower value in order
1893  * to minimize maximum blocking time.
1894  */
ecp_precompute_comb(const mbedtls_ecp_group * grp,mbedtls_ecp_point T[],const mbedtls_ecp_point * P,unsigned char w,size_t d,mbedtls_ecp_restart_ctx * rs_ctx)1895 static int ecp_precompute_comb( const mbedtls_ecp_group *grp,
1896                                 mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
1897                                 unsigned char w, size_t d,
1898                                 mbedtls_ecp_restart_ctx *rs_ctx )
1899 {
1900     int ret;
1901     unsigned char i;
1902     size_t j = 0;
1903     const unsigned char T_size = 1U << ( w - 1 );
1904     mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1];
1905 
1906 #if defined(MBEDTLS_ECP_RESTARTABLE)
1907     if( rs_ctx != NULL && rs_ctx->rsm != NULL )
1908     {
1909         if( rs_ctx->rsm->state == ecp_rsm_pre_dbl )
1910             goto dbl;
1911         if( rs_ctx->rsm->state == ecp_rsm_pre_norm_dbl )
1912             goto norm_dbl;
1913         if( rs_ctx->rsm->state == ecp_rsm_pre_add )
1914             goto add;
1915         if( rs_ctx->rsm->state == ecp_rsm_pre_norm_add )
1916             goto norm_add;
1917     }
1918 #else
1919     (void) rs_ctx;
1920 #endif
1921 
1922 #if defined(MBEDTLS_ECP_RESTARTABLE)
1923     if( rs_ctx != NULL && rs_ctx->rsm != NULL )
1924     {
1925         rs_ctx->rsm->state = ecp_rsm_pre_dbl;
1926 
1927         /* initial state for the loop */
1928         rs_ctx->rsm->i = 0;
1929     }
1930 
1931 dbl:
1932 #endif
1933     /*
1934      * Set T[0] = P and
1935      * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
1936      */
1937     MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &T[0], P ) );
1938 
1939 #if defined(MBEDTLS_ECP_RESTARTABLE)
1940     if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0 )
1941         j = rs_ctx->rsm->i;
1942     else
1943 #endif
1944         j = 0;
1945 
1946     for( ; j < d * ( w - 1 ); j++ )
1947     {
1948         MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_DBL );
1949 
1950         i = 1U << ( j / d );
1951         cur = T + i;
1952 
1953         if( j % d == 0 )
1954             MBEDTLS_MPI_CHK( mbedtls_ecp_copy( cur, T + ( i >> 1 ) ) );
1955 
1956         MBEDTLS_MPI_CHK( ecp_double_jac( grp, cur, cur ) );
1957     }
1958 
1959 #if defined(MBEDTLS_ECP_RESTARTABLE)
1960     if( rs_ctx != NULL && rs_ctx->rsm != NULL )
1961         rs_ctx->rsm->state = ecp_rsm_pre_norm_dbl;
1962 
1963 norm_dbl:
1964 #endif
1965     /*
1966      * Normalize current elements in T. As T has holes,
1967      * use an auxiliary array of pointers to elements in T.
1968      */
1969     j = 0;
1970     for( i = 1; i < T_size; i <<= 1 )
1971         TT[j++] = T + i;
1972 
1973     MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV + 6 * j - 2 );
1974 
1975     MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, j ) );
1976 
1977 #if defined(MBEDTLS_ECP_RESTARTABLE)
1978     if( rs_ctx != NULL && rs_ctx->rsm != NULL )
1979         rs_ctx->rsm->state = ecp_rsm_pre_add;
1980 
1981 add:
1982 #endif
1983     /*
1984      * Compute the remaining ones using the minimal number of additions
1985      * Be careful to update T[2^l] only after using it!
1986      */
1987     MBEDTLS_ECP_BUDGET( ( T_size - 1 ) * MBEDTLS_ECP_OPS_ADD );
1988 
1989     for( i = 1; i < T_size; i <<= 1 )
1990     {
1991         j = i;
1992         while( j-- )
1993             MBEDTLS_MPI_CHK( ecp_add_mixed( grp, &T[i + j], &T[j], &T[i] ) );
1994     }
1995 
1996 #if defined(MBEDTLS_ECP_RESTARTABLE)
1997     if( rs_ctx != NULL && rs_ctx->rsm != NULL )
1998         rs_ctx->rsm->state = ecp_rsm_pre_norm_add;
1999 
2000 norm_add:
2001 #endif
2002     /*
2003      * Normalize final elements in T. Even though there are no holes now, we
2004      * still need the auxiliary array for homogeneity with the previous
2005      * call. Also, skip T[0] which is already normalised, being a copy of P.
2006      */
2007     for( j = 0; j + 1 < T_size; j++ )
2008         TT[j] = T + j + 1;
2009 
2010     MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV + 6 * j - 2 );
2011 
2012     MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, j ) );
2013 
2014 cleanup:
2015 #if defined(MBEDTLS_ECP_RESTARTABLE)
2016     if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
2017         ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2018     {
2019         if( rs_ctx->rsm->state == ecp_rsm_pre_dbl )
2020             rs_ctx->rsm->i = j;
2021     }
2022 #endif
2023 
2024     return( ret );
2025 }
2026 
2027 /*
2028  * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
2029  *
2030  * See ecp_comb_recode_core() for background
2031  */
ecp_select_comb(const mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_ecp_point T[],unsigned char T_size,unsigned char i)2032 static int ecp_select_comb( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2033                             const mbedtls_ecp_point T[], unsigned char T_size,
2034                             unsigned char i )
2035 {
2036     int ret;
2037     unsigned char ii, j;
2038 
2039     /* Ignore the "sign" bit and scale down */
2040     ii =  ( i & 0x7Fu ) >> 1;
2041 
2042     /* Read the whole table to thwart cache-based timing attacks */
2043     for( j = 0; j < T_size; j++ )
2044     {
2045         MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &R->X, &T[j].X, j == ii ) );
2046         MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &R->Y, &T[j].Y, j == ii ) );
2047     }
2048 
2049     /* Safely invert result if i is "negative" */
2050     MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, R, i >> 7 ) );
2051 
2052 cleanup:
2053     return( ret );
2054 }
2055 
2056 /*
2057  * Core multiplication algorithm for the (modified) comb method.
2058  * This part is actually common with the basic comb method (GECC 3.44)
2059  *
2060  * Cost: d A + d D + 1 R
2061  */
ecp_mul_comb_core(const mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_ecp_point T[],unsigned char T_size,const unsigned char x[],size_t d,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_ecp_restart_ctx * rs_ctx)2062 static int ecp_mul_comb_core( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2063                               const mbedtls_ecp_point T[], unsigned char T_size,
2064                               const unsigned char x[], size_t d,
2065                               int (*f_rng)(void *, unsigned char *, size_t),
2066                               void *p_rng,
2067                               mbedtls_ecp_restart_ctx *rs_ctx )
2068 {
2069     int ret;
2070     mbedtls_ecp_point Txi;
2071     size_t i;
2072 
2073     mbedtls_ecp_point_init( &Txi );
2074 
2075 #if !defined(MBEDTLS_ECP_RESTARTABLE)
2076     (void) rs_ctx;
2077 #endif
2078 
2079 #if defined(MBEDTLS_ECP_RESTARTABLE)
2080     if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
2081         rs_ctx->rsm->state != ecp_rsm_comb_core )
2082     {
2083         rs_ctx->rsm->i = 0;
2084         rs_ctx->rsm->state = ecp_rsm_comb_core;
2085     }
2086 
2087     /* new 'if' instead of nested for the sake of the 'else' branch */
2088     if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0 )
2089     {
2090         /* restore current index (R already pointing to rs_ctx->rsm->R) */
2091         i = rs_ctx->rsm->i;
2092     }
2093     else
2094 #endif
2095     {
2096         /* Start with a non-zero point and randomize its coordinates */
2097         i = d;
2098         MBEDTLS_MPI_CHK( ecp_select_comb( grp, R, T, T_size, x[i] ) );
2099         MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 1 ) );
2100 #if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
2101         if( f_rng != 0 )
2102 #endif
2103             MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
2104     }
2105 
2106     while( i != 0 )
2107     {
2108         MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_DBL + MBEDTLS_ECP_OPS_ADD );
2109         --i;
2110 
2111         MBEDTLS_MPI_CHK( ecp_double_jac( grp, R, R ) );
2112         MBEDTLS_MPI_CHK( ecp_select_comb( grp, &Txi, T, T_size, x[i] ) );
2113         MBEDTLS_MPI_CHK( ecp_add_mixed( grp, R, R, &Txi ) );
2114     }
2115 
2116 cleanup:
2117 
2118     mbedtls_ecp_point_free( &Txi );
2119 
2120 #if defined(MBEDTLS_ECP_RESTARTABLE)
2121     if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
2122         ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2123     {
2124         rs_ctx->rsm->i = i;
2125         /* no need to save R, already pointing to rs_ctx->rsm->R */
2126     }
2127 #endif
2128 
2129     return( ret );
2130 }
2131 
2132 /*
2133  * Recode the scalar to get constant-time comb multiplication
2134  *
2135  * As the actual scalar recoding needs an odd scalar as a starting point,
2136  * this wrapper ensures that by replacing m by N - m if necessary, and
2137  * informs the caller that the result of multiplication will be negated.
2138  *
2139  * This works because we only support large prime order for Short Weierstrass
2140  * curves, so N is always odd hence either m or N - m is.
2141  *
2142  * See ecp_comb_recode_core() for background.
2143  */
ecp_comb_recode_scalar(const mbedtls_ecp_group * grp,const mbedtls_mpi * m,unsigned char k[COMB_MAX_D+1],size_t d,unsigned char w,unsigned char * parity_trick)2144 static int ecp_comb_recode_scalar( const mbedtls_ecp_group *grp,
2145                                    const mbedtls_mpi *m,
2146                                    unsigned char k[COMB_MAX_D + 1],
2147                                    size_t d,
2148                                    unsigned char w,
2149                                    unsigned char *parity_trick )
2150 {
2151     int ret;
2152     mbedtls_mpi M, mm;
2153 
2154     mbedtls_mpi_init( &M );
2155     mbedtls_mpi_init( &mm );
2156 
2157     /* N is always odd (see above), just make extra sure */
2158     if( mbedtls_mpi_get_bit( &grp->N, 0 ) != 1 )
2159         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
2160 
2161     /* do we need the parity trick? */
2162     *parity_trick = ( mbedtls_mpi_get_bit( m, 0 ) == 0 );
2163 
2164     /* execute parity fix in constant time */
2165     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &M, m ) );
2166     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &mm, &grp->N, m ) );
2167     MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &M, &mm, *parity_trick ) );
2168 
2169     /* actual scalar recoding */
2170     ecp_comb_recode_core( k, d, w, &M );
2171 
2172 cleanup:
2173     mbedtls_mpi_free( &mm );
2174     mbedtls_mpi_free( &M );
2175 
2176     return( ret );
2177 }
2178 
2179 /*
2180  * Perform comb multiplication (for short Weierstrass curves)
2181  * once the auxiliary table has been pre-computed.
2182  *
2183  * Scalar recoding may use a parity trick that makes us compute -m * P,
2184  * if that is the case we'll need to recover m * P at the end.
2185  */
ecp_mul_comb_after_precomp(const mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_mpi * m,const mbedtls_ecp_point * T,unsigned char T_size,unsigned char w,size_t d,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_ecp_restart_ctx * rs_ctx)2186 static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp,
2187                                 mbedtls_ecp_point *R,
2188                                 const mbedtls_mpi *m,
2189                                 const mbedtls_ecp_point *T,
2190                                 unsigned char T_size,
2191                                 unsigned char w,
2192                                 size_t d,
2193                                 int (*f_rng)(void *, unsigned char *, size_t),
2194                                 void *p_rng,
2195                                 mbedtls_ecp_restart_ctx *rs_ctx )
2196 {
2197     int ret;
2198     unsigned char parity_trick;
2199     unsigned char k[COMB_MAX_D + 1];
2200     mbedtls_ecp_point *RR = R;
2201 
2202 #if defined(MBEDTLS_ECP_RESTARTABLE)
2203     if( rs_ctx != NULL && rs_ctx->rsm != NULL )
2204     {
2205         RR = &rs_ctx->rsm->R;
2206 
2207         if( rs_ctx->rsm->state == ecp_rsm_final_norm )
2208             goto final_norm;
2209     }
2210 #endif
2211 
2212     MBEDTLS_MPI_CHK( ecp_comb_recode_scalar( grp, m, k, d, w,
2213                                             &parity_trick ) );
2214     MBEDTLS_MPI_CHK( ecp_mul_comb_core( grp, RR, T, T_size, k, d,
2215                                         f_rng, p_rng, rs_ctx ) );
2216     MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, RR, parity_trick ) );
2217 
2218 #if defined(MBEDTLS_ECP_RESTARTABLE)
2219     if( rs_ctx != NULL && rs_ctx->rsm != NULL )
2220         rs_ctx->rsm->state = ecp_rsm_final_norm;
2221 
2222 final_norm:
2223     MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
2224 #endif
2225     /*
2226      * Knowledge of the jacobian coordinates may leak the last few bits of the
2227      * scalar [1], and since our MPI implementation isn't constant-flow,
2228      * inversion (used for coordinate normalization) may leak the full value
2229      * of its input via side-channels [2].
2230      *
2231      * [1] https://eprint.iacr.org/2003/191
2232      * [2] https://eprint.iacr.org/2020/055
2233      *
2234      * Avoid the leak by randomizing coordinates before we normalize them.
2235      */
2236 #if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
2237     if( f_rng != 0 )
2238 #endif
2239         MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, RR, f_rng, p_rng ) );
2240 
2241     MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
2242 
2243 #if defined(MBEDTLS_ECP_RESTARTABLE)
2244     if( rs_ctx != NULL && rs_ctx->rsm != NULL )
2245         MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, RR ) );
2246 #endif
2247 
2248 cleanup:
2249     return( ret );
2250 }
2251 
2252 /*
2253  * Pick window size based on curve size and whether we optimize for base point
2254  */
ecp_pick_window_size(const mbedtls_ecp_group * grp,unsigned char p_eq_g)2255 static unsigned char ecp_pick_window_size( const mbedtls_ecp_group *grp,
2256                                            unsigned char p_eq_g )
2257 {
2258     unsigned char w;
2259 
2260     /*
2261      * Minimize the number of multiplications, that is minimize
2262      * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
2263      * (see costs of the various parts, with 1S = 1M)
2264      */
2265     w = grp->nbits >= 384 ? 5 : 4;
2266 
2267     /*
2268      * If P == G, pre-compute a bit more, since this may be re-used later.
2269      * Just adding one avoids upping the cost of the first mul too much,
2270      * and the memory cost too.
2271      */
2272     if( p_eq_g )
2273         w++;
2274 
2275     /*
2276      * Make sure w is within bounds.
2277      * (The last test is useful only for very small curves in the test suite.)
2278      */
2279     if( w > MBEDTLS_ECP_WINDOW_SIZE )
2280         w = MBEDTLS_ECP_WINDOW_SIZE;
2281     if( w >= grp->nbits )
2282         w = 2;
2283 
2284     return( w );
2285 }
2286 
2287 /*
2288  * Multiplication using the comb method - for curves in short Weierstrass form
2289  *
2290  * This function is mainly responsible for administrative work:
2291  * - managing the restart context if enabled
2292  * - managing the table of precomputed points (passed between the below two
2293  *   functions): allocation, computation, ownership tranfer, freeing.
2294  *
2295  * It delegates the actual arithmetic work to:
2296  *      ecp_precompute_comb() and ecp_mul_comb_with_precomp()
2297  *
2298  * See comments on ecp_comb_recode_core() regarding the computation strategy.
2299  */
ecp_mul_comb(mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_mpi * m,const mbedtls_ecp_point * P,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_ecp_restart_ctx * rs_ctx)2300 static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2301                          const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2302                          int (*f_rng)(void *, unsigned char *, size_t),
2303                          void *p_rng,
2304                          mbedtls_ecp_restart_ctx *rs_ctx )
2305 {
2306     int ret;
2307     unsigned char w, p_eq_g, i;
2308     size_t d;
2309     unsigned char T_size = 0, T_ok = 0;
2310     mbedtls_ecp_point *T = NULL;
2311 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
2312     ecp_drbg_context drbg_ctx;
2313 
2314     ecp_drbg_init( &drbg_ctx );
2315 #endif
2316 
2317     ECP_RS_ENTER( rsm );
2318 
2319 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
2320     if( f_rng == NULL )
2321     {
2322         /* Adjust pointers */
2323         f_rng = &ecp_drbg_random;
2324 #if defined(MBEDTLS_ECP_RESTARTABLE)
2325         if( rs_ctx != NULL && rs_ctx->rsm != NULL )
2326             p_rng = &rs_ctx->rsm->drbg_ctx;
2327         else
2328 #endif
2329             p_rng = &drbg_ctx;
2330 
2331         /* Initialize internal DRBG if necessary */
2332 #if defined(MBEDTLS_ECP_RESTARTABLE)
2333         if( rs_ctx == NULL || rs_ctx->rsm == NULL ||
2334             rs_ctx->rsm->drbg_seeded == 0 )
2335 #endif
2336         {
2337             const size_t m_len = ( grp->nbits + 7 ) / 8;
2338             MBEDTLS_MPI_CHK( ecp_drbg_seed( p_rng, m, m_len ) );
2339         }
2340 #if defined(MBEDTLS_ECP_RESTARTABLE)
2341         if( rs_ctx != NULL && rs_ctx->rsm != NULL )
2342             rs_ctx->rsm->drbg_seeded = 1;
2343 #endif
2344     }
2345 #endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
2346 
2347     /* Is P the base point ? */
2348 #if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
2349     p_eq_g = ( mbedtls_mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
2350                mbedtls_mpi_cmp_mpi( &P->X, &grp->G.X ) == 0 );
2351 #else
2352     p_eq_g = 0;
2353 #endif
2354 
2355     /* Pick window size and deduce related sizes */
2356     w = ecp_pick_window_size( grp, p_eq_g );
2357     T_size = 1U << ( w - 1 );
2358     d = ( grp->nbits + w - 1 ) / w;
2359 
2360     /* Pre-computed table: do we have it already for the base point? */
2361     if( p_eq_g && grp->T != NULL )
2362     {
2363         /* second pointer to the same table, will be deleted on exit */
2364         T = grp->T;
2365         T_ok = 1;
2366     }
2367     else
2368 #if defined(MBEDTLS_ECP_RESTARTABLE)
2369     /* Pre-computed table: do we have one in progress? complete? */
2370     if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->T != NULL )
2371     {
2372         /* transfer ownership of T from rsm to local function */
2373         T = rs_ctx->rsm->T;
2374         rs_ctx->rsm->T = NULL;
2375         rs_ctx->rsm->T_size = 0;
2376 
2377         /* This effectively jumps to the call to mul_comb_after_precomp() */
2378         T_ok = rs_ctx->rsm->state >= ecp_rsm_comb_core;
2379     }
2380     else
2381 #endif
2382     /* Allocate table if we didn't have any */
2383     {
2384         T = mbedtls_calloc( T_size, sizeof( mbedtls_ecp_point ) );
2385         if( T == NULL )
2386         {
2387             ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
2388             goto cleanup;
2389         }
2390 
2391         for( i = 0; i < T_size; i++ )
2392             mbedtls_ecp_point_init( &T[i] );
2393 
2394         T_ok = 0;
2395     }
2396 
2397     /* Compute table (or finish computing it) if not done already */
2398     if( !T_ok )
2399     {
2400         MBEDTLS_MPI_CHK( ecp_precompute_comb( grp, T, P, w, d, rs_ctx ) );
2401 
2402         if( p_eq_g )
2403         {
2404             /* almost transfer ownership of T to the group, but keep a copy of
2405              * the pointer to use for calling the next function more easily */
2406             grp->T = T;
2407             grp->T_size = T_size;
2408         }
2409     }
2410 
2411     /* Actual comb multiplication using precomputed points */
2412     MBEDTLS_MPI_CHK( ecp_mul_comb_after_precomp( grp, R, m,
2413                                                  T, T_size, w, d,
2414                                                  f_rng, p_rng, rs_ctx ) );
2415 
2416 cleanup:
2417 
2418 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
2419     ecp_drbg_free( &drbg_ctx );
2420 #endif
2421 
2422     /* does T belong to the group? */
2423     if( T == grp->T )
2424         T = NULL;
2425 
2426     /* does T belong to the restart context? */
2427 #if defined(MBEDTLS_ECP_RESTARTABLE)
2428     if( rs_ctx != NULL && rs_ctx->rsm != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS && T != NULL )
2429     {
2430         /* transfer ownership of T from local function to rsm */
2431         rs_ctx->rsm->T_size = T_size;
2432         rs_ctx->rsm->T = T;
2433         T = NULL;
2434     }
2435 #endif
2436 
2437     /* did T belong to us? then let's destroy it! */
2438     if( T != NULL )
2439     {
2440         for( i = 0; i < T_size; i++ )
2441             mbedtls_ecp_point_free( &T[i] );
2442         mbedtls_free( T );
2443     }
2444 
2445     /* don't free R while in progress in case R == P */
2446 #if defined(MBEDTLS_ECP_RESTARTABLE)
2447     if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
2448 #endif
2449     /* prevent caller from using invalid value */
2450     if( ret != 0 )
2451         mbedtls_ecp_point_free( R );
2452 
2453     ECP_RS_LEAVE( rsm );
2454 
2455     return( ret );
2456 }
2457 
2458 #endif /* ECP_SHORTWEIERSTRASS */
2459 
2460 #if defined(ECP_MONTGOMERY)
2461 /*
2462  * For Montgomery curves, we do all the internal arithmetic in projective
2463  * coordinates. Import/export of points uses only the x coordinates, which is
2464  * internaly represented as X / Z.
2465  *
2466  * For scalar multiplication, we'll use a Montgomery ladder.
2467  */
2468 
2469 /*
2470  * Normalize Montgomery x/z coordinates: X = X/Z, Z = 1
2471  * Cost: 1M + 1I
2472  */
ecp_normalize_mxz(const mbedtls_ecp_group * grp,mbedtls_ecp_point * P)2473 static int ecp_normalize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P )
2474 {
2475     int ret;
2476 
2477 #if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
2478     if( mbedtls_internal_ecp_grp_capable( grp ) )
2479         return( mbedtls_internal_ecp_normalize_mxz( grp, P ) );
2480 #endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
2481 
2482     MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &P->Z, &P->Z, &grp->P ) );
2483     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->X, &P->X, &P->Z ) ); MOD_MUL( P->X );
2484     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) );
2485 
2486 cleanup:
2487     return( ret );
2488 }
2489 
2490 /*
2491  * Randomize projective x/z coordinates:
2492  * (X, Z) -> (l X, l Z) for random l
2493  * This is sort of the reverse operation of ecp_normalize_mxz().
2494  *
2495  * This countermeasure was first suggested in [2].
2496  * Cost: 2M
2497  */
ecp_randomize_mxz(const mbedtls_ecp_group * grp,mbedtls_ecp_point * P,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2498 static int ecp_randomize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
2499                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
2500 {
2501     int ret;
2502     mbedtls_mpi l;
2503     size_t p_size;
2504     int count = 0;
2505 
2506 #if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
2507     if( mbedtls_internal_ecp_grp_capable( grp ) )
2508         return( mbedtls_internal_ecp_randomize_mxz( grp, P, f_rng, p_rng ) );
2509 #endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
2510 
2511     p_size = ( grp->pbits + 7 ) / 8;
2512     mbedtls_mpi_init( &l );
2513 
2514     /* Generate l such that 1 < l < p */
2515     do
2516     {
2517         if( count++ > 30 )
2518         {
2519             ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
2520             goto cleanup;
2521         }
2522 
2523         MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
2524         MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, ( p_size * 8 ) - grp->pbits ) );
2525     }
2526     while( ( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 ) ||
2527            ( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 ) );
2528 
2529     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->X, &P->X, &l ) ); MOD_MUL( P->X );
2530     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->Z, &P->Z, &l ) ); MOD_MUL( P->Z );
2531 
2532 cleanup:
2533     mbedtls_mpi_free( &l );
2534 
2535     return( ret );
2536 }
2537 
2538 /*
2539  * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
2540  * for Montgomery curves in x/z coordinates.
2541  *
2542  * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
2543  * with
2544  * d =  X1
2545  * P = (X2, Z2)
2546  * Q = (X3, Z3)
2547  * R = (X4, Z4)
2548  * S = (X5, Z5)
2549  * and eliminating temporary variables tO, ..., t4.
2550  *
2551  * Cost: 5M + 4S
2552  */
ecp_double_add_mxz(const mbedtls_ecp_group * grp,mbedtls_ecp_point * R,mbedtls_ecp_point * S,const mbedtls_ecp_point * P,const mbedtls_ecp_point * Q,const mbedtls_mpi * d)2553 static int ecp_double_add_mxz( const mbedtls_ecp_group *grp,
2554                                mbedtls_ecp_point *R, mbedtls_ecp_point *S,
2555                                const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
2556                                const mbedtls_mpi *d )
2557 {
2558     int ret;
2559     mbedtls_mpi A, AA, B, BB, E, C, D, DA, CB;
2560 
2561 #if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
2562     if( mbedtls_internal_ecp_grp_capable( grp ) )
2563         return( mbedtls_internal_ecp_double_add_mxz( grp, R, S, P, Q, d ) );
2564 #endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
2565 
2566     mbedtls_mpi_init( &A ); mbedtls_mpi_init( &AA ); mbedtls_mpi_init( &B );
2567     mbedtls_mpi_init( &BB ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &C );
2568     mbedtls_mpi_init( &D ); mbedtls_mpi_init( &DA ); mbedtls_mpi_init( &CB );
2569 
2570     MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &A,    &P->X,   &P->Z ) ); MOD_ADD( A    );
2571     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &AA,   &A,      &A    ) ); MOD_MUL( AA   );
2572     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &B,    &P->X,   &P->Z ) ); MOD_SUB( B    );
2573     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &BB,   &B,      &B    ) ); MOD_MUL( BB   );
2574     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &E,    &AA,     &BB   ) ); MOD_SUB( E    );
2575     MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &C,    &Q->X,   &Q->Z ) ); MOD_ADD( C    );
2576     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &D,    &Q->X,   &Q->Z ) ); MOD_SUB( D    );
2577     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DA,   &D,      &A    ) ); MOD_MUL( DA   );
2578     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &CB,   &C,      &B    ) ); MOD_MUL( CB   );
2579     MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &S->X, &DA,     &CB   ) ); MOD_MUL( S->X );
2580     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->X, &S->X,   &S->X ) ); MOD_MUL( S->X );
2581     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S->Z, &DA,     &CB   ) ); MOD_SUB( S->Z );
2582     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->Z, &S->Z,   &S->Z ) ); MOD_MUL( S->Z );
2583     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->Z, d,       &S->Z ) ); MOD_MUL( S->Z );
2584     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->X, &AA,     &BB   ) ); MOD_MUL( R->X );
2585     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->Z, &grp->A, &E    ) ); MOD_MUL( R->Z );
2586     MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &R->Z, &BB,     &R->Z ) ); MOD_ADD( R->Z );
2587     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->Z, &E,      &R->Z ) ); MOD_MUL( R->Z );
2588 
2589 cleanup:
2590     mbedtls_mpi_free( &A ); mbedtls_mpi_free( &AA ); mbedtls_mpi_free( &B );
2591     mbedtls_mpi_free( &BB ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &C );
2592     mbedtls_mpi_free( &D ); mbedtls_mpi_free( &DA ); mbedtls_mpi_free( &CB );
2593 
2594     return( ret );
2595 }
2596 
2597 /*
2598  * Multiplication with Montgomery ladder in x/z coordinates,
2599  * for curves in Montgomery form
2600  */
ecp_mul_mxz(mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_mpi * m,const mbedtls_ecp_point * P,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2601 static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2602                         const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2603                         int (*f_rng)(void *, unsigned char *, size_t),
2604                         void *p_rng )
2605 {
2606     int ret;
2607     size_t i;
2608     unsigned char b;
2609     mbedtls_ecp_point RP;
2610     mbedtls_mpi PX;
2611 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
2612     ecp_drbg_context drbg_ctx;
2613 
2614     ecp_drbg_init( &drbg_ctx );
2615 #endif
2616     mbedtls_ecp_point_init( &RP ); mbedtls_mpi_init( &PX );
2617 
2618 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
2619     if( f_rng == NULL )
2620     {
2621         const size_t m_len = ( grp->nbits + 7 ) / 8;
2622         MBEDTLS_MPI_CHK( ecp_drbg_seed( &drbg_ctx, m, m_len ) );
2623         f_rng = &ecp_drbg_random;
2624         p_rng = &drbg_ctx;
2625     }
2626 #endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
2627 
2628     /* Save PX and read from P before writing to R, in case P == R */
2629     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &PX, &P->X ) );
2630     MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &RP, P ) );
2631 
2632     /* Set R to zero in modified x/z coordinates */
2633     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->X, 1 ) );
2634     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 0 ) );
2635     mbedtls_mpi_free( &R->Y );
2636 
2637     /* RP.X might be sligtly larger than P, so reduce it */
2638     MOD_ADD( RP.X );
2639 
2640     /* Randomize coordinates of the starting point */
2641 #if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
2642     if( f_rng != NULL )
2643 #endif
2644         MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );
2645 
2646     /* Loop invariant: R = result so far, RP = R + P */
2647     i = mbedtls_mpi_bitlen( m ); /* one past the (zero-based) most significant bit */
2648     while( i-- > 0 )
2649     {
2650         b = mbedtls_mpi_get_bit( m, i );
2651         /*
2652          *  if (b) R = 2R + P else R = 2R,
2653          * which is:
2654          *  if (b) double_add( RP, R, RP, R )
2655          *  else   double_add( R, RP, R, RP )
2656          * but using safe conditional swaps to avoid leaks
2657          */
2658         MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->X, &RP.X, b ) );
2659         MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
2660         MBEDTLS_MPI_CHK( ecp_double_add_mxz( grp, R, &RP, R, &RP, &PX ) );
2661         MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->X, &RP.X, b ) );
2662         MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
2663     }
2664 
2665     /*
2666      * Knowledge of the projective coordinates may leak the last few bits of the
2667      * scalar [1], and since our MPI implementation isn't constant-flow,
2668      * inversion (used for coordinate normalization) may leak the full value
2669      * of its input via side-channels [2].
2670      *
2671      * [1] https://eprint.iacr.org/2003/191
2672      * [2] https://eprint.iacr.org/2020/055
2673      *
2674      * Avoid the leak by randomizing coordinates before we normalize them.
2675      */
2676 #if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
2677     if( f_rng != NULL )
2678 #endif
2679         MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
2680 
2681     MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
2682 
2683 cleanup:
2684 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
2685     ecp_drbg_free( &drbg_ctx );
2686 #endif
2687 
2688     mbedtls_ecp_point_free( &RP ); mbedtls_mpi_free( &PX );
2689 
2690     return( ret );
2691 }
2692 
2693 #endif /* ECP_MONTGOMERY */
2694 
2695 /*
2696  * Restartable multiplication R = m * P
2697  */
mbedtls_ecp_mul_restartable(mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_mpi * m,const mbedtls_ecp_point * P,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_ecp_restart_ctx * rs_ctx)2698 int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2699              const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2700              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
2701              mbedtls_ecp_restart_ctx *rs_ctx )
2702 {
2703     int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2704 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2705     char is_grp_capable = 0;
2706 #endif
2707     ECP_VALIDATE_RET( grp != NULL );
2708     ECP_VALIDATE_RET( R   != NULL );
2709     ECP_VALIDATE_RET( m   != NULL );
2710     ECP_VALIDATE_RET( P   != NULL );
2711 
2712 #if defined(MBEDTLS_ECP_RESTARTABLE)
2713     /* reset ops count for this call if top-level */
2714     if( rs_ctx != NULL && rs_ctx->depth++ == 0 )
2715         rs_ctx->ops_done = 0;
2716 #endif
2717 
2718 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2719     if( ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp ) ) )
2720         MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) );
2721 #endif /* MBEDTLS_ECP_INTERNAL_ALT */
2722 
2723 #if defined(MBEDTLS_ECP_RESTARTABLE)
2724     /* skip argument check when restarting */
2725     if( rs_ctx == NULL || rs_ctx->rsm == NULL )
2726 #endif
2727     {
2728         /* check_privkey is free */
2729         MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_CHK );
2730 
2731         /* Common sanity checks */
2732         MBEDTLS_MPI_CHK( mbedtls_ecp_check_privkey( grp, m ) );
2733         MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, P ) );
2734     }
2735 
2736     ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2737 #if defined(ECP_MONTGOMERY)
2738     if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
2739         MBEDTLS_MPI_CHK( ecp_mul_mxz( grp, R, m, P, f_rng, p_rng ) );
2740 #endif
2741 #if defined(ECP_SHORTWEIERSTRASS)
2742     if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
2743         MBEDTLS_MPI_CHK( ecp_mul_comb( grp, R, m, P, f_rng, p_rng, rs_ctx ) );
2744 #endif
2745 
2746 cleanup:
2747 
2748 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2749     if( is_grp_capable )
2750         mbedtls_internal_ecp_free( grp );
2751 #endif /* MBEDTLS_ECP_INTERNAL_ALT */
2752 
2753 #if defined(MBEDTLS_ECP_RESTARTABLE)
2754     if( rs_ctx != NULL )
2755         rs_ctx->depth--;
2756 #endif
2757 
2758     return( ret );
2759 }
2760 
2761 /*
2762  * Multiplication R = m * P
2763  */
mbedtls_ecp_mul(mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_mpi * m,const mbedtls_ecp_point * P,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2764 int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2765              const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2766              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
2767 {
2768     ECP_VALIDATE_RET( grp != NULL );
2769     ECP_VALIDATE_RET( R   != NULL );
2770     ECP_VALIDATE_RET( m   != NULL );
2771     ECP_VALIDATE_RET( P   != NULL );
2772     return( mbedtls_ecp_mul_restartable( grp, R, m, P, f_rng, p_rng, NULL ) );
2773 }
2774 
2775 #if defined(ECP_SHORTWEIERSTRASS)
2776 /*
2777  * Check that an affine point is valid as a public key,
2778  * short weierstrass curves (SEC1 3.2.3.1)
2779  */
ecp_check_pubkey_sw(const mbedtls_ecp_group * grp,const mbedtls_ecp_point * pt)2780 static int ecp_check_pubkey_sw( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt )
2781 {
2782     int ret;
2783     mbedtls_mpi YY, RHS;
2784 
2785     /* pt coordinates must be normalized for our checks */
2786     if( mbedtls_mpi_cmp_int( &pt->X, 0 ) < 0 ||
2787         mbedtls_mpi_cmp_int( &pt->Y, 0 ) < 0 ||
2788         mbedtls_mpi_cmp_mpi( &pt->X, &grp->P ) >= 0 ||
2789         mbedtls_mpi_cmp_mpi( &pt->Y, &grp->P ) >= 0 )
2790         return( MBEDTLS_ERR_ECP_INVALID_KEY );
2791 
2792     mbedtls_mpi_init( &YY ); mbedtls_mpi_init( &RHS );
2793 
2794     /*
2795      * YY = Y^2
2796      * RHS = X (X^2 + A) + B = X^3 + A X + B
2797      */
2798     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &YY,  &pt->Y,   &pt->Y  ) );  MOD_MUL( YY  );
2799     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &RHS, &pt->X,   &pt->X  ) );  MOD_MUL( RHS );
2800 
2801     /* Special case for A = -3 */
2802     if( grp->A.p == NULL )
2803     {
2804         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &RHS, &RHS, 3       ) );  MOD_SUB( RHS );
2805     }
2806     else
2807     {
2808         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &RHS, &RHS, &grp->A ) );  MOD_ADD( RHS );
2809     }
2810 
2811     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &RHS, &RHS,     &pt->X  ) );  MOD_MUL( RHS );
2812     MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &RHS, &RHS,     &grp->B ) );  MOD_ADD( RHS );
2813 
2814     if( mbedtls_mpi_cmp_mpi( &YY, &RHS ) != 0 )
2815         ret = MBEDTLS_ERR_ECP_INVALID_KEY;
2816 
2817 cleanup:
2818 
2819     mbedtls_mpi_free( &YY ); mbedtls_mpi_free( &RHS );
2820 
2821     return( ret );
2822 }
2823 #endif /* ECP_SHORTWEIERSTRASS */
2824 
2825 /*
2826  * R = m * P with shortcuts for m == 1 and m == -1
2827  * NOT constant-time - ONLY for short Weierstrass!
2828  */
mbedtls_ecp_mul_shortcuts(mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_mpi * m,const mbedtls_ecp_point * P,mbedtls_ecp_restart_ctx * rs_ctx)2829 static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp,
2830                                       mbedtls_ecp_point *R,
2831                                       const mbedtls_mpi *m,
2832                                       const mbedtls_ecp_point *P,
2833                                       mbedtls_ecp_restart_ctx *rs_ctx )
2834 {
2835     int ret;
2836 
2837     if( mbedtls_mpi_cmp_int( m, 1 ) == 0 )
2838     {
2839         MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) );
2840     }
2841     else if( mbedtls_mpi_cmp_int( m, -1 ) == 0 )
2842     {
2843         MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) );
2844         if( mbedtls_mpi_cmp_int( &R->Y, 0 ) != 0 )
2845             MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &R->Y, &grp->P, &R->Y ) );
2846     }
2847     else
2848     {
2849         MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, R, m, P,
2850                                                       NULL, NULL, rs_ctx ) );
2851     }
2852 
2853 cleanup:
2854     return( ret );
2855 }
2856 
2857 /*
2858  * Restartable linear combination
2859  * NOT constant-time
2860  */
mbedtls_ecp_muladd_restartable(mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_mpi * m,const mbedtls_ecp_point * P,const mbedtls_mpi * n,const mbedtls_ecp_point * Q,mbedtls_ecp_restart_ctx * rs_ctx)2861 int mbedtls_ecp_muladd_restartable(
2862              mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2863              const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2864              const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
2865              mbedtls_ecp_restart_ctx *rs_ctx )
2866 {
2867     int ret;
2868     mbedtls_ecp_point mP;
2869     mbedtls_ecp_point *pmP = &mP;
2870     mbedtls_ecp_point *pR = R;
2871 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2872     char is_grp_capable = 0;
2873 #endif
2874     ECP_VALIDATE_RET( grp != NULL );
2875     ECP_VALIDATE_RET( R   != NULL );
2876     ECP_VALIDATE_RET( m   != NULL );
2877     ECP_VALIDATE_RET( P   != NULL );
2878     ECP_VALIDATE_RET( n   != NULL );
2879     ECP_VALIDATE_RET( Q   != NULL );
2880 
2881     if( ecp_get_type( grp ) != ECP_TYPE_SHORT_WEIERSTRASS )
2882         return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
2883 
2884     mbedtls_ecp_point_init( &mP );
2885 
2886     ECP_RS_ENTER( ma );
2887 
2888 #if defined(MBEDTLS_ECP_RESTARTABLE)
2889     if( rs_ctx != NULL && rs_ctx->ma != NULL )
2890     {
2891         /* redirect intermediate results to restart context */
2892         pmP = &rs_ctx->ma->mP;
2893         pR  = &rs_ctx->ma->R;
2894 
2895         /* jump to next operation */
2896         if( rs_ctx->ma->state == ecp_rsma_mul2 )
2897             goto mul2;
2898         if( rs_ctx->ma->state == ecp_rsma_add )
2899             goto add;
2900         if( rs_ctx->ma->state == ecp_rsma_norm )
2901             goto norm;
2902     }
2903 #endif /* MBEDTLS_ECP_RESTARTABLE */
2904 
2905     MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, pmP, m, P, rs_ctx ) );
2906 #if defined(MBEDTLS_ECP_RESTARTABLE)
2907     if( rs_ctx != NULL && rs_ctx->ma != NULL )
2908         rs_ctx->ma->state = ecp_rsma_mul2;
2909 
2910 mul2:
2911 #endif
2912     MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, pR,  n, Q, rs_ctx ) );
2913 
2914 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2915     if( ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp ) ) )
2916         MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) );
2917 #endif /* MBEDTLS_ECP_INTERNAL_ALT */
2918 
2919 #if defined(MBEDTLS_ECP_RESTARTABLE)
2920     if( rs_ctx != NULL && rs_ctx->ma != NULL )
2921         rs_ctx->ma->state = ecp_rsma_add;
2922 
2923 add:
2924 #endif
2925     MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_ADD );
2926     MBEDTLS_MPI_CHK( ecp_add_mixed( grp, pR, pmP, pR ) );
2927 #if defined(MBEDTLS_ECP_RESTARTABLE)
2928     if( rs_ctx != NULL && rs_ctx->ma != NULL )
2929         rs_ctx->ma->state = ecp_rsma_norm;
2930 
2931 norm:
2932 #endif
2933     MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
2934     MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, pR ) );
2935 
2936 #if defined(MBEDTLS_ECP_RESTARTABLE)
2937     if( rs_ctx != NULL && rs_ctx->ma != NULL )
2938         MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, pR ) );
2939 #endif
2940 
2941 cleanup:
2942 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2943     if( is_grp_capable )
2944         mbedtls_internal_ecp_free( grp );
2945 #endif /* MBEDTLS_ECP_INTERNAL_ALT */
2946 
2947     mbedtls_ecp_point_free( &mP );
2948 
2949     ECP_RS_LEAVE( ma );
2950 
2951     return( ret );
2952 }
2953 
2954 /*
2955  * Linear combination
2956  * NOT constant-time
2957  */
mbedtls_ecp_muladd(mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_mpi * m,const mbedtls_ecp_point * P,const mbedtls_mpi * n,const mbedtls_ecp_point * Q)2958 int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2959              const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2960              const mbedtls_mpi *n, const mbedtls_ecp_point *Q )
2961 {
2962     ECP_VALIDATE_RET( grp != NULL );
2963     ECP_VALIDATE_RET( R   != NULL );
2964     ECP_VALIDATE_RET( m   != NULL );
2965     ECP_VALIDATE_RET( P   != NULL );
2966     ECP_VALIDATE_RET( n   != NULL );
2967     ECP_VALIDATE_RET( Q   != NULL );
2968     return( mbedtls_ecp_muladd_restartable( grp, R, m, P, n, Q, NULL ) );
2969 }
2970 
2971 #if defined(ECP_MONTGOMERY)
2972 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
2973 #define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)}
2974 #define ECP_MPI_INIT_ARRAY(x)   \
2975     ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
2976 /*
2977  * Constants for the two points other than 0, 1, -1 (mod p) in
2978  * https://cr.yp.to/ecdh.html#validate
2979  * See ecp_check_pubkey_x25519().
2980  */
2981 static const mbedtls_mpi_uint x25519_bad_point_1[] = {
2982     MBEDTLS_BYTES_TO_T_UINT_8( 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae ),
2983     MBEDTLS_BYTES_TO_T_UINT_8( 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a ),
2984     MBEDTLS_BYTES_TO_T_UINT_8( 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd ),
2985     MBEDTLS_BYTES_TO_T_UINT_8( 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 ),
2986 };
2987 static const mbedtls_mpi_uint x25519_bad_point_2[] = {
2988     MBEDTLS_BYTES_TO_T_UINT_8( 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24 ),
2989     MBEDTLS_BYTES_TO_T_UINT_8( 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b ),
2990     MBEDTLS_BYTES_TO_T_UINT_8( 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86 ),
2991     MBEDTLS_BYTES_TO_T_UINT_8( 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 ),
2992 };
2993 static const mbedtls_mpi ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY(
2994         x25519_bad_point_1 );
2995 static const mbedtls_mpi ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY(
2996         x25519_bad_point_2 );
2997 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
2998 
2999 /*
3000  * Check that the input point is not one of the low-order points.
3001  * This is recommended by the "May the Fourth" paper:
3002  * https://eprint.iacr.org/2017/806.pdf
3003  * Those points are never sent by an honest peer.
3004  */
ecp_check_bad_points_mx(const mbedtls_mpi * X,const mbedtls_mpi * P,const mbedtls_ecp_group_id grp_id)3005 static int ecp_check_bad_points_mx( const mbedtls_mpi *X, const mbedtls_mpi *P,
3006                                     const mbedtls_ecp_group_id grp_id )
3007 {
3008     int ret;
3009     mbedtls_mpi XmP;
3010 
3011     mbedtls_mpi_init( &XmP );
3012 
3013     /* Reduce X mod P so that we only need to check values less than P.
3014      * We know X < 2^256 so we can proceed by subtraction. */
3015     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &XmP, X ) );
3016     while( mbedtls_mpi_cmp_mpi( &XmP, P ) >= 0 )
3017         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &XmP, &XmP, P ) );
3018 
3019     /* Check against the known bad values that are less than P. For Curve448
3020      * these are 0, 1 and -1. For Curve25519 we check the values less than P
3021      * from the following list: https://cr.yp.to/ecdh.html#validate */
3022     if( mbedtls_mpi_cmp_int( &XmP, 1 ) <= 0 ) /* takes care of 0 and 1 */
3023     {
3024         ret = MBEDTLS_ERR_ECP_INVALID_KEY;
3025         goto cleanup;
3026     }
3027 
3028 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
3029     if( grp_id == MBEDTLS_ECP_DP_CURVE25519 )
3030     {
3031         if( mbedtls_mpi_cmp_mpi( &XmP, &ecp_x25519_bad_point_1 ) == 0 )
3032         {
3033             ret = MBEDTLS_ERR_ECP_INVALID_KEY;
3034             goto cleanup;
3035         }
3036 
3037         if( mbedtls_mpi_cmp_mpi( &XmP, &ecp_x25519_bad_point_2 ) == 0 )
3038         {
3039             ret = MBEDTLS_ERR_ECP_INVALID_KEY;
3040             goto cleanup;
3041         }
3042     }
3043 #else
3044     (void) grp_id;
3045 #endif
3046 
3047     /* Final check: check if XmP + 1 is P (final because it changes XmP!) */
3048     MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &XmP, &XmP, 1 ) );
3049     if( mbedtls_mpi_cmp_mpi( &XmP, P ) == 0 )
3050     {
3051         ret = MBEDTLS_ERR_ECP_INVALID_KEY;
3052         goto cleanup;
3053     }
3054 
3055     ret = 0;
3056 
3057 cleanup:
3058     mbedtls_mpi_free( &XmP );
3059 
3060     return( ret );
3061 }
3062 
3063 /*
3064  * Check validity of a public key for Montgomery curves with x-only schemes
3065  */
ecp_check_pubkey_mx(const mbedtls_ecp_group * grp,const mbedtls_ecp_point * pt)3066 static int ecp_check_pubkey_mx( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt )
3067 {
3068     /* [Curve25519 p. 5] Just check X is the correct number of bytes */
3069     /* Allow any public value, if it's too big then we'll just reduce it mod p
3070      * (RFC 7748 sec. 5 para. 3). */
3071     if( mbedtls_mpi_size( &pt->X ) > ( grp->nbits + 7 ) / 8 )
3072         return( MBEDTLS_ERR_ECP_INVALID_KEY );
3073 
3074     /* Implicit in all standards (as they don't consider negative numbers):
3075      * X must be non-negative. This is normally ensured by the way it's
3076      * encoded for transmission, but let's be extra sure. */
3077     if( mbedtls_mpi_cmp_int( &pt->X, 0 ) < 0 )
3078         return( MBEDTLS_ERR_ECP_INVALID_KEY );
3079 
3080     return( ecp_check_bad_points_mx( &pt->X, &grp->P, grp->id ) );
3081 }
3082 #endif /* ECP_MONTGOMERY */
3083 
3084 /*
3085  * Check that a point is valid as a public key
3086  */
mbedtls_ecp_check_pubkey(const mbedtls_ecp_group * grp,const mbedtls_ecp_point * pt)3087 int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,
3088                               const mbedtls_ecp_point *pt )
3089 {
3090     ECP_VALIDATE_RET( grp != NULL );
3091     ECP_VALIDATE_RET( pt  != NULL );
3092 
3093     /* Must use affine coordinates */
3094     if( mbedtls_mpi_cmp_int( &pt->Z, 1 ) != 0 )
3095         return( MBEDTLS_ERR_ECP_INVALID_KEY );
3096 
3097 #if defined(ECP_MONTGOMERY)
3098     if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
3099         return( ecp_check_pubkey_mx( grp, pt ) );
3100 #endif
3101 #if defined(ECP_SHORTWEIERSTRASS)
3102     if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
3103         return( ecp_check_pubkey_sw( grp, pt ) );
3104 #endif
3105     return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
3106 }
3107 
3108 /*
3109  * Check that an mbedtls_mpi is valid as a private key
3110  */
mbedtls_ecp_check_privkey(const mbedtls_ecp_group * grp,const mbedtls_mpi * d)3111 int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp,
3112                                const mbedtls_mpi *d )
3113 {
3114     ECP_VALIDATE_RET( grp != NULL );
3115     ECP_VALIDATE_RET( d   != NULL );
3116 
3117 #if defined(ECP_MONTGOMERY)
3118     if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
3119     {
3120         /* see RFC 7748 sec. 5 para. 5 */
3121         if( mbedtls_mpi_get_bit( d, 0 ) != 0 ||
3122             mbedtls_mpi_get_bit( d, 1 ) != 0 ||
3123             mbedtls_mpi_bitlen( d ) - 1 != grp->nbits ) /* mbedtls_mpi_bitlen is one-based! */
3124             return( MBEDTLS_ERR_ECP_INVALID_KEY );
3125 
3126         /* see [Curve25519] page 5 */
3127         if( grp->nbits == 254 && mbedtls_mpi_get_bit( d, 2 ) != 0 )
3128             return( MBEDTLS_ERR_ECP_INVALID_KEY );
3129 
3130         return( 0 );
3131     }
3132 #endif /* ECP_MONTGOMERY */
3133 #if defined(ECP_SHORTWEIERSTRASS)
3134     if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
3135     {
3136         /* see SEC1 3.2 */
3137         if( mbedtls_mpi_cmp_int( d, 1 ) < 0 ||
3138             mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 )
3139             return( MBEDTLS_ERR_ECP_INVALID_KEY );
3140         else
3141             return( 0 );
3142     }
3143 #endif /* ECP_SHORTWEIERSTRASS */
3144 
3145     return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
3146 }
3147 
3148 /*
3149  * Generate a private key
3150  */
mbedtls_ecp_gen_privkey(const mbedtls_ecp_group * grp,mbedtls_mpi * d,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)3151 int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
3152                      mbedtls_mpi *d,
3153                      int (*f_rng)(void *, unsigned char *, size_t),
3154                      void *p_rng )
3155 {
3156     int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3157     size_t n_size;
3158 #if defined(ECP_SHORTWEIERSTRASS)
3159     mbedtls_mpi one;
3160 
3161     mbedtls_mpi_init( &one );
3162 #endif
3163 
3164     ECP_VALIDATE_RET( grp   != NULL );
3165     ECP_VALIDATE_RET( d     != NULL );
3166     ECP_VALIDATE_RET( f_rng != NULL );
3167 
3168     n_size = ( grp->nbits + 7 ) / 8;
3169 
3170 #if defined(ECP_MONTGOMERY)
3171     if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
3172     {
3173         /* [M225] page 5 */
3174         size_t b;
3175 
3176         do {
3177             MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
3178         } while( mbedtls_mpi_bitlen( d ) == 0);
3179 
3180         /* Make sure the most significant bit is nbits */
3181         b = mbedtls_mpi_bitlen( d ) - 1; /* mbedtls_mpi_bitlen is one-based */
3182         if( b > grp->nbits )
3183             MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, b - grp->nbits ) );
3184         else
3185             MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, grp->nbits, 1 ) );
3186 
3187         /* Make sure the last two bits are unset for Curve448, three bits for
3188            Curve25519 */
3189         MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 0, 0 ) );
3190         MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 1, 0 ) );
3191         if( grp->nbits == 254 )
3192         {
3193             MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 2, 0 ) );
3194         }
3195     }
3196 #endif /* ECP_MONTGOMERY */
3197 
3198 #if defined(ECP_SHORTWEIERSTRASS)
3199     if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
3200     {
3201         /* SEC1 3.2.1: Generate d such that 1 <= n < N */
3202         int count = 0;
3203         unsigned lt_lower = 1, lt_upper = 0;
3204 
3205         MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &one, grp->N.n ) );
3206         MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) );
3207 
3208         /*
3209          * Match the procedure given in RFC 6979 (deterministic ECDSA):
3210          * - use the same byte ordering;
3211          * - keep the leftmost nbits bits of the generated octet string;
3212          * - try until result is in the desired range.
3213          * This also avoids any biais, which is especially important for ECDSA.
3214          */
3215         do
3216         {
3217             MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
3218             MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) );
3219 
3220             /*
3221              * Each try has at worst a probability 1/2 of failing (the msb has
3222              * a probability 1/2 of being 0, and then the result will be < N),
3223              * so after 30 tries failure probability is a most 2**(-30).
3224              *
3225              * For most curves, 1 try is enough with overwhelming probability,
3226              * since N starts with a lot of 1s in binary, but some curves
3227              * such as secp224k1 are actually very close to the worst case.
3228              */
3229             if( ++count > 30 )
3230             {
3231                 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
3232                 goto cleanup;
3233             }
3234 
3235             MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( d, &grp->N, &lt_upper ) );
3236             MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( d, &one, &lt_lower ) );
3237         }
3238         while( lt_lower != 0 || lt_upper == 0 );
3239     }
3240 #endif /* ECP_SHORTWEIERSTRASS */
3241 
3242 cleanup:
3243 #if defined(ECP_SHORTWEIERSTRASS)
3244     mbedtls_mpi_free( &one );
3245 #endif
3246     return( ret );
3247 }
3248 
3249 /*
3250  * Generate a keypair with configurable base point
3251  */
mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group * grp,const mbedtls_ecp_point * G,mbedtls_mpi * d,mbedtls_ecp_point * Q,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)3252 int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
3253                      const mbedtls_ecp_point *G,
3254                      mbedtls_mpi *d, mbedtls_ecp_point *Q,
3255                      int (*f_rng)(void *, unsigned char *, size_t),
3256                      void *p_rng )
3257 {
3258     int ret;
3259     ECP_VALIDATE_RET( grp   != NULL );
3260     ECP_VALIDATE_RET( d     != NULL );
3261     ECP_VALIDATE_RET( G     != NULL );
3262     ECP_VALIDATE_RET( Q     != NULL );
3263     ECP_VALIDATE_RET( f_rng != NULL );
3264 
3265     MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, d, f_rng, p_rng ) );
3266     MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, Q, d, G, f_rng, p_rng ) );
3267 
3268 cleanup:
3269     return( ret );
3270 }
3271 
3272 /*
3273  * Generate key pair, wrapper for conventional base point
3274  */
mbedtls_ecp_gen_keypair(mbedtls_ecp_group * grp,mbedtls_mpi * d,mbedtls_ecp_point * Q,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)3275 int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp,
3276                              mbedtls_mpi *d, mbedtls_ecp_point *Q,
3277                              int (*f_rng)(void *, unsigned char *, size_t),
3278                              void *p_rng )
3279 {
3280     ECP_VALIDATE_RET( grp   != NULL );
3281     ECP_VALIDATE_RET( d     != NULL );
3282     ECP_VALIDATE_RET( Q     != NULL );
3283     ECP_VALIDATE_RET( f_rng != NULL );
3284 
3285     return( mbedtls_ecp_gen_keypair_base( grp, &grp->G, d, Q, f_rng, p_rng ) );
3286 }
3287 
3288 /*
3289  * Generate a keypair, prettier wrapper
3290  */
mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id,mbedtls_ecp_keypair * key,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)3291 int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
3292                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
3293 {
3294     int ret;
3295     ECP_VALIDATE_RET( key   != NULL );
3296     ECP_VALIDATE_RET( f_rng != NULL );
3297 
3298     if( ( ret = mbedtls_ecp_group_load( &key->grp, grp_id ) ) != 0 )
3299         return( ret );
3300 
3301     return( mbedtls_ecp_gen_keypair( &key->grp, &key->d, &key->Q, f_rng, p_rng ) );
3302 }
3303 
3304 /*
3305  * Check a public-private key pair
3306  */
mbedtls_ecp_check_pub_priv(const mbedtls_ecp_keypair * pub,const mbedtls_ecp_keypair * prv)3307 int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv )
3308 {
3309     int ret;
3310     mbedtls_ecp_point Q;
3311     mbedtls_ecp_group grp;
3312     ECP_VALIDATE_RET( pub != NULL );
3313     ECP_VALIDATE_RET( prv != NULL );
3314 
3315     if( pub->grp.id == MBEDTLS_ECP_DP_NONE ||
3316         pub->grp.id != prv->grp.id ||
3317         mbedtls_mpi_cmp_mpi( &pub->Q.X, &prv->Q.X ) ||
3318         mbedtls_mpi_cmp_mpi( &pub->Q.Y, &prv->Q.Y ) ||
3319         mbedtls_mpi_cmp_mpi( &pub->Q.Z, &prv->Q.Z ) )
3320     {
3321         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
3322     }
3323 
3324     mbedtls_ecp_point_init( &Q );
3325     mbedtls_ecp_group_init( &grp );
3326 
3327     /* mbedtls_ecp_mul() needs a non-const group... */
3328     mbedtls_ecp_group_copy( &grp, &prv->grp );
3329 
3330     /* Also checks d is valid */
3331     MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &Q, &prv->d, &prv->grp.G, NULL, NULL ) );
3332 
3333     if( mbedtls_mpi_cmp_mpi( &Q.X, &prv->Q.X ) ||
3334         mbedtls_mpi_cmp_mpi( &Q.Y, &prv->Q.Y ) ||
3335         mbedtls_mpi_cmp_mpi( &Q.Z, &prv->Q.Z ) )
3336     {
3337         ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3338         goto cleanup;
3339     }
3340 
3341 cleanup:
3342     mbedtls_ecp_point_free( &Q );
3343     mbedtls_ecp_group_free( &grp );
3344 
3345     return( ret );
3346 }
3347 
3348 #if defined(MBEDTLS_SELF_TEST)
3349 
3350 #if defined(ECP_ONE_STEP_KDF)
3351 /*
3352  * There are no test vectors from NIST for the One-Step KDF in SP 800-56C,
3353  * but unofficial ones can be found at:
3354  * https://github.com/patrickfav/singlestep-kdf/wiki/NIST-SP-800-56C-Rev1:-Non-Official-Test-Vectors
3355  *
3356  * We only use the ones with empty fixedInfo, and for brevity's sake, only
3357  * 40-bytes output (with SHA-256 that's more than one block, and with SHA-512
3358  * less than one block).
3359  */
3360 #if defined(MBEDTLS_SHA512_C)
3361 
3362 static const uint8_t test_kdf_z[16] = {
3363     0x3b, 0xa9, 0x79, 0xe9, 0xbc, 0x5e, 0x3e, 0xc7,
3364     0x61, 0x30, 0x36, 0xb6, 0xf5, 0x1c, 0xd5, 0xaa,
3365 };
3366 static const uint8_t test_kdf_out[40] = {
3367     0x3e, 0xf6, 0xda, 0xf9, 0x51, 0x60, 0x70, 0x5f,
3368     0xdf, 0x21, 0xcd, 0xab, 0xac, 0x25, 0x7b, 0x05,
3369     0xfe, 0xc1, 0xab, 0x7c, 0xc9, 0x68, 0x43, 0x25,
3370     0x8a, 0xfc, 0x40, 0x6e, 0x5b, 0xf7, 0x98, 0x27,
3371     0x10, 0xfa, 0x7b, 0x93, 0x52, 0xd4, 0x16, 0xaa,
3372 };
3373 
3374 #elif defined(MBEDTLS_SHA256_C)
3375 
3376 static const uint8_t test_kdf_z[16] = {
3377     0xc8, 0x3e, 0x35, 0x8e, 0x99, 0xa6, 0x89, 0xc6,
3378     0x7d, 0xb4, 0xfe, 0x39, 0xcf, 0x8f, 0x26, 0xe1,
3379 };
3380 static const uint8_t test_kdf_out[40] = {
3381     0x7d, 0xf6, 0x41, 0xf8, 0x3c, 0x47, 0xdc, 0x28,
3382     0x5f, 0x7f, 0xaa, 0xde, 0x05, 0x64, 0xd6, 0x25,
3383     0x00, 0x6a, 0x47, 0xd9, 0x1e, 0xa4, 0xa0, 0x8c,
3384     0xd7, 0xf7, 0x0c, 0x99, 0xaa, 0xa0, 0x72, 0x66,
3385     0x69, 0x0e, 0x25, 0xaa, 0xa1, 0x63, 0x14, 0x79,
3386 };
3387 
3388 #endif
3389 
ecp_kdf_self_test(void)3390 static int ecp_kdf_self_test( void )
3391 {
3392     int ret;
3393     ecp_drbg_context kdf_ctx;
3394     mbedtls_mpi scalar;
3395     uint8_t out[sizeof( test_kdf_out )];
3396 
3397     ecp_drbg_init( &kdf_ctx );
3398     mbedtls_mpi_init( &scalar );
3399     memset( out, 0, sizeof( out ) );
3400 
3401     MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &scalar,
3402                         test_kdf_z, sizeof( test_kdf_z ) ) );
3403 
3404     MBEDTLS_MPI_CHK( ecp_drbg_seed( &kdf_ctx,
3405                                     &scalar, sizeof( test_kdf_z ) ) );
3406 
3407     MBEDTLS_MPI_CHK( ecp_drbg_random( &kdf_ctx, out, sizeof( out ) ) );
3408 
3409     if( memcmp( out, test_kdf_out, sizeof( out ) ) != 0 )
3410         ret = -1;
3411 
3412 cleanup:
3413     ecp_drbg_free( &kdf_ctx );
3414     mbedtls_mpi_free( &scalar );
3415 
3416     return( ret );
3417 }
3418 #endif /* ECP_ONE_STEP_KDF */
3419 
3420 /*
3421  * Checkup routine
3422  */
mbedtls_ecp_self_test(int verbose)3423 int mbedtls_ecp_self_test( int verbose )
3424 {
3425     int ret;
3426     size_t i;
3427     mbedtls_ecp_group grp;
3428     mbedtls_ecp_point R, P;
3429     mbedtls_mpi m;
3430     unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
3431     /* exponents especially adapted for secp192r1 */
3432     const char *exponents[] =
3433     {
3434         "000000000000000000000000000000000000000000000001", /* one */
3435         "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830", /* N - 1 */
3436         "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
3437         "400000000000000000000000000000000000000000000000", /* one and zeros */
3438         "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
3439         "555555555555555555555555555555555555555555555555", /* 101010... */
3440     };
3441 
3442     mbedtls_ecp_group_init( &grp );
3443     mbedtls_ecp_point_init( &R );
3444     mbedtls_ecp_point_init( &P );
3445     mbedtls_mpi_init( &m );
3446 
3447     /* Use secp192r1 if available, or any available curve */
3448 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
3449     MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP192R1 ) );
3450 #else
3451     MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, mbedtls_ecp_curve_list()->grp_id ) );
3452 #endif
3453 
3454     if( verbose != 0 )
3455         mbedtls_printf( "  ECP test #1 (constant op_count, base point G): " );
3456 
3457     /* Do a dummy multiplication first to trigger precomputation */
3458     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &m, 2 ) );
3459     MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &P, &m, &grp.G, NULL, NULL ) );
3460 
3461     add_count = 0;
3462     dbl_count = 0;
3463     mul_count = 0;
3464     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[0] ) );
3465     MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
3466 
3467     for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
3468     {
3469         add_c_prev = add_count;
3470         dbl_c_prev = dbl_count;
3471         mul_c_prev = mul_count;
3472         add_count = 0;
3473         dbl_count = 0;
3474         mul_count = 0;
3475 
3476         MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[i] ) );
3477         MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
3478 
3479         if( add_count != add_c_prev ||
3480             dbl_count != dbl_c_prev ||
3481             mul_count != mul_c_prev )
3482         {
3483             if( verbose != 0 )
3484                 mbedtls_printf( "failed (%u)\n", (unsigned int) i );
3485 
3486             ret = 1;
3487             goto cleanup;
3488         }
3489     }
3490 
3491     if( verbose != 0 )
3492         mbedtls_printf( "passed\n" );
3493 
3494     if( verbose != 0 )
3495         mbedtls_printf( "  ECP test #2 (constant op_count, other point): " );
3496     /* We computed P = 2G last time, use it */
3497 
3498     add_count = 0;
3499     dbl_count = 0;
3500     mul_count = 0;
3501     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[0] ) );
3502     MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &P, NULL, NULL ) );
3503 
3504     for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
3505     {
3506         add_c_prev = add_count;
3507         dbl_c_prev = dbl_count;
3508         mul_c_prev = mul_count;
3509         add_count = 0;
3510         dbl_count = 0;
3511         mul_count = 0;
3512 
3513         MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[i] ) );
3514         MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &P, NULL, NULL ) );
3515 
3516         if( add_count != add_c_prev ||
3517             dbl_count != dbl_c_prev ||
3518             mul_count != mul_c_prev )
3519         {
3520             if( verbose != 0 )
3521                 mbedtls_printf( "failed (%u)\n", (unsigned int) i );
3522 
3523             ret = 1;
3524             goto cleanup;
3525         }
3526     }
3527 
3528     if( verbose != 0 )
3529         mbedtls_printf( "passed\n" );
3530 
3531 #if defined(ECP_ONE_STEP_KDF)
3532     if( verbose != 0 )
3533         mbedtls_printf( "  ECP test #3 (internal KDF): " );
3534 
3535     ret = ecp_kdf_self_test();
3536     if( ret != 0 )
3537     {
3538         if( verbose != 0 )
3539             mbedtls_printf( "failed\n" );
3540 
3541         ret = 1;
3542         goto cleanup;
3543     }
3544 
3545     if( verbose != 0 )
3546         mbedtls_printf( "passed\n" );
3547 #endif /* ECP_ONE_STEP_KDF */
3548 
3549 cleanup:
3550 
3551     if( ret < 0 && verbose != 0 )
3552         mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
3553 
3554     mbedtls_ecp_group_free( &grp );
3555     mbedtls_ecp_point_free( &R );
3556     mbedtls_ecp_point_free( &P );
3557     mbedtls_mpi_free( &m );
3558 
3559     if( verbose != 0 )
3560         mbedtls_printf( "\n" );
3561 
3562     return( ret );
3563 }
3564 
3565 #endif /* MBEDTLS_SELF_TEST */
3566 
3567 #endif /* !MBEDTLS_ECP_ALT */
3568 
3569 #endif /* MBEDTLS_ECP_C */
3570