1
/*
2
 *  Elliptic curves over GF(p): generic functions
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7

8
/*
9
 * References:
10
 *
11
 * SEC1 https://www.secg.org/sec1-v2.pdf
12
 * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
13
 * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
14
 * RFC 4492 for the related TLS structures and constants
15
 * - https://www.rfc-editor.org/rfc/rfc4492
16
 * RFC 7748 for the Curve448 and Curve25519 curve definitions
17
 * - https://www.rfc-editor.org/rfc/rfc7748
18
 *
19
 * [Curve25519] https://cr.yp.to/ecdh/curve25519-20060209.pdf
20
 *
21
 * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
22
 *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
23
 *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
24
 *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
25
 *
26
 * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
27
 *     render ECC resistant against Side Channel Attacks. IACR Cryptology
28
 *     ePrint Archive, 2004, vol. 2004, p. 342.
29
 *     <http://eprint.iacr.org/2004/342.pdf>
30
 */
31

32
#include "common.h"
33

34
/**
35
 * \brief Function level alternative implementation.
36
 *
37
 * The MBEDTLS_ECP_INTERNAL_ALT macro enables alternative implementations to
38
 * replace certain functions in this module. The alternative implementations are
39
 * typically hardware accelerators and need to activate the hardware before the
40
 * computation starts and deactivate it after it finishes. The
41
 * mbedtls_internal_ecp_init() and mbedtls_internal_ecp_free() functions serve
42
 * this purpose.
43
 *
44
 * To preserve the correct functionality the following conditions must hold:
45
 *
46
 * - The alternative implementation must be activated by
47
 *   mbedtls_internal_ecp_init() before any of the replaceable functions is
48
 *   called.
49
 * - mbedtls_internal_ecp_free() must \b only be called when the alternative
50
 *   implementation is activated.
51
 * - mbedtls_internal_ecp_init() must \b not be called when the alternative
52
 *   implementation is activated.
53
 * - Public functions must not return while the alternative implementation is
54
 *   activated.
55
 * - Replaceable functions are guarded by \c MBEDTLS_ECP_XXX_ALT macros and
56
 *   before calling them an \code if( mbedtls_internal_ecp_grp_capable( grp ) )
57
 *   \endcode ensures that the alternative implementation supports the current
58
 *   group.
59
 */
60
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
61
#endif
62

63
#if defined(MBEDTLS_ECP_LIGHT)
64

65
#include "mbedtls/ecp.h"
66
#include "mbedtls/threading.h"
67
#include "mbedtls/platform_util.h"
68
#include "mbedtls/error.h"
69

70
#include "bn_mul.h"
71
#include "ecp_invasive.h"
72

73
#include <string.h>
74

75
#if !defined(MBEDTLS_ECP_ALT)
76

77
#include "mbedtls/platform.h"
78

79
#include "ecp_internal_alt.h"
80

81
#if defined(MBEDTLS_SELF_TEST)
82
/*
83
 * Counts of point addition and doubling, and field multiplications.
84
 * Used to test resistance of point multiplication to simple timing attacks.
85
 */
86
#if defined(MBEDTLS_ECP_C)
87
static unsigned long add_count, dbl_count;
88
#endif /* MBEDTLS_ECP_C */
89
static unsigned long mul_count;
90
#endif
91

92
#if defined(MBEDTLS_ECP_RESTARTABLE)
93
/*
94
 * Maximum number of "basic operations" to be done in a row.
95
 *
96
 * Default value 0 means that ECC operations will not yield.
97
 * Note that regardless of the value of ecp_max_ops, always at
98
 * least one step is performed before yielding.
99
 *
100
 * Setting ecp_max_ops=1 can be suitable for testing purposes
101
 * as it will interrupt computation at all possible points.
102
 */
103
static unsigned ecp_max_ops = 0;
104

105
/*
106
 * Set ecp_max_ops
107
 */
108
void mbedtls_ecp_set_max_ops(unsigned max_ops)
109
{
110
    ecp_max_ops = max_ops;
111
}
112

113
/*
114
 * Check if restart is enabled
115
 */
116
int mbedtls_ecp_restart_is_enabled(void)
117
{
118
    return ecp_max_ops != 0;
119
}
120

121
/*
122
 * Restart sub-context for ecp_mul_comb()
123
 */
124
struct mbedtls_ecp_restart_mul {
125
    mbedtls_ecp_point R;    /* current intermediate result                  */
126
    size_t i;               /* current index in various loops, 0 outside    */
127
    mbedtls_ecp_point *T;   /* table for precomputed points                 */
128
    unsigned char T_size;   /* number of points in table T                  */
129
    enum {                  /* what were we doing last time we returned?    */
130
        ecp_rsm_init = 0,       /* nothing so far, dummy initial state      */
131
        ecp_rsm_pre_dbl,        /* precompute 2^n multiples                 */
132
        ecp_rsm_pre_norm_dbl,   /* normalize precomputed 2^n multiples      */
133
        ecp_rsm_pre_add,        /* precompute remaining points by adding    */
134
        ecp_rsm_pre_norm_add,   /* normalize all precomputed points         */
135
        ecp_rsm_comb_core,      /* ecp_mul_comb_core()                      */
136
        ecp_rsm_final_norm,     /* do the final normalization               */
137
    } state;
138
};
139

140
/*
141
 * Init restart_mul sub-context
142
 */
143
static void ecp_restart_rsm_init(mbedtls_ecp_restart_mul_ctx *ctx)
144
{
145
    mbedtls_ecp_point_init(&ctx->R);
146
    ctx->i = 0;
147
    ctx->T = NULL;
148
    ctx->T_size = 0;
149
    ctx->state = ecp_rsm_init;
150
}
151

152
/*
153
 * Free the components of a restart_mul sub-context
154
 */
155
static void ecp_restart_rsm_free(mbedtls_ecp_restart_mul_ctx *ctx)
156
{
157
    unsigned char i;
158

159
    if (ctx == NULL) {
160
        return;
161
    }
162

163
    mbedtls_ecp_point_free(&ctx->R);
164

165
    if (ctx->T != NULL) {
166
        for (i = 0; i < ctx->T_size; i++) {
167
            mbedtls_ecp_point_free(ctx->T + i);
168
        }
169
        mbedtls_free(ctx->T);
170
    }
171

172
    ecp_restart_rsm_init(ctx);
173
}
174

175
/*
176
 * Restart context for ecp_muladd()
177
 */
178
struct mbedtls_ecp_restart_muladd {
179
    mbedtls_ecp_point mP;       /* mP value                             */
180
    mbedtls_ecp_point R;        /* R intermediate result                */
181
    enum {                      /* what should we do next?              */
182
        ecp_rsma_mul1 = 0,      /* first multiplication                 */
183
        ecp_rsma_mul2,          /* second multiplication                */
184
        ecp_rsma_add,           /* addition                             */
185
        ecp_rsma_norm,          /* normalization                        */
186
    } state;
187
};
188

189
/*
190
 * Init restart_muladd sub-context
191
 */
192
static void ecp_restart_ma_init(mbedtls_ecp_restart_muladd_ctx *ctx)
193
{
194
    mbedtls_ecp_point_init(&ctx->mP);
195
    mbedtls_ecp_point_init(&ctx->R);
196
    ctx->state = ecp_rsma_mul1;
197
}
198

199
/*
200
 * Free the components of a restart_muladd sub-context
201
 */
202
static void ecp_restart_ma_free(mbedtls_ecp_restart_muladd_ctx *ctx)
203
{
204
    if (ctx == NULL) {
205
        return;
206
    }
207

208
    mbedtls_ecp_point_free(&ctx->mP);
209
    mbedtls_ecp_point_free(&ctx->R);
210

211
    ecp_restart_ma_init(ctx);
212
}
213

214
/*
215
 * Initialize a restart context
216
 */
217
void mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx *ctx)
218
{
219
    ctx->ops_done = 0;
220
    ctx->depth = 0;
221
    ctx->rsm = NULL;
222
    ctx->ma = NULL;
223
}
224

225
/*
226
 * Free the components of a restart context
227
 */
228
void mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx *ctx)
229
{
230
    if (ctx == NULL) {
231
        return;
232
    }
233

234
    ecp_restart_rsm_free(ctx->rsm);
235
    mbedtls_free(ctx->rsm);
236

237
    ecp_restart_ma_free(ctx->ma);
238
    mbedtls_free(ctx->ma);
239

240
    mbedtls_ecp_restart_init(ctx);
241
}
242

243
/*
244
 * Check if we can do the next step
245
 */
246
int mbedtls_ecp_check_budget(const mbedtls_ecp_group *grp,
247
                             mbedtls_ecp_restart_ctx *rs_ctx,
248
                             unsigned ops)
249
{
250
    if (rs_ctx != NULL && ecp_max_ops != 0) {
251
        /* scale depending on curve size: the chosen reference is 256-bit,
252
         * and multiplication is quadratic. Round to the closest integer. */
253
        if (grp->pbits >= 512) {
254
            ops *= 4;
255
        } else if (grp->pbits >= 384) {
256
            ops *= 2;
257
        }
258

259
        /* Avoid infinite loops: always allow first step.
260
         * Because of that, however, it's not generally true
261
         * that ops_done <= ecp_max_ops, so the check
262
         * ops_done > ecp_max_ops below is mandatory. */
263
        if ((rs_ctx->ops_done != 0) &&
264
            (rs_ctx->ops_done > ecp_max_ops ||
265
             ops > ecp_max_ops - rs_ctx->ops_done)) {
266
            return MBEDTLS_ERR_ECP_IN_PROGRESS;
267
        }
268

269
        /* update running count */
270
        rs_ctx->ops_done += ops;
271
    }
272

273
    return 0;
274
}
275

276
/* Call this when entering a function that needs its own sub-context */
277
#define ECP_RS_ENTER(SUB)   do {                                      \
278
        /* reset ops count for this call if top-level */                    \
279
        if (rs_ctx != NULL && rs_ctx->depth++ == 0)                        \
280
        rs_ctx->ops_done = 0;                                           \
281
                                                                        \
282
        /* set up our own sub-context if needed */                          \
283
        if (mbedtls_ecp_restart_is_enabled() &&                             \
284
            rs_ctx != NULL && rs_ctx->SUB == NULL)                         \
285
        {                                                                   \
286
            rs_ctx->SUB = mbedtls_calloc(1, sizeof(*rs_ctx->SUB));      \
287
            if (rs_ctx->SUB == NULL)                                       \
288
            return MBEDTLS_ERR_ECP_ALLOC_FAILED;                     \
289
                                                                      \
290
            ecp_restart_## SUB ##_init(rs_ctx->SUB);                      \
291
        }                                                                   \
292
} while (0)
293

294
/* Call this when leaving a function that needs its own sub-context */
295
#define ECP_RS_LEAVE(SUB)   do {                                      \
296
        /* clear our sub-context when not in progress (done or error) */    \
297
        if (rs_ctx != NULL && rs_ctx->SUB != NULL &&                        \
298
            ret != MBEDTLS_ERR_ECP_IN_PROGRESS)                            \
299
        {                                                                   \
300
            ecp_restart_## SUB ##_free(rs_ctx->SUB);                      \
301
            mbedtls_free(rs_ctx->SUB);                                    \
302
            rs_ctx->SUB = NULL;                                             \
303
        }                                                                   \
304
                                                                        \
305
        if (rs_ctx != NULL)                                                \
306
        rs_ctx->depth--;                                                \
307
} while (0)
308

309
#else /* MBEDTLS_ECP_RESTARTABLE */
310

311
#define ECP_RS_ENTER(sub)     (void) rs_ctx;
312
#define ECP_RS_LEAVE(sub)     (void) rs_ctx;
313

314
#endif /* MBEDTLS_ECP_RESTARTABLE */
315

316
#if defined(MBEDTLS_ECP_C)
317
static void mpi_init_many(mbedtls_mpi *arr, size_t size)
318
{
319
    while (size--) {
320
        mbedtls_mpi_init(arr++);
321
    }
322
}
323

324
static void mpi_free_many(mbedtls_mpi *arr, size_t size)
325
{
326
    while (size--) {
327
        mbedtls_mpi_free(arr++);
328
    }
329
}
330
#endif /* MBEDTLS_ECP_C */
331

332
/*
333
 * List of supported curves:
334
 *  - internal ID
335
 *  - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2, RFC 8446 sec. 4.2.7)
336
 *  - size in bits
337
 *  - readable name
338
 *
339
 * Curves are listed in order: largest curves first, and for a given size,
340
 * fastest curves first.
341
 *
342
 * Reminder: update profiles in x509_crt.c and ssl_tls.c when adding a new curve!
343
 */
344
static const mbedtls_ecp_curve_info ecp_supported_curves[] =
345
{
346
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
347
    { MBEDTLS_ECP_DP_SECP521R1,    25,     521,    "secp521r1"         },
348
#endif
349
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
350
    { MBEDTLS_ECP_DP_BP512R1,      28,     512,    "brainpoolP512r1"   },
351
#endif
352
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
353
    { MBEDTLS_ECP_DP_SECP384R1,    24,     384,    "secp384r1"         },
354
#endif
355
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
356
    { MBEDTLS_ECP_DP_BP384R1,      27,     384,    "brainpoolP384r1"   },
357
#endif
358
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
359
    { MBEDTLS_ECP_DP_SECP256R1,    23,     256,    "secp256r1"         },
360
#endif
361
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
362
    { MBEDTLS_ECP_DP_SECP256K1,    22,     256,    "secp256k1"         },
363
#endif
364
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
365
    { MBEDTLS_ECP_DP_BP256R1,      26,     256,    "brainpoolP256r1"   },
366
#endif
367
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
368
    { MBEDTLS_ECP_DP_SECP224R1,    21,     224,    "secp224r1"         },
369
#endif
370
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
371
    { MBEDTLS_ECP_DP_SECP224K1,    20,     224,    "secp224k1"         },
372
#endif
373
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
374
    { MBEDTLS_ECP_DP_SECP192R1,    19,     192,    "secp192r1"         },
375
#endif
376
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
377
    { MBEDTLS_ECP_DP_SECP192K1,    18,     192,    "secp192k1"         },
378
#endif
379
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
380
    { MBEDTLS_ECP_DP_CURVE25519,   29,     256,    "x25519"            },
381
#endif
382
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
383
    { MBEDTLS_ECP_DP_CURVE448,     30,     448,    "x448"              },
384
#endif
385
    { MBEDTLS_ECP_DP_NONE,          0,     0,      NULL                },
386
};
387

388
#define ECP_NB_CURVES   sizeof(ecp_supported_curves) /    \
389
    sizeof(ecp_supported_curves[0])
390

391
static mbedtls_ecp_group_id ecp_supported_grp_id[ECP_NB_CURVES];
392

393
/*
394
 * List of supported curves and associated info
395
 */
396
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list(void)
397
{
398
    return ecp_supported_curves;
399
}
400

401
/*
402
 * List of supported curves, group ID only
403
 */
404
const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list(void)
405
{
406
    static int init_done = 0;
407

408
    if (!init_done) {
409
        size_t i = 0;
410
        const mbedtls_ecp_curve_info *curve_info;
411

412
        for (curve_info = mbedtls_ecp_curve_list();
413
             curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
414
             curve_info++) {
415
            ecp_supported_grp_id[i++] = curve_info->grp_id;
416
        }
417
        ecp_supported_grp_id[i] = MBEDTLS_ECP_DP_NONE;
418

419
        init_done = 1;
420
    }
421

422
    return ecp_supported_grp_id;
423
}
424

425
/*
426
 * Get the curve info for the internal identifier
427
 */
428
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id(mbedtls_ecp_group_id grp_id)
429
{
430
    const mbedtls_ecp_curve_info *curve_info;
431

432
    for (curve_info = mbedtls_ecp_curve_list();
433
         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
434
         curve_info++) {
435
        if (curve_info->grp_id == grp_id) {
436
            return curve_info;
437
        }
438
    }
439

440
    return NULL;
441
}
442

443
/*
444
 * Get the curve info from the TLS identifier
445
 */
446
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id(uint16_t tls_id)
447
{
448
    const mbedtls_ecp_curve_info *curve_info;
449

450
    for (curve_info = mbedtls_ecp_curve_list();
451
         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
452
         curve_info++) {
453
        if (curve_info->tls_id == tls_id) {
454
            return curve_info;
455
        }
456
    }
457

458
    return NULL;
459
}
460

461
/*
462
 * Get the curve info from the name
463
 */
464
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name(const char *name)
465
{
466
    const mbedtls_ecp_curve_info *curve_info;
467

468
    if (name == NULL) {
469
        return NULL;
470
    }
471

472
    for (curve_info = mbedtls_ecp_curve_list();
473
         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
474
         curve_info++) {
475
        if (strcmp(curve_info->name, name) == 0) {
476
            return curve_info;
477
        }
478
    }
479

480
    return NULL;
481
}
482

483
/*
484
 * Get the type of a curve
485
 */
486
mbedtls_ecp_curve_type mbedtls_ecp_get_type(const mbedtls_ecp_group *grp)
487
{
488
    if (grp->G.X.p == NULL) {
489
        return MBEDTLS_ECP_TYPE_NONE;
490
    }
491

492
    if (grp->G.Y.p == NULL) {
493
        return MBEDTLS_ECP_TYPE_MONTGOMERY;
494
    } else {
495
        return MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS;
496
    }
497
}
498

499
/*
500
 * Initialize (the components of) a point
501
 */
502
void mbedtls_ecp_point_init(mbedtls_ecp_point *pt)
503
{
504
    mbedtls_mpi_init(&pt->X);
505
    mbedtls_mpi_init(&pt->Y);
506
    mbedtls_mpi_init(&pt->Z);
507
}
508

509
/*
510
 * Initialize (the components of) a group
511
 */
512
void mbedtls_ecp_group_init(mbedtls_ecp_group *grp)
513
{
514
    grp->id = MBEDTLS_ECP_DP_NONE;
515
    mbedtls_mpi_init(&grp->P);
516
    mbedtls_mpi_init(&grp->A);
517
    mbedtls_mpi_init(&grp->B);
518
    mbedtls_ecp_point_init(&grp->G);
519
    mbedtls_mpi_init(&grp->N);
520
    grp->pbits = 0;
521
    grp->nbits = 0;
522
    grp->h = 0;
523
    grp->modp = NULL;
524
    grp->t_pre = NULL;
525
    grp->t_post = NULL;
526
    grp->t_data = NULL;
527
    grp->T = NULL;
528
    grp->T_size = 0;
529
}
530

531
/*
532
 * Initialize (the components of) a key pair
533
 */
534
void mbedtls_ecp_keypair_init(mbedtls_ecp_keypair *key)
535
{
536
    mbedtls_ecp_group_init(&key->grp);
537
    mbedtls_mpi_init(&key->d);
538
    mbedtls_ecp_point_init(&key->Q);
539
}
540

541
/*
542
 * Unallocate (the components of) a point
543
 */
544
void mbedtls_ecp_point_free(mbedtls_ecp_point *pt)
545
{
546
    if (pt == NULL) {
547
        return;
548
    }
549

550
    mbedtls_mpi_free(&(pt->X));
551
    mbedtls_mpi_free(&(pt->Y));
552
    mbedtls_mpi_free(&(pt->Z));
553
}
554

555
/*
556
 * Check that the comb table (grp->T) is static initialized.
557
 */
558
static int ecp_group_is_static_comb_table(const mbedtls_ecp_group *grp)
559
{
560
#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
561
    return grp->T != NULL && grp->T_size == 0;
562
#else
563
    (void) grp;
564
    return 0;
565
#endif
566
}
567

568
/*
569
 * Unallocate (the components of) a group
570
 */
571
void mbedtls_ecp_group_free(mbedtls_ecp_group *grp)
572
{
573
    size_t i;
574

575
    if (grp == NULL) {
576
        return;
577
    }
578

579
    if (grp->h != 1) {
580
        mbedtls_mpi_free(&grp->A);
581
        mbedtls_mpi_free(&grp->B);
582
        mbedtls_ecp_point_free(&grp->G);
583

584
#if !defined(MBEDTLS_ECP_WITH_MPI_UINT)
585
        mbedtls_mpi_free(&grp->N);
586
        mbedtls_mpi_free(&grp->P);
587
#endif
588
    }
589

590
    if (!ecp_group_is_static_comb_table(grp) && grp->T != NULL) {
591
        for (i = 0; i < grp->T_size; i++) {
592
            mbedtls_ecp_point_free(&grp->T[i]);
593
        }
594
        mbedtls_free(grp->T);
595
    }
596

597
    mbedtls_platform_zeroize(grp, sizeof(mbedtls_ecp_group));
598
}
599

600
/*
601
 * Unallocate (the components of) a key pair
602
 */
603
void mbedtls_ecp_keypair_free(mbedtls_ecp_keypair *key)
604
{
605
    if (key == NULL) {
606
        return;
607
    }
608

609
    mbedtls_ecp_group_free(&key->grp);
610
    mbedtls_mpi_free(&key->d);
611
    mbedtls_ecp_point_free(&key->Q);
612
}
613

614
/*
615
 * Copy the contents of a point
616
 */
617
int mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q)
618
{
619
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
620
    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->X, &Q->X));
621
    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Y, &Q->Y));
622
    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Z, &Q->Z));
623

624
cleanup:
625
    return ret;
626
}
627

628
/*
629
 * Copy the contents of a group object
630
 */
631
int mbedtls_ecp_group_copy(mbedtls_ecp_group *dst, const mbedtls_ecp_group *src)
632
{
633
    return mbedtls_ecp_group_load(dst, src->id);
634
}
635

636
/*
637
 * Set point to zero
638
 */
639
int mbedtls_ecp_set_zero(mbedtls_ecp_point *pt)
640
{
641
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
642
    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->X, 1));
643
    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Y, 1));
644
    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 0));
645

646
cleanup:
647
    return ret;
648
}
649

650
/*
651
 * Tell if a point is zero
652
 */
653
int mbedtls_ecp_is_zero(mbedtls_ecp_point *pt)
654
{
655
    return mbedtls_mpi_cmp_int(&pt->Z, 0) == 0;
656
}
657

658
/*
659
 * Compare two points lazily
660
 */
661
int mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
662
                          const mbedtls_ecp_point *Q)
663
{
664
    if (mbedtls_mpi_cmp_mpi(&P->X, &Q->X) == 0 &&
665
        mbedtls_mpi_cmp_mpi(&P->Y, &Q->Y) == 0 &&
666
        mbedtls_mpi_cmp_mpi(&P->Z, &Q->Z) == 0) {
667
        return 0;
668
    }
669

670
    return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
671
}
672

673
/*
674
 * Import a non-zero point from ASCII strings
675
 */
676
int mbedtls_ecp_point_read_string(mbedtls_ecp_point *P, int radix,
677
                                  const char *x, const char *y)
678
{
679
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
680
    MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->X, radix, x));
681
    MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->Y, radix, y));
682
    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&P->Z, 1));
683

684
cleanup:
685
    return ret;
686
}
687

688
/*
689
 * Export a point into unsigned binary data (SEC1 2.3.3 and RFC7748)
690
 */
691
int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
692
                                   const mbedtls_ecp_point *P,
693
                                   int format, size_t *olen,
694
                                   unsigned char *buf, size_t buflen)
695
{
696
    int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
697
    size_t plen;
698
    if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
699
        format != MBEDTLS_ECP_PF_COMPRESSED) {
700
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
701
    }
702

703
    plen = mbedtls_mpi_size(&grp->P);
704

705
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
706
    (void) format; /* Montgomery curves always use the same point format */
707
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
708
        *olen = plen;
709
        if (buflen < *olen) {
710
            return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
711
        }
712

713
        MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&P->X, buf, plen));
714
    }
715
#endif
716
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
717
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
718
        /*
719
         * Common case: P == 0
720
         */
721
        if (mbedtls_mpi_cmp_int(&P->Z, 0) == 0) {
722
            if (buflen < 1) {
723
                return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
724
            }
725

726
            buf[0] = 0x00;
727
            *olen = 1;
728

729
            return 0;
730
        }
731

732
        if (format == MBEDTLS_ECP_PF_UNCOMPRESSED) {
733
            *olen = 2 * plen + 1;
734

735
            if (buflen < *olen) {
736
                return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
737
            }
738

739
            buf[0] = 0x04;
740
            MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
741
            MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->Y, buf + 1 + plen, plen));
742
        } else if (format == MBEDTLS_ECP_PF_COMPRESSED) {
743
            *olen = plen + 1;
744

745
            if (buflen < *olen) {
746
                return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
747
            }
748

749
            buf[0] = 0x02 + mbedtls_mpi_get_bit(&P->Y, 0);
750
            MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
751
        }
752
    }
753
#endif
754

755
cleanup:
756
    return ret;
757
}
758

759
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
760
static int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
761
                                   const mbedtls_mpi *X,
762
                                   mbedtls_mpi *Y,
763
                                   int parity_bit);
764
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
765

766
/*
767
 * Import a point from unsigned binary data (SEC1 2.3.4 and RFC7748)
768
 */
769
int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp,
770
                                  mbedtls_ecp_point *pt,
771
                                  const unsigned char *buf, size_t ilen)
772
{
773
    int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
774
    size_t plen;
775
    if (ilen < 1) {
776
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
777
    }
778

779
    plen = mbedtls_mpi_size(&grp->P);
780

781
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
782
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
783
        if (plen != ilen) {
784
            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
785
        }
786

787
        MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&pt->X, buf, plen));
788
        mbedtls_mpi_free(&pt->Y);
789

790
        if (grp->id == MBEDTLS_ECP_DP_CURVE25519) {
791
            /* Set most significant bit to 0 as prescribed in RFC7748 §5 */
792
            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&pt->X, plen * 8 - 1, 0));
793
        }
794

795
        MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
796
    }
797
#endif
798
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
799
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
800
        if (buf[0] == 0x00) {
801
            if (ilen == 1) {
802
                return mbedtls_ecp_set_zero(pt);
803
            } else {
804
                return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
805
            }
806
        }
807

808
        if (ilen < 1 + plen) {
809
            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
810
        }
811

812
        MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&pt->X, buf + 1, plen));
813
        MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
814

815
        if (buf[0] == 0x04) {
816
            /* format == MBEDTLS_ECP_PF_UNCOMPRESSED */
817
            if (ilen != 1 + plen * 2) {
818
                return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
819
            }
820
            return mbedtls_mpi_read_binary(&pt->Y, buf + 1 + plen, plen);
821
        } else if (buf[0] == 0x02 || buf[0] == 0x03) {
822
            /* format == MBEDTLS_ECP_PF_COMPRESSED */
823
            if (ilen != 1 + plen) {
824
                return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
825
            }
826
            return mbedtls_ecp_sw_derive_y(grp, &pt->X, &pt->Y,
827
                                           (buf[0] & 1));
828
        } else {
829
            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
830
        }
831
    }
832
#endif
833

834
cleanup:
835
    return ret;
836
}
837

838
/*
839
 * Import a point from a TLS ECPoint record (RFC 4492)
840
 *      struct {
841
 *          opaque point <1..2^8-1>;
842
 *      } ECPoint;
843
 */
844
int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp,
845
                               mbedtls_ecp_point *pt,
846
                               const unsigned char **buf, size_t buf_len)
847
{
848
    unsigned char data_len;
849
    const unsigned char *buf_start;
850
    /*
851
     * We must have at least two bytes (1 for length, at least one for data)
852
     */
853
    if (buf_len < 2) {
854
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
855
    }
856

857
    data_len = *(*buf)++;
858
    if (data_len < 1 || data_len > buf_len - 1) {
859
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
860
    }
861

862
    /*
863
     * Save buffer start for read_binary and update buf
864
     */
865
    buf_start = *buf;
866
    *buf += data_len;
867

868
    return mbedtls_ecp_point_read_binary(grp, pt, buf_start, data_len);
869
}
870

871
/*
872
 * Export a point as a TLS ECPoint record (RFC 4492)
873
 *      struct {
874
 *          opaque point <1..2^8-1>;
875
 *      } ECPoint;
876
 */
877
int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
878
                                int format, size_t *olen,
879
                                unsigned char *buf, size_t blen)
880
{
881
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
882
    if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
883
        format != MBEDTLS_ECP_PF_COMPRESSED) {
884
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
885
    }
886

887
    /*
888
     * buffer length must be at least one, for our length byte
889
     */
890
    if (blen < 1) {
891
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
892
    }
893

894
    if ((ret = mbedtls_ecp_point_write_binary(grp, pt, format,
895
                                              olen, buf + 1, blen - 1)) != 0) {
896
        return ret;
897
    }
898

899
    /*
900
     * write length to the first byte and update total length
901
     */
902
    buf[0] = (unsigned char) *olen;
903
    ++*olen;
904

905
    return 0;
906
}
907

908
/*
909
 * Set a group from an ECParameters record (RFC 4492)
910
 */
911
int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp,
912
                               const unsigned char **buf, size_t len)
913
{
914
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
915
    mbedtls_ecp_group_id grp_id;
916
    if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, len)) != 0) {
917
        return ret;
918
    }
919

920
    return mbedtls_ecp_group_load(grp, grp_id);
921
}
922

923
/*
924
 * Read a group id from an ECParameters record (RFC 4492) and convert it to
925
 * mbedtls_ecp_group_id.
926
 */
927
int mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
928
                                  const unsigned char **buf, size_t len)
929
{
930
    uint16_t tls_id;
931
    const mbedtls_ecp_curve_info *curve_info;
932
    /*
933
     * We expect at least three bytes (see below)
934
     */
935
    if (len < 3) {
936
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
937
    }
938

939
    /*
940
     * First byte is curve_type; only named_curve is handled
941
     */
942
    if (*(*buf)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
943
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
944
    }
945

946
    /*
947
     * Next two bytes are the namedcurve value
948
     */
949
    tls_id = MBEDTLS_GET_UINT16_BE(*buf, 0);
950
    *buf += 2;
951

952
    if ((curve_info = mbedtls_ecp_curve_info_from_tls_id(tls_id)) == NULL) {
953
        return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
954
    }
955

956
    *grp = curve_info->grp_id;
957

958
    return 0;
959
}
960

961
/*
962
 * Write the ECParameters record corresponding to a group (RFC 4492)
963
 */
964
int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp, size_t *olen,
965
                                unsigned char *buf, size_t blen)
966
{
967
    const mbedtls_ecp_curve_info *curve_info;
968
    if ((curve_info = mbedtls_ecp_curve_info_from_grp_id(grp->id)) == NULL) {
969
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
970
    }
971

972
    /*
973
     * We are going to write 3 bytes (see below)
974
     */
975
    *olen = 3;
976
    if (blen < *olen) {
977
        return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
978
    }
979

980
    /*
981
     * First byte is curve_type, always named_curve
982
     */
983
    *buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
984

985
    /*
986
     * Next two bytes are the namedcurve value
987
     */
988
    MBEDTLS_PUT_UINT16_BE(curve_info->tls_id, buf, 0);
989

990
    return 0;
991
}
992

993
/*
994
 * Wrapper around fast quasi-modp functions, with fall-back to mbedtls_mpi_mod_mpi.
995
 * See the documentation of struct mbedtls_ecp_group.
996
 *
997
 * This function is in the critial loop for mbedtls_ecp_mul, so pay attention to perf.
998
 */
999
static int ecp_modp(mbedtls_mpi *N, const mbedtls_ecp_group *grp)
1000
{
1001
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1002

1003
    if (grp->modp == NULL) {
1004
        return mbedtls_mpi_mod_mpi(N, N, &grp->P);
1005
    }
1006

1007
    /* N->s < 0 is a much faster test, which fails only if N is 0 */
1008
    if ((N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) ||
1009
        mbedtls_mpi_bitlen(N) > 2 * grp->pbits) {
1010
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
1011
    }
1012

1013
    MBEDTLS_MPI_CHK(grp->modp(N));
1014

1015
    /* N->s < 0 is a much faster test, which fails only if N is 0 */
1016
    while (N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) {
1017
        MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &grp->P));
1018
    }
1019

1020
    while (mbedtls_mpi_cmp_mpi(N, &grp->P) >= 0) {
1021
        /* we known P, N and the result are positive */
1022
        MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(N, N, &grp->P));
1023
    }
1024

1025
cleanup:
1026
    return ret;
1027
}
1028

1029
/*
1030
 * Fast mod-p functions expect their argument to be in the 0..p^2 range.
1031
 *
1032
 * In order to guarantee that, we need to ensure that operands of
1033
 * mbedtls_mpi_mul_mpi are in the 0..p range. So, after each operation we will
1034
 * bring the result back to this range.
1035
 *
1036
 * The following macros are shortcuts for doing that.
1037
 */
1038

1039
/*
1040
 * Reduce a mbedtls_mpi mod p in-place, general case, to use after mbedtls_mpi_mul_mpi
1041
 */
1042
#if defined(MBEDTLS_SELF_TEST)
1043
#define INC_MUL_COUNT   mul_count++;
1044
#else
1045
#define INC_MUL_COUNT
1046
#endif
1047

1048
#define MOD_MUL(N)                                                    \
1049
    do                                                                  \
1050
    {                                                                   \
1051
        MBEDTLS_MPI_CHK(ecp_modp(&(N), grp));                       \
1052
        INC_MUL_COUNT                                                   \
1053
    } while (0)
1054

1055
static inline int mbedtls_mpi_mul_mod(const mbedtls_ecp_group *grp,
1056
                                      mbedtls_mpi *X,
1057
                                      const mbedtls_mpi *A,
1058
                                      const mbedtls_mpi *B)
1059
{
1060
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1061
    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(X, A, B));
1062
    MOD_MUL(*X);
1063
cleanup:
1064
    return ret;
1065
}
1066

1067
/*
1068
 * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
1069
 * N->s < 0 is a very fast test, which fails only if N is 0
1070
 */
1071
#define MOD_SUB(N)                                                          \
1072
    do {                                                                      \
1073
        while ((N)->s < 0 && mbedtls_mpi_cmp_int((N), 0) != 0)             \
1074
        MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi((N), (N), &grp->P));      \
1075
    } while (0)
1076

1077
MBEDTLS_MAYBE_UNUSED
1078
static inline int mbedtls_mpi_sub_mod(const mbedtls_ecp_group *grp,
1079
                                      mbedtls_mpi *X,
1080
                                      const mbedtls_mpi *A,
1081
                                      const mbedtls_mpi *B)
1082
{
1083
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1084
    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(X, A, B));
1085
    MOD_SUB(X);
1086
cleanup:
1087
    return ret;
1088
}
1089

1090
/*
1091
 * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
1092
 * We known P, N and the result are positive, so sub_abs is correct, and
1093
 * a bit faster.
1094
 */
1095
#define MOD_ADD(N)                                                   \
1096
    while (mbedtls_mpi_cmp_mpi((N), &grp->P) >= 0)                  \
1097
    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs((N), (N), &grp->P))
1098

1099
static inline int mbedtls_mpi_add_mod(const mbedtls_ecp_group *grp,
1100
                                      mbedtls_mpi *X,
1101
                                      const mbedtls_mpi *A,
1102
                                      const mbedtls_mpi *B)
1103
{
1104
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1105
    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, A, B));
1106
    MOD_ADD(X);
1107
cleanup:
1108
    return ret;
1109
}
1110

1111
MBEDTLS_MAYBE_UNUSED
1112
static inline int mbedtls_mpi_mul_int_mod(const mbedtls_ecp_group *grp,
1113
                                          mbedtls_mpi *X,
1114
                                          const mbedtls_mpi *A,
1115
                                          mbedtls_mpi_uint c)
1116
{
1117
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1118

1119
    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(X, A, c));
1120
    MOD_ADD(X);
1121
cleanup:
1122
    return ret;
1123
}
1124

1125
MBEDTLS_MAYBE_UNUSED
1126
static inline int mbedtls_mpi_sub_int_mod(const mbedtls_ecp_group *grp,
1127
                                          mbedtls_mpi *X,
1128
                                          const mbedtls_mpi *A,
1129
                                          mbedtls_mpi_uint c)
1130
{
1131
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1132

1133
    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(X, A, c));
1134
    MOD_SUB(X);
1135
cleanup:
1136
    return ret;
1137
}
1138

1139
#define MPI_ECP_SUB_INT(X, A, c)             \
1140
    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int_mod(grp, X, A, c))
1141

1142
MBEDTLS_MAYBE_UNUSED
1143
static inline int mbedtls_mpi_shift_l_mod(const mbedtls_ecp_group *grp,
1144
                                          mbedtls_mpi *X,
1145
                                          size_t count)
1146
{
1147
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1148
    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, count));
1149
    MOD_ADD(X);
1150
cleanup:
1151
    return ret;
1152
}
1153

1154
/*
1155
 * Macro wrappers around ECP modular arithmetic
1156
 *
1157
 * Currently, these wrappers are defined via the bignum module.
1158
 */
1159

1160
#define MPI_ECP_ADD(X, A, B)                                                  \
1161
    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, X, A, B))
1162

1163
#define MPI_ECP_SUB(X, A, B)                                                  \
1164
    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, X, A, B))
1165

1166
#define MPI_ECP_MUL(X, A, B)                                                  \
1167
    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, B))
1168

1169
#define MPI_ECP_SQR(X, A)                                                     \
1170
    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, A))
1171

1172
#define MPI_ECP_MUL_INT(X, A, c)                                              \
1173
    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int_mod(grp, X, A, c))
1174

1175
#define MPI_ECP_INV(dst, src)                                                 \
1176
    MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod((dst), (src), &grp->P))
1177

1178
#define MPI_ECP_MOV(X, A)                                                     \
1179
    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A))
1180

1181
#define MPI_ECP_SHIFT_L(X, count)                                             \
1182
    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l_mod(grp, X, count))
1183

1184
#define MPI_ECP_LSET(X, c)                                                    \
1185
    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, c))
1186

1187
#define MPI_ECP_CMP_INT(X, c)                                                 \
1188
    mbedtls_mpi_cmp_int(X, c)
1189

1190
#define MPI_ECP_CMP(X, Y)                                                     \
1191
    mbedtls_mpi_cmp_mpi(X, Y)
1192

1193
/* Needs f_rng, p_rng to be defined. */
1194
#define MPI_ECP_RAND(X)                                                       \
1195
    MBEDTLS_MPI_CHK(mbedtls_mpi_random((X), 2, &grp->P, f_rng, p_rng))
1196

1197
/* Conditional negation
1198
 * Needs grp and a temporary MPI tmp to be defined. */
1199
#define MPI_ECP_COND_NEG(X, cond)                                        \
1200
    do                                                                     \
1201
    {                                                                      \
1202
        unsigned char nonzero = mbedtls_mpi_cmp_int((X), 0) != 0;        \
1203
        MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&tmp, &grp->P, (X)));      \
1204
        MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), &tmp,          \
1205
                                                     nonzero & cond)); \
1206
    } while (0)
1207

1208
#define MPI_ECP_NEG(X) MPI_ECP_COND_NEG((X), 1)
1209

1210
#define MPI_ECP_VALID(X)                      \
1211
    ((X)->p != NULL)
1212

1213
#define MPI_ECP_COND_ASSIGN(X, Y, cond)       \
1214
    MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), (Y), (cond)))
1215

1216
#define MPI_ECP_COND_SWAP(X, Y, cond)       \
1217
    MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_swap((X), (Y), (cond)))
1218

1219
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
1220

1221
/*
1222
 * Computes the right-hand side of the Short Weierstrass equation
1223
 * RHS = X^3 + A X + B
1224
 */
1225
static int ecp_sw_rhs(const mbedtls_ecp_group *grp,
1226
                      mbedtls_mpi *rhs,
1227
                      const mbedtls_mpi *X)
1228
{
1229
    int ret;
1230

1231
    /* Compute X^3 + A X + B as X (X^2 + A) + B */
1232
    MPI_ECP_SQR(rhs, X);
1233

1234
    /* Special case for A = -3 */
1235
    if (mbedtls_ecp_group_a_is_minus_3(grp)) {
1236
        MPI_ECP_SUB_INT(rhs, rhs, 3);
1237
    } else {
1238
        MPI_ECP_ADD(rhs, rhs, &grp->A);
1239
    }
1240

1241
    MPI_ECP_MUL(rhs, rhs, X);
1242
    MPI_ECP_ADD(rhs, rhs, &grp->B);
1243

1244
cleanup:
1245
    return ret;
1246
}
1247

1248
/*
1249
 * Derive Y from X and a parity bit
1250
 */
1251
static int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
1252
                                   const mbedtls_mpi *X,
1253
                                   mbedtls_mpi *Y,
1254
                                   int parity_bit)
1255
{
1256
    /* w = y^2 = x^3 + ax + b
1257
     * y = sqrt(w) = w^((p+1)/4) mod p   (for prime p where p = 3 mod 4)
1258
     *
1259
     * Note: this method for extracting square root does not validate that w
1260
     * was indeed a square so this function will return garbage in Y if X
1261
     * does not correspond to a point on the curve.
1262
     */
1263

1264
    /* Check prerequisite p = 3 mod 4 */
1265
    if (mbedtls_mpi_get_bit(&grp->P, 0) != 1 ||
1266
        mbedtls_mpi_get_bit(&grp->P, 1) != 1) {
1267
        return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1268
    }
1269

1270
    int ret;
1271
    mbedtls_mpi exp;
1272
    mbedtls_mpi_init(&exp);
1273

1274
    /* use Y to store intermediate result, actually w above */
1275
    MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, Y, X));
1276

1277
    /* w = y^2 */ /* Y contains y^2 intermediate result */
1278
    /* exp = ((p+1)/4) */
1279
    MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&exp, &grp->P, 1));
1280
    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&exp, 2));
1281
    /* sqrt(w) = w^((p+1)/4) mod p   (for prime p where p = 3 mod 4) */
1282
    MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(Y, Y /*y^2*/, &exp, &grp->P, NULL));
1283

1284
    /* check parity bit match or else invert Y */
1285
    /* This quick inversion implementation is valid because Y != 0 for all
1286
     * Short Weierstrass curves supported by mbedtls, as each supported curve
1287
     * has an order that is a large prime, so each supported curve does not
1288
     * have any point of order 2, and a point with Y == 0 would be of order 2 */
1289
    if (mbedtls_mpi_get_bit(Y, 0) != parity_bit) {
1290
        MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(Y, &grp->P, Y));
1291
    }
1292

1293
cleanup:
1294

1295
    mbedtls_mpi_free(&exp);
1296
    return ret;
1297
}
1298
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
1299

1300
#if defined(MBEDTLS_ECP_C)
1301
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
1302
/*
1303
 * For curves in short Weierstrass form, we do all the internal operations in
1304
 * Jacobian coordinates.
1305
 *
1306
 * For multiplication, we'll use a comb method with countermeasures against
1307
 * SPA, hence timing attacks.
1308
 */
1309

1310
/*
1311
 * Normalize jacobian coordinates so that Z == 0 || Z == 1  (GECC 3.2.1)
1312
 * Cost: 1N := 1I + 3M + 1S
1313
 */
1314
static int ecp_normalize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt)
1315
{
1316
    if (MPI_ECP_CMP_INT(&pt->Z, 0) == 0) {
1317
        return 0;
1318
    }
1319

1320
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
1321
    if (mbedtls_internal_ecp_grp_capable(grp)) {
1322
        return mbedtls_internal_ecp_normalize_jac(grp, pt);
1323
    }
1324
#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
1325

1326
#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
1327
    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1328
#else
1329
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1330
    mbedtls_mpi T;
1331
    mbedtls_mpi_init(&T);
1332

1333
    MPI_ECP_INV(&T,       &pt->Z);            /* T   <-          1 / Z   */
1334
    MPI_ECP_MUL(&pt->Y,   &pt->Y,     &T);    /* Y'  <- Y*T    = Y / Z   */
1335
    MPI_ECP_SQR(&T,       &T);                /* T   <- T^2    = 1 / Z^2 */
1336
    MPI_ECP_MUL(&pt->X,   &pt->X,     &T);    /* X   <- X  * T = X / Z^2 */
1337
    MPI_ECP_MUL(&pt->Y,   &pt->Y,     &T);    /* Y'' <- Y' * T = Y / Z^3 */
1338

1339
    MPI_ECP_LSET(&pt->Z, 1);
1340

1341
cleanup:
1342

1343
    mbedtls_mpi_free(&T);
1344

1345
    return ret;
1346
#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) */
1347
}
1348

1349
/*
1350
 * Normalize jacobian coordinates of an array of (pointers to) points,
1351
 * using Montgomery's trick to perform only one inversion mod P.
1352
 * (See for example Cohen's "A Course in Computational Algebraic Number
1353
 * Theory", Algorithm 10.3.4.)
1354
 *
1355
 * Warning: fails (returning an error) if one of the points is zero!
1356
 * This should never happen, see choice of w in ecp_mul_comb().
1357
 *
1358
 * Cost: 1N(t) := 1I + (6t - 3)M + 1S
1359
 */
1360
static int ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
1361
                                  mbedtls_ecp_point *T[], size_t T_size)
1362
{
1363
    if (T_size < 2) {
1364
        return ecp_normalize_jac(grp, *T);
1365
    }
1366

1367
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
1368
    if (mbedtls_internal_ecp_grp_capable(grp)) {
1369
        return mbedtls_internal_ecp_normalize_jac_many(grp, T, T_size);
1370
    }
1371
#endif
1372

1373
#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
1374
    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1375
#else
1376
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1377
    size_t i;
1378
    mbedtls_mpi *c, t;
1379

1380
    if ((c = mbedtls_calloc(T_size, sizeof(mbedtls_mpi))) == NULL) {
1381
        return MBEDTLS_ERR_ECP_ALLOC_FAILED;
1382
    }
1383

1384
    mbedtls_mpi_init(&t);
1385

1386
    mpi_init_many(c, T_size);
1387
    /*
1388
     * c[i] = Z_0 * ... * Z_i,   i = 0,..,n := T_size-1
1389
     */
1390
    MPI_ECP_MOV(&c[0], &T[0]->Z);
1391
    for (i = 1; i < T_size; i++) {
1392
        MPI_ECP_MUL(&c[i], &c[i-1], &T[i]->Z);
1393
    }
1394

1395
    /*
1396
     * c[n] = 1 / (Z_0 * ... * Z_n) mod P
1397
     */
1398
    MPI_ECP_INV(&c[T_size-1], &c[T_size-1]);
1399

1400
    for (i = T_size - 1;; i--) {
1401
        /* At the start of iteration i (note that i decrements), we have
1402
         * - c[j] = Z_0 * .... * Z_j        for j  < i,
1403
         * - c[j] = 1 / (Z_0 * .... * Z_j)  for j == i,
1404
         *
1405
         * This is maintained via
1406
         * - c[i-1] <- c[i] * Z_i
1407
         *
1408
         * We also derive 1/Z_i = c[i] * c[i-1] for i>0 and use that
1409
         * to do the actual normalization. For i==0, we already have
1410
         * c[0] = 1 / Z_0.
1411
         */
1412

1413
        if (i > 0) {
1414
            /* Compute 1/Z_i and establish invariant for the next iteration. */
1415
            MPI_ECP_MUL(&t,      &c[i], &c[i-1]);
1416
            MPI_ECP_MUL(&c[i-1], &c[i], &T[i]->Z);
1417
        } else {
1418
            MPI_ECP_MOV(&t, &c[0]);
1419
        }
1420

1421
        /* Now t holds 1 / Z_i; normalize as in ecp_normalize_jac() */
1422
        MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
1423
        MPI_ECP_SQR(&t,       &t);
1424
        MPI_ECP_MUL(&T[i]->X, &T[i]->X, &t);
1425
        MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
1426

1427
        /*
1428
         * Post-precessing: reclaim some memory by shrinking coordinates
1429
         * - not storing Z (always 1)
1430
         * - shrinking other coordinates, but still keeping the same number of
1431
         *   limbs as P, as otherwise it will too likely be regrown too fast.
1432
         */
1433
        MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->X, grp->P.n));
1434
        MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->Y, grp->P.n));
1435

1436
        MPI_ECP_LSET(&T[i]->Z, 1);
1437

1438
        if (i == 0) {
1439
            break;
1440
        }
1441
    }
1442

1443
cleanup:
1444

1445
    mbedtls_mpi_free(&t);
1446
    mpi_free_many(c, T_size);
1447
    mbedtls_free(c);
1448

1449
    return ret;
1450
#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) */
1451
}
1452

1453
/*
1454
 * Conditional point inversion: Q -> -Q = (Q.X, -Q.Y, Q.Z) without leak.
1455
 * "inv" must be 0 (don't invert) or 1 (invert) or the result will be invalid
1456
 */
1457
static int ecp_safe_invert_jac(const mbedtls_ecp_group *grp,
1458
                               mbedtls_ecp_point *Q,
1459
                               unsigned char inv)
1460
{
1461
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1462
    mbedtls_mpi tmp;
1463
    mbedtls_mpi_init(&tmp);
1464

1465
    MPI_ECP_COND_NEG(&Q->Y, inv);
1466

1467
cleanup:
1468
    mbedtls_mpi_free(&tmp);
1469
    return ret;
1470
}
1471

1472
/*
1473
 * Point doubling R = 2 P, Jacobian coordinates
1474
 *
1475
 * Based on http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2 .
1476
 *
1477
 * We follow the variable naming fairly closely. The formula variations that trade a MUL for a SQR
1478
 * (plus a few ADDs) aren't useful as our bignum implementation doesn't distinguish squaring.
1479
 *
1480
 * Standard optimizations are applied when curve parameter A is one of { 0, -3 }.
1481
 *
1482
 * Cost: 1D := 3M + 4S          (A ==  0)
1483
 *             4M + 4S          (A == -3)
1484
 *             3M + 6S + 1a     otherwise
1485
 */
1486
static int ecp_double_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
1487
                          const mbedtls_ecp_point *P,
1488
                          mbedtls_mpi tmp[4])
1489
{
1490
#if defined(MBEDTLS_SELF_TEST)
1491
    dbl_count++;
1492
#endif
1493

1494
#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
1495
    if (mbedtls_internal_ecp_grp_capable(grp)) {
1496
        return mbedtls_internal_ecp_double_jac(grp, R, P);
1497
    }
1498
#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
1499

1500
#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
1501
    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1502
#else
1503
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1504

1505
    /* Special case for A = -3 */
1506
    if (mbedtls_ecp_group_a_is_minus_3(grp)) {
1507
        /* tmp[0] <- M = 3(X + Z^2)(X - Z^2) */
1508
        MPI_ECP_SQR(&tmp[1],  &P->Z);
1509
        MPI_ECP_ADD(&tmp[2],  &P->X,  &tmp[1]);
1510
        MPI_ECP_SUB(&tmp[3],  &P->X,  &tmp[1]);
1511
        MPI_ECP_MUL(&tmp[1],  &tmp[2],     &tmp[3]);
1512
        MPI_ECP_MUL_INT(&tmp[0],  &tmp[1],     3);
1513
    } else {
1514
        /* tmp[0] <- M = 3.X^2 + A.Z^4 */
1515
        MPI_ECP_SQR(&tmp[1],  &P->X);
1516
        MPI_ECP_MUL_INT(&tmp[0],  &tmp[1],  3);
1517

1518
        /* Optimize away for "koblitz" curves with A = 0 */
1519
        if (MPI_ECP_CMP_INT(&grp->A, 0) != 0) {
1520
            /* M += A.Z^4 */
1521
            MPI_ECP_SQR(&tmp[1],  &P->Z);
1522
            MPI_ECP_SQR(&tmp[2],  &tmp[1]);
1523
            MPI_ECP_MUL(&tmp[1],  &tmp[2],     &grp->A);
1524
            MPI_ECP_ADD(&tmp[0],  &tmp[0],     &tmp[1]);
1525
        }
1526
    }
1527

1528
    /* tmp[1] <- S = 4.X.Y^2 */
1529
    MPI_ECP_SQR(&tmp[2],  &P->Y);
1530
    MPI_ECP_SHIFT_L(&tmp[2],  1);
1531
    MPI_ECP_MUL(&tmp[1],  &P->X, &tmp[2]);
1532
    MPI_ECP_SHIFT_L(&tmp[1],  1);
1533

1534
    /* tmp[3] <- U = 8.Y^4 */
1535
    MPI_ECP_SQR(&tmp[3],  &tmp[2]);
1536
    MPI_ECP_SHIFT_L(&tmp[3],  1);
1537

1538
    /* tmp[2] <- T = M^2 - 2.S */
1539
    MPI_ECP_SQR(&tmp[2],  &tmp[0]);
1540
    MPI_ECP_SUB(&tmp[2],  &tmp[2], &tmp[1]);
1541
    MPI_ECP_SUB(&tmp[2],  &tmp[2], &tmp[1]);
1542

1543
    /* tmp[1] <- S = M(S - T) - U */
1544
    MPI_ECP_SUB(&tmp[1],  &tmp[1],     &tmp[2]);
1545
    MPI_ECP_MUL(&tmp[1],  &tmp[1],     &tmp[0]);
1546
    MPI_ECP_SUB(&tmp[1],  &tmp[1],     &tmp[3]);
1547

1548
    /* tmp[3] <- U = 2.Y.Z */
1549
    MPI_ECP_MUL(&tmp[3],  &P->Y,  &P->Z);
1550
    MPI_ECP_SHIFT_L(&tmp[3],  1);
1551

1552
    /* Store results */
1553
    MPI_ECP_MOV(&R->X, &tmp[2]);
1554
    MPI_ECP_MOV(&R->Y, &tmp[1]);
1555
    MPI_ECP_MOV(&R->Z, &tmp[3]);
1556

1557
cleanup:
1558

1559
    return ret;
1560
#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) */
1561
}
1562

1563
/*
1564
 * Addition: R = P + Q, mixed affine-Jacobian coordinates (GECC 3.22)
1565
 *
1566
 * The coordinates of Q must be normalized (= affine),
1567
 * but those of P don't need to. R is not normalized.
1568
 *
1569
 * P,Q,R may alias, but only at the level of EC points: they must be either
1570
 * equal as pointers, or disjoint (including the coordinate data buffers).
1571
 * Fine-grained aliasing at the level of coordinates is not supported.
1572
 *
1573
 * Special cases: (1) P or Q is zero, (2) R is zero, (3) P == Q.
1574
 * None of these cases can happen as intermediate step in ecp_mul_comb():
1575
 * - at each step, P, Q and R are multiples of the base point, the factor
1576
 *   being less than its order, so none of them is zero;
1577
 * - Q is an odd multiple of the base point, P an even multiple,
1578
 *   due to the choice of precomputed points in the modified comb method.
1579
 * So branches for these cases do not leak secret information.
1580
 *
1581
 * Cost: 1A := 8M + 3S
1582
 */
1583
static int ecp_add_mixed(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
1584
                         const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
1585
                         mbedtls_mpi tmp[4])
1586
{
1587
#if defined(MBEDTLS_SELF_TEST)
1588
    add_count++;
1589
#endif
1590

1591
#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
1592
    if (mbedtls_internal_ecp_grp_capable(grp)) {
1593
        return mbedtls_internal_ecp_add_mixed(grp, R, P, Q);
1594
    }
1595
#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
1596

1597
#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_ADD_MIXED_ALT)
1598
    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1599
#else
1600
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1601

1602
    /* NOTE: Aliasing between input and output is allowed, so one has to make
1603
     *       sure that at the point X,Y,Z are written, {P,Q}->{X,Y,Z} are no
1604
     *       longer read from. */
1605
    mbedtls_mpi * const X = &R->X;
1606
    mbedtls_mpi * const Y = &R->Y;
1607
    mbedtls_mpi * const Z = &R->Z;
1608

1609
    if (!MPI_ECP_VALID(&Q->Z)) {
1610
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
1611
    }
1612

1613
    /*
1614
     * Trivial cases: P == 0 or Q == 0 (case 1)
1615
     */
1616
    if (MPI_ECP_CMP_INT(&P->Z, 0) == 0) {
1617
        return mbedtls_ecp_copy(R, Q);
1618
    }
1619

1620
    if (MPI_ECP_CMP_INT(&Q->Z, 0) == 0) {
1621
        return mbedtls_ecp_copy(R, P);
1622
    }
1623

1624
    /*
1625
     * Make sure Q coordinates are normalized
1626
     */
1627
    if (MPI_ECP_CMP_INT(&Q->Z, 1) != 0) {
1628
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
1629
    }
1630

1631
    MPI_ECP_SQR(&tmp[0], &P->Z);
1632
    MPI_ECP_MUL(&tmp[1], &tmp[0], &P->Z);
1633
    MPI_ECP_MUL(&tmp[0], &tmp[0], &Q->X);
1634
    MPI_ECP_MUL(&tmp[1], &tmp[1], &Q->Y);
1635
    MPI_ECP_SUB(&tmp[0], &tmp[0], &P->X);
1636
    MPI_ECP_SUB(&tmp[1], &tmp[1], &P->Y);
1637

1638
    /* Special cases (2) and (3) */
1639
    if (MPI_ECP_CMP_INT(&tmp[0], 0) == 0) {
1640
        if (MPI_ECP_CMP_INT(&tmp[1], 0) == 0) {
1641
            ret = ecp_double_jac(grp, R, P, tmp);
1642
            goto cleanup;
1643
        } else {
1644
            ret = mbedtls_ecp_set_zero(R);
1645
            goto cleanup;
1646
        }
1647
    }
1648

1649
    /* {P,Q}->Z no longer used, so OK to write to Z even if there's aliasing. */
1650
    MPI_ECP_MUL(Z,        &P->Z,    &tmp[0]);
1651
    MPI_ECP_SQR(&tmp[2],  &tmp[0]);
1652
    MPI_ECP_MUL(&tmp[3],  &tmp[2],  &tmp[0]);
1653
    MPI_ECP_MUL(&tmp[2],  &tmp[2],  &P->X);
1654

1655
    MPI_ECP_MOV(&tmp[0], &tmp[2]);
1656
    MPI_ECP_SHIFT_L(&tmp[0], 1);
1657

1658
    /* {P,Q}->X no longer used, so OK to write to X even if there's aliasing. */
1659
    MPI_ECP_SQR(X,        &tmp[1]);
1660
    MPI_ECP_SUB(X,        X,        &tmp[0]);
1661
    MPI_ECP_SUB(X,        X,        &tmp[3]);
1662
    MPI_ECP_SUB(&tmp[2],  &tmp[2],  X);
1663
    MPI_ECP_MUL(&tmp[2],  &tmp[2],  &tmp[1]);
1664
    MPI_ECP_MUL(&tmp[3],  &tmp[3],  &P->Y);
1665
    /* {P,Q}->Y no longer used, so OK to write to Y even if there's aliasing. */
1666
    MPI_ECP_SUB(Y,     &tmp[2],     &tmp[3]);
1667

1668
cleanup:
1669

1670
    return ret;
1671
#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_ADD_MIXED_ALT) */
1672
}
1673

1674
/*
1675
 * Randomize jacobian coordinates:
1676
 * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l
1677
 * This is sort of the reverse operation of ecp_normalize_jac().
1678
 *
1679
 * This countermeasure was first suggested in [2].
1680
 */
1681
static int ecp_randomize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
1682
                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1683
{
1684
#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
1685
    if (mbedtls_internal_ecp_grp_capable(grp)) {
1686
        return mbedtls_internal_ecp_randomize_jac(grp, pt, f_rng, p_rng);
1687
    }
1688
#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
1689

1690
#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
1691
    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1692
#else
1693
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1694
    mbedtls_mpi l;
1695

1696
    mbedtls_mpi_init(&l);
1697

1698
    /* Generate l such that 1 < l < p */
1699
    MPI_ECP_RAND(&l);
1700

1701
    /* Z' = l * Z */
1702
    MPI_ECP_MUL(&pt->Z,   &pt->Z,     &l);
1703

1704
    /* Y' = l * Y */
1705
    MPI_ECP_MUL(&pt->Y,   &pt->Y,     &l);
1706

1707
    /* X' = l^2 * X */
1708
    MPI_ECP_SQR(&l,       &l);
1709
    MPI_ECP_MUL(&pt->X,   &pt->X,     &l);
1710

1711
    /* Y'' = l^2 * Y' = l^3 * Y */
1712
    MPI_ECP_MUL(&pt->Y,   &pt->Y,     &l);
1713

1714
cleanup:
1715
    mbedtls_mpi_free(&l);
1716

1717
    if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
1718
        ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
1719
    }
1720
    return ret;
1721
#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) */
1722
}
1723

1724
/*
1725
 * Check and define parameters used by the comb method (see below for details)
1726
 */
1727
#if MBEDTLS_ECP_WINDOW_SIZE < 2 || MBEDTLS_ECP_WINDOW_SIZE > 7
1728
#error "MBEDTLS_ECP_WINDOW_SIZE out of bounds"
1729
#endif
1730

1731
/* d = ceil( n / w ) */
1732
#define COMB_MAX_D      (MBEDTLS_ECP_MAX_BITS + 1) / 2
1733

1734
/* number of precomputed points */
1735
#define COMB_MAX_PRE    (1 << (MBEDTLS_ECP_WINDOW_SIZE - 1))
1736

1737
/*
1738
 * Compute the representation of m that will be used with our comb method.
1739
 *
1740
 * The basic comb method is described in GECC 3.44 for example. We use a
1741
 * modified version that provides resistance to SPA by avoiding zero
1742
 * digits in the representation as in [3]. We modify the method further by
1743
 * requiring that all K_i be odd, which has the small cost that our
1744
 * representation uses one more K_i, due to carries, but saves on the size of
1745
 * the precomputed table.
1746
 *
1747
 * Summary of the comb method and its modifications:
1748
 *
1749
 * - The goal is to compute m*P for some w*d-bit integer m.
1750
 *
1751
 * - The basic comb method splits m into the w-bit integers
1752
 *   x[0] .. x[d-1] where x[i] consists of the bits in m whose
1753
 *   index has residue i modulo d, and computes m * P as
1754
 *   S[x[0]] + 2 * S[x[1]] + .. + 2^(d-1) S[x[d-1]], where
1755
 *   S[i_{w-1} .. i_0] := i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + i_0 P.
1756
 *
1757
 * - If it happens that, say, x[i+1]=0 (=> S[x[i+1]]=0), one can replace the sum by
1758
 *    .. + 2^{i-1} S[x[i-1]] - 2^i S[x[i]] + 2^{i+1} S[x[i]] + 2^{i+2} S[x[i+2]] ..,
1759
 *   thereby successively converting it into a form where all summands
1760
 *   are nonzero, at the cost of negative summands. This is the basic idea of [3].
1761
 *
1762
 * - More generally, even if x[i+1] != 0, we can first transform the sum as
1763
 *   .. - 2^i S[x[i]] + 2^{i+1} ( S[x[i]] + S[x[i+1]] ) + 2^{i+2} S[x[i+2]] ..,
1764
 *   and then replace S[x[i]] + S[x[i+1]] = S[x[i] ^ x[i+1]] + 2 S[x[i] & x[i+1]].
1765
 *   Performing and iterating this procedure for those x[i] that are even
1766
 *   (keeping track of carry), we can transform the original sum into one of the form
1767
 *   S[x'[0]] +- 2 S[x'[1]] +- .. +- 2^{d-1} S[x'[d-1]] + 2^d S[x'[d]]
1768
 *   with all x'[i] odd. It is therefore only necessary to know S at odd indices,
1769
 *   which is why we are only computing half of it in the first place in
1770
 *   ecp_precompute_comb and accessing it with index abs(i) / 2 in ecp_select_comb.
1771
 *
1772
 * - For the sake of compactness, only the seven low-order bits of x[i]
1773
 *   are used to represent its absolute value (K_i in the paper), and the msb
1774
 *   of x[i] encodes the sign (s_i in the paper): it is set if and only if
1775
 *   if s_i == -1;
1776
 *
1777
 * Calling conventions:
1778
 * - x is an array of size d + 1
1779
 * - w is the size, ie number of teeth, of the comb, and must be between
1780
 *   2 and 7 (in practice, between 2 and MBEDTLS_ECP_WINDOW_SIZE)
1781
 * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
1782
 *   (the result will be incorrect if these assumptions are not satisfied)
1783
 */
1784
static void ecp_comb_recode_core(unsigned char x[], size_t d,
1785
                                 unsigned char w, const mbedtls_mpi *m)
1786
{
1787
    size_t i, j;
1788
    unsigned char c, cc, adjust;
1789

1790
    memset(x, 0, d+1);
1791

1792
    /* First get the classical comb values (except for x_d = 0) */
1793
    for (i = 0; i < d; i++) {
1794
        for (j = 0; j < w; j++) {
1795
            x[i] |= mbedtls_mpi_get_bit(m, i + d * j) << j;
1796
        }
1797
    }
1798

1799
    /* Now make sure x_1 .. x_d are odd */
1800
    c = 0;
1801
    for (i = 1; i <= d; i++) {
1802
        /* Add carry and update it */
1803
        cc   = x[i] & c;
1804
        x[i] = x[i] ^ c;
1805
        c = cc;
1806

1807
        /* Adjust if needed, avoiding branches */
1808
        adjust = 1 - (x[i] & 0x01);
1809
        c   |= x[i] & (x[i-1] * adjust);
1810
        x[i] = x[i] ^ (x[i-1] * adjust);
1811
        x[i-1] |= adjust << 7;
1812
    }
1813
}
1814

1815
/*
1816
 * Precompute points for the adapted comb method
1817
 *
1818
 * Assumption: T must be able to hold 2^{w - 1} elements.
1819
 *
1820
 * Operation: If i = i_{w-1} ... i_1 is the binary representation of i,
1821
 *            sets T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P.
1822
 *
1823
 * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
1824
 *
1825
 * Note: Even comb values (those where P would be omitted from the
1826
 *       sum defining T[i] above) are not needed in our adaption
1827
 *       the comb method. See ecp_comb_recode_core().
1828
 *
1829
 * This function currently works in four steps:
1830
 * (1) [dbl]      Computation of intermediate T[i] for 2-power values of i
1831
 * (2) [norm_dbl] Normalization of coordinates of these T[i]
1832
 * (3) [add]      Computation of all T[i]
1833
 * (4) [norm_add] Normalization of all T[i]
1834
 *
1835
 * Step 1 can be interrupted but not the others; together with the final
1836
 * coordinate normalization they are the largest steps done at once, depending
1837
 * on the window size. Here are operation counts for P-256:
1838
 *
1839
 * step     (2)     (3)     (4)
1840
 * w = 5    142     165     208
1841
 * w = 4    136      77     160
1842
 * w = 3    130      33     136
1843
 * w = 2    124      11     124
1844
 *
1845
 * So if ECC operations are blocking for too long even with a low max_ops
1846
 * value, it's useful to set MBEDTLS_ECP_WINDOW_SIZE to a lower value in order
1847
 * to minimize maximum blocking time.
1848
 */
1849
static int ecp_precompute_comb(const mbedtls_ecp_group *grp,
1850
                               mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
1851
                               unsigned char w, size_t d,
1852
                               mbedtls_ecp_restart_ctx *rs_ctx)
1853
{
1854
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1855
    unsigned char i;
1856
    size_t j = 0;
1857
    const unsigned char T_size = 1U << (w - 1);
1858
    mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1] = { NULL };
1859

1860
    mbedtls_mpi tmp[4];
1861

1862
    mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
1863

1864
#if defined(MBEDTLS_ECP_RESTARTABLE)
1865
    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
1866
        if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
1867
            goto dbl;
1868
        }
1869
        if (rs_ctx->rsm->state == ecp_rsm_pre_norm_dbl) {
1870
            goto norm_dbl;
1871
        }
1872
        if (rs_ctx->rsm->state == ecp_rsm_pre_add) {
1873
            goto add;
1874
        }
1875
        if (rs_ctx->rsm->state == ecp_rsm_pre_norm_add) {
1876
            goto norm_add;
1877
        }
1878
    }
1879
#else
1880
    (void) rs_ctx;
1881
#endif
1882

1883
#if defined(MBEDTLS_ECP_RESTARTABLE)
1884
    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
1885
        rs_ctx->rsm->state = ecp_rsm_pre_dbl;
1886

1887
        /* initial state for the loop */
1888
        rs_ctx->rsm->i = 0;
1889
    }
1890

1891
dbl:
1892
#endif
1893
    /*
1894
     * Set T[0] = P and
1895
     * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
1896
     */
1897
    MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&T[0], P));
1898

1899
#if defined(MBEDTLS_ECP_RESTARTABLE)
1900
    if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
1901
        j = rs_ctx->rsm->i;
1902
    } else
1903
#endif
1904
    j = 0;
1905

1906
    for (; j < d * (w - 1); j++) {
1907
        MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL);
1908

1909
        i = 1U << (j / d);
1910
        cur = T + i;
1911

1912
        if (j % d == 0) {
1913
            MBEDTLS_MPI_CHK(mbedtls_ecp_copy(cur, T + (i >> 1)));
1914
        }
1915

1916
        MBEDTLS_MPI_CHK(ecp_double_jac(grp, cur, cur, tmp));
1917
    }
1918

1919
#if defined(MBEDTLS_ECP_RESTARTABLE)
1920
    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
1921
        rs_ctx->rsm->state = ecp_rsm_pre_norm_dbl;
1922
    }
1923

1924
norm_dbl:
1925
#endif
1926
    /*
1927
     * Normalize current elements in T to allow them to be used in
1928
     * ecp_add_mixed() below, which requires one normalized input.
1929
     *
1930
     * As T has holes, use an auxiliary array of pointers to elements in T.
1931
     *
1932
     */
1933
    j = 0;
1934
    for (i = 1; i < T_size; i <<= 1) {
1935
        TT[j++] = T + i;
1936
    }
1937

1938
    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
1939

1940
    MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
1941

1942
#if defined(MBEDTLS_ECP_RESTARTABLE)
1943
    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
1944
        rs_ctx->rsm->state = ecp_rsm_pre_add;
1945
    }
1946

1947
add:
1948
#endif
1949
    /*
1950
     * Compute the remaining ones using the minimal number of additions
1951
     * Be careful to update T[2^l] only after using it!
1952
     */
1953
    MBEDTLS_ECP_BUDGET((T_size - 1) * MBEDTLS_ECP_OPS_ADD);
1954

1955
    for (i = 1; i < T_size; i <<= 1) {
1956
        j = i;
1957
        while (j--) {
1958
            MBEDTLS_MPI_CHK(ecp_add_mixed(grp, &T[i + j], &T[j], &T[i], tmp));
1959
        }
1960
    }
1961

1962
#if defined(MBEDTLS_ECP_RESTARTABLE)
1963
    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
1964
        rs_ctx->rsm->state = ecp_rsm_pre_norm_add;
1965
    }
1966

1967
norm_add:
1968
#endif
1969
    /*
1970
     * Normalize final elements in T. Even though there are no holes now, we
1971
     * still need the auxiliary array for homogeneity with the previous
1972
     * call. Also, skip T[0] which is already normalised, being a copy of P.
1973
     */
1974
    for (j = 0; j + 1 < T_size; j++) {
1975
        TT[j] = T + j + 1;
1976
    }
1977

1978
    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
1979

1980
    MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
1981

1982
    /* Free Z coordinate (=1 after normalization) to save RAM.
1983
     * This makes T[i] invalid as mbedtls_ecp_points, but this is OK
1984
     * since from this point onwards, they are only accessed indirectly
1985
     * via the getter function ecp_select_comb() which does set the
1986
     * target's Z coordinate to 1. */
1987
    for (i = 0; i < T_size; i++) {
1988
        mbedtls_mpi_free(&T[i].Z);
1989
    }
1990

1991
cleanup:
1992

1993
    mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
1994

1995
#if defined(MBEDTLS_ECP_RESTARTABLE)
1996
    if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
1997
        ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
1998
        if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
1999
            rs_ctx->rsm->i = j;
2000
        }
2001
    }
2002
#endif
2003

2004
    return ret;
2005
}
2006

2007
/*
2008
 * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
2009
 *
2010
 * See ecp_comb_recode_core() for background
2011
 */
2012
static int ecp_select_comb(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2013
                           const mbedtls_ecp_point T[], unsigned char T_size,
2014
                           unsigned char i)
2015
{
2016
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2017
    unsigned char ii, j;
2018

2019
    /* Ignore the "sign" bit and scale down */
2020
    ii =  (i & 0x7Fu) >> 1;
2021

2022
    /* Read the whole table to thwart cache-based timing attacks */
2023
    for (j = 0; j < T_size; j++) {
2024
        MPI_ECP_COND_ASSIGN(&R->X, &T[j].X, j == ii);
2025
        MPI_ECP_COND_ASSIGN(&R->Y, &T[j].Y, j == ii);
2026
    }
2027

2028
    /* Safely invert result if i is "negative" */
2029
    MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, R, i >> 7));
2030

2031
    MPI_ECP_LSET(&R->Z, 1);
2032

2033
cleanup:
2034
    return ret;
2035
}
2036

2037
/*
2038
 * Core multiplication algorithm for the (modified) comb method.
2039
 * This part is actually common with the basic comb method (GECC 3.44)
2040
 *
2041
 * Cost: d A + d D + 1 R
2042
 */
2043
static int ecp_mul_comb_core(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2044
                             const mbedtls_ecp_point T[], unsigned char T_size,
2045
                             const unsigned char x[], size_t d,
2046
                             int (*f_rng)(void *, unsigned char *, size_t),
2047
                             void *p_rng,
2048
                             mbedtls_ecp_restart_ctx *rs_ctx)
2049
{
2050
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2051
    mbedtls_ecp_point Txi;
2052
    mbedtls_mpi tmp[4];
2053
    size_t i;
2054

2055
    mbedtls_ecp_point_init(&Txi);
2056
    mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2057

2058
#if !defined(MBEDTLS_ECP_RESTARTABLE)
2059
    (void) rs_ctx;
2060
#endif
2061

2062
#if defined(MBEDTLS_ECP_RESTARTABLE)
2063
    if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
2064
        rs_ctx->rsm->state != ecp_rsm_comb_core) {
2065
        rs_ctx->rsm->i = 0;
2066
        rs_ctx->rsm->state = ecp_rsm_comb_core;
2067
    }
2068

2069
    /* new 'if' instead of nested for the sake of the 'else' branch */
2070
    if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
2071
        /* restore current index (R already pointing to rs_ctx->rsm->R) */
2072
        i = rs_ctx->rsm->i;
2073
    } else
2074
#endif
2075
    {
2076
        /* Start with a non-zero point and randomize its coordinates */
2077
        i = d;
2078
        MBEDTLS_MPI_CHK(ecp_select_comb(grp, R, T, T_size, x[i]));
2079
        if (f_rng != 0) {
2080
            MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, R, f_rng, p_rng));
2081
        }
2082
    }
2083

2084
    while (i != 0) {
2085
        MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL + MBEDTLS_ECP_OPS_ADD);
2086
        --i;
2087

2088
        MBEDTLS_MPI_CHK(ecp_double_jac(grp, R, R, tmp));
2089
        MBEDTLS_MPI_CHK(ecp_select_comb(grp, &Txi, T, T_size, x[i]));
2090
        MBEDTLS_MPI_CHK(ecp_add_mixed(grp, R, R, &Txi, tmp));
2091
    }
2092

2093
cleanup:
2094

2095
    mbedtls_ecp_point_free(&Txi);
2096
    mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2097

2098
#if defined(MBEDTLS_ECP_RESTARTABLE)
2099
    if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
2100
        ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2101
        rs_ctx->rsm->i = i;
2102
        /* no need to save R, already pointing to rs_ctx->rsm->R */
2103
    }
2104
#endif
2105

2106
    return ret;
2107
}
2108

2109
/*
2110
 * Recode the scalar to get constant-time comb multiplication
2111
 *
2112
 * As the actual scalar recoding needs an odd scalar as a starting point,
2113
 * this wrapper ensures that by replacing m by N - m if necessary, and
2114
 * informs the caller that the result of multiplication will be negated.
2115
 *
2116
 * This works because we only support large prime order for Short Weierstrass
2117
 * curves, so N is always odd hence either m or N - m is.
2118
 *
2119
 * See ecp_comb_recode_core() for background.
2120
 */
2121
static int ecp_comb_recode_scalar(const mbedtls_ecp_group *grp,
2122
                                  const mbedtls_mpi *m,
2123
                                  unsigned char k[COMB_MAX_D + 1],
2124
                                  size_t d,
2125
                                  unsigned char w,
2126
                                  unsigned char *parity_trick)
2127
{
2128
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2129
    mbedtls_mpi M, mm;
2130

2131
    mbedtls_mpi_init(&M);
2132
    mbedtls_mpi_init(&mm);
2133

2134
    /* N is always odd (see above), just make extra sure */
2135
    if (mbedtls_mpi_get_bit(&grp->N, 0) != 1) {
2136
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2137
    }
2138

2139
    /* do we need the parity trick? */
2140
    *parity_trick = (mbedtls_mpi_get_bit(m, 0) == 0);
2141

2142
    /* execute parity fix in constant time */
2143
    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&M, m));
2144
    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&mm, &grp->N, m));
2145
    MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(&M, &mm, *parity_trick));
2146

2147
    /* actual scalar recoding */
2148
    ecp_comb_recode_core(k, d, w, &M);
2149

2150
cleanup:
2151
    mbedtls_mpi_free(&mm);
2152
    mbedtls_mpi_free(&M);
2153

2154
    return ret;
2155
}
2156

2157
/*
2158
 * Perform comb multiplication (for short Weierstrass curves)
2159
 * once the auxiliary table has been pre-computed.
2160
 *
2161
 * Scalar recoding may use a parity trick that makes us compute -m * P,
2162
 * if that is the case we'll need to recover m * P at the end.
2163
 */
2164
static int ecp_mul_comb_after_precomp(const mbedtls_ecp_group *grp,
2165
                                      mbedtls_ecp_point *R,
2166
                                      const mbedtls_mpi *m,
2167
                                      const mbedtls_ecp_point *T,
2168
                                      unsigned char T_size,
2169
                                      unsigned char w,
2170
                                      size_t d,
2171
                                      int (*f_rng)(void *, unsigned char *, size_t),
2172
                                      void *p_rng,
2173
                                      mbedtls_ecp_restart_ctx *rs_ctx)
2174
{
2175
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2176
    unsigned char parity_trick;
2177
    unsigned char k[COMB_MAX_D + 1];
2178
    mbedtls_ecp_point *RR = R;
2179

2180
#if defined(MBEDTLS_ECP_RESTARTABLE)
2181
    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
2182
        RR = &rs_ctx->rsm->R;
2183

2184
        if (rs_ctx->rsm->state == ecp_rsm_final_norm) {
2185
            goto final_norm;
2186
        }
2187
    }
2188
#endif
2189

2190
    MBEDTLS_MPI_CHK(ecp_comb_recode_scalar(grp, m, k, d, w,
2191
                                           &parity_trick));
2192
    MBEDTLS_MPI_CHK(ecp_mul_comb_core(grp, RR, T, T_size, k, d,
2193
                                      f_rng, p_rng, rs_ctx));
2194
    MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, RR, parity_trick));
2195

2196
#if defined(MBEDTLS_ECP_RESTARTABLE)
2197
    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
2198
        rs_ctx->rsm->state = ecp_rsm_final_norm;
2199
    }
2200

2201
final_norm:
2202
    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
2203
#endif
2204
    /*
2205
     * Knowledge of the jacobian coordinates may leak the last few bits of the
2206
     * scalar [1], and since our MPI implementation isn't constant-flow,
2207
     * inversion (used for coordinate normalization) may leak the full value
2208
     * of its input via side-channels [2].
2209
     *
2210
     * [1] https://eprint.iacr.org/2003/191
2211
     * [2] https://eprint.iacr.org/2020/055
2212
     *
2213
     * Avoid the leak by randomizing coordinates before we normalize them.
2214
     */
2215
    if (f_rng != 0) {
2216
        MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, RR, f_rng, p_rng));
2217
    }
2218

2219
    MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, RR));
2220

2221
#if defined(MBEDTLS_ECP_RESTARTABLE)
2222
    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
2223
        MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, RR));
2224
    }
2225
#endif
2226

2227
cleanup:
2228
    return ret;
2229
}
2230

2231
/*
2232
 * Pick window size based on curve size and whether we optimize for base point
2233
 */
2234
static unsigned char ecp_pick_window_size(const mbedtls_ecp_group *grp,
2235
                                          unsigned char p_eq_g)
2236
{
2237
    unsigned char w;
2238

2239
    /*
2240
     * Minimize the number of multiplications, that is minimize
2241
     * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
2242
     * (see costs of the various parts, with 1S = 1M)
2243
     */
2244
    w = grp->nbits >= 384 ? 5 : 4;
2245

2246
    /*
2247
     * If P == G, pre-compute a bit more, since this may be re-used later.
2248
     * Just adding one avoids upping the cost of the first mul too much,
2249
     * and the memory cost too.
2250
     */
2251
    if (p_eq_g) {
2252
        w++;
2253
    }
2254

2255
    /*
2256
     * If static comb table may not be used (!p_eq_g) or static comb table does
2257
     * not exists, make sure w is within bounds.
2258
     * (The last test is useful only for very small curves in the test suite.)
2259
     *
2260
     * The user reduces MBEDTLS_ECP_WINDOW_SIZE does not changes the size of
2261
     * static comb table, because the size of static comb table is fixed when
2262
     * it is generated.
2263
     */
2264
#if (MBEDTLS_ECP_WINDOW_SIZE < 6)
2265
    if ((!p_eq_g || !ecp_group_is_static_comb_table(grp)) && w > MBEDTLS_ECP_WINDOW_SIZE) {
2266
        w = MBEDTLS_ECP_WINDOW_SIZE;
2267
    }
2268
#endif
2269
    if (w >= grp->nbits) {
2270
        w = 2;
2271
    }
2272

2273
    return w;
2274
}
2275

2276
/*
2277
 * Multiplication using the comb method - for curves in short Weierstrass form
2278
 *
2279
 * This function is mainly responsible for administrative work:
2280
 * - managing the restart context if enabled
2281
 * - managing the table of precomputed points (passed between the below two
2282
 *   functions): allocation, computation, ownership transfer, freeing.
2283
 *
2284
 * It delegates the actual arithmetic work to:
2285
 *      ecp_precompute_comb() and ecp_mul_comb_with_precomp()
2286
 *
2287
 * See comments on ecp_comb_recode_core() regarding the computation strategy.
2288
 */
2289
static int ecp_mul_comb(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2290
                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2291
                        int (*f_rng)(void *, unsigned char *, size_t),
2292
                        void *p_rng,
2293
                        mbedtls_ecp_restart_ctx *rs_ctx)
2294
{
2295
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2296
    unsigned char w, p_eq_g, i;
2297
    size_t d;
2298
    unsigned char T_size = 0, T_ok = 0;
2299
    mbedtls_ecp_point *T = NULL;
2300

2301
    ECP_RS_ENTER(rsm);
2302

2303
    /* Is P the base point ? */
2304
#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
2305
    p_eq_g = (MPI_ECP_CMP(&P->Y, &grp->G.Y) == 0 &&
2306
              MPI_ECP_CMP(&P->X, &grp->G.X) == 0);
2307
#else
2308
    p_eq_g = 0;
2309
#endif
2310

2311
    /* Pick window size and deduce related sizes */
2312
    w = ecp_pick_window_size(grp, p_eq_g);
2313
    T_size = 1U << (w - 1);
2314
    d = (grp->nbits + w - 1) / w;
2315

2316
    /* Pre-computed table: do we have it already for the base point? */
2317
    if (p_eq_g && grp->T != NULL) {
2318
        /* second pointer to the same table, will be deleted on exit */
2319
        T = grp->T;
2320
        T_ok = 1;
2321
    } else
2322
#if defined(MBEDTLS_ECP_RESTARTABLE)
2323
    /* Pre-computed table: do we have one in progress? complete? */
2324
    if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->T != NULL) {
2325
        /* transfer ownership of T from rsm to local function */
2326
        T = rs_ctx->rsm->T;
2327
        rs_ctx->rsm->T = NULL;
2328
        rs_ctx->rsm->T_size = 0;
2329

2330
        /* This effectively jumps to the call to mul_comb_after_precomp() */
2331
        T_ok = rs_ctx->rsm->state >= ecp_rsm_comb_core;
2332
    } else
2333
#endif
2334
    /* Allocate table if we didn't have any */
2335
    {
2336
        T = mbedtls_calloc(T_size, sizeof(mbedtls_ecp_point));
2337
        if (T == NULL) {
2338
            ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
2339
            goto cleanup;
2340
        }
2341

2342
        for (i = 0; i < T_size; i++) {
2343
            mbedtls_ecp_point_init(&T[i]);
2344
        }
2345

2346
        T_ok = 0;
2347
    }
2348

2349
    /* Compute table (or finish computing it) if not done already */
2350
    if (!T_ok) {
2351
        MBEDTLS_MPI_CHK(ecp_precompute_comb(grp, T, P, w, d, rs_ctx));
2352

2353
        if (p_eq_g) {
2354
            /* almost transfer ownership of T to the group, but keep a copy of
2355
             * the pointer to use for calling the next function more easily */
2356
            grp->T = T;
2357
            grp->T_size = T_size;
2358
        }
2359
    }
2360

2361
    /* Actual comb multiplication using precomputed points */
2362
    MBEDTLS_MPI_CHK(ecp_mul_comb_after_precomp(grp, R, m,
2363
                                               T, T_size, w, d,
2364
                                               f_rng, p_rng, rs_ctx));
2365

2366
cleanup:
2367

2368
    /* does T belong to the group? */
2369
    if (T == grp->T) {
2370
        T = NULL;
2371
    }
2372

2373
    /* does T belong to the restart context? */
2374
#if defined(MBEDTLS_ECP_RESTARTABLE)
2375
    if (rs_ctx != NULL && rs_ctx->rsm != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS && T != NULL) {
2376
        /* transfer ownership of T from local function to rsm */
2377
        rs_ctx->rsm->T_size = T_size;
2378
        rs_ctx->rsm->T = T;
2379
        T = NULL;
2380
    }
2381
#endif
2382

2383
    /* did T belong to us? then let's destroy it! */
2384
    if (T != NULL) {
2385
        for (i = 0; i < T_size; i++) {
2386
            mbedtls_ecp_point_free(&T[i]);
2387
        }
2388
        mbedtls_free(T);
2389
    }
2390

2391
    /* prevent caller from using invalid value */
2392
    int should_free_R = (ret != 0);
2393
#if defined(MBEDTLS_ECP_RESTARTABLE)
2394
    /* don't free R while in progress in case R == P */
2395
    if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2396
        should_free_R = 0;
2397
    }
2398
#endif
2399
    if (should_free_R) {
2400
        mbedtls_ecp_point_free(R);
2401
    }
2402

2403
    ECP_RS_LEAVE(rsm);
2404

2405
    return ret;
2406
}
2407

2408
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
2409

2410
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
2411
/*
2412
 * For Montgomery curves, we do all the internal arithmetic in projective
2413
 * coordinates. Import/export of points uses only the x coordinates, which is
2414
 * internally represented as X / Z.
2415
 *
2416
 * For scalar multiplication, we'll use a Montgomery ladder.
2417
 */
2418

2419
/*
2420
 * Normalize Montgomery x/z coordinates: X = X/Z, Z = 1
2421
 * Cost: 1M + 1I
2422
 */
2423
static int ecp_normalize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P)
2424
{
2425
#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
2426
    if (mbedtls_internal_ecp_grp_capable(grp)) {
2427
        return mbedtls_internal_ecp_normalize_mxz(grp, P);
2428
    }
2429
#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
2430

2431
#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
2432
    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
2433
#else
2434
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2435
    MPI_ECP_INV(&P->Z, &P->Z);
2436
    MPI_ECP_MUL(&P->X, &P->X, &P->Z);
2437
    MPI_ECP_LSET(&P->Z, 1);
2438

2439
cleanup:
2440
    return ret;
2441
#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) */
2442
}
2443

2444
/*
2445
 * Randomize projective x/z coordinates:
2446
 * (X, Z) -> (l X, l Z) for random l
2447
 * This is sort of the reverse operation of ecp_normalize_mxz().
2448
 *
2449
 * This countermeasure was first suggested in [2].
2450
 * Cost: 2M
2451
 */
2452
static int ecp_randomize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
2453
                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
2454
{
2455
#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
2456
    if (mbedtls_internal_ecp_grp_capable(grp)) {
2457
        return mbedtls_internal_ecp_randomize_mxz(grp, P, f_rng, p_rng);
2458
    }
2459
#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
2460

2461
#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
2462
    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
2463
#else
2464
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2465
    mbedtls_mpi l;
2466
    mbedtls_mpi_init(&l);
2467

2468
    /* Generate l such that 1 < l < p */
2469
    MPI_ECP_RAND(&l);
2470

2471
    MPI_ECP_MUL(&P->X, &P->X, &l);
2472
    MPI_ECP_MUL(&P->Z, &P->Z, &l);
2473

2474
cleanup:
2475
    mbedtls_mpi_free(&l);
2476

2477
    if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
2478
        ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
2479
    }
2480
    return ret;
2481
#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) */
2482
}
2483

2484
/*
2485
 * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
2486
 * for Montgomery curves in x/z coordinates.
2487
 *
2488
 * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
2489
 * with
2490
 * d =  X1
2491
 * P = (X2, Z2)
2492
 * Q = (X3, Z3)
2493
 * R = (X4, Z4)
2494
 * S = (X5, Z5)
2495
 * and eliminating temporary variables tO, ..., t4.
2496
 *
2497
 * Cost: 5M + 4S
2498
 */
2499
static int ecp_double_add_mxz(const mbedtls_ecp_group *grp,
2500
                              mbedtls_ecp_point *R, mbedtls_ecp_point *S,
2501
                              const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
2502
                              const mbedtls_mpi *d,
2503
                              mbedtls_mpi T[4])
2504
{
2505
#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
2506
    if (mbedtls_internal_ecp_grp_capable(grp)) {
2507
        return mbedtls_internal_ecp_double_add_mxz(grp, R, S, P, Q, d);
2508
    }
2509
#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
2510

2511
#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
2512
    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
2513
#else
2514
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2515

2516
    MPI_ECP_ADD(&T[0], &P->X,   &P->Z);   /* Pp := PX + PZ                    */
2517
    MPI_ECP_SUB(&T[1], &P->X,   &P->Z);   /* Pm := PX - PZ                    */
2518
    MPI_ECP_ADD(&T[2], &Q->X,   &Q->Z);   /* Qp := QX + XZ                    */
2519
    MPI_ECP_SUB(&T[3], &Q->X,   &Q->Z);   /* Qm := QX - QZ                    */
2520
    MPI_ECP_MUL(&T[3], &T[3],   &T[0]);   /* Qm * Pp                          */
2521
    MPI_ECP_MUL(&T[2], &T[2],   &T[1]);   /* Qp * Pm                          */
2522
    MPI_ECP_SQR(&T[0], &T[0]);            /* Pp^2                             */
2523
    MPI_ECP_SQR(&T[1], &T[1]);            /* Pm^2                             */
2524
    MPI_ECP_MUL(&R->X, &T[0],   &T[1]);   /* Pp^2 * Pm^2                      */
2525
    MPI_ECP_SUB(&T[0], &T[0],   &T[1]);   /* Pp^2 - Pm^2                      */
2526
    MPI_ECP_MUL(&R->Z, &grp->A, &T[0]);   /* A * (Pp^2 - Pm^2)                */
2527
    MPI_ECP_ADD(&R->Z, &T[1],   &R->Z);   /* [ A * (Pp^2-Pm^2) ] + Pm^2       */
2528
    MPI_ECP_ADD(&S->X, &T[3],   &T[2]);   /* Qm*Pp + Qp*Pm                    */
2529
    MPI_ECP_SQR(&S->X, &S->X);            /* (Qm*Pp + Qp*Pm)^2                */
2530
    MPI_ECP_SUB(&S->Z, &T[3],   &T[2]);   /* Qm*Pp - Qp*Pm                    */
2531
    MPI_ECP_SQR(&S->Z, &S->Z);            /* (Qm*Pp - Qp*Pm)^2                */
2532
    MPI_ECP_MUL(&S->Z, d,       &S->Z);   /* d * ( Qm*Pp - Qp*Pm )^2          */
2533
    MPI_ECP_MUL(&R->Z, &T[0],   &R->Z);   /* [A*(Pp^2-Pm^2)+Pm^2]*(Pp^2-Pm^2) */
2534

2535
cleanup:
2536

2537
    return ret;
2538
#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) */
2539
}
2540

2541
/*
2542
 * Multiplication with Montgomery ladder in x/z coordinates,
2543
 * for curves in Montgomery form
2544
 */
2545
static int ecp_mul_mxz(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2546
                       const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2547
                       int (*f_rng)(void *, unsigned char *, size_t),
2548
                       void *p_rng)
2549
{
2550
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2551
    size_t i;
2552
    unsigned char b;
2553
    mbedtls_ecp_point RP;
2554
    mbedtls_mpi PX;
2555
    mbedtls_mpi tmp[4];
2556
    mbedtls_ecp_point_init(&RP); mbedtls_mpi_init(&PX);
2557

2558
    mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2559

2560
    if (f_rng == NULL) {
2561
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2562
    }
2563

2564
    /* Save PX and read from P before writing to R, in case P == R */
2565
    MPI_ECP_MOV(&PX, &P->X);
2566
    MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&RP, P));
2567

2568
    /* Set R to zero in modified x/z coordinates */
2569
    MPI_ECP_LSET(&R->X, 1);
2570
    MPI_ECP_LSET(&R->Z, 0);
2571
    mbedtls_mpi_free(&R->Y);
2572

2573
    /* RP.X might be slightly larger than P, so reduce it */
2574
    MOD_ADD(&RP.X);
2575

2576
    /* Randomize coordinates of the starting point */
2577
    MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, &RP, f_rng, p_rng));
2578

2579
    /* Loop invariant: R = result so far, RP = R + P */
2580
    i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */
2581
    while (i-- > 0) {
2582
        b = mbedtls_mpi_get_bit(m, i);
2583
        /*
2584
         *  if (b) R = 2R + P else R = 2R,
2585
         * which is:
2586
         *  if (b) double_add( RP, R, RP, R )
2587
         *  else   double_add( R, RP, R, RP )
2588
         * but using safe conditional swaps to avoid leaks
2589
         */
2590
        MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
2591
        MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
2592
        MBEDTLS_MPI_CHK(ecp_double_add_mxz(grp, R, &RP, R, &RP, &PX, tmp));
2593
        MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
2594
        MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
2595
    }
2596

2597
    /*
2598
     * Knowledge of the projective coordinates may leak the last few bits of the
2599
     * scalar [1], and since our MPI implementation isn't constant-flow,
2600
     * inversion (used for coordinate normalization) may leak the full value
2601
     * of its input via side-channels [2].
2602
     *
2603
     * [1] https://eprint.iacr.org/2003/191
2604
     * [2] https://eprint.iacr.org/2020/055
2605
     *
2606
     * Avoid the leak by randomizing coordinates before we normalize them.
2607
     */
2608
    MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, R, f_rng, p_rng));
2609
    MBEDTLS_MPI_CHK(ecp_normalize_mxz(grp, R));
2610

2611
cleanup:
2612
    mbedtls_ecp_point_free(&RP); mbedtls_mpi_free(&PX);
2613

2614
    mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2615
    return ret;
2616
}
2617

2618
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
2619

2620
/*
2621
 * Restartable multiplication R = m * P
2622
 *
2623
 * This internal function can be called without an RNG in case where we know
2624
 * the inputs are not sensitive.
2625
 */
2626
static int ecp_mul_restartable_internal(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2627
                                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2628
                                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
2629
                                        mbedtls_ecp_restart_ctx *rs_ctx)
2630
{
2631
    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2632
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
2633
    char is_grp_capable = 0;
2634
#endif
2635

2636
#if defined(MBEDTLS_ECP_RESTARTABLE)
2637
    /* reset ops count for this call if top-level */
2638
    if (rs_ctx != NULL && rs_ctx->depth++ == 0) {
2639
        rs_ctx->ops_done = 0;
2640
    }
2641
#else
2642
    (void) rs_ctx;
2643
#endif
2644

2645
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
2646
    if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) {
2647
        MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
2648
    }
2649
#endif /* MBEDTLS_ECP_INTERNAL_ALT */
2650

2651
    int restarting = 0;
2652
#if defined(MBEDTLS_ECP_RESTARTABLE)
2653
    restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL);
2654
#endif
2655
    /* skip argument check when restarting */
2656
    if (!restarting) {
2657
        /* check_privkey is free */
2658
        MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_CHK);
2659

2660
        /* Common sanity checks */
2661
        MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(grp, m));
2662
        MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
2663
    }
2664

2665
    ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2666
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
2667
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
2668
        MBEDTLS_MPI_CHK(ecp_mul_mxz(grp, R, m, P, f_rng, p_rng));
2669
    }
2670
#endif
2671
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
2672
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
2673
        MBEDTLS_MPI_CHK(ecp_mul_comb(grp, R, m, P, f_rng, p_rng, rs_ctx));
2674
    }
2675
#endif
2676

2677
cleanup:
2678

2679
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
2680
    if (is_grp_capable) {
2681
        mbedtls_internal_ecp_free(grp);
2682
    }
2683
#endif /* MBEDTLS_ECP_INTERNAL_ALT */
2684

2685
#if defined(MBEDTLS_ECP_RESTARTABLE)
2686
    if (rs_ctx != NULL) {
2687
        rs_ctx->depth--;
2688
    }
2689
#endif
2690

2691
    return ret;
2692
}
2693

2694
/*
2695
 * Restartable multiplication R = m * P
2696
 */
2697
int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2698
                                const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2699
                                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
2700
                                mbedtls_ecp_restart_ctx *rs_ctx)
2701
{
2702
    if (f_rng == NULL) {
2703
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2704
    }
2705

2706
    return ecp_mul_restartable_internal(grp, R, m, P, f_rng, p_rng, rs_ctx);
2707
}
2708

2709
/*
2710
 * Multiplication R = m * P
2711
 */
2712
int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2713
                    const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2714
                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
2715
{
2716
    return mbedtls_ecp_mul_restartable(grp, R, m, P, f_rng, p_rng, NULL);
2717
}
2718
#endif /* MBEDTLS_ECP_C */
2719

2720
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
2721
/*
2722
 * Check that an affine point is valid as a public key,
2723
 * short weierstrass curves (SEC1 3.2.3.1)
2724
 */
2725
static int ecp_check_pubkey_sw(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
2726
{
2727
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2728
    mbedtls_mpi YY, RHS;
2729

2730
    /* pt coordinates must be normalized for our checks */
2731
    if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0 ||
2732
        mbedtls_mpi_cmp_int(&pt->Y, 0) < 0 ||
2733
        mbedtls_mpi_cmp_mpi(&pt->X, &grp->P) >= 0 ||
2734
        mbedtls_mpi_cmp_mpi(&pt->Y, &grp->P) >= 0) {
2735
        return MBEDTLS_ERR_ECP_INVALID_KEY;
2736
    }
2737

2738
    mbedtls_mpi_init(&YY); mbedtls_mpi_init(&RHS);
2739

2740
    /*
2741
     * YY = Y^2
2742
     * RHS = X^3 + A X + B
2743
     */
2744
    MPI_ECP_SQR(&YY,  &pt->Y);
2745
    MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, &RHS, &pt->X));
2746

2747
    if (MPI_ECP_CMP(&YY, &RHS) != 0) {
2748
        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
2749
    }
2750

2751
cleanup:
2752

2753
    mbedtls_mpi_free(&YY); mbedtls_mpi_free(&RHS);
2754

2755
    return ret;
2756
}
2757
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
2758

2759
#if defined(MBEDTLS_ECP_C)
2760
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
2761
/*
2762
 * R = m * P with shortcuts for m == 0, m == 1 and m == -1
2763
 * NOT constant-time - ONLY for short Weierstrass!
2764
 */
2765
static int mbedtls_ecp_mul_shortcuts(mbedtls_ecp_group *grp,
2766
                                     mbedtls_ecp_point *R,
2767
                                     const mbedtls_mpi *m,
2768
                                     const mbedtls_ecp_point *P,
2769
                                     mbedtls_ecp_restart_ctx *rs_ctx)
2770
{
2771
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2772
    mbedtls_mpi tmp;
2773
    mbedtls_mpi_init(&tmp);
2774

2775
    if (mbedtls_mpi_cmp_int(m, 0) == 0) {
2776
        MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
2777
        MBEDTLS_MPI_CHK(mbedtls_ecp_set_zero(R));
2778
    } else if (mbedtls_mpi_cmp_int(m, 1) == 0) {
2779
        MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
2780
        MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
2781
    } else if (mbedtls_mpi_cmp_int(m, -1) == 0) {
2782
        MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
2783
        MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
2784
        MPI_ECP_NEG(&R->Y);
2785
    } else {
2786
        MBEDTLS_MPI_CHK(ecp_mul_restartable_internal(grp, R, m, P,
2787
                                                     NULL, NULL, rs_ctx));
2788
    }
2789

2790
cleanup:
2791
    mbedtls_mpi_free(&tmp);
2792

2793
    return ret;
2794
}
2795

2796
/*
2797
 * Restartable linear combination
2798
 * NOT constant-time
2799
 */
2800
int mbedtls_ecp_muladd_restartable(
2801
    mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2802
    const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2803
    const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
2804
    mbedtls_ecp_restart_ctx *rs_ctx)
2805
{
2806
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2807
    mbedtls_ecp_point mP;
2808
    mbedtls_ecp_point *pmP = &mP;
2809
    mbedtls_ecp_point *pR = R;
2810
    mbedtls_mpi tmp[4];
2811
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
2812
    char is_grp_capable = 0;
2813
#endif
2814
    if (mbedtls_ecp_get_type(grp) != MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
2815
        return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
2816
    }
2817

2818
    mbedtls_ecp_point_init(&mP);
2819
    mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2820

2821
    ECP_RS_ENTER(ma);
2822

2823
#if defined(MBEDTLS_ECP_RESTARTABLE)
2824
    if (rs_ctx != NULL && rs_ctx->ma != NULL) {
2825
        /* redirect intermediate results to restart context */
2826
        pmP = &rs_ctx->ma->mP;
2827
        pR  = &rs_ctx->ma->R;
2828

2829
        /* jump to next operation */
2830
        if (rs_ctx->ma->state == ecp_rsma_mul2) {
2831
            goto mul2;
2832
        }
2833
        if (rs_ctx->ma->state == ecp_rsma_add) {
2834
            goto add;
2835
        }
2836
        if (rs_ctx->ma->state == ecp_rsma_norm) {
2837
            goto norm;
2838
        }
2839
    }
2840
#endif /* MBEDTLS_ECP_RESTARTABLE */
2841

2842
    MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pmP, m, P, rs_ctx));
2843
#if defined(MBEDTLS_ECP_RESTARTABLE)
2844
    if (rs_ctx != NULL && rs_ctx->ma != NULL) {
2845
        rs_ctx->ma->state = ecp_rsma_mul2;
2846
    }
2847

2848
mul2:
2849
#endif
2850
    MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pR,  n, Q, rs_ctx));
2851

2852
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
2853
    if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) {
2854
        MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
2855
    }
2856
#endif /* MBEDTLS_ECP_INTERNAL_ALT */
2857

2858
#if defined(MBEDTLS_ECP_RESTARTABLE)
2859
    if (rs_ctx != NULL && rs_ctx->ma != NULL) {
2860
        rs_ctx->ma->state = ecp_rsma_add;
2861
    }
2862

2863
add:
2864
#endif
2865
    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_ADD);
2866
    MBEDTLS_MPI_CHK(ecp_add_mixed(grp, pR, pmP, pR, tmp));
2867
#if defined(MBEDTLS_ECP_RESTARTABLE)
2868
    if (rs_ctx != NULL && rs_ctx->ma != NULL) {
2869
        rs_ctx->ma->state = ecp_rsma_norm;
2870
    }
2871

2872
norm:
2873
#endif
2874
    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
2875
    MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, pR));
2876

2877
#if defined(MBEDTLS_ECP_RESTARTABLE)
2878
    if (rs_ctx != NULL && rs_ctx->ma != NULL) {
2879
        MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, pR));
2880
    }
2881
#endif
2882

2883
cleanup:
2884

2885
    mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2886

2887
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
2888
    if (is_grp_capable) {
2889
        mbedtls_internal_ecp_free(grp);
2890
    }
2891
#endif /* MBEDTLS_ECP_INTERNAL_ALT */
2892

2893
    mbedtls_ecp_point_free(&mP);
2894

2895
    ECP_RS_LEAVE(ma);
2896

2897
    return ret;
2898
}
2899

2900
/*
2901
 * Linear combination
2902
 * NOT constant-time
2903
 */
2904
int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2905
                       const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2906
                       const mbedtls_mpi *n, const mbedtls_ecp_point *Q)
2907
{
2908
    return mbedtls_ecp_muladd_restartable(grp, R, m, P, n, Q, NULL);
2909
}
2910
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
2911
#endif /* MBEDTLS_ECP_C */
2912

2913
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
2914
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
2915
#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
2916
#define ECP_MPI_INIT_ARRAY(x)   \
2917
    ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
2918
/*
2919
 * Constants for the two points other than 0, 1, -1 (mod p) in
2920
 * https://cr.yp.to/ecdh.html#validate
2921
 * See ecp_check_pubkey_x25519().
2922
 */
2923
static const mbedtls_mpi_uint x25519_bad_point_1[] = {
2924
    MBEDTLS_BYTES_TO_T_UINT_8(0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae),
2925
    MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a),
2926
    MBEDTLS_BYTES_TO_T_UINT_8(0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd),
2927
    MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00),
2928
};
2929
static const mbedtls_mpi_uint x25519_bad_point_2[] = {
2930
    MBEDTLS_BYTES_TO_T_UINT_8(0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24),
2931
    MBEDTLS_BYTES_TO_T_UINT_8(0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b),
2932
    MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86),
2933
    MBEDTLS_BYTES_TO_T_UINT_8(0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57),
2934
};
2935
static const mbedtls_mpi ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY(
2936
    x25519_bad_point_1);
2937
static const mbedtls_mpi ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY(
2938
    x25519_bad_point_2);
2939
#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
2940

2941
/*
2942
 * Check that the input point is not one of the low-order points.
2943
 * This is recommended by the "May the Fourth" paper:
2944
 * https://eprint.iacr.org/2017/806.pdf
2945
 * Those points are never sent by an honest peer.
2946
 */
2947
static int ecp_check_bad_points_mx(const mbedtls_mpi *X, const mbedtls_mpi *P,
2948
                                   const mbedtls_ecp_group_id grp_id)
2949
{
2950
    int ret;
2951
    mbedtls_mpi XmP;
2952

2953
    mbedtls_mpi_init(&XmP);
2954

2955
    /* Reduce X mod P so that we only need to check values less than P.
2956
     * We know X < 2^256 so we can proceed by subtraction. */
2957
    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&XmP, X));
2958
    while (mbedtls_mpi_cmp_mpi(&XmP, P) >= 0) {
2959
        MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&XmP, &XmP, P));
2960
    }
2961

2962
    /* Check against the known bad values that are less than P. For Curve448
2963
     * these are 0, 1 and -1. For Curve25519 we check the values less than P
2964
     * from the following list: https://cr.yp.to/ecdh.html#validate */
2965
    if (mbedtls_mpi_cmp_int(&XmP, 1) <= 0) {  /* takes care of 0 and 1 */
2966
        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
2967
        goto cleanup;
2968
    }
2969

2970
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
2971
    if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
2972
        if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_1) == 0) {
2973
            ret = MBEDTLS_ERR_ECP_INVALID_KEY;
2974
            goto cleanup;
2975
        }
2976

2977
        if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_2) == 0) {
2978
            ret = MBEDTLS_ERR_ECP_INVALID_KEY;
2979
            goto cleanup;
2980
        }
2981
    }
2982
#else
2983
    (void) grp_id;
2984
#endif
2985

2986
    /* Final check: check if XmP + 1 is P (final because it changes XmP!) */
2987
    MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&XmP, &XmP, 1));
2988
    if (mbedtls_mpi_cmp_mpi(&XmP, P) == 0) {
2989
        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
2990
        goto cleanup;
2991
    }
2992

2993
    ret = 0;
2994

2995
cleanup:
2996
    mbedtls_mpi_free(&XmP);
2997

2998
    return ret;
2999
}
3000

3001
/*
3002
 * Check validity of a public key for Montgomery curves with x-only schemes
3003
 */
3004
static int ecp_check_pubkey_mx(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
3005
{
3006
    /* [Curve25519 p. 5] Just check X is the correct number of bytes */
3007
    /* Allow any public value, if it's too big then we'll just reduce it mod p
3008
     * (RFC 7748 sec. 5 para. 3). */
3009
    if (mbedtls_mpi_size(&pt->X) > (grp->nbits + 7) / 8) {
3010
        return MBEDTLS_ERR_ECP_INVALID_KEY;
3011
    }
3012

3013
    /* Implicit in all standards (as they don't consider negative numbers):
3014
     * X must be non-negative. This is normally ensured by the way it's
3015
     * encoded for transmission, but let's be extra sure. */
3016
    if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0) {
3017
        return MBEDTLS_ERR_ECP_INVALID_KEY;
3018
    }
3019

3020
    return ecp_check_bad_points_mx(&pt->X, &grp->P, grp->id);
3021
}
3022
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3023

3024
/*
3025
 * Check that a point is valid as a public key
3026
 */
3027
int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp,
3028
                             const mbedtls_ecp_point *pt)
3029
{
3030
    /* Must use affine coordinates */
3031
    if (mbedtls_mpi_cmp_int(&pt->Z, 1) != 0) {
3032
        return MBEDTLS_ERR_ECP_INVALID_KEY;
3033
    }
3034

3035
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3036
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
3037
        return ecp_check_pubkey_mx(grp, pt);
3038
    }
3039
#endif
3040
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3041
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
3042
        return ecp_check_pubkey_sw(grp, pt);
3043
    }
3044
#endif
3045
    return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3046
}
3047

3048
/*
3049
 * Check that an mbedtls_mpi is valid as a private key
3050
 */
3051
int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
3052
                              const mbedtls_mpi *d)
3053
{
3054
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3055
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
3056
        /* see RFC 7748 sec. 5 para. 5 */
3057
        if (mbedtls_mpi_get_bit(d, 0) != 0 ||
3058
            mbedtls_mpi_get_bit(d, 1) != 0 ||
3059
            mbedtls_mpi_bitlen(d) != grp->nbits + 1) {  /* mbedtls_mpi_bitlen is one-based! */
3060
            return MBEDTLS_ERR_ECP_INVALID_KEY;
3061
        }
3062

3063
        /* see [Curve25519] page 5 */
3064
        if (grp->nbits == 254 && mbedtls_mpi_get_bit(d, 2) != 0) {
3065
            return MBEDTLS_ERR_ECP_INVALID_KEY;
3066
        }
3067

3068
        return 0;
3069
    }
3070
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3071
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3072
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
3073
        /* see SEC1 3.2 */
3074
        if (mbedtls_mpi_cmp_int(d, 1) < 0 ||
3075
            mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0) {
3076
            return MBEDTLS_ERR_ECP_INVALID_KEY;
3077
        } else {
3078
            return 0;
3079
        }
3080
    }
3081
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
3082

3083
    return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3084
}
3085

3086
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3087
MBEDTLS_STATIC_TESTABLE
3088
int mbedtls_ecp_gen_privkey_mx(size_t high_bit,
3089
                               mbedtls_mpi *d,
3090
                               int (*f_rng)(void *, unsigned char *, size_t),
3091
                               void *p_rng)
3092
{
3093
    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3094
    size_t n_random_bytes = high_bit / 8 + 1;
3095

3096
    /* [Curve25519] page 5 */
3097
    /* Generate a (high_bit+1)-bit random number by generating just enough
3098
     * random bytes, then shifting out extra bits from the top (necessary
3099
     * when (high_bit+1) is not a multiple of 8). */
3100
    MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(d, n_random_bytes,
3101
                                            f_rng, p_rng));
3102
    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(d, 8 * n_random_bytes - high_bit - 1));
3103

3104
    MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, high_bit, 1));
3105

3106
    /* Make sure the last two bits are unset for Curve448, three bits for
3107
       Curve25519 */
3108
    MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 0, 0));
3109
    MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 1, 0));
3110
    if (high_bit == 254) {
3111
        MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 2, 0));
3112
    }
3113

3114
cleanup:
3115
    return ret;
3116
}
3117
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3118

3119
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3120
static int mbedtls_ecp_gen_privkey_sw(
3121
    const mbedtls_mpi *N, mbedtls_mpi *d,
3122
    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
3123
{
3124
    int ret = mbedtls_mpi_random(d, 1, N, f_rng, p_rng);
3125
    switch (ret) {
3126
        case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
3127
            return MBEDTLS_ERR_ECP_RANDOM_FAILED;
3128
        default:
3129
            return ret;
3130
    }
3131
}
3132
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
3133

3134
/*
3135
 * Generate a private key
3136
 */
3137
int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
3138
                            mbedtls_mpi *d,
3139
                            int (*f_rng)(void *, unsigned char *, size_t),
3140
                            void *p_rng)
3141
{
3142
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3143
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
3144
        return mbedtls_ecp_gen_privkey_mx(grp->nbits, d, f_rng, p_rng);
3145
    }
3146
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3147

3148
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3149
    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
3150
        return mbedtls_ecp_gen_privkey_sw(&grp->N, d, f_rng, p_rng);
3151
    }
3152
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
3153

3154
    return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3155
}
3156

3157
#if defined(MBEDTLS_ECP_C)
3158
/*
3159
 * Generate a keypair with configurable base point
3160
 */
3161
int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
3162
                                 const mbedtls_ecp_point *G,
3163
                                 mbedtls_mpi *d, mbedtls_ecp_point *Q,
3164
                                 int (*f_rng)(void *, unsigned char *, size_t),
3165
                                 void *p_rng)
3166
{
3167
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3168
    MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
3169
    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, Q, d, G, f_rng, p_rng));
3170

3171
cleanup:
3172
    return ret;
3173
}
3174

3175
/*
3176
 * Generate key pair, wrapper for conventional base point
3177
 */
3178
int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp,
3179
                            mbedtls_mpi *d, mbedtls_ecp_point *Q,
3180
                            int (*f_rng)(void *, unsigned char *, size_t),
3181
                            void *p_rng)
3182
{
3183
    return mbedtls_ecp_gen_keypair_base(grp, &grp->G, d, Q, f_rng, p_rng);
3184
}
3185

3186
/*
3187
 * Generate a keypair, prettier wrapper
3188
 */
3189
int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
3190
                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
3191
{
3192
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3193
    if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
3194
        return ret;
3195
    }
3196

3197
    return mbedtls_ecp_gen_keypair(&key->grp, &key->d, &key->Q, f_rng, p_rng);
3198
}
3199
#endif /* MBEDTLS_ECP_C */
3200

3201
int mbedtls_ecp_set_public_key(mbedtls_ecp_group_id grp_id,
3202
                               mbedtls_ecp_keypair *key,
3203
                               const mbedtls_ecp_point *Q)
3204
{
3205
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3206

3207
    if (key->grp.id == MBEDTLS_ECP_DP_NONE) {
3208
        /* Group not set yet */
3209
        if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
3210
            return ret;
3211
        }
3212
    } else if (key->grp.id != grp_id) {
3213
        /* Group mismatch */
3214
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3215
    }
3216
    return mbedtls_ecp_copy(&key->Q, Q);
3217
}
3218

3219

3220
#define ECP_CURVE25519_KEY_SIZE 32
3221
#define ECP_CURVE448_KEY_SIZE   56
3222
/*
3223
 * Read a private key.
3224
 */
3225
int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
3226
                         const unsigned char *buf, size_t buflen)
3227
{
3228
    int ret = 0;
3229

3230
    if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
3231
        return ret;
3232
    }
3233

3234
    ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
3235

3236
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3237
    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
3238
        /*
3239
         * Mask the key as mandated by RFC7748 for Curve25519 and Curve448.
3240
         */
3241
        if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
3242
            if (buflen != ECP_CURVE25519_KEY_SIZE) {
3243
                return MBEDTLS_ERR_ECP_INVALID_KEY;
3244
            }
3245

3246
            MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
3247

3248
            /* Set the three least significant bits to 0 */
3249
            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
3250
            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
3251
            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 2, 0));
3252

3253
            /* Set the most significant bit to 0 */
3254
            MBEDTLS_MPI_CHK(
3255
                mbedtls_mpi_set_bit(&key->d,
3256
                                    ECP_CURVE25519_KEY_SIZE * 8 - 1, 0)
3257
                );
3258

3259
            /* Set the second most significant bit to 1 */
3260
            MBEDTLS_MPI_CHK(
3261
                mbedtls_mpi_set_bit(&key->d,
3262
                                    ECP_CURVE25519_KEY_SIZE * 8 - 2, 1)
3263
                );
3264
        } else if (grp_id == MBEDTLS_ECP_DP_CURVE448) {
3265
            if (buflen != ECP_CURVE448_KEY_SIZE) {
3266
                return MBEDTLS_ERR_ECP_INVALID_KEY;
3267
            }
3268

3269
            MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
3270

3271
            /* Set the two least significant bits to 0 */
3272
            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
3273
            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
3274

3275
            /* Set the most significant bit to 1 */
3276
            MBEDTLS_MPI_CHK(
3277
                mbedtls_mpi_set_bit(&key->d,
3278
                                    ECP_CURVE448_KEY_SIZE * 8 - 1, 1)
3279
                );
3280
        }
3281
    }
3282
#endif
3283
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3284
    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
3285
        MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&key->d, buf, buflen));
3286
    }
3287
#endif
3288

3289
    if (ret == 0) {
3290
        MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(&key->grp, &key->d));
3291
    }
3292

3293
cleanup:
3294

3295
    if (ret != 0) {
3296
        mbedtls_mpi_free(&key->d);
3297
    }
3298

3299
    return ret;
3300
}
3301

3302
/*
3303
 * Write a private key.
3304
 */
3305
#if !defined MBEDTLS_DEPRECATED_REMOVED
3306
int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
3307
                          unsigned char *buf, size_t buflen)
3308
{
3309
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3310

3311
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3312
    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
3313
        if (key->grp.id == MBEDTLS_ECP_DP_CURVE25519) {
3314
            if (buflen < ECP_CURVE25519_KEY_SIZE) {
3315
                return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
3316
            }
3317

3318
        } else if (key->grp.id == MBEDTLS_ECP_DP_CURVE448) {
3319
            if (buflen < ECP_CURVE448_KEY_SIZE) {
3320
                return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
3321
            }
3322
        }
3323
        MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&key->d, buf, buflen));
3324
    }
3325
#endif
3326
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3327
    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
3328
        MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&key->d, buf, buflen));
3329
    }
3330

3331
#endif
3332
cleanup:
3333

3334
    return ret;
3335
}
3336
#endif /* MBEDTLS_DEPRECATED_REMOVED */
3337

3338
int mbedtls_ecp_write_key_ext(const mbedtls_ecp_keypair *key,
3339
                              size_t *olen, unsigned char *buf, size_t buflen)
3340
{
3341
    size_t len = (key->grp.nbits + 7) / 8;
3342
    if (len > buflen) {
3343
        /* For robustness, ensure *olen <= buflen even on error. */
3344
        *olen = 0;
3345
        return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
3346
    }
3347
    *olen = len;
3348

3349
    /* Private key not set */
3350
    if (key->d.n == 0) {
3351
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3352
    }
3353

3354
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3355
    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
3356
        return mbedtls_mpi_write_binary_le(&key->d, buf, len);
3357
    }
3358
#endif
3359

3360
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3361
    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
3362
        return mbedtls_mpi_write_binary(&key->d, buf, len);
3363
    }
3364
#endif
3365

3366
    /* Private key set but no recognized curve type? This shouldn't happen. */
3367
    return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3368
}
3369

3370
/*
3371
 * Write a public key.
3372
 */
3373
int mbedtls_ecp_write_public_key(const mbedtls_ecp_keypair *key,
3374
                                 int format, size_t *olen,
3375
                                 unsigned char *buf, size_t buflen)
3376
{
3377
    return mbedtls_ecp_point_write_binary(&key->grp, &key->Q,
3378
                                          format, olen, buf, buflen);
3379
}
3380

3381

3382
#if defined(MBEDTLS_ECP_C)
3383
/*
3384
 * Check a public-private key pair
3385
 */
3386
int mbedtls_ecp_check_pub_priv(
3387
    const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv,
3388
    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
3389
{
3390
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3391
    mbedtls_ecp_point Q;
3392
    mbedtls_ecp_group grp;
3393
    if (pub->grp.id == MBEDTLS_ECP_DP_NONE ||
3394
        pub->grp.id != prv->grp.id ||
3395
        mbedtls_mpi_cmp_mpi(&pub->Q.X, &prv->Q.X) ||
3396
        mbedtls_mpi_cmp_mpi(&pub->Q.Y, &prv->Q.Y) ||
3397
        mbedtls_mpi_cmp_mpi(&pub->Q.Z, &prv->Q.Z)) {
3398
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3399
    }
3400

3401
    mbedtls_ecp_point_init(&Q);
3402
    mbedtls_ecp_group_init(&grp);
3403

3404
    /* mbedtls_ecp_mul() needs a non-const group... */
3405
    mbedtls_ecp_group_copy(&grp, &prv->grp);
3406

3407
    /* Also checks d is valid */
3408
    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &Q, &prv->d, &prv->grp.G, f_rng, p_rng));
3409

3410
    if (mbedtls_mpi_cmp_mpi(&Q.X, &prv->Q.X) ||
3411
        mbedtls_mpi_cmp_mpi(&Q.Y, &prv->Q.Y) ||
3412
        mbedtls_mpi_cmp_mpi(&Q.Z, &prv->Q.Z)) {
3413
        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3414
        goto cleanup;
3415
    }
3416

3417
cleanup:
3418
    mbedtls_ecp_point_free(&Q);
3419
    mbedtls_ecp_group_free(&grp);
3420

3421
    return ret;
3422
}
3423

3424
int mbedtls_ecp_keypair_calc_public(mbedtls_ecp_keypair *key,
3425
                                    int (*f_rng)(void *, unsigned char *, size_t),
3426
                                    void *p_rng)
3427
{
3428
    return mbedtls_ecp_mul(&key->grp, &key->Q, &key->d, &key->grp.G,
3429
                           f_rng, p_rng);
3430
}
3431
#endif /* MBEDTLS_ECP_C */
3432

3433
mbedtls_ecp_group_id mbedtls_ecp_keypair_get_group_id(
3434
    const mbedtls_ecp_keypair *key)
3435
{
3436
    return key->grp.id;
3437
}
3438

3439
/*
3440
 * Export generic key-pair parameters.
3441
 */
3442
int mbedtls_ecp_export(const mbedtls_ecp_keypair *key, mbedtls_ecp_group *grp,
3443
                       mbedtls_mpi *d, mbedtls_ecp_point *Q)
3444
{
3445
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3446

3447
    if (grp != NULL && (ret = mbedtls_ecp_group_copy(grp, &key->grp)) != 0) {
3448
        return ret;
3449
    }
3450

3451
    if (d != NULL && (ret = mbedtls_mpi_copy(d, &key->d)) != 0) {
3452
        return ret;
3453
    }
3454

3455
    if (Q != NULL && (ret = mbedtls_ecp_copy(Q, &key->Q)) != 0) {
3456
        return ret;
3457
    }
3458

3459
    return 0;
3460
}
3461

3462
#if defined(MBEDTLS_SELF_TEST)
3463

3464
#if defined(MBEDTLS_ECP_C)
3465
/*
3466
 * PRNG for test - !!!INSECURE NEVER USE IN PRODUCTION!!!
3467
 *
3468
 * This is the linear congruential generator from numerical recipes,
3469
 * except we only use the low byte as the output. See
3470
 * https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
3471
 */
3472
static int self_test_rng(void *ctx, unsigned char *out, size_t len)
3473
{
3474
    static uint32_t state = 42;
3475

3476
    (void) ctx;
3477

3478
    for (size_t i = 0; i < len; i++) {
3479
        state = state * 1664525u + 1013904223u;
3480
        out[i] = (unsigned char) state;
3481
    }
3482

3483
    return 0;
3484
}
3485

3486
/* Adjust the exponent to be a valid private point for the specified curve.
3487
 * This is sometimes necessary because we use a single set of exponents
3488
 * for all curves but the validity of values depends on the curve. */
3489
static int self_test_adjust_exponent(const mbedtls_ecp_group *grp,
3490
                                     mbedtls_mpi *m)
3491
{
3492
    int ret = 0;
3493
    switch (grp->id) {
3494
    /* If Curve25519 is available, then that's what we use for the
3495
     * Montgomery test, so we don't need the adjustment code. */
3496
#if !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
3497
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
3498
        case MBEDTLS_ECP_DP_CURVE448:
3499
            /* Move highest bit from 254 to N-1. Setting bit N-1 is
3500
             * necessary to enforce the highest-bit-set constraint. */
3501
            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, 254, 0));
3502
            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, grp->nbits, 1));
3503
            /* Copy second-highest bit from 253 to N-2. This is not
3504
             * necessary but improves the test variety a bit. */
3505
            MBEDTLS_MPI_CHK(
3506
                mbedtls_mpi_set_bit(m, grp->nbits - 1,
3507
                                    mbedtls_mpi_get_bit(m, 253)));
3508
            break;
3509
#endif
3510
#endif /* ! defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) */
3511
        default:
3512
            /* Non-Montgomery curves and Curve25519 need no adjustment. */
3513
            (void) grp;
3514
            (void) m;
3515
            goto cleanup;
3516
    }
3517
cleanup:
3518
    return ret;
3519
}
3520

3521
/* Calculate R = m.P for each m in exponents. Check that the number of
3522
 * basic operations doesn't depend on the value of m. */
3523
static int self_test_point(int verbose,
3524
                           mbedtls_ecp_group *grp,
3525
                           mbedtls_ecp_point *R,
3526
                           mbedtls_mpi *m,
3527
                           const mbedtls_ecp_point *P,
3528
                           const char *const *exponents,
3529
                           size_t n_exponents)
3530
{
3531
    int ret = 0;
3532
    size_t i = 0;
3533
    unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
3534
    add_count = 0;
3535
    dbl_count = 0;
3536
    mul_count = 0;
3537

3538
    MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[0]));
3539
    MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
3540
    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
3541

3542
    for (i = 1; i < n_exponents; i++) {
3543
        add_c_prev = add_count;
3544
        dbl_c_prev = dbl_count;
3545
        mul_c_prev = mul_count;
3546
        add_count = 0;
3547
        dbl_count = 0;
3548
        mul_count = 0;
3549

3550
        MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[i]));
3551
        MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
3552
        MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
3553

3554
        if (add_count != add_c_prev ||
3555
            dbl_count != dbl_c_prev ||
3556
            mul_count != mul_c_prev) {
3557
            ret = 1;
3558
            break;
3559
        }
3560
    }
3561

3562
cleanup:
3563
    if (verbose != 0) {
3564
        if (ret != 0) {
3565
            mbedtls_printf("failed (%u)\n", (unsigned int) i);
3566
        } else {
3567
            mbedtls_printf("passed\n");
3568
        }
3569
    }
3570
    return ret;
3571
}
3572
#endif /* MBEDTLS_ECP_C */
3573

3574
/*
3575
 * Checkup routine
3576
 */
3577
int mbedtls_ecp_self_test(int verbose)
3578
{
3579
#if defined(MBEDTLS_ECP_C)
3580
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3581
    mbedtls_ecp_group grp;
3582
    mbedtls_ecp_point R, P;
3583
    mbedtls_mpi m;
3584

3585
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3586
    /* Exponents especially adapted for secp192k1, which has the lowest
3587
     * order n of all supported curves (secp192r1 is in a slightly larger
3588
     * field but the order of its base point is slightly smaller). */
3589
    const char *sw_exponents[] =
3590
    {
3591
        "000000000000000000000000000000000000000000000001", /* one */
3592
        "FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8C", /* n - 1 */
3593
        "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
3594
        "400000000000000000000000000000000000000000000000", /* one and zeros */
3595
        "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
3596
        "555555555555555555555555555555555555555555555555", /* 101010... */
3597
    };
3598
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
3599
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3600
    const char *m_exponents[] =
3601
    {
3602
        /* Valid private values for Curve25519. In a build with Curve448
3603
         * but not Curve25519, they will be adjusted in
3604
         * self_test_adjust_exponent(). */
3605
        "4000000000000000000000000000000000000000000000000000000000000000",
3606
        "5C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C30",
3607
        "5715ECCE24583F7A7023C24164390586842E816D7280A49EF6DF4EAE6B280BF8",
3608
        "41A2B017516F6D254E1F002BCCBADD54BE30F8CEC737A0E912B4963B6BA74460",
3609
        "5555555555555555555555555555555555555555555555555555555555555550",
3610
        "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8",
3611
    };
3612
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3613

3614
    mbedtls_ecp_group_init(&grp);
3615
    mbedtls_ecp_point_init(&R);
3616
    mbedtls_ecp_point_init(&P);
3617
    mbedtls_mpi_init(&m);
3618

3619
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3620
    /* Use secp192r1 if available, or any available curve */
3621
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
3622
    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP192R1));
3623
#else
3624
    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, mbedtls_ecp_curve_list()->grp_id));
3625
#endif
3626

3627
    if (verbose != 0) {
3628
        mbedtls_printf("  ECP SW test #1 (constant op_count, base point G): ");
3629
    }
3630
    /* Do a dummy multiplication first to trigger precomputation */
3631
    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&m, 2));
3632
    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &P, &m, &grp.G, self_test_rng, NULL));
3633
    ret = self_test_point(verbose,
3634
                          &grp, &R, &m, &grp.G,
3635
                          sw_exponents,
3636
                          sizeof(sw_exponents) / sizeof(sw_exponents[0]));
3637
    if (ret != 0) {
3638
        goto cleanup;
3639
    }
3640

3641
    if (verbose != 0) {
3642
        mbedtls_printf("  ECP SW test #2 (constant op_count, other point): ");
3643
    }
3644
    /* We computed P = 2G last time, use it */
3645
    ret = self_test_point(verbose,
3646
                          &grp, &R, &m, &P,
3647
                          sw_exponents,
3648
                          sizeof(sw_exponents) / sizeof(sw_exponents[0]));
3649
    if (ret != 0) {
3650
        goto cleanup;
3651
    }
3652

3653
    mbedtls_ecp_group_free(&grp);
3654
    mbedtls_ecp_point_free(&R);
3655
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
3656

3657
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3658
    if (verbose != 0) {
3659
        mbedtls_printf("  ECP Montgomery test (constant op_count): ");
3660
    }
3661
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
3662
    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE25519));
3663
#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
3664
    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE448));
3665
#else
3666
#error "MBEDTLS_ECP_MONTGOMERY_ENABLED is defined, but no curve is supported for self-test"
3667
#endif
3668
    ret = self_test_point(verbose,
3669
                          &grp, &R, &m, &grp.G,
3670
                          m_exponents,
3671
                          sizeof(m_exponents) / sizeof(m_exponents[0]));
3672
    if (ret != 0) {
3673
        goto cleanup;
3674
    }
3675
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3676

3677
cleanup:
3678

3679
    if (ret < 0 && verbose != 0) {
3680
        mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
3681
    }
3682

3683
    mbedtls_ecp_group_free(&grp);
3684
    mbedtls_ecp_point_free(&R);
3685
    mbedtls_ecp_point_free(&P);
3686
    mbedtls_mpi_free(&m);
3687

3688
    if (verbose != 0) {
3689
        mbedtls_printf("\n");
3690
    }
3691

3692
    return ret;
3693
#else /* MBEDTLS_ECP_C */
3694
    (void) verbose;
3695
    return 0;
3696
#endif /* MBEDTLS_ECP_C */
3697
}
3698

3699
#endif /* MBEDTLS_SELF_TEST */
3700

3701
#endif /* !MBEDTLS_ECP_ALT */
3702

3703
#endif /* MBEDTLS_ECP_LIGHT */
3704

3705