mbedtls/library/ecp.c

*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi *  Elliptic curves over GF(p): generic functions
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *  Copyright The Mbed TLS Contributors
*62c56f98SSadaf Ebrahimi *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * References:
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * SEC1 https://www.secg.org/sec1-v2.pdf
*62c56f98SSadaf Ebrahimi * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
*62c56f98SSadaf Ebrahimi * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
*62c56f98SSadaf Ebrahimi * RFC 4492 for the related TLS structures and constants
*62c56f98SSadaf Ebrahimi * - https://www.rfc-editor.org/rfc/rfc4492
*62c56f98SSadaf Ebrahimi * RFC 7748 for the Curve448 and Curve25519 curve definitions
*62c56f98SSadaf Ebrahimi * - https://www.rfc-editor.org/rfc/rfc7748
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * [Curve25519] https://cr.yp.to/ecdh/curve25519-20060209.pdf
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
*62c56f98SSadaf Ebrahimi *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
*62c56f98SSadaf Ebrahimi *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
*62c56f98SSadaf Ebrahimi *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
*62c56f98SSadaf Ebrahimi *     render ECC resistant against Side Channel Attacks. IACR Cryptology
*62c56f98SSadaf Ebrahimi *     ePrint Archive, 2004, vol. 2004, p. 342.
*62c56f98SSadaf Ebrahimi *     <http://eprint.iacr.org/2004/342.pdf>
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#include "common.h"
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Function level alternative implementation.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * The MBEDTLS_ECP_INTERNAL_ALT macro enables alternative implementations to
*62c56f98SSadaf Ebrahimi * replace certain functions in this module. The alternative implementations are
*62c56f98SSadaf Ebrahimi * typically hardware accelerators and need to activate the hardware before the
*62c56f98SSadaf Ebrahimi * computation starts and deactivate it after it finishes. The
*62c56f98SSadaf Ebrahimi * mbedtls_internal_ecp_init() and mbedtls_internal_ecp_free() functions serve
*62c56f98SSadaf Ebrahimi * this purpose.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * To preserve the correct functionality the following conditions must hold:
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * - The alternative implementation must be activated by
*62c56f98SSadaf Ebrahimi *   mbedtls_internal_ecp_init() before any of the replaceable functions is
*62c56f98SSadaf Ebrahimi *   called.
*62c56f98SSadaf Ebrahimi * - mbedtls_internal_ecp_free() must \b only be called when the alternative
*62c56f98SSadaf Ebrahimi *   implementation is activated.
*62c56f98SSadaf Ebrahimi * - mbedtls_internal_ecp_init() must \b not be called when the alternative
*62c56f98SSadaf Ebrahimi *   implementation is activated.
*62c56f98SSadaf Ebrahimi * - Public functions must not return while the alternative implementation is
*62c56f98SSadaf Ebrahimi *   activated.
*62c56f98SSadaf Ebrahimi * - Replaceable functions are guarded by \c MBEDTLS_ECP_XXX_ALT macros and
*62c56f98SSadaf Ebrahimi *   before calling them an \code if( mbedtls_internal_ecp_grp_capable( grp ) )
*62c56f98SSadaf Ebrahimi *   \endcode ensures that the alternative implementation supports the current
*62c56f98SSadaf Ebrahimi *   group.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_INTERNAL_ALT)
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_LIGHT)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#include "mbedtls/ecp.h"
*62c56f98SSadaf Ebrahimi#include "mbedtls/threading.h"
*62c56f98SSadaf Ebrahimi#include "mbedtls/platform_util.h"
*62c56f98SSadaf Ebrahimi#include "mbedtls/error.h"
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#include "bn_mul.h"
*62c56f98SSadaf Ebrahimi#include "ecp_invasive.h"
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#include <string.h>
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_ECP_ALT)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#include "mbedtls/platform.h"
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#include "ecp_internal_alt.h"
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SELF_TEST)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Counts of point addition and doubling, and field multiplications.
*62c56f98SSadaf Ebrahimi * Used to test resistance of point multiplication to simple timing attacks.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_C)
*62c56f98SSadaf Ebrahimistatic unsigned long add_count, dbl_count;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_C */
*62c56f98SSadaf Ebrahimistatic unsigned long mul_count;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Maximum number of "basic operations" to be done in a row.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Default value 0 means that ECC operations will not yield.
*62c56f98SSadaf Ebrahimi * Note that regardless of the value of ecp_max_ops, always at
*62c56f98SSadaf Ebrahimi * least one step is performed before yielding.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Setting ecp_max_ops=1 can be suitable for testing purposes
*62c56f98SSadaf Ebrahimi * as it will interrupt computation at all possible points.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic unsigned ecp_max_ops = 0;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Set ecp_max_ops
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ecp_set_max_ops(unsigned max_ops)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    ecp_max_ops = max_ops;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check if restart is enabled
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_restart_is_enabled(void)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return ecp_max_ops != 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Restart sub-context for ecp_mul_comb()
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistruct mbedtls_ecp_restart_mul {
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point R;    /* current intermediate result                  */
*62c56f98SSadaf Ebrahimi    size_t i;               /* current index in various loops, 0 outside    */
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point *T;   /* table for precomputed points                 */
*62c56f98SSadaf Ebrahimi    unsigned char T_size;   /* number of points in table T                  */
*62c56f98SSadaf Ebrahimi    enum {                  /* what were we doing last time we returned?    */
*62c56f98SSadaf Ebrahimi        ecp_rsm_init = 0,       /* nothing so far, dummy initial state      */
*62c56f98SSadaf Ebrahimi        ecp_rsm_pre_dbl,        /* precompute 2^n multiples                 */
*62c56f98SSadaf Ebrahimi        ecp_rsm_pre_norm_dbl,   /* normalize precomputed 2^n multiples      */
*62c56f98SSadaf Ebrahimi        ecp_rsm_pre_add,        /* precompute remaining points by adding    */
*62c56f98SSadaf Ebrahimi        ecp_rsm_pre_norm_add,   /* normalize all precomputed points         */
*62c56f98SSadaf Ebrahimi        ecp_rsm_comb_core,      /* ecp_mul_comb_core()                      */
*62c56f98SSadaf Ebrahimi        ecp_rsm_final_norm,     /* do the final normalization               */
*62c56f98SSadaf Ebrahimi    } state;
*62c56f98SSadaf Ebrahimi};
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Init restart_mul sub-context
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic void ecp_restart_rsm_init(mbedtls_ecp_restart_mul_ctx *ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_init(&ctx->R);
*62c56f98SSadaf Ebrahimi    ctx->i = 0;
*62c56f98SSadaf Ebrahimi    ctx->T = NULL;
*62c56f98SSadaf Ebrahimi    ctx->T_size = 0;
*62c56f98SSadaf Ebrahimi    ctx->state = ecp_rsm_init;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Free the components of a restart_mul sub-context
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic void ecp_restart_rsm_free(mbedtls_ecp_restart_mul_ctx *ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    unsigned char i;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (ctx == NULL) {
*62c56f98SSadaf Ebrahimi        return;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_free(&ctx->R);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (ctx->T != NULL) {
*62c56f98SSadaf Ebrahimi        for (i = 0; i < ctx->T_size; i++) {
*62c56f98SSadaf Ebrahimi            mbedtls_ecp_point_free(ctx->T + i);
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi        mbedtls_free(ctx->T);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ecp_restart_rsm_init(ctx);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Restart context for ecp_muladd()
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistruct mbedtls_ecp_restart_muladd {
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point mP;       /* mP value                             */
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point R;        /* R intermediate result                */
*62c56f98SSadaf Ebrahimi    enum {                      /* what should we do next?              */
*62c56f98SSadaf Ebrahimi        ecp_rsma_mul1 = 0,      /* first multiplication                 */
*62c56f98SSadaf Ebrahimi        ecp_rsma_mul2,          /* second multiplication                */
*62c56f98SSadaf Ebrahimi        ecp_rsma_add,           /* addition                             */
*62c56f98SSadaf Ebrahimi        ecp_rsma_norm,          /* normalization                        */
*62c56f98SSadaf Ebrahimi    } state;
*62c56f98SSadaf Ebrahimi};
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Init restart_muladd sub-context
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic void ecp_restart_ma_init(mbedtls_ecp_restart_muladd_ctx *ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_init(&ctx->mP);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_init(&ctx->R);
*62c56f98SSadaf Ebrahimi    ctx->state = ecp_rsma_mul1;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Free the components of a restart_muladd sub-context
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic void ecp_restart_ma_free(mbedtls_ecp_restart_muladd_ctx *ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (ctx == NULL) {
*62c56f98SSadaf Ebrahimi        return;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_free(&ctx->mP);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_free(&ctx->R);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ecp_restart_ma_init(ctx);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Initialize a restart context
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx *ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    ctx->ops_done = 0;
*62c56f98SSadaf Ebrahimi    ctx->depth = 0;
*62c56f98SSadaf Ebrahimi    ctx->rsm = NULL;
*62c56f98SSadaf Ebrahimi    ctx->ma = NULL;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Free the components of a restart context
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx *ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (ctx == NULL) {
*62c56f98SSadaf Ebrahimi        return;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ecp_restart_rsm_free(ctx->rsm);
*62c56f98SSadaf Ebrahimi    mbedtls_free(ctx->rsm);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ecp_restart_ma_free(ctx->ma);
*62c56f98SSadaf Ebrahimi    mbedtls_free(ctx->ma);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_restart_init(ctx);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check if we can do the next step
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_check_budget(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                             mbedtls_ecp_restart_ctx *rs_ctx,
*62c56f98SSadaf Ebrahimi                             unsigned ops)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && ecp_max_ops != 0) {
*62c56f98SSadaf Ebrahimi        /* scale depending on curve size: the chosen reference is 256-bit,
*62c56f98SSadaf Ebrahimi         * and multiplication is quadratic. Round to the closest integer. */
*62c56f98SSadaf Ebrahimi        if (grp->pbits >= 512) {
*62c56f98SSadaf Ebrahimi            ops *= 4;
*62c56f98SSadaf Ebrahimi        } else if (grp->pbits >= 384) {
*62c56f98SSadaf Ebrahimi            ops *= 2;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /* Avoid infinite loops: always allow first step.
*62c56f98SSadaf Ebrahimi         * Because of that, however, it's not generally true
*62c56f98SSadaf Ebrahimi         * that ops_done <= ecp_max_ops, so the check
*62c56f98SSadaf Ebrahimi         * ops_done > ecp_max_ops below is mandatory. */
*62c56f98SSadaf Ebrahimi        if ((rs_ctx->ops_done != 0) &&
*62c56f98SSadaf Ebrahimi            (rs_ctx->ops_done > ecp_max_ops ||
*62c56f98SSadaf Ebrahimi             ops > ecp_max_ops - rs_ctx->ops_done)) {
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_ECP_IN_PROGRESS;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /* update running count */
*62c56f98SSadaf Ebrahimi        rs_ctx->ops_done += ops;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Call this when entering a function that needs its own sub-context */
*62c56f98SSadaf Ebrahimi#define ECP_RS_ENTER(SUB)   do {                                      \
*62c56f98SSadaf Ebrahimi        /* reset ops count for this call if top-level */                    \
*62c56f98SSadaf Ebrahimi        if (rs_ctx != NULL && rs_ctx->depth++ == 0)                        \
*62c56f98SSadaf Ebrahimi        rs_ctx->ops_done = 0;                                           \
*62c56f98SSadaf Ebrahimi                                                                        \
*62c56f98SSadaf Ebrahimi        /* set up our own sub-context if needed */                          \
*62c56f98SSadaf Ebrahimi        if (mbedtls_ecp_restart_is_enabled() &&                             \
*62c56f98SSadaf Ebrahimi            rs_ctx != NULL && rs_ctx->SUB == NULL)                         \
*62c56f98SSadaf Ebrahimi        {                                                                   \
*62c56f98SSadaf Ebrahimi            rs_ctx->SUB = mbedtls_calloc(1, sizeof(*rs_ctx->SUB));      \
*62c56f98SSadaf Ebrahimi            if (rs_ctx->SUB == NULL)                                       \
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_ECP_ALLOC_FAILED;                     \
*62c56f98SSadaf Ebrahimi                                                                      \
*62c56f98SSadaf Ebrahimi            ecp_restart_## SUB ##_init(rs_ctx->SUB);                      \
*62c56f98SSadaf Ebrahimi        }                                                                   \
*62c56f98SSadaf Ebrahimi} while (0)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Call this when leaving a function that needs its own sub-context */
*62c56f98SSadaf Ebrahimi#define ECP_RS_LEAVE(SUB)   do {                                      \
*62c56f98SSadaf Ebrahimi        /* clear our sub-context when not in progress (done or error) */    \
*62c56f98SSadaf Ebrahimi        if (rs_ctx != NULL && rs_ctx->SUB != NULL &&                        \
*62c56f98SSadaf Ebrahimi            ret != MBEDTLS_ERR_ECP_IN_PROGRESS)                            \
*62c56f98SSadaf Ebrahimi        {                                                                   \
*62c56f98SSadaf Ebrahimi            ecp_restart_## SUB ##_free(rs_ctx->SUB);                      \
*62c56f98SSadaf Ebrahimi            mbedtls_free(rs_ctx->SUB);                                    \
*62c56f98SSadaf Ebrahimi            rs_ctx->SUB = NULL;                                             \
*62c56f98SSadaf Ebrahimi        }                                                                   \
*62c56f98SSadaf Ebrahimi                                                                        \
*62c56f98SSadaf Ebrahimi        if (rs_ctx != NULL)                                                \
*62c56f98SSadaf Ebrahimi        rs_ctx->depth--;                                                \
*62c56f98SSadaf Ebrahimi} while (0)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#else /* MBEDTLS_ECP_RESTARTABLE */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define ECP_RS_ENTER(sub)     (void) rs_ctx;
*62c56f98SSadaf Ebrahimi#define ECP_RS_LEAVE(sub)     (void) rs_ctx;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_RESTARTABLE */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_C)
*62c56f98SSadaf Ebrahimistatic void mpi_init_many(mbedtls_mpi *arr, size_t size)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    while (size--) {
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_init(arr++);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic void mpi_free_many(mbedtls_mpi *arr, size_t size)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    while (size--) {
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_free(arr++);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_C */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * List of supported curves:
*62c56f98SSadaf Ebrahimi *  - internal ID
*62c56f98SSadaf Ebrahimi *  - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2, RFC 8446 sec. 4.2.7)
*62c56f98SSadaf Ebrahimi *  - size in bits
*62c56f98SSadaf Ebrahimi *  - readable name
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Curves are listed in order: largest curves first, and for a given size,
*62c56f98SSadaf Ebrahimi * fastest curves first.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Reminder: update profiles in x509_crt.c and ssl_tls.c when adding a new curve!
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic const mbedtls_ecp_curve_info ecp_supported_curves[] =
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_SECP521R1,    25,     521,    "secp521r1"         },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_BP512R1,      28,     512,    "brainpoolP512r1"   },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_SECP384R1,    24,     384,    "secp384r1"         },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_BP384R1,      27,     384,    "brainpoolP384r1"   },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_SECP256R1,    23,     256,    "secp256r1"         },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_SECP256K1,    22,     256,    "secp256k1"         },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_BP256R1,      26,     256,    "brainpoolP256r1"   },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_SECP224R1,    21,     224,    "secp224r1"         },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_SECP224K1,    20,     224,    "secp224k1"         },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_SECP192R1,    19,     192,    "secp192r1"         },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_SECP192K1,    18,     192,    "secp192k1"         },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_CURVE25519,   29,     256,    "x25519"            },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_CURVE448,     30,     448,    "x448"              },
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    { MBEDTLS_ECP_DP_NONE,          0,     0,      NULL                },
*62c56f98SSadaf Ebrahimi};
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define ECP_NB_CURVES   sizeof(ecp_supported_curves) /    \
*62c56f98SSadaf Ebrahimi    sizeof(ecp_supported_curves[0])
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic mbedtls_ecp_group_id ecp_supported_grp_id[ECP_NB_CURVES];
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * List of supported curves and associated info
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiconst mbedtls_ecp_curve_info *mbedtls_ecp_curve_list(void)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return ecp_supported_curves;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * List of supported curves, group ID only
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiconst mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list(void)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    static int init_done = 0;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (!init_done) {
*62c56f98SSadaf Ebrahimi        size_t i = 0;
*62c56f98SSadaf Ebrahimi        const mbedtls_ecp_curve_info *curve_info;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        for (curve_info = mbedtls_ecp_curve_list();
*62c56f98SSadaf Ebrahimi             curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
*62c56f98SSadaf Ebrahimi             curve_info++) {
*62c56f98SSadaf Ebrahimi            ecp_supported_grp_id[i++] = curve_info->grp_id;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi        ecp_supported_grp_id[i] = MBEDTLS_ECP_DP_NONE;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        init_done = 1;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ecp_supported_grp_id;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Get the curve info for the internal identifier
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiconst mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id(mbedtls_ecp_group_id grp_id)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    const mbedtls_ecp_curve_info *curve_info;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    for (curve_info = mbedtls_ecp_curve_list();
*62c56f98SSadaf Ebrahimi         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
*62c56f98SSadaf Ebrahimi         curve_info++) {
*62c56f98SSadaf Ebrahimi        if (curve_info->grp_id == grp_id) {
*62c56f98SSadaf Ebrahimi            return curve_info;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return NULL;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Get the curve info from the TLS identifier
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiconst mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id(uint16_t tls_id)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    const mbedtls_ecp_curve_info *curve_info;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    for (curve_info = mbedtls_ecp_curve_list();
*62c56f98SSadaf Ebrahimi         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
*62c56f98SSadaf Ebrahimi         curve_info++) {
*62c56f98SSadaf Ebrahimi        if (curve_info->tls_id == tls_id) {
*62c56f98SSadaf Ebrahimi            return curve_info;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return NULL;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Get the curve info from the name
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiconst mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name(const char *name)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    const mbedtls_ecp_curve_info *curve_info;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (name == NULL) {
*62c56f98SSadaf Ebrahimi        return NULL;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    for (curve_info = mbedtls_ecp_curve_list();
*62c56f98SSadaf Ebrahimi         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
*62c56f98SSadaf Ebrahimi         curve_info++) {
*62c56f98SSadaf Ebrahimi        if (strcmp(curve_info->name, name) == 0) {
*62c56f98SSadaf Ebrahimi            return curve_info;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return NULL;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Get the type of a curve
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimimbedtls_ecp_curve_type mbedtls_ecp_get_type(const mbedtls_ecp_group *grp)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (grp->G.X.p == NULL) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ECP_TYPE_NONE;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (grp->G.Y.p == NULL) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ECP_TYPE_MONTGOMERY;
*62c56f98SSadaf Ebrahimi    } else {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Initialize (the components of) a point
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ecp_point_init(mbedtls_ecp_point *pt)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&pt->X);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&pt->Y);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&pt->Z);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Initialize (the components of) a group
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ecp_group_init(mbedtls_ecp_group *grp)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    grp->id = MBEDTLS_ECP_DP_NONE;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&grp->P);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&grp->A);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&grp->B);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_init(&grp->G);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&grp->N);
*62c56f98SSadaf Ebrahimi    grp->pbits = 0;
*62c56f98SSadaf Ebrahimi    grp->nbits = 0;
*62c56f98SSadaf Ebrahimi    grp->h = 0;
*62c56f98SSadaf Ebrahimi    grp->modp = NULL;
*62c56f98SSadaf Ebrahimi    grp->t_pre = NULL;
*62c56f98SSadaf Ebrahimi    grp->t_post = NULL;
*62c56f98SSadaf Ebrahimi    grp->t_data = NULL;
*62c56f98SSadaf Ebrahimi    grp->T = NULL;
*62c56f98SSadaf Ebrahimi    grp->T_size = 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Initialize (the components of) a key pair
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ecp_keypair_init(mbedtls_ecp_keypair *key)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group_init(&key->grp);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&key->d);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_init(&key->Q);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Unallocate (the components of) a point
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ecp_point_free(mbedtls_ecp_point *pt)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (pt == NULL) {
*62c56f98SSadaf Ebrahimi        return;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&(pt->X));
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&(pt->Y));
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&(pt->Z));
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check that the comb table (grp->T) is static initialized.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_group_is_static_comb_table(const mbedtls_ecp_group *grp)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
*62c56f98SSadaf Ebrahimi    return grp->T != NULL && grp->T_size == 0;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    (void) grp;
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Unallocate (the components of) a group
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ecp_group_free(mbedtls_ecp_group *grp)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    size_t i;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (grp == NULL) {
*62c56f98SSadaf Ebrahimi        return;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (grp->h != 1) {
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_free(&grp->A);
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_free(&grp->B);
*62c56f98SSadaf Ebrahimi        mbedtls_ecp_point_free(&grp->G);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_ECP_WITH_MPI_UINT)
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_free(&grp->N);
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_free(&grp->P);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (!ecp_group_is_static_comb_table(grp) && grp->T != NULL) {
*62c56f98SSadaf Ebrahimi        for (i = 0; i < grp->T_size; i++) {
*62c56f98SSadaf Ebrahimi            mbedtls_ecp_point_free(&grp->T[i]);
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi        mbedtls_free(grp->T);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_platform_zeroize(grp, sizeof(mbedtls_ecp_group));
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Unallocate (the components of) a key pair
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ecp_keypair_free(mbedtls_ecp_keypair *key)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (key == NULL) {
*62c56f98SSadaf Ebrahimi        return;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group_free(&key->grp);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&key->d);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_free(&key->Q);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Copy the contents of a point
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->X, &Q->X));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Y, &Q->Y));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Z, &Q->Z));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Copy the contents of a group object
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_group_copy(mbedtls_ecp_group *dst, const mbedtls_ecp_group *src)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ecp_group_load(dst, src->id);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Set point to zero
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_set_zero(mbedtls_ecp_point *pt)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->X, 1));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Y, 1));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 0));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Tell if a point is zero
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_is_zero(mbedtls_ecp_point *pt)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_mpi_cmp_int(&pt->Z, 0) == 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Compare two points lazily
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                          const mbedtls_ecp_point *Q)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_cmp_mpi(&P->X, &Q->X) == 0 &&
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_cmp_mpi(&P->Y, &Q->Y) == 0 &&
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_cmp_mpi(&P->Z, &Q->Z) == 0) {
*62c56f98SSadaf Ebrahimi        return 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Import a non-zero point from ASCII strings
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_point_read_string(mbedtls_ecp_point *P, int radix,
*62c56f98SSadaf Ebrahimi                                  const char *x, const char *y)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->X, radix, x));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->Y, radix, y));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&P->Z, 1));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Export a point into unsigned binary data (SEC1 2.3.3 and RFC7748)
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                   const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                                   int format, size_t *olen,
*62c56f98SSadaf Ebrahimi                                   unsigned char *buf, size_t buflen)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi    size_t plen;
*62c56f98SSadaf Ebrahimi    if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
*62c56f98SSadaf Ebrahimi        format != MBEDTLS_ECP_PF_COMPRESSED) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    plen = mbedtls_mpi_size(&grp->P);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi    (void) format; /* Montgomery curves always use the same point format */
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
*62c56f98SSadaf Ebrahimi        *olen = plen;
*62c56f98SSadaf Ebrahimi        if (buflen < *olen) {
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&P->X, buf, plen));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
*62c56f98SSadaf Ebrahimi        /*
*62c56f98SSadaf Ebrahimi         * Common case: P == 0
*62c56f98SSadaf Ebrahimi         */
*62c56f98SSadaf Ebrahimi        if (mbedtls_mpi_cmp_int(&P->Z, 0) == 0) {
*62c56f98SSadaf Ebrahimi            if (buflen < 1) {
*62c56f98SSadaf Ebrahimi                return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
*62c56f98SSadaf Ebrahimi            }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            buf[0] = 0x00;
*62c56f98SSadaf Ebrahimi            *olen = 1;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            return 0;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        if (format == MBEDTLS_ECP_PF_UNCOMPRESSED) {
*62c56f98SSadaf Ebrahimi            *olen = 2 * plen + 1;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            if (buflen < *olen) {
*62c56f98SSadaf Ebrahimi                return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
*62c56f98SSadaf Ebrahimi            }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            buf[0] = 0x04;
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->Y, buf + 1 + plen, plen));
*62c56f98SSadaf Ebrahimi        } else if (format == MBEDTLS_ECP_PF_COMPRESSED) {
*62c56f98SSadaf Ebrahimi            *olen = plen + 1;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            if (buflen < *olen) {
*62c56f98SSadaf Ebrahimi                return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
*62c56f98SSadaf Ebrahimi            }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            buf[0] = 0x02 + mbedtls_mpi_get_bit(&P->Y, 0);
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimistatic int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                   const mbedtls_mpi *X,
*62c56f98SSadaf Ebrahimi                                   mbedtls_mpi *Y,
*62c56f98SSadaf Ebrahimi                                   int parity_bit);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Import a point from unsigned binary data (SEC1 2.3.4 and RFC7748)
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                  mbedtls_ecp_point *pt,
*62c56f98SSadaf Ebrahimi                                  const unsigned char *buf, size_t ilen)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi    size_t plen;
*62c56f98SSadaf Ebrahimi    if (ilen < 1) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    plen = mbedtls_mpi_size(&grp->P);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
*62c56f98SSadaf Ebrahimi        if (plen != ilen) {
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&pt->X, buf, plen));
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_free(&pt->Y);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        if (grp->id == MBEDTLS_ECP_DP_CURVE25519) {
*62c56f98SSadaf Ebrahimi            /* Set most significant bit to 0 as prescribed in RFC7748 §5 */
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&pt->X, plen * 8 - 1, 0));
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
*62c56f98SSadaf Ebrahimi        if (buf[0] == 0x00) {
*62c56f98SSadaf Ebrahimi            if (ilen == 1) {
*62c56f98SSadaf Ebrahimi                return mbedtls_ecp_set_zero(pt);
*62c56f98SSadaf Ebrahimi            } else {
*62c56f98SSadaf Ebrahimi                return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi            }
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        if (ilen < 1 + plen) {
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&pt->X, buf + 1, plen));
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        if (buf[0] == 0x04) {
*62c56f98SSadaf Ebrahimi            /* format == MBEDTLS_ECP_PF_UNCOMPRESSED */
*62c56f98SSadaf Ebrahimi            if (ilen != 1 + plen * 2) {
*62c56f98SSadaf Ebrahimi                return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi            }
*62c56f98SSadaf Ebrahimi            return mbedtls_mpi_read_binary(&pt->Y, buf + 1 + plen, plen);
*62c56f98SSadaf Ebrahimi        } else if (buf[0] == 0x02 || buf[0] == 0x03) {
*62c56f98SSadaf Ebrahimi            /* format == MBEDTLS_ECP_PF_COMPRESSED */
*62c56f98SSadaf Ebrahimi            if (ilen != 1 + plen) {
*62c56f98SSadaf Ebrahimi                return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi            }
*62c56f98SSadaf Ebrahimi            return mbedtls_ecp_sw_derive_y(grp, &pt->X, &pt->Y,
*62c56f98SSadaf Ebrahimi                                           (buf[0] & 1));
*62c56f98SSadaf Ebrahimi        } else {
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Import a point from a TLS ECPoint record (RFC 4492)
*62c56f98SSadaf Ebrahimi *      struct {
*62c56f98SSadaf Ebrahimi *          opaque point <1..2^8-1>;
*62c56f98SSadaf Ebrahimi *      } ECPoint;
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                               mbedtls_ecp_point *pt,
*62c56f98SSadaf Ebrahimi                               const unsigned char **buf, size_t buf_len)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    unsigned char data_len;
*62c56f98SSadaf Ebrahimi    const unsigned char *buf_start;
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * We must have at least two bytes (1 for length, at least one for data)
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    if (buf_len < 2) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    data_len = *(*buf)++;
*62c56f98SSadaf Ebrahimi    if (data_len < 1 || data_len > buf_len - 1) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Save buffer start for read_binary and update buf
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    buf_start = *buf;
*62c56f98SSadaf Ebrahimi    *buf += data_len;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return mbedtls_ecp_point_read_binary(grp, pt, buf_start, data_len);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Export a point as a TLS ECPoint record (RFC 4492)
*62c56f98SSadaf Ebrahimi *      struct {
*62c56f98SSadaf Ebrahimi *          opaque point <1..2^8-1>;
*62c56f98SSadaf Ebrahimi *      } ECPoint;
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
*62c56f98SSadaf Ebrahimi                                int format, size_t *olen,
*62c56f98SSadaf Ebrahimi                                unsigned char *buf, size_t blen)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
*62c56f98SSadaf Ebrahimi        format != MBEDTLS_ECP_PF_COMPRESSED) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * buffer length must be at least one, for our length byte
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    if (blen < 1) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if ((ret = mbedtls_ecp_point_write_binary(grp, pt, format,
*62c56f98SSadaf Ebrahimi                                              olen, buf + 1, blen - 1)) != 0) {
*62c56f98SSadaf Ebrahimi        return ret;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * write length to the first byte and update total length
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    buf[0] = (unsigned char) *olen;
*62c56f98SSadaf Ebrahimi    ++*olen;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Set a group from an ECParameters record (RFC 4492)
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                               const unsigned char **buf, size_t len)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group_id grp_id;
*62c56f98SSadaf Ebrahimi    if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, len)) != 0) {
*62c56f98SSadaf Ebrahimi        return ret;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return mbedtls_ecp_group_load(grp, grp_id);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Read a group id from an ECParameters record (RFC 4492) and convert it to
*62c56f98SSadaf Ebrahimi * mbedtls_ecp_group_id.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
*62c56f98SSadaf Ebrahimi                                  const unsigned char **buf, size_t len)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    uint16_t tls_id;
*62c56f98SSadaf Ebrahimi    const mbedtls_ecp_curve_info *curve_info;
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * We expect at least three bytes (see below)
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    if (len < 3) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * First byte is curve_type; only named_curve is handled
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    if (*(*buf)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Next two bytes are the namedcurve value
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    tls_id = MBEDTLS_GET_UINT16_BE(*buf, 0);
*62c56f98SSadaf Ebrahimi    *buf += 2;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if ((curve_info = mbedtls_ecp_curve_info_from_tls_id(tls_id)) == NULL) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    *grp = curve_info->grp_id;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Write the ECParameters record corresponding to a group (RFC 4492)
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp, size_t *olen,
*62c56f98SSadaf Ebrahimi                                unsigned char *buf, size_t blen)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    const mbedtls_ecp_curve_info *curve_info;
*62c56f98SSadaf Ebrahimi    if ((curve_info = mbedtls_ecp_curve_info_from_grp_id(grp->id)) == NULL) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * We are going to write 3 bytes (see below)
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    *olen = 3;
*62c56f98SSadaf Ebrahimi    if (blen < *olen) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * First byte is curve_type, always named_curve
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    *buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Next two bytes are the namedcurve value
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    MBEDTLS_PUT_UINT16_BE(curve_info->tls_id, buf, 0);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Wrapper around fast quasi-modp functions, with fall-back to mbedtls_mpi_mod_mpi.
*62c56f98SSadaf Ebrahimi * See the documentation of struct mbedtls_ecp_group.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * This function is in the critial loop for mbedtls_ecp_mul, so pay attention to perf.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_modp(mbedtls_mpi *N, const mbedtls_ecp_group *grp)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (grp->modp == NULL) {
*62c56f98SSadaf Ebrahimi        return mbedtls_mpi_mod_mpi(N, N, &grp->P);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* N->s < 0 is a much faster test, which fails only if N is 0 */
*62c56f98SSadaf Ebrahimi    if ((N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) ||
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_bitlen(N) > 2 * grp->pbits) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(grp->modp(N));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* N->s < 0 is a much faster test, which fails only if N is 0 */
*62c56f98SSadaf Ebrahimi    while (N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &grp->P));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    while (mbedtls_mpi_cmp_mpi(N, &grp->P) >= 0) {
*62c56f98SSadaf Ebrahimi        /* we known P, N and the result are positive */
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(N, N, &grp->P));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Fast mod-p functions expect their argument to be in the 0..p^2 range.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * In order to guarantee that, we need to ensure that operands of
*62c56f98SSadaf Ebrahimi * mbedtls_mpi_mul_mpi are in the 0..p range. So, after each operation we will
*62c56f98SSadaf Ebrahimi * bring the result back to this range.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * The following macros are shortcuts for doing that.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Reduce a mbedtls_mpi mod p in-place, general case, to use after mbedtls_mpi_mul_mpi
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SELF_TEST)
*62c56f98SSadaf Ebrahimi#define INC_MUL_COUNT   mul_count++;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi#define INC_MUL_COUNT
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MOD_MUL(N)                                                    \
*62c56f98SSadaf Ebrahimi    do                                                                  \
*62c56f98SSadaf Ebrahimi    {                                                                   \
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_modp(&(N), grp));                       \
*62c56f98SSadaf Ebrahimi        INC_MUL_COUNT                                                   \
*62c56f98SSadaf Ebrahimi    } while (0)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_mpi_mul_mod(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                      mbedtls_mpi *X,
*62c56f98SSadaf Ebrahimi                                      const mbedtls_mpi *A,
*62c56f98SSadaf Ebrahimi                                      const mbedtls_mpi *B)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(X, A, B));
*62c56f98SSadaf Ebrahimi    MOD_MUL(*X);
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
*62c56f98SSadaf Ebrahimi * N->s < 0 is a very fast test, which fails only if N is 0
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#define MOD_SUB(N)                                                          \
*62c56f98SSadaf Ebrahimi    do {                                                                      \
*62c56f98SSadaf Ebrahimi        while ((N)->s < 0 && mbedtls_mpi_cmp_int((N), 0) != 0)             \
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi((N), (N), &grp->P));      \
*62c56f98SSadaf Ebrahimi    } while (0)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if (defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
*62c56f98SSadaf Ebrahimi    !(defined(MBEDTLS_ECP_NO_FALLBACK) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_ECP_ADD_MIXED_ALT))) || \
*62c56f98SSadaf Ebrahimi    (defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) && \
*62c56f98SSadaf Ebrahimi    !(defined(MBEDTLS_ECP_NO_FALLBACK) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)))
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_mpi_sub_mod(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                      mbedtls_mpi *X,
*62c56f98SSadaf Ebrahimi                                      const mbedtls_mpi *A,
*62c56f98SSadaf Ebrahimi                                      const mbedtls_mpi *B)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(X, A, B));
*62c56f98SSadaf Ebrahimi    MOD_SUB(X);
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* All functions referencing mbedtls_mpi_sub_mod() are alt-implemented without fallback */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
*62c56f98SSadaf Ebrahimi * We known P, N and the result are positive, so sub_abs is correct, and
*62c56f98SSadaf Ebrahimi * a bit faster.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#define MOD_ADD(N)                                                   \
*62c56f98SSadaf Ebrahimi    while (mbedtls_mpi_cmp_mpi((N), &grp->P) >= 0)                  \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs((N), (N), &grp->P))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_mpi_add_mod(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                      mbedtls_mpi *X,
*62c56f98SSadaf Ebrahimi                                      const mbedtls_mpi *A,
*62c56f98SSadaf Ebrahimi                                      const mbedtls_mpi *B)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, A, B));
*62c56f98SSadaf Ebrahimi    MOD_ADD(X);
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_mpi_mul_int_mod(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                          mbedtls_mpi *X,
*62c56f98SSadaf Ebrahimi                                          const mbedtls_mpi *A,
*62c56f98SSadaf Ebrahimi                                          mbedtls_mpi_uint c)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(X, A, c));
*62c56f98SSadaf Ebrahimi    MOD_ADD(X);
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_mpi_sub_int_mod(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                          mbedtls_mpi *X,
*62c56f98SSadaf Ebrahimi                                          const mbedtls_mpi *A,
*62c56f98SSadaf Ebrahimi                                          mbedtls_mpi_uint c)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(X, A, c));
*62c56f98SSadaf Ebrahimi    MOD_SUB(X);
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_SUB_INT(X, A, c)             \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int_mod(grp, X, A, c))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
*62c56f98SSadaf Ebrahimi    !(defined(MBEDTLS_ECP_NO_FALLBACK) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_ECP_ADD_MIXED_ALT))
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_mpi_shift_l_mod(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                          mbedtls_mpi *X,
*62c56f98SSadaf Ebrahimi                                          size_t count)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, count));
*62c56f98SSadaf Ebrahimi    MOD_ADD(X);
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif \
*62c56f98SSadaf Ebrahimi    /* All functions referencing mbedtls_mpi_shift_l_mod() are alt-implemented without fallback */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Macro wrappers around ECP modular arithmetic
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Currently, these wrappers are defined via the bignum module.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_ADD(X, A, B)                                                  \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, X, A, B))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_SUB(X, A, B)                                                  \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, X, A, B))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_MUL(X, A, B)                                                  \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, B))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_SQR(X, A)                                                     \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, A))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_MUL_INT(X, A, c)                                              \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int_mod(grp, X, A, c))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_INV(dst, src)                                                 \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod((dst), (src), &grp->P))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_MOV(X, A)                                                     \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_SHIFT_L(X, count)                                             \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l_mod(grp, X, count))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_LSET(X, c)                                                    \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, c))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_CMP_INT(X, c)                                                 \
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_cmp_int(X, c)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_CMP(X, Y)                                                     \
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_cmp_mpi(X, Y)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Needs f_rng, p_rng to be defined. */
*62c56f98SSadaf Ebrahimi#define MPI_ECP_RAND(X)                                                       \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_random((X), 2, &grp->P, f_rng, p_rng))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Conditional negation
*62c56f98SSadaf Ebrahimi * Needs grp and a temporary MPI tmp to be defined. */
*62c56f98SSadaf Ebrahimi#define MPI_ECP_COND_NEG(X, cond)                                        \
*62c56f98SSadaf Ebrahimi    do                                                                     \
*62c56f98SSadaf Ebrahimi    {                                                                      \
*62c56f98SSadaf Ebrahimi        unsigned char nonzero = mbedtls_mpi_cmp_int((X), 0) != 0;        \
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&tmp, &grp->P, (X)));      \
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), &tmp,          \
*62c56f98SSadaf Ebrahimi                                                     nonzero & cond)); \
*62c56f98SSadaf Ebrahimi    } while (0)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_NEG(X) MPI_ECP_COND_NEG((X), 1)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_VALID(X)                      \
*62c56f98SSadaf Ebrahimi    ((X)->p != NULL)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_COND_ASSIGN(X, Y, cond)       \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), (Y), (cond)))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MPI_ECP_COND_SWAP(X, Y, cond)       \
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_swap((X), (Y), (cond)))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Computes the right-hand side of the Short Weierstrass equation
*62c56f98SSadaf Ebrahimi * RHS = X^3 + A X + B
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_sw_rhs(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                      mbedtls_mpi *rhs,
*62c56f98SSadaf Ebrahimi                      const mbedtls_mpi *X)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Compute X^3 + A X + B as X (X^2 + A) + B */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(rhs, X);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Special case for A = -3 */
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_group_a_is_minus_3(grp)) {
*62c56f98SSadaf Ebrahimi        MPI_ECP_SUB_INT(rhs, rhs, 3);
*62c56f98SSadaf Ebrahimi    } else {
*62c56f98SSadaf Ebrahimi        MPI_ECP_ADD(rhs, rhs, &grp->A);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(rhs, rhs, X);
*62c56f98SSadaf Ebrahimi    MPI_ECP_ADD(rhs, rhs, &grp->B);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Derive Y from X and a parity bit
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                   const mbedtls_mpi *X,
*62c56f98SSadaf Ebrahimi                                   mbedtls_mpi *Y,
*62c56f98SSadaf Ebrahimi                                   int parity_bit)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    /* w = y^2 = x^3 + ax + b
*62c56f98SSadaf Ebrahimi     * y = sqrt(w) = w^((p+1)/4) mod p   (for prime p where p = 3 mod 4)
*62c56f98SSadaf Ebrahimi     *
*62c56f98SSadaf Ebrahimi     * Note: this method for extracting square root does not validate that w
*62c56f98SSadaf Ebrahimi     * was indeed a square so this function will return garbage in Y if X
*62c56f98SSadaf Ebrahimi     * does not correspond to a point on the curve.
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Check prerequisite p = 3 mod 4 */
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_get_bit(&grp->P, 0) != 1 ||
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_get_bit(&grp->P, 1) != 1) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    int ret;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi exp;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&exp);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* use Y to store intermediate result, actually w above */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, Y, X));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* w = y^2 */ /* Y contains y^2 intermediate result */
*62c56f98SSadaf Ebrahimi    /* exp = ((p+1)/4) */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&exp, &grp->P, 1));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&exp, 2));
*62c56f98SSadaf Ebrahimi    /* sqrt(w) = w^((p+1)/4) mod p   (for prime p where p = 3 mod 4) */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(Y, Y /*y^2*/, &exp, &grp->P, NULL));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* check parity bit match or else invert Y */
*62c56f98SSadaf Ebrahimi    /* This quick inversion implementation is valid because Y != 0 for all
*62c56f98SSadaf Ebrahimi     * Short Weierstrass curves supported by mbedtls, as each supported curve
*62c56f98SSadaf Ebrahimi     * has an order that is a large prime, so each supported curve does not
*62c56f98SSadaf Ebrahimi     * have any point of order 2, and a point with Y == 0 would be of order 2 */
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_get_bit(Y, 0) != parity_bit) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(Y, &grp->P, Y));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&exp);
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_C)
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * For curves in short Weierstrass form, we do all the internal operations in
*62c56f98SSadaf Ebrahimi * Jacobian coordinates.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * For multiplication, we'll use a comb method with countermeasures against
*62c56f98SSadaf Ebrahimi * SPA, hence timing attacks.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Normalize jacobian coordinates so that Z == 0 || Z == 1  (GECC 3.2.1)
*62c56f98SSadaf Ebrahimi * Cost: 1N := 1I + 3M + 1S
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_normalize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (MPI_ECP_CMP_INT(&pt->Z, 0) == 0) {
*62c56f98SSadaf Ebrahimi        return 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
*62c56f98SSadaf Ebrahimi    if (mbedtls_internal_ecp_grp_capable(grp)) {
*62c56f98SSadaf Ebrahimi        return mbedtls_internal_ecp_normalize_jac(grp, pt);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi T;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&T);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MPI_ECP_INV(&T,       &pt->Z);            /* T   <-          1 / Z   */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&pt->Y,   &pt->Y,     &T);    /* Y'  <- Y*T    = Y / Z   */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&T,       &T);                /* T   <- T^2    = 1 / Z^2 */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&pt->X,   &pt->X,     &T);    /* X   <- X  * T = X / Z^2 */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&pt->Y,   &pt->Y,     &T);    /* Y'' <- Y' * T = Y / Z^3 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MPI_ECP_LSET(&pt->Z, 1);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&T);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) */
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Normalize jacobian coordinates of an array of (pointers to) points,
*62c56f98SSadaf Ebrahimi * using Montgomery's trick to perform only one inversion mod P.
*62c56f98SSadaf Ebrahimi * (See for example Cohen's "A Course in Computational Algebraic Number
*62c56f98SSadaf Ebrahimi * Theory", Algorithm 10.3.4.)
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Warning: fails (returning an error) if one of the points is zero!
*62c56f98SSadaf Ebrahimi * This should never happen, see choice of w in ecp_mul_comb().
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Cost: 1N(t) := 1I + (6t - 3)M + 1S
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                  mbedtls_ecp_point *T[], size_t T_size)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (T_size < 2) {
*62c56f98SSadaf Ebrahimi        return ecp_normalize_jac(grp, *T);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
*62c56f98SSadaf Ebrahimi    if (mbedtls_internal_ecp_grp_capable(grp)) {
*62c56f98SSadaf Ebrahimi        return mbedtls_internal_ecp_normalize_jac_many(grp, T, T_size);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    size_t i;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi *c, t;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if ((c = mbedtls_calloc(T_size, sizeof(mbedtls_mpi))) == NULL) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_ALLOC_FAILED;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&t);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mpi_init_many(c, T_size);
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * c[i] = Z_0 * ... * Z_i,   i = 0,..,n := T_size-1
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MOV(&c[0], &T[0]->Z);
*62c56f98SSadaf Ebrahimi    for (i = 1; i < T_size; i++) {
*62c56f98SSadaf Ebrahimi        MPI_ECP_MUL(&c[i], &c[i-1], &T[i]->Z);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * c[n] = 1 / (Z_0 * ... * Z_n) mod P
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    MPI_ECP_INV(&c[T_size-1], &c[T_size-1]);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    for (i = T_size - 1;; i--) {
*62c56f98SSadaf Ebrahimi        /* At the start of iteration i (note that i decrements), we have
*62c56f98SSadaf Ebrahimi         * - c[j] = Z_0 * .... * Z_j        for j  < i,
*62c56f98SSadaf Ebrahimi         * - c[j] = 1 / (Z_0 * .... * Z_j)  for j == i,
*62c56f98SSadaf Ebrahimi         *
*62c56f98SSadaf Ebrahimi         * This is maintained via
*62c56f98SSadaf Ebrahimi         * - c[i-1] <- c[i] * Z_i
*62c56f98SSadaf Ebrahimi         *
*62c56f98SSadaf Ebrahimi         * We also derive 1/Z_i = c[i] * c[i-1] for i>0 and use that
*62c56f98SSadaf Ebrahimi         * to do the actual normalization. For i==0, we already have
*62c56f98SSadaf Ebrahimi         * c[0] = 1 / Z_0.
*62c56f98SSadaf Ebrahimi         */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        if (i > 0) {
*62c56f98SSadaf Ebrahimi            /* Compute 1/Z_i and establish invariant for the next iteration. */
*62c56f98SSadaf Ebrahimi            MPI_ECP_MUL(&t,      &c[i], &c[i-1]);
*62c56f98SSadaf Ebrahimi            MPI_ECP_MUL(&c[i-1], &c[i], &T[i]->Z);
*62c56f98SSadaf Ebrahimi        } else {
*62c56f98SSadaf Ebrahimi            MPI_ECP_MOV(&t, &c[0]);
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /* Now t holds 1 / Z_i; normalize as in ecp_normalize_jac() */
*62c56f98SSadaf Ebrahimi        MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
*62c56f98SSadaf Ebrahimi        MPI_ECP_SQR(&t,       &t);
*62c56f98SSadaf Ebrahimi        MPI_ECP_MUL(&T[i]->X, &T[i]->X, &t);
*62c56f98SSadaf Ebrahimi        MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /*
*62c56f98SSadaf Ebrahimi         * Post-precessing: reclaim some memory by shrinking coordinates
*62c56f98SSadaf Ebrahimi         * - not storing Z (always 1)
*62c56f98SSadaf Ebrahimi         * - shrinking other coordinates, but still keeping the same number of
*62c56f98SSadaf Ebrahimi         *   limbs as P, as otherwise it will too likely be regrown too fast.
*62c56f98SSadaf Ebrahimi         */
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->X, grp->P.n));
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->Y, grp->P.n));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        MPI_ECP_LSET(&T[i]->Z, 1);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        if (i == 0) {
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&t);
*62c56f98SSadaf Ebrahimi    mpi_free_many(c, T_size);
*62c56f98SSadaf Ebrahimi    mbedtls_free(c);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) */
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Conditional point inversion: Q -> -Q = (Q.X, -Q.Y, Q.Z) without leak.
*62c56f98SSadaf Ebrahimi * "inv" must be 0 (don't invert) or 1 (invert) or the result will be invalid
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_safe_invert_jac(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                               mbedtls_ecp_point *Q,
*62c56f98SSadaf Ebrahimi                               unsigned char inv)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi tmp;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&tmp);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MPI_ECP_COND_NEG(&Q->Y, inv);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&tmp);
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Point doubling R = 2 P, Jacobian coordinates
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Based on http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2 .
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * We follow the variable naming fairly closely. The formula variations that trade a MUL for a SQR
*62c56f98SSadaf Ebrahimi * (plus a few ADDs) aren't useful as our bignum implementation doesn't distinguish squaring.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Standard optimizations are applied when curve parameter A is one of { 0, -3 }.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Cost: 1D := 3M + 4S          (A ==  0)
*62c56f98SSadaf Ebrahimi *             4M + 4S          (A == -3)
*62c56f98SSadaf Ebrahimi *             3M + 6S + 1a     otherwise
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_double_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                          const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                          mbedtls_mpi tmp[4])
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SELF_TEST)
*62c56f98SSadaf Ebrahimi    dbl_count++;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
*62c56f98SSadaf Ebrahimi    if (mbedtls_internal_ecp_grp_capable(grp)) {
*62c56f98SSadaf Ebrahimi        return mbedtls_internal_ecp_double_jac(grp, R, P);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Special case for A = -3 */
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_group_a_is_minus_3(grp)) {
*62c56f98SSadaf Ebrahimi        /* tmp[0] <- M = 3(X + Z^2)(X - Z^2) */
*62c56f98SSadaf Ebrahimi        MPI_ECP_SQR(&tmp[1],  &P->Z);
*62c56f98SSadaf Ebrahimi        MPI_ECP_ADD(&tmp[2],  &P->X,  &tmp[1]);
*62c56f98SSadaf Ebrahimi        MPI_ECP_SUB(&tmp[3],  &P->X,  &tmp[1]);
*62c56f98SSadaf Ebrahimi        MPI_ECP_MUL(&tmp[1],  &tmp[2],     &tmp[3]);
*62c56f98SSadaf Ebrahimi        MPI_ECP_MUL_INT(&tmp[0],  &tmp[1],     3);
*62c56f98SSadaf Ebrahimi    } else {
*62c56f98SSadaf Ebrahimi        /* tmp[0] <- M = 3.X^2 + A.Z^4 */
*62c56f98SSadaf Ebrahimi        MPI_ECP_SQR(&tmp[1],  &P->X);
*62c56f98SSadaf Ebrahimi        MPI_ECP_MUL_INT(&tmp[0],  &tmp[1],  3);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /* Optimize away for "koblitz" curves with A = 0 */
*62c56f98SSadaf Ebrahimi        if (MPI_ECP_CMP_INT(&grp->A, 0) != 0) {
*62c56f98SSadaf Ebrahimi            /* M += A.Z^4 */
*62c56f98SSadaf Ebrahimi            MPI_ECP_SQR(&tmp[1],  &P->Z);
*62c56f98SSadaf Ebrahimi            MPI_ECP_SQR(&tmp[2],  &tmp[1]);
*62c56f98SSadaf Ebrahimi            MPI_ECP_MUL(&tmp[1],  &tmp[2],     &grp->A);
*62c56f98SSadaf Ebrahimi            MPI_ECP_ADD(&tmp[0],  &tmp[0],     &tmp[1]);
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* tmp[1] <- S = 4.X.Y^2 */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&tmp[2],  &P->Y);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SHIFT_L(&tmp[2],  1);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&tmp[1],  &P->X, &tmp[2]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SHIFT_L(&tmp[1],  1);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* tmp[3] <- U = 8.Y^4 */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&tmp[3],  &tmp[2]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SHIFT_L(&tmp[3],  1);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* tmp[2] <- T = M^2 - 2.S */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&tmp[2],  &tmp[0]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(&tmp[2],  &tmp[2], &tmp[1]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(&tmp[2],  &tmp[2], &tmp[1]);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* tmp[1] <- S = M(S - T) - U */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(&tmp[1],  &tmp[1],     &tmp[2]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&tmp[1],  &tmp[1],     &tmp[0]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(&tmp[1],  &tmp[1],     &tmp[3]);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* tmp[3] <- U = 2.Y.Z */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&tmp[3],  &P->Y,  &P->Z);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SHIFT_L(&tmp[3],  1);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Store results */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MOV(&R->X, &tmp[2]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MOV(&R->Y, &tmp[1]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MOV(&R->Z, &tmp[3]);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) */
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Addition: R = P + Q, mixed affine-Jacobian coordinates (GECC 3.22)
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * The coordinates of Q must be normalized (= affine),
*62c56f98SSadaf Ebrahimi * but those of P don't need to. R is not normalized.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * P,Q,R may alias, but only at the level of EC points: they must be either
*62c56f98SSadaf Ebrahimi * equal as pointers, or disjoint (including the coordinate data buffers).
*62c56f98SSadaf Ebrahimi * Fine-grained aliasing at the level of coordinates is not supported.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Special cases: (1) P or Q is zero, (2) R is zero, (3) P == Q.
*62c56f98SSadaf Ebrahimi * None of these cases can happen as intermediate step in ecp_mul_comb():
*62c56f98SSadaf Ebrahimi * - at each step, P, Q and R are multiples of the base point, the factor
*62c56f98SSadaf Ebrahimi *   being less than its order, so none of them is zero;
*62c56f98SSadaf Ebrahimi * - Q is an odd multiple of the base point, P an even multiple,
*62c56f98SSadaf Ebrahimi *   due to the choice of precomputed points in the modified comb method.
*62c56f98SSadaf Ebrahimi * So branches for these cases do not leak secret information.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Cost: 1A := 8M + 3S
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_add_mixed(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                         const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
*62c56f98SSadaf Ebrahimi                         mbedtls_mpi tmp[4])
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SELF_TEST)
*62c56f98SSadaf Ebrahimi    add_count++;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
*62c56f98SSadaf Ebrahimi    if (mbedtls_internal_ecp_grp_capable(grp)) {
*62c56f98SSadaf Ebrahimi        return mbedtls_internal_ecp_add_mixed(grp, R, P, Q);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_ADD_MIXED_ALT)
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* NOTE: Aliasing between input and output is allowed, so one has to make
*62c56f98SSadaf Ebrahimi     *       sure that at the point X,Y,Z are written, {P,Q}->{X,Y,Z} are no
*62c56f98SSadaf Ebrahimi     *       longer read from. */
*62c56f98SSadaf Ebrahimi    mbedtls_mpi * const X = &R->X;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi * const Y = &R->Y;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi * const Z = &R->Z;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (!MPI_ECP_VALID(&Q->Z)) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Trivial cases: P == 0 or Q == 0 (case 1)
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    if (MPI_ECP_CMP_INT(&P->Z, 0) == 0) {
*62c56f98SSadaf Ebrahimi        return mbedtls_ecp_copy(R, Q);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (MPI_ECP_CMP_INT(&Q->Z, 0) == 0) {
*62c56f98SSadaf Ebrahimi        return mbedtls_ecp_copy(R, P);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Make sure Q coordinates are normalized
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    if (MPI_ECP_CMP_INT(&Q->Z, 1) != 0) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&tmp[0], &P->Z);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&tmp[1], &tmp[0], &P->Z);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&tmp[0], &tmp[0], &Q->X);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&tmp[1], &tmp[1], &Q->Y);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(&tmp[0], &tmp[0], &P->X);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(&tmp[1], &tmp[1], &P->Y);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Special cases (2) and (3) */
*62c56f98SSadaf Ebrahimi    if (MPI_ECP_CMP_INT(&tmp[0], 0) == 0) {
*62c56f98SSadaf Ebrahimi        if (MPI_ECP_CMP_INT(&tmp[1], 0) == 0) {
*62c56f98SSadaf Ebrahimi            ret = ecp_double_jac(grp, R, P, tmp);
*62c56f98SSadaf Ebrahimi            goto cleanup;
*62c56f98SSadaf Ebrahimi        } else {
*62c56f98SSadaf Ebrahimi            ret = mbedtls_ecp_set_zero(R);
*62c56f98SSadaf Ebrahimi            goto cleanup;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* {P,Q}->Z no longer used, so OK to write to Z even if there's aliasing. */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(Z,        &P->Z,    &tmp[0]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&tmp[2],  &tmp[0]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&tmp[3],  &tmp[2],  &tmp[0]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&tmp[2],  &tmp[2],  &P->X);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MPI_ECP_MOV(&tmp[0], &tmp[2]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SHIFT_L(&tmp[0], 1);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* {P,Q}->X no longer used, so OK to write to X even if there's aliasing. */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(X,        &tmp[1]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(X,        X,        &tmp[0]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(X,        X,        &tmp[3]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(&tmp[2],  &tmp[2],  X);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&tmp[2],  &tmp[2],  &tmp[1]);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&tmp[3],  &tmp[3],  &P->Y);
*62c56f98SSadaf Ebrahimi    /* {P,Q}->Y no longer used, so OK to write to Y even if there's aliasing. */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(Y,     &tmp[2],     &tmp[3]);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_ADD_MIXED_ALT) */
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Randomize jacobian coordinates:
*62c56f98SSadaf Ebrahimi * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l
*62c56f98SSadaf Ebrahimi * This is sort of the reverse operation of ecp_normalize_jac().
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * This countermeasure was first suggested in [2].
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_randomize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
*62c56f98SSadaf Ebrahimi                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
*62c56f98SSadaf Ebrahimi    if (mbedtls_internal_ecp_grp_capable(grp)) {
*62c56f98SSadaf Ebrahimi        return mbedtls_internal_ecp_randomize_jac(grp, pt, f_rng, p_rng);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi l;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&l);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Generate l such that 1 < l < p */
*62c56f98SSadaf Ebrahimi    MPI_ECP_RAND(&l);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Z' = l * Z */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&pt->Z,   &pt->Z,     &l);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Y' = l * Y */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&pt->Y,   &pt->Y,     &l);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* X' = l^2 * X */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&l,       &l);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&pt->X,   &pt->X,     &l);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Y'' = l^2 * Y' = l^3 * Y */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&pt->Y,   &pt->Y,     &l);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&l);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
*62c56f98SSadaf Ebrahimi        ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) */
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check and define parameters used by the comb method (see below for details)
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#if MBEDTLS_ECP_WINDOW_SIZE < 2 || MBEDTLS_ECP_WINDOW_SIZE > 7
*62c56f98SSadaf Ebrahimi#error "MBEDTLS_ECP_WINDOW_SIZE out of bounds"
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* d = ceil( n / w ) */
*62c56f98SSadaf Ebrahimi#define COMB_MAX_D      (MBEDTLS_ECP_MAX_BITS + 1) / 2
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* number of precomputed points */
*62c56f98SSadaf Ebrahimi#define COMB_MAX_PRE    (1 << (MBEDTLS_ECP_WINDOW_SIZE - 1))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Compute the representation of m that will be used with our comb method.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * The basic comb method is described in GECC 3.44 for example. We use a
*62c56f98SSadaf Ebrahimi * modified version that provides resistance to SPA by avoiding zero
*62c56f98SSadaf Ebrahimi * digits in the representation as in [3]. We modify the method further by
*62c56f98SSadaf Ebrahimi * requiring that all K_i be odd, which has the small cost that our
*62c56f98SSadaf Ebrahimi * representation uses one more K_i, due to carries, but saves on the size of
*62c56f98SSadaf Ebrahimi * the precomputed table.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Summary of the comb method and its modifications:
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * - The goal is to compute m*P for some w*d-bit integer m.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * - The basic comb method splits m into the w-bit integers
*62c56f98SSadaf Ebrahimi *   x[0] .. x[d-1] where x[i] consists of the bits in m whose
*62c56f98SSadaf Ebrahimi *   index has residue i modulo d, and computes m * P as
*62c56f98SSadaf Ebrahimi *   S[x[0]] + 2 * S[x[1]] + .. + 2^(d-1) S[x[d-1]], where
*62c56f98SSadaf Ebrahimi *   S[i_{w-1} .. i_0] := i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + i_0 P.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * - If it happens that, say, x[i+1]=0 (=> S[x[i+1]]=0), one can replace the sum by
*62c56f98SSadaf Ebrahimi *    .. + 2^{i-1} S[x[i-1]] - 2^i S[x[i]] + 2^{i+1} S[x[i]] + 2^{i+2} S[x[i+2]] ..,
*62c56f98SSadaf Ebrahimi *   thereby successively converting it into a form where all summands
*62c56f98SSadaf Ebrahimi *   are nonzero, at the cost of negative summands. This is the basic idea of [3].
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * - More generally, even if x[i+1] != 0, we can first transform the sum as
*62c56f98SSadaf Ebrahimi *   .. - 2^i S[x[i]] + 2^{i+1} ( S[x[i]] + S[x[i+1]] ) + 2^{i+2} S[x[i+2]] ..,
*62c56f98SSadaf Ebrahimi *   and then replace S[x[i]] + S[x[i+1]] = S[x[i] ^ x[i+1]] + 2 S[x[i] & x[i+1]].
*62c56f98SSadaf Ebrahimi *   Performing and iterating this procedure for those x[i] that are even
*62c56f98SSadaf Ebrahimi *   (keeping track of carry), we can transform the original sum into one of the form
*62c56f98SSadaf Ebrahimi *   S[x'[0]] +- 2 S[x'[1]] +- .. +- 2^{d-1} S[x'[d-1]] + 2^d S[x'[d]]
*62c56f98SSadaf Ebrahimi *   with all x'[i] odd. It is therefore only necessary to know S at odd indices,
*62c56f98SSadaf Ebrahimi *   which is why we are only computing half of it in the first place in
*62c56f98SSadaf Ebrahimi *   ecp_precompute_comb and accessing it with index abs(i) / 2 in ecp_select_comb.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * - For the sake of compactness, only the seven low-order bits of x[i]
*62c56f98SSadaf Ebrahimi *   are used to represent its absolute value (K_i in the paper), and the msb
*62c56f98SSadaf Ebrahimi *   of x[i] encodes the sign (s_i in the paper): it is set if and only if
*62c56f98SSadaf Ebrahimi *   if s_i == -1;
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Calling conventions:
*62c56f98SSadaf Ebrahimi * - x is an array of size d + 1
*62c56f98SSadaf Ebrahimi * - w is the size, ie number of teeth, of the comb, and must be between
*62c56f98SSadaf Ebrahimi *   2 and 7 (in practice, between 2 and MBEDTLS_ECP_WINDOW_SIZE)
*62c56f98SSadaf Ebrahimi * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
*62c56f98SSadaf Ebrahimi *   (the result will be incorrect if these assumptions are not satisfied)
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic void ecp_comb_recode_core(unsigned char x[], size_t d,
*62c56f98SSadaf Ebrahimi                                 unsigned char w, const mbedtls_mpi *m)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    size_t i, j;
*62c56f98SSadaf Ebrahimi    unsigned char c, cc, adjust;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    memset(x, 0, d+1);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* First get the classical comb values (except for x_d = 0) */
*62c56f98SSadaf Ebrahimi    for (i = 0; i < d; i++) {
*62c56f98SSadaf Ebrahimi        for (j = 0; j < w; j++) {
*62c56f98SSadaf Ebrahimi            x[i] |= mbedtls_mpi_get_bit(m, i + d * j) << j;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Now make sure x_1 .. x_d are odd */
*62c56f98SSadaf Ebrahimi    c = 0;
*62c56f98SSadaf Ebrahimi    for (i = 1; i <= d; i++) {
*62c56f98SSadaf Ebrahimi        /* Add carry and update it */
*62c56f98SSadaf Ebrahimi        cc   = x[i] & c;
*62c56f98SSadaf Ebrahimi        x[i] = x[i] ^ c;
*62c56f98SSadaf Ebrahimi        c = cc;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /* Adjust if needed, avoiding branches */
*62c56f98SSadaf Ebrahimi        adjust = 1 - (x[i] & 0x01);
*62c56f98SSadaf Ebrahimi        c   |= x[i] & (x[i-1] * adjust);
*62c56f98SSadaf Ebrahimi        x[i] = x[i] ^ (x[i-1] * adjust);
*62c56f98SSadaf Ebrahimi        x[i-1] |= adjust << 7;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Precompute points for the adapted comb method
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Assumption: T must be able to hold 2^{w - 1} elements.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Operation: If i = i_{w-1} ... i_1 is the binary representation of i,
*62c56f98SSadaf Ebrahimi *            sets T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Note: Even comb values (those where P would be omitted from the
*62c56f98SSadaf Ebrahimi *       sum defining T[i] above) are not needed in our adaption
*62c56f98SSadaf Ebrahimi *       the comb method. See ecp_comb_recode_core().
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * This function currently works in four steps:
*62c56f98SSadaf Ebrahimi * (1) [dbl]      Computation of intermediate T[i] for 2-power values of i
*62c56f98SSadaf Ebrahimi * (2) [norm_dbl] Normalization of coordinates of these T[i]
*62c56f98SSadaf Ebrahimi * (3) [add]      Computation of all T[i]
*62c56f98SSadaf Ebrahimi * (4) [norm_add] Normalization of all T[i]
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Step 1 can be interrupted but not the others; together with the final
*62c56f98SSadaf Ebrahimi * coordinate normalization they are the largest steps done at once, depending
*62c56f98SSadaf Ebrahimi * on the window size. Here are operation counts for P-256:
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * step     (2)     (3)     (4)
*62c56f98SSadaf Ebrahimi * w = 5    142     165     208
*62c56f98SSadaf Ebrahimi * w = 4    136      77     160
*62c56f98SSadaf Ebrahimi * w = 3    130      33     136
*62c56f98SSadaf Ebrahimi * w = 2    124      11     124
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * So if ECC operations are blocking for too long even with a low max_ops
*62c56f98SSadaf Ebrahimi * value, it's useful to set MBEDTLS_ECP_WINDOW_SIZE to a lower value in order
*62c56f98SSadaf Ebrahimi * to minimize maximum blocking time.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_precompute_comb(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                               mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                               unsigned char w, size_t d,
*62c56f98SSadaf Ebrahimi                               mbedtls_ecp_restart_ctx *rs_ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    unsigned char i;
*62c56f98SSadaf Ebrahimi    size_t j = 0;
*62c56f98SSadaf Ebrahimi    const unsigned char T_size = 1U << (w - 1);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1] = { NULL };
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_mpi tmp[4];
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
*62c56f98SSadaf Ebrahimi        if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
*62c56f98SSadaf Ebrahimi            goto dbl;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi        if (rs_ctx->rsm->state == ecp_rsm_pre_norm_dbl) {
*62c56f98SSadaf Ebrahimi            goto norm_dbl;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi        if (rs_ctx->rsm->state == ecp_rsm_pre_add) {
*62c56f98SSadaf Ebrahimi            goto add;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi        if (rs_ctx->rsm->state == ecp_rsm_pre_norm_add) {
*62c56f98SSadaf Ebrahimi            goto norm_add;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    (void) rs_ctx;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->state = ecp_rsm_pre_dbl;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /* initial state for the loop */
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->i = 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimidbl:
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Set T[0] = P and
*62c56f98SSadaf Ebrahimi     * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&T[0], P));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
*62c56f98SSadaf Ebrahimi        j = rs_ctx->rsm->i;
*62c56f98SSadaf Ebrahimi    } else
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    j = 0;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    for (; j < d * (w - 1); j++) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        i = 1U << (j / d);
*62c56f98SSadaf Ebrahimi        cur = T + i;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        if (j % d == 0) {
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_ecp_copy(cur, T + (i >> 1)));
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_double_jac(grp, cur, cur, tmp));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->state = ecp_rsm_pre_norm_dbl;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahiminorm_dbl:
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Normalize current elements in T to allow them to be used in
*62c56f98SSadaf Ebrahimi     * ecp_add_mixed() below, which requires one normalized input.
*62c56f98SSadaf Ebrahimi     *
*62c56f98SSadaf Ebrahimi     * As T has holes, use an auxiliary array of pointers to elements in T.
*62c56f98SSadaf Ebrahimi     *
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    j = 0;
*62c56f98SSadaf Ebrahimi    for (i = 1; i < T_size; i <<= 1) {
*62c56f98SSadaf Ebrahimi        TT[j++] = T + i;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->state = ecp_rsm_pre_add;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimiadd:
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Compute the remaining ones using the minimal number of additions
*62c56f98SSadaf Ebrahimi     * Be careful to update T[2^l] only after using it!
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    MBEDTLS_ECP_BUDGET((T_size - 1) * MBEDTLS_ECP_OPS_ADD);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    for (i = 1; i < T_size; i <<= 1) {
*62c56f98SSadaf Ebrahimi        j = i;
*62c56f98SSadaf Ebrahimi        while (j--) {
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(ecp_add_mixed(grp, &T[i + j], &T[j], &T[i], tmp));
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->state = ecp_rsm_pre_norm_add;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahiminorm_add:
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Normalize final elements in T. Even though there are no holes now, we
*62c56f98SSadaf Ebrahimi     * still need the auxiliary array for homogeneity with the previous
*62c56f98SSadaf Ebrahimi     * call. Also, skip T[0] which is already normalised, being a copy of P.
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    for (j = 0; j + 1 < T_size; j++) {
*62c56f98SSadaf Ebrahimi        TT[j] = T + j + 1;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Free Z coordinate (=1 after normalization) to save RAM.
*62c56f98SSadaf Ebrahimi     * This makes T[i] invalid as mbedtls_ecp_points, but this is OK
*62c56f98SSadaf Ebrahimi     * since from this point onwards, they are only accessed indirectly
*62c56f98SSadaf Ebrahimi     * via the getter function ecp_select_comb() which does set the
*62c56f98SSadaf Ebrahimi     * target's Z coordinate to 1. */
*62c56f98SSadaf Ebrahimi    for (i = 0; i < T_size; i++) {
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_free(&T[i].Z);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
*62c56f98SSadaf Ebrahimi        ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
*62c56f98SSadaf Ebrahimi        if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
*62c56f98SSadaf Ebrahimi            rs_ctx->rsm->i = j;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * See ecp_comb_recode_core() for background
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_select_comb(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                           const mbedtls_ecp_point T[], unsigned char T_size,
*62c56f98SSadaf Ebrahimi                           unsigned char i)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    unsigned char ii, j;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Ignore the "sign" bit and scale down */
*62c56f98SSadaf Ebrahimi    ii =  (i & 0x7Fu) >> 1;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Read the whole table to thwart cache-based timing attacks */
*62c56f98SSadaf Ebrahimi    for (j = 0; j < T_size; j++) {
*62c56f98SSadaf Ebrahimi        MPI_ECP_COND_ASSIGN(&R->X, &T[j].X, j == ii);
*62c56f98SSadaf Ebrahimi        MPI_ECP_COND_ASSIGN(&R->Y, &T[j].Y, j == ii);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Safely invert result if i is "negative" */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, R, i >> 7));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MPI_ECP_LSET(&R->Z, 1);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Core multiplication algorithm for the (modified) comb method.
*62c56f98SSadaf Ebrahimi * This part is actually common with the basic comb method (GECC 3.44)
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Cost: d A + d D + 1 R
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_mul_comb_core(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                             const mbedtls_ecp_point T[], unsigned char T_size,
*62c56f98SSadaf Ebrahimi                             const unsigned char x[], size_t d,
*62c56f98SSadaf Ebrahimi                             int (*f_rng)(void *, unsigned char *, size_t),
*62c56f98SSadaf Ebrahimi                             void *p_rng,
*62c56f98SSadaf Ebrahimi                             mbedtls_ecp_restart_ctx *rs_ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point Txi;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi tmp[4];
*62c56f98SSadaf Ebrahimi    size_t i;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_init(&Txi);
*62c56f98SSadaf Ebrahimi    mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    (void) rs_ctx;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->state != ecp_rsm_comb_core) {
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->i = 0;
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->state = ecp_rsm_comb_core;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* new 'if' instead of nested for the sake of the 'else' branch */
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
*62c56f98SSadaf Ebrahimi        /* restore current index (R already pointing to rs_ctx->rsm->R) */
*62c56f98SSadaf Ebrahimi        i = rs_ctx->rsm->i;
*62c56f98SSadaf Ebrahimi    } else
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    {
*62c56f98SSadaf Ebrahimi        /* Start with a non-zero point and randomize its coordinates */
*62c56f98SSadaf Ebrahimi        i = d;
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_select_comb(grp, R, T, T_size, x[i]));
*62c56f98SSadaf Ebrahimi        if (f_rng != 0) {
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, R, f_rng, p_rng));
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    while (i != 0) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL + MBEDTLS_ECP_OPS_ADD);
*62c56f98SSadaf Ebrahimi        --i;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_double_jac(grp, R, R, tmp));
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_select_comb(grp, &Txi, T, T_size, x[i]));
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_add_mixed(grp, R, R, &Txi, tmp));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_free(&Txi);
*62c56f98SSadaf Ebrahimi    mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
*62c56f98SSadaf Ebrahimi        ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->i = i;
*62c56f98SSadaf Ebrahimi        /* no need to save R, already pointing to rs_ctx->rsm->R */
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Recode the scalar to get constant-time comb multiplication
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * As the actual scalar recoding needs an odd scalar as a starting point,
*62c56f98SSadaf Ebrahimi * this wrapper ensures that by replacing m by N - m if necessary, and
*62c56f98SSadaf Ebrahimi * informs the caller that the result of multiplication will be negated.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * This works because we only support large prime order for Short Weierstrass
*62c56f98SSadaf Ebrahimi * curves, so N is always odd hence either m or N - m is.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * See ecp_comb_recode_core() for background.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_comb_recode_scalar(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                  const mbedtls_mpi *m,
*62c56f98SSadaf Ebrahimi                                  unsigned char k[COMB_MAX_D + 1],
*62c56f98SSadaf Ebrahimi                                  size_t d,
*62c56f98SSadaf Ebrahimi                                  unsigned char w,
*62c56f98SSadaf Ebrahimi                                  unsigned char *parity_trick)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi M, mm;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&M);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&mm);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* N is always odd (see above), just make extra sure */
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_get_bit(&grp->N, 0) != 1) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* do we need the parity trick? */
*62c56f98SSadaf Ebrahimi    *parity_trick = (mbedtls_mpi_get_bit(m, 0) == 0);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* execute parity fix in constant time */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&M, m));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&mm, &grp->N, m));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(&M, &mm, *parity_trick));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* actual scalar recoding */
*62c56f98SSadaf Ebrahimi    ecp_comb_recode_core(k, d, w, &M);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&mm);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&M);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Perform comb multiplication (for short Weierstrass curves)
*62c56f98SSadaf Ebrahimi * once the auxiliary table has been pre-computed.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Scalar recoding may use a parity trick that makes us compute -m * P,
*62c56f98SSadaf Ebrahimi * if that is the case we'll need to recover m * P at the end.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_mul_comb_after_precomp(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                      mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                                      const mbedtls_mpi *m,
*62c56f98SSadaf Ebrahimi                                      const mbedtls_ecp_point *T,
*62c56f98SSadaf Ebrahimi                                      unsigned char T_size,
*62c56f98SSadaf Ebrahimi                                      unsigned char w,
*62c56f98SSadaf Ebrahimi                                      size_t d,
*62c56f98SSadaf Ebrahimi                                      int (*f_rng)(void *, unsigned char *, size_t),
*62c56f98SSadaf Ebrahimi                                      void *p_rng,
*62c56f98SSadaf Ebrahimi                                      mbedtls_ecp_restart_ctx *rs_ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    unsigned char parity_trick;
*62c56f98SSadaf Ebrahimi    unsigned char k[COMB_MAX_D + 1];
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point *RR = R;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
*62c56f98SSadaf Ebrahimi        RR = &rs_ctx->rsm->R;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        if (rs_ctx->rsm->state == ecp_rsm_final_norm) {
*62c56f98SSadaf Ebrahimi            goto final_norm;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_comb_recode_scalar(grp, m, k, d, w,
*62c56f98SSadaf Ebrahimi                                           &parity_trick));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_mul_comb_core(grp, RR, T, T_size, k, d,
*62c56f98SSadaf Ebrahimi                                      f_rng, p_rng, rs_ctx));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, RR, parity_trick));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->state = ecp_rsm_final_norm;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimifinal_norm:
*62c56f98SSadaf Ebrahimi    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Knowledge of the jacobian coordinates may leak the last few bits of the
*62c56f98SSadaf Ebrahimi     * scalar [1], and since our MPI implementation isn't constant-flow,
*62c56f98SSadaf Ebrahimi     * inversion (used for coordinate normalization) may leak the full value
*62c56f98SSadaf Ebrahimi     * of its input via side-channels [2].
*62c56f98SSadaf Ebrahimi     *
*62c56f98SSadaf Ebrahimi     * [1] https://eprint.iacr.org/2003/191
*62c56f98SSadaf Ebrahimi     * [2] https://eprint.iacr.org/2020/055
*62c56f98SSadaf Ebrahimi     *
*62c56f98SSadaf Ebrahimi     * Avoid the leak by randomizing coordinates before we normalize them.
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    if (f_rng != 0) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, RR, f_rng, p_rng));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, RR));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, RR));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Pick window size based on curve size and whether we optimize for base point
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic unsigned char ecp_pick_window_size(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                          unsigned char p_eq_g)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    unsigned char w;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Minimize the number of multiplications, that is minimize
*62c56f98SSadaf Ebrahimi     * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
*62c56f98SSadaf Ebrahimi     * (see costs of the various parts, with 1S = 1M)
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    w = grp->nbits >= 384 ? 5 : 4;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * If P == G, pre-compute a bit more, since this may be re-used later.
*62c56f98SSadaf Ebrahimi     * Just adding one avoids upping the cost of the first mul too much,
*62c56f98SSadaf Ebrahimi     * and the memory cost too.
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    if (p_eq_g) {
*62c56f98SSadaf Ebrahimi        w++;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * If static comb table may not be used (!p_eq_g) or static comb table does
*62c56f98SSadaf Ebrahimi     * not exists, make sure w is within bounds.
*62c56f98SSadaf Ebrahimi     * (The last test is useful only for very small curves in the test suite.)
*62c56f98SSadaf Ebrahimi     *
*62c56f98SSadaf Ebrahimi     * The user reduces MBEDTLS_ECP_WINDOW_SIZE does not changes the size of
*62c56f98SSadaf Ebrahimi     * static comb table, because the size of static comb table is fixed when
*62c56f98SSadaf Ebrahimi     * it is generated.
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi#if (MBEDTLS_ECP_WINDOW_SIZE < 6)
*62c56f98SSadaf Ebrahimi    if ((!p_eq_g || !ecp_group_is_static_comb_table(grp)) && w > MBEDTLS_ECP_WINDOW_SIZE) {
*62c56f98SSadaf Ebrahimi        w = MBEDTLS_ECP_WINDOW_SIZE;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    if (w >= grp->nbits) {
*62c56f98SSadaf Ebrahimi        w = 2;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return w;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Multiplication using the comb method - for curves in short Weierstrass form
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * This function is mainly responsible for administrative work:
*62c56f98SSadaf Ebrahimi * - managing the restart context if enabled
*62c56f98SSadaf Ebrahimi * - managing the table of precomputed points (passed between the below two
*62c56f98SSadaf Ebrahimi *   functions): allocation, computation, ownership transfer, freeing.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * It delegates the actual arithmetic work to:
*62c56f98SSadaf Ebrahimi *      ecp_precompute_comb() and ecp_mul_comb_with_precomp()
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * See comments on ecp_comb_recode_core() regarding the computation strategy.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_mul_comb(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                        int (*f_rng)(void *, unsigned char *, size_t),
*62c56f98SSadaf Ebrahimi                        void *p_rng,
*62c56f98SSadaf Ebrahimi                        mbedtls_ecp_restart_ctx *rs_ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    unsigned char w, p_eq_g, i;
*62c56f98SSadaf Ebrahimi    size_t d;
*62c56f98SSadaf Ebrahimi    unsigned char T_size = 0, T_ok = 0;
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point *T = NULL;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ECP_RS_ENTER(rsm);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Is P the base point ? */
*62c56f98SSadaf Ebrahimi#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
*62c56f98SSadaf Ebrahimi    p_eq_g = (MPI_ECP_CMP(&P->Y, &grp->G.Y) == 0 &&
*62c56f98SSadaf Ebrahimi              MPI_ECP_CMP(&P->X, &grp->G.X) == 0);
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    p_eq_g = 0;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Pick window size and deduce related sizes */
*62c56f98SSadaf Ebrahimi    w = ecp_pick_window_size(grp, p_eq_g);
*62c56f98SSadaf Ebrahimi    T_size = 1U << (w - 1);
*62c56f98SSadaf Ebrahimi    d = (grp->nbits + w - 1) / w;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Pre-computed table: do we have it already for the base point? */
*62c56f98SSadaf Ebrahimi    if (p_eq_g && grp->T != NULL) {
*62c56f98SSadaf Ebrahimi        /* second pointer to the same table, will be deleted on exit */
*62c56f98SSadaf Ebrahimi        T = grp->T;
*62c56f98SSadaf Ebrahimi        T_ok = 1;
*62c56f98SSadaf Ebrahimi    } else
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    /* Pre-computed table: do we have one in progress? complete? */
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->T != NULL) {
*62c56f98SSadaf Ebrahimi        /* transfer ownership of T from rsm to local function */
*62c56f98SSadaf Ebrahimi        T = rs_ctx->rsm->T;
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->T = NULL;
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->T_size = 0;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /* This effectively jumps to the call to mul_comb_after_precomp() */
*62c56f98SSadaf Ebrahimi        T_ok = rs_ctx->rsm->state >= ecp_rsm_comb_core;
*62c56f98SSadaf Ebrahimi    } else
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    /* Allocate table if we didn't have any */
*62c56f98SSadaf Ebrahimi    {
*62c56f98SSadaf Ebrahimi        T = mbedtls_calloc(T_size, sizeof(mbedtls_ecp_point));
*62c56f98SSadaf Ebrahimi        if (T == NULL) {
*62c56f98SSadaf Ebrahimi            ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
*62c56f98SSadaf Ebrahimi            goto cleanup;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        for (i = 0; i < T_size; i++) {
*62c56f98SSadaf Ebrahimi            mbedtls_ecp_point_init(&T[i]);
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        T_ok = 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Compute table (or finish computing it) if not done already */
*62c56f98SSadaf Ebrahimi    if (!T_ok) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_precompute_comb(grp, T, P, w, d, rs_ctx));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        if (p_eq_g) {
*62c56f98SSadaf Ebrahimi            /* almost transfer ownership of T to the group, but keep a copy of
*62c56f98SSadaf Ebrahimi             * the pointer to use for calling the next function more easily */
*62c56f98SSadaf Ebrahimi            grp->T = T;
*62c56f98SSadaf Ebrahimi            grp->T_size = T_size;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Actual comb multiplication using precomputed points */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_mul_comb_after_precomp(grp, R, m,
*62c56f98SSadaf Ebrahimi                                               T, T_size, w, d,
*62c56f98SSadaf Ebrahimi                                               f_rng, p_rng, rs_ctx));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* does T belong to the group? */
*62c56f98SSadaf Ebrahimi    if (T == grp->T) {
*62c56f98SSadaf Ebrahimi        T = NULL;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* does T belong to the restart context? */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->rsm != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS && T != NULL) {
*62c56f98SSadaf Ebrahimi        /* transfer ownership of T from local function to rsm */
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->T_size = T_size;
*62c56f98SSadaf Ebrahimi        rs_ctx->rsm->T = T;
*62c56f98SSadaf Ebrahimi        T = NULL;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* did T belong to us? then let's destroy it! */
*62c56f98SSadaf Ebrahimi    if (T != NULL) {
*62c56f98SSadaf Ebrahimi        for (i = 0; i < T_size; i++) {
*62c56f98SSadaf Ebrahimi            mbedtls_ecp_point_free(&T[i]);
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi        mbedtls_free(T);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* prevent caller from using invalid value */
*62c56f98SSadaf Ebrahimi    int should_free_R = (ret != 0);
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    /* don't free R while in progress in case R == P */
*62c56f98SSadaf Ebrahimi    if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
*62c56f98SSadaf Ebrahimi        should_free_R = 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    if (should_free_R) {
*62c56f98SSadaf Ebrahimi        mbedtls_ecp_point_free(R);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ECP_RS_LEAVE(rsm);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * For Montgomery curves, we do all the internal arithmetic in projective
*62c56f98SSadaf Ebrahimi * coordinates. Import/export of points uses only the x coordinates, which is
*62c56f98SSadaf Ebrahimi * internally represented as X / Z.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * For scalar multiplication, we'll use a Montgomery ladder.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Normalize Montgomery x/z coordinates: X = X/Z, Z = 1
*62c56f98SSadaf Ebrahimi * Cost: 1M + 1I
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_normalize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
*62c56f98SSadaf Ebrahimi    if (mbedtls_internal_ecp_grp_capable(grp)) {
*62c56f98SSadaf Ebrahimi        return mbedtls_internal_ecp_normalize_mxz(grp, P);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    MPI_ECP_INV(&P->Z, &P->Z);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&P->X, &P->X, &P->Z);
*62c56f98SSadaf Ebrahimi    MPI_ECP_LSET(&P->Z, 1);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) */
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Randomize projective x/z coordinates:
*62c56f98SSadaf Ebrahimi * (X, Z) -> (l X, l Z) for random l
*62c56f98SSadaf Ebrahimi * This is sort of the reverse operation of ecp_normalize_mxz().
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * This countermeasure was first suggested in [2].
*62c56f98SSadaf Ebrahimi * Cost: 2M
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_randomize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
*62c56f98SSadaf Ebrahimi    if (mbedtls_internal_ecp_grp_capable(grp)) {
*62c56f98SSadaf Ebrahimi        return mbedtls_internal_ecp_randomize_mxz(grp, P, f_rng, p_rng);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi l;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&l);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Generate l such that 1 < l < p */
*62c56f98SSadaf Ebrahimi    MPI_ECP_RAND(&l);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&P->X, &P->X, &l);
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&P->Z, &P->Z, &l);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&l);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
*62c56f98SSadaf Ebrahimi        ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) */
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
*62c56f98SSadaf Ebrahimi * for Montgomery curves in x/z coordinates.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
*62c56f98SSadaf Ebrahimi * with
*62c56f98SSadaf Ebrahimi * d =  X1
*62c56f98SSadaf Ebrahimi * P = (X2, Z2)
*62c56f98SSadaf Ebrahimi * Q = (X3, Z3)
*62c56f98SSadaf Ebrahimi * R = (X4, Z4)
*62c56f98SSadaf Ebrahimi * S = (X5, Z5)
*62c56f98SSadaf Ebrahimi * and eliminating temporary variables tO, ..., t4.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Cost: 5M + 4S
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_double_add_mxz(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                              mbedtls_ecp_point *R, mbedtls_ecp_point *S,
*62c56f98SSadaf Ebrahimi                              const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
*62c56f98SSadaf Ebrahimi                              const mbedtls_mpi *d,
*62c56f98SSadaf Ebrahimi                              mbedtls_mpi T[4])
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
*62c56f98SSadaf Ebrahimi    if (mbedtls_internal_ecp_grp_capable(grp)) {
*62c56f98SSadaf Ebrahimi        return mbedtls_internal_ecp_double_add_mxz(grp, R, S, P, Q, d);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MPI_ECP_ADD(&T[0], &P->X,   &P->Z);   /* Pp := PX + PZ                    */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(&T[1], &P->X,   &P->Z);   /* Pm := PX - PZ                    */
*62c56f98SSadaf Ebrahimi    MPI_ECP_ADD(&T[2], &Q->X,   &Q->Z);   /* Qp := QX + XZ                    */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(&T[3], &Q->X,   &Q->Z);   /* Qm := QX - QZ                    */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&T[3], &T[3],   &T[0]);   /* Qm * Pp                          */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&T[2], &T[2],   &T[1]);   /* Qp * Pm                          */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&T[0], &T[0]);            /* Pp^2                             */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&T[1], &T[1]);            /* Pm^2                             */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&R->X, &T[0],   &T[1]);   /* Pp^2 * Pm^2                      */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(&T[0], &T[0],   &T[1]);   /* Pp^2 - Pm^2                      */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&R->Z, &grp->A, &T[0]);   /* A * (Pp^2 - Pm^2)                */
*62c56f98SSadaf Ebrahimi    MPI_ECP_ADD(&R->Z, &T[1],   &R->Z);   /* [ A * (Pp^2-Pm^2) ] + Pm^2       */
*62c56f98SSadaf Ebrahimi    MPI_ECP_ADD(&S->X, &T[3],   &T[2]);   /* Qm*Pp + Qp*Pm                    */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&S->X, &S->X);            /* (Qm*Pp + Qp*Pm)^2                */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SUB(&S->Z, &T[3],   &T[2]);   /* Qm*Pp - Qp*Pm                    */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&S->Z, &S->Z);            /* (Qm*Pp - Qp*Pm)^2                */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&S->Z, d,       &S->Z);   /* d * ( Qm*Pp - Qp*Pm )^2          */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MUL(&R->Z, &T[0],   &R->Z);   /* [A*(Pp^2-Pm^2)+Pm^2]*(Pp^2-Pm^2) */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) */
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Multiplication with Montgomery ladder in x/z coordinates,
*62c56f98SSadaf Ebrahimi * for curves in Montgomery form
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_mul_mxz(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                       const mbedtls_mpi *m, const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                       int (*f_rng)(void *, unsigned char *, size_t),
*62c56f98SSadaf Ebrahimi                       void *p_rng)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    size_t i;
*62c56f98SSadaf Ebrahimi    unsigned char b;
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point RP;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi PX;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi tmp[4];
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_init(&RP); mbedtls_mpi_init(&PX);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (f_rng == NULL) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Save PX and read from P before writing to R, in case P == R */
*62c56f98SSadaf Ebrahimi    MPI_ECP_MOV(&PX, &P->X);
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&RP, P));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Set R to zero in modified x/z coordinates */
*62c56f98SSadaf Ebrahimi    MPI_ECP_LSET(&R->X, 1);
*62c56f98SSadaf Ebrahimi    MPI_ECP_LSET(&R->Z, 0);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&R->Y);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* RP.X might be slightly larger than P, so reduce it */
*62c56f98SSadaf Ebrahimi    MOD_ADD(&RP.X);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Randomize coordinates of the starting point */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, &RP, f_rng, p_rng));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Loop invariant: R = result so far, RP = R + P */
*62c56f98SSadaf Ebrahimi    i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */
*62c56f98SSadaf Ebrahimi    while (i-- > 0) {
*62c56f98SSadaf Ebrahimi        b = mbedtls_mpi_get_bit(m, i);
*62c56f98SSadaf Ebrahimi        /*
*62c56f98SSadaf Ebrahimi         *  if (b) R = 2R + P else R = 2R,
*62c56f98SSadaf Ebrahimi         * which is:
*62c56f98SSadaf Ebrahimi         *  if (b) double_add( RP, R, RP, R )
*62c56f98SSadaf Ebrahimi         *  else   double_add( R, RP, R, RP )
*62c56f98SSadaf Ebrahimi         * but using safe conditional swaps to avoid leaks
*62c56f98SSadaf Ebrahimi         */
*62c56f98SSadaf Ebrahimi        MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
*62c56f98SSadaf Ebrahimi        MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_double_add_mxz(grp, R, &RP, R, &RP, &PX, tmp));
*62c56f98SSadaf Ebrahimi        MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
*62c56f98SSadaf Ebrahimi        MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Knowledge of the projective coordinates may leak the last few bits of the
*62c56f98SSadaf Ebrahimi     * scalar [1], and since our MPI implementation isn't constant-flow,
*62c56f98SSadaf Ebrahimi     * inversion (used for coordinate normalization) may leak the full value
*62c56f98SSadaf Ebrahimi     * of its input via side-channels [2].
*62c56f98SSadaf Ebrahimi     *
*62c56f98SSadaf Ebrahimi     * [1] https://eprint.iacr.org/2003/191
*62c56f98SSadaf Ebrahimi     * [2] https://eprint.iacr.org/2020/055
*62c56f98SSadaf Ebrahimi     *
*62c56f98SSadaf Ebrahimi     * Avoid the leak by randomizing coordinates before we normalize them.
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, R, f_rng, p_rng));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_normalize_mxz(grp, R));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_free(&RP); mbedtls_mpi_free(&PX);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Restartable multiplication R = m * P
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * This internal function can be called without an RNG in case where we know
*62c56f98SSadaf Ebrahimi * the inputs are not sensitive.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_mul_restartable_internal(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
*62c56f98SSadaf Ebrahimi                                        mbedtls_ecp_restart_ctx *rs_ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_INTERNAL_ALT)
*62c56f98SSadaf Ebrahimi    char is_grp_capable = 0;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    /* reset ops count for this call if top-level */
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->depth++ == 0) {
*62c56f98SSadaf Ebrahimi        rs_ctx->ops_done = 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    (void) rs_ctx;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_INTERNAL_ALT)
*62c56f98SSadaf Ebrahimi    if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_INTERNAL_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    int restarting = 0;
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    /* skip argument check when restarting */
*62c56f98SSadaf Ebrahimi    if (!restarting) {
*62c56f98SSadaf Ebrahimi        /* check_privkey is free */
*62c56f98SSadaf Ebrahimi        MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_CHK);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /* Common sanity checks */
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(grp, m));
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_mul_mxz(grp, R, m, P, f_rng, p_rng));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_mul_comb(grp, R, m, P, f_rng, p_rng, rs_ctx));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_INTERNAL_ALT)
*62c56f98SSadaf Ebrahimi    if (is_grp_capable) {
*62c56f98SSadaf Ebrahimi        mbedtls_internal_ecp_free(grp);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_INTERNAL_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL) {
*62c56f98SSadaf Ebrahimi        rs_ctx->depth--;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Restartable multiplication R = m * P
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                                const mbedtls_mpi *m, const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
*62c56f98SSadaf Ebrahimi                                mbedtls_ecp_restart_ctx *rs_ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (f_rng == NULL) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ecp_mul_restartable_internal(grp, R, m, P, f_rng, p_rng, rs_ctx);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Multiplication R = m * P
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                    const mbedtls_mpi *m, const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ecp_mul_restartable(grp, R, m, P, f_rng, p_rng, NULL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_C */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check that an affine point is valid as a public key,
*62c56f98SSadaf Ebrahimi * short weierstrass curves (SEC1 3.2.3.1)
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_check_pubkey_sw(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi YY, RHS;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* pt coordinates must be normalized for our checks */
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0 ||
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_cmp_int(&pt->Y, 0) < 0 ||
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_cmp_mpi(&pt->X, &grp->P) >= 0 ||
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_cmp_mpi(&pt->Y, &grp->P) >= 0) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&YY); mbedtls_mpi_init(&RHS);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * YY = Y^2
*62c56f98SSadaf Ebrahimi     * RHS = X^3 + A X + B
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    MPI_ECP_SQR(&YY,  &pt->Y);
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, &RHS, &pt->X));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (MPI_ECP_CMP(&YY, &RHS) != 0) {
*62c56f98SSadaf Ebrahimi        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&YY); mbedtls_mpi_free(&RHS);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_C)
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * R = m * P with shortcuts for m == 0, m == 1 and m == -1
*62c56f98SSadaf Ebrahimi * NOT constant-time - ONLY for short Weierstrass!
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int mbedtls_ecp_mul_shortcuts(mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                     mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                                     const mbedtls_mpi *m,
*62c56f98SSadaf Ebrahimi                                     const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                                     mbedtls_ecp_restart_ctx *rs_ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi tmp;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&tmp);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_cmp_int(m, 0) == 0) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_ecp_set_zero(R));
*62c56f98SSadaf Ebrahimi    } else if (mbedtls_mpi_cmp_int(m, 1) == 0) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
*62c56f98SSadaf Ebrahimi    } else if (mbedtls_mpi_cmp_int(m, -1) == 0) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
*62c56f98SSadaf Ebrahimi        MPI_ECP_NEG(&R->Y);
*62c56f98SSadaf Ebrahimi    } else {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(ecp_mul_restartable_internal(grp, R, m, P,
*62c56f98SSadaf Ebrahimi                                                     NULL, NULL, rs_ctx));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&tmp);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Restartable linear combination
*62c56f98SSadaf Ebrahimi * NOT constant-time
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_muladd_restartable(
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi    const mbedtls_mpi *m, const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi    const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_restart_ctx *rs_ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point mP;
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point *pmP = &mP;
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point *pR = R;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi tmp[4];
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_INTERNAL_ALT)
*62c56f98SSadaf Ebrahimi    char is_grp_capable = 0;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) != MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_init(&mP);
*62c56f98SSadaf Ebrahimi    mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ECP_RS_ENTER(ma);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->ma != NULL) {
*62c56f98SSadaf Ebrahimi        /* redirect intermediate results to restart context */
*62c56f98SSadaf Ebrahimi        pmP = &rs_ctx->ma->mP;
*62c56f98SSadaf Ebrahimi        pR  = &rs_ctx->ma->R;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /* jump to next operation */
*62c56f98SSadaf Ebrahimi        if (rs_ctx->ma->state == ecp_rsma_mul2) {
*62c56f98SSadaf Ebrahimi            goto mul2;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi        if (rs_ctx->ma->state == ecp_rsma_add) {
*62c56f98SSadaf Ebrahimi            goto add;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi        if (rs_ctx->ma->state == ecp_rsma_norm) {
*62c56f98SSadaf Ebrahimi            goto norm;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_RESTARTABLE */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pmP, m, P, rs_ctx));
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->ma != NULL) {
*62c56f98SSadaf Ebrahimi        rs_ctx->ma->state = ecp_rsma_mul2;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimimul2:
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pR,  n, Q, rs_ctx));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_INTERNAL_ALT)
*62c56f98SSadaf Ebrahimi    if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_INTERNAL_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->ma != NULL) {
*62c56f98SSadaf Ebrahimi        rs_ctx->ma->state = ecp_rsma_add;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimiadd:
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_ADD);
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_add_mixed(grp, pR, pmP, pR, tmp));
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->ma != NULL) {
*62c56f98SSadaf Ebrahimi        rs_ctx->ma->state = ecp_rsma_norm;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahiminorm:
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, pR));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE)
*62c56f98SSadaf Ebrahimi    if (rs_ctx != NULL && rs_ctx->ma != NULL) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, pR));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_INTERNAL_ALT)
*62c56f98SSadaf Ebrahimi    if (is_grp_capable) {
*62c56f98SSadaf Ebrahimi        mbedtls_internal_ecp_free(grp);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_INTERNAL_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_free(&mP);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ECP_RS_LEAVE(ma);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Linear combination
*62c56f98SSadaf Ebrahimi * NOT constant-time
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                       const mbedtls_mpi *m, const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                       const mbedtls_mpi *n, const mbedtls_ecp_point *Q)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ecp_muladd_restartable(grp, R, m, P, n, Q, NULL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_C */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
*62c56f98SSadaf Ebrahimi#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
*62c56f98SSadaf Ebrahimi#define ECP_MPI_INIT_ARRAY(x)   \
*62c56f98SSadaf Ebrahimi    ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Constants for the two points other than 0, 1, -1 (mod p) in
*62c56f98SSadaf Ebrahimi * https://cr.yp.to/ecdh.html#validate
*62c56f98SSadaf Ebrahimi * See ecp_check_pubkey_x25519().
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic const mbedtls_mpi_uint x25519_bad_point_1[] = {
*62c56f98SSadaf Ebrahimi    MBEDTLS_BYTES_TO_T_UINT_8(0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae),
*62c56f98SSadaf Ebrahimi    MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a),
*62c56f98SSadaf Ebrahimi    MBEDTLS_BYTES_TO_T_UINT_8(0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd),
*62c56f98SSadaf Ebrahimi    MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00),
*62c56f98SSadaf Ebrahimi};
*62c56f98SSadaf Ebrahimistatic const mbedtls_mpi_uint x25519_bad_point_2[] = {
*62c56f98SSadaf Ebrahimi    MBEDTLS_BYTES_TO_T_UINT_8(0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24),
*62c56f98SSadaf Ebrahimi    MBEDTLS_BYTES_TO_T_UINT_8(0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b),
*62c56f98SSadaf Ebrahimi    MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86),
*62c56f98SSadaf Ebrahimi    MBEDTLS_BYTES_TO_T_UINT_8(0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57),
*62c56f98SSadaf Ebrahimi};
*62c56f98SSadaf Ebrahimistatic const mbedtls_mpi ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY(
*62c56f98SSadaf Ebrahimi    x25519_bad_point_1);
*62c56f98SSadaf Ebrahimistatic const mbedtls_mpi ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY(
*62c56f98SSadaf Ebrahimi    x25519_bad_point_2);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check that the input point is not one of the low-order points.
*62c56f98SSadaf Ebrahimi * This is recommended by the "May the Fourth" paper:
*62c56f98SSadaf Ebrahimi * https://eprint.iacr.org/2017/806.pdf
*62c56f98SSadaf Ebrahimi * Those points are never sent by an honest peer.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_check_bad_points_mx(const mbedtls_mpi *X, const mbedtls_mpi *P,
*62c56f98SSadaf Ebrahimi                                   const mbedtls_ecp_group_id grp_id)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi XmP;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&XmP);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Reduce X mod P so that we only need to check values less than P.
*62c56f98SSadaf Ebrahimi     * We know X < 2^256 so we can proceed by subtraction. */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&XmP, X));
*62c56f98SSadaf Ebrahimi    while (mbedtls_mpi_cmp_mpi(&XmP, P) >= 0) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&XmP, &XmP, P));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Check against the known bad values that are less than P. For Curve448
*62c56f98SSadaf Ebrahimi     * these are 0, 1 and -1. For Curve25519 we check the values less than P
*62c56f98SSadaf Ebrahimi     * from the following list: https://cr.yp.to/ecdh.html#validate */
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_cmp_int(&XmP, 1) <= 0) {  /* takes care of 0 and 1 */
*62c56f98SSadaf Ebrahimi        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi        goto cleanup;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
*62c56f98SSadaf Ebrahimi    if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
*62c56f98SSadaf Ebrahimi        if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_1) == 0) {
*62c56f98SSadaf Ebrahimi            ret = MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi            goto cleanup;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_2) == 0) {
*62c56f98SSadaf Ebrahimi            ret = MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi            goto cleanup;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    (void) grp_id;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Final check: check if XmP + 1 is P (final because it changes XmP!) */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&XmP, &XmP, 1));
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_cmp_mpi(&XmP, P) == 0) {
*62c56f98SSadaf Ebrahimi        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi        goto cleanup;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ret = 0;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&XmP);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check validity of a public key for Montgomery curves with x-only schemes
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int ecp_check_pubkey_mx(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    /* [Curve25519 p. 5] Just check X is the correct number of bytes */
*62c56f98SSadaf Ebrahimi    /* Allow any public value, if it's too big then we'll just reduce it mod p
*62c56f98SSadaf Ebrahimi     * (RFC 7748 sec. 5 para. 3). */
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_size(&pt->X) > (grp->nbits + 7) / 8) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Implicit in all standards (as they don't consider negative numbers):
*62c56f98SSadaf Ebrahimi     * X must be non-negative. This is normally ensured by the way it's
*62c56f98SSadaf Ebrahimi     * encoded for transmission, but let's be extra sure. */
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ecp_check_bad_points_mx(&pt->X, &grp->P, grp->id);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check that a point is valid as a public key
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                             const mbedtls_ecp_point *pt)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    /* Must use affine coordinates */
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_cmp_int(&pt->Z, 1) != 0) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
*62c56f98SSadaf Ebrahimi        return ecp_check_pubkey_mx(grp, pt);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
*62c56f98SSadaf Ebrahimi        return ecp_check_pubkey_sw(grp, pt);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check that an mbedtls_mpi is valid as a private key
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                              const mbedtls_mpi *d)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
*62c56f98SSadaf Ebrahimi        /* see RFC 7748 sec. 5 para. 5 */
*62c56f98SSadaf Ebrahimi        if (mbedtls_mpi_get_bit(d, 0) != 0 ||
*62c56f98SSadaf Ebrahimi            mbedtls_mpi_get_bit(d, 1) != 0 ||
*62c56f98SSadaf Ebrahimi            mbedtls_mpi_bitlen(d) - 1 != grp->nbits) {  /* mbedtls_mpi_bitlen is one-based! */
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /* see [Curve25519] page 5 */
*62c56f98SSadaf Ebrahimi        if (grp->nbits == 254 && mbedtls_mpi_get_bit(d, 2) != 0) {
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        return 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
*62c56f98SSadaf Ebrahimi        /* see SEC1 3.2 */
*62c56f98SSadaf Ebrahimi        if (mbedtls_mpi_cmp_int(d, 1) < 0 ||
*62c56f98SSadaf Ebrahimi            mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0) {
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi        } else {
*62c56f98SSadaf Ebrahimi            return 0;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf EbrahimiMBEDTLS_STATIC_TESTABLE
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_gen_privkey_mx(size_t high_bit,
*62c56f98SSadaf Ebrahimi                               mbedtls_mpi *d,
*62c56f98SSadaf Ebrahimi                               int (*f_rng)(void *, unsigned char *, size_t),
*62c56f98SSadaf Ebrahimi                               void *p_rng)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    size_t n_random_bytes = high_bit / 8 + 1;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* [Curve25519] page 5 */
*62c56f98SSadaf Ebrahimi    /* Generate a (high_bit+1)-bit random number by generating just enough
*62c56f98SSadaf Ebrahimi     * random bytes, then shifting out extra bits from the top (necessary
*62c56f98SSadaf Ebrahimi     * when (high_bit+1) is not a multiple of 8). */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(d, n_random_bytes,
*62c56f98SSadaf Ebrahimi                                            f_rng, p_rng));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(d, 8 * n_random_bytes - high_bit - 1));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, high_bit, 1));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Make sure the last two bits are unset for Curve448, three bits for
*62c56f98SSadaf Ebrahimi       Curve25519 */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 0, 0));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 1, 0));
*62c56f98SSadaf Ebrahimi    if (high_bit == 254) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 2, 0));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimistatic int mbedtls_ecp_gen_privkey_sw(
*62c56f98SSadaf Ebrahimi    const mbedtls_mpi *N, mbedtls_mpi *d,
*62c56f98SSadaf Ebrahimi    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = mbedtls_mpi_random(d, 1, N, f_rng, p_rng);
*62c56f98SSadaf Ebrahimi    switch (ret) {
*62c56f98SSadaf Ebrahimi        case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_ECP_RANDOM_FAILED;
*62c56f98SSadaf Ebrahimi        default:
*62c56f98SSadaf Ebrahimi            return ret;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Generate a private key
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                            mbedtls_mpi *d,
*62c56f98SSadaf Ebrahimi                            int (*f_rng)(void *, unsigned char *, size_t),
*62c56f98SSadaf Ebrahimi                            void *p_rng)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
*62c56f98SSadaf Ebrahimi        return mbedtls_ecp_gen_privkey_mx(grp->nbits, d, f_rng, p_rng);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
*62c56f98SSadaf Ebrahimi        return mbedtls_ecp_gen_privkey_sw(&grp->N, d, f_rng, p_rng);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_C)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Generate a keypair with configurable base point
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                 const mbedtls_ecp_point *G,
*62c56f98SSadaf Ebrahimi                                 mbedtls_mpi *d, mbedtls_ecp_point *Q,
*62c56f98SSadaf Ebrahimi                                 int (*f_rng)(void *, unsigned char *, size_t),
*62c56f98SSadaf Ebrahimi                                 void *p_rng)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, Q, d, G, f_rng, p_rng));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Generate key pair, wrapper for conventional base point
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                            mbedtls_mpi *d, mbedtls_ecp_point *Q,
*62c56f98SSadaf Ebrahimi                            int (*f_rng)(void *, unsigned char *, size_t),
*62c56f98SSadaf Ebrahimi                            void *p_rng)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ecp_gen_keypair_base(grp, &grp->G, d, Q, f_rng, p_rng);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Generate a keypair, prettier wrapper
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
*62c56f98SSadaf Ebrahimi                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
*62c56f98SSadaf Ebrahimi        return ret;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return mbedtls_ecp_gen_keypair(&key->grp, &key->d, &key->Q, f_rng, p_rng);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_C */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define ECP_CURVE25519_KEY_SIZE 32
*62c56f98SSadaf Ebrahimi#define ECP_CURVE448_KEY_SIZE   56
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Read a private key.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
*62c56f98SSadaf Ebrahimi                         const unsigned char *buf, size_t buflen)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = 0;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
*62c56f98SSadaf Ebrahimi        return ret;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
*62c56f98SSadaf Ebrahimi        /*
*62c56f98SSadaf Ebrahimi         * Mask the key as mandated by RFC7748 for Curve25519 and Curve448.
*62c56f98SSadaf Ebrahimi         */
*62c56f98SSadaf Ebrahimi        if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
*62c56f98SSadaf Ebrahimi            if (buflen != ECP_CURVE25519_KEY_SIZE) {
*62c56f98SSadaf Ebrahimi                return MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi            }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            /* Set the three least significant bits to 0 */
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 2, 0));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            /* Set the most significant bit to 0 */
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(
*62c56f98SSadaf Ebrahimi                mbedtls_mpi_set_bit(&key->d,
*62c56f98SSadaf Ebrahimi                                    ECP_CURVE25519_KEY_SIZE * 8 - 1, 0)
*62c56f98SSadaf Ebrahimi                );
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            /* Set the second most significant bit to 1 */
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(
*62c56f98SSadaf Ebrahimi                mbedtls_mpi_set_bit(&key->d,
*62c56f98SSadaf Ebrahimi                                    ECP_CURVE25519_KEY_SIZE * 8 - 2, 1)
*62c56f98SSadaf Ebrahimi                );
*62c56f98SSadaf Ebrahimi        } else if (grp_id == MBEDTLS_ECP_DP_CURVE448) {
*62c56f98SSadaf Ebrahimi            if (buflen != ECP_CURVE448_KEY_SIZE) {
*62c56f98SSadaf Ebrahimi                return MBEDTLS_ERR_ECP_INVALID_KEY;
*62c56f98SSadaf Ebrahimi            }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            /* Set the two least significant bits to 0 */
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            /* Set the most significant bit to 1 */
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(
*62c56f98SSadaf Ebrahimi                mbedtls_mpi_set_bit(&key->d,
*62c56f98SSadaf Ebrahimi                                    ECP_CURVE448_KEY_SIZE * 8 - 1, 1)
*62c56f98SSadaf Ebrahimi                );
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&key->d, buf, buflen));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(&key->grp, &key->d));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (ret != 0) {
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_free(&key->d);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Write a private key.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
*62c56f98SSadaf Ebrahimi                          unsigned char *buf, size_t buflen)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
*62c56f98SSadaf Ebrahimi        if (key->grp.id == MBEDTLS_ECP_DP_CURVE25519) {
*62c56f98SSadaf Ebrahimi            if (buflen < ECP_CURVE25519_KEY_SIZE) {
*62c56f98SSadaf Ebrahimi                return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
*62c56f98SSadaf Ebrahimi            }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        } else if (key->grp.id == MBEDTLS_ECP_DP_CURVE448) {
*62c56f98SSadaf Ebrahimi            if (buflen < ECP_CURVE448_KEY_SIZE) {
*62c56f98SSadaf Ebrahimi                return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
*62c56f98SSadaf Ebrahimi            }
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&key->d, buf, buflen));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&key->d, buf, buflen));
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_C)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check a public-private key pair
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_check_pub_priv(
*62c56f98SSadaf Ebrahimi    const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv,
*62c56f98SSadaf Ebrahimi    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point Q;
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group grp;
*62c56f98SSadaf Ebrahimi    if (pub->grp.id == MBEDTLS_ECP_DP_NONE ||
*62c56f98SSadaf Ebrahimi        pub->grp.id != prv->grp.id ||
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_cmp_mpi(&pub->Q.X, &prv->Q.X) ||
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_cmp_mpi(&pub->Q.Y, &prv->Q.Y) ||
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_cmp_mpi(&pub->Q.Z, &prv->Q.Z)) {
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_init(&Q);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group_init(&grp);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* mbedtls_ecp_mul() needs a non-const group... */
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group_copy(&grp, &prv->grp);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Also checks d is valid */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &Q, &prv->d, &prv->grp.G, f_rng, p_rng));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (mbedtls_mpi_cmp_mpi(&Q.X, &prv->Q.X) ||
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_cmp_mpi(&Q.Y, &prv->Q.Y) ||
*62c56f98SSadaf Ebrahimi        mbedtls_mpi_cmp_mpi(&Q.Z, &prv->Q.Z)) {
*62c56f98SSadaf Ebrahimi        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi        goto cleanup;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_free(&Q);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group_free(&grp);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_C */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Export generic key-pair parameters.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_export(const mbedtls_ecp_keypair *key, mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                       mbedtls_mpi *d, mbedtls_ecp_point *Q)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if ((ret = mbedtls_ecp_group_copy(grp, &key->grp)) != 0) {
*62c56f98SSadaf Ebrahimi        return ret;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if ((ret = mbedtls_mpi_copy(d, &key->d)) != 0) {
*62c56f98SSadaf Ebrahimi        return ret;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if ((ret = mbedtls_ecp_copy(Q, &key->Q)) != 0) {
*62c56f98SSadaf Ebrahimi        return ret;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SELF_TEST)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_C)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * PRNG for test - !!!INSECURE NEVER USE IN PRODUCTION!!!
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * This is the linear congruential generator from numerical recipes,
*62c56f98SSadaf Ebrahimi * except we only use the low byte as the output. See
*62c56f98SSadaf Ebrahimi * https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic int self_test_rng(void *ctx, unsigned char *out, size_t len)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    static uint32_t state = 42;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    (void) ctx;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    for (size_t i = 0; i < len; i++) {
*62c56f98SSadaf Ebrahimi        state = state * 1664525u + 1013904223u;
*62c56f98SSadaf Ebrahimi        out[i] = (unsigned char) state;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Adjust the exponent to be a valid private point for the specified curve.
*62c56f98SSadaf Ebrahimi * This is sometimes necessary because we use a single set of exponents
*62c56f98SSadaf Ebrahimi * for all curves but the validity of values depends on the curve. */
*62c56f98SSadaf Ebrahimistatic int self_test_adjust_exponent(const mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                                     mbedtls_mpi *m)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = 0;
*62c56f98SSadaf Ebrahimi    switch (grp->id) {
*62c56f98SSadaf Ebrahimi    /* If Curve25519 is available, then that's what we use for the
*62c56f98SSadaf Ebrahimi     * Montgomery test, so we don't need the adjustment code. */
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_ECP_DP_CURVE448:
*62c56f98SSadaf Ebrahimi            /* Move highest bit from 254 to N-1. Setting bit N-1 is
*62c56f98SSadaf Ebrahimi             * necessary to enforce the highest-bit-set constraint. */
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, 254, 0));
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, grp->nbits, 1));
*62c56f98SSadaf Ebrahimi            /* Copy second-highest bit from 253 to N-2. This is not
*62c56f98SSadaf Ebrahimi             * necessary but improves the test variety a bit. */
*62c56f98SSadaf Ebrahimi            MBEDTLS_MPI_CHK(
*62c56f98SSadaf Ebrahimi                mbedtls_mpi_set_bit(m, grp->nbits - 1,
*62c56f98SSadaf Ebrahimi                                    mbedtls_mpi_get_bit(m, 253)));
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#endif /* ! defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) */
*62c56f98SSadaf Ebrahimi        default:
*62c56f98SSadaf Ebrahimi            /* Non-Montgomery curves and Curve25519 need no adjustment. */
*62c56f98SSadaf Ebrahimi            (void) grp;
*62c56f98SSadaf Ebrahimi            (void) m;
*62c56f98SSadaf Ebrahimi            goto cleanup;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Calculate R = m.P for each m in exponents. Check that the number of
*62c56f98SSadaf Ebrahimi * basic operations doesn't depend on the value of m. */
*62c56f98SSadaf Ebrahimistatic int self_test_point(int verbose,
*62c56f98SSadaf Ebrahimi                           mbedtls_ecp_group *grp,
*62c56f98SSadaf Ebrahimi                           mbedtls_ecp_point *R,
*62c56f98SSadaf Ebrahimi                           mbedtls_mpi *m,
*62c56f98SSadaf Ebrahimi                           const mbedtls_ecp_point *P,
*62c56f98SSadaf Ebrahimi                           const char *const *exponents,
*62c56f98SSadaf Ebrahimi                           size_t n_exponents)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    int ret = 0;
*62c56f98SSadaf Ebrahimi    size_t i = 0;
*62c56f98SSadaf Ebrahimi    unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
*62c56f98SSadaf Ebrahimi    add_count = 0;
*62c56f98SSadaf Ebrahimi    dbl_count = 0;
*62c56f98SSadaf Ebrahimi    mul_count = 0;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[0]));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    for (i = 1; i < n_exponents; i++) {
*62c56f98SSadaf Ebrahimi        add_c_prev = add_count;
*62c56f98SSadaf Ebrahimi        dbl_c_prev = dbl_count;
*62c56f98SSadaf Ebrahimi        mul_c_prev = mul_count;
*62c56f98SSadaf Ebrahimi        add_count = 0;
*62c56f98SSadaf Ebrahimi        dbl_count = 0;
*62c56f98SSadaf Ebrahimi        mul_count = 0;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[i]));
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
*62c56f98SSadaf Ebrahimi        MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        if (add_count != add_c_prev ||
*62c56f98SSadaf Ebrahimi            dbl_count != dbl_c_prev ||
*62c56f98SSadaf Ebrahimi            mul_count != mul_c_prev) {
*62c56f98SSadaf Ebrahimi            ret = 1;
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi    if (verbose != 0) {
*62c56f98SSadaf Ebrahimi        if (ret != 0) {
*62c56f98SSadaf Ebrahimi            mbedtls_printf("failed (%u)\n", (unsigned int) i);
*62c56f98SSadaf Ebrahimi        } else {
*62c56f98SSadaf Ebrahimi            mbedtls_printf("passed\n");
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_C */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Checkup routine
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ecp_self_test(int verbose)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_C)
*62c56f98SSadaf Ebrahimi    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group grp;
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point R, P;
*62c56f98SSadaf Ebrahimi    mbedtls_mpi m;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi    /* Exponents especially adapted for secp192k1, which has the lowest
*62c56f98SSadaf Ebrahimi     * order n of all supported curves (secp192r1 is in a slightly larger
*62c56f98SSadaf Ebrahimi     * field but the order of its base point is slightly smaller). */
*62c56f98SSadaf Ebrahimi    const char *sw_exponents[] =
*62c56f98SSadaf Ebrahimi    {
*62c56f98SSadaf Ebrahimi        "000000000000000000000000000000000000000000000001", /* one */
*62c56f98SSadaf Ebrahimi        "FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8C", /* n - 1 */
*62c56f98SSadaf Ebrahimi        "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
*62c56f98SSadaf Ebrahimi        "400000000000000000000000000000000000000000000000", /* one and zeros */
*62c56f98SSadaf Ebrahimi        "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
*62c56f98SSadaf Ebrahimi        "555555555555555555555555555555555555555555555555", /* 101010... */
*62c56f98SSadaf Ebrahimi    };
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi    const char *m_exponents[] =
*62c56f98SSadaf Ebrahimi    {
*62c56f98SSadaf Ebrahimi        /* Valid private values for Curve25519. In a build with Curve448
*62c56f98SSadaf Ebrahimi         * but not Curve25519, they will be adjusted in
*62c56f98SSadaf Ebrahimi         * self_test_adjust_exponent(). */
*62c56f98SSadaf Ebrahimi        "4000000000000000000000000000000000000000000000000000000000000000",
*62c56f98SSadaf Ebrahimi        "5C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C30",
*62c56f98SSadaf Ebrahimi        "5715ECCE24583F7A7023C24164390586842E816D7280A49EF6DF4EAE6B280BF8",
*62c56f98SSadaf Ebrahimi        "41A2B017516F6D254E1F002BCCBADD54BE30F8CEC737A0E912B4963B6BA74460",
*62c56f98SSadaf Ebrahimi        "5555555555555555555555555555555555555555555555555555555555555550",
*62c56f98SSadaf Ebrahimi        "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8",
*62c56f98SSadaf Ebrahimi    };
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group_init(&grp);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_init(&R);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_init(&P);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_init(&m);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
*62c56f98SSadaf Ebrahimi    /* Use secp192r1 if available, or any available curve */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP192R1));
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, mbedtls_ecp_curve_list()->grp_id));
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (verbose != 0) {
*62c56f98SSadaf Ebrahimi        mbedtls_printf("  ECP SW test #1 (constant op_count, base point G): ");
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    /* Do a dummy multiplication first to trigger precomputation */
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&m, 2));
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &P, &m, &grp.G, self_test_rng, NULL));
*62c56f98SSadaf Ebrahimi    ret = self_test_point(verbose,
*62c56f98SSadaf Ebrahimi                          &grp, &R, &m, &grp.G,
*62c56f98SSadaf Ebrahimi                          sw_exponents,
*62c56f98SSadaf Ebrahimi                          sizeof(sw_exponents) / sizeof(sw_exponents[0]));
*62c56f98SSadaf Ebrahimi    if (ret != 0) {
*62c56f98SSadaf Ebrahimi        goto cleanup;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (verbose != 0) {
*62c56f98SSadaf Ebrahimi        mbedtls_printf("  ECP SW test #2 (constant op_count, other point): ");
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    /* We computed P = 2G last time, use it */
*62c56f98SSadaf Ebrahimi    ret = self_test_point(verbose,
*62c56f98SSadaf Ebrahimi                          &grp, &R, &m, &P,
*62c56f98SSadaf Ebrahimi                          sw_exponents,
*62c56f98SSadaf Ebrahimi                          sizeof(sw_exponents) / sizeof(sw_exponents[0]));
*62c56f98SSadaf Ebrahimi    if (ret != 0) {
*62c56f98SSadaf Ebrahimi        goto cleanup;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group_free(&grp);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_free(&R);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
*62c56f98SSadaf Ebrahimi    if (verbose != 0) {
*62c56f98SSadaf Ebrahimi        mbedtls_printf("  ECP Montgomery test (constant op_count): ");
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE25519));
*62c56f98SSadaf Ebrahimi#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
*62c56f98SSadaf Ebrahimi    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE448));
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi#error "MBEDTLS_ECP_MONTGOMERY_ENABLED is defined, but no curve is supported for self-test"
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    ret = self_test_point(verbose,
*62c56f98SSadaf Ebrahimi                          &grp, &R, &m, &grp.G,
*62c56f98SSadaf Ebrahimi                          m_exponents,
*62c56f98SSadaf Ebrahimi                          sizeof(m_exponents) / sizeof(m_exponents[0]));
*62c56f98SSadaf Ebrahimi    if (ret != 0) {
*62c56f98SSadaf Ebrahimi        goto cleanup;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimicleanup:
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (ret < 0 && verbose != 0) {
*62c56f98SSadaf Ebrahimi        mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_group_free(&grp);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_free(&R);
*62c56f98SSadaf Ebrahimi    mbedtls_ecp_point_free(&P);
*62c56f98SSadaf Ebrahimi    mbedtls_mpi_free(&m);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (verbose != 0) {
*62c56f98SSadaf Ebrahimi        mbedtls_printf("\n");
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return ret;
*62c56f98SSadaf Ebrahimi#else /* MBEDTLS_ECP_C */
*62c56f98SSadaf Ebrahimi    (void) verbose;
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_C */
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SELF_TEST */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* !MBEDTLS_ECP_ALT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_ECP_LIGHT */