commit 6a28870b1eb04181989c37a60e47150e2fb207d8
author Hanno Becker <hanno.becker@arm.com> Wed Jan 05 05:19:48 2022 +0000
committer Hanno Becker <hanno.becker@arm.com> Thu Jan 06 04:46:45 2022 +0000
tree ef516501f22f00f5345135f1dcc65e3be8f616e6
parent 30838868ac135e1bc6f26e08655dd9b54841bf8d

Make ecp_select_comb() create valid EC point with Z coordinate set

ecp_select_comb() did previously not set the Z coordinate of the target point.
Instead, callers would either set it explicitly or leave it uninitialized,
relying on the (only partly upheld) convention that sometimes an uninitialized
Z value represents 1.

This commit modifies ecp_select_comb() to always set the Z coordinate to 1.
This comes at the cost of memory for a single coordinate, which seems worth
it for the increased robustness.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>

library/ecp.c

diff --git a/library/ecp.c b/library/ecp.c
index 43becc6..c86d55d 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1927,6 +1927,8 @@
     /* Safely invert result if i is "negative" */
     MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, R, i >> 7 ) );
 
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 1 ) );
+
 cleanup:
     return( ret );
 }
@@ -1979,7 +1981,6 @@
         /* Start with a non-zero point and randomize its coordinates */
         i = d;
         MBEDTLS_MPI_CHK( ecp_select_comb( grp, R, T, T_size, x[i] ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 1 ) );
         if( f_rng != 0 )
             MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
     }