TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 10b8e5a5c9095088ba5e8ee5dda8cb6a1aeca5bb^! / . / library / ecp.c
commit10b8e5a5c9095088ba5e8ee5dda8cb6a1aeca5bb[log] [tgz]
authorManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Wed Jun 23 12:25:48 2021 +0200
committerJanos Follath <janos.follath@arm.com>Fri Jun 25 14:15:22 2021 +0100
treea8cfcc29332ba505933c2bd1c3f42168d25b7234
parent6a5f5745d035e9c609a92bad071d8dd5c8fe0571 [diff] [blame]
Use a more compact encoding of bad points

Base 10 is horrible, base 256 is much better.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

diff --git a/library/ecp.c b/library/ecp.c
index 5149abb..f803564 100644
--- a/library/ecp.c
+++ b/library/ecp.c

@@ -2936,6 +2936,10 @@
 
 #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+/* The following constants are defined in ecp_curves.c */
+extern const mbedtls_mpi mbedtls_ecp_x25519_bad_point_1;
+extern const mbedtls_mpi mbedtls_ecp_x25519_bad_point_2;
+
 /*
  * Check that the input point is not one of the low-order points.
  * This is recommended by the "May the Fourth" paper:
@@ -2945,10 +2949,9 @@
 static int ecp_check_pubkey_x25519( const mbedtls_mpi *X, const mbedtls_mpi *P )
 {
     int ret;
-    mbedtls_mpi XmP, bad;
+    mbedtls_mpi XmP;
 
     mbedtls_mpi_init( &XmP );
-    mbedtls_mpi_init( &bad );
 
     /* Reduce X mod P so that we only need to check values less than P.
      * We know X < 2^256 so we can proceed by subtraction. */
@@ -2961,25 +2964,21 @@
     if( mbedtls_mpi_cmp_int( &XmP, 1 ) <= 0 ) /* takes care of 0 and 1 */
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
 
-    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &bad, 10,
-        "325606250916557431795983626356110631294008115727848805560023387167927233504" ) );
-    if( mbedtls_mpi_cmp_mpi( &XmP, &bad ) == 0 )
+    if( mbedtls_mpi_cmp_mpi( &XmP, &mbedtls_ecp_x25519_bad_point_1 ) == 0 )
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
 
-    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &bad, 10,
-        "39382357235489614581723060781553021112529911719440698176882885853963445705823" ) );
-    if( mbedtls_mpi_cmp_mpi( &XmP, &bad ) == 0 )
+    if( mbedtls_mpi_cmp_mpi( &XmP, &mbedtls_ecp_x25519_bad_point_2 ) == 0 )
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
 
-    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &bad, P, 1 ) );
-    if( mbedtls_mpi_cmp_mpi( &XmP, &bad ) == 0 )
+    /* Final check: check if XmP + 1 is P (final because it changes XmP!) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &XmP, &XmP, 1 ) );
+    if( mbedtls_mpi_cmp_mpi( &XmP, P ) == 0 )
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
 
     ret = 0;
 
 cleanup:
     mbedtls_mpi_free( &XmP );
-    mbedtls_mpi_free( &bad );
 
     return( ret );
 }