Use a more compact encoding of bad points

Base 10 is horrible, base 256 is much better.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

library/ecp.c

@@ -2936,6 +2936,10 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
 
 #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+/* The following constants are defined in ecp_curves.c */
+extern const mbedtls_mpi mbedtls_ecp_x25519_bad_point_1;
+extern const mbedtls_mpi mbedtls_ecp_x25519_bad_point_2;
+
 /*
  * Check that the input point is not one of the low-order points.
  * This is recommended by the "May the Fourth" paper:
@@ -2945,10 +2949,9 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
 static int ecp_check_pubkey_x25519( const mbedtls_mpi *X, const mbedtls_mpi *P )
 {
     int ret;
-    mbedtls_mpi XmP, bad;
+    mbedtls_mpi XmP;
 
     mbedtls_mpi_init( &XmP );
-    mbedtls_mpi_init( &bad );
 
     /* Reduce X mod P so that we only need to check values less than P.
      * We know X < 2^256 so we can proceed by subtraction. */
@@ -2961,25 +2964,21 @@ static int ecp_check_pubkey_x25519( const mbedtls_mpi *X, const mbedtls_mpi *P )
     if( mbedtls_mpi_cmp_int( &XmP, 1 ) <= 0 ) /* takes care of 0 and 1 */
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
 
-    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &bad, 10,
+    if( mbedtls_mpi_cmp_mpi( &XmP, &mbedtls_ecp_x25519_bad_point_1 ) == 0 )
-        "325606250916557431795983626356110631294008115727848805560023387167927233504" ) );
-    if( mbedtls_mpi_cmp_mpi( &XmP, &bad ) == 0 )
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
 
-    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &bad, 10,
+    if( mbedtls_mpi_cmp_mpi( &XmP, &mbedtls_ecp_x25519_bad_point_2 ) == 0 )
-        "39382357235489614581723060781553021112529911719440698176882885853963445705823" ) );
-    if( mbedtls_mpi_cmp_mpi( &XmP, &bad ) == 0 )
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
 
-    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &bad, P, 1 ) );
+    /* Final check: check if XmP + 1 is P (final because it changes XmP!) */
-    if( mbedtls_mpi_cmp_mpi( &XmP, &bad ) == 0 )
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &XmP, &XmP, 1 ) );
+    if( mbedtls_mpi_cmp_mpi( &XmP, P ) == 0 )
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
 
     ret = 0;
 
 cleanup:
     mbedtls_mpi_free( &XmP );
-    mbedtls_mpi_free( &bad );
 
     return( ret );
 }

library/ecp_curves.c

@@ -81,6 +81,11 @@
 
 #endif /* bits in mbedtls_mpi_uint */
 
+#define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)}
+
+#define ECP_MPI_INIT_ARRAY(x)   \
+    ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
+
 /*
  * Note: the constants are in little-endian order
  * to be directly usable in MPIs
@@ -716,6 +721,28 @@ cleanup:
 
     return( ret );
 }
+
+/*
+ * Constants for the two points other than 0, 1, -1 (mod p) in
+ * https://cr.yp.to/ecdh.html#validate
+ * See ecp_check_pubkey_x25519().
+ */
+static const mbedtls_mpi_uint x25519_bad_point_1[] = {
+    BYTES_TO_T_UINT_8( 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae ),
+    BYTES_TO_T_UINT_8( 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a ),
+    BYTES_TO_T_UINT_8( 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd ),
+    BYTES_TO_T_UINT_8( 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 ),
+};
+static const mbedtls_mpi_uint x25519_bad_point_2[] = {
+    BYTES_TO_T_UINT_8( 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24 ),
+    BYTES_TO_T_UINT_8( 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b ),
+    BYTES_TO_T_UINT_8( 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86 ),
+    BYTES_TO_T_UINT_8( 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 ),
+};
+const mbedtls_mpi mbedtls_ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY(
+        x25519_bad_point_1 );
+const mbedtls_mpi mbedtls_ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY(
+        x25519_bad_point_2 );
 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
 
 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)