From 9edff740e145d2cdaf7e870fcdd6b40c1aaec11e Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Thu, 4 Mar 2021 17:59:39 +0100
Subject: [PATCH] Fix EC J-PAKE failing when the payload is all-bits-zero

Fix function mbedtls_ecp_mul_shortcuts() to skip multiplication when m is 0 and simply assignt 0 to R. Additionally fix ecjpake_zkp_read() to return MBEDTLS_ERR_ECP_INVALID_KEY when the above condintion is met.

Fix #1792

Signed-off-by: TRodziewicz
---
 ChangeLog.d/issue1792.txt | 4 ++++
 library/ecjpake.c | 7 +++++++
 library/ecp.c | 8 ++++++--
 3 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 ChangeLog.d/issue1792.txt

diff --git a/ChangeLog.d/issue1792.txt b/ChangeLog.d/issue1792.txt
new file mode 100644
index 000000000..e82c80e0b
--- /dev/null
+++ b/ChangeLog.d/issue1792.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix a bug in EC J-PAKE that would cause it fail when the payload is all-
+ bits-zero.
+ Found by Gilles Peskine, reported in #1792.
diff --git a/library/ecjpake.c b/library/ecjpake.c
index bd4716903..b835ac1c2 100644
--- a/library/ecjpake.c
+++ b/library/ecjpake.c
@@ -286,6 +286,13 @@ static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info,
 * Verification
 */
 MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) );
+
+ if( mbedtls_mpi_cmp_int( &r,0 ) == 0 )
+ {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
 MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( (mbedtls_ecp_group *) grp,
 &VV, &h, X, &r, G ) );
diff --git a/library/ecp.c b/library/ecp.c
index 3b68e8e2d..6e866fa21 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -2795,7 +2795,7 @@ cleanup:
 #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
 /*
- * R = m * P with shortcuts for m == 1 and m == -1
+ * R = m * P with shortcuts for m == 0, m == 1 and m == -1
 * NOT constant-time - ONLY for short Weierstrass!
 */
 static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp,
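Review bot: In the library/ecjpake.c hunk, the new `r == 0` rejection in ecjpake_zkp_read has no comment, and with the ecp.c change in this same commit it looks like the only thing that keeps a zero `r` from reaching `mbedtls_ecp_muladd` as an ordinary scalar; a line such as `/* Reject r == 0 explicitly; the m == 0 shortcut in ecp.c would otherwise let it through to muladd */` would stop it being removed later as redundant. The check reads only `r`, so it could sit before the `ecjpake_hash` call and reject the input before any hashing is done. The diffstat lists no test file, so a regression test that feeds an all-bits-zero payload and expects `MBEDTLS_ERR_ECP_INVALID_KEY` would pin the behaviour. `&r,0` also lacks the space after the comma that the neighbouring calls use. The function begins and ends outside the hunk.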
@@ -2806,7 +2806,11 @@ static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp,
 {
 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if( mbedtls_mpi_cmp_int( m, 1 ) == 0 )
+ if ( mbedtls_mpi_cmp_int( m, 0 ) == 0 )
+ {
+ MBEDTLS_MPI_CHK( mbedtls_ecp_set_zero( R ) );
+ }
+ else if( mbedtls_mpi_cmp_int( m, 1 ) == 0 )
 {
 MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) );
 }
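Review bot: The new `m == 0` branch changes what callers of this helper observe, and nothing at the branch records it: a zero scalar now yields the point at infinity instead of going down the general multiplication path (not shown here, and presumably where it used to be rejected). Any caller that relied on a zero scalar failing now has to check for it itself, as ecjpake_zkp_read does in this commit, so the branch deserves a comment such as `/* m == 0: R is the point at infinity; callers that must reject a zero scalar check before calling */`. The header comment already says the function is not constant-time; the extra comparison on `m` is one more reason to keep secret scalars away from it. `if (` is written with a space where the rest of the hunk uses `if(` and `else if(`. The function body continues outside the hunk.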