[crypto] Verify that weierstrass_multiply() result is not point at infinity

The point at infinity cannot be represented in affine coordinates, and
so cannot be returned as a valid result from weierstrass_multiply().

The implementation uses projective coordinates internally, in which a
point at infinity is represented by a zero Z-coordinate.  Treat a zero
Z-coordinate as an invalid result.

The projective coordinates are calculated modulo 4N, and so a zero
value may be represented as 0, N, 2N, or 3N.  To minimise code size,
defer the test until after inverting the Z co-ordinate via Fermat's
little theorem via bigint_mod_exp_ladder() (which will calculate the
inverse of zero as zero, and will always produce a result strictly
modulo N).

Defer the test further until after converting the result back to
affine coordinates, to allow the debug message showing the
multiplication result to be printed.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/crypto/weierstrass.c b/src/crypto/weierstrass.c
index 4974e5252ab2f202a0b1ad42ea79d20a5fbfeb4c..ecc468af2d2f9d3a82e808239951dbd92211e66e 100644 (file)
--- a/src/crypto/weierstrass.c
+++ b/src/crypto/weierstrass.c
@@ -858,5 +858,9 @@ int weierstrass_multiply ( struct weierstrass_curve *curve, const void *base,
        }
        DBGC ( curve, ")\n" );
 
+       /* Verify result is not the point at infinity */
+       if ( bigint_is_zero ( &temp.multiple.z ) )
+               return -EINVAL;
+
        return 0;
 }