From dcaf99ebb82f74e9371abcf9521fec428c14d405 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Tue, 2 May 2023 13:59:57 +0200
Subject: [PATCH 1/4] Add another round in the Koblitz reduction

The addition can result in an overflow so another round is needed in the reduction.

Signed-off-by: Gabor Mezei
---
 library/ecp_curves.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index db35e966cd..47f1b347d1 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -5571,7 +5571,7 @@ static inline int ecp_mod_koblitz(mbedtls_mpi_uint *X,
         mask = ((mbedtls_mpi_uint) 1 << shift) - 1;
     }
 
-    for (size_t pass = 0; pass < 2; pass++) {
+    for (size_t pass = 0; pass < 3; pass++) {
         /* Copy A1 */
         memcpy(A1, X + P_limbs - adjust, P_limbs * ciL);
 

From b6653f3e27a68387c4d8f6053f88c2f26bbb9c6a Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Mon, 8 May 2023 17:32:44 +0200
Subject: [PATCH 2/4] Update comments

Signed-off-by: Gabor Mezei
---
 library/ecp_curves.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index 47f1b347d1..c506dad874 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -5533,7 +5533,6 @@ cleanup:
  * with R about 33 bits, used by the Koblitz curves.
  *
  * Write N as A0 + 2^224 A1, return A0 + R * A1.
- * Actually do two passes, since R is big.
  */
 #define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R
 
@@ -5571,6 +5570,10 @@ static inline int ecp_mod_koblitz(mbedtls_mpi_uint *X,
         mask = ((mbedtls_mpi_uint) 1 << shift) - 1;
     }
 
+    /* Two pass is needed for reducing the value of `A0 + R * A1` and
+     * need an additional one to reduce the possible overflow during
+     * the addition.
+     */
     for (size_t pass = 0; pass < 3; pass++) {
         /* Copy A1 */
         memcpy(A1, X + P_limbs - adjust, P_limbs * ciL);

From 23b10109bbcc83214f034e802d65550fd6aa4736 Mon Sep 17 00:00:00 2001
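Review bot: The pass count `3` on the changed `for` line is a bare literal with nothing in the code saying where it comes from, while the file already gives the related quantity a name and a trailing comment (`P_KOBLITZ_R ... // Limbs in R`). I would give the count the same treatment: a sibling macro next to `P_KOBLITZ_R`, e.g. `#define P_KOBLITZ_PASSES 3 // two reduction passes plus one to absorb the carry` (name is a suggestion), and `for (size_t pass = 0; pass < P_KOBLITZ_PASSES; pass++) {` here, so that the bound and its justification live in one place. The loop body and the rest of ecp_mod_koblitz continue outside the hunk, so I cannot see whether anything else depends on the number of passes.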
From: Gabor Mezei
Date: Mon, 8 May 2023 17:28:21 +0200
Subject: [PATCH 3/4] Add test cases to test overflow in the Kobltz reduction

Signed-off-by: Gabor Mezei
---
 scripts/mbedtls_dev/ecp.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py
index 2dae703d86..5f0efcf1c3 100644
--- a/scripts/mbedtls_dev/ecp.py
+++ b/scripts/mbedtls_dev/ecp.py
@@ -518,6 +518,10 @@ class EcpP192K1Raw(bignum_common.ModOperationCommon,
         ("fffffffffffffffffffffffffffffffffffffffdffffdc6c"
          "0000000000000000000000000000000100002394013c7364"),
 
+        # Test case for overflow during addition
+        ("00000007ffff71b809e27dd832cfd5e04d9d2dbb9f8da217"
+         "0000000000000000000000000000000000000000520834f0"),
+
         # First 8 number generated by random.getrandbits(384) - seed(2,2)
         ("cf1822ffbc6887782b491044d5e341245c6e433715ba2bdd"
          "177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
@@ -582,6 +586,10 @@ class EcpP224K1Raw(bignum_common.ModOperationCommon,
         ("fffffffffffffffffffffffffffffffffffffffffffffffdffffcad8"
          "00000000000000000000000000000000000000010000352802c26590"),
 
+        # Test case for overflow during addition
+        ("0000007ffff2b68161180fd8cd92e1a109be158a19a99b1809db8032"
+         "0000000000000000000000000000000000000000000000000bf04f49"),
+
         # First 8 number generated by random.getrandbits(448) - seed(2,2)
         ("da94e3e8ab73738fcf1822ffbc6887782b491044d5e341245c6e4337"
          "15ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
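Review bot: The new vector in the EcpP192K1Raw hunk is labelled only `# Test case for overflow during addition`, with nothing saying how the value was constructed or which pass of the reduction it makes carry, so it cannot be regenerated or adapted if ecp_mod_koblitz changes; the same applies to the EcpP224K1Raw hunk below and the EcpP256K1Raw hunk that follows. The neighbouring vectors do record their provenance (`random.getrandbits(384) - seed(2,2)`), so these should too, e.g. `# Chosen so that A0 + R * A1 carries past the modulus width in the second pass of ecp_mod_koblitz; the third pass absorbs the carry`, with the pass number confirmed against the C code since I am inferring it from the commit message. The input lists these hunks sit in start and end outside the hunks.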
@@ -647,6 +655,10 @@ class EcpP256K1Raw(bignum_common.ModOperationCommon,
         ("fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff85c0"
          "00000000000000000000000000000000000000000000001000007a4000e9844"),
 
+        # Test case for overflow during addition
+        ("0000fffffc2f000e90a0c86a0a63234e5ba641f43a7e4aecc4040e67ec850562"
+         "00000000000000000000000000000000000000000000000000000000585674fd"),
+
         # First 8 number generated by random.getrandbits(512) - seed(2,2)
         ("4067c3584ee207f8da94e3e8ab73738fcf1822ffbc6887782b491044d5e34124"
          "5c6e433715ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),

From a274041190c48d9c78b24ae68254233d1a12ab32 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Mon, 15 May 2023 14:50:17 +0200
Subject: [PATCH 4/4] Fix comment

Signed-off-by: Gabor Mezei
---
 library/ecp_curves.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index c506dad874..b07753a074 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -5570,8 +5570,8 @@ static inline int ecp_mod_koblitz(mbedtls_mpi_uint *X,
         mask = ((mbedtls_mpi_uint) 1 << shift) - 1;
     }
 
-    /* Two pass is needed for reducing the value of `A0 + R * A1` and
-     * need an additional one to reduce the possible overflow during
+    /* Two passes are needed to reduce the value of `A0 + R * A1` and then
+     * we need an additional one to reduce the possible overflow during
      * the addition.
      */
     for (size_t pass = 0; pass < 3; pass++) {
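Review bot: The reworded comment on the two `+` lines still asserts that three passes suffice without giving the size argument, so a reader cannot check the bound or tell whether it survives a change to R or to the curve sizes; the function header above says only that R is about 33 bits. I would extend the comment to state the bound per pass, roughly: after the first pass the value is about 33 bits wider than the modulus, after the second A1 is at most a few bits so the sum can carry by at most one bit past the modulus width, and the third pass absorbs that carry. Those figures are my reading of the algorithm and must be confirmed against the loop body, which, together with the rest of ecp_mod_koblitz, lies outside the hunk.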