Doc: Add note on special use of A in ecp group structure

[ivq]

Description

ECP implementation sets A to NULL in structure mbedtls_ecp_group for optimizing Short Weierstrass curves with A = -3.
We should warn on this in the document, as using domain parameters in external program is likely to encounter errors if not
noticing this.

Fixes #8045

Gatekeeper checklist

• changelog provided
• backport Backport 2.28: Doc: Add note on special use of A in ecp group structure #8046
• tests not required - only documentation and a one-line static inline function (that's used in the code so we know it's OK)

[gilles-peskine-arm]

Looks good in principle, but the wording isn't quite right.

[gilles-peskine-arm]

A isn't a pointer. This should read something like “sets A to 0 (with A.p == NULL) rather than …”

[mpg]

We should be careful about the wording here: setting A to 0 with A.p != NULL actually means zero. I think using parentheses here is dangerous, as this could be interpreted as optional while it's actually essential.

[gilles-peskine-arm]

As above: “the value 0 (with A.p == NULL) may be used to represent -3.”

[tom-daubney-arm]

@ivq Will you have time to make the small adjustment to the wording to get this PR through review? It would also need a backport and then we can merge it.

[ivq]

Updated. Feel free to point out any wording improvement. Sorry for my poor English.

[mpg]

This is better, but unfortunately, reviewing this made me realise that just documentation is not going to be enough here.

[mpg]

This is clearly an improvement over the existing, but as a general rule documentation shouldn't just say "pay attention" but give concrete guidance. Unfortunately here I'm not sure what users are supposed to do: mbedtls_cmp_int(grp.A, 0) == 0; is not precise enough (some curves do have A == 0), the only correct test would be grp.A.p == NULL, but the field p of mbedtls_mpi is private.

So, we have a weird situation where mbedtls_ecp_group::A is public, but an user can't make sense of it without accessing a private field...

I think documentation alone is not going to be enough here, and we need a new public function. I'm thinking something like mbedtls_ecp_group_a_is_minus_3() returns 1 is A is -3 mod P and returns 0 otherwise. Then the instructions here would be that for Short Weierstrass curves you need to call this function first before trying to use A.

@gilles-peskine-arm wdyt?

[mpg]

Note: for 2.28 fields are not private, so we could do without the new function, but OTOH I don't think it would be a problem to add such small function even in an LTS.

[gilles-peskine-arm]

Looking back, making A and B public was probably a mistake (mine in #4595). A lot of code relies on P and N, even G gets used in ECDSA, but in our code base A and B are only used in ecp*.c and in pkparse to check whether a given list of parameters correspond to a known curve. But it's too late to go back on that in 3.x.

Given that it's public — and even if it wasn't public, for that matter — I'd be tempted to take advantage of the fact that mbedtls_mpi can represent negative numbers and represent this special value as -3 (which would be the only supported negative value). I think this wouldn't change the code size at the point of use (just replacing grp->A.p == 0 by grp->A.s < 0), but it would add a few bytes of code where the groups are defined. However, using negative bignums feels wrong: we're trying to get rid of them.

So I guess the best thing is to keep the representation as is. And since we've made it a public interface, as you suggest, create a new public function (which can be static inline). We should use that function in ecp.c anyway because it's better documentation.

In the LTS, I wouldn't change anything (except the documentation).

[mpg]

In the LTS, I wouldn't change anything (except the documentation).

Actually, is adding a static inline function really a problem in an LTS? The documentation still needs to tell people what to do, and telling them to access grp->A.p feels a bit dirty.

[gilles-peskine-arm]

No, adding a static inline function is fine. I'm not sure it's necessary though. But I wouldn't change ecp.c to use it: it's a risk and you did find a problem that I'd missed).

[ivq]

Updated. Added a new public API mbedtls_ecp_group_a_is_minus_3().

[gilles-peskine-arm]

LGTM arpart from some minor issues with the documentation.

[gilles-peskine-arm]

This sentence applies to Weierstrass curves (for Montgomery curves, there isn't more information about A in the description of the type), so it should be before the line about Montgomery curves.

[gilles-peskine-arm]

Please make a Doxygen link:

Suggested change

	Refer to detailed description of mbedtls_ecp_group if
	Refer to detailed description of ::mbedtls_ecp_group if

[gilles-peskine-arm]

Can you please do the rework by making a commit on top of the previous commit that we reviewed? Force-pushing after a review makes it hard to re-review without doing a complete review from scratch, and that's very time-consuming.

[ivq]

Can you please do the rework by making a commit on top of the previous commit that we reviewed? Force-pushing after a review makes it hard to re-review without doing a complete review from scratch, and that's very time-consuming.

I made a commit on top of commit 153ae46 .
Is it OK now?

[mpg]

LGTM, thanks!

[gilles-peskine-arm]

LGTM

[gilles-peskine-arm]

Please add a changelog entry.

[gilles-peskine-arm]

Please make a backport: a pull request for the branch mbedtls-2.28 with the same changes in ecp.h (documentation, new static inline function) and the changelog entry, but no changes in the .c files (to minimize the risk).

[gilles-peskine-arm]

LGTM