From aa68d36234be0bbf50ed4a43339d51f180462920 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Thu, 5 May 2022 19:22:29 +0200
Subject: [PATCH 1/7] Fix order value for curve x448.

Signed-off-by: Pol Henarejos
---
 library/ecp_curves.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index 6b8ff5c7fb..8bc80cd4e6 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -4712,6 +4712,7 @@ static int ecp_use_curve448( mbedtls_ecp_group *grp )
 mbedtls_mpi_free( &grp->G.Y );
 /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->N, 0 ) );
 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &Ns, curve448_part_of_n, sizeof( curve448_part_of_n ) ) );

From 030e802198afb3a28f7bda60a22981d337a8c5c4 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Thu, 5 May 2022 19:28:15 +0200
Subject: [PATCH 2/7] Added Changelog entry.

Signed-off-by: Pol Henarejos
---
 ChangeLog.d/bug_order_x448.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 ChangeLog.d/bug_order_x448.txt

diff --git a/ChangeLog.d/bug_order_x448.txt b/ChangeLog.d/bug_order_x448.txt
new file mode 100644
index 0000000000..5da8821a4e
--- /dev/null
+++ b/ChangeLog.d/bug_order_x448.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix order value of curve x448.
+

From f72803d6f98669ed8e04e81da4dec4cc31c17041 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Thu, 5 May 2022 20:12:13 +0200
Subject: [PATCH 3/7] Removing tabs.

Signed-off-by: Pol Henarejos
---
 ChangeLog.d/bug_order_x448.txt | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ChangeLog.d/bug_order_x448.txt b/ChangeLog.d/bug_order_x448.txt
index 5da8821a4e..cebefc4cf4 100644
--- a/ChangeLog.d/bug_order_x448.txt
+++ b/ChangeLog.d/bug_order_x448.txt
@@ -1,3 +1,2 @@
 Bugfix
- * Fix order value of curve x448.
-
+ * Fix order value of curve x448.
From b101cb6111c4f0789cf0686be32c68bec6673681 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Fri, 6 May 2022 18:43:58 +0200
Subject: [PATCH 4/7] Since the group is unloaded for all curves, it is better to initialize the group also for all curves.

Signed-off-by: Pol Henarejos
---
 library/ecp_curves.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index 8bc80cd4e6..51956cd5b7 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -4712,7 +4712,6 @@ static int ecp_use_curve448( mbedtls_ecp_group *grp )
 mbedtls_mpi_free( &grp->G.Y );
 /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
- MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->N, 0 ) );
 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &Ns, curve448_part_of_n, sizeof( curve448_part_of_n ) ) );
@@ -4738,6 +4737,8 @@ int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
 ECP_VALIDATE_RET( grp != NULL );
 mbedtls_ecp_group_free( grp );
+ mbedtls_ecp_group_init( grp );
+
 grp->id = id;
 switch( id )

From 57080461f7b66a0188de8afcb790d9d4104dd53d Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Fri, 17 Jun 2022 13:41:18 +0100
Subject: [PATCH 5/7] Add test-case for checking curve order

Signed-off-by: Dave Rodgman
---
 tests/suites/test_suite_ecp.data | 53 ++++++++++++++++++++++++++++
 tests/suites/test_suite_ecp.function | 24 +++++++++++++
 2 files changed, 77 insertions(+)

diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index 2eb8c2dfe5..4ea4d3b464 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
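Review bot: The added `mbedtls_ecp_group_init( grp )` immediately after `mbedtls_ecp_group_free( grp )` in mbedtls_ecp_group_load needs a comment, because a reader will otherwise take free-then-init as redundant and may drop it, reintroducing the curve448 order bug the first patch of this series worked around with `mbedtls_mpi_lset`. Suggest `/* group_free() leaves the struct unloaded; re-init it so every mpi field is a valid mpi before the curve setup below — ecp_use_curve448() builds N with mbedtls_mpi_set_bit() instead of loading it, and relies on that. */`. That the freed group is not a valid mpi container is inferred from the commit message rather than visible in the hunk, so confirm it against mbedtls_ecp_group_free before wording the comment as a fact. The rest of mbedtls_ecp_group_load (the switch over the curve ids) lies outside this hunk.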
@@ -890,3 +890,56 @@ ecp_export:MBEDTLS_ECP_DP_SECP256R1:"37cc56d976091e5a723ec7592dff206eee7cf906917
 ECP export key parameters #2 (invalid group)
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
 ecp_export:MBEDTLS_ECP_DP_SECP256R1:"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:1
+
+ECP check order for SECP192R1
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP192R1:"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831"
+
+ECP check order for SECP224R1
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP224R1:"FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D"
+
+ECP check order for SECP256R1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP256R1:"FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"
+
+ECP check order for SECP384R1
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP384R1:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"
+
+ECP check order for SECP521R1
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP521R1:"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409"
+
+ECP check order for BP256R1
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_BP256R1:"A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7"
+
+ECP check order for BP384R1
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_BP384R1:"8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565"
+
+ECP check order for BP512R1
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_BP512R1:"AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069"
+
+ECP check order for CURVE25519
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_CURVE25519:"1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed"
+
+ECP check order for SECP192K1
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP192K1:"fffffffffffffffffffffffe26f2fc170f69466a74defd8d"
+
+ECP check order for SECP224K1
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP224K1:"10000000000000000000000000001dce8d2ec6184caf0a971769fb1f7"
+
+ECP check order for SECP256K1
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP256K1:"fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141"
+
+ECP check order for CURVE448
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_CURVE448:"3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3"
+
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index c3e6b05c19..dd2306fec0 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -1063,3 +1063,27 @@ exit:
 mbedtls_ecp_point_free( &export_Q );
 }
 /* END_CASE */
+
+/* BEGIN_CASE */
+void ecp_check_order( int id, char * expected_order_hex )
+{
+ mbedtls_ecp_group grp;
+ mbedtls_mpi expected_n;
+
+ mbedtls_ecp_group_init( &grp );
+ mbedtls_mpi_init( &expected_n );
+
+ TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
+ TEST_ASSERT( mbedtls_test_read_mpi( &expected_n, 16, expected_order_hex ) == 0);
+
+ // check sign bits are well-formed (i.e. 1 or -1) - see #5810
+ TEST_ASSERT( grp.N.s == -1 || grp.N.s == 1);
+ TEST_ASSERT( expected_n.s == -1 || expected_n.s == 1);
+
+ TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp.N, &expected_n ) == 0 );
+
+exit:
+ mbedtls_ecp_group_free( &grp );
+ mbedtls_mpi_free( &expected_n );
+}
+/* END_CASE */
\ No newline at end of file

From 5cab9dafb7ebbb48961e5bc6a7049a9f248e5f57 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Fri, 17 Jun 2022 13:48:29 +0100
Subject: [PATCH 6/7] fix whitespace

Signed-off-by: Dave Rodgman
---
 tests/suites/test_suite_ecp.function | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index dd2306fec0..28a6398692 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -1079,7 +1079,7 @@ void ecp_check_order( int id, char * expected_order_hex )
 // check sign bits are well-formed (i.e. 1 or -1) - see #5810
 TEST_ASSERT( grp.N.s == -1 || grp.N.s == 1);
 TEST_ASSERT( expected_n.s == -1 || expected_n.s == 1);
-
+
 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp.N, &expected_n ) == 0 );
 exit:

From eb8570f174fcb22e0cd329137dcecf421918b743 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Fri, 17 Jun 2022 14:59:36 +0100
Subject: [PATCH 7/7] Fix missing newline

Signed-off-by: Dave Rodgman
---
 tests/suites/test_suite_ecp.function | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
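Review bot: The three assertions `TEST_ASSERT( mbedtls_test_read_mpi( &expected_n, 16, expected_order_hex ) == 0);`, `TEST_ASSERT( grp.N.s == -1 || grp.N.s == 1);` and `TEST_ASSERT( expected_n.s == -1 || expected_n.s == 1);` in the new ecp_check_order case drop the space before the closing parenthesis that every other `TEST_ASSERT( ... );` in the hunk keeps; they should read `== 0 );` and `== 1 );`. The sign-field checks poke at the mpi internals deliberately, and the `// ... see #5810` comment says why, but it should also say what a bad value looks like so a future reader knows what regression is guarded: `/* A group left with N.s == 0 (neither +1 nor -1) would compare equal to nothing; guard the field directly before trusting mbedtls_mpi_cmp_mpi() below. See #5810. */`. A one-line header above the case, e.g. `/* Load each curve and compare the group order N against the value in test_suite_ecp.data. */`, would make the test's purpose visible without reading the data file.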
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index 28a6398692..1b77f1de6b 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -1086,4 +1086,4 @@ exit:
 mbedtls_ecp_group_free( &grp );
 mbedtls_mpi_free( &expected_n );
 }
-/* END_CASE */
\ No newline at end of file
+/* END_CASE */