-rw-r--r--ChangeLog10
-rw-r--r--ecc-secp224r1.c7
-rw-r--r--testsuite/ecc-sqrt-test.c40
3 files changed, 54 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index b461a5a3..ba4fa689 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2021-11-13 Niels Möller <nisse@lysator.liu.se>
+
+ * ecc-secp224r1.c (ecc_secp224r1_sqrt): Fix result for zero
+ input, which needs handling as a special case in the
+ Tonelli-Shanks algorithm.
+
+ * testsuite/ecc-sqrt-test.c (test_sqrt_ratio): Check that sqrt(0)
+ returns 0.
+ (test_sqrt_ratio): Check that sqrt (0/1) returns 0.
+
2021-11-11 Niels Möller <nisse@lysator.liu.se>
* eccdata.c (output_curve): Output ecc_sqrt_z and ECC_SQRT_E only
diff --git a/ecc-secp224r1.c b/ecc-secp224r1.c
index 3d19fde7..bb321298 100644
--- a/ecc-secp224r1.c
+++ b/ecc-secp224r1.c
@@ -189,10 +189,11 @@ ecc_secp224r1_sqrt (const struct ecc_modulo *p,
if (m == r)
{
- /* No square root. Will always be detected on first round in
- the outer loop. */
+ /* We get here if there is no square root, or input is zero.
+ Will always be detected on first round in the outer
+ loop. */
assert (r == ECC_SQRT_E);
- return 0;
+ return ecc_mod_zero_p (p, xp);
}
if (m < r - 1)
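Review bot: The rewritten comment says this branch is also reached when the "input is zero", but `return ecc_mod_zero_p (p, xp);` tests `xp`, and the hunk does not show whether `xp` is the input operand or the candidate root computed earlier in the function. If it is the result area, a line such as `/* xp holds the candidate root, which is zero exactly when the input is zero mod p. */` would let a reader verify the return value without tracing the whole algorithm. It is also worth stating what range of `xp` `ecc_mod_zero_p` accepts, because if it only recognises certain representations, an unreduced zero would still be reported to callers as "no square root". The body of ecc_secp224r1_sqrt starts and ends outside this hunk.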
diff --git a/testsuite/ecc-sqrt-test.c b/testsuite/ecc-sqrt-test.c
index 69e08aa4..096cbafc 100644
--- a/testsuite/ecc-sqrt-test.c
+++ b/testsuite/ecc-sqrt-test.c
@@ -87,6 +87,25 @@ test_sqrt (gmp_randstate_t rands, const struct ecc_modulo *m, int use_redc)
rp = xalloc_limbs (2*m->size);
scratch = xalloc_limbs (m->sqrt_itch);
+ /* Check behaviour for zero input */
+ mpn_zero (up, m->size);
+ memset (rp, 17, m->size * sizeof(*rp));
+ if (!m->sqrt (m, rp, up, scratch))
+ {
+ fprintf (stderr, "m->sqrt returned failure for zero input, bit_size = %d\n",
+ m->bit_size);
+ abort();
+ }
+ if (!ecc_mod_zero_p (m, rp))
+ {
+ fprintf (stderr, "m->sqrt failed for zero input (bit size %u):\n",
+ m->bit_size);
+ fprintf (stderr, "r = ");
+ mpn_out_str (stderr, 16, rp, m->size);
+ fprintf (stderr, " (bad)\n");
+ abort ();
+ }
+
/* Find a non-square */
for (z = 2; mpz_ui_kronecker (z, p) != -1; z++)
;
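Review bot: The two added fprintf calls print the same field `m->bit_size` with different conversions, `%d` in the "returned failure" message and `%u` in the "failed for zero input" message; use the one that matches the field's declared type (not visible here) in both. The same mismatch is repeated in the test_sqrt_ratio hunk below. The ChangeLog entry of this commit attributes both new checks to test_sqrt_ratio, although this one is added to test_sqrt. Zero is supplied only as all-zero limbs, so if `m->sqrt` is meant to accept unreduced input, a second case with the input equal to the modulus would cover the other representation of zero. test_sqrt begins and continues outside the hunk.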
@@ -176,6 +195,27 @@ test_sqrt_ratio (gmp_randstate_t rands, const struct ecc_modulo *m)
rp = xalloc_limbs (2*m->size);
scratch = xalloc_limbs (m->sqrt_ratio_itch);
+ /* Check behaviour for zero input */
+ mpn_zero (up, m->size);
+ mpn_zero (vp, m->size);
+ vp[0] = 1;
+ memset (rp, 17, m->size * sizeof(*rp));
+ if (!m->sqrt_ratio (m, rp, up, vp, scratch))
+ {
+ fprintf (stderr, "m->sqrt_ratio returned failure for zero input, bit_size = %d\n",
+ m->bit_size);
+ abort();
+ }
+ if (!ecc_mod_zero_p (m, rp))
+ {
+ fprintf (stderr, "m->sqrt_ratio failed for zero input (bit size %u):\n",
+ m->bit_size);
+ fprintf (stderr, "r = ");
+ mpn_out_str (stderr, 16, rp, m->size);
+ fprintf (stderr, " (bad)\n");
+ abort ();
+ }
+
/* Find a non-square */
for (z = 2; mpz_ui_kronecker (z, p) != -1; z++)
;
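Review bot: The added check pins u = 0 with v = 1 only, so a zero denominator (`vp` all zero, with `up` zero or non-zero) is not exercised in the visible part of test_sqrt_ratio. Nothing on this page states what `m->sqrt_ratio` must return for that input, so the first step is a comment next to this block documenting the intended result for v = 0, followed by a check built the same way as this one. The function continues outside the hunk, so such a case may already exist further down.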