Add proper allocation of restart context

We'll need to store MPIs and other things that allocate memory in this
context, so we need a place to free it. We can't rely on doing it before
returning from ecp_mul() as we might return MBEDTLS_ERR_ECP_IN_PROGRESS (thus
preserving the context) and never be called again (for example, TLS handshake
aborted for another reason). So, ecp_group_free() looks like a good place to
do this, if the restart context is part of struct ecp_group.

This means it's not possible to use the same ecp_group structure in different
threads concurrently, but:
- that's already the case (and documented) for other reasons
- this feature is precisely intended for environments that lack threading

An alternative option would be for the caller to have to allocate/free the
restart context and pass it explicitly, but this means creating new functions
that take a context argument, and putting a burden on the user.

include/mbedtls/ecp.h

@@ -112,6 +112,16 @@ typedef struct
 }
 mbedtls_ecp_point;
 
+#if defined(MBEDTLS_ECP_EARLY_RETURN)
+/**
+ * \brief           ECP context for resuming operations after returning
+ *                  \c MBEDTLS_ERR_ECP_IN_PROGRESS
+ *
+ * \note            Opaque struct
+ */
+typedef struct mbedtls_ecp_restart mbedtls_ecp_restart_ctx;
+#endif
+
 /**
  * \brief           ECP group structure
  *
@@ -153,6 +163,9 @@ typedef struct
     void *t_data;                       /*!< unused                         */
     mbedtls_ecp_point *T;       /*!<  pre-computed points for ecp_mul_comb()        */
     size_t T_size;      /*!<  number for pre-computed points                */
+#if defined(MBEDTLS_ECP_EARLY_RETURN)
+    mbedtls_ecp_restart_ctx *rs;        /*!<  context for resuming operation */
+#endif
 }
 mbedtls_ecp_group;