• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1/* BEGIN_HEADER */
2#include "mbedtls/ecp.h"
3
4#include "ecp_invasive.h"
5
6#if defined(MBEDTLS_TEST_HOOKS) &&                  \
7    ( defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||  \
8      defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||  \
9      defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) )
10#define HAVE_FIX_NEGATIVE
11#endif
12
13#define ECP_PF_UNKNOWN     -1
14
15#define ECP_PT_RESET( x )           \
16    mbedtls_ecp_point_free( x );    \
17    mbedtls_ecp_point_init( x );
18
19/* END_HEADER */
20
21/* BEGIN_DEPENDENCIES
22 * depends_on:MBEDTLS_ECP_C
23 * END_DEPENDENCIES
24 */
25
26/* BEGIN_CASE depends_on:NOT_DEFINED */
27void ecp_invalid_param( )
28{
29    mbedtls_ecp_group grp;
30    mbedtls_ecp_point P;
31    int invalid_fmt = 42;
32    size_t olen;
33    unsigned char buf[42] = { 0 };
34
35    TEST_EQUAL( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
36                            mbedtls_ecp_point_write_binary( &grp, &P,
37                                                      invalid_fmt,
38                                                      &olen,
39                                                      buf, sizeof( buf ) ) );
40    TEST_EQUAL( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
41                            mbedtls_ecp_tls_write_point( &grp, &P,
42                                                     invalid_fmt,
43                                                     &olen,
44                                                     buf,
45                                                     sizeof( buf ) ) );
46
47exit:
48    return;
49}
50/* END_CASE */
51
52/* BEGIN_CASE */
53void mbedtls_ecp_curve_info( int id, int tls_id, int size, char * name )
54{
55    const mbedtls_ecp_curve_info *by_id, *by_tls, *by_name;
56
57    by_id   = mbedtls_ecp_curve_info_from_grp_id( id     );
58    by_tls  = mbedtls_ecp_curve_info_from_tls_id( tls_id );
59    by_name = mbedtls_ecp_curve_info_from_name(   name   );
60    TEST_ASSERT( by_id   != NULL );
61    TEST_ASSERT( by_tls  != NULL );
62    TEST_ASSERT( by_name != NULL );
63
64    TEST_ASSERT( by_id == by_tls  );
65    TEST_ASSERT( by_id == by_name );
66
67    TEST_ASSERT( by_id->bit_size == size );
68    TEST_ASSERT( size <= MBEDTLS_ECP_MAX_BITS );
69    TEST_ASSERT( size <= MBEDTLS_ECP_MAX_BYTES * 8 );
70}
71/* END_CASE */
72
73/* BEGIN_CASE */
74void ecp_check_pub( int grp_id, char * x_hex, char * y_hex, char * z_hex,
75                    int ret )
76{
77    mbedtls_ecp_group grp;
78    mbedtls_ecp_point P;
79
80    mbedtls_ecp_group_init( &grp );
81    mbedtls_ecp_point_init( &P );
82
83    TEST_ASSERT( mbedtls_ecp_group_load( &grp, grp_id ) == 0 );
84
85    TEST_ASSERT( mbedtls_test_read_mpi( &P.X, 16, x_hex ) == 0 );
86    TEST_ASSERT( mbedtls_test_read_mpi( &P.Y, 16, y_hex ) == 0 );
87    TEST_ASSERT( mbedtls_test_read_mpi( &P.Z, 16, z_hex ) == 0 );
88
89    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &P ) == ret );
90
91exit:
92    mbedtls_ecp_group_free( &grp );
93    mbedtls_ecp_point_free( &P );
94}
95/* END_CASE */
96
97/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
98void ecp_test_vect_restart( int id,
99                            char *dA_str, char *xA_str, char *yA_str,
100                            char *dB_str,  char *xZ_str, char *yZ_str,
101                            int max_ops, int min_restarts, int max_restarts )
102{
103    /*
104     * Test for early restart. Based on test vectors like ecp_test_vect(),
105     * but for the sake of simplicity only does half of each side. It's
106     * important to test both base point and random point, though, as memory
107     * management is different in each case.
108     *
109     * Don't try using too precise bounds for restarts as the exact number
110     * will depend on settings such as MBEDTLS_ECP_FIXED_POINT_OPTIM and
111     * MBEDTLS_ECP_WINDOW_SIZE, as well as implementation details that may
112     * change in the future. A factor 2 is a minimum safety margin.
113     *
114     * For reference, with mbed TLS 2.4 and default settings, for P-256:
115     * - Random point mult:     ~3250M
116     * - Cold base point mult:  ~3300M
117     * - Hot base point mult:   ~1100M
118     * With MBEDTLS_ECP_WINDOW_SIZE set to 2 (minimum):
119     * - Random point mult:     ~3850M
120     */
121    mbedtls_ecp_restart_ctx ctx;
122    mbedtls_ecp_group grp;
123    mbedtls_ecp_point R, P;
124    mbedtls_mpi dA, xA, yA, dB, xZ, yZ;
125    int cnt_restarts;
126    int ret;
127    mbedtls_test_rnd_pseudo_info rnd_info;
128
129    mbedtls_ecp_restart_init( &ctx );
130    mbedtls_ecp_group_init( &grp );
131    mbedtls_ecp_point_init( &R ); mbedtls_ecp_point_init( &P );
132    mbedtls_mpi_init( &dA ); mbedtls_mpi_init( &xA ); mbedtls_mpi_init( &yA );
133    mbedtls_mpi_init( &dB ); mbedtls_mpi_init( &xZ ); mbedtls_mpi_init( &yZ );
134    memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
135
136    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
137
138    TEST_ASSERT( mbedtls_test_read_mpi( &dA, 16, dA_str ) == 0 );
139    TEST_ASSERT( mbedtls_test_read_mpi( &xA, 16, xA_str ) == 0 );
140    TEST_ASSERT( mbedtls_test_read_mpi( &yA, 16, yA_str ) == 0 );
141
142    TEST_ASSERT( mbedtls_test_read_mpi( &dB, 16, dB_str ) == 0 );
143    TEST_ASSERT( mbedtls_test_read_mpi( &xZ, 16, xZ_str ) == 0 );
144    TEST_ASSERT( mbedtls_test_read_mpi( &yZ, 16, yZ_str ) == 0 );
145
146    mbedtls_ecp_set_max_ops( (unsigned) max_ops );
147
148    /* Base point case */
149    cnt_restarts = 0;
150    do {
151        ECP_PT_RESET( &R );
152        ret = mbedtls_ecp_mul_restartable( &grp, &R, &dA, &grp.G,
153                &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx );
154    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts );
155
156    TEST_ASSERT( ret == 0 );
157    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xA ) == 0 );
158    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yA ) == 0 );
159
160    TEST_ASSERT( cnt_restarts >= min_restarts );
161    TEST_ASSERT( cnt_restarts <= max_restarts );
162
163    /* Non-base point case */
164    mbedtls_ecp_copy( &P, &R );
165    cnt_restarts = 0;
166    do {
167        ECP_PT_RESET( &R );
168        ret = mbedtls_ecp_mul_restartable( &grp, &R, &dB, &P,
169                &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx );
170    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts );
171
172    TEST_ASSERT( ret == 0 );
173    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xZ ) == 0 );
174    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yZ ) == 0 );
175
176    TEST_ASSERT( cnt_restarts >= min_restarts );
177    TEST_ASSERT( cnt_restarts <= max_restarts );
178
179    /* Do we leak memory when aborting an operation?
180     * This test only makes sense when we actually restart */
181    if( min_restarts > 0 )
182    {
183        ret = mbedtls_ecp_mul_restartable( &grp, &R, &dB, &P,
184                &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx );
185        TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
186    }
187
188exit:
189    mbedtls_ecp_restart_free( &ctx );
190    mbedtls_ecp_group_free( &grp );
191    mbedtls_ecp_point_free( &R ); mbedtls_ecp_point_free( &P );
192    mbedtls_mpi_free( &dA ); mbedtls_mpi_free( &xA ); mbedtls_mpi_free( &yA );
193    mbedtls_mpi_free( &dB ); mbedtls_mpi_free( &xZ ); mbedtls_mpi_free( &yZ );
194}
195/* END_CASE */
196
197/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
198void ecp_muladd_restart( int id, char *xR_str, char *yR_str,
199                         char *u1_str, char *u2_str,
200                         char *xQ_str, char *yQ_str,
201                         int max_ops, int min_restarts, int max_restarts )
202{
203    /*
204     * Compute R = u1 * G + u2 * Q
205     * (test vectors mostly taken from ECDSA intermediate results)
206     *
207     * See comments at the top of ecp_test_vect_restart()
208     */
209    mbedtls_ecp_restart_ctx ctx;
210    mbedtls_ecp_group grp;
211    mbedtls_ecp_point R, Q;
212    mbedtls_mpi u1, u2, xR, yR;
213    int cnt_restarts;
214    int ret;
215
216    mbedtls_ecp_restart_init( &ctx );
217    mbedtls_ecp_group_init( &grp );
218    mbedtls_ecp_point_init( &R );
219    mbedtls_ecp_point_init( &Q );
220    mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 );
221    mbedtls_mpi_init( &xR ); mbedtls_mpi_init( &yR );
222
223    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
224
225    TEST_ASSERT( mbedtls_test_read_mpi( &u1, 16, u1_str ) == 0 );
226    TEST_ASSERT( mbedtls_test_read_mpi( &u2, 16, u2_str ) == 0 );
227    TEST_ASSERT( mbedtls_test_read_mpi( &xR, 16, xR_str ) == 0 );
228    TEST_ASSERT( mbedtls_test_read_mpi( &yR, 16, yR_str ) == 0 );
229
230    TEST_ASSERT( mbedtls_test_read_mpi( &Q.X, 16, xQ_str ) == 0 );
231    TEST_ASSERT( mbedtls_test_read_mpi( &Q.Y, 16, yQ_str ) == 0 );
232    TEST_ASSERT( mbedtls_mpi_lset( &Q.Z, 1 ) == 0 );
233
234    mbedtls_ecp_set_max_ops( (unsigned) max_ops );
235
236    cnt_restarts = 0;
237    do {
238        ECP_PT_RESET( &R );
239        ret = mbedtls_ecp_muladd_restartable( &grp, &R,
240                                              &u1, &grp.G, &u2, &Q, &ctx );
241    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts );
242
243    TEST_ASSERT( ret == 0 );
244    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xR ) == 0 );
245    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yR ) == 0 );
246
247    TEST_ASSERT( cnt_restarts >= min_restarts );
248    TEST_ASSERT( cnt_restarts <= max_restarts );
249
250    /* Do we leak memory when aborting an operation?
251     * This test only makes sense when we actually restart */
252    if( min_restarts > 0 )
253    {
254        ret = mbedtls_ecp_muladd_restartable( &grp, &R,
255                                              &u1, &grp.G, &u2, &Q, &ctx );
256        TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
257    }
258
259exit:
260    mbedtls_ecp_restart_free( &ctx );
261    mbedtls_ecp_group_free( &grp );
262    mbedtls_ecp_point_free( &R );
263    mbedtls_ecp_point_free( &Q );
264    mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 );
265    mbedtls_mpi_free( &xR ); mbedtls_mpi_free( &yR );
266}
267/* END_CASE */
268
269/* BEGIN_CASE */
270void ecp_test_vect( int id, char * dA_str, char * xA_str, char * yA_str,
271                    char * dB_str, char * xB_str, char * yB_str,
272                    char * xZ_str, char * yZ_str )
273{
274    mbedtls_ecp_group grp;
275    mbedtls_ecp_point R;
276    mbedtls_mpi dA, xA, yA, dB, xB, yB, xZ, yZ;
277    mbedtls_test_rnd_pseudo_info rnd_info;
278
279    mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &R );
280    mbedtls_mpi_init( &dA ); mbedtls_mpi_init( &xA ); mbedtls_mpi_init( &yA ); mbedtls_mpi_init( &dB );
281    mbedtls_mpi_init( &xB ); mbedtls_mpi_init( &yB ); mbedtls_mpi_init( &xZ ); mbedtls_mpi_init( &yZ );
282    memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
283
284    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
285
286    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &grp.G ) == 0 );
287
288    TEST_ASSERT( mbedtls_test_read_mpi( &dA, 16, dA_str ) == 0 );
289    TEST_ASSERT( mbedtls_test_read_mpi( &xA, 16, xA_str ) == 0 );
290    TEST_ASSERT( mbedtls_test_read_mpi( &yA, 16, yA_str ) == 0 );
291    TEST_ASSERT( mbedtls_test_read_mpi( &dB, 16, dB_str ) == 0 );
292    TEST_ASSERT( mbedtls_test_read_mpi( &xB, 16, xB_str ) == 0 );
293    TEST_ASSERT( mbedtls_test_read_mpi( &yB, 16, yB_str ) == 0 );
294    TEST_ASSERT( mbedtls_test_read_mpi( &xZ, 16, xZ_str ) == 0 );
295    TEST_ASSERT( mbedtls_test_read_mpi( &yZ, 16, yZ_str ) == 0 );
296
297    TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dA, &grp.G,
298                          &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 );
299    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xA ) == 0 );
300    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yA ) == 0 );
301    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 );
302    TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dB, &R,
303                          &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 );
304    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xZ ) == 0 );
305    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yZ ) == 0 );
306    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 );
307
308    TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dB, &grp.G,
309                          &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 );
310    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xB ) == 0 );
311    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yB ) == 0 );
312    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 );
313    TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dA, &R,
314                          &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 );
315    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xZ ) == 0 );
316    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yZ ) == 0 );
317    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 );
318
319exit:
320    mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &R );
321    mbedtls_mpi_free( &dA ); mbedtls_mpi_free( &xA ); mbedtls_mpi_free( &yA ); mbedtls_mpi_free( &dB );
322    mbedtls_mpi_free( &xB ); mbedtls_mpi_free( &yB ); mbedtls_mpi_free( &xZ ); mbedtls_mpi_free( &yZ );
323}
324/* END_CASE */
325
326/* BEGIN_CASE */
327void ecp_test_vec_x( int id, char * dA_hex, char * xA_hex, char * dB_hex,
328                     char * xB_hex, char * xS_hex )
329{
330    mbedtls_ecp_group grp;
331    mbedtls_ecp_point R;
332    mbedtls_mpi dA, xA, dB, xB, xS;
333    mbedtls_test_rnd_pseudo_info rnd_info;
334
335    mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &R );
336    mbedtls_mpi_init( &dA ); mbedtls_mpi_init( &xA );
337    mbedtls_mpi_init( &dB ); mbedtls_mpi_init( &xB );
338    mbedtls_mpi_init( &xS );
339    memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
340
341    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
342
343    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &grp.G ) == 0 );
344
345    TEST_ASSERT( mbedtls_test_read_mpi( &dA, 16, dA_hex ) == 0 );
346    TEST_ASSERT( mbedtls_test_read_mpi( &dB, 16, dB_hex ) == 0 );
347    TEST_ASSERT( mbedtls_test_read_mpi( &xA, 16, xA_hex ) == 0 );
348    TEST_ASSERT( mbedtls_test_read_mpi( &xB, 16, xB_hex ) == 0 );
349    TEST_ASSERT( mbedtls_test_read_mpi( &xS, 16, xS_hex ) == 0 );
350
351    TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dA, &grp.G,
352                          &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 );
353    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 );
354    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xA ) == 0 );
355
356    TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dB, &R,
357                          &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 );
358    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 );
359    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xS ) == 0 );
360
361    TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dB, &grp.G,
362                          &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 );
363    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 );
364    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xB ) == 0 );
365
366    TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dA, &R,
367                          &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 );
368    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 );
369    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xS ) == 0 );
370
371exit:
372    mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &R );
373    mbedtls_mpi_free( &dA ); mbedtls_mpi_free( &xA );
374    mbedtls_mpi_free( &dB ); mbedtls_mpi_free( &xB );
375    mbedtls_mpi_free( &xS );
376}
377/* END_CASE */
378
379/* BEGIN_CASE */
380void ecp_test_mul( int id, data_t * n_hex,
381                   data_t *  Px_hex, data_t *  Py_hex, data_t *  Pz_hex,
382                   data_t * nPx_hex, data_t * nPy_hex, data_t * nPz_hex,
383                   int expected_ret )
384{
385    mbedtls_ecp_group grp;
386    mbedtls_ecp_point P, nP, R;
387    mbedtls_mpi n;
388    mbedtls_test_rnd_pseudo_info rnd_info;
389
390    mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &R );
391    mbedtls_ecp_point_init( &P ); mbedtls_ecp_point_init( &nP );
392    mbedtls_mpi_init( &n );
393    memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
394
395    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
396
397    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &grp.G ) == 0 );
398
399    TEST_ASSERT( mbedtls_mpi_read_binary( &n, n_hex->x, n_hex->len ) == 0 );
400
401    TEST_ASSERT( mbedtls_mpi_read_binary( &P.X, Px_hex->x, Px_hex->len ) == 0 );
402    TEST_ASSERT( mbedtls_mpi_read_binary( &P.Y, Py_hex->x, Py_hex->len ) == 0 );
403    TEST_ASSERT( mbedtls_mpi_read_binary( &P.Z, Pz_hex->x, Pz_hex->len ) == 0 );
404    TEST_ASSERT( mbedtls_mpi_read_binary( &nP.X, nPx_hex->x, nPx_hex->len )
405                 == 0 );
406    TEST_ASSERT( mbedtls_mpi_read_binary( &nP.Y, nPy_hex->x, nPy_hex->len )
407                 == 0 );
408    TEST_ASSERT( mbedtls_mpi_read_binary( &nP.Z, nPz_hex->x, nPz_hex->len )
409                 == 0 );
410
411    TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &n, &P,
412                                  &mbedtls_test_rnd_pseudo_rand, &rnd_info )
413                 == expected_ret );
414
415    if( expected_ret == 0 )
416    {
417        TEST_ASSERT( mbedtls_mpi_cmp_mpi( &nP.X, &R.X ) == 0 );
418        TEST_ASSERT( mbedtls_mpi_cmp_mpi( &nP.Y, &R.Y ) == 0 );
419        TEST_ASSERT( mbedtls_mpi_cmp_mpi( &nP.Z, &R.Z ) == 0 );
420    }
421
422exit:
423    mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &R );
424    mbedtls_ecp_point_free( &P ); mbedtls_ecp_point_free( &nP );
425    mbedtls_mpi_free( &n );
426}
427/* END_CASE */
428
429/* BEGIN_CASE */
430void ecp_test_mul_rng( int id, data_t * d_hex)
431{
432    mbedtls_ecp_group grp;
433    mbedtls_mpi d;
434    mbedtls_ecp_point Q;
435
436    mbedtls_ecp_group_init( &grp ); mbedtls_mpi_init( &d );
437    mbedtls_ecp_point_init( &Q );
438
439    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
440
441    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &grp.G ) == 0 );
442
443    TEST_ASSERT( mbedtls_mpi_read_binary( &d, d_hex->x, d_hex->len ) == 0 );
444
445    TEST_ASSERT( mbedtls_ecp_mul( &grp, &Q, &d, &grp.G,
446                                  &mbedtls_test_rnd_zero_rand, NULL )
447                 == MBEDTLS_ERR_ECP_RANDOM_FAILED );
448
449exit:
450    mbedtls_ecp_group_free( &grp ); mbedtls_mpi_free( &d );
451    mbedtls_ecp_point_free( &Q );
452}
453/* END_CASE */
454
455/* BEGIN_CASE depends_on:MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
456void ecp_muladd( int id,
457                 data_t *u1_bin, data_t *P1_bin,
458                 data_t *u2_bin, data_t *P2_bin,
459                 data_t *expected_result )
460{
461    /* Compute R = u1 * P1 + u2 * P2 */
462    mbedtls_ecp_group grp;
463    mbedtls_ecp_point P1, P2, R;
464    mbedtls_mpi u1, u2;
465    uint8_t actual_result[MBEDTLS_ECP_MAX_PT_LEN];
466    size_t len;
467
468    mbedtls_ecp_group_init( &grp );
469    mbedtls_ecp_point_init( &P1 );
470    mbedtls_ecp_point_init( &P2 );
471    mbedtls_ecp_point_init( &R );
472    mbedtls_mpi_init( &u1 );
473    mbedtls_mpi_init( &u2 );
474
475    TEST_EQUAL( 0, mbedtls_ecp_group_load( &grp, id ) );
476    TEST_EQUAL( 0, mbedtls_mpi_read_binary( &u1, u1_bin->x, u1_bin->len ) );
477    TEST_EQUAL( 0, mbedtls_mpi_read_binary( &u2, u2_bin->x, u2_bin->len ) );
478    TEST_EQUAL( 0, mbedtls_ecp_point_read_binary( &grp, &P1,
479                                                  P1_bin->x, P1_bin->len ) );
480    TEST_EQUAL( 0, mbedtls_ecp_point_read_binary( &grp, &P2,
481                                                  P2_bin->x, P2_bin->len ) );
482
483    TEST_EQUAL( 0, mbedtls_ecp_muladd( &grp, &R, &u1, &P1, &u2, &P2 ) );
484    TEST_EQUAL( 0, mbedtls_ecp_point_write_binary(
485                    &grp, &R, MBEDTLS_ECP_PF_UNCOMPRESSED,
486                    &len, actual_result, sizeof( actual_result ) ) );
487    TEST_ASSERT( len <= MBEDTLS_ECP_MAX_PT_LEN );
488
489    ASSERT_COMPARE( expected_result->x, expected_result->len,
490                    actual_result, len );
491
492exit:
493    mbedtls_ecp_group_free( &grp );
494    mbedtls_ecp_point_free( &P1 );
495    mbedtls_ecp_point_free( &P2 );
496    mbedtls_ecp_point_free( &R );
497    mbedtls_mpi_free( &u1 );
498    mbedtls_mpi_free( &u2 );
499}
500/* END_CASE */
501
502/* BEGIN_CASE */
503void ecp_fast_mod( int id, char * N_str )
504{
505    mbedtls_ecp_group grp;
506    mbedtls_mpi N, R;
507
508    mbedtls_mpi_init( &N ); mbedtls_mpi_init( &R );
509    mbedtls_ecp_group_init( &grp );
510
511    TEST_ASSERT( mbedtls_test_read_mpi( &N, 16, N_str ) == 0 );
512    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
513    TEST_ASSERT( grp.modp != NULL );
514
515    /*
516     * Store correct result before we touch N
517     */
518    TEST_ASSERT( mbedtls_mpi_mod_mpi( &R, &N, &grp.P ) == 0 );
519
520    TEST_ASSERT( grp.modp( &N ) == 0 );
521    TEST_ASSERT( mbedtls_mpi_bitlen( &N ) <= grp.pbits + 3 );
522
523    /*
524     * Use mod rather than addition/subtraction in case previous test fails
525     */
526    TEST_ASSERT( mbedtls_mpi_mod_mpi( &N, &N, &grp.P ) == 0 );
527    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &N, &R ) == 0 );
528
529exit:
530    mbedtls_mpi_free( &N ); mbedtls_mpi_free( &R );
531    mbedtls_ecp_group_free( &grp );
532}
533/* END_CASE */
534
535/* BEGIN_CASE */
536void ecp_write_binary( int id, char * x, char * y, char * z, int format,
537                       data_t * out, int blen, int ret )
538{
539    mbedtls_ecp_group grp;
540    mbedtls_ecp_point P;
541    unsigned char buf[256];
542    size_t olen;
543
544    memset( buf, 0, sizeof( buf ) );
545
546    mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &P );
547
548    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
549
550    TEST_ASSERT( mbedtls_test_read_mpi( &P.X, 16, x ) == 0 );
551    TEST_ASSERT( mbedtls_test_read_mpi( &P.Y, 16, y ) == 0 );
552    TEST_ASSERT( mbedtls_test_read_mpi( &P.Z, 16, z ) == 0 );
553
554    TEST_ASSERT( mbedtls_ecp_point_write_binary( &grp, &P, format,
555                                   &olen, buf, blen ) == ret );
556
557    if( ret == 0 )
558    {
559        TEST_ASSERT( olen <= MBEDTLS_ECP_MAX_PT_LEN );
560        TEST_ASSERT( mbedtls_test_hexcmp( buf, out->x, olen, out->len ) == 0 );
561    }
562
563exit:
564    mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &P );
565}
566/* END_CASE */
567
568/* BEGIN_CASE */
569void ecp_read_binary( int id, data_t * buf, char * x, char * y, char * z,
570                      int ret )
571{
572    mbedtls_ecp_group grp;
573    mbedtls_ecp_point P;
574    mbedtls_mpi X, Y, Z;
575
576
577    mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &P );
578    mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
579
580    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
581
582    TEST_ASSERT( mbedtls_test_read_mpi( &X, 16, x ) == 0 );
583    TEST_ASSERT( mbedtls_test_read_mpi( &Y, 16, y ) == 0 );
584    TEST_ASSERT( mbedtls_test_read_mpi( &Z, 16, z ) == 0 );
585
586    TEST_ASSERT( mbedtls_ecp_point_read_binary( &grp, &P, buf->x, buf->len ) == ret );
587
588    if( ret == 0 )
589    {
590        TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.X, &X ) == 0 );
591        if( mbedtls_ecp_get_type( &grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY )
592        {
593            TEST_ASSERT( mbedtls_mpi_cmp_int( &Y, 0 ) == 0 );
594            TEST_ASSERT( P.Y.p == NULL );
595            TEST_ASSERT( mbedtls_mpi_cmp_int( &Z, 1 ) == 0 );
596            TEST_ASSERT( mbedtls_mpi_cmp_int( &P.Z, 1 ) == 0 );
597        }
598        else
599        {
600            TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.Y, &Y ) == 0 );
601            TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.Z, &Z ) == 0 );
602        }
603    }
604
605exit:
606    mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &P );
607    mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
608}
609/* END_CASE */
610
611/* BEGIN_CASE */
612void mbedtls_ecp_tls_read_point( int id, data_t * buf, char * x, char * y,
613                                 char * z, int ret )
614{
615    mbedtls_ecp_group grp;
616    mbedtls_ecp_point P;
617    mbedtls_mpi X, Y, Z;
618    const unsigned char *vbuf = buf->x;
619
620
621    mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &P );
622    mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
623
624    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
625
626    TEST_ASSERT( mbedtls_test_read_mpi( &X, 16, x ) == 0 );
627    TEST_ASSERT( mbedtls_test_read_mpi( &Y, 16, y ) == 0 );
628    TEST_ASSERT( mbedtls_test_read_mpi( &Z, 16, z ) == 0 );
629
630    TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &P, &vbuf, buf->len ) == ret );
631
632    if( ret == 0 )
633    {
634        TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.X, &X ) == 0 );
635        TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.Y, &Y ) == 0 );
636        TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.Z, &Z ) == 0 );
637        TEST_ASSERT( (uint32_t)( vbuf - buf->x ) == buf->len );
638    }
639
640exit:
641    mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &P );
642    mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
643}
644/* END_CASE */
645
646/* BEGIN_CASE */
647void ecp_tls_write_read_point( int id )
648{
649    mbedtls_ecp_group grp;
650    mbedtls_ecp_point pt;
651    unsigned char buf[256];
652    const unsigned char *vbuf;
653    size_t olen;
654
655    mbedtls_ecp_group_init( &grp );
656    mbedtls_ecp_point_init( &pt );
657
658    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
659
660    memset( buf, 0x00, sizeof( buf ) ); vbuf = buf;
661    TEST_ASSERT( mbedtls_ecp_tls_write_point( &grp, &grp.G,
662                    MBEDTLS_ECP_PF_COMPRESSED, &olen, buf, 256 ) == 0 );
663    TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &pt, &vbuf, olen )
664                 == MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
665    TEST_ASSERT( vbuf == buf + olen );
666
667    memset( buf, 0x00, sizeof( buf ) ); vbuf = buf;
668    TEST_ASSERT( mbedtls_ecp_tls_write_point( &grp, &grp.G,
669                    MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, buf, 256 ) == 0 );
670    TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &pt, &vbuf, olen ) == 0 );
671    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp.G.X, &pt.X ) == 0 );
672    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp.G.Y, &pt.Y ) == 0 );
673    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp.G.Z, &pt.Z ) == 0 );
674    TEST_ASSERT( vbuf == buf + olen );
675
676    memset( buf, 0x00, sizeof( buf ) ); vbuf = buf;
677    TEST_ASSERT( mbedtls_ecp_set_zero( &pt ) == 0 );
678    TEST_ASSERT( mbedtls_ecp_tls_write_point( &grp, &pt,
679                    MBEDTLS_ECP_PF_COMPRESSED, &olen, buf, 256 ) == 0 );
680    TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &pt, &vbuf, olen ) == 0 );
681    TEST_ASSERT( mbedtls_ecp_is_zero( &pt ) );
682    TEST_ASSERT( vbuf == buf + olen );
683
684    memset( buf, 0x00, sizeof( buf ) ); vbuf = buf;
685    TEST_ASSERT( mbedtls_ecp_set_zero( &pt ) == 0 );
686    TEST_ASSERT( mbedtls_ecp_tls_write_point( &grp, &pt,
687                    MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, buf, 256 ) == 0 );
688    TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &pt, &vbuf, olen ) == 0 );
689    TEST_ASSERT( mbedtls_ecp_is_zero( &pt ) );
690    TEST_ASSERT( vbuf == buf + olen );
691
692exit:
693    mbedtls_ecp_group_free( &grp );
694    mbedtls_ecp_point_free( &pt );
695}
696/* END_CASE */
697
698/* BEGIN_CASE */
699void mbedtls_ecp_tls_read_group( data_t * buf, int result, int bits,
700                                 int record_len )
701{
702    mbedtls_ecp_group grp;
703    const unsigned char *vbuf = buf->x;
704    int ret;
705
706    mbedtls_ecp_group_init( &grp );
707
708    ret = mbedtls_ecp_tls_read_group( &grp, &vbuf, buf->len );
709
710    TEST_ASSERT( ret == result );
711    if( ret == 0)
712    {
713        TEST_ASSERT( mbedtls_mpi_bitlen( &grp.P ) == (size_t) bits );
714        TEST_ASSERT( vbuf - buf->x ==  record_len);
715    }
716
717exit:
718    mbedtls_ecp_group_free( &grp );
719}
720/* END_CASE */
721
722/* BEGIN_CASE */
723void ecp_tls_write_read_group( int id )
724{
725    mbedtls_ecp_group grp1, grp2;
726    unsigned char buf[10];
727    const unsigned char *vbuf = buf;
728    size_t len;
729    int ret;
730
731    mbedtls_ecp_group_init( &grp1 );
732    mbedtls_ecp_group_init( &grp2 );
733    memset( buf, 0x00, sizeof( buf ) );
734
735    TEST_ASSERT( mbedtls_ecp_group_load( &grp1, id ) == 0 );
736
737    TEST_ASSERT( mbedtls_ecp_tls_write_group( &grp1, &len, buf, 10 ) == 0 );
738    ret = mbedtls_ecp_tls_read_group( &grp2, &vbuf, len );
739    TEST_ASSERT( ret == 0 );
740
741    if( ret == 0 )
742    {
743        TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp1.N, &grp2.N ) == 0 );
744        TEST_ASSERT( grp1.id == grp2.id );
745    }
746
747exit:
748    mbedtls_ecp_group_free( &grp1 );
749    mbedtls_ecp_group_free( &grp2 );
750}
751/* END_CASE */
752
753/* BEGIN_CASE */
754void mbedtls_ecp_check_privkey( int id, char * key_hex, int ret )
755{
756    mbedtls_ecp_group grp;
757    mbedtls_mpi d;
758
759    mbedtls_ecp_group_init( &grp );
760    mbedtls_mpi_init( &d );
761
762    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
763    TEST_ASSERT( mbedtls_test_read_mpi( &d, 16, key_hex ) == 0 );
764
765    TEST_ASSERT( mbedtls_ecp_check_privkey( &grp, &d ) == ret );
766
767exit:
768    mbedtls_ecp_group_free( &grp );
769    mbedtls_mpi_free( &d );
770}
771/* END_CASE */
772
773/* BEGIN_CASE */
774void mbedtls_ecp_check_pub_priv( int id_pub, char * Qx_pub, char * Qy_pub,
775                                 int id, char * d, char * Qx, char * Qy,
776                                 int ret )
777{
778    mbedtls_ecp_keypair pub, prv;
779    mbedtls_test_rnd_pseudo_info rnd_info;
780
781    mbedtls_ecp_keypair_init( &pub );
782    mbedtls_ecp_keypair_init( &prv );
783    memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
784
785    if( id_pub != MBEDTLS_ECP_DP_NONE )
786        TEST_ASSERT( mbedtls_ecp_group_load( &pub.grp, id_pub ) == 0 );
787    TEST_ASSERT( mbedtls_ecp_point_read_string( &pub.Q, 16, Qx_pub, Qy_pub ) == 0 );
788
789    if( id != MBEDTLS_ECP_DP_NONE )
790        TEST_ASSERT( mbedtls_ecp_group_load( &prv.grp, id ) == 0 );
791    TEST_ASSERT( mbedtls_ecp_point_read_string( &prv.Q, 16, Qx, Qy ) == 0 );
792    TEST_ASSERT( mbedtls_test_read_mpi( &prv.d, 16, d ) == 0 );
793
794    TEST_ASSERT( mbedtls_ecp_check_pub_priv( &pub, &prv,
795                          &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == ret );
796
797exit:
798    mbedtls_ecp_keypair_free( &pub );
799    mbedtls_ecp_keypair_free( &prv );
800}
801/* END_CASE */
802
803/* BEGIN_CASE */
804void mbedtls_ecp_gen_keypair( int id )
805{
806    mbedtls_ecp_group grp;
807    mbedtls_ecp_point Q;
808    mbedtls_mpi d;
809    mbedtls_test_rnd_pseudo_info rnd_info;
810
811    mbedtls_ecp_group_init( &grp );
812    mbedtls_ecp_point_init( &Q );
813    mbedtls_mpi_init( &d );
814    memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
815
816    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
817
818    TEST_ASSERT( mbedtls_ecp_gen_keypair( &grp, &d, &Q,
819                                          &mbedtls_test_rnd_pseudo_rand,
820                                          &rnd_info ) == 0 );
821
822    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &Q ) == 0 );
823    TEST_ASSERT( mbedtls_ecp_check_privkey( &grp, &d ) == 0 );
824
825exit:
826    mbedtls_ecp_group_free( &grp );
827    mbedtls_ecp_point_free( &Q );
828    mbedtls_mpi_free( &d );
829}
830/* END_CASE */
831
832/* BEGIN_CASE */
833void mbedtls_ecp_gen_key( int id )
834{
835    mbedtls_ecp_keypair key;
836    mbedtls_test_rnd_pseudo_info rnd_info;
837
838    mbedtls_ecp_keypair_init( &key );
839    memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) );
840
841    TEST_ASSERT( mbedtls_ecp_gen_key( id, &key,
842                                      &mbedtls_test_rnd_pseudo_rand,
843                                      &rnd_info ) == 0 );
844
845    TEST_ASSERT( mbedtls_ecp_check_pubkey( &key.grp, &key.Q ) == 0 );
846    TEST_ASSERT( mbedtls_ecp_check_privkey( &key.grp, &key.d ) == 0 );
847
848exit:
849    mbedtls_ecp_keypair_free( &key );
850}
851/* END_CASE */
852
853/* BEGIN_CASE */
854void mbedtls_ecp_read_key( int grp_id, data_t* in_key, int expected, int canonical )
855{
856    int ret = 0;
857    mbedtls_ecp_keypair key;
858    mbedtls_ecp_keypair key2;
859
860    mbedtls_ecp_keypair_init( &key );
861    mbedtls_ecp_keypair_init( &key2 );
862
863    ret = mbedtls_ecp_read_key( grp_id, &key, in_key->x, in_key->len );
864    TEST_ASSERT( ret == expected );
865
866    if( expected == 0 )
867    {
868        ret = mbedtls_ecp_check_privkey( &key.grp, &key.d );
869        TEST_ASSERT( ret == 0 );
870
871        if( canonical )
872        {
873            unsigned char buf[MBEDTLS_ECP_MAX_BYTES];
874
875            ret = mbedtls_ecp_write_key( &key, buf, in_key->len );
876            TEST_ASSERT( ret == 0 );
877
878            ASSERT_COMPARE( in_key->x, in_key->len,
879                            buf, in_key->len );
880        }
881        else
882        {
883            unsigned char export1[MBEDTLS_ECP_MAX_BYTES];
884            unsigned char export2[MBEDTLS_ECP_MAX_BYTES];
885
886            ret = mbedtls_ecp_write_key( &key, export1, in_key->len );
887            TEST_ASSERT( ret == 0 );
888
889            ret = mbedtls_ecp_read_key( grp_id, &key2, export1, in_key->len );
890            TEST_ASSERT( ret == expected );
891
892            ret = mbedtls_ecp_write_key( &key2, export2, in_key->len );
893            TEST_ASSERT( ret == 0 );
894
895            ASSERT_COMPARE( export1, in_key->len,
896                            export2, in_key->len );
897        }
898    }
899
900exit:
901    mbedtls_ecp_keypair_free( &key );
902    mbedtls_ecp_keypair_free( &key2 );
903}
904/* END_CASE */
905
906/* BEGIN_CASE depends_on:HAVE_FIX_NEGATIVE */
907void fix_negative( data_t *N_bin, int c, int bits )
908{
909    mbedtls_mpi C, M, N;
910
911    mbedtls_mpi_init( &C );
912    mbedtls_mpi_init( &M );
913    mbedtls_mpi_init( &N );
914
915    /* C = - c * 2^bits (positive since c is negative) */
916    TEST_EQUAL( 0, mbedtls_mpi_lset( &C, -c ) );
917    TEST_EQUAL( 0, mbedtls_mpi_shift_l( &C, bits ) );
918
919    TEST_EQUAL( 0, mbedtls_mpi_read_binary( &N, N_bin->x, N_bin->len ) );
920    TEST_EQUAL( 0, mbedtls_mpi_grow( &N, C.n ) );
921
922    /* M = N - C = - ( C - N ) (expected result of fix_negative) */
923    TEST_EQUAL( 0, mbedtls_mpi_sub_mpi( &M, &N, &C ) );
924
925    mbedtls_ecp_fix_negative( &N, c, bits );
926
927    TEST_EQUAL( 0, mbedtls_mpi_cmp_mpi( &N, &M ) );
928
929exit:
930    mbedtls_mpi_free( &C );
931    mbedtls_mpi_free( &M );
932    mbedtls_mpi_free( &N );
933}
934/* END_CASE */
935
936/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_MONTGOMERY_ENABLED */
937void genkey_mx_known_answer( int bits, data_t *seed, data_t *expected )
938{
939    mbedtls_test_rnd_buf_info rnd_info;
940    mbedtls_mpi d;
941    int ret;
942    uint8_t *actual = NULL;
943
944    mbedtls_mpi_init( &d );
945    rnd_info.buf = seed->x;
946    rnd_info.length = seed->len;
947    rnd_info.fallback_f_rng = NULL;
948    rnd_info.fallback_p_rng = NULL;
949
950    ASSERT_ALLOC( actual, expected->len );
951
952    ret = mbedtls_ecp_gen_privkey_mx( bits, &d,
953                                      mbedtls_test_rnd_buffer_rand, &rnd_info );
954
955    if( expected->len == 0 )
956    {
957        /* Expecting an error (happens if there isn't enough randomness) */
958        TEST_ASSERT( ret != 0 );
959    }
960    else
961    {
962        TEST_EQUAL( ret, 0 );
963        TEST_EQUAL( (size_t) bits + 1, mbedtls_mpi_bitlen( &d ) );
964        TEST_EQUAL( 0, mbedtls_mpi_write_binary( &d, actual, expected->len ) );
965        /* Test the exact result. This assumes that the output of the
966         * RNG is used in a specific way, which is overly constraining.
967         * The advantage is that it's easier to test the expected properties
968         * of the generated key:
969         * - The most significant bit must be at a specific positions
970         *   (can be enforced by checking the bit-length).
971         * - The least significant bits must have specific values
972         *   (can be enforced by checking these bits).
973         * - Other bits must be random (by testing with different RNG outputs,
974         *   we validate that those bits are indeed influenced by the RNG). */
975        ASSERT_COMPARE( expected->x, expected->len,
976                        actual, expected->len );
977    }
978
979exit:
980    mbedtls_free( actual );
981    mbedtls_mpi_free( &d );
982}
983/* END_CASE */
984
985/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
986void ecp_selftest(  )
987{
988    TEST_ASSERT( mbedtls_ecp_self_test( 1 ) == 0 );
989}
990/* END_CASE */
991