1/* BEGIN_HEADER */ 2#include "mbedtls/ecp.h" 3#include "mbedtls/ecdsa.h" 4#include "mbedtls/ecdh.h" 5 6#include "ecp_invasive.h" 7 8#if defined(MBEDTLS_TEST_HOOKS) && \ 9 ( defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ 10 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ 11 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) ) 12#define HAVE_FIX_NEGATIVE 13#endif 14 15#define ECP_PF_UNKNOWN -1 16 17#define ECP_PT_RESET( x ) \ 18 mbedtls_ecp_point_free( x ); \ 19 mbedtls_ecp_point_init( x ); 20 21/* Auxiliary function to compare two mbedtls_ecp_group objects. */ 22inline static int mbedtls_ecp_group_cmp( mbedtls_ecp_group *grp1, 23 mbedtls_ecp_group *grp2 ) 24{ 25 if( mbedtls_mpi_cmp_mpi( &grp1->P, &grp2->P ) != 0 ) 26 return 1; 27 if( mbedtls_mpi_cmp_mpi( &grp1->A, &grp2->A ) != 0 ) 28 return 1; 29 if( mbedtls_mpi_cmp_mpi( &grp1->B, &grp2->B ) != 0 ) 30 return 1; 31 if( mbedtls_mpi_cmp_mpi( &grp1->N, &grp2->N ) != 0 ) 32 return 1; 33 if( mbedtls_ecp_point_cmp( &grp1->G, &grp2->G ) != 0 ) 34 return 1; 35 if( grp1->id != grp2->id ) 36 return 1; 37 if( grp1->pbits != grp2->pbits ) 38 return 1; 39 if( grp1->nbits != grp2->nbits ) 40 return 1; 41 if( grp1->h != grp2->h ) 42 return 1; 43 if( grp1->modp != grp2->modp ) 44 return 1; 45 if( grp1->t_pre != grp2->t_pre ) 46 return 1; 47 if( grp1->t_post != grp2->t_post ) 48 return 1; 49 if( grp1->t_data != grp2->t_data ) 50 return 1; 51 if( grp1->T_size != grp2->T_size ) 52 return 1; 53 if( grp1->T != grp2->T ) 54 return 1; 55 56 return 0; 57} 58 59/* END_HEADER */ 60 61/* BEGIN_DEPENDENCIES 62 * depends_on:MBEDTLS_ECP_C 63 * END_DEPENDENCIES 64 */ 65 66/* BEGIN_CASE */ 67void ecp_invalid_param( ) 68{ 69 mbedtls_ecp_group grp; 70 mbedtls_ecp_point P; 71 int invalid_fmt = 42; 72 size_t olen; 73 unsigned char buf[42] = { 0 }; 74 75 mbedtls_ecp_group_init( &grp ); 76 mbedtls_ecp_point_init( &P ); 77 78 TEST_EQUAL( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 79 mbedtls_ecp_point_write_binary( &grp, &P, 80 invalid_fmt, 81 &olen, 82 buf, sizeof( buf ) ) ); 83 TEST_EQUAL( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 84 mbedtls_ecp_tls_write_point( &grp, &P, 85 invalid_fmt, 86 &olen, 87 buf, 88 sizeof( buf ) ) ); 89 90exit: 91 return; 92} 93/* END_CASE */ 94 95/* BEGIN_CASE */ 96void mbedtls_ecp_curve_info( int id, int tls_id, int size, char * name ) 97{ 98 const mbedtls_ecp_curve_info *by_id, *by_tls, *by_name; 99 100 by_id = mbedtls_ecp_curve_info_from_grp_id( id ); 101 by_tls = mbedtls_ecp_curve_info_from_tls_id( tls_id ); 102 by_name = mbedtls_ecp_curve_info_from_name( name ); 103 TEST_ASSERT( by_id != NULL ); 104 TEST_ASSERT( by_tls != NULL ); 105 TEST_ASSERT( by_name != NULL ); 106 107 TEST_ASSERT( by_id == by_tls ); 108 TEST_ASSERT( by_id == by_name ); 109 110 TEST_ASSERT( by_id->bit_size == size ); 111 TEST_ASSERT( size <= MBEDTLS_ECP_MAX_BITS ); 112 TEST_ASSERT( size <= MBEDTLS_ECP_MAX_BYTES * 8 ); 113} 114/* END_CASE */ 115 116/* BEGIN_CASE */ 117void ecp_check_pub( int grp_id, char * x_hex, char * y_hex, char * z_hex, 118 int ret ) 119{ 120 mbedtls_ecp_group grp; 121 mbedtls_ecp_point P; 122 123 mbedtls_ecp_group_init( &grp ); 124 mbedtls_ecp_point_init( &P ); 125 126 TEST_ASSERT( mbedtls_ecp_group_load( &grp, grp_id ) == 0 ); 127 128 TEST_ASSERT( mbedtls_test_read_mpi( &P.X, x_hex ) == 0 ); 129 TEST_ASSERT( mbedtls_test_read_mpi( &P.Y, y_hex ) == 0 ); 130 TEST_ASSERT( mbedtls_test_read_mpi( &P.Z, z_hex ) == 0 ); 131 132 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &P ) == ret ); 133 134exit: 135 mbedtls_ecp_group_free( &grp ); 136 mbedtls_ecp_point_free( &P ); 137} 138/* END_CASE */ 139 140/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 141void ecp_test_vect_restart( int id, 142 char *dA_str, char *xA_str, char *yA_str, 143 char *dB_str, char *xZ_str, char *yZ_str, 144 int max_ops, int min_restarts, int max_restarts ) 145{ 146 /* 147 * Test for early restart. Based on test vectors like ecp_test_vect(), 148 * but for the sake of simplicity only does half of each side. It's 149 * important to test both base point and random point, though, as memory 150 * management is different in each case. 151 * 152 * Don't try using too precise bounds for restarts as the exact number 153 * will depend on settings such as MBEDTLS_ECP_FIXED_POINT_OPTIM and 154 * MBEDTLS_ECP_WINDOW_SIZE, as well as implementation details that may 155 * change in the future. A factor 2 is a minimum safety margin. 156 * 157 * For reference, with mbed TLS 2.4 and default settings, for P-256: 158 * - Random point mult: ~3250M 159 * - Cold base point mult: ~3300M 160 * - Hot base point mult: ~1100M 161 * With MBEDTLS_ECP_WINDOW_SIZE set to 2 (minimum): 162 * - Random point mult: ~3850M 163 */ 164 mbedtls_ecp_restart_ctx ctx; 165 mbedtls_ecp_group grp; 166 mbedtls_ecp_point R, P; 167 mbedtls_mpi dA, xA, yA, dB, xZ, yZ; 168 int cnt_restarts; 169 int ret; 170 mbedtls_test_rnd_pseudo_info rnd_info; 171 172 mbedtls_ecp_restart_init( &ctx ); 173 mbedtls_ecp_group_init( &grp ); 174 mbedtls_ecp_point_init( &R ); mbedtls_ecp_point_init( &P ); 175 mbedtls_mpi_init( &dA ); mbedtls_mpi_init( &xA ); mbedtls_mpi_init( &yA ); 176 mbedtls_mpi_init( &dB ); mbedtls_mpi_init( &xZ ); mbedtls_mpi_init( &yZ ); 177 memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) ); 178 179 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 180 181 TEST_ASSERT( mbedtls_test_read_mpi( &dA, dA_str ) == 0 ); 182 TEST_ASSERT( mbedtls_test_read_mpi( &xA, xA_str ) == 0 ); 183 TEST_ASSERT( mbedtls_test_read_mpi( &yA, yA_str ) == 0 ); 184 185 TEST_ASSERT( mbedtls_test_read_mpi( &dB, dB_str ) == 0 ); 186 TEST_ASSERT( mbedtls_test_read_mpi( &xZ, xZ_str ) == 0 ); 187 TEST_ASSERT( mbedtls_test_read_mpi( &yZ, yZ_str ) == 0 ); 188 189 mbedtls_ecp_set_max_ops( (unsigned) max_ops ); 190 191 /* Base point case */ 192 cnt_restarts = 0; 193 do { 194 ECP_PT_RESET( &R ); 195 ret = mbedtls_ecp_mul_restartable( &grp, &R, &dA, &grp.G, 196 &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx ); 197 } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts ); 198 199 TEST_ASSERT( ret == 0 ); 200 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xA ) == 0 ); 201 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yA ) == 0 ); 202 203 TEST_ASSERT( cnt_restarts >= min_restarts ); 204 TEST_ASSERT( cnt_restarts <= max_restarts ); 205 206 /* Non-base point case */ 207 mbedtls_ecp_copy( &P, &R ); 208 cnt_restarts = 0; 209 do { 210 ECP_PT_RESET( &R ); 211 ret = mbedtls_ecp_mul_restartable( &grp, &R, &dB, &P, 212 &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx ); 213 } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts ); 214 215 TEST_ASSERT( ret == 0 ); 216 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xZ ) == 0 ); 217 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yZ ) == 0 ); 218 219 TEST_ASSERT( cnt_restarts >= min_restarts ); 220 TEST_ASSERT( cnt_restarts <= max_restarts ); 221 222 /* Do we leak memory when aborting an operation? 223 * This test only makes sense when we actually restart */ 224 if( min_restarts > 0 ) 225 { 226 ret = mbedtls_ecp_mul_restartable( &grp, &R, &dB, &P, 227 &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx ); 228 TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ); 229 } 230 231exit: 232 mbedtls_ecp_restart_free( &ctx ); 233 mbedtls_ecp_group_free( &grp ); 234 mbedtls_ecp_point_free( &R ); mbedtls_ecp_point_free( &P ); 235 mbedtls_mpi_free( &dA ); mbedtls_mpi_free( &xA ); mbedtls_mpi_free( &yA ); 236 mbedtls_mpi_free( &dB ); mbedtls_mpi_free( &xZ ); mbedtls_mpi_free( &yZ ); 237} 238/* END_CASE */ 239 240/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 241void ecp_muladd_restart( int id, char *xR_str, char *yR_str, 242 char *u1_str, char *u2_str, 243 char *xQ_str, char *yQ_str, 244 int max_ops, int min_restarts, int max_restarts ) 245{ 246 /* 247 * Compute R = u1 * G + u2 * Q 248 * (test vectors mostly taken from ECDSA intermediate results) 249 * 250 * See comments at the top of ecp_test_vect_restart() 251 */ 252 mbedtls_ecp_restart_ctx ctx; 253 mbedtls_ecp_group grp; 254 mbedtls_ecp_point R, Q; 255 mbedtls_mpi u1, u2, xR, yR; 256 int cnt_restarts; 257 int ret; 258 259 mbedtls_ecp_restart_init( &ctx ); 260 mbedtls_ecp_group_init( &grp ); 261 mbedtls_ecp_point_init( &R ); 262 mbedtls_ecp_point_init( &Q ); 263 mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 ); 264 mbedtls_mpi_init( &xR ); mbedtls_mpi_init( &yR ); 265 266 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 267 268 TEST_ASSERT( mbedtls_test_read_mpi( &u1, u1_str ) == 0 ); 269 TEST_ASSERT( mbedtls_test_read_mpi( &u2, u2_str ) == 0 ); 270 TEST_ASSERT( mbedtls_test_read_mpi( &xR, xR_str ) == 0 ); 271 TEST_ASSERT( mbedtls_test_read_mpi( &yR, yR_str ) == 0 ); 272 273 TEST_ASSERT( mbedtls_test_read_mpi( &Q.X, xQ_str ) == 0 ); 274 TEST_ASSERT( mbedtls_test_read_mpi( &Q.Y, yQ_str ) == 0 ); 275 TEST_ASSERT( mbedtls_mpi_lset( &Q.Z, 1 ) == 0 ); 276 277 mbedtls_ecp_set_max_ops( (unsigned) max_ops ); 278 279 cnt_restarts = 0; 280 do { 281 ECP_PT_RESET( &R ); 282 ret = mbedtls_ecp_muladd_restartable( &grp, &R, 283 &u1, &grp.G, &u2, &Q, &ctx ); 284 } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts ); 285 286 TEST_ASSERT( ret == 0 ); 287 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xR ) == 0 ); 288 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yR ) == 0 ); 289 290 TEST_ASSERT( cnt_restarts >= min_restarts ); 291 TEST_ASSERT( cnt_restarts <= max_restarts ); 292 293 /* Do we leak memory when aborting an operation? 294 * This test only makes sense when we actually restart */ 295 if( min_restarts > 0 ) 296 { 297 ret = mbedtls_ecp_muladd_restartable( &grp, &R, 298 &u1, &grp.G, &u2, &Q, &ctx ); 299 TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ); 300 } 301 302exit: 303 mbedtls_ecp_restart_free( &ctx ); 304 mbedtls_ecp_group_free( &grp ); 305 mbedtls_ecp_point_free( &R ); 306 mbedtls_ecp_point_free( &Q ); 307 mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 ); 308 mbedtls_mpi_free( &xR ); mbedtls_mpi_free( &yR ); 309} 310/* END_CASE */ 311 312/* BEGIN_CASE */ 313void ecp_test_vect( int id, char * dA_str, char * xA_str, char * yA_str, 314 char * dB_str, char * xB_str, char * yB_str, 315 char * xZ_str, char * yZ_str ) 316{ 317 mbedtls_ecp_group grp; 318 mbedtls_ecp_point R; 319 mbedtls_mpi dA, xA, yA, dB, xB, yB, xZ, yZ; 320 mbedtls_test_rnd_pseudo_info rnd_info; 321 322 mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &R ); 323 mbedtls_mpi_init( &dA ); mbedtls_mpi_init( &xA ); mbedtls_mpi_init( &yA ); mbedtls_mpi_init( &dB ); 324 mbedtls_mpi_init( &xB ); mbedtls_mpi_init( &yB ); mbedtls_mpi_init( &xZ ); mbedtls_mpi_init( &yZ ); 325 memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) ); 326 327 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 328 329 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &grp.G ) == 0 ); 330 331 TEST_ASSERT( mbedtls_test_read_mpi( &dA, dA_str ) == 0 ); 332 TEST_ASSERT( mbedtls_test_read_mpi( &xA, xA_str ) == 0 ); 333 TEST_ASSERT( mbedtls_test_read_mpi( &yA, yA_str ) == 0 ); 334 TEST_ASSERT( mbedtls_test_read_mpi( &dB, dB_str ) == 0 ); 335 TEST_ASSERT( mbedtls_test_read_mpi( &xB, xB_str ) == 0 ); 336 TEST_ASSERT( mbedtls_test_read_mpi( &yB, yB_str ) == 0 ); 337 TEST_ASSERT( mbedtls_test_read_mpi( &xZ, xZ_str ) == 0 ); 338 TEST_ASSERT( mbedtls_test_read_mpi( &yZ, yZ_str ) == 0 ); 339 340 TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dA, &grp.G, 341 &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 ); 342 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xA ) == 0 ); 343 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yA ) == 0 ); 344 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 ); 345 TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dB, &R, 346 &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 ); 347 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xZ ) == 0 ); 348 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yZ ) == 0 ); 349 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 ); 350 351 TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dB, &grp.G, 352 &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 ); 353 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xB ) == 0 ); 354 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yB ) == 0 ); 355 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 ); 356 TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dA, &R, 357 &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 ); 358 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xZ ) == 0 ); 359 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yZ ) == 0 ); 360 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 ); 361 362exit: 363 mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &R ); 364 mbedtls_mpi_free( &dA ); mbedtls_mpi_free( &xA ); mbedtls_mpi_free( &yA ); mbedtls_mpi_free( &dB ); 365 mbedtls_mpi_free( &xB ); mbedtls_mpi_free( &yB ); mbedtls_mpi_free( &xZ ); mbedtls_mpi_free( &yZ ); 366} 367/* END_CASE */ 368 369/* BEGIN_CASE */ 370void ecp_test_vec_x( int id, char * dA_hex, char * xA_hex, char * dB_hex, 371 char * xB_hex, char * xS_hex ) 372{ 373 mbedtls_ecp_group grp; 374 mbedtls_ecp_point R; 375 mbedtls_mpi dA, xA, dB, xB, xS; 376 mbedtls_test_rnd_pseudo_info rnd_info; 377 378 mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &R ); 379 mbedtls_mpi_init( &dA ); mbedtls_mpi_init( &xA ); 380 mbedtls_mpi_init( &dB ); mbedtls_mpi_init( &xB ); 381 mbedtls_mpi_init( &xS ); 382 memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) ); 383 384 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 385 386 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &grp.G ) == 0 ); 387 388 TEST_ASSERT( mbedtls_test_read_mpi( &dA, dA_hex ) == 0 ); 389 TEST_ASSERT( mbedtls_test_read_mpi( &dB, dB_hex ) == 0 ); 390 TEST_ASSERT( mbedtls_test_read_mpi( &xA, xA_hex ) == 0 ); 391 TEST_ASSERT( mbedtls_test_read_mpi( &xB, xB_hex ) == 0 ); 392 TEST_ASSERT( mbedtls_test_read_mpi( &xS, xS_hex ) == 0 ); 393 394 TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dA, &grp.G, 395 &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 ); 396 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 ); 397 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xA ) == 0 ); 398 399 TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dB, &R, 400 &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 ); 401 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 ); 402 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xS ) == 0 ); 403 404 TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dB, &grp.G, 405 &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 ); 406 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 ); 407 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xB ) == 0 ); 408 409 TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &dA, &R, 410 &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == 0 ); 411 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &R ) == 0 ); 412 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xS ) == 0 ); 413 414exit: 415 mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &R ); 416 mbedtls_mpi_free( &dA ); mbedtls_mpi_free( &xA ); 417 mbedtls_mpi_free( &dB ); mbedtls_mpi_free( &xB ); 418 mbedtls_mpi_free( &xS ); 419} 420/* END_CASE */ 421 422/* BEGIN_CASE */ 423void ecp_test_mul( int id, data_t * n_hex, 424 data_t * Px_hex, data_t * Py_hex, data_t * Pz_hex, 425 data_t * nPx_hex, data_t * nPy_hex, data_t * nPz_hex, 426 int expected_ret ) 427{ 428 mbedtls_ecp_group grp; 429 mbedtls_ecp_point P, nP, R; 430 mbedtls_mpi n; 431 mbedtls_test_rnd_pseudo_info rnd_info; 432 433 mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &R ); 434 mbedtls_ecp_point_init( &P ); mbedtls_ecp_point_init( &nP ); 435 mbedtls_mpi_init( &n ); 436 memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) ); 437 438 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 439 440 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &grp.G ) == 0 ); 441 442 TEST_ASSERT( mbedtls_mpi_read_binary( &n, n_hex->x, n_hex->len ) == 0 ); 443 444 TEST_ASSERT( mbedtls_mpi_read_binary( &P.X, Px_hex->x, Px_hex->len ) == 0 ); 445 TEST_ASSERT( mbedtls_mpi_read_binary( &P.Y, Py_hex->x, Py_hex->len ) == 0 ); 446 TEST_ASSERT( mbedtls_mpi_read_binary( &P.Z, Pz_hex->x, Pz_hex->len ) == 0 ); 447 TEST_ASSERT( mbedtls_mpi_read_binary( &nP.X, nPx_hex->x, nPx_hex->len ) 448 == 0 ); 449 TEST_ASSERT( mbedtls_mpi_read_binary( &nP.Y, nPy_hex->x, nPy_hex->len ) 450 == 0 ); 451 TEST_ASSERT( mbedtls_mpi_read_binary( &nP.Z, nPz_hex->x, nPz_hex->len ) 452 == 0 ); 453 454 TEST_ASSERT( mbedtls_ecp_mul( &grp, &R, &n, &P, 455 &mbedtls_test_rnd_pseudo_rand, &rnd_info ) 456 == expected_ret ); 457 458 if( expected_ret == 0 ) 459 { 460 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &nP.X, &R.X ) == 0 ); 461 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &nP.Y, &R.Y ) == 0 ); 462 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &nP.Z, &R.Z ) == 0 ); 463 } 464 465exit: 466 mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &R ); 467 mbedtls_ecp_point_free( &P ); mbedtls_ecp_point_free( &nP ); 468 mbedtls_mpi_free( &n ); 469} 470/* END_CASE */ 471 472/* BEGIN_CASE */ 473void ecp_test_mul_rng( int id, data_t * d_hex) 474{ 475 mbedtls_ecp_group grp; 476 mbedtls_mpi d; 477 mbedtls_ecp_point Q; 478 479 mbedtls_ecp_group_init( &grp ); mbedtls_mpi_init( &d ); 480 mbedtls_ecp_point_init( &Q ); 481 482 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 483 484 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &grp.G ) == 0 ); 485 486 TEST_ASSERT( mbedtls_mpi_read_binary( &d, d_hex->x, d_hex->len ) == 0 ); 487 488 TEST_ASSERT( mbedtls_ecp_mul( &grp, &Q, &d, &grp.G, 489 &mbedtls_test_rnd_zero_rand, NULL ) 490 == MBEDTLS_ERR_ECP_RANDOM_FAILED ); 491 492exit: 493 mbedtls_ecp_group_free( &grp ); mbedtls_mpi_free( &d ); 494 mbedtls_ecp_point_free( &Q ); 495} 496/* END_CASE */ 497 498/* BEGIN_CASE depends_on:MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */ 499void ecp_muladd( int id, 500 data_t *u1_bin, data_t *P1_bin, 501 data_t *u2_bin, data_t *P2_bin, 502 data_t *expected_result ) 503{ 504 /* Compute R = u1 * P1 + u2 * P2 */ 505 mbedtls_ecp_group grp; 506 mbedtls_ecp_point P1, P2, R; 507 mbedtls_mpi u1, u2; 508 uint8_t actual_result[MBEDTLS_ECP_MAX_PT_LEN]; 509 size_t len; 510 511 mbedtls_ecp_group_init( &grp ); 512 mbedtls_ecp_point_init( &P1 ); 513 mbedtls_ecp_point_init( &P2 ); 514 mbedtls_ecp_point_init( &R ); 515 mbedtls_mpi_init( &u1 ); 516 mbedtls_mpi_init( &u2 ); 517 518 TEST_EQUAL( 0, mbedtls_ecp_group_load( &grp, id ) ); 519 TEST_EQUAL( 0, mbedtls_mpi_read_binary( &u1, u1_bin->x, u1_bin->len ) ); 520 TEST_EQUAL( 0, mbedtls_mpi_read_binary( &u2, u2_bin->x, u2_bin->len ) ); 521 TEST_EQUAL( 0, mbedtls_ecp_point_read_binary( &grp, &P1, 522 P1_bin->x, P1_bin->len ) ); 523 TEST_EQUAL( 0, mbedtls_ecp_point_read_binary( &grp, &P2, 524 P2_bin->x, P2_bin->len ) ); 525 526 TEST_EQUAL( 0, mbedtls_ecp_muladd( &grp, &R, &u1, &P1, &u2, &P2 ) ); 527 TEST_EQUAL( 0, mbedtls_ecp_point_write_binary( 528 &grp, &R, MBEDTLS_ECP_PF_UNCOMPRESSED, 529 &len, actual_result, sizeof( actual_result ) ) ); 530 TEST_ASSERT( len <= MBEDTLS_ECP_MAX_PT_LEN ); 531 532 ASSERT_COMPARE( expected_result->x, expected_result->len, 533 actual_result, len ); 534 535exit: 536 mbedtls_ecp_group_free( &grp ); 537 mbedtls_ecp_point_free( &P1 ); 538 mbedtls_ecp_point_free( &P2 ); 539 mbedtls_ecp_point_free( &R ); 540 mbedtls_mpi_free( &u1 ); 541 mbedtls_mpi_free( &u2 ); 542} 543/* END_CASE */ 544 545/* BEGIN_CASE */ 546void ecp_fast_mod( int id, char * N_str ) 547{ 548 mbedtls_ecp_group grp; 549 mbedtls_mpi N, R; 550 551 mbedtls_mpi_init( &N ); mbedtls_mpi_init( &R ); 552 mbedtls_ecp_group_init( &grp ); 553 554 TEST_ASSERT( mbedtls_test_read_mpi( &N, N_str ) == 0 ); 555 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 556 TEST_ASSERT( grp.modp != NULL ); 557 558 /* 559 * Store correct result before we touch N 560 */ 561 TEST_ASSERT( mbedtls_mpi_mod_mpi( &R, &N, &grp.P ) == 0 ); 562 563 TEST_ASSERT( grp.modp( &N ) == 0 ); 564 TEST_ASSERT( mbedtls_mpi_bitlen( &N ) <= grp.pbits + 3 ); 565 566 /* 567 * Use mod rather than addition/subtraction in case previous test fails 568 */ 569 TEST_ASSERT( mbedtls_mpi_mod_mpi( &N, &N, &grp.P ) == 0 ); 570 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &N, &R ) == 0 ); 571 572exit: 573 mbedtls_mpi_free( &N ); mbedtls_mpi_free( &R ); 574 mbedtls_ecp_group_free( &grp ); 575} 576/* END_CASE */ 577 578/* BEGIN_CASE */ 579void ecp_write_binary( int id, char * x, char * y, char * z, int format, 580 data_t * out, int blen, int ret ) 581{ 582 mbedtls_ecp_group grp; 583 mbedtls_ecp_point P; 584 unsigned char buf[256]; 585 size_t olen; 586 587 memset( buf, 0, sizeof( buf ) ); 588 589 mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &P ); 590 591 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 592 593 TEST_ASSERT( mbedtls_test_read_mpi( &P.X, x ) == 0 ); 594 TEST_ASSERT( mbedtls_test_read_mpi( &P.Y, y ) == 0 ); 595 TEST_ASSERT( mbedtls_test_read_mpi( &P.Z, z ) == 0 ); 596 597 TEST_ASSERT( mbedtls_ecp_point_write_binary( &grp, &P, format, 598 &olen, buf, blen ) == ret ); 599 600 if( ret == 0 ) 601 { 602 TEST_ASSERT( olen <= MBEDTLS_ECP_MAX_PT_LEN ); 603 TEST_ASSERT( mbedtls_test_hexcmp( buf, out->x, olen, out->len ) == 0 ); 604 } 605 606exit: 607 mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &P ); 608} 609/* END_CASE */ 610 611/* BEGIN_CASE */ 612void ecp_read_binary( int id, data_t * buf, char * x, char * y, char * z, 613 int ret ) 614{ 615 mbedtls_ecp_group grp; 616 mbedtls_ecp_point P; 617 mbedtls_mpi X, Y, Z; 618 619 620 mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &P ); 621 mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z ); 622 623 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 624 625 TEST_ASSERT( mbedtls_test_read_mpi( &X, x ) == 0 ); 626 TEST_ASSERT( mbedtls_test_read_mpi( &Y, y ) == 0 ); 627 TEST_ASSERT( mbedtls_test_read_mpi( &Z, z ) == 0 ); 628 629 TEST_ASSERT( mbedtls_ecp_point_read_binary( &grp, &P, buf->x, buf->len ) == ret ); 630 631 if( ret == 0 ) 632 { 633 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.X, &X ) == 0 ); 634 if( mbedtls_ecp_get_type( &grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY ) 635 { 636 TEST_ASSERT( mbedtls_mpi_cmp_int( &Y, 0 ) == 0 ); 637 TEST_ASSERT( P.Y.p == NULL ); 638 TEST_ASSERT( mbedtls_mpi_cmp_int( &Z, 1 ) == 0 ); 639 TEST_ASSERT( mbedtls_mpi_cmp_int( &P.Z, 1 ) == 0 ); 640 } 641 else 642 { 643 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.Y, &Y ) == 0 ); 644 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.Z, &Z ) == 0 ); 645 } 646 } 647 648exit: 649 mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &P ); 650 mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z ); 651} 652/* END_CASE */ 653 654/* BEGIN_CASE */ 655void mbedtls_ecp_tls_read_point( int id, data_t * buf, char * x, char * y, 656 char * z, int ret ) 657{ 658 mbedtls_ecp_group grp; 659 mbedtls_ecp_point P; 660 mbedtls_mpi X, Y, Z; 661 const unsigned char *vbuf = buf->x; 662 663 664 mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &P ); 665 mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z ); 666 667 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 668 669 TEST_ASSERT( mbedtls_test_read_mpi( &X, x ) == 0 ); 670 TEST_ASSERT( mbedtls_test_read_mpi( &Y, y ) == 0 ); 671 TEST_ASSERT( mbedtls_test_read_mpi( &Z, z ) == 0 ); 672 673 TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &P, &vbuf, buf->len ) == ret ); 674 675 if( ret == 0 ) 676 { 677 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.X, &X ) == 0 ); 678 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.Y, &Y ) == 0 ); 679 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.Z, &Z ) == 0 ); 680 TEST_ASSERT( (uint32_t)( vbuf - buf->x ) == buf->len ); 681 } 682 683exit: 684 mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &P ); 685 mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z ); 686} 687/* END_CASE */ 688 689/* BEGIN_CASE */ 690void ecp_tls_write_read_point( int id ) 691{ 692 mbedtls_ecp_group grp; 693 mbedtls_ecp_point pt; 694 unsigned char buf[256]; 695 const unsigned char *vbuf; 696 size_t olen; 697 698 mbedtls_ecp_group_init( &grp ); 699 mbedtls_ecp_point_init( &pt ); 700 701 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 702 703 memset( buf, 0x00, sizeof( buf ) ); vbuf = buf; 704 TEST_ASSERT( mbedtls_ecp_tls_write_point( &grp, &grp.G, 705 MBEDTLS_ECP_PF_COMPRESSED, &olen, buf, 256 ) == 0 ); 706 TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &pt, &vbuf, olen ) 707 == MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); 708 TEST_ASSERT( vbuf == buf + olen ); 709 710 memset( buf, 0x00, sizeof( buf ) ); vbuf = buf; 711 TEST_ASSERT( mbedtls_ecp_tls_write_point( &grp, &grp.G, 712 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, buf, 256 ) == 0 ); 713 TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &pt, &vbuf, olen ) == 0 ); 714 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp.G.X, &pt.X ) == 0 ); 715 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp.G.Y, &pt.Y ) == 0 ); 716 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp.G.Z, &pt.Z ) == 0 ); 717 TEST_ASSERT( vbuf == buf + olen ); 718 719 memset( buf, 0x00, sizeof( buf ) ); vbuf = buf; 720 TEST_ASSERT( mbedtls_ecp_set_zero( &pt ) == 0 ); 721 TEST_ASSERT( mbedtls_ecp_tls_write_point( &grp, &pt, 722 MBEDTLS_ECP_PF_COMPRESSED, &olen, buf, 256 ) == 0 ); 723 TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &pt, &vbuf, olen ) == 0 ); 724 TEST_ASSERT( mbedtls_ecp_is_zero( &pt ) ); 725 TEST_ASSERT( vbuf == buf + olen ); 726 727 memset( buf, 0x00, sizeof( buf ) ); vbuf = buf; 728 TEST_ASSERT( mbedtls_ecp_set_zero( &pt ) == 0 ); 729 TEST_ASSERT( mbedtls_ecp_tls_write_point( &grp, &pt, 730 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, buf, 256 ) == 0 ); 731 TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &pt, &vbuf, olen ) == 0 ); 732 TEST_ASSERT( mbedtls_ecp_is_zero( &pt ) ); 733 TEST_ASSERT( vbuf == buf + olen ); 734 735exit: 736 mbedtls_ecp_group_free( &grp ); 737 mbedtls_ecp_point_free( &pt ); 738} 739/* END_CASE */ 740 741/* BEGIN_CASE */ 742void mbedtls_ecp_tls_read_group( data_t * buf, int result, int bits, 743 int record_len ) 744{ 745 mbedtls_ecp_group grp; 746 const unsigned char *vbuf = buf->x; 747 int ret; 748 749 mbedtls_ecp_group_init( &grp ); 750 751 ret = mbedtls_ecp_tls_read_group( &grp, &vbuf, buf->len ); 752 753 TEST_ASSERT( ret == result ); 754 if( ret == 0) 755 { 756 TEST_ASSERT( mbedtls_mpi_bitlen( &grp.P ) == (size_t) bits ); 757 TEST_ASSERT( vbuf - buf->x == record_len); 758 } 759 760exit: 761 mbedtls_ecp_group_free( &grp ); 762} 763/* END_CASE */ 764 765/* BEGIN_CASE */ 766void ecp_tls_write_read_group( int id ) 767{ 768 mbedtls_ecp_group grp1, grp2; 769 unsigned char buf[10]; 770 const unsigned char *vbuf = buf; 771 size_t len; 772 int ret; 773 774 mbedtls_ecp_group_init( &grp1 ); 775 mbedtls_ecp_group_init( &grp2 ); 776 memset( buf, 0x00, sizeof( buf ) ); 777 778 TEST_ASSERT( mbedtls_ecp_group_load( &grp1, id ) == 0 ); 779 780 TEST_ASSERT( mbedtls_ecp_tls_write_group( &grp1, &len, buf, 10 ) == 0 ); 781 ret = mbedtls_ecp_tls_read_group( &grp2, &vbuf, len ); 782 TEST_ASSERT( ret == 0 ); 783 784 if( ret == 0 ) 785 { 786 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp1.N, &grp2.N ) == 0 ); 787 TEST_ASSERT( grp1.id == grp2.id ); 788 } 789 790exit: 791 mbedtls_ecp_group_free( &grp1 ); 792 mbedtls_ecp_group_free( &grp2 ); 793} 794/* END_CASE */ 795 796/* BEGIN_CASE depends_on:MBEDTLS_ECDH_C:MBEDTLS_ECDSA_C */ 797void mbedtls_ecp_group_metadata( int id, int bit_size, int crv_type, 798 char* P, char* A, char* B, 799 char* G_x, char* G_y, char* N, 800 int tls_id ) 801{ 802 mbedtls_ecp_group grp, grp_read, grp_cpy; 803 const mbedtls_ecp_group_id *g_id; 804 mbedtls_ecp_group_id read_g_id; 805 const mbedtls_ecp_curve_info *crv, *crv_tls_id, *crv_name; 806 807 mbedtls_mpi exp_P, exp_A, exp_B, exp_G_x, exp_G_y, exp_N; 808 809 unsigned char buf[3], ecparameters[3] = { 3, 0, tls_id }; 810 const unsigned char *vbuf = buf; 811 size_t olen; 812 813 mbedtls_ecp_group_init( &grp ); 814 mbedtls_ecp_group_init( &grp_read ); 815 mbedtls_ecp_group_init( &grp_cpy ); 816 817 mbedtls_mpi_init( &exp_P ); 818 mbedtls_mpi_init( &exp_A ); 819 mbedtls_mpi_init( &exp_B ); 820 mbedtls_mpi_init( &exp_G_x ); 821 mbedtls_mpi_init( &exp_G_y ); 822 mbedtls_mpi_init( &exp_N ); 823 824 // Read expected parameters 825 TEST_EQUAL( mbedtls_test_read_mpi( &exp_P, P ), 0 ); 826 TEST_EQUAL( mbedtls_test_read_mpi( &exp_A, A ), 0 ); 827 TEST_EQUAL( mbedtls_test_read_mpi( &exp_G_x, G_x ), 0 ); 828 TEST_EQUAL( mbedtls_test_read_mpi( &exp_N, N ), 0 ); 829 TEST_EQUAL( mbedtls_test_read_mpi( &exp_B, B ), 0 ); 830 TEST_EQUAL( mbedtls_test_read_mpi( &exp_G_y, G_y ), 0 ); 831 832 // Convert exp_A to internal representation (A+2)/4 833 if( crv_type == MBEDTLS_ECP_TYPE_MONTGOMERY ) 834 { 835 TEST_EQUAL( mbedtls_mpi_add_int( &exp_A, &exp_A, 2 ), 0 ); 836 TEST_EQUAL( mbedtls_mpi_div_int( &exp_A, NULL, &exp_A, 4 ), 0 ); 837 } 838 839 // Load group 840 TEST_EQUAL( mbedtls_ecp_group_load( &grp, id ), 0 ); 841 842 // Compare group with expected parameters 843 // A is NULL for SECPxxxR1 curves 844 // B and G_y are NULL for curve25519 and curve448 845 TEST_EQUAL( mbedtls_mpi_cmp_mpi( &exp_P, &grp.P ), 0 ); 846 if( *A != 0 ) 847 TEST_EQUAL( mbedtls_mpi_cmp_mpi( &exp_A, &grp.A ), 0 ); 848 if( *B != 0 ) 849 TEST_EQUAL( mbedtls_mpi_cmp_mpi( &exp_B, &grp.B ), 0 ); 850 TEST_EQUAL( mbedtls_mpi_cmp_mpi( &exp_G_x, &grp.G.X ), 0 ); 851 if( *G_y != 0 ) 852 TEST_EQUAL( mbedtls_mpi_cmp_mpi( &exp_G_y, &grp.G.Y ), 0 ); 853 TEST_EQUAL( mbedtls_mpi_cmp_mpi( &exp_N, &grp.N ), 0 ); 854 855 // Load curve info and compare with known values 856 crv = mbedtls_ecp_curve_info_from_grp_id( id ); 857 TEST_EQUAL( crv->grp_id, id ); 858 TEST_EQUAL( crv->bit_size, bit_size ); 859 TEST_EQUAL( crv->tls_id, tls_id ); 860 861 // Load curve from TLS ID and name, and compare IDs 862 crv_tls_id = mbedtls_ecp_curve_info_from_tls_id( crv->tls_id ); 863 crv_name = mbedtls_ecp_curve_info_from_name( crv->name ); 864 TEST_EQUAL( crv_tls_id->grp_id, id ); 865 TEST_EQUAL( crv_name->grp_id, id ); 866 867 // Validate write_group against test data 868 TEST_EQUAL( mbedtls_ecp_tls_write_group( &grp, &olen, 869 buf, sizeof( buf ) ), 870 0 ); 871 TEST_EQUAL( mbedtls_test_hexcmp( buf, ecparameters, olen, 872 sizeof( ecparameters ) ), 873 0 ); 874 875 // Read group from buffer and compare with expected ID 876 TEST_EQUAL( mbedtls_ecp_tls_read_group_id( &read_g_id, &vbuf, olen ), 877 0 ); 878 TEST_EQUAL( read_g_id, id ); 879 vbuf = buf; 880 TEST_EQUAL( mbedtls_ecp_tls_read_group( &grp_read, &vbuf, olen ), 881 0 ); 882 TEST_EQUAL( grp_read.id, id ); 883 884 // Check curve type, and if it can be used for ECDH/ECDSA 885 TEST_EQUAL( mbedtls_ecp_get_type( &grp ), crv_type ); 886 TEST_EQUAL( mbedtls_ecdh_can_do( id ), 1 ); 887 TEST_EQUAL( mbedtls_ecdsa_can_do( id ), 888 crv_type == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS ); 889 890 // Copy group and compare with original 891 TEST_EQUAL( mbedtls_ecp_group_copy( &grp_cpy, &grp ), 0 ); 892 TEST_EQUAL( mbedtls_ecp_group_cmp( &grp, &grp_cpy ), 0 ); 893 894 // Check curve is in curve list and group ID list 895 for( crv = mbedtls_ecp_curve_list( ); 896 crv->grp_id != MBEDTLS_ECP_DP_NONE && 897 crv->grp_id != (unsigned) id; 898 crv++ ); 899 TEST_EQUAL( crv->grp_id, id ); 900 for( g_id = mbedtls_ecp_grp_id_list( ); 901 *g_id != MBEDTLS_ECP_DP_NONE && *g_id != (unsigned) id; 902 g_id++ ); 903 TEST_EQUAL( *g_id, (unsigned) id ); 904 905exit: 906 mbedtls_ecp_group_free( &grp ); mbedtls_ecp_group_free( &grp_cpy ); 907 mbedtls_ecp_group_free( &grp_read ); 908 mbedtls_mpi_free( &exp_P ); mbedtls_mpi_free( &exp_A ); 909 mbedtls_mpi_free( &exp_B ); mbedtls_mpi_free( &exp_G_x ); 910 mbedtls_mpi_free( &exp_G_y ); mbedtls_mpi_free( &exp_N ); 911} 912/* END_CASE */ 913 914/* BEGIN_CASE */ 915void mbedtls_ecp_check_privkey( int id, char * key_hex, int ret ) 916{ 917 mbedtls_ecp_group grp; 918 mbedtls_mpi d; 919 920 mbedtls_ecp_group_init( &grp ); 921 mbedtls_mpi_init( &d ); 922 923 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 924 TEST_ASSERT( mbedtls_test_read_mpi( &d, key_hex ) == 0 ); 925 926 TEST_ASSERT( mbedtls_ecp_check_privkey( &grp, &d ) == ret ); 927 928exit: 929 mbedtls_ecp_group_free( &grp ); 930 mbedtls_mpi_free( &d ); 931} 932/* END_CASE */ 933 934/* BEGIN_CASE */ 935void mbedtls_ecp_check_pub_priv( int id_pub, char * Qx_pub, char * Qy_pub, 936 int id, char * d, char * Qx, char * Qy, 937 int ret ) 938{ 939 mbedtls_ecp_keypair pub, prv; 940 mbedtls_test_rnd_pseudo_info rnd_info; 941 942 mbedtls_ecp_keypair_init( &pub ); 943 mbedtls_ecp_keypair_init( &prv ); 944 memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) ); 945 946 if( id_pub != MBEDTLS_ECP_DP_NONE ) 947 TEST_ASSERT( mbedtls_ecp_group_load( &pub.grp, id_pub ) == 0 ); 948 TEST_ASSERT( mbedtls_ecp_point_read_string( &pub.Q, 16, Qx_pub, Qy_pub ) == 0 ); 949 950 if( id != MBEDTLS_ECP_DP_NONE ) 951 TEST_ASSERT( mbedtls_ecp_group_load( &prv.grp, id ) == 0 ); 952 TEST_ASSERT( mbedtls_ecp_point_read_string( &prv.Q, 16, Qx, Qy ) == 0 ); 953 TEST_ASSERT( mbedtls_test_read_mpi( &prv.d, d ) == 0 ); 954 955 TEST_ASSERT( mbedtls_ecp_check_pub_priv( &pub, &prv, 956 &mbedtls_test_rnd_pseudo_rand, &rnd_info ) == ret ); 957 958exit: 959 mbedtls_ecp_keypair_free( &pub ); 960 mbedtls_ecp_keypair_free( &prv ); 961} 962/* END_CASE */ 963 964/* BEGIN_CASE */ 965void mbedtls_ecp_gen_keypair( int id ) 966{ 967 mbedtls_ecp_group grp; 968 mbedtls_ecp_point Q; 969 mbedtls_mpi d; 970 mbedtls_test_rnd_pseudo_info rnd_info; 971 972 mbedtls_ecp_group_init( &grp ); 973 mbedtls_ecp_point_init( &Q ); 974 mbedtls_mpi_init( &d ); 975 memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) ); 976 977 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 978 979 TEST_ASSERT( mbedtls_ecp_gen_keypair( &grp, &d, &Q, 980 &mbedtls_test_rnd_pseudo_rand, 981 &rnd_info ) == 0 ); 982 983 TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &Q ) == 0 ); 984 TEST_ASSERT( mbedtls_ecp_check_privkey( &grp, &d ) == 0 ); 985 986exit: 987 mbedtls_ecp_group_free( &grp ); 988 mbedtls_ecp_point_free( &Q ); 989 mbedtls_mpi_free( &d ); 990} 991/* END_CASE */ 992 993/* BEGIN_CASE */ 994void mbedtls_ecp_gen_key( int id ) 995{ 996 mbedtls_ecp_keypair key; 997 mbedtls_test_rnd_pseudo_info rnd_info; 998 999 mbedtls_ecp_keypair_init( &key ); 1000 memset( &rnd_info, 0x00, sizeof( mbedtls_test_rnd_pseudo_info ) ); 1001 1002 TEST_ASSERT( mbedtls_ecp_gen_key( id, &key, 1003 &mbedtls_test_rnd_pseudo_rand, 1004 &rnd_info ) == 0 ); 1005 1006 TEST_ASSERT( mbedtls_ecp_check_pubkey( &key.grp, &key.Q ) == 0 ); 1007 TEST_ASSERT( mbedtls_ecp_check_privkey( &key.grp, &key.d ) == 0 ); 1008 1009exit: 1010 mbedtls_ecp_keypair_free( &key ); 1011} 1012/* END_CASE */ 1013 1014/* BEGIN_CASE */ 1015void mbedtls_ecp_read_key( int grp_id, data_t* in_key, int expected, int canonical ) 1016{ 1017 int ret = 0; 1018 mbedtls_ecp_keypair key; 1019 mbedtls_ecp_keypair key2; 1020 1021 mbedtls_ecp_keypair_init( &key ); 1022 mbedtls_ecp_keypair_init( &key2 ); 1023 1024 ret = mbedtls_ecp_read_key( grp_id, &key, in_key->x, in_key->len ); 1025 TEST_ASSERT( ret == expected ); 1026 1027 if( expected == 0 ) 1028 { 1029 ret = mbedtls_ecp_check_privkey( &key.grp, &key.d ); 1030 TEST_ASSERT( ret == 0 ); 1031 1032 if( canonical ) 1033 { 1034 unsigned char buf[MBEDTLS_ECP_MAX_BYTES]; 1035 1036 ret = mbedtls_ecp_write_key( &key, buf, in_key->len ); 1037 TEST_ASSERT( ret == 0 ); 1038 1039 ASSERT_COMPARE( in_key->x, in_key->len, 1040 buf, in_key->len ); 1041 } 1042 else 1043 { 1044 unsigned char export1[MBEDTLS_ECP_MAX_BYTES]; 1045 unsigned char export2[MBEDTLS_ECP_MAX_BYTES]; 1046 1047 ret = mbedtls_ecp_write_key( &key, export1, in_key->len ); 1048 TEST_ASSERT( ret == 0 ); 1049 1050 ret = mbedtls_ecp_read_key( grp_id, &key2, export1, in_key->len ); 1051 TEST_ASSERT( ret == expected ); 1052 1053 ret = mbedtls_ecp_write_key( &key2, export2, in_key->len ); 1054 TEST_ASSERT( ret == 0 ); 1055 1056 ASSERT_COMPARE( export1, in_key->len, 1057 export2, in_key->len ); 1058 } 1059 } 1060 1061exit: 1062 mbedtls_ecp_keypair_free( &key ); 1063 mbedtls_ecp_keypair_free( &key2 ); 1064} 1065/* END_CASE */ 1066 1067/* BEGIN_CASE depends_on:HAVE_FIX_NEGATIVE */ 1068void fix_negative( data_t *N_bin, int c, int bits ) 1069{ 1070 mbedtls_mpi C, M, N; 1071 1072 mbedtls_mpi_init( &C ); 1073 mbedtls_mpi_init( &M ); 1074 mbedtls_mpi_init( &N ); 1075 1076 /* C = - c * 2^bits (positive since c is negative) */ 1077 TEST_EQUAL( 0, mbedtls_mpi_lset( &C, -c ) ); 1078 TEST_EQUAL( 0, mbedtls_mpi_shift_l( &C, bits ) ); 1079 1080 TEST_EQUAL( 0, mbedtls_mpi_read_binary( &N, N_bin->x, N_bin->len ) ); 1081 TEST_EQUAL( 0, mbedtls_mpi_grow( &N, C.n ) ); 1082 1083 /* M = N - C = - ( C - N ) (expected result of fix_negative) */ 1084 TEST_EQUAL( 0, mbedtls_mpi_sub_mpi( &M, &N, &C ) ); 1085 1086 mbedtls_ecp_fix_negative( &N, c, bits ); 1087 1088 TEST_EQUAL( 0, mbedtls_mpi_cmp_mpi( &N, &M ) ); 1089 1090exit: 1091 mbedtls_mpi_free( &C ); 1092 mbedtls_mpi_free( &M ); 1093 mbedtls_mpi_free( &N ); 1094} 1095/* END_CASE */ 1096 1097/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_MONTGOMERY_ENABLED */ 1098void genkey_mx_known_answer( int bits, data_t *seed, data_t *expected ) 1099{ 1100 mbedtls_test_rnd_buf_info rnd_info; 1101 mbedtls_mpi d; 1102 int ret; 1103 uint8_t *actual = NULL; 1104 1105 mbedtls_mpi_init( &d ); 1106 rnd_info.buf = seed->x; 1107 rnd_info.length = seed->len; 1108 rnd_info.fallback_f_rng = NULL; 1109 rnd_info.fallback_p_rng = NULL; 1110 1111 ASSERT_ALLOC( actual, expected->len ); 1112 1113 ret = mbedtls_ecp_gen_privkey_mx( bits, &d, 1114 mbedtls_test_rnd_buffer_rand, &rnd_info ); 1115 1116 if( expected->len == 0 ) 1117 { 1118 /* Expecting an error (happens if there isn't enough randomness) */ 1119 TEST_ASSERT( ret != 0 ); 1120 } 1121 else 1122 { 1123 TEST_EQUAL( ret, 0 ); 1124 TEST_EQUAL( (size_t) bits + 1, mbedtls_mpi_bitlen( &d ) ); 1125 TEST_EQUAL( 0, mbedtls_mpi_write_binary( &d, actual, expected->len ) ); 1126 /* Test the exact result. This assumes that the output of the 1127 * RNG is used in a specific way, which is overly constraining. 1128 * The advantage is that it's easier to test the expected properties 1129 * of the generated key: 1130 * - The most significant bit must be at a specific positions 1131 * (can be enforced by checking the bit-length). 1132 * - The least significant bits must have specific values 1133 * (can be enforced by checking these bits). 1134 * - Other bits must be random (by testing with different RNG outputs, 1135 * we validate that those bits are indeed influenced by the RNG). */ 1136 ASSERT_COMPARE( expected->x, expected->len, 1137 actual, expected->len ); 1138 } 1139 1140exit: 1141 mbedtls_free( actual ); 1142 mbedtls_mpi_free( &d ); 1143} 1144/* END_CASE */ 1145 1146/* BEGIN_CASE */ 1147void ecp_set_zero( int id, data_t * P_bin ) 1148{ 1149 mbedtls_ecp_group grp; 1150 mbedtls_ecp_point pt, zero_pt, nonzero_pt; 1151 1152 mbedtls_ecp_group_init( &grp ); 1153 mbedtls_ecp_point_init( &pt ); 1154 mbedtls_ecp_point_init( &zero_pt ); 1155 mbedtls_ecp_point_init( &nonzero_pt ); 1156 1157 // Set zero and non-zero points for comparison 1158 TEST_EQUAL( mbedtls_ecp_set_zero( &zero_pt ), 0 ); 1159 TEST_EQUAL( mbedtls_ecp_group_load( &grp, id ), 0 ); 1160 TEST_EQUAL( mbedtls_ecp_point_read_binary( &grp, &nonzero_pt, 1161 P_bin->x, P_bin->len ), 0 ); 1162 TEST_EQUAL( mbedtls_ecp_is_zero( &zero_pt ), 1 ); 1163 TEST_EQUAL( mbedtls_ecp_is_zero( &nonzero_pt ), 0 ); 1164 1165 // Test initialized point 1166 TEST_EQUAL( mbedtls_ecp_set_zero( &pt ), 0 ); 1167 TEST_EQUAL( mbedtls_ecp_is_zero( &pt ), 1 ); 1168 TEST_EQUAL( mbedtls_ecp_point_cmp( &zero_pt, &pt ), 0 ); 1169 TEST_EQUAL( mbedtls_ecp_point_cmp( &nonzero_pt, &zero_pt ), 1170 MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 1171 1172 // Test zeroed point 1173 TEST_EQUAL( mbedtls_ecp_set_zero( &pt ), 0 ); 1174 TEST_EQUAL( mbedtls_ecp_is_zero( &pt ), 1 ); 1175 TEST_EQUAL( mbedtls_ecp_point_cmp( &zero_pt, &pt ), 0 ); 1176 TEST_EQUAL( mbedtls_ecp_point_cmp( &nonzero_pt, &pt ), 1177 MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 1178 1179 // Set point to non-zero value 1180 TEST_EQUAL( mbedtls_ecp_point_read_binary( &grp, &pt, 1181 P_bin->x, P_bin->len ), 0 ); 1182 TEST_EQUAL( mbedtls_ecp_is_zero( &pt ), 0 ); 1183 TEST_EQUAL( mbedtls_ecp_point_cmp( &zero_pt, &pt ), 1184 MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 1185 TEST_EQUAL( mbedtls_ecp_point_cmp( &nonzero_pt, &pt), 0 ); 1186 1187 // Test non-zero point 1188 TEST_EQUAL( mbedtls_ecp_set_zero( &pt ), 0 ); 1189 TEST_EQUAL( mbedtls_ecp_is_zero( &pt ), 1 ); 1190 TEST_EQUAL( mbedtls_ecp_point_cmp( &zero_pt, &pt ), 0 ); 1191 TEST_EQUAL( mbedtls_ecp_point_cmp( &nonzero_pt, &pt ), 1192 MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 1193 1194 // Test freed non-zero point 1195 TEST_EQUAL( mbedtls_ecp_point_read_binary( &grp, &pt, 1196 P_bin->x, P_bin->len ), 0 ); 1197 mbedtls_ecp_point_free( &pt ); 1198 TEST_EQUAL( mbedtls_ecp_set_zero( &pt ), 0 ); 1199 TEST_EQUAL( mbedtls_ecp_is_zero( &pt ), 1 ); 1200 TEST_EQUAL( mbedtls_ecp_point_cmp( &zero_pt, &pt ), 0 ); 1201 TEST_EQUAL( mbedtls_ecp_point_cmp( &nonzero_pt, &pt), 1202 MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 1203 1204exit: 1205 mbedtls_ecp_group_free( &grp ); 1206 mbedtls_ecp_point_free( &pt ); 1207 mbedtls_ecp_point_free( &zero_pt ); 1208 mbedtls_ecp_point_free( &nonzero_pt ); 1209} 1210/* END_CASE */ 1211 1212/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ 1213void ecp_selftest( ) 1214{ 1215 TEST_ASSERT( mbedtls_ecp_self_test( 1 ) == 0 ); 1216} 1217/* END_CASE */ 1218 1219/* BEGIN_CASE */ 1220void ecp_export( int id, char * Qx, char * Qy,char * d, int expected_ret, int invalid_grp ) 1221{ 1222 mbedtls_ecp_keypair key; 1223 mbedtls_ecp_group export_grp; 1224 mbedtls_mpi export_d; 1225 mbedtls_ecp_point export_Q; 1226 1227 mbedtls_ecp_group_init( &export_grp ); 1228 mbedtls_ecp_group_init( &key.grp ); 1229 mbedtls_mpi_init( &export_d ); 1230 mbedtls_ecp_point_init( &export_Q ); 1231 1232 mbedtls_ecp_keypair_init( &key ); 1233 if( invalid_grp == 0 ) 1234 TEST_ASSERT( mbedtls_ecp_group_load( &key.grp, id ) == 0 ); 1235 TEST_ASSERT( mbedtls_ecp_point_read_string( &key.Q, 16, Qx, Qy ) == 0 ); 1236 TEST_ASSERT( mbedtls_test_read_mpi( &key.d, d ) == 0 ); 1237 1238 TEST_EQUAL( mbedtls_ecp_export( &key, &export_grp, 1239 &export_d, &export_Q ), expected_ret ); 1240 1241 if( expected_ret == 0 ) 1242 { 1243 TEST_EQUAL( mbedtls_ecp_point_cmp( &key.Q, &export_Q ), 0 ); 1244 TEST_EQUAL( mbedtls_mpi_cmp_mpi( &key.d, &export_d ), 0 ); 1245 TEST_EQUAL( mbedtls_ecp_group_cmp( &key.grp, &export_grp ), 0 ); 1246 } 1247 1248exit: 1249 mbedtls_ecp_keypair_free( &key ); 1250 mbedtls_ecp_group_free( &export_grp ); 1251 mbedtls_mpi_free( &export_d ); 1252 mbedtls_ecp_point_free( &export_Q ); 1253} 1254/* END_CASE */ 1255 1256/* BEGIN_CASE */ 1257void ecp_check_order( int id, char * expected_order_hex ) 1258{ 1259 mbedtls_ecp_group grp; 1260 mbedtls_mpi expected_n; 1261 1262 mbedtls_ecp_group_init( &grp ); 1263 mbedtls_mpi_init( &expected_n ); 1264 1265 TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 ); 1266 TEST_ASSERT( mbedtls_test_read_mpi( &expected_n, expected_order_hex ) == 0); 1267 1268 // check sign bits are well-formed (i.e. 1 or -1) - see #5810 1269 TEST_ASSERT( grp.N.s == -1 || grp.N.s == 1); 1270 TEST_ASSERT( expected_n.s == -1 || expected_n.s == 1); 1271 1272 TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp.N, &expected_n ) == 0 ); 1273 1274exit: 1275 mbedtls_ecp_group_free( &grp ); 1276 mbedtls_mpi_free( &expected_n ); 1277} 1278/* END_CASE */ 1279