1/* BEGIN_HEADER */ 2#include "mbedtls/ecp.h" 3#include "mbedtls/ecdsa.h" 4#include "mbedtls/ecdh.h" 5 6#include "ecp_invasive.h" 7 8#if defined(MBEDTLS_TEST_HOOKS) && \ 9 (defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ 10 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ 11 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)) 12#define HAVE_FIX_NEGATIVE 13#endif 14 15#define ECP_PF_UNKNOWN -1 16 17#define ECP_PT_RESET(x) \ 18 mbedtls_ecp_point_free(x); \ 19 mbedtls_ecp_point_init(x); 20 21/* Auxiliary function to compare two mbedtls_ecp_group objects. */ 22inline static int mbedtls_ecp_group_cmp(mbedtls_ecp_group *grp1, 23 mbedtls_ecp_group *grp2) 24{ 25 if (mbedtls_mpi_cmp_mpi(&grp1->P, &grp2->P) != 0) { 26 return 1; 27 } 28 if (mbedtls_mpi_cmp_mpi(&grp1->A, &grp2->A) != 0) { 29 return 1; 30 } 31 if (mbedtls_mpi_cmp_mpi(&grp1->B, &grp2->B) != 0) { 32 return 1; 33 } 34 if (mbedtls_mpi_cmp_mpi(&grp1->N, &grp2->N) != 0) { 35 return 1; 36 } 37 if (mbedtls_ecp_point_cmp(&grp1->G, &grp2->G) != 0) { 38 return 1; 39 } 40 if (grp1->id != grp2->id) { 41 return 1; 42 } 43 if (grp1->pbits != grp2->pbits) { 44 return 1; 45 } 46 if (grp1->nbits != grp2->nbits) { 47 return 1; 48 } 49 if (grp1->h != grp2->h) { 50 return 1; 51 } 52 if (grp1->modp != grp2->modp) { 53 return 1; 54 } 55 if (grp1->t_pre != grp2->t_pre) { 56 return 1; 57 } 58 if (grp1->t_post != grp2->t_post) { 59 return 1; 60 } 61 if (grp1->t_data != grp2->t_data) { 62 return 1; 63 } 64 /* Here we should not compare T and T_size as the value of T is 65 * always NULL for Montgomery curves and for Weierstrass curves 66 * it will be NULL until ecp_mul is called. After calling ecp_mul, 67 * the value will be unique (dynamically allocated). 68 */ 69 70 return 0; 71} 72 73/* END_HEADER */ 74 75/* BEGIN_DEPENDENCIES 76 * depends_on:MBEDTLS_ECP_C 77 * END_DEPENDENCIES 78 */ 79 80/* BEGIN_CASE */ 81void ecp_valid_param() 82{ 83 TEST_VALID_PARAM(mbedtls_ecp_group_free(NULL)); 84 TEST_VALID_PARAM(mbedtls_ecp_keypair_free(NULL)); 85 TEST_VALID_PARAM(mbedtls_ecp_point_free(NULL)); 86 87#if defined(MBEDTLS_ECP_RESTARTABLE) 88 TEST_VALID_PARAM(mbedtls_ecp_restart_free(NULL)); 89#endif /* MBEDTLS_ECP_RESTARTABLE */ 90 91exit: 92 return; 93} 94/* END_CASE */ 95 96/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ 97void ecp_invalid_param() 98{ 99 mbedtls_ecp_group grp; 100 mbedtls_ecp_keypair kp; 101 mbedtls_ecp_point P; 102 mbedtls_mpi m; 103 const char *x = "deadbeef"; 104 int valid_fmt = MBEDTLS_ECP_PF_UNCOMPRESSED; 105 int invalid_fmt = 42; 106 size_t olen; 107 unsigned char buf[42] = { 0 }; 108 const unsigned char *null_buf = NULL; 109 mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP192R1; 110#if defined(MBEDTLS_ECP_RESTARTABLE) 111 mbedtls_ecp_restart_ctx restart_ctx; 112#endif /* MBEDTLS_ECP_RESTARTABLE */ 113 114 mbedtls_ecp_group_init(&grp); 115 mbedtls_ecp_point_init(&P); 116 117 TEST_INVALID_PARAM(mbedtls_ecp_point_init(NULL)); 118 TEST_INVALID_PARAM(mbedtls_ecp_keypair_init(NULL)); 119 TEST_INVALID_PARAM(mbedtls_ecp_group_init(NULL)); 120 121#if defined(MBEDTLS_ECP_RESTARTABLE) 122 TEST_INVALID_PARAM(mbedtls_ecp_restart_init(NULL)); 123 TEST_INVALID_PARAM(mbedtls_ecp_check_budget(NULL, &restart_ctx, 42)); 124#endif /* MBEDTLS_ECP_RESTARTABLE */ 125 126 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 127 mbedtls_ecp_copy(NULL, &P)); 128 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 129 mbedtls_ecp_copy(&P, NULL)); 130 131 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 132 mbedtls_ecp_group_copy(NULL, &grp)); 133 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 134 mbedtls_ecp_group_copy(&grp, NULL)); 135 136 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 137 mbedtls_ecp_gen_privkey(NULL, 138 &m, 139 mbedtls_test_rnd_std_rand, 140 NULL)); 141 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 142 mbedtls_ecp_gen_privkey(&grp, 143 NULL, 144 mbedtls_test_rnd_std_rand, 145 NULL)); 146 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 147 mbedtls_ecp_gen_privkey(&grp, 148 &m, 149 NULL, 150 NULL)); 151 152 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 153 mbedtls_ecp_set_zero(NULL)); 154 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 155 mbedtls_ecp_is_zero(NULL)); 156 157 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 158 mbedtls_ecp_point_cmp(NULL, &P)); 159 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 160 mbedtls_ecp_point_cmp(&P, NULL)); 161 162 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 163 mbedtls_ecp_point_read_string(NULL, 2, 164 x, x)); 165 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 166 mbedtls_ecp_point_read_string(&P, 2, 167 NULL, x)); 168 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 169 mbedtls_ecp_point_read_string(&P, 2, 170 x, NULL)); 171 172 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 173 mbedtls_ecp_point_write_binary(NULL, &P, 174 valid_fmt, 175 &olen, 176 buf, sizeof(buf))); 177 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 178 mbedtls_ecp_point_write_binary(&grp, NULL, 179 valid_fmt, 180 &olen, 181 buf, sizeof(buf))); 182 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 183 mbedtls_ecp_point_write_binary(&grp, &P, 184 invalid_fmt, 185 &olen, 186 buf, sizeof(buf))); 187 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 188 mbedtls_ecp_point_write_binary(&grp, &P, 189 valid_fmt, 190 NULL, 191 buf, sizeof(buf))); 192 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 193 mbedtls_ecp_point_write_binary(&grp, &P, 194 valid_fmt, 195 &olen, 196 NULL, sizeof(buf))); 197 198 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 199 mbedtls_ecp_point_read_binary(NULL, &P, buf, 200 sizeof(buf))); 201 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 202 mbedtls_ecp_point_read_binary(&grp, NULL, buf, 203 sizeof(buf))); 204 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 205 mbedtls_ecp_point_read_binary(&grp, &P, NULL, 206 sizeof(buf))); 207 208 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 209 mbedtls_ecp_tls_read_point(NULL, &P, 210 (const unsigned char **) &buf, 211 sizeof(buf))); 212 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 213 mbedtls_ecp_tls_read_point(&grp, NULL, 214 (const unsigned char **) &buf, 215 sizeof(buf))); 216 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 217 mbedtls_ecp_tls_read_point(&grp, &P, &null_buf, 218 sizeof(buf))); 219 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 220 mbedtls_ecp_tls_read_point(&grp, &P, NULL, 221 sizeof(buf))); 222 223 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 224 mbedtls_ecp_tls_write_point(NULL, &P, 225 valid_fmt, 226 &olen, 227 buf, 228 sizeof(buf))); 229 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 230 mbedtls_ecp_tls_write_point(&grp, NULL, 231 valid_fmt, 232 &olen, 233 buf, 234 sizeof(buf))); 235 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 236 mbedtls_ecp_tls_write_point(&grp, &P, 237 invalid_fmt, 238 &olen, 239 buf, 240 sizeof(buf))); 241 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 242 mbedtls_ecp_tls_write_point(&grp, &P, 243 valid_fmt, 244 NULL, 245 buf, 246 sizeof(buf))); 247 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 248 mbedtls_ecp_tls_write_point(&grp, &P, 249 valid_fmt, 250 &olen, 251 NULL, 252 sizeof(buf))); 253 254 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 255 mbedtls_ecp_group_load(NULL, valid_group)); 256 257 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 258 mbedtls_ecp_tls_read_group(NULL, 259 (const unsigned char **) &buf, 260 sizeof(buf))); 261 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 262 mbedtls_ecp_tls_read_group(&grp, NULL, 263 sizeof(buf))); 264 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 265 mbedtls_ecp_tls_read_group(&grp, &null_buf, 266 sizeof(buf))); 267 268 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 269 mbedtls_ecp_tls_read_group_id(NULL, 270 (const unsigned char **) &buf, 271 sizeof(buf))); 272 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 273 mbedtls_ecp_tls_read_group_id(&valid_group, NULL, 274 sizeof(buf))); 275 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 276 mbedtls_ecp_tls_read_group_id(&valid_group, 277 &null_buf, 278 sizeof(buf))); 279 280 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 281 mbedtls_ecp_tls_write_group(NULL, &olen, 282 buf, sizeof(buf))); 283 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 284 mbedtls_ecp_tls_write_group(&grp, NULL, 285 buf, sizeof(buf))); 286 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 287 mbedtls_ecp_tls_write_group(&grp, &olen, 288 NULL, sizeof(buf))); 289 290 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 291 mbedtls_ecp_mul(NULL, &P, &m, &P, 292 mbedtls_test_rnd_std_rand, 293 NULL)); 294 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 295 mbedtls_ecp_mul(&grp, NULL, &m, &P, 296 mbedtls_test_rnd_std_rand, 297 NULL)); 298 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 299 mbedtls_ecp_mul(&grp, &P, NULL, &P, 300 mbedtls_test_rnd_std_rand, 301 NULL)); 302 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 303 mbedtls_ecp_mul(&grp, &P, &m, NULL, 304 mbedtls_test_rnd_std_rand, 305 NULL)); 306 307 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 308 mbedtls_ecp_mul_restartable(NULL, &P, &m, &P, 309 mbedtls_test_rnd_std_rand, 310 NULL, NULL)); 311 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 312 mbedtls_ecp_mul_restartable(&grp, NULL, &m, &P, 313 mbedtls_test_rnd_std_rand, 314 NULL, NULL)); 315 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 316 mbedtls_ecp_mul_restartable(&grp, &P, NULL, &P, 317 mbedtls_test_rnd_std_rand, 318 NULL, NULL)); 319 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 320 mbedtls_ecp_mul_restartable(&grp, &P, &m, NULL, 321 mbedtls_test_rnd_std_rand, 322 NULL, NULL)); 323 324 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 325 mbedtls_ecp_muladd(NULL, &P, &m, &P, 326 &m, &P)); 327 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 328 mbedtls_ecp_muladd(&grp, NULL, &m, &P, 329 &m, &P)); 330 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 331 mbedtls_ecp_muladd(&grp, &P, NULL, &P, 332 &m, &P)); 333 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 334 mbedtls_ecp_muladd(&grp, &P, &m, NULL, 335 &m, &P)); 336 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 337 mbedtls_ecp_muladd(&grp, &P, &m, &P, 338 NULL, &P)); 339 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 340 mbedtls_ecp_muladd(&grp, &P, &m, &P, 341 &m, NULL)); 342 343 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 344 mbedtls_ecp_muladd_restartable(NULL, &P, &m, &P, 345 &m, &P, NULL)); 346 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 347 mbedtls_ecp_muladd_restartable(&grp, NULL, &m, &P, 348 &m, &P, NULL)); 349 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 350 mbedtls_ecp_muladd_restartable(&grp, &P, NULL, &P, 351 &m, &P, NULL)); 352 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 353 mbedtls_ecp_muladd_restartable(&grp, &P, &m, NULL, 354 &m, &P, NULL)); 355 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 356 mbedtls_ecp_muladd_restartable(&grp, &P, &m, &P, 357 NULL, &P, NULL)); 358 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 359 mbedtls_ecp_muladd_restartable(&grp, &P, &m, &P, 360 &m, NULL, NULL)); 361 362 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 363 mbedtls_ecp_check_pubkey(NULL, &P)); 364 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 365 mbedtls_ecp_check_pubkey(&grp, NULL)); 366 367 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 368 mbedtls_ecp_check_pub_priv(NULL, &kp)); 369 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 370 mbedtls_ecp_check_pub_priv(&kp, NULL)); 371 372 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 373 mbedtls_ecp_check_privkey(NULL, &m)); 374 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 375 mbedtls_ecp_check_privkey(&grp, NULL)); 376 377 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 378 mbedtls_ecp_gen_keypair_base(NULL, &P, &m, &P, 379 mbedtls_test_rnd_std_rand, NULL)); 380 381 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 382 mbedtls_ecp_gen_keypair_base(&grp, NULL, &m, &P, 383 mbedtls_test_rnd_std_rand, NULL)); 384 385 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 386 mbedtls_ecp_gen_keypair_base(&grp, &P, NULL, &P, 387 mbedtls_test_rnd_std_rand, NULL)); 388 389 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 390 mbedtls_ecp_gen_keypair_base(&grp, &P, &m, NULL, 391 mbedtls_test_rnd_std_rand, NULL)); 392 393 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 394 mbedtls_ecp_gen_keypair_base(&grp, &P, &m, &P, NULL, NULL)); 395 396 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 397 mbedtls_ecp_gen_keypair(NULL, 398 &m, &P, 399 mbedtls_test_rnd_std_rand, 400 NULL)); 401 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 402 mbedtls_ecp_gen_keypair(&grp, 403 NULL, &P, 404 mbedtls_test_rnd_std_rand, 405 NULL)); 406 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 407 mbedtls_ecp_gen_keypair(&grp, 408 &m, NULL, 409 mbedtls_test_rnd_std_rand, 410 NULL)); 411 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 412 mbedtls_ecp_gen_keypair(&grp, 413 &m, &P, 414 NULL, 415 NULL)); 416 417 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 418 mbedtls_ecp_gen_key(valid_group, NULL, 419 mbedtls_test_rnd_std_rand, 420 NULL)); 421 TEST_INVALID_PARAM_RET(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 422 mbedtls_ecp_gen_key(valid_group, &kp, 423 NULL, NULL)); 424 425exit: 426 return; 427} 428/* END_CASE */ 429 430/* BEGIN_CASE */ 431void mbedtls_ecp_curve_info(int id, int tls_id, int size, char *name) 432{ 433 const mbedtls_ecp_curve_info *by_id, *by_tls, *by_name; 434 435 by_id = mbedtls_ecp_curve_info_from_grp_id(id); 436 by_tls = mbedtls_ecp_curve_info_from_tls_id(tls_id); 437 by_name = mbedtls_ecp_curve_info_from_name(name); 438 TEST_ASSERT(by_id != NULL); 439 TEST_ASSERT(by_tls != NULL); 440 TEST_ASSERT(by_name != NULL); 441 442 TEST_ASSERT(by_id == by_tls); 443 TEST_ASSERT(by_id == by_name); 444 445 TEST_ASSERT(by_id->bit_size == size); 446 TEST_ASSERT(size <= MBEDTLS_ECP_MAX_BITS); 447 TEST_ASSERT(size <= MBEDTLS_ECP_MAX_BYTES * 8); 448} 449/* END_CASE */ 450 451/* BEGIN_CASE */ 452void ecp_check_pub(int grp_id, char *x_hex, char *y_hex, char *z_hex, 453 int ret) 454{ 455 mbedtls_ecp_group grp; 456 mbedtls_ecp_point P; 457 458 mbedtls_ecp_group_init(&grp); 459 mbedtls_ecp_point_init(&P); 460 461 TEST_ASSERT(mbedtls_ecp_group_load(&grp, grp_id) == 0); 462 463 TEST_ASSERT(mbedtls_test_read_mpi(&P.X, x_hex) == 0); 464 TEST_ASSERT(mbedtls_test_read_mpi(&P.Y, y_hex) == 0); 465 TEST_ASSERT(mbedtls_test_read_mpi(&P.Z, z_hex) == 0); 466 467 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &P) == ret); 468 469exit: 470 mbedtls_ecp_group_free(&grp); 471 mbedtls_ecp_point_free(&P); 472} 473/* END_CASE */ 474 475/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 476void ecp_test_vect_restart(int id, 477 char *dA_str, char *xA_str, char *yA_str, 478 char *dB_str, char *xZ_str, char *yZ_str, 479 int max_ops, int min_restarts, int max_restarts) 480{ 481 /* 482 * Test for early restart. Based on test vectors like ecp_test_vect(), 483 * but for the sake of simplicity only does half of each side. It's 484 * important to test both base point and random point, though, as memory 485 * management is different in each case. 486 * 487 * Don't try using too precise bounds for restarts as the exact number 488 * will depend on settings such as MBEDTLS_ECP_FIXED_POINT_OPTIM and 489 * MBEDTLS_ECP_WINDOW_SIZE, as well as implementation details that may 490 * change in the future. A factor 2 is a minimum safety margin. 491 * 492 * For reference, with Mbed TLS 2.4 and default settings, for P-256: 493 * - Random point mult: ~3250M 494 * - Cold base point mult: ~3300M 495 * - Hot base point mult: ~1100M 496 * With MBEDTLS_ECP_WINDOW_SIZE set to 2 (minimum): 497 * - Random point mult: ~3850M 498 */ 499 mbedtls_ecp_restart_ctx ctx; 500 mbedtls_ecp_group grp; 501 mbedtls_ecp_point R, P; 502 mbedtls_mpi dA, xA, yA, dB, xZ, yZ; 503 int cnt_restarts; 504 int ret; 505 506 mbedtls_ecp_restart_init(&ctx); 507 mbedtls_ecp_group_init(&grp); 508 mbedtls_ecp_point_init(&R); mbedtls_ecp_point_init(&P); 509 mbedtls_mpi_init(&dA); mbedtls_mpi_init(&xA); mbedtls_mpi_init(&yA); 510 mbedtls_mpi_init(&dB); mbedtls_mpi_init(&xZ); mbedtls_mpi_init(&yZ); 511 512 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 513 514 TEST_ASSERT(mbedtls_test_read_mpi(&dA, dA_str) == 0); 515 TEST_ASSERT(mbedtls_test_read_mpi(&xA, xA_str) == 0); 516 TEST_ASSERT(mbedtls_test_read_mpi(&yA, yA_str) == 0); 517 518 TEST_ASSERT(mbedtls_test_read_mpi(&dB, dB_str) == 0); 519 TEST_ASSERT(mbedtls_test_read_mpi(&xZ, xZ_str) == 0); 520 TEST_ASSERT(mbedtls_test_read_mpi(&yZ, yZ_str) == 0); 521 522 mbedtls_ecp_set_max_ops((unsigned) max_ops); 523 524 /* Base point case */ 525 cnt_restarts = 0; 526 do { 527 ECP_PT_RESET(&R); 528 ret = mbedtls_ecp_mul_restartable(&grp, &R, &dA, &grp.G, NULL, NULL, &ctx); 529 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts); 530 531 TEST_ASSERT(ret == 0); 532 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xA) == 0); 533 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yA) == 0); 534 535 TEST_ASSERT(cnt_restarts >= min_restarts); 536 TEST_ASSERT(cnt_restarts <= max_restarts); 537 538 /* Non-base point case */ 539 mbedtls_ecp_copy(&P, &R); 540 cnt_restarts = 0; 541 do { 542 ECP_PT_RESET(&R); 543 ret = mbedtls_ecp_mul_restartable(&grp, &R, &dB, &P, NULL, NULL, &ctx); 544 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts); 545 546 TEST_ASSERT(ret == 0); 547 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xZ) == 0); 548 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yZ) == 0); 549 550 TEST_ASSERT(cnt_restarts >= min_restarts); 551 TEST_ASSERT(cnt_restarts <= max_restarts); 552 553 /* Do we leak memory when aborting an operation? 554 * This test only makes sense when we actually restart */ 555 if (min_restarts > 0) { 556 ret = mbedtls_ecp_mul_restartable(&grp, &R, &dB, &P, NULL, NULL, &ctx); 557 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 558 } 559 560exit: 561 mbedtls_ecp_restart_free(&ctx); 562 mbedtls_ecp_group_free(&grp); 563 mbedtls_ecp_point_free(&R); mbedtls_ecp_point_free(&P); 564 mbedtls_mpi_free(&dA); mbedtls_mpi_free(&xA); mbedtls_mpi_free(&yA); 565 mbedtls_mpi_free(&dB); mbedtls_mpi_free(&xZ); mbedtls_mpi_free(&yZ); 566} 567/* END_CASE */ 568 569/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */ 570void ecp_muladd_restart(int id, char *xR_str, char *yR_str, 571 char *u1_str, char *u2_str, 572 char *xQ_str, char *yQ_str, 573 int max_ops, int min_restarts, int max_restarts) 574{ 575 /* 576 * Compute R = u1 * G + u2 * Q 577 * (test vectors mostly taken from ECDSA intermediate results) 578 * 579 * See comments at the top of ecp_test_vect_restart() 580 */ 581 mbedtls_ecp_restart_ctx ctx; 582 mbedtls_ecp_group grp; 583 mbedtls_ecp_point R, Q; 584 mbedtls_mpi u1, u2, xR, yR; 585 int cnt_restarts; 586 int ret; 587 588 mbedtls_ecp_restart_init(&ctx); 589 mbedtls_ecp_group_init(&grp); 590 mbedtls_ecp_point_init(&R); 591 mbedtls_ecp_point_init(&Q); 592 mbedtls_mpi_init(&u1); mbedtls_mpi_init(&u2); 593 mbedtls_mpi_init(&xR); mbedtls_mpi_init(&yR); 594 595 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 596 597 TEST_ASSERT(mbedtls_test_read_mpi(&u1, u1_str) == 0); 598 TEST_ASSERT(mbedtls_test_read_mpi(&u2, u2_str) == 0); 599 TEST_ASSERT(mbedtls_test_read_mpi(&xR, xR_str) == 0); 600 TEST_ASSERT(mbedtls_test_read_mpi(&yR, yR_str) == 0); 601 602 TEST_ASSERT(mbedtls_test_read_mpi(&Q.X, xQ_str) == 0); 603 TEST_ASSERT(mbedtls_test_read_mpi(&Q.Y, yQ_str) == 0); 604 TEST_ASSERT(mbedtls_mpi_lset(&Q.Z, 1) == 0); 605 606 mbedtls_ecp_set_max_ops((unsigned) max_ops); 607 608 cnt_restarts = 0; 609 do { 610 ECP_PT_RESET(&R); 611 ret = mbedtls_ecp_muladd_restartable(&grp, &R, 612 &u1, &grp.G, &u2, &Q, &ctx); 613 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts); 614 615 TEST_ASSERT(ret == 0); 616 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xR) == 0); 617 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yR) == 0); 618 619 TEST_ASSERT(cnt_restarts >= min_restarts); 620 TEST_ASSERT(cnt_restarts <= max_restarts); 621 622 /* Do we leak memory when aborting an operation? 623 * This test only makes sense when we actually restart */ 624 if (min_restarts > 0) { 625 ret = mbedtls_ecp_muladd_restartable(&grp, &R, 626 &u1, &grp.G, &u2, &Q, &ctx); 627 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 628 } 629 630exit: 631 mbedtls_ecp_restart_free(&ctx); 632 mbedtls_ecp_group_free(&grp); 633 mbedtls_ecp_point_free(&R); 634 mbedtls_ecp_point_free(&Q); 635 mbedtls_mpi_free(&u1); mbedtls_mpi_free(&u2); 636 mbedtls_mpi_free(&xR); mbedtls_mpi_free(&yR); 637} 638/* END_CASE */ 639 640/* BEGIN_CASE */ 641void ecp_test_vect(int id, char *dA_str, char *xA_str, char *yA_str, 642 char *dB_str, char *xB_str, char *yB_str, 643 char *xZ_str, char *yZ_str) 644{ 645 mbedtls_ecp_group grp; 646 mbedtls_ecp_point R; 647 mbedtls_mpi dA, xA, yA, dB, xB, yB, xZ, yZ; 648 mbedtls_test_rnd_pseudo_info rnd_info; 649 650 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&R); 651 mbedtls_mpi_init(&dA); mbedtls_mpi_init(&xA); mbedtls_mpi_init(&yA); mbedtls_mpi_init(&dB); 652 mbedtls_mpi_init(&xB); mbedtls_mpi_init(&yB); mbedtls_mpi_init(&xZ); mbedtls_mpi_init(&yZ); 653 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); 654 655 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 656 657 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0); 658 659 TEST_ASSERT(mbedtls_test_read_mpi(&dA, dA_str) == 0); 660 TEST_ASSERT(mbedtls_test_read_mpi(&xA, xA_str) == 0); 661 TEST_ASSERT(mbedtls_test_read_mpi(&yA, yA_str) == 0); 662 TEST_ASSERT(mbedtls_test_read_mpi(&dB, dB_str) == 0); 663 TEST_ASSERT(mbedtls_test_read_mpi(&xB, xB_str) == 0); 664 TEST_ASSERT(mbedtls_test_read_mpi(&yB, yB_str) == 0); 665 TEST_ASSERT(mbedtls_test_read_mpi(&xZ, xZ_str) == 0); 666 TEST_ASSERT(mbedtls_test_read_mpi(&yZ, yZ_str) == 0); 667 668 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &grp.G, 669 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0); 670 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xA) == 0); 671 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yA) == 0); 672 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0); 673 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &R, NULL, NULL) == 0); 674 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xZ) == 0); 675 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yZ) == 0); 676 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0); 677 678 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &grp.G, NULL, NULL) == 0); 679 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xB) == 0); 680 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yB) == 0); 681 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0); 682 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &R, 683 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0); 684 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xZ) == 0); 685 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yZ) == 0); 686 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0); 687 688exit: 689 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&R); 690 mbedtls_mpi_free(&dA); mbedtls_mpi_free(&xA); mbedtls_mpi_free(&yA); mbedtls_mpi_free(&dB); 691 mbedtls_mpi_free(&xB); mbedtls_mpi_free(&yB); mbedtls_mpi_free(&xZ); mbedtls_mpi_free(&yZ); 692} 693/* END_CASE */ 694 695/* BEGIN_CASE */ 696void ecp_test_vec_x(int id, char *dA_hex, char *xA_hex, char *dB_hex, 697 char *xB_hex, char *xS_hex) 698{ 699 mbedtls_ecp_group grp; 700 mbedtls_ecp_point R; 701 mbedtls_mpi dA, xA, dB, xB, xS; 702 mbedtls_test_rnd_pseudo_info rnd_info; 703 704 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&R); 705 mbedtls_mpi_init(&dA); mbedtls_mpi_init(&xA); 706 mbedtls_mpi_init(&dB); mbedtls_mpi_init(&xB); 707 mbedtls_mpi_init(&xS); 708 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); 709 710 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 711 712 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0); 713 714 TEST_ASSERT(mbedtls_test_read_mpi(&dA, dA_hex) == 0); 715 TEST_ASSERT(mbedtls_test_read_mpi(&dB, dB_hex) == 0); 716 TEST_ASSERT(mbedtls_test_read_mpi(&xA, xA_hex) == 0); 717 TEST_ASSERT(mbedtls_test_read_mpi(&xB, xB_hex) == 0); 718 TEST_ASSERT(mbedtls_test_read_mpi(&xS, xS_hex) == 0); 719 720 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &grp.G, 721 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0); 722 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0); 723 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xA) == 0); 724 725 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &R, 726 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0); 727 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0); 728 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xS) == 0); 729 730 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &grp.G, NULL, NULL) == 0); 731 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0); 732 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xB) == 0); 733 734 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &R, NULL, NULL) == 0); 735 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0); 736 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xS) == 0); 737 738exit: 739 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&R); 740 mbedtls_mpi_free(&dA); mbedtls_mpi_free(&xA); 741 mbedtls_mpi_free(&dB); mbedtls_mpi_free(&xB); 742 mbedtls_mpi_free(&xS); 743} 744/* END_CASE */ 745 746/* BEGIN_CASE */ 747void ecp_test_mul(int id, data_t *n_hex, 748 data_t *Px_hex, data_t *Py_hex, data_t *Pz_hex, 749 data_t *nPx_hex, data_t *nPy_hex, data_t *nPz_hex, 750 int expected_ret) 751{ 752 mbedtls_ecp_group grp; 753 mbedtls_ecp_point P, nP, R; 754 mbedtls_mpi n; 755 mbedtls_test_rnd_pseudo_info rnd_info; 756 757 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&R); 758 mbedtls_ecp_point_init(&P); mbedtls_ecp_point_init(&nP); 759 mbedtls_mpi_init(&n); 760 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); 761 762 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 763 764 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0); 765 766 TEST_ASSERT(mbedtls_mpi_read_binary(&n, n_hex->x, n_hex->len) == 0); 767 768 TEST_ASSERT(mbedtls_mpi_read_binary(&P.X, Px_hex->x, Px_hex->len) == 0); 769 TEST_ASSERT(mbedtls_mpi_read_binary(&P.Y, Py_hex->x, Py_hex->len) == 0); 770 TEST_ASSERT(mbedtls_mpi_read_binary(&P.Z, Pz_hex->x, Pz_hex->len) == 0); 771 TEST_ASSERT(mbedtls_mpi_read_binary(&nP.X, nPx_hex->x, nPx_hex->len) 772 == 0); 773 TEST_ASSERT(mbedtls_mpi_read_binary(&nP.Y, nPy_hex->x, nPy_hex->len) 774 == 0); 775 TEST_ASSERT(mbedtls_mpi_read_binary(&nP.Z, nPz_hex->x, nPz_hex->len) 776 == 0); 777 778 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &n, &P, 779 &mbedtls_test_rnd_pseudo_rand, &rnd_info) 780 == expected_ret); 781 782 if (expected_ret == 0) { 783 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&nP.X, &R.X) == 0); 784 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&nP.Y, &R.Y) == 0); 785 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&nP.Z, &R.Z) == 0); 786 } 787 788exit: 789 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&R); 790 mbedtls_ecp_point_free(&P); mbedtls_ecp_point_free(&nP); 791 mbedtls_mpi_free(&n); 792} 793/* END_CASE */ 794 795/* BEGIN_CASE */ 796void ecp_test_mul_rng(int id, data_t *d_hex) 797{ 798 mbedtls_ecp_group grp; 799 mbedtls_mpi d; 800 mbedtls_ecp_point Q; 801 802 mbedtls_ecp_group_init(&grp); mbedtls_mpi_init(&d); 803 mbedtls_ecp_point_init(&Q); 804 805 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 806 807 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0); 808 809 TEST_ASSERT(mbedtls_mpi_read_binary(&d, d_hex->x, d_hex->len) == 0); 810 811 TEST_ASSERT(mbedtls_ecp_mul(&grp, &Q, &d, &grp.G, 812 &mbedtls_test_rnd_zero_rand, NULL) 813 == MBEDTLS_ERR_ECP_RANDOM_FAILED); 814 815exit: 816 mbedtls_ecp_group_free(&grp); mbedtls_mpi_free(&d); 817 mbedtls_ecp_point_free(&Q); 818} 819/* END_CASE */ 820 821/* BEGIN_CASE depends_on:MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */ 822void ecp_muladd(int id, 823 data_t *u1_bin, data_t *P1_bin, 824 data_t *u2_bin, data_t *P2_bin, 825 data_t *expected_result) 826{ 827 /* Compute R = u1 * P1 + u2 * P2 */ 828 mbedtls_ecp_group grp; 829 mbedtls_ecp_point P1, P2, R; 830 mbedtls_mpi u1, u2; 831 uint8_t actual_result[MBEDTLS_ECP_MAX_PT_LEN]; 832 size_t len; 833 834 mbedtls_ecp_group_init(&grp); 835 mbedtls_ecp_point_init(&P1); 836 mbedtls_ecp_point_init(&P2); 837 mbedtls_ecp_point_init(&R); 838 mbedtls_mpi_init(&u1); 839 mbedtls_mpi_init(&u2); 840 841 TEST_EQUAL(0, mbedtls_ecp_group_load(&grp, id)); 842 TEST_EQUAL(0, mbedtls_mpi_read_binary(&u1, u1_bin->x, u1_bin->len)); 843 TEST_EQUAL(0, mbedtls_mpi_read_binary(&u2, u2_bin->x, u2_bin->len)); 844 TEST_EQUAL(0, mbedtls_ecp_point_read_binary(&grp, &P1, 845 P1_bin->x, P1_bin->len)); 846 TEST_EQUAL(0, mbedtls_ecp_point_read_binary(&grp, &P2, 847 P2_bin->x, P2_bin->len)); 848 849 TEST_EQUAL(0, mbedtls_ecp_muladd(&grp, &R, &u1, &P1, &u2, &P2)); 850 TEST_EQUAL(0, mbedtls_ecp_point_write_binary( 851 &grp, &R, MBEDTLS_ECP_PF_UNCOMPRESSED, 852 &len, actual_result, sizeof(actual_result))); 853 TEST_ASSERT(len <= MBEDTLS_ECP_MAX_PT_LEN); 854 855 TEST_MEMORY_COMPARE(expected_result->x, expected_result->len, 856 actual_result, len); 857 858exit: 859 mbedtls_ecp_group_free(&grp); 860 mbedtls_ecp_point_free(&P1); 861 mbedtls_ecp_point_free(&P2); 862 mbedtls_ecp_point_free(&R); 863 mbedtls_mpi_free(&u1); 864 mbedtls_mpi_free(&u2); 865} 866/* END_CASE */ 867 868/* BEGIN_CASE */ 869void ecp_fast_mod(int id, char *N_str) 870{ 871 mbedtls_ecp_group grp; 872 mbedtls_mpi N, R; 873 874 mbedtls_mpi_init(&N); mbedtls_mpi_init(&R); 875 mbedtls_ecp_group_init(&grp); 876 877 TEST_ASSERT(mbedtls_test_read_mpi(&N, N_str) == 0); 878 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 879 TEST_ASSERT(grp.modp != NULL); 880 881 /* 882 * Store correct result before we touch N 883 */ 884 TEST_ASSERT(mbedtls_mpi_mod_mpi(&R, &N, &grp.P) == 0); 885 886 TEST_ASSERT(grp.modp(&N) == 0); 887 TEST_ASSERT(mbedtls_mpi_bitlen(&N) <= grp.pbits + 3); 888 889 /* 890 * Use mod rather than addition/subtraction in case previous test fails 891 */ 892 TEST_ASSERT(mbedtls_mpi_mod_mpi(&N, &N, &grp.P) == 0); 893 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&N, &R) == 0); 894 895exit: 896 mbedtls_mpi_free(&N); mbedtls_mpi_free(&R); 897 mbedtls_ecp_group_free(&grp); 898} 899/* END_CASE */ 900 901/* BEGIN_CASE */ 902void ecp_write_binary(int id, char *x, char *y, char *z, int format, 903 data_t *out, int blen, int ret) 904{ 905 mbedtls_ecp_group grp; 906 mbedtls_ecp_point P; 907 unsigned char buf[256]; 908 size_t olen; 909 910 memset(buf, 0, sizeof(buf)); 911 912 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&P); 913 914 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 915 916 TEST_ASSERT(mbedtls_test_read_mpi(&P.X, x) == 0); 917 TEST_ASSERT(mbedtls_test_read_mpi(&P.Y, y) == 0); 918 TEST_ASSERT(mbedtls_test_read_mpi(&P.Z, z) == 0); 919 920 TEST_ASSERT(mbedtls_ecp_point_write_binary(&grp, &P, format, 921 &olen, buf, blen) == ret); 922 923 if (ret == 0) { 924 TEST_ASSERT(olen <= MBEDTLS_ECP_MAX_PT_LEN); 925 TEST_ASSERT(mbedtls_test_hexcmp(buf, out->x, olen, out->len) == 0); 926 } 927 928exit: 929 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&P); 930} 931/* END_CASE */ 932 933/* BEGIN_CASE */ 934void ecp_read_binary(int id, data_t *buf, char *x, char *y, char *z, 935 int ret) 936{ 937 mbedtls_ecp_group grp; 938 mbedtls_ecp_point P; 939 mbedtls_mpi X, Y, Z; 940 941 942 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&P); 943 mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z); 944 945 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 946 947 TEST_ASSERT(mbedtls_test_read_mpi(&X, x) == 0); 948 TEST_ASSERT(mbedtls_test_read_mpi(&Y, y) == 0); 949 TEST_ASSERT(mbedtls_test_read_mpi(&Z, z) == 0); 950 951 TEST_ASSERT(mbedtls_ecp_point_read_binary(&grp, &P, buf->x, buf->len) == ret); 952 953 if (ret == 0) { 954 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.X, &X) == 0); 955 if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) { 956 TEST_ASSERT(mbedtls_mpi_cmp_int(&Y, 0) == 0); 957 TEST_ASSERT(P.Y.p == NULL); 958 TEST_ASSERT(mbedtls_mpi_cmp_int(&Z, 1) == 0); 959 TEST_ASSERT(mbedtls_mpi_cmp_int(&P.Z, 1) == 0); 960 } else { 961 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Y, &Y) == 0); 962 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Z, &Z) == 0); 963 } 964 } 965 966exit: 967 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&P); 968 mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z); 969} 970/* END_CASE */ 971 972/* BEGIN_CASE */ 973void mbedtls_ecp_tls_read_point(int id, data_t *buf, char *x, char *y, 974 char *z, int ret) 975{ 976 mbedtls_ecp_group grp; 977 mbedtls_ecp_point P; 978 mbedtls_mpi X, Y, Z; 979 const unsigned char *vbuf = buf->x; 980 981 982 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&P); 983 mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z); 984 985 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 986 987 TEST_ASSERT(mbedtls_test_read_mpi(&X, x) == 0); 988 TEST_ASSERT(mbedtls_test_read_mpi(&Y, y) == 0); 989 TEST_ASSERT(mbedtls_test_read_mpi(&Z, z) == 0); 990 991 TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &P, &vbuf, buf->len) == ret); 992 993 if (ret == 0) { 994 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.X, &X) == 0); 995 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Y, &Y) == 0); 996 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Z, &Z) == 0); 997 TEST_ASSERT((uint32_t) (vbuf - buf->x) == buf->len); 998 } 999 1000exit: 1001 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&P); 1002 mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z); 1003} 1004/* END_CASE */ 1005 1006/* BEGIN_CASE */ 1007void ecp_tls_write_read_point(int id) 1008{ 1009 mbedtls_ecp_group grp; 1010 mbedtls_ecp_point pt; 1011 unsigned char buf[256]; 1012 const unsigned char *vbuf; 1013 size_t olen; 1014 1015 mbedtls_ecp_group_init(&grp); 1016 mbedtls_ecp_point_init(&pt); 1017 1018 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 1019 1020 memset(buf, 0x00, sizeof(buf)); vbuf = buf; 1021 TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &grp.G, 1022 MBEDTLS_ECP_PF_COMPRESSED, &olen, buf, 256) == 0); 1023 TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) 1024 == MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE); 1025 TEST_ASSERT(vbuf == buf + olen); 1026 1027 memset(buf, 0x00, sizeof(buf)); vbuf = buf; 1028 TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &grp.G, 1029 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, buf, 256) == 0); 1030 TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) == 0); 1031 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.X, &pt.X) == 0); 1032 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.Y, &pt.Y) == 0); 1033 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.Z, &pt.Z) == 0); 1034 TEST_ASSERT(vbuf == buf + olen); 1035 1036 memset(buf, 0x00, sizeof(buf)); vbuf = buf; 1037 TEST_ASSERT(mbedtls_ecp_set_zero(&pt) == 0); 1038 TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &pt, 1039 MBEDTLS_ECP_PF_COMPRESSED, &olen, buf, 256) == 0); 1040 TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) == 0); 1041 TEST_ASSERT(mbedtls_ecp_is_zero(&pt)); 1042 TEST_ASSERT(vbuf == buf + olen); 1043 1044 memset(buf, 0x00, sizeof(buf)); vbuf = buf; 1045 TEST_ASSERT(mbedtls_ecp_set_zero(&pt) == 0); 1046 TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &pt, 1047 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, buf, 256) == 0); 1048 TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) == 0); 1049 TEST_ASSERT(mbedtls_ecp_is_zero(&pt)); 1050 TEST_ASSERT(vbuf == buf + olen); 1051 1052exit: 1053 mbedtls_ecp_group_free(&grp); 1054 mbedtls_ecp_point_free(&pt); 1055} 1056/* END_CASE */ 1057 1058/* BEGIN_CASE */ 1059void mbedtls_ecp_tls_read_group(data_t *buf, int result, int bits, 1060 int record_len) 1061{ 1062 mbedtls_ecp_group grp; 1063 const unsigned char *vbuf = buf->x; 1064 int ret; 1065 1066 mbedtls_ecp_group_init(&grp); 1067 1068 ret = mbedtls_ecp_tls_read_group(&grp, &vbuf, buf->len); 1069 1070 TEST_ASSERT(ret == result); 1071 if (ret == 0) { 1072 TEST_ASSERT(mbedtls_mpi_bitlen(&grp.P) == (size_t) bits); 1073 TEST_ASSERT(vbuf - buf->x == record_len); 1074 } 1075 1076exit: 1077 mbedtls_ecp_group_free(&grp); 1078} 1079/* END_CASE */ 1080 1081/* BEGIN_CASE */ 1082void ecp_tls_write_read_group(int id) 1083{ 1084 mbedtls_ecp_group grp1, grp2; 1085 unsigned char buf[10]; 1086 const unsigned char *vbuf = buf; 1087 size_t len; 1088 int ret; 1089 1090 mbedtls_ecp_group_init(&grp1); 1091 mbedtls_ecp_group_init(&grp2); 1092 memset(buf, 0x00, sizeof(buf)); 1093 1094 TEST_ASSERT(mbedtls_ecp_group_load(&grp1, id) == 0); 1095 1096 TEST_ASSERT(mbedtls_ecp_tls_write_group(&grp1, &len, buf, 10) == 0); 1097 ret = mbedtls_ecp_tls_read_group(&grp2, &vbuf, len); 1098 TEST_ASSERT(ret == 0); 1099 1100 if (ret == 0) { 1101 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp1.N, &grp2.N) == 0); 1102 TEST_ASSERT(grp1.id == grp2.id); 1103 } 1104 1105exit: 1106 mbedtls_ecp_group_free(&grp1); 1107 mbedtls_ecp_group_free(&grp2); 1108} 1109/* END_CASE */ 1110 1111/* BEGIN_CASE depends_on:MBEDTLS_ECDH_C:MBEDTLS_ECDSA_C */ 1112void mbedtls_ecp_group_metadata(int id, int bit_size, int crv_type, 1113 char *P, char *A, char *B, 1114 char *G_x, char *G_y, char *N, 1115 int tls_id) 1116{ 1117 mbedtls_ecp_group grp, grp_read, grp_cpy; 1118 const mbedtls_ecp_group_id *g_id; 1119 mbedtls_ecp_group_id read_g_id; 1120 const mbedtls_ecp_curve_info *crv, *crv_tls_id, *crv_name; 1121 1122 mbedtls_mpi exp_P, exp_A, exp_B, exp_G_x, exp_G_y, exp_N; 1123 1124 unsigned char buf[3], ecparameters[3] = { 3, 0, tls_id }; 1125 const unsigned char *vbuf = buf; 1126 size_t olen; 1127 1128 mbedtls_ecp_group_init(&grp); 1129 mbedtls_ecp_group_init(&grp_read); 1130 mbedtls_ecp_group_init(&grp_cpy); 1131 1132 mbedtls_mpi_init(&exp_P); 1133 mbedtls_mpi_init(&exp_A); 1134 mbedtls_mpi_init(&exp_B); 1135 mbedtls_mpi_init(&exp_G_x); 1136 mbedtls_mpi_init(&exp_G_y); 1137 mbedtls_mpi_init(&exp_N); 1138 1139 // Read expected parameters 1140 TEST_EQUAL(mbedtls_test_read_mpi(&exp_P, P), 0); 1141 TEST_EQUAL(mbedtls_test_read_mpi(&exp_A, A), 0); 1142 TEST_EQUAL(mbedtls_test_read_mpi(&exp_G_x, G_x), 0); 1143 TEST_EQUAL(mbedtls_test_read_mpi(&exp_N, N), 0); 1144 TEST_EQUAL(mbedtls_test_read_mpi(&exp_B, B), 0); 1145 TEST_EQUAL(mbedtls_test_read_mpi(&exp_G_y, G_y), 0); 1146 1147 // Convert exp_A to internal representation (A+2)/4 1148 if (crv_type == MBEDTLS_ECP_TYPE_MONTGOMERY) { 1149 TEST_EQUAL(mbedtls_mpi_add_int(&exp_A, &exp_A, 2), 0); 1150 TEST_EQUAL(mbedtls_mpi_div_int(&exp_A, NULL, &exp_A, 4), 0); 1151 } 1152 1153 // Load group 1154 TEST_EQUAL(mbedtls_ecp_group_load(&grp, id), 0); 1155 1156 // Compare group with expected parameters 1157 // A is NULL for SECPxxxR1 curves 1158 // B and G_y are NULL for curve25519 and curve448 1159 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_P, &grp.P), 0); 1160 if (*A != 0) { 1161 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_A, &grp.A), 0); 1162 } 1163 if (*B != 0) { 1164 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_B, &grp.B), 0); 1165 } 1166 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_G_x, &grp.G.X), 0); 1167 if (*G_y != 0) { 1168 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_G_y, &grp.G.Y), 0); 1169 } 1170 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_N, &grp.N), 0); 1171 1172 // Load curve info and compare with known values 1173 crv = mbedtls_ecp_curve_info_from_grp_id(id); 1174 TEST_EQUAL(crv->grp_id, id); 1175 TEST_EQUAL(crv->bit_size, bit_size); 1176 TEST_EQUAL(crv->tls_id, tls_id); 1177 1178 // Load curve from TLS ID and name, and compare IDs 1179 crv_tls_id = mbedtls_ecp_curve_info_from_tls_id(crv->tls_id); 1180 crv_name = mbedtls_ecp_curve_info_from_name(crv->name); 1181 TEST_EQUAL(crv_tls_id->grp_id, id); 1182 TEST_EQUAL(crv_name->grp_id, id); 1183 1184 // Validate write_group against test data 1185 TEST_EQUAL(mbedtls_ecp_tls_write_group(&grp, &olen, 1186 buf, sizeof(buf)), 1187 0); 1188 TEST_EQUAL(mbedtls_test_hexcmp(buf, ecparameters, olen, 1189 sizeof(ecparameters)), 1190 0); 1191 1192 // Read group from buffer and compare with expected ID 1193 TEST_EQUAL(mbedtls_ecp_tls_read_group_id(&read_g_id, &vbuf, olen), 1194 0); 1195 TEST_EQUAL(read_g_id, id); 1196 vbuf = buf; 1197 TEST_EQUAL(mbedtls_ecp_tls_read_group(&grp_read, &vbuf, olen), 1198 0); 1199 TEST_EQUAL(grp_read.id, id); 1200 1201 // Check curve type, and if it can be used for ECDH/ECDSA 1202 TEST_EQUAL(mbedtls_ecp_get_type(&grp), crv_type); 1203 TEST_EQUAL(mbedtls_ecdh_can_do(id), 1); 1204 TEST_EQUAL(mbedtls_ecdsa_can_do(id), 1205 crv_type == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS); 1206 1207 // Copy group and compare with original 1208 TEST_EQUAL(mbedtls_ecp_group_copy(&grp_cpy, &grp), 0); 1209 TEST_ASSERT(grp_cpy.T == NULL); 1210 TEST_ASSERT(grp_cpy.T_size == 0); 1211 TEST_EQUAL(mbedtls_ecp_group_cmp(&grp, &grp_cpy), 0); 1212 1213 // Check curve is in curve list and group ID list 1214 for (crv = mbedtls_ecp_curve_list(); 1215 crv->grp_id != MBEDTLS_ECP_DP_NONE && 1216 crv->grp_id != (unsigned) id; 1217 crv++) { 1218 ; 1219 } 1220 TEST_EQUAL(crv->grp_id, id); 1221 for (g_id = mbedtls_ecp_grp_id_list(); 1222 *g_id != MBEDTLS_ECP_DP_NONE && *g_id != (unsigned) id; 1223 g_id++) { 1224 ; 1225 } 1226 TEST_EQUAL(*g_id, (unsigned) id); 1227 1228exit: 1229 mbedtls_ecp_group_free(&grp); mbedtls_ecp_group_free(&grp_cpy); 1230 mbedtls_ecp_group_free(&grp_read); 1231 mbedtls_mpi_free(&exp_P); mbedtls_mpi_free(&exp_A); 1232 mbedtls_mpi_free(&exp_B); mbedtls_mpi_free(&exp_G_x); 1233 mbedtls_mpi_free(&exp_G_y); mbedtls_mpi_free(&exp_N); 1234} 1235/* END_CASE */ 1236 1237/* BEGIN_CASE */ 1238void mbedtls_ecp_check_privkey(int id, char *key_hex, int ret) 1239{ 1240 mbedtls_ecp_group grp; 1241 mbedtls_mpi d; 1242 1243 mbedtls_ecp_group_init(&grp); 1244 mbedtls_mpi_init(&d); 1245 1246 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 1247 TEST_ASSERT(mbedtls_test_read_mpi(&d, key_hex) == 0); 1248 1249 TEST_ASSERT(mbedtls_ecp_check_privkey(&grp, &d) == ret); 1250 1251exit: 1252 mbedtls_ecp_group_free(&grp); 1253 mbedtls_mpi_free(&d); 1254} 1255/* END_CASE */ 1256 1257/* BEGIN_CASE */ 1258void mbedtls_ecp_check_pub_priv(int id_pub, char *Qx_pub, char *Qy_pub, 1259 int id, char *d, char *Qx, char *Qy, 1260 int ret) 1261{ 1262 mbedtls_ecp_keypair pub, prv; 1263 1264 mbedtls_ecp_keypair_init(&pub); 1265 mbedtls_ecp_keypair_init(&prv); 1266 1267 if (id_pub != MBEDTLS_ECP_DP_NONE) { 1268 TEST_ASSERT(mbedtls_ecp_group_load(&pub.grp, id_pub) == 0); 1269 } 1270 TEST_ASSERT(mbedtls_ecp_point_read_string(&pub.Q, 16, Qx_pub, Qy_pub) == 0); 1271 1272 if (id != MBEDTLS_ECP_DP_NONE) { 1273 TEST_ASSERT(mbedtls_ecp_group_load(&prv.grp, id) == 0); 1274 } 1275 TEST_ASSERT(mbedtls_ecp_point_read_string(&prv.Q, 16, Qx, Qy) == 0); 1276 TEST_ASSERT(mbedtls_test_read_mpi(&prv.d, d) == 0); 1277 1278 TEST_ASSERT(mbedtls_ecp_check_pub_priv(&pub, &prv) == ret); 1279 1280exit: 1281 mbedtls_ecp_keypair_free(&pub); 1282 mbedtls_ecp_keypair_free(&prv); 1283} 1284/* END_CASE */ 1285 1286/* BEGIN_CASE */ 1287void mbedtls_ecp_gen_keypair(int id) 1288{ 1289 mbedtls_ecp_group grp; 1290 mbedtls_ecp_point Q; 1291 mbedtls_mpi d; 1292 mbedtls_test_rnd_pseudo_info rnd_info; 1293 1294 mbedtls_ecp_group_init(&grp); 1295 mbedtls_ecp_point_init(&Q); 1296 mbedtls_mpi_init(&d); 1297 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); 1298 1299 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 1300 1301 TEST_ASSERT(mbedtls_ecp_gen_keypair(&grp, &d, &Q, 1302 &mbedtls_test_rnd_pseudo_rand, 1303 &rnd_info) == 0); 1304 1305 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &Q) == 0); 1306 TEST_ASSERT(mbedtls_ecp_check_privkey(&grp, &d) == 0); 1307 1308exit: 1309 mbedtls_ecp_group_free(&grp); 1310 mbedtls_ecp_point_free(&Q); 1311 mbedtls_mpi_free(&d); 1312} 1313/* END_CASE */ 1314 1315/* BEGIN_CASE */ 1316void mbedtls_ecp_gen_key(int id) 1317{ 1318 mbedtls_ecp_keypair key; 1319 mbedtls_test_rnd_pseudo_info rnd_info; 1320 1321 mbedtls_ecp_keypair_init(&key); 1322 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info)); 1323 1324 TEST_ASSERT(mbedtls_ecp_gen_key(id, &key, 1325 &mbedtls_test_rnd_pseudo_rand, 1326 &rnd_info) == 0); 1327 1328 TEST_ASSERT(mbedtls_ecp_check_pubkey(&key.grp, &key.Q) == 0); 1329 TEST_ASSERT(mbedtls_ecp_check_privkey(&key.grp, &key.d) == 0); 1330 1331exit: 1332 mbedtls_ecp_keypair_free(&key); 1333} 1334/* END_CASE */ 1335 1336/* BEGIN_CASE */ 1337void mbedtls_ecp_read_key(int grp_id, data_t *in_key, int expected, int canonical) 1338{ 1339 int ret = 0; 1340 mbedtls_ecp_keypair key; 1341 mbedtls_ecp_keypair key2; 1342 1343 mbedtls_ecp_keypair_init(&key); 1344 mbedtls_ecp_keypair_init(&key2); 1345 1346 ret = mbedtls_ecp_read_key(grp_id, &key, in_key->x, in_key->len); 1347 TEST_ASSERT(ret == expected); 1348 1349 if (expected == 0) { 1350 ret = mbedtls_ecp_check_privkey(&key.grp, &key.d); 1351 TEST_ASSERT(ret == 0); 1352 1353 if (canonical) { 1354 unsigned char buf[MBEDTLS_ECP_MAX_BYTES]; 1355 1356 ret = mbedtls_ecp_write_key(&key, buf, in_key->len); 1357 TEST_ASSERT(ret == 0); 1358 1359 TEST_MEMORY_COMPARE(in_key->x, in_key->len, 1360 buf, in_key->len); 1361 } else { 1362 unsigned char export1[MBEDTLS_ECP_MAX_BYTES]; 1363 unsigned char export2[MBEDTLS_ECP_MAX_BYTES]; 1364 1365 ret = mbedtls_ecp_write_key(&key, export1, in_key->len); 1366 TEST_ASSERT(ret == 0); 1367 1368 ret = mbedtls_ecp_read_key(grp_id, &key2, export1, in_key->len); 1369 TEST_ASSERT(ret == expected); 1370 1371 ret = mbedtls_ecp_write_key(&key2, export2, in_key->len); 1372 TEST_ASSERT(ret == 0); 1373 1374 TEST_MEMORY_COMPARE(export1, in_key->len, 1375 export2, in_key->len); 1376 } 1377 } 1378 1379exit: 1380 mbedtls_ecp_keypair_free(&key); 1381 mbedtls_ecp_keypair_free(&key2); 1382} 1383/* END_CASE */ 1384 1385/* BEGIN_CASE depends_on:HAVE_FIX_NEGATIVE */ 1386void fix_negative(data_t *N_bin, int c, int bits) 1387{ 1388 mbedtls_mpi C, M, N; 1389 1390 mbedtls_mpi_init(&C); 1391 mbedtls_mpi_init(&M); 1392 mbedtls_mpi_init(&N); 1393 1394 /* C = - c * 2^bits (positive since c is negative) */ 1395 TEST_EQUAL(0, mbedtls_mpi_lset(&C, -c)); 1396 TEST_EQUAL(0, mbedtls_mpi_shift_l(&C, bits)); 1397 1398 TEST_EQUAL(0, mbedtls_mpi_read_binary(&N, N_bin->x, N_bin->len)); 1399 TEST_EQUAL(0, mbedtls_mpi_grow(&N, C.n)); 1400 1401 /* M = N - C = - ( C - N ) (expected result of fix_negative) */ 1402 TEST_EQUAL(0, mbedtls_mpi_sub_mpi(&M, &N, &C)); 1403 1404 mbedtls_ecp_fix_negative(&N, c, bits); 1405 1406 TEST_EQUAL(0, mbedtls_mpi_cmp_mpi(&N, &M)); 1407 1408exit: 1409 mbedtls_mpi_free(&C); 1410 mbedtls_mpi_free(&M); 1411 mbedtls_mpi_free(&N); 1412} 1413/* END_CASE */ 1414 1415/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_MONTGOMERY_ENABLED */ 1416void genkey_mx_known_answer(int bits, data_t *seed, data_t *expected) 1417{ 1418 mbedtls_test_rnd_buf_info rnd_info; 1419 mbedtls_mpi d; 1420 int ret; 1421 uint8_t *actual = NULL; 1422 1423 mbedtls_mpi_init(&d); 1424 rnd_info.buf = seed->x; 1425 rnd_info.length = seed->len; 1426 rnd_info.fallback_f_rng = NULL; 1427 rnd_info.fallback_p_rng = NULL; 1428 1429 TEST_CALLOC(actual, expected->len); 1430 1431 ret = mbedtls_ecp_gen_privkey_mx(bits, &d, 1432 mbedtls_test_rnd_buffer_rand, &rnd_info); 1433 1434 if (expected->len == 0) { 1435 /* Expecting an error (happens if there isn't enough randomness) */ 1436 TEST_ASSERT(ret != 0); 1437 } else { 1438 TEST_EQUAL(ret, 0); 1439 TEST_EQUAL((size_t) bits + 1, mbedtls_mpi_bitlen(&d)); 1440 TEST_EQUAL(0, mbedtls_mpi_write_binary(&d, actual, expected->len)); 1441 /* Test the exact result. This assumes that the output of the 1442 * RNG is used in a specific way, which is overly constraining. 1443 * The advantage is that it's easier to test the expected properties 1444 * of the generated key: 1445 * - The most significant bit must be at a specific positions 1446 * (can be enforced by checking the bit-length). 1447 * - The least significant bits must have specific values 1448 * (can be enforced by checking these bits). 1449 * - Other bits must be random (by testing with different RNG outputs, 1450 * we validate that those bits are indeed influenced by the RNG). */ 1451 TEST_MEMORY_COMPARE(expected->x, expected->len, 1452 actual, expected->len); 1453 } 1454 1455exit: 1456 mbedtls_free(actual); 1457 mbedtls_mpi_free(&d); 1458} 1459/* END_CASE */ 1460 1461/* BEGIN_CASE */ 1462void ecp_set_zero(int id, data_t *P_bin) 1463{ 1464 mbedtls_ecp_group grp; 1465 mbedtls_ecp_point pt, zero_pt, nonzero_pt; 1466 1467 mbedtls_ecp_group_init(&grp); 1468 mbedtls_ecp_point_init(&pt); 1469 mbedtls_ecp_point_init(&zero_pt); 1470 mbedtls_ecp_point_init(&nonzero_pt); 1471 1472 // Set zero and non-zero points for comparison 1473 TEST_EQUAL(mbedtls_ecp_set_zero(&zero_pt), 0); 1474 TEST_EQUAL(mbedtls_ecp_group_load(&grp, id), 0); 1475 TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &nonzero_pt, 1476 P_bin->x, P_bin->len), 0); 1477 TEST_EQUAL(mbedtls_ecp_is_zero(&zero_pt), 1); 1478 TEST_EQUAL(mbedtls_ecp_is_zero(&nonzero_pt), 0); 1479 1480 // Test initialized point 1481 TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0); 1482 TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1); 1483 TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0); 1484 TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &zero_pt), 1485 MBEDTLS_ERR_ECP_BAD_INPUT_DATA); 1486 1487 // Test zeroed point 1488 TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0); 1489 TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1); 1490 TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0); 1491 TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt), 1492 MBEDTLS_ERR_ECP_BAD_INPUT_DATA); 1493 1494 // Set point to non-zero value 1495 TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &pt, 1496 P_bin->x, P_bin->len), 0); 1497 TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 0); 1498 TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 1499 MBEDTLS_ERR_ECP_BAD_INPUT_DATA); 1500 TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt), 0); 1501 1502 // Test non-zero point 1503 TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0); 1504 TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1); 1505 TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0); 1506 TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt), 1507 MBEDTLS_ERR_ECP_BAD_INPUT_DATA); 1508 1509 // Test freed non-zero point 1510 TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &pt, 1511 P_bin->x, P_bin->len), 0); 1512 mbedtls_ecp_point_free(&pt); 1513 TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0); 1514 TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1); 1515 TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0); 1516 TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt), 1517 MBEDTLS_ERR_ECP_BAD_INPUT_DATA); 1518 1519exit: 1520 mbedtls_ecp_group_free(&grp); 1521 mbedtls_ecp_point_free(&pt); 1522 mbedtls_ecp_point_free(&zero_pt); 1523 mbedtls_ecp_point_free(&nonzero_pt); 1524} 1525/* END_CASE */ 1526 1527/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ 1528void ecp_selftest() 1529{ 1530 TEST_ASSERT(mbedtls_ecp_self_test(1) == 0); 1531} 1532/* END_CASE */ 1533 1534/* BEGIN_CASE */ 1535void ecp_check_order(int id, char *expected_order_hex) 1536{ 1537 mbedtls_ecp_group grp; 1538 mbedtls_mpi expected_n; 1539 1540 mbedtls_ecp_group_init(&grp); 1541 mbedtls_mpi_init(&expected_n); 1542 1543 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0); 1544 TEST_ASSERT(mbedtls_test_read_mpi(&expected_n, expected_order_hex) == 0); 1545 1546 // check sign bits are well-formed (i.e. 1 or -1) - see #5810 1547 TEST_ASSERT(grp.N.s == -1 || grp.N.s == 1); 1548 TEST_ASSERT(expected_n.s == -1 || expected_n.s == 1); 1549 1550 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.N, &expected_n) == 0); 1551 1552exit: 1553 mbedtls_ecp_group_free(&grp); 1554 mbedtls_mpi_free(&expected_n); 1555} 1556/* END_CASE */ 1557