tests/suites/test_suite_ecp.function

/* BEGIN_HEADER */
#include "mbedtls/ecp.h"
#include "mbedtls/ecdsa.h"
#include "mbedtls/ecdh.h"

#include "ecp_invasive.h"

#if defined(MBEDTLS_TEST_HOOKS) &&                  \
    (defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||  \
    defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||  \
    defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED))
#define HAVE_FIX_NEGATIVE
#endif

#define ECP_PF_UNKNOWN     -1

#define ECP_PT_RESET(x)           \
    mbedtls_ecp_point_free(x);    \
    mbedtls_ecp_point_init(x);

/* Auxiliary function to compare two mbedtls_ecp_group objects. */
inline static int mbedtls_ecp_group_cmp(mbedtls_ecp_group *grp1,
                                        mbedtls_ecp_group *grp2)
{
    if (mbedtls_mpi_cmp_mpi(&grp1->P, &grp2->P) != 0) {
        return 1;
    }
    if (mbedtls_mpi_cmp_mpi(&grp1->A, &grp2->A) != 0) {
        return 1;
    }
    if (mbedtls_mpi_cmp_mpi(&grp1->B, &grp2->B) != 0) {
        return 1;
    }
    if (mbedtls_mpi_cmp_mpi(&grp1->N, &grp2->N) != 0) {
        return 1;
    }
    if (mbedtls_ecp_point_cmp(&grp1->G, &grp2->G) != 0) {
        return 1;
    }
    if (grp1->id != grp2->id) {
        return 1;
    }
    if (grp1->pbits != grp2->pbits) {
        return 1;
    }
    if (grp1->nbits != grp2->nbits) {
        return 1;
    }
    if (grp1->h != grp2->h) {
        return 1;
    }
    if (grp1->modp != grp2->modp) {
        return 1;
    }
    if (grp1->t_pre != grp2->t_pre) {
        return 1;
    }
    if (grp1->t_post != grp2->t_post) {
        return 1;
    }
    if (grp1->t_data != grp2->t_data) {
        return 1;
    }
    if (grp1->T_size != grp2->T_size) {
        return 1;
    }
    if (grp1->T != grp2->T) {
        return 1;
    }

    return 0;
}

/* END_HEADER */

/* BEGIN_DEPENDENCIES
 * depends_on:MBEDTLS_ECP_C
 * END_DEPENDENCIES
 */

/* BEGIN_CASE */
void ecp_invalid_param()
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_point P;
    int invalid_fmt = 42;
    size_t olen;
    unsigned char buf[42] = { 0 };

    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point_init(&P);

    TEST_EQUAL(MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
               mbedtls_ecp_point_write_binary(&grp, &P,
                                              invalid_fmt,
                                              &olen,
                                              buf, sizeof(buf)));
    TEST_EQUAL(MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
               mbedtls_ecp_tls_write_point(&grp, &P,
                                           invalid_fmt,
                                           &olen,
                                           buf,
                                           sizeof(buf)));

exit:
    return;
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ecp_curve_info(int id, int tls_id, int size, char *name)
{
    const mbedtls_ecp_curve_info *by_id, *by_tls, *by_name;

    by_id   = mbedtls_ecp_curve_info_from_grp_id(id);
    by_tls  = mbedtls_ecp_curve_info_from_tls_id(tls_id);
    by_name = mbedtls_ecp_curve_info_from_name(name);
    TEST_ASSERT(by_id   != NULL);
    TEST_ASSERT(by_tls  != NULL);
    TEST_ASSERT(by_name != NULL);

    TEST_ASSERT(by_id == by_tls);
    TEST_ASSERT(by_id == by_name);

    TEST_ASSERT(by_id->bit_size == size);
    TEST_ASSERT(size <= MBEDTLS_ECP_MAX_BITS);
    TEST_ASSERT(size <= MBEDTLS_ECP_MAX_BYTES * 8);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_check_pub(int grp_id, char *x_hex, char *y_hex, char *z_hex,
                   int ret)
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_point P;

    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point_init(&P);

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, grp_id) == 0);

    TEST_ASSERT(mbedtls_test_read_mpi(&P.X, x_hex) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&P.Y, y_hex) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&P.Z, z_hex) == 0);

    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &P) == ret);

exit:
    mbedtls_ecp_group_free(&grp);
    mbedtls_ecp_point_free(&P);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
void ecp_test_vect_restart(int id,
                           char *dA_str, char *xA_str, char *yA_str,
                           char *dB_str,  char *xZ_str, char *yZ_str,
                           int max_ops, int min_restarts, int max_restarts)
{
    /*
     * Test for early restart. Based on test vectors like ecp_test_vect(),
     * but for the sake of simplicity only does half of each side. It's
     * important to test both base point and random point, though, as memory
     * management is different in each case.
     *
     * Don't try using too precise bounds for restarts as the exact number
     * will depend on settings such as MBEDTLS_ECP_FIXED_POINT_OPTIM and
     * MBEDTLS_ECP_WINDOW_SIZE, as well as implementation details that may
     * change in the future. A factor 2 is a minimum safety margin.
     *
     * For reference, with mbed TLS 2.4 and default settings, for P-256:
     * - Random point mult:     ~3250M
     * - Cold base point mult:  ~3300M
     * - Hot base point mult:   ~1100M
     * With MBEDTLS_ECP_WINDOW_SIZE set to 2 (minimum):
     * - Random point mult:     ~3850M
     */
    mbedtls_ecp_restart_ctx ctx;
    mbedtls_ecp_group grp;
    mbedtls_ecp_point R, P;
    mbedtls_mpi dA, xA, yA, dB, xZ, yZ;
    int cnt_restarts;
    int ret;
    mbedtls_test_rnd_pseudo_info rnd_info;

    mbedtls_ecp_restart_init(&ctx);
    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point_init(&R); mbedtls_ecp_point_init(&P);
    mbedtls_mpi_init(&dA); mbedtls_mpi_init(&xA); mbedtls_mpi_init(&yA);
    mbedtls_mpi_init(&dB); mbedtls_mpi_init(&xZ); mbedtls_mpi_init(&yZ);
    memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);

    TEST_ASSERT(mbedtls_test_read_mpi(&dA, dA_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&xA, xA_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&yA, yA_str) == 0);

    TEST_ASSERT(mbedtls_test_read_mpi(&dB, dB_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&xZ, xZ_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&yZ, yZ_str) == 0);

    mbedtls_ecp_set_max_ops((unsigned) max_ops);

    /* Base point case */
    cnt_restarts = 0;
    do {
        ECP_PT_RESET(&R);
        ret = mbedtls_ecp_mul_restartable(&grp, &R, &dA, &grp.G,
                                          &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx);
    } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts);

    TEST_ASSERT(ret == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xA) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yA) == 0);

    TEST_ASSERT(cnt_restarts >= min_restarts);
    TEST_ASSERT(cnt_restarts <= max_restarts);

    /* Non-base point case */
    mbedtls_ecp_copy(&P, &R);
    cnt_restarts = 0;
    do {
        ECP_PT_RESET(&R);
        ret = mbedtls_ecp_mul_restartable(&grp, &R, &dB, &P,
                                          &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx);
    } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts);

    TEST_ASSERT(ret == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xZ) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yZ) == 0);

    TEST_ASSERT(cnt_restarts >= min_restarts);
    TEST_ASSERT(cnt_restarts <= max_restarts);

    /* Do we leak memory when aborting an operation?
     * This test only makes sense when we actually restart */
    if (min_restarts > 0) {
        ret = mbedtls_ecp_mul_restartable(&grp, &R, &dB, &P,
                                          &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx);
        TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
    }

exit:
    mbedtls_ecp_restart_free(&ctx);
    mbedtls_ecp_group_free(&grp);
    mbedtls_ecp_point_free(&R); mbedtls_ecp_point_free(&P);
    mbedtls_mpi_free(&dA); mbedtls_mpi_free(&xA); mbedtls_mpi_free(&yA);
    mbedtls_mpi_free(&dB); mbedtls_mpi_free(&xZ); mbedtls_mpi_free(&yZ);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
void ecp_muladd_restart(int id, char *xR_str, char *yR_str,
                        char *u1_str, char *u2_str,
                        char *xQ_str, char *yQ_str,
                        int max_ops, int min_restarts, int max_restarts)
{
    /*
     * Compute R = u1 * G + u2 * Q
     * (test vectors mostly taken from ECDSA intermediate results)
     *
     * See comments at the top of ecp_test_vect_restart()
     */
    mbedtls_ecp_restart_ctx ctx;
    mbedtls_ecp_group grp;
    mbedtls_ecp_point R, Q;
    mbedtls_mpi u1, u2, xR, yR;
    int cnt_restarts;
    int ret;

    mbedtls_ecp_restart_init(&ctx);
    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point_init(&R);
    mbedtls_ecp_point_init(&Q);
    mbedtls_mpi_init(&u1); mbedtls_mpi_init(&u2);
    mbedtls_mpi_init(&xR); mbedtls_mpi_init(&yR);

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);

    TEST_ASSERT(mbedtls_test_read_mpi(&u1, u1_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&u2, u2_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&xR, xR_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&yR, yR_str) == 0);

    TEST_ASSERT(mbedtls_test_read_mpi(&Q.X, xQ_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&Q.Y, yQ_str) == 0);
    TEST_ASSERT(mbedtls_mpi_lset(&Q.Z, 1) == 0);

    mbedtls_ecp_set_max_ops((unsigned) max_ops);

    cnt_restarts = 0;
    do {
        ECP_PT_RESET(&R);
        ret = mbedtls_ecp_muladd_restartable(&grp, &R,
                                             &u1, &grp.G, &u2, &Q, &ctx);
    } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts);

    TEST_ASSERT(ret == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xR) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yR) == 0);

    TEST_ASSERT(cnt_restarts >= min_restarts);
    TEST_ASSERT(cnt_restarts <= max_restarts);

    /* Do we leak memory when aborting an operation?
     * This test only makes sense when we actually restart */
    if (min_restarts > 0) {
        ret = mbedtls_ecp_muladd_restartable(&grp, &R,
                                             &u1, &grp.G, &u2, &Q, &ctx);
        TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
    }

exit:
    mbedtls_ecp_restart_free(&ctx);
    mbedtls_ecp_group_free(&grp);
    mbedtls_ecp_point_free(&R);
    mbedtls_ecp_point_free(&Q);
    mbedtls_mpi_free(&u1); mbedtls_mpi_free(&u2);
    mbedtls_mpi_free(&xR); mbedtls_mpi_free(&yR);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_test_vect(int id, char *dA_str, char *xA_str, char *yA_str,
                   char *dB_str, char *xB_str, char *yB_str,
                   char *xZ_str, char *yZ_str)
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_point R;
    mbedtls_mpi dA, xA, yA, dB, xB, yB, xZ, yZ;
    mbedtls_test_rnd_pseudo_info rnd_info;

    mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&R);
    mbedtls_mpi_init(&dA); mbedtls_mpi_init(&xA); mbedtls_mpi_init(&yA); mbedtls_mpi_init(&dB);
    mbedtls_mpi_init(&xB); mbedtls_mpi_init(&yB); mbedtls_mpi_init(&xZ); mbedtls_mpi_init(&yZ);
    memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);

    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0);

    TEST_ASSERT(mbedtls_test_read_mpi(&dA, dA_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&xA, xA_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&yA, yA_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&dB, dB_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&xB, xB_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&yB, yB_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&xZ, xZ_str) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&yZ, yZ_str) == 0);

    TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &grp.G,
                                &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xA) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yA) == 0);
    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
    TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &R,
                                &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xZ) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yZ) == 0);
    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);

    TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &grp.G,
                                &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xB) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yB) == 0);
    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
    TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &R,
                                &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xZ) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yZ) == 0);
    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);

exit:
    mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&R);
    mbedtls_mpi_free(&dA); mbedtls_mpi_free(&xA); mbedtls_mpi_free(&yA); mbedtls_mpi_free(&dB);
    mbedtls_mpi_free(&xB); mbedtls_mpi_free(&yB); mbedtls_mpi_free(&xZ); mbedtls_mpi_free(&yZ);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_test_vec_x(int id, char *dA_hex, char *xA_hex, char *dB_hex,
                    char *xB_hex, char *xS_hex)
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_point R;
    mbedtls_mpi dA, xA, dB, xB, xS;
    mbedtls_test_rnd_pseudo_info rnd_info;

    mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&R);
    mbedtls_mpi_init(&dA); mbedtls_mpi_init(&xA);
    mbedtls_mpi_init(&dB); mbedtls_mpi_init(&xB);
    mbedtls_mpi_init(&xS);
    memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);

    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0);

    TEST_ASSERT(mbedtls_test_read_mpi(&dA, dA_hex) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&dB, dB_hex) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&xA, xA_hex) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&xB, xB_hex) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&xS, xS_hex) == 0);

    TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &grp.G,
                                &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xA) == 0);

    TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &R,
                                &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xS) == 0);

    TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &grp.G,
                                &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xB) == 0);

    TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &R,
                                &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xS) == 0);

exit:
    mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&R);
    mbedtls_mpi_free(&dA); mbedtls_mpi_free(&xA);
    mbedtls_mpi_free(&dB); mbedtls_mpi_free(&xB);
    mbedtls_mpi_free(&xS);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_test_mul(int id, data_t *n_hex,
                  data_t *Px_hex, data_t *Py_hex, data_t *Pz_hex,
                  data_t *nPx_hex, data_t *nPy_hex, data_t *nPz_hex,
                  int expected_ret)
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_point P, nP, R;
    mbedtls_mpi n;
    mbedtls_test_rnd_pseudo_info rnd_info;

    mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&R);
    mbedtls_ecp_point_init(&P); mbedtls_ecp_point_init(&nP);
    mbedtls_mpi_init(&n);
    memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);

    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0);

    TEST_ASSERT(mbedtls_mpi_read_binary(&n, n_hex->x, n_hex->len) == 0);

    TEST_ASSERT(mbedtls_mpi_read_binary(&P.X, Px_hex->x, Px_hex->len) == 0);
    TEST_ASSERT(mbedtls_mpi_read_binary(&P.Y, Py_hex->x, Py_hex->len) == 0);
    TEST_ASSERT(mbedtls_mpi_read_binary(&P.Z, Pz_hex->x, Pz_hex->len) == 0);
    TEST_ASSERT(mbedtls_mpi_read_binary(&nP.X, nPx_hex->x, nPx_hex->len)
                == 0);
    TEST_ASSERT(mbedtls_mpi_read_binary(&nP.Y, nPy_hex->x, nPy_hex->len)
                == 0);
    TEST_ASSERT(mbedtls_mpi_read_binary(&nP.Z, nPz_hex->x, nPz_hex->len)
                == 0);

    TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &n, &P,
                                &mbedtls_test_rnd_pseudo_rand, &rnd_info)
                == expected_ret);

    if (expected_ret == 0) {
        TEST_ASSERT(mbedtls_mpi_cmp_mpi(&nP.X, &R.X) == 0);
        TEST_ASSERT(mbedtls_mpi_cmp_mpi(&nP.Y, &R.Y) == 0);
        TEST_ASSERT(mbedtls_mpi_cmp_mpi(&nP.Z, &R.Z) == 0);
    }

exit:
    mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&R);
    mbedtls_ecp_point_free(&P); mbedtls_ecp_point_free(&nP);
    mbedtls_mpi_free(&n);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_test_mul_rng(int id, data_t *d_hex)
{
    mbedtls_ecp_group grp;
    mbedtls_mpi d;
    mbedtls_ecp_point Q;

    mbedtls_ecp_group_init(&grp); mbedtls_mpi_init(&d);
    mbedtls_ecp_point_init(&Q);

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);

    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0);

    TEST_ASSERT(mbedtls_mpi_read_binary(&d, d_hex->x, d_hex->len) == 0);

    TEST_ASSERT(mbedtls_ecp_mul(&grp, &Q, &d, &grp.G,
                                &mbedtls_test_rnd_zero_rand, NULL)
                == MBEDTLS_ERR_ECP_RANDOM_FAILED);

exit:
    mbedtls_ecp_group_free(&grp); mbedtls_mpi_free(&d);
    mbedtls_ecp_point_free(&Q);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
void ecp_muladd(int id,
                data_t *u1_bin, data_t *P1_bin,
                data_t *u2_bin, data_t *P2_bin,
                data_t *expected_result)
{
    /* Compute R = u1 * P1 + u2 * P2 */
    mbedtls_ecp_group grp;
    mbedtls_ecp_point P1, P2, R;
    mbedtls_mpi u1, u2;
    uint8_t actual_result[MBEDTLS_ECP_MAX_PT_LEN];
    size_t len;

    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point_init(&P1);
    mbedtls_ecp_point_init(&P2);
    mbedtls_ecp_point_init(&R);
    mbedtls_mpi_init(&u1);
    mbedtls_mpi_init(&u2);

    TEST_EQUAL(0, mbedtls_ecp_group_load(&grp, id));
    TEST_EQUAL(0, mbedtls_mpi_read_binary(&u1, u1_bin->x, u1_bin->len));
    TEST_EQUAL(0, mbedtls_mpi_read_binary(&u2, u2_bin->x, u2_bin->len));
    TEST_EQUAL(0, mbedtls_ecp_point_read_binary(&grp, &P1,
                                                P1_bin->x, P1_bin->len));
    TEST_EQUAL(0, mbedtls_ecp_point_read_binary(&grp, &P2,
                                                P2_bin->x, P2_bin->len));

    TEST_EQUAL(0, mbedtls_ecp_muladd(&grp, &R, &u1, &P1, &u2, &P2));
    TEST_EQUAL(0, mbedtls_ecp_point_write_binary(
                   &grp, &R, MBEDTLS_ECP_PF_UNCOMPRESSED,
                   &len, actual_result, sizeof(actual_result)));
    TEST_ASSERT(len <= MBEDTLS_ECP_MAX_PT_LEN);

    ASSERT_COMPARE(expected_result->x, expected_result->len,
                   actual_result, len);

exit:
    mbedtls_ecp_group_free(&grp);
    mbedtls_ecp_point_free(&P1);
    mbedtls_ecp_point_free(&P2);
    mbedtls_ecp_point_free(&R);
    mbedtls_mpi_free(&u1);
    mbedtls_mpi_free(&u2);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_fast_mod(int id, char *N_str)
{
    mbedtls_ecp_group grp;
    mbedtls_mpi N, R;

    mbedtls_mpi_init(&N); mbedtls_mpi_init(&R);
    mbedtls_ecp_group_init(&grp);

    TEST_ASSERT(mbedtls_test_read_mpi(&N, N_str) == 0);
    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
    TEST_ASSERT(grp.modp != NULL);

    /*
     * Store correct result before we touch N
     */
    TEST_ASSERT(mbedtls_mpi_mod_mpi(&R, &N, &grp.P) == 0);

    TEST_ASSERT(grp.modp(&N) == 0);
    TEST_ASSERT(mbedtls_mpi_bitlen(&N) <= grp.pbits + 3);

    /*
     * Use mod rather than addition/subtraction in case previous test fails
     */
    TEST_ASSERT(mbedtls_mpi_mod_mpi(&N, &N, &grp.P) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&N, &R) == 0);

exit:
    mbedtls_mpi_free(&N); mbedtls_mpi_free(&R);
    mbedtls_ecp_group_free(&grp);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_write_binary(int id, char *x, char *y, char *z, int format,
                      data_t *out, int blen, int ret)
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_point P;
    unsigned char buf[256];
    size_t olen;

    memset(buf, 0, sizeof(buf));

    mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&P);

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);

    TEST_ASSERT(mbedtls_test_read_mpi(&P.X, x) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&P.Y, y) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&P.Z, z) == 0);

    TEST_ASSERT(mbedtls_ecp_point_write_binary(&grp, &P, format,
                                               &olen, buf, blen) == ret);

    if (ret == 0) {
        TEST_ASSERT(olen <= MBEDTLS_ECP_MAX_PT_LEN);
        TEST_ASSERT(mbedtls_test_hexcmp(buf, out->x, olen, out->len) == 0);
    }

exit:
    mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&P);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_read_binary(int id, data_t *buf, char *x, char *y, char *z,
                     int ret)
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_point P;
    mbedtls_mpi X, Y, Z;


    mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&P);
    mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);

    TEST_ASSERT(mbedtls_test_read_mpi(&X, x) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&Y, y) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&Z, z) == 0);

    TEST_ASSERT(mbedtls_ecp_point_read_binary(&grp, &P, buf->x, buf->len) == ret);

    if (ret == 0) {
        TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.X, &X) == 0);
        if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
            TEST_ASSERT(mbedtls_mpi_cmp_int(&Y, 0) == 0);
            TEST_ASSERT(P.Y.p == NULL);
            TEST_ASSERT(mbedtls_mpi_cmp_int(&Z, 1) == 0);
            TEST_ASSERT(mbedtls_mpi_cmp_int(&P.Z, 1) == 0);
        } else {
            TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Y, &Y) == 0);
            TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Z, &Z) == 0);

            if (buf->x[0] == 0x04 &&
                /* (reading compressed format supported only for
                 *  Short Weierstrass curves with prime p where p = 3 mod 4) */
                id != MBEDTLS_ECP_DP_SECP224R1 &&
                id != MBEDTLS_ECP_DP_SECP224K1) {
                /* re-encode in compressed format and test read again */
                mbedtls_mpi_free(&P.Y);
                buf->x[0] = 0x02 + mbedtls_mpi_get_bit(&Y, 0);
                TEST_ASSERT(mbedtls_ecp_point_read_binary(&grp, &P, buf->x, buf->len/2+1) == 0);
                TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Y, &Y) == 0);
            }
        }
    }

exit:
    mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&P);
    mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ecp_tls_read_point(int id, data_t *buf, char *x, char *y,
                                char *z, int ret)
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_point P;
    mbedtls_mpi X, Y, Z;
    const unsigned char *vbuf = buf->x;


    mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&P);
    mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);

    TEST_ASSERT(mbedtls_test_read_mpi(&X, x) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&Y, y) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&Z, z) == 0);

    TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &P, &vbuf, buf->len) == ret);

    if (ret == 0) {
        TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.X, &X) == 0);
        TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Y, &Y) == 0);
        TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Z, &Z) == 0);
        TEST_ASSERT((uint32_t) (vbuf - buf->x) == buf->len);
    }

exit:
    mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&P);
    mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_tls_write_read_point(int id)
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_point pt;
    unsigned char buf[256];
    const unsigned char *vbuf;
    size_t olen;

    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point_init(&pt);

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);

    memset(buf, 0x00, sizeof(buf)); vbuf = buf;
    TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &grp.G,
                                            MBEDTLS_ECP_PF_COMPRESSED, &olen, buf, 256) == 0);
    TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.X, &pt.X) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.Y, &pt.Y) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.Z, &pt.Z) == 0);
    TEST_ASSERT(vbuf == buf + olen);

    memset(buf, 0x00, sizeof(buf)); vbuf = buf;
    TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &grp.G,
                                            MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, buf, 256) == 0);
    TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.X, &pt.X) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.Y, &pt.Y) == 0);
    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.Z, &pt.Z) == 0);
    TEST_ASSERT(vbuf == buf + olen);

    memset(buf, 0x00, sizeof(buf)); vbuf = buf;
    TEST_ASSERT(mbedtls_ecp_set_zero(&pt) == 0);
    TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &pt,
                                            MBEDTLS_ECP_PF_COMPRESSED, &olen, buf, 256) == 0);
    TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) == 0);
    TEST_ASSERT(mbedtls_ecp_is_zero(&pt));
    TEST_ASSERT(vbuf == buf + olen);

    memset(buf, 0x00, sizeof(buf)); vbuf = buf;
    TEST_ASSERT(mbedtls_ecp_set_zero(&pt) == 0);
    TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &pt,
                                            MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, buf, 256) == 0);
    TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) == 0);
    TEST_ASSERT(mbedtls_ecp_is_zero(&pt));
    TEST_ASSERT(vbuf == buf + olen);

exit:
    mbedtls_ecp_group_free(&grp);
    mbedtls_ecp_point_free(&pt);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ecp_tls_read_group(data_t *buf, int result, int bits,
                                int record_len)
{
    mbedtls_ecp_group grp;
    const unsigned char *vbuf = buf->x;
    int ret;

    mbedtls_ecp_group_init(&grp);

    ret = mbedtls_ecp_tls_read_group(&grp, &vbuf, buf->len);

    TEST_ASSERT(ret == result);
    if (ret == 0) {
        TEST_ASSERT(mbedtls_mpi_bitlen(&grp.P) == (size_t) bits);
        TEST_ASSERT(vbuf - buf->x ==  record_len);
    }

exit:
    mbedtls_ecp_group_free(&grp);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_tls_write_read_group(int id)
{
    mbedtls_ecp_group grp1, grp2;
    unsigned char buf[10];
    const unsigned char *vbuf = buf;
    size_t len;
    int ret;

    mbedtls_ecp_group_init(&grp1);
    mbedtls_ecp_group_init(&grp2);
    memset(buf, 0x00, sizeof(buf));

    TEST_ASSERT(mbedtls_ecp_group_load(&grp1, id) == 0);

    TEST_ASSERT(mbedtls_ecp_tls_write_group(&grp1, &len, buf, 10) == 0);
    ret = mbedtls_ecp_tls_read_group(&grp2, &vbuf, len);
    TEST_ASSERT(ret == 0);

    if (ret == 0) {
        TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp1.N, &grp2.N) == 0);
        TEST_ASSERT(grp1.id == grp2.id);
    }

exit:
    mbedtls_ecp_group_free(&grp1);
    mbedtls_ecp_group_free(&grp2);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ecp_group_metadata(int id, int bit_size, int crv_type,
                                char *P, char *A, char *B,
                                char *G_x, char *G_y, char *N,
                                int tls_id)
{
    mbedtls_ecp_group grp, grp_read, grp_cpy;
    const mbedtls_ecp_group_id *g_id;
    mbedtls_ecp_group_id read_g_id;
    const mbedtls_ecp_curve_info *crv, *crv_tls_id, *crv_name;

    mbedtls_mpi exp_P, exp_A, exp_B, exp_G_x, exp_G_y, exp_N;

    unsigned char buf[3], ecparameters[3] = { 3, 0, tls_id };
    const unsigned char *vbuf = buf;
    size_t olen;

    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_group_init(&grp_read);
    mbedtls_ecp_group_init(&grp_cpy);

    mbedtls_mpi_init(&exp_P);
    mbedtls_mpi_init(&exp_A);
    mbedtls_mpi_init(&exp_B);
    mbedtls_mpi_init(&exp_G_x);
    mbedtls_mpi_init(&exp_G_y);
    mbedtls_mpi_init(&exp_N);

    // Read expected parameters
    TEST_EQUAL(mbedtls_test_read_mpi(&exp_P, P), 0);
    TEST_EQUAL(mbedtls_test_read_mpi(&exp_A, A), 0);
    TEST_EQUAL(mbedtls_test_read_mpi(&exp_G_x, G_x), 0);
    TEST_EQUAL(mbedtls_test_read_mpi(&exp_N, N), 0);
    TEST_EQUAL(mbedtls_test_read_mpi(&exp_B, B), 0);
    TEST_EQUAL(mbedtls_test_read_mpi(&exp_G_y, G_y), 0);

    // Convert exp_A to internal representation (A+2)/4
    if (crv_type == MBEDTLS_ECP_TYPE_MONTGOMERY) {
        TEST_EQUAL(mbedtls_mpi_add_int(&exp_A, &exp_A, 2), 0);
        TEST_EQUAL(mbedtls_mpi_div_int(&exp_A, NULL, &exp_A, 4), 0);
    }

    // Load group
    TEST_EQUAL(mbedtls_ecp_group_load(&grp, id), 0);

    // Compare group with expected parameters
    // A is NULL for SECPxxxR1 curves
    // B and G_y are NULL for curve25519 and curve448
    TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_P, &grp.P), 0);
    if (*A != 0) {
        TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_A, &grp.A), 0);
    }
    if (*B != 0) {
        TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_B, &grp.B), 0);
    }
    TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_G_x, &grp.G.X), 0);
    if (*G_y != 0) {
        TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_G_y, &grp.G.Y), 0);
    }
    TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_N, &grp.N), 0);

    // Load curve info and compare with known values
    crv = mbedtls_ecp_curve_info_from_grp_id(id);
    TEST_EQUAL(crv->grp_id, id);
    TEST_EQUAL(crv->bit_size, bit_size);
    TEST_EQUAL(crv->tls_id, tls_id);

    // Load curve from TLS ID and name, and compare IDs
    crv_tls_id = mbedtls_ecp_curve_info_from_tls_id(crv->tls_id);
    crv_name = mbedtls_ecp_curve_info_from_name(crv->name);
    TEST_EQUAL(crv_tls_id->grp_id, id);
    TEST_EQUAL(crv_name->grp_id, id);

    // Validate write_group against test data
    TEST_EQUAL(mbedtls_ecp_tls_write_group(&grp, &olen,
                                           buf, sizeof(buf)),
               0);
    TEST_EQUAL(mbedtls_test_hexcmp(buf, ecparameters, olen,
                                   sizeof(ecparameters)),
               0);

    // Read group from buffer and compare with expected ID
    TEST_EQUAL(mbedtls_ecp_tls_read_group_id(&read_g_id, &vbuf, olen),
               0);
    TEST_EQUAL(read_g_id, id);
    vbuf = buf;
    TEST_EQUAL(mbedtls_ecp_tls_read_group(&grp_read, &vbuf, olen),
               0);
    TEST_EQUAL(grp_read.id, id);

    // Check curve type, and if it can be used for ECDH/ECDSA
    TEST_EQUAL(mbedtls_ecp_get_type(&grp), crv_type);
#if defined(MBEDTLS_ECDH_C)
    TEST_EQUAL(mbedtls_ecdh_can_do(id), 1);
#endif
#if defined(MBEDTLS_ECDSA_C)
    TEST_EQUAL(mbedtls_ecdsa_can_do(id),
               crv_type == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS);
#endif

    // Copy group and compare with original
    TEST_EQUAL(mbedtls_ecp_group_copy(&grp_cpy, &grp), 0);
    TEST_EQUAL(mbedtls_ecp_group_cmp(&grp, &grp_cpy), 0);

    // Check curve is in curve list and group ID list
    for (crv = mbedtls_ecp_curve_list();
         crv->grp_id != MBEDTLS_ECP_DP_NONE &&
         crv->grp_id != (unsigned) id;
         crv++) {
        ;
    }
    TEST_EQUAL(crv->grp_id, id);
    for (g_id = mbedtls_ecp_grp_id_list();
         *g_id != MBEDTLS_ECP_DP_NONE && *g_id != (unsigned) id;
         g_id++) {
        ;
    }
    TEST_EQUAL(*g_id, (unsigned) id);

exit:
    mbedtls_ecp_group_free(&grp); mbedtls_ecp_group_free(&grp_cpy);
    mbedtls_ecp_group_free(&grp_read);
    mbedtls_mpi_free(&exp_P); mbedtls_mpi_free(&exp_A);
    mbedtls_mpi_free(&exp_B); mbedtls_mpi_free(&exp_G_x);
    mbedtls_mpi_free(&exp_G_y); mbedtls_mpi_free(&exp_N);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ecp_check_privkey(int id, char *key_hex, int ret)
{
    mbedtls_ecp_group grp;
    mbedtls_mpi d;

    mbedtls_ecp_group_init(&grp);
    mbedtls_mpi_init(&d);

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&d, key_hex) == 0);

    TEST_ASSERT(mbedtls_ecp_check_privkey(&grp, &d) == ret);

exit:
    mbedtls_ecp_group_free(&grp);
    mbedtls_mpi_free(&d);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ecp_check_pub_priv(int id_pub, char *Qx_pub, char *Qy_pub,
                                int id, char *d, char *Qx, char *Qy,
                                int ret)
{
    mbedtls_ecp_keypair pub, prv;
    mbedtls_test_rnd_pseudo_info rnd_info;

    mbedtls_ecp_keypair_init(&pub);
    mbedtls_ecp_keypair_init(&prv);
    memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));

    if (id_pub != MBEDTLS_ECP_DP_NONE) {
        TEST_ASSERT(mbedtls_ecp_group_load(&pub.grp, id_pub) == 0);
    }
    TEST_ASSERT(mbedtls_ecp_point_read_string(&pub.Q, 16, Qx_pub, Qy_pub) == 0);

    if (id != MBEDTLS_ECP_DP_NONE) {
        TEST_ASSERT(mbedtls_ecp_group_load(&prv.grp, id) == 0);
    }
    TEST_ASSERT(mbedtls_ecp_point_read_string(&prv.Q, 16, Qx, Qy) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&prv.d, d) == 0);

    TEST_ASSERT(mbedtls_ecp_check_pub_priv(&pub, &prv,
                                           &mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret);

exit:
    mbedtls_ecp_keypair_free(&pub);
    mbedtls_ecp_keypair_free(&prv);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ecp_gen_keypair(int id)
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_point Q;
    mbedtls_mpi d;
    mbedtls_test_rnd_pseudo_info rnd_info;

    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point_init(&Q);
    mbedtls_mpi_init(&d);
    memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);

    TEST_ASSERT(mbedtls_ecp_gen_keypair(&grp, &d, &Q,
                                        &mbedtls_test_rnd_pseudo_rand,
                                        &rnd_info) == 0);

    TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &Q) == 0);
    TEST_ASSERT(mbedtls_ecp_check_privkey(&grp, &d) == 0);

exit:
    mbedtls_ecp_group_free(&grp);
    mbedtls_ecp_point_free(&Q);
    mbedtls_mpi_free(&d);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ecp_gen_key(int id)
{
    mbedtls_ecp_keypair key;
    mbedtls_test_rnd_pseudo_info rnd_info;

    mbedtls_ecp_keypair_init(&key);
    memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));

    TEST_ASSERT(mbedtls_ecp_gen_key(id, &key,
                                    &mbedtls_test_rnd_pseudo_rand,
                                    &rnd_info) == 0);

    TEST_ASSERT(mbedtls_ecp_check_pubkey(&key.grp, &key.Q) == 0);
    TEST_ASSERT(mbedtls_ecp_check_privkey(&key.grp, &key.d) == 0);

exit:
    mbedtls_ecp_keypair_free(&key);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ecp_read_key(int grp_id, data_t *in_key, int expected, int canonical)
{
    int ret = 0;
    mbedtls_ecp_keypair key;
    mbedtls_ecp_keypair key2;

    mbedtls_ecp_keypair_init(&key);
    mbedtls_ecp_keypair_init(&key2);

    ret = mbedtls_ecp_read_key(grp_id, &key, in_key->x, in_key->len);
    TEST_ASSERT(ret == expected);

    if (expected == 0) {
        ret = mbedtls_ecp_check_privkey(&key.grp, &key.d);
        TEST_ASSERT(ret == 0);

        if (canonical) {
            unsigned char buf[MBEDTLS_ECP_MAX_BYTES];

            ret = mbedtls_ecp_write_key(&key, buf, in_key->len);
            TEST_ASSERT(ret == 0);

            ASSERT_COMPARE(in_key->x, in_key->len,
                           buf, in_key->len);
        } else {
            unsigned char export1[MBEDTLS_ECP_MAX_BYTES];
            unsigned char export2[MBEDTLS_ECP_MAX_BYTES];

            ret = mbedtls_ecp_write_key(&key, export1, in_key->len);
            TEST_ASSERT(ret == 0);

            ret = mbedtls_ecp_read_key(grp_id, &key2, export1, in_key->len);
            TEST_ASSERT(ret == expected);

            ret = mbedtls_ecp_write_key(&key2, export2, in_key->len);
            TEST_ASSERT(ret == 0);

            ASSERT_COMPARE(export1, in_key->len,
                           export2, in_key->len);
        }
    }

exit:
    mbedtls_ecp_keypair_free(&key);
    mbedtls_ecp_keypair_free(&key2);
}
/* END_CASE */

/* BEGIN_CASE depends_on:HAVE_FIX_NEGATIVE */
void fix_negative(data_t *N_bin, int c, int bits)
{
    mbedtls_mpi C, M, N;

    mbedtls_mpi_init(&C);
    mbedtls_mpi_init(&M);
    mbedtls_mpi_init(&N);

    /* C = - c * 2^bits (positive since c is negative) */
    TEST_EQUAL(0, mbedtls_mpi_lset(&C, -c));
    TEST_EQUAL(0, mbedtls_mpi_shift_l(&C, bits));

    TEST_EQUAL(0, mbedtls_mpi_read_binary(&N, N_bin->x, N_bin->len));
    TEST_EQUAL(0, mbedtls_mpi_grow(&N, C.n));

    /* M = N - C = - ( C - N ) (expected result of fix_negative) */
    TEST_EQUAL(0, mbedtls_mpi_sub_mpi(&M, &N, &C));

    mbedtls_ecp_fix_negative(&N, c, bits);

    TEST_EQUAL(0, mbedtls_mpi_cmp_mpi(&N, &M));

exit:
    mbedtls_mpi_free(&C);
    mbedtls_mpi_free(&M);
    mbedtls_mpi_free(&N);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_MONTGOMERY_ENABLED */
void genkey_mx_known_answer(int bits, data_t *seed, data_t *expected)
{
    mbedtls_test_rnd_buf_info rnd_info;
    mbedtls_mpi d;
    int ret;
    uint8_t *actual = NULL;

    mbedtls_mpi_init(&d);
    rnd_info.buf = seed->x;
    rnd_info.length = seed->len;
    rnd_info.fallback_f_rng = NULL;
    rnd_info.fallback_p_rng = NULL;

    ASSERT_ALLOC(actual, expected->len);

    ret = mbedtls_ecp_gen_privkey_mx(bits, &d,
                                     mbedtls_test_rnd_buffer_rand, &rnd_info);

    if (expected->len == 0) {
        /* Expecting an error (happens if there isn't enough randomness) */
        TEST_ASSERT(ret != 0);
    } else {
        TEST_EQUAL(ret, 0);
        TEST_EQUAL((size_t) bits + 1, mbedtls_mpi_bitlen(&d));
        TEST_EQUAL(0, mbedtls_mpi_write_binary(&d, actual, expected->len));
        /* Test the exact result. This assumes that the output of the
         * RNG is used in a specific way, which is overly constraining.
         * The advantage is that it's easier to test the expected properties
         * of the generated key:
         * - The most significant bit must be at a specific positions
         *   (can be enforced by checking the bit-length).
         * - The least significant bits must have specific values
         *   (can be enforced by checking these bits).
         * - Other bits must be random (by testing with different RNG outputs,
         *   we validate that those bits are indeed influenced by the RNG). */
        ASSERT_COMPARE(expected->x, expected->len,
                       actual, expected->len);
    }

exit:
    mbedtls_free(actual);
    mbedtls_mpi_free(&d);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_set_zero(int id, data_t *P_bin)
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_point pt, zero_pt, nonzero_pt;

    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point_init(&pt);
    mbedtls_ecp_point_init(&zero_pt);
    mbedtls_ecp_point_init(&nonzero_pt);

    // Set zero and non-zero points for comparison
    TEST_EQUAL(mbedtls_ecp_set_zero(&zero_pt), 0);
    TEST_EQUAL(mbedtls_ecp_group_load(&grp, id), 0);
    TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &nonzero_pt,
                                             P_bin->x, P_bin->len), 0);
    TEST_EQUAL(mbedtls_ecp_is_zero(&zero_pt), 1);
    TEST_EQUAL(mbedtls_ecp_is_zero(&nonzero_pt), 0);

    // Test initialized point
    TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0);
    TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1);
    TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0);
    TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &zero_pt),
               MBEDTLS_ERR_ECP_BAD_INPUT_DATA);

    // Test zeroed point
    TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0);
    TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1);
    TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0);
    TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt),
               MBEDTLS_ERR_ECP_BAD_INPUT_DATA);

    // Set point to non-zero value
    TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &pt,
                                             P_bin->x, P_bin->len), 0);
    TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 0);
    TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt),
               MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
    TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt), 0);

    // Test non-zero point
    TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0);
    TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1);
    TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0);
    TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt),
               MBEDTLS_ERR_ECP_BAD_INPUT_DATA);

    // Test freed non-zero point
    TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &pt,
                                             P_bin->x, P_bin->len), 0);
    mbedtls_ecp_point_free(&pt);
    TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0);
    TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1);
    TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0);
    TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt),
               MBEDTLS_ERR_ECP_BAD_INPUT_DATA);

exit:
    mbedtls_ecp_group_free(&grp);
    mbedtls_ecp_point_free(&pt);
    mbedtls_ecp_point_free(&zero_pt);
    mbedtls_ecp_point_free(&nonzero_pt);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void ecp_selftest()
{
    TEST_ASSERT(mbedtls_ecp_self_test(1) == 0);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_export(int id, char *Qx, char *Qy, char *d, int expected_ret, int invalid_grp)
{
    mbedtls_ecp_keypair key;
    mbedtls_ecp_group export_grp;
    mbedtls_mpi export_d;
    mbedtls_ecp_point export_Q;

    mbedtls_ecp_group_init(&export_grp);
    mbedtls_ecp_group_init(&key.grp);
    mbedtls_mpi_init(&export_d);
    mbedtls_ecp_point_init(&export_Q);

    mbedtls_ecp_keypair_init(&key);
    if (invalid_grp == 0) {
        TEST_ASSERT(mbedtls_ecp_group_load(&key.grp, id) == 0);
    }
    TEST_ASSERT(mbedtls_ecp_point_read_string(&key.Q, 16, Qx, Qy) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&key.d, d) == 0);

    TEST_EQUAL(mbedtls_ecp_export(&key, &export_grp,
                                  &export_d, &export_Q), expected_ret);

    if (expected_ret == 0) {
        TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &export_Q), 0);
        TEST_EQUAL(mbedtls_mpi_cmp_mpi(&key.d, &export_d), 0);
        TEST_EQUAL(mbedtls_ecp_group_cmp(&key.grp, &export_grp), 0);
    }

exit:
    mbedtls_ecp_keypair_free(&key);
    mbedtls_ecp_group_free(&export_grp);
    mbedtls_mpi_free(&export_d);
    mbedtls_ecp_point_free(&export_Q);
}
/* END_CASE */

/* BEGIN_CASE */
void ecp_check_order(int id, char *expected_order_hex)
{
    mbedtls_ecp_group grp;
    mbedtls_mpi expected_n;

    mbedtls_ecp_group_init(&grp);
    mbedtls_mpi_init(&expected_n);

    TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
    TEST_ASSERT(mbedtls_test_read_mpi(&expected_n, expected_order_hex) == 0);

    // check sign bits are well-formed (i.e. 1 or -1) - see #5810
    TEST_ASSERT(grp.N.s == -1 || grp.N.s == 1);
    TEST_ASSERT(expected_n.s == -1 || expected_n.s == 1);

    TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.N, &expected_n) == 0);

exit:
    mbedtls_ecp_group_free(&grp);
    mbedtls_mpi_free(&expected_n);
}
/* END_CASE */