TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 9a1d02d738243c3b01b0bdd0351adce1722d9e84 / . / tests / suites / test_suite_ecp.function
blob: 96537c2b3bc3c4e6130fb5e6177efaab27648fa1 [file] [log] [blame]
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]1/* BEGIN_HEADER */
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]2#include "mbedtls/ecp.h"
Minos Galanakis9a1d02d2023-02-03 19:14:56 +0000[diff] [blame^]3#include "ecp_invasive.h"
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]4#include "mbedtls/ecdsa.h"
5#include "mbedtls/ecdh.h"
Paul Bakkerdbd443d2013-08-16 13:38:47 +0200[diff] [blame]6
Gabor Mezei23d4b8b2023-02-13 14:13:33 +0100[diff] [blame]7#include "bignum_core.h"
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]8#include "ecp_invasive.h"
Gabor Mezeid8f67b92023-02-06 15:49:42 +0100[diff] [blame]9#include "bignum_mod_raw_invasive.h"
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]10
11#if defined(MBEDTLS_TEST_HOOKS) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]12 (defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
13 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
14 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED))
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]15#define HAVE_FIX_NEGATIVE
16#endif
17
Manuel Pégourié-Gonnard6c7af4c2015-04-03 16:41:52 +0200[diff] [blame]18#define ECP_PF_UNKNOWN -1
Manuel Pégourié-Gonnard7a28e992018-10-16 11:22:45 +0200[diff] [blame]19
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]20#define ECP_PT_RESET(x) \
21 mbedtls_ecp_point_free(x); \
22 mbedtls_ecp_point_init(x);
Gilles Peskine78880732021-03-29 21:32:16 +0200[diff] [blame]23
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]24/* Auxiliary function to compare two mbedtls_ecp_group objects. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]25inline static int mbedtls_ecp_group_cmp(mbedtls_ecp_group *grp1,
26 mbedtls_ecp_group *grp2)
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]27{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]28 if (mbedtls_mpi_cmp_mpi(&grp1->P, &grp2->P) != 0) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]29 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]30 }
31 if (mbedtls_mpi_cmp_mpi(&grp1->A, &grp2->A) != 0) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]32 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]33 }
34 if (mbedtls_mpi_cmp_mpi(&grp1->B, &grp2->B) != 0) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]35 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]36 }
37 if (mbedtls_mpi_cmp_mpi(&grp1->N, &grp2->N) != 0) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]38 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]39 }
40 if (mbedtls_ecp_point_cmp(&grp1->G, &grp2->G) != 0) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]41 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]42 }
43 if (grp1->id != grp2->id) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]44 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]45 }
46 if (grp1->pbits != grp2->pbits) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]47 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]48 }
49 if (grp1->nbits != grp2->nbits) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]50 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]51 }
52 if (grp1->h != grp2->h) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]53 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]54 }
55 if (grp1->modp != grp2->modp) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]56 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]57 }
58 if (grp1->t_pre != grp2->t_pre) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]59 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]60 }
61 if (grp1->t_post != grp2->t_post) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]62 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]63 }
64 if (grp1->t_data != grp2->t_data) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]65 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]66 }
67 if (grp1->T_size != grp2->T_size) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]68 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]69 }
70 if (grp1->T != grp2->T) {
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]71 return 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]72 }
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]73
74 return 0;
75}
76
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]77/* END_HEADER */
Manuel Pégourié-Gonnard4b8c3f22012-11-07 21:39:45 +0100[diff] [blame]78
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]79/* BEGIN_DEPENDENCIES
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]80 * depends_on:MBEDTLS_ECP_C
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]81 * END_DEPENDENCIES
82 */
Manuel Pégourié-Gonnard4b8c3f22012-11-07 21:39:45 +0100[diff] [blame]83
Tuvshinzaya Erdenekhuufb389dd2022-07-27 15:23:02 +0100[diff] [blame]84/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]85void ecp_invalid_param()
Hanno Becker12dff032018-12-14 15:08:13 +0000[diff] [blame]86{
87 mbedtls_ecp_group grp;
Hanno Becker12dff032018-12-14 15:08:13 +0000[diff] [blame]88 mbedtls_ecp_point P;
Hanno Becker12dff032018-12-14 15:08:13 +0000[diff] [blame]89 int invalid_fmt = 42;
90 size_t olen;
91 unsigned char buf[42] = { 0 };
Hanno Becker12dff032018-12-14 15:08:13 +0000[diff] [blame]92
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]93 mbedtls_ecp_group_init(&grp);
94 mbedtls_ecp_point_init(&P);
Gabor Mezeif29c2a52022-09-23 15:25:27 +0200[diff] [blame]95
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]96 TEST_EQUAL(MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
97 mbedtls_ecp_point_write_binary(&grp, &P,
98 invalid_fmt,
99 &olen,
100 buf, sizeof(buf)));
101 TEST_EQUAL(MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
102 mbedtls_ecp_tls_write_point(&grp, &P,
103 invalid_fmt,
104 &olen,
105 buf,
106 sizeof(buf)));
Hanno Becker12dff032018-12-14 15:08:13 +0000[diff] [blame]107
108exit:
109 return;
110}
111/* END_CASE */
112
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]113/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114void mbedtls_ecp_curve_info(int id, int tls_id, int size, char *name)
Manuel Pégourié-Gonnard0267e3d2013-11-30 15:10:14 +0100[diff] [blame]115{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]116 const mbedtls_ecp_curve_info *by_id, *by_tls, *by_name;
Manuel Pégourié-Gonnard0267e3d2013-11-30 15:10:14 +0100[diff] [blame]117
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]118 by_id = mbedtls_ecp_curve_info_from_grp_id(id);
119 by_tls = mbedtls_ecp_curve_info_from_tls_id(tls_id);
120 by_name = mbedtls_ecp_curve_info_from_name(name);
121 TEST_ASSERT(by_id != NULL);
122 TEST_ASSERT(by_tls != NULL);
123 TEST_ASSERT(by_name != NULL);
Manuel Pégourié-Gonnard0267e3d2013-11-30 15:10:14 +0100[diff] [blame]124
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]125 TEST_ASSERT(by_id == by_tls);
126 TEST_ASSERT(by_id == by_name);
Manuel Pégourié-Gonnard0267e3d2013-11-30 15:10:14 +0100[diff] [blame]127
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]128 TEST_ASSERT(by_id->bit_size == size);
129 TEST_ASSERT(size <= MBEDTLS_ECP_MAX_BITS);
130 TEST_ASSERT(size <= MBEDTLS_ECP_MAX_BYTES * 8);
Manuel Pégourié-Gonnard0267e3d2013-11-30 15:10:14 +0100[diff] [blame]131}
132/* END_CASE */
133
134/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]135void ecp_check_pub(int grp_id, char *x_hex, char *y_hex, char *z_hex,
136 int ret)
Manuel Pégourié-Gonnard312d2e82013-12-04 11:08:01 +0100[diff] [blame]137{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]138 mbedtls_ecp_group grp;
139 mbedtls_ecp_point P;
Manuel Pégourié-Gonnard312d2e82013-12-04 11:08:01 +0100[diff] [blame]140
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]141 mbedtls_ecp_group_init(&grp);
142 mbedtls_ecp_point_init(&P);
Manuel Pégourié-Gonnard312d2e82013-12-04 11:08:01 +0100[diff] [blame]143
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]144 TEST_ASSERT(mbedtls_ecp_group_load(&grp, grp_id) == 0);
Manuel Pégourié-Gonnard312d2e82013-12-04 11:08:01 +0100[diff] [blame]145
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]146 TEST_ASSERT(mbedtls_test_read_mpi(&P.X, x_hex) == 0);
147 TEST_ASSERT(mbedtls_test_read_mpi(&P.Y, y_hex) == 0);
148 TEST_ASSERT(mbedtls_test_read_mpi(&P.Z, z_hex) == 0);
Manuel Pégourié-Gonnard312d2e82013-12-04 11:08:01 +0100[diff] [blame]149
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]150 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &P) == ret);
Manuel Pégourié-Gonnard312d2e82013-12-04 11:08:01 +0100[diff] [blame]151
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]152exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]153 mbedtls_ecp_group_free(&grp);
154 mbedtls_ecp_point_free(&P);
Manuel Pégourié-Gonnard312d2e82013-12-04 11:08:01 +0100[diff] [blame]155}
156/* END_CASE */
157
Manuel Pégourié-Gonnard4b9c51e2017-04-20 15:50:26 +0200[diff] [blame]158/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]159void ecp_test_vect_restart(int id,
160 char *dA_str, char *xA_str, char *yA_str,
161 char *dB_str, char *xZ_str, char *yZ_str,
162 int max_ops, int min_restarts, int max_restarts)
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]163{
164 /*
165 * Test for early restart. Based on test vectors like ecp_test_vect(),
166 * but for the sake of simplicity only does half of each side. It's
167 * important to test both base point and random point, though, as memory
168 * management is different in each case.
169 *
170 * Don't try using too precise bounds for restarts as the exact number
171 * will depend on settings such as MBEDTLS_ECP_FIXED_POINT_OPTIM and
172 * MBEDTLS_ECP_WINDOW_SIZE, as well as implementation details that may
173 * change in the future. A factor 2 is a minimum safety margin.
174 *
175 * For reference, with mbed TLS 2.4 and default settings, for P-256:
Manuel Pégourié-Gonnard9c5c78f2017-03-20 14:13:07 +0100[diff] [blame]176 * - Random point mult: ~3250M
177 * - Cold base point mult: ~3300M
178 * - Hot base point mult: ~1100M
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]179 * With MBEDTLS_ECP_WINDOW_SIZE set to 2 (minimum):
Manuel Pégourié-Gonnard9c5c78f2017-03-20 14:13:07 +0100[diff] [blame]180 * - Random point mult: ~3850M
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]181 */
Manuel Pégourié-Gonnardb739a712017-04-19 10:11:56 +0200[diff] [blame]182 mbedtls_ecp_restart_ctx ctx;
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]183 mbedtls_ecp_group grp;
Manuel Pégourié-Gonnard7a28e992018-10-16 11:22:45 +0200[diff] [blame]184 mbedtls_ecp_point R, P;
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]185 mbedtls_mpi dA, xA, yA, dB, xZ, yZ;
186 int cnt_restarts;
187 int ret;
Manuel Pégourié-Gonnardaa3ed6f2021-06-15 11:29:26 +0200[diff] [blame]188 mbedtls_test_rnd_pseudo_info rnd_info;
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]189
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]190 mbedtls_ecp_restart_init(&ctx);
191 mbedtls_ecp_group_init(&grp);
192 mbedtls_ecp_point_init(&R); mbedtls_ecp_point_init(&P);
193 mbedtls_mpi_init(&dA); mbedtls_mpi_init(&xA); mbedtls_mpi_init(&yA);
194 mbedtls_mpi_init(&dB); mbedtls_mpi_init(&xZ); mbedtls_mpi_init(&yZ);
195 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]196
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]197 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]198
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]199 TEST_ASSERT(mbedtls_test_read_mpi(&dA, dA_str) == 0);
200 TEST_ASSERT(mbedtls_test_read_mpi(&xA, xA_str) == 0);
201 TEST_ASSERT(mbedtls_test_read_mpi(&yA, yA_str) == 0);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]202
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]203 TEST_ASSERT(mbedtls_test_read_mpi(&dB, dB_str) == 0);
204 TEST_ASSERT(mbedtls_test_read_mpi(&xZ, xZ_str) == 0);
205 TEST_ASSERT(mbedtls_test_read_mpi(&yZ, yZ_str) == 0);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]206
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]207 mbedtls_ecp_set_max_ops((unsigned) max_ops);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]208
209 /* Base point case */
210 cnt_restarts = 0;
211 do {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]212 ECP_PT_RESET(&R);
213 ret = mbedtls_ecp_mul_restartable(&grp, &R, &dA, &grp.G,
214 &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx);
215 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]216
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]217 TEST_ASSERT(ret == 0);
218 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xA) == 0);
219 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yA) == 0);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]220
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]221 TEST_ASSERT(cnt_restarts >= min_restarts);
222 TEST_ASSERT(cnt_restarts <= max_restarts);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]223
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]224 /* Non-base point case */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]225 mbedtls_ecp_copy(&P, &R);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]226 cnt_restarts = 0;
227 do {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]228 ECP_PT_RESET(&R);
229 ret = mbedtls_ecp_mul_restartable(&grp, &R, &dB, &P,
230 &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx);
231 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]232
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]233 TEST_ASSERT(ret == 0);
234 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xZ) == 0);
235 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yZ) == 0);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]236
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]237 TEST_ASSERT(cnt_restarts >= min_restarts);
238 TEST_ASSERT(cnt_restarts <= max_restarts);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]239
Manuel Pégourié-Gonnard46ba7f32017-08-28 12:20:39 +0200[diff] [blame]240 /* Do we leak memory when aborting an operation?
241 * This test only makes sense when we actually restart */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]242 if (min_restarts > 0) {
243 ret = mbedtls_ecp_mul_restartable(&grp, &R, &dB, &P,
244 &mbedtls_test_rnd_pseudo_rand, &rnd_info, &ctx);
245 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
Manuel Pégourié-Gonnard46ba7f32017-08-28 12:20:39 +0200[diff] [blame]246 }
Manuel Pégourié-Gonnard77af79a2017-03-14 10:58:00 +0100[diff] [blame]247
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]248exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]249 mbedtls_ecp_restart_free(&ctx);
250 mbedtls_ecp_group_free(&grp);
251 mbedtls_ecp_point_free(&R); mbedtls_ecp_point_free(&P);
252 mbedtls_mpi_free(&dA); mbedtls_mpi_free(&xA); mbedtls_mpi_free(&yA);
253 mbedtls_mpi_free(&dB); mbedtls_mpi_free(&xZ); mbedtls_mpi_free(&yZ);
Manuel Pégourié-Gonnard510d5ca2017-03-08 11:41:47 +0100[diff] [blame]254}
255/* END_CASE */
256
Manuel Pégourié-Gonnard57866462022-12-06 12:14:49 +0100[diff] [blame]257/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]258void ecp_muladd_restart(int id, char *xR_str, char *yR_str,
259 char *u1_str, char *u2_str,
260 char *xQ_str, char *yQ_str,
261 int max_ops, int min_restarts, int max_restarts)
Manuel Pégourié-Gonnard54dd6522017-04-20 13:36:18 +0200[diff] [blame]262{
263 /*
264 * Compute R = u1 * G + u2 * Q
265 * (test vectors mostly taken from ECDSA intermediate results)
266 *
267 * See comments at the top of ecp_test_vect_restart()
268 */
269 mbedtls_ecp_restart_ctx ctx;
270 mbedtls_ecp_group grp;
271 mbedtls_ecp_point R, Q;
272 mbedtls_mpi u1, u2, xR, yR;
273 int cnt_restarts;
274 int ret;
275
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]276 mbedtls_ecp_restart_init(&ctx);
277 mbedtls_ecp_group_init(&grp);
278 mbedtls_ecp_point_init(&R);
279 mbedtls_ecp_point_init(&Q);
280 mbedtls_mpi_init(&u1); mbedtls_mpi_init(&u2);
281 mbedtls_mpi_init(&xR); mbedtls_mpi_init(&yR);
Manuel Pégourié-Gonnard54dd6522017-04-20 13:36:18 +0200[diff] [blame]282
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]283 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
Manuel Pégourié-Gonnard54dd6522017-04-20 13:36:18 +0200[diff] [blame]284
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]285 TEST_ASSERT(mbedtls_test_read_mpi(&u1, u1_str) == 0);
286 TEST_ASSERT(mbedtls_test_read_mpi(&u2, u2_str) == 0);
287 TEST_ASSERT(mbedtls_test_read_mpi(&xR, xR_str) == 0);
288 TEST_ASSERT(mbedtls_test_read_mpi(&yR, yR_str) == 0);
Manuel Pégourié-Gonnard54dd6522017-04-20 13:36:18 +0200[diff] [blame]289
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]290 TEST_ASSERT(mbedtls_test_read_mpi(&Q.X, xQ_str) == 0);
291 TEST_ASSERT(mbedtls_test_read_mpi(&Q.Y, yQ_str) == 0);
292 TEST_ASSERT(mbedtls_mpi_lset(&Q.Z, 1) == 0);
Manuel Pégourié-Gonnard54dd6522017-04-20 13:36:18 +0200[diff] [blame]293
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]294 mbedtls_ecp_set_max_ops((unsigned) max_ops);
Manuel Pégourié-Gonnard54dd6522017-04-20 13:36:18 +0200[diff] [blame]295
296 cnt_restarts = 0;
297 do {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]298 ECP_PT_RESET(&R);
299 ret = mbedtls_ecp_muladd_restartable(&grp, &R,
300 &u1, &grp.G, &u2, &Q, &ctx);
301 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts);
Manuel Pégourié-Gonnard54dd6522017-04-20 13:36:18 +0200[diff] [blame]302
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]303 TEST_ASSERT(ret == 0);
304 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xR) == 0);
305 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yR) == 0);
Manuel Pégourié-Gonnard54dd6522017-04-20 13:36:18 +0200[diff] [blame]306
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]307 TEST_ASSERT(cnt_restarts >= min_restarts);
308 TEST_ASSERT(cnt_restarts <= max_restarts);
Manuel Pégourié-Gonnard54dd6522017-04-20 13:36:18 +0200[diff] [blame]309
Manuel Pégourié-Gonnard46ba7f32017-08-28 12:20:39 +0200[diff] [blame]310 /* Do we leak memory when aborting an operation?
311 * This test only makes sense when we actually restart */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]312 if (min_restarts > 0) {
313 ret = mbedtls_ecp_muladd_restartable(&grp, &R,
314 &u1, &grp.G, &u2, &Q, &ctx);
315 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
Manuel Pégourié-Gonnard46ba7f32017-08-28 12:20:39 +0200[diff] [blame]316 }
Manuel Pégourié-Gonnard54dd6522017-04-20 13:36:18 +0200[diff] [blame]317
318exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 mbedtls_ecp_restart_free(&ctx);
320 mbedtls_ecp_group_free(&grp);
321 mbedtls_ecp_point_free(&R);
322 mbedtls_ecp_point_free(&Q);
323 mbedtls_mpi_free(&u1); mbedtls_mpi_free(&u2);
324 mbedtls_mpi_free(&xR); mbedtls_mpi_free(&yR);
Manuel Pégourié-Gonnard54dd6522017-04-20 13:36:18 +0200[diff] [blame]325}
326/* END_CASE */
327
Manuel Pégourié-Gonnard312d2e82013-12-04 11:08:01 +0100[diff] [blame]328/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]329void ecp_test_vect(int id, char *dA_str, char *xA_str, char *yA_str,
330 char *dB_str, char *xB_str, char *yB_str,
331 char *xZ_str, char *yZ_str)
Manuel Pégourié-Gonnard4b8c3f22012-11-07 21:39:45 +0100[diff] [blame]332{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]333 mbedtls_ecp_group grp;
334 mbedtls_ecp_point R;
335 mbedtls_mpi dA, xA, yA, dB, xB, yB, xZ, yZ;
Ronald Cron351f0ee2020-06-10 12:12:18 +0200[diff] [blame]336 mbedtls_test_rnd_pseudo_info rnd_info;
Manuel Pégourié-Gonnard4b8c3f22012-11-07 21:39:45 +0100[diff] [blame]337
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]338 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&R);
339 mbedtls_mpi_init(&dA); mbedtls_mpi_init(&xA); mbedtls_mpi_init(&yA); mbedtls_mpi_init(&dB);
340 mbedtls_mpi_init(&xB); mbedtls_mpi_init(&yB); mbedtls_mpi_init(&xZ); mbedtls_mpi_init(&yZ);
341 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));
Manuel Pégourié-Gonnard4b8c3f22012-11-07 21:39:45 +0100[diff] [blame]342
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]343 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
Manuel Pégourié-Gonnard4b8c3f22012-11-07 21:39:45 +0100[diff] [blame]344
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]345 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0);
Manuel Pégourié-Gonnard1c330572012-11-24 12:05:44 +0100[diff] [blame]346
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]347 TEST_ASSERT(mbedtls_test_read_mpi(&dA, dA_str) == 0);
348 TEST_ASSERT(mbedtls_test_read_mpi(&xA, xA_str) == 0);
349 TEST_ASSERT(mbedtls_test_read_mpi(&yA, yA_str) == 0);
350 TEST_ASSERT(mbedtls_test_read_mpi(&dB, dB_str) == 0);
351 TEST_ASSERT(mbedtls_test_read_mpi(&xB, xB_str) == 0);
352 TEST_ASSERT(mbedtls_test_read_mpi(&yB, yB_str) == 0);
353 TEST_ASSERT(mbedtls_test_read_mpi(&xZ, xZ_str) == 0);
354 TEST_ASSERT(mbedtls_test_read_mpi(&yZ, yZ_str) == 0);
Manuel Pégourié-Gonnarde739f012012-11-07 12:24:22 +0100[diff] [blame]355
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]356 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &grp.G,
357 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
358 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xA) == 0);
359 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yA) == 0);
360 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
361 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &R,
362 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
363 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xZ) == 0);
364 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yZ) == 0);
365 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
Manuel Pégourié-Gonnarde739f012012-11-07 12:24:22 +0100[diff] [blame]366
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]367 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &grp.G,
368 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
369 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xB) == 0);
370 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yB) == 0);
371 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
372 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &R,
373 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
374 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xZ) == 0);
375 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.Y, &yZ) == 0);
376 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
Manuel Pégourié-Gonnarde739f012012-11-07 12:24:22 +0100[diff] [blame]377
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]378exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]379 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&R);
380 mbedtls_mpi_free(&dA); mbedtls_mpi_free(&xA); mbedtls_mpi_free(&yA); mbedtls_mpi_free(&dB);
381 mbedtls_mpi_free(&xB); mbedtls_mpi_free(&yB); mbedtls_mpi_free(&xZ); mbedtls_mpi_free(&yZ);
Manuel Pégourié-Gonnard4b8c3f22012-11-07 21:39:45 +0100[diff] [blame]382}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]383/* END_CASE */
Manuel Pégourié-Gonnard84338242012-11-11 20:45:18 +0100[diff] [blame]384
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]385/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386void ecp_test_vec_x(int id, char *dA_hex, char *xA_hex, char *dB_hex,
387 char *xB_hex, char *xS_hex)
Manuel Pégourié-Gonnarda0179b82013-12-04 11:49:20 +0100[diff] [blame]388{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]389 mbedtls_ecp_group grp;
390 mbedtls_ecp_point R;
391 mbedtls_mpi dA, xA, dB, xB, xS;
Ronald Cron351f0ee2020-06-10 12:12:18 +0200[diff] [blame]392 mbedtls_test_rnd_pseudo_info rnd_info;
Manuel Pégourié-Gonnarda0179b82013-12-04 11:49:20 +0100[diff] [blame]393
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]394 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&R);
395 mbedtls_mpi_init(&dA); mbedtls_mpi_init(&xA);
396 mbedtls_mpi_init(&dB); mbedtls_mpi_init(&xB);
397 mbedtls_mpi_init(&xS);
398 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));
Manuel Pégourié-Gonnarda0179b82013-12-04 11:49:20 +0100[diff] [blame]399
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
Manuel Pégourié-Gonnarda0179b82013-12-04 11:49:20 +0100[diff] [blame]401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]402 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0);
Manuel Pégourié-Gonnarda0179b82013-12-04 11:49:20 +0100[diff] [blame]403
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]404 TEST_ASSERT(mbedtls_test_read_mpi(&dA, dA_hex) == 0);
405 TEST_ASSERT(mbedtls_test_read_mpi(&dB, dB_hex) == 0);
406 TEST_ASSERT(mbedtls_test_read_mpi(&xA, xA_hex) == 0);
407 TEST_ASSERT(mbedtls_test_read_mpi(&xB, xB_hex) == 0);
408 TEST_ASSERT(mbedtls_test_read_mpi(&xS, xS_hex) == 0);
Manuel Pégourié-Gonnarda0179b82013-12-04 11:49:20 +0100[diff] [blame]409
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]410 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &grp.G,
411 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
412 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
413 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xA) == 0);
Manuel Pégourié-Gonnarda0179b82013-12-04 11:49:20 +0100[diff] [blame]414
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &R,
416 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
417 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
418 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xS) == 0);
Manuel Pégourié-Gonnarda0179b82013-12-04 11:49:20 +0100[diff] [blame]419
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]420 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dB, &grp.G,
421 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
422 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
423 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xB) == 0);
Manuel Pégourié-Gonnarda0179b82013-12-04 11:49:20 +0100[diff] [blame]424
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]425 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &dA, &R,
426 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == 0);
427 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &R) == 0);
428 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&R.X, &xS) == 0);
Manuel Pégourié-Gonnarda0179b82013-12-04 11:49:20 +0100[diff] [blame]429
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]430exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]431 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&R);
432 mbedtls_mpi_free(&dA); mbedtls_mpi_free(&xA);
433 mbedtls_mpi_free(&dB); mbedtls_mpi_free(&xB);
434 mbedtls_mpi_free(&xS);
Manuel Pégourié-Gonnarda0179b82013-12-04 11:49:20 +0100[diff] [blame]435}
436/* END_CASE */
437
438/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]439void ecp_test_mul(int id, data_t *n_hex,
440 data_t *Px_hex, data_t *Py_hex, data_t *Pz_hex,
441 data_t *nPx_hex, data_t *nPy_hex, data_t *nPz_hex,
442 int expected_ret)
Janos Follath182b0b92019-04-26 14:28:19 +0100[diff] [blame]443{
444 mbedtls_ecp_group grp;
445 mbedtls_ecp_point P, nP, R;
446 mbedtls_mpi n;
Ronald Cron351f0ee2020-06-10 12:12:18 +0200[diff] [blame]447 mbedtls_test_rnd_pseudo_info rnd_info;
Janos Follath182b0b92019-04-26 14:28:19 +0100[diff] [blame]448
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]449 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&R);
450 mbedtls_ecp_point_init(&P); mbedtls_ecp_point_init(&nP);
451 mbedtls_mpi_init(&n);
452 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));
Janos Follath182b0b92019-04-26 14:28:19 +0100[diff] [blame]453
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]454 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
Janos Follath182b0b92019-04-26 14:28:19 +0100[diff] [blame]455
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]456 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0);
Janos Follath182b0b92019-04-26 14:28:19 +0100[diff] [blame]457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458 TEST_ASSERT(mbedtls_mpi_read_binary(&n, n_hex->x, n_hex->len) == 0);
Janos Follath182b0b92019-04-26 14:28:19 +0100[diff] [blame]459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]460 TEST_ASSERT(mbedtls_mpi_read_binary(&P.X, Px_hex->x, Px_hex->len) == 0);
461 TEST_ASSERT(mbedtls_mpi_read_binary(&P.Y, Py_hex->x, Py_hex->len) == 0);
462 TEST_ASSERT(mbedtls_mpi_read_binary(&P.Z, Pz_hex->x, Pz_hex->len) == 0);
463 TEST_ASSERT(mbedtls_mpi_read_binary(&nP.X, nPx_hex->x, nPx_hex->len)
464 == 0);
465 TEST_ASSERT(mbedtls_mpi_read_binary(&nP.Y, nPy_hex->x, nPy_hex->len)
466 == 0);
467 TEST_ASSERT(mbedtls_mpi_read_binary(&nP.Z, nPz_hex->x, nPz_hex->len)
468 == 0);
Janos Follath182b0b92019-04-26 14:28:19 +0100[diff] [blame]469
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]470 TEST_ASSERT(mbedtls_ecp_mul(&grp, &R, &n, &P,
471 &mbedtls_test_rnd_pseudo_rand, &rnd_info)
472 == expected_ret);
Janos Follath182b0b92019-04-26 14:28:19 +0100[diff] [blame]473
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 if (expected_ret == 0) {
475 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&nP.X, &R.X) == 0);
476 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&nP.Y, &R.Y) == 0);
477 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&nP.Z, &R.Z) == 0);
Janos Follath182b0b92019-04-26 14:28:19 +0100[diff] [blame]478 }
479
480exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]481 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&R);
482 mbedtls_ecp_point_free(&P); mbedtls_ecp_point_free(&nP);
483 mbedtls_mpi_free(&n);
Janos Follath182b0b92019-04-26 14:28:19 +0100[diff] [blame]484}
485/* END_CASE */
486
487/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]488void ecp_test_mul_rng(int id, data_t *d_hex)
Jonas923d5792020-05-13 14:22:45 +0900[diff] [blame]489{
490 mbedtls_ecp_group grp;
491 mbedtls_mpi d;
492 mbedtls_ecp_point Q;
493
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]494 mbedtls_ecp_group_init(&grp); mbedtls_mpi_init(&d);
495 mbedtls_ecp_point_init(&Q);
Jonas923d5792020-05-13 14:22:45 +0900[diff] [blame]496
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]497 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
Jonas923d5792020-05-13 14:22:45 +0900[diff] [blame]498
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]499 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &grp.G) == 0);
Jonas923d5792020-05-13 14:22:45 +0900[diff] [blame]500
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]501 TEST_ASSERT(mbedtls_mpi_read_binary(&d, d_hex->x, d_hex->len) == 0);
Jonas923d5792020-05-13 14:22:45 +0900[diff] [blame]502
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 TEST_ASSERT(mbedtls_ecp_mul(&grp, &Q, &d, &grp.G,
504 &mbedtls_test_rnd_zero_rand, NULL)
505 == MBEDTLS_ERR_ECP_RANDOM_FAILED);
Jonas923d5792020-05-13 14:22:45 +0900[diff] [blame]506
507exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]508 mbedtls_ecp_group_free(&grp); mbedtls_mpi_free(&d);
509 mbedtls_ecp_point_free(&Q);
Jonas923d5792020-05-13 14:22:45 +0900[diff] [blame]510}
511/* END_CASE */
512
Gilles Peskineca91ee42021-04-03 18:31:01 +0200[diff] [blame]513/* BEGIN_CASE depends_on:MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]514void ecp_muladd(int id,
515 data_t *u1_bin, data_t *P1_bin,
516 data_t *u2_bin, data_t *P2_bin,
517 data_t *expected_result)
Gilles Peskineca91ee42021-04-03 18:31:01 +0200[diff] [blame]518{
519 /* Compute R = u1 * P1 + u2 * P2 */
520 mbedtls_ecp_group grp;
521 mbedtls_ecp_point P1, P2, R;
522 mbedtls_mpi u1, u2;
523 uint8_t actual_result[MBEDTLS_ECP_MAX_PT_LEN];
524 size_t len;
525
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]526 mbedtls_ecp_group_init(&grp);
527 mbedtls_ecp_point_init(&P1);
528 mbedtls_ecp_point_init(&P2);
529 mbedtls_ecp_point_init(&R);
530 mbedtls_mpi_init(&u1);
531 mbedtls_mpi_init(&u2);
Gilles Peskineca91ee42021-04-03 18:31:01 +0200[diff] [blame]532
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]533 TEST_EQUAL(0, mbedtls_ecp_group_load(&grp, id));
534 TEST_EQUAL(0, mbedtls_mpi_read_binary(&u1, u1_bin->x, u1_bin->len));
535 TEST_EQUAL(0, mbedtls_mpi_read_binary(&u2, u2_bin->x, u2_bin->len));
536 TEST_EQUAL(0, mbedtls_ecp_point_read_binary(&grp, &P1,
537 P1_bin->x, P1_bin->len));
538 TEST_EQUAL(0, mbedtls_ecp_point_read_binary(&grp, &P2,
539 P2_bin->x, P2_bin->len));
Gilles Peskineca91ee42021-04-03 18:31:01 +0200[diff] [blame]540
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]541 TEST_EQUAL(0, mbedtls_ecp_muladd(&grp, &R, &u1, &P1, &u2, &P2));
542 TEST_EQUAL(0, mbedtls_ecp_point_write_binary(
543 &grp, &R, MBEDTLS_ECP_PF_UNCOMPRESSED,
544 &len, actual_result, sizeof(actual_result)));
545 TEST_ASSERT(len <= MBEDTLS_ECP_MAX_PT_LEN);
Gilles Peskineca91ee42021-04-03 18:31:01 +0200[diff] [blame]546
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]547 ASSERT_COMPARE(expected_result->x, expected_result->len,
548 actual_result, len);
Gilles Peskineca91ee42021-04-03 18:31:01 +0200[diff] [blame]549
550exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]551 mbedtls_ecp_group_free(&grp);
552 mbedtls_ecp_point_free(&P1);
553 mbedtls_ecp_point_free(&P2);
554 mbedtls_ecp_point_free(&R);
555 mbedtls_mpi_free(&u1);
556 mbedtls_mpi_free(&u2);
Gilles Peskineca91ee42021-04-03 18:31:01 +0200[diff] [blame]557}
558/* END_CASE */
559
Jonas923d5792020-05-13 14:22:45 +0900[diff] [blame]560/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]561void ecp_fast_mod(int id, char *N_str)
Manuel Pégourié-Gonnard84338242012-11-11 20:45:18 +0100[diff] [blame]562{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]563 mbedtls_ecp_group grp;
564 mbedtls_mpi N, R;
Manuel Pégourié-Gonnard84338242012-11-11 20:45:18 +0100[diff] [blame]565
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]566 mbedtls_mpi_init(&N); mbedtls_mpi_init(&R);
567 mbedtls_ecp_group_init(&grp);
Manuel Pégourié-Gonnard84338242012-11-11 20:45:18 +0100[diff] [blame]568
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]569 TEST_ASSERT(mbedtls_test_read_mpi(&N, N_str) == 0);
570 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
571 TEST_ASSERT(grp.modp != NULL);
Manuel Pégourié-Gonnard84338242012-11-11 20:45:18 +0100[diff] [blame]572
573 /*
574 * Store correct result before we touch N
575 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]576 TEST_ASSERT(mbedtls_mpi_mod_mpi(&R, &N, &grp.P) == 0);
Manuel Pégourié-Gonnard84338242012-11-11 20:45:18 +0100[diff] [blame]577
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]578 TEST_ASSERT(grp.modp(&N) == 0);
579 TEST_ASSERT(mbedtls_mpi_bitlen(&N) <= grp.pbits + 3);
Manuel Pégourié-Gonnard84338242012-11-11 20:45:18 +0100[diff] [blame]580
581 /*
Paul Bakkerd8b0c5e2014-04-11 15:31:33 +0200[diff] [blame]582 * Use mod rather than addition/subtraction in case previous test fails
Manuel Pégourié-Gonnard84338242012-11-11 20:45:18 +0100[diff] [blame]583 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]584 TEST_ASSERT(mbedtls_mpi_mod_mpi(&N, &N, &grp.P) == 0);
585 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&N, &R) == 0);
Manuel Pégourié-Gonnard84338242012-11-11 20:45:18 +0100[diff] [blame]586
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]587exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]588 mbedtls_mpi_free(&N); mbedtls_mpi_free(&R);
589 mbedtls_ecp_group_free(&grp);
Manuel Pégourié-Gonnard84338242012-11-11 20:45:18 +0100[diff] [blame]590}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]591/* END_CASE */
Manuel Pégourié-Gonnardb4a310b2012-11-13 20:57:00 +0100[diff] [blame]592
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]593/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594void ecp_write_binary(int id, char *x, char *y, char *z, int format,
595 data_t *out, int blen, int ret)
Manuel Pégourié-Gonnarde19feb52012-11-24 14:10:14 +0100[diff] [blame]596{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]597 mbedtls_ecp_group grp;
598 mbedtls_ecp_point P;
Azim Khanf1aaec92017-05-30 14:23:15 +0100[diff] [blame]599 unsigned char buf[256];
Manuel Pégourié-Gonnard420f1eb2013-02-10 12:22:46 +0100[diff] [blame]600 size_t olen;
Manuel Pégourié-Gonnarde19feb52012-11-24 14:10:14 +0100[diff] [blame]601
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]602 memset(buf, 0, sizeof(buf));
Manuel Pégourié-Gonnarde19feb52012-11-24 14:10:14 +0100[diff] [blame]603
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]604 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&P);
Manuel Pégourié-Gonnarde19feb52012-11-24 14:10:14 +0100[diff] [blame]605
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]606 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
Manuel Pégourié-Gonnarde19feb52012-11-24 14:10:14 +0100[diff] [blame]607
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]608 TEST_ASSERT(mbedtls_test_read_mpi(&P.X, x) == 0);
609 TEST_ASSERT(mbedtls_test_read_mpi(&P.Y, y) == 0);
610 TEST_ASSERT(mbedtls_test_read_mpi(&P.Z, z) == 0);
Manuel Pégourié-Gonnarde19feb52012-11-24 14:10:14 +0100[diff] [blame]611
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]612 TEST_ASSERT(mbedtls_ecp_point_write_binary(&grp, &P, format,
613 &olen, buf, blen) == ret);
Manuel Pégourié-Gonnarde19feb52012-11-24 14:10:14 +0100[diff] [blame]614
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]615 if (ret == 0) {
616 TEST_ASSERT(olen <= MBEDTLS_ECP_MAX_PT_LEN);
617 TEST_ASSERT(mbedtls_test_hexcmp(buf, out->x, olen, out->len) == 0);
Manuel Pégourié-Gonnarde19feb52012-11-24 14:10:14 +0100[diff] [blame]618 }
619
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]620exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]621 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&P);
Manuel Pégourié-Gonnarde19feb52012-11-24 14:10:14 +0100[diff] [blame]622}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]623/* END_CASE */
Manuel Pégourié-Gonnarde19feb52012-11-24 14:10:14 +0100[diff] [blame]624
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]625/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]626void ecp_read_binary(int id, data_t *buf, char *x, char *y, char *z,
627 int ret)
Manuel Pégourié-Gonnard5e402d82012-11-24 16:19:42 +0100[diff] [blame]628{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]629 mbedtls_ecp_group grp;
630 mbedtls_ecp_point P;
631 mbedtls_mpi X, Y, Z;
Manuel Pégourié-Gonnard5e402d82012-11-24 16:19:42 +0100[diff] [blame]632
Manuel Pégourié-Gonnard5e402d82012-11-24 16:19:42 +0100[diff] [blame]633
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&P);
635 mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);
Manuel Pégourié-Gonnard5e402d82012-11-24 16:19:42 +0100[diff] [blame]636
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]637 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
Manuel Pégourié-Gonnard5e402d82012-11-24 16:19:42 +0100[diff] [blame]638
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]639 TEST_ASSERT(mbedtls_test_read_mpi(&X, x) == 0);
640 TEST_ASSERT(mbedtls_test_read_mpi(&Y, y) == 0);
641 TEST_ASSERT(mbedtls_test_read_mpi(&Z, z) == 0);
Manuel Pégourié-Gonnard5e402d82012-11-24 16:19:42 +0100[diff] [blame]642
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]643 TEST_ASSERT(mbedtls_ecp_point_read_binary(&grp, &P, buf->x, buf->len) == ret);
Manuel Pégourié-Gonnard5e402d82012-11-24 16:19:42 +0100[diff] [blame]644
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]645 if (ret == 0) {
646 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.X, &X) == 0);
647 if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
648 TEST_ASSERT(mbedtls_mpi_cmp_int(&Y, 0) == 0);
649 TEST_ASSERT(P.Y.p == NULL);
650 TEST_ASSERT(mbedtls_mpi_cmp_int(&Z, 1) == 0);
651 TEST_ASSERT(mbedtls_mpi_cmp_int(&P.Z, 1) == 0);
652 } else {
653 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Y, &Y) == 0);
654 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Z, &Z) == 0);
Glenn Strauss2ff77112022-09-14 23:27:50 -0400[diff] [blame]655
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]656 if (buf->x[0] == 0x04 &&
Glenn Strauss2ff77112022-09-14 23:27:50 -0400[diff] [blame]657 /* (reading compressed format supported only for
658 * Short Weierstrass curves with prime p where p = 3 mod 4) */
659 id != MBEDTLS_ECP_DP_SECP224R1 &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]660 id != MBEDTLS_ECP_DP_SECP224K1) {
Glenn Strauss2ff77112022-09-14 23:27:50 -0400[diff] [blame]661 /* re-encode in compressed format and test read again */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]662 mbedtls_mpi_free(&P.Y);
663 buf->x[0] = 0x02 + mbedtls_mpi_get_bit(&Y, 0);
664 TEST_ASSERT(mbedtls_ecp_point_read_binary(&grp, &P, buf->x, buf->len/2+1) == 0);
665 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Y, &Y) == 0);
Glenn Strauss2ff77112022-09-14 23:27:50 -0400[diff] [blame]666 }
Janos Follath59b813c2019-02-13 10:44:06 +0000[diff] [blame]667 }
Manuel Pégourié-Gonnard5e402d82012-11-24 16:19:42 +0100[diff] [blame]668 }
669
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]670exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]671 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&P);
672 mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
Manuel Pégourié-Gonnard5e402d82012-11-24 16:19:42 +0100[diff] [blame]673}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]674/* END_CASE */
Manuel Pégourié-Gonnard5e402d82012-11-24 16:19:42 +0100[diff] [blame]675
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]676/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]677void mbedtls_ecp_tls_read_point(int id, data_t *buf, char *x, char *y,
678 char *z, int ret)
Manuel Pégourié-Gonnard8c16f962013-02-10 13:00:20 +0100[diff] [blame]679{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680 mbedtls_ecp_group grp;
681 mbedtls_ecp_point P;
682 mbedtls_mpi X, Y, Z;
Azim Khand30ca132017-06-09 04:32:58 +0100[diff] [blame]683 const unsigned char *vbuf = buf->x;
Manuel Pégourié-Gonnard8c16f962013-02-10 13:00:20 +0100[diff] [blame]684
Manuel Pégourié-Gonnard8c16f962013-02-10 13:00:20 +0100[diff] [blame]685
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]686 mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&P);
687 mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);
Manuel Pégourié-Gonnard8c16f962013-02-10 13:00:20 +0100[diff] [blame]688
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]689 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
Manuel Pégourié-Gonnard8c16f962013-02-10 13:00:20 +0100[diff] [blame]690
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]691 TEST_ASSERT(mbedtls_test_read_mpi(&X, x) == 0);
692 TEST_ASSERT(mbedtls_test_read_mpi(&Y, y) == 0);
693 TEST_ASSERT(mbedtls_test_read_mpi(&Z, z) == 0);
Manuel Pégourié-Gonnard8c16f962013-02-10 13:00:20 +0100[diff] [blame]694
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]695 TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &P, &vbuf, buf->len) == ret);
Manuel Pégourié-Gonnard8c16f962013-02-10 13:00:20 +0100[diff] [blame]696
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]697 if (ret == 0) {
698 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.X, &X) == 0);
699 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Y, &Y) == 0);
700 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&P.Z, &Z) == 0);
701 TEST_ASSERT((uint32_t) (vbuf - buf->x) == buf->len);
Manuel Pégourié-Gonnard8c16f962013-02-10 13:00:20 +0100[diff] [blame]702 }
703
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]704exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]705 mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&P);
706 mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
Manuel Pégourié-Gonnard8c16f962013-02-10 13:00:20 +0100[diff] [blame]707}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]708/* END_CASE */
Manuel Pégourié-Gonnard8c16f962013-02-10 13:00:20 +0100[diff] [blame]709
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]710/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]711void ecp_tls_write_read_point(int id)
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]712{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]713 mbedtls_ecp_group grp;
714 mbedtls_ecp_point pt;
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]715 unsigned char buf[256];
Manuel Pégourié-Gonnard98f51812013-02-10 13:38:29 +0100[diff] [blame]716 const unsigned char *vbuf;
Manuel Pégourié-Gonnard420f1eb2013-02-10 12:22:46 +0100[diff] [blame]717 size_t olen;
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]718
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]719 mbedtls_ecp_group_init(&grp);
720 mbedtls_ecp_point_init(&pt);
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]721
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]722 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]723
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]724 memset(buf, 0x00, sizeof(buf)); vbuf = buf;
725 TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &grp.G,
726 MBEDTLS_ECP_PF_COMPRESSED, &olen, buf, 256) == 0);
727 TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) == 0);
728 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.X, &pt.X) == 0);
729 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.Y, &pt.Y) == 0);
730 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.Z, &pt.Z) == 0);
731 TEST_ASSERT(vbuf == buf + olen);
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]732
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]733 memset(buf, 0x00, sizeof(buf)); vbuf = buf;
734 TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &grp.G,
735 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, buf, 256) == 0);
736 TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) == 0);
737 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.X, &pt.X) == 0);
738 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.Y, &pt.Y) == 0);
739 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.G.Z, &pt.Z) == 0);
740 TEST_ASSERT(vbuf == buf + olen);
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]741
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]742 memset(buf, 0x00, sizeof(buf)); vbuf = buf;
743 TEST_ASSERT(mbedtls_ecp_set_zero(&pt) == 0);
744 TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &pt,
745 MBEDTLS_ECP_PF_COMPRESSED, &olen, buf, 256) == 0);
746 TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) == 0);
747 TEST_ASSERT(mbedtls_ecp_is_zero(&pt));
748 TEST_ASSERT(vbuf == buf + olen);
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]749
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]750 memset(buf, 0x00, sizeof(buf)); vbuf = buf;
751 TEST_ASSERT(mbedtls_ecp_set_zero(&pt) == 0);
752 TEST_ASSERT(mbedtls_ecp_tls_write_point(&grp, &pt,
753 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, buf, 256) == 0);
754 TEST_ASSERT(mbedtls_ecp_tls_read_point(&grp, &pt, &vbuf, olen) == 0);
755 TEST_ASSERT(mbedtls_ecp_is_zero(&pt));
756 TEST_ASSERT(vbuf == buf + olen);
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]757
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]758exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]759 mbedtls_ecp_group_free(&grp);
760 mbedtls_ecp_point_free(&pt);
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]761}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]762/* END_CASE */
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]763
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]764/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]765void mbedtls_ecp_tls_read_group(data_t *buf, int result, int bits,
766 int record_len)
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]767{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]768 mbedtls_ecp_group grp;
Azim Khand30ca132017-06-09 04:32:58 +0100[diff] [blame]769 const unsigned char *vbuf = buf->x;
Azim Khanf1aaec92017-05-30 14:23:15 +0100[diff] [blame]770 int ret;
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]771
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]772 mbedtls_ecp_group_init(&grp);
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]773
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]774 ret = mbedtls_ecp_tls_read_group(&grp, &vbuf, buf->len);
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]775
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]776 TEST_ASSERT(ret == result);
777 if (ret == 0) {
778 TEST_ASSERT(mbedtls_mpi_bitlen(&grp.P) == (size_t) bits);
779 TEST_ASSERT(vbuf - buf->x == record_len);
Manuel Pégourié-Gonnard7c145c62013-02-10 13:20:52 +0100[diff] [blame]780 }
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]781
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]782exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]783 mbedtls_ecp_group_free(&grp);
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]784}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]785/* END_CASE */
Manuel Pégourié-Gonnard6282aca2013-02-10 11:15:11 +0100[diff] [blame]786
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]787/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]788void ecp_tls_write_read_group(int id)
Manuel Pégourié-Gonnard46106a92013-02-10 12:51:17 +0100[diff] [blame]789{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]790 mbedtls_ecp_group grp1, grp2;
Manuel Pégourié-Gonnard46106a92013-02-10 12:51:17 +0100[diff] [blame]791 unsigned char buf[10];
Manuel Pégourié-Gonnard7c145c62013-02-10 13:20:52 +0100[diff] [blame]792 const unsigned char *vbuf = buf;
Manuel Pégourié-Gonnard46106a92013-02-10 12:51:17 +0100[diff] [blame]793 size_t len;
794 int ret;
795
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]796 mbedtls_ecp_group_init(&grp1);
797 mbedtls_ecp_group_init(&grp2);
798 memset(buf, 0x00, sizeof(buf));
Manuel Pégourié-Gonnard46106a92013-02-10 12:51:17 +0100[diff] [blame]799
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]800 TEST_ASSERT(mbedtls_ecp_group_load(&grp1, id) == 0);
Manuel Pégourié-Gonnard46106a92013-02-10 12:51:17 +0100[diff] [blame]801
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]802 TEST_ASSERT(mbedtls_ecp_tls_write_group(&grp1, &len, buf, 10) == 0);
803 ret = mbedtls_ecp_tls_read_group(&grp2, &vbuf, len);
804 TEST_ASSERT(ret == 0);
Manuel Pégourié-Gonnard46106a92013-02-10 12:51:17 +0100[diff] [blame]805
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]806 if (ret == 0) {
807 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp1.N, &grp2.N) == 0);
808 TEST_ASSERT(grp1.id == grp2.id);
Manuel Pégourié-Gonnard46106a92013-02-10 12:51:17 +0100[diff] [blame]809 }
810
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]811exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]812 mbedtls_ecp_group_free(&grp1);
813 mbedtls_ecp_group_free(&grp2);
Manuel Pégourié-Gonnard46106a92013-02-10 12:51:17 +0100[diff] [blame]814}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]815/* END_CASE */
Manuel Pégourié-Gonnard46106a92013-02-10 12:51:17 +0100[diff] [blame]816
Valerio Setti46829482023-01-18 13:59:30 +0100[diff] [blame]817/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]818void mbedtls_ecp_group_metadata(int id, int bit_size, int crv_type,
819 char *P, char *A, char *B,
820 char *G_x, char *G_y, char *N,
821 int tls_id)
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]822{
823 mbedtls_ecp_group grp, grp_read, grp_cpy;
824 const mbedtls_ecp_group_id *g_id;
Werner Lewisccae25b2022-09-20 10:00:07 +0100[diff] [blame]825 mbedtls_ecp_group_id read_g_id;
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]826 const mbedtls_ecp_curve_info *crv, *crv_tls_id, *crv_name;
827
828 mbedtls_mpi exp_P, exp_A, exp_B, exp_G_x, exp_G_y, exp_N;
829
830 unsigned char buf[3], ecparameters[3] = { 3, 0, tls_id };
831 const unsigned char *vbuf = buf;
832 size_t olen;
833
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]834 mbedtls_ecp_group_init(&grp);
835 mbedtls_ecp_group_init(&grp_read);
836 mbedtls_ecp_group_init(&grp_cpy);
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]837
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]838 mbedtls_mpi_init(&exp_P);
839 mbedtls_mpi_init(&exp_A);
840 mbedtls_mpi_init(&exp_B);
841 mbedtls_mpi_init(&exp_G_x);
842 mbedtls_mpi_init(&exp_G_y);
843 mbedtls_mpi_init(&exp_N);
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]844
845 // Read expected parameters
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]846 TEST_EQUAL(mbedtls_test_read_mpi(&exp_P, P), 0);
847 TEST_EQUAL(mbedtls_test_read_mpi(&exp_A, A), 0);
848 TEST_EQUAL(mbedtls_test_read_mpi(&exp_G_x, G_x), 0);
849 TEST_EQUAL(mbedtls_test_read_mpi(&exp_N, N), 0);
850 TEST_EQUAL(mbedtls_test_read_mpi(&exp_B, B), 0);
851 TEST_EQUAL(mbedtls_test_read_mpi(&exp_G_y, G_y), 0);
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]852
Werner Lewisc4afef72022-08-25 10:29:19 +0100[diff] [blame]853 // Convert exp_A to internal representation (A+2)/4
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]854 if (crv_type == MBEDTLS_ECP_TYPE_MONTGOMERY) {
855 TEST_EQUAL(mbedtls_mpi_add_int(&exp_A, &exp_A, 2), 0);
856 TEST_EQUAL(mbedtls_mpi_div_int(&exp_A, NULL, &exp_A, 4), 0);
Werner Lewisc4afef72022-08-25 10:29:19 +0100[diff] [blame]857 }
858
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]859 // Load group
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]860 TEST_EQUAL(mbedtls_ecp_group_load(&grp, id), 0);
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]861
862 // Compare group with expected parameters
863 // A is NULL for SECPxxxR1 curves
864 // B and G_y are NULL for curve25519 and curve448
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]865 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_P, &grp.P), 0);
866 if (*A != 0) {
867 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_A, &grp.A), 0);
868 }
869 if (*B != 0) {
870 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_B, &grp.B), 0);
871 }
872 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_G_x, &grp.G.X), 0);
873 if (*G_y != 0) {
874 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_G_y, &grp.G.Y), 0);
875 }
876 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&exp_N, &grp.N), 0);
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]877
878 // Load curve info and compare with known values
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]879 crv = mbedtls_ecp_curve_info_from_grp_id(id);
880 TEST_EQUAL(crv->grp_id, id);
881 TEST_EQUAL(crv->bit_size, bit_size);
882 TEST_EQUAL(crv->tls_id, tls_id);
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]883
884 // Load curve from TLS ID and name, and compare IDs
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]885 crv_tls_id = mbedtls_ecp_curve_info_from_tls_id(crv->tls_id);
886 crv_name = mbedtls_ecp_curve_info_from_name(crv->name);
887 TEST_EQUAL(crv_tls_id->grp_id, id);
888 TEST_EQUAL(crv_name->grp_id, id);
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]889
Werner Lewisccae25b2022-09-20 10:00:07 +0100[diff] [blame]890 // Validate write_group against test data
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]891 TEST_EQUAL(mbedtls_ecp_tls_write_group(&grp, &olen,
892 buf, sizeof(buf)),
893 0);
894 TEST_EQUAL(mbedtls_test_hexcmp(buf, ecparameters, olen,
895 sizeof(ecparameters)),
896 0);
Werner Lewisccae25b2022-09-20 10:00:07 +0100[diff] [blame]897
898 // Read group from buffer and compare with expected ID
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]899 TEST_EQUAL(mbedtls_ecp_tls_read_group_id(&read_g_id, &vbuf, olen),
900 0);
901 TEST_EQUAL(read_g_id, id);
Werner Lewis05feee12022-09-20 12:05:00 +0100[diff] [blame]902 vbuf = buf;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]903 TEST_EQUAL(mbedtls_ecp_tls_read_group(&grp_read, &vbuf, olen),
904 0);
905 TEST_EQUAL(grp_read.id, id);
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]906
907 // Check curve type, and if it can be used for ECDH/ECDSA
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]908 TEST_EQUAL(mbedtls_ecp_get_type(&grp), crv_type);
Valerio Setti46829482023-01-18 13:59:30 +0100[diff] [blame]909#if defined(MBEDTLS_ECDH_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]910 TEST_EQUAL(mbedtls_ecdh_can_do(id), 1);
Valerio Setti46829482023-01-18 13:59:30 +0100[diff] [blame]911#endif
912#if defined(MBEDTLS_ECDSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]913 TEST_EQUAL(mbedtls_ecdsa_can_do(id),
914 crv_type == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS);
Valerio Setti46829482023-01-18 13:59:30 +0100[diff] [blame]915#endif
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]916
917 // Copy group and compare with original
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]918 TEST_EQUAL(mbedtls_ecp_group_copy(&grp_cpy, &grp), 0);
919 TEST_EQUAL(mbedtls_ecp_group_cmp(&grp, &grp_cpy), 0);
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]920
921 // Check curve is in curve list and group ID list
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]922 for (crv = mbedtls_ecp_curve_list();
923 crv->grp_id != MBEDTLS_ECP_DP_NONE &&
924 crv->grp_id != (unsigned) id;
925 crv++) {
926 ;
927 }
928 TEST_EQUAL(crv->grp_id, id);
929 for (g_id = mbedtls_ecp_grp_id_list();
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]930 *g_id != MBEDTLS_ECP_DP_NONE && *g_id != (unsigned) id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]931 g_id++) {
932 ;
933 }
934 TEST_EQUAL(*g_id, (unsigned) id);
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]935
936exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]937 mbedtls_ecp_group_free(&grp); mbedtls_ecp_group_free(&grp_cpy);
938 mbedtls_ecp_group_free(&grp_read);
939 mbedtls_mpi_free(&exp_P); mbedtls_mpi_free(&exp_A);
940 mbedtls_mpi_free(&exp_B); mbedtls_mpi_free(&exp_G_x);
941 mbedtls_mpi_free(&exp_G_y); mbedtls_mpi_free(&exp_N);
Werner Lewise54046c2022-08-15 11:43:56 +0100[diff] [blame]942}
943/* END_CASE */
944
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]945/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]946void mbedtls_ecp_check_privkey(int id, char *key_hex, int ret)
Manuel Pégourié-Gonnardc8dc2952013-07-01 14:06:13 +0200[diff] [blame]947{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]948 mbedtls_ecp_group grp;
949 mbedtls_mpi d;
Manuel Pégourié-Gonnardc8dc2952013-07-01 14:06:13 +0200[diff] [blame]950
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]951 mbedtls_ecp_group_init(&grp);
952 mbedtls_mpi_init(&d);
Manuel Pégourié-Gonnardc8dc2952013-07-01 14:06:13 +0200[diff] [blame]953
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]954 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
955 TEST_ASSERT(mbedtls_test_read_mpi(&d, key_hex) == 0);
Manuel Pégourié-Gonnardc8dc2952013-07-01 14:06:13 +0200[diff] [blame]956
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]957 TEST_ASSERT(mbedtls_ecp_check_privkey(&grp, &d) == ret);
Manuel Pégourié-Gonnardc8dc2952013-07-01 14:06:13 +0200[diff] [blame]958
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]959exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]960 mbedtls_ecp_group_free(&grp);
961 mbedtls_mpi_free(&d);
Manuel Pégourié-Gonnardc8dc2952013-07-01 14:06:13 +0200[diff] [blame]962}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]963/* END_CASE */
Manuel Pégourié-Gonnardc8dc2952013-07-01 14:06:13 +0200[diff] [blame]964
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]965/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]966void mbedtls_ecp_check_pub_priv(int id_pub, char *Qx_pub, char *Qy_pub,
967 int id, char *d, char *Qx, char *Qy,
968 int ret)
Manuel Pégourié-Gonnard30668d62014-11-06 15:25:32 +0100[diff] [blame]969{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]970 mbedtls_ecp_keypair pub, prv;
Manuel Pégourié-Gonnardf8c24bf2021-06-15 11:29:26 +0200[diff] [blame]971 mbedtls_test_rnd_pseudo_info rnd_info;
Manuel Pégourié-Gonnard30668d62014-11-06 15:25:32 +0100[diff] [blame]972
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]973 mbedtls_ecp_keypair_init(&pub);
974 mbedtls_ecp_keypair_init(&prv);
975 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));
Manuel Pégourié-Gonnard30668d62014-11-06 15:25:32 +0100[diff] [blame]976
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]977 if (id_pub != MBEDTLS_ECP_DP_NONE) {
978 TEST_ASSERT(mbedtls_ecp_group_load(&pub.grp, id_pub) == 0);
979 }
980 TEST_ASSERT(mbedtls_ecp_point_read_string(&pub.Q, 16, Qx_pub, Qy_pub) == 0);
Manuel Pégourié-Gonnard30668d62014-11-06 15:25:32 +0100[diff] [blame]981
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]982 if (id != MBEDTLS_ECP_DP_NONE) {
983 TEST_ASSERT(mbedtls_ecp_group_load(&prv.grp, id) == 0);
984 }
985 TEST_ASSERT(mbedtls_ecp_point_read_string(&prv.Q, 16, Qx, Qy) == 0);
986 TEST_ASSERT(mbedtls_test_read_mpi(&prv.d, d) == 0);
Manuel Pégourié-Gonnard30668d62014-11-06 15:25:32 +0100[diff] [blame]987
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]988 TEST_ASSERT(mbedtls_ecp_check_pub_priv(&pub, &prv,
989 &mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret);
Manuel Pégourié-Gonnard30668d62014-11-06 15:25:32 +0100[diff] [blame]990
991exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]992 mbedtls_ecp_keypair_free(&pub);
993 mbedtls_ecp_keypair_free(&prv);
Manuel Pégourié-Gonnard30668d62014-11-06 15:25:32 +0100[diff] [blame]994}
995/* END_CASE */
996
997/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]998void mbedtls_ecp_gen_keypair(int id)
Manuel Pégourié-Gonnard45a035a2013-01-26 14:42:45 +0100[diff] [blame]999{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1000 mbedtls_ecp_group grp;
1001 mbedtls_ecp_point Q;
1002 mbedtls_mpi d;
Ronald Cron351f0ee2020-06-10 12:12:18 +0200[diff] [blame]1003 mbedtls_test_rnd_pseudo_info rnd_info;
Manuel Pégourié-Gonnard45a035a2013-01-26 14:42:45 +0100[diff] [blame]1004
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1005 mbedtls_ecp_group_init(&grp);
1006 mbedtls_ecp_point_init(&Q);
1007 mbedtls_mpi_init(&d);
1008 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));
Manuel Pégourié-Gonnard45a035a2013-01-26 14:42:45 +0100[diff] [blame]1009
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1010 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
Manuel Pégourié-Gonnard45a035a2013-01-26 14:42:45 +0100[diff] [blame]1011
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1012 TEST_ASSERT(mbedtls_ecp_gen_keypair(&grp, &d, &Q,
1013 &mbedtls_test_rnd_pseudo_rand,
1014 &rnd_info) == 0);
Manuel Pégourié-Gonnard45a035a2013-01-26 14:42:45 +0100[diff] [blame]1015
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1016 TEST_ASSERT(mbedtls_ecp_check_pubkey(&grp, &Q) == 0);
1017 TEST_ASSERT(mbedtls_ecp_check_privkey(&grp, &d) == 0);
Manuel Pégourié-Gonnard45a035a2013-01-26 14:42:45 +0100[diff] [blame]1018
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]1019exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1020 mbedtls_ecp_group_free(&grp);
1021 mbedtls_ecp_point_free(&Q);
1022 mbedtls_mpi_free(&d);
Manuel Pégourié-Gonnard45a035a2013-01-26 14:42:45 +0100[diff] [blame]1023}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]1024/* END_CASE */
Manuel Pégourié-Gonnard45a035a2013-01-26 14:42:45 +0100[diff] [blame]1025
Manuel Pégourié-Gonnard104ee1d2013-11-30 14:13:16 +0100[diff] [blame]1026/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1027void mbedtls_ecp_gen_key(int id)
Manuel Pégourié-Gonnard104ee1d2013-11-30 14:13:16 +0100[diff] [blame]1028{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029 mbedtls_ecp_keypair key;
Ronald Cron351f0ee2020-06-10 12:12:18 +0200[diff] [blame]1030 mbedtls_test_rnd_pseudo_info rnd_info;
Manuel Pégourié-Gonnard104ee1d2013-11-30 14:13:16 +0100[diff] [blame]1031
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1032 mbedtls_ecp_keypair_init(&key);
1033 memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));
Manuel Pégourié-Gonnard104ee1d2013-11-30 14:13:16 +0100[diff] [blame]1034
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1035 TEST_ASSERT(mbedtls_ecp_gen_key(id, &key,
1036 &mbedtls_test_rnd_pseudo_rand,
1037 &rnd_info) == 0);
Manuel Pégourié-Gonnard104ee1d2013-11-30 14:13:16 +0100[diff] [blame]1038
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1039 TEST_ASSERT(mbedtls_ecp_check_pubkey(&key.grp, &key.Q) == 0);
1040 TEST_ASSERT(mbedtls_ecp_check_privkey(&key.grp, &key.d) == 0);
Manuel Pégourié-Gonnard104ee1d2013-11-30 14:13:16 +0100[diff] [blame]1041
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]1042exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1043 mbedtls_ecp_keypair_free(&key);
Manuel Pégourié-Gonnard104ee1d2013-11-30 14:13:16 +0100[diff] [blame]1044}
1045/* END_CASE */
1046
Janos Follath171a7ef2019-02-15 16:17:45 +0000[diff] [blame]1047/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1048void mbedtls_ecp_read_key(int grp_id, data_t *in_key, int expected, int canonical)
Janos Follath171a7ef2019-02-15 16:17:45 +0000[diff] [blame]1049{
1050 int ret = 0;
1051 mbedtls_ecp_keypair key;
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1052 mbedtls_ecp_keypair key2;
Janos Follath171a7ef2019-02-15 16:17:45 +0000[diff] [blame]1053
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1054 mbedtls_ecp_keypair_init(&key);
1055 mbedtls_ecp_keypair_init(&key2);
Janos Follath171a7ef2019-02-15 16:17:45 +0000[diff] [blame]1056
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1057 ret = mbedtls_ecp_read_key(grp_id, &key, in_key->x, in_key->len);
1058 TEST_ASSERT(ret == expected);
Janos Follath171a7ef2019-02-15 16:17:45 +0000[diff] [blame]1059
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1060 if (expected == 0) {
1061 ret = mbedtls_ecp_check_privkey(&key.grp, &key.d);
1062 TEST_ASSERT(ret == 0);
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1063
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1064 if (canonical) {
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1065 unsigned char buf[MBEDTLS_ECP_MAX_BYTES];
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1066
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1067 ret = mbedtls_ecp_write_key(&key, buf, in_key->len);
1068 TEST_ASSERT(ret == 0);
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1069
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1070 ASSERT_COMPARE(in_key->x, in_key->len,
1071 buf, in_key->len);
1072 } else {
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1073 unsigned char export1[MBEDTLS_ECP_MAX_BYTES];
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1074 unsigned char export2[MBEDTLS_ECP_MAX_BYTES];
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1075
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1076 ret = mbedtls_ecp_write_key(&key, export1, in_key->len);
1077 TEST_ASSERT(ret == 0);
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1078
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1079 ret = mbedtls_ecp_read_key(grp_id, &key2, export1, in_key->len);
1080 TEST_ASSERT(ret == expected);
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1081
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1082 ret = mbedtls_ecp_write_key(&key2, export2, in_key->len);
1083 TEST_ASSERT(ret == 0);
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1084
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1085 ASSERT_COMPARE(export1, in_key->len,
1086 export2, in_key->len);
Steven Cooremande8593f2020-06-09 19:55:26 +0200[diff] [blame]1087 }
Janos Follath171a7ef2019-02-15 16:17:45 +0000[diff] [blame]1088 }
1089
1090exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1091 mbedtls_ecp_keypair_free(&key);
1092 mbedtls_ecp_keypair_free(&key2);
Janos Follath171a7ef2019-02-15 16:17:45 +0000[diff] [blame]1093}
1094/* END_CASE */
1095
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]1096/* BEGIN_CASE depends_on:HAVE_FIX_NEGATIVE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1097void fix_negative(data_t *N_bin, int c, int bits)
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]1098{
1099 mbedtls_mpi C, M, N;
1100
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1101 mbedtls_mpi_init(&C);
1102 mbedtls_mpi_init(&M);
1103 mbedtls_mpi_init(&N);
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]1104
Gilles Peskine392d1012021-04-09 15:46:51 +0200[diff] [blame]1105 /* C = - c * 2^bits (positive since c is negative) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1106 TEST_EQUAL(0, mbedtls_mpi_lset(&C, -c));
1107 TEST_EQUAL(0, mbedtls_mpi_shift_l(&C, bits));
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]1108
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1109 TEST_EQUAL(0, mbedtls_mpi_read_binary(&N, N_bin->x, N_bin->len));
1110 TEST_EQUAL(0, mbedtls_mpi_grow(&N, C.n));
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]1111
Gilles Peskine392d1012021-04-09 15:46:51 +0200[diff] [blame]1112 /* M = N - C = - ( C - N ) (expected result of fix_negative) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1113 TEST_EQUAL(0, mbedtls_mpi_sub_mpi(&M, &N, &C));
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]1114
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1115 mbedtls_ecp_fix_negative(&N, c, bits);
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]1116
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1117 TEST_EQUAL(0, mbedtls_mpi_cmp_mpi(&N, &M));
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]1118
1119exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1120 mbedtls_mpi_free(&C);
1121 mbedtls_mpi_free(&M);
1122 mbedtls_mpi_free(&N);
Gilles Peskine618be2e2021-04-03 21:47:53 +0200[diff] [blame]1123}
1124/* END_CASE */
1125
Gilles Peskine6ff8a012021-03-24 12:01:02 +0100[diff] [blame]1126/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_MONTGOMERY_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1127void genkey_mx_known_answer(int bits, data_t *seed, data_t *expected)
Gilles Peskine6ff8a012021-03-24 12:01:02 +0100[diff] [blame]1128{
1129 mbedtls_test_rnd_buf_info rnd_info;
1130 mbedtls_mpi d;
1131 int ret;
1132 uint8_t *actual = NULL;
1133
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1134 mbedtls_mpi_init(&d);
Gilles Peskine6ff8a012021-03-24 12:01:02 +0100[diff] [blame]1135 rnd_info.buf = seed->x;
1136 rnd_info.length = seed->len;
1137 rnd_info.fallback_f_rng = NULL;
1138 rnd_info.fallback_p_rng = NULL;
1139
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1140 ASSERT_ALLOC(actual, expected->len);
Gilles Peskine6ff8a012021-03-24 12:01:02 +0100[diff] [blame]1141
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1142 ret = mbedtls_ecp_gen_privkey_mx(bits, &d,
1143 mbedtls_test_rnd_buffer_rand, &rnd_info);
Gilles Peskine6ff8a012021-03-24 12:01:02 +0100[diff] [blame]1144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1145 if (expected->len == 0) {
Gilles Peskine6ff8a012021-03-24 12:01:02 +0100[diff] [blame]1146 /* Expecting an error (happens if there isn't enough randomness) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1147 TEST_ASSERT(ret != 0);
1148 } else {
1149 TEST_EQUAL(ret, 0);
1150 TEST_EQUAL((size_t) bits + 1, mbedtls_mpi_bitlen(&d));
1151 TEST_EQUAL(0, mbedtls_mpi_write_binary(&d, actual, expected->len));
Gilles Peskine6ff8a012021-03-24 12:01:02 +0100[diff] [blame]1152 /* Test the exact result. This assumes that the output of the
1153 * RNG is used in a specific way, which is overly constraining.
1154 * The advantage is that it's easier to test the expected properties
1155 * of the generated key:
1156 * - The most significant bit must be at a specific positions
1157 * (can be enforced by checking the bit-length).
1158 * - The least significant bits must have specific values
1159 * (can be enforced by checking these bits).
1160 * - Other bits must be random (by testing with different RNG outputs,
1161 * we validate that those bits are indeed influenced by the RNG). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1162 ASSERT_COMPARE(expected->x, expected->len,
1163 actual, expected->len);
Gilles Peskine6ff8a012021-03-24 12:01:02 +0100[diff] [blame]1164 }
1165
1166exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1167 mbedtls_free(actual);
1168 mbedtls_mpi_free(&d);
Gilles Peskine6ff8a012021-03-24 12:01:02 +0100[diff] [blame]1169}
1170/* END_CASE */
1171
Werner Lewis3b097392022-08-08 11:53:45 +0100[diff] [blame]1172/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1173void ecp_set_zero(int id, data_t *P_bin)
Werner Lewis3b097392022-08-08 11:53:45 +0100[diff] [blame]1174{
1175 mbedtls_ecp_group grp;
1176 mbedtls_ecp_point pt, zero_pt, nonzero_pt;
1177
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1178 mbedtls_ecp_group_init(&grp);
1179 mbedtls_ecp_point_init(&pt);
1180 mbedtls_ecp_point_init(&zero_pt);
1181 mbedtls_ecp_point_init(&nonzero_pt);
Werner Lewis3b097392022-08-08 11:53:45 +0100[diff] [blame]1182
1183 // Set zero and non-zero points for comparison
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1184 TEST_EQUAL(mbedtls_ecp_set_zero(&zero_pt), 0);
1185 TEST_EQUAL(mbedtls_ecp_group_load(&grp, id), 0);
1186 TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &nonzero_pt,
1187 P_bin->x, P_bin->len), 0);
1188 TEST_EQUAL(mbedtls_ecp_is_zero(&zero_pt), 1);
1189 TEST_EQUAL(mbedtls_ecp_is_zero(&nonzero_pt), 0);
Werner Lewis3b097392022-08-08 11:53:45 +0100[diff] [blame]1190
1191 // Test initialized point
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1192 TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0);
1193 TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1);
1194 TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0);
1195 TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &zero_pt),
1196 MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
Werner Lewis3b097392022-08-08 11:53:45 +0100[diff] [blame]1197
1198 // Test zeroed point
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1199 TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0);
1200 TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1);
1201 TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0);
1202 TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt),
1203 MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
Werner Lewis3b097392022-08-08 11:53:45 +0100[diff] [blame]1204
1205 // Set point to non-zero value
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1206 TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &pt,
1207 P_bin->x, P_bin->len), 0);
1208 TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 0);
1209 TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt),
1210 MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
1211 TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt), 0);
Werner Lewis3b097392022-08-08 11:53:45 +0100[diff] [blame]1212
1213 // Test non-zero point
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1214 TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0);
1215 TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1);
1216 TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0);
1217 TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt),
1218 MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
Werner Lewis3b097392022-08-08 11:53:45 +0100[diff] [blame]1219
1220 // Test freed non-zero point
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1221 TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &pt,
1222 P_bin->x, P_bin->len), 0);
1223 mbedtls_ecp_point_free(&pt);
1224 TEST_EQUAL(mbedtls_ecp_set_zero(&pt), 0);
1225 TEST_EQUAL(mbedtls_ecp_is_zero(&pt), 1);
1226 TEST_EQUAL(mbedtls_ecp_point_cmp(&zero_pt, &pt), 0);
1227 TEST_EQUAL(mbedtls_ecp_point_cmp(&nonzero_pt, &pt),
1228 MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
Werner Lewis3b097392022-08-08 11:53:45 +0100[diff] [blame]1229
1230exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1231 mbedtls_ecp_group_free(&grp);
1232 mbedtls_ecp_point_free(&pt);
1233 mbedtls_ecp_point_free(&zero_pt);
1234 mbedtls_ecp_point_free(&nonzero_pt);
Werner Lewis3b097392022-08-08 11:53:45 +0100[diff] [blame]1235}
1236/* END_CASE */
1237
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1238/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1239void ecp_selftest()
Manuel Pégourié-Gonnardb4a310b2012-11-13 20:57:00 +0100[diff] [blame]1240{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1241 TEST_ASSERT(mbedtls_ecp_self_test(1) == 0);
Manuel Pégourié-Gonnardb4a310b2012-11-13 20:57:00 +0100[diff] [blame]1242}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]1243/* END_CASE */
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]1244
1245/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1246void ecp_export(int id, char *Qx, char *Qy, char *d, int expected_ret, int invalid_grp)
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]1247{
1248 mbedtls_ecp_keypair key;
1249 mbedtls_ecp_group export_grp;
1250 mbedtls_mpi export_d;
1251 mbedtls_ecp_point export_Q;
1252
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1253 mbedtls_ecp_group_init(&export_grp);
1254 mbedtls_ecp_group_init(&key.grp);
1255 mbedtls_mpi_init(&export_d);
1256 mbedtls_ecp_point_init(&export_Q);
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]1257
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1258 mbedtls_ecp_keypair_init(&key);
1259 if (invalid_grp == 0) {
1260 TEST_ASSERT(mbedtls_ecp_group_load(&key.grp, id) == 0);
1261 }
1262 TEST_ASSERT(mbedtls_ecp_point_read_string(&key.Q, 16, Qx, Qy) == 0);
1263 TEST_ASSERT(mbedtls_test_read_mpi(&key.d, d) == 0);
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]1264
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1265 TEST_EQUAL(mbedtls_ecp_export(&key, &export_grp,
1266 &export_d, &export_Q), expected_ret);
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]1267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1268 if (expected_ret == 0) {
1269 TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &export_Q), 0);
1270 TEST_EQUAL(mbedtls_mpi_cmp_mpi(&key.d, &export_d), 0);
1271 TEST_EQUAL(mbedtls_ecp_group_cmp(&key.grp, &export_grp), 0);
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]1272 }
1273
1274exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1275 mbedtls_ecp_keypair_free(&key);
1276 mbedtls_ecp_group_free(&export_grp);
1277 mbedtls_mpi_free(&export_d);
1278 mbedtls_ecp_point_free(&export_Q);
Przemek Stekiel4b30feb2022-03-18 13:58:26 +0100[diff] [blame]1279}
1280/* END_CASE */
Dave Rodgman57080462022-06-17 13:41:18 +0100[diff] [blame]1281
1282/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1283void ecp_check_order(int id, char *expected_order_hex)
Dave Rodgman57080462022-06-17 13:41:18 +0100[diff] [blame]1284{
1285 mbedtls_ecp_group grp;
1286 mbedtls_mpi expected_n;
1287
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1288 mbedtls_ecp_group_init(&grp);
1289 mbedtls_mpi_init(&expected_n);
Dave Rodgman57080462022-06-17 13:41:18 +0100[diff] [blame]1290
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1291 TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
1292 TEST_ASSERT(mbedtls_test_read_mpi(&expected_n, expected_order_hex) == 0);
Dave Rodgman57080462022-06-17 13:41:18 +0100[diff] [blame]1293
1294 // check sign bits are well-formed (i.e. 1 or -1) - see #5810
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1295 TEST_ASSERT(grp.N.s == -1 || grp.N.s == 1);
1296 TEST_ASSERT(expected_n.s == -1 || expected_n.s == 1);
Dave Rodgman5cab9da2022-06-17 13:48:29 +0100[diff] [blame]1297
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1298 TEST_ASSERT(mbedtls_mpi_cmp_mpi(&grp.N, &expected_n) == 0);
Dave Rodgman57080462022-06-17 13:41:18 +0100[diff] [blame]1299
1300exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1301 mbedtls_ecp_group_free(&grp);
1302 mbedtls_mpi_free(&expected_n);
Dave Rodgman57080462022-06-17 13:41:18 +0100[diff] [blame]1303}
Dave Rodgmaneb8570f2022-06-17 14:59:36 +0100[diff] [blame]1304/* END_CASE */
Gabor Mezei51ec06a2023-01-25 18:05:44 +0100[diff] [blame]1305
1306/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
1307void ecp_mod_p192_raw(char *input_N,
1308 char *input_X,
1309 char *result)
1310{
1311 mbedtls_mpi_uint *X = NULL;
1312 mbedtls_mpi_uint *N = NULL;
1313 mbedtls_mpi_uint *res = NULL;
1314 size_t limbs_X;
1315 size_t limbs_N;
1316 size_t limbs_res;
1317
1318 mbedtls_mpi_mod_modulus m;
1319 mbedtls_mpi_mod_modulus_init(&m);
1320
1321 TEST_EQUAL(mbedtls_test_read_mpi_core(&X, &limbs_X, input_X), 0);
1322 TEST_EQUAL(mbedtls_test_read_mpi_core(&N, &limbs_N, input_N), 0);
1323 TEST_EQUAL(mbedtls_test_read_mpi_core(&res, &limbs_res, result), 0);
1324
1325 size_t limbs = limbs_N;
1326 size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
1327
1328 TEST_EQUAL(limbs_X, 2 * limbs);
1329 TEST_EQUAL(limbs_res, limbs);
1330
1331 TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
1332 &m, N, limbs,
1333 MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0);
1334
Gabor Mezei2038ce92023-01-31 14:33:12 +0100[diff] [blame]1335 TEST_EQUAL(mbedtls_ecp_mod_p192_raw(X, limbs_X), 0);
Gabor Mezei23d4b8b2023-02-13 14:13:33 +0100[diff] [blame]1336 TEST_LE_U(mbedtls_mpi_core_bitlen(X, limbs_X), 192);
Gabor Mezei51ec06a2023-01-25 18:05:44 +0100[diff] [blame]1337 mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m);
1338 ASSERT_COMPARE(X, bytes, res, bytes);
1339
1340exit:
1341 mbedtls_free(X);
1342 mbedtls_free(res);
1343
1344 mbedtls_mpi_mod_modulus_free(&m);
1345 mbedtls_free(N);
1346}
1347/* END_CASE */
Gabor Mezeid8f67b92023-02-06 15:49:42 +0100[diff] [blame]1348
1349/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
1350void ecp_mod_p521_raw(char *input_N,
1351 char *input_X,
1352 char *result)
1353{
1354 mbedtls_mpi_uint *X = NULL;
1355 mbedtls_mpi_uint *N = NULL;
1356 mbedtls_mpi_uint *res = NULL;
1357 size_t limbs_X;
1358 size_t limbs_N;
1359 size_t limbs_res;
1360
1361 mbedtls_mpi_mod_modulus m;
1362 mbedtls_mpi_mod_modulus_init(&m);
1363
1364 TEST_EQUAL(mbedtls_test_read_mpi_core(&X, &limbs_X, input_X), 0);
1365 TEST_EQUAL(mbedtls_test_read_mpi_core(&N, &limbs_N, input_N), 0);
1366 TEST_EQUAL(mbedtls_test_read_mpi_core(&res, &limbs_res, result), 0);
1367
1368 size_t limbs = limbs_N;
1369 size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
1370
Gabor Mezeicf228702023-02-15 16:52:33 +0100[diff] [blame]1371 TEST_EQUAL(limbs_X, 2 * limbs);
Gabor Mezeid8f67b92023-02-06 15:49:42 +0100[diff] [blame]1372 TEST_EQUAL(limbs_res, limbs);
1373
1374 TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
1375 &m, N, limbs,
1376 MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0);
1377
Gabor Mezeib62ad5d2023-02-06 17:13:02 +0100[diff] [blame]1378 TEST_EQUAL(mbedtls_ecp_mod_p521_raw(X, limbs_X), 0);
Gabor Mezei555b1f72023-02-15 17:13:20 +0100[diff] [blame]1379 TEST_LE_U(mbedtls_mpi_core_bitlen(X, limbs_X), 522);
Gabor Mezeid8f67b92023-02-06 15:49:42 +0100[diff] [blame]1380 mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m);
1381 ASSERT_COMPARE(X, bytes, res, bytes);
1382
1383exit:
1384 mbedtls_free(X);
1385 mbedtls_free(res);
1386
1387 mbedtls_mpi_mod_modulus_free(&m);
1388 mbedtls_free(N);
1389}
1390/* END_CASE */
Minos Galanakis9a1d02d2023-02-03 19:14:56 +0000[diff] [blame^]1391
1392/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
1393void ecp_mod_setup(char *input_A, int id, int ctype, int iret)
1394{
1395 int ret;
1396 mbedtls_mpi_mod_modulus m;
1397 mbedtls_mpi_mod_modulus_init(&m);
1398 mbedtls_mpi_uint *p = NULL;
1399 size_t p_limbs;
1400 size_t bytes;
1401
1402 TEST_EQUAL(mbedtls_test_read_mpi_core(&p, &p_limbs, input_A), 0);
1403
1404 ret = mbedtls_ecp_modulus_setup(&m, id, ctype);
1405 TEST_EQUAL(ret, iret);
1406
1407 if (ret == 0) {
1408
1409 /* Test for limb sizes */
1410 TEST_EQUAL(m.limbs, p_limbs);
1411 bytes = p_limbs * sizeof(mbedtls_mpi_uint);
1412
1413 /* Test for validity of moduli by the presence of Montgomery consts */
1414
1415 TEST_ASSERT(m.rep.mont.mm != 0);
1416 TEST_ASSERT(m.rep.mont.rr != NULL);
1417
1418
1419 /* Compare output byte-by-byte */
1420 ASSERT_COMPARE(p, bytes, m.p, bytes);
1421
1422 /* Test for user free-ing allocated memory */
1423 mbedtls_mpi_mod_modulus_free(&m);
1424 }
1425
1426exit:
1427 mbedtls_mpi_mod_modulus_free(&m);
1428 mbedtls_free(p);
1429}
1430/* END_CASE */