tests/suites/test_suite_bignum_mod_raw.function

/* BEGIN_HEADER */
#include "mbedtls/bignum.h"
#include "mbedtls/entropy.h"
#include "bignum_core.h"
#include "bignum_mod_raw.h"
#include "constant_time_internal.h"
#include "test/constant_flow.h"

#include "bignum_mod_raw_invasive.h"

/* END_HEADER */

/* BEGIN_DEPENDENCIES
 * depends_on:MBEDTLS_BIGNUM_C:MBEDTLS_ECP_WITH_MPI_UINT
 * END_DEPENDENCIES
 */

/* BEGIN_CASE */
void mpi_mod_raw_io(data_t *input, int nb_int, int nx_32_int,
                    int iendian, int iret, int oret)
{
    mbedtls_mpi_mod_modulus m;
    mbedtls_mpi_mod_modulus_init(&m);

    if (iret != 0) {
        TEST_ASSERT(oret == 0);
    }

    TEST_LE_S(0, nb_int);
    size_t nb = nb_int;

    unsigned char buf[1024];
    TEST_LE_U(nb, sizeof(buf));

    /* nx_32_int is the number of 32 bit limbs, if we have 64 bit limbs we need
     * to halve the number of limbs to have the same size. */
    size_t nx;
    TEST_LE_S(0, nx_32_int);
    if (sizeof(mbedtls_mpi_uint) == 8) {
        nx = nx_32_int / 2 + nx_32_int % 2;
    } else {
        nx = nx_32_int;
    }

    mbedtls_mpi_uint X[sizeof(buf) / sizeof(mbedtls_mpi_uint)];
    TEST_LE_U(nx, sizeof(X) / sizeof(X[0]));

    int endian;
    if (iendian == MBEDTLS_MPI_MOD_EXT_REP_INVALID) {
        endian = MBEDTLS_MPI_MOD_EXT_REP_LE;
    } else {
        endian = iendian;
    }

    mbedtls_mpi_uint init[sizeof(X) / sizeof(X[0])];
    memset(init, 0xFF, sizeof(init));
    int ret = mbedtls_mpi_mod_modulus_setup(&m, init, nx);
    TEST_EQUAL(ret, 0);

    if (iendian == MBEDTLS_MPI_MOD_EXT_REP_INVALID && iret != 0) {
        endian = MBEDTLS_MPI_MOD_EXT_REP_INVALID;
    }

    ret = mbedtls_mpi_mod_raw_read(X, &m, input->x, input->len, endian);
    TEST_EQUAL(ret, iret);

    if (iret == 0) {
        if (iendian == MBEDTLS_MPI_MOD_EXT_REP_INVALID && oret != 0) {
            endian = MBEDTLS_MPI_MOD_EXT_REP_INVALID;
        }

        ret = mbedtls_mpi_mod_raw_write(X, &m, buf, nb, endian);
        TEST_EQUAL(ret, oret);
    }

    if ((iret == 0) && (oret == 0)) {
        if (nb > input->len) {
            if (endian == MBEDTLS_MPI_MOD_EXT_REP_BE) {
                size_t leading_zeroes = nb - input->len;
                TEST_ASSERT(memcmp(buf + nb - input->len, input->x, input->len) == 0);
                for (size_t i = 0; i < leading_zeroes; i++) {
                    TEST_EQUAL(buf[i], 0);
                }
            } else {
                TEST_ASSERT(memcmp(buf, input->x, input->len) == 0);
                for (size_t i = input->len; i < nb; i++) {
                    TEST_EQUAL(buf[i], 0);
                }
            }
        } else {
            if (endian == MBEDTLS_MPI_MOD_EXT_REP_BE) {
                size_t leading_zeroes = input->len - nb;
                TEST_ASSERT(memcmp(input->x + input->len - nb, buf, nb) == 0);
                for (size_t i = 0; i < leading_zeroes; i++) {
                    TEST_EQUAL(input->x[i], 0);
                }
            } else {
                TEST_ASSERT(memcmp(input->x, buf, nb) == 0);
                for (size_t i = nb; i < input->len; i++) {
                    TEST_EQUAL(input->x[i], 0);
                }
            }
        }
    }

exit:
    mbedtls_mpi_mod_modulus_free(&m);
}
/* END_CASE */

/* BEGIN_CASE */
void mpi_mod_raw_cond_assign(char *input_X,
                             char *input_Y,
                             int input_bytes)
{
    mbedtls_mpi_uint *X = NULL;
    mbedtls_mpi_uint *Y = NULL;
    mbedtls_mpi_uint *buff_m = NULL;
    size_t limbs_X;
    size_t limbs_Y;

    mbedtls_mpi_mod_modulus m;
    mbedtls_mpi_mod_modulus_init(&m);

    TEST_EQUAL(mbedtls_test_read_mpi_core(&X, &limbs_X, input_X), 0);
    TEST_EQUAL(mbedtls_test_read_mpi_core(&Y, &limbs_Y, input_Y), 0);

    size_t limbs = limbs_X;
    size_t copy_limbs = CHARS_TO_LIMBS(input_bytes);
    size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
    size_t copy_bytes = copy_limbs * sizeof(mbedtls_mpi_uint);

    TEST_EQUAL(limbs_X, limbs_Y);
    TEST_ASSERT(copy_limbs <= limbs);

    TEST_CALLOC(buff_m, copy_limbs);
    memset(buff_m, 0xFF, copy_limbs);
    TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
                   &m, buff_m, copy_limbs), 0);

    /* condition is false */
    TEST_CF_SECRET(X, bytes);
    TEST_CF_SECRET(Y, bytes);

    mbedtls_mpi_mod_raw_cond_assign(X, Y, &m, 0);

    TEST_CF_PUBLIC(X, bytes);
    TEST_CF_PUBLIC(Y, bytes);

    TEST_ASSERT(memcmp(X, Y, bytes) != 0);

    /* condition is true */
    TEST_CF_SECRET(X, bytes);
    TEST_CF_SECRET(Y, bytes);

    mbedtls_mpi_mod_raw_cond_assign(X, Y, &m, 1);

    TEST_CF_PUBLIC(X, bytes);
    TEST_CF_PUBLIC(Y, bytes);

    /* Check if the given length is copied even it is smaller
       than the length of the given MPIs. */
    if (copy_limbs < limbs) {
        TEST_MEMORY_COMPARE(X, copy_bytes, Y, copy_bytes);
        TEST_ASSERT(memcmp(X, Y, bytes) != 0);
    } else {
        TEST_MEMORY_COMPARE(X, bytes, Y, bytes);
    }

exit:
    mbedtls_free(X);
    mbedtls_free(Y);

    mbedtls_mpi_mod_modulus_free(&m);
    mbedtls_free(buff_m);
}
/* END_CASE */

/* BEGIN_CASE */
void mpi_mod_raw_cond_swap(char *input_X,
                           char *input_Y,
                           int input_bytes)
{
    mbedtls_mpi_uint *tmp_X = NULL;
    mbedtls_mpi_uint *tmp_Y = NULL;
    mbedtls_mpi_uint *X = NULL;
    mbedtls_mpi_uint *Y = NULL;
    mbedtls_mpi_uint *buff_m = NULL;
    size_t limbs_X;
    size_t limbs_Y;

    mbedtls_mpi_mod_modulus m;
    mbedtls_mpi_mod_modulus_init(&m);

    TEST_EQUAL(mbedtls_test_read_mpi_core(&tmp_X, &limbs_X, input_X), 0);
    TEST_EQUAL(mbedtls_test_read_mpi_core(&tmp_Y, &limbs_Y, input_Y), 0);

    size_t limbs = limbs_X;
    size_t copy_limbs = CHARS_TO_LIMBS(input_bytes);
    size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
    size_t copy_bytes = copy_limbs * sizeof(mbedtls_mpi_uint);

    TEST_EQUAL(limbs_X, limbs_Y);
    TEST_ASSERT(copy_limbs <= limbs);

    TEST_CALLOC(buff_m, copy_limbs);
    memset(buff_m, 0xFF, copy_limbs);
    TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
                   &m, buff_m, copy_limbs), 0);

    TEST_CALLOC(X, limbs);
    memcpy(X, tmp_X, bytes);

    TEST_CALLOC(Y, bytes);
    memcpy(Y, tmp_Y, bytes);

    /* condition is false */
    TEST_CF_SECRET(X, bytes);
    TEST_CF_SECRET(Y, bytes);

    mbedtls_mpi_mod_raw_cond_swap(X, Y, &m, 0);

    TEST_CF_PUBLIC(X, bytes);
    TEST_CF_PUBLIC(Y, bytes);

    TEST_MEMORY_COMPARE(X, bytes, tmp_X, bytes);
    TEST_MEMORY_COMPARE(Y, bytes, tmp_Y, bytes);

    /* condition is true */
    TEST_CF_SECRET(X, bytes);
    TEST_CF_SECRET(Y, bytes);

    mbedtls_mpi_mod_raw_cond_swap(X, Y, &m, 1);

    TEST_CF_PUBLIC(X, bytes);
    TEST_CF_PUBLIC(Y, bytes);

    /* Check if the given length is copied even it is smaller
       than the length of the given MPIs. */
    if (copy_limbs < limbs) {
        TEST_MEMORY_COMPARE(X, copy_bytes, tmp_Y, copy_bytes);
        TEST_MEMORY_COMPARE(Y, copy_bytes, tmp_X, copy_bytes);
        TEST_ASSERT(memcmp(X, tmp_X, bytes) != 0);
        TEST_ASSERT(memcmp(X, tmp_Y, bytes) != 0);
        TEST_ASSERT(memcmp(Y, tmp_X, bytes) != 0);
        TEST_ASSERT(memcmp(Y, tmp_Y, bytes) != 0);
    } else {
        TEST_MEMORY_COMPARE(X, bytes, tmp_Y, bytes);
        TEST_MEMORY_COMPARE(Y, bytes, tmp_X, bytes);
    }

exit:
    mbedtls_free(tmp_X);
    mbedtls_free(tmp_Y);
    mbedtls_free(X);
    mbedtls_free(Y);

    mbedtls_mpi_mod_modulus_free(&m);
    mbedtls_free(buff_m);
}
/* END_CASE */

/* BEGIN_CASE */
void mpi_mod_raw_sub(char *input_A,
                     char *input_B,
                     char *input_N,
                     char *result)
{
    mbedtls_mpi_uint *A = NULL;
    mbedtls_mpi_uint *B = NULL;
    mbedtls_mpi_uint *N = NULL;
    mbedtls_mpi_uint *X = NULL;
    mbedtls_mpi_uint *res = NULL;
    size_t limbs_A;
    size_t limbs_B;
    size_t limbs_N;
    size_t limbs_res;

    mbedtls_mpi_mod_modulus m;
    mbedtls_mpi_mod_modulus_init(&m);

    TEST_EQUAL(mbedtls_test_read_mpi_core(&A,   &limbs_A,   input_A), 0);
    TEST_EQUAL(mbedtls_test_read_mpi_core(&B,   &limbs_B,   input_B), 0);
    TEST_EQUAL(mbedtls_test_read_mpi_core(&N,   &limbs_N,   input_N), 0);
    TEST_EQUAL(mbedtls_test_read_mpi_core(&res, &limbs_res, result), 0);

    size_t limbs = limbs_N;
    size_t bytes = limbs * sizeof(mbedtls_mpi_uint);

    TEST_EQUAL(limbs_A,   limbs);
    TEST_EQUAL(limbs_B,   limbs);
    TEST_EQUAL(limbs_res, limbs);

    TEST_CALLOC(X, limbs);

    TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
                   &m, N, limbs), 0);

    mbedtls_mpi_mod_raw_sub(X, A, B, &m);
    TEST_MEMORY_COMPARE(X, bytes, res, bytes);

    /* alias X to A */
    memcpy(X, A, bytes);
    mbedtls_mpi_mod_raw_sub(X, X, B, &m);
    TEST_MEMORY_COMPARE(X, bytes, res, bytes);

    /* alias X to B */
    memcpy(X, B, bytes);
    mbedtls_mpi_mod_raw_sub(X, A, X, &m);
    TEST_MEMORY_COMPARE(X, bytes, res, bytes);

    /* A == B: alias A and B */
    if (memcmp(A, B, bytes) == 0) {
        mbedtls_mpi_mod_raw_sub(X, A, A, &m);
        TEST_MEMORY_COMPARE(X, bytes, res, bytes);

        /* X, A, B all aliased together */
        memcpy(X, A, bytes);
        mbedtls_mpi_mod_raw_sub(X, X, X, &m);
        TEST_MEMORY_COMPARE(X, bytes, res, bytes);
    }
exit:
    mbedtls_free(A);
    mbedtls_free(B);
    mbedtls_free(X);
    mbedtls_free(res);

    mbedtls_mpi_mod_modulus_free(&m);
    mbedtls_free(N);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
void mpi_mod_raw_fix_quasi_reduction(char *input_N,
                                     char *input_X,
                                     char *result)
{
    mbedtls_mpi_uint *X = NULL;
    mbedtls_mpi_uint *N = NULL;
    mbedtls_mpi_uint *res = NULL;
    mbedtls_mpi_uint *tmp = NULL;
    size_t limbs_X;
    size_t limbs_N;
    size_t limbs_res;

    mbedtls_mpi_mod_modulus m;
    mbedtls_mpi_mod_modulus_init(&m);

    TEST_EQUAL(mbedtls_test_read_mpi_core(&X,   &limbs_X,   input_X), 0);
    TEST_EQUAL(mbedtls_test_read_mpi_core(&N,   &limbs_N,   input_N), 0);
    TEST_EQUAL(mbedtls_test_read_mpi_core(&res, &limbs_res, result),  0);

    size_t limbs = limbs_N;
    size_t bytes = limbs * sizeof(mbedtls_mpi_uint);

    TEST_EQUAL(limbs_X,   limbs);
    TEST_EQUAL(limbs_res, limbs);

    TEST_CALLOC(tmp, limbs);
    memcpy(tmp, X, bytes);

    /* Check that 0 <= X < 2N */
    mbedtls_mpi_uint c = mbedtls_mpi_core_sub(tmp, X, N, limbs);
    TEST_ASSERT(c || mbedtls_mpi_core_lt_ct(tmp, N, limbs));

    TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
                   &m, N, limbs), 0);

    mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m);
    TEST_MEMORY_COMPARE(X, bytes, res, bytes);

exit:
    mbedtls_free(X);
    mbedtls_free(res);
    mbedtls_free(tmp);

    mbedtls_mpi_mod_modulus_free(&m);
    mbedtls_free(N);
}
/* END_CASE */

/* BEGIN_CASE */
void mpi_mod_raw_mul(char *input_A,
                     char *input_B,
                     char *input_N,
                     char *result)
{
    mbedtls_mpi_uint *A = NULL;
    mbedtls_mpi_uint *B = NULL;
    mbedtls_mpi_uint *N = NULL;
    mbedtls_mpi_uint *X = NULL;
    mbedtls_mpi_uint *R = NULL;
    mbedtls_mpi_uint *T = NULL;
    size_t limbs_A;
    size_t limbs_B;
    size_t limbs_N;
    size_t limbs_R;

    mbedtls_mpi_mod_modulus m;
    mbedtls_mpi_mod_modulus_init(&m);

    TEST_EQUAL(mbedtls_test_read_mpi_core(&A, &limbs_A, input_A), 0);
    TEST_EQUAL(mbedtls_test_read_mpi_core(&B, &limbs_B, input_B), 0);
    TEST_EQUAL(mbedtls_test_read_mpi_core(&N, &limbs_N, input_N), 0);
    TEST_EQUAL(mbedtls_test_read_mpi_core(&R, &limbs_R, result), 0);

    const size_t limbs = limbs_N;
    const size_t bytes = limbs * sizeof(mbedtls_mpi_uint);

    TEST_EQUAL(limbs_A, limbs);
    TEST_EQUAL(limbs_B, limbs);
    TEST_EQUAL(limbs_R, limbs);

    TEST_CALLOC(X, limbs);

    TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
                   &m, N, limbs), 0);

    const size_t limbs_T = limbs * 2 + 1;
    TEST_CALLOC(T, limbs_T);

    mbedtls_mpi_mod_raw_mul(X, A, B, &m, T);
    TEST_MEMORY_COMPARE(X, bytes, R, bytes);

    /* alias X to A */
    memcpy(X, A, bytes);
    mbedtls_mpi_mod_raw_mul(X, X, B, &m, T);
    TEST_MEMORY_COMPARE(X, bytes, R, bytes);

    /* alias X to B */
    memcpy(X, B, bytes);
    mbedtls_mpi_mod_raw_mul(X, A, X, &m, T);
    TEST_MEMORY_COMPARE(X, bytes, R, bytes);

    /* A == B: alias A and B */
    if (memcmp(A, B, bytes) == 0) {
        mbedtls_mpi_mod_raw_mul(X, A, A, &m, T);
        TEST_MEMORY_COMPARE(X, bytes, R, bytes);

        /* X, A, B all aliased together */
        memcpy(X, A, bytes);
        mbedtls_mpi_mod_raw_mul(X, X, X, &m, T);
        TEST_MEMORY_COMPARE(X, bytes, R, bytes);
    }
    /* A != B: test B * A */
    else {
        mbedtls_mpi_mod_raw_mul(X, B, A, &m, T);
        TEST_MEMORY_COMPARE(X, bytes, R, bytes);

        /* B * A: alias X to A */
        memcpy(X, A, bytes);
        mbedtls_mpi_mod_raw_mul(X, B, X, &m, T);
        TEST_MEMORY_COMPARE(X, bytes, R, bytes);

        /* B + A: alias X to B */
        memcpy(X, B, bytes);
        mbedtls_mpi_mod_raw_mul(X, X, A, &m, T);
        TEST_MEMORY_COMPARE(X, bytes, R, bytes);
    }

exit:
    mbedtls_free(A);
    mbedtls_free(B);
    mbedtls_free(X);
    mbedtls_free(R);
    mbedtls_free(T);

    mbedtls_mpi_mod_modulus_free(&m);
    mbedtls_free(N);
}
/* END_CASE */

/* BEGIN_CASE */
void mpi_mod_raw_inv_prime(char *input_N, char *input_A, char *input_X)
{
    mbedtls_mpi_uint *A = NULL;
    mbedtls_mpi_uint *N = NULL;
    mbedtls_mpi_uint *X = NULL;
    size_t A_limbs, N_limbs, X_limbs;
    mbedtls_mpi_uint *Y = NULL;
    mbedtls_mpi_uint *T = NULL;
    const mbedtls_mpi_uint *R2 = NULL;

    /* Legacy MPIs for computing R2 */
    mbedtls_mpi N_mpi;  /* gets set up manually, aliasing N, so no need to free */
    mbedtls_mpi R2_mpi;
    mbedtls_mpi_init(&R2_mpi);

    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&A, &A_limbs, input_A));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&N, &N_limbs, input_N));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&X, &X_limbs, input_X));
    TEST_CALLOC(Y, N_limbs);

    TEST_EQUAL(A_limbs, N_limbs);
    TEST_EQUAL(X_limbs, N_limbs);

    N_mpi.s = 1;
    N_mpi.p = N;
    N_mpi.n = N_limbs;
    TEST_EQUAL(0, mbedtls_mpi_core_get_mont_r2_unsafe(&R2_mpi, &N_mpi));
    TEST_EQUAL(0, mbedtls_mpi_grow(&R2_mpi, N_limbs));
    R2 = R2_mpi.p;

    size_t working_limbs = mbedtls_mpi_mod_raw_inv_prime_working_limbs(N_limbs);

    /* No point exactly duplicating the code in mbedtls_mpi_mod_raw_inv_prime_working_limbs()
     * to see if the output is correct, but we can check that it's in a
     * reasonable range.  The current calculation works out as
     * `1 + N_limbs * (welem + 4)`, where welem is the number of elements in
     * the window (1 << 1 up to 1 << 6).
     */
    size_t min_expected_working_limbs = 1 + N_limbs * 5;
    size_t max_expected_working_limbs = 1 + N_limbs * 68;

    TEST_LE_U(min_expected_working_limbs, working_limbs);
    TEST_LE_U(working_limbs, max_expected_working_limbs);

    /* Should also be at least mbedtls_mpi_core_montmul_working_limbs() */
    TEST_LE_U(mbedtls_mpi_core_montmul_working_limbs(N_limbs),
              working_limbs);

    TEST_CALLOC(T, working_limbs);

    mbedtls_mpi_mod_raw_inv_prime(Y, A, N, N_limbs, R2, T);

    TEST_EQUAL(0, memcmp(X, Y, N_limbs * sizeof(mbedtls_mpi_uint)));

    /* Check when output aliased to input */

    mbedtls_mpi_mod_raw_inv_prime(A, A, N, N_limbs, R2, T);

    TEST_EQUAL(0, memcmp(X, A, N_limbs * sizeof(mbedtls_mpi_uint)));

exit:
    mbedtls_free(T);
    mbedtls_free(A);
    mbedtls_free(N);
    mbedtls_free(X);
    mbedtls_free(Y);
    mbedtls_mpi_free(&R2_mpi);
    // R2 doesn't need to be freed as it is only aliasing R2_mpi
    // N_mpi doesn't need to be freed as it is only aliasing N
}
/* END_CASE */

/* BEGIN_CASE */
void mpi_mod_raw_add(char *input_N,
                     char *input_A, char *input_B,
                     char *input_S)
{
    mbedtls_mpi_uint *A = NULL;
    mbedtls_mpi_uint *B = NULL;
    mbedtls_mpi_uint *S = NULL;
    mbedtls_mpi_uint *N = NULL;
    mbedtls_mpi_uint *X = NULL;
    size_t A_limbs, B_limbs, N_limbs, S_limbs;

    mbedtls_mpi_mod_modulus m;
    mbedtls_mpi_mod_modulus_init(&m);

    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&A, &A_limbs, input_A));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&B, &B_limbs, input_B));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&N, &N_limbs, input_N));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&S, &S_limbs, input_S));

    /* Modulus gives the number of limbs; all inputs must have the same. */
    size_t limbs = N_limbs;
    size_t bytes = limbs * sizeof(*A);

    TEST_EQUAL(A_limbs, limbs);
    TEST_EQUAL(B_limbs, limbs);
    TEST_EQUAL(S_limbs, limbs);

    TEST_CALLOC(X, limbs);

    TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
                   &m, N, limbs), 0);

    /* A + B => Correct result */
    mbedtls_mpi_mod_raw_add(X, A, B, &m);
    TEST_MEMORY_COMPARE(X, bytes, S, bytes);

    /* A + B: alias X to A => Correct result */
    memcpy(X, A, bytes);
    mbedtls_mpi_mod_raw_add(X, X, B, &m);
    TEST_MEMORY_COMPARE(X, bytes, S, bytes);

    /* A + B: alias X to B => Correct result */
    memcpy(X, B, bytes);
    mbedtls_mpi_mod_raw_add(X, A, X, &m);
    TEST_MEMORY_COMPARE(X, bytes, S, bytes);

    if (memcmp(A, B, bytes) == 0) {
        /* A == B: alias A and B */

        /* A + A => Correct result */
        mbedtls_mpi_mod_raw_add(X, A, A, &m);
        TEST_MEMORY_COMPARE(X, bytes, S, bytes);

        /* A + A: X, A, B all aliased together => Correct result */
        memcpy(X, A, bytes);
        mbedtls_mpi_mod_raw_add(X, X, X, &m);
        TEST_MEMORY_COMPARE(X, bytes, S, bytes);
    } else {
        /* A != B: test B + A */

        /* B + A => Correct result */
        mbedtls_mpi_mod_raw_add(X, B, A, &m);
        TEST_MEMORY_COMPARE(X, bytes, S, bytes);

        /* B + A: alias X to A => Correct result */
        memcpy(X, A, bytes);
        mbedtls_mpi_mod_raw_add(X, B, X, &m);
        TEST_MEMORY_COMPARE(X, bytes, S, bytes);

        /* B + A: alias X to B => Correct result */
        memcpy(X, B, bytes);
        mbedtls_mpi_mod_raw_add(X, X, A, &m);
        TEST_MEMORY_COMPARE(X, bytes, S, bytes);
    }

exit:
    mbedtls_mpi_mod_modulus_free(&m);

    mbedtls_free(A);
    mbedtls_free(B);
    mbedtls_free(S);
    mbedtls_free(N);
    mbedtls_free(X);
}
/* END_CASE */

/* BEGIN_CASE */
void mpi_mod_raw_canonical_to_modulus_rep(const char *input_N, int rep,
                                          const char *input_A,
                                          const char *input_X)
{
    mbedtls_mpi_mod_modulus N;
    mbedtls_mpi_mod_modulus_init(&N);
    mbedtls_mpi_uint *A = NULL;
    size_t A_limbs = 0;;
    mbedtls_mpi_uint *X = NULL;
    size_t X_limbs = 0;

    TEST_EQUAL(0, mbedtls_test_read_mpi_modulus(&N, input_N, rep));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&A, &A_limbs, input_A));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&X, &X_limbs, input_X));

    TEST_EQUAL(0, mbedtls_mpi_mod_raw_canonical_to_modulus_rep(A, &N));
    TEST_MEMORY_COMPARE(A, A_limbs * sizeof(mbedtls_mpi_uint),
                        X, X_limbs * sizeof(mbedtls_mpi_uint));

exit:
    mbedtls_test_mpi_mod_modulus_free_with_limbs(&N);
    mbedtls_free(A);
    mbedtls_free(X);
}
/* END_CASE */

/* BEGIN_CASE */
void mpi_mod_raw_modulus_to_canonical_rep(const char *input_N, int rep,
                                          const char *input_A,
                                          const char *input_X)
{
    mbedtls_mpi_mod_modulus N;
    mbedtls_mpi_mod_modulus_init(&N);
    mbedtls_mpi_uint *A = NULL;
    size_t A_limbs = 0;
    mbedtls_mpi_uint *X = NULL;
    size_t X_limbs = 0;

    TEST_EQUAL(0, mbedtls_test_read_mpi_modulus(&N, input_N, rep));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&A, &A_limbs, input_A));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&X, &X_limbs, input_X));

    TEST_EQUAL(0, mbedtls_mpi_mod_raw_modulus_to_canonical_rep(A, &N));
    TEST_MEMORY_COMPARE(A, A_limbs * sizeof(mbedtls_mpi_uint),
                        X, X_limbs * sizeof(mbedtls_mpi_uint));

exit:
    mbedtls_test_mpi_mod_modulus_free_with_limbs(&N);
    mbedtls_free(A);
    mbedtls_free(X);
}
/* END_CASE */

/* BEGIN_CASE */
void mpi_mod_raw_to_mont_rep(char *input_N, char *input_A, char *input_X)
{
    mbedtls_mpi_uint *N = NULL;
    mbedtls_mpi_uint *A = NULL;
    mbedtls_mpi_uint *R = NULL; /* for result of low-level conversion */
    mbedtls_mpi_uint *X = NULL;
    mbedtls_mpi_uint *T = NULL;
    size_t n_limbs, a_limbs, x_limbs;

    mbedtls_mpi_mod_modulus m;
    mbedtls_mpi_mod_modulus_init(&m);

    /* Read inputs */
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&N, &n_limbs, input_N));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&A, &a_limbs, input_A));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&X, &x_limbs, input_X));

    /* Number to convert must have same number of limbs as modulus */
    TEST_EQUAL(a_limbs, n_limbs);

    /* Higher-level conversion is in-place, so expected result must have the
     * same number of limbs too */
    TEST_EQUAL(x_limbs, n_limbs);

    size_t limbs = n_limbs;
    size_t bytes = limbs * sizeof(mbedtls_mpi_uint);

    TEST_EQUAL(0, mbedtls_mpi_mod_modulus_setup(&m, N, n_limbs));

    /* 1. Test low-level function first */

    /* It has separate output, and requires temporary working storage */
    size_t temp_limbs = mbedtls_mpi_core_montmul_working_limbs(limbs);
    TEST_CALLOC(T, temp_limbs);
    TEST_CALLOC(R, limbs);
    mbedtls_mpi_core_to_mont_rep(R, A, N, n_limbs,
                                 m.rep.mont.mm, m.rep.mont.rr, T);
    /* Test that the low-level function gives the required value */
    TEST_MEMORY_COMPARE(R, bytes, X, bytes);

    /* Test when output is aliased to input */
    memcpy(R, A, bytes);
    mbedtls_mpi_core_to_mont_rep(R, R, N, n_limbs,
                                 m.rep.mont.mm, m.rep.mont.rr, T);
    TEST_MEMORY_COMPARE(R, bytes, X, bytes);

    /* 2. Test higher-level cannonical to Montgomery conversion */

    TEST_EQUAL(0, mbedtls_mpi_mod_raw_to_mont_rep(A, &m));

    /* The result matches expected value */
    TEST_MEMORY_COMPARE(A, bytes, X, bytes);

exit:
    mbedtls_mpi_mod_modulus_free(&m);
    mbedtls_free(T);
    mbedtls_free(N);
    mbedtls_free(A);
    mbedtls_free(R);
    mbedtls_free(X);
}
/* END_CASE */

/* BEGIN_CASE */
void mpi_mod_raw_from_mont_rep(char *input_N, char *input_A, char *input_X)
{
    mbedtls_mpi_uint *N = NULL;
    mbedtls_mpi_uint *A = NULL;
    mbedtls_mpi_uint *R = NULL; /* for result of low-level conversion */
    mbedtls_mpi_uint *X = NULL;
    mbedtls_mpi_uint *T = NULL;
    size_t n_limbs, a_limbs, x_limbs;

    mbedtls_mpi_mod_modulus m;
    mbedtls_mpi_mod_modulus_init(&m);

    /* Read inputs */
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&N, &n_limbs, input_N));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&A, &a_limbs, input_A));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&X, &x_limbs, input_X));

    /* Number to convert must have same number of limbs as modulus */
    TEST_EQUAL(a_limbs, n_limbs);

    /* Higher-level conversion is in-place, so expected result must have the
     * same number of limbs too */
    TEST_EQUAL(x_limbs, n_limbs);

    size_t limbs = n_limbs;
    size_t bytes = limbs * sizeof(mbedtls_mpi_uint);

    TEST_EQUAL(0, mbedtls_mpi_mod_modulus_setup(&m, N, n_limbs));

    /* 1. Test low-level function first */

    /* It has separate output, and requires temporary working storage */
    size_t temp_limbs = mbedtls_mpi_core_montmul_working_limbs(limbs);
    TEST_CALLOC(T, temp_limbs);
    TEST_CALLOC(R, limbs);
    mbedtls_mpi_core_from_mont_rep(R, A, N, n_limbs,
                                   m.rep.mont.mm, T);
    /* Test that the low-level function gives the required value */
    TEST_MEMORY_COMPARE(R, bytes, X, bytes);

    /* Test when output is aliased to input */
    memcpy(R, A, bytes);
    mbedtls_mpi_core_from_mont_rep(R, R, N, n_limbs,
                                   m.rep.mont.mm, T);
    TEST_MEMORY_COMPARE(R, bytes, X, bytes);

    /* 2. Test higher-level Montgomery to cannonical conversion */

    TEST_EQUAL(0, mbedtls_mpi_mod_raw_from_mont_rep(A, &m));

    /* The result matches expected value */
    TEST_MEMORY_COMPARE(A, bytes, X, bytes);

exit:
    mbedtls_mpi_mod_modulus_free(&m);
    mbedtls_free(T);
    mbedtls_free(N);
    mbedtls_free(A);
    mbedtls_free(R);
    mbedtls_free(X);
}
/* END_CASE */

/* BEGIN_CASE */
void mpi_mod_raw_neg(char *input_N, char *input_A, char *input_X)
{
    mbedtls_mpi_uint *N = NULL;
    mbedtls_mpi_uint *A = NULL;
    mbedtls_mpi_uint *X = NULL;
    mbedtls_mpi_uint *R = NULL;
    mbedtls_mpi_uint *Z = NULL;
    size_t n_limbs, a_limbs, x_limbs, bytes;

    mbedtls_mpi_mod_modulus m;
    mbedtls_mpi_mod_modulus_init(&m);

    /* Read inputs */
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&N, &n_limbs, input_N));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&A, &a_limbs, input_A));
    TEST_EQUAL(0, mbedtls_test_read_mpi_core(&X, &x_limbs, input_X));

    TEST_EQUAL(a_limbs, n_limbs);
    TEST_EQUAL(x_limbs, n_limbs);
    bytes = n_limbs * sizeof(mbedtls_mpi_uint);

    TEST_CALLOC(R, n_limbs);
    TEST_CALLOC(Z, n_limbs);

    TEST_EQUAL(0, mbedtls_mpi_mod_modulus_setup(&m, N, n_limbs));

    /* Neg( A == 0 ) => Zero result */
    mbedtls_mpi_mod_raw_neg(R, Z, &m);
    TEST_MEMORY_COMPARE(R, bytes, Z, bytes);

    /* Neg( A == N ) => Zero result */
    mbedtls_mpi_mod_raw_neg(R, N, &m);
    TEST_MEMORY_COMPARE(R, bytes, Z, bytes);

    /* Neg( A ) => Correct result */
    mbedtls_mpi_mod_raw_neg(R, A, &m);
    TEST_MEMORY_COMPARE(R, bytes, X, bytes);

    /* Neg( A ): alias A to R => Correct result */
    mbedtls_mpi_mod_raw_neg(A, A, &m);
    TEST_MEMORY_COMPARE(A, bytes, X, bytes);
exit:
    mbedtls_mpi_mod_modulus_free(&m);
    mbedtls_free(N);
    mbedtls_free(A);
    mbedtls_free(X);
    mbedtls_free(R);
    mbedtls_free(Z);
}
/* END_CASE */