From 72ee1e3f3c4b7045cca770577d70cc88cb7b5460 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 21:34:09 +0100 Subject: [PATCH 1/9] Unify mbedtls_mpi_add_mpi and mbedtls_mpi_sub_mpi mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi() have the same logic, just with one bit to flip in the sign calculation. Move the shared logic to a new auxiliary function. This slightly reduces the code size (if the compiler doesn't inline) and reduces the maintenance burden. Signed-off-by: Gilles Peskine --- library/bignum.c | 47 +++++++++++++++-------------------------------- 1 file changed, 15 insertions(+), 32 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 521787d74..abbf9b8a4 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -972,10 +972,12 @@ cleanup: return( ret ); } -/* - * Signed addition: X = A + B +/* Common function for signed addition and subtraction. + * Calculate A + B * flip_B where flip_B is 1 or -1. */ -int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B ) +static int add_sub_mpi( mbedtls_mpi *X, + const mbedtls_mpi *A, const mbedtls_mpi *B, + int flip_B ) { int ret, s; MPI_VALIDATE_RET( X != NULL ); @@ -983,7 +985,7 @@ int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi MPI_VALIDATE_RET( B != NULL ); s = A->s; - if( A->s * B->s < 0 ) + if( A->s * B->s * flip_B < 0 ) { if( mbedtls_mpi_cmp_abs( A, B ) >= 0 ) { @@ -1007,39 +1009,20 @@ cleanup: return( ret ); } +/* + * Signed addition: X = A + B + */ +int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B ) +{ + return( add_sub_mpi( X, A, B, 1 ) ); +} + /* * Signed subtraction: X = A - B */ int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B ) { - int ret, s; - MPI_VALIDATE_RET( X != NULL ); - MPI_VALIDATE_RET( A != NULL ); - MPI_VALIDATE_RET( B != NULL ); - - s = A->s; - if( A->s * B->s > 0 ) - { - if( mbedtls_mpi_cmp_abs( A, B ) >= 0 ) - { - MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) ); - X->s = s; - } - else - { - MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) ); - X->s = -s; - } - } - else - { - MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) ); - X->s = s; - } - -cleanup: - - return( ret ); + return( add_sub_mpi( X, A, B, -1 ) ); } /* From 128895775d4ccb64977f1d3f7020b85f19428fa8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 21:55:33 +0100 Subject: [PATCH 2/9] Document invariants of MPI objects Note that s must be +1 for zero. Note that p may be NULL for zero, when n is 0. Signed-off-by: Gilles Peskine --- include/mbedtls/bignum.h | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index 9d15955f3..3bd1ca026 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h @@ -188,9 +188,27 @@ extern "C" { */ typedef struct mbedtls_mpi { - int MBEDTLS_PRIVATE(s); /*!< Sign: -1 if the mpi is negative, 1 otherwise */ - size_t MBEDTLS_PRIVATE(n); /*!< total # of limbs */ - mbedtls_mpi_uint *MBEDTLS_PRIVATE(p); /*!< pointer to limbs */ + /** Sign: -1 if the mpi is negative, 1 otherwise. + * + * The number 0 must be represented with `s = +1`. Although many library + * functions treat all-limbs-zero as equivalent to a valid representation + * of 0 regardless of the sign bit, there are exceptions, so bignum + * functions and external callers must always set \c s to +1 for the + * number zero. + * + * Note that this implies that calloc() or `... = {0}` does not create + * a valid MPI representation. You must call mbedtls_mpi_init(). + */ + int MBEDTLS_PRIVATE(s); + + /** Total number of limbs in \c p. */ + size_t MBEDTLS_PRIVATE(n); + + /** Pointer to limbs. + * + * This may be \c NULL if \c n is 0. + */ + mbedtls_mpi_uint *MBEDTLS_PRIVATE(p); } mbedtls_mpi; From 4cbbfd8d4ee6c724c385688467f23ca5a73071fc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 21:57:52 +0100 Subject: [PATCH 3/9] For binary operations, test both x op y and y op x This exposes a bug in mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi() which will be fixed in a subsequent commit. Signed-off-by: Gilles Peskine --- scripts/mbedtls_dev/bignum_common.py | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 279668fd5..c2891fc61 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -57,15 +57,8 @@ def limbs_mpi(val: int, bits_in_limb: int) -> int: return (val.bit_length() + bits_in_limb - 1) // bits_in_limb def combination_pairs(values: List[T]) -> List[Tuple[T, T]]: - """Return all pair combinations from input values. - - The return value is cast, as older versions of mypy are unable to derive - the specific type returned by itertools.combinations_with_replacement. - """ - return typing.cast( - List[Tuple[T, T]], - list(itertools.combinations_with_replacement(values, 2)) - ) + """Return all pair combinations from input values.""" + return [(x, y) for x in values for y in values] class OperationCommon: From 4a768dd17d9910e0e90ae739ecdaf68de1ee78f9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 22:02:16 +0100 Subject: [PATCH 4/9] Fix negative zero created by (-A) + (+A) or (-A) - (-A) In mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi(), and by extention mbedtls_mpi_add_int() and mbedtls_mpi_sub_int(), when the resulting value was zero, the sign bit of the result was incorrectly set to -1 when the left-hand operand was negative. This is not a valid mbedtls_mpi representation. Fix this: always set the sign to +1 when the result is 0. Signed-off-by: Gilles Peskine --- library/bignum.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index abbf9b8a4..42be815ba 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -987,14 +987,19 @@ static int add_sub_mpi( mbedtls_mpi *X, s = A->s; if( A->s * B->s * flip_B < 0 ) { - if( mbedtls_mpi_cmp_abs( A, B ) >= 0 ) + int cmp = mbedtls_mpi_cmp_abs( A, B ); + if( cmp >= 0 ) { MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) ); - X->s = s; + /* If |A| = |B|, the result is 0 and we must set the sign bit + * to +1 regardless of which of A or B was negative. Otherwise, + * since |A| > |B|, the sign is the sign of A. */ + X->s = cmp == 0 ? 1 : s; } else { MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) ); + /* Since |A| < |B|, the sign is the opposite of A. */ X->s = -s; } } From 806c9588ef424af188c5afe3c0932acee131bd63 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 22:05:52 +0100 Subject: [PATCH 5/9] Changelog entry for the negative zero from add/sub Signed-off-by: Gilles Peskine --- ChangeLog.d/negative-zero-from-add.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/negative-zero-from-add.txt diff --git a/ChangeLog.d/negative-zero-from-add.txt b/ChangeLog.d/negative-zero-from-add.txt new file mode 100644 index 000000000..107d858d3 --- /dev/null +++ b/ChangeLog.d/negative-zero-from-add.txt @@ -0,0 +1,6 @@ +Bugfix + * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A) + with A > 0 created an unintended representation of the value 0 which was + not processed correctly by some bignum operations. Fix this. This had no + consequence on cryptography code, but might affect applications that call + bignum directly and use negative numbers. From ca6e8aac587966c726c25723c67c3680edc57ef5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 21:08:44 +0100 Subject: [PATCH 6/9] Support negative zero as MPI test input The bignum module does not officially support "negative zero" (an mbedtls_mpi object with s=-1 and all limbs zero). However, we have a history of bugs where a function that should produce an official zero (with s=1), produces a negative zero in some circumstances. So it's good to check that the bignum functions are robust when passed a negative zero as input. And for that, we need a way to construct a negative zero from test case arguments. There are checks that functions don't produce negative zeros as output in the test suite. Skip those checks if there's a negative zero input: we don't want functions to _create_ negative zeros, but we don't mind if they _propagate_ negative zeros. Signed-off-by: Gilles Peskine --- tests/include/test/helpers.h | 26 +++++++++++++++++----- tests/src/helpers.c | 28 ++++++++++++++++++++++-- tests/suites/test_suite_bignum.function | 17 +++++++++++--- tests/suites/test_suite_bignum.misc.data | 24 ++++++++++++++++++++ 4 files changed, 84 insertions(+), 11 deletions(-) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index e0e6fd27f..568d5e527 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -295,13 +295,19 @@ int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs, /** Read an MPI from a hexadecimal string. * - * Like mbedtls_mpi_read_string(), but size the resulting bignum based - * on the number of digits in the string. In particular, construct a - * bignum with 0 limbs for an empty string, and a bignum with leading 0 - * limbs if the string has sufficiently many leading 0 digits. + * Like mbedtls_mpi_read_string(), but with tighter guarantees around + * edge cases. * - * This is important so that the "0 (null)" and "0 (1 limb)" and - * "leading zeros" test cases do what they claim. + * - This function guarantees that if \p s begins with '-' then the sign + * bit of the result will be negative, even if the value is 0. + * When this function encounters such a "negative 0", it + * increments #mbedtls_test_read_mpi. + * - The size of the result is exactly the minimum number of limbs needed + * to fit the digits in the input. In particular, this function constructs + * a bignum with 0 limbs for an empty string, and a bignum with leading 0 + * limbs if the string has sufficiently many leading 0 digits. + * This is important so that the "0 (null)" and "0 (1 limb)" and + * "leading zeros" test cases do what they claim. * * \param[out] X The MPI object to populate. It must be initialized. * \param[in] s The null-terminated hexadecimal string to read from. @@ -309,6 +315,14 @@ int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs, * \return \c 0 on success, an \c MBEDTLS_ERR_MPI_xxx error code otherwise. */ int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s ); + +/** Nonzero if the current test case had an input parsed with + * mbedtls_test_read_mpi() that is a negative 0 (`"-"`, `"-0"`, `"-00"`, etc., + * constructing a result with the sign bit set to -1 and the value being + * all-limbs-0, which is not a valid representation in #mbedtls_mpi but is + * tested for robustness). + */ +extern unsigned mbedtls_test_case_uses_negative_0; #endif /* MBEDTLS_BIGNUM_C */ #endif /* TEST_HELPERS_H */ diff --git a/tests/src/helpers.c b/tests/src/helpers.c index cc23fd7c4..7c83714f1 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -89,6 +89,10 @@ void mbedtls_test_set_step( unsigned long step ) mbedtls_test_info.step = step; } +#if defined(MBEDTLS_BIGNUM_C) +unsigned mbedtls_test_case_uses_negative_0 = 0; +#endif + void mbedtls_test_info_reset( void ) { mbedtls_test_info.result = MBEDTLS_TEST_RESULT_SUCCESS; @@ -98,6 +102,9 @@ void mbedtls_test_info_reset( void ) mbedtls_test_info.filename = 0; memset( mbedtls_test_info.line1, 0, sizeof( mbedtls_test_info.line1 ) ); memset( mbedtls_test_info.line2, 0, sizeof( mbedtls_test_info.line2 ) ); +#if defined(MBEDTLS_BIGNUM_C) + mbedtls_test_case_uses_negative_0 = 0; +#endif } int mbedtls_test_equal( const char *test, int line_no, const char* filename, @@ -396,6 +403,15 @@ exit: int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s ) { + int negative = 0; + /* Always set the sign bit to -1 if the input has a minus sign, even for 0. + * This creates an invalid representation, which mbedtls_mpi_read_string() + * avoids but we want to be able to create that in test data. */ + if( s[0] == '-' ) + { + ++s; + negative = 1; + } /* mbedtls_mpi_read_string() currently retains leading zeros. * It always allocates at least one limb for the value 0. */ if( s[0] == 0 ) @@ -403,7 +419,15 @@ int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s ) mbedtls_mpi_free( X ); return( 0 ); } - else - return( mbedtls_mpi_read_string( X, 16, s ) ); + int ret = mbedtls_mpi_read_string( X, 16, s ); + if( ret != 0 ) + return( ret ); + if( negative ) + { + if( mbedtls_mpi_cmp_int( X, 0 ) == 0 ) + ++mbedtls_test_case_uses_negative_0; + X->s = -1; + } + return( 0 ); } #endif diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index 5c3d776f0..b75f534f4 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function @@ -13,10 +13,21 @@ * constructing the value. */ static int sign_is_valid( const mbedtls_mpi *X ) { + /* Only +1 and -1 are valid sign bits, not e.g. 0 */ if( X->s != 1 && X->s != -1 ) - return( 0 ); // invalid sign bit, e.g. 0 - if( mbedtls_mpi_bitlen( X ) == 0 && X->s != 1 ) - return( 0 ); // negative zero + return( 0 ); + + /* The value 0 must be represented with the sign +1. A "negative zero" + * with s=-1 is an invalid representation. Forbid that. As an exception, + * we sometimes test the robustness of library functions when given + * a negative zero input. If a test case has a negative zero as input, + * we don't mind if the function has a negative zero output. */ + if( ! mbedtls_test_case_uses_negative_0 && + mbedtls_mpi_bitlen( X ) == 0 && X->s != 1 ) + { + return( 0 ); + } + return( 1 ); } diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data index 0b8aa334a..818f3613b 100644 --- a/tests/suites/test_suite_bignum.misc.data +++ b/tests/suites/test_suite_bignum.misc.data @@ -1144,6 +1144,18 @@ mpi_div_mpi:"":"1":"":"":0 Test mbedtls_mpi_div_mpi: 0 (null) / -1 mpi_div_mpi:"":"-1":"":"":0 +Test mbedtls_mpi_div_mpi: -0 (null) / 1 +mpi_div_mpi:"-":"1":"":"":0 + +Test mbedtls_mpi_div_mpi: -0 (null) / -1 +mpi_div_mpi:"-":"-1":"":"":0 + +Test mbedtls_mpi_div_mpi: -0 (null) / 42 +mpi_div_mpi:"-":"2a":"":"":0 + +Test mbedtls_mpi_div_mpi: -0 (null) / -42 +mpi_div_mpi:"-":"-2a":"":"":0 + Test mbedtls_mpi_div_mpi #1 mpi_div_mpi:"9e22d6da18a33d1ef28d2a82242b3f6e9c9742f63e5d440f58a190bfaf23a7866e67589adb80":"22":"4a6abf75b13dc268ea9cc8b5b6aaf0ac85ecd437a4e0987fb13cf8d2acc57c0306c738c1583":"1a":0 @@ -1204,6 +1216,18 @@ mpi_mod_mpi:"":"1":"":0 Test mbedtls_mpi_mod_mpi: 0 (null) % -1 mpi_mod_mpi:"":"-1":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE +Test mbedtls_mpi_mod_mpi: -0 (null) % 1 +mpi_mod_mpi:"-":"1":"":0 + +Test mbedtls_mpi_mod_mpi: -0 (null) % -1 +mpi_mod_mpi:"-":"-1":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE + +Test mbedtls_mpi_mod_mpi: -0 (null) % 42 +mpi_mod_mpi:"-":"2a":"":0 + +Test mbedtls_mpi_mod_mpi: -0 (null) % -42 +mpi_mod_mpi:"-":"-2a":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE + Base test mbedtls_mpi_mod_int #1 mpi_mod_int:"3e8":"d":"c":0 From 35af02171d186b29c746e9e54c32387f75dcd30d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 15 Nov 2022 20:43:33 +0100 Subject: [PATCH 7/9] Add negative zero as an input to automatically generated tests Although negative zero is officially unsupported, we've had bugs related to it in the past. So do test functions with a negative zero input. There will likely be cases where we don't want to accept negative zero as if it was valid, because it's too hard to handle. We'll add exceptions on a case by case basis. For the functions that are currently tested by the generated tests, the new test cases pass. Signed-off-by: Gilles Peskine --- scripts/mbedtls_dev/bignum_common.py | 8 +++++++- tests/scripts/generate_bignum_tests.py | 28 +++++++++++++++++++++++--- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index c2891fc61..1eb4ca7df 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -38,7 +38,13 @@ def invmod(a: int, n: int) -> int: raise ValueError("Not invertible") def hex_to_int(val: str) -> int: - return int(val, 16) if val else 0 + """Implement the syntax accepted by mbedtls_test_read_mpi(). + + This is a superset of what is accepted by mbedtls_test_read_mpi_core(). + """ + if val == '' or val == '-': + return 0 + return int(val, 16) def quote_str(val) -> str: return "\"{}\"".format(val) diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py index a105203b0..f1b24409e 100755 --- a/tests/scripts/generate_bignum_tests.py +++ b/tests/scripts/generate_bignum_tests.py @@ -78,11 +78,16 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC #pylint: disable=abstract-method """Common features for bignum operations in legacy tests.""" input_values = [ - "", "0", "7b", "-7b", + "", "0", "-", "-0", + "7b", "-7b", "0000000000000000123", "-0000000000000000123", "1230000000000000000", "-1230000000000000000" ] + def description_suffix(self) -> str: + """Text to add at the end of the test case description.""" + return "" + def description(self) -> str: """Generate a description for the test case. @@ -96,6 +101,9 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC self.symbol, self.value_description(self.arg_b) ) + description_suffix = self.description_suffix() + if description_suffix: + self.case_description += " " + description_suffix return super().description() @staticmethod @@ -107,6 +115,8 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC """ if val == "": return "0 (null)" + if val == "-": + return "negative 0 (null)" if val == "0": return "0 (1 limb)" @@ -171,9 +181,21 @@ class BignumAdd(BignumOperation): ] ) - def result(self) -> List[str]: - return [bignum_common.quote_str("{:x}").format(self.int_a + self.int_b)] + def __init__(self, val_a: str, val_b: str) -> None: + super().__init__(val_a, val_b) + self._result = self.int_a + self.int_b + def description_suffix(self) -> str: + if (self.int_a >= 0 and self.int_b >= 0): + return "" # obviously positive result or 0 + if (self.int_a <= 0 and self.int_b <= 0): + return "" # obviously negative result or 0 + # The sign of the result is not obvious, so indicate it + return ", result{}0".format('>' if self._result > 0 else + '<' if self._result < 0 else '=') + + def result(self) -> List[str]: + return [bignum_common.quote_str("{:x}".format(self._result))] if __name__ == '__main__': # Use the section of the docstring relevant to the CLI as description From b9b9026c531e0f6c6df02a1025cdabc48cfa0e99 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 10 Nov 2022 09:15:21 +0100 Subject: [PATCH 8/9] Pacify pylint Signed-off-by: Gilles Peskine --- scripts/mbedtls_dev/bignum_common.py | 5 +---- tests/scripts/generate_bignum_tests.py | 1 + 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 1eb4ca7df..8b11bc283 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -14,9 +14,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -import itertools -import typing - from abc import abstractmethod from typing import Iterator, List, Tuple, TypeVar @@ -42,7 +39,7 @@ def hex_to_int(val: str) -> int: This is a superset of what is accepted by mbedtls_test_read_mpi_core(). """ - if val == '' or val == '-': + if val in ['', '-']: return 0 return int(val, 16) diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py index f1b24409e..eee2f657a 100755 --- a/tests/scripts/generate_bignum_tests.py +++ b/tests/scripts/generate_bignum_tests.py @@ -85,6 +85,7 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC ] def description_suffix(self) -> str: + #pylint: disable=no-self-use # derived classes need self """Text to add at the end of the test case description.""" return "" From 23875ceb112cc2dd66b034a76f7357c641987338 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 11 Nov 2022 15:59:51 +0100 Subject: [PATCH 9/9] Fix autocucumber in documentation Signed-off-by: Gilles Peskine --- tests/include/test/helpers.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 568d5e527..5f9bde697 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -301,7 +301,7 @@ int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs, * - This function guarantees that if \p s begins with '-' then the sign * bit of the result will be negative, even if the value is 0. * When this function encounters such a "negative 0", it - * increments #mbedtls_test_read_mpi. + * increments #mbedtls_test_case_uses_negative_0. * - The size of the result is exactly the minimum number of limbs needed * to fit the digits in the input. In particular, this function constructs * a bignum with 0 limbs for an empty string, and a bignum with leading 0