2015-03-26 03:49:37 +00:00
|
|
|
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* This package is an SSL implementation written
|
|
|
|
* by Eric Young (eay@cryptsoft.com).
|
|
|
|
* The implementation was written so as to conform with Netscapes SSL.
|
|
|
|
*
|
|
|
|
* This library is free for commercial and non-commercial use as long as
|
|
|
|
* the following conditions are aheared to. The following conditions
|
|
|
|
* apply to all code found in this distribution, be it the RC4, RSA,
|
|
|
|
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
|
|
|
* included with this distribution is covered by the same copyright terms
|
|
|
|
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
|
|
|
*
|
|
|
|
* Copyright remains Eric Young's, and as such any Copyright notices in
|
|
|
|
* the code are not to be removed.
|
|
|
|
* If this package is used in a product, Eric Young should be given attribution
|
|
|
|
* as the author of the parts of the library used.
|
|
|
|
* This can be in the form of a textual message at program startup or
|
|
|
|
* in documentation (online or textual) provided with the package.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
|
|
* must display the following acknowledgement:
|
|
|
|
* "This product includes cryptographic software written by
|
|
|
|
* Eric Young (eay@cryptsoft.com)"
|
|
|
|
* The word 'cryptographic' can be left out if the rouines from the library
|
|
|
|
* being used are not cryptographic related :-).
|
|
|
|
* 4. If you include any Windows specific code (or a derivative thereof) from
|
|
|
|
* the apps directory (application code) you must include an acknowledgement:
|
|
|
|
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*
|
|
|
|
* The licence and distribution terms for any publically available version or
|
|
|
|
* derivative of this code cannot be changed. i.e. this code cannot simply be
|
|
|
|
* copied and put under another distribution licence
|
|
|
|
* [including the GNU Public Licence.]
|
|
|
|
*/
|
|
|
|
/* ====================================================================
|
|
|
|
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
|
|
|
|
*
|
|
|
|
* Portions of the attached software ("Contribution") are developed by
|
|
|
|
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
|
|
|
|
*
|
|
|
|
* The Contribution is licensed pursuant to the Eric Young open source
|
|
|
|
* license provided above.
|
|
|
|
*
|
|
|
|
* The binary polynomial arithmetic software is originally written by
|
|
|
|
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
|
|
|
|
* Laboratories. */
|
|
|
|
|
2016-06-26 22:58:55 +01:00
|
|
|
#include <assert.h>
|
2015-05-27 19:51:51 +01:00
|
|
|
#include <errno.h>
|
2016-06-26 21:56:29 +01:00
|
|
|
#include <limits.h>
|
2015-03-26 03:49:37 +00:00
|
|
|
#include <stdio.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
2015-11-11 22:01:27 +00:00
|
|
|
#include <utility>
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
#include <gtest/gtest.h>
|
|
|
|
|
2018-01-25 23:02:45 +00:00
|
|
|
#include <openssl/bio.h>
|
2015-03-26 03:49:37 +00:00
|
|
|
#include <openssl/bn.h>
|
2016-08-18 04:10:28 +01:00
|
|
|
#include <openssl/bytestring.h>
|
2015-03-26 03:49:37 +00:00
|
|
|
#include <openssl/crypto.h>
|
|
|
|
#include <openssl/err.h>
|
|
|
|
#include <openssl/mem.h>
|
Make BN_num_bits_word constant-time.
(The BN_num_bits_word implementation was originally written by Andy
Polyakov for OpenSSL. See also
https://github.com/openssl/openssl/pull/5154.)
BN_num_bits, by way of BN_num_bits_word, currently leaks the
most-significant word of its argument via branching and memory access
pattern.
BN_num_bits is called on RSA prime factors in various places. These have
public bit lengths, but all bits beyond the high bit are secret. This
fully resolves those cases.
There are a few places where BN_num_bits is called on an input where
the bit length is also secret. The two left in BoringSSL are:
- BN_mod_exp_mont_consttime calls it on the RSA private exponent.
- The timing "fix" to add the order to k in DSA.
This does *not* fully resolve those cases as we still only look at the
top word. Today, that is guaranteed to be non-zero, but only because of
the long-standing bn_correct_top timing leak. Once that is fixed (I hope
to have patches soon), a constant-time BN_num_bits on such inputs must
count bits on each word.
Instead, those cases should not call BN_num_bits at all. The former uses
the bit width to pick windows, but it should be using the maximum bit
width. The next patch will fix this. The latter is the same "fix" we
excised from ECDSA in a838f9dc7e6cc091237f0acbbe4953104104e815. That
should be excised from DSA after the bn_correct_top bug is fixed.
Thanks to Dinghao Wu, Danfeng Zhang, Shuai Wang, Pei Wang, and Xiao Liu
for reporting this issue.
Change-Id: Idc3da518cc5ec18bd8688b95f959b15300a57c14
Reviewed-on: https://boringssl-review.googlesource.com/25184
Reviewed-by: Adam Langley <agl@google.com>
2018-01-22 15:44:50 +00:00
|
|
|
#include <openssl/rand.h>
|
2015-03-26 03:49:37 +00:00
|
|
|
|
2017-11-09 17:31:03 +00:00
|
|
|
#include "./internal.h"
|
2019-01-26 20:57:51 +00:00
|
|
|
#include "./rsaz_exp.h"
|
2017-04-28 22:47:06 +01:00
|
|
|
#include "../../internal.h"
|
2018-12-31 20:44:33 +00:00
|
|
|
#include "../../test/abi_test.h"
|
2017-04-28 22:47:06 +01:00
|
|
|
#include "../../test/file_test.h"
|
|
|
|
#include "../../test/test_util.h"
|
2015-03-26 03:49:37 +00:00
|
|
|
|
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
static int HexToBIGNUM(bssl::UniquePtr<BIGNUM> *out, const char *in) {
|
2015-12-03 16:04:24 +00:00
|
|
|
BIGNUM *raw = NULL;
|
|
|
|
int ret = BN_hex2bn(&raw, in);
|
|
|
|
out->reset(raw);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
// A BIGNUMFileTest wraps a FileTest to give |BIGNUM| values and also allows
|
|
|
|
// injecting oversized |BIGNUM|s.
|
|
|
|
class BIGNUMFileTest {
|
|
|
|
public:
|
|
|
|
BIGNUMFileTest(FileTest *t, unsigned large_mask)
|
|
|
|
: t_(t), large_mask_(large_mask), num_bignums_(0) {}
|
2015-03-26 03:49:37 +00:00
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
unsigned num_bignums() const { return num_bignums_; }
|
|
|
|
|
|
|
|
bssl::UniquePtr<BIGNUM> GetBIGNUM(const char *attribute) {
|
|
|
|
return GetBIGNUMImpl(attribute, true /* resize */);
|
2015-03-26 03:49:37 +00:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
bool GetInt(int *out, const char *attribute) {
|
|
|
|
bssl::UniquePtr<BIGNUM> ret =
|
|
|
|
GetBIGNUMImpl(attribute, false /* don't resize */);
|
|
|
|
if (!ret) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
BN_ULONG word = BN_get_word(ret.get());
|
|
|
|
if (word > INT_MAX) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
*out = static_cast<int>(word);
|
|
|
|
return true;
|
2016-06-26 21:56:29 +01:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
private:
|
|
|
|
bssl::UniquePtr<BIGNUM> GetBIGNUMImpl(const char *attribute, bool resize) {
|
|
|
|
std::string hex;
|
|
|
|
if (!t_->GetAttribute(&hex, attribute)) {
|
|
|
|
return nullptr;
|
|
|
|
}
|
|
|
|
|
|
|
|
bssl::UniquePtr<BIGNUM> ret;
|
|
|
|
if (HexToBIGNUM(&ret, hex.c_str()) != static_cast<int>(hex.size())) {
|
|
|
|
t_->PrintLine("Could not decode '%s'.", hex.c_str());
|
|
|
|
return nullptr;
|
|
|
|
}
|
|
|
|
if (resize) {
|
|
|
|
// Test with an oversized |BIGNUM| if necessary.
|
|
|
|
if ((large_mask_ & (1 << num_bignums_)) &&
|
2018-01-15 10:23:24 +00:00
|
|
|
!bn_resize_words(ret.get(), ret->width * 2 + 1)) {
|
2018-01-23 23:51:42 +00:00
|
|
|
return nullptr;
|
|
|
|
}
|
|
|
|
num_bignums_++;
|
|
|
|
}
|
|
|
|
return ret;
|
2016-06-26 21:56:29 +01:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
FileTest *t_;
|
|
|
|
unsigned large_mask_;
|
|
|
|
unsigned num_bignums_;
|
|
|
|
};
|
2016-06-26 21:56:29 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
static testing::AssertionResult AssertBIGNUMSEqual(
|
|
|
|
const char *operation_expr, const char *expected_expr,
|
|
|
|
const char *actual_expr, const char *operation, const BIGNUM *expected,
|
|
|
|
const BIGNUM *actual) {
|
2016-06-26 20:03:41 +01:00
|
|
|
if (BN_cmp(expected, actual) == 0) {
|
2017-06-04 20:37:23 +01:00
|
|
|
return testing::AssertionSuccess();
|
2016-06-26 20:03:41 +01:00
|
|
|
}
|
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<char> expected_str(BN_bn2hex(expected));
|
|
|
|
bssl::UniquePtr<char> actual_str(BN_bn2hex(actual));
|
2016-06-26 20:03:41 +01:00
|
|
|
if (!expected_str || !actual_str) {
|
2017-06-04 20:37:23 +01:00
|
|
|
return testing::AssertionFailure() << "Error converting BIGNUMs to hex";
|
2015-03-26 03:49:37 +00:00
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
return testing::AssertionFailure()
|
|
|
|
<< "Wrong value for " << operation
|
|
|
|
<< "\nActual: " << actual_str.get() << " (" << actual_expr
|
|
|
|
<< ")\nExpected: " << expected_str.get() << " (" << expected_expr
|
|
|
|
<< ")";
|
2016-06-26 20:03:41 +01:00
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
#define EXPECT_BIGNUMS_EQUAL(op, a, b) \
|
|
|
|
EXPECT_PRED_FORMAT3(AssertBIGNUMSEqual, op, a, b)
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestSum(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> b = t->GetBIGNUM("B");
|
|
|
|
bssl::UniquePtr<BIGNUM> sum = t->GetBIGNUM("Sum");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(b);
|
|
|
|
ASSERT_TRUE(sum);
|
2016-06-26 20:03:41 +01:00
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(BN_add(ret.get(), a.get(), b.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A + B", sum.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_sub(ret.get(), sum.get(), a.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum - A", b.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_sub(ret.get(), sum.get(), b.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum - B", a.get(), ret.get());
|
2016-06-26 20:03:41 +01:00
|
|
|
|
2016-07-02 00:36:06 +01:00
|
|
|
// Test that the functions work when |r| and |a| point to the same |BIGNUM|,
|
|
|
|
// or when |r| and |b| point to the same |BIGNUM|. TODO: Test the case where
|
|
|
|
// all of |r|, |a|, and |b| point to the same |BIGNUM|.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), a.get()));
|
|
|
|
ASSERT_TRUE(BN_add(ret.get(), ret.get(), b.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A + B (r is a)", sum.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), b.get()));
|
|
|
|
ASSERT_TRUE(BN_add(ret.get(), a.get(), ret.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A + B (r is b)", sum.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), sum.get()));
|
|
|
|
ASSERT_TRUE(BN_sub(ret.get(), ret.get(), a.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum - A (r is a)", b.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), a.get()));
|
|
|
|
ASSERT_TRUE(BN_sub(ret.get(), sum.get(), ret.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum - A (r is b)", b.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), sum.get()));
|
|
|
|
ASSERT_TRUE(BN_sub(ret.get(), ret.get(), b.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum - B (r is a)", a.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), b.get()));
|
|
|
|
ASSERT_TRUE(BN_sub(ret.get(), sum.get(), ret.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum - B (r is b)", a.get(), ret.get());
|
2016-07-02 00:36:06 +01:00
|
|
|
|
2016-07-02 01:12:40 +01:00
|
|
|
// Test |BN_uadd| and |BN_usub| with the prerequisites they are documented as
|
|
|
|
// having. Note that these functions are frequently used when the
|
|
|
|
// prerequisites don't hold. In those cases, they are supposed to work as if
|
|
|
|
// the prerequisite hold, but we don't test that yet. TODO: test that.
|
2018-03-04 05:38:00 +00:00
|
|
|
if (!BN_is_negative(a.get()) && !BN_is_negative(b.get())) {
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_uadd(ret.get(), a.get(), b.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A +u B", sum.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_usub(ret.get(), sum.get(), a.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum -u A", b.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_usub(ret.get(), sum.get(), b.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum -u B", a.get(), ret.get());
|
2016-07-02 01:12:40 +01:00
|
|
|
|
|
|
|
// Test that the functions work when |r| and |a| point to the same |BIGNUM|,
|
|
|
|
// or when |r| and |b| point to the same |BIGNUM|. TODO: Test the case where
|
|
|
|
// all of |r|, |a|, and |b| point to the same |BIGNUM|.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), a.get()));
|
|
|
|
ASSERT_TRUE(BN_uadd(ret.get(), ret.get(), b.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A +u B (r is a)", sum.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), b.get()));
|
|
|
|
ASSERT_TRUE(BN_uadd(ret.get(), a.get(), ret.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A +u B (r is b)", sum.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), sum.get()));
|
|
|
|
ASSERT_TRUE(BN_usub(ret.get(), ret.get(), a.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum -u A (r is a)", b.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), a.get()));
|
|
|
|
ASSERT_TRUE(BN_usub(ret.get(), sum.get(), ret.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum -u A (r is b)", b.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), sum.get()));
|
|
|
|
ASSERT_TRUE(BN_usub(ret.get(), ret.get(), b.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum -u B (r is a)", a.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), b.get()));
|
|
|
|
ASSERT_TRUE(BN_usub(ret.get(), sum.get(), ret.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum -u B (r is b)", a.get(), ret.get());
|
2018-03-04 05:38:00 +00:00
|
|
|
|
|
|
|
ASSERT_TRUE(bn_abs_sub_consttime(ret.get(), sum.get(), a.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("|Sum - A|", b.get(), ret.get());
|
|
|
|
ASSERT_TRUE(bn_abs_sub_consttime(ret.get(), a.get(), sum.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("|A - Sum|", b.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(bn_abs_sub_consttime(ret.get(), sum.get(), b.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("|Sum - B|", a.get(), ret.get());
|
|
|
|
ASSERT_TRUE(bn_abs_sub_consttime(ret.get(), b.get(), sum.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("|B - Sum|", a.get(), ret.get());
|
2016-07-02 01:12:40 +01:00
|
|
|
}
|
|
|
|
|
2016-07-01 22:46:21 +01:00
|
|
|
// Test with |BN_add_word| and |BN_sub_word| if |b| is small enough.
|
|
|
|
BN_ULONG b_word = BN_get_word(b.get());
|
|
|
|
if (!BN_is_negative(b.get()) && b_word != (BN_ULONG)-1) {
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), a.get()));
|
|
|
|
ASSERT_TRUE(BN_add_word(ret.get(), b_word));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A + B (word)", sum.get(), ret.get());
|
2016-07-01 22:46:21 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), sum.get()));
|
|
|
|
ASSERT_TRUE(BN_sub_word(ret.get(), b_word));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Sum - B (word)", a.get(), ret.get());
|
|
|
|
}
|
2015-03-26 03:49:37 +00:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestLShift1(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> lshift1 = t->GetBIGNUM("LShift1");
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> zero(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(lshift1);
|
|
|
|
ASSERT_TRUE(zero);
|
2016-06-26 20:18:28 +01:00
|
|
|
|
2016-06-26 22:12:23 +01:00
|
|
|
BN_zero(zero.get());
|
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new()), two(BN_new()), remainder(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(two);
|
|
|
|
ASSERT_TRUE(remainder);
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_set_word(two.get(), 2));
|
|
|
|
ASSERT_TRUE(BN_add(ret.get(), a.get(), a.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A + A", lshift1.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_mul(ret.get(), a.get(), two.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A * 2", lshift1.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_div(ret.get(), remainder.get(), lshift1.get(), two.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("LShift1 / 2", a.get(), ret.get());
|
|
|
|
EXPECT_BIGNUMS_EQUAL("LShift1 % 2", zero.get(), remainder.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_lshift1(ret.get(), a.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A << 1", lshift1.get(), ret.get());
|
|
|
|
|
2018-02-04 03:39:35 +00:00
|
|
|
ASSERT_TRUE(BN_lshift(ret.get(), a.get(), 1));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A << 1 (variable shift)", lshift1.get(), ret.get());
|
2017-06-04 20:37:23 +01:00
|
|
|
|
|
|
|
ASSERT_TRUE(BN_rshift1(ret.get(), lshift1.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("LShift >> 1", a.get(), ret.get());
|
2016-06-26 20:18:28 +01:00
|
|
|
|
2018-02-04 03:39:35 +00:00
|
|
|
ASSERT_TRUE(BN_rshift(ret.get(), lshift1.get(), 1));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("LShift >> 1 (variable shift)", a.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(bn_rshift_secret_shift(ret.get(), lshift1.get(), 1, ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("LShift >> 1 (secret shift)", a.get(), ret.get());
|
|
|
|
|
2016-06-26 20:18:28 +01:00
|
|
|
// Set the LSB to 1 and test rshift1 again.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_set_bit(lshift1.get(), 0));
|
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_div(ret.get(), nullptr /* rem */, lshift1.get(), two.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("(LShift1 | 1) / 2", a.get(), ret.get());
|
2016-06-26 20:18:28 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_rshift1(ret.get(), lshift1.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("(LShift | 1) >> 1", a.get(), ret.get());
|
2018-02-04 03:39:35 +00:00
|
|
|
|
|
|
|
ASSERT_TRUE(BN_rshift(ret.get(), lshift1.get(), 1));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("(LShift | 1) >> 1 (variable shift)", a.get(),
|
|
|
|
ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(bn_rshift_secret_shift(ret.get(), lshift1.get(), 1, ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("(LShift | 1) >> 1 (secret shift)", a.get(), ret.get());
|
2016-06-26 20:18:28 +01:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestLShift(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> lshift = t->GetBIGNUM("LShift");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(lshift);
|
2016-06-27 23:57:57 +01:00
|
|
|
int n = 0;
|
2018-01-23 23:51:42 +00:00
|
|
|
ASSERT_TRUE(t->GetInt(&n, "N"));
|
2016-06-26 21:56:29 +01:00
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(BN_lshift(ret.get(), a.get(), n));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A << N", lshift.get(), ret.get());
|
2016-06-26 21:56:29 +01:00
|
|
|
|
2018-03-04 07:51:04 +00:00
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), a.get()));
|
|
|
|
ASSERT_TRUE(BN_lshift(ret.get(), ret.get(), n));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A << N (in-place)", lshift.get(), ret.get());
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_rshift(ret.get(), lshift.get(), n));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A >> N", a.get(), ret.get());
|
2018-02-04 03:39:35 +00:00
|
|
|
|
|
|
|
ASSERT_TRUE(bn_rshift_secret_shift(ret.get(), lshift.get(), n, ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A >> N (secret shift)", a.get(), ret.get());
|
2016-06-26 21:56:29 +01:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestRShift(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> rshift = t->GetBIGNUM("RShift");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(rshift);
|
2016-06-27 23:57:57 +01:00
|
|
|
int n = 0;
|
2018-01-23 23:51:42 +00:00
|
|
|
ASSERT_TRUE(t->GetInt(&n, "N"));
|
2016-06-26 21:56:29 +01:00
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(BN_rshift(ret.get(), a.get(), n));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A >> N", rshift.get(), ret.get());
|
2018-02-04 03:39:35 +00:00
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), a.get()));
|
|
|
|
ASSERT_TRUE(BN_rshift(ret.get(), ret.get(), n));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A >> N (in-place)", rshift.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(bn_rshift_secret_shift(ret.get(), a.get(), n, ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A >> N (secret shift)", rshift.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), a.get()));
|
|
|
|
ASSERT_TRUE(bn_rshift_secret_shift(ret.get(), ret.get(), n, ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A >> N (in-place secret shift)", rshift.get(),
|
|
|
|
ret.get());
|
2016-06-26 21:56:29 +01:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestSquare(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> square = t->GetBIGNUM("Square");
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> zero(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(square);
|
|
|
|
ASSERT_TRUE(zero);
|
2016-06-26 22:12:23 +01:00
|
|
|
|
|
|
|
BN_zero(zero.get());
|
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new()), remainder(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(remainder);
|
|
|
|
ASSERT_TRUE(BN_sqr(ret.get(), a.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A^2", square.get(), ret.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_mul(ret.get(), a.get(), a.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A * A", square.get(), ret.get());
|
|
|
|
|
2017-11-12 03:41:17 +00:00
|
|
|
if (!BN_is_zero(a.get())) {
|
|
|
|
ASSERT_TRUE(BN_div(ret.get(), remainder.get(), square.get(), a.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Square / A", a.get(), ret.get());
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Square % A", zero.get(), remainder.get());
|
|
|
|
}
|
2016-06-26 22:12:23 +01:00
|
|
|
|
|
|
|
BN_set_negative(a.get(), 0);
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_sqrt(ret.get(), square.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("sqrt(Square)", a.get(), ret.get());
|
2016-06-26 22:12:23 +01:00
|
|
|
|
2016-07-03 01:48:45 +01:00
|
|
|
// BN_sqrt should fail on non-squares and negative numbers.
|
|
|
|
if (!BN_is_zero(square.get())) {
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> tmp(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(tmp);
|
|
|
|
ASSERT_TRUE(BN_copy(tmp.get(), square.get()));
|
2016-07-03 01:48:45 +01:00
|
|
|
BN_set_negative(tmp.get(), 1);
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_sqrt(ret.get(), tmp.get(), ctx))
|
|
|
|
<< "BN_sqrt succeeded on a negative number";
|
2016-07-03 01:48:45 +01:00
|
|
|
ERR_clear_error();
|
|
|
|
|
|
|
|
BN_set_negative(tmp.get(), 0);
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_add(tmp.get(), tmp.get(), BN_value_one()));
|
|
|
|
EXPECT_FALSE(BN_sqrt(ret.get(), tmp.get(), ctx))
|
|
|
|
<< "BN_sqrt succeeded on a non-square";
|
2016-07-03 01:48:45 +01:00
|
|
|
ERR_clear_error();
|
|
|
|
}
|
2017-11-12 03:41:17 +00:00
|
|
|
|
|
|
|
#if !defined(BORINGSSL_SHARED_LIBRARY)
|
2018-01-20 21:51:54 +00:00
|
|
|
int a_width = bn_minimal_width(a.get());
|
|
|
|
if (a_width <= BN_SMALL_MAX_WORDS) {
|
|
|
|
for (size_t num_a = a_width; num_a <= BN_SMALL_MAX_WORDS; num_a++) {
|
2017-11-12 03:41:17 +00:00
|
|
|
SCOPED_TRACE(num_a);
|
|
|
|
size_t num_r = 2 * num_a;
|
|
|
|
// Use newly-allocated buffers so ASan will catch out-of-bounds writes.
|
|
|
|
std::unique_ptr<BN_ULONG[]> a_words(new BN_ULONG[num_a]),
|
|
|
|
r_words(new BN_ULONG[num_r]);
|
2018-01-20 21:51:54 +00:00
|
|
|
ASSERT_TRUE(bn_copy_words(a_words.get(), num_a, a.get()));
|
2017-11-12 03:41:17 +00:00
|
|
|
|
2018-04-04 04:35:52 +01:00
|
|
|
bn_mul_small(r_words.get(), num_r, a_words.get(), num_a, a_words.get(),
|
|
|
|
num_a);
|
2017-11-12 03:41:17 +00:00
|
|
|
ASSERT_TRUE(bn_set_words(ret.get(), r_words.get(), num_r));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A * A (words)", square.get(), ret.get());
|
|
|
|
|
|
|
|
OPENSSL_memset(r_words.get(), 'A', num_r * sizeof(BN_ULONG));
|
2018-04-04 04:35:52 +01:00
|
|
|
bn_sqr_small(r_words.get(), num_r, a_words.get(), num_a);
|
2017-11-12 03:41:17 +00:00
|
|
|
|
|
|
|
ASSERT_TRUE(bn_set_words(ret.get(), r_words.get(), num_r));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A^2 (words)", square.get(), ret.get());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
2016-06-26 22:12:23 +01:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestProduct(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> b = t->GetBIGNUM("B");
|
|
|
|
bssl::UniquePtr<BIGNUM> product = t->GetBIGNUM("Product");
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> zero(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(b);
|
|
|
|
ASSERT_TRUE(product);
|
|
|
|
ASSERT_TRUE(zero);
|
2016-06-26 22:28:55 +01:00
|
|
|
|
|
|
|
BN_zero(zero.get());
|
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new()), remainder(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(remainder);
|
|
|
|
ASSERT_TRUE(BN_mul(ret.get(), a.get(), b.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A * B", product.get(), ret.get());
|
|
|
|
|
2017-11-12 03:41:17 +00:00
|
|
|
if (!BN_is_zero(a.get())) {
|
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_div(ret.get(), remainder.get(), product.get(), a.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Product / A", b.get(), ret.get());
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Product % A", zero.get(), remainder.get());
|
|
|
|
}
|
2017-06-04 20:37:23 +01:00
|
|
|
|
2017-11-12 03:41:17 +00:00
|
|
|
if (!BN_is_zero(b.get())) {
|
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_div(ret.get(), remainder.get(), product.get(), b.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Product / B", a.get(), ret.get());
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Product % B", zero.get(), remainder.get());
|
|
|
|
}
|
|
|
|
|
|
|
|
#if !defined(BORINGSSL_SHARED_LIBRARY)
|
2018-01-20 21:51:54 +00:00
|
|
|
BN_set_negative(a.get(), 0);
|
|
|
|
BN_set_negative(b.get(), 0);
|
|
|
|
BN_set_negative(product.get(), 0);
|
|
|
|
|
|
|
|
int a_width = bn_minimal_width(a.get());
|
|
|
|
int b_width = bn_minimal_width(b.get());
|
|
|
|
if (a_width <= BN_SMALL_MAX_WORDS && b_width <= BN_SMALL_MAX_WORDS) {
|
|
|
|
for (size_t num_a = static_cast<size_t>(a_width);
|
|
|
|
num_a <= BN_SMALL_MAX_WORDS; num_a++) {
|
2017-11-12 03:41:17 +00:00
|
|
|
SCOPED_TRACE(num_a);
|
2018-01-20 21:51:54 +00:00
|
|
|
for (size_t num_b = static_cast<size_t>(b_width);
|
|
|
|
num_b <= BN_SMALL_MAX_WORDS; num_b++) {
|
2017-11-12 03:41:17 +00:00
|
|
|
SCOPED_TRACE(num_b);
|
|
|
|
size_t num_r = num_a + num_b;
|
|
|
|
// Use newly-allocated buffers so ASan will catch out-of-bounds writes.
|
|
|
|
std::unique_ptr<BN_ULONG[]> a_words(new BN_ULONG[num_a]),
|
|
|
|
b_words(new BN_ULONG[num_b]), r_words(new BN_ULONG[num_r]);
|
2018-01-20 21:51:54 +00:00
|
|
|
ASSERT_TRUE(bn_copy_words(a_words.get(), num_a, a.get()));
|
|
|
|
ASSERT_TRUE(bn_copy_words(b_words.get(), num_b, b.get()));
|
2017-11-12 03:41:17 +00:00
|
|
|
|
2018-04-04 04:35:52 +01:00
|
|
|
bn_mul_small(r_words.get(), num_r, a_words.get(), num_a, b_words.get(),
|
|
|
|
num_b);
|
2017-11-12 03:41:17 +00:00
|
|
|
ASSERT_TRUE(bn_set_words(ret.get(), r_words.get(), num_r));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A * B (words)", product.get(), ret.get());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
2016-06-26 22:28:55 +01:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestQuotient(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> b = t->GetBIGNUM("B");
|
|
|
|
bssl::UniquePtr<BIGNUM> quotient = t->GetBIGNUM("Quotient");
|
|
|
|
bssl::UniquePtr<BIGNUM> remainder = t->GetBIGNUM("Remainder");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(b);
|
|
|
|
ASSERT_TRUE(quotient);
|
|
|
|
ASSERT_TRUE(remainder);
|
2016-06-26 22:58:55 +01:00
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new()), ret2(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(ret2);
|
|
|
|
ASSERT_TRUE(BN_div(ret.get(), ret2.get(), a.get(), b.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A / B", quotient.get(), ret.get());
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A % B", remainder.get(), ret2.get());
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_mul(ret.get(), quotient.get(), b.get(), ctx));
|
|
|
|
ASSERT_TRUE(BN_add(ret.get(), ret.get(), remainder.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("Quotient * B + Remainder", a.get(), ret.get());
|
2016-06-26 22:58:55 +01:00
|
|
|
|
2018-03-04 07:51:04 +00:00
|
|
|
// The remaining division variants only handle a positive quotient.
|
|
|
|
if (BN_is_negative(b.get())) {
|
|
|
|
BN_set_negative(b.get(), 0);
|
|
|
|
BN_set_negative(quotient.get(), !BN_is_negative(quotient.get()));
|
|
|
|
}
|
|
|
|
|
|
|
|
bssl::UniquePtr<BIGNUM> nnmod(BN_new());
|
|
|
|
ASSERT_TRUE(nnmod);
|
|
|
|
ASSERT_TRUE(BN_copy(nnmod.get(), remainder.get()));
|
|
|
|
if (BN_is_negative(nnmod.get())) {
|
|
|
|
ASSERT_TRUE(BN_add(nnmod.get(), nnmod.get(), b.get()));
|
|
|
|
}
|
|
|
|
ASSERT_TRUE(BN_nnmod(ret.get(), a.get(), b.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A % B (non-negative)", nnmod.get(), ret.get());
|
|
|
|
|
|
|
|
// The remaining division variants only handle a positive numerator.
|
|
|
|
if (BN_is_negative(a.get())) {
|
|
|
|
BN_set_negative(a.get(), 0);
|
|
|
|
BN_set_negative(quotient.get(), 0);
|
|
|
|
BN_set_negative(remainder.get(), 0);
|
|
|
|
}
|
|
|
|
|
2016-06-26 22:58:55 +01:00
|
|
|
// Test with |BN_mod_word| and |BN_div_word| if the divisor is small enough.
|
|
|
|
BN_ULONG b_word = BN_get_word(b.get());
|
2018-03-04 07:51:04 +00:00
|
|
|
if (b_word != (BN_ULONG)-1) {
|
2016-06-26 22:58:55 +01:00
|
|
|
BN_ULONG remainder_word = BN_get_word(remainder.get());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_NE(remainder_word, (BN_ULONG)-1);
|
|
|
|
ASSERT_TRUE(BN_copy(ret.get(), a.get()));
|
2016-06-26 22:58:55 +01:00
|
|
|
BN_ULONG ret_word = BN_div_word(ret.get(), b_word);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_EQ(remainder_word, ret_word);
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A / B (word)", quotient.get(), ret.get());
|
2016-06-26 22:58:55 +01:00
|
|
|
|
|
|
|
ret_word = BN_mod_word(a.get(), b_word);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_EQ(remainder_word, ret_word);
|
2018-02-04 01:32:44 +00:00
|
|
|
|
|
|
|
if (b_word <= 0xffff) {
|
|
|
|
EXPECT_EQ(remainder_word, bn_mod_u16_consttime(a.get(), b_word));
|
|
|
|
}
|
2016-06-26 22:58:55 +01:00
|
|
|
}
|
|
|
|
|
2018-03-04 07:51:04 +00:00
|
|
|
ASSERT_TRUE(bn_div_consttime(ret.get(), ret2.get(), a.get(), b.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A / B (constant-time)", quotient.get(), ret.get());
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A % B (constant-time)", remainder.get(), ret2.get());
|
2016-06-26 22:58:55 +01:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestModMul(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> b = t->GetBIGNUM("B");
|
|
|
|
bssl::UniquePtr<BIGNUM> m = t->GetBIGNUM("M");
|
|
|
|
bssl::UniquePtr<BIGNUM> mod_mul = t->GetBIGNUM("ModMul");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(b);
|
|
|
|
ASSERT_TRUE(m);
|
|
|
|
ASSERT_TRUE(mod_mul);
|
2016-07-03 01:33:07 +01:00
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(BN_mod_mul(ret.get(), a.get(), b.get(), m.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A * B (mod M)", mod_mul.get(), ret.get());
|
2016-07-03 01:33:07 +01:00
|
|
|
|
|
|
|
if (BN_is_odd(m.get())) {
|
|
|
|
// Reduce |a| and |b| and test the Montgomery version.
|
2018-01-23 22:03:26 +00:00
|
|
|
bssl::UniquePtr<BN_MONT_CTX> mont(
|
|
|
|
BN_MONT_CTX_new_for_modulus(m.get(), ctx));
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(mont);
|
Restore the BN_mod codepath for public Montgomery moduli.
https://boringssl-review.googlesource.com/10520 and then later
https://boringssl-review.googlesource.com/25285 made BN_MONT_CTX_set
constant-time, which is necessary for RSA's mont_p and mont_q. However,
due to a typo in the benchmark, they did not correctly measure.
Split BN_MONT_CTX creation into a constant-time and variable-time one.
The constant-time one uses our current algorithm and the latter restores
the original BN_mod codepath.
Should we wish to avoid BN_mod, I have an alternate version lying
around:
First, BN_set_bit + bn_mod_lshift1_consttime as now to count up to 2*R.
Next, observe that 2*R = BN_to_montgomery(2) and R*R =
BN_to_montgomery(R) = BN_to_montgomery(2^r_bits) Also observe that
BN_mod_mul_montgomery only needs n0, not RR. Split the core of
BN_mod_exp_mont into its own function so the caller handles conversion.
Raise 2*R to the r_bits power to get 2^r_bits*R = R*R.
The advantage of that algorithm is that it is still constant-time, so we
only need one BN_MONT_CTX_new. Additionally, it avoids BN_mod which is
otherwise (almost, but the remaining links should be easy to cut) out of
the critical path for correctness. One less operation to worry about.
The disadvantage is that it is gives a 25% (RSA-2048) or 32% (RSA-4096)
slower RSA verification speed. I went with the BN_mod one for the time
being.
Before:
Did 9204 RSA 2048 signing operations in 10052053us (915.6 ops/sec)
Did 326000 RSA 2048 verify (same key) operations in 10028823us (32506.3 ops/sec)
Did 50830 RSA 2048 verify (fresh key) operations in 10033794us (5065.9 ops/sec)
Did 1269 RSA 4096 signing operations in 10019204us (126.7 ops/sec)
Did 88435 RSA 4096 verify (same key) operations in 10031129us (8816.1 ops/sec)
Did 14552 RSA 4096 verify (fresh key) operations in 10053411us (1447.5 ops/sec)
After:
Did 9150 RSA 2048 signing operations in 10022831us (912.9 ops/sec)
Did 322000 RSA 2048 verify (same key) operations in 10028604us (32108.2 ops/sec)
Did 289000 RSA 2048 verify (fresh key) operations in 10017205us (28850.4 ops/sec)
Did 1270 RSA 4096 signing operations in 10072950us (126.1 ops/sec)
Did 87480 RSA 4096 verify (same key) operations in 10036328us (8716.3 ops/sec)
Did 80730 RSA 4096 verify (fresh key) operations in 10073614us (8014.0 ops/sec)
Change-Id: Ie8916d1634ccf8513ceda458fa302f09f3e93c07
Reviewed-on: https://boringssl-review.googlesource.com/27287
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-04-10 21:46:33 +01:00
|
|
|
|
|
|
|
// Sanity-check that the constant-time version computes the same n0 and RR.
|
|
|
|
bssl::UniquePtr<BN_MONT_CTX> mont2(
|
|
|
|
BN_MONT_CTX_new_consttime(m.get(), ctx));
|
|
|
|
ASSERT_TRUE(mont2);
|
|
|
|
EXPECT_BIGNUMS_EQUAL("RR (mod M) (constant-time)", &mont->RR, &mont2->RR);
|
|
|
|
EXPECT_EQ(mont->n0[0], mont2->n0[0]);
|
|
|
|
EXPECT_EQ(mont->n0[1], mont2->n0[1]);
|
|
|
|
|
|
|
|
bssl::UniquePtr<BIGNUM> a_tmp(BN_new()), b_tmp(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a_tmp);
|
|
|
|
ASSERT_TRUE(b_tmp);
|
2017-11-12 05:58:13 +00:00
|
|
|
ASSERT_TRUE(BN_nnmod(a.get(), a.get(), m.get(), ctx));
|
|
|
|
ASSERT_TRUE(BN_nnmod(b.get(), b.get(), m.get(), ctx));
|
|
|
|
ASSERT_TRUE(BN_to_montgomery(a_tmp.get(), a.get(), mont.get(), ctx));
|
|
|
|
ASSERT_TRUE(BN_to_montgomery(b_tmp.get(), b.get(), mont.get(), ctx));
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_mod_mul_montgomery(ret.get(), a_tmp.get(), b_tmp.get(),
|
|
|
|
mont.get(), ctx));
|
|
|
|
ASSERT_TRUE(BN_from_montgomery(ret.get(), ret.get(), mont.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A * B (mod M) (Montgomery)", mod_mul.get(),
|
|
|
|
ret.get());
|
2017-11-12 05:58:13 +00:00
|
|
|
|
|
|
|
#if !defined(BORINGSSL_SHARED_LIBRARY)
|
2018-01-20 21:51:54 +00:00
|
|
|
size_t m_width = static_cast<size_t>(bn_minimal_width(m.get()));
|
|
|
|
if (m_width <= BN_SMALL_MAX_WORDS) {
|
|
|
|
std::unique_ptr<BN_ULONG[]> a_words(new BN_ULONG[m_width]),
|
|
|
|
b_words(new BN_ULONG[m_width]), r_words(new BN_ULONG[m_width]);
|
|
|
|
ASSERT_TRUE(bn_copy_words(a_words.get(), m_width, a.get()));
|
|
|
|
ASSERT_TRUE(bn_copy_words(b_words.get(), m_width, b.get()));
|
2018-04-04 04:35:52 +01:00
|
|
|
bn_to_montgomery_small(a_words.get(), a_words.get(), m_width, mont.get());
|
|
|
|
bn_to_montgomery_small(b_words.get(), b_words.get(), m_width, mont.get());
|
|
|
|
bn_mod_mul_montgomery_small(r_words.get(), a_words.get(), b_words.get(),
|
|
|
|
m_width, mont.get());
|
2017-11-12 05:58:13 +00:00
|
|
|
// Use the second half of |tmp| so ASan will catch out-of-bounds writes.
|
2018-04-04 04:35:52 +01:00
|
|
|
bn_from_montgomery_small(r_words.get(), r_words.get(), m_width,
|
|
|
|
mont.get());
|
2018-01-20 21:51:54 +00:00
|
|
|
ASSERT_TRUE(bn_set_words(ret.get(), r_words.get(), m_width));
|
2017-11-12 05:58:13 +00:00
|
|
|
EXPECT_BIGNUMS_EQUAL("A * B (mod M) (Montgomery, words)", mod_mul.get(),
|
|
|
|
ret.get());
|
|
|
|
}
|
|
|
|
#endif
|
2016-07-03 01:33:07 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestModSquare(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> m = t->GetBIGNUM("M");
|
|
|
|
bssl::UniquePtr<BIGNUM> mod_square = t->GetBIGNUM("ModSquare");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(m);
|
|
|
|
ASSERT_TRUE(mod_square);
|
2017-01-26 14:55:07 +00:00
|
|
|
|
|
|
|
bssl::UniquePtr<BIGNUM> a_copy(BN_new());
|
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(a_copy);
|
|
|
|
ASSERT_TRUE(BN_mod_mul(ret.get(), a.get(), a.get(), m.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A * A (mod M)", mod_square.get(), ret.get());
|
|
|
|
|
|
|
|
// Repeat the operation with |a_copy|.
|
|
|
|
ASSERT_TRUE(BN_copy(a_copy.get(), a.get()));
|
|
|
|
ASSERT_TRUE(BN_mod_mul(ret.get(), a.get(), a_copy.get(), m.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A * A_copy (mod M)", mod_square.get(), ret.get());
|
2017-01-26 14:55:07 +00:00
|
|
|
|
|
|
|
if (BN_is_odd(m.get())) {
|
|
|
|
// Reduce |a| and test the Montgomery version.
|
2018-01-23 22:03:26 +00:00
|
|
|
bssl::UniquePtr<BN_MONT_CTX> mont(
|
|
|
|
BN_MONT_CTX_new_for_modulus(m.get(), ctx));
|
2017-01-26 14:55:07 +00:00
|
|
|
bssl::UniquePtr<BIGNUM> a_tmp(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(mont);
|
|
|
|
ASSERT_TRUE(a_tmp);
|
2017-11-12 05:58:13 +00:00
|
|
|
ASSERT_TRUE(BN_nnmod(a.get(), a.get(), m.get(), ctx));
|
|
|
|
ASSERT_TRUE(BN_to_montgomery(a_tmp.get(), a.get(), mont.get(), ctx));
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_mod_mul_montgomery(ret.get(), a_tmp.get(), a_tmp.get(),
|
|
|
|
mont.get(), ctx));
|
|
|
|
ASSERT_TRUE(BN_from_montgomery(ret.get(), ret.get(), mont.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A * A (mod M) (Montgomery)", mod_square.get(),
|
|
|
|
ret.get());
|
|
|
|
|
|
|
|
// Repeat the operation with |a_copy|.
|
|
|
|
ASSERT_TRUE(BN_copy(a_copy.get(), a_tmp.get()));
|
|
|
|
ASSERT_TRUE(BN_mod_mul_montgomery(ret.get(), a_tmp.get(), a_copy.get(),
|
|
|
|
mont.get(), ctx));
|
|
|
|
ASSERT_TRUE(BN_from_montgomery(ret.get(), ret.get(), mont.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A * A_copy (mod M) (Montgomery)", mod_square.get(),
|
|
|
|
ret.get());
|
2017-11-12 05:58:13 +00:00
|
|
|
|
|
|
|
#if !defined(BORINGSSL_SHARED_LIBRARY)
|
2018-01-20 21:51:54 +00:00
|
|
|
size_t m_width = static_cast<size_t>(bn_minimal_width(m.get()));
|
|
|
|
if (m_width <= BN_SMALL_MAX_WORDS) {
|
|
|
|
std::unique_ptr<BN_ULONG[]> a_words(new BN_ULONG[m_width]),
|
|
|
|
a_copy_words(new BN_ULONG[m_width]), r_words(new BN_ULONG[m_width]);
|
|
|
|
ASSERT_TRUE(bn_copy_words(a_words.get(), m_width, a.get()));
|
2018-04-04 04:35:52 +01:00
|
|
|
bn_to_montgomery_small(a_words.get(), a_words.get(), m_width, mont.get());
|
|
|
|
bn_mod_mul_montgomery_small(r_words.get(), a_words.get(), a_words.get(),
|
|
|
|
m_width, mont.get());
|
|
|
|
bn_from_montgomery_small(r_words.get(), r_words.get(), m_width, mont.get());
|
2018-01-20 21:51:54 +00:00
|
|
|
ASSERT_TRUE(bn_set_words(ret.get(), r_words.get(), m_width));
|
2017-11-12 05:58:13 +00:00
|
|
|
EXPECT_BIGNUMS_EQUAL("A * A (mod M) (Montgomery, words)",
|
|
|
|
mod_square.get(), ret.get());
|
|
|
|
|
|
|
|
// Repeat the operation with |a_copy_words|.
|
|
|
|
OPENSSL_memcpy(a_copy_words.get(), a_words.get(),
|
2018-01-20 21:51:54 +00:00
|
|
|
m_width * sizeof(BN_ULONG));
|
2018-04-04 04:35:52 +01:00
|
|
|
bn_mod_mul_montgomery_small(r_words.get(), a_words.get(),
|
|
|
|
a_copy_words.get(), m_width, mont.get());
|
2017-11-12 05:58:13 +00:00
|
|
|
// Use the second half of |tmp| so ASan will catch out-of-bounds writes.
|
2018-04-04 04:35:52 +01:00
|
|
|
bn_from_montgomery_small(r_words.get(), r_words.get(), m_width,
|
|
|
|
mont.get());
|
2018-01-20 21:51:54 +00:00
|
|
|
ASSERT_TRUE(bn_set_words(ret.get(), r_words.get(), m_width));
|
2017-11-12 05:58:13 +00:00
|
|
|
EXPECT_BIGNUMS_EQUAL("A * A_copy (mod M) (Montgomery, words)",
|
|
|
|
mod_square.get(), ret.get());
|
|
|
|
}
|
|
|
|
#endif
|
2017-01-26 14:55:07 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestModExp(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> e = t->GetBIGNUM("E");
|
|
|
|
bssl::UniquePtr<BIGNUM> m = t->GetBIGNUM("M");
|
|
|
|
bssl::UniquePtr<BIGNUM> mod_exp = t->GetBIGNUM("ModExp");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(e);
|
|
|
|
ASSERT_TRUE(m);
|
|
|
|
ASSERT_TRUE(mod_exp);
|
2016-07-03 15:05:56 +01:00
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(BN_mod_exp(ret.get(), a.get(), e.get(), m.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A ^ E (mod M)", mod_exp.get(), ret.get());
|
2016-07-03 15:05:56 +01:00
|
|
|
|
2018-04-17 16:59:28 +01:00
|
|
|
// The other implementations require reduced inputs.
|
|
|
|
ASSERT_TRUE(BN_nnmod(a.get(), a.get(), m.get(), ctx));
|
|
|
|
|
2016-07-03 15:05:56 +01:00
|
|
|
if (BN_is_odd(m.get())) {
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_mod_exp_mont(ret.get(), a.get(), e.get(), m.get(), ctx, NULL));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A ^ E (mod M) (Montgomery)", mod_exp.get(),
|
|
|
|
ret.get());
|
2016-07-03 15:05:56 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_mod_exp_mont_consttime(ret.get(), a.get(), e.get(), m.get(),
|
|
|
|
ctx, NULL));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A ^ E (mod M) (constant-time)", mod_exp.get(),
|
|
|
|
ret.get());
|
2017-11-12 10:03:24 +00:00
|
|
|
|
|
|
|
#if !defined(BORINGSSL_SHARED_LIBRARY)
|
2018-01-20 21:51:54 +00:00
|
|
|
size_t m_width = static_cast<size_t>(bn_minimal_width(m.get()));
|
|
|
|
if (m_width <= BN_SMALL_MAX_WORDS) {
|
2018-01-23 22:03:26 +00:00
|
|
|
bssl::UniquePtr<BN_MONT_CTX> mont(
|
|
|
|
BN_MONT_CTX_new_for_modulus(m.get(), ctx));
|
2017-11-12 10:03:24 +00:00
|
|
|
ASSERT_TRUE(mont.get());
|
2018-01-20 21:51:54 +00:00
|
|
|
std::unique_ptr<BN_ULONG[]> r_words(new BN_ULONG[m_width]),
|
|
|
|
a_words(new BN_ULONG[m_width]);
|
|
|
|
ASSERT_TRUE(bn_copy_words(a_words.get(), m_width, a.get()));
|
2018-04-04 04:35:52 +01:00
|
|
|
bn_to_montgomery_small(a_words.get(), a_words.get(), m_width, mont.get());
|
|
|
|
bn_mod_exp_mont_small(r_words.get(), a_words.get(), m_width, e->d,
|
|
|
|
e->width, mont.get());
|
|
|
|
bn_from_montgomery_small(r_words.get(), r_words.get(), m_width,
|
|
|
|
mont.get());
|
2018-01-20 21:51:54 +00:00
|
|
|
ASSERT_TRUE(bn_set_words(ret.get(), r_words.get(), m_width));
|
2017-11-12 10:03:24 +00:00
|
|
|
EXPECT_BIGNUMS_EQUAL("A ^ E (mod M) (Montgomery, words)", mod_exp.get(),
|
|
|
|
ret.get());
|
|
|
|
}
|
|
|
|
#endif
|
2017-06-04 20:37:23 +01:00
|
|
|
}
|
2016-07-03 15:05:56 +01:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestExp(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> e = t->GetBIGNUM("E");
|
|
|
|
bssl::UniquePtr<BIGNUM> exp = t->GetBIGNUM("Exp");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(e);
|
|
|
|
ASSERT_TRUE(exp);
|
2016-07-03 16:52:58 +01:00
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(BN_exp(ret.get(), a.get(), e.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("A ^ E", exp.get(), ret.get());
|
2016-07-03 16:52:58 +01:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestModSqrt(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> p = t->GetBIGNUM("P");
|
|
|
|
bssl::UniquePtr<BIGNUM> mod_sqrt = t->GetBIGNUM("ModSqrt");
|
2016-11-25 13:56:15 +00:00
|
|
|
bssl::UniquePtr<BIGNUM> mod_sqrt2(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(p);
|
|
|
|
ASSERT_TRUE(mod_sqrt);
|
|
|
|
ASSERT_TRUE(mod_sqrt2);
|
|
|
|
// There are two possible answers.
|
|
|
|
ASSERT_TRUE(BN_sub(mod_sqrt2.get(), p.get(), mod_sqrt.get()));
|
2016-07-03 20:19:20 +01:00
|
|
|
|
2016-11-25 13:56:15 +00:00
|
|
|
// -0 is 0, not P.
|
|
|
|
if (BN_is_zero(mod_sqrt.get())) {
|
|
|
|
BN_zero(mod_sqrt2.get());
|
|
|
|
}
|
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(BN_mod_sqrt(ret.get(), a.get(), p.get(), ctx));
|
|
|
|
if (BN_cmp(ret.get(), mod_sqrt2.get()) != 0) {
|
|
|
|
EXPECT_BIGNUMS_EQUAL("sqrt(A) (mod P)", mod_sqrt.get(), ret.get());
|
2016-07-03 20:19:20 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestNotModSquare(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> not_mod_square = t->GetBIGNUM("NotModSquare");
|
|
|
|
bssl::UniquePtr<BIGNUM> p = t->GetBIGNUM("P");
|
2016-11-25 20:10:17 +00:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(not_mod_square);
|
|
|
|
ASSERT_TRUE(p);
|
|
|
|
ASSERT_TRUE(ret);
|
2016-11-25 20:10:17 +00:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_mod_sqrt(ret.get(), not_mod_square.get(), p.get(), ctx))
|
|
|
|
<< "BN_mod_sqrt unexpectedly succeeded.";
|
2016-11-25 20:10:17 +00:00
|
|
|
|
|
|
|
uint32_t err = ERR_peek_error();
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_EQ(ERR_LIB_BN, ERR_GET_LIB(err));
|
|
|
|
EXPECT_EQ(BN_R_NOT_A_SQUARE, ERR_GET_REASON(err));
|
|
|
|
ERR_clear_error();
|
2016-11-25 20:10:17 +00:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:51:42 +00:00
|
|
|
static void TestModInv(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> m = t->GetBIGNUM("M");
|
|
|
|
bssl::UniquePtr<BIGNUM> mod_inv = t->GetBIGNUM("ModInv");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(m);
|
|
|
|
ASSERT_TRUE(mod_inv);
|
2016-07-26 01:20:32 +01:00
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(BN_mod_inverse(ret.get(), a.get(), m.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("inv(A) (mod M)", mod_inv.get(), ret.get());
|
2018-02-18 05:37:04 +00:00
|
|
|
|
|
|
|
ASSERT_TRUE(BN_gcd(ret.get(), a.get(), m.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("GCD(A, M)", BN_value_one(), ret.get());
|
2018-03-04 03:04:14 +00:00
|
|
|
|
|
|
|
ASSERT_TRUE(BN_nnmod(a.get(), a.get(), m.get(), ctx));
|
|
|
|
int no_inverse;
|
|
|
|
ASSERT_TRUE(
|
|
|
|
bn_mod_inverse_consttime(ret.get(), &no_inverse, a.get(), m.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("inv(A) (mod M) (constant-time)", mod_inv.get(),
|
|
|
|
ret.get());
|
2017-06-04 20:37:23 +01:00
|
|
|
}
|
|
|
|
|
2018-02-17 23:45:44 +00:00
|
|
|
static void TestGCD(BIGNUMFileTest *t, BN_CTX *ctx) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a = t->GetBIGNUM("A");
|
|
|
|
bssl::UniquePtr<BIGNUM> b = t->GetBIGNUM("B");
|
|
|
|
bssl::UniquePtr<BIGNUM> gcd = t->GetBIGNUM("GCD");
|
2018-03-04 07:51:04 +00:00
|
|
|
bssl::UniquePtr<BIGNUM> lcm = t->GetBIGNUM("LCM");
|
2018-02-17 23:45:44 +00:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(b);
|
|
|
|
ASSERT_TRUE(gcd);
|
2018-03-04 07:51:04 +00:00
|
|
|
ASSERT_TRUE(lcm);
|
2018-02-17 23:45:44 +00:00
|
|
|
|
|
|
|
bssl::UniquePtr<BIGNUM> ret(BN_new());
|
|
|
|
ASSERT_TRUE(ret);
|
|
|
|
ASSERT_TRUE(BN_gcd(ret.get(), a.get(), b.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("GCD(A, B)", gcd.get(), ret.get());
|
2018-02-18 05:37:04 +00:00
|
|
|
|
|
|
|
if (!BN_is_one(gcd.get())) {
|
|
|
|
EXPECT_FALSE(BN_mod_inverse(ret.get(), a.get(), b.get(), ctx))
|
|
|
|
<< "A^-1 (mod B) computed, but it does not exist";
|
|
|
|
EXPECT_FALSE(BN_mod_inverse(ret.get(), b.get(), a.get(), ctx))
|
|
|
|
<< "B^-1 (mod A) computed, but it does not exist";
|
2018-03-04 03:04:14 +00:00
|
|
|
|
|
|
|
if (!BN_is_zero(b.get())) {
|
|
|
|
bssl::UniquePtr<BIGNUM> a_reduced(BN_new());
|
|
|
|
ASSERT_TRUE(a_reduced);
|
|
|
|
ASSERT_TRUE(BN_nnmod(a_reduced.get(), a.get(), b.get(), ctx));
|
|
|
|
int no_inverse;
|
|
|
|
EXPECT_FALSE(bn_mod_inverse_consttime(ret.get(), &no_inverse,
|
|
|
|
a_reduced.get(), b.get(), ctx))
|
|
|
|
<< "A^-1 (mod B) computed, but it does not exist";
|
|
|
|
EXPECT_TRUE(no_inverse);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!BN_is_zero(a.get())) {
|
|
|
|
bssl::UniquePtr<BIGNUM> b_reduced(BN_new());
|
|
|
|
ASSERT_TRUE(b_reduced);
|
|
|
|
ASSERT_TRUE(BN_nnmod(b_reduced.get(), b.get(), a.get(), ctx));
|
|
|
|
int no_inverse;
|
|
|
|
EXPECT_FALSE(bn_mod_inverse_consttime(ret.get(), &no_inverse,
|
|
|
|
b_reduced.get(), a.get(), ctx))
|
|
|
|
<< "B^-1 (mod A) computed, but it does not exist";
|
|
|
|
EXPECT_TRUE(no_inverse);
|
|
|
|
}
|
2018-02-18 05:37:04 +00:00
|
|
|
}
|
2018-03-04 07:51:04 +00:00
|
|
|
|
|
|
|
int is_relative_prime;
|
|
|
|
ASSERT_TRUE(
|
|
|
|
bn_is_relatively_prime(&is_relative_prime, a.get(), b.get(), ctx));
|
|
|
|
EXPECT_EQ(is_relative_prime, BN_is_one(gcd.get()));
|
|
|
|
|
|
|
|
if (!BN_is_zero(gcd.get())) {
|
|
|
|
ASSERT_TRUE(bn_lcm_consttime(ret.get(), a.get(), b.get(), ctx));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("LCM(A, B)", lcm.get(), ret.get());
|
|
|
|
}
|
2018-02-17 23:45:44 +00:00
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
class BNTest : public testing::Test {
|
|
|
|
protected:
|
|
|
|
void SetUp() override {
|
|
|
|
ctx_.reset(BN_CTX_new());
|
|
|
|
ASSERT_TRUE(ctx_);
|
2016-07-26 01:20:32 +01:00
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
BN_CTX *ctx() { return ctx_.get(); }
|
2016-07-26 01:20:32 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
private:
|
|
|
|
bssl::UniquePtr<BN_CTX> ctx_;
|
2016-06-26 20:03:41 +01:00
|
|
|
};
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, TestVectors) {
|
|
|
|
static const struct {
|
|
|
|
const char *name;
|
2018-01-23 23:51:42 +00:00
|
|
|
void (*func)(BIGNUMFileTest *t, BN_CTX *ctx);
|
2017-06-04 20:37:23 +01:00
|
|
|
} kTests[] = {
|
|
|
|
{"Sum", TestSum},
|
|
|
|
{"LShift1", TestLShift1},
|
|
|
|
{"LShift", TestLShift},
|
|
|
|
{"RShift", TestRShift},
|
|
|
|
{"Square", TestSquare},
|
|
|
|
{"Product", TestProduct},
|
|
|
|
{"Quotient", TestQuotient},
|
|
|
|
{"ModMul", TestModMul},
|
|
|
|
{"ModSquare", TestModSquare},
|
|
|
|
{"ModExp", TestModExp},
|
|
|
|
{"Exp", TestExp},
|
|
|
|
{"ModSqrt", TestModSqrt},
|
|
|
|
{"NotModSquare", TestNotModSquare},
|
|
|
|
{"ModInv", TestModInv},
|
2018-02-17 23:45:44 +00:00
|
|
|
{"GCD", TestGCD},
|
2017-06-04 20:37:23 +01:00
|
|
|
};
|
2016-06-26 20:03:41 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
FileTestGTest("crypto/fipsmodule/bn/bn_tests.txt", [&](FileTest *t) {
|
2018-01-23 23:51:42 +00:00
|
|
|
void (*func)(BIGNUMFileTest *t, BN_CTX *ctx) = nullptr;
|
2017-06-04 20:37:23 +01:00
|
|
|
for (const auto &test : kTests) {
|
|
|
|
if (t->GetType() == test.name) {
|
2018-01-23 23:51:42 +00:00
|
|
|
func = test.func;
|
|
|
|
break;
|
2017-06-04 20:37:23 +01:00
|
|
|
}
|
2016-06-26 20:03:41 +01:00
|
|
|
}
|
2018-01-23 23:51:42 +00:00
|
|
|
if (!func) {
|
|
|
|
FAIL() << "Unknown test type: " << t->GetType();
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Run the test with normalize-sized |BIGNUM|s.
|
|
|
|
BIGNUMFileTest bn_test(t, 0);
|
|
|
|
BN_CTX_start(ctx());
|
|
|
|
func(&bn_test, ctx());
|
|
|
|
BN_CTX_end(ctx());
|
|
|
|
unsigned num_bignums = bn_test.num_bignums();
|
|
|
|
|
|
|
|
// Repeat the test with all combinations of large and small |BIGNUM|s.
|
|
|
|
for (unsigned large_mask = 1; large_mask < (1u << num_bignums);
|
|
|
|
large_mask++) {
|
|
|
|
SCOPED_TRACE(large_mask);
|
|
|
|
BIGNUMFileTest bn_test2(t, large_mask);
|
|
|
|
BN_CTX_start(ctx());
|
|
|
|
func(&bn_test2, ctx());
|
|
|
|
BN_CTX_end(ctx());
|
|
|
|
}
|
2017-06-04 20:37:23 +01:00
|
|
|
});
|
2016-06-26 20:03:41 +01:00
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, BN2BinPadded) {
|
2015-03-26 03:49:37 +00:00
|
|
|
uint8_t zeros[256], out[256], reference[128];
|
|
|
|
|
2016-12-13 06:07:13 +00:00
|
|
|
OPENSSL_memset(zeros, 0, sizeof(zeros));
|
2015-03-26 03:49:37 +00:00
|
|
|
|
|
|
|
// Test edge case at 0.
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> n(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(n);
|
|
|
|
ASSERT_TRUE(BN_bn2bin_padded(NULL, 0, n.get()));
|
|
|
|
|
2016-12-13 06:07:13 +00:00
|
|
|
OPENSSL_memset(out, -1, sizeof(out));
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_bn2bin_padded(out, sizeof(out), n.get()));
|
|
|
|
EXPECT_EQ(Bytes(zeros), Bytes(out));
|
2015-03-26 03:49:37 +00:00
|
|
|
|
|
|
|
// Test a random numbers at various byte lengths.
|
|
|
|
for (size_t bytes = 128 - 7; bytes <= 128; bytes++) {
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_rand(n.get(), bytes * 8, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY));
|
|
|
|
ASSERT_EQ(bytes, BN_num_bytes(n.get()));
|
|
|
|
ASSERT_EQ(bytes, BN_bn2bin(n.get(), reference));
|
|
|
|
|
2015-03-26 03:49:37 +00:00
|
|
|
// Empty buffer should fail.
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_bn2bin_padded(NULL, 0, n.get()));
|
|
|
|
|
2015-03-26 03:49:37 +00:00
|
|
|
// One byte short should fail.
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_bn2bin_padded(out, bytes - 1, n.get()));
|
|
|
|
|
2015-03-26 03:49:37 +00:00
|
|
|
// Exactly right size should encode.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_bn2bin_padded(out, bytes, n.get()));
|
|
|
|
EXPECT_EQ(Bytes(reference, bytes), Bytes(out, bytes));
|
|
|
|
|
2015-03-26 03:49:37 +00:00
|
|
|
// Pad up one byte extra.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_bn2bin_padded(out, bytes + 1, n.get()));
|
|
|
|
EXPECT_EQ(0u, out[0]);
|
|
|
|
EXPECT_EQ(Bytes(reference, bytes), Bytes(out + 1, bytes));
|
|
|
|
|
2015-03-26 03:49:37 +00:00
|
|
|
// Pad up to 256.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_bn2bin_padded(out, sizeof(out), n.get()));
|
|
|
|
EXPECT_EQ(Bytes(zeros, sizeof(out) - bytes),
|
|
|
|
Bytes(out, sizeof(out) - bytes));
|
|
|
|
EXPECT_EQ(Bytes(reference, bytes), Bytes(out + sizeof(out) - bytes, bytes));
|
2018-01-23 04:09:16 +00:00
|
|
|
|
|
|
|
// Repeat some tests with a non-minimal |BIGNUM|.
|
|
|
|
EXPECT_TRUE(bn_resize_words(n.get(), 32));
|
|
|
|
|
|
|
|
EXPECT_FALSE(BN_bn2bin_padded(out, bytes - 1, n.get()));
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_bn2bin_padded(out, bytes + 1, n.get()));
|
|
|
|
EXPECT_EQ(0u, out[0]);
|
|
|
|
EXPECT_EQ(Bytes(reference, bytes), Bytes(out + 1, bytes));
|
2015-03-26 03:49:37 +00:00
|
|
|
}
|
|
|
|
}
|
2015-04-21 00:52:31 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, LittleEndian) {
|
2016-12-08 04:53:22 +00:00
|
|
|
bssl::UniquePtr<BIGNUM> x(BN_new());
|
|
|
|
bssl::UniquePtr<BIGNUM> y(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(x);
|
|
|
|
ASSERT_TRUE(y);
|
2016-12-08 04:53:22 +00:00
|
|
|
|
|
|
|
// Test edge case at 0. Fill |out| with garbage to ensure |BN_bn2le_padded|
|
|
|
|
// wrote the result.
|
|
|
|
uint8_t out[256], zeros[256];
|
|
|
|
OPENSSL_memset(out, -1, sizeof(out));
|
|
|
|
OPENSSL_memset(zeros, 0, sizeof(zeros));
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_bn2le_padded(out, sizeof(out), x.get()));
|
|
|
|
EXPECT_EQ(Bytes(zeros), Bytes(out));
|
2016-12-08 04:53:22 +00:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_le2bn(out, sizeof(out), y.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("BN_le2bn round-trip", x.get(), y.get());
|
2016-12-08 04:53:22 +00:00
|
|
|
|
|
|
|
// Test random numbers at various byte lengths.
|
|
|
|
for (size_t bytes = 128 - 7; bytes <= 128; bytes++) {
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_rand(x.get(), bytes * 8, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY));
|
2016-12-08 04:53:22 +00:00
|
|
|
|
|
|
|
// Fill |out| with garbage to ensure |BN_bn2le_padded| wrote the result.
|
|
|
|
OPENSSL_memset(out, -1, sizeof(out));
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_bn2le_padded(out, sizeof(out), x.get()));
|
2016-12-08 04:53:22 +00:00
|
|
|
|
|
|
|
// Compute the expected value by reversing the big-endian output.
|
|
|
|
uint8_t expected[sizeof(out)];
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_bn2bin_padded(expected, sizeof(expected), x.get()));
|
2016-12-08 04:53:22 +00:00
|
|
|
for (size_t i = 0; i < sizeof(expected) / 2; i++) {
|
|
|
|
uint8_t tmp = expected[i];
|
|
|
|
expected[i] = expected[sizeof(expected) - 1 - i];
|
|
|
|
expected[sizeof(expected) - 1 - i] = tmp;
|
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_EQ(Bytes(out), Bytes(expected));
|
2016-12-08 04:53:22 +00:00
|
|
|
|
|
|
|
// Make sure the decoding produces the same BIGNUM.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_le2bn(out, bytes, y.get()));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("BN_le2bn round-trip", x.get(), y.get());
|
2016-12-08 04:53:22 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
static int DecimalToBIGNUM(bssl::UniquePtr<BIGNUM> *out, const char *in) {
|
2015-04-21 00:52:31 +01:00
|
|
|
BIGNUM *raw = NULL;
|
|
|
|
int ret = BN_dec2bn(&raw, in);
|
|
|
|
out->reset(raw);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, Dec2BN) {
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn;
|
2015-04-21 00:52:31 +01:00
|
|
|
int ret = DecimalToBIGNUM(&bn, "0");
|
2017-10-30 18:11:43 +00:00
|
|
|
ASSERT_EQ(1, ret);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_is_zero(bn.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
ret = DecimalToBIGNUM(&bn, "256");
|
2017-10-30 18:11:43 +00:00
|
|
|
ASSERT_EQ(3, ret);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_is_word(bn.get(), 256));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
ret = DecimalToBIGNUM(&bn, "-42");
|
2017-10-30 18:11:43 +00:00
|
|
|
ASSERT_EQ(3, ret);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_abs_is_word(bn.get(), 42));
|
|
|
|
EXPECT_TRUE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
ret = DecimalToBIGNUM(&bn, "-0");
|
2017-10-30 18:11:43 +00:00
|
|
|
ASSERT_EQ(2, ret);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_is_zero(bn.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
ret = DecimalToBIGNUM(&bn, "42trailing garbage is ignored");
|
2017-10-30 18:11:43 +00:00
|
|
|
ASSERT_EQ(2, ret);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_abs_is_word(bn.get(), 42));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, Hex2BN) {
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn;
|
2015-04-21 00:52:31 +01:00
|
|
|
int ret = HexToBIGNUM(&bn, "0");
|
2017-10-30 18:11:43 +00:00
|
|
|
ASSERT_EQ(1, ret);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_is_zero(bn.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
ret = HexToBIGNUM(&bn, "256");
|
2017-10-30 18:11:43 +00:00
|
|
|
ASSERT_EQ(3, ret);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_is_word(bn.get(), 0x256));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
ret = HexToBIGNUM(&bn, "-42");
|
2017-10-30 18:11:43 +00:00
|
|
|
ASSERT_EQ(3, ret);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_abs_is_word(bn.get(), 0x42));
|
|
|
|
EXPECT_TRUE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
ret = HexToBIGNUM(&bn, "-0");
|
2017-10-30 18:11:43 +00:00
|
|
|
ASSERT_EQ(2, ret);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_is_zero(bn.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
ret = HexToBIGNUM(&bn, "abctrailing garbage is ignored");
|
2017-10-30 18:11:43 +00:00
|
|
|
ASSERT_EQ(3, ret);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_is_word(bn.get(), 0xabc));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
}
|
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
static bssl::UniquePtr<BIGNUM> ASCIIToBIGNUM(const char *in) {
|
2015-04-21 00:52:31 +01:00
|
|
|
BIGNUM *raw = NULL;
|
|
|
|
if (!BN_asc2bn(&raw, in)) {
|
|
|
|
return nullptr;
|
|
|
|
}
|
2016-08-18 04:10:28 +01:00
|
|
|
return bssl::UniquePtr<BIGNUM>(raw);
|
2015-04-21 00:52:31 +01:00
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, ASC2BN) {
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn = ASCIIToBIGNUM("0");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
|
|
|
EXPECT_TRUE(BN_is_zero(bn.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
bn = ASCIIToBIGNUM("256");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
|
|
|
EXPECT_TRUE(BN_is_word(bn.get(), 256));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
bn = ASCIIToBIGNUM("-42");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
|
|
|
EXPECT_TRUE(BN_abs_is_word(bn.get(), 42));
|
|
|
|
EXPECT_TRUE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
bn = ASCIIToBIGNUM("0x1234");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
|
|
|
EXPECT_TRUE(BN_is_word(bn.get(), 0x1234));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
bn = ASCIIToBIGNUM("0X1234");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
|
|
|
EXPECT_TRUE(BN_is_word(bn.get(), 0x1234));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
bn = ASCIIToBIGNUM("-0xabcd");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
|
|
|
EXPECT_TRUE(BN_abs_is_word(bn.get(), 0xabcd));
|
|
|
|
EXPECT_FALSE(!BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
bn = ASCIIToBIGNUM("-0");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
|
|
|
EXPECT_TRUE(BN_is_zero(bn.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
|
|
|
|
bn = ASCIIToBIGNUM("123trailing garbage is ignored");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
|
|
|
EXPECT_TRUE(BN_is_word(bn.get(), 123));
|
|
|
|
EXPECT_FALSE(BN_is_negative(bn.get()));
|
2015-04-21 00:52:31 +01:00
|
|
|
}
|
2015-05-26 23:35:28 +01:00
|
|
|
|
2015-08-12 01:17:28 +01:00
|
|
|
struct MPITest {
|
|
|
|
const char *base10;
|
|
|
|
const char *mpi;
|
|
|
|
size_t mpi_len;
|
|
|
|
};
|
|
|
|
|
|
|
|
static const MPITest kMPITests[] = {
|
|
|
|
{ "0", "\x00\x00\x00\x00", 4 },
|
|
|
|
{ "1", "\x00\x00\x00\x01\x01", 5 },
|
|
|
|
{ "-1", "\x00\x00\x00\x01\x81", 5 },
|
|
|
|
{ "128", "\x00\x00\x00\x02\x00\x80", 6 },
|
|
|
|
{ "256", "\x00\x00\x00\x02\x01\x00", 6 },
|
|
|
|
{ "-256", "\x00\x00\x00\x02\x81\x00", 6 },
|
|
|
|
};
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, MPI) {
|
2015-08-12 01:17:28 +01:00
|
|
|
uint8_t scratch[8];
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
for (const auto &test : kMPITests) {
|
|
|
|
SCOPED_TRACE(test.base10);
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn(ASCIIToBIGNUM(test.base10));
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
2016-09-30 01:18:38 +01:00
|
|
|
|
2015-08-12 01:17:28 +01:00
|
|
|
const size_t mpi_len = BN_bn2mpi(bn.get(), NULL);
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_LE(mpi_len, sizeof(scratch)) << "MPI size is too large to test";
|
2015-08-12 01:17:28 +01:00
|
|
|
|
|
|
|
const size_t mpi_len2 = BN_bn2mpi(bn.get(), scratch);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_EQ(mpi_len, mpi_len2);
|
|
|
|
EXPECT_EQ(Bytes(test.mpi, test.mpi_len), Bytes(scratch, mpi_len));
|
2015-08-12 01:17:28 +01:00
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn2(BN_mpi2bn(scratch, mpi_len, NULL));
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn2) << "failed to parse";
|
|
|
|
EXPECT_BIGNUMS_EQUAL("BN_mpi2bn", bn.get(), bn2.get());
|
2015-08-12 01:17:28 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, Rand) {
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
2015-05-26 23:35:28 +01:00
|
|
|
|
2018-02-04 16:09:50 +00:00
|
|
|
static const int kTop[] = {BN_RAND_TOP_ANY, BN_RAND_TOP_ONE, BN_RAND_TOP_TWO};
|
|
|
|
static const int kBottom[] = {BN_RAND_BOTTOM_ANY, BN_RAND_BOTTOM_ODD};
|
|
|
|
for (unsigned bits = 0; bits < 256; bits++) {
|
|
|
|
SCOPED_TRACE(bits);
|
|
|
|
for (int top : kTop) {
|
|
|
|
SCOPED_TRACE(top);
|
|
|
|
for (int bottom : kBottom) {
|
|
|
|
SCOPED_TRACE(bottom);
|
|
|
|
|
|
|
|
// Generate 100 numbers and ensure that they have the expected bit
|
|
|
|
// patterns. The probability of any one bit not covering both its values
|
|
|
|
// is 2^-100.
|
|
|
|
bool seen_n_1_clear = false, seen_n_1_set = false;
|
|
|
|
bool seen_n_2_clear = false, seen_n_2_set = false;
|
|
|
|
bool seen_0_clear = false, seen_0_set = false;
|
|
|
|
for (int i = 0; i < 100; i++) {
|
|
|
|
ASSERT_TRUE(BN_rand(bn.get(), bits, top, bottom));
|
|
|
|
EXPECT_LE(BN_num_bits(bn.get()), bits);
|
|
|
|
if (BN_is_bit_set(bn.get(), bits - 1)) {
|
|
|
|
seen_n_1_set = true;
|
|
|
|
} else {
|
|
|
|
seen_n_1_clear = true;
|
|
|
|
}
|
|
|
|
if (BN_is_bit_set(bn.get(), bits - 2)) {
|
|
|
|
seen_n_2_set = true;
|
|
|
|
} else {
|
|
|
|
seen_n_2_clear = true;
|
|
|
|
}
|
|
|
|
if (BN_is_bit_set(bn.get(), 0)) {
|
|
|
|
seen_0_set = true;
|
|
|
|
} else {
|
|
|
|
seen_0_clear = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (bits > 0) {
|
|
|
|
EXPECT_TRUE(seen_0_set);
|
|
|
|
EXPECT_TRUE(seen_n_1_set);
|
|
|
|
if (bits > 1) {
|
|
|
|
EXPECT_TRUE(seen_n_2_set);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (bits == 0) {
|
|
|
|
// Nothing additional to check. The |BN_num_bits| check ensures we
|
|
|
|
// always got zero.
|
|
|
|
} else if (bits == 1) {
|
|
|
|
// Bit zero is bit n-1.
|
|
|
|
EXPECT_EQ(bottom == BN_RAND_BOTTOM_ANY && top == BN_RAND_TOP_ANY,
|
|
|
|
seen_0_clear);
|
|
|
|
} else if (bits == 2) {
|
|
|
|
// Bit zero is bit n-2.
|
|
|
|
EXPECT_EQ(bottom == BN_RAND_BOTTOM_ANY && top != BN_RAND_TOP_TWO,
|
|
|
|
seen_0_clear);
|
|
|
|
EXPECT_EQ(top == BN_RAND_TOP_ANY, seen_n_1_clear);
|
|
|
|
} else {
|
|
|
|
EXPECT_EQ(bottom == BN_RAND_BOTTOM_ANY, seen_0_clear);
|
|
|
|
EXPECT_EQ(top != BN_RAND_TOP_TWO, seen_n_2_clear);
|
|
|
|
EXPECT_EQ(top == BN_RAND_TOP_ANY, seen_n_1_clear);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2015-05-26 23:35:28 +01:00
|
|
|
}
|
2015-06-12 03:52:07 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, RandRange) {
|
2017-04-13 21:43:43 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn(BN_new()), six(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
|
|
|
ASSERT_TRUE(six);
|
|
|
|
ASSERT_TRUE(BN_set_word(six.get(), 6));
|
2017-04-13 21:43:43 +01:00
|
|
|
|
|
|
|
// Generate 1,000 random numbers and ensure they all stay in range. This check
|
|
|
|
// may flakily pass when it should have failed but will not flakily fail.
|
|
|
|
bool seen[6] = {false, false, false, false, false};
|
|
|
|
for (unsigned i = 0; i < 1000; i++) {
|
2017-06-04 20:37:23 +01:00
|
|
|
SCOPED_TRACE(i);
|
|
|
|
ASSERT_TRUE(BN_rand_range_ex(bn.get(), 1, six.get()));
|
2017-04-13 21:43:43 +01:00
|
|
|
|
|
|
|
BN_ULONG word = BN_get_word(bn.get());
|
|
|
|
if (BN_is_negative(bn.get()) ||
|
|
|
|
word < 1 ||
|
|
|
|
word >= 6) {
|
2017-06-04 20:37:23 +01:00
|
|
|
FAIL() << "BN_rand_range_ex generated invalid value: " << word;
|
2017-04-13 21:43:43 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
seen[word] = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Test that all numbers were accounted for. Note this test is probabilistic
|
|
|
|
// and may flakily fail when it should have passed. As an upper-bound on the
|
|
|
|
// failure probability, we'll never see any one number with probability
|
|
|
|
// (4/5)^1000, so the probability of failure is at most 5*(4/5)^1000. This is
|
|
|
|
// around 1 in 2^320.
|
|
|
|
for (unsigned i = 1; i < 6; i++) {
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(seen[i]) << "BN_rand_range failed to generated " << i;
|
2017-04-13 21:43:43 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-06-12 03:52:07 +01:00
|
|
|
struct ASN1Test {
|
|
|
|
const char *value_ascii;
|
|
|
|
const char *der;
|
|
|
|
size_t der_len;
|
|
|
|
};
|
|
|
|
|
|
|
|
static const ASN1Test kASN1Tests[] = {
|
|
|
|
{"0", "\x02\x01\x00", 3},
|
|
|
|
{"1", "\x02\x01\x01", 3},
|
|
|
|
{"127", "\x02\x01\x7f", 3},
|
|
|
|
{"128", "\x02\x02\x00\x80", 4},
|
|
|
|
{"0xdeadbeef", "\x02\x05\x00\xde\xad\xbe\xef", 7},
|
|
|
|
{"0x0102030405060708",
|
|
|
|
"\x02\x08\x01\x02\x03\x04\x05\x06\x07\x08", 10},
|
|
|
|
{"0xffffffffffffffff",
|
|
|
|
"\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff", 11},
|
|
|
|
};
|
|
|
|
|
|
|
|
struct ASN1InvalidTest {
|
|
|
|
const char *der;
|
|
|
|
size_t der_len;
|
|
|
|
};
|
|
|
|
|
|
|
|
static const ASN1InvalidTest kASN1InvalidTests[] = {
|
|
|
|
// Bad tag.
|
|
|
|
{"\x03\x01\x00", 3},
|
|
|
|
// Empty contents.
|
|
|
|
{"\x02\x00", 2},
|
2015-09-23 17:23:01 +01:00
|
|
|
// Negative numbers.
|
2017-10-24 00:30:26 +01:00
|
|
|
{"\x02\x01\x80", 3},
|
|
|
|
{"\x02\x01\xff", 3},
|
2015-09-23 17:23:01 +01:00
|
|
|
// Unnecessary leading zeros.
|
2017-10-24 00:30:26 +01:00
|
|
|
{"\x02\x02\x00\x01", 4},
|
2015-09-15 21:47:35 +01:00
|
|
|
};
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, ASN1) {
|
2015-06-12 03:52:07 +01:00
|
|
|
for (const ASN1Test &test : kASN1Tests) {
|
2017-06-04 20:37:23 +01:00
|
|
|
SCOPED_TRACE(test.value_ascii);
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn = ASCIIToBIGNUM(test.value_ascii);
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
2015-06-12 03:52:07 +01:00
|
|
|
|
|
|
|
// Test that the input is correctly parsed.
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn2(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn2);
|
2015-06-12 03:52:07 +01:00
|
|
|
CBS cbs;
|
|
|
|
CBS_init(&cbs, reinterpret_cast<const uint8_t*>(test.der), test.der_len);
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_parse_asn1_unsigned(&cbs, bn2.get()));
|
|
|
|
EXPECT_EQ(0u, CBS_len(&cbs));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("decode ASN.1", bn.get(), bn2.get());
|
2015-06-12 03:52:07 +01:00
|
|
|
|
|
|
|
// Test the value serializes correctly.
|
2016-10-23 18:05:02 +01:00
|
|
|
bssl::ScopedCBB cbb;
|
2015-06-12 03:52:07 +01:00
|
|
|
uint8_t *der;
|
|
|
|
size_t der_len;
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(CBB_init(cbb.get(), 0));
|
|
|
|
ASSERT_TRUE(BN_marshal_asn1(cbb.get(), bn.get()));
|
|
|
|
ASSERT_TRUE(CBB_finish(cbb.get(), &der, &der_len));
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<uint8_t> delete_der(der);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_EQ(Bytes(test.der, test.der_len), Bytes(der, der_len));
|
2015-06-12 03:52:07 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
for (const ASN1InvalidTest &test : kASN1InvalidTests) {
|
2017-06-04 20:37:23 +01:00
|
|
|
SCOPED_TRACE(Bytes(test.der, test.der_len));;
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
2015-06-12 03:52:07 +01:00
|
|
|
CBS cbs;
|
2017-06-04 20:37:23 +01:00
|
|
|
CBS_init(&cbs, reinterpret_cast<const uint8_t *>(test.der), test.der_len);
|
|
|
|
EXPECT_FALSE(BN_parse_asn1_unsigned(&cbs, bn.get()))
|
|
|
|
<< "Parsed invalid input.";
|
2015-06-12 03:52:07 +01:00
|
|
|
ERR_clear_error();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Serializing negative numbers is not supported.
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn = ASCIIToBIGNUM("-1");
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
2016-10-23 18:05:02 +01:00
|
|
|
bssl::ScopedCBB cbb;
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(CBB_init(cbb.get(), 0));
|
|
|
|
EXPECT_FALSE(BN_marshal_asn1(cbb.get(), bn.get()))
|
|
|
|
<< "Serialized negative number.";
|
2016-06-26 22:58:55 +01:00
|
|
|
ERR_clear_error();
|
2015-06-12 03:52:07 +01:00
|
|
|
}
|
2016-06-26 22:28:55 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, NegativeZero) {
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> a(BN_new());
|
|
|
|
bssl::UniquePtr<BIGNUM> b(BN_new());
|
|
|
|
bssl::UniquePtr<BIGNUM> c(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(b);
|
|
|
|
ASSERT_TRUE(c);
|
2016-06-26 22:28:55 +01:00
|
|
|
|
|
|
|
// Test that BN_mul never gives negative zero.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_set_word(a.get(), 1));
|
2016-06-26 22:28:55 +01:00
|
|
|
BN_set_negative(a.get(), 1);
|
|
|
|
BN_zero(b.get());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_mul(c.get(), a.get(), b.get(), ctx()));
|
|
|
|
EXPECT_TRUE(BN_is_zero(c.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(c.get()));
|
2016-06-26 22:28:55 +01:00
|
|
|
|
2016-08-03 05:21:18 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> numerator(BN_new()), denominator(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(numerator);
|
|
|
|
ASSERT_TRUE(denominator);
|
2016-08-02 18:09:19 +01:00
|
|
|
|
2016-08-03 05:21:18 +01:00
|
|
|
// Test that BN_div never gives negative zero in the quotient.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_set_word(numerator.get(), 1));
|
|
|
|
ASSERT_TRUE(BN_set_word(denominator.get(), 2));
|
2016-08-03 05:21:18 +01:00
|
|
|
BN_set_negative(numerator.get(), 1);
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_div(a.get(), b.get(), numerator.get(), denominator.get(), ctx()));
|
|
|
|
EXPECT_TRUE(BN_is_zero(a.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(a.get()));
|
2016-08-02 18:09:19 +01:00
|
|
|
|
2016-08-03 05:21:18 +01:00
|
|
|
// Test that BN_div never gives negative zero in the remainder.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_set_word(denominator.get(), 1));
|
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_div(a.get(), b.get(), numerator.get(), denominator.get(), ctx()));
|
|
|
|
EXPECT_TRUE(BN_is_zero(b.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(b.get()));
|
2016-08-02 17:49:38 +01:00
|
|
|
|
|
|
|
// Test that BN_set_negative will not produce a negative zero.
|
|
|
|
BN_zero(a.get());
|
|
|
|
BN_set_negative(a.get(), 1);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_is_negative(a.get()));
|
2016-08-02 17:49:38 +01:00
|
|
|
|
|
|
|
// Test that forcibly creating a negative zero does not break |BN_bn2hex| or
|
|
|
|
// |BN_bn2dec|.
|
|
|
|
a->neg = 1;
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<char> dec(BN_bn2dec(a.get()));
|
|
|
|
bssl::UniquePtr<char> hex(BN_bn2hex(a.get()));
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(dec);
|
|
|
|
ASSERT_TRUE(hex);
|
|
|
|
EXPECT_STREQ("-0", dec.get());
|
|
|
|
EXPECT_STREQ("-0", hex.get());
|
2016-06-26 22:58:55 +01:00
|
|
|
|
2016-11-16 13:56:39 +00:00
|
|
|
// Test that |BN_rshift| and |BN_rshift1| will not produce a negative zero.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_set_word(a.get(), 1));
|
2016-11-16 13:56:39 +00:00
|
|
|
BN_set_negative(a.get(), 1);
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_rshift(b.get(), a.get(), 1));
|
|
|
|
EXPECT_TRUE(BN_is_zero(b.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(b.get()));
|
2016-11-16 13:56:39 +00:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_rshift1(c.get(), a.get()));
|
|
|
|
EXPECT_TRUE(BN_is_zero(c.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(c.get()));
|
2016-11-16 13:56:39 +00:00
|
|
|
|
|
|
|
// Test that |BN_div_word| will not produce a negative zero.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_NE((BN_ULONG)-1, BN_div_word(a.get(), 2));
|
|
|
|
EXPECT_TRUE(BN_is_zero(a.get()));
|
|
|
|
EXPECT_FALSE(BN_is_negative(a.get()));
|
2016-06-26 22:58:55 +01:00
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, BadModulus) {
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> a(BN_new());
|
|
|
|
bssl::UniquePtr<BIGNUM> b(BN_new());
|
|
|
|
bssl::UniquePtr<BIGNUM> zero(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(b);
|
|
|
|
ASSERT_TRUE(zero);
|
2016-06-26 22:58:55 +01:00
|
|
|
|
|
|
|
BN_zero(zero.get());
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_div(a.get(), b.get(), BN_value_one(), zero.get(), ctx()));
|
2016-06-26 22:58:55 +01:00
|
|
|
ERR_clear_error();
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(
|
|
|
|
BN_mod_mul(a.get(), BN_value_one(), BN_value_one(), zero.get(), ctx()));
|
2016-06-26 23:15:12 +01:00
|
|
|
ERR_clear_error();
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(
|
|
|
|
BN_mod_exp(a.get(), BN_value_one(), BN_value_one(), zero.get(), ctx()));
|
2016-06-26 23:15:12 +01:00
|
|
|
ERR_clear_error();
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_mod_exp_mont(a.get(), BN_value_one(), BN_value_one(),
|
|
|
|
zero.get(), ctx(), NULL));
|
2016-07-01 22:34:10 +01:00
|
|
|
ERR_clear_error();
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_mod_exp_mont_consttime(
|
|
|
|
a.get(), BN_value_one(), BN_value_one(), zero.get(), ctx(), nullptr));
|
2016-06-26 23:15:12 +01:00
|
|
|
ERR_clear_error();
|
|
|
|
|
2018-01-23 22:03:26 +00:00
|
|
|
bssl::UniquePtr<BN_MONT_CTX> mont(
|
|
|
|
BN_MONT_CTX_new_for_modulus(zero.get(), ctx()));
|
|
|
|
EXPECT_FALSE(mont);
|
2016-06-26 23:15:12 +01:00
|
|
|
ERR_clear_error();
|
|
|
|
|
Restore the BN_mod codepath for public Montgomery moduli.
https://boringssl-review.googlesource.com/10520 and then later
https://boringssl-review.googlesource.com/25285 made BN_MONT_CTX_set
constant-time, which is necessary for RSA's mont_p and mont_q. However,
due to a typo in the benchmark, they did not correctly measure.
Split BN_MONT_CTX creation into a constant-time and variable-time one.
The constant-time one uses our current algorithm and the latter restores
the original BN_mod codepath.
Should we wish to avoid BN_mod, I have an alternate version lying
around:
First, BN_set_bit + bn_mod_lshift1_consttime as now to count up to 2*R.
Next, observe that 2*R = BN_to_montgomery(2) and R*R =
BN_to_montgomery(R) = BN_to_montgomery(2^r_bits) Also observe that
BN_mod_mul_montgomery only needs n0, not RR. Split the core of
BN_mod_exp_mont into its own function so the caller handles conversion.
Raise 2*R to the r_bits power to get 2^r_bits*R = R*R.
The advantage of that algorithm is that it is still constant-time, so we
only need one BN_MONT_CTX_new. Additionally, it avoids BN_mod which is
otherwise (almost, but the remaining links should be easy to cut) out of
the critical path for correctness. One less operation to worry about.
The disadvantage is that it is gives a 25% (RSA-2048) or 32% (RSA-4096)
slower RSA verification speed. I went with the BN_mod one for the time
being.
Before:
Did 9204 RSA 2048 signing operations in 10052053us (915.6 ops/sec)
Did 326000 RSA 2048 verify (same key) operations in 10028823us (32506.3 ops/sec)
Did 50830 RSA 2048 verify (fresh key) operations in 10033794us (5065.9 ops/sec)
Did 1269 RSA 4096 signing operations in 10019204us (126.7 ops/sec)
Did 88435 RSA 4096 verify (same key) operations in 10031129us (8816.1 ops/sec)
Did 14552 RSA 4096 verify (fresh key) operations in 10053411us (1447.5 ops/sec)
After:
Did 9150 RSA 2048 signing operations in 10022831us (912.9 ops/sec)
Did 322000 RSA 2048 verify (same key) operations in 10028604us (32108.2 ops/sec)
Did 289000 RSA 2048 verify (fresh key) operations in 10017205us (28850.4 ops/sec)
Did 1270 RSA 4096 signing operations in 10072950us (126.1 ops/sec)
Did 87480 RSA 4096 verify (same key) operations in 10036328us (8716.3 ops/sec)
Did 80730 RSA 4096 verify (fresh key) operations in 10073614us (8014.0 ops/sec)
Change-Id: Ie8916d1634ccf8513ceda458fa302f09f3e93c07
Reviewed-on: https://boringssl-review.googlesource.com/27287
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-04-10 21:46:33 +01:00
|
|
|
mont.reset(BN_MONT_CTX_new_consttime(b.get(), ctx()));
|
|
|
|
EXPECT_FALSE(mont);
|
|
|
|
ERR_clear_error();
|
|
|
|
|
2016-06-26 23:15:12 +01:00
|
|
|
// Some operations also may not be used with an even modulus.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_set_word(b.get(), 16));
|
2016-06-26 23:15:12 +01:00
|
|
|
|
2018-01-23 22:03:26 +00:00
|
|
|
mont.reset(BN_MONT_CTX_new_for_modulus(b.get(), ctx()));
|
|
|
|
EXPECT_FALSE(mont);
|
2016-06-26 23:15:12 +01:00
|
|
|
ERR_clear_error();
|
|
|
|
|
Restore the BN_mod codepath for public Montgomery moduli.
https://boringssl-review.googlesource.com/10520 and then later
https://boringssl-review.googlesource.com/25285 made BN_MONT_CTX_set
constant-time, which is necessary for RSA's mont_p and mont_q. However,
due to a typo in the benchmark, they did not correctly measure.
Split BN_MONT_CTX creation into a constant-time and variable-time one.
The constant-time one uses our current algorithm and the latter restores
the original BN_mod codepath.
Should we wish to avoid BN_mod, I have an alternate version lying
around:
First, BN_set_bit + bn_mod_lshift1_consttime as now to count up to 2*R.
Next, observe that 2*R = BN_to_montgomery(2) and R*R =
BN_to_montgomery(R) = BN_to_montgomery(2^r_bits) Also observe that
BN_mod_mul_montgomery only needs n0, not RR. Split the core of
BN_mod_exp_mont into its own function so the caller handles conversion.
Raise 2*R to the r_bits power to get 2^r_bits*R = R*R.
The advantage of that algorithm is that it is still constant-time, so we
only need one BN_MONT_CTX_new. Additionally, it avoids BN_mod which is
otherwise (almost, but the remaining links should be easy to cut) out of
the critical path for correctness. One less operation to worry about.
The disadvantage is that it is gives a 25% (RSA-2048) or 32% (RSA-4096)
slower RSA verification speed. I went with the BN_mod one for the time
being.
Before:
Did 9204 RSA 2048 signing operations in 10052053us (915.6 ops/sec)
Did 326000 RSA 2048 verify (same key) operations in 10028823us (32506.3 ops/sec)
Did 50830 RSA 2048 verify (fresh key) operations in 10033794us (5065.9 ops/sec)
Did 1269 RSA 4096 signing operations in 10019204us (126.7 ops/sec)
Did 88435 RSA 4096 verify (same key) operations in 10031129us (8816.1 ops/sec)
Did 14552 RSA 4096 verify (fresh key) operations in 10053411us (1447.5 ops/sec)
After:
Did 9150 RSA 2048 signing operations in 10022831us (912.9 ops/sec)
Did 322000 RSA 2048 verify (same key) operations in 10028604us (32108.2 ops/sec)
Did 289000 RSA 2048 verify (fresh key) operations in 10017205us (28850.4 ops/sec)
Did 1270 RSA 4096 signing operations in 10072950us (126.1 ops/sec)
Did 87480 RSA 4096 verify (same key) operations in 10036328us (8716.3 ops/sec)
Did 80730 RSA 4096 verify (fresh key) operations in 10073614us (8014.0 ops/sec)
Change-Id: Ie8916d1634ccf8513ceda458fa302f09f3e93c07
Reviewed-on: https://boringssl-review.googlesource.com/27287
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-04-10 21:46:33 +01:00
|
|
|
mont.reset(BN_MONT_CTX_new_consttime(b.get(), ctx()));
|
|
|
|
EXPECT_FALSE(mont);
|
|
|
|
ERR_clear_error();
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_mod_exp_mont(a.get(), BN_value_one(), BN_value_one(), b.get(),
|
|
|
|
ctx(), NULL));
|
2016-07-01 22:34:10 +01:00
|
|
|
ERR_clear_error();
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_mod_exp_mont_consttime(
|
|
|
|
a.get(), BN_value_one(), BN_value_one(), b.get(), ctx(), nullptr));
|
2016-06-26 23:15:12 +01:00
|
|
|
ERR_clear_error();
|
2016-06-26 22:28:55 +01:00
|
|
|
}
|
2016-06-26 23:17:31 +01:00
|
|
|
|
2018-08-15 02:56:24 +01:00
|
|
|
// Test that a**0 mod 1 == 0.
|
|
|
|
TEST_F(BNTest, ExpZeroModOne) {
|
|
|
|
bssl::UniquePtr<BIGNUM> zero(BN_new()), a(BN_new()), r(BN_new()),
|
|
|
|
minus_one(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(zero);
|
|
|
|
ASSERT_TRUE(a);
|
|
|
|
ASSERT_TRUE(r);
|
2018-08-15 02:56:24 +01:00
|
|
|
ASSERT_TRUE(minus_one);
|
|
|
|
ASSERT_TRUE(BN_set_word(minus_one.get(), 1));
|
|
|
|
BN_set_negative(minus_one.get(), 1);
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_rand(a.get(), 1024, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY));
|
2016-06-26 23:17:31 +01:00
|
|
|
BN_zero(zero.get());
|
|
|
|
|
2018-04-17 16:59:28 +01:00
|
|
|
ASSERT_TRUE(BN_mod_exp(r.get(), a.get(), zero.get(), BN_value_one(), ctx()));
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_is_zero(r.get()));
|
2018-08-15 02:56:24 +01:00
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_mod_exp(r.get(), zero.get(), zero.get(), BN_value_one(), ctx()));
|
|
|
|
EXPECT_TRUE(BN_is_zero(r.get()));
|
2017-06-04 20:37:23 +01:00
|
|
|
|
|
|
|
ASSERT_TRUE(BN_mod_exp_mont_word(r.get(), 42, zero.get(), BN_value_one(),
|
2018-04-17 16:59:28 +01:00
|
|
|
ctx(), nullptr));
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_is_zero(r.get()));
|
2018-08-15 02:56:24 +01:00
|
|
|
ASSERT_TRUE(BN_mod_exp_mont_word(r.get(), 0, zero.get(), BN_value_one(),
|
|
|
|
ctx(), nullptr));
|
|
|
|
EXPECT_TRUE(BN_is_zero(r.get()));
|
|
|
|
|
|
|
|
// |BN_mod_exp_mont| and |BN_mod_exp_mont_consttime| require fully-reduced
|
|
|
|
// inputs, so a**0 mod 1 is not a valid call. 0**0 mod 1 is valid, however.
|
|
|
|
ASSERT_TRUE(BN_mod_exp_mont(r.get(), zero.get(), zero.get(), BN_value_one(),
|
|
|
|
ctx(), nullptr));
|
|
|
|
EXPECT_TRUE(BN_is_zero(r.get()));
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_mod_exp_mont_consttime(r.get(), zero.get(), zero.get(),
|
|
|
|
BN_value_one(), ctx(), nullptr));
|
|
|
|
EXPECT_TRUE(BN_is_zero(r.get()));
|
2016-06-26 23:17:31 +01:00
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, SmallPrime) {
|
2016-06-26 23:17:31 +01:00
|
|
|
static const unsigned kBits = 10;
|
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> r(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(r);
|
|
|
|
ASSERT_TRUE(BN_generate_prime_ex(r.get(), static_cast<int>(kBits), 0, NULL,
|
|
|
|
NULL, NULL));
|
|
|
|
EXPECT_EQ(kBits, BN_num_bits(r.get()));
|
2016-06-26 23:17:31 +01:00
|
|
|
}
|
2016-07-09 23:22:50 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, CmpWord) {
|
2016-07-29 17:11:34 +01:00
|
|
|
static const BN_ULONG kMaxWord = (BN_ULONG)-1;
|
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> r(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(r);
|
|
|
|
ASSERT_TRUE(BN_set_word(r.get(), 0));
|
2016-07-29 17:11:34 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_EQ(BN_cmp_word(r.get(), 0), 0);
|
|
|
|
EXPECT_LT(BN_cmp_word(r.get(), 1), 0);
|
|
|
|
EXPECT_LT(BN_cmp_word(r.get(), kMaxWord), 0);
|
2016-07-29 17:11:34 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_set_word(r.get(), 100));
|
2016-07-29 17:11:34 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_GT(BN_cmp_word(r.get(), 0), 0);
|
|
|
|
EXPECT_GT(BN_cmp_word(r.get(), 99), 0);
|
|
|
|
EXPECT_EQ(BN_cmp_word(r.get(), 100), 0);
|
|
|
|
EXPECT_LT(BN_cmp_word(r.get(), 101), 0);
|
|
|
|
EXPECT_LT(BN_cmp_word(r.get(), kMaxWord), 0);
|
2016-07-29 17:11:34 +01:00
|
|
|
|
|
|
|
BN_set_negative(r.get(), 1);
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_LT(BN_cmp_word(r.get(), 0), 0);
|
|
|
|
EXPECT_LT(BN_cmp_word(r.get(), 100), 0);
|
|
|
|
EXPECT_LT(BN_cmp_word(r.get(), kMaxWord), 0);
|
2016-07-29 17:11:34 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_set_word(r.get(), kMaxWord));
|
2016-07-29 17:11:34 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_GT(BN_cmp_word(r.get(), 0), 0);
|
|
|
|
EXPECT_GT(BN_cmp_word(r.get(), kMaxWord - 1), 0);
|
|
|
|
EXPECT_EQ(BN_cmp_word(r.get(), kMaxWord), 0);
|
2016-07-29 17:11:34 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_add(r.get(), r.get(), BN_value_one()));
|
2016-07-29 17:11:34 +01:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_GT(BN_cmp_word(r.get(), 0), 0);
|
|
|
|
EXPECT_GT(BN_cmp_word(r.get(), kMaxWord), 0);
|
2016-07-29 17:11:34 +01:00
|
|
|
|
|
|
|
BN_set_negative(r.get(), 1);
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_LT(BN_cmp_word(r.get(), 0), 0);
|
|
|
|
EXPECT_LT(BN_cmp_word(r.get(), kMaxWord), 0);
|
2016-07-29 17:11:34 +01:00
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, BN2Dec) {
|
2016-08-23 06:19:01 +01:00
|
|
|
static const char *kBN2DecTests[] = {
|
|
|
|
"0",
|
|
|
|
"1",
|
|
|
|
"-1",
|
|
|
|
"100",
|
|
|
|
"-100",
|
|
|
|
"123456789012345678901234567890",
|
|
|
|
"-123456789012345678901234567890",
|
|
|
|
"123456789012345678901234567890123456789012345678901234567890",
|
|
|
|
"-123456789012345678901234567890123456789012345678901234567890",
|
|
|
|
};
|
|
|
|
|
|
|
|
for (const char *test : kBN2DecTests) {
|
2017-06-04 20:37:23 +01:00
|
|
|
SCOPED_TRACE(test);
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn;
|
2016-08-23 06:19:01 +01:00
|
|
|
int ret = DecimalToBIGNUM(&bn, test);
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_NE(0, ret);
|
2016-08-23 06:19:01 +01:00
|
|
|
|
2016-08-18 04:10:28 +01:00
|
|
|
bssl::UniquePtr<char> dec(BN_bn2dec(bn.get()));
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(dec);
|
|
|
|
EXPECT_STREQ(test, dec.get());
|
2016-08-23 06:19:01 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, SetGetU64) {
|
2016-08-24 04:53:12 +01:00
|
|
|
static const struct {
|
|
|
|
const char *hex;
|
|
|
|
uint64_t value;
|
|
|
|
} kU64Tests[] = {
|
|
|
|
{"0", UINT64_C(0x0)},
|
|
|
|
{"1", UINT64_C(0x1)},
|
|
|
|
{"ffffffff", UINT64_C(0xffffffff)},
|
|
|
|
{"100000000", UINT64_C(0x100000000)},
|
|
|
|
{"ffffffffffffffff", UINT64_C(0xffffffffffffffff)},
|
|
|
|
};
|
|
|
|
|
|
|
|
for (const auto& test : kU64Tests) {
|
2017-06-04 20:37:23 +01:00
|
|
|
SCOPED_TRACE(test.hex);
|
2016-08-24 04:53:12 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> bn(BN_new()), expected;
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
|
|
|
ASSERT_TRUE(BN_set_u64(bn.get(), test.value));
|
|
|
|
ASSERT_TRUE(HexToBIGNUM(&expected, test.hex));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("BN_set_u64", expected.get(), bn.get());
|
2016-12-16 00:28:44 +00:00
|
|
|
|
|
|
|
uint64_t tmp;
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_get_u64(bn.get(), &tmp));
|
|
|
|
EXPECT_EQ(test.value, tmp);
|
2016-12-16 00:28:44 +00:00
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
// BN_get_u64 ignores the sign bit.
|
2016-12-16 00:28:44 +00:00
|
|
|
BN_set_negative(bn.get(), 1);
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_get_u64(bn.get(), &tmp));
|
|
|
|
EXPECT_EQ(test.value, tmp);
|
2016-12-16 00:28:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Test that BN_get_u64 fails on large numbers.
|
|
|
|
bssl::UniquePtr<BIGNUM> bn(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(bn);
|
|
|
|
ASSERT_TRUE(BN_lshift(bn.get(), BN_value_one(), 64));
|
2016-12-16 00:28:44 +00:00
|
|
|
|
|
|
|
uint64_t tmp;
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_get_u64(bn.get(), &tmp));
|
2016-12-16 00:28:44 +00:00
|
|
|
|
|
|
|
BN_set_negative(bn.get(), 1);
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_get_u64(bn.get(), &tmp));
|
2016-08-24 04:53:12 +01:00
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, Pow2) {
|
|
|
|
bssl::UniquePtr<BIGNUM> power_of_two(BN_new()), random(BN_new()),
|
|
|
|
expected(BN_new()), actual(BN_new());
|
|
|
|
ASSERT_TRUE(power_of_two);
|
|
|
|
ASSERT_TRUE(random);
|
|
|
|
ASSERT_TRUE(expected);
|
|
|
|
ASSERT_TRUE(actual);
|
2017-01-30 19:52:27 +00:00
|
|
|
|
|
|
|
// Choose an exponent.
|
|
|
|
for (size_t e = 3; e < 512; e += 11) {
|
2017-06-04 20:37:23 +01:00
|
|
|
SCOPED_TRACE(e);
|
2017-01-30 19:52:27 +00:00
|
|
|
// Choose a bit length for our randoms.
|
|
|
|
for (int len = 3; len < 512; len += 23) {
|
2017-06-04 20:37:23 +01:00
|
|
|
SCOPED_TRACE(len);
|
2017-01-30 19:52:27 +00:00
|
|
|
// Set power_of_two = 2^e.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_lshift(power_of_two.get(), BN_value_one(), (int)e));
|
2017-01-30 19:52:27 +00:00
|
|
|
|
|
|
|
// Test BN_is_pow2 on power_of_two.
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_TRUE(BN_is_pow2(power_of_two.get()));
|
2017-01-30 19:52:27 +00:00
|
|
|
|
|
|
|
// Pick a large random value, ensuring it isn't a power of two.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_rand(random.get(), len, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY));
|
2017-01-30 19:52:27 +00:00
|
|
|
|
|
|
|
// Test BN_is_pow2 on |r|.
|
2017-06-04 20:37:23 +01:00
|
|
|
EXPECT_FALSE(BN_is_pow2(random.get()));
|
2017-01-30 19:52:27 +00:00
|
|
|
|
|
|
|
// Test BN_mod_pow2 on |r|.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_mod(expected.get(), random.get(), power_of_two.get(), ctx()));
|
|
|
|
ASSERT_TRUE(BN_mod_pow2(actual.get(), random.get(), e));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("random (mod power_of_two)", expected.get(),
|
|
|
|
actual.get());
|
2017-01-30 19:52:27 +00:00
|
|
|
|
|
|
|
// Test BN_nnmod_pow2 on |r|.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_nnmod(expected.get(), random.get(), power_of_two.get(), ctx()));
|
|
|
|
ASSERT_TRUE(BN_nnmod_pow2(actual.get(), random.get(), e));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("random (mod power_of_two), non-negative",
|
|
|
|
expected.get(), actual.get());
|
2017-01-30 19:52:27 +00:00
|
|
|
|
|
|
|
// Test BN_nnmod_pow2 on -|r|.
|
|
|
|
BN_set_negative(random.get(), 1);
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(
|
|
|
|
BN_nnmod(expected.get(), random.get(), power_of_two.get(), ctx()));
|
|
|
|
ASSERT_TRUE(BN_nnmod_pow2(actual.get(), random.get(), e));
|
|
|
|
EXPECT_BIGNUMS_EQUAL("-random (mod power_of_two), non-negative",
|
|
|
|
expected.get(), actual.get());
|
2017-01-30 19:52:27 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-04-27 17:10:02 +01:00
|
|
|
static const int kPrimes[] = {
|
|
|
|
2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31,
|
|
|
|
37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79,
|
|
|
|
83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
|
|
|
|
139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193,
|
|
|
|
197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257,
|
|
|
|
263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317,
|
|
|
|
331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389,
|
|
|
|
397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457,
|
|
|
|
461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523,
|
|
|
|
541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601,
|
|
|
|
607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661,
|
|
|
|
673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743,
|
|
|
|
751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823,
|
|
|
|
827, 829, 839, 853, 857, 859, 863, 877, 881, 883, 887,
|
|
|
|
907, 911, 919, 929, 937, 941, 947, 953, 967, 971, 977,
|
|
|
|
983, 991, 997, 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049,
|
|
|
|
1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097, 1103, 1109, 1117,
|
|
|
|
1123, 1129, 1151, 1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,
|
|
|
|
1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289,
|
|
|
|
1291, 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373,
|
|
|
|
1381, 1399, 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451, 1453,
|
|
|
|
1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, 1523, 1531,
|
|
|
|
1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, 1601, 1607,
|
|
|
|
1609, 1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693,
|
|
|
|
1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 1753, 1759, 1777,
|
|
|
|
1783, 1787, 1789, 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,
|
|
|
|
1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, 1951,
|
|
|
|
1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011, 2017, 2027, 2029,
|
|
|
|
2039, 2053, 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113,
|
|
|
|
2129, 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213,
|
|
|
|
2221, 2237, 2239, 2243, 2251, 2267, 2269, 2273, 2281, 2287, 2293,
|
|
|
|
2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377,
|
|
|
|
2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, 2437, 2441, 2447,
|
|
|
|
2459, 2467, 2473, 2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,
|
|
|
|
2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, 2659,
|
|
|
|
2663, 2671, 2677, 2683, 2687, 2689, 2693, 2699, 2707, 2711, 2713,
|
|
|
|
2719, 2729, 2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791, 2797,
|
|
|
|
2801, 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 2879, 2887,
|
|
|
|
2897, 2903, 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971,
|
|
|
|
2999, 3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079,
|
|
|
|
3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, 3169, 3181, 3187,
|
|
|
|
3191, 3203, 3209, 3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,
|
|
|
|
3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347, 3359,
|
|
|
|
3361, 3371, 3373, 3389, 3391, 3407, 3413, 3433, 3449, 3457, 3461,
|
|
|
|
3463, 3467, 3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533, 3539,
|
|
|
|
3541, 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607, 3613, 3617,
|
|
|
|
3623, 3631, 3637, 3643, 3659, 3671, 3673, 3677, 3691, 3697, 3701,
|
|
|
|
3709, 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797,
|
|
|
|
3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889,
|
|
|
|
3907, 3911, 3917, 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
|
|
|
|
4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 4073,
|
|
|
|
4079, 4091, 4093, 4099, 4111, 4127, 4129, 4133, 4139, 4153, 4157,
|
|
|
|
4159, 4177, 4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243, 4253,
|
|
|
|
4259, 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, 4339, 4349,
|
|
|
|
4357, 4363, 4373, 4391, 4397, 4409, 4421, 4423, 4441, 4447, 4451,
|
|
|
|
4457, 4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547,
|
|
|
|
4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, 4637, 4639, 4643,
|
|
|
|
4649, 4651, 4657, 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,
|
|
|
|
4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, 4817,
|
|
|
|
4831, 4861, 4871, 4877, 4889, 4903, 4909, 4919, 4931, 4933, 4937,
|
|
|
|
4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, 5009,
|
|
|
|
5011, 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, 5099, 5101,
|
|
|
|
5107, 5113, 5119, 5147, 5153, 5167, 5171, 5179, 5189, 5197, 5209,
|
|
|
|
5227, 5231, 5233, 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309,
|
|
|
|
5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399, 5407, 5413, 5417,
|
|
|
|
5419, 5431, 5437, 5441, 5443, 5449, 5471, 5477, 5479, 5483, 5501,
|
|
|
|
5503, 5507, 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, 5581,
|
|
|
|
5591, 5623, 5639, 5641, 5647, 5651, 5653, 5657, 5659, 5669, 5683,
|
|
|
|
5689, 5693, 5701, 5711, 5717, 5737, 5741, 5743, 5749, 5779, 5783,
|
|
|
|
5791, 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, 5851, 5857,
|
|
|
|
5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939, 5953,
|
|
|
|
5981, 5987, 6007, 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073,
|
|
|
|
6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 6143, 6151, 6163,
|
|
|
|
6173, 6197, 6199, 6203, 6211, 6217, 6221, 6229, 6247, 6257, 6263,
|
|
|
|
6269, 6271, 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, 6337,
|
|
|
|
6343, 6353, 6359, 6361, 6367, 6373, 6379, 6389, 6397, 6421, 6427,
|
|
|
|
6449, 6451, 6469, 6473, 6481, 6491, 6521, 6529, 6547, 6551, 6553,
|
|
|
|
6563, 6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637, 6653, 6659,
|
|
|
|
6661, 6673, 6679, 6689, 6691, 6701, 6703, 6709, 6719, 6733, 6737,
|
|
|
|
6761, 6763, 6779, 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833,
|
|
|
|
6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, 6911, 6917, 6947,
|
|
|
|
6949, 6959, 6961, 6967, 6971, 6977, 6983, 6991, 6997, 7001, 7013,
|
|
|
|
7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, 7127,
|
|
|
|
7129, 7151, 7159, 7177, 7187, 7193, 7207, 7211, 7213, 7219, 7229,
|
|
|
|
7237, 7243, 7247, 7253, 7283, 7297, 7307, 7309, 7321, 7331, 7333,
|
|
|
|
7349, 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, 7459, 7477,
|
|
|
|
7481, 7487, 7489, 7499, 7507, 7517, 7523, 7529, 7537, 7541, 7547,
|
|
|
|
7549, 7559, 7561, 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621,
|
|
|
|
7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, 7699, 7703, 7717,
|
|
|
|
7723, 7727, 7741, 7753, 7757, 7759, 7789, 7793, 7817, 7823, 7829,
|
|
|
|
7841, 7853, 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, 7927,
|
|
|
|
7933, 7937, 7949, 7951, 7963, 7993, 8009, 8011, 8017, 8039, 8053,
|
|
|
|
8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111, 8117, 8123, 8147,
|
|
|
|
8161, 8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231, 8233, 8237,
|
|
|
|
8243, 8263, 8269, 8273, 8287, 8291, 8293, 8297, 8311, 8317, 8329,
|
|
|
|
8353, 8363, 8369, 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443,
|
|
|
|
8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537, 8539, 8543, 8563,
|
|
|
|
8573, 8581, 8597, 8599, 8609, 8623, 8627, 8629, 8641, 8647, 8663,
|
|
|
|
8669, 8677, 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, 8737,
|
|
|
|
8741, 8747, 8753, 8761, 8779, 8783, 8803, 8807, 8819, 8821, 8831,
|
|
|
|
8837, 8839, 8849, 8861, 8863, 8867, 8887, 8893, 8923, 8929, 8933,
|
|
|
|
8941, 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, 9013, 9029,
|
|
|
|
9041, 9043, 9049, 9059, 9067, 9091, 9103, 9109, 9127, 9133, 9137,
|
|
|
|
9151, 9157, 9161, 9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227,
|
|
|
|
9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, 9319, 9323, 9337,
|
|
|
|
9341, 9343, 9349, 9371, 9377, 9391, 9397, 9403, 9413, 9419, 9421,
|
|
|
|
9431, 9433, 9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491, 9497,
|
|
|
|
9511, 9521, 9533, 9539, 9547, 9551, 9587, 9601, 9613, 9619, 9623,
|
|
|
|
9629, 9631, 9643, 9649, 9661, 9677, 9679, 9689, 9697, 9719, 9721,
|
|
|
|
9733, 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, 9803, 9811,
|
|
|
|
9817, 9829, 9833, 9839, 9851, 9857, 9859, 9871, 9883, 9887, 9901,
|
|
|
|
9907, 9923, 9929, 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037,
|
|
|
|
10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, 10103, 10111, 10133,
|
|
|
|
10139, 10141, 10151, 10159, 10163, 10169, 10177, 10181, 10193, 10211, 10223,
|
|
|
|
10243, 10247, 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, 10313,
|
|
|
|
10321, 10331, 10333, 10337, 10343, 10357, 10369, 10391, 10399, 10427, 10429,
|
|
|
|
10433, 10453, 10457, 10459, 10463, 10477, 10487, 10499, 10501, 10513, 10529,
|
|
|
|
10531, 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, 10631, 10639,
|
|
|
|
10651, 10657, 10663, 10667, 10687, 10691, 10709, 10711, 10723, 10729, 10733,
|
|
|
|
10739, 10753, 10771, 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859,
|
|
|
|
10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, 10939, 10949, 10957,
|
|
|
|
10973, 10979, 10987, 10993, 11003, 11027, 11047, 11057, 11059, 11069, 11071,
|
|
|
|
11083, 11087, 11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161, 11171,
|
|
|
|
11173, 11177, 11197, 11213, 11239, 11243, 11251, 11257, 11261, 11273, 11279,
|
|
|
|
11287, 11299, 11311, 11317, 11321, 11329, 11351, 11353, 11369, 11383, 11393,
|
|
|
|
11399, 11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483, 11489, 11491,
|
|
|
|
11497, 11503, 11519, 11527, 11549, 11551, 11579, 11587, 11593, 11597, 11617,
|
|
|
|
11621, 11633, 11657, 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731,
|
|
|
|
11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813, 11821, 11827, 11831,
|
|
|
|
11833, 11839, 11863, 11867, 11887, 11897, 11903, 11909, 11923, 11927, 11933,
|
|
|
|
11939, 11941, 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, 12037,
|
|
|
|
12041, 12043, 12049, 12071, 12073, 12097, 12101, 12107, 12109, 12113, 12119,
|
|
|
|
12143, 12149, 12157, 12161, 12163, 12197, 12203, 12211, 12227, 12239, 12241,
|
|
|
|
12251, 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, 12329, 12343,
|
|
|
|
12347, 12373, 12377, 12379, 12391, 12401, 12409, 12413, 12421, 12433, 12437,
|
|
|
|
12451, 12457, 12473, 12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527,
|
|
|
|
12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, 12601, 12611, 12613,
|
|
|
|
12619, 12637, 12641, 12647, 12653, 12659, 12671, 12689, 12697, 12703, 12713,
|
|
|
|
12721, 12739, 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, 12823,
|
|
|
|
12829, 12841, 12853, 12889, 12893, 12899, 12907, 12911, 12917, 12919, 12923,
|
|
|
|
12941, 12953, 12959, 12967, 12973, 12979, 12983, 13001, 13003, 13007, 13009,
|
|
|
|
13033, 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109, 13121, 13127,
|
|
|
|
13147, 13151, 13159, 13163, 13171, 13177, 13183, 13187, 13217, 13219, 13229,
|
|
|
|
13241, 13249, 13259, 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337,
|
|
|
|
13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421, 13441, 13451, 13457,
|
|
|
|
13463, 13469, 13477, 13487, 13499, 13513, 13523, 13537, 13553, 13567, 13577,
|
|
|
|
13591, 13597, 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, 13687,
|
|
|
|
13691, 13693, 13697, 13709, 13711, 13721, 13723, 13729, 13751, 13757, 13759,
|
|
|
|
13763, 13781, 13789, 13799, 13807, 13829, 13831, 13841, 13859, 13873, 13877,
|
|
|
|
13879, 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, 13963, 13967,
|
|
|
|
13997, 13999, 14009, 14011, 14029, 14033, 14051, 14057, 14071, 14081, 14083,
|
|
|
|
14087, 14107, 14143, 14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221,
|
|
|
|
14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, 14327, 14341, 14347,
|
|
|
|
14369, 14387, 14389, 14401, 14407, 14411, 14419, 14423, 14431, 14437, 14447,
|
|
|
|
14449, 14461, 14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549, 14551,
|
|
|
|
14557, 14561, 14563, 14591, 14593, 14621, 14627, 14629, 14633, 14639, 14653,
|
|
|
|
14657, 14669, 14683, 14699, 14713, 14717, 14723, 14731, 14737, 14741, 14747,
|
|
|
|
14753, 14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821, 14827, 14831,
|
|
|
|
14843, 14851, 14867, 14869, 14879, 14887, 14891, 14897, 14923, 14929, 14939,
|
|
|
|
14947, 14951, 14957, 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073,
|
|
|
|
15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, 15139, 15149, 15161,
|
|
|
|
15173, 15187, 15193, 15199, 15217, 15227, 15233, 15241, 15259, 15263, 15269,
|
|
|
|
15271, 15277, 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, 15349,
|
|
|
|
15359, 15361, 15373, 15377, 15383, 15391, 15401, 15413, 15427, 15439, 15443,
|
|
|
|
15451, 15461, 15467, 15473, 15493, 15497, 15511, 15527, 15541, 15551, 15559,
|
|
|
|
15569, 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, 15647, 15649,
|
|
|
|
15661, 15667, 15671, 15679, 15683, 15727, 15731, 15733, 15737, 15739, 15749,
|
|
|
|
15761, 15767, 15773, 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859,
|
|
|
|
15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, 15923, 15937, 15959,
|
|
|
|
15971, 15973, 15991, 16001, 16007, 16033, 16057, 16061, 16063, 16067, 16069,
|
|
|
|
16073, 16087, 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, 16187,
|
|
|
|
16189, 16193, 16217, 16223, 16229, 16231, 16249, 16253, 16267, 16273, 16301,
|
|
|
|
16319, 16333, 16339, 16349, 16361, 16363, 16369, 16381, 16411, 16417, 16421,
|
|
|
|
16427, 16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493, 16519, 16529,
|
|
|
|
16547, 16553, 16561, 16567, 16573, 16603, 16607, 16619, 16631, 16633, 16649,
|
|
|
|
16651, 16657, 16661, 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747,
|
|
|
|
16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843, 16871, 16879, 16883,
|
|
|
|
16889, 16901, 16903, 16921, 16927, 16931, 16937, 16943, 16963, 16979, 16981,
|
|
|
|
16987, 16993, 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, 17077,
|
|
|
|
17093, 17099, 17107, 17117, 17123, 17137, 17159, 17167, 17183, 17189, 17191,
|
|
|
|
17203, 17207, 17209, 17231, 17239, 17257, 17291, 17293, 17299, 17317, 17321,
|
|
|
|
17327, 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, 17393, 17401,
|
|
|
|
17417, 17419, 17431, 17443, 17449, 17467, 17471, 17477, 17483, 17489, 17491,
|
|
|
|
17497, 17509, 17519, 17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599,
|
|
|
|
17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, 17707, 17713, 17729,
|
|
|
|
17737, 17747, 17749, 17761, 17783, 17789, 17791, 17807, 17827, 17837, 17839,
|
|
|
|
17851, 17863, 17881, 17891, 17903, 17909, 17911, 17921, 17923, 17929, 17939,
|
|
|
|
17957, 17959, 17971, 17977, 17981, 17987, 17989, 18013, 18041, 18043, 18047,
|
|
|
|
18049, 18059, 18061, 18077, 18089, 18097, 18119, 18121, 18127, 18131, 18133,
|
|
|
|
18143, 18149, 18169, 18181, 18191, 18199, 18211, 18217, 18223, 18229, 18233,
|
|
|
|
18251, 18253, 18257, 18269, 18287, 18289, 18301, 18307, 18311, 18313, 18329,
|
|
|
|
18341, 18353, 18367, 18371, 18379, 18397, 18401, 18413, 18427, 18433, 18439,
|
|
|
|
18443, 18451, 18457, 18461, 18481, 18493, 18503, 18517, 18521, 18523, 18539,
|
|
|
|
18541, 18553, 18583, 18587, 18593, 18617, 18637, 18661, 18671, 18679, 18691,
|
|
|
|
18701, 18713, 18719, 18731, 18743, 18749, 18757, 18773, 18787, 18793, 18797,
|
|
|
|
18803, 18839, 18859, 18869, 18899, 18911, 18913, 18917, 18919, 18947, 18959,
|
|
|
|
18973, 18979, 19001, 19009, 19013, 19031, 19037, 19051, 19069, 19073, 19079,
|
|
|
|
19081, 19087, 19121, 19139, 19141, 19157, 19163, 19181, 19183, 19207, 19211,
|
|
|
|
19213, 19219, 19231, 19237, 19249, 19259, 19267, 19273, 19289, 19301, 19309,
|
|
|
|
19319, 19333, 19373, 19379, 19381, 19387, 19391, 19403, 19417, 19421, 19423,
|
|
|
|
19427, 19429, 19433, 19441, 19447, 19457, 19463, 19469, 19471, 19477, 19483,
|
|
|
|
19489, 19501, 19507, 19531, 19541, 19543, 19553, 19559, 19571, 19577, 19583,
|
|
|
|
19597, 19603, 19609, 19661, 19681, 19687, 19697, 19699, 19709, 19717, 19727,
|
|
|
|
19739, 19751, 19753, 19759, 19763, 19777, 19793, 19801, 19813, 19819, 19841,
|
|
|
|
19843, 19853, 19861, 19867, 19889, 19891, 19913, 19919, 19927, 19937, 19949,
|
|
|
|
19961, 19963, 19973, 19979, 19991, 19993, 19997,
|
2017-04-20 00:40:08 +01:00
|
|
|
};
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
TEST_F(BNTest, PrimeChecking) {
|
2017-04-20 00:40:08 +01:00
|
|
|
bssl::UniquePtr<BIGNUM> p(BN_new());
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(p);
|
2017-04-20 00:40:08 +01:00
|
|
|
int is_probably_prime_1 = 0, is_probably_prime_2 = 0;
|
2018-01-27 23:49:02 +00:00
|
|
|
enum bn_primality_result_t result_3;
|
2017-04-20 00:40:08 +01:00
|
|
|
|
|
|
|
const int max_prime = kPrimes[OPENSSL_ARRAY_SIZE(kPrimes)-1];
|
|
|
|
size_t next_prime_index = 0;
|
|
|
|
|
|
|
|
for (int i = 0; i <= max_prime; i++) {
|
2017-06-04 20:37:23 +01:00
|
|
|
SCOPED_TRACE(i);
|
2017-04-20 00:40:08 +01:00
|
|
|
bool is_prime = false;
|
|
|
|
|
|
|
|
if (i == kPrimes[next_prime_index]) {
|
|
|
|
is_prime = true;
|
|
|
|
next_prime_index++;
|
|
|
|
}
|
|
|
|
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_set_word(p.get(), i));
|
|
|
|
ASSERT_TRUE(BN_primality_test(
|
|
|
|
&is_probably_prime_1, p.get(), BN_prime_checks, ctx(),
|
|
|
|
false /* do_trial_division */, nullptr /* callback */));
|
|
|
|
EXPECT_EQ(is_prime ? 1 : 0, is_probably_prime_1);
|
|
|
|
ASSERT_TRUE(BN_primality_test(
|
|
|
|
&is_probably_prime_2, p.get(), BN_prime_checks, ctx(),
|
|
|
|
true /* do_trial_division */, nullptr /* callback */));
|
|
|
|
EXPECT_EQ(is_prime ? 1 : 0, is_probably_prime_2);
|
2018-01-27 23:49:02 +00:00
|
|
|
if (i > 3 && i % 2 == 1) {
|
|
|
|
ASSERT_TRUE(BN_enhanced_miller_rabin_primality_test(
|
|
|
|
&result_3, p.get(), BN_prime_checks, ctx(), nullptr /* callback */));
|
|
|
|
EXPECT_EQ(is_prime, result_3 == bn_probably_prime);
|
|
|
|
}
|
2017-04-20 00:40:08 +01:00
|
|
|
}
|
|
|
|
|
2017-04-21 16:49:34 +01:00
|
|
|
// Negative numbers are not prime.
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_set_word(p.get(), 7));
|
2017-04-21 16:49:34 +01:00
|
|
|
BN_set_negative(p.get(), 1);
|
2017-06-04 20:37:23 +01:00
|
|
|
ASSERT_TRUE(BN_primality_test(&is_probably_prime_1, p.get(), BN_prime_checks,
|
|
|
|
ctx(), false /* do_trial_division */,
|
|
|
|
nullptr /* callback */));
|
|
|
|
EXPECT_EQ(0, is_probably_prime_1);
|
|
|
|
ASSERT_TRUE(BN_primality_test(&is_probably_prime_2, p.get(), BN_prime_checks,
|
|
|
|
ctx(), true /* do_trial_division */,
|
|
|
|
nullptr /* callback */));
|
|
|
|
EXPECT_EQ(0, is_probably_prime_2);
|
2018-03-20 19:48:41 +00:00
|
|
|
|
|
|
|
// The following composite numbers come from http://oeis.org/A014233 and are
|
|
|
|
// such that the first several primes are not a Rabin-Miller composite
|
|
|
|
// witness.
|
|
|
|
static const char *kA014233[] = {
|
|
|
|
"2047",
|
|
|
|
"1373653",
|
|
|
|
"25326001",
|
|
|
|
"3215031751",
|
|
|
|
"2152302898747",
|
|
|
|
"3474749660383",
|
|
|
|
"341550071728321",
|
|
|
|
"3825123056546413051",
|
|
|
|
"318665857834031151167461",
|
|
|
|
"3317044064679887385961981",
|
|
|
|
};
|
|
|
|
for (const char *str : kA014233) {
|
|
|
|
SCOPED_TRACE(str);
|
|
|
|
EXPECT_NE(0, DecimalToBIGNUM(&p, str));
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_primality_test(
|
|
|
|
&is_probably_prime_1, p.get(), BN_prime_checks, ctx(),
|
|
|
|
false /* do_trial_division */, nullptr /* callback */));
|
|
|
|
EXPECT_EQ(0, is_probably_prime_1);
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_primality_test(
|
|
|
|
&is_probably_prime_2, p.get(), BN_prime_checks, ctx(),
|
|
|
|
true /* do_trial_division */, nullptr /* callback */));
|
|
|
|
EXPECT_EQ(0, is_probably_prime_2);
|
2018-01-27 23:49:02 +00:00
|
|
|
|
|
|
|
ASSERT_TRUE(BN_enhanced_miller_rabin_primality_test(
|
|
|
|
&result_3, p.get(), BN_prime_checks, ctx(), nullptr /* callback */));
|
|
|
|
EXPECT_EQ(bn_composite, result_3);
|
2018-03-20 19:48:41 +00:00
|
|
|
}
|
2018-04-03 19:01:12 +01:00
|
|
|
|
|
|
|
// BN_primality_test works with null |BN_CTX|.
|
|
|
|
ASSERT_TRUE(BN_set_word(p.get(), 5));
|
|
|
|
ASSERT_TRUE(BN_primality_test(
|
|
|
|
&is_probably_prime_1, p.get(), BN_prime_checks, nullptr /* ctx */,
|
|
|
|
false /* do_trial_division */, nullptr /* callback */));
|
|
|
|
EXPECT_EQ(1, is_probably_prime_1);
|
2016-07-09 23:22:50 +01:00
|
|
|
}
|
2017-11-09 17:31:03 +00:00
|
|
|
|
Make BN_num_bits_word constant-time.
(The BN_num_bits_word implementation was originally written by Andy
Polyakov for OpenSSL. See also
https://github.com/openssl/openssl/pull/5154.)
BN_num_bits, by way of BN_num_bits_word, currently leaks the
most-significant word of its argument via branching and memory access
pattern.
BN_num_bits is called on RSA prime factors in various places. These have
public bit lengths, but all bits beyond the high bit are secret. This
fully resolves those cases.
There are a few places where BN_num_bits is called on an input where
the bit length is also secret. The two left in BoringSSL are:
- BN_mod_exp_mont_consttime calls it on the RSA private exponent.
- The timing "fix" to add the order to k in DSA.
This does *not* fully resolve those cases as we still only look at the
top word. Today, that is guaranteed to be non-zero, but only because of
the long-standing bn_correct_top timing leak. Once that is fixed (I hope
to have patches soon), a constant-time BN_num_bits on such inputs must
count bits on each word.
Instead, those cases should not call BN_num_bits at all. The former uses
the bit width to pick windows, but it should be using the maximum bit
width. The next patch will fix this. The latter is the same "fix" we
excised from ECDSA in a838f9dc7e6cc091237f0acbbe4953104104e815. That
should be excised from DSA after the bn_correct_top bug is fixed.
Thanks to Dinghao Wu, Danfeng Zhang, Shuai Wang, Pei Wang, and Xiao Liu
for reporting this issue.
Change-Id: Idc3da518cc5ec18bd8688b95f959b15300a57c14
Reviewed-on: https://boringssl-review.googlesource.com/25184
Reviewed-by: Adam Langley <agl@google.com>
2018-01-22 15:44:50 +00:00
|
|
|
TEST_F(BNTest, NumBitsWord) {
|
|
|
|
constexpr BN_ULONG kOne = 1;
|
|
|
|
|
|
|
|
// 2^(N-1) takes N bits.
|
|
|
|
for (unsigned i = 1; i < BN_BITS2; i++) {
|
|
|
|
EXPECT_EQ(i, BN_num_bits_word(kOne << (i - 1))) << i;
|
|
|
|
}
|
|
|
|
|
|
|
|
// 2^N - 1 takes N bits.
|
|
|
|
for (unsigned i = 0; i < BN_BITS2; i++) {
|
|
|
|
EXPECT_EQ(i, BN_num_bits_word((kOne << i) - 1)) << i;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (unsigned i = 1; i < 100; i++) {
|
|
|
|
// Generate a random value of a random length.
|
|
|
|
uint8_t buf[1 + sizeof(BN_ULONG)];
|
|
|
|
RAND_bytes(buf, sizeof(buf));
|
|
|
|
|
|
|
|
BN_ULONG w;
|
|
|
|
memcpy(&w, &buf[1], sizeof(w));
|
|
|
|
|
|
|
|
const unsigned num_bits = buf[0] % (BN_BITS2 + 1);
|
|
|
|
if (num_bits == BN_BITS2) {
|
|
|
|
w |= kOne << (BN_BITS2 - 1);
|
|
|
|
} else if (num_bits == 0) {
|
|
|
|
w = 0;
|
|
|
|
} else {
|
|
|
|
w &= (kOne << num_bits) - 1;
|
|
|
|
w |= kOne << (num_bits - 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
EXPECT_EQ(num_bits, BN_num_bits_word(w)) << w;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-11-09 17:31:03 +00:00
|
|
|
#if !defined(BORINGSSL_SHARED_LIBRARY)
|
|
|
|
TEST_F(BNTest, LessThanWords) {
|
|
|
|
// kTestVectors is an array of 256-bit values in sorted order.
|
|
|
|
static const BN_ULONG kTestVectors[][256 / BN_BITS2] = {
|
|
|
|
{TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0x00000000, 0x00000001), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0x00000000, 0x00000002), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0x00000000, 0x0000ffff), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0x00000000, 0x83339914), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0x00000000, 0xfffffffe), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0x00000000, 0xffffffff), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0xed17ac85, 0x83339914), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0x00000000, 0x83339914), TOBN(0x00000000, 0x00000001),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff),
|
|
|
|
TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0x00000000)},
|
|
|
|
{TOBN(0x00000000, 0x00000000), TOBN(0x1d6f60ba, 0x893ba84c),
|
|
|
|
TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
|
|
|
|
{TOBN(0x00000000, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
|
|
|
|
TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
|
|
|
|
{TOBN(0xed17ac85, 0x00000000), TOBN(0x1d6f60ba, 0x893ba84c),
|
|
|
|
TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
|
|
|
|
{TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
|
|
|
|
TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
|
|
|
|
{TOBN(0xed17ac85, 0xffffffff), TOBN(0x1d6f60ba, 0x893ba84c),
|
|
|
|
TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
|
|
|
|
{TOBN(0xffffffff, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
|
|
|
|
TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
|
|
|
|
{TOBN(0xffffffff, 0xffffffff), TOBN(0x1d6f60ba, 0x893ba84c),
|
|
|
|
TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
|
|
|
|
{TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0x00000000, 0x00000000), TOBN(0xffffffff, 0xffffffff)},
|
|
|
|
{TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
|
|
|
|
{TOBN(0x00000000, 0x00000001), TOBN(0x00000000, 0x00000000),
|
|
|
|
TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
|
|
|
|
{TOBN(0x00000000, 0x00000000), TOBN(0xffffffff, 0xffffffff),
|
|
|
|
TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
|
|
|
|
{TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff),
|
|
|
|
TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
|
|
|
|
};
|
|
|
|
|
|
|
|
// Determine where the single-word values stop.
|
|
|
|
size_t one_word;
|
|
|
|
for (one_word = 0; one_word < OPENSSL_ARRAY_SIZE(kTestVectors); one_word++) {
|
|
|
|
int is_word = 1;
|
|
|
|
for (size_t i = 1; i < OPENSSL_ARRAY_SIZE(kTestVectors[one_word]); i++) {
|
|
|
|
if (kTestVectors[one_word][i] != 0) {
|
|
|
|
is_word = 0;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!is_word) {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTestVectors); i++) {
|
|
|
|
SCOPED_TRACE(i);
|
|
|
|
for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(kTestVectors); j++) {
|
|
|
|
SCOPED_TRACE(j);
|
|
|
|
EXPECT_EQ(i < j ? 1 : 0,
|
|
|
|
bn_less_than_words(kTestVectors[i], kTestVectors[j],
|
|
|
|
OPENSSL_ARRAY_SIZE(kTestVectors[i])));
|
|
|
|
for (size_t k = 0; k < one_word; k++) {
|
|
|
|
SCOPED_TRACE(k);
|
|
|
|
EXPECT_EQ(k <= i && i < j ? 1 : 0,
|
|
|
|
bn_in_range_words(kTestVectors[i], kTestVectors[k][0],
|
|
|
|
kTestVectors[j],
|
|
|
|
OPENSSL_ARRAY_SIZE(kTestVectors[i])));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
EXPECT_EQ(0, bn_less_than_words(NULL, NULL, 0));
|
|
|
|
EXPECT_EQ(0, bn_in_range_words(NULL, 0, NULL, 0));
|
|
|
|
}
|
2018-01-23 23:51:42 +00:00
|
|
|
#endif // !BORINGSSL_SHARED_LIBRARY
|
Add initial support for non-minimal BIGNUMs.
Thanks to Andres Erbsen for extremely helpful suggestions on how finally
plug this long-standing hole!
OpenSSL BIGNUMs are currently minimal-width, which means they cannot be
constant-time. We'll need to either excise BIGNUM from RSA and EC or
somehow fix BIGNUM. EC_SCALAR and later EC_FELEM work will excise it
from EC, but RSA's BIGNUMs are more transparent. Teaching BIGNUM to
handle non-minimal word widths is probably simpler.
The main constraint is BIGNUM's large "calculator" API surface. One
could, in theory, do arbitrary math on RSA components, which means all
public functions must tolerate non-minimal inputs. This is also useful
for EC; https://boringssl-review.googlesource.com/c/boringssl/+/24445 is
silly.
As a first step, fix comparison-type functions that were assuming
minimal BIGNUMs. I've also added bn_resize_words, but it is testing-only
until the rest of the library is fixed.
bn->top is now a loose upper bound we carry around. It does not affect
numerical results, only performance and secrecy. This is a departure
from the original meaning, and compiler help in auditing everything is
nice, so the final change in this series will rename bn->top to
bn->width. Thus these new functions are named per "width", not "top".
Looking further ahead, how are output BIGNUM widths determined? There's
three notions of correctness here:
1. Do I compute the right answer for all widths?
2. Do I handle secret data in constant time?
3. Does my memory usage not balloon absurdly?
For (1), a BIGNUM function must give the same answer for all input
widths. BN_mod_add_quick may assume |a| < |m|, but |a| may still be
wider than |m| by way of leading zeres. The simplest approach is to
write code in a width-agnostic way and rely on functions to accept all
widths. Where functions need to look at bn->d, we'll a few helper
functions to smooth over funny widths.
For (2), (1) is little cumbersome. Consider constant-time modular
addition. A sane type system would guarantee input widths match. But C
is weak here, and bifurcating the internals is a lot of work. Thus, at
least for now, I do not propose we move RSA's internal computation out
of BIGNUM. (EC_SCALAR/EC_FELEM are valuable for EC because we get to
stack-allocate, curves were already specialized, and EC only has two
types with many operations on those types. None of these apply to RSA.
We've got numbers mod n, mod p, mod q, and their corresponding
exponents, each of which is used for basically one operation.)
Instead, constant-time BIGNUM functions will output non-minimal widths.
This is trivial for BN_bin2bn or modular arithmetic. But for BN_mul,
constant-time[*] would dictate r->top = a->top + b->top. A calculator
repeatedly multiplying by one would then run out of memory. Those we'll
split into a private BN_mul_fixed for crypto, leaving BN_mul for
calculators. BN_mul is just BN_mul_fixed followed by bn_correct_top.
[*] BN_mul is not constant-time for other reasons, but that will be
fixed separately.
Bug: 232
Change-Id: Ide2258ae8c09a9a41bb71d6777908d1c27917069
Reviewed-on: https://boringssl-review.googlesource.com/25244
Reviewed-by: Adam Langley <agl@google.com>
2018-01-20 20:56:53 +00:00
|
|
|
|
|
|
|
TEST_F(BNTest, NonMinimal) {
|
|
|
|
bssl::UniquePtr<BIGNUM> ten(BN_new());
|
|
|
|
ASSERT_TRUE(ten);
|
|
|
|
ASSERT_TRUE(BN_set_word(ten.get(), 10));
|
2018-01-20 23:55:47 +00:00
|
|
|
|
Add initial support for non-minimal BIGNUMs.
Thanks to Andres Erbsen for extremely helpful suggestions on how finally
plug this long-standing hole!
OpenSSL BIGNUMs are currently minimal-width, which means they cannot be
constant-time. We'll need to either excise BIGNUM from RSA and EC or
somehow fix BIGNUM. EC_SCALAR and later EC_FELEM work will excise it
from EC, but RSA's BIGNUMs are more transparent. Teaching BIGNUM to
handle non-minimal word widths is probably simpler.
The main constraint is BIGNUM's large "calculator" API surface. One
could, in theory, do arbitrary math on RSA components, which means all
public functions must tolerate non-minimal inputs. This is also useful
for EC; https://boringssl-review.googlesource.com/c/boringssl/+/24445 is
silly.
As a first step, fix comparison-type functions that were assuming
minimal BIGNUMs. I've also added bn_resize_words, but it is testing-only
until the rest of the library is fixed.
bn->top is now a loose upper bound we carry around. It does not affect
numerical results, only performance and secrecy. This is a departure
from the original meaning, and compiler help in auditing everything is
nice, so the final change in this series will rename bn->top to
bn->width. Thus these new functions are named per "width", not "top".
Looking further ahead, how are output BIGNUM widths determined? There's
three notions of correctness here:
1. Do I compute the right answer for all widths?
2. Do I handle secret data in constant time?
3. Does my memory usage not balloon absurdly?
For (1), a BIGNUM function must give the same answer for all input
widths. BN_mod_add_quick may assume |a| < |m|, but |a| may still be
wider than |m| by way of leading zeres. The simplest approach is to
write code in a width-agnostic way and rely on functions to accept all
widths. Where functions need to look at bn->d, we'll a few helper
functions to smooth over funny widths.
For (2), (1) is little cumbersome. Consider constant-time modular
addition. A sane type system would guarantee input widths match. But C
is weak here, and bifurcating the internals is a lot of work. Thus, at
least for now, I do not propose we move RSA's internal computation out
of BIGNUM. (EC_SCALAR/EC_FELEM are valuable for EC because we get to
stack-allocate, curves were already specialized, and EC only has two
types with many operations on those types. None of these apply to RSA.
We've got numbers mod n, mod p, mod q, and their corresponding
exponents, each of which is used for basically one operation.)
Instead, constant-time BIGNUM functions will output non-minimal widths.
This is trivial for BN_bin2bn or modular arithmetic. But for BN_mul,
constant-time[*] would dictate r->top = a->top + b->top. A calculator
repeatedly multiplying by one would then run out of memory. Those we'll
split into a private BN_mul_fixed for crypto, leaving BN_mul for
calculators. BN_mul is just BN_mul_fixed followed by bn_correct_top.
[*] BN_mul is not constant-time for other reasons, but that will be
fixed separately.
Bug: 232
Change-Id: Ide2258ae8c09a9a41bb71d6777908d1c27917069
Reviewed-on: https://boringssl-review.googlesource.com/25244
Reviewed-by: Adam Langley <agl@google.com>
2018-01-20 20:56:53 +00:00
|
|
|
bssl::UniquePtr<BIGNUM> ten_copy(BN_dup(ten.get()));
|
|
|
|
ASSERT_TRUE(ten_copy);
|
2018-01-20 23:55:47 +00:00
|
|
|
|
Add initial support for non-minimal BIGNUMs.
Thanks to Andres Erbsen for extremely helpful suggestions on how finally
plug this long-standing hole!
OpenSSL BIGNUMs are currently minimal-width, which means they cannot be
constant-time. We'll need to either excise BIGNUM from RSA and EC or
somehow fix BIGNUM. EC_SCALAR and later EC_FELEM work will excise it
from EC, but RSA's BIGNUMs are more transparent. Teaching BIGNUM to
handle non-minimal word widths is probably simpler.
The main constraint is BIGNUM's large "calculator" API surface. One
could, in theory, do arbitrary math on RSA components, which means all
public functions must tolerate non-minimal inputs. This is also useful
for EC; https://boringssl-review.googlesource.com/c/boringssl/+/24445 is
silly.
As a first step, fix comparison-type functions that were assuming
minimal BIGNUMs. I've also added bn_resize_words, but it is testing-only
until the rest of the library is fixed.
bn->top is now a loose upper bound we carry around. It does not affect
numerical results, only performance and secrecy. This is a departure
from the original meaning, and compiler help in auditing everything is
nice, so the final change in this series will rename bn->top to
bn->width. Thus these new functions are named per "width", not "top".
Looking further ahead, how are output BIGNUM widths determined? There's
three notions of correctness here:
1. Do I compute the right answer for all widths?
2. Do I handle secret data in constant time?
3. Does my memory usage not balloon absurdly?
For (1), a BIGNUM function must give the same answer for all input
widths. BN_mod_add_quick may assume |a| < |m|, but |a| may still be
wider than |m| by way of leading zeres. The simplest approach is to
write code in a width-agnostic way and rely on functions to accept all
widths. Where functions need to look at bn->d, we'll a few helper
functions to smooth over funny widths.
For (2), (1) is little cumbersome. Consider constant-time modular
addition. A sane type system would guarantee input widths match. But C
is weak here, and bifurcating the internals is a lot of work. Thus, at
least for now, I do not propose we move RSA's internal computation out
of BIGNUM. (EC_SCALAR/EC_FELEM are valuable for EC because we get to
stack-allocate, curves were already specialized, and EC only has two
types with many operations on those types. None of these apply to RSA.
We've got numbers mod n, mod p, mod q, and their corresponding
exponents, each of which is used for basically one operation.)
Instead, constant-time BIGNUM functions will output non-minimal widths.
This is trivial for BN_bin2bn or modular arithmetic. But for BN_mul,
constant-time[*] would dictate r->top = a->top + b->top. A calculator
repeatedly multiplying by one would then run out of memory. Those we'll
split into a private BN_mul_fixed for crypto, leaving BN_mul for
calculators. BN_mul is just BN_mul_fixed followed by bn_correct_top.
[*] BN_mul is not constant-time for other reasons, but that will be
fixed separately.
Bug: 232
Change-Id: Ide2258ae8c09a9a41bb71d6777908d1c27917069
Reviewed-on: https://boringssl-review.googlesource.com/25244
Reviewed-by: Adam Langley <agl@google.com>
2018-01-20 20:56:53 +00:00
|
|
|
bssl::UniquePtr<BIGNUM> eight(BN_new());
|
|
|
|
ASSERT_TRUE(eight);
|
|
|
|
ASSERT_TRUE(BN_set_word(eight.get(), 8));
|
|
|
|
|
2018-01-20 23:55:47 +00:00
|
|
|
bssl::UniquePtr<BIGNUM> forty_two(BN_new());
|
|
|
|
ASSERT_TRUE(forty_two);
|
|
|
|
ASSERT_TRUE(BN_set_word(forty_two.get(), 42));
|
|
|
|
|
|
|
|
bssl::UniquePtr<BIGNUM> two_exp_256(BN_new());
|
|
|
|
ASSERT_TRUE(two_exp_256);
|
|
|
|
ASSERT_TRUE(BN_lshift(two_exp_256.get(), BN_value_one(), 256));
|
|
|
|
|
2018-01-25 23:02:45 +00:00
|
|
|
bssl::UniquePtr<BIGNUM> zero(BN_new());
|
|
|
|
ASSERT_TRUE(zero);
|
|
|
|
BN_zero(zero.get());
|
|
|
|
|
2018-01-20 23:55:47 +00:00
|
|
|
for (size_t width = 1; width < 10; width++) {
|
|
|
|
SCOPED_TRACE(width);
|
2018-01-25 23:02:45 +00:00
|
|
|
// Make |ten| and |zero| wider.
|
2018-01-20 23:55:47 +00:00
|
|
|
EXPECT_TRUE(bn_resize_words(ten.get(), width));
|
2018-01-15 10:23:24 +00:00
|
|
|
EXPECT_EQ(static_cast<int>(width), ten->width);
|
2018-01-25 23:02:45 +00:00
|
|
|
EXPECT_TRUE(bn_resize_words(zero.get(), width));
|
2018-01-15 10:23:24 +00:00
|
|
|
EXPECT_EQ(static_cast<int>(width), zero->width);
|
2018-01-20 23:55:47 +00:00
|
|
|
|
|
|
|
EXPECT_TRUE(BN_abs_is_word(ten.get(), 10));
|
|
|
|
EXPECT_TRUE(BN_is_word(ten.get(), 10));
|
|
|
|
EXPECT_EQ(10u, BN_get_word(ten.get()));
|
|
|
|
uint64_t v;
|
|
|
|
ASSERT_TRUE(BN_get_u64(ten.get(), &v));
|
|
|
|
EXPECT_EQ(10u, v);
|
|
|
|
|
|
|
|
EXPECT_TRUE(BN_equal_consttime(ten.get(), ten_copy.get()));
|
|
|
|
EXPECT_TRUE(BN_equal_consttime(ten_copy.get(), ten.get()));
|
|
|
|
EXPECT_EQ(BN_cmp(ten.get(), ten_copy.get()), 0);
|
2018-01-27 23:54:28 +00:00
|
|
|
EXPECT_EQ(BN_cmp(ten_copy.get(), ten.get()), 0);
|
2018-01-20 23:55:47 +00:00
|
|
|
|
|
|
|
EXPECT_FALSE(BN_equal_consttime(ten.get(), eight.get()));
|
|
|
|
EXPECT_LT(BN_cmp(eight.get(), ten.get()), 0);
|
2018-01-27 23:54:28 +00:00
|
|
|
EXPECT_GT(BN_cmp(ten.get(), eight.get()), 0);
|
2018-01-20 23:55:47 +00:00
|
|
|
|
|
|
|
EXPECT_FALSE(BN_equal_consttime(ten.get(), forty_two.get()));
|
|
|
|
EXPECT_GT(BN_cmp(forty_two.get(), ten.get()), 0);
|
2018-01-27 23:54:28 +00:00
|
|
|
EXPECT_LT(BN_cmp(ten.get(), forty_two.get()), 0);
|
2018-01-20 23:55:47 +00:00
|
|
|
|
|
|
|
EXPECT_FALSE(BN_equal_consttime(ten.get(), two_exp_256.get()));
|
|
|
|
EXPECT_GT(BN_cmp(two_exp_256.get(), ten.get()), 0);
|
2018-01-27 23:54:28 +00:00
|
|
|
EXPECT_LT(BN_cmp(ten.get(), two_exp_256.get()), 0);
|
2018-01-20 23:55:47 +00:00
|
|
|
|
|
|
|
EXPECT_EQ(4u, BN_num_bits(ten.get()));
|
|
|
|
EXPECT_EQ(1u, BN_num_bytes(ten.get()));
|
|
|
|
EXPECT_FALSE(BN_is_pow2(ten.get()));
|
2018-01-25 23:02:45 +00:00
|
|
|
|
|
|
|
bssl::UniquePtr<char> hex(BN_bn2hex(ten.get()));
|
|
|
|
EXPECT_STREQ("0a", hex.get());
|
|
|
|
hex.reset(BN_bn2hex(zero.get()));
|
|
|
|
EXPECT_STREQ("0", hex.get());
|
|
|
|
|
|
|
|
bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
|
|
|
|
ASSERT_TRUE(bio);
|
|
|
|
ASSERT_TRUE(BN_print(bio.get(), ten.get()));
|
|
|
|
const uint8_t *ptr;
|
|
|
|
size_t len;
|
|
|
|
ASSERT_TRUE(BIO_mem_contents(bio.get(), &ptr, &len));
|
|
|
|
// TODO(davidben): |BN_print| removes leading zeros within a byte, while
|
|
|
|
// |BN_bn2hex| rounds up to a byte, except for zero which it prints as
|
|
|
|
// "0". Fix this discrepancy?
|
|
|
|
EXPECT_EQ(Bytes("a"), Bytes(ptr, len));
|
|
|
|
|
|
|
|
bio.reset(BIO_new(BIO_s_mem()));
|
|
|
|
ASSERT_TRUE(bio);
|
|
|
|
ASSERT_TRUE(BN_print(bio.get(), zero.get()));
|
|
|
|
ASSERT_TRUE(BIO_mem_contents(bio.get(), &ptr, &len));
|
|
|
|
EXPECT_EQ(Bytes("0"), Bytes(ptr, len));
|
2018-01-20 23:55:47 +00:00
|
|
|
}
|
Add initial support for non-minimal BIGNUMs.
Thanks to Andres Erbsen for extremely helpful suggestions on how finally
plug this long-standing hole!
OpenSSL BIGNUMs are currently minimal-width, which means they cannot be
constant-time. We'll need to either excise BIGNUM from RSA and EC or
somehow fix BIGNUM. EC_SCALAR and later EC_FELEM work will excise it
from EC, but RSA's BIGNUMs are more transparent. Teaching BIGNUM to
handle non-minimal word widths is probably simpler.
The main constraint is BIGNUM's large "calculator" API surface. One
could, in theory, do arbitrary math on RSA components, which means all
public functions must tolerate non-minimal inputs. This is also useful
for EC; https://boringssl-review.googlesource.com/c/boringssl/+/24445 is
silly.
As a first step, fix comparison-type functions that were assuming
minimal BIGNUMs. I've also added bn_resize_words, but it is testing-only
until the rest of the library is fixed.
bn->top is now a loose upper bound we carry around. It does not affect
numerical results, only performance and secrecy. This is a departure
from the original meaning, and compiler help in auditing everything is
nice, so the final change in this series will rename bn->top to
bn->width. Thus these new functions are named per "width", not "top".
Looking further ahead, how are output BIGNUM widths determined? There's
three notions of correctness here:
1. Do I compute the right answer for all widths?
2. Do I handle secret data in constant time?
3. Does my memory usage not balloon absurdly?
For (1), a BIGNUM function must give the same answer for all input
widths. BN_mod_add_quick may assume |a| < |m|, but |a| may still be
wider than |m| by way of leading zeres. The simplest approach is to
write code in a width-agnostic way and rely on functions to accept all
widths. Where functions need to look at bn->d, we'll a few helper
functions to smooth over funny widths.
For (2), (1) is little cumbersome. Consider constant-time modular
addition. A sane type system would guarantee input widths match. But C
is weak here, and bifurcating the internals is a lot of work. Thus, at
least for now, I do not propose we move RSA's internal computation out
of BIGNUM. (EC_SCALAR/EC_FELEM are valuable for EC because we get to
stack-allocate, curves were already specialized, and EC only has two
types with many operations on those types. None of these apply to RSA.
We've got numbers mod n, mod p, mod q, and their corresponding
exponents, each of which is used for basically one operation.)
Instead, constant-time BIGNUM functions will output non-minimal widths.
This is trivial for BN_bin2bn or modular arithmetic. But for BN_mul,
constant-time[*] would dictate r->top = a->top + b->top. A calculator
repeatedly multiplying by one would then run out of memory. Those we'll
split into a private BN_mul_fixed for crypto, leaving BN_mul for
calculators. BN_mul is just BN_mul_fixed followed by bn_correct_top.
[*] BN_mul is not constant-time for other reasons, but that will be
fixed separately.
Bug: 232
Change-Id: Ide2258ae8c09a9a41bb71d6777908d1c27917069
Reviewed-on: https://boringssl-review.googlesource.com/25244
Reviewed-by: Adam Langley <agl@google.com>
2018-01-20 20:56:53 +00:00
|
|
|
|
|
|
|
// |ten| may be resized back down to one word.
|
|
|
|
EXPECT_TRUE(bn_resize_words(ten.get(), 1));
|
2018-01-15 10:23:24 +00:00
|
|
|
EXPECT_EQ(1, ten->width);
|
Add initial support for non-minimal BIGNUMs.
Thanks to Andres Erbsen for extremely helpful suggestions on how finally
plug this long-standing hole!
OpenSSL BIGNUMs are currently minimal-width, which means they cannot be
constant-time. We'll need to either excise BIGNUM from RSA and EC or
somehow fix BIGNUM. EC_SCALAR and later EC_FELEM work will excise it
from EC, but RSA's BIGNUMs are more transparent. Teaching BIGNUM to
handle non-minimal word widths is probably simpler.
The main constraint is BIGNUM's large "calculator" API surface. One
could, in theory, do arbitrary math on RSA components, which means all
public functions must tolerate non-minimal inputs. This is also useful
for EC; https://boringssl-review.googlesource.com/c/boringssl/+/24445 is
silly.
As a first step, fix comparison-type functions that were assuming
minimal BIGNUMs. I've also added bn_resize_words, but it is testing-only
until the rest of the library is fixed.
bn->top is now a loose upper bound we carry around. It does not affect
numerical results, only performance and secrecy. This is a departure
from the original meaning, and compiler help in auditing everything is
nice, so the final change in this series will rename bn->top to
bn->width. Thus these new functions are named per "width", not "top".
Looking further ahead, how are output BIGNUM widths determined? There's
three notions of correctness here:
1. Do I compute the right answer for all widths?
2. Do I handle secret data in constant time?
3. Does my memory usage not balloon absurdly?
For (1), a BIGNUM function must give the same answer for all input
widths. BN_mod_add_quick may assume |a| < |m|, but |a| may still be
wider than |m| by way of leading zeres. The simplest approach is to
write code in a width-agnostic way and rely on functions to accept all
widths. Where functions need to look at bn->d, we'll a few helper
functions to smooth over funny widths.
For (2), (1) is little cumbersome. Consider constant-time modular
addition. A sane type system would guarantee input widths match. But C
is weak here, and bifurcating the internals is a lot of work. Thus, at
least for now, I do not propose we move RSA's internal computation out
of BIGNUM. (EC_SCALAR/EC_FELEM are valuable for EC because we get to
stack-allocate, curves were already specialized, and EC only has two
types with many operations on those types. None of these apply to RSA.
We've got numbers mod n, mod p, mod q, and their corresponding
exponents, each of which is used for basically one operation.)
Instead, constant-time BIGNUM functions will output non-minimal widths.
This is trivial for BN_bin2bn or modular arithmetic. But for BN_mul,
constant-time[*] would dictate r->top = a->top + b->top. A calculator
repeatedly multiplying by one would then run out of memory. Those we'll
split into a private BN_mul_fixed for crypto, leaving BN_mul for
calculators. BN_mul is just BN_mul_fixed followed by bn_correct_top.
[*] BN_mul is not constant-time for other reasons, but that will be
fixed separately.
Bug: 232
Change-Id: Ide2258ae8c09a9a41bb71d6777908d1c27917069
Reviewed-on: https://boringssl-review.googlesource.com/25244
Reviewed-by: Adam Langley <agl@google.com>
2018-01-20 20:56:53 +00:00
|
|
|
|
|
|
|
// But not to zero words, which it does not fit.
|
|
|
|
EXPECT_FALSE(bn_resize_words(ten.get(), 0));
|
|
|
|
|
|
|
|
EXPECT_TRUE(BN_is_pow2(eight.get()));
|
|
|
|
EXPECT_TRUE(bn_resize_words(eight.get(), 4));
|
2018-01-15 10:23:24 +00:00
|
|
|
EXPECT_EQ(4, eight->width);
|
Add initial support for non-minimal BIGNUMs.
Thanks to Andres Erbsen for extremely helpful suggestions on how finally
plug this long-standing hole!
OpenSSL BIGNUMs are currently minimal-width, which means they cannot be
constant-time. We'll need to either excise BIGNUM from RSA and EC or
somehow fix BIGNUM. EC_SCALAR and later EC_FELEM work will excise it
from EC, but RSA's BIGNUMs are more transparent. Teaching BIGNUM to
handle non-minimal word widths is probably simpler.
The main constraint is BIGNUM's large "calculator" API surface. One
could, in theory, do arbitrary math on RSA components, which means all
public functions must tolerate non-minimal inputs. This is also useful
for EC; https://boringssl-review.googlesource.com/c/boringssl/+/24445 is
silly.
As a first step, fix comparison-type functions that were assuming
minimal BIGNUMs. I've also added bn_resize_words, but it is testing-only
until the rest of the library is fixed.
bn->top is now a loose upper bound we carry around. It does not affect
numerical results, only performance and secrecy. This is a departure
from the original meaning, and compiler help in auditing everything is
nice, so the final change in this series will rename bn->top to
bn->width. Thus these new functions are named per "width", not "top".
Looking further ahead, how are output BIGNUM widths determined? There's
three notions of correctness here:
1. Do I compute the right answer for all widths?
2. Do I handle secret data in constant time?
3. Does my memory usage not balloon absurdly?
For (1), a BIGNUM function must give the same answer for all input
widths. BN_mod_add_quick may assume |a| < |m|, but |a| may still be
wider than |m| by way of leading zeres. The simplest approach is to
write code in a width-agnostic way and rely on functions to accept all
widths. Where functions need to look at bn->d, we'll a few helper
functions to smooth over funny widths.
For (2), (1) is little cumbersome. Consider constant-time modular
addition. A sane type system would guarantee input widths match. But C
is weak here, and bifurcating the internals is a lot of work. Thus, at
least for now, I do not propose we move RSA's internal computation out
of BIGNUM. (EC_SCALAR/EC_FELEM are valuable for EC because we get to
stack-allocate, curves were already specialized, and EC only has two
types with many operations on those types. None of these apply to RSA.
We've got numbers mod n, mod p, mod q, and their corresponding
exponents, each of which is used for basically one operation.)
Instead, constant-time BIGNUM functions will output non-minimal widths.
This is trivial for BN_bin2bn or modular arithmetic. But for BN_mul,
constant-time[*] would dictate r->top = a->top + b->top. A calculator
repeatedly multiplying by one would then run out of memory. Those we'll
split into a private BN_mul_fixed for crypto, leaving BN_mul for
calculators. BN_mul is just BN_mul_fixed followed by bn_correct_top.
[*] BN_mul is not constant-time for other reasons, but that will be
fixed separately.
Bug: 232
Change-Id: Ide2258ae8c09a9a41bb71d6777908d1c27917069
Reviewed-on: https://boringssl-review.googlesource.com/25244
Reviewed-by: Adam Langley <agl@google.com>
2018-01-20 20:56:53 +00:00
|
|
|
EXPECT_TRUE(BN_is_pow2(eight.get()));
|
2018-01-23 21:17:55 +00:00
|
|
|
|
|
|
|
// |BN_MONT_CTX| is always stored minimally and uses the same R independent of
|
2018-04-04 04:15:08 +01:00
|
|
|
// input width. Additionally, mont->RR is always the same width as mont->N,
|
|
|
|
// even if it fits in a smaller value.
|
2018-01-23 21:17:55 +00:00
|
|
|
static const uint8_t kP[] = {
|
2018-04-04 04:15:08 +01:00
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
|
2018-01-23 21:17:55 +00:00
|
|
|
};
|
|
|
|
bssl::UniquePtr<BIGNUM> p(BN_bin2bn(kP, sizeof(kP), nullptr));
|
|
|
|
ASSERT_TRUE(p);
|
|
|
|
|
Restore the BN_mod codepath for public Montgomery moduli.
https://boringssl-review.googlesource.com/10520 and then later
https://boringssl-review.googlesource.com/25285 made BN_MONT_CTX_set
constant-time, which is necessary for RSA's mont_p and mont_q. However,
due to a typo in the benchmark, they did not correctly measure.
Split BN_MONT_CTX creation into a constant-time and variable-time one.
The constant-time one uses our current algorithm and the latter restores
the original BN_mod codepath.
Should we wish to avoid BN_mod, I have an alternate version lying
around:
First, BN_set_bit + bn_mod_lshift1_consttime as now to count up to 2*R.
Next, observe that 2*R = BN_to_montgomery(2) and R*R =
BN_to_montgomery(R) = BN_to_montgomery(2^r_bits) Also observe that
BN_mod_mul_montgomery only needs n0, not RR. Split the core of
BN_mod_exp_mont into its own function so the caller handles conversion.
Raise 2*R to the r_bits power to get 2^r_bits*R = R*R.
The advantage of that algorithm is that it is still constant-time, so we
only need one BN_MONT_CTX_new. Additionally, it avoids BN_mod which is
otherwise (almost, but the remaining links should be easy to cut) out of
the critical path for correctness. One less operation to worry about.
The disadvantage is that it is gives a 25% (RSA-2048) or 32% (RSA-4096)
slower RSA verification speed. I went with the BN_mod one for the time
being.
Before:
Did 9204 RSA 2048 signing operations in 10052053us (915.6 ops/sec)
Did 326000 RSA 2048 verify (same key) operations in 10028823us (32506.3 ops/sec)
Did 50830 RSA 2048 verify (fresh key) operations in 10033794us (5065.9 ops/sec)
Did 1269 RSA 4096 signing operations in 10019204us (126.7 ops/sec)
Did 88435 RSA 4096 verify (same key) operations in 10031129us (8816.1 ops/sec)
Did 14552 RSA 4096 verify (fresh key) operations in 10053411us (1447.5 ops/sec)
After:
Did 9150 RSA 2048 signing operations in 10022831us (912.9 ops/sec)
Did 322000 RSA 2048 verify (same key) operations in 10028604us (32108.2 ops/sec)
Did 289000 RSA 2048 verify (fresh key) operations in 10017205us (28850.4 ops/sec)
Did 1270 RSA 4096 signing operations in 10072950us (126.1 ops/sec)
Did 87480 RSA 4096 verify (same key) operations in 10036328us (8716.3 ops/sec)
Did 80730 RSA 4096 verify (fresh key) operations in 10073614us (8014.0 ops/sec)
Change-Id: Ie8916d1634ccf8513ceda458fa302f09f3e93c07
Reviewed-on: https://boringssl-review.googlesource.com/27287
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-04-10 21:46:33 +01:00
|
|
|
// Test both the constant-time and variable-time functions at both minimal and
|
|
|
|
// non-minimal |p|.
|
2018-01-23 22:03:26 +00:00
|
|
|
bssl::UniquePtr<BN_MONT_CTX> mont(
|
|
|
|
BN_MONT_CTX_new_for_modulus(p.get(), ctx()));
|
2018-01-23 21:17:55 +00:00
|
|
|
ASSERT_TRUE(mont);
|
Restore the BN_mod codepath for public Montgomery moduli.
https://boringssl-review.googlesource.com/10520 and then later
https://boringssl-review.googlesource.com/25285 made BN_MONT_CTX_set
constant-time, which is necessary for RSA's mont_p and mont_q. However,
due to a typo in the benchmark, they did not correctly measure.
Split BN_MONT_CTX creation into a constant-time and variable-time one.
The constant-time one uses our current algorithm and the latter restores
the original BN_mod codepath.
Should we wish to avoid BN_mod, I have an alternate version lying
around:
First, BN_set_bit + bn_mod_lshift1_consttime as now to count up to 2*R.
Next, observe that 2*R = BN_to_montgomery(2) and R*R =
BN_to_montgomery(R) = BN_to_montgomery(2^r_bits) Also observe that
BN_mod_mul_montgomery only needs n0, not RR. Split the core of
BN_mod_exp_mont into its own function so the caller handles conversion.
Raise 2*R to the r_bits power to get 2^r_bits*R = R*R.
The advantage of that algorithm is that it is still constant-time, so we
only need one BN_MONT_CTX_new. Additionally, it avoids BN_mod which is
otherwise (almost, but the remaining links should be easy to cut) out of
the critical path for correctness. One less operation to worry about.
The disadvantage is that it is gives a 25% (RSA-2048) or 32% (RSA-4096)
slower RSA verification speed. I went with the BN_mod one for the time
being.
Before:
Did 9204 RSA 2048 signing operations in 10052053us (915.6 ops/sec)
Did 326000 RSA 2048 verify (same key) operations in 10028823us (32506.3 ops/sec)
Did 50830 RSA 2048 verify (fresh key) operations in 10033794us (5065.9 ops/sec)
Did 1269 RSA 4096 signing operations in 10019204us (126.7 ops/sec)
Did 88435 RSA 4096 verify (same key) operations in 10031129us (8816.1 ops/sec)
Did 14552 RSA 4096 verify (fresh key) operations in 10053411us (1447.5 ops/sec)
After:
Did 9150 RSA 2048 signing operations in 10022831us (912.9 ops/sec)
Did 322000 RSA 2048 verify (same key) operations in 10028604us (32108.2 ops/sec)
Did 289000 RSA 2048 verify (fresh key) operations in 10017205us (28850.4 ops/sec)
Did 1270 RSA 4096 signing operations in 10072950us (126.1 ops/sec)
Did 87480 RSA 4096 verify (same key) operations in 10036328us (8716.3 ops/sec)
Did 80730 RSA 4096 verify (fresh key) operations in 10073614us (8014.0 ops/sec)
Change-Id: Ie8916d1634ccf8513ceda458fa302f09f3e93c07
Reviewed-on: https://boringssl-review.googlesource.com/27287
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-04-10 21:46:33 +01:00
|
|
|
bssl::UniquePtr<BN_MONT_CTX> mont2(
|
|
|
|
BN_MONT_CTX_new_consttime(p.get(), ctx()));
|
|
|
|
ASSERT_TRUE(mont2);
|
2018-01-23 21:17:55 +00:00
|
|
|
|
|
|
|
ASSERT_TRUE(bn_resize_words(p.get(), 32));
|
Restore the BN_mod codepath for public Montgomery moduli.
https://boringssl-review.googlesource.com/10520 and then later
https://boringssl-review.googlesource.com/25285 made BN_MONT_CTX_set
constant-time, which is necessary for RSA's mont_p and mont_q. However,
due to a typo in the benchmark, they did not correctly measure.
Split BN_MONT_CTX creation into a constant-time and variable-time one.
The constant-time one uses our current algorithm and the latter restores
the original BN_mod codepath.
Should we wish to avoid BN_mod, I have an alternate version lying
around:
First, BN_set_bit + bn_mod_lshift1_consttime as now to count up to 2*R.
Next, observe that 2*R = BN_to_montgomery(2) and R*R =
BN_to_montgomery(R) = BN_to_montgomery(2^r_bits) Also observe that
BN_mod_mul_montgomery only needs n0, not RR. Split the core of
BN_mod_exp_mont into its own function so the caller handles conversion.
Raise 2*R to the r_bits power to get 2^r_bits*R = R*R.
The advantage of that algorithm is that it is still constant-time, so we
only need one BN_MONT_CTX_new. Additionally, it avoids BN_mod which is
otherwise (almost, but the remaining links should be easy to cut) out of
the critical path for correctness. One less operation to worry about.
The disadvantage is that it is gives a 25% (RSA-2048) or 32% (RSA-4096)
slower RSA verification speed. I went with the BN_mod one for the time
being.
Before:
Did 9204 RSA 2048 signing operations in 10052053us (915.6 ops/sec)
Did 326000 RSA 2048 verify (same key) operations in 10028823us (32506.3 ops/sec)
Did 50830 RSA 2048 verify (fresh key) operations in 10033794us (5065.9 ops/sec)
Did 1269 RSA 4096 signing operations in 10019204us (126.7 ops/sec)
Did 88435 RSA 4096 verify (same key) operations in 10031129us (8816.1 ops/sec)
Did 14552 RSA 4096 verify (fresh key) operations in 10053411us (1447.5 ops/sec)
After:
Did 9150 RSA 2048 signing operations in 10022831us (912.9 ops/sec)
Did 322000 RSA 2048 verify (same key) operations in 10028604us (32108.2 ops/sec)
Did 289000 RSA 2048 verify (fresh key) operations in 10017205us (28850.4 ops/sec)
Did 1270 RSA 4096 signing operations in 10072950us (126.1 ops/sec)
Did 87480 RSA 4096 verify (same key) operations in 10036328us (8716.3 ops/sec)
Did 80730 RSA 4096 verify (fresh key) operations in 10073614us (8014.0 ops/sec)
Change-Id: Ie8916d1634ccf8513ceda458fa302f09f3e93c07
Reviewed-on: https://boringssl-review.googlesource.com/27287
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-04-10 21:46:33 +01:00
|
|
|
bssl::UniquePtr<BN_MONT_CTX> mont3(
|
2018-01-23 22:03:26 +00:00
|
|
|
BN_MONT_CTX_new_for_modulus(p.get(), ctx()));
|
Restore the BN_mod codepath for public Montgomery moduli.
https://boringssl-review.googlesource.com/10520 and then later
https://boringssl-review.googlesource.com/25285 made BN_MONT_CTX_set
constant-time, which is necessary for RSA's mont_p and mont_q. However,
due to a typo in the benchmark, they did not correctly measure.
Split BN_MONT_CTX creation into a constant-time and variable-time one.
The constant-time one uses our current algorithm and the latter restores
the original BN_mod codepath.
Should we wish to avoid BN_mod, I have an alternate version lying
around:
First, BN_set_bit + bn_mod_lshift1_consttime as now to count up to 2*R.
Next, observe that 2*R = BN_to_montgomery(2) and R*R =
BN_to_montgomery(R) = BN_to_montgomery(2^r_bits) Also observe that
BN_mod_mul_montgomery only needs n0, not RR. Split the core of
BN_mod_exp_mont into its own function so the caller handles conversion.
Raise 2*R to the r_bits power to get 2^r_bits*R = R*R.
The advantage of that algorithm is that it is still constant-time, so we
only need one BN_MONT_CTX_new. Additionally, it avoids BN_mod which is
otherwise (almost, but the remaining links should be easy to cut) out of
the critical path for correctness. One less operation to worry about.
The disadvantage is that it is gives a 25% (RSA-2048) or 32% (RSA-4096)
slower RSA verification speed. I went with the BN_mod one for the time
being.
Before:
Did 9204 RSA 2048 signing operations in 10052053us (915.6 ops/sec)
Did 326000 RSA 2048 verify (same key) operations in 10028823us (32506.3 ops/sec)
Did 50830 RSA 2048 verify (fresh key) operations in 10033794us (5065.9 ops/sec)
Did 1269 RSA 4096 signing operations in 10019204us (126.7 ops/sec)
Did 88435 RSA 4096 verify (same key) operations in 10031129us (8816.1 ops/sec)
Did 14552 RSA 4096 verify (fresh key) operations in 10053411us (1447.5 ops/sec)
After:
Did 9150 RSA 2048 signing operations in 10022831us (912.9 ops/sec)
Did 322000 RSA 2048 verify (same key) operations in 10028604us (32108.2 ops/sec)
Did 289000 RSA 2048 verify (fresh key) operations in 10017205us (28850.4 ops/sec)
Did 1270 RSA 4096 signing operations in 10072950us (126.1 ops/sec)
Did 87480 RSA 4096 verify (same key) operations in 10036328us (8716.3 ops/sec)
Did 80730 RSA 4096 verify (fresh key) operations in 10073614us (8014.0 ops/sec)
Change-Id: Ie8916d1634ccf8513ceda458fa302f09f3e93c07
Reviewed-on: https://boringssl-review.googlesource.com/27287
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-04-10 21:46:33 +01:00
|
|
|
ASSERT_TRUE(mont3);
|
|
|
|
bssl::UniquePtr<BN_MONT_CTX> mont4(
|
|
|
|
BN_MONT_CTX_new_consttime(p.get(), ctx()));
|
|
|
|
ASSERT_TRUE(mont4);
|
2018-01-23 21:17:55 +00:00
|
|
|
|
2018-01-15 10:23:24 +00:00
|
|
|
EXPECT_EQ(mont->N.width, mont2->N.width);
|
Restore the BN_mod codepath for public Montgomery moduli.
https://boringssl-review.googlesource.com/10520 and then later
https://boringssl-review.googlesource.com/25285 made BN_MONT_CTX_set
constant-time, which is necessary for RSA's mont_p and mont_q. However,
due to a typo in the benchmark, they did not correctly measure.
Split BN_MONT_CTX creation into a constant-time and variable-time one.
The constant-time one uses our current algorithm and the latter restores
the original BN_mod codepath.
Should we wish to avoid BN_mod, I have an alternate version lying
around:
First, BN_set_bit + bn_mod_lshift1_consttime as now to count up to 2*R.
Next, observe that 2*R = BN_to_montgomery(2) and R*R =
BN_to_montgomery(R) = BN_to_montgomery(2^r_bits) Also observe that
BN_mod_mul_montgomery only needs n0, not RR. Split the core of
BN_mod_exp_mont into its own function so the caller handles conversion.
Raise 2*R to the r_bits power to get 2^r_bits*R = R*R.
The advantage of that algorithm is that it is still constant-time, so we
only need one BN_MONT_CTX_new. Additionally, it avoids BN_mod which is
otherwise (almost, but the remaining links should be easy to cut) out of
the critical path for correctness. One less operation to worry about.
The disadvantage is that it is gives a 25% (RSA-2048) or 32% (RSA-4096)
slower RSA verification speed. I went with the BN_mod one for the time
being.
Before:
Did 9204 RSA 2048 signing operations in 10052053us (915.6 ops/sec)
Did 326000 RSA 2048 verify (same key) operations in 10028823us (32506.3 ops/sec)
Did 50830 RSA 2048 verify (fresh key) operations in 10033794us (5065.9 ops/sec)
Did 1269 RSA 4096 signing operations in 10019204us (126.7 ops/sec)
Did 88435 RSA 4096 verify (same key) operations in 10031129us (8816.1 ops/sec)
Did 14552 RSA 4096 verify (fresh key) operations in 10053411us (1447.5 ops/sec)
After:
Did 9150 RSA 2048 signing operations in 10022831us (912.9 ops/sec)
Did 322000 RSA 2048 verify (same key) operations in 10028604us (32108.2 ops/sec)
Did 289000 RSA 2048 verify (fresh key) operations in 10017205us (28850.4 ops/sec)
Did 1270 RSA 4096 signing operations in 10072950us (126.1 ops/sec)
Did 87480 RSA 4096 verify (same key) operations in 10036328us (8716.3 ops/sec)
Did 80730 RSA 4096 verify (fresh key) operations in 10073614us (8014.0 ops/sec)
Change-Id: Ie8916d1634ccf8513ceda458fa302f09f3e93c07
Reviewed-on: https://boringssl-review.googlesource.com/27287
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-04-10 21:46:33 +01:00
|
|
|
EXPECT_EQ(mont->N.width, mont3->N.width);
|
|
|
|
EXPECT_EQ(mont->N.width, mont4->N.width);
|
2018-01-23 21:17:55 +00:00
|
|
|
EXPECT_EQ(0, BN_cmp(&mont->RR, &mont2->RR));
|
Restore the BN_mod codepath for public Montgomery moduli.
https://boringssl-review.googlesource.com/10520 and then later
https://boringssl-review.googlesource.com/25285 made BN_MONT_CTX_set
constant-time, which is necessary for RSA's mont_p and mont_q. However,
due to a typo in the benchmark, they did not correctly measure.
Split BN_MONT_CTX creation into a constant-time and variable-time one.
The constant-time one uses our current algorithm and the latter restores
the original BN_mod codepath.
Should we wish to avoid BN_mod, I have an alternate version lying
around:
First, BN_set_bit + bn_mod_lshift1_consttime as now to count up to 2*R.
Next, observe that 2*R = BN_to_montgomery(2) and R*R =
BN_to_montgomery(R) = BN_to_montgomery(2^r_bits) Also observe that
BN_mod_mul_montgomery only needs n0, not RR. Split the core of
BN_mod_exp_mont into its own function so the caller handles conversion.
Raise 2*R to the r_bits power to get 2^r_bits*R = R*R.
The advantage of that algorithm is that it is still constant-time, so we
only need one BN_MONT_CTX_new. Additionally, it avoids BN_mod which is
otherwise (almost, but the remaining links should be easy to cut) out of
the critical path for correctness. One less operation to worry about.
The disadvantage is that it is gives a 25% (RSA-2048) or 32% (RSA-4096)
slower RSA verification speed. I went with the BN_mod one for the time
being.
Before:
Did 9204 RSA 2048 signing operations in 10052053us (915.6 ops/sec)
Did 326000 RSA 2048 verify (same key) operations in 10028823us (32506.3 ops/sec)
Did 50830 RSA 2048 verify (fresh key) operations in 10033794us (5065.9 ops/sec)
Did 1269 RSA 4096 signing operations in 10019204us (126.7 ops/sec)
Did 88435 RSA 4096 verify (same key) operations in 10031129us (8816.1 ops/sec)
Did 14552 RSA 4096 verify (fresh key) operations in 10053411us (1447.5 ops/sec)
After:
Did 9150 RSA 2048 signing operations in 10022831us (912.9 ops/sec)
Did 322000 RSA 2048 verify (same key) operations in 10028604us (32108.2 ops/sec)
Did 289000 RSA 2048 verify (fresh key) operations in 10017205us (28850.4 ops/sec)
Did 1270 RSA 4096 signing operations in 10072950us (126.1 ops/sec)
Did 87480 RSA 4096 verify (same key) operations in 10036328us (8716.3 ops/sec)
Did 80730 RSA 4096 verify (fresh key) operations in 10073614us (8014.0 ops/sec)
Change-Id: Ie8916d1634ccf8513ceda458fa302f09f3e93c07
Reviewed-on: https://boringssl-review.googlesource.com/27287
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-04-10 21:46:33 +01:00
|
|
|
EXPECT_EQ(0, BN_cmp(&mont->RR, &mont3->RR));
|
|
|
|
EXPECT_EQ(0, BN_cmp(&mont->RR, &mont4->RR));
|
2018-04-04 04:15:08 +01:00
|
|
|
EXPECT_EQ(mont->N.width, mont->RR.width);
|
|
|
|
EXPECT_EQ(mont->N.width, mont2->RR.width);
|
|
|
|
EXPECT_EQ(mont->N.width, mont3->RR.width);
|
|
|
|
EXPECT_EQ(mont->N.width, mont4->RR.width);
|
Add initial support for non-minimal BIGNUMs.
Thanks to Andres Erbsen for extremely helpful suggestions on how finally
plug this long-standing hole!
OpenSSL BIGNUMs are currently minimal-width, which means they cannot be
constant-time. We'll need to either excise BIGNUM from RSA and EC or
somehow fix BIGNUM. EC_SCALAR and later EC_FELEM work will excise it
from EC, but RSA's BIGNUMs are more transparent. Teaching BIGNUM to
handle non-minimal word widths is probably simpler.
The main constraint is BIGNUM's large "calculator" API surface. One
could, in theory, do arbitrary math on RSA components, which means all
public functions must tolerate non-minimal inputs. This is also useful
for EC; https://boringssl-review.googlesource.com/c/boringssl/+/24445 is
silly.
As a first step, fix comparison-type functions that were assuming
minimal BIGNUMs. I've also added bn_resize_words, but it is testing-only
until the rest of the library is fixed.
bn->top is now a loose upper bound we carry around. It does not affect
numerical results, only performance and secrecy. This is a departure
from the original meaning, and compiler help in auditing everything is
nice, so the final change in this series will rename bn->top to
bn->width. Thus these new functions are named per "width", not "top".
Looking further ahead, how are output BIGNUM widths determined? There's
three notions of correctness here:
1. Do I compute the right answer for all widths?
2. Do I handle secret data in constant time?
3. Does my memory usage not balloon absurdly?
For (1), a BIGNUM function must give the same answer for all input
widths. BN_mod_add_quick may assume |a| < |m|, but |a| may still be
wider than |m| by way of leading zeres. The simplest approach is to
write code in a width-agnostic way and rely on functions to accept all
widths. Where functions need to look at bn->d, we'll a few helper
functions to smooth over funny widths.
For (2), (1) is little cumbersome. Consider constant-time modular
addition. A sane type system would guarantee input widths match. But C
is weak here, and bifurcating the internals is a lot of work. Thus, at
least for now, I do not propose we move RSA's internal computation out
of BIGNUM. (EC_SCALAR/EC_FELEM are valuable for EC because we get to
stack-allocate, curves were already specialized, and EC only has two
types with many operations on those types. None of these apply to RSA.
We've got numbers mod n, mod p, mod q, and their corresponding
exponents, each of which is used for basically one operation.)
Instead, constant-time BIGNUM functions will output non-minimal widths.
This is trivial for BN_bin2bn or modular arithmetic. But for BN_mul,
constant-time[*] would dictate r->top = a->top + b->top. A calculator
repeatedly multiplying by one would then run out of memory. Those we'll
split into a private BN_mul_fixed for crypto, leaving BN_mul for
calculators. BN_mul is just BN_mul_fixed followed by bn_correct_top.
[*] BN_mul is not constant-time for other reasons, but that will be
fixed separately.
Bug: 232
Change-Id: Ide2258ae8c09a9a41bb71d6777908d1c27917069
Reviewed-on: https://boringssl-review.googlesource.com/25244
Reviewed-by: Adam Langley <agl@google.com>
2018-01-20 20:56:53 +00:00
|
|
|
}
|
2018-01-30 01:14:09 +00:00
|
|
|
|
|
|
|
TEST_F(BNTest, CountLowZeroBits) {
|
2018-02-04 03:39:35 +00:00
|
|
|
bssl::UniquePtr<BIGNUM> bn(BN_new());
|
|
|
|
ASSERT_TRUE(bn);
|
2018-01-30 01:14:09 +00:00
|
|
|
|
2018-02-04 03:39:35 +00:00
|
|
|
for (int i = 0; i < BN_BITS2; i++) {
|
|
|
|
SCOPED_TRACE(i);
|
|
|
|
for (int set_high_bits = 0; set_high_bits < 2; set_high_bits++) {
|
|
|
|
BN_ULONG word = ((BN_ULONG)1) << i;
|
|
|
|
if (set_high_bits) {
|
|
|
|
BN_ULONG junk;
|
|
|
|
RAND_bytes(reinterpret_cast<uint8_t *>(&junk), sizeof(junk));
|
|
|
|
word |= junk & ~(word - 1);
|
|
|
|
}
|
|
|
|
SCOPED_TRACE(word);
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_set_word(bn.get(), word));
|
|
|
|
EXPECT_EQ(i, BN_count_low_zero_bits(bn.get()));
|
|
|
|
ASSERT_TRUE(bn_resize_words(bn.get(), 16));
|
|
|
|
EXPECT_EQ(i, BN_count_low_zero_bits(bn.get()));
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_set_word(bn.get(), word));
|
|
|
|
ASSERT_TRUE(BN_lshift(bn.get(), bn.get(), BN_BITS2 * 5));
|
|
|
|
EXPECT_EQ(i + BN_BITS2 * 5, BN_count_low_zero_bits(bn.get()));
|
|
|
|
ASSERT_TRUE(bn_resize_words(bn.get(), 16));
|
|
|
|
EXPECT_EQ(i + BN_BITS2 * 5, BN_count_low_zero_bits(bn.get()));
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_set_word(bn.get(), word));
|
|
|
|
ASSERT_TRUE(BN_set_bit(bn.get(), BN_BITS2 * 5));
|
|
|
|
EXPECT_EQ(i, BN_count_low_zero_bits(bn.get()));
|
|
|
|
ASSERT_TRUE(bn_resize_words(bn.get(), 16));
|
|
|
|
EXPECT_EQ(i, BN_count_low_zero_bits(bn.get()));
|
|
|
|
}
|
|
|
|
}
|
2018-01-30 01:14:09 +00:00
|
|
|
|
2018-02-04 03:39:35 +00:00
|
|
|
BN_zero(bn.get());
|
|
|
|
EXPECT_EQ(0, BN_count_low_zero_bits(bn.get()));
|
|
|
|
ASSERT_TRUE(bn_resize_words(bn.get(), 16));
|
|
|
|
EXPECT_EQ(0, BN_count_low_zero_bits(bn.get()));
|
2018-01-30 01:14:09 +00:00
|
|
|
}
|
2018-07-21 00:29:14 +01:00
|
|
|
|
|
|
|
TEST_F(BNTest, WriteIntoNegative) {
|
|
|
|
bssl::UniquePtr<BIGNUM> r(BN_new());
|
|
|
|
ASSERT_TRUE(r);
|
|
|
|
bssl::UniquePtr<BIGNUM> two(BN_new());
|
|
|
|
ASSERT_TRUE(two);
|
|
|
|
ASSERT_TRUE(BN_set_word(two.get(), 2));
|
|
|
|
bssl::UniquePtr<BIGNUM> three(BN_new());
|
|
|
|
ASSERT_TRUE(three);
|
|
|
|
ASSERT_TRUE(BN_set_word(three.get(), 3));
|
|
|
|
bssl::UniquePtr<BIGNUM> seven(BN_new());
|
|
|
|
ASSERT_TRUE(seven);
|
|
|
|
ASSERT_TRUE(BN_set_word(seven.get(), 7));
|
|
|
|
|
|
|
|
ASSERT_TRUE(BN_set_word(r.get(), 1));
|
|
|
|
BN_set_negative(r.get(), 1);
|
|
|
|
ASSERT_TRUE(BN_mod_add_quick(r.get(), two.get(), three.get(), seven.get()));
|
|
|
|
EXPECT_TRUE(BN_is_word(r.get(), 5));
|
|
|
|
EXPECT_FALSE(BN_is_negative(r.get()));
|
|
|
|
|
|
|
|
BN_set_negative(r.get(), 1);
|
|
|
|
ASSERT_TRUE(BN_mod_sub_quick(r.get(), two.get(), three.get(), seven.get()));
|
|
|
|
EXPECT_TRUE(BN_is_word(r.get(), 6));
|
|
|
|
EXPECT_FALSE(BN_is_negative(r.get()));
|
|
|
|
}
|
2018-12-31 20:44:33 +00:00
|
|
|
|
|
|
|
#if defined(OPENSSL_BN_ASM_MONT) && defined(SUPPORTS_ABI_TEST)
|
|
|
|
TEST_F(BNTest, BNMulMontABI) {
|
|
|
|
for (size_t words : {4, 5, 6, 7, 8, 16, 32}) {
|
|
|
|
SCOPED_TRACE(words);
|
|
|
|
|
|
|
|
bssl::UniquePtr<BIGNUM> m(BN_new());
|
|
|
|
ASSERT_TRUE(m);
|
|
|
|
ASSERT_TRUE(BN_set_bit(m.get(), 0));
|
|
|
|
ASSERT_TRUE(BN_set_bit(m.get(), words * BN_BITS2 - 1));
|
|
|
|
bssl::UniquePtr<BN_MONT_CTX> mont(
|
|
|
|
BN_MONT_CTX_new_for_modulus(m.get(), ctx()));
|
|
|
|
ASSERT_TRUE(mont);
|
|
|
|
|
|
|
|
std::vector<BN_ULONG> r(words), a(words), b(words);
|
|
|
|
a[0] = 1;
|
|
|
|
b[0] = 42;
|
|
|
|
|
|
|
|
CHECK_ABI(bn_mul_mont, r.data(), a.data(), b.data(), mont->N.d, mont->n0,
|
|
|
|
words);
|
|
|
|
CHECK_ABI(bn_mul_mont, r.data(), a.data(), a.data(), mont->N.d, mont->n0,
|
|
|
|
words);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif // OPENSSL_BN_ASM_MONT && SUPPORTS_ABI_TEST
|
2019-01-26 20:57:51 +00:00
|
|
|
|
|
|
|
#if defined(RSAZ_ENABLED) && defined(SUPPORTS_ABI_TEST)
|
|
|
|
TEST_F(BNTest, RSAZABI) {
|
|
|
|
if (!rsaz_avx2_capable()) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
alignas(64) BN_ULONG table[32 * 18] = {0};
|
|
|
|
alignas(64) BN_ULONG rsaz1[40], rsaz2[40], rsaz3[40], n_rsaz[40];
|
|
|
|
BN_ULONG norm[16], n_norm[16];
|
|
|
|
|
|
|
|
OPENSSL_memset(norm, 0x42, sizeof(norm));
|
|
|
|
OPENSSL_memset(n_norm, 0x99, sizeof(n_norm));
|
|
|
|
|
|
|
|
bssl::UniquePtr<BIGNUM> n(BN_new());
|
|
|
|
ASSERT_TRUE(n);
|
|
|
|
ASSERT_TRUE(bn_set_words(n.get(), n_norm, 16));
|
|
|
|
bssl::UniquePtr<BN_MONT_CTX> mont(
|
|
|
|
BN_MONT_CTX_new_for_modulus(n.get(), nullptr));
|
|
|
|
ASSERT_TRUE(mont);
|
|
|
|
const BN_ULONG k = mont->n0[0];
|
|
|
|
|
|
|
|
CHECK_ABI(rsaz_1024_norm2red_avx2, rsaz1, norm);
|
|
|
|
CHECK_ABI(rsaz_1024_norm2red_avx2, n_rsaz, n_norm);
|
|
|
|
CHECK_ABI(rsaz_1024_sqr_avx2, rsaz2, rsaz1, n_rsaz, k, 1);
|
|
|
|
CHECK_ABI(rsaz_1024_sqr_avx2, rsaz3, rsaz2, n_rsaz, k, 4);
|
|
|
|
CHECK_ABI(rsaz_1024_mul_avx2, rsaz3, rsaz1, rsaz2, n_rsaz, k);
|
|
|
|
CHECK_ABI(rsaz_1024_scatter5_avx2, table, rsaz3, 7);
|
|
|
|
CHECK_ABI(rsaz_1024_gather5_avx2, rsaz1, table, 7);
|
|
|
|
CHECK_ABI(rsaz_1024_red2norm_avx2, norm, rsaz1);
|
|
|
|
}
|
|
|
|
#endif // RSAZ_ENABLED && SUPPORTS_ABI_TEST
|