Commit Graph

1404 Commits

Author SHA1 Message Date
Brian Smith
92d60c2059 Use Fermat's Little Theorem when converting points to affine.
Fermat's Little Theorem is already used for the custom curve implementations.
Use it, for the same reasons, for the ec_montgomery-based implementations.

I tested the performance (only) on x86-64 Windows.

Change-Id: Ibf770fd3f2d3e2cfe69f06bc12c81171624ff557
Reviewed-on: https://boringssl-review.googlesource.com/8924
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-28 18:29:32 +00:00
Brian Smith
286fbf2ce0 Add tests for |BN_mod_inverse| with modulus 1.
Zero is only a valid input to or output of |BN_mod_inverse| when the
modulus is one. |BN_MONT_CTX_set| actually depends on this, so test
that this works.

Change-Id: Ic18f1fe786f668394951d4309020c6ead95e5e28
Reviewed-on: https://boringssl-review.googlesource.com/8922
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-28 18:07:03 +00:00
Brian Smith
574f37ff92 gofmt crypto/bn/check_bn_tests.go.
Some gerrit git hook says this is necessary.

Change-Id: I8a7a0a0e6732688c965b43824fe54b2db79a4919
Reviewed-on: https://boringssl-review.googlesource.com/8990
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-27 21:26:02 +00:00
Brian Smith
7241ca5ce4 Avoid one |BN_mod_inverse| in |RSA_check_key|.
|BN_mod_inverse| is expensive and leaky. In this case, we can avoid
it completely by taking advantage of the fact that we already have
the two values that are supposed to be inverses of each other.

Change-Id: I2230b4166fb9d89c7445f9f7c045a4c9e4c377b3
Reviewed-on: https://boringssl-review.googlesource.com/8925
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-27 17:19:11 +00:00
Brian Smith
289c843a9a Refactor BN_rand_range to reduce code duplication.
Besides reducing code duplication, also move the relative location of
the check of |count|. Previously, the code was generating a random
value and then terminating the loop without using it if |count| went
to zero. Now the wasted call to |BN_rand| is not made.

Also add a note about the applicability of the special case logic for
|range| of the form |0b100...| to RSA blinding.

Change-Id: Iaa33b9529f1665ac59aefcc8b371fa32445e7578
Reviewed-on: https://boringssl-review.googlesource.com/8960
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-27 14:20:16 +00:00
David Benjamin
69e0a457a1 Remove OPENSSL_ALLOW_PROXY_CERTS.
One less random environment variable for us to be sensitive to. (We
should probably unwind all this proxy cert stuff. I don't believe they
are ever enabled.)

Change-Id: I74993178679ea49e60c81d8416e502cbebf02ec9
Reviewed-on: https://boringssl-review.googlesource.com/8948
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 22:49:52 +00:00
David Benjamin
ac6a84bc7a Always check that the value returned by asn1_do_adb() is non-NULL.
(Imported from upstream's a9b23465243b6d692bb0b419bdbe0b1f5a849e9c,
5e102f96eb6fcdba1db2dba41132f92fa492aea0, and
9bda72880113b2b2262d290b23bdd1d3b19ff5b3.)

Change-Id: Ib608acb86cc128cacf20811c21bf6b38b0520106
Reviewed-on: https://boringssl-review.googlesource.com/8944
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 22:41:51 +00:00
David Benjamin
64ac925601 Fix ASN1_STRING_to_UTF8 could not convert NumericString
tag2nbyte had -1 at 18th position, but underlying ASN1_mbstring_copy
supports NumericString. tag2nbyte is also used in do_print_ex which will
not be broken by setting 1 at 18th position of tag2nbyte

(Imported from upstream's bd598cc405e981de259a07558e600b5a9ef64bd6.)

Change-Id: Ie063afcaac8a7d5046cdb385059b991b92cd6659
Reviewed-on: https://boringssl-review.googlesource.com/8946
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 22:41:42 +00:00
David Benjamin
abaef2e869 Fix omitted selector handling.
The selector field could be omitted because it has a DEFAULT value.
In this case *sfld == NULL (sfld can never be NULL). This was not
noticed because this was never used in existing ASN.1 modules.

(Imported from upstream's c4210673313482edacede58d92e92c213d7a181a.)

svaldez and I stared at this for a while and we believe this change is
correct. It's also irrelevant because our only remaining ADB (ANY
DEFINED BY) table is POLICYQUALINFO which does not allow its selector to
be omitted. Also, if it did, it would be a slight change in behavior.
We'd switch from using POLICYQUALINFO's default_tt (filling in an
ASN1_ANY) to its null_tt (which doesn't exist, so error).

Change-Id: If6a929e3dafca18431775b01958d0dae1c09f3b4
Reviewed-on: https://boringssl-review.googlesource.com/8943
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 20:01:37 +00:00
David Benjamin
ee2aea0d9b Fix an error path leak in int X509_ATTRIBUTE_set1_data()
(Imported from upstream's e6f65f769d87846bdc5b58ef8d2ef4074044022d.)

Change-Id: I95df13561481e98faaf8227561228c151dd344b6
Reviewed-on: https://boringssl-review.googlesource.com/8942
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 19:53:44 +00:00
David Benjamin
51162639ec Import (unreachable) bsaes-armv7.pl XTS fixes.
This imports upstream's b62e9bf5cbbe278b7e0017c9234999dae68ee867 and
c3bc7f498815b355533d96b54b9a09e030d4130c. This is a no-op since we don't
use the XTS bits though keep the files in sync so long as we have them.

Comparing to master, we're now up-to-date on that file except for
a285992763f3961f69a8d86bf7dfff020a08cef9. (I've left that alone since
that touches lots of files and we should probably get better test
configuration before importing something scary like #undef __thumb2__.)

Change-Id: Ie0556757c954ef559e03a6d62c940d5901ca704a
Reviewed-on: https://boringssl-review.googlesource.com/8945
Reviewed-by: Adam Langley <agl@google.com>
2016-07-26 19:47:12 +00:00
David Benjamin
599922feee Fix an error path leak in do_ext_nconf()
(Imported from upstream's 4457017587efae316ac10b159f2e5b0cc81d9921. This
also applies the change in
https://github.com/openssl/openssl/pull/1351.)

Change-Id: Ief4e4b282f5e987981922d127b5345d374d009cf
Reviewed-on: https://boringssl-review.googlesource.com/8941
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 19:11:01 +00:00
David Benjamin
4ff41f614c Check for overflow in CBB_add_u24.
All other CBB_add_u<N> functions take a narrowed type, but not every
uint32_t may fit in a u24. Check for this rather than silently truncate.

Change-Id: I23879ad0f4d2934f257e39e795cf93c6e3e878bf
Reviewed-on: https://boringssl-review.googlesource.com/8940
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-26 15:19:41 +00:00
David Benjamin
ebec9c341b Inline bio_set.
It's only called in one place. The comment about stack-allocated BIOs no
longer applies.

Change-Id: I5a3cec30bcb46bf1ee2bffd6117485383520b314
Reviewed-on: https://boringssl-review.googlesource.com/8902
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-25 18:44:46 +00:00
Adam Langley
d5d24fd14e Add mod_mul tests where M ≪ A and B.
BN_mod_mul_montgomery has a problem where the modulus is much smaller
than one of the arguments. While bn_test.cc knows this and reduces the
inputs before testing |BN_mod_mul_montgomery|, none of the previous test
vectors actually failed without this. (Except those that passed negative
vaules.)

This change adds tests where M ≪ A and B.

Change-Id: I53b5188ea5fb5e48d0d197718ed33c644cde8477
Reviewed-on: https://boringssl-review.googlesource.com/8890
Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Brian Smith <brian@briansmith.org>
Commit-Queue: David Benjamin <davidben@google.com>
2016-07-22 14:47:24 +00:00
David Benjamin
00d7a7cee7 Drop cached certificate signature validity flag
It seems risky in the context of cross-signed certificates when the
same certificate might have multiple potential issuers.  Also rarely
used, since chains in OpenSSL typically only employ self-signed
trust-anchors, whose self-signatures are not checked, while untrusted
certificates are generally ephemeral.

(Imported from upstream's 0e76014e584ba78ef1d6ecb4572391ef61c4fb51.)

This is in master and not 1.0.2, but having a per-certificate signature
cache when this is a function of signature and issuer seems dubious at
best. Thanks to Viktor Dukhovni for pointing this change out to me.
(And for making the original change upstream, of course.)

Change-Id: Ie692d651726f14aeba6eaab03ac918fcaedb4eeb
Reviewed-on: https://boringssl-review.googlesource.com/8880
Reviewed-by: Adam Langley <agl@google.com>
2016-07-21 17:46:15 +00:00
Brian Smith
c7fe3b9ac5 Ensure result affine coordinates in nistz256 are fully reduced.
Revert 3f3358ac15. Add documentation
clarifying the misunderstanding that lead to the mistake, and make use
of the recently-added |bn_set_words|.

Change-Id: I58814bace3db3b0b44e2dfe09c44918a4710c621
Reviewed-on: https://boringssl-review.googlesource.com/8831
Reviewed-by: Adam Langley <agl@google.com>
2016-07-19 22:26:53 +00:00
David Benjamin
93a034a7d7 CBBs are in an undefined state after an operation failed.
Our CBB patterns do not make it safe to use a CBB after any operation
failed. Suppose one does:

  int add_to_cbb(CBB *cbb) {
    CBB child;
    return CBB_add_u8(cbb, 1) &&
           CBB_add_u8_length_prefixed(cbb, &child) &&
           CBB_add_u8(&child, 2) &&
           /* Flush |cbb| before |child| goes out of scoped. */
           CBB_flush(cbb);
  }

If one of the earlier operations fails, any attempt to use |cbb| (except
CBB_cleanup) would hit a memory error. Doing this would be a bug anyway,
since the CBB would be in an undefined state anyway (wrote only half my
object), but the memory error is bad manners.

Officially document that using a CBB after failure is illegal and, to
avoid the memory error, set a poison bit on the cbb_buffer_st to prevent
all future operations. In theory we could make failure +
CBB_discard_child work, but this is not very useful and would require a
more complex CBB pattern.

Change-Id: I4303ee1c326785849ce12b5f7aa8bbde6b95d2ec
Reviewed-on: https://boringssl-review.googlesource.com/8840
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-19 20:51:51 +00:00
Brian Smith
feff406782 Switch one point addition to a point doubling in p256-x86_64.c.
Change-Id: I67d8e72ff6f7d0b5d2393555b236510c391f2e78
Reviewed-on: https://boringssl-review.googlesource.com/8830
Reviewed-by: Adam Langley <agl@google.com>
2016-07-18 16:07:09 +00:00
Steven Valdez
143e8b3fd9 Add TLS 1.3 1-RTT.
This adds the machinery for doing TLS 1.3 1RTT.

Change-Id: I736921ffe9dc6f6e64a08a836df6bb166d20f504
Reviewed-on: https://boringssl-review.googlesource.com/8720
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-18 09:54:46 +00:00
David Benjamin
61672818ef Check for buffered handshake messages on cipher change in DTLS.
This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It
is possible for us to, while receiving pre-CCS handshake messages, to
buffer up a message with sequence number meant for a post-CCS Finished.
When we then get to the new epoch and attempt to read the Finished, we
will process the buffered Finished although it was sent with the wrong
encryption.

Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is
a property of the transport. Notably, read_state may fail. In DTLS
check the handshake buffer size. We could place this check in
read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so
we will need to implement this at the cipher change point anyway. (For
now, there is only an assert on the TLS side. This will be replaced with
a proper check in TLS 1.3.)

Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297
Reviewed-on: https://boringssl-review.googlesource.com/8790
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-16 08:25:02 +00:00
David Benjamin
edd65fb132 Const-correct HKDF_expand.
prk should be a const parameter.

Change-Id: I2369ed9f87fc3c59afc07d3b667b86aec340052e
Reviewed-on: https://boringssl-review.googlesource.com/8810
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-16 07:55:19 +00:00
Matt Braithwaite
1c256544dd RSA_marshal_private_key: add missing CBB_flush()
Change-Id: I2584bd86473be5b9d92a13b65dc78658a433a375
Reviewed-on: https://boringssl-review.googlesource.com/8737
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-13 03:49:41 +00:00
David Benjamin
1f61f0d7c3 Implement TLS 1.3's downgrade signal.
For now, skip the 1.2 -> 1.1 signal since that will affect shipping
code. We may as well enable it too, but wait until things have settled
down. This implements the version in draft-14 since draft-13's isn't
backwards-compatible.

Change-Id: I46be43e6f4c5203eb4ae006d1c6a2fe7d7a949ec
Reviewed-on: https://boringssl-review.googlesource.com/8724
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-12 19:17:43 +00:00
Adam Langley
310d3f63f3 Change |EVP_PKEY_up_ref| to return int.
Upstream have added |EVP_PKEY_up_ref|, but their version returns an int.
Having this function with a different signature like that is dangerous
so this change aligns BoringSSL with upstream. Users of this function in
Chromium and internally should already have been updated.

Change-Id: I0a7aeaf1a1ca3b0f0c635e2ee3826aa100b18157
Reviewed-on: https://boringssl-review.googlesource.com/8736
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-12 17:55:41 +00:00
Adam Langley
27516f7c97 Add no-op function ENGINE_register_all_complete.
libssh2 expects this function.

Change-Id: Ie2d6ceb25d1b633e1363e82f8a6c187b75a4319f
Reviewed-on: https://boringssl-review.googlesource.com/8735
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-12 17:54:41 +00:00
David Benjamin
ea9a0d5313 Refine SHA-1 default in signature algorithm negotiation.
Rather than blindly select SHA-1 if we can't find a matching one, act as
if the peer advertised rsa_pkcs1_sha1 and ecdsa_sha1. This means that we
will fail the handshake if no common algorithm may be found.

This is done in preparation for removing the SHA-1 default in TLS 1.3.

Change-Id: I3584947909d3d6988b940f9404044cace265b20d
Reviewed-on: https://boringssl-review.googlesource.com/8695
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-12 16:32:31 +00:00
Adam Langley
10f97f3bfc Revert "Move C++ helpers into |bssl| namespace."
This reverts commit 09feb0f3d9.

(In order to make WebRTC happy this also needs to be reverted.)
2016-07-12 08:09:33 -07:00
Adam Langley
d2b5af56cf Revert scoped_types.h change.
This reverts commits:
8d79ed6740
19fdcb5234
8d79ed6740

Because WebRTC (at least) includes our headers in an extern "C" block,
which precludes having any C++ in them.

Change-Id: Ia849f43795a40034cbd45b22ea680b51aab28b2d
2016-07-12 08:05:38 -07:00
David Benjamin
0ee319322c Breaking news: 1998 has come and gone.
Last month's canary for loop did not die in the coal mine of decrepit
toolchains. Make a note of this in STYLE.md so we know to start breeding
more of them. We can indeed declare index variables like it's 1999.

I haven't bothered to convert all of our for loops because that will be
tedious, but we can do it as we touch the code. Or if someone feels
really really bored.

BUG=47

Change-Id: Ib76c0767c1b509e825eac66f8c2e3ee2134e2493
Reviewed-on: https://boringssl-review.googlesource.com/8740
Reviewed-by: Adam Langley <agl@google.com>
2016-07-11 23:51:47 +00:00
Adam Langley
8c3c3135a2 Remove scoped_types.h.
This change scatters the contents of the two scoped_types.h files into
the headers for each of the areas of the code. The types are now in the
|bssl| namespace.

Change-Id: I802b8de68fba4786b6a0ac1bacd11d81d5842423
Reviewed-on: https://boringssl-review.googlesource.com/8731
Reviewed-by: Adam Langley <agl@google.com>
2016-07-11 23:08:27 +00:00
Adam Langley
09feb0f3d9 Move C++ helpers into |bssl| namespace.
We currently have the situation where the |tool| and |bssl_shim| code
includes scoped_types.h from crypto/test and ssl/test. That's weird and
shouldn't happen. Also, our C++ consumers might quite like to have
access to the scoped types.

Thus this change moves some of the template code to base.h and puts it
all in a |bssl| namespace to prepare for scattering these types into
their respective headers. In order that all the existing test code be
able to access these types, it's all moved into the same namespace.

Change-Id: I3207e29474dc5fcc344ace43119df26dae04eabb
Reviewed-on: https://boringssl-review.googlesource.com/8730
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 23:04:52 +00:00
David Benjamin
4748944644 Reorder functions in bn_test.
We usually put main at the end. There's now nothing interesting in the
function, so avoid having to declare every test at the top.

Change-Id: Iac469f41f0fb7d1f58d12dfbf651bf0d39f073d0
Reviewed-on: https://boringssl-review.googlesource.com/8712
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 21:58:03 +00:00
David Benjamin
ffb7adccc7 Convert BN_mod_sqrt tests to bn_tests.txt.
That removes the last of the bc stuff.

BUG=31

Change-Id: If64c974b75c36daf14c46f07b0d9355b7cd0adcb
Reviewed-on: https://boringssl-review.googlesource.com/8711
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 21:57:04 +00:00
Alessandro Ghedini
0d099f0f1b Define RAND_cleanup in one place only
Change-Id: I439e275394c2ad686924f4e7dfc99cfdc7bb14b9
Reviewed-on: https://boringssl-review.googlesource.com/8682
Reviewed-by: Adam Langley <agl@google.com>
2016-07-11 17:02:45 +00:00
David Benjamin
ce9a2166d6 Document that BN_mod_sqrt assumes p is a prime.
Change-Id: I5be2337ce6c333b704894c64e7931919bc047995
Reviewed-on: https://boringssl-review.googlesource.com/8595
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:15:41 +00:00
David Benjamin
4cb00ba08c Convert test_exp to bn_tests.txt.
Amazingly, this function actually has (not crypto-related) callers, despite
being pretty much useless for cryptography.

BUG=31

Change-Id: I440827380995695c7a15bbf2220a05ffb28d9335
Reviewed-on: https://boringssl-review.googlesource.com/8594
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:15:28 +00:00
David Benjamin
ad6d33c70d Convert test_mod_exp_mont5 test vectors.
These were generated by running test_mod_exp_mont5 10 times. The values with
Montgomery representation 1 were generated separately so the test file could
preserve the comment. (Though, at 10,000 lines, no one's going to find it...)

BUG=31

Change-Id: I8e9d4d6d7b5f7d283bd259df10a1dbdc90b888cf
Reviewed-on: https://boringssl-review.googlesource.com/8611
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:15:17 +00:00
David Benjamin
45a8c8a3c4 Convert test_mod_exp and test_mod_exp_consttime.
Honestly, with this size of number, they're pretty bad test vectors.
test_mod_exp_mont5 will be imported in the next commit which should help.

This was done by taking test_mod_exp's generation, running it a few times
(since otherwise the modulus is always the same). I also ran it a few times
with the odd constraint removed since BN_mod_exp is supposed to support it,
even if it's not actually useful.

BUG=31

Change-Id: Id53953f0544123a5ea71efac534946055dd5aabc
Reviewed-on: https://boringssl-review.googlesource.com/8610
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:12:49 +00:00
David Benjamin
28a8c2fe25 Fold the rest of test_sqrt into TestSquare.
BUG=31

Change-Id: Ief7bda365c3d786f946caaba0ab2af03c50459c3
Reviewed-on: https://boringssl-review.googlesource.com/8609
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:12:37 +00:00
David Benjamin
5a13e40ab6 Convert test_mont and test_mod_mul to bn_tests.txt.
That one needs reduced inputs and the other ought to be also tested against
unreduced ones is a bit annoying. But the previous commit made sure BN_nnmod
has tests, and test_mont could stand to inherit test_mod_mul's test data (it
only had five tests originally!), so I merged them.

BUG=31

Change-Id: I1eb585b14f85f0ea01ee81537a01e07ced9f5d9a
Reviewed-on: https://boringssl-review.googlesource.com/8608
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:12:13 +00:00
David Benjamin
e8317a5530 Add tests for BN_nnmod.
Change-Id: Ic72e00bb01d254408671b3f8d036be3cd4c06086
Reviewed-on: https://boringssl-review.googlesource.com/8606
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:11:53 +00:00
David Benjamin
7819409e13 Generate more test data in test_mont.
In preparation for converting test_mont and test_mod_mul to test vectors, make
test_mont less silly. We can certainly get away with doing more than five
tests. Also generate |a| and |b| anew each time. Otherwise the first BN_nmod is
destructive.

Change-Id: I944007ed7b6013a16d972cb7290ab9992c9360ce
Reviewed-on: https://boringssl-review.googlesource.com/8605
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:11:33 +00:00
David Benjamin
56cbbe5b8d Use BN_set_bit in TestLShift1.
No need for the special case and such.

Change-Id: If8fbc73eda0ccbaf3fd422e97c96fee6dc10b1ab
Reviewed-on: https://boringssl-review.googlesource.com/8604
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:11:11 +00:00
David Benjamin
66a0e6e37d Add a Go tool to check bn_tests.txt.
Since the format no longer is readable by bc, compare it to Go's math/big
instead.

Change-Id: I34d37aa0c29c6f4178267858cb0d3941b4266b93
Reviewed-on: https://boringssl-review.googlesource.com/8603
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:09:49 +00:00
David Benjamin
1701776908 Clarify how Quotient tests do rounding.
Change-Id: Ifea17a894065cce607845208c96e2092e4632d61
Reviewed-on: https://boringssl-review.googlesource.com/8607
Reviewed-by: Adam Langley <agl@google.com>
2016-07-06 22:17:26 +00:00
Brian Smith
3d4030b5f7 Test |BN_uadd| and |BN_usub|.
Also, update the documentation about aliasing for |BN_usub|. It might
be better to find a way to factor out the shared logic between the
tests of these functions and the tests of |BN_add| and |BN_usub|, but
doing so would end up up creating a lot of parameters due to the many
distinct strings used in the messages.

Change-Id: Ic9d714858212fc92aa6bbcc3959576fe6bbf58c3
Reviewed-on: https://boringssl-review.googlesource.com/8593
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 18:18:21 +00:00
Brian Smith
e4bf8b3e05 Test aliasing in |BN_add| and |BN_sub|.
Also update the documentation for |BN_sub|.

Change-Id: I544dbfc56f22844f6ca08e9e472ec13e76baf8c4
Reviewed-on: https://boringssl-review.googlesource.com/8592
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 17:58:28 +00:00
Brian Smith
fe47ba2fc5 Test |BN_add_word| and |BN_sub_word|.
Change-Id: If2be0632aef7f2be1c43650e993a89518b354f60
Reviewed-on: https://boringssl-review.googlesource.com/8591
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-01 21:53:14 +00:00
Brian Smith
b72f66f59c Test |BN_mod_exp_mont| with zero and even modulus too.
|BN_mod_exp_mont| should be tested the same way as the other variants,
especially since it is exported.

Change-Id: I8c05725289c0ebcce7aba7e666915c4c1a841c2b
Reviewed-on: https://boringssl-review.googlesource.com/8590
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-01 21:42:19 +00:00