test/exptest.c

   1 /*
   2  * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <stdio.h>
  11 #include <stdlib.h>
  12 #include <string.h>
  13
  14 #include "internal/nelem.h"
  15
  16 #include <openssl/bio.h>
  17 #include <openssl/bn.h>
  18 #include <openssl/rand.h>
  19 #include <openssl/err.h>
  20
  21 #include "testutil.h"
  22
  23 #define NUM_BITS        (BN_BITS2 * 4)
  24
  25 #define BN_print_var(v) test_output_bignum(#v, v)
  26
  27 /*
  28  * Test that r == 0 in test_exp_mod_zero(). Returns one on success,
  29  * returns zero and prints debug output otherwise.
  30  */
  31 static int a_is_zero_mod_one(const char *method, const BIGNUM *r,
  32                              const BIGNUM *a)
  33 {
  34     if (!BN_is_zero(r)) {
  35         TEST_error("%s failed: a ** 0 mod 1 = r (should be 0)", method);
  36         BN_print_var(a);
  37         BN_print_var(r);
  38         return 0;
  39     }
  40     return 1;
  41 }
  42
  43 /*
  44  * test_mod_exp_zero tests that x**0 mod 1 == 0. It returns zero on success.
  45  */
  46 static int test_mod_exp_zero(void)
  47 {
  48     BIGNUM *a = NULL, *p = NULL, *m = NULL;
  49     BIGNUM *r = NULL;
  50     BN_ULONG one_word = 1;
  51     BN_CTX *ctx = BN_CTX_new();
  52     int ret = 1, failed = 0;
  53
  54     if (!TEST_ptr(m = BN_new())
  55         || !TEST_ptr(a = BN_new())
  56         || !TEST_ptr(p = BN_new())
  57         || !TEST_ptr(r = BN_new()))
  58         goto err;
  59
  60     BN_one(m);
  61     BN_one(a);
  62     BN_zero(p);
  63
  64     if (!TEST_true(BN_rand(a, 1024, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)))
  65         goto err;
  66
  67     if (!TEST_true(BN_mod_exp(r, a, p, m, ctx)))
  68         goto err;
  69
  70     if (!TEST_true(a_is_zero_mod_one("BN_mod_exp", r, a)))
  71         failed = 1;
  72
  73     if (!TEST_true(BN_mod_exp_recp(r, a, p, m, ctx)))
  74         goto err;
  75
  76     if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_recp", r, a)))
  77         failed = 1;
  78
  79     if (!TEST_true(BN_mod_exp_simple(r, a, p, m, ctx)))
  80         goto err;
  81
  82     if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_simple", r, a)))
  83         failed = 1;
  84
  85     if (!TEST_true(BN_mod_exp_mont(r, a, p, m, ctx, NULL)))
  86         goto err;
  87
  88     if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont", r, a)))
  89         failed = 1;
  90
  91     if (!TEST_true(BN_mod_exp_mont_consttime(r, a, p, m, ctx, NULL)))
  92         goto err;
  93
  94     if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a)))
  95         failed = 1;
  96
  97     /*
  98      * A different codepath exists for single word multiplication
  99      * in non-constant-time only.
 100      */
 101     if (!TEST_true(BN_mod_exp_mont_word(r, one_word, p, m, ctx, NULL)))
 102         goto err;
 103
 104     if (!TEST_BN_eq_zero(r)) {
 105         TEST_error("BN_mod_exp_mont_word failed: "
 106                    "1 ** 0 mod 1 = r (should be 0)");
 107         BN_print_var(r);
 108         goto err;
 109     }
 110
 111     ret = !failed;
 112  err:
 113     BN_free(r);
 114     BN_free(a);
 115     BN_free(p);
 116     BN_free(m);
 117     BN_CTX_free(ctx);
 118
 119     return ret;
 120 }
 121
 122 static int test_mod_exp(int round)
 123 {
 124     BN_CTX *ctx;
 125     unsigned char c;
 126     int ret = 0;
 127     BIGNUM *r_mont = NULL;
 128     BIGNUM *r_mont_const = NULL;
 129     BIGNUM *r_recp = NULL;
 130     BIGNUM *r_simple = NULL;
 131     BIGNUM *a = NULL;
 132     BIGNUM *b = NULL;
 133     BIGNUM *m = NULL;
 134
 135     if (!TEST_ptr(ctx = BN_CTX_new()))
 136         goto err;
 137
 138     if (!TEST_ptr(r_mont = BN_new())
 139         || !TEST_ptr(r_mont_const = BN_new())
 140         || !TEST_ptr(r_recp = BN_new())
 141         || !TEST_ptr(r_simple = BN_new())
 142         || !TEST_ptr(a = BN_new())
 143         || !TEST_ptr(b = BN_new())
 144         || !TEST_ptr(m = BN_new()))
 145         goto err;
 146
 147     if (!TEST_true(RAND_bytes(&c, 1)))
 148         goto err;
 149     c = (c % BN_BITS) - BN_BITS2;
 150     if (!TEST_true(BN_rand(a, NUM_BITS + c, BN_RAND_TOP_ONE,
 151                            BN_RAND_BOTTOM_ANY)))
 152         goto err;
 153
 154     if (!TEST_true(RAND_bytes(&c, 1)))
 155         goto err;
 156     c = (c % BN_BITS) - BN_BITS2;
 157     if (!TEST_true(BN_rand(b, NUM_BITS + c, BN_RAND_TOP_ONE,
 158                            BN_RAND_BOTTOM_ANY)))
 159         goto err;
 160
 161     if (!TEST_true(RAND_bytes(&c, 1)))
 162         goto err;
 163     c = (c % BN_BITS) - BN_BITS2;
 164     if (!TEST_true(BN_rand(m, NUM_BITS + c, BN_RAND_TOP_ONE,
 165                            BN_RAND_BOTTOM_ODD)))
 166         goto err;
 167
 168     if (!TEST_true(BN_mod(a, a, m, ctx))
 169         || !TEST_true(BN_mod(b, b, m, ctx))
 170         || !TEST_true(BN_mod_exp_mont(r_mont, a, b, m, ctx, NULL))
 171         || !TEST_true(BN_mod_exp_recp(r_recp, a, b, m, ctx))
 172         || !TEST_true(BN_mod_exp_simple(r_simple, a, b, m, ctx))
 173         || !TEST_true(BN_mod_exp_mont_consttime(r_mont_const, a, b, m, ctx, NULL)))
 174         goto err;
 175
 176     if (!TEST_BN_eq(r_simple, r_mont)
 177         || !TEST_BN_eq(r_simple, r_recp)
 178         || !TEST_BN_eq(r_simple, r_mont_const)) {
 179         if (BN_cmp(r_simple, r_mont) != 0)
 180             TEST_info("simple and mont results differ");
 181         if (BN_cmp(r_simple, r_mont_const) != 0)
 182             TEST_info("simple and mont const time results differ");
 183         if (BN_cmp(r_simple, r_recp) != 0)
 184             TEST_info("simple and recp results differ");
 185
 186         BN_print_var(a);
 187         BN_print_var(b);
 188         BN_print_var(m);
 189         BN_print_var(r_simple);
 190         BN_print_var(r_recp);
 191         BN_print_var(r_mont);
 192         BN_print_var(r_mont_const);
 193         goto err;
 194     }
 195
 196     ret = 1;
 197  err:
 198     BN_free(r_mont);
 199     BN_free(r_mont_const);
 200     BN_free(r_recp);
 201     BN_free(r_simple);
 202     BN_free(a);
 203     BN_free(b);
 204     BN_free(m);
 205     BN_CTX_free(ctx);
 206
 207     return ret;
 208 }
 209
 210 static int test_mod_exp_x2(int idx)
 211 {
 212     BN_CTX *ctx;
 213     int ret = 0;
 214     BIGNUM *r_mont_const_x2_1 = NULL;
 215     BIGNUM *r_mont_const_x2_2 = NULL;
 216     BIGNUM *r_simple1 = NULL;
 217     BIGNUM *r_simple2 = NULL;
 218     BIGNUM *a1 = NULL;
 219     BIGNUM *b1 = NULL;
 220     BIGNUM *m1 = NULL;
 221     BIGNUM *a2 = NULL;
 222     BIGNUM *b2 = NULL;
 223     BIGNUM *m2 = NULL;
 224     int factor_size = 0;
 225
 226     /*
 227      * Currently only 1024-bit factor size is supported.
 228      */
 229     if (idx <= 100)
 230         factor_size = 1024;
 231
 232     if (!TEST_ptr(ctx = BN_CTX_new()))
 233         goto err;
 234
 235     if (!TEST_ptr(r_mont_const_x2_1 = BN_new())
 236         || !TEST_ptr(r_mont_const_x2_2 = BN_new())
 237         || !TEST_ptr(r_simple1 = BN_new())
 238         || !TEST_ptr(r_simple2 = BN_new())
 239         || !TEST_ptr(a1 = BN_new())
 240         || !TEST_ptr(b1 = BN_new())
 241         || !TEST_ptr(m1 = BN_new())
 242         || !TEST_ptr(a2 = BN_new())
 243         || !TEST_ptr(b2 = BN_new())
 244         || !TEST_ptr(m2 = BN_new()))
 245         goto err;
 246
 247     BN_rand(a1, factor_size, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY);
 248     BN_rand(b1, factor_size, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY);
 249     BN_rand(m1, factor_size, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD);
 250     BN_rand(a2, factor_size, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY);
 251     BN_rand(b2, factor_size, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY);
 252     BN_rand(m2, factor_size, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD);
 253
 254     if (!TEST_true(BN_mod(a1, a1, m1, ctx))
 255         || !TEST_true(BN_mod(b1, b1, m1, ctx))
 256         || !TEST_true(BN_mod(a2, a2, m2, ctx))
 257         || !TEST_true(BN_mod(b2, b2, m2, ctx))
 258         || !TEST_true(BN_mod_exp_simple(r_simple1, a1, b1, m1, ctx))
 259         || !TEST_true(BN_mod_exp_simple(r_simple2, a2, b2, m2, ctx))
 260         || !TEST_true(BN_mod_exp_mont_consttime_x2(r_mont_const_x2_1, a1, b1, m1, NULL,
 261                                                    r_mont_const_x2_2, a2, b2, m2, NULL,
 262                                                    ctx)))
 263         goto err;
 264
 265     if (!TEST_BN_eq(r_simple1, r_mont_const_x2_1)
 266         || !TEST_BN_eq(r_simple2, r_mont_const_x2_2)) {
 267         if (BN_cmp(r_simple1, r_mont_const_x2_1) != 0)
 268             TEST_info("simple and mont const time x2 (#1) results differ");
 269         if (BN_cmp(r_simple2, r_mont_const_x2_2) != 0)
 270             TEST_info("simple and mont const time x2 (#2) results differ");
 271
 272         BN_print_var(a1);
 273         BN_print_var(b1);
 274         BN_print_var(m1);
 275         BN_print_var(a2);
 276         BN_print_var(b2);
 277         BN_print_var(m2);
 278         BN_print_var(r_simple1);
 279         BN_print_var(r_simple2);
 280         BN_print_var(r_mont_const_x2_1);
 281         BN_print_var(r_mont_const_x2_2);
 282         goto err;
 283     }
 284
 285     ret = 1;
 286  err:
 287     BN_free(r_mont_const_x2_1);
 288     BN_free(r_mont_const_x2_2);
 289     BN_free(r_simple1);
 290     BN_free(r_simple2);
 291     BN_free(a1);
 292     BN_free(b1);
 293     BN_free(m1);
 294     BN_free(a2);
 295     BN_free(b2);
 296     BN_free(m2);
 297     BN_CTX_free(ctx);
 298
 299     return ret;
 300 }
 301
 302 int setup_tests(void)
 303 {
 304     ADD_TEST(test_mod_exp_zero);
 305     ADD_ALL_TESTS(test_mod_exp, 200);
 306     ADD_ALL_TESTS(test_mod_exp_x2, 100);
 307     return 1;
 308 }