Bugfix of bn_sqr_mont procedure on SPARC sun4v

The fix for sparcv9-mont.pl came from Andy Polyakov (@dot-asm)

Fixes #15587

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 18:02:33 2026
(Merged from https://github.com/openssl/openssl/pull/29948)

diff --git a/crypto/bn/asm/sparcv9-mont.pl b/crypto/bn/asm/sparcv9-mont.pl
index a7624df99f48de8f0241714ab7e8e03f69b28df9..928b2eca1b679b750475dab524037d5ecc36c6ea 100644 (file)
--- a/crypto/bn/asm/sparcv9-mont.pl
+++ b/crypto/bn/asm/sparcv9-mont.pl
@@ -394,11 +394,11 @@ $code.=<<___;
 
        mulx    $car1,$mul1,$car1
        mulx    $npj,$mul1,$acc1
+       add     $tmp1,$car0,$car0
        add     $tmp0,$car1,$car1
        and     $car0,$mask,$acc0
        ld      [$np+8],$npj                    ! np[2]
        srlx    $car1,32,$car1
-       add     $tmp1,$car1,$car1
        srlx    $car0,32,$car0
        add     $acc0,$car1,$car1
        and     $car0,1,$sbit

diff --git a/test/bntest.c b/test/bntest.c
index aeba02dc0c0962cd2dfc3295e5d57742200769fd..990e11ced39c5bda09222231beeae380c0dded9e 100644 (file)
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -1664,6 +1664,52 @@ err:
     return st;
 }
 
+static int file_modsqr(STANZA *s)
+{
+    BIGNUM *a = NULL, *m = NULL, *mod_sqr = NULL, *ret = NULL;
+    int st = 0;
+
+    if (!TEST_ptr(a = getBN(s, "A"))
+        || !TEST_ptr(m = getBN(s, "M"))
+        || !TEST_ptr(mod_sqr = getBN(s, "ModSqr"))
+        || !TEST_ptr(ret = BN_new()))
+        goto err;
+
+    if (!TEST_true(BN_mod_sqr(ret, a, m, ctx))
+        || !equalBN("A^2 (mod M)", mod_sqr, ret))
+        goto err;
+
+    if (BN_is_odd(m)) {
+        /* Reduce |a| and test the Montgomery version. */
+        BN_MONT_CTX *mont = BN_MONT_CTX_new();
+        BIGNUM *a_tmp = BN_new();
+
+        if (mont == NULL || a_tmp == NULL
+            || !TEST_true(BN_MONT_CTX_set(mont, m, ctx))
+            || !TEST_true(BN_nnmod(a_tmp, a, m, ctx))
+            || !TEST_true(BN_to_montgomery(a_tmp, a_tmp, mont, ctx))
+            || !TEST_true(BN_mod_mul_montgomery(ret, a_tmp, a_tmp,
+                mont, ctx))
+            || !TEST_true(BN_from_montgomery(ret, ret, mont, ctx))
+            || !equalBN("A^2 (mod M) (mont)", mod_sqr, ret))
+            st = 0;
+        else
+            st = 1;
+        BN_MONT_CTX_free(mont);
+        BN_free(a_tmp);
+        if (st == 0)
+            goto err;
+    }
+
+    st = 1;
+err:
+    BN_free(a);
+    BN_free(m);
+    BN_free(mod_sqr);
+    BN_free(ret);
+    return st;
+}
+
 static int file_modexp(STANZA *s)
 {
     BIGNUM *a = NULL, *e = NULL, *m = NULL, *mod_exp = NULL, *ret = NULL;
@@ -3274,6 +3320,7 @@ static int file_test_run(STANZA *s)
         { "Product", file_product },
         { "Quotient", file_quotient },
         { "ModMul", file_modmul },
+        { "ModSqr", file_modsqr },
         { "ModExp", file_modexp },
         { "Exp", file_exp },
         { "ModSqrt", file_modsqrt },

diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
index 85a17e0a05dc1dce20d161eb96b966bc6a402dd6..c162624bda4fc8b7ff3931f7ea2211b0a0d32e96 100644 (file)
--- a/test/recipes/10-test_bn_data/bnmod.txt
+++ b/test/recipes/10-test_bn_data/bnmod.txt
@@ -2010,6 +2010,14 @@ A = ca6c51ba2f410d09bf71d60fe
 B = 8bdfa8fe5ef3b2ad02bc63c4d
 M = 84daecf412b8c50ad6dfdb546c3eb783dcc6f32003eda914bb
 
+# These test vectors satisfy A ^ 2 = ModSqr (mod M) and 0 <= ModSqr < M.
+
+Title = ModSqr tests
+
+# Regression test for https://github.com/openssl/openssl/issues/15587
+ModSqr = 166794ed50cb31b6e6a319f7474416c266d5c3f3115ea2a7ed9638367d1f955f66a7179ee3ce5ee5e04e63c46781f1192beac3abb26ff238f5ed2f5505ae06003ff
+A = 1407833bd4c893195cc32f56a507f15140be687a1994febe0bdbe793125f010a3c1c814737b10ab690498b7990ce4e625ad2f32cbf42626cb9649da38a5c9c76a99
+M = 1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 
 # These test vectors satisfy A ^ E = ModExp (mod M) and 0 <= ModExp < M.