Commit bb565cd2 authored by Bodo Möller's avatar Bodo Möller Committed by Emilia Kasper
Browse files

Backport regression test 



master branch has a specific regression test for a bug in x86_64-mont5 code,
see commit cdfe0fdd.

This code is now in 1.0.2/1.0.1, so also backport the test.

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
parent a43bcd9e

crypto/bn/bntest.c

+76 −0
Original line number Diff line number Diff line
@@ -107,6 +107,7 @@ int test_mod(BIO *bp,BN_CTX *ctx); 
int test_mod_mul(BIO *bp,BN_CTX *ctx);

int test_mod_exp(BIO *bp,BN_CTX *ctx);

int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);

int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);

int test_exp(BIO *bp,BN_CTX *ctx);

int test_gf2m_add(BIO *bp);

int test_gf2m_mod(BIO *bp);
@@ -249,6 +250,7 @@ int main(int argc, char *argv[]) 


	message(out,"BN_mod_exp_mont_consttime");

	if (!test_mod_exp_mont_consttime(out,ctx)) goto err;

	if (!test_mod_exp_mont5(out,ctx)) goto err;

	(void)BIO_flush(out);



	message(out,"BN_exp");
@@ -1012,6 +1014,80 @@ int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx) 
	return(1);

	}



/* Test constant-time modular exponentiation with 1024-bit inputs,

 * which on x86_64 cause a different code branch to be taken.

 */

int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)

	{

	BIGNUM *a,*p,*m,*d,*e;



	BN_MONT_CTX *mont;



	a=BN_new();

	p=BN_new();

	m=BN_new();

	d=BN_new();

	e=BN_new();



	mont = BN_MONT_CTX_new();



	BN_bntest_rand(m,1024,0,1); /* must be odd for montgomery */

	/* Zero exponent */

	BN_bntest_rand(a,1024,0,0);

	BN_zero(p);

	if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))

		return 0;

	if(!BN_is_one(d))

		{

		fprintf(stderr, "Modular exponentiation test failed!\n");

		return 0;

		}

	/* Zero input */

	BN_bntest_rand(p,1024,0,0);

	BN_zero(a);

	if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))

		return 0;

	if(!BN_is_zero(d))

		{

		fprintf(stderr, "Modular exponentiation test failed!\n");

		return 0;

		}

	/* Craft an input whose Montgomery representation is 1,

	 * i.e., shorter than the modulus m, in order to test

	 * the const time precomputation scattering/gathering.

	 */

	BN_one(a);

	BN_MONT_CTX_set(mont,m,ctx);

	if(!BN_from_montgomery(e,a,mont,ctx))

		return 0;

	if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))

		return 0;

	if(!BN_mod_exp_simple(a,e,p,m,ctx))

		return 0;

	if(BN_cmp(a,d) != 0)

		{

		fprintf(stderr,"Modular exponentiation test failed!\n");

		return 0;

		}

	/* Finally, some regular test vectors. */

	BN_bntest_rand(e,1024,0,0);

	if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))

		return 0;

	if(!BN_mod_exp_simple(a,e,p,m,ctx))

		return 0;

	if(BN_cmp(a,d) != 0)

		{

		fprintf(stderr,"Modular exponentiation test failed!\n");

		return 0;

		}

	BN_free(a);

	BN_free(p);

	BN_free(m);

	BN_free(d);

	BN_free(e);

	return(1);

	}



int test_exp(BIO *bp, BN_CTX *ctx)

	{

	BIGNUM *a,*b,*d,*e,*one;