handle negative scalars correctly when doing point multiplication

[openssl.git] / crypto / ec / ectest.c

diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index ac9eec859806f2cd098b0e8b267e3c6198ac1f68..766a0dbc753e4fedcbb1d5a593be03d221791b54 100644 (file)
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -90,7 +90,7 @@ void timings(EC_GROUP *group, int simult, BN_CTX *ctx)
        if (!EC_GROUP_get_curve_GFp(group, s, NULL, NULL, ctx)) ABORT;
        fprintf(stdout, "Timings for %d bit prime, ", (int)BN_num_bits(s));
        if (!EC_GROUP_get_order(group, s, ctx)) ABORT;
-       fprintf(stdout, "%d bit exponents ", (int)BN_num_bits(s));
+       fprintf(stdout, "%d bit scalars ", (int)BN_num_bits(s));
        fflush(stdout);
 
        P = EC_POINT_new(group);
@@ -323,6 +323,7 @@ int main(int argc, char *argv[])
        if (0 != BN_cmp(y, z)) ABORT;
        
        fprintf(stdout, "verify group order ... ");
+       fflush(stdout);
        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
        if (!EC_POINTs_mul(group, Q, z, 0, NULL, NULL, ctx)) ABORT;
        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
@@ -357,6 +358,7 @@ int main(int argc, char *argv[])
        if (0 != BN_cmp(y, z)) ABORT;
        
        fprintf(stdout, "verify group order ... ");
+       fflush(stdout);
        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
        if (!EC_POINTs_mul(group, Q, z, 0, NULL, NULL, ctx)) ABORT;
        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
@@ -392,6 +394,7 @@ int main(int argc, char *argv[])
        if (0 != BN_cmp(y, z)) ABORT;
        
        fprintf(stdout, "verify group order ... ");
+       fflush(stdout);
        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
        if (!EC_POINTs_mul(group, Q, z, 0, NULL, NULL, ctx)) ABORT;
        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
@@ -432,6 +435,7 @@ int main(int argc, char *argv[])
        if (0 != BN_cmp(y, z)) ABORT;
        
        fprintf(stdout, "verify group order ... ");
+       fflush(stdout);
        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
        if (!EC_POINTs_mul(group, Q, z, 0, NULL, NULL, ctx)) ABORT;
        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
@@ -478,6 +482,7 @@ int main(int argc, char *argv[])
        if (0 != BN_cmp(y, z)) ABORT;
        
        fprintf(stdout, "verify group order ... ");
+       fflush(stdout);
        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
        if (!EC_POINTs_mul(group, Q, z, 0, NULL, NULL, ctx)) ABORT;
        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
@@ -514,7 +519,8 @@ int main(int argc, char *argv[])
                scalars[0] = y; /* (group order + 1)/2,  so  y*Q + y*Q = Q */
                scalars[1] = y;
 
-               fprintf(stdout, "simultaneous multiplication ... ");
+               fprintf(stdout, "simultaneous multiplication ...");
+               fflush(stdout);
 
                /* z is still the group order */
                if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
@@ -522,13 +528,36 @@ int main(int argc, char *argv[])
                if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
                if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
 
-               fprintf(stdout, "ok\n\n");
+               fprintf(stdout, ".");
+               fflush(stdout);
+
+               if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
+               if (!BN_copy(z, y)) ABORT;
+               z->neg = 1;
+
+               points[0] = Q;
+               points[1] = Q;
+               scalars[0] = y;
+               scalars[1] = z;
+
+               if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
+               if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+               fprintf(stdout, " ok\n\n");
        }
 
 
 #if 0
        timings(P_192, 0, ctx);
        timings(P_192, 1, ctx);
+       timings(P_224, 0, ctx);
+       timings(P_224, 1, ctx);
+       timings(P_256, 0, ctx);
+       timings(P_256, 1, ctx);
+       timings(P_384, 0, ctx);
+       timings(P_384, 1, ctx);
+       timings(P_521, 0, ctx);
+       timings(P_521, 1, ctx);
 #endif