X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=test%2Fbntest.c;h=077f5e8d85c33c174cbc3c468ddb061006afab3c;hb=df2cb82ae397ac7e1466f674ecd2309ac6de14e7;hp=9de1e6eda43869afb2692a1c29e273c13be86f37;hpb=e1cfd184dafb3e0759c567d7ca13a92b5491ff89;p=openssl.git diff --git a/test/bntest.c b/test/bntest.c index 9de1e6eda4..077f5e8d85 100644 --- a/test/bntest.c +++ b/test/bntest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,30 +12,17 @@ #include #include -#include "e_os.h" -#include #include #include #include #include +#include "internal/nelem.h" +#include "internal/numbers.h" #include "testutil.h" -/* - * In bn_lcl.h, bn_expand() is defined as a static ossl_inline function. - * This is fine in itself, it will end up as an unused static function in - * the worst case. However, it references bn_expand2(), which is a private - * function in libcrypto and therefore unavailable on some systems. This - * may result in a linker error because of unresolved symbols. - * - * To avoid this, we define a dummy variant of bn_expand2() here, and to - * avoid possible clashes with libcrypto, we rename it first, using a macro. - */ -#define bn_expand2 dummy_bn_expand2 -BIGNUM *bn_expand2(BIGNUM *b, int words); -BIGNUM *bn_expand2(BIGNUM *b, int words) { return NULL; } -#include "../crypto/bn/bn_lcl.h" - -#define MAXPAIRS 20 +#ifdef OPENSSL_SYS_WINDOWS +# define strcasecmp _stricmp +#endif /* * Things in boring, not in openssl. TODO we should add them. 
@@ -43,17 +30,6 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) { return NULL; } #define HAVE_BN_PADDED 0 #define HAVE_BN_SQRT 0 -typedef struct pair_st { - char *key; - char *value; -} PAIR; - -typedef struct stanza_st { - int start; - int numpairs; - PAIR pairs[MAXPAIRS]; -} STANZA; - typedef struct filetest_st { const char *name; int (*func)(STANZA *s); @@ -67,15 +43,15 @@ typedef struct mpitest_st { static const int NUM0 = 100; /* number of tests */ static const int NUM1 = 50; /* additional tests for some functions */ -static BIO *fp; static BN_CTX *ctx; /* * Polynomial coefficients used in GFM tests. */ +#ifndef OPENSSL_NO_EC2M static int p0[] = { 163, 7, 6, 3, 0, -1 }; static int p1[] = { 193, 15, 0, -1 }; - +#endif /* * Look for |key| in the stanza and return it or NULL if not found. @@ -91,6 +67,18 @@ static const char *findattr(STANZA *s, const char *key) return NULL; } +/* + * Parse BIGNUM from sparse hex-strings, return |BN_hex2bn| result. + */ +static int parse_bigBN(BIGNUM **out, const char *bn_strings[]) +{ + char *bigstring = glue_strings(bn_strings, NULL); + int ret = BN_hex2bn(out, bigstring); + + OPENSSL_free(bigstring); + return ret; +} + /* * Parse BIGNUM, return number of bytes parsed. */ @@ -112,7 +100,7 @@ static BIGNUM *getBN(STANZA *s, const char *attribute) BIGNUM *ret = NULL; if ((hex = findattr(s, attribute)) == NULL) { - TEST_error("Can't find %s in test at line %d", attribute, s->start); + TEST_error("%s:%d: Can't find %s", s->test_file, s->start, attribute); return NULL; } @@ -135,7 +123,7 @@ static int getint(STANZA *s, int *out, const char *attribute) *out = (int)word; st = 1; -err: + err: BN_free(ret); return st; } @@ -150,7 +138,6 @@ static int equalBN(const char *op, const BIGNUM *expected, const BIGNUM *actual) return 0; } - /* * Return a "random" flag for if a BN should be negated. */ 
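Review bot: parse_bigBN passes the result of `glue_strings(bn_strings, NULL)` straight to BN_hex2bn and returns the digit count without comparing it to the length of the glued string. BN_hex2bn stops at the first non-hex character, so a typo in one fragment would produce a shorter operand instead of an error, and the regression vectors built from it would no longer be the intended ones. The second argument to glue_strings looks like an optional out-length (confirm against testutil.h); if so, pass `&len` and add `if (ret != (int)len) ret = 0;` before the return. A `TEST_ptr(bigstring)` guard would also report an allocation failure where it happens, as the removed glue() helper did.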
@@ -162,8 +149,79 @@ static int rand_neg(void) return sign[(neg++) % 8]; } +static int test_swap(void) +{ + BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL; + int top, cond, st = 0; + + if (!TEST_ptr(a = BN_new()) + || !TEST_ptr(b = BN_new()) + || !TEST_ptr(c = BN_new()) + || !TEST_ptr(d = BN_new())) + goto err; + + BN_bntest_rand(a, 1024, 1, 0); + BN_bntest_rand(b, 1024, 1, 0); + BN_copy(c, a); + BN_copy(d, b); + top = BN_num_bits(a) / BN_BITS2; + + /* regular swap */ + BN_swap(a, b); + if (!equalBN("swap", a, d) + || !equalBN("swap", b, c)) + goto err; + + /* conditional swap: true */ + cond = 1; + BN_consttime_swap(cond, a, b, top); + if (!equalBN("cswap true", a, c) + || !equalBN("cswap true", b, d)) + goto err; + + /* conditional swap: false */ + cond = 0; + BN_consttime_swap(cond, a, b, top); + if (!equalBN("cswap false", a, c) + || !equalBN("cswap false", b, d)) + goto err; + + /* same tests but checking flag swap */ + BN_set_flags(a, BN_FLG_CONSTTIME); -static int test_sub() + BN_swap(a, b); + if (!equalBN("swap, flags", a, d) + || !equalBN("swap, flags", b, c) + || !TEST_true(BN_get_flags(b, BN_FLG_CONSTTIME)) + || !TEST_false(BN_get_flags(a, BN_FLG_CONSTTIME))) + goto err; + + cond = 1; + BN_consttime_swap(cond, a, b, top); + if (!equalBN("cswap true, flags", a, c) + || !equalBN("cswap true, flags", b, d) + || !TEST_true(BN_get_flags(a, BN_FLG_CONSTTIME)) + || !TEST_false(BN_get_flags(b, BN_FLG_CONSTTIME))) + goto err; + + cond = 0; + BN_consttime_swap(cond, a, b, top); + if (!equalBN("cswap false, flags", a, c) + || !equalBN("cswap false, flags", b, d) + || !TEST_true(BN_get_flags(a, BN_FLG_CONSTTIME)) + || !TEST_false(BN_get_flags(b, BN_FLG_CONSTTIME))) + goto err; + + st = 1; + err: + BN_free(a); + BN_free(b); + BN_free(c); + BN_free(d); + return st; +} + +static int test_sub(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL; int i, st = 0; 
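Review bot: The setup calls in test_swap (`BN_bntest_rand(a, ...)`, `BN_bntest_rand(b, ...)`, `BN_copy(c, a)`, `BN_copy(d, b)`) are unchecked, so a failure there lets the test pass vacuously. If the random fills fail, `a` and `b` can be left holding equal values, and every `equalBN` comparison then succeeds whether or not BN_swap or BN_consttime_swap moved anything. `top` would also be 0 in that case, so the constant-time path would be asked to swap zero words. Since this test guards the BN_FLG_CONSTTIME handling of the swap primitives, the setup should be checked like the allocations above it.

```c
    /* … unchanged: BN_new() allocations … */

    if (!TEST_true(BN_bntest_rand(a, 1024, 1, 0))
            || !TEST_true(BN_bntest_rand(b, 1024, 1, 0))
            || !TEST_ptr(BN_copy(c, a))
            || !TEST_ptr(BN_copy(d, b)))
        goto err;
    top = BN_num_bits(a) / BN_BITS2;
    if (!TEST_int_gt(top, 0))
        goto err;

    /* … unchanged: swap, cswap and flag checks … */
```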
@@ -182,8 +240,8 @@ static int test_sub() BN_add_word(b, i); } else { BN_bntest_rand(b, 400 + i - NUM1, 0, 0); - a->neg = rand_neg(); - b->neg = rand_neg(); + BN_set_negative(a, rand_neg()); + BN_set_negative(b, rand_neg()); } BN_sub(c, a, b); BN_add(c, c, b); @@ -192,15 +250,14 @@ static int test_sub() goto err; } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); return st; } - -static int test_div_recip() +static int test_div_recip(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL; BN_RECP_CTX *recp = NULL; @@ -222,8 +279,8 @@ static int test_div_recip() BN_add_word(a, i); } else BN_bntest_rand(b, 50 + 3 * (i - NUM1), 0, 0); - a->neg = rand_neg(); - b->neg = rand_neg(); + BN_set_negative(a, rand_neg()); + BN_set_negative(b, rand_neg()); BN_RECP_CTX_set(recp, b, ctx); BN_div_recp(d, c, a, recp, ctx); BN_mul(e, d, b, ctx); @@ -233,7 +290,7 @@ static int test_div_recip() goto err; } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); @@ -243,8 +300,7 @@ err: return st; } - -static int test_mod() +static int test_mod(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL; int st = 0, i; @@ -259,8 +315,8 @@ static int test_mod() BN_bntest_rand(a, 1024, 0, 0); for (i = 0; i < NUM0; i++) { BN_bntest_rand(b, 450 + i * 10, 0, 0); - a->neg = rand_neg(); - b->neg = rand_neg(); + BN_set_negative(a, rand_neg()); + BN_set_negative(b, rand_neg()); BN_mod(c, a, b, ctx); BN_div(d, e, a, b, ctx); BN_sub(e, e, c); @@ -268,7 +324,7 @@ static int test_mod() goto err; } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); 
@@ -317,31 +373,15 @@ static const char *bn2strings[] = { NULL }; -static char *glue(const char *list[]) -{ - size_t len = 0; - char *p, *save; - int i; - - for (i = 0; list[i] != NULL; i++) - len += strlen(list[i]); - if (!TEST_ptr(p = save = OPENSSL_malloc(len + 1))) - return NULL; - for (i = 0; list[i] != NULL; i++) - p += strlen(strcpy(p, list[i])); - return save; -} - /* * Test constant-time modular exponentiation with 1024-bit inputs, which on * x86_64 cause a different code branch to be taken. */ -static int test_modexp_mont5() +static int test_modexp_mont5(void) { BIGNUM *a = NULL, *p = NULL, *m = NULL, *d = NULL, *e = NULL; BIGNUM *b = NULL, *n = NULL, *c = NULL; BN_MONT_CTX *mont = NULL; - char *bigstring; int st = 0; if (!TEST_ptr(a = BN_new()) @@ -387,12 +427,8 @@ static int test_modexp_mont5() goto err; /* Regression test for carry bug in sqr[x]8x_mont */ - bigstring = glue(bn1strings); - BN_hex2bn(&n, bigstring); - OPENSSL_free(bigstring); - bigstring = glue(bn2strings); - BN_hex2bn(&a, bigstring); - OPENSSL_free(bigstring); + parse_bigBN(&n, bn1strings); + parse_bigBN(&a, bn2strings); BN_free(b); b = BN_dup(a); BN_MONT_CTX_set(mont, n, ctx); 
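Review bot: In the sqr[x]8x_mont regression block the new `parse_bigBN(&n, bn1strings);` and `parse_bigBN(&a, bn2strings);` calls discard the return value. If either parse fails, `n` or `a` keeps its earlier contents and the block still compares `a*a` with `a*b` for `b = BN_dup(a)`, which can pass without ever exercising the carry case. Suggest `if (!TEST_true(parse_bigBN(&n, bn1strings)) || !TEST_true(parse_bigBN(&a, bn2strings))) goto err;`. The same applies in the next hunk to `parse_bigBN(&a, ahex)`, `parse_bigBN(&n, nhex)` and the bare `BN_hex2bn(...)` and `BN_MONT_CTX_set(...)` calls. The function body continues outside this hunk.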
@@ -401,6 +437,109 @@ static int test_modexp_mont5() if (!TEST_BN_eq(c, d)) goto err; + /* Regression test for carry bug in bn_sqrx8x_internal */ + { + static const char *ahex[] = { + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8FFEADBCFC4DAE7FFF908E92820306B", + "9544D954000000006C0000000000000000000000000000000000000000000000", + "00000000000000000000FF030202FFFFF8FFEBDBCFC4DAE7FFF908E92820306B", + "9544D954000000006C000000FF0302030000000000FFFFFFFFFFFFFFFFFFFFFF", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF01FC00FF02FFFFFFFF", + "00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00FCFD", + "FCFFFFFFFFFF000000000000000000FF0302030000000000FFFFFFFFFFFFFFFF", + "FF00FCFDFDFF030202FF00000000FFFFFFFFFFFFFFFFFF00FCFDFCFFFFFFFFFF", + NULL + }; + static const char *nhex[] = { + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8F8F8F8000000", + "00000010000000006C0000000000000000000000000000000000000000000000", + "00000000000000000000000000000000000000FFFFFFFFFFFFF8F8F8F8000000", + "00000010000000006C000000000000000000000000FFFFFFFFFFFFFFFFFFFFFF", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "FFFFFFFFFFFF000000000000000000000000000000000000FFFFFFFFFFFFFFFF", + "FFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + NULL + }; + + parse_bigBN(&a, ahex); + parse_bigBN(&n, nhex); + } + BN_free(b); + b = BN_dup(a); + 
BN_MONT_CTX_set(mont, n, ctx); + if (!TEST_true(BN_mod_mul_montgomery(c, a, a, mont, ctx)) + || !TEST_true(BN_mod_mul_montgomery(d, a, b, mont, ctx)) + || !TEST_BN_eq(c, d)) + goto err; + + /* Regression test for bug in BN_from_montgomery_word */ + BN_hex2bn(&a, + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"); + BN_hex2bn(&n, + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"); + BN_MONT_CTX_set(mont, n, ctx); + if (!TEST_false(BN_mod_mul_montgomery(d, a, a, mont, ctx))) + goto err; + + /* Regression test for bug in rsaz_1024_mul_avx2 */ + BN_hex2bn(&a, + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2020202020DF"); + BN_hex2bn(&b, + "2020202020202020202020202020202020202020202020202020202020202020" + "2020202020202020202020202020202020202020202020202020202020202020" + "20202020202020FF202020202020202020202020202020202020202020202020" + "2020202020202020202020202020202020202020202020202020202020202020"); + BN_hex2bn(&n, + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2020202020FF"); + BN_MONT_CTX_set(mont, n, ctx); + BN_mod_exp_mont_consttime(c, a, b, n, ctx, mont); + BN_mod_exp_mont(d, a, b, n, ctx, mont); + if (!TEST_BN_eq(c, d)) + goto err; + + /* + * rsaz_1024_mul_avx2 expects fully-reduced inputs. + * BN_mod_exp_mont_consttime should reduce the input first. 
+ */ + BN_hex2bn(&a, + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2020202020DF"); + BN_hex2bn(&b, + "1FA53F26F8811C58BE0357897AA5E165693230BC9DF5F01DFA6A2D59229EC69D" + "9DE6A89C36E3B6957B22D6FAAD5A3C73AE587B710DBE92E83D3A9A3339A085CB" + "B58F508CA4F837924BB52CC1698B7FDC2FD74362456A595A5B58E38E38E38E38" + "E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E"); + BN_hex2bn(&n, + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2020202020DF"); + BN_MONT_CTX_set(mont, n, ctx); + BN_mod_exp_mont_consttime(c, a, b, n, ctx, mont); + BN_zero(d); + if (!TEST_BN_eq(c, d)) + goto err; + /* Zero input */ BN_bntest_rand(p, 1024, 0, 0); BN_zero(a); @@ -430,7 +569,7 @@ static int test_modexp_mont5() st = 1; -err: + err: BN_MONT_CTX_free(mont); BN_free(a); BN_free(p); @@ -444,7 +583,7 @@ err: } #ifndef OPENSSL_NO_EC2M -static int test_gf2m_add() +static int test_gf2m_add(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL; int i, st = 0; @@ -457,8 +596,8 @@ static int test_gf2m_add() for (i = 0; i < NUM0; i++) { BN_rand(a, 512, 0, 0); BN_copy(b, BN_value_one()); - a->neg = rand_neg(); - b->neg = rand_neg(); + BN_set_negative(a, rand_neg()); + BN_set_negative(b, rand_neg()); BN_GF2m_add(c, a, b); /* Test that two added values have the correct parity. */ if (!TEST_false((BN_is_odd(a) && BN_is_odd(c)) @@ -477,7 +616,7 @@ static int test_gf2m_add() return st; } -static int test_gf2m_mod() +static int test_gf2m_mod(void) { BIGNUM *a = NULL, *b[2] = {NULL,NULL}, *c = NULL, *d = NULL, *e = NULL; int i, j, st = 0; 
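Review bot: The `TEST_false(BN_mod_mul_montgomery(d, a, a, mont, ctx))` assertion in the BN_from_montgomery_word block does not say why failure is the expected outcome. From the literals, `a` is 768 bits and `n` is 512 bits, so a comment such as `/* a is deliberately wider than n: the unreduced operand must be rejected */` would stop a later reader from "correcting" the check. If the rejected call queues an error, an `ERR_clear_error();` after it would match what test_badmod does after its expected failures. In the first rsaz_1024_mul_avx2 block the results of `BN_mod_exp_mont_consttime(...)` and `BN_mod_exp_mont(...)` are also dropped, so `TEST_BN_eq(c, d)` can end up comparing stale values if both calls fail; wrapping each call in `TEST_true(...)` closes that gap.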
@@ -515,7 +654,7 @@ static int test_gf2m_mod() return st; } -static int test_gf2m_mul() +static int test_gf2m_mul(void) { BIGNUM *a, *b[2] = {NULL, NULL}, *c = NULL, *d = NULL; BIGNUM *e = NULL, *f = NULL, *g = NULL, *h = NULL; @@ -566,7 +705,7 @@ static int test_gf2m_mul() return st; } -static int test_gf2m_sqr() +static int test_gf2m_sqr(void) { BIGNUM *a = NULL, *b[2] = {NULL,NULL}, *c = NULL, *d = NULL; int i, j, st = 0; @@ -603,7 +742,7 @@ static int test_gf2m_sqr() return st; } -static int test_gf2m_modinv() +static int test_gf2m_modinv(void) { BIGNUM *a = NULL, *b[2] = {NULL,NULL}, *c = NULL, *d = NULL; int i, j, st = 0; @@ -638,7 +777,7 @@ static int test_gf2m_modinv() return st; } -static int test_gf2m_moddiv() +static int test_gf2m_moddiv(void) { BIGNUM *a = NULL, *b[2] = {NULL,NULL}, *c = NULL, *d = NULL; BIGNUM *e = NULL, *f = NULL; @@ -680,7 +819,7 @@ static int test_gf2m_moddiv() return st; } -static int test_gf2m_modexp() +static int test_gf2m_modexp(void) { BIGNUM *a = NULL, *b[2] = {NULL,NULL}, *c = NULL, *d = NULL; BIGNUM *e = NULL, *f = NULL; @@ -726,7 +865,7 @@ static int test_gf2m_modexp() return st; } -static int test_gf2m_modsqrt() +static int test_gf2m_modsqrt(void) { BIGNUM *a = NULL, *b[2] = {NULL,NULL}, *c = NULL, *d = NULL; BIGNUM *e = NULL, *f = NULL; @@ -768,7 +907,7 @@ static int test_gf2m_modsqrt() return st; } -static int test_gf2m_modsolvequad() +static int test_gf2m_modsolvequad(void) { BIGNUM *a = NULL, *b[2] = {NULL,NULL}, *c = NULL, *d = NULL; BIGNUM *e = NULL; @@ -819,7 +958,7 @@ static int test_gf2m_modsolvequad() } #endif -static int test_kronecker() +static int test_kronecker(void) { BIGNUM *a = NULL, *b = NULL, *r = NULL, *t = NULL; int i, legendre, kronecker, st = 0; 
@@ -842,27 +981,27 @@ static int test_kronecker() if (!TEST_true(BN_generate_prime_ex(b, 512, 0, NULL, NULL, NULL))) goto err; - b->neg = rand_neg(); + BN_set_negative(b, rand_neg()); for (i = 0; i < NUM0; i++) { if (!TEST_true(BN_bntest_rand(a, 512, 0, 0))) goto err; - a->neg = rand_neg(); + BN_set_negative(a, rand_neg()); /* t := (|b|-1)/2 (note that b is odd) */ if (!TEST_true(BN_copy(t, b))) goto err; - t->neg = 0; + BN_set_negative(t, 0); if (!TEST_true(BN_sub_word(t, 1))) goto err; if (!TEST_true(BN_rshift1(t, t))) goto err; /* r := a^t mod b */ - b->neg = 0; + BN_set_negative(b, 0); if (!TEST_true(BN_mod_exp_recp(r, a, t, b, ctx))) goto err; - b->neg = 1; + BN_set_negative(b, 1); if (BN_is_word(r, 1)) legendre = 1; @@ -881,7 +1020,7 @@ static int test_kronecker() if (!TEST_int_ge(kronecker = BN_kronecker(a, b, ctx), -1)) goto err; /* we actually need BN_kronecker(a, |b|) */ - if (a->neg && b->neg) + if (BN_is_negative(a) && BN_is_negative(b)) kronecker = -kronecker; if (!TEST_int_eq(legendre, kronecker)) @@ -998,7 +1137,7 @@ static int file_sum(STANZA *s) } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(sum); @@ -1047,7 +1186,7 @@ static int file_lshift1(STANZA *s) goto err; st = 1; -err: + err: BN_free(a); BN_free(lshift1); BN_free(zero); @@ -1065,7 +1204,9 @@ static int file_lshift(STANZA *s) if (!TEST_ptr(a = getBN(s, "A")) || !TEST_ptr(lshift = getBN(s, "LShift")) - || !TEST_ptr(ret = BN_new())) + || !TEST_ptr(ret = BN_new()) + || !getint(s, &n, "N")) + goto err; if (!TEST_true(BN_lshift(ret, a, n)) || !equalBN("A << N", lshift, ret) @@ -1074,7 +1215,7 @@ static int file_lshift(STANZA *s) goto err; st = 1; -err: + err: BN_free(a); BN_free(lshift); BN_free(ret); @@ -1104,7 +1245,7 @@ static int file_rshift(STANZA *s) } st = 1; -err: + err: BN_free(a); BN_free(rshift); BN_free(ret); @@ -1161,7 +1302,7 @@ static int file_square(STANZA *s) #endif st = 1; -err: + err: BN_free(a); BN_free(square); BN_free(zero); 
@@ -1198,7 +1339,7 @@ static int file_product(STANZA *s) goto err; st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(product); @@ -1281,7 +1422,7 @@ static int file_quotient(STANZA *s) } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(quotient); @@ -1335,7 +1476,7 @@ static int file_modmul(STANZA *s) } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(m); @@ -1381,13 +1522,13 @@ static int file_modexp(STANZA *s) "0000000000000000000000000000000000000000000000000000000000000000" "0000000000000000000000000000000000000000000000000000000000000000" "0000000000000000000000000000000000000000000000000000000001"); - BN_mod_exp(d, a, b, c, ctx); - BN_mul(e, a, a, ctx); - if (!TEST_BN_eq(d, e)) + if (!TEST_true(BN_mod_exp(d, a, b, c, ctx)) + || !TEST_true(BN_mul(e, a, a, ctx)) + || !TEST_BN_eq(d, e)) goto err; st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); @@ -1415,7 +1556,7 @@ static int file_exp(STANZA *s) goto err; st = 1; -err: + err: BN_free(a); BN_free(e); BN_free(exp); @@ -1446,7 +1587,7 @@ static int file_modsqrt(STANZA *s) goto err; st = 1; -err: + err: BN_free(a); BN_free(p); BN_free(mod_sqrt); @@ -1455,7 +1596,7 @@ err: return st; } -static int test_bn2padded() +static int test_bn2padded(void) { #if HAVE_BN_PADDED uint8_t zeros[256], out[256], reference[128]; @@ -1476,8 +1617,8 @@ static int test_bn2padded() /* Test a random numbers at various byte lengths. */ for (size_t bytes = 128 - 7; bytes <= 128; bytes++) { -#define TOP_BIT_ON 0 -#define BOTTOM_BIT_NOTOUCH 0 +# define TOP_BIT_ON 0 +# define BOTTOM_BIT_NOTOUCH 0 if (!TEST_true(BN_rand(n, bytes * 8, TOP_BIT_ON, BOTTOM_BIT_NOTOUCH))) goto err; if (!TEST_int_eq(BN_num_bytes(n),A) bytes @@ -1508,7 +1649,7 @@ static int test_bn2padded() } st = 1; -err: + err: BN_free(n); return st; #else @@ -1516,7 +1657,7 @@ err: #endif } -static int test_dec2bn() +static int test_dec2bn(void) { BIGNUM *bn = NULL; int st = 0; 
@@ -1580,12 +1721,12 @@ static int test_dec2bn() goto err; st = 1; -err: + err: BN_free(bn); return st; } -static int test_hex2bn() +static int test_hex2bn(void) { BIGNUM *bn = NULL; int st = 0; @@ -1646,12 +1787,12 @@ static int test_hex2bn() goto err; st = 1; -err: + err: BN_free(bn); return st; } -static int test_asc2bn() +static int test_asc2bn(void) { BIGNUM *bn = NULL; int st = 0; @@ -1700,7 +1841,7 @@ static int test_asc2bn() goto err; st = 1; -err: + err: BN_free(bn); return st; } @@ -1744,12 +1885,12 @@ static int test_mpi(int i) BN_free(bn2); st = 1; -err: + err: BN_free(bn); return st; } -static int test_rand() +static int test_rand(void) { BIGNUM *bn = NULL; int st = 0; @@ -1770,12 +1911,12 @@ static int test_rand() goto err; st = 1; -err: + err: BN_free(bn); return st; } -static int test_negzero() +static int test_negzero(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL; BIGNUM *numerator = NULL, *denominator = NULL; @@ -1834,7 +1975,7 @@ static int test_negzero() goto err; st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); @@ -1844,7 +1985,7 @@ err: return st; } -static int test_badmod() +static int test_badmod(void) { BIGNUM *a = NULL, *b = NULL, *zero = NULL; BN_MONT_CTX *mont = NULL; @@ -1875,7 +2016,7 @@ static int test_badmod() ERR_clear_error(); if (!TEST_false(BN_mod_exp_mont_consttime(a, BN_value_one(), BN_value_one(), - zero, ctx, NULL))) + zero, ctx, NULL))) goto err; ERR_clear_error(); @@ -1897,12 +2038,12 @@ static int test_badmod() ERR_clear_error(); if (!TEST_false(BN_mod_exp_mont_consttime(a, BN_value_one(), BN_value_one(), - b, ctx, NULL))) + b, ctx, NULL))) goto err; ERR_clear_error(); st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(zero); @@ -1910,7 +2051,7 @@ err: return st; } -static int test_expmodzero() +static int test_expmodzero(void) { BIGNUM *a = NULL, *r = NULL, *zero = NULL; int st = 0; 
@@ -1936,14 +2077,61 @@ static int test_expmodzero() goto err; st = 1; -err: + err: BN_free(zero); BN_free(a); BN_free(r); return st; } -static int test_smallprime() +static int test_expmodone(void) +{ + int ret = 0, i; + BIGNUM *r = BN_new(); + BIGNUM *a = BN_new(); + BIGNUM *p = BN_new(); + BIGNUM *m = BN_new(); + + if (!TEST_ptr(r) + || !TEST_ptr(a) + || !TEST_ptr(p) + || !TEST_ptr(p) + || !TEST_ptr(m) + || !TEST_true(BN_set_word(a, 1)) + || !TEST_true(BN_set_word(p, 0)) + || !TEST_true(BN_set_word(m, 1))) + goto err; + + /* Calculate r = 1 ^ 0 mod 1, and check the result is always 0 */ + for (i = 0; i < 2; i++) { + if (!TEST_true(BN_mod_exp(r, a, p, m, NULL)) + || !TEST_BN_eq_zero(r) + || !TEST_true(BN_mod_exp_mont(r, a, p, m, NULL, NULL)) + || !TEST_BN_eq_zero(r) + || !TEST_true(BN_mod_exp_mont_consttime(r, a, p, m, NULL, NULL)) + || !TEST_BN_eq_zero(r) + || !TEST_true(BN_mod_exp_mont_word(r, 1, p, m, NULL, NULL)) + || !TEST_BN_eq_zero(r) + || !TEST_true(BN_mod_exp_simple(r, a, p, m, NULL)) + || !TEST_BN_eq_zero(r) + || !TEST_true(BN_mod_exp_recp(r, a, p, m, NULL)) + || !TEST_BN_eq_zero(r)) + goto err; + /* Repeat for r = 1 ^ 0 mod -1 */ + if (i == 0) + BN_set_negative(m, 1); + } + + ret = 1; + err: + BN_free(r); + BN_free(a); + BN_free(p); + BN_free(m); + return ret; +} + +static int test_smallprime(void) { static const int kBits = 10; BIGNUM *r; 
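Review bot: In test_expmodone the allocation check lists `!TEST_ptr(p)` twice in a row; the second is a copy/paste leftover and can be removed (`r`, `a`, `p` and `m` are each covered once without it). Separately, every BN_mod_exp* variant here is called with a NULL `BN_CTX`. That only works if each function returns before it touches the context for this zero-exponent, modulus-one input, which is presumably the case but is not visible in this diff. Passing the file-level `ctx` instead would make a future regression show up as a test failure rather than a NULL dereference.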
@@ -1956,106 +2144,142 @@ static int test_smallprime() goto err; st = 1; -err: + err: BN_free(r); return st; } -static int test_3_is_prime() +static int primes[] = { 2, 3, 5, 7, 17863 }; + +static int test_is_prime(int i) { int ret = 0; BIGNUM *r = NULL; + int trial; - /* - * For a long time, small primes were not considered prime when - * do_trial_division was set. - */ - if (!TEST_ptr(r = BN_new()) - || !TEST_true(BN_set_word(r, 3)) - || !TEST_int_eq(BN_is_prime_fasttest_ex(r, 3 /* nchecks */, ctx, - 0 /* do_trial_division */, NULL), 1) - || !TEST_int_eq(BN_is_prime_fasttest_ex(r, 3 /* nchecks */, ctx, - 1 /* do_trial_division */, NULL), 1)) + if (!TEST_ptr(r = BN_new())) goto err; - ret = 1; + for (trial = 0; trial <= 1; ++trial) { + if (!TEST_true(BN_set_word(r, primes[i])) + || !TEST_int_eq(BN_is_prime_fasttest_ex(r, 1, ctx, trial, NULL), + 1)) + goto err; + } -err: + ret = 1; + err: BN_free(r); return ret; } +static int not_primes[] = { -1, 0, 1, 4 }; -/* Delete leading and trailing spaces from a string */ -static char *strip_spaces(char *p) +static int test_not_prime(int i) { - char *q; + int ret = 0; + BIGNUM *r = NULL; + int trial; - /* Skip over leading spaces */ - while (*p && isspace(*p)) - p++; - if (!*p) - return NULL; + if (!TEST_ptr(r = BN_new())) + goto err; + + for (trial = 0; trial <= 1; ++trial) { + if (!TEST_true(BN_set_word(r, not_primes[i])) + || !TEST_false(BN_is_prime_fasttest_ex(r, 1, ctx, trial, NULL))) + goto err; + } - for (q = p + strlen(p) - 1; q != p && isspace(*q); ) - *q-- = '\0'; - return *p ? p : NULL; + ret = 1; + err: + BN_free(r); + return ret; } -/* - * Read next test stanza; return 1 if found, 0 on EOF or error. 
- */ -static int readstanza(STANZA *s, int *linesread) +static int test_ctx_set_ct_flag(BN_CTX *c) { - PAIR *pp = s->pairs; - char *p, *equals, *key, *value; - char buff[1024]; - - while (BIO_gets(fp, buff, sizeof(buff))) { - (*linesread)++; - if (!TEST_ptr(p = strchr(buff, '\n'))) { - TEST_info("Line %d too long", s->start); - return 0; - } - *p = '\0'; + int st = 0; + size_t i; + BIGNUM *b[15]; + + BN_CTX_start(c); + for (i = 0; i < OSSL_NELEM(b); i++) { + if (!TEST_ptr(b[i] = BN_CTX_get(c))) + goto err; + if (i % 2 == 1) + BN_set_flags(b[i], BN_FLG_CONSTTIME); + } - /* Blank line marks end of tests. */ - if (buff[0] == '\0') - break; + st = 1; + err: + BN_CTX_end(c); + return st; +} - /* Lines starting with a pound sign are ignored. */ - if (buff[0] == '#') - continue; +static int test_ctx_check_ct_flag(BN_CTX *c) +{ + int st = 0; + size_t i; + BIGNUM *b[30]; - if (!TEST_ptr(equals = strchr(buff, '='))) - return 0; - *equals++ = '\0'; - - if (!TEST_ptr(key = strip_spaces(buff)) - || !TEST_ptr(value = strip_spaces(equals)) - || !TEST_int_lt(s->numpairs++, MAXPAIRS) - || !TEST_ptr(pp->key = OPENSSL_strdup(key)) - || !TEST_ptr(pp->value = OPENSSL_strdup(value))) - return 0; - pp++; + BN_CTX_start(c); + for (i = 0; i < OSSL_NELEM(b); i++) { + if (!TEST_ptr(b[i] = BN_CTX_get(c))) + goto err; + if (!TEST_false(BN_get_flags(b[i], BN_FLG_CONSTTIME))) + goto err; } - /* If we read anything, return ok. */ - return 1; + st = 1; + err: + BN_CTX_end(c); + return st; } -static void clearstanza(STANZA *s) +static int test_ctx_consttime_flag(void) { - PAIR *pp = s->pairs; - int i = s->numpairs; - int start = s->start; + /*- + * The constant-time flag should not "leak" among BN_CTX frames: + * + * - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and + * sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained + * from the frame before ending it. + * - test_ctx_check_ct_flag() then starts a new frame and gets a + * number of BIGNUMs from it. 
In absence of leaks, none of the + * BIGNUMs in the new frame should have BN_FLG_CONSTTIME set. + * + * In actual BN_CTX usage inside libcrypto the leak could happen at + * any depth level in the BN_CTX stack, with varying results + * depending on the patterns of sibling trees of nested function + * calls sharing the same BN_CTX object, and the effect of + * unintended BN_FLG_CONSTTIME on the called BN_* functions. + * + * This simple unit test abstracts away this complexity and verifies + * that the leak does not happen between two sibling functions + * sharing the same BN_CTX object at the same level of nesting. + * + */ + BN_CTX *nctx = NULL; + BN_CTX *sctx = NULL; + size_t i = 0; + int st = 0; - for ( ; --i >= 0; pp++) { - OPENSSL_free(pp->key); - OPENSSL_free(pp->value); + if (!TEST_ptr(nctx = BN_CTX_new()) + || !TEST_ptr(sctx = BN_CTX_secure_new())) + goto err; + + for (i = 0; i < 2; i++) { + BN_CTX *c = i == 0 ? nctx : sctx; + if (!TEST_true(test_ctx_set_ct_flag(c)) + || !TEST_true(test_ctx_check_ct_flag(c))) + goto err; } - memset(s, 0, sizeof(*s)); - s->start = start; + + st = 1; + err: + BN_CTX_free(nctx); + BN_CTX_free(sctx); + return st; } static int file_test_run(STANZA *s) 
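Review bot: The `-1` entry of `not_primes` never reaches BN_is_prime_fasttest_ex as a negative number, because BN_set_word takes an unsigned word and `BN_set_word(r, not_primes[i])` stores the all-ones value instead. That value happens to be composite (divisible by 3 for 32- and 64-bit words), so test_not_prime passes without covering negative input. To test what the table says, set the magnitude and sign separately: `BN_set_word(r, not_primes[i] < 0 ? -not_primes[i] : not_primes[i])` followed by `BN_set_negative(r, not_primes[i] < 0);`. The removed comment about small primes being misclassified when trial division is enabled explained why both `trial` values are looped; a one-line version of it above the loop in test_is_prime would be worth keeping.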
@@ -2079,56 +2303,55 @@ static int file_test_run(STANZA *s) for ( ; --numtests >= 0; tp++) { if (findattr(s, tp->name) != NULL) { if (!tp->func(s)) { - TEST_info("Failed %s test at %d", tp->name, s->start); + TEST_info("%s:%d: Failed %s test", + s->test_file, s->start, tp->name); return 0; } return 1; } } - TEST_info("Unknown test at %d", s->start); + TEST_info("%s:%d: Unknown test", s->test_file, s->start); return 0; } -static char * const *testfiles; - static int run_file_tests(int i) { - STANZA s; - int linesread = 0, errcnt = 0; + STANZA *s = NULL; + char *testfile = test_get_argument(i); + int c; - if (!TEST_ptr(fp = BIO_new_file(testfiles[i], "rb"))) + if (!TEST_ptr(s = OPENSSL_zalloc(sizeof(*s)))) + return 0; + if (!test_start_file(s, testfile)) { + OPENSSL_free(s); return 0; + } /* Read test file. */ - set_test_title(testfiles[i]); - memset(&s, 0, sizeof(s)); - while (!BIO_eof(fp) && readstanza(&s, &linesread)) { - if (s.numpairs == 0) + while (!BIO_eof(s->fp) && test_readstanza(s)) { + if (s->numpairs == 0) continue; - if (!file_test_run(&s)) { - errcnt++; - } - clearstanza(&s); - s.start = linesread; + if (!file_test_run(s)) + s->errors++; + s->numtests++; + test_clearstanza(s); } - BIO_free(fp); + test_end_file(s); + c = s->errors; + OPENSSL_free(s); - return errcnt == 0; + return c == 0; } -int test_main(int argc, char *argv[]) +int setup_tests(void) { - static const char rnd_seed[] = - "If not seeded, BN_generate_prime might fail"; - int result = EXIT_FAILURE; - + int n = test_get_argument_count(); - RAND_seed(rnd_seed, sizeof rnd_seed); if (!TEST_ptr(ctx = BN_CTX_new())) - goto end; + return 0; - if (argc < 2) { + if (n == 0) { ADD_TEST(test_sub); ADD_TEST(test_div_recip); ADD_TEST(test_mod); 
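Review bot: run_file_tests reports success whenever `s->errors` is zero after the loop, and the loop also ends when `test_readstanza(s)` returns 0. Unless test_readstanza counts its own failures in `s->errors` (its body is not in this diff), a malformed or truncated vector file would stop parsing early and still pass. A file that yields no stanzas at all passes too, since `s->numtests` is incremented but never inspected. Consider saving `s->numtests` before the free and returning `c == 0 && ran > 0`, or adding a comment that test_readstanza records parse errors in the stanza. The setup_tests body continues outside this hunk.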
@@ -2143,7 +2366,10 @@ int test_main(int argc, char *argv[]) ADD_TEST(test_negzero); ADD_TEST(test_badmod); ADD_TEST(test_expmodzero); + ADD_TEST(test_expmodone); ADD_TEST(test_smallprime); + ADD_TEST(test_swap); + ADD_TEST(test_ctx_consttime_flag); #ifndef OPENSSL_NO_EC2M ADD_TEST(test_gf2m_add); ADD_TEST(test_gf2m_mod); @@ -2155,15 +2381,15 @@ int test_main(int argc, char *argv[]) ADD_TEST(test_gf2m_modsqrt); ADD_TEST(test_gf2m_modsolvequad); #endif - ADD_TEST(test_3_is_prime); + ADD_ALL_TESTS(test_is_prime, (int)OSSL_NELEM(primes)); + ADD_ALL_TESTS(test_not_prime, (int)OSSL_NELEM(not_primes)); } else { - testfiles = &argv[1]; - ADD_ALL_TESTS(run_file_tests, argc - 1); + ADD_ALL_TESTS(run_file_tests, n); } + return 1; +} - result = run_tests(argv[0]); - -end: +void cleanup_tests(void) +{ BN_CTX_free(ctx); - return result; }