• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (c) 2016, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #include <openssl/base.h>
16 
17 #include <stdio.h>
18 #include <string.h>
19 
20 #include <gtest/gtest.h>
21 
22 #include <openssl/bn.h>
23 #include <openssl/cpu.h>
24 #include <openssl/ec.h>
25 #include <openssl/mem.h>
26 #include <openssl/nid.h>
27 
28 #include "internal.h"
29 #include "../bn/internal.h"
30 #include "../../internal.h"
31 #include "../../test/abi_test.h"
32 #include "../../test/file_test.h"
33 #include "../../test/test_util.h"
34 #include "p256-x86_64.h"
35 
36 
37 // Disable tests if BORINGSSL_SHARED_LIBRARY is defined. These tests need access
38 // to internal functions.
39 #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
40     !defined(OPENSSL_SMALL) && !defined(BORINGSSL_SHARED_LIBRARY)
41 
TEST(P256_X86_64Test,SelectW5)42 TEST(P256_X86_64Test, SelectW5) {
43   // Fill a table with some garbage input.
44   alignas(64) P256_POINT table[16];
45   for (size_t i = 0; i < 16; i++) {
46     OPENSSL_memset(table[i].X, 3 * i, sizeof(table[i].X));
47     OPENSSL_memset(table[i].Y, 3 * i + 1, sizeof(table[i].Y));
48     OPENSSL_memset(table[i].Z, 3 * i + 2, sizeof(table[i].Z));
49   }
50 
51   for (int i = 0; i <= 16; i++) {
52     P256_POINT val;
53     ecp_nistz256_select_w5(&val, table, i);
54 
55     P256_POINT expected;
56     if (i == 0) {
57       OPENSSL_memset(&expected, 0, sizeof(expected));
58     } else {
59       expected = table[i-1];
60     }
61 
62     EXPECT_EQ(Bytes(reinterpret_cast<const char *>(&expected), sizeof(expected)),
63               Bytes(reinterpret_cast<const char *>(&val), sizeof(val)));
64   }
65 
66   // This is a constant-time function, so it is only necessary to instrument one
67   // index for ABI checking.
68   P256_POINT val;
69   CHECK_ABI(ecp_nistz256_select_w5, &val, table, 7);
70 }
71 
TEST(P256_X86_64Test,SelectW7)72 TEST(P256_X86_64Test, SelectW7) {
73   // Fill a table with some garbage input.
74   alignas(64) P256_POINT_AFFINE table[64];
75   for (size_t i = 0; i < 64; i++) {
76     OPENSSL_memset(table[i].X, 2 * i, sizeof(table[i].X));
77     OPENSSL_memset(table[i].Y, 2 * i + 1, sizeof(table[i].Y));
78   }
79 
80   for (int i = 0; i <= 64; i++) {
81     P256_POINT_AFFINE val;
82     ecp_nistz256_select_w7(&val, table, i);
83 
84     P256_POINT_AFFINE expected;
85     if (i == 0) {
86       OPENSSL_memset(&expected, 0, sizeof(expected));
87     } else {
88       expected = table[i-1];
89     }
90 
91     EXPECT_EQ(Bytes(reinterpret_cast<const char *>(&expected), sizeof(expected)),
92               Bytes(reinterpret_cast<const char *>(&val), sizeof(val)));
93   }
94 
95   // This is a constant-time function, so it is only necessary to instrument one
96   // index for ABI checking.
97   P256_POINT_AFFINE val;
98   CHECK_ABI(ecp_nistz256_select_w7, &val, table, 42);
99 }
100 
TEST(P256_X86_64Test,BEEU)101 TEST(P256_X86_64Test, BEEU) {
102   if ((OPENSSL_ia32cap_P[1] & (1 << 28)) == 0) {
103     // No AVX support; cannot run the BEEU code.
104     return;
105   }
106 
107   bssl::UniquePtr<EC_GROUP> group(
108       EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
109   ASSERT_TRUE(group);
110 
111   BN_ULONG order_words[P256_LIMBS];
112   ASSERT_TRUE(
113       bn_copy_words(order_words, P256_LIMBS, EC_GROUP_get0_order(group.get())));
114 
115   BN_ULONG in[P256_LIMBS], out[P256_LIMBS];
116   EC_SCALAR in_scalar, out_scalar, result;
117   OPENSSL_memset(in, 0, sizeof(in));
118 
119   // Trying to find the inverse of zero should fail.
120   ASSERT_FALSE(beeu_mod_inverse_vartime(out, in, order_words));
121   // This is not a constant-time function, so instrument both zero and a few
122   // inputs below.
123   ASSERT_FALSE(CHECK_ABI(beeu_mod_inverse_vartime, out, in, order_words));
124 
125   // kOneMont is 1, in Montgomery form.
126   static const BN_ULONG kOneMont[P256_LIMBS] = {
127       TOBN(0xc46353d, 0x039cdaaf),
128       TOBN(0x43190552, 0x58e8617b),
129       0,
130       0xffffffff,
131   };
132 
133   for (BN_ULONG i = 1; i < 2000; i++) {
134     SCOPED_TRACE(i);
135 
136     in[0] = i;
137     if (i >= 1000) {
138       in[1] = i << 8;
139       in[2] = i << 32;
140       in[3] = i << 48;
141     } else {
142       in[1] = in[2] = in[3] = 0;
143     }
144 
145     EXPECT_TRUE(bn_less_than_words(in, order_words, P256_LIMBS));
146     ASSERT_TRUE(beeu_mod_inverse_vartime(out, in, order_words));
147     EXPECT_TRUE(bn_less_than_words(out, order_words, P256_LIMBS));
148 
149     // Calculate out*in and confirm that it equals one, modulo the order.
150     OPENSSL_memcpy(in_scalar.bytes, in, sizeof(in));
151     OPENSSL_memcpy(out_scalar.bytes, out, sizeof(out));
152     ec_scalar_to_montgomery(group.get(), &in_scalar, &in_scalar);
153     ec_scalar_to_montgomery(group.get(), &out_scalar, &out_scalar);
154     ec_scalar_mul_montgomery(group.get(), &result, &in_scalar, &out_scalar);
155 
156     EXPECT_EQ(0, OPENSSL_memcmp(kOneMont, &result, sizeof(kOneMont)));
157 
158     // Invert the result and expect to get back to the original value.
159     ASSERT_TRUE(beeu_mod_inverse_vartime(out, out, order_words));
160     EXPECT_EQ(0, OPENSSL_memcmp(in, out, sizeof(in)));
161 
162     if (i < 5) {
163       EXPECT_TRUE(CHECK_ABI(beeu_mod_inverse_vartime, out, in, order_words));
164     }
165   }
166 }
167 
GetFieldElement(FileTest * t,BN_ULONG out[P256_LIMBS],const char * name)168 static bool GetFieldElement(FileTest *t, BN_ULONG out[P256_LIMBS],
169                             const char *name) {
170   std::vector<uint8_t> bytes;
171   if (!t->GetBytes(&bytes, name)) {
172     return false;
173   }
174 
175   if (bytes.size() != BN_BYTES * P256_LIMBS) {
176     ADD_FAILURE() << "Invalid length: " << name;
177     return false;
178   }
179 
180   // |byte| contains bytes in big-endian while |out| should contain |BN_ULONG|s
181   // in little-endian.
182   OPENSSL_memset(out, 0, P256_LIMBS * sizeof(BN_ULONG));
183   for (size_t i = 0; i < bytes.size(); i++) {
184     out[P256_LIMBS - 1 - (i / BN_BYTES)] <<= 8;
185     out[P256_LIMBS - 1 - (i / BN_BYTES)] |= bytes[i];
186   }
187 
188   return true;
189 }
190 
FieldElementToString(const BN_ULONG a[P256_LIMBS])191 static std::string FieldElementToString(const BN_ULONG a[P256_LIMBS]) {
192   std::string ret;
193   for (size_t i = P256_LIMBS-1; i < P256_LIMBS; i--) {
194     char buf[2 * BN_BYTES + 1];
195     BIO_snprintf(buf, sizeof(buf), BN_HEX_FMT2, a[i]);
196     ret += buf;
197   }
198   return ret;
199 }
200 
ExpectFieldElementsEqual(const char * expected_expr,const char * actual_expr,const BN_ULONG expected[P256_LIMBS],const BN_ULONG actual[P256_LIMBS])201 static testing::AssertionResult ExpectFieldElementsEqual(
202     const char *expected_expr, const char *actual_expr,
203     const BN_ULONG expected[P256_LIMBS], const BN_ULONG actual[P256_LIMBS]) {
204   if (OPENSSL_memcmp(expected, actual, sizeof(BN_ULONG) * P256_LIMBS) == 0) {
205     return testing::AssertionSuccess();
206   }
207 
208   return testing::AssertionFailure()
209          << "Expected: " << FieldElementToString(expected) << " ("
210          << expected_expr << ")\n"
211          << "Actual:   " << FieldElementToString(actual) << " (" << actual_expr
212          << ")";
213 }
214 
215 #define EXPECT_FIELD_ELEMENTS_EQUAL(a, b) \
216   EXPECT_PRED_FORMAT2(ExpectFieldElementsEqual, a, b)
217 
PointToAffine(P256_POINT_AFFINE * out,const P256_POINT * in)218 static bool PointToAffine(P256_POINT_AFFINE *out, const P256_POINT *in) {
219   static const uint8_t kP[] = {
220       0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
221       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
222       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
223   };
224 
225   bssl::UniquePtr<BIGNUM> x(BN_new()), y(BN_new()), z(BN_new());
226   bssl::UniquePtr<BIGNUM> p(BN_bin2bn(kP, sizeof(kP), nullptr));
227   if (!x || !y || !z || !p ||
228       !bn_set_words(x.get(), in->X, P256_LIMBS) ||
229       !bn_set_words(y.get(), in->Y, P256_LIMBS) ||
230       !bn_set_words(z.get(), in->Z, P256_LIMBS)) {
231     return false;
232   }
233 
234   // Coordinates must be fully-reduced.
235   if (BN_cmp(x.get(), p.get()) >= 0 ||
236       BN_cmp(y.get(), p.get()) >= 0 ||
237       BN_cmp(z.get(), p.get()) >= 0) {
238     return false;
239   }
240 
241   if (BN_is_zero(z.get())) {
242     // The point at infinity is represented as (0, 0).
243     OPENSSL_memset(out, 0, sizeof(P256_POINT_AFFINE));
244     return true;
245   }
246 
247   bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());
248   bssl::UniquePtr<BN_MONT_CTX> mont(
249       BN_MONT_CTX_new_for_modulus(p.get(), ctx.get()));
250   if (!ctx || !mont ||
251       // Invert Z.
252       !BN_from_montgomery(z.get(), z.get(), mont.get(), ctx.get()) ||
253       !BN_mod_inverse(z.get(), z.get(), p.get(), ctx.get()) ||
254       !BN_to_montgomery(z.get(), z.get(), mont.get(), ctx.get()) ||
255       // Convert (X, Y, Z) to (X/Z^2, Y/Z^3).
256       !BN_mod_mul_montgomery(x.get(), x.get(), z.get(), mont.get(),
257                              ctx.get()) ||
258       !BN_mod_mul_montgomery(x.get(), x.get(), z.get(), mont.get(),
259                              ctx.get()) ||
260       !BN_mod_mul_montgomery(y.get(), y.get(), z.get(), mont.get(),
261                              ctx.get()) ||
262       !BN_mod_mul_montgomery(y.get(), y.get(), z.get(), mont.get(),
263                              ctx.get()) ||
264       !BN_mod_mul_montgomery(y.get(), y.get(), z.get(), mont.get(),
265                              ctx.get()) ||
266       !bn_copy_words(out->X, P256_LIMBS, x.get()) ||
267       !bn_copy_words(out->Y, P256_LIMBS, y.get())) {
268     return false;
269   }
270   return true;
271 }
272 
ExpectPointsEqual(const char * expected_expr,const char * actual_expr,const P256_POINT_AFFINE * expected,const P256_POINT * actual)273 static testing::AssertionResult ExpectPointsEqual(
274     const char *expected_expr, const char *actual_expr,
275     const P256_POINT_AFFINE *expected, const P256_POINT *actual) {
276   // There are multiple representations of the same |P256_POINT|, so convert to
277   // |P256_POINT_AFFINE| and compare.
278   P256_POINT_AFFINE affine;
279   if (!PointToAffine(&affine, actual)) {
280     return testing::AssertionFailure()
281            << "Could not convert " << actual_expr << " to affine: ("
282            << FieldElementToString(actual->X) << ", "
283            << FieldElementToString(actual->Y) << ", "
284            << FieldElementToString(actual->Z) << ")";
285   }
286 
287   if (OPENSSL_memcmp(expected, &affine, sizeof(P256_POINT_AFFINE)) != 0) {
288     return testing::AssertionFailure()
289            << "Expected: (" << FieldElementToString(expected->X) << ", "
290            << FieldElementToString(expected->Y) << ") (" << expected_expr
291            << "; affine)\n"
292            << "Actual:   (" << FieldElementToString(affine.X) << ", "
293            << FieldElementToString(affine.Y) << ") (" << actual_expr << ")";
294   }
295 
296   return testing::AssertionSuccess();
297 }
298 
299 #define EXPECT_POINTS_EQUAL(a, b) EXPECT_PRED_FORMAT2(ExpectPointsEqual, a, b)
300 
TestNegate(FileTest * t)301 static void TestNegate(FileTest *t) {
302   BN_ULONG a[P256_LIMBS], b[P256_LIMBS];
303   ASSERT_TRUE(GetFieldElement(t, a, "A"));
304   ASSERT_TRUE(GetFieldElement(t, b, "B"));
305 
306   // Test that -A = B.
307   BN_ULONG ret[P256_LIMBS];
308   ecp_nistz256_neg(ret, a);
309   EXPECT_FIELD_ELEMENTS_EQUAL(b, ret);
310 
311   OPENSSL_memcpy(ret, a, sizeof(ret));
312   ecp_nistz256_neg(ret, ret /* a */);
313   EXPECT_FIELD_ELEMENTS_EQUAL(b, ret);
314 
315   // Test that -B = A.
316   ecp_nistz256_neg(ret, b);
317   EXPECT_FIELD_ELEMENTS_EQUAL(a, ret);
318 
319   OPENSSL_memcpy(ret, b, sizeof(ret));
320   ecp_nistz256_neg(ret, ret /* b */);
321   EXPECT_FIELD_ELEMENTS_EQUAL(a, ret);
322 }
323 
TestMulMont(FileTest * t)324 static void TestMulMont(FileTest *t) {
325   BN_ULONG a[P256_LIMBS], b[P256_LIMBS], result[P256_LIMBS];
326   ASSERT_TRUE(GetFieldElement(t, a, "A"));
327   ASSERT_TRUE(GetFieldElement(t, b, "B"));
328   ASSERT_TRUE(GetFieldElement(t, result, "Result"));
329 
330   BN_ULONG ret[P256_LIMBS];
331   ecp_nistz256_mul_mont(ret, a, b);
332   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
333 
334   ecp_nistz256_mul_mont(ret, b, a);
335   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
336 
337   OPENSSL_memcpy(ret, a, sizeof(ret));
338   ecp_nistz256_mul_mont(ret, ret /* a */, b);
339   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
340 
341   OPENSSL_memcpy(ret, a, sizeof(ret));
342   ecp_nistz256_mul_mont(ret, b, ret);
343   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
344 
345   OPENSSL_memcpy(ret, b, sizeof(ret));
346   ecp_nistz256_mul_mont(ret, a, ret /* b */);
347   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
348 
349   OPENSSL_memcpy(ret, b, sizeof(ret));
350   ecp_nistz256_mul_mont(ret, ret /* b */, a);
351   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
352 
353   if (OPENSSL_memcmp(a, b, sizeof(a)) == 0) {
354     ecp_nistz256_sqr_mont(ret, a);
355     EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
356 
357     OPENSSL_memcpy(ret, a, sizeof(ret));
358     ecp_nistz256_sqr_mont(ret, ret /* a */);
359     EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
360   }
361 }
362 
TestFromMont(FileTest * t)363 static void TestFromMont(FileTest *t) {
364   BN_ULONG a[P256_LIMBS], result[P256_LIMBS];
365   ASSERT_TRUE(GetFieldElement(t, a, "A"));
366   ASSERT_TRUE(GetFieldElement(t, result, "Result"));
367 
368   BN_ULONG ret[P256_LIMBS];
369   ecp_nistz256_from_mont(ret, a);
370   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
371 
372   OPENSSL_memcpy(ret, a, sizeof(ret));
373   ecp_nistz256_from_mont(ret, ret /* a */);
374   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
375 }
376 
TestPointAdd(FileTest * t)377 static void TestPointAdd(FileTest *t) {
378   P256_POINT a, b;
379   P256_POINT_AFFINE result;
380   ASSERT_TRUE(GetFieldElement(t, a.X, "A.X"));
381   ASSERT_TRUE(GetFieldElement(t, a.Y, "A.Y"));
382   ASSERT_TRUE(GetFieldElement(t, a.Z, "A.Z"));
383   ASSERT_TRUE(GetFieldElement(t, b.X, "B.X"));
384   ASSERT_TRUE(GetFieldElement(t, b.Y, "B.Y"));
385   ASSERT_TRUE(GetFieldElement(t, b.Z, "B.Z"));
386   ASSERT_TRUE(GetFieldElement(t, result.X, "Result.X"));
387   ASSERT_TRUE(GetFieldElement(t, result.Y, "Result.Y"));
388 
389   P256_POINT ret;
390   ecp_nistz256_point_add(&ret, &a, &b);
391   EXPECT_POINTS_EQUAL(&result, &ret);
392 
393   ecp_nistz256_point_add(&ret, &b, &a);
394   EXPECT_POINTS_EQUAL(&result, &ret);
395 
396   OPENSSL_memcpy(&ret, &a, sizeof(ret));
397   ecp_nistz256_point_add(&ret, &ret /* a */, &b);
398   EXPECT_POINTS_EQUAL(&result, &ret);
399 
400   OPENSSL_memcpy(&ret, &a, sizeof(ret));
401   ecp_nistz256_point_add(&ret, &b, &ret /* a */);
402   EXPECT_POINTS_EQUAL(&result, &ret);
403 
404   OPENSSL_memcpy(&ret, &b, sizeof(ret));
405   ecp_nistz256_point_add(&ret, &a, &ret /* b */);
406   EXPECT_POINTS_EQUAL(&result, &ret);
407 
408   OPENSSL_memcpy(&ret, &b, sizeof(ret));
409   ecp_nistz256_point_add(&ret, &ret /* b */, &a);
410   EXPECT_POINTS_EQUAL(&result, &ret);
411 
412   P256_POINT_AFFINE a_affine, b_affine, infinity;
413   OPENSSL_memset(&infinity, 0, sizeof(infinity));
414   ASSERT_TRUE(PointToAffine(&a_affine, &a));
415   ASSERT_TRUE(PointToAffine(&b_affine, &b));
416 
417   // ecp_nistz256_point_add_affine does not work when a == b unless doubling the
418   // point at infinity.
419   if (OPENSSL_memcmp(&a_affine, &b_affine, sizeof(a_affine)) != 0 ||
420       OPENSSL_memcmp(&a_affine, &infinity, sizeof(a_affine)) == 0) {
421     ecp_nistz256_point_add_affine(&ret, &a, &b_affine);
422     EXPECT_POINTS_EQUAL(&result, &ret);
423 
424     OPENSSL_memcpy(&ret, &a, sizeof(ret));
425     ecp_nistz256_point_add_affine(&ret, &ret /* a */, &b_affine);
426     EXPECT_POINTS_EQUAL(&result, &ret);
427 
428     ecp_nistz256_point_add_affine(&ret, &b, &a_affine);
429     EXPECT_POINTS_EQUAL(&result, &ret);
430 
431     OPENSSL_memcpy(&ret, &b, sizeof(ret));
432     ecp_nistz256_point_add_affine(&ret, &ret /* b */, &a_affine);
433     EXPECT_POINTS_EQUAL(&result, &ret);
434   }
435 
436   if (OPENSSL_memcmp(&a, &b, sizeof(a)) == 0) {
437     ecp_nistz256_point_double(&ret, &a);
438     EXPECT_POINTS_EQUAL(&result, &ret);
439 
440     ret = a;
441     ecp_nistz256_point_double(&ret, &ret /* a */);
442     EXPECT_POINTS_EQUAL(&result, &ret);
443   }
444 }
445 
TestOrdMulMont(FileTest * t)446 static void TestOrdMulMont(FileTest *t) {
447   // This test works on scalars rather than field elements, but the
448   // representation is the same.
449   BN_ULONG a[P256_LIMBS], b[P256_LIMBS], result[P256_LIMBS];
450   ASSERT_TRUE(GetFieldElement(t, a, "A"));
451   ASSERT_TRUE(GetFieldElement(t, b, "B"));
452   ASSERT_TRUE(GetFieldElement(t, result, "Result"));
453 
454   BN_ULONG ret[P256_LIMBS];
455   ecp_nistz256_ord_mul_mont(ret, a, b);
456   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
457 
458   ecp_nistz256_ord_mul_mont(ret, b, a);
459   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
460 
461   OPENSSL_memcpy(ret, a, sizeof(ret));
462   ecp_nistz256_ord_mul_mont(ret, ret /* a */, b);
463   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
464 
465   OPENSSL_memcpy(ret, a, sizeof(ret));
466   ecp_nistz256_ord_mul_mont(ret, b, ret);
467   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
468 
469   OPENSSL_memcpy(ret, b, sizeof(ret));
470   ecp_nistz256_ord_mul_mont(ret, a, ret /* b */);
471   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
472 
473   OPENSSL_memcpy(ret, b, sizeof(ret));
474   ecp_nistz256_ord_mul_mont(ret, ret /* b */, a);
475   EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
476 
477   if (OPENSSL_memcmp(a, b, sizeof(a)) == 0) {
478     ecp_nistz256_ord_sqr_mont(ret, a, 1);
479     EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
480 
481     OPENSSL_memcpy(ret, a, sizeof(ret));
482     ecp_nistz256_ord_sqr_mont(ret, ret /* a */, 1);
483     EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
484   }
485 }
486 
TEST(P256_X86_64Test,TestVectors)487 TEST(P256_X86_64Test, TestVectors) {
488   return FileTestGTest("crypto/fipsmodule/ec/p256-x86_64_tests.txt",
489                        [](FileTest *t) {
490     if (t->GetParameter() == "Negate") {
491       TestNegate(t);
492     } else if (t->GetParameter() == "MulMont") {
493       TestMulMont(t);
494     } else if (t->GetParameter() == "FromMont") {
495       TestFromMont(t);
496     } else if (t->GetParameter() == "PointAdd") {
497       TestPointAdd(t);
498     } else if (t->GetParameter() == "OrdMulMont") {
499       TestOrdMulMont(t);
500     } else {
501       FAIL() << "Unknown test type:" << t->GetParameter();
502     }
503   });
504 }
505 
506 // Instrument the functions covered in TestVectors for ABI checking.
TEST(P256_X86_64Test,ABI)507 TEST(P256_X86_64Test, ABI) {
508   BN_ULONG a[P256_LIMBS], b[P256_LIMBS], c[P256_LIMBS];
509   OPENSSL_memset(a, 0x01, sizeof(a));
510   // These functions are all constant-time, so it is only necessary to
511   // instrument one call each for ABI checking.
512   CHECK_ABI(ecp_nistz256_neg, b, a);
513   CHECK_ABI(ecp_nistz256_mul_mont, c, a, b);
514   CHECK_ABI(ecp_nistz256_sqr_mont, c, a);
515   CHECK_ABI(ecp_nistz256_from_mont, c, a);
516   CHECK_ABI(ecp_nistz256_ord_mul_mont, c, a, b);
517 
518   // Check a few different loop counts.
519   CHECK_ABI(ecp_nistz256_ord_sqr_mont, b, a, 1);
520   CHECK_ABI(ecp_nistz256_ord_sqr_mont, b, a, 3);
521 
522   // Point addition has some special cases around infinity and doubling. Test a
523   // few different scenarios.
524   static const P256_POINT kA = {
525       {TOBN(0x60559ac7, 0xc8d0d89d), TOBN(0x6cda3400, 0x545f7e2c),
526        TOBN(0x9b5159e0, 0x323e6048), TOBN(0xcb8dea33, 0x27057fe6)},
527       {TOBN(0x81a2d3bc, 0xc93a2d53), TOBN(0x81f40762, 0xa4f33ccf),
528        TOBN(0xc3c3300a, 0xa8ad50ea), TOBN(0x553de89b, 0x31719830)},
529       {TOBN(0x3fd9470f, 0xb277d181), TOBN(0xc191b8d5, 0x6376f206),
530        TOBN(0xb2572c1f, 0x45eda26f), TOBN(0x4589e40d, 0xf2efc546)},
531   };
532   static const P256_POINT kB = {
533       {TOBN(0x3cf0b0aa, 0x92054341), TOBN(0xb949bb80, 0xdab57807),
534        TOBN(0x99de6814, 0xefd21b3e), TOBN(0x32ad5649, 0x7c6c6e83)},
535       {TOBN(0x06afaa02, 0x688399e0), TOBN(0x75f2d096, 0x2a3ce65c),
536        TOBN(0xf6a31eb7, 0xca0244b3), TOBN(0x57b33b7a, 0xcfeee75e)},
537       {TOBN(0x7617d2e0, 0xb4f1d35f), TOBN(0xa922cb10, 0x7f592b65),
538        TOBN(0x12fd6c7a, 0x51a2f474), TOBN(0x337d5e1e, 0xc2fc711b)},
539   };
540   // This file represents Jacobian infinity as (*, *, 0).
541   static const P256_POINT kInfinity = {
542       {TOBN(0, 0), TOBN(0, 0), TOBN(0, 0), TOBN(0, 0)},
543       {TOBN(0, 0), TOBN(0, 0), TOBN(0, 0), TOBN(0, 0)},
544       {TOBN(0, 0), TOBN(0, 0), TOBN(0, 0), TOBN(0, 0)},
545   };
546 
547   P256_POINT p;
548   CHECK_ABI(ecp_nistz256_point_add, &p, &kA, &kB);
549   CHECK_ABI(ecp_nistz256_point_add, &p, &kA, &kA);
550   OPENSSL_memcpy(&p, &kA, sizeof(P256_POINT));
551   ecp_nistz256_neg(p.Y, p.Y);
552   CHECK_ABI(ecp_nistz256_point_add, &p, &kA, &p);  // A + -A
553   CHECK_ABI(ecp_nistz256_point_add, &p, &kA, &kInfinity);
554   CHECK_ABI(ecp_nistz256_point_add, &p, &kInfinity, &kA);
555   CHECK_ABI(ecp_nistz256_point_add, &p, &kInfinity, &kInfinity);
556   CHECK_ABI(ecp_nistz256_point_double, &p, &kA);
557   CHECK_ABI(ecp_nistz256_point_double, &p, &kInfinity);
558 
559   static const P256_POINT_AFFINE kC = {
560       {TOBN(0x7e3ad339, 0xfb3fa5f0), TOBN(0x559d669d, 0xe3a047b2),
561        TOBN(0x8883b298, 0x7042e595), TOBN(0xfabada65, 0x7e477f08)},
562       {TOBN(0xd9cfceb8, 0xda1c3e85), TOBN(0x80863761, 0x0ce6d6bc),
563        TOBN(0xa8409d84, 0x66034f02), TOBN(0x05519925, 0x31a68d55)},
564   };
565   // This file represents affine infinity as (0, 0).
566   static const P256_POINT_AFFINE kInfinityAffine = {
567     {TOBN(0, 0), TOBN(0, 0), TOBN(0, 0), TOBN(0, 0)},
568     {TOBN(0, 0), TOBN(0, 0), TOBN(0, 0), TOBN(0, 0)},
569   };
570 
571   CHECK_ABI(ecp_nistz256_point_add_affine, &p, &kA, &kC);
572   CHECK_ABI(ecp_nistz256_point_add_affine, &p, &kA, &kInfinityAffine);
573   CHECK_ABI(ecp_nistz256_point_add_affine, &p, &kInfinity, &kInfinityAffine);
574   CHECK_ABI(ecp_nistz256_point_add_affine, &p, &kInfinity, &kC);
575 }
576 
577 #endif
578