Make explicit _ct and _nonct versions of bn_mod_exp funcitons that

matter for constant time, and make the public interface only used external to the library. This moves us to a model where the important things are constant time versions unless you ask for them not to be, rather than the opposite. I'll continue with this method by method. Add regress tests for same. ok jsing@
author: beck <> 2017-01-21 09:38:59 +0000
committer: beck <> 2017-01-21 09:38:59 +0000
commit: ba7dab5b77b1e4dd797dbe7a4c31b5f4cbea0cd7 (patch)
tree: a68beae7892dad13fd8d76ba1fc45e6570e3360b /src/regress
parent: 0c45e4e4d42eacefe309063241d5a7f6de6674e7 (diff)
download: openbsd-ba7dab5b77b1e4dd797dbe7a4c31b5f4cbea0cd7.tar.gz
openbsd-ba7dab5b77b1e4dd797dbe7a4c31b5f4cbea0cd7.tar.bz2
openbsd-ba7dab5b77b1e4dd797dbe7a4c31b5f4cbea0cd7.zip
5 files changed, 143 insertions, 8 deletions
diff --git a/src/regress/lib/libcrypto/bn/general/Makefile b/src/regress/lib/libcrypto/bn/general/Makefile
index 18207ffb01..d578d0fe12 100644
--- a/src/regress/lib/libcrypto/bn/general/Makefile
+++ b/src/regress/lib/libcrypto/bn/general/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.3 2016/12/21 15:51:05 jsing Exp $
+#       $OpenBSD: Makefile,v 1.4 2017/01/21 09:38:58 beck Exp $
 .include "../../Makefile.inc"
@@ -6,6 +6,6 @@ PROG=	bntest
 LDADD=  ${CRYPTO_INT}
 DPADD=  ${LIBCRYPTO}
 WARNINGS=       Yes
-CFLAGS+=        -DLIBRESSL_INTERNAL -Werror
+CFLAGS+=        -Werror
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/bn/general/bntest.c b/src/regress/lib/libcrypto/bn/general/bntest.c
index 0247dacaa4..7e5e6ed81b 100644
--- a/src/regress/lib/libcrypto/bn/general/bntest.c
+++ b/src/regress/lib/libcrypto/bn/general/bntest.c
@@ -84,6 +84,15 @@
 #include <openssl/x509.h>
 #include <openssl/err.h>
+int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
 const int num0 = 100; /* number of tests */
@@ -1037,6 +1046,14 @@ test_mod_exp(BIO *bp, BN_CTX *ctx)
                fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
                return (0);
        }
+        if (BN_mod_exp_ct(d, a, b, c, ctx)) {
+                fprintf(stderr, "BN_mod_exp_ct with zero modulus succeeded!\n");
+                return (0);
+        }
+        if (BN_mod_exp_nonct(d, a, b, c, ctx)) {
+                fprintf(stderr, "BN_mod_exp_nonct with zero modulus succeeded!\n");
+                return (0);
+        }
        BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
        for (i = 0; i < num2; i++) {
@@ -1069,6 +1086,70 @@ test_mod_exp(BIO *bp, BN_CTX *ctx)
                        break;
                }
        }
+        BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
+        for (i = 0; i < num2; i++) {
+                BN_bntest_rand(a, 20 + i * 5, 0, 0);
+                BN_bntest_rand(b, 2 + i, 0, 0);
+                if (!BN_mod_exp_ct(d, a, b, c, ctx)) {
+                        rc = 0;
+                        break;
+                }
+                if (bp != NULL) {
+                        if (!results) {
+                                BN_print(bp, a);
+                                BIO_puts(bp, " ^ ");
+                                BN_print(bp, b);
+                                BIO_puts(bp, " % ");
+                                BN_print(bp, c);
+                                BIO_puts(bp, " - ");
+                        }
+                        BN_print(bp, d);
+                        BIO_puts(bp, "\n");
+                }
+                BN_exp(e, a, b, ctx);
+                BN_sub(e, e, d);
+                BN_div(a, b, e, c, ctx);
+                if (!BN_is_zero(b)) {
+                        fprintf(stderr, "Modulo exponentiation test failed!\n");
+                        rc = 0;
+                        break;
+                }
+        }
+        BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
+        for (i = 0; i < num2; i++) {
+                BN_bntest_rand(a, 20 + i * 5, 0, 0);
+                BN_bntest_rand(b, 2 + i, 0, 0);
+                if (!BN_mod_exp_nonct(d, a, b, c, ctx)) {
+                        rc = 0;
+                        break;
+                }
+                if (bp != NULL) {
+                        if (!results) {
+                                BN_print(bp, a);
+                                BIO_puts(bp, " ^ ");
+                                BN_print(bp, b);
+                                BIO_puts(bp, " % ");
+                                BN_print(bp, c);
+                                BIO_puts(bp, " - ");
+                        }
+                        BN_print(bp, d);
+                        BIO_puts(bp, "\n");
+                }
+                BN_exp(e, a, b, ctx);
+                BN_sub(e, e, d);
+                BN_div(a, b, e, c, ctx);
+                if (!BN_is_zero(b)) {
+                        fprintf(stderr, "Modulo exponentiation test failed!\n");
+                        rc = 0;
+                        break;
+                }
+        }
        BN_free(a);
        BN_free(b);
        BN_free(c);
diff --git a/src/regress/lib/libcrypto/bn/mont/Makefile b/src/regress/lib/libcrypto/bn/mont/Makefile
index eda36001a3..55c48220d4 100644
--- a/src/regress/lib/libcrypto/bn/mont/Makefile
+++ b/src/regress/lib/libcrypto/bn/mont/Makefile
@@ -1,9 +1,9 @@
-#       $OpenBSD: Makefile,v 1.2 2014/07/08 15:53:52 jsing Exp $
+#       $OpenBSD: Makefile,v 1.3 2017/01/21 09:38:58 beck Exp $
 PROG=   mont
 LDADD=  -lcrypto
 DPADD=  ${LIBCRYPTO}
 WARNINGS=       Yes
-CFLAGS+=        -DLIBRESSL_INTERNAL -Werror
+CFLAGS+=        -Werror
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/exp/Makefile b/src/regress/lib/libcrypto/exp/Makefile
index 3914201431..890b38e9fe 100644
--- a/src/regress/lib/libcrypto/exp/Makefile
+++ b/src/regress/lib/libcrypto/exp/Makefile
@@ -1,9 +1,9 @@
-#       $OpenBSD: Makefile,v 1.3 2014/07/08 15:53:52 jsing Exp $
+#       $OpenBSD: Makefile,v 1.4 2017/01/21 09:38:58 beck Exp $
 PROG=   exptest
-LDADD=  -lcrypto
+LDADD=  ${CRYPTO_INT}
 DPADD=  ${LIBCRYPTO}
 WARNINGS=       Yes
-CFLAGS+=        -DLIBRESSL_INTERNAL -Werror
+CFLAGS+=        -Werror
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/exp/exptest.c b/src/regress/lib/libcrypto/exp/exptest.c
index 45ca5ac5f5..375628cb25 100644
--- a/src/regress/lib/libcrypto/exp/exptest.c
+++ b/src/regress/lib/libcrypto/exp/exptest.c
@@ -64,6 +64,15 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
+int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 #define NUM_BITS        (BN_BITS*2)
 /*
@@ -116,6 +125,18 @@ static int test_exp_mod_zero(void)
        if (!a_is_zero_mod_one("BN_mod_exp", &r, &a))
                failed = 1;
+        if (!BN_mod_exp_ct(&r, &a, &p, &m, ctx))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp_ct", &r, &a))
+                failed = 1;
+        if (!BN_mod_exp_nonct(&r, &a, &p, &m, ctx))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp_nonct", &r, &a))
+                failed = 1;
        if (!BN_mod_exp_recp(&r, &a, &p, &m, ctx))
                goto err;
@@ -134,6 +155,18 @@ static int test_exp_mod_zero(void)
        if (!a_is_zero_mod_one("BN_mod_exp_mont", &r, &a))
                failed = 1;
+        if (!BN_mod_exp_mont_ct(&r, &a, &p, &m, ctx, NULL))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp_mont_ct", &r, &a))
+                failed = 1;
+        if (!BN_mod_exp_mont_nonct(&r, &a, &p, &m, ctx, NULL))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp_mont_nonct", &r, &a))
+                failed = 1;
        if (!BN_mod_exp_mont_consttime(&r, &a, &p, &m, ctx, NULL)) {
                goto err;
        }
@@ -175,7 +208,8 @@ int main(int argc, char *argv[])
        BIO *out = NULL;
        int i, ret;
        unsigned char c;
-        BIGNUM *r_mont, *r_mont_const, *r_recp, *r_simple, *a, *b, *m;
+        BIGNUM *r_mont, *r_mont_const, *r_recp, *r_simple,
+            *r_mont_ct, *r_mont_nonct, *a, *b, *m;
        ERR_load_BN_strings();
@@ -184,6 +218,8 @@ int main(int argc, char *argv[])
                exit(1);
        r_mont = BN_new();
        r_mont_const = BN_new();
+        r_mont_ct = BN_new();
+        r_mont_nonct = BN_new();
        r_recp = BN_new();
        r_simple = BN_new();
        a = BN_new();
@@ -221,6 +257,20 @@ int main(int argc, char *argv[])
                        exit(1);
                }
+                ret = BN_mod_exp_mont_ct(r_mont_ct, a, b, m, ctx, NULL);
+                if (ret <= 0) {
+                        printf("BN_mod_exp_mont_ct() problems\n");
+                        ERR_print_errors(out);
+                        exit(1);
+                }
+                ret = BN_mod_exp_mont_nonct(r_mont_nonct, a, b, m, ctx, NULL);
+                if (ret <= 0) {
+                        printf("BN_mod_exp_mont_nonct() problems\n");
+                        ERR_print_errors(out);
+                        exit(1);
+                }
                ret = BN_mod_exp_recp(r_recp, a, b, m, ctx);
                if (ret <= 0) {
                        printf("BN_mod_exp_recp() problems\n");
@@ -254,6 +304,10 @@ int main(int argc, char *argv[])
                                printf("\nsimple and mont const time results differ\n");
                        if (BN_cmp(r_simple, r_recp) != 0)
                                printf("\nsimple and recp results differ\n");
+                        if (BN_cmp(r_mont, r_mont_ct) != 0)
+                                printf("\nmont_ct and mont results differ\n");
+                        if (BN_cmp(r_mont_ct, r_mont_nonct) != 0)
+                                printf("\nmont_ct and mont_nonct results differ\n");
                        printf("a (%3d) = ", BN_num_bits(a));
                        BN_print(out, a);
author	beck <>	2017-01-21 09:38:59 +0000
committer	beck <>	2017-01-21 09:38:59 +0000
commit	ba7dab5b77b1e4dd797dbe7a4c31b5f4cbea0cd7 (patch)
tree	a68beae7892dad13fd8d76ba1fc45e6570e3360b /src/regress
parent	0c45e4e4d42eacefe309063241d5a7f6de6674e7 (diff)
download	openbsd-ba7dab5b77b1e4dd797dbe7a4c31b5f4cbea0cd7.tar.gz openbsd-ba7dab5b77b1e4dd797dbe7a4c31b5f4cbea0cd7.tar.bz2 openbsd-ba7dab5b77b1e4dd797dbe7a4c31b5f4cbea0cd7.zip

diff --git a/src/regress/lib/libcrypto/bn/general/Makefile b/src/regress/lib/libcrypto/bn/general/Makefile index 18207ffb01..d578d0fe12 100644 --- a/src/regress/lib/libcrypto/bn/general/Makefile +++ b/src/regress/lib/libcrypto/bn/general/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.3 2016/12/21 15:51:05 jsing Exp $	1	# $OpenBSD: Makefile,v 1.4 2017/01/21 09:38:58 beck Exp $
2		2
3	.include "../../Makefile.inc"	3	.include "../../Makefile.inc"
4		4
@@ -6,6 +6,6 @@ PROG= bntest
6	LDADD= ${CRYPTO_INT}	6	LDADD= ${CRYPTO_INT}
7	DPADD= ${LIBCRYPTO}	7	DPADD= ${LIBCRYPTO}
8	WARNINGS= Yes	8	WARNINGS= Yes
9	CFLAGS+= -DLIBRESSL_INTERNAL -Werror	9	CFLAGS+= -Werror
10		10
11	.include <bsd.regress.mk>	11	.include <bsd.regress.mk>


diff --git a/src/regress/lib/libcrypto/bn/general/bntest.c b/src/regress/lib/libcrypto/bn/general/bntest.c index 0247dacaa4..7e5e6ed81b 100644 --- a/src/regress/lib/libcrypto/bn/general/bntest.c +++ b/src/regress/lib/libcrypto/bn/general/bntest.c
@@ -84,6 +84,15 @@
84	#include <openssl/x509.h>	84	#include <openssl/x509.h>
85	#include <openssl/err.h>	85	#include <openssl/err.h>
86		86
		87	int BN_mod_exp_ct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		88	const BIGNUM m, BN_CTX ctx);
		89	int BN_mod_exp_nonct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		90	const BIGNUM m, BN_CTX ctx);
		91	int BN_mod_exp_mont_ct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		92	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);
		93	int BN_mod_exp_mont_nonct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		94	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);
		95
87	int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);	96	int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
88		97
89	const int num0 = 100; /* number of tests */	98	const int num0 = 100; /* number of tests */
@@ -1037,6 +1046,14 @@ test_mod_exp(BIO bp, BN_CTX ctx)
1037	fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");	1046	fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
1038	return (0);	1047	return (0);
1039	}	1048	}
		1049	if (BN_mod_exp_ct(d, a, b, c, ctx)) {
		1050	fprintf(stderr, "BN_mod_exp_ct with zero modulus succeeded!\n");
		1051	return (0);
		1052	}
		1053	if (BN_mod_exp_nonct(d, a, b, c, ctx)) {
		1054	fprintf(stderr, "BN_mod_exp_nonct with zero modulus succeeded!\n");
		1055	return (0);
		1056	}
1040		1057
1041	BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */	1058	BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1042	for (i = 0; i < num2; i++) {	1059	for (i = 0; i < num2; i++) {
@@ -1069,6 +1086,70 @@ test_mod_exp(BIO bp, BN_CTX ctx)
1069	break;	1086	break;
1070	}	1087	}
1071	}	1088	}
		1089
		1090	BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
		1091	for (i = 0; i < num2; i++) {
		1092	BN_bntest_rand(a, 20 + i * 5, 0, 0);
		1093	BN_bntest_rand(b, 2 + i, 0, 0);
		1094
		1095	if (!BN_mod_exp_ct(d, a, b, c, ctx)) {
		1096	rc = 0;
		1097	break;
		1098	}
		1099
		1100	if (bp != NULL) {
		1101	if (!results) {
		1102	BN_print(bp, a);
		1103	BIO_puts(bp, " ^ ");
		1104	BN_print(bp, b);
		1105	BIO_puts(bp, " % ");
		1106	BN_print(bp, c);
		1107	BIO_puts(bp, " - ");
		1108	}
		1109	BN_print(bp, d);
		1110	BIO_puts(bp, "\n");
		1111	}
		1112	BN_exp(e, a, b, ctx);
		1113	BN_sub(e, e, d);
		1114	BN_div(a, b, e, c, ctx);
		1115	if (!BN_is_zero(b)) {
		1116	fprintf(stderr, "Modulo exponentiation test failed!\n");
		1117	rc = 0;
		1118	break;
		1119	}
		1120	}
		1121
		1122	BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
		1123	for (i = 0; i < num2; i++) {
		1124	BN_bntest_rand(a, 20 + i * 5, 0, 0);
		1125	BN_bntest_rand(b, 2 + i, 0, 0);
		1126
		1127	if (!BN_mod_exp_nonct(d, a, b, c, ctx)) {
		1128	rc = 0;
		1129	break;
		1130	}
		1131
		1132	if (bp != NULL) {
		1133	if (!results) {
		1134	BN_print(bp, a);
		1135	BIO_puts(bp, " ^ ");
		1136	BN_print(bp, b);
		1137	BIO_puts(bp, " % ");
		1138	BN_print(bp, c);
		1139	BIO_puts(bp, " - ");
		1140	}
		1141	BN_print(bp, d);
		1142	BIO_puts(bp, "\n");
		1143	}
		1144	BN_exp(e, a, b, ctx);
		1145	BN_sub(e, e, d);
		1146	BN_div(a, b, e, c, ctx);
		1147	if (!BN_is_zero(b)) {
		1148	fprintf(stderr, "Modulo exponentiation test failed!\n");
		1149	rc = 0;
		1150	break;
		1151	}
		1152	}
1072	BN_free(a);	1153	BN_free(a);
1073	BN_free(b);	1154	BN_free(b);
1074	BN_free(c);	1155	BN_free(c);


diff --git a/src/regress/lib/libcrypto/bn/mont/Makefile b/src/regress/lib/libcrypto/bn/mont/Makefile index eda36001a3..55c48220d4 100644 --- a/src/regress/lib/libcrypto/bn/mont/Makefile +++ b/src/regress/lib/libcrypto/bn/mont/Makefile
@@ -1,9 +1,9 @@
1	# $OpenBSD: Makefile,v 1.2 2014/07/08 15:53:52 jsing Exp $	1	# $OpenBSD: Makefile,v 1.3 2017/01/21 09:38:58 beck Exp $
2		2
3	PROG= mont	3	PROG= mont
4	LDADD= -lcrypto	4	LDADD= -lcrypto
5	DPADD= ${LIBCRYPTO}	5	DPADD= ${LIBCRYPTO}
6	WARNINGS= Yes	6	WARNINGS= Yes
7	CFLAGS+= -DLIBRESSL_INTERNAL -Werror	7	CFLAGS+= -Werror
8		8
9	.include <bsd.regress.mk>	9	.include <bsd.regress.mk>


diff --git a/src/regress/lib/libcrypto/exp/Makefile b/src/regress/lib/libcrypto/exp/Makefile index 3914201431..890b38e9fe 100644 --- a/src/regress/lib/libcrypto/exp/Makefile +++ b/src/regress/lib/libcrypto/exp/Makefile
@@ -1,9 +1,9 @@
1	# $OpenBSD: Makefile,v 1.3 2014/07/08 15:53:52 jsing Exp $	1	# $OpenBSD: Makefile,v 1.4 2017/01/21 09:38:58 beck Exp $
2		2
3	PROG= exptest	3	PROG= exptest
4	LDADD= -lcrypto	4	LDADD= ${CRYPTO_INT}
5	DPADD= ${LIBCRYPTO}	5	DPADD= ${LIBCRYPTO}
6	WARNINGS= Yes	6	WARNINGS= Yes
7	CFLAGS+= -DLIBRESSL_INTERNAL -Werror	7	CFLAGS+= -Werror
8		8
9	.include <bsd.regress.mk>	9	.include <bsd.regress.mk>


diff --git a/src/regress/lib/libcrypto/exp/exptest.c b/src/regress/lib/libcrypto/exp/exptest.c index 45ca5ac5f5..375628cb25 100644 --- a/src/regress/lib/libcrypto/exp/exptest.c +++ b/src/regress/lib/libcrypto/exp/exptest.c
@@ -64,6 +64,15 @@
64	#include <openssl/bn.h>	64	#include <openssl/bn.h>
65	#include <openssl/err.h>	65	#include <openssl/err.h>
66		66
		67	int BN_mod_exp_ct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		68	const BIGNUM m, BN_CTX ctx);
		69	int BN_mod_exp_nonct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		70	const BIGNUM m, BN_CTX ctx);
		71	int BN_mod_exp_mont_ct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		72	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);
		73	int BN_mod_exp_mont_nonct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		74	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);
		75
67	#define NUM_BITS (BN_BITS*2)	76	#define NUM_BITS (BN_BITS*2)
68		77
69	/*	78	/*
@@ -116,6 +125,18 @@ static int test_exp_mod_zero(void)
116	if (!a_is_zero_mod_one("BN_mod_exp", &r, &a))	125	if (!a_is_zero_mod_one("BN_mod_exp", &r, &a))
117	failed = 1;	126	failed = 1;
118		127
		128	if (!BN_mod_exp_ct(&r, &a, &p, &m, ctx))
		129	goto err;
		130
		131	if (!a_is_zero_mod_one("BN_mod_exp_ct", &r, &a))
		132	failed = 1;
		133
		134	if (!BN_mod_exp_nonct(&r, &a, &p, &m, ctx))
		135	goto err;
		136
		137	if (!a_is_zero_mod_one("BN_mod_exp_nonct", &r, &a))
		138	failed = 1;
		139
119	if (!BN_mod_exp_recp(&r, &a, &p, &m, ctx))	140	if (!BN_mod_exp_recp(&r, &a, &p, &m, ctx))
120	goto err;	141	goto err;
121		142
@@ -134,6 +155,18 @@ static int test_exp_mod_zero(void)
134	if (!a_is_zero_mod_one("BN_mod_exp_mont", &r, &a))	155	if (!a_is_zero_mod_one("BN_mod_exp_mont", &r, &a))
135	failed = 1;	156	failed = 1;
136		157
		158	if (!BN_mod_exp_mont_ct(&r, &a, &p, &m, ctx, NULL))
		159	goto err;
		160
		161	if (!a_is_zero_mod_one("BN_mod_exp_mont_ct", &r, &a))
		162	failed = 1;
		163
		164	if (!BN_mod_exp_mont_nonct(&r, &a, &p, &m, ctx, NULL))
		165	goto err;
		166
		167	if (!a_is_zero_mod_one("BN_mod_exp_mont_nonct", &r, &a))
		168	failed = 1;
		169
137	if (!BN_mod_exp_mont_consttime(&r, &a, &p, &m, ctx, NULL)) {	170	if (!BN_mod_exp_mont_consttime(&r, &a, &p, &m, ctx, NULL)) {
138	goto err;	171	goto err;
139	}	172	}
@@ -175,7 +208,8 @@ int main(int argc, char *argv[])
175	BIO *out = NULL;	208	BIO *out = NULL;
176	int i, ret;	209	int i, ret;
177	unsigned char c;	210	unsigned char c;
178	BIGNUM r_mont, r_mont_const, r_recp, r_simple, a, b, *m;	211	BIGNUM r_mont, r_mont_const, r_recp, r_simple,
		212	r_mont_ct, r_mont_nonct, a, b, *m;
179		213
180	ERR_load_BN_strings();	214	ERR_load_BN_strings();
181		215
@@ -184,6 +218,8 @@ int main(int argc, char *argv[])
184	exit(1);	218	exit(1);
185	r_mont = BN_new();	219	r_mont = BN_new();
186	r_mont_const = BN_new();	220	r_mont_const = BN_new();
		221	r_mont_ct = BN_new();
		222	r_mont_nonct = BN_new();
187	r_recp = BN_new();	223	r_recp = BN_new();
188	r_simple = BN_new();	224	r_simple = BN_new();
189	a = BN_new();	225	a = BN_new();
@@ -221,6 +257,20 @@ int main(int argc, char *argv[])
221	exit(1);	257	exit(1);
222	}	258	}
223		259
		260	ret = BN_mod_exp_mont_ct(r_mont_ct, a, b, m, ctx, NULL);
		261	if (ret <= 0) {
		262	printf("BN_mod_exp_mont_ct() problems\n");
		263	ERR_print_errors(out);
		264	exit(1);
		265	}
		266
		267	ret = BN_mod_exp_mont_nonct(r_mont_nonct, a, b, m, ctx, NULL);
		268	if (ret <= 0) {
		269	printf("BN_mod_exp_mont_nonct() problems\n");
		270	ERR_print_errors(out);
		271	exit(1);
		272	}
		273
224	ret = BN_mod_exp_recp(r_recp, a, b, m, ctx);	274	ret = BN_mod_exp_recp(r_recp, a, b, m, ctx);
225	if (ret <= 0) {	275	if (ret <= 0) {
226	printf("BN_mod_exp_recp() problems\n");	276	printf("BN_mod_exp_recp() problems\n");
@@ -254,6 +304,10 @@ int main(int argc, char *argv[])
254	printf("\nsimple and mont const time results differ\n");	304	printf("\nsimple and mont const time results differ\n");
255	if (BN_cmp(r_simple, r_recp) != 0)	305	if (BN_cmp(r_simple, r_recp) != 0)
256	printf("\nsimple and recp results differ\n");	306	printf("\nsimple and recp results differ\n");
		307	if (BN_cmp(r_mont, r_mont_ct) != 0)
		308	printf("\nmont_ct and mont results differ\n");
		309	if (BN_cmp(r_mont_ct, r_mont_nonct) != 0)
		310	printf("\nmont_ct and mont_nonct results differ\n");
257		311
258	printf("a (%3d) = ", BN_num_bits(a));	312	printf("a (%3d) = ", BN_num_bits(a));
259	BN_print(out, a);	313	BN_print(out, a);