Google Git
Sign in
boringssl / boringssl.git / e5d6b2fbb45b5638cc9a4c98508748436cb07a44 / . / fuzz / bn_mod_exp.cc
blob: 0bfa5a85c7210203c300a896f143f13c8830ecd2 [file] [log] [blame]
Steven Valdez7f8c5532017-10-03 13:14:18 -0400[diff] [blame]1/* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/bn.h>
16#include <openssl/bytestring.h>
17#include <openssl/mem.h>
18
19#define CHECK(expr) \
20 do { \
21 if (!(expr)) { \
22 printf("%s failed\n", #expr); \
23 abort(); \
24 } \
25 } while (false)
26
27// Basic implementation of mod_exp using square and multiple method.
28int mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
29 BN_CTX *ctx) {
30 if (BN_is_one(m)) {
31 BN_zero(r);
32 return 1;
33 }
34
35 bssl::UniquePtr<BIGNUM> exp(BN_dup(p));
36 bssl::UniquePtr<BIGNUM> base(BN_new());
37 if (!exp || !base) {
38 return 0;
39 }
40 if (!BN_one(r) || !BN_nnmod(base.get(), a, m, ctx)) {
41 return 0;
42 }
43
44 while (!BN_is_zero(exp.get())) {
45 if (BN_is_odd(exp.get())) {
46 if (!BN_mul(r, r, base.get(), ctx) || !BN_nnmod(r, r, m, ctx)) {
47 return 0;
48 }
49 }
50 if (!BN_rshift1(exp.get(), exp.get()) ||
51 !BN_mul(base.get(), base.get(), base.get(), ctx) ||
52 !BN_nnmod(base.get(), base.get(), m, ctx)) {
53 return 0;
54 }
55 }
56
57 return 1;
58}
59
60extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
61 CBS cbs, child0, child1, child2;
62 uint8_t sign;
63 CBS_init(&cbs, buf, len);
David Benjaminaf924182017-10-26 22:34:55 -0400[diff] [blame]64 if (!CBS_get_u16_length_prefixed(&cbs, &child0) ||
Steven Valdez7f8c5532017-10-03 13:14:18 -0400[diff] [blame]65 !CBS_get_u8(&child0, &sign) ||
66 CBS_len(&child0) == 0 ||
David Benjaminaf924182017-10-26 22:34:55 -0400[diff] [blame]67 !CBS_get_u16_length_prefixed(&cbs, &child1) ||
Steven Valdez7f8c5532017-10-03 13:14:18 -0400[diff] [blame]68 CBS_len(&child1) == 0 ||
David Benjaminaf924182017-10-26 22:34:55 -0400[diff] [blame]69 !CBS_get_u16_length_prefixed(&cbs, &child2) ||
Steven Valdez7f8c5532017-10-03 13:14:18 -0400[diff] [blame]70 CBS_len(&child2) == 0) {
71 return 0;
72 }
David Benjaminfc9c6752017-11-28 14:49:53 -0500[diff] [blame]73
74 // Don't fuzz inputs larger than 512 bytes (4096 bits). This isn't ideal, but
75 // the naive |mod_exp| above is somewhat slow, so this otherwise causes the
76 // fuzzers to spend a lot of time exploring timeouts.
77 if (CBS_len(&child0) > 512 ||
78 CBS_len(&child1) > 512 ||
79 CBS_len(&child2) > 512) {
80 return 0;
81 }
82
Steven Valdez7f8c5532017-10-03 13:14:18 -0400[diff] [blame]83 bssl::UniquePtr<BIGNUM> base(
84 BN_bin2bn(CBS_data(&child0), CBS_len(&child0), nullptr));
85 BN_set_negative(base.get(), sign % 2);
86 bssl::UniquePtr<BIGNUM> power(
87 BN_bin2bn(CBS_data(&child1), CBS_len(&child1), nullptr));
88 bssl::UniquePtr<BIGNUM> modulus(
89 BN_bin2bn(CBS_data(&child2), CBS_len(&child2), nullptr));
90
91 if (BN_is_zero(modulus.get())) {
92 return 0;
93 }
94
95 bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());
Steven Valdez7f8c5532017-10-03 13:14:18 -0400[diff] [blame]96 bssl::UniquePtr<BIGNUM> result(BN_new());
97 bssl::UniquePtr<BIGNUM> expected(BN_new());
98 CHECK(ctx);
Steven Valdez7f8c5532017-10-03 13:14:18 -0400[diff] [blame]99 CHECK(result);
100 CHECK(expected);
101
102 CHECK(mod_exp(expected.get(), base.get(), power.get(), modulus.get(),
103 ctx.get()));
104 CHECK(BN_mod_exp(result.get(), base.get(), power.get(), modulus.get(),
105 ctx.get()));
106 CHECK(BN_cmp(result.get(), expected.get()) == 0);
107
108 if (BN_is_odd(modulus.get())) {
David Benjaminf4b708c2018-01-23 17:03:26 -0500[diff] [blame]109 bssl::UniquePtr<BN_MONT_CTX> mont(
110 BN_MONT_CTX_new_for_modulus(modulus.get(), ctx.get()));
111 CHECK(mont);
David Benjamina63d0ad2018-04-17 11:59:28 -0400[diff] [blame]112 // |BN_mod_exp_mont| and |BN_mod_exp_mont_consttime| require reduced inputs.
113 CHECK(BN_nnmod(base.get(), base.get(), modulus.get(), ctx.get()));
Steven Valdez7f8c5532017-10-03 13:14:18 -0400[diff] [blame]114 CHECK(BN_mod_exp_mont(result.get(), base.get(), power.get(), modulus.get(),
115 ctx.get(), mont.get()));
116 CHECK(BN_cmp(result.get(), expected.get()) == 0);
117 CHECK(BN_mod_exp_mont_consttime(result.get(), base.get(), power.get(),
118 modulus.get(), ctx.get(), mont.get()));
119 CHECK(BN_cmp(result.get(), expected.get()) == 0);
120 }
121
122 uint8_t *data = (uint8_t *)OPENSSL_malloc(BN_num_bytes(result.get()));
123 BN_bn2bin(result.get(), data);
124 OPENSSL_free(data);
125
126 return 0;
127}