bn_mod_exp.cc
Go to the documentation of this file.
1 /* Copyright (c) 2017, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #include <openssl/bn.h>
16 #include <openssl/bytestring.h>
17 #include <openssl/mem.h>
18 
19 #define CHECK(expr) \
20  do { \
21  if (!(expr)) { \
22  printf("%s failed\n", #expr); \
23  abort(); \
24  } \
25  } while (false)
26 
27 // Basic implementation of mod_exp using square and multiple method.
28 int mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
29  BN_CTX *ctx) {
30  if (BN_is_one(m)) {
31  BN_zero(r);
32  return 1;
33  }
34 
35  bssl::UniquePtr<BIGNUM> exp(BN_dup(p));
36  bssl::UniquePtr<BIGNUM> base(BN_new());
37  if (!exp || !base) {
38  return 0;
39  }
40  if (!BN_one(r) || !BN_nnmod(base.get(), a, m, ctx)) {
41  return 0;
42  }
43 
44  while (!BN_is_zero(exp.get())) {
45  if (BN_is_odd(exp.get())) {
46  if (!BN_mul(r, r, base.get(), ctx) || !BN_nnmod(r, r, m, ctx)) {
47  return 0;
48  }
49  }
50  if (!BN_rshift1(exp.get(), exp.get()) ||
51  !BN_mul(base.get(), base.get(), base.get(), ctx) ||
52  !BN_nnmod(base.get(), base.get(), m, ctx)) {
53  return 0;
54  }
55  }
56 
57  return 1;
58 }
59 
60 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
61  CBS cbs, child0, child1, child2;
62  uint8_t sign;
63  CBS_init(&cbs, buf, len);
64  if (!CBS_get_u16_length_prefixed(&cbs, &child0) ||
65  !CBS_get_u8(&child0, &sign) ||
66  CBS_len(&child0) == 0 ||
67  !CBS_get_u16_length_prefixed(&cbs, &child1) ||
68  CBS_len(&child1) == 0 ||
69  !CBS_get_u16_length_prefixed(&cbs, &child2) ||
70  CBS_len(&child2) == 0) {
71  return 0;
72  }
73 
74  // Don't fuzz inputs larger than 512 bytes (4096 bits). This isn't ideal, but
75  // the naive |mod_exp| above is somewhat slow, so this otherwise causes the
76  // fuzzers to spend a lot of time exploring timeouts.
77  if (CBS_len(&child0) > 512 ||
78  CBS_len(&child1) > 512 ||
79  CBS_len(&child2) > 512) {
80  return 0;
81  }
82 
83  bssl::UniquePtr<BIGNUM> base(
84  BN_bin2bn(CBS_data(&child0), CBS_len(&child0), nullptr));
85  BN_set_negative(base.get(), sign % 2);
86  bssl::UniquePtr<BIGNUM> power(
87  BN_bin2bn(CBS_data(&child1), CBS_len(&child1), nullptr));
88  bssl::UniquePtr<BIGNUM> modulus(
89  BN_bin2bn(CBS_data(&child2), CBS_len(&child2), nullptr));
90 
91  if (BN_is_zero(modulus.get())) {
92  return 0;
93  }
94 
95  bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());
96  bssl::UniquePtr<BIGNUM> result(BN_new());
97  bssl::UniquePtr<BIGNUM> expected(BN_new());
98  CHECK(ctx);
99  CHECK(result);
100  CHECK(expected);
101 
102  CHECK(mod_exp(expected.get(), base.get(), power.get(), modulus.get(),
103  ctx.get()));
104  CHECK(BN_mod_exp(result.get(), base.get(), power.get(), modulus.get(),
105  ctx.get()));
106  CHECK(BN_cmp(result.get(), expected.get()) == 0);
107 
108  if (BN_is_odd(modulus.get())) {
109  bssl::UniquePtr<BN_MONT_CTX> mont(
110  BN_MONT_CTX_new_for_modulus(modulus.get(), ctx.get()));
111  CHECK(mont);
112  // |BN_mod_exp_mont| and |BN_mod_exp_mont_consttime| require reduced inputs.
113  CHECK(BN_nnmod(base.get(), base.get(), modulus.get(), ctx.get()));
114  CHECK(BN_mod_exp_mont(result.get(), base.get(), power.get(), modulus.get(),
115  ctx.get(), mont.get()));
116  CHECK(BN_cmp(result.get(), expected.get()) == 0);
117  CHECK(BN_mod_exp_mont_consttime(result.get(), base.get(), power.get(),
118  modulus.get(), ctx.get(), mont.get()));
119  CHECK(BN_cmp(result.get(), expected.get()) == 0);
120  }
121 
122  uint8_t *data = (uint8_t *)OPENSSL_malloc(BN_num_bytes(result.get()));
123  BN_bn2bin(result.get(), data);
124  OPENSSL_free(data);
125 
126  return 0;
127 }
_gevent_test_main.result
result
Definition: _gevent_test_main.py:96
bn.h
BN_rshift1
#define BN_rshift1
Definition: boringssl_prefix_symbols.h:988
cbs_st
Definition: bytestring.h:39
ctx
Definition: benchmark-async.c:30
BN_dup
#define BN_dup
Definition: boringssl_prefix_symbols.h:919
CBS_data
#define CBS_data
Definition: boringssl_prefix_symbols.h:1057
BN_bin2bn
#define BN_bin2bn
Definition: boringssl_prefix_symbols.h:900
BN_mod_exp
#define BN_mod_exp
Definition: boringssl_prefix_symbols.h:948
buf
voidpf void * buf
Definition: bloaty/third_party/zlib/contrib/minizip/ioapi.h:136
power
int power
Definition: abseil-cpp/absl/strings/internal/pow10_helper_test.cc:29
CBS_len
#define CBS_len
Definition: boringssl_prefix_symbols.h:1089
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
Definition: bn_mod_exp.cc:60
ctx
static struct test_ctx ctx
Definition: test-ipc-send-recv.c:65
a
int a
Definition: abseil-cpp/absl/container/internal/hash_policy_traits_test.cc:88
bignum_ctx
Definition: ctx.c:91
cbs
const CBS * cbs
Definition: third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h:107
xds_manager.p
p
Definition: xds_manager.py:60
BN_num_bytes
#define BN_num_bytes
Definition: boringssl_prefix_symbols.h:976
CBS_init
#define CBS_init
Definition: boringssl_prefix_symbols.h:1085
uint8_t
unsigned char uint8_t
Definition: stdint-msvc2008.h:78
BN_one
#define BN_one
Definition: boringssl_prefix_symbols.h:977
OPENSSL_malloc
#define OPENSSL_malloc
Definition: boringssl_prefix_symbols.h:1885
bytestring.h
BN_mod_exp_mont
#define BN_mod_exp_mont
Definition: boringssl_prefix_symbols.h:950
CBS_get_u8
#define CBS_get_u8
Definition: boringssl_prefix_symbols.h:1082
CHECK
#define CHECK(expr)
Definition: bn_mod_exp.cc:19
BN_is_odd
#define BN_is_odd
Definition: boringssl_prefix_symbols.h:934
BN_mul
#define BN_mul
Definition: boringssl_prefix_symbols.h:969
gen_synthetic_protos.base
base
Definition: gen_synthetic_protos.py:31
BN_is_zero
#define BN_is_zero
Definition: boringssl_prefix_symbols.h:940
data
char data[kBufferLength]
Definition: abseil-cpp/absl/strings/internal/str_format/float_conversion.cc:1006
BN_CTX_new
#define BN_CTX_new
Definition: boringssl_prefix_symbols.h:885
BN_bn2bin
#define BN_bn2bin
Definition: boringssl_prefix_symbols.h:901
BN_MONT_CTX_new_for_modulus
#define BN_MONT_CTX_new_for_modulus
Definition: boringssl_prefix_symbols.h:893
BN_zero
#define BN_zero
Definition: boringssl_prefix_symbols.h:1004
bignum_st
Definition: bn.h:957
BN_is_one
#define BN_is_one
Definition: boringssl_prefix_symbols.h:935
CBS_get_u16_length_prefixed
#define CBS_get_u16_length_prefixed
Definition: boringssl_prefix_symbols.h:1074
fix_build_deps.r
r
Definition: fix_build_deps.py:491
BN_cmp
#define BN_cmp
Definition: boringssl_prefix_symbols.h:912
BN_mod_exp_mont_consttime
#define BN_mod_exp_mont_consttime
Definition: boringssl_prefix_symbols.h:951
BN_nnmod
#define BN_nnmod
Definition: boringssl_prefix_symbols.h:972
mem.h
len
int len
Definition: abseil-cpp/absl/base/internal/low_level_alloc_test.cc:46
regress.m
m
Definition: regress/regress.py:25
OPENSSL_free
#define OPENSSL_free
Definition: boringssl_prefix_symbols.h:1869
BN_set_negative
#define BN_set_negative
Definition: boringssl_prefix_symbols.h:990
mod_exp
int mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx)
Definition: bn_mod_exp.cc:28
BN_new
#define BN_new
Definition: boringssl_prefix_symbols.h:971

grpc
Author(s):
autogenerated on Fri May 16 2025 02:57:49