author | David Benjamin <davidben@google.com> | 2017-11-16 21:18:08 +0800 |
committer | Adam Langley <agl@google.com> | 2017-11-20 18:32:30 +0000 |
commit | 0a5f00673656b1f8714f5ef275816e23fdf927f1 (patch) | |
tree | 1945f943e07a5233d3f6b4ad889ac67c66100d79 | |
parent | e7c95d91f8f42b0f17fb113e2204e2d9af4d2814 (diff) | |
Test that EC_POINT_mul works with the order.
|EC_POINT_mul| is almost exclusively used with reduced scalars, with
this exception. This comes from consumers following NIST SP 800-56A
section 5.6.2.3.2. (Though all our curves have cofactor one, so this
check isn't useful.)
Add a test for this so we don't accidentally break it.
Change-Id: I42492db38a1ea03acec4febdd7945c8a3933530a
Reviewed-on: https://boringssl-review.googlesource.com/23084
Reviewed-by: Adam Langley <agl@google.com>
-rw-r--r-- | crypto/fipsmodule/ec/ec_test.cc | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/crypto/fipsmodule/ec/ec_test.cc b/crypto/fipsmodule/ec/ec_test.cc
index 0ee7378..5e5ce94 100644
--- a/crypto/fipsmodule/ec/ec_test.cc
+++ b/crypto/fipsmodule/ec/ec_test.cc
@@ -407,6 +407,38 @@ TEST_P(ECCurveTest, MulZero) {
 << "p * 0 did not return point at infinity.";
 }
 
+// Test that multiplying by the order produces ∞ and, moreover, that callers may
+// do so. |EC_POINT_mul| is almost exclusively used with reduced scalars, with
+// this exception. This comes from consumers following NIST SP 800-56A section
+// 5.6.2.3.2. (Though all our curves have cofactor one, so this check isn't
+// useful.)
+TEST_P(ECCurveTest, MulOrder) {
+ bssl::UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(GetParam().nid));
+ ASSERT_TRUE(group);
+
+ // Test that g × order = ∞.
+ bssl::UniquePtr<EC_POINT> point(EC_POINT_new(group.get()));
+ ASSERT_TRUE(point);
+ ASSERT_TRUE(EC_POINT_mul(group.get(), point.get(),
+ EC_GROUP_get0_order(group.get()), nullptr, nullptr,
+ nullptr));
+
+ EXPECT_TRUE(EC_POINT_is_at_infinity(group.get(), point.get()))
+ << "g * order did not return point at infinity.";
+
+ // Test that p × order = ∞, for some arbitrary p.
+ bssl::UniquePtr<BIGNUM> forty_two(BN_new());
+ ASSERT_TRUE(forty_two);
+ ASSERT_TRUE(BN_set_word(forty_two.get(), 42));
+ ASSERT_TRUE(EC_POINT_mul(group.get(), point.get(), forty_two.get(), nullptr,
+ nullptr, nullptr));
+ ASSERT_TRUE(EC_POINT_mul(group.get(), point.get(), nullptr, point.get(),
+ EC_GROUP_get0_order(group.get()), nullptr));
+
+ EXPECT_TRUE(EC_POINT_is_at_infinity(group.get(), point.get()))
+ << "p * order did not return point at infinity.";
+}
+
 // Test that 10×∞ + G = G.
 TEST_P(ECCurveTest, Mul) {
 bssl::UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(GetParam().nid)); |
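Review bot: The second half of MulOrder, at `ASSERT_TRUE(EC_POINT_mul(group.get(), point.get(), nullptr, point.get(), EC_GROUP_get0_order(group.get()), nullptr));`, passes `point` as both the destination `r` and the input `q`, so the final EXPECT also depends on in-place aliasing being supported by `EC_POINT_mul`, which is a different property from the one the test name and header comment describe. If aliasing ever regressed, the failure would be reported as "p * order did not return point at infinity" and misread as an order-handling bug. Either compute into a fresh point, e.g. `bssl::UniquePtr<EC_POINT> result(EC_POINT_new(group.get())); ASSERT_TRUE(result);` and pass `result.get()` as the destination with `point.get()` as `q`, or add a one-line comment stating that r == q aliasing is exercised deliberately. The header comment could also say explicitly that the scalar is the unreduced order n itself, so a future change that reduces scalars modulo n before the multiply (turning n into 0) is understood to still have to pass this test.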