From 64ae838780259bfb447a4830816e95349ab26d13 Mon Sep 17 00:00:00 2001
From: dan pittman
Date: Mon, 23 Oct 2023 11:40:37 -0700
Subject: [PATCH] Add test coverage for consttime_x2 mod exp function

---
 crypto/fipsmodule/bn/bn_test.cc | 41 +++++++++++++++++++
 .../fipsmodule/bn/test/mod_exp_x2_tests.txt | 15 +++++++
 sources.cmake | 1 +
 3 files changed, 57 insertions(+)
 create mode 100644 crypto/fipsmodule/bn/test/mod_exp_x2_tests.txt

diff --git a/crypto/fipsmodule/bn/bn_test.cc b/crypto/fipsmodule/bn/bn_test.cc
index 51d46921ec..2f4c642ed1 100644
--- a/crypto/fipsmodule/bn/bn_test.cc
+++ b/crypto/fipsmodule/bn/bn_test.cc
@@ -831,6 +831,41 @@ static void TestModExp(BIGNUMFileTest *t, BN_CTX *ctx) {
   }
 }
 
+static void TestModExp2(BIGNUMFileTest *t, BN_CTX *ctx) {
+  bssl::UniquePtr a1 = t->GetBIGNUM("A1");
+  bssl::UniquePtr e1 = t->GetBIGNUM("E1");
+  bssl::UniquePtr m1 = t->GetBIGNUM("M1");
+  bssl::UniquePtr mod_exp1 = t->GetBIGNUM("ModExp1");
+  ASSERT_TRUE(a1);
+  ASSERT_TRUE(e1);
+  ASSERT_TRUE(m1);
+  ASSERT_TRUE(mod_exp1);
+
+  bssl::UniquePtr a2 = t->GetBIGNUM("A2");
+  bssl::UniquePtr e2 = t->GetBIGNUM("E2");
+  bssl::UniquePtr m2 = t->GetBIGNUM("M2");
+  bssl::UniquePtr mod_exp2 = t->GetBIGNUM("ModExp2");
+  ASSERT_TRUE(a2);
+  ASSERT_TRUE(e2);
+  ASSERT_TRUE(m2);
+  ASSERT_TRUE(mod_exp2);
+
+  bssl::UniquePtr ret1(BN_new());
+  ASSERT_TRUE(ret1);
+
+  bssl::UniquePtr ret2(BN_new());
+  ASSERT_TRUE(ret2);
+
+  ASSERT_TRUE(BN_mod_exp_mont_consttime_x2(ret1.get(), a1.get(), e1.get(), m1.get(), NULL,
+                                           ret2.get(), a2.get(), e2.get(), m2.get(), NULL,
+                                           ctx));
+
+  EXPECT_BIGNUMS_EQUAL("A1 ^ E1 (mod M1) (constant-time)", mod_exp1.get(),
+                       ret1.get());
+  EXPECT_BIGNUMS_EQUAL("A2 ^ E2 (mod M2) (constant-time)", mod_exp2.get(),
+                       ret2.get());
+}
+
 static void TestExp(BIGNUMFileTest *t, BN_CTX *ctx) {
   bssl::UniquePtr a = t->GetBIGNUM("A");
   bssl::UniquePtr e = t->GetBIGNUM("E");
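Review bot: TestModExp2 calls BN_mod_exp_mont_consttime_x2 with whatever M1 and M2 the vector file supplies, without first asserting that both moduli are odd; the Montgomery routines need an odd modulus, and if the x2 variant shares that precondition (it presumably does, given its name), an even modulus in a future vector would fail deep inside the routine rather than at the test boundary. Adding `ASSERT_TRUE(BN_is_odd(m1.get()));` and `ASSERT_TRUE(BN_is_odd(m2.get()));` after the input asserts makes the precondition explicit and the failure message clear. The two `NULL` arguments in the call should be `nullptr`, as is conventional in C++ test code. The `bssl::UniquePtr` declarations show no template argument on this page; if that is not a rendering artefact the hunk will not compile.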
@@ -1002,6 +1037,7 @@ static void RunBNFileTest(FileTest *t, BN_CTX *ctx) {
       {"ModMul", TestModMul},
       {"ModSquare", TestModSquare},
       {"ModExp", TestModExp},
+      {"ModExp2", TestModExp2},
       {"Exp", TestExp},
       {"ModSqrt", TestModSqrt},
       {"NotModSquare", TestNotModSquare},
@@ -1053,6 +1089,11 @@ TEST_F(BNTest, ModExpTestVectors) {
                 [&](FileTest *t) { RunBNFileTest(t, ctx()); });
 }
 
+TEST_F(BNTest, ModExp2TestVectors) {
+  FileTestGTest("crypto/fipsmodule/bn/test/mod_exp_x2_tests.txt",
+                [&](FileTest *t) { RunBNFileTest(t, ctx()); });
+}
+
 TEST_F(BNTest, ModInvTestVectors) {
   FileTestGTest("crypto/fipsmodule/bn/test/mod_inv_tests.txt",
                 [&](FileTest *t) { RunBNFileTest(t, ctx()); });
diff --git a/crypto/fipsmodule/bn/test/mod_exp_x2_tests.txt b/crypto/fipsmodule/bn/test/mod_exp_x2_tests.txt
new file mode 100644
index 0000000000..1a97cd013f
--- /dev/null
+++ b/crypto/fipsmodule/bn/test/mod_exp_x2_tests.txt
@@ -0,0 +1,15 @@
+# ModExp2 tests.
+
+# This blends two different scenarios drawn from the mod_exp_tests,
+# under the heading "RSAZ 512-Bit".
+
+# Control: No relationship between A and M except that A < M and they're the same number of limbs.
+ModExp2 = 7f34c1cd63377bc3abf2bb5b2d1bf5f06454e1e8040fe19a72245ce9731cbee1bf9e84532300776c8021ed4f3a8de508d85b4cf320bd82065a013754857b50c4
+A2 = 8e4e67da6ff890643d0599387955996ef6f0c2045eb9944576ddb965ca64cdb6247727ce128ef178d4a84e5a56d2e67eb0fe389ecbf691f9244ae80f4c11b364
+E2 = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1
+M2 = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491
+# A == M - 1 == -1 (mod M) and the exponent is odd so A ^ E (mod M) == A.
+ModExp1 = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725490
+A1 = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725490
+E1 = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1
+M1 = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491
diff --git a/sources.cmake b/sources.cmake
index ef4b4dceb0..3e58017191 100644
--- a/sources.cmake
+++ b/sources.cmake
@@ -60,6 +60,7 @@ set(
   crypto/fipsmodule/bn/test/gcd_tests.txt
   crypto/fipsmodule/bn/test/miller_rabin_tests.txt
   crypto/fipsmodule/bn/test/mod_exp_tests.txt
+  crypto/fipsmodule/bn/test/mod_exp_x2_tests.txt
   crypto/fipsmodule/bn/test/mod_inv_tests.txt
   crypto/fipsmodule/bn/test/mod_mul_tests.txt
   crypto/fipsmodule/bn/test/mod_sqrt_tests.txt
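Review bot: In this single vector M1 and M2 are the same value and E1 equals E2, so the two lanes of BN_mod_exp_mont_consttime_x2 differ only in their base; a pair with distinct moduli (and distinct exponents) would check that the lanes keep separate Montgomery parameters rather than sharing them. The header comment says both cases come from the "RSAZ 512-Bit" section of mod_exp_tests, so only one operand width is exercised; if the routine accepts other widths, or is expected to fall back for them, a second vector at another width (a 1024-bit pair, say) would cover that path. The `# Control:` comment would be clearer if it also stated that M2 is deliberately identical to M1 here, since a reader comparing the two blocks otherwise has to spot that by eye.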