| /* BEGIN_HEADER */ |
| /* Dedicated test suite for mbedtls_mpi_core_random() and the upper-layer |
| * functions. Due to the complexity of how these functions are tested, |
| * we test all the layers in a single test suite, unlike the way other |
| * functions are tested with each layer in its own test suite. |
| * |
| * Test strategy |
| * ============= |
| * |
| * There are three main goals for testing random() functions: |
| * - Parameter validation. |
| * - Correctness of outputs (well-formed, in range). |
| * - Distribution of outputs. |
| * |
| * We test parameter validation in a standard way, with unit tests with |
| * positive and negative cases: |
| * - mbedtls_mpi_core_random(): negative cases for mpi_core_random_basic. |
| * - mbedtls_mpi_mod_raw_random(), mbedtls_mpi_mod_random(): negative |
| * cases for mpi_mod_random_validation. |
| * - mbedtls_mpi_random(): mpi_random_fail. |
| * |
| * We test the correctness of outputs in positive tests: |
| * - mbedtls_mpi_core_random(): positive cases for mpi_core_random_basic, |
| * and mpi_random_many. |
| * - mbedtls_mpi_mod_raw_random(), mbedtls_mpi_mod_random(): tested indirectly |
| * via mpi_mod_random_values. |
| * - mbedtls_mpi_random(): mpi_random_sizes, plus indirectly via |
| * mpi_random_values. |
| * |
| * We test the distribution of outputs only for mbedtls_mpi_core_random(), |
| * in mpi_random_many, which runs the function multiple times. This also |
| * helps in validating the output range, through test cases with a small |
| * range where any output out of range would be very likely to lead to a |
| * test failure. For the other functions, we validate the distribution |
| * indirectly by testing that these functions consume the random generator |
| * in the same way as mbedtls_mpi_core_random(). This is done in |
| * mpi_mod_random_values and mpi_legacy_random_values. |
| */ |
| |
| #include "mbedtls/bignum.h" |
| #include "mbedtls/entropy.h" |
| #include "bignum_core.h" |
| #include "bignum_mod_raw.h" |
| #include "constant_time_internal.h" |
| |
| /* This test suite only manipulates non-negative bignums. */ |
| static int sign_is_valid( const mbedtls_mpi *X ) |
| { |
| return( X->s == 1 ); |
| } |
| |
| /* A common initializer for test functions that should generate the same |
| * sequences for reproducibility and good coverage. */ |
| const mbedtls_test_rnd_pseudo_info rnd_pseudo_seed = { |
| /* 16-word key */ |
| {'T', 'h', 'i', 's', ' ', 'i', 's', ' ', |
| 'a', ' ', 's', 'e', 'e', 'd', '!', 0}, |
| /* 2-word initial state, should be zero */ |
| 0, 0}; |
| |
| /* Test whether bytes represents (in big-endian base 256) a number b that |
| * is significantly above a power of 2. That is, b must not have a long run |
| * of unset bits after the most significant bit. |
| * |
| * Let n be the bit-size of b, i.e. the integer such that 2^n <= b < 2^{n+1}. |
| * This function returns 1 if, when drawing a number between 0 and b, |
| * the probability that this number is at least 2^n is not negligible. |
| * This probability is (b - 2^n) / b and this function checks that this |
| * number is above some threshold A. The threshold value is heuristic and |
| * based on the needs of mpi_random_many(). |
| */ |
| static int is_significantly_above_a_power_of_2( data_t *bytes ) |
| { |
| const uint8_t *p = bytes->x; |
| size_t len = bytes->len; |
| unsigned x; |
| |
| /* Skip leading null bytes */ |
| while( len > 0 && p[0] == 0 ) |
| { |
| ++p; |
| --len; |
| } |
| /* 0 is not significantly above a power of 2 */ |
| if( len == 0 ) |
| return( 0 ); |
| /* Extract the (up to) 2 most significant bytes */ |
| if( len == 1 ) |
| x = p[0]; |
| else |
| x = ( p[0] << 8 ) | p[1]; |
| |
| /* Shift the most significant bit of x to position 8 and mask it out */ |
| while( ( x & 0xfe00 ) != 0 ) |
| x >>= 1; |
| x &= 0x00ff; |
| |
| /* At this point, x = floor((b - 2^n) / 2^(n-8)). b is significantly above |
| * a power of 2 iff x is significantly above 0 compared to 2^8. |
| * Testing x >= 2^4 amounts to picking A = 1/16 in the function |
| * description above. */ |
| return( x >= 0x10 ); |
| } |
| |
| /* END_HEADER */ |
| |
| /* BEGIN_DEPENDENCIES |
| * depends_on:MBEDTLS_BIGNUM_C |
| * END_DEPENDENCIES |
| */ |
| |
| /* BEGIN_CASE */ |
| void mpi_core_random_basic( int min, char *bound_bytes, int expected_ret ) |
| { |
| /* Same RNG as in mpi_random_values */ |
| mbedtls_test_rnd_pseudo_info rnd = rnd_pseudo_seed; |
| size_t limbs; |
| mbedtls_mpi_uint *lower_bound = NULL; |
| mbedtls_mpi_uint *upper_bound = NULL; |
| mbedtls_mpi_uint *result = NULL; |
| |
| TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &upper_bound, &limbs, |
| bound_bytes ) ); |
| ASSERT_ALLOC( lower_bound, limbs ); |
| lower_bound[0] = min; |
| ASSERT_ALLOC( result, limbs ); |
| |
| TEST_EQUAL( expected_ret, |
| mbedtls_mpi_core_random( result, min, upper_bound, limbs, |
| mbedtls_test_rnd_pseudo_rand, &rnd ) ); |
| |
| if( expected_ret == 0 ) |
| { |
| TEST_EQUAL( 0, mbedtls_mpi_core_lt_ct( result, lower_bound, limbs ) ); |
| TEST_EQUAL( 1, mbedtls_mpi_core_lt_ct( result, upper_bound, limbs ) ); |
| } |
| |
| exit: |
| mbedtls_free( lower_bound ); |
| mbedtls_free( upper_bound ); |
| mbedtls_free( result ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE */ |
| void mpi_legacy_random_values( int min, char *max_hex ) |
| { |
| /* Same RNG as in mpi_core_random_basic */ |
| mbedtls_test_rnd_pseudo_info rnd_core = rnd_pseudo_seed; |
| mbedtls_test_rnd_pseudo_info rnd_legacy; |
| memcpy( &rnd_legacy, &rnd_core, sizeof( rnd_core ) ); |
| mbedtls_mpi max_legacy; |
| mbedtls_mpi_init( &max_legacy ); |
| mbedtls_mpi_uint *R_core = NULL; |
| mbedtls_mpi R_legacy; |
| mbedtls_mpi_init( &R_legacy ); |
| |
| TEST_EQUAL( 0, mbedtls_test_read_mpi( &max_legacy, max_hex ) ); |
| size_t limbs = max_legacy.n; |
| ASSERT_ALLOC( R_core, limbs ); |
| |
| /* Call the legacy function and the core function with the same random |
| * stream. */ |
| int core_ret = mbedtls_mpi_core_random( R_core, min, max_legacy.p, limbs, |
| mbedtls_test_rnd_pseudo_rand, |
| &rnd_core ); |
| int legacy_ret = mbedtls_mpi_random( &R_legacy, min, &max_legacy, |
| mbedtls_test_rnd_pseudo_rand, |
| &rnd_legacy ); |
| |
| /* They must return the same status, and, on success, output the |
| * same number, with the same limb count. */ |
| TEST_EQUAL( core_ret, legacy_ret ); |
| if( core_ret == 0 ) |
| { |
| ASSERT_COMPARE( R_core, limbs * ciL, |
| R_legacy.p, R_legacy.n * ciL ); |
| } |
| |
| /* Also check that they have consumed the RNG in the same way. */ |
| /* This may theoretically fail on rare platforms with padding in |
| * the structure! If this is a problem in practice, change to a |
| * field-by-field comparison. */ |
| ASSERT_COMPARE( &rnd_core, sizeof( rnd_core ), |
| &rnd_legacy, sizeof( rnd_legacy ) ); |
| |
| exit: |
| mbedtls_mpi_free( &max_legacy ); |
| mbedtls_free( R_core ); |
| mbedtls_mpi_free( &R_legacy ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE */ |
| void mpi_mod_random_values( int min, char *max_hex, int rep ) |
| { |
| /* Same RNG as in mpi_core_random_basic */ |
| mbedtls_test_rnd_pseudo_info rnd_core = rnd_pseudo_seed; |
| mbedtls_test_rnd_pseudo_info rnd_mod_raw; |
| memcpy( &rnd_mod_raw, &rnd_core, sizeof( rnd_core ) ); |
| mbedtls_test_rnd_pseudo_info rnd_mod; |
| memcpy( &rnd_mod, &rnd_core, sizeof( rnd_core ) ); |
| mbedtls_mpi_uint *R_core = NULL; |
| mbedtls_mpi_uint *R_mod_raw = NULL; |
| mbedtls_mpi_uint *R_mod_digits = NULL; |
| mbedtls_mpi_mod_residue R_mod; |
| mbedtls_mpi_mod_modulus N; |
| mbedtls_mpi_mod_modulus_init( &N ); |
| |
| TEST_EQUAL( mbedtls_test_read_mpi_modulus( &N, max_hex, rep ), 0 ); |
| ASSERT_ALLOC( R_core, N.limbs ); |
| ASSERT_ALLOC( R_mod_raw, N.limbs ); |
| ASSERT_ALLOC( R_mod_digits, N.limbs ); |
| TEST_EQUAL( mbedtls_mpi_mod_residue_setup( &R_mod, &N, |
| R_mod_digits, N.limbs ), |
| 0 ); |
| |
| /* Call the core and mod random() functions with the same random stream. */ |
| int core_ret = mbedtls_mpi_core_random( R_core, |
| min, N.p, N.limbs, |
| mbedtls_test_rnd_pseudo_rand, |
| &rnd_core ); |
| int mod_raw_ret = mbedtls_mpi_mod_raw_random( R_mod_raw, |
| min, &N, |
| mbedtls_test_rnd_pseudo_rand, |
| &rnd_mod_raw ); |
| int mod_ret = mbedtls_mpi_mod_random( &R_mod, |
| min, &N, |
| mbedtls_test_rnd_pseudo_rand, |
| &rnd_mod ); |
| |
| /* They must return the same status, and, on success, output the |
| * same number, with the same limb count. */ |
| TEST_EQUAL( core_ret, mod_raw_ret ); |
| TEST_EQUAL( core_ret, mod_ret ); |
| if( core_ret == 0 ) |
| { |
| TEST_EQUAL( mbedtls_mpi_mod_raw_modulus_to_canonical_rep( R_mod_raw, &N ), |
| 0 ); |
| ASSERT_COMPARE( R_core, N.limbs * ciL, |
| R_mod_raw, N.limbs * ciL ); |
| TEST_EQUAL( mbedtls_mpi_mod_raw_modulus_to_canonical_rep( R_mod_digits, &N ), |
| 0 ); |
| ASSERT_COMPARE( R_core, N.limbs * ciL, |
| R_mod_digits, N.limbs * ciL ); |
| } |
| |
| /* Also check that they have consumed the RNG in the same way. */ |
| /* This may theoretically fail on rare platforms with padding in |
| * the structure! If this is a problem in practice, change to a |
| * field-by-field comparison. */ |
| ASSERT_COMPARE( &rnd_core, sizeof( rnd_core ), |
| &rnd_mod_raw, sizeof( rnd_mod_raw ) ); |
| ASSERT_COMPARE( &rnd_core, sizeof( rnd_core ), |
| &rnd_mod, sizeof( rnd_mod ) ); |
| |
| exit: |
| mbedtls_test_mpi_mod_modulus_free_with_limbs( &N ); |
| mbedtls_free( R_core ); |
| mbedtls_free( R_mod_raw ); |
| mbedtls_free( R_mod_digits ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE */ |
| void mpi_random_many( int min, char *bound_hex, int iterations ) |
| { |
| /* Generate numbers in the range 1..bound-1. Do it iterations times. |
| * This function assumes that the value of bound is at least 2 and |
| * that iterations is large enough that a one-in-2^iterations chance |
| * effectively never occurs. |
| */ |
| |
| data_t bound_bytes = {NULL, 0}; |
| mbedtls_mpi_uint *upper_bound = NULL; |
| size_t limbs; |
| size_t n_bits; |
| mbedtls_mpi_uint *result = NULL; |
| size_t b; |
| /* If upper_bound is small, stats[b] is the number of times the value b |
| * has been generated. Otherwise stats[b] is the number of times a |
| * value with bit b set has been generated. */ |
| size_t *stats = NULL; |
| size_t stats_len; |
| int full_stats; |
| size_t i; |
| |
| TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &upper_bound, &limbs, |
| bound_hex ) ); |
| ASSERT_ALLOC( result, limbs ); |
| |
| n_bits = mbedtls_mpi_core_bitlen( upper_bound, limbs ); |
| /* Consider a bound "small" if it's less than 2^5. This value is chosen |
| * to be small enough that the probability of missing one value is |
| * negligible given the number of iterations. It must be less than |
| * 256 because some of the code below assumes that "small" values |
| * fit in a byte. */ |
| if( n_bits <= 5 ) |
| { |
| full_stats = 1; |
| stats_len = (uint8_t) upper_bound[0]; |
| } |
| else |
| { |
| full_stats = 0; |
| stats_len = n_bits; |
| } |
| ASSERT_ALLOC( stats, stats_len ); |
| |
| for( i = 0; i < (size_t) iterations; i++ ) |
| { |
| mbedtls_test_set_step( i ); |
| TEST_EQUAL( 0, mbedtls_mpi_core_random( result, |
| min, upper_bound, limbs, |
| mbedtls_test_rnd_std_rand, NULL ) ); |
| |
| /* Temporarily use a legacy MPI for analysis, because the |
| * necessary auxiliary functions don't exist yet in core. */ |
| mbedtls_mpi B = {1, limbs, upper_bound}; |
| mbedtls_mpi R = {1, limbs, result}; |
| |
| TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R, &B ) < 0 ); |
| TEST_ASSERT( mbedtls_mpi_cmp_int( &R, min ) >= 0 ); |
| if( full_stats ) |
| { |
| uint8_t value; |
| TEST_EQUAL( 0, mbedtls_mpi_write_binary( &R, &value, 1 ) ); |
| TEST_ASSERT( value < stats_len ); |
| ++stats[value]; |
| } |
| else |
| { |
| for( b = 0; b < n_bits; b++ ) |
| stats[b] += mbedtls_mpi_get_bit( &R, b ); |
| } |
| } |
| |
| if( full_stats ) |
| { |
| for( b = min; b < stats_len; b++ ) |
| { |
| mbedtls_test_set_step( 1000000 + b ); |
| /* Assert that each value has been reached at least once. |
| * This is almost guaranteed if the iteration count is large |
| * enough. This is a very crude way of checking the distribution. |
| */ |
| TEST_ASSERT( stats[b] > 0 ); |
| } |
| } |
| else |
| { |
| bound_bytes.len = limbs * sizeof( mbedtls_mpi_uint ); |
| ASSERT_ALLOC( bound_bytes.x, bound_bytes.len ); |
| mbedtls_mpi_core_write_be( upper_bound, limbs, |
| bound_bytes.x, bound_bytes.len ); |
| int statistically_safe_all_the_way = |
| is_significantly_above_a_power_of_2( &bound_bytes ); |
| for( b = 0; b < n_bits; b++ ) |
| { |
| mbedtls_test_set_step( 1000000 + b ); |
| /* Assert that each bit has been set in at least one result and |
| * clear in at least one result. Provided that iterations is not |
| * too small, it would be extremely unlikely for this not to be |
| * the case if the results are uniformly distributed. |
| * |
| * As an exception, the top bit may legitimately never be set |
| * if bound is a power of 2 or only slightly above. |
| */ |
| if( statistically_safe_all_the_way || b != n_bits - 1 ) |
| { |
| TEST_ASSERT( stats[b] > 0 ); |
| } |
| TEST_ASSERT( stats[b] < (size_t) iterations ); |
| } |
| } |
| |
| exit: |
| mbedtls_free( bound_bytes.x ); |
| mbedtls_free( upper_bound ); |
| mbedtls_free( result ); |
| mbedtls_free( stats ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE */ |
| void mpi_random_sizes( int min, data_t *bound_bytes, int nlimbs, int before ) |
| { |
| mbedtls_mpi upper_bound; |
| mbedtls_mpi result; |
| |
| mbedtls_mpi_init( &upper_bound ); |
| mbedtls_mpi_init( &result ); |
| |
| if( before != 0 ) |
| { |
| /* Set result to sign(before) * 2^(|before|-1) */ |
| TEST_ASSERT( mbedtls_mpi_lset( &result, before > 0 ? 1 : -1 ) == 0 ); |
| if( before < 0 ) |
| before = - before; |
| TEST_ASSERT( mbedtls_mpi_shift_l( &result, before - 1 ) == 0 ); |
| } |
| |
| TEST_EQUAL( 0, mbedtls_mpi_grow( &result, nlimbs ) ); |
| TEST_EQUAL( 0, mbedtls_mpi_read_binary( &upper_bound, |
| bound_bytes->x, bound_bytes->len ) ); |
| TEST_EQUAL( 0, mbedtls_mpi_random( &result, min, &upper_bound, |
| mbedtls_test_rnd_std_rand, NULL ) ); |
| TEST_ASSERT( sign_is_valid( &result ) ); |
| TEST_ASSERT( mbedtls_mpi_cmp_mpi( &result, &upper_bound ) < 0 ); |
| TEST_ASSERT( mbedtls_mpi_cmp_int( &result, min ) >= 0 ); |
| |
| exit: |
| mbedtls_mpi_free( &upper_bound ); |
| mbedtls_mpi_free( &result ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE */ |
| void mpi_mod_random_validation( int min, char *bound_hex, |
| int result_limbs_delta, |
| int expected_ret ) |
| { |
| mbedtls_mpi_uint *result_digits = NULL; |
| mbedtls_mpi_mod_modulus N; |
| mbedtls_mpi_mod_modulus_init( &N ); |
| |
| TEST_EQUAL( mbedtls_test_read_mpi_modulus( &N, bound_hex, |
| MBEDTLS_MPI_MOD_REP_OPT_RED ), |
| 0 ); |
| size_t result_limbs = N.limbs + result_limbs_delta; |
| ASSERT_ALLOC( result_digits, result_limbs ); |
| /* Build a reside that might not match the modulus, to test that |
| * the library function rejects that as expected. */ |
| mbedtls_mpi_mod_residue result = {result_digits, result_limbs}; |
| |
| TEST_EQUAL( mbedtls_mpi_mod_random( &result, min, &N, |
| mbedtls_test_rnd_std_rand, NULL ), |
| expected_ret ); |
| if( expected_ret == 0 ) |
| { |
| /* Success should only be expected when the result has the same |
| * size as the modulus, otherwise it's a mistake in the test data. */ |
| TEST_EQUAL( result_limbs, N.limbs ); |
| /* Sanity check: check that the result is in range */ |
| TEST_EQUAL( mbedtls_mpi_core_lt_ct( result_digits, N.p, N.limbs ), |
| 1 ); |
| /* Check result >= min (changes result) */ |
| TEST_EQUAL( mbedtls_mpi_core_sub_int( result_digits, result_digits, min, |
| result_limbs ), |
| 0 ); |
| } |
| |
| /* When the result has the right number of limbs, also test mod_raw |
| * (for which this is an unchecked precondition). */ |
| if( result_limbs_delta == 0 ) |
| { |
| TEST_EQUAL( mbedtls_mpi_mod_raw_random( result_digits, min, &N, |
| mbedtls_test_rnd_std_rand, NULL ), |
| expected_ret ); |
| if( expected_ret == 0 ) |
| { |
| TEST_EQUAL( mbedtls_mpi_core_lt_ct( result_digits, N.p, N.limbs ), |
| 1 ); |
| TEST_EQUAL( mbedtls_mpi_core_sub_int( result_digits, result.p, min, |
| result_limbs ), |
| 0 ); |
| } |
| } |
| |
| exit: |
| mbedtls_test_mpi_mod_modulus_free_with_limbs( &N ); |
| mbedtls_free( result_digits ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE */ |
| void mpi_random_fail( int min, data_t *bound_bytes, int expected_ret ) |
| { |
| mbedtls_mpi upper_bound; |
| mbedtls_mpi result; |
| int actual_ret; |
| |
| mbedtls_mpi_init( &upper_bound ); |
| mbedtls_mpi_init( &result ); |
| |
| TEST_EQUAL( 0, mbedtls_mpi_read_binary( &upper_bound, |
| bound_bytes->x, bound_bytes->len ) ); |
| actual_ret = mbedtls_mpi_random( &result, min, &upper_bound, |
| mbedtls_test_rnd_std_rand, NULL ); |
| TEST_EQUAL( expected_ret, actual_ret ); |
| |
| exit: |
| mbedtls_mpi_free( &upper_bound ); |
| mbedtls_mpi_free( &result ); |
| } |
| /* END_CASE */ |