]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/bntest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Enable openssl req -x509 to create certificates from CSRs
[thirdparty/openssl.git] / test / bntest.c
CommitLineData
440e5d80 1/*
38fc02a7 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
d02b48c6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
440e5d80
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
d02b48c6 8 */
8d1ebff4
RS		 9#include <assert.h>
10#include <errno.h>
d02b48c6 11#include <stdio.h>
d02b48c6 12#include <string.h>
08073700
RB		 13#ifdef __TANDEM
14# include <strings.h> /* strcasecmp */
15#endif
8d1ebff4 16#include <ctype.h>
17e3dd1c 17
ec577822 18#include <openssl/bn.h>
8d1ebff4 19#include <openssl/crypto.h>
ec577822 20#include <openssl/err.h>
8d1ebff4 21#include <openssl/rand.h>
2b1aa198
RL		 22#include "internal/nelem.h"
23#include "internal/numbers.h"
8d1ebff4 24#include "testutil.h"
d02b48c6 25
2b1aa198
RL		 26#ifdef OPENSSL_SYS_WINDOWS
27# define strcasecmp _stricmp
28#endif
8927c278 29
8d1ebff4 30/*
fd009d76 31 * Things in boring, not in openssl.
8d1ebff4 32 */
8d1ebff4 33#define HAVE_BN_SQRT 0
0f113f3e 34
8d1ebff4
RS		 35typedef struct filetest_st {
36 const char *name;
37 int (*func)(STANZA *s);
38} FILETEST;
0f113f3e 39
8d1ebff4
RS		 40typedef struct mpitest_st {
41 const char *base10;
42 const char *mpi;
43 size_t mpi_len;
44} MPITEST;
0f113f3e 45
8d1ebff4
RS		 46static const int NUM0 = 100; /* number of tests */
47static const int NUM1 = 50; /* additional tests for some functions */
8d1ebff4 48static BN_CTX *ctx;
0f113f3e 49
30bea14b
RS		 50/*
51 * Polynomial coefficients used in GFM tests.
52 */
ed5c7ea2 53#ifndef OPENSSL_NO_EC2M
30bea14b
RS		 54static int p0[] = { 163, 7, 6, 3, 0, -1 };
55static int p1[] = { 193, 15, 0, -1 };
ed5c7ea2 56#endif
0f113f3e 57
8d1ebff4
RS		 58/*
59 * Look for |key| in the stanza and return it or NULL if not found.
60 */
61static const char *findattr(STANZA *s, const char *key)
62{
63 int i = s->numpairs;
64 PAIR *pp = s->pairs;
0f113f3e 65
8d1ebff4
RS		 66 for ( ; --i >= 0; pp++)
67 if (strcasecmp(pp->key, key) == 0)
68 return pp->value;
69 return NULL;
70}
0f113f3e 71
4483fbae
F		 72/*
73 * Parse BIGNUM from sparse hex-strings, return |BN_hex2bn| result.
74 */
75static int parse_bigBN(BIGNUM **out, const char *bn_strings[])
76{
77 char *bigstring = glue_strings(bn_strings, NULL);
78 int ret = BN_hex2bn(out, bigstring);
79
80 OPENSSL_free(bigstring);
81 return ret;
82}
83
8d1ebff4
RS		 84/*
85 * Parse BIGNUM, return number of bytes parsed.
86 */
87static int parseBN(BIGNUM **out, const char *in)
88{
89 *out = NULL;
90 return BN_hex2bn(out, in);
91}
0f113f3e 92
8d1ebff4
RS		 93static int parsedecBN(BIGNUM **out, const char *in)
94{
95 *out = NULL;
96 return BN_dec2bn(out, in);
97}
96a4c31b 98
8d1ebff4
RS		 99static BIGNUM *getBN(STANZA *s, const char *attribute)
100{
101 const char *hex;
102 BIGNUM *ret = NULL;
8ff70f33 103
8d1ebff4 104 if ((hex = findattr(s, attribute)) == NULL) {
ae269dd8 105 TEST_error("%s:%d: Can't find %s", s->test_file, s->start, attribute);
8d1ebff4
RS		 106 return NULL;
107 }
0f113f3e 108
8d1ebff4 109 if (parseBN(&ret, hex) != (int)strlen(hex)) {
30bea14b 110 TEST_error("Could not decode '%s'", hex);
8d1ebff4
RS		 111 return NULL;
112 }
113 return ret;
114}
0f113f3e 115
8d1ebff4
RS		 116static int getint(STANZA *s, int *out, const char *attribute)
117{
30bea14b 118 BIGNUM *ret;
8d1ebff4
RS		 119 BN_ULONG word;
120 int st = 0;
0f113f3e 121
30bea14b
RS		 122 if (!TEST_ptr(ret = getBN(s, attribute))
123 || !TEST_ulong_le(word = BN_get_word(ret), INT_MAX))
0f113f3e 124 goto err;
0f113f3e 125
8d1ebff4
RS		 126 *out = (int)word;
127 st = 1;
fe16ae5f 128 err:
8d1ebff4
RS		 129 BN_free(ret);
130 return st;
131}
0f113f3e 132
8d1ebff4
RS		 133static int equalBN(const char *op, const BIGNUM *expected, const BIGNUM *actual)
134{
8d1ebff4
RS		 135 if (BN_cmp(expected, actual) == 0)
136 return 1;
0f113f3e 137
dc352c19
P		 138 TEST_error("unexpected %s value", op);
139 TEST_BN_eq(expected, actual);
8d1ebff4 140 return 0;
0f113f3e 141}
d02b48c6 142
8d1ebff4
RS		 143/*
144 * Return a "random" flag for if a BN should be negated.
145 */
146static int rand_neg(void)
147{
148 static unsigned int neg = 0;
149 static int sign[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
0f113f3e 150
8d1ebff4 151 return sign[(neg++) % 8];
0f113f3e 152}
d02b48c6 153
9e5b50b5
BB		 154static int test_swap(void)
155{
156 BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL;
157 int top, cond, st = 0;
158
159 if (!TEST_ptr(a = BN_new())
160 || !TEST_ptr(b = BN_new())
161 || !TEST_ptr(c = BN_new())
162 || !TEST_ptr(d = BN_new()))
163 goto err;
164
e2f50811
SL		 165 if (!(TEST_true(BN_bntest_rand(a, 1024, 1, 0))
166 && TEST_true(BN_bntest_rand(b, 1024, 1, 0))
167 && TEST_ptr(BN_copy(c, a))
168 && TEST_ptr(BN_copy(d, b))))
169 goto err;
fe16ae5f 170 top = BN_num_bits(a) / BN_BITS2;
9e5b50b5
BB		 171
172 /* regular swap */
173 BN_swap(a, b);
174 if (!equalBN("swap", a, d)
175 || !equalBN("swap", b, c))
176 goto err;
177
178 /* conditional swap: true */
179 cond = 1;
180 BN_consttime_swap(cond, a, b, top);
181 if (!equalBN("cswap true", a, c)
182 || !equalBN("cswap true", b, d))
183 goto err;
184
185 /* conditional swap: false */
186 cond = 0;
187 BN_consttime_swap(cond, a, b, top);
188 if (!equalBN("cswap false", a, c)
189 || !equalBN("cswap false", b, d))
190 goto err;
191
192 /* same tests but checking flag swap */
193 BN_set_flags(a, BN_FLG_CONSTTIME);
194
195 BN_swap(a, b);
196 if (!equalBN("swap, flags", a, d)
197 || !equalBN("swap, flags", b, c)
198 || !TEST_true(BN_get_flags(b, BN_FLG_CONSTTIME))
199 || !TEST_false(BN_get_flags(a, BN_FLG_CONSTTIME)))
200 goto err;
201
202 cond = 1;
203 BN_consttime_swap(cond, a, b, top);
204 if (!equalBN("cswap true, flags", a, c)
205 || !equalBN("cswap true, flags", b, d)
206 || !TEST_true(BN_get_flags(a, BN_FLG_CONSTTIME))
207 || !TEST_false(BN_get_flags(b, BN_FLG_CONSTTIME)))
208 goto err;
209
210 cond = 0;
211 BN_consttime_swap(cond, a, b, top);
212 if (!equalBN("cswap false, flags", a, c)
213 || !equalBN("cswap false, flags", b, d)
214 || !TEST_true(BN_get_flags(a, BN_FLG_CONSTTIME))
215 || !TEST_false(BN_get_flags(b, BN_FLG_CONSTTIME)))
216 goto err;
217
218 st = 1;
219 err:
220 BN_free(a);
221 BN_free(b);
222 BN_free(c);
223 BN_free(d);
224 return st;
225}
226
31a80694 227static int test_sub(void)
0f113f3e 228{
30bea14b
RS		 229 BIGNUM *a = NULL, *b = NULL, *c = NULL;
230 int i, st = 0;
0f113f3e 231
30bea14b
RS		 232 if (!TEST_ptr(a = BN_new())
233 || !TEST_ptr(b = BN_new())
234 || !TEST_ptr(c = BN_new()))
235 goto err;
0f113f3e 236
8d1ebff4
RS		 237 for (i = 0; i < NUM0 + NUM1; i++) {
238 if (i < NUM1) {
e2f50811
SL		 239 if (!(TEST_true(BN_bntest_rand(a, 512, 0, 0)))
240 && TEST_ptr(BN_copy(b, a))
241 && TEST_int_ne(BN_set_bit(a, i), 0)
242 && TEST_true(BN_add_word(b, i)))
30bea14b 243 goto err;
0f113f3e 244 } else {
e2f50811
SL		 245 if (!TEST_true(BN_bntest_rand(b, 400 + i - NUM1, 0, 0)))
246 goto err;
2b1aa198
RL		 247 BN_set_negative(a, rand_neg());
248 BN_set_negative(b, rand_neg());
0f113f3e 249 }
e2f50811
SL		 250 if (!(TEST_true(BN_sub(c, a, b))
251 && TEST_true(BN_add(c, c, b))
252 && TEST_true(BN_sub(c, c, a))
253 && TEST_BN_eq_zero(c)))
30bea14b 254 goto err;
0f113f3e 255 }
30bea14b 256 st = 1;
fe16ae5f 257 err:
0f113f3e
MC		 258 BN_free(a);
259 BN_free(b);
260 BN_free(c);
30bea14b 261 return st;
0f113f3e 262}
8169dd73 263
31a80694 264static int test_div_recip(void)
0f113f3e 265{
30bea14b
RS		 266 BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL;
267 BN_RECP_CTX *recp = NULL;
268 int st = 0, i;
0f113f3e 269
30bea14b
RS		 270 if (!TEST_ptr(a = BN_new())
271 || !TEST_ptr(b = BN_new())
272 || !TEST_ptr(c = BN_new())
273 || !TEST_ptr(d = BN_new())
274 || !TEST_ptr(e = BN_new())
275 || !TEST_ptr(recp = BN_RECP_CTX_new()))
276 goto err;
0f113f3e 277
8d1ebff4
RS		 278 for (i = 0; i < NUM0 + NUM1; i++) {
279 if (i < NUM1) {
e2f50811
SL		 280 if (!(TEST_true(BN_bntest_rand(a, 400, 0, 0))
281 && TEST_ptr(BN_copy(b, a))
282 && TEST_true(BN_lshift(a, a, i))
283 && TEST_true(BN_add_word(a, i))))
284 goto err;
285 } else {
286 if (!(TEST_true(BN_bntest_rand(b, 50 + 3 * (i - NUM1), 0, 0))))
287 goto err;
288 }
2b1aa198
RL		 289 BN_set_negative(a, rand_neg());
290 BN_set_negative(b, rand_neg());
e2f50811
SL		 291 if (!(TEST_true(BN_RECP_CTX_set(recp, b, ctx))
292 && TEST_true(BN_div_recp(d, c, a, recp, ctx))
293 && TEST_true(BN_mul(e, d, b, ctx))
294 && TEST_true(BN_add(d, e, c))
295 && TEST_true(BN_sub(d, d, a))
296 && TEST_BN_eq_zero(d)))
30bea14b 297 goto err;
0f113f3e 298 }
30bea14b 299 st = 1;
fe16ae5f 300 err:
0f113f3e
MC		 301 BN_free(a);
302 BN_free(b);
303 BN_free(c);
304 BN_free(d);
305 BN_free(e);
306 BN_RECP_CTX_free(recp);
30bea14b 307 return st;
0f113f3e 308}
d02b48c6 309
105c8315
P		 310static struct {
311 int n, divisor, result, remainder;
312} signed_mod_tests[] = {
313 { 10, 3, 3, 1 },
314 { -10, 3, -3, -1 },
315 { 10, -3, -3, 1 },
316 { -10, -3, 3, -1 },
317};
318
319static BIGNUM *set_signed_bn(int value)
320{
321 BIGNUM *bn = BN_new();
322
323 if (bn == NULL)
324 return NULL;
325 if (!BN_set_word(bn, value < 0 ? -value : value)) {
326 BN_free(bn);
327 return NULL;
328 }
329 BN_set_negative(bn, value < 0);
330 return bn;
331}
332
333static int test_signed_mod_replace_ab(int n)
334{
335 BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL;
336 int st = 0;
337
338 if (!TEST_ptr(a = set_signed_bn(signed_mod_tests[n].n))
339 || !TEST_ptr(b = set_signed_bn(signed_mod_tests[n].divisor))
340 || !TEST_ptr(c = set_signed_bn(signed_mod_tests[n].result))
341 || !TEST_ptr(d = set_signed_bn(signed_mod_tests[n].remainder)))
342 goto err;
343
344 if (TEST_true(BN_div(a, b, a, b, ctx))
345 && TEST_BN_eq(a, c)
346 && TEST_BN_eq(b, d))
347 st = 1;
348 err:
349 BN_free(a);
350 BN_free(b);
351 BN_free(c);
352 BN_free(d);
353 return st;
354}
355
356static int test_signed_mod_replace_ba(int n)
357{
358 BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL;
359 int st = 0;
360
361 if (!TEST_ptr(a = set_signed_bn(signed_mod_tests[n].n))
362 || !TEST_ptr(b = set_signed_bn(signed_mod_tests[n].divisor))
363 || !TEST_ptr(c = set_signed_bn(signed_mod_tests[n].result))
364 || !TEST_ptr(d = set_signed_bn(signed_mod_tests[n].remainder)))
365 goto err;
366
367 if (TEST_true(BN_div(b, a, a, b, ctx))
368 && TEST_BN_eq(b, c)
369 && TEST_BN_eq(a, d))
370 st = 1;
371 err:
372 BN_free(a);
373 BN_free(b);
374 BN_free(c);
375 BN_free(d);
376 return st;
377}
378
31a80694 379static int test_mod(void)
0f113f3e 380{
30bea14b
RS		 381 BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL;
382 int st = 0, i;
0f113f3e 383
30bea14b
RS		 384 if (!TEST_ptr(a = BN_new())
385 || !TEST_ptr(b = BN_new())
386 || !TEST_ptr(c = BN_new())
387 || !TEST_ptr(d = BN_new())
388 || !TEST_ptr(e = BN_new()))
389 goto err;
0f113f3e 390
e2f50811
SL		 391 if (!(TEST_true(BN_bntest_rand(a, 1024, 0, 0))))
392 goto err;
8d1ebff4 393 for (i = 0; i < NUM0; i++) {
e2f50811
SL		 394 if (!(TEST_true(BN_bntest_rand(b, 450 + i * 10, 0, 0))))
395 goto err;
2b1aa198
RL		 396 BN_set_negative(a, rand_neg());
397 BN_set_negative(b, rand_neg());
e2f50811
SL		 398 if (!(TEST_true(BN_mod(c, a, b, ctx))
399 && TEST_true(BN_div(d, e, a, b, ctx))
105c8315
P		 400 && TEST_BN_eq(e, c)
401 && TEST_true(BN_mul(c, d, b, ctx))
402 && TEST_true(BN_add(d, c, e))
403 && TEST_BN_eq(d, a)))
30bea14b 404 goto err;
0f113f3e 405 }
30bea14b 406 st = 1;
fe16ae5f 407 err:
0f113f3e
MC		 408 BN_free(a);
409 BN_free(b);
410 BN_free(c);
411 BN_free(d);
412 BN_free(e);
30bea14b 413 return st;
0f113f3e 414}
d02b48c6 415
26a39fa9
RS		 416static const char *bn1strings[] = {
417 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
418 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
419 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
420 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
421 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
422 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
423 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
424 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000000000FFFFFFFF00",
425 "0000000000000000000000000000000000000000000000000000000000000000",
426 "0000000000000000000000000000000000000000000000000000000000000000",
427 "0000000000000000000000000000000000000000000000000000000000000000",
428 "0000000000000000000000000000000000000000000000000000000000000000",
429 "0000000000000000000000000000000000000000000000000000000000000000",
430 "0000000000000000000000000000000000000000000000000000000000000000",
431 "0000000000000000000000000000000000000000000000000000000000000000",
432 "00000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF",
433 NULL
434};
435
436static const char *bn2strings[] = {
437 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
438 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
439 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
440 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
441 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
442 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
443 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
444 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000000000FFFFFFFF0000000000",
445 "0000000000000000000000000000000000000000000000000000000000000000",
446 "0000000000000000000000000000000000000000000000000000000000000000",
447 "0000000000000000000000000000000000000000000000000000000000000000",
448 "0000000000000000000000000000000000000000000000000000000000000000",
449 "0000000000000000000000000000000000000000000000000000000000000000",
450 "0000000000000000000000000000000000000000000000000000000000000000",
451 "0000000000000000000000000000000000000000000000000000000000000000",
452 "000000000000000000000000000000000000000000FFFFFFFFFFFFFF00000000",
453 NULL
454};
455
8d1ebff4
RS		 456/*
457 * Test constant-time modular exponentiation with 1024-bit inputs, which on
458 * x86_64 cause a different code branch to be taken.
459 */
31a80694 460static int test_modexp_mont5(void)
0f113f3e 461{
30bea14b
RS		 462 BIGNUM *a = NULL, *p = NULL, *m = NULL, *d = NULL, *e = NULL;
463 BIGNUM *b = NULL, *n = NULL, *c = NULL;
464 BN_MONT_CTX *mont = NULL;
30bea14b 465 int st = 0;
0f113f3e 466
30bea14b
RS		 467 if (!TEST_ptr(a = BN_new())
468 || !TEST_ptr(p = BN_new())
469 || !TEST_ptr(m = BN_new())
470 || !TEST_ptr(d = BN_new())
471 || !TEST_ptr(e = BN_new())
472 || !TEST_ptr(b = BN_new())
473 || !TEST_ptr(n = BN_new())
474 || !TEST_ptr(c = BN_new())
475 || !TEST_ptr(mont = BN_MONT_CTX_new()))
476 goto err;
0f113f3e 477
e2f50811
SL		 478 /* must be odd for montgomery */
479 if (!(TEST_true(BN_bntest_rand(m, 1024, 0, 1))
480 /* Zero exponent */
481 && TEST_true(BN_bntest_rand(a, 1024, 0, 0))))
482 goto err;
8d1ebff4 483 BN_zero(p);
e2f50811 484
30bea14b
RS		 485 if (!TEST_true(BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL)))
486 goto err;
dc352c19 487 if (!TEST_BN_eq_one(d))
30bea14b 488 goto err;
0f113f3e 489
8d1ebff4 490 /* Regression test for carry bug in mulx4x_mont */
e2f50811 491 if (!(TEST_true(BN_hex2bn(&a,
8d1ebff4
RS		 492 "7878787878787878787878787878787878787878787878787878787878787878"
493 "7878787878787878787878787878787878787878787878787878787878787878"
494 "7878787878787878787878787878787878787878787878787878787878787878"
e2f50811
SL		 495 "7878787878787878787878787878787878787878787878787878787878787878"))
496 && TEST_true(BN_hex2bn(&b,
8d1ebff4
RS		 497 "095D72C08C097BA488C5E439C655A192EAFB6380073D8C2664668EDDB4060744"
498 "E16E57FB4EDB9AE10A0CEFCDC28A894F689A128379DB279D48A2E20849D68593"
499 "9B7803BCF46CEBF5C533FB0DD35B080593DE5472E3FE5DB951B8BFF9B4CB8F03"
e2f50811
SL		 500 "9CC638A5EE8CDD703719F8000E6A9F63BEED5F2FCD52FF293EA05A251BB4AB81"))
501 && TEST_true(BN_hex2bn(&n,
8d1ebff4
RS		 502 "D78AF684E71DB0C39CFF4E64FB9DB567132CB9C50CC98009FEB820B26F2DED9B"
503 "91B9B5E2B83AE0AE4EB4E0523CA726BFBE969B89FD754F674CE99118C3F2D1C5"
504 "D81FDC7C54E02B60262B241D53C040E99E45826ECA37A804668E690E1AFC1CA4"
e2f50811
SL		 505 "2C9A15D84D4954425F0B7642FC0BD9D7B24E2618D2DCC9B729D944BADACFDDAF"))))
506 goto err;
507
508 if (!(TEST_true(BN_MONT_CTX_set(mont, n, ctx))
509 && TEST_true(BN_mod_mul_montgomery(c, a, b, mont, ctx))
510 && TEST_true(BN_mod_mul_montgomery(d, b, a, mont, ctx))
511 && TEST_BN_eq(c, d)))
30bea14b 512 goto err;
0f113f3e 513
3e7a4963 514 /* Regression test for carry bug in sqr[x]8x_mont */
e2f50811
SL		 515 if (!(TEST_true(parse_bigBN(&n, bn1strings))
516 && TEST_true(parse_bigBN(&a, bn2strings))))
517 goto err;
26a39fa9 518 BN_free(b);
e2f50811
SL		 519 if (!(TEST_ptr(b = BN_dup(a))
520 && TEST_true(BN_MONT_CTX_set(mont, n, ctx))
521 && TEST_true(BN_mod_mul_montgomery(c, a, a, mont, ctx))
522 && TEST_true(BN_mod_mul_montgomery(d, a, b, mont, ctx))
523 && TEST_BN_eq(c, d)))
30bea14b 524 goto err;
3e7a4963 525
420b88ce
AP		 526 /* Regression test for carry bug in bn_sqrx8x_internal */
527 {
528 static const char *ahex[] = {
529 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
530 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
531 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
532 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
533 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8FFEADBCFC4DAE7FFF908E92820306B",
534 "9544D954000000006C0000000000000000000000000000000000000000000000",
535 "00000000000000000000FF030202FFFFF8FFEBDBCFC4DAE7FFF908E92820306B",
536 "9544D954000000006C000000FF0302030000000000FFFFFFFFFFFFFFFFFFFFFF",
537 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF01FC00FF02FFFFFFFF",
538 "00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00FCFD",
539 "FCFFFFFFFFFF000000000000000000FF0302030000000000FFFFFFFFFFFFFFFF",
540 "FF00FCFDFDFF030202FF00000000FFFFFFFFFFFFFFFFFF00FCFDFCFFFFFFFFFF",
541 NULL
4483fbae 542 };
420b88ce
AP		 543 static const char *nhex[] = {
544 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
545 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
546 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
547 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
548 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8F8F8F8000000",
549 "00000010000000006C0000000000000000000000000000000000000000000000",
550 "00000000000000000000000000000000000000FFFFFFFFFFFFF8F8F8F8000000",
551 "00000010000000006C000000000000000000000000FFFFFFFFFFFFFFFFFFFFFF",
552 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
553 "00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
554 "FFFFFFFFFFFF000000000000000000000000000000000000FFFFFFFFFFFFFFFF",
555 "FFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
556 NULL
4483fbae
F		 557 };
558
e2f50811
SL		 559 if (!(TEST_true(parse_bigBN(&a, ahex))
560 && TEST_true(parse_bigBN(&n, nhex))))
561 goto err;
420b88ce
AP		 562 }
563 BN_free(b);
e2f50811
SL		 564 if (!(TEST_ptr(b = BN_dup(a))
565 && TEST_true(BN_MONT_CTX_set(mont, n, ctx))))
566 goto err;
567
f91e026e
BE		 568 if (!TEST_true(BN_mod_mul_montgomery(c, a, a, mont, ctx))
569 || !TEST_true(BN_mod_mul_montgomery(d, a, b, mont, ctx))
570 || !TEST_BN_eq(c, d))
571 goto err;
572
573 /* Regression test for bug in BN_from_montgomery_word */
e2f50811 574 if (!(TEST_true(BN_hex2bn(&a,
f91e026e
BE		 575 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
576 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
e2f50811
SL		 577 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
578 && TEST_true(BN_hex2bn(&n,
f91e026e 579 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
e2f50811
SL		 580 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
581 && TEST_true(BN_MONT_CTX_set(mont, n, ctx))
582 && TEST_false(BN_mod_mul_montgomery(d, a, a, mont, ctx))))
420b88ce
AP		 583 goto err;
584
77d75993 585 /* Regression test for bug in rsaz_1024_mul_avx2 */
e2f50811 586 if (!(TEST_true(BN_hex2bn(&a,
77d75993
AP		 587 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
588 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
589 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
e2f50811
SL		 590 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2020202020DF"))
591 && TEST_true(BN_hex2bn(&b,
77d75993
AP		 592 "2020202020202020202020202020202020202020202020202020202020202020"
593 "2020202020202020202020202020202020202020202020202020202020202020"
594 "20202020202020FF202020202020202020202020202020202020202020202020"
e2f50811
SL		 595 "2020202020202020202020202020202020202020202020202020202020202020"))
596 && TEST_true(BN_hex2bn(&n,
77d75993
AP		 597 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
598 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
599 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
e2f50811
SL		 600 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2020202020FF"))
601 && TEST_true(BN_MONT_CTX_set(mont, n, ctx))
602 && TEST_true(BN_mod_exp_mont_consttime(c, a, b, n, ctx, mont))
603 && TEST_true(BN_mod_exp_mont(d, a, b, n, ctx, mont))
604 && TEST_BN_eq(c, d)))
77d75993
AP		 605 goto err;
606
3afd537a
DB		 607 /*
608 * rsaz_1024_mul_avx2 expects fully-reduced inputs.
609 * BN_mod_exp_mont_consttime should reduce the input first.
610 */
e2f50811 611 if (!(TEST_true(BN_hex2bn(&a,
3afd537a
DB		 612 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
613 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
614 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
e2f50811
SL		 615 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2020202020DF"))
616 && TEST_true(BN_hex2bn(&b,
3afd537a
DB		 617 "1FA53F26F8811C58BE0357897AA5E165693230BC9DF5F01DFA6A2D59229EC69D"
618 "9DE6A89C36E3B6957B22D6FAAD5A3C73AE587B710DBE92E83D3A9A3339A085CB"
619 "B58F508CA4F837924BB52CC1698B7FDC2FD74362456A595A5B58E38E38E38E38"
e2f50811
SL		 620 "E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E"))
621 && TEST_true(BN_hex2bn(&n,
3afd537a
DB		 622 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
623 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
624 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
e2f50811
SL		 625 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2020202020DF"))
626 && TEST_true(BN_MONT_CTX_set(mont, n, ctx))
627 && TEST_true(BN_mod_exp_mont_consttime(c, a, b, n, ctx, mont))))
628 goto err;
3afd537a
DB		 629 BN_zero(d);
630 if (!TEST_BN_eq(c, d))
631 goto err;
632
336923c0
BE		 633 /*
634 * Regression test for overflow bug in bn_sqr_comba4/8 for
635 * mips-linux-gnu and mipsel-linux-gnu 32bit targets.
636 */
637 {
638 static const char *ehex[] = {
639 "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee",
640 "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5",
641 "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a",
642 "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985",
643 "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1",
644 "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680",
645 "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e",
646 "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465",
647 NULL};
648 static const char *phex[] = {
649 "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241",
650 "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31",
651 "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053",
652 "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439",
653 "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5",
654 "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813",
655 "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4",
656 "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5",
657 NULL};
658 static const char *mhex[] = {
659 "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f",
660 "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3",
661 "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900",
662 "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b",
663 "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc",
664 "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647",
665 "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c",
666 "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b",
667 NULL};
668
669 if (!TEST_true(parse_bigBN(&e, ehex))
670 || !TEST_true(parse_bigBN(&p, phex))
671 || !TEST_true(parse_bigBN(&m, mhex))
672 || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
673 || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx))
674 || !TEST_BN_eq(a, d))
675 goto err;
676 }
677
8d1ebff4 678 /* Zero input */
e2f50811
SL		 679 if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0)))
680 goto err;
8d1ebff4 681 BN_zero(a);
30bea14b 682 if (!TEST_true(BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
dc352c19 683 || !TEST_BN_eq_zero(d))
30bea14b
RS		 684 goto err;
685
8d1ebff4
RS		 686 /*
687 * Craft an input whose Montgomery representation is 1, i.e., shorter
688 * than the modulus m, in order to test the const time precomputation
689 * scattering/gathering.
690 */
e2f50811
SL		 691 if (!(TEST_true(BN_one(a))
692 && TEST_true(BN_MONT_CTX_set(mont, m, ctx))))
693 goto err;
30bea14b
RS		 694 if (!TEST_true(BN_from_montgomery(e, a, mont, ctx))
695 || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
696 || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx))
dc352c19 697 || !TEST_BN_eq(a, d))
30bea14b
RS		 698 goto err;
699
8d1ebff4 700 /* Finally, some regular test vectors. */
e2f50811
SL		 701 if (!(TEST_true(BN_bntest_rand(e, 1024, 0, 0))
702 && TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
703 && TEST_true(BN_mod_exp_simple(a, e, p, m, ctx))
704 && TEST_BN_eq(a, d)))
30bea14b
RS		 705 goto err;
706
707 st = 1;
708
fe16ae5f 709 err:
0f113f3e
MC		 710 BN_MONT_CTX_free(mont);
711 BN_free(a);
8d1ebff4
RS		 712 BN_free(p);
713 BN_free(m);
0f113f3e 714 BN_free(d);
8d1ebff4
RS		 715 BN_free(e);
716 BN_free(b);
0f113f3e 717 BN_free(n);
8d1ebff4 718 BN_free(c);
30bea14b 719 return st;
0f113f3e 720}
d02b48c6 721
8d1ebff4 722#ifndef OPENSSL_NO_EC2M
31a80694 723static int test_gf2m_add(void)
0f113f3e 724{
30bea14b 725 BIGNUM *a = NULL, *b = NULL, *c = NULL;
8d1ebff4 726 int i, st = 0;
0f113f3e 727
30bea14b
RS		 728 if (!TEST_ptr(a = BN_new())
729 || !TEST_ptr(b = BN_new())
730 || !TEST_ptr(c = BN_new()))
731 goto err;
0f113f3e 732
8d1ebff4 733 for (i = 0; i < NUM0; i++) {
e2f50811
SL		 734 if (!(TEST_true(BN_rand(a, 512, 0, 0))
735 && TEST_ptr(BN_copy(b, BN_value_one()))))
736 goto err;
2b1aa198
RL		 737 BN_set_negative(a, rand_neg());
738 BN_set_negative(b, rand_neg());
e2f50811
SL		 739 if (!(TEST_true(BN_GF2m_add(c, a, b))
740 /* Test that two added values have the correct parity. */
741 && TEST_false((BN_is_odd(a) && BN_is_odd(c))
742 || (!BN_is_odd(a) && !BN_is_odd(c)))))
8d1ebff4 743 goto err;
e2f50811
SL		 744 if (!(TEST_true(BN_GF2m_add(c, c, c))
745 /* Test that c + c = 0. */
746 && TEST_BN_eq_zero(c)))
8d1ebff4 747 goto err;
0f113f3e 748 }
8d1ebff4
RS		 749 st = 1;
750 err:
0f113f3e
MC		 751 BN_free(a);
752 BN_free(b);
753 BN_free(c);
8d1ebff4 754 return st;
0f113f3e 755}
d02b48c6 756
31a80694 757static int test_gf2m_mod(void)
0f113f3e 758{
1287dabd 759 BIGNUM *a = NULL, *b[2] = {NULL, NULL}, *c = NULL, *d = NULL, *e = NULL;
8d1ebff4 760 int i, j, st = 0;
0f113f3e 761
30bea14b
RS		 762 if (!TEST_ptr(a = BN_new())
763 || !TEST_ptr(b[0] = BN_new())
764 || !TEST_ptr(b[1] = BN_new())
765 || !TEST_ptr(c = BN_new())
766 || !TEST_ptr(d = BN_new())
767 || !TEST_ptr(e = BN_new()))
768 goto err;
0f113f3e 769
e2f50811
SL		 770 if (!(TEST_true(BN_GF2m_arr2poly(p0, b[0]))
771 && TEST_true(BN_GF2m_arr2poly(p1, b[1]))))
772 goto err;
0f113f3e 773
8d1ebff4 774 for (i = 0; i < NUM0; i++) {
e2f50811
SL		 775 if (!TEST_true(BN_bntest_rand(a, 1024, 0, 0)))
776 goto err;
8d1ebff4 777 for (j = 0; j < 2; j++) {
e2f50811
SL		 778 if (!(TEST_true(BN_GF2m_mod(c, a, b[j]))
779 && TEST_true(BN_GF2m_add(d, a, c))
780 && TEST_true(BN_GF2m_mod(e, d, b[j]))
781 /* Test that a + (a mod p) mod p == 0. */
782 && TEST_BN_eq_zero(e)))
8d1ebff4 783 goto err;
0f113f3e
MC		 784 }
785 }
8d1ebff4
RS		 786 st = 1;
787 err:
0f113f3e 788 BN_free(a);
8d1ebff4
RS		 789 BN_free(b[0]);
790 BN_free(b[1]);
0f113f3e
MC		 791 BN_free(c);
792 BN_free(d);
793 BN_free(e);
8d1ebff4 794 return st;
0f113f3e 795}
d02b48c6 796
31a80694 797static int test_gf2m_mul(void)
0f113f3e 798{
30bea14b
RS		 799 BIGNUM *a, *b[2] = {NULL, NULL}, *c = NULL, *d = NULL;
800 BIGNUM *e = NULL, *f = NULL, *g = NULL, *h = NULL;
8d1ebff4 801 int i, j, st = 0;
30bea14b
RS		 802
803 if (!TEST_ptr(a = BN_new())
804 || !TEST_ptr(b[0] = BN_new())
805 || !TEST_ptr(b[1] = BN_new())
806 || !TEST_ptr(c = BN_new())
807 || !TEST_ptr(d = BN_new())
808 || !TEST_ptr(e = BN_new())
809 || !TEST_ptr(f = BN_new())
810 || !TEST_ptr(g = BN_new())
811 || !TEST_ptr(h = BN_new()))
812 goto err;
0f113f3e 813
e2f50811
SL		 814 if (!(TEST_true(BN_GF2m_arr2poly(p0, b[0]))
815 && TEST_true(BN_GF2m_arr2poly(p1, b[1]))))
816 goto err;
0f113f3e 817
8d1ebff4 818 for (i = 0; i < NUM0; i++) {
e2f50811
SL		 819 if (!(TEST_true(BN_bntest_rand(a, 1024, 0, 0))
820 && TEST_true(BN_bntest_rand(c, 1024, 0, 0))
821 && TEST_true(BN_bntest_rand(d, 1024, 0, 0))))
822 goto err;
8d1ebff4 823 for (j = 0; j < 2; j++) {
e2f50811
SL		 824 if (!(TEST_true(BN_GF2m_mod_mul(e, a, c, b[j], ctx))
825 && TEST_true(BN_GF2m_add(f, a, d))
826 && TEST_true(BN_GF2m_mod_mul(g, f, c, b[j], ctx))
827 && TEST_true(BN_GF2m_mod_mul(h, d, c, b[j], ctx))
828 && TEST_true(BN_GF2m_add(f, e, g))
829 && TEST_true(BN_GF2m_add(f, f, h))
830 /* Test that (a+d)*c = a*c + d*c. */
831 && TEST_BN_eq_zero(f)))
8d1ebff4 832 goto err;
0f113f3e 833 }
29851264 834 }
8d1ebff4 835 st = 1;
30bea14b 836
8d1ebff4 837 err:
0f113f3e 838 BN_free(a);
8d1ebff4
RS		 839 BN_free(b[0]);
840 BN_free(b[1]);
0f113f3e
MC		 841 BN_free(c);
842 BN_free(d);
843 BN_free(e);
8d1ebff4
RS		 844 BN_free(f);
845 BN_free(g);
846 BN_free(h);
847 return st;
0f113f3e 848}
d02b48c6 849
31a80694 850static int test_gf2m_sqr(void)
0f113f3e 851{
1287dabd 852 BIGNUM *a = NULL, *b[2] = {NULL, NULL}, *c = NULL, *d = NULL;
8d1ebff4 853 int i, j, st = 0;
0f113f3e 854
30bea14b
RS		 855 if (!TEST_ptr(a = BN_new())
856 || !TEST_ptr(b[0] = BN_new())
857 || !TEST_ptr(b[1] = BN_new())
858 || !TEST_ptr(c = BN_new())
859 || !TEST_ptr(d = BN_new()))
860 goto err;
a9009e51 861
e2f50811
SL		 862 if (!(TEST_true(BN_GF2m_arr2poly(p0, b[0]))
863 && TEST_true(BN_GF2m_arr2poly(p1, b[1]))))
864 goto err;
0f113f3e 865
8d1ebff4 866 for (i = 0; i < NUM0; i++) {
e2f50811
SL		 867 if (!TEST_true(BN_bntest_rand(a, 1024, 0, 0)))
868 goto err;
8d1ebff4 869 for (j = 0; j < 2; j++) {
e2f50811
SL		 870 if (!(TEST_true(BN_GF2m_mod_sqr(c, a, b[j], ctx))
871 && TEST_true(BN_copy(d, a))
872 && TEST_true(BN_GF2m_mod_mul(d, a, d, b[j], ctx))
873 && TEST_true(BN_GF2m_add(d, c, d))
874 /* Test that a*a = a^2. */
875 && TEST_BN_eq_zero(d)))
8d1ebff4 876 goto err;
0f113f3e
MC		 877 }
878 }
8d1ebff4
RS		 879 st = 1;
880 err:
0f113f3e 881 BN_free(a);
8d1ebff4
RS		 882 BN_free(b[0]);
883 BN_free(b[1]);
0f113f3e
MC		 884 BN_free(c);
885 BN_free(d);
8d1ebff4 886 return st;
0f113f3e
MC		 887}
888
31a80694 889static int test_gf2m_modinv(void)
0f113f3e 890{
1287dabd 891 BIGNUM *a = NULL, *b[2] = {NULL, NULL}, *c = NULL, *d = NULL;
8d1ebff4 892 int i, j, st = 0;
0f113f3e 893
30bea14b
RS		 894 if (!TEST_ptr(a = BN_new())
895 || !TEST_ptr(b[0] = BN_new())
896 || !TEST_ptr(b[1] = BN_new())
897 || !TEST_ptr(c = BN_new())
898 || !TEST_ptr(d = BN_new()))
899 goto err;
0f113f3e 900
e2f50811
SL		 901 if (!(TEST_true(BN_GF2m_arr2poly(p0, b[0]))
902 && TEST_true(BN_GF2m_arr2poly(p1, b[1]))))
903 goto err;
0f113f3e 904
8d1ebff4 905 for (i = 0; i < NUM0; i++) {
e2f50811
SL		 906 if (!TEST_true(BN_bntest_rand(a, 512, 0, 0)))
907 goto err;
0f113f3e 908 for (j = 0; j < 2; j++) {
e2f50811
SL		 909 if (!(TEST_true(BN_GF2m_mod_inv(c, a, b[j], ctx))
910 && TEST_true(BN_GF2m_mod_mul(d, a, c, b[j], ctx))
911 /* Test that ((1/a)*a) = 1. */
912 && TEST_BN_eq_one(d)))
0f113f3e 913 goto err;
0f113f3e
MC		 914 }
915 }
8d1ebff4 916 st = 1;
0f113f3e
MC		 917 err:
918 BN_free(a);
919 BN_free(b[0]);
920 BN_free(b[1]);
921 BN_free(c);
922 BN_free(d);
8d1ebff4 923 return st;
0f113f3e
MC		 924}
925
31a80694 926static int test_gf2m_moddiv(void)
0f113f3e 927{
1287dabd 928 BIGNUM *a = NULL, *b[2] = {NULL, NULL}, *c = NULL, *d = NULL;
30bea14b 929 BIGNUM *e = NULL, *f = NULL;
8d1ebff4 930 int i, j, st = 0;
0f113f3e 931
30bea14b
RS		 932 if (!TEST_ptr(a = BN_new())
933 || !TEST_ptr(b[0] = BN_new())
934 || !TEST_ptr(b[1] = BN_new())
935 || !TEST_ptr(c = BN_new())
936 || !TEST_ptr(d = BN_new())
937 || !TEST_ptr(e = BN_new())
938 || !TEST_ptr(f = BN_new()))
939 goto err;
0f113f3e 940
e2f50811
SL		 941 if (!(TEST_true(BN_GF2m_arr2poly(p0, b[0]))
942 && TEST_true(BN_GF2m_arr2poly(p1, b[1]))))
943 goto err;
0f113f3e 944
8d1ebff4 945 for (i = 0; i < NUM0; i++) {
e2f50811
SL		 946 if (!(TEST_true(BN_bntest_rand(a, 512, 0, 0))
947 && TEST_true(BN_bntest_rand(c, 512, 0, 0))))
948 goto err;
0f113f3e 949 for (j = 0; j < 2; j++) {
e2f50811
SL		 950 if (!(TEST_true(BN_GF2m_mod_div(d, a, c, b[j], ctx))
951 && TEST_true(BN_GF2m_mod_mul(e, d, c, b[j], ctx))
952 && TEST_true(BN_GF2m_mod_div(f, a, e, b[j], ctx))
953 /* Test that ((a/c)*c)/a = 1. */
954 && TEST_BN_eq_one(f)))
0f113f3e 955 goto err;
0f113f3e
MC		 956 }
957 }
8d1ebff4 958 st = 1;
0f113f3e
MC		 959 err:
960 BN_free(a);
961 BN_free(b[0]);
962 BN_free(b[1]);
963 BN_free(c);
964 BN_free(d);
965 BN_free(e);
966 BN_free(f);
8d1ebff4 967 return st;
0f113f3e
MC		 968}
969
31a80694 970static int test_gf2m_modexp(void)
0f113f3e 971{
1287dabd 972 BIGNUM *a = NULL, *b[2] = {NULL, NULL}, *c = NULL, *d = NULL;
30bea14b 973 BIGNUM *e = NULL, *f = NULL;
8d1ebff4 974 int i, j, st = 0;
0f113f3e 975
30bea14b
RS		 976 if (!TEST_ptr(a = BN_new())
977 || !TEST_ptr(b[0] = BN_new())
978 || !TEST_ptr(b[1] = BN_new())
979 || !TEST_ptr(c = BN_new())
980 || !TEST_ptr(d = BN_new())
981 || !TEST_ptr(e = BN_new())
982 || !TEST_ptr(f = BN_new()))
983 goto err;
0f113f3e 984
e2f50811
SL		 985 if (!(TEST_true(BN_GF2m_arr2poly(p0, b[0]))
986 && TEST_true(BN_GF2m_arr2poly(p1, b[1]))))
987 goto err;
0f113f3e 988
8d1ebff4 989 for (i = 0; i < NUM0; i++) {
e2f50811
SL		 990 if (!(TEST_true(BN_bntest_rand(a, 512, 0, 0))
991 && TEST_true(BN_bntest_rand(c, 512, 0, 0))
992 && TEST_true(BN_bntest_rand(d, 512, 0, 0))))
993 goto err;
0f113f3e 994 for (j = 0; j < 2; j++) {
e2f50811
SL		 995 if (!(TEST_true(BN_GF2m_mod_exp(e, a, c, b[j], ctx))
996 && TEST_true(BN_GF2m_mod_exp(f, a, d, b[j], ctx))
997 && TEST_true(BN_GF2m_mod_mul(e, e, f, b[j], ctx))
998 && TEST_true(BN_add(f, c, d))
999 && TEST_true(BN_GF2m_mod_exp(f, a, f, b[j], ctx))
1000 && TEST_true(BN_GF2m_add(f, e, f))
1001 /* Test that a^(c+d)=a^c*a^d. */
1002 && TEST_BN_eq_zero(f)))
0f113f3e 1003 goto err;
0f113f3e
MC		 1004 }
1005 }
8d1ebff4 1006 st = 1;
0f113f3e
MC		 1007 err:
1008 BN_free(a);
1009 BN_free(b[0]);
1010 BN_free(b[1]);
1011 BN_free(c);
1012 BN_free(d);
1013 BN_free(e);
1014 BN_free(f);
8d1ebff4 1015 return st;
0f113f3e
MC		 1016}
1017
31a80694 1018static int test_gf2m_modsqrt(void)
0f113f3e 1019{
1287dabd 1020 BIGNUM *a = NULL, *b[2] = {NULL, NULL}, *c = NULL, *d = NULL;
30bea14b 1021 BIGNUM *e = NULL, *f = NULL;
8d1ebff4 1022 int i, j, st = 0;
0f113f3e 1023
30bea14b
RS		 1024 if (!TEST_ptr(a = BN_new())
1025 || !TEST_ptr(b[0] = BN_new())
1026 || !TEST_ptr(b[1] = BN_new())
1027 || !TEST_ptr(c = BN_new())
1028 || !TEST_ptr(d = BN_new())
1029 || !TEST_ptr(e = BN_new())
1030 || !TEST_ptr(f = BN_new()))
1031 goto err;
0f113f3e 1032
e2f50811
SL		 1033 if (!(TEST_true(BN_GF2m_arr2poly(p0, b[0]))
1034 && TEST_true(BN_GF2m_arr2poly(p1, b[1]))))
1035 goto err;
0f113f3e 1036
8d1ebff4 1037 for (i = 0; i < NUM0; i++) {
e2f50811
SL		 1038 if (!TEST_true(BN_bntest_rand(a, 512, 0, 0)))
1039 goto err;
1040
0f113f3e 1041 for (j = 0; j < 2; j++) {
e2f50811
SL		 1042 if (!(TEST_true(BN_GF2m_mod(c, a, b[j]))
1043 && TEST_true(BN_GF2m_mod_sqrt(d, a, b[j], ctx))
1044 && TEST_true(BN_GF2m_mod_sqr(e, d, b[j], ctx))
1045 && TEST_true(BN_GF2m_add(f, c, e))
1046 /* Test that d^2 = a, where d = sqrt(a). */
1047 && TEST_BN_eq_zero(f)))
0f113f3e 1048 goto err;
0f113f3e
MC		 1049 }
1050 }
8d1ebff4 1051 st = 1;
0f113f3e
MC		 1052 err:
1053 BN_free(a);
1054 BN_free(b[0]);
1055 BN_free(b[1]);
1056 BN_free(c);
1057 BN_free(d);
1058 BN_free(e);
1059 BN_free(f);
8d1ebff4 1060 return st;
0f113f3e
MC		 1061}
1062
31a80694 1063static int test_gf2m_modsolvequad(void)
0f113f3e 1064{
1287dabd 1065 BIGNUM *a = NULL, *b[2] = {NULL, NULL}, *c = NULL, *d = NULL;
30bea14b 1066 BIGNUM *e = NULL;
8d1ebff4 1067 int i, j, s = 0, t, st = 0;
0f113f3e 1068
30bea14b
RS		 1069 if (!TEST_ptr(a = BN_new())
1070 || !TEST_ptr(b[0] = BN_new())
1071 || !TEST_ptr(b[1] = BN_new())
1072 || !TEST_ptr(c = BN_new())
1073 || !TEST_ptr(d = BN_new())
1074 || !TEST_ptr(e = BN_new()))
1075 goto err;
0f113f3e 1076
e2f50811
SL		 1077 if (!(TEST_true(BN_GF2m_arr2poly(p0, b[0]))
1078 && TEST_true(BN_GF2m_arr2poly(p1, b[1]))))
1079 goto err;
0f113f3e 1080
8d1ebff4 1081 for (i = 0; i < NUM0; i++) {
e2f50811
SL		 1082 if (!TEST_true(BN_bntest_rand(a, 512, 0, 0)))
1083 goto err;
0f113f3e
MC		 1084 for (j = 0; j < 2; j++) {
1085 t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
1086 if (t) {
1087 s++;
e2f50811
SL		 1088 if (!(TEST_true(BN_GF2m_mod_sqr(d, c, b[j], ctx))
1089 && TEST_true(BN_GF2m_add(d, c, d))
1090 && TEST_true(BN_GF2m_mod(e, a, b[j]))
1091 && TEST_true(BN_GF2m_add(e, e, d))
1092 /*
1093 * Test that solution of quadratic c
1094 * satisfies c^2 + c = a.
1095 */
1096 && TEST_BN_eq_zero(e)))
0f113f3e 1097 goto err;
0f113f3e
MC		 1098 }
1099 }
1100 }
30bea14b
RS		 1101 if (!TEST_int_ge(s, 0)) {
1102 TEST_info("%d tests found no roots; probably an error", NUM0);
0f113f3e
MC		 1103 goto err;
1104 }
8d1ebff4 1105 st = 1;
0f113f3e
MC		 1106 err:
1107 BN_free(a);
1108 BN_free(b[0]);
1109 BN_free(b[1]);
1110 BN_free(c);
1111 BN_free(d);
1112 BN_free(e);
8d1ebff4 1113 return st;
0f113f3e 1114}
b3310161 1115#endif
8d1ebff4 1116
31a80694 1117static int test_kronecker(void)
0f113f3e 1118{
30bea14b
RS		 1119 BIGNUM *a = NULL, *b = NULL, *r = NULL, *t = NULL;
1120 int i, legendre, kronecker, st = 0;
8d1ebff4 1121
30bea14b
RS		 1122 if (!TEST_ptr(a = BN_new())
1123 || !TEST_ptr(b = BN_new())
1124 || !TEST_ptr(r = BN_new())
1125 || !TEST_ptr(t = BN_new()))
8d1ebff4
RS		 1126 goto err;
1127
1128 /*
1129 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1130 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1131 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1132 * generate a random prime b and compare these values for a number of
1133 * random a's. (That is, we run the Solovay-Strassen primality test to
1134 * confirm that b is prime, except that we don't want to test whether b
1135 * is prime but whether BN_kronecker works.)
1136 */
1137
30bea14b 1138 if (!TEST_true(BN_generate_prime_ex(b, 512, 0, NULL, NULL, NULL)))
8d1ebff4 1139 goto err;
2b1aa198 1140 BN_set_negative(b, rand_neg());
8d1ebff4
RS		 1141
1142 for (i = 0; i < NUM0; i++) {
30bea14b 1143 if (!TEST_true(BN_bntest_rand(a, 512, 0, 0)))
8d1ebff4 1144 goto err;
2b1aa198 1145 BN_set_negative(a, rand_neg());
8d1ebff4
RS		 1146
1147 /* t := (|b|-1)/2 (note that b is odd) */
30bea14b 1148 if (!TEST_true(BN_copy(t, b)))
8d1ebff4 1149 goto err;
2b1aa198 1150 BN_set_negative(t, 0);
30bea14b 1151 if (!TEST_true(BN_sub_word(t, 1)))
8d1ebff4 1152 goto err;
30bea14b 1153 if (!TEST_true(BN_rshift1(t, t)))
8d1ebff4
RS		 1154 goto err;
1155 /* r := a^t mod b */
2b1aa198 1156 BN_set_negative(b, 0);
8d1ebff4 1157
30bea14b 1158 if (!TEST_true(BN_mod_exp_recp(r, a, t, b, ctx)))
8d1ebff4 1159 goto err;
2b1aa198 1160 BN_set_negative(b, 1);
8d1ebff4
RS		 1161
1162 if (BN_is_word(r, 1))
1163 legendre = 1;
1164 else if (BN_is_zero(r))
1165 legendre = 0;
1166 else {
30bea14b 1167 if (!TEST_true(BN_add_word(r, 1)))
8d1ebff4 1168 goto err;
30bea14b
RS		 1169 if (!TEST_int_eq(BN_ucmp(r, b), 0)) {
1170 TEST_info("Legendre symbol computation failed");
8d1ebff4
RS		 1171 goto err;
1172 }
1173 legendre = -1;
1174 }
1175
30bea14b 1176 if (!TEST_int_ge(kronecker = BN_kronecker(a, b, ctx), -1))
8d1ebff4
RS		 1177 goto err;
1178 /* we actually need BN_kronecker(a, |b|) */
2b1aa198 1179 if (BN_is_negative(a) && BN_is_negative(b))
8d1ebff4
RS		 1180 kronecker = -kronecker;
1181
30bea14b 1182 if (!TEST_int_eq(legendre, kronecker))
8d1ebff4 1183 goto err;
8d1ebff4
RS		 1184 }
1185
1186 st = 1;
1187 err:
1188 BN_free(a);
1189 BN_free(b);
1190 BN_free(r);
1191 BN_free(t);
1192 return st;
1193}
1194
1195static int file_sum(STANZA *s)
1196{
30bea14b 1197 BIGNUM *a = NULL, *b = NULL, *sum = NULL, *ret = NULL;
8d1ebff4
RS		 1198 BN_ULONG b_word;
1199 int st = 0;
1200
30bea14b
RS		 1201 if (!TEST_ptr(a = getBN(s, "A"))
1202 || !TEST_ptr(b = getBN(s, "B"))
1203 || !TEST_ptr(sum = getBN(s, "Sum"))
1204 || !TEST_ptr(ret = BN_new()))
8d1ebff4
RS		 1205 goto err;
1206
30bea14b 1207 if (!TEST_true(BN_add(ret, a, b))
8d1ebff4 1208 || !equalBN("A + B", sum, ret)
30bea14b 1209 || !TEST_true(BN_sub(ret, sum, a))
8d1ebff4 1210 || !equalBN("Sum - A", b, ret)
30bea14b 1211 || !TEST_true(BN_sub(ret, sum, b))
8d1ebff4
RS		 1212 || !equalBN("Sum - B", a, ret))
1213 goto err;
1214
1215 /*
1216 * Test that the functions work when |r| and |a| point to the same BIGNUM,
1217 * or when |r| and |b| point to the same BIGNUM.
fd009d76 1218 * There is no test for all of |r|, |a|, and |b| pointint to the same BIGNUM.
8d1ebff4 1219 */
30bea14b
RS		 1220 if (!TEST_true(BN_copy(ret, a))
1221 || !TEST_true(BN_add(ret, ret, b))
8d1ebff4 1222 || !equalBN("A + B (r is a)", sum, ret)
30bea14b
RS		 1223 || !TEST_true(BN_copy(ret, b))
1224 || !TEST_true(BN_add(ret, a, ret))
8d1ebff4 1225 || !equalBN("A + B (r is b)", sum, ret)
30bea14b
RS		 1226 || !TEST_true(BN_copy(ret, sum))
1227 || !TEST_true(BN_sub(ret, ret, a))
8d1ebff4 1228 || !equalBN("Sum - A (r is a)", b, ret)
30bea14b
RS		 1229 || !TEST_true(BN_copy(ret, a))
1230 || !TEST_true(BN_sub(ret, sum, ret))
8d1ebff4 1231 || !equalBN("Sum - A (r is b)", b, ret)
30bea14b
RS		 1232 || !TEST_true(BN_copy(ret, sum))
1233 || !TEST_true(BN_sub(ret, ret, b))
8d1ebff4 1234 || !equalBN("Sum - B (r is a)", a, ret)
30bea14b
RS		 1235 || !TEST_true(BN_copy(ret, b))
1236 || !TEST_true(BN_sub(ret, sum, ret))
8d1ebff4
RS		 1237 || !equalBN("Sum - B (r is b)", a, ret))
1238 goto err;
1239
1240 /*
1241 * Test BN_uadd() and BN_usub() with the prerequisites they are
1242 * documented as having. Note that these functions are frequently used
1243 * when the prerequisites don't hold. In those cases, they are supposed
1244 * to work as if the prerequisite hold, but we don't test that yet.
8d1ebff4
RS		 1245 */
1246 if (!BN_is_negative(a) && !BN_is_negative(b) && BN_cmp(a, b) >= 0) {
30bea14b 1247 if (!TEST_true(BN_uadd(ret, a, b))
8d1ebff4 1248 || !equalBN("A +u B", sum, ret)
30bea14b 1249 || !TEST_true(BN_usub(ret, sum, a))
8d1ebff4 1250 || !equalBN("Sum -u A", b, ret)
30bea14b 1251 || !TEST_true(BN_usub(ret, sum, b))
8d1ebff4
RS		 1252 || !equalBN("Sum -u B", a, ret))
1253 goto err;
1254 /*
1255 * Test that the functions work when |r| and |a| point to the same
1256 * BIGNUM, or when |r| and |b| point to the same BIGNUM.
fd009d76
P		 1257 * There is no test for all of |r|, |a|, and |b| pointint to the same
1258 * BIGNUM.
8d1ebff4 1259 */
30bea14b
RS		 1260 if (!TEST_true(BN_copy(ret, a))
1261 || !TEST_true(BN_uadd(ret, ret, b))
8d1ebff4 1262 || !equalBN("A +u B (r is a)", sum, ret)
30bea14b
RS		 1263 || !TEST_true(BN_copy(ret, b))
1264 || !TEST_true(BN_uadd(ret, a, ret))
8d1ebff4 1265 || !equalBN("A +u B (r is b)", sum, ret)
30bea14b
RS		 1266 || !TEST_true(BN_copy(ret, sum))
1267 || !TEST_true(BN_usub(ret, ret, a))
8d1ebff4 1268 || !equalBN("Sum -u A (r is a)", b, ret)
30bea14b
RS		 1269 || !TEST_true(BN_copy(ret, a))
1270 || !TEST_true(BN_usub(ret, sum, ret))
8d1ebff4 1271 || !equalBN("Sum -u A (r is b)", b, ret)
30bea14b
RS		 1272 || !TEST_true(BN_copy(ret, sum))
1273 || !TEST_true(BN_usub(ret, ret, b))
8d1ebff4 1274 || !equalBN("Sum -u B (r is a)", a, ret)
30bea14b
RS		 1275 || !TEST_true(BN_copy(ret, b))
1276 || !TEST_true(BN_usub(ret, sum, ret))
8d1ebff4
RS		 1277 || !equalBN("Sum -u B (r is b)", a, ret))
1278 goto err;
1279 }
1280
1281 /*
1282 * Test with BN_add_word() and BN_sub_word() if |b| is small enough.
1283 */
1284 b_word = BN_get_word(b);
1285 if (!BN_is_negative(b) && b_word != (BN_ULONG)-1) {
30bea14b
RS		 1286 if (!TEST_true(BN_copy(ret, a))
1287 || !TEST_true(BN_add_word(ret, b_word))
8d1ebff4 1288 || !equalBN("A + B (word)", sum, ret)
30bea14b
RS		 1289 || !TEST_true(BN_copy(ret, sum))
1290 || !TEST_true(BN_sub_word(ret, b_word))
8d1ebff4
RS		 1291 || !equalBN("Sum - B (word)", a, ret))
1292 goto err;
1293 }
1294 st = 1;
1295
fe16ae5f 1296 err:
8d1ebff4
RS		 1297 BN_free(a);
1298 BN_free(b);
1299 BN_free(sum);
1300 BN_free(ret);
1301 return st;
1302}
1303
1304static int file_lshift1(STANZA *s)
1305{
30bea14b
RS		 1306 BIGNUM *a = NULL, *lshift1 = NULL, *zero = NULL, *ret = NULL;
1307 BIGNUM *two = NULL, *remainder = NULL;
8d1ebff4
RS		 1308 int st = 0;
1309
30bea14b
RS		 1310 if (!TEST_ptr(a = getBN(s, "A"))
1311 || !TEST_ptr(lshift1 = getBN(s, "LShift1"))
1312 || !TEST_ptr(zero = BN_new())
1313 || !TEST_ptr(ret = BN_new())
1314 || !TEST_ptr(two = BN_new())
1315 || !TEST_ptr(remainder = BN_new()))
8d1ebff4
RS		 1316 goto err;
1317
1318 BN_zero(zero);
1319
30bea14b
RS		 1320 if (!TEST_true(BN_set_word(two, 2))
1321 || !TEST_true(BN_add(ret, a, a))
8d1ebff4 1322 || !equalBN("A + A", lshift1, ret)
30bea14b 1323 || !TEST_true(BN_mul(ret, a, two, ctx))
8d1ebff4 1324 || !equalBN("A * 2", lshift1, ret)
30bea14b 1325 || !TEST_true(BN_div(ret, remainder, lshift1, two, ctx))
8d1ebff4
RS		 1326 || !equalBN("LShift1 / 2", a, ret)
1327 || !equalBN("LShift1 % 2", zero, remainder)
30bea14b 1328 || !TEST_true(BN_lshift1(ret, a))
8d1ebff4 1329 || !equalBN("A << 1", lshift1, ret)
30bea14b 1330 || !TEST_true(BN_rshift1(ret, lshift1))
8d1ebff4 1331 || !equalBN("LShift >> 1", a, ret)
30bea14b 1332 || !TEST_true(BN_rshift1(ret, lshift1))
8d1ebff4
RS		 1333 || !equalBN("LShift >> 1", a, ret))
1334 goto err;
1335
1336 /* Set the LSB to 1 and test rshift1 again. */
30bea14b
RS		 1337 if (!TEST_true(BN_set_bit(lshift1, 0))
1338 || !TEST_true(BN_div(ret, NULL /* rem */ , lshift1, two, ctx))
8d1ebff4 1339 || !equalBN("(LShift1 | 1) / 2", a, ret)
30bea14b 1340 || !TEST_true(BN_rshift1(ret, lshift1))
8d1ebff4
RS		 1341 || !equalBN("(LShift | 1) >> 1", a, ret))
1342 goto err;
1343
1344 st = 1;
fe16ae5f 1345 err:
8d1ebff4
RS		 1346 BN_free(a);
1347 BN_free(lshift1);
1348 BN_free(zero);
1349 BN_free(ret);
1350 BN_free(two);
1351 BN_free(remainder);
1352
1353 return st;
1354}
1355
1356static int file_lshift(STANZA *s)
1357{
30bea14b
RS		 1358 BIGNUM *a = NULL, *lshift = NULL, *ret = NULL;
1359 int n = 0, st = 0;
8d1ebff4 1360
30bea14b
RS		 1361 if (!TEST_ptr(a = getBN(s, "A"))
1362 || !TEST_ptr(lshift = getBN(s, "LShift"))
83ccead4
MC		 1363 || !TEST_ptr(ret = BN_new())
1364 || !getint(s, &n, "N"))
1365 goto err;
8d1ebff4 1366
30bea14b 1367 if (!TEST_true(BN_lshift(ret, a, n))
8d1ebff4 1368 || !equalBN("A << N", lshift, ret)
30bea14b 1369 || !TEST_true(BN_rshift(ret, lshift, n))
8d1ebff4
RS		 1370 || !equalBN("A >> N", a, ret))
1371 goto err;
1372
1373 st = 1;
fe16ae5f 1374 err:
8d1ebff4
RS		 1375 BN_free(a);
1376 BN_free(lshift);
1377 BN_free(ret);
1378 return st;
1379}
1380
1381static int file_rshift(STANZA *s)
1382{
30bea14b
RS		 1383 BIGNUM *a = NULL, *rshift = NULL, *ret = NULL;
1384 int n = 0, st = 0;
8d1ebff4 1385
30bea14b
RS		 1386 if (!TEST_ptr(a = getBN(s, "A"))
1387 || !TEST_ptr(rshift = getBN(s, "RShift"))
1388 || !TEST_ptr(ret = BN_new())
1389 || !getint(s, &n, "N"))
8d1ebff4
RS		 1390 goto err;
1391
30bea14b 1392 if (!TEST_true(BN_rshift(ret, a, n))
8d1ebff4 1393 || !equalBN("A >> N", rshift, ret))
30bea14b 1394 goto err;
ceac1975
RL		 1395
1396 /* If N == 1, try with rshift1 as well */
1397 if (n == 1) {
30bea14b 1398 if (!TEST_true(BN_rshift1(ret, a))
ceac1975 1399 || !equalBN("A >> 1 (rshift1)", rshift, ret))
30bea14b 1400 goto err;
ceac1975 1401 }
30bea14b 1402 st = 1;
8d1ebff4 1403
fe16ae5f 1404 err:
8d1ebff4
RS		 1405 BN_free(a);
1406 BN_free(rshift);
1407 BN_free(ret);
30bea14b 1408 return st;
8d1ebff4
RS		 1409}
1410
1411static int file_square(STANZA *s)
1412{
30bea14b
RS		 1413 BIGNUM *a = NULL, *square = NULL, *zero = NULL, *ret = NULL;
1414 BIGNUM *remainder = NULL, *tmp = NULL;
8d1ebff4
RS		 1415 int st = 0;
1416
30bea14b
RS		 1417 if (!TEST_ptr(a = getBN(s, "A"))
1418 || !TEST_ptr(square = getBN(s, "Square"))
1419 || !TEST_ptr(zero = BN_new())
1420 || !TEST_ptr(ret = BN_new())
1421 || !TEST_ptr(remainder = BN_new()))
8d1ebff4
RS		 1422 goto err;
1423
1424 BN_zero(zero);
30bea14b 1425 if (!TEST_true(BN_sqr(ret, a, ctx))
8d1ebff4 1426 || !equalBN("A^2", square, ret)
30bea14b 1427 || !TEST_true(BN_mul(ret, a, a, ctx))
8d1ebff4 1428 || !equalBN("A * A", square, ret)
30bea14b 1429 || !TEST_true(BN_div(ret, remainder, square, a, ctx))
8d1ebff4
RS		 1430 || !equalBN("Square / A", a, ret)
1431 || !equalBN("Square % A", zero, remainder))
1432 goto err;
1433
1434#if HAVE_BN_SQRT
1435 BN_set_negative(a, 0);
30bea14b 1436 if (!TEST_true(BN_sqrt(ret, square, ctx))
8d1ebff4
RS		 1437 || !equalBN("sqrt(Square)", a, ret))
1438 goto err;
1439
1440 /* BN_sqrt should fail on non-squares and negative numbers. */
dc352c19
P		 1441 if (!TEST_BN_eq_zero(square)) {
1442 if (!TEST_ptr(tmp = BN_new())
1443 || !TEST_true(BN_copy(tmp, square)))
8d1ebff4
RS		 1444 goto err;
1445 BN_set_negative(tmp, 1);
1446
30bea14b 1447 if (!TEST_int_eq(BN_sqrt(ret, tmp, ctx), 0))
8d1ebff4 1448 goto err;
8d1ebff4
RS		 1449 ERR_clear_error();
1450
1451 BN_set_negative(tmp, 0);
1452 if (BN_add(tmp, tmp, BN_value_one()))
1453 goto err;
30bea14b 1454 if (!TEST_int_eq(BN_sqrt(ret, tmp, ctx)))
8d1ebff4 1455 goto err;
8d1ebff4
RS		 1456 ERR_clear_error();
1457 }
1458#endif
1459
1460 st = 1;
fe16ae5f 1461 err:
8d1ebff4
RS		 1462 BN_free(a);
1463 BN_free(square);
1464 BN_free(zero);
1465 BN_free(ret);
1466 BN_free(remainder);
1467 BN_free(tmp);
1468 return st;
1469}
1470
1471static int file_product(STANZA *s)
1472{
30bea14b
RS		 1473 BIGNUM *a = NULL, *b = NULL, *product = NULL, *ret = NULL;
1474 BIGNUM *remainder = NULL, *zero = NULL;
8d1ebff4
RS		 1475 int st = 0;
1476
30bea14b
RS		 1477 if (!TEST_ptr(a = getBN(s, "A"))
1478 || !TEST_ptr(b = getBN(s, "B"))
1479 || !TEST_ptr(product = getBN(s, "Product"))
1480 || !TEST_ptr(ret = BN_new())
1481 || !TEST_ptr(remainder = BN_new())
1482 || !TEST_ptr(zero = BN_new()))
8d1ebff4
RS		 1483 goto err;
1484
1485 BN_zero(zero);
1486
30bea14b 1487 if (!TEST_true(BN_mul(ret, a, b, ctx))
8d1ebff4 1488 || !equalBN("A * B", product, ret)
30bea14b 1489 || !TEST_true(BN_div(ret, remainder, product, a, ctx))
8d1ebff4
RS		 1490 || !equalBN("Product / A", b, ret)
1491 || !equalBN("Product % A", zero, remainder)
30bea14b 1492 || !TEST_true(BN_div(ret, remainder, product, b, ctx))
8d1ebff4
RS		 1493 || !equalBN("Product / B", a, ret)
1494 || !equalBN("Product % B", zero, remainder))
1495 goto err;
1496
1497 st = 1;
fe16ae5f 1498 err:
8d1ebff4
RS		 1499 BN_free(a);
1500 BN_free(b);
1501 BN_free(product);
1502 BN_free(ret);
1503 BN_free(remainder);
1504 BN_free(zero);
1505 return st;
1506}
1507
1508static int file_quotient(STANZA *s)
1509{
30bea14b
RS		 1510 BIGNUM *a = NULL, *b = NULL, *quotient = NULL, *remainder = NULL;
1511 BIGNUM *ret = NULL, *ret2 = NULL, *nnmod = NULL;
8d1ebff4
RS		 1512 BN_ULONG b_word, ret_word;
1513 int st = 0;
1514
30bea14b
RS		 1515 if (!TEST_ptr(a = getBN(s, "A"))
1516 || !TEST_ptr(b = getBN(s, "B"))
1517 || !TEST_ptr(quotient = getBN(s, "Quotient"))
1518 || !TEST_ptr(remainder = getBN(s, "Remainder"))
1519 || !TEST_ptr(ret = BN_new())
1520 || !TEST_ptr(ret2 = BN_new())
1521 || !TEST_ptr(nnmod = BN_new()))
8d1ebff4
RS		 1522 goto err;
1523
30bea14b 1524 if (!TEST_true(BN_div(ret, ret2, a, b, ctx))
8d1ebff4
RS		 1525 || !equalBN("A / B", quotient, ret)
1526 || !equalBN("A % B", remainder, ret2)
30bea14b
RS		 1527 || !TEST_true(BN_mul(ret, quotient, b, ctx))
1528 || !TEST_true(BN_add(ret, ret, remainder))
8d1ebff4
RS		 1529 || !equalBN("Quotient * B + Remainder", a, ret))
1530 goto err;
1531
1532 /*
1533 * Test with BN_mod_word() and BN_div_word() if the divisor is
1534 * small enough.
1535 */
1536 b_word = BN_get_word(b);
1537 if (!BN_is_negative(b) && b_word != (BN_ULONG)-1) {
1538 BN_ULONG remainder_word = BN_get_word(remainder);
1539
1540 assert(remainder_word != (BN_ULONG)-1);
30bea14b 1541 if (!TEST_ptr(BN_copy(ret, a)))
8d1ebff4
RS		 1542 goto err;
1543 ret_word = BN_div_word(ret, b_word);
1544 if (ret_word != remainder_word) {
1545#ifdef BN_DEC_FMT1
30bea14b
RS		 1546 TEST_error(
1547 "Got A %% B (word) = " BN_DEC_FMT1 ", wanted " BN_DEC_FMT1,
8d1ebff4
RS		 1548 ret_word, remainder_word);
1549#else
30bea14b 1550 TEST_error("Got A %% B (word) mismatch");
8d1ebff4
RS		 1551#endif
1552 goto err;
1553 }
1554 if (!equalBN ("A / B (word)", quotient, ret))
1555 goto err;
1556
1557 ret_word = BN_mod_word(a, b_word);
1558 if (ret_word != remainder_word) {
1559#ifdef BN_DEC_FMT1
30bea14b
RS		 1560 TEST_error(
1561 "Got A %% B (word) = " BN_DEC_FMT1 ", wanted " BN_DEC_FMT1 "",
8d1ebff4
RS		 1562 ret_word, remainder_word);
1563#else
30bea14b 1564 TEST_error("Got A %% B (word) mismatch");
8d1ebff4
RS		 1565#endif
1566 goto err;
1567 }
1568 }
1569
1570 /* Test BN_nnmod. */
1571 if (!BN_is_negative(b)) {
30bea14b
RS		 1572 if (!TEST_true(BN_copy(nnmod, remainder))
1573 || (BN_is_negative(nnmod)
1574 && !TEST_true(BN_add(nnmod, nnmod, b)))
1575 || !TEST_true(BN_nnmod(ret, a, b, ctx))
8d1ebff4
RS		 1576 || !equalBN("A % B (non-negative)", nnmod, ret))
1577 goto err;
1578 }
1579
1580 st = 1;
fe16ae5f 1581 err:
8d1ebff4
RS		 1582 BN_free(a);
1583 BN_free(b);
1584 BN_free(quotient);
1585 BN_free(remainder);
1586 BN_free(ret);
1587 BN_free(ret2);
1588 BN_free(nnmod);
1589 return st;
1590}
1591
1592static int file_modmul(STANZA *s)
1593{
30bea14b 1594 BIGNUM *a = NULL, *b = NULL, *m = NULL, *mod_mul = NULL, *ret = NULL;
8d1ebff4
RS		 1595 int st = 0;
1596
30bea14b
RS		 1597 if (!TEST_ptr(a = getBN(s, "A"))
1598 || !TEST_ptr(b = getBN(s, "B"))
1599 || !TEST_ptr(m = getBN(s, "M"))
1600 || !TEST_ptr(mod_mul = getBN(s, "ModMul"))
1601 || !TEST_ptr(ret = BN_new()))
8d1ebff4
RS		 1602 goto err;
1603
30bea14b 1604 if (!TEST_true(BN_mod_mul(ret, a, b, m, ctx))
8d1ebff4
RS		 1605 || !equalBN("A * B (mod M)", mod_mul, ret))
1606 goto err;
1607
1608 if (BN_is_odd(m)) {
1609 /* Reduce |a| and |b| and test the Montgomery version. */
1610 BN_MONT_CTX *mont = BN_MONT_CTX_new();
1611 BIGNUM *a_tmp = BN_new();
1612 BIGNUM *b_tmp = BN_new();
30bea14b 1613
8d1ebff4 1614 if (mont == NULL || a_tmp == NULL || b_tmp == NULL
30bea14b
RS		 1615 || !TEST_true(BN_MONT_CTX_set(mont, m, ctx))
1616 || !TEST_true(BN_nnmod(a_tmp, a, m, ctx))
1617 || !TEST_true(BN_nnmod(b_tmp, b, m, ctx))
1618 || !TEST_true(BN_to_montgomery(a_tmp, a_tmp, mont, ctx))
1619 || !TEST_true(BN_to_montgomery(b_tmp, b_tmp, mont, ctx))
1620 || !TEST_true(BN_mod_mul_montgomery(ret, a_tmp, b_tmp,
1621 mont, ctx))
1622 || !TEST_true(BN_from_montgomery(ret, ret, mont, ctx))
1623 || !equalBN("A * B (mod M) (mont)", mod_mul, ret))
8d1ebff4 1624 st = 0;
30bea14b 1625 else
8d1ebff4 1626 st = 1;
8d1ebff4
RS		 1627 BN_MONT_CTX_free(mont);
1628 BN_free(a_tmp);
1629 BN_free(b_tmp);
1630 if (st == 0)
1631 goto err;
1632 }
1633
1634 st = 1;
fe16ae5f 1635 err:
8d1ebff4
RS		 1636 BN_free(a);
1637 BN_free(b);
1638 BN_free(m);
1639 BN_free(mod_mul);
1640 BN_free(ret);
1641 return st;
1642}
1643
1644static int file_modexp(STANZA *s)
1645{
30bea14b
RS		 1646 BIGNUM *a = NULL, *e = NULL, *m = NULL, *mod_exp = NULL, *ret = NULL;
1647 BIGNUM *b = NULL, *c = NULL, *d = NULL;
8d1ebff4
RS		 1648 int st = 0;
1649
30bea14b
RS		 1650 if (!TEST_ptr(a = getBN(s, "A"))
1651 || !TEST_ptr(e = getBN(s, "E"))
1652 || !TEST_ptr(m = getBN(s, "M"))
1653 || !TEST_ptr(mod_exp = getBN(s, "ModExp"))
1654 || !TEST_ptr(ret = BN_new())
1655 || !TEST_ptr(d = BN_new()))
8d1ebff4
RS		 1656 goto err;
1657
30bea14b 1658 if (!TEST_true(BN_mod_exp(ret, a, e, m, ctx))
8d1ebff4
RS		 1659 || !equalBN("A ^ E (mod M)", mod_exp, ret))
1660 goto err;
1661
1662 if (BN_is_odd(m)) {
30bea14b 1663 if (!TEST_true(BN_mod_exp_mont(ret, a, e, m, ctx, NULL))
8d1ebff4 1664 || !equalBN("A ^ E (mod M) (mont)", mod_exp, ret)
30bea14b
RS		 1665 || !TEST_true(BN_mod_exp_mont_consttime(ret, a, e, m,
1666 ctx, NULL))
8d1ebff4
RS		 1667 || !equalBN("A ^ E (mod M) (mont const", mod_exp, ret))
1668 goto err;
1669 }
1670
1671 /* Regression test for carry propagation bug in sqr8x_reduction */
1672 BN_hex2bn(&a, "050505050505");
1673 BN_hex2bn(&b, "02");
1674 BN_hex2bn(&c,
1675 "4141414141414141414141274141414141414141414141414141414141414141"
1676 "4141414141414141414141414141414141414141414141414141414141414141"
1677 "4141414141414141414141800000000000000000000000000000000000000000"
1678 "0000000000000000000000000000000000000000000000000000000000000000"
1679 "0000000000000000000000000000000000000000000000000000000000000000"
1680 "0000000000000000000000000000000000000000000000000000000001");
9e206ce5
P		 1681 if (!TEST_true(BN_mod_exp(d, a, b, c, ctx))
1682 || !TEST_true(BN_mul(e, a, a, ctx))
1683 || !TEST_BN_eq(d, e))
8d1ebff4 1684 goto err;
8d1ebff4
RS		 1685
1686 st = 1;
fe16ae5f 1687 err:
8d1ebff4
RS		 1688 BN_free(a);
1689 BN_free(b);
1690 BN_free(c);
1691 BN_free(d);
1692 BN_free(e);
1693 BN_free(m);
1694 BN_free(mod_exp);
1695 BN_free(ret);
1696 return st;
1697}
1698
1699static int file_exp(STANZA *s)
1700{
30bea14b 1701 BIGNUM *a = NULL, *e = NULL, *exp = NULL, *ret = NULL;
8d1ebff4
RS		 1702 int st = 0;
1703
30bea14b
RS		 1704 if (!TEST_ptr(a = getBN(s, "A"))
1705 || !TEST_ptr(e = getBN(s, "E"))
1706 || !TEST_ptr(exp = getBN(s, "Exp"))
1707 || !TEST_ptr(ret = BN_new()))
8d1ebff4
RS		 1708 goto err;
1709
30bea14b 1710 if (!TEST_true(BN_exp(ret, a, e, ctx))
8d1ebff4
RS		 1711 || !equalBN("A ^ E", exp, ret))
1712 goto err;
1713
1714 st = 1;
fe16ae5f 1715 err:
8d1ebff4
RS		 1716 BN_free(a);
1717 BN_free(e);
1718 BN_free(exp);
1719 BN_free(ret);
1720 return st;
1721}
1722
1723static int file_modsqrt(STANZA *s)
1724{
30bea14b 1725 BIGNUM *a = NULL, *p = NULL, *mod_sqrt = NULL, *ret = NULL, *ret2 = NULL;
8d1ebff4
RS		 1726 int st = 0;
1727
30bea14b
RS		 1728 if (!TEST_ptr(a = getBN(s, "A"))
1729 || !TEST_ptr(p = getBN(s, "P"))
1730 || !TEST_ptr(mod_sqrt = getBN(s, "ModSqrt"))
1731 || !TEST_ptr(ret = BN_new())
1732 || !TEST_ptr(ret2 = BN_new()))
8d1ebff4
RS		 1733 goto err;
1734
1735 /* There are two possible answers. */
30bea14b
RS		 1736 if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
1737 || !TEST_true(BN_sub(ret2, p, ret)))
8d1ebff4
RS		 1738 goto err;
1739
30bea14b 1740 /* The first condition should NOT be a test. */
8d1ebff4
RS		 1741 if (BN_cmp(ret2, mod_sqrt) != 0
1742 && !equalBN("sqrt(A) (mod P)", mod_sqrt, ret))
1743 goto err;
1744
1745 st = 1;
fe16ae5f 1746 err:
8d1ebff4
RS		 1747 BN_free(a);
1748 BN_free(p);
1749 BN_free(mod_sqrt);
1750 BN_free(ret);
1751 BN_free(ret2);
1752 return st;
1753}
1754
b75d6310
CPG		 1755static int file_gcd(STANZA *s)
1756{
1757 BIGNUM *a = NULL, *b = NULL, *gcd = NULL, *ret = NULL;
1758 int st = 0;
1759
1760 if (!TEST_ptr(a = getBN(s, "A"))
1761 || !TEST_ptr(b = getBN(s, "B"))
1762 || !TEST_ptr(gcd = getBN(s, "GCD"))
1763 || !TEST_ptr(ret = BN_new()))
1764 goto err;
1765
1766 if (!TEST_true(BN_gcd(ret, a, b, ctx))
1767 || !equalBN("gcd(A,B)", gcd, ret))
1768 goto err;
1769
1770 st = 1;
1771 err:
1772 BN_free(a);
1773 BN_free(b);
1774 BN_free(gcd);
1775 BN_free(ret);
1776 return st;
1777}
1778
31a80694 1779static int test_bn2padded(void)
8d1ebff4 1780{
8d1ebff4 1781 uint8_t zeros[256], out[256], reference[128];
23750f67
RL		 1782 size_t bytes;
1783 BIGNUM *n;
8d1ebff4
RS		 1784 int st = 0;
1785
1786 /* Test edge case at 0. */
23750f67 1787 if (!TEST_ptr((n = BN_new())))
8d1ebff4 1788 goto err;
23750f67 1789 if (!TEST_int_eq(BN_bn2binpad(n, NULL, 0), 0))
8d1ebff4 1790 goto err;
8d1ebff4 1791 memset(out, -1, sizeof(out));
23750f67 1792 if (!TEST_int_eq(BN_bn2binpad(n, out, sizeof(out)), sizeof(out)))
8d1ebff4 1793 goto err;
8d1ebff4 1794 memset(zeros, 0, sizeof(zeros));
30bea14b 1795 if (!TEST_mem_eq(zeros, sizeof(zeros), out, sizeof(out)))
8d1ebff4 1796 goto err;
8d1ebff4
RS		 1797
1798 /* Test a random numbers at various byte lengths. */
23750f67 1799 for (bytes = 128 - 7; bytes <= 128; bytes++) {
fe16ae5f
NT		 1800# define TOP_BIT_ON 0
1801# define BOTTOM_BIT_NOTOUCH 0
30bea14b 1802 if (!TEST_true(BN_rand(n, bytes * 8, TOP_BIT_ON, BOTTOM_BIT_NOTOUCH)))
8d1ebff4 1803 goto err;
23750f67
RL		 1804 if (!TEST_int_eq(BN_num_bytes(n), bytes)
1805 || !TEST_int_eq(BN_bn2bin(n, reference), bytes))
8d1ebff4 1806 goto err;
8d1ebff4 1807 /* Empty buffer should fail. */
23750f67 1808 if (!TEST_int_eq(BN_bn2binpad(n, NULL, 0), -1))
8d1ebff4 1809 goto err;
8d1ebff4 1810 /* One byte short should fail. */
23750f67 1811 if (!TEST_int_eq(BN_bn2binpad(n, out, bytes - 1), -1))
8d1ebff4 1812 goto err;
8d1ebff4 1813 /* Exactly right size should encode. */
23750f67
RL		 1814 if (!TEST_int_eq(BN_bn2binpad(n, out, bytes), bytes)
1815 || !TEST_mem_eq(out, bytes, reference, bytes))
8d1ebff4 1816 goto err;
8d1ebff4 1817 /* Pad up one byte extra. */
23750f67 1818 if (!TEST_int_eq(BN_bn2binpad(n, out, bytes + 1), bytes + 1)
30bea14b
RS		 1819 || !TEST_mem_eq(out + 1, bytes, reference, bytes)
1820 || !TEST_mem_eq(out, 1, zeros, 1))
8d1ebff4 1821 goto err;
8d1ebff4 1822 /* Pad up to 256. */
23750f67 1823 if (!TEST_int_eq(BN_bn2binpad(n, out, sizeof(out)), sizeof(out))
30bea14b
RS		 1824 || !TEST_mem_eq(out + sizeof(out) - bytes, bytes,
1825 reference, bytes)
23750f67 1826 || !TEST_mem_eq(out, sizeof(out) - bytes,
30bea14b 1827 zeros, sizeof(out) - bytes))
8d1ebff4 1828 goto err;
8d1ebff4
RS		 1829 }
1830
1831 st = 1;
fe16ae5f 1832 err:
8d1ebff4
RS		 1833 BN_free(n);
1834 return st;
8d1ebff4
RS		 1835}
1836
5288303d
RL		 1837static const MPITEST kSignedTests_BE[] = {
1838 {"-1", "\xff", 1},
1839 {"0", "", 0},
1840 {"1", "\x01", 1},
1841 /*
1842 * The above cover the basics, now let's go for possible bignum
1843 * chunk edges and other word edges (for a broad definition of
1844 * "word", i.e. 1 byte included).
1845 */
1846 /* 1 byte edge */
1847 {"127", "\x7f", 1},
1848 {"-127", "\x81", 1},
1849 {"128", "\x00\x80", 2},
1850 {"-128", "\x80", 1},
1851 {"129", "\x00\x81", 2},
1852 {"-129", "\xff\x7f", 2},
1853 {"255", "\x00\xff", 2},
1854 {"-255", "\xff\x01", 2},
1855 {"256", "\x01\x00", 2},
1856 {"-256", "\xff\x00", 2},
1857 /* 2 byte edge */
1858 {"32767", "\x7f\xff", 2},
1859 {"-32767", "\x80\x01", 2},
1860 {"32768", "\x00\x80\x00", 3},
1861 {"-32768", "\x80\x00", 2},
1862 {"32769", "\x00\x80\x01", 3},
1863 {"-32769", "\xff\x7f\xff", 3},
1864 {"65535", "\x00\xff\xff", 3},
1865 {"-65535", "\xff\x00\x01", 3},
1866 {"65536", "\x01\x00\x00", 3},
1867 {"-65536", "\xff\x00\x00", 3},
1868 /* 4 byte edge */
1869 {"2147483647", "\x7f\xff\xff\xff", 4},
1870 {"-2147483647", "\x80\x00\x00\x01", 4},
1871 {"2147483648", "\x00\x80\x00\x00\x00", 5},
1872 {"-2147483648", "\x80\x00\x00\x00", 4},
1873 {"2147483649", "\x00\x80\x00\x00\x01", 5},
1874 {"-2147483649", "\xff\x7f\xff\xff\xff", 5},
1875 {"4294967295", "\x00\xff\xff\xff\xff", 5},
1876 {"-4294967295", "\xff\x00\x00\x00\x01", 5},
1877 {"4294967296", "\x01\x00\x00\x00\x00", 5},
1878 {"-4294967296", "\xff\x00\x00\x00\x00", 5},
1879 /* 8 byte edge */
1880 {"9223372036854775807", "\x7f\xff\xff\xff\xff\xff\xff\xff", 8},
1881 {"-9223372036854775807", "\x80\x00\x00\x00\x00\x00\x00\x01", 8},
1882 {"9223372036854775808", "\x00\x80\x00\x00\x00\x00\x00\x00\x00", 9},
1883 {"-9223372036854775808", "\x80\x00\x00\x00\x00\x00\x00\x00", 8},
1884 {"9223372036854775809", "\x00\x80\x00\x00\x00\x00\x00\x00\x01", 9},
1885 {"-9223372036854775809", "\xff\x7f\xff\xff\xff\xff\xff\xff\xff", 9},
1886 {"18446744073709551615", "\x00\xff\xff\xff\xff\xff\xff\xff\xff", 9},
1887 {"-18446744073709551615", "\xff\x00\x00\x00\x00\x00\x00\x00\x01", 9},
1888 {"18446744073709551616", "\x01\x00\x00\x00\x00\x00\x00\x00\x00", 9},
1889 {"-18446744073709551616", "\xff\x00\x00\x00\x00\x00\x00\x00\x00", 9},
1890};
1891
1892static int copy_reversed(uint8_t *dst, uint8_t *src, size_t len)
1893{
1894 for (dst += len - 1; len > 0; src++, dst--, len--)
1895 *dst = *src;
1896 return 1;
1897}
1898
1899static int test_bn2signed(int i)
1900{
1901 uint8_t scratch[10], reversed[10];
1902 const MPITEST *test = &kSignedTests_BE[i];
1903 BIGNUM *bn = NULL, *bn2 = NULL;
1904 int st = 0;
1905
1906 if (!TEST_ptr(bn = BN_new())
1907 || !TEST_true(BN_asc2bn(&bn, test->base10)))
1908 goto err;
1909
1910 /*
1911 * Check BN_signed_bn2bin() / BN_signed_bin2bn()
1912 * The interesting stuff happens in the last bytes of the buffers,
1913 * the beginning is just padding (i.e. sign extension).
1914 */
1915 i = sizeof(scratch) - test->mpi_len;
1916 if (!TEST_int_eq(BN_signed_bn2bin(bn, scratch, sizeof(scratch)),
1917 sizeof(scratch))
1918 || !TEST_true(copy_reversed(reversed, scratch, sizeof(scratch)))
1919 || !TEST_mem_eq(test->mpi, test->mpi_len, scratch + i, test->mpi_len))
1920 goto err;
1921
1922 if (!TEST_ptr(bn2 = BN_signed_bin2bn(scratch, sizeof(scratch), NULL))
1923 || !TEST_BN_eq(bn, bn2))
1924 goto err;
1925
1926 BN_free(bn2);
1927 bn2 = NULL;
1928
1929 /* Check that a parse of the reversed buffer works too */
1930 if (!TEST_ptr(bn2 = BN_signed_lebin2bn(reversed, sizeof(reversed), NULL))
1931 || !TEST_BN_eq(bn, bn2))
1932 goto err;
1933
1934 BN_free(bn2);
1935 bn2 = NULL;
1936
1937 /*
1938 * Check BN_signed_bn2lebin() / BN_signed_lebin2bn()
1939 * The interesting stuff happens in the first bytes of the buffers,
1940 * the end is just padding (i.e. sign extension).
1941 */
1942 i = sizeof(reversed) - test->mpi_len;
1943 if (!TEST_int_eq(BN_signed_bn2lebin(bn, scratch, sizeof(scratch)),
1944 sizeof(scratch))
1945 || !TEST_true(copy_reversed(reversed, scratch, sizeof(scratch)))
1946 || !TEST_mem_eq(test->mpi, test->mpi_len, reversed + i, test->mpi_len))
1947 goto err;
1948
1949 if (!TEST_ptr(bn2 = BN_signed_lebin2bn(scratch, sizeof(scratch), NULL))
1950 || !TEST_BN_eq(bn, bn2))
1951 goto err;
1952
1953 BN_free(bn2);
1954 bn2 = NULL;
1955
1956 /* Check that a parse of the reversed buffer works too */
1957 if (!TEST_ptr(bn2 = BN_signed_bin2bn(reversed, sizeof(reversed), NULL))
1958 || !TEST_BN_eq(bn, bn2))
1959 goto err;
1960
1961 st = 1;
1962 err:
1963 BN_free(bn2);
1964 BN_free(bn);
1965 return st;
1966}
1967
31a80694 1968static int test_dec2bn(void)
8d1ebff4
RS		 1969{
1970 BIGNUM *bn = NULL;
1971 int st = 0;
1972
30bea14b 1973 if (!TEST_int_eq(parsedecBN(&bn, "0"), 1)
dc352c19
P		 1974 || !TEST_BN_eq_word(bn, 0)
1975 || !TEST_BN_eq_zero(bn)
1976 || !TEST_BN_le_zero(bn)
1977 || !TEST_BN_ge_zero(bn)
1978 || !TEST_BN_even(bn))
8d1ebff4 1979 goto err;
8d1ebff4 1980 BN_free(bn);
dc352c19 1981 bn = NULL;
8d1ebff4 1982
30bea14b 1983 if (!TEST_int_eq(parsedecBN(&bn, "256"), 3)
dc352c19
P		 1984 || !TEST_BN_eq_word(bn, 256)
1985 || !TEST_BN_ge_zero(bn)
1986 || !TEST_BN_gt_zero(bn)
1987 || !TEST_BN_ne_zero(bn)
1988 || !TEST_BN_even(bn))
8d1ebff4 1989 goto err;
8d1ebff4 1990 BN_free(bn);
dc352c19 1991 bn = NULL;
8d1ebff4 1992
30bea14b 1993 if (!TEST_int_eq(parsedecBN(&bn, "-42"), 3)
dc352c19
P		 1994 || !TEST_BN_abs_eq_word(bn, 42)
1995 || !TEST_BN_lt_zero(bn)
1996 || !TEST_BN_le_zero(bn)
1997 || !TEST_BN_ne_zero(bn)
1998 || !TEST_BN_even(bn))
8d1ebff4 1999 goto err;
8d1ebff4 2000 BN_free(bn);
dc352c19
P		 2001 bn = NULL;
2002
2003 if (!TEST_int_eq(parsedecBN(&bn, "1"), 1)
2004 || !TEST_BN_eq_word(bn, 1)
2005 || !TEST_BN_ne_zero(bn)
2006 || !TEST_BN_gt_zero(bn)
2007 || !TEST_BN_ge_zero(bn)
2008 || !TEST_BN_eq_one(bn)
2009 || !TEST_BN_odd(bn))
2010 goto err;
2011 BN_free(bn);
2012 bn = NULL;
8d1ebff4 2013
30bea14b 2014 if (!TEST_int_eq(parsedecBN(&bn, "-0"), 2)
dc352c19
P		 2015 || !TEST_BN_eq_zero(bn)
2016 || !TEST_BN_ge_zero(bn)
2017 || !TEST_BN_le_zero(bn)
2018 || !TEST_BN_even(bn))
8d1ebff4 2019 goto err;
8d1ebff4 2020 BN_free(bn);
dc352c19 2021 bn = NULL;
8d1ebff4 2022
30bea14b 2023 if (!TEST_int_eq(parsedecBN(&bn, "42trailing garbage is ignored"), 2)
dc352c19
P		 2024 || !TEST_BN_abs_eq_word(bn, 42)
2025 || !TEST_BN_ge_zero(bn)
2026 || !TEST_BN_gt_zero(bn)
2027 || !TEST_BN_ne_zero(bn)
2028 || !TEST_BN_even(bn))
8d1ebff4 2029 goto err;
8d1ebff4
RS		 2030
2031 st = 1;
fe16ae5f 2032 err:
8d1ebff4
RS		 2033 BN_free(bn);
2034 return st;
2035}
2036
31a80694 2037static int test_hex2bn(void)
8d1ebff4
RS		 2038{
2039 BIGNUM *bn = NULL;
30bea14b 2040 int st = 0;
8d1ebff4 2041
30bea14b 2042 if (!TEST_int_eq(parseBN(&bn, "0"), 1)
dc352c19
P		 2043 || !TEST_BN_eq_zero(bn)
2044 || !TEST_BN_ge_zero(bn)
2045 || !TEST_BN_even(bn))
8d1ebff4 2046 goto err;
8d1ebff4 2047 BN_free(bn);
dc352c19 2048 bn = NULL;
8d1ebff4 2049
30bea14b 2050 if (!TEST_int_eq(parseBN(&bn, "256"), 3)
dc352c19
P		 2051 || !TEST_BN_eq_word(bn, 0x256)
2052 || !TEST_BN_ge_zero(bn)
2053 || !TEST_BN_gt_zero(bn)
2054 || !TEST_BN_ne_zero(bn)
2055 || !TEST_BN_even(bn))
8d1ebff4 2056 goto err;
8d1ebff4 2057 BN_free(bn);
dc352c19 2058 bn = NULL;
8d1ebff4 2059
30bea14b 2060 if (!TEST_int_eq(parseBN(&bn, "-42"), 3)
dc352c19
P		 2061 || !TEST_BN_abs_eq_word(bn, 0x42)
2062 || !TEST_BN_lt_zero(bn)
2063 || !TEST_BN_le_zero(bn)
2064 || !TEST_BN_ne_zero(bn)
2065 || !TEST_BN_even(bn))
2066 goto err;
2067 BN_free(bn);
2068 bn = NULL;
2069
2070 if (!TEST_int_eq(parseBN(&bn, "cb"), 2)
2071 || !TEST_BN_eq_word(bn, 0xCB)
2072 || !TEST_BN_ge_zero(bn)
2073 || !TEST_BN_gt_zero(bn)
2074 || !TEST_BN_ne_zero(bn)
2075 || !TEST_BN_odd(bn))
8d1ebff4 2076 goto err;
8d1ebff4 2077 BN_free(bn);
dc352c19 2078 bn = NULL;
8d1ebff4 2079
30bea14b 2080 if (!TEST_int_eq(parseBN(&bn, "-0"), 2)
dc352c19
P		 2081 || !TEST_BN_eq_zero(bn)
2082 || !TEST_BN_ge_zero(bn)
2083 || !TEST_BN_le_zero(bn)
2084 || !TEST_BN_even(bn))
8d1ebff4 2085 goto err;
8d1ebff4 2086 BN_free(bn);
dc352c19 2087 bn = NULL;
8d1ebff4 2088
30bea14b 2089 if (!TEST_int_eq(parseBN(&bn, "abctrailing garbage is ignored"), 3)
dc352c19
P		 2090 || !TEST_BN_eq_word(bn, 0xabc)
2091 || !TEST_BN_ge_zero(bn)
2092 || !TEST_BN_gt_zero(bn)
2093 || !TEST_BN_ne_zero(bn)
2094 || !TEST_BN_even(bn))
8d1ebff4 2095 goto err;
8d1ebff4
RS		 2096 st = 1;
2097
fe16ae5f 2098 err:
8d1ebff4
RS		 2099 BN_free(bn);
2100 return st;
2101}
2102
31a80694 2103static int test_asc2bn(void)
8d1ebff4 2104{
30bea14b 2105 BIGNUM *bn = NULL;
8d1ebff4
RS		 2106 int st = 0;
2107
30bea14b 2108 if (!TEST_ptr(bn = BN_new()))
8d1ebff4 2109 goto err;
8d1ebff4 2110
30bea14b 2111 if (!TEST_true(BN_asc2bn(&bn, "0"))
dc352c19
P		 2112 || !TEST_BN_eq_zero(bn)
2113 || !TEST_BN_ge_zero(bn))
8d1ebff4 2114 goto err;
8d1ebff4 2115
30bea14b 2116 if (!TEST_true(BN_asc2bn(&bn, "256"))
dc352c19
P		 2117 || !TEST_BN_eq_word(bn, 256)
2118 || !TEST_BN_ge_zero(bn))
8d1ebff4 2119 goto err;
8d1ebff4 2120
30bea14b 2121 if (!TEST_true(BN_asc2bn(&bn, "-42"))
dc352c19
P		 2122 || !TEST_BN_abs_eq_word(bn, 42)
2123 || !TEST_BN_lt_zero(bn))
8d1ebff4 2124 goto err;
8d1ebff4 2125
30bea14b 2126 if (!TEST_true(BN_asc2bn(&bn, "0x1234"))
dc352c19
P		 2127 || !TEST_BN_eq_word(bn, 0x1234)
2128 || !TEST_BN_ge_zero(bn))
8d1ebff4 2129 goto err;
8d1ebff4 2130
30bea14b 2131 if (!TEST_true(BN_asc2bn(&bn, "0X1234"))
dc352c19
P		 2132 || !TEST_BN_eq_word(bn, 0x1234)
2133 || !TEST_BN_ge_zero(bn))
8d1ebff4 2134 goto err;
8d1ebff4 2135
30bea14b 2136 if (!TEST_true(BN_asc2bn(&bn, "-0xabcd"))
dc352c19
P		 2137 || !TEST_BN_abs_eq_word(bn, 0xabcd)
2138 || !TEST_BN_lt_zero(bn))
8d1ebff4 2139 goto err;
8d1ebff4 2140
30bea14b 2141 if (!TEST_true(BN_asc2bn(&bn, "-0"))
dc352c19
P		 2142 || !TEST_BN_eq_zero(bn)
2143 || !TEST_BN_ge_zero(bn))
30bea14b
RS		 2144 goto err;
2145
2146 if (!TEST_true(BN_asc2bn(&bn, "123trailing garbage is ignored"))
dc352c19
P		 2147 || !TEST_BN_eq_word(bn, 123)
2148 || !TEST_BN_ge_zero(bn))
8d1ebff4 2149 goto err;
8d1ebff4
RS		 2150
2151 st = 1;
fe16ae5f 2152 err:
8d1ebff4
RS		 2153 BN_free(bn);
2154 return st;
2155}
2156
2157static const MPITEST kMPITests[] = {
2158 {"0", "\x00\x00\x00\x00", 4},
2159 {"1", "\x00\x00\x00\x01\x01", 5},
2160 {"-1", "\x00\x00\x00\x01\x81", 5},
2161 {"128", "\x00\x00\x00\x02\x00\x80", 6},
2162 {"256", "\x00\x00\x00\x02\x01\x00", 6},
2163 {"-256", "\x00\x00\x00\x02\x81\x00", 6},
2164};
2165
30bea14b 2166static int test_mpi(int i)
8d1ebff4
RS		 2167{
2168 uint8_t scratch[8];
30bea14b 2169 const MPITEST *test = &kMPITests[i];
8d1ebff4 2170 size_t mpi_len, mpi_len2;
30bea14b 2171 BIGNUM *bn = NULL;
8d1ebff4
RS		 2172 BIGNUM *bn2 = NULL;
2173 int st = 0;
2174
30bea14b
RS		 2175 if (!TEST_ptr(bn = BN_new())
2176 || !TEST_true(BN_asc2bn(&bn, test->base10)))
2177 goto err;
2178 mpi_len = BN_bn2mpi(bn, NULL);
2179 if (!TEST_size_t_le(mpi_len, sizeof(scratch)))
2180 goto err;
8d1ebff4 2181
30bea14b
RS		 2182 if (!TEST_size_t_eq(mpi_len2 = BN_bn2mpi(bn, scratch), mpi_len)
2183 || !TEST_mem_eq(test->mpi, test->mpi_len, scratch, mpi_len))
2184 goto err;
8d1ebff4 2185
30bea14b
RS		 2186 if (!TEST_ptr(bn2 = BN_mpi2bn(scratch, mpi_len, NULL)))
2187 goto err;
8d1ebff4 2188
dc352c19 2189 if (!TEST_BN_eq(bn, bn2)) {
8d1ebff4 2190 BN_free(bn2);
30bea14b 2191 goto err;
8d1ebff4 2192 }
30bea14b 2193 BN_free(bn2);
8d1ebff4
RS		 2194
2195 st = 1;
fe16ae5f 2196 err:
8d1ebff4
RS		 2197 BN_free(bn);
2198 return st;
0f113f3e 2199}
bdec3c53 2200
31a80694 2201static int test_rand(void)
0f113f3e 2202{
30bea14b 2203 BIGNUM *bn = NULL;
8d1ebff4 2204 int st = 0;
0f113f3e 2205
30bea14b 2206 if (!TEST_ptr(bn = BN_new()))
8d1ebff4 2207 return 0;
0f113f3e 2208
30bea14b
RS		 2209 /* Test BN_rand for degenerate cases with |top| and |bottom| parameters. */
2210 if (!TEST_false(BN_rand(bn, 0, 0 /* top */ , 0 /* bottom */ ))
2211 || !TEST_false(BN_rand(bn, 0, 1 /* top */ , 1 /* bottom */ ))
2212 || !TEST_true(BN_rand(bn, 1, 0 /* top */ , 0 /* bottom */ ))
dc352c19 2213 || !TEST_BN_eq_one(bn)
30bea14b
RS		 2214 || !TEST_false(BN_rand(bn, 1, 1 /* top */ , 0 /* bottom */ ))
2215 || !TEST_true(BN_rand(bn, 1, -1 /* top */ , 1 /* bottom */ ))
dc352c19 2216 || !TEST_BN_eq_one(bn)
30bea14b 2217 || !TEST_true(BN_rand(bn, 2, 1 /* top */ , 0 /* bottom */ ))
dc352c19 2218 || !TEST_BN_eq_word(bn, 3))
8d1ebff4 2219 goto err;
0f113f3e 2220
8d1ebff4 2221 st = 1;
fe16ae5f 2222 err:
8d1ebff4
RS		 2223 BN_free(bn);
2224 return st;
2225}
2226
bb5b3e6d
P		 2227/*
2228 * Run some statistical tests to provide a degree confidence that the
5d2f3e4a
P		 2229 * BN_rand_range() function works as expected. The test cases and
2230 * critical values are generated by the bn_rand_range script.
bb5b3e6d 2231 *
5d2f3e4a
P		 2232 * Each individual test is a Chi^2 goodness of fit for a specified number
2233 * of samples and range. The samples are assumed to be independent and
2234 * that they are from a discrete uniform distribution.
bb5b3e6d 2235 *
5d2f3e4a
P		 2236 * Some of these individual tests are expected to fail, the success/failure
2237 * of each is an independent Bernoulli trial. The number of such successes
2238 * will form a binomial distribution. The count of the successes is compared
2239 * against a precomputed critical value to determine the overall outcome.
bb5b3e6d 2240 */
5d2f3e4a 2241struct rand_range_case {
bb5b3e6d
P		 2242 unsigned int range;
2243 unsigned int iterations;
2244 double critical;
bb5b3e6d
P		 2245};
2246
5d2f3e4a
P		 2247#include "bn_rand_range.h"
2248
2249static int test_rand_range_single(size_t n)
bb5b3e6d
P		 2250{
2251 const unsigned int range = rand_range_cases[n].range;
2252 const unsigned int iterations = rand_range_cases[n].iterations;
2253 const double critical = rand_range_cases[n].critical;
2254 const double expected = iterations / (double)range;
2255 double sum = 0;
2256 BIGNUM *rng = NULL, *val = NULL;
2257 size_t *counts;
2258 unsigned int i, v;
2259 int res = 0;
2260
2261 if (!TEST_ptr(counts = OPENSSL_zalloc(sizeof(*counts) * range))
2262 || !TEST_ptr(rng = BN_new())
2263 || !TEST_ptr(val = BN_new())
2264 || !TEST_true(BN_set_word(rng, range)))
2265 goto err;
2266 for (i = 0; i < iterations; i++) {
2267 if (!TEST_true(BN_rand_range(val, rng))
2268 || !TEST_uint_lt(v = (unsigned int)BN_get_word(val), range))
2269 goto err;
2270 counts[v]++;
2271 }
2272
bb5b3e6d
P		 2273 for (i = 0; i < range; i++) {
2274 const double delta = counts[i] - expected;
2275 sum += delta * delta;
2276 }
2277 sum /= expected;
bb5b3e6d 2278
5d2f3e4a
P		 2279 if (sum > critical) {
2280 TEST_info("Chi^2 test negative %.4f > %4.f", sum, critical);
2281 TEST_note("test case %zu range %u iterations %u", n + 1, range,
2282 iterations);
2283 goto err;
2284 }
2285
2286 res = 1;
bb5b3e6d
P		 2287err:
2288 BN_free(rng);
2289 BN_free(val);
2290 OPENSSL_free(counts);
2291 return res;
2292}
2293
5d2f3e4a
P		 2294static int test_rand_range(void)
2295{
2296 int n_success = 0;
2297 size_t i;
2298
2299 for (i = 0; i < OSSL_NELEM(rand_range_cases); i++)
2300 n_success += test_rand_range_single(i);
2301 if (TEST_int_ge(n_success, binomial_critical))
2302 return 1;
79c44b4e 2303 TEST_note("This test is expected to fail by chance 0.01%% of the time.");
5d2f3e4a
P		 2304 return 0;
2305}
2306
31a80694 2307static int test_negzero(void)
8d1ebff4 2308{
30bea14b 2309 BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL;
8d1ebff4
RS		 2310 BIGNUM *numerator = NULL, *denominator = NULL;
2311 int consttime, st = 0;
2312
30bea14b
RS		 2313 if (!TEST_ptr(a = BN_new())
2314 || !TEST_ptr(b = BN_new())
2315 || !TEST_ptr(c = BN_new())
2316 || !TEST_ptr(d = BN_new()))
8d1ebff4
RS		 2317 goto err;
2318
2319 /* Test that BN_mul never gives negative zero. */
30bea14b 2320 if (!TEST_true(BN_set_word(a, 1)))
8d1ebff4
RS		 2321 goto err;
2322 BN_set_negative(a, 1);
2323 BN_zero(b);
30bea14b 2324 if (!TEST_true(BN_mul(c, a, b, ctx)))
8d1ebff4 2325 goto err;
dc352c19
P		 2326 if (!TEST_BN_eq_zero(c)
2327 || !TEST_BN_ge_zero(c))
8d1ebff4 2328 goto err;
8d1ebff4
RS		 2329
2330 for (consttime = 0; consttime < 2; consttime++) {
30bea14b
RS		 2331 if (!TEST_ptr(numerator = BN_new())
2332 || !TEST_ptr(denominator = BN_new()))
0f113f3e 2333 goto err;
8d1ebff4
RS		 2334 if (consttime) {
2335 BN_set_flags(numerator, BN_FLG_CONSTTIME);
2336 BN_set_flags(denominator, BN_FLG_CONSTTIME);
2337 }
2338 /* Test that BN_div never gives negative zero in the quotient. */
30bea14b
RS		 2339 if (!TEST_true(BN_set_word(numerator, 1))
2340 || !TEST_true(BN_set_word(denominator, 2)))
0f113f3e 2341 goto err;
8d1ebff4 2342 BN_set_negative(numerator, 1);
30bea14b 2343 if (!TEST_true(BN_div(a, b, numerator, denominator, ctx))
dc352c19
P		 2344 || !TEST_BN_eq_zero(a)
2345 || !TEST_BN_ge_zero(a))
0f113f3e 2346 goto err;
0f113f3e 2347
8d1ebff4 2348 /* Test that BN_div never gives negative zero in the remainder. */
30bea14b
RS		 2349 if (!TEST_true(BN_set_word(denominator, 1))
2350 || !TEST_true(BN_div(a, b, numerator, denominator, ctx))
dc352c19
P		 2351 || !TEST_BN_eq_zero(b)
2352 || !TEST_BN_ge_zero(b))
0f113f3e 2353 goto err;
8d1ebff4
RS		 2354 BN_free(numerator);
2355 BN_free(denominator);
2356 numerator = denominator = NULL;
2357 }
0f113f3e 2358
8d1ebff4
RS		 2359 /* Test that BN_set_negative will not produce a negative zero. */
2360 BN_zero(a);
2361 BN_set_negative(a, 1);
30bea14b 2362 if (BN_is_negative(a))
8d1ebff4 2363 goto err;
8d1ebff4 2364 st = 1;
30bea14b 2365
fe16ae5f 2366 err:
23a1d5e9
RS		 2367 BN_free(a);
2368 BN_free(b);
8d1ebff4
RS		 2369 BN_free(c);
2370 BN_free(d);
2371 BN_free(numerator);
2372 BN_free(denominator);
2373 return st;
0f113f3e 2374}
c7820896 2375
31a80694 2376static int test_badmod(void)
0f113f3e 2377{
30bea14b
RS		 2378 BIGNUM *a = NULL, *b = NULL, *zero = NULL;
2379 BN_MONT_CTX *mont = NULL;
8d1ebff4 2380 int st = 0;
0f113f3e 2381
30bea14b
RS		 2382 if (!TEST_ptr(a = BN_new())
2383 || !TEST_ptr(b = BN_new())
2384 || !TEST_ptr(zero = BN_new())
2385 || !TEST_ptr(mont = BN_MONT_CTX_new()))
0f113f3e 2386 goto err;
8d1ebff4 2387 BN_zero(zero);
0f113f3e 2388
30bea14b 2389 if (!TEST_false(BN_div(a, b, BN_value_one(), zero, ctx)))
8d1ebff4 2390 goto err;
8d1ebff4 2391 ERR_clear_error();
0f113f3e 2392
30bea14b 2393 if (!TEST_false(BN_mod_mul(a, BN_value_one(), BN_value_one(), zero, ctx)))
8d1ebff4 2394 goto err;
8d1ebff4 2395 ERR_clear_error();
0f113f3e 2396
30bea14b 2397 if (!TEST_false(BN_mod_exp(a, BN_value_one(), BN_value_one(), zero, ctx)))
8d1ebff4 2398 goto err;
8d1ebff4 2399 ERR_clear_error();
0f113f3e 2400
30bea14b
RS		 2401 if (!TEST_false(BN_mod_exp_mont(a, BN_value_one(), BN_value_one(),
2402 zero, ctx, NULL)))
8d1ebff4 2403 goto err;
8d1ebff4 2404 ERR_clear_error();
0f113f3e 2405
30bea14b 2406 if (!TEST_false(BN_mod_exp_mont_consttime(a, BN_value_one(), BN_value_one(),
fe16ae5f 2407 zero, ctx, NULL)))
8d1ebff4 2408 goto err;
8d1ebff4 2409 ERR_clear_error();
0f113f3e 2410
30bea14b 2411 if (!TEST_false(BN_MONT_CTX_set(mont, zero, ctx)))
8d1ebff4 2412 goto err;
8d1ebff4 2413 ERR_clear_error();
0f113f3e 2414
8d1ebff4 2415 /* Some operations also may not be used with an even modulus. */
30bea14b 2416 if (!TEST_true(BN_set_word(b, 16)))
8d1ebff4 2417 goto err;
0f113f3e 2418
30bea14b 2419 if (!TEST_false(BN_MONT_CTX_set(mont, b, ctx)))
8d1ebff4 2420 goto err;
8d1ebff4 2421 ERR_clear_error();
0f113f3e 2422
30bea14b
RS		 2423 if (!TEST_false(BN_mod_exp_mont(a, BN_value_one(), BN_value_one(),
2424 b, ctx, NULL)))
8d1ebff4 2425 goto err;
8d1ebff4
RS		 2426 ERR_clear_error();
2427
30bea14b 2428 if (!TEST_false(BN_mod_exp_mont_consttime(a, BN_value_one(), BN_value_one(),
fe16ae5f 2429 b, ctx, NULL)))
8d1ebff4 2430 goto err;
8d1ebff4
RS		 2431 ERR_clear_error();
2432
2433 st = 1;
fe16ae5f 2434 err:
23a1d5e9 2435 BN_free(a);
8d1ebff4
RS		 2436 BN_free(b);
2437 BN_free(zero);
2438 BN_MONT_CTX_free(mont);
2439 return st;
0f113f3e
MC		 2440}
2441
31a80694 2442static int test_expmodzero(void)
0f113f3e 2443{
30bea14b 2444 BIGNUM *a = NULL, *r = NULL, *zero = NULL;
8d1ebff4 2445 int st = 0;
0f113f3e 2446
30bea14b
RS		 2447 if (!TEST_ptr(zero = BN_new())
2448 || !TEST_ptr(a = BN_new())
2449 || !TEST_ptr(r = BN_new()))
0f113f3e 2450 goto err;
8d1ebff4
RS		 2451 BN_zero(zero);
2452
30bea14b 2453 if (!TEST_true(BN_mod_exp(r, a, zero, BN_value_one(), NULL))
dc352c19 2454 || !TEST_BN_eq_zero(r)
30bea14b
RS		 2455 || !TEST_true(BN_mod_exp_mont(r, a, zero, BN_value_one(),
2456 NULL, NULL))
dc352c19 2457 || !TEST_BN_eq_zero(r)
30bea14b
RS		 2458 || !TEST_true(BN_mod_exp_mont_consttime(r, a, zero,
2459 BN_value_one(),
2460 NULL, NULL))
dc352c19 2461 || !TEST_BN_eq_zero(r)
30bea14b
RS		 2462 || !TEST_true(BN_mod_exp_mont_word(r, 42, zero,
2463 BN_value_one(), NULL, NULL))
dc352c19 2464 || !TEST_BN_eq_zero(r))
0f113f3e 2465 goto err;
0f113f3e 2466
8d1ebff4 2467 st = 1;
fe16ae5f 2468 err:
8d1ebff4
RS		 2469 BN_free(zero);
2470 BN_free(a);
2471 BN_free(r);
2472 return st;
0f113f3e
MC		 2473}
2474
adf65243
MC		 2475static int test_expmodone(void)
2476{
2477 int ret = 0, i;
2478 BIGNUM *r = BN_new();
2479 BIGNUM *a = BN_new();
2480 BIGNUM *p = BN_new();
2481 BIGNUM *m = BN_new();
2482
2483 if (!TEST_ptr(r)
2484 || !TEST_ptr(a)
2485 || !TEST_ptr(p)
2486 || !TEST_ptr(p)
2487 || !TEST_ptr(m)
2488 || !TEST_true(BN_set_word(a, 1))
2489 || !TEST_true(BN_set_word(p, 0))
2490 || !TEST_true(BN_set_word(m, 1)))
2491 goto err;
2492
2493 /* Calculate r = 1 ^ 0 mod 1, and check the result is always 0 */
2494 for (i = 0; i < 2; i++) {
2495 if (!TEST_true(BN_mod_exp(r, a, p, m, NULL))
2496 || !TEST_BN_eq_zero(r)
2497 || !TEST_true(BN_mod_exp_mont(r, a, p, m, NULL, NULL))
2498 || !TEST_BN_eq_zero(r)
2499 || !TEST_true(BN_mod_exp_mont_consttime(r, a, p, m, NULL, NULL))
2500 || !TEST_BN_eq_zero(r)
2501 || !TEST_true(BN_mod_exp_mont_word(r, 1, p, m, NULL, NULL))
2502 || !TEST_BN_eq_zero(r)
2503 || !TEST_true(BN_mod_exp_simple(r, a, p, m, NULL))
2504 || !TEST_BN_eq_zero(r)
2505 || !TEST_true(BN_mod_exp_recp(r, a, p, m, NULL))
2506 || !TEST_BN_eq_zero(r))
2507 goto err;
2508 /* Repeat for r = 1 ^ 0 mod -1 */
2509 if (i == 0)
2510 BN_set_negative(m, 1);
2511 }
2512
2513 ret = 1;
fe16ae5f 2514 err:
adf65243
MC		 2515 BN_free(r);
2516 BN_free(a);
2517 BN_free(p);
2518 BN_free(m);
2519 return ret;
2520}
2521
291f616c 2522static int test_smallprime(int kBits)
8ff70f33 2523{
30bea14b 2524 BIGNUM *r;
8d1ebff4 2525 int st = 0;
8ff70f33 2526
291f616c
BE		 2527 if (!TEST_ptr(r = BN_new()))
2528 goto err;
2529
2530 if (kBits <= 1) {
2531 if (!TEST_false(BN_generate_prime_ex(r, kBits, 0,
2532 NULL, NULL, NULL)))
2533 goto err;
2534 } else {
2535 if (!TEST_true(BN_generate_prime_ex(r, kBits, 0,
2536 NULL, NULL, NULL))
2537 || !TEST_int_eq(BN_num_bits(r), kBits))
2538 goto err;
2539 }
2540
2541 st = 1;
2542 err:
2543 BN_free(r);
2544 return st;
2545}
2546
2547static int test_smallsafeprime(int kBits)
2548{
2549 BIGNUM *r;
2550 int st = 0;
2551
2552 if (!TEST_ptr(r = BN_new()))
8d1ebff4 2553 goto err;
8ff70f33 2554
291f616c
BE		 2555 if (kBits <= 5 && kBits != 3) {
2556 if (!TEST_false(BN_generate_prime_ex(r, kBits, 1,
2557 NULL, NULL, NULL)))
2558 goto err;
2559 } else {
2560 if (!TEST_true(BN_generate_prime_ex(r, kBits, 1,
2561 NULL, NULL, NULL))
2562 || !TEST_int_eq(BN_num_bits(r), kBits))
2563 goto err;
2564 }
2565
8d1ebff4 2566 st = 1;
fe16ae5f 2567 err:
8d1ebff4
RS		 2568 BN_free(r);
2569 return st;
2570}
8ff70f33 2571
7d79d13a
SL		 2572static int primes[] = { 2, 3, 5, 7, 17863 };
2573
2574static int test_is_prime(int i)
6e64c560
AL		 2575{
2576 int ret = 0;
30bea14b 2577 BIGNUM *r = NULL;
7d79d13a 2578 int trial;
6e64c560 2579
7d79d13a 2580 if (!TEST_ptr(r = BN_new()))
6e64c560 2581 goto err;
6e64c560 2582
7d79d13a
SL		 2583 for (trial = 0; trial <= 1; ++trial) {
2584 if (!TEST_true(BN_set_word(r, primes[i]))
42619397 2585 || !TEST_int_eq(BN_check_prime(r, ctx, NULL),
7d79d13a
SL		 2586 1))
2587 goto err;
2588 }
2589
6e64c560 2590 ret = 1;
fe16ae5f 2591 err:
7d79d13a
SL		 2592 BN_free(r);
2593 return ret;
2594}
6e64c560 2595
7d79d13a
SL		 2596static int not_primes[] = { -1, 0, 1, 4 };
2597
2598static int test_not_prime(int i)
2599{
2600 int ret = 0;
2601 BIGNUM *r = NULL;
2602 int trial;
2603
2604 if (!TEST_ptr(r = BN_new()))
2605 goto err;
2606
2607 for (trial = 0; trial <= 1; ++trial) {
2608 if (!TEST_true(BN_set_word(r, not_primes[i]))
42619397 2609 || !TEST_false(BN_check_prime(r, ctx, NULL)))
7d79d13a
SL		 2610 goto err;
2611 }
2612
2613 ret = 1;
fe16ae5f 2614 err:
6e64c560
AL		 2615 BN_free(r);
2616 return ret;
2617}
2618
fe16ae5f
NT		 2619static int test_ctx_set_ct_flag(BN_CTX *c)
2620{
2621 int st = 0;
2622 size_t i;
2623 BIGNUM *b[15];
2624
2625 BN_CTX_start(c);
2626 for (i = 0; i < OSSL_NELEM(b); i++) {
2627 if (!TEST_ptr(b[i] = BN_CTX_get(c)))
2628 goto err;
2629 if (i % 2 == 1)
2630 BN_set_flags(b[i], BN_FLG_CONSTTIME);
2631 }
2632
2633 st = 1;
2634 err:
2635 BN_CTX_end(c);
2636 return st;
2637}
2638
2639static int test_ctx_check_ct_flag(BN_CTX *c)
2640{
2641 int st = 0;
2642 size_t i;
2643 BIGNUM *b[30];
2644
2645 BN_CTX_start(c);
2646 for (i = 0; i < OSSL_NELEM(b); i++) {
2647 if (!TEST_ptr(b[i] = BN_CTX_get(c)))
2648 goto err;
2649 if (!TEST_false(BN_get_flags(b[i], BN_FLG_CONSTTIME)))
2650 goto err;
2651 }
2652
2653 st = 1;
2654 err:
2655 BN_CTX_end(c);
2656 return st;
2657}
2658
2659static int test_ctx_consttime_flag(void)
2660{
2661 /*-
2662 * The constant-time flag should not "leak" among BN_CTX frames:
2663 *
2664 * - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and
2665 * sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained
2666 * from the frame before ending it.
2667 * - test_ctx_check_ct_flag() then starts a new frame and gets a
2668 * number of BIGNUMs from it. In absence of leaks, none of the
2669 * BIGNUMs in the new frame should have BN_FLG_CONSTTIME set.
2670 *
2671 * In actual BN_CTX usage inside libcrypto the leak could happen at
2672 * any depth level in the BN_CTX stack, with varying results
2673 * depending on the patterns of sibling trees of nested function
2674 * calls sharing the same BN_CTX object, and the effect of
2675 * unintended BN_FLG_CONSTTIME on the called BN_* functions.
2676 *
2677 * This simple unit test abstracts away this complexity and verifies
2678 * that the leak does not happen between two sibling functions
2679 * sharing the same BN_CTX object at the same level of nesting.
2680 *
2681 */
2682 BN_CTX *nctx = NULL;
2683 BN_CTX *sctx = NULL;
2684 size_t i = 0;
2685 int st = 0;
2686
2687 if (!TEST_ptr(nctx = BN_CTX_new())
2688 || !TEST_ptr(sctx = BN_CTX_secure_new()))
2689 goto err;
2690
2691 for (i = 0; i < 2; i++) {
2692 BN_CTX *c = i == 0 ? nctx : sctx;
2693 if (!TEST_true(test_ctx_set_ct_flag(c))
2694 || !TEST_true(test_ctx_check_ct_flag(c)))
2695 goto err;
2696 }
2697
2698 st = 1;
2699 err:
2700 BN_CTX_free(nctx);
2701 BN_CTX_free(sctx);
2702 return st;
2703}
2704
b75d6310
CPG		 2705static int test_gcd_prime(void)
2706{
2707 BIGNUM *a = NULL, *b = NULL, *gcd = NULL;
2708 int i, st = 0;
2709
2710 if (!TEST_ptr(a = BN_new())
2711 || !TEST_ptr(b = BN_new())
2712 || !TEST_ptr(gcd = BN_new()))
2713 goto err;
2714
2715 if (!TEST_true(BN_generate_prime_ex(a, 1024, 0, NULL, NULL, NULL)))
2716 goto err;
2717 for (i = 0; i < NUM0; i++) {
2718 if (!TEST_true(BN_generate_prime_ex(b, 1024, 0,
2719 NULL, NULL, NULL))
2720 || !TEST_true(BN_gcd(gcd, a, b, ctx))
2721 || !TEST_true(BN_is_one(gcd)))
2722 goto err;
2723 }
2724
2725 st = 1;
2726 err:
2727 BN_free(a);
2728 BN_free(b);
2729 BN_free(gcd);
2730 return st;
2731}
2732
18d42d8d
BE		 2733typedef struct mod_exp_test_st
2734{
2735 const char *base;
2736 const char *exp;
2737 const char *mod;
2738 const char *res;
2739} MOD_EXP_TEST;
2740
2741static const MOD_EXP_TEST ModExpTests[] = {
2742 /* original test vectors for rsaz_512_sqr bug, by OSS-Fuzz */
2743 {
2744 "1166180238001879113042182292626169621106255558914000595999312084"
2745 "4627946820899490684928760491249738643524880720584249698100907201"
2746 "002086675047927600340800371",
2747 "8000000000000000000000000000000000000000000000000000000000000000"
2748 "0000000000000000000000000000000000000000000000000000000000000000"
2749 "00000000",
2750 "1340780792684523720980737645613191762604395855615117867483316354"
2751 "3294276330515137663421134775482798690129946803802212663956180562"
2752 "088664022929883876655300863",
2753 "8243904058268085430037326628480645845409758077568738532059032482"
2754 "8294114415890603594730158120426756266457928475330450251339773498"
2755 "26758407619521544102068438"
2756 },
2757 {
2758 "4974270041410803822078866696159586946995877618987010219312844726"
2759 "0284386121835740784990869050050504348861513337232530490826340663"
2760 "197278031692737429054",
2761 "4974270041410803822078866696159586946995877428188754995041148539"
2762 "1663243362592271353668158565195557417149981094324650322556843202"
2763 "946445882670777892608",
2764 "1340780716511420227215592830971452482815377482627251725537099028"
2765 "4429769497230131760206012644403029349547320953206103351725462999"
2766 "947509743623340557059752191",
2767 "5296244594780707015616522701706118082963369547253192207884519362"
2768 "1767869984947542695665420219028522815539559194793619684334900442"
2769 "49304558011362360473525933"
2770 },
2771 /* test vectors for rsaz_512_srq bug, with rcx/rbx=1 */
2772 { /* between first and second iteration */
2773 "5148719036160389201525610950887605325980251964889646556085286545"
2774 "3931548809178823413169359635978762036512397113080988070677858033"
2775 "36463909753993540214027190",
2776 "6703903964971298549787012499102923063739682910296196688861780721"
2777 "8608820150367734884009371490834517138450159290932430254268769414"
2778 "05973284973216824503042158",
2779 "6703903964971298549787012499102923063739682910296196688861780721"
2780 "8608820150367734884009371490834517138450159290932430254268769414"
2781 "05973284973216824503042159",
2782 "1"
2783 },
2784 { /* between second and third iteration */
2785 "8908340854353752577419678771330460827942371434853054158622636544"
2786 "8151360109722890949471912566649465436296659601091730745087014189"
2787 "2672764191218875181826063",
2788 "6703903964971298549787012499102923063739682910296196688861780721"
2789 "8608820150367734884009371490834517138450159290932430254268769414"
2790 "05973284973216824503042158",
2791 "6703903964971298549787012499102923063739682910296196688861780721"
2792 "8608820150367734884009371490834517138450159290932430254268769414"
2793 "05973284973216824503042159",
2794 "1"
2795 },
2796 { /* between third and fourth iteration */
2797 "3427446396505596330634350984901719674479522569002785244080234738"
2798 "4288743635435746136297299366444548736533053717416735379073185344"
2799 "26985272974404612945608761",
2800 "6703903964971298549787012499102923063739682910296196688861780721"
2801 "8608820150367734884009371490834517138450159290932430254268769414"
2802 "05973284973216824503042158",
2803 "6703903964971298549787012499102923063739682910296196688861780721"
2804 "8608820150367734884009371490834517138450159290932430254268769414"
2805 "05973284973216824503042159",
2806 "1"
2807 },
2808 { /* between fourth and fifth iteration */
2809 "3472743044917564564078857826111874560045331237315597383869652985"
2810 "6919870028890895988478351133601517365908445058405433832718206902"
2811 "4088133164805266956353542",
2812 "6703903964971298549787012499102923063739682910296196688861780721"
2813 "8608820150367734884009371490834517138450159290932430254268769414"
2814 "05973284973216824503042158",
2815 "6703903964971298549787012499102923063739682910296196688861780721"
2816 "8608820150367734884009371490834517138450159290932430254268769414"
2817 "05973284973216824503042159",
2818 "1"
2819 },
2820 { /* between fifth and sixth iteration */
2821 "3608632990153469264412378349742339216742409743898601587274768025"
2822 "0110772032985643555192767717344946174122842255204082586753499651"
2823 "14483434992887431333675068",
2824 "6703903964971298549787012499102923063739682910296196688861780721"
2825 "8608820150367734884009371490834517138450159290932430254268769414"
2826 "05973284973216824503042158",
2827 "6703903964971298549787012499102923063739682910296196688861780721"
2828 "8608820150367734884009371490834517138450159290932430254268769414"
2829 "05973284973216824503042159",
2830 "1"
2831 },
2832 { /* between sixth and seventh iteration */
2833 "8455374370234070242910508226941981520235709767260723212165264877"
2834 "8689064388017521524568434328264431772644802567028663962962025746"
2835 "9283458217850119569539086",
2836 "6703903964971298549787012499102923063739682910296196688861780721"
2837 "8608820150367734884009371490834517138450159290932430254268769414"
2838 "05973284973216824503042158",
2839 "6703903964971298549787012499102923063739682910296196688861780721"
2840 "8608820150367734884009371490834517138450159290932430254268769414"
2841 "05973284973216824503042159",
2842 "1"
2843 },
2844 { /* between seventh and eighth iteration */
2845 "5155371529688532178421209781159131443543419764974688878527112131"
2846 "7446518205609427412336183157918981038066636807317733319323257603"
2847 "04416292040754017461076359",
2848 "1005585594745694782468051874865438459560952436544429503329267108"
2849 "2791323022555160232601405723625177570767523893639864538140315412"
2850 "108959927459825236754563832",
2851 "1005585594745694782468051874865438459560952436544429503329267108"
2852 "2791323022555160232601405723625177570767523893639864538140315412"
2853 "108959927459825236754563833",
2854 "1"
2855 },
2856 /* test vectors for rsaz_512_srq bug, with rcx/rbx=2 */
2857 { /* between first and second iteration */
2858 "3155666506033786929967309937640790361084670559125912405342594979"
2859 "4345142818528956285490897841406338022378565972533508820577760065"
2860 "58494345853302083699912572",
2861 "6703903964971298549787012499102923063739682910296196688861780721"
2862 "8608820150367734884009371490834517138450159290932430254268769414"
2863 "05973284973216824503042158",
2864 "6703903964971298549787012499102923063739682910296196688861780721"
2865 "8608820150367734884009371490834517138450159290932430254268769414"
2866 "05973284973216824503042159",
2867 "1"
2868 },
2869 { /* between second and third iteration */
2870 "3789819583801342198190405714582958759005991915505282362397087750"
2871 "4213544724644823098843135685133927198668818185338794377239590049"
2872 "41019388529192775771488319",
2873 "6703903964971298549787012499102923063739682910296196688861780721"
2874 "8608820150367734884009371490834517138450159290932430254268769414"
2875 "05973284973216824503042158",
2876 "6703903964971298549787012499102923063739682910296196688861780721"
2877 "8608820150367734884009371490834517138450159290932430254268769414"
2878 "05973284973216824503042159",
2879 "1"
2880 },
2881 { /* between third and forth iteration */
2882 "4695752552040706867080542538786056470322165281761525158189220280"
2883 "4025547447667484759200742764246905647644662050122968912279199065"
2884 "48065034299166336940507214",
2885 "6703903964971298549787012499102923063739682910296196688861780721"
2886 "8608820150367734884009371490834517138450159290932430254268769414"
2887 "05973284973216824503042158",
2888 "6703903964971298549787012499102923063739682910296196688861780721"
2889 "8608820150367734884009371490834517138450159290932430254268769414"
2890 "05973284973216824503042159",
2891 "1"
2892 },
2893 { /* between forth and fifth iteration */
2894 "2159140240970485794188159431017382878636879856244045329971239574"
2895 "8919691133560661162828034323196457386059819832804593989740268964"
2896 "74502911811812651475927076",
2897 "6703903964971298549787012499102923063739682910296196688861780721"
2898 "8608820150367734884009371490834517138450159290932430254268769414"
2899 "05973284973216824503042158",
2900 "6703903964971298549787012499102923063739682910296196688861780721"
2901 "8608820150367734884009371490834517138450159290932430254268769414"
2902 "05973284973216824503042159",
2903 "1"
2904 },
2905 { /* between fifth and sixth iteration */
2906 "5239312332984325668414624633307915097111691815000872662334695514"
2907 "5436533521392362443557163429336808208137221322444780490437871903"
2908 "99972784701334569424519255",
2909 "6703903964971298549787012499102923063739682910296196688861780721"
2910 "8608820150367734884009371490834517138450159290932430254268769414"
2911 "05973284973216824503042158",
2912 "6703903964971298549787012499102923063739682910296196688861780721"
2913 "8608820150367734884009371490834517138450159290932430254268769414"
2914 "05973284973216824503042159",
2915 "1"
2916 },
2917 { /* between sixth and seventh iteration */
2918 "1977953647322612860406858017869125467496941904523063466791308891"
2919 "1172796739058531929470539758361774569875505293428856181093904091"
2920 "33788264851714311303725089",
2921 "6703903964971298549787012499102923063739682910296196688861780721"
2922 "8608820150367734884009371490834517138450159290932430254268769414"
2923 "05973284973216824503042158",
2924 "6703903964971298549787012499102923063739682910296196688861780721"
2925 "8608820150367734884009371490834517138450159290932430254268769414"
2926 "05973284973216824503042159",
2927 "1"
2928 },
2929 { /* between seventh and eighth iteration */
2930 "6456987954117763835533395796948878140715006860263624787492985786"
2931 "8514630216966738305923915688821526449499763719943997120302368211"
2932 "04813318117996225041943964",
2933 "1340780792994259709957402499820584612747936582059239337772356144"
2934 "3721764030073546976801874298166903427690031858186486050853753882"
2935 "811946551499689575296532556",
2936 "1340780792994259709957402499820584612747936582059239337772356144"
2937 "3721764030073546976801874298166903427690031858186486050853753882"
2938 "811946551499689575296532557",
2939 "1"
2940 }
2941};
2942
2943static int test_mod_exp(int i)
2944{
2945 const MOD_EXP_TEST *test = &ModExpTests[i];
2946 int res = 0;
2947 BIGNUM* result = NULL;
2948 BIGNUM *base = NULL, *exponent = NULL, *modulo = NULL;
2949 char *s = NULL;
2950
2951 if (!TEST_ptr(result = BN_new())
2952 || !TEST_true(BN_dec2bn(&base, test->base))
2953 || !TEST_true(BN_dec2bn(&exponent, test->exp))
2954 || !TEST_true(BN_dec2bn(&modulo, test->mod)))
2955 goto err;
2956
2957 if (!TEST_int_eq(BN_mod_exp(result, base, exponent, modulo, ctx), 1))
2958 goto err;
2959
2960 if (!TEST_ptr(s = BN_bn2dec(result)))
2961 goto err;
2962
2963 if (!TEST_mem_eq(s, strlen(s), test->res, strlen(test->res)))
2964 goto err;
2965
2966 res = 1;
2967
2968 err:
2969 OPENSSL_free(s);
2970 BN_free(result);
2971 BN_free(base);
2972 BN_free(exponent);
2973 BN_free(modulo);
2974 return res;
2975}
2976
2977static int test_mod_exp_consttime(int i)
2978{
2979 const MOD_EXP_TEST *test = &ModExpTests[i];
2980 int res = 0;
2981 BIGNUM* result = NULL;
2982 BIGNUM *base = NULL, *exponent = NULL, *modulo = NULL;
2983 char *s = NULL;
2984
2985 if (!TEST_ptr(result = BN_new())
2986 || !TEST_true(BN_dec2bn(&base, test->base))
2987 || !TEST_true(BN_dec2bn(&exponent, test->exp))
2988 || !TEST_true(BN_dec2bn(&modulo, test->mod)))
2989 goto err;
2990
2991 BN_set_flags(base, BN_FLG_CONSTTIME);
2992 BN_set_flags(exponent, BN_FLG_CONSTTIME);
2993 BN_set_flags(modulo, BN_FLG_CONSTTIME);
2994
2995 if (!TEST_int_eq(BN_mod_exp(result, base, exponent, modulo, ctx), 1))
2996 goto err;
2997
2998 if (!TEST_ptr(s = BN_bn2dec(result)))
2999 goto err;
3000
3001 if (!TEST_mem_eq(s, strlen(s), test->res, strlen(test->res)))
3002 goto err;
3003
3004 res = 1;
3005
3006 err:
3007 OPENSSL_free(s);
3008 BN_free(result);
3009 BN_free(base);
3010 BN_free(exponent);
3011 BN_free(modulo);
3012 return res;
3013}
3014
8d1ebff4 3015static int file_test_run(STANZA *s)
0f113f3e 3016{
8d1ebff4
RS		 3017 static const FILETEST filetests[] = {
3018 {"Sum", file_sum},
3019 {"LShift1", file_lshift1},
3020 {"LShift", file_lshift},
3021 {"RShift", file_rshift},
3022 {"Square", file_square},
3023 {"Product", file_product},
3024 {"Quotient", file_quotient},
3025 {"ModMul", file_modmul},
3026 {"ModExp", file_modexp},
3027 {"Exp", file_exp},
3028 {"ModSqrt", file_modsqrt},
b75d6310 3029 {"GCD", file_gcd},
8d1ebff4
RS		 3030 };
3031 int numtests = OSSL_NELEM(filetests);
3032 const FILETEST *tp = filetests;
0f113f3e 3033
8d1ebff4 3034 for ( ; --numtests >= 0; tp++) {
30bea14b
RS		 3035 if (findattr(s, tp->name) != NULL) {
3036 if (!tp->func(s)) {
ae269dd8
RS		 3037 TEST_info("%s:%d: Failed %s test",
3038 s->test_file, s->start, tp->name);
30bea14b
RS		 3039 return 0;
3040 }
3041 return 1;
3042 }
0f113f3e 3043 }
ae269dd8 3044 TEST_info("%s:%d: Unknown test", s->test_file, s->start);
8d1ebff4 3045 return 0;
0f113f3e 3046}
d02b48c6 3047
e1cfd184 3048static int run_file_tests(int i)
0f113f3e 3049{
ae269dd8 3050 STANZA *s = NULL;
ad887416 3051 char *testfile = test_get_argument(i);
ae269dd8 3052 int c;
0f113f3e 3053
ae269dd8 3054 if (!TEST_ptr(s = OPENSSL_zalloc(sizeof(*s))))
e1cfd184 3055 return 0;
ad887416 3056 if (!test_start_file(s, testfile)) {
ae269dd8
RS		 3057 OPENSSL_free(s);
3058 return 0;
3059 }
e1cfd184 3060
8d1ebff4 3061 /* Read test file. */
ae269dd8
RS		 3062 while (!BIO_eof(s->fp) && test_readstanza(s)) {
3063 if (s->numpairs == 0)
8d1ebff4 3064 continue;
ae269dd8
RS		 3065 if (!file_test_run(s))
3066 s->errors++;
3067 s->numtests++;
3068 test_clearstanza(s);
0f113f3e 3069 }
ae269dd8
RS		 3070 test_end_file(s);
3071 c = s->errors;
3072 OPENSSL_free(s);
8d1ebff4 3073
ae269dd8 3074 return c == 0;
0f113f3e 3075}
d02b48c6 3076
5d2f3e4a
P		 3077typedef enum OPTION_choice {
3078 OPT_ERR = -1,
3079 OPT_EOF = 0,
3080 OPT_STOCHASTIC_TESTS,
3081 OPT_TEST_ENUM
3082} OPTION_CHOICE;
3083
a43ce58f
SL		 3084const OPTIONS *test_get_options(void)
3085{
a43ce58f
SL		 3086 static const OPTIONS test_options[] = {
3087 OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("[file...]\n"),
5d2f3e4a 3088 { "stochastic", OPT_STOCHASTIC_TESTS, '-', "Run stochastic tests" },
a43ce58f
SL		 3089 { OPT_HELP_STR, 1, '-',
3090 "file\tFile to run tests on. Normal tests are not run\n" },
3091 { NULL }
3092 };
3093 return test_options;
3094}
e1cfd184 3095
ad887416 3096int setup_tests(void)
0f113f3e 3097{
5d2f3e4a
P		 3098 OPTION_CHOICE o;
3099 int n, stochastic = 0;
3100
3101 while ((o = opt_next()) != OPT_EOF) {
3102 switch (o) {
3103 case OPT_STOCHASTIC_TESTS:
3104 stochastic = 1;
3105 break;
3106 case OPT_TEST_CASES:
3107 break;
3108 default:
3109 case OPT_ERR:
dd6b2706 3110 return 0;
5d2f3e4a
P		 3111 }
3112 }
3113 n = test_get_argument_count();
8d1ebff4 3114
e1cfd184 3115 if (!TEST_ptr(ctx = BN_CTX_new()))
ad887416 3116 return 0;
e1cfd184 3117
ad887416 3118 if (n == 0) {
e1cfd184
RS		 3119 ADD_TEST(test_sub);
3120 ADD_TEST(test_div_recip);
105c8315
P		 3121 ADD_ALL_TESTS(test_signed_mod_replace_ab, OSSL_NELEM(signed_mod_tests));
3122 ADD_ALL_TESTS(test_signed_mod_replace_ba, OSSL_NELEM(signed_mod_tests));
e1cfd184
RS		 3123 ADD_TEST(test_mod);
3124 ADD_TEST(test_modexp_mont5);
3125 ADD_TEST(test_kronecker);
3126 ADD_TEST(test_rand);
3127 ADD_TEST(test_bn2padded);
3128 ADD_TEST(test_dec2bn);
3129 ADD_TEST(test_hex2bn);
3130 ADD_TEST(test_asc2bn);
3131 ADD_ALL_TESTS(test_mpi, (int)OSSL_NELEM(kMPITests));
5288303d 3132 ADD_ALL_TESTS(test_bn2signed, (int)OSSL_NELEM(kSignedTests_BE));
e1cfd184
RS		 3133 ADD_TEST(test_negzero);
3134 ADD_TEST(test_badmod);
3135 ADD_TEST(test_expmodzero);
adf65243 3136 ADD_TEST(test_expmodone);
291f616c
BE		 3137 ADD_ALL_TESTS(test_smallprime, 16);
3138 ADD_ALL_TESTS(test_smallsafeprime, 16);
9e5b50b5 3139 ADD_TEST(test_swap);
fe16ae5f 3140 ADD_TEST(test_ctx_consttime_flag);
8d1ebff4 3141#ifndef OPENSSL_NO_EC2M
e1cfd184
RS		 3142 ADD_TEST(test_gf2m_add);
3143 ADD_TEST(test_gf2m_mod);
3144 ADD_TEST(test_gf2m_mul);
3145 ADD_TEST(test_gf2m_sqr);
3146 ADD_TEST(test_gf2m_modinv);
3147 ADD_TEST(test_gf2m_moddiv);
3148 ADD_TEST(test_gf2m_modexp);
3149 ADD_TEST(test_gf2m_modsqrt);
3150 ADD_TEST(test_gf2m_modsolvequad);
8d1ebff4 3151#endif
7d79d13a
SL		 3152 ADD_ALL_TESTS(test_is_prime, (int)OSSL_NELEM(primes));
3153 ADD_ALL_TESTS(test_not_prime, (int)OSSL_NELEM(not_primes));
b75d6310 3154 ADD_TEST(test_gcd_prime);
18d42d8d
BE		 3155 ADD_ALL_TESTS(test_mod_exp, (int)OSSL_NELEM(ModExpTests));
3156 ADD_ALL_TESTS(test_mod_exp_consttime, (int)OSSL_NELEM(ModExpTests));
5d2f3e4a
P		 3157 if (stochastic)
3158 ADD_TEST(test_rand_range);
e1cfd184 3159 } else {
ad887416 3160 ADD_ALL_TESTS(run_file_tests, n);
e1cfd184 3161 }
ad887416
P		 3162 return 1;
3163}
8d1ebff4 3164
ad887416
P		 3165void cleanup_tests(void)
3166{
8d1ebff4 3167 BN_CTX_free(ctx);
0f113f3e 3168}
A mirror of the official openssl repository