]>
git.ipfire.org Git - thirdparty/openssl.git/blob - test/bntest.c
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
57 /* ====================================================================
58 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Portions of the attached software ("Contribution") are developed by
61 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63 * The Contribution is licensed pursuant to the Eric Young open source
64 * license provided above.
66 * The binary polynomial arithmetic software is originally written by
67 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
77 #include <openssl/bio.h>
78 #include <openssl/bn.h>
79 #include <openssl/rand.h>
80 #include <openssl/x509.h>
81 #include <openssl/err.h>
84 * In bn_lcl.h, bn_expand() is defined as a static ossl_inline function.
85 * This is fine in itself, it will end up as an unused static function in
86 * the worst case. However, it referenses bn_expand2(), which is a private
87 * function in libcrypto and therefore unavailable on some systems. This
88 * may result in a linker error because of unresolved symbols.
90 * To avoid this, we define a dummy variant of bn_expand2() here, and to
91 * avoid possible clashes with libcrypto, we rename it first, using a macro.
93 #define bn_expand2 dummy_bn_expand2
94 BIGNUM
*bn_expand2(BIGNUM
*b
, int words
) { return NULL
; }
96 #include "../crypto/bn/bn_lcl.h"
98 static const int num0
= 100; /* number of tests */
99 static const int num1
= 50; /* additional tests for some functions */
100 static const int num2
= 5; /* number of tests for slow functions */
102 int test_add(BIO
*bp
);
103 int test_sub(BIO
*bp
);
104 int test_lshift1(BIO
*bp
);
105 int test_lshift(BIO
*bp
, BN_CTX
*ctx
, BIGNUM
*a_
);
106 int test_rshift1(BIO
*bp
);
107 int test_rshift(BIO
*bp
, BN_CTX
*ctx
);
108 int test_div(BIO
*bp
, BN_CTX
*ctx
);
109 int test_div_word(BIO
*bp
);
110 int test_div_recp(BIO
*bp
, BN_CTX
*ctx
);
111 int test_mul(BIO
*bp
);
112 int test_sqr(BIO
*bp
, BN_CTX
*ctx
);
113 int test_mont(BIO
*bp
, BN_CTX
*ctx
);
114 int test_mod(BIO
*bp
, BN_CTX
*ctx
);
115 int test_mod_mul(BIO
*bp
, BN_CTX
*ctx
);
116 int test_mod_exp(BIO
*bp
, BN_CTX
*ctx
);
117 int test_mod_exp_mont_consttime(BIO
*bp
, BN_CTX
*ctx
);
118 int test_mod_exp_mont5(BIO
*bp
, BN_CTX
*ctx
);
119 int test_exp(BIO
*bp
, BN_CTX
*ctx
);
120 int test_gf2m_add(BIO
*bp
);
121 int test_gf2m_mod(BIO
*bp
);
122 int test_gf2m_mod_mul(BIO
*bp
, BN_CTX
*ctx
);
123 int test_gf2m_mod_sqr(BIO
*bp
, BN_CTX
*ctx
);
124 int test_gf2m_mod_inv(BIO
*bp
, BN_CTX
*ctx
);
125 int test_gf2m_mod_div(BIO
*bp
, BN_CTX
*ctx
);
126 int test_gf2m_mod_exp(BIO
*bp
, BN_CTX
*ctx
);
127 int test_gf2m_mod_sqrt(BIO
*bp
, BN_CTX
*ctx
);
128 int test_gf2m_mod_solve_quad(BIO
*bp
, BN_CTX
*ctx
);
129 int test_kron(BIO
*bp
, BN_CTX
*ctx
);
130 int test_sqrt(BIO
*bp
, BN_CTX
*ctx
);
131 int test_small_prime(BIO
*bp
, BN_CTX
*ctx
);
133 static int results
= 0;
135 static unsigned char lst
[] =
136 "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
137 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
139 static const char rnd_seed
[] =
140 "string to make the random number generator think it has entropy";
142 static void message(BIO
*out
, char *m
)
144 fprintf(stderr
, "test %s\n", m
);
145 BIO_puts(out
, "print \"test ");
147 BIO_puts(out
, "\\n\"\n");
150 int main(int argc
, char *argv
[])
154 char *outfile
= NULL
;
158 RAND_seed(rnd_seed
, sizeof rnd_seed
); /* or BN_generate_prime may fail */
163 if (strcmp(*argv
, "-results") == 0)
165 else if (strcmp(*argv
, "-out") == 0) {
178 out
= BIO_new(BIO_s_file());
181 if (outfile
== NULL
) {
182 BIO_set_fp(out
, stdout
, BIO_NOCLOSE
| BIO_FP_TEXT
);
184 if (!BIO_write_filename(out
, outfile
)) {
189 #ifdef OPENSSL_SYS_VMS
191 BIO
*tmpbio
= BIO_new(BIO_f_linebuffer());
192 out
= BIO_push(tmpbio
, out
);
197 BIO_puts(out
, "obase=16\nibase=16\n");
199 message(out
, "BN_add");
202 (void)BIO_flush(out
);
204 message(out
, "BN_sub");
207 (void)BIO_flush(out
);
209 message(out
, "BN_lshift1");
210 if (!test_lshift1(out
))
212 (void)BIO_flush(out
);
214 message(out
, "BN_lshift (fixed)");
215 if (!test_lshift(out
, ctx
, BN_bin2bn(lst
, sizeof(lst
) - 1, NULL
)))
217 (void)BIO_flush(out
);
219 message(out
, "BN_lshift");
220 if (!test_lshift(out
, ctx
, NULL
))
222 (void)BIO_flush(out
);
224 message(out
, "BN_rshift1");
225 if (!test_rshift1(out
))
227 (void)BIO_flush(out
);
229 message(out
, "BN_rshift");
230 if (!test_rshift(out
, ctx
))
232 (void)BIO_flush(out
);
234 message(out
, "BN_sqr");
235 if (!test_sqr(out
, ctx
))
237 (void)BIO_flush(out
);
239 message(out
, "BN_mul");
242 (void)BIO_flush(out
);
244 message(out
, "BN_div");
245 if (!test_div(out
, ctx
))
247 (void)BIO_flush(out
);
249 message(out
, "BN_div_word");
250 if (!test_div_word(out
))
252 (void)BIO_flush(out
);
254 message(out
, "BN_div_recp");
255 if (!test_div_recp(out
, ctx
))
257 (void)BIO_flush(out
);
259 message(out
, "BN_mod");
260 if (!test_mod(out
, ctx
))
262 (void)BIO_flush(out
);
264 message(out
, "BN_mod_mul");
265 if (!test_mod_mul(out
, ctx
))
267 (void)BIO_flush(out
);
269 message(out
, "BN_mont");
270 if (!test_mont(out
, ctx
))
272 (void)BIO_flush(out
);
274 message(out
, "BN_mod_exp");
275 if (!test_mod_exp(out
, ctx
))
277 (void)BIO_flush(out
);
279 message(out
, "BN_mod_exp_mont_consttime");
280 if (!test_mod_exp_mont_consttime(out
, ctx
))
282 if (!test_mod_exp_mont5(out
, ctx
))
284 (void)BIO_flush(out
);
286 message(out
, "BN_exp");
287 if (!test_exp(out
, ctx
))
289 (void)BIO_flush(out
);
291 message(out
, "BN_kronecker");
292 if (!test_kron(out
, ctx
))
294 (void)BIO_flush(out
);
296 message(out
, "BN_mod_sqrt");
297 if (!test_sqrt(out
, ctx
))
299 (void)BIO_flush(out
);
301 message(out
, "Small prime generation");
302 if (!test_small_prime(out
, ctx
))
304 (void)BIO_flush(out
);
306 #ifndef OPENSSL_NO_EC2M
307 message(out
, "BN_GF2m_add");
308 if (!test_gf2m_add(out
))
310 (void)BIO_flush(out
);
312 message(out
, "BN_GF2m_mod");
313 if (!test_gf2m_mod(out
))
315 (void)BIO_flush(out
);
317 message(out
, "BN_GF2m_mod_mul");
318 if (!test_gf2m_mod_mul(out
, ctx
))
320 (void)BIO_flush(out
);
322 message(out
, "BN_GF2m_mod_sqr");
323 if (!test_gf2m_mod_sqr(out
, ctx
))
325 (void)BIO_flush(out
);
327 message(out
, "BN_GF2m_mod_inv");
328 if (!test_gf2m_mod_inv(out
, ctx
))
330 (void)BIO_flush(out
);
332 message(out
, "BN_GF2m_mod_div");
333 if (!test_gf2m_mod_div(out
, ctx
))
335 (void)BIO_flush(out
);
337 message(out
, "BN_GF2m_mod_exp");
338 if (!test_gf2m_mod_exp(out
, ctx
))
340 (void)BIO_flush(out
);
342 message(out
, "BN_GF2m_mod_sqrt");
343 if (!test_gf2m_mod_sqrt(out
, ctx
))
345 (void)BIO_flush(out
);
347 message(out
, "BN_GF2m_mod_solve_quad");
348 if (!test_gf2m_mod_solve_quad(out
, ctx
))
350 (void)BIO_flush(out
);
357 BIO_puts(out
, "1\n"); /* make sure the Perl script fed by bc
358 * notices the failure, see test_bn in
359 * test/Makefile.ssl */
360 (void)BIO_flush(out
);
362 ERR_print_errors_fp(stderr
);
366 int test_add(BIO
*bp
)
375 BN_bntest_rand(a
, 512, 0, 0);
376 for (i
= 0; i
< num0
; i
++) {
377 BN_bntest_rand(b
, 450 + i
, 0, 0);
395 if (!BN_is_zero(c
)) {
396 fprintf(stderr
, "Add test failed!\n");
406 int test_sub(BIO
*bp
)
415 for (i
= 0; i
< num0
+ num1
; i
++) {
417 BN_bntest_rand(a
, 512, 0, 0);
419 if (BN_set_bit(a
, i
) == 0)
423 BN_bntest_rand(b
, 400 + i
- num1
, 0, 0);
440 if (!BN_is_zero(c
)) {
441 fprintf(stderr
, "Subtract test failed!\n");
451 int test_div(BIO
*bp
, BN_CTX
*ctx
)
453 BIGNUM
*a
, *b
, *c
, *d
, *e
;
465 if (BN_div(d
, c
, a
, b
, ctx
)) {
466 fprintf(stderr
, "Division by zero succeeded!\n");
470 for (i
= 0; i
< num0
+ num1
; i
++) {
472 BN_bntest_rand(a
, 400, 0, 0);
477 BN_bntest_rand(b
, 50 + 3 * (i
- num1
), 0, 0);
480 BN_div(d
, c
, a
, b
, ctx
);
500 BN_mul(e
, d
, b
, ctx
);
503 if (!BN_is_zero(d
)) {
504 fprintf(stderr
, "Division test failed!\n");
516 static void print_word(BIO
*bp
, BN_ULONG w
)
518 int i
= sizeof(w
) * 8;
524 byte
= (unsigned char)(w
>> i
);
526 fmt
= byte
? "%X" : NULL
;
531 BIO_printf(bp
, fmt
, byte
);
534 /* If we haven't printed anything, at least print a zero! */
539 int test_div_word(BIO
*bp
)
548 for (i
= 0; i
< num0
; i
++) {
550 BN_bntest_rand(a
, 512, -1, 0);
551 BN_bntest_rand(b
, BN_BITS2
, -1, 0);
552 } while (BN_is_zero(b
));
556 r
= BN_div_word(b
, s
);
580 if (!BN_is_zero(b
)) {
581 fprintf(stderr
, "Division (word) test failed!\n");
590 int test_div_recp(BIO
*bp
, BN_CTX
*ctx
)
592 BIGNUM
*a
, *b
, *c
, *d
, *e
;
596 recp
= BN_RECP_CTX_new();
603 for (i
= 0; i
< num0
+ num1
; i
++) {
605 BN_bntest_rand(a
, 400, 0, 0);
610 BN_bntest_rand(b
, 50 + 3 * (i
- num1
), 0, 0);
613 BN_RECP_CTX_set(recp
, b
, ctx
);
614 BN_div_recp(d
, c
, a
, recp
, ctx
);
634 BN_mul(e
, d
, b
, ctx
);
637 if (!BN_is_zero(d
)) {
638 fprintf(stderr
, "Reciprocal division test failed!\n");
639 fprintf(stderr
, "a=");
640 BN_print_fp(stderr
, a
);
641 fprintf(stderr
, "\nb=");
642 BN_print_fp(stderr
, b
);
643 fprintf(stderr
, "\n");
652 BN_RECP_CTX_free(recp
);
656 int test_mul(BIO
*bp
)
658 BIGNUM
*a
, *b
, *c
, *d
, *e
;
672 for (i
= 0; i
< num0
+ num1
; i
++) {
674 BN_bntest_rand(a
, 100, 0, 0);
675 BN_bntest_rand(b
, 100, 0, 0);
677 BN_bntest_rand(b
, i
- num1
, 0, 0);
680 BN_mul(c
, a
, b
, ctx
);
691 BN_div(d
, e
, c
, a
, ctx
);
693 if (!BN_is_zero(d
) || !BN_is_zero(e
)) {
694 fprintf(stderr
, "Multiplication test failed!\n");
707 int test_sqr(BIO
*bp
, BN_CTX
*ctx
)
709 BIGNUM
*a
, *c
, *d
, *e
;
716 if (a
== NULL
|| c
== NULL
|| d
== NULL
|| e
== NULL
) {
720 for (i
= 0; i
< num0
; i
++) {
721 BN_bntest_rand(a
, 40 + i
* 10, 0, 0);
734 BN_div(d
, e
, c
, a
, ctx
);
736 if (!BN_is_zero(d
) || !BN_is_zero(e
)) {
737 fprintf(stderr
, "Square test failed!\n");
742 /* Regression test for a BN_sqr overflow bug. */
744 "80000000000000008000000000000001"
745 "FFFFFFFFFFFFFFFE0000000000000000");
757 BN_mul(d
, a
, a
, ctx
);
759 fprintf(stderr
, "Square test failed: BN_sqr and BN_mul produce "
760 "different results!\n");
764 /* Regression test for a BN_sqr overflow bug. */
766 "80000000000000000000000080000001"
767 "FFFFFFFE000000000000000000000000");
779 BN_mul(d
, a
, a
, ctx
);
781 fprintf(stderr
, "Square test failed: BN_sqr and BN_mul produce "
782 "different results!\n");
794 int test_mont(BIO
*bp
, BN_CTX
*ctx
)
796 BIGNUM
*a
, *b
, *c
, *d
, *A
, *B
;
809 mont
= BN_MONT_CTX_new();
814 if (BN_MONT_CTX_set(mont
, n
, ctx
)) {
815 fprintf(stderr
, "BN_MONT_CTX_set succeeded for zero modulus!\n");
820 if (BN_MONT_CTX_set(mont
, n
, ctx
)) {
821 fprintf(stderr
, "BN_MONT_CTX_set succeeded for even modulus!\n");
825 BN_bntest_rand(a
, 100, 0, 0);
826 BN_bntest_rand(b
, 100, 0, 0);
827 for (i
= 0; i
< num2
; i
++) {
828 int bits
= (200 * (i
+ 1)) / num2
;
832 BN_bntest_rand(n
, bits
, 0, 1);
833 BN_MONT_CTX_set(mont
, n
, ctx
);
835 BN_nnmod(a
, a
, n
, ctx
);
836 BN_nnmod(b
, b
, n
, ctx
);
838 BN_to_montgomery(A
, a
, mont
, ctx
);
839 BN_to_montgomery(B
, b
, mont
, ctx
);
841 BN_mod_mul_montgomery(c
, A
, B
, mont
, ctx
);
842 BN_from_montgomery(A
, c
, mont
, ctx
);
849 BN_print(bp
, &mont
->N
);
855 BN_mod_mul(d
, a
, b
, n
, ctx
);
857 if (!BN_is_zero(d
)) {
858 fprintf(stderr
, "Montgomery multiplication test failed!\n");
862 BN_MONT_CTX_free(mont
);
873 int test_mod(BIO
*bp
, BN_CTX
*ctx
)
875 BIGNUM
*a
, *b
, *c
, *d
, *e
;
884 BN_bntest_rand(a
, 1024, 0, 0);
885 for (i
= 0; i
< num0
; i
++) {
886 BN_bntest_rand(b
, 450 + i
* 10, 0, 0);
889 BN_mod(c
, a
, b
, ctx
);
900 BN_div(d
, e
, a
, b
, ctx
);
902 if (!BN_is_zero(e
)) {
903 fprintf(stderr
, "Modulo test failed!\n");
915 int test_mod_mul(BIO
*bp
, BN_CTX
*ctx
)
917 BIGNUM
*a
, *b
, *c
, *d
, *e
;
929 if (BN_mod_mul(e
, a
, b
, c
, ctx
)) {
930 fprintf(stderr
, "BN_mod_mul with zero modulus succeeded!\n");
934 for (j
= 0; j
< 3; j
++) {
935 BN_bntest_rand(c
, 1024, 0, 0);
936 for (i
= 0; i
< num0
; i
++) {
937 BN_bntest_rand(a
, 475 + i
* 10, 0, 0);
938 BN_bntest_rand(b
, 425 + i
* 11, 0, 0);
941 if (!BN_mod_mul(e
, a
, b
, c
, ctx
)) {
944 while ((l
= ERR_get_error()))
945 fprintf(stderr
, "ERROR:%s\n", ERR_error_string(l
, NULL
));
955 if ((a
->neg
^ b
->neg
) && !BN_is_zero(e
)) {
957 * If (a*b) % c is negative, c must be added in order
958 * to obtain the normalized remainder (new with
959 * OpenSSL 0.9.7, previous versions of BN_mod_mul
960 * could generate negative results)
970 BN_mul(d
, a
, b
, ctx
);
972 BN_div(a
, b
, d
, c
, ctx
);
973 if (!BN_is_zero(b
)) {
974 fprintf(stderr
, "Modulo multiply test failed!\n");
975 ERR_print_errors_fp(stderr
);
988 int test_mod_exp(BIO
*bp
, BN_CTX
*ctx
)
990 BIGNUM
*a
, *b
, *c
, *d
, *e
;
1002 if (BN_mod_exp(d
, a
, b
, c
, ctx
)) {
1003 fprintf(stderr
, "BN_mod_exp with zero modulus succeeded!\n");
1007 BN_bntest_rand(c
, 30, 0, 1); /* must be odd for montgomery */
1008 for (i
= 0; i
< num2
; i
++) {
1009 BN_bntest_rand(a
, 20 + i
* 5, 0, 0);
1010 BN_bntest_rand(b
, 2 + i
, 0, 0);
1012 if (!BN_mod_exp(d
, a
, b
, c
, ctx
))
1018 BIO_puts(bp
, " ^ ");
1020 BIO_puts(bp
, " % ");
1022 BIO_puts(bp
, " - ");
1027 BN_exp(e
, a
, b
, ctx
);
1029 BN_div(a
, b
, e
, c
, ctx
);
1030 if (!BN_is_zero(b
)) {
1031 fprintf(stderr
, "Modulo exponentiation test failed!\n");
1036 /* Regression test for carry propagation bug in sqr8x_reduction */
1037 BN_hex2bn(&a
, "050505050505");
1038 BN_hex2bn(&b
, "02");
1040 "4141414141414141414141274141414141414141414141414141414141414141"
1041 "4141414141414141414141414141414141414141414141414141414141414141"
1042 "4141414141414141414141800000000000000000000000000000000000000000"
1043 "0000000000000000000000000000000000000000000000000000000000000000"
1044 "0000000000000000000000000000000000000000000000000000000000000000"
1045 "0000000000000000000000000000000000000000000000000000000001");
1046 BN_mod_exp(d
, a
, b
, c
, ctx
);
1047 BN_mul(e
, a
, a
, ctx
);
1049 fprintf(stderr
, "BN_mod_exp and BN_mul produce different results!\n");
1061 int test_mod_exp_mont_consttime(BIO
*bp
, BN_CTX
*ctx
)
1063 BIGNUM
*a
, *b
, *c
, *d
, *e
;
1075 if (BN_mod_exp_mont_consttime(d
, a
, b
, c
, ctx
, NULL
)) {
1076 fprintf(stderr
, "BN_mod_exp_mont_consttime with zero modulus "
1082 if (BN_mod_exp_mont_consttime(d
, a
, b
, c
, ctx
, NULL
)) {
1083 fprintf(stderr
, "BN_mod_exp_mont_consttime with even modulus "
1088 BN_bntest_rand(c
, 30, 0, 1); /* must be odd for montgomery */
1089 for (i
= 0; i
< num2
; i
++) {
1090 BN_bntest_rand(a
, 20 + i
* 5, 0, 0);
1091 BN_bntest_rand(b
, 2 + i
, 0, 0);
1093 if (!BN_mod_exp_mont_consttime(d
, a
, b
, c
, ctx
, NULL
))
1099 BIO_puts(bp
, " ^ ");
1101 BIO_puts(bp
, " % ");
1103 BIO_puts(bp
, " - ");
1108 BN_exp(e
, a
, b
, ctx
);
1110 BN_div(a
, b
, e
, c
, ctx
);
1111 if (!BN_is_zero(b
)) {
1112 fprintf(stderr
, "Modulo exponentiation test failed!\n");
1125 * Test constant-time modular exponentiation with 1024-bit inputs, which on
1126 * x86_64 cause a different code branch to be taken.
1128 int test_mod_exp_mont5(BIO
*bp
, BN_CTX
*ctx
)
1130 BIGNUM
*a
, *p
, *m
, *d
, *e
;
1138 mont
= BN_MONT_CTX_new();
1140 BN_bntest_rand(m
, 1024, 0, 1); /* must be odd for montgomery */
1142 BN_bntest_rand(a
, 1024, 0, 0);
1144 if (!BN_mod_exp_mont_consttime(d
, a
, p
, m
, ctx
, NULL
))
1146 if (!BN_is_one(d
)) {
1147 fprintf(stderr
, "Modular exponentiation test failed!\n");
1151 BN_bntest_rand(p
, 1024, 0, 0);
1153 if (!BN_mod_exp_mont_consttime(d
, a
, p
, m
, ctx
, NULL
))
1155 if (!BN_is_zero(d
)) {
1156 fprintf(stderr
, "Modular exponentiation test failed!\n");
1160 * Craft an input whose Montgomery representation is 1, i.e., shorter
1161 * than the modulus m, in order to test the const time precomputation
1162 * scattering/gathering.
1165 BN_MONT_CTX_set(mont
, m
, ctx
);
1166 if (!BN_from_montgomery(e
, a
, mont
, ctx
))
1168 if (!BN_mod_exp_mont_consttime(d
, e
, p
, m
, ctx
, NULL
))
1170 if (!BN_mod_exp_simple(a
, e
, p
, m
, ctx
))
1172 if (BN_cmp(a
, d
) != 0) {
1173 fprintf(stderr
, "Modular exponentiation test failed!\n");
1176 /* Finally, some regular test vectors. */
1177 BN_bntest_rand(e
, 1024, 0, 0);
1178 if (!BN_mod_exp_mont_consttime(d
, e
, p
, m
, ctx
, NULL
))
1180 if (!BN_mod_exp_simple(a
, e
, p
, m
, ctx
))
1182 if (BN_cmp(a
, d
) != 0) {
1183 fprintf(stderr
, "Modular exponentiation test failed!\n");
1186 BN_MONT_CTX_free(mont
);
1195 int test_exp(BIO
*bp
, BN_CTX
*ctx
)
1197 BIGNUM
*a
, *b
, *d
, *e
, *one
;
1207 for (i
= 0; i
< num2
; i
++) {
1208 BN_bntest_rand(a
, 20 + i
* 5, 0, 0);
1209 BN_bntest_rand(b
, 2 + i
, 0, 0);
1211 if (BN_exp(d
, a
, b
, ctx
) <= 0)
1217 BIO_puts(bp
, " ^ ");
1219 BIO_puts(bp
, " - ");
1225 for (; !BN_is_zero(b
); BN_sub(b
, b
, one
))
1226 BN_mul(e
, e
, a
, ctx
);
1228 if (!BN_is_zero(e
)) {
1229 fprintf(stderr
, "Exponentiation test failed!\n");
1241 #ifndef OPENSSL_NO_EC2M
1242 int test_gf2m_add(BIO
*bp
)
1251 for (i
= 0; i
< num0
; i
++) {
1252 BN_rand(a
, 512, 0, 0);
1253 BN_copy(b
, BN_value_one());
1254 a
->neg
= rand_neg();
1255 b
->neg
= rand_neg();
1256 BN_GF2m_add(c
, a
, b
);
1257 /* Test that two added values have the correct parity. */
1258 if ((BN_is_odd(a
) && BN_is_odd(c
))
1259 || (!BN_is_odd(a
) && !BN_is_odd(c
))) {
1260 fprintf(stderr
, "GF(2^m) addition test (a) failed!\n");
1263 BN_GF2m_add(c
, c
, c
);
1264 /* Test that c + c = 0. */
1265 if (!BN_is_zero(c
)) {
1266 fprintf(stderr
, "GF(2^m) addition test (b) failed!\n");
1278 int test_gf2m_mod(BIO
*bp
)
1280 BIGNUM
*a
, *b
[2], *c
, *d
, *e
;
1282 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1283 int p1
[] = { 193, 15, 0, -1 };
1292 BN_GF2m_arr2poly(p0
, b
[0]);
1293 BN_GF2m_arr2poly(p1
, b
[1]);
1295 for (i
= 0; i
< num0
; i
++) {
1296 BN_bntest_rand(a
, 1024, 0, 0);
1297 for (j
= 0; j
< 2; j
++) {
1298 BN_GF2m_mod(c
, a
, b
[j
]);
1299 BN_GF2m_add(d
, a
, c
);
1300 BN_GF2m_mod(e
, d
, b
[j
]);
1301 /* Test that a + (a mod p) mod p == 0. */
1302 if (!BN_is_zero(e
)) {
1303 fprintf(stderr
, "GF(2^m) modulo test failed!\n");
1319 int test_gf2m_mod_mul(BIO
*bp
, BN_CTX
*ctx
)
1321 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
, *g
, *h
;
1323 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1324 int p1
[] = { 193, 15, 0, -1 };
1336 BN_GF2m_arr2poly(p0
, b
[0]);
1337 BN_GF2m_arr2poly(p1
, b
[1]);
1339 for (i
= 0; i
< num0
; i
++) {
1340 BN_bntest_rand(a
, 1024, 0, 0);
1341 BN_bntest_rand(c
, 1024, 0, 0);
1342 BN_bntest_rand(d
, 1024, 0, 0);
1343 for (j
= 0; j
< 2; j
++) {
1344 BN_GF2m_mod_mul(e
, a
, c
, b
[j
], ctx
);
1345 BN_GF2m_add(f
, a
, d
);
1346 BN_GF2m_mod_mul(g
, f
, c
, b
[j
], ctx
);
1347 BN_GF2m_mod_mul(h
, d
, c
, b
[j
], ctx
);
1348 BN_GF2m_add(f
, e
, g
);
1349 BN_GF2m_add(f
, f
, h
);
1350 /* Test that (a+d)*c = a*c + d*c. */
1351 if (!BN_is_zero(f
)) {
1353 "GF(2^m) modular multiplication test failed!\n");
1372 int test_gf2m_mod_sqr(BIO
*bp
, BN_CTX
*ctx
)
1374 BIGNUM
*a
, *b
[2], *c
, *d
;
1376 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1377 int p1
[] = { 193, 15, 0, -1 };
1385 BN_GF2m_arr2poly(p0
, b
[0]);
1386 BN_GF2m_arr2poly(p1
, b
[1]);
1388 for (i
= 0; i
< num0
; i
++) {
1389 BN_bntest_rand(a
, 1024, 0, 0);
1390 for (j
= 0; j
< 2; j
++) {
1391 BN_GF2m_mod_sqr(c
, a
, b
[j
], ctx
);
1393 BN_GF2m_mod_mul(d
, a
, d
, b
[j
], ctx
);
1394 BN_GF2m_add(d
, c
, d
);
1395 /* Test that a*a = a^2. */
1396 if (!BN_is_zero(d
)) {
1397 fprintf(stderr
, "GF(2^m) modular squaring test failed!\n");
1412 int test_gf2m_mod_inv(BIO
*bp
, BN_CTX
*ctx
)
1414 BIGNUM
*a
, *b
[2], *c
, *d
;
1416 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1417 int p1
[] = { 193, 15, 0, -1 };
1425 BN_GF2m_arr2poly(p0
, b
[0]);
1426 BN_GF2m_arr2poly(p1
, b
[1]);
1428 for (i
= 0; i
< num0
; i
++) {
1429 BN_bntest_rand(a
, 512, 0, 0);
1430 for (j
= 0; j
< 2; j
++) {
1431 BN_GF2m_mod_inv(c
, a
, b
[j
], ctx
);
1432 BN_GF2m_mod_mul(d
, a
, c
, b
[j
], ctx
);
1433 /* Test that ((1/a)*a) = 1. */
1434 if (!BN_is_one(d
)) {
1435 fprintf(stderr
, "GF(2^m) modular inversion test failed!\n");
1450 int test_gf2m_mod_div(BIO
*bp
, BN_CTX
*ctx
)
1452 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
1454 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1455 int p1
[] = { 193, 15, 0, -1 };
1465 BN_GF2m_arr2poly(p0
, b
[0]);
1466 BN_GF2m_arr2poly(p1
, b
[1]);
1468 for (i
= 0; i
< num0
; i
++) {
1469 BN_bntest_rand(a
, 512, 0, 0);
1470 BN_bntest_rand(c
, 512, 0, 0);
1471 for (j
= 0; j
< 2; j
++) {
1472 BN_GF2m_mod_div(d
, a
, c
, b
[j
], ctx
);
1473 BN_GF2m_mod_mul(e
, d
, c
, b
[j
], ctx
);
1474 BN_GF2m_mod_div(f
, a
, e
, b
[j
], ctx
);
1475 /* Test that ((a/c)*c)/a = 1. */
1476 if (!BN_is_one(f
)) {
1477 fprintf(stderr
, "GF(2^m) modular division test failed!\n");
1494 int test_gf2m_mod_exp(BIO
*bp
, BN_CTX
*ctx
)
1496 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
1498 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1499 int p1
[] = { 193, 15, 0, -1 };
1509 BN_GF2m_arr2poly(p0
, b
[0]);
1510 BN_GF2m_arr2poly(p1
, b
[1]);
1512 for (i
= 0; i
< num0
; i
++) {
1513 BN_bntest_rand(a
, 512, 0, 0);
1514 BN_bntest_rand(c
, 512, 0, 0);
1515 BN_bntest_rand(d
, 512, 0, 0);
1516 for (j
= 0; j
< 2; j
++) {
1517 BN_GF2m_mod_exp(e
, a
, c
, b
[j
], ctx
);
1518 BN_GF2m_mod_exp(f
, a
, d
, b
[j
], ctx
);
1519 BN_GF2m_mod_mul(e
, e
, f
, b
[j
], ctx
);
1521 BN_GF2m_mod_exp(f
, a
, f
, b
[j
], ctx
);
1522 BN_GF2m_add(f
, e
, f
);
1523 /* Test that a^(c+d)=a^c*a^d. */
1524 if (!BN_is_zero(f
)) {
1526 "GF(2^m) modular exponentiation test failed!\n");
1543 int test_gf2m_mod_sqrt(BIO
*bp
, BN_CTX
*ctx
)
1545 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
1547 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1548 int p1
[] = { 193, 15, 0, -1 };
1558 BN_GF2m_arr2poly(p0
, b
[0]);
1559 BN_GF2m_arr2poly(p1
, b
[1]);
1561 for (i
= 0; i
< num0
; i
++) {
1562 BN_bntest_rand(a
, 512, 0, 0);
1563 for (j
= 0; j
< 2; j
++) {
1564 BN_GF2m_mod(c
, a
, b
[j
]);
1565 BN_GF2m_mod_sqrt(d
, a
, b
[j
], ctx
);
1566 BN_GF2m_mod_sqr(e
, d
, b
[j
], ctx
);
1567 BN_GF2m_add(f
, c
, e
);
1568 /* Test that d^2 = a, where d = sqrt(a). */
1569 if (!BN_is_zero(f
)) {
1570 fprintf(stderr
, "GF(2^m) modular square root test failed!\n");
1587 int test_gf2m_mod_solve_quad(BIO
*bp
, BN_CTX
*ctx
)
1589 BIGNUM
*a
, *b
[2], *c
, *d
, *e
;
1590 int i
, j
, s
= 0, t
, ret
= 0;
1591 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1592 int p1
[] = { 193, 15, 0, -1 };
1601 BN_GF2m_arr2poly(p0
, b
[0]);
1602 BN_GF2m_arr2poly(p1
, b
[1]);
1604 for (i
= 0; i
< num0
; i
++) {
1605 BN_bntest_rand(a
, 512, 0, 0);
1606 for (j
= 0; j
< 2; j
++) {
1607 t
= BN_GF2m_mod_solve_quad(c
, a
, b
[j
], ctx
);
1610 BN_GF2m_mod_sqr(d
, c
, b
[j
], ctx
);
1611 BN_GF2m_add(d
, c
, d
);
1612 BN_GF2m_mod(e
, a
, b
[j
]);
1613 BN_GF2m_add(e
, e
, d
);
1615 * Test that solution of quadratic c satisfies c^2 + c = a.
1617 if (!BN_is_zero(e
)) {
1619 "GF(2^m) modular solve quadratic test failed!\n");
1628 "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n",
1631 "this is very unlikely and probably indicates an error.\n");
1645 static int genprime_cb(int p
, int n
, BN_GENCB
*arg
)
1662 int test_kron(BIO
*bp
, BN_CTX
*ctx
)
1665 BIGNUM
*a
, *b
, *r
, *t
;
1667 int legendre
, kronecker
;
1674 if (a
== NULL
|| b
== NULL
|| r
== NULL
|| t
== NULL
)
1677 BN_GENCB_set(&cb
, genprime_cb
, NULL
);
1680 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1681 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1682 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1683 * generate a random prime b and compare these values for a number of
1684 * random a's. (That is, we run the Solovay-Strassen primality test to
1685 * confirm that b is prime, except that we don't want to test whether b
1686 * is prime but whether BN_kronecker works.)
1689 if (!BN_generate_prime_ex(b
, 512, 0, NULL
, NULL
, &cb
))
1691 b
->neg
= rand_neg();
1694 for (i
= 0; i
< num0
; i
++) {
1695 if (!BN_bntest_rand(a
, 512, 0, 0))
1697 a
->neg
= rand_neg();
1699 /* t := (|b|-1)/2 (note that b is odd) */
1703 if (!BN_sub_word(t
, 1))
1705 if (!BN_rshift1(t
, t
))
1707 /* r := a^t mod b */
1710 if (!BN_mod_exp_recp(r
, a
, t
, b
, ctx
))
1714 if (BN_is_word(r
, 1))
1716 else if (BN_is_zero(r
))
1719 if (!BN_add_word(r
, 1))
1721 if (0 != BN_ucmp(r
, b
)) {
1722 fprintf(stderr
, "Legendre symbol computation failed\n");
1728 kronecker
= BN_kronecker(a
, b
, ctx
);
1731 /* we actually need BN_kronecker(a, |b|) */
1732 if (a
->neg
&& b
->neg
)
1733 kronecker
= -kronecker
;
1735 if (legendre
!= kronecker
) {
1736 fprintf(stderr
, "legendre != kronecker; a = ");
1737 BN_print_fp(stderr
, a
);
1738 fprintf(stderr
, ", b = ");
1739 BN_print_fp(stderr
, b
);
1740 fprintf(stderr
, "\n");
1759 int test_sqrt(BIO
*bp
, BN_CTX
*ctx
)
1769 if (a
== NULL
|| p
== NULL
|| r
== NULL
)
1772 BN_GENCB_set(&cb
, genprime_cb
, NULL
);
1774 for (i
= 0; i
< 16; i
++) {
1776 unsigned primes
[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1778 if (!BN_set_word(p
, primes
[i
]))
1781 if (!BN_set_word(a
, 32))
1783 if (!BN_set_word(r
, 2 * i
+ 1))
1786 if (!BN_generate_prime_ex(p
, 256, 0, a
, r
, &cb
))
1790 p
->neg
= rand_neg();
1792 for (j
= 0; j
< num2
; j
++) {
1794 * construct 'a' such that it is a square modulo p, but in
1795 * general not a proper square and not reduced modulo p
1797 if (!BN_bntest_rand(r
, 256, 0, 3))
1799 if (!BN_nnmod(r
, r
, p
, ctx
))
1801 if (!BN_mod_sqr(r
, r
, p
, ctx
))
1803 if (!BN_bntest_rand(a
, 256, 0, 3))
1805 if (!BN_nnmod(a
, a
, p
, ctx
))
1807 if (!BN_mod_sqr(a
, a
, p
, ctx
))
1809 if (!BN_mul(a
, a
, r
, ctx
))
1812 if (!BN_sub(a
, a
, p
))
1815 if (!BN_mod_sqrt(r
, a
, p
, ctx
))
1817 if (!BN_mod_sqr(r
, r
, p
, ctx
))
1820 if (!BN_nnmod(a
, a
, p
, ctx
))
1823 if (BN_cmp(a
, r
) != 0) {
1824 fprintf(stderr
, "BN_mod_sqrt failed: a = ");
1825 BN_print_fp(stderr
, a
);
1826 fprintf(stderr
, ", r = ");
1827 BN_print_fp(stderr
, r
);
1828 fprintf(stderr
, ", p = ");
1829 BN_print_fp(stderr
, p
);
1830 fprintf(stderr
, "\n");
1849 int test_small_prime(BIO
*bp
, BN_CTX
*ctx
)
1851 static const int bits
= 10;
1856 if (!BN_generate_prime_ex(r
, bits
, 0, NULL
, NULL
, NULL
))
1858 if (BN_num_bits(r
) != bits
) {
1859 BIO_printf(bp
, "Expected %d bit prime, got %d bit number\n", bits
,
1871 int test_lshift(BIO
*bp
, BN_CTX
*ctx
, BIGNUM
*a_
)
1873 BIGNUM
*a
, *b
, *c
, *d
;
1885 BN_bntest_rand(a
, 200, 0, 0);
1886 a
->neg
= rand_neg();
1888 for (i
= 0; i
< num0
; i
++) {
1889 BN_lshift(b
, a
, i
+ 1);
1894 BIO_puts(bp
, " * ");
1896 BIO_puts(bp
, " - ");
1901 BN_mul(d
, a
, c
, ctx
);
1903 if (!BN_is_zero(d
)) {
1904 fprintf(stderr
, "Left shift test failed!\n");
1905 fprintf(stderr
, "a=");
1906 BN_print_fp(stderr
, a
);
1907 fprintf(stderr
, "\nb=");
1908 BN_print_fp(stderr
, b
);
1909 fprintf(stderr
, "\nc=");
1910 BN_print_fp(stderr
, c
);
1911 fprintf(stderr
, "\nd=");
1912 BN_print_fp(stderr
, d
);
1913 fprintf(stderr
, "\n");
1924 int test_lshift1(BIO
*bp
)
1933 BN_bntest_rand(a
, 200, 0, 0);
1934 a
->neg
= rand_neg();
1935 for (i
= 0; i
< num0
; i
++) {
1940 BIO_puts(bp
, " * 2");
1941 BIO_puts(bp
, " - ");
1948 if (!BN_is_zero(a
)) {
1949 fprintf(stderr
, "Left shift one test failed!\n");
1961 int test_rshift(BIO
*bp
, BN_CTX
*ctx
)
1963 BIGNUM
*a
, *b
, *c
, *d
, *e
;
1973 BN_bntest_rand(a
, 200, 0, 0);
1974 a
->neg
= rand_neg();
1975 for (i
= 0; i
< num0
; i
++) {
1976 BN_rshift(b
, a
, i
+ 1);
1981 BIO_puts(bp
, " / ");
1983 BIO_puts(bp
, " - ");
1988 BN_div(d
, e
, a
, c
, ctx
);
1990 if (!BN_is_zero(d
)) {
1991 fprintf(stderr
, "Right shift test failed!\n");
2003 int test_rshift1(BIO
*bp
)
2012 BN_bntest_rand(a
, 200, 0, 0);
2013 a
->neg
= rand_neg();
2014 for (i
= 0; i
< num0
; i
++) {
2019 BIO_puts(bp
, " / 2");
2020 BIO_puts(bp
, " - ");
2027 if (!BN_is_zero(c
) && !BN_abs_is_word(c
, 1)) {
2028 fprintf(stderr
, "Right shift one test failed!\n");
2041 static unsigned int neg
= 0;
2042 static int sign
[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
2044 return (sign
[(neg
++) % 8]);