]>
git.ipfire.org Git - thirdparty/openssl.git/blob - test/bntest.c
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
16 #include <internal/numbers.h>
17 #include <openssl/bn.h>
18 #include <openssl/crypto.h>
19 #include <openssl/err.h>
20 #include <openssl/rand.h>
22 #include "test_main_custom.h"
25 * In bn_lcl.h, bn_expand() is defined as a static ossl_inline function.
26 * This is fine in itself, it will end up as an unused static function in
27 * the worst case. However, it references bn_expand2(), which is a private
28 * function in libcrypto and therefore unavailable on some systems. This
29 * may result in a linker error because of unresolved symbols.
31 * To avoid this, we define a dummy variant of bn_expand2() here, and to
32 * avoid possible clashes with libcrypto, we rename it first, using a macro.
34 #define bn_expand2 dummy_bn_expand2
35 BIGNUM
*bn_expand2(BIGNUM
*b
, int words
);
36 BIGNUM
*bn_expand2(BIGNUM
*b
, int words
) { return NULL
; }
37 #include "../crypto/bn/bn_lcl.h"
42 * Things in boring, not in openssl. TODO we should add them.
44 #define HAVE_BN_PADDED 0
45 #define HAVE_BN_SQRT 0
47 typedef struct pair_st
{
52 typedef struct stanza_st
{
58 typedef struct filetest_st
{
60 int (*func
)(STANZA
*s
);
63 typedef struct mpitest_st
{
69 static const int NUM0
= 100; /* number of tests */
70 static const int NUM1
= 50; /* additional tests for some functions */
76 * Look for |key| in the stanza and return it or NULL if not found.
78 static const char *findattr(STANZA
*s
, const char *key
)
83 for ( ; --i
>= 0; pp
++)
84 if (strcasecmp(pp
->key
, key
) == 0)
90 * Parse BIGNUM, return number of bytes parsed.
92 static int parseBN(BIGNUM
**out
, const char *in
)
95 return BN_hex2bn(out
, in
);
98 static int parsedecBN(BIGNUM
**out
, const char *in
)
101 return BN_dec2bn(out
, in
);
104 static BIGNUM
*getBN(STANZA
*s
, const char *attribute
)
109 if ((hex
= findattr(s
, attribute
)) == NULL
) {
110 fprintf(stderr
, "Can't find %s in test at line %d\n",
111 attribute
, s
->start
);
115 if (parseBN(&ret
, hex
) != (int)strlen(hex
)) {
116 fprintf(stderr
, "Could not decode '%s'.\n", hex
);
122 static int getint(STANZA
*s
, int *out
, const char *attribute
)
124 BIGNUM
*ret
= getBN(s
, attribute
);
131 if ((word
= BN_get_word(ret
)) > INT_MAX
)
141 static int equalBN(const char *op
, const BIGNUM
*expected
, const BIGNUM
*actual
)
146 if (BN_cmp(expected
, actual
) == 0)
149 exstr
= BN_bn2hex(expected
);
150 actstr
= BN_bn2hex(actual
);
151 if (exstr
== NULL
|| actstr
== NULL
)
154 fprintf(stderr
, "Got %s =\n", op
);
155 fprintf(stderr
, "\t%s\n", actstr
);
156 fprintf(stderr
, "wanted:\n");
157 fprintf(stderr
, "\t%s\n", exstr
);
161 OPENSSL_free(actstr
);
167 * Return a "random" flag for if a BN should be negated.
169 static int rand_neg(void)
171 static unsigned int neg
= 0;
172 static int sign
[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
174 return sign
[(neg
++) % 8];
178 static int test_sub()
187 for (i
= 0; i
< NUM0
+ NUM1
; i
++) {
189 BN_bntest_rand(a
, 512, 0, 0);
191 if (BN_set_bit(a
, i
) == 0)
195 BN_bntest_rand(b
, 400 + i
- NUM1
, 0, 0);
202 if (!BN_is_zero(c
)) {
203 printf("Subtract test failed!\n");
214 static int test_div_recip()
216 BIGNUM
*a
, *b
, *c
, *d
, *e
;
220 recp
= BN_RECP_CTX_new();
227 for (i
= 0; i
< NUM0
+ NUM1
; i
++) {
229 BN_bntest_rand(a
, 400, 0, 0);
234 BN_bntest_rand(b
, 50 + 3 * (i
- NUM1
), 0, 0);
237 BN_RECP_CTX_set(recp
, b
, ctx
);
238 BN_div_recp(d
, c
, a
, recp
, ctx
);
239 BN_mul(e
, d
, b
, ctx
);
242 if (!BN_is_zero(d
)) {
243 printf("Reciprocal division test failed!\n");
245 BN_print_fp(stdout
, a
);
247 BN_print_fp(stdout
, b
);
257 BN_RECP_CTX_free(recp
);
262 static int test_mod()
264 BIGNUM
*a
, *b
, *c
, *d
, *e
;
273 BN_bntest_rand(a
, 1024, 0, 0);
274 for (i
= 0; i
< NUM0
; i
++) {
275 BN_bntest_rand(b
, 450 + i
* 10, 0, 0);
278 BN_mod(c
, a
, b
, ctx
);
279 BN_div(d
, e
, a
, b
, ctx
);
281 if (!BN_is_zero(e
)) {
282 printf("Modulo test failed!\n");
294 static const char *bn1strings
[] = {
295 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
296 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
297 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
298 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
299 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
300 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
301 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
302 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000000000FFFFFFFF00",
303 "0000000000000000000000000000000000000000000000000000000000000000",
304 "0000000000000000000000000000000000000000000000000000000000000000",
305 "0000000000000000000000000000000000000000000000000000000000000000",
306 "0000000000000000000000000000000000000000000000000000000000000000",
307 "0000000000000000000000000000000000000000000000000000000000000000",
308 "0000000000000000000000000000000000000000000000000000000000000000",
309 "0000000000000000000000000000000000000000000000000000000000000000",
310 "00000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF",
314 static const char *bn2strings
[] = {
315 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
316 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
317 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
318 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
319 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
320 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
321 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
322 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000000000FFFFFFFF0000000000",
323 "0000000000000000000000000000000000000000000000000000000000000000",
324 "0000000000000000000000000000000000000000000000000000000000000000",
325 "0000000000000000000000000000000000000000000000000000000000000000",
326 "0000000000000000000000000000000000000000000000000000000000000000",
327 "0000000000000000000000000000000000000000000000000000000000000000",
328 "0000000000000000000000000000000000000000000000000000000000000000",
329 "0000000000000000000000000000000000000000000000000000000000000000",
330 "000000000000000000000000000000000000000000FFFFFFFFFFFFFF00000000",
334 static char *glue(const char *list
[])
340 for (i
= 0; list
[i
] != NULL
; i
++)
341 len
+= strlen(list
[i
]);
342 p
= save
= OPENSSL_malloc(len
+ 1);
344 for (i
= 0; list
[i
] != NULL
; i
++)
345 p
+= strlen(strcpy(p
, list
[i
]));
351 * Test constant-time modular exponentiation with 1024-bit inputs, which on
352 * x86_64 cause a different code branch to be taken.
354 static int test_modexp_mont5()
356 BIGNUM
*a
, *p
, *m
, *d
, *e
, *b
, *n
, *c
;
368 mont
= BN_MONT_CTX_new();
370 BN_bntest_rand(m
, 1024, 0, 1); /* must be odd for montgomery */
372 BN_bntest_rand(a
, 1024, 0, 0);
374 if (!BN_mod_exp_mont_consttime(d
, a
, p
, m
, ctx
, NULL
))
377 printf("Modular exponentiation test failed!\n");
381 /* Regression test for carry bug in mulx4x_mont */
383 "7878787878787878787878787878787878787878787878787878787878787878"
384 "7878787878787878787878787878787878787878787878787878787878787878"
385 "7878787878787878787878787878787878787878787878787878787878787878"
386 "7878787878787878787878787878787878787878787878787878787878787878");
388 "095D72C08C097BA488C5E439C655A192EAFB6380073D8C2664668EDDB4060744"
389 "E16E57FB4EDB9AE10A0CEFCDC28A894F689A128379DB279D48A2E20849D68593"
390 "9B7803BCF46CEBF5C533FB0DD35B080593DE5472E3FE5DB951B8BFF9B4CB8F03"
391 "9CC638A5EE8CDD703719F8000E6A9F63BEED5F2FCD52FF293EA05A251BB4AB81");
393 "D78AF684E71DB0C39CFF4E64FB9DB567132CB9C50CC98009FEB820B26F2DED9B"
394 "91B9B5E2B83AE0AE4EB4E0523CA726BFBE969B89FD754F674CE99118C3F2D1C5"
395 "D81FDC7C54E02B60262B241D53C040E99E45826ECA37A804668E690E1AFC1CA4"
396 "2C9A15D84D4954425F0B7642FC0BD9D7B24E2618D2DCC9B729D944BADACFDDAF");
397 BN_MONT_CTX_set(mont
, n
, ctx
);
398 BN_mod_mul_montgomery(c
, a
, b
, mont
, ctx
);
399 BN_mod_mul_montgomery(d
, b
, a
, mont
, ctx
);
401 fprintf(stderr
, "Montgomery multiplication test failed:"
406 /* Regression test for carry bug in sqr[x]8x_mont */
407 bigstring
= glue(bn1strings
);
408 BN_hex2bn(&n
, bigstring
);
409 OPENSSL_free(bigstring
);
410 bigstring
= glue(bn2strings
);
411 BN_hex2bn(&a
, bigstring
);
412 OPENSSL_free(bigstring
);
415 BN_MONT_CTX_set(mont
, n
, ctx
);
416 BN_mod_mul_montgomery(c
, a
, a
, mont
, ctx
);
417 BN_mod_mul_montgomery(d
, a
, b
, mont
, ctx
);
419 fprintf(stderr
, "Montgomery multiplication test failed:"
425 BN_bntest_rand(p
, 1024, 0, 0);
427 if (!BN_mod_exp_mont_consttime(d
, a
, p
, m
, ctx
, NULL
))
429 if (!BN_is_zero(d
)) {
430 fprintf(stderr
, "Modular exponentiation test failed!\n");
434 * Craft an input whose Montgomery representation is 1, i.e., shorter
435 * than the modulus m, in order to test the const time precomputation
436 * scattering/gathering.
439 BN_MONT_CTX_set(mont
, m
, ctx
);
440 if (!BN_from_montgomery(e
, a
, mont
, ctx
))
442 if (!BN_mod_exp_mont_consttime(d
, e
, p
, m
, ctx
, NULL
))
444 if (!BN_mod_exp_simple(a
, e
, p
, m
, ctx
))
446 if (BN_cmp(a
, d
) != 0) {
447 printf("Modular exponentiation test failed!\n");
450 /* Finally, some regular test vectors. */
451 BN_bntest_rand(e
, 1024, 0, 0);
452 if (!BN_mod_exp_mont_consttime(d
, e
, p
, m
, ctx
, NULL
))
454 if (!BN_mod_exp_simple(a
, e
, p
, m
, ctx
))
456 if (BN_cmp(a
, d
) != 0) {
457 printf("Modular exponentiation test failed!\n");
460 BN_MONT_CTX_free(mont
);
472 #ifndef OPENSSL_NO_EC2M
473 static int test_gf2m_add()
482 for (i
= 0; i
< NUM0
; i
++) {
483 BN_rand(a
, 512, 0, 0);
484 BN_copy(b
, BN_value_one());
487 BN_GF2m_add(c
, a
, b
);
488 /* Test that two added values have the correct parity. */
489 if ((BN_is_odd(a
) && BN_is_odd(c
))
490 || (!BN_is_odd(a
) && !BN_is_odd(c
))) {
491 printf("GF(2^m) addition test (a) failed!\n");
494 BN_GF2m_add(c
, c
, c
);
495 /* Test that c + c = 0. */
496 if (!BN_is_zero(c
)) {
497 printf("GF(2^m) addition test (b) failed!\n");
509 static int test_gf2m_mod()
511 static int p0
[] = { 163, 7, 6, 3, 0, -1 };
512 static int p1
[] = { 193, 15, 0, -1 };
513 BIGNUM
*a
, *b
[2], *c
, *d
, *e
;
523 BN_GF2m_arr2poly(p0
, b
[0]);
524 BN_GF2m_arr2poly(p1
, b
[1]);
526 for (i
= 0; i
< NUM0
; i
++) {
527 BN_bntest_rand(a
, 1024, 0, 0);
528 for (j
= 0; j
< 2; j
++) {
529 BN_GF2m_mod(c
, a
, b
[j
]);
530 BN_GF2m_add(d
, a
, c
);
531 BN_GF2m_mod(e
, d
, b
[j
]);
532 /* Test that a + (a mod p) mod p == 0. */
533 if (!BN_is_zero(e
)) {
534 printf("GF(2^m) modulo test failed!\n");
550 static int test_gf2m_mul()
552 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
, *g
, *h
;
554 int p0
[] = { 163, 7, 6, 3, 0, -1 };
555 int p1
[] = { 193, 15, 0, -1 };
567 BN_GF2m_arr2poly(p0
, b
[0]);
568 BN_GF2m_arr2poly(p1
, b
[1]);
570 for (i
= 0; i
< NUM0
; i
++) {
571 BN_bntest_rand(a
, 1024, 0, 0);
572 BN_bntest_rand(c
, 1024, 0, 0);
573 BN_bntest_rand(d
, 1024, 0, 0);
574 for (j
= 0; j
< 2; j
++) {
575 BN_GF2m_mod_mul(e
, a
, c
, b
[j
], ctx
);
576 BN_GF2m_add(f
, a
, d
);
577 BN_GF2m_mod_mul(g
, f
, c
, b
[j
], ctx
);
578 BN_GF2m_mod_mul(h
, d
, c
, b
[j
], ctx
);
579 BN_GF2m_add(f
, e
, g
);
580 BN_GF2m_add(f
, f
, h
);
581 /* Test that (a+d)*c = a*c + d*c. */
582 if (!BN_is_zero(f
)) {
583 printf("GF(2^m) modular multiplication test failed!\n");
602 static int test_gf2m_sqr()
604 BIGNUM
*a
, *b
[2], *c
, *d
;
606 int p0
[] = { 163, 7, 6, 3, 0, -1 };
607 int p1
[] = { 193, 15, 0, -1 };
615 BN_GF2m_arr2poly(p0
, b
[0]);
616 BN_GF2m_arr2poly(p1
, b
[1]);
618 for (i
= 0; i
< NUM0
; i
++) {
619 BN_bntest_rand(a
, 1024, 0, 0);
620 for (j
= 0; j
< 2; j
++) {
621 BN_GF2m_mod_sqr(c
, a
, b
[j
], ctx
);
623 BN_GF2m_mod_mul(d
, a
, d
, b
[j
], ctx
);
624 BN_GF2m_add(d
, c
, d
);
625 /* Test that a*a = a^2. */
626 if (!BN_is_zero(d
)) {
627 printf("GF(2^m) modular squaring test failed!\n");
642 static int test_gf2m_modinv()
644 BIGNUM
*a
, *b
[2], *c
, *d
;
646 int p0
[] = { 163, 7, 6, 3, 0, -1 };
647 int p1
[] = { 193, 15, 0, -1 };
655 BN_GF2m_arr2poly(p0
, b
[0]);
656 BN_GF2m_arr2poly(p1
, b
[1]);
658 for (i
= 0; i
< NUM0
; i
++) {
659 BN_bntest_rand(a
, 512, 0, 0);
660 for (j
= 0; j
< 2; j
++) {
661 BN_GF2m_mod_inv(c
, a
, b
[j
], ctx
);
662 BN_GF2m_mod_mul(d
, a
, c
, b
[j
], ctx
);
663 /* Test that ((1/a)*a) = 1. */
665 printf("GF(2^m) modular inversion test failed!\n");
680 static int test_gf2m_moddiv()
682 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
684 int p0
[] = { 163, 7, 6, 3, 0, -1 };
685 int p1
[] = { 193, 15, 0, -1 };
695 BN_GF2m_arr2poly(p0
, b
[0]);
696 BN_GF2m_arr2poly(p1
, b
[1]);
698 for (i
= 0; i
< NUM0
; i
++) {
699 BN_bntest_rand(a
, 512, 0, 0);
700 BN_bntest_rand(c
, 512, 0, 0);
701 for (j
= 0; j
< 2; j
++) {
702 BN_GF2m_mod_div(d
, a
, c
, b
[j
], ctx
);
703 BN_GF2m_mod_mul(e
, d
, c
, b
[j
], ctx
);
704 BN_GF2m_mod_div(f
, a
, e
, b
[j
], ctx
);
705 /* Test that ((a/c)*c)/a = 1. */
707 printf("GF(2^m) modular division test failed!\n");
724 static int test_gf2m_modexp()
726 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
728 int p0
[] = { 163, 7, 6, 3, 0, -1 };
729 int p1
[] = { 193, 15, 0, -1 };
739 BN_GF2m_arr2poly(p0
, b
[0]);
740 BN_GF2m_arr2poly(p1
, b
[1]);
742 for (i
= 0; i
< NUM0
; i
++) {
743 BN_bntest_rand(a
, 512, 0, 0);
744 BN_bntest_rand(c
, 512, 0, 0);
745 BN_bntest_rand(d
, 512, 0, 0);
746 for (j
= 0; j
< 2; j
++) {
747 BN_GF2m_mod_exp(e
, a
, c
, b
[j
], ctx
);
748 BN_GF2m_mod_exp(f
, a
, d
, b
[j
], ctx
);
749 BN_GF2m_mod_mul(e
, e
, f
, b
[j
], ctx
);
751 BN_GF2m_mod_exp(f
, a
, f
, b
[j
], ctx
);
752 BN_GF2m_add(f
, e
, f
);
753 /* Test that a^(c+d)=a^c*a^d. */
754 if (!BN_is_zero(f
)) {
755 printf("GF(2^m) modular exponentiation test failed!\n");
772 static int test_gf2m_modsqrt()
774 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
776 int p0
[] = { 163, 7, 6, 3, 0, -1 };
777 int p1
[] = { 193, 15, 0, -1 };
787 BN_GF2m_arr2poly(p0
, b
[0]);
788 BN_GF2m_arr2poly(p1
, b
[1]);
790 for (i
= 0; i
< NUM0
; i
++) {
791 BN_bntest_rand(a
, 512, 0, 0);
792 for (j
= 0; j
< 2; j
++) {
793 BN_GF2m_mod(c
, a
, b
[j
]);
794 BN_GF2m_mod_sqrt(d
, a
, b
[j
], ctx
);
795 BN_GF2m_mod_sqr(e
, d
, b
[j
], ctx
);
796 BN_GF2m_add(f
, c
, e
);
797 /* Test that d^2 = a, where d = sqrt(a). */
798 if (!BN_is_zero(f
)) {
799 printf("GF(2^m) modular square root test failed!\n");
816 static int test_gf2m_modsolvequad()
818 BIGNUM
*a
, *b
[2], *c
, *d
, *e
;
819 int i
, j
, s
= 0, t
, st
= 0;
820 int p0
[] = { 163, 7, 6, 3, 0, -1 };
821 int p1
[] = { 193, 15, 0, -1 };
830 BN_GF2m_arr2poly(p0
, b
[0]);
831 BN_GF2m_arr2poly(p1
, b
[1]);
833 for (i
= 0; i
< NUM0
; i
++) {
834 BN_bntest_rand(a
, 512, 0, 0);
835 for (j
= 0; j
< 2; j
++) {
836 t
= BN_GF2m_mod_solve_quad(c
, a
, b
[j
], ctx
);
839 BN_GF2m_mod_sqr(d
, c
, b
[j
], ctx
);
840 BN_GF2m_add(d
, c
, d
);
841 BN_GF2m_mod(e
, a
, b
[j
]);
842 BN_GF2m_add(e
, e
, d
);
844 * Test that solution of quadratic c satisfies c^2 + c = a.
846 if (!BN_is_zero(e
)) {
847 printf("GF(2^m) modular solve quadratic test failed!\n");
855 printf("All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n",
857 printf("this is very unlikely and probably indicates an error.\n");
872 static int test_kronecker()
874 BIGNUM
*a
, *b
, *r
, *t
;
876 int legendre
, kronecker
;
883 if (a
== NULL
|| b
== NULL
|| r
== NULL
|| t
== NULL
)
887 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
888 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
889 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
890 * generate a random prime b and compare these values for a number of
891 * random a's. (That is, we run the Solovay-Strassen primality test to
892 * confirm that b is prime, except that we don't want to test whether b
893 * is prime but whether BN_kronecker works.)
896 if (!BN_generate_prime_ex(b
, 512, 0, NULL
, NULL
, NULL
))
900 for (i
= 0; i
< NUM0
; i
++) {
901 if (!BN_bntest_rand(a
, 512, 0, 0))
905 /* t := (|b|-1)/2 (note that b is odd) */
909 if (!BN_sub_word(t
, 1))
911 if (!BN_rshift1(t
, t
))
916 if (!BN_mod_exp_recp(r
, a
, t
, b
, ctx
))
920 if (BN_is_word(r
, 1))
922 else if (BN_is_zero(r
))
925 if (!BN_add_word(r
, 1))
927 if (0 != BN_ucmp(r
, b
)) {
928 printf("Legendre symbol computation failed\n");
934 kronecker
= BN_kronecker(a
, b
, ctx
);
937 /* we actually need BN_kronecker(a, |b|) */
938 if (a
->neg
&& b
->neg
)
939 kronecker
= -kronecker
;
941 if (legendre
!= kronecker
) {
942 printf("legendre != kronecker; a = ");
943 BN_print_fp(stdout
, a
);
945 BN_print_fp(stdout
, b
);
960 static int file_sum(STANZA
*s
)
962 BIGNUM
*a
= getBN(s
, "A");
963 BIGNUM
*b
= getBN(s
, "B");
964 BIGNUM
*sum
= getBN(s
, "Sum");
965 BIGNUM
*ret
= BN_new();
969 if (a
== NULL
|| b
== NULL
|| sum
== NULL
|| ret
== NULL
)
972 if (!BN_add(ret
, a
, b
)
973 || !equalBN("A + B", sum
, ret
)
974 || !BN_sub(ret
, sum
, a
)
975 || !equalBN("Sum - A", b
, ret
)
976 || !BN_sub(ret
, sum
, b
)
977 || !equalBN("Sum - B", a
, ret
))
981 * Test that the functions work when |r| and |a| point to the same BIGNUM,
982 * or when |r| and |b| point to the same BIGNUM.
983 * TODO: Test where all of |r|, |a|, and |b| point to the same BIGNUM.
986 || !BN_add(ret
, ret
, b
)
987 || !equalBN("A + B (r is a)", sum
, ret
)
989 || !BN_add(ret
, a
, ret
)
990 || !equalBN("A + B (r is b)", sum
, ret
)
991 || !BN_copy(ret
, sum
)
992 || !BN_sub(ret
, ret
, a
)
993 || !equalBN("Sum - A (r is a)", b
, ret
)
995 || !BN_sub(ret
, sum
, ret
)
996 || !equalBN("Sum - A (r is b)", b
, ret
)
997 || !BN_copy(ret
, sum
)
998 || !BN_sub(ret
, ret
, b
)
999 || !equalBN("Sum - B (r is a)", a
, ret
)
1001 || !BN_sub(ret
, sum
, ret
)
1002 || !equalBN("Sum - B (r is b)", a
, ret
))
1006 * Test BN_uadd() and BN_usub() with the prerequisites they are
1007 * documented as having. Note that these functions are frequently used
1008 * when the prerequisites don't hold. In those cases, they are supposed
1009 * to work as if the prerequisite hold, but we don't test that yet.
1012 if (!BN_is_negative(a
) && !BN_is_negative(b
) && BN_cmp(a
, b
) >= 0) {
1013 if (!BN_uadd(ret
, a
, b
)
1014 || !equalBN("A +u B", sum
, ret
)
1015 || !BN_usub(ret
, sum
, a
)
1016 || !equalBN("Sum -u A", b
, ret
)
1017 || !BN_usub(ret
, sum
, b
)
1018 || !equalBN("Sum -u B", a
, ret
))
1021 * Test that the functions work when |r| and |a| point to the same
1022 * BIGNUM, or when |r| and |b| point to the same BIGNUM.
1023 * TODO: Test where all of |r|, |a|, and |b| point to the same BIGNUM.
1025 if (!BN_copy(ret
, a
)
1026 || !BN_uadd(ret
, ret
, b
)
1027 || !equalBN("A +u B (r is a)", sum
, ret
)
1029 || !BN_uadd(ret
, a
, ret
)
1030 || !equalBN("A +u B (r is b)", sum
, ret
)
1031 || !BN_copy(ret
, sum
)
1032 || !BN_usub(ret
, ret
, a
)
1033 || !equalBN("Sum -u A (r is a)", b
, ret
)
1035 || !BN_usub(ret
, sum
, ret
)
1036 || !equalBN("Sum -u A (r is b)", b
, ret
)
1037 || !BN_copy(ret
, sum
)
1038 || !BN_usub(ret
, ret
, b
)
1039 || !equalBN("Sum -u B (r is a)", a
, ret
)
1041 || !BN_usub(ret
, sum
, ret
)
1042 || !equalBN("Sum -u B (r is b)", a
, ret
))
1047 * Test with BN_add_word() and BN_sub_word() if |b| is small enough.
1049 b_word
= BN_get_word(b
);
1050 if (!BN_is_negative(b
) && b_word
!= (BN_ULONG
)-1) {
1051 if (!BN_copy(ret
, a
)
1052 || !BN_add_word(ret
, b_word
)
1053 || !equalBN("A + B (word)", sum
, ret
)
1054 || !BN_copy(ret
, sum
)
1055 || !BN_sub_word(ret
, b_word
)
1056 || !equalBN("Sum - B (word)", a
, ret
))
1069 static int file_lshift1(STANZA
*s
)
1071 BIGNUM
*a
= getBN(s
, "A");
1072 BIGNUM
*lshift1
= getBN(s
, "LShift1");
1073 BIGNUM
*zero
= BN_new();
1074 BIGNUM
*ret
= BN_new();
1075 BIGNUM
*two
= BN_new();
1076 BIGNUM
*remainder
= BN_new();
1079 if (a
== NULL
|| lshift1
== NULL
|| zero
== NULL
1080 || ret
== NULL
|| two
== NULL
|| remainder
== NULL
)
1085 if (!BN_set_word(two
, 2)
1086 || !BN_add(ret
, a
, a
)
1087 || !equalBN("A + A", lshift1
, ret
)
1088 || !BN_mul(ret
, a
, two
, ctx
)
1089 || !equalBN("A * 2", lshift1
, ret
)
1090 || !BN_div(ret
, remainder
, lshift1
, two
, ctx
)
1091 || !equalBN("LShift1 / 2", a
, ret
)
1092 || !equalBN("LShift1 % 2", zero
, remainder
)
1093 || !BN_lshift1(ret
, a
)
1094 || !equalBN("A << 1", lshift1
, ret
)
1095 || !BN_rshift1(ret
, lshift1
)
1096 || !equalBN("LShift >> 1", a
, ret
)
1097 || !BN_rshift1(ret
, lshift1
)
1098 || !equalBN("LShift >> 1", a
, ret
))
1101 /* Set the LSB to 1 and test rshift1 again. */
1102 if (!BN_set_bit(lshift1
, 0)
1103 || !BN_div(ret
, NULL
/* rem */ , lshift1
, two
, ctx
)
1104 || !equalBN("(LShift1 | 1) / 2", a
, ret
)
1105 || !BN_rshift1(ret
, lshift1
)
1106 || !equalBN("(LShift | 1) >> 1", a
, ret
))
1121 static int file_lshift(STANZA
*s
)
1123 BIGNUM
*a
= getBN(s
, "A");
1124 BIGNUM
*lshift
= getBN(s
, "LShift");
1125 BIGNUM
*ret
= BN_new();
1129 if (a
== NULL
|| lshift
== NULL
|| ret
== NULL
|| !getint(s
, &n
, "N"))
1132 if (!BN_lshift(ret
, a
, n
)
1133 || !equalBN("A << N", lshift
, ret
)
1134 || !BN_rshift(ret
, lshift
, n
)
1135 || !equalBN("A >> N", a
, ret
))
1146 static int file_rshift(STANZA
*s
)
1148 BIGNUM
*a
= getBN(s
, "A");
1149 BIGNUM
*rshift
= getBN(s
, "RShift");
1150 BIGNUM
*ret
= BN_new();
1154 if (a
== NULL
|| rshift
== NULL
|| ret
== NULL
|| !getint(s
, &n
, "N"))
1157 if (!BN_rshift(ret
, a
, n
)
1158 || !equalBN("A >> N", rshift
, ret
))
1169 static int file_square(STANZA
*s
)
1171 BIGNUM
*a
= getBN(s
, "A");
1172 BIGNUM
*square
= getBN(s
, "Square");
1173 BIGNUM
*zero
= BN_new();
1174 BIGNUM
*ret
= BN_new();
1175 BIGNUM
*remainder
= BN_new();
1179 if (a
== NULL
|| square
== NULL
|| zero
== NULL
|| ret
== NULL
1180 || remainder
== NULL
)
1185 if (!BN_sqr(ret
, a
, ctx
)
1186 || !equalBN("A^2", square
, ret
)
1187 || !BN_mul(ret
, a
, a
, ctx
)
1188 || !equalBN("A * A", square
, ret
)
1189 || !BN_div(ret
, remainder
, square
, a
, ctx
)
1190 || !equalBN("Square / A", a
, ret
)
1191 || !equalBN("Square % A", zero
, remainder
))
1195 BN_set_negative(a
, 0);
1196 if (!BN_sqrt(ret
, square
, ctx
)
1197 || !equalBN("sqrt(Square)", a
, ret
))
1200 /* BN_sqrt should fail on non-squares and negative numbers. */
1201 if (!BN_is_zero(square
)) {
1203 if (tmp
== NULL
|| !BN_copy(tmp
, square
))
1205 BN_set_negative(tmp
, 1);
1207 if (BN_sqrt(ret
, tmp
, ctx
)) {
1208 fprintf(stderr
, "BN_sqrt succeeded on a negative number");
1213 BN_set_negative(tmp
, 0);
1214 if (BN_add(tmp
, tmp
, BN_value_one()))
1216 if (BN_sqrt(ret
, tmp
, ctx
)) {
1217 fprintf(stderr
, "BN_sqrt succeeded on a non-square");
1235 static int file_product(STANZA
*s
)
1237 BIGNUM
*a
= getBN(s
, "A");
1238 BIGNUM
*b
= getBN(s
, "B");
1239 BIGNUM
*product
= getBN(s
, "Product");
1240 BIGNUM
*ret
= BN_new();
1241 BIGNUM
*remainder
= BN_new();
1242 BIGNUM
*zero
= BN_new();
1245 if (a
== NULL
|| b
== NULL
|| product
== NULL
|| ret
== NULL
1246 || remainder
== NULL
|| zero
== NULL
)
1251 if (!BN_mul(ret
, a
, b
, ctx
)
1252 || !equalBN("A * B", product
, ret
)
1253 || !BN_div(ret
, remainder
, product
, a
, ctx
)
1254 || !equalBN("Product / A", b
, ret
)
1255 || !equalBN("Product % A", zero
, remainder
)
1256 || !BN_div(ret
, remainder
, product
, b
, ctx
)
1257 || !equalBN("Product / B", a
, ret
)
1258 || !equalBN("Product % B", zero
, remainder
))
1272 static int file_quotient(STANZA
*s
)
1274 BIGNUM
*a
= getBN(s
, "A");
1275 BIGNUM
*b
= getBN(s
, "B");
1276 BIGNUM
*quotient
= getBN(s
, "Quotient");
1277 BIGNUM
*remainder
= getBN(s
, "Remainder");
1278 BIGNUM
*ret
= BN_new();
1279 BIGNUM
*ret2
= BN_new();
1280 BIGNUM
*nnmod
= BN_new();
1281 BN_ULONG b_word
, ret_word
;
1284 if (a
== NULL
|| b
== NULL
|| quotient
== NULL
|| remainder
== NULL
1285 || ret
== NULL
|| ret2
== NULL
|| nnmod
== NULL
)
1288 if (!BN_div(ret
, ret2
, a
, b
, ctx
)
1289 || !equalBN("A / B", quotient
, ret
)
1290 || !equalBN("A % B", remainder
, ret2
)
1291 || !BN_mul(ret
, quotient
, b
, ctx
)
1292 || !BN_add(ret
, ret
, remainder
)
1293 || !equalBN("Quotient * B + Remainder", a
, ret
))
1297 * Test with BN_mod_word() and BN_div_word() if the divisor is
1300 b_word
= BN_get_word(b
);
1301 if (!BN_is_negative(b
) && b_word
!= (BN_ULONG
)-1) {
1302 BN_ULONG remainder_word
= BN_get_word(remainder
);
1304 assert(remainder_word
!= (BN_ULONG
)-1);
1305 if (!BN_copy(ret
, a
))
1307 ret_word
= BN_div_word(ret
, b_word
);
1308 if (ret_word
!= remainder_word
) {
1311 "Got A %% B (word) = " BN_DEC_FMT1
", wanted " BN_DEC_FMT1
"\n",
1312 ret_word
, remainder_word
);
1314 fprintf(stderr
, "Got A %% B (word) mismatch\n");
1318 if (!equalBN ("A / B (word)", quotient
, ret
))
1321 ret_word
= BN_mod_word(a
, b_word
);
1322 if (ret_word
!= remainder_word
) {
1325 "Got A %% B (word) = " BN_DEC_FMT1
", wanted " BN_DEC_FMT1
"\n",
1326 ret_word
, remainder_word
);
1328 fprintf(stderr
, "Got A %% B (word) mismatch\n");
1334 /* Test BN_nnmod. */
1335 if (!BN_is_negative(b
)) {
1336 if (!BN_copy(nnmod
, remainder
)
1337 || (BN_is_negative(nnmod
) && !BN_add(nnmod
, nnmod
, b
))
1338 || !BN_nnmod(ret
, a
, b
, ctx
)
1339 || !equalBN("A % B (non-negative)", nnmod
, ret
))
1355 static int file_modmul(STANZA
*s
)
1357 BIGNUM
*a
= getBN(s
, "A");
1358 BIGNUM
*b
= getBN(s
, "B");
1359 BIGNUM
*m
= getBN(s
, "M");
1360 BIGNUM
*mod_mul
= getBN(s
, "ModMul");
1361 BIGNUM
*ret
= BN_new();
1364 if (a
== NULL
|| b
== NULL
|| m
== NULL
|| mod_mul
== NULL
|| ret
== NULL
)
1367 if (!BN_mod_mul(ret
, a
, b
, m
, ctx
)
1368 || !equalBN("A * B (mod M)", mod_mul
, ret
))
1372 /* Reduce |a| and |b| and test the Montgomery version. */
1373 BN_MONT_CTX
*mont
= BN_MONT_CTX_new();
1374 BIGNUM
*a_tmp
= BN_new();
1375 BIGNUM
*b_tmp
= BN_new();
1376 if (mont
== NULL
|| a_tmp
== NULL
|| b_tmp
== NULL
1377 || !BN_MONT_CTX_set(mont
, m
, ctx
)
1378 || !BN_nnmod(a_tmp
, a
, m
, ctx
)
1379 || !BN_nnmod(b_tmp
, b
, m
, ctx
)
1380 || !BN_to_montgomery(a_tmp
, a_tmp
, mont
, ctx
)
1381 || !BN_to_montgomery(b_tmp
, b_tmp
, mont
, ctx
)
1382 || !BN_mod_mul_montgomery(ret
, a_tmp
, b_tmp
, mont
, ctx
)
1383 || !BN_from_montgomery(ret
, ret
, mont
, ctx
)
1384 || !equalBN("A * B (mod M) (mont)", mod_mul
, ret
)) {
1389 BN_MONT_CTX_free(mont
);
1406 static int file_modexp(STANZA
*s
)
1408 BIGNUM
*a
= getBN(s
, "A");
1409 BIGNUM
*e
= getBN(s
, "E");
1410 BIGNUM
*m
= getBN(s
, "M");
1411 BIGNUM
*mod_exp
= getBN(s
, "ModExp");
1412 BIGNUM
*ret
= BN_new();
1413 BIGNUM
*b
= NULL
, *c
= NULL
, *d
= BN_new();
1416 if (a
== NULL
|| e
== NULL
|| m
== NULL
|| mod_exp
== NULL
|| ret
== NULL
)
1419 if (!BN_mod_exp(ret
, a
, e
, m
, ctx
)
1420 || !equalBN("A ^ E (mod M)", mod_exp
, ret
))
1424 if (!BN_mod_exp_mont(ret
, a
, e
, m
, ctx
, NULL
)
1425 || !equalBN("A ^ E (mod M) (mont)", mod_exp
, ret
)
1426 || !BN_mod_exp_mont_consttime(ret
, a
, e
, m
, ctx
, NULL
)
1427 || !equalBN("A ^ E (mod M) (mont const", mod_exp
, ret
))
1431 /* Regression test for carry propagation bug in sqr8x_reduction */
1432 BN_hex2bn(&a
, "050505050505");
1433 BN_hex2bn(&b
, "02");
1435 "4141414141414141414141274141414141414141414141414141414141414141"
1436 "4141414141414141414141414141414141414141414141414141414141414141"
1437 "4141414141414141414141800000000000000000000000000000000000000000"
1438 "0000000000000000000000000000000000000000000000000000000000000000"
1439 "0000000000000000000000000000000000000000000000000000000000000000"
1440 "0000000000000000000000000000000000000000000000000000000001");
1441 BN_mod_exp(d
, a
, b
, c
, ctx
);
1442 BN_mul(e
, a
, a
, ctx
);
1444 fprintf(stderr
, "BN_mod_exp and BN_mul produce different results!\n");
1461 static int file_exp(STANZA
*s
)
1463 BIGNUM
*a
= getBN(s
, "A");
1464 BIGNUM
*e
= getBN(s
, "E");
1465 BIGNUM
*exp
= getBN(s
, "Exp");
1466 BIGNUM
*ret
= BN_new();
1469 if (a
== NULL
|| e
== NULL
|| exp
== NULL
|| ret
== NULL
)
1472 if (!BN_exp(ret
, a
, e
, ctx
)
1473 || !equalBN("A ^ E", exp
, ret
))
1485 static int file_modsqrt(STANZA
*s
)
1487 BIGNUM
*a
= getBN(s
, "A");
1488 BIGNUM
*p
= getBN(s
, "P");
1489 BIGNUM
*mod_sqrt
= getBN(s
, "ModSqrt");
1490 BIGNUM
*ret
= BN_new();
1491 BIGNUM
*ret2
= BN_new();
1494 if (a
== NULL
|| p
== NULL
|| mod_sqrt
== NULL
1495 || ret
== NULL
|| ret2
== NULL
)
1498 /* There are two possible answers. */
1499 if (!BN_mod_sqrt(ret
, a
, p
, ctx
) || !BN_sub(ret2
, p
, ret
))
1502 if (BN_cmp(ret2
, mod_sqrt
) != 0
1503 && !equalBN("sqrt(A) (mod P)", mod_sqrt
, ret
))
1516 static int test_bn2padded()
1519 uint8_t zeros
[256], out
[256], reference
[128];
1520 BIGNUM
*n
= BN_new();
1523 /* Test edge case at 0. */
1526 if (!BN_bn2bin_padded(NULL
, 0, n
)) {
1528 "BN_bn2bin_padded failed to encode 0 in an empty buffer.\n");
1531 memset(out
, -1, sizeof(out
));
1532 if (!BN_bn2bin_padded(out
, sizeof(out
), n
)) {
1534 "BN_bn2bin_padded failed to encode 0 in a non-empty buffer.\n");
1537 memset(zeros
, 0, sizeof(zeros
));
1538 if (memcmp(zeros
, out
, sizeof(out
))) {
1539 fprintf(stderr
, "BN_bn2bin_padded did not zero buffer.\n");
1543 /* Test a random numbers at various byte lengths. */
1544 for (size_t bytes
= 128 - 7; bytes
<= 128; bytes
++) {
1545 #define TOP_BIT_ON 0
1546 #define BOTTOM_BIT_NOTOUCH 0
1547 if (!BN_rand(n
, bytes
* 8, TOP_BIT_ON
, BOTTOM_BIT_NOTOUCH
)) {
1548 ERR_print_errors_fp(stderr
);
1551 if (BN_num_bytes(n
) != bytes
1552 || BN_bn2bin(n
, reference
) != bytes
) {
1553 fprintf(stderr
, "Bad result from BN_rand; bytes.\n");
1556 /* Empty buffer should fail. */
1557 if (BN_bn2bin_padded(NULL
, 0, n
)) {
1559 "BN_bn2bin_padded incorrectly succeeded on empty buffer.\n");
1562 /* One byte short should fail. */
1563 if (BN_bn2bin_padded(out
, bytes
- 1, n
)) {
1565 "BN_bn2bin_padded incorrectly succeeded on short.\n");
1568 /* Exactly right size should encode. */
1569 if (!BN_bn2bin_padded(out
, bytes
, n
)
1570 || memcmp(out
, reference
, bytes
) != 0) {
1572 "BN_bn2bin_padded gave a bad result.\n");
1575 /* Pad up one byte extra. */
1576 if (!BN_bn2bin_padded(out
, bytes
+ 1, n
)
1577 || memcmp(out
+ 1, reference
, bytes
)
1578 || memcmp(out
, zeros
, 1)) {
1580 "BN_bn2bin_padded gave a bad result.\n");
1583 /* Pad up to 256. */
1584 if (!BN_bn2bin_padded(out
, sizeof(out
), n
)
1585 || memcmp(out
+ sizeof(out
) - bytes
, reference
, bytes
)
1586 || memcmp(out
, zeros
, sizeof(out
) - bytes
)) {
1588 "BN_bn2bin_padded gave a bad result.\n");
1602 static int test_dec2bn()
1607 int ret
= parsedecBN(&bn
, "0");
1608 if (ret
!= 1 || !BN_is_zero(bn
) || BN_is_negative(bn
)) {
1609 fprintf(stderr
, "BN_dec2bn(0) gave a bad result.\n");
1614 ret
= parsedecBN(&bn
, "256");
1615 if (ret
!= 3 || !BN_is_word(bn
, 256) || BN_is_negative(bn
)) {
1616 fprintf(stderr
, "BN_dec2bn(256) gave a bad result.\n");
1621 ret
= parsedecBN(&bn
, "-42");
1622 if (ret
!= 3 || !BN_abs_is_word(bn
, 42) || !BN_is_negative(bn
)) {
1623 fprintf(stderr
, "BN_dec2bn(42) gave a bad result.\n");
1628 ret
= parsedecBN(&bn
, "-0");
1629 if (ret
!= 2 || !BN_is_zero(bn
) || BN_is_negative(bn
)) {
1630 fprintf(stderr
, "BN_dec2bn(-0) gave a bad result.\n");
1635 ret
= parsedecBN(&bn
, "42trailing garbage is ignored");
1636 if (ret
!= 2 || !BN_abs_is_word(bn
, 42)
1637 || BN_is_negative(bn
)) {
1638 fprintf(stderr
, "BN_dec2bn(42trailing...) gave a bad result.\n");
1648 static int test_hex2bn()
1653 ret
= parseBN(&bn
, "0");
1654 if (ret
!= 1 || !BN_is_zero(bn
) || BN_is_negative(bn
)) {
1655 fprintf(stderr
, "BN_hex2bn(0) gave a bad result.\n");
1660 ret
= parseBN(&bn
, "256");
1661 if (ret
!= 3 || !BN_is_word(bn
, 0x256) || BN_is_negative(bn
)) {
1662 fprintf(stderr
, "BN_hex2bn(256) gave a bad result.\n");
1667 ret
= parseBN(&bn
, "-42");
1668 if (ret
!= 3 || !BN_abs_is_word(bn
, 0x42) || !BN_is_negative(bn
)) {
1669 fprintf(stderr
, "BN_hex2bn(-42) gave a bad result.\n");
1674 ret
= parseBN(&bn
, "-0");
1675 if (ret
!= 2 || !BN_is_zero(bn
) || BN_is_negative(bn
)) {
1676 fprintf(stderr
, "BN_hex2bn(-0) gave a bad result.\n");
1681 ret
= parseBN(&bn
, "abctrailing garbage is ignored");
1682 if (ret
!= 3 || !BN_is_word(bn
, 0xabc) || BN_is_negative(bn
)) {
1683 fprintf(stderr
, "BN_hex2bn(abctrail...) gave a bad result.\n");
1693 static int test_asc2bn()
1695 BIGNUM
*bn
= BN_new();
1698 if (!BN_asc2bn(&bn
, "0") || !BN_is_zero(bn
) || BN_is_negative(bn
)) {
1699 fprintf(stderr
, "BN_asc2bn(0) gave a bad result.\n");
1703 if (!BN_asc2bn(&bn
, "256") || !BN_is_word(bn
, 256) || BN_is_negative(bn
)) {
1704 fprintf(stderr
, "BN_asc2bn(256) gave a bad result.\n");
1708 if (!BN_asc2bn(&bn
, "-42")
1709 || !BN_abs_is_word(bn
, 42) || !BN_is_negative(bn
)) {
1710 fprintf(stderr
, "BN_asc2bn(-42) gave a bad result.\n");
1714 if (!BN_asc2bn(&bn
, "0x1234")
1715 || !BN_is_word(bn
, 0x1234) || BN_is_negative(bn
)) {
1716 fprintf(stderr
, "BN_asc2bn(0x1234) gave a bad result.\n");
1720 if (!BN_asc2bn(&bn
, "0X1234")
1721 || !BN_is_word(bn
, 0x1234) || BN_is_negative(bn
)) {
1722 fprintf(stderr
, "BN_asc2bn(0X1234) gave a bad result.\n");
1726 if (!BN_asc2bn(&bn
, "-0xabcd")
1727 || !BN_abs_is_word(bn
, 0xabcd) || !BN_is_negative(bn
)) {
1728 fprintf(stderr
, "BN_asc2bn(-0xabcd) gave a bad result.\n");
1732 if (!BN_asc2bn(&bn
, "-0") || !BN_is_zero(bn
) || BN_is_negative(bn
)) {
1733 fprintf(stderr
, "BN_asc2bn(-0) gave a bad result.\n");
1737 if (!BN_asc2bn(&bn
, "123trailing garbage is ignored")
1738 || !BN_is_word(bn
, 123) || BN_is_negative(bn
)) {
1739 fprintf(stderr
, "BN_asc2bn(123trail...) gave a bad result.\n");
1749 static const MPITEST kMPITests
[] = {
1750 {"0", "\x00\x00\x00\x00", 4},
1751 {"1", "\x00\x00\x00\x01\x01", 5},
1752 {"-1", "\x00\x00\x00\x01\x81", 5},
1753 {"128", "\x00\x00\x00\x02\x00\x80", 6},
1754 {"256", "\x00\x00\x00\x02\x01\x00", 6},
1755 {"-256", "\x00\x00\x00\x02\x81\x00", 6},
1758 static int test_mpi()
1761 int i
= (int)sizeof(kMPITests
) / sizeof(kMPITests
[0]);
1762 const MPITEST
*test
= kMPITests
;
1763 size_t mpi_len
, mpi_len2
;
1764 BIGNUM
*bn
= BN_new();
1768 for ( ; --i
>= 0; test
++) {
1769 if (!BN_asc2bn(&bn
, test
->base10
)) {
1770 fprintf(stderr
, "Can't convert %s\n", test
->base10
);
1773 mpi_len
= BN_bn2mpi(bn
, NULL
);
1774 if (mpi_len
> sizeof (scratch
)) {
1776 "MPI test #%u: MPI size is too large to test.\n",
1781 mpi_len2
= BN_bn2mpi(bn
, scratch
);
1782 if (mpi_len
!= mpi_len2
) {
1783 fprintf(stderr
, "MPI test #%u: length changes.\n",
1788 if (mpi_len
!= test
->mpi_len
1789 || memcmp(test
->mpi
, scratch
, mpi_len
) != 0) {
1790 fprintf(stderr
, "MPI test #%u failed:\n", (unsigned)i
);
1794 bn2
= BN_mpi2bn(scratch
, mpi_len
, NULL
);
1796 fprintf(stderr
, "MPI test #%u: failed to parse\n",
1801 if (BN_cmp(bn
, bn2
) != 0) {
1802 fprintf(stderr
, "MPI test #%u: wrong result\n",
1816 static int test_rand()
1818 BIGNUM
*bn
= BN_new();
1825 * Test BN_rand for degenerate cases with |top| and |bottom| parameters.
1827 if (BN_rand(bn
, 0, 0 /* top */ , 0 /* bottom */ )) {
1828 fprintf(stderr
, "BN_rand1 gave a bad result.\n");
1831 if (BN_rand(bn
, 0, 1 /* top */ , 1 /* bottom */ )) {
1832 fprintf(stderr
, "BN_rand2 gave a bad result.\n");
1836 if (!BN_rand(bn
, 1, 0 /* top */ , 0 /* bottom */ ) || !BN_is_word(bn
, 1)) {
1837 fprintf(stderr
, "BN_rand3 gave a bad result.\n");
1840 if (BN_rand(bn
, 1, 1 /* top */ , 0 /* bottom */ )) {
1841 fprintf(stderr
, "BN_rand4 gave a bad result.\n");
1844 if (!BN_rand(bn
, 1, -1 /* top */ , 1 /* bottom */ ) || !BN_is_word(bn
, 1)) {
1845 fprintf(stderr
, "BN_rand5 gave a bad result.\n");
1849 if (!BN_rand(bn
, 2, 1 /* top */ , 0 /* bottom */ ) || !BN_is_word(bn
, 3)) {
1850 fprintf(stderr
, "BN_rand6 gave a bad result.\n");
1860 static int test_negzero()
1862 BIGNUM
*a
= BN_new();
1863 BIGNUM
*b
= BN_new();
1864 BIGNUM
*c
= BN_new();
1865 BIGNUM
*d
= BN_new();
1866 BIGNUM
*numerator
= NULL
, *denominator
= NULL
;
1867 int consttime
, st
= 0;
1869 if (a
== NULL
|| b
== NULL
|| c
== NULL
|| d
== NULL
)
1872 /* Test that BN_mul never gives negative zero. */
1873 if (!BN_set_word(a
, 1))
1875 BN_set_negative(a
, 1);
1877 if (!BN_mul(c
, a
, b
, ctx
))
1879 if (!BN_is_zero(c
) || BN_is_negative(c
)) {
1880 fprintf(stderr
, "Multiplication test failed!\n");
1884 for (consttime
= 0; consttime
< 2; consttime
++) {
1885 numerator
= BN_new();
1886 denominator
= BN_new();
1887 if (numerator
== NULL
|| denominator
== NULL
)
1890 BN_set_flags(numerator
, BN_FLG_CONSTTIME
);
1891 BN_set_flags(denominator
, BN_FLG_CONSTTIME
);
1893 /* Test that BN_div never gives negative zero in the quotient. */
1894 if (!BN_set_word(numerator
, 1) || !BN_set_word(denominator
, 2))
1896 BN_set_negative(numerator
, 1);
1897 if (!BN_div(a
, b
, numerator
, denominator
, ctx
))
1899 if (!BN_is_zero(a
) || BN_is_negative(a
)) {
1900 fprintf(stderr
, "Incorrect quotient (consttime = %d).\n",
1905 /* Test that BN_div never gives negative zero in the remainder. */
1906 if (!BN_set_word(denominator
, 1))
1908 if (!BN_div(a
, b
, numerator
, denominator
, ctx
))
1910 if (!BN_is_zero(b
) || BN_is_negative(b
)) {
1911 fprintf(stderr
, "Incorrect remainder (consttime = %d).\n",
1916 BN_free(denominator
);
1917 numerator
= denominator
= NULL
;
1920 /* Test that BN_set_negative will not produce a negative zero. */
1922 BN_set_negative(a
, 1);
1923 if (BN_is_negative(a
)) {
1924 fprintf(stderr
, "BN_set_negative produced a negative zero.\n");
1935 BN_free(denominator
);
1939 static int test_badmod()
1941 BIGNUM
*a
= BN_new();
1942 BIGNUM
*b
= BN_new();
1943 BIGNUM
*zero
= BN_new();
1944 BN_MONT_CTX
*mont
= BN_MONT_CTX_new();
1947 if (a
== NULL
|| b
== NULL
|| zero
== NULL
|| mont
== NULL
)
1951 if (BN_div(a
, b
, BN_value_one(), zero
, ctx
)) {
1952 fprintf(stderr
, "Division by zero succeeded!\n");
1957 if (BN_mod_mul(a
, BN_value_one(), BN_value_one(), zero
, ctx
)) {
1958 fprintf(stderr
, "BN_mod_mul with zero modulus succeeded!\n");
1963 if (BN_mod_exp(a
, BN_value_one(), BN_value_one(), zero
, ctx
)) {
1964 fprintf(stderr
, "BN_mod_exp with zero modulus succeeded!\n");
1969 if (BN_mod_exp_mont(a
, BN_value_one(), BN_value_one(), zero
, ctx
, NULL
)) {
1970 fprintf(stderr
, "BN_mod_exp_mont with zero modulus succeeded!\n");
1975 if (BN_mod_exp_mont_consttime(a
, BN_value_one(), BN_value_one(),
1978 "BN_mod_exp_mont_consttime with zero modulus succeeded!\n");
1983 if (BN_MONT_CTX_set(mont
, zero
, ctx
)) {
1984 fprintf(stderr
, "BN_MONT_CTX_set succeeded for zero modulus!\n");
1989 /* Some operations also may not be used with an even modulus. */
1990 if (!BN_set_word(b
, 16))
1993 if (BN_MONT_CTX_set(mont
, b
, ctx
)) {
1995 "BN_MONT_CTX_set succeeded for even modulus!\n");
2000 if (BN_mod_exp_mont(a
, BN_value_one(), BN_value_one(), b
, ctx
, NULL
)) {
2002 "BN_mod_exp_mont with even modulus succeeded!\n");
2007 if (BN_mod_exp_mont_consttime(a
, BN_value_one(), BN_value_one(),
2010 "BN_mod_exp_mont_consttime with even modulus succeeded!\n");
2020 BN_MONT_CTX_free(mont
);
2024 static int test_expmodzero()
2026 BIGNUM
*zero
= BN_new();
2027 BIGNUM
*a
= BN_new();
2028 BIGNUM
*r
= BN_new();
2031 if (zero
== NULL
|| a
== NULL
|| r
== NULL
|| !BN_rand(a
, 1024, 0, 0))
2035 if (!BN_mod_exp(r
, a
, zero
, BN_value_one(), NULL
)
2037 || !BN_mod_exp_mont(r
, a
, zero
, BN_value_one(), NULL
, NULL
)
2039 || !BN_mod_exp_mont_consttime(r
, a
, zero
, BN_value_one(), NULL
, NULL
)
2041 || !BN_mod_exp_mont_word(r
, 42, zero
, BN_value_one(), NULL
, NULL
)
2053 static int test_smallprime()
2055 static const int kBits
= 10;
2056 BIGNUM
*r
= BN_new();
2060 || !BN_generate_prime_ex(r
, (int)kBits
, 0, NULL
, NULL
, NULL
))
2062 if (BN_num_bits(r
) != kBits
) {
2063 fprintf(stderr
, "Expected %u bit prime, got %u bit number\n",
2064 kBits
, BN_num_bits(r
));
2075 /* Delete leading and trailing spaces from a string */
2076 static char *strip_spaces(char *p
)
2080 /* Skip over leading spaces */
2081 while (*p
&& isspace(*p
))
2086 for (q
= p
+ strlen(p
) - 1; q
!= p
&& isspace(*q
); )
2088 return *p
? p
: NULL
;
2092 * Read next test stanza; return 1 if found, 0 on EOF or error.
2094 static int readstanza(STANZA
*s
, int *linesread
)
2096 PAIR
*pp
= s
->pairs
;
2097 char *p
, *equals
, *key
, *value
;
2100 while (fgets(buff
, sizeof(buff
), fp
) != NULL
) {
2102 if ((p
= strchr(buff
, '\n')) == NULL
) {
2103 fprintf(stderr
, "Line %d too long.\n", s
->start
);
2108 /* Blank line marks end of tests. */
2109 if (buff
[0] == '\0')
2112 /* Lines starting with a pound sign are ignored. */
2116 if ((equals
= strchr(buff
, '=')) == NULL
) {
2117 fprintf(stderr
, "Line %d missing equals.\n", s
->start
);
2122 key
= strip_spaces(buff
);
2123 value
= strip_spaces(equals
);
2124 if (key
== NULL
|| value
== NULL
) {
2125 fprintf(stderr
, "Line %d missing field.\n", s
->start
);
2129 if (s
->numpairs
>= MAXPAIRS
) {
2130 fprintf(stderr
, "Line %d too many lines\n", s
->start
);
2133 pp
->key
= OPENSSL_strdup(key
);
2134 pp
->value
= OPENSSL_strdup(value
);
2138 /* If we read anything, return ok. */
2142 static void clearstanza(STANZA
*s
)
2144 PAIR
*pp
= s
->pairs
;
2145 int i
= s
->numpairs
;
2146 int start
= s
->start
;
2148 for ( ; --i
>= 0; pp
++) {
2149 OPENSSL_free(pp
->key
);
2150 OPENSSL_free(pp
->value
);
2152 memset(s
, 0, sizeof(*s
));
2156 static int file_test_run(STANZA
*s
)
2158 static const FILETEST filetests
[] = {
2160 {"LShift1", file_lshift1
},
2161 {"LShift", file_lshift
},
2162 {"RShift", file_rshift
},
2163 {"Square", file_square
},
2164 {"Product", file_product
},
2165 {"Quotient", file_quotient
},
2166 {"ModMul", file_modmul
},
2167 {"ModExp", file_modexp
},
2169 {"ModSqrt", file_modsqrt
},
2171 int numtests
= OSSL_NELEM(filetests
);
2172 const FILETEST
*tp
= filetests
;
2174 for ( ; --numtests
>= 0; tp
++) {
2175 if (findattr(s
, tp
->name
) != NULL
)
2178 fprintf(stderr
, "Unknown test at %d\n", s
->start
);
2182 static int file_tests()
2185 int linesread
= 0, result
= 0;
2187 /* Read test file. */
2188 memset(&s
, 0, sizeof(s
));
2189 while (!feof(fp
) && readstanza(&s
, &linesread
)) {
2190 if (s
.numpairs
== 0)
2192 if (!file_test_run(&s
)) {
2194 fprintf(stderr
, "Test at %d failed\n", s
.start
);
2198 s
.start
= linesread
;
2206 int test_main(int argc
, char *argv
[])
2208 static const char rnd_seed
[] =
2209 "If not seeded, BN_generate_prime might fail";
2213 fprintf(stderr
, "%s TEST_FILE\n", argv
[0]);
2218 ADD_TEST(test_div_recip
);
2220 ADD_TEST(test_modexp_mont5
);
2221 ADD_TEST(test_kronecker
);
2222 ADD_TEST(test_rand
);
2223 ADD_TEST(test_bn2padded
);
2224 ADD_TEST(test_dec2bn
);
2225 ADD_TEST(test_hex2bn
);
2226 ADD_TEST(test_asc2bn
);
2228 ADD_TEST(test_negzero
);
2229 ADD_TEST(test_badmod
);
2230 ADD_TEST(test_expmodzero
);
2231 ADD_TEST(test_smallprime
);
2232 #ifndef OPENSSL_NO_EC2M
2233 ADD_TEST(test_gf2m_add
);
2234 ADD_TEST(test_gf2m_mod
);
2235 ADD_TEST(test_gf2m_mul
);
2236 ADD_TEST(test_gf2m_sqr
);
2237 ADD_TEST(test_gf2m_modinv
);
2238 ADD_TEST(test_gf2m_moddiv
);
2239 ADD_TEST(test_gf2m_modexp
);
2240 ADD_TEST(test_gf2m_modsqrt
);
2241 ADD_TEST(test_gf2m_modsolvequad
);
2243 ADD_TEST(file_tests
);
2245 RAND_seed(rnd_seed
, sizeof rnd_seed
);
2247 TEST_check(ctx
!= NULL
);
2249 fp
= fopen(argv
[1], "r");
2250 TEST_check(fp
!= NULL
);
2251 result
= run_tests(argv
[0]);