]>
git.ipfire.org Git - thirdparty/openssl.git/blob - test/bntest.c
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
13 * Portions of the attached software ("Contribution") are developed by
14 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
16 * The Contribution is licensed pursuant to the Eric Young open source
17 * license provided above.
19 * The binary polynomial arithmetic software is originally written by
20 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
30 #include <openssl/bio.h>
31 #include <openssl/bn.h>
32 #include <openssl/rand.h>
33 #include <openssl/x509.h>
34 #include <openssl/err.h>
37 * In bn_lcl.h, bn_expand() is defined as a static ossl_inline function.
38 * This is fine in itself, it will end up as an unused static function in
39 * the worst case. However, it referenses bn_expand2(), which is a private
40 * function in libcrypto and therefore unavailable on some systems. This
41 * may result in a linker error because of unresolved symbols.
43 * To avoid this, we define a dummy variant of bn_expand2() here, and to
44 * avoid possible clashes with libcrypto, we rename it first, using a macro.
46 #define bn_expand2 dummy_bn_expand2
47 BIGNUM
*bn_expand2(BIGNUM
*b
, int words
);
48 BIGNUM
*bn_expand2(BIGNUM
*b
, int words
) { return NULL
; }
50 #include "../crypto/bn/bn_lcl.h"
52 static const int num0
= 100; /* number of tests */
53 static const int num1
= 50; /* additional tests for some functions */
54 static const int num2
= 5; /* number of tests for slow functions */
56 int test_add(BIO
*bp
);
57 int test_sub(BIO
*bp
);
58 int test_lshift1(BIO
*bp
);
59 int test_lshift(BIO
*bp
, BN_CTX
*ctx
, BIGNUM
*a_
);
60 int test_rshift1(BIO
*bp
);
61 int test_rshift(BIO
*bp
, BN_CTX
*ctx
);
62 int test_div(BIO
*bp
, BN_CTX
*ctx
);
63 int test_div_word(BIO
*bp
);
64 int test_div_recp(BIO
*bp
, BN_CTX
*ctx
);
65 int test_mul(BIO
*bp
);
66 int test_sqr(BIO
*bp
, BN_CTX
*ctx
);
67 int test_mont(BIO
*bp
, BN_CTX
*ctx
);
68 int test_mod(BIO
*bp
, BN_CTX
*ctx
);
69 int test_mod_mul(BIO
*bp
, BN_CTX
*ctx
);
70 int test_mod_exp(BIO
*bp
, BN_CTX
*ctx
);
71 int test_mod_exp_mont_consttime(BIO
*bp
, BN_CTX
*ctx
);
72 int test_mod_exp_mont5(BIO
*bp
, BN_CTX
*ctx
);
73 int test_exp(BIO
*bp
, BN_CTX
*ctx
);
74 int test_gf2m_add(BIO
*bp
);
75 int test_gf2m_mod(BIO
*bp
);
76 int test_gf2m_mod_mul(BIO
*bp
, BN_CTX
*ctx
);
77 int test_gf2m_mod_sqr(BIO
*bp
, BN_CTX
*ctx
);
78 int test_gf2m_mod_inv(BIO
*bp
, BN_CTX
*ctx
);
79 int test_gf2m_mod_div(BIO
*bp
, BN_CTX
*ctx
);
80 int test_gf2m_mod_exp(BIO
*bp
, BN_CTX
*ctx
);
81 int test_gf2m_mod_sqrt(BIO
*bp
, BN_CTX
*ctx
);
82 int test_gf2m_mod_solve_quad(BIO
*bp
, BN_CTX
*ctx
);
83 int test_kron(BIO
*bp
, BN_CTX
*ctx
);
84 int test_sqrt(BIO
*bp
, BN_CTX
*ctx
);
85 int test_small_prime(BIO
*bp
, BN_CTX
*ctx
);
86 int test_bn2dec(BIO
*bp
);
88 static int results
= 0;
90 static unsigned char lst
[] =
91 "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
92 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
94 static const char rnd_seed
[] =
95 "string to make the random number generator think it has entropy";
97 static void message(BIO
*out
, char *m
)
99 fprintf(stderr
, "test %s\n", m
);
100 BIO_puts(out
, "print \"test ");
102 BIO_puts(out
, "\\n\"\n");
105 int main(int argc
, char *argv
[])
109 char *outfile
= NULL
;
111 CRYPTO_set_mem_debug(1);
112 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON
);
116 RAND_seed(rnd_seed
, sizeof rnd_seed
); /* or BN_generate_prime may fail */
121 if (strcmp(*argv
, "-results") == 0)
123 else if (strcmp(*argv
, "-out") == 0) {
136 out
= BIO_new(BIO_s_file());
139 if (outfile
== NULL
) {
140 BIO_set_fp(out
, stdout
, BIO_NOCLOSE
| BIO_FP_TEXT
);
142 if (!BIO_write_filename(out
, outfile
)) {
147 #ifdef OPENSSL_SYS_VMS
149 BIO
*tmpbio
= BIO_new(BIO_f_linebuffer());
150 out
= BIO_push(tmpbio
, out
);
155 BIO_puts(out
, "obase=16\nibase=16\n");
157 message(out
, "BN_add");
160 (void)BIO_flush(out
);
162 message(out
, "BN_sub");
165 (void)BIO_flush(out
);
167 message(out
, "BN_lshift1");
168 if (!test_lshift1(out
))
170 (void)BIO_flush(out
);
172 message(out
, "BN_lshift (fixed)");
173 if (!test_lshift(out
, ctx
, BN_bin2bn(lst
, sizeof(lst
) - 1, NULL
)))
175 (void)BIO_flush(out
);
177 message(out
, "BN_lshift");
178 if (!test_lshift(out
, ctx
, NULL
))
180 (void)BIO_flush(out
);
182 message(out
, "BN_rshift1");
183 if (!test_rshift1(out
))
185 (void)BIO_flush(out
);
187 message(out
, "BN_rshift");
188 if (!test_rshift(out
, ctx
))
190 (void)BIO_flush(out
);
192 message(out
, "BN_sqr");
193 if (!test_sqr(out
, ctx
))
195 (void)BIO_flush(out
);
197 message(out
, "BN_mul");
200 (void)BIO_flush(out
);
202 message(out
, "BN_div");
203 if (!test_div(out
, ctx
))
205 (void)BIO_flush(out
);
207 message(out
, "BN_div_word");
208 if (!test_div_word(out
))
210 (void)BIO_flush(out
);
212 message(out
, "BN_div_recp");
213 if (!test_div_recp(out
, ctx
))
215 (void)BIO_flush(out
);
217 message(out
, "BN_mod");
218 if (!test_mod(out
, ctx
))
220 (void)BIO_flush(out
);
222 message(out
, "BN_mod_mul");
223 if (!test_mod_mul(out
, ctx
))
225 (void)BIO_flush(out
);
227 message(out
, "BN_mont");
228 if (!test_mont(out
, ctx
))
230 (void)BIO_flush(out
);
232 message(out
, "BN_mod_exp");
233 if (!test_mod_exp(out
, ctx
))
235 (void)BIO_flush(out
);
237 message(out
, "BN_mod_exp_mont_consttime");
238 if (!test_mod_exp_mont_consttime(out
, ctx
))
240 if (!test_mod_exp_mont5(out
, ctx
))
242 (void)BIO_flush(out
);
244 message(out
, "BN_exp");
245 if (!test_exp(out
, ctx
))
247 (void)BIO_flush(out
);
249 message(out
, "BN_kronecker");
250 if (!test_kron(out
, ctx
))
252 (void)BIO_flush(out
);
254 message(out
, "BN_mod_sqrt");
255 if (!test_sqrt(out
, ctx
))
257 (void)BIO_flush(out
);
259 message(out
, "Small prime generation");
260 if (!test_small_prime(out
, ctx
))
262 (void)BIO_flush(out
);
264 message(out
, "BN_bn2dec");
265 if (!test_bn2dec(out
))
267 (void)BIO_flush(out
);
269 #ifndef OPENSSL_NO_EC2M
270 message(out
, "BN_GF2m_add");
271 if (!test_gf2m_add(out
))
273 (void)BIO_flush(out
);
275 message(out
, "BN_GF2m_mod");
276 if (!test_gf2m_mod(out
))
278 (void)BIO_flush(out
);
280 message(out
, "BN_GF2m_mod_mul");
281 if (!test_gf2m_mod_mul(out
, ctx
))
283 (void)BIO_flush(out
);
285 message(out
, "BN_GF2m_mod_sqr");
286 if (!test_gf2m_mod_sqr(out
, ctx
))
288 (void)BIO_flush(out
);
290 message(out
, "BN_GF2m_mod_inv");
291 if (!test_gf2m_mod_inv(out
, ctx
))
293 (void)BIO_flush(out
);
295 message(out
, "BN_GF2m_mod_div");
296 if (!test_gf2m_mod_div(out
, ctx
))
298 (void)BIO_flush(out
);
300 message(out
, "BN_GF2m_mod_exp");
301 if (!test_gf2m_mod_exp(out
, ctx
))
303 (void)BIO_flush(out
);
305 message(out
, "BN_GF2m_mod_sqrt");
306 if (!test_gf2m_mod_sqrt(out
, ctx
))
308 (void)BIO_flush(out
);
310 message(out
, "BN_GF2m_mod_solve_quad");
311 if (!test_gf2m_mod_solve_quad(out
, ctx
))
313 (void)BIO_flush(out
);
318 ERR_print_errors_fp(stderr
);
320 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
321 if (CRYPTO_mem_leaks_fp(stderr
) <= 0)
326 BIO_puts(out
, "1\n"); /* make sure the Perl script fed by bc
327 * notices the failure, see test_bn in
328 * test/Makefile.ssl */
329 (void)BIO_flush(out
);
333 ERR_print_errors_fp(stderr
);
337 int test_add(BIO
*bp
)
346 BN_bntest_rand(a
, 512, 0, 0);
347 for (i
= 0; i
< num0
; i
++) {
348 BN_bntest_rand(b
, 450 + i
, 0, 0);
366 if (!BN_is_zero(c
)) {
367 fprintf(stderr
, "Add test failed!\n");
377 int test_sub(BIO
*bp
)
386 for (i
= 0; i
< num0
+ num1
; i
++) {
388 BN_bntest_rand(a
, 512, 0, 0);
390 if (BN_set_bit(a
, i
) == 0)
394 BN_bntest_rand(b
, 400 + i
- num1
, 0, 0);
411 if (!BN_is_zero(c
)) {
412 fprintf(stderr
, "Subtract test failed!\n");
422 int test_div(BIO
*bp
, BN_CTX
*ctx
)
424 BIGNUM
*a
, *b
, *c
, *d
, *e
;
436 if (BN_div(d
, c
, a
, b
, ctx
)) {
437 fprintf(stderr
, "Division by zero succeeded!\n");
441 for (i
= 0; i
< num0
+ num1
; i
++) {
443 BN_bntest_rand(a
, 400, 0, 0);
448 BN_bntest_rand(b
, 50 + 3 * (i
- num1
), 0, 0);
451 BN_div(d
, c
, a
, b
, ctx
);
471 BN_mul(e
, d
, b
, ctx
);
474 if (!BN_is_zero(d
)) {
475 fprintf(stderr
, "Division test failed!\n");
487 static void print_word(BIO
*bp
, BN_ULONG w
)
489 int i
= sizeof(w
) * 8;
495 byte
= (unsigned char)(w
>> i
);
497 fmt
= byte
? "%X" : NULL
;
502 BIO_printf(bp
, fmt
, byte
);
505 /* If we haven't printed anything, at least print a zero! */
510 int test_div_word(BIO
*bp
)
519 for (i
= 0; i
< num0
; i
++) {
521 BN_bntest_rand(a
, 512, -1, 0);
522 BN_bntest_rand(b
, BN_BITS2
, -1, 0);
523 } while (BN_is_zero(b
));
527 rmod
= BN_mod_word(b
, s
);
528 r
= BN_div_word(b
, s
);
531 fprintf(stderr
, "Mod (word) test failed!\n");
557 if (!BN_is_zero(b
)) {
558 fprintf(stderr
, "Division (word) test failed!\n");
567 int test_div_recp(BIO
*bp
, BN_CTX
*ctx
)
569 BIGNUM
*a
, *b
, *c
, *d
, *e
;
573 recp
= BN_RECP_CTX_new();
580 for (i
= 0; i
< num0
+ num1
; i
++) {
582 BN_bntest_rand(a
, 400, 0, 0);
587 BN_bntest_rand(b
, 50 + 3 * (i
- num1
), 0, 0);
590 BN_RECP_CTX_set(recp
, b
, ctx
);
591 BN_div_recp(d
, c
, a
, recp
, ctx
);
611 BN_mul(e
, d
, b
, ctx
);
614 if (!BN_is_zero(d
)) {
615 fprintf(stderr
, "Reciprocal division test failed!\n");
616 fprintf(stderr
, "a=");
617 BN_print_fp(stderr
, a
);
618 fprintf(stderr
, "\nb=");
619 BN_print_fp(stderr
, b
);
620 fprintf(stderr
, "\n");
629 BN_RECP_CTX_free(recp
);
633 int test_mul(BIO
*bp
)
635 BIGNUM
*a
, *b
, *c
, *d
, *e
;
649 for (i
= 0; i
< num0
+ num1
; i
++) {
651 BN_bntest_rand(a
, 100, 0, 0);
652 BN_bntest_rand(b
, 100, 0, 0);
654 BN_bntest_rand(b
, i
- num1
, 0, 0);
657 BN_mul(c
, a
, b
, ctx
);
668 BN_div(d
, e
, c
, a
, ctx
);
670 if (!BN_is_zero(d
) || !BN_is_zero(e
)) {
671 fprintf(stderr
, "Multiplication test failed!\n");
684 int test_sqr(BIO
*bp
, BN_CTX
*ctx
)
686 BIGNUM
*a
, *c
, *d
, *e
;
693 if (a
== NULL
|| c
== NULL
|| d
== NULL
|| e
== NULL
) {
697 for (i
= 0; i
< num0
; i
++) {
698 BN_bntest_rand(a
, 40 + i
* 10, 0, 0);
711 BN_div(d
, e
, c
, a
, ctx
);
713 if (!BN_is_zero(d
) || !BN_is_zero(e
)) {
714 fprintf(stderr
, "Square test failed!\n");
719 /* Regression test for a BN_sqr overflow bug. */
721 "80000000000000008000000000000001"
722 "FFFFFFFFFFFFFFFE0000000000000000");
734 BN_mul(d
, a
, a
, ctx
);
736 fprintf(stderr
, "Square test failed: BN_sqr and BN_mul produce "
737 "different results!\n");
741 /* Regression test for a BN_sqr overflow bug. */
743 "80000000000000000000000080000001"
744 "FFFFFFFE000000000000000000000000");
756 BN_mul(d
, a
, a
, ctx
);
758 fprintf(stderr
, "Square test failed: BN_sqr and BN_mul produce "
759 "different results!\n");
771 int test_mont(BIO
*bp
, BN_CTX
*ctx
)
773 BIGNUM
*a
, *b
, *c
, *d
, *A
, *B
;
786 mont
= BN_MONT_CTX_new();
791 if (BN_MONT_CTX_set(mont
, n
, ctx
)) {
792 fprintf(stderr
, "BN_MONT_CTX_set succeeded for zero modulus!\n");
797 if (BN_MONT_CTX_set(mont
, n
, ctx
)) {
798 fprintf(stderr
, "BN_MONT_CTX_set succeeded for even modulus!\n");
802 BN_bntest_rand(a
, 100, 0, 0);
803 BN_bntest_rand(b
, 100, 0, 0);
804 for (i
= 0; i
< num2
; i
++) {
805 int bits
= (200 * (i
+ 1)) / num2
;
809 BN_bntest_rand(n
, bits
, 0, 1);
810 BN_MONT_CTX_set(mont
, n
, ctx
);
812 BN_nnmod(a
, a
, n
, ctx
);
813 BN_nnmod(b
, b
, n
, ctx
);
815 BN_to_montgomery(A
, a
, mont
, ctx
);
816 BN_to_montgomery(B
, b
, mont
, ctx
);
818 BN_mod_mul_montgomery(c
, A
, B
, mont
, ctx
);
819 BN_from_montgomery(A
, c
, mont
, ctx
);
826 BN_print(bp
, &mont
->N
);
832 BN_mod_mul(d
, a
, b
, n
, ctx
);
834 if (!BN_is_zero(d
)) {
835 fprintf(stderr
, "Montgomery multiplication test failed!\n");
839 BN_MONT_CTX_free(mont
);
850 int test_mod(BIO
*bp
, BN_CTX
*ctx
)
852 BIGNUM
*a
, *b
, *c
, *d
, *e
;
861 BN_bntest_rand(a
, 1024, 0, 0);
862 for (i
= 0; i
< num0
; i
++) {
863 BN_bntest_rand(b
, 450 + i
* 10, 0, 0);
866 BN_mod(c
, a
, b
, ctx
);
877 BN_div(d
, e
, a
, b
, ctx
);
879 if (!BN_is_zero(e
)) {
880 fprintf(stderr
, "Modulo test failed!\n");
892 int test_mod_mul(BIO
*bp
, BN_CTX
*ctx
)
894 BIGNUM
*a
, *b
, *c
, *d
, *e
;
906 if (BN_mod_mul(e
, a
, b
, c
, ctx
)) {
907 fprintf(stderr
, "BN_mod_mul with zero modulus succeeded!\n");
911 for (j
= 0; j
< 3; j
++) {
912 BN_bntest_rand(c
, 1024, 0, 0);
913 for (i
= 0; i
< num0
; i
++) {
914 BN_bntest_rand(a
, 475 + i
* 10, 0, 0);
915 BN_bntest_rand(b
, 425 + i
* 11, 0, 0);
918 if (!BN_mod_mul(e
, a
, b
, c
, ctx
)) {
921 while ((l
= ERR_get_error()))
922 fprintf(stderr
, "ERROR:%s\n", ERR_error_string(l
, NULL
));
932 if ((a
->neg
^ b
->neg
) && !BN_is_zero(e
)) {
934 * If (a*b) % c is negative, c must be added in order
935 * to obtain the normalized remainder (new with
936 * OpenSSL 0.9.7, previous versions of BN_mod_mul
937 * could generate negative results)
947 BN_mul(d
, a
, b
, ctx
);
949 BN_div(a
, b
, d
, c
, ctx
);
950 if (!BN_is_zero(b
)) {
951 fprintf(stderr
, "Modulo multiply test failed!\n");
952 ERR_print_errors_fp(stderr
);
965 int test_mod_exp(BIO
*bp
, BN_CTX
*ctx
)
967 BIGNUM
*a
, *b
, *c
, *d
, *e
;
979 if (BN_mod_exp(d
, a
, b
, c
, ctx
)) {
980 fprintf(stderr
, "BN_mod_exp with zero modulus succeeded!\n");
984 BN_bntest_rand(c
, 30, 0, 1); /* must be odd for montgomery */
985 for (i
= 0; i
< num2
; i
++) {
986 BN_bntest_rand(a
, 20 + i
* 5, 0, 0);
987 BN_bntest_rand(b
, 2 + i
, 0, 0);
989 if (!BN_mod_exp(d
, a
, b
, c
, ctx
))
1004 BN_exp(e
, a
, b
, ctx
);
1006 BN_div(a
, b
, e
, c
, ctx
);
1007 if (!BN_is_zero(b
)) {
1008 fprintf(stderr
, "Modulo exponentiation test failed!\n");
1013 /* Regression test for carry propagation bug in sqr8x_reduction */
1014 BN_hex2bn(&a
, "050505050505");
1015 BN_hex2bn(&b
, "02");
1017 "4141414141414141414141274141414141414141414141414141414141414141"
1018 "4141414141414141414141414141414141414141414141414141414141414141"
1019 "4141414141414141414141800000000000000000000000000000000000000000"
1020 "0000000000000000000000000000000000000000000000000000000000000000"
1021 "0000000000000000000000000000000000000000000000000000000000000000"
1022 "0000000000000000000000000000000000000000000000000000000001");
1023 BN_mod_exp(d
, a
, b
, c
, ctx
);
1024 BN_mul(e
, a
, a
, ctx
);
1026 fprintf(stderr
, "BN_mod_exp and BN_mul produce different results!\n");
1038 int test_mod_exp_mont_consttime(BIO
*bp
, BN_CTX
*ctx
)
1040 BIGNUM
*a
, *b
, *c
, *d
, *e
;
1052 if (BN_mod_exp_mont_consttime(d
, a
, b
, c
, ctx
, NULL
)) {
1053 fprintf(stderr
, "BN_mod_exp_mont_consttime with zero modulus "
1059 if (BN_mod_exp_mont_consttime(d
, a
, b
, c
, ctx
, NULL
)) {
1060 fprintf(stderr
, "BN_mod_exp_mont_consttime with even modulus "
1065 BN_bntest_rand(c
, 30, 0, 1); /* must be odd for montgomery */
1066 for (i
= 0; i
< num2
; i
++) {
1067 BN_bntest_rand(a
, 20 + i
* 5, 0, 0);
1068 BN_bntest_rand(b
, 2 + i
, 0, 0);
1070 if (!BN_mod_exp_mont_consttime(d
, a
, b
, c
, ctx
, NULL
))
1076 BIO_puts(bp
, " ^ ");
1078 BIO_puts(bp
, " % ");
1080 BIO_puts(bp
, " - ");
1085 BN_exp(e
, a
, b
, ctx
);
1087 BN_div(a
, b
, e
, c
, ctx
);
1088 if (!BN_is_zero(b
)) {
1089 fprintf(stderr
, "Modulo exponentiation test failed!\n");
1102 * Test constant-time modular exponentiation with 1024-bit inputs, which on
1103 * x86_64 cause a different code branch to be taken.
1105 int test_mod_exp_mont5(BIO
*bp
, BN_CTX
*ctx
)
1107 BIGNUM
*a
, *p
, *m
, *d
, *e
;
1115 mont
= BN_MONT_CTX_new();
1117 BN_bntest_rand(m
, 1024, 0, 1); /* must be odd for montgomery */
1119 BN_bntest_rand(a
, 1024, 0, 0);
1121 if (!BN_mod_exp_mont_consttime(d
, a
, p
, m
, ctx
, NULL
))
1123 if (!BN_is_one(d
)) {
1124 fprintf(stderr
, "Modular exponentiation test failed!\n");
1128 BN_bntest_rand(p
, 1024, 0, 0);
1130 if (!BN_mod_exp_mont_consttime(d
, a
, p
, m
, ctx
, NULL
))
1132 if (!BN_is_zero(d
)) {
1133 fprintf(stderr
, "Modular exponentiation test failed!\n");
1137 * Craft an input whose Montgomery representation is 1, i.e., shorter
1138 * than the modulus m, in order to test the const time precomputation
1139 * scattering/gathering.
1142 BN_MONT_CTX_set(mont
, m
, ctx
);
1143 if (!BN_from_montgomery(e
, a
, mont
, ctx
))
1145 if (!BN_mod_exp_mont_consttime(d
, e
, p
, m
, ctx
, NULL
))
1147 if (!BN_mod_exp_simple(a
, e
, p
, m
, ctx
))
1149 if (BN_cmp(a
, d
) != 0) {
1150 fprintf(stderr
, "Modular exponentiation test failed!\n");
1153 /* Finally, some regular test vectors. */
1154 BN_bntest_rand(e
, 1024, 0, 0);
1155 if (!BN_mod_exp_mont_consttime(d
, e
, p
, m
, ctx
, NULL
))
1157 if (!BN_mod_exp_simple(a
, e
, p
, m
, ctx
))
1159 if (BN_cmp(a
, d
) != 0) {
1160 fprintf(stderr
, "Modular exponentiation test failed!\n");
1163 BN_MONT_CTX_free(mont
);
1172 int test_exp(BIO
*bp
, BN_CTX
*ctx
)
1174 BIGNUM
*a
, *b
, *d
, *e
, *one
;
1184 for (i
= 0; i
< num2
; i
++) {
1185 BN_bntest_rand(a
, 20 + i
* 5, 0, 0);
1186 BN_bntest_rand(b
, 2 + i
, 0, 0);
1188 if (BN_exp(d
, a
, b
, ctx
) <= 0)
1194 BIO_puts(bp
, " ^ ");
1196 BIO_puts(bp
, " - ");
1202 for (; !BN_is_zero(b
); BN_sub(b
, b
, one
))
1203 BN_mul(e
, e
, a
, ctx
);
1205 if (!BN_is_zero(e
)) {
1206 fprintf(stderr
, "Exponentiation test failed!\n");
1218 #ifndef OPENSSL_NO_EC2M
1219 int test_gf2m_add(BIO
*bp
)
1228 for (i
= 0; i
< num0
; i
++) {
1229 BN_rand(a
, 512, BN_RAND_TOP_ONE
, BN_RAND_BOTTOM_ANY
);
1230 BN_copy(b
, BN_value_one());
1231 a
->neg
= rand_neg();
1232 b
->neg
= rand_neg();
1233 BN_GF2m_add(c
, a
, b
);
1234 /* Test that two added values have the correct parity. */
1235 if ((BN_is_odd(a
) && BN_is_odd(c
))
1236 || (!BN_is_odd(a
) && !BN_is_odd(c
))) {
1237 fprintf(stderr
, "GF(2^m) addition test (a) failed!\n");
1240 BN_GF2m_add(c
, c
, c
);
1241 /* Test that c + c = 0. */
1242 if (!BN_is_zero(c
)) {
1243 fprintf(stderr
, "GF(2^m) addition test (b) failed!\n");
1255 int test_gf2m_mod(BIO
*bp
)
1257 BIGNUM
*a
, *b
[2], *c
, *d
, *e
;
1259 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1260 int p1
[] = { 193, 15, 0, -1 };
1269 BN_GF2m_arr2poly(p0
, b
[0]);
1270 BN_GF2m_arr2poly(p1
, b
[1]);
1272 for (i
= 0; i
< num0
; i
++) {
1273 BN_bntest_rand(a
, 1024, 0, 0);
1274 for (j
= 0; j
< 2; j
++) {
1275 BN_GF2m_mod(c
, a
, b
[j
]);
1276 BN_GF2m_add(d
, a
, c
);
1277 BN_GF2m_mod(e
, d
, b
[j
]);
1278 /* Test that a + (a mod p) mod p == 0. */
1279 if (!BN_is_zero(e
)) {
1280 fprintf(stderr
, "GF(2^m) modulo test failed!\n");
1296 int test_gf2m_mod_mul(BIO
*bp
, BN_CTX
*ctx
)
1298 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
, *g
, *h
;
1300 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1301 int p1
[] = { 193, 15, 0, -1 };
1313 BN_GF2m_arr2poly(p0
, b
[0]);
1314 BN_GF2m_arr2poly(p1
, b
[1]);
1316 for (i
= 0; i
< num0
; i
++) {
1317 BN_bntest_rand(a
, 1024, 0, 0);
1318 BN_bntest_rand(c
, 1024, 0, 0);
1319 BN_bntest_rand(d
, 1024, 0, 0);
1320 for (j
= 0; j
< 2; j
++) {
1321 BN_GF2m_mod_mul(e
, a
, c
, b
[j
], ctx
);
1322 BN_GF2m_add(f
, a
, d
);
1323 BN_GF2m_mod_mul(g
, f
, c
, b
[j
], ctx
);
1324 BN_GF2m_mod_mul(h
, d
, c
, b
[j
], ctx
);
1325 BN_GF2m_add(f
, e
, g
);
1326 BN_GF2m_add(f
, f
, h
);
1327 /* Test that (a+d)*c = a*c + d*c. */
1328 if (!BN_is_zero(f
)) {
1330 "GF(2^m) modular multiplication test failed!\n");
1349 int test_gf2m_mod_sqr(BIO
*bp
, BN_CTX
*ctx
)
1351 BIGNUM
*a
, *b
[2], *c
, *d
;
1353 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1354 int p1
[] = { 193, 15, 0, -1 };
1362 BN_GF2m_arr2poly(p0
, b
[0]);
1363 BN_GF2m_arr2poly(p1
, b
[1]);
1365 for (i
= 0; i
< num0
; i
++) {
1366 BN_bntest_rand(a
, 1024, 0, 0);
1367 for (j
= 0; j
< 2; j
++) {
1368 BN_GF2m_mod_sqr(c
, a
, b
[j
], ctx
);
1370 BN_GF2m_mod_mul(d
, a
, d
, b
[j
], ctx
);
1371 BN_GF2m_add(d
, c
, d
);
1372 /* Test that a*a = a^2. */
1373 if (!BN_is_zero(d
)) {
1374 fprintf(stderr
, "GF(2^m) modular squaring test failed!\n");
1389 int test_gf2m_mod_inv(BIO
*bp
, BN_CTX
*ctx
)
1391 BIGNUM
*a
, *b
[2], *c
, *d
;
1393 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1394 int p1
[] = { 193, 15, 0, -1 };
1402 BN_GF2m_arr2poly(p0
, b
[0]);
1403 BN_GF2m_arr2poly(p1
, b
[1]);
1405 for (i
= 0; i
< num0
; i
++) {
1406 BN_bntest_rand(a
, 512, 0, 0);
1407 for (j
= 0; j
< 2; j
++) {
1408 BN_GF2m_mod_inv(c
, a
, b
[j
], ctx
);
1409 BN_GF2m_mod_mul(d
, a
, c
, b
[j
], ctx
);
1410 /* Test that ((1/a)*a) = 1. */
1411 if (!BN_is_one(d
)) {
1412 fprintf(stderr
, "GF(2^m) modular inversion test failed!\n");
1427 int test_gf2m_mod_div(BIO
*bp
, BN_CTX
*ctx
)
1429 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
1431 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1432 int p1
[] = { 193, 15, 0, -1 };
1442 BN_GF2m_arr2poly(p0
, b
[0]);
1443 BN_GF2m_arr2poly(p1
, b
[1]);
1445 for (i
= 0; i
< num0
; i
++) {
1446 BN_bntest_rand(a
, 512, 0, 0);
1447 BN_bntest_rand(c
, 512, 0, 0);
1448 for (j
= 0; j
< 2; j
++) {
1449 BN_GF2m_mod_div(d
, a
, c
, b
[j
], ctx
);
1450 BN_GF2m_mod_mul(e
, d
, c
, b
[j
], ctx
);
1451 BN_GF2m_mod_div(f
, a
, e
, b
[j
], ctx
);
1452 /* Test that ((a/c)*c)/a = 1. */
1453 if (!BN_is_one(f
)) {
1454 fprintf(stderr
, "GF(2^m) modular division test failed!\n");
1471 int test_gf2m_mod_exp(BIO
*bp
, BN_CTX
*ctx
)
1473 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
1475 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1476 int p1
[] = { 193, 15, 0, -1 };
1486 BN_GF2m_arr2poly(p0
, b
[0]);
1487 BN_GF2m_arr2poly(p1
, b
[1]);
1489 for (i
= 0; i
< num0
; i
++) {
1490 BN_bntest_rand(a
, 512, 0, 0);
1491 BN_bntest_rand(c
, 512, 0, 0);
1492 BN_bntest_rand(d
, 512, 0, 0);
1493 for (j
= 0; j
< 2; j
++) {
1494 BN_GF2m_mod_exp(e
, a
, c
, b
[j
], ctx
);
1495 BN_GF2m_mod_exp(f
, a
, d
, b
[j
], ctx
);
1496 BN_GF2m_mod_mul(e
, e
, f
, b
[j
], ctx
);
1498 BN_GF2m_mod_exp(f
, a
, f
, b
[j
], ctx
);
1499 BN_GF2m_add(f
, e
, f
);
1500 /* Test that a^(c+d)=a^c*a^d. */
1501 if (!BN_is_zero(f
)) {
1503 "GF(2^m) modular exponentiation test failed!\n");
1520 int test_gf2m_mod_sqrt(BIO
*bp
, BN_CTX
*ctx
)
1522 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
1524 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1525 int p1
[] = { 193, 15, 0, -1 };
1535 BN_GF2m_arr2poly(p0
, b
[0]);
1536 BN_GF2m_arr2poly(p1
, b
[1]);
1538 for (i
= 0; i
< num0
; i
++) {
1539 BN_bntest_rand(a
, 512, 0, 0);
1540 for (j
= 0; j
< 2; j
++) {
1541 BN_GF2m_mod(c
, a
, b
[j
]);
1542 BN_GF2m_mod_sqrt(d
, a
, b
[j
], ctx
);
1543 BN_GF2m_mod_sqr(e
, d
, b
[j
], ctx
);
1544 BN_GF2m_add(f
, c
, e
);
1545 /* Test that d^2 = a, where d = sqrt(a). */
1546 if (!BN_is_zero(f
)) {
1547 fprintf(stderr
, "GF(2^m) modular square root test failed!\n");
1564 int test_gf2m_mod_solve_quad(BIO
*bp
, BN_CTX
*ctx
)
1566 BIGNUM
*a
, *b
[2], *c
, *d
, *e
;
1567 int i
, j
, s
= 0, t
, ret
= 0;
1568 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1569 int p1
[] = { 193, 15, 0, -1 };
1578 BN_GF2m_arr2poly(p0
, b
[0]);
1579 BN_GF2m_arr2poly(p1
, b
[1]);
1581 for (i
= 0; i
< num0
; i
++) {
1582 BN_bntest_rand(a
, 512, 0, 0);
1583 for (j
= 0; j
< 2; j
++) {
1584 t
= BN_GF2m_mod_solve_quad(c
, a
, b
[j
], ctx
);
1587 BN_GF2m_mod_sqr(d
, c
, b
[j
], ctx
);
1588 BN_GF2m_add(d
, c
, d
);
1589 BN_GF2m_mod(e
, a
, b
[j
]);
1590 BN_GF2m_add(e
, e
, d
);
1592 * Test that solution of quadratic c satisfies c^2 + c = a.
1594 if (!BN_is_zero(e
)) {
1596 "GF(2^m) modular solve quadratic test failed!\n");
1605 "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n",
1608 "this is very unlikely and probably indicates an error.\n");
1622 static int genprime_cb(int p
, int n
, BN_GENCB
*arg
)
1639 int test_kron(BIO
*bp
, BN_CTX
*ctx
)
1642 BIGNUM
*a
, *b
, *r
, *t
;
1644 int legendre
, kronecker
;
1651 if (a
== NULL
|| b
== NULL
|| r
== NULL
|| t
== NULL
)
1654 BN_GENCB_set(&cb
, genprime_cb
, NULL
);
1657 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1658 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1659 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1660 * generate a random prime b and compare these values for a number of
1661 * random a's. (That is, we run the Solovay-Strassen primality test to
1662 * confirm that b is prime, except that we don't want to test whether b
1663 * is prime but whether BN_kronecker works.)
1666 if (!BN_generate_prime_ex(b
, 512, 0, NULL
, NULL
, &cb
))
1668 b
->neg
= rand_neg();
1671 for (i
= 0; i
< num0
; i
++) {
1672 if (!BN_bntest_rand(a
, 512, 0, 0))
1674 a
->neg
= rand_neg();
1676 /* t := (|b|-1)/2 (note that b is odd) */
1680 if (!BN_sub_word(t
, 1))
1682 if (!BN_rshift1(t
, t
))
1684 /* r := a^t mod b */
1687 if (!BN_mod_exp_recp(r
, a
, t
, b
, ctx
))
1691 if (BN_is_word(r
, 1))
1693 else if (BN_is_zero(r
))
1696 if (!BN_add_word(r
, 1))
1698 if (0 != BN_ucmp(r
, b
)) {
1699 fprintf(stderr
, "Legendre symbol computation failed\n");
1705 kronecker
= BN_kronecker(a
, b
, ctx
);
1708 /* we actually need BN_kronecker(a, |b|) */
1709 if (a
->neg
&& b
->neg
)
1710 kronecker
= -kronecker
;
1712 if (legendre
!= kronecker
) {
1713 fprintf(stderr
, "legendre != kronecker; a = ");
1714 BN_print_fp(stderr
, a
);
1715 fprintf(stderr
, ", b = ");
1716 BN_print_fp(stderr
, b
);
1717 fprintf(stderr
, "\n");
1736 int test_sqrt(BIO
*bp
, BN_CTX
*ctx
)
1746 if (a
== NULL
|| p
== NULL
|| r
== NULL
)
1749 BN_GENCB_set(&cb
, genprime_cb
, NULL
);
1751 for (i
= 0; i
< 16; i
++) {
1753 unsigned primes
[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1755 if (!BN_set_word(p
, primes
[i
]))
1758 if (!BN_set_word(a
, 32))
1760 if (!BN_set_word(r
, 2 * i
+ 1))
1763 if (!BN_generate_prime_ex(p
, 256, 0, a
, r
, &cb
))
1767 p
->neg
= rand_neg();
1769 for (j
= 0; j
< num2
; j
++) {
1771 * construct 'a' such that it is a square modulo p, but in
1772 * general not a proper square and not reduced modulo p
1774 if (!BN_bntest_rand(r
, 256, 0, 3))
1776 if (!BN_nnmod(r
, r
, p
, ctx
))
1778 if (!BN_mod_sqr(r
, r
, p
, ctx
))
1780 if (!BN_bntest_rand(a
, 256, 0, 3))
1782 if (!BN_nnmod(a
, a
, p
, ctx
))
1784 if (!BN_mod_sqr(a
, a
, p
, ctx
))
1786 if (!BN_mul(a
, a
, r
, ctx
))
1789 if (!BN_sub(a
, a
, p
))
1792 if (!BN_mod_sqrt(r
, a
, p
, ctx
))
1794 if (!BN_mod_sqr(r
, r
, p
, ctx
))
1797 if (!BN_nnmod(a
, a
, p
, ctx
))
1800 if (BN_cmp(a
, r
) != 0) {
1801 fprintf(stderr
, "BN_mod_sqrt failed: a = ");
1802 BN_print_fp(stderr
, a
);
1803 fprintf(stderr
, ", r = ");
1804 BN_print_fp(stderr
, r
);
1805 fprintf(stderr
, ", p = ");
1806 BN_print_fp(stderr
, p
);
1807 fprintf(stderr
, "\n");
1826 int test_small_prime(BIO
*bp
, BN_CTX
*ctx
)
1828 static const int bits
= 10;
1833 if (!BN_generate_prime_ex(r
, bits
, 0, NULL
, NULL
, NULL
))
1835 if (BN_num_bits(r
) != bits
) {
1836 BIO_printf(bp
, "Expected %d bit prime, got %d bit number\n", bits
,
1848 int test_bn2dec(BIO
*bp
)
1850 static const char *bn2dec_tests
[] = {
1856 "123456789012345678901234567890",
1857 "-123456789012345678901234567890",
1858 "123456789012345678901234567890123456789012345678901234567890",
1859 "-123456789012345678901234567890123456789012345678901234567890",
1866 for (i
= 0; i
< OSSL_NELEM(bn2dec_tests
); i
++) {
1867 if (!BN_dec2bn(&bn
, bn2dec_tests
[i
]))
1870 dec
= BN_bn2dec(bn
);
1872 fprintf(stderr
, "BN_bn2dec failed on %s.\n", bn2dec_tests
[i
]);
1876 if (strcmp(dec
, bn2dec_tests
[i
]) != 0) {
1877 fprintf(stderr
, "BN_bn2dec gave %s, wanted %s.\n", dec
,
1894 int test_lshift(BIO
*bp
, BN_CTX
*ctx
, BIGNUM
*a_
)
1896 BIGNUM
*a
, *b
, *c
, *d
;
1908 BN_bntest_rand(a
, 200, 0, 0);
1909 a
->neg
= rand_neg();
1911 for (i
= 0; i
< num0
; i
++) {
1912 BN_lshift(b
, a
, i
+ 1);
1917 BIO_puts(bp
, " * ");
1919 BIO_puts(bp
, " - ");
1924 BN_mul(d
, a
, c
, ctx
);
1926 if (!BN_is_zero(d
)) {
1927 fprintf(stderr
, "Left shift test failed!\n");
1928 fprintf(stderr
, "a=");
1929 BN_print_fp(stderr
, a
);
1930 fprintf(stderr
, "\nb=");
1931 BN_print_fp(stderr
, b
);
1932 fprintf(stderr
, "\nc=");
1933 BN_print_fp(stderr
, c
);
1934 fprintf(stderr
, "\nd=");
1935 BN_print_fp(stderr
, d
);
1936 fprintf(stderr
, "\n");
1947 int test_lshift1(BIO
*bp
)
1956 BN_bntest_rand(a
, 200, 0, 0);
1957 a
->neg
= rand_neg();
1958 for (i
= 0; i
< num0
; i
++) {
1963 BIO_puts(bp
, " * 2");
1964 BIO_puts(bp
, " - ");
1971 if (!BN_is_zero(a
)) {
1972 fprintf(stderr
, "Left shift one test failed!\n");
1984 int test_rshift(BIO
*bp
, BN_CTX
*ctx
)
1986 BIGNUM
*a
, *b
, *c
, *d
, *e
;
1996 BN_bntest_rand(a
, 200, 0, 0);
1997 a
->neg
= rand_neg();
1998 for (i
= 0; i
< num0
; i
++) {
1999 BN_rshift(b
, a
, i
+ 1);
2004 BIO_puts(bp
, " / ");
2006 BIO_puts(bp
, " - ");
2011 BN_div(d
, e
, a
, c
, ctx
);
2013 if (!BN_is_zero(d
)) {
2014 fprintf(stderr
, "Right shift test failed!\n");
2026 int test_rshift1(BIO
*bp
)
2035 BN_bntest_rand(a
, 200, 0, 0);
2036 a
->neg
= rand_neg();
2037 for (i
= 0; i
< num0
; i
++) {
2042 BIO_puts(bp
, " / 2");
2043 BIO_puts(bp
, " - ");
2050 if (!BN_is_zero(c
) && !BN_abs_is_word(c
, 1)) {
2051 fprintf(stderr
, "Right shift one test failed!\n");
2064 static unsigned int neg
= 0;
2065 static int sign
[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
2067 return (sign
[(neg
++) % 8]);