]>
git.ipfire.org Git - thirdparty/openssl.git/blob - test/bntest.c
1 /* crypto/bn/bntest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
64 * The Contribution is licensed pursuant to the Eric Young open source
65 * license provided above.
67 * The binary polynomial arithmetic software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
78 #include <openssl/bio.h>
79 #include <openssl/bn.h>
80 #include <openssl/rand.h>
81 #include <openssl/x509.h>
82 #include <openssl/err.h>
84 #include "../crypto/bn/bn_lcl.h"
86 static const int num0
= 100; /* number of tests */
87 static const int num1
= 50; /* additional tests for some functions */
88 static const int num2
= 5; /* number of tests for slow functions */
90 int test_add(BIO
*bp
);
91 int test_sub(BIO
*bp
);
92 int test_lshift1(BIO
*bp
);
93 int test_lshift(BIO
*bp
, BN_CTX
*ctx
, BIGNUM
*a_
);
94 int test_rshift1(BIO
*bp
);
95 int test_rshift(BIO
*bp
, BN_CTX
*ctx
);
96 int test_div(BIO
*bp
, BN_CTX
*ctx
);
97 int test_div_word(BIO
*bp
);
98 int test_div_recp(BIO
*bp
, BN_CTX
*ctx
);
99 int test_mul(BIO
*bp
);
100 int test_sqr(BIO
*bp
, BN_CTX
*ctx
);
101 int test_mont(BIO
*bp
, BN_CTX
*ctx
);
102 int test_mod(BIO
*bp
, BN_CTX
*ctx
);
103 int test_mod_mul(BIO
*bp
, BN_CTX
*ctx
);
104 int test_mod_exp(BIO
*bp
, BN_CTX
*ctx
);
105 int test_mod_exp_mont_consttime(BIO
*bp
, BN_CTX
*ctx
);
106 int test_mod_exp_mont5(BIO
*bp
, BN_CTX
*ctx
);
107 int test_exp(BIO
*bp
, BN_CTX
*ctx
);
108 int test_gf2m_add(BIO
*bp
);
109 int test_gf2m_mod(BIO
*bp
);
110 int test_gf2m_mod_mul(BIO
*bp
, BN_CTX
*ctx
);
111 int test_gf2m_mod_sqr(BIO
*bp
, BN_CTX
*ctx
);
112 int test_gf2m_mod_inv(BIO
*bp
, BN_CTX
*ctx
);
113 int test_gf2m_mod_div(BIO
*bp
, BN_CTX
*ctx
);
114 int test_gf2m_mod_exp(BIO
*bp
, BN_CTX
*ctx
);
115 int test_gf2m_mod_sqrt(BIO
*bp
, BN_CTX
*ctx
);
116 int test_gf2m_mod_solve_quad(BIO
*bp
, BN_CTX
*ctx
);
117 int test_kron(BIO
*bp
, BN_CTX
*ctx
);
118 int test_sqrt(BIO
*bp
, BN_CTX
*ctx
);
119 int test_small_prime(BIO
*bp
, BN_CTX
*ctx
);
121 static int results
= 0;
123 static unsigned char lst
[] =
124 "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
125 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
127 static const char rnd_seed
[] =
128 "string to make the random number generator think it has entropy";
130 static void message(BIO
*out
, char *m
)
132 fprintf(stderr
, "test %s\n", m
);
133 BIO_puts(out
, "print \"test ");
135 BIO_puts(out
, "\\n\"\n");
138 int main(int argc
, char *argv
[])
142 char *outfile
= NULL
;
146 RAND_seed(rnd_seed
, sizeof rnd_seed
); /* or BN_generate_prime may fail */
151 if (strcmp(*argv
, "-results") == 0)
153 else if (strcmp(*argv
, "-out") == 0) {
166 out
= BIO_new(BIO_s_file());
169 if (outfile
== NULL
) {
170 BIO_set_fp(out
, stdout
, BIO_NOCLOSE
| BIO_FP_TEXT
);
172 if (!BIO_write_filename(out
, outfile
)) {
177 #ifdef OPENSSL_SYS_VMS
179 BIO
*tmpbio
= BIO_new(BIO_f_linebuffer());
180 out
= BIO_push(tmpbio
, out
);
185 BIO_puts(out
, "obase=16\nibase=16\n");
187 message(out
, "BN_add");
190 (void)BIO_flush(out
);
192 message(out
, "BN_sub");
195 (void)BIO_flush(out
);
197 message(out
, "BN_lshift1");
198 if (!test_lshift1(out
))
200 (void)BIO_flush(out
);
202 message(out
, "BN_lshift (fixed)");
203 if (!test_lshift(out
, ctx
, BN_bin2bn(lst
, sizeof(lst
) - 1, NULL
)))
205 (void)BIO_flush(out
);
207 message(out
, "BN_lshift");
208 if (!test_lshift(out
, ctx
, NULL
))
210 (void)BIO_flush(out
);
212 message(out
, "BN_rshift1");
213 if (!test_rshift1(out
))
215 (void)BIO_flush(out
);
217 message(out
, "BN_rshift");
218 if (!test_rshift(out
, ctx
))
220 (void)BIO_flush(out
);
222 message(out
, "BN_sqr");
223 if (!test_sqr(out
, ctx
))
225 (void)BIO_flush(out
);
227 message(out
, "BN_mul");
230 (void)BIO_flush(out
);
232 message(out
, "BN_div");
233 if (!test_div(out
, ctx
))
235 (void)BIO_flush(out
);
237 message(out
, "BN_div_word");
238 if (!test_div_word(out
))
240 (void)BIO_flush(out
);
242 message(out
, "BN_div_recp");
243 if (!test_div_recp(out
, ctx
))
245 (void)BIO_flush(out
);
247 message(out
, "BN_mod");
248 if (!test_mod(out
, ctx
))
250 (void)BIO_flush(out
);
252 message(out
, "BN_mod_mul");
253 if (!test_mod_mul(out
, ctx
))
255 (void)BIO_flush(out
);
257 message(out
, "BN_mont");
258 if (!test_mont(out
, ctx
))
260 (void)BIO_flush(out
);
262 message(out
, "BN_mod_exp");
263 if (!test_mod_exp(out
, ctx
))
265 (void)BIO_flush(out
);
267 message(out
, "BN_mod_exp_mont_consttime");
268 if (!test_mod_exp_mont_consttime(out
, ctx
))
270 if (!test_mod_exp_mont5(out
, ctx
))
272 (void)BIO_flush(out
);
274 message(out
, "BN_exp");
275 if (!test_exp(out
, ctx
))
277 (void)BIO_flush(out
);
279 message(out
, "BN_kronecker");
280 if (!test_kron(out
, ctx
))
282 (void)BIO_flush(out
);
284 message(out
, "BN_mod_sqrt");
285 if (!test_sqrt(out
, ctx
))
287 (void)BIO_flush(out
);
289 message(out
, "Small prime generation");
290 if (!test_small_prime(out
, ctx
))
292 (void)BIO_flush(out
);
294 #ifndef OPENSSL_NO_EC2M
295 message(out
, "BN_GF2m_add");
296 if (!test_gf2m_add(out
))
298 (void)BIO_flush(out
);
300 message(out
, "BN_GF2m_mod");
301 if (!test_gf2m_mod(out
))
303 (void)BIO_flush(out
);
305 message(out
, "BN_GF2m_mod_mul");
306 if (!test_gf2m_mod_mul(out
, ctx
))
308 (void)BIO_flush(out
);
310 message(out
, "BN_GF2m_mod_sqr");
311 if (!test_gf2m_mod_sqr(out
, ctx
))
313 (void)BIO_flush(out
);
315 message(out
, "BN_GF2m_mod_inv");
316 if (!test_gf2m_mod_inv(out
, ctx
))
318 (void)BIO_flush(out
);
320 message(out
, "BN_GF2m_mod_div");
321 if (!test_gf2m_mod_div(out
, ctx
))
323 (void)BIO_flush(out
);
325 message(out
, "BN_GF2m_mod_exp");
326 if (!test_gf2m_mod_exp(out
, ctx
))
328 (void)BIO_flush(out
);
330 message(out
, "BN_GF2m_mod_sqrt");
331 if (!test_gf2m_mod_sqrt(out
, ctx
))
333 (void)BIO_flush(out
);
335 message(out
, "BN_GF2m_mod_solve_quad");
336 if (!test_gf2m_mod_solve_quad(out
, ctx
))
338 (void)BIO_flush(out
);
345 BIO_puts(out
, "1\n"); /* make sure the Perl script fed by bc
346 * notices the failure, see test_bn in
347 * test/Makefile.ssl */
348 (void)BIO_flush(out
);
349 ERR_load_crypto_strings();
350 ERR_print_errors_fp(stderr
);
354 int test_add(BIO
*bp
)
363 BN_bntest_rand(a
, 512, 0, 0);
364 for (i
= 0; i
< num0
; i
++) {
365 BN_bntest_rand(b
, 450 + i
, 0, 0);
383 if (!BN_is_zero(c
)) {
384 fprintf(stderr
, "Add test failed!\n");
394 int test_sub(BIO
*bp
)
403 for (i
= 0; i
< num0
+ num1
; i
++) {
405 BN_bntest_rand(a
, 512, 0, 0);
407 if (BN_set_bit(a
, i
) == 0)
411 BN_bntest_rand(b
, 400 + i
- num1
, 0, 0);
428 if (!BN_is_zero(c
)) {
429 fprintf(stderr
, "Subtract test failed!\n");
439 int test_div(BIO
*bp
, BN_CTX
*ctx
)
441 BIGNUM
*a
, *b
, *c
, *d
, *e
;
453 if (BN_div(d
, c
, a
, b
, ctx
)) {
454 fprintf(stderr
, "Division by zero succeeded!\n");
458 for (i
= 0; i
< num0
+ num1
; i
++) {
460 BN_bntest_rand(a
, 400, 0, 0);
465 BN_bntest_rand(b
, 50 + 3 * (i
- num1
), 0, 0);
468 BN_div(d
, c
, a
, b
, ctx
);
488 BN_mul(e
, d
, b
, ctx
);
491 if (!BN_is_zero(d
)) {
492 fprintf(stderr
, "Division test failed!\n");
504 static void print_word(BIO
*bp
, BN_ULONG w
)
506 #ifdef SIXTY_FOUR_BIT
507 if (sizeof(w
) > sizeof(unsigned long)) {
508 unsigned long h
= (unsigned long)(w
>> 32), l
= (unsigned long)(w
);
511 BIO_printf(bp
, "%lX%08lX", h
, l
);
513 BIO_printf(bp
, "%lX", l
);
517 BIO_printf(bp
, BN_HEX_FMT1
, w
);
520 int test_div_word(BIO
*bp
)
529 for (i
= 0; i
< num0
; i
++) {
531 BN_bntest_rand(a
, 512, -1, 0);
532 BN_bntest_rand(b
, BN_BITS2
, -1, 0);
533 } while (BN_is_zero(b
));
537 r
= BN_div_word(b
, s
);
561 if (!BN_is_zero(b
)) {
562 fprintf(stderr
, "Division (word) test failed!\n");
571 int test_div_recp(BIO
*bp
, BN_CTX
*ctx
)
573 BIGNUM
*a
, *b
, *c
, *d
, *e
;
577 recp
= BN_RECP_CTX_new();
584 for (i
= 0; i
< num0
+ num1
; i
++) {
586 BN_bntest_rand(a
, 400, 0, 0);
591 BN_bntest_rand(b
, 50 + 3 * (i
- num1
), 0, 0);
594 BN_RECP_CTX_set(recp
, b
, ctx
);
595 BN_div_recp(d
, c
, a
, recp
, ctx
);
615 BN_mul(e
, d
, b
, ctx
);
618 if (!BN_is_zero(d
)) {
619 fprintf(stderr
, "Reciprocal division test failed!\n");
620 fprintf(stderr
, "a=");
621 BN_print_fp(stderr
, a
);
622 fprintf(stderr
, "\nb=");
623 BN_print_fp(stderr
, b
);
624 fprintf(stderr
, "\n");
633 BN_RECP_CTX_free(recp
);
637 int test_mul(BIO
*bp
)
639 BIGNUM
*a
, *b
, *c
, *d
, *e
;
653 for (i
= 0; i
< num0
+ num1
; i
++) {
655 BN_bntest_rand(a
, 100, 0, 0);
656 BN_bntest_rand(b
, 100, 0, 0);
658 BN_bntest_rand(b
, i
- num1
, 0, 0);
661 BN_mul(c
, a
, b
, ctx
);
672 BN_div(d
, e
, c
, a
, ctx
);
674 if (!BN_is_zero(d
) || !BN_is_zero(e
)) {
675 fprintf(stderr
, "Multiplication test failed!\n");
688 int test_sqr(BIO
*bp
, BN_CTX
*ctx
)
690 BIGNUM
*a
, *c
, *d
, *e
;
697 if (a
== NULL
|| c
== NULL
|| d
== NULL
|| e
== NULL
) {
701 for (i
= 0; i
< num0
; i
++) {
702 BN_bntest_rand(a
, 40 + i
* 10, 0, 0);
715 BN_div(d
, e
, c
, a
, ctx
);
717 if (!BN_is_zero(d
) || !BN_is_zero(e
)) {
718 fprintf(stderr
, "Square test failed!\n");
723 /* Regression test for a BN_sqr overflow bug. */
725 "80000000000000008000000000000001"
726 "FFFFFFFFFFFFFFFE0000000000000000");
738 BN_mul(d
, a
, a
, ctx
);
740 fprintf(stderr
, "Square test failed: BN_sqr and BN_mul produce "
741 "different results!\n");
745 /* Regression test for a BN_sqr overflow bug. */
747 "80000000000000000000000080000001"
748 "FFFFFFFE000000000000000000000000");
760 BN_mul(d
, a
, a
, ctx
);
762 fprintf(stderr
, "Square test failed: BN_sqr and BN_mul produce "
763 "different results!\n");
775 int test_mont(BIO
*bp
, BN_CTX
*ctx
)
777 BIGNUM
*a
, *b
, *c
, *d
, *A
, *B
;
790 mont
= BN_MONT_CTX_new();
795 if (BN_MONT_CTX_set(mont
, n
, ctx
)) {
796 fprintf(stderr
, "BN_MONT_CTX_set succeeded for zero modulus!\n");
801 if (BN_MONT_CTX_set(mont
, n
, ctx
)) {
802 fprintf(stderr
, "BN_MONT_CTX_set succeeded for even modulus!\n");
806 BN_bntest_rand(a
, 100, 0, 0);
807 BN_bntest_rand(b
, 100, 0, 0);
808 for (i
= 0; i
< num2
; i
++) {
809 int bits
= (200 * (i
+ 1)) / num2
;
813 BN_bntest_rand(n
, bits
, 0, 1);
814 BN_MONT_CTX_set(mont
, n
, ctx
);
816 BN_nnmod(a
, a
, n
, ctx
);
817 BN_nnmod(b
, b
, n
, ctx
);
819 BN_to_montgomery(A
, a
, mont
, ctx
);
820 BN_to_montgomery(B
, b
, mont
, ctx
);
822 BN_mod_mul_montgomery(c
, A
, B
, mont
, ctx
);
823 BN_from_montgomery(A
, c
, mont
, ctx
);
830 BN_print(bp
, &mont
->N
);
836 BN_mod_mul(d
, a
, b
, n
, ctx
);
838 if (!BN_is_zero(d
)) {
839 fprintf(stderr
, "Montgomery multiplication test failed!\n");
843 BN_MONT_CTX_free(mont
);
854 int test_mod(BIO
*bp
, BN_CTX
*ctx
)
856 BIGNUM
*a
, *b
, *c
, *d
, *e
;
865 BN_bntest_rand(a
, 1024, 0, 0);
866 for (i
= 0; i
< num0
; i
++) {
867 BN_bntest_rand(b
, 450 + i
* 10, 0, 0);
870 BN_mod(c
, a
, b
, ctx
);
881 BN_div(d
, e
, a
, b
, ctx
);
883 if (!BN_is_zero(e
)) {
884 fprintf(stderr
, "Modulo test failed!\n");
896 int test_mod_mul(BIO
*bp
, BN_CTX
*ctx
)
898 BIGNUM
*a
, *b
, *c
, *d
, *e
;
910 if (BN_mod_mul(e
, a
, b
, c
, ctx
)) {
911 fprintf(stderr
, "BN_mod_mul with zero modulus succeeded!\n");
915 for (j
= 0; j
< 3; j
++) {
916 BN_bntest_rand(c
, 1024, 0, 0);
917 for (i
= 0; i
< num0
; i
++) {
918 BN_bntest_rand(a
, 475 + i
* 10, 0, 0);
919 BN_bntest_rand(b
, 425 + i
* 11, 0, 0);
922 if (!BN_mod_mul(e
, a
, b
, c
, ctx
)) {
925 while ((l
= ERR_get_error()))
926 fprintf(stderr
, "ERROR:%s\n", ERR_error_string(l
, NULL
));
936 if ((a
->neg
^ b
->neg
) && !BN_is_zero(e
)) {
938 * If (a*b) % c is negative, c must be added in order
939 * to obtain the normalized remainder (new with
940 * OpenSSL 0.9.7, previous versions of BN_mod_mul
941 * could generate negative results)
951 BN_mul(d
, a
, b
, ctx
);
953 BN_div(a
, b
, d
, c
, ctx
);
954 if (!BN_is_zero(b
)) {
955 fprintf(stderr
, "Modulo multiply test failed!\n");
956 ERR_print_errors_fp(stderr
);
969 int test_mod_exp(BIO
*bp
, BN_CTX
*ctx
)
971 BIGNUM
*a
, *b
, *c
, *d
, *e
;
983 if (BN_mod_exp(d
, a
, b
, c
, ctx
)) {
984 fprintf(stderr
, "BN_mod_exp with zero modulus succeeded!\n");
988 BN_bntest_rand(c
, 30, 0, 1); /* must be odd for montgomery */
989 for (i
= 0; i
< num2
; i
++) {
990 BN_bntest_rand(a
, 20 + i
* 5, 0, 0);
991 BN_bntest_rand(b
, 2 + i
, 0, 0);
993 if (!BN_mod_exp(d
, a
, b
, c
, ctx
))
1001 BIO_puts(bp
, " % ");
1003 BIO_puts(bp
, " - ");
1008 BN_exp(e
, a
, b
, ctx
);
1010 BN_div(a
, b
, e
, c
, ctx
);
1011 if (!BN_is_zero(b
)) {
1012 fprintf(stderr
, "Modulo exponentiation test failed!\n");
1017 /* Regression test for carry propagation bug in sqr8x_reduction */
1018 BN_hex2bn(&a
, "050505050505");
1019 BN_hex2bn(&b
, "02");
1021 "4141414141414141414141274141414141414141414141414141414141414141"
1022 "4141414141414141414141414141414141414141414141414141414141414141"
1023 "4141414141414141414141800000000000000000000000000000000000000000"
1024 "0000000000000000000000000000000000000000000000000000000000000000"
1025 "0000000000000000000000000000000000000000000000000000000000000000"
1026 "0000000000000000000000000000000000000000000000000000000001");
1027 BN_mod_exp(d
, a
, b
, c
, ctx
);
1028 BN_mul(e
, a
, a
, ctx
);
1030 fprintf(stderr
, "BN_mod_exp and BN_mul produce different results!\n");
1042 int test_mod_exp_mont_consttime(BIO
*bp
, BN_CTX
*ctx
)
1044 BIGNUM
*a
, *b
, *c
, *d
, *e
;
1056 if (BN_mod_exp_mont_consttime(d
, a
, b
, c
, ctx
, NULL
)) {
1057 fprintf(stderr
, "BN_mod_exp_mont_consttime with zero modulus "
1063 if (BN_mod_exp_mont_consttime(d
, a
, b
, c
, ctx
, NULL
)) {
1064 fprintf(stderr
, "BN_mod_exp_mont_consttime with even modulus "
1069 BN_bntest_rand(c
, 30, 0, 1); /* must be odd for montgomery */
1070 for (i
= 0; i
< num2
; i
++) {
1071 BN_bntest_rand(a
, 20 + i
* 5, 0, 0);
1072 BN_bntest_rand(b
, 2 + i
, 0, 0);
1074 if (!BN_mod_exp_mont_consttime(d
, a
, b
, c
, ctx
, NULL
))
1080 BIO_puts(bp
, " ^ ");
1082 BIO_puts(bp
, " % ");
1084 BIO_puts(bp
, " - ");
1089 BN_exp(e
, a
, b
, ctx
);
1091 BN_div(a
, b
, e
, c
, ctx
);
1092 if (!BN_is_zero(b
)) {
1093 fprintf(stderr
, "Modulo exponentiation test failed!\n");
1106 * Test constant-time modular exponentiation with 1024-bit inputs, which on
1107 * x86_64 cause a different code branch to be taken.
1109 int test_mod_exp_mont5(BIO
*bp
, BN_CTX
*ctx
)
1111 BIGNUM
*a
, *p
, *m
, *d
, *e
;
1119 mont
= BN_MONT_CTX_new();
1121 BN_bntest_rand(m
, 1024, 0, 1); /* must be odd for montgomery */
1123 BN_bntest_rand(a
, 1024, 0, 0);
1125 if (!BN_mod_exp_mont_consttime(d
, a
, p
, m
, ctx
, NULL
))
1127 if (!BN_is_one(d
)) {
1128 fprintf(stderr
, "Modular exponentiation test failed!\n");
1132 BN_bntest_rand(p
, 1024, 0, 0);
1134 if (!BN_mod_exp_mont_consttime(d
, a
, p
, m
, ctx
, NULL
))
1136 if (!BN_is_zero(d
)) {
1137 fprintf(stderr
, "Modular exponentiation test failed!\n");
1141 * Craft an input whose Montgomery representation is 1, i.e., shorter
1142 * than the modulus m, in order to test the const time precomputation
1143 * scattering/gathering.
1146 BN_MONT_CTX_set(mont
, m
, ctx
);
1147 if (!BN_from_montgomery(e
, a
, mont
, ctx
))
1149 if (!BN_mod_exp_mont_consttime(d
, e
, p
, m
, ctx
, NULL
))
1151 if (!BN_mod_exp_simple(a
, e
, p
, m
, ctx
))
1153 if (BN_cmp(a
, d
) != 0) {
1154 fprintf(stderr
, "Modular exponentiation test failed!\n");
1157 /* Finally, some regular test vectors. */
1158 BN_bntest_rand(e
, 1024, 0, 0);
1159 if (!BN_mod_exp_mont_consttime(d
, e
, p
, m
, ctx
, NULL
))
1161 if (!BN_mod_exp_simple(a
, e
, p
, m
, ctx
))
1163 if (BN_cmp(a
, d
) != 0) {
1164 fprintf(stderr
, "Modular exponentiation test failed!\n");
1167 BN_MONT_CTX_free(mont
);
1176 int test_exp(BIO
*bp
, BN_CTX
*ctx
)
1178 BIGNUM
*a
, *b
, *d
, *e
, *one
;
1188 for (i
= 0; i
< num2
; i
++) {
1189 BN_bntest_rand(a
, 20 + i
* 5, 0, 0);
1190 BN_bntest_rand(b
, 2 + i
, 0, 0);
1192 if (BN_exp(d
, a
, b
, ctx
) <= 0)
1198 BIO_puts(bp
, " ^ ");
1200 BIO_puts(bp
, " - ");
1206 for (; !BN_is_zero(b
); BN_sub(b
, b
, one
))
1207 BN_mul(e
, e
, a
, ctx
);
1209 if (!BN_is_zero(e
)) {
1210 fprintf(stderr
, "Exponentiation test failed!\n");
1222 #ifndef OPENSSL_NO_EC2M
1223 int test_gf2m_add(BIO
*bp
)
1232 for (i
= 0; i
< num0
; i
++) {
1233 BN_rand(a
, 512, 0, 0);
1234 BN_copy(b
, BN_value_one());
1235 a
->neg
= rand_neg();
1236 b
->neg
= rand_neg();
1237 BN_GF2m_add(c
, a
, b
);
1238 /* Test that two added values have the correct parity. */
1239 if ((BN_is_odd(a
) && BN_is_odd(c
))
1240 || (!BN_is_odd(a
) && !BN_is_odd(c
))) {
1241 fprintf(stderr
, "GF(2^m) addition test (a) failed!\n");
1244 BN_GF2m_add(c
, c
, c
);
1245 /* Test that c + c = 0. */
1246 if (!BN_is_zero(c
)) {
1247 fprintf(stderr
, "GF(2^m) addition test (b) failed!\n");
1259 int test_gf2m_mod(BIO
*bp
)
1261 BIGNUM
*a
, *b
[2], *c
, *d
, *e
;
1263 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1264 int p1
[] = { 193, 15, 0, -1 };
1273 BN_GF2m_arr2poly(p0
, b
[0]);
1274 BN_GF2m_arr2poly(p1
, b
[1]);
1276 for (i
= 0; i
< num0
; i
++) {
1277 BN_bntest_rand(a
, 1024, 0, 0);
1278 for (j
= 0; j
< 2; j
++) {
1279 BN_GF2m_mod(c
, a
, b
[j
]);
1280 BN_GF2m_add(d
, a
, c
);
1281 BN_GF2m_mod(e
, d
, b
[j
]);
1282 /* Test that a + (a mod p) mod p == 0. */
1283 if (!BN_is_zero(e
)) {
1284 fprintf(stderr
, "GF(2^m) modulo test failed!\n");
1300 int test_gf2m_mod_mul(BIO
*bp
, BN_CTX
*ctx
)
1302 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
, *g
, *h
;
1304 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1305 int p1
[] = { 193, 15, 0, -1 };
1317 BN_GF2m_arr2poly(p0
, b
[0]);
1318 BN_GF2m_arr2poly(p1
, b
[1]);
1320 for (i
= 0; i
< num0
; i
++) {
1321 BN_bntest_rand(a
, 1024, 0, 0);
1322 BN_bntest_rand(c
, 1024, 0, 0);
1323 BN_bntest_rand(d
, 1024, 0, 0);
1324 for (j
= 0; j
< 2; j
++) {
1325 BN_GF2m_mod_mul(e
, a
, c
, b
[j
], ctx
);
1326 BN_GF2m_add(f
, a
, d
);
1327 BN_GF2m_mod_mul(g
, f
, c
, b
[j
], ctx
);
1328 BN_GF2m_mod_mul(h
, d
, c
, b
[j
], ctx
);
1329 BN_GF2m_add(f
, e
, g
);
1330 BN_GF2m_add(f
, f
, h
);
1331 /* Test that (a+d)*c = a*c + d*c. */
1332 if (!BN_is_zero(f
)) {
1334 "GF(2^m) modular multiplication test failed!\n");
1353 int test_gf2m_mod_sqr(BIO
*bp
, BN_CTX
*ctx
)
1355 BIGNUM
*a
, *b
[2], *c
, *d
;
1357 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1358 int p1
[] = { 193, 15, 0, -1 };
1366 BN_GF2m_arr2poly(p0
, b
[0]);
1367 BN_GF2m_arr2poly(p1
, b
[1]);
1369 for (i
= 0; i
< num0
; i
++) {
1370 BN_bntest_rand(a
, 1024, 0, 0);
1371 for (j
= 0; j
< 2; j
++) {
1372 BN_GF2m_mod_sqr(c
, a
, b
[j
], ctx
);
1374 BN_GF2m_mod_mul(d
, a
, d
, b
[j
], ctx
);
1375 BN_GF2m_add(d
, c
, d
);
1376 /* Test that a*a = a^2. */
1377 if (!BN_is_zero(d
)) {
1378 fprintf(stderr
, "GF(2^m) modular squaring test failed!\n");
1393 int test_gf2m_mod_inv(BIO
*bp
, BN_CTX
*ctx
)
1395 BIGNUM
*a
, *b
[2], *c
, *d
;
1397 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1398 int p1
[] = { 193, 15, 0, -1 };
1406 BN_GF2m_arr2poly(p0
, b
[0]);
1407 BN_GF2m_arr2poly(p1
, b
[1]);
1409 for (i
= 0; i
< num0
; i
++) {
1410 BN_bntest_rand(a
, 512, 0, 0);
1411 for (j
= 0; j
< 2; j
++) {
1412 BN_GF2m_mod_inv(c
, a
, b
[j
], ctx
);
1413 BN_GF2m_mod_mul(d
, a
, c
, b
[j
], ctx
);
1414 /* Test that ((1/a)*a) = 1. */
1415 if (!BN_is_one(d
)) {
1416 fprintf(stderr
, "GF(2^m) modular inversion test failed!\n");
1431 int test_gf2m_mod_div(BIO
*bp
, BN_CTX
*ctx
)
1433 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
1435 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1436 int p1
[] = { 193, 15, 0, -1 };
1446 BN_GF2m_arr2poly(p0
, b
[0]);
1447 BN_GF2m_arr2poly(p1
, b
[1]);
1449 for (i
= 0; i
< num0
; i
++) {
1450 BN_bntest_rand(a
, 512, 0, 0);
1451 BN_bntest_rand(c
, 512, 0, 0);
1452 for (j
= 0; j
< 2; j
++) {
1453 BN_GF2m_mod_div(d
, a
, c
, b
[j
], ctx
);
1454 BN_GF2m_mod_mul(e
, d
, c
, b
[j
], ctx
);
1455 BN_GF2m_mod_div(f
, a
, e
, b
[j
], ctx
);
1456 /* Test that ((a/c)*c)/a = 1. */
1457 if (!BN_is_one(f
)) {
1458 fprintf(stderr
, "GF(2^m) modular division test failed!\n");
1475 int test_gf2m_mod_exp(BIO
*bp
, BN_CTX
*ctx
)
1477 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
1479 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1480 int p1
[] = { 193, 15, 0, -1 };
1490 BN_GF2m_arr2poly(p0
, b
[0]);
1491 BN_GF2m_arr2poly(p1
, b
[1]);
1493 for (i
= 0; i
< num0
; i
++) {
1494 BN_bntest_rand(a
, 512, 0, 0);
1495 BN_bntest_rand(c
, 512, 0, 0);
1496 BN_bntest_rand(d
, 512, 0, 0);
1497 for (j
= 0; j
< 2; j
++) {
1498 BN_GF2m_mod_exp(e
, a
, c
, b
[j
], ctx
);
1499 BN_GF2m_mod_exp(f
, a
, d
, b
[j
], ctx
);
1500 BN_GF2m_mod_mul(e
, e
, f
, b
[j
], ctx
);
1502 BN_GF2m_mod_exp(f
, a
, f
, b
[j
], ctx
);
1503 BN_GF2m_add(f
, e
, f
);
1504 /* Test that a^(c+d)=a^c*a^d. */
1505 if (!BN_is_zero(f
)) {
1507 "GF(2^m) modular exponentiation test failed!\n");
1524 int test_gf2m_mod_sqrt(BIO
*bp
, BN_CTX
*ctx
)
1526 BIGNUM
*a
, *b
[2], *c
, *d
, *e
, *f
;
1528 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1529 int p1
[] = { 193, 15, 0, -1 };
1539 BN_GF2m_arr2poly(p0
, b
[0]);
1540 BN_GF2m_arr2poly(p1
, b
[1]);
1542 for (i
= 0; i
< num0
; i
++) {
1543 BN_bntest_rand(a
, 512, 0, 0);
1544 for (j
= 0; j
< 2; j
++) {
1545 BN_GF2m_mod(c
, a
, b
[j
]);
1546 BN_GF2m_mod_sqrt(d
, a
, b
[j
], ctx
);
1547 BN_GF2m_mod_sqr(e
, d
, b
[j
], ctx
);
1548 BN_GF2m_add(f
, c
, e
);
1549 /* Test that d^2 = a, where d = sqrt(a). */
1550 if (!BN_is_zero(f
)) {
1551 fprintf(stderr
, "GF(2^m) modular square root test failed!\n");
1568 int test_gf2m_mod_solve_quad(BIO
*bp
, BN_CTX
*ctx
)
1570 BIGNUM
*a
, *b
[2], *c
, *d
, *e
;
1571 int i
, j
, s
= 0, t
, ret
= 0;
1572 int p0
[] = { 163, 7, 6, 3, 0, -1 };
1573 int p1
[] = { 193, 15, 0, -1 };
1582 BN_GF2m_arr2poly(p0
, b
[0]);
1583 BN_GF2m_arr2poly(p1
, b
[1]);
1585 for (i
= 0; i
< num0
; i
++) {
1586 BN_bntest_rand(a
, 512, 0, 0);
1587 for (j
= 0; j
< 2; j
++) {
1588 t
= BN_GF2m_mod_solve_quad(c
, a
, b
[j
], ctx
);
1591 BN_GF2m_mod_sqr(d
, c
, b
[j
], ctx
);
1592 BN_GF2m_add(d
, c
, d
);
1593 BN_GF2m_mod(e
, a
, b
[j
]);
1594 BN_GF2m_add(e
, e
, d
);
1596 * Test that solution of quadratic c satisfies c^2 + c = a.
1598 if (!BN_is_zero(e
)) {
1600 "GF(2^m) modular solve quadratic test failed!\n");
1609 "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n",
1612 "this is very unlikely and probably indicates an error.\n");
1626 static int genprime_cb(int p
, int n
, BN_GENCB
*arg
)
1643 int test_kron(BIO
*bp
, BN_CTX
*ctx
)
1646 BIGNUM
*a
, *b
, *r
, *t
;
1648 int legendre
, kronecker
;
1655 if (a
== NULL
|| b
== NULL
|| r
== NULL
|| t
== NULL
)
1658 BN_GENCB_set(&cb
, genprime_cb
, NULL
);
1661 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1662 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1663 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1664 * generate a random prime b and compare these values for a number of
1665 * random a's. (That is, we run the Solovay-Strassen primality test to
1666 * confirm that b is prime, except that we don't want to test whether b
1667 * is prime but whether BN_kronecker works.)
1670 if (!BN_generate_prime_ex(b
, 512, 0, NULL
, NULL
, &cb
))
1672 b
->neg
= rand_neg();
1675 for (i
= 0; i
< num0
; i
++) {
1676 if (!BN_bntest_rand(a
, 512, 0, 0))
1678 a
->neg
= rand_neg();
1680 /* t := (|b|-1)/2 (note that b is odd) */
1684 if (!BN_sub_word(t
, 1))
1686 if (!BN_rshift1(t
, t
))
1688 /* r := a^t mod b */
1691 if (!BN_mod_exp_recp(r
, a
, t
, b
, ctx
))
1695 if (BN_is_word(r
, 1))
1697 else if (BN_is_zero(r
))
1700 if (!BN_add_word(r
, 1))
1702 if (0 != BN_ucmp(r
, b
)) {
1703 fprintf(stderr
, "Legendre symbol computation failed\n");
1709 kronecker
= BN_kronecker(a
, b
, ctx
);
1712 /* we actually need BN_kronecker(a, |b|) */
1713 if (a
->neg
&& b
->neg
)
1714 kronecker
= -kronecker
;
1716 if (legendre
!= kronecker
) {
1717 fprintf(stderr
, "legendre != kronecker; a = ");
1718 BN_print_fp(stderr
, a
);
1719 fprintf(stderr
, ", b = ");
1720 BN_print_fp(stderr
, b
);
1721 fprintf(stderr
, "\n");
1740 int test_sqrt(BIO
*bp
, BN_CTX
*ctx
)
1750 if (a
== NULL
|| p
== NULL
|| r
== NULL
)
1753 BN_GENCB_set(&cb
, genprime_cb
, NULL
);
1755 for (i
= 0; i
< 16; i
++) {
1757 unsigned primes
[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1759 if (!BN_set_word(p
, primes
[i
]))
1762 if (!BN_set_word(a
, 32))
1764 if (!BN_set_word(r
, 2 * i
+ 1))
1767 if (!BN_generate_prime_ex(p
, 256, 0, a
, r
, &cb
))
1771 p
->neg
= rand_neg();
1773 for (j
= 0; j
< num2
; j
++) {
1775 * construct 'a' such that it is a square modulo p, but in
1776 * general not a proper square and not reduced modulo p
1778 if (!BN_bntest_rand(r
, 256, 0, 3))
1780 if (!BN_nnmod(r
, r
, p
, ctx
))
1782 if (!BN_mod_sqr(r
, r
, p
, ctx
))
1784 if (!BN_bntest_rand(a
, 256, 0, 3))
1786 if (!BN_nnmod(a
, a
, p
, ctx
))
1788 if (!BN_mod_sqr(a
, a
, p
, ctx
))
1790 if (!BN_mul(a
, a
, r
, ctx
))
1793 if (!BN_sub(a
, a
, p
))
1796 if (!BN_mod_sqrt(r
, a
, p
, ctx
))
1798 if (!BN_mod_sqr(r
, r
, p
, ctx
))
1801 if (!BN_nnmod(a
, a
, p
, ctx
))
1804 if (BN_cmp(a
, r
) != 0) {
1805 fprintf(stderr
, "BN_mod_sqrt failed: a = ");
1806 BN_print_fp(stderr
, a
);
1807 fprintf(stderr
, ", r = ");
1808 BN_print_fp(stderr
, r
);
1809 fprintf(stderr
, ", p = ");
1810 BN_print_fp(stderr
, p
);
1811 fprintf(stderr
, "\n");
1830 int test_small_prime(BIO
*bp
, BN_CTX
*ctx
)
1832 static const int bits
= 10;
1837 if (!BN_generate_prime_ex(r
, bits
, 0, NULL
, NULL
, NULL
))
1839 if (BN_num_bits(r
) != bits
) {
1840 BIO_printf(bp
, "Expected %d bit prime, got %d bit number\n", bits
,
1852 int test_lshift(BIO
*bp
, BN_CTX
*ctx
, BIGNUM
*a_
)
1854 BIGNUM
*a
, *b
, *c
, *d
;
1866 BN_bntest_rand(a
, 200, 0, 0);
1867 a
->neg
= rand_neg();
1869 for (i
= 0; i
< num0
; i
++) {
1870 BN_lshift(b
, a
, i
+ 1);
1875 BIO_puts(bp
, " * ");
1877 BIO_puts(bp
, " - ");
1882 BN_mul(d
, a
, c
, ctx
);
1884 if (!BN_is_zero(d
)) {
1885 fprintf(stderr
, "Left shift test failed!\n");
1886 fprintf(stderr
, "a=");
1887 BN_print_fp(stderr
, a
);
1888 fprintf(stderr
, "\nb=");
1889 BN_print_fp(stderr
, b
);
1890 fprintf(stderr
, "\nc=");
1891 BN_print_fp(stderr
, c
);
1892 fprintf(stderr
, "\nd=");
1893 BN_print_fp(stderr
, d
);
1894 fprintf(stderr
, "\n");
1905 int test_lshift1(BIO
*bp
)
1914 BN_bntest_rand(a
, 200, 0, 0);
1915 a
->neg
= rand_neg();
1916 for (i
= 0; i
< num0
; i
++) {
1921 BIO_puts(bp
, " * 2");
1922 BIO_puts(bp
, " - ");
1929 if (!BN_is_zero(a
)) {
1930 fprintf(stderr
, "Left shift one test failed!\n");
1942 int test_rshift(BIO
*bp
, BN_CTX
*ctx
)
1944 BIGNUM
*a
, *b
, *c
, *d
, *e
;
1954 BN_bntest_rand(a
, 200, 0, 0);
1955 a
->neg
= rand_neg();
1956 for (i
= 0; i
< num0
; i
++) {
1957 BN_rshift(b
, a
, i
+ 1);
1962 BIO_puts(bp
, " / ");
1964 BIO_puts(bp
, " - ");
1969 BN_div(d
, e
, a
, c
, ctx
);
1971 if (!BN_is_zero(d
)) {
1972 fprintf(stderr
, "Right shift test failed!\n");
1984 int test_rshift1(BIO
*bp
)
1993 BN_bntest_rand(a
, 200, 0, 0);
1994 a
->neg
= rand_neg();
1995 for (i
= 0; i
< num0
; i
++) {
2000 BIO_puts(bp
, " / 2");
2001 BIO_puts(bp
, " - ");
2008 if (!BN_is_zero(c
) && !BN_abs_is_word(c
, 1)) {
2009 fprintf(stderr
, "Right shift one test failed!\n");
2022 static unsigned int neg
= 0;
2023 static int sign
[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
2025 return (sign
[(neg
++) % 8]);