1 /* crypto/bn/bntest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
64 * The Contribution is licensed pursuant to the Eric Young open source
65 * license provided above.
67 * The binary polynomial arithmetic software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
72 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
73 * deprecated functions for openssl-internal code */
74 #ifdef OPENSSL_NO_DEPRECATED
75 #undef OPENSSL_NO_DEPRECATED
84 #include <openssl/bio.h>
85 #include <openssl/bn.h>
86 #include <openssl/rand.h>
87 #include <openssl/x509.h>
88 #include <openssl/err.h>
90 #include "../crypto/bn/bn_lcl.h"
92 const int num0 = 100; /* number of tests */
93 const int num1 = 50; /* additional tests for some functions */
94 const int num2 = 5; /* number of tests for slow functions */
96 int test_add(BIO *bp);
97 int test_sub(BIO *bp);
98 int test_lshift1(BIO *bp);
99 int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_);
100 int test_rshift1(BIO *bp);
101 int test_rshift(BIO *bp,BN_CTX *ctx);
102 int test_div(BIO *bp,BN_CTX *ctx);
103 int test_div_word(BIO *bp);
104 int test_div_recp(BIO *bp,BN_CTX *ctx);
105 int test_mul(BIO *bp);
106 int test_sqr(BIO *bp,BN_CTX *ctx);
107 int test_mont(BIO *bp,BN_CTX *ctx);
108 int test_mod(BIO *bp,BN_CTX *ctx);
109 int test_mod_mul(BIO *bp,BN_CTX *ctx);
110 int test_mod_exp(BIO *bp,BN_CTX *ctx);
111 int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);
112 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
113 int test_exp(BIO *bp,BN_CTX *ctx);
114 int test_gf2m_add(BIO *bp);
115 int test_gf2m_mod(BIO *bp);
116 int test_gf2m_mod_mul(BIO *bp,BN_CTX *ctx);
117 int test_gf2m_mod_sqr(BIO *bp,BN_CTX *ctx);
118 int test_gf2m_mod_inv(BIO *bp,BN_CTX *ctx);
119 int test_gf2m_mod_div(BIO *bp,BN_CTX *ctx);
120 int test_gf2m_mod_exp(BIO *bp,BN_CTX *ctx);
121 int test_gf2m_mod_sqrt(BIO *bp,BN_CTX *ctx);
122 int test_gf2m_mod_solve_quad(BIO *bp,BN_CTX *ctx);
123 int test_kron(BIO *bp,BN_CTX *ctx);
124 int test_sqrt(BIO *bp,BN_CTX *ctx);
125 int test_small_prime(BIO *bp,BN_CTX *ctx);
126 int test_probable_prime_coprime(BIO *bp,BN_CTX *ctx);
128 static int results=0;
130 static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
131 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
133 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
135 static void message(BIO *out, char *m)
137 fprintf(stderr, "test %s\n", m);
138 BIO_puts(out, "print \"test ");
140 BIO_puts(out, "\\n\"\n");
143 int main(int argc, char *argv[])
151 RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
157 if (strcmp(*argv,"-results") == 0)
159 else if (strcmp(*argv,"-out") == 0)
161 if (--argc < 1) break;
170 if (ctx == NULL) EXIT(1);
172 out=BIO_new(BIO_s_file());
173 if (out == NULL) EXIT(1);
176 BIO_set_fp(out,stdout,BIO_NOCLOSE);
180 if (!BIO_write_filename(out,outfile))
188 BIO_puts(out,"obase=16\nibase=16\n");
190 message(out,"BN_add");
191 if (!test_add(out)) goto err;
192 (void)BIO_flush(out);
194 message(out,"BN_sub");
195 if (!test_sub(out)) goto err;
196 (void)BIO_flush(out);
198 message(out,"BN_lshift1");
199 if (!test_lshift1(out)) goto err;
200 (void)BIO_flush(out);
202 message(out,"BN_lshift (fixed)");
203 if (!test_lshift(out,ctx,BN_bin2bn(lst,sizeof(lst)-1,NULL)))
205 (void)BIO_flush(out);
207 message(out,"BN_lshift");
208 if (!test_lshift(out,ctx,NULL)) goto err;
209 (void)BIO_flush(out);
211 message(out,"BN_rshift1");
212 if (!test_rshift1(out)) goto err;
213 (void)BIO_flush(out);
215 message(out,"BN_rshift");
216 if (!test_rshift(out,ctx)) goto err;
217 (void)BIO_flush(out);
219 message(out,"BN_sqr");
220 if (!test_sqr(out,ctx)) goto err;
221 (void)BIO_flush(out);
223 message(out,"BN_mul");
224 if (!test_mul(out)) goto err;
225 (void)BIO_flush(out);
227 message(out,"BN_div");
228 if (!test_div(out,ctx)) goto err;
229 (void)BIO_flush(out);
231 message(out,"BN_div_word");
232 if (!test_div_word(out)) goto err;
233 (void)BIO_flush(out);
235 message(out,"BN_div_recp");
236 if (!test_div_recp(out,ctx)) goto err;
237 (void)BIO_flush(out);
239 message(out,"BN_mod");
240 if (!test_mod(out,ctx)) goto err;
241 (void)BIO_flush(out);
243 message(out,"BN_mod_mul");
244 if (!test_mod_mul(out,ctx)) goto err;
245 (void)BIO_flush(out);
247 message(out,"BN_mont");
248 if (!test_mont(out,ctx)) goto err;
249 (void)BIO_flush(out);
251 message(out,"BN_mod_exp");
252 if (!test_mod_exp(out,ctx)) goto err;
253 (void)BIO_flush(out);
255 message(out,"BN_mod_exp_mont_consttime");
256 if (!test_mod_exp_mont_consttime(out,ctx)) goto err;
257 if (!test_mod_exp_mont5(out,ctx)) goto err;
258 (void)BIO_flush(out);
260 message(out,"BN_exp");
261 if (!test_exp(out,ctx)) goto err;
262 (void)BIO_flush(out);
264 message(out,"BN_kronecker");
265 if (!test_kron(out,ctx)) goto err;
266 (void)BIO_flush(out);
268 message(out,"BN_mod_sqrt");
269 if (!test_sqrt(out,ctx)) goto err;
270 (void)BIO_flush(out);
272 message(out,"Small prime generation");
273 if (!test_small_prime(out,ctx)) goto err;
274 (void)BIO_flush(out);
276 #ifdef OPENSSL_SYS_WIN32
277 message(out,"Probable prime generation with coprimes disabled");
279 message(out,"Probable prime generation with coprimes");
280 if (!test_probable_prime_coprime(out,ctx)) goto err;
282 (void)BIO_flush(out);
284 #ifndef OPENSSL_NO_EC2M
285 message(out,"BN_GF2m_add");
286 if (!test_gf2m_add(out)) goto err;
287 (void)BIO_flush(out);
289 message(out,"BN_GF2m_mod");
290 if (!test_gf2m_mod(out)) goto err;
291 (void)BIO_flush(out);
293 message(out,"BN_GF2m_mod_mul");
294 if (!test_gf2m_mod_mul(out,ctx)) goto err;
295 (void)BIO_flush(out);
297 message(out,"BN_GF2m_mod_sqr");
298 if (!test_gf2m_mod_sqr(out,ctx)) goto err;
299 (void)BIO_flush(out);
301 message(out,"BN_GF2m_mod_inv");
302 if (!test_gf2m_mod_inv(out,ctx)) goto err;
303 (void)BIO_flush(out);
305 message(out,"BN_GF2m_mod_div");
306 if (!test_gf2m_mod_div(out,ctx)) goto err;
307 (void)BIO_flush(out);
309 message(out,"BN_GF2m_mod_exp");
310 if (!test_gf2m_mod_exp(out,ctx)) goto err;
311 (void)BIO_flush(out);
313 message(out,"BN_GF2m_mod_sqrt");
314 if (!test_gf2m_mod_sqrt(out,ctx)) goto err;
315 (void)BIO_flush(out);
317 message(out,"BN_GF2m_mod_solve_quad");
318 if (!test_gf2m_mod_solve_quad(out,ctx)) goto err;
319 (void)BIO_flush(out);
327 BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
328 * the failure, see test_bn in test/Makefile.ssl*/
329 (void)BIO_flush(out);
330 ERR_load_crypto_strings();
331 ERR_print_errors_fp(stderr);
336 int test_add(BIO *bp)
345 BN_bntest_rand(&a,512,0,0);
346 for (i=0; i<num0; i++)
348 BN_bntest_rand(&b,450+i,0,0);
370 fprintf(stderr,"Add test failed!\n");
380 int test_sub(BIO *bp)
389 for (i=0; i<num0+num1; i++)
393 BN_bntest_rand(&a,512,0,0);
395 if (BN_set_bit(&a,i)==0) return(0);
400 BN_bntest_rand(&b,400+i-num1,0,0);
421 fprintf(stderr,"Subtract test failed!\n");
431 int test_div(BIO *bp, BN_CTX *ctx)
442 for (i=0; i<num0+num1; i++)
446 BN_bntest_rand(&a,400,0,0);
452 BN_bntest_rand(&b,50+3*(i-num1),0,0);
455 BN_div(&d,&c,&a,&b,ctx);
478 BN_mul(&e,&d,&b,ctx);
483 fprintf(stderr,"Division test failed!\n");
495 static void print_word(BIO *bp,BN_ULONG w)
497 #ifdef SIXTY_FOUR_BIT
498 if (sizeof(w) > sizeof(unsigned long))
500 unsigned long h=(unsigned long)(w>>32),
501 l=(unsigned long)(w);
503 if (h) BIO_printf(bp,"%lX%08lX",h,l);
504 else BIO_printf(bp,"%lX",l);
508 BIO_printf(bp,BN_HEX_FMT1,w);
511 int test_div_word(BIO *bp)
520 for (i=0; i<num0; i++)
523 BN_bntest_rand(&a,512,-1,0);
524 BN_bntest_rand(&b,BN_BITS2,-1,0);
529 r = BN_div_word(&b, s);
558 fprintf(stderr,"Division (word) test failed!\n");
567 int test_div_recp(BIO *bp, BN_CTX *ctx)
573 BN_RECP_CTX_init(&recp);
580 for (i=0; i<num0+num1; i++)
584 BN_bntest_rand(&a,400,0,0);
590 BN_bntest_rand(&b,50+3*(i-num1),0,0);
593 BN_RECP_CTX_set(&recp,&b,ctx);
594 BN_div_recp(&d,&c,&a,&recp,ctx);
617 BN_mul(&e,&d,&b,ctx);
622 fprintf(stderr,"Reciprocal division test failed!\n");
623 fprintf(stderr,"a=");
624 BN_print_fp(stderr,&a);
625 fprintf(stderr,"\nb=");
626 BN_print_fp(stderr,&b);
627 fprintf(stderr,"\n");
636 BN_RECP_CTX_free(&recp);
640 int test_mul(BIO *bp)
647 if (ctx == NULL) EXIT(1);
655 for (i=0; i<num0+num1; i++)
659 BN_bntest_rand(&a,100,0,0);
660 BN_bntest_rand(&b,100,0,0);
663 BN_bntest_rand(&b,i-num1,0,0);
666 BN_mul(&c,&a,&b,ctx);
679 BN_div(&d,&e,&c,&a,ctx);
681 if(!BN_is_zero(&d) || !BN_is_zero(&e))
683 fprintf(stderr,"Multiplication test failed!\n");
696 int test_sqr(BIO *bp, BN_CTX *ctx)
706 for (i=0; i<num0; i++)
708 BN_bntest_rand(&a,40+i*10,0,0);
723 BN_div(&d,&e,&c,&a,ctx);
725 if(!BN_is_zero(&d) || !BN_is_zero(&e))
727 fprintf(stderr,"Square test failed!\n");
738 int test_mont(BIO *bp, BN_CTX *ctx)
753 mont=BN_MONT_CTX_new();
757 BN_bntest_rand(&a,100,0,0); /**/
758 BN_bntest_rand(&b,100,0,0); /**/
759 for (i=0; i<num2; i++)
761 int bits = (200*(i+1))/num2;
765 BN_bntest_rand(&n,bits,0,1);
766 BN_MONT_CTX_set(mont,&n,ctx);
768 BN_nnmod(&a,&a,&n,ctx);
769 BN_nnmod(&b,&b,&n,ctx);
771 BN_to_montgomery(&A,&a,mont,ctx);
772 BN_to_montgomery(&B,&b,mont,ctx);
774 BN_mod_mul_montgomery(&c,&A,&B,mont,ctx);/**/
775 BN_from_montgomery(&A,&c,mont,ctx);/**/
781 fprintf(stderr,"%d * %d %% %d\n",
784 BN_num_bits(mont->N));
790 BN_print(bp,&(mont->N));
796 BN_mod_mul(&d,&a,&b,&n,ctx);
800 fprintf(stderr,"Montgomery multiplication test failed!\n");
804 BN_MONT_CTX_free(mont);
815 int test_mod(BIO *bp, BN_CTX *ctx)
817 BIGNUM *a,*b,*c,*d,*e;
826 BN_bntest_rand(a,1024,0,0); /**/
827 for (i=0; i<num0; i++)
829 BN_bntest_rand(b,450+i*10,0,0); /**/
832 BN_mod(c,a,b,ctx);/**/
849 fprintf(stderr,"Modulo test failed!\n");
861 int test_mod_mul(BIO *bp, BN_CTX *ctx)
863 BIGNUM *a,*b,*c,*d,*e;
872 for (j=0; j<3; j++) {
873 BN_bntest_rand(c,1024,0,0); /**/
874 for (i=0; i<num0; i++)
876 BN_bntest_rand(a,475+i*10,0,0); /**/
877 BN_bntest_rand(b,425+i*11,0,0); /**/
880 if (!BN_mod_mul(e,a,b,c,ctx))
884 while ((l=ERR_get_error()))
885 fprintf(stderr,"ERROR:%s\n",
886 ERR_error_string(l,NULL));
898 if ((a->neg ^ b->neg) && !BN_is_zero(e))
900 /* If (a*b) % c is negative, c must be added
901 * in order to obtain the normalized remainder
902 * (new with OpenSSL 0.9.7, previous versions of
903 * BN_mod_mul could generate negative results)
918 fprintf(stderr,"Modulo multiply test failed!\n");
919 ERR_print_errors_fp(stderr);
932 int test_mod_exp(BIO *bp, BN_CTX *ctx)
934 BIGNUM *a,*b,*c,*d,*e;
943 BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
944 for (i=0; i<num2; i++)
946 BN_bntest_rand(a,20+i*5,0,0); /**/
947 BN_bntest_rand(b,2+i,0,0); /**/
949 if (!BN_mod_exp(d,a,b,c,ctx))
971 fprintf(stderr,"Modulo exponentiation test failed!\n");
983 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
985 BIGNUM *a,*b,*c,*d,*e;
994 BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
995 for (i=0; i<num2; i++)
997 BN_bntest_rand(a,20+i*5,0,0); /**/
998 BN_bntest_rand(b,2+i,0,0); /**/
1000 if (!BN_mod_exp_mont_consttime(d,a,b,c,ctx,NULL))
1019 BN_div(a,b,e,c,ctx);
1022 fprintf(stderr,"Modulo exponentiation test failed!\n");
1034 /* Test constant-time modular exponentiation with 1024-bit inputs,
1035 * which on x86_64 cause a different code branch to be taken.
1037 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
1039 BIGNUM *a,*p,*m,*d,*e;
1049 mont = BN_MONT_CTX_new();
1051 BN_bntest_rand(m,1024,0,1); /* must be odd for montgomery */
1053 BN_bntest_rand(a,1024,0,0);
1055 if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
1059 fprintf(stderr, "Modular exponentiation test failed!\n");
1063 BN_bntest_rand(p,1024,0,0);
1065 if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
1069 fprintf(stderr, "Modular exponentiation test failed!\n");
1072 /* Craft an input whose Montgomery representation is 1,
1073 * i.e., shorter than the modulus m, in order to test
1074 * the const time precomputation scattering/gathering.
1077 BN_MONT_CTX_set(mont,m,ctx);
1078 if(!BN_from_montgomery(e,a,mont,ctx))
1080 if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
1082 if(!BN_mod_exp_simple(a,e,p,m,ctx))
1084 if(BN_cmp(a,d) != 0)
1086 fprintf(stderr,"Modular exponentiation test failed!\n");
1089 /* Finally, some regular test vectors. */
1090 BN_bntest_rand(e,1024,0,0);
1091 if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
1093 if(!BN_mod_exp_simple(a,e,p,m,ctx))
1095 if(BN_cmp(a,d) != 0)
1097 fprintf(stderr,"Modular exponentiation test failed!\n");
1108 int test_exp(BIO *bp, BN_CTX *ctx)
1110 BIGNUM *a,*b,*d,*e,*one;
1120 for (i=0; i<num2; i++)
1122 BN_bntest_rand(a,20+i*5,0,0); /**/
1123 BN_bntest_rand(b,2+i,0,0); /**/
1125 if (BN_exp(d,a,b,ctx) <= 0)
1141 for( ; !BN_is_zero(b) ; BN_sub(b,b,one))
1146 fprintf(stderr,"Exponentiation test failed!\n");
1157 #ifndef OPENSSL_NO_EC2M
1158 int test_gf2m_add(BIO *bp)
1167 for (i=0; i<num0; i++)
1169 BN_rand(&a,512,0,0);
1170 BN_copy(&b, BN_value_one());
1173 BN_GF2m_add(&c,&a,&b);
1174 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1188 /* Test that two added values have the correct parity. */
1189 if((BN_is_odd(&a) && BN_is_odd(&c)) || (!BN_is_odd(&a) && !BN_is_odd(&c)))
1191 fprintf(stderr,"GF(2^m) addition test (a) failed!\n");
1194 BN_GF2m_add(&c,&c,&c);
1195 /* Test that c + c = 0. */
1198 fprintf(stderr,"GF(2^m) addition test (b) failed!\n");
1210 int test_gf2m_mod(BIO *bp)
1212 BIGNUM *a,*b[2],*c,*d,*e;
1214 int p0[] = {163,7,6,3,0,-1};
1215 int p1[] = {193,15,0,-1};
1224 BN_GF2m_arr2poly(p0, b[0]);
1225 BN_GF2m_arr2poly(p1, b[1]);
1227 for (i=0; i<num0; i++)
1229 BN_bntest_rand(a, 1024, 0, 0);
1230 for (j=0; j < 2; j++)
1232 BN_GF2m_mod(c, a, b[j]);
1233 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1247 BN_GF2m_add(d, a, c);
1248 BN_GF2m_mod(e, d, b[j]);
1249 /* Test that a + (a mod p) mod p == 0. */
1252 fprintf(stderr,"GF(2^m) modulo test failed!\n");
1268 int test_gf2m_mod_mul(BIO *bp,BN_CTX *ctx)
1270 BIGNUM *a,*b[2],*c,*d,*e,*f,*g,*h;
1272 int p0[] = {163,7,6,3,0,-1};
1273 int p1[] = {193,15,0,-1};
1285 BN_GF2m_arr2poly(p0, b[0]);
1286 BN_GF2m_arr2poly(p1, b[1]);
1288 for (i=0; i<num0; i++)
1290 BN_bntest_rand(a, 1024, 0, 0);
1291 BN_bntest_rand(c, 1024, 0, 0);
1292 BN_bntest_rand(d, 1024, 0, 0);
1293 for (j=0; j < 2; j++)
1295 BN_GF2m_mod_mul(e, a, c, b[j], ctx);
1296 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1312 BN_GF2m_add(f, a, d);
1313 BN_GF2m_mod_mul(g, f, c, b[j], ctx);
1314 BN_GF2m_mod_mul(h, d, c, b[j], ctx);
1315 BN_GF2m_add(f, e, g);
1316 BN_GF2m_add(f, f, h);
1317 /* Test that (a+d)*c = a*c + d*c. */
1320 fprintf(stderr,"GF(2^m) modular multiplication test failed!\n");
1339 int test_gf2m_mod_sqr(BIO *bp,BN_CTX *ctx)
1341 BIGNUM *a,*b[2],*c,*d;
1343 int p0[] = {163,7,6,3,0,-1};
1344 int p1[] = {193,15,0,-1};
1352 BN_GF2m_arr2poly(p0, b[0]);
1353 BN_GF2m_arr2poly(p1, b[1]);
1355 for (i=0; i<num0; i++)
1357 BN_bntest_rand(a, 1024, 0, 0);
1358 for (j=0; j < 2; j++)
1360 BN_GF2m_mod_sqr(c, a, b[j], ctx);
1362 BN_GF2m_mod_mul(d, a, d, b[j], ctx);
1363 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1369 BIO_puts(bp," ^ 2 % ");
1371 BIO_puts(bp, " = ");
1373 BIO_puts(bp,"; a * a = ");
1379 BN_GF2m_add(d, c, d);
1380 /* Test that a*a = a^2. */
1383 fprintf(stderr,"GF(2^m) modular squaring test failed!\n");
1398 int test_gf2m_mod_inv(BIO *bp,BN_CTX *ctx)
1400 BIGNUM *a,*b[2],*c,*d;
1402 int p0[] = {163,7,6,3,0,-1};
1403 int p1[] = {193,15,0,-1};
1411 BN_GF2m_arr2poly(p0, b[0]);
1412 BN_GF2m_arr2poly(p1, b[1]);
1414 for (i=0; i<num0; i++)
1416 BN_bntest_rand(a, 512, 0, 0);
1417 for (j=0; j < 2; j++)
1419 BN_GF2m_mod_inv(c, a, b[j], ctx);
1420 BN_GF2m_mod_mul(d, a, c, b[j], ctx);
1421 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1427 BIO_puts(bp, " * ");
1429 BIO_puts(bp," - 1 % ");
1435 /* Test that ((1/a)*a) = 1. */
1438 fprintf(stderr,"GF(2^m) modular inversion test failed!\n");
1453 int test_gf2m_mod_div(BIO *bp,BN_CTX *ctx)
1455 BIGNUM *a,*b[2],*c,*d,*e,*f;
1457 int p0[] = {163,7,6,3,0,-1};
1458 int p1[] = {193,15,0,-1};
1468 BN_GF2m_arr2poly(p0, b[0]);
1469 BN_GF2m_arr2poly(p1, b[1]);
1471 for (i=0; i<num0; i++)
1473 BN_bntest_rand(a, 512, 0, 0);
1474 BN_bntest_rand(c, 512, 0, 0);
1475 for (j=0; j < 2; j++)
1477 BN_GF2m_mod_div(d, a, c, b[j], ctx);
1478 BN_GF2m_mod_mul(e, d, c, b[j], ctx);
1479 BN_GF2m_mod_div(f, a, e, b[j], ctx);
1480 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1486 BIO_puts(bp, " = ");
1490 BIO_puts(bp, " % ");
1496 /* Test that ((a/c)*c)/a = 1. */
1499 fprintf(stderr,"GF(2^m) modular division test failed!\n");
1516 int test_gf2m_mod_exp(BIO *bp,BN_CTX *ctx)
1518 BIGNUM *a,*b[2],*c,*d,*e,*f;
1520 int p0[] = {163,7,6,3,0,-1};
1521 int p1[] = {193,15,0,-1};
1531 BN_GF2m_arr2poly(p0, b[0]);
1532 BN_GF2m_arr2poly(p1, b[1]);
1534 for (i=0; i<num0; i++)
1536 BN_bntest_rand(a, 512, 0, 0);
1537 BN_bntest_rand(c, 512, 0, 0);
1538 BN_bntest_rand(d, 512, 0, 0);
1539 for (j=0; j < 2; j++)
1541 BN_GF2m_mod_exp(e, a, c, b[j], ctx);
1542 BN_GF2m_mod_exp(f, a, d, b[j], ctx);
1543 BN_GF2m_mod_mul(e, e, f, b[j], ctx);
1545 BN_GF2m_mod_exp(f, a, f, b[j], ctx);
1546 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1552 BIO_puts(bp, " ^ (");
1556 BIO_puts(bp, ") = ");
1558 BIO_puts(bp, "; - ");
1560 BIO_puts(bp, " % ");
1566 BN_GF2m_add(f, e, f);
1567 /* Test that a^(c+d)=a^c*a^d. */
1570 fprintf(stderr,"GF(2^m) modular exponentiation test failed!\n");
1587 int test_gf2m_mod_sqrt(BIO *bp,BN_CTX *ctx)
1589 BIGNUM *a,*b[2],*c,*d,*e,*f;
1591 int p0[] = {163,7,6,3,0,-1};
1592 int p1[] = {193,15,0,-1};
1602 BN_GF2m_arr2poly(p0, b[0]);
1603 BN_GF2m_arr2poly(p1, b[1]);
1605 for (i=0; i<num0; i++)
1607 BN_bntest_rand(a, 512, 0, 0);
1608 for (j=0; j < 2; j++)
1610 BN_GF2m_mod(c, a, b[j]);
1611 BN_GF2m_mod_sqrt(d, a, b[j], ctx);
1612 BN_GF2m_mod_sqr(e, d, b[j], ctx);
1613 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1619 BIO_puts(bp, " ^ 2 - ");
1625 BN_GF2m_add(f, c, e);
1626 /* Test that d^2 = a, where d = sqrt(a). */
1629 fprintf(stderr,"GF(2^m) modular square root test failed!\n");
1646 int test_gf2m_mod_solve_quad(BIO *bp,BN_CTX *ctx)
1648 BIGNUM *a,*b[2],*c,*d,*e;
1649 int i, j, s = 0, t, ret = 0;
1650 int p0[] = {163,7,6,3,0,-1};
1651 int p1[] = {193,15,0,-1};
1660 BN_GF2m_arr2poly(p0, b[0]);
1661 BN_GF2m_arr2poly(p1, b[1]);
1663 for (i=0; i<num0; i++)
1665 BN_bntest_rand(a, 512, 0, 0);
1666 for (j=0; j < 2; j++)
1668 t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
1672 BN_GF2m_mod_sqr(d, c, b[j], ctx);
1673 BN_GF2m_add(d, c, d);
1674 BN_GF2m_mod(e, a, b[j]);
1675 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1681 BIO_puts(bp, " is root of z^2 + z = ");
1683 BIO_puts(bp, " % ");
1689 BN_GF2m_add(e, e, d);
1690 /* Test that solution of quadratic c satisfies c^2 + c = a. */
1693 fprintf(stderr,"GF(2^m) modular solve quadratic test failed!\n");
1700 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1705 BIO_puts(bp, "There are no roots of z^2 + z = ");
1707 BIO_puts(bp, " % ");
1718 fprintf(stderr,"All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n", num0);
1719 fprintf(stderr,"this is very unlikely and probably indicates an error.\n");
1733 static int genprime_cb(int p, int n, BN_GENCB *arg)
1746 int test_kron(BIO *bp, BN_CTX *ctx)
1751 int legendre, kronecker;
1758 if (a == NULL || b == NULL || r == NULL || t == NULL) goto err;
1760 BN_GENCB_set(&cb, genprime_cb, NULL);
1762 /* We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol).
1763 * In this case we know that if b is prime, then BN_kronecker(a, b, ctx)
1764 * is congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol).
1765 * So we generate a random prime b and compare these values
1766 * for a number of random a's. (That is, we run the Solovay-Strassen
1767 * primality test to confirm that b is prime, except that we
1768 * don't want to test whether b is prime but whether BN_kronecker
1771 if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb)) goto err;
1772 b->neg = rand_neg();
1775 for (i = 0; i < num0; i++)
1777 if (!BN_bntest_rand(a, 512, 0, 0)) goto err;
1778 a->neg = rand_neg();
1780 /* t := (|b|-1)/2 (note that b is odd) */
1781 if (!BN_copy(t, b)) goto err;
1783 if (!BN_sub_word(t, 1)) goto err;
1784 if (!BN_rshift1(t, t)) goto err;
1785 /* r := a^t mod b */
1788 if (!BN_mod_exp_recp(r, a, t, b, ctx)) goto err;
1791 if (BN_is_word(r, 1))
1793 else if (BN_is_zero(r))
1797 if (!BN_add_word(r, 1)) goto err;
1798 if (0 != BN_ucmp(r, b))
1800 fprintf(stderr, "Legendre symbol computation failed\n");
1806 kronecker = BN_kronecker(a, b, ctx);
1807 if (kronecker < -1) goto err;
1808 /* we actually need BN_kronecker(a, |b|) */
1809 if (a->neg && b->neg)
1810 kronecker = -kronecker;
1812 if (legendre != kronecker)
1814 fprintf(stderr, "legendre != kronecker; a = ");
1815 BN_print_fp(stderr, a);
1816 fprintf(stderr, ", b = ");
1817 BN_print_fp(stderr, b);
1818 fprintf(stderr, "\n");
1830 if (a != NULL) BN_free(a);
1831 if (b != NULL) BN_free(b);
1832 if (r != NULL) BN_free(r);
1833 if (t != NULL) BN_free(t);
1837 int test_sqrt(BIO *bp, BN_CTX *ctx)
1847 if (a == NULL || p == NULL || r == NULL) goto err;
1849 BN_GENCB_set(&cb, genprime_cb, NULL);
1851 for (i = 0; i < 16; i++)
1855 unsigned primes[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1857 if (!BN_set_word(p, primes[i])) goto err;
1861 if (!BN_set_word(a, 32)) goto err;
1862 if (!BN_set_word(r, 2*i + 1)) goto err;
1864 if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb)) goto err;
1867 p->neg = rand_neg();
1869 for (j = 0; j < num2; j++)
1871 /* construct 'a' such that it is a square modulo p,
1872 * but in general not a proper square and not reduced modulo p */
1873 if (!BN_bntest_rand(r, 256, 0, 3)) goto err;
1874 if (!BN_nnmod(r, r, p, ctx)) goto err;
1875 if (!BN_mod_sqr(r, r, p, ctx)) goto err;
1876 if (!BN_bntest_rand(a, 256, 0, 3)) goto err;
1877 if (!BN_nnmod(a, a, p, ctx)) goto err;
1878 if (!BN_mod_sqr(a, a, p, ctx)) goto err;
1879 if (!BN_mul(a, a, r, ctx)) goto err;
1881 if (!BN_sub(a, a, p)) goto err;
1883 if (!BN_mod_sqrt(r, a, p, ctx)) goto err;
1884 if (!BN_mod_sqr(r, r, p, ctx)) goto err;
1886 if (!BN_nnmod(a, a, p, ctx)) goto err;
1888 if (BN_cmp(a, r) != 0)
1890 fprintf(stderr, "BN_mod_sqrt failed: a = ");
1891 BN_print_fp(stderr, a);
1892 fprintf(stderr, ", r = ");
1893 BN_print_fp(stderr, r);
1894 fprintf(stderr, ", p = ");
1895 BN_print_fp(stderr, p);
1896 fprintf(stderr, "\n");
1909 if (a != NULL) BN_free(a);
1910 if (p != NULL) BN_free(p);
1911 if (r != NULL) BN_free(r);
1915 int test_small_prime(BIO *bp,BN_CTX *ctx)
1917 static const int bits = 10;
1922 if (!BN_generate_prime_ex(&r, bits, 0, NULL, NULL, NULL))
1924 if (BN_num_bits(&r) != bits)
1926 BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits, BN_num_bits(&r));
1936 #ifndef OPENSSL_SYS_WIN32
1937 int test_probable_prime_coprime(BIO *bp, BN_CTX *ctx)
1941 BN_ULONG primes[5] = { 2, 3, 5, 7, 11 };
1945 for (i = 0; i < 1000; i++)
1947 if (!bn_probable_prime_dh_coprime(&r, 1024, ctx)) goto err;
1949 for (j = 0; j < 5; j++)
1951 if (BN_mod_word(&r, primes[j]) == 0)
1953 BIO_printf(bp, "Number generated is not coprime to %ld:\n", primes[j]);
1954 BN_print_fp(stdout, &r);
1955 BIO_printf(bp, "\n");
1968 int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_)
1983 BN_bntest_rand(a,200,0,0); /**/
1986 for (i=0; i<num0; i++)
2006 fprintf(stderr,"Left shift test failed!\n");
2007 fprintf(stderr,"a=");
2008 BN_print_fp(stderr,a);
2009 fprintf(stderr,"\nb=");
2010 BN_print_fp(stderr,b);
2011 fprintf(stderr,"\nc=");
2012 BN_print_fp(stderr,c);
2013 fprintf(stderr,"\nd=");
2014 BN_print_fp(stderr,d);
2015 fprintf(stderr,"\n");
2026 int test_lshift1(BIO *bp)
2035 BN_bntest_rand(a,200,0,0); /**/
2037 for (i=0; i<num0; i++)
2045 BIO_puts(bp," * 2");
2055 fprintf(stderr,"Left shift one test failed!\n");
2067 int test_rshift(BIO *bp,BN_CTX *ctx)
2069 BIGNUM *a,*b,*c,*d,*e;
2079 BN_bntest_rand(a,200,0,0); /**/
2081 for (i=0; i<num0; i++)
2097 BN_div(d,e,a,c,ctx);
2101 fprintf(stderr,"Right shift test failed!\n");
2113 int test_rshift1(BIO *bp)
2122 BN_bntest_rand(a,200,0,0); /**/
2124 for (i=0; i<num0; i++)
2132 BIO_puts(bp," / 2");
2140 if(!BN_is_zero(c) && !BN_abs_is_word(c, 1))
2142 fprintf(stderr,"Right shift one test failed!\n");
2155 static unsigned int neg=0;
2156 static int sign[8]={0,0,0,1,1,0,1,1};
2158 return(sign[(neg++)%8]);