1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
57 /* ====================================================================
58 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Portions of the attached software ("Contribution") are developed by
61 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63 * The Contribution is licensed pursuant to the Eric Young open source
64 * license provided above.
66 * The binary polynomial arithmetic software is originally written by
67 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
77 #include <openssl/bio.h>
78 #include <openssl/bn.h>
79 #include <openssl/rand.h>
80 #include <openssl/x509.h>
81 #include <openssl/err.h>
84 * In bn_lcl.h, bn_expand() is defined as a static ossl_inline function.
85 * This is fine in itself, it will end up as an unused static function in
86 * the worst case. However, it referenses bn_expand2(), which is a private
87 * function in libcrypto and therefore unavailable on some systems. This
88 * may result in a linker error because of unresolved symbols.
90 * To avoid this, we define a dummy variant of bn_expand2() here, and to
91 * avoid possible clashes with libcrypto, we rename it first, using a macro.
93 #define bn_expand2 dummy_bn_expand2
94 BIGNUM *bn_expand2(BIGNUM *b, int words);
95 BIGNUM *bn_expand2(BIGNUM *b, int words) { return NULL; }
97 #include "../crypto/bn/bn_lcl.h"
99 static const int num0 = 100; /* number of tests */
100 static const int num1 = 50; /* additional tests for some functions */
101 static const int num2 = 5; /* number of tests for slow functions */
103 int test_add(BIO *bp);
104 int test_sub(BIO *bp);
105 int test_lshift1(BIO *bp);
106 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_);
107 int test_rshift1(BIO *bp);
108 int test_rshift(BIO *bp, BN_CTX *ctx);
109 int test_div(BIO *bp, BN_CTX *ctx);
110 int test_div_word(BIO *bp);
111 int test_div_recp(BIO *bp, BN_CTX *ctx);
112 int test_mul(BIO *bp);
113 int test_sqr(BIO *bp, BN_CTX *ctx);
114 int test_mont(BIO *bp, BN_CTX *ctx);
115 int test_mod(BIO *bp, BN_CTX *ctx);
116 int test_mod_mul(BIO *bp, BN_CTX *ctx);
117 int test_mod_exp(BIO *bp, BN_CTX *ctx);
118 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);
119 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
120 int test_exp(BIO *bp, BN_CTX *ctx);
121 int test_gf2m_add(BIO *bp);
122 int test_gf2m_mod(BIO *bp);
123 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx);
124 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx);
125 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx);
126 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx);
127 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx);
128 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx);
129 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
130 int test_kron(BIO *bp, BN_CTX *ctx);
131 int test_sqrt(BIO *bp, BN_CTX *ctx);
132 int test_small_prime(BIO *bp, BN_CTX *ctx);
134 static int results = 0;
136 static unsigned char lst[] =
137 "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
138 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
140 static const char rnd_seed[] =
141 "string to make the random number generator think it has entropy";
143 static void message(BIO *out, char *m)
145 fprintf(stderr, "test %s\n", m);
146 BIO_puts(out, "print \"test ");
148 BIO_puts(out, "\\n\"\n");
151 int main(int argc, char *argv[])
155 char *outfile = NULL;
157 CRYPTO_set_mem_debug(1);
158 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
162 RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
167 if (strcmp(*argv, "-results") == 0)
169 else if (strcmp(*argv, "-out") == 0) {
182 out = BIO_new(BIO_s_file());
185 if (outfile == NULL) {
186 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
188 if (!BIO_write_filename(out, outfile)) {
193 #ifdef OPENSSL_SYS_VMS
195 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
196 out = BIO_push(tmpbio, out);
201 BIO_puts(out, "obase=16\nibase=16\n");
203 message(out, "BN_add");
206 (void)BIO_flush(out);
208 message(out, "BN_sub");
211 (void)BIO_flush(out);
213 message(out, "BN_lshift1");
214 if (!test_lshift1(out))
216 (void)BIO_flush(out);
218 message(out, "BN_lshift (fixed)");
219 if (!test_lshift(out, ctx, BN_bin2bn(lst, sizeof(lst) - 1, NULL)))
221 (void)BIO_flush(out);
223 message(out, "BN_lshift");
224 if (!test_lshift(out, ctx, NULL))
226 (void)BIO_flush(out);
228 message(out, "BN_rshift1");
229 if (!test_rshift1(out))
231 (void)BIO_flush(out);
233 message(out, "BN_rshift");
234 if (!test_rshift(out, ctx))
236 (void)BIO_flush(out);
238 message(out, "BN_sqr");
239 if (!test_sqr(out, ctx))
241 (void)BIO_flush(out);
243 message(out, "BN_mul");
246 (void)BIO_flush(out);
248 message(out, "BN_div");
249 if (!test_div(out, ctx))
251 (void)BIO_flush(out);
253 message(out, "BN_div_word");
254 if (!test_div_word(out))
256 (void)BIO_flush(out);
258 message(out, "BN_div_recp");
259 if (!test_div_recp(out, ctx))
261 (void)BIO_flush(out);
263 message(out, "BN_mod");
264 if (!test_mod(out, ctx))
266 (void)BIO_flush(out);
268 message(out, "BN_mod_mul");
269 if (!test_mod_mul(out, ctx))
271 (void)BIO_flush(out);
273 message(out, "BN_mont");
274 if (!test_mont(out, ctx))
276 (void)BIO_flush(out);
278 message(out, "BN_mod_exp");
279 if (!test_mod_exp(out, ctx))
281 (void)BIO_flush(out);
283 message(out, "BN_mod_exp_mont_consttime");
284 if (!test_mod_exp_mont_consttime(out, ctx))
286 if (!test_mod_exp_mont5(out, ctx))
288 (void)BIO_flush(out);
290 message(out, "BN_exp");
291 if (!test_exp(out, ctx))
293 (void)BIO_flush(out);
295 message(out, "BN_kronecker");
296 if (!test_kron(out, ctx))
298 (void)BIO_flush(out);
300 message(out, "BN_mod_sqrt");
301 if (!test_sqrt(out, ctx))
303 (void)BIO_flush(out);
305 message(out, "Small prime generation");
306 if (!test_small_prime(out, ctx))
308 (void)BIO_flush(out);
310 #ifndef OPENSSL_NO_EC2M
311 message(out, "BN_GF2m_add");
312 if (!test_gf2m_add(out))
314 (void)BIO_flush(out);
316 message(out, "BN_GF2m_mod");
317 if (!test_gf2m_mod(out))
319 (void)BIO_flush(out);
321 message(out, "BN_GF2m_mod_mul");
322 if (!test_gf2m_mod_mul(out, ctx))
324 (void)BIO_flush(out);
326 message(out, "BN_GF2m_mod_sqr");
327 if (!test_gf2m_mod_sqr(out, ctx))
329 (void)BIO_flush(out);
331 message(out, "BN_GF2m_mod_inv");
332 if (!test_gf2m_mod_inv(out, ctx))
334 (void)BIO_flush(out);
336 message(out, "BN_GF2m_mod_div");
337 if (!test_gf2m_mod_div(out, ctx))
339 (void)BIO_flush(out);
341 message(out, "BN_GF2m_mod_exp");
342 if (!test_gf2m_mod_exp(out, ctx))
344 (void)BIO_flush(out);
346 message(out, "BN_GF2m_mod_sqrt");
347 if (!test_gf2m_mod_sqrt(out, ctx))
349 (void)BIO_flush(out);
351 message(out, "BN_GF2m_mod_solve_quad");
352 if (!test_gf2m_mod_solve_quad(out, ctx))
354 (void)BIO_flush(out);
359 ERR_print_errors_fp(stderr);
361 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
362 if (CRYPTO_mem_leaks_fp(stderr) <= 0)
367 BIO_puts(out, "1\n"); /* make sure the Perl script fed by bc
368 * notices the failure, see test_bn in
369 * test/Makefile.ssl */
370 (void)BIO_flush(out);
374 ERR_print_errors_fp(stderr);
378 int test_add(BIO *bp)
387 BN_bntest_rand(a, 512, 0, 0);
388 for (i = 0; i < num0; i++) {
389 BN_bntest_rand(b, 450 + i, 0, 0);
407 if (!BN_is_zero(c)) {
408 fprintf(stderr, "Add test failed!\n");
418 int test_sub(BIO *bp)
427 for (i = 0; i < num0 + num1; i++) {
429 BN_bntest_rand(a, 512, 0, 0);
431 if (BN_set_bit(a, i) == 0)
435 BN_bntest_rand(b, 400 + i - num1, 0, 0);
452 if (!BN_is_zero(c)) {
453 fprintf(stderr, "Subtract test failed!\n");
463 int test_div(BIO *bp, BN_CTX *ctx)
465 BIGNUM *a, *b, *c, *d, *e;
477 if (BN_div(d, c, a, b, ctx)) {
478 fprintf(stderr, "Division by zero succeeded!\n");
482 for (i = 0; i < num0 + num1; i++) {
484 BN_bntest_rand(a, 400, 0, 0);
489 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
492 BN_div(d, c, a, b, ctx);
512 BN_mul(e, d, b, ctx);
515 if (!BN_is_zero(d)) {
516 fprintf(stderr, "Division test failed!\n");
528 static void print_word(BIO *bp, BN_ULONG w)
530 int i = sizeof(w) * 8;
536 byte = (unsigned char)(w >> i);
538 fmt = byte ? "%X" : NULL;
543 BIO_printf(bp, fmt, byte);
546 /* If we haven't printed anything, at least print a zero! */
551 int test_div_word(BIO *bp)
560 for (i = 0; i < num0; i++) {
562 BN_bntest_rand(a, 512, -1, 0);
563 BN_bntest_rand(b, BN_BITS2, -1, 0);
564 } while (BN_is_zero(b));
568 r = BN_div_word(b, s);
592 if (!BN_is_zero(b)) {
593 fprintf(stderr, "Division (word) test failed!\n");
602 int test_div_recp(BIO *bp, BN_CTX *ctx)
604 BIGNUM *a, *b, *c, *d, *e;
608 recp = BN_RECP_CTX_new();
615 for (i = 0; i < num0 + num1; i++) {
617 BN_bntest_rand(a, 400, 0, 0);
622 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
625 BN_RECP_CTX_set(recp, b, ctx);
626 BN_div_recp(d, c, a, recp, ctx);
646 BN_mul(e, d, b, ctx);
649 if (!BN_is_zero(d)) {
650 fprintf(stderr, "Reciprocal division test failed!\n");
651 fprintf(stderr, "a=");
652 BN_print_fp(stderr, a);
653 fprintf(stderr, "\nb=");
654 BN_print_fp(stderr, b);
655 fprintf(stderr, "\n");
664 BN_RECP_CTX_free(recp);
668 int test_mul(BIO *bp)
670 BIGNUM *a, *b, *c, *d, *e;
684 for (i = 0; i < num0 + num1; i++) {
686 BN_bntest_rand(a, 100, 0, 0);
687 BN_bntest_rand(b, 100, 0, 0);
689 BN_bntest_rand(b, i - num1, 0, 0);
692 BN_mul(c, a, b, ctx);
703 BN_div(d, e, c, a, ctx);
705 if (!BN_is_zero(d) || !BN_is_zero(e)) {
706 fprintf(stderr, "Multiplication test failed!\n");
719 int test_sqr(BIO *bp, BN_CTX *ctx)
721 BIGNUM *a, *c, *d, *e;
728 if (a == NULL || c == NULL || d == NULL || e == NULL) {
732 for (i = 0; i < num0; i++) {
733 BN_bntest_rand(a, 40 + i * 10, 0, 0);
746 BN_div(d, e, c, a, ctx);
748 if (!BN_is_zero(d) || !BN_is_zero(e)) {
749 fprintf(stderr, "Square test failed!\n");
754 /* Regression test for a BN_sqr overflow bug. */
756 "80000000000000008000000000000001"
757 "FFFFFFFFFFFFFFFE0000000000000000");
769 BN_mul(d, a, a, ctx);
771 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
772 "different results!\n");
776 /* Regression test for a BN_sqr overflow bug. */
778 "80000000000000000000000080000001"
779 "FFFFFFFE000000000000000000000000");
791 BN_mul(d, a, a, ctx);
793 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
794 "different results!\n");
806 int test_mont(BIO *bp, BN_CTX *ctx)
808 BIGNUM *a, *b, *c, *d, *A, *B;
821 mont = BN_MONT_CTX_new();
826 if (BN_MONT_CTX_set(mont, n, ctx)) {
827 fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
832 if (BN_MONT_CTX_set(mont, n, ctx)) {
833 fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
837 BN_bntest_rand(a, 100, 0, 0);
838 BN_bntest_rand(b, 100, 0, 0);
839 for (i = 0; i < num2; i++) {
840 int bits = (200 * (i + 1)) / num2;
844 BN_bntest_rand(n, bits, 0, 1);
845 BN_MONT_CTX_set(mont, n, ctx);
847 BN_nnmod(a, a, n, ctx);
848 BN_nnmod(b, b, n, ctx);
850 BN_to_montgomery(A, a, mont, ctx);
851 BN_to_montgomery(B, b, mont, ctx);
853 BN_mod_mul_montgomery(c, A, B, mont, ctx);
854 BN_from_montgomery(A, c, mont, ctx);
861 BN_print(bp, &mont->N);
867 BN_mod_mul(d, a, b, n, ctx);
869 if (!BN_is_zero(d)) {
870 fprintf(stderr, "Montgomery multiplication test failed!\n");
874 BN_MONT_CTX_free(mont);
885 int test_mod(BIO *bp, BN_CTX *ctx)
887 BIGNUM *a, *b, *c, *d, *e;
896 BN_bntest_rand(a, 1024, 0, 0);
897 for (i = 0; i < num0; i++) {
898 BN_bntest_rand(b, 450 + i * 10, 0, 0);
901 BN_mod(c, a, b, ctx);
912 BN_div(d, e, a, b, ctx);
914 if (!BN_is_zero(e)) {
915 fprintf(stderr, "Modulo test failed!\n");
927 int test_mod_mul(BIO *bp, BN_CTX *ctx)
929 BIGNUM *a, *b, *c, *d, *e;
941 if (BN_mod_mul(e, a, b, c, ctx)) {
942 fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
946 for (j = 0; j < 3; j++) {
947 BN_bntest_rand(c, 1024, 0, 0);
948 for (i = 0; i < num0; i++) {
949 BN_bntest_rand(a, 475 + i * 10, 0, 0);
950 BN_bntest_rand(b, 425 + i * 11, 0, 0);
953 if (!BN_mod_mul(e, a, b, c, ctx)) {
956 while ((l = ERR_get_error()))
957 fprintf(stderr, "ERROR:%s\n", ERR_error_string(l, NULL));
967 if ((a->neg ^ b->neg) && !BN_is_zero(e)) {
969 * If (a*b) % c is negative, c must be added in order
970 * to obtain the normalized remainder (new with
971 * OpenSSL 0.9.7, previous versions of BN_mod_mul
972 * could generate negative results)
982 BN_mul(d, a, b, ctx);
984 BN_div(a, b, d, c, ctx);
985 if (!BN_is_zero(b)) {
986 fprintf(stderr, "Modulo multiply test failed!\n");
987 ERR_print_errors_fp(stderr);
1000 int test_mod_exp(BIO *bp, BN_CTX *ctx)
1002 BIGNUM *a, *b, *c, *d, *e;
1014 if (BN_mod_exp(d, a, b, c, ctx)) {
1015 fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
1019 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1020 for (i = 0; i < num2; i++) {
1021 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1022 BN_bntest_rand(b, 2 + i, 0, 0);
1024 if (!BN_mod_exp(d, a, b, c, ctx))
1030 BIO_puts(bp, " ^ ");
1032 BIO_puts(bp, " % ");
1034 BIO_puts(bp, " - ");
1039 BN_exp(e, a, b, ctx);
1041 BN_div(a, b, e, c, ctx);
1042 if (!BN_is_zero(b)) {
1043 fprintf(stderr, "Modulo exponentiation test failed!\n");
1048 /* Regression test for carry propagation bug in sqr8x_reduction */
1049 BN_hex2bn(&a, "050505050505");
1050 BN_hex2bn(&b, "02");
1052 "4141414141414141414141274141414141414141414141414141414141414141"
1053 "4141414141414141414141414141414141414141414141414141414141414141"
1054 "4141414141414141414141800000000000000000000000000000000000000000"
1055 "0000000000000000000000000000000000000000000000000000000000000000"
1056 "0000000000000000000000000000000000000000000000000000000000000000"
1057 "0000000000000000000000000000000000000000000000000000000001");
1058 BN_mod_exp(d, a, b, c, ctx);
1059 BN_mul(e, a, a, ctx);
1061 fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
1073 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
1075 BIGNUM *a, *b, *c, *d, *e;
1087 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1088 fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
1094 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1095 fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
1100 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1101 for (i = 0; i < num2; i++) {
1102 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1103 BN_bntest_rand(b, 2 + i, 0, 0);
1105 if (!BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL))
1111 BIO_puts(bp, " ^ ");
1113 BIO_puts(bp, " % ");
1115 BIO_puts(bp, " - ");
1120 BN_exp(e, a, b, ctx);
1122 BN_div(a, b, e, c, ctx);
1123 if (!BN_is_zero(b)) {
1124 fprintf(stderr, "Modulo exponentiation test failed!\n");
1137 * Test constant-time modular exponentiation with 1024-bit inputs, which on
1138 * x86_64 cause a different code branch to be taken.
1140 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
1142 BIGNUM *a, *p, *m, *d, *e;
1150 mont = BN_MONT_CTX_new();
1152 BN_bntest_rand(m, 1024, 0, 1); /* must be odd for montgomery */
1154 BN_bntest_rand(a, 1024, 0, 0);
1156 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1158 if (!BN_is_one(d)) {
1159 fprintf(stderr, "Modular exponentiation test failed!\n");
1163 BN_bntest_rand(p, 1024, 0, 0);
1165 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1167 if (!BN_is_zero(d)) {
1168 fprintf(stderr, "Modular exponentiation test failed!\n");
1172 * Craft an input whose Montgomery representation is 1, i.e., shorter
1173 * than the modulus m, in order to test the const time precomputation
1174 * scattering/gathering.
1177 BN_MONT_CTX_set(mont, m, ctx);
1178 if (!BN_from_montgomery(e, a, mont, ctx))
1180 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1182 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1184 if (BN_cmp(a, d) != 0) {
1185 fprintf(stderr, "Modular exponentiation test failed!\n");
1188 /* Finally, some regular test vectors. */
1189 BN_bntest_rand(e, 1024, 0, 0);
1190 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1192 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1194 if (BN_cmp(a, d) != 0) {
1195 fprintf(stderr, "Modular exponentiation test failed!\n");
1198 BN_MONT_CTX_free(mont);
1207 int test_exp(BIO *bp, BN_CTX *ctx)
1209 BIGNUM *a, *b, *d, *e, *one;
1219 for (i = 0; i < num2; i++) {
1220 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1221 BN_bntest_rand(b, 2 + i, 0, 0);
1223 if (BN_exp(d, a, b, ctx) <= 0)
1229 BIO_puts(bp, " ^ ");
1231 BIO_puts(bp, " - ");
1237 for (; !BN_is_zero(b); BN_sub(b, b, one))
1238 BN_mul(e, e, a, ctx);
1240 if (!BN_is_zero(e)) {
1241 fprintf(stderr, "Exponentiation test failed!\n");
1253 #ifndef OPENSSL_NO_EC2M
1254 int test_gf2m_add(BIO *bp)
1263 for (i = 0; i < num0; i++) {
1264 BN_rand(a, 512, 0, 0);
1265 BN_copy(b, BN_value_one());
1266 a->neg = rand_neg();
1267 b->neg = rand_neg();
1268 BN_GF2m_add(c, a, b);
1269 /* Test that two added values have the correct parity. */
1270 if ((BN_is_odd(a) && BN_is_odd(c))
1271 || (!BN_is_odd(a) && !BN_is_odd(c))) {
1272 fprintf(stderr, "GF(2^m) addition test (a) failed!\n");
1275 BN_GF2m_add(c, c, c);
1276 /* Test that c + c = 0. */
1277 if (!BN_is_zero(c)) {
1278 fprintf(stderr, "GF(2^m) addition test (b) failed!\n");
1290 int test_gf2m_mod(BIO *bp)
1292 BIGNUM *a, *b[2], *c, *d, *e;
1294 int p0[] = { 163, 7, 6, 3, 0, -1 };
1295 int p1[] = { 193, 15, 0, -1 };
1304 BN_GF2m_arr2poly(p0, b[0]);
1305 BN_GF2m_arr2poly(p1, b[1]);
1307 for (i = 0; i < num0; i++) {
1308 BN_bntest_rand(a, 1024, 0, 0);
1309 for (j = 0; j < 2; j++) {
1310 BN_GF2m_mod(c, a, b[j]);
1311 BN_GF2m_add(d, a, c);
1312 BN_GF2m_mod(e, d, b[j]);
1313 /* Test that a + (a mod p) mod p == 0. */
1314 if (!BN_is_zero(e)) {
1315 fprintf(stderr, "GF(2^m) modulo test failed!\n");
1331 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx)
1333 BIGNUM *a, *b[2], *c, *d, *e, *f, *g, *h;
1335 int p0[] = { 163, 7, 6, 3, 0, -1 };
1336 int p1[] = { 193, 15, 0, -1 };
1348 BN_GF2m_arr2poly(p0, b[0]);
1349 BN_GF2m_arr2poly(p1, b[1]);
1351 for (i = 0; i < num0; i++) {
1352 BN_bntest_rand(a, 1024, 0, 0);
1353 BN_bntest_rand(c, 1024, 0, 0);
1354 BN_bntest_rand(d, 1024, 0, 0);
1355 for (j = 0; j < 2; j++) {
1356 BN_GF2m_mod_mul(e, a, c, b[j], ctx);
1357 BN_GF2m_add(f, a, d);
1358 BN_GF2m_mod_mul(g, f, c, b[j], ctx);
1359 BN_GF2m_mod_mul(h, d, c, b[j], ctx);
1360 BN_GF2m_add(f, e, g);
1361 BN_GF2m_add(f, f, h);
1362 /* Test that (a+d)*c = a*c + d*c. */
1363 if (!BN_is_zero(f)) {
1365 "GF(2^m) modular multiplication test failed!\n");
1384 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx)
1386 BIGNUM *a, *b[2], *c, *d;
1388 int p0[] = { 163, 7, 6, 3, 0, -1 };
1389 int p1[] = { 193, 15, 0, -1 };
1397 BN_GF2m_arr2poly(p0, b[0]);
1398 BN_GF2m_arr2poly(p1, b[1]);
1400 for (i = 0; i < num0; i++) {
1401 BN_bntest_rand(a, 1024, 0, 0);
1402 for (j = 0; j < 2; j++) {
1403 BN_GF2m_mod_sqr(c, a, b[j], ctx);
1405 BN_GF2m_mod_mul(d, a, d, b[j], ctx);
1406 BN_GF2m_add(d, c, d);
1407 /* Test that a*a = a^2. */
1408 if (!BN_is_zero(d)) {
1409 fprintf(stderr, "GF(2^m) modular squaring test failed!\n");
1424 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx)
1426 BIGNUM *a, *b[2], *c, *d;
1428 int p0[] = { 163, 7, 6, 3, 0, -1 };
1429 int p1[] = { 193, 15, 0, -1 };
1437 BN_GF2m_arr2poly(p0, b[0]);
1438 BN_GF2m_arr2poly(p1, b[1]);
1440 for (i = 0; i < num0; i++) {
1441 BN_bntest_rand(a, 512, 0, 0);
1442 for (j = 0; j < 2; j++) {
1443 BN_GF2m_mod_inv(c, a, b[j], ctx);
1444 BN_GF2m_mod_mul(d, a, c, b[j], ctx);
1445 /* Test that ((1/a)*a) = 1. */
1446 if (!BN_is_one(d)) {
1447 fprintf(stderr, "GF(2^m) modular inversion test failed!\n");
1462 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx)
1464 BIGNUM *a, *b[2], *c, *d, *e, *f;
1466 int p0[] = { 163, 7, 6, 3, 0, -1 };
1467 int p1[] = { 193, 15, 0, -1 };
1477 BN_GF2m_arr2poly(p0, b[0]);
1478 BN_GF2m_arr2poly(p1, b[1]);
1480 for (i = 0; i < num0; i++) {
1481 BN_bntest_rand(a, 512, 0, 0);
1482 BN_bntest_rand(c, 512, 0, 0);
1483 for (j = 0; j < 2; j++) {
1484 BN_GF2m_mod_div(d, a, c, b[j], ctx);
1485 BN_GF2m_mod_mul(e, d, c, b[j], ctx);
1486 BN_GF2m_mod_div(f, a, e, b[j], ctx);
1487 /* Test that ((a/c)*c)/a = 1. */
1488 if (!BN_is_one(f)) {
1489 fprintf(stderr, "GF(2^m) modular division test failed!\n");
1506 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx)
1508 BIGNUM *a, *b[2], *c, *d, *e, *f;
1510 int p0[] = { 163, 7, 6, 3, 0, -1 };
1511 int p1[] = { 193, 15, 0, -1 };
1521 BN_GF2m_arr2poly(p0, b[0]);
1522 BN_GF2m_arr2poly(p1, b[1]);
1524 for (i = 0; i < num0; i++) {
1525 BN_bntest_rand(a, 512, 0, 0);
1526 BN_bntest_rand(c, 512, 0, 0);
1527 BN_bntest_rand(d, 512, 0, 0);
1528 for (j = 0; j < 2; j++) {
1529 BN_GF2m_mod_exp(e, a, c, b[j], ctx);
1530 BN_GF2m_mod_exp(f, a, d, b[j], ctx);
1531 BN_GF2m_mod_mul(e, e, f, b[j], ctx);
1533 BN_GF2m_mod_exp(f, a, f, b[j], ctx);
1534 BN_GF2m_add(f, e, f);
1535 /* Test that a^(c+d)=a^c*a^d. */
1536 if (!BN_is_zero(f)) {
1538 "GF(2^m) modular exponentiation test failed!\n");
1555 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx)
1557 BIGNUM *a, *b[2], *c, *d, *e, *f;
1559 int p0[] = { 163, 7, 6, 3, 0, -1 };
1560 int p1[] = { 193, 15, 0, -1 };
1570 BN_GF2m_arr2poly(p0, b[0]);
1571 BN_GF2m_arr2poly(p1, b[1]);
1573 for (i = 0; i < num0; i++) {
1574 BN_bntest_rand(a, 512, 0, 0);
1575 for (j = 0; j < 2; j++) {
1576 BN_GF2m_mod(c, a, b[j]);
1577 BN_GF2m_mod_sqrt(d, a, b[j], ctx);
1578 BN_GF2m_mod_sqr(e, d, b[j], ctx);
1579 BN_GF2m_add(f, c, e);
1580 /* Test that d^2 = a, where d = sqrt(a). */
1581 if (!BN_is_zero(f)) {
1582 fprintf(stderr, "GF(2^m) modular square root test failed!\n");
1599 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx)
1601 BIGNUM *a, *b[2], *c, *d, *e;
1602 int i, j, s = 0, t, ret = 0;
1603 int p0[] = { 163, 7, 6, 3, 0, -1 };
1604 int p1[] = { 193, 15, 0, -1 };
1613 BN_GF2m_arr2poly(p0, b[0]);
1614 BN_GF2m_arr2poly(p1, b[1]);
1616 for (i = 0; i < num0; i++) {
1617 BN_bntest_rand(a, 512, 0, 0);
1618 for (j = 0; j < 2; j++) {
1619 t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
1622 BN_GF2m_mod_sqr(d, c, b[j], ctx);
1623 BN_GF2m_add(d, c, d);
1624 BN_GF2m_mod(e, a, b[j]);
1625 BN_GF2m_add(e, e, d);
1627 * Test that solution of quadratic c satisfies c^2 + c = a.
1629 if (!BN_is_zero(e)) {
1631 "GF(2^m) modular solve quadratic test failed!\n");
1640 "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n",
1643 "this is very unlikely and probably indicates an error.\n");
1657 static int genprime_cb(int p, int n, BN_GENCB *arg)
1674 int test_kron(BIO *bp, BN_CTX *ctx)
1677 BIGNUM *a, *b, *r, *t;
1679 int legendre, kronecker;
1686 if (a == NULL || b == NULL || r == NULL || t == NULL)
1689 BN_GENCB_set(&cb, genprime_cb, NULL);
1692 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1693 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1694 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1695 * generate a random prime b and compare these values for a number of
1696 * random a's. (That is, we run the Solovay-Strassen primality test to
1697 * confirm that b is prime, except that we don't want to test whether b
1698 * is prime but whether BN_kronecker works.)
1701 if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb))
1703 b->neg = rand_neg();
1706 for (i = 0; i < num0; i++) {
1707 if (!BN_bntest_rand(a, 512, 0, 0))
1709 a->neg = rand_neg();
1711 /* t := (|b|-1)/2 (note that b is odd) */
1715 if (!BN_sub_word(t, 1))
1717 if (!BN_rshift1(t, t))
1719 /* r := a^t mod b */
1722 if (!BN_mod_exp_recp(r, a, t, b, ctx))
1726 if (BN_is_word(r, 1))
1728 else if (BN_is_zero(r))
1731 if (!BN_add_word(r, 1))
1733 if (0 != BN_ucmp(r, b)) {
1734 fprintf(stderr, "Legendre symbol computation failed\n");
1740 kronecker = BN_kronecker(a, b, ctx);
1743 /* we actually need BN_kronecker(a, |b|) */
1744 if (a->neg && b->neg)
1745 kronecker = -kronecker;
1747 if (legendre != kronecker) {
1748 fprintf(stderr, "legendre != kronecker; a = ");
1749 BN_print_fp(stderr, a);
1750 fprintf(stderr, ", b = ");
1751 BN_print_fp(stderr, b);
1752 fprintf(stderr, "\n");
1771 int test_sqrt(BIO *bp, BN_CTX *ctx)
1781 if (a == NULL || p == NULL || r == NULL)
1784 BN_GENCB_set(&cb, genprime_cb, NULL);
1786 for (i = 0; i < 16; i++) {
1788 unsigned primes[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1790 if (!BN_set_word(p, primes[i]))
1793 if (!BN_set_word(a, 32))
1795 if (!BN_set_word(r, 2 * i + 1))
1798 if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb))
1802 p->neg = rand_neg();
1804 for (j = 0; j < num2; j++) {
1806 * construct 'a' such that it is a square modulo p, but in
1807 * general not a proper square and not reduced modulo p
1809 if (!BN_bntest_rand(r, 256, 0, 3))
1811 if (!BN_nnmod(r, r, p, ctx))
1813 if (!BN_mod_sqr(r, r, p, ctx))
1815 if (!BN_bntest_rand(a, 256, 0, 3))
1817 if (!BN_nnmod(a, a, p, ctx))
1819 if (!BN_mod_sqr(a, a, p, ctx))
1821 if (!BN_mul(a, a, r, ctx))
1824 if (!BN_sub(a, a, p))
1827 if (!BN_mod_sqrt(r, a, p, ctx))
1829 if (!BN_mod_sqr(r, r, p, ctx))
1832 if (!BN_nnmod(a, a, p, ctx))
1835 if (BN_cmp(a, r) != 0) {
1836 fprintf(stderr, "BN_mod_sqrt failed: a = ");
1837 BN_print_fp(stderr, a);
1838 fprintf(stderr, ", r = ");
1839 BN_print_fp(stderr, r);
1840 fprintf(stderr, ", p = ");
1841 BN_print_fp(stderr, p);
1842 fprintf(stderr, "\n");
1861 int test_small_prime(BIO *bp, BN_CTX *ctx)
1863 static const int bits = 10;
1868 if (!BN_generate_prime_ex(r, bits, 0, NULL, NULL, NULL))
1870 if (BN_num_bits(r) != bits) {
1871 BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits,
1883 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_)
1885 BIGNUM *a, *b, *c, *d;
1897 BN_bntest_rand(a, 200, 0, 0);
1898 a->neg = rand_neg();
1900 for (i = 0; i < num0; i++) {
1901 BN_lshift(b, a, i + 1);
1906 BIO_puts(bp, " * ");
1908 BIO_puts(bp, " - ");
1913 BN_mul(d, a, c, ctx);
1915 if (!BN_is_zero(d)) {
1916 fprintf(stderr, "Left shift test failed!\n");
1917 fprintf(stderr, "a=");
1918 BN_print_fp(stderr, a);
1919 fprintf(stderr, "\nb=");
1920 BN_print_fp(stderr, b);
1921 fprintf(stderr, "\nc=");
1922 BN_print_fp(stderr, c);
1923 fprintf(stderr, "\nd=");
1924 BN_print_fp(stderr, d);
1925 fprintf(stderr, "\n");
1936 int test_lshift1(BIO *bp)
1945 BN_bntest_rand(a, 200, 0, 0);
1946 a->neg = rand_neg();
1947 for (i = 0; i < num0; i++) {
1952 BIO_puts(bp, " * 2");
1953 BIO_puts(bp, " - ");
1960 if (!BN_is_zero(a)) {
1961 fprintf(stderr, "Left shift one test failed!\n");
1973 int test_rshift(BIO *bp, BN_CTX *ctx)
1975 BIGNUM *a, *b, *c, *d, *e;
1985 BN_bntest_rand(a, 200, 0, 0);
1986 a->neg = rand_neg();
1987 for (i = 0; i < num0; i++) {
1988 BN_rshift(b, a, i + 1);
1993 BIO_puts(bp, " / ");
1995 BIO_puts(bp, " - ");
2000 BN_div(d, e, a, c, ctx);
2002 if (!BN_is_zero(d)) {
2003 fprintf(stderr, "Right shift test failed!\n");
2015 int test_rshift1(BIO *bp)
2024 BN_bntest_rand(a, 200, 0, 0);
2025 a->neg = rand_neg();
2026 for (i = 0; i < num0; i++) {
2031 BIO_puts(bp, " / 2");
2032 BIO_puts(bp, " - ");
2039 if (!BN_is_zero(c) && !BN_abs_is_word(c, 1)) {
2040 fprintf(stderr, "Right shift one test failed!\n");
2053 static unsigned int neg = 0;
2054 static int sign[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
2056 return (sign[(neg++) % 8]);
projects / openssl.git / blob