2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
13 * Portions of the attached software ("Contribution") are developed by
14 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
16 * The Contribution is licensed pursuant to the Eric Young open source
17 * license provided above.
19 * The binary polynomial arithmetic software is originally written by
20 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
30 #include <openssl/bio.h>
31 #include <openssl/bn.h>
32 #include <openssl/rand.h>
33 #include <openssl/x509.h>
34 #include <openssl/err.h>
37 * In bn_lcl.h, bn_expand() is defined as a static ossl_inline function.
38 * This is fine in itself, it will end up as an unused static function in
39 * the worst case. However, it referenses bn_expand2(), which is a private
40 * function in libcrypto and therefore unavailable on some systems. This
41 * may result in a linker error because of unresolved symbols.
43 * To avoid this, we define a dummy variant of bn_expand2() here, and to
44 * avoid possible clashes with libcrypto, we rename it first, using a macro.
46 #define bn_expand2 dummy_bn_expand2
47 BIGNUM *bn_expand2(BIGNUM *b, int words);
48 BIGNUM *bn_expand2(BIGNUM *b, int words) { return NULL; }
50 #include "../crypto/bn/bn_lcl.h"
52 static const int num0 = 100; /* number of tests */
53 static const int num1 = 50; /* additional tests for some functions */
54 static const int num2 = 5; /* number of tests for slow functions */
56 int test_add(BIO *bp);
57 int test_sub(BIO *bp);
58 int test_lshift1(BIO *bp);
59 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_);
60 int test_rshift1(BIO *bp);
61 int test_rshift(BIO *bp, BN_CTX *ctx);
62 int test_div(BIO *bp, BN_CTX *ctx);
63 int test_div_word(BIO *bp);
64 int test_div_recp(BIO *bp, BN_CTX *ctx);
65 int test_mul(BIO *bp);
66 int test_sqr(BIO *bp, BN_CTX *ctx);
67 int test_mont(BIO *bp, BN_CTX *ctx);
68 int test_mod(BIO *bp, BN_CTX *ctx);
69 int test_mod_mul(BIO *bp, BN_CTX *ctx);
70 int test_mod_exp(BIO *bp, BN_CTX *ctx);
71 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);
72 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
73 int test_exp(BIO *bp, BN_CTX *ctx);
74 int test_gf2m_add(BIO *bp);
75 int test_gf2m_mod(BIO *bp);
76 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx);
77 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx);
78 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx);
79 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx);
80 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx);
81 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx);
82 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
83 int test_kron(BIO *bp, BN_CTX *ctx);
84 int test_sqrt(BIO *bp, BN_CTX *ctx);
85 int test_small_prime(BIO *bp, BN_CTX *ctx);
87 static int results = 0;
89 static unsigned char lst[] =
90 "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
91 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
93 static const char rnd_seed[] =
94 "string to make the random number generator think it has entropy";
96 static void message(BIO *out, char *m)
98 fprintf(stderr, "test %s\n", m);
99 BIO_puts(out, "print \"test ");
101 BIO_puts(out, "\\n\"\n");
104 int main(int argc, char *argv[])
108 char *outfile = NULL;
110 CRYPTO_set_mem_debug(1);
111 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
115 RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
120 if (strcmp(*argv, "-results") == 0)
122 else if (strcmp(*argv, "-out") == 0) {
135 out = BIO_new(BIO_s_file());
138 if (outfile == NULL) {
139 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
141 if (!BIO_write_filename(out, outfile)) {
146 #ifdef OPENSSL_SYS_VMS
148 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
149 out = BIO_push(tmpbio, out);
154 BIO_puts(out, "obase=16\nibase=16\n");
156 message(out, "BN_add");
159 (void)BIO_flush(out);
161 message(out, "BN_sub");
164 (void)BIO_flush(out);
166 message(out, "BN_lshift1");
167 if (!test_lshift1(out))
169 (void)BIO_flush(out);
171 message(out, "BN_lshift (fixed)");
172 if (!test_lshift(out, ctx, BN_bin2bn(lst, sizeof(lst) - 1, NULL)))
174 (void)BIO_flush(out);
176 message(out, "BN_lshift");
177 if (!test_lshift(out, ctx, NULL))
179 (void)BIO_flush(out);
181 message(out, "BN_rshift1");
182 if (!test_rshift1(out))
184 (void)BIO_flush(out);
186 message(out, "BN_rshift");
187 if (!test_rshift(out, ctx))
189 (void)BIO_flush(out);
191 message(out, "BN_sqr");
192 if (!test_sqr(out, ctx))
194 (void)BIO_flush(out);
196 message(out, "BN_mul");
199 (void)BIO_flush(out);
201 message(out, "BN_div");
202 if (!test_div(out, ctx))
204 (void)BIO_flush(out);
206 message(out, "BN_div_word");
207 if (!test_div_word(out))
209 (void)BIO_flush(out);
211 message(out, "BN_div_recp");
212 if (!test_div_recp(out, ctx))
214 (void)BIO_flush(out);
216 message(out, "BN_mod");
217 if (!test_mod(out, ctx))
219 (void)BIO_flush(out);
221 message(out, "BN_mod_mul");
222 if (!test_mod_mul(out, ctx))
224 (void)BIO_flush(out);
226 message(out, "BN_mont");
227 if (!test_mont(out, ctx))
229 (void)BIO_flush(out);
231 message(out, "BN_mod_exp");
232 if (!test_mod_exp(out, ctx))
234 (void)BIO_flush(out);
236 message(out, "BN_mod_exp_mont_consttime");
237 if (!test_mod_exp_mont_consttime(out, ctx))
239 if (!test_mod_exp_mont5(out, ctx))
241 (void)BIO_flush(out);
243 message(out, "BN_exp");
244 if (!test_exp(out, ctx))
246 (void)BIO_flush(out);
248 message(out, "BN_kronecker");
249 if (!test_kron(out, ctx))
251 (void)BIO_flush(out);
253 message(out, "BN_mod_sqrt");
254 if (!test_sqrt(out, ctx))
256 (void)BIO_flush(out);
258 message(out, "Small prime generation");
259 if (!test_small_prime(out, ctx))
261 (void)BIO_flush(out);
263 #ifndef OPENSSL_NO_EC2M
264 message(out, "BN_GF2m_add");
265 if (!test_gf2m_add(out))
267 (void)BIO_flush(out);
269 message(out, "BN_GF2m_mod");
270 if (!test_gf2m_mod(out))
272 (void)BIO_flush(out);
274 message(out, "BN_GF2m_mod_mul");
275 if (!test_gf2m_mod_mul(out, ctx))
277 (void)BIO_flush(out);
279 message(out, "BN_GF2m_mod_sqr");
280 if (!test_gf2m_mod_sqr(out, ctx))
282 (void)BIO_flush(out);
284 message(out, "BN_GF2m_mod_inv");
285 if (!test_gf2m_mod_inv(out, ctx))
287 (void)BIO_flush(out);
289 message(out, "BN_GF2m_mod_div");
290 if (!test_gf2m_mod_div(out, ctx))
292 (void)BIO_flush(out);
294 message(out, "BN_GF2m_mod_exp");
295 if (!test_gf2m_mod_exp(out, ctx))
297 (void)BIO_flush(out);
299 message(out, "BN_GF2m_mod_sqrt");
300 if (!test_gf2m_mod_sqrt(out, ctx))
302 (void)BIO_flush(out);
304 message(out, "BN_GF2m_mod_solve_quad");
305 if (!test_gf2m_mod_solve_quad(out, ctx))
307 (void)BIO_flush(out);
312 ERR_print_errors_fp(stderr);
314 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
315 if (CRYPTO_mem_leaks_fp(stderr) <= 0)
320 BIO_puts(out, "1\n"); /* make sure the Perl script fed by bc
321 * notices the failure, see test_bn in
322 * test/Makefile.ssl */
323 (void)BIO_flush(out);
327 ERR_print_errors_fp(stderr);
331 int test_add(BIO *bp)
340 BN_bntest_rand(a, 512, 0, 0);
341 for (i = 0; i < num0; i++) {
342 BN_bntest_rand(b, 450 + i, 0, 0);
360 if (!BN_is_zero(c)) {
361 fprintf(stderr, "Add test failed!\n");
371 int test_sub(BIO *bp)
380 for (i = 0; i < num0 + num1; i++) {
382 BN_bntest_rand(a, 512, 0, 0);
384 if (BN_set_bit(a, i) == 0)
388 BN_bntest_rand(b, 400 + i - num1, 0, 0);
405 if (!BN_is_zero(c)) {
406 fprintf(stderr, "Subtract test failed!\n");
416 int test_div(BIO *bp, BN_CTX *ctx)
418 BIGNUM *a, *b, *c, *d, *e;
430 if (BN_div(d, c, a, b, ctx)) {
431 fprintf(stderr, "Division by zero succeeded!\n");
435 for (i = 0; i < num0 + num1; i++) {
437 BN_bntest_rand(a, 400, 0, 0);
442 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
445 BN_div(d, c, a, b, ctx);
465 BN_mul(e, d, b, ctx);
468 if (!BN_is_zero(d)) {
469 fprintf(stderr, "Division test failed!\n");
481 static void print_word(BIO *bp, BN_ULONG w)
483 int i = sizeof(w) * 8;
489 byte = (unsigned char)(w >> i);
491 fmt = byte ? "%X" : NULL;
496 BIO_printf(bp, fmt, byte);
499 /* If we haven't printed anything, at least print a zero! */
504 int test_div_word(BIO *bp)
513 for (i = 0; i < num0; i++) {
515 BN_bntest_rand(a, 512, -1, 0);
516 BN_bntest_rand(b, BN_BITS2, -1, 0);
517 } while (BN_is_zero(b));
521 r = BN_div_word(b, s);
545 if (!BN_is_zero(b)) {
546 fprintf(stderr, "Division (word) test failed!\n");
555 int test_div_recp(BIO *bp, BN_CTX *ctx)
557 BIGNUM *a, *b, *c, *d, *e;
561 recp = BN_RECP_CTX_new();
568 for (i = 0; i < num0 + num1; i++) {
570 BN_bntest_rand(a, 400, 0, 0);
575 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
578 BN_RECP_CTX_set(recp, b, ctx);
579 BN_div_recp(d, c, a, recp, ctx);
599 BN_mul(e, d, b, ctx);
602 if (!BN_is_zero(d)) {
603 fprintf(stderr, "Reciprocal division test failed!\n");
604 fprintf(stderr, "a=");
605 BN_print_fp(stderr, a);
606 fprintf(stderr, "\nb=");
607 BN_print_fp(stderr, b);
608 fprintf(stderr, "\n");
617 BN_RECP_CTX_free(recp);
621 int test_mul(BIO *bp)
623 BIGNUM *a, *b, *c, *d, *e;
637 for (i = 0; i < num0 + num1; i++) {
639 BN_bntest_rand(a, 100, 0, 0);
640 BN_bntest_rand(b, 100, 0, 0);
642 BN_bntest_rand(b, i - num1, 0, 0);
645 BN_mul(c, a, b, ctx);
656 BN_div(d, e, c, a, ctx);
658 if (!BN_is_zero(d) || !BN_is_zero(e)) {
659 fprintf(stderr, "Multiplication test failed!\n");
672 int test_sqr(BIO *bp, BN_CTX *ctx)
674 BIGNUM *a, *c, *d, *e;
681 if (a == NULL || c == NULL || d == NULL || e == NULL) {
685 for (i = 0; i < num0; i++) {
686 BN_bntest_rand(a, 40 + i * 10, 0, 0);
699 BN_div(d, e, c, a, ctx);
701 if (!BN_is_zero(d) || !BN_is_zero(e)) {
702 fprintf(stderr, "Square test failed!\n");
707 /* Regression test for a BN_sqr overflow bug. */
709 "80000000000000008000000000000001"
710 "FFFFFFFFFFFFFFFE0000000000000000");
722 BN_mul(d, a, a, ctx);
724 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
725 "different results!\n");
729 /* Regression test for a BN_sqr overflow bug. */
731 "80000000000000000000000080000001"
732 "FFFFFFFE000000000000000000000000");
744 BN_mul(d, a, a, ctx);
746 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
747 "different results!\n");
759 int test_mont(BIO *bp, BN_CTX *ctx)
761 BIGNUM *a, *b, *c, *d, *A, *B;
774 mont = BN_MONT_CTX_new();
779 if (BN_MONT_CTX_set(mont, n, ctx)) {
780 fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
785 if (BN_MONT_CTX_set(mont, n, ctx)) {
786 fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
790 BN_bntest_rand(a, 100, 0, 0);
791 BN_bntest_rand(b, 100, 0, 0);
792 for (i = 0; i < num2; i++) {
793 int bits = (200 * (i + 1)) / num2;
797 BN_bntest_rand(n, bits, 0, 1);
798 BN_MONT_CTX_set(mont, n, ctx);
800 BN_nnmod(a, a, n, ctx);
801 BN_nnmod(b, b, n, ctx);
803 BN_to_montgomery(A, a, mont, ctx);
804 BN_to_montgomery(B, b, mont, ctx);
806 BN_mod_mul_montgomery(c, A, B, mont, ctx);
807 BN_from_montgomery(A, c, mont, ctx);
814 BN_print(bp, &mont->N);
820 BN_mod_mul(d, a, b, n, ctx);
822 if (!BN_is_zero(d)) {
823 fprintf(stderr, "Montgomery multiplication test failed!\n");
827 BN_MONT_CTX_free(mont);
838 int test_mod(BIO *bp, BN_CTX *ctx)
840 BIGNUM *a, *b, *c, *d, *e;
849 BN_bntest_rand(a, 1024, 0, 0);
850 for (i = 0; i < num0; i++) {
851 BN_bntest_rand(b, 450 + i * 10, 0, 0);
854 BN_mod(c, a, b, ctx);
865 BN_div(d, e, a, b, ctx);
867 if (!BN_is_zero(e)) {
868 fprintf(stderr, "Modulo test failed!\n");
880 int test_mod_mul(BIO *bp, BN_CTX *ctx)
882 BIGNUM *a, *b, *c, *d, *e;
894 if (BN_mod_mul(e, a, b, c, ctx)) {
895 fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
899 for (j = 0; j < 3; j++) {
900 BN_bntest_rand(c, 1024, 0, 0);
901 for (i = 0; i < num0; i++) {
902 BN_bntest_rand(a, 475 + i * 10, 0, 0);
903 BN_bntest_rand(b, 425 + i * 11, 0, 0);
906 if (!BN_mod_mul(e, a, b, c, ctx)) {
909 while ((l = ERR_get_error()))
910 fprintf(stderr, "ERROR:%s\n", ERR_error_string(l, NULL));
920 if ((a->neg ^ b->neg) && !BN_is_zero(e)) {
922 * If (a*b) % c is negative, c must be added in order
923 * to obtain the normalized remainder (new with
924 * OpenSSL 0.9.7, previous versions of BN_mod_mul
925 * could generate negative results)
935 BN_mul(d, a, b, ctx);
937 BN_div(a, b, d, c, ctx);
938 if (!BN_is_zero(b)) {
939 fprintf(stderr, "Modulo multiply test failed!\n");
940 ERR_print_errors_fp(stderr);
953 int test_mod_exp(BIO *bp, BN_CTX *ctx)
955 BIGNUM *a, *b, *c, *d, *e;
967 if (BN_mod_exp(d, a, b, c, ctx)) {
968 fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
972 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
973 for (i = 0; i < num2; i++) {
974 BN_bntest_rand(a, 20 + i * 5, 0, 0);
975 BN_bntest_rand(b, 2 + i, 0, 0);
977 if (!BN_mod_exp(d, a, b, c, ctx))
992 BN_exp(e, a, b, ctx);
994 BN_div(a, b, e, c, ctx);
995 if (!BN_is_zero(b)) {
996 fprintf(stderr, "Modulo exponentiation test failed!\n");
1001 /* Regression test for carry propagation bug in sqr8x_reduction */
1002 BN_hex2bn(&a, "050505050505");
1003 BN_hex2bn(&b, "02");
1005 "4141414141414141414141274141414141414141414141414141414141414141"
1006 "4141414141414141414141414141414141414141414141414141414141414141"
1007 "4141414141414141414141800000000000000000000000000000000000000000"
1008 "0000000000000000000000000000000000000000000000000000000000000000"
1009 "0000000000000000000000000000000000000000000000000000000000000000"
1010 "0000000000000000000000000000000000000000000000000000000001");
1011 BN_mod_exp(d, a, b, c, ctx);
1012 BN_mul(e, a, a, ctx);
1014 fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
1026 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
1028 BIGNUM *a, *b, *c, *d, *e;
1040 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1041 fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
1047 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1048 fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
1053 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1054 for (i = 0; i < num2; i++) {
1055 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1056 BN_bntest_rand(b, 2 + i, 0, 0);
1058 if (!BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL))
1064 BIO_puts(bp, " ^ ");
1066 BIO_puts(bp, " % ");
1068 BIO_puts(bp, " - ");
1073 BN_exp(e, a, b, ctx);
1075 BN_div(a, b, e, c, ctx);
1076 if (!BN_is_zero(b)) {
1077 fprintf(stderr, "Modulo exponentiation test failed!\n");
1090 * Test constant-time modular exponentiation with 1024-bit inputs, which on
1091 * x86_64 cause a different code branch to be taken.
1093 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
1095 BIGNUM *a, *p, *m, *d, *e;
1103 mont = BN_MONT_CTX_new();
1105 BN_bntest_rand(m, 1024, 0, 1); /* must be odd for montgomery */
1107 BN_bntest_rand(a, 1024, 0, 0);
1109 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1111 if (!BN_is_one(d)) {
1112 fprintf(stderr, "Modular exponentiation test failed!\n");
1116 BN_bntest_rand(p, 1024, 0, 0);
1118 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1120 if (!BN_is_zero(d)) {
1121 fprintf(stderr, "Modular exponentiation test failed!\n");
1125 * Craft an input whose Montgomery representation is 1, i.e., shorter
1126 * than the modulus m, in order to test the const time precomputation
1127 * scattering/gathering.
1130 BN_MONT_CTX_set(mont, m, ctx);
1131 if (!BN_from_montgomery(e, a, mont, ctx))
1133 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1135 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1137 if (BN_cmp(a, d) != 0) {
1138 fprintf(stderr, "Modular exponentiation test failed!\n");
1141 /* Finally, some regular test vectors. */
1142 BN_bntest_rand(e, 1024, 0, 0);
1143 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1145 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1147 if (BN_cmp(a, d) != 0) {
1148 fprintf(stderr, "Modular exponentiation test failed!\n");
1151 BN_MONT_CTX_free(mont);
1160 int test_exp(BIO *bp, BN_CTX *ctx)
1162 BIGNUM *a, *b, *d, *e, *one;
1172 for (i = 0; i < num2; i++) {
1173 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1174 BN_bntest_rand(b, 2 + i, 0, 0);
1176 if (BN_exp(d, a, b, ctx) <= 0)
1182 BIO_puts(bp, " ^ ");
1184 BIO_puts(bp, " - ");
1190 for (; !BN_is_zero(b); BN_sub(b, b, one))
1191 BN_mul(e, e, a, ctx);
1193 if (!BN_is_zero(e)) {
1194 fprintf(stderr, "Exponentiation test failed!\n");
1206 #ifndef OPENSSL_NO_EC2M
1207 int test_gf2m_add(BIO *bp)
1216 for (i = 0; i < num0; i++) {
1217 BN_rand(a, 512, 0, 0);
1218 BN_copy(b, BN_value_one());
1219 a->neg = rand_neg();
1220 b->neg = rand_neg();
1221 BN_GF2m_add(c, a, b);
1222 /* Test that two added values have the correct parity. */
1223 if ((BN_is_odd(a) && BN_is_odd(c))
1224 || (!BN_is_odd(a) && !BN_is_odd(c))) {
1225 fprintf(stderr, "GF(2^m) addition test (a) failed!\n");
1228 BN_GF2m_add(c, c, c);
1229 /* Test that c + c = 0. */
1230 if (!BN_is_zero(c)) {
1231 fprintf(stderr, "GF(2^m) addition test (b) failed!\n");
1243 int test_gf2m_mod(BIO *bp)
1245 BIGNUM *a, *b[2], *c, *d, *e;
1247 int p0[] = { 163, 7, 6, 3, 0, -1 };
1248 int p1[] = { 193, 15, 0, -1 };
1257 BN_GF2m_arr2poly(p0, b[0]);
1258 BN_GF2m_arr2poly(p1, b[1]);
1260 for (i = 0; i < num0; i++) {
1261 BN_bntest_rand(a, 1024, 0, 0);
1262 for (j = 0; j < 2; j++) {
1263 BN_GF2m_mod(c, a, b[j]);
1264 BN_GF2m_add(d, a, c);
1265 BN_GF2m_mod(e, d, b[j]);
1266 /* Test that a + (a mod p) mod p == 0. */
1267 if (!BN_is_zero(e)) {
1268 fprintf(stderr, "GF(2^m) modulo test failed!\n");
1284 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx)
1286 BIGNUM *a, *b[2], *c, *d, *e, *f, *g, *h;
1288 int p0[] = { 163, 7, 6, 3, 0, -1 };
1289 int p1[] = { 193, 15, 0, -1 };
1301 BN_GF2m_arr2poly(p0, b[0]);
1302 BN_GF2m_arr2poly(p1, b[1]);
1304 for (i = 0; i < num0; i++) {
1305 BN_bntest_rand(a, 1024, 0, 0);
1306 BN_bntest_rand(c, 1024, 0, 0);
1307 BN_bntest_rand(d, 1024, 0, 0);
1308 for (j = 0; j < 2; j++) {
1309 BN_GF2m_mod_mul(e, a, c, b[j], ctx);
1310 BN_GF2m_add(f, a, d);
1311 BN_GF2m_mod_mul(g, f, c, b[j], ctx);
1312 BN_GF2m_mod_mul(h, d, c, b[j], ctx);
1313 BN_GF2m_add(f, e, g);
1314 BN_GF2m_add(f, f, h);
1315 /* Test that (a+d)*c = a*c + d*c. */
1316 if (!BN_is_zero(f)) {
1318 "GF(2^m) modular multiplication test failed!\n");
1337 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx)
1339 BIGNUM *a, *b[2], *c, *d;
1341 int p0[] = { 163, 7, 6, 3, 0, -1 };
1342 int p1[] = { 193, 15, 0, -1 };
1350 BN_GF2m_arr2poly(p0, b[0]);
1351 BN_GF2m_arr2poly(p1, b[1]);
1353 for (i = 0; i < num0; i++) {
1354 BN_bntest_rand(a, 1024, 0, 0);
1355 for (j = 0; j < 2; j++) {
1356 BN_GF2m_mod_sqr(c, a, b[j], ctx);
1358 BN_GF2m_mod_mul(d, a, d, b[j], ctx);
1359 BN_GF2m_add(d, c, d);
1360 /* Test that a*a = a^2. */
1361 if (!BN_is_zero(d)) {
1362 fprintf(stderr, "GF(2^m) modular squaring test failed!\n");
1377 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx)
1379 BIGNUM *a, *b[2], *c, *d;
1381 int p0[] = { 163, 7, 6, 3, 0, -1 };
1382 int p1[] = { 193, 15, 0, -1 };
1390 BN_GF2m_arr2poly(p0, b[0]);
1391 BN_GF2m_arr2poly(p1, b[1]);
1393 for (i = 0; i < num0; i++) {
1394 BN_bntest_rand(a, 512, 0, 0);
1395 for (j = 0; j < 2; j++) {
1396 BN_GF2m_mod_inv(c, a, b[j], ctx);
1397 BN_GF2m_mod_mul(d, a, c, b[j], ctx);
1398 /* Test that ((1/a)*a) = 1. */
1399 if (!BN_is_one(d)) {
1400 fprintf(stderr, "GF(2^m) modular inversion test failed!\n");
1415 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx)
1417 BIGNUM *a, *b[2], *c, *d, *e, *f;
1419 int p0[] = { 163, 7, 6, 3, 0, -1 };
1420 int p1[] = { 193, 15, 0, -1 };
1430 BN_GF2m_arr2poly(p0, b[0]);
1431 BN_GF2m_arr2poly(p1, b[1]);
1433 for (i = 0; i < num0; i++) {
1434 BN_bntest_rand(a, 512, 0, 0);
1435 BN_bntest_rand(c, 512, 0, 0);
1436 for (j = 0; j < 2; j++) {
1437 BN_GF2m_mod_div(d, a, c, b[j], ctx);
1438 BN_GF2m_mod_mul(e, d, c, b[j], ctx);
1439 BN_GF2m_mod_div(f, a, e, b[j], ctx);
1440 /* Test that ((a/c)*c)/a = 1. */
1441 if (!BN_is_one(f)) {
1442 fprintf(stderr, "GF(2^m) modular division test failed!\n");
1459 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx)
1461 BIGNUM *a, *b[2], *c, *d, *e, *f;
1463 int p0[] = { 163, 7, 6, 3, 0, -1 };
1464 int p1[] = { 193, 15, 0, -1 };
1474 BN_GF2m_arr2poly(p0, b[0]);
1475 BN_GF2m_arr2poly(p1, b[1]);
1477 for (i = 0; i < num0; i++) {
1478 BN_bntest_rand(a, 512, 0, 0);
1479 BN_bntest_rand(c, 512, 0, 0);
1480 BN_bntest_rand(d, 512, 0, 0);
1481 for (j = 0; j < 2; j++) {
1482 BN_GF2m_mod_exp(e, a, c, b[j], ctx);
1483 BN_GF2m_mod_exp(f, a, d, b[j], ctx);
1484 BN_GF2m_mod_mul(e, e, f, b[j], ctx);
1486 BN_GF2m_mod_exp(f, a, f, b[j], ctx);
1487 BN_GF2m_add(f, e, f);
1488 /* Test that a^(c+d)=a^c*a^d. */
1489 if (!BN_is_zero(f)) {
1491 "GF(2^m) modular exponentiation test failed!\n");
1508 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx)
1510 BIGNUM *a, *b[2], *c, *d, *e, *f;
1512 int p0[] = { 163, 7, 6, 3, 0, -1 };
1513 int p1[] = { 193, 15, 0, -1 };
1523 BN_GF2m_arr2poly(p0, b[0]);
1524 BN_GF2m_arr2poly(p1, b[1]);
1526 for (i = 0; i < num0; i++) {
1527 BN_bntest_rand(a, 512, 0, 0);
1528 for (j = 0; j < 2; j++) {
1529 BN_GF2m_mod(c, a, b[j]);
1530 BN_GF2m_mod_sqrt(d, a, b[j], ctx);
1531 BN_GF2m_mod_sqr(e, d, b[j], ctx);
1532 BN_GF2m_add(f, c, e);
1533 /* Test that d^2 = a, where d = sqrt(a). */
1534 if (!BN_is_zero(f)) {
1535 fprintf(stderr, "GF(2^m) modular square root test failed!\n");
1552 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx)
1554 BIGNUM *a, *b[2], *c, *d, *e;
1555 int i, j, s = 0, t, ret = 0;
1556 int p0[] = { 163, 7, 6, 3, 0, -1 };
1557 int p1[] = { 193, 15, 0, -1 };
1566 BN_GF2m_arr2poly(p0, b[0]);
1567 BN_GF2m_arr2poly(p1, b[1]);
1569 for (i = 0; i < num0; i++) {
1570 BN_bntest_rand(a, 512, 0, 0);
1571 for (j = 0; j < 2; j++) {
1572 t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
1575 BN_GF2m_mod_sqr(d, c, b[j], ctx);
1576 BN_GF2m_add(d, c, d);
1577 BN_GF2m_mod(e, a, b[j]);
1578 BN_GF2m_add(e, e, d);
1580 * Test that solution of quadratic c satisfies c^2 + c = a.
1582 if (!BN_is_zero(e)) {
1584 "GF(2^m) modular solve quadratic test failed!\n");
1593 "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n",
1596 "this is very unlikely and probably indicates an error.\n");
1610 static int genprime_cb(int p, int n, BN_GENCB *arg)
1627 int test_kron(BIO *bp, BN_CTX *ctx)
1630 BIGNUM *a, *b, *r, *t;
1632 int legendre, kronecker;
1639 if (a == NULL || b == NULL || r == NULL || t == NULL)
1642 BN_GENCB_set(&cb, genprime_cb, NULL);
1645 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1646 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1647 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1648 * generate a random prime b and compare these values for a number of
1649 * random a's. (That is, we run the Solovay-Strassen primality test to
1650 * confirm that b is prime, except that we don't want to test whether b
1651 * is prime but whether BN_kronecker works.)
1654 if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb))
1656 b->neg = rand_neg();
1659 for (i = 0; i < num0; i++) {
1660 if (!BN_bntest_rand(a, 512, 0, 0))
1662 a->neg = rand_neg();
1664 /* t := (|b|-1)/2 (note that b is odd) */
1668 if (!BN_sub_word(t, 1))
1670 if (!BN_rshift1(t, t))
1672 /* r := a^t mod b */
1675 if (!BN_mod_exp_recp(r, a, t, b, ctx))
1679 if (BN_is_word(r, 1))
1681 else if (BN_is_zero(r))
1684 if (!BN_add_word(r, 1))
1686 if (0 != BN_ucmp(r, b)) {
1687 fprintf(stderr, "Legendre symbol computation failed\n");
1693 kronecker = BN_kronecker(a, b, ctx);
1696 /* we actually need BN_kronecker(a, |b|) */
1697 if (a->neg && b->neg)
1698 kronecker = -kronecker;
1700 if (legendre != kronecker) {
1701 fprintf(stderr, "legendre != kronecker; a = ");
1702 BN_print_fp(stderr, a);
1703 fprintf(stderr, ", b = ");
1704 BN_print_fp(stderr, b);
1705 fprintf(stderr, "\n");
1724 int test_sqrt(BIO *bp, BN_CTX *ctx)
1734 if (a == NULL || p == NULL || r == NULL)
1737 BN_GENCB_set(&cb, genprime_cb, NULL);
1739 for (i = 0; i < 16; i++) {
1741 unsigned primes[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1743 if (!BN_set_word(p, primes[i]))
1746 if (!BN_set_word(a, 32))
1748 if (!BN_set_word(r, 2 * i + 1))
1751 if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb))
1755 p->neg = rand_neg();
1757 for (j = 0; j < num2; j++) {
1759 * construct 'a' such that it is a square modulo p, but in
1760 * general not a proper square and not reduced modulo p
1762 if (!BN_bntest_rand(r, 256, 0, 3))
1764 if (!BN_nnmod(r, r, p, ctx))
1766 if (!BN_mod_sqr(r, r, p, ctx))
1768 if (!BN_bntest_rand(a, 256, 0, 3))
1770 if (!BN_nnmod(a, a, p, ctx))
1772 if (!BN_mod_sqr(a, a, p, ctx))
1774 if (!BN_mul(a, a, r, ctx))
1777 if (!BN_sub(a, a, p))
1780 if (!BN_mod_sqrt(r, a, p, ctx))
1782 if (!BN_mod_sqr(r, r, p, ctx))
1785 if (!BN_nnmod(a, a, p, ctx))
1788 if (BN_cmp(a, r) != 0) {
1789 fprintf(stderr, "BN_mod_sqrt failed: a = ");
1790 BN_print_fp(stderr, a);
1791 fprintf(stderr, ", r = ");
1792 BN_print_fp(stderr, r);
1793 fprintf(stderr, ", p = ");
1794 BN_print_fp(stderr, p);
1795 fprintf(stderr, "\n");
1814 int test_small_prime(BIO *bp, BN_CTX *ctx)
1816 static const int bits = 10;
1821 if (!BN_generate_prime_ex(r, bits, 0, NULL, NULL, NULL))
1823 if (BN_num_bits(r) != bits) {
1824 BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits,
1836 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_)
1838 BIGNUM *a, *b, *c, *d;
1850 BN_bntest_rand(a, 200, 0, 0);
1851 a->neg = rand_neg();
1853 for (i = 0; i < num0; i++) {
1854 BN_lshift(b, a, i + 1);
1859 BIO_puts(bp, " * ");
1861 BIO_puts(bp, " - ");
1866 BN_mul(d, a, c, ctx);
1868 if (!BN_is_zero(d)) {
1869 fprintf(stderr, "Left shift test failed!\n");
1870 fprintf(stderr, "a=");
1871 BN_print_fp(stderr, a);
1872 fprintf(stderr, "\nb=");
1873 BN_print_fp(stderr, b);
1874 fprintf(stderr, "\nc=");
1875 BN_print_fp(stderr, c);
1876 fprintf(stderr, "\nd=");
1877 BN_print_fp(stderr, d);
1878 fprintf(stderr, "\n");
1889 int test_lshift1(BIO *bp)
1898 BN_bntest_rand(a, 200, 0, 0);
1899 a->neg = rand_neg();
1900 for (i = 0; i < num0; i++) {
1905 BIO_puts(bp, " * 2");
1906 BIO_puts(bp, " - ");
1913 if (!BN_is_zero(a)) {
1914 fprintf(stderr, "Left shift one test failed!\n");
1926 int test_rshift(BIO *bp, BN_CTX *ctx)
1928 BIGNUM *a, *b, *c, *d, *e;
1938 BN_bntest_rand(a, 200, 0, 0);
1939 a->neg = rand_neg();
1940 for (i = 0; i < num0; i++) {
1941 BN_rshift(b, a, i + 1);
1946 BIO_puts(bp, " / ");
1948 BIO_puts(bp, " - ");
1953 BN_div(d, e, a, c, ctx);
1955 if (!BN_is_zero(d)) {
1956 fprintf(stderr, "Right shift test failed!\n");
1968 int test_rshift1(BIO *bp)
1977 BN_bntest_rand(a, 200, 0, 0);
1978 a->neg = rand_neg();
1979 for (i = 0; i < num0; i++) {
1984 BIO_puts(bp, " / 2");
1985 BIO_puts(bp, " - ");
1992 if (!BN_is_zero(c) && !BN_abs_is_word(c, 1)) {
1993 fprintf(stderr, "Right shift one test failed!\n");
2006 static unsigned int neg = 0;
2007 static int sign[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
2009 return (sign[(neg++) % 8]);
projects / openssl.git / blob