1 /* crypto/bn/bntest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
64 * The Contribution is licensed pursuant to the Eric Young open source
65 * license provided above.
67 * The binary polynomial arithmetic software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
78 #include <openssl/bio.h>
79 #include <openssl/bn.h>
80 #include <openssl/rand.h>
81 #include <openssl/x509.h>
82 #include <openssl/err.h>
84 #include "../crypto/bn/bn_lcl.h"
86 static const int num0 = 100; /* number of tests */
87 static const int num1 = 50; /* additional tests for some functions */
88 static const int num2 = 5; /* number of tests for slow functions */
90 int test_add(BIO *bp);
91 int test_sub(BIO *bp);
92 int test_lshift1(BIO *bp);
93 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_);
94 int test_rshift1(BIO *bp);
95 int test_rshift(BIO *bp, BN_CTX *ctx);
96 int test_div(BIO *bp, BN_CTX *ctx);
97 int test_div_word(BIO *bp);
98 int test_div_recp(BIO *bp, BN_CTX *ctx);
99 int test_mul(BIO *bp);
100 int test_sqr(BIO *bp, BN_CTX *ctx);
101 int test_mont(BIO *bp, BN_CTX *ctx);
102 int test_mod(BIO *bp, BN_CTX *ctx);
103 int test_mod_mul(BIO *bp, BN_CTX *ctx);
104 int test_mod_exp(BIO *bp, BN_CTX *ctx);
105 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);
106 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
107 int test_exp(BIO *bp, BN_CTX *ctx);
108 int test_gf2m_add(BIO *bp);
109 int test_gf2m_mod(BIO *bp);
110 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx);
111 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx);
112 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx);
113 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx);
114 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx);
115 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx);
116 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
117 int test_kron(BIO *bp, BN_CTX *ctx);
118 int test_sqrt(BIO *bp, BN_CTX *ctx);
119 int test_small_prime(BIO *bp, BN_CTX *ctx);
120 int test_probable_prime_coprime(BIO *bp, BN_CTX *ctx);
122 static int results = 0;
124 static unsigned char lst[] =
125 "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
126 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
128 static const char rnd_seed[] =
129 "string to make the random number generator think it has entropy";
131 static void message(BIO *out, char *m)
133 fprintf(stderr, "test %s\n", m);
134 BIO_puts(out, "print \"test ");
136 BIO_puts(out, "\\n\"\n");
139 int main(int argc, char *argv[])
143 char *outfile = NULL;
147 RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
152 if (strcmp(*argv, "-results") == 0)
154 else if (strcmp(*argv, "-out") == 0) {
167 out = BIO_new(BIO_s_file());
170 if (outfile == NULL) {
171 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
173 if (!BIO_write_filename(out, outfile)) {
178 #ifdef OPENSSL_SYS_VMS
180 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
181 out = BIO_push(tmpbio, out);
186 BIO_puts(out, "obase=16\nibase=16\n");
188 message(out, "BN_add");
191 (void)BIO_flush(out);
193 message(out, "BN_sub");
196 (void)BIO_flush(out);
198 message(out, "BN_lshift1");
199 if (!test_lshift1(out))
201 (void)BIO_flush(out);
203 message(out, "BN_lshift (fixed)");
204 if (!test_lshift(out, ctx, BN_bin2bn(lst, sizeof(lst) - 1, NULL)))
206 (void)BIO_flush(out);
208 message(out, "BN_lshift");
209 if (!test_lshift(out, ctx, NULL))
211 (void)BIO_flush(out);
213 message(out, "BN_rshift1");
214 if (!test_rshift1(out))
216 (void)BIO_flush(out);
218 message(out, "BN_rshift");
219 if (!test_rshift(out, ctx))
221 (void)BIO_flush(out);
223 message(out, "BN_sqr");
224 if (!test_sqr(out, ctx))
226 (void)BIO_flush(out);
228 message(out, "BN_mul");
231 (void)BIO_flush(out);
233 message(out, "BN_div");
234 if (!test_div(out, ctx))
236 (void)BIO_flush(out);
238 message(out, "BN_div_word");
239 if (!test_div_word(out))
241 (void)BIO_flush(out);
243 message(out, "BN_div_recp");
244 if (!test_div_recp(out, ctx))
246 (void)BIO_flush(out);
248 message(out, "BN_mod");
249 if (!test_mod(out, ctx))
251 (void)BIO_flush(out);
253 message(out, "BN_mod_mul");
254 if (!test_mod_mul(out, ctx))
256 (void)BIO_flush(out);
258 message(out, "BN_mont");
259 if (!test_mont(out, ctx))
261 (void)BIO_flush(out);
263 message(out, "BN_mod_exp");
264 if (!test_mod_exp(out, ctx))
266 (void)BIO_flush(out);
268 message(out, "BN_mod_exp_mont_consttime");
269 if (!test_mod_exp_mont_consttime(out, ctx))
271 if (!test_mod_exp_mont5(out, ctx))
273 (void)BIO_flush(out);
275 message(out, "BN_exp");
276 if (!test_exp(out, ctx))
278 (void)BIO_flush(out);
280 message(out, "BN_kronecker");
281 if (!test_kron(out, ctx))
283 (void)BIO_flush(out);
285 message(out, "BN_mod_sqrt");
286 if (!test_sqrt(out, ctx))
288 (void)BIO_flush(out);
290 message(out, "Small prime generation");
291 if (!test_small_prime(out, ctx))
293 (void)BIO_flush(out);
295 #ifdef OPENSSL_SYS_WIN32
296 message(out, "Probable prime generation with coprimes disabled");
298 message(out, "Probable prime generation with coprimes");
299 if (!test_probable_prime_coprime(out, ctx))
302 (void)BIO_flush(out);
304 #ifndef OPENSSL_NO_EC2M
305 message(out, "BN_GF2m_add");
306 if (!test_gf2m_add(out))
308 (void)BIO_flush(out);
310 message(out, "BN_GF2m_mod");
311 if (!test_gf2m_mod(out))
313 (void)BIO_flush(out);
315 message(out, "BN_GF2m_mod_mul");
316 if (!test_gf2m_mod_mul(out, ctx))
318 (void)BIO_flush(out);
320 message(out, "BN_GF2m_mod_sqr");
321 if (!test_gf2m_mod_sqr(out, ctx))
323 (void)BIO_flush(out);
325 message(out, "BN_GF2m_mod_inv");
326 if (!test_gf2m_mod_inv(out, ctx))
328 (void)BIO_flush(out);
330 message(out, "BN_GF2m_mod_div");
331 if (!test_gf2m_mod_div(out, ctx))
333 (void)BIO_flush(out);
335 message(out, "BN_GF2m_mod_exp");
336 if (!test_gf2m_mod_exp(out, ctx))
338 (void)BIO_flush(out);
340 message(out, "BN_GF2m_mod_sqrt");
341 if (!test_gf2m_mod_sqrt(out, ctx))
343 (void)BIO_flush(out);
345 message(out, "BN_GF2m_mod_solve_quad");
346 if (!test_gf2m_mod_solve_quad(out, ctx))
348 (void)BIO_flush(out);
355 BIO_puts(out, "1\n"); /* make sure the Perl script fed by bc
356 * notices the failure, see test_bn in
357 * test/Makefile.ssl */
358 (void)BIO_flush(out);
359 ERR_load_crypto_strings();
360 ERR_print_errors_fp(stderr);
364 int test_add(BIO *bp)
373 BN_bntest_rand(a, 512, 0, 0);
374 for (i = 0; i < num0; i++) {
375 BN_bntest_rand(b, 450 + i, 0, 0);
393 if (!BN_is_zero(c)) {
394 fprintf(stderr, "Add test failed!\n");
404 int test_sub(BIO *bp)
413 for (i = 0; i < num0 + num1; i++) {
415 BN_bntest_rand(a, 512, 0, 0);
417 if (BN_set_bit(a, i) == 0)
421 BN_bntest_rand(b, 400 + i - num1, 0, 0);
438 if (!BN_is_zero(c)) {
439 fprintf(stderr, "Subtract test failed!\n");
449 int test_div(BIO *bp, BN_CTX *ctx)
451 BIGNUM *a, *b, *c, *d, *e;
463 if (BN_div(d, c, a, b, ctx)) {
464 fprintf(stderr, "Division by zero succeeded!\n");
468 for (i = 0; i < num0 + num1; i++) {
470 BN_bntest_rand(a, 400, 0, 0);
475 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
478 BN_div(d, c, a, b, ctx);
498 BN_mul(e, d, b, ctx);
501 if (!BN_is_zero(d)) {
502 fprintf(stderr, "Division test failed!\n");
514 static void print_word(BIO *bp, BN_ULONG w)
516 #ifdef SIXTY_FOUR_BIT
517 if (sizeof(w) > sizeof(unsigned long)) {
518 unsigned long h = (unsigned long)(w >> 32), l = (unsigned long)(w);
521 BIO_printf(bp, "%lX%08lX", h, l);
523 BIO_printf(bp, "%lX", l);
527 BIO_printf(bp, BN_HEX_FMT1, w);
530 int test_div_word(BIO *bp)
539 for (i = 0; i < num0; i++) {
541 BN_bntest_rand(a, 512, -1, 0);
542 BN_bntest_rand(b, BN_BITS2, -1, 0);
543 } while (BN_is_zero(b));
547 r = BN_div_word(b, s);
571 if (!BN_is_zero(b)) {
572 fprintf(stderr, "Division (word) test failed!\n");
581 int test_div_recp(BIO *bp, BN_CTX *ctx)
583 BIGNUM *a, *b, *c, *d, *e;
587 recp = BN_RECP_CTX_new();
594 for (i = 0; i < num0 + num1; i++) {
596 BN_bntest_rand(a, 400, 0, 0);
601 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
604 BN_RECP_CTX_set(recp, b, ctx);
605 BN_div_recp(d, c, a, recp, ctx);
625 BN_mul(e, d, b, ctx);
628 if (!BN_is_zero(d)) {
629 fprintf(stderr, "Reciprocal division test failed!\n");
630 fprintf(stderr, "a=");
631 BN_print_fp(stderr, a);
632 fprintf(stderr, "\nb=");
633 BN_print_fp(stderr, b);
634 fprintf(stderr, "\n");
643 BN_RECP_CTX_free(recp);
647 int test_mul(BIO *bp)
649 BIGNUM *a, *b, *c, *d, *e;
663 for (i = 0; i < num0 + num1; i++) {
665 BN_bntest_rand(a, 100, 0, 0);
666 BN_bntest_rand(b, 100, 0, 0);
668 BN_bntest_rand(b, i - num1, 0, 0);
671 BN_mul(c, a, b, ctx);
682 BN_div(d, e, c, a, ctx);
684 if (!BN_is_zero(d) || !BN_is_zero(e)) {
685 fprintf(stderr, "Multiplication test failed!\n");
698 int test_sqr(BIO *bp, BN_CTX *ctx)
700 BIGNUM *a, *c, *d, *e;
707 if (a == NULL || c == NULL || d == NULL || e == NULL) {
711 for (i = 0; i < num0; i++) {
712 BN_bntest_rand(a, 40 + i * 10, 0, 0);
725 BN_div(d, e, c, a, ctx);
727 if (!BN_is_zero(d) || !BN_is_zero(e)) {
728 fprintf(stderr, "Square test failed!\n");
733 /* Regression test for a BN_sqr overflow bug. */
735 "80000000000000008000000000000001"
736 "FFFFFFFFFFFFFFFE0000000000000000");
748 BN_mul(d, a, a, ctx);
750 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
751 "different results!\n");
755 /* Regression test for a BN_sqr overflow bug. */
757 "80000000000000000000000080000001"
758 "FFFFFFFE000000000000000000000000");
770 BN_mul(d, a, a, ctx);
772 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
773 "different results!\n");
785 int test_mont(BIO *bp, BN_CTX *ctx)
787 BIGNUM *a, *b, *c, *d, *A, *B;
800 mont = BN_MONT_CTX_new();
805 if (BN_MONT_CTX_set(mont, n, ctx)) {
806 fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
811 if (BN_MONT_CTX_set(mont, n, ctx)) {
812 fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
816 BN_bntest_rand(a, 100, 0, 0);
817 BN_bntest_rand(b, 100, 0, 0);
818 for (i = 0; i < num2; i++) {
819 int bits = (200 * (i + 1)) / num2;
823 BN_bntest_rand(n, bits, 0, 1);
824 BN_MONT_CTX_set(mont, n, ctx);
826 BN_nnmod(a, a, n, ctx);
827 BN_nnmod(b, b, n, ctx);
829 BN_to_montgomery(A, a, mont, ctx);
830 BN_to_montgomery(B, b, mont, ctx);
832 BN_mod_mul_montgomery(c, A, B, mont, ctx);
833 BN_from_montgomery(A, c, mont, ctx);
840 BN_print(bp, &mont->N);
846 BN_mod_mul(d, a, b, n, ctx);
848 if (!BN_is_zero(d)) {
849 fprintf(stderr, "Montgomery multiplication test failed!\n");
853 BN_MONT_CTX_free(mont);
864 int test_mod(BIO *bp, BN_CTX *ctx)
866 BIGNUM *a, *b, *c, *d, *e;
875 BN_bntest_rand(a, 1024, 0, 0);
876 for (i = 0; i < num0; i++) {
877 BN_bntest_rand(b, 450 + i * 10, 0, 0);
880 BN_mod(c, a, b, ctx);
891 BN_div(d, e, a, b, ctx);
893 if (!BN_is_zero(e)) {
894 fprintf(stderr, "Modulo test failed!\n");
906 int test_mod_mul(BIO *bp, BN_CTX *ctx)
908 BIGNUM *a, *b, *c, *d, *e;
920 if (BN_mod_mul(e, a, b, c, ctx)) {
921 fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
925 for (j = 0; j < 3; j++) {
926 BN_bntest_rand(c, 1024, 0, 0);
927 for (i = 0; i < num0; i++) {
928 BN_bntest_rand(a, 475 + i * 10, 0, 0);
929 BN_bntest_rand(b, 425 + i * 11, 0, 0);
932 if (!BN_mod_mul(e, a, b, c, ctx)) {
935 while ((l = ERR_get_error()))
936 fprintf(stderr, "ERROR:%s\n", ERR_error_string(l, NULL));
946 if ((a->neg ^ b->neg) && !BN_is_zero(e)) {
948 * If (a*b) % c is negative, c must be added in order
949 * to obtain the normalized remainder (new with
950 * OpenSSL 0.9.7, previous versions of BN_mod_mul
951 * could generate negative results)
961 BN_mul(d, a, b, ctx);
963 BN_div(a, b, d, c, ctx);
964 if (!BN_is_zero(b)) {
965 fprintf(stderr, "Modulo multiply test failed!\n");
966 ERR_print_errors_fp(stderr);
979 int test_mod_exp(BIO *bp, BN_CTX *ctx)
981 BIGNUM *a, *b, *c, *d, *e;
993 if (BN_mod_exp(d, a, b, c, ctx)) {
994 fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
998 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
999 for (i = 0; i < num2; i++) {
1000 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1001 BN_bntest_rand(b, 2 + i, 0, 0);
1003 if (!BN_mod_exp(d, a, b, c, ctx))
1009 BIO_puts(bp, " ^ ");
1011 BIO_puts(bp, " % ");
1013 BIO_puts(bp, " - ");
1018 BN_exp(e, a, b, ctx);
1020 BN_div(a, b, e, c, ctx);
1021 if (!BN_is_zero(b)) {
1022 fprintf(stderr, "Modulo exponentiation test failed!\n");
1034 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
1036 BIGNUM *a, *b, *c, *d, *e;
1048 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1049 fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
1055 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1056 fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
1061 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1062 for (i = 0; i < num2; i++) {
1063 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1064 BN_bntest_rand(b, 2 + i, 0, 0);
1066 if (!BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL))
1072 BIO_puts(bp, " ^ ");
1074 BIO_puts(bp, " % ");
1076 BIO_puts(bp, " - ");
1081 BN_exp(e, a, b, ctx);
1083 BN_div(a, b, e, c, ctx);
1084 if (!BN_is_zero(b)) {
1085 fprintf(stderr, "Modulo exponentiation test failed!\n");
1098 * Test constant-time modular exponentiation with 1024-bit inputs, which on
1099 * x86_64 cause a different code branch to be taken.
1101 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
1103 BIGNUM *a, *p, *m, *d, *e;
1111 mont = BN_MONT_CTX_new();
1113 BN_bntest_rand(m, 1024, 0, 1); /* must be odd for montgomery */
1115 BN_bntest_rand(a, 1024, 0, 0);
1117 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1119 if (!BN_is_one(d)) {
1120 fprintf(stderr, "Modular exponentiation test failed!\n");
1124 BN_bntest_rand(p, 1024, 0, 0);
1126 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1128 if (!BN_is_zero(d)) {
1129 fprintf(stderr, "Modular exponentiation test failed!\n");
1133 * Craft an input whose Montgomery representation is 1, i.e., shorter
1134 * than the modulus m, in order to test the const time precomputation
1135 * scattering/gathering.
1138 BN_MONT_CTX_set(mont, m, ctx);
1139 if (!BN_from_montgomery(e, a, mont, ctx))
1141 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1143 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1145 if (BN_cmp(a, d) != 0) {
1146 fprintf(stderr, "Modular exponentiation test failed!\n");
1149 /* Finally, some regular test vectors. */
1150 BN_bntest_rand(e, 1024, 0, 0);
1151 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1153 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1155 if (BN_cmp(a, d) != 0) {
1156 fprintf(stderr, "Modular exponentiation test failed!\n");
1159 BN_MONT_CTX_free(mont);
1168 int test_exp(BIO *bp, BN_CTX *ctx)
1170 BIGNUM *a, *b, *d, *e, *one;
1180 for (i = 0; i < num2; i++) {
1181 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1182 BN_bntest_rand(b, 2 + i, 0, 0);
1184 if (BN_exp(d, a, b, ctx) <= 0)
1190 BIO_puts(bp, " ^ ");
1192 BIO_puts(bp, " - ");
1198 for (; !BN_is_zero(b); BN_sub(b, b, one))
1199 BN_mul(e, e, a, ctx);
1201 if (!BN_is_zero(e)) {
1202 fprintf(stderr, "Exponentiation test failed!\n");
1214 #ifndef OPENSSL_NO_EC2M
1215 int test_gf2m_add(BIO *bp)
1224 for (i = 0; i < num0; i++) {
1225 BN_rand(a, 512, 0, 0);
1226 BN_copy(b, BN_value_one());
1227 a->neg = rand_neg();
1228 b->neg = rand_neg();
1229 BN_GF2m_add(c, a, b);
1230 /* Test that two added values have the correct parity. */
1231 if ((BN_is_odd(a) && BN_is_odd(c))
1232 || (!BN_is_odd(a) && !BN_is_odd(c))) {
1233 fprintf(stderr, "GF(2^m) addition test (a) failed!\n");
1236 BN_GF2m_add(c, c, c);
1237 /* Test that c + c = 0. */
1238 if (!BN_is_zero(c)) {
1239 fprintf(stderr, "GF(2^m) addition test (b) failed!\n");
1251 int test_gf2m_mod(BIO *bp)
1253 BIGNUM *a, *b[2], *c, *d, *e;
1255 int p0[] = { 163, 7, 6, 3, 0, -1 };
1256 int p1[] = { 193, 15, 0, -1 };
1265 BN_GF2m_arr2poly(p0, b[0]);
1266 BN_GF2m_arr2poly(p1, b[1]);
1268 for (i = 0; i < num0; i++) {
1269 BN_bntest_rand(a, 1024, 0, 0);
1270 for (j = 0; j < 2; j++) {
1271 BN_GF2m_mod(c, a, b[j]);
1272 BN_GF2m_add(d, a, c);
1273 BN_GF2m_mod(e, d, b[j]);
1274 /* Test that a + (a mod p) mod p == 0. */
1275 if (!BN_is_zero(e)) {
1276 fprintf(stderr, "GF(2^m) modulo test failed!\n");
1292 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx)
1294 BIGNUM *a, *b[2], *c, *d, *e, *f, *g, *h;
1296 int p0[] = { 163, 7, 6, 3, 0, -1 };
1297 int p1[] = { 193, 15, 0, -1 };
1309 BN_GF2m_arr2poly(p0, b[0]);
1310 BN_GF2m_arr2poly(p1, b[1]);
1312 for (i = 0; i < num0; i++) {
1313 BN_bntest_rand(a, 1024, 0, 0);
1314 BN_bntest_rand(c, 1024, 0, 0);
1315 BN_bntest_rand(d, 1024, 0, 0);
1316 for (j = 0; j < 2; j++) {
1317 BN_GF2m_mod_mul(e, a, c, b[j], ctx);
1318 BN_GF2m_add(f, a, d);
1319 BN_GF2m_mod_mul(g, f, c, b[j], ctx);
1320 BN_GF2m_mod_mul(h, d, c, b[j], ctx);
1321 BN_GF2m_add(f, e, g);
1322 BN_GF2m_add(f, f, h);
1323 /* Test that (a+d)*c = a*c + d*c. */
1324 if (!BN_is_zero(f)) {
1326 "GF(2^m) modular multiplication test failed!\n");
1345 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx)
1347 BIGNUM *a, *b[2], *c, *d;
1349 int p0[] = { 163, 7, 6, 3, 0, -1 };
1350 int p1[] = { 193, 15, 0, -1 };
1358 BN_GF2m_arr2poly(p0, b[0]);
1359 BN_GF2m_arr2poly(p1, b[1]);
1361 for (i = 0; i < num0; i++) {
1362 BN_bntest_rand(a, 1024, 0, 0);
1363 for (j = 0; j < 2; j++) {
1364 BN_GF2m_mod_sqr(c, a, b[j], ctx);
1366 BN_GF2m_mod_mul(d, a, d, b[j], ctx);
1367 BN_GF2m_add(d, c, d);
1368 /* Test that a*a = a^2. */
1369 if (!BN_is_zero(d)) {
1370 fprintf(stderr, "GF(2^m) modular squaring test failed!\n");
1385 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx)
1387 BIGNUM *a, *b[2], *c, *d;
1389 int p0[] = { 163, 7, 6, 3, 0, -1 };
1390 int p1[] = { 193, 15, 0, -1 };
1398 BN_GF2m_arr2poly(p0, b[0]);
1399 BN_GF2m_arr2poly(p1, b[1]);
1401 for (i = 0; i < num0; i++) {
1402 BN_bntest_rand(a, 512, 0, 0);
1403 for (j = 0; j < 2; j++) {
1404 BN_GF2m_mod_inv(c, a, b[j], ctx);
1405 BN_GF2m_mod_mul(d, a, c, b[j], ctx);
1406 /* Test that ((1/a)*a) = 1. */
1407 if (!BN_is_one(d)) {
1408 fprintf(stderr, "GF(2^m) modular inversion test failed!\n");
1423 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx)
1425 BIGNUM *a, *b[2], *c, *d, *e, *f;
1427 int p0[] = { 163, 7, 6, 3, 0, -1 };
1428 int p1[] = { 193, 15, 0, -1 };
1438 BN_GF2m_arr2poly(p0, b[0]);
1439 BN_GF2m_arr2poly(p1, b[1]);
1441 for (i = 0; i < num0; i++) {
1442 BN_bntest_rand(a, 512, 0, 0);
1443 BN_bntest_rand(c, 512, 0, 0);
1444 for (j = 0; j < 2; j++) {
1445 BN_GF2m_mod_div(d, a, c, b[j], ctx);
1446 BN_GF2m_mod_mul(e, d, c, b[j], ctx);
1447 BN_GF2m_mod_div(f, a, e, b[j], ctx);
1448 /* Test that ((a/c)*c)/a = 1. */
1449 if (!BN_is_one(f)) {
1450 fprintf(stderr, "GF(2^m) modular division test failed!\n");
1467 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx)
1469 BIGNUM *a, *b[2], *c, *d, *e, *f;
1471 int p0[] = { 163, 7, 6, 3, 0, -1 };
1472 int p1[] = { 193, 15, 0, -1 };
1482 BN_GF2m_arr2poly(p0, b[0]);
1483 BN_GF2m_arr2poly(p1, b[1]);
1485 for (i = 0; i < num0; i++) {
1486 BN_bntest_rand(a, 512, 0, 0);
1487 BN_bntest_rand(c, 512, 0, 0);
1488 BN_bntest_rand(d, 512, 0, 0);
1489 for (j = 0; j < 2; j++) {
1490 BN_GF2m_mod_exp(e, a, c, b[j], ctx);
1491 BN_GF2m_mod_exp(f, a, d, b[j], ctx);
1492 BN_GF2m_mod_mul(e, e, f, b[j], ctx);
1494 BN_GF2m_mod_exp(f, a, f, b[j], ctx);
1495 BN_GF2m_add(f, e, f);
1496 /* Test that a^(c+d)=a^c*a^d. */
1497 if (!BN_is_zero(f)) {
1499 "GF(2^m) modular exponentiation test failed!\n");
1516 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx)
1518 BIGNUM *a, *b[2], *c, *d, *e, *f;
1520 int p0[] = { 163, 7, 6, 3, 0, -1 };
1521 int p1[] = { 193, 15, 0, -1 };
1531 BN_GF2m_arr2poly(p0, b[0]);
1532 BN_GF2m_arr2poly(p1, b[1]);
1534 for (i = 0; i < num0; i++) {
1535 BN_bntest_rand(a, 512, 0, 0);
1536 for (j = 0; j < 2; j++) {
1537 BN_GF2m_mod(c, a, b[j]);
1538 BN_GF2m_mod_sqrt(d, a, b[j], ctx);
1539 BN_GF2m_mod_sqr(e, d, b[j], ctx);
1540 BN_GF2m_add(f, c, e);
1541 /* Test that d^2 = a, where d = sqrt(a). */
1542 if (!BN_is_zero(f)) {
1543 fprintf(stderr, "GF(2^m) modular square root test failed!\n");
1560 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx)
1562 BIGNUM *a, *b[2], *c, *d, *e;
1563 int i, j, s = 0, t, ret = 0;
1564 int p0[] = { 163, 7, 6, 3, 0, -1 };
1565 int p1[] = { 193, 15, 0, -1 };
1574 BN_GF2m_arr2poly(p0, b[0]);
1575 BN_GF2m_arr2poly(p1, b[1]);
1577 for (i = 0; i < num0; i++) {
1578 BN_bntest_rand(a, 512, 0, 0);
1579 for (j = 0; j < 2; j++) {
1580 t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
1583 BN_GF2m_mod_sqr(d, c, b[j], ctx);
1584 BN_GF2m_add(d, c, d);
1585 BN_GF2m_mod(e, a, b[j]);
1586 BN_GF2m_add(e, e, d);
1588 * Test that solution of quadratic c satisfies c^2 + c = a.
1590 if (!BN_is_zero(e)) {
1592 "GF(2^m) modular solve quadratic test failed!\n");
1601 "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n",
1604 "this is very unlikely and probably indicates an error.\n");
1618 static int genprime_cb(int p, int n, BN_GENCB *arg)
1635 int test_kron(BIO *bp, BN_CTX *ctx)
1638 BIGNUM *a, *b, *r, *t;
1640 int legendre, kronecker;
1647 if (a == NULL || b == NULL || r == NULL || t == NULL)
1650 BN_GENCB_set(&cb, genprime_cb, NULL);
1653 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1654 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1655 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1656 * generate a random prime b and compare these values for a number of
1657 * random a's. (That is, we run the Solovay-Strassen primality test to
1658 * confirm that b is prime, except that we don't want to test whether b
1659 * is prime but whether BN_kronecker works.)
1662 if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb))
1664 b->neg = rand_neg();
1667 for (i = 0; i < num0; i++) {
1668 if (!BN_bntest_rand(a, 512, 0, 0))
1670 a->neg = rand_neg();
1672 /* t := (|b|-1)/2 (note that b is odd) */
1676 if (!BN_sub_word(t, 1))
1678 if (!BN_rshift1(t, t))
1680 /* r := a^t mod b */
1683 if (!BN_mod_exp_recp(r, a, t, b, ctx))
1687 if (BN_is_word(r, 1))
1689 else if (BN_is_zero(r))
1692 if (!BN_add_word(r, 1))
1694 if (0 != BN_ucmp(r, b)) {
1695 fprintf(stderr, "Legendre symbol computation failed\n");
1701 kronecker = BN_kronecker(a, b, ctx);
1704 /* we actually need BN_kronecker(a, |b|) */
1705 if (a->neg && b->neg)
1706 kronecker = -kronecker;
1708 if (legendre != kronecker) {
1709 fprintf(stderr, "legendre != kronecker; a = ");
1710 BN_print_fp(stderr, a);
1711 fprintf(stderr, ", b = ");
1712 BN_print_fp(stderr, b);
1713 fprintf(stderr, "\n");
1732 int test_sqrt(BIO *bp, BN_CTX *ctx)
1742 if (a == NULL || p == NULL || r == NULL)
1745 BN_GENCB_set(&cb, genprime_cb, NULL);
1747 for (i = 0; i < 16; i++) {
1749 unsigned primes[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1751 if (!BN_set_word(p, primes[i]))
1754 if (!BN_set_word(a, 32))
1756 if (!BN_set_word(r, 2 * i + 1))
1759 if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb))
1763 p->neg = rand_neg();
1765 for (j = 0; j < num2; j++) {
1767 * construct 'a' such that it is a square modulo p, but in
1768 * general not a proper square and not reduced modulo p
1770 if (!BN_bntest_rand(r, 256, 0, 3))
1772 if (!BN_nnmod(r, r, p, ctx))
1774 if (!BN_mod_sqr(r, r, p, ctx))
1776 if (!BN_bntest_rand(a, 256, 0, 3))
1778 if (!BN_nnmod(a, a, p, ctx))
1780 if (!BN_mod_sqr(a, a, p, ctx))
1782 if (!BN_mul(a, a, r, ctx))
1785 if (!BN_sub(a, a, p))
1788 if (!BN_mod_sqrt(r, a, p, ctx))
1790 if (!BN_mod_sqr(r, r, p, ctx))
1793 if (!BN_nnmod(a, a, p, ctx))
1796 if (BN_cmp(a, r) != 0) {
1797 fprintf(stderr, "BN_mod_sqrt failed: a = ");
1798 BN_print_fp(stderr, a);
1799 fprintf(stderr, ", r = ");
1800 BN_print_fp(stderr, r);
1801 fprintf(stderr, ", p = ");
1802 BN_print_fp(stderr, p);
1803 fprintf(stderr, "\n");
1822 int test_small_prime(BIO *bp, BN_CTX *ctx)
1824 static const int bits = 10;
1829 if (!BN_generate_prime_ex(r, bits, 0, NULL, NULL, NULL))
1831 if (BN_num_bits(r) != bits) {
1832 BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits,
1844 #ifndef OPENSSL_SYS_WIN32
1845 int test_probable_prime_coprime(BIO *bp, BN_CTX *ctx)
1849 BN_ULONG primes[5] = { 2, 3, 5, 7, 11 };
1853 for (i = 0; i < 1000; i++) {
1854 if (!bn_probable_prime_dh_coprime(r, 1024, ctx))
1857 for (j = 0; j < 5; j++) {
1858 if (BN_mod_word(r, primes[j]) == 0) {
1859 BIO_printf(bp, "Number generated is not coprime to "
1860 BN_DEC_FMT1 ":\n", primes[j]);
1861 BN_print_fp(stdout, r);
1862 BIO_printf(bp, "\n");
1875 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_)
1877 BIGNUM *a, *b, *c, *d;
1889 BN_bntest_rand(a, 200, 0, 0);
1890 a->neg = rand_neg();
1892 for (i = 0; i < num0; i++) {
1893 BN_lshift(b, a, i + 1);
1898 BIO_puts(bp, " * ");
1900 BIO_puts(bp, " - ");
1905 BN_mul(d, a, c, ctx);
1907 if (!BN_is_zero(d)) {
1908 fprintf(stderr, "Left shift test failed!\n");
1909 fprintf(stderr, "a=");
1910 BN_print_fp(stderr, a);
1911 fprintf(stderr, "\nb=");
1912 BN_print_fp(stderr, b);
1913 fprintf(stderr, "\nc=");
1914 BN_print_fp(stderr, c);
1915 fprintf(stderr, "\nd=");
1916 BN_print_fp(stderr, d);
1917 fprintf(stderr, "\n");
1928 int test_lshift1(BIO *bp)
1937 BN_bntest_rand(a, 200, 0, 0);
1938 a->neg = rand_neg();
1939 for (i = 0; i < num0; i++) {
1944 BIO_puts(bp, " * 2");
1945 BIO_puts(bp, " - ");
1952 if (!BN_is_zero(a)) {
1953 fprintf(stderr, "Left shift one test failed!\n");
1965 int test_rshift(BIO *bp, BN_CTX *ctx)
1967 BIGNUM *a, *b, *c, *d, *e;
1977 BN_bntest_rand(a, 200, 0, 0);
1978 a->neg = rand_neg();
1979 for (i = 0; i < num0; i++) {
1980 BN_rshift(b, a, i + 1);
1985 BIO_puts(bp, " / ");
1987 BIO_puts(bp, " - ");
1992 BN_div(d, e, a, c, ctx);
1994 if (!BN_is_zero(d)) {
1995 fprintf(stderr, "Right shift test failed!\n");
2007 int test_rshift1(BIO *bp)
2016 BN_bntest_rand(a, 200, 0, 0);
2017 a->neg = rand_neg();
2018 for (i = 0; i < num0; i++) {
2023 BIO_puts(bp, " / 2");
2024 BIO_puts(bp, " - ");
2031 if (!BN_is_zero(c) && !BN_abs_is_word(c, 1)) {
2032 fprintf(stderr, "Right shift one test failed!\n");
2045 static unsigned int neg = 0;
2046 static int sign[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
2048 return (sign[(neg++) % 8]);
projects / openssl.git / blob