X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fbn%2Fbntest.c;h=d22c2d43d645c8397f5658e248a3b42f40469ae5;hp=d96d70691c89f65af8cca2475c90dcd250d5b2f7;hb=02450ec69dda7815ba1e7bd74eb30f0ae1eb3042;hpb=db88223baa2091f72774c700825275dcec34f329

diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index d96d70691c..d22c2d43d6 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -55,12 +55,31 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the Eric Young open source
+ * license provided above.
+ *
+ * The binary polynomial arithmetic software is originally written by 
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+
+/* Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code */
+#ifdef OPENSSL_NO_DEPRECATED
+#undef OPENSSL_NO_DEPRECATED
+#endif
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
-#include "openssl/e_os.h"
+#include "e_os.h"
 
 #include <openssl/bio.h>
 #include <openssl/bn.h>
@@ -68,10 +87,6 @@
 #include <openssl/x509.h>
 #include <openssl/err.h>
 
-#ifdef WINDOWS
-#include "../bio/bss_file.c"
-#endif
-
 const int num0 = 100; /* number of tests */
 const int num1 = 50;  /* additional tests for some functions */
 const int num2 = 5;   /* number of tests for slow functions */
@@ -83,6 +98,7 @@ int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_);
 int test_rshift1(BIO *bp);
 int test_rshift(BIO *bp,BN_CTX *ctx);
 int test_div(BIO *bp,BN_CTX *ctx);
+int test_div_word(BIO *bp);
 int test_div_recp(BIO *bp,BN_CTX *ctx);
 int test_mul(BIO *bp);
 int test_sqr(BIO *bp,BN_CTX *ctx);
@@ -90,17 +106,24 @@ int test_mont(BIO *bp,BN_CTX *ctx);
 int test_mod(BIO *bp,BN_CTX *ctx);
 int test_mod_mul(BIO *bp,BN_CTX *ctx);
 int test_mod_exp(BIO *bp,BN_CTX *ctx);
+int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);
+int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
 int test_exp(BIO *bp,BN_CTX *ctx);
+int test_gf2m_add(BIO *bp);
+int test_gf2m_mod(BIO *bp);
+int test_gf2m_mod_mul(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_sqr(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_inv(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_div(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_exp(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_sqrt(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_solve_quad(BIO *bp,BN_CTX *ctx);
 int test_kron(BIO *bp,BN_CTX *ctx);
 int test_sqrt(BIO *bp,BN_CTX *ctx);
+int test_small_prime(BIO *bp,BN_CTX *ctx);
 int rand_neg(void);
 static int results=0;
 
-#ifdef NO_STDIO
-#define APPS_WIN16
-#include "bss_file.c"
-#endif
-
 static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
 
@@ -109,11 +132,9 @@ static const char rnd_seed[] = "string to make the random number generator think
 static void message(BIO *out, char *m)
 	{
 	fprintf(stderr, "test %s\n", m);
-#if defined(linux) || defined(__FreeBSD__) /* can we use GNU bc features? */
 	BIO_puts(out, "print \"test ");
 	BIO_puts(out, m);
 	BIO_puts(out, "\\n\"\n");
-#endif
 	}
 
 int main(int argc, char *argv[])
@@ -143,10 +164,10 @@ int main(int argc, char *argv[])
 
 
 	ctx=BN_CTX_new();
-	if (ctx == NULL) exit(1);
+	if (ctx == NULL) EXIT(1);
 
 	out=BIO_new(BIO_s_file());
-	if (out == NULL) exit(1);
+	if (out == NULL) EXIT(1);
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
@@ -156,7 +177,7 @@ int main(int argc, char *argv[])
 		if (!BIO_write_filename(out,outfile))
 			{
 			perror(outfile);
-			exit(1);
+			EXIT(1);
 			}
 		}
 
@@ -165,89 +186,139 @@ int main(int argc, char *argv[])
 
 	message(out,"BN_add");
 	if (!test_add(out)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_sub");
 	if (!test_sub(out)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_lshift1");
 	if (!test_lshift1(out)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_lshift (fixed)");
 	if (!test_lshift(out,ctx,BN_bin2bn(lst,sizeof(lst)-1,NULL)))
 	    goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_lshift");
 	if (!test_lshift(out,ctx,NULL)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_rshift1");
 	if (!test_rshift1(out)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_rshift");
 	if (!test_rshift(out,ctx)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_sqr");
 	if (!test_sqr(out,ctx)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_mul");
 	if (!test_mul(out)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_div");
 	if (!test_div(out,ctx)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
+
+	message(out,"BN_div_word");
+	if (!test_div_word(out)) goto err;
+	(void)BIO_flush(out);
 
 	message(out,"BN_div_recp");
 	if (!test_div_recp(out,ctx)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_mod");
 	if (!test_mod(out,ctx)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_mod_mul");
 	if (!test_mod_mul(out,ctx)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_mont");
 	if (!test_mont(out,ctx)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_mod_exp");
 	if (!test_mod_exp(out,ctx)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
+
+	message(out,"BN_mod_exp_mont_consttime");
+	if (!test_mod_exp_mont_consttime(out,ctx)) goto err;
+	if (!test_mod_exp_mont5(out,ctx)) goto err;
+	(void)BIO_flush(out);
 
 	message(out,"BN_exp");
 	if (!test_exp(out,ctx)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_kronecker");
 	if (!test_kron(out,ctx)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
 	message(out,"BN_mod_sqrt");
 	if (!test_sqrt(out,ctx)) goto err;
-	BIO_flush(out);
+	(void)BIO_flush(out);
 
+	message(out,"Small prime generation");
+	if (!test_small_prime(out,ctx)) goto err;
+	(void)BIO_flush(out);
+
+#ifndef OPENSSL_NO_EC2M
+	message(out,"BN_GF2m_add");
+	if (!test_gf2m_add(out)) goto err;
+	(void)BIO_flush(out);
+
+	message(out,"BN_GF2m_mod");
+	if (!test_gf2m_mod(out)) goto err;
+	(void)BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_mul");
+	if (!test_gf2m_mod_mul(out,ctx)) goto err;
+	(void)BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_sqr");
+	if (!test_gf2m_mod_sqr(out,ctx)) goto err;
+	(void)BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_inv");
+	if (!test_gf2m_mod_inv(out,ctx)) goto err;
+	(void)BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_div");
+	if (!test_gf2m_mod_div(out,ctx)) goto err;
+	(void)BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_exp");
+	if (!test_gf2m_mod_exp(out,ctx)) goto err;
+	(void)BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_sqrt");
+	if (!test_gf2m_mod_sqrt(out,ctx)) goto err;
+	(void)BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_solve_quad");
+	if (!test_gf2m_mod_solve_quad(out,ctx)) goto err;
+	(void)BIO_flush(out);
+#endif
 	BN_CTX_free(ctx);
 	BIO_free(out);
 
 /**/
-	exit(0);
+	EXIT(0);
 err:
 	BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
 	                      * the failure, see test_bn in test/Makefile.ssl*/
-	BIO_flush(out);
+	(void)BIO_flush(out);
 	ERR_load_crypto_strings();
 	ERR_print_errors_fp(stderr);
-	exit(1);
+	EXIT(1);
 	return(1);
 	}
 
@@ -255,7 +326,6 @@ int test_add(BIO *bp)
 	{
 	BIGNUM a,b,c;
 	int i;
-	int j;
 
 	BN_init(&a);
 	BN_init(&b);
@@ -300,7 +370,6 @@ int test_sub(BIO *bp)
 	{
 	BIGNUM a,b,c;
 	int i;
-	int j;
 
 	BN_init(&a);
 	BN_init(&b);
@@ -352,7 +421,6 @@ int test_div(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM a,b,c,d,e;
 	int i;
-	int j;
 
 	BN_init(&a);
 	BN_init(&b);
@@ -413,12 +481,83 @@ int test_div(BIO *bp, BN_CTX *ctx)
 	return(1);
 	}
 
+static void print_word(BIO *bp,BN_ULONG w)
+	{
+#ifdef SIXTY_FOUR_BIT
+	if (sizeof(w) > sizeof(unsigned long))
+		{
+		unsigned long	h=(unsigned long)(w>>32),
+				l=(unsigned long)(w);
+
+		if (h)	BIO_printf(bp,"%lX%08lX",h,l);
+		else	BIO_printf(bp,"%lX",l);
+		return;
+		}
+#endif
+	BIO_printf(bp,BN_HEX_FMT1,w);
+	}
+
+int test_div_word(BIO *bp)
+	{
+	BIGNUM   a,b;
+	BN_ULONG r,s;
+	int i;
+
+	BN_init(&a);
+	BN_init(&b);
+
+	for (i=0; i<num0; i++)
+		{
+		do {
+			BN_bntest_rand(&a,512,-1,0);
+			BN_bntest_rand(&b,BN_BITS2,-1,0);
+			s = b.d[0];
+		} while (!s);
+
+		BN_copy(&b, &a);
+		r = BN_div_word(&b, s);
+
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," / ");
+				print_word(bp,s);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,&b);
+			BIO_puts(bp,"\n");
+
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," % ");
+				print_word(bp,s);
+				BIO_puts(bp," - ");
+				}
+			print_word(bp,r);
+			BIO_puts(bp,"\n");
+			}
+		BN_mul_word(&b,s);
+		BN_add_word(&b,r);
+		BN_sub(&b,&a,&b);
+		if(!BN_is_zero(&b))
+		    {
+		    fprintf(stderr,"Division (word) test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(&a);
+	BN_free(&b);
+	return(1);
+	}
+
 int test_div_recp(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM a,b,c,d,e;
 	BN_RECP_CTX recp;
 	int i;
-	int j;
 
 	BN_RECP_CTX_init(&recp);
 	BN_init(&a);
@@ -491,10 +630,11 @@ int test_mul(BIO *bp)
 	{
 	BIGNUM a,b,c,d,e;
 	int i;
-	int j;
-	BN_CTX ctx;
+	BN_CTX *ctx;
 
-	BN_CTX_init(&ctx);
+	ctx = BN_CTX_new();
+	if (ctx == NULL) EXIT(1);
+	
 	BN_init(&a);
 	BN_init(&b);
 	BN_init(&c);
@@ -512,7 +652,7 @@ int test_mul(BIO *bp)
 			BN_bntest_rand(&b,i-num1,0,0);
 		a.neg=rand_neg();
 		b.neg=rand_neg();
-		BN_mul(&c,&a,&b,&ctx);
+		BN_mul(&c,&a,&b,ctx);
 		if (bp != NULL)
 			{
 			if (!results)
@@ -525,7 +665,7 @@ int test_mul(BIO *bp)
 			BN_print(bp,&c);
 			BIO_puts(bp,"\n");
 			}
-		BN_div(&d,&e,&c,&a,&ctx);
+		BN_div(&d,&e,&c,&a,ctx);
 		BN_sub(&d,&d,&b);
 		if(!BN_is_zero(&d) || !BN_is_zero(&e))
 		    {
@@ -538,7 +678,7 @@ int test_mul(BIO *bp)
 	BN_free(&c);
 	BN_free(&d);
 	BN_free(&e);
-	BN_CTX_free(&ctx);
+	BN_CTX_free(ctx);
 	return(1);
 	}
 
@@ -546,7 +686,6 @@ int test_sqr(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM a,c,d,e;
 	int i;
-	int j;
 
 	BN_init(&a);
 	BN_init(&c);
@@ -590,7 +729,6 @@ int test_mont(BIO *bp, BN_CTX *ctx)
 	BIGNUM a,b,c,d,A,B;
 	BIGNUM n;
 	int i;
-	int j;
 	BN_MONT_CTX *mont;
 
 	BN_init(&a);
@@ -602,6 +740,8 @@ int test_mont(BIO *bp, BN_CTX *ctx)
 	BN_init(&n);
 
 	mont=BN_MONT_CTX_new();
+	if (mont == NULL)
+		return 0;
 
 	BN_bntest_rand(&a,100,0,0); /**/
 	BN_bntest_rand(&b,100,0,0); /**/
@@ -665,7 +805,6 @@ int test_mod(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM *a,*b,*c,*d,*e;
 	int i;
-	int j;
 
 	a=BN_new();
 	b=BN_new();
@@ -711,7 +850,7 @@ int test_mod(BIO *bp, BN_CTX *ctx)
 int test_mod_mul(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM *a,*b,*c,*d,*e;
-	int i;
+	int i,j;
 
 	a=BN_new();
 	b=BN_new();
@@ -719,6 +858,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
 	d=BN_new();
 	e=BN_new();
 
+	for (j=0; j<3; j++) {
 	BN_bntest_rand(c,1024,0,0); /**/
 	for (i=0; i<num0; i++)
 		{
@@ -733,7 +873,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
 			while ((l=ERR_get_error()))
 				fprintf(stderr,"ERROR:%s\n",
 					ERR_error_string(l,NULL));
-			exit(1);
+			EXIT(1);
 			}
 		if (bp != NULL)
 			{
@@ -769,6 +909,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
 		    return 0;
 		    }
 		}
+	}
 	BN_free(a);
 	BN_free(b);
 	BN_free(c);
@@ -795,6 +936,57 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
 		BN_bntest_rand(b,2+i,0,0); /**/
 
 		if (!BN_mod_exp(d,a,b,c,ctx))
+			return(0);
+
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," ^ ");
+				BN_print(bp,b);
+				BIO_puts(bp," % ");
+				BN_print(bp,c);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,d);
+			BIO_puts(bp,"\n");
+			}
+		BN_exp(e,a,b,ctx);
+		BN_sub(e,e,d);
+		BN_div(a,b,e,c,ctx);
+		if(!BN_is_zero(b))
+		    {
+		    fprintf(stderr,"Modulo exponentiation test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
+int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*b,*c,*d,*e;
+	int i;
+
+	a=BN_new();
+	b=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
+	for (i=0; i<num2; i++)
+		{
+		BN_bntest_rand(a,20+i*5,0,0); /**/
+		BN_bntest_rand(b,2+i,0,0); /**/
+
+		if (!BN_mod_exp_mont_consttime(d,a,b,c,ctx,NULL))
 			return(00);
 
 		if (bp != NULL)
@@ -828,6 +1020,80 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
 	return(1);
 	}
 
+/* Test constant-time modular exponentiation with 1024-bit inputs,
+ * which on x86_64 cause a different code branch to be taken.
+ */
+int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*p,*m,*d,*e;
+
+	BN_MONT_CTX *mont;
+
+	a=BN_new();
+	p=BN_new();
+	m=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	mont = BN_MONT_CTX_new();
+
+	BN_bntest_rand(m,1024,0,1); /* must be odd for montgomery */
+	/* Zero exponent */
+	BN_bntest_rand(a,1024,0,0);
+	BN_zero(p);
+	if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
+		return 0;
+	if(!BN_is_one(d))
+		{
+		fprintf(stderr, "Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Zero input */
+	BN_bntest_rand(p,1024,0,0);
+	BN_zero(a);
+	if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
+		return 0;
+	if(!BN_is_zero(d))
+		{
+		fprintf(stderr, "Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Craft an input whose Montgomery representation is 1,
+	 * i.e., shorter than the modulus m, in order to test
+	 * the const time precomputation scattering/gathering.
+	 */
+	BN_one(a);
+	BN_MONT_CTX_set(mont,m,ctx);
+	if(!BN_from_montgomery(e,a,mont,ctx))
+		return 0;
+	if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
+		return 0;
+	if(!BN_mod_exp_simple(a,e,p,m,ctx))
+		return 0;
+	if(BN_cmp(a,d) != 0)
+		{
+		fprintf(stderr,"Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Finally, some regular test vectors. */
+	BN_bntest_rand(e,1024,0,0);
+	if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
+		return 0;
+	if(!BN_mod_exp_simple(a,e,p,m,ctx))
+		return 0;
+	if(BN_cmp(a,d) != 0)
+		{
+		fprintf(stderr,"Modular exponentiation test failed!\n");
+		return 0;
+		}
+	BN_free(a);
+	BN_free(p);
+	BN_free(m);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
 int test_exp(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM *a,*b,*d,*e,*one;
@@ -845,8 +1111,8 @@ int test_exp(BIO *bp, BN_CTX *ctx)
 		BN_bntest_rand(a,20+i*5,0,0); /**/
 		BN_bntest_rand(b,2+i,0,0); /**/
 
-		if (!BN_exp(d,a,b,ctx))
-			return(00);
+		if (BN_exp(d,a,b,ctx) <= 0)
+			return(0);
 
 		if (bp != NULL)
 			{
@@ -877,8 +1143,583 @@ int test_exp(BIO *bp, BN_CTX *ctx)
 	BN_free(one);
 	return(1);
 	}
+#ifndef OPENSSL_NO_EC2M
+int test_gf2m_add(BIO *bp)
+	{
+	BIGNUM a,b,c;
+	int i, ret = 0;
+
+	BN_init(&a);
+	BN_init(&b);
+	BN_init(&c);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_rand(&a,512,0,0);
+		BN_copy(&b, BN_value_one());
+		a.neg=rand_neg();
+		b.neg=rand_neg();
+		BN_GF2m_add(&c,&a,&b);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," ^ ");
+				BN_print(bp,&b);
+				BIO_puts(bp," = ");
+				}
+			BN_print(bp,&c);
+			BIO_puts(bp,"\n");
+			}
+#endif
+		/* Test that two added values have the correct parity. */
+		if((BN_is_odd(&a) && BN_is_odd(&c)) || (!BN_is_odd(&a) && !BN_is_odd(&c)))
+			{
+		    fprintf(stderr,"GF(2^m) addition test (a) failed!\n");
+			goto err;
+			}
+		BN_GF2m_add(&c,&c,&c);
+		/* Test that c + c = 0. */
+		if(!BN_is_zero(&c))
+		    {
+		    fprintf(stderr,"GF(2^m) addition test (b) failed!\n");
+			goto err;
+		    }
+		}
+	ret = 1;
+  err:
+	BN_free(&a);
+	BN_free(&b);
+	BN_free(&c);
+	return ret;
+	}
+
+int test_gf2m_mod(BIO *bp)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e;
+	int i, j, ret = 0;
+	int p0[] = {163,7,6,3,0,-1};
+	int p1[] = {193,15,0,-1};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 1024, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod(c, a, b[j]);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp," % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp," - ");
+					BN_print(bp,c);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			BN_GF2m_add(d, a, c);
+			BN_GF2m_mod(e, d, b[j]);
+			/* Test that a + (a mod p) mod p == 0. */
+			if(!BN_is_zero(e))
+				{
+				fprintf(stderr,"GF(2^m) modulo test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return ret;
+	}
+
+int test_gf2m_mod_mul(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e,*f,*g,*h;
+	int i, j, ret = 0;
+	int p0[] = {163,7,6,3,0,-1};
+	int p1[] = {193,15,0,-1};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+	f=BN_new();
+	g=BN_new();
+	h=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 1024, 0, 0);
+		BN_bntest_rand(c, 1024, 0, 0);
+		BN_bntest_rand(d, 1024, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod_mul(e, a, c, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp," * ");
+					BN_print(bp,c);
+					BIO_puts(bp," % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp," - ");
+					BN_print(bp,e);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			BN_GF2m_add(f, a, d);
+			BN_GF2m_mod_mul(g, f, c, b[j], ctx);
+			BN_GF2m_mod_mul(h, d, c, b[j], ctx);
+			BN_GF2m_add(f, e, g);
+			BN_GF2m_add(f, f, h);
+			/* Test that (a+d)*c = a*c + d*c. */
+			if(!BN_is_zero(f))
+				{
+				fprintf(stderr,"GF(2^m) modular multiplication test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	BN_free(f);
+	BN_free(g);
+	BN_free(h);
+	return ret;
+	}
+
+int test_gf2m_mod_sqr(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d;
+	int i, j, ret = 0;
+	int p0[] = {163,7,6,3,0,-1};
+	int p1[] = {193,15,0,-1};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 1024, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod_sqr(c, a, b[j], ctx);
+			BN_copy(d, a);
+			BN_GF2m_mod_mul(d, a, d, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp," ^ 2 % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp, " = ");
+					BN_print(bp,c);
+					BIO_puts(bp,"; a * a = ");
+					BN_print(bp,d);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			BN_GF2m_add(d, c, d);
+			/* Test that a*a = a^2. */
+			if(!BN_is_zero(d))
+				{
+				fprintf(stderr,"GF(2^m) modular squaring test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	return ret;
+	}
 
-static void genprime_cb(int p, int n, void *arg)
+int test_gf2m_mod_inv(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d;
+	int i, j, ret = 0;
+	int p0[] = {163,7,6,3,0,-1};
+	int p1[] = {193,15,0,-1};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 512, 0, 0); 
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod_inv(c, a, b[j], ctx);
+			BN_GF2m_mod_mul(d, a, c, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp, " * ");
+					BN_print(bp,c);
+					BIO_puts(bp," - 1 % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			/* Test that ((1/a)*a) = 1. */
+			if(!BN_is_one(d))
+				{
+				fprintf(stderr,"GF(2^m) modular inversion test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	return ret;
+	}
+
+int test_gf2m_mod_div(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e,*f;
+	int i, j, ret = 0;
+	int p0[] = {163,7,6,3,0,-1};
+	int p1[] = {193,15,0,-1};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+	f=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 512, 0, 0); 
+		BN_bntest_rand(c, 512, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod_div(d, a, c, b[j], ctx);
+			BN_GF2m_mod_mul(e, d, c, b[j], ctx);
+			BN_GF2m_mod_div(f, a, e, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp, " = ");
+					BN_print(bp,c);
+					BIO_puts(bp," * ");
+					BN_print(bp,d);
+					BIO_puts(bp, " % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			/* Test that ((a/c)*c)/a = 1. */
+			if(!BN_is_one(f))
+				{
+				fprintf(stderr,"GF(2^m) modular division test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	BN_free(f);
+	return ret;
+	}
+
+int test_gf2m_mod_exp(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e,*f;
+	int i, j, ret = 0;
+	int p0[] = {163,7,6,3,0,-1};
+	int p1[] = {193,15,0,-1};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+	f=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 512, 0, 0);
+		BN_bntest_rand(c, 512, 0, 0);
+		BN_bntest_rand(d, 512, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod_exp(e, a, c, b[j], ctx);
+			BN_GF2m_mod_exp(f, a, d, b[j], ctx);
+			BN_GF2m_mod_mul(e, e, f, b[j], ctx);
+			BN_add(f, c, d);
+			BN_GF2m_mod_exp(f, a, f, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp, " ^ (");
+					BN_print(bp,c);
+					BIO_puts(bp," + ");
+					BN_print(bp,d);
+					BIO_puts(bp, ") = ");
+					BN_print(bp,e);
+					BIO_puts(bp, "; - ");
+					BN_print(bp,f);
+					BIO_puts(bp, " % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			BN_GF2m_add(f, e, f);
+			/* Test that a^(c+d)=a^c*a^d. */
+			if(!BN_is_zero(f))
+				{
+				fprintf(stderr,"GF(2^m) modular exponentiation test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	BN_free(f);
+	return ret;
+	}
+
+int test_gf2m_mod_sqrt(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e,*f;
+	int i, j, ret = 0;
+	int p0[] = {163,7,6,3,0,-1};
+	int p1[] = {193,15,0,-1};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+	f=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 512, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod(c, a, b[j]);
+			BN_GF2m_mod_sqrt(d, a, b[j], ctx);
+			BN_GF2m_mod_sqr(e, d, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,d);
+					BIO_puts(bp, " ^ 2 - ");
+					BN_print(bp,a);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			BN_GF2m_add(f, c, e);
+			/* Test that d^2 = a, where d = sqrt(a). */
+			if(!BN_is_zero(f))
+				{
+				fprintf(stderr,"GF(2^m) modular square root test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	BN_free(f);
+	return ret;
+	}
+
+int test_gf2m_mod_solve_quad(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e;
+	int i, j, s = 0, t, ret = 0;
+	int p0[] = {163,7,6,3,0,-1};
+	int p1[] = {193,15,0,-1};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 512, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
+			if (t)
+				{
+				s++;
+				BN_GF2m_mod_sqr(d, c, b[j], ctx);
+				BN_GF2m_add(d, c, d);
+				BN_GF2m_mod(e, a, b[j]);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+				if (bp != NULL)
+					{
+					if (!results)
+						{
+						BN_print(bp,c);
+						BIO_puts(bp, " is root of z^2 + z = ");
+						BN_print(bp,a);
+						BIO_puts(bp, " % ");
+						BN_print(bp,b[j]);
+						BIO_puts(bp, "\n");
+						}
+					}
+#endif
+				BN_GF2m_add(e, e, d);
+				/* Test that solution of quadratic c satisfies c^2 + c = a. */
+				if(!BN_is_zero(e))
+					{
+					fprintf(stderr,"GF(2^m) modular solve quadratic test failed!\n");
+					goto err;
+					}
+
+				}
+			else 
+				{
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+				if (bp != NULL)
+					{
+					if (!results)
+						{
+						BIO_puts(bp, "There are no roots of z^2 + z = ");
+						BN_print(bp,a);
+						BIO_puts(bp, " % ");
+						BN_print(bp,b[j]);
+						BIO_puts(bp, "\n");
+						}
+					}
+#endif
+				}
+			}
+		}
+	if (s == 0)
+		{	
+		fprintf(stderr,"All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n", num0);
+		fprintf(stderr,"this is very unlikely and probably indicates an error.\n");
+		goto err;
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return ret;
+	}
+#endif
+static int genprime_cb(int p, int n, BN_GENCB *arg)
 	{
 	char c='*';
 
@@ -888,12 +1729,12 @@ static void genprime_cb(int p, int n, void *arg)
 	if (p == 3) c='\n';
 	putc(c, stderr);
 	fflush(stderr);
-	(void)n;
-	(void)arg;
+	return 1;
 	}
 
 int test_kron(BIO *bp, BN_CTX *ctx)
 	{
+	BN_GENCB cb;
 	BIGNUM *a,*b,*r,*t;
 	int i;
 	int legendre, kronecker;
@@ -904,6 +1745,8 @@ int test_kron(BIO *bp, BN_CTX *ctx)
 	r = BN_new();
 	t = BN_new();
 	if (a == NULL || b == NULL || r == NULL || t == NULL) goto err;
+
+	BN_GENCB_set(&cb, genprime_cb, NULL);
 	
 	/* We test BN_kronecker(a, b, ctx) just for  b  odd (Jacobi symbol).
 	 * In this case we know that if  b  is prime, then BN_kronecker(a, b, ctx)
@@ -914,7 +1757,8 @@ int test_kron(BIO *bp, BN_CTX *ctx)
 	 * don't want to test whether  b  is prime but whether BN_kronecker
 	 * works.) */
 
-	if (!BN_generate_prime(b, 512, 0, NULL, NULL, genprime_cb, NULL)) goto err;
+	if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb)) goto err;
+	b->neg = rand_neg();
 	putc('\n', stderr);
 
 	for (i = 0; i < num0; i++)
@@ -922,12 +1766,16 @@ int test_kron(BIO *bp, BN_CTX *ctx)
 		if (!BN_bntest_rand(a, 512, 0, 0)) goto err;
 		a->neg = rand_neg();
 
-		/* t := (b-1)/2  (note that b is odd) */
+		/* t := (|b|-1)/2  (note that b is odd) */
 		if (!BN_copy(t, b)) goto err;
+		t->neg = 0;
 		if (!BN_sub_word(t, 1)) goto err;
 		if (!BN_rshift1(t, t)) goto err;
 		/* r := a^t mod b */
-		if (!BN_mod_exp(r, a, t, b, ctx)) goto err;
+		b->neg=0;
+		
+		if (!BN_mod_exp_recp(r, a, t, b, ctx)) goto err;
+		b->neg=1;
 
 		if (BN_is_word(r, 1))
 			legendre = 1;
@@ -936,7 +1784,7 @@ int test_kron(BIO *bp, BN_CTX *ctx)
 		else
 			{
 			if (!BN_add_word(r, 1)) goto err;
-			if (0 != BN_cmp(r, b))
+			if (0 != BN_ucmp(r, b))
 				{
 				fprintf(stderr, "Legendre symbol computation failed\n");
 				goto err;
@@ -946,6 +1794,9 @@ int test_kron(BIO *bp, BN_CTX *ctx)
 		
 		kronecker = BN_kronecker(a, b, ctx);
 		if (kronecker < -1) goto err;
+		/* we actually need BN_kronecker(a, |b|) */
+		if (a->neg && b->neg)
+			kronecker = -kronecker;
 		
 		if (legendre != kronecker)
 			{
@@ -974,6 +1825,7 @@ int test_kron(BIO *bp, BN_CTX *ctx)
 
 int test_sqrt(BIO *bp, BN_CTX *ctx)
 	{
+	BN_GENCB cb;
 	BIGNUM *a,*p,*r;
 	int i, j;
 	int ret = 0;
@@ -982,7 +1834,9 @@ int test_sqrt(BIO *bp, BN_CTX *ctx)
 	p = BN_new();
 	r = BN_new();
 	if (a == NULL || p == NULL || r == NULL) goto err;
-	
+
+	BN_GENCB_set(&cb, genprime_cb, NULL);
+
 	for (i = 0; i < 16; i++)
 		{
 		if (i < 8)
@@ -996,9 +1850,10 @@ int test_sqrt(BIO *bp, BN_CTX *ctx)
 			if (!BN_set_word(a, 32)) goto err;
 			if (!BN_set_word(r, 2*i + 1)) goto err;
 		
-			if (!BN_generate_prime(p, 256, 0, a, r, genprime_cb, NULL)) goto err;
+			if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb)) goto err;
 			putc('\n', stderr);
 			}
+		p->neg = rand_neg();
 
 		for (j = 0; j < num2; j++)
 			{
@@ -1011,6 +1866,8 @@ int test_sqrt(BIO *bp, BN_CTX *ctx)
 			if (!BN_nnmod(a, a, p, ctx)) goto err;
 			if (!BN_mod_sqr(a, a, p, ctx)) goto err;
 			if (!BN_mul(a, a, r, ctx)) goto err;
+			if (rand_neg())
+				if (!BN_sub(a, a, p)) goto err;
 
 			if (!BN_mod_sqrt(r, a, p, ctx)) goto err;
 			if (!BN_mod_sqr(r, r, p, ctx)) goto err;
@@ -1044,6 +1901,28 @@ int test_sqrt(BIO *bp, BN_CTX *ctx)
 	return ret;
 	}
 
+int test_small_prime(BIO *bp,BN_CTX *ctx)
+	{
+	static const int bits = 10;
+	int ret = 0;
+	BIGNUM r;
+
+	BN_init(&r);
+	if (!BN_generate_prime_ex(&r, bits, 0, NULL, NULL, NULL))
+		goto err;
+	if (BN_num_bits(&r) != bits)
+		{
+		BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits, BN_num_bits(&r));
+		goto err;
+		}
+
+	ret = 1;
+
+err:
+	BN_clear(&r);
+	return ret;
+	}
+
 int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_)
 	{
 	BIGNUM *a,*b,*c,*d;
@@ -1216,7 +2095,7 @@ int test_rshift1(BIO *bp)
 			}
 		BN_sub(c,a,b);
 		BN_sub(c,c,b);
-		if(!BN_is_zero(c) && !BN_is_one(c))
+		if(!BN_is_zero(c) && !BN_abs_is_word(c, 1))
 		    {
 		    fprintf(stderr,"Right shift one test failed!\n");
 		    return 0;