1 /* crypto/bn/bntest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
64 * The Contribution is licensed pursuant to the Eric Young open source
65 * license provided above.
67 * The binary polynomial arithmetic software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
78 #include <openssl/bio.h>
79 #include <openssl/bn.h>
80 #include <openssl/rand.h>
81 #include <openssl/x509.h>
82 #include <openssl/err.h>
84 #include "../crypto/bn/bn_lcl.h"
86 const int num0 = 100; /* number of tests */
87 const int num1 = 50; /* additional tests for some functions */
88 const int num2 = 5; /* number of tests for slow functions */
90 int test_add(BIO *bp);
91 int test_sub(BIO *bp);
92 int test_lshift1(BIO *bp);
93 int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_);
94 int test_rshift1(BIO *bp);
95 int test_rshift(BIO *bp,BN_CTX *ctx);
96 int test_div(BIO *bp,BN_CTX *ctx);
97 int test_div_word(BIO *bp);
98 int test_div_recp(BIO *bp,BN_CTX *ctx);
99 int test_mul(BIO *bp);
100 int test_sqr(BIO *bp,BN_CTX *ctx);
101 int test_mont(BIO *bp,BN_CTX *ctx);
102 int test_mod(BIO *bp,BN_CTX *ctx);
103 int test_mod_mul(BIO *bp,BN_CTX *ctx);
104 int test_mod_exp(BIO *bp,BN_CTX *ctx);
105 int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);
106 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
107 int test_exp(BIO *bp,BN_CTX *ctx);
108 int test_gf2m_add(BIO *bp);
109 int test_gf2m_mod(BIO *bp);
110 int test_gf2m_mod_mul(BIO *bp,BN_CTX *ctx);
111 int test_gf2m_mod_sqr(BIO *bp,BN_CTX *ctx);
112 int test_gf2m_mod_inv(BIO *bp,BN_CTX *ctx);
113 int test_gf2m_mod_div(BIO *bp,BN_CTX *ctx);
114 int test_gf2m_mod_exp(BIO *bp,BN_CTX *ctx);
115 int test_gf2m_mod_sqrt(BIO *bp,BN_CTX *ctx);
116 int test_gf2m_mod_solve_quad(BIO *bp,BN_CTX *ctx);
117 int test_kron(BIO *bp,BN_CTX *ctx);
118 int test_sqrt(BIO *bp,BN_CTX *ctx);
119 int test_small_prime(BIO *bp,BN_CTX *ctx);
120 int test_probable_prime_coprime(BIO *bp,BN_CTX *ctx);
122 static int results=0;
124 static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
125 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
127 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
129 static void message(BIO *out, char *m)
131 fprintf(stderr, "test %s\n", m);
132 BIO_puts(out, "print \"test ");
134 BIO_puts(out, "\\n\"\n");
137 int main(int argc, char *argv[])
145 RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
151 if (strcmp(*argv,"-results") == 0)
153 else if (strcmp(*argv,"-out") == 0)
155 if (--argc < 1) break;
164 if (ctx == NULL) EXIT(1);
166 out=BIO_new(BIO_s_file());
167 if (out == NULL) EXIT(1);
170 BIO_set_fp(out,stdout,BIO_NOCLOSE);
174 if (!BIO_write_filename(out,outfile))
182 BIO_puts(out,"obase=16\nibase=16\n");
184 message(out,"BN_add");
185 if (!test_add(out)) goto err;
186 (void)BIO_flush(out);
188 message(out,"BN_sub");
189 if (!test_sub(out)) goto err;
190 (void)BIO_flush(out);
192 message(out,"BN_lshift1");
193 if (!test_lshift1(out)) goto err;
194 (void)BIO_flush(out);
196 message(out,"BN_lshift (fixed)");
197 if (!test_lshift(out,ctx,BN_bin2bn(lst,sizeof(lst)-1,NULL)))
199 (void)BIO_flush(out);
201 message(out,"BN_lshift");
202 if (!test_lshift(out,ctx,NULL)) goto err;
203 (void)BIO_flush(out);
205 message(out,"BN_rshift1");
206 if (!test_rshift1(out)) goto err;
207 (void)BIO_flush(out);
209 message(out,"BN_rshift");
210 if (!test_rshift(out,ctx)) goto err;
211 (void)BIO_flush(out);
213 message(out,"BN_sqr");
214 if (!test_sqr(out,ctx)) goto err;
215 (void)BIO_flush(out);
217 message(out,"BN_mul");
218 if (!test_mul(out)) goto err;
219 (void)BIO_flush(out);
221 message(out,"BN_div");
222 if (!test_div(out,ctx)) goto err;
223 (void)BIO_flush(out);
225 message(out,"BN_div_word");
226 if (!test_div_word(out)) goto err;
227 (void)BIO_flush(out);
229 message(out,"BN_div_recp");
230 if (!test_div_recp(out,ctx)) goto err;
231 (void)BIO_flush(out);
233 message(out,"BN_mod");
234 if (!test_mod(out,ctx)) goto err;
235 (void)BIO_flush(out);
237 message(out,"BN_mod_mul");
238 if (!test_mod_mul(out,ctx)) goto err;
239 (void)BIO_flush(out);
241 message(out,"BN_mont");
242 if (!test_mont(out,ctx)) goto err;
243 (void)BIO_flush(out);
245 message(out,"BN_mod_exp");
246 if (!test_mod_exp(out,ctx)) goto err;
247 (void)BIO_flush(out);
249 message(out,"BN_mod_exp_mont_consttime");
250 if (!test_mod_exp_mont_consttime(out,ctx)) goto err;
251 if (!test_mod_exp_mont5(out,ctx)) goto err;
252 (void)BIO_flush(out);
254 message(out,"BN_exp");
255 if (!test_exp(out,ctx)) goto err;
256 (void)BIO_flush(out);
258 message(out,"BN_kronecker");
259 if (!test_kron(out,ctx)) goto err;
260 (void)BIO_flush(out);
262 message(out,"BN_mod_sqrt");
263 if (!test_sqrt(out,ctx)) goto err;
264 (void)BIO_flush(out);
266 message(out,"Small prime generation");
267 if (!test_small_prime(out,ctx)) goto err;
268 (void)BIO_flush(out);
270 #ifdef OPENSSL_SYS_WIN32
271 message(out,"Probable prime generation with coprimes disabled");
273 message(out,"Probable prime generation with coprimes");
274 if (!test_probable_prime_coprime(out,ctx)) goto err;
276 (void)BIO_flush(out);
278 #ifndef OPENSSL_NO_EC2M
279 message(out,"BN_GF2m_add");
280 if (!test_gf2m_add(out)) goto err;
281 (void)BIO_flush(out);
283 message(out,"BN_GF2m_mod");
284 if (!test_gf2m_mod(out)) goto err;
285 (void)BIO_flush(out);
287 message(out,"BN_GF2m_mod_mul");
288 if (!test_gf2m_mod_mul(out,ctx)) goto err;
289 (void)BIO_flush(out);
291 message(out,"BN_GF2m_mod_sqr");
292 if (!test_gf2m_mod_sqr(out,ctx)) goto err;
293 (void)BIO_flush(out);
295 message(out,"BN_GF2m_mod_inv");
296 if (!test_gf2m_mod_inv(out,ctx)) goto err;
297 (void)BIO_flush(out);
299 message(out,"BN_GF2m_mod_div");
300 if (!test_gf2m_mod_div(out,ctx)) goto err;
301 (void)BIO_flush(out);
303 message(out,"BN_GF2m_mod_exp");
304 if (!test_gf2m_mod_exp(out,ctx)) goto err;
305 (void)BIO_flush(out);
307 message(out,"BN_GF2m_mod_sqrt");
308 if (!test_gf2m_mod_sqrt(out,ctx)) goto err;
309 (void)BIO_flush(out);
311 message(out,"BN_GF2m_mod_solve_quad");
312 if (!test_gf2m_mod_solve_quad(out,ctx)) goto err;
313 (void)BIO_flush(out);
320 BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
321 * the failure, see test_bn in test/Makefile.ssl
323 (void)BIO_flush(out);
324 ERR_load_crypto_strings();
325 ERR_print_errors_fp(stderr);
330 int test_add(BIO *bp)
339 BN_bntest_rand(a,512,0,0);
340 for (i=0; i<num0; i++)
342 BN_bntest_rand(b,450+i,0,0);
364 fprintf(stderr,"Add test failed!\n");
374 int test_sub(BIO *bp)
383 for (i=0; i<num0+num1; i++)
387 BN_bntest_rand(a,512,0,0);
389 if (BN_set_bit(a,i)==0) return(0);
394 BN_bntest_rand(b,400+i-num1,0,0);
415 fprintf(stderr,"Subtract test failed!\n");
425 int test_div(BIO *bp, BN_CTX *ctx)
427 BIGNUM *a,*b,*c,*d,*e;
436 for (i=0; i<num0+num1; i++)
440 BN_bntest_rand(a,400,0,0);
446 BN_bntest_rand(b,50+3*(i-num1),0,0);
477 fprintf(stderr,"Division test failed!\n");
489 static void print_word(BIO *bp,BN_ULONG w)
491 #ifdef SIXTY_FOUR_BIT
492 if (sizeof(w) > sizeof(unsigned long))
494 unsigned long h=(unsigned long)(w>>32),
495 l=(unsigned long)(w);
497 if (h) BIO_printf(bp,"%lX%08lX",h,l);
498 else BIO_printf(bp,"%lX",l);
502 BIO_printf(bp,BN_HEX_FMT1,w);
505 int test_div_word(BIO *bp)
514 for (i=0; i<num0; i++)
517 BN_bntest_rand(a,512,-1,0);
518 BN_bntest_rand(b,BN_BITS2,-1,0);
523 r = BN_div_word(b, s);
552 fprintf(stderr,"Division (word) test failed!\n");
561 int test_div_recp(BIO *bp, BN_CTX *ctx)
563 BIGNUM *a,*b,*c,*d,*e;
567 recp = BN_RECP_CTX_new();
574 for (i=0; i<num0+num1; i++)
578 BN_bntest_rand(a,400,0,0);
584 BN_bntest_rand(b,50+3*(i-num1),0,0);
587 BN_RECP_CTX_set(recp,b,ctx);
588 BN_div_recp(d,c,a,recp,ctx);
616 fprintf(stderr,"Reciprocal division test failed!\n");
617 fprintf(stderr,"a=");
618 BN_print_fp(stderr,a);
619 fprintf(stderr,"\nb=");
620 BN_print_fp(stderr,b);
621 fprintf(stderr,"\n");
630 BN_RECP_CTX_free(recp);
634 int test_mul(BIO *bp)
636 BIGNUM *a,*b,*c,*d,*e;
641 if (ctx == NULL) EXIT(1);
649 for (i=0; i<num0+num1; i++)
653 BN_bntest_rand(a,100,0,0);
654 BN_bntest_rand(b,100,0,0);
657 BN_bntest_rand(b,i-num1,0,0);
675 if(!BN_is_zero(d) || !BN_is_zero(e))
677 fprintf(stderr,"Multiplication test failed!\n");
690 int test_sqr(BIO *bp, BN_CTX *ctx)
699 if (a == NULL || c == NULL || d == NULL || e == NULL)
704 for (i=0; i<num0; i++)
706 BN_bntest_rand(a,40+i*10,0,0);
723 if(!BN_is_zero(d) || !BN_is_zero(e))
725 fprintf(stderr,"Square test failed!\n");
730 /* Regression test for a BN_sqr overflow bug. */
732 "80000000000000008000000000000001"
733 "FFFFFFFFFFFFFFFE0000000000000000");
747 BN_mul(d, a, a, ctx);
750 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
751 "different results!\n");
755 /* Regression test for a BN_sqr overflow bug. */
757 "80000000000000000000000080000001"
758 "FFFFFFFE000000000000000000000000");
772 BN_mul(d, a, a, ctx);
775 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
776 "different results!\n");
781 if (a != NULL) BN_free(a);
782 if (c != NULL) BN_free(c);
783 if (d != NULL) BN_free(d);
784 if (e != NULL) BN_free(e);
788 int test_mont(BIO *bp, BN_CTX *ctx)
790 BIGNUM *a,*b,*c,*d,*A,*B;
803 mont=BN_MONT_CTX_new();
807 BN_bntest_rand(a,100,0,0);
808 BN_bntest_rand(b,100,0,0);
809 for (i=0; i<num2; i++)
811 int bits = (200*(i+1))/num2;
815 BN_bntest_rand(n,bits,0,1);
816 BN_MONT_CTX_set(mont,n,ctx);
821 BN_to_montgomery(A,a,mont,ctx);
822 BN_to_montgomery(B,b,mont,ctx);
824 BN_mod_mul_montgomery(c,A,B,mont,ctx);
825 BN_from_montgomery(A,c,mont,ctx);
831 fprintf(stderr,"%d * %d %% %d\n",
834 BN_num_bits(&mont->N));
840 BN_print(bp,&mont->N);
846 BN_mod_mul(d,a,b,n,ctx);
850 fprintf(stderr,"Montgomery multiplication test failed!\n");
854 BN_MONT_CTX_free(mont);
865 int test_mod(BIO *bp, BN_CTX *ctx)
867 BIGNUM *a,*b,*c,*d,*e;
876 BN_bntest_rand(a,1024,0,0);
877 for (i=0; i<num0; i++)
879 BN_bntest_rand(b,450+i*10,0,0);
899 fprintf(stderr,"Modulo test failed!\n");
911 int test_mod_mul(BIO *bp, BN_CTX *ctx)
913 BIGNUM *a,*b,*c,*d,*e;
922 for (j=0; j<3; j++) {
923 BN_bntest_rand(c,1024,0,0);
924 for (i=0; i<num0; i++)
926 BN_bntest_rand(a,475+i*10,0,0);
927 BN_bntest_rand(b,425+i*11,0,0);
930 if (!BN_mod_mul(e,a,b,c,ctx))
934 while ((l=ERR_get_error()))
935 fprintf(stderr,"ERROR:%s\n",
936 ERR_error_string(l,NULL));
948 if ((a->neg ^ b->neg) && !BN_is_zero(e))
950 /* If (a*b) % c is negative, c must be added
951 * in order to obtain the normalized remainder
952 * (new with OpenSSL 0.9.7, previous versions of
953 * BN_mod_mul could generate negative results)
968 fprintf(stderr,"Modulo multiply test failed!\n");
969 ERR_print_errors_fp(stderr);
982 int test_mod_exp(BIO *bp, BN_CTX *ctx)
984 BIGNUM *a,*b,*c,*d,*e;
993 BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
994 for (i=0; i<num2; i++)
996 BN_bntest_rand(a,20+i*5,0,0);
997 BN_bntest_rand(b,2+i,0,0);
999 if (!BN_mod_exp(d,a,b,c,ctx))
1018 BN_div(a,b,e,c,ctx);
1021 fprintf(stderr,"Modulo exponentiation test failed!\n");
1033 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
1035 BIGNUM *a,*b,*c,*d,*e;
1044 BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
1045 for (i=0; i<num2; i++)
1047 BN_bntest_rand(a,20+i*5,0,0);
1048 BN_bntest_rand(b,2+i,0,0);
1050 if (!BN_mod_exp_mont_consttime(d,a,b,c,ctx,NULL))
1069 BN_div(a,b,e,c,ctx);
1072 fprintf(stderr,"Modulo exponentiation test failed!\n");
1084 /* Test constant-time modular exponentiation with 1024-bit inputs,
1085 * which on x86_64 cause a different code branch to be taken.
1087 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
1089 BIGNUM *a,*p,*m,*d,*e;
1099 mont = BN_MONT_CTX_new();
1101 BN_bntest_rand(m,1024,0,1); /* must be odd for montgomery */
1103 BN_bntest_rand(a,1024,0,0);
1105 if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
1109 fprintf(stderr, "Modular exponentiation test failed!\n");
1113 BN_bntest_rand(p,1024,0,0);
1115 if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
1119 fprintf(stderr, "Modular exponentiation test failed!\n");
1122 /* Craft an input whose Montgomery representation is 1,
1123 * i.e., shorter than the modulus m, in order to test
1124 * the const time precomputation scattering/gathering.
1127 BN_MONT_CTX_set(mont,m,ctx);
1128 if(!BN_from_montgomery(e,a,mont,ctx))
1130 if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
1132 if(!BN_mod_exp_simple(a,e,p,m,ctx))
1134 if(BN_cmp(a,d) != 0)
1136 fprintf(stderr,"Modular exponentiation test failed!\n");
1139 /* Finally, some regular test vectors. */
1140 BN_bntest_rand(e,1024,0,0);
1141 if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
1143 if(!BN_mod_exp_simple(a,e,p,m,ctx))
1145 if(BN_cmp(a,d) != 0)
1147 fprintf(stderr,"Modular exponentiation test failed!\n");
1158 int test_exp(BIO *bp, BN_CTX *ctx)
1160 BIGNUM *a,*b,*d,*e,*one;
1170 for (i=0; i<num2; i++)
1172 BN_bntest_rand(a,20+i*5,0,0);
1173 BN_bntest_rand(b,2+i,0,0);
1175 if (BN_exp(d,a,b,ctx) <= 0)
1191 for( ; !BN_is_zero(b) ; BN_sub(b,b,one))
1196 fprintf(stderr,"Exponentiation test failed!\n");
1207 #ifndef OPENSSL_NO_EC2M
1208 int test_gf2m_add(BIO *bp)
1217 for (i=0; i<num0; i++)
1220 BN_copy(b, BN_value_one());
1224 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1238 /* Test that two added values have the correct parity. */
1239 if((BN_is_odd(a) && BN_is_odd(c)) || (!BN_is_odd(a) && !BN_is_odd(c)))
1241 fprintf(stderr,"GF(2^m) addition test (a) failed!\n");
1245 /* Test that c + c = 0. */
1248 fprintf(stderr,"GF(2^m) addition test (b) failed!\n");
1260 int test_gf2m_mod(BIO *bp)
1262 BIGNUM *a,*b[2],*c,*d,*e;
1264 int p0[] = {163,7,6,3,0,-1};
1265 int p1[] = {193,15,0,-1};
1274 BN_GF2m_arr2poly(p0, b[0]);
1275 BN_GF2m_arr2poly(p1, b[1]);
1277 for (i=0; i<num0; i++)
1279 BN_bntest_rand(a, 1024, 0, 0);
1280 for (j=0; j < 2; j++)
1282 BN_GF2m_mod(c, a, b[j]);
1283 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1297 BN_GF2m_add(d, a, c);
1298 BN_GF2m_mod(e, d, b[j]);
1299 /* Test that a + (a mod p) mod p == 0. */
1302 fprintf(stderr,"GF(2^m) modulo test failed!\n");
1318 int test_gf2m_mod_mul(BIO *bp,BN_CTX *ctx)
1320 BIGNUM *a,*b[2],*c,*d,*e,*f,*g,*h;
1322 int p0[] = {163,7,6,3,0,-1};
1323 int p1[] = {193,15,0,-1};
1335 BN_GF2m_arr2poly(p0, b[0]);
1336 BN_GF2m_arr2poly(p1, b[1]);
1338 for (i=0; i<num0; i++)
1340 BN_bntest_rand(a, 1024, 0, 0);
1341 BN_bntest_rand(c, 1024, 0, 0);
1342 BN_bntest_rand(d, 1024, 0, 0);
1343 for (j=0; j < 2; j++)
1345 BN_GF2m_mod_mul(e, a, c, b[j], ctx);
1346 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1362 BN_GF2m_add(f, a, d);
1363 BN_GF2m_mod_mul(g, f, c, b[j], ctx);
1364 BN_GF2m_mod_mul(h, d, c, b[j], ctx);
1365 BN_GF2m_add(f, e, g);
1366 BN_GF2m_add(f, f, h);
1367 /* Test that (a+d)*c = a*c + d*c. */
1370 fprintf(stderr,"GF(2^m) modular multiplication test failed!\n");
1389 int test_gf2m_mod_sqr(BIO *bp,BN_CTX *ctx)
1391 BIGNUM *a,*b[2],*c,*d;
1393 int p0[] = {163,7,6,3,0,-1};
1394 int p1[] = {193,15,0,-1};
1402 BN_GF2m_arr2poly(p0, b[0]);
1403 BN_GF2m_arr2poly(p1, b[1]);
1405 for (i=0; i<num0; i++)
1407 BN_bntest_rand(a, 1024, 0, 0);
1408 for (j=0; j < 2; j++)
1410 BN_GF2m_mod_sqr(c, a, b[j], ctx);
1412 BN_GF2m_mod_mul(d, a, d, b[j], ctx);
1413 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1419 BIO_puts(bp," ^ 2 % ");
1421 BIO_puts(bp, " = ");
1423 BIO_puts(bp,"; a * a = ");
1429 BN_GF2m_add(d, c, d);
1430 /* Test that a*a = a^2. */
1433 fprintf(stderr,"GF(2^m) modular squaring test failed!\n");
1448 int test_gf2m_mod_inv(BIO *bp,BN_CTX *ctx)
1450 BIGNUM *a,*b[2],*c,*d;
1452 int p0[] = {163,7,6,3,0,-1};
1453 int p1[] = {193,15,0,-1};
1461 BN_GF2m_arr2poly(p0, b[0]);
1462 BN_GF2m_arr2poly(p1, b[1]);
1464 for (i=0; i<num0; i++)
1466 BN_bntest_rand(a, 512, 0, 0);
1467 for (j=0; j < 2; j++)
1469 BN_GF2m_mod_inv(c, a, b[j], ctx);
1470 BN_GF2m_mod_mul(d, a, c, b[j], ctx);
1471 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1477 BIO_puts(bp, " * ");
1479 BIO_puts(bp," - 1 % ");
1485 /* Test that ((1/a)*a) = 1. */
1488 fprintf(stderr,"GF(2^m) modular inversion test failed!\n");
1503 int test_gf2m_mod_div(BIO *bp,BN_CTX *ctx)
1505 BIGNUM *a,*b[2],*c,*d,*e,*f;
1507 int p0[] = {163,7,6,3,0,-1};
1508 int p1[] = {193,15,0,-1};
1518 BN_GF2m_arr2poly(p0, b[0]);
1519 BN_GF2m_arr2poly(p1, b[1]);
1521 for (i=0; i<num0; i++)
1523 BN_bntest_rand(a, 512, 0, 0);
1524 BN_bntest_rand(c, 512, 0, 0);
1525 for (j=0; j < 2; j++)
1527 BN_GF2m_mod_div(d, a, c, b[j], ctx);
1528 BN_GF2m_mod_mul(e, d, c, b[j], ctx);
1529 BN_GF2m_mod_div(f, a, e, b[j], ctx);
1530 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1536 BIO_puts(bp, " = ");
1540 BIO_puts(bp, " % ");
1546 /* Test that ((a/c)*c)/a = 1. */
1549 fprintf(stderr,"GF(2^m) modular division test failed!\n");
1566 int test_gf2m_mod_exp(BIO *bp,BN_CTX *ctx)
1568 BIGNUM *a,*b[2],*c,*d,*e,*f;
1570 int p0[] = {163,7,6,3,0,-1};
1571 int p1[] = {193,15,0,-1};
1581 BN_GF2m_arr2poly(p0, b[0]);
1582 BN_GF2m_arr2poly(p1, b[1]);
1584 for (i=0; i<num0; i++)
1586 BN_bntest_rand(a, 512, 0, 0);
1587 BN_bntest_rand(c, 512, 0, 0);
1588 BN_bntest_rand(d, 512, 0, 0);
1589 for (j=0; j < 2; j++)
1591 BN_GF2m_mod_exp(e, a, c, b[j], ctx);
1592 BN_GF2m_mod_exp(f, a, d, b[j], ctx);
1593 BN_GF2m_mod_mul(e, e, f, b[j], ctx);
1595 BN_GF2m_mod_exp(f, a, f, b[j], ctx);
1596 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1602 BIO_puts(bp, " ^ (");
1606 BIO_puts(bp, ") = ");
1608 BIO_puts(bp, "; - ");
1610 BIO_puts(bp, " % ");
1616 BN_GF2m_add(f, e, f);
1617 /* Test that a^(c+d)=a^c*a^d. */
1620 fprintf(stderr,"GF(2^m) modular exponentiation test failed!\n");
1637 int test_gf2m_mod_sqrt(BIO *bp,BN_CTX *ctx)
1639 BIGNUM *a,*b[2],*c,*d,*e,*f;
1641 int p0[] = {163,7,6,3,0,-1};
1642 int p1[] = {193,15,0,-1};
1652 BN_GF2m_arr2poly(p0, b[0]);
1653 BN_GF2m_arr2poly(p1, b[1]);
1655 for (i=0; i<num0; i++)
1657 BN_bntest_rand(a, 512, 0, 0);
1658 for (j=0; j < 2; j++)
1660 BN_GF2m_mod(c, a, b[j]);
1661 BN_GF2m_mod_sqrt(d, a, b[j], ctx);
1662 BN_GF2m_mod_sqr(e, d, b[j], ctx);
1663 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1669 BIO_puts(bp, " ^ 2 - ");
1675 BN_GF2m_add(f, c, e);
1676 /* Test that d^2 = a, where d = sqrt(a). */
1679 fprintf(stderr,"GF(2^m) modular square root test failed!\n");
1696 int test_gf2m_mod_solve_quad(BIO *bp,BN_CTX *ctx)
1698 BIGNUM *a,*b[2],*c,*d,*e;
1699 int i, j, s = 0, t, ret = 0;
1700 int p0[] = {163,7,6,3,0,-1};
1701 int p1[] = {193,15,0,-1};
1710 BN_GF2m_arr2poly(p0, b[0]);
1711 BN_GF2m_arr2poly(p1, b[1]);
1713 for (i=0; i<num0; i++)
1715 BN_bntest_rand(a, 512, 0, 0);
1716 for (j=0; j < 2; j++)
1718 t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
1722 BN_GF2m_mod_sqr(d, c, b[j], ctx);
1723 BN_GF2m_add(d, c, d);
1724 BN_GF2m_mod(e, a, b[j]);
1725 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1731 BIO_puts(bp, " is root of z^2 + z = ");
1733 BIO_puts(bp, " % ");
1739 BN_GF2m_add(e, e, d);
1740 /* Test that solution of quadratic c satisfies c^2 + c = a. */
1743 fprintf(stderr,"GF(2^m) modular solve quadratic test failed!\n");
1750 #if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1755 BIO_puts(bp, "There are no roots of z^2 + z = ");
1757 BIO_puts(bp, " % ");
1768 fprintf(stderr,"All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n", num0);
1769 fprintf(stderr,"this is very unlikely and probably indicates an error.\n");
1783 static int genprime_cb(int p, int n, BN_GENCB *arg)
1796 int test_kron(BIO *bp, BN_CTX *ctx)
1801 int legendre, kronecker;
1808 if (a == NULL || b == NULL || r == NULL || t == NULL) goto err;
1810 BN_GENCB_set(&cb, genprime_cb, NULL);
1812 /* We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol).
1813 * In this case we know that if b is prime, then BN_kronecker(a, b, ctx)
1814 * is congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol).
1815 * So we generate a random prime b and compare these values
1816 * for a number of random a's. (That is, we run the Solovay-Strassen
1817 * primality test to confirm that b is prime, except that we
1818 * don't want to test whether b is prime but whether BN_kronecker
1821 if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb)) goto err;
1822 b->neg = rand_neg();
1825 for (i = 0; i < num0; i++)
1827 if (!BN_bntest_rand(a, 512, 0, 0)) goto err;
1828 a->neg = rand_neg();
1830 /* t := (|b|-1)/2 (note that b is odd) */
1831 if (!BN_copy(t, b)) goto err;
1833 if (!BN_sub_word(t, 1)) goto err;
1834 if (!BN_rshift1(t, t)) goto err;
1835 /* r := a^t mod b */
1838 if (!BN_mod_exp_recp(r, a, t, b, ctx)) goto err;
1841 if (BN_is_word(r, 1))
1843 else if (BN_is_zero(r))
1847 if (!BN_add_word(r, 1)) goto err;
1848 if (0 != BN_ucmp(r, b))
1850 fprintf(stderr, "Legendre symbol computation failed\n");
1856 kronecker = BN_kronecker(a, b, ctx);
1857 if (kronecker < -1) goto err;
1858 /* we actually need BN_kronecker(a, |b|) */
1859 if (a->neg && b->neg)
1860 kronecker = -kronecker;
1862 if (legendre != kronecker)
1864 fprintf(stderr, "legendre != kronecker; a = ");
1865 BN_print_fp(stderr, a);
1866 fprintf(stderr, ", b = ");
1867 BN_print_fp(stderr, b);
1868 fprintf(stderr, "\n");
1880 if (a != NULL) BN_free(a);
1881 if (b != NULL) BN_free(b);
1882 if (r != NULL) BN_free(r);
1883 if (t != NULL) BN_free(t);
1887 int test_sqrt(BIO *bp, BN_CTX *ctx)
1897 if (a == NULL || p == NULL || r == NULL) goto err;
1899 BN_GENCB_set(&cb, genprime_cb, NULL);
1901 for (i = 0; i < 16; i++)
1905 unsigned primes[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1907 if (!BN_set_word(p, primes[i])) goto err;
1911 if (!BN_set_word(a, 32)) goto err;
1912 if (!BN_set_word(r, 2*i + 1)) goto err;
1914 if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb)) goto err;
1917 p->neg = rand_neg();
1919 for (j = 0; j < num2; j++)
1921 /* construct 'a' such that it is a square modulo p,
1922 * but in general not a proper square and not reduced modulo p */
1923 if (!BN_bntest_rand(r, 256, 0, 3)) goto err;
1924 if (!BN_nnmod(r, r, p, ctx)) goto err;
1925 if (!BN_mod_sqr(r, r, p, ctx)) goto err;
1926 if (!BN_bntest_rand(a, 256, 0, 3)) goto err;
1927 if (!BN_nnmod(a, a, p, ctx)) goto err;
1928 if (!BN_mod_sqr(a, a, p, ctx)) goto err;
1929 if (!BN_mul(a, a, r, ctx)) goto err;
1931 if (!BN_sub(a, a, p)) goto err;
1933 if (!BN_mod_sqrt(r, a, p, ctx)) goto err;
1934 if (!BN_mod_sqr(r, r, p, ctx)) goto err;
1936 if (!BN_nnmod(a, a, p, ctx)) goto err;
1938 if (BN_cmp(a, r) != 0)
1940 fprintf(stderr, "BN_mod_sqrt failed: a = ");
1941 BN_print_fp(stderr, a);
1942 fprintf(stderr, ", r = ");
1943 BN_print_fp(stderr, r);
1944 fprintf(stderr, ", p = ");
1945 BN_print_fp(stderr, p);
1946 fprintf(stderr, "\n");
1959 if (a != NULL) BN_free(a);
1960 if (p != NULL) BN_free(p);
1961 if (r != NULL) BN_free(r);
1965 int test_small_prime(BIO *bp,BN_CTX *ctx)
1967 static const int bits = 10;
1972 if (!BN_generate_prime_ex(r, bits, 0, NULL, NULL, NULL))
1974 if (BN_num_bits(r) != bits)
1976 BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits, BN_num_bits(r));
1986 #ifndef OPENSSL_SYS_WIN32
1987 int test_probable_prime_coprime(BIO *bp, BN_CTX *ctx)
1991 BN_ULONG primes[5] = { 2, 3, 5, 7, 11 };
1995 for (i = 0; i < 1000; i++)
1997 if (!bn_probable_prime_dh_coprime(r, 1024, ctx)) goto err;
1999 for (j = 0; j < 5; j++)
2001 if (BN_mod_word(r, primes[j]) == 0)
2003 BIO_printf(bp, "Number generated is not coprime to %ld:\n", primes[j]);
2004 BN_print_fp(stdout, r);
2005 BIO_printf(bp, "\n");
2018 int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_)
2033 BN_bntest_rand(a,200,0,0);
2036 for (i=0; i<num0; i++)
2056 fprintf(stderr,"Left shift test failed!\n");
2057 fprintf(stderr,"a=");
2058 BN_print_fp(stderr,a);
2059 fprintf(stderr,"\nb=");
2060 BN_print_fp(stderr,b);
2061 fprintf(stderr,"\nc=");
2062 BN_print_fp(stderr,c);
2063 fprintf(stderr,"\nd=");
2064 BN_print_fp(stderr,d);
2065 fprintf(stderr,"\n");
2076 int test_lshift1(BIO *bp)
2085 BN_bntest_rand(a,200,0,0);
2087 for (i=0; i<num0; i++)
2095 BIO_puts(bp," * 2");
2105 fprintf(stderr,"Left shift one test failed!\n");
2117 int test_rshift(BIO *bp,BN_CTX *ctx)
2119 BIGNUM *a,*b,*c,*d,*e;
2129 BN_bntest_rand(a,200,0,0);
2131 for (i=0; i<num0; i++)
2147 BN_div(d,e,a,c,ctx);
2151 fprintf(stderr,"Right shift test failed!\n");
2163 int test_rshift1(BIO *bp)
2172 BN_bntest_rand(a,200,0,0);
2174 for (i=0; i<num0; i++)
2182 BIO_puts(bp," / 2");
2190 if(!BN_is_zero(c) && !BN_abs_is_word(c, 1))
2192 fprintf(stderr,"Right shift one test failed!\n");
2205 static unsigned int neg=0;
2206 static int sign[8]={0,0,0,1,1,0,1,1};
2208 return(sign[(neg++)%8]);