1 /* crypto/bn/bntest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
64 * The Contribution is licensed pursuant to the Eric Young open source
65 * license provided above.
67 * The binary polynomial arithmetic software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
78 #include <openssl/bio.h>
79 #include <openssl/bn.h>
80 #include <openssl/rand.h>
81 #include <openssl/x509.h>
82 #include <openssl/err.h>
84 #include "../crypto/bn/bn_lcl.h"
86 static const int num0 = 100; /* number of tests */
87 static const int num1 = 50; /* additional tests for some functions */
88 static const int num2 = 5; /* number of tests for slow functions */
90 int test_add(BIO *bp);
91 int test_sub(BIO *bp);
92 int test_lshift1(BIO *bp);
93 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_);
94 int test_rshift1(BIO *bp);
95 int test_rshift(BIO *bp, BN_CTX *ctx);
96 int test_div(BIO *bp, BN_CTX *ctx);
97 int test_div_word(BIO *bp);
98 int test_div_recp(BIO *bp, BN_CTX *ctx);
99 int test_mul(BIO *bp);
100 int test_sqr(BIO *bp, BN_CTX *ctx);
101 int test_mont(BIO *bp, BN_CTX *ctx);
102 int test_mod(BIO *bp, BN_CTX *ctx);
103 int test_mod_mul(BIO *bp, BN_CTX *ctx);
104 int test_mod_exp(BIO *bp, BN_CTX *ctx);
105 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);
106 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
107 int test_exp(BIO *bp, BN_CTX *ctx);
108 int test_gf2m_add(BIO *bp);
109 int test_gf2m_mod(BIO *bp);
110 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx);
111 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx);
112 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx);
113 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx);
114 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx);
115 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx);
116 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
117 int test_kron(BIO *bp, BN_CTX *ctx);
118 int test_sqrt(BIO *bp, BN_CTX *ctx);
119 int test_small_prime(BIO *bp, BN_CTX *ctx);
121 static int results = 0;
123 static unsigned char lst[] =
124 "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
125 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
127 static const char rnd_seed[] =
128 "string to make the random number generator think it has entropy";
130 static void message(BIO *out, char *m)
132 fprintf(stderr, "test %s\n", m);
133 BIO_puts(out, "print \"test ");
135 BIO_puts(out, "\\n\"\n");
138 int main(int argc, char *argv[])
142 char *outfile = NULL;
146 RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
151 if (strcmp(*argv, "-results") == 0)
153 else if (strcmp(*argv, "-out") == 0) {
166 out = BIO_new(BIO_s_file());
169 if (outfile == NULL) {
170 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
172 if (!BIO_write_filename(out, outfile)) {
177 #ifdef OPENSSL_SYS_VMS
179 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
180 out = BIO_push(tmpbio, out);
185 BIO_puts(out, "obase=16\nibase=16\n");
187 message(out, "BN_add");
190 (void)BIO_flush(out);
192 message(out, "BN_sub");
195 (void)BIO_flush(out);
197 message(out, "BN_lshift1");
198 if (!test_lshift1(out))
200 (void)BIO_flush(out);
202 message(out, "BN_lshift (fixed)");
203 if (!test_lshift(out, ctx, BN_bin2bn(lst, sizeof(lst) - 1, NULL)))
205 (void)BIO_flush(out);
207 message(out, "BN_lshift");
208 if (!test_lshift(out, ctx, NULL))
210 (void)BIO_flush(out);
212 message(out, "BN_rshift1");
213 if (!test_rshift1(out))
215 (void)BIO_flush(out);
217 message(out, "BN_rshift");
218 if (!test_rshift(out, ctx))
220 (void)BIO_flush(out);
222 message(out, "BN_sqr");
223 if (!test_sqr(out, ctx))
225 (void)BIO_flush(out);
227 message(out, "BN_mul");
230 (void)BIO_flush(out);
232 message(out, "BN_div");
233 if (!test_div(out, ctx))
235 (void)BIO_flush(out);
237 message(out, "BN_div_word");
238 if (!test_div_word(out))
240 (void)BIO_flush(out);
242 message(out, "BN_div_recp");
243 if (!test_div_recp(out, ctx))
245 (void)BIO_flush(out);
247 message(out, "BN_mod");
248 if (!test_mod(out, ctx))
250 (void)BIO_flush(out);
252 message(out, "BN_mod_mul");
253 if (!test_mod_mul(out, ctx))
255 (void)BIO_flush(out);
257 message(out, "BN_mont");
258 if (!test_mont(out, ctx))
260 (void)BIO_flush(out);
262 message(out, "BN_mod_exp");
263 if (!test_mod_exp(out, ctx))
265 (void)BIO_flush(out);
267 message(out, "BN_mod_exp_mont_consttime");
268 if (!test_mod_exp_mont_consttime(out, ctx))
270 if (!test_mod_exp_mont5(out, ctx))
272 (void)BIO_flush(out);
274 message(out, "BN_exp");
275 if (!test_exp(out, ctx))
277 (void)BIO_flush(out);
279 message(out, "BN_kronecker");
280 if (!test_kron(out, ctx))
282 (void)BIO_flush(out);
284 message(out, "BN_mod_sqrt");
285 if (!test_sqrt(out, ctx))
287 (void)BIO_flush(out);
289 message(out, "Small prime generation");
290 if (!test_small_prime(out, ctx))
292 (void)BIO_flush(out);
294 #ifndef OPENSSL_NO_EC2M
295 message(out, "BN_GF2m_add");
296 if (!test_gf2m_add(out))
298 (void)BIO_flush(out);
300 message(out, "BN_GF2m_mod");
301 if (!test_gf2m_mod(out))
303 (void)BIO_flush(out);
305 message(out, "BN_GF2m_mod_mul");
306 if (!test_gf2m_mod_mul(out, ctx))
308 (void)BIO_flush(out);
310 message(out, "BN_GF2m_mod_sqr");
311 if (!test_gf2m_mod_sqr(out, ctx))
313 (void)BIO_flush(out);
315 message(out, "BN_GF2m_mod_inv");
316 if (!test_gf2m_mod_inv(out, ctx))
318 (void)BIO_flush(out);
320 message(out, "BN_GF2m_mod_div");
321 if (!test_gf2m_mod_div(out, ctx))
323 (void)BIO_flush(out);
325 message(out, "BN_GF2m_mod_exp");
326 if (!test_gf2m_mod_exp(out, ctx))
328 (void)BIO_flush(out);
330 message(out, "BN_GF2m_mod_sqrt");
331 if (!test_gf2m_mod_sqrt(out, ctx))
333 (void)BIO_flush(out);
335 message(out, "BN_GF2m_mod_solve_quad");
336 if (!test_gf2m_mod_solve_quad(out, ctx))
338 (void)BIO_flush(out);
345 BIO_puts(out, "1\n"); /* make sure the Perl script fed by bc
346 * notices the failure, see test_bn in
347 * test/Makefile.ssl */
348 (void)BIO_flush(out);
349 ERR_load_crypto_strings();
350 ERR_print_errors_fp(stderr);
354 int test_add(BIO *bp)
363 BN_bntest_rand(a, 512, 0, 0);
364 for (i = 0; i < num0; i++) {
365 BN_bntest_rand(b, 450 + i, 0, 0);
383 if (!BN_is_zero(c)) {
384 fprintf(stderr, "Add test failed!\n");
394 int test_sub(BIO *bp)
403 for (i = 0; i < num0 + num1; i++) {
405 BN_bntest_rand(a, 512, 0, 0);
407 if (BN_set_bit(a, i) == 0)
411 BN_bntest_rand(b, 400 + i - num1, 0, 0);
428 if (!BN_is_zero(c)) {
429 fprintf(stderr, "Subtract test failed!\n");
439 int test_div(BIO *bp, BN_CTX *ctx)
441 BIGNUM *a, *b, *c, *d, *e;
453 if (BN_div(d, c, a, b, ctx)) {
454 fprintf(stderr, "Division by zero succeeded!\n");
458 for (i = 0; i < num0 + num1; i++) {
460 BN_bntest_rand(a, 400, 0, 0);
465 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
468 BN_div(d, c, a, b, ctx);
488 BN_mul(e, d, b, ctx);
491 if (!BN_is_zero(d)) {
492 fprintf(stderr, "Division test failed!\n");
504 static void print_word(BIO *bp, BN_ULONG w)
506 #ifdef SIXTY_FOUR_BIT
507 if (sizeof(w) > sizeof(unsigned long)) {
508 unsigned long h = (unsigned long)(w >> 32), l = (unsigned long)(w);
511 BIO_printf(bp, "%lX%08lX", h, l);
513 BIO_printf(bp, "%lX", l);
517 BIO_printf(bp, BN_HEX_FMT1, w);
520 int test_div_word(BIO *bp)
529 for (i = 0; i < num0; i++) {
531 BN_bntest_rand(a, 512, -1, 0);
532 BN_bntest_rand(b, BN_BITS2, -1, 0);
533 } while (BN_is_zero(b));
537 r = BN_div_word(b, s);
561 if (!BN_is_zero(b)) {
562 fprintf(stderr, "Division (word) test failed!\n");
571 int test_div_recp(BIO *bp, BN_CTX *ctx)
573 BIGNUM *a, *b, *c, *d, *e;
577 recp = BN_RECP_CTX_new();
584 for (i = 0; i < num0 + num1; i++) {
586 BN_bntest_rand(a, 400, 0, 0);
591 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
594 BN_RECP_CTX_set(recp, b, ctx);
595 BN_div_recp(d, c, a, recp, ctx);
615 BN_mul(e, d, b, ctx);
618 if (!BN_is_zero(d)) {
619 fprintf(stderr, "Reciprocal division test failed!\n");
620 fprintf(stderr, "a=");
621 BN_print_fp(stderr, a);
622 fprintf(stderr, "\nb=");
623 BN_print_fp(stderr, b);
624 fprintf(stderr, "\n");
633 BN_RECP_CTX_free(recp);
637 int test_mul(BIO *bp)
639 BIGNUM *a, *b, *c, *d, *e;
653 for (i = 0; i < num0 + num1; i++) {
655 BN_bntest_rand(a, 100, 0, 0);
656 BN_bntest_rand(b, 100, 0, 0);
658 BN_bntest_rand(b, i - num1, 0, 0);
661 BN_mul(c, a, b, ctx);
672 BN_div(d, e, c, a, ctx);
674 if (!BN_is_zero(d) || !BN_is_zero(e)) {
675 fprintf(stderr, "Multiplication test failed!\n");
688 int test_sqr(BIO *bp, BN_CTX *ctx)
690 BIGNUM *a, *c, *d, *e;
697 if (a == NULL || c == NULL || d == NULL || e == NULL) {
701 for (i = 0; i < num0; i++) {
702 BN_bntest_rand(a, 40 + i * 10, 0, 0);
715 BN_div(d, e, c, a, ctx);
717 if (!BN_is_zero(d) || !BN_is_zero(e)) {
718 fprintf(stderr, "Square test failed!\n");
723 /* Regression test for a BN_sqr overflow bug. */
725 "80000000000000008000000000000001"
726 "FFFFFFFFFFFFFFFE0000000000000000");
738 BN_mul(d, a, a, ctx);
740 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
741 "different results!\n");
745 /* Regression test for a BN_sqr overflow bug. */
747 "80000000000000000000000080000001"
748 "FFFFFFFE000000000000000000000000");
760 BN_mul(d, a, a, ctx);
762 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
763 "different results!\n");
775 int test_mont(BIO *bp, BN_CTX *ctx)
777 BIGNUM *a, *b, *c, *d, *A, *B;
790 mont = BN_MONT_CTX_new();
795 if (BN_MONT_CTX_set(mont, n, ctx)) {
796 fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
801 if (BN_MONT_CTX_set(mont, n, ctx)) {
802 fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
806 BN_bntest_rand(a, 100, 0, 0);
807 BN_bntest_rand(b, 100, 0, 0);
808 for (i = 0; i < num2; i++) {
809 int bits = (200 * (i + 1)) / num2;
813 BN_bntest_rand(n, bits, 0, 1);
814 BN_MONT_CTX_set(mont, n, ctx);
816 BN_nnmod(a, a, n, ctx);
817 BN_nnmod(b, b, n, ctx);
819 BN_to_montgomery(A, a, mont, ctx);
820 BN_to_montgomery(B, b, mont, ctx);
822 BN_mod_mul_montgomery(c, A, B, mont, ctx);
823 BN_from_montgomery(A, c, mont, ctx);
830 BN_print(bp, &mont->N);
836 BN_mod_mul(d, a, b, n, ctx);
838 if (!BN_is_zero(d)) {
839 fprintf(stderr, "Montgomery multiplication test failed!\n");
843 BN_MONT_CTX_free(mont);
854 int test_mod(BIO *bp, BN_CTX *ctx)
856 BIGNUM *a, *b, *c, *d, *e;
865 BN_bntest_rand(a, 1024, 0, 0);
866 for (i = 0; i < num0; i++) {
867 BN_bntest_rand(b, 450 + i * 10, 0, 0);
870 BN_mod(c, a, b, ctx);
881 BN_div(d, e, a, b, ctx);
883 if (!BN_is_zero(e)) {
884 fprintf(stderr, "Modulo test failed!\n");
896 int test_mod_mul(BIO *bp, BN_CTX *ctx)
898 BIGNUM *a, *b, *c, *d, *e;
910 if (BN_mod_mul(e, a, b, c, ctx)) {
911 fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
915 for (j = 0; j < 3; j++) {
916 BN_bntest_rand(c, 1024, 0, 0);
917 for (i = 0; i < num0; i++) {
918 BN_bntest_rand(a, 475 + i * 10, 0, 0);
919 BN_bntest_rand(b, 425 + i * 11, 0, 0);
922 if (!BN_mod_mul(e, a, b, c, ctx)) {
925 while ((l = ERR_get_error()))
926 fprintf(stderr, "ERROR:%s\n", ERR_error_string(l, NULL));
936 if ((a->neg ^ b->neg) && !BN_is_zero(e)) {
938 * If (a*b) % c is negative, c must be added in order
939 * to obtain the normalized remainder (new with
940 * OpenSSL 0.9.7, previous versions of BN_mod_mul
941 * could generate negative results)
951 BN_mul(d, a, b, ctx);
953 BN_div(a, b, d, c, ctx);
954 if (!BN_is_zero(b)) {
955 fprintf(stderr, "Modulo multiply test failed!\n");
956 ERR_print_errors_fp(stderr);
969 int test_mod_exp(BIO *bp, BN_CTX *ctx)
971 BIGNUM *a, *b, *c, *d, *e;
983 if (BN_mod_exp(d, a, b, c, ctx)) {
984 fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
988 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
989 for (i = 0; i < num2; i++) {
990 BN_bntest_rand(a, 20 + i * 5, 0, 0);
991 BN_bntest_rand(b, 2 + i, 0, 0);
993 if (!BN_mod_exp(d, a, b, c, ctx))
1001 BIO_puts(bp, " % ");
1003 BIO_puts(bp, " - ");
1008 BN_exp(e, a, b, ctx);
1010 BN_div(a, b, e, c, ctx);
1011 if (!BN_is_zero(b)) {
1012 fprintf(stderr, "Modulo exponentiation test failed!\n");
1017 /* Regression test for carry propagation bug in sqr8x_reduction */
1018 BN_hex2bn(&a, "050505050505");
1019 BN_hex2bn(&b, "02");
1021 "4141414141414141414141274141414141414141414141414141414141414141"
1022 "4141414141414141414141414141414141414141414141414141414141414141"
1023 "4141414141414141414141800000000000000000000000000000000000000000"
1024 "0000000000000000000000000000000000000000000000000000000000000000"
1025 "0000000000000000000000000000000000000000000000000000000000000000"
1026 "0000000000000000000000000000000000000000000000000000000001");
1027 BN_mod_exp(d, a, b, c, ctx);
1028 BN_mul(e, a, a, ctx);
1030 fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
1042 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
1044 BIGNUM *a, *b, *c, *d, *e;
1056 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1057 fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
1063 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1064 fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
1069 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1070 for (i = 0; i < num2; i++) {
1071 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1072 BN_bntest_rand(b, 2 + i, 0, 0);
1074 if (!BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL))
1080 BIO_puts(bp, " ^ ");
1082 BIO_puts(bp, " % ");
1084 BIO_puts(bp, " - ");
1089 BN_exp(e, a, b, ctx);
1091 BN_div(a, b, e, c, ctx);
1092 if (!BN_is_zero(b)) {
1093 fprintf(stderr, "Modulo exponentiation test failed!\n");
1106 * Test constant-time modular exponentiation with 1024-bit inputs, which on
1107 * x86_64 cause a different code branch to be taken.
1109 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
1111 BIGNUM *a, *p, *m, *d, *e;
1119 mont = BN_MONT_CTX_new();
1121 BN_bntest_rand(m, 1024, 0, 1); /* must be odd for montgomery */
1123 BN_bntest_rand(a, 1024, 0, 0);
1125 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1127 if (!BN_is_one(d)) {
1128 fprintf(stderr, "Modular exponentiation test failed!\n");
1132 BN_bntest_rand(p, 1024, 0, 0);
1134 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1136 if (!BN_is_zero(d)) {
1137 fprintf(stderr, "Modular exponentiation test failed!\n");
1141 * Craft an input whose Montgomery representation is 1, i.e., shorter
1142 * than the modulus m, in order to test the const time precomputation
1143 * scattering/gathering.
1146 BN_MONT_CTX_set(mont, m, ctx);
1147 if (!BN_from_montgomery(e, a, mont, ctx))
1149 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1151 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1153 if (BN_cmp(a, d) != 0) {
1154 fprintf(stderr, "Modular exponentiation test failed!\n");
1157 /* Finally, some regular test vectors. */
1158 BN_bntest_rand(e, 1024, 0, 0);
1159 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1161 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1163 if (BN_cmp(a, d) != 0) {
1164 fprintf(stderr, "Modular exponentiation test failed!\n");
1167 BN_MONT_CTX_free(mont);
1176 int test_exp(BIO *bp, BN_CTX *ctx)
1178 BIGNUM *a, *b, *d, *e, *one;
1188 for (i = 0; i < num2; i++) {
1189 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1190 BN_bntest_rand(b, 2 + i, 0, 0);
1192 if (BN_exp(d, a, b, ctx) <= 0)
1198 BIO_puts(bp, " ^ ");
1200 BIO_puts(bp, " - ");
1206 for (; !BN_is_zero(b); BN_sub(b, b, one))
1207 BN_mul(e, e, a, ctx);
1209 if (!BN_is_zero(e)) {
1210 fprintf(stderr, "Exponentiation test failed!\n");
1222 #ifndef OPENSSL_NO_EC2M
1223 int test_gf2m_add(BIO *bp)
1232 for (i = 0; i < num0; i++) {
1233 BN_rand(a, 512, 0, 0);
1234 BN_copy(b, BN_value_one());
1235 a->neg = rand_neg();
1236 b->neg = rand_neg();
1237 BN_GF2m_add(c, a, b);
1238 /* Test that two added values have the correct parity. */
1239 if ((BN_is_odd(a) && BN_is_odd(c))
1240 || (!BN_is_odd(a) && !BN_is_odd(c))) {
1241 fprintf(stderr, "GF(2^m) addition test (a) failed!\n");
1244 BN_GF2m_add(c, c, c);
1245 /* Test that c + c = 0. */
1246 if (!BN_is_zero(c)) {
1247 fprintf(stderr, "GF(2^m) addition test (b) failed!\n");
1259 int test_gf2m_mod(BIO *bp)
1261 BIGNUM *a, *b[2], *c, *d, *e;
1263 int p0[] = { 163, 7, 6, 3, 0, -1 };
1264 int p1[] = { 193, 15, 0, -1 };
1273 BN_GF2m_arr2poly(p0, b[0]);
1274 BN_GF2m_arr2poly(p1, b[1]);
1276 for (i = 0; i < num0; i++) {
1277 BN_bntest_rand(a, 1024, 0, 0);
1278 for (j = 0; j < 2; j++) {
1279 BN_GF2m_mod(c, a, b[j]);
1280 BN_GF2m_add(d, a, c);
1281 BN_GF2m_mod(e, d, b[j]);
1282 /* Test that a + (a mod p) mod p == 0. */
1283 if (!BN_is_zero(e)) {
1284 fprintf(stderr, "GF(2^m) modulo test failed!\n");
1300 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx)
1302 BIGNUM *a, *b[2], *c, *d, *e, *f, *g, *h;
1304 int p0[] = { 163, 7, 6, 3, 0, -1 };
1305 int p1[] = { 193, 15, 0, -1 };
1317 BN_GF2m_arr2poly(p0, b[0]);
1318 BN_GF2m_arr2poly(p1, b[1]);
1320 for (i = 0; i < num0; i++) {
1321 BN_bntest_rand(a, 1024, 0, 0);
1322 BN_bntest_rand(c, 1024, 0, 0);
1323 BN_bntest_rand(d, 1024, 0, 0);
1324 for (j = 0; j < 2; j++) {
1325 BN_GF2m_mod_mul(e, a, c, b[j], ctx);
1326 BN_GF2m_add(f, a, d);
1327 BN_GF2m_mod_mul(g, f, c, b[j], ctx);
1328 BN_GF2m_mod_mul(h, d, c, b[j], ctx);
1329 BN_GF2m_add(f, e, g);
1330 BN_GF2m_add(f, f, h);
1331 /* Test that (a+d)*c = a*c + d*c. */
1332 if (!BN_is_zero(f)) {
1334 "GF(2^m) modular multiplication test failed!\n");
1353 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx)
1355 BIGNUM *a, *b[2], *c, *d;
1357 int p0[] = { 163, 7, 6, 3, 0, -1 };
1358 int p1[] = { 193, 15, 0, -1 };
1366 BN_GF2m_arr2poly(p0, b[0]);
1367 BN_GF2m_arr2poly(p1, b[1]);
1369 for (i = 0; i < num0; i++) {
1370 BN_bntest_rand(a, 1024, 0, 0);
1371 for (j = 0; j < 2; j++) {
1372 BN_GF2m_mod_sqr(c, a, b[j], ctx);
1374 BN_GF2m_mod_mul(d, a, d, b[j], ctx);
1375 BN_GF2m_add(d, c, d);
1376 /* Test that a*a = a^2. */
1377 if (!BN_is_zero(d)) {
1378 fprintf(stderr, "GF(2^m) modular squaring test failed!\n");
1393 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx)
1395 BIGNUM *a, *b[2], *c, *d;
1397 int p0[] = { 163, 7, 6, 3, 0, -1 };
1398 int p1[] = { 193, 15, 0, -1 };
1406 BN_GF2m_arr2poly(p0, b[0]);
1407 BN_GF2m_arr2poly(p1, b[1]);
1409 for (i = 0; i < num0; i++) {
1410 BN_bntest_rand(a, 512, 0, 0);
1411 for (j = 0; j < 2; j++) {
1412 BN_GF2m_mod_inv(c, a, b[j], ctx);
1413 BN_GF2m_mod_mul(d, a, c, b[j], ctx);
1414 /* Test that ((1/a)*a) = 1. */
1415 if (!BN_is_one(d)) {
1416 fprintf(stderr, "GF(2^m) modular inversion test failed!\n");
1431 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx)
1433 BIGNUM *a, *b[2], *c, *d, *e, *f;
1435 int p0[] = { 163, 7, 6, 3, 0, -1 };
1436 int p1[] = { 193, 15, 0, -1 };
1446 BN_GF2m_arr2poly(p0, b[0]);
1447 BN_GF2m_arr2poly(p1, b[1]);
1449 for (i = 0; i < num0; i++) {
1450 BN_bntest_rand(a, 512, 0, 0);
1451 BN_bntest_rand(c, 512, 0, 0);
1452 for (j = 0; j < 2; j++) {
1453 BN_GF2m_mod_div(d, a, c, b[j], ctx);
1454 BN_GF2m_mod_mul(e, d, c, b[j], ctx);
1455 BN_GF2m_mod_div(f, a, e, b[j], ctx);
1456 /* Test that ((a/c)*c)/a = 1. */
1457 if (!BN_is_one(f)) {
1458 fprintf(stderr, "GF(2^m) modular division test failed!\n");
1475 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx)
1477 BIGNUM *a, *b[2], *c, *d, *e, *f;
1479 int p0[] = { 163, 7, 6, 3, 0, -1 };
1480 int p1[] = { 193, 15, 0, -1 };
1490 BN_GF2m_arr2poly(p0, b[0]);
1491 BN_GF2m_arr2poly(p1, b[1]);
1493 for (i = 0; i < num0; i++) {
1494 BN_bntest_rand(a, 512, 0, 0);
1495 BN_bntest_rand(c, 512, 0, 0);
1496 BN_bntest_rand(d, 512, 0, 0);
1497 for (j = 0; j < 2; j++) {
1498 BN_GF2m_mod_exp(e, a, c, b[j], ctx);
1499 BN_GF2m_mod_exp(f, a, d, b[j], ctx);
1500 BN_GF2m_mod_mul(e, e, f, b[j], ctx);
1502 BN_GF2m_mod_exp(f, a, f, b[j], ctx);
1503 BN_GF2m_add(f, e, f);
1504 /* Test that a^(c+d)=a^c*a^d. */
1505 if (!BN_is_zero(f)) {
1507 "GF(2^m) modular exponentiation test failed!\n");
1524 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx)
1526 BIGNUM *a, *b[2], *c, *d, *e, *f;
1528 int p0[] = { 163, 7, 6, 3, 0, -1 };
1529 int p1[] = { 193, 15, 0, -1 };
1539 BN_GF2m_arr2poly(p0, b[0]);
1540 BN_GF2m_arr2poly(p1, b[1]);
1542 for (i = 0; i < num0; i++) {
1543 BN_bntest_rand(a, 512, 0, 0);
1544 for (j = 0; j < 2; j++) {
1545 BN_GF2m_mod(c, a, b[j]);
1546 BN_GF2m_mod_sqrt(d, a, b[j], ctx);
1547 BN_GF2m_mod_sqr(e, d, b[j], ctx);
1548 BN_GF2m_add(f, c, e);
1549 /* Test that d^2 = a, where d = sqrt(a). */
1550 if (!BN_is_zero(f)) {
1551 fprintf(stderr, "GF(2^m) modular square root test failed!\n");
1568 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx)
1570 BIGNUM *a, *b[2], *c, *d, *e;
1571 int i, j, s = 0, t, ret = 0;
1572 int p0[] = { 163, 7, 6, 3, 0, -1 };
1573 int p1[] = { 193, 15, 0, -1 };
1582 BN_GF2m_arr2poly(p0, b[0]);
1583 BN_GF2m_arr2poly(p1, b[1]);
1585 for (i = 0; i < num0; i++) {
1586 BN_bntest_rand(a, 512, 0, 0);
1587 for (j = 0; j < 2; j++) {
1588 t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
1591 BN_GF2m_mod_sqr(d, c, b[j], ctx);
1592 BN_GF2m_add(d, c, d);
1593 BN_GF2m_mod(e, a, b[j]);
1594 BN_GF2m_add(e, e, d);
1596 * Test that solution of quadratic c satisfies c^2 + c = a.
1598 if (!BN_is_zero(e)) {
1600 "GF(2^m) modular solve quadratic test failed!\n");
1609 "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n",
1612 "this is very unlikely and probably indicates an error.\n");
1626 static int genprime_cb(int p, int n, BN_GENCB *arg)
1643 int test_kron(BIO *bp, BN_CTX *ctx)
1646 BIGNUM *a, *b, *r, *t;
1648 int legendre, kronecker;
1655 if (a == NULL || b == NULL || r == NULL || t == NULL)
1658 BN_GENCB_set(&cb, genprime_cb, NULL);
1661 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1662 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1663 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1664 * generate a random prime b and compare these values for a number of
1665 * random a's. (That is, we run the Solovay-Strassen primality test to
1666 * confirm that b is prime, except that we don't want to test whether b
1667 * is prime but whether BN_kronecker works.)
1670 if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb))
1672 b->neg = rand_neg();
1675 for (i = 0; i < num0; i++) {
1676 if (!BN_bntest_rand(a, 512, 0, 0))
1678 a->neg = rand_neg();
1680 /* t := (|b|-1)/2 (note that b is odd) */
1684 if (!BN_sub_word(t, 1))
1686 if (!BN_rshift1(t, t))
1688 /* r := a^t mod b */
1691 if (!BN_mod_exp_recp(r, a, t, b, ctx))
1695 if (BN_is_word(r, 1))
1697 else if (BN_is_zero(r))
1700 if (!BN_add_word(r, 1))
1702 if (0 != BN_ucmp(r, b)) {
1703 fprintf(stderr, "Legendre symbol computation failed\n");
1709 kronecker = BN_kronecker(a, b, ctx);
1712 /* we actually need BN_kronecker(a, |b|) */
1713 if (a->neg && b->neg)
1714 kronecker = -kronecker;
1716 if (legendre != kronecker) {
1717 fprintf(stderr, "legendre != kronecker; a = ");
1718 BN_print_fp(stderr, a);
1719 fprintf(stderr, ", b = ");
1720 BN_print_fp(stderr, b);
1721 fprintf(stderr, "\n");
1740 int test_sqrt(BIO *bp, BN_CTX *ctx)
1750 if (a == NULL || p == NULL || r == NULL)
1753 BN_GENCB_set(&cb, genprime_cb, NULL);
1755 for (i = 0; i < 16; i++) {
1757 unsigned primes[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1759 if (!BN_set_word(p, primes[i]))
1762 if (!BN_set_word(a, 32))
1764 if (!BN_set_word(r, 2 * i + 1))
1767 if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb))
1771 p->neg = rand_neg();
1773 for (j = 0; j < num2; j++) {
1775 * construct 'a' such that it is a square modulo p, but in
1776 * general not a proper square and not reduced modulo p
1778 if (!BN_bntest_rand(r, 256, 0, 3))
1780 if (!BN_nnmod(r, r, p, ctx))
1782 if (!BN_mod_sqr(r, r, p, ctx))
1784 if (!BN_bntest_rand(a, 256, 0, 3))
1786 if (!BN_nnmod(a, a, p, ctx))
1788 if (!BN_mod_sqr(a, a, p, ctx))
1790 if (!BN_mul(a, a, r, ctx))
1793 if (!BN_sub(a, a, p))
1796 if (!BN_mod_sqrt(r, a, p, ctx))
1798 if (!BN_mod_sqr(r, r, p, ctx))
1801 if (!BN_nnmod(a, a, p, ctx))
1804 if (BN_cmp(a, r) != 0) {
1805 fprintf(stderr, "BN_mod_sqrt failed: a = ");
1806 BN_print_fp(stderr, a);
1807 fprintf(stderr, ", r = ");
1808 BN_print_fp(stderr, r);
1809 fprintf(stderr, ", p = ");
1810 BN_print_fp(stderr, p);
1811 fprintf(stderr, "\n");
1830 int test_small_prime(BIO *bp, BN_CTX *ctx)
1832 static const int bits = 10;
1837 if (!BN_generate_prime_ex(r, bits, 0, NULL, NULL, NULL))
1839 if (BN_num_bits(r) != bits) {
1840 BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits,
1852 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_)
1854 BIGNUM *a, *b, *c, *d;
1866 BN_bntest_rand(a, 200, 0, 0);
1867 a->neg = rand_neg();
1869 for (i = 0; i < num0; i++) {
1870 BN_lshift(b, a, i + 1);
1875 BIO_puts(bp, " * ");
1877 BIO_puts(bp, " - ");
1882 BN_mul(d, a, c, ctx);
1884 if (!BN_is_zero(d)) {
1885 fprintf(stderr, "Left shift test failed!\n");
1886 fprintf(stderr, "a=");
1887 BN_print_fp(stderr, a);
1888 fprintf(stderr, "\nb=");
1889 BN_print_fp(stderr, b);
1890 fprintf(stderr, "\nc=");
1891 BN_print_fp(stderr, c);
1892 fprintf(stderr, "\nd=");
1893 BN_print_fp(stderr, d);
1894 fprintf(stderr, "\n");
1905 int test_lshift1(BIO *bp)
1914 BN_bntest_rand(a, 200, 0, 0);
1915 a->neg = rand_neg();
1916 for (i = 0; i < num0; i++) {
1921 BIO_puts(bp, " * 2");
1922 BIO_puts(bp, " - ");
1929 if (!BN_is_zero(a)) {
1930 fprintf(stderr, "Left shift one test failed!\n");
1942 int test_rshift(BIO *bp, BN_CTX *ctx)
1944 BIGNUM *a, *b, *c, *d, *e;
1954 BN_bntest_rand(a, 200, 0, 0);
1955 a->neg = rand_neg();
1956 for (i = 0; i < num0; i++) {
1957 BN_rshift(b, a, i + 1);
1962 BIO_puts(bp, " / ");
1964 BIO_puts(bp, " - ");
1969 BN_div(d, e, a, c, ctx);
1971 if (!BN_is_zero(d)) {
1972 fprintf(stderr, "Right shift test failed!\n");
1984 int test_rshift1(BIO *bp)
1993 BN_bntest_rand(a, 200, 0, 0);
1994 a->neg = rand_neg();
1995 for (i = 0; i < num0; i++) {
2000 BIO_puts(bp, " / 2");
2001 BIO_puts(bp, " - ");
2008 if (!BN_is_zero(c) && !BN_abs_is_word(c, 1)) {
2009 fprintf(stderr, "Right shift one test failed!\n");
2022 static unsigned int neg = 0;
2023 static int sign[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
2025 return (sign[(neg++) % 8]);
projects / openssl.git / blob