1 /* crypto/bn/bntest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
64 * The Contribution is licensed pursuant to the Eric Young open source
65 * license provided above.
67 * The binary polynomial arithmetic software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
78 #include <openssl/bio.h>
79 #include <openssl/bn.h>
80 #include <openssl/rand.h>
81 #include <openssl/x509.h>
82 #include <openssl/err.h>
84 #include "../crypto/bn/bn_lcl.h"
86 const int num0 = 100; /* number of tests */
87 const int num1 = 50; /* additional tests for some functions */
88 const int num2 = 5; /* number of tests for slow functions */
90 int test_add(BIO *bp);
91 int test_sub(BIO *bp);
92 int test_lshift1(BIO *bp);
93 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_);
94 int test_rshift1(BIO *bp);
95 int test_rshift(BIO *bp, BN_CTX *ctx);
96 int test_div(BIO *bp, BN_CTX *ctx);
97 int test_div_word(BIO *bp);
98 int test_div_recp(BIO *bp, BN_CTX *ctx);
99 int test_mul(BIO *bp);
100 int test_sqr(BIO *bp, BN_CTX *ctx);
101 int test_mont(BIO *bp, BN_CTX *ctx);
102 int test_mod(BIO *bp, BN_CTX *ctx);
103 int test_mod_mul(BIO *bp, BN_CTX *ctx);
104 int test_mod_exp(BIO *bp, BN_CTX *ctx);
105 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);
106 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
107 int test_exp(BIO *bp, BN_CTX *ctx);
108 int test_gf2m_add(BIO *bp);
109 int test_gf2m_mod(BIO *bp);
110 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx);
111 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx);
112 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx);
113 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx);
114 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx);
115 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx);
116 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
117 int test_kron(BIO *bp, BN_CTX *ctx);
118 int test_sqrt(BIO *bp, BN_CTX *ctx);
119 int test_small_prime(BIO *bp, BN_CTX *ctx);
120 int test_probable_prime_coprime(BIO *bp, BN_CTX *ctx);
122 static int results = 0;
124 static unsigned char lst[] =
125 "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
126 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
128 static const char rnd_seed[] =
129 "string to make the random number generator think it has entropy";
131 static void message(BIO *out, char *m)
133 fprintf(stderr, "test %s\n", m);
134 BIO_puts(out, "print \"test ");
136 BIO_puts(out, "\\n\"\n");
139 int main(int argc, char *argv[])
143 char *outfile = NULL;
147 RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
152 if (strcmp(*argv, "-results") == 0)
154 else if (strcmp(*argv, "-out") == 0) {
167 out = BIO_new(BIO_s_file());
170 if (outfile == NULL) {
171 BIO_set_fp(out, stdout, BIO_NOCLOSE);
173 if (!BIO_write_filename(out, outfile)) {
180 BIO_puts(out, "obase=16\nibase=16\n");
182 message(out, "BN_add");
185 (void)BIO_flush(out);
187 message(out, "BN_sub");
190 (void)BIO_flush(out);
192 message(out, "BN_lshift1");
193 if (!test_lshift1(out))
195 (void)BIO_flush(out);
197 message(out, "BN_lshift (fixed)");
198 if (!test_lshift(out, ctx, BN_bin2bn(lst, sizeof(lst) - 1, NULL)))
200 (void)BIO_flush(out);
202 message(out, "BN_lshift");
203 if (!test_lshift(out, ctx, NULL))
205 (void)BIO_flush(out);
207 message(out, "BN_rshift1");
208 if (!test_rshift1(out))
210 (void)BIO_flush(out);
212 message(out, "BN_rshift");
213 if (!test_rshift(out, ctx))
215 (void)BIO_flush(out);
217 message(out, "BN_sqr");
218 if (!test_sqr(out, ctx))
220 (void)BIO_flush(out);
222 message(out, "BN_mul");
225 (void)BIO_flush(out);
227 message(out, "BN_div");
228 if (!test_div(out, ctx))
230 (void)BIO_flush(out);
232 message(out, "BN_div_word");
233 if (!test_div_word(out))
235 (void)BIO_flush(out);
237 message(out, "BN_div_recp");
238 if (!test_div_recp(out, ctx))
240 (void)BIO_flush(out);
242 message(out, "BN_mod");
243 if (!test_mod(out, ctx))
245 (void)BIO_flush(out);
247 message(out, "BN_mod_mul");
248 if (!test_mod_mul(out, ctx))
250 (void)BIO_flush(out);
252 message(out, "BN_mont");
253 if (!test_mont(out, ctx))
255 (void)BIO_flush(out);
257 message(out, "BN_mod_exp");
258 if (!test_mod_exp(out, ctx))
260 (void)BIO_flush(out);
262 message(out, "BN_mod_exp_mont_consttime");
263 if (!test_mod_exp_mont_consttime(out, ctx))
265 if (!test_mod_exp_mont5(out, ctx))
267 (void)BIO_flush(out);
269 message(out, "BN_exp");
270 if (!test_exp(out, ctx))
272 (void)BIO_flush(out);
274 message(out, "BN_kronecker");
275 if (!test_kron(out, ctx))
277 (void)BIO_flush(out);
279 message(out, "BN_mod_sqrt");
280 if (!test_sqrt(out, ctx))
282 (void)BIO_flush(out);
284 message(out, "Small prime generation");
285 if (!test_small_prime(out, ctx))
287 (void)BIO_flush(out);
289 #ifdef OPENSSL_SYS_WIN32
290 message(out, "Probable prime generation with coprimes disabled");
292 message(out, "Probable prime generation with coprimes");
293 if (!test_probable_prime_coprime(out, ctx))
296 (void)BIO_flush(out);
298 #ifndef OPENSSL_NO_EC2M
299 message(out, "BN_GF2m_add");
300 if (!test_gf2m_add(out))
302 (void)BIO_flush(out);
304 message(out, "BN_GF2m_mod");
305 if (!test_gf2m_mod(out))
307 (void)BIO_flush(out);
309 message(out, "BN_GF2m_mod_mul");
310 if (!test_gf2m_mod_mul(out, ctx))
312 (void)BIO_flush(out);
314 message(out, "BN_GF2m_mod_sqr");
315 if (!test_gf2m_mod_sqr(out, ctx))
317 (void)BIO_flush(out);
319 message(out, "BN_GF2m_mod_inv");
320 if (!test_gf2m_mod_inv(out, ctx))
322 (void)BIO_flush(out);
324 message(out, "BN_GF2m_mod_div");
325 if (!test_gf2m_mod_div(out, ctx))
327 (void)BIO_flush(out);
329 message(out, "BN_GF2m_mod_exp");
330 if (!test_gf2m_mod_exp(out, ctx))
332 (void)BIO_flush(out);
334 message(out, "BN_GF2m_mod_sqrt");
335 if (!test_gf2m_mod_sqrt(out, ctx))
337 (void)BIO_flush(out);
339 message(out, "BN_GF2m_mod_solve_quad");
340 if (!test_gf2m_mod_solve_quad(out, ctx))
342 (void)BIO_flush(out);
349 BIO_puts(out, "1\n"); /* make sure the Perl script fed by bc
350 * notices the failure, see test_bn in
351 * test/Makefile.ssl */
352 (void)BIO_flush(out);
353 ERR_load_crypto_strings();
354 ERR_print_errors_fp(stderr);
358 int test_add(BIO *bp)
367 BN_bntest_rand(a, 512, 0, 0);
368 for (i = 0; i < num0; i++) {
369 BN_bntest_rand(b, 450 + i, 0, 0);
387 if (!BN_is_zero(c)) {
388 fprintf(stderr, "Add test failed!\n");
398 int test_sub(BIO *bp)
407 for (i = 0; i < num0 + num1; i++) {
409 BN_bntest_rand(a, 512, 0, 0);
411 if (BN_set_bit(a, i) == 0)
415 BN_bntest_rand(b, 400 + i - num1, 0, 0);
432 if (!BN_is_zero(c)) {
433 fprintf(stderr, "Subtract test failed!\n");
443 int test_div(BIO *bp, BN_CTX *ctx)
445 BIGNUM *a, *b, *c, *d, *e;
457 if (BN_div(d, c, a, b, ctx)) {
458 fprintf(stderr, "Division by zero succeeded!\n");
462 for (i = 0; i < num0 + num1; i++) {
464 BN_bntest_rand(a, 400, 0, 0);
469 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
472 BN_div(d, c, a, b, ctx);
492 BN_mul(e, d, b, ctx);
495 if (!BN_is_zero(d)) {
496 fprintf(stderr, "Division test failed!\n");
508 static void print_word(BIO *bp, BN_ULONG w)
510 #ifdef SIXTY_FOUR_BIT
511 if (sizeof(w) > sizeof(unsigned long)) {
512 unsigned long h = (unsigned long)(w >> 32), l = (unsigned long)(w);
515 BIO_printf(bp, "%lX%08lX", h, l);
517 BIO_printf(bp, "%lX", l);
521 BIO_printf(bp, BN_HEX_FMT1, w);
524 int test_div_word(BIO *bp)
533 for (i = 0; i < num0; i++) {
535 BN_bntest_rand(a, 512, -1, 0);
536 BN_bntest_rand(b, BN_BITS2, -1, 0);
537 } while (BN_is_zero(b));
541 r = BN_div_word(b, s);
565 if (!BN_is_zero(b)) {
566 fprintf(stderr, "Division (word) test failed!\n");
575 int test_div_recp(BIO *bp, BN_CTX *ctx)
577 BIGNUM *a, *b, *c, *d, *e;
581 recp = BN_RECP_CTX_new();
588 for (i = 0; i < num0 + num1; i++) {
590 BN_bntest_rand(a, 400, 0, 0);
595 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
598 BN_RECP_CTX_set(recp, b, ctx);
599 BN_div_recp(d, c, a, recp, ctx);
619 BN_mul(e, d, b, ctx);
622 if (!BN_is_zero(d)) {
623 fprintf(stderr, "Reciprocal division test failed!\n");
624 fprintf(stderr, "a=");
625 BN_print_fp(stderr, a);
626 fprintf(stderr, "\nb=");
627 BN_print_fp(stderr, b);
628 fprintf(stderr, "\n");
637 BN_RECP_CTX_free(recp);
641 int test_mul(BIO *bp)
643 BIGNUM *a, *b, *c, *d, *e;
657 for (i = 0; i < num0 + num1; i++) {
659 BN_bntest_rand(a, 100, 0, 0);
660 BN_bntest_rand(b, 100, 0, 0);
662 BN_bntest_rand(b, i - num1, 0, 0);
665 BN_mul(c, a, b, ctx);
676 BN_div(d, e, c, a, ctx);
678 if (!BN_is_zero(d) || !BN_is_zero(e)) {
679 fprintf(stderr, "Multiplication test failed!\n");
692 int test_sqr(BIO *bp, BN_CTX *ctx)
694 BIGNUM *a, *c, *d, *e;
701 if (a == NULL || c == NULL || d == NULL || e == NULL) {
705 for (i = 0; i < num0; i++) {
706 BN_bntest_rand(a, 40 + i * 10, 0, 0);
719 BN_div(d, e, c, a, ctx);
721 if (!BN_is_zero(d) || !BN_is_zero(e)) {
722 fprintf(stderr, "Square test failed!\n");
727 /* Regression test for a BN_sqr overflow bug. */
729 "80000000000000008000000000000001"
730 "FFFFFFFFFFFFFFFE0000000000000000");
742 BN_mul(d, a, a, ctx);
744 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
745 "different results!\n");
749 /* Regression test for a BN_sqr overflow bug. */
751 "80000000000000000000000080000001"
752 "FFFFFFFE000000000000000000000000");
764 BN_mul(d, a, a, ctx);
766 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
767 "different results!\n");
779 int test_mont(BIO *bp, BN_CTX *ctx)
781 BIGNUM *a, *b, *c, *d, *A, *B;
794 mont = BN_MONT_CTX_new();
799 if (BN_MONT_CTX_set(mont, n, ctx)) {
800 fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
805 if (BN_MONT_CTX_set(mont, n, ctx)) {
806 fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
810 BN_bntest_rand(a, 100, 0, 0);
811 BN_bntest_rand(b, 100, 0, 0);
812 for (i = 0; i < num2; i++) {
813 int bits = (200 * (i + 1)) / num2;
817 BN_bntest_rand(n, bits, 0, 1);
818 BN_MONT_CTX_set(mont, n, ctx);
820 BN_nnmod(a, a, n, ctx);
821 BN_nnmod(b, b, n, ctx);
823 BN_to_montgomery(A, a, mont, ctx);
824 BN_to_montgomery(B, b, mont, ctx);
826 BN_mod_mul_montgomery(c, A, B, mont, ctx);
827 BN_from_montgomery(A, c, mont, ctx);
834 BN_print(bp, &mont->N);
840 BN_mod_mul(d, a, b, n, ctx);
842 if (!BN_is_zero(d)) {
843 fprintf(stderr, "Montgomery multiplication test failed!\n");
847 BN_MONT_CTX_free(mont);
858 int test_mod(BIO *bp, BN_CTX *ctx)
860 BIGNUM *a, *b, *c, *d, *e;
869 BN_bntest_rand(a, 1024, 0, 0);
870 for (i = 0; i < num0; i++) {
871 BN_bntest_rand(b, 450 + i * 10, 0, 0);
874 BN_mod(c, a, b, ctx);
885 BN_div(d, e, a, b, ctx);
887 if (!BN_is_zero(e)) {
888 fprintf(stderr, "Modulo test failed!\n");
900 int test_mod_mul(BIO *bp, BN_CTX *ctx)
902 BIGNUM *a, *b, *c, *d, *e;
914 if (BN_mod_mul(e, a, b, c, ctx)) {
915 fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
919 for (j = 0; j < 3; j++) {
920 BN_bntest_rand(c, 1024, 0, 0);
921 for (i = 0; i < num0; i++) {
922 BN_bntest_rand(a, 475 + i * 10, 0, 0);
923 BN_bntest_rand(b, 425 + i * 11, 0, 0);
926 if (!BN_mod_mul(e, a, b, c, ctx)) {
929 while ((l = ERR_get_error()))
930 fprintf(stderr, "ERROR:%s\n", ERR_error_string(l, NULL));
940 if ((a->neg ^ b->neg) && !BN_is_zero(e)) {
942 * If (a*b) % c is negative, c must be added in order
943 * to obtain the normalized remainder (new with
944 * OpenSSL 0.9.7, previous versions of BN_mod_mul
945 * could generate negative results)
955 BN_mul(d, a, b, ctx);
957 BN_div(a, b, d, c, ctx);
958 if (!BN_is_zero(b)) {
959 fprintf(stderr, "Modulo multiply test failed!\n");
960 ERR_print_errors_fp(stderr);
973 int test_mod_exp(BIO *bp, BN_CTX *ctx)
975 BIGNUM *a, *b, *c, *d, *e;
987 if (BN_mod_exp(d, a, b, c, ctx)) {
988 fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
992 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
993 for (i = 0; i < num2; i++) {
994 BN_bntest_rand(a, 20 + i * 5, 0, 0);
995 BN_bntest_rand(b, 2 + i, 0, 0);
997 if (!BN_mod_exp(d, a, b, c, ctx))
1003 BIO_puts(bp, " ^ ");
1005 BIO_puts(bp, " % ");
1007 BIO_puts(bp, " - ");
1012 BN_exp(e, a, b, ctx);
1014 BN_div(a, b, e, c, ctx);
1015 if (!BN_is_zero(b)) {
1016 fprintf(stderr, "Modulo exponentiation test failed!\n");
1028 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
1030 BIGNUM *a, *b, *c, *d, *e;
1042 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1043 fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
1049 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1050 fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
1055 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1056 for (i = 0; i < num2; i++) {
1057 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1058 BN_bntest_rand(b, 2 + i, 0, 0);
1060 if (!BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL))
1066 BIO_puts(bp, " ^ ");
1068 BIO_puts(bp, " % ");
1070 BIO_puts(bp, " - ");
1075 BN_exp(e, a, b, ctx);
1077 BN_div(a, b, e, c, ctx);
1078 if (!BN_is_zero(b)) {
1079 fprintf(stderr, "Modulo exponentiation test failed!\n");
1092 * Test constant-time modular exponentiation with 1024-bit inputs, which on
1093 * x86_64 cause a different code branch to be taken.
1095 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
1097 BIGNUM *a, *p, *m, *d, *e;
1105 mont = BN_MONT_CTX_new();
1107 BN_bntest_rand(m, 1024, 0, 1); /* must be odd for montgomery */
1109 BN_bntest_rand(a, 1024, 0, 0);
1111 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1113 if (!BN_is_one(d)) {
1114 fprintf(stderr, "Modular exponentiation test failed!\n");
1118 BN_bntest_rand(p, 1024, 0, 0);
1120 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1122 if (!BN_is_zero(d)) {
1123 fprintf(stderr, "Modular exponentiation test failed!\n");
1127 * Craft an input whose Montgomery representation is 1, i.e., shorter
1128 * than the modulus m, in order to test the const time precomputation
1129 * scattering/gathering.
1132 BN_MONT_CTX_set(mont, m, ctx);
1133 if (!BN_from_montgomery(e, a, mont, ctx))
1135 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1137 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1139 if (BN_cmp(a, d) != 0) {
1140 fprintf(stderr, "Modular exponentiation test failed!\n");
1143 /* Finally, some regular test vectors. */
1144 BN_bntest_rand(e, 1024, 0, 0);
1145 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1147 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1149 if (BN_cmp(a, d) != 0) {
1150 fprintf(stderr, "Modular exponentiation test failed!\n");
1153 BN_MONT_CTX_free(mont);
1162 int test_exp(BIO *bp, BN_CTX *ctx)
1164 BIGNUM *a, *b, *d, *e, *one;
1174 for (i = 0; i < num2; i++) {
1175 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1176 BN_bntest_rand(b, 2 + i, 0, 0);
1178 if (BN_exp(d, a, b, ctx) <= 0)
1184 BIO_puts(bp, " ^ ");
1186 BIO_puts(bp, " - ");
1192 for (; !BN_is_zero(b); BN_sub(b, b, one))
1193 BN_mul(e, e, a, ctx);
1195 if (!BN_is_zero(e)) {
1196 fprintf(stderr, "Exponentiation test failed!\n");
1208 #ifndef OPENSSL_NO_EC2M
1209 int test_gf2m_add(BIO *bp)
1218 for (i = 0; i < num0; i++) {
1219 BN_rand(a, 512, 0, 0);
1220 BN_copy(b, BN_value_one());
1221 a->neg = rand_neg();
1222 b->neg = rand_neg();
1223 BN_GF2m_add(c, a, b);
1224 /* Test that two added values have the correct parity. */
1225 if ((BN_is_odd(a) && BN_is_odd(c))
1226 || (!BN_is_odd(a) && !BN_is_odd(c))) {
1227 fprintf(stderr, "GF(2^m) addition test (a) failed!\n");
1230 BN_GF2m_add(c, c, c);
1231 /* Test that c + c = 0. */
1232 if (!BN_is_zero(c)) {
1233 fprintf(stderr, "GF(2^m) addition test (b) failed!\n");
1245 int test_gf2m_mod(BIO *bp)
1247 BIGNUM *a, *b[2], *c, *d, *e;
1249 int p0[] = { 163, 7, 6, 3, 0, -1 };
1250 int p1[] = { 193, 15, 0, -1 };
1259 BN_GF2m_arr2poly(p0, b[0]);
1260 BN_GF2m_arr2poly(p1, b[1]);
1262 for (i = 0; i < num0; i++) {
1263 BN_bntest_rand(a, 1024, 0, 0);
1264 for (j = 0; j < 2; j++) {
1265 BN_GF2m_mod(c, a, b[j]);
1266 BN_GF2m_add(d, a, c);
1267 BN_GF2m_mod(e, d, b[j]);
1268 /* Test that a + (a mod p) mod p == 0. */
1269 if (!BN_is_zero(e)) {
1270 fprintf(stderr, "GF(2^m) modulo test failed!\n");
1286 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx)
1288 BIGNUM *a, *b[2], *c, *d, *e, *f, *g, *h;
1290 int p0[] = { 163, 7, 6, 3, 0, -1 };
1291 int p1[] = { 193, 15, 0, -1 };
1303 BN_GF2m_arr2poly(p0, b[0]);
1304 BN_GF2m_arr2poly(p1, b[1]);
1306 for (i = 0; i < num0; i++) {
1307 BN_bntest_rand(a, 1024, 0, 0);
1308 BN_bntest_rand(c, 1024, 0, 0);
1309 BN_bntest_rand(d, 1024, 0, 0);
1310 for (j = 0; j < 2; j++) {
1311 BN_GF2m_mod_mul(e, a, c, b[j], ctx);
1312 BN_GF2m_add(f, a, d);
1313 BN_GF2m_mod_mul(g, f, c, b[j], ctx);
1314 BN_GF2m_mod_mul(h, d, c, b[j], ctx);
1315 BN_GF2m_add(f, e, g);
1316 BN_GF2m_add(f, f, h);
1317 /* Test that (a+d)*c = a*c + d*c. */
1318 if (!BN_is_zero(f)) {
1320 "GF(2^m) modular multiplication test failed!\n");
1339 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx)
1341 BIGNUM *a, *b[2], *c, *d;
1343 int p0[] = { 163, 7, 6, 3, 0, -1 };
1344 int p1[] = { 193, 15, 0, -1 };
1352 BN_GF2m_arr2poly(p0, b[0]);
1353 BN_GF2m_arr2poly(p1, b[1]);
1355 for (i = 0; i < num0; i++) {
1356 BN_bntest_rand(a, 1024, 0, 0);
1357 for (j = 0; j < 2; j++) {
1358 BN_GF2m_mod_sqr(c, a, b[j], ctx);
1360 BN_GF2m_mod_mul(d, a, d, b[j], ctx);
1361 BN_GF2m_add(d, c, d);
1362 /* Test that a*a = a^2. */
1363 if (!BN_is_zero(d)) {
1364 fprintf(stderr, "GF(2^m) modular squaring test failed!\n");
1379 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx)
1381 BIGNUM *a, *b[2], *c, *d;
1383 int p0[] = { 163, 7, 6, 3, 0, -1 };
1384 int p1[] = { 193, 15, 0, -1 };
1392 BN_GF2m_arr2poly(p0, b[0]);
1393 BN_GF2m_arr2poly(p1, b[1]);
1395 for (i = 0; i < num0; i++) {
1396 BN_bntest_rand(a, 512, 0, 0);
1397 for (j = 0; j < 2; j++) {
1398 BN_GF2m_mod_inv(c, a, b[j], ctx);
1399 BN_GF2m_mod_mul(d, a, c, b[j], ctx);
1400 /* Test that ((1/a)*a) = 1. */
1401 if (!BN_is_one(d)) {
1402 fprintf(stderr, "GF(2^m) modular inversion test failed!\n");
1417 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx)
1419 BIGNUM *a, *b[2], *c, *d, *e, *f;
1421 int p0[] = { 163, 7, 6, 3, 0, -1 };
1422 int p1[] = { 193, 15, 0, -1 };
1432 BN_GF2m_arr2poly(p0, b[0]);
1433 BN_GF2m_arr2poly(p1, b[1]);
1435 for (i = 0; i < num0; i++) {
1436 BN_bntest_rand(a, 512, 0, 0);
1437 BN_bntest_rand(c, 512, 0, 0);
1438 for (j = 0; j < 2; j++) {
1439 BN_GF2m_mod_div(d, a, c, b[j], ctx);
1440 BN_GF2m_mod_mul(e, d, c, b[j], ctx);
1441 BN_GF2m_mod_div(f, a, e, b[j], ctx);
1442 /* Test that ((a/c)*c)/a = 1. */
1443 if (!BN_is_one(f)) {
1444 fprintf(stderr, "GF(2^m) modular division test failed!\n");
1461 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx)
1463 BIGNUM *a, *b[2], *c, *d, *e, *f;
1465 int p0[] = { 163, 7, 6, 3, 0, -1 };
1466 int p1[] = { 193, 15, 0, -1 };
1476 BN_GF2m_arr2poly(p0, b[0]);
1477 BN_GF2m_arr2poly(p1, b[1]);
1479 for (i = 0; i < num0; i++) {
1480 BN_bntest_rand(a, 512, 0, 0);
1481 BN_bntest_rand(c, 512, 0, 0);
1482 BN_bntest_rand(d, 512, 0, 0);
1483 for (j = 0; j < 2; j++) {
1484 BN_GF2m_mod_exp(e, a, c, b[j], ctx);
1485 BN_GF2m_mod_exp(f, a, d, b[j], ctx);
1486 BN_GF2m_mod_mul(e, e, f, b[j], ctx);
1488 BN_GF2m_mod_exp(f, a, f, b[j], ctx);
1489 BN_GF2m_add(f, e, f);
1490 /* Test that a^(c+d)=a^c*a^d. */
1491 if (!BN_is_zero(f)) {
1493 "GF(2^m) modular exponentiation test failed!\n");
1510 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx)
1512 BIGNUM *a, *b[2], *c, *d, *e, *f;
1514 int p0[] = { 163, 7, 6, 3, 0, -1 };
1515 int p1[] = { 193, 15, 0, -1 };
1525 BN_GF2m_arr2poly(p0, b[0]);
1526 BN_GF2m_arr2poly(p1, b[1]);
1528 for (i = 0; i < num0; i++) {
1529 BN_bntest_rand(a, 512, 0, 0);
1530 for (j = 0; j < 2; j++) {
1531 BN_GF2m_mod(c, a, b[j]);
1532 BN_GF2m_mod_sqrt(d, a, b[j], ctx);
1533 BN_GF2m_mod_sqr(e, d, b[j], ctx);
1534 BN_GF2m_add(f, c, e);
1535 /* Test that d^2 = a, where d = sqrt(a). */
1536 if (!BN_is_zero(f)) {
1537 fprintf(stderr, "GF(2^m) modular square root test failed!\n");
1554 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx)
1556 BIGNUM *a, *b[2], *c, *d, *e;
1557 int i, j, s = 0, t, ret = 0;
1558 int p0[] = { 163, 7, 6, 3, 0, -1 };
1559 int p1[] = { 193, 15, 0, -1 };
1568 BN_GF2m_arr2poly(p0, b[0]);
1569 BN_GF2m_arr2poly(p1, b[1]);
1571 for (i = 0; i < num0; i++) {
1572 BN_bntest_rand(a, 512, 0, 0);
1573 for (j = 0; j < 2; j++) {
1574 t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
1577 BN_GF2m_mod_sqr(d, c, b[j], ctx);
1578 BN_GF2m_add(d, c, d);
1579 BN_GF2m_mod(e, a, b[j]);
1580 BN_GF2m_add(e, e, d);
1582 * Test that solution of quadratic c satisfies c^2 + c = a.
1584 if (!BN_is_zero(e)) {
1586 "GF(2^m) modular solve quadratic test failed!\n");
1595 "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n",
1598 "this is very unlikely and probably indicates an error.\n");
1612 static int genprime_cb(int p, int n, BN_GENCB *arg)
1629 int test_kron(BIO *bp, BN_CTX *ctx)
1632 BIGNUM *a, *b, *r, *t;
1634 int legendre, kronecker;
1641 if (a == NULL || b == NULL || r == NULL || t == NULL)
1644 BN_GENCB_set(&cb, genprime_cb, NULL);
1647 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1648 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1649 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1650 * generate a random prime b and compare these values for a number of
1651 * random a's. (That is, we run the Solovay-Strassen primality test to
1652 * confirm that b is prime, except that we don't want to test whether b
1653 * is prime but whether BN_kronecker works.)
1656 if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb))
1658 b->neg = rand_neg();
1661 for (i = 0; i < num0; i++) {
1662 if (!BN_bntest_rand(a, 512, 0, 0))
1664 a->neg = rand_neg();
1666 /* t := (|b|-1)/2 (note that b is odd) */
1670 if (!BN_sub_word(t, 1))
1672 if (!BN_rshift1(t, t))
1674 /* r := a^t mod b */
1677 if (!BN_mod_exp_recp(r, a, t, b, ctx))
1681 if (BN_is_word(r, 1))
1683 else if (BN_is_zero(r))
1686 if (!BN_add_word(r, 1))
1688 if (0 != BN_ucmp(r, b)) {
1689 fprintf(stderr, "Legendre symbol computation failed\n");
1695 kronecker = BN_kronecker(a, b, ctx);
1698 /* we actually need BN_kronecker(a, |b|) */
1699 if (a->neg && b->neg)
1700 kronecker = -kronecker;
1702 if (legendre != kronecker) {
1703 fprintf(stderr, "legendre != kronecker; a = ");
1704 BN_print_fp(stderr, a);
1705 fprintf(stderr, ", b = ");
1706 BN_print_fp(stderr, b);
1707 fprintf(stderr, "\n");
1726 int test_sqrt(BIO *bp, BN_CTX *ctx)
1736 if (a == NULL || p == NULL || r == NULL)
1739 BN_GENCB_set(&cb, genprime_cb, NULL);
1741 for (i = 0; i < 16; i++) {
1743 unsigned primes[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1745 if (!BN_set_word(p, primes[i]))
1748 if (!BN_set_word(a, 32))
1750 if (!BN_set_word(r, 2 * i + 1))
1753 if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb))
1757 p->neg = rand_neg();
1759 for (j = 0; j < num2; j++) {
1761 * construct 'a' such that it is a square modulo p, but in
1762 * general not a proper square and not reduced modulo p
1764 if (!BN_bntest_rand(r, 256, 0, 3))
1766 if (!BN_nnmod(r, r, p, ctx))
1768 if (!BN_mod_sqr(r, r, p, ctx))
1770 if (!BN_bntest_rand(a, 256, 0, 3))
1772 if (!BN_nnmod(a, a, p, ctx))
1774 if (!BN_mod_sqr(a, a, p, ctx))
1776 if (!BN_mul(a, a, r, ctx))
1779 if (!BN_sub(a, a, p))
1782 if (!BN_mod_sqrt(r, a, p, ctx))
1784 if (!BN_mod_sqr(r, r, p, ctx))
1787 if (!BN_nnmod(a, a, p, ctx))
1790 if (BN_cmp(a, r) != 0) {
1791 fprintf(stderr, "BN_mod_sqrt failed: a = ");
1792 BN_print_fp(stderr, a);
1793 fprintf(stderr, ", r = ");
1794 BN_print_fp(stderr, r);
1795 fprintf(stderr, ", p = ");
1796 BN_print_fp(stderr, p);
1797 fprintf(stderr, "\n");
1816 int test_small_prime(BIO *bp, BN_CTX *ctx)
1818 static const int bits = 10;
1823 if (!BN_generate_prime_ex(r, bits, 0, NULL, NULL, NULL))
1825 if (BN_num_bits(r) != bits) {
1826 BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits,
1838 #ifndef OPENSSL_SYS_WIN32
1839 int test_probable_prime_coprime(BIO *bp, BN_CTX *ctx)
1843 BN_ULONG primes[5] = { 2, 3, 5, 7, 11 };
1847 for (i = 0; i < 1000; i++) {
1848 if (!bn_probable_prime_dh_coprime(r, 1024, ctx))
1851 for (j = 0; j < 5; j++) {
1852 if (BN_mod_word(r, primes[j]) == 0) {
1853 BIO_printf(bp, "Number generated is not coprime to "
1854 BN_DEC_FMT1 ":\n", primes[j]);
1855 BN_print_fp(stdout, r);
1856 BIO_printf(bp, "\n");
1869 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_)
1871 BIGNUM *a, *b, *c, *d;
1883 BN_bntest_rand(a, 200, 0, 0);
1884 a->neg = rand_neg();
1886 for (i = 0; i < num0; i++) {
1887 BN_lshift(b, a, i + 1);
1892 BIO_puts(bp, " * ");
1894 BIO_puts(bp, " - ");
1899 BN_mul(d, a, c, ctx);
1901 if (!BN_is_zero(d)) {
1902 fprintf(stderr, "Left shift test failed!\n");
1903 fprintf(stderr, "a=");
1904 BN_print_fp(stderr, a);
1905 fprintf(stderr, "\nb=");
1906 BN_print_fp(stderr, b);
1907 fprintf(stderr, "\nc=");
1908 BN_print_fp(stderr, c);
1909 fprintf(stderr, "\nd=");
1910 BN_print_fp(stderr, d);
1911 fprintf(stderr, "\n");
1922 int test_lshift1(BIO *bp)
1931 BN_bntest_rand(a, 200, 0, 0);
1932 a->neg = rand_neg();
1933 for (i = 0; i < num0; i++) {
1938 BIO_puts(bp, " * 2");
1939 BIO_puts(bp, " - ");
1946 if (!BN_is_zero(a)) {
1947 fprintf(stderr, "Left shift one test failed!\n");
1959 int test_rshift(BIO *bp, BN_CTX *ctx)
1961 BIGNUM *a, *b, *c, *d, *e;
1971 BN_bntest_rand(a, 200, 0, 0);
1972 a->neg = rand_neg();
1973 for (i = 0; i < num0; i++) {
1974 BN_rshift(b, a, i + 1);
1979 BIO_puts(bp, " / ");
1981 BIO_puts(bp, " - ");
1986 BN_div(d, e, a, c, ctx);
1988 if (!BN_is_zero(d)) {
1989 fprintf(stderr, "Right shift test failed!\n");
2001 int test_rshift1(BIO *bp)
2010 BN_bntest_rand(a, 200, 0, 0);
2011 a->neg = rand_neg();
2012 for (i = 0; i < num0; i++) {
2017 BIO_puts(bp, " / 2");
2018 BIO_puts(bp, " - ");
2025 if (!BN_is_zero(c) && !BN_abs_is_word(c, 1)) {
2026 fprintf(stderr, "Right shift one test failed!\n");
2039 static unsigned int neg = 0;
2040 static int sign[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
2042 return (sign[(neg++) % 8]);
projects / openssl.git / blob