2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
13 * Portions of the attached software ("Contribution") are developed by
14 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
16 * The Contribution is licensed pursuant to the Eric Young open source
17 * license provided above.
19 * The binary polynomial arithmetic software is originally written by
20 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
30 #include <openssl/bio.h>
31 #include <openssl/bn.h>
32 #include <openssl/rand.h>
33 #include <openssl/x509.h>
34 #include <openssl/err.h>
37 * In bn_lcl.h, bn_expand() is defined as a static ossl_inline function.
38 * This is fine in itself, it will end up as an unused static function in
39 * the worst case. However, it referenses bn_expand2(), which is a private
40 * function in libcrypto and therefore unavailable on some systems. This
41 * may result in a linker error because of unresolved symbols.
43 * To avoid this, we define a dummy variant of bn_expand2() here, and to
44 * avoid possible clashes with libcrypto, we rename it first, using a macro.
46 #define bn_expand2 dummy_bn_expand2
47 BIGNUM *bn_expand2(BIGNUM *b, int words);
48 BIGNUM *bn_expand2(BIGNUM *b, int words) { return NULL; }
50 #include "../crypto/bn/bn_lcl.h"
52 static const int num0 = 100; /* number of tests */
53 static const int num1 = 50; /* additional tests for some functions */
54 static const int num2 = 5; /* number of tests for slow functions */
56 int test_add(BIO *bp);
57 int test_sub(BIO *bp);
58 int test_lshift1(BIO *bp);
59 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_);
60 int test_rshift1(BIO *bp);
61 int test_rshift(BIO *bp, BN_CTX *ctx);
62 int test_div(BIO *bp, BN_CTX *ctx);
63 int test_div_word(BIO *bp);
64 int test_div_recp(BIO *bp, BN_CTX *ctx);
65 int test_mul(BIO *bp);
66 int test_sqr(BIO *bp, BN_CTX *ctx);
67 int test_mont(BIO *bp, BN_CTX *ctx);
68 int test_mod(BIO *bp, BN_CTX *ctx);
69 int test_mod_mul(BIO *bp, BN_CTX *ctx);
70 int test_mod_exp(BIO *bp, BN_CTX *ctx);
71 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);
72 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
73 int test_exp(BIO *bp, BN_CTX *ctx);
74 int test_gf2m_add(BIO *bp);
75 int test_gf2m_mod(BIO *bp);
76 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx);
77 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx);
78 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx);
79 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx);
80 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx);
81 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx);
82 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
83 int test_kron(BIO *bp, BN_CTX *ctx);
84 int test_sqrt(BIO *bp, BN_CTX *ctx);
85 int test_small_prime(BIO *bp, BN_CTX *ctx);
86 int test_bn2dec(BIO *bp);
88 static int results = 0;
90 static unsigned char lst[] =
91 "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
92 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
94 static const char rnd_seed[] =
95 "string to make the random number generator think it has entropy";
97 static void message(BIO *out, char *m)
99 fprintf(stderr, "test %s\n", m);
100 BIO_puts(out, "print \"test ");
102 BIO_puts(out, "\\n\"\n");
105 int main(int argc, char *argv[])
109 char *outfile = NULL;
111 CRYPTO_set_mem_debug(1);
112 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
116 RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
121 if (strcmp(*argv, "-results") == 0)
123 else if (strcmp(*argv, "-out") == 0) {
136 out = BIO_new(BIO_s_file());
139 if (outfile == NULL) {
140 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
142 if (!BIO_write_filename(out, outfile)) {
147 #ifdef OPENSSL_SYS_VMS
149 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
150 out = BIO_push(tmpbio, out);
155 BIO_puts(out, "obase=16\nibase=16\n");
157 message(out, "BN_add");
160 (void)BIO_flush(out);
162 message(out, "BN_sub");
165 (void)BIO_flush(out);
167 message(out, "BN_lshift1");
168 if (!test_lshift1(out))
170 (void)BIO_flush(out);
172 message(out, "BN_lshift (fixed)");
173 if (!test_lshift(out, ctx, BN_bin2bn(lst, sizeof(lst) - 1, NULL)))
175 (void)BIO_flush(out);
177 message(out, "BN_lshift");
178 if (!test_lshift(out, ctx, NULL))
180 (void)BIO_flush(out);
182 message(out, "BN_rshift1");
183 if (!test_rshift1(out))
185 (void)BIO_flush(out);
187 message(out, "BN_rshift");
188 if (!test_rshift(out, ctx))
190 (void)BIO_flush(out);
192 message(out, "BN_sqr");
193 if (!test_sqr(out, ctx))
195 (void)BIO_flush(out);
197 message(out, "BN_mul");
200 (void)BIO_flush(out);
202 message(out, "BN_div");
203 if (!test_div(out, ctx))
205 (void)BIO_flush(out);
207 message(out, "BN_div_word");
208 if (!test_div_word(out))
210 (void)BIO_flush(out);
212 message(out, "BN_div_recp");
213 if (!test_div_recp(out, ctx))
215 (void)BIO_flush(out);
217 message(out, "BN_mod");
218 if (!test_mod(out, ctx))
220 (void)BIO_flush(out);
222 message(out, "BN_mod_mul");
223 if (!test_mod_mul(out, ctx))
225 (void)BIO_flush(out);
227 message(out, "BN_mont");
228 if (!test_mont(out, ctx))
230 (void)BIO_flush(out);
232 message(out, "BN_mod_exp");
233 if (!test_mod_exp(out, ctx))
235 (void)BIO_flush(out);
237 message(out, "BN_mod_exp_mont_consttime");
238 if (!test_mod_exp_mont_consttime(out, ctx))
240 if (!test_mod_exp_mont5(out, ctx))
242 (void)BIO_flush(out);
244 message(out, "BN_exp");
245 if (!test_exp(out, ctx))
247 (void)BIO_flush(out);
249 message(out, "BN_kronecker");
250 if (!test_kron(out, ctx))
252 (void)BIO_flush(out);
254 message(out, "BN_mod_sqrt");
255 if (!test_sqrt(out, ctx))
257 (void)BIO_flush(out);
259 message(out, "Small prime generation");
260 if (!test_small_prime(out, ctx))
262 (void)BIO_flush(out);
264 message(out, "BN_bn2dec");
265 if (!test_bn2dec(out))
267 (void)BIO_flush(out);
269 #ifndef OPENSSL_NO_EC2M
270 message(out, "BN_GF2m_add");
271 if (!test_gf2m_add(out))
273 (void)BIO_flush(out);
275 message(out, "BN_GF2m_mod");
276 if (!test_gf2m_mod(out))
278 (void)BIO_flush(out);
280 message(out, "BN_GF2m_mod_mul");
281 if (!test_gf2m_mod_mul(out, ctx))
283 (void)BIO_flush(out);
285 message(out, "BN_GF2m_mod_sqr");
286 if (!test_gf2m_mod_sqr(out, ctx))
288 (void)BIO_flush(out);
290 message(out, "BN_GF2m_mod_inv");
291 if (!test_gf2m_mod_inv(out, ctx))
293 (void)BIO_flush(out);
295 message(out, "BN_GF2m_mod_div");
296 if (!test_gf2m_mod_div(out, ctx))
298 (void)BIO_flush(out);
300 message(out, "BN_GF2m_mod_exp");
301 if (!test_gf2m_mod_exp(out, ctx))
303 (void)BIO_flush(out);
305 message(out, "BN_GF2m_mod_sqrt");
306 if (!test_gf2m_mod_sqrt(out, ctx))
308 (void)BIO_flush(out);
310 message(out, "BN_GF2m_mod_solve_quad");
311 if (!test_gf2m_mod_solve_quad(out, ctx))
313 (void)BIO_flush(out);
318 ERR_print_errors_fp(stderr);
320 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
321 if (CRYPTO_mem_leaks_fp(stderr) <= 0)
326 BIO_puts(out, "1\n"); /* make sure the Perl script fed by bc
327 * notices the failure, see test_bn in
328 * test/Makefile.ssl */
329 (void)BIO_flush(out);
333 ERR_print_errors_fp(stderr);
337 int test_add(BIO *bp)
346 BN_bntest_rand(a, 512, 0, 0);
347 for (i = 0; i < num0; i++) {
348 BN_bntest_rand(b, 450 + i, 0, 0);
366 if (!BN_is_zero(c)) {
367 fprintf(stderr, "Add test failed!\n");
377 int test_sub(BIO *bp)
386 for (i = 0; i < num0 + num1; i++) {
388 BN_bntest_rand(a, 512, 0, 0);
390 if (BN_set_bit(a, i) == 0)
394 BN_bntest_rand(b, 400 + i - num1, 0, 0);
411 if (!BN_is_zero(c)) {
412 fprintf(stderr, "Subtract test failed!\n");
422 int test_div(BIO *bp, BN_CTX *ctx)
424 BIGNUM *a, *b, *c, *d, *e;
436 if (BN_div(d, c, a, b, ctx)) {
437 fprintf(stderr, "Division by zero succeeded!\n");
441 for (i = 0; i < num0 + num1; i++) {
443 BN_bntest_rand(a, 400, 0, 0);
448 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
451 BN_div(d, c, a, b, ctx);
471 BN_mul(e, d, b, ctx);
474 if (!BN_is_zero(d)) {
475 fprintf(stderr, "Division test failed!\n");
487 static void print_word(BIO *bp, BN_ULONG w)
489 int i = sizeof(w) * 8;
495 byte = (unsigned char)(w >> i);
497 fmt = byte ? "%X" : NULL;
502 BIO_printf(bp, fmt, byte);
505 /* If we haven't printed anything, at least print a zero! */
510 int test_div_word(BIO *bp)
519 for (i = 0; i < num0; i++) {
521 BN_bntest_rand(a, 512, -1, 0);
522 BN_bntest_rand(b, BN_BITS2, -1, 0);
523 } while (BN_is_zero(b));
527 rmod = BN_mod_word(b, s);
528 r = BN_div_word(b, s);
531 fprintf(stderr, "Mod (word) test failed!\n");
557 if (!BN_is_zero(b)) {
558 fprintf(stderr, "Division (word) test failed!\n");
567 int test_div_recp(BIO *bp, BN_CTX *ctx)
569 BIGNUM *a, *b, *c, *d, *e;
573 recp = BN_RECP_CTX_new();
580 for (i = 0; i < num0 + num1; i++) {
582 BN_bntest_rand(a, 400, 0, 0);
587 BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
590 BN_RECP_CTX_set(recp, b, ctx);
591 BN_div_recp(d, c, a, recp, ctx);
611 BN_mul(e, d, b, ctx);
614 if (!BN_is_zero(d)) {
615 fprintf(stderr, "Reciprocal division test failed!\n");
616 fprintf(stderr, "a=");
617 BN_print_fp(stderr, a);
618 fprintf(stderr, "\nb=");
619 BN_print_fp(stderr, b);
620 fprintf(stderr, "\n");
629 BN_RECP_CTX_free(recp);
633 int test_mul(BIO *bp)
635 BIGNUM *a, *b, *c, *d, *e;
649 for (i = 0; i < num0 + num1; i++) {
651 BN_bntest_rand(a, 100, 0, 0);
652 BN_bntest_rand(b, 100, 0, 0);
654 BN_bntest_rand(b, i - num1, 0, 0);
657 BN_mul(c, a, b, ctx);
668 BN_div(d, e, c, a, ctx);
670 if (!BN_is_zero(d) || !BN_is_zero(e)) {
671 fprintf(stderr, "Multiplication test failed!\n");
684 int test_sqr(BIO *bp, BN_CTX *ctx)
686 BIGNUM *a, *c, *d, *e;
693 if (a == NULL || c == NULL || d == NULL || e == NULL) {
697 for (i = 0; i < num0; i++) {
698 BN_bntest_rand(a, 40 + i * 10, 0, 0);
711 BN_div(d, e, c, a, ctx);
713 if (!BN_is_zero(d) || !BN_is_zero(e)) {
714 fprintf(stderr, "Square test failed!\n");
719 /* Regression test for a BN_sqr overflow bug. */
721 "80000000000000008000000000000001"
722 "FFFFFFFFFFFFFFFE0000000000000000");
734 BN_mul(d, a, a, ctx);
736 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
737 "different results!\n");
741 /* Regression test for a BN_sqr overflow bug. */
743 "80000000000000000000000080000001"
744 "FFFFFFFE000000000000000000000000");
756 BN_mul(d, a, a, ctx);
758 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
759 "different results!\n");
771 int test_mont(BIO *bp, BN_CTX *ctx)
773 BIGNUM *a, *b, *c, *d, *A, *B;
786 mont = BN_MONT_CTX_new();
791 if (BN_MONT_CTX_set(mont, n, ctx)) {
792 fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
797 if (BN_MONT_CTX_set(mont, n, ctx)) {
798 fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
802 BN_bntest_rand(a, 100, 0, 0);
803 BN_bntest_rand(b, 100, 0, 0);
804 for (i = 0; i < num2; i++) {
805 int bits = (200 * (i + 1)) / num2;
809 BN_bntest_rand(n, bits, 0, 1);
810 BN_MONT_CTX_set(mont, n, ctx);
812 BN_nnmod(a, a, n, ctx);
813 BN_nnmod(b, b, n, ctx);
815 BN_to_montgomery(A, a, mont, ctx);
816 BN_to_montgomery(B, b, mont, ctx);
818 BN_mod_mul_montgomery(c, A, B, mont, ctx);
819 BN_from_montgomery(A, c, mont, ctx);
826 BN_print(bp, &mont->N);
832 BN_mod_mul(d, a, b, n, ctx);
834 if (!BN_is_zero(d)) {
835 fprintf(stderr, "Montgomery multiplication test failed!\n");
840 /* Regression test for carry bug in mulx4x_mont */
842 "7878787878787878787878787878787878787878787878787878787878787878"
843 "7878787878787878787878787878787878787878787878787878787878787878"
844 "7878787878787878787878787878787878787878787878787878787878787878"
845 "7878787878787878787878787878787878787878787878787878787878787878");
847 "095D72C08C097BA488C5E439C655A192EAFB6380073D8C2664668EDDB4060744"
848 "E16E57FB4EDB9AE10A0CEFCDC28A894F689A128379DB279D48A2E20849D68593"
849 "9B7803BCF46CEBF5C533FB0DD35B080593DE5472E3FE5DB951B8BFF9B4CB8F03"
850 "9CC638A5EE8CDD703719F8000E6A9F63BEED5F2FCD52FF293EA05A251BB4AB81");
852 "D78AF684E71DB0C39CFF4E64FB9DB567132CB9C50CC98009FEB820B26F2DED9B"
853 "91B9B5E2B83AE0AE4EB4E0523CA726BFBE969B89FD754F674CE99118C3F2D1C5"
854 "D81FDC7C54E02B60262B241D53C040E99E45826ECA37A804668E690E1AFC1CA4"
855 "2C9A15D84D4954425F0B7642FC0BD9D7B24E2618D2DCC9B729D944BADACFDDAF");
856 BN_MONT_CTX_set(mont, n, ctx);
857 BN_mod_mul_montgomery(c, a, b, mont, ctx);
858 BN_mod_mul_montgomery(d, b, a, mont, ctx);
860 fprintf(stderr, "Montgomery multiplication test failed:"
865 BN_MONT_CTX_free(mont);
876 int test_mod(BIO *bp, BN_CTX *ctx)
878 BIGNUM *a, *b, *c, *d, *e;
887 BN_bntest_rand(a, 1024, 0, 0);
888 for (i = 0; i < num0; i++) {
889 BN_bntest_rand(b, 450 + i * 10, 0, 0);
892 BN_mod(c, a, b, ctx);
903 BN_div(d, e, a, b, ctx);
905 if (!BN_is_zero(e)) {
906 fprintf(stderr, "Modulo test failed!\n");
918 int test_mod_mul(BIO *bp, BN_CTX *ctx)
920 BIGNUM *a, *b, *c, *d, *e;
932 if (BN_mod_mul(e, a, b, c, ctx)) {
933 fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
937 for (j = 0; j < 3; j++) {
938 BN_bntest_rand(c, 1024, 0, 0);
939 for (i = 0; i < num0; i++) {
940 BN_bntest_rand(a, 475 + i * 10, 0, 0);
941 BN_bntest_rand(b, 425 + i * 11, 0, 0);
944 if (!BN_mod_mul(e, a, b, c, ctx)) {
947 while ((l = ERR_get_error()))
948 fprintf(stderr, "ERROR:%s\n", ERR_error_string(l, NULL));
958 if ((a->neg ^ b->neg) && !BN_is_zero(e)) {
960 * If (a*b) % c is negative, c must be added in order
961 * to obtain the normalized remainder (new with
962 * OpenSSL 0.9.7, previous versions of BN_mod_mul
963 * could generate negative results)
973 BN_mul(d, a, b, ctx);
975 BN_div(a, b, d, c, ctx);
976 if (!BN_is_zero(b)) {
977 fprintf(stderr, "Modulo multiply test failed!\n");
978 ERR_print_errors_fp(stderr);
991 int test_mod_exp(BIO *bp, BN_CTX *ctx)
993 BIGNUM *a, *b, *c, *d, *e;
1005 if (BN_mod_exp(d, a, b, c, ctx)) {
1006 fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
1010 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1011 for (i = 0; i < num2; i++) {
1012 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1013 BN_bntest_rand(b, 2 + i, 0, 0);
1015 if (!BN_mod_exp(d, a, b, c, ctx))
1021 BIO_puts(bp, " ^ ");
1023 BIO_puts(bp, " % ");
1025 BIO_puts(bp, " - ");
1030 BN_exp(e, a, b, ctx);
1032 BN_div(a, b, e, c, ctx);
1033 if (!BN_is_zero(b)) {
1034 fprintf(stderr, "Modulo exponentiation test failed!\n");
1039 /* Regression test for carry propagation bug in sqr8x_reduction */
1040 BN_hex2bn(&a, "050505050505");
1041 BN_hex2bn(&b, "02");
1043 "4141414141414141414141274141414141414141414141414141414141414141"
1044 "4141414141414141414141414141414141414141414141414141414141414141"
1045 "4141414141414141414141800000000000000000000000000000000000000000"
1046 "0000000000000000000000000000000000000000000000000000000000000000"
1047 "0000000000000000000000000000000000000000000000000000000000000000"
1048 "0000000000000000000000000000000000000000000000000000000001");
1049 BN_mod_exp(d, a, b, c, ctx);
1050 BN_mul(e, a, a, ctx);
1052 fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
1064 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
1066 BIGNUM *a, *b, *c, *d, *e;
1078 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1079 fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
1085 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1086 fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
1091 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1092 for (i = 0; i < num2; i++) {
1093 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1094 BN_bntest_rand(b, 2 + i, 0, 0);
1096 if (!BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL))
1102 BIO_puts(bp, " ^ ");
1104 BIO_puts(bp, " % ");
1106 BIO_puts(bp, " - ");
1111 BN_exp(e, a, b, ctx);
1113 BN_div(a, b, e, c, ctx);
1114 if (!BN_is_zero(b)) {
1115 fprintf(stderr, "Modulo exponentiation test failed!\n");
1128 * Test constant-time modular exponentiation with 1024-bit inputs, which on
1129 * x86_64 cause a different code branch to be taken.
1131 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
1133 BIGNUM *a, *p, *m, *d, *e;
1141 mont = BN_MONT_CTX_new();
1143 BN_bntest_rand(m, 1024, 0, 1); /* must be odd for montgomery */
1145 BN_bntest_rand(a, 1024, 0, 0);
1147 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1149 if (!BN_is_one(d)) {
1150 fprintf(stderr, "Modular exponentiation test failed!\n");
1154 BN_bntest_rand(p, 1024, 0, 0);
1156 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1158 if (!BN_is_zero(d)) {
1159 fprintf(stderr, "Modular exponentiation test failed!\n");
1163 * Craft an input whose Montgomery representation is 1, i.e., shorter
1164 * than the modulus m, in order to test the const time precomputation
1165 * scattering/gathering.
1168 BN_MONT_CTX_set(mont, m, ctx);
1169 if (!BN_from_montgomery(e, a, mont, ctx))
1171 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1173 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1175 if (BN_cmp(a, d) != 0) {
1176 fprintf(stderr, "Modular exponentiation test failed!\n");
1179 /* Finally, some regular test vectors. */
1180 BN_bntest_rand(e, 1024, 0, 0);
1181 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1183 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1185 if (BN_cmp(a, d) != 0) {
1186 fprintf(stderr, "Modular exponentiation test failed!\n");
1189 BN_MONT_CTX_free(mont);
1198 int test_exp(BIO *bp, BN_CTX *ctx)
1200 BIGNUM *a, *b, *d, *e, *one;
1210 for (i = 0; i < num2; i++) {
1211 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1212 BN_bntest_rand(b, 2 + i, 0, 0);
1214 if (BN_exp(d, a, b, ctx) <= 0)
1220 BIO_puts(bp, " ^ ");
1222 BIO_puts(bp, " - ");
1228 for (; !BN_is_zero(b); BN_sub(b, b, one))
1229 BN_mul(e, e, a, ctx);
1231 if (!BN_is_zero(e)) {
1232 fprintf(stderr, "Exponentiation test failed!\n");
1244 #ifndef OPENSSL_NO_EC2M
1245 int test_gf2m_add(BIO *bp)
1254 for (i = 0; i < num0; i++) {
1255 BN_rand(a, 512, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY);
1256 BN_copy(b, BN_value_one());
1257 a->neg = rand_neg();
1258 b->neg = rand_neg();
1259 BN_GF2m_add(c, a, b);
1260 /* Test that two added values have the correct parity. */
1261 if ((BN_is_odd(a) && BN_is_odd(c))
1262 || (!BN_is_odd(a) && !BN_is_odd(c))) {
1263 fprintf(stderr, "GF(2^m) addition test (a) failed!\n");
1266 BN_GF2m_add(c, c, c);
1267 /* Test that c + c = 0. */
1268 if (!BN_is_zero(c)) {
1269 fprintf(stderr, "GF(2^m) addition test (b) failed!\n");
1281 int test_gf2m_mod(BIO *bp)
1283 BIGNUM *a, *b[2], *c, *d, *e;
1285 int p0[] = { 163, 7, 6, 3, 0, -1 };
1286 int p1[] = { 193, 15, 0, -1 };
1295 BN_GF2m_arr2poly(p0, b[0]);
1296 BN_GF2m_arr2poly(p1, b[1]);
1298 for (i = 0; i < num0; i++) {
1299 BN_bntest_rand(a, 1024, 0, 0);
1300 for (j = 0; j < 2; j++) {
1301 BN_GF2m_mod(c, a, b[j]);
1302 BN_GF2m_add(d, a, c);
1303 BN_GF2m_mod(e, d, b[j]);
1304 /* Test that a + (a mod p) mod p == 0. */
1305 if (!BN_is_zero(e)) {
1306 fprintf(stderr, "GF(2^m) modulo test failed!\n");
1322 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx)
1324 BIGNUM *a, *b[2], *c, *d, *e, *f, *g, *h;
1326 int p0[] = { 163, 7, 6, 3, 0, -1 };
1327 int p1[] = { 193, 15, 0, -1 };
1339 BN_GF2m_arr2poly(p0, b[0]);
1340 BN_GF2m_arr2poly(p1, b[1]);
1342 for (i = 0; i < num0; i++) {
1343 BN_bntest_rand(a, 1024, 0, 0);
1344 BN_bntest_rand(c, 1024, 0, 0);
1345 BN_bntest_rand(d, 1024, 0, 0);
1346 for (j = 0; j < 2; j++) {
1347 BN_GF2m_mod_mul(e, a, c, b[j], ctx);
1348 BN_GF2m_add(f, a, d);
1349 BN_GF2m_mod_mul(g, f, c, b[j], ctx);
1350 BN_GF2m_mod_mul(h, d, c, b[j], ctx);
1351 BN_GF2m_add(f, e, g);
1352 BN_GF2m_add(f, f, h);
1353 /* Test that (a+d)*c = a*c + d*c. */
1354 if (!BN_is_zero(f)) {
1356 "GF(2^m) modular multiplication test failed!\n");
1375 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx)
1377 BIGNUM *a, *b[2], *c, *d;
1379 int p0[] = { 163, 7, 6, 3, 0, -1 };
1380 int p1[] = { 193, 15, 0, -1 };
1388 BN_GF2m_arr2poly(p0, b[0]);
1389 BN_GF2m_arr2poly(p1, b[1]);
1391 for (i = 0; i < num0; i++) {
1392 BN_bntest_rand(a, 1024, 0, 0);
1393 for (j = 0; j < 2; j++) {
1394 BN_GF2m_mod_sqr(c, a, b[j], ctx);
1396 BN_GF2m_mod_mul(d, a, d, b[j], ctx);
1397 BN_GF2m_add(d, c, d);
1398 /* Test that a*a = a^2. */
1399 if (!BN_is_zero(d)) {
1400 fprintf(stderr, "GF(2^m) modular squaring test failed!\n");
1415 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx)
1417 BIGNUM *a, *b[2], *c, *d;
1419 int p0[] = { 163, 7, 6, 3, 0, -1 };
1420 int p1[] = { 193, 15, 0, -1 };
1428 BN_GF2m_arr2poly(p0, b[0]);
1429 BN_GF2m_arr2poly(p1, b[1]);
1431 for (i = 0; i < num0; i++) {
1432 BN_bntest_rand(a, 512, 0, 0);
1433 for (j = 0; j < 2; j++) {
1434 BN_GF2m_mod_inv(c, a, b[j], ctx);
1435 BN_GF2m_mod_mul(d, a, c, b[j], ctx);
1436 /* Test that ((1/a)*a) = 1. */
1437 if (!BN_is_one(d)) {
1438 fprintf(stderr, "GF(2^m) modular inversion test failed!\n");
1453 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx)
1455 BIGNUM *a, *b[2], *c, *d, *e, *f;
1457 int p0[] = { 163, 7, 6, 3, 0, -1 };
1458 int p1[] = { 193, 15, 0, -1 };
1468 BN_GF2m_arr2poly(p0, b[0]);
1469 BN_GF2m_arr2poly(p1, b[1]);
1471 for (i = 0; i < num0; i++) {
1472 BN_bntest_rand(a, 512, 0, 0);
1473 BN_bntest_rand(c, 512, 0, 0);
1474 for (j = 0; j < 2; j++) {
1475 BN_GF2m_mod_div(d, a, c, b[j], ctx);
1476 BN_GF2m_mod_mul(e, d, c, b[j], ctx);
1477 BN_GF2m_mod_div(f, a, e, b[j], ctx);
1478 /* Test that ((a/c)*c)/a = 1. */
1479 if (!BN_is_one(f)) {
1480 fprintf(stderr, "GF(2^m) modular division test failed!\n");
1497 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx)
1499 BIGNUM *a, *b[2], *c, *d, *e, *f;
1501 int p0[] = { 163, 7, 6, 3, 0, -1 };
1502 int p1[] = { 193, 15, 0, -1 };
1512 BN_GF2m_arr2poly(p0, b[0]);
1513 BN_GF2m_arr2poly(p1, b[1]);
1515 for (i = 0; i < num0; i++) {
1516 BN_bntest_rand(a, 512, 0, 0);
1517 BN_bntest_rand(c, 512, 0, 0);
1518 BN_bntest_rand(d, 512, 0, 0);
1519 for (j = 0; j < 2; j++) {
1520 BN_GF2m_mod_exp(e, a, c, b[j], ctx);
1521 BN_GF2m_mod_exp(f, a, d, b[j], ctx);
1522 BN_GF2m_mod_mul(e, e, f, b[j], ctx);
1524 BN_GF2m_mod_exp(f, a, f, b[j], ctx);
1525 BN_GF2m_add(f, e, f);
1526 /* Test that a^(c+d)=a^c*a^d. */
1527 if (!BN_is_zero(f)) {
1529 "GF(2^m) modular exponentiation test failed!\n");
1546 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx)
1548 BIGNUM *a, *b[2], *c, *d, *e, *f;
1550 int p0[] = { 163, 7, 6, 3, 0, -1 };
1551 int p1[] = { 193, 15, 0, -1 };
1561 BN_GF2m_arr2poly(p0, b[0]);
1562 BN_GF2m_arr2poly(p1, b[1]);
1564 for (i = 0; i < num0; i++) {
1565 BN_bntest_rand(a, 512, 0, 0);
1566 for (j = 0; j < 2; j++) {
1567 BN_GF2m_mod(c, a, b[j]);
1568 BN_GF2m_mod_sqrt(d, a, b[j], ctx);
1569 BN_GF2m_mod_sqr(e, d, b[j], ctx);
1570 BN_GF2m_add(f, c, e);
1571 /* Test that d^2 = a, where d = sqrt(a). */
1572 if (!BN_is_zero(f)) {
1573 fprintf(stderr, "GF(2^m) modular square root test failed!\n");
1590 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx)
1592 BIGNUM *a, *b[2], *c, *d, *e;
1593 int i, j, s = 0, t, ret = 0;
1594 int p0[] = { 163, 7, 6, 3, 0, -1 };
1595 int p1[] = { 193, 15, 0, -1 };
1604 BN_GF2m_arr2poly(p0, b[0]);
1605 BN_GF2m_arr2poly(p1, b[1]);
1607 for (i = 0; i < num0; i++) {
1608 BN_bntest_rand(a, 512, 0, 0);
1609 for (j = 0; j < 2; j++) {
1610 t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
1613 BN_GF2m_mod_sqr(d, c, b[j], ctx);
1614 BN_GF2m_add(d, c, d);
1615 BN_GF2m_mod(e, a, b[j]);
1616 BN_GF2m_add(e, e, d);
1618 * Test that solution of quadratic c satisfies c^2 + c = a.
1620 if (!BN_is_zero(e)) {
1622 "GF(2^m) modular solve quadratic test failed!\n");
1631 "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n",
1634 "this is very unlikely and probably indicates an error.\n");
1648 static int genprime_cb(int p, int n, BN_GENCB *arg)
1665 int test_kron(BIO *bp, BN_CTX *ctx)
1668 BIGNUM *a, *b, *r, *t;
1670 int legendre, kronecker;
1677 if (a == NULL || b == NULL || r == NULL || t == NULL)
1680 BN_GENCB_set(&cb, genprime_cb, NULL);
1683 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1684 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1685 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1686 * generate a random prime b and compare these values for a number of
1687 * random a's. (That is, we run the Solovay-Strassen primality test to
1688 * confirm that b is prime, except that we don't want to test whether b
1689 * is prime but whether BN_kronecker works.)
1692 if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb))
1694 b->neg = rand_neg();
1697 for (i = 0; i < num0; i++) {
1698 if (!BN_bntest_rand(a, 512, 0, 0))
1700 a->neg = rand_neg();
1702 /* t := (|b|-1)/2 (note that b is odd) */
1706 if (!BN_sub_word(t, 1))
1708 if (!BN_rshift1(t, t))
1710 /* r := a^t mod b */
1713 if (!BN_mod_exp_recp(r, a, t, b, ctx))
1717 if (BN_is_word(r, 1))
1719 else if (BN_is_zero(r))
1722 if (!BN_add_word(r, 1))
1724 if (0 != BN_ucmp(r, b)) {
1725 fprintf(stderr, "Legendre symbol computation failed\n");
1731 kronecker = BN_kronecker(a, b, ctx);
1734 /* we actually need BN_kronecker(a, |b|) */
1735 if (a->neg && b->neg)
1736 kronecker = -kronecker;
1738 if (legendre != kronecker) {
1739 fprintf(stderr, "legendre != kronecker; a = ");
1740 BN_print_fp(stderr, a);
1741 fprintf(stderr, ", b = ");
1742 BN_print_fp(stderr, b);
1743 fprintf(stderr, "\n");
1762 int test_sqrt(BIO *bp, BN_CTX *ctx)
1772 if (a == NULL || p == NULL || r == NULL)
1775 BN_GENCB_set(&cb, genprime_cb, NULL);
1777 for (i = 0; i < 16; i++) {
1779 unsigned primes[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1781 if (!BN_set_word(p, primes[i]))
1784 if (!BN_set_word(a, 32))
1786 if (!BN_set_word(r, 2 * i + 1))
1789 if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb))
1793 p->neg = rand_neg();
1795 for (j = 0; j < num2; j++) {
1797 * construct 'a' such that it is a square modulo p, but in
1798 * general not a proper square and not reduced modulo p
1800 if (!BN_bntest_rand(r, 256, 0, 3))
1802 if (!BN_nnmod(r, r, p, ctx))
1804 if (!BN_mod_sqr(r, r, p, ctx))
1806 if (!BN_bntest_rand(a, 256, 0, 3))
1808 if (!BN_nnmod(a, a, p, ctx))
1810 if (!BN_mod_sqr(a, a, p, ctx))
1812 if (!BN_mul(a, a, r, ctx))
1815 if (!BN_sub(a, a, p))
1818 if (!BN_mod_sqrt(r, a, p, ctx))
1820 if (!BN_mod_sqr(r, r, p, ctx))
1823 if (!BN_nnmod(a, a, p, ctx))
1826 if (BN_cmp(a, r) != 0) {
1827 fprintf(stderr, "BN_mod_sqrt failed: a = ");
1828 BN_print_fp(stderr, a);
1829 fprintf(stderr, ", r = ");
1830 BN_print_fp(stderr, r);
1831 fprintf(stderr, ", p = ");
1832 BN_print_fp(stderr, p);
1833 fprintf(stderr, "\n");
1852 int test_small_prime(BIO *bp, BN_CTX *ctx)
1854 static const int bits = 10;
1859 if (!BN_generate_prime_ex(r, bits, 0, NULL, NULL, NULL))
1861 if (BN_num_bits(r) != bits) {
1862 BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits,
1874 int test_bn2dec(BIO *bp)
1876 static const char *bn2dec_tests[] = {
1882 "123456789012345678901234567890",
1883 "-123456789012345678901234567890",
1884 "123456789012345678901234567890123456789012345678901234567890",
1885 "-123456789012345678901234567890123456789012345678901234567890",
1892 for (i = 0; i < OSSL_NELEM(bn2dec_tests); i++) {
1893 if (!BN_dec2bn(&bn, bn2dec_tests[i]))
1896 dec = BN_bn2dec(bn);
1898 fprintf(stderr, "BN_bn2dec failed on %s.\n", bn2dec_tests[i]);
1902 if (strcmp(dec, bn2dec_tests[i]) != 0) {
1903 fprintf(stderr, "BN_bn2dec gave %s, wanted %s.\n", dec,
1920 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_)
1922 BIGNUM *a, *b, *c, *d;
1934 BN_bntest_rand(a, 200, 0, 0);
1935 a->neg = rand_neg();
1937 for (i = 0; i < num0; i++) {
1938 BN_lshift(b, a, i + 1);
1943 BIO_puts(bp, " * ");
1945 BIO_puts(bp, " - ");
1950 BN_mul(d, a, c, ctx);
1952 if (!BN_is_zero(d)) {
1953 fprintf(stderr, "Left shift test failed!\n");
1954 fprintf(stderr, "a=");
1955 BN_print_fp(stderr, a);
1956 fprintf(stderr, "\nb=");
1957 BN_print_fp(stderr, b);
1958 fprintf(stderr, "\nc=");
1959 BN_print_fp(stderr, c);
1960 fprintf(stderr, "\nd=");
1961 BN_print_fp(stderr, d);
1962 fprintf(stderr, "\n");
1973 int test_lshift1(BIO *bp)
1982 BN_bntest_rand(a, 200, 0, 0);
1983 a->neg = rand_neg();
1984 for (i = 0; i < num0; i++) {
1989 BIO_puts(bp, " * 2");
1990 BIO_puts(bp, " - ");
1997 if (!BN_is_zero(a)) {
1998 fprintf(stderr, "Left shift one test failed!\n");
2010 int test_rshift(BIO *bp, BN_CTX *ctx)
2012 BIGNUM *a, *b, *c, *d, *e;
2022 BN_bntest_rand(a, 200, 0, 0);
2023 a->neg = rand_neg();
2024 for (i = 0; i < num0; i++) {
2025 BN_rshift(b, a, i + 1);
2030 BIO_puts(bp, " / ");
2032 BIO_puts(bp, " - ");
2037 BN_div(d, e, a, c, ctx);
2039 if (!BN_is_zero(d)) {
2040 fprintf(stderr, "Right shift test failed!\n");
2052 int test_rshift1(BIO *bp)
2061 BN_bntest_rand(a, 200, 0, 0);
2062 a->neg = rand_neg();
2063 for (i = 0; i < num0; i++) {
2068 BIO_puts(bp, " / 2");
2069 BIO_puts(bp, " - ");
2076 if (!BN_is_zero(c) && !BN_abs_is_word(c, 1)) {
2077 fprintf(stderr, "Right shift one test failed!\n");
2090 static unsigned int neg = 0;
2091 static int sign[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
2093 return (sign[(neg++) % 8]);
projects / openssl.git / blob