1 /* crypto/bn/bntest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
64 * The Contribution is licensed pursuant to the Eric Young open source
65 * license provided above.
67 * The binary polynomial arithmetic software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
73 * Until the key-gen callbacks are modified to use newer prototypes, we allow
74 * deprecated functions for openssl-internal code
76 #ifdef OPENSSL_NO_DEPRECATED
77 # undef OPENSSL_NO_DEPRECATED
86 #include <openssl/bio.h>
87 #include <openssl/bn.h>
88 #include <openssl/rand.h>
89 #include <openssl/x509.h>
90 #include <openssl/err.h>
93 # define OSSL_NELEM(x) (sizeof(x)/sizeof(x[0]))
96 const int num0 = 100; /* number of tests */
97 const int num1 = 50; /* additional tests for some functions */
98 const int num2 = 5; /* number of tests for slow functions */
100 int test_add(BIO *bp);
101 int test_sub(BIO *bp);
102 int test_lshift1(BIO *bp);
103 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_);
104 int test_rshift1(BIO *bp);
105 int test_rshift(BIO *bp, BN_CTX *ctx);
106 int test_div(BIO *bp, BN_CTX *ctx);
107 int test_div_word(BIO *bp);
108 int test_div_recp(BIO *bp, BN_CTX *ctx);
109 int test_mul(BIO *bp);
110 int test_sqr(BIO *bp, BN_CTX *ctx);
111 int test_mont(BIO *bp, BN_CTX *ctx);
112 int test_mod(BIO *bp, BN_CTX *ctx);
113 int test_mod_mul(BIO *bp, BN_CTX *ctx);
114 int test_mod_exp(BIO *bp, BN_CTX *ctx);
115 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);
116 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
117 int test_exp(BIO *bp, BN_CTX *ctx);
118 int test_gf2m_add(BIO *bp);
119 int test_gf2m_mod(BIO *bp);
120 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx);
121 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx);
122 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx);
123 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx);
124 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx);
125 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx);
126 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
127 int test_kron(BIO *bp, BN_CTX *ctx);
128 int test_sqrt(BIO *bp, BN_CTX *ctx);
130 static int test_ctx_consttime_flag(void);
131 static int results = 0;
133 static unsigned char lst[] =
134 "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
135 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
137 static const char rnd_seed[] =
138 "string to make the random number generator think it has entropy";
140 static void message(BIO *out, char *m)
142 fprintf(stderr, "test %s\n", m);
143 BIO_puts(out, "print \"test ");
145 BIO_puts(out, "\\n\"\n");
148 int main(int argc, char *argv[])
152 char *outfile = NULL;
156 RAND_seed(rnd_seed, sizeof(rnd_seed)); /* or BN_generate_prime may fail */
161 if (strcmp(*argv, "-results") == 0)
163 else if (strcmp(*argv, "-out") == 0) {
176 out = BIO_new(BIO_s_file());
179 if (outfile == NULL) {
180 BIO_set_fp(out, stdout, BIO_NOCLOSE);
182 if (!BIO_write_filename(out, outfile)) {
189 BIO_puts(out, "obase=16\nibase=16\n");
191 message(out, "BN_add");
194 (void)BIO_flush(out);
196 message(out, "BN_sub");
199 (void)BIO_flush(out);
201 message(out, "BN_lshift1");
202 if (!test_lshift1(out))
204 (void)BIO_flush(out);
206 message(out, "BN_lshift (fixed)");
207 if (!test_lshift(out, ctx, BN_bin2bn(lst, sizeof(lst) - 1, NULL)))
209 (void)BIO_flush(out);
211 message(out, "BN_lshift");
212 if (!test_lshift(out, ctx, NULL))
214 (void)BIO_flush(out);
216 message(out, "BN_rshift1");
217 if (!test_rshift1(out))
219 (void)BIO_flush(out);
221 message(out, "BN_rshift");
222 if (!test_rshift(out, ctx))
224 (void)BIO_flush(out);
226 message(out, "BN_sqr");
227 if (!test_sqr(out, ctx))
229 (void)BIO_flush(out);
231 message(out, "BN_mul");
234 (void)BIO_flush(out);
236 message(out, "BN_div");
237 if (!test_div(out, ctx))
239 (void)BIO_flush(out);
241 message(out, "BN_div_word");
242 if (!test_div_word(out))
244 (void)BIO_flush(out);
246 message(out, "BN_div_recp");
247 if (!test_div_recp(out, ctx))
249 (void)BIO_flush(out);
251 message(out, "BN_mod");
252 if (!test_mod(out, ctx))
254 (void)BIO_flush(out);
256 message(out, "BN_mod_mul");
257 if (!test_mod_mul(out, ctx))
259 (void)BIO_flush(out);
261 message(out, "BN_mont");
262 if (!test_mont(out, ctx))
264 (void)BIO_flush(out);
266 message(out, "BN_mod_exp");
267 if (!test_mod_exp(out, ctx))
269 (void)BIO_flush(out);
271 message(out, "BN_mod_exp_mont_consttime");
272 if (!test_mod_exp_mont_consttime(out, ctx))
274 if (!test_mod_exp_mont5(out, ctx))
276 (void)BIO_flush(out);
278 message(out, "BN_exp");
279 if (!test_exp(out, ctx))
281 (void)BIO_flush(out);
283 message(out, "BN_kronecker");
284 if (!test_kron(out, ctx))
286 (void)BIO_flush(out);
288 message(out, "BN_mod_sqrt");
289 if (!test_sqrt(out, ctx))
291 (void)BIO_flush(out);
292 #ifndef OPENSSL_NO_EC2M
293 message(out, "BN_GF2m_add");
294 if (!test_gf2m_add(out))
296 (void)BIO_flush(out);
298 message(out, "BN_GF2m_mod");
299 if (!test_gf2m_mod(out))
301 (void)BIO_flush(out);
303 message(out, "BN_GF2m_mod_mul");
304 if (!test_gf2m_mod_mul(out, ctx))
306 (void)BIO_flush(out);
308 message(out, "BN_GF2m_mod_sqr");
309 if (!test_gf2m_mod_sqr(out, ctx))
311 (void)BIO_flush(out);
313 message(out, "BN_GF2m_mod_inv");
314 if (!test_gf2m_mod_inv(out, ctx))
316 (void)BIO_flush(out);
318 message(out, "BN_GF2m_mod_div");
319 if (!test_gf2m_mod_div(out, ctx))
321 (void)BIO_flush(out);
323 message(out, "BN_GF2m_mod_exp");
324 if (!test_gf2m_mod_exp(out, ctx))
326 (void)BIO_flush(out);
328 message(out, "BN_GF2m_mod_sqrt");
329 if (!test_gf2m_mod_sqrt(out, ctx))
331 (void)BIO_flush(out);
333 message(out, "BN_GF2m_mod_solve_quad");
334 if (!test_gf2m_mod_solve_quad(out, ctx))
336 (void)BIO_flush(out);
339 /* silently flush any pre-existing error on the stack */
342 message(out, "BN_CTX_get BN_FLG_CONSTTIME");
343 if (!test_ctx_consttime_flag())
345 (void)BIO_flush(out);
352 BIO_puts(out, "1\n"); /* make sure the Perl script fed by bc
353 * notices the failure, see test_bn in
354 * test/Makefile.ssl */
355 (void)BIO_flush(out);
356 ERR_load_crypto_strings();
357 ERR_print_errors_fp(stderr);
362 int test_add(BIO *bp)
371 BN_bntest_rand(&a, 512, 0, 0);
372 for (i = 0; i < num0; i++) {
373 BN_bntest_rand(&b, 450 + i, 0, 0);
391 if (!BN_is_zero(&c)) {
392 fprintf(stderr, "Add test failed!\n");
402 int test_sub(BIO *bp)
411 for (i = 0; i < num0 + num1; i++) {
413 BN_bntest_rand(&a, 512, 0, 0);
415 if (BN_set_bit(&a, i) == 0)
419 BN_bntest_rand(&b, 400 + i - num1, 0, 0);
436 if (!BN_is_zero(&c)) {
437 fprintf(stderr, "Subtract test failed!\n");
447 int test_div(BIO *bp, BN_CTX *ctx)
449 BIGNUM a, b, c, d, e;
461 if (BN_div(&d, &c, &a, &b, ctx)) {
462 fprintf(stderr, "Division by zero succeeded!\n");
466 for (i = 0; i < num0 + num1; i++) {
468 BN_bntest_rand(&a, 400, 0, 0);
470 BN_lshift(&a, &a, i);
473 BN_bntest_rand(&b, 50 + 3 * (i - num1), 0, 0);
476 BN_div(&d, &c, &a, &b, ctx);
496 BN_mul(&e, &d, &b, ctx);
499 if (!BN_is_zero(&d)) {
500 fprintf(stderr, "Division test failed!\n");
512 static void print_word(BIO *bp, BN_ULONG w)
514 #ifdef SIXTY_FOUR_BIT
515 if (sizeof(w) > sizeof(unsigned long)) {
516 unsigned long h = (unsigned long)(w >> 32), l = (unsigned long)(w);
519 BIO_printf(bp, "%lX%08lX", h, l);
521 BIO_printf(bp, "%lX", l);
525 BIO_printf(bp, BN_HEX_FMT1, w);
528 int test_div_word(BIO *bp)
537 for (i = 0; i < num0; i++) {
539 BN_bntest_rand(&a, 512, -1, 0);
540 BN_bntest_rand(&b, BN_BITS2, -1, 0);
541 } while (BN_is_zero(&b));
545 rmod = BN_mod_word(&b, s);
546 r = BN_div_word(&b, s);
549 fprintf(stderr, "Mod (word) test failed!\n");
575 if (!BN_is_zero(&b)) {
576 fprintf(stderr, "Division (word) test failed!\n");
585 int test_div_recp(BIO *bp, BN_CTX *ctx)
587 BIGNUM a, b, c, d, e;
591 BN_RECP_CTX_init(&recp);
598 for (i = 0; i < num0 + num1; i++) {
600 BN_bntest_rand(&a, 400, 0, 0);
602 BN_lshift(&a, &a, i);
605 BN_bntest_rand(&b, 50 + 3 * (i - num1), 0, 0);
608 BN_RECP_CTX_set(&recp, &b, ctx);
609 BN_div_recp(&d, &c, &a, &recp, ctx);
629 BN_mul(&e, &d, &b, ctx);
632 if (!BN_is_zero(&d)) {
633 fprintf(stderr, "Reciprocal division test failed!\n");
634 fprintf(stderr, "a=");
635 BN_print_fp(stderr, &a);
636 fprintf(stderr, "\nb=");
637 BN_print_fp(stderr, &b);
638 fprintf(stderr, "\n");
647 BN_RECP_CTX_free(&recp);
651 int test_mul(BIO *bp)
653 BIGNUM a, b, c, d, e;
667 for (i = 0; i < num0 + num1; i++) {
669 BN_bntest_rand(&a, 100, 0, 0);
670 BN_bntest_rand(&b, 100, 0, 0);
672 BN_bntest_rand(&b, i - num1, 0, 0);
675 BN_mul(&c, &a, &b, ctx);
686 BN_div(&d, &e, &c, &a, ctx);
688 if (!BN_is_zero(&d) || !BN_is_zero(&e)) {
689 fprintf(stderr, "Multiplication test failed!\n");
702 int test_sqr(BIO *bp, BN_CTX *ctx)
704 BIGNUM *a, *c, *d, *e;
711 if (a == NULL || c == NULL || d == NULL || e == NULL) {
715 for (i = 0; i < num0; i++) {
716 BN_bntest_rand(a, 40 + i * 10, 0, 0);
729 BN_div(d, e, c, a, ctx);
731 if (!BN_is_zero(d) || !BN_is_zero(e)) {
732 fprintf(stderr, "Square test failed!\n");
737 /* Regression test for a BN_sqr overflow bug. */
739 "80000000000000008000000000000001"
740 "FFFFFFFFFFFFFFFE0000000000000000");
752 BN_mul(d, a, a, ctx);
754 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
755 "different results!\n");
759 /* Regression test for a BN_sqr overflow bug. */
761 "80000000000000000000000080000001"
762 "FFFFFFFE000000000000000000000000");
774 BN_mul(d, a, a, ctx);
776 fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
777 "different results!\n");
793 int test_mont(BIO *bp, BN_CTX *ctx)
795 BIGNUM a, b, c, d, A, B;
808 mont = BN_MONT_CTX_new();
813 if (BN_MONT_CTX_set(mont, &n, ctx)) {
814 fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
819 if (BN_MONT_CTX_set(mont, &n, ctx)) {
820 fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
824 BN_bntest_rand(&a, 100, 0, 0);
825 BN_bntest_rand(&b, 100, 0, 0);
826 for (i = 0; i < num2; i++) {
827 int bits = (200 * (i + 1)) / num2;
831 BN_bntest_rand(&n, bits, 0, 1);
832 BN_MONT_CTX_set(mont, &n, ctx);
834 BN_nnmod(&a, &a, &n, ctx);
835 BN_nnmod(&b, &b, &n, ctx);
837 BN_to_montgomery(&A, &a, mont, ctx);
838 BN_to_montgomery(&B, &b, mont, ctx);
840 BN_mod_mul_montgomery(&c, &A, &B, mont, ctx);
841 BN_from_montgomery(&A, &c, mont, ctx);
845 fprintf(stderr, "%d * %d %% %d\n",
847 BN_num_bits(&b), BN_num_bits(mont->N));
853 BN_print(bp, &(mont->N));
859 BN_mod_mul(&d, &a, &b, &n, ctx);
861 if (!BN_is_zero(&d)) {
862 fprintf(stderr, "Montgomery multiplication test failed!\n");
866 BN_MONT_CTX_free(mont);
877 int test_mod(BIO *bp, BN_CTX *ctx)
879 BIGNUM *a, *b, *c, *d, *e;
888 BN_bntest_rand(a, 1024, 0, 0);
889 for (i = 0; i < num0; i++) {
890 BN_bntest_rand(b, 450 + i * 10, 0, 0);
893 BN_mod(c, a, b, ctx);
904 BN_div(d, e, a, b, ctx);
906 if (!BN_is_zero(e)) {
907 fprintf(stderr, "Modulo test failed!\n");
919 int test_mod_mul(BIO *bp, BN_CTX *ctx)
921 BIGNUM *a, *b, *c, *d, *e;
933 if (BN_mod_mul(e, a, b, c, ctx)) {
934 fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
938 for (j = 0; j < 3; j++) {
939 BN_bntest_rand(c, 1024, 0, 0);
940 for (i = 0; i < num0; i++) {
941 BN_bntest_rand(a, 475 + i * 10, 0, 0);
942 BN_bntest_rand(b, 425 + i * 11, 0, 0);
945 if (!BN_mod_mul(e, a, b, c, ctx)) {
948 while ((l = ERR_get_error()))
949 fprintf(stderr, "ERROR:%s\n", ERR_error_string(l, NULL));
959 if ((a->neg ^ b->neg) && !BN_is_zero(e)) {
961 * If (a*b) % c is negative, c must be added in order
962 * to obtain the normalized remainder (new with
963 * OpenSSL 0.9.7, previous versions of BN_mod_mul
964 * could generate negative results)
974 BN_mul(d, a, b, ctx);
976 BN_div(a, b, d, c, ctx);
977 if (!BN_is_zero(b)) {
978 fprintf(stderr, "Modulo multiply test failed!\n");
979 ERR_print_errors_fp(stderr);
992 int test_mod_exp(BIO *bp, BN_CTX *ctx)
994 BIGNUM *a, *b, *c, *d, *e;
1006 if (BN_mod_exp(d, a, b, c, ctx)) {
1007 fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
1011 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1012 for (i = 0; i < num2; i++) {
1013 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1014 BN_bntest_rand(b, 2 + i, 0, 0);
1016 if (!BN_mod_exp(d, a, b, c, ctx))
1022 BIO_puts(bp, " ^ ");
1024 BIO_puts(bp, " % ");
1026 BIO_puts(bp, " - ");
1031 BN_exp(e, a, b, ctx);
1033 BN_div(a, b, e, c, ctx);
1034 if (!BN_is_zero(b)) {
1035 fprintf(stderr, "Modulo exponentiation test failed!\n");
1040 /* Regression test for carry propagation bug in sqr8x_reduction */
1041 BN_hex2bn(&a, "050505050505");
1042 BN_hex2bn(&b, "02");
1044 "4141414141414141414141274141414141414141414141414141414141414141"
1045 "4141414141414141414141414141414141414141414141414141414141414141"
1046 "4141414141414141414141800000000000000000000000000000000000000000"
1047 "0000000000000000000000000000000000000000000000000000000000000000"
1048 "0000000000000000000000000000000000000000000000000000000000000000"
1049 "0000000000000000000000000000000000000000000000000000000001");
1050 BN_mod_exp(d, a, b, c, ctx);
1051 BN_mul(e, a, a, ctx);
1053 fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
1065 int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
1067 BIGNUM *a, *b, *c, *d, *e;
1079 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1080 fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
1086 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1087 fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
1092 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1093 for (i = 0; i < num2; i++) {
1094 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1095 BN_bntest_rand(b, 2 + i, 0, 0);
1097 if (!BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL))
1103 BIO_puts(bp, " ^ ");
1105 BIO_puts(bp, " % ");
1107 BIO_puts(bp, " - ");
1112 BN_exp(e, a, b, ctx);
1114 BN_div(a, b, e, c, ctx);
1115 if (!BN_is_zero(b)) {
1116 fprintf(stderr, "Modulo exponentiation test failed!\n");
1129 * Test constant-time modular exponentiation with 1024-bit inputs, which on
1130 * x86_64 cause a different code branch to be taken.
1132 int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
1134 BIGNUM *a, *p, *m, *d, *e;
1142 mont = BN_MONT_CTX_new();
1144 BN_bntest_rand(m, 1024, 0, 1); /* must be odd for montgomery */
1146 BN_bntest_rand(a, 1024, 0, 0);
1148 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1150 if (!BN_is_one(d)) {
1151 fprintf(stderr, "Modular exponentiation test failed!\n");
1155 BN_bntest_rand(p, 1024, 0, 0);
1157 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
1159 if (!BN_is_zero(d)) {
1160 fprintf(stderr, "Modular exponentiation test failed!\n");
1164 * Craft an input whose Montgomery representation is 1, i.e., shorter
1165 * than the modulus m, in order to test the const time precomputation
1166 * scattering/gathering.
1169 BN_MONT_CTX_set(mont, m, ctx);
1170 if (!BN_from_montgomery(e, a, mont, ctx))
1172 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1174 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1176 if (BN_cmp(a, d) != 0) {
1177 fprintf(stderr, "Modular exponentiation test failed!\n");
1180 /* Finally, some regular test vectors. */
1181 BN_bntest_rand(e, 1024, 0, 0);
1182 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
1184 if (!BN_mod_exp_simple(a, e, p, m, ctx))
1186 if (BN_cmp(a, d) != 0) {
1187 fprintf(stderr, "Modular exponentiation test failed!\n");
1190 BN_MONT_CTX_free(mont);
1199 int test_exp(BIO *bp, BN_CTX *ctx)
1201 BIGNUM *a, *b, *d, *e, *one;
1211 for (i = 0; i < num2; i++) {
1212 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1213 BN_bntest_rand(b, 2 + i, 0, 0);
1215 if (BN_exp(d, a, b, ctx) <= 0)
1221 BIO_puts(bp, " ^ ");
1223 BIO_puts(bp, " - ");
1229 for (; !BN_is_zero(b); BN_sub(b, b, one))
1230 BN_mul(e, e, a, ctx);
1232 if (!BN_is_zero(e)) {
1233 fprintf(stderr, "Exponentiation test failed!\n");
1245 #ifndef OPENSSL_NO_EC2M
1246 int test_gf2m_add(BIO *bp)
1255 for (i = 0; i < num0; i++) {
1256 BN_rand(&a, 512, 0, 0);
1257 BN_copy(&b, BN_value_one());
1260 BN_GF2m_add(&c, &a, &b);
1261 # if 0 /* make test uses ouput in bc but bc can't
1262 * handle GF(2^m) arithmetic */
1266 BIO_puts(bp, " ^ ");
1268 BIO_puts(bp, " = ");
1274 /* Test that two added values have the correct parity. */
1275 if ((BN_is_odd(&a) && BN_is_odd(&c))
1276 || (!BN_is_odd(&a) && !BN_is_odd(&c))) {
1277 fprintf(stderr, "GF(2^m) addition test (a) failed!\n");
1280 BN_GF2m_add(&c, &c, &c);
1281 /* Test that c + c = 0. */
1282 if (!BN_is_zero(&c)) {
1283 fprintf(stderr, "GF(2^m) addition test (b) failed!\n");
1295 int test_gf2m_mod(BIO *bp)
1297 BIGNUM *a, *b[2], *c, *d, *e;
1299 int p0[] = { 163, 7, 6, 3, 0, -1 };
1300 int p1[] = { 193, 15, 0, -1 };
1309 BN_GF2m_arr2poly(p0, b[0]);
1310 BN_GF2m_arr2poly(p1, b[1]);
1312 for (i = 0; i < num0; i++) {
1313 BN_bntest_rand(a, 1024, 0, 0);
1314 for (j = 0; j < 2; j++) {
1315 BN_GF2m_mod(c, a, b[j]);
1316 # if 0 /* make test uses ouput in bc but bc can't
1317 * handle GF(2^m) arithmetic */
1321 BIO_puts(bp, " % ");
1323 BIO_puts(bp, " - ");
1329 BN_GF2m_add(d, a, c);
1330 BN_GF2m_mod(e, d, b[j]);
1331 /* Test that a + (a mod p) mod p == 0. */
1332 if (!BN_is_zero(e)) {
1333 fprintf(stderr, "GF(2^m) modulo test failed!\n");
1349 int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx)
1351 BIGNUM *a, *b[2], *c, *d, *e, *f, *g, *h;
1353 int p0[] = { 163, 7, 6, 3, 0, -1 };
1354 int p1[] = { 193, 15, 0, -1 };
1366 BN_GF2m_arr2poly(p0, b[0]);
1367 BN_GF2m_arr2poly(p1, b[1]);
1369 for (i = 0; i < num0; i++) {
1370 BN_bntest_rand(a, 1024, 0, 0);
1371 BN_bntest_rand(c, 1024, 0, 0);
1372 BN_bntest_rand(d, 1024, 0, 0);
1373 for (j = 0; j < 2; j++) {
1374 BN_GF2m_mod_mul(e, a, c, b[j], ctx);
1375 # if 0 /* make test uses ouput in bc but bc can't
1376 * handle GF(2^m) arithmetic */
1380 BIO_puts(bp, " * ");
1382 BIO_puts(bp, " % ");
1384 BIO_puts(bp, " - ");
1390 BN_GF2m_add(f, a, d);
1391 BN_GF2m_mod_mul(g, f, c, b[j], ctx);
1392 BN_GF2m_mod_mul(h, d, c, b[j], ctx);
1393 BN_GF2m_add(f, e, g);
1394 BN_GF2m_add(f, f, h);
1395 /* Test that (a+d)*c = a*c + d*c. */
1396 if (!BN_is_zero(f)) {
1398 "GF(2^m) modular multiplication test failed!\n");
1417 int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx)
1419 BIGNUM *a, *b[2], *c, *d;
1421 int p0[] = { 163, 7, 6, 3, 0, -1 };
1422 int p1[] = { 193, 15, 0, -1 };
1430 BN_GF2m_arr2poly(p0, b[0]);
1431 BN_GF2m_arr2poly(p1, b[1]);
1433 for (i = 0; i < num0; i++) {
1434 BN_bntest_rand(a, 1024, 0, 0);
1435 for (j = 0; j < 2; j++) {
1436 BN_GF2m_mod_sqr(c, a, b[j], ctx);
1438 BN_GF2m_mod_mul(d, a, d, b[j], ctx);
1439 # if 0 /* make test uses ouput in bc but bc can't
1440 * handle GF(2^m) arithmetic */
1444 BIO_puts(bp, " ^ 2 % ");
1446 BIO_puts(bp, " = ");
1448 BIO_puts(bp, "; a * a = ");
1454 BN_GF2m_add(d, c, d);
1455 /* Test that a*a = a^2. */
1456 if (!BN_is_zero(d)) {
1457 fprintf(stderr, "GF(2^m) modular squaring test failed!\n");
1472 int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx)
1474 BIGNUM *a, *b[2], *c, *d;
1476 int p0[] = { 163, 7, 6, 3, 0, -1 };
1477 int p1[] = { 193, 15, 0, -1 };
1485 BN_GF2m_arr2poly(p0, b[0]);
1486 BN_GF2m_arr2poly(p1, b[1]);
1488 for (i = 0; i < num0; i++) {
1489 BN_bntest_rand(a, 512, 0, 0);
1490 for (j = 0; j < 2; j++) {
1491 BN_GF2m_mod_inv(c, a, b[j], ctx);
1492 BN_GF2m_mod_mul(d, a, c, b[j], ctx);
1493 # if 0 /* make test uses ouput in bc but bc can't
1494 * handle GF(2^m) arithmetic */
1498 BIO_puts(bp, " * ");
1500 BIO_puts(bp, " - 1 % ");
1506 /* Test that ((1/a)*a) = 1. */
1507 if (!BN_is_one(d)) {
1508 fprintf(stderr, "GF(2^m) modular inversion test failed!\n");
1523 int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx)
1525 BIGNUM *a, *b[2], *c, *d, *e, *f;
1527 int p0[] = { 163, 7, 6, 3, 0, -1 };
1528 int p1[] = { 193, 15, 0, -1 };
1538 BN_GF2m_arr2poly(p0, b[0]);
1539 BN_GF2m_arr2poly(p1, b[1]);
1541 for (i = 0; i < num0; i++) {
1542 BN_bntest_rand(a, 512, 0, 0);
1543 BN_bntest_rand(c, 512, 0, 0);
1544 for (j = 0; j < 2; j++) {
1545 BN_GF2m_mod_div(d, a, c, b[j], ctx);
1546 BN_GF2m_mod_mul(e, d, c, b[j], ctx);
1547 BN_GF2m_mod_div(f, a, e, b[j], ctx);
1548 # if 0 /* make test uses ouput in bc but bc can't
1549 * handle GF(2^m) arithmetic */
1553 BIO_puts(bp, " = ");
1555 BIO_puts(bp, " * ");
1557 BIO_puts(bp, " % ");
1563 /* Test that ((a/c)*c)/a = 1. */
1564 if (!BN_is_one(f)) {
1565 fprintf(stderr, "GF(2^m) modular division test failed!\n");
1582 int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx)
1584 BIGNUM *a, *b[2], *c, *d, *e, *f;
1586 int p0[] = { 163, 7, 6, 3, 0, -1 };
1587 int p1[] = { 193, 15, 0, -1 };
1597 BN_GF2m_arr2poly(p0, b[0]);
1598 BN_GF2m_arr2poly(p1, b[1]);
1600 for (i = 0; i < num0; i++) {
1601 BN_bntest_rand(a, 512, 0, 0);
1602 BN_bntest_rand(c, 512, 0, 0);
1603 BN_bntest_rand(d, 512, 0, 0);
1604 for (j = 0; j < 2; j++) {
1605 BN_GF2m_mod_exp(e, a, c, b[j], ctx);
1606 BN_GF2m_mod_exp(f, a, d, b[j], ctx);
1607 BN_GF2m_mod_mul(e, e, f, b[j], ctx);
1609 BN_GF2m_mod_exp(f, a, f, b[j], ctx);
1610 # if 0 /* make test uses ouput in bc but bc can't
1611 * handle GF(2^m) arithmetic */
1615 BIO_puts(bp, " ^ (");
1617 BIO_puts(bp, " + ");
1619 BIO_puts(bp, ") = ");
1621 BIO_puts(bp, "; - ");
1623 BIO_puts(bp, " % ");
1629 BN_GF2m_add(f, e, f);
1630 /* Test that a^(c+d)=a^c*a^d. */
1631 if (!BN_is_zero(f)) {
1633 "GF(2^m) modular exponentiation test failed!\n");
1650 int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx)
1652 BIGNUM *a, *b[2], *c, *d, *e, *f;
1654 int p0[] = { 163, 7, 6, 3, 0, -1 };
1655 int p1[] = { 193, 15, 0, -1 };
1665 BN_GF2m_arr2poly(p0, b[0]);
1666 BN_GF2m_arr2poly(p1, b[1]);
1668 for (i = 0; i < num0; i++) {
1669 BN_bntest_rand(a, 512, 0, 0);
1670 for (j = 0; j < 2; j++) {
1671 BN_GF2m_mod(c, a, b[j]);
1672 BN_GF2m_mod_sqrt(d, a, b[j], ctx);
1673 BN_GF2m_mod_sqr(e, d, b[j], ctx);
1674 # if 0 /* make test uses ouput in bc but bc can't
1675 * handle GF(2^m) arithmetic */
1679 BIO_puts(bp, " ^ 2 - ");
1685 BN_GF2m_add(f, c, e);
1686 /* Test that d^2 = a, where d = sqrt(a). */
1687 if (!BN_is_zero(f)) {
1688 fprintf(stderr, "GF(2^m) modular square root test failed!\n");
1705 int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx)
1707 BIGNUM *a, *b[2], *c, *d, *e;
1708 int i, j, s = 0, t, ret = 0;
1709 int p0[] = { 163, 7, 6, 3, 0, -1 };
1710 int p1[] = { 193, 15, 0, -1 };
1719 BN_GF2m_arr2poly(p0, b[0]);
1720 BN_GF2m_arr2poly(p1, b[1]);
1722 for (i = 0; i < num0; i++) {
1723 BN_bntest_rand(a, 512, 0, 0);
1724 for (j = 0; j < 2; j++) {
1725 t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
1728 BN_GF2m_mod_sqr(d, c, b[j], ctx);
1729 BN_GF2m_add(d, c, d);
1730 BN_GF2m_mod(e, a, b[j]);
1731 # if 0 /* make test uses ouput in bc but bc can't
1732 * handle GF(2^m) arithmetic */
1736 BIO_puts(bp, " is root of z^2 + z = ");
1738 BIO_puts(bp, " % ");
1744 BN_GF2m_add(e, e, d);
1746 * Test that solution of quadratic c satisfies c^2 + c = a.
1748 if (!BN_is_zero(e)) {
1750 "GF(2^m) modular solve quadratic test failed!\n");
1755 # if 0 /* make test uses ouput in bc but bc can't
1756 * handle GF(2^m) arithmetic */
1759 BIO_puts(bp, "There are no roots of z^2 + z = ");
1761 BIO_puts(bp, " % ");
1772 "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n",
1775 "this is very unlikely and probably indicates an error.\n");
1789 static int genprime_cb(int p, int n, BN_GENCB *arg)
1806 int test_kron(BIO *bp, BN_CTX *ctx)
1809 BIGNUM *a, *b, *r, *t;
1811 int legendre, kronecker;
1818 if (a == NULL || b == NULL || r == NULL || t == NULL)
1821 BN_GENCB_set(&cb, genprime_cb, NULL);
1824 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1825 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1826 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1827 * generate a random prime b and compare these values for a number of
1828 * random a's. (That is, we run the Solovay-Strassen primality test to
1829 * confirm that b is prime, except that we don't want to test whether b
1830 * is prime but whether BN_kronecker works.)
1833 if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb))
1835 b->neg = rand_neg();
1838 for (i = 0; i < num0; i++) {
1839 if (!BN_bntest_rand(a, 512, 0, 0))
1841 a->neg = rand_neg();
1843 /* t := (|b|-1)/2 (note that b is odd) */
1847 if (!BN_sub_word(t, 1))
1849 if (!BN_rshift1(t, t))
1851 /* r := a^t mod b */
1854 if (!BN_mod_exp_recp(r, a, t, b, ctx))
1858 if (BN_is_word(r, 1))
1860 else if (BN_is_zero(r))
1863 if (!BN_add_word(r, 1))
1865 if (0 != BN_ucmp(r, b)) {
1866 fprintf(stderr, "Legendre symbol computation failed\n");
1872 kronecker = BN_kronecker(a, b, ctx);
1875 /* we actually need BN_kronecker(a, |b|) */
1876 if (a->neg && b->neg)
1877 kronecker = -kronecker;
1879 if (legendre != kronecker) {
1880 fprintf(stderr, "legendre != kronecker; a = ");
1881 BN_print_fp(stderr, a);
1882 fprintf(stderr, ", b = ");
1883 BN_print_fp(stderr, b);
1884 fprintf(stderr, "\n");
1907 int test_sqrt(BIO *bp, BN_CTX *ctx)
1917 if (a == NULL || p == NULL || r == NULL)
1920 BN_GENCB_set(&cb, genprime_cb, NULL);
1922 for (i = 0; i < 16; i++) {
1924 unsigned primes[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
1926 if (!BN_set_word(p, primes[i]))
1929 if (!BN_set_word(a, 32))
1931 if (!BN_set_word(r, 2 * i + 1))
1934 if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb))
1938 p->neg = rand_neg();
1940 for (j = 0; j < num2; j++) {
1942 * construct 'a' such that it is a square modulo p, but in
1943 * general not a proper square and not reduced modulo p
1945 if (!BN_bntest_rand(r, 256, 0, 3))
1947 if (!BN_nnmod(r, r, p, ctx))
1949 if (!BN_mod_sqr(r, r, p, ctx))
1951 if (!BN_bntest_rand(a, 256, 0, 3))
1953 if (!BN_nnmod(a, a, p, ctx))
1955 if (!BN_mod_sqr(a, a, p, ctx))
1957 if (!BN_mul(a, a, r, ctx))
1960 if (!BN_sub(a, a, p))
1963 if (!BN_mod_sqrt(r, a, p, ctx))
1965 if (!BN_mod_sqr(r, r, p, ctx))
1968 if (!BN_nnmod(a, a, p, ctx))
1971 if (BN_cmp(a, r) != 0) {
1972 fprintf(stderr, "BN_mod_sqrt failed: a = ");
1973 BN_print_fp(stderr, a);
1974 fprintf(stderr, ", r = ");
1975 BN_print_fp(stderr, r);
1976 fprintf(stderr, ", p = ");
1977 BN_print_fp(stderr, p);
1978 fprintf(stderr, "\n");
2000 int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_)
2002 BIGNUM *a, *b, *c, *d;
2014 BN_bntest_rand(a, 200, 0, 0);
2015 a->neg = rand_neg();
2017 for (i = 0; i < num0; i++) {
2018 BN_lshift(b, a, i + 1);
2023 BIO_puts(bp, " * ");
2025 BIO_puts(bp, " - ");
2030 BN_mul(d, a, c, ctx);
2032 if (!BN_is_zero(d)) {
2033 fprintf(stderr, "Left shift test failed!\n");
2034 fprintf(stderr, "a=");
2035 BN_print_fp(stderr, a);
2036 fprintf(stderr, "\nb=");
2037 BN_print_fp(stderr, b);
2038 fprintf(stderr, "\nc=");
2039 BN_print_fp(stderr, c);
2040 fprintf(stderr, "\nd=");
2041 BN_print_fp(stderr, d);
2042 fprintf(stderr, "\n");
2053 int test_lshift1(BIO *bp)
2062 BN_bntest_rand(a, 200, 0, 0);
2063 a->neg = rand_neg();
2064 for (i = 0; i < num0; i++) {
2069 BIO_puts(bp, " * 2");
2070 BIO_puts(bp, " - ");
2077 if (!BN_is_zero(a)) {
2078 fprintf(stderr, "Left shift one test failed!\n");
2090 int test_rshift(BIO *bp, BN_CTX *ctx)
2092 BIGNUM *a, *b, *c, *d, *e;
2102 BN_bntest_rand(a, 200, 0, 0);
2103 a->neg = rand_neg();
2104 for (i = 0; i < num0; i++) {
2105 BN_rshift(b, a, i + 1);
2110 BIO_puts(bp, " / ");
2112 BIO_puts(bp, " - ");
2117 BN_div(d, e, a, c, ctx);
2119 if (!BN_is_zero(d)) {
2120 fprintf(stderr, "Right shift test failed!\n");
2132 int test_rshift1(BIO *bp)
2141 BN_bntest_rand(a, 200, 0, 0);
2142 a->neg = rand_neg();
2143 for (i = 0; i < num0; i++) {
2148 BIO_puts(bp, " / 2");
2149 BIO_puts(bp, " - ");
2156 if (!BN_is_zero(c) && !BN_abs_is_word(c, 1)) {
2157 fprintf(stderr, "Right shift one test failed!\n");
2170 static unsigned int neg = 0;
2171 static int sign[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
2173 return (sign[(neg++) % 8]);
2176 static int test_ctx_set_ct_flag(BN_CTX *c)
2183 for (i = 0; i < OSSL_NELEM(b); i++) {
2184 if (NULL == (b[i] = BN_CTX_get(c))) {
2185 fprintf(stderr, "ERROR: BN_CTX_get() failed.\n");
2189 BN_set_flags(b[i], BN_FLG_CONSTTIME);
2198 static int test_ctx_check_ct_flag(BN_CTX *c)
2205 for (i = 0; i < OSSL_NELEM(b); i++) {
2206 if (NULL == (b[i] = BN_CTX_get(c))) {
2207 fprintf(stderr, "ERROR: BN_CTX_get() failed.\n");
2210 if (BN_get_flags(b[i], BN_FLG_CONSTTIME) != 0) {
2211 fprintf(stderr, "ERROR: BN_FLG_CONSTTIME should not be set.\n");
2222 static int test_ctx_consttime_flag(void)
2225 * The constant-time flag should not "leak" among BN_CTX frames:
2227 * - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and
2228 * sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained
2229 * from the frame before ending it.
2230 * - test_ctx_check_ct_flag() then starts a new frame and gets a
2231 * number of BIGNUMs from it. In absence of leaks, none of the
2232 * BIGNUMs in the new frame should have BN_FLG_CONSTTIME set.
2234 * In actual BN_CTX usage inside libcrypto the leak could happen at
2235 * any depth level in the BN_CTX stack, with varying results
2236 * depending on the patterns of sibling trees of nested function
2237 * calls sharing the same BN_CTX object, and the effect of
2238 * unintended BN_FLG_CONSTTIME on the called BN_* functions.
2240 * This simple unit test abstracts away this complexity and verifies
2241 * that the leak does not happen between two sibling functions
2242 * sharing the same BN_CTX object at the same level of nesting.
2248 if (NULL == (c = BN_CTX_new())) {
2249 fprintf(stderr, "ERROR: BN_CTX_new() failed.\n");
2253 if (!test_ctx_set_ct_flag(c)
2254 || !test_ctx_check_ct_flag(c))