summaryrefslogtreecommitdiff
path: root/src/regress/lib/libcrypto/bn/general
diff options
context:
space:
mode:
authorbcook <>2016-09-03 17:32:06 +0000
committerbcook <>2016-09-03 17:32:06 +0000
commitaa3d7c48a4136c2565abe134aba88d74ac25f91b (patch)
tree9e3d88145f0e4ca9d8fcaa3b3a573bfb58e4434e /src/regress/lib/libcrypto/bn/general
parent05812bec7df03184841379790bd48dadca90c010 (diff)
downloadopenbsd-aa3d7c48a4136c2565abe134aba88d74ac25f91b.tar.gz
openbsd-aa3d7c48a4136c2565abe134aba88d74ac25f91b.tar.bz2
openbsd-aa3d7c48a4136c2565abe134aba88d74ac25f91b.zip
import new BN tests from OpenSSL
New tests that various BIGNUM methods behave correctly on zero/even inputs. from OpenSSL ok beck@
Diffstat (limited to 'src/regress/lib/libcrypto/bn/general')
-rw-r--r--src/regress/lib/libcrypto/bn/general/bntest.c342
1 files changed, 250 insertions, 92 deletions
diff --git a/src/regress/lib/libcrypto/bn/general/bntest.c b/src/regress/lib/libcrypto/bn/general/bntest.c
index e1ef1445c6..c5ec3cdc13 100644
--- a/src/regress/lib/libcrypto/bn/general/bntest.c
+++ b/src/regress/lib/libcrypto/bn/general/bntest.c
@@ -104,6 +104,8 @@ int test_mod(BIO *bp, BN_CTX *ctx);
104int test_mod_mul(BIO *bp, BN_CTX *ctx); 104int test_mod_mul(BIO *bp, BN_CTX *ctx);
105int test_mod_exp(BIO *bp, BN_CTX *ctx); 105int test_mod_exp(BIO *bp, BN_CTX *ctx);
106int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx); 106int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);
107int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
108int test_mod_exp_sizes(BIO *bp, BN_CTX *ctx);
107int test_exp(BIO *bp, BN_CTX *ctx); 109int test_exp(BIO *bp, BN_CTX *ctx);
108int test_gf2m_add(BIO *bp); 110int test_gf2m_add(BIO *bp);
109int test_gf2m_mod(BIO *bp); 111int test_gf2m_mod(BIO *bp);
@@ -116,12 +118,12 @@ int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx);
116int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx); 118int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
117int test_kron(BIO *bp, BN_CTX *ctx); 119int test_kron(BIO *bp, BN_CTX *ctx);
118int test_sqrt(BIO *bp, BN_CTX *ctx); 120int test_sqrt(BIO *bp, BN_CTX *ctx);
119int test_mod_exp_sizes(BIO *bp, BN_CTX *ctx);
120int rand_neg(void); 121int rand_neg(void);
121static int results = 0; 122static int results = 0;
122 123
123static const unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9" 124static unsigned char lst[] =
124"\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0"; 125 "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
126 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
125 127
126static void 128static void
127message(BIO *out, char *m) 129message(BIO *out, char *m)
@@ -260,6 +262,11 @@ main(int argc, char *argv[])
260 goto err; 262 goto err;
261 (void)BIO_flush(out); 263 (void)BIO_flush(out);
262 264
265 message(out, "BN_mod_exp_mont5");
266 if (!test_mod_exp_mont5(out, ctx))
267 goto err;
268 (void)BIO_flush(out);
269
263 message(out, "BN_exp"); 270 message(out, "BN_exp");
264 if (!test_exp(out, ctx)) 271 if (!test_exp(out, ctx))
265 goto err; 272 goto err;
@@ -329,11 +336,11 @@ main(int argc, char *argv[])
329 BN_CTX_free(ctx); 336 BN_CTX_free(ctx);
330 BIO_free(out); 337 BIO_free(out);
331 338
332
333 exit(0); 339 exit(0);
334err: 340err:
335 BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices 341 BIO_puts(out, "1\n"); /* make sure the Perl script fed by bc notices
336 * the failure, see test_bn in test/Makefile.ssl*/ 342 * the failure, see test_bn in test/Makefile.ssl*/
343
337 (void)BIO_flush(out); 344 (void)BIO_flush(out);
338 ERR_load_crypto_strings(); 345 ERR_load_crypto_strings();
339 ERR_print_errors_fp(stderr); 346 ERR_print_errors_fp(stderr);
@@ -367,8 +374,8 @@ test_add(BIO *bp)
367 BN_print(bp, &c); 374 BN_print(bp, &c);
368 BIO_puts(bp, "\n"); 375 BIO_puts(bp, "\n");
369 } 376 }
370 a.neg=!a.neg; 377 a.neg = !a.neg;
371 b.neg=!b.neg; 378 b.neg = !b.neg;
372 BN_add(&c, &c, &b); 379 BN_add(&c, &c, &b);
373 BN_add(&c, &c, &a); 380 BN_add(&c, &c, &a);
374 if (!BN_is_zero(&c)) { 381 if (!BN_is_zero(&c)) {
@@ -436,7 +443,7 @@ test_sub(BIO *bp)
436int 443int
437test_div(BIO *bp, BN_CTX *ctx) 444test_div(BIO *bp, BN_CTX *ctx)
438{ 445{
439 BIGNUM a, b,c, d, e; 446 BIGNUM a, b, c, d, e;
440 int i; 447 int i;
441 int rc = 1; 448 int rc = 1;
442 449
@@ -446,6 +453,14 @@ test_div(BIO *bp, BN_CTX *ctx)
446 BN_init(&d); 453 BN_init(&d);
447 BN_init(&e); 454 BN_init(&e);
448 455
456 BN_one(&a);
457 BN_zero(&b);
458
459 if (BN_div(&d, &c, &a, &b, ctx)) {
460 fprintf(stderr, "Division by zero succeeded!\n");
461 return (0);
462 }
463
449 for (i = 0; i < num0 + num1; i++) { 464 for (i = 0; i < num0 + num1; i++) {
450 if (i < num1) { 465 if (i < num1) {
451 BN_bntest_rand(&a, 400, 0, 0); 466 BN_bntest_rand(&a, 400, 0, 0);
@@ -453,7 +468,7 @@ test_div(BIO *bp, BN_CTX *ctx)
453 BN_lshift(&a, &a, i); 468 BN_lshift(&a, &a, i);
454 BN_add_word(&a, i); 469 BN_add_word(&a, i);
455 } else 470 } else
456 BN_bntest_rand(&b, 50 + 3*(i - num1), 0, 0); 471 BN_bntest_rand(&b, 50 + 3 * (i - num1), 0, 0);
457 a.neg = rand_neg(); 472 a.neg = rand_neg();
458 b.neg = rand_neg(); 473 b.neg = rand_neg();
459 BN_div(&d, &c, &a, &b, ctx); 474 BN_div(&d, &c, &a, &b, ctx);
@@ -501,9 +516,9 @@ print_word(BIO *bp, BN_ULONG w)
501 unsigned long h = (unsigned long)(w >> 32), l = (unsigned long)(w); 516 unsigned long h = (unsigned long)(w >> 32), l = (unsigned long)(w);
502 517
503 if (h) 518 if (h)
504 BIO_printf(bp, "%lX%08lX",h,l); 519 BIO_printf(bp, "%lX%08lX", h, l);
505 else 520 else
506 BIO_printf(bp, "%lX",l); 521 BIO_printf(bp, "%lX", l);
507 return; 522 return;
508 } 523 }
509#endif 524#endif
@@ -513,7 +528,7 @@ print_word(BIO *bp, BN_ULONG w)
513int 528int
514test_div_word(BIO *bp) 529test_div_word(BIO *bp)
515{ 530{
516 BIGNUM a, b; 531 BIGNUM a, b;
517 BN_ULONG r, rmod, s = 0; 532 BN_ULONG r, rmod, s = 0;
518 int i; 533 int i;
519 int rc = 1; 534 int rc = 1;
@@ -586,7 +601,7 @@ test_div_word(BIO *bp)
586int 601int
587test_div_recp(BIO *bp, BN_CTX *ctx) 602test_div_recp(BIO *bp, BN_CTX *ctx)
588{ 603{
589 BIGNUM a, b,c, d, e; 604 BIGNUM a, b, c, d, e;
590 BN_RECP_CTX recp; 605 BN_RECP_CTX recp;
591 int i; 606 int i;
592 int rc = 1; 607 int rc = 1;
@@ -605,7 +620,7 @@ test_div_recp(BIO *bp, BN_CTX *ctx)
605 BN_lshift(&a, &a, i); 620 BN_lshift(&a, &a, i);
606 BN_add_word(&a, i); 621 BN_add_word(&a, i);
607 } else 622 } else
608 BN_bntest_rand(&b, 50 + 3*(i - num1), 0, 0); 623 BN_bntest_rand(&b, 50 + 3 * (i - num1), 0, 0);
609 a.neg = rand_neg(); 624 a.neg = rand_neg();
610 b.neg = rand_neg(); 625 b.neg = rand_neg();
611 BN_RECP_CTX_set(&recp, &b, ctx); 626 BN_RECP_CTX_set(&recp, &b, ctx);
@@ -655,7 +670,7 @@ test_div_recp(BIO *bp, BN_CTX *ctx)
655int 670int
656test_mul(BIO *bp) 671test_mul(BIO *bp)
657{ 672{
658 BIGNUM a, b,c, d, e; 673 BIGNUM a, b, c, d, e;
659 int i; 674 int i;
660 int rc = 1; 675 int rc = 1;
661 BN_CTX *ctx; 676 BN_CTX *ctx;
@@ -788,7 +803,7 @@ test_sqr(BIO *bp, BN_CTX *ctx)
788 goto err; 803 goto err;
789 } 804 }
790 ret = 1; 805 ret = 1;
791 err: 806err:
792 BN_free(a); 807 BN_free(a);
793 BN_free(c); 808 BN_free(c);
794 BN_free(d); 809 BN_free(d);
@@ -799,7 +814,7 @@ test_sqr(BIO *bp, BN_CTX *ctx)
799int 814int
800test_mont(BIO *bp, BN_CTX *ctx) 815test_mont(BIO *bp, BN_CTX *ctx)
801{ 816{
802 BIGNUM a, b,c, d,A, B; 817 BIGNUM a, b, c, d, A, B;
803 BIGNUM n; 818 BIGNUM n;
804 int i; 819 int i;
805 int rc = 1; 820 int rc = 1;
@@ -817,10 +832,22 @@ test_mont(BIO *bp, BN_CTX *ctx)
817 BN_init(&B); 832 BN_init(&B);
818 BN_init(&n); 833 BN_init(&n);
819 834
820 BN_bntest_rand(&a,100,0,0); 835 BN_zero(&n);
821 BN_bntest_rand(&b,100,0,0); 836 if (BN_MONT_CTX_set(mont, &n, ctx)) {
837 fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
838 return (0);
839 }
840
841 BN_set_word(&n, 16);
842 if (BN_MONT_CTX_set(mont, &n, ctx)) {
843 fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
844 return (0);
845 }
846
847 BN_bntest_rand(&a, 100, 0, 0);
848 BN_bntest_rand(&b, 100, 0, 0);
822 for (i = 0; i < num2; i++) { 849 for (i = 0; i < num2; i++) {
823 int bits = (200*(i + 1))/num2; 850 int bits = (200 * (i + 1)) / num2;
824 851
825 if (bits == 0) 852 if (bits == 0)
826 continue; 853 continue;
@@ -833,8 +860,8 @@ test_mont(BIO *bp, BN_CTX *ctx)
833 BN_to_montgomery(&A, &a, mont, ctx); 860 BN_to_montgomery(&A, &a, mont, ctx);
834 BN_to_montgomery(&B, &b, mont, ctx); 861 BN_to_montgomery(&B, &b, mont, ctx);
835 862
836 BN_mod_mul_montgomery(&c,&A,&B,mont,ctx); 863 BN_mod_mul_montgomery(&c, &A, &B, mont, ctx);
837 BN_from_montgomery(&A,&c,mont,ctx); 864 BN_from_montgomery(&A, &c, mont, ctx);
838 if (bp != NULL) { 865 if (bp != NULL) {
839 if (!results) { 866 if (!results) {
840 BN_print(bp, &a); 867 BN_print(bp, &a);
@@ -879,12 +906,12 @@ test_mod(BIO *bp, BN_CTX *ctx)
879 d = BN_new(); 906 d = BN_new();
880 e = BN_new(); 907 e = BN_new();
881 908
882 BN_bntest_rand(a,1024,0,0); 909 BN_bntest_rand(a, 1024, 0, 0);
883 for (i = 0; i < num0; i++) { 910 for (i = 0; i < num0; i++) {
884 BN_bntest_rand(b,450+i*10,0,0); 911 BN_bntest_rand(b, 450 + i * 10, 0, 0);
885 a->neg = rand_neg(); 912 a->neg = rand_neg();
886 b->neg = rand_neg(); 913 b->neg = rand_neg();
887 BN_mod(c,a,b,ctx); 914 BN_mod(c, a, b, ctx);
888 if (bp != NULL) { 915 if (bp != NULL) {
889 if (!results) { 916 if (!results) {
890 BN_print(bp, a); 917 BN_print(bp, a);
@@ -895,7 +922,7 @@ test_mod(BIO *bp, BN_CTX *ctx)
895 BN_print(bp, c); 922 BN_print(bp, c);
896 BIO_puts(bp, "\n"); 923 BIO_puts(bp, "\n");
897 } 924 }
898 BN_div(d, e,a, b, ctx); 925 BN_div(d, e, a, b, ctx);
899 BN_sub(e, e, c); 926 BN_sub(e, e, c);
900 if (!BN_is_zero(e)) { 927 if (!BN_is_zero(e)) {
901 fprintf(stderr, "Modulo test failed!\n"); 928 fprintf(stderr, "Modulo test failed!\n");
@@ -924,14 +951,22 @@ test_mod_mul(BIO *bp, BN_CTX *ctx)
924 d = BN_new(); 951 d = BN_new();
925 e = BN_new(); 952 e = BN_new();
926 953
954 BN_one(a);
955 BN_one(b);
956 BN_zero(c);
957 if (BN_mod_mul(e, a, b, c, ctx)) {
958 fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
959 return (0);
960 }
961
927 for (j = 0; j < 3; j++) { 962 for (j = 0; j < 3; j++) {
928 BN_bntest_rand(c,1024,0,0); 963 BN_bntest_rand(c, 1024, 0, 0);
929 for (i = 0; i < num0; i++) { 964 for (i = 0; i < num0; i++) {
930 BN_bntest_rand(a,475+i*10,0,0); 965 BN_bntest_rand(a, 475 + i * 10, 0, 0);
931 BN_bntest_rand(b,425+i*11,0,0); 966 BN_bntest_rand(b, 425 + i * 11, 0, 0);
932 a->neg = rand_neg(); 967 a->neg = rand_neg();
933 b->neg = rand_neg(); 968 b->neg = rand_neg();
934 if (!BN_mod_mul(e, a,b, c, ctx)) { 969 if (!BN_mod_mul(e, a, b, c, ctx)) {
935 unsigned long l; 970 unsigned long l;
936 971
937 while ((l = ERR_get_error())) 972 while ((l = ERR_get_error()))
@@ -960,9 +995,9 @@ test_mod_mul(BIO *bp, BN_CTX *ctx)
960 BN_print(bp, e); 995 BN_print(bp, e);
961 BIO_puts(bp, "\n"); 996 BIO_puts(bp, "\n");
962 } 997 }
963 BN_mul(d, a,b, ctx); 998 BN_mul(d, a, b, ctx);
964 BN_sub(d, d, e); 999 BN_sub(d, d, e);
965 BN_div(a, b,d, c, ctx); 1000 BN_div(a, b, d, c, ctx);
966 if (!BN_is_zero(b)) { 1001 if (!BN_is_zero(b)) {
967 fprintf(stderr, "Modulo multiply test failed!\n"); 1002 fprintf(stderr, "Modulo multiply test failed!\n");
968 ERR_print_errors_fp(stderr); 1003 ERR_print_errors_fp(stderr);
@@ -993,12 +1028,20 @@ test_mod_exp(BIO *bp, BN_CTX *ctx)
993 d = BN_new(); 1028 d = BN_new();
994 e = BN_new(); 1029 e = BN_new();
995 1030
996 BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */ 1031 BN_one(a);
1032 BN_one(b);
1033 BN_zero(c);
1034 if (BN_mod_exp(d, a, b, c, ctx)) {
1035 fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
1036 return (0);
1037 }
1038
1039 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
997 for (i = 0; i < num2; i++) { 1040 for (i = 0; i < num2; i++) {
998 BN_bntest_rand(a,20+i*5,0,0); 1041 BN_bntest_rand(a, 20 + i * 5, 0, 0);
999 BN_bntest_rand(b,2+i,0,0); 1042 BN_bntest_rand(b, 2 + i, 0, 0);
1000 1043
1001 if (!BN_mod_exp(d, a,b, c, ctx)) { 1044 if (!BN_mod_exp(d, a, b, c, ctx)) {
1002 rc = 0; 1045 rc = 0;
1003 break; 1046 break;
1004 } 1047 }
@@ -1015,9 +1058,9 @@ test_mod_exp(BIO *bp, BN_CTX *ctx)
1015 BN_print(bp, d); 1058 BN_print(bp, d);
1016 BIO_puts(bp, "\n"); 1059 BIO_puts(bp, "\n");
1017 } 1060 }
1018 BN_exp(e, a,b, ctx); 1061 BN_exp(e, a, b, ctx);
1019 BN_sub(e, e, d); 1062 BN_sub(e, e, d);
1020 BN_div(a, b,e, c, ctx); 1063 BN_div(a, b, e, c, ctx);
1021 if (!BN_is_zero(b)) { 1064 if (!BN_is_zero(b)) {
1022 fprintf(stderr, "Modulo exponentiation test failed!\n"); 1065 fprintf(stderr, "Modulo exponentiation test failed!\n");
1023 rc = 0; 1066 rc = 0;
@@ -1045,12 +1088,30 @@ test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
1045 d = BN_new(); 1088 d = BN_new();
1046 e = BN_new(); 1089 e = BN_new();
1047 1090
1048 BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */ 1091 BN_one(a);
1092 BN_one(b);
1093 BN_zero(c);
1094 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1095 fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
1096 "succeeded\n");
1097 rc = 0;
1098 goto err;
1099 }
1100
1101 BN_set_word(c, 16);
1102 if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1103 fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
1104 "succeeded\n");
1105 rc = 0;
1106 goto err;
1107 }
1108
1109 BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
1049 for (i = 0; i < num2; i++) { 1110 for (i = 0; i < num2; i++) {
1050 BN_bntest_rand(a,20+i*5,0,0); 1111 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1051 BN_bntest_rand(b,2+i,0,0); 1112 BN_bntest_rand(b, 2 + i, 0, 0);
1052 1113
1053 if (!BN_mod_exp_mont_consttime(d, a,b, c,ctx, NULL)) { 1114 if (!BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
1054 rc = 0; 1115 rc = 0;
1055 break; 1116 break;
1056 } 1117 }
@@ -1067,15 +1128,16 @@ test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
1067 BN_print(bp, d); 1128 BN_print(bp, d);
1068 BIO_puts(bp, "\n"); 1129 BIO_puts(bp, "\n");
1069 } 1130 }
1070 BN_exp(e, a,b, ctx); 1131 BN_exp(e, a, b, ctx);
1071 BN_sub(e, e, d); 1132 BN_sub(e, e, d);
1072 BN_div(a, b,e, c, ctx); 1133 BN_div(a, b, e, c, ctx);
1073 if (!BN_is_zero(b)) { 1134 if (!BN_is_zero(b)) {
1074 fprintf(stderr, "Modulo exponentiation test failed!\n"); 1135 fprintf(stderr, "Modulo exponentiation test failed!\n");
1075 rc = 0; 1136 rc = 0;
1076 break; 1137 break;
1077 } 1138 }
1078 } 1139 }
1140err:
1079 BN_free(a); 1141 BN_free(a);
1080 BN_free(b); 1142 BN_free(b);
1081 BN_free(c); 1143 BN_free(c);
@@ -1084,6 +1146,98 @@ test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
1084 return (rc); 1146 return (rc);
1085} 1147}
1086 1148
1149/*
1150 * Test constant-time modular exponentiation with 1024-bit inputs, which on
1151 * x86_64 cause a different code branch to be taken.
1152 */
1153int
1154test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
1155{
1156 BIGNUM *a, *p, *m, *d, *e;
1157 int rc = 1;
1158 BN_MONT_CTX *mont;
1159
1160 a = BN_new();
1161 p = BN_new();
1162 m = BN_new();
1163 d = BN_new();
1164 e = BN_new();
1165
1166 mont = BN_MONT_CTX_new();
1167
1168 BN_bntest_rand(m, 1024, 0, 1); /* must be odd for montgomery */
1169 /* Zero exponent */
1170 BN_bntest_rand(a, 1024, 0, 0);
1171 BN_zero(p);
1172 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL)) {
1173 rc = 0;
1174 goto err;
1175 }
1176 if (!BN_is_one(d)) {
1177 fprintf(stderr, "Modular exponentiation test failed!\n");
1178 rc = 0;
1179 goto err;
1180 }
1181 /* Zero input */
1182 BN_bntest_rand(p, 1024, 0, 0);
1183 BN_zero(a);
1184 if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL)) {
1185 rc = 0;
1186 goto err;
1187 }
1188 if (!BN_is_zero(d)) {
1189 fprintf(stderr, "Modular exponentiation test failed!\n");
1190 rc = 0;
1191 goto err;
1192 }
1193 /*
1194 * Craft an input whose Montgomery representation is 1, i.e., shorter
1195 * than the modulus m, in order to test the const time precomputation
1196 * scattering/gathering.
1197 */
1198 BN_one(a);
1199 BN_MONT_CTX_set(mont, m, ctx);
1200 if (!BN_from_montgomery(e, a, mont, ctx)) {
1201 rc = 0;
1202 goto err;
1203 }
1204 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL)) {
1205 rc = 0;
1206 goto err;
1207 }
1208 if (!BN_mod_exp_simple(a, e, p, m, ctx)) {
1209 rc = 0;
1210 goto err;
1211 }
1212 if (BN_cmp(a, d) != 0) {
1213 fprintf(stderr, "Modular exponentiation test failed!\n");
1214 rc = 0;
1215 goto err;
1216 }
1217 /* Finally, some regular test vectors. */
1218 BN_bntest_rand(e, 1024, 0, 0);
1219 if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL)) {
1220 rc = 0;
1221 goto err;
1222 }
1223 if (!BN_mod_exp_simple(a, e, p, m, ctx)) {
1224 rc = 0;
1225 goto err;
1226 }
1227 if (BN_cmp(a, d) != 0) {
1228 fprintf(stderr, "Modular exponentiation test failed!\n");
1229 rc = 0;
1230 goto err;
1231 }
1232err:
1233 BN_free(a);
1234 BN_free(p);
1235 BN_free(m);
1236 BN_free(d);
1237 BN_free(e);
1238 return (rc);
1239}
1240
1087int 1241int
1088test_exp(BIO *bp, BN_CTX *ctx) 1242test_exp(BIO *bp, BN_CTX *ctx)
1089{ 1243{
@@ -1099,10 +1253,10 @@ test_exp(BIO *bp, BN_CTX *ctx)
1099 BN_one(one); 1253 BN_one(one);
1100 1254
1101 for (i = 0; i < num2; i++) { 1255 for (i = 0; i < num2; i++) {
1102 BN_bntest_rand(a,20+i*5,0,0); 1256 BN_bntest_rand(a, 20 + i * 5, 0, 0);
1103 BN_bntest_rand(b,2+i,0,0); 1257 BN_bntest_rand(b, 2 + i, 0, 0);
1104 1258
1105 if (BN_exp(d, a,b, ctx) <= 0) { 1259 if (BN_exp(d, a, b, ctx) <= 0) {
1106 rc = 0; 1260 rc = 0;
1107 break; 1261 break;
1108 } 1262 }
@@ -1119,7 +1273,7 @@ test_exp(BIO *bp, BN_CTX *ctx)
1119 } 1273 }
1120 BN_one(e); 1274 BN_one(e);
1121 for (; !BN_is_zero(b); BN_sub(b, b, one)) 1275 for (; !BN_is_zero(b); BN_sub(b, b, one))
1122 BN_mul(e, e,a, ctx); 1276 BN_mul(e, e, a, ctx);
1123 BN_sub(e, e, d); 1277 BN_sub(e, e, d);
1124 if (!BN_is_zero(e)) { 1278 if (!BN_is_zero(e)) {
1125 fprintf(stderr, "Exponentiation test failed!\n"); 1279 fprintf(stderr, "Exponentiation test failed!\n");
@@ -1165,7 +1319,8 @@ test_gf2m_add(BIO *bp)
1165 } 1319 }
1166#endif 1320#endif
1167 /* Test that two added values have the correct parity. */ 1321 /* Test that two added values have the correct parity. */
1168 if ((BN_is_odd(&a) && BN_is_odd(&c)) || (!BN_is_odd(&a) && !BN_is_odd(&c))) { 1322 if ((BN_is_odd(&a) && BN_is_odd(&c))
1323 || (!BN_is_odd(&a) && !BN_is_odd(&c))) {
1169 fprintf(stderr, "GF(2^m) addition test (a) failed!\n"); 1324 fprintf(stderr, "GF(2^m) addition test (a) failed!\n");
1170 goto err; 1325 goto err;
1171 } 1326 }
@@ -1189,8 +1344,8 @@ test_gf2m_mod(BIO *bp)
1189{ 1344{
1190 BIGNUM *a, *b[2], *c, *d, *e; 1345 BIGNUM *a, *b[2], *c, *d, *e;
1191 int i, j, ret = 0; 1346 int i, j, ret = 0;
1192 int p0[] = {163, 7,6, 3,0, -1}; 1347 int p0[] = { 163, 7, 6, 3, 0, -1 };
1193 int p1[] = {193, 15, 0, -1}; 1348 int p1[] = { 193, 15, 0, -1 };
1194 1349
1195 a = BN_new(); 1350 a = BN_new();
1196 b[0] = BN_new(); 1351 b[0] = BN_new();
@@ -1243,8 +1398,8 @@ test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx)
1243{ 1398{
1244 BIGNUM *a, *b[2], *c, *d, *e, *f, *g, *h; 1399 BIGNUM *a, *b[2], *c, *d, *e, *f, *g, *h;
1245 int i, j, ret = 0; 1400 int i, j, ret = 0;
1246 int p0[] = {163, 7,6, 3,0, -1}; 1401 int p0[] = { 163, 7, 6, 3, 0, -1 };
1247 int p1[] = {193, 15, 0, -1}; 1402 int p1[] = { 193, 15, 0, -1 };
1248 1403
1249 a = BN_new(); 1404 a = BN_new();
1250 b[0] = BN_new(); 1405 b[0] = BN_new();
@@ -1310,8 +1465,8 @@ test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx)
1310{ 1465{
1311 BIGNUM *a, *b[2], *c, *d; 1466 BIGNUM *a, *b[2], *c, *d;
1312 int i, j, ret = 0; 1467 int i, j, ret = 0;
1313 int p0[] = {163, 7,6, 3,0, -1}; 1468 int p0[] = { 163, 7, 6, 3, 0, -1 };
1314 int p1[] = {193, 15, 0, -1}; 1469 int p1[] = { 193, 15, 0, -1 };
1315 1470
1316 a = BN_new(); 1471 a = BN_new();
1317 b[0] = BN_new(); 1472 b[0] = BN_new();
@@ -1365,8 +1520,8 @@ test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx)
1365{ 1520{
1366 BIGNUM *a, *b[2], *c, *d; 1521 BIGNUM *a, *b[2], *c, *d;
1367 int i, j, ret = 0; 1522 int i, j, ret = 0;
1368 int p0[] = {163, 7,6, 3,0, -1}; 1523 int p0[] = { 163, 7, 6, 3, 0, -1 };
1369 int p1[] = {193, 15, 0, -1}; 1524 int p1[] = { 193, 15, 0, -1 };
1370 1525
1371 a = BN_new(); 1526 a = BN_new();
1372 b[0] = BN_new(); 1527 b[0] = BN_new();
@@ -1416,8 +1571,8 @@ test_gf2m_mod_div(BIO *bp, BN_CTX *ctx)
1416{ 1571{
1417 BIGNUM *a, *b[2], *c, *d, *e, *f; 1572 BIGNUM *a, *b[2], *c, *d, *e, *f;
1418 int i, j, ret = 0; 1573 int i, j, ret = 0;
1419 int p0[] = {163, 7,6, 3,0, -1}; 1574 int p0[] = { 163, 7, 6, 3, 0, -1 };
1420 int p1[] = {193, 15, 0, -1}; 1575 int p1[] = { 193, 15, 0, -1 };
1421 1576
1422 a = BN_new(); 1577 a = BN_new();
1423 b[0] = BN_new(); 1578 b[0] = BN_new();
@@ -1475,8 +1630,8 @@ test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx)
1475{ 1630{
1476 BIGNUM *a, *b[2], *c, *d, *e, *f; 1631 BIGNUM *a, *b[2], *c, *d, *e, *f;
1477 int i, j, ret = 0; 1632 int i, j, ret = 0;
1478 int p0[] = {163, 7,6, 3,0, -1}; 1633 int p0[] = { 163, 7, 6, 3, 0, -1 };
1479 int p1[] = {193, 15, 0, -1}; 1634 int p1[] = { 193, 15, 0, -1 };
1480 1635
1481 a = BN_new(); 1636 a = BN_new();
1482 b[0] = BN_new(); 1637 b[0] = BN_new();
@@ -1542,8 +1697,8 @@ test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx)
1542{ 1697{
1543 BIGNUM *a, *b[2], *c, *d, *e, *f; 1698 BIGNUM *a, *b[2], *c, *d, *e, *f;
1544 int i, j, ret = 0; 1699 int i, j, ret = 0;
1545 int p0[] = {163, 7,6, 3,0, -1}; 1700 int p0[] = { 163, 7, 6, 3, 0, -1 };
1546 int p1[] = {193, 15, 0, -1}; 1701 int p1[] = { 193, 15, 0, -1 };
1547 1702
1548 a = BN_new(); 1703 a = BN_new();
1549 b[0] = BN_new(); 1704 b[0] = BN_new();
@@ -1597,8 +1752,8 @@ test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx)
1597{ 1752{
1598 BIGNUM *a, *b[2], *c, *d, *e; 1753 BIGNUM *a, *b[2], *c, *d, *e;
1599 int i, j, s = 0, t, ret = 0; 1754 int i, j, s = 0, t, ret = 0;
1600 int p0[] = {163, 7,6, 3,0, -1}; 1755 int p0[] = { 163, 7, 6, 3, 0, -1 };
1601 int p1[] = {193, 15, 0, -1}; 1756 int p1[] = { 193, 15, 0, -1 };
1602 1757
1603 a = BN_new(); 1758 a = BN_new();
1604 b[0] = BN_new(); 1759 b[0] = BN_new();
@@ -1637,6 +1792,7 @@ test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx)
1637 fprintf(stderr, "GF(2^m) modular solve quadratic test failed!\n"); 1792 fprintf(stderr, "GF(2^m) modular solve quadratic test failed!\n");
1638 goto err; 1793 goto err;
1639 } 1794 }
1795
1640 } else { 1796 } else {
1641#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */ 1797#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
1642 if (bp != NULL) { 1798 if (bp != NULL) {
@@ -1652,7 +1808,7 @@ test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx)
1652 } 1808 }
1653 } 1809 }
1654 } 1810 }
1655 if (s == 0) { 1811 if (s == 0) {
1656 fprintf(stderr, "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n", num0); 1812 fprintf(stderr, "All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n", num0);
1657 fprintf(stderr, "this is very unlikely and probably indicates an error.\n"); 1813 fprintf(stderr, "this is very unlikely and probably indicates an error.\n");
1658 goto err; 1814 goto err;
@@ -1668,23 +1824,22 @@ err:
1668 return ret; 1824 return ret;
1669} 1825}
1670#endif 1826#endif
1671
1672static int 1827static int
1673genprime_cb(int p, int n, BN_GENCB *arg) 1828genprime_cb(int p, int n, BN_GENCB *arg)
1674{ 1829{
1675 char c='*'; 1830 char c = '*';
1676 1831
1677 if (p == 0) 1832 if (p == 0)
1678 c='.'; 1833 c = '.';
1679 if (p == 1) 1834 if (p == 1)
1680 c='+'; 1835 c = '+';
1681 if (p == 2) 1836 if (p == 2)
1682 c='*'; 1837 c = '*';
1683 if (p == 3) 1838 if (p == 3)
1684 c='\n'; 1839 c = '\n';
1685 putc(c, stderr); 1840 putc(c, stderr);
1686 fflush(stderr); 1841 fflush(stderr);
1687 return 1; 1842 return (1);
1688} 1843}
1689 1844
1690int 1845int
@@ -1705,14 +1860,15 @@ test_kron(BIO *bp, BN_CTX *ctx)
1705 1860
1706 BN_GENCB_set(&cb, genprime_cb, NULL); 1861 BN_GENCB_set(&cb, genprime_cb, NULL);
1707 1862
1708 /* We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). 1863 /*
1709 * In this case we know that if b is prime, then BN_kronecker(a, b, ctx) 1864 * We test BN_kronecker(a, b, ctx) just for b odd (Jacobi symbol). In
1710 * is congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). 1865 * this case we know that if b is prime, then BN_kronecker(a, b, ctx) is
1711 * So we generate a random prime b and compare these values 1866 * congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol). So we
1712 * for a number of random a's. (That is, we run the Solovay-Strassen 1867 * generate a random prime b and compare these values for a number of
1713 * primality test to confirm that b is prime, except that we 1868 * random a's. (That is, we run the Solovay-Strassen primality test to
1714 * don't want to test whether b is prime but whether BN_kronecker 1869 * confirm that b is prime, except that we don't want to test whether b
1715 * works.) */ 1870 * is prime but whether BN_kronecker works.)
1871 */
1716 1872
1717 if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb)) 1873 if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb))
1718 goto err; 1874 goto err;
@@ -1809,7 +1965,7 @@ test_sqrt(BIO *bp, BN_CTX *ctx)
1809 } else { 1965 } else {
1810 if (!BN_set_word(a, 32)) 1966 if (!BN_set_word(a, 32))
1811 goto err; 1967 goto err;
1812 if (!BN_set_word(r, 2*i + 1)) 1968 if (!BN_set_word(r, 2 * i + 1))
1813 goto err; 1969 goto err;
1814 1970
1815 if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb)) 1971 if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb))
@@ -1819,8 +1975,10 @@ test_sqrt(BIO *bp, BN_CTX *ctx)
1819 p->neg = rand_neg(); 1975 p->neg = rand_neg();
1820 1976
1821 for (j = 0; j < num2; j++) { 1977 for (j = 0; j < num2; j++) {
1822 /* construct 'a' such that it is a square modulo p, 1978 /*
1823 * but in general not a proper square and not reduced modulo p */ 1979 * construct 'a' such that it is a square modulo p, but in
1980 * general not a proper square and not reduced modulo p
1981 */
1824 if (!BN_bntest_rand(r, 256, 0, 3)) 1982 if (!BN_bntest_rand(r, 256, 0, 3))
1825 goto err; 1983 goto err;
1826 if (!BN_nnmod(r, r, p, ctx)) 1984 if (!BN_nnmod(r, r, p, ctx))
@@ -1889,7 +2047,7 @@ test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_)
1889 a = a_; 2047 a = a_;
1890 else { 2048 else {
1891 a = BN_new(); 2049 a = BN_new();
1892 BN_bntest_rand(a,200,0,0); 2050 BN_bntest_rand(a, 200, 0, 0);
1893 a->neg = rand_neg(); 2051 a->neg = rand_neg();
1894 } 2052 }
1895 for (i = 0; i < num0; i++) { 2053 for (i = 0; i < num0; i++) {
@@ -1905,7 +2063,7 @@ test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_)
1905 BN_print(bp, b); 2063 BN_print(bp, b);
1906 BIO_puts(bp, "\n"); 2064 BIO_puts(bp, "\n");
1907 } 2065 }
1908 BN_mul(d, a,c, ctx); 2066 BN_mul(d, a, c, ctx);
1909 BN_sub(d, d, b); 2067 BN_sub(d, d, b);
1910 if (!BN_is_zero(d)) { 2068 if (!BN_is_zero(d)) {
1911 fprintf(stderr, "Left shift test failed!\n"); 2069 fprintf(stderr, "Left shift test failed!\n");
@@ -1940,7 +2098,7 @@ test_lshift1(BIO *bp)
1940 b = BN_new(); 2098 b = BN_new();
1941 c = BN_new(); 2099 c = BN_new();
1942 2100
1943 BN_bntest_rand(a,200,0,0); 2101 BN_bntest_rand(a, 200, 0, 0);
1944 a->neg = rand_neg(); 2102 a->neg = rand_neg();
1945 for (i = 0; i < num0; i++) { 2103 for (i = 0; i < num0; i++) {
1946 (void)BN_lshift1(b, a); 2104 (void)BN_lshift1(b, a);
@@ -1983,7 +2141,7 @@ test_rshift(BIO *bp, BN_CTX *ctx)
1983 e = BN_new(); 2141 e = BN_new();
1984 BN_one(c); 2142 BN_one(c);
1985 2143
1986 BN_bntest_rand(a,200,0,0); 2144 BN_bntest_rand(a, 200, 0, 0);
1987 a->neg = rand_neg(); 2145 a->neg = rand_neg();
1988 for (i = 0; i < num0; i++) { 2146 for (i = 0; i < num0; i++) {
1989 (void)BN_rshift(b, a, i + 1); 2147 (void)BN_rshift(b, a, i + 1);
@@ -1998,7 +2156,7 @@ test_rshift(BIO *bp, BN_CTX *ctx)
1998 BN_print(bp, b); 2156 BN_print(bp, b);
1999 BIO_puts(bp, "\n"); 2157 BIO_puts(bp, "\n");
2000 } 2158 }
2001 BN_div(d, e,a, c, ctx); 2159 BN_div(d, e, a, c, ctx);
2002 BN_sub(d, d, b); 2160 BN_sub(d, d, b);
2003 if (!BN_is_zero(d)) { 2161 if (!BN_is_zero(d)) {
2004 fprintf(stderr, "Right shift test failed!\n"); 2162 fprintf(stderr, "Right shift test failed!\n");
@@ -2025,7 +2183,7 @@ test_rshift1(BIO *bp)
2025 b = BN_new(); 2183 b = BN_new();
2026 c = BN_new(); 2184 c = BN_new();
2027 2185
2028 BN_bntest_rand(a,200,0,0); 2186 BN_bntest_rand(a, 200, 0, 0);
2029 a->neg = rand_neg(); 2187 a->neg = rand_neg();
2030 for (i = 0; i < num0; i++) { 2188 for (i = 0; i < num0; i++) {
2031 (void)BN_rshift1(b, a); 2189 (void)BN_rshift1(b, a);
@@ -2057,7 +2215,7 @@ int
2057rand_neg(void) 2215rand_neg(void)
2058{ 2216{
2059 static unsigned int neg = 0; 2217 static unsigned int neg = 0;
2060 static int sign[8] = {0, 0,0, 1,1, 0,1, 1}; 2218 static int sign[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
2061 2219
2062 return (sign[(neg++) % 8]); 2220 return (sign[(neg++) % 8]);
2063} 2221}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-16 09:27:10 +0000