regress/libcrypto: merge exp/ into bn/

Move exp/exptest.c to bn/bn_mod_exp.c. This is a BN test that mostly tests a variety of BN_mod_exp*() API behavior and correctness. Commit stolen from jsing
author: tb <> 2022-12-01 21:21:51 +0000
committer: tb <> 2022-12-01 21:21:51 +0000
commit: 71fd38306a8cf41970029e506e8a2793c010e3ed (patch)
tree: 009dac1a4addacaf9a4e4fab38ce60cb3db8f131 /src/regress/lib/libcrypto/bn
parent: 32cbc4bb80ffd13ea1df93bf4cd22a4ff2bb7ca8 (diff)
download: openbsd-71fd38306a8cf41970029e506e8a2793c010e3ed.tar.gz
openbsd-71fd38306a8cf41970029e506e8a2793c010e3ed.tar.bz2
openbsd-71fd38306a8cf41970029e506e8a2793c010e3ed.zip
2 files changed, 361 insertions, 1 deletions
diff --git a/src/regress/lib/libcrypto/bn/Makefile b/src/regress/lib/libcrypto/bn/Makefile
index 971ace1c77..b5d146c71b 100644
--- a/src/regress/lib/libcrypto/bn/Makefile
+++ b/src/regress/lib/libcrypto/bn/Makefile
@@ -1,8 +1,9 @@
-#       $OpenBSD: Makefile,v 1.8 2022/12/01 20:50:10 tb Exp $
+#       $OpenBSD: Makefile,v 1.9 2022/12/01 21:21:51 tb Exp $
 PROGS +=        bn_add_sub
 PROGS +=        bn_cmp
 PROGS +=        bn_isqrt
+PROGS +=        bn_mod_exp
 PROGS +=        bn_mod_exp2_mont
 PROGS +=        bn_mod_sqrt
 PROGS +=        bn_mont
@@ -12,6 +13,7 @@ PROGS +=	bn_to_string
 PROGS +=        bn_unit
 STATIC_LINK +=  bn_isqrt
+STATIC_LINK +=  bn_mod_exp
 STATIC_LINK +=  bn_primes
 STATIC_LINK +=  bn_to_string
 STATIC_LINK +=  bn_rand_interval
diff --git a/src/regress/lib/libcrypto/bn/bn_mod_exp.c b/src/regress/lib/libcrypto/bn/bn_mod_exp.c
new file mode 100644
index 0000000000..337cbd1373
--- /dev/null
+++ b/src/regress/lib/libcrypto/bn/bn_mod_exp.c
@@ -0,0 +1,358 @@
+/*      $OpenBSD: bn_mod_exp.c,v 1.1 2022/12/01 21:21:51 tb Exp $       */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/err.h>
+int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#define NUM_BITS        (BN_BITS*2)
+/*
+ * Test that r == 0 in test_exp_mod_zero(). Returns one on success,
+ * returns zero and prints debug output otherwise.
+ */
+static int
+a_is_zero_mod_one(const char *method, const BIGNUM *r, const BIGNUM *a)
+{
+        if (!BN_is_zero(r)) {
+                fprintf(stderr, "%s failed:\n", method);
+                fprintf(stderr, "a ** 0 mod 1 = r (should be 0)\n");
+                fprintf(stderr, "a = ");
+                BN_print_fp(stderr, a);
+                fprintf(stderr, "\nr = ");
+                BN_print_fp(stderr, r);
+                fprintf(stderr, "\n");
+                return 0;
+        }
+        return 1;
+}
+/*
+ * test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success.
+ */
+static int
+test_exp_mod_zero(void)
+{
+        BIGNUM *a = NULL, *p = NULL, *m = NULL, *r = NULL;
+        BN_ULONG one_word = 1;
+        BN_CTX *ctx;
+        int ret = 1, failed = 0;
+        if ((ctx = BN_CTX_new()) == NULL)
+                goto err;
+        if ((m = BN_new()) == NULL)
+                goto err;
+        if (!BN_one(m))
+                goto err;
+        if ((a = BN_new()) == NULL)
+                goto err;
+        if (!BN_one(a))
+                goto err;
+        if ((p = BN_new()) == NULL)
+                goto err;
+        BN_zero(p);
+        if ((r = BN_new()) == NULL)
+                goto err;
+        if (!BN_rand(a, 1024, 0, 0))
+                goto err;
+        if (!BN_mod_exp(r, a, p, m, ctx))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp", r, a))
+                failed = 1;
+        if (!BN_mod_exp_ct(r, a, p, m, ctx))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp_ct", r, a))
+                failed = 1;
+        if (!BN_mod_exp_nonct(r, a, p, m, ctx))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp_nonct", r, a))
+                failed = 1;
+        if (!BN_mod_exp_recp(r, a, p, m, ctx))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp_recp", r, a))
+                failed = 1;
+        if (!BN_mod_exp_simple(r, a, p, m, ctx))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp_simple", r, a))
+                failed = 1;
+        if (!BN_mod_exp_mont(r, a, p, m, ctx, NULL))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp_mont", r, a))
+                failed = 1;
+        if (!BN_mod_exp_mont_ct(r, a, p, m, ctx, NULL))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp_mont_ct", r, a))
+                failed = 1;
+        if (!BN_mod_exp_mont_nonct(r, a, p, m, ctx, NULL))
+                goto err;
+        if (!a_is_zero_mod_one("BN_mod_exp_mont_nonct", r, a))
+                failed = 1;
+        if (!BN_mod_exp_mont_consttime(r, a, p, m, ctx, NULL)) {
+                goto err;
+        }
+        if (!a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a))
+                failed = 1;
+        /*
+         * A different codepath exists for single word multiplication
+         * in non-constant-time only.
+         */
+        if (!BN_mod_exp_mont_word(r, one_word, p, m, ctx, NULL))
+                goto err;
+        if (!BN_is_zero(r)) {
+                fprintf(stderr, "BN_mod_exp_mont_word failed:\n");
+                fprintf(stderr, "1 ** 0 mod 1 = r (should be 0)\n");
+                fprintf(stderr, "r = ");
+                BN_print_fp(stderr, r);
+                fprintf(stderr, "\n");
+                return 0;
+        }
+        ret = failed;
+ err:
+        BN_free(r);
+        BN_free(a);
+        BN_free(p);
+        BN_free(m);
+        BN_CTX_free(ctx);
+        return ret;
+}
+int
+main(int argc, char *argv[])
+{
+        BIGNUM *r_mont, *r_mont_const, *r_recp, *r_simple;
+        BIGNUM *r_mont_ct, *r_mont_nonct, *a, *b, *m;
+        BN_CTX *ctx;
+        BIO *out = NULL;
+        unsigned char c;
+        int i, ret;
+        ERR_load_BN_strings();
+        if ((ctx = BN_CTX_new()) == NULL)
+                goto err;
+        if ((r_mont = BN_new()) == NULL)
+                goto err;
+        if ((r_mont_const = BN_new()) == NULL)
+                goto err;
+        if ((r_mont_ct = BN_new()) == NULL)
+                goto err;
+        if ((r_mont_nonct = BN_new()) == NULL)
+                goto err;
+        if ((r_recp = BN_new()) == NULL)
+                goto err;
+        if ((r_simple = BN_new()) == NULL)
+                goto err;
+        if ((a = BN_new()) == NULL)
+                goto err;
+        if ((b = BN_new()) == NULL)
+                goto err;
+        if ((m = BN_new()) == NULL)
+                goto err;
+        if ((out = BIO_new(BIO_s_file())) == NULL)
+                exit(1);
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+        for (i = 0; i < 200; i++) {
+                arc4random_buf(&c, 1);
+                c = (c % BN_BITS) - BN_BITS2;
+                BN_rand(a, NUM_BITS + c, 0, 0);
+                arc4random_buf(&c, 1);
+                c = (c % BN_BITS) - BN_BITS2;
+                BN_rand(b, NUM_BITS + c, 0, 0);
+                arc4random_buf(&c, 1);
+                c = (c % BN_BITS) - BN_BITS2;
+                BN_rand(m, NUM_BITS + c, 0, 1);
+                BN_mod(a, a, m, ctx);
+                BN_mod(b, b, m, ctx);
+                ret = BN_mod_exp_mont(r_mont, a, b, m, ctx, NULL);
+                if (ret <= 0) {
+                        printf("BN_mod_exp_mont() problems\n");
+                        goto err;
+                }
+                ret = BN_mod_exp_mont_ct(r_mont_ct, a, b, m, ctx, NULL);
+                if (ret <= 0) {
+                        printf("BN_mod_exp_mont_ct() problems\n");
+                        goto err;
+                }
+                ret = BN_mod_exp_mont_nonct(r_mont_nonct, a, b, m, ctx, NULL);
+                if (ret <= 0) {
+                        printf("BN_mod_exp_mont_nonct() problems\n");
+                        goto err;
+                }
+                ret = BN_mod_exp_recp(r_recp, a, b, m, ctx);
+                if (ret <= 0) {
+                        printf("BN_mod_exp_recp() problems\n");
+                        goto err;
+                }
+                ret = BN_mod_exp_simple(r_simple, a, b, m, ctx);
+                if (ret <= 0) {
+                        printf("BN_mod_exp_simple() problems\n");
+                        goto err;
+                }
+                ret = BN_mod_exp_mont_consttime(r_mont_const, a, b, m, ctx, NULL);
+                if (ret <= 0) {
+                        printf("BN_mod_exp_mont_consttime() problems\n");
+                        goto err;
+                }
+                if (BN_cmp(r_simple, r_mont) != 0 ||
+                    BN_cmp(r_simple, r_recp) != 0 ||
+                    BN_cmp(r_simple, r_mont_const) != 0) {
+                        if (BN_cmp(r_simple, r_mont) != 0)
+                                printf("\nsimple and mont results differ\n");
+                        if (BN_cmp(r_simple, r_mont_const) != 0)
+                                printf("\nsimple and mont const time results differ\n");
+                        if (BN_cmp(r_simple, r_recp) != 0)
+                                printf("\nsimple and recp results differ\n");
+                        if (BN_cmp(r_mont, r_mont_ct) != 0)
+                                printf("\nmont_ct and mont results differ\n");
+                        if (BN_cmp(r_mont_ct, r_mont_nonct) != 0)
+                                printf("\nmont_ct and mont_nonct results differ\n");
+                        printf("a (%3d) = ", BN_num_bits(a));
+                        BN_print(out, a);
+                        printf("\nb (%3d) = ", BN_num_bits(b));
+                        BN_print(out, b);
+                        printf("\nm (%3d) = ", BN_num_bits(m));
+                        BN_print(out, m);
+                        printf("\nsimple   =");
+                        BN_print(out, r_simple);
+                        printf("\nrecp   =");
+                        BN_print(out, r_recp);
+                        printf("\nmont   =");
+                        BN_print(out, r_mont);
+                        printf("\nmont_ct  =");
+                        BN_print(out, r_mont_const);
+                        printf("\n");
+                        exit(1);
+                }
+        }
+        BN_free(r_mont);
+        BN_free(r_mont_const);
+        BN_free(r_mont_ct);
+        BN_free(r_mont_nonct);
+        BN_free(r_recp);
+        BN_free(r_simple);
+        BN_free(a);
+        BN_free(b);
+        BN_free(m);
+        BN_CTX_free(ctx);
+        ERR_remove_thread_state(NULL);
+        CRYPTO_mem_leaks(out);
+        BIO_free(out);
+        if (test_exp_mod_zero() != 0)
+                goto err;
+        return (0);
+ err:
+        ERR_load_crypto_strings();
+        ERR_print_errors(out);
+        return (1);
+}
author	tb <>	2022-12-01 21:21:51 +0000
committer	tb <>	2022-12-01 21:21:51 +0000
commit	71fd38306a8cf41970029e506e8a2793c010e3ed (patch)
tree	009dac1a4addacaf9a4e4fab38ce60cb3db8f131 /src/regress/lib/libcrypto/bn
parent	32cbc4bb80ffd13ea1df93bf4cd22a4ff2bb7ca8 (diff)
download	openbsd-71fd38306a8cf41970029e506e8a2793c010e3ed.tar.gz openbsd-71fd38306a8cf41970029e506e8a2793c010e3ed.tar.bz2 openbsd-71fd38306a8cf41970029e506e8a2793c010e3ed.zip

diff --git a/src/regress/lib/libcrypto/bn/Makefile b/src/regress/lib/libcrypto/bn/Makefile index 971ace1c77..b5d146c71b 100644 --- a/src/regress/lib/libcrypto/bn/Makefile +++ b/src/regress/lib/libcrypto/bn/Makefile
@@ -1,8 +1,9 @@
1	# $OpenBSD: Makefile,v 1.8 2022/12/01 20:50:10 tb Exp $	1	# $OpenBSD: Makefile,v 1.9 2022/12/01 21:21:51 tb Exp $
2		2
3	PROGS += bn_add_sub	3	PROGS += bn_add_sub
4	PROGS += bn_cmp	4	PROGS += bn_cmp
5	PROGS += bn_isqrt	5	PROGS += bn_isqrt
		6	PROGS += bn_mod_exp
6	PROGS += bn_mod_exp2_mont	7	PROGS += bn_mod_exp2_mont
7	PROGS += bn_mod_sqrt	8	PROGS += bn_mod_sqrt
8	PROGS += bn_mont	9	PROGS += bn_mont
@@ -12,6 +13,7 @@ PROGS += bn_to_string
12	PROGS += bn_unit	13	PROGS += bn_unit
13		14
14	STATIC_LINK += bn_isqrt	15	STATIC_LINK += bn_isqrt
		16	STATIC_LINK += bn_mod_exp
15	STATIC_LINK += bn_primes	17	STATIC_LINK += bn_primes
16	STATIC_LINK += bn_to_string	18	STATIC_LINK += bn_to_string
17	STATIC_LINK += bn_rand_interval	19	STATIC_LINK += bn_rand_interval


diff --git a/src/regress/lib/libcrypto/bn/bn_mod_exp.c b/src/regress/lib/libcrypto/bn/bn_mod_exp.c new file mode 100644 index 0000000000..337cbd1373 --- /dev/null +++ b/src/regress/lib/libcrypto/bn/bn_mod_exp.c
@@ -0,0 +1,358 @@
		1	/* $OpenBSD: bn_mod_exp.c,v 1.1 2022/12/01 21:21:51 tb Exp $ */
		2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
		3	* All rights reserved.
		4	*
		5	* This package is an SSL implementation written
		6	* by Eric Young (eay@cryptsoft.com).
		7	* The implementation was written so as to conform with Netscapes SSL.
		8	*
		9	* This library is free for commercial and non-commercial use as long as
		10	* the following conditions are aheared to. The following conditions
		11	* apply to all code found in this distribution, be it the RC4, RSA,
		12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
		13	* included with this distribution is covered by the same copyright terms
		14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
		15	*
		16	* Copyright remains Eric Young's, and as such any Copyright notices in
		17	* the code are not to be removed.
		18	* If this package is used in a product, Eric Young should be given attribution
		19	* as the author of the parts of the library used.
		20	* This can be in the form of a textual message at program startup or
		21	* in documentation (online or textual) provided with the package.
		22	*
		23	* Redistribution and use in source and binary forms, with or without
		24	* modification, are permitted provided that the following conditions
		25	* are met:
		26	* 1. Redistributions of source code must retain the copyright
		27	* notice, this list of conditions and the following disclaimer.
		28	* 2. Redistributions in binary form must reproduce the above copyright
		29	* notice, this list of conditions and the following disclaimer in the
		30	* documentation and/or other materials provided with the distribution.
		31	* 3. All advertising materials mentioning features or use of this software
		32	* must display the following acknowledgement:
		33	* "This product includes cryptographic software written by
		34	* Eric Young (eay@cryptsoft.com)"
		35	* The word 'cryptographic' can be left out if the rouines from the library
		36	* being used are not cryptographic related :-).
		37	* 4. If you include any Windows specific code (or a derivative thereof) from
		38	* the apps directory (application code) you must include an acknowledgement:
		39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
		40	*
		41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
		42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
		44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
		45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
		46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
		47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
		48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
		49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
		50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
		51	* SUCH DAMAGE.
		52	*
		53	* The licence and distribution terms for any publically available version or
		54	* derivative of this code cannot be changed. i.e. this code cannot simply be
		55	* copied and put under another distribution licence
		56	* [including the GNU Public Licence.]
		57	*/
		58
		59	#include <stdio.h>
		60	#include <stdlib.h>
		61	#include <string.h>
		62
		63	#include <openssl/bio.h>
		64	#include <openssl/bn.h>
		65	#include <openssl/err.h>
		66
		67	int BN_mod_exp_ct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		68	const BIGNUM m, BN_CTX ctx);
		69	int BN_mod_exp_nonct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		70	const BIGNUM m, BN_CTX ctx);
		71	int BN_mod_exp_mont_ct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		72	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);
		73	int BN_mod_exp_mont_nonct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		74	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);
		75
		76	#define NUM_BITS (BN_BITS*2)
		77
		78	/*
		79	* Test that r == 0 in test_exp_mod_zero(). Returns one on success,
		80	* returns zero and prints debug output otherwise.
		81	*/
		82	static int
		83	a_is_zero_mod_one(const char method, const BIGNUM r, const BIGNUM *a)
		84	{
		85	if (!BN_is_zero(r)) {
		86	fprintf(stderr, "%s failed:\n", method);
		87	fprintf(stderr, "a ** 0 mod 1 = r (should be 0)\n");
		88	fprintf(stderr, "a = ");
		89	BN_print_fp(stderr, a);
		90	fprintf(stderr, "\nr = ");
		91	BN_print_fp(stderr, r);
		92	fprintf(stderr, "\n");
		93	return 0;
		94	}
		95	return 1;
		96	}
		97
		98	/*
		99	* test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success.
		100	*/
		101	static int
		102	test_exp_mod_zero(void)
		103	{
		104	BIGNUM a = NULL, p = NULL, m = NULL, r = NULL;
		105	BN_ULONG one_word = 1;
		106	BN_CTX *ctx;
		107	int ret = 1, failed = 0;
		108
		109	if ((ctx = BN_CTX_new()) == NULL)
		110	goto err;
		111	if ((m = BN_new()) == NULL)
		112	goto err;
		113	if (!BN_one(m))
		114	goto err;
		115
		116	if ((a = BN_new()) == NULL)
		117	goto err;
		118	if (!BN_one(a))
		119	goto err;
		120
		121	if ((p = BN_new()) == NULL)
		122	goto err;
		123	BN_zero(p);
		124
		125	if ((r = BN_new()) == NULL)
		126	goto err;
		127
		128	if (!BN_rand(a, 1024, 0, 0))
		129	goto err;
		130
		131	if (!BN_mod_exp(r, a, p, m, ctx))
		132	goto err;
		133
		134	if (!a_is_zero_mod_one("BN_mod_exp", r, a))
		135	failed = 1;
		136
		137	if (!BN_mod_exp_ct(r, a, p, m, ctx))
		138	goto err;
		139
		140	if (!a_is_zero_mod_one("BN_mod_exp_ct", r, a))
		141	failed = 1;
		142
		143	if (!BN_mod_exp_nonct(r, a, p, m, ctx))
		144	goto err;
		145
		146	if (!a_is_zero_mod_one("BN_mod_exp_nonct", r, a))
		147	failed = 1;
		148
		149	if (!BN_mod_exp_recp(r, a, p, m, ctx))
		150	goto err;
		151
		152	if (!a_is_zero_mod_one("BN_mod_exp_recp", r, a))
		153	failed = 1;
		154
		155	if (!BN_mod_exp_simple(r, a, p, m, ctx))
		156	goto err;
		157
		158	if (!a_is_zero_mod_one("BN_mod_exp_simple", r, a))
		159	failed = 1;
		160
		161	if (!BN_mod_exp_mont(r, a, p, m, ctx, NULL))
		162	goto err;
		163
		164	if (!a_is_zero_mod_one("BN_mod_exp_mont", r, a))
		165	failed = 1;
		166
		167	if (!BN_mod_exp_mont_ct(r, a, p, m, ctx, NULL))
		168	goto err;
		169
		170	if (!a_is_zero_mod_one("BN_mod_exp_mont_ct", r, a))
		171	failed = 1;
		172
		173	if (!BN_mod_exp_mont_nonct(r, a, p, m, ctx, NULL))
		174	goto err;
		175
		176	if (!a_is_zero_mod_one("BN_mod_exp_mont_nonct", r, a))
		177	failed = 1;
		178
		179	if (!BN_mod_exp_mont_consttime(r, a, p, m, ctx, NULL)) {
		180	goto err;
		181	}
		182
		183	if (!a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a))
		184	failed = 1;
		185
		186	/*
		187	* A different codepath exists for single word multiplication
		188	* in non-constant-time only.
		189	*/
		190	if (!BN_mod_exp_mont_word(r, one_word, p, m, ctx, NULL))
		191	goto err;
		192
		193	if (!BN_is_zero(r)) {
		194	fprintf(stderr, "BN_mod_exp_mont_word failed:\n");
		195	fprintf(stderr, "1 ** 0 mod 1 = r (should be 0)\n");
		196	fprintf(stderr, "r = ");
		197	BN_print_fp(stderr, r);
		198	fprintf(stderr, "\n");
		199	return 0;
		200	}
		201
		202	ret = failed;
		203
		204	err:
		205	BN_free(r);
		206	BN_free(a);
		207	BN_free(p);
		208	BN_free(m);
		209	BN_CTX_free(ctx);
		210
		211	return ret;
		212	}
		213
		214	int
		215	main(int argc, char *argv[])
		216	{
		217	BIGNUM r_mont, r_mont_const, r_recp, r_simple;
		218	BIGNUM r_mont_ct, r_mont_nonct, a, b, *m;
		219	BN_CTX *ctx;
		220	BIO *out = NULL;
		221	unsigned char c;
		222	int i, ret;
		223
		224	ERR_load_BN_strings();
		225
		226	if ((ctx = BN_CTX_new()) == NULL)
		227	goto err;
		228	if ((r_mont = BN_new()) == NULL)
		229	goto err;
		230	if ((r_mont_const = BN_new()) == NULL)
		231	goto err;
		232	if ((r_mont_ct = BN_new()) == NULL)
		233	goto err;
		234	if ((r_mont_nonct = BN_new()) == NULL)
		235	goto err;
		236	if ((r_recp = BN_new()) == NULL)
		237	goto err;
		238	if ((r_simple = BN_new()) == NULL)
		239	goto err;
		240	if ((a = BN_new()) == NULL)
		241	goto err;
		242	if ((b = BN_new()) == NULL)
		243	goto err;
		244	if ((m = BN_new()) == NULL)
		245	goto err;
		246
		247	if ((out = BIO_new(BIO_s_file())) == NULL)
		248	exit(1);
		249	BIO_set_fp(out, stdout, BIO_NOCLOSE);
		250
		251	for (i = 0; i < 200; i++) {
		252	arc4random_buf(&c, 1);
		253	c = (c % BN_BITS) - BN_BITS2;
		254	BN_rand(a, NUM_BITS + c, 0, 0);
		255
		256	arc4random_buf(&c, 1);
		257	c = (c % BN_BITS) - BN_BITS2;
		258	BN_rand(b, NUM_BITS + c, 0, 0);
		259
		260	arc4random_buf(&c, 1);
		261	c = (c % BN_BITS) - BN_BITS2;
		262	BN_rand(m, NUM_BITS + c, 0, 1);
		263
		264	BN_mod(a, a, m, ctx);
		265	BN_mod(b, b, m, ctx);
		266
		267	ret = BN_mod_exp_mont(r_mont, a, b, m, ctx, NULL);
		268	if (ret <= 0) {
		269	printf("BN_mod_exp_mont() problems\n");
		270	goto err;
		271	}
		272
		273	ret = BN_mod_exp_mont_ct(r_mont_ct, a, b, m, ctx, NULL);
		274	if (ret <= 0) {
		275	printf("BN_mod_exp_mont_ct() problems\n");
		276	goto err;
		277	}
		278
		279	ret = BN_mod_exp_mont_nonct(r_mont_nonct, a, b, m, ctx, NULL);
		280	if (ret <= 0) {
		281	printf("BN_mod_exp_mont_nonct() problems\n");
		282	goto err;
		283	}
		284
		285	ret = BN_mod_exp_recp(r_recp, a, b, m, ctx);
		286	if (ret <= 0) {
		287	printf("BN_mod_exp_recp() problems\n");
		288	goto err;
		289	}
		290
		291	ret = BN_mod_exp_simple(r_simple, a, b, m, ctx);
		292	if (ret <= 0) {
		293	printf("BN_mod_exp_simple() problems\n");
		294	goto err;
		295	}
		296
		297	ret = BN_mod_exp_mont_consttime(r_mont_const, a, b, m, ctx, NULL);
		298	if (ret <= 0) {
		299	printf("BN_mod_exp_mont_consttime() problems\n");
		300	goto err;
		301	}
		302
		303	if (BN_cmp(r_simple, r_mont) != 0 \|\|
		304	BN_cmp(r_simple, r_recp) != 0 \|\|
		305	BN_cmp(r_simple, r_mont_const) != 0) {
		306	if (BN_cmp(r_simple, r_mont) != 0)
		307	printf("\nsimple and mont results differ\n");
		308	if (BN_cmp(r_simple, r_mont_const) != 0)
		309	printf("\nsimple and mont const time results differ\n");
		310	if (BN_cmp(r_simple, r_recp) != 0)
		311	printf("\nsimple and recp results differ\n");
		312	if (BN_cmp(r_mont, r_mont_ct) != 0)
		313	printf("\nmont_ct and mont results differ\n");
		314	if (BN_cmp(r_mont_ct, r_mont_nonct) != 0)
		315	printf("\nmont_ct and mont_nonct results differ\n");
		316
		317	printf("a (%3d) = ", BN_num_bits(a));
		318	BN_print(out, a);
		319	printf("\nb (%3d) = ", BN_num_bits(b));
		320	BN_print(out, b);
		321	printf("\nm (%3d) = ", BN_num_bits(m));
		322	BN_print(out, m);
		323	printf("\nsimple =");
		324	BN_print(out, r_simple);
		325	printf("\nrecp =");
		326	BN_print(out, r_recp);
		327	printf("\nmont =");
		328	BN_print(out, r_mont);
		329	printf("\nmont_ct =");
		330	BN_print(out, r_mont_const);
		331	printf("\n");
		332	exit(1);
		333	}
		334	}
		335	BN_free(r_mont);
		336	BN_free(r_mont_const);
		337	BN_free(r_mont_ct);
		338	BN_free(r_mont_nonct);
		339	BN_free(r_recp);
		340	BN_free(r_simple);
		341	BN_free(a);
		342	BN_free(b);
		343	BN_free(m);
		344	BN_CTX_free(ctx);
		345	ERR_remove_thread_state(NULL);
		346	CRYPTO_mem_leaks(out);
		347	BIO_free(out);
		348
		349	if (test_exp_mod_zero() != 0)
		350	goto err;
		351
		352	return (0);
		353
		354	err:
		355	ERR_load_crypto_strings();
		356	ERR_print_errors(out);
		357	return (1);
		358	}