kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
778 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: bbd8444d92
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bbd8444d92'
${ noResults }
boringssl/crypto/bn/bn_test.c

1470 lines
33 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  59.  *

  60.  * Portions of the attached software ("Contribution") are developed by

  61.  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.

  62.  *

  63.  * The Contribution is licensed pursuant to the Eric Young open source

  64.  * license provided above.

  65.  *

  66.  * The binary polynomial arithmetic software is originally written by

  67.  * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems

  68.  * Laboratories. */

  69. 

  70. #include <stdio.h>

  71. 

  72. #include <openssl/bio.h>

  73. #include <openssl/bn.h>

  74. #include <openssl/crypto.h>

  75. #include <openssl/err.h>

  76. #include <openssl/mem.h>

  77. 

  78. #include "internal.h"

  79. 

  80. static const int num0 = 100; /* number of tests */

  81. static const int num1 = 50;  /* additional tests for some functions */

  82. static const int num2 = 5;   /* number of tests for slow functions */

  83. 

  84. int test_add(BIO *bp);

  85. int test_sub(BIO *bp);

  86. int test_lshift1(BIO *bp);

  87. int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_);

  88. int test_rshift1(BIO *bp);

  89. int test_rshift(BIO *bp, BN_CTX *ctx);

  90. int test_sqr(BIO *bp, BN_CTX *ctx);

  91. int test_mul(BIO *bp);

  92. int test_div(BIO *bp, BN_CTX *ctx);

  93. int rand_neg(void);

  94. 

  95. int test_div_word(BIO *bp);

  96. int test_mont(BIO *bp, BN_CTX *ctx);

  97. int test_mod(BIO *bp, BN_CTX *ctx);

  98. int test_mod_mul(BIO *bp, BN_CTX *ctx);

  99. int test_mod_exp(BIO *bp, BN_CTX *ctx);

  100. int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);

  101. int test_exp(BIO *bp, BN_CTX *ctx);

  102. int test_mod_sqrt(BIO *bp, BN_CTX *ctx);

  103. static int test_exp_mod_zero(void);

  104. int test_small_prime(BIO *bp,BN_CTX *ctx);

  105. int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);

  106. int test_sqrt(BIO *bp, BN_CTX *ctx);

  107. int test_bn2bin_padded(BIO *bp, BN_CTX *ctx);

  108. #if 0

  109. int test_gf2m_add(BIO *bp);

  110. int test_gf2m_mod(BIO *bp);

  111. int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx);

  112. int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx);

  113. int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx);

  114. int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx);

  115. int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx);

  116. int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx);

  117. int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);

  118. #endif

  119. static int results = 0;

  120. 

  121. static unsigned char lst[] =

  122.     "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"

  123.     "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";

  124. 

  125. static void ERR_print_errors_fp(FILE *out) {

  126. }

  127. 

  128. static void message(BIO *out, char *m) {

  129.   BIO_puts(out, "print \"test ");

  130.   BIO_puts(out, m);

  131.   BIO_puts(out, "\\n\"\n");

  132. }

  133. 

  134. int main(int argc, char *argv[]) {

  135.   BN_CTX *ctx;

  136.   BIO *out = NULL;

  137.   char *outfile = NULL;

  138. 

  139.   CRYPTO_library_init();

  140. 

  141.   results = 0;

  142. 

  143.   argc--;

  144.   argv++;

  145.   while (argc >= 1) {

  146.     if (strcmp(*argv, "-results") == 0)

  147.       results = 1;

  148.     else if (strcmp(*argv, "-out") == 0) {

  149.       if (--argc < 1)

  150.         break;

  151.       outfile = *(++argv);

  152.     }

  153.     argc--;

  154.     argv++;

  155.   }

  156. 

  157. 

  158.   ctx = BN_CTX_new();

  159.   if (ctx == NULL)

  160.     return 1;

  161. 

  162.   out = BIO_new(BIO_s_file());

  163.   if (out == NULL) {

  164.     return 1;

  165.   }

  166. 

  167.   if (outfile == NULL) {

  168.     BIO_set_fp(out, stdout, BIO_NOCLOSE);

  169.   } else {

  170.     if (!BIO_write_filename(out, outfile)) {

  171.       perror(outfile);

  172.       return 1;

  173.     }

  174.   }

  175. 

  176.   if (!results)

  177.     BIO_puts(out, "obase=16\nibase=16\n");

  178. 

  179.   message(out, "BN_add");

  180.   if (!test_add(out))

  181.     goto err;

  182.   (void)BIO_flush(out);

  183. 

  184.   message(out, "BN_sub");

  185.   if (!test_sub(out))

  186.     goto err;

  187.   (void)BIO_flush(out);

  188. 

  189.   message(out, "BN_lshift1");

  190.   if (!test_lshift1(out))

  191.     goto err;

  192.   (void)BIO_flush(out);

  193. 

  194.   message(out, "BN_lshift (fixed)");

  195.   if (!test_lshift(out, ctx, BN_bin2bn(lst, sizeof(lst) - 1, NULL)))

  196.     goto err;

  197.   (void)BIO_flush(out);

  198. 

  199.   message(out, "BN_lshift");

  200.   if (!test_lshift(out, ctx, NULL))

  201.     goto err;

  202.   (void)BIO_flush(out);

  203. 

  204.   message(out, "BN_rshift1");

  205.   if (!test_rshift1(out))

  206.     goto err;

  207.   (void)BIO_flush(out);

  208. 

  209.   message(out, "BN_rshift");

  210.   if (!test_rshift(out, ctx))

  211.     goto err;

  212.   (void)BIO_flush(out);

  213. 

  214.   message(out, "BN_sqr");

  215.   if (!test_sqr(out, ctx))

  216.     goto err;

  217.   (void)BIO_flush(out);

  218. 

  219.   message(out, "BN_mul");

  220.   if (!test_mul(out))

  221.     goto err;

  222.   (void)BIO_flush(out);

  223. 

  224.   message(out, "BN_div");

  225.   if (!test_div(out, ctx))

  226.     goto err;

  227.   (void)BIO_flush(out);

  228. 

  229.   message(out, "BN_div_word");

  230.   if (!test_div_word(out))

  231.     goto err;

  232.   (void)BIO_flush(out);

  233. 

  234.   message(out, "BN_mod");

  235.   if (!test_mod(out, ctx))

  236.     goto err;

  237.   (void)BIO_flush(out);

  238. 

  239.   message(out, "BN_mod_mul");

  240.   if (!test_mod_mul(out, ctx))

  241.     goto err;

  242.   (void)BIO_flush(out);

  243. 

  244.   message(out, "BN_mont");

  245.   if (!test_mont(out, ctx))

  246.     goto err;

  247.   (void)BIO_flush(out);

  248. 

  249.   message(out, "BN_mod_exp");

  250.   if (!test_mod_exp(out, ctx))

  251.     goto err;

  252.   (void)BIO_flush(out);

  253. 

  254.   message(out, "BN_mod_exp_mont_consttime");

  255.   if (!test_mod_exp_mont_consttime(out, ctx) ||

  256.       !test_mod_exp_mont5(out, ctx)) {

  257.     goto err;

  258.   }

  259.   (void)BIO_flush(out);

  260. 

  261.   message(out, "BN_exp");

  262.   if (!test_exp(out, ctx) ||

  263.       !test_exp_mod_zero()) {

  264.     goto err;

  265.   }

  266.   (void)BIO_flush(out);

  267. 

  268.   message(out, "BN_mod_sqrt");

  269.   if (!test_mod_sqrt(out, ctx))

  270.     goto err;

  271.   (void)BIO_flush(out);

  272. 

  273.   message(out, "Small prime generation");

  274.   if (!test_small_prime(out, ctx))

  275.     goto err;

  276.   (void)BIO_flush(out);

  277. 

  278.   message(out, "BN_sqrt");

  279.   if (!test_sqrt(out, ctx))

  280.     goto err;

  281.   (void)BIO_flush(out);

  282. 

  283.   message(out, "BN_bn2bin_padded");

  284.   if (!test_bn2bin_padded(out, ctx))

  285.     goto err;

  286.   (void)BIO_flush(out);

  287. 

  288.   BN_CTX_free(ctx);

  289.   BIO_free(out);

  290. 

  291.   printf("PASS\n");

  292.   return 0;

  293. 

  294. err:

  295.   BIO_puts(out, "1\n"); /* make sure the Perl script fed by bc notices

  296.                          * the failure, see test_bn in test/Makefile.ssl*/

  297.   (void)BIO_flush(out);

  298. 

  299.   return 1;

  300. }

  301. 

  302. int test_add(BIO *bp) {

  303.   BIGNUM a, b, c;

  304.   int i;

  305. 

  306.   BN_init(&a);

  307.   BN_init(&b);

  308.   BN_init(&c);

  309. 

  310.   BN_rand(&a, 512, 0, 0);

  311.   for (i = 0; i < num0; i++) {

  312.     BN_rand(&b, 450 + i, 0, 0);

  313.     a.neg = rand_neg();

  314.     b.neg = rand_neg();

  315.     BN_add(&c, &a, &b);

  316.     if (bp != NULL) {

  317.       if (!results) {

  318.         BN_print(bp, &a);

  319.         BIO_puts(bp, " + ");

  320.         BN_print(bp, &b);

  321.         BIO_puts(bp, " - ");

  322.       }

  323.       BN_print(bp, &c);

  324.       BIO_puts(bp, "\n");

  325.     }

  326.     a.neg = !a.neg;

  327.     b.neg = !b.neg;

  328.     BN_add(&c, &c, &b);

  329.     BN_add(&c, &c, &a);

  330.     if (!BN_is_zero(&c)) {

  331.       fprintf(stderr, "Add test failed!\n");

  332.       return 0;

  333.     }

  334.   }

  335.   BN_free(&a);

  336.   BN_free(&b);

  337.   BN_free(&c);

  338.   return (1);

  339. }

  340. 

  341. int test_sub(BIO *bp) {

  342.   BIGNUM a, b, c;

  343.   int i;

  344. 

  345.   BN_init(&a);

  346.   BN_init(&b);

  347.   BN_init(&c);

  348. 

  349.   for (i = 0; i < num0 + num1; i++) {

  350.     if (i < num1) {

  351.       BN_rand(&a, 512, 0, 0);

  352.       BN_copy(&b, &a);

  353.       if (BN_set_bit(&a, i) == 0)

  354.         return (0);

  355.       BN_add_word(&b, i);

  356.     } else {

  357.       BN_rand(&b, 400 + i - num1, 0, 0);

  358.       a.neg = rand_neg();

  359.       b.neg = rand_neg();

  360.     }

  361.     BN_sub(&c, &a, &b);

  362.     if (bp != NULL) {

  363.       if (!results) {

  364.         BN_print(bp, &a);

  365.         BIO_puts(bp, " - ");

  366.         BN_print(bp, &b);

  367.         BIO_puts(bp, " - ");

  368.       }

  369.       BN_print(bp, &c);

  370.       BIO_puts(bp, "\n");

  371.     }

  372.     BN_add(&c, &c, &b);

  373.     BN_sub(&c, &c, &a);

  374.     if (!BN_is_zero(&c)) {

  375.       fprintf(stderr, "Subtract test failed!\n");

  376.       return 0;

  377.     }

  378.   }

  379.   BN_free(&a);

  380.   BN_free(&b);

  381.   BN_free(&c);

  382.   return (1);

  383. }

  384. 

  385. int test_div(BIO *bp, BN_CTX *ctx) {

  386.   BIGNUM a, b, c, d, e;

  387.   int i;

  388. 

  389.   BN_init(&a);

  390.   BN_init(&b);

  391.   BN_init(&c);

  392.   BN_init(&d);

  393.   BN_init(&e);

  394. 

  395.   for (i = 0; i < num0 + num1; i++) {

  396.     if (i < num1) {

  397.       BN_rand(&a, 400, 0, 0);

  398.       BN_copy(&b, &a);

  399.       BN_lshift(&a, &a, i);

  400.       BN_add_word(&a, i);

  401.     } else

  402.       BN_rand(&b, 50 + 3 * (i - num1), 0, 0);

  403.     a.neg = rand_neg();

  404.     b.neg = rand_neg();

  405.     BN_div(&d, &c, &a, &b, ctx);

  406.     if (bp != NULL) {

  407.       if (!results) {

  408.         BN_print(bp, &a);

  409.         BIO_puts(bp, " / ");

  410.         BN_print(bp, &b);

  411.         BIO_puts(bp, " - ");

  412.       }

  413.       BN_print(bp, &d);

  414.       BIO_puts(bp, "\n");

  415. 

  416.       if (!results) {

  417.         BN_print(bp, &a);

  418.         BIO_puts(bp, " % ");

  419.         BN_print(bp, &b);

  420.         BIO_puts(bp, " - ");

  421.       }

  422.       BN_print(bp, &c);

  423.       BIO_puts(bp, "\n");

  424.     }

  425.     BN_mul(&e, &d, &b, ctx);

  426.     BN_add(&d, &e, &c);

  427.     BN_sub(&d, &d, &a);

  428.     if (!BN_is_zero(&d)) {

  429.       fprintf(stderr, "Division test failed!\n");

  430.       return 0;

  431.     }

  432.   }

  433.   BN_free(&a);

  434.   BN_free(&b);

  435.   BN_free(&c);

  436.   BN_free(&d);

  437.   BN_free(&e);

  438.   return (1);

  439. }

  440. 

  441. int test_lshift1(BIO *bp) {

  442.   BIGNUM *a, *b, *c;

  443.   int i;

  444. 

  445.   a = BN_new();

  446.   b = BN_new();

  447.   c = BN_new();

  448. 

  449.   BN_rand(a, 200, 0, 0); /**/

  450.   a->neg = rand_neg();

  451.   for (i = 0; i < num0; i++) {

  452.     BN_lshift1(b, a);

  453.     if (bp != NULL) {

  454.       if (!results) {

  455.         BN_print(bp, a);

  456.         BIO_puts(bp, " * 2");

  457.         BIO_puts(bp, " - ");

  458.       }

  459.       BN_print(bp, b);

  460.       BIO_puts(bp, "\n");

  461.     }

  462.     BN_add(c, a, a);

  463.     BN_sub(a, b, c);

  464.     if (!BN_is_zero(a)) {

  465.       fprintf(stderr, "Left shift one test failed!\n");

  466.       return 0;

  467.     }

  468. 

  469.     BN_copy(a, b);

  470.   }

  471.   BN_free(a);

  472.   BN_free(b);

  473.   BN_free(c);

  474.   return (1);

  475. }

  476. 

  477. int test_rshift(BIO *bp, BN_CTX *ctx) {

  478.   BIGNUM *a, *b, *c, *d, *e;

  479.   int i;

  480. 

  481.   a = BN_new();

  482.   b = BN_new();

  483.   c = BN_new();

  484.   d = BN_new();

  485.   e = BN_new();

  486.   BN_one(c);

  487. 

  488.   BN_rand(a, 200, 0, 0); /**/

  489.   a->neg = rand_neg();

  490.   for (i = 0; i < num0; i++) {

  491.     BN_rshift(b, a, i + 1);

  492.     BN_add(c, c, c);

  493.     if (bp != NULL) {

  494.       if (!results) {

  495.         BN_print(bp, a);

  496.         BIO_puts(bp, " / ");

  497.         BN_print(bp, c);

  498.         BIO_puts(bp, " - ");

  499.       }

  500.       BN_print(bp, b);

  501.       BIO_puts(bp, "\n");

  502.     }

  503.     BN_div(d, e, a, c, ctx);

  504.     BN_sub(d, d, b);

  505.     if (!BN_is_zero(d)) {

  506.       fprintf(stderr, "Right shift test failed!\n");

  507.       return 0;

  508.     }

  509.   }

  510.   BN_free(a);

  511.   BN_free(b);

  512.   BN_free(c);

  513.   BN_free(d);

  514.   BN_free(e);

  515.   return (1);

  516. }

  517. 

  518. int test_rshift1(BIO *bp) {

  519.   BIGNUM *a, *b, *c;

  520.   int i;

  521. 

  522.   a = BN_new();

  523.   b = BN_new();

  524.   c = BN_new();

  525. 

  526.   BN_rand(a, 200, 0, 0); /**/

  527.   a->neg = rand_neg();

  528.   for (i = 0; i < num0; i++) {

  529.     BN_rshift1(b, a);

  530.     if (bp != NULL) {

  531.       if (!results) {

  532.         BN_print(bp, a);

  533.         BIO_puts(bp, " / 2");

  534.         BIO_puts(bp, " - ");

  535.       }

  536.       BN_print(bp, b);

  537.       BIO_puts(bp, "\n");

  538.     }

  539.     BN_sub(c, a, b);

  540.     BN_sub(c, c, b);

  541.     if (!BN_is_zero(c) && !BN_abs_is_word(c, 1)) {

  542.       fprintf(stderr, "Right shift one test failed!\n");

  543.       return 0;

  544.     }

  545.     BN_copy(a, b);

  546.   }

  547.   BN_free(a);

  548.   BN_free(b);

  549.   BN_free(c);

  550.   return (1);

  551. }

  552. 

  553. int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_) {

  554.   BIGNUM *a, *b, *c, *d;

  555.   int i;

  556. 

  557.   b = BN_new();

  558.   c = BN_new();

  559.   d = BN_new();

  560.   BN_one(c);

  561. 

  562.   if (a_)

  563.     a = a_;

  564.   else {

  565.     a = BN_new();

  566.     BN_rand(a, 200, 0, 0); /**/

  567.     a->neg = rand_neg();

  568.   }

  569.   for (i = 0; i < num0; i++) {

  570.     BN_lshift(b, a, i + 1);

  571.     BN_add(c, c, c);

  572.     if (bp != NULL) {

  573.       if (!results) {

  574.         BN_print(bp, a);

  575.         BIO_puts(bp, " * ");

  576.         BN_print(bp, c);

  577.         BIO_puts(bp, " - ");

  578.       }

  579.       BN_print(bp, b);

  580.       BIO_puts(bp, "\n");

  581.     }

  582.     BN_mul(d, a, c, ctx);

  583.     BN_sub(d, d, b);

  584.     if (!BN_is_zero(d)) {

  585.       fprintf(stderr, "Left shift test failed!\n");

  586.       fprintf(stderr, "a=");

  587.       BN_print_fp(stderr, a);

  588.       fprintf(stderr, "\nb=");

  589.       BN_print_fp(stderr, b);

  590.       fprintf(stderr, "\nc=");

  591.       BN_print_fp(stderr, c);

  592.       fprintf(stderr, "\nd=");

  593.       BN_print_fp(stderr, d);

  594.       fprintf(stderr, "\n");

  595.       return 0;

  596.     }

  597.   }

  598.   BN_free(a);

  599.   BN_free(b);

  600.   BN_free(c);

  601.   BN_free(d);

  602.   return (1);

  603. }

  604. 

  605. int test_mul(BIO *bp) {

  606.   BIGNUM a, b, c, d, e;

  607.   int i;

  608.   BN_CTX *ctx;

  609. 

  610.   ctx = BN_CTX_new();

  611.   if (ctx == NULL)

  612.     abort();

  613. 

  614.   BN_init(&a);

  615.   BN_init(&b);

  616.   BN_init(&c);

  617.   BN_init(&d);

  618.   BN_init(&e);

  619. 

  620.   for (i = 0; i < num0 + num1; i++) {

  621.     if (i <= num1) {

  622.       BN_rand(&a, 100, 0, 0);

  623.       BN_rand(&b, 100, 0, 0);

  624.     } else

  625.       BN_rand(&b, i - num1, 0, 0);

  626.     a.neg = rand_neg();

  627.     b.neg = rand_neg();

  628.     BN_mul(&c, &a, &b, ctx);

  629.     if (bp != NULL) {

  630.       if (!results) {

  631.         BN_print(bp, &a);

  632.         BIO_puts(bp, " * ");

  633.         BN_print(bp, &b);

  634.         BIO_puts(bp, " - ");

  635.       }

  636.       BN_print(bp, &c);

  637.       BIO_puts(bp, "\n");

  638.     }

  639.     BN_div(&d, &e, &c, &a, ctx);

  640.     BN_sub(&d, &d, &b);

  641.     if (!BN_is_zero(&d) || !BN_is_zero(&e)) {

  642.       fprintf(stderr, "Multiplication test failed!\n");

  643.       return 0;

  644.     }

  645.   }

  646.   BN_free(&a);

  647.   BN_free(&b);

  648.   BN_free(&c);

  649.   BN_free(&d);

  650.   BN_free(&e);

  651.   BN_CTX_free(ctx);

  652.   return (1);

  653. }

  654. 

  655. int test_sqr(BIO *bp, BN_CTX *ctx) {

  656.   BIGNUM *a, *c, *d, *e;

  657.   int i, ret = 0;

  658. 

  659.   a = BN_new();

  660.   c = BN_new();

  661.   d = BN_new();

  662.   e = BN_new();

  663.   if (a == NULL || c == NULL || d == NULL || e == NULL) {

  664.     goto err;

  665.   }

  666. 

  667.   for (i = 0; i < num0; i++) {

  668.     BN_rand(a, 40 + i * 10, 0, 0);

  669.     a->neg = rand_neg();

  670.     BN_sqr(c, a, ctx);

  671.     if (bp != NULL) {

  672.       if (!results) {

  673.         BN_print(bp, a);

  674.         BIO_puts(bp, " * ");

  675.         BN_print(bp, a);

  676.         BIO_puts(bp, " - ");

  677.       }

  678.       BN_print(bp, c);

  679.       BIO_puts(bp, "\n");

  680.     }

  681.     BN_div(d, e, c, a, ctx);

  682.     BN_sub(d, d, a);

  683.     if (!BN_is_zero(d) || !BN_is_zero(e)) {

  684.       fprintf(stderr, "Square test failed!\n");

  685.       goto err;

  686.     }

  687.   }

  688. 

  689.   /* Regression test for a BN_sqr overflow bug. */

  690.   BN_hex2bn(&a,

  691.             "80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000");

  692.   BN_sqr(c, a, ctx);

  693.   if (bp != NULL) {

  694.     if (!results) {

  695.       BN_print(bp, a);

  696.       BIO_puts(bp, " * ");

  697.       BN_print(bp, a);

  698.       BIO_puts(bp, " - ");

  699.     }

  700.     BN_print(bp, c);

  701.     BIO_puts(bp, "\n");

  702.   }

  703.   BN_mul(d, a, a, ctx);

  704.   if (BN_cmp(c, d)) {

  705.     fprintf(stderr,

  706.             "Square test failed: BN_sqr and BN_mul produce "

  707.             "different results!\n");

  708.     goto err;

  709.   }

  710. 

  711.   /* Regression test for a BN_sqr overflow bug. */

  712.   BN_hex2bn(&a,

  713.             "80000000000000000000000080000001FFFFFFFE000000000000000000000000");

  714.   BN_sqr(c, a, ctx);

  715.   if (bp != NULL) {

  716.     if (!results) {

  717.       BN_print(bp, a);

  718.       BIO_puts(bp, " * ");

  719.       BN_print(bp, a);

  720.       BIO_puts(bp, " - ");

  721.     }

  722.     BN_print(bp, c);

  723.     BIO_puts(bp, "\n");

  724.   }

  725.   BN_mul(d, a, a, ctx);

  726.   if (BN_cmp(c, d)) {

  727.     fprintf(stderr,

  728.             "Square test failed: BN_sqr and BN_mul produce "

  729.             "different results!\n");

  730.     goto err;

  731.   }

  732.   ret = 1;

  733. 

  734. err:

  735.   if (a != NULL) {

  736.     BN_free(a);

  737.   }

  738.   if (c != NULL) {

  739.     BN_free(c);

  740.   }

  741.   if (d != NULL) {

  742.     BN_free(d);

  743.   }

  744.   if (e != NULL) {

  745.     BN_free(e);

  746.   }

  747.   return ret;

  748. }

  749. 

  750. 

  751. int rand_neg(void) {

  752.   static unsigned int neg = 0;

  753.   static int sign[8] = {0, 0, 0, 1, 1, 0, 1, 1};

  754. 

  755.   return (sign[(neg++) % 8]);

  756. }

  757. 

  758. static void print_word(BIO *bp, BN_ULONG w) {

  759.   BIO_printf(bp, BN_HEX_FMT1, w);

  760. }

  761. 

  762. int test_div_word(BIO *bp) {

  763.   BIGNUM a, b;

  764.   BN_ULONG r, s;

  765.   int i;

  766. 

  767.   BN_init(&a);

  768.   BN_init(&b);

  769. 

  770.   for (i = 0; i < num0; i++) {

  771.     do {

  772.       BN_rand(&a, 512, -1, 0);

  773.       BN_rand(&b, BN_BITS2, -1, 0);

  774.       s = b.d[0];

  775.     } while (!s);

  776. 

  777.     BN_copy(&b, &a);

  778.     r = BN_div_word(&b, s);

  779. 

  780.     if (bp != NULL) {

  781.       if (!results) {

  782.         BN_print(bp, &a);

  783.         BIO_puts(bp, " / ");

  784.         print_word(bp, s);

  785.         BIO_puts(bp, " - ");

  786.       }

  787.       BN_print(bp, &b);

  788.       BIO_puts(bp, "\n");

  789. 

  790.       if (!results) {

  791.         BN_print(bp, &a);

  792.         BIO_puts(bp, " % ");

  793.         print_word(bp, s);

  794.         BIO_puts(bp, " - ");

  795.       }

  796.       print_word(bp, r);

  797.       BIO_puts(bp, "\n");

  798.     }

  799.     BN_mul_word(&b, s);

  800.     BN_add_word(&b, r);

  801.     BN_sub(&b, &a, &b);

  802.     if (!BN_is_zero(&b)) {

  803.       fprintf(stderr, "Division (word) test failed!\n");

  804.       return 0;

  805.     }

  806.   }

  807.   BN_free(&a);

  808.   BN_free(&b);

  809.   return (1);

  810. }

  811. 

  812. int test_mont(BIO *bp, BN_CTX *ctx) {

  813.   BIGNUM a, b, c, d, A, B;

  814.   BIGNUM n;

  815.   int i;

  816.   BN_MONT_CTX *mont;

  817. 

  818.   BN_init(&a);

  819.   BN_init(&b);

  820.   BN_init(&c);

  821.   BN_init(&d);

  822.   BN_init(&A);

  823.   BN_init(&B);

  824.   BN_init(&n);

  825. 

  826.   mont = BN_MONT_CTX_new();

  827.   if (mont == NULL)

  828.     return 0;

  829. 

  830.   BN_rand(&a, 100, 0, 0); /**/

  831.   BN_rand(&b, 100, 0, 0); /**/

  832.   for (i = 0; i < num2; i++) {

  833.     int bits = (200 * (i + 1)) / num2;

  834. 

  835.     if (bits == 0)

  836.       continue;

  837.     BN_rand(&n, bits, 0, 1);

  838.     BN_MONT_CTX_set(mont, &n, ctx);

  839. 

  840.     BN_nnmod(&a, &a, &n, ctx);

  841.     BN_nnmod(&b, &b, &n, ctx);

  842. 

  843.     BN_to_montgomery(&A, &a, mont, ctx);

  844.     BN_to_montgomery(&B, &b, mont, ctx);

  845. 

  846.     BN_mod_mul_montgomery(&c, &A, &B, mont, ctx); /**/

  847.     BN_from_montgomery(&A, &c, mont, ctx);        /**/

  848.     if (bp != NULL) {

  849.       if (!results) {

  850. #ifdef undef

  851.         fprintf(stderr, "%d * %d %% %d\n", BN_num_bits(&a), BN_num_bits(&b),

  852.                 BN_num_bits(mont->N));

  853. #endif

  854.         BN_print(bp, &a);

  855.         BIO_puts(bp, " * ");

  856.         BN_print(bp, &b);

  857.         BIO_puts(bp, " % ");

  858.         BN_print(bp, &(mont->N));

  859.         BIO_puts(bp, " - ");

  860.       }

  861.       BN_print(bp, &A);

  862.       BIO_puts(bp, "\n");

  863.     }

  864.     BN_mod_mul(&d, &a, &b, &n, ctx);

  865.     BN_sub(&d, &d, &A);

  866.     if (!BN_is_zero(&d)) {

  867.       fprintf(stderr, "Montgomery multiplication test failed!\n");

  868.       return 0;

  869.     }

  870.   }

  871.   BN_MONT_CTX_free(mont);

  872.   BN_free(&a);

  873.   BN_free(&b);

  874.   BN_free(&c);

  875.   BN_free(&d);

  876.   BN_free(&A);

  877.   BN_free(&B);

  878.   BN_free(&n);

  879.   return (1);

  880. }

  881. 

  882. int test_mod(BIO *bp, BN_CTX *ctx) {

  883.   BIGNUM *a, *b, *c, *d, *e;

  884.   int i;

  885. 

  886.   a = BN_new();

  887.   b = BN_new();

  888.   c = BN_new();

  889.   d = BN_new();

  890.   e = BN_new();

  891. 

  892.   BN_rand(a, 1024, 0, 0); /**/

  893.   for (i = 0; i < num0; i++) {

  894.     BN_rand(b, 450 + i * 10, 0, 0); /**/

  895.     a->neg = rand_neg();

  896.     b->neg = rand_neg();

  897.     BN_mod(c, a, b, ctx); /**/

  898.     if (bp != NULL) {

  899.       if (!results) {

  900.         BN_print(bp, a);

  901.         BIO_puts(bp, " % ");

  902.         BN_print(bp, b);

  903.         BIO_puts(bp, " - ");

  904.       }

  905.       BN_print(bp, c);

  906.       BIO_puts(bp, "\n");

  907.     }

  908.     BN_div(d, e, a, b, ctx);

  909.     BN_sub(e, e, c);

  910.     if (!BN_is_zero(e)) {

  911.       fprintf(stderr, "Modulo test failed!\n");

  912.       return 0;

  913.     }

  914.   }

  915.   BN_free(a);

  916.   BN_free(b);

  917.   BN_free(c);

  918.   BN_free(d);

  919.   BN_free(e);

  920.   return (1);

  921. }

  922. 

  923. int test_mod_mul(BIO *bp, BN_CTX *ctx) {

  924.   BIGNUM *a, *b, *c, *d, *e;

  925.   int i, j;

  926. 

  927.   a = BN_new();

  928.   b = BN_new();

  929.   c = BN_new();

  930.   d = BN_new();

  931.   e = BN_new();

  932. 

  933.   for (j = 0; j < 3; j++) {

  934.     BN_rand(c, 1024, 0, 0); /**/

  935.     for (i = 0; i < num0; i++) {

  936.       BN_rand(a, 475 + i * 10, 0, 0); /**/

  937.       BN_rand(b, 425 + i * 11, 0, 0); /**/

  938.       a->neg = rand_neg();

  939.       b->neg = rand_neg();

  940.       if (!BN_mod_mul(e, a, b, c, ctx)) {

  941.         unsigned long l;

  942. 

  943.         while ((l = ERR_get_error()))

  944.           fprintf(stderr, "ERROR:%s\n", ERR_error_string(l, NULL));

  945.         abort();

  946.       }

  947.       if (bp != NULL) {

  948.         if (!results) {

  949.           BN_print(bp, a);

  950.           BIO_puts(bp, " * ");

  951.           BN_print(bp, b);

  952.           BIO_puts(bp, " % ");

  953.           BN_print(bp, c);

  954.           if ((a->neg ^ b->neg) && !BN_is_zero(e)) {

  955.             /* If  (a*b) % c  is negative,  c  must be added

  956.              * in order to obtain the normalized remainder

  957.              * (new with OpenSSL 0.9.7, previous versions of

  958.              * BN_mod_mul could generate negative results)

  959.              */

  960.             BIO_puts(bp, " + ");

  961.             BN_print(bp, c);

  962.           }

  963.           BIO_puts(bp, " - ");

  964.         }

  965.         BN_print(bp, e);

  966.         BIO_puts(bp, "\n");

  967.       }

  968.       BN_mul(d, a, b, ctx);

  969.       BN_sub(d, d, e);

  970.       BN_div(a, b, d, c, ctx);

  971.       if (!BN_is_zero(b)) {

  972.         fprintf(stderr, "Modulo multiply test failed!\n");

  973.         ERR_print_errors_fp(stderr);

  974.         return 0;

  975.       }

  976.     }

  977.   }

  978.   BN_free(a);

  979.   BN_free(b);

  980.   BN_free(c);

  981.   BN_free(d);

  982.   BN_free(e);

  983.   return (1);

  984. }

  985. 

  986. int test_mod_exp(BIO *bp, BN_CTX *ctx) {

  987.   BIGNUM *a, *b, *c, *d, *e;

  988.   int i;

  989. 

  990.   a = BN_new();

  991.   b = BN_new();

  992.   c = BN_new();

  993.   d = BN_new();

  994.   e = BN_new();

  995. 

  996.   BN_rand(c, 30, 0, 1); /* must be odd for montgomery */

  997.   for (i = 0; i < num2; i++) {

  998.     BN_rand(a, 20 + i * 5, 0, 0); /**/

  999.     BN_rand(b, 2 + i, 0, 0);      /**/

  1000. 

  1001.     if (!BN_mod_exp(d, a, b, c, ctx))

  1002.       return (0);

  1003. 

  1004.     if (bp != NULL) {

  1005.       if (!results) {

  1006.         BN_print(bp, a);

  1007.         BIO_puts(bp, " ^ ");

  1008.         BN_print(bp, b);

  1009.         BIO_puts(bp, " % ");

  1010.         BN_print(bp, c);

  1011.         BIO_puts(bp, " - ");

  1012.       }

  1013.       BN_print(bp, d);

  1014.       BIO_puts(bp, "\n");

  1015.     }

  1016.     BN_exp(e, a, b, ctx);

  1017.     BN_sub(e, e, d);

  1018.     BN_div(a, b, e, c, ctx);

  1019.     if (!BN_is_zero(b)) {

  1020.       fprintf(stderr, "Modulo exponentiation test failed!\n");

  1021.       return 0;

  1022.     }

  1023.   }

  1024.   BN_free(a);

  1025.   BN_free(b);

  1026.   BN_free(c);

  1027.   BN_free(d);

  1028.   BN_free(e);

  1029.   return (1);

  1030. }

  1031. 

  1032. int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx) {

  1033.   BIGNUM *a, *b, *c, *d, *e;

  1034.   int i;

  1035. 

  1036.   a = BN_new();

  1037.   b = BN_new();

  1038.   c = BN_new();

  1039.   d = BN_new();

  1040.   e = BN_new();

  1041. 

  1042.   BN_rand(c, 30, 0, 1); /* must be odd for montgomery */

  1043.   for (i = 0; i < num2; i++) {

  1044.     BN_rand(a, 20 + i * 5, 0, 0); /**/

  1045.     BN_rand(b, 2 + i, 0, 0);      /**/

  1046. 

  1047.     if (!BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL))

  1048.       return (00);

  1049. 

  1050.     if (bp != NULL) {

  1051.       if (!results) {

  1052.         BN_print(bp, a);

  1053.         BIO_puts(bp, " ^ ");

  1054.         BN_print(bp, b);

  1055.         BIO_puts(bp, " % ");

  1056.         BN_print(bp, c);

  1057.         BIO_puts(bp, " - ");

  1058.       }

  1059.       BN_print(bp, d);

  1060.       BIO_puts(bp, "\n");

  1061.     }

  1062.     BN_exp(e, a, b, ctx);

  1063.     BN_sub(e, e, d);

  1064.     BN_div(a, b, e, c, ctx);

  1065.     if (!BN_is_zero(b)) {

  1066.       fprintf(stderr, "Modulo exponentiation test failed!\n");

  1067.       return 0;

  1068.     }

  1069.   }

  1070.   BN_free(a);

  1071.   BN_free(b);

  1072.   BN_free(c);

  1073.   BN_free(d);

  1074.   BN_free(e);

  1075.   return (1);

  1076. }

  1077. 

  1078. /* Test constant-time modular exponentiation with 1024-bit inputs,

  1079.  * which on x86_64 cause a different code branch to be taken. */

  1080. int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx) {

  1081.   BIGNUM *a, *p, *m, *d, *e;

  1082. 

  1083.   BN_MONT_CTX *mont;

  1084. 

  1085.   a = BN_new();

  1086.   p = BN_new();

  1087.   m = BN_new();

  1088.   d = BN_new();

  1089.   e = BN_new();

  1090. 

  1091.   mont = BN_MONT_CTX_new();

  1092. 

  1093.   BN_rand(m, 1024, 0, 1); /* must be odd for montgomery */

  1094.   /* Zero exponent */

  1095.   BN_rand(a, 1024, 0, 0);

  1096.   BN_zero(p);

  1097.   if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))

  1098.     return 0;

  1099.   if (!BN_is_one(d)) {

  1100.     fprintf(stderr, "Modular exponentiation test failed!\n");

  1101.     return 0;

  1102.   }

  1103.   /* Zero input */

  1104.   BN_rand(p, 1024, 0, 0);

  1105.   BN_zero(a);

  1106.   if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))

  1107.     return 0;

  1108.   if (!BN_is_zero(d)) {

  1109.     fprintf(stderr, "Modular exponentiation test failed!\n");

  1110.     return 0;

  1111.   }

  1112.   /* Craft an input whose Montgomery representation is 1,

  1113.    * i.e., shorter than the modulus m, in order to test

  1114.    * the const time precomputation scattering/gathering.

  1115.    */

  1116.   BN_one(a);

  1117.   BN_MONT_CTX_set(mont, m, ctx);

  1118.   if (!BN_from_montgomery(e, a, mont, ctx) ||

  1119.       !BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL) ||

  1120.       !BN_mod_exp(a, e, p, m, ctx)) {

  1121.     return 0;

  1122.   }

  1123.   if (BN_cmp(a, d) != 0) {

  1124.     fprintf(stderr, "Modular exponentiation test failed!\n");

  1125.     return 0;

  1126.   }

  1127.   /* Finally, some regular test vectors. */

  1128.   BN_rand(e, 1024, 0, 0);

  1129.   if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))

  1130.     return 0;

  1131.   if (!BN_mod_exp(a, e, p, m, ctx))

  1132.     return 0;

  1133.   if (BN_cmp(a, d) != 0) {

  1134.     fprintf(stderr, "Modular exponentiation test failed!\n");

  1135.     return 0;

  1136.   }

  1137. 

  1138.   BN_MONT_CTX_free(mont);

  1139.   BN_free(a);

  1140.   BN_free(p);

  1141.   BN_free(m);

  1142.   BN_free(d);

  1143.   BN_free(e);

  1144.   return (1);

  1145. }

  1146. 

  1147. int test_exp(BIO *bp, BN_CTX *ctx) {

  1148.   BIGNUM *a, *b, *d, *e, *one;

  1149.   int i;

  1150. 

  1151.   a = BN_new();

  1152.   b = BN_new();

  1153.   d = BN_new();

  1154.   e = BN_new();

  1155.   one = BN_new();

  1156.   BN_one(one);

  1157. 

  1158.   for (i = 0; i < num2; i++) {

  1159.     BN_rand(a, 20 + i * 5, 0, 0); /**/

  1160.     BN_rand(b, 2 + i, 0, 0);      /**/

  1161. 

  1162.     if (BN_exp(d, a, b, ctx) <= 0)

  1163.       return (0);

  1164. 

  1165.     if (bp != NULL) {

  1166.       if (!results) {

  1167.         BN_print(bp, a);

  1168.         BIO_puts(bp, " ^ ");

  1169.         BN_print(bp, b);

  1170.         BIO_puts(bp, " - ");

  1171.       }

  1172.       BN_print(bp, d);

  1173.       BIO_puts(bp, "\n");

  1174.     }

  1175.     BN_one(e);

  1176.     for (; !BN_is_zero(b); BN_sub(b, b, one))

  1177.       BN_mul(e, e, a, ctx);

  1178.     BN_sub(e, e, d);

  1179.     if (!BN_is_zero(e)) {

  1180.       fprintf(stderr, "Exponentiation test failed!\n");

  1181.       return 0;

  1182.     }

  1183.   }

  1184.   BN_free(a);

  1185.   BN_free(b);

  1186.   BN_free(d);

  1187.   BN_free(e);

  1188.   BN_free(one);

  1189.   return (1);

  1190. }

  1191. 

  1192. /* test_exp_mod_zero tests that x**0 mod 1 == 0. */

  1193. static int test_exp_mod_zero(void) {

  1194.   BIGNUM a, p, m;

  1195.   BIGNUM r;

  1196.   BN_CTX *ctx = BN_CTX_new();

  1197.   int ret = 0;

  1198. 

  1199.   BN_init(&m);

  1200.   BN_one(&m);

  1201. 

  1202.   BN_init(&a);

  1203.   BN_one(&a);

  1204. 

  1205.   BN_init(&p);

  1206.   BN_zero(&p);

  1207. 

  1208.   BN_init(&r);

  1209.   BN_mod_exp(&r, &a, &p, &m, ctx);

  1210.   BN_CTX_free(ctx);

  1211. 

  1212.   if (BN_is_zero(&r)) {

  1213.     ret = 1;

  1214.   } else {

  1215.     printf("1**0 mod 1 = ");

  1216.     BN_print_fp(stdout, &r);

  1217.     printf(", should be 0\n");

  1218.   }

  1219. 

  1220.   BN_free(&r);

  1221.   BN_free(&a);

  1222.   BN_free(&p);

  1223.   BN_free(&m);

  1224. 

  1225.   return ret;

  1226. }

  1227. 

  1228. static int genprime_cb(int p, int n, BN_GENCB *arg) {

  1229.   char c = '*';

  1230. 

  1231.   if (p == 0)

  1232.     c = '.';

  1233.   if (p == 1)

  1234.     c = '+';

  1235.   if (p == 2)

  1236.     c = '*';

  1237.   if (p == 3)

  1238.     c = '\n';

  1239.   putc(c, stdout);

  1240.   fflush(stdout);

  1241.   return 1;

  1242. }

  1243. 

  1244. int test_mod_sqrt(BIO *bp, BN_CTX *ctx) {

  1245.   BN_GENCB cb;

  1246.   BIGNUM *a, *p, *r;

  1247.   int i, j;

  1248.   int ret = 0;

  1249. 

  1250.   a = BN_new();

  1251.   p = BN_new();

  1252.   r = BN_new();

  1253.   if (a == NULL || p == NULL || r == NULL)

  1254.     goto err;

  1255. 

  1256.   BN_GENCB_set(&cb, genprime_cb, NULL);

  1257. 

  1258.   for (i = 0; i < 16; i++) {

  1259.     if (i < 8) {

  1260.       unsigned primes[8] = {2, 3, 5, 7, 11, 13, 17, 19};

  1261. 

  1262.       if (!BN_set_word(p, primes[i]))

  1263.         goto err;

  1264.     } else {

  1265.       if (!BN_set_word(a, 32))

  1266.         goto err;

  1267.       if (!BN_set_word(r, 2 * i + 1))

  1268.         goto err;

  1269. 

  1270.       if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb))

  1271.         goto err;

  1272.       putc('\n', stdout);

  1273.     }

  1274.     p->neg = rand_neg();

  1275. 

  1276.     for (j = 0; j < num2; j++) {

  1277.       /* construct 'a' such that it is a square modulo p,

  1278.        * but in general not a proper square and not reduced modulo p */

  1279.       if (!BN_rand(r, 256, 0, 3))

  1280.         goto err;

  1281.       if (!BN_nnmod(r, r, p, ctx))

  1282.         goto err;

  1283.       if (!BN_mod_sqr(r, r, p, ctx))

  1284.         goto err;

  1285.       if (!BN_rand(a, 256, 0, 3))

  1286.         goto err;

  1287.       if (!BN_nnmod(a, a, p, ctx))

  1288.         goto err;

  1289.       if (!BN_mod_sqr(a, a, p, ctx))

  1290.         goto err;

  1291.       if (!BN_mul(a, a, r, ctx))

  1292.         goto err;

  1293.       if (rand_neg())

  1294.         if (!BN_sub(a, a, p))

  1295.           goto err;

  1296. 

  1297.       if (!BN_mod_sqrt(r, a, p, ctx))

  1298.         goto err;

  1299.       if (!BN_mod_sqr(r, r, p, ctx))

  1300.         goto err;

  1301. 

  1302.       if (!BN_nnmod(a, a, p, ctx))

  1303.         goto err;

  1304. 

  1305.       if (BN_cmp(a, r) != 0) {

  1306.         fprintf(stderr, "BN_mod_sqrt failed: a = ");

  1307.         BN_print_fp(stderr, a);

  1308.         fprintf(stderr, ", r = ");

  1309.         BN_print_fp(stderr, r);

  1310.         fprintf(stderr, ", p = ");

  1311.         BN_print_fp(stderr, p);

  1312.         fprintf(stderr, "\n");

  1313.         goto err;

  1314.       }

  1315. 

  1316.       putc('.', stdout);

  1317.       fflush(stdout);

  1318.     }

  1319. 

  1320.     putc('\n', stdout);

  1321.     fflush(stderr);

  1322.   }

  1323.   ret = 1;

  1324. err:

  1325.   if (a != NULL)

  1326.     BN_free(a);

  1327.   if (p != NULL)

  1328.     BN_free(p);

  1329.   if (r != NULL)

  1330.     BN_free(r);

  1331.   return ret;

  1332. }

  1333. 

  1334. int test_small_prime(BIO *bp, BN_CTX *ctx) {

  1335.   static const int bits = 10;

  1336.   int ret = 0;

  1337.   BIGNUM r;

  1338. 

  1339.   BN_init(&r);

  1340.   if (!BN_generate_prime_ex(&r, bits, 0, NULL, NULL, NULL)) {

  1341.     goto err;

  1342.   }

  1343.   if (BN_num_bits(&r) != bits) {

  1344.     BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits,

  1345.                BN_num_bits(&r));

  1346.     goto err;

  1347.   }

  1348. 

  1349.   ret = 1;

  1350. 

  1351. err:

  1352.   BN_free(&r);

  1353.   return ret;

  1354. }

  1355. 

  1356. int test_sqrt(BIO *bp, BN_CTX *ctx) {

  1357.   BIGNUM *n = BN_new(), *nn = BN_new(), *sqrt = BN_new();

  1358.   unsigned i;

  1359. 

  1360.   /* Test some random squares. */

  1361.   for (i = 0; i < 100; i++) {

  1362.     if (!BN_rand(n, 1024 /* bit length */, -1 /* no modification of top bits */,

  1363.                  0 /* don't modify bottom bit */) ||

  1364.         !BN_mul(nn, n, n, ctx) ||

  1365.         !BN_sqrt(sqrt, nn, ctx)) {

  1366.       BIO_print_errors_fp(stderr);

  1367.       return 0;

  1368.     }

  1369.     if (BN_cmp(n, sqrt) != 0) {

  1370.       fprintf(stderr, "Bad result from BN_sqrt.\n");

  1371.       return 0;

  1372.     }

  1373.   }

  1374. 

  1375.   /* Test some non-squares */

  1376.   for (i = 0; i < 100; i++) {

  1377.     if (!BN_rand(n, 1024 /* bit length */, -1 /* no modification of top bits */,

  1378.                  0 /* don't modify bottom bit */) ||

  1379.         !BN_mul(nn, n, n, ctx) ||

  1380.         !BN_add(nn, nn, BN_value_one())) {

  1381.       BIO_print_errors_fp(stderr);

  1382.       return 0;

  1383.     }

  1384. 

  1385.     if (BN_sqrt(sqrt, nn, ctx)) {

  1386.       char *nn_str = BN_bn2dec(nn);

  1387.       fprintf(stderr, "BIO_sqrt didn't fail on a non-square: %s\n", nn_str);

  1388.       OPENSSL_free(nn_str);

  1389.     }

  1390.   }

  1391. 

  1392.   BN_free(n);

  1393.   BN_free(sqrt);

  1394.   BN_free(nn);

  1395. 

  1396.   return 1;

  1397. }

  1398. 

  1399. int test_bn2bin_padded(BIO *bp, BN_CTX *ctx) {

  1400.   BIGNUM *n = BN_new();

  1401.   uint8_t zeros[256], out[256], reference[128];

  1402.   size_t bytes;

  1403. 

  1404.   memset(zeros, 0, sizeof(zeros));

  1405. 

  1406.   /* Test edge case at 0. */

  1407.   if (!BN_bn2bin_padded(NULL, 0, n)) {

  1408.     fprintf(stderr,

  1409.             "BN_bn2bin_padded failed to encode 0 in an empty buffer.\n");

  1410.     return 0;

  1411.   }

  1412.   memset(out, -1, sizeof(out));

  1413.   if (!BN_bn2bin_padded(out, sizeof(out), n)) {

  1414.     fprintf(stderr,

  1415.             "BN_bn2bin_padded failed to encode 0 in a non-empty buffer.\n");

  1416.     return 0;

  1417.   }

  1418.   if (memcmp(zeros, out, sizeof(out))) {

  1419.     fprintf(stderr, "BN_bn2bin_padded did not zero buffer.\n");

  1420.     return 0;

  1421.   }

  1422. 

  1423.   /* Test a random numbers at various byte lengths. */

  1424.   for (bytes = 128 - 7; bytes <= 128; bytes++) {

  1425.     if (!BN_rand(n, bytes * 8, 0 /* make sure top bit is 1 */,

  1426.                  0 /* don't modify bottom bit */)) {

  1427.       BIO_print_errors_fp(stderr);

  1428.       return 0;

  1429.     }

  1430.     if (BN_num_bytes(n) != bytes || BN_bn2bin(n, reference) != bytes) {

  1431.       fprintf(stderr, "Bad result from BN_rand; bytes.\n");

  1432.       return 0;

  1433.     }

  1434.     /* Empty buffer should fail. */

  1435.     if (BN_bn2bin_padded(NULL, 0, n)) {

  1436.       fprintf(stderr,

  1437.               "BN_bn2bin_padded incorrectly succeeded on empty buffer.\n");

  1438.       return 0;

  1439.     }

  1440.     /* One byte short should fail. */

  1441.     if (BN_bn2bin_padded(out, bytes - 1, n)) {

  1442.       fprintf(stderr, "BN_bn2bin_padded incorrectly succeeded on short.\n");

  1443.       return 0;

  1444.     }

  1445.     /* Exactly right size should encode. */

  1446.     if (!BN_bn2bin_padded(out, bytes, n) ||

  1447.         memcmp(out, reference, bytes) != 0) {

  1448.       fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");

  1449.       return 0;

  1450.     }

  1451.     /* Pad up one byte extra. */

  1452.     if (!BN_bn2bin_padded(out, bytes + 1, n) ||

  1453.         memcmp(out + 1, reference, bytes) || memcmp(out, zeros, 1)) {

  1454.       fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");

  1455.       return 0;

  1456.     }

  1457.     /* Pad up to 256. */

  1458.     if (!BN_bn2bin_padded(out, sizeof(out), n) ||

  1459.         memcmp(out + sizeof(out) - bytes, reference, bytes) ||

  1460.         memcmp(out, zeros, sizeof(out) - bytes)) {

  1461.       fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");

  1462.       return 0;

  1463.     }

  1464.   }

  1465. 

  1466.   BN_free(n);

  1467. 

  1468.   return 1;

  1469. }