1 /*
2 * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 /*
12 * EC_KEY low level APIs are deprecated for public use, but still ok for
13 * internal use.
14 */
15 #include "internal/deprecated.h"
16
17 #include <string.h>
18 #include "internal/nelem.h"
19 #include "testutil.h"
20
21 #include <openssl/ec.h>
22 #ifndef OPENSSL_NO_ENGINE
23 # include <openssl/engine.h>
24 #endif
25 #include <openssl/err.h>
26 #include <openssl/obj_mac.h>
27 #include <openssl/objects.h>
28 #include <openssl/rand.h>
29 #include <openssl/bn.h>
30 #include <openssl/opensslconf.h>
31 #include <openssl/core_names.h>
32 #include <openssl/param_build.h>
33 #include <openssl/evp.h>
34
35 static size_t crv_len = 0;
36 static EC_builtin_curve *curves = NULL;
37
38 /* test multiplication with group order, long and negative scalars */
group_order_tests(EC_GROUP * group)39 static int group_order_tests(EC_GROUP *group)
40 {
41 BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL;
42 EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL;
43 const EC_POINT *G = NULL;
44 BN_CTX *ctx = NULL;
45 int i = 0, r = 0;
46
47 if (!TEST_ptr(n1 = BN_new())
48 || !TEST_ptr(n2 = BN_new())
49 || !TEST_ptr(order = BN_new())
50 || !TEST_ptr(ctx = BN_CTX_new())
51 || !TEST_ptr(G = EC_GROUP_get0_generator(group))
52 || !TEST_ptr(P = EC_POINT_new(group))
53 || !TEST_ptr(Q = EC_POINT_new(group))
54 || !TEST_ptr(R = EC_POINT_new(group))
55 || !TEST_ptr(S = EC_POINT_new(group)))
56 goto err;
57
58 if (!TEST_true(EC_GROUP_get_order(group, order, ctx))
59 || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
60 || !TEST_true(EC_POINT_is_at_infinity(group, Q))
61 #ifndef OPENSSL_NO_DEPRECATED_3_0
62 || !TEST_true(EC_GROUP_precompute_mult(group, ctx))
63 #endif
64 || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
65 || !TEST_true(EC_POINT_is_at_infinity(group, Q))
66 || !TEST_true(EC_POINT_copy(P, G))
67 || !TEST_true(BN_one(n1))
68 || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
69 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
70 || !TEST_true(BN_sub(n1, order, n1))
71 || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
72 || !TEST_true(EC_POINT_invert(group, Q, ctx))
73 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
74 goto err;
75
76 for (i = 1; i <= 2; i++) {
77 #ifndef OPENSSL_NO_DEPRECATED_3_0
78 const BIGNUM *scalars[6];
79 const EC_POINT *points[6];
80 #endif
81
82 if (!TEST_true(BN_set_word(n1, i))
83 /*
84 * If i == 1, P will be the predefined generator for which
85 * EC_GROUP_precompute_mult has set up precomputation.
86 */
87 || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
88 || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx)))
89 || !TEST_true(BN_one(n1))
90 /* n1 = 1 - order */
91 || !TEST_true(BN_sub(n1, n1, order))
92 || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx))
93 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
94
95 /* n2 = 1 + order */
96 || !TEST_true(BN_add(n2, order, BN_value_one()))
97 || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
98 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
99
100 /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
101 || !TEST_true(BN_mul(n2, n1, n2, ctx))
102 || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
103 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
104 goto err;
105
106 /* n2 = order^2 - 1 */
107 BN_set_negative(n2, 0);
108 if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
109 /* Add P to verify the result. */
110 || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx))
111 || !TEST_true(EC_POINT_is_at_infinity(group, Q))
112 || !TEST_false(EC_POINT_is_at_infinity(group, P)))
113 goto err;
114
115 #ifndef OPENSSL_NO_DEPRECATED_3_0
116 /* Exercise EC_POINTs_mul, including corner cases. */
117 scalars[0] = scalars[1] = BN_value_one();
118 points[0] = points[1] = P;
119
120 if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx))
121 || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx))
122 || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx)))
123 goto err;
124
125 scalars[0] = n1;
126 points[0] = Q; /* => infinity */
127 scalars[1] = n2;
128 points[1] = P; /* => -P */
129 scalars[2] = n1;
130 points[2] = Q; /* => infinity */
131 scalars[3] = n2;
132 points[3] = Q; /* => infinity */
133 scalars[4] = n1;
134 points[4] = P; /* => P */
135 scalars[5] = n2;
136 points[5] = Q; /* => infinity */
137 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
138 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
139 goto err;
140 #endif
141 }
142
143 r = 1;
144 err:
145 if (r == 0 && i != 0)
146 TEST_info(i == 1 ? "allowing precomputation" :
147 "without precomputation");
148 EC_POINT_free(P);
149 EC_POINT_free(Q);
150 EC_POINT_free(R);
151 EC_POINT_free(S);
152 BN_free(n1);
153 BN_free(n2);
154 BN_free(order);
155 BN_CTX_free(ctx);
156 return r;
157 }
158
prime_field_tests(void)159 static int prime_field_tests(void)
160 {
161 BN_CTX *ctx = NULL;
162 BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL;
163 EC_GROUP *group = NULL;
164 EC_POINT *P = NULL, *Q = NULL, *R = NULL;
165 BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL;
166 #ifndef OPENSSL_NO_DEPRECATED_3_0
167 const EC_POINT *points[4];
168 const BIGNUM *scalars[4];
169 #endif
170 unsigned char buf[100];
171 size_t len, r = 0;
172 int k;
173
174 if (!TEST_ptr(ctx = BN_CTX_new())
175 || !TEST_ptr(p = BN_new())
176 || !TEST_ptr(a = BN_new())
177 || !TEST_ptr(b = BN_new())
178 || !TEST_true(BN_hex2bn(&p, "17"))
179 || !TEST_true(BN_hex2bn(&a, "1"))
180 || !TEST_true(BN_hex2bn(&b, "1"))
181 || !TEST_ptr(group = EC_GROUP_new_curve_GFp(p, a, b, ctx))
182 || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
183 goto err;
184
185 TEST_info("Curve defined by Weierstrass equation");
186 TEST_note(" y^2 = x^3 + a*x + b (mod p)");
187 test_output_bignum("a", a);
188 test_output_bignum("b", b);
189 test_output_bignum("p", p);
190
191 buf[0] = 0;
192 if (!TEST_ptr(P = EC_POINT_new(group))
193 || !TEST_ptr(Q = EC_POINT_new(group))
194 || !TEST_ptr(R = EC_POINT_new(group))
195 || !TEST_true(EC_POINT_set_to_infinity(group, P))
196 || !TEST_true(EC_POINT_is_at_infinity(group, P))
197 || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
198 || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
199 || !TEST_true(EC_POINT_is_at_infinity(group, P))
200 || !TEST_ptr(x = BN_new())
201 || !TEST_ptr(y = BN_new())
202 || !TEST_ptr(z = BN_new())
203 || !TEST_ptr(yplusone = BN_new())
204 || !TEST_true(BN_hex2bn(&x, "D"))
205 || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx)))
206 goto err;
207
208 if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
209 if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)))
210 goto err;
211 TEST_info("Point is not on curve");
212 test_output_bignum("x", x);
213 test_output_bignum("y", y);
214 goto err;
215 }
216
217 TEST_note("A cyclic subgroup:");
218 k = 100;
219 do {
220 if (!TEST_int_ne(k--, 0))
221 goto err;
222
223 if (EC_POINT_is_at_infinity(group, P)) {
224 TEST_note(" point at infinity");
225 } else {
226 if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
227 ctx)))
228 goto err;
229
230 test_output_bignum("x", x);
231 test_output_bignum("y", y);
232 }
233
234 if (!TEST_true(EC_POINT_copy(R, P))
235 || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
236 goto err;
237
238 } while (!EC_POINT_is_at_infinity(group, P));
239
240 if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
241 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
242 goto err;
243
244 len =
245 EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf,
246 sizeof(buf), ctx);
247 if (!TEST_size_t_ne(len, 0)
248 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
249 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
250 goto err;
251 test_output_memory("Generator as octet string, compressed form:",
252 buf, len);
253
254 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
255 buf, sizeof(buf), ctx);
256 if (!TEST_size_t_ne(len, 0)
257 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
258 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
259 goto err;
260 test_output_memory("Generator as octet string, uncompressed form:",
261 buf, len);
262
263 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID,
264 buf, sizeof(buf), ctx);
265 if (!TEST_size_t_ne(len, 0)
266 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
267 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
268 goto err;
269 test_output_memory("Generator as octet string, hybrid form:",
270 buf, len);
271
272 if (!TEST_true(EC_POINT_invert(group, P, ctx))
273 || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
274
275 /*
276 * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2,
277 * 2000) -- not a NIST curve, but commonly used
278 */
279
280 || !TEST_true(BN_hex2bn(&p, "FFFFFFFF"
281 "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF"))
282 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
283 || !TEST_true(BN_hex2bn(&a, "FFFFFFFF"
284 "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC"))
285 || !TEST_true(BN_hex2bn(&b, "1C97BEFC"
286 "54BD7A8B65ACF89F81D4D4ADC565FA45"))
287 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
288 || !TEST_true(BN_hex2bn(&x, "4A96B568"
289 "8EF573284664698968C38BB913CBFC82"))
290 || !TEST_true(BN_hex2bn(&y, "23a62855"
291 "3168947d59dcc912042351377ac5fb32"))
292 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
293 /*
294 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
295 * and therefore setting the coordinates should fail.
296 */
297 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
298 ctx))
299 || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
300 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
301 || !TEST_true(BN_hex2bn(&z, "0100000000"
302 "000000000001F4C8F927AED3CA752257"))
303 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
304 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
305 goto err;
306 TEST_info("SEC2 curve secp160r1 -- Generator");
307 test_output_bignum("x", x);
308 test_output_bignum("y", y);
309 /* G_y value taken from the standard: */
310 if (!TEST_true(BN_hex2bn(&z, "23a62855"
311 "3168947d59dcc912042351377ac5fb32"))
312 || !TEST_BN_eq(y, z)
313 || !TEST_int_eq(EC_GROUP_get_degree(group), 160)
314 || !group_order_tests(group)
315
316 /* Curve P-192 (FIPS PUB 186-2, App. 6) */
317
318 || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF"
319 "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"))
320 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
321 || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF"
322 "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC"))
323 || !TEST_true(BN_hex2bn(&b, "64210519E59C80E7"
324 "0FA7E9AB72243049FEB8DEECC146B9B1"))
325 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
326 || !TEST_true(BN_hex2bn(&x, "188DA80EB03090F6"
327 "7CBF20EB43A18800F4FF0AFD82FF1012"))
328 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
329 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
330 || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFF"
331 "FFFFFFFF99DEF836146BC9B1B4D22831"))
332 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
333 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
334 goto err;
335
336 TEST_info("NIST curve P-192 -- Generator");
337 test_output_bignum("x", x);
338 test_output_bignum("y", y);
339 /* G_y value taken from the standard: */
340 if (!TEST_true(BN_hex2bn(&z, "07192B95FFC8DA78"
341 "631011ED6B24CDD573F977A11E794811"))
342 || !TEST_BN_eq(y, z)
343 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
344 /*
345 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
346 * and therefore setting the coordinates should fail.
347 */
348 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
349 ctx))
350 || !TEST_int_eq(EC_GROUP_get_degree(group), 192)
351 || !group_order_tests(group)
352
353 /* Curve P-224 (FIPS PUB 186-2, App. 6) */
354
355 || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
356 "FFFFFFFF000000000000000000000001"))
357 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
358 || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
359 "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
360 || !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256"
361 "5044B0B7D7BFD8BA270B39432355FFB4"))
362 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
363 || !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9"
364 "4A03C1D356C21122343280D6115C1D21"))
365 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
366 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
367 || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF"
368 "FFFF16A2E0B8F03E13DD29455C5C2A3D"))
369 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
370 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
371 goto err;
372
373 TEST_info("NIST curve P-224 -- Generator");
374 test_output_bignum("x", x);
375 test_output_bignum("y", y);
376 /* G_y value taken from the standard: */
377 if (!TEST_true(BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6"
378 "CD4375A05A07476444D5819985007E34"))
379 || !TEST_BN_eq(y, z)
380 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
381 /*
382 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
383 * and therefore setting the coordinates should fail.
384 */
385 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
386 ctx))
387 || !TEST_int_eq(EC_GROUP_get_degree(group), 224)
388 || !group_order_tests(group)
389
390 /* Curve P-256 (FIPS PUB 186-2, App. 6) */
391
392 || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000"
393 "00000000FFFFFFFFFFFFFFFFFFFFFFFF"))
394 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
395 || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000"
396 "00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
397 || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
398 "651D06B0CC53B0F63BCE3C3E27D2604B"))
399 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
400
401 || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2"
402 "77037D812DEB33A0F4A13945D898C296"))
403 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
404 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
405 || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
406 "BCE6FAADA7179E84F3B9CAC2FC632551"))
407 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
408 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
409 goto err;
410
411 TEST_info("NIST curve P-256 -- Generator");
412 test_output_bignum("x", x);
413 test_output_bignum("y", y);
414 /* G_y value taken from the standard: */
415 if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16"
416 "2BCE33576B315ECECBB6406837BF51F5"))
417 || !TEST_BN_eq(y, z)
418 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
419 /*
420 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
421 * and therefore setting the coordinates should fail.
422 */
423 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
424 ctx))
425 || !TEST_int_eq(EC_GROUP_get_degree(group), 256)
426 || !group_order_tests(group)
427
428 /* Curve P-384 (FIPS PUB 186-2, App. 6) */
429
430 || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
431 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
432 "FFFFFFFF0000000000000000FFFFFFFF"))
433 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
434 || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
435 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
436 "FFFFFFFF0000000000000000FFFFFFFC"))
437 || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19"
438 "181D9C6EFE8141120314088F5013875A"
439 "C656398D8A2ED19D2A85C8EDD3EC2AEF"))
440 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
441
442 || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74"
443 "6E1D3B628BA79B9859F741E082542A38"
444 "5502F25DBF55296C3A545E3872760AB7"))
445 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
446 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
447 || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
448 "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
449 "581A0DB248B0A77AECEC196ACCC52973"))
450 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
451 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
452 goto err;
453
454 TEST_info("NIST curve P-384 -- Generator");
455 test_output_bignum("x", x);
456 test_output_bignum("y", y);
457 /* G_y value taken from the standard: */
458 if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29"
459 "F8F41DBD289A147CE9DA3113B5F0B8C0"
460 "0A60B1CE1D7E819D7A431D7C90EA0E5F"))
461 || !TEST_BN_eq(y, z)
462 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
463 /*
464 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
465 * and therefore setting the coordinates should fail.
466 */
467 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
468 ctx))
469 || !TEST_int_eq(EC_GROUP_get_degree(group), 384)
470 || !group_order_tests(group)
471
472 /* Curve P-521 (FIPS PUB 186-2, App. 6) */
473 || !TEST_true(BN_hex2bn(&p, "1FF"
474 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
475 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
476 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
477 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
478 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
479 || !TEST_true(BN_hex2bn(&a, "1FF"
480 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
481 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
482 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
483 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
484 || !TEST_true(BN_hex2bn(&b, "051"
485 "953EB9618E1C9A1F929A21A0B68540EE"
486 "A2DA725B99B315F3B8B489918EF109E1"
487 "56193951EC7E937B1652C0BD3BB1BF07"
488 "3573DF883D2C34F1EF451FD46B503F00"))
489 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
490 || !TEST_true(BN_hex2bn(&x, "C6"
491 "858E06B70404E9CD9E3ECB662395B442"
492 "9C648139053FB521F828AF606B4D3DBA"
493 "A14B5E77EFE75928FE1DC127A2FFA8DE"
494 "3348B3C1856A429BF97E7E31C2E5BD66"))
495 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
496 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
497 || !TEST_true(BN_hex2bn(&z, "1FF"
498 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
499 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA"
500 "51868783BF2F966B7FCC0148F709A5D0"
501 "3BB5C9B8899C47AEBB6FB71E91386409"))
502 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
503 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
504 goto err;
505
506 TEST_info("NIST curve P-521 -- Generator");
507 test_output_bignum("x", x);
508 test_output_bignum("y", y);
509 /* G_y value taken from the standard: */
510 if (!TEST_true(BN_hex2bn(&z, "118"
511 "39296A789A3BC0045C8A5FB42C7D1BD9"
512 "98F54449579B446817AFBD17273E662C"
513 "97EE72995EF42640C550B9013FAD0761"
514 "353C7086A272C24088BE94769FD16650"))
515 || !TEST_BN_eq(y, z)
516 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
517 /*
518 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
519 * and therefore setting the coordinates should fail.
520 */
521 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
522 ctx))
523 || !TEST_int_eq(EC_GROUP_get_degree(group), 521)
524 || !group_order_tests(group)
525
526 /* more tests using the last curve */
527
528 /* Restore the point that got mangled in the (x, y + 1) test. */
529 || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
530 || !TEST_true(EC_POINT_copy(Q, P))
531 || !TEST_false(EC_POINT_is_at_infinity(group, Q))
532 || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
533 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
534 || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
535 || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
536 || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
537 || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
538 || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
539 goto err;
540
541 #ifndef OPENSSL_NO_DEPRECATED_3_0
542 TEST_note("combined multiplication ...");
543 points[0] = Q;
544 points[1] = Q;
545 points[2] = Q;
546 points[3] = Q;
547
548 if (!TEST_true(EC_GROUP_get_order(group, z, ctx))
549 || !TEST_true(BN_add(y, z, BN_value_one()))
550 || !TEST_BN_even(y)
551 || !TEST_true(BN_rshift1(y, y)))
552 goto err;
553
554 scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
555 scalars[1] = y;
556
557 /* z is still the group order */
558 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
559 || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
560 || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
561 || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx))
562 || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
563 || !TEST_true(BN_add(z, z, y)))
564 goto err;
565 BN_set_negative(z, 1);
566 scalars[0] = y;
567 scalars[1] = z; /* z = -(order + y) */
568
569 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
570 || !TEST_true(EC_POINT_is_at_infinity(group, P))
571 || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
572 || !TEST_true(BN_add(z, x, y)))
573 goto err;
574 BN_set_negative(z, 1);
575 scalars[0] = x;
576 scalars[1] = y;
577 scalars[2] = z; /* z = -(x+y) */
578
579 if (!TEST_ptr(scalar3 = BN_new()))
580 goto err;
581 BN_zero(scalar3);
582 scalars[3] = scalar3;
583
584 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
585 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
586 goto err;
587 #endif
588 TEST_note(" ok\n");
589 r = 1;
590 err:
591 BN_CTX_free(ctx);
592 BN_free(p);
593 BN_free(a);
594 BN_free(b);
595 EC_GROUP_free(group);
596 EC_POINT_free(P);
597 EC_POINT_free(Q);
598 EC_POINT_free(R);
599 BN_free(x);
600 BN_free(y);
601 BN_free(z);
602 BN_free(yplusone);
603 BN_free(scalar3);
604 return r;
605 }
606
607 #ifndef OPENSSL_NO_EC2M
608
609 static struct c2_curve_test {
610 const char *name;
611 const char *p;
612 const char *a;
613 const char *b;
614 const char *x;
615 const char *y;
616 int ybit;
617 const char *order;
618 const char *cof;
619 int degree;
620 } char2_curve_tests[] = {
621 /* Curve K-163 (FIPS PUB 186-2, App. 6) */
622 {
623 "NIST curve K-163",
624 "0800000000000000000000000000000000000000C9",
625 "1",
626 "1",
627 "02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8",
628 "0289070FB05D38FF58321F2E800536D538CCDAA3D9",
629 1, "04000000000000000000020108A2E0CC0D99F8A5EF", "2", 163
630 },
631 /* Curve B-163 (FIPS PUB 186-2, App. 6) */
632 {
633 "NIST curve B-163",
634 "0800000000000000000000000000000000000000C9",
635 "1",
636 "020A601907B8C953CA1481EB10512F78744A3205FD",
637 "03F0EBA16286A2D57EA0991168D4994637E8343E36",
638 "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1",
639 1, "040000000000000000000292FE77E70C12A4234C33", "2", 163
640 },
641 /* Curve K-233 (FIPS PUB 186-2, App. 6) */
642 {
643 "NIST curve K-233",
644 "020000000000000000000000000000000000000004000000000000000001",
645 "0",
646 "1",
647 "017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126",
648 "01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3",
649 0,
650 "008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF",
651 "4", 233
652 },
653 /* Curve B-233 (FIPS PUB 186-2, App. 6) */
654 {
655 "NIST curve B-233",
656 "020000000000000000000000000000000000000004000000000000000001",
657 "000000000000000000000000000000000000000000000000000000000001",
658 "0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD",
659 "00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B",
660 "01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052",
661 1,
662 "01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7",
663 "2", 233
664 },
665 /* Curve K-283 (FIPS PUB 186-2, App. 6) */
666 {
667 "NIST curve K-283",
668 "08000000"
669 "00000000000000000000000000000000000000000000000000000000000010A1",
670 "0",
671 "1",
672 "0503213F"
673 "78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836",
674 "01CCDA38"
675 "0F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259",
676 0,
677 "01FFFFFF"
678 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61",
679 "4", 283
680 },
681 /* Curve B-283 (FIPS PUB 186-2, App. 6) */
682 {
683 "NIST curve B-283",
684 "08000000"
685 "00000000000000000000000000000000000000000000000000000000000010A1",
686 "00000000"
687 "0000000000000000000000000000000000000000000000000000000000000001",
688 "027B680A"
689 "C8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5",
690 "05F93925"
691 "8DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053",
692 "03676854"
693 "FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4",
694 1,
695 "03FFFFFF"
696 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307",
697 "2", 283
698 },
699 /* Curve K-409 (FIPS PUB 186-2, App. 6) */
700 {
701 "NIST curve K-409",
702 "0200000000000000000000000000000000000000"
703 "0000000000000000000000000000000000000000008000000000000000000001",
704 "0",
705 "1",
706 "0060F05F658F49C1AD3AB1890F7184210EFD0987"
707 "E307C84C27ACCFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746",
708 "01E369050B7C4E42ACBA1DACBF04299C3460782F"
709 "918EA427E6325165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B",
710 1,
711 "007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
712 "FFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF",
713 "4", 409
714 },
715 /* Curve B-409 (FIPS PUB 186-2, App. 6) */
716 {
717 "NIST curve B-409",
718 "0200000000000000000000000000000000000000"
719 "0000000000000000000000000000000000000000008000000000000000000001",
720 "0000000000000000000000000000000000000000"
721 "0000000000000000000000000000000000000000000000000000000000000001",
722 "0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422E"
723 "F1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F",
724 "015D4860D088DDB3496B0C6064756260441CDE4A"
725 "F1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7",
726 "0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5"
727 "A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706",
728 1,
729 "0100000000000000000000000000000000000000"
730 "00000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173",
731 "2", 409
732 },
733 /* Curve K-571 (FIPS PUB 186-2, App. 6) */
734 {
735 "NIST curve K-571",
736 "800000000000000"
737 "0000000000000000000000000000000000000000000000000000000000000000"
738 "0000000000000000000000000000000000000000000000000000000000000425",
739 "0",
740 "1",
741 "026EB7A859923FBC"
742 "82189631F8103FE4AC9CA2970012D5D46024804801841CA44370958493B205E6"
743 "47DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972",
744 "0349DC807F4FBF37"
745 "4F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0AC44AEA7"
746 "4FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3",
747 0,
748 "0200000000000000"
749 "00000000000000000000000000000000000000000000000000000000131850E1"
750 "F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001",
751 "4", 571
752 },
753 /* Curve B-571 (FIPS PUB 186-2, App. 6) */
754 {
755 "NIST curve B-571",
756 "800000000000000"
757 "0000000000000000000000000000000000000000000000000000000000000000"
758 "0000000000000000000000000000000000000000000000000000000000000425",
759 "0000000000000000"
760 "0000000000000000000000000000000000000000000000000000000000000000"
761 "0000000000000000000000000000000000000000000000000000000000000001",
762 "02F40E7E2221F295"
763 "DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA5933"
764 "2BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A",
765 "0303001D34B85629"
766 "6C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293"
767 "CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19",
768 "037BF27342DA639B"
769 "6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A57"
770 "6291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B",
771 1,
772 "03FFFFFFFFFFFFFF"
773 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18"
774 "FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47",
775 "2", 571
776 }
777 };
778
char2_curve_test(int n)779 static int char2_curve_test(int n)
780 {
781 int r = 0;
782 BN_CTX *ctx = NULL;
783 BIGNUM *p = NULL, *a = NULL, *b = NULL;
784 BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
785 EC_GROUP *group = NULL;
786 EC_POINT *P = NULL, *Q = NULL, *R = NULL;
787 # ifndef OPENSSL_NO_DEPRECATED_3_0
788 const EC_POINT *points[3];
789 const BIGNUM *scalars[3];
790 # endif
791 struct c2_curve_test *const test = char2_curve_tests + n;
792
793 if (!TEST_ptr(ctx = BN_CTX_new())
794 || !TEST_ptr(p = BN_new())
795 || !TEST_ptr(a = BN_new())
796 || !TEST_ptr(b = BN_new())
797 || !TEST_ptr(x = BN_new())
798 || !TEST_ptr(y = BN_new())
799 || !TEST_ptr(z = BN_new())
800 || !TEST_ptr(yplusone = BN_new())
801 || !TEST_true(BN_hex2bn(&p, test->p))
802 || !TEST_true(BN_hex2bn(&a, test->a))
803 || !TEST_true(BN_hex2bn(&b, test->b))
804 || !TEST_true(group = EC_GROUP_new_curve_GF2m(p, a, b, ctx))
805 || !TEST_ptr(P = EC_POINT_new(group))
806 || !TEST_ptr(Q = EC_POINT_new(group))
807 || !TEST_ptr(R = EC_POINT_new(group))
808 || !TEST_true(BN_hex2bn(&x, test->x))
809 || !TEST_true(BN_hex2bn(&y, test->y))
810 || !TEST_true(BN_add(yplusone, y, BN_value_one())))
811 goto err;
812
813 /* Change test based on whether binary point compression is enabled or not. */
814 # ifdef OPENSSL_EC_BIN_PT_COMP
815 /*
816 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
817 * and therefore setting the coordinates should fail.
818 */
819 if (!TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, ctx))
820 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x,
821 test->y_bit,
822 ctx))
823 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
824 || !TEST_true(BN_hex2bn(&z, test->order))
825 || !TEST_true(BN_hex2bn(&cof, test->cof))
826 || !TEST_true(EC_GROUP_set_generator(group, P, z, cof))
827 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
828 goto err;
829 TEST_info("%s -- Generator", test->name);
830 test_output_bignum("x", x);
831 test_output_bignum("y", y);
832 /* G_y value taken from the standard: */
833 if (!TEST_true(BN_hex2bn(&z, test->y))
834 || !TEST_BN_eq(y, z))
835 goto err;
836 # else
837 /*
838 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
839 * and therefore setting the coordinates should fail.
840 */
841 if (!TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, ctx))
842 || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
843 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
844 || !TEST_true(BN_hex2bn(&z, test->order))
845 || !TEST_true(BN_hex2bn(&cof, test->cof))
846 || !TEST_true(EC_GROUP_set_generator(group, P, z, cof)))
847 goto err;
848 TEST_info("%s -- Generator:", test->name);
849 test_output_bignum("x", x);
850 test_output_bignum("y", y);
851 # endif
852
853 if (!TEST_int_eq(EC_GROUP_get_degree(group), test->degree)
854 || !group_order_tests(group))
855 goto err;
856
857 /* more tests using the last curve */
858 if (n == OSSL_NELEM(char2_curve_tests) - 1) {
859 if (!TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
860 || !TEST_true(EC_POINT_copy(Q, P))
861 || !TEST_false(EC_POINT_is_at_infinity(group, Q))
862 || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
863 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
864 || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
865 || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
866 || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
867 || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
868 || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
869 goto err;
870
871 # ifndef OPENSSL_NO_DEPRECATED_3_0
872 TEST_note("combined multiplication ...");
873 points[0] = Q;
874 points[1] = Q;
875 points[2] = Q;
876
877 if (!TEST_true(BN_add(y, z, BN_value_one()))
878 || !TEST_BN_even(y)
879 || !TEST_true(BN_rshift1(y, y)))
880 goto err;
881 scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
882 scalars[1] = y;
883
884 /* z is still the group order */
885 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
886 || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
887 || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
888 || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx)))
889 goto err;
890
891 if (!TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
892 || !TEST_true(BN_add(z, z, y)))
893 goto err;
894 BN_set_negative(z, 1);
895 scalars[0] = y;
896 scalars[1] = z; /* z = -(order + y) */
897
898 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
899 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
900 goto err;
901
902 if (!TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
903 || !TEST_true(BN_add(z, x, y)))
904 goto err;
905 BN_set_negative(z, 1);
906 scalars[0] = x;
907 scalars[1] = y;
908 scalars[2] = z; /* z = -(x+y) */
909
910 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx))
911 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
912 goto err;
913 # endif
914 }
915
916 r = 1;
917 err:
918 BN_CTX_free(ctx);
919 BN_free(p);
920 BN_free(a);
921 BN_free(b);
922 BN_free(x);
923 BN_free(y);
924 BN_free(z);
925 BN_free(yplusone);
926 BN_free(cof);
927 EC_POINT_free(P);
928 EC_POINT_free(Q);
929 EC_POINT_free(R);
930 EC_GROUP_free(group);
931 return r;
932 }
933
char2_field_tests(void)934 static int char2_field_tests(void)
935 {
936 BN_CTX *ctx = NULL;
937 BIGNUM *p = NULL, *a = NULL, *b = NULL;
938 EC_GROUP *group = NULL;
939 EC_POINT *P = NULL, *Q = NULL, *R = NULL;
940 BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
941 unsigned char buf[100];
942 size_t len;
943 int k, r = 0;
944
945 if (!TEST_ptr(ctx = BN_CTX_new())
946 || !TEST_ptr(p = BN_new())
947 || !TEST_ptr(a = BN_new())
948 || !TEST_ptr(b = BN_new())
949 || !TEST_true(BN_hex2bn(&p, "13"))
950 || !TEST_true(BN_hex2bn(&a, "3"))
951 || !TEST_true(BN_hex2bn(&b, "1")))
952 goto err;
953
954 if (!TEST_ptr(group = EC_GROUP_new_curve_GF2m(p, a, b, ctx))
955 || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
956 goto err;
957
958 TEST_info("Curve defined by Weierstrass equation");
959 TEST_note(" y^2 + x*y = x^3 + a*x^2 + b (mod p)");
960 test_output_bignum("a", a);
961 test_output_bignum("b", b);
962 test_output_bignum("p", p);
963
964 if (!TEST_ptr(P = EC_POINT_new(group))
965 || !TEST_ptr(Q = EC_POINT_new(group))
966 || !TEST_ptr(R = EC_POINT_new(group))
967 || !TEST_true(EC_POINT_set_to_infinity(group, P))
968 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
969 goto err;
970
971 buf[0] = 0;
972 if (!TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
973 || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
974 || !TEST_true(EC_POINT_is_at_infinity(group, P))
975 || !TEST_ptr(x = BN_new())
976 || !TEST_ptr(y = BN_new())
977 || !TEST_ptr(z = BN_new())
978 || !TEST_ptr(cof = BN_new())
979 || !TEST_ptr(yplusone = BN_new())
980 || !TEST_true(BN_hex2bn(&x, "6"))
981 /* Change test based on whether binary point compression is enabled or not. */
982 # ifdef OPENSSL_EC_BIN_PT_COMP
983 || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx))
984 # else
985 || !TEST_true(BN_hex2bn(&y, "8"))
986 || !TEST_true(EC_POINT_set_affine_coordinates(group, Q, x, y, ctx))
987 # endif
988 )
989 goto err;
990 if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
991 /* Change test based on whether binary point compression is enabled or not. */
992 # ifdef OPENSSL_EC_BIN_PT_COMP
993 if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)))
994 goto err;
995 # endif
996 TEST_info("Point is not on curve");
997 test_output_bignum("x", x);
998 test_output_bignum("y", y);
999 goto err;
1000 }
1001
1002 TEST_note("A cyclic subgroup:");
1003 k = 100;
1004 do {
1005 if (!TEST_int_ne(k--, 0))
1006 goto err;
1007
1008 if (EC_POINT_is_at_infinity(group, P))
1009 TEST_note(" point at infinity");
1010 else {
1011 if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
1012 ctx)))
1013 goto err;
1014
1015 test_output_bignum("x", x);
1016 test_output_bignum("y", y);
1017 }
1018
1019 if (!TEST_true(EC_POINT_copy(R, P))
1020 || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
1021 goto err;
1022 }
1023 while (!EC_POINT_is_at_infinity(group, P));
1024
1025 if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
1026 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
1027 goto err;
1028
1029 /* Change test based on whether binary point compression is enabled or not. */
1030 # ifdef OPENSSL_EC_BIN_PT_COMP
1031 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED,
1032 buf, sizeof(buf), ctx);
1033 if (!TEST_size_t_ne(len, 0)
1034 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1035 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1036 goto err;
1037 test_output_memory("Generator as octet string, compressed form:",
1038 buf, len);
1039 # endif
1040
1041 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
1042 buf, sizeof(buf), ctx);
1043 if (!TEST_size_t_ne(len, 0)
1044 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1045 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1046 goto err;
1047 test_output_memory("Generator as octet string, uncompressed form:",
1048 buf, len);
1049
1050 /* Change test based on whether binary point compression is enabled or not. */
1051 # ifdef OPENSSL_EC_BIN_PT_COMP
1052 len =
1053 EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof(buf),
1054 ctx);
1055 if (!TEST_size_t_ne(len, 0)
1056 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1057 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1058 goto err;
1059 test_output_memory("Generator as octet string, hybrid form:",
1060 buf, len);
1061 # endif
1062
1063 if (!TEST_true(EC_POINT_invert(group, P, ctx))
1064 || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)))
1065 goto err;
1066
1067 TEST_note("\n");
1068
1069 r = 1;
1070 err:
1071 BN_CTX_free(ctx);
1072 BN_free(p);
1073 BN_free(a);
1074 BN_free(b);
1075 EC_GROUP_free(group);
1076 EC_POINT_free(P);
1077 EC_POINT_free(Q);
1078 EC_POINT_free(R);
1079 BN_free(x);
1080 BN_free(y);
1081 BN_free(z);
1082 BN_free(cof);
1083 BN_free(yplusone);
1084 return r;
1085 }
1086
hybrid_point_encoding_test(void)1087 static int hybrid_point_encoding_test(void)
1088 {
1089 BIGNUM *x = NULL, *y = NULL;
1090 EC_GROUP *group = NULL;
1091 EC_POINT *point = NULL;
1092 unsigned char *buf = NULL;
1093 size_t len;
1094 int r = 0;
1095
1096 if (!TEST_true(BN_dec2bn(&x, "0"))
1097 || !TEST_true(BN_dec2bn(&y, "1"))
1098 || !TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_sect571k1))
1099 || !TEST_ptr(point = EC_POINT_new(group))
1100 || !TEST_true(EC_POINT_set_affine_coordinates(group, point, x, y, NULL))
1101 || !TEST_size_t_ne(0, (len = EC_POINT_point2oct(group,
1102 point,
1103 POINT_CONVERSION_HYBRID,
1104 NULL,
1105 0,
1106 NULL)))
1107 || !TEST_ptr(buf = OPENSSL_malloc(len))
1108 || !TEST_size_t_eq(len, EC_POINT_point2oct(group,
1109 point,
1110 POINT_CONVERSION_HYBRID,
1111 buf,
1112 len,
1113 NULL)))
1114 goto err;
1115
1116 r = 1;
1117
1118 /* buf contains a valid hybrid point, check that we can decode it. */
1119 if (!TEST_true(EC_POINT_oct2point(group, point, buf, len, NULL)))
1120 r = 0;
1121
1122 /* Flip the y_bit and verify that the invalid encoding is rejected. */
1123 buf[0] ^= 1;
1124 if (!TEST_false(EC_POINT_oct2point(group, point, buf, len, NULL)))
1125 r = 0;
1126
1127 err:
1128 BN_free(x);
1129 BN_free(y);
1130 EC_GROUP_free(group);
1131 EC_POINT_free(point);
1132 OPENSSL_free(buf);
1133 return r;
1134 }
1135 #endif
1136
internal_curve_test(int n)1137 static int internal_curve_test(int n)
1138 {
1139 EC_GROUP *group = NULL;
1140 int nid = curves[n].nid;
1141
1142 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
1143 TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n",
1144 OBJ_nid2sn(nid));
1145 return 0;
1146 }
1147 if (!TEST_true(EC_GROUP_check(group, NULL))) {
1148 TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid));
1149 EC_GROUP_free(group);
1150 return 0;
1151 }
1152 EC_GROUP_free(group);
1153 return 1;
1154 }
1155
internal_curve_test_method(int n)1156 static int internal_curve_test_method(int n)
1157 {
1158 int r, nid = curves[n].nid;
1159 EC_GROUP *group;
1160
1161 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
1162 TEST_info("Curve %s failed\n", OBJ_nid2sn(nid));
1163 return 0;
1164 }
1165 r = group_order_tests(group);
1166 EC_GROUP_free(group);
1167 return r;
1168 }
1169
group_field_test(void)1170 static int group_field_test(void)
1171 {
1172 int r = 1;
1173 BIGNUM *secp521r1_field = NULL;
1174 BIGNUM *sect163r2_field = NULL;
1175 EC_GROUP *secp521r1_group = NULL;
1176 EC_GROUP *sect163r2_group = NULL;
1177
1178 BN_hex2bn(&secp521r1_field,
1179 "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
1180 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
1181 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
1182 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
1183 "FFFF");
1184
1185
1186 BN_hex2bn(§163r2_field,
1187 "08000000000000000000000000000000"
1188 "00000000C9");
1189
1190 secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1);
1191 if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group)))
1192 r = 0;
1193
1194 # ifndef OPENSSL_NO_EC2M
1195 sect163r2_group = EC_GROUP_new_by_curve_name(NID_sect163r2);
1196 if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group)))
1197 r = 0;
1198 # endif
1199
1200 EC_GROUP_free(secp521r1_group);
1201 EC_GROUP_free(sect163r2_group);
1202 BN_free(secp521r1_field);
1203 BN_free(sect163r2_field);
1204 return r;
1205 }
1206
1207 /*
1208 * nistp_test_params contains magic numbers for testing
1209 * several NIST curves with characteristic > 3.
1210 */
1211 struct nistp_test_params {
1212 const int nid;
1213 int degree;
1214 /*
1215 * Qx, Qy and D are taken from
1216 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
1217 * Otherwise, values are standard curve parameters from FIPS 180-3
1218 */
1219 const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
1220 };
1221
1222 static const struct nistp_test_params nistp_tests_params[] = {
1223 {
1224 /* P-224 */
1225 NID_secp224r1,
1226 224,
1227 /* p */
1228 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
1229 /* a */
1230 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
1231 /* b */
1232 "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
1233 /* Qx */
1234 "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E",
1235 /* Qy */
1236 "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555",
1237 /* Gx */
1238 "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
1239 /* Gy */
1240 "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
1241 /* order */
1242 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
1243 /* d */
1244 "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8",
1245 },
1246 {
1247 /* P-256 */
1248 NID_X9_62_prime256v1,
1249 256,
1250 /* p */
1251 "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
1252 /* a */
1253 "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
1254 /* b */
1255 "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
1256 /* Qx */
1257 "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19",
1258 /* Qy */
1259 "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09",
1260 /* Gx */
1261 "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
1262 /* Gy */
1263 "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
1264 /* order */
1265 "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
1266 /* d */
1267 "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96",
1268 },
1269 {
1270 /* P-521 */
1271 NID_secp521r1,
1272 521,
1273 /* p */
1274 "1ff"
1275 "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
1276 "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
1277 /* a */
1278 "1ff"
1279 "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
1280 "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
1281 /* b */
1282 "051"
1283 "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1"
1284 "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
1285 /* Qx */
1286 "0098"
1287 "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e"
1288 "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
1289 /* Qy */
1290 "0164"
1291 "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8"
1292 "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
1293 /* Gx */
1294 "c6"
1295 "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba"
1296 "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
1297 /* Gy */
1298 "118"
1299 "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c"
1300 "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
1301 /* order */
1302 "1ff"
1303 "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa"
1304 "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
1305 /* d */
1306 "0100"
1307 "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee"
1308 "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
1309 },
1310 };
1311
nistp_single_test(int idx)1312 static int nistp_single_test(int idx)
1313 {
1314 const struct nistp_test_params *test = nistp_tests_params + idx;
1315 BN_CTX *ctx = NULL;
1316 BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL;
1317 BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL;
1318 EC_GROUP *NISTP = NULL;
1319 EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL;
1320 int r = 0;
1321
1322 TEST_note("NIST curve P-%d (optimised implementation):",
1323 test->degree);
1324 if (!TEST_ptr(ctx = BN_CTX_new())
1325 || !TEST_ptr(p = BN_new())
1326 || !TEST_ptr(a = BN_new())
1327 || !TEST_ptr(b = BN_new())
1328 || !TEST_ptr(x = BN_new())
1329 || !TEST_ptr(y = BN_new())
1330 || !TEST_ptr(m = BN_new())
1331 || !TEST_ptr(n = BN_new())
1332 || !TEST_ptr(order = BN_new())
1333 || !TEST_ptr(yplusone = BN_new())
1334
1335 || !TEST_ptr(NISTP = EC_GROUP_new_by_curve_name(test->nid))
1336 || !TEST_true(BN_hex2bn(&p, test->p))
1337 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
1338 || !TEST_true(BN_hex2bn(&a, test->a))
1339 || !TEST_true(BN_hex2bn(&b, test->b))
1340 || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx))
1341 || !TEST_ptr(G = EC_POINT_new(NISTP))
1342 || !TEST_ptr(P = EC_POINT_new(NISTP))
1343 || !TEST_ptr(Q = EC_POINT_new(NISTP))
1344 || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP))
1345 || !TEST_true(BN_hex2bn(&x, test->Qx))
1346 || !TEST_true(BN_hex2bn(&y, test->Qy))
1347 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
1348 /*
1349 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
1350 * and therefore setting the coordinates should fail.
1351 */
1352 || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x,
1353 yplusone, ctx))
1354 || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y,
1355 ctx))
1356 || !TEST_true(BN_hex2bn(&x, test->Gx))
1357 || !TEST_true(BN_hex2bn(&y, test->Gy))
1358 || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx))
1359 || !TEST_true(BN_hex2bn(&order, test->order))
1360 || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
1361 || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
1362 goto err;
1363
1364 TEST_note("NIST test vectors ... ");
1365 if (!TEST_true(BN_hex2bn(&n, test->d)))
1366 goto err;
1367 /* fixed point multiplication */
1368 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
1369 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1370 goto err;
1371 /* random point multiplication */
1372 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
1373 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
1374
1375 /* set generator to P = 2*G, where G is the standard generator */
1376 || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx))
1377 || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
1378 /* set the scalar to m=n/2, where n is the NIST test scalar */
1379 || !TEST_true(BN_rshift(m, n, 1)))
1380 goto err;
1381
1382 /* test the non-standard generator */
1383 /* fixed point multiplication */
1384 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
1385 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1386 goto err;
1387 /* random point multiplication */
1388 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
1389 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
1390 #ifndef OPENSSL_NO_DEPRECATED_3_0
1391 /* We have not performed precomp so this should be false */
1392 || !TEST_false(EC_GROUP_have_precompute_mult(NISTP))
1393 /* now repeat all tests with precomputation */
1394 || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx))
1395 #endif
1396 )
1397 goto err;
1398
1399 /* fixed point multiplication */
1400 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
1401 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1402 goto err;
1403 /* random point multiplication */
1404 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
1405 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
1406
1407 /* reset generator */
1408 || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())))
1409 goto err;
1410 /* fixed point multiplication */
1411 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
1412 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1413 goto err;
1414 /* random point multiplication */
1415 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
1416 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1417 goto err;
1418
1419 /* regression test for felem_neg bug */
1420 if (!TEST_true(BN_set_word(m, 32))
1421 || !TEST_true(BN_set_word(n, 31))
1422 || !TEST_true(EC_POINT_copy(P, G))
1423 || !TEST_true(EC_POINT_invert(NISTP, P, ctx))
1424 || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx))
1425 || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx)))
1426 goto err;
1427
1428 r = 1;
1429 err:
1430 EC_GROUP_free(NISTP);
1431 EC_POINT_free(G);
1432 EC_POINT_free(P);
1433 EC_POINT_free(Q);
1434 EC_POINT_free(Q_CHECK);
1435 BN_free(n);
1436 BN_free(m);
1437 BN_free(p);
1438 BN_free(a);
1439 BN_free(b);
1440 BN_free(x);
1441 BN_free(y);
1442 BN_free(order);
1443 BN_free(yplusone);
1444 BN_CTX_free(ctx);
1445 return r;
1446 }
1447
1448 static const unsigned char p521_named[] = {
1449 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23,
1450 };
1451
1452 static const unsigned char p521_explicit[] = {
1453 0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a,
1454 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff,
1455 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1456 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1457 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1458 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1459 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1460 0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff,
1461 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1462 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1463 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1464 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1465 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1466 0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a,
1467 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72,
1468 0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09,
1469 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 0x52, 0xc0,
1470 0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34,
1471 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00,
1472 0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17,
1473 0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04,
1474 0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e,
1475 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
1476 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b,
1477 0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
1478 0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e,
1479 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78,
1480 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9,
1481 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17,
1482 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40,
1483 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86,
1484 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
1485 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1486 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1487 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa,
1488 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48,
1489 0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae,
1490 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
1491 };
1492
1493 /*
1494 * This test validates a named curve's group parameters using
1495 * EC_GROUP_check_named_curve(). It also checks that modifying any of the
1496 * group parameters results in the curve not being valid.
1497 */
check_named_curve_test(int id)1498 static int check_named_curve_test(int id)
1499 {
1500 int ret = 0, nid, field_nid, has_seed;
1501 EC_GROUP *group = NULL, *gtest = NULL;
1502 const EC_POINT *group_gen = NULL;
1503 EC_POINT *other_gen = NULL;
1504 BIGNUM *group_p = NULL, *group_a = NULL, *group_b = NULL;
1505 BIGNUM *other_p = NULL, *other_a = NULL, *other_b = NULL;
1506 BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
1507 BIGNUM *other_order = NULL;
1508 const BIGNUM *group_order = NULL;
1509 BN_CTX *bn_ctx = NULL;
1510 static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
1511 static size_t invalid_seed_len = sizeof(invalid_seed);
1512
1513 /* Do some setup */
1514 nid = curves[id].nid;
1515 if (!TEST_ptr(bn_ctx = BN_CTX_new())
1516 || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
1517 || !TEST_ptr(gtest = EC_GROUP_dup(group))
1518 || !TEST_ptr(group_p = BN_new())
1519 || !TEST_ptr(group_a = BN_new())
1520 || !TEST_ptr(group_b = BN_new())
1521 || !TEST_ptr(group_cofactor = BN_new())
1522 || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
1523 || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
1524 || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
1525 || !TEST_true(EC_GROUP_get_curve(group, group_p, group_a, group_b, NULL))
1526 || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
1527 || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
1528 || !TEST_ptr(other_order = BN_dup(group_order))
1529 || !TEST_true(BN_add_word(other_order, 1))
1530 || !TEST_ptr(other_a = BN_dup(group_a))
1531 || !TEST_true(BN_add_word(other_a, 1))
1532 || !TEST_ptr(other_b = BN_dup(group_b))
1533 || !TEST_true(BN_add_word(other_b, 1))
1534 || !TEST_ptr(other_cofactor = BN_dup(group_cofactor))
1535 || !TEST_true(BN_add_word(other_cofactor, 1)))
1536 goto err;
1537
1538 /* Determine if the built-in curve has a seed field set */
1539 has_seed = (EC_GROUP_get_seed_len(group) > 0);
1540 field_nid = EC_GROUP_get_field_type(group);
1541 if (field_nid == NID_X9_62_characteristic_two_field) {
1542 if (!TEST_ptr(other_p = BN_dup(group_p))
1543 || !TEST_true(BN_lshift1(other_p, other_p)))
1544 goto err;
1545 } else {
1546 if (!TEST_ptr(other_p = BN_dup(group_p)))
1547 goto err;
1548 /*
1549 * Just choosing any arbitrary prime does not work..
1550 * Setting p via ec_GFp_nist_group_set_curve() needs the prime to be a
1551 * nist prime. So only select one of these as an alternate prime.
1552 */
1553 if (!TEST_ptr(BN_copy(other_p,
1554 BN_ucmp(BN_get0_nist_prime_192(), other_p) == 0 ?
1555 BN_get0_nist_prime_256() :
1556 BN_get0_nist_prime_192())))
1557 goto err;
1558 }
1559
1560 /* Passes because this is a valid curve */
1561 if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid)
1562 /* Only NIST curves pass */
1563 || !TEST_int_eq(EC_GROUP_check_named_curve(group, 1, NULL),
1564 EC_curve_nid2nist(nid) != NULL ? nid : NID_undef))
1565 goto err;
1566
1567 /* Fail if the curve name doesn't match the parameters */
1568 EC_GROUP_set_curve_name(group, nid + 1);
1569 ERR_set_mark();
1570 if (!TEST_int_le(EC_GROUP_check_named_curve(group, 0, NULL), 0))
1571 goto err;
1572 ERR_pop_to_mark();
1573
1574 /* Restore curve name and ensure it's passing */
1575 EC_GROUP_set_curve_name(group, nid);
1576 if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
1577 goto err;
1578
1579 if (!TEST_int_eq(EC_GROUP_set_seed(group, invalid_seed, invalid_seed_len),
1580 invalid_seed_len))
1581 goto err;
1582
1583 if (has_seed) {
1584 /*
1585 * If the built-in curve has a seed and we set the seed to another value
1586 * then it will fail the check.
1587 */
1588 if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), 0))
1589 goto err;
1590 } else {
1591 /*
1592 * If the built-in curve does not have a seed then setting the seed will
1593 * pass the check (as the seed is optional).
1594 */
1595 if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
1596 goto err;
1597 }
1598 /* Pass if the seed is unknown (as it is optional) */
1599 if (!TEST_int_eq(EC_GROUP_set_seed(group, NULL, 0), 1)
1600 || !TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
1601 goto err;
1602
1603 /* Check that a duped group passes */
1604 if (!TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
1605 goto err;
1606
1607 /* check that changing any generator parameter fails */
1608 if (!TEST_true(EC_GROUP_set_generator(gtest, other_gen, group_order,
1609 group_cofactor))
1610 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
1611 || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, other_order,
1612 group_cofactor))
1613 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
1614 /* The order is not an optional field, so this should fail */
1615 || !TEST_false(EC_GROUP_set_generator(gtest, group_gen, NULL,
1616 group_cofactor))
1617 || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
1618 other_cofactor))
1619 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
1620 /* Check that if the cofactor is not set then it still passes */
1621 || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
1622 NULL))
1623 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid)
1624 /* check that restoring the generator passes */
1625 || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
1626 group_cofactor))
1627 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
1628 goto err;
1629
1630 /*
1631 * check that changing any curve parameter fails
1632 *
1633 * Setting arbitrary p, a or b might fail for some EC_GROUPs
1634 * depending on the internal EC_METHOD implementation, hence run
1635 * these tests conditionally to the success of EC_GROUP_set_curve().
1636 */
1637 ERR_set_mark();
1638 if (EC_GROUP_set_curve(gtest, other_p, group_a, group_b, NULL)) {
1639 if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
1640 goto err;
1641 } else {
1642 /* clear the error stack if EC_GROUP_set_curve() failed */
1643 ERR_pop_to_mark();
1644 ERR_set_mark();
1645 }
1646 if (EC_GROUP_set_curve(gtest, group_p, other_a, group_b, NULL)) {
1647 if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
1648 goto err;
1649 } else {
1650 /* clear the error stack if EC_GROUP_set_curve() failed */
1651 ERR_pop_to_mark();
1652 ERR_set_mark();
1653 }
1654 if (EC_GROUP_set_curve(gtest, group_p, group_a, other_b, NULL)) {
1655 if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
1656 goto err;
1657 } else {
1658 /* clear the error stack if EC_GROUP_set_curve() failed */
1659 ERR_pop_to_mark();
1660 ERR_set_mark();
1661 }
1662 ERR_pop_to_mark();
1663
1664 /* Check that restoring the curve parameters passes */
1665 if (!TEST_true(EC_GROUP_set_curve(gtest, group_p, group_a, group_b, NULL))
1666 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
1667 goto err;
1668
1669 ret = 1;
1670 err:
1671 BN_free(group_p);
1672 BN_free(other_p);
1673 BN_free(group_a);
1674 BN_free(other_a);
1675 BN_free(group_b);
1676 BN_free(other_b);
1677 BN_free(group_cofactor);
1678 BN_free(other_cofactor);
1679 BN_free(other_order);
1680 EC_POINT_free(other_gen);
1681 EC_GROUP_free(gtest);
1682 EC_GROUP_free(group);
1683 BN_CTX_free(bn_ctx);
1684 return ret;
1685 }
1686
1687 /*
1688 * This checks the lookup capability of EC_GROUP_check_named_curve()
1689 * when the given group was created with explicit parameters.
1690 *
1691 * It is possible to retrieve an alternative alias that does not match
1692 * the original nid in this case.
1693 */
check_named_curve_lookup_test(int id)1694 static int check_named_curve_lookup_test(int id)
1695 {
1696 int ret = 0, nid, rv = 0;
1697 EC_GROUP *g = NULL , *ga = NULL;
1698 ECPARAMETERS *p = NULL, *pa = NULL;
1699 BN_CTX *ctx = NULL;
1700
1701 /* Do some setup */
1702 nid = curves[id].nid;
1703 if (!TEST_ptr(ctx = BN_CTX_new())
1704 || !TEST_ptr(g = EC_GROUP_new_by_curve_name(nid))
1705 || !TEST_ptr(p = EC_GROUP_get_ecparameters(g, NULL)))
1706 goto err;
1707
1708 /* replace with group from explicit parameters */
1709 EC_GROUP_free(g);
1710 if (!TEST_ptr(g = EC_GROUP_new_from_ecparameters(p)))
1711 goto err;
1712
1713 if (!TEST_int_gt(rv = EC_GROUP_check_named_curve(g, 0, NULL), 0))
1714 goto err;
1715 if (rv != nid) {
1716 /*
1717 * Found an alias:
1718 * fail if the returned nid is not an alias of the original group.
1719 *
1720 * The comparison here is done by comparing two explicit
1721 * parameter EC_GROUPs with EC_GROUP_cmp(), to ensure the
1722 * comparison happens with unnamed EC_GROUPs using the same
1723 * EC_METHODs.
1724 */
1725 if (!TEST_ptr(ga = EC_GROUP_new_by_curve_name(rv))
1726 || !TEST_ptr(pa = EC_GROUP_get_ecparameters(ga, NULL)))
1727 goto err;
1728
1729 /* replace with group from explicit parameters, then compare */
1730 EC_GROUP_free(ga);
1731 if (!TEST_ptr(ga = EC_GROUP_new_from_ecparameters(pa))
1732 || !TEST_int_eq(EC_GROUP_cmp(g, ga, ctx), 0))
1733 goto err;
1734 }
1735
1736 ret = 1;
1737
1738 err:
1739 EC_GROUP_free(g);
1740 EC_GROUP_free(ga);
1741 ECPARAMETERS_free(p);
1742 ECPARAMETERS_free(pa);
1743 BN_CTX_free(ctx);
1744
1745 return ret;
1746 }
1747
1748 /*
1749 * Sometime we cannot compare nids for equality, as the built-in curve table
1750 * includes aliases with different names for the same curve.
1751 *
1752 * This function returns TRUE (1) if the checked nids are identical, or if they
1753 * alias to the same curve. FALSE (0) otherwise.
1754 */
1755 static ossl_inline
are_ec_nids_compatible(int n1d,int n2d)1756 int are_ec_nids_compatible(int n1d, int n2d)
1757 {
1758 int ret = 0;
1759 switch (n1d) {
1760 #ifndef OPENSSL_NO_EC2M
1761 case NID_sect113r1:
1762 case NID_wap_wsg_idm_ecid_wtls4:
1763 ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
1764 break;
1765 case NID_sect163k1:
1766 case NID_wap_wsg_idm_ecid_wtls3:
1767 ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
1768 break;
1769 case NID_sect233k1:
1770 case NID_wap_wsg_idm_ecid_wtls10:
1771 ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
1772 break;
1773 case NID_sect233r1:
1774 case NID_wap_wsg_idm_ecid_wtls11:
1775 ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
1776 break;
1777 case NID_X9_62_c2pnb163v1:
1778 case NID_wap_wsg_idm_ecid_wtls5:
1779 ret = (n2d == NID_X9_62_c2pnb163v1
1780 || n2d == NID_wap_wsg_idm_ecid_wtls5);
1781 break;
1782 #endif /* OPENSSL_NO_EC2M */
1783 case NID_secp112r1:
1784 case NID_wap_wsg_idm_ecid_wtls6:
1785 ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
1786 break;
1787 case NID_secp160r2:
1788 case NID_wap_wsg_idm_ecid_wtls7:
1789 ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
1790 break;
1791 #ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
1792 case NID_secp224r1:
1793 case NID_wap_wsg_idm_ecid_wtls12:
1794 ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
1795 break;
1796 #else
1797 /*
1798 * For SEC P-224 we want to ensure that the SECP nid is returned, as
1799 * that is associated with a specialized method.
1800 */
1801 case NID_wap_wsg_idm_ecid_wtls12:
1802 ret = (n2d == NID_secp224r1);
1803 break;
1804 #endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
1805
1806 default:
1807 ret = (n1d == n2d);
1808 }
1809 return ret;
1810 }
1811
1812 /*
1813 * This checks that EC_GROUP_bew_from_ecparameters() returns a "named"
1814 * EC_GROUP for built-in curves.
1815 *
1816 * Note that it is possible to retrieve an alternative alias that does not match
1817 * the original nid.
1818 *
1819 * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
1820 */
check_named_curve_from_ecparameters(int id)1821 static int check_named_curve_from_ecparameters(int id)
1822 {
1823 int ret = 0, nid, tnid;
1824 EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
1825 const EC_POINT *group_gen = NULL;
1826 EC_POINT *other_gen = NULL;
1827 BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
1828 BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
1829 const BIGNUM *group_order = NULL;
1830 BIGNUM *other_order = NULL;
1831 BN_CTX *bn_ctx = NULL;
1832 static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
1833 static size_t invalid_seed_len = sizeof(invalid_seed);
1834 ECPARAMETERS *params = NULL, *other_params = NULL;
1835 EC_GROUP *g_ary[8] = {NULL};
1836 EC_GROUP **g_next = &g_ary[0];
1837 ECPARAMETERS *p_ary[8] = {NULL};
1838 ECPARAMETERS **p_next = &p_ary[0];
1839
1840 /* Do some setup */
1841 nid = curves[id].nid;
1842 TEST_note("Curve %s", OBJ_nid2sn(nid));
1843 if (!TEST_ptr(bn_ctx = BN_CTX_new()))
1844 return ret;
1845 BN_CTX_start(bn_ctx);
1846
1847 if (/* Allocations */
1848 !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
1849 || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
1850 || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
1851 || !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
1852 || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
1853 /* Generate reference group and params */
1854 || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
1855 || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
1856 || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
1857 || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
1858 || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
1859 /* compute `other_*` values */
1860 || !TEST_ptr(tmpg = EC_GROUP_dup(group))
1861 || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
1862 || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
1863 || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
1864 other_gen_x, other_gen_y, bn_ctx))
1865 || !TEST_true(BN_copy(other_order, group_order))
1866 || !TEST_true(BN_add_word(other_order, 1))
1867 || !TEST_true(BN_copy(other_cofactor, group_cofactor))
1868 || !TEST_true(BN_add_word(other_cofactor, 1)))
1869 goto err;
1870
1871 EC_POINT_free(other_gen);
1872 other_gen = NULL;
1873
1874 if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
1875 || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
1876 other_gen_x, other_gen_y,
1877 bn_ctx)))
1878 goto err;
1879
1880 /*
1881 * ###########################
1882 * # Actual tests start here #
1883 * ###########################
1884 */
1885
1886 /*
1887 * Creating a group from built-in explicit parameters returns a
1888 * "named" EC_GROUP
1889 */
1890 if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
1891 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
1892 goto err;
1893 /*
1894 * We cannot always guarantee the names match, as the built-in table
1895 * contains aliases for the same curve with different names.
1896 */
1897 if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
1898 TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
1899 goto err;
1900 }
1901 /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
1902 if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
1903 goto err;
1904
1905 /*
1906 * An invalid seed in the parameters should be ignored: expect a "named"
1907 * group.
1908 */
1909 if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
1910 invalid_seed_len)
1911 || !TEST_ptr(other_params = *p_next++ =
1912 EC_GROUP_get_ecparameters(tmpg, NULL))
1913 || !TEST_ptr(tgroup = *g_next++ =
1914 EC_GROUP_new_from_ecparameters(other_params))
1915 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1916 || !TEST_true(are_ec_nids_compatible(nid, tnid))
1917 || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1918 OPENSSL_EC_EXPLICIT_CURVE)) {
1919 TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
1920 goto err;
1921 }
1922
1923 /*
1924 * A null seed in the parameters should be ignored, as it is optional:
1925 * expect a "named" group.
1926 */
1927 if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
1928 || !TEST_ptr(other_params = *p_next++ =
1929 EC_GROUP_get_ecparameters(tmpg, NULL))
1930 || !TEST_ptr(tgroup = *g_next++ =
1931 EC_GROUP_new_from_ecparameters(other_params))
1932 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1933 || !TEST_true(are_ec_nids_compatible(nid, tnid))
1934 || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1935 OPENSSL_EC_EXPLICIT_CURVE)) {
1936 TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
1937 goto err;
1938 }
1939
1940 /*
1941 * Check that changing any of the generator parameters does not yield a
1942 * match with the built-in curves
1943 */
1944 if (/* Other gen, same group order & cofactor */
1945 !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
1946 group_cofactor))
1947 || !TEST_ptr(other_params = *p_next++ =
1948 EC_GROUP_get_ecparameters(tmpg, NULL))
1949 || !TEST_ptr(tgroup = *g_next++ =
1950 EC_GROUP_new_from_ecparameters(other_params))
1951 || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1952 /* Same gen & cofactor, different order */
1953 || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
1954 group_cofactor))
1955 || !TEST_ptr(other_params = *p_next++ =
1956 EC_GROUP_get_ecparameters(tmpg, NULL))
1957 || !TEST_ptr(tgroup = *g_next++ =
1958 EC_GROUP_new_from_ecparameters(other_params))
1959 || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1960 /* The order is not an optional field, so this should fail */
1961 || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
1962 group_cofactor))
1963 /* Check that a wrong cofactor is ignored, and we still match */
1964 || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
1965 other_cofactor))
1966 || !TEST_ptr(other_params = *p_next++ =
1967 EC_GROUP_get_ecparameters(tmpg, NULL))
1968 || !TEST_ptr(tgroup = *g_next++ =
1969 EC_GROUP_new_from_ecparameters(other_params))
1970 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1971 || !TEST_true(are_ec_nids_compatible(nid, tnid))
1972 || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1973 OPENSSL_EC_EXPLICIT_CURVE)
1974 /* Check that if the cofactor is not set then it still matches */
1975 || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
1976 NULL))
1977 || !TEST_ptr(other_params = *p_next++ =
1978 EC_GROUP_get_ecparameters(tmpg, NULL))
1979 || !TEST_ptr(tgroup = *g_next++ =
1980 EC_GROUP_new_from_ecparameters(other_params))
1981 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1982 || !TEST_true(are_ec_nids_compatible(nid, tnid))
1983 || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1984 OPENSSL_EC_EXPLICIT_CURVE)
1985 /* check that restoring the generator passes */
1986 || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
1987 group_cofactor))
1988 || !TEST_ptr(other_params = *p_next++ =
1989 EC_GROUP_get_ecparameters(tmpg, NULL))
1990 || !TEST_ptr(tgroup = *g_next++ =
1991 EC_GROUP_new_from_ecparameters(other_params))
1992 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1993 || !TEST_true(are_ec_nids_compatible(nid, tnid))
1994 || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1995 OPENSSL_EC_EXPLICIT_CURVE))
1996 goto err;
1997
1998 ret = 1;
1999 err:
2000 for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
2001 EC_GROUP_free(*g_next);
2002 for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)
2003 ECPARAMETERS_free(*p_next);
2004 ECPARAMETERS_free(params);
2005 EC_POINT_free(other_gen);
2006 EC_GROUP_free(tmpg);
2007 EC_GROUP_free(group);
2008 BN_CTX_end(bn_ctx);
2009 BN_CTX_free(bn_ctx);
2010 return ret;
2011 }
2012
2013
parameter_test(void)2014 static int parameter_test(void)
2015 {
2016 EC_GROUP *group = NULL, *group2 = NULL;
2017 ECPARAMETERS *ecparameters = NULL;
2018 unsigned char *buf = NULL;
2019 int r = 0, len;
2020
2021 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1))
2022 || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
2023 || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
2024 || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
2025 goto err;
2026
2027 EC_GROUP_free(group);
2028 group = NULL;
2029
2030 /* Test the named curve encoding, which should be default. */
2031 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1))
2032 || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
2033 || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named)))
2034 goto err;
2035
2036 OPENSSL_free(buf);
2037 buf = NULL;
2038
2039 /*
2040 * Test the explicit encoding. P-521 requires correctly zero-padding the
2041 * curve coefficients.
2042 */
2043 EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
2044 if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
2045 || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit)))
2046 goto err;
2047
2048 r = 1;
2049 err:
2050 EC_GROUP_free(group);
2051 EC_GROUP_free(group2);
2052 ECPARAMETERS_free(ecparameters);
2053 OPENSSL_free(buf);
2054 return r;
2055 }
2056
2057 /*
2058 * This test validates converting an EC_GROUP to an OSSL_PARAM array
2059 * using EC_GROUP_to_params(). A named and an explicit curve are tested.
2060 */
ossl_parameter_test(void)2061 static int ossl_parameter_test(void)
2062 {
2063 EC_GROUP *group_nmd = NULL, *group_nmd2 = NULL, *group_nmd3 = NULL;
2064 EC_GROUP *group_exp = NULL, *group_exp2 = NULL;
2065 OSSL_PARAM *params_nmd = NULL, *params_nmd2 = NULL;
2066 OSSL_PARAM *params_exp = NULL, *params_exp2 = NULL;
2067 unsigned char *buf = NULL, *buf2 = NULL;
2068 BN_CTX *bn_ctx = NULL;
2069 OSSL_PARAM_BLD *bld = NULL;
2070 BIGNUM *p, *a, *b;
2071 const EC_POINT *group_gen = NULL;
2072 size_t bsize;
2073 int r = 0;
2074
2075 if (!TEST_ptr(bn_ctx = BN_CTX_new()))
2076 goto err;
2077
2078 /* test named curve */
2079 if (!TEST_ptr(group_nmd = EC_GROUP_new_by_curve_name(NID_secp384r1))
2080 /* test with null BN_CTX */
2081 || !TEST_ptr(params_nmd = EC_GROUP_to_params(
2082 group_nmd, NULL, NULL, NULL))
2083 || !TEST_ptr(group_nmd2 = EC_GROUP_new_from_params(
2084 params_nmd, NULL, NULL))
2085 || !TEST_int_eq(EC_GROUP_cmp(group_nmd, group_nmd2, NULL), 0)
2086 /* test with BN_CTX set */
2087 || !TEST_ptr(params_nmd2 = EC_GROUP_to_params(
2088 group_nmd, NULL, NULL, bn_ctx))
2089 || !TEST_ptr(group_nmd3 = EC_GROUP_new_from_params(
2090 params_nmd2, NULL, NULL))
2091 || !TEST_int_eq(EC_GROUP_cmp(group_nmd, group_nmd3, NULL), 0))
2092 goto err;
2093
2094 /* test explicit curve */
2095 if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()))
2096 goto err;
2097
2098 BN_CTX_start(bn_ctx);
2099 p = BN_CTX_get(bn_ctx);
2100 a = BN_CTX_get(bn_ctx);
2101 b = BN_CTX_get(bn_ctx);
2102
2103 if (!TEST_true(EC_GROUP_get_curve(group_nmd, p, a, b, bn_ctx))
2104 || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(
2105 bld, OSSL_PKEY_PARAM_EC_FIELD_TYPE, SN_X9_62_prime_field, 0))
2106 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_P, p))
2107 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_A, a))
2108 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_B, b)))
2109 goto err;
2110
2111 if (EC_GROUP_get0_seed(group_nmd) != NULL) {
2112 if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(
2113 bld, OSSL_PKEY_PARAM_EC_SEED, EC_GROUP_get0_seed(group_nmd),
2114 EC_GROUP_get_seed_len(group_nmd))))
2115 goto err;
2116 }
2117 if (EC_GROUP_get0_cofactor(group_nmd) != NULL) {
2118 if (!TEST_true(OSSL_PARAM_BLD_push_BN(
2119 bld, OSSL_PKEY_PARAM_EC_COFACTOR,
2120 EC_GROUP_get0_cofactor(group_nmd))))
2121 goto err;
2122 }
2123
2124 if (!TEST_ptr(group_gen = EC_GROUP_get0_generator(group_nmd))
2125 || !TEST_size_t_gt(bsize = EC_POINT_point2oct(
2126 group_nmd, EC_GROUP_get0_generator(group_nmd),
2127 POINT_CONVERSION_UNCOMPRESSED, NULL, 0, bn_ctx), 0)
2128 || !TEST_ptr(buf2 = OPENSSL_malloc(bsize))
2129 || !TEST_size_t_eq(EC_POINT_point2oct(
2130 group_nmd, EC_GROUP_get0_generator(group_nmd),
2131 POINT_CONVERSION_UNCOMPRESSED, buf2, bsize, bn_ctx), bsize)
2132 || !TEST_true(OSSL_PARAM_BLD_push_octet_string(
2133 bld, OSSL_PKEY_PARAM_EC_GENERATOR, buf2, bsize))
2134 || !TEST_true(OSSL_PARAM_BLD_push_BN(
2135 bld, OSSL_PKEY_PARAM_EC_ORDER, EC_GROUP_get0_order(group_nmd))))
2136 goto err;
2137
2138 if (!TEST_ptr(params_exp = OSSL_PARAM_BLD_to_param(bld))
2139 || !TEST_ptr(group_exp =
2140 EC_GROUP_new_from_params(params_exp, NULL, NULL))
2141 || !TEST_ptr(params_exp2 =
2142 EC_GROUP_to_params(group_exp, NULL, NULL, NULL))
2143 || !TEST_ptr(group_exp2 =
2144 EC_GROUP_new_from_params(params_exp2, NULL, NULL))
2145 || !TEST_int_eq(EC_GROUP_cmp(group_exp, group_exp2, NULL), 0))
2146 goto err;
2147
2148 r = 1;
2149
2150 err:
2151 EC_GROUP_free(group_nmd);
2152 EC_GROUP_free(group_nmd2);
2153 EC_GROUP_free(group_nmd3);
2154 OSSL_PARAM_free(params_nmd);
2155 OSSL_PARAM_free(params_nmd2);
2156 OPENSSL_free(buf);
2157
2158 EC_GROUP_free(group_exp);
2159 EC_GROUP_free(group_exp2);
2160 BN_CTX_end(bn_ctx);
2161 BN_CTX_free(bn_ctx);
2162 OPENSSL_free(buf2);
2163 OSSL_PARAM_BLD_free(bld);
2164 OSSL_PARAM_free(params_exp);
2165 OSSL_PARAM_free(params_exp2);
2166 return r;
2167 }
2168
2169 /*-
2170 * random 256-bit explicit parameters curve, cofactor absent
2171 * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
2172 * cofactor: 0x12bc94785251297abfafddf1565100da (125 bit)
2173 */
2174 static const unsigned char params_cf_pass[] = {
2175 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
2176 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5,
2177 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
2178 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
2179 0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5,
2180 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
2181 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
2182 0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc,
2183 0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27,
2184 0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23,
2185 0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77,
2186 0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b,
2187 0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4,
2188 0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9,
2189 0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a,
2190 0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c,
2191 0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96,
2192 0x14, 0xa8, 0x2f, 0x4f
2193 };
2194
2195 /*-
2196 * random 256-bit explicit parameters curve, cofactor absent
2197 * order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
2198 * cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
2199 */
2200 static const unsigned char params_cf_fail[] = {
2201 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
2202 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37,
2203 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
2204 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
2205 0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37,
2206 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
2207 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
2208 0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09,
2209 0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d,
2210 0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02,
2211 0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59,
2212 0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11,
2213 0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24,
2214 0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70,
2215 0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73,
2216 0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04,
2217 0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e,
2218 0x34, 0xa2, 0x21, 0x01
2219 };
2220
2221 /*-
2222 * Test two random 256-bit explicit parameters curves with absent cofactor.
2223 * The two curves are chosen to roughly straddle the bounds at which the lib
2224 * can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
2225 *
2226 * - params_cf_pass: order is sufficiently close to p to compute cofactor
2227 * - params_cf_fail: order is too far away from p to compute cofactor
2228 *
2229 * For standards-compliant curves, cofactor is chosen as small as possible.
2230 * So you can see neither of these curves are fit for cryptographic use.
2231 *
2232 * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
2233 * h <= 2**(t/8) where t is the security level of the curve, for which the lib
2234 * will always succeed in computing the cofactor. Neither of these curves
2235 * conform to that -- this is just robustness testing.
2236 */
cofactor_range_test(void)2237 static int cofactor_range_test(void)
2238 {
2239 EC_GROUP *group = NULL;
2240 BIGNUM *cf = NULL;
2241 int ret = 0;
2242 const unsigned char *b1 = (const unsigned char *)params_cf_fail;
2243 const unsigned char *b2 = (const unsigned char *)params_cf_pass;
2244
2245 if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
2246 || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
2247 || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
2248 sizeof(params_cf_pass)))
2249 || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
2250 || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
2251 goto err;
2252 ret = 1;
2253 err:
2254 BN_free(cf);
2255 EC_GROUP_free(group);
2256 return ret;
2257 }
2258
2259 /*-
2260 * For named curves, test that:
2261 * - the lib correctly computes the cofactor if passed a NULL or zero cofactor
2262 * - a nonsensical cofactor throws an error (negative test)
2263 * - nonsensical orders throw errors (negative tests)
2264 */
cardinality_test(int n)2265 static int cardinality_test(int n)
2266 {
2267 int ret = 0, is_binary = 0;
2268 int nid = curves[n].nid;
2269 BN_CTX *ctx = NULL;
2270 EC_GROUP *g1 = NULL, *g2 = NULL;
2271 EC_POINT *g2_gen = NULL;
2272 BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
2273 *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;
2274
2275 TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
2276
2277 if (!TEST_ptr(ctx = BN_CTX_new())
2278 || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))) {
2279 BN_CTX_free(ctx);
2280 return 0;
2281 }
2282
2283 is_binary = (EC_GROUP_get_field_type(g1) == NID_X9_62_characteristic_two_field);
2284
2285 BN_CTX_start(ctx);
2286 g1_p = BN_CTX_get(ctx);
2287 g1_a = BN_CTX_get(ctx);
2288 g1_b = BN_CTX_get(ctx);
2289 g1_x = BN_CTX_get(ctx);
2290 g1_y = BN_CTX_get(ctx);
2291 g1_order = BN_CTX_get(ctx);
2292 g1_cf = BN_CTX_get(ctx);
2293
2294 if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
2295 /* pull out the explicit curve parameters */
2296 || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
2297 || !TEST_true(EC_POINT_get_affine_coordinates(g1,
2298 EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
2299 || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
2300 || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
2301 /* construct g2 manually with g1 parameters */
2302 #ifndef OPENSSL_NO_EC2M
2303 || !TEST_ptr(g2 = (is_binary) ?
2304 EC_GROUP_new_curve_GF2m(g1_p, g1_a, g1_b, ctx) :
2305 EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx))
2306 #else
2307 || !TEST_int_eq(0, is_binary)
2308 || !TEST_ptr(g2 = EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx))
2309 #endif
2310 || !TEST_ptr(g2_gen = EC_POINT_new(g2))
2311 || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
2312 /* pass NULL cofactor: lib should compute it */
2313 || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
2314 || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
2315 || !TEST_BN_eq(g1_cf, g2_cf)
2316 /* pass zero cofactor: lib should compute it */
2317 || !TEST_true(BN_set_word(g2_cf, 0))
2318 || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
2319 || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
2320 || !TEST_BN_eq(g1_cf, g2_cf)
2321 /* negative test for invalid cofactor */
2322 || !TEST_true(BN_set_word(g2_cf, 0))
2323 || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
2324 || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
2325 /* negative test for NULL order */
2326 || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
2327 /* negative test for zero order */
2328 || !TEST_true(BN_set_word(g1_order, 0))
2329 || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
2330 /* negative test for negative order */
2331 || !TEST_true(BN_set_word(g2_cf, 0))
2332 || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
2333 || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
2334 /* negative test for too large order */
2335 || !TEST_true(BN_lshift(g1_order, g1_p, 2))
2336 || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
2337 goto err;
2338 ret = 1;
2339 err:
2340 EC_POINT_free(g2_gen);
2341 EC_GROUP_free(g1);
2342 EC_GROUP_free(g2);
2343 BN_CTX_end(ctx);
2344 BN_CTX_free(ctx);
2345 return ret;
2346 }
2347
check_ec_key_field_public_range_test(int id)2348 static int check_ec_key_field_public_range_test(int id)
2349 {
2350 int ret = 0, type = 0;
2351 const EC_POINT *pub = NULL;
2352 const EC_GROUP *group = NULL;
2353 const BIGNUM *field = NULL;
2354 BIGNUM *x = NULL, *y = NULL;
2355 EC_KEY *key = NULL;
2356
2357 if (!TEST_ptr(x = BN_new())
2358 || !TEST_ptr(y = BN_new())
2359 || !TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid))
2360 || !TEST_ptr(group = EC_KEY_get0_group(key))
2361 || !TEST_ptr(field = EC_GROUP_get0_field(group))
2362 || !TEST_int_gt(EC_KEY_generate_key(key), 0)
2363 || !TEST_int_gt(EC_KEY_check_key(key), 0)
2364 || !TEST_ptr(pub = EC_KEY_get0_public_key(key))
2365 || !TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y,
2366 NULL), 0))
2367 goto err;
2368
2369 /*
2370 * Make the public point out of range by adding the field (which will still
2371 * be the same point on the curve). The add is different for char2 fields.
2372 */
2373 type = EC_GROUP_get_field_type(group);
2374 #ifndef OPENSSL_NO_EC2M
2375 if (type == NID_X9_62_characteristic_two_field) {
2376 /* test for binary curves */
2377 if (!TEST_true(BN_GF2m_add(x, x, field)))
2378 goto err;
2379 } else
2380 #endif
2381 if (type == NID_X9_62_prime_field) {
2382 /* test for prime curves */
2383 if (!TEST_true(BN_add(x, x, field)))
2384 goto err;
2385 } else {
2386 /* this should never happen */
2387 TEST_error("Unsupported EC_METHOD field_type");
2388 goto err;
2389 }
2390 if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0))
2391 goto err;
2392
2393 ret = 1;
2394 err:
2395 BN_free(x);
2396 BN_free(y);
2397 EC_KEY_free(key);
2398 return ret;
2399 }
2400
2401 /*
2402 * Helper for ec_point_hex2point_test
2403 *
2404 * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given
2405 * (group,P) pair.
2406 *
2407 * If P is NULL use point at infinity.
2408 */
2409 static ossl_inline
ec_point_hex2point_test_helper(const EC_GROUP * group,const EC_POINT * P,point_conversion_form_t form,BN_CTX * bnctx)2410 int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P,
2411 point_conversion_form_t form,
2412 BN_CTX *bnctx)
2413 {
2414 int ret = 0;
2415 EC_POINT *Q = NULL, *Pinf = NULL;
2416 char *hex = NULL;
2417
2418 if (P == NULL) {
2419 /* If P is NULL use point at infinity. */
2420 if (!TEST_ptr(Pinf = EC_POINT_new(group))
2421 || !TEST_true(EC_POINT_set_to_infinity(group, Pinf)))
2422 goto err;
2423 P = Pinf;
2424 }
2425
2426 if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx))
2427 || !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx))
2428 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx)))
2429 goto err;
2430
2431 /*
2432 * The next check is most likely superfluous, as EC_POINT_cmp should already
2433 * cover this.
2434 * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity,
2435 * so we include it anyway!
2436 */
2437 if (Pinf != NULL
2438 && !TEST_true(EC_POINT_is_at_infinity(group, Q)))
2439 goto err;
2440
2441 ret = 1;
2442
2443 err:
2444 EC_POINT_free(Pinf);
2445 OPENSSL_free(hex);
2446 EC_POINT_free(Q);
2447
2448 return ret;
2449 }
2450
2451 /*
2452 * This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex()
2453 */
ec_point_hex2point_test(int id)2454 static int ec_point_hex2point_test(int id)
2455 {
2456 int ret = 0, nid;
2457 EC_GROUP *group = NULL;
2458 const EC_POINT *G = NULL;
2459 EC_POINT *P = NULL;
2460 BN_CTX *bnctx = NULL;
2461
2462 /* Do some setup */
2463 nid = curves[id].nid;
2464 if (!TEST_ptr(bnctx = BN_CTX_new())
2465 || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
2466 || !TEST_ptr(G = EC_GROUP_get0_generator(group))
2467 || !TEST_ptr(P = EC_POINT_dup(G, group)))
2468 goto err;
2469
2470 if (!TEST_true(ec_point_hex2point_test_helper(group, P,
2471 POINT_CONVERSION_COMPRESSED,
2472 bnctx))
2473 || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
2474 POINT_CONVERSION_COMPRESSED,
2475 bnctx))
2476 || !TEST_true(ec_point_hex2point_test_helper(group, P,
2477 POINT_CONVERSION_UNCOMPRESSED,
2478 bnctx))
2479 || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
2480 POINT_CONVERSION_UNCOMPRESSED,
2481 bnctx))
2482 || !TEST_true(ec_point_hex2point_test_helper(group, P,
2483 POINT_CONVERSION_HYBRID,
2484 bnctx))
2485 || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
2486 POINT_CONVERSION_HYBRID,
2487 bnctx)))
2488 goto err;
2489
2490 ret = 1;
2491
2492 err:
2493 EC_POINT_free(P);
2494 EC_GROUP_free(group);
2495 BN_CTX_free(bnctx);
2496
2497 return ret;
2498 }
2499
do_test_custom_explicit_fromdata(EC_GROUP * group,BN_CTX * ctx,unsigned char * gen,int gen_size)2500 static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
2501 unsigned char *gen, int gen_size)
2502 {
2503 int ret = 0, i_out;
2504 EVP_PKEY_CTX *pctx = NULL;
2505 EVP_PKEY *pkeyparam = NULL;
2506 OSSL_PARAM_BLD *bld = NULL;
2507 const char *field_name;
2508 OSSL_PARAM *params = NULL;
2509 const OSSL_PARAM *gettable;
2510 BIGNUM *p, *a, *b;
2511 BIGNUM *p_out = NULL, *a_out = NULL, *b_out = NULL;
2512 BIGNUM *order_out = NULL, *cofactor_out = NULL;
2513 char name[80];
2514 unsigned char buf[1024];
2515 size_t buf_len, name_len;
2516 #ifndef OPENSSL_NO_EC2M
2517 unsigned int k1 = 0, k2 = 0, k3 = 0;
2518 const char *basis_name = NULL;
2519 #endif
2520
2521 p = BN_CTX_get(ctx);
2522 a = BN_CTX_get(ctx);
2523 b = BN_CTX_get(ctx);
2524
2525 if (!TEST_ptr(b)
2526 || !TEST_ptr(bld = OSSL_PARAM_BLD_new()))
2527 goto err;
2528
2529 if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) {
2530 field_name = SN_X9_62_prime_field;
2531 } else {
2532 field_name = SN_X9_62_characteristic_two_field;
2533 #ifndef OPENSSL_NO_EC2M
2534 if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) {
2535 basis_name = SN_X9_62_tpBasis;
2536 if (!TEST_true(EC_GROUP_get_trinomial_basis(group, &k1)))
2537 goto err;
2538 } else {
2539 basis_name = SN_X9_62_ppBasis;
2540 if (!TEST_true(EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3)))
2541 goto err;
2542 }
2543 #endif /* OPENSSL_NO_EC2M */
2544 }
2545 if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx))
2546 || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
2547 OSSL_PKEY_PARAM_EC_FIELD_TYPE, field_name, 0))
2548 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_P, p))
2549 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_A, a))
2550 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_B, b)))
2551 goto err;
2552
2553 if (EC_GROUP_get0_seed(group) != NULL) {
2554 if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
2555 OSSL_PKEY_PARAM_EC_SEED, EC_GROUP_get0_seed(group),
2556 EC_GROUP_get_seed_len(group))))
2557 goto err;
2558 }
2559 if (EC_GROUP_get0_cofactor(group) != NULL) {
2560 if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_COFACTOR,
2561 EC_GROUP_get0_cofactor(group))))
2562 goto err;
2563 }
2564
2565 if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
2566 OSSL_PKEY_PARAM_EC_GENERATOR, gen, gen_size))
2567 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_ORDER,
2568 EC_GROUP_get0_order(group))))
2569 goto err;
2570
2571 if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
2572 || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
2573 || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
2574 || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
2575 EVP_PKEY_KEY_PARAMETERS, params), 0))
2576 goto err;
2577
2578 /*- Check that all the set values are retrievable -*/
2579
2580 /* There should be no match to a group name since the generator changed */
2581 if (!TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam,
2582 OSSL_PKEY_PARAM_GROUP_NAME, name, sizeof(name),
2583 &name_len)))
2584 goto err;
2585
2586 /* The encoding should be explicit as it has no group */
2587 if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
2588 OSSL_PKEY_PARAM_EC_ENCODING,
2589 name, sizeof(name), &name_len))
2590 || !TEST_str_eq(name, OSSL_PKEY_EC_ENCODING_EXPLICIT))
2591 goto err;
2592
2593 if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
2594 OSSL_PKEY_PARAM_EC_FIELD_TYPE, name, sizeof(name),
2595 &name_len))
2596 || !TEST_str_eq(name, field_name))
2597 goto err;
2598
2599 if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam,
2600 OSSL_PKEY_PARAM_EC_GENERATOR, buf, sizeof(buf), &buf_len))
2601 || !TEST_mem_eq(buf, (int)buf_len, gen, gen_size))
2602 goto err;
2603
2604 if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_P, &p_out))
2605 || !TEST_BN_eq(p_out, p)
2606 || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_A,
2607 &a_out))
2608 || !TEST_BN_eq(a_out, a)
2609 || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_B,
2610 &b_out))
2611 || !TEST_BN_eq(b_out, b)
2612 || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_ORDER,
2613 &order_out))
2614 || !TEST_BN_eq(order_out, EC_GROUP_get0_order(group)))
2615 goto err;
2616
2617 if (EC_GROUP_get0_cofactor(group) != NULL) {
2618 if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam,
2619 OSSL_PKEY_PARAM_EC_COFACTOR, &cofactor_out))
2620 || !TEST_BN_eq(cofactor_out, EC_GROUP_get0_cofactor(group)))
2621 goto err;
2622 }
2623 if (EC_GROUP_get0_seed(group) != NULL) {
2624 if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam,
2625 OSSL_PKEY_PARAM_EC_SEED, buf, sizeof(buf), &buf_len))
2626 || !TEST_mem_eq(buf, buf_len, EC_GROUP_get0_seed(group),
2627 EC_GROUP_get_seed_len(group)))
2628 goto err;
2629 }
2630
2631 if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) {
2632 /* No extra fields should be set for a prime field */
2633 if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
2634 OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out))
2635 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
2636 OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out))
2637 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
2638 OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out))
2639 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
2640 OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out))
2641 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
2642 OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out))
2643 || !TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam,
2644 OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name),
2645 &name_len)))
2646 goto err;
2647 } else {
2648 #ifndef OPENSSL_NO_EC2M
2649 if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam,
2650 OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out))
2651 || !TEST_int_eq(EC_GROUP_get_degree(group), i_out)
2652 || !TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
2653 OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name),
2654 &name_len))
2655 || !TEST_str_eq(name, basis_name))
2656 goto err;
2657
2658 if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) {
2659 if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam,
2660 OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out))
2661 || !TEST_int_eq(k1, i_out)
2662 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
2663 OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out))
2664 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
2665 OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out))
2666 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
2667 OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)))
2668 goto err;
2669 } else {
2670 if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
2671 OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out))
2672 || !TEST_true(EVP_PKEY_get_int_param(pkeyparam,
2673 OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out))
2674 || !TEST_int_eq(k1, i_out)
2675 || !TEST_true(EVP_PKEY_get_int_param(pkeyparam,
2676 OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out))
2677 || !TEST_int_eq(k2, i_out)
2678 || !TEST_true(EVP_PKEY_get_int_param(pkeyparam,
2679 OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out))
2680 || !TEST_int_eq(k3, i_out))
2681 goto err;
2682 }
2683 #endif /* OPENSSL_NO_EC2M */
2684 }
2685 if (!TEST_ptr(gettable = EVP_PKEY_gettable_params(pkeyparam))
2686 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_GROUP_NAME))
2687 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ENCODING))
2688 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_FIELD_TYPE))
2689 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_P))
2690 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_A))
2691 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_B))
2692 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_GENERATOR))
2693 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ORDER))
2694 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_COFACTOR))
2695 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_SEED))
2696 #ifndef OPENSSL_NO_EC2M
2697 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_M))
2698 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TYPE))
2699 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS))
2700 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K1))
2701 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K2))
2702 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K3))
2703 #endif
2704 )
2705 goto err;
2706 ret = 1;
2707 err:
2708 BN_free(order_out);
2709 BN_free(cofactor_out);
2710 BN_free(a_out);
2711 BN_free(b_out);
2712 BN_free(p_out);
2713 OSSL_PARAM_free(params);
2714 OSSL_PARAM_BLD_free(bld);
2715 EVP_PKEY_free(pkeyparam);
2716 EVP_PKEY_CTX_free(pctx);
2717 return ret;
2718 }
2719
2720 /*
2721 * check the EC_METHOD respects the supplied EC_GROUP_set_generator G
2722 */
custom_generator_test(int id)2723 static int custom_generator_test(int id)
2724 {
2725 int ret = 0, nid, bsize;
2726 EC_GROUP *group = NULL;
2727 EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
2728 BN_CTX *ctx = NULL;
2729 BIGNUM *k = NULL;
2730 unsigned char *b1 = NULL, *b2 = NULL;
2731
2732 /* Do some setup */
2733 nid = curves[id].nid;
2734 TEST_note("Curve %s", OBJ_nid2sn(nid));
2735 if (!TEST_ptr(ctx = BN_CTX_new()))
2736 return 0;
2737
2738 BN_CTX_start(ctx);
2739
2740 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
2741 goto err;
2742
2743 /* expected byte length of encoded points */
2744 bsize = (EC_GROUP_get_degree(group) + 7) / 8;
2745 bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */
2746
2747 if (!TEST_ptr(k = BN_CTX_get(ctx))
2748 /* fetch a testing scalar k != 0,1 */
2749 || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
2750 BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
2751 /* make k even */
2752 || !TEST_true(BN_clear_bit(k, 0))
2753 || !TEST_ptr(G2 = EC_POINT_new(group))
2754 || !TEST_ptr(Q1 = EC_POINT_new(group))
2755 /* Q1 := kG */
2756 || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
2757 /* pull out the bytes of that */
2758 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2759 POINT_CONVERSION_UNCOMPRESSED, NULL,
2760 0, ctx), bsize)
2761 || !TEST_ptr(b1 = OPENSSL_malloc(bsize))
2762 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2763 POINT_CONVERSION_UNCOMPRESSED, b1,
2764 bsize, ctx), bsize)
2765 /* new generator is G2 := 2G */
2766 || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
2767 ctx))
2768 || !TEST_true(EC_GROUP_set_generator(group, G2,
2769 EC_GROUP_get0_order(group),
2770 EC_GROUP_get0_cofactor(group)))
2771 || !TEST_ptr(Q2 = EC_POINT_new(group))
2772 || !TEST_true(BN_rshift1(k, k))
2773 /* Q2 := k/2 G2 */
2774 || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
2775 || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
2776 POINT_CONVERSION_UNCOMPRESSED, NULL,
2777 0, ctx), bsize)
2778 || !TEST_ptr(b2 = OPENSSL_malloc(bsize))
2779 || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
2780 POINT_CONVERSION_UNCOMPRESSED, b2,
2781 bsize, ctx), bsize)
2782 /* Q1 = kG = k/2 G2 = Q2 should hold */
2783 || !TEST_mem_eq(b1, bsize, b2, bsize))
2784 goto err;
2785
2786 if (!do_test_custom_explicit_fromdata(group, ctx, b1, bsize))
2787 goto err;
2788
2789 ret = 1;
2790
2791 err:
2792 EC_POINT_free(Q1);
2793 EC_POINT_free(Q2);
2794 EC_POINT_free(G2);
2795 EC_GROUP_free(group);
2796 BN_CTX_end(ctx);
2797 BN_CTX_free(ctx);
2798 OPENSSL_free(b1);
2799 OPENSSL_free(b2);
2800
2801 return ret;
2802 }
2803
2804 /*
2805 * check creation of curves from explicit params through the public API
2806 */
custom_params_test(int id)2807 static int custom_params_test(int id)
2808 {
2809 int ret = 0, nid, bsize;
2810 const char *curve_name = NULL;
2811 EC_GROUP *group = NULL, *altgroup = NULL;
2812 EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
2813 const EC_POINT *Q = NULL;
2814 BN_CTX *ctx = NULL;
2815 BIGNUM *k = NULL;
2816 unsigned char *buf1 = NULL, *buf2 = NULL;
2817 const BIGNUM *z = NULL, *cof = NULL, *priv1 = NULL;
2818 BIGNUM *p = NULL, *a = NULL, *b = NULL;
2819 int is_prime = 0;
2820 EC_KEY *eckey1 = NULL, *eckey2 = NULL;
2821 EVP_PKEY *pkey1 = NULL, *pkey2 = NULL;
2822 EVP_PKEY_CTX *pctx1 = NULL, *pctx2 = NULL;
2823 size_t sslen, t;
2824 unsigned char *pub1 = NULL , *pub2 = NULL;
2825 OSSL_PARAM_BLD *param_bld = NULL;
2826 OSSL_PARAM *params1 = NULL, *params2 = NULL;
2827
2828 /* Do some setup */
2829 nid = curves[id].nid;
2830 curve_name = OBJ_nid2sn(nid);
2831 TEST_note("Curve %s", curve_name);
2832
2833 if (nid == NID_sm2)
2834 return TEST_skip("custom params not supported with SM2");
2835
2836 if (!TEST_ptr(ctx = BN_CTX_new()))
2837 return 0;
2838
2839 BN_CTX_start(ctx);
2840 if (!TEST_ptr(p = BN_CTX_get(ctx))
2841 || !TEST_ptr(a = BN_CTX_get(ctx))
2842 || !TEST_ptr(b = BN_CTX_get(ctx))
2843 || !TEST_ptr(k = BN_CTX_get(ctx)))
2844 goto err;
2845
2846 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
2847 goto err;
2848
2849 is_prime = EC_GROUP_get_field_type(group) == NID_X9_62_prime_field;
2850 #ifdef OPENSSL_NO_EC2M
2851 if (!is_prime) {
2852 ret = TEST_skip("binary curves not supported in this build");
2853 goto err;
2854 }
2855 #endif
2856
2857 /* expected byte length of encoded points */
2858 bsize = (EC_GROUP_get_degree(group) + 7) / 8;
2859 bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */
2860
2861 /* extract parameters from built-in curve */
2862 if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx))
2863 || !TEST_ptr(G2 = EC_POINT_new(group))
2864 /* new generator is G2 := 2G */
2865 || !TEST_true(EC_POINT_dbl(group, G2,
2866 EC_GROUP_get0_generator(group), ctx))
2867 /* pull out the bytes of that */
2868 || !TEST_int_eq(EC_POINT_point2oct(group, G2,
2869 POINT_CONVERSION_UNCOMPRESSED,
2870 NULL, 0, ctx), bsize)
2871 || !TEST_ptr(buf1 = OPENSSL_malloc(bsize))
2872 || !TEST_int_eq(EC_POINT_point2oct(group, G2,
2873 POINT_CONVERSION_UNCOMPRESSED,
2874 buf1, bsize, ctx), bsize)
2875 || !TEST_ptr(z = EC_GROUP_get0_order(group))
2876 || !TEST_ptr(cof = EC_GROUP_get0_cofactor(group))
2877 )
2878 goto err;
2879
2880 /* create a new group using same params (but different generator) */
2881 if (is_prime) {
2882 if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GFp(p, a, b, ctx)))
2883 goto err;
2884 }
2885 #ifndef OPENSSL_NO_EC2M
2886 else {
2887 if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
2888 goto err;
2889 }
2890 #endif
2891
2892 /* set 2*G as the generator of altgroup */
2893 EC_POINT_free(G2); /* discard G2 as it refers to the original group */
2894 if (!TEST_ptr(G2 = EC_POINT_new(altgroup))
2895 || !TEST_true(EC_POINT_oct2point(altgroup, G2, buf1, bsize, ctx))
2896 || !TEST_int_eq(EC_POINT_is_on_curve(altgroup, G2, ctx), 1)
2897 || !TEST_true(EC_GROUP_set_generator(altgroup, G2, z, cof))
2898 )
2899 goto err;
2900
2901 /* verify math checks out */
2902 if (/* allocate temporary points on group and altgroup */
2903 !TEST_ptr(Q1 = EC_POINT_new(group))
2904 || !TEST_ptr(Q2 = EC_POINT_new(altgroup))
2905 /* fetch a testing scalar k != 0,1 */
2906 || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
2907 BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
2908 /* make k even */
2909 || !TEST_true(BN_clear_bit(k, 0))
2910 /* Q1 := kG on group */
2911 || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
2912 /* pull out the bytes of that */
2913 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2914 POINT_CONVERSION_UNCOMPRESSED,
2915 NULL, 0, ctx), bsize)
2916 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2917 POINT_CONVERSION_UNCOMPRESSED,
2918 buf1, bsize, ctx), bsize)
2919 /* k := k/2 */
2920 || !TEST_true(BN_rshift1(k, k))
2921 /* Q2 := k/2 G2 on altgroup */
2922 || !TEST_true(EC_POINT_mul(altgroup, Q2, k, NULL, NULL, ctx))
2923 /* pull out the bytes of that */
2924 || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2,
2925 POINT_CONVERSION_UNCOMPRESSED,
2926 NULL, 0, ctx), bsize)
2927 || !TEST_ptr(buf2 = OPENSSL_malloc(bsize))
2928 || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2,
2929 POINT_CONVERSION_UNCOMPRESSED,
2930 buf2, bsize, ctx), bsize)
2931 /* Q1 = kG = k/2 G2 = Q2 should hold */
2932 || !TEST_mem_eq(buf1, bsize, buf2, bsize))
2933 goto err;
2934
2935 /* create two `EC_KEY`s on altgroup */
2936 if (!TEST_ptr(eckey1 = EC_KEY_new())
2937 || !TEST_true(EC_KEY_set_group(eckey1, altgroup))
2938 || !TEST_true(EC_KEY_generate_key(eckey1))
2939 || !TEST_ptr(eckey2 = EC_KEY_new())
2940 || !TEST_true(EC_KEY_set_group(eckey2, altgroup))
2941 || !TEST_true(EC_KEY_generate_key(eckey2)))
2942 goto err;
2943
2944 /* retrieve priv1 for later */
2945 if (!TEST_ptr(priv1 = EC_KEY_get0_private_key(eckey1)))
2946 goto err;
2947
2948 /*
2949 * retrieve bytes for pub1 for later
2950 *
2951 * We compute the pub key in the original group as we will later use it to
2952 * define a provider key in the built-in group.
2953 */
2954 if (!TEST_true(EC_POINT_mul(group, Q1, priv1, NULL, NULL, ctx))
2955 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2956 POINT_CONVERSION_UNCOMPRESSED,
2957 NULL, 0, ctx), bsize)
2958 || !TEST_ptr(pub1 = OPENSSL_malloc(bsize))
2959 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2960 POINT_CONVERSION_UNCOMPRESSED,
2961 pub1, bsize, ctx), bsize))
2962 goto err;
2963
2964 /* retrieve bytes for pub2 for later */
2965 if (!TEST_ptr(Q = EC_KEY_get0_public_key(eckey2))
2966 || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q,
2967 POINT_CONVERSION_UNCOMPRESSED,
2968 NULL, 0, ctx), bsize)
2969 || !TEST_ptr(pub2 = OPENSSL_malloc(bsize))
2970 || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q,
2971 POINT_CONVERSION_UNCOMPRESSED,
2972 pub2, bsize, ctx), bsize))
2973 goto err;
2974
2975 /* create two `EVP_PKEY`s from the `EC_KEY`s */
2976 if (!TEST_ptr(pkey1 = EVP_PKEY_new())
2977 || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey1, eckey1), 1))
2978 goto err;
2979 eckey1 = NULL; /* ownership passed to pkey1 */
2980 if (!TEST_ptr(pkey2 = EVP_PKEY_new())
2981 || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey2, eckey2), 1))
2982 goto err;
2983 eckey2 = NULL; /* ownership passed to pkey2 */
2984
2985 /* Compute keyexchange in both directions */
2986 if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
2987 || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
2988 || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
2989 || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
2990 || !TEST_int_gt(bsize, sslen)
2991 || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
2992 goto err;
2993 if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
2994 || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
2995 || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
2996 || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
2997 || !TEST_int_gt(bsize, t)
2998 || !TEST_int_le(sslen, t)
2999 || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
3000 goto err;
3001
3002 /* Both sides should expect the same shared secret */
3003 if (!TEST_mem_eq(buf1, sslen, buf2, t))
3004 goto err;
3005
3006 /* Build parameters for provider-native keys */
3007 if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new())
3008 || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld,
3009 OSSL_PKEY_PARAM_GROUP_NAME,
3010 curve_name, 0))
3011 || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld,
3012 OSSL_PKEY_PARAM_PUB_KEY,
3013 pub1, bsize))
3014 || !TEST_true(OSSL_PARAM_BLD_push_BN(param_bld,
3015 OSSL_PKEY_PARAM_PRIV_KEY,
3016 priv1))
3017 || !TEST_ptr(params1 = OSSL_PARAM_BLD_to_param(param_bld)))
3018 goto err;
3019
3020 OSSL_PARAM_BLD_free(param_bld);
3021 if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new())
3022 || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld,
3023 OSSL_PKEY_PARAM_GROUP_NAME,
3024 curve_name, 0))
3025 || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld,
3026 OSSL_PKEY_PARAM_PUB_KEY,
3027 pub2, bsize))
3028 || !TEST_ptr(params2 = OSSL_PARAM_BLD_to_param(param_bld)))
3029 goto err;
3030
3031 /* create two new provider-native `EVP_PKEY`s */
3032 EVP_PKEY_CTX_free(pctx2);
3033 if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
3034 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx2), 1)
3035 || !TEST_int_eq(EVP_PKEY_fromdata(pctx2, &pkey1, EVP_PKEY_KEYPAIR,
3036 params1), 1)
3037 || !TEST_int_eq(EVP_PKEY_fromdata(pctx2, &pkey2, EVP_PKEY_PUBLIC_KEY,
3038 params2), 1))
3039 goto err;
3040
3041 /* compute keyexchange once more using the provider keys */
3042 EVP_PKEY_CTX_free(pctx1);
3043 if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
3044 || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
3045 || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
3046 || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &t), 1)
3047 || !TEST_int_gt(bsize, t)
3048 || !TEST_int_le(sslen, t)
3049 || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &t), 1)
3050 /* compare with previous result */
3051 || !TEST_mem_eq(buf1, t, buf2, sslen))
3052 goto err;
3053
3054 ret = 1;
3055
3056 err:
3057 BN_CTX_end(ctx);
3058 BN_CTX_free(ctx);
3059 OSSL_PARAM_BLD_free(param_bld);
3060 OSSL_PARAM_free(params1);
3061 OSSL_PARAM_free(params2);
3062 EC_POINT_free(Q1);
3063 EC_POINT_free(Q2);
3064 EC_POINT_free(G2);
3065 EC_GROUP_free(group);
3066 EC_GROUP_free(altgroup);
3067 OPENSSL_free(buf1);
3068 OPENSSL_free(buf2);
3069 OPENSSL_free(pub1);
3070 OPENSSL_free(pub2);
3071 EC_KEY_free(eckey1);
3072 EC_KEY_free(eckey2);
3073 EVP_PKEY_free(pkey1);
3074 EVP_PKEY_free(pkey2);
3075 EVP_PKEY_CTX_free(pctx1);
3076 EVP_PKEY_CTX_free(pctx2);
3077
3078 return ret;
3079 }
3080
ec_d2i_publickey_test(void)3081 static int ec_d2i_publickey_test(void)
3082 {
3083 unsigned char buf[1000];
3084 unsigned char *pubkey_enc = buf;
3085 const unsigned char *pk_enc = pubkey_enc;
3086 EVP_PKEY *gen_key = NULL, *decoded_key = NULL;
3087 EVP_PKEY_CTX *pctx = NULL;
3088 int pklen, ret = 0;
3089 OSSL_PARAM params[2];
3090
3091 if (!TEST_ptr(gen_key = EVP_EC_gen("P-256")))
3092 goto err;
3093
3094 if (!TEST_int_gt(pklen = i2d_PublicKey(gen_key, &pubkey_enc), 0))
3095 goto err;
3096
3097 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
3098 "P-256", 0);
3099 params[1] = OSSL_PARAM_construct_end();
3100
3101 if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
3102 || !TEST_true(EVP_PKEY_fromdata_init(pctx))
3103 || !TEST_true(EVP_PKEY_fromdata(pctx, &decoded_key,
3104 OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
3105 params))
3106 || !TEST_ptr(decoded_key)
3107 || !TEST_ptr(decoded_key = d2i_PublicKey(EVP_PKEY_EC, &decoded_key,
3108 &pk_enc, pklen)))
3109 goto err;
3110
3111 if (!TEST_true(EVP_PKEY_eq(gen_key, decoded_key)))
3112 goto err;
3113 ret = 1;
3114
3115 err:
3116 EVP_PKEY_CTX_free(pctx);
3117 EVP_PKEY_free(gen_key);
3118 EVP_PKEY_free(decoded_key);
3119 return ret;
3120 }
3121
setup_tests(void)3122 int setup_tests(void)
3123 {
3124 crv_len = EC_get_builtin_curves(NULL, 0);
3125 if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len))
3126 || !TEST_true(EC_get_builtin_curves(curves, crv_len)))
3127 return 0;
3128
3129 ADD_TEST(parameter_test);
3130 ADD_TEST(ossl_parameter_test);
3131 ADD_TEST(cofactor_range_test);
3132 ADD_ALL_TESTS(cardinality_test, crv_len);
3133 ADD_TEST(prime_field_tests);
3134 #ifndef OPENSSL_NO_EC2M
3135 ADD_TEST(hybrid_point_encoding_test);
3136 ADD_TEST(char2_field_tests);
3137 ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
3138 #endif
3139 ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
3140 ADD_ALL_TESTS(internal_curve_test, crv_len);
3141 ADD_ALL_TESTS(internal_curve_test_method, crv_len);
3142 ADD_TEST(group_field_test);
3143 ADD_ALL_TESTS(check_named_curve_test, crv_len);
3144 ADD_ALL_TESTS(check_named_curve_lookup_test, crv_len);
3145 ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
3146 ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
3147 ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
3148 ADD_ALL_TESTS(custom_generator_test, crv_len);
3149 ADD_ALL_TESTS(custom_params_test, crv_len);
3150 ADD_TEST(ec_d2i_publickey_test);
3151 return 1;
3152 }
3153
cleanup_tests(void)3154 void cleanup_tests(void)
3155 {
3156 OPENSSL_free(curves);
3157 }
3158