/[smecontribs]/rpms/openssl3/contribs10/ectest.c
ViewVC logotype

Annotation of /rpms/openssl3/contribs10/ectest.c

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:55 2024 UTC (9 months, 4 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Content type: text/plain
Initial import

1 jpp 1.1 /*
2     * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
3     * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4     *
5     * Licensed under the Apache License 2.0 (the "License"). You may not use
6     * this file except in compliance with the License. You can obtain a copy
7     * in the file LICENSE in the source distribution or at
8     * https://www.openssl.org/source/license.html
9     */
10    
11     /*
12     * EC_KEY low level APIs are deprecated for public use, but still ok for
13     * internal use.
14     */
15     #include "internal/deprecated.h"
16    
17     #include <string.h>
18     #include "internal/nelem.h"
19     #include "testutil.h"
20    
21     #include <openssl/ec.h>
22     #ifndef OPENSSL_NO_ENGINE
23     # include <openssl/engine.h>
24     #endif
25     #include <openssl/err.h>
26     #include <openssl/obj_mac.h>
27     #include <openssl/objects.h>
28     #include <openssl/rand.h>
29     #include <openssl/bn.h>
30     #include <openssl/opensslconf.h>
31     #include <openssl/core_names.h>
32     #include <openssl/param_build.h>
33     #include <openssl/evp.h>
34    
35     static size_t crv_len = 0;
36     static EC_builtin_curve *curves = NULL;
37    
38     /* test multiplication with group order, long and negative scalars */
39     static int group_order_tests(EC_GROUP *group)
40     {
41     BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL;
42     EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL;
43     const EC_POINT *G = NULL;
44     BN_CTX *ctx = NULL;
45     int i = 0, r = 0;
46    
47     if (!TEST_ptr(n1 = BN_new())
48     || !TEST_ptr(n2 = BN_new())
49     || !TEST_ptr(order = BN_new())
50     || !TEST_ptr(ctx = BN_CTX_new())
51     || !TEST_ptr(G = EC_GROUP_get0_generator(group))
52     || !TEST_ptr(P = EC_POINT_new(group))
53     || !TEST_ptr(Q = EC_POINT_new(group))
54     || !TEST_ptr(R = EC_POINT_new(group))
55     || !TEST_ptr(S = EC_POINT_new(group)))
56     goto err;
57    
58     if (!TEST_true(EC_GROUP_get_order(group, order, ctx))
59     || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
60     || !TEST_true(EC_POINT_is_at_infinity(group, Q))
61     #ifndef OPENSSL_NO_DEPRECATED_3_0
62     || !TEST_true(EC_GROUP_precompute_mult(group, ctx))
63     #endif
64     || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
65     || !TEST_true(EC_POINT_is_at_infinity(group, Q))
66     || !TEST_true(EC_POINT_copy(P, G))
67     || !TEST_true(BN_one(n1))
68     || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
69     || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
70     || !TEST_true(BN_sub(n1, order, n1))
71     || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
72     || !TEST_true(EC_POINT_invert(group, Q, ctx))
73     || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
74     goto err;
75    
76     for (i = 1; i <= 2; i++) {
77     #ifndef OPENSSL_NO_DEPRECATED_3_0
78     const BIGNUM *scalars[6];
79     const EC_POINT *points[6];
80     #endif
81    
82     if (!TEST_true(BN_set_word(n1, i))
83     /*
84     * If i == 1, P will be the predefined generator for which
85     * EC_GROUP_precompute_mult has set up precomputation.
86     */
87     || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
88     || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx)))
89     || !TEST_true(BN_one(n1))
90     /* n1 = 1 - order */
91     || !TEST_true(BN_sub(n1, n1, order))
92     || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx))
93     || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
94    
95     /* n2 = 1 + order */
96     || !TEST_true(BN_add(n2, order, BN_value_one()))
97     || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
98     || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
99    
100     /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
101     || !TEST_true(BN_mul(n2, n1, n2, ctx))
102     || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
103     || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
104     goto err;
105    
106     /* n2 = order^2 - 1 */
107     BN_set_negative(n2, 0);
108     if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
109     /* Add P to verify the result. */
110     || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx))
111     || !TEST_true(EC_POINT_is_at_infinity(group, Q))
112     || !TEST_false(EC_POINT_is_at_infinity(group, P)))
113     goto err;
114    
115     #ifndef OPENSSL_NO_DEPRECATED_3_0
116     /* Exercise EC_POINTs_mul, including corner cases. */
117     scalars[0] = scalars[1] = BN_value_one();
118     points[0] = points[1] = P;
119    
120     if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx))
121     || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx))
122     || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx)))
123     goto err;
124    
125     scalars[0] = n1;
126     points[0] = Q; /* => infinity */
127     scalars[1] = n2;
128     points[1] = P; /* => -P */
129     scalars[2] = n1;
130     points[2] = Q; /* => infinity */
131     scalars[3] = n2;
132     points[3] = Q; /* => infinity */
133     scalars[4] = n1;
134     points[4] = P; /* => P */
135     scalars[5] = n2;
136     points[5] = Q; /* => infinity */
137     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
138     || !TEST_true(EC_POINT_is_at_infinity(group, P)))
139     goto err;
140     #endif
141     }
142    
143     r = 1;
144     err:
145     if (r == 0 && i != 0)
146     TEST_info(i == 1 ? "allowing precomputation" :
147     "without precomputation");
148     EC_POINT_free(P);
149     EC_POINT_free(Q);
150     EC_POINT_free(R);
151     EC_POINT_free(S);
152     BN_free(n1);
153     BN_free(n2);
154     BN_free(order);
155     BN_CTX_free(ctx);
156     return r;
157     }
158    
159     static int prime_field_tests(void)
160     {
161     BN_CTX *ctx = NULL;
162     BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL;
163     EC_GROUP *group = NULL;
164     EC_POINT *P = NULL, *Q = NULL, *R = NULL;
165     BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL;
166     #ifndef OPENSSL_NO_DEPRECATED_3_0
167     const EC_POINT *points[4];
168     const BIGNUM *scalars[4];
169     #endif
170     unsigned char buf[100];
171     size_t len, r = 0;
172     int k;
173    
174     if (!TEST_ptr(ctx = BN_CTX_new())
175     || !TEST_ptr(p = BN_new())
176     || !TEST_ptr(a = BN_new())
177     || !TEST_ptr(b = BN_new())
178     /*
179     * applications should use EC_GROUP_new_curve_GFp so
180     * that the library gets to choose the EC_METHOD
181     */
182     || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method())))
183     goto err;
184    
185     buf[0] = 0;
186     if (!TEST_ptr(P = EC_POINT_new(group))
187     || !TEST_ptr(Q = EC_POINT_new(group))
188     || !TEST_ptr(R = EC_POINT_new(group))
189     || !TEST_ptr(x = BN_new())
190     || !TEST_ptr(y = BN_new())
191     || !TEST_ptr(z = BN_new())
192     || !TEST_ptr(yplusone = BN_new()))
193     goto err;
194    
195     /* Curve P-224 (FIPS PUB 186-2, App. 6) */
196    
197     if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
198     "FFFFFFFF000000000000000000000001"))
199     || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
200     || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
201     "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
202     || !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256"
203     "5044B0B7D7BFD8BA270B39432355FFB4"))
204     || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
205     || !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9"
206     "4A03C1D356C21122343280D6115C1D21"))
207     || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
208     || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
209     || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF"
210     "FFFF16A2E0B8F03E13DD29455C5C2A3D"))
211     || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
212     || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
213     goto err;
214    
215     TEST_info("NIST curve P-224 -- Generator");
216     test_output_bignum("x", x);
217     test_output_bignum("y", y);
218     /* G_y value taken from the standard: */
219     if (!TEST_true(BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6"
220     "CD4375A05A07476444D5819985007E34"))
221     || !TEST_BN_eq(y, z)
222     || !TEST_true(BN_add(yplusone, y, BN_value_one()))
223     /*
224     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
225     * and therefore setting the coordinates should fail.
226     */
227     || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
228     ctx))
229     || !TEST_int_eq(EC_GROUP_get_degree(group), 224)
230     || !group_order_tests(group)
231    
232     /* Curve P-256 (FIPS PUB 186-2, App. 6) */
233    
234     || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000"
235     "00000000FFFFFFFFFFFFFFFFFFFFFFFF"))
236     || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
237     || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000"
238     "00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
239     || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
240     "651D06B0CC53B0F63BCE3C3E27D2604B"))
241     || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
242    
243     || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2"
244     "77037D812DEB33A0F4A13945D898C296"))
245     || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
246     || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
247     || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
248     "BCE6FAADA7179E84F3B9CAC2FC632551"))
249     || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
250     || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
251     goto err;
252    
253     TEST_info("NIST curve P-256 -- Generator");
254     test_output_bignum("x", x);
255     test_output_bignum("y", y);
256     /* G_y value taken from the standard: */
257     if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16"
258     "2BCE33576B315ECECBB6406837BF51F5"))
259     || !TEST_BN_eq(y, z)
260     || !TEST_true(BN_add(yplusone, y, BN_value_one()))
261     /*
262     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
263     * and therefore setting the coordinates should fail.
264     */
265     || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
266     ctx))
267     || !TEST_int_eq(EC_GROUP_get_degree(group), 256)
268     || !group_order_tests(group)
269    
270     /* Curve P-384 (FIPS PUB 186-2, App. 6) */
271    
272     || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
273     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
274     "FFFFFFFF0000000000000000FFFFFFFF"))
275     || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
276     || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
277     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
278     "FFFFFFFF0000000000000000FFFFFFFC"))
279     || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19"
280     "181D9C6EFE8141120314088F5013875A"
281     "C656398D8A2ED19D2A85C8EDD3EC2AEF"))
282     || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
283    
284     || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74"
285     "6E1D3B628BA79B9859F741E082542A38"
286     "5502F25DBF55296C3A545E3872760AB7"))
287     || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
288     || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
289     || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
290     "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
291     "581A0DB248B0A77AECEC196ACCC52973"))
292     || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
293     || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
294     goto err;
295    
296     TEST_info("NIST curve P-384 -- Generator");
297     test_output_bignum("x", x);
298     test_output_bignum("y", y);
299     /* G_y value taken from the standard: */
300     if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29"
301     "F8F41DBD289A147CE9DA3113B5F0B8C0"
302     "0A60B1CE1D7E819D7A431D7C90EA0E5F"))
303     || !TEST_BN_eq(y, z)
304     || !TEST_true(BN_add(yplusone, y, BN_value_one()))
305     /*
306     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
307     * and therefore setting the coordinates should fail.
308     */
309     || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
310     ctx))
311     || !TEST_int_eq(EC_GROUP_get_degree(group), 384)
312     || !group_order_tests(group)
313    
314     /* Curve P-521 (FIPS PUB 186-2, App. 6) */
315     || !TEST_true(BN_hex2bn(&p, "1FF"
316     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
317     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
318     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
319     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
320     || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
321     || !TEST_true(BN_hex2bn(&a, "1FF"
322     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
323     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
324     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
325     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
326     || !TEST_true(BN_hex2bn(&b, "051"
327     "953EB9618E1C9A1F929A21A0B68540EE"
328     "A2DA725B99B315F3B8B489918EF109E1"
329     "56193951EC7E937B1652C0BD3BB1BF07"
330     "3573DF883D2C34F1EF451FD46B503F00"))
331     || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
332     || !TEST_true(BN_hex2bn(&x, "C6"
333     "858E06B70404E9CD9E3ECB662395B442"
334     "9C648139053FB521F828AF606B4D3DBA"
335     "A14B5E77EFE75928FE1DC127A2FFA8DE"
336     "3348B3C1856A429BF97E7E31C2E5BD66"))
337     || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
338     || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
339     || !TEST_true(BN_hex2bn(&z, "1FF"
340     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
341     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA"
342     "51868783BF2F966B7FCC0148F709A5D0"
343     "3BB5C9B8899C47AEBB6FB71E91386409"))
344     || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
345     || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
346     goto err;
347    
348     TEST_info("NIST curve P-521 -- Generator");
349     test_output_bignum("x", x);
350     test_output_bignum("y", y);
351     /* G_y value taken from the standard: */
352     if (!TEST_true(BN_hex2bn(&z, "118"
353     "39296A789A3BC0045C8A5FB42C7D1BD9"
354     "98F54449579B446817AFBD17273E662C"
355     "97EE72995EF42640C550B9013FAD0761"
356     "353C7086A272C24088BE94769FD16650"))
357     || !TEST_BN_eq(y, z)
358     || !TEST_true(BN_add(yplusone, y, BN_value_one()))
359     /*
360     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
361     * and therefore setting the coordinates should fail.
362     */
363     || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
364     ctx))
365     || !TEST_int_eq(EC_GROUP_get_degree(group), 521)
366     || !group_order_tests(group)
367    
368     /* more tests using the last curve */
369    
370     /* Restore the point that got mangled in the (x, y + 1) test. */
371     || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
372     || !TEST_true(EC_POINT_copy(Q, P))
373     || !TEST_false(EC_POINT_is_at_infinity(group, Q))
374     || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
375     || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
376     || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
377     || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
378     || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
379     || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
380     || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
381     goto err;
382    
383     #ifndef OPENSSL_NO_DEPRECATED_3_0
384     TEST_note("combined multiplication ...");
385     points[0] = Q;
386     points[1] = Q;
387     points[2] = Q;
388     points[3] = Q;
389    
390     if (!TEST_true(EC_GROUP_get_order(group, z, ctx))
391     || !TEST_true(BN_add(y, z, BN_value_one()))
392     || !TEST_BN_even(y)
393     || !TEST_true(BN_rshift1(y, y)))
394     goto err;
395    
396     scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
397     scalars[1] = y;
398    
399     /* z is still the group order */
400     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
401     || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
402     || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
403     || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx))
404     || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
405     || !TEST_true(BN_add(z, z, y)))
406     goto err;
407     BN_set_negative(z, 1);
408     scalars[0] = y;
409     scalars[1] = z; /* z = -(order + y) */
410    
411     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
412     || !TEST_true(EC_POINT_is_at_infinity(group, P))
413     || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
414     || !TEST_true(BN_add(z, x, y)))
415     goto err;
416     BN_set_negative(z, 1);
417     scalars[0] = x;
418     scalars[1] = y;
419     scalars[2] = z; /* z = -(x+y) */
420    
421     if (!TEST_ptr(scalar3 = BN_new()))
422     goto err;
423     BN_zero(scalar3);
424     scalars[3] = scalar3;
425    
426     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
427     || !TEST_true(EC_POINT_is_at_infinity(group, P)))
428     goto err;
429     #endif
430     TEST_note(" ok\n");
431     r = 1;
432     err:
433     BN_CTX_free(ctx);
434     BN_free(p);
435     BN_free(a);
436     BN_free(b);
437     EC_GROUP_free(group);
438     EC_POINT_free(P);
439     EC_POINT_free(Q);
440     EC_POINT_free(R);
441     BN_free(x);
442     BN_free(y);
443     BN_free(z);
444     BN_free(yplusone);
445     BN_free(scalar3);
446     return r;
447     }
448    
449     static int internal_curve_test(int n)
450     {
451     EC_GROUP *group = NULL;
452     int nid = curves[n].nid;
453    
454     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
455     TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n",
456     OBJ_nid2sn(nid));
457     return 0;
458     }
459     if (!TEST_true(EC_GROUP_check(group, NULL))) {
460     TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid));
461     EC_GROUP_free(group);
462     return 0;
463     }
464     EC_GROUP_free(group);
465     return 1;
466     }
467    
468     static int internal_curve_test_method(int n)
469     {
470     int r, nid = curves[n].nid;
471     EC_GROUP *group;
472    
473     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
474     TEST_info("Curve %s failed\n", OBJ_nid2sn(nid));
475     return 0;
476     }
477     r = group_order_tests(group);
478     EC_GROUP_free(group);
479     return r;
480     }
481    
482     static int group_field_test(void)
483     {
484     int r = 1;
485     BIGNUM *secp521r1_field = NULL;
486     BIGNUM *sect163r2_field = NULL;
487     EC_GROUP *secp521r1_group = NULL;
488     EC_GROUP *sect163r2_group = NULL;
489    
490     BN_hex2bn(&secp521r1_field,
491     "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
492     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
493     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
494     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
495     "FFFF");
496    
497    
498     BN_hex2bn(&sect163r2_field,
499     "08000000000000000000000000000000"
500     "00000000C9");
501    
502     secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1);
503     if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group)))
504     r = 0;
505    
506     # ifndef OPENSSL_NO_EC2M
507     sect163r2_group = EC_GROUP_new_by_curve_name(NID_sect163r2);
508     if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group)))
509     r = 0;
510     # endif
511    
512     EC_GROUP_free(secp521r1_group);
513     EC_GROUP_free(sect163r2_group);
514     BN_free(secp521r1_field);
515     BN_free(sect163r2_field);
516     return r;
517     }
518     /*
519     * nistp_test_params contains magic numbers for testing
520     * several NIST curves with characteristic > 3.
521     */
522     struct nistp_test_params {
523     const int nid;
524     int degree;
525     /*
526     * Qx, Qy and D are taken from
527     * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
528     * Otherwise, values are standard curve parameters from FIPS 180-3
529     */
530     const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
531     };
532    
533     static const struct nistp_test_params nistp_tests_params[] = {
534     {
535     /* P-224 */
536     NID_secp224r1,
537     224,
538     /* p */
539     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
540     /* a */
541     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
542     /* b */
543     "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
544     /* Qx */
545     "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E",
546     /* Qy */
547     "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555",
548     /* Gx */
549     "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
550     /* Gy */
551     "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
552     /* order */
553     "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
554     /* d */
555     "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8",
556     },
557     {
558     /* P-256 */
559     NID_X9_62_prime256v1,
560     256,
561     /* p */
562     "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
563     /* a */
564     "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
565     /* b */
566     "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
567     /* Qx */
568     "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19",
569     /* Qy */
570     "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09",
571     /* Gx */
572     "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
573     /* Gy */
574     "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
575     /* order */
576     "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
577     /* d */
578     "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96",
579     },
580     {
581     /* P-521 */
582     NID_secp521r1,
583     521,
584     /* p */
585     "1ff"
586     "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
587     "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
588     /* a */
589     "1ff"
590     "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
591     "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
592     /* b */
593     "051"
594     "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1"
595     "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
596     /* Qx */
597     "0098"
598     "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e"
599     "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
600     /* Qy */
601     "0164"
602     "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8"
603     "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
604     /* Gx */
605     "c6"
606     "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba"
607     "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
608     /* Gy */
609     "118"
610     "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c"
611     "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
612     /* order */
613     "1ff"
614     "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa"
615     "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
616     /* d */
617     "0100"
618     "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee"
619     "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
620     },
621     };
622    
623     static int nistp_single_test(int idx)
624     {
625     const struct nistp_test_params *test = nistp_tests_params + idx;
626     BN_CTX *ctx = NULL;
627     BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL;
628     BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL;
629     EC_GROUP *NISTP = NULL;
630     EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL;
631     int r = 0;
632    
633     TEST_note("NIST curve P-%d (optimised implementation):",
634     test->degree);
635     if (!TEST_ptr(ctx = BN_CTX_new())
636     || !TEST_ptr(p = BN_new())
637     || !TEST_ptr(a = BN_new())
638     || !TEST_ptr(b = BN_new())
639     || !TEST_ptr(x = BN_new())
640     || !TEST_ptr(y = BN_new())
641     || !TEST_ptr(m = BN_new())
642     || !TEST_ptr(n = BN_new())
643     || !TEST_ptr(order = BN_new())
644     || !TEST_ptr(yplusone = BN_new())
645    
646     || !TEST_ptr(NISTP = EC_GROUP_new_by_curve_name(test->nid))
647     || !TEST_true(BN_hex2bn(&p, test->p))
648     || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
649     || !TEST_true(BN_hex2bn(&a, test->a))
650     || !TEST_true(BN_hex2bn(&b, test->b))
651     || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx))
652     || !TEST_ptr(G = EC_POINT_new(NISTP))
653     || !TEST_ptr(P = EC_POINT_new(NISTP))
654     || !TEST_ptr(Q = EC_POINT_new(NISTP))
655     || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP))
656     || !TEST_true(BN_hex2bn(&x, test->Qx))
657     || !TEST_true(BN_hex2bn(&y, test->Qy))
658     || !TEST_true(BN_add(yplusone, y, BN_value_one()))
659     /*
660     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
661     * and therefore setting the coordinates should fail.
662     */
663     || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x,
664     yplusone, ctx))
665     || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y,
666     ctx))
667     || !TEST_true(BN_hex2bn(&x, test->Gx))
668     || !TEST_true(BN_hex2bn(&y, test->Gy))
669     || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx))
670     || !TEST_true(BN_hex2bn(&order, test->order))
671     || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
672     || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
673     goto err;
674    
675     TEST_note("NIST test vectors ... ");
676     if (!TEST_true(BN_hex2bn(&n, test->d)))
677     goto err;
678     /* fixed point multiplication */
679     EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
680     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
681     goto err;
682     /* random point multiplication */
683     EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
684     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
685    
686     /* set generator to P = 2*G, where G is the standard generator */
687     || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx))
688     || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
689     /* set the scalar to m=n/2, where n is the NIST test scalar */
690     || !TEST_true(BN_rshift(m, n, 1)))
691     goto err;
692    
693     /* test the non-standard generator */
694     /* fixed point multiplication */
695     EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
696     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
697     goto err;
698     /* random point multiplication */
699     EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
700     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
701     #ifndef OPENSSL_NO_DEPRECATED_3_0
702     /* We have not performed precomp so this should be false */
703     || !TEST_false(EC_GROUP_have_precompute_mult(NISTP))
704     /* now repeat all tests with precomputation */
705     || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx))
706     #endif
707     )
708     goto err;
709    
710     /* fixed point multiplication */
711     EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
712     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
713     goto err;
714     /* random point multiplication */
715     EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
716     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
717    
718     /* reset generator */
719     || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())))
720     goto err;
721     /* fixed point multiplication */
722     EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
723     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
724     goto err;
725     /* random point multiplication */
726     EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
727     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
728     goto err;
729    
730     /* regression test for felem_neg bug */
731     if (!TEST_true(BN_set_word(m, 32))
732     || !TEST_true(BN_set_word(n, 31))
733     || !TEST_true(EC_POINT_copy(P, G))
734     || !TEST_true(EC_POINT_invert(NISTP, P, ctx))
735     || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx))
736     || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx)))
737     goto err;
738    
739     r = 1;
740     err:
741     EC_GROUP_free(NISTP);
742     EC_POINT_free(G);
743     EC_POINT_free(P);
744     EC_POINT_free(Q);
745     EC_POINT_free(Q_CHECK);
746     BN_free(n);
747     BN_free(m);
748     BN_free(p);
749     BN_free(a);
750     BN_free(b);
751     BN_free(x);
752     BN_free(y);
753     BN_free(order);
754     BN_free(yplusone);
755     BN_CTX_free(ctx);
756     return r;
757     }
758    
759     static const unsigned char p521_named[] = {
760     0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23,
761     };
762    
763     static const unsigned char p521_explicit[] = {
764     0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a,
765     0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff,
766     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
767     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
768     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
769     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
770     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
771     0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff,
772     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
773     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
774     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
775     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
776     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
777     0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a,
778     0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72,
779     0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09,
780     0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 0x52, 0xc0,
781     0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34,
782     0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00,
783     0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17,
784     0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04,
785     0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e,
786     0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
787     0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b,
788     0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
789     0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e,
790     0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78,
791     0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9,
792     0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17,
793     0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40,
794     0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86,
795     0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
796     0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
797     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
798     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa,
799     0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48,
800     0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae,
801     0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
802     };
803    
804     /*
805     * This test validates a named curve's group parameters using
806     * EC_GROUP_check_named_curve(). It also checks that modifying any of the
807     * group parameters results in the curve not being valid.
808     */
809     static int check_named_curve_test(int id)
810     {
811     int ret = 0, nid, field_nid, has_seed;
812     EC_GROUP *group = NULL, *gtest = NULL;
813     const EC_POINT *group_gen = NULL;
814     EC_POINT *other_gen = NULL;
815     BIGNUM *group_p = NULL, *group_a = NULL, *group_b = NULL;
816     BIGNUM *other_p = NULL, *other_a = NULL, *other_b = NULL;
817     BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
818     BIGNUM *other_order = NULL;
819     const BIGNUM *group_order = NULL;
820     BN_CTX *bn_ctx = NULL;
821     static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
822     static size_t invalid_seed_len = sizeof(invalid_seed);
823    
824     /* Do some setup */
825     nid = curves[id].nid;
826     if (!TEST_ptr(bn_ctx = BN_CTX_new())
827     || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
828     || !TEST_ptr(gtest = EC_GROUP_dup(group))
829     || !TEST_ptr(group_p = BN_new())
830     || !TEST_ptr(group_a = BN_new())
831     || !TEST_ptr(group_b = BN_new())
832     || !TEST_ptr(group_cofactor = BN_new())
833     || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
834     || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
835     || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
836     || !TEST_true(EC_GROUP_get_curve(group, group_p, group_a, group_b, NULL))
837     || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
838     || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
839     || !TEST_ptr(other_order = BN_dup(group_order))
840     || !TEST_true(BN_add_word(other_order, 1))
841     || !TEST_ptr(other_a = BN_dup(group_a))
842     || !TEST_true(BN_add_word(other_a, 1))
843     || !TEST_ptr(other_b = BN_dup(group_b))
844     || !TEST_true(BN_add_word(other_b, 1))
845     || !TEST_ptr(other_cofactor = BN_dup(group_cofactor))
846     || !TEST_true(BN_add_word(other_cofactor, 1)))
847     goto err;
848    
849     /* Determine if the built-in curve has a seed field set */
850     has_seed = (EC_GROUP_get_seed_len(group) > 0);
851     field_nid = EC_GROUP_get_field_type(group);
852     if (field_nid == NID_X9_62_characteristic_two_field) {
853     if (!TEST_ptr(other_p = BN_dup(group_p))
854     || !TEST_true(BN_lshift1(other_p, other_p)))
855     goto err;
856     } else {
857     if (!TEST_ptr(other_p = BN_dup(group_p)))
858     goto err;
859     /*
860     * Just choosing any arbitrary prime does not work..
861     * Setting p via ec_GFp_nist_group_set_curve() needs the prime to be a
862     * nist prime. So only select one of these as an alternate prime.
863     */
864     if (!TEST_ptr(BN_copy(other_p,
865     BN_ucmp(BN_get0_nist_prime_192(), other_p) == 0 ?
866     BN_get0_nist_prime_256() :
867     BN_get0_nist_prime_192())))
868     goto err;
869     }
870    
871     /* Passes because this is a valid curve */
872     if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid)
873     /* Only NIST curves pass */
874     || !TEST_int_eq(EC_GROUP_check_named_curve(group, 1, NULL),
875     EC_curve_nid2nist(nid) != NULL ? nid : NID_undef))
876     goto err;
877    
878     /* Fail if the curve name doesn't match the parameters */
879     EC_GROUP_set_curve_name(group, nid + 1);
880     ERR_set_mark();
881     if (!TEST_int_le(EC_GROUP_check_named_curve(group, 0, NULL), 0))
882     goto err;
883     ERR_pop_to_mark();
884    
885     /* Restore curve name and ensure it's passing */
886     EC_GROUP_set_curve_name(group, nid);
887     if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
888     goto err;
889    
890     if (!TEST_int_eq(EC_GROUP_set_seed(group, invalid_seed, invalid_seed_len),
891     invalid_seed_len))
892     goto err;
893    
894     if (has_seed) {
895     /*
896     * If the built-in curve has a seed and we set the seed to another value
897     * then it will fail the check.
898     */
899     if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), 0))
900     goto err;
901     } else {
902     /*
903     * If the built-in curve does not have a seed then setting the seed will
904     * pass the check (as the seed is optional).
905     */
906     if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
907     goto err;
908     }
909     /* Pass if the seed is unknown (as it is optional) */
910     if (!TEST_int_eq(EC_GROUP_set_seed(group, NULL, 0), 1)
911     || !TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
912     goto err;
913    
914     /* Check that a duped group passes */
915     if (!TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
916     goto err;
917    
918     /* check that changing any generator parameter fails */
919     if (!TEST_true(EC_GROUP_set_generator(gtest, other_gen, group_order,
920     group_cofactor))
921     || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
922     || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, other_order,
923     group_cofactor))
924     || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
925     /* The order is not an optional field, so this should fail */
926     || !TEST_false(EC_GROUP_set_generator(gtest, group_gen, NULL,
927     group_cofactor))
928     || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
929     other_cofactor))
930     || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
931     /* Check that if the cofactor is not set then it still passes */
932     || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
933     NULL))
934     || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid)
935     /* check that restoring the generator passes */
936     || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
937     group_cofactor))
938     || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
939     goto err;
940    
941     /*
942     * check that changing any curve parameter fails
943     *
944     * Setting arbitrary p, a or b might fail for some EC_GROUPs
945     * depending on the internal EC_METHOD implementation, hence run
946     * these tests conditionally to the success of EC_GROUP_set_curve().
947     */
948     ERR_set_mark();
949     if (EC_GROUP_set_curve(gtest, other_p, group_a, group_b, NULL)) {
950     if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
951     goto err;
952     } else {
953     /* clear the error stack if EC_GROUP_set_curve() failed */
954     ERR_pop_to_mark();
955     ERR_set_mark();
956     }
957     if (EC_GROUP_set_curve(gtest, group_p, other_a, group_b, NULL)) {
958     if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
959     goto err;
960     } else {
961     /* clear the error stack if EC_GROUP_set_curve() failed */
962     ERR_pop_to_mark();
963     ERR_set_mark();
964     }
965     if (EC_GROUP_set_curve(gtest, group_p, group_a, other_b, NULL)) {
966     if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
967     goto err;
968     } else {
969     /* clear the error stack if EC_GROUP_set_curve() failed */
970     ERR_pop_to_mark();
971     ERR_set_mark();
972     }
973     ERR_pop_to_mark();
974    
975     /* Check that restoring the curve parameters passes */
976     if (!TEST_true(EC_GROUP_set_curve(gtest, group_p, group_a, group_b, NULL))
977     || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
978     goto err;
979    
980     ret = 1;
981     err:
982     BN_free(group_p);
983     BN_free(other_p);
984     BN_free(group_a);
985     BN_free(other_a);
986     BN_free(group_b);
987     BN_free(other_b);
988     BN_free(group_cofactor);
989     BN_free(other_cofactor);
990     BN_free(other_order);
991     EC_POINT_free(other_gen);
992     EC_GROUP_free(gtest);
993     EC_GROUP_free(group);
994     BN_CTX_free(bn_ctx);
995     return ret;
996     }
997    
998     /*
999     * This checks the lookup capability of EC_GROUP_check_named_curve()
1000     * when the given group was created with explicit parameters.
1001     *
1002     * It is possible to retrieve an alternative alias that does not match
1003     * the original nid in this case.
1004     */
1005     static int check_named_curve_lookup_test(int id)
1006     {
1007     int ret = 0, nid, rv = 0;
1008     EC_GROUP *g = NULL , *ga = NULL;
1009     ECPARAMETERS *p = NULL, *pa = NULL;
1010     BN_CTX *ctx = NULL;
1011    
1012     /* Do some setup */
1013     nid = curves[id].nid;
1014     if (!TEST_ptr(ctx = BN_CTX_new())
1015     || !TEST_ptr(g = EC_GROUP_new_by_curve_name(nid))
1016     || !TEST_ptr(p = EC_GROUP_get_ecparameters(g, NULL)))
1017     goto err;
1018    
1019     /* replace with group from explicit parameters */
1020     EC_GROUP_free(g);
1021     if (!TEST_ptr(g = EC_GROUP_new_from_ecparameters(p)))
1022     goto err;
1023    
1024     if (!TEST_int_gt(rv = EC_GROUP_check_named_curve(g, 0, NULL), 0))
1025     goto err;
1026     if (rv != nid) {
1027     /*
1028     * Found an alias:
1029     * fail if the returned nid is not an alias of the original group.
1030     *
1031     * The comparison here is done by comparing two explicit
1032     * parameter EC_GROUPs with EC_GROUP_cmp(), to ensure the
1033     * comparison happens with unnamed EC_GROUPs using the same
1034     * EC_METHODs.
1035     */
1036     if (!TEST_ptr(ga = EC_GROUP_new_by_curve_name(rv))
1037     || !TEST_ptr(pa = EC_GROUP_get_ecparameters(ga, NULL)))
1038     goto err;
1039    
1040     /* replace with group from explicit parameters, then compare */
1041     EC_GROUP_free(ga);
1042     if (!TEST_ptr(ga = EC_GROUP_new_from_ecparameters(pa))
1043     || !TEST_int_eq(EC_GROUP_cmp(g, ga, ctx), 0))
1044     goto err;
1045     }
1046    
1047     ret = 1;
1048    
1049     err:
1050     EC_GROUP_free(g);
1051     EC_GROUP_free(ga);
1052     ECPARAMETERS_free(p);
1053     ECPARAMETERS_free(pa);
1054     BN_CTX_free(ctx);
1055    
1056     return ret;
1057     }
1058    
1059     /*
1060     * Sometime we cannot compare nids for equality, as the built-in curve table
1061     * includes aliases with different names for the same curve.
1062     *
1063     * This function returns TRUE (1) if the checked nids are identical, or if they
1064     * alias to the same curve. FALSE (0) otherwise.
1065     */
1066     static ossl_inline
1067     int are_ec_nids_compatible(int n1d, int n2d)
1068     {
1069     int ret = 0;
1070     switch (n1d) {
1071     #ifndef OPENSSL_NO_EC2M
1072     case NID_sect113r1:
1073     case NID_wap_wsg_idm_ecid_wtls4:
1074     ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
1075     break;
1076     case NID_sect163k1:
1077     case NID_wap_wsg_idm_ecid_wtls3:
1078     ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
1079     break;
1080     case NID_sect233k1:
1081     case NID_wap_wsg_idm_ecid_wtls10:
1082     ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
1083     break;
1084     case NID_sect233r1:
1085     case NID_wap_wsg_idm_ecid_wtls11:
1086     ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
1087     break;
1088     case NID_X9_62_c2pnb163v1:
1089     case NID_wap_wsg_idm_ecid_wtls5:
1090     ret = (n2d == NID_X9_62_c2pnb163v1
1091     || n2d == NID_wap_wsg_idm_ecid_wtls5);
1092     break;
1093     #endif /* OPENSSL_NO_EC2M */
1094     case NID_secp112r1:
1095     case NID_wap_wsg_idm_ecid_wtls6:
1096     ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
1097     break;
1098     case NID_secp160r2:
1099     case NID_wap_wsg_idm_ecid_wtls7:
1100     ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
1101     break;
1102     #ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
1103     case NID_secp224r1:
1104     case NID_wap_wsg_idm_ecid_wtls12:
1105     ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
1106     break;
1107     #else
1108     /*
1109     * For SEC P-224 we want to ensure that the SECP nid is returned, as
1110     * that is associated with a specialized method.
1111     */
1112     case NID_wap_wsg_idm_ecid_wtls12:
1113     ret = (n2d == NID_secp224r1);
1114     break;
1115     #endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
1116    
1117     default:
1118     ret = (n1d == n2d);
1119     }
1120     return ret;
1121     }
1122    
1123     /*
1124     * This checks that EC_GROUP_bew_from_ecparameters() returns a "named"
1125     * EC_GROUP for built-in curves.
1126     *
1127     * Note that it is possible to retrieve an alternative alias that does not match
1128     * the original nid.
1129     *
1130     * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
1131     */
1132     static int check_named_curve_from_ecparameters(int id)
1133     {
1134     int ret = 0, nid, tnid;
1135     EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
1136     const EC_POINT *group_gen = NULL;
1137     EC_POINT *other_gen = NULL;
1138     BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
1139     BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
1140     const BIGNUM *group_order = NULL;
1141     BIGNUM *other_order = NULL;
1142     BN_CTX *bn_ctx = NULL;
1143     static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
1144     static size_t invalid_seed_len = sizeof(invalid_seed);
1145     ECPARAMETERS *params = NULL, *other_params = NULL;
1146     EC_GROUP *g_ary[8] = {NULL};
1147     EC_GROUP **g_next = &g_ary[0];
1148     ECPARAMETERS *p_ary[8] = {NULL};
1149     ECPARAMETERS **p_next = &p_ary[0];
1150    
1151     /* Do some setup */
1152     nid = curves[id].nid;
1153     TEST_note("Curve %s", OBJ_nid2sn(nid));
1154     if (!TEST_ptr(bn_ctx = BN_CTX_new()))
1155     return ret;
1156     BN_CTX_start(bn_ctx);
1157    
1158     if (/* Allocations */
1159     !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
1160     || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
1161     || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
1162     || !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
1163     || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
1164     /* Generate reference group and params */
1165     || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
1166     || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
1167     || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
1168     || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
1169     || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
1170     /* compute `other_*` values */
1171     || !TEST_ptr(tmpg = EC_GROUP_dup(group))
1172     || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
1173     || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
1174     || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
1175     other_gen_x, other_gen_y, bn_ctx))
1176     || !TEST_true(BN_copy(other_order, group_order))
1177     || !TEST_true(BN_add_word(other_order, 1))
1178     || !TEST_true(BN_copy(other_cofactor, group_cofactor))
1179     || !TEST_true(BN_add_word(other_cofactor, 1)))
1180     goto err;
1181    
1182     EC_POINT_free(other_gen);
1183     other_gen = NULL;
1184    
1185     if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
1186     || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
1187     other_gen_x, other_gen_y,
1188     bn_ctx)))
1189     goto err;
1190    
1191     /*
1192     * ###########################
1193     * # Actual tests start here #
1194     * ###########################
1195     */
1196    
1197     /*
1198     * Creating a group from built-in explicit parameters returns a
1199     * "named" EC_GROUP
1200     */
1201     if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
1202     || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
1203     goto err;
1204     /*
1205     * We cannot always guarantee the names match, as the built-in table
1206     * contains aliases for the same curve with different names.
1207     */
1208     if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
1209     TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
1210     goto err;
1211     }
1212     /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
1213     if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
1214     goto err;
1215    
1216     /*
1217     * An invalid seed in the parameters should be ignored: expect a "named"
1218     * group.
1219     */
1220     if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
1221     invalid_seed_len)
1222     || !TEST_ptr(other_params = *p_next++ =
1223     EC_GROUP_get_ecparameters(tmpg, NULL))
1224     || !TEST_ptr(tgroup = *g_next++ =
1225     EC_GROUP_new_from_ecparameters(other_params))
1226     || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1227     || !TEST_true(are_ec_nids_compatible(nid, tnid))
1228     || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1229     OPENSSL_EC_EXPLICIT_CURVE)) {
1230     TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
1231     goto err;
1232     }
1233    
1234     /*
1235     * A null seed in the parameters should be ignored, as it is optional:
1236     * expect a "named" group.
1237     */
1238     if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
1239     || !TEST_ptr(other_params = *p_next++ =
1240     EC_GROUP_get_ecparameters(tmpg, NULL))
1241     || !TEST_ptr(tgroup = *g_next++ =
1242     EC_GROUP_new_from_ecparameters(other_params))
1243     || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1244     || !TEST_true(are_ec_nids_compatible(nid, tnid))
1245     || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1246     OPENSSL_EC_EXPLICIT_CURVE)) {
1247     TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
1248     goto err;
1249     }
1250    
1251     /*
1252     * Check that changing any of the generator parameters does not yield a
1253     * match with the built-in curves
1254     */
1255     if (/* Other gen, same group order & cofactor */
1256     !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
1257     group_cofactor))
1258     || !TEST_ptr(other_params = *p_next++ =
1259     EC_GROUP_get_ecparameters(tmpg, NULL))
1260     || !TEST_ptr(tgroup = *g_next++ =
1261     EC_GROUP_new_from_ecparameters(other_params))
1262     || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1263     /* Same gen & cofactor, different order */
1264     || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
1265     group_cofactor))
1266     || !TEST_ptr(other_params = *p_next++ =
1267     EC_GROUP_get_ecparameters(tmpg, NULL))
1268     || !TEST_ptr(tgroup = *g_next++ =
1269     EC_GROUP_new_from_ecparameters(other_params))
1270     || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1271     /* The order is not an optional field, so this should fail */
1272     || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
1273     group_cofactor))
1274     /* Check that a wrong cofactor is ignored, and we still match */
1275     || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
1276     other_cofactor))
1277     || !TEST_ptr(other_params = *p_next++ =
1278     EC_GROUP_get_ecparameters(tmpg, NULL))
1279     || !TEST_ptr(tgroup = *g_next++ =
1280     EC_GROUP_new_from_ecparameters(other_params))
1281     || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1282     || !TEST_true(are_ec_nids_compatible(nid, tnid))
1283     || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1284     OPENSSL_EC_EXPLICIT_CURVE)
1285     /* Check that if the cofactor is not set then it still matches */
1286     || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
1287     NULL))
1288     || !TEST_ptr(other_params = *p_next++ =
1289     EC_GROUP_get_ecparameters(tmpg, NULL))
1290     || !TEST_ptr(tgroup = *g_next++ =
1291     EC_GROUP_new_from_ecparameters(other_params))
1292     || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1293     || !TEST_true(are_ec_nids_compatible(nid, tnid))
1294     || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1295     OPENSSL_EC_EXPLICIT_CURVE)
1296     /* check that restoring the generator passes */
1297     || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
1298     group_cofactor))
1299     || !TEST_ptr(other_params = *p_next++ =
1300     EC_GROUP_get_ecparameters(tmpg, NULL))
1301     || !TEST_ptr(tgroup = *g_next++ =
1302     EC_GROUP_new_from_ecparameters(other_params))
1303     || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1304     || !TEST_true(are_ec_nids_compatible(nid, tnid))
1305     || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1306     OPENSSL_EC_EXPLICIT_CURVE))
1307     goto err;
1308    
1309     ret = 1;
1310     err:
1311     for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
1312     EC_GROUP_free(*g_next);
1313     for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)
1314     ECPARAMETERS_free(*p_next);
1315     ECPARAMETERS_free(params);
1316     EC_POINT_free(other_gen);
1317     EC_GROUP_free(tmpg);
1318     EC_GROUP_free(group);
1319     BN_CTX_end(bn_ctx);
1320     BN_CTX_free(bn_ctx);
1321     return ret;
1322     }
1323    
1324    
1325     static int parameter_test(void)
1326     {
1327     EC_GROUP *group = NULL, *group2 = NULL;
1328     ECPARAMETERS *ecparameters = NULL;
1329     unsigned char *buf = NULL;
1330     int r = 0, len;
1331     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1))
1332     || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
1333     || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
1334     || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
1335     goto err;
1336    
1337     EC_GROUP_free(group);
1338     group = NULL;
1339    
1340     /* Test the named curve encoding, which should be default. */
1341     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1))
1342     || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
1343     || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named)))
1344     goto err;
1345    
1346     OPENSSL_free(buf);
1347     buf = NULL;
1348    
1349     /*
1350     * Test the explicit encoding. P-521 requires correctly zero-padding the
1351     * curve coefficients.
1352     */
1353     EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
1354     if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
1355     || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit)))
1356     goto err;
1357    
1358     r = 1;
1359     err:
1360     EC_GROUP_free(group);
1361     EC_GROUP_free(group2);
1362     ECPARAMETERS_free(ecparameters);
1363     OPENSSL_free(buf);
1364     return r;
1365     }
1366    
1367     /*-
1368     * random 256-bit explicit parameters curve, cofactor absent
1369     * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
1370     * cofactor: 0x12bc94785251297abfafddf1565100da (125 bit)
1371     */
1372     static const unsigned char params_cf_pass[] = {
1373     0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
1374     0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5,
1375     0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
1376     0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
1377     0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5,
1378     0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
1379     0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
1380     0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc,
1381     0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27,
1382     0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23,
1383     0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77,
1384     0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b,
1385     0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4,
1386     0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9,
1387     0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a,
1388     0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c,
1389     0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96,
1390     0x14, 0xa8, 0x2f, 0x4f
1391     };
1392    
1393     /*-
1394     * random 256-bit explicit parameters curve, cofactor absent
1395     * order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
1396     * cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
1397     */
1398     static const unsigned char params_cf_fail[] = {
1399     0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
1400     0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37,
1401     0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
1402     0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
1403     0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37,
1404     0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
1405     0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
1406     0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09,
1407     0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d,
1408     0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02,
1409     0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59,
1410     0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11,
1411     0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24,
1412     0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70,
1413     0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73,
1414     0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04,
1415     0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e,
1416     0x34, 0xa2, 0x21, 0x01
1417     };
1418    
1419     /*-
1420     * Test two random 256-bit explicit parameters curves with absent cofactor.
1421     * The two curves are chosen to roughly straddle the bounds at which the lib
1422     * can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
1423     *
1424     * - params_cf_pass: order is sufficiently close to p to compute cofactor
1425     * - params_cf_fail: order is too far away from p to compute cofactor
1426     *
1427     * For standards-compliant curves, cofactor is chosen as small as possible.
1428     * So you can see neither of these curves are fit for cryptographic use.
1429     *
1430     * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
1431     * h <= 2**(t/8) where t is the security level of the curve, for which the lib
1432     * will always succeed in computing the cofactor. Neither of these curves
1433     * conform to that -- this is just robustness testing.
1434     */
1435     static int cofactor_range_test(void)
1436     {
1437     EC_GROUP *group = NULL;
1438     BIGNUM *cf = NULL;
1439     int ret = 0;
1440     const unsigned char *b1 = (const unsigned char *)params_cf_fail;
1441     const unsigned char *b2 = (const unsigned char *)params_cf_pass;
1442    
1443     if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
1444     || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
1445     || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
1446     sizeof(params_cf_pass)))
1447     || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
1448     || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
1449     goto err;
1450     ret = 1;
1451     err:
1452     BN_free(cf);
1453     EC_GROUP_free(group);
1454     return ret;
1455     }
1456    
1457     /*-
1458     * For named curves, test that:
1459     * - the lib correctly computes the cofactor if passed a NULL or zero cofactor
1460     * - a nonsensical cofactor throws an error (negative test)
1461     * - nonsensical orders throw errors (negative tests)
1462     */
1463     static int cardinality_test(int n)
1464     {
1465     int ret = 0, is_binary = 0;
1466     int nid = curves[n].nid;
1467     BN_CTX *ctx = NULL;
1468     EC_GROUP *g1 = NULL, *g2 = NULL;
1469     EC_POINT *g2_gen = NULL;
1470     BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
1471     *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;
1472    
1473     TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
1474    
1475     if (!TEST_ptr(ctx = BN_CTX_new())
1476     || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))) {
1477     BN_CTX_free(ctx);
1478     return 0;
1479     }
1480    
1481     is_binary = (EC_GROUP_get_field_type(g1) == NID_X9_62_characteristic_two_field);
1482    
1483     BN_CTX_start(ctx);
1484     g1_p = BN_CTX_get(ctx);
1485     g1_a = BN_CTX_get(ctx);
1486     g1_b = BN_CTX_get(ctx);
1487     g1_x = BN_CTX_get(ctx);
1488     g1_y = BN_CTX_get(ctx);
1489     g1_order = BN_CTX_get(ctx);
1490     g1_cf = BN_CTX_get(ctx);
1491    
1492     if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
1493     /* pull out the explicit curve parameters */
1494     || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
1495     || !TEST_true(EC_POINT_get_affine_coordinates(g1,
1496     EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
1497     || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
1498     || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
1499     /* construct g2 manually with g1 parameters */
1500     #ifndef OPENSSL_NO_EC2M
1501     || !TEST_ptr(g2 = (is_binary) ?
1502     EC_GROUP_new_curve_GF2m(g1_p, g1_a, g1_b, ctx) :
1503     EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx))
1504     #else
1505     || !TEST_int_eq(0, is_binary)
1506     || !TEST_ptr(g2 = EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx))
1507     #endif
1508     || !TEST_ptr(g2_gen = EC_POINT_new(g2))
1509     || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
1510     /* pass NULL cofactor: lib should compute it */
1511     || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
1512     || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
1513     || !TEST_BN_eq(g1_cf, g2_cf)
1514     /* pass zero cofactor: lib should compute it */
1515     || !TEST_true(BN_set_word(g2_cf, 0))
1516     || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
1517     || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
1518     || !TEST_BN_eq(g1_cf, g2_cf)
1519     /* negative test for invalid cofactor */
1520     || !TEST_true(BN_set_word(g2_cf, 0))
1521     || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
1522     || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
1523     /* negative test for NULL order */
1524     || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
1525     /* negative test for zero order */
1526     || !TEST_true(BN_set_word(g1_order, 0))
1527     || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
1528     /* negative test for negative order */
1529     || !TEST_true(BN_set_word(g2_cf, 0))
1530     || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
1531     || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
1532     /* negative test for too large order */
1533     || !TEST_true(BN_lshift(g1_order, g1_p, 2))
1534     || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
1535     goto err;
1536     ret = 1;
1537     err:
1538     EC_POINT_free(g2_gen);
1539     EC_GROUP_free(g1);
1540     EC_GROUP_free(g2);
1541     BN_CTX_end(ctx);
1542     BN_CTX_free(ctx);
1543     return ret;
1544     }
1545    
1546     static int check_ec_key_field_public_range_test(int id)
1547     {
1548     int ret = 0, type = 0;
1549     const EC_POINT *pub = NULL;
1550     const EC_GROUP *group = NULL;
1551     const BIGNUM *field = NULL;
1552     BIGNUM *x = NULL, *y = NULL;
1553     EC_KEY *key = NULL;
1554    
1555     if (!TEST_ptr(x = BN_new())
1556     || !TEST_ptr(y = BN_new())
1557     || !TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid))
1558     || !TEST_ptr(group = EC_KEY_get0_group(key))
1559     || !TEST_ptr(field = EC_GROUP_get0_field(group))
1560     || !TEST_int_gt(EC_KEY_generate_key(key), 0)
1561     || !TEST_int_gt(EC_KEY_check_key(key), 0)
1562     || !TEST_ptr(pub = EC_KEY_get0_public_key(key))
1563     || !TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y,
1564     NULL), 0))
1565     goto err;
1566    
1567     /*
1568     * Make the public point out of range by adding the field (which will still
1569     * be the same point on the curve). The add is different for char2 fields.
1570     */
1571     type = EC_GROUP_get_field_type(group);
1572     #ifndef OPENSSL_NO_EC2M
1573     if (type == NID_X9_62_characteristic_two_field) {
1574     /* test for binary curves */
1575     if (!TEST_true(BN_GF2m_add(x, x, field)))
1576     goto err;
1577     } else
1578     #endif
1579     if (type == NID_X9_62_prime_field) {
1580     /* test for prime curves */
1581     if (!TEST_true(BN_add(x, x, field)))
1582     goto err;
1583     } else {
1584     /* this should never happen */
1585     TEST_error("Unsupported EC_METHOD field_type");
1586     goto err;
1587     }
1588     if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0))
1589     goto err;
1590    
1591     ret = 1;
1592     err:
1593     BN_free(x);
1594     BN_free(y);
1595     EC_KEY_free(key);
1596     return ret;
1597     }
1598    
1599     /*
1600     * Helper for ec_point_hex2point_test
1601     *
1602     * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given
1603     * (group,P) pair.
1604     *
1605     * If P is NULL use point at infinity.
1606     */
1607     static ossl_inline
1608     int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P,
1609     point_conversion_form_t form,
1610     BN_CTX *bnctx)
1611     {
1612     int ret = 0;
1613     EC_POINT *Q = NULL, *Pinf = NULL;
1614     char *hex = NULL;
1615    
1616     if (P == NULL) {
1617     /* If P is NULL use point at infinity. */
1618     if (!TEST_ptr(Pinf = EC_POINT_new(group))
1619     || !TEST_true(EC_POINT_set_to_infinity(group, Pinf)))
1620     goto err;
1621     P = Pinf;
1622     }
1623    
1624     if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx))
1625     || !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx))
1626     || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx)))
1627     goto err;
1628    
1629     /*
1630     * The next check is most likely superfluous, as EC_POINT_cmp should already
1631     * cover this.
1632     * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity,
1633     * so we include it anyway!
1634     */
1635     if (Pinf != NULL
1636     && !TEST_true(EC_POINT_is_at_infinity(group, Q)))
1637     goto err;
1638    
1639     ret = 1;
1640    
1641     err:
1642     EC_POINT_free(Pinf);
1643     OPENSSL_free(hex);
1644     EC_POINT_free(Q);
1645    
1646     return ret;
1647     }
1648    
1649     /*
1650     * This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex()
1651     */
1652     static int ec_point_hex2point_test(int id)
1653     {
1654     int ret = 0, nid;
1655     EC_GROUP *group = NULL;
1656     const EC_POINT *G = NULL;
1657     EC_POINT *P = NULL;
1658     BN_CTX * bnctx = NULL;
1659    
1660     /* Do some setup */
1661     nid = curves[id].nid;
1662     if (!TEST_ptr(bnctx = BN_CTX_new())
1663     || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
1664     || !TEST_ptr(G = EC_GROUP_get0_generator(group))
1665     || !TEST_ptr(P = EC_POINT_dup(G, group)))
1666     goto err;
1667    
1668     if (!TEST_true(ec_point_hex2point_test_helper(group, P,
1669     POINT_CONVERSION_COMPRESSED,
1670     bnctx))
1671     || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
1672     POINT_CONVERSION_COMPRESSED,
1673     bnctx))
1674     || !TEST_true(ec_point_hex2point_test_helper(group, P,
1675     POINT_CONVERSION_UNCOMPRESSED,
1676     bnctx))
1677     || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
1678     POINT_CONVERSION_UNCOMPRESSED,
1679     bnctx))
1680     || !TEST_true(ec_point_hex2point_test_helper(group, P,
1681     POINT_CONVERSION_HYBRID,
1682     bnctx))
1683     || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
1684     POINT_CONVERSION_HYBRID,
1685     bnctx)))
1686     goto err;
1687    
1688     ret = 1;
1689    
1690     err:
1691     EC_POINT_free(P);
1692     EC_GROUP_free(group);
1693     BN_CTX_free(bnctx);
1694    
1695     return ret;
1696     }
1697    
1698     static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
1699     unsigned char *gen, int gen_size)
1700     {
1701     int ret = 0, i_out;
1702     EVP_PKEY_CTX *pctx = NULL;
1703     EVP_PKEY *pkeyparam = NULL;
1704     OSSL_PARAM_BLD *bld = NULL;
1705     const char *field_name;
1706     OSSL_PARAM *params = NULL;
1707     const OSSL_PARAM *gettable;
1708     BIGNUM *p, *a, *b;
1709     BIGNUM *p_out = NULL, *a_out = NULL, *b_out = NULL;
1710     BIGNUM *order_out = NULL, *cofactor_out = NULL;
1711     char name[80];
1712     unsigned char buf[1024];
1713     size_t buf_len, name_len;
1714     #ifndef OPENSSL_NO_EC2M
1715     unsigned int k1 = 0, k2 = 0, k3 = 0;
1716     const char *basis_name = NULL;
1717     #endif
1718    
1719     p = BN_CTX_get(ctx);
1720     a = BN_CTX_get(ctx);
1721     b = BN_CTX_get(ctx);
1722    
1723     if (!TEST_ptr(b)
1724     || !TEST_ptr(bld = OSSL_PARAM_BLD_new()))
1725     goto err;
1726    
1727     if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) {
1728     field_name = SN_X9_62_prime_field;
1729     } else {
1730     field_name = SN_X9_62_characteristic_two_field;
1731     #ifndef OPENSSL_NO_EC2M
1732     if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) {
1733     basis_name = SN_X9_62_tpBasis;
1734     if (!TEST_true(EC_GROUP_get_trinomial_basis(group, &k1)))
1735     goto err;
1736     } else {
1737     basis_name = SN_X9_62_ppBasis;
1738     if (!TEST_true(EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3)))
1739     goto err;
1740     }
1741     #endif /* OPENSSL_NO_EC2M */
1742     }
1743     if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx))
1744     || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
1745     OSSL_PKEY_PARAM_EC_FIELD_TYPE, field_name, 0))
1746     || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_P, p))
1747     || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_A, a))
1748     || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_B, b)))
1749     goto err;
1750    
1751     if (EC_GROUP_get0_seed(group) != NULL) {
1752     if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
1753     OSSL_PKEY_PARAM_EC_SEED, EC_GROUP_get0_seed(group),
1754     EC_GROUP_get_seed_len(group))))
1755     goto err;
1756     }
1757     if (EC_GROUP_get0_cofactor(group) != NULL) {
1758     if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_COFACTOR,
1759     EC_GROUP_get0_cofactor(group))))
1760     goto err;
1761     }
1762    
1763     if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
1764     OSSL_PKEY_PARAM_EC_GENERATOR, gen, gen_size))
1765     || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_ORDER,
1766     EC_GROUP_get0_order(group))))
1767     goto err;
1768    
1769     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
1770     || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
1771     || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
1772     || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
1773     EVP_PKEY_KEY_PARAMETERS, params), 0))
1774     goto err;
1775    
1776     /*- Check that all the set values are retrievable -*/
1777    
1778     /* There should be no match to a group name since the generator changed */
1779     if (!TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam,
1780     OSSL_PKEY_PARAM_GROUP_NAME, name, sizeof(name),
1781     &name_len)))
1782     goto err;
1783    
1784     /* The encoding should be explicit as it has no group */
1785     if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
1786     OSSL_PKEY_PARAM_EC_ENCODING,
1787     name, sizeof(name), &name_len))
1788     || !TEST_str_eq(name, OSSL_PKEY_EC_ENCODING_EXPLICIT))
1789     goto err;
1790    
1791     if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
1792     OSSL_PKEY_PARAM_EC_FIELD_TYPE, name, sizeof(name),
1793     &name_len))
1794     || !TEST_str_eq(name, field_name))
1795     goto err;
1796    
1797     if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam,
1798     OSSL_PKEY_PARAM_EC_GENERATOR, buf, sizeof(buf), &buf_len))
1799     || !TEST_mem_eq(buf, (int)buf_len, gen, gen_size))
1800     goto err;
1801    
1802     if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_P, &p_out))
1803     || !TEST_BN_eq(p_out, p)
1804     || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_A,
1805     &a_out))
1806     || !TEST_BN_eq(a_out, a)
1807     || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_B,
1808     &b_out))
1809     || !TEST_BN_eq(b_out, b)
1810     || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_ORDER,
1811     &order_out))
1812     || !TEST_BN_eq(order_out, EC_GROUP_get0_order(group)))
1813     goto err;
1814    
1815     if (EC_GROUP_get0_cofactor(group) != NULL) {
1816     if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam,
1817     OSSL_PKEY_PARAM_EC_COFACTOR, &cofactor_out))
1818     || !TEST_BN_eq(cofactor_out, EC_GROUP_get0_cofactor(group)))
1819     goto err;
1820     }
1821     if (EC_GROUP_get0_seed(group) != NULL) {
1822     if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam,
1823     OSSL_PKEY_PARAM_EC_SEED, buf, sizeof(buf), &buf_len))
1824     || !TEST_mem_eq(buf, buf_len, EC_GROUP_get0_seed(group),
1825     EC_GROUP_get_seed_len(group)))
1826     goto err;
1827     }
1828    
1829     if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) {
1830     /* No extra fields should be set for a prime field */
1831     if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1832     OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out))
1833     || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1834     OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out))
1835     || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1836     OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out))
1837     || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1838     OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out))
1839     || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1840     OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out))
1841     || !TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam,
1842     OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name),
1843     &name_len)))
1844     goto err;
1845     } else {
1846     #ifndef OPENSSL_NO_EC2M
1847     if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam,
1848     OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out))
1849     || !TEST_int_eq(EC_GROUP_get_degree(group), i_out)
1850     || !TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
1851     OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name),
1852     &name_len))
1853     || !TEST_str_eq(name, basis_name))
1854     goto err;
1855    
1856     if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) {
1857     if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam,
1858     OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out))
1859     || !TEST_int_eq(k1, i_out)
1860     || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1861     OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out))
1862     || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1863     OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out))
1864     || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1865     OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)))
1866     goto err;
1867     } else {
1868     if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1869     OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out))
1870     || !TEST_true(EVP_PKEY_get_int_param(pkeyparam,
1871     OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out))
1872     || !TEST_int_eq(k1, i_out)
1873     || !TEST_true(EVP_PKEY_get_int_param(pkeyparam,
1874     OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out))
1875     || !TEST_int_eq(k2, i_out)
1876     || !TEST_true(EVP_PKEY_get_int_param(pkeyparam,
1877     OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out))
1878     || !TEST_int_eq(k3, i_out))
1879     goto err;
1880     }
1881     #endif /* OPENSSL_NO_EC2M */
1882     }
1883     if (!TEST_ptr(gettable = EVP_PKEY_gettable_params(pkeyparam))
1884     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_GROUP_NAME))
1885     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ENCODING))
1886     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_FIELD_TYPE))
1887     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_P))
1888     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_A))
1889     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_B))
1890     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_GENERATOR))
1891     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ORDER))
1892     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_COFACTOR))
1893     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_SEED))
1894     #ifndef OPENSSL_NO_EC2M
1895     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_M))
1896     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TYPE))
1897     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS))
1898     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K1))
1899     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K2))
1900     || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K3))
1901     #endif
1902     )
1903     goto err;
1904     ret = 1;
1905     err:
1906     BN_free(order_out);
1907     BN_free(cofactor_out);
1908     BN_free(a_out);
1909     BN_free(b_out);
1910     BN_free(p_out);
1911     OSSL_PARAM_free(params);
1912     OSSL_PARAM_BLD_free(bld);
1913     EVP_PKEY_free(pkeyparam);
1914     EVP_PKEY_CTX_free(pctx);
1915     return ret;
1916     }
1917    
1918     /*
1919     * check the EC_METHOD respects the supplied EC_GROUP_set_generator G
1920     */
1921     static int custom_generator_test(int id)
1922     {
1923     int ret = 0, nid, bsize;
1924     EC_GROUP *group = NULL;
1925     EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
1926     BN_CTX *ctx = NULL;
1927     BIGNUM *k = NULL;
1928     unsigned char *b1 = NULL, *b2 = NULL;
1929    
1930     /* Do some setup */
1931     nid = curves[id].nid;
1932     TEST_note("Curve %s", OBJ_nid2sn(nid));
1933     if (!TEST_ptr(ctx = BN_CTX_new()))
1934     return 0;
1935    
1936     BN_CTX_start(ctx);
1937    
1938     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
1939     goto err;
1940    
1941     /* expected byte length of encoded points */
1942     bsize = (EC_GROUP_get_degree(group) + 7) / 8;
1943     bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */
1944    
1945     if (!TEST_ptr(k = BN_CTX_get(ctx))
1946     /* fetch a testing scalar k != 0,1 */
1947     || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
1948     BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
1949     /* make k even */
1950     || !TEST_true(BN_clear_bit(k, 0))
1951     || !TEST_ptr(G2 = EC_POINT_new(group))
1952     || !TEST_ptr(Q1 = EC_POINT_new(group))
1953     /* Q1 := kG */
1954     || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
1955     /* pull out the bytes of that */
1956     || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
1957     POINT_CONVERSION_UNCOMPRESSED, NULL,
1958     0, ctx), bsize)
1959     || !TEST_ptr(b1 = OPENSSL_malloc(bsize))
1960     || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
1961     POINT_CONVERSION_UNCOMPRESSED, b1,
1962     bsize, ctx), bsize)
1963     /* new generator is G2 := 2G */
1964     || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
1965     ctx))
1966     || !TEST_true(EC_GROUP_set_generator(group, G2,
1967     EC_GROUP_get0_order(group),
1968     EC_GROUP_get0_cofactor(group)))
1969     || !TEST_ptr(Q2 = EC_POINT_new(group))
1970     || !TEST_true(BN_rshift1(k, k))
1971     /* Q2 := k/2 G2 */
1972     || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
1973     || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
1974     POINT_CONVERSION_UNCOMPRESSED, NULL,
1975     0, ctx), bsize)
1976     || !TEST_ptr(b2 = OPENSSL_malloc(bsize))
1977     || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
1978     POINT_CONVERSION_UNCOMPRESSED, b2,
1979     bsize, ctx), bsize)
1980     /* Q1 = kG = k/2 G2 = Q2 should hold */
1981     || !TEST_mem_eq(b1, bsize, b2, bsize))
1982     goto err;
1983    
1984     if (!do_test_custom_explicit_fromdata(group, ctx, b1, bsize))
1985     goto err;
1986    
1987     ret = 1;
1988    
1989     err:
1990     EC_POINT_free(Q1);
1991     EC_POINT_free(Q2);
1992     EC_POINT_free(G2);
1993     EC_GROUP_free(group);
1994     BN_CTX_end(ctx);
1995     BN_CTX_free(ctx);
1996     OPENSSL_free(b1);
1997     OPENSSL_free(b2);
1998    
1999     return ret;
2000     }
2001    
2002     /*
2003     * check creation of curves from explicit params through the public API
2004     */
2005     static int custom_params_test(int id)
2006     {
2007     int ret = 0, nid, bsize;
2008     const char *curve_name = NULL;
2009     EC_GROUP *group = NULL, *altgroup = NULL;
2010     EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
2011     const EC_POINT *Q = NULL;
2012     BN_CTX *ctx = NULL;
2013     BIGNUM *k = NULL;
2014     unsigned char *buf1 = NULL, *buf2 = NULL;
2015     const BIGNUM *z = NULL, *cof = NULL, *priv1 = NULL;
2016     BIGNUM *p = NULL, *a = NULL, *b = NULL;
2017     int is_prime = 0;
2018     EC_KEY *eckey1 = NULL, *eckey2 = NULL;
2019     EVP_PKEY *pkey1 = NULL, *pkey2 = NULL;
2020     EVP_PKEY_CTX *pctx1 = NULL, *pctx2 = NULL;
2021     size_t sslen, t;
2022     unsigned char *pub1 = NULL , *pub2 = NULL;
2023     OSSL_PARAM_BLD *param_bld = NULL;
2024     OSSL_PARAM *params1 = NULL, *params2 = NULL;
2025    
2026     /* Do some setup */
2027     nid = curves[id].nid;
2028     curve_name = OBJ_nid2sn(nid);
2029     TEST_note("Curve %s", curve_name);
2030    
2031     if (nid == NID_sm2)
2032     return TEST_skip("custom params not supported with SM2");
2033    
2034     if (!TEST_ptr(ctx = BN_CTX_new()))
2035     return 0;
2036    
2037     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
2038     goto err;
2039    
2040     is_prime = EC_GROUP_get_field_type(group) == NID_X9_62_prime_field;
2041     #ifdef OPENSSL_NO_EC2M
2042     if (!is_prime) {
2043     ret = TEST_skip("binary curves not supported in this build");
2044     goto err;
2045     }
2046     #endif
2047    
2048     BN_CTX_start(ctx);
2049     if (!TEST_ptr(p = BN_CTX_get(ctx))
2050     || !TEST_ptr(a = BN_CTX_get(ctx))
2051     || !TEST_ptr(b = BN_CTX_get(ctx))
2052     || !TEST_ptr(k = BN_CTX_get(ctx)))
2053     goto err;
2054    
2055     /* expected byte length of encoded points */
2056     bsize = (EC_GROUP_get_degree(group) + 7) / 8;
2057     bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */
2058    
2059     /* extract parameters from built-in curve */
2060     if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx))
2061     || !TEST_ptr(G2 = EC_POINT_new(group))
2062     /* new generator is G2 := 2G */
2063     || !TEST_true(EC_POINT_dbl(group, G2,
2064     EC_GROUP_get0_generator(group), ctx))
2065     /* pull out the bytes of that */
2066     || !TEST_int_eq(EC_POINT_point2oct(group, G2,
2067     POINT_CONVERSION_UNCOMPRESSED,
2068     NULL, 0, ctx), bsize)
2069     || !TEST_ptr(buf1 = OPENSSL_malloc(bsize))
2070     || !TEST_int_eq(EC_POINT_point2oct(group, G2,
2071     POINT_CONVERSION_UNCOMPRESSED,
2072     buf1, bsize, ctx), bsize)
2073     || !TEST_ptr(z = EC_GROUP_get0_order(group))
2074     || !TEST_ptr(cof = EC_GROUP_get0_cofactor(group))
2075     )
2076     goto err;
2077    
2078     /* create a new group using same params (but different generator) */
2079     if (is_prime) {
2080     if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GFp(p, a, b, ctx)))
2081     goto err;
2082     }
2083     #ifndef OPENSSL_NO_EC2M
2084     else {
2085     if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
2086     goto err;
2087     }
2088     #endif
2089    
2090     /* set 2*G as the generator of altgroup */
2091     EC_POINT_free(G2); /* discard G2 as it refers to the original group */
2092     if (!TEST_ptr(G2 = EC_POINT_new(altgroup))
2093     || !TEST_true(EC_POINT_oct2point(altgroup, G2, buf1, bsize, ctx))
2094     || !TEST_int_eq(EC_POINT_is_on_curve(altgroup, G2, ctx), 1)
2095     || !TEST_true(EC_GROUP_set_generator(altgroup, G2, z, cof))
2096     )
2097     goto err;
2098    
2099     /* verify math checks out */
2100     if (/* allocate temporary points on group and altgroup */
2101     !TEST_ptr(Q1 = EC_POINT_new(group))
2102     || !TEST_ptr(Q2 = EC_POINT_new(altgroup))
2103     /* fetch a testing scalar k != 0,1 */
2104     || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
2105     BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
2106     /* make k even */
2107     || !TEST_true(BN_clear_bit(k, 0))
2108     /* Q1 := kG on group */
2109     || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
2110     /* pull out the bytes of that */
2111     || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2112     POINT_CONVERSION_UNCOMPRESSED,
2113     NULL, 0, ctx), bsize)
2114     || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2115     POINT_CONVERSION_UNCOMPRESSED,
2116     buf1, bsize, ctx), bsize)
2117     /* k := k/2 */
2118     || !TEST_true(BN_rshift1(k, k))
2119     /* Q2 := k/2 G2 on altgroup */
2120     || !TEST_true(EC_POINT_mul(altgroup, Q2, k, NULL, NULL, ctx))
2121     /* pull out the bytes of that */
2122     || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2,
2123     POINT_CONVERSION_UNCOMPRESSED,
2124     NULL, 0, ctx), bsize)
2125     || !TEST_ptr(buf2 = OPENSSL_malloc(bsize))
2126     || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2,
2127     POINT_CONVERSION_UNCOMPRESSED,
2128     buf2, bsize, ctx), bsize)
2129     /* Q1 = kG = k/2 G2 = Q2 should hold */
2130     || !TEST_mem_eq(buf1, bsize, buf2, bsize))
2131     goto err;
2132    
2133     /* create two `EC_KEY`s on altgroup */
2134     if (!TEST_ptr(eckey1 = EC_KEY_new())
2135     || !TEST_true(EC_KEY_set_group(eckey1, altgroup))
2136     || !TEST_true(EC_KEY_generate_key(eckey1))
2137     || !TEST_ptr(eckey2 = EC_KEY_new())
2138     || !TEST_true(EC_KEY_set_group(eckey2, altgroup))
2139     || !TEST_true(EC_KEY_generate_key(eckey2)))
2140     goto err;
2141    
2142     /* retrieve priv1 for later */
2143     if (!TEST_ptr(priv1 = EC_KEY_get0_private_key(eckey1)))
2144     goto err;
2145    
2146     /*
2147     * retrieve bytes for pub1 for later
2148     *
2149     * We compute the pub key in the original group as we will later use it to
2150     * define a provider key in the built-in group.
2151     */
2152     if (!TEST_true(EC_POINT_mul(group, Q1, priv1, NULL, NULL, ctx))
2153     || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2154     POINT_CONVERSION_UNCOMPRESSED,
2155     NULL, 0, ctx), bsize)
2156     || !TEST_ptr(pub1 = OPENSSL_malloc(bsize))
2157     || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2158     POINT_CONVERSION_UNCOMPRESSED,
2159     pub1, bsize, ctx), bsize))
2160     goto err;
2161    
2162     /* retrieve bytes for pub2 for later */
2163     if (!TEST_ptr(Q = EC_KEY_get0_public_key(eckey2))
2164     || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q,
2165     POINT_CONVERSION_UNCOMPRESSED,
2166     NULL, 0, ctx), bsize)
2167     || !TEST_ptr(pub2 = OPENSSL_malloc(bsize))
2168     || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q,
2169     POINT_CONVERSION_UNCOMPRESSED,
2170     pub2, bsize, ctx), bsize))
2171     goto err;
2172    
2173     /* create two `EVP_PKEY`s from the `EC_KEY`s */
2174     if(!TEST_ptr(pkey1 = EVP_PKEY_new())
2175     || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey1, eckey1), 1))
2176     goto err;
2177     eckey1 = NULL; /* ownership passed to pkey1 */
2178     if(!TEST_ptr(pkey2 = EVP_PKEY_new())
2179     || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey2, eckey2), 1))
2180     goto err;
2181     eckey2 = NULL; /* ownership passed to pkey2 */
2182    
2183     /* Compute keyexchange in both directions */
2184     if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
2185     || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
2186     || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
2187     || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
2188     || !TEST_int_gt(bsize, sslen)
2189     || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
2190     goto err;
2191     if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
2192     || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
2193     || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
2194     || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
2195     || !TEST_int_gt(bsize, t)
2196     || !TEST_int_le(sslen, t)
2197     || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
2198     goto err;
2199    
2200     /* Both sides should expect the same shared secret */
2201     if (!TEST_mem_eq(buf1, sslen, buf2, t))
2202     goto err;
2203    
2204     /* Build parameters for provider-native keys */
2205     if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new())
2206     || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld,
2207     OSSL_PKEY_PARAM_GROUP_NAME,
2208     curve_name, 0))
2209     || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld,
2210     OSSL_PKEY_PARAM_PUB_KEY,
2211     pub1, bsize))
2212     || !TEST_true(OSSL_PARAM_BLD_push_BN(param_bld,
2213     OSSL_PKEY_PARAM_PRIV_KEY,
2214     priv1))
2215     || !TEST_ptr(params1 = OSSL_PARAM_BLD_to_param(param_bld)))
2216     goto err;
2217    
2218     OSSL_PARAM_BLD_free(param_bld);
2219     if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new())
2220     || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld,
2221     OSSL_PKEY_PARAM_GROUP_NAME,
2222     curve_name, 0))
2223     || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld,
2224     OSSL_PKEY_PARAM_PUB_KEY,
2225     pub2, bsize))
2226     || !TEST_ptr(params2 = OSSL_PARAM_BLD_to_param(param_bld)))
2227     goto err;
2228    
2229     /* create two new provider-native `EVP_PKEY`s */
2230     EVP_PKEY_CTX_free(pctx2);
2231     if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
2232     || !TEST_true(EVP_PKEY_fromdata_init(pctx2))
2233     || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey1, EVP_PKEY_KEYPAIR,
2234     params1))
2235     || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey2, EVP_PKEY_PUBLIC_KEY,
2236     params2)))
2237     goto err;
2238    
2239     /* compute keyexchange once more using the provider keys */
2240     EVP_PKEY_CTX_free(pctx1);
2241     if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
2242     || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
2243     || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
2244     || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &t), 1)
2245     || !TEST_int_gt(bsize, t)
2246     || !TEST_int_le(sslen, t)
2247     || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &t), 1)
2248     /* compare with previous result */
2249     || !TEST_mem_eq(buf1, t, buf2, sslen))
2250     goto err;
2251    
2252     ret = 1;
2253    
2254     err:
2255     BN_CTX_end(ctx);
2256     BN_CTX_free(ctx);
2257     OSSL_PARAM_BLD_free(param_bld);
2258     OSSL_PARAM_free(params1);
2259     OSSL_PARAM_free(params2);
2260     EC_POINT_free(Q1);
2261     EC_POINT_free(Q2);
2262     EC_POINT_free(G2);
2263     EC_GROUP_free(group);
2264     EC_GROUP_free(altgroup);
2265     OPENSSL_free(buf1);
2266     OPENSSL_free(buf2);
2267     OPENSSL_free(pub1);
2268     OPENSSL_free(pub2);
2269     EC_KEY_free(eckey1);
2270     EC_KEY_free(eckey2);
2271     EVP_PKEY_free(pkey1);
2272     EVP_PKEY_free(pkey2);
2273     EVP_PKEY_CTX_free(pctx1);
2274     EVP_PKEY_CTX_free(pctx2);
2275    
2276     return ret;
2277     }
2278    
2279     int setup_tests(void)
2280     {
2281     crv_len = EC_get_builtin_curves(NULL, 0);
2282     if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len))
2283     || !TEST_true(EC_get_builtin_curves(curves, crv_len)))
2284     return 0;
2285    
2286     ADD_TEST(parameter_test);
2287     /*ADD_TEST(cofactor_range_test);*/
2288     ADD_ALL_TESTS(cardinality_test, crv_len);
2289     ADD_TEST(prime_field_tests);
2290     #ifndef OPENSSL_NO_EC2M
2291     ADD_TEST(char2_field_tests);
2292     ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
2293     #endif
2294     ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
2295     ADD_ALL_TESTS(internal_curve_test, crv_len);
2296     ADD_ALL_TESTS(internal_curve_test_method, crv_len);
2297     ADD_TEST(group_field_test);
2298     ADD_ALL_TESTS(check_named_curve_test, crv_len);
2299     ADD_ALL_TESTS(check_named_curve_lookup_test, crv_len);
2300     ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
2301     ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
2302     ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
2303     /* ADD_ALL_TESTS(custom_generator_test, crv_len);
2304     ADD_ALL_TESTS(custom_params_test, crv_len); */
2305     return 1;
2306     }
2307    
2308     void cleanup_tests(void)
2309     {
2310     OPENSSL_free(curves);
2311     }

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed