/[smecontribs]/rpms/openssl3/contribs10/ectest.c
ViewVC logotype

Contents of /rpms/openssl3/contribs10/ectest.c

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Wed Jan 31 17:24:55 2024 UTC (9 months, 4 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Content type: text/plain
Initial import

1 /*
2 * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 /*
12 * EC_KEY low level APIs are deprecated for public use, but still ok for
13 * internal use.
14 */
15 #include "internal/deprecated.h"
16
17 #include <string.h>
18 #include "internal/nelem.h"
19 #include "testutil.h"
20
21 #include <openssl/ec.h>
22 #ifndef OPENSSL_NO_ENGINE
23 # include <openssl/engine.h>
24 #endif
25 #include <openssl/err.h>
26 #include <openssl/obj_mac.h>
27 #include <openssl/objects.h>
28 #include <openssl/rand.h>
29 #include <openssl/bn.h>
30 #include <openssl/opensslconf.h>
31 #include <openssl/core_names.h>
32 #include <openssl/param_build.h>
33 #include <openssl/evp.h>
34
35 static size_t crv_len = 0;
36 static EC_builtin_curve *curves = NULL;
37
38 /* test multiplication with group order, long and negative scalars */
39 static int group_order_tests(EC_GROUP *group)
40 {
41 BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL;
42 EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL;
43 const EC_POINT *G = NULL;
44 BN_CTX *ctx = NULL;
45 int i = 0, r = 0;
46
47 if (!TEST_ptr(n1 = BN_new())
48 || !TEST_ptr(n2 = BN_new())
49 || !TEST_ptr(order = BN_new())
50 || !TEST_ptr(ctx = BN_CTX_new())
51 || !TEST_ptr(G = EC_GROUP_get0_generator(group))
52 || !TEST_ptr(P = EC_POINT_new(group))
53 || !TEST_ptr(Q = EC_POINT_new(group))
54 || !TEST_ptr(R = EC_POINT_new(group))
55 || !TEST_ptr(S = EC_POINT_new(group)))
56 goto err;
57
58 if (!TEST_true(EC_GROUP_get_order(group, order, ctx))
59 || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
60 || !TEST_true(EC_POINT_is_at_infinity(group, Q))
61 #ifndef OPENSSL_NO_DEPRECATED_3_0
62 || !TEST_true(EC_GROUP_precompute_mult(group, ctx))
63 #endif
64 || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
65 || !TEST_true(EC_POINT_is_at_infinity(group, Q))
66 || !TEST_true(EC_POINT_copy(P, G))
67 || !TEST_true(BN_one(n1))
68 || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
69 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
70 || !TEST_true(BN_sub(n1, order, n1))
71 || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
72 || !TEST_true(EC_POINT_invert(group, Q, ctx))
73 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
74 goto err;
75
76 for (i = 1; i <= 2; i++) {
77 #ifndef OPENSSL_NO_DEPRECATED_3_0
78 const BIGNUM *scalars[6];
79 const EC_POINT *points[6];
80 #endif
81
82 if (!TEST_true(BN_set_word(n1, i))
83 /*
84 * If i == 1, P will be the predefined generator for which
85 * EC_GROUP_precompute_mult has set up precomputation.
86 */
87 || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
88 || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx)))
89 || !TEST_true(BN_one(n1))
90 /* n1 = 1 - order */
91 || !TEST_true(BN_sub(n1, n1, order))
92 || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx))
93 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
94
95 /* n2 = 1 + order */
96 || !TEST_true(BN_add(n2, order, BN_value_one()))
97 || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
98 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
99
100 /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
101 || !TEST_true(BN_mul(n2, n1, n2, ctx))
102 || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
103 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
104 goto err;
105
106 /* n2 = order^2 - 1 */
107 BN_set_negative(n2, 0);
108 if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
109 /* Add P to verify the result. */
110 || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx))
111 || !TEST_true(EC_POINT_is_at_infinity(group, Q))
112 || !TEST_false(EC_POINT_is_at_infinity(group, P)))
113 goto err;
114
115 #ifndef OPENSSL_NO_DEPRECATED_3_0
116 /* Exercise EC_POINTs_mul, including corner cases. */
117 scalars[0] = scalars[1] = BN_value_one();
118 points[0] = points[1] = P;
119
120 if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx))
121 || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx))
122 || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx)))
123 goto err;
124
125 scalars[0] = n1;
126 points[0] = Q; /* => infinity */
127 scalars[1] = n2;
128 points[1] = P; /* => -P */
129 scalars[2] = n1;
130 points[2] = Q; /* => infinity */
131 scalars[3] = n2;
132 points[3] = Q; /* => infinity */
133 scalars[4] = n1;
134 points[4] = P; /* => P */
135 scalars[5] = n2;
136 points[5] = Q; /* => infinity */
137 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
138 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
139 goto err;
140 #endif
141 }
142
143 r = 1;
144 err:
145 if (r == 0 && i != 0)
146 TEST_info(i == 1 ? "allowing precomputation" :
147 "without precomputation");
148 EC_POINT_free(P);
149 EC_POINT_free(Q);
150 EC_POINT_free(R);
151 EC_POINT_free(S);
152 BN_free(n1);
153 BN_free(n2);
154 BN_free(order);
155 BN_CTX_free(ctx);
156 return r;
157 }
158
159 static int prime_field_tests(void)
160 {
161 BN_CTX *ctx = NULL;
162 BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL;
163 EC_GROUP *group = NULL;
164 EC_POINT *P = NULL, *Q = NULL, *R = NULL;
165 BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL;
166 #ifndef OPENSSL_NO_DEPRECATED_3_0
167 const EC_POINT *points[4];
168 const BIGNUM *scalars[4];
169 #endif
170 unsigned char buf[100];
171 size_t len, r = 0;
172 int k;
173
174 if (!TEST_ptr(ctx = BN_CTX_new())
175 || !TEST_ptr(p = BN_new())
176 || !TEST_ptr(a = BN_new())
177 || !TEST_ptr(b = BN_new())
178 /*
179 * applications should use EC_GROUP_new_curve_GFp so
180 * that the library gets to choose the EC_METHOD
181 */
182 || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method())))
183 goto err;
184
185 buf[0] = 0;
186 if (!TEST_ptr(P = EC_POINT_new(group))
187 || !TEST_ptr(Q = EC_POINT_new(group))
188 || !TEST_ptr(R = EC_POINT_new(group))
189 || !TEST_ptr(x = BN_new())
190 || !TEST_ptr(y = BN_new())
191 || !TEST_ptr(z = BN_new())
192 || !TEST_ptr(yplusone = BN_new()))
193 goto err;
194
195 /* Curve P-224 (FIPS PUB 186-2, App. 6) */
196
197 if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
198 "FFFFFFFF000000000000000000000001"))
199 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
200 || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
201 "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
202 || !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256"
203 "5044B0B7D7BFD8BA270B39432355FFB4"))
204 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
205 || !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9"
206 "4A03C1D356C21122343280D6115C1D21"))
207 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
208 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
209 || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF"
210 "FFFF16A2E0B8F03E13DD29455C5C2A3D"))
211 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
212 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
213 goto err;
214
215 TEST_info("NIST curve P-224 -- Generator");
216 test_output_bignum("x", x);
217 test_output_bignum("y", y);
218 /* G_y value taken from the standard: */
219 if (!TEST_true(BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6"
220 "CD4375A05A07476444D5819985007E34"))
221 || !TEST_BN_eq(y, z)
222 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
223 /*
224 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
225 * and therefore setting the coordinates should fail.
226 */
227 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
228 ctx))
229 || !TEST_int_eq(EC_GROUP_get_degree(group), 224)
230 || !group_order_tests(group)
231
232 /* Curve P-256 (FIPS PUB 186-2, App. 6) */
233
234 || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000"
235 "00000000FFFFFFFFFFFFFFFFFFFFFFFF"))
236 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
237 || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000"
238 "00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
239 || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
240 "651D06B0CC53B0F63BCE3C3E27D2604B"))
241 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
242
243 || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2"
244 "77037D812DEB33A0F4A13945D898C296"))
245 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
246 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
247 || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
248 "BCE6FAADA7179E84F3B9CAC2FC632551"))
249 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
250 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
251 goto err;
252
253 TEST_info("NIST curve P-256 -- Generator");
254 test_output_bignum("x", x);
255 test_output_bignum("y", y);
256 /* G_y value taken from the standard: */
257 if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16"
258 "2BCE33576B315ECECBB6406837BF51F5"))
259 || !TEST_BN_eq(y, z)
260 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
261 /*
262 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
263 * and therefore setting the coordinates should fail.
264 */
265 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
266 ctx))
267 || !TEST_int_eq(EC_GROUP_get_degree(group), 256)
268 || !group_order_tests(group)
269
270 /* Curve P-384 (FIPS PUB 186-2, App. 6) */
271
272 || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
273 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
274 "FFFFFFFF0000000000000000FFFFFFFF"))
275 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
276 || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
277 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
278 "FFFFFFFF0000000000000000FFFFFFFC"))
279 || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19"
280 "181D9C6EFE8141120314088F5013875A"
281 "C656398D8A2ED19D2A85C8EDD3EC2AEF"))
282 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
283
284 || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74"
285 "6E1D3B628BA79B9859F741E082542A38"
286 "5502F25DBF55296C3A545E3872760AB7"))
287 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
288 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
289 || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
290 "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
291 "581A0DB248B0A77AECEC196ACCC52973"))
292 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
293 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
294 goto err;
295
296 TEST_info("NIST curve P-384 -- Generator");
297 test_output_bignum("x", x);
298 test_output_bignum("y", y);
299 /* G_y value taken from the standard: */
300 if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29"
301 "F8F41DBD289A147CE9DA3113B5F0B8C0"
302 "0A60B1CE1D7E819D7A431D7C90EA0E5F"))
303 || !TEST_BN_eq(y, z)
304 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
305 /*
306 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
307 * and therefore setting the coordinates should fail.
308 */
309 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
310 ctx))
311 || !TEST_int_eq(EC_GROUP_get_degree(group), 384)
312 || !group_order_tests(group)
313
314 /* Curve P-521 (FIPS PUB 186-2, App. 6) */
315 || !TEST_true(BN_hex2bn(&p, "1FF"
316 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
317 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
318 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
319 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
320 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
321 || !TEST_true(BN_hex2bn(&a, "1FF"
322 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
323 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
324 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
325 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
326 || !TEST_true(BN_hex2bn(&b, "051"
327 "953EB9618E1C9A1F929A21A0B68540EE"
328 "A2DA725B99B315F3B8B489918EF109E1"
329 "56193951EC7E937B1652C0BD3BB1BF07"
330 "3573DF883D2C34F1EF451FD46B503F00"))
331 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
332 || !TEST_true(BN_hex2bn(&x, "C6"
333 "858E06B70404E9CD9E3ECB662395B442"
334 "9C648139053FB521F828AF606B4D3DBA"
335 "A14B5E77EFE75928FE1DC127A2FFA8DE"
336 "3348B3C1856A429BF97E7E31C2E5BD66"))
337 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
338 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
339 || !TEST_true(BN_hex2bn(&z, "1FF"
340 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
341 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA"
342 "51868783BF2F966B7FCC0148F709A5D0"
343 "3BB5C9B8899C47AEBB6FB71E91386409"))
344 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
345 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
346 goto err;
347
348 TEST_info("NIST curve P-521 -- Generator");
349 test_output_bignum("x", x);
350 test_output_bignum("y", y);
351 /* G_y value taken from the standard: */
352 if (!TEST_true(BN_hex2bn(&z, "118"
353 "39296A789A3BC0045C8A5FB42C7D1BD9"
354 "98F54449579B446817AFBD17273E662C"
355 "97EE72995EF42640C550B9013FAD0761"
356 "353C7086A272C24088BE94769FD16650"))
357 || !TEST_BN_eq(y, z)
358 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
359 /*
360 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
361 * and therefore setting the coordinates should fail.
362 */
363 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
364 ctx))
365 || !TEST_int_eq(EC_GROUP_get_degree(group), 521)
366 || !group_order_tests(group)
367
368 /* more tests using the last curve */
369
370 /* Restore the point that got mangled in the (x, y + 1) test. */
371 || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
372 || !TEST_true(EC_POINT_copy(Q, P))
373 || !TEST_false(EC_POINT_is_at_infinity(group, Q))
374 || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
375 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
376 || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
377 || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
378 || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
379 || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
380 || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
381 goto err;
382
383 #ifndef OPENSSL_NO_DEPRECATED_3_0
384 TEST_note("combined multiplication ...");
385 points[0] = Q;
386 points[1] = Q;
387 points[2] = Q;
388 points[3] = Q;
389
390 if (!TEST_true(EC_GROUP_get_order(group, z, ctx))
391 || !TEST_true(BN_add(y, z, BN_value_one()))
392 || !TEST_BN_even(y)
393 || !TEST_true(BN_rshift1(y, y)))
394 goto err;
395
396 scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
397 scalars[1] = y;
398
399 /* z is still the group order */
400 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
401 || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
402 || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
403 || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx))
404 || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
405 || !TEST_true(BN_add(z, z, y)))
406 goto err;
407 BN_set_negative(z, 1);
408 scalars[0] = y;
409 scalars[1] = z; /* z = -(order + y) */
410
411 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
412 || !TEST_true(EC_POINT_is_at_infinity(group, P))
413 || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
414 || !TEST_true(BN_add(z, x, y)))
415 goto err;
416 BN_set_negative(z, 1);
417 scalars[0] = x;
418 scalars[1] = y;
419 scalars[2] = z; /* z = -(x+y) */
420
421 if (!TEST_ptr(scalar3 = BN_new()))
422 goto err;
423 BN_zero(scalar3);
424 scalars[3] = scalar3;
425
426 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
427 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
428 goto err;
429 #endif
430 TEST_note(" ok\n");
431 r = 1;
432 err:
433 BN_CTX_free(ctx);
434 BN_free(p);
435 BN_free(a);
436 BN_free(b);
437 EC_GROUP_free(group);
438 EC_POINT_free(P);
439 EC_POINT_free(Q);
440 EC_POINT_free(R);
441 BN_free(x);
442 BN_free(y);
443 BN_free(z);
444 BN_free(yplusone);
445 BN_free(scalar3);
446 return r;
447 }
448
449 static int internal_curve_test(int n)
450 {
451 EC_GROUP *group = NULL;
452 int nid = curves[n].nid;
453
454 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
455 TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n",
456 OBJ_nid2sn(nid));
457 return 0;
458 }
459 if (!TEST_true(EC_GROUP_check(group, NULL))) {
460 TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid));
461 EC_GROUP_free(group);
462 return 0;
463 }
464 EC_GROUP_free(group);
465 return 1;
466 }
467
468 static int internal_curve_test_method(int n)
469 {
470 int r, nid = curves[n].nid;
471 EC_GROUP *group;
472
473 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
474 TEST_info("Curve %s failed\n", OBJ_nid2sn(nid));
475 return 0;
476 }
477 r = group_order_tests(group);
478 EC_GROUP_free(group);
479 return r;
480 }
481
482 static int group_field_test(void)
483 {
484 int r = 1;
485 BIGNUM *secp521r1_field = NULL;
486 BIGNUM *sect163r2_field = NULL;
487 EC_GROUP *secp521r1_group = NULL;
488 EC_GROUP *sect163r2_group = NULL;
489
490 BN_hex2bn(&secp521r1_field,
491 "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
492 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
493 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
494 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
495 "FFFF");
496
497
498 BN_hex2bn(&sect163r2_field,
499 "08000000000000000000000000000000"
500 "00000000C9");
501
502 secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1);
503 if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group)))
504 r = 0;
505
506 # ifndef OPENSSL_NO_EC2M
507 sect163r2_group = EC_GROUP_new_by_curve_name(NID_sect163r2);
508 if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group)))
509 r = 0;
510 # endif
511
512 EC_GROUP_free(secp521r1_group);
513 EC_GROUP_free(sect163r2_group);
514 BN_free(secp521r1_field);
515 BN_free(sect163r2_field);
516 return r;
517 }
518 /*
519 * nistp_test_params contains magic numbers for testing
520 * several NIST curves with characteristic > 3.
521 */
522 struct nistp_test_params {
523 const int nid;
524 int degree;
525 /*
526 * Qx, Qy and D are taken from
527 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
528 * Otherwise, values are standard curve parameters from FIPS 180-3
529 */
530 const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
531 };
532
533 static const struct nistp_test_params nistp_tests_params[] = {
534 {
535 /* P-224 */
536 NID_secp224r1,
537 224,
538 /* p */
539 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
540 /* a */
541 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
542 /* b */
543 "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
544 /* Qx */
545 "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E",
546 /* Qy */
547 "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555",
548 /* Gx */
549 "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
550 /* Gy */
551 "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
552 /* order */
553 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
554 /* d */
555 "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8",
556 },
557 {
558 /* P-256 */
559 NID_X9_62_prime256v1,
560 256,
561 /* p */
562 "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
563 /* a */
564 "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
565 /* b */
566 "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
567 /* Qx */
568 "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19",
569 /* Qy */
570 "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09",
571 /* Gx */
572 "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
573 /* Gy */
574 "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
575 /* order */
576 "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
577 /* d */
578 "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96",
579 },
580 {
581 /* P-521 */
582 NID_secp521r1,
583 521,
584 /* p */
585 "1ff"
586 "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
587 "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
588 /* a */
589 "1ff"
590 "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
591 "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
592 /* b */
593 "051"
594 "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1"
595 "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
596 /* Qx */
597 "0098"
598 "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e"
599 "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
600 /* Qy */
601 "0164"
602 "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8"
603 "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
604 /* Gx */
605 "c6"
606 "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba"
607 "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
608 /* Gy */
609 "118"
610 "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c"
611 "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
612 /* order */
613 "1ff"
614 "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa"
615 "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
616 /* d */
617 "0100"
618 "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee"
619 "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
620 },
621 };
622
623 static int nistp_single_test(int idx)
624 {
625 const struct nistp_test_params *test = nistp_tests_params + idx;
626 BN_CTX *ctx = NULL;
627 BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL;
628 BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL;
629 EC_GROUP *NISTP = NULL;
630 EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL;
631 int r = 0;
632
633 TEST_note("NIST curve P-%d (optimised implementation):",
634 test->degree);
635 if (!TEST_ptr(ctx = BN_CTX_new())
636 || !TEST_ptr(p = BN_new())
637 || !TEST_ptr(a = BN_new())
638 || !TEST_ptr(b = BN_new())
639 || !TEST_ptr(x = BN_new())
640 || !TEST_ptr(y = BN_new())
641 || !TEST_ptr(m = BN_new())
642 || !TEST_ptr(n = BN_new())
643 || !TEST_ptr(order = BN_new())
644 || !TEST_ptr(yplusone = BN_new())
645
646 || !TEST_ptr(NISTP = EC_GROUP_new_by_curve_name(test->nid))
647 || !TEST_true(BN_hex2bn(&p, test->p))
648 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
649 || !TEST_true(BN_hex2bn(&a, test->a))
650 || !TEST_true(BN_hex2bn(&b, test->b))
651 || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx))
652 || !TEST_ptr(G = EC_POINT_new(NISTP))
653 || !TEST_ptr(P = EC_POINT_new(NISTP))
654 || !TEST_ptr(Q = EC_POINT_new(NISTP))
655 || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP))
656 || !TEST_true(BN_hex2bn(&x, test->Qx))
657 || !TEST_true(BN_hex2bn(&y, test->Qy))
658 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
659 /*
660 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
661 * and therefore setting the coordinates should fail.
662 */
663 || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x,
664 yplusone, ctx))
665 || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y,
666 ctx))
667 || !TEST_true(BN_hex2bn(&x, test->Gx))
668 || !TEST_true(BN_hex2bn(&y, test->Gy))
669 || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx))
670 || !TEST_true(BN_hex2bn(&order, test->order))
671 || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
672 || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
673 goto err;
674
675 TEST_note("NIST test vectors ... ");
676 if (!TEST_true(BN_hex2bn(&n, test->d)))
677 goto err;
678 /* fixed point multiplication */
679 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
680 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
681 goto err;
682 /* random point multiplication */
683 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
684 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
685
686 /* set generator to P = 2*G, where G is the standard generator */
687 || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx))
688 || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
689 /* set the scalar to m=n/2, where n is the NIST test scalar */
690 || !TEST_true(BN_rshift(m, n, 1)))
691 goto err;
692
693 /* test the non-standard generator */
694 /* fixed point multiplication */
695 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
696 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
697 goto err;
698 /* random point multiplication */
699 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
700 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
701 #ifndef OPENSSL_NO_DEPRECATED_3_0
702 /* We have not performed precomp so this should be false */
703 || !TEST_false(EC_GROUP_have_precompute_mult(NISTP))
704 /* now repeat all tests with precomputation */
705 || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx))
706 #endif
707 )
708 goto err;
709
710 /* fixed point multiplication */
711 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
712 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
713 goto err;
714 /* random point multiplication */
715 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
716 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
717
718 /* reset generator */
719 || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())))
720 goto err;
721 /* fixed point multiplication */
722 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
723 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
724 goto err;
725 /* random point multiplication */
726 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
727 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
728 goto err;
729
730 /* regression test for felem_neg bug */
731 if (!TEST_true(BN_set_word(m, 32))
732 || !TEST_true(BN_set_word(n, 31))
733 || !TEST_true(EC_POINT_copy(P, G))
734 || !TEST_true(EC_POINT_invert(NISTP, P, ctx))
735 || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx))
736 || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx)))
737 goto err;
738
739 r = 1;
740 err:
741 EC_GROUP_free(NISTP);
742 EC_POINT_free(G);
743 EC_POINT_free(P);
744 EC_POINT_free(Q);
745 EC_POINT_free(Q_CHECK);
746 BN_free(n);
747 BN_free(m);
748 BN_free(p);
749 BN_free(a);
750 BN_free(b);
751 BN_free(x);
752 BN_free(y);
753 BN_free(order);
754 BN_free(yplusone);
755 BN_CTX_free(ctx);
756 return r;
757 }
758
759 static const unsigned char p521_named[] = {
760 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23,
761 };
762
763 static const unsigned char p521_explicit[] = {
764 0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a,
765 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff,
766 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
767 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
768 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
769 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
770 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
771 0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff,
772 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
773 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
774 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
775 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
776 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
777 0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a,
778 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72,
779 0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09,
780 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 0x52, 0xc0,
781 0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34,
782 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00,
783 0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17,
784 0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04,
785 0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e,
786 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
787 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b,
788 0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
789 0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e,
790 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78,
791 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9,
792 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17,
793 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40,
794 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86,
795 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
796 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
797 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
798 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa,
799 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48,
800 0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae,
801 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
802 };
803
804 /*
805 * This test validates a named curve's group parameters using
806 * EC_GROUP_check_named_curve(). It also checks that modifying any of the
807 * group parameters results in the curve not being valid.
808 */
809 static int check_named_curve_test(int id)
810 {
811 int ret = 0, nid, field_nid, has_seed;
812 EC_GROUP *group = NULL, *gtest = NULL;
813 const EC_POINT *group_gen = NULL;
814 EC_POINT *other_gen = NULL;
815 BIGNUM *group_p = NULL, *group_a = NULL, *group_b = NULL;
816 BIGNUM *other_p = NULL, *other_a = NULL, *other_b = NULL;
817 BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
818 BIGNUM *other_order = NULL;
819 const BIGNUM *group_order = NULL;
820 BN_CTX *bn_ctx = NULL;
821 static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
822 static size_t invalid_seed_len = sizeof(invalid_seed);
823
824 /* Do some setup */
825 nid = curves[id].nid;
826 if (!TEST_ptr(bn_ctx = BN_CTX_new())
827 || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
828 || !TEST_ptr(gtest = EC_GROUP_dup(group))
829 || !TEST_ptr(group_p = BN_new())
830 || !TEST_ptr(group_a = BN_new())
831 || !TEST_ptr(group_b = BN_new())
832 || !TEST_ptr(group_cofactor = BN_new())
833 || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
834 || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
835 || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
836 || !TEST_true(EC_GROUP_get_curve(group, group_p, group_a, group_b, NULL))
837 || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
838 || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
839 || !TEST_ptr(other_order = BN_dup(group_order))
840 || !TEST_true(BN_add_word(other_order, 1))
841 || !TEST_ptr(other_a = BN_dup(group_a))
842 || !TEST_true(BN_add_word(other_a, 1))
843 || !TEST_ptr(other_b = BN_dup(group_b))
844 || !TEST_true(BN_add_word(other_b, 1))
845 || !TEST_ptr(other_cofactor = BN_dup(group_cofactor))
846 || !TEST_true(BN_add_word(other_cofactor, 1)))
847 goto err;
848
849 /* Determine if the built-in curve has a seed field set */
850 has_seed = (EC_GROUP_get_seed_len(group) > 0);
851 field_nid = EC_GROUP_get_field_type(group);
852 if (field_nid == NID_X9_62_characteristic_two_field) {
853 if (!TEST_ptr(other_p = BN_dup(group_p))
854 || !TEST_true(BN_lshift1(other_p, other_p)))
855 goto err;
856 } else {
857 if (!TEST_ptr(other_p = BN_dup(group_p)))
858 goto err;
859 /*
860 * Just choosing any arbitrary prime does not work..
861 * Setting p via ec_GFp_nist_group_set_curve() needs the prime to be a
862 * nist prime. So only select one of these as an alternate prime.
863 */
864 if (!TEST_ptr(BN_copy(other_p,
865 BN_ucmp(BN_get0_nist_prime_192(), other_p) == 0 ?
866 BN_get0_nist_prime_256() :
867 BN_get0_nist_prime_192())))
868 goto err;
869 }
870
871 /* Passes because this is a valid curve */
872 if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid)
873 /* Only NIST curves pass */
874 || !TEST_int_eq(EC_GROUP_check_named_curve(group, 1, NULL),
875 EC_curve_nid2nist(nid) != NULL ? nid : NID_undef))
876 goto err;
877
878 /* Fail if the curve name doesn't match the parameters */
879 EC_GROUP_set_curve_name(group, nid + 1);
880 ERR_set_mark();
881 if (!TEST_int_le(EC_GROUP_check_named_curve(group, 0, NULL), 0))
882 goto err;
883 ERR_pop_to_mark();
884
885 /* Restore curve name and ensure it's passing */
886 EC_GROUP_set_curve_name(group, nid);
887 if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
888 goto err;
889
890 if (!TEST_int_eq(EC_GROUP_set_seed(group, invalid_seed, invalid_seed_len),
891 invalid_seed_len))
892 goto err;
893
894 if (has_seed) {
895 /*
896 * If the built-in curve has a seed and we set the seed to another value
897 * then it will fail the check.
898 */
899 if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), 0))
900 goto err;
901 } else {
902 /*
903 * If the built-in curve does not have a seed then setting the seed will
904 * pass the check (as the seed is optional).
905 */
906 if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
907 goto err;
908 }
909 /* Pass if the seed is unknown (as it is optional) */
910 if (!TEST_int_eq(EC_GROUP_set_seed(group, NULL, 0), 1)
911 || !TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
912 goto err;
913
914 /* Check that a duped group passes */
915 if (!TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
916 goto err;
917
918 /* check that changing any generator parameter fails */
919 if (!TEST_true(EC_GROUP_set_generator(gtest, other_gen, group_order,
920 group_cofactor))
921 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
922 || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, other_order,
923 group_cofactor))
924 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
925 /* The order is not an optional field, so this should fail */
926 || !TEST_false(EC_GROUP_set_generator(gtest, group_gen, NULL,
927 group_cofactor))
928 || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
929 other_cofactor))
930 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
931 /* Check that if the cofactor is not set then it still passes */
932 || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
933 NULL))
934 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid)
935 /* check that restoring the generator passes */
936 || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
937 group_cofactor))
938 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
939 goto err;
940
941 /*
942 * check that changing any curve parameter fails
943 *
944 * Setting arbitrary p, a or b might fail for some EC_GROUPs
945 * depending on the internal EC_METHOD implementation, hence run
946 * these tests conditionally to the success of EC_GROUP_set_curve().
947 */
948 ERR_set_mark();
949 if (EC_GROUP_set_curve(gtest, other_p, group_a, group_b, NULL)) {
950 if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
951 goto err;
952 } else {
953 /* clear the error stack if EC_GROUP_set_curve() failed */
954 ERR_pop_to_mark();
955 ERR_set_mark();
956 }
957 if (EC_GROUP_set_curve(gtest, group_p, other_a, group_b, NULL)) {
958 if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
959 goto err;
960 } else {
961 /* clear the error stack if EC_GROUP_set_curve() failed */
962 ERR_pop_to_mark();
963 ERR_set_mark();
964 }
965 if (EC_GROUP_set_curve(gtest, group_p, group_a, other_b, NULL)) {
966 if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
967 goto err;
968 } else {
969 /* clear the error stack if EC_GROUP_set_curve() failed */
970 ERR_pop_to_mark();
971 ERR_set_mark();
972 }
973 ERR_pop_to_mark();
974
975 /* Check that restoring the curve parameters passes */
976 if (!TEST_true(EC_GROUP_set_curve(gtest, group_p, group_a, group_b, NULL))
977 || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
978 goto err;
979
980 ret = 1;
981 err:
982 BN_free(group_p);
983 BN_free(other_p);
984 BN_free(group_a);
985 BN_free(other_a);
986 BN_free(group_b);
987 BN_free(other_b);
988 BN_free(group_cofactor);
989 BN_free(other_cofactor);
990 BN_free(other_order);
991 EC_POINT_free(other_gen);
992 EC_GROUP_free(gtest);
993 EC_GROUP_free(group);
994 BN_CTX_free(bn_ctx);
995 return ret;
996 }
997
998 /*
999 * This checks the lookup capability of EC_GROUP_check_named_curve()
1000 * when the given group was created with explicit parameters.
1001 *
1002 * It is possible to retrieve an alternative alias that does not match
1003 * the original nid in this case.
1004 */
1005 static int check_named_curve_lookup_test(int id)
1006 {
1007 int ret = 0, nid, rv = 0;
1008 EC_GROUP *g = NULL , *ga = NULL;
1009 ECPARAMETERS *p = NULL, *pa = NULL;
1010 BN_CTX *ctx = NULL;
1011
1012 /* Do some setup */
1013 nid = curves[id].nid;
1014 if (!TEST_ptr(ctx = BN_CTX_new())
1015 || !TEST_ptr(g = EC_GROUP_new_by_curve_name(nid))
1016 || !TEST_ptr(p = EC_GROUP_get_ecparameters(g, NULL)))
1017 goto err;
1018
1019 /* replace with group from explicit parameters */
1020 EC_GROUP_free(g);
1021 if (!TEST_ptr(g = EC_GROUP_new_from_ecparameters(p)))
1022 goto err;
1023
1024 if (!TEST_int_gt(rv = EC_GROUP_check_named_curve(g, 0, NULL), 0))
1025 goto err;
1026 if (rv != nid) {
1027 /*
1028 * Found an alias:
1029 * fail if the returned nid is not an alias of the original group.
1030 *
1031 * The comparison here is done by comparing two explicit
1032 * parameter EC_GROUPs with EC_GROUP_cmp(), to ensure the
1033 * comparison happens with unnamed EC_GROUPs using the same
1034 * EC_METHODs.
1035 */
1036 if (!TEST_ptr(ga = EC_GROUP_new_by_curve_name(rv))
1037 || !TEST_ptr(pa = EC_GROUP_get_ecparameters(ga, NULL)))
1038 goto err;
1039
1040 /* replace with group from explicit parameters, then compare */
1041 EC_GROUP_free(ga);
1042 if (!TEST_ptr(ga = EC_GROUP_new_from_ecparameters(pa))
1043 || !TEST_int_eq(EC_GROUP_cmp(g, ga, ctx), 0))
1044 goto err;
1045 }
1046
1047 ret = 1;
1048
1049 err:
1050 EC_GROUP_free(g);
1051 EC_GROUP_free(ga);
1052 ECPARAMETERS_free(p);
1053 ECPARAMETERS_free(pa);
1054 BN_CTX_free(ctx);
1055
1056 return ret;
1057 }
1058
1059 /*
1060 * Sometime we cannot compare nids for equality, as the built-in curve table
1061 * includes aliases with different names for the same curve.
1062 *
1063 * This function returns TRUE (1) if the checked nids are identical, or if they
1064 * alias to the same curve. FALSE (0) otherwise.
1065 */
1066 static ossl_inline
1067 int are_ec_nids_compatible(int n1d, int n2d)
1068 {
1069 int ret = 0;
1070 switch (n1d) {
1071 #ifndef OPENSSL_NO_EC2M
1072 case NID_sect113r1:
1073 case NID_wap_wsg_idm_ecid_wtls4:
1074 ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
1075 break;
1076 case NID_sect163k1:
1077 case NID_wap_wsg_idm_ecid_wtls3:
1078 ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
1079 break;
1080 case NID_sect233k1:
1081 case NID_wap_wsg_idm_ecid_wtls10:
1082 ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
1083 break;
1084 case NID_sect233r1:
1085 case NID_wap_wsg_idm_ecid_wtls11:
1086 ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
1087 break;
1088 case NID_X9_62_c2pnb163v1:
1089 case NID_wap_wsg_idm_ecid_wtls5:
1090 ret = (n2d == NID_X9_62_c2pnb163v1
1091 || n2d == NID_wap_wsg_idm_ecid_wtls5);
1092 break;
1093 #endif /* OPENSSL_NO_EC2M */
1094 case NID_secp112r1:
1095 case NID_wap_wsg_idm_ecid_wtls6:
1096 ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
1097 break;
1098 case NID_secp160r2:
1099 case NID_wap_wsg_idm_ecid_wtls7:
1100 ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
1101 break;
1102 #ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
1103 case NID_secp224r1:
1104 case NID_wap_wsg_idm_ecid_wtls12:
1105 ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
1106 break;
1107 #else
1108 /*
1109 * For SEC P-224 we want to ensure that the SECP nid is returned, as
1110 * that is associated with a specialized method.
1111 */
1112 case NID_wap_wsg_idm_ecid_wtls12:
1113 ret = (n2d == NID_secp224r1);
1114 break;
1115 #endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
1116
1117 default:
1118 ret = (n1d == n2d);
1119 }
1120 return ret;
1121 }
1122
1123 /*
1124 * This checks that EC_GROUP_bew_from_ecparameters() returns a "named"
1125 * EC_GROUP for built-in curves.
1126 *
1127 * Note that it is possible to retrieve an alternative alias that does not match
1128 * the original nid.
1129 *
1130 * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
1131 */
1132 static int check_named_curve_from_ecparameters(int id)
1133 {
1134 int ret = 0, nid, tnid;
1135 EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
1136 const EC_POINT *group_gen = NULL;
1137 EC_POINT *other_gen = NULL;
1138 BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
1139 BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
1140 const BIGNUM *group_order = NULL;
1141 BIGNUM *other_order = NULL;
1142 BN_CTX *bn_ctx = NULL;
1143 static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
1144 static size_t invalid_seed_len = sizeof(invalid_seed);
1145 ECPARAMETERS *params = NULL, *other_params = NULL;
1146 EC_GROUP *g_ary[8] = {NULL};
1147 EC_GROUP **g_next = &g_ary[0];
1148 ECPARAMETERS *p_ary[8] = {NULL};
1149 ECPARAMETERS **p_next = &p_ary[0];
1150
1151 /* Do some setup */
1152 nid = curves[id].nid;
1153 TEST_note("Curve %s", OBJ_nid2sn(nid));
1154 if (!TEST_ptr(bn_ctx = BN_CTX_new()))
1155 return ret;
1156 BN_CTX_start(bn_ctx);
1157
1158 if (/* Allocations */
1159 !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
1160 || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
1161 || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
1162 || !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
1163 || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
1164 /* Generate reference group and params */
1165 || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
1166 || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
1167 || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
1168 || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
1169 || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
1170 /* compute `other_*` values */
1171 || !TEST_ptr(tmpg = EC_GROUP_dup(group))
1172 || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
1173 || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
1174 || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
1175 other_gen_x, other_gen_y, bn_ctx))
1176 || !TEST_true(BN_copy(other_order, group_order))
1177 || !TEST_true(BN_add_word(other_order, 1))
1178 || !TEST_true(BN_copy(other_cofactor, group_cofactor))
1179 || !TEST_true(BN_add_word(other_cofactor, 1)))
1180 goto err;
1181
1182 EC_POINT_free(other_gen);
1183 other_gen = NULL;
1184
1185 if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
1186 || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
1187 other_gen_x, other_gen_y,
1188 bn_ctx)))
1189 goto err;
1190
1191 /*
1192 * ###########################
1193 * # Actual tests start here #
1194 * ###########################
1195 */
1196
1197 /*
1198 * Creating a group from built-in explicit parameters returns a
1199 * "named" EC_GROUP
1200 */
1201 if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
1202 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
1203 goto err;
1204 /*
1205 * We cannot always guarantee the names match, as the built-in table
1206 * contains aliases for the same curve with different names.
1207 */
1208 if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
1209 TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
1210 goto err;
1211 }
1212 /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
1213 if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
1214 goto err;
1215
1216 /*
1217 * An invalid seed in the parameters should be ignored: expect a "named"
1218 * group.
1219 */
1220 if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
1221 invalid_seed_len)
1222 || !TEST_ptr(other_params = *p_next++ =
1223 EC_GROUP_get_ecparameters(tmpg, NULL))
1224 || !TEST_ptr(tgroup = *g_next++ =
1225 EC_GROUP_new_from_ecparameters(other_params))
1226 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1227 || !TEST_true(are_ec_nids_compatible(nid, tnid))
1228 || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1229 OPENSSL_EC_EXPLICIT_CURVE)) {
1230 TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
1231 goto err;
1232 }
1233
1234 /*
1235 * A null seed in the parameters should be ignored, as it is optional:
1236 * expect a "named" group.
1237 */
1238 if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
1239 || !TEST_ptr(other_params = *p_next++ =
1240 EC_GROUP_get_ecparameters(tmpg, NULL))
1241 || !TEST_ptr(tgroup = *g_next++ =
1242 EC_GROUP_new_from_ecparameters(other_params))
1243 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1244 || !TEST_true(are_ec_nids_compatible(nid, tnid))
1245 || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1246 OPENSSL_EC_EXPLICIT_CURVE)) {
1247 TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
1248 goto err;
1249 }
1250
1251 /*
1252 * Check that changing any of the generator parameters does not yield a
1253 * match with the built-in curves
1254 */
1255 if (/* Other gen, same group order & cofactor */
1256 !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
1257 group_cofactor))
1258 || !TEST_ptr(other_params = *p_next++ =
1259 EC_GROUP_get_ecparameters(tmpg, NULL))
1260 || !TEST_ptr(tgroup = *g_next++ =
1261 EC_GROUP_new_from_ecparameters(other_params))
1262 || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1263 /* Same gen & cofactor, different order */
1264 || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
1265 group_cofactor))
1266 || !TEST_ptr(other_params = *p_next++ =
1267 EC_GROUP_get_ecparameters(tmpg, NULL))
1268 || !TEST_ptr(tgroup = *g_next++ =
1269 EC_GROUP_new_from_ecparameters(other_params))
1270 || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1271 /* The order is not an optional field, so this should fail */
1272 || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
1273 group_cofactor))
1274 /* Check that a wrong cofactor is ignored, and we still match */
1275 || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
1276 other_cofactor))
1277 || !TEST_ptr(other_params = *p_next++ =
1278 EC_GROUP_get_ecparameters(tmpg, NULL))
1279 || !TEST_ptr(tgroup = *g_next++ =
1280 EC_GROUP_new_from_ecparameters(other_params))
1281 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1282 || !TEST_true(are_ec_nids_compatible(nid, tnid))
1283 || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1284 OPENSSL_EC_EXPLICIT_CURVE)
1285 /* Check that if the cofactor is not set then it still matches */
1286 || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
1287 NULL))
1288 || !TEST_ptr(other_params = *p_next++ =
1289 EC_GROUP_get_ecparameters(tmpg, NULL))
1290 || !TEST_ptr(tgroup = *g_next++ =
1291 EC_GROUP_new_from_ecparameters(other_params))
1292 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1293 || !TEST_true(are_ec_nids_compatible(nid, tnid))
1294 || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1295 OPENSSL_EC_EXPLICIT_CURVE)
1296 /* check that restoring the generator passes */
1297 || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
1298 group_cofactor))
1299 || !TEST_ptr(other_params = *p_next++ =
1300 EC_GROUP_get_ecparameters(tmpg, NULL))
1301 || !TEST_ptr(tgroup = *g_next++ =
1302 EC_GROUP_new_from_ecparameters(other_params))
1303 || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
1304 || !TEST_true(are_ec_nids_compatible(nid, tnid))
1305 || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
1306 OPENSSL_EC_EXPLICIT_CURVE))
1307 goto err;
1308
1309 ret = 1;
1310 err:
1311 for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
1312 EC_GROUP_free(*g_next);
1313 for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)
1314 ECPARAMETERS_free(*p_next);
1315 ECPARAMETERS_free(params);
1316 EC_POINT_free(other_gen);
1317 EC_GROUP_free(tmpg);
1318 EC_GROUP_free(group);
1319 BN_CTX_end(bn_ctx);
1320 BN_CTX_free(bn_ctx);
1321 return ret;
1322 }
1323
1324
1325 static int parameter_test(void)
1326 {
1327 EC_GROUP *group = NULL, *group2 = NULL;
1328 ECPARAMETERS *ecparameters = NULL;
1329 unsigned char *buf = NULL;
1330 int r = 0, len;
1331 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1))
1332 || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
1333 || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
1334 || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
1335 goto err;
1336
1337 EC_GROUP_free(group);
1338 group = NULL;
1339
1340 /* Test the named curve encoding, which should be default. */
1341 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1))
1342 || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
1343 || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named)))
1344 goto err;
1345
1346 OPENSSL_free(buf);
1347 buf = NULL;
1348
1349 /*
1350 * Test the explicit encoding. P-521 requires correctly zero-padding the
1351 * curve coefficients.
1352 */
1353 EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
1354 if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
1355 || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit)))
1356 goto err;
1357
1358 r = 1;
1359 err:
1360 EC_GROUP_free(group);
1361 EC_GROUP_free(group2);
1362 ECPARAMETERS_free(ecparameters);
1363 OPENSSL_free(buf);
1364 return r;
1365 }
1366
1367 /*-
1368 * random 256-bit explicit parameters curve, cofactor absent
1369 * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
1370 * cofactor: 0x12bc94785251297abfafddf1565100da (125 bit)
1371 */
1372 static const unsigned char params_cf_pass[] = {
1373 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
1374 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5,
1375 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
1376 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
1377 0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5,
1378 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
1379 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
1380 0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc,
1381 0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27,
1382 0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23,
1383 0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77,
1384 0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b,
1385 0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4,
1386 0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9,
1387 0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a,
1388 0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c,
1389 0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96,
1390 0x14, 0xa8, 0x2f, 0x4f
1391 };
1392
1393 /*-
1394 * random 256-bit explicit parameters curve, cofactor absent
1395 * order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
1396 * cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
1397 */
1398 static const unsigned char params_cf_fail[] = {
1399 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
1400 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37,
1401 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
1402 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
1403 0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37,
1404 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
1405 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
1406 0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09,
1407 0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d,
1408 0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02,
1409 0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59,
1410 0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11,
1411 0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24,
1412 0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70,
1413 0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73,
1414 0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04,
1415 0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e,
1416 0x34, 0xa2, 0x21, 0x01
1417 };
1418
1419 /*-
1420 * Test two random 256-bit explicit parameters curves with absent cofactor.
1421 * The two curves are chosen to roughly straddle the bounds at which the lib
1422 * can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
1423 *
1424 * - params_cf_pass: order is sufficiently close to p to compute cofactor
1425 * - params_cf_fail: order is too far away from p to compute cofactor
1426 *
1427 * For standards-compliant curves, cofactor is chosen as small as possible.
1428 * So you can see neither of these curves are fit for cryptographic use.
1429 *
1430 * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
1431 * h <= 2**(t/8) where t is the security level of the curve, for which the lib
1432 * will always succeed in computing the cofactor. Neither of these curves
1433 * conform to that -- this is just robustness testing.
1434 */
1435 static int cofactor_range_test(void)
1436 {
1437 EC_GROUP *group = NULL;
1438 BIGNUM *cf = NULL;
1439 int ret = 0;
1440 const unsigned char *b1 = (const unsigned char *)params_cf_fail;
1441 const unsigned char *b2 = (const unsigned char *)params_cf_pass;
1442
1443 if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
1444 || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
1445 || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
1446 sizeof(params_cf_pass)))
1447 || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
1448 || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
1449 goto err;
1450 ret = 1;
1451 err:
1452 BN_free(cf);
1453 EC_GROUP_free(group);
1454 return ret;
1455 }
1456
1457 /*-
1458 * For named curves, test that:
1459 * - the lib correctly computes the cofactor if passed a NULL or zero cofactor
1460 * - a nonsensical cofactor throws an error (negative test)
1461 * - nonsensical orders throw errors (negative tests)
1462 */
1463 static int cardinality_test(int n)
1464 {
1465 int ret = 0, is_binary = 0;
1466 int nid = curves[n].nid;
1467 BN_CTX *ctx = NULL;
1468 EC_GROUP *g1 = NULL, *g2 = NULL;
1469 EC_POINT *g2_gen = NULL;
1470 BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
1471 *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;
1472
1473 TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
1474
1475 if (!TEST_ptr(ctx = BN_CTX_new())
1476 || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))) {
1477 BN_CTX_free(ctx);
1478 return 0;
1479 }
1480
1481 is_binary = (EC_GROUP_get_field_type(g1) == NID_X9_62_characteristic_two_field);
1482
1483 BN_CTX_start(ctx);
1484 g1_p = BN_CTX_get(ctx);
1485 g1_a = BN_CTX_get(ctx);
1486 g1_b = BN_CTX_get(ctx);
1487 g1_x = BN_CTX_get(ctx);
1488 g1_y = BN_CTX_get(ctx);
1489 g1_order = BN_CTX_get(ctx);
1490 g1_cf = BN_CTX_get(ctx);
1491
1492 if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
1493 /* pull out the explicit curve parameters */
1494 || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
1495 || !TEST_true(EC_POINT_get_affine_coordinates(g1,
1496 EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
1497 || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
1498 || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
1499 /* construct g2 manually with g1 parameters */
1500 #ifndef OPENSSL_NO_EC2M
1501 || !TEST_ptr(g2 = (is_binary) ?
1502 EC_GROUP_new_curve_GF2m(g1_p, g1_a, g1_b, ctx) :
1503 EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx))
1504 #else
1505 || !TEST_int_eq(0, is_binary)
1506 || !TEST_ptr(g2 = EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx))
1507 #endif
1508 || !TEST_ptr(g2_gen = EC_POINT_new(g2))
1509 || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
1510 /* pass NULL cofactor: lib should compute it */
1511 || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
1512 || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
1513 || !TEST_BN_eq(g1_cf, g2_cf)
1514 /* pass zero cofactor: lib should compute it */
1515 || !TEST_true(BN_set_word(g2_cf, 0))
1516 || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
1517 || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
1518 || !TEST_BN_eq(g1_cf, g2_cf)
1519 /* negative test for invalid cofactor */
1520 || !TEST_true(BN_set_word(g2_cf, 0))
1521 || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
1522 || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
1523 /* negative test for NULL order */
1524 || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
1525 /* negative test for zero order */
1526 || !TEST_true(BN_set_word(g1_order, 0))
1527 || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
1528 /* negative test for negative order */
1529 || !TEST_true(BN_set_word(g2_cf, 0))
1530 || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
1531 || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
1532 /* negative test for too large order */
1533 || !TEST_true(BN_lshift(g1_order, g1_p, 2))
1534 || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
1535 goto err;
1536 ret = 1;
1537 err:
1538 EC_POINT_free(g2_gen);
1539 EC_GROUP_free(g1);
1540 EC_GROUP_free(g2);
1541 BN_CTX_end(ctx);
1542 BN_CTX_free(ctx);
1543 return ret;
1544 }
1545
1546 static int check_ec_key_field_public_range_test(int id)
1547 {
1548 int ret = 0, type = 0;
1549 const EC_POINT *pub = NULL;
1550 const EC_GROUP *group = NULL;
1551 const BIGNUM *field = NULL;
1552 BIGNUM *x = NULL, *y = NULL;
1553 EC_KEY *key = NULL;
1554
1555 if (!TEST_ptr(x = BN_new())
1556 || !TEST_ptr(y = BN_new())
1557 || !TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid))
1558 || !TEST_ptr(group = EC_KEY_get0_group(key))
1559 || !TEST_ptr(field = EC_GROUP_get0_field(group))
1560 || !TEST_int_gt(EC_KEY_generate_key(key), 0)
1561 || !TEST_int_gt(EC_KEY_check_key(key), 0)
1562 || !TEST_ptr(pub = EC_KEY_get0_public_key(key))
1563 || !TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y,
1564 NULL), 0))
1565 goto err;
1566
1567 /*
1568 * Make the public point out of range by adding the field (which will still
1569 * be the same point on the curve). The add is different for char2 fields.
1570 */
1571 type = EC_GROUP_get_field_type(group);
1572 #ifndef OPENSSL_NO_EC2M
1573 if (type == NID_X9_62_characteristic_two_field) {
1574 /* test for binary curves */
1575 if (!TEST_true(BN_GF2m_add(x, x, field)))
1576 goto err;
1577 } else
1578 #endif
1579 if (type == NID_X9_62_prime_field) {
1580 /* test for prime curves */
1581 if (!TEST_true(BN_add(x, x, field)))
1582 goto err;
1583 } else {
1584 /* this should never happen */
1585 TEST_error("Unsupported EC_METHOD field_type");
1586 goto err;
1587 }
1588 if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0))
1589 goto err;
1590
1591 ret = 1;
1592 err:
1593 BN_free(x);
1594 BN_free(y);
1595 EC_KEY_free(key);
1596 return ret;
1597 }
1598
1599 /*
1600 * Helper for ec_point_hex2point_test
1601 *
1602 * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given
1603 * (group,P) pair.
1604 *
1605 * If P is NULL use point at infinity.
1606 */
1607 static ossl_inline
1608 int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P,
1609 point_conversion_form_t form,
1610 BN_CTX *bnctx)
1611 {
1612 int ret = 0;
1613 EC_POINT *Q = NULL, *Pinf = NULL;
1614 char *hex = NULL;
1615
1616 if (P == NULL) {
1617 /* If P is NULL use point at infinity. */
1618 if (!TEST_ptr(Pinf = EC_POINT_new(group))
1619 || !TEST_true(EC_POINT_set_to_infinity(group, Pinf)))
1620 goto err;
1621 P = Pinf;
1622 }
1623
1624 if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx))
1625 || !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx))
1626 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx)))
1627 goto err;
1628
1629 /*
1630 * The next check is most likely superfluous, as EC_POINT_cmp should already
1631 * cover this.
1632 * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity,
1633 * so we include it anyway!
1634 */
1635 if (Pinf != NULL
1636 && !TEST_true(EC_POINT_is_at_infinity(group, Q)))
1637 goto err;
1638
1639 ret = 1;
1640
1641 err:
1642 EC_POINT_free(Pinf);
1643 OPENSSL_free(hex);
1644 EC_POINT_free(Q);
1645
1646 return ret;
1647 }
1648
1649 /*
1650 * This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex()
1651 */
1652 static int ec_point_hex2point_test(int id)
1653 {
1654 int ret = 0, nid;
1655 EC_GROUP *group = NULL;
1656 const EC_POINT *G = NULL;
1657 EC_POINT *P = NULL;
1658 BN_CTX * bnctx = NULL;
1659
1660 /* Do some setup */
1661 nid = curves[id].nid;
1662 if (!TEST_ptr(bnctx = BN_CTX_new())
1663 || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
1664 || !TEST_ptr(G = EC_GROUP_get0_generator(group))
1665 || !TEST_ptr(P = EC_POINT_dup(G, group)))
1666 goto err;
1667
1668 if (!TEST_true(ec_point_hex2point_test_helper(group, P,
1669 POINT_CONVERSION_COMPRESSED,
1670 bnctx))
1671 || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
1672 POINT_CONVERSION_COMPRESSED,
1673 bnctx))
1674 || !TEST_true(ec_point_hex2point_test_helper(group, P,
1675 POINT_CONVERSION_UNCOMPRESSED,
1676 bnctx))
1677 || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
1678 POINT_CONVERSION_UNCOMPRESSED,
1679 bnctx))
1680 || !TEST_true(ec_point_hex2point_test_helper(group, P,
1681 POINT_CONVERSION_HYBRID,
1682 bnctx))
1683 || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
1684 POINT_CONVERSION_HYBRID,
1685 bnctx)))
1686 goto err;
1687
1688 ret = 1;
1689
1690 err:
1691 EC_POINT_free(P);
1692 EC_GROUP_free(group);
1693 BN_CTX_free(bnctx);
1694
1695 return ret;
1696 }
1697
1698 static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
1699 unsigned char *gen, int gen_size)
1700 {
1701 int ret = 0, i_out;
1702 EVP_PKEY_CTX *pctx = NULL;
1703 EVP_PKEY *pkeyparam = NULL;
1704 OSSL_PARAM_BLD *bld = NULL;
1705 const char *field_name;
1706 OSSL_PARAM *params = NULL;
1707 const OSSL_PARAM *gettable;
1708 BIGNUM *p, *a, *b;
1709 BIGNUM *p_out = NULL, *a_out = NULL, *b_out = NULL;
1710 BIGNUM *order_out = NULL, *cofactor_out = NULL;
1711 char name[80];
1712 unsigned char buf[1024];
1713 size_t buf_len, name_len;
1714 #ifndef OPENSSL_NO_EC2M
1715 unsigned int k1 = 0, k2 = 0, k3 = 0;
1716 const char *basis_name = NULL;
1717 #endif
1718
1719 p = BN_CTX_get(ctx);
1720 a = BN_CTX_get(ctx);
1721 b = BN_CTX_get(ctx);
1722
1723 if (!TEST_ptr(b)
1724 || !TEST_ptr(bld = OSSL_PARAM_BLD_new()))
1725 goto err;
1726
1727 if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) {
1728 field_name = SN_X9_62_prime_field;
1729 } else {
1730 field_name = SN_X9_62_characteristic_two_field;
1731 #ifndef OPENSSL_NO_EC2M
1732 if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) {
1733 basis_name = SN_X9_62_tpBasis;
1734 if (!TEST_true(EC_GROUP_get_trinomial_basis(group, &k1)))
1735 goto err;
1736 } else {
1737 basis_name = SN_X9_62_ppBasis;
1738 if (!TEST_true(EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3)))
1739 goto err;
1740 }
1741 #endif /* OPENSSL_NO_EC2M */
1742 }
1743 if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx))
1744 || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
1745 OSSL_PKEY_PARAM_EC_FIELD_TYPE, field_name, 0))
1746 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_P, p))
1747 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_A, a))
1748 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_B, b)))
1749 goto err;
1750
1751 if (EC_GROUP_get0_seed(group) != NULL) {
1752 if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
1753 OSSL_PKEY_PARAM_EC_SEED, EC_GROUP_get0_seed(group),
1754 EC_GROUP_get_seed_len(group))))
1755 goto err;
1756 }
1757 if (EC_GROUP_get0_cofactor(group) != NULL) {
1758 if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_COFACTOR,
1759 EC_GROUP_get0_cofactor(group))))
1760 goto err;
1761 }
1762
1763 if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
1764 OSSL_PKEY_PARAM_EC_GENERATOR, gen, gen_size))
1765 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_ORDER,
1766 EC_GROUP_get0_order(group))))
1767 goto err;
1768
1769 if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
1770 || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
1771 || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
1772 || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
1773 EVP_PKEY_KEY_PARAMETERS, params), 0))
1774 goto err;
1775
1776 /*- Check that all the set values are retrievable -*/
1777
1778 /* There should be no match to a group name since the generator changed */
1779 if (!TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam,
1780 OSSL_PKEY_PARAM_GROUP_NAME, name, sizeof(name),
1781 &name_len)))
1782 goto err;
1783
1784 /* The encoding should be explicit as it has no group */
1785 if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
1786 OSSL_PKEY_PARAM_EC_ENCODING,
1787 name, sizeof(name), &name_len))
1788 || !TEST_str_eq(name, OSSL_PKEY_EC_ENCODING_EXPLICIT))
1789 goto err;
1790
1791 if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
1792 OSSL_PKEY_PARAM_EC_FIELD_TYPE, name, sizeof(name),
1793 &name_len))
1794 || !TEST_str_eq(name, field_name))
1795 goto err;
1796
1797 if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam,
1798 OSSL_PKEY_PARAM_EC_GENERATOR, buf, sizeof(buf), &buf_len))
1799 || !TEST_mem_eq(buf, (int)buf_len, gen, gen_size))
1800 goto err;
1801
1802 if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_P, &p_out))
1803 || !TEST_BN_eq(p_out, p)
1804 || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_A,
1805 &a_out))
1806 || !TEST_BN_eq(a_out, a)
1807 || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_B,
1808 &b_out))
1809 || !TEST_BN_eq(b_out, b)
1810 || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_ORDER,
1811 &order_out))
1812 || !TEST_BN_eq(order_out, EC_GROUP_get0_order(group)))
1813 goto err;
1814
1815 if (EC_GROUP_get0_cofactor(group) != NULL) {
1816 if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam,
1817 OSSL_PKEY_PARAM_EC_COFACTOR, &cofactor_out))
1818 || !TEST_BN_eq(cofactor_out, EC_GROUP_get0_cofactor(group)))
1819 goto err;
1820 }
1821 if (EC_GROUP_get0_seed(group) != NULL) {
1822 if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam,
1823 OSSL_PKEY_PARAM_EC_SEED, buf, sizeof(buf), &buf_len))
1824 || !TEST_mem_eq(buf, buf_len, EC_GROUP_get0_seed(group),
1825 EC_GROUP_get_seed_len(group)))
1826 goto err;
1827 }
1828
1829 if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) {
1830 /* No extra fields should be set for a prime field */
1831 if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1832 OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out))
1833 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1834 OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out))
1835 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1836 OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out))
1837 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1838 OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out))
1839 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1840 OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out))
1841 || !TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam,
1842 OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name),
1843 &name_len)))
1844 goto err;
1845 } else {
1846 #ifndef OPENSSL_NO_EC2M
1847 if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam,
1848 OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out))
1849 || !TEST_int_eq(EC_GROUP_get_degree(group), i_out)
1850 || !TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
1851 OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name),
1852 &name_len))
1853 || !TEST_str_eq(name, basis_name))
1854 goto err;
1855
1856 if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) {
1857 if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam,
1858 OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out))
1859 || !TEST_int_eq(k1, i_out)
1860 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1861 OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out))
1862 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1863 OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out))
1864 || !TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1865 OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)))
1866 goto err;
1867 } else {
1868 if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
1869 OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out))
1870 || !TEST_true(EVP_PKEY_get_int_param(pkeyparam,
1871 OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out))
1872 || !TEST_int_eq(k1, i_out)
1873 || !TEST_true(EVP_PKEY_get_int_param(pkeyparam,
1874 OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out))
1875 || !TEST_int_eq(k2, i_out)
1876 || !TEST_true(EVP_PKEY_get_int_param(pkeyparam,
1877 OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out))
1878 || !TEST_int_eq(k3, i_out))
1879 goto err;
1880 }
1881 #endif /* OPENSSL_NO_EC2M */
1882 }
1883 if (!TEST_ptr(gettable = EVP_PKEY_gettable_params(pkeyparam))
1884 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_GROUP_NAME))
1885 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ENCODING))
1886 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_FIELD_TYPE))
1887 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_P))
1888 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_A))
1889 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_B))
1890 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_GENERATOR))
1891 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ORDER))
1892 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_COFACTOR))
1893 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_SEED))
1894 #ifndef OPENSSL_NO_EC2M
1895 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_M))
1896 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TYPE))
1897 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS))
1898 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K1))
1899 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K2))
1900 || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K3))
1901 #endif
1902 )
1903 goto err;
1904 ret = 1;
1905 err:
1906 BN_free(order_out);
1907 BN_free(cofactor_out);
1908 BN_free(a_out);
1909 BN_free(b_out);
1910 BN_free(p_out);
1911 OSSL_PARAM_free(params);
1912 OSSL_PARAM_BLD_free(bld);
1913 EVP_PKEY_free(pkeyparam);
1914 EVP_PKEY_CTX_free(pctx);
1915 return ret;
1916 }
1917
1918 /*
1919 * check the EC_METHOD respects the supplied EC_GROUP_set_generator G
1920 */
1921 static int custom_generator_test(int id)
1922 {
1923 int ret = 0, nid, bsize;
1924 EC_GROUP *group = NULL;
1925 EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
1926 BN_CTX *ctx = NULL;
1927 BIGNUM *k = NULL;
1928 unsigned char *b1 = NULL, *b2 = NULL;
1929
1930 /* Do some setup */
1931 nid = curves[id].nid;
1932 TEST_note("Curve %s", OBJ_nid2sn(nid));
1933 if (!TEST_ptr(ctx = BN_CTX_new()))
1934 return 0;
1935
1936 BN_CTX_start(ctx);
1937
1938 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
1939 goto err;
1940
1941 /* expected byte length of encoded points */
1942 bsize = (EC_GROUP_get_degree(group) + 7) / 8;
1943 bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */
1944
1945 if (!TEST_ptr(k = BN_CTX_get(ctx))
1946 /* fetch a testing scalar k != 0,1 */
1947 || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
1948 BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
1949 /* make k even */
1950 || !TEST_true(BN_clear_bit(k, 0))
1951 || !TEST_ptr(G2 = EC_POINT_new(group))
1952 || !TEST_ptr(Q1 = EC_POINT_new(group))
1953 /* Q1 := kG */
1954 || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
1955 /* pull out the bytes of that */
1956 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
1957 POINT_CONVERSION_UNCOMPRESSED, NULL,
1958 0, ctx), bsize)
1959 || !TEST_ptr(b1 = OPENSSL_malloc(bsize))
1960 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
1961 POINT_CONVERSION_UNCOMPRESSED, b1,
1962 bsize, ctx), bsize)
1963 /* new generator is G2 := 2G */
1964 || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
1965 ctx))
1966 || !TEST_true(EC_GROUP_set_generator(group, G2,
1967 EC_GROUP_get0_order(group),
1968 EC_GROUP_get0_cofactor(group)))
1969 || !TEST_ptr(Q2 = EC_POINT_new(group))
1970 || !TEST_true(BN_rshift1(k, k))
1971 /* Q2 := k/2 G2 */
1972 || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
1973 || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
1974 POINT_CONVERSION_UNCOMPRESSED, NULL,
1975 0, ctx), bsize)
1976 || !TEST_ptr(b2 = OPENSSL_malloc(bsize))
1977 || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
1978 POINT_CONVERSION_UNCOMPRESSED, b2,
1979 bsize, ctx), bsize)
1980 /* Q1 = kG = k/2 G2 = Q2 should hold */
1981 || !TEST_mem_eq(b1, bsize, b2, bsize))
1982 goto err;
1983
1984 if (!do_test_custom_explicit_fromdata(group, ctx, b1, bsize))
1985 goto err;
1986
1987 ret = 1;
1988
1989 err:
1990 EC_POINT_free(Q1);
1991 EC_POINT_free(Q2);
1992 EC_POINT_free(G2);
1993 EC_GROUP_free(group);
1994 BN_CTX_end(ctx);
1995 BN_CTX_free(ctx);
1996 OPENSSL_free(b1);
1997 OPENSSL_free(b2);
1998
1999 return ret;
2000 }
2001
2002 /*
2003 * check creation of curves from explicit params through the public API
2004 */
2005 static int custom_params_test(int id)
2006 {
2007 int ret = 0, nid, bsize;
2008 const char *curve_name = NULL;
2009 EC_GROUP *group = NULL, *altgroup = NULL;
2010 EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
2011 const EC_POINT *Q = NULL;
2012 BN_CTX *ctx = NULL;
2013 BIGNUM *k = NULL;
2014 unsigned char *buf1 = NULL, *buf2 = NULL;
2015 const BIGNUM *z = NULL, *cof = NULL, *priv1 = NULL;
2016 BIGNUM *p = NULL, *a = NULL, *b = NULL;
2017 int is_prime = 0;
2018 EC_KEY *eckey1 = NULL, *eckey2 = NULL;
2019 EVP_PKEY *pkey1 = NULL, *pkey2 = NULL;
2020 EVP_PKEY_CTX *pctx1 = NULL, *pctx2 = NULL;
2021 size_t sslen, t;
2022 unsigned char *pub1 = NULL , *pub2 = NULL;
2023 OSSL_PARAM_BLD *param_bld = NULL;
2024 OSSL_PARAM *params1 = NULL, *params2 = NULL;
2025
2026 /* Do some setup */
2027 nid = curves[id].nid;
2028 curve_name = OBJ_nid2sn(nid);
2029 TEST_note("Curve %s", curve_name);
2030
2031 if (nid == NID_sm2)
2032 return TEST_skip("custom params not supported with SM2");
2033
2034 if (!TEST_ptr(ctx = BN_CTX_new()))
2035 return 0;
2036
2037 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
2038 goto err;
2039
2040 is_prime = EC_GROUP_get_field_type(group) == NID_X9_62_prime_field;
2041 #ifdef OPENSSL_NO_EC2M
2042 if (!is_prime) {
2043 ret = TEST_skip("binary curves not supported in this build");
2044 goto err;
2045 }
2046 #endif
2047
2048 BN_CTX_start(ctx);
2049 if (!TEST_ptr(p = BN_CTX_get(ctx))
2050 || !TEST_ptr(a = BN_CTX_get(ctx))
2051 || !TEST_ptr(b = BN_CTX_get(ctx))
2052 || !TEST_ptr(k = BN_CTX_get(ctx)))
2053 goto err;
2054
2055 /* expected byte length of encoded points */
2056 bsize = (EC_GROUP_get_degree(group) + 7) / 8;
2057 bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */
2058
2059 /* extract parameters from built-in curve */
2060 if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx))
2061 || !TEST_ptr(G2 = EC_POINT_new(group))
2062 /* new generator is G2 := 2G */
2063 || !TEST_true(EC_POINT_dbl(group, G2,
2064 EC_GROUP_get0_generator(group), ctx))
2065 /* pull out the bytes of that */
2066 || !TEST_int_eq(EC_POINT_point2oct(group, G2,
2067 POINT_CONVERSION_UNCOMPRESSED,
2068 NULL, 0, ctx), bsize)
2069 || !TEST_ptr(buf1 = OPENSSL_malloc(bsize))
2070 || !TEST_int_eq(EC_POINT_point2oct(group, G2,
2071 POINT_CONVERSION_UNCOMPRESSED,
2072 buf1, bsize, ctx), bsize)
2073 || !TEST_ptr(z = EC_GROUP_get0_order(group))
2074 || !TEST_ptr(cof = EC_GROUP_get0_cofactor(group))
2075 )
2076 goto err;
2077
2078 /* create a new group using same params (but different generator) */
2079 if (is_prime) {
2080 if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GFp(p, a, b, ctx)))
2081 goto err;
2082 }
2083 #ifndef OPENSSL_NO_EC2M
2084 else {
2085 if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
2086 goto err;
2087 }
2088 #endif
2089
2090 /* set 2*G as the generator of altgroup */
2091 EC_POINT_free(G2); /* discard G2 as it refers to the original group */
2092 if (!TEST_ptr(G2 = EC_POINT_new(altgroup))
2093 || !TEST_true(EC_POINT_oct2point(altgroup, G2, buf1, bsize, ctx))
2094 || !TEST_int_eq(EC_POINT_is_on_curve(altgroup, G2, ctx), 1)
2095 || !TEST_true(EC_GROUP_set_generator(altgroup, G2, z, cof))
2096 )
2097 goto err;
2098
2099 /* verify math checks out */
2100 if (/* allocate temporary points on group and altgroup */
2101 !TEST_ptr(Q1 = EC_POINT_new(group))
2102 || !TEST_ptr(Q2 = EC_POINT_new(altgroup))
2103 /* fetch a testing scalar k != 0,1 */
2104 || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
2105 BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
2106 /* make k even */
2107 || !TEST_true(BN_clear_bit(k, 0))
2108 /* Q1 := kG on group */
2109 || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
2110 /* pull out the bytes of that */
2111 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2112 POINT_CONVERSION_UNCOMPRESSED,
2113 NULL, 0, ctx), bsize)
2114 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2115 POINT_CONVERSION_UNCOMPRESSED,
2116 buf1, bsize, ctx), bsize)
2117 /* k := k/2 */
2118 || !TEST_true(BN_rshift1(k, k))
2119 /* Q2 := k/2 G2 on altgroup */
2120 || !TEST_true(EC_POINT_mul(altgroup, Q2, k, NULL, NULL, ctx))
2121 /* pull out the bytes of that */
2122 || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2,
2123 POINT_CONVERSION_UNCOMPRESSED,
2124 NULL, 0, ctx), bsize)
2125 || !TEST_ptr(buf2 = OPENSSL_malloc(bsize))
2126 || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2,
2127 POINT_CONVERSION_UNCOMPRESSED,
2128 buf2, bsize, ctx), bsize)
2129 /* Q1 = kG = k/2 G2 = Q2 should hold */
2130 || !TEST_mem_eq(buf1, bsize, buf2, bsize))
2131 goto err;
2132
2133 /* create two `EC_KEY`s on altgroup */
2134 if (!TEST_ptr(eckey1 = EC_KEY_new())
2135 || !TEST_true(EC_KEY_set_group(eckey1, altgroup))
2136 || !TEST_true(EC_KEY_generate_key(eckey1))
2137 || !TEST_ptr(eckey2 = EC_KEY_new())
2138 || !TEST_true(EC_KEY_set_group(eckey2, altgroup))
2139 || !TEST_true(EC_KEY_generate_key(eckey2)))
2140 goto err;
2141
2142 /* retrieve priv1 for later */
2143 if (!TEST_ptr(priv1 = EC_KEY_get0_private_key(eckey1)))
2144 goto err;
2145
2146 /*
2147 * retrieve bytes for pub1 for later
2148 *
2149 * We compute the pub key in the original group as we will later use it to
2150 * define a provider key in the built-in group.
2151 */
2152 if (!TEST_true(EC_POINT_mul(group, Q1, priv1, NULL, NULL, ctx))
2153 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2154 POINT_CONVERSION_UNCOMPRESSED,
2155 NULL, 0, ctx), bsize)
2156 || !TEST_ptr(pub1 = OPENSSL_malloc(bsize))
2157 || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
2158 POINT_CONVERSION_UNCOMPRESSED,
2159 pub1, bsize, ctx), bsize))
2160 goto err;
2161
2162 /* retrieve bytes for pub2 for later */
2163 if (!TEST_ptr(Q = EC_KEY_get0_public_key(eckey2))
2164 || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q,
2165 POINT_CONVERSION_UNCOMPRESSED,
2166 NULL, 0, ctx), bsize)
2167 || !TEST_ptr(pub2 = OPENSSL_malloc(bsize))
2168 || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q,
2169 POINT_CONVERSION_UNCOMPRESSED,
2170 pub2, bsize, ctx), bsize))
2171 goto err;
2172
2173 /* create two `EVP_PKEY`s from the `EC_KEY`s */
2174 if(!TEST_ptr(pkey1 = EVP_PKEY_new())
2175 || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey1, eckey1), 1))
2176 goto err;
2177 eckey1 = NULL; /* ownership passed to pkey1 */
2178 if(!TEST_ptr(pkey2 = EVP_PKEY_new())
2179 || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey2, eckey2), 1))
2180 goto err;
2181 eckey2 = NULL; /* ownership passed to pkey2 */
2182
2183 /* Compute keyexchange in both directions */
2184 if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
2185 || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
2186 || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
2187 || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
2188 || !TEST_int_gt(bsize, sslen)
2189 || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
2190 goto err;
2191 if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
2192 || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
2193 || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
2194 || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
2195 || !TEST_int_gt(bsize, t)
2196 || !TEST_int_le(sslen, t)
2197 || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
2198 goto err;
2199
2200 /* Both sides should expect the same shared secret */
2201 if (!TEST_mem_eq(buf1, sslen, buf2, t))
2202 goto err;
2203
2204 /* Build parameters for provider-native keys */
2205 if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new())
2206 || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld,
2207 OSSL_PKEY_PARAM_GROUP_NAME,
2208 curve_name, 0))
2209 || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld,
2210 OSSL_PKEY_PARAM_PUB_KEY,
2211 pub1, bsize))
2212 || !TEST_true(OSSL_PARAM_BLD_push_BN(param_bld,
2213 OSSL_PKEY_PARAM_PRIV_KEY,
2214 priv1))
2215 || !TEST_ptr(params1 = OSSL_PARAM_BLD_to_param(param_bld)))
2216 goto err;
2217
2218 OSSL_PARAM_BLD_free(param_bld);
2219 if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new())
2220 || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld,
2221 OSSL_PKEY_PARAM_GROUP_NAME,
2222 curve_name, 0))
2223 || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld,
2224 OSSL_PKEY_PARAM_PUB_KEY,
2225 pub2, bsize))
2226 || !TEST_ptr(params2 = OSSL_PARAM_BLD_to_param(param_bld)))
2227 goto err;
2228
2229 /* create two new provider-native `EVP_PKEY`s */
2230 EVP_PKEY_CTX_free(pctx2);
2231 if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
2232 || !TEST_true(EVP_PKEY_fromdata_init(pctx2))
2233 || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey1, EVP_PKEY_KEYPAIR,
2234 params1))
2235 || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey2, EVP_PKEY_PUBLIC_KEY,
2236 params2)))
2237 goto err;
2238
2239 /* compute keyexchange once more using the provider keys */
2240 EVP_PKEY_CTX_free(pctx1);
2241 if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
2242 || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
2243 || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
2244 || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &t), 1)
2245 || !TEST_int_gt(bsize, t)
2246 || !TEST_int_le(sslen, t)
2247 || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &t), 1)
2248 /* compare with previous result */
2249 || !TEST_mem_eq(buf1, t, buf2, sslen))
2250 goto err;
2251
2252 ret = 1;
2253
2254 err:
2255 BN_CTX_end(ctx);
2256 BN_CTX_free(ctx);
2257 OSSL_PARAM_BLD_free(param_bld);
2258 OSSL_PARAM_free(params1);
2259 OSSL_PARAM_free(params2);
2260 EC_POINT_free(Q1);
2261 EC_POINT_free(Q2);
2262 EC_POINT_free(G2);
2263 EC_GROUP_free(group);
2264 EC_GROUP_free(altgroup);
2265 OPENSSL_free(buf1);
2266 OPENSSL_free(buf2);
2267 OPENSSL_free(pub1);
2268 OPENSSL_free(pub2);
2269 EC_KEY_free(eckey1);
2270 EC_KEY_free(eckey2);
2271 EVP_PKEY_free(pkey1);
2272 EVP_PKEY_free(pkey2);
2273 EVP_PKEY_CTX_free(pctx1);
2274 EVP_PKEY_CTX_free(pctx2);
2275
2276 return ret;
2277 }
2278
2279 int setup_tests(void)
2280 {
2281 crv_len = EC_get_builtin_curves(NULL, 0);
2282 if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len))
2283 || !TEST_true(EC_get_builtin_curves(curves, crv_len)))
2284 return 0;
2285
2286 ADD_TEST(parameter_test);
2287 /*ADD_TEST(cofactor_range_test);*/
2288 ADD_ALL_TESTS(cardinality_test, crv_len);
2289 ADD_TEST(prime_field_tests);
2290 #ifndef OPENSSL_NO_EC2M
2291 ADD_TEST(char2_field_tests);
2292 ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
2293 #endif
2294 ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
2295 ADD_ALL_TESTS(internal_curve_test, crv_len);
2296 ADD_ALL_TESTS(internal_curve_test_method, crv_len);
2297 ADD_TEST(group_field_test);
2298 ADD_ALL_TESTS(check_named_curve_test, crv_len);
2299 ADD_ALL_TESTS(check_named_curve_lookup_test, crv_len);
2300 ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
2301 ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
2302 ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
2303 /* ADD_ALL_TESTS(custom_generator_test, crv_len);
2304 ADD_ALL_TESTS(custom_params_test, crv_len); */
2305 return 1;
2306 }
2307
2308 void cleanup_tests(void)
2309 {
2310 OPENSSL_free(curves);
2311 }

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed