      1  1.1  christos /*
      2  1.1  christos  * Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved.
      3  1.1  christos  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
      4  1.1  christos  *
      5  1.1  christos  * Licensed under the Apache License 2.0 (the "License").  You may not use
      6  1.1  christos  * this file except in compliance with the License.  You can obtain a copy
      7  1.1  christos  * in the file LICENSE in the source distribution or at
      8  1.1  christos  * https://www.openssl.org/source/license.html
      9  1.1  christos  */
     10  1.1  christos 
     11  1.1  christos /*
     12  1.1  christos  * EC_KEY low level APIs are deprecated for public use, but still ok for
     13  1.1  christos  * internal use.
     14  1.1  christos  */
     15  1.1  christos #include "internal/deprecated.h"
     16  1.1  christos 
     17  1.1  christos #include <string.h>
     18  1.1  christos #include "internal/nelem.h"
     19  1.1  christos #include "testutil.h"
     20  1.1  christos 
     21  1.1  christos #include <openssl/ec.h>
     22  1.1  christos #ifndef OPENSSL_NO_ENGINE
     23  1.3  christos #include <openssl/engine.h>
     24  1.1  christos #endif
     25  1.1  christos #include <openssl/err.h>
     26  1.1  christos #include <openssl/obj_mac.h>
     27  1.1  christos #include <openssl/objects.h>
     28  1.1  christos #include <openssl/rand.h>
     29  1.1  christos #include <openssl/bn.h>
     30  1.1  christos #include <openssl/opensslconf.h>
     31  1.1  christos #include <openssl/core_names.h>
     32  1.1  christos #include <openssl/param_build.h>
     33  1.1  christos #include <openssl/evp.h>
     34  1.1  christos 
/*
 * File-scope state: a pointer to EC_builtin_curve entries and a count.
 * Nothing in this part of the file assigns or reads them; presumably test
 * setup fills them in -- confirm before relying on either being non-empty.
 */
static EC_builtin_curve *curves = NULL;
static size_t crv_len = 0;
     37  1.1  christos 
/*
 * Scalar-multiplication checks for |group| using the group order, scalars
 * longer than the order, and negative scalars.  Each such scalar has to act
 * like its residue modulo the order: order * G must be the point at infinity
 * and (1 - order) * P, (1 + order) * P and (1 - order^2) * P must all equal P.
 *
 * The loop body runs twice, with P = G (i == 1) and with P = 2 * G (i == 2).
 * G is obtained with EC_GROUP_get0_generator() and is not freed here; every
 * other object allocated below is released on all exit paths.
 *
 * Returns 1 when every check passes, 0 otherwise.
 */
static int group_order_tests(EC_GROUP *group)
{
    BIGNUM *n1 = NULL;
    BIGNUM *n2 = NULL;
    BIGNUM *order = NULL;
    EC_POINT *P = NULL;
    EC_POINT *Q = NULL;
    EC_POINT *R = NULL;
    EC_POINT *S = NULL;
    const EC_POINT *G = NULL;
    BN_CTX *ctx = NULL;
    int i = 0, r = 0;

    /* Scratch big numbers and the BN context. */
    if (!TEST_ptr(n1 = BN_new())
        || !TEST_ptr(n2 = BN_new())
        || !TEST_ptr(order = BN_new())
        || !TEST_ptr(ctx = BN_CTX_new()))
        goto err;

    /* The group's generator and four working points. */
    if (!TEST_ptr(G = EC_GROUP_get0_generator(group))
        || !TEST_ptr(P = EC_POINT_new(group))
        || !TEST_ptr(Q = EC_POINT_new(group))
        || !TEST_ptr(R = EC_POINT_new(group))
        || !TEST_ptr(S = EC_POINT_new(group)))
        goto err;

    /* order * G must be the point at infinity. */
    if (!TEST_true(EC_GROUP_get_order(group, order, ctx))
        || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
        || !TEST_true(EC_POINT_is_at_infinity(group, Q)))
        goto err;

#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (!TEST_true(EC_GROUP_precompute_mult(group, ctx)))
        goto err;
#endif

    /* Same check again, now after the precomputation call (if built in). */
    if (!TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
        || !TEST_true(EC_POINT_is_at_infinity(group, Q)))
        goto err;

    /* 1 * G must compare equal to a copy of G. */
    if (!TEST_true(EC_POINT_copy(P, G))
        || !TEST_true(BN_one(n1))
        || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
        goto err;

    /* -((order - 1) * G) must also equal G. */
    if (!TEST_true(BN_sub(n1, order, n1))
        || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
        || !TEST_true(EC_POINT_invert(group, Q, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
        goto err;

    for (i = 1; i <= 2; i++) {
#ifndef OPENSSL_NO_DEPRECATED_3_0
        const BIGNUM *scalars[6];
        const EC_POINT *points[6];
#endif

        /*
         * P = i * G.  If i == 1, P will be the predefined generator for which
         * EC_GROUP_precompute_mult has set up precomputation.
         */
        if (!TEST_true(BN_set_word(n1, i)))
            goto err;
        if (!TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx)))
            goto err;
        if (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx)))
            goto err;

        /* n1 = 1 - order (a negative scalar); n1 * P must equal P. */
        if (!TEST_true(BN_one(n1))
            || !TEST_true(BN_sub(n1, n1, order))
            || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx))
            || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
            goto err;

        /* n2 = 1 + order; n2 * P must equal P. */
        if (!TEST_true(BN_add(n2, order, BN_value_one()))
            || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
            || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
            goto err;

        /* n2 = (1 - order) * (1 + order) = 1 - order^2; still equals P. */
        if (!TEST_true(BN_mul(n2, n1, n2, ctx))
            || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
            || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
            goto err;

        /* Drop the sign: n2 = order^2 - 1, so n2 * P should be -P. */
        BN_set_negative(n2, 0);
        if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)))
            goto err;

        /* Add P to verify the result: the sum must be infinity, P must not. */
        if (!TEST_true(EC_POINT_add(group, Q, Q, P, ctx))
            || !TEST_true(EC_POINT_is_at_infinity(group, Q))
            || !TEST_false(EC_POINT_is_at_infinity(group, P)))
            goto err;

#ifndef OPENSSL_NO_DEPRECATED_3_0
        /* Exercise EC_POINTs_mul, including corner cases. */

        /* Two terms: 1 * P + 1 * P must equal the doubling of P. */
        scalars[0] = scalars[1] = BN_value_one();
        points[0] = points[1] = P;

        if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx)))
            goto err;
        if (!TEST_true(EC_POINT_dbl(group, S, points[0], ctx)))
            goto err;
        if (!TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx)))
            goto err;

        /*
         * Six terms.  Q is the point at infinity at this stage, so only the
         * two terms in P contribute (-P and P) and the total is infinity.
         */
        scalars[0] = n1;
        points[0] = Q; /* => infinity */
        scalars[1] = n2;
        points[1] = P; /* => -P */
        scalars[2] = n1;
        points[2] = Q; /* => infinity */
        scalars[3] = n2;
        points[3] = Q; /* => infinity */
        scalars[4] = n1;
        points[4] = P; /* => P */
        scalars[5] = n2;
        points[5] = Q; /* => infinity */

        if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx)))
            goto err;
        if (!TEST_true(EC_POINT_is_at_infinity(group, P)))
            goto err;
#endif
    }

    r = 1;
err:
    /*
     * On failure inside the loop, say which pass it was; i is still 0 when
     * the failure happened before the loop started.
     */
    if (r == 0 && i != 0)
        TEST_info(i == 1 ? "allowing precomputation" : "without precomputation");

    EC_POINT_free(P);
    EC_POINT_free(Q);
    EC_POINT_free(R);
    EC_POINT_free(S);
    BN_free(n1);
    BN_free(n2);
    BN_free(order);
    BN_CTX_free(ctx);
    return r;
}
    157  1.1  christos 
    158  1.1  christos static int prime_field_tests(void)
    159  1.1  christos {
    160  1.1  christos     BN_CTX *ctx = NULL;
    161  1.1  christos     BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL;
    162  1.1  christos     EC_GROUP *group = NULL;
    163  1.1  christos     EC_POINT *P = NULL, *Q = NULL, *R = NULL;
    164  1.1  christos     BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL;
    165  1.1  christos #ifndef OPENSSL_NO_DEPRECATED_3_0
    166  1.1  christos     const EC_POINT *points[4];
    167  1.1  christos     const BIGNUM *scalars[4];
    168  1.1  christos #endif
    169  1.1  christos     unsigned char buf[100];
    170  1.1  christos     size_t len, r = 0;
    171  1.1  christos     int k;
    172  1.1  christos 
    173  1.1  christos     if (!TEST_ptr(ctx = BN_CTX_new())
    174  1.1  christos         || !TEST_ptr(p = BN_new())
    175  1.1  christos         || !TEST_ptr(a = BN_new())
    176  1.1  christos         || !TEST_ptr(b = BN_new())
    177  1.1  christos         || !TEST_true(BN_hex2bn(&p, "17"))
    178  1.1  christos         || !TEST_true(BN_hex2bn(&a, "1"))
    179  1.1  christos         || !TEST_true(BN_hex2bn(&b, "1"))
    180  1.1  christos         || !TEST_ptr(group = EC_GROUP_new_curve_GFp(p, a, b, ctx))
    181  1.1  christos         || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
    182  1.1  christos         goto err;
    183  1.1  christos 
    184  1.1  christos     TEST_info("Curve defined by Weierstrass equation");
    185  1.1  christos     TEST_note("     y^2 = x^3 + a*x + b (mod p)");
    186  1.1  christos     test_output_bignum("a", a);
    187  1.1  christos     test_output_bignum("b", b);
    188  1.1  christos     test_output_bignum("p", p);
    189  1.1  christos 
    190  1.1  christos     buf[0] = 0;
    191  1.1  christos     if (!TEST_ptr(P = EC_POINT_new(group))
    192  1.1  christos         || !TEST_ptr(Q = EC_POINT_new(group))
    193  1.1  christos         || !TEST_ptr(R = EC_POINT_new(group))
    194  1.1  christos         || !TEST_true(EC_POINT_set_to_infinity(group, P))
    195  1.1  christos         || !TEST_true(EC_POINT_is_at_infinity(group, P))
    196  1.1  christos         || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
    197  1.1  christos         || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
    198  1.1  christos         || !TEST_true(EC_POINT_is_at_infinity(group, P))
    199  1.1  christos         || !TEST_ptr(x = BN_new())
    200  1.1  christos         || !TEST_ptr(y = BN_new())
    201  1.1  christos         || !TEST_ptr(z = BN_new())
    202  1.1  christos         || !TEST_ptr(yplusone = BN_new())
    203  1.1  christos         || !TEST_true(BN_hex2bn(&x, "D"))
    204  1.1  christos         || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx)))
    205  1.1  christos         goto err;
    206  1.1  christos 
    207  1.1  christos     if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
    208  1.1  christos         if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)))
    209  1.1  christos             goto err;
    210  1.1  christos         TEST_info("Point is not on curve");
    211  1.1  christos         test_output_bignum("x", x);
    212  1.1  christos         test_output_bignum("y", y);
    213  1.1  christos         goto err;
    214  1.1  christos     }
    215  1.1  christos 
    216  1.1  christos     TEST_note("A cyclic subgroup:");
    217  1.1  christos     k = 100;
    218  1.1  christos     do {
    219  1.1  christos         if (!TEST_int_ne(k--, 0))
    220  1.1  christos             goto err;
    221  1.1  christos 
    222  1.1  christos         if (EC_POINT_is_at_infinity(group, P)) {
    223  1.1  christos             TEST_note("     point at infinity");
    224  1.1  christos         } else {
    225  1.1  christos             if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
    226  1.3  christos                     ctx)))
    227  1.1  christos                 goto err;
    228  1.1  christos 
    229  1.1  christos             test_output_bignum("x", x);
    230  1.1  christos             test_output_bignum("y", y);
    231  1.1  christos         }
    232  1.1  christos 
    233  1.1  christos         if (!TEST_true(EC_POINT_copy(R, P))
    234  1.1  christos             || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
    235  1.1  christos             goto err;
    236  1.1  christos 
    237  1.1  christos     } while (!EC_POINT_is_at_infinity(group, P));
    238  1.1  christos 
    239  1.1  christos     if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
    240  1.1  christos         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
    241  1.1  christos         goto err;
    242  1.1  christos 
    243  1.3  christos     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf,
    244  1.3  christos         sizeof(buf), ctx);
    245  1.1  christos     if (!TEST_size_t_ne(len, 0)
    246  1.1  christos         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
    247  1.1  christos         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
    248  1.1  christos         goto err;
    249  1.1  christos     test_output_memory("Generator as octet string, compressed form:",
    250  1.3  christos         buf, len);
    251  1.1  christos 
    252  1.1  christos     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
    253  1.3  christos         buf, sizeof(buf), ctx);
    254  1.1  christos     if (!TEST_size_t_ne(len, 0)
    255  1.1  christos         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
    256  1.1  christos         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
    257  1.1  christos         goto err;
    258  1.1  christos     test_output_memory("Generator as octet string, uncompressed form:",
    259  1.3  christos         buf, len);
    260  1.1  christos 
    261  1.1  christos     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID,
    262  1.3  christos         buf, sizeof(buf), ctx);
    263  1.1  christos     if (!TEST_size_t_ne(len, 0)
    264  1.1  christos         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
    265  1.1  christos         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
    266  1.1  christos         goto err;
    267  1.1  christos     test_output_memory("Generator as octet string, hybrid form:",
    268  1.3  christos         buf, len);
    269  1.1  christos 
    270  1.1  christos     if (!TEST_true(EC_POINT_invert(group, P, ctx))
    271  1.1  christos         || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
    272  1.1  christos 
    273  1.3  christos         /*
    274  1.3  christos          * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2,
    275  1.3  christos          * 2000) -- not a NIST curve, but commonly used
    276  1.3  christos          */
    277  1.1  christos 
    278  1.3  christos         || !TEST_true(BN_hex2bn(&p, "FFFFFFFF"
    279  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF"))
    280  1.1  christos         || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
    281  1.3  christos         || !TEST_true(BN_hex2bn(&a, "FFFFFFFF"
    282  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC"))
    283  1.3  christos         || !TEST_true(BN_hex2bn(&b, "1C97BEFC"
    284  1.1  christos                                     "54BD7A8B65ACF89F81D4D4ADC565FA45"))
    285  1.1  christos         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
    286  1.3  christos         || !TEST_true(BN_hex2bn(&x, "4A96B568"
    287  1.1  christos                                     "8EF573284664698968C38BB913CBFC82"))
    288  1.3  christos         || !TEST_true(BN_hex2bn(&y, "23a62855"
    289  1.1  christos                                     "3168947d59dcc912042351377ac5fb32"))
    290  1.1  christos         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    291  1.3  christos         /*
    292  1.3  christos          * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
    293  1.3  christos          * and therefore setting the coordinates should fail.
    294  1.3  christos          */
    295  1.1  christos         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
    296  1.3  christos             ctx))
    297  1.1  christos         || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
    298  1.1  christos         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
    299  1.3  christos         || !TEST_true(BN_hex2bn(&z, "0100000000"
    300  1.1  christos                                     "000000000001F4C8F927AED3CA752257"))
    301  1.1  christos         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
    302  1.1  christos         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
    303  1.1  christos         goto err;
    304  1.1  christos     TEST_info("SEC2 curve secp160r1 -- Generator");
    305  1.1  christos     test_output_bignum("x", x);
    306  1.1  christos     test_output_bignum("y", y);
    307  1.1  christos     /* G_y value taken from the standard: */
    308  1.3  christos     if (!TEST_true(BN_hex2bn(&z, "23a62855"
    309  1.1  christos                                  "3168947d59dcc912042351377ac5fb32"))
    310  1.1  christos         || !TEST_BN_eq(y, z)
    311  1.1  christos         || !TEST_int_eq(EC_GROUP_get_degree(group), 160)
    312  1.1  christos         || !group_order_tests(group)
    313  1.1  christos 
    314  1.3  christos         /* Curve P-192 (FIPS PUB 186-2, App. 6) */
    315  1.1  christos 
    316  1.3  christos         || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF"
    317  1.1  christos                                     "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"))
    318  1.1  christos         || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
    319  1.3  christos         || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF"
    320  1.1  christos                                     "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC"))
    321  1.3  christos         || !TEST_true(BN_hex2bn(&b, "64210519E59C80E7"
    322  1.1  christos                                     "0FA7E9AB72243049FEB8DEECC146B9B1"))
    323  1.1  christos         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
    324  1.3  christos         || !TEST_true(BN_hex2bn(&x, "188DA80EB03090F6"
    325  1.1  christos                                     "7CBF20EB43A18800F4FF0AFD82FF1012"))
    326  1.1  christos         || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
    327  1.1  christos         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
    328  1.3  christos         || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFF"
    329  1.1  christos                                     "FFFFFFFF99DEF836146BC9B1B4D22831"))
    330  1.1  christos         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
    331  1.1  christos         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
    332  1.1  christos         goto err;
    333  1.1  christos 
    334  1.1  christos     TEST_info("NIST curve P-192 -- Generator");
    335  1.1  christos     test_output_bignum("x", x);
    336  1.1  christos     test_output_bignum("y", y);
    337  1.1  christos     /* G_y value taken from the standard: */
    338  1.3  christos     if (!TEST_true(BN_hex2bn(&z, "07192B95FFC8DA78"
    339  1.1  christos                                  "631011ED6B24CDD573F977A11E794811"))
    340  1.1  christos         || !TEST_BN_eq(y, z)
    341  1.1  christos         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    342  1.3  christos         /*
    343  1.3  christos          * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
    344  1.3  christos          * and therefore setting the coordinates should fail.
    345  1.3  christos          */
    346  1.1  christos         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
    347  1.3  christos             ctx))
    348  1.1  christos         || !TEST_int_eq(EC_GROUP_get_degree(group), 192)
    349  1.1  christos         || !group_order_tests(group)
    350  1.1  christos 
    351  1.3  christos         /* Curve P-224 (FIPS PUB 186-2, App. 6) */
    352  1.1  christos 
    353  1.3  christos         || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
    354  1.1  christos                                     "FFFFFFFF000000000000000000000001"))
    355  1.1  christos         || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
    356  1.3  christos         || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
    357  1.1  christos                                     "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
    358  1.3  christos         || !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256"
    359  1.1  christos                                     "5044B0B7D7BFD8BA270B39432355FFB4"))
    360  1.1  christos         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
    361  1.3  christos         || !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9"
    362  1.1  christos                                     "4A03C1D356C21122343280D6115C1D21"))
    363  1.1  christos         || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
    364  1.1  christos         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
    365  1.3  christos         || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF"
    366  1.1  christos                                     "FFFF16A2E0B8F03E13DD29455C5C2A3D"))
    367  1.1  christos         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
    368  1.1  christos         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
    369  1.1  christos         goto err;
    370  1.1  christos 
    371  1.1  christos     TEST_info("NIST curve P-224 -- Generator");
    372  1.1  christos     test_output_bignum("x", x);
    373  1.1  christos     test_output_bignum("y", y);
    374  1.1  christos     /* G_y value taken from the standard: */
    375  1.3  christos     if (!TEST_true(BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6"
    376  1.1  christos                                  "CD4375A05A07476444D5819985007E34"))
    377  1.1  christos         || !TEST_BN_eq(y, z)
    378  1.1  christos         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    379  1.3  christos         /*
    380  1.3  christos          * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
    381  1.3  christos          * and therefore setting the coordinates should fail.
    382  1.3  christos          */
    383  1.1  christos         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
    384  1.3  christos             ctx))
    385  1.1  christos         || !TEST_int_eq(EC_GROUP_get_degree(group), 224)
    386  1.1  christos         || !group_order_tests(group)
    387  1.1  christos 
    388  1.3  christos         /* Curve P-256 (FIPS PUB 186-2, App. 6) */
    389  1.1  christos 
    390  1.1  christos         || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000"
    391  1.1  christos                                     "00000000FFFFFFFFFFFFFFFFFFFFFFFF"))
    392  1.1  christos         || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
    393  1.1  christos         || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000"
    394  1.1  christos                                     "00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
    395  1.1  christos         || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
    396  1.1  christos                                     "651D06B0CC53B0F63BCE3C3E27D2604B"))
    397  1.1  christos         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
    398  1.1  christos 
    399  1.1  christos         || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2"
    400  1.1  christos                                     "77037D812DEB33A0F4A13945D898C296"))
    401  1.1  christos         || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
    402  1.1  christos         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
    403  1.1  christos         || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
    404  1.1  christos                                     "BCE6FAADA7179E84F3B9CAC2FC632551"))
    405  1.1  christos         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
    406  1.1  christos         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
    407  1.1  christos         goto err;
    408  1.1  christos 
    409  1.1  christos     TEST_info("NIST curve P-256 -- Generator");
    410  1.1  christos     test_output_bignum("x", x);
    411  1.1  christos     test_output_bignum("y", y);
    412  1.1  christos     /* G_y value taken from the standard: */
    413  1.1  christos     if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16"
    414  1.1  christos                                  "2BCE33576B315ECECBB6406837BF51F5"))
    415  1.1  christos         || !TEST_BN_eq(y, z)
    416  1.1  christos         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    417  1.3  christos         /*
    418  1.3  christos          * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
    419  1.3  christos          * and therefore setting the coordinates should fail.
    420  1.3  christos          */
    421  1.1  christos         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
    422  1.3  christos             ctx))
    423  1.1  christos         || !TEST_int_eq(EC_GROUP_get_degree(group), 256)
    424  1.1  christos         || !group_order_tests(group)
    425  1.1  christos 
    426  1.3  christos         /* Curve P-384 (FIPS PUB 186-2, App. 6) */
    427  1.1  christos 
    428  1.1  christos         || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    429  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
    430  1.1  christos                                     "FFFFFFFF0000000000000000FFFFFFFF"))
    431  1.1  christos         || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
    432  1.1  christos         || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    433  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
    434  1.1  christos                                     "FFFFFFFF0000000000000000FFFFFFFC"))
    435  1.1  christos         || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19"
    436  1.1  christos                                     "181D9C6EFE8141120314088F5013875A"
    437  1.1  christos                                     "C656398D8A2ED19D2A85C8EDD3EC2AEF"))
    438  1.1  christos         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
    439  1.1  christos 
    440  1.1  christos         || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74"
    441  1.1  christos                                     "6E1D3B628BA79B9859F741E082542A38"
    442  1.1  christos                                     "5502F25DBF55296C3A545E3872760AB7"))
    443  1.1  christos         || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
    444  1.1  christos         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
    445  1.1  christos         || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    446  1.1  christos                                     "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
    447  1.1  christos                                     "581A0DB248B0A77AECEC196ACCC52973"))
    448  1.1  christos         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
    449  1.1  christos         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
    450  1.1  christos         goto err;
    451  1.1  christos 
    452  1.1  christos     TEST_info("NIST curve P-384 -- Generator");
    453  1.1  christos     test_output_bignum("x", x);
    454  1.1  christos     test_output_bignum("y", y);
    455  1.1  christos     /* G_y value taken from the standard: */
    456  1.1  christos     if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29"
    457  1.1  christos                                  "F8F41DBD289A147CE9DA3113B5F0B8C0"
    458  1.1  christos                                  "0A60B1CE1D7E819D7A431D7C90EA0E5F"))
    459  1.1  christos         || !TEST_BN_eq(y, z)
    460  1.1  christos         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    461  1.3  christos         /*
    462  1.3  christos          * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
    463  1.3  christos          * and therefore setting the coordinates should fail.
    464  1.3  christos          */
    465  1.1  christos         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
    466  1.3  christos             ctx))
    467  1.1  christos         || !TEST_int_eq(EC_GROUP_get_degree(group), 384)
    468  1.1  christos         || !group_order_tests(group)
    469  1.1  christos 
    470  1.3  christos         /* Curve P-521 (FIPS PUB 186-2, App. 6) */
    471  1.3  christos         || !TEST_true(BN_hex2bn(&p, "1FF"
    472  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    473  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    474  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    475  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
    476  1.1  christos         || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
    477  1.3  christos         || !TEST_true(BN_hex2bn(&a, "1FF"
    478  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    479  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    480  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    481  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
    482  1.3  christos         || !TEST_true(BN_hex2bn(&b, "051"
    483  1.1  christos                                     "953EB9618E1C9A1F929A21A0B68540EE"
    484  1.1  christos                                     "A2DA725B99B315F3B8B489918EF109E1"
    485  1.1  christos                                     "56193951EC7E937B1652C0BD3BB1BF07"
    486  1.1  christos                                     "3573DF883D2C34F1EF451FD46B503F00"))
    487  1.1  christos         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
    488  1.3  christos         || !TEST_true(BN_hex2bn(&x, "C6"
    489  1.1  christos                                     "858E06B70404E9CD9E3ECB662395B442"
    490  1.1  christos                                     "9C648139053FB521F828AF606B4D3DBA"
    491  1.1  christos                                     "A14B5E77EFE75928FE1DC127A2FFA8DE"
    492  1.1  christos                                     "3348B3C1856A429BF97E7E31C2E5BD66"))
    493  1.1  christos         || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
    494  1.1  christos         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
    495  1.3  christos         || !TEST_true(BN_hex2bn(&z, "1FF"
    496  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    497  1.1  christos                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA"
    498  1.1  christos                                     "51868783BF2F966B7FCC0148F709A5D0"
    499  1.1  christos                                     "3BB5C9B8899C47AEBB6FB71E91386409"))
    500  1.1  christos         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
    501  1.1  christos         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
    502  1.1  christos         goto err;
    503  1.1  christos 
    504  1.1  christos     TEST_info("NIST curve P-521 -- Generator");
    505  1.1  christos     test_output_bignum("x", x);
    506  1.1  christos     test_output_bignum("y", y);
    507  1.1  christos     /* G_y value taken from the standard: */
    508  1.3  christos     if (!TEST_true(BN_hex2bn(&z, "118"
    509  1.1  christos                                  "39296A789A3BC0045C8A5FB42C7D1BD9"
    510  1.1  christos                                  "98F54449579B446817AFBD17273E662C"
    511  1.1  christos                                  "97EE72995EF42640C550B9013FAD0761"
    512  1.1  christos                                  "353C7086A272C24088BE94769FD16650"))
    513  1.1  christos         || !TEST_BN_eq(y, z)
    514  1.1  christos         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    515  1.3  christos         /*
    516  1.3  christos          * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
    517  1.3  christos          * and therefore setting the coordinates should fail.
    518  1.3  christos          */
    519  1.1  christos         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
    520  1.3  christos             ctx))
    521  1.1  christos         || !TEST_int_eq(EC_GROUP_get_degree(group), 521)
    522  1.1  christos         || !group_order_tests(group)
    523  1.1  christos 
    524  1.3  christos         /* more tests using the last curve */
    525  1.1  christos 
    526  1.3  christos         /* Restore the point that got mangled in the (x, y + 1) test. */
    527  1.1  christos         || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
    528  1.1  christos         || !TEST_true(EC_POINT_copy(Q, P))
    529  1.1  christos         || !TEST_false(EC_POINT_is_at_infinity(group, Q))
    530  1.1  christos         || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
    531  1.1  christos         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
    532  1.3  christos         || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
    533  1.1  christos         || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
    534  1.1  christos         || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
    535  1.3  christos         || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
    536  1.1  christos         || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
    537  1.1  christos         goto err;
    538  1.1  christos 
    539  1.1  christos #ifndef OPENSSL_NO_DEPRECATED_3_0
    540  1.1  christos     TEST_note("combined multiplication ...");
    541  1.1  christos     points[0] = Q;
    542  1.1  christos     points[1] = Q;
    543  1.1  christos     points[2] = Q;
    544  1.1  christos     points[3] = Q;
    545  1.1  christos 
    546  1.1  christos     if (!TEST_true(EC_GROUP_get_order(group, z, ctx))
    547  1.1  christos         || !TEST_true(BN_add(y, z, BN_value_one()))
    548  1.1  christos         || !TEST_BN_even(y)
    549  1.1  christos         || !TEST_true(BN_rshift1(y, y)))
    550  1.1  christos         goto err;
    551  1.1  christos 
    552  1.3  christos     scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
    553  1.1  christos     scalars[1] = y;
    554  1.1  christos 
    555  1.1  christos     /* z is still the group order */
    556  1.1  christos     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
    557  1.1  christos         || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
    558  1.1  christos         || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
    559  1.1  christos         || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx))
    560  1.1  christos         || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
    561  1.1  christos         || !TEST_true(BN_add(z, z, y)))
    562  1.1  christos         goto err;
    563  1.1  christos     BN_set_negative(z, 1);
    564  1.1  christos     scalars[0] = y;
    565  1.3  christos     scalars[1] = z; /* z = -(order + y) */
    566  1.1  christos 
    567  1.1  christos     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
    568  1.1  christos         || !TEST_true(EC_POINT_is_at_infinity(group, P))
    569  1.1  christos         || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
    570  1.1  christos         || !TEST_true(BN_add(z, x, y)))
    571  1.1  christos         goto err;
    572  1.1  christos     BN_set_negative(z, 1);
    573  1.1  christos     scalars[0] = x;
    574  1.1  christos     scalars[1] = y;
    575  1.3  christos     scalars[2] = z; /* z = -(x+y) */
    576  1.1  christos 
    577  1.1  christos     if (!TEST_ptr(scalar3 = BN_new()))
    578  1.1  christos         goto err;
    579  1.1  christos     BN_zero(scalar3);
    580  1.1  christos     scalars[3] = scalar3;
    581  1.1  christos 
    582  1.1  christos     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
    583  1.1  christos         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
    584  1.1  christos         goto err;
    585  1.1  christos #endif
    586  1.1  christos     TEST_note(" ok\n");
    587  1.1  christos     r = 1;
    588  1.1  christos err:
    589  1.1  christos     BN_CTX_free(ctx);
    590  1.1  christos     BN_free(p);
    591  1.1  christos     BN_free(a);
    592  1.1  christos     BN_free(b);
    593  1.1  christos     EC_GROUP_free(group);
    594  1.1  christos     EC_POINT_free(P);
    595  1.1  christos     EC_POINT_free(Q);
    596  1.1  christos     EC_POINT_free(R);
    597  1.1  christos     BN_free(x);
    598  1.1  christos     BN_free(y);
    599  1.1  christos     BN_free(z);
    600  1.1  christos     BN_free(yplusone);
    601  1.1  christos     BN_free(scalar3);
    602  1.1  christos     return r;
    603  1.1  christos }
    604  1.1  christos 
    605  1.1  christos #ifndef OPENSSL_NO_EC2M
    606  1.1  christos 
/*
 * Public domain parameters for the NIST binary (characteristic-two) curves,
 * consumed one entry at a time by char2_curve_test().  Every numeric field is
 * a hexadecimal string that is parsed with BN_hex2bn(); adjacent literals are
 * concatenated by the compiler, so the line breaks inside a value carry no
 * meaning.
 */
struct c2_curve_test {
    const char *name;  /* label printed with the generator */
    const char *p;     /* field polynomial handed to EC_GROUP_new_curve_GF2m() */
    const char *a;     /* curve coefficient a */
    const char *b;     /* curve coefficient b */
    const char *x;     /* generator x coordinate */
    const char *y;     /* generator y coordinate */
    int ybit;          /* y bit for the compressed-coordinate variant */
    const char *order; /* order passed to EC_GROUP_set_generator() */
    const char *cof;   /* cofactor passed to EC_GROUP_set_generator() */
    int degree;        /* value expected from EC_GROUP_get_degree() */
};

static struct c2_curve_test char2_curve_tests[] = {
    { /* Curve K-163 (FIPS PUB 186-2, App. 6) */
        "NIST curve K-163",                                   /* name */
        "0800000000000000000000000000000000000000C9",         /* p */
        "1",                                                  /* a */
        "1",                                                  /* b */
        "02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8",         /* x */
        "0289070FB05D38FF58321F2E800536D538CCDAA3D9",         /* y */
        1,                                                    /* ybit */
        "04000000000000000000020108A2E0CC0D99F8A5EF",         /* order */
        "2",                                                  /* cof */
        163                                                   /* degree */
    },
    { /* Curve B-163 (FIPS PUB 186-2, App. 6) */
        "NIST curve B-163",                                   /* name */
        "0800000000000000000000000000000000000000C9",         /* p */
        "1",                                                  /* a */
        "020A601907B8C953CA1481EB10512F78744A3205FD",         /* b */
        "03F0EBA16286A2D57EA0991168D4994637E8343E36",         /* x */
        "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1",         /* y */
        1,                                                    /* ybit */
        "040000000000000000000292FE77E70C12A4234C33",         /* order */
        "2",                                                  /* cof */
        163                                                   /* degree */
    },
    { /* Curve K-233 (FIPS PUB 186-2, App. 6) */
        "NIST curve K-233",
        /* p */
        "020000000000000000000000000000000000000004000000000000000001",
        /* a */
        "0",
        /* b */
        "1",
        /* x */
        "017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126",
        /* y */
        "01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3",
        /* ybit */
        0,
        /* order */
        "008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF",
        /* cof */
        "4",
        /* degree */
        233
    },
    { /* Curve B-233 (FIPS PUB 186-2, App. 6) */
        "NIST curve B-233",
        /* p */
        "020000000000000000000000000000000000000004000000000000000001",
        /* a */
        "000000000000000000000000000000000000000000000000000000000001",
        /* b */
        "0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD",
        /* x */
        "00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B",
        /* y */
        "01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052",
        /* ybit */
        1,
        /* order */
        "01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7",
        /* cof */
        "2",
        /* degree */
        233
    },
    { /* Curve K-283 (FIPS PUB 186-2, App. 6) */
        "NIST curve K-283",
        /* p */
        "08000000"
        "00000000000000000000000000000000000000000000000000000000000010A1",
        /* a */
        "0",
        /* b */
        "1",
        /* x */
        "0503213F"
        "78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836",
        /* y */
        "01CCDA38"
        "0F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259",
        /* ybit */
        0,
        /* order */
        "01FFFFFF"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61",
        /* cof */
        "4",
        /* degree */
        283
    },
    { /* Curve B-283 (FIPS PUB 186-2, App. 6) */
        "NIST curve B-283",
        /* p */
        "08000000"
        "00000000000000000000000000000000000000000000000000000000000010A1",
        /* a */
        "00000000"
        "0000000000000000000000000000000000000000000000000000000000000001",
        /* b */
        "027B680A"
        "C8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5",
        /* x */
        "05F93925"
        "8DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053",
        /* y */
        "03676854"
        "FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4",
        /* ybit */
        1,
        /* order */
        "03FFFFFF"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307",
        /* cof */
        "2",
        /* degree */
        283
    },
    { /* Curve K-409 (FIPS PUB 186-2, App. 6) */
        "NIST curve K-409",
        /* p */
        "0200000000000000000000000000000000000000"
        "0000000000000000000000000000000000000000008000000000000000000001",
        /* a */
        "0",
        /* b */
        "1",
        /* x */
        "0060F05F658F49C1AD3AB1890F7184210EFD0987"
        "E307C84C27ACCFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746",
        /* y */
        "01E369050B7C4E42ACBA1DACBF04299C3460782F"
        "918EA427E6325165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B",
        /* ybit */
        1,
        /* order */
        "007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
        "FFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF",
        /* cof */
        "4",
        /* degree */
        409
    },
    { /* Curve B-409 (FIPS PUB 186-2, App. 6) */
        "NIST curve B-409",
        /* p */
        "0200000000000000000000000000000000000000"
        "0000000000000000000000000000000000000000008000000000000000000001",
        /* a */
        "0000000000000000000000000000000000000000"
        "0000000000000000000000000000000000000000000000000000000000000001",
        /* b */
        "0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422E"
        "F1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F",
        /* x */
        "015D4860D088DDB3496B0C6064756260441CDE4A"
        "F1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7",
        /* y */
        "0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5"
        "A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706",
        /* ybit */
        1,
        /* order */
        "0100000000000000000000000000000000000000"
        "00000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173",
        /* cof */
        "2",
        /* degree */
        409
    },
    { /* Curve K-571 (FIPS PUB 186-2, App. 6) */
        "NIST curve K-571",
        /* p */
        "800000000000000"
        "0000000000000000000000000000000000000000000000000000000000000000"
        "0000000000000000000000000000000000000000000000000000000000000425",
        /* a */
        "0",
        /* b */
        "1",
        /* x */
        "026EB7A859923FBC"
        "82189631F8103FE4AC9CA2970012D5D46024804801841CA44370958493B205E6"
        "47DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972",
        /* y */
        "0349DC807F4FBF37"
        "4F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0AC44AEA7"
        "4FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3",
        /* ybit */
        0,
        /* order */
        "0200000000000000"
        "00000000000000000000000000000000000000000000000000000000131850E1"
        "F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001",
        /* cof */
        "4",
        /* degree */
        571
    },
    { /* Curve B-571 (FIPS PUB 186-2, App. 6) */
        "NIST curve B-571",
        /* p */
        "800000000000000"
        "0000000000000000000000000000000000000000000000000000000000000000"
        "0000000000000000000000000000000000000000000000000000000000000425",
        /* a */
        "0000000000000000"
        "0000000000000000000000000000000000000000000000000000000000000000"
        "0000000000000000000000000000000000000000000000000000000000000001",
        /* b */
        "02F40E7E2221F295"
        "DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA5933"
        "2BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A",
        /* x */
        "0303001D34B85629"
        "6C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293"
        "CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19",
        /* y */
        "037BF27342DA639B"
        "6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A57"
        "6291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B",
        /* ybit */
        1,
        /* order */
        "03FFFFFFFFFFFFFF"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18"
        "FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47",
        /* cof */
        "2",
        /* degree */
        571
    }
};
    766  1.1  christos 
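/*
 * Exercise one entry of char2_curve_tests: build the GF(2^m) group from the
 * table's hex parameters, install the generator, check that the off-curve
 * point (x, y + 1) is rejected, compare the group degree with the table and
 * run group_order_tests().  For the last table entry it additionally checks
 * point doubling/inversion/addition and, unless OPENSSL_NO_DEPRECATED_3_0 is
 * defined, combined multiplication through EC_POINTs_mul().
 *
 * n is used directly as an index into char2_curve_tests and is not range
 * checked here; presumably the caller registers exactly one run per table
 * entry (registration is outside this block -- verify).
 *
 * Returns 1 when every check passes and 0 otherwise.  Everything allocated
 * here is released on both paths.
 */
static int char2_curve_test(int n)
{
    int r = 0;
    BN_CTX *ctx = NULL;
    BIGNUM *p = NULL, *a = NULL, *b = NULL;
    BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
    EC_GROUP *group = NULL;
    EC_POINT *P = NULL, *Q = NULL, *R = NULL;
#ifndef OPENSSL_NO_DEPRECATED_3_0
    const EC_POINT *points[3];
    const BIGNUM *scalars[3];
#endif
    struct c2_curve_test *const test = char2_curve_tests + n;

    /*
     * EC_GROUP_new_curve_GF2m() returns a pointer, so it is checked with
     * TEST_ptr like the other allocations (char2_field_tests() does the same).
     */
    if (!TEST_ptr(ctx = BN_CTX_new())
        || !TEST_ptr(p = BN_new())
        || !TEST_ptr(a = BN_new())
        || !TEST_ptr(b = BN_new())
        || !TEST_ptr(x = BN_new())
        || !TEST_ptr(y = BN_new())
        || !TEST_ptr(z = BN_new())
        || !TEST_ptr(yplusone = BN_new())
        || !TEST_true(BN_hex2bn(&p, test->p))
        || !TEST_true(BN_hex2bn(&a, test->a))
        || !TEST_true(BN_hex2bn(&b, test->b))
        || !TEST_ptr(group = EC_GROUP_new_curve_GF2m(p, a, b, ctx))
        || !TEST_ptr(P = EC_POINT_new(group))
        || !TEST_ptr(Q = EC_POINT_new(group))
        || !TEST_ptr(R = EC_POINT_new(group))
        || !TEST_true(BN_hex2bn(&x, test->x))
        || !TEST_true(BN_hex2bn(&y, test->y))
        || !TEST_true(BN_add(yplusone, y, BN_value_one())))
        goto err;

/* Change test based on whether binary point compression is enabled or not. */
#ifdef OPENSSL_EC_BIN_PT_COMP
    /*
     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
     * and therefore setting the coordinates should fail.
     *
     * The table field is named ybit; the previous spelling test->y_bit does
     * not exist in struct c2_curve_test and broke the build whenever this
     * branch was enabled.
     */
    if (!TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, ctx))
        || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x,
                                                          test->ybit, ctx))
        || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
        || !TEST_true(BN_hex2bn(&z, test->order))
        || !TEST_true(BN_hex2bn(&cof, test->cof))
        || !TEST_true(EC_GROUP_set_generator(group, P, z, cof))
        || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
        goto err;
    TEST_info("%s -- Generator", test->name);
    test_output_bignum("x", x);
    test_output_bignum("y", y);
    /* G_y value taken from the standard (this overwrites the order in z): */
    if (!TEST_true(BN_hex2bn(&z, test->y))
        || !TEST_BN_eq(y, z))
        goto err;
#else
    /*
     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
     * and therefore setting the coordinates should fail.
     */
    if (!TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, ctx))
        || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
        || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
        || !TEST_true(BN_hex2bn(&z, test->order))
        || !TEST_true(BN_hex2bn(&cof, test->cof))
        || !TEST_true(EC_GROUP_set_generator(group, P, z, cof)))
        goto err;
    TEST_info("%s -- Generator:", test->name);
    test_output_bignum("x", x);
    test_output_bignum("y", y);
#endif

    if (!TEST_int_eq(EC_GROUP_get_degree(group), test->degree)
        || !group_order_tests(group))
        goto err;

    /* more tests using the last curve */
    if (n == OSSL_NELEM(char2_curve_tests) - 1) {
        if (!TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
            || !TEST_true(EC_POINT_copy(Q, P))
            || !TEST_false(EC_POINT_is_at_infinity(group, Q))
            || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
            || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
            || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
            || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
            || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
            || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
            || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
            goto err;

#ifndef OPENSSL_NO_DEPRECATED_3_0
        TEST_note("combined multiplication ...");
        points[0] = Q;
        points[1] = Q;
        points[2] = Q;

        /*
         * Reload the group order into z before deriving the scalars.  In the
         * OPENSSL_EC_BIN_PT_COMP branch above z was reused for G_y, so the
         * arithmetic below would otherwise start from the wrong value; the
         * prime-field test fetches the order the same way.
         */
        if (!TEST_true(EC_GROUP_get_order(group, z, ctx))
            || !TEST_true(BN_add(y, z, BN_value_one()))
            || !TEST_BN_even(y)
            || !TEST_true(BN_rshift1(y, y)))
            goto err;
        scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
        scalars[1] = y;

        /* z is still the group order */
        if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
            || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
            || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
            || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx)))
            goto err;

        if (!TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
            || !TEST_true(BN_add(z, z, y)))
            goto err;
        BN_set_negative(z, 1);
        scalars[0] = y;
        scalars[1] = z; /* z = -(order + y) */

        if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
            || !TEST_true(EC_POINT_is_at_infinity(group, P)))
            goto err;

        if (!TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
            || !TEST_true(BN_add(z, x, y)))
            goto err;
        BN_set_negative(z, 1);
        scalars[0] = x;
        scalars[1] = y;
        scalars[2] = z; /* z = -(x+y) */

        if (!TEST_true(EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx))
            || !TEST_true(EC_POINT_is_at_infinity(group, P)))
            goto err;
#endif
    }

    r = 1;
err:
    /* Shared cleanup for success and failure; all handles start as NULL. */
    BN_CTX_free(ctx);
    BN_free(p);
    BN_free(a);
    BN_free(b);
    BN_free(x);
    BN_free(y);
    BN_free(z);
    BN_free(yplusone);
    BN_free(cof);
    EC_POINT_free(P);
    EC_POINT_free(Q);
    EC_POINT_free(R);
    EC_GROUP_free(group);
    return r;
}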
    921  1.1  christos 
    922  1.1  christos static int char2_field_tests(void)
    923  1.1  christos {
    924  1.1  christos     BN_CTX *ctx = NULL;
    925  1.1  christos     BIGNUM *p = NULL, *a = NULL, *b = NULL;
    926  1.1  christos     EC_GROUP *group = NULL;
    927  1.1  christos     EC_POINT *P = NULL, *Q = NULL, *R = NULL;
    928  1.1  christos     BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
    929  1.1  christos     unsigned char buf[100];
    930  1.1  christos     size_t len;
    931  1.1  christos     int k, r = 0;
    932  1.1  christos 
    933  1.1  christos     if (!TEST_ptr(ctx = BN_CTX_new())
    934  1.1  christos         || !TEST_ptr(p = BN_new())
    935  1.1  christos         || !TEST_ptr(a = BN_new())
    936  1.1  christos         || !TEST_ptr(b = BN_new())
    937  1.1  christos         || !TEST_true(BN_hex2bn(&p, "13"))
    938  1.1  christos         || !TEST_true(BN_hex2bn(&a, "3"))
    939  1.1  christos         || !TEST_true(BN_hex2bn(&b, "1")))
    940  1.1  christos         goto err;
    941  1.1  christos 
    942  1.1  christos     if (!TEST_ptr(group = EC_GROUP_new_curve_GF2m(p, a, b, ctx))
    943  1.1  christos         || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
    944  1.1  christos         goto err;
    945  1.1  christos 
    946  1.1  christos     TEST_info("Curve defined by Weierstrass equation");
    947  1.1  christos     TEST_note("     y^2 + x*y = x^3 + a*x^2 + b (mod p)");
    948  1.1  christos     test_output_bignum("a", a);
    949  1.1  christos     test_output_bignum("b", b);
    950  1.1  christos     test_output_bignum("p", p);
    951  1.1  christos 
    952  1.3  christos     if (!TEST_ptr(P = EC_POINT_new(group))
    953  1.1  christos         || !TEST_ptr(Q = EC_POINT_new(group))
    954  1.1  christos         || !TEST_ptr(R = EC_POINT_new(group))
    955  1.1  christos         || !TEST_true(EC_POINT_set_to_infinity(group, P))
    956  1.1  christos         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
    957  1.1  christos         goto err;
    958  1.1  christos 
    959  1.1  christos     buf[0] = 0;
    960  1.1  christos     if (!TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
    961  1.1  christos         || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
    962  1.1  christos         || !TEST_true(EC_POINT_is_at_infinity(group, P))
    963  1.1  christos         || !TEST_ptr(x = BN_new())
    964  1.1  christos         || !TEST_ptr(y = BN_new())
    965  1.1  christos         || !TEST_ptr(z = BN_new())
    966  1.1  christos         || !TEST_ptr(cof = BN_new())
    967  1.1  christos         || !TEST_ptr(yplusone = BN_new())
    968  1.1  christos         || !TEST_true(BN_hex2bn(&x, "6"))
    969  1.1  christos /* Change test based on whether binary point compression is enabled or not. */
    970  1.3  christos #ifdef OPENSSL_EC_BIN_PT_COMP
    971  1.1  christos         || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx))
    972  1.3  christos #else
    973  1.1  christos         || !TEST_true(BN_hex2bn(&y, "8"))
    974  1.1  christos         || !TEST_true(EC_POINT_set_affine_coordinates(group, Q, x, y, ctx))
    975  1.3  christos #endif
    976  1.3  christos     )
    977  1.1  christos         goto err;
    978  1.1  christos     if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
    979  1.1  christos /* Change test based on whether binary point compression is enabled or not. */
    980  1.3  christos #ifdef OPENSSL_EC_BIN_PT_COMP
    981  1.1  christos         if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)))
    982  1.1  christos             goto err;
    983  1.3  christos #endif
    984  1.1  christos         TEST_info("Point is not on curve");
    985  1.1  christos         test_output_bignum("x", x);
    986  1.1  christos         test_output_bignum("y", y);
    987  1.1  christos         goto err;
    988  1.1  christos     }
    989  1.1  christos 
    990  1.1  christos     TEST_note("A cyclic subgroup:");
    991  1.1  christos     k = 100;
    992  1.1  christos     do {
    993  1.1  christos         if (!TEST_int_ne(k--, 0))
    994  1.1  christos             goto err;
    995  1.1  christos 
    996  1.1  christos         if (EC_POINT_is_at_infinity(group, P))
    997  1.1  christos             TEST_note("     point at infinity");
    998  1.1  christos         else {
    999  1.1  christos             if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
   1000  1.3  christos                     ctx)))
   1001  1.1  christos                 goto err;
   1002  1.1  christos 
   1003  1.1  christos             test_output_bignum("x", x);
   1004  1.1  christos             test_output_bignum("y", y);
   1005  1.1  christos         }
   1006  1.1  christos 
   1007  1.1  christos         if (!TEST_true(EC_POINT_copy(R, P))
   1008  1.1  christos             || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
   1009  1.1  christos             goto err;
   1010  1.3  christos     } while (!EC_POINT_is_at_infinity(group, P));
   1011  1.1  christos 
   1012  1.1  christos     if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
   1013  1.1  christos         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
   1014  1.1  christos         goto err;
   1015  1.1  christos 
   1016  1.1  christos /* Change test based on whether binary point compression is enabled or not. */
   1017  1.3  christos #ifdef OPENSSL_EC_BIN_PT_COMP
   1018  1.1  christos     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED,
   1019  1.3  christos         buf, sizeof(buf), ctx);
   1020  1.1  christos     if (!TEST_size_t_ne(len, 0)
   1021  1.1  christos         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
   1022  1.1  christos         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
   1023  1.1  christos         goto err;
   1024  1.1  christos     test_output_memory("Generator as octet string, compressed form:",
   1025  1.3  christos         buf, len);
   1026  1.3  christos #endif
   1027  1.1  christos 
   1028  1.1  christos     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
   1029  1.3  christos         buf, sizeof(buf), ctx);
   1030  1.1  christos     if (!TEST_size_t_ne(len, 0)
   1031  1.1  christos         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
   1032  1.1  christos         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
   1033  1.1  christos         goto err;
   1034  1.1  christos     test_output_memory("Generator as octet string, uncompressed form:",
   1035  1.3  christos         buf, len);
   1036  1.1  christos 
   1037  1.1  christos /* Change test based on whether binary point compression is enabled or not. */
   1038  1.3  christos #ifdef OPENSSL_EC_BIN_PT_COMP
   1039  1.3  christos     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof(buf),
   1040  1.3  christos         ctx);
   1041  1.1  christos     if (!TEST_size_t_ne(len, 0)
   1042  1.1  christos         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
   1043  1.1  christos         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
   1044  1.1  christos         goto err;
   1045  1.1  christos     test_output_memory("Generator as octet string, hybrid form:",
   1046  1.3  christos         buf, len);
   1047  1.3  christos #endif
   1048  1.1  christos 
   1049  1.1  christos     if (!TEST_true(EC_POINT_invert(group, P, ctx))
   1050  1.1  christos         || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)))
   1051  1.1  christos         goto err;
   1052  1.1  christos 
   1053  1.1  christos     TEST_note("\n");
   1054  1.1  christos 
   1055  1.1  christos     r = 1;
   1056  1.1  christos err:
   1057  1.1  christos     BN_CTX_free(ctx);
   1058  1.1  christos     BN_free(p);
   1059  1.1  christos     BN_free(a);
   1060  1.1  christos     BN_free(b);
   1061  1.1  christos     EC_GROUP_free(group);
   1062  1.1  christos     EC_POINT_free(P);
   1063  1.1  christos     EC_POINT_free(Q);
   1064  1.1  christos     EC_POINT_free(R);
   1065  1.1  christos     BN_free(x);
   1066  1.1  christos     BN_free(y);
   1067  1.1  christos     BN_free(z);
   1068  1.1  christos     BN_free(cof);
   1069  1.1  christos     BN_free(yplusone);
   1070  1.1  christos     return r;
   1071  1.1  christos }
   1072  1.1  christos 
/*
 * Round-trip check for the hybrid point encoding on sect571k1.
 *
 * The affine point (0, 1) is encoded with POINT_CONVERSION_HYBRID, decoded
 * again, and then the low bit of the leading octet is flipped to confirm
 * that EC_POINT_oct2point() refuses the now inconsistent encoding.
 *
 * Returns 1 when both the accept and the reject expectation hold, 0
 * otherwise (including any setup failure).
 */
static int hybrid_point_encoding_test(void)
{
    BIGNUM *x = NULL, *y = NULL;
    EC_GROUP *group = NULL;
    EC_POINT *point = NULL;
    unsigned char *buf = NULL;
    size_t len;
    int decoded, rejected;
    int r = 0;

    /* Coordinates and the curve object. */
    if (!TEST_true(BN_dec2bn(&x, "0"))
        || !TEST_true(BN_dec2bn(&y, "1")))
        goto err;
    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_sect571k1))
        || !TEST_ptr(point = EC_POINT_new(group))
        || !TEST_true(EC_POINT_set_affine_coordinates(group, point, x, y, NULL)))
        goto err;

    /* Size query first (NULL buffer), then encode into an exact-size buffer. */
    if (!TEST_size_t_ne(0, (len = EC_POINT_point2oct(group, point, POINT_CONVERSION_HYBRID, NULL, 0, NULL)))
        || !TEST_ptr(buf = OPENSSL_malloc(len)))
        goto err;
    if (!TEST_size_t_eq(len, EC_POINT_point2oct(group, point, POINT_CONVERSION_HYBRID, buf, len, NULL)))
        goto err;

    /* buf contains a valid hybrid point, check that we can decode it. */
    decoded = TEST_true(EC_POINT_oct2point(group, point, buf, len, NULL));

    /*
     * Flip the y_bit and verify that the invalid encoding is rejected.
     * This runs even when the decode above failed, so both results are
     * reported.
     */
    buf[0] ^= 1;
    rejected = TEST_false(EC_POINT_oct2point(group, point, buf, len, NULL));

    r = decoded && rejected;

err:
    OPENSSL_free(buf);
    EC_POINT_free(point);
    EC_GROUP_free(group);
    BN_free(y);
    BN_free(x);
    return r;
}
   1111  1.1  christos #endif
   1112  1.1  christos 
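/*
 * Instantiate the built-in curve at index n of the file-scope curves[]
 * table and validate it with EC_GROUP_check().
 *
 * n is used as an index without a range check; presumably the test
 * harness keeps it below crv_len (confirm against the registration code).
 *
 * Returns 1 on success, 0 if the group cannot be created or fails the check.
 */
static int internal_curve_test(int n)
{
    EC_GROUP *group = NULL;
    int nid = curves[n].nid;
    int ok = 0;

    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
        /* Report the function that was actually called. */
        TEST_info("EC_GROUP_new_by_curve_name() failed with curve %s\n",
            OBJ_nid2sn(nid));
        return 0;
    }
    if (TEST_true(EC_GROUP_check(group, NULL)))
        ok = 1;
    else
        TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid));

    EC_GROUP_free(group);
    return ok;
}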
   1131  1.1  christos 
/*
 * Create the built-in curve at index n of curves[] and hand it to
 * group_order_tests(), returning that function's result.
 *
 * Returns 0 without running the tests when the group cannot be created.
 */
static int internal_curve_test_method(int n)
{
    EC_GROUP *group;
    int nid = curves[n].nid;
    int r = 0;

    if (TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
        r = group_order_tests(group);
        EC_GROUP_free(group);
    } else {
        TEST_info("Curve %s failed\n", OBJ_nid2sn(nid));
    }
    return r;
}
   1145  1.1  christos 
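/*
 * Check that EC_GROUP_get0_field() returns the expected field value for
 * secp521r1 and, unless OPENSSL_NO_EC2M is defined, for sect163r2.
 *
 * Every parse and every group construction is checked before its result
 * is used, so a failed BN_hex2bn() or EC_GROUP_new_by_curve_name() makes
 * the test fail with a diagnostic instead of passing NULL on to
 * EC_GROUP_get0_field() or BN_cmp().
 *
 * Returns 1 when all comparisons match, 0 otherwise.
 */
static int group_field_test(void)
{
    int r = 0;
    BIGNUM *secp521r1_field = NULL;
    BIGNUM *sect163r2_field = NULL;
    EC_GROUP *secp521r1_group = NULL;
    EC_GROUP *sect163r2_group = NULL;

    if (!TEST_true(BN_hex2bn(&secp521r1_field,
            "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
            "FFFF"))
        || !TEST_true(BN_hex2bn(&sect163r2_field,
            "08000000000000000000000000000000"
            "00000000C9")))
        goto err;

    if (!TEST_ptr(secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1))
        || !TEST_BN_eq(secp521r1_field, EC_GROUP_get0_field(secp521r1_group)))
        goto err;

#ifndef OPENSSL_NO_EC2M
    if (!TEST_ptr(sect163r2_group = EC_GROUP_new_by_curve_name(NID_sect163r2))
        || !TEST_BN_eq(sect163r2_field, EC_GROUP_get0_field(sect163r2_group)))
        goto err;
#endif

    r = 1;
err:
    EC_GROUP_free(secp521r1_group);
    EC_GROUP_free(sect163r2_group);
    BN_free(secp521r1_field);
    BN_free(sect163r2_field);
    return r;
}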
   1181  1.1  christos 
/*
 * nistp_test_params contains magic numbers for testing
 * several NIST curves with characteristic > 3.
 *
 * All big numbers are hexadecimal strings. Member order matters: the
 * table that uses this struct is initialised positionally.
 */
struct nistp_test_params {
    const int nid; /* curve NID */
    int degree; /* expected field degree in bits */
    /*
     * Qx, Qy and D are taken from
     * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
     * Otherwise, values are standard curve parameters from FIPS 180-3
     *
     * NOTE(review): FIPS 180 is the Secure Hash Standard; the NIST curve
     * parameters are published in FIPS 186, so the reference above looks
     * like a typo - confirm.
     */
    const char *p; /* field prime */
    const char *a; /* curve coefficient a */
    const char *b; /* curve coefficient b */
    const char *Qx; /* x coordinate of the expected point Q */
    const char *Qy; /* y coordinate of the expected point Q */
    const char *Gx; /* x coordinate of the generator */
    const char *Gy; /* y coordinate of the generator */
    const char *order; /* order of the generator */
    const char *d; /* published example scalar; test vector only */
};
   1196  1.1  christos 
/*
 * Known-answer vectors consumed by nistp_single_test(), one entry per curve.
 *
 * The initialisers are positional and must stay in the member order of
 * struct nistp_test_params: nid, degree, p, a, b, Qx, Qy, Gx, Gy, order, d.
 * nistp_single_test() expects d * G to equal (Qx, Qy).
 *
 * The d values are published example scalars (see the source noted on the
 * struct); they are test data and must never be used as real private keys.
 */
static const struct nistp_test_params nistp_tests_params[] = {
    {
        /* P-224 */
        NID_secp224r1,
        224,
        /* p */
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
        /* a */
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
        /* b */
        "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
        /* Qx */
        "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E",
        /* Qy */
        "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555",
        /* Gx */
        "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
        /* Gy */
        "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
        /* order */
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
        /* d */
        "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8",
    },
    {
        /* P-256 */
        NID_X9_62_prime256v1,
        256,
        /* p */
        "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
        /* a */
        "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
        /* b */
        "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
        /* Qx */
        "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19",
        /* Qy */
        "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09",
        /* Gx */
        "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
        /* Gy */
        "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
        /* order */
        "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
        /* d */
        "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96",
    },
    {
        /* P-521 */
        NID_secp521r1,
        521,
        /* p */
        "1ff"
        "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
        "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
        /* a */
        "1ff"
        "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
        "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
        /* b */
        "051"
        "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1"
        "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
        /* Qx */
        "0098"
        "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e"
        "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
        /* Qy */
        "0164"
        "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8"
        "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
        /* Gx */
        "c6"
        "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba"
        "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
        /* Gy */
        "118"
        "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c"
        "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
        /* order */
        "1ff"
        "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa"
        "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
        /* d */
        "0100"
        "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee"
        "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
    },
};
   1286  1.1  christos 
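/*
 * Known-answer test for one NIST prime curve, selected by idx from
 * nistp_tests_params.
 *
 * The group is rebuilt from the table's p, a, b, generator and order, and
 * the scalar d is multiplied with the generator, both through the
 * generator argument of EC_POINT_mul() and through its explicit-point
 * argument. The checks are repeated with the non-standard generator 2*G,
 * after EC_GROUP_precompute_mult() when the deprecated API is available,
 * and once more with the standard generator restored.
 *
 * Every EC_POINT_mul() return value is checked. Q is reused for all
 * results and already equals Q_CHECK after the first multiplication, so
 * an unchecked failing call could be followed by a comparison against a
 * stale Q that still succeeds.
 *
 * idx is not range-checked here. Returns 1 if every check passes, else 0.
 */
static int nistp_single_test(int idx)
{
    const struct nistp_test_params *test = nistp_tests_params + idx;
    BN_CTX *ctx = NULL;
    BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL;
    BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL;
    EC_GROUP *NISTP = NULL;
    EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL;
    int r = 0;

    TEST_note("NIST curve P-%d (optimised implementation):",
        test->degree);
    if (!TEST_ptr(ctx = BN_CTX_new())
        || !TEST_ptr(p = BN_new())
        || !TEST_ptr(a = BN_new())
        || !TEST_ptr(b = BN_new())
        || !TEST_ptr(x = BN_new())
        || !TEST_ptr(y = BN_new())
        || !TEST_ptr(m = BN_new())
        || !TEST_ptr(n = BN_new())
        || !TEST_ptr(order = BN_new())
        || !TEST_ptr(yplusone = BN_new())

        || !TEST_ptr(NISTP = EC_GROUP_new_by_curve_name(test->nid))
        || !TEST_true(BN_hex2bn(&p, test->p))
        || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
        || !TEST_true(BN_hex2bn(&a, test->a))
        || !TEST_true(BN_hex2bn(&b, test->b))
        || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx))
        || !TEST_ptr(G = EC_POINT_new(NISTP))
        || !TEST_ptr(P = EC_POINT_new(NISTP))
        || !TEST_ptr(Q = EC_POINT_new(NISTP))
        || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP))
        || !TEST_true(BN_hex2bn(&x, test->Qx))
        || !TEST_true(BN_hex2bn(&y, test->Qy))
        || !TEST_true(BN_add(yplusone, y, BN_value_one()))
        /*
         * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
         * and therefore setting the coordinates should fail.
         */
        || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x,
            yplusone, ctx))
        || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y,
            ctx))
        || !TEST_true(BN_hex2bn(&x, test->Gx))
        || !TEST_true(BN_hex2bn(&y, test->Gy))
        || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx))
        || !TEST_true(BN_hex2bn(&order, test->order))
        || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
        || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
        goto err;

    TEST_note("NIST test vectors ... ");
    if (!TEST_true(BN_hex2bn(&n, test->d)))
        goto err;
    /* fixed point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
        goto err;
    /* random point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, NULL, G, n, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))

        /* set generator to P = 2*G, where G is the standard generator */
        || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx))
        || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
        /*
         * set the scalar to m=n/2, where n is the NIST test scalar; the
         * shift drops the low bit, so m*(2*G) == n*G relies on n being
         * even, which holds for the d values in nistp_tests_params
         */
        || !TEST_true(BN_rshift(m, n, 1)))
        goto err;

    /* test the non-standard generator */
    /* fixed point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
        goto err;
    /* random point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, NULL, P, m, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
#ifndef OPENSSL_NO_DEPRECATED_3_0
        /* We have not performed precomp so this should be false */
        || !TEST_false(EC_GROUP_have_precompute_mult(NISTP))
        /* now repeat all tests with precomputation */
        || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx))
#endif
    )
        goto err;

    /* fixed point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
        goto err;
    /* random point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, NULL, P, m, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))

        /* reset generator */
        || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())))
        goto err;
    /* fixed point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
        goto err;
    /* random point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, NULL, G, n, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
        goto err;

    /*
     * regression test for felem_neg bug:
     * with P = -G, 32*G + 31*P must come out as G
     */
    if (!TEST_true(BN_set_word(m, 32))
        || !TEST_true(BN_set_word(n, 31))
        || !TEST_true(EC_POINT_copy(P, G))
        || !TEST_true(EC_POINT_invert(NISTP, P, ctx))
        || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx)))
        goto err;

    r = 1;
err:
    EC_GROUP_free(NISTP);
    EC_POINT_free(G);
    EC_POINT_free(P);
    EC_POINT_free(Q);
    EC_POINT_free(Q_CHECK);
    BN_free(n);
    BN_free(m);
    BN_free(p);
    BN_free(a);
    BN_free(b);
    BN_free(x);
    BN_free(y);
    BN_free(order);
    BN_free(yplusone);
    BN_CTX_free(ctx);
    return r;
}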
   1422  1.1  christos 
/*
 * DER encoding of an OBJECT IDENTIFIER: tag 0x06, length 5, content
 * 2b 81 04 00 23, which decodes to 1.3.132.0.35 (the named-curve OID
 * for secp521r1).
 */
static const unsigned char p521_named[] = {
    0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23
};
   1432  1.1  christos 
   1433  1.1  christos static const unsigned char p521_explicit[] = {
   1434  1.3  christos     0x30,
   1435  1.3  christos     0x82,
   1436  1.3  christos     0x01,
   1437  1.3  christos     0xc3,
   1438  1.3  christos     0x02,
   1439  1.3  christos     0x01,
   1440  1.3  christos     0x01,
   1441  1.3  christos     0x30,
   1442  1.3  christos     0x4d,
   1443  1.3  christos     0x06,
   1444  1.3  christos     0x07,
   1445  1.3  christos     0x2a,
   1446  1.3  christos     0x86,
   1447  1.3  christos     0x48,
   1448  1.3  christos     0xce,
   1449  1.3  christos     0x3d,
   1450  1.3  christos     0x01,
   1451  1.3  christos     0x01,
   1452  1.3  christos     0x02,
   1453  1.3  christos     0x42,
   1454  1.3  christos     0x01,
   1455  1.3  christos     0xff,
   1456  1.3  christos     0xff,
   1457  1.3  christos     0xff,
   1458  1.3  christos     0xff,
   1459  1.3  christos     0xff,
   1460  1.3  christos     0xff,
   1461  1.3  christos     0xff,
   1462  1.3  christos     0xff,
   1463  1.3  christos     0xff,
   1464  1.3  christos     0xff,
   1465  1.3  christos     0xff,
   1466  1.3  christos     0xff,
   1467  1.3  christos     0xff,
   1468  1.3  christos     0xff,
   1469  1.3  christos     0xff,
   1470  1.3  christos     0xff,
   1471  1.3  christos     0xff,
   1472  1.3  christos     0xff,
   1473  1.3  christos     0xff,
   1474  1.3  christos     0xff,
   1475  1.3  christos     0xff,
   1476  1.3  christos     0xff,
   1477  1.3  christos     0xff,
   1478  1.3  christos     0xff,
   1479  1.3  christos     0xff,
   1480  1.3  christos     0xff,
   1481  1.3  christos     0xff,
   1482  1.3  christos     0xff,
   1483  1.3  christos     0xff,
   1484  1.3  christos     0xff,
   1485  1.3  christos     0xff,
   1486  1.3  christos     0xff,
   1487  1.3  christos     0xff,
   1488  1.3  christos     0xff,
   1489  1.3  christos     0xff,
   1490  1.3  christos     0xff,
   1491  1.3  christos     0xff,
   1492  1.3  christos     0xff,
   1493  1.3  christos     0xff,
   1494  1.3  christos     0xff,
   1495  1.3  christos     0xff,
   1496  1.3  christos     0xff,
   1497  1.3  christos     0xff,
   1498  1.3  christos     0xff,
   1499  1.3  christos     0xff,
   1500  1.3  christos     0xff,
   1501  1.3  christos     0xff,
   1502  1.3  christos     0xff,
   1503  1.3  christos     0xff,
   1504  1.3  christos     0xff,
   1505  1.3  christos     0xff,
   1506  1.3  christos     0xff,
   1507  1.3  christos     0xff,
   1508  1.3  christos     0xff,
   1509  1.3  christos     0xff,
   1510  1.3  christos     0xff,
   1511  1.3  christos     0xff,
   1512  1.3  christos     0xff,
   1513  1.3  christos     0xff,
   1514  1.3  christos     0xff,
   1515  1.3  christos     0xff,
   1516  1.3  christos     0xff,
   1517  1.3  christos     0xff,
   1518  1.3  christos     0xff,
   1519  1.3  christos     0xff,
   1520  1.3  christos     0x30,
   1521  1.3  christos     0x81,
   1522  1.3  christos     0x9f,
   1523  1.3  christos     0x04,
   1524  1.3  christos     0x42,
   1525  1.3  christos     0x01,
   1526  1.3  christos     0xff,
   1527  1.3  christos     0xff,
   1528  1.3  christos     0xff,
   1529  1.3  christos     0xff,
   1530  1.3  christos     0xff,
   1531  1.3  christos     0xff,
   1532  1.3  christos     0xff,
   1533  1.3  christos     0xff,
   1534  1.3  christos     0xff,
   1535  1.3  christos     0xff,
   1536  1.3  christos     0xff,
   1537  1.3  christos     0xff,
   1538  1.3  christos     0xff,
   1539  1.3  christos     0xff,
   1540  1.3  christos     0xff,
   1541  1.3  christos     0xff,
   1542  1.3  christos     0xff,
   1543  1.3  christos     0xff,
   1544  1.3  christos     0xff,
   1545  1.3  christos     0xff,
   1546  1.3  christos     0xff,
   1547  1.3  christos     0xff,
   1548  1.3  christos     0xff,
   1549  1.3  christos     0xff,
   1550  1.3  christos     0xff,
   1551  1.3  christos     0xff,
   1552  1.3  christos     0xff,
   1553  1.3  christos     0xff,
   1554  1.3  christos     0xff,
   1555  1.3  christos     0xff,
   1556  1.3  christos     0xff,
   1557  1.3  christos     0xff,
   1558  1.3  christos     0xff,
   1559  1.3  christos     0xff,
   1560  1.3  christos     0xff,
   1561  1.3  christos     0xff,
   1562  1.3  christos     0xff,
   1563  1.3  christos     0xff,
   1564  1.3  christos     0xff,
   1565  1.3  christos     0xff,
   1566  1.3  christos     0xff,
   1567  1.3  christos     0xff,
   1568  1.3  christos     0xff,
   1569  1.3  christos     0xff,
   1570  1.3  christos     0xff,
   1571  1.3  christos     0xff,
   1572  1.3  christos     0xff,
   1573  1.3  christos     0xff,
   1574  1.3  christos     0xff,
   1575  1.3  christos     0xff,
   1576  1.3  christos     0xff,
   1577  1.3  christos     0xff,
   1578  1.3  christos     0xff,
   1579  1.3  christos     0xff,
   1580  1.3  christos     0xff,
   1581  1.3  christos     0xff,
   1582  1.3  christos     0xff,
   1583  1.3  christos     0xff,
   1584  1.3  christos     0xff,
   1585  1.3  christos     0xff,
   1586  1.3  christos     0xff,
   1587  1.3  christos     0xff,
   1588  1.3  christos     0xff,
   1589  1.3  christos     0xff,
   1590  1.3  christos     0xfc,
   1591  1.3  christos     0x04,
   1592  1.3  christos     0x42,
   1593  1.3  christos     0x00,
   1594  1.3  christos     0x51,
   1595  1.3  christos     0x95,
   1596  1.3  christos     0x3e,
   1597  1.3  christos     0xb9,
   1598  1.3  christos     0x61,
   1599  1.3  christos     0x8e,
   1600  1.3  christos     0x1c,
   1601  1.3  christos     0x9a,
   1602  1.3  christos     0x1f,
   1603  1.3  christos     0x92,
   1604  1.3  christos     0x9a,
   1605  1.3  christos     0x21,
   1606  1.3  christos     0xa0,
   1607  1.3  christos     0xb6,
   1608  1.3  christos     0x85,
   1609  1.3  christos     0x40,
   1610  1.3  christos     0xee,
   1611  1.3  christos     0xa2,
   1612  1.3  christos     0xda,
   1613  1.3  christos     0x72,
   1614  1.3  christos     0x5b,
   1615  1.3  christos     0x99,
   1616  1.3  christos     0xb3,
   1617  1.3  christos     0x15,
   1618  1.3  christos     0xf3,
   1619  1.3  christos     0xb8,
   1620  1.3  christos     0xb4,
   1621  1.3  christos     0x89,
   1622  1.3  christos     0x91,
   1623  1.3  christos     0x8e,
   1624  1.3  christos     0xf1,
   1625  1.3  christos     0x09,
   1626  1.3  christos     0xe1,
   1627  1.3  christos     0x56,
   1628  1.3  christos     0x19,
   1629  1.3  christos     0x39,
   1630  1.3  christos     0x51,
   1631  1.3  christos     0xec,
   1632  1.3  christos     0x7e,
   1633  1.3  christos     0x93,
   1634  1.3  christos     0x7b,
   1635  1.3  christos     0x16,
   1636  1.3  christos     0x52,
   1637  1.3  christos     0xc0,
   1638  1.3  christos     0xbd,
   1639  1.3  christos     0x3b,
   1640  1.3  christos     0xb1,
   1641  1.3  christos     0xbf,
   1642  1.3  christos     0x07,
   1643  1.3  christos     0x35,
   1644  1.3  christos     0x73,
   1645  1.3  christos     0xdf,
   1646  1.3  christos     0x88,
   1647  1.3  christos     0x3d,
   1648  1.3  christos     0x2c,
   1649  1.3  christos     0x34,
   1650  1.3  christos     0xf1,
   1651  1.3  christos     0xef,
   1652  1.3  christos     0x45,
   1653  1.3  christos     0x1f,
   1654  1.3  christos     0xd4,
   1655  1.3  christos     0x6b,
   1656  1.3  christos     0x50,
   1657  1.3  christos     0x3f,
   1658  1.3  christos     0x00,
   1659  1.3  christos     0x03,
   1660  1.3  christos     0x15,
   1661  1.3  christos     0x00,
   1662  1.3  christos     0xd0,
   1663  1.3  christos     0x9e,
   1664  1.3  christos     0x88,
   1665  1.3  christos     0x00,
   1666  1.3  christos     0x29,
   1667  1.3  christos     0x1c,
   1668  1.3  christos     0xb8,
   1669  1.3  christos     0x53,
   1670  1.3  christos     0x96,
   1671  1.3  christos     0xcc,
   1672  1.3  christos     0x67,
   1673  1.3  christos     0x17,
   1674  1.3  christos     0x39,
   1675  1.3  christos     0x32,
   1676  1.3  christos     0x84,
   1677  1.3  christos     0xaa,
   1678  1.3  christos     0xa0,
   1679  1.3  christos     0xda,
   1680  1.3  christos     0x64,
   1681  1.3  christos     0xba,
   1682  1.3  christos     0x04,
   1683  1.3  christos     0x81,
   1684  1.3  christos     0x85,
   1685  1.3  christos     0x04,
   1686  1.3  christos     0x00,
   1687  1.3  christos     0xc6,
   1688  1.3  christos     0x85,
   1689  1.3  christos     0x8e,
   1690  1.3  christos     0x06,
   1691  1.3  christos     0xb7,
   1692  1.3  christos     0x04,
   1693  1.3  christos     0x04,
   1694  1.3  christos     0xe9,
   1695  1.3  christos     0xcd,
   1696  1.3  christos     0x9e,
   1697  1.3  christos     0x3e,
   1698  1.3  christos     0xcb,
   1699  1.3  christos     0x66,
   1700  1.3  christos     0x23,
   1701  1.3  christos     0x95,
   1702  1.3  christos     0xb4,
   1703  1.3  christos     0x42,
   1704  1.3  christos     0x9c,
   1705  1.3  christos     0x64,
   1706  1.3  christos     0x81,
   1707  1.3  christos     0x39,
   1708  1.3  christos     0x05,
   1709  1.3  christos     0x3f,
   1710  1.3  christos     0xb5,
   1711  1.3  christos     0x21,
   1712  1.3  christos     0xf8,
   1713  1.3  christos     0x28,
   1714  1.3  christos     0xaf,
   1715  1.3  christos     0x60,
   1716  1.3  christos     0x6b,
   1717  1.3  christos     0x4d,
   1718  1.3  christos     0x3d,
   1719  1.3  christos     0xba,
   1720  1.3  christos     0xa1,
   1721  1.3  christos     0x4b,
   1722  1.3  christos     0x5e,
   1723  1.3  christos     0x77,
   1724  1.3  christos     0xef,
   1725  1.3  christos     0xe7,
   1726  1.3  christos     0x59,
   1727  1.3  christos     0x28,
   1728  1.3  christos     0xfe,
   1729  1.3  christos     0x1d,
   1730  1.3  christos     0xc1,
   1731  1.3  christos     0x27,
   1732  1.3  christos     0xa2,
   1733  1.3  christos     0xff,
   1734  1.3  christos     0xa8,
   1735  1.3  christos     0xde,
   1736  1.3  christos     0x33,
   1737  1.3  christos     0x48,
   1738  1.3  christos     0xb3,
   1739  1.3  christos     0xc1,
   1740  1.3  christos     0x85,
   1741  1.3  christos     0x6a,
   1742  1.3  christos     0x42,
   1743  1.3  christos     0x9b,
   1744  1.3  christos     0xf9,
   1745  1.3  christos     0x7e,
   1746  1.3  christos     0x7e,
   1747  1.3  christos     0x31,
   1748  1.3  christos     0xc2,
   1749  1.3  christos     0xe5,
   1750  1.3  christos     0xbd,
   1751  1.3  christos     0x66,
   1752  1.3  christos     0x01,
   1753  1.3  christos     0x18,
   1754  1.3  christos     0x39,
   1755  1.3  christos     0x29,
   1756  1.3  christos     0x6a,
   1757  1.3  christos     0x78,
   1758  1.3  christos     0x9a,
   1759  1.3  christos     0x3b,
   1760  1.3  christos     0xc0,
   1761  1.3  christos     0x04,
   1762  1.3  christos     0x5c,
   1763  1.3  christos     0x8a,
   1764  1.3  christos     0x5f,
   1765  1.3  christos     0xb4,
   1766  1.3  christos     0x2c,
   1767  1.3  christos     0x7d,
   1768  1.3  christos     0x1b,
   1769  1.3  christos     0xd9,
   1770  1.3  christos     0x98,
   1771  1.3  christos     0xf5,
   1772  1.3  christos     0x44,
   1773  1.3  christos     0x49,
   1774  1.3  christos     0x57,
   1775  1.3  christos     0x9b,
   1776  1.3  christos     0x44,
   1777  1.3  christos     0x68,
   1778  1.3  christos     0x17,
   1779  1.3  christos     0xaf,
   1780  1.3  christos     0xbd,
   1781  1.3  christos     0x17,
   1782  1.3  christos     0x27,
   1783  1.3  christos     0x3e,
   1784  1.3  christos     0x66,
   1785  1.3  christos     0x2c,
   1786  1.3  christos     0x97,
   1787  1.3  christos     0xee,
   1788  1.3  christos     0x72,
   1789  1.3  christos     0x99,
   1790  1.3  christos     0x5e,
   1791  1.3  christos     0xf4,
   1792  1.3  christos     0x26,
   1793  1.3  christos     0x40,
   1794  1.3  christos     0xc5,
   1795  1.3  christos     0x50,
   1796  1.3  christos     0xb9,
   1797  1.3  christos     0x01,
   1798  1.3  christos     0x3f,
   1799  1.3  christos     0xad,
   1800  1.3  christos     0x07,
   1801  1.3  christos     0x61,
   1802  1.3  christos     0x35,
   1803  1.3  christos     0x3c,
   1804  1.3  christos     0x70,
   1805  1.3  christos     0x86,
   1806  1.3  christos     0xa2,
   1807  1.3  christos     0x72,
   1808  1.3  christos     0xc2,
   1809  1.3  christos     0x40,
   1810  1.3  christos     0x88,
   1811  1.3  christos     0xbe,
   1812  1.3  christos     0x94,
   1813  1.3  christos     0x76,
   1814  1.3  christos     0x9f,
   1815  1.3  christos     0xd1,
   1816  1.3  christos     0x66,
   1817  1.3  christos     0x50,
   1818  1.3  christos     0x02,
   1819  1.3  christos     0x42,
   1820  1.3  christos     0x01,
   1821  1.3  christos     0xff,
   1822  1.3  christos     0xff,
   1823  1.3  christos     0xff,
   1824  1.3  christos     0xff,
   1825  1.3  christos     0xff,
   1826  1.3  christos     0xff,
   1827  1.3  christos     0xff,
   1828  1.3  christos     0xff,
   1829  1.3  christos     0xff,
   1830  1.3  christos     0xff,
   1831  1.3  christos     0xff,
   1832  1.3  christos     0xff,
   1833  1.3  christos     0xff,
   1834  1.3  christos     0xff,
   1835  1.3  christos     0xff,
   1836  1.3  christos     0xff,
   1837  1.3  christos     0xff,
   1838  1.3  christos     0xff,
   1839  1.3  christos     0xff,
   1840  1.3  christos     0xff,
   1841  1.3  christos     0xff,
   1842  1.3  christos     0xff,
   1843  1.3  christos     0xff,
   1844  1.3  christos     0xff,
   1845  1.3  christos     0xff,
   1846  1.3  christos     0xff,
   1847  1.3  christos     0xff,
   1848  1.3  christos     0xff,
   1849  1.3  christos     0xff,
   1850  1.3  christos     0xff,
   1851  1.3  christos     0xff,
   1852  1.3  christos     0xff,
   1853  1.3  christos     0xfa,
   1854  1.3  christos     0x51,
   1855  1.3  christos     0x86,
   1856  1.3  christos     0x87,
   1857  1.3  christos     0x83,
   1858  1.3  christos     0xbf,
   1859  1.3  christos     0x2f,
   1860  1.3  christos     0x96,
   1861  1.3  christos     0x6b,
   1862  1.3  christos     0x7f,
   1863  1.3  christos     0xcc,
   1864  1.3  christos     0x01,
   1865  1.3  christos     0x48,
   1866  1.3  christos     0xf7,
   1867  1.3  christos     0x09,
   1868  1.3  christos     0xa5,
   1869  1.3  christos     0xd0,
   1870  1.3  christos     0x3b,
   1871  1.3  christos     0xb5,
   1872  1.3  christos     0xc9,
   1873  1.3  christos     0xb8,
   1874  1.3  christos     0x89,
   1875  1.3  christos     0x9c,
   1876  1.3  christos     0x47,
   1877  1.3  christos     0xae,
   1878  1.3  christos     0xbb,
   1879  1.3  christos     0x6f,
   1880  1.3  christos     0xb7,
   1881  1.3  christos     0x1e,
   1882  1.3  christos     0x91,
   1883  1.3  christos     0x38,
   1884  1.3  christos     0x64,
   1885  1.3  christos     0x09,
   1886  1.3  christos     0x02,
   1887  1.3  christos     0x01,
   1888  1.3  christos     0x01,
   1889  1.1  christos };
   1890  1.1  christos 
/*
 * Exercise EC_GROUP_check_named_curve() on the built-in curve curves[id].
 *
 * The untouched group and a duplicate of it must be reported as the curve's
 * own nid. Each altered variant built below (wrong curve name, a replaced
 * seed on a curve that defines one, a different generator, order, cofactor,
 * or p/a/b) must be rejected, and undoing the change must make the check
 * pass again. The optional fields (seed, cofactor) may be left unset
 * without failing the check.
 *
 * Why it matters: a check that compared only part of the parameter set
 * would let a look-alike group be accepted under a trusted curve name.
 *
 * Returns 1 on success and 0 on failure.
 */
static int check_named_curve_test(int id)
{
    int ok = 0, nid, field_nid, seeded;
    EC_GROUP *group = NULL, *gtest = NULL;
    const EC_POINT *group_gen = NULL;
    EC_POINT *other_gen = NULL;
    BIGNUM *group_p = NULL, *group_a = NULL, *group_b = NULL;
    BIGNUM *other_p = NULL, *other_a = NULL, *other_b = NULL;
    BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
    BIGNUM *other_order = NULL;
    const BIGNUM *group_order = NULL;
    BN_CTX *bn_ctx = NULL;
    static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
    static size_t invalid_seed_len = sizeof(invalid_seed);

    nid = curves[id].nid;

    /* Allocate the context, the reference group, its copy and the BIGNUMs. */
    if (!TEST_ptr(bn_ctx = BN_CTX_new())
        || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
        || !TEST_ptr(gtest = EC_GROUP_dup(group))
        || !TEST_ptr(group_p = BN_new())
        || !TEST_ptr(group_a = BN_new())
        || !TEST_ptr(group_b = BN_new())
        || !TEST_ptr(group_cofactor = BN_new()))
        goto end;

    /* Read the genuine generator, order, cofactor and curve coefficients. */
    if (!TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
        || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
        || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
        || !TEST_true(EC_GROUP_get_curve(group, group_p, group_a, group_b, NULL)))
        goto end;

    /* Altered generator: G + G in place of G. */
    if (!TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
        || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL)))
        goto end;

    /* Altered order, a, b and cofactor: each genuine value plus one. */
    if (!TEST_ptr(other_order = BN_dup(group_order))
        || !TEST_true(BN_add_word(other_order, 1)))
        goto end;
    if (!TEST_ptr(other_a = BN_dup(group_a))
        || !TEST_true(BN_add_word(other_a, 1)))
        goto end;
    if (!TEST_ptr(other_b = BN_dup(group_b))
        || !TEST_true(BN_add_word(other_b, 1)))
        goto end;
    if (!TEST_ptr(other_cofactor = BN_dup(group_cofactor))
        || !TEST_true(BN_add_word(other_cofactor, 1)))
        goto end;

    /* Remember whether the built-in curve carries a seed at all. */
    seeded = (EC_GROUP_get_seed_len(group) > 0);
    field_nid = EC_GROUP_get_field_type(group);

    /* Altered p: start from a copy of the genuine value in both cases. */
    if (!TEST_ptr(other_p = BN_dup(group_p)))
        goto end;
    if (field_nid == NID_X9_62_characteristic_two_field) {
        /* Binary field: shift the copied value left by one bit. */
        if (!TEST_true(BN_lshift1(other_p, other_p)))
            goto end;
    } else {
        /*
         * An arbitrary prime does not work here: setting p through
         * ec_GFp_nist_group_set_curve() needs a NIST prime. Use P-192,
         * or P-256 when the curve's own prime already is P-192.
         */
        if (!TEST_ptr(BN_copy(other_p,
                BN_ucmp(BN_get0_nist_prime_192(), other_p) == 0 ? BN_get0_nist_prime_256() : BN_get0_nist_prime_192())))
            goto end;
    }

    /* The unmodified curve is valid and reports its own nid. */
    if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
        goto end;
    /* With the second argument set to 1, only NIST curves pass. */
    if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 1, NULL),
            EC_curve_nid2nist(nid) != NULL ? nid : NID_undef))
        goto end;

    /* A curve name that does not match the parameters must be rejected. */
    EC_GROUP_set_curve_name(group, nid + 1);
    ERR_set_mark();
    if (!TEST_int_le(EC_GROUP_check_named_curve(group, 0, NULL), 0))
        goto end;
    /* Drop the errors queued by the expected failure. */
    ERR_pop_to_mark();

    /* Put the right name back; the check passes again. */
    EC_GROUP_set_curve_name(group, nid);
    if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
        goto end;

    /* Replace the seed with a value that belongs to no built-in curve. */
    if (!TEST_int_eq(EC_GROUP_set_seed(group, invalid_seed, invalid_seed_len),
            invalid_seed_len))
        goto end;

    if (!seeded) {
        /*
         * The built-in curve defines no seed, and the seed is optional, so
         * the check still passes with this one set.
         */
        if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
            goto end;
    } else {
        /*
         * The built-in curve has a seed of its own, so a different seed
         * must make the check fail.
         */
        if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), 0))
            goto end;
    }

    /* Clearing the seed passes, because the seed is optional. */
    if (!TEST_int_eq(EC_GROUP_set_seed(group, NULL, 0), 1)
        || !TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
        goto end;

    /* The duplicated group passes too. */
    if (!TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
        goto end;

    /* A different generator must be rejected. */
    if (!TEST_true(EC_GROUP_set_generator(gtest, other_gen, group_order,
            group_cofactor))
        || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
        goto end;

    /* A different order must be rejected. */
    if (!TEST_true(EC_GROUP_set_generator(gtest, group_gen, other_order,
            group_cofactor))
        || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
        goto end;

    /* The order is not optional, so setting a generator without it fails. */
    if (!TEST_false(EC_GROUP_set_generator(gtest, group_gen, NULL,
            group_cofactor)))
        goto end;

    /* A different cofactor must be rejected. */
    if (!TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
            other_cofactor))
        || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
        goto end;

    /* An unset cofactor still passes. */
    if (!TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
            NULL))
        || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
        goto end;

    /* Restoring the genuine generator, order and cofactor passes. */
    if (!TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
            group_cofactor))
        || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
        goto end;

    /*
     * Changing p, a or b must be rejected.
     *
     * Depending on the internal EC_METHOD implementation,
     * EC_GROUP_set_curve() may refuse arbitrary values for some groups, so
     * each check runs only when the setter succeeded. When it did not,
     * discard the errors it queued and place a fresh mark.
     */
    ERR_set_mark();
    if (!EC_GROUP_set_curve(gtest, other_p, group_a, group_b, NULL)) {
        ERR_pop_to_mark();
        ERR_set_mark();
    } else if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)) {
        goto end;
    }
    if (!EC_GROUP_set_curve(gtest, group_p, other_a, group_b, NULL)) {
        ERR_pop_to_mark();
        ERR_set_mark();
    } else if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)) {
        goto end;
    }
    if (!EC_GROUP_set_curve(gtest, group_p, group_a, other_b, NULL)) {
        ERR_pop_to_mark();
        ERR_set_mark();
    } else if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)) {
        goto end;
    }
    ERR_pop_to_mark();

    /* Restoring the genuine p, a and b passes. */
    if (!TEST_true(EC_GROUP_set_curve(gtest, group_p, group_a, group_b, NULL))
        || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
        goto end;

    ok = 1;

end:
    /* group_gen and group_order are get0 results and are not freed here. */
    BN_free(group_p);
    BN_free(other_p);
    BN_free(group_a);
    BN_free(other_a);
    BN_free(group_b);
    BN_free(other_b);
    BN_free(group_cofactor);
    BN_free(other_cofactor);
    BN_free(other_order);
    EC_POINT_free(other_gen);
    EC_GROUP_free(gtest);
    EC_GROUP_free(group);
    BN_CTX_free(bn_ctx);
    return ok;
}
   2082  1.1  christos 
/*
 * Check the lookup side of EC_GROUP_check_named_curve(): a group rebuilt
 * from the explicit parameters of built-in curve curves[id] must still be
 * resolved to a built-in nid.
 *
 * The nid found may be an alias rather than the original one. In that case
 * the alias is accepted only if its own explicit-parameter group compares
 * equal to the group under test.
 *
 * Returns 1 on success and 0 on failure.
 */
static int check_named_curve_lookup_test(int id)
{
    int ok = 0, nid, rv = 0;
    EC_GROUP *g = NULL, *ga = NULL;
    ECPARAMETERS *p = NULL, *pa = NULL;
    BN_CTX *ctx = NULL;

    nid = curves[id].nid;

    /* Build the named group and extract its explicit parameters. */
    if (!TEST_ptr(ctx = BN_CTX_new()))
        goto end;
    if (!TEST_ptr(g = EC_GROUP_new_by_curve_name(nid)))
        goto end;
    if (!TEST_ptr(p = EC_GROUP_get_ecparameters(g, NULL)))
        goto end;

    /* Swap the named group for one built from those explicit parameters. */
    EC_GROUP_free(g);
    if (!TEST_ptr(g = EC_GROUP_new_from_ecparameters(p)))
        goto end;

    /* The lookup has to resolve to some built-in curve. */
    if (!TEST_int_gt(rv = EC_GROUP_check_named_curve(g, 0, NULL), 0))
        goto end;

    if (rv == nid) {
        /* Exact match: nothing more to verify. */
        ok = 1;
        goto end;
    }

    /*
     * A different nid came back, so it has to be an alias of the original
     * curve. Both sides of the comparison are explicit-parameter groups, so
     * that EC_GROUP_cmp() sees unnamed EC_GROUPs using the same EC_METHODs.
     */
    if (!TEST_ptr(ga = EC_GROUP_new_by_curve_name(rv))
        || !TEST_ptr(pa = EC_GROUP_get_ecparameters(ga, NULL)))
        goto end;

    /* Swap the alias for its explicit-parameter form, then compare. */
    EC_GROUP_free(ga);
    if (!TEST_ptr(ga = EC_GROUP_new_from_ecparameters(pa))
        || !TEST_int_eq(EC_GROUP_cmp(g, ga, ctx), 0))
        goto end;

    ok = 1;

end:
    EC_GROUP_free(g);
    EC_GROUP_free(ga);
    ECPARAMETERS_free(p);
    ECPARAMETERS_free(pa);
    BN_CTX_free(ctx);

    return ok;
}
   2143  1.1  christos 
/*
 * Sometimes nids cannot be compared for equality, because the built-in
 * curve table lists the same curve under more than one name.
 *
 * Returns TRUE (1) if n1d and n2d are identical or alias the same curve,
 * FALSE (0) otherwise.
 *
 * The relation is not symmetric in every build: when
 * OPENSSL_NO_EC_NISTP_64_GCC_128 is not defined, n1d == wtls12 is accepted
 * only with n2d == NID_secp224r1. The callers in this file pass the
 * expected nid as n1d and the nid obtained from the group as n2d.
 */
static ossl_inline int are_ec_nids_compatible(int n1d, int n2d)
{
    switch (n1d) {
#ifndef OPENSSL_NO_EC2M
    case NID_sect113r1:
    case NID_wap_wsg_idm_ecid_wtls4:
        return (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
    case NID_sect163k1:
    case NID_wap_wsg_idm_ecid_wtls3:
        return (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
    case NID_sect233k1:
    case NID_wap_wsg_idm_ecid_wtls10:
        return (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
    case NID_sect233r1:
    case NID_wap_wsg_idm_ecid_wtls11:
        return (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
    case NID_X9_62_c2pnb163v1:
    case NID_wap_wsg_idm_ecid_wtls5:
        return (n2d == NID_X9_62_c2pnb163v1
            || n2d == NID_wap_wsg_idm_ecid_wtls5);
#endif /* OPENSSL_NO_EC2M */
    case NID_secp112r1:
    case NID_wap_wsg_idm_ecid_wtls6:
        return (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
    case NID_secp160r2:
    case NID_wap_wsg_idm_ecid_wtls7:
        return (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
#ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
    case NID_secp224r1:
    case NID_wap_wsg_idm_ecid_wtls12:
        return (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
#else
    /*
     * For SEC P-224 the SECP nid is the one that must come back, as it is
     * associated with a specialized method.
     */
    case NID_wap_wsg_idm_ecid_wtls12:
        return (n2d == NID_secp224r1);
#endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */

    default:
        break;
    }

    /* No alias group matched: only an identical nid is compatible. */
    return (n1d == n2d);
}
   2206  1.1  christos 
   2207  1.1  christos /*
   2208  1.1  christos  * This checks that EC_GROUP_new_from_ecparameters() returns a "named"
   2209  1.1  christos  * EC_GROUP for built-in curves.
   2210  1.1  christos  *
   2211  1.1  christos  * Note that it is possible to retrieve an alternative alias that does not match
   2212  1.1  christos  * the original nid.
   2213  1.1  christos  *
   2214  1.1  christos  * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
   2215  1.1  christos  */
   2216  1.1  christos static int check_named_curve_from_ecparameters(int id)
   2217  1.1  christos {
   2218  1.1  christos     int ret = 0, nid, tnid;
   2219  1.1  christos     EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
   2220  1.1  christos     const EC_POINT *group_gen = NULL;
   2221  1.1  christos     EC_POINT *other_gen = NULL;
   2222  1.1  christos     BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
   2223  1.1  christos     BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
   2224  1.1  christos     const BIGNUM *group_order = NULL;
   2225  1.1  christos     BIGNUM *other_order = NULL;
   2226  1.1  christos     BN_CTX *bn_ctx = NULL;
   2227  1.1  christos     static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
   2228  1.1  christos     static size_t invalid_seed_len = sizeof(invalid_seed);
   2229  1.1  christos     ECPARAMETERS *params = NULL, *other_params = NULL;
   2230  1.3  christos     EC_GROUP *g_ary[8] = { NULL };
   2231  1.1  christos     EC_GROUP **g_next = &g_ary[0];
   2232  1.3  christos     ECPARAMETERS *p_ary[8] = { NULL };
   2233  1.1  christos     ECPARAMETERS **p_next = &p_ary[0];
   2234  1.1  christos 
   2235  1.1  christos     /* Do some setup */
   2236  1.1  christos     nid = curves[id].nid;
   2237  1.1  christos     TEST_note("Curve %s", OBJ_nid2sn(nid));
   2238  1.1  christos     if (!TEST_ptr(bn_ctx = BN_CTX_new()))
   2239  1.1  christos         return ret;
   2240  1.1  christos     BN_CTX_start(bn_ctx);
   2241  1.1  christos 
   2242  1.1  christos     if (/* Allocations */
   2243  1.1  christos         !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
   2244  1.1  christos         || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
   2245  1.1  christos         || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
   2246  1.1  christos         || !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
   2247  1.1  christos         || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
   2248  1.1  christos         /* Generate reference group and params */
   2249  1.1  christos         || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
   2250  1.1  christos         || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
   2251  1.1  christos         || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
   2252  1.1  christos         || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
   2253  1.1  christos         || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
   2254  1.1  christos         /* compute `other_*` values */
   2255  1.1  christos         || !TEST_ptr(tmpg = EC_GROUP_dup(group))
   2256  1.1  christos         || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
   2257  1.1  christos         || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
   2258  1.1  christos         || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
   2259  1.3  christos             other_gen_x, other_gen_y, bn_ctx))
   2260  1.1  christos         || !TEST_true(BN_copy(other_order, group_order))
   2261  1.1  christos         || !TEST_true(BN_add_word(other_order, 1))
   2262  1.1  christos         || !TEST_true(BN_copy(other_cofactor, group_cofactor))
   2263  1.1  christos         || !TEST_true(BN_add_word(other_cofactor, 1)))
   2264  1.1  christos         goto err;
   2265  1.1  christos 
   2266  1.1  christos     EC_POINT_free(other_gen);
   2267  1.1  christos     other_gen = NULL;
   2268  1.1  christos 
   2269  1.1  christos     if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
   2270  1.1  christos         || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
   2271  1.3  christos             other_gen_x, other_gen_y,
   2272  1.3  christos             bn_ctx)))
   2273  1.1  christos         goto err;
   2274  1.1  christos 
   2275  1.1  christos     /*
   2276  1.1  christos      * ###########################
   2277  1.1  christos      * # Actual tests start here #
   2278  1.1  christos      * ###########################
   2279  1.1  christos      */
   2280  1.1  christos 
   2281  1.1  christos     /*
   2282  1.1  christos      * Creating a group from built-in explicit parameters returns a
   2283  1.1  christos      * "named" EC_GROUP
   2284  1.1  christos      */
   2285  1.1  christos     if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
   2286  1.1  christos         || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
   2287  1.1  christos         goto err;
   2288  1.1  christos     /*
   2289  1.1  christos      * We cannot always guarantee the names match, as the built-in table
   2290  1.1  christos      * contains aliases for the same curve with different names.
   2291  1.1  christos      */
   2292  1.1  christos     if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
   2293  1.1  christos         TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
   2294  1.1  christos         goto err;
   2295  1.1  christos     }
   2296  1.1  christos     /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
   2297  1.1  christos     if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
   2298  1.1  christos         goto err;
   2299  1.1  christos 
   2300  1.1  christos     /*
   2301  1.1  christos      * An invalid seed in the parameters should be ignored: expect a "named"
   2302  1.1  christos      * group.
   2303  1.1  christos      */
   2304  1.1  christos     if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
   2305  1.3  christos             invalid_seed_len)
   2306  1.3  christos         || !TEST_ptr(other_params = *p_next++ = EC_GROUP_get_ecparameters(tmpg, NULL))
   2307  1.3  christos         || !TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(other_params))
   2308  1.3  christos         || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
   2309  1.3  christos         || !TEST_true(are_ec_nids_compatible(nid, tnid))
   2310  1.3  christos         || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
   2311  1.3  christos             OPENSSL_EC_EXPLICIT_CURVE)) {
   2312  1.1  christos         TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
   2313  1.1  christos         goto err;
   2314  1.1  christos     }
   2315  1.1  christos 
   2316  1.1  christos     /*
   2317  1.1  christos      * A null seed in the parameters should be ignored, as it is optional:
   2318  1.1  christos      * expect a "named" group.
   2319  1.1  christos      */
   2320  1.1  christos     if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
   2321  1.3  christos         || !TEST_ptr(other_params = *p_next++ = EC_GROUP_get_ecparameters(tmpg, NULL))
   2322  1.3  christos         || !TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(other_params))
   2323  1.3  christos         || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
   2324  1.3  christos         || !TEST_true(are_ec_nids_compatible(nid, tnid))
   2325  1.3  christos         || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
   2326  1.3  christos             OPENSSL_EC_EXPLICIT_CURVE)) {
   2327  1.1  christos         TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
   2328  1.1  christos         goto err;
   2329  1.1  christos     }
   2330  1.1  christos 
   2331  1.1  christos     /*
   2332  1.1  christos      * Check that changing any of the generator parameters does not yield a
   2333  1.1  christos      * match with the built-in curves
   2334  1.1  christos      */
   2335  1.1  christos     if (/* Other gen, same group order & cofactor */
   2336  1.1  christos         !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
   2337  1.3  christos             group_cofactor))
   2338  1.3  christos         || !TEST_ptr(other_params = *p_next++ = EC_GROUP_get_ecparameters(tmpg, NULL))
   2339  1.3  christos         || !TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(other_params))
   2340  1.1  christos         || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
   2341  1.1  christos         /* Same gen & cofactor, different order */
   2342  1.1  christos         || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
   2343  1.3  christos             group_cofactor))
   2344  1.3  christos         || !TEST_ptr(other_params = *p_next++ = EC_GROUP_get_ecparameters(tmpg, NULL))
   2345  1.3  christos         || !TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(other_params))
   2346  1.1  christos         || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
   2347  1.1  christos         /* The order is not an optional field, so this should fail */
   2348  1.1  christos         || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
   2349  1.3  christos             group_cofactor))
   2350  1.1  christos         /* Check that a wrong cofactor is ignored, and we still match */
   2351  1.1  christos         || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
   2352  1.3  christos             other_cofactor))
   2353  1.3  christos         || !TEST_ptr(other_params = *p_next++ = EC_GROUP_get_ecparameters(tmpg, NULL))
   2354  1.3  christos         || !TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(other_params))
   2355  1.1  christos         || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
   2356  1.1  christos         || !TEST_true(are_ec_nids_compatible(nid, tnid))
   2357  1.1  christos         || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
   2358  1.3  christos             OPENSSL_EC_EXPLICIT_CURVE)
   2359  1.1  christos         /* Check that if the cofactor is not set then it still matches */
   2360  1.1  christos         || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
   2361  1.3  christos             NULL))
   2362  1.3  christos         || !TEST_ptr(other_params = *p_next++ = EC_GROUP_get_ecparameters(tmpg, NULL))
   2363  1.3  christos         || !TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(other_params))
   2364  1.1  christos         || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
   2365  1.1  christos         || !TEST_true(are_ec_nids_compatible(nid, tnid))
   2366  1.1  christos         || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
   2367  1.3  christos             OPENSSL_EC_EXPLICIT_CURVE)
   2368  1.1  christos         /* check that restoring the generator passes */
   2369  1.1  christos         || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
   2370  1.3  christos             group_cofactor))
   2371  1.3  christos         || !TEST_ptr(other_params = *p_next++ = EC_GROUP_get_ecparameters(tmpg, NULL))
   2372  1.3  christos         || !TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(other_params))
   2373  1.1  christos         || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
   2374  1.1  christos         || !TEST_true(are_ec_nids_compatible(nid, tnid))
   2375  1.1  christos         || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
   2376  1.3  christos             OPENSSL_EC_EXPLICIT_CURVE))
   2377  1.1  christos         goto err;
   2378  1.1  christos 
   2379  1.1  christos     ret = 1;
   2380  1.1  christos err:
   2381  1.1  christos     for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
   2382  1.1  christos         EC_GROUP_free(*g_next);
   2383  1.1  christos     for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)
   2384  1.1  christos         ECPARAMETERS_free(*p_next);
   2385  1.1  christos     ECPARAMETERS_free(params);
   2386  1.1  christos     EC_POINT_free(other_gen);
   2387  1.1  christos     EC_GROUP_free(tmpg);
   2388  1.1  christos     EC_GROUP_free(group);
   2389  1.1  christos     BN_CTX_end(bn_ctx);
   2390  1.1  christos     BN_CTX_free(bn_ctx);
   2391  1.1  christos     return ret;
   2392  1.1  christos }
   2393  1.1  christos 
/*
 * Round-trips built-in curves through ECPARAMETERS and through DER.
 *
 * Three things are checked, in order:
 * - secp384r1 converted with EC_GROUP_get_ecparameters() and rebuilt with
 *   EC_GROUP_new_from_ecparameters() compares equal under EC_GROUP_cmp();
 * - i2d_ECPKParameters() on a fresh secp521r1 group produces exactly the
 *   p521_named bytes (named-curve form is expected to be the default);
 * - after OPENSSL_EC_EXPLICIT_CURVE is set on that group, the output is
 *   exactly the p521_explicit bytes.
 *
 * Returns 1 on success, 0 as soon as one check fails.
 */
static int parameter_test(void)
{
    int r = 0, len;
    unsigned char *buf = NULL;
    ECPARAMETERS *ecparameters = NULL;
    EC_GROUP *group = NULL, *group2 = NULL;

    /* ECPARAMETERS round trip on secp384r1. */
    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1)))
        goto err;
    if (!TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL)))
        goto err;
    if (!TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters)))
        goto err;
    if (!TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
        goto err;

    /* The variable is reused below; clear it so err never frees it twice. */
    EC_GROUP_free(group);
    group = NULL;

    /* Test the named curve encoding, which should be default. */
    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1)))
        goto err;
    if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0))
        goto err;
    if (!TEST_mem_eq(buf, len, p521_named, sizeof(p521_named)))
        goto err;

    /* Release the first encoding before buf receives the second one. */
    OPENSSL_free(buf);
    buf = NULL;

    /*
     * Test the explicit encoding. P-521 requires correctly zero-padding the
     * curve coefficients.
     */
    EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
    if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0))
        goto err;
    if (!TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit)))
        goto err;

    r = 1;
err:
    EC_GROUP_free(group);
    EC_GROUP_free(group2);
    ECPARAMETERS_free(ecparameters);
    OPENSSL_free(buf);
    return r;
}
   2436  1.1  christos 
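/*
 * This test validates converting an EC_GROUP to an OSSL_PARAM array
 * using EC_GROUP_to_params(). A named and an explicit curve are tested.
 *
 * The named case converts secp384r1 to params and back, once with a NULL
 * BN_CTX and once with a caller-supplied one. The explicit case assembles an
 * OSSL_PARAM array by hand from the secp384r1 field type, p, a, b, optional
 * seed, optional cofactor, uncompressed generator and order, builds a group
 * from it, and round-trips that group through EC_GROUP_to_params().
 *
 * Returns 1 on success, 0 as soon as one check fails.
 */
static int ossl_parameter_test(void)
{
    EC_GROUP *group_nmd = NULL, *group_nmd2 = NULL, *group_nmd3 = NULL;
    EC_GROUP *group_exp = NULL, *group_exp2 = NULL;
    OSSL_PARAM *params_nmd = NULL, *params_nmd2 = NULL;
    OSSL_PARAM *params_exp = NULL, *params_exp2 = NULL;
    unsigned char *buf2 = NULL;
    BN_CTX *bn_ctx = NULL;
    OSSL_PARAM_BLD *bld = NULL;
    BIGNUM *p, *a, *b;
    const EC_POINT *group_gen = NULL;
    size_t bsize;
    int r = 0;

    if (!TEST_ptr(bn_ctx = BN_CTX_new()))
        goto err;

    /*
     * Open the frame as soon as the context exists. The cleanup code calls
     * BN_CTX_end() unconditionally, and that call has to be paired with a
     * BN_CTX_start() on every route that reaches err with a live context.
     */
    BN_CTX_start(bn_ctx);

    /* test named curve */
    if (!TEST_ptr(group_nmd = EC_GROUP_new_by_curve_name(NID_secp384r1))
        /* test with null BN_CTX */
        || !TEST_ptr(params_nmd = EC_GROUP_to_params(
                         group_nmd, NULL, NULL, NULL))
        || !TEST_ptr(group_nmd2 = EC_GROUP_new_from_params(
                         params_nmd, NULL, NULL))
        || !TEST_int_eq(EC_GROUP_cmp(group_nmd, group_nmd2, NULL), 0)
        /* test with BN_CTX set */
        || !TEST_ptr(params_nmd2 = EC_GROUP_to_params(
                         group_nmd, NULL, NULL, bn_ctx))
        || !TEST_ptr(group_nmd3 = EC_GROUP_new_from_params(
                         params_nmd2, NULL, NULL))
        || !TEST_int_eq(EC_GROUP_cmp(group_nmd, group_nmd3, NULL), 0))
        goto err;

    /* test explicit curve */
    if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()))
        goto err;

    p = BN_CTX_get(bn_ctx);
    a = BN_CTX_get(bn_ctx);

    /*
     * Once BN_CTX_get() has failed it keeps returning NULL, so checking the
     * last request covers p and a as well.
     */
    if (!TEST_ptr(b = BN_CTX_get(bn_ctx))
        || !TEST_true(EC_GROUP_get_curve(group_nmd, p, a, b, bn_ctx))
        || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(
            bld, OSSL_PKEY_PARAM_EC_FIELD_TYPE, SN_X9_62_prime_field, 0))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_P, p))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_A, a))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_B, b)))
        goto err;

    /* Seed and cofactor are pushed only when the source group has them. */
    if (EC_GROUP_get0_seed(group_nmd) != NULL) {
        if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(
                bld, OSSL_PKEY_PARAM_EC_SEED, EC_GROUP_get0_seed(group_nmd),
                EC_GROUP_get_seed_len(group_nmd))))
            goto err;
    }
    if (EC_GROUP_get0_cofactor(group_nmd) != NULL) {
        if (!TEST_true(OSSL_PARAM_BLD_push_BN(
                bld, OSSL_PKEY_PARAM_EC_COFACTOR,
                EC_GROUP_get0_cofactor(group_nmd))))
            goto err;
    }

    /*
     * Encode the generator uncompressed. The first EC_POINT_point2oct() call
     * passes no buffer and only reports the required size; the second call
     * must write exactly that many bytes into buf2.
     */
    if (!TEST_ptr(group_gen = EC_GROUP_get0_generator(group_nmd))
        || !TEST_size_t_gt(bsize = EC_POINT_point2oct(
                               group_nmd, group_gen,
                               POINT_CONVERSION_UNCOMPRESSED, NULL, 0, bn_ctx),
            0)
        || !TEST_ptr(buf2 = OPENSSL_malloc(bsize))
        || !TEST_size_t_eq(EC_POINT_point2oct(
                               group_nmd, group_gen,
                               POINT_CONVERSION_UNCOMPRESSED, buf2, bsize, bn_ctx),
            bsize)
        || !TEST_true(OSSL_PARAM_BLD_push_octet_string(
            bld, OSSL_PKEY_PARAM_EC_GENERATOR, buf2, bsize))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(
            bld, OSSL_PKEY_PARAM_EC_ORDER, EC_GROUP_get0_order(group_nmd))))
        goto err;

    /* Build the explicit group, then round-trip it through OSSL_PARAM. */
    if (!TEST_ptr(params_exp = OSSL_PARAM_BLD_to_param(bld))
        || !TEST_ptr(group_exp = EC_GROUP_new_from_params(params_exp, NULL, NULL))
        || !TEST_ptr(params_exp2 = EC_GROUP_to_params(group_exp, NULL, NULL, NULL))
        || !TEST_ptr(group_exp2 = EC_GROUP_new_from_params(params_exp2, NULL, NULL))
        || !TEST_int_eq(EC_GROUP_cmp(group_exp, group_exp2, NULL), 0))
        goto err;

    r = 1;

err:
    EC_GROUP_free(group_nmd);
    EC_GROUP_free(group_nmd2);
    EC_GROUP_free(group_nmd3);
    OSSL_PARAM_free(params_nmd);
    OSSL_PARAM_free(params_nmd2);

    EC_GROUP_free(group_exp);
    EC_GROUP_free(group_exp2);
    BN_CTX_end(bn_ctx);
    BN_CTX_free(bn_ctx);
    OPENSSL_free(buf2);
    OSSL_PARAM_BLD_free(bld);
    OSSL_PARAM_free(params_exp);
    OSSL_PARAM_free(params_exp2);
    return r;
}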
   2547  1.1  christos 
/*-
 * random 256-bit explicit parameters curve, cofactor absent
 * order:    0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
 * cofactor:   0x12bc94785251297abfafddf1565100da (125 bit)
 *
 * DER encoding, laid out one ASN.1 element per group. The encoding stops
 * after the order: there is no cofactor element.
 */
static const unsigned char params_cf_pass[] = {
    /* SEQUENCE, 0xcd content bytes */
    0x30, 0x81, 0xcd,
    /* INTEGER: version 1 */
    0x02, 0x01, 0x01,
    /* SEQUENCE: field identifier */
    0x30, 0x2c,
    /* OBJECT IDENTIFIER 1.2.840.10045.1.1 (prime field) */
    0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01,
    /* INTEGER: prime p (leading zero octet keeps it non-negative) */
    0x02, 0x21, 0x00,
    0xe5, 0x00, 0x1f, 0xc5, 0xca, 0x71, 0x9d, 0x8e,
    0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
    0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff,
    0xb6, 0x7b, 0xc3, 0x93, 0x44, 0x88, 0xe6, 0x91,
    /* SEQUENCE: curve coefficients */
    0x30, 0x44,
    /* OCTET STRING: a (these bytes equal p - 3) */
    0x04, 0x20,
    0xe5, 0x00, 0x1f, 0xc5, 0xca, 0x71, 0x9d, 0x8e,
    0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
    0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff,
    0xb6, 0x7b, 0xc3, 0x93, 0x44, 0x88, 0xe6, 0x8e,
    /* OCTET STRING: b */
    0x04, 0x20,
    0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc, 0x85, 0x57,
    0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e,
    0x42, 0x27, 0x07, 0x64, 0xaa, 0x26, 0xed, 0x89,
    0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23, 0x47, 0xda,
    /* OCTET STRING: generator, uncompressed (0x04 || X || Y) */
    0x04, 0x41, 0x04,
    /* generator X */
    0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77, 0xfd,
    0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b,
    0x09, 0x31, 0x6b, 0xfa, 0xf6, 0xce, 0x1f, 0xff,
    0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4, 0xba,
    /* generator Y */
    0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55,
    0x6d, 0x5a, 0xe9, 0xc0, 0x3d, 0xbc, 0xfb, 0xaf,
    0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a, 0x58,
    0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca,
    /* INTEGER: order */
    0x02, 0x11,
    0x0c, 0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88,
    0x77, 0x2e, 0xc2, 0xe3, 0x96, 0x14, 0xa8, 0x2f,
    0x4f
};
   2573  1.1  christos 
/*-
 * random 256-bit explicit parameters curve, cofactor absent
 * order:    0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
 * cofactor:   0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
 *
 * DER encoding, laid out one ASN.1 element per group. The encoding stops
 * after the order: there is no cofactor element.
 */
static const unsigned char params_cf_fail[] = {
    /* SEQUENCE, 0xcd content bytes */
    0x30, 0x81, 0xcd,
    /* INTEGER: version 1 */
    0x02, 0x01, 0x01,
    /* SEQUENCE: field identifier */
    0x30, 0x2c,
    /* OBJECT IDENTIFIER 1.2.840.10045.1.1 (prime field) */
    0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01,
    /* INTEGER: prime p (leading zero octet keeps it non-negative) */
    0x02, 0x21, 0x00,
    0xc8, 0x95, 0x27, 0x37, 0xe8, 0xe1, 0xfd, 0xcc,
    0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
    0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6,
    0xac, 0x62, 0x50, 0xd0, 0x33, 0xc2, 0xea, 0x13,
    /* SEQUENCE: curve coefficients */
    0x30, 0x44,
    /* OCTET STRING: a (these bytes equal p - 3) */
    0x04, 0x20,
    0xc8, 0x95, 0x27, 0x37, 0xe8, 0xe1, 0xfd, 0xcc,
    0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
    0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6,
    0xac, 0x62, 0x50, 0xd0, 0x33, 0xc2, 0xea, 0x10,
    /* OCTET STRING: b */
    0x04, 0x20,
    0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09, 0xac, 0x70,
    0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41,
    0x14, 0x1d, 0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63,
    0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02, 0x15, 0x0a,
    /* OCTET STRING: generator, uncompressed (0x04 || X || Y) */
    0x04, 0x41, 0x04,
    /* generator X */
    0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59, 0x1d,
    0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f,
    0x49, 0x7c, 0x11, 0x27, 0x05, 0xa0, 0x7f, 0xff,
    0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24, 0x8e,
    /* generator Y */
    0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a,
    0x9f, 0x35, 0x70, 0xe1, 0x27, 0xd5, 0x35, 0x8a,
    0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73, 0x1c,
    0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d,
    /* INTEGER: order */
    0x02, 0x11,
    0x04, 0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb,
    0xd9, 0xb1, 0x69, 0xa1, 0x0e, 0x34, 0xa2, 0x21,
    0x01
};
   2599  1.1  christos 
/*-
 * Test two random 256-bit explicit parameters curves with absent cofactor.
 * The two curves are chosen to roughly straddle the bounds at which the lib
 * can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
 *
 * - params_cf_pass: order is sufficiently close to p to compute cofactor
 * - params_cf_fail: order is too far away from p to compute cofactor
 *
 * In the failing case decoding is still expected to succeed; the group then
 * reports a zero cofactor. In the passing case the computed cofactor must
 * equal 0x12bc94785251297abfafddf1565100da.
 *
 * For standards-compliant curves, cofactor is chosen as small as possible.
 * So you can see neither of these curves are fit for cryptographic use.
 *
 * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
 * h <= 2**(t/8) where t is the security level of the curve, for which the lib
 * will always succeed in computing the cofactor. Neither of these curves
 * conform to that -- this is just robustness testing.
 *
 * Returns 1 on success, 0 as soon as one check fails.
 */
static int cofactor_range_test(void)
{
    int ret = 0;
    BIGNUM *cf = NULL;
    EC_GROUP *group = NULL;
    /* d2i advances the pointer it is given, so decode through copies. */
    const unsigned char *b1 = params_cf_fail;
    const unsigned char *b2 = params_cf_pass;

    /* Order too far from p: no cofactor can be derived. */
    if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail))))
        goto err;
    if (!TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group)))
        goto err;

    /* Order close enough to p: decode into the same EC_GROUP variable. */
    if (!TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
                      sizeof(params_cf_pass))))
        goto err;
    if (!TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0))
        goto err;
    if (!TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
        goto err;

    ret = 1;
err:
    BN_free(cf);
    EC_GROUP_free(group);
    return ret;
}
   2637  1.1  christos 
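/*-
 * For named curves, test that:
 * - the lib correctly computes the cofactor if passed a NULL or zero cofactor
 * - a nonsensical cofactor throws an error (negative test)
 * - nonsensical orders throw errors (negative tests)
 *
 * A second group g2 is built from the explicit parameters of the built-in
 * curve g1, and EC_GROUP_set_generator() is then driven with valid and
 * invalid order/cofactor combinations.
 *
 * n indexes the file-level curves[] table. Returns 1 on success, 0 as soon
 * as one check fails.
 */
static int cardinality_test(int n)
{
    int ret = 0, is_binary = 0;
    int nid = curves[n].nid;
    BN_CTX *ctx = NULL;
    EC_GROUP *g1 = NULL, *g2 = NULL;
    EC_POINT *g2_gen = NULL;
    BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
           *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;

    TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));

    /*
     * Return directly instead of jumping to err: BN_CTX_start() has not run
     * yet, so the BN_CTX_end() in the shared cleanup must not be reached.
     */
    if (!TEST_ptr(ctx = BN_CTX_new())
        || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))) {
        BN_CTX_free(ctx);
        return 0;
    }

    is_binary = (EC_GROUP_get_field_type(g1) == NID_X9_62_characteristic_two_field);

    BN_CTX_start(ctx);
    g1_p = BN_CTX_get(ctx);
    g1_a = BN_CTX_get(ctx);
    g1_b = BN_CTX_get(ctx);
    g1_x = BN_CTX_get(ctx);
    g1_y = BN_CTX_get(ctx);
    g1_order = BN_CTX_get(ctx);
    g1_cf = BN_CTX_get(ctx);

    /*
     * Only the last BN_CTX_get() is checked: once one request fails, the
     * later ones return NULL as well.
     */
    if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
        /* pull out the explicit curve parameters */
        || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
        || !TEST_true(EC_POINT_get_affine_coordinates(g1,
            EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
        || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
        || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
        /* construct g2 manually with g1 parameters */
#ifndef OPENSSL_NO_EC2M
        || !TEST_ptr(g2 = (is_binary)
                ? EC_GROUP_new_curve_GF2m(g1_p, g1_a, g1_b, ctx)
                : EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx))
#else
        || !TEST_int_eq(0, is_binary)
        || !TEST_ptr(g2 = EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx))
#endif
        || !TEST_ptr(g2_gen = EC_POINT_new(g2))
        || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
        /* pass NULL cofactor: lib should compute it */
        || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
        || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
        || !TEST_BN_eq(g1_cf, g2_cf)
        /* pass zero cofactor: lib should compute it */
        || !TEST_true(BN_set_word(g2_cf, 0))
        || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
        || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
        || !TEST_BN_eq(g1_cf, g2_cf)
        /* negative test for invalid cofactor (-1) */
        || !TEST_true(BN_set_word(g2_cf, 0))
        || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
        /* negative test for NULL order */
        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
        /* negative test for zero order */
        || !TEST_true(BN_set_word(g1_order, 0))
        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
        /*
         * negative test for negative order: the value made negative has to
         * be g1_order, the operand that is actually passed as the order.
         * Decrementing g2_cf here would leave g1_order at zero and merely
         * repeat the zero-order case above.
         */
        || !TEST_true(BN_set_word(g1_order, 0))
        || !TEST_true(BN_sub(g1_order, g1_order, BN_value_one()))
        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
        /* negative test for too large order (4 * p) */
        || !TEST_true(BN_lshift(g1_order, g1_p, 2))
        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
        goto err;
    ret = 1;
err:
    EC_POINT_free(g2_gen);
    EC_GROUP_free(g1);
    EC_GROUP_free(g2);
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    return ret;
}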
   2724  1.1  christos 
/*
 * Checks that EC_KEY_set_public_key_affine_coordinates() refuses a public
 * point whose x coordinate lies outside the field range.
 *
 * A key is generated on curves[id] and validated with EC_KEY_check_key().
 * The field value is then added to the public x coordinate, which leaves the
 * same point on the curve but an out-of-range encoding of it, and setting
 * that (x, y) pair as the public key must not succeed.
 *
 * Returns 1 when the out-of-range coordinate is rejected, 0 otherwise.
 */
static int check_ec_key_field_public_range_test(int id)
{
    int ret = 0, type = 0;
    EC_KEY *key = NULL;
    BIGNUM *x = NULL, *y = NULL;
    const BIGNUM *field = NULL;
    const EC_GROUP *group = NULL;
    const EC_POINT *pub = NULL;

    /* Set up a fresh, valid key and read back its affine public point. */
    if (!TEST_ptr(x = BN_new()))
        goto err;
    if (!TEST_ptr(y = BN_new()))
        goto err;
    if (!TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid)))
        goto err;
    if (!TEST_ptr(group = EC_KEY_get0_group(key)))
        goto err;
    if (!TEST_ptr(field = EC_GROUP_get0_field(group)))
        goto err;
    if (!TEST_int_gt(EC_KEY_generate_key(key), 0))
        goto err;
    if (!TEST_int_gt(EC_KEY_check_key(key), 0))
        goto err;
    if (!TEST_ptr(pub = EC_KEY_get0_public_key(key)))
        goto err;
    if (!TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y, NULL), 0))
        goto err;

    /*
     * Make the public point out of range by adding the field (which will still
     * be the same point on the curve). The add is different for char2 fields.
     */
    type = EC_GROUP_get_field_type(group);
    if (type == NID_X9_62_prime_field) {
        /* test for prime curves */
        if (!TEST_true(BN_add(x, x, field)))
            goto err;
#ifndef OPENSSL_NO_EC2M
    } else if (type == NID_X9_62_characteristic_two_field) {
        /* test for binary curves */
        if (!TEST_true(BN_GF2m_add(x, x, field)))
            goto err;
#endif
    } else {
        /* this should never happen */
        TEST_error("Unsupported EC_METHOD field_type");
        goto err;
    }

    /* The setter has to report failure (<= 0) for the shifted coordinate. */
    if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0))
        goto err;

    ret = 1;
err:
    BN_free(x);
    BN_free(y);
    EC_KEY_free(key);
    return ret;
}
   2778  1.1  christos 
/*
 * Helper for ec_point_hex2point_test
 *
 * Converts P to a hex string with EC_POINT_point2hex() using the requested
 * conversion form, parses that string back with EC_POINT_hex2point(), and
 * requires the parsed point to compare equal to P under EC_POINT_cmp().
 *
 * If P is NULL the point at infinity is used instead; in that case the parsed
 * point is additionally checked with EC_POINT_is_at_infinity().
 *
 * Returns 1 on success, 0 as soon as one check fails.
 */
static ossl_inline int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P,
    point_conversion_form_t form,
    BN_CTX *bnctx)
{
    char *hex = NULL;
    EC_POINT *Pinf = NULL, *Q = NULL;
    int ret = 0;

    /* If P is NULL use point at infinity. */
    if (P == NULL) {
        if (!TEST_ptr(Pinf = EC_POINT_new(group)))
            goto err;
        if (!TEST_true(EC_POINT_set_to_infinity(group, Pinf)))
            goto err;
        P = Pinf;
    }

    /* point -> hex -> point, then compare with the starting point. */
    if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx)))
        goto err;
    if (!TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx)))
        goto err;
    if (!TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx)))
        goto err;

    /*
     * The next check is most likely superfluous, as EC_POINT_cmp should already
     * cover this.
     * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity,
     * so we include it anyway!
     */
    if (Pinf != NULL) {
        if (!TEST_true(EC_POINT_is_at_infinity(group, Q)))
            goto err;
    }

    ret = 1;

err:
    EC_POINT_free(Pinf);
    OPENSSL_free(hex);
    EC_POINT_free(Q);

    return ret;
}
   2827  1.1  christos 
   /*
    * Self-validates EC_POINT_hex2point() against EC_POINT_point2hex() for the
    * built-in curve at index |id| of the global curves[] table.
    *
    * For each of the compressed, uncompressed and hybrid conversion forms the
    * round trip is run twice: once on a copy of the group generator and once
    * on the point at infinity (requested by passing NULL to the helper).
    *
    * Returns 1 on success, 0 on failure.
    */
   static int ec_point_hex2point_test(int id)
   {
       BN_CTX *bnctx = NULL;
       EC_GROUP *group = NULL;
       EC_POINT *P = NULL;
       const EC_POINT *G = NULL;
       int nid, ret = 0;

       /* Set up: BN context, the named group, and a private copy of G. */
       nid = curves[id].nid;
       if (!TEST_ptr(bnctx = BN_CTX_new()))
           goto err;
       if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
           goto err;
       if (!TEST_ptr(G = EC_GROUP_get0_generator(group)))
           goto err;
       if (!TEST_ptr(P = EC_POINT_dup(G, group)))
           goto err;

       /* Compressed form: generator copy, then point at infinity. */
       if (!TEST_true(ec_point_hex2point_test_helper(group, P,
               POINT_CONVERSION_COMPRESSED,
               bnctx)))
           goto err;
       if (!TEST_true(ec_point_hex2point_test_helper(group, NULL,
               POINT_CONVERSION_COMPRESSED,
               bnctx)))
           goto err;

       /* Uncompressed form: generator copy, then point at infinity. */
       if (!TEST_true(ec_point_hex2point_test_helper(group, P,
               POINT_CONVERSION_UNCOMPRESSED,
               bnctx)))
           goto err;
       if (!TEST_true(ec_point_hex2point_test_helper(group, NULL,
               POINT_CONVERSION_UNCOMPRESSED,
               bnctx)))
           goto err;

       /* Hybrid form: generator copy, then point at infinity. */
       if (!TEST_true(ec_point_hex2point_test_helper(group, P,
               POINT_CONVERSION_HYBRID,
               bnctx)))
           goto err;
       if (!TEST_true(ec_point_hex2point_test_helper(group, NULL,
               POINT_CONVERSION_HYBRID,
               bnctx)))
           goto err;

       ret = 1;

   err:
       /* G is a get0 reference into |group| and is therefore not freed here. */
       EC_POINT_free(P);
       EC_GROUP_free(group);
       BN_CTX_free(bnctx);

       return ret;
   }
   2876  1.1  christos 
   /*
    * Builds an explicit-parameter EC key from |group| through the provider API
    * and checks that every value that was set can be read back.
    *
    * The field type, p, a, b, order and (when present) seed and cofactor are
    * taken from |group|; the generator is taken from the |gen|/|gen_size| octet
    * string instead. The parameters are imported with EVP_PKEY_fromdata() and
    * the resulting key is then required to:
    *   - report no group name (the generator differs, so it must not be
    *     matched to a named curve),
    *   - report the explicit encoding,
    *   - return the same field type, generator, p, a, b, order, cofactor and
    *     seed that were pushed,
    *   - expose the characteristic-two parameters only when they apply,
    *   - list all of these names in its gettable parameters.
    *
    * p, a and b are obtained with BN_CTX_get(); this function does not call
    * BN_CTX_start()/BN_CTX_end() itself, so the caller is expected to have an
    * open frame on |ctx|.
    *
    * Returns 1 on success, 0 on failure.
    */
   static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
       unsigned char *gen, int gen_size)
   {
       int i_out, ret = 0;
       OSSL_PARAM_BLD *bld = NULL;
       OSSL_PARAM *params = NULL;
       const OSSL_PARAM *gettable;
       EVP_PKEY_CTX *pctx = NULL;
       EVP_PKEY *pkeyparam = NULL;
       const char *field_name;
       BIGNUM *p, *a, *b;
       BIGNUM *p_out = NULL, *a_out = NULL, *b_out = NULL;
       BIGNUM *order_out = NULL, *cofactor_out = NULL;
       char name[80];
       unsigned char buf[1024];
       size_t buf_len, name_len;
   #ifndef OPENSSL_NO_EC2M
       unsigned int k1 = 0, k2 = 0, k3 = 0;
       const char *basis_name = NULL;
   #endif

       p = BN_CTX_get(ctx);
       a = BN_CTX_get(ctx);
       b = BN_CTX_get(ctx);

       /* Only the last BN_CTX_get() result is checked, as in the usual idiom. */
       if (!TEST_ptr(b))
           goto err;
       if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()))
           goto err;

       /* Pick the field-type name and, for binary fields, the basis data. */
       if (EC_GROUP_get_field_type(group) != NID_X9_62_prime_field) {
           field_name = SN_X9_62_characteristic_two_field;
   #ifndef OPENSSL_NO_EC2M
           if (EC_GROUP_get_basis_type(group) != NID_X9_62_tpBasis) {
               basis_name = SN_X9_62_ppBasis;
               if (!TEST_true(EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3)))
                   goto err;
           } else {
               basis_name = SN_X9_62_tpBasis;
               if (!TEST_true(EC_GROUP_get_trinomial_basis(group, &k1)))
                   goto err;
           }
   #endif /* OPENSSL_NO_EC2M */
       } else {
           field_name = SN_X9_62_prime_field;
       }

       /* Curve equation and field type. */
       if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
           goto err;
       if (!TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
               OSSL_PKEY_PARAM_EC_FIELD_TYPE, field_name, 0)))
           goto err;
       if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_P, p)))
           goto err;
       if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_A, a)))
           goto err;
       if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_B, b)))
           goto err;

       /* Seed and cofactor are optional; push them only when the group has them. */
       if (EC_GROUP_get0_seed(group) != NULL
           && !TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
               OSSL_PKEY_PARAM_EC_SEED, EC_GROUP_get0_seed(group),
               EC_GROUP_get_seed_len(group))))
           goto err;
       if (EC_GROUP_get0_cofactor(group) != NULL
           && !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_COFACTOR,
               EC_GROUP_get0_cofactor(group))))
           goto err;

       /* Caller-supplied generator octets, plus the group's own order. */
       if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld,
               OSSL_PKEY_PARAM_EC_GENERATOR, gen, gen_size)))
           goto err;
       if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_ORDER,
               EC_GROUP_get0_order(group))))
           goto err;

       /* Import the explicit parameters as an "EC" key-parameters object. */
       if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
           goto err;
       if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)))
           goto err;
       if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0))
           goto err;
       if (!TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
                            EVP_PKEY_KEY_PARAMETERS, params),
               0))
           goto err;

       /*- Check that all the set values are retrievable -*/

       /*
        * The generator was changed, so the parameters no longer describe a
        * named curve: asking for a group name has to fail.
        */
       if (!TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam,
               OSSL_PKEY_PARAM_GROUP_NAME, name, sizeof(name),
               &name_len)))
           goto err;

       /* Without a group name the encoding has to be reported as explicit. */
       if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
               OSSL_PKEY_PARAM_EC_ENCODING,
               name, sizeof(name), &name_len)))
           goto err;
       if (!TEST_str_eq(name, OSSL_PKEY_EC_ENCODING_EXPLICIT))
           goto err;

       if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
               OSSL_PKEY_PARAM_EC_FIELD_TYPE, name, sizeof(name),
               &name_len)))
           goto err;
       if (!TEST_str_eq(name, field_name))
           goto err;

       /* The generator has to come back byte-for-byte as supplied. */
       if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam,
               OSSL_PKEY_PARAM_EC_GENERATOR, buf, sizeof(buf), &buf_len)))
           goto err;
       if (!TEST_mem_eq(buf, (int)buf_len, gen, gen_size))
           goto err;

       /* p, a, b and the order have to match what the group reports. */
       if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_P, &p_out)))
           goto err;
       if (!TEST_BN_eq(p_out, p))
           goto err;
       if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_A,
               &a_out)))
           goto err;
       if (!TEST_BN_eq(a_out, a))
           goto err;
       if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_B,
               &b_out)))
           goto err;
       if (!TEST_BN_eq(b_out, b))
           goto err;
       if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_ORDER,
               &order_out)))
           goto err;
       if (!TEST_BN_eq(order_out, EC_GROUP_get0_order(group)))
           goto err;

       /* Optional values are compared only when the group carries them. */
       if (EC_GROUP_get0_cofactor(group) != NULL) {
           if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam,
                   OSSL_PKEY_PARAM_EC_COFACTOR, &cofactor_out)))
               goto err;
           if (!TEST_BN_eq(cofactor_out, EC_GROUP_get0_cofactor(group)))
               goto err;
       }
       if (EC_GROUP_get0_seed(group) != NULL) {
           if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam,
                   OSSL_PKEY_PARAM_EC_SEED, buf, sizeof(buf), &buf_len)))
               goto err;
           if (!TEST_mem_eq(buf, buf_len, EC_GROUP_get0_seed(group),
                   EC_GROUP_get_seed_len(group)))
               goto err;
       }

       if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) {
           /* A prime-field key must not answer any characteristic-two query. */
           if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
                   OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out)))
               goto err;
           if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
                   OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)))
               goto err;
           if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
                   OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)))
               goto err;
           if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
                   OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)))
               goto err;
           if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
                   OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)))
               goto err;
           if (!TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam,
                   OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name),
                   &name_len)))
               goto err;
       } else {
   #ifndef OPENSSL_NO_EC2M
           /* Binary field: degree and basis type must be reported. */
           if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam,
                   OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out)))
               goto err;
           if (!TEST_int_eq(EC_GROUP_get_degree(group), i_out))
               goto err;
           if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam,
                   OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name),
                   &name_len)))
               goto err;
           if (!TEST_str_eq(name, basis_name))
               goto err;

           if (EC_GROUP_get_basis_type(group) != NID_X9_62_tpBasis) {
               /* Pentanomial basis: k1..k3 present, trinomial value absent. */
               if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
                       OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)))
                   goto err;
               if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam,
                       OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)))
                   goto err;
               if (!TEST_int_eq(k1, i_out))
                   goto err;
               if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam,
                       OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)))
                   goto err;
               if (!TEST_int_eq(k2, i_out))
                   goto err;
               if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam,
                       OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)))
                   goto err;
               if (!TEST_int_eq(k3, i_out))
                   goto err;
           } else {
               /* Trinomial basis: single k present, pentanomial values absent. */
               if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam,
                       OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)))
                   goto err;
               if (!TEST_int_eq(k1, i_out))
                   goto err;
               if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
                       OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)))
                   goto err;
               if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
                       OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)))
                   goto err;
               if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam,
                       OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)))
                   goto err;
           }
   #endif /* OPENSSL_NO_EC2M */
       }

       /* Every parameter name used above has to be advertised as gettable. */
       if (!TEST_ptr(gettable = EVP_PKEY_gettable_params(pkeyparam)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_GROUP_NAME)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ENCODING)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_FIELD_TYPE)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_P)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_A)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_B)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_GENERATOR)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ORDER)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_COFACTOR)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_SEED)))
           goto err;
   #ifndef OPENSSL_NO_EC2M
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_M)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TYPE)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K1)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K2)))
           goto err;
       if (!TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K3)))
           goto err;
   #endif

       ret = 1;
   err:
       /* p, a and b come from BN_CTX_get() and are not freed individually. */
       BN_free(p_out);
       BN_free(a_out);
       BN_free(b_out);
       BN_free(order_out);
       BN_free(cofactor_out);
       OSSL_PARAM_free(params);
       OSSL_PARAM_BLD_free(bld);
       EVP_PKEY_free(pkeyparam);
       EVP_PKEY_CTX_free(pctx);
       return ret;
   }
   3097  1.1  christos 
   /*
    * Checks that the EC_METHOD honours a generator installed with
    * EC_GROUP_set_generator() for the built-in curve at index |id|.
    *
    * With an even random scalar k, Q1 := k*G is computed on the unmodified
    * group. The generator is then replaced by G2 := 2*G and Q2 := (k/2)*G2 is
    * computed. Both encodings have to be identical; an implementation that
    * kept multiplying by the original generator would presumably yield a
    * different Q2.
    *
    * The modified group and the encoding held in b1 are finally passed to
    * do_test_custom_explicit_fromdata().
    *
    * Returns 1 on success, 0 on failure.
    */
   static int custom_generator_test(int id)
   {
       BN_CTX *ctx = NULL;
       BIGNUM *k = NULL;
       EC_GROUP *group = NULL;
       EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
       unsigned char *b1 = NULL, *b2 = NULL;
       int bsize, nid, ret = 0;

       /* Do some setup */
       nid = curves[id].nid;
       TEST_note("Curve %s", OBJ_nid2sn(nid));
       if (!TEST_ptr(ctx = BN_CTX_new()))
           return 0;

       BN_CTX_start(ctx);

       if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
           goto err;

       /*
        * Expected byte length of an encoded point in UNCOMPRESSED_POINT format:
        * one leading byte followed by two field elements.
        */
       bsize = 1 + 2 * ((EC_GROUP_get_degree(group) + 7) / 8);

       if (!TEST_ptr(k = BN_CTX_get(ctx)))
           goto err;
       /* fetch a testing scalar k != 0,1 */
       if (!TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
               BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)))
           goto err;
       /* make k even, so that the later halving is exact */
       if (!TEST_true(BN_clear_bit(k, 0)))
           goto err;
       if (!TEST_ptr(G2 = EC_POINT_new(group)))
           goto err;
       if (!TEST_ptr(Q1 = EC_POINT_new(group)))
           goto err;
       /* Q1 := kG */
       if (!TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx)))
           goto err;
       /* size query first, then the real encoding into b1 */
       if (!TEST_int_eq(EC_POINT_point2oct(group, Q1,
                            POINT_CONVERSION_UNCOMPRESSED, NULL,
                            0, ctx),
               bsize))
           goto err;
       if (!TEST_ptr(b1 = OPENSSL_malloc(bsize)))
           goto err;
       if (!TEST_int_eq(EC_POINT_point2oct(group, Q1,
                            POINT_CONVERSION_UNCOMPRESSED, b1,
                            bsize, ctx),
               bsize))
           goto err;

       /* new generator is G2 := 2G, with order and cofactor left as they are */
       if (!TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
               ctx)))
           goto err;
       if (!TEST_true(EC_GROUP_set_generator(group, G2,
               EC_GROUP_get0_order(group),
               EC_GROUP_get0_cofactor(group))))
           goto err;
       if (!TEST_ptr(Q2 = EC_POINT_new(group)))
           goto err;
       if (!TEST_true(BN_rshift1(k, k)))
           goto err;
       /* Q2 := k/2 G2 */
       if (!TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx)))
           goto err;
       if (!TEST_int_eq(EC_POINT_point2oct(group, Q2,
                            POINT_CONVERSION_UNCOMPRESSED, NULL,
                            0, ctx),
               bsize))
           goto err;
       if (!TEST_ptr(b2 = OPENSSL_malloc(bsize)))
           goto err;
       if (!TEST_int_eq(EC_POINT_point2oct(group, Q2,
                            POINT_CONVERSION_UNCOMPRESSED, b2,
                            bsize, ctx),
               bsize))
           goto err;
       /* Q1 = kG = k/2 G2 = Q2 should hold */
       if (!TEST_mem_eq(b1, bsize, b2, bsize))
           goto err;

       /* Run the explicit-parameter round trip on the modified group. */
       if (!do_test_custom_explicit_fromdata(group, ctx, b1, bsize))
           goto err;

       ret = 1;

   err:
       /* k belongs to the BN_CTX frame and is released by BN_CTX_end(). */
       EC_POINT_free(Q1);
       EC_POINT_free(Q2);
       EC_POINT_free(G2);
       EC_GROUP_free(group);
       BN_CTX_end(ctx);
       BN_CTX_free(ctx);
       OPENSSL_free(b1);
       OPENSSL_free(b2);

       return ret;
   }
   3185  1.1  christos 
   3186  1.1  christos /*
   3187  1.1  christos  * check creation of curves from explicit params through the public API
   3188  1.1  christos  */
   3189  1.1  christos static int custom_params_test(int id)
   3190  1.1  christos {
   3191  1.1  christos     int ret = 0, nid, bsize;
   3192  1.1  christos     const char *curve_name = NULL;
   3193  1.1  christos     EC_GROUP *group = NULL, *altgroup = NULL;
   3194  1.1  christos     EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
   3195  1.1  christos     const EC_POINT *Q = NULL;
   3196  1.1  christos     BN_CTX *ctx = NULL;
   3197  1.1  christos     BIGNUM *k = NULL;
   3198  1.1  christos     unsigned char *buf1 = NULL, *buf2 = NULL;
   3199  1.1  christos     const BIGNUM *z = NULL, *cof = NULL, *priv1 = NULL;
   3200  1.1  christos     BIGNUM *p = NULL, *a = NULL, *b = NULL;
   3201  1.1  christos     int is_prime = 0;
   3202  1.1  christos     EC_KEY *eckey1 = NULL, *eckey2 = NULL;
   3203  1.1  christos     EVP_PKEY *pkey1 = NULL, *pkey2 = NULL;
   3204  1.1  christos     EVP_PKEY_CTX *pctx1 = NULL, *pctx2 = NULL, *dctx = NULL;
   3205  1.1  christos     size_t sslen, t;
   3206  1.3  christos     unsigned char *pub1 = NULL, *pub2 = NULL;
   3207  1.1  christos     OSSL_PARAM_BLD *param_bld = NULL;
   3208  1.1  christos     OSSL_PARAM *params1 = NULL, *params2 = NULL;
   3209  1.1  christos 
   3210  1.1  christos     /* Do some setup */
   3211  1.1  christos     nid = curves[id].nid;
   3212  1.1  christos     curve_name = OBJ_nid2sn(nid);
   3213  1.1  christos     TEST_note("Curve %s", curve_name);
   3214  1.1  christos 
   3215  1.1  christos     if (nid == NID_sm2)
   3216  1.1  christos         return TEST_skip("custom params not supported with SM2");
   3217  1.1  christos 
   3218  1.1  christos     if (!TEST_ptr(ctx = BN_CTX_new()))
   3219  1.1  christos         return 0;
   3220  1.1  christos 
   3221  1.1  christos     BN_CTX_start(ctx);
   3222  1.1  christos     if (!TEST_ptr(p = BN_CTX_get(ctx))
   3223  1.3  christos         || !TEST_ptr(a = BN_CTX_get(ctx))
   3224  1.3  christos         || !TEST_ptr(b = BN_CTX_get(ctx))
   3225  1.3  christos         || !TEST_ptr(k = BN_CTX_get(ctx)))
   3226  1.1  christos         goto err;
   3227  1.1  christos 
   3228  1.1  christos     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
   3229  1.1  christos         goto err;
   3230  1.1  christos 
   3231  1.1  christos     is_prime = EC_GROUP_get_field_type(group) == NID_X9_62_prime_field;
   3232  1.1  christos #ifdef OPENSSL_NO_EC2M
   3233  1.1  christos     if (!is_prime) {
   3234  1.1  christos         ret = TEST_skip("binary curves not supported in this build");
   3235  1.1  christos         goto err;
   3236  1.1  christos     }
   3237  1.1  christos #endif
   3238  1.1  christos 
   3239  1.1  christos     /* expected byte length of encoded points */
   3240  1.1  christos     bsize = (EC_GROUP_get_degree(group) + 7) / 8;
   3241  1.1  christos     bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */
   3242  1.1  christos 
   3243  1.1  christos     /* extract parameters from built-in curve */
   3244  1.1  christos     if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx))
   3245  1.3  christos         || !TEST_ptr(G2 = EC_POINT_new(group))
   3246  1.3  christos         /* new generator is G2 := 2G */
   3247  1.3  christos         || !TEST_true(EC_POINT_dbl(group, G2,
   3248  1.3  christos             EC_GROUP_get0_generator(group), ctx))
   3249  1.3  christos         /* pull out the bytes of that */
   3250  1.3  christos         || !TEST_int_eq(EC_POINT_point2oct(group, G2,
   3251  1.3  christos                             POINT_CONVERSION_UNCOMPRESSED,
   3252  1.3  christos                             NULL, 0, ctx),
   3253  1.3  christos             bsize)
   3254  1.3  christos         || !TEST_ptr(buf1 = OPENSSL_malloc(bsize))
   3255  1.3  christos         || !TEST_int_eq(EC_POINT_point2oct(group, G2,
   3256  1.3  christos                             POINT_CONVERSION_UNCOMPRESSED,
   3257  1.3  christos                             buf1, bsize, ctx),
   3258  1.3  christos             bsize)
   3259  1.3  christos         || !TEST_ptr(z = EC_GROUP_get0_order(group))
   3260  1.3  christos         || !TEST_ptr(cof = EC_GROUP_get0_cofactor(group)))
   3261  1.1  christos         goto err;
   3262  1.1  christos 
   3263  1.1  christos     /* create a new group using same params (but different generator) */
   3264  1.1  christos     if (is_prime) {
   3265  1.1  christos         if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GFp(p, a, b, ctx)))
   3266  1.1  christos             goto err;
   3267  1.1  christos     }
   3268  1.1  christos #ifndef OPENSSL_NO_EC2M
   3269  1.1  christos     else {
   3270  1.1  christos         if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
   3271  1.1  christos             goto err;
   3272  1.1  christos     }
   3273  1.1  christos #endif
   3274  1.1  christos 
   3275  1.1  christos     /* set 2*G as the generator of altgroup */
   3276  1.1  christos     EC_POINT_free(G2); /* discard G2 as it refers to the original group */
   3277  1.1  christos     if (!TEST_ptr(G2 = EC_POINT_new(altgroup))
   3278  1.3  christos         || !TEST_true(EC_POINT_oct2point(altgroup, G2, buf1, bsize, ctx))
   3279  1.3  christos         || !TEST_int_eq(EC_POINT_is_on_curve(altgroup, G2, ctx), 1)
   3280  1.3  christos         || !TEST_true(EC_GROUP_set_generator(altgroup, G2, z, cof)))
   3281  1.1  christos         goto err;
   3282  1.1  christos 
   3283  1.1  christos     /* verify math checks out */
   3284  1.1  christos     if (/* allocate temporary points on group and altgroup */
   3285  1.3  christos         !TEST_ptr(Q1 = EC_POINT_new(group))
   3286  1.3  christos         || !TEST_ptr(Q2 = EC_POINT_new(altgroup))
   3287  1.3  christos         /* fetch a testing scalar k != 0,1 */
   3288  1.3  christos         || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
   3289  1.3  christos             BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
   3290  1.3  christos         /* make k even */
   3291  1.3  christos         || !TEST_true(BN_clear_bit(k, 0))
   3292  1.3  christos         /* Q1 := kG on group */
   3293  1.3  christos         || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
   3294  1.3  christos         /* pull out the bytes of that */
   3295  1.3  christos         || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
   3296  1.3  christos                             POINT_CONVERSION_UNCOMPRESSED,
   3297  1.3  christos                             NULL, 0, ctx),
   3298  1.3  christos             bsize)
   3299  1.3  christos         || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
   3300  1.3  christos                             POINT_CONVERSION_UNCOMPRESSED,
   3301  1.3  christos                             buf1, bsize, ctx),
   3302  1.3  christos             bsize)
   3303  1.3  christos         /* k := k/2 */
   3304  1.3  christos         || !TEST_true(BN_rshift1(k, k))
   3305  1.3  christos         /* Q2 := k/2 G2 on altgroup */
   3306  1.3  christos         || !TEST_true(EC_POINT_mul(altgroup, Q2, k, NULL, NULL, ctx))
   3307  1.3  christos         /* pull out the bytes of that */
   3308  1.3  christos         || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2,
   3309  1.3  christos                             POINT_CONVERSION_UNCOMPRESSED,
   3310  1.3  christos                             NULL, 0, ctx),
   3311  1.3  christos             bsize)
   3312  1.3  christos         || !TEST_ptr(buf2 = OPENSSL_malloc(bsize))
   3313  1.3  christos         || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2,
   3314  1.3  christos                             POINT_CONVERSION_UNCOMPRESSED,
   3315  1.3  christos                             buf2, bsize, ctx),
   3316  1.3  christos             bsize)
   3317  1.3  christos         /* Q1 = kG = k/2 G2 = Q2 should hold */
   3318  1.3  christos         || !TEST_mem_eq(buf1, bsize, buf2, bsize))
   3319  1.1  christos         goto err;
   3320  1.1  christos 
   3321  1.1  christos     /* create two `EC_KEY`s on altgroup */
   3322  1.1  christos     if (!TEST_ptr(eckey1 = EC_KEY_new())
   3323  1.3  christos         || !TEST_true(EC_KEY_set_group(eckey1, altgroup))
   3324  1.3  christos         || !TEST_true(EC_KEY_generate_key(eckey1))
   3325  1.3  christos         || !TEST_ptr(eckey2 = EC_KEY_new())
   3326  1.3  christos         || !TEST_true(EC_KEY_set_group(eckey2, altgroup))
   3327  1.3  christos         || !TEST_true(EC_KEY_generate_key(eckey2)))
   3328  1.1  christos         goto err;
   3329  1.1  christos 
   3330  1.1  christos     /* retrieve priv1 for later */
   3331  1.1  christos     if (!TEST_ptr(priv1 = EC_KEY_get0_private_key(eckey1)))
   3332  1.1  christos         goto err;
   3333  1.1  christos 
   3334  1.1  christos     /*
   3335  1.1  christos      * retrieve bytes for pub1 for later
   3336  1.1  christos      *
   3337  1.1  christos      * We compute the pub key in the original group as we will later use it to
   3338  1.1  christos      * define a provider key in the built-in group.
   3339  1.1  christos      */
   3340  1.1  christos     if (!TEST_true(EC_POINT_mul(group, Q1, priv1, NULL, NULL, ctx))
   3341  1.3  christos         || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
   3342  1.3  christos                             POINT_CONVERSION_UNCOMPRESSED,
   3343  1.3  christos                             NULL, 0, ctx),
   3344  1.3  christos             bsize)
   3345  1.3  christos         || !TEST_ptr(pub1 = OPENSSL_malloc(bsize))
   3346  1.3  christos         || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
   3347  1.3  christos                             POINT_CONVERSION_UNCOMPRESSED,
   3348  1.3  christos                             pub1, bsize, ctx),
   3349  1.3  christos             bsize))
   3350  1.1  christos         goto err;
   3351  1.1  christos 
   3352  1.1  christos     /* retrieve bytes for pub2 for later */
   3353  1.1  christos     if (!TEST_ptr(Q = EC_KEY_get0_public_key(eckey2))
   3354  1.3  christos         || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q,
   3355  1.3  christos                             POINT_CONVERSION_UNCOMPRESSED,
   3356  1.3  christos                             NULL, 0, ctx),
   3357  1.3  christos             bsize)
   3358  1.3  christos         || !TEST_ptr(pub2 = OPENSSL_malloc(bsize))
   3359  1.3  christos         || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q,
   3360  1.3  christos                             POINT_CONVERSION_UNCOMPRESSED,
   3361  1.3  christos                             pub2, bsize, ctx),
   3362  1.3  christos             bsize))
   3363  1.1  christos         goto err;
   3364  1.1  christos 
   3365  1.1  christos     /* create two `EVP_PKEY`s from the `EC_KEY`s */
   3366  1.1  christos     if (!TEST_ptr(pkey1 = EVP_PKEY_new())
   3367  1.3  christos         || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey1, eckey1), 1))
   3368  1.1  christos         goto err;
   3369  1.1  christos     eckey1 = NULL; /* ownership passed to pkey1 */
   3370  1.1  christos     if (!TEST_ptr(pkey2 = EVP_PKEY_new())
   3371  1.3  christos         || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey2, eckey2), 1))
   3372  1.1  christos         goto err;
   3373  1.1  christos     eckey2 = NULL; /* ownership passed to pkey2 */
   3374  1.1  christos 
   3375  1.1  christos     /* Compute keyexchange in both directions */
   3376  1.1  christos     if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
   3377  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
   3378  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
   3379  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
   3380  1.3  christos         || !TEST_int_gt(bsize, sslen)
   3381  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
   3382  1.1  christos         goto err;
   3383  1.1  christos     if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
   3384  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
   3385  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
   3386  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
   3387  1.3  christos         || !TEST_int_gt(bsize, t)
   3388  1.3  christos         || !TEST_int_le(sslen, t)
   3389  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
   3390  1.1  christos         goto err;
   3391  1.1  christos 
   3392  1.1  christos     /* Both sides should expect the same shared secret */
   3393  1.1  christos     if (!TEST_mem_eq(buf1, sslen, buf2, t))
   3394  1.1  christos         goto err;
   3395  1.1  christos 
   3396  1.1  christos     /* Build parameters for provider-native keys */
   3397  1.1  christos     if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new())
   3398  1.3  christos         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld,
   3399  1.3  christos             OSSL_PKEY_PARAM_GROUP_NAME,
   3400  1.3  christos             curve_name, 0))
   3401  1.3  christos         || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld,
   3402  1.3  christos             OSSL_PKEY_PARAM_PUB_KEY,
   3403  1.3  christos             pub1, bsize))
   3404  1.3  christos         || !TEST_true(OSSL_PARAM_BLD_push_BN(param_bld,
   3405  1.3  christos             OSSL_PKEY_PARAM_PRIV_KEY,
   3406  1.3  christos             priv1))
   3407  1.3  christos         || !TEST_ptr(params1 = OSSL_PARAM_BLD_to_param(param_bld)))
   3408  1.1  christos         goto err;
   3409  1.1  christos 
   3410  1.1  christos     OSSL_PARAM_BLD_free(param_bld);
   3411  1.1  christos     if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new())
   3412  1.3  christos         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld,
   3413  1.3  christos             OSSL_PKEY_PARAM_GROUP_NAME,
   3414  1.3  christos             curve_name, 0))
   3415  1.3  christos         || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld,
   3416  1.3  christos             OSSL_PKEY_PARAM_PUB_KEY,
   3417  1.3  christos             pub2, bsize))
   3418  1.3  christos         || !TEST_ptr(params2 = OSSL_PARAM_BLD_to_param(param_bld)))
   3419  1.1  christos         goto err;
   3420  1.1  christos 
   3421  1.1  christos     /* create two new provider-native `EVP_PKEY`s */
   3422  1.1  christos     EVP_PKEY_CTX_free(pctx2);
   3423  1.1  christos     if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
   3424  1.3  christos         || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx2), 1)
   3425  1.3  christos         || !TEST_int_eq(EVP_PKEY_fromdata(pctx2, &pkey1, EVP_PKEY_KEYPAIR,
   3426  1.3  christos                             params1),
   3427  1.3  christos             1)
   3428  1.3  christos         || !TEST_int_eq(EVP_PKEY_fromdata(pctx2, &pkey2, EVP_PKEY_PUBLIC_KEY,
   3429  1.3  christos                             params2),
   3430  1.3  christos             1))
   3431  1.1  christos         goto err;
   3432  1.1  christos 
   3433  1.1  christos     /* compute keyexchange once more using the provider keys */
   3434  1.1  christos     EVP_PKEY_CTX_free(pctx1);
   3435  1.1  christos     if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
   3436  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
   3437  1.3  christos         || !TEST_ptr(dctx = EVP_PKEY_CTX_dup(pctx1))
   3438  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive_set_peer_ex(dctx, pkey2, 1), 1)
   3439  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive(dctx, NULL, &t), 1)
   3440  1.3  christos         || !TEST_int_gt(bsize, t)
   3441  1.3  christos         || !TEST_int_le(sslen, t)
   3442  1.3  christos         || !TEST_int_eq(EVP_PKEY_derive(dctx, buf1, &t), 1)
   3443  1.3  christos         /* compare with previous result */
   3444  1.3  christos         || !TEST_mem_eq(buf1, t, buf2, sslen))
   3445  1.1  christos         goto err;
   3446  1.1  christos 
   3447  1.1  christos     ret = 1;
   3448  1.1  christos 
   3449  1.3  christos err:
   3450  1.1  christos     BN_CTX_end(ctx);
   3451  1.1  christos     BN_CTX_free(ctx);
   3452  1.1  christos     OSSL_PARAM_BLD_free(param_bld);
   3453  1.1  christos     OSSL_PARAM_free(params1);
   3454  1.1  christos     OSSL_PARAM_free(params2);
   3455  1.1  christos     EC_POINT_free(Q1);
   3456  1.1  christos     EC_POINT_free(Q2);
   3457  1.1  christos     EC_POINT_free(G2);
   3458  1.1  christos     EC_GROUP_free(group);
   3459  1.1  christos     EC_GROUP_free(altgroup);
   3460  1.1  christos     OPENSSL_free(buf1);
   3461  1.1  christos     OPENSSL_free(buf2);
   3462  1.1  christos     OPENSSL_free(pub1);
   3463  1.1  christos     OPENSSL_free(pub2);
   3464  1.1  christos     EC_KEY_free(eckey1);
   3465  1.1  christos     EC_KEY_free(eckey2);
   3466  1.1  christos     EVP_PKEY_free(pkey1);
   3467  1.1  christos     EVP_PKEY_free(pkey2);
   3468  1.1  christos     EVP_PKEY_CTX_free(pctx1);
   3469  1.1  christos     EVP_PKEY_CTX_free(pctx2);
   3470  1.1  christos     EVP_PKEY_CTX_free(dctx);
   3471  1.1  christos 
   3472  1.1  christos     return ret;
   3473  1.1  christos }
   3474  1.1  christos 
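/*
 * Round-trip a P-256 public key through i2d_PublicKey()/d2i_PublicKey().
 *
 * A fresh key is generated and its public part is encoded into a stack
 * buffer.  A second EVP_PKEY carrying only the P-256 group name is built with
 * EVP_PKEY_fromdata() and handed to d2i_PublicKey() as the key to decode
 * into.  The decoded key must compare equal to the generated one.
 *
 * Returns 1 on success, 0 on failure.
 */
static int ec_d2i_publickey_test(void)
{
    unsigned char buf[1000];
    unsigned char *pubkey_enc = buf;
    const unsigned char *pk_enc = pubkey_enc;
    EVP_PKEY *gen_key = NULL, *decoded_key = NULL;
    EVP_PKEY_CTX *pctx = NULL;
    int pklen, ret = 0;
    OSSL_PARAM params[2];

    if (!TEST_ptr(gen_key = EVP_EC_gen("P-256")))
        goto err;

    /*
     * i2d_PublicKey() takes no output-size argument, so query the encoded
     * length first (NULL output pointer) and confirm it fits in buf before
     * anything is written.
     */
    if (!TEST_int_gt(pklen = i2d_PublicKey(gen_key, NULL), 0)
        || !TEST_int_le(pklen, (int)sizeof(buf)))
        goto err;

    /*
     * Encode for real.  The i2d call advances pubkey_enc past the bytes it
     * wrote; pk_enc still points at the start of buf for the decode below.
     */
    if (!TEST_int_eq(i2d_PublicKey(gen_key, &pubkey_enc), pklen))
        goto err;

    params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
        "P-256", 0);
    params[1] = OSSL_PARAM_construct_end();

    /*
     * The EVP_PKEY_fromdata*() calls report some failures with a negative
     * value, which TEST_true() would accept as success; compare against 1
     * explicitly, as the other tests in this file do.
     */
    if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
        || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1)
        || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &decoded_key,
                            OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
                            params),
            1)
        || !TEST_ptr(decoded_key)
        /* decode into the parameters-only key created above */
        || !TEST_ptr(decoded_key = d2i_PublicKey(EVP_PKEY_EC, &decoded_key,
                         &pk_enc, pklen)))
        goto err;

    /*
     * EVP_PKEY_eq() returns 1 only for equal keys; its negative results
     * (different key types, comparison unsupported) must not be counted as
     * a match, so TEST_true() is not sufficient here.
     */
    if (!TEST_int_eq(EVP_PKEY_eq(gen_key, decoded_key), 1))
        goto err;
    ret = 1;

err:
    EVP_PKEY_CTX_free(pctx);
    EVP_PKEY_free(gen_key);
    EVP_PKEY_free(decoded_key);
    return ret;
}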
   3515  1.1  christos 
/*
 * Test-harness entry point: load the list of built-in curves into the
 * file-scope `curves` / `crv_len` and register every test of this file.
 *
 * Returns 1 on success, 0 if the curve list could not be allocated or filled.
 */
int setup_tests(void)
{
    /* With no output array the call only reports how many curves exist. */
    crv_len = EC_get_builtin_curves(NULL, 0);

    /* Allocate room for that many entries ... */
    if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)))
        return 0;

    /* ... and fetch them; the list is released in cleanup_tests(). */
    if (!TEST_true(EC_get_builtin_curves(curves, crv_len)))
        return 0;

    /* Registration order is kept as-is: it defines the order tests run in. */
    ADD_TEST(parameter_test);
    ADD_TEST(ossl_parameter_test);
    ADD_TEST(cofactor_range_test);
    ADD_ALL_TESTS(cardinality_test, crv_len);
    ADD_TEST(prime_field_tests);
#ifndef OPENSSL_NO_EC2M
    /* binary-field curve tests, only when EC2M support is compiled in */
    ADD_TEST(hybrid_point_encoding_test);
    ADD_TEST(char2_field_tests);
    ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
#endif
    ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));

    /* the tests below run once per built-in curve unless noted */
    ADD_ALL_TESTS(internal_curve_test, crv_len);
    ADD_ALL_TESTS(internal_curve_test_method, crv_len);
    ADD_TEST(group_field_test);
    ADD_ALL_TESTS(check_named_curve_test, crv_len);
    ADD_ALL_TESTS(check_named_curve_lookup_test, crv_len);
    ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
    ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
    ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
    ADD_ALL_TESTS(custom_generator_test, crv_len);
    ADD_ALL_TESTS(custom_params_test, crv_len);
    ADD_TEST(ec_d2i_publickey_test);

    return 1;
}
   3547  1.1  christos 
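/*
 * Test-harness teardown: release the built-in curve list that setup_tests()
 * allocated.
 *
 * The file-scope pointer and count are reset as well, so no stale pointer to
 * the freed list is left behind and a repeated call is harmless.
 */
void cleanup_tests(void)
{
    OPENSSL_free(curves);
    curves = NULL;
    crv_len = 0;
}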