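/*
 * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "internal/nelem.h"
#include "testutil.h"

#ifndef OPENSSL_NO_EC
# include <openssl/ec.h>
# ifndef OPENSSL_NO_ENGINE
#  include <openssl/engine.h>
# endif
# include <openssl/err.h>
# include <openssl/obj_mac.h>
# include <openssl/objects.h>
# include <openssl/rand.h>
# include <openssl/bn.h>
# include <openssl/opensslconf.h>

static size_t crv_len = 0;
static EC_builtin_curve *curves = NULL;

/*
 * Test multiplication with the group order, long and negative scalars.
 *
 * |group| must already carry a generator and an order; both are read here.
 * The function calls EC_GROUP_precompute_mult() on the caller's |group|.
 *
 * What is checked:
 *  - order * G is the point at infinity, before and after precomputation;
 *  - 1 * G == G and -((order - 1) * G) == G;
 *  - for P = G and P = 2G, scalars congruent to 1 modulo the order
 *    (1 - order, 1 + order, 1 - order^2) map P to itself, and
 *    (order^2 - 1) * P + P is the point at infinity;
 *  - EC_POINTs_mul() agrees with EC_POINT_dbl() for P + P and returns the
 *    point at infinity for a six-term sum that cancels out.
 *
 * Scalars that are negative or larger than the order are the inputs a
 * scalar-multiplication routine is most likely to reduce incorrectly, which
 * is why they are exercised explicitly.
 *
 * Returns 1 on success, 0 on failure.
 */
static int group_order_tests(EC_GROUP *group)
{
    BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL;
    EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL;
    const EC_POINT *G = NULL;
    BN_CTX *ctx = NULL;
    int i = 0, r = 0;

    if (!TEST_ptr(n1 = BN_new())
        || !TEST_ptr(n2 = BN_new())
        || !TEST_ptr(order = BN_new())
        || !TEST_ptr(ctx = BN_CTX_new())
        || !TEST_ptr(G = EC_GROUP_get0_generator(group))
        || !TEST_ptr(P = EC_POINT_new(group))
        || !TEST_ptr(Q = EC_POINT_new(group))
        || !TEST_ptr(R = EC_POINT_new(group))
        || !TEST_ptr(S = EC_POINT_new(group)))
        goto err;

    if (!TEST_true(EC_GROUP_get_order(group, order, ctx))
        /* order * G must be infinity without precomputation ... */
        || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
        || !TEST_true(EC_POINT_is_at_infinity(group, Q))
        /* ... and again once precomputation has been set up */
        || !TEST_true(EC_GROUP_precompute_mult(group, ctx))
        || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
        || !TEST_true(EC_POINT_is_at_infinity(group, Q))
        || !TEST_true(EC_POINT_copy(P, G))
        /* 1 * G == G */
        || !TEST_true(BN_one(n1))
        || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
        /* n1 = order - 1, so n1 * G == -G and inverting gives G back */
        || !TEST_true(BN_sub(n1, order, n1))
        || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
        || !TEST_true(EC_POINT_invert(group, Q, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
        goto err;

    for (i = 1; i <= 2; i++) {
        const BIGNUM *scalars[6];
        const EC_POINT *points[6];

        if (!TEST_true(BN_set_word(n1, i))
            /*
             * If i == 1, P will be the predefined generator for which
             * EC_GROUP_precompute_mult has set up precomputation.
             */
            || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
            || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx)))
            || !TEST_true(BN_one(n1))
            /* n1 = 1 - order */
            || !TEST_true(BN_sub(n1, n1, order))
            || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx))
            || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))

            /* n2 = 1 + order */
            || !TEST_true(BN_add(n2, order, BN_value_one()))
            || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
            || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))

            /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
            || !TEST_true(BN_mul(n2, n1, n2, ctx))
            || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
            || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
            goto err;

        /* n2 = order^2 - 1 */
        BN_set_negative(n2, 0);
        if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
            /* Add P to verify the result. */
            || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx))
            || !TEST_true(EC_POINT_is_at_infinity(group, Q))

            /* Exercise EC_POINTs_mul, including corner cases. */
            || !TEST_false(EC_POINT_is_at_infinity(group, P)))
            goto err;

        scalars[0] = scalars[1] = BN_value_one();
        points[0]  = points[1]  = P;

        /* 1 * P + 1 * P must equal the result of doubling P */
        if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx))
            || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx))
            || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx)))
            goto err;

        /*
         * Q is the point at infinity at this stage, n1 == 1 - order and
         * n2 == order^2 - 1, so the six terms below sum to -P + P.
         */
        scalars[0] = n1;
        points[0]  = Q;         /* => infinity */
        scalars[1] = n2;
        points[1]  = P;         /* => -P */
        scalars[2] = n1;
        points[2]  = Q;         /* => infinity */
        scalars[3] = n2;
        points[3]  = Q;         /* => infinity */
        scalars[4] = n1;
        points[4]  = P;         /* => P */
        scalars[5] = n2;
        points[5]  = Q;         /* => infinity */
        if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
            || !TEST_true(EC_POINT_is_at_infinity(group, P)))
            goto err;
    }

    r = 1;
 err:
    /* i is still 0 when the failure happened before the loop was entered */
    if (r == 0 && i != 0)
        TEST_info(i == 1 ? "allowing precomputation" :
                           "without precomputation");
    EC_POINT_free(P);
    EC_POINT_free(Q);
    EC_POINT_free(R);
    EC_POINT_free(S);
    BN_free(n1);
    BN_free(n2);
    BN_free(order);
    BN_CTX_free(ctx);
    return r;
}

/*
 * Exercise prime-field curve arithmetic through the public EC API.
 *
 * The test first builds a toy curve y^2 = x^3 + x + 1 over GF(0x17), walks
 * the cyclic subgroup generated by a decompressed point and round-trips that
 * point through the compressed, uncompressed and hybrid octet encodings.
 * It then loads secp160r1 and NIST P-192, P-224, P-256, P-384 and P-521 in
 * turn and checks for each that the field prime passes BN_is_prime_ex(), the
 * generator is on the curve, the generator's y coordinate equals the value
 * from the standard, (x, y + 1) is rejected, the degree is as expected and
 * group_order_tests() passes.  Finally EC_POINTs_mul() is exercised on P-521
 * with scalar combinations that must cancel out.
 *
 * Returns 1 on success, 0 on failure.
 */
static int prime_field_tests(void)
{
    BN_CTX *ctx = NULL;
    BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL;
    EC_GROUP *group = NULL, *tmp = NULL;
    EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL,
             *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
    EC_POINT *P = NULL, *Q = NULL, *R = NULL;
    BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL;
    const EC_POINT *points[4];
    const BIGNUM *scalars[4];
    unsigned char buf[100];
    size_t len;
    /* r is the int result returned below; it only ever holds 0 or 1 */
    int k, r = 0;

    if (!TEST_ptr(ctx = BN_CTX_new())
        || !TEST_ptr(p = BN_new())
        || !TEST_ptr(a = BN_new())
        || !TEST_ptr(b = BN_new())
        || !TEST_true(BN_hex2bn(&p, "17"))
        || !TEST_true(BN_hex2bn(&a, "1"))
        || !TEST_true(BN_hex2bn(&b, "1"))
        /*
         * applications should use EC_GROUP_new_curve_GFp so
         * that the library gets to choose the EC_METHOD
         */
        || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))
        || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
        || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
        || !TEST_true(EC_GROUP_copy(tmp, group)))
        goto err;
    /* Continue with the copy so that EC_GROUP_copy() is what gets tested */
    EC_GROUP_free(group);
    group = tmp;
    tmp = NULL;

    if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
        goto err;

    TEST_info("Curve defined by Weierstrass equation");
    TEST_note(" y^2 = x^3 + a*x + b (mod p)");
    test_output_bignum("a", a);
    test_output_bignum("b", b);
    test_output_bignum("p", p);

    /*
     * The single zero octet decoded below must yield the identity: adding
     * the decoded Q to a P that is at infinity has to leave P at infinity.
     */
    buf[0] = 0;
    if (!TEST_ptr(P = EC_POINT_new(group))
        || !TEST_ptr(Q = EC_POINT_new(group))
        || !TEST_ptr(R = EC_POINT_new(group))
        || !TEST_true(EC_POINT_set_to_infinity(group, P))
        || !TEST_true(EC_POINT_is_at_infinity(group, P))
        || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
        || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
        || !TEST_true(EC_POINT_is_at_infinity(group, P))
        || !TEST_ptr(x = BN_new())
        || !TEST_ptr(y = BN_new())
        || !TEST_ptr(z = BN_new())
        || !TEST_ptr(yplusone = BN_new())
        || !TEST_true(BN_hex2bn(&x, "D"))
        || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx)))
        goto err;

    if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
        if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)))
            goto err;
        TEST_info("Point is not on curve");
        test_output_bignum("x", x);
        test_output_bignum("y", y);
        goto err;
    }

    TEST_note("A cyclic subgroup:");
    /* Give up after 100 additions instead of looping without bound */
    k = 100;
    do {
        if (!TEST_int_ne(k--, 0))
            goto err;

        if (EC_POINT_is_at_infinity(group, P)) {
            TEST_note(" point at infinity");
        } else {
            if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
                                                           ctx)))
                goto err;

            test_output_bignum("x", x);
            test_output_bignum("y", y);
        }

        /* R remembers the multiple of Q reached just before this addition */
        if (!TEST_true(EC_POINT_copy(R, P))
            || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
            goto err;

    } while (!EC_POINT_is_at_infinity(group, P));

    /* R + Q closed the subgroup above, so Q + R must be infinity too */
    if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
        || !TEST_true(EC_POINT_is_at_infinity(group, P)))
        goto err;

    /*
     * Encode/decode round trips for the three point formats.  The encoder
     * is given sizeof(buf) as its limit and a zero length is treated as a
     * failure.  buf is only used with the toy curve in this function.
     */
    len =
        EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf,
                           sizeof(buf), ctx);
    if (!TEST_size_t_ne(len, 0)
        || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
        goto err;
    test_output_memory("Generator as octet string, compressed form:",
                       buf, len);

    len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
                             buf, sizeof(buf), ctx);
    if (!TEST_size_t_ne(len, 0)
        || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
        goto err;
    test_output_memory("Generator as octet string, uncompressed form:",
                       buf, len);

    len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID,
                             buf, sizeof(buf), ctx);
    if (!TEST_size_t_ne(len, 0)
        || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
        goto err;
    test_output_memory("Generator as octet string, hybrid form:",
                       buf, len);

    if (!TEST_true(EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z,
                                                            ctx)))
        goto err;
    TEST_info("A representation of the inverse of that generator in");
    TEST_note("Jacobian projective coordinates");
    test_output_bignum("x", x);
    test_output_bignum("y", y);
    test_output_bignum("z", z);

    /* P still equals Q from the last round trip; -P must equal R */
    if (!TEST_true(EC_POINT_invert(group, P, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))

    /*
     * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2,
     * 2000) -- not a NIST curve, but commonly used
     *
     * NOTE(review): a 160-bit curve offers roughly 80 bits of security, and
     * the 192-bit curve that follows roughly 96.  Their use as arithmetic
     * test vectors here is not a recommendation for new deployments.
     */

        || !TEST_true(BN_hex2bn(&p,                         "FFFFFFFF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF"))
        || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
        || !TEST_true(BN_hex2bn(&a,                         "FFFFFFFF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC"))
        || !TEST_true(BN_hex2bn(&b,                         "1C97BEFC"
                                    "54BD7A8B65ACF89F81D4D4ADC565FA45"))
        || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
        || !TEST_true(BN_hex2bn(&x,                         "4A96B568"
                                    "8EF573284664698968C38BB913CBFC82"))
        || !TEST_true(BN_hex2bn(&y,                         "23a62855"
                                    "3168947d59dcc912042351377ac5fb32"))
        || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    /*
     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
     * and therefore setting the coordinates should fail.
     *
     * This pins down that the affine setter refuses an off-curve point
     * rather than storing it; the same check is repeated for every curve
     * below.
     */
        || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
                                                       ctx))
        || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
        || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
        || !TEST_true(BN_hex2bn(&z,                       "0100000000"
                                    "000000000001F4C8F927AED3CA752257"))
        /* z is the group order; the cofactor passed is 1 */
        || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
        || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
        goto err;
    TEST_info("SEC2 curve secp160r1 -- Generator");
    test_output_bignum("x", x);
    test_output_bignum("y", y);
    /* G_y value taken from the standard: */
    if (!TEST_true(BN_hex2bn(&z,                         "23a62855"
                                 "3168947d59dcc912042351377ac5fb32"))
        || !TEST_BN_eq(y, z)
        || !TEST_int_eq(EC_GROUP_get_degree(group), 160)
        || !group_order_tests(group)
        || !TEST_ptr(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))
        || !TEST_true(EC_GROUP_copy(P_160, group))

    /* Curve P-192 (FIPS PUB 186-2, App. 6) */

        || !TEST_true(BN_hex2bn(&p,                 "FFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"))
        || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
        || !TEST_true(BN_hex2bn(&a,                 "FFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC"))
        || !TEST_true(BN_hex2bn(&b,                 "64210519E59C80E7"
                                    "0FA7E9AB72243049FEB8DEECC146B9B1"))
        || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
        || !TEST_true(BN_hex2bn(&x,                 "188DA80EB03090F6"
                                    "7CBF20EB43A18800F4FF0AFD82FF1012"))
        || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
        || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
        || !TEST_true(BN_hex2bn(&z,                 "FFFFFFFFFFFFFFFF"
                                    "FFFFFFFF99DEF836146BC9B1B4D22831"))
        || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
        || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
        goto err;

    TEST_info("NIST curve P-192 -- Generator");
    test_output_bignum("x", x);
    test_output_bignum("y", y);
    /* G_y value taken from the standard: */
    if (!TEST_true(BN_hex2bn(&z,                 "07192B95FFC8DA78"
                                 "631011ED6B24CDD573F977A11E794811"))
        || !TEST_BN_eq(y, z)
        || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    /*
     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
     * and therefore setting the coordinates should fail.
     */
        || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
                                                       ctx))
        || !TEST_int_eq(EC_GROUP_get_degree(group), 192)
        || !group_order_tests(group)
        || !TEST_ptr(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))
        || !TEST_true(EC_GROUP_copy(P_192, group))

    /* Curve P-224 (FIPS PUB 186-2, App. 6) */

        || !TEST_true(BN_hex2bn(&p,         "FFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFF000000000000000000000001"))
        || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
        || !TEST_true(BN_hex2bn(&a,         "FFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
        || !TEST_true(BN_hex2bn(&b,         "B4050A850C04B3ABF5413256"
                                    "5044B0B7D7BFD8BA270B39432355FFB4"))
        || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
        || !TEST_true(BN_hex2bn(&x,         "B70E0CBD6BB4BF7F321390B9"
                                    "4A03C1D356C21122343280D6115C1D21"))
        || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
        || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
        || !TEST_true(BN_hex2bn(&z,         "FFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFF16A2E0B8F03E13DD29455C5C2A3D"))
        || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
        || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
        goto err;

    TEST_info("NIST curve P-224 -- Generator");
    test_output_bignum("x", x);
    test_output_bignum("y", y);
    /* G_y value taken from the standard: */
    if (!TEST_true(BN_hex2bn(&z,         "BD376388B5F723FB4C22DFE6"
                                 "CD4375A05A07476444D5819985007E34"))
        || !TEST_BN_eq(y, z)
        || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    /*
     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
     * and therefore setting the coordinates should fail.
     */
        || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
                                                       ctx))
        || !TEST_int_eq(EC_GROUP_get_degree(group), 224)
        || !group_order_tests(group)
        || !TEST_ptr(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))
        || !TEST_true(EC_GROUP_copy(P_224, group))

    /* Curve P-256 (FIPS PUB 186-2, App. 6) */

        || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000"
                                    "00000000FFFFFFFFFFFFFFFFFFFFFFFF"))
        || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
        || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000"
                                    "00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
        || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
                                    "651D06B0CC53B0F63BCE3C3E27D2604B"))
        || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))

        || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2"
                                    "77037D812DEB33A0F4A13945D898C296"))
        || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
        || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
        || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
                                    "BCE6FAADA7179E84F3B9CAC2FC632551"))
        || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
        || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
        goto err;

    TEST_info("NIST curve P-256 -- Generator");
    test_output_bignum("x", x);
    test_output_bignum("y", y);
    /* G_y value taken from the standard: */
    if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16"
                                 "2BCE33576B315ECECBB6406837BF51F5"))
        || !TEST_BN_eq(y, z)
        || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    /*
     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
     * and therefore setting the coordinates should fail.
     */
        || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
                                                       ctx))
        || !TEST_int_eq(EC_GROUP_get_degree(group), 256)
        || !group_order_tests(group)
        || !TEST_ptr(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))
        || !TEST_true(EC_GROUP_copy(P_256, group))

    /* Curve P-384 (FIPS PUB 186-2, App. 6) */

        || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
                                    "FFFFFFFF0000000000000000FFFFFFFF"))
        || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
        || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
                                    "FFFFFFFF0000000000000000FFFFFFFC"))
        || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19"
                                    "181D9C6EFE8141120314088F5013875A"
                                    "C656398D8A2ED19D2A85C8EDD3EC2AEF"))
        || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))

        || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74"
                                    "6E1D3B628BA79B9859F741E082542A38"
                                    "5502F25DBF55296C3A545E3872760AB7"))
        || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
        || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
        || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
                                    "581A0DB248B0A77AECEC196ACCC52973"))
        || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
        || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
        goto err;

    TEST_info("NIST curve P-384 -- Generator");
    test_output_bignum("x", x);
    test_output_bignum("y", y);
    /* G_y value taken from the standard: */
    if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29"
                                 "F8F41DBD289A147CE9DA3113B5F0B8C0"
                                 "0A60B1CE1D7E819D7A431D7C90EA0E5F"))
        || !TEST_BN_eq(y, z)
        || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    /*
     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
     * and therefore setting the coordinates should fail.
     */
        || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
                                                       ctx))
        || !TEST_int_eq(EC_GROUP_get_degree(group), 384)
        || !group_order_tests(group)
        || !TEST_ptr(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))
        || !TEST_true(EC_GROUP_copy(P_384, group))

    /* Curve P-521 (FIPS PUB 186-2, App. 6) */
        || !TEST_true(BN_hex2bn(&p,                              "1FF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
        || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
        || !TEST_true(BN_hex2bn(&a,                              "1FF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
        || !TEST_true(BN_hex2bn(&b,                              "051"
                                    "953EB9618E1C9A1F929A21A0B68540EE"
                                    "A2DA725B99B315F3B8B489918EF109E1"
                                    "56193951EC7E937B1652C0BD3BB1BF07"
                                    "3573DF883D2C34F1EF451FD46B503F00"))
        || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
        || !TEST_true(BN_hex2bn(&x,                               "C6"
                                    "858E06B70404E9CD9E3ECB662395B442"
                                    "9C648139053FB521F828AF606B4D3DBA"
                                    "A14B5E77EFE75928FE1DC127A2FFA8DE"
                                    "3348B3C1856A429BF97E7E31C2E5BD66"))
        || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
        || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
        || !TEST_true(BN_hex2bn(&z,                              "1FF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                                    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA"
                                    "51868783BF2F966B7FCC0148F709A5D0"
                                    "3BB5C9B8899C47AEBB6FB71E91386409"))
        || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
        || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
        goto err;

    TEST_info("NIST curve P-521 -- Generator");
    test_output_bignum("x", x);
    test_output_bignum("y", y);
    /* G_y value taken from the standard: */
    if (!TEST_true(BN_hex2bn(&z,                              "118"
                                 "39296A789A3BC0045C8A5FB42C7D1BD9"
                                 "98F54449579B446817AFBD17273E662C"
                                 "97EE72995EF42640C550B9013FAD0761"
                                 "353C7086A272C24088BE94769FD16650"))
        || !TEST_BN_eq(y, z)
        || !TEST_true(BN_add(yplusone, y, BN_value_one()))
    /*
     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
     * and therefore setting the coordinates should fail.
     */
        || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
                                                       ctx))
        || !TEST_int_eq(EC_GROUP_get_degree(group), 521)
        || !group_order_tests(group)
        || !TEST_ptr(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))
        || !TEST_true(EC_GROUP_copy(P_521, group))

    /* more tests using the last curve */

    /* Restore the point that got mangled in the (x, y + 1) test. */
        || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
        || !TEST_true(EC_POINT_copy(Q, P))
        || !TEST_false(EC_POINT_is_at_infinity(group, Q))
        || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
        || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
        || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
        || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
        || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
        || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
        || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
        goto err;
    points[0] = Q;
    points[1] = Q;
    points[2] = Q;
    points[3] = Q;

    /* y = (order + 1) / 2; the order is odd, so order + 1 must be even */
    if (!TEST_true(EC_GROUP_get_order(group, z, ctx))
        || !TEST_true(BN_add(y, z, BN_value_one()))
        || !TEST_BN_even(y)
        || !TEST_true(BN_rshift1(y, y)))
        goto err;
    scalars[0] = y;         /* (group order + 1)/2, so y*Q + y*Q = Q */
    scalars[1] = y;

    TEST_note("combined multiplication ...");

    /* z is still the group order */
    if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
        || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx))
        /*
         * From here on the scalars are random, and they are not printed.
         * NOTE(review): a failure in the two cancellation checks below
         * cannot be replayed from the test log alone.
         */
        || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
        || !TEST_true(BN_add(z, z, y)))
        goto err;
    BN_set_negative(z, 1);
    scalars[0] = y;
    scalars[1] = z;         /* z = -(order + y) */

    if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
        || !TEST_true(EC_POINT_is_at_infinity(group, P))
        || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
        || !TEST_true(BN_add(z, x, y)))
        goto err;
    BN_set_negative(z, 1);
    scalars[0] = x;
    scalars[1] = y;
    scalars[2] = z;         /* z = -(x+y) */

    /* The fourth scalar is zero, so its term must not change the sum */
    if (!TEST_ptr(scalar3 = BN_new()))
        goto err;
    BN_zero(scalar3);
    scalars[3] = scalar3;

    if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
        || !TEST_true(EC_POINT_is_at_infinity(group, P)))
        goto err;

    TEST_note(" ok\n");


    r = 1;
err:
    BN_CTX_free(ctx);
    BN_free(p);
    BN_free(a);
    BN_free(b);
    EC_GROUP_free(group);
    EC_GROUP_free(tmp);
    EC_POINT_free(P);
    EC_POINT_free(Q);
    EC_POINT_free(R);
    BN_free(x);
    BN_free(y);
    BN_free(z);
    BN_free(yplusone);
    BN_free(scalar3);

    EC_GROUP_free(P_160);
    EC_GROUP_free(P_192);
    EC_GROUP_free(P_224);
    EC_GROUP_free(P_256);
    EC_GROUP_free(P_384);
    EC_GROUP_free(P_521);
    return r;
}

# ifndef OPENSSL_NO_EC2M

static struct c2_curve_test {
    const char *name;
    const char *p;
    const char *a;
    const char *b;
    const char *x;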
const char *y; 643 1.1 christos int ybit; 644 1.1 christos const char *order; 645 1.1 christos const char *cof; 646 1.1 christos int degree; 647 1.1 christos } char2_curve_tests[] = { 648 1.1 christos /* Curve K-163 (FIPS PUB 186-2, App. 6) */ 649 1.1 christos { 650 1.1 christos "NIST curve K-163", 651 1.1 christos "0800000000000000000000000000000000000000C9", 652 1.1 christos "1", 653 1.1 christos "1", 654 1.1 christos "02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8", 655 1.1 christos "0289070FB05D38FF58321F2E800536D538CCDAA3D9", 656 1.1 christos 1, "04000000000000000000020108A2E0CC0D99F8A5EF", "2", 163 657 1.1 christos }, 658 1.1 christos /* Curve B-163 (FIPS PUB 186-2, App. 6) */ 659 1.1 christos { 660 1.1 christos "NIST curve B-163", 661 1.1 christos "0800000000000000000000000000000000000000C9", 662 1.1 christos "1", 663 1.1 christos "020A601907B8C953CA1481EB10512F78744A3205FD", 664 1.1 christos "03F0EBA16286A2D57EA0991168D4994637E8343E36", 665 1.1 christos "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1", 666 1.1 christos 1, "040000000000000000000292FE77E70C12A4234C33", "2", 163 667 1.1 christos }, 668 1.1 christos /* Curve K-233 (FIPS PUB 186-2, App. 6) */ 669 1.1 christos { 670 1.1 christos "NIST curve K-233", 671 1.1 christos "020000000000000000000000000000000000000004000000000000000001", 672 1.1 christos "0", 673 1.1 christos "1", 674 1.1 christos "017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126", 675 1.1 christos "01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3", 676 1.1 christos 0, 677 1.1 christos "008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF", 678 1.1 christos "4", 233 679 1.1 christos }, 680 1.1 christos /* Curve B-233 (FIPS PUB 186-2, App. 
6) */ 681 1.1 christos { 682 1.1 christos "NIST curve B-233", 683 1.1 christos "020000000000000000000000000000000000000004000000000000000001", 684 1.1 christos "000000000000000000000000000000000000000000000000000000000001", 685 1.1 christos "0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD", 686 1.1 christos "00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B", 687 1.1 christos "01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052", 688 1.1 christos 1, 689 1.1 christos "01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7", 690 1.1 christos "2", 233 691 1.1 christos }, 692 1.1 christos /* Curve K-283 (FIPS PUB 186-2, App. 6) */ 693 1.1 christos { 694 1.1 christos "NIST curve K-283", 695 1.1 christos "08000000" 696 1.1 christos "00000000000000000000000000000000000000000000000000000000000010A1", 697 1.1 christos "0", 698 1.1 christos "1", 699 1.1 christos "0503213F" 700 1.1 christos "78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836", 701 1.1 christos "01CCDA38" 702 1.1 christos "0F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259", 703 1.1 christos 0, 704 1.1 christos "01FFFFFF" 705 1.1 christos "FFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61", 706 1.1 christos "4", 283 707 1.1 christos }, 708 1.1 christos /* Curve B-283 (FIPS PUB 186-2, App. 
6) */ 709 1.1 christos { 710 1.1 christos "NIST curve B-283", 711 1.1 christos "08000000" 712 1.1 christos "00000000000000000000000000000000000000000000000000000000000010A1", 713 1.1 christos "00000000" 714 1.1 christos "0000000000000000000000000000000000000000000000000000000000000001", 715 1.1 christos "027B680A" 716 1.1 christos "C8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5", 717 1.1 christos "05F93925" 718 1.1 christos "8DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053", 719 1.1 christos "03676854" 720 1.1 christos "FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4", 721 1.1 christos 1, 722 1.1 christos "03FFFFFF" 723 1.1 christos "FFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307", 724 1.1 christos "2", 283 725 1.1 christos }, 726 1.1 christos /* Curve K-409 (FIPS PUB 186-2, App. 6) */ 727 1.1 christos { 728 1.1 christos "NIST curve K-409", 729 1.1 christos "0200000000000000000000000000000000000000" 730 1.1 christos "0000000000000000000000000000000000000000008000000000000000000001", 731 1.1 christos "0", 732 1.1 christos "1", 733 1.1 christos "0060F05F658F49C1AD3AB1890F7184210EFD0987" 734 1.1 christos "E307C84C27ACCFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746", 735 1.1 christos "01E369050B7C4E42ACBA1DACBF04299C3460782F" 736 1.1 christos "918EA427E6325165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B", 737 1.1 christos 1, 738 1.1 christos "007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 739 1.1 christos "FFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF", 740 1.1 christos "4", 409 741 1.1 christos }, 742 1.1 christos /* Curve B-409 (FIPS PUB 186-2, App. 
6) */ 743 1.1 christos { 744 1.1 christos "NIST curve B-409", 745 1.1 christos "0200000000000000000000000000000000000000" 746 1.1 christos "0000000000000000000000000000000000000000008000000000000000000001", 747 1.1 christos "0000000000000000000000000000000000000000" 748 1.1 christos "0000000000000000000000000000000000000000000000000000000000000001", 749 1.1 christos "0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422E" 750 1.1 christos "F1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F", 751 1.1 christos "015D4860D088DDB3496B0C6064756260441CDE4A" 752 1.1 christos "F1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7", 753 1.1 christos "0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5" 754 1.1 christos "A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706", 755 1.1 christos 1, 756 1.1 christos "0100000000000000000000000000000000000000" 757 1.1 christos "00000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173", 758 1.1 christos "2", 409 759 1.1 christos }, 760 1.1 christos /* Curve K-571 (FIPS PUB 186-2, App. 
6) */ 761 1.1 christos { 762 1.1 christos "NIST curve K-571", 763 1.1 christos "800000000000000" 764 1.1 christos "0000000000000000000000000000000000000000000000000000000000000000" 765 1.1 christos "0000000000000000000000000000000000000000000000000000000000000425", 766 1.1 christos "0", 767 1.1 christos "1", 768 1.1 christos "026EB7A859923FBC" 769 1.1 christos "82189631F8103FE4AC9CA2970012D5D46024804801841CA44370958493B205E6" 770 1.1 christos "47DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972", 771 1.1 christos "0349DC807F4FBF37" 772 1.1 christos "4F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0AC44AEA7" 773 1.1 christos "4FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3", 774 1.1 christos 0, 775 1.1 christos "0200000000000000" 776 1.1 christos "00000000000000000000000000000000000000000000000000000000131850E1" 777 1.1 christos "F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001", 778 1.1 christos "4", 571 779 1.1 christos }, 780 1.1 christos /* Curve B-571 (FIPS PUB 186-2, App. 
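6) */
    {
        "NIST curve B-571",
        "800000000000000"
        "0000000000000000000000000000000000000000000000000000000000000000"
        "0000000000000000000000000000000000000000000000000000000000000425",
        "0000000000000000"
        "0000000000000000000000000000000000000000000000000000000000000000"
        "0000000000000000000000000000000000000000000000000000000000000001",
        "02F40E7E2221F295"
        "DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA5933"
        "2BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A",
        "0303001D34B85629"
        "6C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293"
        "CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19",
        "037BF27342DA639B"
        "6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A57"
        "6291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B",
        1,
        "03FFFFFFFFFFFFFF"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18"
        "FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47",
        "2", 571
    }
};

/*
 * Build entry n of char2_curve_tests[] as an EC_GROUP over GF(2^m) and check
 * it: the generator must be accepted as on-curve, an off-curve point must be
 * refused, the field degree must match the table, and group_order_tests()
 * must pass.  For the last table entry only, additional point-arithmetic and
 * combined-multiplication checks are run.
 *
 * n is used directly as an index into char2_curve_tests[] and is not
 * range-checked here (presumably the test harness only passes valid
 * indices -- confirm against the registration code).
 *
 * Returns 1 on success, 0 on any failure.
 */
static int char2_curve_test(int n)
{
    int r = 0;
    BN_CTX *ctx = NULL;
    BIGNUM *p = NULL, *a = NULL, *b = NULL;
    BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
    EC_GROUP *group = NULL, *variable = NULL;
    EC_POINT *P = NULL, *Q = NULL, *R = NULL;
    const EC_POINT *points[3];
    const BIGNUM *scalars[3];
    struct c2_curve_test *const test = char2_curve_tests + n;

    if (!TEST_ptr(ctx = BN_CTX_new())
        || !TEST_ptr(p = BN_new())
        || !TEST_ptr(a = BN_new())
        || !TEST_ptr(b = BN_new())
        || !TEST_ptr(x = BN_new())
        || !TEST_ptr(y = BN_new())
        || !TEST_ptr(z = BN_new())
        || !TEST_ptr(yplusone = BN_new())
        || !TEST_true(BN_hex2bn(&p, test->p))
        || !TEST_true(BN_hex2bn(&a, test->a))
        || !TEST_true(BN_hex2bn(&b, test->b))
        /* a pointer result is checked with TEST_ptr, as elsewhere in this file */
        || !TEST_ptr(group = EC_GROUP_new(EC_GF2m_simple_method()))
        || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
        || !TEST_ptr(P = EC_POINT_new(group))
        || !TEST_ptr(Q = EC_POINT_new(group))
        || !TEST_ptr(R = EC_POINT_new(group))
        || !TEST_true(BN_hex2bn(&x, test->x))
        || !TEST_true(BN_hex2bn(&y, test->y))
        || !TEST_true(BN_add(yplusone, y, BN_value_one())))
        goto err;

    /* Change test based on whether binary point compression is enabled or not. */
# ifdef OPENSSL_EC_BIN_PT_COMP
    /*
     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
     * and therefore setting the coordinates should fail.  This pins the
     * requirement that off-curve coordinates are refused at the API boundary.
     */
    if (!TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, ctx))
        /* the table field is named ybit in struct c2_curve_test */
        || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x,
                                                          test->ybit,
                                                          ctx))
        || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
        || !TEST_true(BN_hex2bn(&z, test->order))
        || !TEST_true(BN_hex2bn(&cof, test->cof))
        || !TEST_true(EC_GROUP_set_generator(group, P, z, cof))
        || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
        goto err;
    TEST_info("%s -- Generator", test->name);
    test_output_bignum("x", x);
    test_output_bignum("y", y);
    /* G_y value taken from the standard: */
    if (!TEST_true(BN_hex2bn(&z, test->y))
        || !TEST_BN_eq(y, z)
        /*
         * z was borrowed for the comparison above; reload the group order,
         * which the last-curve checks below expect to find in z.
         */
        || !TEST_true(BN_hex2bn(&z, test->order)))
        goto err;
# else
    /*
     * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
     * and therefore setting the coordinates should fail.  This pins the
     * requirement that off-curve coordinates are refused at the API boundary.
     */
    if (!TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, ctx))
        || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
        || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
        || !TEST_true(BN_hex2bn(&z, test->order))
        || !TEST_true(BN_hex2bn(&cof, test->cof))
        || !TEST_true(EC_GROUP_set_generator(group, P, z, cof)))
        goto err;
    TEST_info("%s -- Generator:", test->name);
    test_output_bignum("x", x);
    test_output_bignum("y", y);
# endif

    if (!TEST_int_eq(EC_GROUP_get_degree(group), test->degree)
        || !group_order_tests(group)
        || !TEST_ptr(variable = EC_GROUP_new(EC_GROUP_method_of(group)))
        || !TEST_true(EC_GROUP_copy(variable, group)))
        goto err;

    /* more tests using the last curve */
    if (n == OSSL_NELEM(char2_curve_tests) - 1) {
        if (!TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
            || !TEST_true(EC_POINT_copy(Q, P))
            || !TEST_false(EC_POINT_is_at_infinity(group, Q))
            || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
            || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
            || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
            || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
            || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
            || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
            || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
            goto err;

        points[0] = Q;
        points[1] = Q;
        points[2] = Q;

        if (!TEST_true(BN_add(y, z, BN_value_one()))
            || !TEST_BN_even(y)
            || !TEST_true(BN_rshift1(y, y)))
            goto err;
        scalars[0] = y;         /* (group order + 1)/2, so y*Q + y*Q = Q */
        scalars[1] = y;

        TEST_note("combined multiplication ...");

        /* z is still the group order */
        if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
            || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
            || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
            || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx)))
            goto err;

        if (!TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
            || !TEST_true(BN_add(z, z, y)))
            goto err;
        BN_set_negative(z, 1);
        scalars[0] = y;
        scalars[1] = z;         /* z = -(order + y) */

        if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
            || !TEST_true(EC_POINT_is_at_infinity(group, P)))
            goto err;

        if (!TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
            || !TEST_true(BN_add(z, x, y)))
            goto err;
        BN_set_negative(z, 1);
        scalars[0] = x;
        scalars[1] = y;
        scalars[2] = z;         /* z = -(x+y) */

        if (!TEST_true(EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx))
            || !TEST_true(EC_POINT_is_at_infinity(group, P)))
            goto err;
    }

    r = 1;
 err:
    /* every pointer starts as NULL, so each free below is safe on any path */
    BN_CTX_free(ctx);
    BN_free(p);
    BN_free(a);
    BN_free(b);
    BN_free(x);
    BN_free(y);
    BN_free(z);
    BN_free(yplusone);
    BN_free(cof);
    EC_POINT_free(P);
    EC_POINT_free(Q);
    EC_POINT_free(R);
    EC_GROUP_free(group);
    EC_GROUP_free(variable);
    return r;
}

static int char2_field_tests(void)
{
    BN_CTX *ctx = NULL;
    BIGNUM *p = NULL, *a = NULL, *b = NULL;
    EC_GROUP *group = NULL, *tmp = NULL;
    EC_POINT *P = NULL, *Q = NULL, *R = NULL;
    BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
    unsigned char buf[100];
    size_t len;
    int k, r = 0;

    if (!TEST_ptr(ctx = BN_CTX_new())
        || !TEST_ptr(p = BN_new())
        || !TEST_ptr(a = BN_new())
        || !TEST_ptr(b = BN_new())
        || !TEST_true(BN_hex2bn(&p, "13"))
        || !TEST_true(BN_hex2bn(&a, "3"))
        || !TEST_true(BN_hex2bn(&b, "1")))
        goto err;

    group = EC_GROUP_new(EC_GF2m_simple_method()); /* applications should use
                                                    * EC_GROUP_new_curve_GF2m
                                                    * so that the library gets
                                                    * to choose the EC_METHOD */
    if (!TEST_ptr(group)
        || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
        || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
        || !TEST_true(EC_GROUP_copy(tmp, group)))
        goto err;
    EC_GROUP_free(group);
    group = tmp;
    tmp = NULL;

    if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
        goto err;

    TEST_info("Curve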
defined by Weierstrass equation"); 999 1.1 christos TEST_note(" y^2 + x*y = x^3 + a*x^2 + b (mod p)"); 1000 1.1 christos test_output_bignum("a", a); 1001 1.1 christos test_output_bignum("b", b); 1002 1.1 christos test_output_bignum("p", p); 1003 1.1 christos 1004 1.1 christos if (!TEST_ptr(P = EC_POINT_new(group)) 1005 1.1 christos || !TEST_ptr(Q = EC_POINT_new(group)) 1006 1.1 christos || !TEST_ptr(R = EC_POINT_new(group)) 1007 1.1 christos || !TEST_true(EC_POINT_set_to_infinity(group, P)) 1008 1.1 christos || !TEST_true(EC_POINT_is_at_infinity(group, P))) 1009 1.1 christos goto err; 1010 1.1 christos 1011 1.1 christos buf[0] = 0; 1012 1.1 christos if (!TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx)) 1013 1.1 christos || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)) 1014 1.1 christos || !TEST_true(EC_POINT_is_at_infinity(group, P)) 1015 1.1 christos || !TEST_ptr(x = BN_new()) 1016 1.1 christos || !TEST_ptr(y = BN_new()) 1017 1.1 christos || !TEST_ptr(z = BN_new()) 1018 1.1 christos || !TEST_ptr(cof = BN_new()) 1019 1.1 christos || !TEST_ptr(yplusone = BN_new()) 1020 1.1 christos || !TEST_true(BN_hex2bn(&x, "6")) 1021 1.1 christos /* Change test based on whether binary point compression is enabled or not. */ 1022 1.1 christos # ifdef OPENSSL_EC_BIN_PT_COMP 1023 1.1 christos || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx)) 1024 1.1 christos # else 1025 1.1 christos || !TEST_true(BN_hex2bn(&y, "8")) 1026 1.1 christos || !TEST_true(EC_POINT_set_affine_coordinates(group, Q, x, y, ctx)) 1027 1.1 christos # endif 1028 1.1 christos ) 1029 1.1 christos goto err; 1030 1.1 christos if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) { 1031 1.1 christos /* Change test based on whether binary point compression is enabled or not. 
*/ 1032 1.1 christos # ifdef OPENSSL_EC_BIN_PT_COMP 1033 1.1 christos if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx))) 1034 1.1 christos goto err; 1035 1.1 christos # endif 1036 1.1 christos TEST_info("Point is not on curve"); 1037 1.1 christos test_output_bignum("x", x); 1038 1.1 christos test_output_bignum("y", y); 1039 1.1 christos goto err; 1040 1.1 christos } 1041 1.1 christos 1042 1.1 christos TEST_note("A cyclic subgroup:"); 1043 1.1 christos k = 100; 1044 1.1 christos do { 1045 1.1 christos if (!TEST_int_ne(k--, 0)) 1046 1.1 christos goto err; 1047 1.1 christos 1048 1.1 christos if (EC_POINT_is_at_infinity(group, P)) 1049 1.1 christos TEST_note(" point at infinity"); 1050 1.1 christos else { 1051 1.1 christos if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, 1052 1.1 christos ctx))) 1053 1.1 christos goto err; 1054 1.1 christos 1055 1.1 christos test_output_bignum("x", x); 1056 1.1 christos test_output_bignum("y", y); 1057 1.1 christos } 1058 1.1 christos 1059 1.1 christos if (!TEST_true(EC_POINT_copy(R, P)) 1060 1.1 christos || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))) 1061 1.1 christos goto err; 1062 1.1 christos } 1063 1.1 christos while (!EC_POINT_is_at_infinity(group, P)); 1064 1.1 christos 1065 1.1 christos if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx)) 1066 1.1 christos || !TEST_true(EC_POINT_is_at_infinity(group, P))) 1067 1.1 christos goto err; 1068 1.1 christos 1069 1.1 christos /* Change test based on whether binary point compression is enabled or not. 
*/ 1070 1.1 christos # ifdef OPENSSL_EC_BIN_PT_COMP 1071 1.1 christos len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, 1072 1.1 christos buf, sizeof(buf), ctx); 1073 1.1 christos if (!TEST_size_t_ne(len, 0) 1074 1.1 christos || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) 1075 1.1 christos || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) 1076 1.1 christos goto err; 1077 1.1 christos test_output_memory("Generator as octet string, compressed form:", 1078 1.1 christos buf, len); 1079 1.1 christos # endif 1080 1.1 christos 1081 1.1 christos len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, 1082 1.1 christos buf, sizeof(buf), ctx); 1083 1.1 christos if (!TEST_size_t_ne(len, 0) 1084 1.1 christos || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) 1085 1.1 christos || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) 1086 1.1 christos goto err; 1087 1.1 christos test_output_memory("Generator as octet string, uncompressed form:", 1088 1.1 christos buf, len); 1089 1.1 christos 1090 1.1 christos /* Change test based on whether binary point compression is enabled or not. 
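 */
# ifdef OPENSSL_EC_BIN_PT_COMP
    len =
        EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof(buf),
                           ctx);
    if (!TEST_size_t_ne(len, 0)
        || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
        goto err;
    test_output_memory("Generator as octet string, hybrid form:",
                       buf, len);
# endif

    if (!TEST_true(EC_POINT_invert(group, P, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)))
        goto err;

    TEST_note("\n");

    r = 1;
 err:
    BN_CTX_free(ctx);
    BN_free(p);
    BN_free(a);
    BN_free(b);
    EC_GROUP_free(group);
    EC_GROUP_free(tmp);
    EC_POINT_free(P);
    EC_POINT_free(Q);
    EC_POINT_free(R);
    BN_free(x);
    BN_free(y);
    BN_free(z);
    BN_free(cof);
    BN_free(yplusone);
    return r;
}

/*
 * Check that the octet-string decoder accepts a well-formed hybrid encoding
 * and refuses one whose leading octet has been tampered with.
 *
 * The point (0, 1) on sect571k1 is serialised with POINT_CONVERSION_HYBRID.
 * The hybrid form carries the full y coordinate and, redundantly, a y_bit in
 * the leading octet; a decoder that did not cross-check the two would accept
 * more than one byte string for the same point, so the mismatch must be
 * rejected.
 *
 * Returns 1 when both the positive and the negative decode behave as
 * expected, 0 otherwise.
 */
static int hybrid_point_encoding_test(void)
{
    BIGNUM *x = NULL, *y = NULL;
    EC_GROUP *group = NULL;
    EC_POINT *point = NULL;
    unsigned char *buf = NULL;
    size_t len;
    int r = 0;

    /*
     * The first EC_POINT_point2oct() call passes a NULL buffer to learn the
     * encoded length; the second fills a buffer of exactly that size and
     * must report the same length.
     */
    if (!TEST_true(BN_dec2bn(&x, "0"))
        || !TEST_true(BN_dec2bn(&y, "1"))
        || !TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_sect571k1))
        || !TEST_ptr(point = EC_POINT_new(group))
        || !TEST_true(EC_POINT_set_affine_coordinates(group, point, x, y, NULL))
        || !TEST_size_t_ne(0, (len = EC_POINT_point2oct(group,
                                                        point,
                                                        POINT_CONVERSION_HYBRID,
                                                        NULL,
                                                        0,
                                                        NULL)))
        || !TEST_ptr(buf = OPENSSL_malloc(len))
        || !TEST_size_t_eq(len, EC_POINT_point2oct(group,
                                                   point,
                                                   POINT_CONVERSION_HYBRID,
                                                   buf,
                                                   len,
                                                   NULL)))
        goto err;

    /* Both decode checks below always run; either one can clear r. */
    r = 1;

    /* buf contains a valid hybrid point, check that we can decode it. */
    if (!TEST_true(EC_POINT_oct2point(group, point, buf, len, NULL)))
        r = 0;

    /* Flip the y_bit and verify that the invalid encoding is rejected. */
    buf[0] ^= 1;
    if (!TEST_false(EC_POINT_oct2point(group, point, buf, len, NULL)))
        r = 0;

 err:
    BN_free(x);
    BN_free(y);
    EC_GROUP_free(group);
    EC_POINT_free(point);
    OPENSSL_free(buf);
    return r;
}
#endif /* OPENSSL_NO_EC2M */

/*
 * Instantiate built-in curve number n by NID and run EC_GROUP_check() on it.
 *
 * n indexes the file-scope curves[] array and is not range-checked here
 * (presumably the harness passes 0 .. crv_len - 1 -- confirm against the
 * registration code).
 *
 * Returns 1 if the group could be created and passed the check, 0 otherwise.
 */
static int internal_curve_test(int n)
{
    EC_GROUP *group = NULL;
    int nid = curves[n].nid;
    int ok = 0;

    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
        /* name the function that was actually called */
        TEST_info("EC_GROUP_new_by_curve_name() failed with curve %s\n",
                  OBJ_nid2sn(nid));
        return 0;
    }
    if (!TEST_true(EC_GROUP_check(group, NULL)))
        TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid));
    else
        ok = 1;
    EC_GROUP_free(group);
    return ok;
}

/*
 * Instantiate built-in curve number n by NID and run group_order_tests() on
 * it.  n indexes curves[] without a range check, as in internal_curve_test().
 *
 * Returns the result of group_order_tests(), or 0 if the group could not be
 * created.
 */
static int internal_curve_test_method(int n)
{
    int r, nid = curves[n].nid;
    EC_GROUP *group = NULL;

    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
        TEST_info("Curve %s failed\n", OBJ_nid2sn(nid));
        return 0;
    }
    r = group_order_tests(group);
    EC_GROUP_free(group);
    return r;
}

# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
/*
 * nistp_test_params contains magic numbers for testing our optimized
 * implementations of several NIST curves with characteristic > 3.
 */
struct nistp_test_params {
    /* returns the EC_METHOD of the optimized implementation under test */
    const EC_METHOD *(*meth) (void);
    /* expected result of EC_GROUP_get_degree() for the curve */
    int degree;
    /*
     * Qx, Qy and D are taken from
     * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
     * Otherwise, values are standard curve parameters from FIPS 180-3
     * (NOTE(review): FIPS 180 is the hash standard; the curve parameters are
     * presumably meant to be cited from FIPS 186 -- confirm.)
     * All values are hexadecimal strings.
     */
    const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
};

static const struct nistp_test_params nistp_tests_params[] = {
    {
        /* P-224 */
        EC_GFp_nistp224_method,
        224,
        /* p */
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
        /* a */
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
        /* b */
        "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",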
christos /* Qx */ 1239 1.1 christos "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E", 1240 1.1 christos /* Qy */ 1241 1.1 christos "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555", 1242 1.1 christos /* Gx */ 1243 1.1 christos "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", 1244 1.1 christos /* Gy */ 1245 1.1 christos "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", 1246 1.1 christos /* order */ 1247 1.1 christos "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", 1248 1.1 christos /* d */ 1249 1.1 christos "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8", 1250 1.1 christos }, 1251 1.1 christos { 1252 1.1 christos /* P-256 */ 1253 1.1 christos EC_GFp_nistp256_method, 1254 1.1 christos 256, 1255 1.1 christos /* p */ 1256 1.1 christos "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 1257 1.1 christos /* a */ 1258 1.1 christos "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 1259 1.1 christos /* b */ 1260 1.1 christos "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 1261 1.1 christos /* Qx */ 1262 1.1 christos "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19", 1263 1.1 christos /* Qy */ 1264 1.1 christos "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09", 1265 1.1 christos /* Gx */ 1266 1.1 christos "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 1267 1.1 christos /* Gy */ 1268 1.1 christos "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 1269 1.1 christos /* order */ 1270 1.1 christos "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 1271 1.1 christos /* d */ 1272 1.1 christos "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96", 1273 1.1 christos }, 1274 1.1 christos { 1275 1.1 christos /* P-521 */ 1276 1.1 christos EC_GFp_nistp521_method, 1277 1.1 christos 521, 1278 1.1 christos /* p */ 1279 1.1 christos "1ff" 1280 1.1 christos 
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" 1281 1.1 christos "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", 1282 1.1 christos /* a */ 1283 1.1 christos "1ff" 1284 1.1 christos "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" 1285 1.1 christos "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", 1286 1.1 christos /* b */ 1287 1.1 christos "051" 1288 1.1 christos "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1" 1289 1.1 christos "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", 1290 1.1 christos /* Qx */ 1291 1.1 christos "0098" 1292 1.1 christos "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e" 1293 1.1 christos "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4", 1294 1.1 christos /* Qy */ 1295 1.1 christos "0164" 1296 1.1 christos "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8" 1297 1.1 christos "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e", 1298 1.1 christos /* Gx */ 1299 1.1 christos "c6" 1300 1.1 christos "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba" 1301 1.1 christos "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", 1302 1.1 christos /* Gy */ 1303 1.1 christos "118" 1304 1.1 christos "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c" 1305 1.1 christos "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", 1306 1.1 christos /* order */ 1307 1.1 christos "1ff" 1308 1.1 christos "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa" 1309 1.1 christos "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", 1310 1.1 christos /* d */ 1311 1.1 christos "0100" 1312 1.1 christos "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee" 1313 1.1 christos "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722", 1314 1.1 christos }, 1315 1.1 christos }; 1316 1.1 christos 1317 1.1 
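/*
 * Runs the known-answer and consistency checks for one entry of
 * nistp_tests_params[], selected by idx, against the group built from that
 * entry's EC_METHOD (test->meth()).
 *
 * The curve is constructed from the hex strings in the entry, then the
 * expected public point Q_CHECK = (Qx, Qy) is compared against d*G computed
 * through both the generator path and the arbitrary-point path of
 * EC_POINT_mul(), with and without precomputation, and with a non-standard
 * generator.
 *
 * Returns the result of group_order_tests() when every check passes, 0
 * otherwise.
 */
static int nistp_single_test(int idx)
{
    const struct nistp_test_params *test = nistp_tests_params + idx;
    BN_CTX *ctx = NULL;
    BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL;
    BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL;
    EC_GROUP *NISTP = NULL;
    EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL;
    int r = 0;

    TEST_note("NIST curve P-%d (optimised implementation):",
              test->degree);
    if (!TEST_ptr(ctx = BN_CTX_new())
        || !TEST_ptr(p = BN_new())
        || !TEST_ptr(a = BN_new())
        || !TEST_ptr(b = BN_new())
        || !TEST_ptr(x = BN_new())
        || !TEST_ptr(y = BN_new())
        || !TEST_ptr(m = BN_new())
        || !TEST_ptr(n = BN_new())
        || !TEST_ptr(order = BN_new())
        || !TEST_ptr(yplusone = BN_new())

        || !TEST_ptr(NISTP = EC_GROUP_new(test->meth()))
        || !TEST_true(BN_hex2bn(&p, test->p))
        || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
        || !TEST_true(BN_hex2bn(&a, test->a))
        || !TEST_true(BN_hex2bn(&b, test->b))
        || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx))
        || !TEST_ptr(G = EC_POINT_new(NISTP))
        || !TEST_ptr(P = EC_POINT_new(NISTP))
        || !TEST_ptr(Q = EC_POINT_new(NISTP))
        || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP))
        || !TEST_true(BN_hex2bn(&x, test->Qx))
        || !TEST_true(BN_hex2bn(&y, test->Qy))
        || !TEST_true(BN_add(yplusone, y, BN_value_one()))
        /*
         * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
         * and therefore setting the coordinates should fail.
         */
        || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x,
                                                       yplusone, ctx))
        || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y,
                                                      ctx))
        || !TEST_true(BN_hex2bn(&x, test->Gx))
        || !TEST_true(BN_hex2bn(&y, test->Gy))
        || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx))
        || !TEST_true(BN_hex2bn(&order, test->order))
        || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
        || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
        goto err;

    TEST_note("NIST test vectors ... ");
    if (!TEST_true(BN_hex2bn(&n, test->d)))
        goto err;

    /*
     * Every EC_POINT_mul() result is checked before Q is compared: Q is
     * reused across all steps, so a multiplication that fails without
     * touching Q would otherwise leave the previous (correct) point in place
     * and let the following EC_POINT_cmp() pass on stale data.
     */

    /* fixed point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
        goto err;
    /* random point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, NULL, G, n, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))

        /* set generator to P = 2*G, where G is the standard generator */
        || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx))
        || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
        /*
         * set the scalar to m=n/2, where n is the NIST test scalar
         * NOTE(review): m*P == n*G only holds when n is even -- presumably
         * true for every d in nistp_tests_params; confirm when adding vectors.
         */
        || !TEST_true(BN_rshift(m, n, 1)))
        goto err;

    /* test the non-standard generator */
    /* fixed point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
        goto err;
    /* random point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, NULL, P, m, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))

        /*
         * We have not performed precomputation so have_precompute mult should
         * be false
         */
        || !TEST_false(EC_GROUP_have_precompute_mult(NISTP))

        /* now repeat all tests with precomputation */
        || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx))
        || !TEST_true(EC_GROUP_have_precompute_mult(NISTP)))
        goto err;

    /* fixed point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
        goto err;
    /* random point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, NULL, P, m, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))

        /* reset generator */
        || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())))
        goto err;
    /* fixed point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
        goto err;
    /* random point multiplication */
    if (!TEST_true(EC_POINT_mul(NISTP, Q, NULL, G, n, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
        goto err;

    /*
     * regression test for felem_neg bug:
     * with P = -G, 32*G + 31*P must come out as G.
     */
    if (!TEST_true(BN_set_word(m, 32))
        || !TEST_true(BN_set_word(n, 31))
        || !TEST_true(EC_POINT_copy(P, G))
        || !TEST_true(EC_POINT_invert(NISTP, P, ctx))
        || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx))
        || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx)))
        goto err;

    r = group_order_tests(NISTP);
 err:
    EC_GROUP_free(NISTP);
    EC_POINT_free(G);
    EC_POINT_free(P);
    EC_POINT_free(Q);
    EC_POINT_free(Q_CHECK);
    BN_free(n);
    BN_free(m);
    BN_free(p);
    BN_free(a);
    BN_free(b);
    BN_free(x);
    BN_free(y);
    BN_free(order);
    BN_free(yplusone);
    BN_CTX_free(ctx);
    return r;
}

/*
 * Tests a point known to cause an incorrect underflow in an old version of
 * ecp_nist521.c
 *
 * The point is given in Jacobian projective coordinates on secp521r1 and is
 * doubled twice: once as 2*P through EC_POINT_mul() and once through
 * EC_POINT_dbl(). Both results must have the same affine coordinates.
 *
 * Returns 1 on success, 0 on failure.
 */
static int underflow_test(void)
{
    BN_CTX *ctx = NULL;
    EC_GROUP *grp = NULL;
    EC_POINT *P = NULL, *Q = NULL, *R = NULL;
    BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL;
    BIGNUM *k = NULL;
    int testresult = 0;
    const char *x1str =
        "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4"
        "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004";
    const char *p521m1 =
        "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
        "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe";

    ctx = BN_CTX_new();
    if (!TEST_ptr(ctx))
        return 0;

    BN_CTX_start(ctx);
    x1 = BN_CTX_get(ctx);
    y1 = BN_CTX_get(ctx);
    z1 = BN_CTX_get(ctx);
    x2 = BN_CTX_get(ctx);
    y2 = BN_CTX_get(ctx);
    k = BN_CTX_get(ctx);
    /* Only the last BN_CTX_get() result is tested before the values are used. */
    if (!TEST_ptr(k))
        goto err;

    /* Check the group before creating points on it. */
    if (!TEST_ptr(grp = EC_GROUP_new_by_curve_name(NID_secp521r1))
        || !TEST_ptr(P = EC_POINT_new(grp))
        || !TEST_ptr(Q = EC_POINT_new(grp))
        || !TEST_ptr(R = EC_POINT_new(grp)))
        goto err;

    if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0)
        || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0)
        || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0)
        || !TEST_int_gt(BN_hex2bn(&k, "02"), 0)
        || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1,
                                                               y1, z1, ctx))
        /* Q = 2*P via scalar multiplication, R = 2*P via point doubling */
        || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx))
        || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx))
        || !TEST_true(EC_POINT_dbl(grp, R, P, ctx))
        || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx)))
        goto err;

    if (!TEST_int_eq(BN_cmp(x1, x2), 0)
            || !TEST_int_eq(BN_cmp(y1, y2), 0))
        goto err;

    testresult = 1;

 err:
    BN_CTX_end(ctx);
    EC_POINT_free(P);
    EC_POINT_free(Q);
    EC_POINT_free(R);
    EC_GROUP_free(grp);
    BN_CTX_free(ctx);

    return testresult;
}
# endif
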
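/*
 * Expected DER encoding of the secp521r1 parameters in named-curve form
 * (a single OBJECT IDENTIFIER); compared against i2d_ECPKParameters() output
 * in parameter_test().
 */
static const unsigned char p521_named[] = {
    0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23,
};

/*
 * Expected DER encoding of the secp521r1 parameters in explicit form;
 * compared against i2d_ECPKParameters() output in parameter_test() after the
 * OPENSSL_EC_EXPLICIT_CURVE flag has been set on the group.
 */
static const unsigned char p521_explicit[] = {
    0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a,
    0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a,
    0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72,
    0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09,
    0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 0x52, 0xc0,
    0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34,
    0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00,
    0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17,
    0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04,
    0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e,
    0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
    0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b,
    0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
    0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e,
    0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78,
    0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9,
    0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17,
    0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40,
    0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86,
    0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
    0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa,
    0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48,
    0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae,
    0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
};

/*
 * Sometimes we cannot compare nids for equality, as the built-in curve table
 * includes aliases with different names for the same curve.
 *
 * This function returns TRUE (1) if the checked nids are identical, or if they
 * alias to the same curve. FALSE (0) otherwise.
 *
 * The relation is not symmetric in every build: when
 * OPENSSL_NO_EC_NISTP_64_GCC_128 is not defined, n1d == NID_wap_wsg_idm_ecid_wtls12
 * is only compatible with n2d == NID_secp224r1, and NID_secp224r1 as n1d falls
 * through to the plain equality check.
 */
static ossl_inline
int are_ec_nids_compatible(int n1d, int n2d)
{
    int ret = 0;
    switch (n1d) {
# ifndef OPENSSL_NO_EC2M
    case NID_sect113r1:
    case NID_wap_wsg_idm_ecid_wtls4:
        ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
        break;
    case NID_sect163k1:
    case NID_wap_wsg_idm_ecid_wtls3:
        ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
        break;
    case NID_sect233k1:
    case NID_wap_wsg_idm_ecid_wtls10:
        ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
        break;
    case NID_sect233r1:
    case NID_wap_wsg_idm_ecid_wtls11:
        ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
        break;
    case NID_X9_62_c2pnb163v1:
    case NID_wap_wsg_idm_ecid_wtls5:
        ret = (n2d == NID_X9_62_c2pnb163v1
               || n2d == NID_wap_wsg_idm_ecid_wtls5);
        break;
# endif /* OPENSSL_NO_EC2M */
    case NID_secp112r1:
    case NID_wap_wsg_idm_ecid_wtls6:
        ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
        break;
    case NID_secp160r2:
    case NID_wap_wsg_idm_ecid_wtls7:
        ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
        break;
# ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
    case NID_secp224r1:
    case NID_wap_wsg_idm_ecid_wtls12:
        ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
        break;
# else
    /*
     * For SEC P-224 we want to ensure that the SECP nid is returned, as
     * that is associated with a specialized method.
     */
    case NID_wap_wsg_idm_ecid_wtls12:
        ret = (n2d == NID_secp224r1);
        break;
# endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */

    default:
        ret = (n1d == n2d);
    }
    return ret;
}

/*
 * This checks that EC_GROUP_new_from_ecparameters() returns a "named"
 * EC_GROUP for built-in curves.
 *
 * Note that it is possible to retrieve an alternative alias that does not match
 * the original nid.
 *
 * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
 *
 * The negative cases matter as much as the positive ones: explicit parameters
 * whose generator or order differs from the built-in curve must come back
 * with NID_undef, i.e. they must not be recognised as the named curve.
 *
 * id indexes the global curves[] table. Returns 1 on success, 0 on failure.
 */
static int check_named_curve_from_ecparameters(int id)
{
    int ret = 0, nid, tnid;
    EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
    const EC_POINT *group_gen = NULL;
    EC_POINT *other_gen = NULL;
    BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
    BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
    const BIGNUM *group_order = NULL;
    BIGNUM *other_order = NULL;
    BN_CTX *bn_ctx = NULL;
    static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
    static size_t invalid_seed_len = sizeof(invalid_seed);
    ECPARAMETERS *params = NULL, *other_params = NULL;
    /*
     * Every group / parameter set created by the tests below is also stored
     * in one of these arrays so that the cleanup code can free all of them;
     * tgroup and other_params are only borrowed views of the latest entry.
     * The tests create exactly 8 groups and 7 parameter sets.
     */
    EC_GROUP *g_ary[8] = {NULL};
    EC_GROUP **g_next = &g_ary[0];
    ECPARAMETERS *p_ary[8] = {NULL};
    ECPARAMETERS **p_next = &p_ary[0];

    /* Do some setup */
    nid = curves[id].nid;
    TEST_note("Curve %s", OBJ_nid2sn(nid));
    if (!TEST_ptr(bn_ctx = BN_CTX_new()))
        return ret;
    BN_CTX_start(bn_ctx);

    if (/* Allocations */
        !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
        || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
        || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
        || !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
        || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
        /* Generate reference group and params */
        || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
        || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
        || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
        || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
        || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
        /* compute `other_*` values */
        || !TEST_ptr(tmpg = EC_GROUP_dup(group))
        || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
        || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
        || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
                      other_gen_x, other_gen_y, bn_ctx))
        || !TEST_true(BN_copy(other_order, group_order))
        || !TEST_true(BN_add_word(other_order, 1))
        || !TEST_true(BN_copy(other_cofactor, group_cofactor))
        || !TEST_true(BN_add_word(other_cofactor, 1)))
        goto err;

    /* Re-create other_gen (2*G) as a point that belongs to tmpg. */
    EC_POINT_free(other_gen);
    other_gen = NULL;

    if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
        || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
                                                      other_gen_x, other_gen_y,
                                                      bn_ctx)))
        goto err;

    /*
     * ###########################
     * # Actual tests start here #
     * ###########################
     */

    /*
     * Creating a group from built-in explicit parameters returns a
     * "named" EC_GROUP
     */
    if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
        || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
        goto err;
    /*
     * We cannot always guarantee the names match, as the built-in table
     * contains aliases for the same curve with different names.
     */
    if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
        TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
        goto err;
    }
    /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
    if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
        goto err;

    /*
     * An invalid seed in the parameters should be ignored: expect a "named"
     * group.
     */
    if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
                     invalid_seed_len)
        || !TEST_ptr(other_params = *p_next++ =
                     EC_GROUP_get_ecparameters(tmpg, NULL))
        || !TEST_ptr(tgroup = *g_next++ =
                     EC_GROUP_new_from_ecparameters(other_params))
        || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
        || !TEST_true(are_ec_nids_compatible(nid, tnid))
        || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
                        OPENSSL_EC_EXPLICIT_CURVE)) {
        TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
        goto err;
    }

    /*
     * A null seed in the parameters should be ignored, as it is optional:
     * expect a "named" group.
     */
    if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
        || !TEST_ptr(other_params = *p_next++ =
                     EC_GROUP_get_ecparameters(tmpg, NULL))
        || !TEST_ptr(tgroup = *g_next++ =
                     EC_GROUP_new_from_ecparameters(other_params))
        || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
        || !TEST_true(are_ec_nids_compatible(nid, tnid))
        || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
                        OPENSSL_EC_EXPLICIT_CURVE)) {
        TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
        goto err;
    }

    /*
     * Check that changing any of the generator parameters does not yield a
     * match with the built-in curves
     */
    if (/* Other gen, same group order & cofactor */
        !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
                                          group_cofactor))
        || !TEST_ptr(other_params = *p_next++ =
                     EC_GROUP_get_ecparameters(tmpg, NULL))
        || !TEST_ptr(tgroup = *g_next++ =
                     EC_GROUP_new_from_ecparameters(other_params))
        || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
        /* Same gen & cofactor, different order */
        || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
                                             group_cofactor))
        || !TEST_ptr(other_params = *p_next++ =
                     EC_GROUP_get_ecparameters(tmpg, NULL))
        || !TEST_ptr(tgroup = *g_next++ =
                     EC_GROUP_new_from_ecparameters(other_params))
        || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
        /* The order is not an optional field, so this should fail */
        || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
                                              group_cofactor))
        /* Check that a wrong cofactor is ignored, and we still match */
        || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
                                             other_cofactor))
        || !TEST_ptr(other_params = *p_next++ =
                     EC_GROUP_get_ecparameters(tmpg, NULL))
        || !TEST_ptr(tgroup = *g_next++ =
                     EC_GROUP_new_from_ecparameters(other_params))
        || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
        || !TEST_true(are_ec_nids_compatible(nid, tnid))
        || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
                        OPENSSL_EC_EXPLICIT_CURVE)
        /* Check that if the cofactor is not set then it still matches */
        || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
                                             NULL))
        || !TEST_ptr(other_params = *p_next++ =
                     EC_GROUP_get_ecparameters(tmpg, NULL))
        || !TEST_ptr(tgroup = *g_next++ =
                     EC_GROUP_new_from_ecparameters(other_params))
        || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
        || !TEST_true(are_ec_nids_compatible(nid, tnid))
        || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
                        OPENSSL_EC_EXPLICIT_CURVE)
        /* check that restoring the generator passes */
        || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
                                             group_cofactor))
        || !TEST_ptr(other_params = *p_next++ =
                     EC_GROUP_get_ecparameters(tmpg, NULL))
        || !TEST_ptr(tgroup = *g_next++ =
                     EC_GROUP_new_from_ecparameters(other_params))
        || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
        || !TEST_true(are_ec_nids_compatible(nid, tnid))
        || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
                        OPENSSL_EC_EXPLICIT_CURVE))
        goto err;

    ret = 1;
 err:
    for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
        EC_GROUP_free(*g_next);
    /* Bound the walk over p_ary by p_ary's own size, not g_ary's. */
    for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(p_ary); p_next++)
        ECPARAMETERS_free(*p_next);
    ECPARAMETERS_free(params);
    EC_POINT_free(other_gen);
    EC_GROUP_free(tmpg);
    EC_GROUP_free(group);
    BN_CTX_end(bn_ctx);
    BN_CTX_free(bn_ctx);
    return ret;
}

/*
 * Checks the ECPARAMETERS round trip for secp112r1 and the DER output of
 * i2d_ECPKParameters() for secp521r1 in both named and explicit form,
 * against p521_named and p521_explicit.
 *
 * Returns 1 on success, 0 on failure.
 */
static int parameter_test(void)
{
    EC_GROUP *group = NULL, *group2 = NULL;
    ECPARAMETERS *ecparameters = NULL;
    unsigned char *buf = NULL;
    int r = 0, len;

    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp112r1))
        || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
        || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
        || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
        goto err;

    EC_GROUP_free(group);
    group = NULL;

    /* Test the named curve encoding, which should be default. */
    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1))
        || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
        || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named)))
        goto err;

    /* buf is reused for the second encoding below. */
    OPENSSL_free(buf);
    buf = NULL;

    /*
     * Test the explicit encoding. P-521 requires correctly zero-padding the
     * curve coefficients.
     */
    EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
    if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
        || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit)))
        goto err;

    r = 1;
err:
    EC_GROUP_free(group);
    EC_GROUP_free(group2);
    ECPARAMETERS_free(ecparameters);
    OPENSSL_free(buf);
    return r;
}

/*-
 * random 256-bit explicit parameters curve, cofactor absent
 * order:    0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
 * cofactor:   0x12bc94785251297abfafddf1565100da (125 bit)
 */
static const unsigned char params_cf_pass[] = {
    0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
    0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5,
    0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
    0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
    0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5,
    0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
    0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
    0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc,
    0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27,
    0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23,
    0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77,
    0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b,
    0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4,
    0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9,
    0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a,
    0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c,
    0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96,
    0x14, 0xa8, 0x2f, 0x4f
};

/*-
 * random 256-bit explicit parameters curve, cofactor absent
 * order:    0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
 * cofactor:   0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
 */
static const unsigned char params_cf_fail[] = {
    0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
    0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37,
    0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
    0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
    0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37,
    0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
    0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
    0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09,
    0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d,
    0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02,
    0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59,
    0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11,
    0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24,
    0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70,
    0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73,
    0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04,
    0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e,
    0x34, 0xa2, 0x21, 0x01
};

/*-
 * Test two random 256-bit explicit parameters curves with absent cofactor.
 * The two curves are chosen to roughly straddle the bounds at which the lib
 * can compute the cofactor automatically, roughly 4*sqrt(p).  So test that:
 *
 * - params_cf_pass: order is sufficiently close to p to compute cofactor
 * - params_cf_fail: order is too far away from p to compute cofactor
 *
 * For standards-compliant curves, cofactor is chosen as small as possible.
 * So you can see neither of these curves are fit for cryptographic use.
 *
 * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
 * h <= 2**(t/8) where t is the security level of the curve, for which the lib
 * will always succeed in computing the cofactor.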
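Neither of these curves
 * conform to that -- this is just robustness testing.
 */
static int cofactor_range_test(void)
{
    EC_GROUP *group = NULL;
    BIGNUM *cf = NULL;
    int ret = 0;
    /* d2i advances the pointer it is handed, so decode through scratch copies */
    const unsigned char *b1 = (const unsigned char *)params_cf_fail;
    const unsigned char *b2 = (const unsigned char *)params_cf_pass;

    /*
     * params_cf_fail must still decode, but its cofactor has to read back as
     * zero.  params_cf_pass is then decoded into the same EC_GROUP handle and
     * must yield exactly the expected cofactor.
     *
     * NOTE(review): `group` is overwritten with the return value of the second
     * decode; if that call returns NULL the handle from the first decode is no
     * longer reachable from here -- confirm whether d2i_ECPKParameters
     * releases it on failure.
     */
    if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
        || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
        || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
                                                sizeof(params_cf_pass)))
        || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
        || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
        goto err;
    ret = 1;
 err:
    BN_free(cf);
    EC_GROUP_free(group);
    return ret;
}

/*-
 * For named curves, test that:
 * - the lib correctly computes the cofactor if passed a NULL or zero cofactor
 * - a nonsensical cofactor throws an error (negative test)
 * - nonsensical orders throw errors (negative tests)
 *
 * n indexes the global curves[] table.  Returns 1 if every check passes,
 * 0 otherwise.
 */
static int cardinality_test(int n)
{
    int ret = 0;
    int nid = curves[n].nid;
    BN_CTX *ctx = NULL;
    EC_GROUP *g1 = NULL, *g2 = NULL;
    EC_POINT *g2_gen = NULL;
    BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
           *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;

    TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));

    /*
     * The err: label calls BN_CTX_end(), which must only follow a matching
     * BN_CTX_start(); nothing has been started yet, so clean up by hand here.
     */
    if (!TEST_ptr(ctx = BN_CTX_new())
        || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))
        || !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) {
        EC_GROUP_free(g1);
        EC_GROUP_free(g2);
        BN_CTX_free(ctx);
        return 0;
    }

    /* All BIGNUM temporaries below belong to ctx and go away at BN_CTX_end() */
    BN_CTX_start(ctx);
    g1_p = BN_CTX_get(ctx);
    g1_a = BN_CTX_get(ctx);
    g1_b = BN_CTX_get(ctx);
    g1_x = BN_CTX_get(ctx);
    g1_y = BN_CTX_get(ctx);
    g1_order = BN_CTX_get(ctx);
    g1_cf = BN_CTX_get(ctx);

    /*
     * Only the last BN_CTX_get() result is tested: once one call fails, the
     * later ones return NULL as well.
     */
    if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
        /* pull out the explicit curve parameters */
        || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
        || !TEST_true(EC_POINT_get_affine_coordinates(g1,
                      EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
        || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
        || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
        /* construct g2 manually with g1 parameters */
        || !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx))
        || !TEST_ptr(g2_gen = EC_POINT_new(g2))
        || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
        /* pass NULL cofactor: lib should compute it */
        || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
        || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
        || !TEST_BN_eq(g1_cf, g2_cf)
        /* pass zero cofactor: lib should compute it */
        || !TEST_true(BN_set_word(g2_cf, 0))
        || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
        || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
        || !TEST_BN_eq(g1_cf, g2_cf)
        /* negative test for invalid cofactor: g2_cf := -1 */
        || !TEST_true(BN_set_word(g2_cf, 0))
        || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
        /* negative test for NULL order */
        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
        /* negative test for zero order (g1_order is clobbered from here on) */
        || !TEST_true(BN_set_word(g1_order, 0))
        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
        /*
         * negative test for negative order: g2_cf is reused as scratch to hold
         * -1 and is passed as the ORDER argument.  g1_order is still zero at
         * this point, so passing it would only repeat the zero-order check
         * and leave the negative-order rejection untested.
         */
        || !TEST_true(BN_set_word(g2_cf, 0))
        || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g2_cf, NULL))
        /* negative test for too large order: 4 * p */
        || !TEST_true(BN_lshift(g1_order, g1_p, 2))
        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
        goto err;
    ret = 1;
 err:
    EC_POINT_free(g2_gen);
    EC_GROUP_free(g1);
    EC_GROUP_free(g2);
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    return ret;
}

/*
 * Helper for ec_point_hex2point_test
 *
 * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given
 * (group,P) pair.
 *
 * If P is NULL use point at infinity.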
*/
static ossl_inline
int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P,
                                   point_conversion_form_t form,
                                   BN_CTX *bnctx)
{
    char *hex = NULL;
    EC_POINT *Pinf = NULL, *Q = NULL;
    int ret = 0;

    /* A NULL P selects the point at infinity, built locally and freed below */
    if (P == NULL) {
        if (!TEST_ptr(Pinf = EC_POINT_new(group)))
            goto err;
        if (!TEST_true(EC_POINT_set_to_infinity(group, Pinf)))
            goto err;
        P = Pinf;
    }

    /* Encode P as hex, decode that into a fresh point Q, and require Q == P */
    if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx)))
        goto err;
    if (!TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx)))
        goto err;
    if (!TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx)))
        goto err;

    /*
     * EC_POINT_cmp most likely covers this already; the explicit check is
     * kept for the extra coverage of EC_POINT_is_at_infinity.  It only runs
     * when the infinity point was substituted for a NULL P.
     */
    if (Pinf == NULL || TEST_true(EC_POINT_is_at_infinity(group, Q)))
        ret = 1;

 err:
    EC_POINT_free(Pinf);
    OPENSSL_free(hex);
    EC_POINT_free(Q);

    return ret;
}

/*
 * Round-trips the generator and the point at infinity of builtin curve
 * curves[id] through EC_POINT_point2hex() / EC_POINT_hex2point() in the
 * compressed, uncompressed and hybrid forms.
 *
 * Returns 1 if every round trip succeeds, 0 otherwise.
 */
static int ec_point_hex2point_test(int id)
{
    BN_CTX *bnctx = NULL;
    EC_GROUP *group = NULL;
    EC_POINT *P = NULL;
    const EC_POINT *G = NULL;
    int ret = 0;
    int nid = curves[id].nid;

    /* Setup: P is a private copy of the curve's generator */
    if (!TEST_ptr(bnctx = BN_CTX_new()))
        goto err;
    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
        goto err;
    if (!TEST_ptr(G = EC_GROUP_get0_generator(group)))
        goto err;
    if (!TEST_ptr(P = EC_POINT_dup(G, group)))
        goto err;

    /* For each encoding form: first the generator, then (NULL) infinity */
    if (!TEST_true(ec_point_hex2point_test_helper(group, P,
                                                  POINT_CONVERSION_COMPRESSED,
                                                  bnctx)))
        goto err;
    if (!TEST_true(ec_point_hex2point_test_helper(group, NULL,
                                                  POINT_CONVERSION_COMPRESSED,
                                                  bnctx)))
        goto err;
    if (!TEST_true(ec_point_hex2point_test_helper(group, P,
                                                  POINT_CONVERSION_UNCOMPRESSED,
                                                  bnctx)))
        goto err;
    if (!TEST_true(ec_point_hex2point_test_helper(group, NULL,
                                                  POINT_CONVERSION_UNCOMPRESSED,
                                                  bnctx)))
        goto err;
    if (!TEST_true(ec_point_hex2point_test_helper(group, P,
                                                  POINT_CONVERSION_HYBRID,
                                                  bnctx)))
        goto err;
    if (!TEST_true(ec_point_hex2point_test_helper(group, NULL,
                                                  POINT_CONVERSION_HYBRID,
                                                  bnctx)))
        goto err;

    ret = 1;

 err:
    EC_POINT_free(P);
    EC_GROUP_free(group);
    BN_CTX_free(bnctx);

    return ret;
}

/*
 * Checks that scalar multiplication honours a generator installed with
 * EC_GROUP_set_generator: with G2 := 2G as the new generator, (k/2)*G2 must
 * encode to the same bytes as k*G computed before the switch.
 *
 * Returns 1 on success, 0 on failure.
 */
static int custom_generator_test(int id)
{
    unsigned char *b1 = NULL, *b2 = NULL;
    EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
    EC_GROUP *group = NULL;
    BIGNUM *k = NULL;
    BN_CTX *ctx = NULL;
    int ret = 0, nid, bsize;

    /* Do some setup */
    nid = curves[id].nid;
    TEST_note("Curve %s", OBJ_nid2sn(nid));
    if (!TEST_ptr(ctx = BN_CTX_new()))
        return 0;

    BN_CTX_start(ctx);

    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
        goto err;

    /*
     * Expected byte length of an uncompressed point encoding: one leading
     * byte plus two field elements of ceil(degree / 8) bytes each.
     */
    bsize = 2 * ((EC_GROUP_get_degree(group) + 7) / 8) + 1;

    if (!TEST_ptr(k = BN_CTX_get(ctx)))
        goto err;
    /* fetch a testing scalar k != 0,1 */
    if (!TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
                           BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)))
        goto err;
    /* make k even, so that halving it further down is exact */
    if (!TEST_true(BN_clear_bit(k, 0)))
        goto err;
    if (!TEST_ptr(G2 = EC_POINT_new(group)))
        goto err;
    if (!TEST_ptr(Q1 = EC_POINT_new(group)))
        goto err;
    /* Q1 := kG */
    if (!TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx)))
        goto err;
    /* pull out the bytes of that: size query first, then the real encode */
    if (!TEST_int_eq(EC_POINT_point2oct(group, Q1,
                                        POINT_CONVERSION_UNCOMPRESSED, NULL,
                                        0, ctx), bsize))
        goto err;
    if (!TEST_ptr(b1 = OPENSSL_malloc(bsize)))
        goto err;
    if (!TEST_int_eq(EC_POINT_point2oct(group, Q1,
                                        POINT_CONVERSION_UNCOMPRESSED, b1,
                                        bsize, ctx), bsize))
        goto err;
    /* new generator is G2 := 2G, order and cofactor carried over as they are */
    if (!TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
                                ctx)))
        goto err;
    if (!TEST_true(EC_GROUP_set_generator(group, G2,
                                          EC_GROUP_get0_order(group),
                                          EC_GROUP_get0_cofactor(group))))
        goto err;
    if (!TEST_ptr(Q2 = EC_POINT_new(group)))
        goto err;
    if (!TEST_true(BN_rshift1(k, k)))
        goto err;
    /* Q2 := k/2 G2 */
    if (!TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx)))
        goto err;
    if (!TEST_int_eq(EC_POINT_point2oct(group, Q2,
                                        POINT_CONVERSION_UNCOMPRESSED, NULL,
                                        0, ctx), bsize))
        goto err;
    if (!TEST_ptr(b2 = OPENSSL_malloc(bsize)))
        goto err;
    if (!TEST_int_eq(EC_POINT_point2oct(group, Q2,
                                        POINT_CONVERSION_UNCOMPRESSED, b2,
                                        bsize, ctx), bsize))
        goto err;
    /* Q1 = kG = k/2 G2 = Q2 should hold */
    if (!TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
        goto err;

    ret = 1;

 err:
    /* k was obtained from ctx, so it is released by BN_CTX_end/BN_CTX_free */
    OPENSSL_free(b1);
    OPENSSL_free(b2);
    EC_POINT_free(Q1);
    EC_POINT_free(Q2);
    EC_POINT_free(G2);
    EC_GROUP_free(group);
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);

    return ret;
}

#endif /* OPENSSL_NO_EC */

/*
 * Test-harness entry point: loads the builtin curve table into the
 * file-scope curves[] / crv_len and registers the EC tests.
 *
 * Returns 1 on success, 0 if the curve table could not be set up.
 */
int setup_tests(void)
{
#ifndef OPENSSL_NO_EC
    /* First call only reports how many builtin curves there are */
    crv_len = EC_get_builtin_curves(NULL, 0);
    if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)))
        return 0;
    if (!TEST_true(EC_get_builtin_curves(curves, crv_len)))
        return 0;

    ADD_TEST(parameter_test);
    ADD_TEST(cofactor_range_test);
    ADD_ALL_TESTS(cardinality_test, crv_len);
    ADD_TEST(prime_field_tests);
# ifndef OPENSSL_NO_EC2M
    ADD_TEST(hybrid_point_encoding_test);
    ADD_TEST(char2_field_tests);
    ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
# endif
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
    ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
    ADD_TEST(underflow_test);
# endif
    ADD_ALL_TESTS(internal_curve_test, crv_len);
    ADD_ALL_TESTS(internal_curve_test_method, crv_len);

    ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
    ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
    ADD_ALL_TESTS(custom_generator_test, crv_len);
#endif /* OPENSSL_NO_EC */
    return 1;
}

/* Releases the curve table allocated by setup_tests(). */
void cleanup_tests(void)
{
#ifndef OPENSSL_NO_EC
    OPENSSL_free(curves);
#endif
}