b51a3b12071c36195bd31ede5214d90bcb07606f
[openssl.git] / test / ectest.c
1 /*
2  * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4  *
5  * Licensed under the Apache License 2.0 (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10
11 #include <string.h>
12 #include "internal/nelem.h"
13 #include "testutil.h"
14
15 #ifndef OPENSSL_NO_EC
16 # include <openssl/ec.h>
17 # ifndef OPENSSL_NO_ENGINE
18 #  include <openssl/engine.h>
19 # endif
20 # include <openssl/err.h>
21 # include <openssl/obj_mac.h>
22 # include <openssl/objects.h>
23 # include <openssl/rand.h>
24 # include <openssl/bn.h>
25 # include <openssl/opensslconf.h>
26
27 static size_t crv_len = 0;
28 static EC_builtin_curve *curves = NULL;
29
30 /* test multiplication with group order, long and negative scalars */
31 static int group_order_tests(EC_GROUP *group)
32 {
33     BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL;
34     EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL;
35     const EC_POINT *G = NULL;
36     BN_CTX *ctx = NULL;
37     int i = 0, r = 0;
38
39     if (!TEST_ptr(n1 = BN_new())
40         || !TEST_ptr(n2 = BN_new())
41         || !TEST_ptr(order = BN_new())
42         || !TEST_ptr(ctx = BN_CTX_new())
43         || !TEST_ptr(G = EC_GROUP_get0_generator(group))
44         || !TEST_ptr(P = EC_POINT_new(group))
45         || !TEST_ptr(Q = EC_POINT_new(group))
46         || !TEST_ptr(R = EC_POINT_new(group))
47         || !TEST_ptr(S = EC_POINT_new(group)))
48         goto err;
49
50     if (!TEST_true(EC_GROUP_get_order(group, order, ctx))
51         || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
52         || !TEST_true(EC_POINT_is_at_infinity(group, Q))
53         || !TEST_true(EC_GROUP_precompute_mult(group, ctx))
54         || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
55         || !TEST_true(EC_POINT_is_at_infinity(group, Q))
56         || !TEST_true(EC_POINT_copy(P, G))
57         || !TEST_true(BN_one(n1))
58         || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
59         || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
60         || !TEST_true(BN_sub(n1, order, n1))
61         || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
62         || !TEST_true(EC_POINT_invert(group, Q, ctx))
63         || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
64         goto err;
65
66     for (i = 1; i <= 2; i++) {
67         const BIGNUM *scalars[6];
68         const EC_POINT *points[6];
69
70         if (!TEST_true(BN_set_word(n1, i))
71             /*
72              * If i == 1, P will be the predefined generator for which
73              * EC_GROUP_precompute_mult has set up precomputation.
74              */
75             || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
76             || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx)))
77             || !TEST_true(BN_one(n1))
78             /* n1 = 1 - order */
79             || !TEST_true(BN_sub(n1, n1, order))
80             || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx))
81             || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
82
83             /* n2 = 1 + order */
84             || !TEST_true(BN_add(n2, order, BN_value_one()))
85             || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
86             || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
87
88             /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
89             || !TEST_true(BN_mul(n2, n1, n2, ctx))
90             || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
91             || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
92             goto err;
93
94         /* n2 = order^2 - 1 */
95         BN_set_negative(n2, 0);
96         if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
97             /* Add P to verify the result. */
98             || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx))
99             || !TEST_true(EC_POINT_is_at_infinity(group, Q))
100
101             /* Exercise EC_POINTs_mul, including corner cases. */
102             || !TEST_false(EC_POINT_is_at_infinity(group, P)))
103             goto err;
104
105         scalars[0] = scalars[1] = BN_value_one();
106         points[0]  = points[1]  = P;
107
108         if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx))
109             || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx))
110             || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx)))
111             goto err;
112
113         scalars[0] = n1;
114         points[0] = Q;          /* => infinity */
115         scalars[1] = n2;
116         points[1] = P;          /* => -P */
117         scalars[2] = n1;
118         points[2] = Q;          /* => infinity */
119         scalars[3] = n2;
120         points[3] = Q;          /* => infinity */
121         scalars[4] = n1;
122         points[4] = P;          /* => P */
123         scalars[5] = n2;
124         points[5] = Q;          /* => infinity */
125         if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
126             || !TEST_true(EC_POINT_is_at_infinity(group, P)))
127             goto err;
128     }
129
130     r = 1;
131 err:
132     if (r == 0 && i != 0)
133         TEST_info(i == 1 ? "allowing precomputation" :
134                            "without precomputation");
135     EC_POINT_free(P);
136     EC_POINT_free(Q);
137     EC_POINT_free(R);
138     EC_POINT_free(S);
139     BN_free(n1);
140     BN_free(n2);
141     BN_free(order);
142     BN_CTX_free(ctx);
143     return r;
144 }
145
146 static int prime_field_tests(void)
147 {
148     BN_CTX *ctx = NULL;
149     BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL;
150     EC_GROUP *group = NULL, *tmp = NULL;
151     EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL,
152              *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
153     EC_POINT *P = NULL, *Q = NULL, *R = NULL;
154     BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL;
155     const EC_POINT *points[4];
156     const BIGNUM *scalars[4];
157     unsigned char buf[100];
158     size_t len, r = 0;
159     int k;
160
161     if (!TEST_ptr(ctx = BN_CTX_new())
162         || !TEST_ptr(p = BN_new())
163         || !TEST_ptr(a = BN_new())
164         || !TEST_ptr(b = BN_new())
165         || !TEST_true(BN_hex2bn(&p, "17"))
166         || !TEST_true(BN_hex2bn(&a, "1"))
167         || !TEST_true(BN_hex2bn(&b, "1"))
168         /*
169          * applications should use EC_GROUP_new_curve_GFp so
170          * that the library gets to choose the EC_METHOD
171          */
172         || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))
173         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
174         || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
175         || !TEST_true(EC_GROUP_copy(tmp, group)))
176         goto err;
177     EC_GROUP_free(group);
178     group = tmp;
179     tmp = NULL;
180
181     if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
182         goto err;
183
184     TEST_info("Curve defined by Weierstrass equation");
185     TEST_note("     y^2 = x^3 + a*x + b (mod p)");
186     test_output_bignum("a", a);
187     test_output_bignum("b", b);
188     test_output_bignum("p", p);
189
190     buf[0] = 0;
191     if (!TEST_ptr(P = EC_POINT_new(group))
192         || !TEST_ptr(Q = EC_POINT_new(group))
193         || !TEST_ptr(R = EC_POINT_new(group))
194         || !TEST_true(EC_POINT_set_to_infinity(group, P))
195         || !TEST_true(EC_POINT_is_at_infinity(group, P))
196         || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
197         || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
198         || !TEST_true(EC_POINT_is_at_infinity(group, P))
199         || !TEST_ptr(x = BN_new())
200         || !TEST_ptr(y = BN_new())
201         || !TEST_ptr(z = BN_new())
202         || !TEST_ptr(yplusone = BN_new())
203         || !TEST_true(BN_hex2bn(&x, "D"))
204         || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx)))
205         goto err;
206
207     if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
208         if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)))
209             goto err;
210         TEST_info("Point is not on curve");
211         test_output_bignum("x", x);
212         test_output_bignum("y", y);
213         goto err;
214     }
215
216     TEST_note("A cyclic subgroup:");
217     k = 100;
218     do {
219         if (!TEST_int_ne(k--, 0))
220             goto err;
221
222         if (EC_POINT_is_at_infinity(group, P)) {
223             TEST_note("     point at infinity");
224         } else {
225             if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
226                                                            ctx)))
227                 goto err;
228
229             test_output_bignum("x", x);
230             test_output_bignum("y", y);
231         }
232
233         if (!TEST_true(EC_POINT_copy(R, P))
234             || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
235             goto err;
236
237     } while (!EC_POINT_is_at_infinity(group, P));
238
239     if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
240         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
241         goto err;
242
243     len =
244         EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf,
245                            sizeof(buf), ctx);
246     if (!TEST_size_t_ne(len, 0)
247         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
248         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
249         goto err;
250     test_output_memory("Generator as octet string, compressed form:",
251                        buf, len);
252
253     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
254                              buf, sizeof(buf), ctx);
255     if (!TEST_size_t_ne(len, 0)
256         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
257         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
258         goto err;
259     test_output_memory("Generator as octet string, uncompressed form:",
260                        buf, len);
261
262     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID,
263                              buf, sizeof(buf), ctx);
264     if (!TEST_size_t_ne(len, 0)
265         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
266         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
267         goto err;
268     test_output_memory("Generator as octet string, hybrid form:",
269                        buf, len);
270
271     if (!TEST_true(EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z,
272                                                             ctx)))
273         goto err;
274     TEST_info("A representation of the inverse of that generator in");
275     TEST_note("Jacobian projective coordinates");
276     test_output_bignum("x", x);
277     test_output_bignum("y", y);
278     test_output_bignum("z", z);
279
280     if (!TEST_true(EC_POINT_invert(group, P, ctx))
281         || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
282
283     /*
284      * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2,
285      * 2000) -- not a NIST curve, but commonly used
286      */
287
288         || !TEST_true(BN_hex2bn(&p,                         "FFFFFFFF"
289                                     "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF"))
290         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
291         || !TEST_true(BN_hex2bn(&a,                         "FFFFFFFF"
292                                     "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC"))
293         || !TEST_true(BN_hex2bn(&b,                         "1C97BEFC"
294                                     "54BD7A8B65ACF89F81D4D4ADC565FA45"))
295         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
296         || !TEST_true(BN_hex2bn(&x,                         "4A96B568"
297                                     "8EF573284664698968C38BB913CBFC82"))
298         || !TEST_true(BN_hex2bn(&y,                         "23a62855"
299                                     "3168947d59dcc912042351377ac5fb32"))
300         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
301     /*
302      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
303      * and therefore setting the coordinates should fail.
304      */
305         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
306                                                        ctx))
307         || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
308         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
309         || !TEST_true(BN_hex2bn(&z,                       "0100000000"
310                                     "000000000001F4C8F927AED3CA752257"))
311         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
312         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
313         goto err;
314     TEST_info("SEC2 curve secp160r1 -- Generator");
315     test_output_bignum("x", x);
316     test_output_bignum("y", y);
317     /* G_y value taken from the standard: */
318     if (!TEST_true(BN_hex2bn(&z,                         "23a62855"
319                                  "3168947d59dcc912042351377ac5fb32"))
320         || !TEST_BN_eq(y, z)
321         || !TEST_int_eq(EC_GROUP_get_degree(group), 160)
322         || !group_order_tests(group)
323         || !TEST_ptr(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))
324         || !TEST_true(EC_GROUP_copy(P_160, group))
325
326     /* Curve P-192 (FIPS PUB 186-2, App. 6) */
327
328         || !TEST_true(BN_hex2bn(&p,                 "FFFFFFFFFFFFFFFF"
329                                     "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"))
330         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
331         || !TEST_true(BN_hex2bn(&a,                 "FFFFFFFFFFFFFFFF"
332                                     "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC"))
333         || !TEST_true(BN_hex2bn(&b,                 "64210519E59C80E7"
334                                     "0FA7E9AB72243049FEB8DEECC146B9B1"))
335         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
336         || !TEST_true(BN_hex2bn(&x,                 "188DA80EB03090F6"
337                                     "7CBF20EB43A18800F4FF0AFD82FF1012"))
338         || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
339         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
340         || !TEST_true(BN_hex2bn(&z,                 "FFFFFFFFFFFFFFFF"
341                                     "FFFFFFFF99DEF836146BC9B1B4D22831"))
342         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
343         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
344         goto err;
345
346     TEST_info("NIST curve P-192 -- Generator");
347     test_output_bignum("x", x);
348     test_output_bignum("y", y);
349     /* G_y value taken from the standard: */
350     if (!TEST_true(BN_hex2bn(&z,                 "07192B95FFC8DA78"
351                                  "631011ED6B24CDD573F977A11E794811"))
352         || !TEST_BN_eq(y, z)
353         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
354     /*
355      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
356      * and therefore setting the coordinates should fail.
357      */
358         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
359                                                        ctx))
360         || !TEST_int_eq(EC_GROUP_get_degree(group), 192)
361         || !group_order_tests(group)
362         || !TEST_ptr(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))
363         || !TEST_true(EC_GROUP_copy(P_192, group))
364
365     /* Curve P-224 (FIPS PUB 186-2, App. 6) */
366
367         || !TEST_true(BN_hex2bn(&p,         "FFFFFFFFFFFFFFFFFFFFFFFF"
368                                     "FFFFFFFF000000000000000000000001"))
369         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
370         || !TEST_true(BN_hex2bn(&a,         "FFFFFFFFFFFFFFFFFFFFFFFF"
371                                     "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
372         || !TEST_true(BN_hex2bn(&b,         "B4050A850C04B3ABF5413256"
373                                     "5044B0B7D7BFD8BA270B39432355FFB4"))
374         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
375         || !TEST_true(BN_hex2bn(&x,         "B70E0CBD6BB4BF7F321390B9"
376                                     "4A03C1D356C21122343280D6115C1D21"))
377         || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
378         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
379         || !TEST_true(BN_hex2bn(&z,         "FFFFFFFFFFFFFFFFFFFFFFFF"
380                                     "FFFF16A2E0B8F03E13DD29455C5C2A3D"))
381         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
382         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
383         goto err;
384
385     TEST_info("NIST curve P-224 -- Generator");
386     test_output_bignum("x", x);
387     test_output_bignum("y", y);
388     /* G_y value taken from the standard: */
389     if (!TEST_true(BN_hex2bn(&z,         "BD376388B5F723FB4C22DFE6"
390                                  "CD4375A05A07476444D5819985007E34"))
391         || !TEST_BN_eq(y, z)
392         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
393     /*
394      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
395      * and therefore setting the coordinates should fail.
396      */
397         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
398                                                        ctx))
399         || !TEST_int_eq(EC_GROUP_get_degree(group), 224)
400         || !group_order_tests(group)
401         || !TEST_ptr(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))
402         || !TEST_true(EC_GROUP_copy(P_224, group))
403
404     /* Curve P-256 (FIPS PUB 186-2, App. 6) */
405
406         || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000"
407                                     "00000000FFFFFFFFFFFFFFFFFFFFFFFF"))
408         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
409         || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000"
410                                     "00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
411         || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
412                                     "651D06B0CC53B0F63BCE3C3E27D2604B"))
413         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
414
415         || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2"
416                                     "77037D812DEB33A0F4A13945D898C296"))
417         || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
418         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
419         || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
420                                     "BCE6FAADA7179E84F3B9CAC2FC632551"))
421         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
422         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
423         goto err;
424
425     TEST_info("NIST curve P-256 -- Generator");
426     test_output_bignum("x", x);
427     test_output_bignum("y", y);
428     /* G_y value taken from the standard: */
429     if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16"
430                                  "2BCE33576B315ECECBB6406837BF51F5"))
431         || !TEST_BN_eq(y, z)
432         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
433     /*
434      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
435      * and therefore setting the coordinates should fail.
436      */
437         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
438                                                        ctx))
439         || !TEST_int_eq(EC_GROUP_get_degree(group), 256)
440         || !group_order_tests(group)
441         || !TEST_ptr(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))
442         || !TEST_true(EC_GROUP_copy(P_256, group))
443
444     /* Curve P-384 (FIPS PUB 186-2, App. 6) */
445
446         || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
447                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
448                                     "FFFFFFFF0000000000000000FFFFFFFF"))
449         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
450         || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
451                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
452                                     "FFFFFFFF0000000000000000FFFFFFFC"))
453         || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19"
454                                     "181D9C6EFE8141120314088F5013875A"
455                                     "C656398D8A2ED19D2A85C8EDD3EC2AEF"))
456         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
457
458         || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74"
459                                     "6E1D3B628BA79B9859F741E082542A38"
460                                     "5502F25DBF55296C3A545E3872760AB7"))
461         || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
462         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
463         || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
464                                     "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
465                                     "581A0DB248B0A77AECEC196ACCC52973"))
466         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
467         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
468         goto err;
469
470     TEST_info("NIST curve P-384 -- Generator");
471     test_output_bignum("x", x);
472     test_output_bignum("y", y);
473     /* G_y value taken from the standard: */
474     if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29"
475                                  "F8F41DBD289A147CE9DA3113B5F0B8C0"
476                                  "0A60B1CE1D7E819D7A431D7C90EA0E5F"))
477         || !TEST_BN_eq(y, z)
478         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
479     /*
480      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
481      * and therefore setting the coordinates should fail.
482      */
483         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
484                                                        ctx))
485         || !TEST_int_eq(EC_GROUP_get_degree(group), 384)
486         || !group_order_tests(group)
487         || !TEST_ptr(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))
488         || !TEST_true(EC_GROUP_copy(P_384, group))
489
490     /* Curve P-521 (FIPS PUB 186-2, App. 6) */
491         || !TEST_true(BN_hex2bn(&p,                              "1FF"
492                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
493                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
494                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
495                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
496         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
497         || !TEST_true(BN_hex2bn(&a,                              "1FF"
498                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
499                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
500                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
501                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
502         || !TEST_true(BN_hex2bn(&b,                              "051"
503                                     "953EB9618E1C9A1F929A21A0B68540EE"
504                                     "A2DA725B99B315F3B8B489918EF109E1"
505                                     "56193951EC7E937B1652C0BD3BB1BF07"
506                                     "3573DF883D2C34F1EF451FD46B503F00"))
507         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
508         || !TEST_true(BN_hex2bn(&x,                               "C6"
509                                     "858E06B70404E9CD9E3ECB662395B442"
510                                     "9C648139053FB521F828AF606B4D3DBA"
511                                     "A14B5E77EFE75928FE1DC127A2FFA8DE"
512                                     "3348B3C1856A429BF97E7E31C2E5BD66"))
513         || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
514         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
515         || !TEST_true(BN_hex2bn(&z,                              "1FF"
516                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
517                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA"
518                                     "51868783BF2F966B7FCC0148F709A5D0"
519                                     "3BB5C9B8899C47AEBB6FB71E91386409"))
520         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
521         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
522         goto err;
523
524     TEST_info("NIST curve P-521 -- Generator");
525     test_output_bignum("x", x);
526     test_output_bignum("y", y);
527     /* G_y value taken from the standard: */
528     if (!TEST_true(BN_hex2bn(&z,                              "118"
529                                  "39296A789A3BC0045C8A5FB42C7D1BD9"
530                                  "98F54449579B446817AFBD17273E662C"
531                                  "97EE72995EF42640C550B9013FAD0761"
532                                  "353C7086A272C24088BE94769FD16650"))
533         || !TEST_BN_eq(y, z)
534         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
535     /*
536      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
537      * and therefore setting the coordinates should fail.
538      */
539         || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
540                                                        ctx))
541         || !TEST_int_eq(EC_GROUP_get_degree(group), 521)
542         || !group_order_tests(group)
543         || !TEST_ptr(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))
544         || !TEST_true(EC_GROUP_copy(P_521, group))
545
546     /* more tests using the last curve */
547
548     /* Restore the point that got mangled in the (x, y + 1) test. */
549         || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
550         || !TEST_true(EC_POINT_copy(Q, P))
551         || !TEST_false(EC_POINT_is_at_infinity(group, Q))
552         || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
553         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
554         || !TEST_true(EC_POINT_invert(group, Q, ctx))       /* P = -2Q */
555         || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
556         || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
557         || !TEST_true(EC_POINT_is_at_infinity(group, R))    /* R = P + 2Q */
558         || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
559         goto err;
560     points[0] = Q;
561     points[1] = Q;
562     points[2] = Q;
563     points[3] = Q;
564
565     if (!TEST_true(EC_GROUP_get_order(group, z, ctx))
566         || !TEST_true(BN_add(y, z, BN_value_one()))
567         || !TEST_BN_even(y)
568         || !TEST_true(BN_rshift1(y, y)))
569         goto err;
570     scalars[0] = y;         /* (group order + 1)/2, so y*Q + y*Q = Q */
571     scalars[1] = y;
572
573     TEST_note("combined multiplication ...");
574
575     /* z is still the group order */
576     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
577         || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
578         || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
579         || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx))
580         || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
581         || !TEST_true(BN_add(z, z, y)))
582         goto err;
583     BN_set_negative(z, 1);
584     scalars[0] = y;
585     scalars[1] = z;         /* z = -(order + y) */
586
587     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
588         || !TEST_true(EC_POINT_is_at_infinity(group, P))
589         || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
590         || !TEST_true(BN_add(z, x, y)))
591         goto err;
592     BN_set_negative(z, 1);
593     scalars[0] = x;
594     scalars[1] = y;
595     scalars[2] = z;         /* z = -(x+y) */
596
597     if (!TEST_ptr(scalar3 = BN_new()))
598         goto err;
599     BN_zero(scalar3);
600     scalars[3] = scalar3;
601
602     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
603         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
604         goto err;
605
606     TEST_note(" ok\n");
607
608
609     r = 1;
610 err:
611     BN_CTX_free(ctx);
612     BN_free(p);
613     BN_free(a);
614     BN_free(b);
615     EC_GROUP_free(group);
616     EC_GROUP_free(tmp);
617     EC_POINT_free(P);
618     EC_POINT_free(Q);
619     EC_POINT_free(R);
620     BN_free(x);
621     BN_free(y);
622     BN_free(z);
623     BN_free(yplusone);
624     BN_free(scalar3);
625
626     EC_GROUP_free(P_160);
627     EC_GROUP_free(P_192);
628     EC_GROUP_free(P_224);
629     EC_GROUP_free(P_256);
630     EC_GROUP_free(P_384);
631     EC_GROUP_free(P_521);
632     return r;
633 }
634
635 # ifndef OPENSSL_NO_EC2M
636
637 static struct c2_curve_test {
638     const char *name;
639     const char *p;
640     const char *a;
641     const char *b;
642     const char *x;
643     const char *y;
644     int ybit;
645     const char *order;
646     const char *cof;
647     int degree;
648 } char2_curve_tests[] = {
649     /* Curve K-163 (FIPS PUB 186-2, App. 6) */
650     {
651         "NIST curve K-163",
652         "0800000000000000000000000000000000000000C9",
653         "1",
654         "1",
655         "02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8",
656         "0289070FB05D38FF58321F2E800536D538CCDAA3D9",
657         1, "04000000000000000000020108A2E0CC0D99F8A5EF", "2", 163
658     },
659     /* Curve B-163 (FIPS PUB 186-2, App. 6) */
660     {
661         "NIST curve B-163",
662         "0800000000000000000000000000000000000000C9",
663         "1",
664         "020A601907B8C953CA1481EB10512F78744A3205FD",
665         "03F0EBA16286A2D57EA0991168D4994637E8343E36",
666         "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1",
667         1, "040000000000000000000292FE77E70C12A4234C33", "2", 163
668     },
669     /* Curve K-233 (FIPS PUB 186-2, App. 6) */
670     {
671         "NIST curve K-233",
672         "020000000000000000000000000000000000000004000000000000000001",
673         "0",
674         "1",
675         "017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126",
676         "01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3",
677         0,
678         "008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF",
679         "4", 233
680     },
681     /* Curve B-233 (FIPS PUB 186-2, App. 6) */
682     {
683         "NIST curve B-233",
684         "020000000000000000000000000000000000000004000000000000000001",
685         "000000000000000000000000000000000000000000000000000000000001",
686         "0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD",
687         "00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B",
688         "01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052",
689         1,
690         "01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7",
691         "2", 233
692     },
693     /* Curve K-283 (FIPS PUB 186-2, App. 6) */
694     {
695         "NIST curve K-283",
696                                                                 "08000000"
697         "00000000000000000000000000000000000000000000000000000000000010A1",
698         "0",
699         "1",
700                                                                 "0503213F"
701         "78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836",
702                                                                 "01CCDA38"
703         "0F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259",
704         0,
705                                                                 "01FFFFFF"
706         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61",
707         "4", 283
708     },
709     /* Curve B-283 (FIPS PUB 186-2, App. 6) */
710     {
711         "NIST curve B-283",
712                                                                 "08000000"
713         "00000000000000000000000000000000000000000000000000000000000010A1",
714                                                                 "00000000"
715         "0000000000000000000000000000000000000000000000000000000000000001",
716                                                                 "027B680A"
717         "C8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5",
718                                                                 "05F93925"
719         "8DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053",
720                                                                 "03676854"
721         "FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4",
722         1,
723                                                                 "03FFFFFF"
724         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307",
725         "2", 283
726     },
727     /* Curve K-409 (FIPS PUB 186-2, App. 6) */
728     {
729         "NIST curve K-409",
730                                 "0200000000000000000000000000000000000000"
731         "0000000000000000000000000000000000000000008000000000000000000001",
732         "0",
733         "1",
734                                 "0060F05F658F49C1AD3AB1890F7184210EFD0987"
735         "E307C84C27ACCFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746",
736                                 "01E369050B7C4E42ACBA1DACBF04299C3460782F"
737         "918EA427E6325165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B",
738         1,
739                                 "007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
740         "FFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF",
741         "4", 409
742     },
743     /* Curve B-409 (FIPS PUB 186-2, App. 6) */
744     {
745         "NIST curve B-409",
746                                 "0200000000000000000000000000000000000000"
747         "0000000000000000000000000000000000000000008000000000000000000001",
748                                 "0000000000000000000000000000000000000000"
749         "0000000000000000000000000000000000000000000000000000000000000001",
750                                 "0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422E"
751         "F1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F",
752                                 "015D4860D088DDB3496B0C6064756260441CDE4A"
753         "F1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7",
754                                 "0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5"
755         "A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706",
756         1,
757                                 "0100000000000000000000000000000000000000"
758         "00000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173",
759         "2", 409
760     },
761     /* Curve K-571 (FIPS PUB 186-2, App. 6) */
762     {
763         "NIST curve K-571",
764                                                          "800000000000000"
765         "0000000000000000000000000000000000000000000000000000000000000000"
766         "0000000000000000000000000000000000000000000000000000000000000425",
767         "0",
768         "1",
769                                                         "026EB7A859923FBC"
770         "82189631F8103FE4AC9CA2970012D5D46024804801841CA44370958493B205E6"
771         "47DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972",
772                                                         "0349DC807F4FBF37"
773         "4F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0AC44AEA7"
774         "4FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3",
775         0,
776                                                         "0200000000000000"
777         "00000000000000000000000000000000000000000000000000000000131850E1"
778         "F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001",
779         "4", 571
780     },
781     /* Curve B-571 (FIPS PUB 186-2, App. 6) */
782     {
783         "NIST curve B-571",
784                                                          "800000000000000"
785         "0000000000000000000000000000000000000000000000000000000000000000"
786         "0000000000000000000000000000000000000000000000000000000000000425",
787                                                         "0000000000000000"
788         "0000000000000000000000000000000000000000000000000000000000000000"
789         "0000000000000000000000000000000000000000000000000000000000000001",
790                                                         "02F40E7E2221F295"
791         "DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA5933"
792         "2BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A",
793                                                         "0303001D34B85629"
794         "6C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293"
795         "CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19",
796                                                         "037BF27342DA639B"
797         "6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A57"
798         "6291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B",
799         1,
800                                                         "03FFFFFFFFFFFFFF"
801         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18"
802         "FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47",
803         "2", 571
804     }
805 };
806
807 static int char2_curve_test(int n)
808 {
809     int r = 0;
810     BN_CTX *ctx = NULL;
811     BIGNUM *p = NULL, *a = NULL, *b = NULL;
812     BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
813     EC_GROUP *group = NULL, *variable = NULL;
814     EC_POINT *P = NULL, *Q = NULL, *R = NULL;
815     const EC_POINT *points[3];
816     const BIGNUM *scalars[3];
817     struct c2_curve_test *const test = char2_curve_tests + n;
818
819     if (!TEST_ptr(ctx = BN_CTX_new())
820         || !TEST_ptr(p = BN_new())
821         || !TEST_ptr(a = BN_new())
822         || !TEST_ptr(b = BN_new())
823         || !TEST_ptr(x = BN_new())
824         || !TEST_ptr(y = BN_new())
825         || !TEST_ptr(z = BN_new())
826         || !TEST_ptr(yplusone = BN_new())
827         || !TEST_true(BN_hex2bn(&p, test->p))
828         || !TEST_true(BN_hex2bn(&a, test->a))
829         || !TEST_true(BN_hex2bn(&b, test->b))
830         || !TEST_true(group = EC_GROUP_new(EC_GF2m_simple_method()))
831         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
832         || !TEST_ptr(P = EC_POINT_new(group))
833         || !TEST_ptr(Q = EC_POINT_new(group))
834         || !TEST_ptr(R = EC_POINT_new(group))
835         || !TEST_true(BN_hex2bn(&x, test->x))
836         || !TEST_true(BN_hex2bn(&y, test->y))
837         || !TEST_true(BN_add(yplusone, y, BN_value_one())))
838         goto err;
839
840 /* Change test based on whether binary point compression is enabled or not. */
841 # ifdef OPENSSL_EC_BIN_PT_COMP
842     /*
843      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
844      * and therefore setting the coordinates should fail.
845      */
846     if (!TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, ctx))
847         || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x,
848                                                           test->y_bit,
849                                                           ctx))
850         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
851         || !TEST_true(BN_hex2bn(&z, test->order))
852         || !TEST_true(BN_hex2bn(&cof, test->cof))
853         || !TEST_true(EC_GROUP_set_generator(group, P, z, cof))
854         || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
855         goto err;
856     TEST_info("%s -- Generator", test->name);
857     test_output_bignum("x", x);
858     test_output_bignum("y", y);
859     /* G_y value taken from the standard: */
860     if (!TEST_true(BN_hex2bn(&z, test->y))
861         || !TEST_BN_eq(y, z))
862         goto err;
863 # else
864     /*
865      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
866      * and therefore setting the coordinates should fail.
867      */
868     if (!TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, ctx))
869         || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
870         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
871         || !TEST_true(BN_hex2bn(&z, test->order))
872         || !TEST_true(BN_hex2bn(&cof, test->cof))
873         || !TEST_true(EC_GROUP_set_generator(group, P, z, cof)))
874         goto err;
875     TEST_info("%s -- Generator:", test->name);
876     test_output_bignum("x", x);
877     test_output_bignum("y", y);
878 # endif
879
880     if (!TEST_int_eq(EC_GROUP_get_degree(group), test->degree)
881         || !group_order_tests(group)
882         || !TEST_ptr(variable = EC_GROUP_new(EC_GROUP_method_of(group)))
883         || !TEST_true(EC_GROUP_copy(variable, group)))
884         goto err;
885
886     /* more tests using the last curve */
887     if (n == OSSL_NELEM(char2_curve_tests) - 1) {
888         if (!TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
889             || !TEST_true(EC_POINT_copy(Q, P))
890             || !TEST_false(EC_POINT_is_at_infinity(group, Q))
891             || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
892             || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
893             || !TEST_true(EC_POINT_invert(group, Q, ctx))       /* P = -2Q */
894             || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
895             || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
896             || !TEST_true(EC_POINT_is_at_infinity(group, R))   /* R = P + 2Q */
897             || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
898             goto err;
899
900         points[0] = Q;
901         points[1] = Q;
902         points[2] = Q;
903
904         if (!TEST_true(BN_add(y, z, BN_value_one()))
905             || !TEST_BN_even(y)
906             || !TEST_true(BN_rshift1(y, y)))
907             goto err;
908         scalars[0] = y;         /* (group order + 1)/2, so y*Q + y*Q = Q */
909         scalars[1] = y;
910
911         TEST_note("combined multiplication ...");
912
913         /* z is still the group order */
914         if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
915             || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
916             || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
917             || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx)))
918             goto err;
919
920         if (!TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
921             || !TEST_true(BN_add(z, z, y)))
922             goto err;
923         BN_set_negative(z, 1);
924         scalars[0] = y;
925         scalars[1] = z;         /* z = -(order + y) */
926
927         if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
928             || !TEST_true(EC_POINT_is_at_infinity(group, P)))
929             goto err;
930
931         if (!TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
932             || !TEST_true(BN_add(z, x, y)))
933             goto err;
934         BN_set_negative(z, 1);
935         scalars[0] = x;
936         scalars[1] = y;
937         scalars[2] = z;         /* z = -(x+y) */
938
939         if (!TEST_true(EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx))
940             || !TEST_true(EC_POINT_is_at_infinity(group, P)))
941             goto err;;
942     }
943
944     r = 1;
945 err:
946     BN_CTX_free(ctx);
947     BN_free(p);
948     BN_free(a);
949     BN_free(b);
950     BN_free(x);
951     BN_free(y);
952     BN_free(z);
953     BN_free(yplusone);
954     BN_free(cof);
955     EC_POINT_free(P);
956     EC_POINT_free(Q);
957     EC_POINT_free(R);
958     EC_GROUP_free(group);
959     EC_GROUP_free(variable);
960     return r;
961 }
962
963 static int char2_field_tests(void)
964 {
965     BN_CTX *ctx = NULL;
966     BIGNUM *p = NULL, *a = NULL, *b = NULL;
967     EC_GROUP *group = NULL, *tmp = NULL;
968     EC_POINT *P = NULL, *Q = NULL, *R = NULL;
969     BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
970     unsigned char buf[100];
971     size_t len;
972     int k, r = 0;
973
974     if (!TEST_ptr(ctx = BN_CTX_new())
975         || !TEST_ptr(p = BN_new())
976         || !TEST_ptr(a = BN_new())
977         || !TEST_ptr(b = BN_new())
978         || !TEST_true(BN_hex2bn(&p, "13"))
979         || !TEST_true(BN_hex2bn(&a, "3"))
980         || !TEST_true(BN_hex2bn(&b, "1")))
981         goto err;
982
983     group = EC_GROUP_new(EC_GF2m_simple_method()); /* applications should use
984                                                     * EC_GROUP_new_curve_GF2m
985                                                     * so that the library gets
986                                                     * to choose the EC_METHOD */
987     if (!TEST_ptr(group)
988         || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
989         || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
990         || !TEST_true(EC_GROUP_copy(tmp, group)))
991         goto err;
992     EC_GROUP_free(group);
993     group = tmp;
994     tmp = NULL;
995
996     if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
997         goto err;
998
999     TEST_info("Curve defined by Weierstrass equation");
1000     TEST_note("     y^2 + x*y = x^3 + a*x^2 + b (mod p)");
1001     test_output_bignum("a", a);
1002     test_output_bignum("b", b);
1003     test_output_bignum("p", p);
1004
1005      if (!TEST_ptr(P = EC_POINT_new(group))
1006         || !TEST_ptr(Q = EC_POINT_new(group))
1007         || !TEST_ptr(R = EC_POINT_new(group))
1008         || !TEST_true(EC_POINT_set_to_infinity(group, P))
1009         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
1010         goto err;
1011
1012     buf[0] = 0;
1013     if (!TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
1014         || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
1015         || !TEST_true(EC_POINT_is_at_infinity(group, P))
1016         || !TEST_ptr(x = BN_new())
1017         || !TEST_ptr(y = BN_new())
1018         || !TEST_ptr(z = BN_new())
1019         || !TEST_ptr(cof = BN_new())
1020         || !TEST_ptr(yplusone = BN_new())
1021         || !TEST_true(BN_hex2bn(&x, "6"))
1022 /* Change test based on whether binary point compression is enabled or not. */
1023 #  ifdef OPENSSL_EC_BIN_PT_COMP
1024         || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx))
1025 #  else
1026         || !TEST_true(BN_hex2bn(&y, "8"))
1027         || !TEST_true(EC_POINT_set_affine_coordinates(group, Q, x, y, ctx))
1028 #  endif
1029        )
1030         goto err;
1031     if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
1032 /* Change test based on whether binary point compression is enabled or not. */
1033 #  ifdef OPENSSL_EC_BIN_PT_COMP
1034         if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)))
1035             goto err;
1036 #  endif
1037         TEST_info("Point is not on curve");
1038         test_output_bignum("x", x);
1039         test_output_bignum("y", y);
1040         goto err;
1041     }
1042
1043     TEST_note("A cyclic subgroup:");
1044     k = 100;
1045     do {
1046         if (!TEST_int_ne(k--, 0))
1047             goto err;
1048
1049         if (EC_POINT_is_at_infinity(group, P))
1050             TEST_note("     point at infinity");
1051         else {
1052             if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
1053                                                            ctx)))
1054                 goto err;
1055
1056             test_output_bignum("x", x);
1057             test_output_bignum("y", y);
1058         }
1059
1060         if (!TEST_true(EC_POINT_copy(R, P))
1061             || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
1062             goto err;
1063     }
1064     while (!EC_POINT_is_at_infinity(group, P));
1065
1066     if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
1067         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
1068         goto err;
1069
1070 /* Change test based on whether binary point compression is enabled or not. */
1071 #  ifdef OPENSSL_EC_BIN_PT_COMP
1072     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED,
1073                              buf, sizeof(buf), ctx);
1074     if (!TEST_size_t_ne(len, 0)
1075         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1076         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1077         goto err;
1078     test_output_memory("Generator as octet string, compressed form:",
1079                        buf, len);
1080 #  endif
1081
1082     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
1083                              buf, sizeof(buf), ctx);
1084     if (!TEST_size_t_ne(len, 0)
1085         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1086         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1087         goto err;
1088     test_output_memory("Generator as octet string, uncompressed form:",
1089                        buf, len);
1090
1091 /* Change test based on whether binary point compression is enabled or not. */
1092 #  ifdef OPENSSL_EC_BIN_PT_COMP
1093     len =
1094         EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof(buf),
1095                            ctx);
1096     if (!TEST_size_t_ne(len, 0)
1097         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1098         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1099         goto err;
1100     test_output_memory("Generator as octet string, hybrid form:",
1101                        buf, len);
1102 #  endif
1103
1104     if (!TEST_true(EC_POINT_invert(group, P, ctx))
1105         || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)))
1106         goto err;
1107
1108     TEST_note("\n");
1109
1110     r = 1;
1111 err:
1112     BN_CTX_free(ctx);
1113     BN_free(p);
1114     BN_free(a);
1115     BN_free(b);
1116     EC_GROUP_free(group);
1117     EC_GROUP_free(tmp);
1118     EC_POINT_free(P);
1119     EC_POINT_free(Q);
1120     EC_POINT_free(R);
1121     BN_free(x);
1122     BN_free(y);
1123     BN_free(z);
1124     BN_free(cof);
1125     BN_free(yplusone);
1126     return r;
1127 }
1128 # endif
1129
1130 static int internal_curve_test(int n)
1131 {
1132     EC_GROUP *group = NULL;
1133     int nid = curves[n].nid;
1134
1135     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
1136         TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n",
1137                   OBJ_nid2sn(nid));
1138         return 0;
1139     }
1140     if (!TEST_true(EC_GROUP_check(group, NULL))) {
1141         TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid));
1142         EC_GROUP_free(group);
1143         return 0;
1144     }
1145     EC_GROUP_free(group);
1146     return 1;
1147 }
1148
1149 static int internal_curve_test_method(int n)
1150 {
1151     int r, nid = curves[n].nid;
1152     EC_GROUP *group;
1153
1154     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
1155         TEST_info("Curve %s failed\n", OBJ_nid2sn(nid));
1156         return 0;
1157     }
1158     r = group_order_tests(group);
1159     EC_GROUP_free(group);
1160     return r;
1161 }
1162
1163 static int group_field_test(void)
1164 {
1165     int r = 1;
1166     BIGNUM *secp521r1_field = NULL;
1167     BIGNUM *sect163r2_field = NULL;
1168     EC_GROUP *secp521r1_group = NULL;
1169     EC_GROUP *sect163r2_group = NULL;
1170
1171     BN_hex2bn(&secp521r1_field,
1172                 "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
1173                 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
1174                 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
1175                 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
1176                 "FFFF");
1177
1178
1179     BN_hex2bn(&sect163r2_field,
1180                 "08000000000000000000000000000000"
1181                 "00000000C9");
1182
1183     secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1);
1184     if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group)))
1185       r = 0;
1186
1187     # ifndef OPENSSL_NO_EC2M
1188     sect163r2_group = EC_GROUP_new_by_curve_name(NID_sect163r2);
1189     if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group)))
1190       r = 0;
1191     # endif
1192
1193     EC_GROUP_free(secp521r1_group);
1194     EC_GROUP_free(sect163r2_group);
1195     BN_free(secp521r1_field);
1196     BN_free(sect163r2_field);
1197     return r;
1198 }
1199
1200 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
1201 /*
1202  * nistp_test_params contains magic numbers for testing our optimized
1203  * implementations of several NIST curves with characteristic > 3.
1204  */
1205 struct nistp_test_params {
1206     const EC_METHOD *(*meth) (void);
1207     int degree;
1208     /*
1209      * Qx, Qy and D are taken from
1210      * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
1211      * Otherwise, values are standard curve parameters from FIPS 180-3
1212      */
1213     const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
1214 };
1215
1216 static const struct nistp_test_params nistp_tests_params[] = {
1217     {
1218      /* P-224 */
1219      EC_GFp_nistp224_method,
1220      224,
1221      /* p */
1222      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
1223      /* a */
1224      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
1225      /* b */
1226      "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
1227      /* Qx */
1228      "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E",
1229      /* Qy */
1230      "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555",
1231      /* Gx */
1232      "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
1233      /* Gy */
1234      "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
1235      /* order */
1236      "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
1237      /* d */
1238      "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8",
1239      },
1240     {
1241      /* P-256 */
1242      EC_GFp_nistp256_method,
1243      256,
1244      /* p */
1245      "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
1246      /* a */
1247      "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
1248      /* b */
1249      "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
1250      /* Qx */
1251      "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19",
1252      /* Qy */
1253      "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09",
1254      /* Gx */
1255      "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
1256      /* Gy */
1257      "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
1258      /* order */
1259      "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
1260      /* d */
1261      "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96",
1262      },
1263     {
1264      /* P-521 */
1265      EC_GFp_nistp521_method,
1266      521,
1267      /* p */
1268                                                                   "1ff"
1269      "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
1270      "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
1271      /* a */
1272                                                                   "1ff"
1273      "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
1274      "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
1275      /* b */
1276                                                                   "051"
1277      "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1"
1278      "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
1279      /* Qx */
1280                                                                  "0098"
1281      "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e"
1282      "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
1283      /* Qy */
1284                                                                  "0164"
1285      "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8"
1286      "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
1287      /* Gx */
1288                                                                    "c6"
1289      "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba"
1290      "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
1291      /* Gy */
1292                                                                   "118"
1293      "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c"
1294      "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
1295      /* order */
1296                                                                   "1ff"
1297      "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa"
1298      "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
1299      /* d */
1300                                                                  "0100"
1301      "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee"
1302      "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
1303      },
1304 };
1305
1306 static int nistp_single_test(int idx)
1307 {
1308     const struct nistp_test_params *test = nistp_tests_params + idx;
1309     BN_CTX *ctx = NULL;
1310     BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL;
1311     BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL;
1312     EC_GROUP *NISTP = NULL;
1313     EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL;
1314     int r = 0;
1315
1316     TEST_note("NIST curve P-%d (optimised implementation):",
1317               test->degree);
1318     if (!TEST_ptr(ctx = BN_CTX_new())
1319         || !TEST_ptr(p = BN_new())
1320         || !TEST_ptr(a = BN_new())
1321         || !TEST_ptr(b = BN_new())
1322         || !TEST_ptr(x = BN_new())
1323         || !TEST_ptr(y = BN_new())
1324         || !TEST_ptr(m = BN_new())
1325         || !TEST_ptr(n = BN_new())
1326         || !TEST_ptr(order = BN_new())
1327         || !TEST_ptr(yplusone = BN_new())
1328
1329         || !TEST_ptr(NISTP = EC_GROUP_new(test->meth()))
1330         || !TEST_true(BN_hex2bn(&p, test->p))
1331         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
1332         || !TEST_true(BN_hex2bn(&a, test->a))
1333         || !TEST_true(BN_hex2bn(&b, test->b))
1334         || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx))
1335         || !TEST_ptr(G = EC_POINT_new(NISTP))
1336         || !TEST_ptr(P = EC_POINT_new(NISTP))
1337         || !TEST_ptr(Q = EC_POINT_new(NISTP))
1338         || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP))
1339         || !TEST_true(BN_hex2bn(&x, test->Qx))
1340         || !TEST_true(BN_hex2bn(&y, test->Qy))
1341         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
1342     /*
1343      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
1344      * and therefore setting the coordinates should fail.
1345      */
1346         || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x,
1347                                                        yplusone, ctx))
1348         || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y,
1349                                                       ctx))
1350         || !TEST_true(BN_hex2bn(&x, test->Gx))
1351         || !TEST_true(BN_hex2bn(&y, test->Gy))
1352         || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx))
1353         || !TEST_true(BN_hex2bn(&order, test->order))
1354         || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
1355         || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
1356         goto err;
1357
1358     TEST_note("NIST test vectors ... ");
1359     if (!TEST_true(BN_hex2bn(&n, test->d)))
1360         goto err;
1361     /* fixed point multiplication */
1362     EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
1363     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1364         goto err;
1365     /* random point multiplication */
1366     EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
1367     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
1368
1369         /* set generator to P = 2*G, where G is the standard generator */
1370         || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx))
1371         || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
1372         /* set the scalar to m=n/2, where n is the NIST test scalar */
1373         || !TEST_true(BN_rshift(m, n, 1)))
1374         goto err;
1375
1376     /* test the non-standard generator */
1377     /* fixed point multiplication */
1378     EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
1379     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1380         goto err;
1381     /* random point multiplication */
1382     EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
1383     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
1384
1385     /*
1386      * We have not performed precomputation so have_precompute mult should be
1387      * false
1388      */
1389         || !TEST_false(EC_GROUP_have_precompute_mult(NISTP))
1390
1391     /* now repeat all tests with precomputation */
1392         || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx))
1393         || !TEST_true(EC_GROUP_have_precompute_mult(NISTP)))
1394         goto err;
1395
1396     /* fixed point multiplication */
1397     EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
1398     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1399         goto err;
1400     /* random point multiplication */
1401     EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
1402     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
1403
1404     /* reset generator */
1405         || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())))
1406         goto err;
1407     /* fixed point multiplication */
1408     EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
1409     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1410         goto err;
1411     /* random point multiplication */
1412     EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
1413     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1414         goto err;
1415
1416     /* regression test for felem_neg bug */
1417     if (!TEST_true(BN_set_word(m, 32))
1418         || !TEST_true(BN_set_word(n, 31))
1419         || !TEST_true(EC_POINT_copy(P, G))
1420         || !TEST_true(EC_POINT_invert(NISTP, P, ctx))
1421         || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx))
1422         || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx)))
1423       goto err;
1424
1425     r = group_order_tests(NISTP);
1426 err:
1427     EC_GROUP_free(NISTP);
1428     EC_POINT_free(G);
1429     EC_POINT_free(P);
1430     EC_POINT_free(Q);
1431     EC_POINT_free(Q_CHECK);
1432     BN_free(n);
1433     BN_free(m);
1434     BN_free(p);
1435     BN_free(a);
1436     BN_free(b);
1437     BN_free(x);
1438     BN_free(y);
1439     BN_free(order);
1440     BN_free(yplusone);
1441     BN_CTX_free(ctx);
1442     return r;
1443 }
1444
1445 /*
1446  * Tests a point known to cause an incorrect underflow in an old version of
1447  * ecp_nist521.c
1448  */
1449 static int underflow_test(void)
1450 {
1451     BN_CTX *ctx = NULL;
1452     EC_GROUP *grp = NULL;
1453     EC_POINT *P = NULL, *Q = NULL, *R = NULL;
1454     BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL;
1455     BIGNUM *k = NULL;
1456     int testresult = 0;
1457     const char *x1str =
1458         "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4"
1459         "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004";
1460     const char *p521m1 =
1461         "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
1462         "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe";
1463
1464     ctx = BN_CTX_new();
1465     if (!TEST_ptr(ctx))
1466         return 0;
1467
1468     BN_CTX_start(ctx);
1469     x1 = BN_CTX_get(ctx);
1470     y1 = BN_CTX_get(ctx);
1471     z1 = BN_CTX_get(ctx);
1472     x2 = BN_CTX_get(ctx);
1473     y2 = BN_CTX_get(ctx);
1474     k = BN_CTX_get(ctx);
1475     if (!TEST_ptr(k))
1476         goto err;
1477
1478     grp = EC_GROUP_new_by_curve_name(NID_secp521r1);
1479     P = EC_POINT_new(grp);
1480     Q = EC_POINT_new(grp);
1481     R = EC_POINT_new(grp);
1482     if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R))
1483         goto err;
1484
1485     if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0)
1486             || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0)
1487             || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0)
1488             || !TEST_int_gt(BN_hex2bn(&k, "02"), 0)
1489             || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1,
1490                                                                    y1, z1, ctx))
1491             || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx))
1492             || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx))
1493             || !TEST_true(EC_POINT_dbl(grp, R, P, ctx))
1494             || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx)))
1495         goto err;
1496
1497     if (!TEST_int_eq(BN_cmp(x1, x2), 0)
1498             || !TEST_int_eq(BN_cmp(y1, y2), 0))
1499         goto err;
1500
1501     testresult = 1;
1502
1503  err:
1504     BN_CTX_end(ctx);
1505     EC_POINT_free(P);
1506     EC_POINT_free(Q);
1507     EC_POINT_free(R);
1508     EC_GROUP_free(grp);
1509     BN_CTX_free(ctx);
1510
1511     return testresult;
1512 }
1513 # endif
1514
1515 static const unsigned char p521_named[] = {
1516     0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23,
1517 };
1518
1519 static const unsigned char p521_explicit[] = {
1520     0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a,
1521     0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff,
1522     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1523     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1524     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1525     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1526     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1527     0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff,
1528     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1529     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1530     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1531     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1532     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1533     0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a,
1534     0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72,
1535     0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09,
1536     0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 0x52, 0xc0,
1537     0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34,
1538     0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00,
1539     0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17,
1540     0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04,
1541     0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e,
1542     0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
1543     0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b,
1544     0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
1545     0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e,
1546     0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78,
1547     0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9,
1548     0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17,
1549     0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40,
1550     0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86,
1551     0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
1552     0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1553     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1554     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa,
1555     0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48,
1556     0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae,
1557     0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
1558 };
1559
1560 /*
1561  * This test validates a named curve's group parameters using
1562  * EC_GROUP_check_named_curve(). It also checks that modifying any of the
1563  * group parameters results in the curve not being valid.
1564  */
1565 static int check_named_curve_test(int id)
1566 {
1567     int ret = 0, nid, field_nid, has_seed;
1568     EC_GROUP *group = NULL, *gtest = NULL;
1569     const EC_POINT *group_gen = NULL;
1570     EC_POINT *other_gen = NULL;
1571     BIGNUM *group_p = NULL, *group_a = NULL, *group_b = NULL;
1572     BIGNUM *other_p = NULL, *other_a = NULL, *other_b = NULL;
1573     BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
1574     BIGNUM *other_order = NULL;
1575     const BIGNUM *group_order = NULL;
1576     BN_CTX *bn_ctx = NULL;
1577     static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
1578     static size_t invalid_seed_len = sizeof(invalid_seed);
1579
1580     /* Do some setup */
1581     nid = curves[id].nid;
1582     if (!TEST_ptr(bn_ctx = BN_CTX_new())
1583         || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
1584         || !TEST_ptr(gtest = EC_GROUP_dup(group))
1585         || !TEST_ptr(group_p = BN_new())
1586         || !TEST_ptr(group_a = BN_new())
1587         || !TEST_ptr(group_b = BN_new())
1588         || !TEST_ptr(group_cofactor = BN_new())
1589         || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
1590         || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
1591         || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
1592         || !TEST_true(EC_GROUP_get_curve(group, group_p, group_a, group_b, NULL))
1593         || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
1594         || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
1595         || !TEST_ptr(other_order = BN_dup(group_order))
1596         || !TEST_true(BN_add_word(other_order, 1))
1597         || !TEST_ptr(other_a = BN_dup(group_a))
1598         || !TEST_true(BN_add_word(other_a, 1))
1599         || !TEST_ptr(other_b = BN_dup(group_b))
1600         || !TEST_true(BN_add_word(other_b, 1))
1601         || !TEST_ptr(other_cofactor = BN_dup(group_cofactor))
1602         || !TEST_true(BN_add_word(other_cofactor, 1)))
1603         goto err;
1604
1605     /* Determine if the built-in curve has a seed field set */
1606     has_seed = (EC_GROUP_get_seed_len(group) > 0);
1607     field_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
1608     if (field_nid == NID_X9_62_characteristic_two_field) {
1609         if (!TEST_ptr(other_p = BN_dup(group_p))
1610             || !TEST_true(BN_lshift1(other_p, other_p)))
1611             goto err;
1612     } else {
1613         if (!TEST_ptr(other_p = BN_dup(group_p)))
1614             goto err;
1615         /*
1616          * Just choosing any arbitrary prime does not work..
1617          * Setting p via ec_GFp_nist_group_set_curve() needs the prime to be a
1618          * nist prime. So only select one of these as an alternate prime.
1619          */
1620         if (!TEST_ptr(BN_copy(other_p,
1621                               BN_ucmp(BN_get0_nist_prime_192(), other_p) == 0 ?
1622                                       BN_get0_nist_prime_256() :
1623                                       BN_get0_nist_prime_192())))
1624             goto err;
1625     }
1626
1627     /* Passes because this is a valid curve */
1628     if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid)
1629         /* Only NIST curves pass */
1630         || !TEST_int_eq(EC_GROUP_check_named_curve(group, 1, NULL),
1631                         EC_curve_nid2nist(nid) != NULL ? nid : NID_undef))
1632         goto err;
1633
1634     /* Fail if the curve name doesn't match the parameters */
1635     EC_GROUP_set_curve_name(group, nid + 1);
1636     ERR_set_mark();
1637     if (!TEST_int_le(EC_GROUP_check_named_curve(group, 0, NULL), 0))
1638         goto err;
1639     ERR_pop_to_mark();
1640
1641     /* Restore curve name and ensure it's passing */
1642     EC_GROUP_set_curve_name(group, nid);
1643     if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
1644         goto err;
1645
1646     if (!TEST_int_eq(EC_GROUP_set_seed(group, invalid_seed, invalid_seed_len),
1647                      invalid_seed_len))
1648         goto err;
1649
1650     if (has_seed) {
1651         /*
1652          * If the built-in curve has a seed and we set the seed to another value
1653          * then it will fail the check.
1654          */
1655         if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), 0))
1656             goto err;
1657     } else {
1658         /*
1659          * If the built-in curve does not have a seed then setting the seed will
1660          * pass the check (as the seed is optional).
1661          */
1662         if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
1663             goto err;
1664     }
1665     /* Pass if the seed is unknown (as it is optional) */
1666     if (!TEST_int_eq(EC_GROUP_set_seed(group, NULL, 0), 1)
1667         || !TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
1668         goto err;
1669
1670     /* Check that a duped group passes */
1671     if (!TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
1672         goto err;
1673
1674     /* check that changing any generator parameter fails */
1675     if (!TEST_true(EC_GROUP_set_generator(gtest, other_gen, group_order,
1676                                           group_cofactor))
1677         || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
1678         || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, other_order,
1679                                              group_cofactor))
1680         || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
1681         /* The order is not an optional field, so this should fail */
1682         || TEST_true(EC_GROUP_set_generator(gtest, group_gen, NULL,
1683                                             group_cofactor))
1684         || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
1685                                              other_cofactor))
1686         || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
1687         /* Check that if the cofactor is not set then it still passes */
1688         || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
1689                                              NULL))
1690         || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid)
1691         /* check that restoring the generator passes */
1692         || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
1693                                              group_cofactor))
1694         || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
1695         goto err;
1696
1697     /*
1698      * check that changing any curve parameter fails
1699      *
1700      * Setting arbitrary p, a or b might fail for some EC_GROUPs
1701      * depending on the internal EC_METHOD implementation, hence run
1702      * these tests conditionally to the success of EC_GROUP_set_curve().
1703      */
1704     ERR_set_mark();
1705     if (EC_GROUP_set_curve(gtest, other_p, group_a, group_b, NULL)) {
1706         if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
1707             goto err;
1708     } else {
1709         /* clear the error stack if EC_GROUP_set_curve() failed */
1710         ERR_pop_to_mark();
1711         ERR_set_mark();
1712     }
1713     if (EC_GROUP_set_curve(gtest, group_p, other_a, group_b, NULL)) {
1714         if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
1715             goto err;
1716     } else {
1717         /* clear the error stack if EC_GROUP_set_curve() failed */
1718         ERR_pop_to_mark();
1719         ERR_set_mark();
1720     }
1721     if (EC_GROUP_set_curve(gtest, group_p, group_a, other_b, NULL)) {
1722         if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
1723             goto err;
1724     } else {
1725         /* clear the error stack if EC_GROUP_set_curve() failed */
1726         ERR_pop_to_mark();
1727         ERR_set_mark();
1728     }
1729     ERR_pop_to_mark();
1730
1731     /* Check that restoring the curve parameters passes */
1732     if (!TEST_true(EC_GROUP_set_curve(gtest, group_p, group_a, group_b, NULL))
1733         || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
1734         goto err;
1735
1736     ret = 1;
1737 err:
1738     BN_free(group_p);
1739     BN_free(other_p);
1740     BN_free(group_a);
1741     BN_free(other_a);
1742     BN_free(group_b);
1743     BN_free(other_b);
1744     BN_free(group_cofactor);
1745     BN_free(other_cofactor);
1746     BN_free(other_order);
1747     EC_POINT_free(other_gen);
1748     EC_GROUP_free(gtest);
1749     EC_GROUP_free(group);
1750     BN_CTX_free(bn_ctx);
1751     return ret;
1752 }
1753
1754 /*
1755  * This checks the lookup capability of EC_GROUP_check_named_curve()
1756  * when the given group was created with explicit parameters.
1757  *
1758  * It is possible to retrieve an alternative alias that does not match
1759  * the original nid in this case.
1760  */
1761 static int check_named_curve_lookup_test(int id)
1762 {
1763     int ret = 0, nid, rv = 0;
1764     EC_GROUP *g = NULL , *ga = NULL;
1765     ECPARAMETERS *p = NULL, *pa = NULL;
1766     BN_CTX *ctx = NULL;
1767
1768     /* Do some setup */
1769     nid = curves[id].nid;
1770     if (!TEST_ptr(ctx = BN_CTX_new())
1771         || !TEST_ptr(g = EC_GROUP_new_by_curve_name(nid))
1772         || !TEST_ptr(p = EC_GROUP_get_ecparameters(g, NULL)))
1773         goto err;
1774
1775     /* replace with group from explicit parameters */
1776     EC_GROUP_free(g);
1777     if (!TEST_ptr(g = EC_GROUP_new_from_ecparameters(p)))
1778         goto err;
1779
1780     if (!TEST_int_gt(rv = EC_GROUP_check_named_curve(g, 0, NULL), 0))
1781         goto err;
1782     if (rv != nid) {
1783         /*
1784          * Found an alias:
1785          * fail if the returned nid is not an alias of the original group.
1786          *
1787          * The comparison here is done by comparing two explicit
1788          * parameter EC_GROUPs with EC_GROUP_cmp(), to ensure the
1789          * comparison happens with unnamed EC_GROUPs using the same
1790          * EC_METHODs.
1791          */
1792         if (!TEST_ptr(ga = EC_GROUP_new_by_curve_name(rv))
1793                 || !TEST_ptr(pa = EC_GROUP_get_ecparameters(ga, NULL)))
1794             goto err;
1795
1796         /* replace with group from explicit parameters, then compare */
1797         EC_GROUP_free(ga);
1798         if (!TEST_ptr(ga = EC_GROUP_new_from_ecparameters(pa))
1799                 || !TEST_int_eq(EC_GROUP_cmp(g, ga, ctx), 0))
1800             goto err;
1801     }
1802
1803     ret = 1;
1804
1805  err:
1806     EC_GROUP_free(g);
1807     EC_GROUP_free(ga);
1808     ECPARAMETERS_free(p);
1809     ECPARAMETERS_free(pa);
1810     BN_CTX_free(ctx);
1811
1812     return ret;
1813 }
1814
1815 static int parameter_test(void)
1816 {
1817     EC_GROUP *group = NULL, *group2 = NULL;
1818     ECPARAMETERS *ecparameters = NULL;
1819     unsigned char *buf = NULL;
1820     int r = 0, len;
1821
1822     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1))
1823         || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
1824         || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
1825         || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
1826         goto err;
1827
1828     EC_GROUP_free(group);
1829     group = NULL;
1830
1831     /* Test the named curve encoding, which should be default. */
1832     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1))
1833         || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
1834         || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named)))
1835         goto err;
1836
1837     OPENSSL_free(buf);
1838     buf = NULL;
1839
1840     /*
1841      * Test the explicit encoding. P-521 requires correctly zero-padding the
1842      * curve coefficients.
1843      */
1844     EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
1845     if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
1846         || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit)))
1847         goto err;
1848
1849     r = 1;
1850 err:
1851     EC_GROUP_free(group);
1852     EC_GROUP_free(group2);
1853     ECPARAMETERS_free(ecparameters);
1854     OPENSSL_free(buf);
1855     return r;
1856 }
1857
1858 /*-
1859  * For named curves, test that:
1860  * - the lib correctly computes the cofactor if passed a NULL or zero cofactor
1861  * - a nonsensical cofactor throws an error (negative test)
1862  * - nonsensical orders throw errors (negative tests)
1863  */
1864 static int cardinality_test(int n)
1865 {
1866     int ret = 0;
1867     int nid = curves[n].nid;
1868     BN_CTX *ctx = NULL;
1869     EC_GROUP *g1 = NULL, *g2 = NULL;
1870     EC_POINT *g2_gen = NULL;
1871     BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
1872            *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;
1873
1874    TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
1875
1876     if (!TEST_ptr(ctx = BN_CTX_new())
1877         || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))
1878         || !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) {
1879         EC_GROUP_free(g1);
1880         EC_GROUP_free(g2);
1881         BN_CTX_free(ctx);
1882         return 0;
1883     }
1884
1885     BN_CTX_start(ctx);
1886     g1_p = BN_CTX_get(ctx);
1887     g1_a = BN_CTX_get(ctx);
1888     g1_b = BN_CTX_get(ctx);
1889     g1_x = BN_CTX_get(ctx);
1890     g1_y = BN_CTX_get(ctx);
1891     g1_order = BN_CTX_get(ctx);
1892     g1_cf = BN_CTX_get(ctx);
1893
1894     if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
1895         /* pull out the explicit curve parameters */
1896         || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
1897         || !TEST_true(EC_POINT_get_affine_coordinates(g1,
1898                       EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
1899         || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
1900         || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
1901         /* construct g2 manually with g1 parameters */
1902         || !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx))
1903         || !TEST_ptr(g2_gen = EC_POINT_new(g2))
1904         || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
1905         /* pass NULL cofactor: lib should compute it */
1906         || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
1907         || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
1908         || !TEST_BN_eq(g1_cf, g2_cf)
1909         /* pass zero cofactor: lib should compute it */
1910         || !TEST_true(BN_set_word(g2_cf, 0))
1911         || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
1912         || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
1913         || !TEST_BN_eq(g1_cf, g2_cf)
1914         /* negative test for invalid cofactor */
1915         || !TEST_true(BN_set_word(g2_cf, 0))
1916         || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
1917         || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
1918         /* negative test for NULL order */
1919         || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
1920         /* negative test for zero order */
1921         || !TEST_true(BN_set_word(g1_order, 0))
1922         || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
1923         /* negative test for negative order */
1924         || !TEST_true(BN_set_word(g2_cf, 0))
1925         || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
1926         || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
1927         /* negative test for too large order */
1928         || !TEST_true(BN_lshift(g1_order, g1_p, 2))
1929         || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
1930         goto err;
1931     ret = 1;
1932  err:
1933     EC_POINT_free(g2_gen);
1934     EC_GROUP_free(g1);
1935     EC_GROUP_free(g2);
1936     BN_CTX_end(ctx);
1937     BN_CTX_free(ctx);
1938     return ret;
1939 }
1940
1941 static int check_ec_key_field_public_range_test(int id)
1942 {
1943     int ret = 0, type = 0;
1944     const EC_POINT *pub = NULL;
1945     const EC_GROUP *group = NULL;
1946     const EC_METHOD *meth = NULL;
1947     const BIGNUM *field = NULL;
1948     BIGNUM *x = NULL, *y = NULL;
1949     EC_KEY *key = NULL;
1950
1951     if (!(TEST_ptr(x = BN_new())
1952           && TEST_ptr(y = BN_new())
1953           && TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid))
1954           && TEST_ptr(group = EC_KEY_get0_group(key))
1955           && TEST_ptr(meth = EC_GROUP_method_of(group))
1956           && TEST_ptr(field = EC_GROUP_get0_field(group))
1957           && TEST_int_gt(EC_KEY_generate_key(key), 0)
1958           && TEST_int_gt(EC_KEY_check_key(key), 0)
1959           && TEST_ptr(pub = EC_KEY_get0_public_key(key))
1960           && TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y,
1961                                                          NULL), 0)))
1962         goto err;
1963
1964     /*
1965      * Make the public point out of range by adding the field (which will still
1966      * be the same point on the curve). The add is different for char2 fields.
1967      */
1968     type = EC_METHOD_get_field_type(meth);
1969 #ifndef OPENSSL_NO_EC2M
1970     if (type == NID_X9_62_characteristic_two_field) {
1971         /* test for binary curves */
1972         if (!TEST_true(BN_GF2m_add(x, x, field)))
1973             goto err;
1974     } else
1975 #endif
1976     if (type == NID_X9_62_prime_field) {
1977         /* test for prime curves */
1978         if (!TEST_true(BN_add(x, x, field)))
1979             goto err;
1980     } else {
1981         /* this should never happen */
1982         TEST_error("Unsupported EC_METHOD field_type");
1983         goto err;
1984     }
1985     if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0))
1986         goto err;
1987
1988     ret = 1;
1989 err:
1990     BN_free(x);
1991     BN_free(y);
1992     EC_KEY_free(key);
1993     return ret;
1994 }
1995 #endif /* OPENSSL_NO_EC */
1996
1997 int setup_tests(void)
1998 {
1999 #ifndef OPENSSL_NO_EC
2000     crv_len = EC_get_builtin_curves(NULL, 0);
2001     if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len))
2002         || !TEST_true(EC_get_builtin_curves(curves, crv_len)))
2003         return 0;
2004
2005     ADD_TEST(parameter_test);
2006     ADD_ALL_TESTS(cardinality_test, crv_len);
2007     ADD_TEST(prime_field_tests);
2008 # ifndef OPENSSL_NO_EC2M
2009     ADD_TEST(char2_field_tests);
2010     ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
2011 # endif
2012 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
2013     ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
2014     ADD_TEST(underflow_test);
2015 # endif
2016     ADD_ALL_TESTS(internal_curve_test, crv_len);
2017     ADD_ALL_TESTS(internal_curve_test_method, crv_len);
2018     ADD_TEST(group_field_test);
2019     ADD_ALL_TESTS(check_named_curve_test, crv_len);
2020     ADD_ALL_TESTS(check_named_curve_lookup_test, crv_len);
2021     ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
2022 #endif /* OPENSSL_NO_EC */
2023     return 1;
2024 }
2025
2026 void cleanup_tests(void)
2027 {
2028 #ifndef OPENSSL_NO_EC
2029     OPENSSL_free(curves);
2030 #endif
2031 }