/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* https://www.openssl.org/source/license.html
*/
+/*
+ * We need access to the deprecated EC_POINTs_mul, EC_GROUP_precompute_mult,
+ * and EC_GROUP_have_precompute_mult for testing purposes
+ * when the deprecated calls are not hidden
+ */
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+# define OPENSSL_SUPPRESS_DEPRECATED
+#endif
+
#include <string.h>
#include "internal/nelem.h"
#include "testutil.h"
if (!TEST_true(EC_GROUP_get_order(group, order, ctx))
|| !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
|| !TEST_true(EC_POINT_is_at_infinity(group, Q))
+# ifndef OPENSSL_NO_DEPRECATED_3_0
|| !TEST_true(EC_GROUP_precompute_mult(group, ctx))
+# endif
|| !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
|| !TEST_true(EC_POINT_is_at_infinity(group, Q))
|| !TEST_true(EC_POINT_copy(P, G))
goto err;
for (i = 1; i <= 2; i++) {
+# ifndef OPENSSL_NO_DEPRECATED_3_0
const BIGNUM *scalars[6];
const EC_POINT *points[6];
+# endif
if (!TEST_true(BN_set_word(n1, i))
/*
/* Add P to verify the result. */
|| !TEST_true(EC_POINT_add(group, Q, Q, P, ctx))
|| !TEST_true(EC_POINT_is_at_infinity(group, Q))
-
- /* Exercise EC_POINTs_mul, including corner cases. */
|| !TEST_false(EC_POINT_is_at_infinity(group, P)))
goto err;
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+ /* Exercise EC_POINTs_mul, including corner cases. */
scalars[0] = scalars[1] = BN_value_one();
points[0] = points[1] = P;
if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
|| !TEST_true(EC_POINT_is_at_infinity(group, P)))
goto err;
+# endif
}
r = 1;
{
BN_CTX *ctx = NULL;
BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL;
- EC_GROUP *group = NULL, *tmp = NULL;
- EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL,
- *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
+ EC_GROUP *group = NULL;
EC_POINT *P = NULL, *Q = NULL, *R = NULL;
BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL;
+# ifndef OPENSSL_NO_DEPRECATED_3_0
const EC_POINT *points[4];
const BIGNUM *scalars[4];
+# endif
unsigned char buf[100];
size_t len, r = 0;
int k;
|| !TEST_true(BN_hex2bn(&p, "17"))
|| !TEST_true(BN_hex2bn(&a, "1"))
|| !TEST_true(BN_hex2bn(&b, "1"))
- /*
- * applications should use EC_GROUP_new_curve_GFp so
- * that the library gets to choose the EC_METHOD
- */
- || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))
- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
- || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
- || !TEST_true(EC_GROUP_copy(tmp, group)))
- goto err;
- EC_GROUP_free(group);
- group = tmp;
- tmp = NULL;
-
- if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
+ || !TEST_ptr(group = EC_GROUP_new_curve_GFp(p, a, b, ctx))
+ || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
goto err;
TEST_info("Curve defined by Weierstrass equation");
test_output_memory("Generator as octet string, hybrid form:",
buf, len);
- if (!TEST_true(EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z,
- ctx)))
- goto err;
- TEST_info("A representation of the inverse of that generator in");
- TEST_note("Jacobian projective coordinates");
- test_output_bignum("x", x);
- test_output_bignum("y", y);
- test_output_bignum("z", z);
-
if (!TEST_true(EC_POINT_invert(group, P, ctx))
|| !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
|| !TEST_true(BN_hex2bn(&p, "FFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF"))
- || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, "FFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC"))
|| !TEST_true(BN_hex2bn(&b, "1C97BEFC"
|| !TEST_BN_eq(y, z)
|| !TEST_int_eq(EC_GROUP_get_degree(group), 160)
|| !group_order_tests(group)
- || !TEST_ptr(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))
- || !TEST_true(EC_GROUP_copy(P_160, group))
/* Curve P-192 (FIPS PUB 186-2, App. 6) */
|| !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"))
- || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC"))
|| !TEST_true(BN_hex2bn(&b, "64210519E59C80E7"
ctx))
|| !TEST_int_eq(EC_GROUP_get_degree(group), 192)
|| !group_order_tests(group)
- || !TEST_ptr(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))
- || !TEST_true(EC_GROUP_copy(P_192, group))
/* Curve P-224 (FIPS PUB 186-2, App. 6) */
|| !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFF000000000000000000000001"))
- || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
|| !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256"
ctx))
|| !TEST_int_eq(EC_GROUP_get_degree(group), 224)
|| !group_order_tests(group)
- || !TEST_ptr(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))
- || !TEST_true(EC_GROUP_copy(P_224, group))
/* Curve P-256 (FIPS PUB 186-2, App. 6) */
|| !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000"
"00000000FFFFFFFFFFFFFFFFFFFFFFFF"))
- || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000"
"00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
|| !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
ctx))
|| !TEST_int_eq(EC_GROUP_get_degree(group), 256)
|| !group_order_tests(group)
- || !TEST_ptr(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))
- || !TEST_true(EC_GROUP_copy(P_256, group))
/* Curve P-384 (FIPS PUB 186-2, App. 6) */
|| !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
"FFFFFFFF0000000000000000FFFFFFFF"))
- || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
"FFFFFFFF0000000000000000FFFFFFFC"))
ctx))
|| !TEST_int_eq(EC_GROUP_get_degree(group), 384)
|| !group_order_tests(group)
- || !TEST_ptr(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))
- || !TEST_true(EC_GROUP_copy(P_384, group))
/* Curve P-521 (FIPS PUB 186-2, App. 6) */
|| !TEST_true(BN_hex2bn(&p, "1FF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
- || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, "1FF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
ctx))
|| !TEST_int_eq(EC_GROUP_get_degree(group), 521)
|| !group_order_tests(group)
- || !TEST_ptr(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))
- || !TEST_true(EC_GROUP_copy(P_521, group))
/* more tests using the last curve */
|| !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
|| !TEST_false(EC_POINT_is_at_infinity(group, Q)))
goto err;
+
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+ TEST_note("combined multiplication ...");
points[0] = Q;
points[1] = Q;
points[2] = Q;
|| !TEST_BN_even(y)
|| !TEST_true(BN_rshift1(y, y)))
goto err;
+
scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
scalars[1] = y;
- TEST_note("combined multiplication ...");
-
/* z is still the group order */
if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
|| !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
|| !TEST_true(EC_POINT_is_at_infinity(group, P)))
goto err;
-
+# endif
TEST_note(" ok\n");
-
-
r = 1;
err:
BN_CTX_free(ctx);
BN_free(a);
BN_free(b);
EC_GROUP_free(group);
- EC_GROUP_free(tmp);
EC_POINT_free(P);
EC_POINT_free(Q);
EC_POINT_free(R);
BN_free(z);
BN_free(yplusone);
BN_free(scalar3);
-
- EC_GROUP_free(P_160);
- EC_GROUP_free(P_192);
- EC_GROUP_free(P_224);
- EC_GROUP_free(P_256);
- EC_GROUP_free(P_384);
- EC_GROUP_free(P_521);
return r;
}
BN_CTX *ctx = NULL;
BIGNUM *p = NULL, *a = NULL, *b = NULL;
BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
- EC_GROUP *group = NULL, *variable = NULL;
+ EC_GROUP *group = NULL;
EC_POINT *P = NULL, *Q = NULL, *R = NULL;
+# ifndef OPENSSL_NO_DEPRECATED_3_0
const EC_POINT *points[3];
const BIGNUM *scalars[3];
+# endif
struct c2_curve_test *const test = char2_curve_tests + n;
if (!TEST_ptr(ctx = BN_CTX_new())
|| !TEST_true(BN_hex2bn(&p, test->p))
|| !TEST_true(BN_hex2bn(&a, test->a))
|| !TEST_true(BN_hex2bn(&b, test->b))
- || !TEST_true(group = EC_GROUP_new(EC_GF2m_simple_method()))
- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
+ || !TEST_true(group = EC_GROUP_new_curve_GF2m(p, a, b, ctx))
|| !TEST_ptr(P = EC_POINT_new(group))
|| !TEST_ptr(Q = EC_POINT_new(group))
|| !TEST_ptr(R = EC_POINT_new(group))
# endif
if (!TEST_int_eq(EC_GROUP_get_degree(group), test->degree)
- || !group_order_tests(group)
- || !TEST_ptr(variable = EC_GROUP_new(EC_GROUP_method_of(group)))
- || !TEST_true(EC_GROUP_copy(variable, group)))
+ || !group_order_tests(group))
goto err;
/* more tests using the last curve */
|| !TEST_false(EC_POINT_is_at_infinity(group, Q)))
goto err;
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+ TEST_note("combined multiplication ...");
points[0] = Q;
points[1] = Q;
points[2] = Q;
scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
scalars[1] = y;
- TEST_note("combined multiplication ...");
-
/* z is still the group order */
if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
|| !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
if (!TEST_true(EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx))
|| !TEST_true(EC_POINT_is_at_infinity(group, P)))
- goto err;;
+ goto err;
+# endif
}
r = 1;
EC_POINT_free(Q);
EC_POINT_free(R);
EC_GROUP_free(group);
- EC_GROUP_free(variable);
return r;
}
{
BN_CTX *ctx = NULL;
BIGNUM *p = NULL, *a = NULL, *b = NULL;
- EC_GROUP *group = NULL, *tmp = NULL;
+ EC_GROUP *group = NULL;
EC_POINT *P = NULL, *Q = NULL, *R = NULL;
BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
unsigned char buf[100];
|| !TEST_true(BN_hex2bn(&b, "1")))
goto err;
- group = EC_GROUP_new(EC_GF2m_simple_method()); /* applications should use
- * EC_GROUP_new_curve_GF2m
- * so that the library gets
- * to choose the EC_METHOD */
- if (!TEST_ptr(group)
- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
- || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
- || !TEST_true(EC_GROUP_copy(tmp, group)))
- goto err;
- EC_GROUP_free(group);
- group = tmp;
- tmp = NULL;
-
- if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
+ if (!TEST_ptr(group = EC_GROUP_new_curve_GF2m(p, a, b, ctx))
+ || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
goto err;
TEST_info("Curve defined by Weierstrass equation");
BN_free(a);
BN_free(b);
EC_GROUP_free(group);
- EC_GROUP_free(tmp);
EC_POINT_free(P);
EC_POINT_free(Q);
EC_POINT_free(R);
return r;
}
-# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
/*
- * nistp_test_params contains magic numbers for testing our optimized
- * implementations of several NIST curves with characteristic > 3.
+ * nistp_test_params contains magic numbers for testing
+ * several NIST curves with characteristic > 3.
*/
struct nistp_test_params {
- const EC_METHOD *(*meth) (void);
+ const int nid;
int degree;
/*
* Qx, Qy and D are taken from
static const struct nistp_test_params nistp_tests_params[] = {
{
/* P-224 */
- EC_GFp_nistp224_method,
+ NID_secp224r1,
224,
/* p */
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
},
{
/* P-256 */
- EC_GFp_nistp256_method,
+ NID_X9_62_prime256v1,
256,
/* p */
"ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
},
{
/* P-521 */
- EC_GFp_nistp521_method,
+ NID_secp521r1,
521,
/* p */
"1ff"
|| !TEST_ptr(order = BN_new())
|| !TEST_ptr(yplusone = BN_new())
- || !TEST_ptr(NISTP = EC_GROUP_new(test->meth()))
+ || !TEST_ptr(NISTP = EC_GROUP_new_by_curve_name(test->nid))
|| !TEST_true(BN_hex2bn(&p, test->p))
- || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, test->a))
|| !TEST_true(BN_hex2bn(&b, test->b))
|| !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx))
/* random point multiplication */
EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
-
- /*
- * We have not performed precomputation so have_precompute mult should be
- * false
- */
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+ /* We have not performed precomp so this should be false */
|| !TEST_false(EC_GROUP_have_precompute_mult(NISTP))
-
- /* now repeat all tests with precomputation */
+ /* now repeat all tests with precomputation */
|| !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx))
- || !TEST_true(EC_GROUP_have_precompute_mult(NISTP)))
+# endif
+ )
goto err;
/* fixed point multiplication */
|| !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx)))
goto err;
- r = group_order_tests(NISTP);
+ r = 1;
err:
EC_GROUP_free(NISTP);
EC_POINT_free(G);
return r;
}
-/*
- * Tests a point known to cause an incorrect underflow in an old version of
- * ecp_nist521.c
- */
-static int underflow_test(void)
-{
- BN_CTX *ctx = NULL;
- EC_GROUP *grp = NULL;
- EC_POINT *P = NULL, *Q = NULL, *R = NULL;
- BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL;
- BIGNUM *k = NULL;
- int testresult = 0;
- const char *x1str =
- "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4"
- "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004";
- const char *p521m1 =
- "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
- "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe";
-
- ctx = BN_CTX_new();
- if (!TEST_ptr(ctx))
- return 0;
-
- BN_CTX_start(ctx);
- x1 = BN_CTX_get(ctx);
- y1 = BN_CTX_get(ctx);
- z1 = BN_CTX_get(ctx);
- x2 = BN_CTX_get(ctx);
- y2 = BN_CTX_get(ctx);
- k = BN_CTX_get(ctx);
- if (!TEST_ptr(k))
- goto err;
-
- grp = EC_GROUP_new_by_curve_name(NID_secp521r1);
- P = EC_POINT_new(grp);
- Q = EC_POINT_new(grp);
- R = EC_POINT_new(grp);
- if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R))
- goto err;
-
- if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0)
- || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0)
- || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0)
- || !TEST_int_gt(BN_hex2bn(&k, "02"), 0)
- || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1,
- y1, z1, ctx))
- || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx))
- || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx))
- || !TEST_true(EC_POINT_dbl(grp, R, P, ctx))
- || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx)))
- goto err;
-
- if (!TEST_int_eq(BN_cmp(x1, x2), 0)
- || !TEST_int_eq(BN_cmp(y1, y2), 0))
- goto err;
-
- testresult = 1;
-
- err:
- BN_CTX_end(ctx);
- EC_POINT_free(P);
- EC_POINT_free(Q);
- EC_POINT_free(R);
- EC_GROUP_free(grp);
- BN_CTX_free(ctx);
-
- return testresult;
-}
-# endif
-
static const unsigned char p521_named[] = {
0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23,
};
/* Determine if the built-in curve has a seed field set */
has_seed = (EC_GROUP_get_seed_len(group) > 0);
- field_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
+ field_nid = EC_GROUP_get_field_type(group);
if (field_nid == NID_X9_62_characteristic_two_field) {
if (!TEST_ptr(other_p = BN_dup(group_p))
|| !TEST_true(BN_lshift1(other_p, other_p)))
return r;
}
+/*-
+ * random 256-bit explicit parameters curve, cofactor absent
+ * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
+ * cofactor: 0x12bc94785251297abfafddf1565100da (125 bit)
+ */
+static const unsigned char params_cf_pass[] = {
+ 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
+ 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5,
+ 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
+ 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
+ 0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5,
+ 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
+ 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
+ 0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc,
+ 0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27,
+ 0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23,
+ 0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77,
+ 0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b,
+ 0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4,
+ 0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9,
+ 0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a,
+ 0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c,
+ 0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96,
+ 0x14, 0xa8, 0x2f, 0x4f
+};
+
+/*-
+ * random 256-bit explicit parameters curve, cofactor absent
+ * order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
+ * cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
+ */
+static const unsigned char params_cf_fail[] = {
+ 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
+ 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37,
+ 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
+ 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
+ 0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37,
+ 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
+ 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
+ 0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09,
+ 0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d,
+ 0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02,
+ 0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59,
+ 0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11,
+ 0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24,
+ 0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70,
+ 0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73,
+ 0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04,
+ 0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e,
+ 0x34, 0xa2, 0x21, 0x01
+};
+
+/*-
+ * Test two random 256-bit explicit parameters curves with absent cofactor.
+ * The two curves are chosen to roughly straddle the bounds at which the lib
+ * can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
+ *
+ * - params_cf_pass: order is sufficiently close to p to compute cofactor
+ * - params_cf_fail: order is too far away from p to compute cofactor
+ *
+ * For standards-compliant curves, cofactor is chosen as small as possible.
+ * So you can see neither of these curves are fit for cryptographic use.
+ *
+ * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
+ * h <= 2**(t/8) where t is the security level of the curve, for which the lib
+ * will always succeed in computing the cofactor. Neither of these curves
+ * conform to that -- this is just robustness testing.
+ */
+static int cofactor_range_test(void)
+{
+ EC_GROUP *group = NULL;
+ BIGNUM *cf = NULL;
+ int ret = 0;
+ const unsigned char *b1 = (const unsigned char *)params_cf_fail;
+ const unsigned char *b2 = (const unsigned char *)params_cf_pass;
+
+ if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
+ || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
+ || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
+ sizeof(params_cf_pass)))
+ || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
+ || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
+ goto err;
+ ret = 1;
+ err:
+ BN_free(cf);
+ EC_GROUP_free(group);
+ return ret;
+}
+
/*-
* For named curves, test that:
* - the lib correctly computes the cofactor if passed a NULL or zero cofactor
*/
static int cardinality_test(int n)
{
- int ret = 0;
+ int ret = 0, is_binary = 0;
int nid = curves[n].nid;
BN_CTX *ctx = NULL;
EC_GROUP *g1 = NULL, *g2 = NULL;
TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
if (!TEST_ptr(ctx = BN_CTX_new())
- || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))
- || !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) {
- EC_GROUP_free(g1);
- EC_GROUP_free(g2);
+ || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))) {
BN_CTX_free(ctx);
return 0;
}
+ is_binary = (EC_GROUP_get_field_type(g1) == NID_X9_62_characteristic_two_field);
+
BN_CTX_start(ctx);
g1_p = BN_CTX_get(ctx);
g1_a = BN_CTX_get(ctx);
|| !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
|| !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
/* construct g2 manually with g1 parameters */
- || !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx))
+# ifndef OPENSSL_NO_EC2M
+ || !TEST_ptr(g2 = (is_binary) ?
+ EC_GROUP_new_curve_GF2m(g1_p, g1_a, g1_b, ctx) :
+ EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx))
+# else
+ || !TEST_int_eq(0, is_binary)
+ || !TEST_ptr(g2 = EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx))
+# endif
|| !TEST_ptr(g2_gen = EC_POINT_new(g2))
|| !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
/* pass NULL cofactor: lib should compute it */
int ret = 0, type = 0;
const EC_POINT *pub = NULL;
const EC_GROUP *group = NULL;
- const EC_METHOD *meth = NULL;
const BIGNUM *field = NULL;
BIGNUM *x = NULL, *y = NULL;
EC_KEY *key = NULL;
|| !TEST_ptr(y = BN_new())
|| !TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid))
|| !TEST_ptr(group = EC_KEY_get0_group(key))
- || !TEST_ptr(meth = EC_GROUP_method_of(group))
|| !TEST_ptr(field = EC_GROUP_get0_field(group))
|| !TEST_int_gt(EC_KEY_generate_key(key), 0)
|| !TEST_int_gt(EC_KEY_check_key(key), 0)
* Make the public point out of range by adding the field (which will still
* be the same point on the curve). The add is different for char2 fields.
*/
- type = EC_METHOD_get_field_type(meth);
+ type = EC_GROUP_get_field_type(group);
#ifndef OPENSSL_NO_EC2M
if (type == NID_X9_62_characteristic_two_field) {
/* test for binary curves */
EC_KEY_free(key);
return ret;
}
+
+/*
+ * Helper for ec_point_hex2point_test
+ *
+ * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given
+ * (group,P) pair.
+ *
+ * If P is NULL use point at infinity.
+ */
+static ossl_inline
+int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P,
+ point_conversion_form_t form,
+ BN_CTX *bnctx)
+{
+ int ret = 0;
+ EC_POINT *Q = NULL, *Pinf = NULL;
+ char *hex = NULL;
+
+ if (P == NULL) {
+ /* If P is NULL use point at infinity. */
+ if (!TEST_ptr(Pinf = EC_POINT_new(group))
+ || !TEST_true(EC_POINT_set_to_infinity(group, Pinf)))
+ goto err;
+ P = Pinf;
+ }
+
+ if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx))
+ || !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx)))
+ goto err;
+
+ /*
+ * The next check is most likely superfluous, as EC_POINT_cmp should already
+ * cover this.
+ * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity,
+ * so we include it anyway!
+ */
+ if (Pinf != NULL
+ && !TEST_true(EC_POINT_is_at_infinity(group, Q)))
+ goto err;
+
+ ret = 1;
+
+ err:
+ EC_POINT_free(Pinf);
+ OPENSSL_free(hex);
+ EC_POINT_free(Q);
+
+ return ret;
+}
+
+/*
+ * This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex()
+ */
+static int ec_point_hex2point_test(int id)
+{
+ int ret = 0, nid;
+ EC_GROUP *group = NULL;
+ const EC_POINT *G = NULL;
+ EC_POINT *P = NULL;
+ BN_CTX * bnctx = NULL;
+
+ /* Do some setup */
+ nid = curves[id].nid;
+ if (!TEST_ptr(bnctx = BN_CTX_new())
+ || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
+ || !TEST_ptr(G = EC_GROUP_get0_generator(group))
+ || !TEST_ptr(P = EC_POINT_dup(G, group)))
+ goto err;
+
+ if (!TEST_true(ec_point_hex2point_test_helper(group, P,
+ POINT_CONVERSION_COMPRESSED,
+ bnctx))
+ || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
+ POINT_CONVERSION_COMPRESSED,
+ bnctx))
+ || !TEST_true(ec_point_hex2point_test_helper(group, P,
+ POINT_CONVERSION_UNCOMPRESSED,
+ bnctx))
+ || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
+ POINT_CONVERSION_UNCOMPRESSED,
+ bnctx))
+ || !TEST_true(ec_point_hex2point_test_helper(group, P,
+ POINT_CONVERSION_HYBRID,
+ bnctx))
+ || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
+ POINT_CONVERSION_HYBRID,
+ bnctx)))
+ goto err;
+
+ ret = 1;
+
+ err:
+ EC_POINT_free(P);
+ EC_GROUP_free(group);
+ BN_CTX_free(bnctx);
+
+ return ret;
+}
+
#endif /* OPENSSL_NO_EC */
int setup_tests(void)
return 0;
ADD_TEST(parameter_test);
+ ADD_TEST(cofactor_range_test);
ADD_ALL_TESTS(cardinality_test, crv_len);
ADD_TEST(prime_field_tests);
# ifndef OPENSSL_NO_EC2M
ADD_TEST(char2_field_tests);
ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
# endif
-# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
- ADD_TEST(underflow_test);
-# endif
ADD_ALL_TESTS(internal_curve_test, crv_len);
ADD_ALL_TESTS(internal_curve_test_method, crv_len);
ADD_TEST(group_field_test);
ADD_ALL_TESTS(check_named_curve_lookup_test, crv_len);
ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
+ ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
#endif /* OPENSSL_NO_EC */
return 1;
}