2945cd73b330889ea8278632f23a3768334ba942
[openssl.git] / test / ectest.c
1 /*
2  * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4  *
5  * Licensed under the OpenSSL license (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10
11 #include "internal/nelem.h"
12 #include "testutil.h"
13
14 #ifndef OPENSSL_NO_EC
15 # include <openssl/ec.h>
16 # ifndef OPENSSL_NO_ENGINE
17 #  include <openssl/engine.h>
18 # endif
19 # include <openssl/err.h>
20 # include <openssl/obj_mac.h>
21 # include <openssl/objects.h>
22 # include <openssl/rand.h>
23 # include <openssl/bn.h>
24 # include <openssl/opensslconf.h>
25
26 static size_t crv_len = 0;
27 static EC_builtin_curve *curves = NULL;
28
29 /* test multiplication with group order, long and negative scalars */
30 static int group_order_tests(EC_GROUP *group)
31 {
32     BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL;
33     EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL;
34     const EC_POINT *G = NULL;
35     BN_CTX *ctx = NULL;
36     int i = 0, r = 0;
37
38     if (!TEST_ptr(n1 = BN_new())
39         || !TEST_ptr(n2 = BN_new())
40         || !TEST_ptr(order = BN_new())
41         || !TEST_ptr(ctx = BN_CTX_new())
42         || !TEST_ptr(G = EC_GROUP_get0_generator(group))
43         || !TEST_ptr(P = EC_POINT_new(group))
44         || !TEST_ptr(Q = EC_POINT_new(group))
45         || !TEST_ptr(R = EC_POINT_new(group))
46         || !TEST_ptr(S = EC_POINT_new(group)))
47         goto err;
48
49     if (!TEST_true(EC_GROUP_get_order(group, order, ctx))
50         || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
51         || !TEST_true(EC_POINT_is_at_infinity(group, Q))
52         || !TEST_true(EC_GROUP_precompute_mult(group, ctx))
53         || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
54         || !TEST_true(EC_POINT_is_at_infinity(group, Q))
55         || !TEST_true(EC_POINT_copy(P, G))
56         || !TEST_true(BN_one(n1))
57         || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
58         || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
59         || !TEST_true(BN_sub(n1, order, n1))
60         || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
61         || !TEST_true(EC_POINT_invert(group, Q, ctx))
62         || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
63         goto err;
64
65     for (i = 1; i <= 2; i++) {
66         const BIGNUM *scalars[6];
67         const EC_POINT *points[6];
68
69         if (!TEST_true(BN_set_word(n1, i))
70             /*
71              * If i == 1, P will be the predefined generator for which
72              * EC_GROUP_precompute_mult has set up precomputation.
73              */
74             || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
75             || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx)))
76             || !TEST_true(BN_one(n1))
77             /* n1 = 1 - order */
78             || !TEST_true(BN_sub(n1, n1, order))
79             || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx))
80             || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
81
82             /* n2 = 1 + order */
83             || !TEST_true(BN_add(n2, order, BN_value_one()))
84             || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
85             || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
86
87             /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
88             || !TEST_true(BN_mul(n2, n1, n2, ctx))
89             || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
90             || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
91             goto err;
92
93         /* n2 = order^2 - 1 */
94         BN_set_negative(n2, 0);
95         if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
96             /* Add P to verify the result. */
97             || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx))
98             || !TEST_true(EC_POINT_is_at_infinity(group, Q))
99
100             /* Exercise EC_POINTs_mul, including corner cases. */
101             || !TEST_false(EC_POINT_is_at_infinity(group, P)))
102             goto err;
103
104         scalars[0] = scalars[1] = BN_value_one();
105         points[0]  = points[1]  = P;
106
107         if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx))
108             || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx))
109             || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx)))
110             goto err;
111
112         scalars[0] = n1;
113         points[0] = Q;          /* => infinity */
114         scalars[1] = n2;
115         points[1] = P;          /* => -P */
116         scalars[2] = n1;
117         points[2] = Q;          /* => infinity */
118         scalars[3] = n2;
119         points[3] = Q;          /* => infinity */
120         scalars[4] = n1;
121         points[4] = P;          /* => P */
122         scalars[5] = n2;
123         points[5] = Q;          /* => infinity */
124         if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
125             || !TEST_true(EC_POINT_is_at_infinity(group, P)))
126             goto err;
127     }
128
129     r = 1;
130 err:
131     if (r == 0 && i != 0)
132         TEST_info(i == 1 ? "allowing precomputation" :
133                            "without precomputation");
134     EC_POINT_free(P);
135     EC_POINT_free(Q);
136     EC_POINT_free(R);
137     EC_POINT_free(S);
138     BN_free(n1);
139     BN_free(n2);
140     BN_free(order);
141     BN_CTX_free(ctx);
142     return r;
143 }
144
145 static int prime_field_tests(void)
146 {
147     BN_CTX *ctx = NULL;
148     BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL;
149     EC_GROUP *group = NULL, *tmp = NULL;
150     EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL,
151              *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
152     EC_POINT *P = NULL, *Q = NULL, *R = NULL;
153     BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL;
154     const EC_POINT *points[4];
155     const BIGNUM *scalars[4];
156     unsigned char buf[100];
157     size_t len, r = 0;
158     int k;
159
160     if (!TEST_ptr(ctx = BN_CTX_new())
161         || !TEST_ptr(p = BN_new())
162         || !TEST_ptr(a = BN_new())
163         || !TEST_ptr(b = BN_new())
164         || !TEST_true(BN_hex2bn(&p, "17"))
165         || !TEST_true(BN_hex2bn(&a, "1"))
166         || !TEST_true(BN_hex2bn(&b, "1"))
167         /*
168          * applications should use EC_GROUP_new_curve_GFp so
169          * that the library gets to choose the EC_METHOD
170          */
171         || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))
172         || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
173         || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
174         || !TEST_true(EC_GROUP_copy(tmp, group)))
175         goto err;
176     EC_GROUP_free(group);
177     group = tmp;
178     tmp = NULL;
179
180     if (!TEST_true(EC_GROUP_get_curve_GFp(group, p, a, b, ctx)))
181         goto err;
182
183     TEST_info("Curve defined by Weierstrass equation");
184     TEST_note("     y^2 = x^3 + a*x + b (mod p)");
185     test_output_bignum("a", a);
186     test_output_bignum("b", b);
187     test_output_bignum("p", p);
188
189     buf[0] = 0;
190     if (!TEST_ptr(P = EC_POINT_new(group))
191         || !TEST_ptr(Q = EC_POINT_new(group))
192         || !TEST_ptr(R = EC_POINT_new(group))
193         || !TEST_true(EC_POINT_set_to_infinity(group, P))
194         || !TEST_true(EC_POINT_is_at_infinity(group, P))
195         || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
196         || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
197         || !TEST_true(EC_POINT_is_at_infinity(group, P))
198         || !TEST_ptr(x = BN_new())
199         || !TEST_ptr(y = BN_new())
200         || !TEST_ptr(z = BN_new())
201         || !TEST_ptr(yplusone = BN_new())
202         || !TEST_true(BN_hex2bn(&x, "D"))
203         || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1,
204                                                               ctx)))
205         goto err;
206
207     if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
208         if (!TEST_true(EC_POINT_get_affine_coordinates_GFp(group, Q, x, y,
209                                                            ctx)))
210             goto err;
211         TEST_info("Point is not on curve");
212         test_output_bignum("x", x);
213         test_output_bignum("y", y);
214         goto err;
215     }
216
217     TEST_note("A cyclic subgroup:");
218     k = 100;
219     do {
220         if (!TEST_int_ne(k--, 0))
221             goto err;
222
223         if (EC_POINT_is_at_infinity(group, P)) {
224             TEST_note("     point at infinity");
225         } else {
226             if (!TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y,
227                                                                ctx)))
228                 goto err;
229
230             test_output_bignum("x", x);
231             test_output_bignum("y", y);
232         }
233
234         if (!TEST_true(EC_POINT_copy(R, P))
235             || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
236             goto err;
237
238     } while (!EC_POINT_is_at_infinity(group, P));
239
240     if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
241         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
242         goto err;
243
244     len =
245         EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf,
246                            sizeof(buf), ctx);
247     if (!TEST_size_t_ne(len, 0)
248         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
249         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
250         goto err;
251     test_output_memory("Generator as octet string, compressed form:",
252                        buf, len);
253
254     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
255                              buf, sizeof(buf), ctx);
256     if (!TEST_size_t_ne(len, 0)
257         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
258         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
259         goto err;
260     test_output_memory("Generator as octet string, uncompressed form:",
261                        buf, len);
262
263     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID,
264                              buf, sizeof(buf), ctx);
265     if (!TEST_size_t_ne(len, 0)
266         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
267         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
268         goto err;
269     test_output_memory("Generator as octet string, hybrid form:",
270                        buf, len);
271
272     if (!TEST_true(EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z,
273                                                             ctx)))
274         goto err;
275     TEST_info("A representation of the inverse of that generator in");
276     TEST_note("Jacobian projective coordinates");
277     test_output_bignum("x", x);
278     test_output_bignum("y", y);
279     test_output_bignum("z", z);
280
281     if (!TEST_true(EC_POINT_invert(group, P, ctx))
282         || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
283
284     /*
285      * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2,
286      * 2000) -- not a NIST curve, but commonly used
287      */
288
289         || !TEST_true(BN_hex2bn(&p,                         "FFFFFFFF"
290                                     "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF"))
291         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
292         || !TEST_true(BN_hex2bn(&a,                         "FFFFFFFF"
293                                     "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC"))
294         || !TEST_true(BN_hex2bn(&b,                         "1C97BEFC"
295                                     "54BD7A8B65ACF89F81D4D4ADC565FA45"))
296         || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
297         || !TEST_true(BN_hex2bn(&x,                         "4A96B568"
298                                     "8EF573284664698968C38BB913CBFC82"))
299         || !TEST_true(BN_hex2bn(&y,                         "23a62855"
300                                     "3168947d59dcc912042351377ac5fb32"))
301         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
302     /*
303      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
304      * and therefore setting the coordinates should fail.
305      */
306         || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
307                                                            yplusone, ctx))
308         || !TEST_true(EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
309         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
310         || !TEST_true(BN_hex2bn(&z,                       "0100000000"
311                                     "000000000001F4C8F927AED3CA752257"))
312         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
313         || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
314         goto err;
315     TEST_info("SEC2 curve secp160r1 -- Generator");
316     test_output_bignum("x", x);
317     test_output_bignum("y", y);
318     /* G_y value taken from the standard: */
319     if (!TEST_true(BN_hex2bn(&z,                         "23a62855"
320                                  "3168947d59dcc912042351377ac5fb32"))
321         || !TEST_BN_eq(y, z)
322         || !TEST_int_eq(EC_GROUP_get_degree(group), 160)
323         || !group_order_tests(group)
324         || !TEST_ptr(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))
325         || !TEST_true(EC_GROUP_copy(P_160, group))
326
327     /* Curve P-192 (FIPS PUB 186-2, App. 6) */
328
329         || !TEST_true(BN_hex2bn(&p,                 "FFFFFFFFFFFFFFFF"
330                                     "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"))
331         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
332         || !TEST_true(BN_hex2bn(&a,                 "FFFFFFFFFFFFFFFF"
333                                     "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC"))
334         || !TEST_true(BN_hex2bn(&b,                 "64210519E59C80E7"
335                                     "0FA7E9AB72243049FEB8DEECC146B9B1"))
336         || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
337         || !TEST_true(BN_hex2bn(&x,                 "188DA80EB03090F6"
338                                     "7CBF20EB43A18800F4FF0AFD82FF1012"))
339         || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1,
340                                                               ctx))
341         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
342         || !TEST_true(BN_hex2bn(&z,                 "FFFFFFFFFFFFFFFF"
343                                     "FFFFFFFF99DEF836146BC9B1B4D22831"))
344         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
345         || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
346         goto err;
347
348     TEST_info("NIST curve P-192 -- Generator");
349     test_output_bignum("x", x);
350     test_output_bignum("y", y);
351     /* G_y value taken from the standard: */
352     if (!TEST_true(BN_hex2bn(&z,                 "07192B95FFC8DA78"
353                                  "631011ED6B24CDD573F977A11E794811"))
354         || !TEST_BN_eq(y, z)
355         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
356     /*
357      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
358      * and therefore setting the coordinates should fail.
359      */
360         || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
361                                                            yplusone, ctx))
362         || !TEST_int_eq(EC_GROUP_get_degree(group), 192)
363         || !group_order_tests(group)
364         || !TEST_ptr(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))
365         || !TEST_true(EC_GROUP_copy(P_192, group))
366
367     /* Curve P-224 (FIPS PUB 186-2, App. 6) */
368
369         || !TEST_true(BN_hex2bn(&p,         "FFFFFFFFFFFFFFFFFFFFFFFF"
370                                     "FFFFFFFF000000000000000000000001"))
371         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
372         || !TEST_true(BN_hex2bn(&a,         "FFFFFFFFFFFFFFFFFFFFFFFF"
373                                     "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
374         || !TEST_true(BN_hex2bn(&b,         "B4050A850C04B3ABF5413256"
375                                     "5044B0B7D7BFD8BA270B39432355FFB4"))
376         || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
377         || !TEST_true(BN_hex2bn(&x,         "B70E0CBD6BB4BF7F321390B9"
378                                     "4A03C1D356C21122343280D6115C1D21"))
379         || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0,
380                                                               ctx))
381         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
382         || !TEST_true(BN_hex2bn(&z,         "FFFFFFFFFFFFFFFFFFFFFFFF"
383                                     "FFFF16A2E0B8F03E13DD29455C5C2A3D"))
384         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
385         || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
386         goto err;
387
388     TEST_info("NIST curve P-224 -- Generator");
389     test_output_bignum("x", x);
390     test_output_bignum("y", y);
391     /* G_y value taken from the standard: */
392     if (!TEST_true(BN_hex2bn(&z,         "BD376388B5F723FB4C22DFE6"
393                                  "CD4375A05A07476444D5819985007E34"))
394         || !TEST_BN_eq(y, z)
395         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
396     /*
397      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
398      * and therefore setting the coordinates should fail.
399      */
400         || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
401                                                            yplusone, ctx))
402         || !TEST_int_eq(EC_GROUP_get_degree(group), 224)
403         || !group_order_tests(group)
404         || !TEST_ptr(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))
405         || !TEST_true(EC_GROUP_copy(P_224, group))
406
407     /* Curve P-256 (FIPS PUB 186-2, App. 6) */
408
409         || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000"
410                                     "00000000FFFFFFFFFFFFFFFFFFFFFFFF"))
411         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
412         || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000"
413                                     "00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
414         || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
415                                     "651D06B0CC53B0F63BCE3C3E27D2604B"))
416         || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
417
418         || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2"
419                                     "77037D812DEB33A0F4A13945D898C296"))
420         || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1,
421                                                               ctx))
422         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
423         || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
424                                     "BCE6FAADA7179E84F3B9CAC2FC632551"))
425         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
426         || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
427         goto err;
428
429     TEST_info("NIST curve P-256 -- Generator");
430     test_output_bignum("x", x);
431     test_output_bignum("y", y);
432     /* G_y value taken from the standard: */
433     if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16"
434                                  "2BCE33576B315ECECBB6406837BF51F5"))
435         || !TEST_BN_eq(y, z)
436         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
437     /*
438      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
439      * and therefore setting the coordinates should fail.
440      */
441         || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
442                                                            yplusone, ctx))
443         || !TEST_int_eq(EC_GROUP_get_degree(group), 256)
444         || !group_order_tests(group)
445         || !TEST_ptr(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))
446         || !TEST_true(EC_GROUP_copy(P_256, group))
447
448     /* Curve P-384 (FIPS PUB 186-2, App. 6) */
449
450         || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
451                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
452                                     "FFFFFFFF0000000000000000FFFFFFFF"))
453         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
454         || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
455                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
456                                     "FFFFFFFF0000000000000000FFFFFFFC"))
457         || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19"
458                                     "181D9C6EFE8141120314088F5013875A"
459                                     "C656398D8A2ED19D2A85C8EDD3EC2AEF"))
460         || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
461
462         || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74"
463                                     "6E1D3B628BA79B9859F741E082542A38"
464                                     "5502F25DBF55296C3A545E3872760AB7"))
465         || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1,
466                                                               ctx))
467         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
468         || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
469                                     "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
470                                     "581A0DB248B0A77AECEC196ACCC52973"))
471         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
472         || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
473         goto err;
474
475     TEST_info("NIST curve P-384 -- Generator");
476     test_output_bignum("x", x);
477     test_output_bignum("y", y);
478     /* G_y value taken from the standard: */
479     if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29"
480                                  "F8F41DBD289A147CE9DA3113B5F0B8C0"
481                                  "0A60B1CE1D7E819D7A431D7C90EA0E5F"))
482         || !TEST_BN_eq(y, z)
483         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
484     /*
485      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
486      * and therefore setting the coordinates should fail.
487      */
488         || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
489                                                            yplusone, ctx))
490         || !TEST_int_eq(EC_GROUP_get_degree(group), 384)
491         || !group_order_tests(group)
492         || !TEST_ptr(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))
493         || !TEST_true(EC_GROUP_copy(P_384, group))
494
495     /* Curve P-521 (FIPS PUB 186-2, App. 6) */
496         || !TEST_true(BN_hex2bn(&p,                              "1FF"
497                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
498                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
499                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
500                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
501         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
502         || !TEST_true(BN_hex2bn(&a,                              "1FF"
503                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
504                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
505                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
506                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
507         || !TEST_true(BN_hex2bn(&b,                              "051"
508                                     "953EB9618E1C9A1F929A21A0B68540EE"
509                                     "A2DA725B99B315F3B8B489918EF109E1"
510                                     "56193951EC7E937B1652C0BD3BB1BF07"
511                                     "3573DF883D2C34F1EF451FD46B503F00"))
512         || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
513         || !TEST_true(BN_hex2bn(&x,                               "C6"
514                                     "858E06B70404E9CD9E3ECB662395B442"
515                                     "9C648139053FB521F828AF606B4D3DBA"
516                                     "A14B5E77EFE75928FE1DC127A2FFA8DE"
517                                     "3348B3C1856A429BF97E7E31C2E5BD66"))
518         || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0,
519                                                               ctx))
520         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
521         || !TEST_true(BN_hex2bn(&z,                              "1FF"
522                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
523                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA"
524                                     "51868783BF2F966B7FCC0148F709A5D0"
525                                     "3BB5C9B8899C47AEBB6FB71E91386409"))
526         || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
527         || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
528         goto err;
529
530     TEST_info("NIST curve P-521 -- Generator");
531     test_output_bignum("x", x);
532     test_output_bignum("y", y);
533     /* G_y value taken from the standard: */
534     if (!TEST_true(BN_hex2bn(&z,                              "118"
535                                  "39296A789A3BC0045C8A5FB42C7D1BD9"
536                                  "98F54449579B446817AFBD17273E662C"
537                                  "97EE72995EF42640C550B9013FAD0761"
538                                  "353C7086A272C24088BE94769FD16650"))
539         || !TEST_BN_eq(y, z)
540         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
541     /*
542      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
543      * and therefore setting the coordinates should fail.
544      */
545         || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
546                                                            yplusone, ctx))
547         || !TEST_int_eq(EC_GROUP_get_degree(group), 521)
548         || !group_order_tests(group)
549         || !TEST_ptr(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))
550         || !TEST_true(EC_GROUP_copy(P_521, group))
551
552     /* more tests using the last curve */
553
554     /* Restore the point that got mangled in the (x, y + 1) test. */
555         || !TEST_true(EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
556         || !TEST_true(EC_POINT_copy(Q, P))
557         || !TEST_false(EC_POINT_is_at_infinity(group, Q))
558         || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
559         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
560         || !TEST_true(EC_POINT_invert(group, Q, ctx))       /* P = -2Q */
561         || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
562         || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
563         || !TEST_true(EC_POINT_is_at_infinity(group, R))    /* R = P + 2Q */
564         || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
565         goto err;
566     points[0] = Q;
567     points[1] = Q;
568     points[2] = Q;
569     points[3] = Q;
570
571     if (!TEST_true(EC_GROUP_get_order(group, z, ctx))
572         || !TEST_true(BN_add(y, z, BN_value_one()))
573         || !TEST_BN_even(y)
574         || !TEST_true(BN_rshift1(y, y)))
575         goto err;
576     scalars[0] = y;         /* (group order + 1)/2, so y*Q + y*Q = Q */
577     scalars[1] = y;
578
579     TEST_note("combined multiplication ...");
580
581     /* z is still the group order */
582     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
583         || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
584         || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
585         || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx))
586         || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
587         || !TEST_true(BN_add(z, z, y)))
588         goto err;
589     BN_set_negative(z, 1);
590     scalars[0] = y;
591     scalars[1] = z;         /* z = -(order + y) */
592
593     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
594         || !TEST_true(EC_POINT_is_at_infinity(group, P))
595         || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
596         || !TEST_true(BN_add(z, x, y)))
597         goto err;
598     BN_set_negative(z, 1);
599     scalars[0] = x;
600     scalars[1] = y;
601     scalars[2] = z;         /* z = -(x+y) */
602
603     if (!TEST_ptr(scalar3 = BN_new()))
604         goto err;
605     BN_zero(scalar3);
606     scalars[3] = scalar3;
607
608     if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
609         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
610         goto err;
611
612     TEST_note(" ok\n");
613
614
615     r = 1;
616 err:
617     BN_CTX_free(ctx);
618     BN_free(p);
619     BN_free(a);
620     BN_free(b);
621     EC_GROUP_free(group);
622     EC_GROUP_free(tmp);
623     EC_POINT_free(P);
624     EC_POINT_free(Q);
625     EC_POINT_free(R);
626     BN_free(x);
627     BN_free(y);
628     BN_free(z);
629     BN_free(yplusone);
630     BN_free(scalar3);
631
632     EC_GROUP_free(P_160);
633     EC_GROUP_free(P_192);
634     EC_GROUP_free(P_224);
635     EC_GROUP_free(P_256);
636     EC_GROUP_free(P_384);
637     EC_GROUP_free(P_521);
638     return r;
639 }
640
641 # ifndef OPENSSL_NO_EC2M
642
643 static struct c2_curve_test {
644     const char *name;
645     const char *p;
646     const char *a;
647     const char *b;
648     const char *x;
649     const char *y;
650     int ybit;
651     const char *order;
652     const char *cof;
653     int degree;
654 } char2_curve_tests[] = {
655     /* Curve K-163 (FIPS PUB 186-2, App. 6) */
656     {
657         "NIST curve K-163",
658         "0800000000000000000000000000000000000000C9",
659         "1",
660         "1",
661         "02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8",
662         "0289070FB05D38FF58321F2E800536D538CCDAA3D9",
663         1, "04000000000000000000020108A2E0CC0D99F8A5EF", "2", 163
664     },
665     /* Curve B-163 (FIPS PUB 186-2, App. 6) */
666     {
667         "NIST curve B-163",
668         "0800000000000000000000000000000000000000C9",
669         "1",
670         "020A601907B8C953CA1481EB10512F78744A3205FD",
671         "03F0EBA16286A2D57EA0991168D4994637E8343E36",
672         "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1",
673         1, "040000000000000000000292FE77E70C12A4234C33", "2", 163
674     },
675     /* Curve K-233 (FIPS PUB 186-2, App. 6) */
676     {
677         "NIST curve K-233",
678         "020000000000000000000000000000000000000004000000000000000001",
679         "0",
680         "1",
681         "017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126",
682         "01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3",
683         0,
684         "008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF",
685         "4", 233
686     },
687     /* Curve B-233 (FIPS PUB 186-2, App. 6) */
688     {
689         "NIST curve B-233",
690         "020000000000000000000000000000000000000004000000000000000001",
691         "000000000000000000000000000000000000000000000000000000000001",
692         "0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD",
693         "00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B",
694         "01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052",
695         1,
696         "01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7",
697         "2", 233
698     },
699     /* Curve K-283 (FIPS PUB 186-2, App. 6) */
700     {
701         "NIST curve K-283",
702                                                                 "08000000"
703         "00000000000000000000000000000000000000000000000000000000000010A1",
704         "0",
705         "1",
706                                                                 "0503213F"
707         "78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836",
708                                                                 "01CCDA38"
709         "0F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259",
710         0,
711                                                                 "01FFFFFF"
712         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61",
713         "4", 283
714     },
715     /* Curve B-283 (FIPS PUB 186-2, App. 6) */
716     {
717         "NIST curve B-283",
718                                                                 "08000000"
719         "00000000000000000000000000000000000000000000000000000000000010A1",
720                                                                 "00000000"
721         "0000000000000000000000000000000000000000000000000000000000000001",
722                                                                 "027B680A"
723         "C8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5",
724                                                                 "05F93925"
725         "8DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053",
726                                                                 "03676854"
727         "FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4",
728         1,
729                                                                 "03FFFFFF"
730         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307",
731         "2", 283
732     },
733     /* Curve K-409 (FIPS PUB 186-2, App. 6) */
734     {
735         "NIST curve K-409",
736                                 "0200000000000000000000000000000000000000"
737         "0000000000000000000000000000000000000000008000000000000000000001",
738         "0",
739         "1",
740                                 "0060F05F658F49C1AD3AB1890F7184210EFD0987"
741         "E307C84C27ACCFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746",
742                                 "01E369050B7C4E42ACBA1DACBF04299C3460782F"
743         "918EA427E6325165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B",
744         1,
745                                 "007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
746         "FFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF",
747         "4", 409
748     },
749     /* Curve B-409 (FIPS PUB 186-2, App. 6) */
750     {
751         "NIST curve B-409",
752                                 "0200000000000000000000000000000000000000"
753         "0000000000000000000000000000000000000000008000000000000000000001",
754                                 "0000000000000000000000000000000000000000"
755         "0000000000000000000000000000000000000000000000000000000000000001",
756                                 "0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422E"
757         "F1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F",
758                                 "015D4860D088DDB3496B0C6064756260441CDE4A"
759         "F1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7",
760                                 "0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5"
761         "A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706",
762         1,
763                                 "0100000000000000000000000000000000000000"
764         "00000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173",
765         "2", 409
766     },
767     /* Curve K-571 (FIPS PUB 186-2, App. 6) */
768     {
769         "NIST curve K-571",
770                                                          "800000000000000"
771         "0000000000000000000000000000000000000000000000000000000000000000"
772         "0000000000000000000000000000000000000000000000000000000000000425",
773         "0",
774         "1",
775                                                         "026EB7A859923FBC"
776         "82189631F8103FE4AC9CA2970012D5D46024804801841CA44370958493B205E6"
777         "47DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972",
778                                                         "0349DC807F4FBF37"
779         "4F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0AC44AEA7"
780         "4FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3",
781         0,
782                                                         "0200000000000000"
783         "00000000000000000000000000000000000000000000000000000000131850E1"
784         "F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001",
785         "4", 571
786     },
787     /* Curve B-571 (FIPS PUB 186-2, App. 6) */
788     {
789         "NIST curve B-571",
790                                                          "800000000000000"
791         "0000000000000000000000000000000000000000000000000000000000000000"
792         "0000000000000000000000000000000000000000000000000000000000000425",
793                                                         "0000000000000000"
794         "0000000000000000000000000000000000000000000000000000000000000000"
795         "0000000000000000000000000000000000000000000000000000000000000001",
796                                                         "02F40E7E2221F295"
797         "DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA5933"
798         "2BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A",
799                                                         "0303001D34B85629"
800         "6C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293"
801         "CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19",
802                                                         "037BF27342DA639B"
803         "6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A57"
804         "6291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B",
805         1,
806                                                         "03FFFFFFFFFFFFFF"
807         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18"
808         "FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47",
809         "2", 571
810     }
811 };
812
813 static int char2_curve_test(int n)
814 {
815     int r = 0;
816     BN_CTX *ctx = NULL;
817     BIGNUM *p = NULL, *a = NULL, *b = NULL;
818     BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
819     EC_GROUP *group = NULL, *variable = NULL;
820     EC_POINT *P = NULL, *Q = NULL, *R = NULL;
821     const EC_POINT *points[3];
822     const BIGNUM *scalars[3];
823     struct c2_curve_test *const test = char2_curve_tests + n;
824
825     if (!TEST_ptr(ctx = BN_CTX_new())
826         || !TEST_ptr(p = BN_new())
827         || !TEST_ptr(a = BN_new())
828         || !TEST_ptr(b = BN_new())
829         || !TEST_ptr(x = BN_new())
830         || !TEST_ptr(y = BN_new())
831         || !TEST_ptr(z = BN_new())
832         || !TEST_ptr(yplusone = BN_new())
833         || !TEST_true(BN_hex2bn(&p, test->p))
834         || !TEST_true(BN_hex2bn(&a, test->a))
835         || !TEST_true(BN_hex2bn(&b, test->b))
836         || !TEST_true(group = EC_GROUP_new(EC_GF2m_simple_method()))
837         || !TEST_true(EC_GROUP_set_curve_GF2m(group, p, a, b, ctx))
838         || !TEST_ptr(P = EC_POINT_new(group))
839         || !TEST_ptr(Q = EC_POINT_new(group))
840         || !TEST_ptr(R = EC_POINT_new(group))
841         || !TEST_true(BN_hex2bn(&x, test->x))
842         || !TEST_true(BN_hex2bn(&y, test->y))
843         || !TEST_true(BN_add(yplusone, y, BN_value_one())))
844         goto err;
845
846 /* Change test based on whether binary point compression is enabled or not. */
847 # ifdef OPENSSL_EC_BIN_PT_COMP
848     /*
849      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
850      * and therefore setting the coordinates should fail.
851      */
852     if (!TEST_false(EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone,
853                                                          ctx))
854         || !TEST_true(EC_POINT_set_compressed_coordinates_GF2m(group, P, x,
855                                                                test->y_bit,
856                                                                ctx))
857         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
858         || !TEST_true(BN_hex2bn(&z, test->order))
859         || !TEST_true(BN_hex2bn(&cof, test->cof))
860         || !TEST_true(EC_GROUP_set_generator(group, P, z, cof))
861         || !TEST_true(EC_POINT_get_affine_coordinates_GF2m(group, P, x, y,
862                                                            ctx)))
863         goto err;
864     TEST_info("%s -- Generator", test->name);
865     test_output_bignum("x", x);
866     test_output_bignum("y", y);
867     /* G_y value taken from the standard: */
868     if (!TEST_true(BN_hex2bn(&z, test->y))
869         || !TEST_BN_eq(y, z))
870         goto err;
871 # else
872     /*
873      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
874      * and therefore setting the coordinates should fail.
875      */
876     if (!TEST_false(EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone,
877                     ctx))
878         || !TEST_true(EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx))
879         || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
880         || !TEST_true(BN_hex2bn(&z, test->order))
881         || !TEST_true(BN_hex2bn(&cof, test->cof))
882         || !TEST_true(EC_GROUP_set_generator(group, P, z, cof)))
883         goto err;
884     TEST_info("%s -- Generator:", test->name);
885     test_output_bignum("x", x);
886     test_output_bignum("y", y);
887 # endif
888
889     if (!TEST_int_eq(EC_GROUP_get_degree(group), test->degree)
890         || !group_order_tests(group)
891         || !TEST_ptr(variable = EC_GROUP_new(EC_GROUP_method_of(group)))
892         || !TEST_true(EC_GROUP_copy(variable, group)))
893         goto err;
894
895     /* more tests using the last curve */
896     if (n == OSSL_NELEM(char2_curve_tests) - 1) {
897         if (!TEST_true(EC_POINT_set_affine_coordinates_GF2m(group, P, x, y,
898                                                                 ctx))
899             || !TEST_true(EC_POINT_copy(Q, P))
900             || !TEST_false(EC_POINT_is_at_infinity(group, Q))
901             || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
902             || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
903             || !TEST_true(EC_POINT_invert(group, Q, ctx))       /* P = -2Q */
904             || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
905             || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
906             || !TEST_true(EC_POINT_is_at_infinity(group, R))   /* R = P + 2Q */
907             || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
908             goto err;
909
910         points[0] = Q;
911         points[1] = Q;
912         points[2] = Q;
913
914         if (!TEST_true(BN_add(y, z, BN_value_one()))
915             || !TEST_BN_even(y)
916             || !TEST_true(BN_rshift1(y, y)))
917             goto err;
918         scalars[0] = y;         /* (group order + 1)/2, so y*Q + y*Q = Q */
919         scalars[1] = y;
920
921         TEST_note("combined multiplication ...");
922
923         /* z is still the group order */
924         if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
925             || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
926             || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
927             || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx)))
928             goto err;
929
930         if (!TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
931             || !TEST_true(BN_add(z, z, y)))
932             goto err;
933         BN_set_negative(z, 1);
934         scalars[0] = y;
935         scalars[1] = z;         /* z = -(order + y) */
936
937         if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
938             || !TEST_true(EC_POINT_is_at_infinity(group, P)))
939             goto err;
940
941         if (!TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
942             || !TEST_true(BN_add(z, x, y)))
943             goto err;
944         BN_set_negative(z, 1);
945         scalars[0] = x;
946         scalars[1] = y;
947         scalars[2] = z;         /* z = -(x+y) */
948
949         if (!TEST_true(EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx))
950             || !TEST_true(EC_POINT_is_at_infinity(group, P)))
951             goto err;;
952     }
953
954     r = 1;
955 err:
956     BN_CTX_free(ctx);
957     BN_free(p);
958     BN_free(a);
959     BN_free(b);
960     BN_free(x);
961     BN_free(y);
962     BN_free(z);
963     BN_free(yplusone);
964     BN_free(cof);
965     EC_POINT_free(P);
966     EC_POINT_free(Q);
967     EC_POINT_free(R);
968     EC_GROUP_free(group);
969     EC_GROUP_free(variable);
970     return r;
971 }
972
973 static int char2_field_tests(void)
974 {
975     BN_CTX *ctx = NULL;
976     BIGNUM *p = NULL, *a = NULL, *b = NULL;
977     EC_GROUP *group = NULL, *tmp = NULL;
978     EC_POINT *P = NULL, *Q = NULL, *R = NULL;
979     BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
980     unsigned char buf[100];
981     size_t len;
982     int k, r = 0;
983
984     if (!TEST_ptr(ctx = BN_CTX_new())
985         || !TEST_ptr(p = BN_new())
986         || !TEST_ptr(a = BN_new())
987         || !TEST_ptr(b = BN_new())
988         || !TEST_true(BN_hex2bn(&p, "13"))
989         || !TEST_true(BN_hex2bn(&a, "3"))
990         || !TEST_true(BN_hex2bn(&b, "1")))
991         goto err;
992
993     group = EC_GROUP_new(EC_GF2m_simple_method()); /* applications should use
994                                                     * EC_GROUP_new_curve_GF2m
995                                                     * so that the library gets
996                                                     * to choose the EC_METHOD */
997     if (!TEST_ptr(group)
998         || !TEST_true(EC_GROUP_set_curve_GF2m(group, p, a, b, ctx))
999         || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
1000         || !TEST_true(EC_GROUP_copy(tmp, group)))
1001         goto err;
1002     EC_GROUP_free(group);
1003     group = tmp;
1004     tmp = NULL;
1005
1006     if (!TEST_true(EC_GROUP_get_curve_GF2m(group, p, a, b, ctx)))
1007         goto err;
1008
1009     TEST_info("Curve defined by Weierstrass equation");
1010     TEST_note("     y^2 + x*y = x^3 + a*x^2 + b (mod p)");
1011     test_output_bignum("a", a);
1012     test_output_bignum("b", b);
1013     test_output_bignum("p", p);
1014
1015      if (!TEST_ptr(P = EC_POINT_new(group))
1016         || !TEST_ptr(Q = EC_POINT_new(group))
1017         || !TEST_ptr(R = EC_POINT_new(group))
1018         || !TEST_true(EC_POINT_set_to_infinity(group, P))
1019         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
1020         goto err;
1021
1022     buf[0] = 0;
1023     if (!TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
1024         || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
1025         || !TEST_true(EC_POINT_is_at_infinity(group, P))
1026         || !TEST_ptr(x = BN_new())
1027         || !TEST_ptr(y = BN_new())
1028         || !TEST_ptr(z = BN_new())
1029         || !TEST_ptr(cof = BN_new())
1030         || !TEST_ptr(yplusone = BN_new())
1031         || !TEST_true(BN_hex2bn(&x, "6"))
1032 /* Change test based on whether binary point compression is enabled or not. */
1033 #  ifdef OPENSSL_EC_BIN_PT_COMP
1034         || !TEST_true(EC_POINT_set_compressed_coordinates_GF2m(group, Q, x, 1,
1035                                                                ctx))
1036 #  else
1037         || !TEST_true(BN_hex2bn(&y, "8"))
1038         || !TEST_true(EC_POINT_set_affine_coordinates_GF2m(group, Q, x, y, ctx))
1039 #  endif
1040        )
1041         goto err;
1042     if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
1043 /* Change test based on whether binary point compression is enabled or not. */
1044 #  ifdef OPENSSL_EC_BIN_PT_COMP
1045         if (!TEST_true(EC_POINT_get_affine_coordinates_GF2m(group, Q, x, y,
1046                                                             ctx)))
1047             goto err;
1048 #  endif
1049         TEST_info("Point is not on curve");
1050         test_output_bignum("x", x);
1051         test_output_bignum("y", y);
1052         goto err;
1053     }
1054
1055     TEST_note("A cyclic subgroup:");
1056     k = 100;
1057     do {
1058         if (!TEST_int_ne(k--, 0))
1059             goto err;
1060
1061         if (EC_POINT_is_at_infinity(group, P))
1062             TEST_note("     point at infinity");
1063         else {
1064             if (!TEST_true(EC_POINT_get_affine_coordinates_GF2m(group, P, x, y,
1065                                                                 ctx)))
1066                 goto err;
1067
1068             test_output_bignum("x", x);
1069             test_output_bignum("y", y);
1070         }
1071
1072         if (!TEST_true(EC_POINT_copy(R, P))
1073             || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
1074             goto err;
1075     }
1076     while (!EC_POINT_is_at_infinity(group, P));
1077
1078     if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
1079         || !TEST_true(EC_POINT_is_at_infinity(group, P)))
1080         goto err;
1081
1082 /* Change test based on whether binary point compression is enabled or not. */
1083 #  ifdef OPENSSL_EC_BIN_PT_COMP
1084     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED,
1085                              buf, sizeof(buf), ctx);
1086     if (!TEST_size_t_ne(len, 0)
1087         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1088         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1089         goto err;
1090     test_output_memory("Generator as octet string, compressed form:",
1091                        buf, len);
1092 #  endif
1093
1094     len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
1095                              buf, sizeof(buf), ctx);
1096     if (!TEST_size_t_ne(len, 0)
1097         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1098         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1099         goto err;
1100     test_output_memory("Generator as octet string, uncompressed form:",
1101                        buf, len);
1102
1103 /* Change test based on whether binary point compression is enabled or not. */
1104 #  ifdef OPENSSL_EC_BIN_PT_COMP
1105     len =
1106         EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof(buf),
1107                            ctx);
1108     if (!TEST_size_t_ne(len, 0)
1109         || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1110         || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1111         goto err;
1112     test_output_memory("Generator as octet string, hybrid form:",
1113                        buf, len);
1114 #  endif
1115
1116     if (!TEST_true(EC_POINT_invert(group, P, ctx))
1117         || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)))
1118         goto err;
1119
1120     TEST_note("\n");
1121
1122     r = 1;
1123 err:
1124     BN_CTX_free(ctx);
1125     BN_free(p);
1126     BN_free(a);
1127     BN_free(b);
1128     EC_GROUP_free(group);
1129     EC_GROUP_free(tmp);
1130     EC_POINT_free(P);
1131     EC_POINT_free(Q);
1132     EC_POINT_free(R);
1133     BN_free(x);
1134     BN_free(y);
1135     BN_free(z);
1136     BN_free(cof);
1137     BN_free(yplusone);
1138     return r;
1139 }
1140 # endif
1141
1142 static int internal_curve_test(int n)
1143 {
1144     EC_GROUP *group = NULL;
1145     int nid = curves[n].nid;
1146
1147     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
1148         TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n",
1149                   OBJ_nid2sn(nid));
1150         return 0;
1151     }
1152     if (!TEST_true(EC_GROUP_check(group, NULL))) {
1153         TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid));
1154         EC_GROUP_free(group);
1155         return 0;
1156     }
1157     EC_GROUP_free(group);
1158     return 1;
1159 }
1160
1161 static int internal_curve_test_method(int n)
1162 {
1163     int r, nid = curves[n].nid;
1164     EC_GROUP *group;
1165
1166     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
1167         TEST_info("Curve %s failed\n", OBJ_nid2sn(nid));
1168         return 0;
1169     }
1170     r = group_order_tests(group);
1171     EC_GROUP_free(group);
1172     return r;
1173 }
1174
1175 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
1176 /*
1177  * nistp_test_params contains magic numbers for testing our optimized
1178  * implementations of several NIST curves with characteristic > 3.
1179  */
1180 struct nistp_test_params {
1181     const EC_METHOD *(*meth) (void);
1182     int degree;
1183     /*
1184      * Qx, Qy and D are taken from
1185      * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
1186      * Otherwise, values are standard curve parameters from FIPS 180-3
1187      */
1188     const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
1189 };
1190
1191 static const struct nistp_test_params nistp_tests_params[] = {
1192     {
1193      /* P-224 */
1194      EC_GFp_nistp224_method,
1195      224,
1196      /* p */
1197      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
1198      /* a */
1199      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
1200      /* b */
1201      "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
1202      /* Qx */
1203      "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E",
1204      /* Qy */
1205      "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555",
1206      /* Gx */
1207      "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
1208      /* Gy */
1209      "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
1210      /* order */
1211      "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
1212      /* d */
1213      "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8",
1214      },
1215     {
1216      /* P-256 */
1217      EC_GFp_nistp256_method,
1218      256,
1219      /* p */
1220      "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
1221      /* a */
1222      "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
1223      /* b */
1224      "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
1225      /* Qx */
1226      "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19",
1227      /* Qy */
1228      "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09",
1229      /* Gx */
1230      "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
1231      /* Gy */
1232      "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
1233      /* order */
1234      "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
1235      /* d */
1236      "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96",
1237      },
1238     {
1239      /* P-521 */
1240      EC_GFp_nistp521_method,
1241      521,
1242      /* p */
1243                                                                   "1ff"
1244      "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
1245      "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
1246      /* a */
1247                                                                   "1ff"
1248      "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
1249      "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
1250      /* b */
1251                                                                   "051"
1252      "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1"
1253      "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
1254      /* Qx */
1255                                                                  "0098"
1256      "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e"
1257      "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
1258      /* Qy */
1259                                                                  "0164"
1260      "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8"
1261      "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
1262      /* Gx */
1263                                                                    "c6"
1264      "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba"
1265      "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
1266      /* Gy */
1267                                                                   "118"
1268      "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c"
1269      "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
1270      /* order */
1271                                                                   "1ff"
1272      "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa"
1273      "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
1274      /* d */
1275                                                                  "0100"
1276      "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee"
1277      "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
1278      },
1279 };
1280
1281 static int nistp_single_test(int idx)
1282 {
1283     const struct nistp_test_params *test = nistp_tests_params + idx;
1284     BN_CTX *ctx = NULL;
1285     BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL;
1286     BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL;
1287     EC_GROUP *NISTP = NULL;
1288     EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL;
1289     int r = 0;
1290
1291     TEST_note("NIST curve P-%d (optimised implementation):",
1292               test->degree);
1293     if (!TEST_ptr(ctx = BN_CTX_new())
1294         || !TEST_ptr(p = BN_new())
1295         || !TEST_ptr(a = BN_new())
1296         || !TEST_ptr(b = BN_new())
1297         || !TEST_ptr(x = BN_new())
1298         || !TEST_ptr(y = BN_new())
1299         || !TEST_ptr(m = BN_new())
1300         || !TEST_ptr(n = BN_new())
1301         || !TEST_ptr(order = BN_new())
1302         || !TEST_ptr(yplusone = BN_new())
1303
1304         || !TEST_ptr(NISTP = EC_GROUP_new(test->meth()))
1305         || !TEST_true(BN_hex2bn(&p, test->p))
1306         || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
1307         || !TEST_true(BN_hex2bn(&a, test->a))
1308         || !TEST_true(BN_hex2bn(&b, test->b))
1309         || !TEST_true(EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx))
1310         || !TEST_ptr(G = EC_POINT_new(NISTP))
1311         || !TEST_ptr(P = EC_POINT_new(NISTP))
1312         || !TEST_ptr(Q = EC_POINT_new(NISTP))
1313         || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP))
1314         || !TEST_true(BN_hex2bn(&x, test->Qx))
1315         || !TEST_true(BN_hex2bn(&y, test->Qy))
1316         || !TEST_true(BN_add(yplusone, y, BN_value_one()))
1317     /*
1318      * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
1319      * and therefore setting the coordinates should fail.
1320      */
1321         || !TEST_false(EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x,
1322                                                            yplusone, ctx))
1323         || !TEST_true(EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y,
1324                                                           ctx))
1325         || !TEST_true(BN_hex2bn(&x, test->Gx))
1326         || !TEST_true(BN_hex2bn(&y, test->Gy))
1327         || !TEST_true(EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx))
1328         || !TEST_true(BN_hex2bn(&order, test->order))
1329         || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
1330         || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
1331         goto err;
1332
1333     TEST_note("NIST test vectors ... ");
1334     if (!TEST_true(BN_hex2bn(&n, test->d)))
1335         goto err;
1336     /* fixed point multiplication */
1337     EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
1338     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1339         goto err;
1340     /* random point multiplication */
1341     EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
1342     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
1343
1344         /* set generator to P = 2*G, where G is the standard generator */
1345         || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx))
1346         || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
1347         /* set the scalar to m=n/2, where n is the NIST test scalar */
1348         || !TEST_true(BN_rshift(m, n, 1)))
1349         goto err;
1350
1351     /* test the non-standard generator */
1352     /* fixed point multiplication */
1353     EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
1354     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1355         goto err;
1356     /* random point multiplication */
1357     EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
1358     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
1359
1360     /*
1361      * We have not performed precomputation so have_precompute mult should be
1362      * false
1363      */
1364         || !TEST_false(EC_GROUP_have_precompute_mult(NISTP))
1365
1366     /* now repeat all tests with precomputation */
1367         || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx))
1368         || !TEST_true(EC_GROUP_have_precompute_mult(NISTP)))
1369         goto err;
1370
1371     /* fixed point multiplication */
1372     EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
1373     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1374         goto err;
1375     /* random point multiplication */
1376     EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
1377     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
1378
1379     /* reset generator */
1380         || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())))
1381         goto err;
1382     /* fixed point multiplication */
1383     EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
1384     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1385         goto err;
1386     /* random point multiplication */
1387     EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
1388     if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1389         goto err;
1390
1391     /* regression test for felem_neg bug */
1392     if (!TEST_true(BN_set_word(m, 32))
1393         || !TEST_true(BN_set_word(n, 31))
1394         || !TEST_true(EC_POINT_copy(P, G))
1395         || !TEST_true(EC_POINT_invert(NISTP, P, ctx))
1396         || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx))
1397         || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx)))
1398       goto err;
1399
1400     r = group_order_tests(NISTP);
1401 err:
1402     EC_GROUP_free(NISTP);
1403     EC_POINT_free(G);
1404     EC_POINT_free(P);
1405     EC_POINT_free(Q);
1406     EC_POINT_free(Q_CHECK);
1407     BN_free(n);
1408     BN_free(m);
1409     BN_free(p);
1410     BN_free(a);
1411     BN_free(b);
1412     BN_free(x);
1413     BN_free(y);
1414     BN_free(order);
1415     BN_free(yplusone);
1416     BN_CTX_free(ctx);
1417     return r;
1418 }
1419 # endif
1420
1421 static const unsigned char p521_named[] = {
1422     0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23,
1423 };
1424
1425 static const unsigned char p521_explicit[] = {
1426     0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a,
1427     0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff,
1428     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1429     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1430     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1431     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1432     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1433     0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff,
1434     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1435     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1436     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1437     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1438     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1439     0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a,
1440     0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72,
1441     0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09,
1442     0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 0x52, 0xc0,
1443     0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34,
1444     0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00,
1445     0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17,
1446     0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04,
1447     0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e,
1448     0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
1449     0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b,
1450     0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
1451     0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e,
1452     0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78,
1453     0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9,
1454     0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17,
1455     0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40,
1456     0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86,
1457     0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
1458     0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1459     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1460     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa,
1461     0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48,
1462     0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae,
1463     0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
1464 };
1465
1466 static int parameter_test(void)
1467 {
1468     EC_GROUP *group = NULL, *group2 = NULL;
1469     ECPARAMETERS *ecparameters = NULL;
1470     unsigned char *buf = NULL;
1471     int r = 0, len;
1472
1473     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp112r1))
1474         || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
1475         || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
1476         || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
1477         goto err;
1478
1479     EC_GROUP_free(group);
1480     group = NULL;
1481
1482     /* Test the named curve encoding, which should be default. */
1483     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1))
1484         || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
1485         || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named)))
1486         goto err;
1487
1488     OPENSSL_free(buf);
1489     buf = NULL;
1490
1491     /*
1492      * Test the explicit encoding. P-521 requires correctly zero-padding the
1493      * curve coefficients.
1494      */
1495     EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
1496     if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
1497         || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit)))
1498         goto err;
1499
1500     r = 1;
1501 err:
1502     EC_GROUP_free(group);
1503     EC_GROUP_free(group2);
1504     ECPARAMETERS_free(ecparameters);
1505     OPENSSL_free(buf);
1506     return r;
1507 }
1508 #endif
1509
1510 int setup_tests(void)
1511 {
1512 #ifndef OPENSSL_NO_EC
1513     crv_len = EC_get_builtin_curves(NULL, 0);
1514     if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len))
1515         || !TEST_true(EC_get_builtin_curves(curves, crv_len)))
1516         return 0;
1517
1518     ADD_TEST(parameter_test);
1519     ADD_TEST(prime_field_tests);
1520 # ifndef OPENSSL_NO_EC2M
1521     ADD_TEST(char2_field_tests);
1522     ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
1523 # endif
1524 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
1525     ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
1526 # endif
1527     ADD_ALL_TESTS(internal_curve_test, crv_len);
1528     ADD_ALL_TESTS(internal_curve_test_method, crv_len);
1529 #endif
1530     return 1;
1531 }
1532
1533 void cleanup_tests(void)
1534 {
1535 #ifndef OPENSSL_NO_EC
1536     OPENSSL_free(curves);
1537 #endif
1538 }