1 /* $OpenBSD: ectest.c,v 1.12 2021/04/20 17:35:21 tb Exp $ */ 2 /* crypto/ec/ectest.c */ 3 /* 4 * Originally written by Bodo Moeller for the OpenSSL project. 5 */ 6 /* ==================================================================== 7 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@openssl.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59 /* ==================================================================== 60 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 61 * 62 * Portions of the attached software ("Contribution") are developed by 63 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 64 * 65 * The Contribution is licensed pursuant to the OpenSSL open source 66 * license provided above. 67 * 68 * The elliptic curve binary polynomial software is originally written by 69 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. 70 * 71 */ 72 73 #include <stdio.h> 74 #include <stdlib.h> 75 #include <string.h> 76 #include <time.h> 77 78 #include <openssl/ec.h> 79 #ifndef OPENSSL_NO_ENGINE 80 #include <openssl/engine.h> 81 #endif 82 #include <openssl/err.h> 83 #include <openssl/obj_mac.h> 84 #include <openssl/objects.h> 85 #include <openssl/bn.h> 86 #include <openssl/opensslconf.h> 87 88 #define ABORT do { \ 89 fflush(stdout); \ 90 fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \ 91 ERR_print_errors_fp(stderr); \ 92 exit(1); \ 93 } while (0) 94 95 #define TIMING_BASE_PT 0 96 #define TIMING_RAND_PT 1 97 #define TIMING_SIMUL 2 98 99 /* test multiplication with group order, long and negative scalars */ 100 static void 101 group_order_tests(EC_GROUP *group) 102 { 103 BIGNUM *n1, *n2, *order; 104 EC_POINT *P = EC_POINT_new(group); 105 EC_POINT *Q = EC_POINT_new(group); 106 BN_CTX *ctx = BN_CTX_new(); 107 108 n1 = BN_new(); 109 n2 = BN_new(); 110 order = BN_new(); 111 fprintf(stdout, "verify group order ..."); 112 fflush(stdout); 113 if (!EC_GROUP_get_order(group, order, ctx)) 114 ABORT; 115 if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) 116 ABORT; 117 if (!EC_POINT_is_at_infinity(group, Q)) 118 ABORT; 119 fprintf(stdout, "."); 120 fflush(stdout); 121 if (!EC_GROUP_precompute_mult(group, ctx)) 122 ABORT; 123 if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) 124 ABORT; 125 if (!EC_POINT_is_at_infinity(group, Q)) 126 ABORT; 127 fprintf(stdout, " ok\n"); 128 fprintf(stdout, "long/negative scalar tests ... "); 129 if (!BN_one(n1)) 130 ABORT; 131 /* n1 = 1 - order */ 132 if (!BN_sub(n1, n1, order)) 133 ABORT; 134 if (!EC_POINT_mul(group, Q, NULL, P, n1, ctx)) 135 ABORT; 136 if (0 != EC_POINT_cmp(group, Q, P, ctx)) 137 ABORT; 138 /* n2 = 1 + order */ 139 if (!BN_add(n2, order, BN_value_one())) 140 ABORT; 141 if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) 142 ABORT; 143 if (0 != EC_POINT_cmp(group, Q, P, ctx)) 144 ABORT; 145 /* n2 = (1 - order) * (1 + order) */ 146 if (!BN_mul(n2, n1, n2, ctx)) 147 ABORT; 148 if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) 149 ABORT; 150 if (0 != EC_POINT_cmp(group, Q, P, ctx)) 151 ABORT; 152 fprintf(stdout, "ok\n"); 153 EC_POINT_free(P); 154 EC_POINT_free(Q); 155 BN_free(n1); 156 BN_free(n2); 157 BN_free(order); 158 BN_CTX_free(ctx); 159 } 160 161 static void 162 prime_field_tests(void) 163 { 164 BN_CTX *ctx = NULL; 165 BIGNUM *p, *a, *b; 166 EC_GROUP *group; 167 EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL; 168 EC_POINT *P, *Q, *R; 169 BIGNUM *x, *y, *z; 170 unsigned char buf[100]; 171 size_t i, len; 172 int k; 173 174 #if 1 /* optional */ 175 ctx = BN_CTX_new(); 176 if (!ctx) 177 ABORT; 178 #endif 179 180 p = BN_new(); 181 a = BN_new(); 182 b = BN_new(); 183 if (!p || !a || !b) 184 ABORT; 185 186 if (!BN_hex2bn(&p, "17")) 187 ABORT; 188 if (!BN_hex2bn(&a, "1")) 189 ABORT; 190 if (!BN_hex2bn(&b, "1")) 191 ABORT; 192 193 group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use EC_GROUP_new_curve_GFp 194 * so that the library gets to choose the EC_METHOD */ 195 if (!group) 196 ABORT; 197 198 if (!EC_GROUP_set_curve(group, p, a, b, ctx)) 199 ABORT; 200 201 { 202 EC_GROUP *tmp; 203 tmp = EC_GROUP_new(EC_GROUP_method_of(group)); 204 if (!tmp) 205 ABORT; 206 if (!EC_GROUP_copy(tmp, group)) 207 ABORT; 208 EC_GROUP_free(group); 209 group = tmp; 210 } 211 212 if (!EC_GROUP_get_curve(group, p, a, b, ctx)) 213 ABORT; 214 215 fprintf(stdout, "Curve defined by Weierstrass equation\n y^2 = x^3 + a*x + b (mod 0x"); 216 BN_print_fp(stdout, p); 217 fprintf(stdout, ")\n a = 0x"); 218 BN_print_fp(stdout, a); 219 fprintf(stdout, "\n b = 0x"); 220 BN_print_fp(stdout, b); 221 fprintf(stdout, "\n"); 222 223 P = EC_POINT_new(group); 224 Q = EC_POINT_new(group); 225 R = EC_POINT_new(group); 226 if (!P || !Q || !R) 227 ABORT; 228 229 if (!EC_POINT_set_to_infinity(group, P)) 230 ABORT; 231 if (!EC_POINT_is_at_infinity(group, P)) 232 ABORT; 233 234 buf[0] = 0; 235 if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) 236 ABORT; 237 238 if (!EC_POINT_add(group, P, P, Q, ctx)) 239 ABORT; 240 if (!EC_POINT_is_at_infinity(group, P)) 241 ABORT; 242 243 x = BN_new(); 244 y = BN_new(); 245 z = BN_new(); 246 if (!x || !y || !z) 247 ABORT; 248 249 if (!BN_hex2bn(&x, "D")) 250 ABORT; 251 if (!EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx)) 252 ABORT; 253 if (!EC_POINT_is_on_curve(group, Q, ctx)) { 254 if (!EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)) 255 ABORT; 256 fprintf(stderr, "Point is not on curve: x = 0x"); 257 BN_print_fp(stderr, x); 258 fprintf(stderr, ", y = 0x"); 259 BN_print_fp(stderr, y); 260 fprintf(stderr, "\n"); 261 ABORT; 262 } 263 264 fprintf(stdout, "A cyclic subgroup:\n"); 265 k = 100; 266 do 267 { 268 if (k-- == 0) 269 ABORT; 270 271 if (EC_POINT_is_at_infinity(group, P)) 272 fprintf(stdout, " point at infinity\n"); 273 else { 274 if (!EC_POINT_get_affine_coordinates(group, P, x, y, ctx)) 275 ABORT; 276 277 fprintf(stdout, " x = 0x"); 278 BN_print_fp(stdout, x); 279 fprintf(stdout, ", y = 0x"); 280 BN_print_fp(stdout, y); 281 fprintf(stdout, "\n"); 282 } 283 284 if (!EC_POINT_copy(R, P)) 285 ABORT; 286 if (!EC_POINT_add(group, P, P, Q, ctx)) 287 ABORT; 288 289 #if 0 /* optional */ 290 { 291 EC_POINT *points[3]; 292 293 points[0] = R; 294 points[1] = Q; 295 points[2] = P; 296 if (!EC_POINTs_make_affine(group, 2, points, ctx)) 297 ABORT; 298 } 299 #endif 300 301 } 302 while (!EC_POINT_is_at_infinity(group, P)); 303 304 if (!EC_POINT_add(group, P, Q, R, ctx)) 305 ABORT; 306 if (!EC_POINT_is_at_infinity(group, P)) 307 ABORT; 308 309 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, sizeof buf, ctx); 310 if (len == 0) 311 ABORT; 312 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 313 ABORT; 314 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 315 ABORT; 316 fprintf(stdout, "Generator as octet string, compressed form:\n "); 317 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); 318 319 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx); 320 if (len == 0) 321 ABORT; 322 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 323 ABORT; 324 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 325 ABORT; 326 fprintf(stdout, "\nGenerator as octet string, uncompressed form:\n "); 327 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); 328 329 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx); 330 if (len == 0) 331 ABORT; 332 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 333 ABORT; 334 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 335 ABORT; 336 fprintf(stdout, "\nGenerator as octet string, hybrid form:\n "); 337 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); 338 339 if (!EC_POINT_get_Jprojective_coordinates(group, R, x, y, z, ctx)) 340 ABORT; 341 fprintf(stdout, "\nA representation of the inverse of that generator in\nJacobian projective coordinates:\n X = 0x"); 342 BN_print_fp(stdout, x); 343 fprintf(stdout, ", Y = 0x"); 344 BN_print_fp(stdout, y); 345 fprintf(stdout, ", Z = 0x"); 346 BN_print_fp(stdout, z); 347 fprintf(stdout, "\n"); 348 349 if (!EC_POINT_invert(group, P, ctx)) 350 ABORT; 351 if (0 != EC_POINT_cmp(group, P, R, ctx)) 352 ABORT; 353 354 355 /* Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2, 2000) 356 * -- not a NIST curve, but commonly used */ 357 358 if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF")) 359 ABORT; 360 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 361 ABORT; 362 if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC")) 363 ABORT; 364 if (!BN_hex2bn(&b, "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45")) 365 ABORT; 366 if (!EC_GROUP_set_curve(group, p, a, b, ctx)) 367 ABORT; 368 369 if (!BN_hex2bn(&x, "4A96B5688EF573284664698968C38BB913CBFC82")) 370 ABORT; 371 if (!BN_hex2bn(&y, "23a628553168947d59dcc912042351377ac5fb32")) 372 ABORT; 373 if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) 374 ABORT; 375 if (!EC_POINT_is_on_curve(group, P, ctx)) 376 ABORT; 377 if (!BN_hex2bn(&z, "0100000000000000000001F4C8F927AED3CA752257")) 378 ABORT; 379 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 380 ABORT; 381 382 if (!EC_POINT_get_affine_coordinates(group, P, x, y, ctx)) 383 ABORT; 384 fprintf(stdout, "\nSEC2 curve secp160r1 -- Generator:\n x = 0x"); 385 BN_print_fp(stdout, x); 386 fprintf(stdout, "\n y = 0x"); 387 BN_print_fp(stdout, y); 388 fprintf(stdout, "\n"); 389 /* G_y value taken from the standard: */ 390 if (!BN_hex2bn(&z, "23a628553168947d59dcc912042351377ac5fb32")) 391 ABORT; 392 if (0 != BN_cmp(y, z)) 393 ABORT; 394 395 fprintf(stdout, "verify degree ..."); 396 if (EC_GROUP_get_degree(group) != 160) 397 ABORT; 398 fprintf(stdout, " ok\n"); 399 400 group_order_tests(group); 401 402 if (!(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))) 403 ABORT; 404 if (!EC_GROUP_copy(P_160, group)) 405 ABORT; 406 407 408 /* Curve P-192 (FIPS PUB 186-2, App. 6) */ 409 410 if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) 411 ABORT; 412 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 413 ABORT; 414 if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) 415 ABORT; 416 if (!BN_hex2bn(&b, "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1")) 417 ABORT; 418 if (!EC_GROUP_set_curve(group, p, a, b, ctx)) 419 ABORT; 420 421 if (!BN_hex2bn(&x, "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012")) 422 ABORT; 423 if (!EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) 424 ABORT; 425 if (!EC_POINT_is_on_curve(group, P, ctx)) 426 ABORT; 427 if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) 428 ABORT; 429 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 430 ABORT; 431 432 if (!EC_POINT_get_affine_coordinates(group, P, x, y, ctx)) 433 ABORT; 434 fprintf(stdout, "\nNIST curve P-192 -- Generator:\n x = 0x"); 435 BN_print_fp(stdout, x); 436 fprintf(stdout, "\n y = 0x"); 437 BN_print_fp(stdout, y); 438 fprintf(stdout, "\n"); 439 /* G_y value taken from the standard: */ 440 if (!BN_hex2bn(&z, "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811")) 441 ABORT; 442 if (0 != BN_cmp(y, z)) 443 ABORT; 444 445 fprintf(stdout, "verify degree ..."); 446 if (EC_GROUP_get_degree(group) != 192) 447 ABORT; 448 fprintf(stdout, " ok\n"); 449 450 group_order_tests(group); 451 452 if (!(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))) 453 ABORT; 454 if (!EC_GROUP_copy(P_192, group)) 455 ABORT; 456 457 458 /* Curve P-224 (FIPS PUB 186-2, App. 6) */ 459 460 if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) 461 ABORT; 462 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 463 ABORT; 464 if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) 465 ABORT; 466 if (!BN_hex2bn(&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) 467 ABORT; 468 if (!EC_GROUP_set_curve(group, p, a, b, ctx)) 469 ABORT; 470 471 if (!BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")) 472 ABORT; 473 if (!EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx)) 474 ABORT; 475 if (!EC_POINT_is_on_curve(group, P, ctx)) 476 ABORT; 477 if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) 478 ABORT; 479 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 480 ABORT; 481 482 if (!EC_POINT_get_affine_coordinates(group, P, x, y, ctx)) 483 ABORT; 484 fprintf(stdout, "\nNIST curve P-224 -- Generator:\n x = 0x"); 485 BN_print_fp(stdout, x); 486 fprintf(stdout, "\n y = 0x"); 487 BN_print_fp(stdout, y); 488 fprintf(stdout, "\n"); 489 /* G_y value taken from the standard: */ 490 if (!BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) 491 ABORT; 492 if (0 != BN_cmp(y, z)) 493 ABORT; 494 495 fprintf(stdout, "verify degree ..."); 496 if (EC_GROUP_get_degree(group) != 224) 497 ABORT; 498 fprintf(stdout, " ok\n"); 499 500 group_order_tests(group); 501 502 if (!(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))) 503 ABORT; 504 if (!EC_GROUP_copy(P_224, group)) 505 ABORT; 506 507 508 /* Curve P-256 (FIPS PUB 186-2, App. 6) */ 509 510 if (!BN_hex2bn(&p, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) 511 ABORT; 512 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 513 ABORT; 514 if (!BN_hex2bn(&a, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) 515 ABORT; 516 if (!BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) 517 ABORT; 518 if (!EC_GROUP_set_curve(group, p, a, b, ctx)) 519 ABORT; 520 521 if (!BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) 522 ABORT; 523 if (!EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) 524 ABORT; 525 if (!EC_POINT_is_on_curve(group, P, ctx)) 526 ABORT; 527 if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E" 528 "84F3B9CAC2FC632551")) ABORT; 529 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 530 ABORT; 531 532 if (!EC_POINT_get_affine_coordinates(group, P, x, y, ctx)) 533 ABORT; 534 fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x"); 535 BN_print_fp(stdout, x); 536 fprintf(stdout, "\n y = 0x"); 537 BN_print_fp(stdout, y); 538 fprintf(stdout, "\n"); 539 /* G_y value taken from the standard: */ 540 if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) 541 ABORT; 542 if (0 != BN_cmp(y, z)) 543 ABORT; 544 545 fprintf(stdout, "verify degree ..."); 546 if (EC_GROUP_get_degree(group) != 256) 547 ABORT; 548 fprintf(stdout, " ok\n"); 549 550 group_order_tests(group); 551 552 if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) 553 ABORT; 554 if (!EC_GROUP_copy(P_256, group)) 555 ABORT; 556 557 558 /* Curve P-384 (FIPS PUB 186-2, App. 6) */ 559 560 if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 561 "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) ABORT; 562 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 563 ABORT; 564 if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 565 "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) ABORT; 566 if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141" 567 "120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) ABORT; 568 if (!EC_GROUP_set_curve(group, p, a, b, ctx)) 569 ABORT; 570 571 if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B" 572 "9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) ABORT; 573 if (!EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) 574 ABORT; 575 if (!EC_POINT_is_on_curve(group, P, ctx)) 576 ABORT; 577 if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 578 "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) ABORT; 579 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 580 ABORT; 581 582 if (!EC_POINT_get_affine_coordinates(group, P, x, y, ctx)) 583 ABORT; 584 fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x"); 585 BN_print_fp(stdout, x); 586 fprintf(stdout, "\n y = 0x"); 587 BN_print_fp(stdout, y); 588 fprintf(stdout, "\n"); 589 /* G_y value taken from the standard: */ 590 if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14" 591 "7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT; 592 if (0 != BN_cmp(y, z)) 593 ABORT; 594 595 fprintf(stdout, "verify degree ..."); 596 if (EC_GROUP_get_degree(group) != 384) 597 ABORT; 598 fprintf(stdout, " ok\n"); 599 600 group_order_tests(group); 601 602 if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) 603 ABORT; 604 if (!EC_GROUP_copy(P_384, group)) 605 ABORT; 606 607 608 /* Curve P-521 (FIPS PUB 186-2, App. 6) */ 609 610 if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 611 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 612 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) ABORT; 613 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 614 ABORT; 615 if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 616 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 617 "FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) ABORT; 618 if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B" 619 "315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573" 620 "DF883D2C34F1EF451FD46B503F00")) ABORT; 621 if (!EC_GROUP_set_curve(group, p, a, b, ctx)) 622 ABORT; 623 624 if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F" 625 "B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B" 626 "3C1856A429BF97E7E31C2E5BD66")) ABORT; 627 if (!EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx)) 628 ABORT; 629 if (!EC_POINT_is_on_curve(group, P, ctx)) 630 ABORT; 631 if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 632 "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5" 633 "C9B8899C47AEBB6FB71E91386409")) ABORT; 634 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 635 ABORT; 636 637 if (!EC_POINT_get_affine_coordinates(group, P, x, y, ctx)) 638 ABORT; 639 fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x"); 640 BN_print_fp(stdout, x); 641 fprintf(stdout, "\n y = 0x"); 642 BN_print_fp(stdout, y); 643 fprintf(stdout, "\n"); 644 /* G_y value taken from the standard: */ 645 if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579" 646 "B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C" 647 "7086A272C24088BE94769FD16650")) ABORT; 648 if (0 != BN_cmp(y, z)) 649 ABORT; 650 651 fprintf(stdout, "verify degree ..."); 652 if (EC_GROUP_get_degree(group) != 521) 653 ABORT; 654 fprintf(stdout, " ok\n"); 655 656 group_order_tests(group); 657 658 if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) 659 ABORT; 660 if (!EC_GROUP_copy(P_521, group)) 661 ABORT; 662 663 664 /* more tests using the last curve */ 665 fprintf(stdout, "infinity tests ..."); 666 fflush(stdout); 667 if (!EC_POINT_copy(Q, P)) 668 ABORT; 669 if (EC_POINT_is_at_infinity(group, Q)) 670 ABORT; 671 /* P := 2P */ 672 if (!EC_POINT_dbl(group, P, P, ctx)) 673 ABORT; 674 if (!EC_POINT_is_on_curve(group, P, ctx)) 675 ABORT; 676 /* Q := -P */ 677 if (!EC_POINT_invert(group, Q, ctx)) 678 ABORT; 679 /* R := 2P - P = P */ 680 if (!EC_POINT_add(group, R, P, Q, ctx)) 681 ABORT; 682 /* R := R + Q = P - P = infty */ 683 if (!EC_POINT_add(group, R, R, Q, ctx)) 684 ABORT; 685 if (!EC_POINT_is_at_infinity(group, R)) 686 ABORT; 687 fprintf(stdout, " ok\n\n"); 688 689 if (ctx) 690 BN_CTX_free(ctx); 691 BN_free(p); 692 BN_free(a); 693 BN_free(b); 694 EC_GROUP_free(group); 695 EC_POINT_free(P); 696 EC_POINT_free(Q); 697 EC_POINT_free(R); 698 BN_free(x); 699 BN_free(y); 700 BN_free(z); 701 702 if (P_160) 703 EC_GROUP_free(P_160); 704 if (P_192) 705 EC_GROUP_free(P_192); 706 if (P_224) 707 EC_GROUP_free(P_224); 708 if (P_256) 709 EC_GROUP_free(P_256); 710 if (P_384) 711 EC_GROUP_free(P_384); 712 if (P_521) 713 EC_GROUP_free(P_521); 714 715 } 716 717 /* Change test based on whether binary point compression is enabled or not. */ 718 #ifdef OPENSSL_EC_BIN_PT_COMP 719 #define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ 720 if (!BN_hex2bn(&x, _x)) ABORT; \ 721 if (!EC_POINT_set_compressed_coordinates(group, P, x, _y_bit, ctx)) ABORT; \ 722 if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \ 723 if (!BN_hex2bn(&z, _order)) ABORT; \ 724 if (!BN_hex2bn(&cof, _cof)) ABORT; \ 725 if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \ 726 if (!EC_POINT_get_affine_coordinates(group, P, x, y, ctx)) ABORT; \ 727 fprintf(stdout, "\n%s -- Generator:\n x = 0x", _name); \ 728 BN_print_fp(stdout, x); \ 729 fprintf(stdout, "\n y = 0x"); \ 730 BN_print_fp(stdout, y); \ 731 fprintf(stdout, "\n"); \ 732 /* G_y value taken from the standard: */ \ 733 if (!BN_hex2bn(&z, _y)) ABORT; \ 734 if (0 != BN_cmp(y, z)) ABORT; 735 #else 736 #define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ 737 if (!BN_hex2bn(&x, _x)) ABORT; \ 738 if (!BN_hex2bn(&y, _y)) ABORT; \ 739 if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) ABORT; \ 740 if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \ 741 if (!BN_hex2bn(&z, _order)) ABORT; \ 742 if (!BN_hex2bn(&cof, _cof)) ABORT; \ 743 if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \ 744 fprintf(stdout, "\n%s -- Generator:\n x = 0x", _name); \ 745 BN_print_fp(stdout, x); \ 746 fprintf(stdout, "\n y = 0x"); \ 747 BN_print_fp(stdout, y); \ 748 fprintf(stdout, "\n"); 749 #endif 750 751 #define CHAR2_CURVE_TEST(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ 752 if (!BN_hex2bn(&p, _p)) ABORT; \ 753 if (!BN_hex2bn(&a, _a)) ABORT; \ 754 if (!BN_hex2bn(&b, _b)) ABORT; \ 755 if (!EC_GROUP_set_curve(group, p, a, b, ctx)) ABORT; \ 756 CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ 757 fprintf(stdout, "verify degree ..."); \ 758 if (EC_GROUP_get_degree(group) != _degree) ABORT; \ 759 fprintf(stdout, " ok\n"); \ 760 group_order_tests(group); \ 761 if (!(_variable = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; \ 762 if (!EC_GROUP_copy(_variable, group)) ABORT; \ 763 764 #ifndef OPENSSL_NO_EC2M 765 766 static void char2_field_tests(void) 767 { 768 BN_CTX *ctx = NULL; 769 BIGNUM *p, *a, *b; 770 EC_GROUP *group; 771 EC_GROUP *C2_K163 = NULL, *C2_K233 = NULL, *C2_K283 = NULL, *C2_K409 = NULL, *C2_K571 = NULL; 772 EC_GROUP *C2_B163 = NULL, *C2_B233 = NULL, *C2_B283 = NULL, *C2_B409 = NULL, *C2_B571 = NULL; 773 EC_POINT *P, *Q, *R; 774 BIGNUM *x, *y, *z, *cof; 775 unsigned char buf[100]; 776 size_t i, len; 777 int k; 778 779 #if 1 /* optional */ 780 ctx = BN_CTX_new(); 781 if (!ctx) 782 ABORT; 783 #endif 784 785 p = BN_new(); 786 a = BN_new(); 787 b = BN_new(); 788 if (!p || !a || !b) 789 ABORT; 790 791 if (!BN_hex2bn(&p, "13")) 792 ABORT; 793 if (!BN_hex2bn(&a, "3")) 794 ABORT; 795 if (!BN_hex2bn(&b, "1")) 796 ABORT; 797 798 group = EC_GROUP_new(EC_GF2m_simple_method()); /* applications should use EC_GROUP_new_curve_GF2m 799 * so that the library gets to choose the EC_METHOD */ 800 if (!group) 801 ABORT; 802 if (!EC_GROUP_set_curve(group, p, a, b, ctx)) 803 ABORT; 804 805 { 806 EC_GROUP *tmp; 807 tmp = EC_GROUP_new(EC_GROUP_method_of(group)); 808 if (!tmp) 809 ABORT; 810 if (!EC_GROUP_copy(tmp, group)) 811 ABORT; 812 EC_GROUP_free(group); 813 group = tmp; 814 } 815 816 if (!EC_GROUP_get_curve(group, p, a, b, ctx)) 817 ABORT; 818 819 fprintf(stdout, "Curve defined by Weierstrass equation\n y^2 + x*y = x^3 + a*x^2 + b (mod 0x"); 820 BN_print_fp(stdout, p); 821 fprintf(stdout, ")\n a = 0x"); 822 BN_print_fp(stdout, a); 823 fprintf(stdout, "\n b = 0x"); 824 BN_print_fp(stdout, b); 825 fprintf(stdout, "\n(0x... means binary polynomial)\n"); 826 827 P = EC_POINT_new(group); 828 Q = EC_POINT_new(group); 829 R = EC_POINT_new(group); 830 if (!P || !Q || !R) 831 ABORT; 832 833 if (!EC_POINT_set_to_infinity(group, P)) 834 ABORT; 835 if (!EC_POINT_is_at_infinity(group, P)) 836 ABORT; 837 838 buf[0] = 0; 839 if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) 840 ABORT; 841 842 if (!EC_POINT_add(group, P, P, Q, ctx)) 843 ABORT; 844 if (!EC_POINT_is_at_infinity(group, P)) 845 ABORT; 846 847 x = BN_new(); 848 y = BN_new(); 849 z = BN_new(); 850 cof = BN_new(); 851 if (!x || !y || !z || !cof) 852 ABORT; 853 854 if (!BN_hex2bn(&x, "6")) 855 ABORT; 856 /* Change test based on whether binary point compression is enabled or not. */ 857 #ifdef OPENSSL_EC_BIN_PT_COMP 858 if (!EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx)) 859 ABORT; 860 #else 861 if (!BN_hex2bn(&y, "8")) 862 ABORT; 863 if (!EC_POINT_set_affine_coordinates(group, Q, x, y, ctx)) 864 ABORT; 865 #endif 866 if (!EC_POINT_is_on_curve(group, Q, ctx)) { 867 /* Change test based on whether binary point compression is enabled or not. */ 868 #ifdef OPENSSL_EC_BIN_PT_COMP 869 if (!EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)) 870 ABORT; 871 #endif 872 fprintf(stderr, "Point is not on curve: x = 0x"); 873 BN_print_fp(stderr, x); 874 fprintf(stderr, ", y = 0x"); 875 BN_print_fp(stderr, y); 876 fprintf(stderr, "\n"); 877 ABORT; 878 } 879 880 fprintf(stdout, "A cyclic subgroup:\n"); 881 k = 100; 882 do 883 { 884 if (k-- == 0) 885 ABORT; 886 887 if (EC_POINT_is_at_infinity(group, P)) 888 fprintf(stdout, " point at infinity\n"); 889 else { 890 if (!EC_POINT_get_affine_coordinates(group, P, x, y, ctx)) 891 ABORT; 892 893 fprintf(stdout, " x = 0x"); 894 BN_print_fp(stdout, x); 895 fprintf(stdout, ", y = 0x"); 896 BN_print_fp(stdout, y); 897 fprintf(stdout, "\n"); 898 } 899 900 if (!EC_POINT_copy(R, P)) 901 ABORT; 902 if (!EC_POINT_add(group, P, P, Q, ctx)) 903 ABORT; 904 } 905 while (!EC_POINT_is_at_infinity(group, P)); 906 907 if (!EC_POINT_add(group, P, Q, R, ctx)) 908 ABORT; 909 if (!EC_POINT_is_at_infinity(group, P)) 910 ABORT; 911 912 /* Change test based on whether binary point compression is enabled or not. */ 913 #ifdef OPENSSL_EC_BIN_PT_COMP 914 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, sizeof buf, ctx); 915 if (len == 0) 916 ABORT; 917 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 918 ABORT; 919 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 920 ABORT; 921 fprintf(stdout, "Generator as octet string, compressed form:\n "); 922 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); 923 #endif 924 925 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx); 926 if (len == 0) 927 ABORT; 928 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 929 ABORT; 930 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 931 ABORT; 932 fprintf(stdout, "\nGenerator as octet string, uncompressed form:\n "); 933 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); 934 935 /* Change test based on whether binary point compression is enabled or not. */ 936 #ifdef OPENSSL_EC_BIN_PT_COMP 937 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx); 938 if (len == 0) 939 ABORT; 940 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 941 ABORT; 942 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 943 ABORT; 944 fprintf(stdout, "\nGenerator as octet string, hybrid form:\n "); 945 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); 946 #endif 947 948 fprintf(stdout, "\n"); 949 950 if (!EC_POINT_invert(group, P, ctx)) 951 ABORT; 952 if (0 != EC_POINT_cmp(group, P, R, ctx)) 953 ABORT; 954 955 956 /* Curve K-163 (FIPS PUB 186-2, App. 6) */ 957 CHAR2_CURVE_TEST 958 ( 959 "NIST curve K-163", 960 "0800000000000000000000000000000000000000C9", 961 "1", 962 "1", 963 "02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8", 964 "0289070FB05D38FF58321F2E800536D538CCDAA3D9", 965 1, 966 "04000000000000000000020108A2E0CC0D99F8A5EF", 967 "2", 968 163, 969 C2_K163 970 ); 971 972 /* Curve B-163 (FIPS PUB 186-2, App. 6) */ 973 CHAR2_CURVE_TEST 974 ( 975 "NIST curve B-163", 976 "0800000000000000000000000000000000000000C9", 977 "1", 978 "020A601907B8C953CA1481EB10512F78744A3205FD", 979 "03F0EBA16286A2D57EA0991168D4994637E8343E36", 980 "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1", 981 1, 982 "040000000000000000000292FE77E70C12A4234C33", 983 "2", 984 163, 985 C2_B163 986 ); 987 988 /* Curve K-233 (FIPS PUB 186-2, App. 6) */ 989 CHAR2_CURVE_TEST 990 ( 991 "NIST curve K-233", 992 "020000000000000000000000000000000000000004000000000000000001", 993 "0", 994 "1", 995 "017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126", 996 "01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3", 997 0, 998 "008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF", 999 "4", 1000 233, 1001 C2_K233 1002 ); 1003 1004 /* Curve B-233 (FIPS PUB 186-2, App. 6) */ 1005 CHAR2_CURVE_TEST 1006 ( 1007 "NIST curve B-233", 1008 "020000000000000000000000000000000000000004000000000000000001", 1009 "000000000000000000000000000000000000000000000000000000000001", 1010 "0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD", 1011 "00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B", 1012 "01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052", 1013 1, 1014 "01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7", 1015 "2", 1016 233, 1017 C2_B233 1018 ); 1019 1020 /* Curve K-283 (FIPS PUB 186-2, App. 6) */ 1021 CHAR2_CURVE_TEST 1022 ( 1023 "NIST curve K-283", 1024 "0800000000000000000000000000000000000000000000000000000000000000000010A1", 1025 "0", 1026 "1", 1027 "0503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836", 1028 "01CCDA380F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259", 1029 0, 1030 "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61", 1031 "4", 1032 283, 1033 C2_K283 1034 ); 1035 1036 /* Curve B-283 (FIPS PUB 186-2, App. 6) */ 1037 CHAR2_CURVE_TEST 1038 ( 1039 "NIST curve B-283", 1040 "0800000000000000000000000000000000000000000000000000000000000000000010A1", 1041 "000000000000000000000000000000000000000000000000000000000000000000000001", 1042 "027B680AC8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5", 1043 "05F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053", 1044 "03676854FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4", 1045 1, 1046 "03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307", 1047 "2", 1048 283, 1049 C2_B283 1050 ); 1051 1052 /* Curve K-409 (FIPS PUB 186-2, App. 6) */ 1053 CHAR2_CURVE_TEST 1054 ( 1055 "NIST curve K-409", 1056 "02000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000001", 1057 "0", 1058 "1", 1059 "0060F05F658F49C1AD3AB1890F7184210EFD0987E307C84C27ACCFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746", 1060 "01E369050B7C4E42ACBA1DACBF04299C3460782F918EA427E6325165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B", 1061 1, 1062 "007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF", 1063 "4", 1064 409, 1065 C2_K409 1066 ); 1067 1068 /* Curve B-409 (FIPS PUB 186-2, App. 6) */ 1069 CHAR2_CURVE_TEST 1070 ( 1071 "NIST curve B-409", 1072 "02000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000001", 1073 "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001", 1074 "0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422EF1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F", 1075 "015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7", 1076 "0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706", 1077 1, 1078 "010000000000000000000000000000000000000000000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173", 1079 "2", 1080 409, 1081 C2_B409 1082 ); 1083 1084 /* Curve K-571 (FIPS PUB 186-2, App. 6) */ 1085 CHAR2_CURVE_TEST 1086 ( 1087 "NIST curve K-571", 1088 "80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000425", 1089 "0", 1090 "1", 1091 "026EB7A859923FBC82189631F8103FE4AC9CA2970012D5D46024804801841CA44370958493B205E647DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972", 1092 "0349DC807F4FBF374F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0AC44AEA74FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3", 1093 0, 1094 "020000000000000000000000000000000000000000000000000000000000000000000000131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001", 1095 "4", 1096 571, 1097 C2_K571 1098 ); 1099 1100 /* Curve B-571 (FIPS PUB 186-2, App. 6) */ 1101 CHAR2_CURVE_TEST 1102 ( 1103 "NIST curve B-571", 1104 "80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000425", 1105 "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001", 1106 "02F40E7E2221F295DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA59332BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A", 1107 "0303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19", 1108 "037BF27342DA639B6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A576291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B", 1109 1, 1110 "03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47", 1111 "2", 1112 571, 1113 C2_B571 1114 ); 1115 1116 /* more tests using the last curve */ 1117 fprintf(stdout, "infinity tests ..."); 1118 fflush(stdout); 1119 if (!EC_POINT_copy(Q, P)) 1120 ABORT; 1121 if (EC_POINT_is_at_infinity(group, Q)) 1122 ABORT; 1123 /* P := 2P */ 1124 if (!EC_POINT_dbl(group, P, P, ctx)) 1125 ABORT; 1126 if (!EC_POINT_is_on_curve(group, P, ctx)) 1127 ABORT; 1128 /* Q := -P */ 1129 if (!EC_POINT_invert(group, Q, ctx)) 1130 ABORT; 1131 /* R := 2P - P = P */ 1132 if (!EC_POINT_add(group, R, P, Q, ctx)) 1133 ABORT; 1134 /* R := R + Q = P - P = infty */ 1135 if (!EC_POINT_add(group, R, R, Q, ctx)) 1136 ABORT; 1137 if (!EC_POINT_is_at_infinity(group, R)) 1138 ABORT; 1139 fprintf(stdout, " ok\n\n"); 1140 1141 if (ctx) 1142 BN_CTX_free(ctx); 1143 BN_free(p); 1144 BN_free(a); 1145 BN_free(b); 1146 EC_GROUP_free(group); 1147 EC_POINT_free(P); 1148 EC_POINT_free(Q); 1149 EC_POINT_free(R); 1150 BN_free(x); 1151 BN_free(y); 1152 BN_free(z); 1153 BN_free(cof); 1154 1155 if (C2_K163) 1156 EC_GROUP_free(C2_K163); 1157 if (C2_B163) 1158 EC_GROUP_free(C2_B163); 1159 if (C2_K233) 1160 EC_GROUP_free(C2_K233); 1161 if (C2_B233) 1162 EC_GROUP_free(C2_B233); 1163 if (C2_K283) 1164 EC_GROUP_free(C2_K283); 1165 if (C2_B283) 1166 EC_GROUP_free(C2_B283); 1167 if (C2_K409) 1168 EC_GROUP_free(C2_K409); 1169 if (C2_B409) 1170 EC_GROUP_free(C2_B409); 1171 if (C2_K571) 1172 EC_GROUP_free(C2_K571); 1173 if (C2_B571) 1174 EC_GROUP_free(C2_B571); 1175 1176 } 1177 #endif 1178 1179 static void 1180 internal_curve_test(void) 1181 { 1182 EC_builtin_curve *curves = NULL; 1183 size_t crv_len = 0, n = 0; 1184 int ok = 1; 1185 1186 crv_len = EC_get_builtin_curves(NULL, 0); 1187 1188 curves = reallocarray(NULL, sizeof(EC_builtin_curve), crv_len); 1189 1190 if (curves == NULL) 1191 return; 1192 1193 if (!EC_get_builtin_curves(curves, crv_len)) { 1194 free(curves); 1195 return; 1196 } 1197 1198 fprintf(stdout, "testing internal curves: "); 1199 1200 for (n = 0; n < crv_len; n++) { 1201 EC_GROUP *group = NULL; 1202 int nid = curves[n].nid; 1203 if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) { 1204 ok = 0; 1205 fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with" 1206 " curve %s\n", OBJ_nid2sn(nid)); 1207 /* try next curve */ 1208 continue; 1209 } 1210 if (!EC_GROUP_check(group, NULL)) { 1211 ok = 0; 1212 fprintf(stdout, "\nEC_GROUP_check() failed with" 1213 " curve %s\n", OBJ_nid2sn(nid)); 1214 EC_GROUP_free(group); 1215 /* try the next curve */ 1216 continue; 1217 } 1218 fprintf(stdout, "."); 1219 fflush(stdout); 1220 EC_GROUP_free(group); 1221 } 1222 if (ok) 1223 fprintf(stdout, " ok\n\n"); 1224 else { 1225 fprintf(stdout, " failed\n\n"); 1226 ABORT; 1227 } 1228 free(curves); 1229 return; 1230 } 1231 1232 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 1233 /* nistp_test_params contains magic numbers for testing our optimized 1234 * implementations of several NIST curves with characteristic > 3. */ 1235 struct nistp_test_params { 1236 const EC_METHOD* (*meth) (); 1237 int degree; 1238 /* Qx, Qy and D are taken from 1239 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf 1240 * Otherwise, values are standard curve parameters from FIPS 180-3 */ 1241 const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d; 1242 }; 1243 1244 static const struct nistp_test_params nistp_tests_params[] = { { 1245 /* P-224 */ 1246 EC_GFp_nistp224_method, 1247 224, 1248 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", /* p */ 1249 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", /* a */ 1250 "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", /* b */ 1251 "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E", /* Qx */ 1252 "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555", /* Qy */ 1253 "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", /* Gx */ 1254 "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", /* Gy */ 1255 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", /* order */ 1256 "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8", /* d */ 1257 }, 1258 { 1259 /* P-256 */ 1260 EC_GFp_nistp256_method, 1261 256, 1262 "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", /* p */ 1263 "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", /* a */ 1264 "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", /* b */ 1265 "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19", /* Qx */ 1266 "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09", /* Qy */ 1267 "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", /* Gx */ 1268 "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", /* Gy */ 1269 "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", /* order */ 1270 "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96", /* d */ 1271 }, 1272 { 1273 /* P-521 */ 1274 EC_GFp_nistp521_method, 1275 521, 1276 "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", /* p */ 1277 "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", /* a */ 1278 "051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", /* b */ 1279 "0098e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4", /* Qx */ 1280 "0164350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e", /* Qy */ 1281 "c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", /* Gx */ 1282 "11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", /* Gy */ 1283 "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", /* order */ 1284 "0100085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eeedf09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722", /* d */ 1285 }, 1286 }; 1287 1288 void 1289 nistp_single_test(const struct nistp_test_params *test) 1290 { 1291 BN_CTX *ctx; 1292 BIGNUM *p, *a, *b, *x, *y, *n, *m, *order; 1293 EC_GROUP *NISTP; 1294 EC_POINT *G, *P, *Q, *Q_CHECK; 1295 1296 fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n", test->degree); 1297 ctx = BN_CTX_new(); 1298 p = BN_new(); 1299 a = BN_new(); 1300 b = BN_new(); 1301 x = BN_new(); 1302 y = BN_new(); 1303 m = BN_new(); 1304 n = BN_new(); 1305 order = BN_new(); 1306 1307 NISTP = EC_GROUP_new(test->meth()); 1308 if (!NISTP) 1309 ABORT; 1310 if (!BN_hex2bn(&p, test->p)) 1311 ABORT; 1312 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 1313 ABORT; 1314 if (!BN_hex2bn(&a, test->a)) 1315 ABORT; 1316 if (!BN_hex2bn(&b, test->b)) 1317 ABORT; 1318 if (!EC_GROUP_set_curve(NISTP, p, a, b, ctx)) 1319 ABORT; 1320 G = EC_POINT_new(NISTP); 1321 P = EC_POINT_new(NISTP); 1322 Q = EC_POINT_new(NISTP); 1323 Q_CHECK = EC_POINT_new(NISTP); 1324 if (!BN_hex2bn(&x, test->Qx)) 1325 ABORT; 1326 if (!BN_hex2bn(&y, test->Qy)) 1327 ABORT; 1328 if (!EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y, ctx)) 1329 ABORT; 1330 if (!BN_hex2bn(&x, test->Gx)) 1331 ABORT; 1332 if (!BN_hex2bn(&y, test->Gy)) 1333 ABORT; 1334 if (!EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx)) 1335 ABORT; 1336 if (!BN_hex2bn(&order, test->order)) 1337 ABORT; 1338 if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) 1339 ABORT; 1340 1341 fprintf(stdout, "verify degree ... "); 1342 if (EC_GROUP_get_degree(NISTP) != test->degree) 1343 ABORT; 1344 fprintf(stdout, "ok\n"); 1345 1346 fprintf(stdout, "NIST test vectors ... "); 1347 if (!BN_hex2bn(&n, test->d)) 1348 ABORT; 1349 /* fixed point multiplication */ 1350 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); 1351 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1352 ABORT; 1353 /* random point multiplication */ 1354 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); 1355 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1356 ABORT; 1357 1358 /* set generator to P = 2*G, where G is the standard generator */ 1359 if (!EC_POINT_dbl(NISTP, P, G, ctx)) 1360 ABORT; 1361 if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) 1362 ABORT; 1363 /* set the scalar to m=n/2, where n is the NIST test scalar */ 1364 if (!BN_rshift(m, n, 1)) 1365 ABORT; 1366 1367 /* test the non-standard generator */ 1368 /* fixed point multiplication */ 1369 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); 1370 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1371 ABORT; 1372 /* random point multiplication */ 1373 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); 1374 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1375 ABORT; 1376 1377 /* now repeat all tests with precomputation */ 1378 if (!EC_GROUP_precompute_mult(NISTP, ctx)) 1379 ABORT; 1380 1381 /* fixed point multiplication */ 1382 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); 1383 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1384 ABORT; 1385 /* random point multiplication */ 1386 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); 1387 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1388 ABORT; 1389 1390 /* reset generator */ 1391 if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) 1392 ABORT; 1393 /* fixed point multiplication */ 1394 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); 1395 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1396 ABORT; 1397 /* random point multiplication */ 1398 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); 1399 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1400 ABORT; 1401 1402 fprintf(stdout, "ok\n"); 1403 group_order_tests(NISTP); 1404 EC_GROUP_free(NISTP); 1405 EC_POINT_free(G); 1406 EC_POINT_free(P); 1407 EC_POINT_free(Q); 1408 EC_POINT_free(Q_CHECK); 1409 BN_free(n); 1410 BN_free(m); 1411 BN_free(p); 1412 BN_free(a); 1413 BN_free(b); 1414 BN_free(x); 1415 BN_free(y); 1416 BN_free(order); 1417 BN_CTX_free(ctx); 1418 } 1419 1420 void 1421 nistp_tests() 1422 { 1423 unsigned i; 1424 1425 for (i = 0; i < sizeof(nistp_tests_params) / sizeof(struct nistp_test_params); i++) { 1426 nistp_single_test(&nistp_tests_params[i]); 1427 } 1428 } 1429 #endif 1430 1431 int 1432 main(int argc, char *argv[]) 1433 { 1434 ERR_load_crypto_strings(); 1435 1436 prime_field_tests(); 1437 puts(""); 1438 #ifndef OPENSSL_NO_EC2M 1439 char2_field_tests(); 1440 #endif 1441 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 1442 nistp_tests(); 1443 #endif 1444 /* test the internal curves */ 1445 internal_curve_test(); 1446 1447 #ifndef OPENSSL_NO_ENGINE 1448 ENGINE_cleanup(); 1449 #endif 1450 CRYPTO_cleanup_all_ex_data(); 1451 ERR_free_strings(); 1452 ERR_remove_thread_state(NULL); 1453 CRYPTO_mem_leaks_fp(stderr); 1454 1455 return 0; 1456 } 1457