1 /* 2 * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* ==================================================================== 11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 12 * 13 * Portions of the attached software ("Contribution") are developed by 14 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 15 * 16 * The Contribution is licensed pursuant to the OpenSSL open source 17 * license provided above. 18 * 19 * The elliptic curve binary polynomial software is originally written by 20 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. 21 * 22 */ 23 24 #include <stdio.h> 25 #include <stdlib.h> 26 #ifdef FLAT_INC 27 # include "e_os.h" 28 #else 29 # include "../e_os.h" 30 #endif 31 #include <string.h> 32 #include <time.h> 33 34 #ifdef OPENSSL_NO_EC 35 int main(int argc, char *argv[]) 36 { 37 puts("Elliptic curves are disabled."); 38 return 0; 39 } 40 #else 41 42 # include <openssl/ec.h> 43 # ifndef OPENSSL_NO_ENGINE 44 # include <openssl/engine.h> 45 # endif 46 # include <openssl/err.h> 47 # include <openssl/obj_mac.h> 48 # include <openssl/objects.h> 49 # include <openssl/rand.h> 50 # include <openssl/bn.h> 51 # include <openssl/opensslconf.h> 52 53 # if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12) 54 /* suppress "too big too optimize" warning */ 55 # pragma warning(disable:4959) 56 # endif 57 58 # define ABORT do { \ 59 fflush(stdout); \ 60 fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \ 61 ERR_print_errors_fp(stderr); \ 62 EXIT(1); \ 63 } while (0) 64 65 # define TIMING_BASE_PT 0 66 # define TIMING_RAND_PT 1 67 # define TIMING_SIMUL 2 68 69 /* test multiplication with group order, long and negative scalars */ 70 static void group_order_tests(EC_GROUP *group) 71 { 72 BIGNUM *n1, *n2, *order; 73 EC_POINT *P = EC_POINT_new(group); 74 EC_POINT *Q = EC_POINT_new(group); 75 EC_POINT *R = EC_POINT_new(group); 76 EC_POINT *S = EC_POINT_new(group); 77 BN_CTX *ctx = BN_CTX_new(); 78 int i; 79 80 n1 = BN_new(); 81 n2 = BN_new(); 82 order = BN_new(); 83 fprintf(stdout, "verify group order ..."); 84 fflush(stdout); 85 if (!EC_GROUP_get_order(group, order, ctx)) 86 ABORT; 87 if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) 88 ABORT; 89 if (!EC_POINT_is_at_infinity(group, Q)) 90 ABORT; 91 fprintf(stdout, "."); 92 fflush(stdout); 93 if (!EC_GROUP_precompute_mult(group, ctx)) 94 ABORT; 95 if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) 96 ABORT; 97 if (!EC_POINT_is_at_infinity(group, Q)) 98 ABORT; 99 fprintf(stdout, " ok\n"); 100 fprintf(stdout, "long/negative scalar tests "); 101 for (i = 1; i <= 2; i++) { 102 const BIGNUM *scalars[6]; 103 const EC_POINT *points[6]; 104 105 fprintf(stdout, i == 1 ? 106 "allowing precomputation ... " : 107 "without precomputation ... "); 108 if (!BN_set_word(n1, i)) 109 ABORT; 110 /* 111 * If i == 1, P will be the predefined generator for which 112 * EC_GROUP_precompute_mult has set up precomputation. 113 */ 114 if (!EC_POINT_mul(group, P, n1, NULL, NULL, ctx)) 115 ABORT; 116 117 if (!BN_one(n1)) 118 ABORT; 119 /* n1 = 1 - order */ 120 if (!BN_sub(n1, n1, order)) 121 ABORT; 122 if (!EC_POINT_mul(group, Q, NULL, P, n1, ctx)) 123 ABORT; 124 if (0 != EC_POINT_cmp(group, Q, P, ctx)) 125 ABORT; 126 127 /* n2 = 1 + order */ 128 if (!BN_add(n2, order, BN_value_one())) 129 ABORT; 130 if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) 131 ABORT; 132 if (0 != EC_POINT_cmp(group, Q, P, ctx)) 133 ABORT; 134 135 /* n2 = (1 - order) * (1 + order) = 1 - order^2 */ 136 if (!BN_mul(n2, n1, n2, ctx)) 137 ABORT; 138 if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) 139 ABORT; 140 if (0 != EC_POINT_cmp(group, Q, P, ctx)) 141 ABORT; 142 143 /* n2 = order^2 - 1 */ 144 BN_set_negative(n2, 0); 145 if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) 146 ABORT; 147 /* Add P to verify the result. */ 148 if (!EC_POINT_add(group, Q, Q, P, ctx)) 149 ABORT; 150 if (!EC_POINT_is_at_infinity(group, Q)) 151 ABORT; 152 153 /* Exercise EC_POINTs_mul, including corner cases. */ 154 if (EC_POINT_is_at_infinity(group, P)) 155 ABORT; 156 157 scalars[0] = scalars[1] = BN_value_one(); 158 points[0] = points[1] = P; 159 160 if (!EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx)) 161 ABORT; 162 if (!EC_POINT_dbl(group, S, points[0], ctx)) 163 ABORT; 164 if (0 != EC_POINT_cmp(group, R, S, ctx)) 165 ABORT; 166 167 scalars[0] = n1; 168 points[0] = Q; /* => infinity */ 169 scalars[1] = n2; 170 points[1] = P; /* => -P */ 171 scalars[2] = n1; 172 points[2] = Q; /* => infinity */ 173 scalars[3] = n2; 174 points[3] = Q; /* => infinity */ 175 scalars[4] = n1; 176 points[4] = P; /* => P */ 177 scalars[5] = n2; 178 points[5] = Q; /* => infinity */ 179 if (!EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx)) 180 ABORT; 181 if (!EC_POINT_is_at_infinity(group, P)) 182 ABORT; 183 } 184 fprintf(stdout, "ok\n"); 185 186 EC_POINT_free(P); 187 EC_POINT_free(Q); 188 EC_POINT_free(R); 189 EC_POINT_free(S); 190 BN_free(n1); 191 BN_free(n2); 192 BN_free(order); 193 BN_CTX_free(ctx); 194 } 195 196 static void prime_field_tests(void) 197 { 198 BN_CTX *ctx = NULL; 199 BIGNUM *p, *a, *b; 200 EC_GROUP *group; 201 EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = 202 NULL, *P_384 = NULL, *P_521 = NULL; 203 EC_POINT *P, *Q, *R; 204 BIGNUM *x, *y, *z, *yplusone; 205 unsigned char buf[100]; 206 size_t i, len; 207 int k; 208 209 ctx = BN_CTX_new(); 210 if (!ctx) 211 ABORT; 212 213 p = BN_new(); 214 a = BN_new(); 215 b = BN_new(); 216 if (!p || !a || !b) 217 ABORT; 218 219 if (!BN_hex2bn(&p, "17")) 220 ABORT; 221 if (!BN_hex2bn(&a, "1")) 222 ABORT; 223 if (!BN_hex2bn(&b, "1")) 224 ABORT; 225 226 group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use 227 * EC_GROUP_new_curve_GFp so 228 * that the library gets to 229 * choose the EC_METHOD */ 230 if (!group) 231 ABORT; 232 233 if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) 234 ABORT; 235 236 { 237 EC_GROUP *tmp; 238 tmp = EC_GROUP_new(EC_GROUP_method_of(group)); 239 if (!tmp) 240 ABORT; 241 if (!EC_GROUP_copy(tmp, group)) 242 ABORT; 243 EC_GROUP_free(group); 244 group = tmp; 245 } 246 247 if (!EC_GROUP_get_curve_GFp(group, p, a, b, ctx)) 248 ABORT; 249 250 fprintf(stdout, 251 "Curve defined by Weierstrass equation\n y^2 = x^3 + a*x + b (mod 0x"); 252 BN_print_fp(stdout, p); 253 fprintf(stdout, ")\n a = 0x"); 254 BN_print_fp(stdout, a); 255 fprintf(stdout, "\n b = 0x"); 256 BN_print_fp(stdout, b); 257 fprintf(stdout, "\n"); 258 259 P = EC_POINT_new(group); 260 Q = EC_POINT_new(group); 261 R = EC_POINT_new(group); 262 if (!P || !Q || !R) 263 ABORT; 264 265 if (!EC_POINT_set_to_infinity(group, P)) 266 ABORT; 267 if (!EC_POINT_is_at_infinity(group, P)) 268 ABORT; 269 270 buf[0] = 0; 271 if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) 272 ABORT; 273 274 if (!EC_POINT_add(group, P, P, Q, ctx)) 275 ABORT; 276 if (!EC_POINT_is_at_infinity(group, P)) 277 ABORT; 278 279 x = BN_new(); 280 y = BN_new(); 281 z = BN_new(); 282 yplusone = BN_new(); 283 if (x == NULL || y == NULL || z == NULL || yplusone == NULL) 284 ABORT; 285 286 if (!BN_hex2bn(&x, "D")) 287 ABORT; 288 if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx)) 289 ABORT; 290 if (EC_POINT_is_on_curve(group, Q, ctx) <= 0) { 291 if (!EC_POINT_get_affine_coordinates_GFp(group, Q, x, y, ctx)) 292 ABORT; 293 fprintf(stderr, "Point is not on curve: x = 0x"); 294 BN_print_fp(stderr, x); 295 fprintf(stderr, ", y = 0x"); 296 BN_print_fp(stderr, y); 297 fprintf(stderr, "\n"); 298 ABORT; 299 } 300 301 fprintf(stdout, "A cyclic subgroup:\n"); 302 k = 100; 303 do { 304 if (k-- == 0) 305 ABORT; 306 307 if (EC_POINT_is_at_infinity(group, P)) 308 fprintf(stdout, " point at infinity\n"); 309 else { 310 if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) 311 ABORT; 312 313 fprintf(stdout, " x = 0x"); 314 BN_print_fp(stdout, x); 315 fprintf(stdout, ", y = 0x"); 316 BN_print_fp(stdout, y); 317 fprintf(stdout, "\n"); 318 } 319 320 if (!EC_POINT_copy(R, P)) 321 ABORT; 322 if (!EC_POINT_add(group, P, P, Q, ctx)) 323 ABORT; 324 325 } 326 while (!EC_POINT_is_at_infinity(group, P)); 327 328 if (!EC_POINT_add(group, P, Q, R, ctx)) 329 ABORT; 330 if (!EC_POINT_is_at_infinity(group, P)) 331 ABORT; 332 333 len = 334 EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, 335 sizeof(buf), ctx); 336 if (len == 0) 337 ABORT; 338 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 339 ABORT; 340 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 341 ABORT; 342 fprintf(stdout, "Generator as octet string, compressed form:\n "); 343 for (i = 0; i < len; i++) 344 fprintf(stdout, "%02X", buf[i]); 345 346 len = 347 EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, 348 sizeof(buf), ctx); 349 if (len == 0) 350 ABORT; 351 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 352 ABORT; 353 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 354 ABORT; 355 fprintf(stdout, "\nGenerator as octet string, uncompressed form:\n "); 356 for (i = 0; i < len; i++) 357 fprintf(stdout, "%02X", buf[i]); 358 359 len = 360 EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof(buf), 361 ctx); 362 if (len == 0) 363 ABORT; 364 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 365 ABORT; 366 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 367 ABORT; 368 fprintf(stdout, "\nGenerator as octet string, hybrid form:\n "); 369 for (i = 0; i < len; i++) 370 fprintf(stdout, "%02X", buf[i]); 371 372 if (!EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z, ctx)) 373 ABORT; 374 fprintf(stdout, 375 "\nA representation of the inverse of that generator in\nJacobian projective coordinates:\n X = 0x"); 376 BN_print_fp(stdout, x); 377 fprintf(stdout, ", Y = 0x"); 378 BN_print_fp(stdout, y); 379 fprintf(stdout, ", Z = 0x"); 380 BN_print_fp(stdout, z); 381 fprintf(stdout, "\n"); 382 383 if (!EC_POINT_invert(group, P, ctx)) 384 ABORT; 385 if (0 != EC_POINT_cmp(group, P, R, ctx)) 386 ABORT; 387 388 /* 389 * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2, 390 * 2000) -- not a NIST curve, but commonly used 391 */ 392 393 if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF")) 394 ABORT; 395 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 396 ABORT; 397 if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC")) 398 ABORT; 399 if (!BN_hex2bn(&b, "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45")) 400 ABORT; 401 if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) 402 ABORT; 403 404 if (!BN_hex2bn(&x, "4A96B5688EF573284664698968C38BB913CBFC82")) 405 ABORT; 406 if (!BN_hex2bn(&y, "23a628553168947d59dcc912042351377ac5fb32")) 407 ABORT; 408 if (!BN_add(yplusone, y, BN_value_one())) 409 ABORT; 410 /* 411 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, 412 * and therefore setting the coordinates should fail. 413 */ 414 if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) 415 ABORT; 416 if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) 417 ABORT; 418 if (EC_POINT_is_on_curve(group, P, ctx) <= 0) 419 ABORT; 420 if (!BN_hex2bn(&z, "0100000000000000000001F4C8F927AED3CA752257")) 421 ABORT; 422 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 423 ABORT; 424 425 if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) 426 ABORT; 427 fprintf(stdout, "\nSEC2 curve secp160r1 -- Generator:\n x = 0x"); 428 BN_print_fp(stdout, x); 429 fprintf(stdout, "\n y = 0x"); 430 BN_print_fp(stdout, y); 431 fprintf(stdout, "\n"); 432 /* G_y value taken from the standard: */ 433 if (!BN_hex2bn(&z, "23a628553168947d59dcc912042351377ac5fb32")) 434 ABORT; 435 if (0 != BN_cmp(y, z)) 436 ABORT; 437 438 fprintf(stdout, "verify degree ..."); 439 if (EC_GROUP_get_degree(group) != 160) 440 ABORT; 441 fprintf(stdout, " ok\n"); 442 443 group_order_tests(group); 444 445 if ((P_160 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) 446 ABORT; 447 if (!EC_GROUP_copy(P_160, group)) 448 ABORT; 449 450 /* Curve P-192 (FIPS PUB 186-2, App. 6) */ 451 452 if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) 453 ABORT; 454 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 455 ABORT; 456 if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) 457 ABORT; 458 if (!BN_hex2bn(&b, "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1")) 459 ABORT; 460 if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) 461 ABORT; 462 463 if (!BN_hex2bn(&x, "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012")) 464 ABORT; 465 if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) 466 ABORT; 467 if (EC_POINT_is_on_curve(group, P, ctx) <= 0) 468 ABORT; 469 if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) 470 ABORT; 471 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 472 ABORT; 473 474 if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) 475 ABORT; 476 fprintf(stdout, "\nNIST curve P-192 -- Generator:\n x = 0x"); 477 BN_print_fp(stdout, x); 478 fprintf(stdout, "\n y = 0x"); 479 BN_print_fp(stdout, y); 480 fprintf(stdout, "\n"); 481 /* G_y value taken from the standard: */ 482 if (!BN_hex2bn(&z, "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811")) 483 ABORT; 484 if (0 != BN_cmp(y, z)) 485 ABORT; 486 487 if (!BN_add(yplusone, y, BN_value_one())) 488 ABORT; 489 /* 490 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, 491 * and therefore setting the coordinates should fail. 492 */ 493 if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) 494 ABORT; 495 496 fprintf(stdout, "verify degree ..."); 497 if (EC_GROUP_get_degree(group) != 192) 498 ABORT; 499 fprintf(stdout, " ok\n"); 500 501 group_order_tests(group); 502 503 if ((P_192 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) 504 ABORT; 505 if (!EC_GROUP_copy(P_192, group)) 506 ABORT; 507 508 /* Curve P-224 (FIPS PUB 186-2, App. 6) */ 509 510 if (!BN_hex2bn 511 (&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) 512 ABORT; 513 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 514 ABORT; 515 if (!BN_hex2bn 516 (&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) 517 ABORT; 518 if (!BN_hex2bn 519 (&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) 520 ABORT; 521 if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) 522 ABORT; 523 524 if (!BN_hex2bn 525 (&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")) 526 ABORT; 527 if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) 528 ABORT; 529 if (EC_POINT_is_on_curve(group, P, ctx) <= 0) 530 ABORT; 531 if (!BN_hex2bn 532 (&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) 533 ABORT; 534 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 535 ABORT; 536 537 if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) 538 ABORT; 539 fprintf(stdout, "\nNIST curve P-224 -- Generator:\n x = 0x"); 540 BN_print_fp(stdout, x); 541 fprintf(stdout, "\n y = 0x"); 542 BN_print_fp(stdout, y); 543 fprintf(stdout, "\n"); 544 /* G_y value taken from the standard: */ 545 if (!BN_hex2bn 546 (&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) 547 ABORT; 548 if (0 != BN_cmp(y, z)) 549 ABORT; 550 551 if (!BN_add(yplusone, y, BN_value_one())) 552 ABORT; 553 /* 554 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, 555 * and therefore setting the coordinates should fail. 556 */ 557 if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) 558 ABORT; 559 560 fprintf(stdout, "verify degree ..."); 561 if (EC_GROUP_get_degree(group) != 224) 562 ABORT; 563 fprintf(stdout, " ok\n"); 564 565 group_order_tests(group); 566 567 if ((P_224 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) 568 ABORT; 569 if (!EC_GROUP_copy(P_224, group)) 570 ABORT; 571 572 /* Curve P-256 (FIPS PUB 186-2, App. 6) */ 573 574 if (!BN_hex2bn 575 (&p, 576 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) 577 ABORT; 578 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 579 ABORT; 580 if (!BN_hex2bn 581 (&a, 582 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) 583 ABORT; 584 if (!BN_hex2bn 585 (&b, 586 "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) 587 ABORT; 588 if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) 589 ABORT; 590 591 if (!BN_hex2bn 592 (&x, 593 "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) 594 ABORT; 595 if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) 596 ABORT; 597 if (EC_POINT_is_on_curve(group, P, ctx) <= 0) 598 ABORT; 599 if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E" 600 "84F3B9CAC2FC632551")) 601 ABORT; 602 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 603 ABORT; 604 605 if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) 606 ABORT; 607 fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x"); 608 BN_print_fp(stdout, x); 609 fprintf(stdout, "\n y = 0x"); 610 BN_print_fp(stdout, y); 611 fprintf(stdout, "\n"); 612 /* G_y value taken from the standard: */ 613 if (!BN_hex2bn 614 (&z, 615 "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) 616 ABORT; 617 if (0 != BN_cmp(y, z)) 618 ABORT; 619 620 if (!BN_add(yplusone, y, BN_value_one())) 621 ABORT; 622 /* 623 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, 624 * and therefore setting the coordinates should fail. 625 */ 626 if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) 627 ABORT; 628 629 fprintf(stdout, "verify degree ..."); 630 if (EC_GROUP_get_degree(group) != 256) 631 ABORT; 632 fprintf(stdout, " ok\n"); 633 634 group_order_tests(group); 635 636 if ((P_256 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) 637 ABORT; 638 if (!EC_GROUP_copy(P_256, group)) 639 ABORT; 640 641 /* Curve P-384 (FIPS PUB 186-2, App. 6) */ 642 643 if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 644 "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) 645 ABORT; 646 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 647 ABORT; 648 if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 649 "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) 650 ABORT; 651 if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141" 652 "120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) 653 ABORT; 654 if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) 655 ABORT; 656 657 if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B" 658 "9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) 659 ABORT; 660 if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) 661 ABORT; 662 if (EC_POINT_is_on_curve(group, P, ctx) <= 0) 663 ABORT; 664 if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 665 "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) 666 ABORT; 667 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 668 ABORT; 669 670 if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) 671 ABORT; 672 fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x"); 673 BN_print_fp(stdout, x); 674 fprintf(stdout, "\n y = 0x"); 675 BN_print_fp(stdout, y); 676 fprintf(stdout, "\n"); 677 /* G_y value taken from the standard: */ 678 if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14" 679 "7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) 680 ABORT; 681 if (0 != BN_cmp(y, z)) 682 ABORT; 683 684 if (!BN_add(yplusone, y, BN_value_one())) 685 ABORT; 686 /* 687 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, 688 * and therefore setting the coordinates should fail. 689 */ 690 if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) 691 ABORT; 692 693 fprintf(stdout, "verify degree ..."); 694 if (EC_GROUP_get_degree(group) != 384) 695 ABORT; 696 fprintf(stdout, " ok\n"); 697 698 group_order_tests(group); 699 700 if ((P_384 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) 701 ABORT; 702 if (!EC_GROUP_copy(P_384, group)) 703 ABORT; 704 705 /* Curve P-521 (FIPS PUB 186-2, App. 6) */ 706 707 if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 708 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 709 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) 710 ABORT; 711 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 712 ABORT; 713 if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 714 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 715 "FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) 716 ABORT; 717 if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B" 718 "315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573" 719 "DF883D2C34F1EF451FD46B503F00")) 720 ABORT; 721 if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) 722 ABORT; 723 724 if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F" 725 "B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B" 726 "3C1856A429BF97E7E31C2E5BD66")) 727 ABORT; 728 if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) 729 ABORT; 730 if (EC_POINT_is_on_curve(group, P, ctx) <= 0) 731 ABORT; 732 if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 733 "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5" 734 "C9B8899C47AEBB6FB71E91386409")) 735 ABORT; 736 if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) 737 ABORT; 738 739 if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) 740 ABORT; 741 fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x"); 742 BN_print_fp(stdout, x); 743 fprintf(stdout, "\n y = 0x"); 744 BN_print_fp(stdout, y); 745 fprintf(stdout, "\n"); 746 /* G_y value taken from the standard: */ 747 if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579" 748 "B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C" 749 "7086A272C24088BE94769FD16650")) 750 ABORT; 751 if (0 != BN_cmp(y, z)) 752 ABORT; 753 754 if (!BN_add(yplusone, y, BN_value_one())) 755 ABORT; 756 /* 757 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, 758 * and therefore setting the coordinates should fail. 759 */ 760 if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) 761 ABORT; 762 763 fprintf(stdout, "verify degree ..."); 764 if (EC_GROUP_get_degree(group) != 521) 765 ABORT; 766 fprintf(stdout, " ok\n"); 767 768 group_order_tests(group); 769 770 if ((P_521 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) 771 ABORT; 772 if (!EC_GROUP_copy(P_521, group)) 773 ABORT; 774 775 /* more tests using the last curve */ 776 777 /* Restore the point that got mangled in the (x, y + 1) test. */ 778 if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) 779 ABORT; 780 781 if (!EC_POINT_copy(Q, P)) 782 ABORT; 783 if (EC_POINT_is_at_infinity(group, Q)) 784 ABORT; 785 if (!EC_POINT_dbl(group, P, P, ctx)) 786 ABORT; 787 if (EC_POINT_is_on_curve(group, P, ctx) <= 0) 788 ABORT; 789 if (!EC_POINT_invert(group, Q, ctx)) 790 ABORT; /* P = -2Q */ 791 792 if (!EC_POINT_add(group, R, P, Q, ctx)) 793 ABORT; 794 if (!EC_POINT_add(group, R, R, Q, ctx)) 795 ABORT; 796 if (!EC_POINT_is_at_infinity(group, R)) 797 ABORT; /* R = P + 2Q */ 798 799 { 800 const EC_POINT *points[4]; 801 const BIGNUM *scalars[4]; 802 BIGNUM *scalar3; 803 804 if (EC_POINT_is_at_infinity(group, Q)) 805 ABORT; 806 points[0] = Q; 807 points[1] = Q; 808 points[2] = Q; 809 points[3] = Q; 810 811 if (!EC_GROUP_get_order(group, z, ctx)) 812 ABORT; 813 if (!BN_add(y, z, BN_value_one())) 814 ABORT; 815 if (BN_is_odd(y)) 816 ABORT; 817 if (!BN_rshift1(y, y)) 818 ABORT; 819 scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */ 820 scalars[1] = y; 821 822 fprintf(stdout, "combined multiplication ..."); 823 fflush(stdout); 824 825 /* z is still the group order */ 826 if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) 827 ABORT; 828 if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) 829 ABORT; 830 if (0 != EC_POINT_cmp(group, P, R, ctx)) 831 ABORT; 832 if (0 != EC_POINT_cmp(group, R, Q, ctx)) 833 ABORT; 834 835 fprintf(stdout, "."); 836 fflush(stdout); 837 838 if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) 839 ABORT; 840 if (!BN_add(z, z, y)) 841 ABORT; 842 BN_set_negative(z, 1); 843 scalars[0] = y; 844 scalars[1] = z; /* z = -(order + y) */ 845 846 if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) 847 ABORT; 848 if (!EC_POINT_is_at_infinity(group, P)) 849 ABORT; 850 851 fprintf(stdout, "."); 852 fflush(stdout); 853 854 if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) 855 ABORT; 856 if (!BN_add(z, x, y)) 857 ABORT; 858 BN_set_negative(z, 1); 859 scalars[0] = x; 860 scalars[1] = y; 861 scalars[2] = z; /* z = -(x+y) */ 862 863 scalar3 = BN_new(); 864 if (!scalar3) 865 ABORT; 866 BN_zero(scalar3); 867 scalars[3] = scalar3; 868 869 if (!EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx)) 870 ABORT; 871 if (!EC_POINT_is_at_infinity(group, P)) 872 ABORT; 873 874 fprintf(stdout, " ok\n\n"); 875 876 BN_free(scalar3); 877 } 878 879 BN_CTX_free(ctx); 880 BN_free(p); 881 BN_free(a); 882 BN_free(b); 883 EC_GROUP_free(group); 884 EC_POINT_free(P); 885 EC_POINT_free(Q); 886 EC_POINT_free(R); 887 BN_free(x); 888 BN_free(y); 889 BN_free(z); 890 BN_free(yplusone); 891 892 EC_GROUP_free(P_160); 893 EC_GROUP_free(P_192); 894 EC_GROUP_free(P_224); 895 EC_GROUP_free(P_256); 896 EC_GROUP_free(P_384); 897 EC_GROUP_free(P_521); 898 899 } 900 901 /* Change test based on whether binary point compression is enabled or not. */ 902 # ifdef OPENSSL_EC_BIN_PT_COMP 903 # define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ 904 if (!BN_hex2bn(&x, _x)) ABORT; \ 905 if (!BN_hex2bn(&y, _y)) ABORT; \ 906 if (!BN_add(yplusone, y, BN_value_one())) ABORT; \ 907 /* \ 908 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \ 909 * and therefore setting the coordinates should fail. \ 910 */ \ 911 if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \ 912 if (!EC_POINT_set_compressed_coordinates_GF2m(group, P, x, _y_bit, ctx)) ABORT; \ 913 if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \ 914 if (!BN_hex2bn(&z, _order)) ABORT; \ 915 if (!BN_hex2bn(&cof, _cof)) ABORT; \ 916 if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \ 917 if (!EC_POINT_get_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \ 918 fprintf(stdout, "\n%s -- Generator:\n x = 0x", _name); \ 919 BN_print_fp(stdout, x); \ 920 fprintf(stdout, "\n y = 0x"); \ 921 BN_print_fp(stdout, y); \ 922 fprintf(stdout, "\n"); \ 923 /* G_y value taken from the standard: */ \ 924 if (!BN_hex2bn(&z, _y)) ABORT; \ 925 if (0 != BN_cmp(y, z)) ABORT; 926 # else 927 # define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ 928 if (!BN_hex2bn(&x, _x)) ABORT; \ 929 if (!BN_hex2bn(&y, _y)) ABORT; \ 930 if (!BN_add(yplusone, y, BN_value_one())) ABORT; \ 931 /* \ 932 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \ 933 * and therefore setting the coordinates should fail. \ 934 */ \ 935 if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \ 936 if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \ 937 if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \ 938 if (!BN_hex2bn(&z, _order)) ABORT; \ 939 if (!BN_hex2bn(&cof, _cof)) ABORT; \ 940 if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \ 941 fprintf(stdout, "\n%s -- Generator:\n x = 0x", _name); \ 942 BN_print_fp(stdout, x); \ 943 fprintf(stdout, "\n y = 0x"); \ 944 BN_print_fp(stdout, y); \ 945 fprintf(stdout, "\n"); 946 # endif 947 948 # define CHAR2_CURVE_TEST(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ 949 if (!BN_hex2bn(&p, _p)) ABORT; \ 950 if (!BN_hex2bn(&a, _a)) ABORT; \ 951 if (!BN_hex2bn(&b, _b)) ABORT; \ 952 if (!EC_GROUP_set_curve_GF2m(group, p, a, b, ctx)) ABORT; \ 953 CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ 954 fprintf(stdout, "verify degree ..."); \ 955 if (EC_GROUP_get_degree(group) != _degree) ABORT; \ 956 fprintf(stdout, " ok\n"); \ 957 group_order_tests(group); \ 958 if ((_variable = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) ABORT; \ 959 if (!EC_GROUP_copy(_variable, group)) ABORT; \ 960 961 # ifndef OPENSSL_NO_EC2M 962 963 static void char2_field_tests(void) 964 { 965 BN_CTX *ctx = NULL; 966 BIGNUM *p, *a, *b; 967 EC_GROUP *group; 968 EC_GROUP *C2_K163 = NULL, *C2_K233 = NULL, *C2_K283 = NULL, *C2_K409 = 969 NULL, *C2_K571 = NULL; 970 EC_GROUP *C2_B163 = NULL, *C2_B233 = NULL, *C2_B283 = NULL, *C2_B409 = 971 NULL, *C2_B571 = NULL; 972 EC_POINT *P, *Q, *R; 973 BIGNUM *x, *y, *z, *cof, *yplusone; 974 unsigned char buf[100]; 975 size_t i, len; 976 int k; 977 978 ctx = BN_CTX_new(); 979 if (!ctx) 980 ABORT; 981 982 p = BN_new(); 983 a = BN_new(); 984 b = BN_new(); 985 if (p == NULL || a == NULL || b == NULL) 986 ABORT; 987 988 if (!BN_hex2bn(&p, "13")) 989 ABORT; 990 if (!BN_hex2bn(&a, "3")) 991 ABORT; 992 if (!BN_hex2bn(&b, "1")) 993 ABORT; 994 995 group = EC_GROUP_new(EC_GF2m_simple_method()); /* applications should use 996 * EC_GROUP_new_curve_GF2m 997 * so that the library gets 998 * to choose the EC_METHOD */ 999 if (!group) 1000 ABORT; 1001 if (!EC_GROUP_set_curve_GF2m(group, p, a, b, ctx)) 1002 ABORT; 1003 1004 { 1005 EC_GROUP *tmp; 1006 tmp = EC_GROUP_new(EC_GROUP_method_of(group)); 1007 if (!tmp) 1008 ABORT; 1009 if (!EC_GROUP_copy(tmp, group)) 1010 ABORT; 1011 EC_GROUP_free(group); 1012 group = tmp; 1013 } 1014 1015 if (!EC_GROUP_get_curve_GF2m(group, p, a, b, ctx)) 1016 ABORT; 1017 1018 fprintf(stdout, 1019 "Curve defined by Weierstrass equation\n y^2 + x*y = x^3 + a*x^2 + b (mod 0x"); 1020 BN_print_fp(stdout, p); 1021 fprintf(stdout, ")\n a = 0x"); 1022 BN_print_fp(stdout, a); 1023 fprintf(stdout, "\n b = 0x"); 1024 BN_print_fp(stdout, b); 1025 fprintf(stdout, "\n(0x... means binary polynomial)\n"); 1026 1027 P = EC_POINT_new(group); 1028 Q = EC_POINT_new(group); 1029 R = EC_POINT_new(group); 1030 if (!P || !Q || !R) 1031 ABORT; 1032 1033 if (!EC_POINT_set_to_infinity(group, P)) 1034 ABORT; 1035 if (!EC_POINT_is_at_infinity(group, P)) 1036 ABORT; 1037 1038 buf[0] = 0; 1039 if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) 1040 ABORT; 1041 1042 if (!EC_POINT_add(group, P, P, Q, ctx)) 1043 ABORT; 1044 if (!EC_POINT_is_at_infinity(group, P)) 1045 ABORT; 1046 1047 x = BN_new(); 1048 y = BN_new(); 1049 z = BN_new(); 1050 cof = BN_new(); 1051 yplusone = BN_new(); 1052 if (x == NULL || y == NULL || z == NULL || cof == NULL || yplusone == NULL) 1053 ABORT; 1054 1055 if (!BN_hex2bn(&x, "6")) 1056 ABORT; 1057 /* Change test based on whether binary point compression is enabled or not. */ 1058 # ifdef OPENSSL_EC_BIN_PT_COMP 1059 if (!EC_POINT_set_compressed_coordinates_GF2m(group, Q, x, 1, ctx)) 1060 ABORT; 1061 # else 1062 if (!BN_hex2bn(&y, "8")) 1063 ABORT; 1064 if (!EC_POINT_set_affine_coordinates_GF2m(group, Q, x, y, ctx)) 1065 ABORT; 1066 # endif 1067 if (EC_POINT_is_on_curve(group, Q, ctx) <= 0) { 1068 /* Change test based on whether binary point compression is enabled or not. */ 1069 # ifdef OPENSSL_EC_BIN_PT_COMP 1070 if (!EC_POINT_get_affine_coordinates_GF2m(group, Q, x, y, ctx)) 1071 ABORT; 1072 # endif 1073 fprintf(stderr, "Point is not on curve: x = 0x"); 1074 BN_print_fp(stderr, x); 1075 fprintf(stderr, ", y = 0x"); 1076 BN_print_fp(stderr, y); 1077 fprintf(stderr, "\n"); 1078 ABORT; 1079 } 1080 1081 fprintf(stdout, "A cyclic subgroup:\n"); 1082 k = 100; 1083 do { 1084 if (k-- == 0) 1085 ABORT; 1086 1087 if (EC_POINT_is_at_infinity(group, P)) 1088 fprintf(stdout, " point at infinity\n"); 1089 else { 1090 if (!EC_POINT_get_affine_coordinates_GF2m(group, P, x, y, ctx)) 1091 ABORT; 1092 1093 fprintf(stdout, " x = 0x"); 1094 BN_print_fp(stdout, x); 1095 fprintf(stdout, ", y = 0x"); 1096 BN_print_fp(stdout, y); 1097 fprintf(stdout, "\n"); 1098 } 1099 1100 if (!EC_POINT_copy(R, P)) 1101 ABORT; 1102 if (!EC_POINT_add(group, P, P, Q, ctx)) 1103 ABORT; 1104 } 1105 while (!EC_POINT_is_at_infinity(group, P)); 1106 1107 if (!EC_POINT_add(group, P, Q, R, ctx)) 1108 ABORT; 1109 if (!EC_POINT_is_at_infinity(group, P)) 1110 ABORT; 1111 1112 /* Change test based on whether binary point compression is enabled or not. */ 1113 # ifdef OPENSSL_EC_BIN_PT_COMP 1114 len = 1115 EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, 1116 sizeof(buf), ctx); 1117 if (len == 0) 1118 ABORT; 1119 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 1120 ABORT; 1121 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 1122 ABORT; 1123 fprintf(stdout, "Generator as octet string, compressed form:\n "); 1124 for (i = 0; i < len; i++) 1125 fprintf(stdout, "%02X", buf[i]); 1126 # endif 1127 1128 len = 1129 EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, 1130 sizeof(buf), ctx); 1131 if (len == 0) 1132 ABORT; 1133 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 1134 ABORT; 1135 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 1136 ABORT; 1137 fprintf(stdout, "\nGenerator as octet string, uncompressed form:\n "); 1138 for (i = 0; i < len; i++) 1139 fprintf(stdout, "%02X", buf[i]); 1140 1141 /* Change test based on whether binary point compression is enabled or not. */ 1142 # ifdef OPENSSL_EC_BIN_PT_COMP 1143 len = 1144 EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof(buf), 1145 ctx); 1146 if (len == 0) 1147 ABORT; 1148 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) 1149 ABORT; 1150 if (0 != EC_POINT_cmp(group, P, Q, ctx)) 1151 ABORT; 1152 fprintf(stdout, "\nGenerator as octet string, hybrid form:\n "); 1153 for (i = 0; i < len; i++) 1154 fprintf(stdout, "%02X", buf[i]); 1155 # endif 1156 1157 fprintf(stdout, "\n"); 1158 1159 if (!EC_POINT_invert(group, P, ctx)) 1160 ABORT; 1161 if (0 != EC_POINT_cmp(group, P, R, ctx)) 1162 ABORT; 1163 1164 /* Curve K-163 (FIPS PUB 186-2, App. 6) */ 1165 CHAR2_CURVE_TEST 1166 ("NIST curve K-163", 1167 "0800000000000000000000000000000000000000C9", 1168 "1", 1169 "1", 1170 "02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8", 1171 "0289070FB05D38FF58321F2E800536D538CCDAA3D9", 1172 1, "04000000000000000000020108A2E0CC0D99F8A5EF", "2", 163, C2_K163); 1173 1174 /* Curve B-163 (FIPS PUB 186-2, App. 6) */ 1175 CHAR2_CURVE_TEST 1176 ("NIST curve B-163", 1177 "0800000000000000000000000000000000000000C9", 1178 "1", 1179 "020A601907B8C953CA1481EB10512F78744A3205FD", 1180 "03F0EBA16286A2D57EA0991168D4994637E8343E36", 1181 "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1", 1182 1, "040000000000000000000292FE77E70C12A4234C33", "2", 163, C2_B163); 1183 1184 /* Curve K-233 (FIPS PUB 186-2, App. 6) */ 1185 CHAR2_CURVE_TEST 1186 ("NIST curve K-233", 1187 "020000000000000000000000000000000000000004000000000000000001", 1188 "0", 1189 "1", 1190 "017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126", 1191 "01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3", 1192 0, 1193 "008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF", 1194 "4", 233, C2_K233); 1195 1196 /* Curve B-233 (FIPS PUB 186-2, App. 6) */ 1197 CHAR2_CURVE_TEST 1198 ("NIST curve B-233", 1199 "020000000000000000000000000000000000000004000000000000000001", 1200 "000000000000000000000000000000000000000000000000000000000001", 1201 "0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD", 1202 "00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B", 1203 "01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052", 1204 1, 1205 "01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7", 1206 "2", 233, C2_B233); 1207 1208 /* Curve K-283 (FIPS PUB 186-2, App. 6) */ 1209 CHAR2_CURVE_TEST 1210 ("NIST curve K-283", 1211 "0800000000000000000000000000000000000000000000000000000000000000000010A1", 1212 "0", 1213 "1", 1214 "0503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836", 1215 "01CCDA380F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259", 1216 0, 1217 "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61", 1218 "4", 283, C2_K283); 1219 1220 /* Curve B-283 (FIPS PUB 186-2, App. 6) */ 1221 CHAR2_CURVE_TEST 1222 ("NIST curve B-283", 1223 "0800000000000000000000000000000000000000000000000000000000000000000010A1", 1224 "000000000000000000000000000000000000000000000000000000000000000000000001", 1225 "027B680AC8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5", 1226 "05F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053", 1227 "03676854FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4", 1228 1, 1229 "03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307", 1230 "2", 283, C2_B283); 1231 1232 /* Curve K-409 (FIPS PUB 186-2, App. 6) */ 1233 CHAR2_CURVE_TEST 1234 ("NIST curve K-409", 1235 "02000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000001", 1236 "0", 1237 "1", 1238 "0060F05F658F49C1AD3AB1890F7184210EFD0987E307C84C27ACCFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746", 1239 "01E369050B7C4E42ACBA1DACBF04299C3460782F918EA427E6325165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B", 1240 1, 1241 "007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF", 1242 "4", 409, C2_K409); 1243 1244 /* Curve B-409 (FIPS PUB 186-2, App. 6) */ 1245 CHAR2_CURVE_TEST 1246 ("NIST curve B-409", 1247 "02000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000001", 1248 "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001", 1249 "0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422EF1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F", 1250 "015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7", 1251 "0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706", 1252 1, 1253 "010000000000000000000000000000000000000000000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173", 1254 "2", 409, C2_B409); 1255 1256 /* Curve K-571 (FIPS PUB 186-2, App. 6) */ 1257 CHAR2_CURVE_TEST 1258 ("NIST curve K-571", 1259 "80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000425", 1260 "0", 1261 "1", 1262 "026EB7A859923FBC82189631F8103FE4AC9CA2970012D5D46024804801841CA44370958493B205E647DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972", 1263 "0349DC807F4FBF374F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0AC44AEA74FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3", 1264 0, 1265 "020000000000000000000000000000000000000000000000000000000000000000000000131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001", 1266 "4", 571, C2_K571); 1267 1268 /* Curve B-571 (FIPS PUB 186-2, App. 6) */ 1269 CHAR2_CURVE_TEST 1270 ("NIST curve B-571", 1271 "80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000425", 1272 "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001", 1273 "02F40E7E2221F295DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA59332BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A", 1274 "0303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19", 1275 "037BF27342DA639B6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A576291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B", 1276 1, 1277 "03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47", 1278 "2", 571, C2_B571); 1279 1280 /* more tests using the last curve */ 1281 1282 if (!EC_POINT_copy(Q, P)) 1283 ABORT; 1284 if (EC_POINT_is_at_infinity(group, Q)) 1285 ABORT; 1286 if (!EC_POINT_dbl(group, P, P, ctx)) 1287 ABORT; 1288 if (EC_POINT_is_on_curve(group, P, ctx) <= 0) 1289 ABORT; 1290 if (!EC_POINT_invert(group, Q, ctx)) 1291 ABORT; /* P = -2Q */ 1292 1293 if (!EC_POINT_add(group, R, P, Q, ctx)) 1294 ABORT; 1295 if (!EC_POINT_add(group, R, R, Q, ctx)) 1296 ABORT; 1297 if (!EC_POINT_is_at_infinity(group, R)) 1298 ABORT; /* R = P + 2Q */ 1299 1300 { 1301 const EC_POINT *points[3]; 1302 const BIGNUM *scalars[3]; 1303 1304 if (EC_POINT_is_at_infinity(group, Q)) 1305 ABORT; 1306 points[0] = Q; 1307 points[1] = Q; 1308 points[2] = Q; 1309 1310 if (!BN_add(y, z, BN_value_one())) 1311 ABORT; 1312 if (BN_is_odd(y)) 1313 ABORT; 1314 if (!BN_rshift1(y, y)) 1315 ABORT; 1316 scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */ 1317 scalars[1] = y; 1318 1319 fprintf(stdout, "combined multiplication ..."); 1320 fflush(stdout); 1321 1322 /* z is still the group order */ 1323 if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) 1324 ABORT; 1325 if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) 1326 ABORT; 1327 if (0 != EC_POINT_cmp(group, P, R, ctx)) 1328 ABORT; 1329 if (0 != EC_POINT_cmp(group, R, Q, ctx)) 1330 ABORT; 1331 1332 fprintf(stdout, "."); 1333 fflush(stdout); 1334 1335 if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) 1336 ABORT; 1337 if (!BN_add(z, z, y)) 1338 ABORT; 1339 BN_set_negative(z, 1); 1340 scalars[0] = y; 1341 scalars[1] = z; /* z = -(order + y) */ 1342 1343 if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) 1344 ABORT; 1345 if (!EC_POINT_is_at_infinity(group, P)) 1346 ABORT; 1347 1348 fprintf(stdout, "."); 1349 fflush(stdout); 1350 1351 if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) 1352 ABORT; 1353 if (!BN_add(z, x, y)) 1354 ABORT; 1355 BN_set_negative(z, 1); 1356 scalars[0] = x; 1357 scalars[1] = y; 1358 scalars[2] = z; /* z = -(x+y) */ 1359 1360 if (!EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx)) 1361 ABORT; 1362 if (!EC_POINT_is_at_infinity(group, P)) 1363 ABORT; 1364 1365 fprintf(stdout, " ok\n\n"); 1366 } 1367 1368 BN_CTX_free(ctx); 1369 BN_free(p); 1370 BN_free(a); 1371 BN_free(b); 1372 EC_GROUP_free(group); 1373 EC_POINT_free(P); 1374 EC_POINT_free(Q); 1375 EC_POINT_free(R); 1376 BN_free(x); 1377 BN_free(y); 1378 BN_free(z); 1379 BN_free(cof); 1380 BN_free(yplusone); 1381 1382 EC_GROUP_free(C2_K163); 1383 EC_GROUP_free(C2_B163); 1384 EC_GROUP_free(C2_K233); 1385 EC_GROUP_free(C2_B233); 1386 EC_GROUP_free(C2_K283); 1387 EC_GROUP_free(C2_B283); 1388 EC_GROUP_free(C2_K409); 1389 EC_GROUP_free(C2_B409); 1390 EC_GROUP_free(C2_K571); 1391 EC_GROUP_free(C2_B571); 1392 1393 } 1394 # endif 1395 1396 static void internal_curve_test(void) 1397 { 1398 EC_builtin_curve *curves = NULL; 1399 size_t crv_len = 0, n = 0; 1400 int ok = 1; 1401 1402 crv_len = EC_get_builtin_curves(NULL, 0); 1403 curves = OPENSSL_malloc(sizeof(*curves) * crv_len); 1404 if (curves == NULL) 1405 return; 1406 1407 if (!EC_get_builtin_curves(curves, crv_len)) { 1408 OPENSSL_free(curves); 1409 return; 1410 } 1411 1412 fprintf(stdout, "testing internal curves: "); 1413 1414 for (n = 0; n < crv_len; n++) { 1415 EC_GROUP *group = NULL; 1416 int nid = curves[n].nid; 1417 if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) { 1418 ok = 0; 1419 fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with" 1420 " curve %s\n", OBJ_nid2sn(nid)); 1421 /* try next curve */ 1422 continue; 1423 } 1424 if (!EC_GROUP_check(group, NULL)) { 1425 ok = 0; 1426 fprintf(stdout, "\nEC_GROUP_check() failed with" 1427 " curve %s\n", OBJ_nid2sn(nid)); 1428 EC_GROUP_free(group); 1429 /* try the next curve */ 1430 continue; 1431 } 1432 fprintf(stdout, "."); 1433 fflush(stdout); 1434 EC_GROUP_free(group); 1435 } 1436 if (ok) 1437 fprintf(stdout, " ok\n\n"); 1438 else { 1439 fprintf(stdout, " failed\n\n"); 1440 ABORT; 1441 } 1442 1443 /* Test all built-in curves and let the library choose the EC_METHOD */ 1444 for (n = 0; n < crv_len; n++) { 1445 EC_GROUP *group = NULL; 1446 int nid = curves[n].nid; 1447 /* 1448 * Skip for X25519 because low level operations such as EC_POINT_mul() 1449 * are not supported for this curve 1450 */ 1451 if (nid == NID_X25519) 1452 continue; 1453 fprintf(stdout, "%s:\n", OBJ_nid2sn(nid)); 1454 fflush(stdout); 1455 if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) { 1456 ABORT; 1457 } 1458 group_order_tests(group); 1459 EC_GROUP_free(group); 1460 } 1461 1462 OPENSSL_free(curves); 1463 return; 1464 } 1465 1466 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 1467 /* 1468 * nistp_test_params contains magic numbers for testing our optimized 1469 * implementations of several NIST curves with characteristic > 3. 1470 */ 1471 struct nistp_test_params { 1472 const EC_METHOD *(*meth) (); 1473 int degree; 1474 /* 1475 * Qx, Qy and D are taken from 1476 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf 1477 * Otherwise, values are standard curve parameters from FIPS 180-3 1478 */ 1479 const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d; 1480 }; 1481 1482 static const struct nistp_test_params nistp_tests_params[] = { 1483 { 1484 /* P-224 */ 1485 EC_GFp_nistp224_method, 1486 224, 1487 /* p */ 1488 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", 1489 /* a */ 1490 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", 1491 /* b */ 1492 "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", 1493 /* Qx */ 1494 "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E", 1495 /* Qy */ 1496 "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555", 1497 /* Gx */ 1498 "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", 1499 /* Gy */ 1500 "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", 1501 /* order */ 1502 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", 1503 /* d */ 1504 "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8", 1505 }, 1506 { 1507 /* P-256 */ 1508 EC_GFp_nistp256_method, 1509 256, 1510 /* p */ 1511 "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 1512 /* a */ 1513 "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 1514 /* b */ 1515 "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 1516 /* Qx */ 1517 "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19", 1518 /* Qy */ 1519 "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09", 1520 /* Gx */ 1521 "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 1522 /* Gy */ 1523 "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 1524 /* order */ 1525 "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 1526 /* d */ 1527 "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96", 1528 }, 1529 { 1530 /* P-521 */ 1531 EC_GFp_nistp521_method, 1532 521, 1533 /* p */ 1534 "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", 1535 /* a */ 1536 "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", 1537 /* b */ 1538 "051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", 1539 /* Qx */ 1540 "0098e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4", 1541 /* Qy */ 1542 "0164350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e", 1543 /* Gx */ 1544 "c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", 1545 /* Gy */ 1546 "11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", 1547 /* order */ 1548 "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", 1549 /* d */ 1550 "0100085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eeedf09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722", 1551 }, 1552 }; 1553 1554 static void nistp_single_test(const struct nistp_test_params *test) 1555 { 1556 BN_CTX *ctx; 1557 BIGNUM *p, *a, *b, *x, *y, *n, *m, *order, *yplusone; 1558 EC_GROUP *NISTP; 1559 EC_POINT *G, *P, *Q, *Q_CHECK; 1560 1561 fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n", 1562 test->degree); 1563 ctx = BN_CTX_new(); 1564 p = BN_new(); 1565 a = BN_new(); 1566 b = BN_new(); 1567 x = BN_new(); 1568 y = BN_new(); 1569 m = BN_new(); 1570 n = BN_new(); 1571 order = BN_new(); 1572 yplusone = BN_new(); 1573 1574 NISTP = EC_GROUP_new(test->meth()); 1575 if (!NISTP) 1576 ABORT; 1577 if (!BN_hex2bn(&p, test->p)) 1578 ABORT; 1579 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) 1580 ABORT; 1581 if (!BN_hex2bn(&a, test->a)) 1582 ABORT; 1583 if (!BN_hex2bn(&b, test->b)) 1584 ABORT; 1585 if (!EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx)) 1586 ABORT; 1587 G = EC_POINT_new(NISTP); 1588 P = EC_POINT_new(NISTP); 1589 Q = EC_POINT_new(NISTP); 1590 Q_CHECK = EC_POINT_new(NISTP); 1591 if (!BN_hex2bn(&x, test->Qx)) 1592 ABORT; 1593 if (!BN_hex2bn(&y, test->Qy)) 1594 ABORT; 1595 if (!BN_add(yplusone, y, BN_value_one())) 1596 ABORT; 1597 /* 1598 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, 1599 * and therefore setting the coordinates should fail. 1600 */ 1601 if (EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, yplusone, ctx)) 1602 ABORT; 1603 if (!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx)) 1604 ABORT; 1605 if (!BN_hex2bn(&x, test->Gx)) 1606 ABORT; 1607 if (!BN_hex2bn(&y, test->Gy)) 1608 ABORT; 1609 if (!EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx)) 1610 ABORT; 1611 if (!BN_hex2bn(&order, test->order)) 1612 ABORT; 1613 if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) 1614 ABORT; 1615 1616 fprintf(stdout, "verify degree ... "); 1617 if (EC_GROUP_get_degree(NISTP) != test->degree) 1618 ABORT; 1619 fprintf(stdout, "ok\n"); 1620 1621 fprintf(stdout, "NIST test vectors ... "); 1622 if (!BN_hex2bn(&n, test->d)) 1623 ABORT; 1624 /* fixed point multiplication */ 1625 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); 1626 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1627 ABORT; 1628 /* random point multiplication */ 1629 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); 1630 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1631 ABORT; 1632 1633 /* set generator to P = 2*G, where G is the standard generator */ 1634 if (!EC_POINT_dbl(NISTP, P, G, ctx)) 1635 ABORT; 1636 if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) 1637 ABORT; 1638 /* set the scalar to m=n/2, where n is the NIST test scalar */ 1639 if (!BN_rshift(m, n, 1)) 1640 ABORT; 1641 1642 /* test the non-standard generator */ 1643 /* fixed point multiplication */ 1644 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); 1645 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1646 ABORT; 1647 /* random point multiplication */ 1648 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); 1649 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1650 ABORT; 1651 1652 /* 1653 * We have not performed precomputation so have_precompute mult should be 1654 * false 1655 */ 1656 if (EC_GROUP_have_precompute_mult(NISTP)) 1657 ABORT; 1658 1659 /* now repeat all tests with precomputation */ 1660 if (!EC_GROUP_precompute_mult(NISTP, ctx)) 1661 ABORT; 1662 if (!EC_GROUP_have_precompute_mult(NISTP)) 1663 ABORT; 1664 1665 /* fixed point multiplication */ 1666 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); 1667 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1668 ABORT; 1669 /* random point multiplication */ 1670 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); 1671 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1672 ABORT; 1673 1674 /* reset generator */ 1675 if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) 1676 ABORT; 1677 /* fixed point multiplication */ 1678 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); 1679 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1680 ABORT; 1681 /* random point multiplication */ 1682 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); 1683 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) 1684 ABORT; 1685 1686 fprintf(stdout, "ok\n"); 1687 group_order_tests(NISTP); 1688 EC_GROUP_free(NISTP); 1689 EC_POINT_free(G); 1690 EC_POINT_free(P); 1691 EC_POINT_free(Q); 1692 EC_POINT_free(Q_CHECK); 1693 BN_free(n); 1694 BN_free(m); 1695 BN_free(p); 1696 BN_free(a); 1697 BN_free(b); 1698 BN_free(x); 1699 BN_free(y); 1700 BN_free(order); 1701 BN_free(yplusone); 1702 BN_CTX_free(ctx); 1703 } 1704 1705 static void nistp_tests() 1706 { 1707 unsigned i; 1708 1709 for (i = 0; i < OSSL_NELEM(nistp_tests_params); i++) { 1710 nistp_single_test(&nistp_tests_params[i]); 1711 } 1712 } 1713 # endif 1714 1715 static void parameter_test(void) 1716 { 1717 EC_GROUP *group, *group2; 1718 ECPARAMETERS *ecparameters; 1719 1720 fprintf(stderr, "\ntesting ecparameters conversion ..."); 1721 1722 group = EC_GROUP_new_by_curve_name(NID_secp112r1); 1723 if (!group) 1724 ABORT; 1725 1726 ecparameters = EC_GROUP_get_ecparameters(group, NULL); 1727 if (!ecparameters) 1728 ABORT; 1729 group2 = EC_GROUP_new_from_ecparameters(ecparameters); 1730 if (!group2) 1731 ABORT; 1732 if (EC_GROUP_cmp(group, group2, NULL)) 1733 ABORT; 1734 1735 fprintf(stderr, " ok\n"); 1736 1737 EC_GROUP_free(group); 1738 EC_GROUP_free(group2); 1739 ECPARAMETERS_free(ecparameters); 1740 } 1741 1742 static const char rnd_seed[] = 1743 "string to make the random number generator think it has entropy"; 1744 1745 int main(int argc, char *argv[]) 1746 { 1747 char *p; 1748 1749 p = getenv("OPENSSL_DEBUG_MEMORY"); 1750 if (p != NULL && strcmp(p, "on") == 0) 1751 CRYPTO_set_mem_debug(1); 1752 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); 1753 1754 RAND_seed(rnd_seed, sizeof(rnd_seed)); /* or BN_generate_prime may fail */ 1755 1756 prime_field_tests(); 1757 puts(""); 1758 # ifndef OPENSSL_NO_EC2M 1759 char2_field_tests(); 1760 # endif 1761 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 1762 nistp_tests(); 1763 # endif 1764 /* test the internal curves */ 1765 internal_curve_test(); 1766 1767 parameter_test(); 1768 1769 #ifndef OPENSSL_NO_CRYPTO_MDEBUG 1770 if (CRYPTO_mem_leaks_fp(stderr) <= 0) 1771 return 1; 1772 #endif 1773 1774 return 0; 1775 } 1776 #endif 1777