2 * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
13 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
14 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
15 * to the OpenSSL project.
17 * The ECC Code is licensed pursuant to the OpenSSL open source
18 * license provided below.
20 * The ECDH software is originally written by Douglas Stebila of
21 * Sun Microsystems Laboratories.
31 #include <openssl/opensslconf.h> /* for OPENSSL_NO_EC */
32 #include <openssl/crypto.h>
33 #include <openssl/bio.h>
34 #include <openssl/bn.h>
35 #include <openssl/objects.h>
36 #include <openssl/rand.h>
37 #include <openssl/sha.h>
38 #include <openssl/err.h>
41 int main(int argc
, char *argv
[])
43 printf("No ECDH support\n");
47 # include <openssl/ec.h>
49 static const char rnd_seed
[] =
50 "string to make the random number generator think it has entropy";
59 static const ecdh_kat_t ecdh_kats
[] = {
60 /* Keys and shared secrets from RFC 5114 */
61 { NID_X9_62_prime192v1
,
62 "323FA3169D8E9C6593F59476BC142000AB5BE0E249C43426",
63 "631F95BB4A67632C9C476EEE9AB695AB240A0499307FCF62",
64 "AD420182633F8526BFE954ACDA376F05E5FF4F837F54FEBE" },
66 "B558EB6C288DA707BBB4F8FBAE2AB9E9CB62E3BC5C7573E22E26D37F",
67 "AC3B1ADD3D9770E6F6A708EE9F3B8E0AB3B480E9F27F85C88B5E6D18",
68 "52272F50F46F4EDC9151569092F46DF2D96ECC3B6DC1714A4EA949FA" },
69 { NID_X9_62_prime256v1
,
70 "814264145F2F56F2E96A8E337A1284993FAF432A5ABCE59E867B7291D507A3AF",
71 "2CE1788EC197E096DB95A200CC0AB26A19CE6BCCAD562B8EEE1B593761CF7F41",
72 "DD0F5396219D1EA393310412D19A08F1F5811E9DC8EC8EEA7F80D21C820C2788" },
74 "D27335EA71664AF244DD14E9FD1260715DFD8A7965571C48D709EE7A7962A156"
75 "D706A90CBCB5DF2986F05FEADB9376F1",
76 "52D1791FDB4B70F89C0F00D456C2F7023B6125262C36A7DF1F80231121CCE3D3"
77 "9BE52E00C194A4132C4A6C768BCD94D2",
78 "5EA1FC4AF7256D2055981B110575E0A8CAE53160137D904C59D926EB1B8456E4"
79 "27AA8A4540884C37DE159A58028ABC0E" },
81 "0113F82DA825735E3D97276683B2B74277BAD27335EA71664AF2430CC4F33459"
82 "B9669EE78B3FFB9B8683015D344DCBFEF6FB9AF4C6C470BE254516CD3C1A1FB4"
84 "00CEE3480D8645A17D249F2776D28BAE616952D1791FDB4B70F7C3378732AA1B"
85 "22928448BCD1DC2496D435B01048066EBE4F72903C361B1A9DC1193DC2C9D089"
87 "00CDEA89621CFA46B132F9E4CFE2261CDE2D4368EB5656634C7CC98C7A00CDE5"
88 "4ED1866A0DD3E6126C9D2F845DAFF82CEB1DA08F5D87521BB0EBECA77911169C"
90 /* Keys and shared secrets from RFC 5903 */
91 { NID_X9_62_prime256v1
,
92 "C88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433",
93 "C6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53",
94 "D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE" },
96 "099F3C7034D4A2C699884D73A375A67F7624EF7C6B3C0F160647B67414DCE655"
97 "E35B538041E649EE3FAEF896783AB194",
98 "41CB0779B4BDB85D47846725FBEC3C9430FAB46CC8DC5060855CC9BDA0AA2942"
99 "E0308312916B8ED2960E4BD55A7448FC",
100 "11187331C279962D93D604243FD592CB9D0A926F422E47187521287E7156C5C4"
101 "D603135569B9E9D09CF5D4A270F59746" },
103 "0037ADE9319A89F4DABDB3EF411AACCCA5123C61ACAB57B5393DCE47608172A0"
104 "95AA85A30FE1C2952C6771D937BA9777F5957B2639BAB072462F68C27A57382D"
106 "0145BA99A847AF43793FDD0E872E7CDFA16BE30FDC780F97BCCC3F078380201E"
107 "9C677D600B343757A3BDBF2A3163E4C2F869CCA7458AA4A4EFFC311F5CB15168"
109 "01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04"
110 "D1427E73CA4BAA240A34786859810C06B3C715A3A8CC3151F2BEE417996D19F3"
112 /* Keys and shared secrets from RFC 7027 */
113 { NID_brainpoolP256r1
,
114 "81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D",
115 "55E40BC41E37E3E2AD25C3C6654511FFA8474A91A0032087593852D3E7D76BD3",
116 "89AFC39D41D3B327814B80940B042590F96556EC91E6AE7939BCE31F3A18BF2B" },
117 { NID_brainpoolP384r1
,
118 "1E20F5E048A5886F1F157C74E91BDE2B98C8B52D58E5003D57053FC4B0BD65D6"
119 "F15EB5D1EE1610DF870795143627D042",
120 "032640BC6003C59260F7250C3DB58CE647F98E1260ACCE4ACDA3DD869F74E01F"
121 "8BA5E0324309DB6A9831497ABAC96670",
122 "0BD9D3A7EA0B3D519D09D8E48D0785FB744A6B355E6304BC51C229FBBCE239BB"
123 "ADF6403715C35D4FB2A5444F575D4F42" },
124 { NID_brainpoolP512r1
,
125 "16302FF0DBBB5A8D733DAB7141C1B45ACBC8715939677F6A56850A38BD87BD59"
126 "B09E80279609FF333EB9D4C061231FB26F92EEB04982A5F1D1764CAD57665422",
127 "230E18E1BCC88A362FA54E4EA3902009292F7F8033624FD471B5D8ACE49D12CF"
128 "ABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429",
129 "A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76"
130 "D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F" }
133 /* Given private value and NID, create EC_KEY structure */
135 static EC_KEY
*mk_eckey(int nid
, const char *str
)
140 EC_POINT
*pub
= NULL
;
142 k
= EC_KEY_new_by_curve_name(nid
);
145 if(!BN_hex2bn(&priv
, str
))
149 if (!EC_KEY_set_private_key(k
, priv
))
151 grp
= EC_KEY_get0_group(k
);
152 pub
= EC_POINT_new(grp
);
155 if (!EC_POINT_mul(grp
, pub
, priv
, NULL
, NULL
, NULL
))
157 if (!EC_KEY_set_public_key(k
, pub
))
170 * Known answer test: compute shared secret and check it matches expected
174 static int ecdh_kat(BIO
*out
, const ecdh_kat_t
*kat
)
177 EC_KEY
*key1
= NULL
, *key2
= NULL
;
179 unsigned char *Ztmp
= NULL
, *Z
= NULL
;
180 size_t Ztmplen
, Zlen
;
181 BIO_puts(out
, "Testing ECDH shared secret with ");
182 BIO_puts(out
, OBJ_nid2sn(kat
->nid
));
183 if(!BN_hex2bn(&bnz
, kat
->Z
))
185 key1
= mk_eckey(kat
->nid
, kat
->da
);
186 key2
= mk_eckey(kat
->nid
, kat
->db
);
189 Ztmplen
= (EC_GROUP_get_degree(EC_KEY_get0_group(key1
)) + 7) / 8;
190 Zlen
= BN_num_bytes(bnz
);
193 if((Ztmp
= OPENSSL_zalloc(Ztmplen
)) == NULL
)
195 if((Z
= OPENSSL_zalloc(Ztmplen
)) == NULL
)
197 if(!BN_bn2binpad(bnz
, Z
, Ztmplen
))
199 if (!ECDH_compute_key(Ztmp
, Ztmplen
,
200 EC_KEY_get0_public_key(key2
), key1
, 0))
202 if (memcmp(Ztmp
, Z
, Ztmplen
))
204 memset(Ztmp
, 0, Ztmplen
);
205 if (!ECDH_compute_key(Ztmp
, Ztmplen
,
206 EC_KEY_get0_public_key(key1
), key2
, 0))
208 if (memcmp(Ztmp
, Z
, Ztmplen
))
218 BIO_puts(out
, " ok\n");
220 fprintf(stderr
, "Error in ECDH routines\n");
221 ERR_print_errors_fp(stderr
);
226 #include "ecdhtest_cavs.h"
229 * NIST SP800-56A co-factor ECDH tests.
230 * KATs taken from NIST documents with parameters:
232 * - (QCAVSx,QCAVSy) is the public key for CAVS.
233 * - dIUT is the private key for IUT.
234 * - (QIUTx,QIUTy) is the public key for IUT.
235 * - ZIUT is the shared secret KAT.
237 * CAVS: Cryptographic Algorithm Validation System
238 * IUT: Implementation Under Test
240 * This function tests two things:
242 * 1. dIUT * G = (QIUTx,QIUTy)
243 * i.e. public key for IUT computes correctly.
244 * 2. x-coord of cofactor * dIUT * (QCAVSx,QCAVSy) = ZIUT
245 * i.e. co-factor ECDH key computes correctly.
247 * returns zero on failure or unsupported curve. One otherwise.
249 static int ecdh_cavs_kat(BIO
*out
, const ecdh_cavs_kat_t
*kat
)
251 int rv
= 0, is_char_two
= 0;
253 EC_POINT
*pub
= NULL
;
254 const EC_GROUP
*group
= NULL
;
255 BIGNUM
*bnz
= NULL
, *x
= NULL
, *y
= NULL
;
256 unsigned char *Ztmp
= NULL
, *Z
= NULL
;
257 size_t Ztmplen
, Zlen
;
258 BIO_puts(out
, "Testing ECC CDH Primitive SP800-56A with ");
259 BIO_puts(out
, OBJ_nid2sn(kat
->nid
));
261 /* dIUT is IUT's private key */
262 if ((key1
= mk_eckey(kat
->nid
, kat
->dIUT
)) == NULL
)
264 /* these are cofactor ECDH KATs */
265 EC_KEY_set_flags(key1
, EC_FLAG_COFACTOR_ECDH
);
267 if ((group
= EC_KEY_get0_group(key1
)) == NULL
)
269 if ((pub
= EC_POINT_new(group
)) == NULL
)
272 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group
)) == NID_X9_62_characteristic_two_field
)
275 /* (QIUTx, QIUTy) is IUT's public key */
276 if(!BN_hex2bn(&x
, kat
->QIUTx
))
278 if(!BN_hex2bn(&y
, kat
->QIUTy
))
281 #ifdef OPENSSL_NO_EC2M
284 if (!EC_POINT_set_affine_coordinates_GF2m(group
, pub
, x
, y
, NULL
))
289 if (!EC_POINT_set_affine_coordinates_GFp(group
, pub
, x
, y
, NULL
))
292 /* dIUT * G = (QIUTx, QIUTy) should hold */
293 if (EC_POINT_cmp(group
, EC_KEY_get0_public_key(key1
), pub
, NULL
))
296 /* (QCAVSx, QCAVSy) is CAVS's public key */
297 if(!BN_hex2bn(&x
, kat
->QCAVSx
))
299 if(!BN_hex2bn(&y
, kat
->QCAVSy
))
302 #ifdef OPENSSL_NO_EC2M
305 if (!EC_POINT_set_affine_coordinates_GF2m(group
, pub
, x
, y
, NULL
))
310 if (!EC_POINT_set_affine_coordinates_GFp(group
, pub
, x
, y
, NULL
))
314 /* ZIUT is the shared secret */
315 if(!BN_hex2bn(&bnz
, kat
->ZIUT
))
317 Ztmplen
= (EC_GROUP_get_degree(EC_KEY_get0_group(key1
)) + 7) / 8;
318 Zlen
= BN_num_bytes(bnz
);
321 if((Ztmp
= OPENSSL_zalloc(Ztmplen
)) == NULL
)
323 if((Z
= OPENSSL_zalloc(Ztmplen
)) == NULL
)
325 if(!BN_bn2binpad(bnz
, Z
, Ztmplen
))
327 if (!ECDH_compute_key(Ztmp
, Ztmplen
, pub
, key1
, 0))
329 /* shared secrets should be identical */
330 if (memcmp(Ztmp
, Z
, Ztmplen
))
342 BIO_puts(out
, " ok\n");
345 fprintf(stderr
, "Error in ECC CDH routines\n");
346 ERR_print_errors_fp(stderr
);
351 int main(int argc
, char *argv
[])
355 EC_builtin_curve
*curves
= NULL
;
356 size_t crv_len
= 0, n
= 0;
359 CRYPTO_set_mem_debug(1);
360 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON
);
362 RAND_seed(rnd_seed
, sizeof rnd_seed
);
364 out
= BIO_new(BIO_s_file());
367 BIO_set_fp(out
, stdout
, BIO_NOCLOSE
| BIO_FP_TEXT
);
369 if ((ctx
= BN_CTX_new()) == NULL
)
372 /* get a list of all internal curves */
373 crv_len
= EC_get_builtin_curves(NULL
, 0);
374 curves
= OPENSSL_malloc(sizeof(*curves
) * crv_len
);
375 if (curves
== NULL
) goto err
;
377 if (!EC_get_builtin_curves(curves
, crv_len
)) goto err
;
379 /* NAMED CURVES TESTS: moved to evptests.txt */
382 for (n
= 0; n
< (sizeof(ecdh_kats
)/sizeof(ecdh_kat_t
)); n
++) {
383 if (!ecdh_kat(out
, &ecdh_kats
[n
]))
387 /* NIST SP800-56A co-factor ECDH KATs */
388 for (n
= 0; n
< (sizeof(ecdh_cavs_kats
)/sizeof(ecdh_cavs_kat_t
)); n
++) {
389 if (!ecdh_cavs_kat(out
, &ecdh_cavs_kats
[n
]))
396 ERR_print_errors_fp(stderr
);
397 OPENSSL_free(curves
);
401 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
402 if (CRYPTO_mem_leaks_fp(stderr
) <= 0)