[thirdparty/openssl.git] / test / ecdhtest.c

/* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
 * to the OpenSSL project.
 *
 * The ECC Code is licensed pursuant to the OpenSSL open source
 * license provided below.
 *
 * The ECDH software is originally written by Douglas Stebila of
 * Sun Microsystems Laboratories.
 *
 */
/* ====================================================================
 * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "../e_os.h"

#include <openssl/opensslconf.h> /* for OPENSSL_NO_EC */
#include <openssl/crypto.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/objects.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include <openssl/err.h>

#ifdef OPENSSL_NO_EC
int main(int argc, char *argv[])
{
    printf("No ECDH support\n");
    return (0);
}
#else
# include <openssl/ec.h>

static const char rnd_seed[] =
    "string to make the random number generator think it has entropy";

static const int KDF1_SHA1_len = 20;
static void *KDF1_SHA1(const void *in, size_t inlen, void *out,
                       size_t *outlen)
{
    if (*outlen < SHA_DIGEST_LENGTH)
        return NULL;
    *outlen = SHA_DIGEST_LENGTH;
    return SHA1(in, inlen, out);
}

static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out)
{
    EC_KEY *a = NULL;
    EC_KEY *b = NULL;
    BIGNUM *x_a = NULL, *y_a = NULL, *x_b = NULL, *y_b = NULL;
    char buf[12];
    unsigned char *abuf = NULL, *bbuf = NULL;
    int i, alen, blen, aout, bout, ret = 0;
    const EC_GROUP *group;

    a = EC_KEY_new_by_curve_name(nid);
    b = EC_KEY_new_by_curve_name(nid);
    if (a == NULL || b == NULL)
        goto err;

    group = EC_KEY_get0_group(a);

    if ((x_a = BN_new()) == NULL)
        goto err;
    if ((y_a = BN_new()) == NULL)
        goto err;
    if ((x_b = BN_new()) == NULL)
        goto err;
    if ((y_b = BN_new()) == NULL)
        goto err;

    BIO_puts(out, "Testing key generation with ");
    BIO_puts(out, text);
# ifdef NOISY
    BIO_puts(out, "\n");
# else
    (void)BIO_flush(out);
# endif

    if (!EC_KEY_generate_key(a))
        goto err;

    if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
        NID_X9_62_prime_field) {
        if (!EC_POINT_get_affine_coordinates_GFp
            (group, EC_KEY_get0_public_key(a), x_a, y_a, ctx))
            goto err;
    }
# ifndef OPENSSL_NO_EC2M
    else {
        if (!EC_POINT_get_affine_coordinates_GF2m(group,
                                                  EC_KEY_get0_public_key(a),
                                                  x_a, y_a, ctx))
            goto err;
    }
# endif
# ifdef NOISY
    BIO_puts(out, "  pri 1=");
    BN_print(out, a->priv_key);
    BIO_puts(out, "\n  pub 1=");
    BN_print(out, x_a);
    BIO_puts(out, ",");
    BN_print(out, y_a);
    BIO_puts(out, "\n");
# else
    BIO_printf(out, " .");
    (void)BIO_flush(out);
# endif

    if (!EC_KEY_generate_key(b))
        goto err;

    if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
        NID_X9_62_prime_field) {
        if (!EC_POINT_get_affine_coordinates_GFp
            (group, EC_KEY_get0_public_key(b), x_b, y_b, ctx))
            goto err;
    }
# ifndef OPENSSL_NO_EC2M
    else {
        if (!EC_POINT_get_affine_coordinates_GF2m(group,
                                                  EC_KEY_get0_public_key(b),
                                                  x_b, y_b, ctx))
            goto err;
    }
# endif

# ifdef NOISY
    BIO_puts(out, "  pri 2=");
    BN_print(out, b->priv_key);
    BIO_puts(out, "\n  pub 2=");
    BN_print(out, x_b);
    BIO_puts(out, ",");
    BN_print(out, y_b);
    BIO_puts(out, "\n");
# else
    BIO_printf(out, ".");
    (void)BIO_flush(out);
# endif

    alen = KDF1_SHA1_len;
    abuf = OPENSSL_malloc(alen);
    aout =
        ECDH_compute_key(abuf, alen, EC_KEY_get0_public_key(b), a, KDF1_SHA1);

# ifdef NOISY
    BIO_puts(out, "  key1 =");
    for (i = 0; i < aout; i++) {
        sprintf(buf, "%02X", abuf[i]);
        BIO_puts(out, buf);
    }
    BIO_puts(out, "\n");
# else
    BIO_printf(out, ".");
    (void)BIO_flush(out);
# endif

    blen = KDF1_SHA1_len;
    bbuf = OPENSSL_malloc(blen);
    bout =
        ECDH_compute_key(bbuf, blen, EC_KEY_get0_public_key(a), b, KDF1_SHA1);

# ifdef NOISY
    BIO_puts(out, "  key2 =");
    for (i = 0; i < bout; i++) {
        sprintf(buf, "%02X", bbuf[i]);
        BIO_puts(out, buf);
    }
    BIO_puts(out, "\n");
# else
    BIO_printf(out, ".");
    (void)BIO_flush(out);
# endif

    if ((aout < 4) || (bout != aout) || (memcmp(abuf, bbuf, aout) != 0)) {
# ifndef NOISY
        BIO_printf(out, " failed\n\n");
        BIO_printf(out, "key a:\n");
        BIO_printf(out, "private key: ");
        BN_print(out, EC_KEY_get0_private_key(a));
        BIO_printf(out, "\n");
        BIO_printf(out, "public key (x,y): ");
        BN_print(out, x_a);
        BIO_printf(out, ",");
        BN_print(out, y_a);
        BIO_printf(out, "\nkey b:\n");
        BIO_printf(out, "private key: ");
        BN_print(out, EC_KEY_get0_private_key(b));
        BIO_printf(out, "\n");
        BIO_printf(out, "public key (x,y): ");
        BN_print(out, x_b);
        BIO_printf(out, ",");
        BN_print(out, y_b);
        BIO_printf(out, "\n");
        BIO_printf(out, "generated key a: ");
        for (i = 0; i < bout; i++) {
            sprintf(buf, "%02X", bbuf[i]);
            BIO_puts(out, buf);
        }
        BIO_printf(out, "\n");
        BIO_printf(out, "generated key b: ");
        for (i = 0; i < aout; i++) {
            sprintf(buf, "%02X", abuf[i]);
            BIO_puts(out, buf);
        }
        BIO_printf(out, "\n");
# endif
        fprintf(stderr, "Error in ECDH routines\n");
        ret = 0;
    } else {
# ifndef NOISY
        BIO_printf(out, " ok\n");
# endif
        ret = 1;
    }
 err:
    ERR_print_errors_fp(stderr);

    OPENSSL_free(abuf);
    OPENSSL_free(bbuf);
    BN_free(x_a);
    BN_free(y_a);
    BN_free(x_b);
    BN_free(y_b);
    EC_KEY_free(b);
    EC_KEY_free(a);
    return (ret);
}

/* Keys and shared secrets from RFC 7027 */

static const unsigned char bp256_da[] = {
    0x81, 0xDB, 0x1E, 0xE1, 0x00, 0x15, 0x0F, 0xF2, 0xEA, 0x33, 0x8D, 0x70,
    0x82, 0x71, 0xBE, 0x38, 0x30, 0x0C, 0xB5, 0x42, 0x41, 0xD7, 0x99, 0x50,
    0xF7, 0x7B, 0x06, 0x30, 0x39, 0x80, 0x4F, 0x1D
};

static const unsigned char bp256_db[] = {
    0x55, 0xE4, 0x0B, 0xC4, 0x1E, 0x37, 0xE3, 0xE2, 0xAD, 0x25, 0xC3, 0xC6,
    0x65, 0x45, 0x11, 0xFF, 0xA8, 0x47, 0x4A, 0x91, 0xA0, 0x03, 0x20, 0x87,
    0x59, 0x38, 0x52, 0xD3, 0xE7, 0xD7, 0x6B, 0xD3
};

static const unsigned char bp256_Z[] = {
    0x89, 0xAF, 0xC3, 0x9D, 0x41, 0xD3, 0xB3, 0x27, 0x81, 0x4B, 0x80, 0x94,
    0x0B, 0x04, 0x25, 0x90, 0xF9, 0x65, 0x56, 0xEC, 0x91, 0xE6, 0xAE, 0x79,
    0x39, 0xBC, 0xE3, 0x1F, 0x3A, 0x18, 0xBF, 0x2B
};

static const unsigned char bp384_da[] = {
    0x1E, 0x20, 0xF5, 0xE0, 0x48, 0xA5, 0x88, 0x6F, 0x1F, 0x15, 0x7C, 0x74,
    0xE9, 0x1B, 0xDE, 0x2B, 0x98, 0xC8, 0xB5, 0x2D, 0x58, 0xE5, 0x00, 0x3D,
    0x57, 0x05, 0x3F, 0xC4, 0xB0, 0xBD, 0x65, 0xD6, 0xF1, 0x5E, 0xB5, 0xD1,
    0xEE, 0x16, 0x10, 0xDF, 0x87, 0x07, 0x95, 0x14, 0x36, 0x27, 0xD0, 0x42
};

static const unsigned char bp384_db[] = {
    0x03, 0x26, 0x40, 0xBC, 0x60, 0x03, 0xC5, 0x92, 0x60, 0xF7, 0x25, 0x0C,
    0x3D, 0xB5, 0x8C, 0xE6, 0x47, 0xF9, 0x8E, 0x12, 0x60, 0xAC, 0xCE, 0x4A,
    0xCD, 0xA3, 0xDD, 0x86, 0x9F, 0x74, 0xE0, 0x1F, 0x8B, 0xA5, 0xE0, 0x32,
    0x43, 0x09, 0xDB, 0x6A, 0x98, 0x31, 0x49, 0x7A, 0xBA, 0xC9, 0x66, 0x70
};

static const unsigned char bp384_Z[] = {
    0x0B, 0xD9, 0xD3, 0xA7, 0xEA, 0x0B, 0x3D, 0x51, 0x9D, 0x09, 0xD8, 0xE4,
    0x8D, 0x07, 0x85, 0xFB, 0x74, 0x4A, 0x6B, 0x35, 0x5E, 0x63, 0x04, 0xBC,
    0x51, 0xC2, 0x29, 0xFB, 0xBC, 0xE2, 0x39, 0xBB, 0xAD, 0xF6, 0x40, 0x37,
    0x15, 0xC3, 0x5D, 0x4F, 0xB2, 0xA5, 0x44, 0x4F, 0x57, 0x5D, 0x4F, 0x42
};

static const unsigned char bp512_da[] = {
    0x16, 0x30, 0x2F, 0xF0, 0xDB, 0xBB, 0x5A, 0x8D, 0x73, 0x3D, 0xAB, 0x71,
    0x41, 0xC1, 0xB4, 0x5A, 0xCB, 0xC8, 0x71, 0x59, 0x39, 0x67, 0x7F, 0x6A,
    0x56, 0x85, 0x0A, 0x38, 0xBD, 0x87, 0xBD, 0x59, 0xB0, 0x9E, 0x80, 0x27,
    0x96, 0x09, 0xFF, 0x33, 0x3E, 0xB9, 0xD4, 0xC0, 0x61, 0x23, 0x1F, 0xB2,
    0x6F, 0x92, 0xEE, 0xB0, 0x49, 0x82, 0xA5, 0xF1, 0xD1, 0x76, 0x4C, 0xAD,
    0x57, 0x66, 0x54, 0x22
};

static const unsigned char bp512_db[] = {
    0x23, 0x0E, 0x18, 0xE1, 0xBC, 0xC8, 0x8A, 0x36, 0x2F, 0xA5, 0x4E, 0x4E,
    0xA3, 0x90, 0x20, 0x09, 0x29, 0x2F, 0x7F, 0x80, 0x33, 0x62, 0x4F, 0xD4,
    0x71, 0xB5, 0xD8, 0xAC, 0xE4, 0x9D, 0x12, 0xCF, 0xAB, 0xBC, 0x19, 0x96,
    0x3D, 0xAB, 0x8E, 0x2F, 0x1E, 0xBA, 0x00, 0xBF, 0xFB, 0x29, 0xE4, 0xD7,
    0x2D, 0x13, 0xF2, 0x22, 0x45, 0x62, 0xF4, 0x05, 0xCB, 0x80, 0x50, 0x36,
    0x66, 0xB2, 0x54, 0x29
};

static const unsigned char bp512_Z[] = {
    0xA7, 0x92, 0x70, 0x98, 0x65, 0x5F, 0x1F, 0x99, 0x76, 0xFA, 0x50, 0xA9,
    0xD5, 0x66, 0x86, 0x5D, 0xC5, 0x30, 0x33, 0x18, 0x46, 0x38, 0x1C, 0x87,
    0x25, 0x6B, 0xAF, 0x32, 0x26, 0x24, 0x4B, 0x76, 0xD3, 0x64, 0x03, 0xC0,
    0x24, 0xD7, 0xBB, 0xF0, 0xAA, 0x08, 0x03, 0xEA, 0xFF, 0x40, 0x5D, 0x3D,
    0x24, 0xF1, 0x1A, 0x9B, 0x5C, 0x0B, 0xEF, 0x67, 0x9F, 0xE1, 0x45, 0x4B,
    0x21, 0xC4, 0xCD, 0x1F
};

/* Given private value and NID, create EC_KEY structure */

static EC_KEY *mk_eckey(int nid, const unsigned char *p, size_t plen)
{
    int ok = 0;
    EC_KEY *k = NULL;
    BIGNUM *priv = NULL;
    EC_POINT *pub = NULL;
    const EC_GROUP *grp;
    k = EC_KEY_new_by_curve_name(nid);
    if (!k)
        goto err;
    priv = BN_bin2bn(p, plen, NULL);
    if (!priv)
        goto err;
    if (!EC_KEY_set_private_key(k, priv))
        goto err;
    grp = EC_KEY_get0_group(k);
    pub = EC_POINT_new(grp);
    if (!pub)
        goto err;
    if (!EC_POINT_mul(grp, pub, priv, NULL, NULL, NULL))
        goto err;
    if (!EC_KEY_set_public_key(k, pub))
        goto err;
    ok = 1;
 err:
    BN_clear_free(priv);
    EC_POINT_free(pub);
    if (ok)
        return k;
    EC_KEY_free(k);
    return NULL;
}

/*
 * Known answer test: compute shared secret and check it matches expected
 * value.
 */

static int ecdh_kat(BIO *out, const char *cname, int nid,
                    const unsigned char *k1, size_t k1_len,
                    const unsigned char *k2, size_t k2_len,
                    const unsigned char *Z, size_t Zlen)
{
    int rv = 0;
    EC_KEY *key1 = NULL, *key2 = NULL;
    unsigned char *Ztmp = NULL;
    size_t Ztmplen;
    BIO_puts(out, "Testing ECDH shared secret with ");
    BIO_puts(out, cname);
    key1 = mk_eckey(nid, k1, k1_len);
    key2 = mk_eckey(nid, k2, k2_len);
    if (!key1 || !key2)
        goto err;
    Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8;
    if (Ztmplen != Zlen)
        goto err;
    Ztmp = OPENSSL_malloc(Ztmplen);
    if (!ECDH_compute_key(Ztmp, Ztmplen,
                          EC_KEY_get0_public_key(key2), key1, 0))
        goto err;
    if (memcmp(Ztmp, Z, Zlen))
        goto err;
    memset(Ztmp, 0, Zlen);
    if (!ECDH_compute_key(Ztmp, Ztmplen,
                          EC_KEY_get0_public_key(key1), key2, 0))
        goto err;
    if (memcmp(Ztmp, Z, Zlen))
        goto err;
    rv = 1;
 err:
    EC_KEY_free(key1);
    EC_KEY_free(key2);
    OPENSSL_free(Ztmp);
    if (rv)
        BIO_puts(out, " ok\n");
    else {
        fprintf(stderr, "Error in ECDH routines\n");
        ERR_print_errors_fp(stderr);
    }
    return rv;
}

# define test_ecdh_kat(bio, curve, bits) \
        ecdh_kat(bio, curve, NID_brainpoolP##bits##r1, \
                bp##bits##_da, sizeof(bp##bits##_da), \
                bp##bits##_db, sizeof(bp##bits##_db), \
                bp##bits##_Z, sizeof(bp##bits##_Z))

int main(int argc, char *argv[])
{
    BN_CTX *ctx = NULL;
    int ret = 1;
    BIO *out;

    CRYPTO_set_mem_debug(1);
    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

    RAND_seed(rnd_seed, sizeof rnd_seed);

    out = BIO_new(BIO_s_file());
    if (out == NULL)
        EXIT(1);
    BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);

    if ((ctx = BN_CTX_new()) == NULL)
        goto err;

    /* NIST PRIME CURVES TESTS */
    if (!test_ecdh_curve
        (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
        goto err;
    if (!test_ecdh_curve
        (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_secp384r1, "NIST Prime-Curve P-384", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_secp521r1, "NIST Prime-Curve P-521", ctx, out))
        goto err;
# ifndef OPENSSL_NO_EC2M
    /* NIST BINARY CURVES TESTS */
    if (!test_ecdh_curve(NID_sect163k1, "NIST Binary-Curve K-163", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_sect163r2, "NIST Binary-Curve B-163", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_sect233k1, "NIST Binary-Curve K-233", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_sect233r1, "NIST Binary-Curve B-233", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_sect283k1, "NIST Binary-Curve K-283", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_sect283r1, "NIST Binary-Curve B-283", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_sect409k1, "NIST Binary-Curve K-409", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_sect409r1, "NIST Binary-Curve B-409", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_sect571k1, "NIST Binary-Curve K-571", ctx, out))
        goto err;
    if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
        goto err;
# endif
    if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
        goto err;
    if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
        goto err;
    if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
        goto err;

    ret = 0;

 err:
    ERR_print_errors_fp(stderr);
    BN_CTX_free(ctx);
    BIO_free(out);
    CRYPTO_cleanup_all_ex_data();
    ERR_remove_thread_state(NULL);
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
    CRYPTO_mem_leaks_fp(stderr);
#endif
    EXIT(ret);
}
#endif
Commit	Line	Data
e172d60d BM	1	/* ====================================================================
	2	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
	3	*
	4	* The Elliptic Curve Public-Key Crypto Library (ECC Code) included
	5	* herein is developed by SUN MICROSYSTEMS, INC., and is contributed
	6	* to the OpenSSL project.
	7	*
	8	* The ECC Code is licensed pursuant to the OpenSSL open source
	9	* license provided below.
	10	*
e172d60d BM	11	* The ECDH software is originally written by Douglas Stebila of
	12	* Sun Microsystems Laboratories.
	13	*
	14	*/
	15	/* ====================================================================
176f31dd	16	* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
e172d60d BM	17	*
	18	* Redistribution and use in source and binary forms, with or without
	19	* modification, are permitted provided that the following conditions
	20	* are met:
	21	*
	22	* 1. Redistributions of source code must retain the above copyright
0f113f3e	23	* notice, this list of conditions and the following disclaimer.
e172d60d BM	24	*
	25	* 2. Redistributions in binary form must reproduce the above copyright
	26	* notice, this list of conditions and the following disclaimer in
	27	* the documentation and/or other materials provided with the
	28	* distribution.
	29	*
	30	* 3. All advertising materials mentioning features or use of this
	31	* software must display the following acknowledgment:
	32	* "This product includes software developed by the OpenSSL Project
	33	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
	34	*
	35	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	36	* endorse or promote products derived from this software without
	37	* prior written permission. For written permission, please contact
	38	* openssl-core@openssl.org.
	39	*
	40	* 5. Products derived from this software may not be called "OpenSSL"
	41	* nor may "OpenSSL" appear in their names without prior written
	42	* permission of the OpenSSL Project.
	43	*
	44	* 6. Redistributions of any form whatsoever must retain the following
	45	* acknowledgment:
	46	* "This product includes software developed by the OpenSSL Project
	47	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
	48	*
	49	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	50	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	51	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	52	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	53	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	54	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	55	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	56	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	57	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	58	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	59	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	60	* OF THE POSSIBILITY OF SUCH DAMAGE.
	61	* ====================================================================
	62	*
	63	* This product includes cryptographic software written by Eric Young
	64	* (eay@cryptsoft.com). This product includes software written by Tim
	65	* Hudson (tjh@cryptsoft.com).
	66	*
	67	*/
	68
	69	#include <stdio.h>
	70	#include <stdlib.h>
	71	#include <string.h>
55f78baf RL	72
	73	#include "../e_os.h"
	74
10bf4fc2	75	#include <openssl/opensslconf.h> /* for OPENSSL_NO_EC */
e172d60d BM	76	#include <openssl/crypto.h>
	77	#include <openssl/bio.h>
	78	#include <openssl/bn.h>
e172d60d BM	79	#include <openssl/objects.h>
e172d60d BM	80	#include <openssl/rand.h>
176f31dd	81	#include <openssl/sha.h>
e172d60d BM	82	#include <openssl/err.h>
e172d60d BM	83
10bf4fc2	84	#ifdef OPENSSL_NO_EC
e172d60d BM	85	int main(int argc, char *argv[])
	86	{
	87	printf("No ECDH support\n");
0f113f3e	88	return (0);
e172d60d BM	89	}
e172d60d BM	90	#else
0f113f3e	91	# include <openssl/ec.h>
e172d60d	92
0f113f3e MC	93	static const char rnd_seed[] =
0f113f3e MC	94	"string to make the random number generator think it has entropy";
176f31dd BM	95
176f31dd BM	96	static const int KDF1_SHA1_len = 20;
0f113f3e MC	97	static void KDF1_SHA1(const void in, size_t inlen, void *out,
	98	size_t *outlen)
	99	{
0f113f3e MC	100	if (*outlen < SHA_DIGEST_LENGTH)
0f113f3e MC	101	return NULL;
474e469b	102	*outlen = SHA_DIGEST_LENGTH;
0f113f3e	103	return SHA1(in, inlen, out);
0f113f3e	104	}
176f31dd	105
9dd84053	106	static int test_ecdh_curve(int nid, const char text, BN_CTX ctx, BIO *out)
0f113f3e MC	107	{
	108	EC_KEY *a = NULL;
	109	EC_KEY *b = NULL;
	110	BIGNUM x_a = NULL, y_a = NULL, x_b = NULL, y_b = NULL;
	111	char buf[12];
	112	unsigned char abuf = NULL, bbuf = NULL;
	113	int i, alen, blen, aout, bout, ret = 0;
	114	const EC_GROUP *group;
	115
	116	a = EC_KEY_new_by_curve_name(nid);
	117	b = EC_KEY_new_by_curve_name(nid);
	118	if (a == NULL \|\| b == NULL)
	119	goto err;
	120
	121	group = EC_KEY_get0_group(a);
	122
	123	if ((x_a = BN_new()) == NULL)
	124	goto err;
	125	if ((y_a = BN_new()) == NULL)
	126	goto err;
	127	if ((x_b = BN_new()) == NULL)
	128	goto err;
	129	if ((y_b = BN_new()) == NULL)
	130	goto err;
	131
	132	BIO_puts(out, "Testing key generation with ");
	133	BIO_puts(out, text);
	134	# ifdef NOISY
	135	BIO_puts(out, "\n");
	136	# else
	137	(void)BIO_flush(out);
	138	# endif
	139
	140	if (!EC_KEY_generate_key(a))
	141	goto err;
	142
	143	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
	144	NID_X9_62_prime_field) {
	145	if (!EC_POINT_get_affine_coordinates_GFp
	146	(group, EC_KEY_get0_public_key(a), x_a, y_a, ctx))
	147	goto err;
	148	}
	149	# ifndef OPENSSL_NO_EC2M
	150	else {
	151	if (!EC_POINT_get_affine_coordinates_GF2m(group,
	152	EC_KEY_get0_public_key(a),
	153	x_a, y_a, ctx))
	154	goto err;
	155	}
	156	# endif
	157	# ifdef NOISY
	158	BIO_puts(out, " pri 1=");
	159	BN_print(out, a->priv_key);
	160	BIO_puts(out, "\n pub 1=");
	161	BN_print(out, x_a);
	162	BIO_puts(out, ",");
	163	BN_print(out, y_a);
	164	BIO_puts(out, "\n");
	165	# else
	166	BIO_printf(out, " .");
	167	(void)BIO_flush(out);
	168	# endif
	169
	170	if (!EC_KEY_generate_key(b))
171	goto err;
172
173	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
174	NID_X9_62_prime_field) {
175	if (!EC_POINT_get_affine_coordinates_GFp
176	(group, EC_KEY_get0_public_key(b), x_b, y_b, ctx))
177	goto err;
178	}
179	# ifndef OPENSSL_NO_EC2M
180	else {
181	if (!EC_POINT_get_affine_coordinates_GF2m(group,
182	EC_KEY_get0_public_key(b),
183	x_b, y_b, ctx))
184	goto err;
185	}
186	# endif
187
188	# ifdef NOISY
189	BIO_puts(out, " pri 2=");
190	BN_print(out, b->priv_key);
191	BIO_puts(out, "\n pub 2=");
192	BN_print(out, x_b);
193	BIO_puts(out, ",");
194	BN_print(out, y_b);
195	BIO_puts(out, "\n");
196	# else
197	BIO_printf(out, ".");
198	(void)BIO_flush(out);
199	# endif
200
201	alen = KDF1_SHA1_len;
b196e7d9	202	abuf = OPENSSL_malloc(alen);
0f113f3e MC	203	aout =
	204	ECDH_compute_key(abuf, alen, EC_KEY_get0_public_key(b), a, KDF1_SHA1);
	205
	206	# ifdef NOISY
	207	BIO_puts(out, " key1 =");
	208	for (i = 0; i < aout; i++) {
	209	sprintf(buf, "%02X", abuf[i]);
	210	BIO_puts(out, buf);
	211	}
	212	BIO_puts(out, "\n");
	213	# else
	214	BIO_printf(out, ".");
	215	(void)BIO_flush(out);
	216	# endif
	217
	218	blen = KDF1_SHA1_len;
b196e7d9	219	bbuf = OPENSSL_malloc(blen);
0f113f3e MC	220	bout =
	221	ECDH_compute_key(bbuf, blen, EC_KEY_get0_public_key(a), b, KDF1_SHA1);
	222
	223	# ifdef NOISY
	224	BIO_puts(out, " key2 =");
	225	for (i = 0; i < bout; i++) {
	226	sprintf(buf, "%02X", bbuf[i]);
	227	BIO_puts(out, buf);
	228	}
	229	BIO_puts(out, "\n");
	230	# else
	231	BIO_printf(out, ".");
	232	(void)BIO_flush(out);
	233	# endif
	234
	235	if ((aout < 4) \|\| (bout != aout) \|\| (memcmp(abuf, bbuf, aout) != 0)) {
	236	# ifndef NOISY
	237	BIO_printf(out, " failed\n\n");
	238	BIO_printf(out, "key a:\n");
	239	BIO_printf(out, "private key: ");
	240	BN_print(out, EC_KEY_get0_private_key(a));
	241	BIO_printf(out, "\n");
	242	BIO_printf(out, "public key (x,y): ");
	243	BN_print(out, x_a);
	244	BIO_printf(out, ",");
	245	BN_print(out, y_a);
	246	BIO_printf(out, "\nkey b:\n");
	247	BIO_printf(out, "private key: ");
	248	BN_print(out, EC_KEY_get0_private_key(b));
	249	BIO_printf(out, "\n");
	250	BIO_printf(out, "public key (x,y): ");
	251	BN_print(out, x_b);
	252	BIO_printf(out, ",");
	253	BN_print(out, y_b);
	254	BIO_printf(out, "\n");
	255	BIO_printf(out, "generated key a: ");
	256	for (i = 0; i < bout; i++) {
	257	sprintf(buf, "%02X", bbuf[i]);
	258	BIO_puts(out, buf);
	259	}
	260	BIO_printf(out, "\n");
	261	BIO_printf(out, "generated key b: ");
	262	for (i = 0; i < aout; i++) {
	263	sprintf(buf, "%02X", abuf[i]);
	264	BIO_puts(out, buf);
	265	}
	266	BIO_printf(out, "\n");
	267	# endif
	268	fprintf(stderr, "Error in ECDH routines\n");
	269	ret = 0;
	270	} else {
	271	# ifndef NOISY
	272	BIO_printf(out, " ok\n");
	273	# endif
	274	ret = 1;
	275	}
	276	err:
	277	ERR_print_errors_fp(stderr);
	278
b548a1f1 RS	279	OPENSSL_free(abuf);
b548a1f1 RS	280	OPENSSL_free(bbuf);
23a1d5e9 RS	281	BN_free(x_a);
	282	BN_free(y_a);
	283	BN_free(x_b);
	284	BN_free(y_b);
8fdc3734 RS	285	EC_KEY_free(b);
8fdc3734 RS	286	EC_KEY_free(a);
0f113f3e MC	287	return (ret);
0f113f3e MC	288	}
e172d60d	289
da317b94 DSH	290	/* Keys and shared secrets from RFC 7027 */
	291
	292	static const unsigned char bp256_da[] = {
0f113f3e MC	293	0x81, 0xDB, 0x1E, 0xE1, 0x00, 0x15, 0x0F, 0xF2, 0xEA, 0x33, 0x8D, 0x70,
	294	0x82, 0x71, 0xBE, 0x38, 0x30, 0x0C, 0xB5, 0x42, 0x41, 0xD7, 0x99, 0x50,
	295	0xF7, 0x7B, 0x06, 0x30, 0x39, 0x80, 0x4F, 0x1D
da317b94 DSH	296	};
	297
	298	static const unsigned char bp256_db[] = {
0f113f3e MC	299	0x55, 0xE4, 0x0B, 0xC4, 0x1E, 0x37, 0xE3, 0xE2, 0xAD, 0x25, 0xC3, 0xC6,
	300	0x65, 0x45, 0x11, 0xFF, 0xA8, 0x47, 0x4A, 0x91, 0xA0, 0x03, 0x20, 0x87,
	301	0x59, 0x38, 0x52, 0xD3, 0xE7, 0xD7, 0x6B, 0xD3
da317b94 DSH	302	};
	303
	304	static const unsigned char bp256_Z[] = {
0f113f3e MC	305	0x89, 0xAF, 0xC3, 0x9D, 0x41, 0xD3, 0xB3, 0x27, 0x81, 0x4B, 0x80, 0x94,
	306	0x0B, 0x04, 0x25, 0x90, 0xF9, 0x65, 0x56, 0xEC, 0x91, 0xE6, 0xAE, 0x79,
	307	0x39, 0xBC, 0xE3, 0x1F, 0x3A, 0x18, 0xBF, 0x2B
da317b94 DSH	308	};
	309
	310	static const unsigned char bp384_da[] = {
0f113f3e MC	311	0x1E, 0x20, 0xF5, 0xE0, 0x48, 0xA5, 0x88, 0x6F, 0x1F, 0x15, 0x7C, 0x74,
	312	0xE9, 0x1B, 0xDE, 0x2B, 0x98, 0xC8, 0xB5, 0x2D, 0x58, 0xE5, 0x00, 0x3D,
	313	0x57, 0x05, 0x3F, 0xC4, 0xB0, 0xBD, 0x65, 0xD6, 0xF1, 0x5E, 0xB5, 0xD1,
	314	0xEE, 0x16, 0x10, 0xDF, 0x87, 0x07, 0x95, 0x14, 0x36, 0x27, 0xD0, 0x42
da317b94 DSH	315	};
	316
	317	static const unsigned char bp384_db[] = {
0f113f3e MC	318	0x03, 0x26, 0x40, 0xBC, 0x60, 0x03, 0xC5, 0x92, 0x60, 0xF7, 0x25, 0x0C,
	319	0x3D, 0xB5, 0x8C, 0xE6, 0x47, 0xF9, 0x8E, 0x12, 0x60, 0xAC, 0xCE, 0x4A,
	320	0xCD, 0xA3, 0xDD, 0x86, 0x9F, 0x74, 0xE0, 0x1F, 0x8B, 0xA5, 0xE0, 0x32,
	321	0x43, 0x09, 0xDB, 0x6A, 0x98, 0x31, 0x49, 0x7A, 0xBA, 0xC9, 0x66, 0x70
da317b94 DSH	322	};
	323
	324	static const unsigned char bp384_Z[] = {
0f113f3e MC	325	0x0B, 0xD9, 0xD3, 0xA7, 0xEA, 0x0B, 0x3D, 0x51, 0x9D, 0x09, 0xD8, 0xE4,
	326	0x8D, 0x07, 0x85, 0xFB, 0x74, 0x4A, 0x6B, 0x35, 0x5E, 0x63, 0x04, 0xBC,
	327	0x51, 0xC2, 0x29, 0xFB, 0xBC, 0xE2, 0x39, 0xBB, 0xAD, 0xF6, 0x40, 0x37,
	328	0x15, 0xC3, 0x5D, 0x4F, 0xB2, 0xA5, 0x44, 0x4F, 0x57, 0x5D, 0x4F, 0x42
da317b94 DSH	329	};
	330
	331	static const unsigned char bp512_da[] = {
0f113f3e MC	332	0x16, 0x30, 0x2F, 0xF0, 0xDB, 0xBB, 0x5A, 0x8D, 0x73, 0x3D, 0xAB, 0x71,
	333	0x41, 0xC1, 0xB4, 0x5A, 0xCB, 0xC8, 0x71, 0x59, 0x39, 0x67, 0x7F, 0x6A,
	334	0x56, 0x85, 0x0A, 0x38, 0xBD, 0x87, 0xBD, 0x59, 0xB0, 0x9E, 0x80, 0x27,
	335	0x96, 0x09, 0xFF, 0x33, 0x3E, 0xB9, 0xD4, 0xC0, 0x61, 0x23, 0x1F, 0xB2,
	336	0x6F, 0x92, 0xEE, 0xB0, 0x49, 0x82, 0xA5, 0xF1, 0xD1, 0x76, 0x4C, 0xAD,
	337	0x57, 0x66, 0x54, 0x22
da317b94 DSH	338	};
	339
	340	static const unsigned char bp512_db[] = {
0f113f3e MC	341	0x23, 0x0E, 0x18, 0xE1, 0xBC, 0xC8, 0x8A, 0x36, 0x2F, 0xA5, 0x4E, 0x4E,
	342	0xA3, 0x90, 0x20, 0x09, 0x29, 0x2F, 0x7F, 0x80, 0x33, 0x62, 0x4F, 0xD4,
	343	0x71, 0xB5, 0xD8, 0xAC, 0xE4, 0x9D, 0x12, 0xCF, 0xAB, 0xBC, 0x19, 0x96,
	344	0x3D, 0xAB, 0x8E, 0x2F, 0x1E, 0xBA, 0x00, 0xBF, 0xFB, 0x29, 0xE4, 0xD7,
	345	0x2D, 0x13, 0xF2, 0x22, 0x45, 0x62, 0xF4, 0x05, 0xCB, 0x80, 0x50, 0x36,
	346	0x66, 0xB2, 0x54, 0x29
da317b94 DSH	347	};
da317b94 DSH	348
da317b94	349	static const unsigned char bp512_Z[] = {
0f113f3e MC	350	0xA7, 0x92, 0x70, 0x98, 0x65, 0x5F, 0x1F, 0x99, 0x76, 0xFA, 0x50, 0xA9,
	351	0xD5, 0x66, 0x86, 0x5D, 0xC5, 0x30, 0x33, 0x18, 0x46, 0x38, 0x1C, 0x87,
	352	0x25, 0x6B, 0xAF, 0x32, 0x26, 0x24, 0x4B, 0x76, 0xD3, 0x64, 0x03, 0xC0,
	353	0x24, 0xD7, 0xBB, 0xF0, 0xAA, 0x08, 0x03, 0xEA, 0xFF, 0x40, 0x5D, 0x3D,
	354	0x24, 0xF1, 0x1A, 0x9B, 0x5C, 0x0B, 0xEF, 0x67, 0x9F, 0xE1, 0x45, 0x4B,
	355	0x21, 0xC4, 0xCD, 0x1F
da317b94 DSH	356	};
	357
	358	/* Given private value and NID, create EC_KEY structure */
	359
	360	static EC_KEY mk_eckey(int nid, const unsigned char p, size_t plen)
0f113f3e MC	361	{
	362	int ok = 0;
	363	EC_KEY *k = NULL;
	364	BIGNUM *priv = NULL;
	365	EC_POINT *pub = NULL;
	366	const EC_GROUP *grp;
	367	k = EC_KEY_new_by_curve_name(nid);
	368	if (!k)
	369	goto err;
	370	priv = BN_bin2bn(p, plen, NULL);
	371	if (!priv)
	372	goto err;
	373	if (!EC_KEY_set_private_key(k, priv))
	374	goto err;
	375	grp = EC_KEY_get0_group(k);
	376	pub = EC_POINT_new(grp);
	377	if (!pub)
	378	goto err;
	379	if (!EC_POINT_mul(grp, pub, priv, NULL, NULL, NULL))
	380	goto err;
	381	if (!EC_KEY_set_public_key(k, pub))
	382	goto err;
	383	ok = 1;
	384	err:
23a1d5e9	385	BN_clear_free(priv);
8fdc3734	386	EC_POINT_free(pub);
0f113f3e MC	387	if (ok)
0f113f3e MC	388	return k;
8fdc3734	389	EC_KEY_free(k);
0f113f3e MC	390	return NULL;
	391	}
	392
	393	/*
	394	* Known answer test: compute shared secret and check it matches expected
	395	* value.
da317b94 DSH	396	*/
	397
	398	static int ecdh_kat(BIO out, const char cname, int nid,
0f113f3e MC	399	const unsigned char *k1, size_t k1_len,
	400	const unsigned char *k2, size_t k2_len,
	401	const unsigned char *Z, size_t Zlen)
	402	{
	403	int rv = 0;
	404	EC_KEY key1 = NULL, key2 = NULL;
	405	unsigned char *Ztmp = NULL;
	406	size_t Ztmplen;
	407	BIO_puts(out, "Testing ECDH shared secret with ");
	408	BIO_puts(out, cname);
	409	key1 = mk_eckey(nid, k1, k1_len);
	410	key2 = mk_eckey(nid, k2, k2_len);
	411	if (!key1 \|\| !key2)
	412	goto err;
	413	Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8;
	414	if (Ztmplen != Zlen)
	415	goto err;
	416	Ztmp = OPENSSL_malloc(Ztmplen);
	417	if (!ECDH_compute_key(Ztmp, Ztmplen,
	418	EC_KEY_get0_public_key(key2), key1, 0))
	419	goto err;
	420	if (memcmp(Ztmp, Z, Zlen))
	421	goto err;
	422	memset(Ztmp, 0, Zlen);
	423	if (!ECDH_compute_key(Ztmp, Ztmplen,
	424	EC_KEY_get0_public_key(key1), key2, 0))
	425	goto err;
	426	if (memcmp(Ztmp, Z, Zlen))
	427	goto err;
	428	rv = 1;
	429	err:
8fdc3734 RS	430	EC_KEY_free(key1);
8fdc3734 RS	431	EC_KEY_free(key2);
b548a1f1	432	OPENSSL_free(Ztmp);
0f113f3e MC	433	if (rv)
	434	BIO_puts(out, " ok\n");
	435	else {
	436	fprintf(stderr, "Error in ECDH routines\n");
	437	ERR_print_errors_fp(stderr);
	438	}
	439	return rv;
	440	}
e172d60d	441
0f113f3e MC	442	# define test_ecdh_kat(bio, curve, bits) \
	443	ecdh_kat(bio, curve, NID_brainpoolP##bits##r1, \
	444	bp##bits##_da, sizeof(bp##bits##_da), \
	445	bp##bits##_db, sizeof(bp##bits##_db), \
	446	bp##bits##_Z, sizeof(bp##bits##_Z))
e172d60d	447
0f113f3e MC	448	int main(int argc, char *argv[])
	449	{
	450	BN_CTX *ctx = NULL;
	451	int ret = 1;
	452	BIO *out;
	453
bbd86bf5	454	CRYPTO_set_mem_debug(1);
0f113f3e MC	455	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
0f113f3e MC	456
0f113f3e MC	457	RAND_seed(rnd_seed, sizeof rnd_seed);
	458
	459	out = BIO_new(BIO_s_file());
	460	if (out == NULL)
	461	EXIT(1);
0f81f5f7	462	BIO_set_fp(out, stdout, BIO_NOCLOSE \| BIO_FP_TEXT);
0f113f3e MC	463
	464	if ((ctx = BN_CTX_new()) == NULL)
	465	goto err;
	466
	467	/* NIST PRIME CURVES TESTS */
	468	if (!test_ecdh_curve
	469	(NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
	470	goto err;
	471	if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
	472	goto err;
	473	if (!test_ecdh_curve
	474	(NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
	475	goto err;
	476	if (!test_ecdh_curve(NID_secp384r1, "NIST Prime-Curve P-384", ctx, out))
	477	goto err;
	478	if (!test_ecdh_curve(NID_secp521r1, "NIST Prime-Curve P-521", ctx, out))
	479	goto err;
	480	# ifndef OPENSSL_NO_EC2M
	481	/* NIST BINARY CURVES TESTS */
	482	if (!test_ecdh_curve(NID_sect163k1, "NIST Binary-Curve K-163", ctx, out))
	483	goto err;
	484	if (!test_ecdh_curve(NID_sect163r2, "NIST Binary-Curve B-163", ctx, out))
	485	goto err;
	486	if (!test_ecdh_curve(NID_sect233k1, "NIST Binary-Curve K-233", ctx, out))
	487	goto err;
	488	if (!test_ecdh_curve(NID_sect233r1, "NIST Binary-Curve B-233", ctx, out))
	489	goto err;
	490	if (!test_ecdh_curve(NID_sect283k1, "NIST Binary-Curve K-283", ctx, out))
	491	goto err;
	492	if (!test_ecdh_curve(NID_sect283r1, "NIST Binary-Curve B-283", ctx, out))
	493	goto err;
	494	if (!test_ecdh_curve(NID_sect409k1, "NIST Binary-Curve K-409", ctx, out))
	495	goto err;
	496	if (!test_ecdh_curve(NID_sect409r1, "NIST Binary-Curve B-409", ctx, out))
	497	goto err;
	498	if (!test_ecdh_curve(NID_sect571k1, "NIST Binary-Curve K-571", ctx, out))
	499	goto err;
	500	if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
	501	goto err;
	502	# endif
	503	if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
	504	goto err;
	505	if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
	506	goto err;
	507	if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
	508	goto err;
	509
	510	ret = 0;
	511
	512	err:
	513	ERR_print_errors_fp(stderr);
23a1d5e9	514	BN_CTX_free(ctx);
0f113f3e MC	515	BIO_free(out);
	516	CRYPTO_cleanup_all_ex_data();
	517	ERR_remove_thread_state(NULL);
c2e27310	518	#ifndef OPENSSL_NO_CRYPTO_MDEBUG
0f113f3e	519	CRYPTO_mem_leaks_fp(stderr);
bbd86bf5	520	#endif
0f113f3e	521	EXIT(ret);
0f113f3e	522	}
c787525a	523	#endif