]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/ectest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Following the license change, modify the boilerplates in util/, tools/
[thirdparty/openssl.git] / test / ectest.c
CommitLineData
35b73a1f 1/*
b0edda11 2 * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
62763f68 4 *
440e5d80
RS		 5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
62763f68 9 */
440e5d80 10
176db6dc 11#include "internal/nelem.h"
2db85ac9 12#include "testutil.h"
2f0ca54c 13
2db85ac9 14#ifndef OPENSSL_NO_EC
0f113f3e
MC		 15# include <openssl/ec.h>
16# ifndef OPENSSL_NO_ENGINE
17# include <openssl/engine.h>
18# endif
19# include <openssl/err.h>
20# include <openssl/obj_mac.h>
21# include <openssl/objects.h>
22# include <openssl/rand.h>
23# include <openssl/bn.h>
24# include <openssl/opensslconf.h>
25
2db85ac9
P		 26static size_t crv_len = 0;
27static EC_builtin_curve *curves = NULL;
652ae06b 28
04daec86 29/* test multiplication with group order, long and negative scalars */
2db85ac9 30static int group_order_tests(EC_GROUP *group)
0f113f3e 31{
2db85ac9
P		 32 BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL;
33 EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL;
66b0bca8 34 const EC_POINT *G = NULL;
2db85ac9
P		 35 BN_CTX *ctx = NULL;
36 int i = 0, r = 0;
37
38 if (!TEST_ptr(n1 = BN_new())
39 || !TEST_ptr(n2 = BN_new())
40 || !TEST_ptr(order = BN_new())
41 || !TEST_ptr(ctx = BN_CTX_new())
66b0bca8 42 || !TEST_ptr(G = EC_GROUP_get0_generator(group))
2db85ac9
P		 43 || !TEST_ptr(P = EC_POINT_new(group))
44 || !TEST_ptr(Q = EC_POINT_new(group))
45 || !TEST_ptr(R = EC_POINT_new(group))
46 || !TEST_ptr(S = EC_POINT_new(group)))
47 goto err;
48
49 if (!TEST_true(EC_GROUP_get_order(group, order, ctx))
50 || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
51 || !TEST_true(EC_POINT_is_at_infinity(group, Q))
52 || !TEST_true(EC_GROUP_precompute_mult(group, ctx))
53 || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
66b0bca8
BB		 54 || !TEST_true(EC_POINT_is_at_infinity(group, Q))
55 || !TEST_true(EC_POINT_copy(P, G))
56 || !TEST_true(BN_one(n1))
57 || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
58 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
59 || !TEST_true(BN_sub(n1, order, n1))
60 || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
61 || !TEST_true(EC_POINT_invert(group, Q, ctx))
62 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
2db85ac9
P		 63 goto err;
64
0f113f3e
MC		 65 for (i = 1; i <= 2; i++) {
66 const BIGNUM *scalars[6];
67 const EC_POINT *points[6];
68
2db85ac9
P		 69 if (!TEST_true(BN_set_word(n1, i))
70 /*
71 * If i == 1, P will be the predefined generator for which
72 * EC_GROUP_precompute_mult has set up precomputation.
73 */
74 || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
66b0bca8 75 || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx)))
2db85ac9
P		 76 || !TEST_true(BN_one(n1))
77 /* n1 = 1 - order */
78 || !TEST_true(BN_sub(n1, n1, order))
79 || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx))
80 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
81
82 /* n2 = 1 + order */
83 || !TEST_true(BN_add(n2, order, BN_value_one()))
84 || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
85 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
86
87 /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
88 || !TEST_true(BN_mul(n2, n1, n2, ctx))
89 || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
90 || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
91 goto err;
0f113f3e
MC		 92
93 /* n2 = order^2 - 1 */
94 BN_set_negative(n2, 0);
2db85ac9
P		 95 if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
96 /* Add P to verify the result. */
97 || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx))
98 || !TEST_true(EC_POINT_is_at_infinity(group, Q))
99
100 /* Exercise EC_POINTs_mul, including corner cases. */
101 || !TEST_false(EC_POINT_is_at_infinity(group, P)))
102 goto err;
50e34aab
AP		 103
104 scalars[0] = scalars[1] = BN_value_one();
105 points[0] = points[1] = P;
106
2db85ac9
P		 107 if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx))
108 || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx))
109 || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx)))
110 goto err;
50e34aab 111
0f113f3e
MC		 112 scalars[0] = n1;
113 points[0] = Q; /* => infinity */
114 scalars[1] = n2;
115 points[1] = P; /* => -P */
116 scalars[2] = n1;
117 points[2] = Q; /* => infinity */
118 scalars[3] = n2;
119 points[3] = Q; /* => infinity */
120 scalars[4] = n1;
121 points[4] = P; /* => P */
122 scalars[5] = n2;
123 points[5] = Q; /* => infinity */
2db85ac9
P		 124 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
125 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
126 goto err;
0f113f3e 127 }
0f113f3e 128
2db85ac9
P		 129 r = 1;
130err:
131 if (r == 0 && i != 0)
132 TEST_info(i == 1 ? "allowing precomputation" :
133 "without precomputation");
0f113f3e
MC		 134 EC_POINT_free(P);
135 EC_POINT_free(Q);
50e34aab
AP		 136 EC_POINT_free(R);
137 EC_POINT_free(S);
0f113f3e
MC		 138 BN_free(n1);
139 BN_free(n2);
140 BN_free(order);
141 BN_CTX_free(ctx);
2db85ac9 142 return r;
0f113f3e 143}
04daec86 144
2db85ac9 145static int prime_field_tests(void)
0f113f3e
MC		 146{
147 BN_CTX *ctx = NULL;
2db85ac9
P		 148 BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL;
149 EC_GROUP *group = NULL, *tmp = NULL;
150 EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL,
151 *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
152 EC_POINT *P = NULL, *Q = NULL, *R = NULL;
153 BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL;
154 const EC_POINT *points[4];
155 const BIGNUM *scalars[4];
0f113f3e 156 unsigned char buf[100];
37916462 157 size_t len, r = 0;
0f113f3e
MC		 158 int k;
159
2db85ac9
P		 160 if (!TEST_ptr(ctx = BN_CTX_new())
161 || !TEST_ptr(p = BN_new())
162 || !TEST_ptr(a = BN_new())
163 || !TEST_ptr(b = BN_new())
164 || !TEST_true(BN_hex2bn(&p, "17"))
165 || !TEST_true(BN_hex2bn(&a, "1"))
166 || !TEST_true(BN_hex2bn(&b, "1"))
167 /*
168 * applications should use EC_GROUP_new_curve_GFp so
169 * that the library gets to choose the EC_METHOD
170 */
171 || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))
9cc570d4 172 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
2db85ac9
P		 173 || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
174 || !TEST_true(EC_GROUP_copy(tmp, group)))
175 goto err;
176 EC_GROUP_free(group);
177 group = tmp;
178 tmp = NULL;
179
9cc570d4 180 if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
2db85ac9
P		 181 goto err;
182
37916462
P		 183 TEST_info("Curve defined by Weierstrass equation");
184 TEST_note(" y^2 = x^3 + a*x + b (mod p)");
185 test_output_bignum("a", a);
186 test_output_bignum("b", b);
187 test_output_bignum("p", p);
0f113f3e
MC		 188
189 buf[0] = 0;
2db85ac9
P		 190 if (!TEST_ptr(P = EC_POINT_new(group))
191 || !TEST_ptr(Q = EC_POINT_new(group))
192 || !TEST_ptr(R = EC_POINT_new(group))
193 || !TEST_true(EC_POINT_set_to_infinity(group, P))
194 || !TEST_true(EC_POINT_is_at_infinity(group, P))
195 || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
196 || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
197 || !TEST_true(EC_POINT_is_at_infinity(group, P))
198 || !TEST_ptr(x = BN_new())
199 || !TEST_ptr(y = BN_new())
200 || !TEST_ptr(z = BN_new())
201 || !TEST_ptr(yplusone = BN_new())
202 || !TEST_true(BN_hex2bn(&x, "D"))
9cc570d4 203 || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx)))
2db85ac9
P		 204 goto err;
205
206 if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
9cc570d4 207 if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)))
2db85ac9 208 goto err;
37916462
P		 209 TEST_info("Point is not on curve");
210 test_output_bignum("x", x);
211 test_output_bignum("y", y);
2db85ac9 212 goto err;
0f113f3e
MC		 213 }
214
37916462 215 TEST_note("A cyclic subgroup:");
0f113f3e
MC		 216 k = 100;
217 do {
2db85ac9
P		 218 if (!TEST_int_ne(k--, 0))
219 goto err;
220
221 if (EC_POINT_is_at_infinity(group, P)) {
37916462 222 TEST_note(" point at infinity");
2db85ac9 223 } else {
9cc570d4
MC		 224 if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
225 ctx)))
2db85ac9
P		 226 goto err;
227
37916462
P		 228 test_output_bignum("x", x);
229 test_output_bignum("y", y);
0f113f3e
MC		 230 }
231
2db85ac9
P		 232 if (!TEST_true(EC_POINT_copy(R, P))
233 || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
234 goto err;
0f113f3e 235
2db85ac9 236 } while (!EC_POINT_is_at_infinity(group, P));
0f113f3e 237
2db85ac9
P		 238 if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
239 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
240 goto err;
0f113f3e
MC		 241
242 len =
243 EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf,
cbe29648 244 sizeof(buf), ctx);
2db85ac9
P		 245 if (!TEST_size_t_ne(len, 0)
246 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
247 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
248 goto err;
37916462
P		 249 test_output_memory("Generator as octet string, compressed form:",
250 buf, len);
2db85ac9
P		 251
252 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
cbe29648 253 buf, sizeof(buf), ctx);
2db85ac9
P		 254 if (!TEST_size_t_ne(len, 0)
255 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
256 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
257 goto err;
37916462
P		 258 test_output_memory("Generator as octet string, uncompressed form:",
259 buf, len);
2db85ac9
P		 260
261 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID,
cbe29648 262 buf, sizeof(buf), ctx);
2db85ac9
P		 263 if (!TEST_size_t_ne(len, 0)
264 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
265 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
266 goto err;
37916462
P		 267 test_output_memory("Generator as octet string, hybrid form:",
268 buf, len);
2db85ac9
P		 269
270 if (!TEST_true(EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z,
271 ctx)))
272 goto err;
37916462
P		 273 TEST_info("A representation of the inverse of that generator in");
274 TEST_note("Jacobian projective coordinates");
275 test_output_bignum("x", x);
276 test_output_bignum("y", y);
277 test_output_bignum("z", z);
2db85ac9
P		 278
279 if (!TEST_true(EC_POINT_invert(group, P, ctx))
280 || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
0f113f3e
MC		 281
282 /*
283 * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2,
284 * 2000) -- not a NIST curve, but commonly used
285 */
286
2db85ac9
P		 287 || !TEST_true(BN_hex2bn(&p, "FFFFFFFF"
288 "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF"))
289 || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
290 || !TEST_true(BN_hex2bn(&a, "FFFFFFFF"
291 "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC"))
292 || !TEST_true(BN_hex2bn(&b, "1C97BEFC"
293 "54BD7A8B65ACF89F81D4D4ADC565FA45"))
9cc570d4 294 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
2db85ac9
P		 295 || !TEST_true(BN_hex2bn(&x, "4A96B568"
296 "8EF573284664698968C38BB913CBFC82"))
297 || !TEST_true(BN_hex2bn(&y, "23a62855"
298 "3168947d59dcc912042351377ac5fb32"))
299 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
1e2012b7
EK		 300 /*
301 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
302 * and therefore setting the coordinates should fail.
303 */
9cc570d4
MC		 304 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
305 ctx))
306 || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
2db85ac9
P		 307 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
308 || !TEST_true(BN_hex2bn(&z, "0100000000"
309 "000000000001F4C8F927AED3CA752257"))
310 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
9cc570d4 311 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
2db85ac9 312 goto err;
37916462
P		 313 TEST_info("SEC2 curve secp160r1 -- Generator");
314 test_output_bignum("x", x);
315 test_output_bignum("y", y);
0f113f3e 316 /* G_y value taken from the standard: */
2db85ac9
P		 317 if (!TEST_true(BN_hex2bn(&z, "23a62855"
318 "3168947d59dcc912042351377ac5fb32"))
dc352c19 319 || !TEST_BN_eq(y, z)
2db85ac9
P		 320 || !TEST_int_eq(EC_GROUP_get_degree(group), 160)
321 || !group_order_tests(group)
322 || !TEST_ptr(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))
323 || !TEST_true(EC_GROUP_copy(P_160, group))
0f113f3e
MC		 324
325 /* Curve P-192 (FIPS PUB 186-2, App. 6) */
326
2db85ac9
P		 327 || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF"
328 "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"))
329 || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
330 || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF"
331 "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC"))
332 || !TEST_true(BN_hex2bn(&b, "64210519E59C80E7"
333 "0FA7E9AB72243049FEB8DEECC146B9B1"))
9cc570d4 334 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
2db85ac9
P		 335 || !TEST_true(BN_hex2bn(&x, "188DA80EB03090F6"
336 "7CBF20EB43A18800F4FF0AFD82FF1012"))
9cc570d4 337 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
2db85ac9
P		 338 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
339 || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFF"
340 "FFFFFFFF99DEF836146BC9B1B4D22831"))
341 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
9cc570d4 342 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
2db85ac9
P		 343 goto err;
344
37916462
P		 345 TEST_info("NIST curve P-192 -- Generator");
346 test_output_bignum("x", x);
347 test_output_bignum("y", y);
0f113f3e 348 /* G_y value taken from the standard: */
2db85ac9
P		 349 if (!TEST_true(BN_hex2bn(&z, "07192B95FFC8DA78"
350 "631011ED6B24CDD573F977A11E794811"))
dc352c19 351 || !TEST_BN_eq(y, z)
2db85ac9 352 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
1e2012b7
EK		 353 /*
354 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
355 * and therefore setting the coordinates should fail.
356 */
9cc570d4
MC		 357 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
358 ctx))
2db85ac9
P		 359 || !TEST_int_eq(EC_GROUP_get_degree(group), 192)
360 || !group_order_tests(group)
361 || !TEST_ptr(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))
362 || !TEST_true(EC_GROUP_copy(P_192, group))
0f113f3e
MC		 363
364 /* Curve P-224 (FIPS PUB 186-2, App. 6) */
365
2db85ac9
P		 366 || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
367 "FFFFFFFF000000000000000000000001"))
368 || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
369 || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
370 "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
371 || !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256"
372 "5044B0B7D7BFD8BA270B39432355FFB4"))
9cc570d4 373 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
2db85ac9
P		 374 || !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9"
375 "4A03C1D356C21122343280D6115C1D21"))
9cc570d4 376 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
2db85ac9
P		 377 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
378 || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF"
379 "FFFF16A2E0B8F03E13DD29455C5C2A3D"))
380 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
9cc570d4 381 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
2db85ac9
P		 382 goto err;
383
37916462
P		 384 TEST_info("NIST curve P-224 -- Generator");
385 test_output_bignum("x", x);
386 test_output_bignum("y", y);
0f113f3e 387 /* G_y value taken from the standard: */
2db85ac9
P		 388 if (!TEST_true(BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6"
389 "CD4375A05A07476444D5819985007E34"))
dc352c19 390 || !TEST_BN_eq(y, z)
2db85ac9 391 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
1e2012b7
EK		 392 /*
393 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
394 * and therefore setting the coordinates should fail.
395 */
9cc570d4
MC		 396 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
397 ctx))
2db85ac9
P		 398 || !TEST_int_eq(EC_GROUP_get_degree(group), 224)
399 || !group_order_tests(group)
400 || !TEST_ptr(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))
401 || !TEST_true(EC_GROUP_copy(P_224, group))
0f113f3e
MC		 402
403 /* Curve P-256 (FIPS PUB 186-2, App. 6) */
404
2db85ac9
P		 405 || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000"
406 "00000000FFFFFFFFFFFFFFFFFFFFFFFF"))
407 || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
408 || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000"
409 "00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
410 || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
411 "651D06B0CC53B0F63BCE3C3E27D2604B"))
9cc570d4 412 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
2db85ac9
P		 413
414 || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2"
415 "77037D812DEB33A0F4A13945D898C296"))
9cc570d4 416 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
2db85ac9
P		 417 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
418 || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
419 "BCE6FAADA7179E84F3B9CAC2FC632551"))
420 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
9cc570d4 421 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
2db85ac9
P		 422 goto err;
423
37916462
P		 424 TEST_info("NIST curve P-256 -- Generator");
425 test_output_bignum("x", x);
426 test_output_bignum("y", y);
0f113f3e 427 /* G_y value taken from the standard: */
2db85ac9
P		 428 if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16"
429 "2BCE33576B315ECECBB6406837BF51F5"))
dc352c19 430 || !TEST_BN_eq(y, z)
2db85ac9 431 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
1e2012b7
EK		 432 /*
433 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
434 * and therefore setting the coordinates should fail.
435 */
9cc570d4
MC		 436 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
437 ctx))
2db85ac9
P		 438 || !TEST_int_eq(EC_GROUP_get_degree(group), 256)
439 || !group_order_tests(group)
440 || !TEST_ptr(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))
441 || !TEST_true(EC_GROUP_copy(P_256, group))
0f113f3e
MC		 442
443 /* Curve P-384 (FIPS PUB 186-2, App. 6) */
444
2db85ac9
P		 445 || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
446 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
447 "FFFFFFFF0000000000000000FFFFFFFF"))
448 || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
449 || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
450 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
451 "FFFFFFFF0000000000000000FFFFFFFC"))
452 || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19"
453 "181D9C6EFE8141120314088F5013875A"
454 "C656398D8A2ED19D2A85C8EDD3EC2AEF"))
9cc570d4 455 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
2db85ac9
P		 456
457 || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74"
458 "6E1D3B628BA79B9859F741E082542A38"
459 "5502F25DBF55296C3A545E3872760AB7"))
9cc570d4 460 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
2db85ac9
P		 461 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
462 || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
463 "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
464 "581A0DB248B0A77AECEC196ACCC52973"))
465 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
9cc570d4 466 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
2db85ac9
P		 467 goto err;
468
37916462
P		 469 TEST_info("NIST curve P-384 -- Generator");
470 test_output_bignum("x", x);
471 test_output_bignum("y", y);
0f113f3e 472 /* G_y value taken from the standard: */
2db85ac9
P		 473 if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29"
474 "F8F41DBD289A147CE9DA3113B5F0B8C0"
475 "0A60B1CE1D7E819D7A431D7C90EA0E5F"))
dc352c19 476 || !TEST_BN_eq(y, z)
2db85ac9 477 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
1e2012b7
EK		 478 /*
479 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
480 * and therefore setting the coordinates should fail.
481 */
9cc570d4
MC		 482 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
483 ctx))
2db85ac9
P		 484 || !TEST_int_eq(EC_GROUP_get_degree(group), 384)
485 || !group_order_tests(group)
486 || !TEST_ptr(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))
487 || !TEST_true(EC_GROUP_copy(P_384, group))
0f113f3e
MC		 488
489 /* Curve P-521 (FIPS PUB 186-2, App. 6) */
2db85ac9
P		 490 || !TEST_true(BN_hex2bn(&p, "1FF"
491 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
492 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
493 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
494 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
495 || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
496 || !TEST_true(BN_hex2bn(&a, "1FF"
497 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
498 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
499 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
500 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
501 || !TEST_true(BN_hex2bn(&b, "051"
502 "953EB9618E1C9A1F929A21A0B68540EE"
503 "A2DA725B99B315F3B8B489918EF109E1"
504 "56193951EC7E937B1652C0BD3BB1BF07"
505 "3573DF883D2C34F1EF451FD46B503F00"))
9cc570d4 506 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
2db85ac9
P		 507 || !TEST_true(BN_hex2bn(&x, "C6"
508 "858E06B70404E9CD9E3ECB662395B442"
509 "9C648139053FB521F828AF606B4D3DBA"
510 "A14B5E77EFE75928FE1DC127A2FFA8DE"
511 "3348B3C1856A429BF97E7E31C2E5BD66"))
9cc570d4 512 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
2db85ac9
P		 513 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
514 || !TEST_true(BN_hex2bn(&z, "1FF"
515 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
516 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA"
517 "51868783BF2F966B7FCC0148F709A5D0"
518 "3BB5C9B8899C47AEBB6FB71E91386409"))
519 || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
9cc570d4 520 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
2db85ac9
P		 521 goto err;
522
37916462
P		 523 TEST_info("NIST curve P-521 -- Generator");
524 test_output_bignum("x", x);
525 test_output_bignum("y", y);
0f113f3e 526 /* G_y value taken from the standard: */
2db85ac9
P		 527 if (!TEST_true(BN_hex2bn(&z, "118"
528 "39296A789A3BC0045C8A5FB42C7D1BD9"
529 "98F54449579B446817AFBD17273E662C"
530 "97EE72995EF42640C550B9013FAD0761"
531 "353C7086A272C24088BE94769FD16650"))
dc352c19 532 || !TEST_BN_eq(y, z)
2db85ac9 533 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
1e2012b7
EK		 534 /*
535 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
536 * and therefore setting the coordinates should fail.
537 */
9cc570d4
MC		 538 || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
539 ctx))
2db85ac9
P		 540 || !TEST_int_eq(EC_GROUP_get_degree(group), 521)
541 || !group_order_tests(group)
542 || !TEST_ptr(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))
543 || !TEST_true(EC_GROUP_copy(P_521, group))
0f113f3e
MC		 544
545 /* more tests using the last curve */
546
1e2012b7 547 /* Restore the point that got mangled in the (x, y + 1) test. */
9cc570d4 548 || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
2db85ac9
P		 549 || !TEST_true(EC_POINT_copy(Q, P))
550 || !TEST_false(EC_POINT_is_at_infinity(group, Q))
551 || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
552 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
553 || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
554 || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
555 || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
556 || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
557 || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
558 goto err;
559 points[0] = Q;
560 points[1] = Q;
561 points[2] = Q;
562 points[3] = Q;
563
564 if (!TEST_true(EC_GROUP_get_order(group, z, ctx))
565 || !TEST_true(BN_add(y, z, BN_value_one()))
dc352c19 566 || !TEST_BN_even(y)
2db85ac9
P		 567 || !TEST_true(BN_rshift1(y, y)))
568 goto err;
569 scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
570 scalars[1] = y;
571
37916462 572 TEST_note("combined multiplication ...");
2db85ac9
P		 573
574 /* z is still the group order */
575 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
576 || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
577 || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
578 || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx))
5ecff87d 579 || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
2db85ac9
P		 580 || !TEST_true(BN_add(z, z, y)))
581 goto err;
582 BN_set_negative(z, 1);
583 scalars[0] = y;
584 scalars[1] = z; /* z = -(order + y) */
585
586 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
587 || !TEST_true(EC_POINT_is_at_infinity(group, P))
5ecff87d 588 || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
2db85ac9
P		 589 || !TEST_true(BN_add(z, x, y)))
590 goto err;
591 BN_set_negative(z, 1);
592 scalars[0] = x;
593 scalars[1] = y;
594 scalars[2] = z; /* z = -(x+y) */
595
596 if (!TEST_ptr(scalar3 = BN_new()))
597 goto err;
598 BN_zero(scalar3);
599 scalars[3] = scalar3;
600
601 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
602 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
603 goto err;
604
37916462 605 TEST_note(" ok\n");
2db85ac9
P		 606
607
608 r = 1;
609err:
610 BN_CTX_free(ctx);
611 BN_free(p);
612 BN_free(a);
613 BN_free(b);
614 EC_GROUP_free(group);
615 EC_GROUP_free(tmp);
616 EC_POINT_free(P);
617 EC_POINT_free(Q);
618 EC_POINT_free(R);
619 BN_free(x);
620 BN_free(y);
621 BN_free(z);
622 BN_free(yplusone);
623 BN_free(scalar3);
624
625 EC_GROUP_free(P_160);
626 EC_GROUP_free(P_192);
627 EC_GROUP_free(P_224);
628 EC_GROUP_free(P_256);
629 EC_GROUP_free(P_384);
630 EC_GROUP_free(P_521);
631 return r;
632}
633
634# ifndef OPENSSL_NO_EC2M
0f113f3e 635
2db85ac9
P		 636static struct c2_curve_test {
637 const char *name;
638 const char *p;
639 const char *a;
640 const char *b;
641 const char *x;
642 const char *y;
643 int ybit;
644 const char *order;
645 const char *cof;
646 int degree;
647} char2_curve_tests[] = {
648 /* Curve K-163 (FIPS PUB 186-2, App. 6) */
649 {
650 "NIST curve K-163",
651 "0800000000000000000000000000000000000000C9",
652 "1",
653 "1",
654 "02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8",
655 "0289070FB05D38FF58321F2E800536D538CCDAA3D9",
656 1, "04000000000000000000020108A2E0CC0D99F8A5EF", "2", 163
657 },
658 /* Curve B-163 (FIPS PUB 186-2, App. 6) */
659 {
660 "NIST curve B-163",
661 "0800000000000000000000000000000000000000C9",
662 "1",
663 "020A601907B8C953CA1481EB10512F78744A3205FD",
664 "03F0EBA16286A2D57EA0991168D4994637E8343E36",
665 "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1",
666 1, "040000000000000000000292FE77E70C12A4234C33", "2", 163
667 },
668 /* Curve K-233 (FIPS PUB 186-2, App. 6) */
669 {
670 "NIST curve K-233",
671 "020000000000000000000000000000000000000004000000000000000001",
672 "0",
673 "1",
674 "017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126",
675 "01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3",
676 0,
677 "008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF",
678 "4", 233
679 },
680 /* Curve B-233 (FIPS PUB 186-2, App. 6) */
681 {
682 "NIST curve B-233",
683 "020000000000000000000000000000000000000004000000000000000001",
684 "000000000000000000000000000000000000000000000000000000000001",
685 "0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD",
686 "00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B",
687 "01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052",
688 1,
689 "01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7",
690 "2", 233
691 },
692 /* Curve K-283 (FIPS PUB 186-2, App. 6) */
693 {
694 "NIST curve K-283",
695 "08000000"
696 "00000000000000000000000000000000000000000000000000000000000010A1",
697 "0",
698 "1",
699 "0503213F"
700 "78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836",
701 "01CCDA38"
702 "0F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259",
703 0,
704 "01FFFFFF"
705 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61",
706 "4", 283
707 },
708 /* Curve B-283 (FIPS PUB 186-2, App. 6) */
709 {
710 "NIST curve B-283",
711 "08000000"
712 "00000000000000000000000000000000000000000000000000000000000010A1",
713 "00000000"
714 "0000000000000000000000000000000000000000000000000000000000000001",
715 "027B680A"
716 "C8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5",
717 "05F93925"
718 "8DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053",
719 "03676854"
720 "FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4",
721 1,
722 "03FFFFFF"
723 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307",
724 "2", 283
725 },
726 /* Curve K-409 (FIPS PUB 186-2, App. 6) */
727 {
728 "NIST curve K-409",
729 "0200000000000000000000000000000000000000"
730 "0000000000000000000000000000000000000000008000000000000000000001",
731 "0",
732 "1",
733 "0060F05F658F49C1AD3AB1890F7184210EFD0987"
734 "E307C84C27ACCFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746",
735 "01E369050B7C4E42ACBA1DACBF04299C3460782F"
736 "918EA427E6325165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B",
737 1,
738 "007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
739 "FFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF",
740 "4", 409
741 },
742 /* Curve B-409 (FIPS PUB 186-2, App. 6) */
743 {
744 "NIST curve B-409",
745 "0200000000000000000000000000000000000000"
746 "0000000000000000000000000000000000000000008000000000000000000001",
747 "0000000000000000000000000000000000000000"
748 "0000000000000000000000000000000000000000000000000000000000000001",
749 "0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422E"
750 "F1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F",
751 "015D4860D088DDB3496B0C6064756260441CDE4A"
752 "F1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7",
753 "0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5"
754 "A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706",
755 1,
756 "0100000000000000000000000000000000000000"
757 "00000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173",
758 "2", 409
759 },
760 /* Curve K-571 (FIPS PUB 186-2, App. 6) */
761 {
762 "NIST curve K-571",
763 "800000000000000"
764 "0000000000000000000000000000000000000000000000000000000000000000"
765 "0000000000000000000000000000000000000000000000000000000000000425",
766 "0",
767 "1",
768 "026EB7A859923FBC"
769 "82189631F8103FE4AC9CA2970012D5D46024804801841CA44370958493B205E6"
770 "47DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972",
771 "0349DC807F4FBF37"
772 "4F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0AC44AEA7"
773 "4FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3",
774 0,
775 "0200000000000000"
776 "00000000000000000000000000000000000000000000000000000000131850E1"
777 "F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001",
778 "4", 571
779 },
780 /* Curve B-571 (FIPS PUB 186-2, App. 6) */
0f113f3e 781 {
2db85ac9
P		 782 "NIST curve B-571",
783 "800000000000000"
784 "0000000000000000000000000000000000000000000000000000000000000000"
785 "0000000000000000000000000000000000000000000000000000000000000425",
786 "0000000000000000"
787 "0000000000000000000000000000000000000000000000000000000000000000"
788 "0000000000000000000000000000000000000000000000000000000000000001",
789 "02F40E7E2221F295"
790 "DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA5933"
791 "2BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A",
792 "0303001D34B85629"
793 "6C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293"
794 "CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19",
795 "037BF27342DA639B"
796 "6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A57"
797 "6291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B",
798 1,
799 "03FFFFFFFFFFFFFF"
800 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18"
801 "FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47",
802 "2", 571
803 }
804};
805
806static int char2_curve_test(int n)
807{
808 int r = 0;
809 BN_CTX *ctx = NULL;
810 BIGNUM *p = NULL, *a = NULL, *b = NULL;
811 BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
812 EC_GROUP *group = NULL, *variable = NULL;
813 EC_POINT *P = NULL, *Q = NULL, *R = NULL;
814 const EC_POINT *points[3];
815 const BIGNUM *scalars[3];
816 struct c2_curve_test *const test = char2_curve_tests + n;
817
818 if (!TEST_ptr(ctx = BN_CTX_new())
819 || !TEST_ptr(p = BN_new())
820 || !TEST_ptr(a = BN_new())
821 || !TEST_ptr(b = BN_new())
822 || !TEST_ptr(x = BN_new())
823 || !TEST_ptr(y = BN_new())
824 || !TEST_ptr(z = BN_new())
825 || !TEST_ptr(yplusone = BN_new())
826 || !TEST_true(BN_hex2bn(&p, test->p))
827 || !TEST_true(BN_hex2bn(&a, test->a))
828 || !TEST_true(BN_hex2bn(&b, test->b))
829 || !TEST_true(group = EC_GROUP_new(EC_GF2m_simple_method()))
9cc570d4 830 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
2db85ac9
P		 831 || !TEST_ptr(P = EC_POINT_new(group))
832 || !TEST_ptr(Q = EC_POINT_new(group))
833 || !TEST_ptr(R = EC_POINT_new(group))
834 || !TEST_true(BN_hex2bn(&x, test->x))
835 || !TEST_true(BN_hex2bn(&y, test->y))
836 || !TEST_true(BN_add(yplusone, y, BN_value_one())))
837 goto err;
838
839/* Change test based on whether binary point compression is enabled or not. */
840# ifdef OPENSSL_EC_BIN_PT_COMP
841 /*
842 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
843 * and therefore setting the coordinates should fail.
844 */
9cc570d4
MC		 845 if (!TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, ctx))
846 || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x,
847 test->y_bit,
848 ctx))
2db85ac9
P		 849 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
850 || !TEST_true(BN_hex2bn(&z, test->order))
851 || !TEST_true(BN_hex2bn(&cof, test->cof))
852 || !TEST_true(EC_GROUP_set_generator(group, P, z, cof))
9cc570d4 853 || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
2db85ac9 854 goto err;
37916462
P		 855 TEST_info("%s -- Generator", test->name);
856 test_output_bignum("x", x);
857 test_output_bignum("y", y);
2db85ac9
P		 858 /* G_y value taken from the standard: */
859 if (!TEST_true(BN_hex2bn(&z, test->y))
dc352c19 860 || !TEST_BN_eq(y, z))
2db85ac9
P		 861 goto err;
862# else
863 /*
864 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
865 * and therefore setting the coordinates should fail.
866 */
9cc570d4
MC		 867 if (!TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, ctx))
868 || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
2db85ac9
P		 869 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
870 || !TEST_true(BN_hex2bn(&z, test->order))
871 || !TEST_true(BN_hex2bn(&cof, test->cof))
872 || !TEST_true(EC_GROUP_set_generator(group, P, z, cof)))
873 goto err;
37916462
P		 874 TEST_info("%s -- Generator:", test->name);
875 test_output_bignum("x", x);
876 test_output_bignum("y", y);
2db85ac9
P		 877# endif
878
879 if (!TEST_int_eq(EC_GROUP_get_degree(group), test->degree)
880 || !group_order_tests(group)
881 || !TEST_ptr(variable = EC_GROUP_new(EC_GROUP_method_of(group)))
882 || !TEST_true(EC_GROUP_copy(variable, group)))
883 goto err;
884
885 /* more tests using the last curve */
886 if (n == OSSL_NELEM(char2_curve_tests) - 1) {
9cc570d4 887 if (!TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
2db85ac9
P		 888 || !TEST_true(EC_POINT_copy(Q, P))
889 || !TEST_false(EC_POINT_is_at_infinity(group, Q))
890 || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
891 || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
892 || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
893 || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
894 || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
895 || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
896 || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
897 goto err;
0f113f3e 898
0f113f3e
MC		 899 points[0] = Q;
900 points[1] = Q;
901 points[2] = Q;
2db85ac9
P		 902
903 if (!TEST_true(BN_add(y, z, BN_value_one()))
dc352c19 904 || !TEST_BN_even(y)
2db85ac9
P		 905 || !TEST_true(BN_rshift1(y, y)))
906 goto err;
0f113f3e
MC		 907 scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
908 scalars[1] = y;
909
37916462 910 TEST_note("combined multiplication ...");
0f113f3e
MC		 911
912 /* z is still the group order */
2db85ac9
P		 913 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
914 || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
915 || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
916 || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx)))
917 goto err;
918
5ecff87d 919 if (!TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
2db85ac9
P		 920 || !TEST_true(BN_add(z, z, y)))
921 goto err;
0f113f3e
MC		 922 BN_set_negative(z, 1);
923 scalars[0] = y;
924 scalars[1] = z; /* z = -(order + y) */
925
2db85ac9
P		 926 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
927 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
928 goto err;
0f113f3e 929
5ecff87d 930 if (!TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
2db85ac9
P		 931 || !TEST_true(BN_add(z, x, y)))
932 goto err;
0f113f3e
MC		 933 BN_set_negative(z, 1);
934 scalars[0] = x;
935 scalars[1] = y;
936 scalars[2] = z; /* z = -(x+y) */
937
2db85ac9
P		 938 if (!TEST_true(EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx))
939 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
940 goto err;;
0f113f3e
MC		 941 }
942
2db85ac9
P		 943 r = 1;
944err:
23a1d5e9 945 BN_CTX_free(ctx);
0f113f3e
MC		 946 BN_free(p);
947 BN_free(a);
948 BN_free(b);
0f113f3e
MC		 949 BN_free(x);
950 BN_free(y);
951 BN_free(z);
1e2012b7 952 BN_free(yplusone);
2db85ac9
P		 953 BN_free(cof);
954 EC_POINT_free(P);
955 EC_POINT_free(Q);
956 EC_POINT_free(R);
957 EC_GROUP_free(group);
958 EC_GROUP_free(variable);
959 return r;
0f113f3e 960}
7793f30e 961
2db85ac9 962static int char2_field_tests(void)
0f113f3e
MC		 963{
964 BN_CTX *ctx = NULL;
2db85ac9
P		 965 BIGNUM *p = NULL, *a = NULL, *b = NULL;
966 EC_GROUP *group = NULL, *tmp = NULL;
967 EC_POINT *P = NULL, *Q = NULL, *R = NULL;
968 BIGNUM *x = NULL, *y = NULL, *z = NULL, *cof = NULL, *yplusone = NULL;
0f113f3e 969 unsigned char buf[100];
37916462 970 size_t len;
2db85ac9 971 int k, r = 0;
0f113f3e 972
2db85ac9
P		 973 if (!TEST_ptr(ctx = BN_CTX_new())
974 || !TEST_ptr(p = BN_new())
975 || !TEST_ptr(a = BN_new())
976 || !TEST_ptr(b = BN_new())
977 || !TEST_true(BN_hex2bn(&p, "13"))
978 || !TEST_true(BN_hex2bn(&a, "3"))
979 || !TEST_true(BN_hex2bn(&b, "1")))
980 goto err;
0f113f3e
MC		 981
982 group = EC_GROUP_new(EC_GF2m_simple_method()); /* applications should use
983 * EC_GROUP_new_curve_GF2m
984 * so that the library gets
985 * to choose the EC_METHOD */
2db85ac9 986 if (!TEST_ptr(group)
9cc570d4 987 || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
2db85ac9
P		 988 || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
989 || !TEST_true(EC_GROUP_copy(tmp, group)))
990 goto err;
991 EC_GROUP_free(group);
992 group = tmp;
993 tmp = NULL;
994
9cc570d4 995 if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
2db85ac9
P		 996 goto err;
997
37916462
P		 998 TEST_info("Curve defined by Weierstrass equation");
999 TEST_note(" y^2 + x*y = x^3 + a*x^2 + b (mod p)");
1000 test_output_bignum("a", a);
1001 test_output_bignum("b", b);
1002 test_output_bignum("p", p);
2db85ac9
P		 1003
1004 if (!TEST_ptr(P = EC_POINT_new(group))
1005 || !TEST_ptr(Q = EC_POINT_new(group))
1006 || !TEST_ptr(R = EC_POINT_new(group))
1007 || !TEST_true(EC_POINT_set_to_infinity(group, P))
1008 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
1009 goto err;
0f113f3e
MC		 1010
1011 buf[0] = 0;
2db85ac9
P		 1012 if (!TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
1013 || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
1014 || !TEST_true(EC_POINT_is_at_infinity(group, P))
1015 || !TEST_ptr(x = BN_new())
1016 || !TEST_ptr(y = BN_new())
1017 || !TEST_ptr(z = BN_new())
1018 || !TEST_ptr(cof = BN_new())
1019 || !TEST_ptr(yplusone = BN_new())
1020 || !TEST_true(BN_hex2bn(&x, "6"))
7793f30e 1021/* Change test based on whether binary point compression is enabled or not. */
0f113f3e 1022# ifdef OPENSSL_EC_BIN_PT_COMP
9cc570d4 1023 || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx))
0f113f3e 1024# else
2db85ac9 1025 || !TEST_true(BN_hex2bn(&y, "8"))
9cc570d4 1026 || !TEST_true(EC_POINT_set_affine_coordinates(group, Q, x, y, ctx))
0f113f3e 1027# endif
2db85ac9
P		 1028 )
1029 goto err;
1030 if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
7793f30e 1031/* Change test based on whether binary point compression is enabled or not. */
0f113f3e 1032# ifdef OPENSSL_EC_BIN_PT_COMP
9cc570d4 1033 if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)))
2db85ac9 1034 goto err;
0f113f3e 1035# endif
37916462
P		 1036 TEST_info("Point is not on curve");
1037 test_output_bignum("x", x);
1038 test_output_bignum("y", y);
2db85ac9 1039 goto err;
0f113f3e
MC		 1040 }
1041
37916462 1042 TEST_note("A cyclic subgroup:");
0f113f3e
MC		 1043 k = 100;
1044 do {
2db85ac9
P		 1045 if (!TEST_int_ne(k--, 0))
1046 goto err;
0f113f3e
MC		 1047
1048 if (EC_POINT_is_at_infinity(group, P))
37916462 1049 TEST_note(" point at infinity");
0f113f3e 1050 else {
9cc570d4
MC		 1051 if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
1052 ctx)))
2db85ac9
P		 1053 goto err;
1054
37916462
P		 1055 test_output_bignum("x", x);
1056 test_output_bignum("y", y);
0f113f3e
MC		 1057 }
1058
2db85ac9
P		 1059 if (!TEST_true(EC_POINT_copy(R, P))
1060 || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
1061 goto err;
0f113f3e
MC		 1062 }
1063 while (!EC_POINT_is_at_infinity(group, P));
1064
2db85ac9
P		 1065 if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
1066 || !TEST_true(EC_POINT_is_at_infinity(group, P)))
1067 goto err;
7793f30e
BM		 1068
1069/* Change test based on whether binary point compression is enabled or not. */
0f113f3e 1070# ifdef OPENSSL_EC_BIN_PT_COMP
2db85ac9 1071 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED,
cbe29648 1072 buf, sizeof(buf), ctx);
2db85ac9
P		 1073 if (!TEST_size_t_ne(len, 0)
1074 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1075 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1076 goto err;
37916462
P		 1077 test_output_memory("Generator as octet string, compressed form:",
1078 buf, len);
0f113f3e
MC		 1079# endif
1080
2db85ac9 1081 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
cbe29648 1082 buf, sizeof(buf), ctx);
2db85ac9
P		 1083 if (!TEST_size_t_ne(len, 0)
1084 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1085 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1086 goto err;
37916462
P		 1087 test_output_memory("Generator as octet string, uncompressed form:",
1088 buf, len);
7793f30e 1089
0f113f3e
MC		 1090/* Change test based on whether binary point compression is enabled or not. */
1091# ifdef OPENSSL_EC_BIN_PT_COMP
1092 len =
cbe29648 1093 EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof(buf),
0f113f3e 1094 ctx);
2db85ac9
P		 1095 if (!TEST_size_t_ne(len, 0)
1096 || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
1097 || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
1098 goto err;
37916462
P		 1099 test_output_memory("Generator as octet string, hybrid form:",
1100 buf, len);
0f113f3e
MC		 1101# endif
1102
2db85ac9
P		 1103 if (!TEST_true(EC_POINT_invert(group, P, ctx))
1104 || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)))
1105 goto err;
0f113f3e 1106
37916462 1107 TEST_note("\n");
0f113f3e 1108
2db85ac9
P		 1109 r = 1;
1110err:
23a1d5e9 1111 BN_CTX_free(ctx);
0f113f3e
MC		 1112 BN_free(p);
1113 BN_free(a);
1114 BN_free(b);
1115 EC_GROUP_free(group);
2db85ac9 1116 EC_GROUP_free(tmp);
0f113f3e
MC		 1117 EC_POINT_free(P);
1118 EC_POINT_free(Q);
1119 EC_POINT_free(R);
1120 BN_free(x);
1121 BN_free(y);
1122 BN_free(z);
1123 BN_free(cof);
1e2012b7 1124 BN_free(yplusone);
2db85ac9 1125 return r;
0f113f3e
MC		 1126}
1127# endif
7793f30e 1128
2db85ac9 1129static int internal_curve_test(int n)
0f113f3e 1130{
2db85ac9
P		 1131 EC_GROUP *group = NULL;
1132 int nid = curves[n].nid;
0f113f3e 1133
2db85ac9
P		 1134 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
1135 TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n",
1136 OBJ_nid2sn(nid));
1137 return 0;
0f113f3e 1138 }
2db85ac9
P		 1139 if (!TEST_true(EC_GROUP_check(group, NULL))) {
1140 TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid));
0f113f3e 1141 EC_GROUP_free(group);
2db85ac9 1142 return 0;
0f113f3e 1143 }
2db85ac9
P		 1144 EC_GROUP_free(group);
1145 return 1;
1146}
920ed8c8 1147
2db85ac9
P		 1148static int internal_curve_test_method(int n)
1149{
1150 int r, nid = curves[n].nid;
1151 EC_GROUP *group;
920ed8c8 1152
2db85ac9
P		 1153 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
1154 TEST_info("Curve %s failed\n", OBJ_nid2sn(nid));
1155 return 0;
1156 }
1157 r = group_order_tests(group);
1158 EC_GROUP_free(group);
1159 return r;
0f113f3e
MC		 1160}
1161
1162# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
1163/*
1164 * nistp_test_params contains magic numbers for testing our optimized
1165 * implementations of several NIST curves with characteristic > 3.
1166 */
1167struct nistp_test_params {
3f5abab9 1168 const EC_METHOD *(*meth) (void);
0f113f3e
MC		 1169 int degree;
1170 /*
1171 * Qx, Qy and D are taken from
79caf5d3 1172 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
0f113f3e
MC		 1173 * Otherwise, values are standard curve parameters from FIPS 180-3
1174 */
1175 const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
1176};
1177
1178static const struct nistp_test_params nistp_tests_params[] = {
1179 {
1180 /* P-224 */
1181 EC_GFp_nistp224_method,
1182 224,
1183 /* p */
1184 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
1185 /* a */
1186 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
1187 /* b */
1188 "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
1189 /* Qx */
1190 "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E",
1191 /* Qy */
1192 "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555",
1193 /* Gx */
1194 "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
1195 /* Gy */
1196 "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
1197 /* order */
1198 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
1199 /* d */
1200 "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8",
1201 },
1202 {
1203 /* P-256 */
1204 EC_GFp_nistp256_method,
1205 256,
1206 /* p */
1207 "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
1208 /* a */
1209 "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
1210 /* b */
1211 "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
1212 /* Qx */
1213 "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19",
1214 /* Qy */
1215 "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09",
1216 /* Gx */
1217 "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
1218 /* Gy */
1219 "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
1220 /* order */
1221 "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
1222 /* d */
1223 "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96",
1224 },
1225 {
1226 /* P-521 */
1227 EC_GFp_nistp521_method,
1228 521,
1229 /* p */
2db85ac9
P		 1230 "1ff"
1231 "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
1232 "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
0f113f3e 1233 /* a */
2db85ac9
P		 1234 "1ff"
1235 "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
1236 "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
0f113f3e 1237 /* b */
2db85ac9
P		 1238 "051"
1239 "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1"
1240 "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
0f113f3e 1241 /* Qx */
2db85ac9
P		 1242 "0098"
1243 "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e"
1244 "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
0f113f3e 1245 /* Qy */
2db85ac9
P		 1246 "0164"
1247 "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8"
1248 "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
0f113f3e 1249 /* Gx */
2db85ac9
P		 1250 "c6"
1251 "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba"
1252 "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
0f113f3e 1253 /* Gy */
2db85ac9
P		 1254 "118"
1255 "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c"
1256 "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
0f113f3e 1257 /* order */
2db85ac9
P		 1258 "1ff"
1259 "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa"
1260 "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
0f113f3e 1261 /* d */
2db85ac9
P		 1262 "0100"
1263 "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee"
1264 "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
0f113f3e
MC		 1265 },
1266};
3e00b4c9 1267
2db85ac9 1268static int nistp_single_test(int idx)
0f113f3e 1269{
2db85ac9
P		 1270 const struct nistp_test_params *test = nistp_tests_params + idx;
1271 BN_CTX *ctx = NULL;
1272 BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL;
1273 BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL;
1274 EC_GROUP *NISTP = NULL;
1275 EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL;
1276 int r = 0;
0f113f3e 1277
37916462
P		 1278 TEST_note("NIST curve P-%d (optimised implementation):",
1279 test->degree);
2db85ac9
P		 1280 if (!TEST_ptr(ctx = BN_CTX_new())
1281 || !TEST_ptr(p = BN_new())
1282 || !TEST_ptr(a = BN_new())
1283 || !TEST_ptr(b = BN_new())
1284 || !TEST_ptr(x = BN_new())
1285 || !TEST_ptr(y = BN_new())
1286 || !TEST_ptr(m = BN_new())
1287 || !TEST_ptr(n = BN_new())
1288 || !TEST_ptr(order = BN_new())
1289 || !TEST_ptr(yplusone = BN_new())
1290
1291 || !TEST_ptr(NISTP = EC_GROUP_new(test->meth()))
1292 || !TEST_true(BN_hex2bn(&p, test->p))
1293 || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
1294 || !TEST_true(BN_hex2bn(&a, test->a))
1295 || !TEST_true(BN_hex2bn(&b, test->b))
9cc570d4 1296 || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx))
2db85ac9
P		 1297 || !TEST_ptr(G = EC_POINT_new(NISTP))
1298 || !TEST_ptr(P = EC_POINT_new(NISTP))
1299 || !TEST_ptr(Q = EC_POINT_new(NISTP))
1300 || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP))
1301 || !TEST_true(BN_hex2bn(&x, test->Qx))
1302 || !TEST_true(BN_hex2bn(&y, test->Qy))
1303 || !TEST_true(BN_add(yplusone, y, BN_value_one()))
1e2012b7
EK		 1304 /*
1305 * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
1306 * and therefore setting the coordinates should fail.
1307 */
9cc570d4
MC		 1308 || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x,
1309 yplusone, ctx))
1310 || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y,
1311 ctx))
2db85ac9
P		 1312 || !TEST_true(BN_hex2bn(&x, test->Gx))
1313 || !TEST_true(BN_hex2bn(&y, test->Gy))
9cc570d4 1314 || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx))
2db85ac9
P		 1315 || !TEST_true(BN_hex2bn(&order, test->order))
1316 || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
1317 || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
1318 goto err;
1319
37916462 1320 TEST_note("NIST test vectors ... ");
2db85ac9
P		 1321 if (!TEST_true(BN_hex2bn(&n, test->d)))
1322 goto err;
0f113f3e
MC		 1323 /* fixed point multiplication */
1324 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
2db85ac9
P		 1325 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1326 goto err;
0f113f3e
MC		 1327 /* random point multiplication */
1328 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
2db85ac9
P		 1329 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
1330
1331 /* set generator to P = 2*G, where G is the standard generator */
1332 || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx))
1333 || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
1334 /* set the scalar to m=n/2, where n is the NIST test scalar */
1335 || !TEST_true(BN_rshift(m, n, 1)))
1336 goto err;
0f113f3e
MC		 1337
1338 /* test the non-standard generator */
1339 /* fixed point multiplication */
1340 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
2db85ac9
P		 1341 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1342 goto err;
0f113f3e
MC		 1343 /* random point multiplication */
1344 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
2db85ac9 1345 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
0f113f3e 1346
8ce4e7e6
MC		 1347 /*
1348 * We have not performed precomputation so have_precompute mult should be
1349 * false
1350 */
2db85ac9 1351 || !TEST_false(EC_GROUP_have_precompute_mult(NISTP))
8ce4e7e6 1352
0f113f3e 1353 /* now repeat all tests with precomputation */
2db85ac9
P		 1354 || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx))
1355 || !TEST_true(EC_GROUP_have_precompute_mult(NISTP)))
1356 goto err;
0f113f3e
MC		 1357
1358 /* fixed point multiplication */
1359 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
2db85ac9
P		 1360 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1361 goto err;
0f113f3e
MC		 1362 /* random point multiplication */
1363 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
2db85ac9 1364 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
0f113f3e
MC		 1365
1366 /* reset generator */
2db85ac9
P		 1367 || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())))
1368 goto err;
0f113f3e
MC		 1369 /* fixed point multiplication */
1370 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
2db85ac9
P		 1371 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1372 goto err;
0f113f3e
MC		 1373 /* random point multiplication */
1374 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
2db85ac9
P		 1375 if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
1376 goto err;
0f113f3e 1377
dc55e4f7
DB		 1378 /* regression test for felem_neg bug */
1379 if (!TEST_true(BN_set_word(m, 32))
1380 || !TEST_true(BN_set_word(n, 31))
1381 || !TEST_true(EC_POINT_copy(P, G))
1382 || !TEST_true(EC_POINT_invert(NISTP, P, ctx))
1383 || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx))
1384 || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx)))
1385 goto err;
1386
2db85ac9
P		 1387 r = group_order_tests(NISTP);
1388err:
0f113f3e
MC		 1389 EC_GROUP_free(NISTP);
1390 EC_POINT_free(G);
1391 EC_POINT_free(P);
1392 EC_POINT_free(Q);
1393 EC_POINT_free(Q_CHECK);
1394 BN_free(n);
1395 BN_free(m);
1396 BN_free(p);
1397 BN_free(a);
1398 BN_free(b);
1399 BN_free(x);
1400 BN_free(y);
1401 BN_free(order);
1e2012b7 1402 BN_free(yplusone);
0f113f3e 1403 BN_CTX_free(ctx);
2db85ac9 1404 return r;
0f113f3e
MC		 1405}
1406# endif
7793f30e 1407
fc6f579a
DB		 1408static const unsigned char p521_named[] = {
1409 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23,
1410};
1411
1412static const unsigned char p521_explicit[] = {
1413 0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a,
1414 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff,
1415 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1416 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1417 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1418 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1419 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1420 0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff,
1421 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1422 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1423 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1424 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1425 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1426 0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a,
1427 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72,
1428 0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09,
1429 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 0x52, 0xc0,
1430 0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34,
1431 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00,
1432 0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17,
1433 0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04,
1434 0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e,
1435 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
1436 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b,
1437 0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
1438 0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e,
1439 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78,
1440 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9,
1441 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17,
1442 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40,
1443 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86,
1444 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
1445 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1446 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1447 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa,
1448 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48,
1449 0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae,
1450 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
1451};
1452
2db85ac9 1453static int parameter_test(void)
0110a470 1454{
2db85ac9
P		 1455 EC_GROUP *group = NULL, *group2 = NULL;
1456 ECPARAMETERS *ecparameters = NULL;
fc6f579a
DB		 1457 unsigned char *buf = NULL;
1458 int r = 0, len;
1459
1460 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp112r1))
1461 || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
1462 || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
1463 || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
1464 goto err;
1465
1466 EC_GROUP_free(group);
1467 group = NULL;
0110a470 1468
fc6f579a
DB		 1469 /* Test the named curve encoding, which should be default. */
1470 if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1))
1471 || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
1472 || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named)))
1473 goto err;
1474
1475 OPENSSL_free(buf);
1476 buf = NULL;
1477
1478 /*
1479 * Test the explicit encoding. P-521 requires correctly zero-padding the
1480 * curve coefficients.
1481 */
1482 EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
1483 if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
1484 || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit)))
1485 goto err;
0110a470 1486
fc6f579a
DB		 1487 r = 1;
1488err:
0110a470
KY		 1489 EC_GROUP_free(group);
1490 EC_GROUP_free(group2);
1491 ECPARAMETERS_free(ecparameters);
fc6f579a 1492 OPENSSL_free(buf);
2db85ac9 1493 return r;
0110a470 1494}
2db85ac9 1495#endif
7793f30e 1496
ad887416 1497int setup_tests(void)
0f113f3e 1498{
2db85ac9 1499#ifndef OPENSSL_NO_EC
2db85ac9
P		 1500 crv_len = EC_get_builtin_curves(NULL, 0);
1501 if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len))
1502 || !TEST_true(EC_get_builtin_curves(curves, crv_len)))
ad887416 1503 return 0;
0f113f3e 1504
2db85ac9
P		 1505 ADD_TEST(parameter_test);
1506 ADD_TEST(prime_field_tests);
0f113f3e 1507# ifndef OPENSSL_NO_EC2M
2db85ac9
P		 1508 ADD_TEST(char2_field_tests);
1509 ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
0f113f3e
MC		 1510# endif
1511# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
2db85ac9 1512 ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
0f113f3e 1513# endif
2db85ac9
P		 1514 ADD_ALL_TESTS(internal_curve_test, crv_len);
1515 ADD_ALL_TESTS(internal_curve_test_method, crv_len);
ad887416
P		 1516#endif
1517 return 1;
1518}
0f113f3e 1519
ad887416
P		 1520void cleanup_tests(void)
1521{
f50b5f37 1522#ifndef OPENSSL_NO_EC
2db85ac9 1523 OPENSSL_free(curves);
f50b5f37 1524#endif
0f113f3e 1525}
A mirror of the official openssl repository