Rework EC documentation

This replaces the giant, poor quality and outdated EC_GROUP_copy.3,
EC_GROUP_new.3, and EC_POINT_new.3 manuals with seven new manuals
written from scratch.

* EC_GROUP_new_by_curve_name() is the entry point for builtin curves,
* EC_GROUP_new_curve_GFp() describes lower level API that should not
  usually be needed apart from a handful of accessors.
* EC_GROUP_check() contains two functions that applications should not
  need because either you know for certain something is an elliptic
  curve (so these checks are pointless) or you should not use it.
* EC_GROUP_get_curve_name() describes some low level ASN.1 footguns
  and corresponding getters.
* EC_POINT_new() contains the simple EC_POINT allocation and freeing API
* EC_POINT_get_affine_coordinates() contains the coordinate accessors
* EC_POINT_point2oct() is about encoding elliptic curve points

While all this is quite far from perfect, the diff is getting too big
and it will be easier to improve this in tree. It is definitely more
repetitive than I would like it to be.

Reviews, tweaks and general feedback are of course welcome.

discussed with jsing

13 files changed, 1998 insertions, 1242 deletions

diff --git a/src/lib/libcrypto/man/EC_GROUP_check.3 b/src/lib/libcrypto/man/EC_GROUP_check.3
new file mode 100644
index 0000000000..e000be212b
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_GROUP_check.3
@@ -0,0 +1,157 @@
+.\" $OpenBSD: EC_GROUP_check.3,v 1.1 2025/04/25 19:57:12 tb Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: April 25 2025 $
+.Dt EC_GROUP_CHECK 3
+.Os
+.Sh NAME
+.Nm EC_GROUP_check_discriminant ,
+.Nm EC_GROUP_check
+.Nd partially check validity of
+.Vt EC_GROUP
+objects
+.Sh SYNOPSIS
+.In openssl/bn.h
+.In openssl/ec.h
+.Pp
+Deprecated:
+.Pp
+.Ft "int"
+.Fo EC_GROUP_check_discriminant
+.Fa "const EC_GROUP *group"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft "int"
+.Fo EC_GROUP_check
+.Fa "const EC_GROUP *group"
+.Fa "BN_CTX *ctx"
+.Fc
+.Sh DESCRIPTION
+These functions are deprecated.
+Only standardized curves built into the library should be used, see
+.Xr EC_GROUP_new_by_curve_name 3 .
+For builtin curves far more thorough checks than the minimal checks
+performed by these functions have been performed.
+.Pp
+These functions have an optional
+.Fa ctx
+argument which is used to avoid the cost of repeated allocation of
+auxiliary
+.Vt BIGNUM
+objects.
+.Pp
+.Fn EC_GROUP_check_discriminant
+can be called after
+.Xr EC_GROUP_new_curve_GFp 3
+to verify that
+.Fa group Ns 's
+parameters have non-zero discriminant 4a^3 + 27b^2 modulo p.
+Assuming that
+.Fa p
+is a prime number larger than three
+this implies that the Weierstrass equation defines an elliptic curve.
+.Pp
+.Fn EC_GROUP_check
+partially verifies that
+.Fa group
+represents an an elliptic curve and that
+.Fa generator
+is a point on the curve whose order divides
+.Fa order .
+It checks with
+.Fn EC_GROUP_check_discriminant
+that the discriminant is non-zero
+and then verifies that that
+.Fa order
+is non-zero and that the product
+.Fa generator No * Fa order
+is the point at infinity.
+This implies that
+.Fa order
+is an integer multiple of the
+.Fa generator Ns 's
+.Fa order .
+The verification that
+.Fa p
+is a prime
+and that
+.Fa order
+is the
+.Fa generator Ns 's
+order are skipped because they are too expensive.
+.Sh RETURN VALUES
+.Fn EC_GROUP_check_discriminant
+returns 1 on success and 0 on failure.
+Failure modes include that the discriminant is zero modulo
+.Fa p
+and memory allocation failure.
+.Pp
+.Fn EC_GROUP_check
+returns 1 on success and 0 on failure.
+.Sh ERRORS
+Diagnostics for
+.Fn EC_GROUP_check
+that can be retrieved with
+.Xr ERR_get_error 3 ,
+.Xr ERR_GET_REASON 3 ,
+and
+.Xr ERR_reason_error_string 3
+include:
+.Bl -tag -width Ds
+.It Dv EC_R_DISCRIMINANT_IS_ZERO Qq "discriminant is zero"
+.Fn EC_GROUP_check_discriminant
+failed because the discriminant is zero or for some other reason.
+.It Dv EC_R_UNDEFINED_GENERATOR Qq "undefined generator"
+no generator is set on
+.Fa group ,
+for example because a call to
+.Xr EC_GROUP_set_generator 3
+is missing.
+.It Dv EC_R_POINT_IS_NOT_ON_CURVE Qq "point is not on curve"
+a generator is set, but it is not a point on the curve represented by
+.Fa group .
+.It Dv EC_R_UNDEFINED_ORDER Qq "undefined order"
+the
+.Fa order
+set on
+.Fa group
+is zero.
+.It Dv EC_R_INVALID_GROUP_ORDER Qq "invalid group order"
+.Fa generator No * Fa order
+is not the point at infinity.
+.El
+.Sh SEE ALSO
+.Xr BN_CTX_new 3 ,
+.Xr BN_is_zero 3 ,
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
+.Sh HISTORY
+.Fn EC_GROUP_check
+and
+.Fn EC_GROUP_check_discriminant
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/EC_GROUP_copy.3 b/src/lib/libcrypto/man/EC_GROUP_copy.3
deleted file mode 100644
index 2e5e798236..0000000000
--- a/src/lib/libcrypto/man/EC_GROUP_copy.3
+++ /dev/null
@@ -1,492 +0,0 @@
-.\" $OpenBSD: EC_GROUP_copy.3,v 1.16 2025/03/08 16:40:59 tb Exp $
-.\" full merge up to: OpenSSL d900a015 Oct 8 14:40:42 2015 +0200
-.\" selective merge up to: OpenSSL 24c23e1f Aug 22 10:51:25 2019 +0530
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>,
-.\" Dr. Stephen Henson <steve@openssl.org>,
-.\" and Jayaram X Matta <jayaramx.matta@intel.com>.
-.\" Copyright (c) 2013, 2015, 2019 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
-.Dt EC_GROUP_COPY 3
-.Os
-.Sh NAME
-.Nm EC_GROUP_copy ,
-.Nm EC_GROUP_dup ,
-.Nm EC_GROUP_set_generator ,
-.Nm EC_GROUP_get0_generator ,
-.Nm EC_GROUP_get_order ,
-.Nm EC_GROUP_order_bits ,
-.Nm EC_GROUP_get_cofactor ,
-.Nm EC_GROUP_set_curve_name ,
-.Nm EC_GROUP_get_curve_name ,
-.Nm EC_GROUP_set_asn1_flag ,
-.Nm EC_GROUP_get_asn1_flag ,
-.Nm EC_GROUP_set_point_conversion_form ,
-.Nm EC_GROUP_get_point_conversion_form ,
-.Nm EC_GROUP_get0_seed ,
-.Nm EC_GROUP_get_seed_len ,
-.Nm EC_GROUP_set_seed ,
-.Nm EC_GROUP_get_degree ,
-.Nm EC_GROUP_check ,
-.Nm EC_GROUP_check_discriminant ,
-.Nm EC_GROUP_cmp ,
-.Nm EC_GROUP_get_basis_type
-.Nd manipulate EC_GROUP objects
-.Sh SYNOPSIS
-.In openssl/ec.h
-.In openssl/bn.h
-.Ft int
-.Fo EC_GROUP_copy
-.Fa "EC_GROUP *dst"
-.Fa "const EC_GROUP *src"
-.Fc
-.Ft EC_GROUP *
-.Fo EC_GROUP_dup
-.Fa "const EC_GROUP *src"
-.Fc
-.Ft int
-.Fo EC_GROUP_set_generator
-.Fa "EC_GROUP *group"
-.Fa "const EC_POINT *generator"
-.Fa "const BIGNUM *order"
-.Fa "const BIGNUM *cofactor"
-.Fc
-.Ft const EC_POINT *
-.Fo EC_GROUP_get0_generator
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_order
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *order"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_order_bits
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_cofactor
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *cofactor"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft void
-.Fo EC_GROUP_set_curve_name
-.Fa "EC_GROUP *group"
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_curve_name
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft void
-.Fo EC_GROUP_set_asn1_flag
-.Fa "EC_GROUP *group"
-.Fa "int flag"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_asn1_flag
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft void
-.Fo EC_GROUP_set_point_conversion_form
-.Fa "EC_GROUP *group"
-.Fa "point_conversion_form_t form"
-.Fc
-.Ft point_conversion_form_t
-.Fo EC_GROUP_get_point_conversion_form
-.Fa "const EC_GROUP *"
-.Fc
-.Ft unsigned char *
-.Fo EC_GROUP_get0_seed
-.Fa "const EC_GROUP *x"
-.Fc
-.Ft size_t
-.Fo EC_GROUP_get_seed_len
-.Fa "const EC_GROUP *"
-.Fc
-.Ft size_t
-.Fo EC_GROUP_set_seed
-.Fa "EC_GROUP *"
-.Fa "const unsigned char *"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_degree
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_GROUP_check
-.Fa "const EC_GROUP *group"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_check_discriminant
-.Fa "const EC_GROUP *group"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_cmp
-.Fa "const EC_GROUP *a"
-.Fa "const EC_GROUP *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_basis_type
-.Fa "const EC_GROUP *"
-.Fc
-.Sh DESCRIPTION
-These functions operate on
-.Vt EC_GROUP
-objects created by the functions described in
-.Xr EC_GROUP_new 3 .
-.Pp
-.Fn EC_GROUP_copy
-copies the curve
-.Fa src
-into
-.Fa dst .
-Both
-.Fa src
-and
-.Fa dst
-must use the same
-.Vt EC_METHOD .
-.Pp
-.Fn EC_GROUP_dup
-creates a new
-.Vt EC_GROUP
-object and copies the content from
-.Fa src
-to the newly created
-.Vt EC_GROUP
-object.
-.Pp
-.Fn EC_GROUP_set_generator
-sets curve parameters that must be agreed by all participants using
-the curve.
-These parameters include the
-.Fa generator ,
-the
-.Fa order
-and the
-.Fa cofactor .
-The
-.Fa generator
-is a well defined point on the curve chosen for cryptographic
-operations.
-Integers used for point multiplications will be between 0 and
-.Fa order No - 1 .
-The
-.Fa order
-multiplied by the
-.Fa cofactor
-gives the number of points on the curve.
-.Pp
-.Fn EC_GROUP_get0_generator
-returns the generator for the identified
-.Fa group .
-.Pp
-.Fn EC_GROUP_get_order
-retrieves the order of the
-.Fa group
-and copies its value into
-.Fa order .
-It fails if the order of the
-.Fa group
-is not set or set to zero.
-.Pp
-.Fn EC_GROUP_get_cofactor
-retrieves the cofactor of the
-.Fa group
-and copies its value into
-.Fa cofactor .
-It fails if the cofactor of the
-.Fa group
-is not set or set to zero.
-.Pp
-The functions
-.Fn EC_GROUP_set_curve_name
-and
-.Fn EC_GROUP_get_curve_name
-set and get the NID for the curve, respectively (see
-.Xr EC_GROUP_new 3 ) .
-If a curve does not have a NID associated with it, then
-.Fn EC_GROUP_get_curve_name
-will return
-.Dv NID_undef .
-.Pp
-The asn1_flag value is used to determine whether the curve encoding
-uses explicit parameters or a named curve using an ASN.1 OID:
-many applications only support the latter form.
-If asn1_flag is the default value
-.Dv OPENSSL_EC_NAMED_CURVE ,
-then the named curve form is used and the parameters must have a
-corresponding named curve NID set.
-If asn1_flags is
-.Dv OPENSSL_EC_EXPLICIT_CURVE ,
-the parameters are explicitly encoded.
-The functions
-.Fn EC_GROUP_get_asn1_flag
-and
-.Fn EC_GROUP_set_asn1_flag
-get and set the status of the asn1_flag for the curve.
-.Pp
-The point_conversion_form for a curve controls how
-.Vt EC_POINT
-data is encoded as ASN.1 as defined in X9.62 (ECDSA).
-.Vt point_conversion_form_t
-is an enum defined as follows:
-.Bd -literal
-typedef enum {
-        /** the point is encoded as z||x, where the octet z specifies
-         *   which solution of the quadratic equation y is  */
-        POINT_CONVERSION_COMPRESSED = 2,
-        /** the point is encoded as z||x||y, where z is the octet 0x04  */
-        POINT_CONVERSION_UNCOMPRESSED = 4,
-        /** the point is encoded as z||x||y, where the octet z specifies
-         *  which solution of the quadratic equation y is  */
-        POINT_CONVERSION_HYBRID = 6
-} point_conversion_form_t;
-.Ed
-.Pp
-For
-.Dv POINT_CONVERSION_UNCOMPRESSED
-the point is encoded as an octet signifying the UNCOMPRESSED form
-has been used followed by the octets for x, followed by the octets
-for y.
-.Pp
-For any given x coordinate for a point on a curve it is possible to
-derive two possible y values.
-For
-.Dv POINT_CONVERSION_COMPRESSED
-the point is encoded as an octet signifying that the COMPRESSED
-form has been used AND which of the two possible solutions for y
-has been used, followed by the octets for x.
-.Pp
-For
-.Dv POINT_CONVERSION_HYBRID
-the point is encoded as an octet signifying the HYBRID form has
-been used AND which of the two possible solutions for y has been
-used, followed by the octets for x, followed by the octets for y.
-.Pp
-The functions
-.Fn EC_GROUP_set_point_conversion_form
-and
-.Fn EC_GROUP_get_point_conversion_form
-set and get the point_conversion_form for the curve, respectively.
-.Pp
-ANSI X9.62 (ECDSA standard) defines a method of generating the curve
-parameter b from a random number.
-This provides advantages in that a parameter obtained in this way is
-highly unlikely to be susceptible to special purpose attacks, or have
-any trapdoors in it.
-If the seed is present for a curve then the b parameter was generated in
-a verifiable fashion using that seed.
-The OpenSSL EC library does not use this seed value but does enable you
-to inspect it using
-.Fn EC_GROUP_get0_seed .
-This returns a pointer to a memory block containing the seed that was
-used.
-The length of the memory block can be obtained using
-.Fn EC_GROUP_get_seed_len .
-A number of the builtin curves within the library provide seed values
-that can be obtained.
-It is also possible to set a custom seed using
-.Fn EC_GROUP_set_seed
-and passing a pointer to a memory block, along with the length of
-the seed.
-Again, the EC library will not use this seed value, although it will be
-preserved in any ASN.1 based communications.
-.Pp
-.Fn EC_GROUP_get_degree
-gets the degree of the field.
-For Fp fields this will be the number of bits in p.
-For F2^m fields this will be the value m.
-.Pp
-The function
-.Fn EC_GROUP_check_discriminant
-calculates the discriminant for the curve and verifies that it is
-valid.
-For a curve defined over Fp the discriminant is given by the formula
-4*a^3 + 27*b^2 whilst for F2^m curves the discriminant is simply b.
-In either case for the curve to be valid the discriminant must be
-non-zero.
-.Pp
-The function
-.Fn EC_GROUP_check
-performs a number of checks on a curve to verify that it is valid.
-Checks performed include verifying that the discriminant is non-zero;
-that a generator has been defined; that the generator is on the curve
-and has the correct order.
-.Pp
-.Fn EC_GROUP_cmp
-compares
-.Fa a
-and
-.Fa b
-to determine whether they represent the same curve or not.
-.Pp
-.Fn EC_GROUP_get_basis_type
-always returns 0 and is only provided for compatibility.
-.Sh RETURN VALUES
-The following functions return 1 on success or 0 on error:
-.Fn EC_GROUP_copy ,
-.Fn EC_GROUP_set_generator ,
-.Fn EC_GROUP_check ,
-and
-.Fn EC_GROUP_check_discriminant .
-.Pp
-.Fn EC_GROUP_dup
-returns a pointer to the duplicated curve or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_GROUP_get0_generator
-returns the generator for the given curve or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_GROUP_get_order
-returns 0 if the order is not set or set to zero for the
-.Fa group
-or if copying into
-.Fa order
-fails, or 1 otherwise.
-.Pp
-.Fn EC_GROUP_order_bits
-returns the number of bits in the group order.
-.Pp
-.Fn EC_GROUP_get_cofactor
-returns 0 if the cofactor is not set or set to zero for the
-.Fa group
-or if copying into
-.Fa cofactor
-fails, or 1 otherwise.
-.Pp
-.Fn EC_GROUP_get_curve_name
-returns the curve name (NID) for the
-.Fa group
-or
-.Dv NID_undef
-if no curve name is associated.
-.Pp
-.Fn EC_GROUP_get_asn1_flag
-returns the ASN.1 flag for the specified
-.Fa group .
-.Pp
-.Fn EC_GROUP_get_point_conversion_form
-returns the point_conversion_form for the
-.Fa group .
-.Pp
-.Fn EC_GROUP_get_degree
-returns the degree for the
-.Fa group
-or 0 if the operation is not supported
-by the underlying group implementation.
-.Pp
-.Fn EC_GROUP_get0_seed
-returns a pointer to the seed that was used to generate the parameter
-b, or
-.Dv NULL
-if the seed is not specified.
-.Fn EC_GROUP_get_seed_len
-returns the length of the seed or 0 if the seed is not specified.
-.Pp
-.Fn EC_GROUP_set_seed
-returns the length of the seed that has been set.
-If the supplied seed is
-.Dv NULL
-or the supplied seed length is 0, the return value will be 1.
-On error 0 is returned.
-.Pp
-.Fn EC_GROUP_cmp
-returns 0 if the curves are equal, 1 if they are not equal,
-or -1 on error.
-.Pp
-.Fn EC_GROUP_get_basis_type
-always returns 0.
-.Sh SEE ALSO
-.Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_new 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EC_POINT_add 3 ,
-.Xr EC_POINT_new 3
-.Sh HISTORY
-.Fn EC_GROUP_copy ,
-.Fn EC_GROUP_set_generator ,
-.Fn EC_GROUP_get0_generator ,
-.Fn EC_GROUP_get_order ,
-and
-.Fn EC_GROUP_get_cofactor
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EC_GROUP_dup ,
-.Fn EC_GROUP_set_curve_name ,
-.Fn EC_GROUP_get_curve_name ,
-.Fn EC_GROUP_set_asn1_flag ,
-.Fn EC_GROUP_get_asn1_flag ,
-.Fn EC_GROUP_set_point_conversion_form ,
-.Fn EC_GROUP_get_point_conversion_form ,
-.Fn EC_GROUP_get0_seed ,
-.Fn EC_GROUP_get_seed_len ,
-.Fn EC_GROUP_set_seed ,
-.Fn EC_GROUP_get_degree ,
-.Fn EC_GROUP_check ,
-.Fn EC_GROUP_check_discriminant ,
-.Fn EC_GROUP_cmp ,
-and
-.Fn EC_GROUP_get_basis_type
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn EC_GROUP_order_bits
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/EC_GROUP_get_curve_name.3 b/src/lib/libcrypto/man/EC_GROUP_get_curve_name.3
new file mode 100644
index 0000000000..9a131fddfe
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_GROUP_get_curve_name.3
@@ -0,0 +1,264 @@
+.\" $OpenBSD: EC_GROUP_get_curve_name.3,v 1.1 2025/04/25 19:57:12 tb Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: April 25 2025 $
+.Dt EC_GROUP_GET_CURVE_NAME 3
+.Os
+.Sh NAME
+.Nm EC_GROUP_get_curve_name ,
+.Nm EC_GROUP_set_curve_name ,
+.Nm EC_GROUP_get_asn1_flag ,
+.Nm EC_GROUP_set_asn1_flag ,
+.Nm EC_GROUP_get0_seed ,
+.Nm EC_GROUP_get_seed_len ,
+.Nm EC_GROUP_set_seed ,
+.Nm EC_GROUP_get_point_conversion_form ,
+.Nm EC_GROUP_set_point_conversion_form ,
+.Nm EC_GROUP_get_basis_type
+.Nd configure and inspect details of the ASN.1 encoding of
+.Vt EC_GROUP
+and related objects
+.Sh SYNOPSIS
+.In openssl/ec.h
+.Ft int
+.Fo EC_GROUP_get_curve_name
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft void
+.Fo EC_GROUP_set_curve_name
+.Fa "EC_GROUP *group"
+.Fa "int nid"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_asn1_flag
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft void
+.Fo EC_GROUP_set_asn1_flag
+.Fa "EC_GROUP *group"
+.Fa "int flag"
+.Fc
+.Ft "unsigned char *"
+.Fo EC_GROUP_get0_seed
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft size_t
+.Fo EC_GROUP_get_seed_len
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft size_t
+.Fo EC_GROUP_set_seed
+.Fa "EC_GROUP *group"
+.Fa "const unsigned char *seed"
+.Fa "size_t len"
+.Fc
+.Bd -literal
+typedef enum {
+        POINT_CONVERSION_COMPRESSED = 2,
+        POINT_CONVERSION_UNCOMPRESSED = 4,
+        POINT_CONVERSION_HYBRID = 6
+} point_conversion_form_t;
+
+.Ed
+.Ft point_conversion_form_t
+.Fo EC_GROUP_get_point_conversion_form
+.Fa "const EC_GROUP *group"
+.Fc
+.Fo void
+.Ft EC_GROUP_set_point_conversion_form
+.Fa "EC_GROUP *group"
+.Fa "point_conversion_form_t form"
+.Fc
+.Pp
+Deprecated:
+.Ft int
+.Fo EC_GROUP_get_basis_type
+.Fa "const EC_GROUP *group"
+.Fc
+.Sh DESCRIPTION
+The functions in this manual affect or allow the inspection of
+the details of the ASN.1 encoding produced by the
+.Xr i2d_ECPKParameters 3
+family of functions.
+Modern applications use named curves and uncompressed point encoding,
+which are the default for
+.Xr EC_GROUP_new_by_curve_name 3 .
+.Pp
+In this library, Elliptic curve parameters are either encoded as a
+.Em named curve ,
+using an ASN.1 Object Identifier (OID) to refer to
+standardized parameters that need to be built into the library,
+or using
+.Em explicit curve parameters
+where the field, the curve equation, the base point's coordinates
+and other data are encoded explicitly.
+The
+.Em implicitly CA
+variant is not supported.
+.Pp
+.Fn EC_GROUP_get_curve_name
+gets the Numerical Identifier (NID) representation of the
+ASN.1 Object Identifier used for the named curve encoding of
+.Fa group .
+.Fn EC_GROUP_set_curve_name
+sets it to
+.Fa nid .
+.Pp
+.Fn EC_GROUP_get_asn1_flag
+retrieves the value of the
+.Fa asn1_flag
+member of
+.Fa group .
+If the bit corresponding to
+.Dv OPENSSL_EC_NAMED_CURVE
+is set, named curve encoding is used for
+.Fa group ,
+otherwise explicit encoding is used.
+.Fn EC_GROUP_set_asn1_flag
+sets the
+.Fa asn1_flag
+member of group to
+.Fa flag ,
+which should be either
+.Dv OPENSSL_EC_NAMED_CURVE
+to use named curve encoding or
+.Dv OPENSSL_EC_EXPLICIT_CURVE
+to use explicit encoding.
+.Pp
+The ASN.1 encoding of explicit curve parameters includes
+an optional seed value for parameters generated verifiably at random.
+If a seed value is set on
+.Fa group ,
+.Fn EC_GROUP_get0_seed
+returns a pointer to the internal byte string whose length is returned by
+.Fn EC_GROUP_get_seed_len .
+.Pp
+.Fn EC_GROUP_set_seed
+first clears any seed and length already stored in
+.Fa group .
+If
+.Fa seed
+is not
+.Dv NULL
+and
+.Fa len
+is not zero, it stores a copy of them in
+.Fa group .
+The
+.Fa seed
+should be a random byte string of
+.Fa len
+at least 20 bytes.
+The seed can be unset by passing
+.Dv NULL
+as a
+.Fa seed
+and a
+.Fa len
+of zero.
+The library does not perform any computation or validation with this seed,
+it only includes it in its ASN.1 encoded parameters,
+whether it contains a sensible value or not.
+.Pp
+Points on an elliptic curve, such as the generator or a public key,
+can be encoded in compressed form, uncompressed form,
+or in a hybrid form encompassing both, see
+.Xr EC_POINT_point2oct 3 .
+.Fn EC_GROUP_get_point_conversion_form
+retrieves the encoding used for points on
+.Fa group
+and
+.Fn EC_GROUP_set_point_conversion_form
+sets it to
+.Fa form .
+.Pp
+The deprecated
+.Fn EC_GROUP_get_basis_type
+only makes sense for curves over binary fields.
+It is provided for compatibility only.
+.Sh RETURN VALUES
+.Fn EC_GROUP_get_curve_name
+returns the NID to be used for named curve encoding of
+.Fa group
+or
+.Dv NID_undef
+if no NID is set.
+.Pp
+.Fn EC_GROUP_get_asn1_flag
+returns the value most recently set by
+.Fn EC_GROUP_set_asn1_flag
+on
+.Fa group .
+.Pp
+.Fn EC_GROUP_get0_seed
+returns an internal pointer to the
+.Fa seed
+on
+.Fa group
+or
+.Dv NULL
+if none is set.
+.Pp
+.Fn EC_GROUP_get_seed_len
+returns the byte length of the seed set on
+.Fa group
+or zero if none is set.
+.Pp
+.Fn EC_GROUP_set_seed
+returns 0 on memory allocation failure.
+It returns
+.Fa len
+on success unless
+.Fa seed
+is
+.Dv NULL
+or
+.Fa len
+is zero, in which case it returns 1.
+.Pp
+.Fn EC_GROUP_get_point_conversion_form
+returns the point conversion form last set by
+.Fn EC_GROUP_set_point_conversion_form
+on
+.Fa group .
+.Pp
+.Fn EC_GROUP_get_basis_type
+always returns
+.Dv NID_undef .
+.Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3 ,
+.Xr OBJ_obj2nid 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
+.Sh BUGS
+Most of the setters cannot report errors and none of them perform proper
+input validation and accept most of the values passed in.
+This can result in invalid or nonsensical ASN.1 encoding produced by
+.Xr i2d_ECPKParameters 3
+and related functions.
diff --git a/src/lib/libcrypto/man/EC_GROUP_new.3 b/src/lib/libcrypto/man/EC_GROUP_new.3
deleted file mode 100644
index 83e3e4c870..0000000000
--- a/src/lib/libcrypto/man/EC_GROUP_new.3
+++ /dev/null
@@ -1,353 +0,0 @@
-.\"     $OpenBSD: EC_GROUP_new.3,v 1.18 2025/03/08 16:38:13 tb Exp $
-.\"     OpenSSL 6328d367 Sat Jul 4 21:58:30 2020 +0200
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
-.Dt EC_GROUP_NEW 3
-.Os
-.Sh NAME
-.Nm EC_GROUP_new ,
-.Nm EC_GROUP_free ,
-.Nm EC_GROUP_clear_free ,
-.Nm EC_GROUP_new_curve_GFp ,
-.Nm EC_GROUP_new_by_curve_name ,
-.Nm EC_GROUP_set_curve ,
-.Nm EC_GROUP_get_curve ,
-.Nm EC_GROUP_set_curve_GFp ,
-.Nm EC_GROUP_get_curve_GFp ,
-.Nm EC_get_builtin_curves ,
-.Nm EC_curve_nid2nist ,
-.Nm EC_curve_nist2nid
-.Nd create and destroy EC_GROUP objects
-.Sh SYNOPSIS
-.In openssl/ec.h
-.In openssl/bn.h
-.Ft EC_GROUP *
-.Fo EC_GROUP_new
-.Fa "const EC_METHOD *meth"
-.Fc
-.Ft void
-.Fo EC_GROUP_free
-.Fa "EC_GROUP *group"
-.Fc
-.Ft void
-.Fo EC_GROUP_clear_free
-.Fa "EC_GROUP *group"
-.Fc
-.Ft EC_GROUP *
-.Fo EC_GROUP_new_curve_GFp
-.Fa "const BIGNUM *p"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft EC_GROUP *
-.Fo EC_GROUP_new_by_curve_name
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo EC_GROUP_set_curve
-.Fa "EC_GROUP *group"
-.Fa "const BIGNUM *p"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_curve
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *p"
-.Fa "BIGNUM *a"
-.Fa "BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_set_curve_GFp
-.Fa "EC_GROUP *group"
-.Fa "const BIGNUM *p"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_curve_GFp
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *p"
-.Fa "BIGNUM *a"
-.Fa "BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft size_t
-.Fo EC_get_builtin_curves
-.Fa "EC_builtin_curve *r"
-.Fa "size_t nitems"
-.Fc
-.Ft "const char *"
-.Fo EC_curve_nid2nist
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo EC_curve_nist2nid
-.Fa "const char *name"
-.Fc
-.Sh DESCRIPTION
-The EC library provides functions for performing operations on
-elliptic curves in Weierstrass form.
-Such curves are defined over the prime field of order
-.Fa p
-and satisfy the Weierstrass equation with coefficients
-.Fa a
-and
-.Fa b
-.Pp
-.Dl y^2 = x^3 + ax + b
-.Pp
-An
-.Vt EC_GROUP
-structure is used to represent the definition of an elliptic curve.
-A new curve can be constructed by calling
-.Fn EC_GROUP_new ,
-using the implementation provided by
-.Fa meth .
-It is then necessary to call
-.Fn EC_GROUP_set_curve
-to set the curve parameters.
-.Pp
-.Fn EC_GROUP_set_curve
-sets the curve parameters
-.Fa p ,
-.Fa a ,
-and
-.Fa b ,
-where
-.Fa a
-and
-.Fa b
-represent the coefficients of the curve equation.
-.Pp
-.Fn EC_GROUP_set_curve_GFp
-is a deprecated synonym for
-.Fn EC_GROUP_set_curve .
-.Pp
-.Fn EC_GROUP_get_curve
-obtains the previously set curve parameters.
-.Pp
-.Fn EC_GROUP_get_curve_GFp
-is a deprecated synonym for
-.Fn EC_GROUP_get_curve .
-.Pp
-The function
-.Fn EC_GROUP_new_curve_GFp
-is a shortcut for calling
-.Fn EC_GROUP_new
-and
-.Fn EC_GROUP_set_curve .
-An appropriate default implementation method will be used.
-.Pp
-Whilst the library can be used to create any curve using the functions
-described above, there are also a number of predefined curves that are
-available.
-In order to obtain a list of all of the predefined curves, call the
-function
-.Fn EC_get_builtin_curves .
-The parameter
-.Fa r
-should be an array of
-.Vt EC_builtin_cure
-structures of size
-.Fa nitems .
-The function will populate the
-.Fa r
-array with information about the builtin curves.
-If
-.Fa nitems
-is less than the total number of curves available, then the first
-.Fa nitems
-curves will be returned.
-Otherwise the total number of curves will be provided.
-The return value is the total number of curves available (whether that
-number has been populated in
-.Fa r
-or not).
-Passing a
-.Dv NULL
-.Fa r ,
-or setting
-.Fa nitems
-to 0, will do nothing other than return the total number of curves
-available.
-The
-.Vt EC_builtin_curve
-structure is defined as follows:
-.Bd -literal
-typedef struct {
-        int nid;
-        const char *comment;
-} EC_builtin_curve;
-.Ed
-.Pp
-Each
-.Vt EC_builtin_curve
-item has a unique integer ID
-.Pq Fa nid
-and a human readable comment string describing the curve.
-.Pp
-In order to construct a builtin curve, use the function
-.Fn EC_GROUP_new_by_curve_name
-and provide the
-.Fa nid
-of the curve to be constructed.
-.Pp
-.Fn EC_GROUP_free
-frees the memory associated with the
-.Vt EC_GROUP .
-If
-.Fa group
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn EC_GROUP_clear_free
-destroys any sensitive data held within the
-.Vt EC_GROUP
-and then frees its memory.
-If
-.Fa group
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-Some builtin curves can be identified by their NIST name
-in addition to a numerical identifier (NID).
-.Fn EC_curve_nid2nist
-and
-.Fn EC_curve_nist2nid
-translate between the two.
-The five built-in prime curves are:
-.Pp
-.Bl -column "NIST name" NID_X9_62_prime256v1 "deprecated in SP800-186" -compact
-.It No NIST Fa name Ta Em ASN.1 NID       Ta Em notes
-.It Qq P-192   Ta Dv NID_X9_62_prime192v1 Ta No deprecated in SP800-186
-.It Qq P-224   Ta Dv NID_secp224r1        Ta
-.It Qq P-256   Ta Dv NID_X9_62_prime256v1 Ta
-.It Qq P-384   Ta Dv NID_secp384r1        Ta
-.It Qq P-521   Ta Dv NID_secp521r1        Ta
-.El
-.Pp
-.Fn EC_curve_nid2nist
-and
-.Fn EC_curve_nist2nid
-also accept the ten binary curves defined in FIPS\& 186-4
-and deprecated in SP800-186,
-although they no longer correspond to builtin curves in LibreSSL.
-.Sh RETURN VALUES
-All
-.Fn EC_GROUP_new*
-functions return a pointer to the newly constructed group or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_get_builtin_curves
-returns the number of builtin curves that are available.
-.Pp
-.Fn EC_curve_nid2nist
-returns a string constant containing the NIST name if
-.Fa nid
-identifies a NIST curve or
-.Dv NULL
-otherwise.
-.Pp
-.Fn EC_curve_nist2nid
-returns the NID corresponding to the NIST curve
-.Fa name ,
-or
-.Dv NID_undef .
-.Pp
-.Fn EC_GROUP_set_curve ,
-.Fn EC_GROUP_get_curve ,
-.Fn EC_GROUP_set_curve_GFp ,
-and
-.Fn EC_GROUP_get_curve_GFp
-return 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EC_POINT_add 3 ,
-.Xr EC_POINT_new 3 ,
-.Xr ECDH_compute_key 3 ,
-.Xr ECDSA_SIG_new 3
-.Sh HISTORY
-.Fn EC_GROUP_new ,
-.Fn EC_GROUP_free ,
-.Fn EC_GROUP_clear_free ,
-.Fn EC_GROUP_new_curve_GFp ,
-.Fn EC_GROUP_set_curve_GFp ,
-and
-.Fn EC_GROUP_get_curve_GFp
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EC_GROUP_new_by_curve_name
-and
-.Fn EC_get_builtin_curves
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Fn EC_curve_nid2nist ,
-and
-.Fn EC_curve_nist2nid
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 5.8 .
-.Pp
-.Fn EC_GROUP_set_curve
-and
-.Fn EC_GROUP_get_curve
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/EC_GROUP_new_by_curve_name.3 b/src/lib/libcrypto/man/EC_GROUP_new_by_curve_name.3
new file mode 100644
index 0000000000..128b30eda5
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_GROUP_new_by_curve_name.3
@@ -0,0 +1,310 @@
+.\" $OpenBSD: EC_GROUP_new_by_curve_name.3,v 1.1 2025/04/25 19:57:12 tb Exp $
+.\"
+.\" Copyright (c) 2024, 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: April 25 2025 $
+.Dt EC_GROUP_NEW_BY_CURVE_NAME 3
+.Os
+.Sh NAME
+.Nm EC_GROUP_new_by_curve_name ,
+.Nm EC_GROUP_free ,
+.Nm EC_GROUP_dup ,
+.Nm EC_GROUP_cmp ,
+.Nm EC_get_builtin_curves ,
+.Nm EC_curve_nid2nist ,
+.Nm EC_curve_nist2nid
+.Nd instantiate named curves built into libcrypto
+.Sh SYNOPSIS
+.In openssl/bn.h
+.In openssl/ec.h
+.In openssl/objects.h
+.Ft "EC_GROUP *"
+.Fo EC_GROUP_new_by_curve_name
+.Fa "int nid"
+.Fc
+.Ft void
+.Fo EC_GROUP_free
+.Fa "EC_GROUP *group"
+.Fc
+.Ft EC_GROUP *
+.Fo EC_GROUP_dup
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft int
+.Fo EC_GROUP_cmp
+.Fa "const EC_GROUP *group1"
+.Fa "const EC_GROUP *group2"
+.Fa "BN_CTX *ctx"
+.Fc
+.Bd -literal
+typedef struct {
+        int nid;
+        const char *comment;
+} EC_builtin_curve;
+
+.Ed
+.Ft size_t
+.Fo EC_get_builtin_curves
+.Fa "EC_builtin_curve *curves"
+.Fa "size_t ncurves"
+.Fc
+.Ft int
+.Fo EC_curve_nist2nid
+.Fa "const char *name"
+.Fc
+.Ft "const char *"
+.Fo EC_curve_nid2nist
+.Fa "int nid"
+.Fc
+.Sh DESCRIPTION
+Most elliptic curves used in cryptographic protocols have a
+standardized representation as a
+.Em named curve ,
+where an ASN.1 Object Identifier (OID) is used instead of
+detailed domain parameters.
+This OID is represented internally by a Numerical Identifier (NID),
+and the parameters themselves must be built into the library.
+In the EC library the
+.Em curve name
+refers to this NID.
+.Pp
+.Fn EC_GROUP_new_by_curve_name
+returns a new
+.Vt EC_GROUP
+object representing the named curve corresponding to
+.Fa nid ,
+using the parameters built into the library.
+It is equivalent to passing the appropriate parameters to
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_GROUP_set_curve_name 3 ,
+.Xr EC_GROUP_set_generator 3
+and
+.Xr EC_GROUP_set_seed 3 .
+.Pp
+.Fn EC_GROUP_free
+frees
+.Fa group
+and all the memory associated with it.
+If
+.Fa group
+is
+.Dv NULL ,
+no action occurs.
+.Pp
+.Fn EC_GROUP_dup
+creates a deep copy of
+.Fa group .
+.Pp
+.Fn EC_GROUP_cmp
+is intended to determine whether
+.Fa group1
+and
+.Fa group2
+represent the same elliptic curve,
+making use of the optional
+.Fa ctx .
+If the curve name is set on both curves, they are compared as integers,
+then the prime field,
+the coefficients of the Weierstrass equation,
+the generators, their order and their cofactors are compared
+using
+.Xr BN_cmp 3
+or
+.Xr EC_POINT_cmp 3 ,
+respectively.
+.Pp
+.Fn EC_get_builtin_curves
+returns the number of builtin curves.
+If
+.Fa curves
+is
+.Dv NULL
+or
+.Fa ncurves
+is zero, it performs no other action.
+Otherwise, after reducing
+.Fa ncurves
+to the number of builtin curves if necessary,
+it copies the
+.Fa nid
+and a pointer to the
+.Fa comment
+of the first
+.Fa ncurves
+built-in curves to the array of
+.Vt EC_builtin_curve
+objects pointed to by
+.Fa curves
+and leaves the remainder of the array uninitialized.
+.Pp
+Some curves can be identified by their NIST name
+in addition to the numerical identifier (NID).
+.Fn EC_curve_nist2nid
+and
+.Fn EC_curve_nid2nist
+translate between the two.
+The builtin NIST curves over a prime field are:
+.Pp
+.Bl -column "NIST name" NID_X9_62_prime256v1 "deprecated in SP800-186" -compact
+.It No NIST Fa name Ta Em ASN.1 NID       Ta Em notes
+.It Qq P-224   Ta Dv NID_secp224r1        Ta
+.It Qq P-256   Ta Dv NID_X9_62_prime256v1 Ta also known as secp256r1
+.It Qq P-384   Ta Dv NID_secp384r1        Ta
+.It Qq P-521   Ta Dv NID_secp521r1        Ta
+.El
+.Pp
+.Fn EC_curve_nist2nid
+and
+.Fn EC_curve_nid2nist
+also accept the binary curves defined in FIPS\& 186-4
+and deprecated in SP800-186,
+as well as
+.Qq P-192
+and
+.Dv NID_X9_62_prime192v1 ,
+although all these no longer correspond to builtin curves in LibreSSL.
+.Sh RETURN VALUES
+.Fn EC_GROUP_new_by_curve_name
+returns a newly allocated group or
+.Dv NULL
+if there is no built-in group with NID
+.Fa nid ,
+or if memory allocation fails.
+.Pp
+.Fn EC_GROUP_dup
+returns a newly allocated group or
+.Dv NULL
+if memory allocation fails.
+.Pp
+.Fn EC_GROUP_cmp
+returns 1 if the groups are distinct, 0 if the groups are
+considered identical and \-1 on memory allocation error.
+.Pp
+.Fn EC_get_builtin_curves
+returns the number of builtin curves.
+.Pp
+.Fn EC_curve_nid2nist
+returns a string constant containing the NIST name if
+.Fa nid
+identifies a NIST curve or
+.Dv NULL
+otherwise.
+.Pp
+.Fn EC_curve_nist2nid
+returns the NID corresponding to the NIST curve
+.Fa name ,
+or
+.Dv NID_undef .
+.Sh EXAMPLES
+Print the list of builtin curves, their NIDs, their NIST name and
+a comment describing each curve:
+.Bd -literal
+#include <err.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <openssl/ec.h>
+
+int
+main(void)
+{
+        EC_builtin_curve *curves;
+        size_t ncurves, i;
+
+        if (pledge("stdio", NULL) == -1)
+                err(1, "pledge");
+
+        ncurves = EC_get_builtin_curves(NULL, 0);
+        if ((curves = calloc(ncurves, sizeof(*curves))) == NULL)
+                err(1, NULL);
+        (void)EC_get_builtin_curves(curves, ncurves);
+
+        printf("curve\etnid\etNIST\etcomment\en");
+        for (i = 0; i < ncurves; i++) {
+                const char *nist_name = EC_curve_nid2nist(curves[i].nid);
+
+                printf("%2zu\et%d\et%s\et%s\en", i, curves[i].nid,
+                    nist_name != NULL ? nist_name : "", curves[i].comment);
+        }
+
+        free(curves);
+
+        return 0;
+}
+.Ed
+.Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3 ,
+.Xr OBJ_nid2obj 3
+.Sh STANDARDS
+.Rs
+.%T SEC 1: Elliptic Curve Cryptography, Version 2.0
+.%U https://www.secg.org/sec1-v2.pdf
+.%D May 21, 2009
+.Re
+.Pp
+.Rs
+.%T SEC 2: Recommended Elliptic Curve Domain Parameters, Version 2.0
+.%U https://www.secg.org/sec2-v2.pdf
+.%D Jan 27, 2010
+.Re
+.Sh HISTORY
+.Fn EC_GROUP_free
+first appeared in OpenSSL 0.9.7 and has been available since
+.Ox 3.2 .
+.Pp
+.Fn EC_GROUP_new_by_curve_name ,
+.Fn EC_GROUP_cmp ,
+.Fn EC_GROUP_dup ,
+and
+.Fn EC_get_builtin_curves
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
+.Pp
+.Fn EC_curve_nid2nist
+and
+.Fn EC_curve_nist2nid
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 5.8 .
+.Sh BUGS
+.Fn EC_GROUP_cmp
+compares the coefficients of the Weierstrass equation as
+integers, not as elements of the prime field.
+It also treats the generator as mandatory while it is generally
+optional in the EC library.
+Aspects of the ASN.1 encoding controlled by the functions in
+.Xr EC_GROUP_get_asn1_flag 3 ,
+in particular seed, ASN.1 flag, and point conversion form,
+are ignored in the comparison.
+Group objects may therefore compare as equal and produce
+completely different ASN.1 encodings via
+.Xr i2d_ECPKParameters 3
+and related functions.
+In fact, either of these encodings might be valid or not,
+accepted or rejected by
+.Xr d2i_ECPKParameters 3 ,
+or the encoding might fail on one or both of the group objects.
diff --git a/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3 b/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3
new file mode 100644
index 0000000000..f13c969c28
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3
@@ -0,0 +1,450 @@
+.\" $OpenBSD: EC_GROUP_new_curve_GFp.3,v 1.1 2025/04/25 19:57:12 tb Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: April 25 2025 $
+.Dt EC_GROUP_NEW_CURVE_GFP 3
+.Os
+.Sh NAME
+.Nm EC_GROUP_new_curve_GFp ,
+.Nm EC_GROUP_set_curve ,
+.Nm EC_GROUP_get_curve ,
+.Nm EC_GROUP_set_generator ,
+.Nm EC_GROUP_get0_generator ,
+.Nm EC_GROUP_get_degree ,
+.Nm EC_GROUP_get_order ,
+.Nm EC_GROUP_order_bits ,
+.Nm EC_GROUP_get_cofactor ,
+.Nm EC_GROUP_clear_free ,
+.Nm EC_GROUP_set_curve_GFp ,
+.Nm EC_GROUP_get_curve_GFp
+.Nd define elliptic curves and retrieve information from them
+.Sh SYNOPSIS
+.In openssl/bn.h
+.In openssl/ec.h
+.Ft "EC_GROUP *"
+.Fo EC_GROUP_new_curve_GFp
+.Fa "const BIGNUM *p"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_set_curve
+.Fa "EC_GROUP *group"
+.Fa "const BIGNUM *p"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_curve
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *p"
+.Fa "BIGNUM *a"
+.Fa "BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_set_generator
+.Fa "EC_GROUP *group"
+.Fa "const EC_POINT *generator"
+.Fa "const BIGNUM *order"
+.Fa "const BIGNUM *cofactor"
+.Fc
+.Ft "const EC_POINT *"
+.Fo EC_GROUP_get0_generator
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_degree
+.Fa "const EC_GROUP *"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_order
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *order"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_order_bits
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_cofactor
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *cofactor"
+.Fa "BN_CTX *ctx"
+.Fc
+.Pp
+Deprecated:
+.Pp
+.Ft void
+.Fo EC_GROUP_clear_free
+.Fa "EC_GROUP *group"
+.Fc
+.Ft int
+.Fo EC_GROUP_set_curve_GFp
+.Fa "EC_GROUP *group"
+.Fa "const BIGNUM *p"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_curve_GFp
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *p"
+.Fa "BIGNUM *a"
+.Fa "BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Sh DESCRIPTION
+With the exception of the getters
+the functions in this manual should not be used.
+Use
+.Xr EC_GROUP_new_by_curve_name 3
+instead.
+.Pp
+The EC library uses
+.Vt EC_GROUP
+objects to represent
+elliptic curves in Weierstrass form.
+These curves are defined over the prime field of order
+.Fa p
+via the Weierstrass equation
+.Dl y^2 = x^3 + ax + b
+where
+.Fa a
+and
+.Fa b
+are such that the discriminant 4a^3 - 27b^2 is non-zero.
+.Pp
+The points on an elliptic curve form a group.
+Cryptographic applications usually depend on the choice of a
+.Fa generator
+whose multiples form a cyclic subgroup of a certain
+.Fa order .
+By Lagrange's theorem, the number of points on the elliptic curve is
+the product of
+.Fa order
+and another integer called the
+.Fa cofactor .
+Hasse's theorem is the inequality
+.Dl | Ns Fa order No * Fa cofactor No - (p + 1)| <= 2 sqrt(p)
+which implies an upper bound on
+.Fa order
+in terms of
+.Fa p
+and allows the computation of
+.Fa cofactor
+provided that
+.Fa order
+is large enough.
+.Pp
+.Fn EC_GROUP_new_curve_GFp
+instantiates a new
+.Vt EC_GROUP
+object over the prime field of size
+.Fa p
+with Weierstrass equation given by the coefficients
+.Fa a
+and
+.Fa b .
+The optional
+.Fa ctx
+is used to transform the other arguments into internal representation.
+It is the caller's responsibility to ensure that
+.Fa p
+is a prime number greater than three and that
+the discriminant is non-zero.
+This can be done with
+.Xr EC_GROUP_check_discriminant 3
+or as part of
+.Xr EC_GROUP_check 3
+after
+.Fn EC_GROUP_set_generator .
+.Pp
+.Fn EC_GROUP_set_curve
+sets the curve parameters of
+.Fa group
+to
+.Fa p ,
+.Fa a ,
+.Fa b
+using the optional
+.Fa ctx
+and the comments in
+.Fn EC_GROUP_new_curve_GFp
+apply.
+Existing
+.Fa generator ,
+.Fa order ,
+or
+.Fa cofactor
+on
+.Fa group
+are left unmodified and become most likely invalid.
+They must therefore be set to legitimate values using
+.Fn EC_GROUP_set_generator .
+.Pp
+.Fn EC_GROUP_get_curve
+copies the curve parameters of
+.Fa group
+into the caller-owned
+.Fa p ,
+.Fa a ,
+and
+.Fa b ,
+possibly making use of the
+.Fa ctx
+for conversion from internal representations.
+Except for
+.Fa group ,
+all arguments are optional.
+.Pp
+.Fn EC_GROUP_set_generator
+performs sanity checks based on Hasse's theorem
+and copies
+.Fa generator ,
+.Fa order
+and the optional
+.Fa cofactor
+into
+.Fa group ,
+replacing all existing entries.
+It is the caller's responsibility to ensure that
+.Fa generator
+is a point on the curve and that
+.Fa order
+is its order,
+which can partially be accomplished with a subsequent call to
+.Xr EC_GROUP_check 3 .
+If
+.Fa cofactor
+is
+.Dv NULL ,
+it can be computed on curves of cryptographic interest,
+in which case
+.Fa cofactor
+is set to the computed value, otherwise it is set to zero.
+.Pp
+.Fn EC_GROUP_get0_generator
+returns an internal pointer to the
+.Fa group Ns 's
+.Fa generator ,
+which may be
+.Dv NULL
+if no generator was set.
+.Pp
+.Fn EC_GROUP_get_degree
+returns the bit length of the prime
+.Fa p
+set on
+.Fa group .
+.Pp
+.Fn EC_GROUP_get_order
+copies the value of the
+.Fa group Ns 's
+.Fa order
+into the caller-owned
+.Fa order ,
+returning failure if the
+.Fa group Ns 's
+.Fa order
+is zero.
+The
+.Fa ctx
+argument is ignored.
+.Pp
+.Fn EC_GROUP_order_bits
+returns the number of bits in the
+.Fa group Ns 's
+.Fa order ,
+which is the result of calling
+.Xr BN_num_bits 3
+on
+.Fa order .
+Unlike
+.Fn EC_GROUP_get_order ,
+it does not fail if
+.Fa order
+is zero.
+.Pp
+.Fn EC_GROUP_get_cofactor
+copies the value of the
+.Fa group Ns 's
+.Fa cofactor
+into the caller-owned
+.Fa cofactor ,
+returning failure if the
+.Fa group Ns 's
+.Fa cofactor
+is zero.
+The
+.Fa ctx
+argument is ignored.
+.Pp
+The deprecated
+.Fn EC_GROUP_clear_free
+uses
+.Xr explicit_bzero 3
+and
+.Xr freezero 3
+to clear and free all data associated with
+.Fa group .
+If
+.Fa group
+is
+.Dv NULL ,
+no action occurs.
+Since there is no secret data in
+.Fa group ,
+this API is useless.
+In LibreSSL,
+.Xr EC_GROUP_free 3
+and
+.Fn EC_GROUP_clear_free
+behave identically.
+.Pp
+.Fn EC_GROUP_set_curve_GFp
+and
+.Fn EC_GROUP_get_curve_GFp
+are deprecated aliases for
+.Fn EC_GROUP_set_curve
+and
+.Fn EC_GROUP_get_curve ,
+respectively.
+.Sh RETURN VALUES
+.Fn EC_GROUP_new_curve_GFp
+returns a newly allocated group or
+.Dv NULL
+if memory allocation fails,
+or if some minimal sanity checks on
+.Fa p ,
+.Fa a ,
+and
+.Fa b
+fail.
+.Pp
+.Fn EC_GROUP_set_curve
+and
+.Fn EC_GROUP_set_curve_GFp
+return 1 on success and 0 on failure.
+Failure conditions include that
+.Fa p
+is smaller than or equal to three, or even, or
+memory allocation failure.
+.Pp
+.Fn EC_GROUP_get_curve
+and
+.Fn EC_GROUP_get_curve_GFp
+return 1 on success and 0 on memory allocation failure.
+.Pp
+.Fn EC_GROUP_set_generator
+returns 1 on success and 0 on memory allocation failure, or if
+.Fa order
+or
+.Fa cofactor
+are larger than Hasse's theorem allows.
+.Fn EC_GROUP_get0_generator
+returns an internal pointer to the
+.Fa generator
+or
+.Dv NULL
+if none was set on
+.Fa group .
+.Pp
+.Fn EC_GROUP_get_order
+returns 1 on success or 0 on memory allocation failure or if the
+.Fa group Ns 's
+order is set to
+.Fa zero .
+.Pp
+.Fn EC_GROUP_get_degree ,
+.Fn EC_GROUP_order_bits ,
+and
+.Fn EC_GROUP_get_cofactor
+return the number of bits in the
+.Fa group Ns 's
+.Fa p ,
+.Fa order ,
+and
+.Fa cofactor ,
+respectively.
+.Sh SEE ALSO
+.Xr BN_new 3 ,
+.Xr BN_num_bits 3 ,
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
+.Sh STANDARDS
+.Rs
+.%T SEC 1: Elliptic Curve Cryptography, Version 2.0
+.%U https://www.secg.org/sec1-v2.pdf
+.%D May 21, 2009
+.Re
+.Pp
+.Rs
+.%T SEC 2: Recommended Elliptic Curve Domain Parameters, Version 2.0
+.%U https://www.secg.org/sec2-v2.pdf
+.%D Jan 27, 2010
+.Re
+.Sh HISTORY
+.Fn EC_GROUP_new_curve_GFp ,
+.Fn EC_GROUP_clear_free ,
+.Fn EC_GROUP_set_curve_GFp ,
+.Fn EC_GROUP_get_curve_GFp ,
+.Fn EC_GROUP_set_generator ,
+.Fn EC_GROUP_get0_generator ,
+.Fn EC_GROUP_get_order ,
+and
+.Fn EC_GROUP_get_cofactor
+first appeared in OpenSSL 0.9.7 and
+have been available since
+.Ox 3.2 .
+.Pp
+.Fn EC_GROUP_get_degree
+first appeared in OpenSSL 0.9.8 and
+has been available since
+.Ox 4.5 .
+.Pp
+.Fn EC_GROUP_set_curve ,
+.Fn EC_GROUP_get_curve ,
+and
+.Fn EC_GROUP_order_bits
+first appeared in OpenSSL 1.1.1 and
+have been available since
+.Ox 7.0
+.Sh BUGS
+Too many.
+The API is unergonomic and the design is very poor even by
+OpenSSL's standards.
+Naming is inconsistent, especially in regards to the _GFp suffix
+and the _get_ infix.
+Function signatures are inconsistent.
+In particular, functions that should have a
+.Vt BN_CTX
+argument don't have one and functions that don't need it have one.
diff --git a/src/lib/libcrypto/man/EC_KEY_METHOD_new.3 b/src/lib/libcrypto/man/EC_KEY_METHOD_new.3
index 79c16ef014..5f5795d5cc 100644
--- a/src/lib/libcrypto/man/EC_KEY_METHOD_new.3
+++ b/src/lib/libcrypto/man/EC_KEY_METHOD_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_KEY_METHOD_new.3,v 1.4 2024/07/21 08:36:43 tb Exp $
+.\" $OpenBSD: EC_KEY_METHOD_new.3,v 1.5 2025/04/25 19:57:12 tb Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 21 2024 $
+.Dd $Mdocdate: April 25 2025 $
 .Dt EC_KEY_METHOD_NEW 3
 .Os
 .Sh NAME
@@ -312,7 +312,16 @@ returns 1 for success or 0 for failure.
 returns the EC_KEY implementation used by the given
 .Fa key .
 .Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
 .Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
 .Xr ECDSA_sign 3
 .Sh HISTORY
 These functions first appeared in OpenSSL 1.1.0
diff --git a/src/lib/libcrypto/man/EC_KEY_new.3 b/src/lib/libcrypto/man/EC_KEY_new.3
index c24cb080ef..a2592a20ae 100644
--- a/src/lib/libcrypto/man/EC_KEY_new.3
+++ b/src/lib/libcrypto/man/EC_KEY_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_KEY_new.3,v 1.21 2025/03/08 16:38:13 tb Exp $
+.\" $OpenBSD: EC_KEY_new.3,v 1.22 2025/04/25 19:57:12 tb Exp $
 .\" full merge up to: OpenSSL 3aef36ff Jan 5 13:06:03 2016 -0500
 .\" partial merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 8 2025 $
+.Dd $Mdocdate: April 25 2025 $
 .Dt EC_KEY_NEW 3
 .Os
 .Sh NAME
@@ -234,7 +234,7 @@ and supplying the
 .Fa nid
 of the associated curve.
 Refer to
-.Xr EC_GROUP_new 3
+.Xr EC_GROUP_new_by_curve_name 3
 for a description of curve names.
 This function simply wraps calls to
 .Fn EC_KEY_new
@@ -357,7 +357,7 @@ The format of the external representation of the public key written by
 such as whether it is stored in a compressed form or not,
 is described by the point_conversion_form.
 See
-.Xr EC_GROUP_copy 3
+.Xr EC_POINT_point2oct 3
 for a description of point_conversion_form.
 .Pp
 When reading a private key encoded without an associated public key,
@@ -378,7 +378,7 @@ and
 get and set the point_conversion_form for the
 .Fa key .
 For a description of point_conversion_form refer to
-.Xr EC_GROUP_copy 3 .
+.Xr EC_POINT_point2oct 3 .
 .Pp
 .Fn EC_KEY_set_flags
 sets the flags in the
@@ -407,7 +407,7 @@ sets the asn1_flag on the underlying
 .Vt EC_GROUP
 object (if set).
 Refer to
-.Xr EC_GROUP_copy 3
+.Xr EC_GROUP_get_curve_name 3
 for further information on the asn1_flag.
 .Pp
 .Fn EC_KEY_precompute_mult
@@ -488,11 +488,14 @@ returns the point_conversion_form for the
 .Vt EC_KEY .
 .Sh SEE ALSO
 .Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
-.Xr EC_GROUP_new 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
 .Xr EC_KEY_METHOD_new 3 ,
 .Xr EC_POINT_add 3 ,
-.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_point2oct 3 ,
 .Xr ECDH_compute_key 3 ,
 .Xr ECDSA_SIG_new 3 ,
 .Xr EVP_PKEY_set1_EC_KEY 3
diff --git a/src/lib/libcrypto/man/EC_POINT_add.3 b/src/lib/libcrypto/man/EC_POINT_add.3
index cc35499c0e..9c75f0dcd3 100644
--- a/src/lib/libcrypto/man/EC_POINT_add.3
+++ b/src/lib/libcrypto/man/EC_POINT_add.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EC_POINT_add.3,v 1.15 2025/03/08 16:48:22 tb Exp $
+.\"     $OpenBSD: EC_POINT_add.3,v 1.16 2025/04/25 19:57:12 tb Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 8 2025 $
+.Dd $Mdocdate: April 25 2025 $
 .Dt EC_POINT_ADD 3
 .Os
 .Sh NAME
@@ -177,7 +177,7 @@ in which case the result is just
 .Dl q * m.
 .Pp
 See
-.Xr EC_GROUP_copy 3
+.Xr EC_GROUP_new_curve_GFp 3
 for information about the generator.
 .Sh RETURN VALUES
 The following functions return 1 on success or 0 on error:
@@ -197,11 +197,17 @@ returns 1 if the point is on the curve, 0 if not, or -1 on error.
 .Fn EC_POINT_cmp
 returns 1 if the points are not equal, 0 if they are, or -1 on error.
 .Sh SEE ALSO
+.Xr crypto 3 ,
 .Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
-.Xr EC_GROUP_new 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
 .Xr EC_KEY_new 3 ,
-.Xr EC_POINT_new 3
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3
 .Sh HISTORY
 .Fn EC_POINT_add ,
 .Fn EC_POINT_dbl ,
diff --git a/src/lib/libcrypto/man/EC_POINT_get_affine_coordinates.3 b/src/lib/libcrypto/man/EC_POINT_get_affine_coordinates.3
new file mode 100644
index 0000000000..b36d480530
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_POINT_get_affine_coordinates.3
@@ -0,0 +1,215 @@
+.\" $OpenBSD: EC_POINT_get_affine_coordinates.3,v 1.1 2025/04/25 19:57:12 tb Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: April 25 2025 $
+.Dt EC_POINT_GET_AFFINE_COORDINATES 3
+.Os
+.Sh NAME
+.Nm EC_POINT_get_affine_coordinates ,
+.Nm EC_POINT_set_affine_coordinates ,
+.Nm EC_POINT_set_compressed_coordinates ,
+.Nm EC_POINT_set_to_infinity ,
+.Nm EC_POINT_get_affine_coordinates_GFp ,
+.Nm EC_POINT_set_affine_coordinates_GFp ,
+.Nm EC_POINT_set_compressed_coordinates_GFp
+.Nd get and set coordinates of elliptic curve points
+.Sh SYNOPSIS
+.In openssl/bn.h
+.In openssl/ec.h
+.Pp
+.Ft int
+.Fo EC_POINT_get_affine_coordinates
+.Fa "const EC_GROUP *group"
+.Fa "const EC_POINT *point"
+.Fa "BIGNUM *x"
+.Fa "BIGNUM *y"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_set_affine_coordinates
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fa "const BIGNUM *x"
+.Fa "const BIGNUM *y"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_set_compressed_coordinates
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fa "const BIGNUM *x"
+.Fa "int y_bit"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_set_to_infinity
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fc
+.Pp
+Deprecated:
+.Pp
+.Ft int
+.Fo EC_POINT_get_affine_coordinates_GFp
+.Fa "const EC_GROUP *group"
+.Fa "const EC_POINT *point"
+.Fa "BIGNUM *x"
+.Fa "BIGNUM *y"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_set_affine_coordinates_GFp
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fa "const BIGNUM *x"
+.Fa "const BIGNUM *y"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_set_compressed_coordinates_GFp
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fa "const BIGNUM *x"
+.Fa "int y_bit"
+.Fa "BN_CTX *ctx"
+.Fc
+.Sh DESCRIPTION
+.Fn EC_POINT_get_affine_coordinates
+assumes that
+.Fa point
+is a point on
+.Fa group ,
+calculates its affine coordinates from its internal representation
+using the optional
+.Fa ctx ,
+and copies them into the optional user-provided
+.Fa x
+and
+.Fa y .
+.Pp
+.Fn EC_POINT_set_affine_coordinates
+assumes that
+.Fa x
+and
+.Fa y
+are the affine coordinates of a point on
+.Fa group ,
+converts them into internal representation and sets them on
+.Fa point
+using the optional
+.Fa ctx .
+The user-provided
+.Fa point
+should be the result of
+.Fn EC_POINT_new 3
+with an argument of
+.Fa group .
+It then verifies using
+.Xr EC_POINT_is_on_curve 3
+that
+.Fa x
+and
+.Fa y
+are indeed the affine coordinates of a point on
+.Fa group .
+.Pp
+.Fn EC_POINT_set_compressed_coordinates
+assumes that
+.Fa x
+is the x-coordinate and
+.Fa y_bit
+is the parity bit of a point on
+.Fa group
+and sets
+.Fa point
+to the corresponding point on
+.Fa group .
+It does this by solving the quadratic equation y^2 = x^3 + ax + b using
+.Xr BN_mod_sqrt 3
+and the optional
+.Fa ctx ,
+chooses the solution
+.Fa y
+with parity matching
+.Fa y_bit ,
+and passes
+.Fa x
+and
+.Fa y
+to
+.Fn EC_POINT_set_affine_coordinates .
+The user-provided
+.Fa point
+should be the result of
+.Fn EC_POINT_new
+with argument
+.Fa group .
+.Pp
+.Fn EC_POINT_set_to_infinity
+sets
+.Fa point
+to the internal representation of the point at infinity on
+.Fa group .
+.Pp
+.Fn EC_POINT_get_affine_coordinates_GFp
+is a deprecated alias for
+.Fn EC_POINT_get_affine_coordinates .
+Similarly for
+.Fn EC_POINT_set_affine_coordinates_GFp
+and
+.Fn EC_POINT_set_compressed_coordinates_GFp .
+.Sh RETURN VALUES
+All these functions return 1 on success and 0 on error.
+Error conditions include memory allocation failure,
+that
+.Fa point
+is incompatible with
+.Fa group ,
+and, for the coordinate setters, that the provided coordinates
+do not represent a point on
+.Fa group .
+.Sh SEE ALSO
+.Xr BN_CTX_new 3 ,
+.Xr BN_is_zero 3 ,
+.Xr BN_mod_sqrt 3 ,
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
+.Sh HISTORY
+.Fn EC_POINT_get_affine_coordinates_GFp ,
+.Fn EC_POINT_set_affine_coordinates_GFp ,
+.Fn EC_POINT_set_compressed_coordinates_GFp ,
+and
+.Fn EC_POINT_set_to_infinity
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
+.Pp
+.Fn EC_POINT_get_affine_coordinates ,
+.Fn EC_POINT_set_affine_coordinates ,
+and
+.Fn EC_POINT_set_compressed_coordinates
+first appeared in OpenSSL 1.1.1 and have been available since
+.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/EC_POINT_new.3 b/src/lib/libcrypto/man/EC_POINT_new.3
index db6280fce7..cfc988f294 100644
--- a/src/lib/libcrypto/man/EC_POINT_new.3
+++ b/src/lib/libcrypto/man/EC_POINT_new.3
@@ -1,54 +1,20 @@
-.\" $OpenBSD: EC_POINT_new.3,v 1.17 2025/03/08 17:04:07 tb Exp $
-.\" full merge up to: OpenSSL 50db8163 Jul 30 16:56:41 2018 +0100
+.\" $OpenBSD: EC_POINT_new.3,v 1.18 2025/04/25 19:57:12 tb Exp $
 .\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2013, 2016 The OpenSSL Project.  All rights reserved.
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
+.Dd $Mdocdate: April 25 2025 $
 .Dt EC_POINT_NEW 3
 .Os
 .Sh NAME
@@ -56,163 +22,56 @@
 .Nm EC_POINT_free ,
 .Nm EC_POINT_clear_free ,
 .Nm EC_POINT_copy ,
-.Nm EC_POINT_dup ,
-.Nm EC_POINT_set_to_infinity ,
-.Nm EC_POINT_set_affine_coordinates ,
-.Nm EC_POINT_set_affine_coordinates_GFp ,
-.Nm EC_POINT_get_affine_coordinates ,
-.Nm EC_POINT_get_affine_coordinates_GFp ,
-.Nm EC_POINT_set_compressed_coordinates ,
-.Nm EC_POINT_set_compressed_coordinates_GFp ,
-.Nm EC_POINT_point2oct ,
-.Nm EC_POINT_oct2point ,
-.Nm EC_POINT_point2bn ,
-.Nm EC_POINT_bn2point ,
-.Nm EC_POINT_point2hex ,
-.Nm EC_POINT_hex2point
-.Nd create, destroy, and manipulate EC_POINT objects
+.Nm EC_POINT_dup
+.Nd allocate, free and copy elliptic curve points
 .Sh SYNOPSIS
 .In openssl/ec.h
-.In openssl/bn.h
-.Ft EC_POINT *
+.Pp
+.Ft "EC_POINT *"
 .Fo EC_POINT_new
 .Fa "const EC_GROUP *group"
 .Fc
-.Ft void
+.Ft "void"
 .Fo EC_POINT_free
 .Fa "EC_POINT *point"
 .Fc
-.Ft void
+.Ft "void"
 .Fo EC_POINT_clear_free
 .Fa "EC_POINT *point"
 .Fc
-.Ft int
+.Ft "int"
 .Fo EC_POINT_copy
 .Fa "EC_POINT *dst"
 .Fa "const EC_POINT *src"
 .Fc
-.Ft EC_POINT *
+.Ft "EC_POINT *"
 .Fo EC_POINT_dup
-.Fa "const EC_POINT *src"
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_POINT_set_to_infinity
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *point"
-.Fc
-.Ft int
-.Fo EC_POINT_set_affine_coordinates
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "const BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_set_affine_coordinates_GFp
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "const BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_get_affine_coordinates
-.Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *p"
-.Fa "BIGNUM *x"
-.Fa "BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_get_affine_coordinates_GFp
-.Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *p"
-.Fa "BIGNUM *x"
-.Fa "BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_set_compressed_coordinates
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "int y_bit"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_set_compressed_coordinates_GFp
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "int y_bit"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft size_t
-.Fo EC_POINT_point2oct
+.Fa "const EC_POINT *point"
 .Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *p"
-.Fa "point_conversion_form_t form"
-.Fa "unsigned char *buf"
-.Fa "size_t len"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_oct2point
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const unsigned char *buf"
-.Fa "size_t len"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft BIGNUM *
-.Fo EC_POINT_point2bn
-.Fa "const EC_GROUP *"
-.Fa "const EC_POINT *"
-.Fa "point_conversion_form_t form"
-.Fa "BIGNUM *"
-.Fa "BN_CTX *"
-.Fc
-.Ft EC_POINT *
-.Fo EC_POINT_bn2point
-.Fa "const EC_GROUP *"
-.Fa "const BIGNUM *"
-.Fa "EC_POINT *"
-.Fa "BN_CTX *"
-.Fc
-.Ft char *
-.Fo EC_POINT_point2hex
-.Fa "const EC_GROUP *"
-.Fa "const EC_POINT *"
-.Fa "point_conversion_form_t form"
-.Fa "BN_CTX *"
-.Fc
-.Ft EC_POINT *
-.Fo EC_POINT_hex2point
-.Fa "const EC_GROUP *"
-.Fa "const char *"
-.Fa "EC_POINT *"
-.Fa "BN_CTX *"
 .Fc
 .Sh DESCRIPTION
 An
 .Vt EC_POINT
-represents a point on a curve.
-A curve is represented by an
-.Vt EC_GROUP
-object created by the functions described in
-.Xr EC_GROUP_new 3 .
+object holds a point on the elliptic curve represented by an
+.Vt EC_GROUP .
+The details of the internal representation depend on the group
+and should never be an application's concern since the EC library
+has API to set a point's coordinates,
+.Xr EC_POINT_set_affine_coordinates 3 .
 .Pp
-A new point is constructed by calling the function
 .Fn EC_POINT_new
-and providing the
-.Fa group
-object that the point relates to.
+allocates and initializes an
+.Vt EC_POINT
+object to be used with the
+.Fa group .
+Before explicitly setting its coordinates, the returned
+.Vt EC_POINT
+is invalid.
 .Pp
 .Fn EC_POINT_free
-frees the memory associated with the
-.Vt EC_POINT .
+frees
+.Fa point
+and all memory associated with it.
 If
 .Fa point
 is a
@@ -220,236 +79,129 @@ is a
 pointer, no action occurs.
 .Pp
 .Fn EC_POINT_clear_free
-destroys any sensitive data held within the
-.Vt EC_POINT
-and then frees its memory.
-If
+is intended to destroy sensitive data held in
 .Fa point
-is a
-.Dv NULL
-pointer, no action occurs.
+in addition to freeing all memory associated with it.
+Since elliptic curve points usually hold public data, this
+is rarely needed.
+In LibreSSL,
+.Fn EC_POINT_free
+and
+.Fn EC_POINT_clear_free
+behave identically.
 .Pp
 .Fn EC_POINT_copy
-copies the point
+copies the internal representation of
 .Fa src
 into
 .Fa dst .
-Both
+If
 .Fa src
 and
 .Fa dst
-must use the same
-.Vt EC_METHOD .
-.Pp
-.Fn EC_POINT_dup
-creates a new
-.Vt EC_POINT
-object and copies the content from
+are identical, no action occurs.
+Both
 .Fa src
-to the newly created
-.Vt EC_POINT
-object.
-.Pp
-A valid point on a curve is the special point at infinity.
-A point is set to be at infinity by calling
-.Fn EC_POINT_set_to_infinity .
-.Pp
-The affine coordinates for a point describe a point in terms of its
-.Fa x
-and
-.Fa y
-position.
-The function
-.Fn EC_POINT_set_affine_coordinates
-sets the
-.Fa x
-and
-.Fa y
-coordinates for the point
-.Fa p
-defined over the curve given in
-.Fa group .
-The function
-.Fn EC_POINT_get_affine_coordinates
-sets
-.Fa x
-and
-.Fa y ,
-either of which may be
-.Dv NULL ,
-to the corresponding coordinates of
-.Fa p .
-.Pp
-The functions
-.Fn EC_POINT_set_affine_coordinates_GFp
-is a deprecated synonym for
-.Fn EC_POINT_set_affine_coordinates
-and the function
-.Fn EC_POINT_get_affine_coordinates_GFp
-is a deprecated synonym for
-.Fn EC_POINT_get_affine_coordinates .
-.Pp
-Points can also be described in terms of their compressed coordinates.
-For a point
-.Pq Fa x , y ,
-for any given value for
-.Fa x
-such that the point is on the curve, there will only ever be two
-possible values for
-.Fa y .
-Therefore, a point can be set using the
-.Fn EC_POINT_set_compressed_coordinates
-function where
-.Fa x
-is the x coordinate and
-.Fa y_bit
-is a value 0 or 1 to identify which of the two possible values for y
-should be used.
-.Pp
-The functions
-.Fn EC_POINT_set_compressed_coordinates_GFp
-is a deprecated synonym for
-.Fn EC_POINT_set_compressed_coordinates .
-.Pp
-In addition
-.Vt EC_POINT Ns s
-can be converted to and from various external representations.
-Supported representations are octet strings,
-.Vt BIGNUM Ns s ,
-and hexadecimal.
-The format of the external representation is described by the
-point_conversion_form.
-See
-.Xr EC_GROUP_copy 3
-for a description of point_conversion_form.
-Octet strings are stored in a buffer along with an associated buffer
-length.
-A point held in a
-.Vt BIGNUM
-is calculated by converting the point to an octet string and then
-converting that octet string into a
-.Vt BIGNUM
-integer.
-Points in hexadecimal format are stored in a NUL terminated character
-string where each character is one of the printable values 0-9 or A-F
-(or a-f).
-.Pp
-The functions
-.Fn EC_POINT_point2oct ,
-.Fn EC_POINT_oct2point ,
-.Fn EC_POINT_point2bn ,
-.Fn EC_POINT_bn2point ,
-.Fn EC_POINT_point2hex ,
 and
-.Fn EC_POINT_hex2point
-convert from and to
-.Vt EC_POINT Ns s
-for the formats octet string,
-.Vt BIGNUM ,
-and hexadecimal, respectively.
-.Pp
-The function
-.Fn EC_POINT_point2oct
-must be supplied with a
-.Fa buf
-long enough to store the octet string.
-The return value provides the number of octets stored.
-Calling the function with a
-.Dv NULL
-.Fa buf
-will not perform the conversion but will still return the required
-buffer length.
+.Fa dst
+should be the result of
+.Fn EC_POINT_new
+with the same
+.Fa group
+argument, although
+.Fn EC_POINT_copy
+cannot check that.
 .Pp
-The function
-.Fn EC_POINT_point2hex
-will allocate sufficient memory to store the hexadecimal string.
-It is the caller's responsibility to free this memory with a subsequent
-call to
-.Xr free 3 .
+.Fn EC_POINT_dup
+creates a deep copy of
+.Fa point
+by combining
+.Fn EC_POINT_new
+with
+.Fn EC_GROUP_copy .
 .Sh RETURN VALUES
 .Fn EC_POINT_new
-and
-.Fn EC_POINT_dup
-return the newly allocated
+returns a newly allocated
 .Vt EC_POINT
 or
 .Dv NULL
-on error.
+on memory allocation failure.
 .Pp
-The following functions return 1 on success or 0 on error:
-.Fn EC_POINT_copy ,
-.Fn EC_POINT_set_to_infinity ,
-.Fn EC_POINT_set_affine_coordinates ,
-.Fn EC_POINT_set_affine_coordinates_GFp ,
-.Fn EC_POINT_get_affine_coordinates ,
-.Fn EC_POINT_get_affine_coordinates_GFp ,
-.Fn EC_POINT_set_compressed_coordinates ,
-.Fn EC_POINT_set_compressed_coordinates_GFp ,
-and
-.Fn EC_POINT_oct2point .
-.Pp
-.Fn EC_POINT_point2oct
-returns the length of the required buffer, or 0 on error.
-.Pp
-.Fn EC_POINT_point2bn
-returns the pointer to the
-.Vt BIGNUM
-supplied or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_POINT_bn2point
-returns the pointer to the
-.Vt EC_POINT
-supplied or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_POINT_point2hex
-returns a pointer to the hex string or
-.Dv NULL
-on error.
+.Fn EC_POINT_copy
+returns 1 on success or 0 on error.
+Error conditions include memory allocation failure and that
+.Fa dst
+is incompatible with the group on which
+.Fa src
+is defined.
 .Pp
-.Fn EC_POINT_hex2point
-returns the pointer to the
+.Fn EC_POINT_dup
+returns a newly allocated
 .Vt EC_POINT
-supplied or
+or
 .Dv NULL
-on error.
+on failure.
+Error conditions include memory allocation failure or that
+.Fa group
+is incompatible with
+.Fa src .
 .Sh SEE ALSO
+.Xr BN_CTX_new 3 ,
+.Xr BN_is_zero 3 ,
+.Xr crypto 3 ,
 .Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
-.Xr EC_GROUP_new 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
 .Xr EC_KEY_new 3 ,
 .Xr EC_POINT_add 3 ,
-.Xr ECDH_compute_key 3
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
 .Sh HISTORY
 .Fn EC_POINT_new ,
 .Fn EC_POINT_free ,
 .Fn EC_POINT_clear_free ,
-.Fn EC_POINT_copy ,
-.Fn EC_POINT_set_to_infinity ,
-.Fn EC_POINT_set_affine_coordinates_GFp ,
-.Fn EC_POINT_get_affine_coordinates_GFp ,
-.Fn EC_POINT_set_compressed_coordinates_GFp ,
-.Fn EC_POINT_point2oct ,
 and
-.Fn EC_POINT_oct2point
+.Fn EC_POINT_copy
 first appeared in OpenSSL 0.9.7 and have been available since
 .Ox 3.2 .
 .Pp
-.Fn EC_POINT_dup ,
-.Fn EC_POINT_point2bn ,
-.Fn EC_POINT_bn2point ,
-.Fn EC_POINT_point2hex ,
-and
-.Fn EC_POINT_hex2point
-first appeared in OpenSSL 0.9.8 and have been available since
+.Fn EC_POINT_dup
+first appeared in OpenSSL 0.9.8 and has been available since
 .Ox 4.5 .
-.Pp
-.Fn EC_POINT_set_affine_coordinates ,
-.Fn EC_POINT_get_affine_coordinates ,
+.Sh BUGS
+A fundamental flaw in the OpenSSL API toolkit is that
+.Fn *_new
+functions usually create invalid objects that are tricky to
+turn into valid objects.
+A fundamental flaw in the EC library is that
+.Vt EC_POINT
+objects do not hold a reference to the group they live on
+despite the fact that
+.Fn EC_POINT_new
+has a
+.Fa group
+argument.
+This is difficult to fix because
+.Vt EC_GROUP
+objects are not reference counted and
+because of const qualifiers in the API.
+This is the root cause for various contortions in the EC library
+and API.
+This has security implications because not
+only does the library not know whether an
+.Fa EC_POINT
+object represents a valid point,
+even if it did know that it would not know on what curve.
+.Pp
+The signature of
+.Fn EC_GROUP_dup
+is bizarre and the order of
+.Fa point
 and
-.Fn EC_POINT_set_compressed_coordinates
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.0 .
+.Fa group
+is inconsistent with the rest of the EC API.
diff --git a/src/lib/libcrypto/man/EC_POINT_point2oct.3 b/src/lib/libcrypto/man/EC_POINT_point2oct.3
new file mode 100644
index 0000000000..d0663670ee
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_POINT_point2oct.3
@@ -0,0 +1,431 @@
+.\" $OpenBSD: EC_POINT_point2oct.3,v 1.1 2025/04/25 19:57:12 tb Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: April 25 2025 $
+.Dt EC_POINT_POINT2OCT 3
+.Os
+.Sh NAME
+.Nm EC_POINT_point2oct ,
+.Nm EC_POINT_oct2point ,
+.Nm EC_POINT_point2bn ,
+.Nm EC_POINT_bn2point ,
+.Nm EC_POINT_point2hex ,
+.Nm EC_POINT_hex2point
+.Nd encode and decode elliptic curve points
+.Sh SYNOPSIS
+.In openssl/bn.h
+.In openssl/ec.h
+.Bd -literal
+typedef enum {
+        POINT_CONVERSION_COMPRESSED = 2,
+        POINT_CONVERSION_UNCOMPRESSED = 4,
+        POINT_CONVERSION_HYBRID = 6
+} point_conversion_form_t;
+
+.Ed
+.Ft size_t
+.Fo EC_POINT_point2oct
+.Fa "const EC_GROUP *group"
+.Fa "const EC_POINT *point"
+.Fa "point_conversion_form_t form"
+.Fa "unsigned char *buf"
+.Fa "size_t len"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_oct2point
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fa "const unsigned char *buf"
+.Fa "size_t len"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft "BIGNUM *"
+.Fo EC_POINT_point2bn
+.Fa "const EC_GROUP *group"
+.Fa "const EC_POINT *point"
+.Fa "point_conversion_form_t form"
+.Fa "BIGNUM *bn"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft "EC_POINT *"
+.Fo EC_POINT_bn2point
+.Fa "const EC_GROUP *group"
+.Fa "const BIGNUM *bn"
+.Fa "EC_POINT *point"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft "char *"
+.Fo EC_POINT_point2hex
+.Fa "const EC_GROUP *group"
+.Fa "const EC_POINT *point"
+.Fa "point_conversion_form_t form"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft "EC_POINT *"
+.Fo EC_POINT_hex2point
+.Fa "const EC_GROUP *group"
+.Fa "const char *hex"
+.Fa "EC_POINT *point"
+.Fa "BN_CTX *ctx"
+.Fc
+.Sh DESCRIPTION
+The
+.Fa ctx
+argument of all functions in this manual is optional.
+.Pp
+An
+.Vt EC_POINT
+object represents a point on the elliptic curve given by an
+.Vt EC_GROUP
+object.
+It is either the point at infinity or it has a representation
+(x, y) in standard affine coordinates,
+in which case it satisfies the curve's Weierstrass equation
+.Dl y^2 = x^3 + ax + b
+in the prime field of size p.
+Thus, y is a square root of x^3 + ax + b.
+Since p > 3 is odd, p - y is another square root
+with different parity, unless y is zero.
+Point compression uses that x and the parity of y are enough
+to compute y using
+.Xr BN_mod_sqrt 3 .
+.Pp
+Field elements are represented as non-negative integers < p
+in big-endian 2-complement form, zero-padded on the left to the byte
+length l of p.
+If X and Y are the representations of x and y, respectively, and P is
+the parity bit of y, the three encodings of the point (x, y) are
+the byte strings:
+.Bl -column "EncodingX" "CompressedX" "UncompressedX" "Hybrid" -offset indent -compact
+.It Ta Em Compressed Ta Em Uncompressed Ta Em Hybrid
+.It Encoding Ta 2+P || X Ta 4 || X || Y Ta 6+P || X || Y
+.It Length Ta 1 + l Ta 1 + 2l Ta 1 + 2l
+.El
+where the first octet is the point conversion form
+combined with the parity bit in the compressed and hybrid encodings.
+The point at infinity is encoded as a single zero byte.
+.Pp
+.Fn EC_POINT_point2oct
+converts
+.Fa point
+into the octet string encoding of type
+.Fa form .
+It assumes without checking that
+.Fa point
+is a point on the elliptic curve represented by
+.Fa group
+and operates in two modes depending on the
+.Fa buf
+argument.
+If
+.Fa buf
+is
+.Dv NULL ,
+.Fn EC_POINT_point2oct
+returns the length of
+.Fa point Ns 's
+encoding of type
+.Fa form
+and ignores the
+.Fa len
+and
+.Fa ctx
+arguments.
+If
+.Fa buf
+is not
+.Dv NULL
+and its length
+.Fa len
+is sufficiently big,
+.Fn EC_POINT_point2oct 3
+writes the
+.Fa point Ns 's
+encoding of type
+.Fa form
+to
+.Fa buf
+and returns the number of bytes written.
+Unless
+.Fa point
+is the point at infinity, the coordinates to be encoded are calculated using
+.Xr EC_POINT_get_affine_coordinates 3 .
+.Pp
+.Fn EC_POINT_oct2point
+decodes the octet string representation of a point on
+.Fa group
+in
+.Fa buf
+of size
+.Fa len
+and, if it represents a point on
+.Fa group ,
+sets it on the caller-provided
+.Fa point
+using
+.Xr EC_POINT_set_to_infinity 3
+.Xr EC_POINT_set_compressed_coordinates 3 ,
+or
+.Xr EC_POINT_set_affine_coordinates 3 .
+For hybrid encoding the consistency of
+the parity bit in the leading octet is verified.
+.Pp
+.Fn EC_POINT_point2bn
+returns a
+.Vt BIGNUM
+containing the encoding of type
+.Fa form
+of the
+.Fa point
+on
+.Fa group .
+If
+.Fa bn
+is
+.Dv NULL ,
+this
+.Vt BIGNUM
+is newly allocated, otherwise the result is copied into
+.Fa bn
+and returned.
+.Fn EC_POINT_point2bn
+is equivalent to
+.Fn EC_POINT_point2oct
+followed by
+.Xr BN_bin2bn 3 .
+.Pp
+.Fn EC_POINT_bn2point
+assumes that
+.Fa bn
+contains the encoding of a point on
+.Fa group .
+If
+.Fa point
+is
+.Dv NULL ,
+the result is placed in a newly allocated
+.Vt EC_POINT ,
+otherwise the result is placed in
+.Fa point
+which is then returned.
+.Fn EC_POINT_bn2point
+is equivalent to
+.Xr BN_bn2bin 3
+followed by
+.Fn EC_POINT_oct2point .
+.Pp
+.Fn EC_POINT_point2hex
+returns a printable string containing the hexadecimal encoding of
+the point encoding of type
+.Fa form
+of the
+.Fa point
+on
+.Fa group .
+The string must be freed by the caller using
+.Xr free 3 .
+.Fn EC_POINT_point2hex
+is equivalent to
+.Fn EC_POINT_point2bn
+followed by
+.Fn BN_bn2hex 3 .
+.Pp
+.Fn EC_POINT_hex2point
+interprets
+.Fa hex
+as a hexadecimal encoding of the point encoding of a point on
+.Fa group .
+If
+.Fa point
+is
+.Dv NULL ,
+the result is returned in a newly allocated
+.Vt EC_POINT ,
+otherwise the result is copied into
+.Fa point ,
+which is then returned.
+.Fn EC_POINT_hex2point
+is equivalent to
+.Xr BN_hex2bn 3
+followed by
+.Fn EC_POINT_bn2point .
+.Sh RETURN VALUES
+If
+.Fa buf
+is
+.Dv NULL ,
+.Fn EC_POINT_point2oct
+returns the length needed to encode the
+.Fa point
+on
+.Fa group ,
+or 0 on error.
+If
+.Fa buf
+is not
+.Dv NULL ,
+.Fn EC_POINT_point2oct
+returns the number of bytes written to
+.Fa buf
+or 0 on error.
+Error conditions include that
+.Fa form
+is invalid,
+.Fa len
+is too small, and memory allocation failure.
+.Pp
+.Fn EC_POINT_oct2point
+returns 1 on success and 0 on error.
+Error conditions include invalid encoding,
+.Fa buf
+does not represent a point on
+.Fa group ,
+or memory allocation failure.
+.Pp
+.Fn EC_POINT_point2bn
+returns a
+.Vt BIGNUM
+containing the encoding of
+.Fa point
+or
+.Dv NULL
+on error.
+The returned
+.Vt BIGNUM
+is either
+.Fa in_bn
+or a newly allocated one which must be freed by the caller.
+Error conditions include those of
+.Fn EC_POINT_point2oct ,
+.Xr BN_bn2bin 3 ,
+or memory allocation failure.
+.Pp
+.Fn EC_POINT_bn2point
+returns an
+.Vt EC_POINT
+corresponding to the encoding in
+.Fa bn
+or
+.Dv NULL
+on error.
+The returned
+.Vt EC_POINT
+is either
+.Fa in_point
+or a newly allocated one which must be freed by the caller.
+Error conditions include those of
+.Xr BN_bn2bin 3 ,
+.Fn EC_POINT_oct2point ,
+or memory allocation failure.
+.Pp
+.Fn EC_POINT_point2hex
+returns a newly allocated string or
+.Dv NULL
+on error.
+Error conditions include those of
+.Fn EC_POINT_point2bn
+or
+.Xr BN_bn2hex 3 .
+.Pp
+.Fn EC_POINT_hex2point
+returns an
+.Vt EC_POINT
+containing the decoded point on
+.Fa group
+or
+.Dv NULL
+on error.
+The returned
+.Vt EC_POINT
+is either
+.Fa in_point
+or a newly allocated one which must be freed by the caller.
+Error conditions are those of
+.Xr BN_hex2bn 3 ,
+or
+.Fn EC_POINT_bn2point .
+.Sh SEE ALSO
+.Xr BN_mod_sqrt 3 ,
+.Xr BN_new 3 ,
+.Xr BN_num_bits 3 ,
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
+.Sh STANDARDS
+.Rs
+.%T SEC 1: Elliptic Curve Cryptography, Version 2.0
+.%U https://www.secg.org/sec1-v2.pdf
+.%D May 21, 2009
+.Re
+.Sh HISTORY
+.Fn EC_POINT_point2oct
+and
+.Fn EC_POINT_oct2point
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
+.Pp
+.Fn EC_POINT_point2bn ,
+.Fn EC_POINT_bn2point ,
+.Fn EC_POINT_point2hex ,
+and
+.Fn EC_POINT_hex2point
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
+.Sh BUGS
+The
+.Vt point_conversion_form_t
+is not properly exposed in the API.
+There is no representation for the point at infinity nor is there
+an API interface for the parity bit,
+forcing applications to invent their own and do bit twiddling in buffers.
+.Pp
+The poorly chosen signatures of the functions in this manual result
+in an unergonomic API, particularly so for
+.Fn EC_POINT_point2oct
+and
+.Fn EC_POINT_oct2point .
+Due to fundamental misdesign in the EC library,
+points are not directly linked to the curve they live on.
+Adding checks that
+.Fa point
+lives on
+.Fa group
+is too expensive and intrusive, so it is and will continue to be easy
+to make the EC_POINT_point2* API output nonsense.
+.Pp
+.Fn EC_POINT_point2bn
+and
+.Fn EC_POINT_bn2point
+make no sense.
+They abuse
+.Vt BIGNUM
+as a vector type, which is in poor taste.
+.Pp
+.Fn EC_POINT_point2hex
+and
+.Fn EC_POINT_hex2point
+use a non-standard encoding format.
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 9f3d448432..b8dfe86d49 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.307 2025/03/08 17:12:55 tb Exp $
+# $OpenBSD: Makefile,v 1.308 2025/04/25 19:57:12 tb Exp $
 
 .include <bsd.own.mk>
 
@@ -133,12 +133,16 @@ MAN=	\
         DSA_size.3 \
         ECDH_compute_key.3 \
         ECDSA_SIG_new.3 \
-        EC_GROUP_copy.3 \
-        EC_GROUP_new.3 \
+        EC_GROUP_check.3 \
+        EC_GROUP_get_curve_name.3 \
+        EC_GROUP_new_by_curve_name.3 \
+        EC_GROUP_new_curve_GFp.3 \
         EC_KEY_METHOD_new.3 \
         EC_KEY_new.3 \
         EC_POINT_add.3 \
+        EC_POINT_get_affine_coordinates.3 \
         EC_POINT_new.3 \
+        EC_POINT_point2oct.3 \
         ENGINE_new.3 \
         ERR.3 \
         ERR_GET_LIB.3 \