1 files changed, 160 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/EC_GROUP_check.3 b/src/lib/libcrypto/man/EC_GROUP_check.3
new file mode 100644
index 0000000000..146c3d255d
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_GROUP_check.3
@@ -0,0 +1,160 @@
+.\" $OpenBSD: EC_GROUP_check.3,v 1.6 2025/07/04 05:16:56 jsg Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: July 4 2025 $
+.Dt EC_GROUP_CHECK 3
+.Os
+.Sh NAME
+.Nm EC_GROUP_check_discriminant ,
+.Nm EC_GROUP_check
+.Nd partially check validity of
+.Vt EC_GROUP
+objects
+.Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/bn.h
+.In openssl/ec.h
+.Pp
+Deprecated:
+.Pp
+.Ft int
+.Fo EC_GROUP_check_discriminant
+.Fa "const EC_GROUP *group"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_check
+.Fa "const EC_GROUP *group"
+.Fa "BN_CTX *ctx"
+.Fc
+.Sh DESCRIPTION
+These functions are deprecated.
+Only standardized curves built into the library should be used, see
+.Xr EC_GROUP_new_by_curve_name 3 .
+Builtin curves went through far more thorough checking than
+the minimal, incomplete tests performed by these functions.
+.Pp
+These functions have an optional
+.Fa ctx
+argument which is used to avoid the cost of repeated allocation of
+auxiliary
+.Vt BIGNUM
+objects.
+.Pp
+.Fn EC_GROUP_check_discriminant
+can be called after
+.Xr EC_GROUP_new_curve_GFp 3
+to verify that
+.Fa group Ns 's
+parameters have non-zero discriminant 4a^3 + 27b^2 modulo p.
+Assuming that
+.Fa p
+is a prime number larger than three
+this implies that the Weierstrass equation defines an elliptic curve.
+.Pp
+.Fn EC_GROUP_check
+partially verifies that
+.Fa group
+represents an elliptic curve and that
+.Fa generator
+is a point on the curve whose order divides
+.Fa order .
+It checks with
+.Fn EC_GROUP_check_discriminant
+that the discriminant is non-zero
+and then verifies that that
+.Fa order
+is non-zero and that the product
+.Fa generator No * Fa order
+is the point at infinity.
+This implies that the
+.Fa order
+set on
+.Fa group
+is an integer multiple of the
+.Fa generator Ns 's
+order.
+The verification that
+.Fa p
+is a prime
+and that
+.Fa order
+is equal to the
+.Fa generator Ns 's
+order are skipped because they are too expensive.
+.Sh RETURN VALUES
+.Fn EC_GROUP_check_discriminant
+returns 1 on success and 0 on failure.
+Failure modes include that the discriminant is zero modulo
+.Fa p
+and memory allocation failure.
+.Pp
+.Fn EC_GROUP_check
+returns 1 on success and 0 on failure.
+.Sh ERRORS
+Diagnostics for
+.Fn EC_GROUP_check
+that can be retrieved with
+.Xr ERR_get_error 3 ,
+.Xr ERR_GET_REASON 3 ,
+and
+.Xr ERR_reason_error_string 3
+include:
+.Bl -tag -width Ds
+.It Dv EC_R_DISCRIMINANT_IS_ZERO Qq "discriminant is zero"
+.Fn EC_GROUP_check_discriminant
+failed because the discriminant is zero or for some other reason.
+.It Dv EC_R_UNDEFINED_GENERATOR Qq "undefined generator"
+no generator is set on
+.Fa group ,
+for example because a call to
+.Xr EC_GROUP_set_generator 3
+is missing.
+.It Dv EC_R_POINT_IS_NOT_ON_CURVE Qq "point is not on curve"
+a generator is set, but it is not a point on the curve represented by
+.Fa group .
+.It Dv EC_R_UNDEFINED_ORDER Qq "undefined order"
+the
+.Fa order
+set on
+.Fa group
+is zero.
+.It Dv EC_R_INVALID_GROUP_ORDER Qq "invalid group order"
+.Fa generator No * Fa order
+is not the point at infinity.
+.El
+.Sh SEE ALSO
+.Xr BN_CTX_new 3 ,
+.Xr BN_is_zero 3 ,
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
+.Sh HISTORY
+.Fn EC_GROUP_check
+and
+.Fn EC_GROUP_check_discriminant
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .

diff --git a/src/lib/libcrypto/man/EC_GROUP_check.3 b/src/lib/libcrypto/man/EC_GROUP_check.3 new file mode 100644 index 0000000000..146c3d255d --- /dev/null +++ b/src/lib/libcrypto/man/EC_GROUP_check.3
@@ -0,0 +1,160 @@
	1	.\" $OpenBSD: EC_GROUP_check.3,v 1.6 2025/07/04 05:16:56 jsg Exp $
	2	.\"
	3	.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: July 4 2025 $
	18	.Dt EC_GROUP_CHECK 3
	19	.Os
	20	.Sh NAME
	21	.Nm EC_GROUP_check_discriminant ,
	22	.Nm EC_GROUP_check
	23	.Nd partially check validity of
	24	.Vt EC_GROUP
	25	objects
	26	.Sh SYNOPSIS
	27	.Lb libcrypto
	28	.In openssl/bn.h
	29	.In openssl/ec.h
	30	.Pp
	31	Deprecated:
	32	.Pp
	33	.Ft int
	34	.Fo EC_GROUP_check_discriminant
	35	.Fa "const EC_GROUP *group"
	36	.Fa "BN_CTX *ctx"
	37	.Fc
	38	.Ft int
	39	.Fo EC_GROUP_check
	40	.Fa "const EC_GROUP *group"
	41	.Fa "BN_CTX *ctx"
	42	.Fc
	43	.Sh DESCRIPTION
	44	These functions are deprecated.
	45	Only standardized curves built into the library should be used, see
	46	.Xr EC_GROUP_new_by_curve_name 3 .
	47	Builtin curves went through far more thorough checking than
	48	the minimal, incomplete tests performed by these functions.
	49	.Pp
	50	These functions have an optional
	51	.Fa ctx
	52	argument which is used to avoid the cost of repeated allocation of
	53	auxiliary
	54	.Vt BIGNUM
	55	objects.
	56	.Pp
	57	.Fn EC_GROUP_check_discriminant
	58	can be called after
	59	.Xr EC_GROUP_new_curve_GFp 3
	60	to verify that
	61	.Fa group Ns 's
	62	parameters have non-zero discriminant 4a^3 + 27b^2 modulo p.
	63	Assuming that
	64	.Fa p
	65	is a prime number larger than three
	66	this implies that the Weierstrass equation defines an elliptic curve.
	67	.Pp
	68	.Fn EC_GROUP_check
	69	partially verifies that
	70	.Fa group
	71	represents an elliptic curve and that
	72	.Fa generator
	73	is a point on the curve whose order divides
	74	.Fa order .
	75	It checks with
	76	.Fn EC_GROUP_check_discriminant
	77	that the discriminant is non-zero
	78	and then verifies that that
	79	.Fa order
	80	is non-zero and that the product
	81	.Fa generator No * Fa order
	82	is the point at infinity.
	83	This implies that the
	84	.Fa order
	85	set on
	86	.Fa group
	87	is an integer multiple of the
	88	.Fa generator Ns 's
	89	order.
	90	The verification that
	91	.Fa p
	92	is a prime
	93	and that
	94	.Fa order
	95	is equal to the
	96	.Fa generator Ns 's
	97	order are skipped because they are too expensive.
	98	.Sh RETURN VALUES
	99	.Fn EC_GROUP_check_discriminant
	100	returns 1 on success and 0 on failure.
	101	Failure modes include that the discriminant is zero modulo
	102	.Fa p
	103	and memory allocation failure.
	104	.Pp
	105	.Fn EC_GROUP_check
	106	returns 1 on success and 0 on failure.
	107	.Sh ERRORS
	108	Diagnostics for
	109	.Fn EC_GROUP_check
	110	that can be retrieved with
	111	.Xr ERR_get_error 3 ,
	112	.Xr ERR_GET_REASON 3 ,
	113	and
	114	.Xr ERR_reason_error_string 3
	115	include:
	116	.Bl -tag -width Ds
	117	.It Dv EC_R_DISCRIMINANT_IS_ZERO Qq "discriminant is zero"
	118	.Fn EC_GROUP_check_discriminant
	119	failed because the discriminant is zero or for some other reason.
	120	.It Dv EC_R_UNDEFINED_GENERATOR Qq "undefined generator"
	121	no generator is set on
	122	.Fa group ,
	123	for example because a call to
	124	.Xr EC_GROUP_set_generator 3
	125	is missing.
	126	.It Dv EC_R_POINT_IS_NOT_ON_CURVE Qq "point is not on curve"
	127	a generator is set, but it is not a point on the curve represented by
	128	.Fa group .
	129	.It Dv EC_R_UNDEFINED_ORDER Qq "undefined order"
	130	the
	131	.Fa order
	132	set on
	133	.Fa group
	134	is zero.
	135	.It Dv EC_R_INVALID_GROUP_ORDER Qq "invalid group order"
	136	.Fa generator No * Fa order
	137	is not the point at infinity.
	138	.El
	139	.Sh SEE ALSO
	140	.Xr BN_CTX_new 3 ,
	141	.Xr BN_is_zero 3 ,
	142	.Xr crypto 3 ,
	143	.Xr d2i_ECPKParameters 3 ,
	144	.Xr EC_GROUP_get_curve_name 3 ,
	145	.Xr EC_GROUP_new_by_curve_name 3 ,
	146	.Xr EC_GROUP_new_curve_GFp 3 ,
	147	.Xr EC_KEY_METHOD_new 3 ,
	148	.Xr EC_KEY_new 3 ,
	149	.Xr EC_POINT_add 3 ,
	150	.Xr EC_POINT_get_affine_coordinates 3 ,
	151	.Xr EC_POINT_new 3 ,
	152	.Xr EC_POINT_point2oct 3 ,
	153	.Xr ECDH_compute_key 3 ,
	154	.Xr ECDSA_SIG_new 3
	155	.Sh HISTORY
	156	.Fn EC_GROUP_check
	157	and
	158	.Fn EC_GROUP_check_discriminant
	159	first appeared in OpenSSL 0.9.8 and have been available since
	160	.Ox 4.5 .