1 files changed, 458 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3 b/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3
new file mode 100644
index 0000000000..038deff434
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3
@@ -0,0 +1,458 @@
+.\" $OpenBSD: EC_GROUP_new_curve_GFp.3,v 1.5 2025/06/13 18:34:00 schwarze Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: June 13 2025 $
+.Dt EC_GROUP_NEW_CURVE_GFP 3
+.Os
+.Sh NAME
+.Nm EC_GROUP_new_curve_GFp ,
+.Nm EC_GROUP_set_curve ,
+.Nm EC_GROUP_get_curve ,
+.Nm EC_GROUP_set_generator ,
+.Nm EC_GROUP_get0_generator ,
+.Nm EC_GROUP_get_degree ,
+.Nm EC_GROUP_get_order ,
+.Nm EC_GROUP_order_bits ,
+.Nm EC_GROUP_get_cofactor ,
+.Nm EC_GROUP_clear_free ,
+.Nm EC_GROUP_set_curve_GFp ,
+.Nm EC_GROUP_get_curve_GFp
+.Nd define elliptic curves and retrieve information from them
+.Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/bn.h
+.In openssl/ec.h
+.Ft EC_GROUP *
+.Fo EC_GROUP_new_curve_GFp
+.Fa "const BIGNUM *p"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_set_curve
+.Fa "EC_GROUP *group"
+.Fa "const BIGNUM *p"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_curve
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *p"
+.Fa "BIGNUM *a"
+.Fa "BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_set_generator
+.Fa "EC_GROUP *group"
+.Fa "const EC_POINT *generator"
+.Fa "const BIGNUM *order"
+.Fa "const BIGNUM *cofactor"
+.Fc
+.Ft const EC_POINT *
+.Fo EC_GROUP_get0_generator
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_degree
+.Fa "const EC_GROUP *"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_order
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *order"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_order_bits
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_cofactor
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *cofactor"
+.Fa "BN_CTX *ctx"
+.Fc
+.Pp
+Deprecated:
+.Pp
+.Ft void
+.Fo EC_GROUP_clear_free
+.Fa "EC_GROUP *group"
+.Fc
+.Ft int
+.Fo EC_GROUP_set_curve_GFp
+.Fa "EC_GROUP *group"
+.Fa "const BIGNUM *p"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_curve_GFp
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *p"
+.Fa "BIGNUM *a"
+.Fa "BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Sh DESCRIPTION
+With the exception of the getters
+the functions in this manual should not be used.
+Use
+.Xr EC_GROUP_new_by_curve_name 3
+instead.
+.Pp
+The EC library uses
+.Vt EC_GROUP
+objects to represent
+elliptic curves in Weierstrass form.
+These curves are defined over the prime field of order
+.Fa p
+via the Weierstrass equation
+.Pp
+.Dl y^2 = x^3 + ax + b
+.Pp
+where
+.Fa a
+and
+.Fa b
+are such that the discriminant 4a^3 - 27b^2 is non-zero.
+.Pp
+The points on an elliptic curve form a group.
+Cryptographic applications usually depend on the choice of a
+.Fa generator
+whose multiples form a cyclic subgroup of a certain
+.Fa order .
+By Lagrange's theorem, the number of points on the elliptic curve is
+the product of
+.Fa order
+and another integer called the
+.Fa cofactor .
+Hasse's theorem is the inequality
+.Pp
+.Dl | Ns Fa order No * Fa cofactor No - (p + 1)| <= 2 sqrt(p)
+.Pp
+which implies an upper bound on
+.Fa order
+in terms of
+.Fa p
+and allows the computation of
+.Fa cofactor
+provided that
+.Fa order
+is large enough.
+.Pp
+.Fn EC_GROUP_new_curve_GFp
+instantiates a new
+.Vt EC_GROUP
+object over the prime field of size
+.Fa p
+with Weierstrass equation given by the coefficients
+.Fa a
+and
+.Fa b .
+The optional
+.Fa ctx
+is used to transform the other arguments into internal representation.
+It is the caller's responsibility to ensure that
+.Fa p
+is a prime number greater than three and that
+the discriminant is non-zero.
+This can be done with
+.Xr EC_GROUP_check_discriminant 3
+or as part of
+.Xr EC_GROUP_check 3
+after
+.Fn EC_GROUP_set_generator .
+.Pp
+.Fn EC_GROUP_set_curve
+sets the curve parameters of
+.Fa group
+to
+.Fa p ,
+.Fa a ,
+.Fa b
+using the optional
+.Fa ctx
+and the comments in
+.Fn EC_GROUP_new_curve_GFp
+apply.
+Existing
+.Fa generator ,
+.Fa order ,
+or
+.Fa cofactor
+on
+.Fa group
+are left unmodified and become most likely invalid.
+They must therefore be set to legitimate values using
+.Fn EC_GROUP_set_generator .
+.Pp
+.Fn EC_GROUP_get_curve
+copies the curve parameters of
+.Fa group
+into the caller-owned
+.Fa p ,
+.Fa a ,
+and
+.Fa b ,
+possibly making use of the
+.Fa ctx
+for conversion from internal representations.
+Except for
+.Fa group ,
+all arguments are optional.
+.Pp
+.Fn EC_GROUP_set_generator
+performs sanity checks based on Hasse's theorem
+and copies
+.Fa generator ,
+.Fa order
+and the optional
+.Fa cofactor
+into
+.Fa group ,
+replacing all existing entries.
+It is the caller's responsibility to ensure that
+.Fa generator
+is a point on the curve and that
+.Fa order
+is its order,
+which can partially be accomplished with a subsequent call to
+.Xr EC_GROUP_check 3 .
+If
+.Fa cofactor
+is
+.Dv NULL ,
+it can be computed on curves of cryptographic interest,
+in which case
+.Fa cofactor
+is set to the computed value, otherwise it is set to zero.
+.Pp
+.Fn EC_GROUP_get0_generator
+returns an internal pointer to the
+.Fa group Ns 's
+.Fa generator ,
+which may be
+.Dv NULL
+if no generator was set.
+.Pp
+.Fn EC_GROUP_get_degree
+returns the bit length of the prime
+.Fa p
+set on
+.Fa group .
+.Pp
+.Fn EC_GROUP_get_order
+copies the value of the
+.Fa group Ns 's
+.Fa order
+into the caller-owned
+.Fa order ,
+returning failure if the
+.Fa group Ns 's
+.Fa order
+is zero.
+The
+.Fa ctx
+argument is ignored.
+.Pp
+.Fn EC_GROUP_order_bits
+returns the number of bits in the
+.Fa group Ns 's
+.Fa order ,
+which is the result of calling
+.Xr BN_num_bits 3
+on
+.Fa order .
+Unlike
+.Fn EC_GROUP_get_order ,
+it does not fail if
+.Fa order
+is zero.
+.Pp
+.Fn EC_GROUP_get_cofactor
+copies the value of the
+.Fa group Ns 's
+.Fa cofactor
+into the caller-owned
+.Fa cofactor ,
+returning failure if the
+.Fa group Ns 's
+.Fa cofactor
+is zero.
+The
+.Fa ctx
+argument is ignored.
+.Pp
+The deprecated
+.Fn EC_GROUP_clear_free
+uses
+.Xr explicit_bzero 3
+and
+.Xr freezero 3
+to clear and free all data associated with
+.Fa group .
+If
+.Fa group
+is
+.Dv NULL ,
+no action occurs.
+Since there is no secret data in
+.Fa group ,
+this API is useless.
+In LibreSSL,
+.Xr EC_GROUP_free 3
+and
+.Fn EC_GROUP_clear_free
+behave identically.
+.Pp
+.Fn EC_GROUP_set_curve_GFp
+and
+.Fn EC_GROUP_get_curve_GFp
+are deprecated aliases for
+.Fn EC_GROUP_set_curve
+and
+.Fn EC_GROUP_get_curve ,
+respectively.
+.Sh RETURN VALUES
+.Fn EC_GROUP_new_curve_GFp
+returns a newly allocated group or
+.Dv NULL
+if memory allocation fails,
+or if some minimal sanity checks on
+.Fa p ,
+.Fa a ,
+and
+.Fa b
+fail.
+.Pp
+.Fn EC_GROUP_set_curve
+and
+.Fn EC_GROUP_set_curve_GFp
+return 1 on success and 0 on failure.
+Failure conditions include that
+.Fa p
+is smaller than or equal to three, or even, or
+memory allocation failure.
+.Pp
+.Fn EC_GROUP_get_curve
+and
+.Fn EC_GROUP_get_curve_GFp
+return 1 on success and 0 on memory allocation failure.
+.Pp
+.Fn EC_GROUP_set_generator
+returns 1 on success and 0 on memory allocation failure, or if
+.Fa order
+or
+.Fa cofactor
+are larger than Hasse's theorem allows.
+.Pp
+.Fn EC_GROUP_get0_generator
+returns an internal pointer to the
+.Fa generator
+or
+.Dv NULL
+if none was set on
+.Fa group .
+.Pp
+.Fn EC_GROUP_get_order
+returns 1 on success or 0 on memory allocation failure or if the
+.Fa order
+is zero.
+.Pp
+.Fn EC_GROUP_get_cofactor
+returns 1 on success or 0 on memory allocation failure or if the
+.Fa cofactor
+is zero.
+.Pp
+.Fn EC_GROUP_get_degree ,
+and
+.Fn EC_GROUP_order_bits
+return the number of bits in the
+.Fa group Ns 's
+.Fa p ,
+and
+.Fa order ,
+respectively.
+.Sh SEE ALSO
+.Xr BN_new 3 ,
+.Xr BN_num_bits 3 ,
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
+.Sh STANDARDS
+.Rs
+.%T SEC 1: Elliptic Curve Cryptography, Version 2.0
+.%U https://www.secg.org/sec1-v2.pdf
+.%D May 21, 2009
+.Re
+.Pp
+.Rs
+.%T SEC 2: Recommended Elliptic Curve Domain Parameters, Version 2.0
+.%U https://www.secg.org/sec2-v2.pdf
+.%D Jan 27, 2010
+.Re
+.Sh HISTORY
+.Fn EC_GROUP_new_curve_GFp ,
+.Fn EC_GROUP_clear_free ,
+.Fn EC_GROUP_set_curve_GFp ,
+.Fn EC_GROUP_get_curve_GFp ,
+.Fn EC_GROUP_set_generator ,
+.Fn EC_GROUP_get0_generator ,
+.Fn EC_GROUP_get_order ,
+and
+.Fn EC_GROUP_get_cofactor
+first appeared in OpenSSL 0.9.7 and
+have been available since
+.Ox 3.2 .
+.Pp
+.Fn EC_GROUP_get_degree
+first appeared in OpenSSL 0.9.8 and
+has been available since
+.Ox 4.5 .
+.Pp
+.Fn EC_GROUP_set_curve ,
+.Fn EC_GROUP_get_curve ,
+and
+.Fn EC_GROUP_order_bits
+first appeared in OpenSSL 1.1.1 and
+have been available since
+.Ox 7.0
+.Sh BUGS
+Too many.
+The API is unergonomic and the design is very poor even by
+OpenSSL's standards.
+Naming is inconsistent, especially in regard to the _GFp suffix
+and the _get_ infix.
+Function signatures are inconsistent.
+In particular, functions that should have a
+.Vt BN_CTX
+argument don't have one and functions that don't need it have one.

diff --git a/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3 b/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3 new file mode 100644 index 0000000000..038deff434 --- /dev/null +++ b/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3
@@ -0,0 +1,458 @@
	1	.\" $OpenBSD: EC_GROUP_new_curve_GFp.3,v 1.5 2025/06/13 18:34:00 schwarze Exp $
	2	.\"
	3	.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: June 13 2025 $
	18	.Dt EC_GROUP_NEW_CURVE_GFP 3
	19	.Os
	20	.Sh NAME
	21	.Nm EC_GROUP_new_curve_GFp ,
	22	.Nm EC_GROUP_set_curve ,
	23	.Nm EC_GROUP_get_curve ,
	24	.Nm EC_GROUP_set_generator ,
	25	.Nm EC_GROUP_get0_generator ,
	26	.Nm EC_GROUP_get_degree ,
	27	.Nm EC_GROUP_get_order ,
	28	.Nm EC_GROUP_order_bits ,
	29	.Nm EC_GROUP_get_cofactor ,
	30	.Nm EC_GROUP_clear_free ,
	31	.Nm EC_GROUP_set_curve_GFp ,
	32	.Nm EC_GROUP_get_curve_GFp
	33	.Nd define elliptic curves and retrieve information from them
	34	.Sh SYNOPSIS
	35	.Lb libcrypto
	36	.In openssl/bn.h
	37	.In openssl/ec.h
	38	.Ft EC_GROUP *
	39	.Fo EC_GROUP_new_curve_GFp
	40	.Fa "const BIGNUM *p"
	41	.Fa "const BIGNUM *a"
	42	.Fa "const BIGNUM *b"
	43	.Fa "BN_CTX *ctx"
	44	.Fc
	45	.Ft int
	46	.Fo EC_GROUP_set_curve
	47	.Fa "EC_GROUP *group"
	48	.Fa "const BIGNUM *p"
	49	.Fa "const BIGNUM *a"
	50	.Fa "const BIGNUM *b"
	51	.Fa "BN_CTX *ctx"
	52	.Fc
	53	.Ft int
	54	.Fo EC_GROUP_get_curve
	55	.Fa "const EC_GROUP *group"
	56	.Fa "BIGNUM *p"
	57	.Fa "BIGNUM *a"
	58	.Fa "BIGNUM *b"
	59	.Fa "BN_CTX *ctx"
	60	.Fc
	61	.Ft int
	62	.Fo EC_GROUP_set_generator
	63	.Fa "EC_GROUP *group"
	64	.Fa "const EC_POINT *generator"
	65	.Fa "const BIGNUM *order"
	66	.Fa "const BIGNUM *cofactor"
	67	.Fc
	68	.Ft const EC_POINT *
	69	.Fo EC_GROUP_get0_generator
	70	.Fa "const EC_GROUP *group"
	71	.Fc
	72	.Ft int
	73	.Fo EC_GROUP_get_degree
	74	.Fa "const EC_GROUP *"
	75	.Fc
	76	.Ft int
	77	.Fo EC_GROUP_get_order
	78	.Fa "const EC_GROUP *group"
	79	.Fa "BIGNUM *order"
	80	.Fa "BN_CTX *ctx"
	81	.Fc
	82	.Ft int
	83	.Fo EC_GROUP_order_bits
	84	.Fa "const EC_GROUP *group"
	85	.Fc
	86	.Ft int
	87	.Fo EC_GROUP_get_cofactor
	88	.Fa "const EC_GROUP *group"
	89	.Fa "BIGNUM *cofactor"
	90	.Fa "BN_CTX *ctx"
	91	.Fc
	92	.Pp
	93	Deprecated:
	94	.Pp
	95	.Ft void
	96	.Fo EC_GROUP_clear_free
	97	.Fa "EC_GROUP *group"
	98	.Fc
	99	.Ft int
	100	.Fo EC_GROUP_set_curve_GFp
	101	.Fa "EC_GROUP *group"
	102	.Fa "const BIGNUM *p"
	103	.Fa "const BIGNUM *a"
	104	.Fa "const BIGNUM *b"
	105	.Fa "BN_CTX *ctx"
	106	.Fc
	107	.Ft int
	108	.Fo EC_GROUP_get_curve_GFp
	109	.Fa "const EC_GROUP *group"
	110	.Fa "BIGNUM *p"
	111	.Fa "BIGNUM *a"
	112	.Fa "BIGNUM *b"
	113	.Fa "BN_CTX *ctx"
	114	.Fc
	115	.Sh DESCRIPTION
	116	With the exception of the getters
	117	the functions in this manual should not be used.
	118	Use
	119	.Xr EC_GROUP_new_by_curve_name 3
	120	instead.
	121	.Pp
	122	The EC library uses
	123	.Vt EC_GROUP
	124	objects to represent
	125	elliptic curves in Weierstrass form.
	126	These curves are defined over the prime field of order
	127	.Fa p
	128	via the Weierstrass equation
	129	.Pp
	130	.Dl y^2 = x^3 + ax + b
	131	.Pp
	132	where
	133	.Fa a
	134	and
	135	.Fa b
	136	are such that the discriminant 4a^3 - 27b^2 is non-zero.
	137	.Pp
	138	The points on an elliptic curve form a group.
	139	Cryptographic applications usually depend on the choice of a
	140	.Fa generator
	141	whose multiples form a cyclic subgroup of a certain
	142	.Fa order .
	143	By Lagrange's theorem, the number of points on the elliptic curve is
	144	the product of
	145	.Fa order
	146	and another integer called the
	147	.Fa cofactor .
	148	Hasse's theorem is the inequality
	149	.Pp
	150	.Dl \| Ns Fa order No * Fa cofactor No - (p + 1)\| <= 2 sqrt(p)
	151	.Pp
	152	which implies an upper bound on
	153	.Fa order
	154	in terms of
	155	.Fa p
	156	and allows the computation of
	157	.Fa cofactor
	158	provided that
	159	.Fa order
	160	is large enough.
	161	.Pp
	162	.Fn EC_GROUP_new_curve_GFp
	163	instantiates a new
	164	.Vt EC_GROUP
	165	object over the prime field of size
	166	.Fa p
	167	with Weierstrass equation given by the coefficients
	168	.Fa a
	169	and
	170	.Fa b .
	171	The optional
	172	.Fa ctx
	173	is used to transform the other arguments into internal representation.
	174	It is the caller's responsibility to ensure that
	175	.Fa p
	176	is a prime number greater than three and that
	177	the discriminant is non-zero.
	178	This can be done with
	179	.Xr EC_GROUP_check_discriminant 3
	180	or as part of
	181	.Xr EC_GROUP_check 3
	182	after
	183	.Fn EC_GROUP_set_generator .
	184	.Pp
	185	.Fn EC_GROUP_set_curve
	186	sets the curve parameters of
	187	.Fa group
	188	to
	189	.Fa p ,
	190	.Fa a ,
	191	.Fa b
	192	using the optional
	193	.Fa ctx
	194	and the comments in
	195	.Fn EC_GROUP_new_curve_GFp
	196	apply.
	197	Existing
	198	.Fa generator ,
	199	.Fa order ,
	200	or
	201	.Fa cofactor
	202	on
	203	.Fa group
	204	are left unmodified and become most likely invalid.
	205	They must therefore be set to legitimate values using
	206	.Fn EC_GROUP_set_generator .
	207	.Pp
	208	.Fn EC_GROUP_get_curve
	209	copies the curve parameters of
	210	.Fa group
	211	into the caller-owned
	212	.Fa p ,
	213	.Fa a ,
	214	and
	215	.Fa b ,
	216	possibly making use of the
	217	.Fa ctx
	218	for conversion from internal representations.
	219	Except for
	220	.Fa group ,
	221	all arguments are optional.
	222	.Pp
	223	.Fn EC_GROUP_set_generator
	224	performs sanity checks based on Hasse's theorem
	225	and copies
	226	.Fa generator ,
	227	.Fa order
	228	and the optional
	229	.Fa cofactor
	230	into
	231	.Fa group ,
	232	replacing all existing entries.
	233	It is the caller's responsibility to ensure that
	234	.Fa generator
	235	is a point on the curve and that
	236	.Fa order
	237	is its order,
	238	which can partially be accomplished with a subsequent call to
	239	.Xr EC_GROUP_check 3 .
	240	If
	241	.Fa cofactor
	242	is
	243	.Dv NULL ,
	244	it can be computed on curves of cryptographic interest,
	245	in which case
	246	.Fa cofactor
	247	is set to the computed value, otherwise it is set to zero.
	248	.Pp
	249	.Fn EC_GROUP_get0_generator
	250	returns an internal pointer to the
	251	.Fa group Ns 's
	252	.Fa generator ,
	253	which may be
	254	.Dv NULL
	255	if no generator was set.
	256	.Pp
	257	.Fn EC_GROUP_get_degree
	258	returns the bit length of the prime
	259	.Fa p
	260	set on
	261	.Fa group .
	262	.Pp
	263	.Fn EC_GROUP_get_order
	264	copies the value of the
	265	.Fa group Ns 's
	266	.Fa order
	267	into the caller-owned
	268	.Fa order ,
	269	returning failure if the
	270	.Fa group Ns 's
	271	.Fa order
	272	is zero.
	273	The
	274	.Fa ctx
	275	argument is ignored.
	276	.Pp
	277	.Fn EC_GROUP_order_bits
	278	returns the number of bits in the
	279	.Fa group Ns 's
	280	.Fa order ,
	281	which is the result of calling
	282	.Xr BN_num_bits 3
	283	on
	284	.Fa order .
	285	Unlike
	286	.Fn EC_GROUP_get_order ,
	287	it does not fail if
	288	.Fa order
	289	is zero.
	290	.Pp
	291	.Fn EC_GROUP_get_cofactor
	292	copies the value of the
	293	.Fa group Ns 's
	294	.Fa cofactor
	295	into the caller-owned
	296	.Fa cofactor ,
	297	returning failure if the
	298	.Fa group Ns 's
	299	.Fa cofactor
	300	is zero.
	301	The
	302	.Fa ctx
	303	argument is ignored.
	304	.Pp
	305	The deprecated
	306	.Fn EC_GROUP_clear_free
	307	uses
	308	.Xr explicit_bzero 3
	309	and
	310	.Xr freezero 3
	311	to clear and free all data associated with
	312	.Fa group .
	313	If
	314	.Fa group
	315	is
	316	.Dv NULL ,
	317	no action occurs.
	318	Since there is no secret data in
	319	.Fa group ,
	320	this API is useless.
	321	In LibreSSL,
	322	.Xr EC_GROUP_free 3
	323	and
	324	.Fn EC_GROUP_clear_free
	325	behave identically.
	326	.Pp
	327	.Fn EC_GROUP_set_curve_GFp
	328	and
	329	.Fn EC_GROUP_get_curve_GFp
	330	are deprecated aliases for
	331	.Fn EC_GROUP_set_curve
	332	and
	333	.Fn EC_GROUP_get_curve ,
	334	respectively.
	335	.Sh RETURN VALUES
	336	.Fn EC_GROUP_new_curve_GFp
	337	returns a newly allocated group or
	338	.Dv NULL
	339	if memory allocation fails,
	340	or if some minimal sanity checks on
	341	.Fa p ,
	342	.Fa a ,
	343	and
	344	.Fa b
	345	fail.
	346	.Pp
	347	.Fn EC_GROUP_set_curve
	348	and
	349	.Fn EC_GROUP_set_curve_GFp
	350	return 1 on success and 0 on failure.
	351	Failure conditions include that
	352	.Fa p
	353	is smaller than or equal to three, or even, or
	354	memory allocation failure.
	355	.Pp
	356	.Fn EC_GROUP_get_curve
	357	and
	358	.Fn EC_GROUP_get_curve_GFp
	359	return 1 on success and 0 on memory allocation failure.
	360	.Pp
	361	.Fn EC_GROUP_set_generator
	362	returns 1 on success and 0 on memory allocation failure, or if
	363	.Fa order
	364	or
	365	.Fa cofactor
	366	are larger than Hasse's theorem allows.
	367	.Pp
	368	.Fn EC_GROUP_get0_generator
	369	returns an internal pointer to the
	370	.Fa generator
	371	or
	372	.Dv NULL
	373	if none was set on
	374	.Fa group .
	375	.Pp
	376	.Fn EC_GROUP_get_order
	377	returns 1 on success or 0 on memory allocation failure or if the
	378	.Fa order
	379	is zero.
	380	.Pp
	381	.Fn EC_GROUP_get_cofactor
	382	returns 1 on success or 0 on memory allocation failure or if the
	383	.Fa cofactor
	384	is zero.
	385	.Pp
	386	.Fn EC_GROUP_get_degree ,
	387	and
	388	.Fn EC_GROUP_order_bits
	389	return the number of bits in the
	390	.Fa group Ns 's
	391	.Fa p ,
	392	and
	393	.Fa order ,
	394	respectively.
	395	.Sh SEE ALSO
	396	.Xr BN_new 3 ,
	397	.Xr BN_num_bits 3 ,
	398	.Xr crypto 3 ,
	399	.Xr d2i_ECPKParameters 3 ,
	400	.Xr EC_GROUP_check 3 ,
	401	.Xr EC_GROUP_get_curve_name 3 ,
	402	.Xr EC_GROUP_new_by_curve_name 3 ,
	403	.Xr EC_KEY_METHOD_new 3 ,
	404	.Xr EC_KEY_new 3 ,
	405	.Xr EC_POINT_add 3 ,
	406	.Xr EC_POINT_get_affine_coordinates 3 ,
	407	.Xr EC_POINT_new 3 ,
	408	.Xr EC_POINT_point2oct 3 ,
	409	.Xr ECDH_compute_key 3 ,
	410	.Xr ECDSA_SIG_new 3
	411	.Sh STANDARDS
	412	.Rs
	413	.%T SEC 1: Elliptic Curve Cryptography, Version 2.0
	414	.%U https://www.secg.org/sec1-v2.pdf
	415	.%D May 21, 2009
	416	.Re
	417	.Pp
	418	.Rs
	419	.%T SEC 2: Recommended Elliptic Curve Domain Parameters, Version 2.0
	420	.%U https://www.secg.org/sec2-v2.pdf
	421	.%D Jan 27, 2010
	422	.Re
	423	.Sh HISTORY
	424	.Fn EC_GROUP_new_curve_GFp ,
	425	.Fn EC_GROUP_clear_free ,
	426	.Fn EC_GROUP_set_curve_GFp ,
	427	.Fn EC_GROUP_get_curve_GFp ,
	428	.Fn EC_GROUP_set_generator ,
	429	.Fn EC_GROUP_get0_generator ,
	430	.Fn EC_GROUP_get_order ,
	431	and
	432	.Fn EC_GROUP_get_cofactor
	433	first appeared in OpenSSL 0.9.7 and
	434	have been available since
	435	.Ox 3.2 .
	436	.Pp
	437	.Fn EC_GROUP_get_degree
	438	first appeared in OpenSSL 0.9.8 and
	439	has been available since
	440	.Ox 4.5 .
	441	.Pp
	442	.Fn EC_GROUP_set_curve ,
	443	.Fn EC_GROUP_get_curve ,
	444	and
	445	.Fn EC_GROUP_order_bits
	446	first appeared in OpenSSL 1.1.1 and
	447	have been available since
	448	.Ox 7.0
	449	.Sh BUGS
	450	Too many.
	451	The API is unergonomic and the design is very poor even by
	452	OpenSSL's standards.
	453	Naming is inconsistent, especially in regard to the _GFp suffix
	454	and the _get_ infix.
	455	Function signatures are inconsistent.
	456	In particular, functions that should have a
	457	.Vt BN_CTX
	458	argument don't have one and functions that don't need it have one.