1 files changed, 189 insertions, 109 deletions
diff --git a/src/regress/lib/libcrypto/ec/ec_asn1_test.c b/src/regress/lib/libcrypto/ec/ec_asn1_test.c
index 171014bda7..c53864cadd 100644
--- a/src/regress/lib/libcrypto/ec/ec_asn1_test.c
+++ b/src/regress/lib/libcrypto/ec/ec_asn1_test.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_asn1_test.c,v 1.6 2024/10/16 23:58:25 tb Exp $ */
+/* $OpenBSD: ec_asn1_test.c,v 1.7 2024/10/18 09:01:44 tb Exp $ */
 /*
 * Copyright (c) 2017, 2021 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -344,35 +344,6 @@ ec_group_roundtrip_builtin_curves(void)
 * From draft-ietf-lwig-curve-representation-23, Appendix E.3
 */
-static const struct {
-        const char *oid;
-        const char *sn;
-        const char *ln;
-        const char *p;
-        const char *a;
-        const char *b;
-        const char *order;
-        const char *cofactor;
-        const char *x;
-        const char *y;
-} wei25519 = {
-        .oid = "1.3.101.108",
-        .sn = "Wei25519",
-        .p =     "7fffffff" "ffffffff" "ffffffff" "ffffffff"
-                 "ffffffff" "ffffffff" "ffffffff" "ffffffed",
-        .a =     "2aaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaaaaaaa"
-                 "aaaaaaaa" "aaaaaaaa" "aaaaaa98" "4914a144",
-        .b =     "7b425ed0" "97b425ed" "097b425e" "d097b425"
-                 "ed097b42" "5ed097b4" "260b5e9c" "7710c864",
-        .x =     "2aaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaaaaaaa"
-                 "aaaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaad245a",
-        .y =     "20ae19a1" "b8a086b4" "e01edd2c" "7748d14c"
-                 "923d4d7e" "6d7c61b2" "29e9c5a2" "7eced3d9",
-        .order = "10000000" "00000000" "00000000" "00000000"
-                 "14def9de" "a2f79cd6" "5812631a" "5cf5d3ed",
-        .cofactor = "8",
-};
 const uint8_t ec_wei25519_pkparameters_named_curve[] = {
        0x06, 0x03, 0x2b, 0x65, 0x6c,
 };
@@ -409,100 +380,163 @@ const uint8_t ec_wei25519_pkparameters_parameters[] = {
        0x08,
 };
-static int
+struct curve {
-ec_weierstrass25519(void)
+        const char *oid;
+        const char *sn;
+        const char *ln;
+        const char *p;
+        const char *a;
+        const char *b;
+        const char *order;
+        const char *cofactor;
+        const char *x;
+        const char *y;
+        const char *named;
+        size_t named_len;
+        const char *param;
+        size_t param_len;
+};
+static const struct curve wei25519 = {
+        .oid = "1.3.101.108",
+        .sn = "Wei25519",
+        .p =     "7fffffff" "ffffffff" "ffffffff" "ffffffff"
+                 "ffffffff" "ffffffff" "ffffffff" "ffffffed",
+        .a =     "2aaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaaaaaaa"
+                 "aaaaaaaa" "aaaaaaaa" "aaaaaa98" "4914a144",
+        .b =     "7b425ed0" "97b425ed" "097b425e" "d097b425"
+                 "ed097b42" "5ed097b4" "260b5e9c" "7710c864",
+        .x =     "2aaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaaaaaaa"
+                 "aaaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaad245a",
+        .y =     "20ae19a1" "b8a086b4" "e01edd2c" "7748d14c"
+                 "923d4d7e" "6d7c61b2" "29e9c5a2" "7eced3d9",
+        .order = "10000000" "00000000" "00000000" "00000000"
+                 "14def9de" "a2f79cd6" "5812631a" "5cf5d3ed",
+        .cofactor = "8",
+        .named = ec_wei25519_pkparameters_named_curve,
+        .named_len = sizeof(ec_wei25519_pkparameters_named_curve),
+        .param = ec_wei25519_pkparameters_parameters,
+        .param_len = sizeof(ec_wei25519_pkparameters_parameters),
+};
+static EC_GROUP *
+ec_group_from_curve_method(const struct curve *curve, const EC_METHOD *method,
+    BN_CTX *ctx)
 {
-        EC_GROUP *group = NULL, *new_group = NULL;
+        EC_GROUP *group;
        EC_POINT *generator = NULL;
-        BN_CTX *ctx = NULL;
        BIGNUM *p, *a, *b;
-        BIGNUM *order, *cofactor, *guessed_cofactor, *x, *y;
+        BIGNUM *order, *x, *y;
-        const unsigned char *pder;
-        unsigned char *der = NULL;
-        long error;
-        int der_len = 0;
-        int nid;
-        int failed = 1;
-        ERR_clear_error();
-        if ((ctx = BN_CTX_new()) == NULL)
-                goto err;
        BN_CTX_start(ctx);
-        if ((nid = OBJ_create(wei25519.oid, wei25519.sn, NULL)) == NID_undef) {
-                fprintf(stderr, "FAIL: %s OBJ_create(wei25519)\n", __func__);
-                goto err;
-        }
        if ((p = BN_CTX_get(ctx)) == NULL)
                errx(1, "BN_CTX_get");
        if ((a = BN_CTX_get(ctx)) == NULL)
                errx(1, "BN_CTX_get");
        if ((b = BN_CTX_get(ctx)) == NULL)
                errx(1, "BN_CTX_get");
        if ((order = BN_CTX_get(ctx)) == NULL)
                errx(1, "BN_CTX_get");
-        if ((cofactor = BN_CTX_get(ctx)) == NULL)
-                errx(1, "BN_CTX_get");
-        if ((guessed_cofactor = BN_CTX_get(ctx)) == NULL)
-                errx(1, "BN_CTX_get");
        if ((x = BN_CTX_get(ctx)) == NULL)
                errx(1, "BN_CTX_get");
        if ((y = BN_CTX_get(ctx)) == NULL)
                errx(1, "BN_CTX_get");
-        if (BN_hex2bn(&p, wei25519.p) == 0)
+        if (BN_hex2bn(&p, curve->p) == 0)
                errx(1, "BN_hex2bn(p)");
-        if (BN_hex2bn(&a, wei25519.a) == 0)
+        if (BN_hex2bn(&a, curve->a) == 0)
                errx(1, "BN_hex2bn(a)");
-        if (BN_hex2bn(&b, wei25519.b) == 0)
+        if (BN_hex2bn(&b, curve->b) == 0)
                errx(1, "BN_hex2bn(b)");
-        /*
+        if ((group = EC_GROUP_new(method)) == NULL)
-         * XXX - this uses the Montgomery method. Consider exercising the
+                errx(1, "EC_GROUP_new");
-         * simple method as well.
-         */
+        if (!EC_GROUP_set_curve(group, p, a, b, ctx))
-        if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
+                errx(1, "EC_GROUP_set_curve");
-                fprintf(stderr, "FAIL: %s EC_GROUP_new_curve_GFp", __func__);
-                goto err;
-        }
-        if (BN_hex2bn(&x, wei25519.x) == 0)
+        if (BN_hex2bn(&x, curve->x) == 0)
                errx(1, "BN_hex2bn(x)");
-        if (BN_hex2bn(&x, wei25519.x) == 0)
+        if (BN_hex2bn(&x, curve->x) == 0)
                errx(1, "BN_hex2bn(x)");
-        if (BN_hex2bn(&y, wei25519.y) == 0)
+        if (BN_hex2bn(&y, curve->y) == 0)
                errx(1, "BN_hex2bn(y)");
        if ((generator = EC_POINT_new(group)) == NULL)
                errx(1, "EC_POINT_new()");
        if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx)) {
-                fprintf(stderr, "FAIL: %s EC_POINT_set_affine_coordinates", __func__);
+                fprintf(stderr, "FAIL: %s EC_POINT_set_affine_coordinates",
+                    curve->sn);
                ERR_print_errors_fp(stderr);
                goto err;
        }
-        if (BN_hex2bn(&order, wei25519.order) == 0)
+        if (BN_hex2bn(&order, curve->order) == 0)
                errx(1, "BN_hex2bn(order)");
-        if (BN_hex2bn(&cofactor, wei25519.cofactor) == 0)
-                errx(1, "BN_hex2bn(cofactor)");
        /* Don't set cofactor to exercise the cofactor guessing code. */
        if (!EC_GROUP_set_generator(group, generator, order, NULL)) {
-                fprintf(stderr, "FAIL: %s EC_GROUP_set_generator\n", __func__);
+                fprintf(stderr, "FAIL: %s EC_GROUP_set_generator\n", curve->sn);
+                ERR_print_errors_fp(stderr);
+                goto err;
+        }
+        EC_POINT_free(generator);
+        BN_CTX_end(ctx);
+        return group;
+ err:
+        BN_CTX_end(ctx);
+        EC_POINT_free(generator);
+        EC_GROUP_free(group);
+        return NULL;
+}
+static EC_GROUP *
+ec_group_new(const struct curve *curve, const EC_METHOD *method, BN_CTX *ctx)
+{
+        EC_GROUP *group = NULL;
+        BIGNUM *cofactor, *guessed_cofactor;
+        int nid;
+        BN_CTX_start(ctx);
+        if ((nid = OBJ_txt2nid(curve->oid)) == NID_undef)
+                nid = OBJ_create(curve->oid, curve->sn, curve->ln);
+        if (nid == NID_undef) {
+                fprintf(stderr, "FAIL: OBJ_create(%s)\n", curve->sn);
+                goto err;
+        }
+        if ((cofactor = BN_CTX_get(ctx)) == NULL)
+                errx(1, "BN_CTX_get");
+        if ((guessed_cofactor = BN_CTX_get(ctx)) == NULL)
+                errx(1, "BN_CTX_get");
+        if (BN_hex2bn(&cofactor, curve->cofactor) == 0)
+                errx(1, "BN_hex2bn(cofactor)");
+        if ((group = ec_group_from_curve_method(curve, method, ctx)) == NULL) {
+                fprintf(stderr, "FAIL: %s ec_group_from_curve_method\n", curve->sn);
                ERR_print_errors_fp(stderr);
                goto err;
        }
        if (!EC_GROUP_get_cofactor(group, guessed_cofactor, ctx)) {
-                fprintf(stderr, "FAIL: %s EC_GROUP_get_cofactor\n", __func__);
+                fprintf(stderr, "FAIL: %s EC_GROUP_get_cofactor\n", curve->sn);
                ERR_print_errors_fp(stderr);
                goto err;
        }
        if (BN_cmp(cofactor, guessed_cofactor) != 0) {
-                fprintf(stderr, "FAIL: %s cofactor: want ", __func__);
+                fprintf(stderr, "FAIL: %s cofactor: want ", curve->sn);
                BN_print_fp(stderr, cofactor);
                fprintf(stderr, ", got ");
                BN_print_fp(stderr, guessed_cofactor);
@@ -511,49 +545,80 @@ ec_weierstrass25519(void)
        }
        if (!EC_GROUP_check(group, ctx)) {
-                fprintf(stderr, "FAIL: %s EC_GROUP_check\n", __func__);
+                fprintf(stderr, "FAIL: %s EC_GROUP_check\n", curve->sn);
                ERR_print_errors_fp(stderr);
                goto err;
        }
-        /* Explicit curve parameter encoding should work without NID set. */
+        EC_GROUP_set_curve_name(group, nid);
-        if (EC_GROUP_get_curve_name(group) != NID_undef) {
-                fprintf(stderr, "FAIL: %s unexpected curve name %d\n", __func__,
+        BN_CTX_end(ctx);
-                    EC_GROUP_get_curve_name(group));
-                ERR_print_errors_fp(stderr);
+        return group;
+ err:
+        BN_CTX_end(ctx);
+        EC_GROUP_free(group);
+        return NULL;
+}
+static int
+ec_group_non_builtin_curve(const struct curve *curve, const EC_METHOD *method,
+    BN_CTX *ctx)
+{
+        EC_GROUP *group = NULL, *new_group = NULL;
+        const unsigned char *pder;
+        unsigned char *der = NULL;
+        long error;
+        int der_len = 0;
+        int nid;
+        int failed = 1;
+        ERR_clear_error();
+        BN_CTX_start(ctx);
+        if ((group = ec_group_new(curve, method, ctx)) == NULL)
+                goto err;
+        if ((nid = EC_GROUP_get_curve_name(group)) == NID_undef) {
+                fprintf(stderr, "FAIL: no curve name set for %s\n", curve->sn);
                goto err;
        }
-        EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
+        EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
        der = NULL;
        if ((der_len = i2d_ECPKParameters(group, &der)) <= 0) {
-                fprintf(stderr, "FAIL: %s i2d_ECPKParameters (explicit)\n", __func__);
+                fprintf(stderr, "FAIL: %s i2d_ECPKParameters (named)\n",
+                    curve->sn);
                ERR_print_errors_fp(stderr);
                goto err;
        }
-        if (compare_data("Weierstrass 25519 explicit", der, der_len,
+        if (compare_data("Weierstrass 25519 named curve", der, der_len,
-            ec_wei25519_pkparameters_parameters,
+            ec_wei25519_pkparameters_named_curve,
-            sizeof(ec_wei25519_pkparameters_parameters)) == -1)
+            sizeof(ec_wei25519_pkparameters_named_curve)) == -1)
                goto err;
        freezero(der, der_len);
        der = NULL;
-        EC_GROUP_set_curve_name(group, nid);
+        /* Explicit curve parameter encoding should work without NID set. */
-        EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
+        EC_GROUP_set_curve_name(group, NID_undef);
+        EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
        der = NULL;
        if ((der_len = i2d_ECPKParameters(group, &der)) <= 0) {
-                fprintf(stderr, "FAIL: %s i2d_ECPKParameters (named)\n", __func__);
+                fprintf(stderr, "FAIL: i2d_ECPKParameters (explicit) %s\n",
+                    curve->sn);
                ERR_print_errors_fp(stderr);
                goto err;
        }
-        if (compare_data("Weierstrass 25519 named curve", der, der_len,
+        if (compare_data(curve->sn, der, der_len,
-            ec_wei25519_pkparameters_named_curve,
+            curve->param, curve->param_len) == -1)
-            sizeof(ec_wei25519_pkparameters_named_curve)) == -1)
                goto err;
        freezero(der, der_len);
@@ -561,51 +626,51 @@ ec_weierstrass25519(void)
        /* At this point we should have no error on the stack. */
        if (ERR_peek_last_error() != 0) {
-                fprintf(stderr, "FAIL: %s unexpected error %lu\n", __func__,
+                fprintf(stderr, "FAIL: %s unexpected error %lu\n", curve->sn,
                    ERR_peek_last_error());
                goto err;
        }
-        pder = ec_wei25519_pkparameters_named_curve;
+        pder = curve->named;
-        der_len = sizeof(ec_wei25519_pkparameters_named_curve);
+        der_len = curve->named_len;
        if ((new_group = d2i_ECPKParameters(NULL, &pder, der_len)) != NULL) {
-                fprintf(stderr, "FAIL: %s managed to decode unknown named curve\n",
+                fprintf(stderr, "FAIL: managed to decode unknown named curve %s\n",
-                    __func__);
+                    curve->sn);
                goto err;
        }
        error = ERR_get_error();
        if (ERR_GET_REASON(error) != EC_R_UNKNOWN_GROUP) {
                fprintf(stderr, "FAIL: %s unexpected error: want %d, got %d\n",
-                    __func__, EC_R_UNKNOWN_GROUP, ERR_GET_REASON(error));
+                    curve->sn, EC_R_UNKNOWN_GROUP, ERR_GET_REASON(error));
                goto err;
        }
        ERR_clear_error();
-        pder = ec_wei25519_pkparameters_parameters;
+        pder = curve->param;
-        der_len = sizeof(ec_wei25519_pkparameters_parameters);
+        der_len = curve->param_len;
 #if 0
        if ((new_group = d2i_ECPKParameters(NULL, &pder, der_len)) != NULL) {
-                fprintf(stderr, "FAIL: %s managed to decode non-builtin parameters\n",
+                fprintf(stderr, "FAIL: managed to decode non-builtin parameters %s\n",
-                    __func__);
+                    curve->sn);
                goto err;
        }
        error = ERR_peek_last_error();
        if (ERR_GET_REASON(error) != EC_R_PKPARAMETERS2GROUP_FAILURE) {
                fprintf(stderr, "FAIL: %s unexpected error: want %d, got %d\n",
-                    __func__, EC_R_UNKNOWN_GROUP, ERR_GET_REASON(error));
+                    curve->sn, EC_R_UNKNOWN_GROUP, ERR_GET_REASON(error));
                goto err;
        }
 #else
        if ((new_group = d2i_ECPKParameters(NULL, &pder, der_len)) == NULL) {
-                fprintf(stderr, "FAIL: %s d2i_ECPKParameters(Wei25519)\n", __func__);
+                fprintf(stderr, "FAIL: d2i_ECPKParameters(%s)\n", curve->sn);
                goto err;
        }
-        if (EC_GROUP_cmp(group, new_group, ctx) != 0) {
+        if (method == EC_GFp_mont_method() &&
+            EC_GROUP_cmp(group, new_group, ctx) != 0) {
                fprintf(stderr, "FAIL: %s Weierstrass groups do not match!\n",
-                    __func__);
+                    curve->sn);
                goto err;
        }
 #endif
@@ -614,17 +679,32 @@ ec_weierstrass25519(void)
 err:
        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
        EC_GROUP_free(group);
        EC_GROUP_free(new_group);
-        EC_POINT_free(generator);
        freezero(der, der_len);
        return failed;
 }
+static int
+ec_group_non_builtin_curves(void)
+{
+        BN_CTX *ctx;
+        int failed = 0;
+        if ((ctx = BN_CTX_new()) == NULL)
+                errx(1, "BN_CTX_new");
+        failed |= ec_group_non_builtin_curve(&wei25519, EC_GFp_mont_method(), ctx);
+        failed |= ec_group_non_builtin_curve(&wei25519, EC_GFp_simple_method(), ctx);
+        BN_CTX_free(ctx);
+        return failed;
+}
 int
 main(int argc, char **argv)
 {
@@ -634,7 +714,7 @@ main(int argc, char **argv)
        failed |= ec_group_pkparameters_parameters_test();
        failed |= ec_group_pkparameters_correct_padding_test();
        failed |= ec_group_roundtrip_builtin_curves();
-        failed |= ec_weierstrass25519();
+        failed |= ec_group_non_builtin_curves();
        return (failed);
 }

diff --git a/src/regress/lib/libcrypto/ec/ec_asn1_test.c b/src/regress/lib/libcrypto/ec/ec_asn1_test.c index 171014bda7..c53864cadd 100644 --- a/src/regress/lib/libcrypto/ec/ec_asn1_test.c +++ b/src/regress/lib/libcrypto/ec/ec_asn1_test.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ec_asn1_test.c,v 1.6 2024/10/16 23:58:25 tb Exp $ */	1	/* $OpenBSD: ec_asn1_test.c,v 1.7 2024/10/18 09:01:44 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2017, 2021 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2017, 2021 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2024 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -344,35 +344,6 @@ ec_group_roundtrip_builtin_curves(void)
344	* From draft-ietf-lwig-curve-representation-23, Appendix E.3	344	* From draft-ietf-lwig-curve-representation-23, Appendix E.3
345	*/	345	*/
346		346
347	static const struct {
348	const char *oid;
349	const char *sn;
350	const char *ln;
351	const char *p;
352	const char *a;
353	const char *b;
354	const char *order;
355	const char *cofactor;
356	const char *x;
357	const char *y;
358	} wei25519 = {
359	.oid = "1.3.101.108",
360	.sn = "Wei25519",
361	.p = "7fffffff" "ffffffff" "ffffffff" "ffffffff"
362	"ffffffff" "ffffffff" "ffffffff" "ffffffed",
363	.a = "2aaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaaaaaaa"
364	"aaaaaaaa" "aaaaaaaa" "aaaaaa98" "4914a144",
365	.b = "7b425ed0" "97b425ed" "097b425e" "d097b425"
366	"ed097b42" "5ed097b4" "260b5e9c" "7710c864",
367	.x = "2aaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaaaaaaa"
368	"aaaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaad245a",
369	.y = "20ae19a1" "b8a086b4" "e01edd2c" "7748d14c"
370	"923d4d7e" "6d7c61b2" "29e9c5a2" "7eced3d9",
371	.order = "10000000" "00000000" "00000000" "00000000"
372	"14def9de" "a2f79cd6" "5812631a" "5cf5d3ed",
373	.cofactor = "8",
374	};
375
376	const uint8_t ec_wei25519_pkparameters_named_curve[] = {	347	const uint8_t ec_wei25519_pkparameters_named_curve[] = {
377	0x06, 0x03, 0x2b, 0x65, 0x6c,	348	0x06, 0x03, 0x2b, 0x65, 0x6c,
378	};	349	};
@@ -409,100 +380,163 @@ const uint8_t ec_wei25519_pkparameters_parameters[] = {
409	0x08,	380	0x08,
410	};	381	};
411		382
412	static int	383	struct curve {
413	ec_weierstrass25519(void)	384	const char *oid;
		385	const char *sn;
		386	const char *ln;
		387	const char *p;
		388	const char *a;
		389	const char *b;
		390	const char *order;
		391	const char *cofactor;
		392	const char *x;
		393	const char *y;
		394	const char *named;
		395	size_t named_len;
		396	const char *param;
		397	size_t param_len;
		398	};
		399
		400	static const struct curve wei25519 = {
		401	.oid = "1.3.101.108",
		402	.sn = "Wei25519",
		403	.p = "7fffffff" "ffffffff" "ffffffff" "ffffffff"
		404	"ffffffff" "ffffffff" "ffffffff" "ffffffed",
		405	.a = "2aaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaaaaaaa"
		406	"aaaaaaaa" "aaaaaaaa" "aaaaaa98" "4914a144",
		407	.b = "7b425ed0" "97b425ed" "097b425e" "d097b425"
		408	"ed097b42" "5ed097b4" "260b5e9c" "7710c864",
		409	.x = "2aaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaaaaaaa"
		410	"aaaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaad245a",
		411	.y = "20ae19a1" "b8a086b4" "e01edd2c" "7748d14c"
		412	"923d4d7e" "6d7c61b2" "29e9c5a2" "7eced3d9",
		413	.order = "10000000" "00000000" "00000000" "00000000"
		414	"14def9de" "a2f79cd6" "5812631a" "5cf5d3ed",
		415	.cofactor = "8",
		416	.named = ec_wei25519_pkparameters_named_curve,
		417	.named_len = sizeof(ec_wei25519_pkparameters_named_curve),
		418	.param = ec_wei25519_pkparameters_parameters,
		419	.param_len = sizeof(ec_wei25519_pkparameters_parameters),
		420	};
		421
		422	static EC_GROUP *
		423	ec_group_from_curve_method(const struct curve curve, const EC_METHOD method,
		424	BN_CTX *ctx)
414	{	425	{
415	EC_GROUP group = NULL, new_group = NULL;	426	EC_GROUP *group;
416	EC_POINT *generator = NULL;	427	EC_POINT *generator = NULL;
417	BN_CTX *ctx = NULL;
418	BIGNUM p, a, *b;	428	BIGNUM p, a, *b;
419	BIGNUM order, cofactor, guessed_cofactor, x, *y;	429	BIGNUM order, x, *y;
420	const unsigned char *pder;
421	unsigned char *der = NULL;
422	long error;
423	int der_len = 0;
424	int nid;
425	int failed = 1;
426		430
427	ERR_clear_error();
428	if ((ctx = BN_CTX_new()) == NULL)
429	goto err;
430	BN_CTX_start(ctx);	431	BN_CTX_start(ctx);
431		432
432	if ((nid = OBJ_create(wei25519.oid, wei25519.sn, NULL)) == NID_undef) {
433	fprintf(stderr, "FAIL: %s OBJ_create(wei25519)\n", __func__);
434	goto err;
435	}
436
437	if ((p = BN_CTX_get(ctx)) == NULL)	433	if ((p = BN_CTX_get(ctx)) == NULL)
438	errx(1, "BN_CTX_get");	434	errx(1, "BN_CTX_get");
439	if ((a = BN_CTX_get(ctx)) == NULL)	435	if ((a = BN_CTX_get(ctx)) == NULL)
440	errx(1, "BN_CTX_get");	436	errx(1, "BN_CTX_get");
441	if ((b = BN_CTX_get(ctx)) == NULL)	437	if ((b = BN_CTX_get(ctx)) == NULL)
442	errx(1, "BN_CTX_get");	438	errx(1, "BN_CTX_get");
		439
443	if ((order = BN_CTX_get(ctx)) == NULL)	440	if ((order = BN_CTX_get(ctx)) == NULL)
444	errx(1, "BN_CTX_get");	441	errx(1, "BN_CTX_get");
445	if ((cofactor = BN_CTX_get(ctx)) == NULL)
446	errx(1, "BN_CTX_get");
447	if ((guessed_cofactor = BN_CTX_get(ctx)) == NULL)
448	errx(1, "BN_CTX_get");
449	if ((x = BN_CTX_get(ctx)) == NULL)	442	if ((x = BN_CTX_get(ctx)) == NULL)
450	errx(1, "BN_CTX_get");	443	errx(1, "BN_CTX_get");
451	if ((y = BN_CTX_get(ctx)) == NULL)	444	if ((y = BN_CTX_get(ctx)) == NULL)
452	errx(1, "BN_CTX_get");	445	errx(1, "BN_CTX_get");
453		446
454	if (BN_hex2bn(&p, wei25519.p) == 0)	447	if (BN_hex2bn(&p, curve->p) == 0)
455	errx(1, "BN_hex2bn(p)");	448	errx(1, "BN_hex2bn(p)");
456	if (BN_hex2bn(&a, wei25519.a) == 0)	449	if (BN_hex2bn(&a, curve->a) == 0)
457	errx(1, "BN_hex2bn(a)");	450	errx(1, "BN_hex2bn(a)");
458	if (BN_hex2bn(&b, wei25519.b) == 0)	451	if (BN_hex2bn(&b, curve->b) == 0)
459	errx(1, "BN_hex2bn(b)");	452	errx(1, "BN_hex2bn(b)");
460		453
461	/*	454	if ((group = EC_GROUP_new(method)) == NULL)
462	* XXX - this uses the Montgomery method. Consider exercising the	455	errx(1, "EC_GROUP_new");
463	* simple method as well.	456
464	*/	457	if (!EC_GROUP_set_curve(group, p, a, b, ctx))
465	if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {	458	errx(1, "EC_GROUP_set_curve");
466	fprintf(stderr, "FAIL: %s EC_GROUP_new_curve_GFp", __func__);
467	goto err;
468	}
469		459
470	if (BN_hex2bn(&x, wei25519.x) == 0)	460	if (BN_hex2bn(&x, curve->x) == 0)
471	errx(1, "BN_hex2bn(x)");	461	errx(1, "BN_hex2bn(x)");
472	if (BN_hex2bn(&x, wei25519.x) == 0)	462	if (BN_hex2bn(&x, curve->x) == 0)
473	errx(1, "BN_hex2bn(x)");	463	errx(1, "BN_hex2bn(x)");
474	if (BN_hex2bn(&y, wei25519.y) == 0)	464	if (BN_hex2bn(&y, curve->y) == 0)
475	errx(1, "BN_hex2bn(y)");	465	errx(1, "BN_hex2bn(y)");
476		466
477	if ((generator = EC_POINT_new(group)) == NULL)	467	if ((generator = EC_POINT_new(group)) == NULL)
478	errx(1, "EC_POINT_new()");	468	errx(1, "EC_POINT_new()");
479		469
480	if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx)) {	470	if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx)) {
481	fprintf(stderr, "FAIL: %s EC_POINT_set_affine_coordinates", __func__);	471	fprintf(stderr, "FAIL: %s EC_POINT_set_affine_coordinates",
		472	curve->sn);
482	ERR_print_errors_fp(stderr);	473	ERR_print_errors_fp(stderr);
483	goto err;	474	goto err;
484	}	475	}
485		476
486	if (BN_hex2bn(&order, wei25519.order) == 0)	477	if (BN_hex2bn(&order, curve->order) == 0)
487	errx(1, "BN_hex2bn(order)");	478	errx(1, "BN_hex2bn(order)");
488	if (BN_hex2bn(&cofactor, wei25519.cofactor) == 0)
489	errx(1, "BN_hex2bn(cofactor)");
490		479
491	/* Don't set cofactor to exercise the cofactor guessing code. */	480	/* Don't set cofactor to exercise the cofactor guessing code. */
492	if (!EC_GROUP_set_generator(group, generator, order, NULL)) {	481	if (!EC_GROUP_set_generator(group, generator, order, NULL)) {
493	fprintf(stderr, "FAIL: %s EC_GROUP_set_generator\n", __func__);	482	fprintf(stderr, "FAIL: %s EC_GROUP_set_generator\n", curve->sn);
		483	ERR_print_errors_fp(stderr);
		484	goto err;
		485	}
		486
		487	EC_POINT_free(generator);
		488
		489	BN_CTX_end(ctx);
		490
		491	return group;
		492
		493	err:
		494	BN_CTX_end(ctx);
		495
		496	EC_POINT_free(generator);
		497	EC_GROUP_free(group);
		498
		499	return NULL;
		500	}
		501
		502	static EC_GROUP *
		503	ec_group_new(const struct curve curve, const EC_METHOD method, BN_CTX *ctx)
		504	{
		505	EC_GROUP *group = NULL;
		506	BIGNUM cofactor, guessed_cofactor;
		507	int nid;
		508
		509	BN_CTX_start(ctx);
		510
		511	if ((nid = OBJ_txt2nid(curve->oid)) == NID_undef)
		512	nid = OBJ_create(curve->oid, curve->sn, curve->ln);
		513	if (nid == NID_undef) {
		514	fprintf(stderr, "FAIL: OBJ_create(%s)\n", curve->sn);
		515	goto err;
		516	}
		517
		518	if ((cofactor = BN_CTX_get(ctx)) == NULL)
		519	errx(1, "BN_CTX_get");
		520	if ((guessed_cofactor = BN_CTX_get(ctx)) == NULL)
		521	errx(1, "BN_CTX_get");
		522
		523	if (BN_hex2bn(&cofactor, curve->cofactor) == 0)
		524	errx(1, "BN_hex2bn(cofactor)");
		525
		526	if ((group = ec_group_from_curve_method(curve, method, ctx)) == NULL) {
		527	fprintf(stderr, "FAIL: %s ec_group_from_curve_method\n", curve->sn);
494	ERR_print_errors_fp(stderr);	528	ERR_print_errors_fp(stderr);
495	goto err;	529	goto err;
496	}	530	}
497		531
498	if (!EC_GROUP_get_cofactor(group, guessed_cofactor, ctx)) {	532	if (!EC_GROUP_get_cofactor(group, guessed_cofactor, ctx)) {
499	fprintf(stderr, "FAIL: %s EC_GROUP_get_cofactor\n", __func__);	533	fprintf(stderr, "FAIL: %s EC_GROUP_get_cofactor\n", curve->sn);
500	ERR_print_errors_fp(stderr);	534	ERR_print_errors_fp(stderr);
501	goto err;	535	goto err;
502	}	536	}
503		537
504	if (BN_cmp(cofactor, guessed_cofactor) != 0) {	538	if (BN_cmp(cofactor, guessed_cofactor) != 0) {
505	fprintf(stderr, "FAIL: %s cofactor: want ", __func__);	539	fprintf(stderr, "FAIL: %s cofactor: want ", curve->sn);
506	BN_print_fp(stderr, cofactor);	540	BN_print_fp(stderr, cofactor);
507	fprintf(stderr, ", got ");	541	fprintf(stderr, ", got ");
508	BN_print_fp(stderr, guessed_cofactor);	542	BN_print_fp(stderr, guessed_cofactor);
@@ -511,49 +545,80 @@ ec_weierstrass25519(void)
511	}	545	}
512		546
513	if (!EC_GROUP_check(group, ctx)) {	547	if (!EC_GROUP_check(group, ctx)) {
514	fprintf(stderr, "FAIL: %s EC_GROUP_check\n", __func__);	548	fprintf(stderr, "FAIL: %s EC_GROUP_check\n", curve->sn);
515	ERR_print_errors_fp(stderr);	549	ERR_print_errors_fp(stderr);
516	goto err;	550	goto err;
517	}	551	}
518		552
519	/* Explicit curve parameter encoding should work without NID set. */	553	EC_GROUP_set_curve_name(group, nid);
520	if (EC_GROUP_get_curve_name(group) != NID_undef) {	554
521	fprintf(stderr, "FAIL: %s unexpected curve name %d\n", __func__,	555	BN_CTX_end(ctx);
522	EC_GROUP_get_curve_name(group));	556
523	ERR_print_errors_fp(stderr);	557	return group;
		558
		559	err:
		560	BN_CTX_end(ctx);
		561
		562	EC_GROUP_free(group);
		563
		564	return NULL;
		565	}
		566
		567	static int
		568	ec_group_non_builtin_curve(const struct curve curve, const EC_METHOD method,
		569	BN_CTX *ctx)
		570	{
		571	EC_GROUP group = NULL, new_group = NULL;
		572	const unsigned char *pder;
		573	unsigned char *der = NULL;
		574	long error;
		575	int der_len = 0;
		576	int nid;
		577	int failed = 1;
		578
		579	ERR_clear_error();
		580	BN_CTX_start(ctx);
		581
		582	if ((group = ec_group_new(curve, method, ctx)) == NULL)
		583	goto err;
		584
		585	if ((nid = EC_GROUP_get_curve_name(group)) == NID_undef) {
		586	fprintf(stderr, "FAIL: no curve name set for %s\n", curve->sn);
524	goto err;	587	goto err;
525	}	588	}
526		589
527	EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);	590	EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
528		591
529	der = NULL;	592	der = NULL;
530	if ((der_len = i2d_ECPKParameters(group, &der)) <= 0) {	593	if ((der_len = i2d_ECPKParameters(group, &der)) <= 0) {
531	fprintf(stderr, "FAIL: %s i2d_ECPKParameters (explicit)\n", __func__);	594	fprintf(stderr, "FAIL: %s i2d_ECPKParameters (named)\n",
		595	curve->sn);
532	ERR_print_errors_fp(stderr);	596	ERR_print_errors_fp(stderr);
533	goto err;	597	goto err;
534	}	598	}
535		599
536	if (compare_data("Weierstrass 25519 explicit", der, der_len,	600	if (compare_data("Weierstrass 25519 named curve", der, der_len,
537	ec_wei25519_pkparameters_parameters,	601	ec_wei25519_pkparameters_named_curve,
538	sizeof(ec_wei25519_pkparameters_parameters)) == -1)	602	sizeof(ec_wei25519_pkparameters_named_curve)) == -1)
539	goto err;	603	goto err;
540		604
541	freezero(der, der_len);	605	freezero(der, der_len);
542	der = NULL;	606	der = NULL;
543		607
544	EC_GROUP_set_curve_name(group, nid);	608	/* Explicit curve parameter encoding should work without NID set. */
545	EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);	609	EC_GROUP_set_curve_name(group, NID_undef);
		610	EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
546		611
547	der = NULL;	612	der = NULL;
548	if ((der_len = i2d_ECPKParameters(group, &der)) <= 0) {	613	if ((der_len = i2d_ECPKParameters(group, &der)) <= 0) {
549	fprintf(stderr, "FAIL: %s i2d_ECPKParameters (named)\n", __func__);	614	fprintf(stderr, "FAIL: i2d_ECPKParameters (explicit) %s\n",
		615	curve->sn);
550	ERR_print_errors_fp(stderr);	616	ERR_print_errors_fp(stderr);
551	goto err;	617	goto err;
552	}	618	}
553		619
554	if (compare_data("Weierstrass 25519 named curve", der, der_len,	620	if (compare_data(curve->sn, der, der_len,
555	ec_wei25519_pkparameters_named_curve,	621	curve->param, curve->param_len) == -1)
556	sizeof(ec_wei25519_pkparameters_named_curve)) == -1)
557	goto err;	622	goto err;
558		623
559	freezero(der, der_len);	624	freezero(der, der_len);
@@ -561,51 +626,51 @@ ec_weierstrass25519(void)
561		626
562	/* At this point we should have no error on the stack. */	627	/* At this point we should have no error on the stack. */
563	if (ERR_peek_last_error() != 0) {	628	if (ERR_peek_last_error() != 0) {
564	fprintf(stderr, "FAIL: %s unexpected error %lu\n", __func__,	629	fprintf(stderr, "FAIL: %s unexpected error %lu\n", curve->sn,
565	ERR_peek_last_error());	630	ERR_peek_last_error());
566	goto err;	631	goto err;
567	}	632	}
568		633
569	pder = ec_wei25519_pkparameters_named_curve;	634	pder = curve->named;
570	der_len = sizeof(ec_wei25519_pkparameters_named_curve);	635	der_len = curve->named_len;
571	if ((new_group = d2i_ECPKParameters(NULL, &pder, der_len)) != NULL) {	636	if ((new_group = d2i_ECPKParameters(NULL, &pder, der_len)) != NULL) {
572	fprintf(stderr, "FAIL: %s managed to decode unknown named curve\n",	637	fprintf(stderr, "FAIL: managed to decode unknown named curve %s\n",
573	__func__);	638	curve->sn);
574	goto err;	639	goto err;
575	}	640	}
576		641
577	error = ERR_get_error();	642	error = ERR_get_error();
578	if (ERR_GET_REASON(error) != EC_R_UNKNOWN_GROUP) {	643	if (ERR_GET_REASON(error) != EC_R_UNKNOWN_GROUP) {
579	fprintf(stderr, "FAIL: %s unexpected error: want %d, got %d\n",	644	fprintf(stderr, "FAIL: %s unexpected error: want %d, got %d\n",
580	__func__, EC_R_UNKNOWN_GROUP, ERR_GET_REASON(error));	645	curve->sn, EC_R_UNKNOWN_GROUP, ERR_GET_REASON(error));
581	goto err;	646	goto err;
582	}	647	}
583		648
584	ERR_clear_error();	649	ERR_clear_error();
585	pder = ec_wei25519_pkparameters_parameters;	650	pder = curve->param;
586	der_len = sizeof(ec_wei25519_pkparameters_parameters);	651	der_len = curve->param_len;
587
588	#if 0	652	#if 0
589	if ((new_group = d2i_ECPKParameters(NULL, &pder, der_len)) != NULL) {	653	if ((new_group = d2i_ECPKParameters(NULL, &pder, der_len)) != NULL) {
590	fprintf(stderr, "FAIL: %s managed to decode non-builtin parameters\n",	654	fprintf(stderr, "FAIL: managed to decode non-builtin parameters %s\n",
591	__func__);	655	curve->sn);
592	goto err;	656	goto err;
593	}	657	}
594		658
595	error = ERR_peek_last_error();	659	error = ERR_peek_last_error();
596	if (ERR_GET_REASON(error) != EC_R_PKPARAMETERS2GROUP_FAILURE) {	660	if (ERR_GET_REASON(error) != EC_R_PKPARAMETERS2GROUP_FAILURE) {
597	fprintf(stderr, "FAIL: %s unexpected error: want %d, got %d\n",	661	fprintf(stderr, "FAIL: %s unexpected error: want %d, got %d\n",
598	__func__, EC_R_UNKNOWN_GROUP, ERR_GET_REASON(error));	662	curve->sn, EC_R_UNKNOWN_GROUP, ERR_GET_REASON(error));
599	goto err;	663	goto err;
600	}	664	}
601	#else	665	#else
602	if ((new_group = d2i_ECPKParameters(NULL, &pder, der_len)) == NULL) {	666	if ((new_group = d2i_ECPKParameters(NULL, &pder, der_len)) == NULL) {
603	fprintf(stderr, "FAIL: %s d2i_ECPKParameters(Wei25519)\n", __func__);	667	fprintf(stderr, "FAIL: d2i_ECPKParameters(%s)\n", curve->sn);
604	goto err;	668	goto err;
605	}	669	}
606	if (EC_GROUP_cmp(group, new_group, ctx) != 0) {	670	if (method == EC_GFp_mont_method() &&
		671	EC_GROUP_cmp(group, new_group, ctx) != 0) {
607	fprintf(stderr, "FAIL: %s Weierstrass groups do not match!\n",	672	fprintf(stderr, "FAIL: %s Weierstrass groups do not match!\n",
608	__func__);	673	curve->sn);
609	goto err;	674	goto err;
610	}	675	}
611	#endif	676	#endif
@@ -614,17 +679,32 @@ ec_weierstrass25519(void)
614		679
615	err:	680	err:
616	BN_CTX_end(ctx);	681	BN_CTX_end(ctx);
617	BN_CTX_free(ctx);
618		682
619	EC_GROUP_free(group);	683	EC_GROUP_free(group);
620	EC_GROUP_free(new_group);	684	EC_GROUP_free(new_group);
621	EC_POINT_free(generator);
622		685
623	freezero(der, der_len);	686	freezero(der, der_len);
624		687
625	return failed;	688	return failed;
626	}	689	}
627		690
		691	static int
		692	ec_group_non_builtin_curves(void)
		693	{
		694	BN_CTX *ctx;
		695	int failed = 0;
		696
		697	if ((ctx = BN_CTX_new()) == NULL)
		698	errx(1, "BN_CTX_new");
		699
		700	failed \|= ec_group_non_builtin_curve(&wei25519, EC_GFp_mont_method(), ctx);
		701	failed \|= ec_group_non_builtin_curve(&wei25519, EC_GFp_simple_method(), ctx);
		702
		703	BN_CTX_free(ctx);
		704
		705	return failed;
		706	}
		707
628	int	708	int
629	main(int argc, char **argv)	709	main(int argc, char **argv)
630	{	710	{
@@ -634,7 +714,7 @@ main(int argc, char **argv)
634	failed \|= ec_group_pkparameters_parameters_test();	714	failed \|= ec_group_pkparameters_parameters_test();
635	failed \|= ec_group_pkparameters_correct_padding_test();	715	failed \|= ec_group_pkparameters_correct_padding_test();
636	failed \|= ec_group_roundtrip_builtin_curves();	716	failed \|= ec_group_roundtrip_builtin_curves();
637	failed \|= ec_weierstrass25519();	717	failed \|= ec_group_non_builtin_curves();
638		718
639	return (failed);	719	return (failed);
640	}	720	}