.\" $OpenBSD: EC_GROUP_check.3,v 1.2 2025/04/28 17:42:42 tb Exp $
.\"
.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: April 28 2025 $
.Dt EC_GROUP_CHECK 3
.Os
.Sh NAME
.Nm EC_GROUP_check_discriminant ,
.Nm EC_GROUP_check
.Nd partially check validity of
.Vt EC_GROUP
objects
.Sh SYNOPSIS
.In openssl/bn.h
.In openssl/ec.h
.Pp
Deprecated:
.Pp
.Ft "int"
.Fo EC_GROUP_check_discriminant
.Fa "const EC_GROUP *group"
.Fa "BN_CTX *ctx"
.Fc
.Ft "int"
.Fo EC_GROUP_check
.Fa "const EC_GROUP *group"
.Fa "BN_CTX *ctx"
.Fc
.Sh DESCRIPTION
These functions are deprecated.
Only standardized curves built into the library should be used, see
.Xr EC_GROUP_new_by_curve_name 3 .
Builtin curves went through far more thorough checking than
the minimal, incomplete tests performed by these functions.
.Pp
These functions have an optional
.Fa ctx
argument which is used to avoid the cost of repeated allocation of
auxiliary
.Vt BIGNUM
objects.
.Pp
.Fn EC_GROUP_check_discriminant
can be called after
.Xr EC_GROUP_new_curve_GFp 3
to verify that
.Fa group Ns 's
parameters have non-zero discriminant 4a^3 + 27b^2 modulo p.
Assuming that
.Fa p
is a prime number larger than three
this implies that the Weierstrass equation defines an elliptic curve.
.Pp
.Fn EC_GROUP_check
partially verifies that
.Fa group
represents an elliptic curve and that
.Fa generator
is a point on the curve whose order divides
.Fa order .
It checks with
.Fn EC_GROUP_check_discriminant
that the discriminant is non-zero
and then verifies that
.Fa order
is non-zero and that the product
.Fa generator No * Fa order
is the point at infinity.
This implies that
.Fa order
is an integer multiple of the
.Fa generator Ns 's
.Fa order .
The verifications that
.Fa p
is a prime
and that
.Fa order
is the
.Fa generator Ns 's
order are skipped because they are too expensive.
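.Pp
The following stand-alone C program is an added illustration, not code from libcrypto: it repeats the tests listed above on a constructed textbook curve over GF(17) using machine integers and shows that a multiple of the generator's order is accepted.
All type and function names in it are hypothetical, and p is assumed to be a small prime.

```c
#include <stdint.h>
#include <stdio.h>
/* Added toy model (hypothetical names); small prime p only, not libcrypto code. */
typedef struct { int64_t x, y; int inf; } pt;             /* affine point or infinity */
typedef struct { int64_t p, a, b; pt g; int64_t n; } grp; /* y^2 = x^3 + ax + b mod p */

static int64_t md(int64_t v, int64_t p) { v %= p; return v < 0 ? v + p : v; }
static int64_t inv(int64_t v, int64_t p) { /* v^(p-2) mod p; assumes p is prime */
    int64_t r = 1, e = p - 2;
    for (v = md(v, p); e; e >>= 1, v = v * v % p)
        if (e & 1) r = r * v % p;
    return r;
}

static pt add(const grp *c, pt P, pt Q) {
    if (P.inf) return Q;
    if (Q.inf) return P;
    if (P.x == Q.x && md(P.y + Q.y, c->p) == 0) return (pt){0, 0, 1};
    int64_t l = (P.x == Q.x) /* tangent slope when doubling, chord slope otherwise */
        ? md((3 * P.x * P.x + c->a) * inv(2 * P.y, c->p), c->p)
        : md((Q.y - P.y) * inv(Q.x - P.x, c->p), c->p);
    int64_t x = md(l * l - P.x - Q.x, c->p);
    return (pt){x, md(l * (P.x - x) - P.y, c->p), 0};
}

static pt mul(const grp *c, int64_t k, pt P) { /* double-and-add */
    pt R = {0, 0, 1};
    for (; k; k >>= 1, P = add(c, P, P))
        if (k & 1) R = add(c, R, P);
    return R;
}

int check_discriminant(const grp *c) { /* 1 iff 4a^3 + 27b^2 != 0 mod p */
    return md(4 * c->a * c->a * c->a + 27 * c->b * c->b, c->p) != 0;
}

int check_group(const grp *c) { /* the tests this page lists for EC_GROUP_check */
    pt g = c->g;
    if (!check_discriminant(c)) return 0;
    if (g.inf || md(g.y * g.y - g.x * g.x * g.x - c->a * g.x - c->b, c->p)) return 0;
    if (c->n == 0) return 0;
    return mul(c, c->n, g).inf; /* order * generator must be infinity */
}

int main(void) { /* constructed textbook curve: p=17, a=b=2, G=(5,1) of order 19 */
    grp ok = {17, 2, 2, {5, 1, 0}, 19}, twice = ok;
    twice.n = 38; /* a multiple of the true order also passes */
    printf("%d %d", check_group(&ok), check_group(&twice));
}
```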
.Sh RETURN VALUES
.Fn EC_GROUP_check_discriminant
returns 1 on success and 0 on failure.
Failure modes include that the discriminant is zero modulo
.Fa p
and memory allocation failure.
.Pp
.Fn EC_GROUP_check
returns 1 on success and 0 on failure.
.Sh ERRORS
Diagnostics for
.Fn EC_GROUP_check
that can be retrieved with
.Xr ERR_get_error 3 ,
.Xr ERR_GET_REASON 3 ,
and
.Xr ERR_reason_error_string 3
include:
.Bl -tag -width Ds
.It Dv EC_R_DISCRIMINANT_IS_ZERO Qq "discriminant is zero"
.Fn EC_GROUP_check_discriminant
failed because the discriminant is zero or for some other reason.
.It Dv EC_R_UNDEFINED_GENERATOR Qq "undefined generator"
no generator is set on
.Fa group ,
for example because a call to
.Xr EC_GROUP_set_generator 3
is missing.
.It Dv EC_R_POINT_IS_NOT_ON_CURVE Qq "point is not on curve"
a generator is set, but it is not a point on the curve represented by
.Fa group .
.It Dv EC_R_UNDEFINED_ORDER Qq "undefined order"
the
.Fa order
set on
.Fa group
is zero.
.It Dv EC_R_INVALID_GROUP_ORDER Qq "invalid group order"
.Fa generator No * Fa order
is not the point at infinity.
.El
.Sh SEE ALSO
.Xr BN_CTX_new 3 ,
.Xr BN_is_zero 3 ,
.Xr crypto 3 ,
.Xr d2i_ECPKParameters 3 ,
.Xr EC_GROUP_get_curve_name 3 ,
.Xr EC_GROUP_new_by_curve_name 3 ,
.Xr EC_GROUP_new_curve_GFp 3 ,
.Xr EC_KEY_METHOD_new 3 ,
.Xr EC_KEY_new 3 ,
.Xr EC_POINT_add 3 ,
.Xr EC_POINT_get_affine_coordinates 3 ,
.Xr EC_POINT_new 3 ,
.Xr EC_POINT_point2oct 3 ,
.Xr ECDH_compute_key 3 ,
.Xr ECDSA_SIG_new 3
.Sh HISTORY
.Fn EC_GROUP_check
and
.Fn EC_GROUP_check_discriminant
first appeared in OpenSSL 0.9.8 and have been available since
.Ox 4.5 .