kris
/
boringssl
1
0
Forkuj 0
Kod Zgłoszenia 0 Oczekujące zmiany 0 Wydania 0 Wiki Aktywność
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
3578 Commity
12 Gałęzie
38 MiB
 
 
 
 
 
 
Drzewo: 8a55ce4954
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '8a55ce4954'
${ noResults }
boringssl/crypto/ec/ec_test.cc

537 wiersze
19 KiB
Czysty Wina Historia 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <stdio.h>

  16. #include <string.h>

  17. 

  18. #include <vector>

  19. 

  20. #include <openssl/bn.h>

  21. #include <openssl/bytestring.h>

  22. #include <openssl/crypto.h>

  23. #include <openssl/ec_key.h>

  24. #include <openssl/err.h>

  25. #include <openssl/mem.h>

  26. #include <openssl/nid.h>

  27. 

  28. 

  29. // kECKeyWithoutPublic is an ECPrivateKey with the optional publicKey field

  30. // omitted.

  31. static const uint8_t kECKeyWithoutPublic[] = {

  32.   0x30, 0x31, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0,

  33.   0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e,

  34.   0xfe, 0x46, 0xc0, 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,

  35.   0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,

  36. };

  37. 

  38. // kECKeySpecifiedCurve is the above key with P-256's parameters explicitly

  39. // spelled out rather than using a named curve.

  40. static const uint8_t kECKeySpecifiedCurve[] = {

  41.     0x30, 0x82, 0x01, 0x22, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa,

  42.     0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb,

  43.     0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0, 0x93, 0x8b, 0x74, 0xf2, 0xbc,

  44.     0xc5, 0x30, 0x52, 0xb0, 0x77, 0xa0, 0x81, 0xfa, 0x30, 0x81, 0xf7, 0x02,

  45.     0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01,

  46.     0x01, 0x02, 0x21, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01,

  47.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

  48.     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,

  49.     0x30, 0x5b, 0x04, 0x20, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01,

  50.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

  51.     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc,

  52.     0x04, 0x20, 0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb,

  53.     0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53,

  54.     0xb0, 0xf6, 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b, 0x03, 0x15,

  55.     0x00, 0xc4, 0x9d, 0x36, 0x08, 0x86, 0xe7, 0x04, 0x93, 0x6a, 0x66, 0x78,

  56.     0xe1, 0x13, 0x9d, 0x26, 0xb7, 0x81, 0x9f, 0x7e, 0x90, 0x04, 0x41, 0x04,

  57.     0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5,

  58.     0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0,

  59.     0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3, 0x42, 0xe2,

  60.     0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16,

  61.     0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68,

  62.     0x37, 0xbf, 0x51, 0xf5, 0x02, 0x21, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00,

  63.     0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xbc,

  64.     0xe6, 0xfa, 0xad, 0xa7, 0x17, 0x9e, 0x84, 0xf3, 0xb9, 0xca, 0xc2, 0xfc,

  65.     0x63, 0x25, 0x51, 0x02, 0x01, 0x01,

  66. };

  67. 

  68. // kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where

  69. // the private key is one. The private key is incorrectly encoded without zero

  70. // padding.

  71. static const uint8_t kECKeyMissingZeros[] = {

  72.   0x30, 0x58, 0x02, 0x01, 0x01, 0x04, 0x01, 0x01, 0xa0, 0x0a, 0x06, 0x08, 0x2a,

  73.   0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04,

  74.   0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63,

  75.   0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1,

  76.   0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f,

  77.   0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,

  78.   0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,

  79. };

  80. 

  81. // kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where

  82. // the private key is one. The private key is encoded with the required zero

  83. // padding.

  84. static const uint8_t kECKeyWithZeros[] = {

  85.   0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

  86.   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

  87.   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,

  88.   0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1,

  89.   0x44, 0x03, 0x42, 0x00, 0x04, 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47,

  90.   0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d,

  91.   0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3,

  92.   0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e,

  93.   0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68,

  94.   0x37, 0xbf, 0x51, 0xf5,

  95. };

  96. 

  97. // DecodeECPrivateKey decodes |in| as an ECPrivateKey structure and returns the

  98. // result or nullptr on error.

  99. static bssl::UniquePtr<EC_KEY> DecodeECPrivateKey(const uint8_t *in,

  100.                                                   size_t in_len) {

  101.   CBS cbs;

  102.   CBS_init(&cbs, in, in_len);

  103.   bssl::UniquePtr<EC_KEY> ret(EC_KEY_parse_private_key(&cbs, NULL));

  104.   if (!ret || CBS_len(&cbs) != 0) {

  105.     return nullptr;

  106.   }

  107.   return ret;

  108. }

  109. 

  110. // EncodeECPrivateKey encodes |key| as an ECPrivateKey structure into |*out|. It

  111. // returns true on success or false on error.

  112. static bool EncodeECPrivateKey(std::vector<uint8_t> *out, const EC_KEY *key) {

  113.   bssl::ScopedCBB cbb;

  114.   uint8_t *der;

  115.   size_t der_len;

  116.   if (!CBB_init(cbb.get(), 0) ||

  117.       !EC_KEY_marshal_private_key(cbb.get(), key, EC_KEY_get_enc_flags(key)) ||

  118.       !CBB_finish(cbb.get(), &der, &der_len)) {

  119.     return false;

  120.   }

  121.   out->assign(der, der + der_len);

  122.   OPENSSL_free(der);

  123.   return true;

  124. }

  125. 

  126. static bool Testd2i_ECPrivateKey() {

  127.   bssl::UniquePtr<EC_KEY> key = DecodeECPrivateKey(kECKeyWithoutPublic,

  128.                                         sizeof(kECKeyWithoutPublic));

  129.   if (!key) {

  130.     fprintf(stderr, "Failed to parse private key.\n");

  131.     ERR_print_errors_fp(stderr);

  132.     return false;

  133.   }

  134. 

  135.   std::vector<uint8_t> out;

  136.   if (!EncodeECPrivateKey(&out, key.get())) {

  137.     fprintf(stderr, "Failed to serialize private key.\n");

  138.     ERR_print_errors_fp(stderr);

  139.     return false;

  140.   }

  141. 

  142.   if (std::vector<uint8_t>(kECKeyWithoutPublic,

  143.                            kECKeyWithoutPublic + sizeof(kECKeyWithoutPublic)) !=

  144.       out) {

  145.     fprintf(stderr, "Serialisation of key doesn't match original.\n");

  146.     return false;

  147.   }

  148. 

  149.   const EC_POINT *pub_key = EC_KEY_get0_public_key(key.get());

  150.   if (pub_key == NULL) {

  151.     fprintf(stderr, "Public key missing.\n");

  152.     return false;

  153.   }

  154. 

  155.   bssl::UniquePtr<BIGNUM> x(BN_new());

  156.   bssl::UniquePtr<BIGNUM> y(BN_new());

  157.   if (!x || !y) {

  158.     return false;

  159.   }

  160.   if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(key.get()),

  161.                                            pub_key, x.get(), y.get(), NULL)) {

  162.     fprintf(stderr, "Failed to get public key in affine coordinates.\n");

  163.     return false;

  164.   }

  165.   bssl::UniquePtr<char> x_hex(BN_bn2hex(x.get()));

  166.   bssl::UniquePtr<char> y_hex(BN_bn2hex(y.get()));

  167.   if (!x_hex || !y_hex) {

  168.     return false;

  169.   }

  170.   if (0 != strcmp(

  171.           x_hex.get(),

  172.           "c81561ecf2e54edefe6617db1c7a34a70744ddb261f269b83dacfcd2ade5a681") ||

  173.       0 != strcmp(

  174.           y_hex.get(),

  175.           "e0e2afa3f9b6abe4c698ef6495f1be49a3196c5056acb3763fe4507eec596e88")) {

  176.     fprintf(stderr, "Incorrect public key: %s %s\n", x_hex.get(), y_hex.get());

  177.     return false;

  178.   }

  179. 

  180.   return true;

  181. }

  182. 

  183. static bool TestZeroPadding() {

  184.   // Check that the correct encoding round-trips.

  185.   bssl::UniquePtr<EC_KEY> key = DecodeECPrivateKey(kECKeyWithZeros,

  186.                                         sizeof(kECKeyWithZeros));

  187.   std::vector<uint8_t> out;

  188.   if (!key || !EncodeECPrivateKey(&out, key.get())) {

  189.     ERR_print_errors_fp(stderr);

  190.     return false;

  191.   }

  192. 

  193.   if (std::vector<uint8_t>(kECKeyWithZeros,

  194.                            kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) {

  195.     fprintf(stderr, "Serialisation of key was incorrect.\n");

  196.     return false;

  197.   }

  198. 

  199.   // Keys without leading zeros also parse, but they encode correctly.

  200.   key = DecodeECPrivateKey(kECKeyMissingZeros, sizeof(kECKeyMissingZeros));

  201.   if (!key || !EncodeECPrivateKey(&out, key.get())) {

  202.     ERR_print_errors_fp(stderr);

  203.     return false;

  204.   }

  205. 

  206.   if (std::vector<uint8_t>(kECKeyWithZeros,

  207.                            kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) {

  208.     fprintf(stderr, "Serialisation of key was incorrect.\n");

  209.     return false;

  210.   }

  211. 

  212.   return true;

  213. }

  214. 

  215. static bool TestSpecifiedCurve() {

  216.   // Test keys with specified curves may be decoded.

  217.   bssl::UniquePtr<EC_KEY> key =

  218.       DecodeECPrivateKey(kECKeySpecifiedCurve, sizeof(kECKeySpecifiedCurve));

  219.   if (!key) {

  220.     ERR_print_errors_fp(stderr);

  221.     return false;

  222.   }

  223. 

  224.   // The group should have been interpreted as P-256.

  225.   if (EC_GROUP_get_curve_name(EC_KEY_get0_group(key.get())) !=

  226.       NID_X9_62_prime256v1) {

  227.     fprintf(stderr, "Curve name incorrect.\n");

  228.     return false;

  229.   }

  230. 

  231.   // Encoding the key should still use named form.

  232.   std::vector<uint8_t> out;

  233.   if (!EncodeECPrivateKey(&out, key.get())) {

  234.     ERR_print_errors_fp(stderr);

  235.     return false;

  236.   }

  237.   if (std::vector<uint8_t>(kECKeyWithoutPublic,

  238.                            kECKeyWithoutPublic + sizeof(kECKeyWithoutPublic)) !=

  239.       out) {

  240.     fprintf(stderr, "Serialisation of key was incorrect.\n");

  241.     return false;

  242.   }

  243. 

  244.   return true;

  245. }

  246. 

  247. static bool TestSetAffine(const int nid) {

  248.   bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(nid));

  249.   if (!key) {

  250.     return false;

  251.   }

  252. 

  253.   const EC_GROUP *const group = EC_KEY_get0_group(key.get());

  254. 

  255.   if (!EC_KEY_generate_key(key.get())) {

  256.     fprintf(stderr, "EC_KEY_generate_key failed with nid %d\n", nid);

  257.     ERR_print_errors_fp(stderr);

  258.     return false;

  259.   }

  260. 

  261.   if (!EC_POINT_is_on_curve(group, EC_KEY_get0_public_key(key.get()),

  262.                             nullptr)) {

  263.     fprintf(stderr, "generated point is not on curve with nid %d", nid);

  264.     ERR_print_errors_fp(stderr);

  265.     return false;

  266.   }

  267. 

  268.   bssl::UniquePtr<BIGNUM> x(BN_new());

  269.   bssl::UniquePtr<BIGNUM> y(BN_new());

  270.   if (!EC_POINT_get_affine_coordinates_GFp(group,

  271.                                            EC_KEY_get0_public_key(key.get()),

  272.                                            x.get(), y.get(), nullptr)) {

  273.     fprintf(stderr, "EC_POINT_get_affine_coordinates_GFp failed with nid %d\n",

  274.             nid);

  275.     ERR_print_errors_fp(stderr);

  276.     return false;

  277.   }

  278. 

  279.   auto point = bssl::UniquePtr<EC_POINT>(EC_POINT_new(group));

  280.   if (!point) {

  281.     return false;

  282.   }

  283. 

  284.   if (!EC_POINT_set_affine_coordinates_GFp(group, point.get(), x.get(), y.get(),

  285.                                            nullptr)) {

  286.     fprintf(stderr, "EC_POINT_set_affine_coordinates_GFp failed with nid %d\n",

  287.             nid);

  288.     ERR_print_errors_fp(stderr);

  289.     return false;

  290.   }

  291. 

  292.   // Subtract one from |y| to make the point no longer on the curve.

  293.   if (!BN_sub(y.get(), y.get(), BN_value_one())) {

  294.     return false;

  295.   }

  296. 

  297.   bssl::UniquePtr<EC_POINT> invalid_point(EC_POINT_new(group));

  298.   if (!invalid_point) {

  299.     return false;

  300.   }

  301. 

  302.   if (EC_POINT_set_affine_coordinates_GFp(group, invalid_point.get(), x.get(),

  303.                                           y.get(), nullptr)) {

  304.     fprintf(stderr,

  305.             "EC_POINT_set_affine_coordinates_GFp succeeded with invalid "

  306.             "coordinates with nid %d\n",

  307.             nid);

  308.     ERR_print_errors_fp(stderr);

  309.     return false;

  310.   }

  311. 

  312.   return true;

  313. }

  314. 

  315. static bool TestArbitraryCurve() {

  316.   // Make a P-256 key and extract the affine coordinates.

  317.   bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));

  318.   if (!key || !EC_KEY_generate_key(key.get())) {

  319.     return false;

  320.   }

  321. 

  322.   // Make an arbitrary curve which is identical to P-256.

  323.   static const uint8_t kP[] = {

  324.       0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,

  325.       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,

  326.       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,

  327.   };

  328.   static const uint8_t kA[] = {

  329.       0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,

  330.       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,

  331.       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc,

  332.   };

  333.   static const uint8_t kB[] = {

  334.       0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb, 0xbd,

  335.       0x55, 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53,

  336.       0xb0, 0xf6, 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b,

  337.   };

  338.   static const uint8_t kX[] = {

  339.       0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6,

  340.       0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb,

  341.       0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96,

  342.   };

  343.   static const uint8_t kY[] = {

  344.       0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb,

  345.       0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31,

  346.       0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,

  347.   };

  348.   static const uint8_t kOrder[] = {

  349.       0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,

  350.       0xff, 0xff, 0xff, 0xff, 0xff, 0xbc, 0xe6, 0xfa, 0xad, 0xa7, 0x17,

  351.       0x9e, 0x84, 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x51,

  352.   };

  353.   bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());

  354.   bssl::UniquePtr<BIGNUM> p(BN_bin2bn(kP, sizeof(kP), nullptr));

  355.   bssl::UniquePtr<BIGNUM> a(BN_bin2bn(kA, sizeof(kA), nullptr));

  356.   bssl::UniquePtr<BIGNUM> b(BN_bin2bn(kB, sizeof(kB), nullptr));

  357.   bssl::UniquePtr<BIGNUM> gx(BN_bin2bn(kX, sizeof(kX), nullptr));

  358.   bssl::UniquePtr<BIGNUM> gy(BN_bin2bn(kY, sizeof(kY), nullptr));

  359.   bssl::UniquePtr<BIGNUM> order(BN_bin2bn(kOrder, sizeof(kOrder), nullptr));

  360.   bssl::UniquePtr<BIGNUM> cofactor(BN_new());

  361.   if (!ctx || !p || !a || !b || !gx || !gy || !order || !cofactor ||

  362.       !BN_set_word(cofactor.get(), 1)) {

  363.     return false;

  364.   }

  365. 

  366.   bssl::UniquePtr<EC_GROUP> group(

  367.       EC_GROUP_new_curve_GFp(p.get(), a.get(), b.get(), ctx.get()));

  368.   if (!group) {

  369.     return false;

  370.   }

  371.   bssl::UniquePtr<EC_POINT> generator(EC_POINT_new(group.get()));

  372.   if (!generator ||

  373.       !EC_POINT_set_affine_coordinates_GFp(group.get(), generator.get(),

  374.                                            gx.get(), gy.get(), ctx.get()) ||

  375.       !EC_GROUP_set_generator(group.get(), generator.get(), order.get(),

  376.                               cofactor.get())) {

  377.     return false;

  378.   }

  379. 

  380.   // |group| should not have a curve name.

  381.   if (EC_GROUP_get_curve_name(group.get()) != NID_undef) {

  382.     return false;

  383.   }

  384. 

  385.   // Copy |key| to |key2| using |group|.

  386.   bssl::UniquePtr<EC_KEY> key2(EC_KEY_new());

  387.   bssl::UniquePtr<EC_POINT> point(EC_POINT_new(group.get()));

  388.   bssl::UniquePtr<BIGNUM> x(BN_new()), y(BN_new());

  389.   if (!key2 || !point || !x || !y ||

  390.       !EC_KEY_set_group(key2.get(), group.get()) ||

  391.       !EC_KEY_set_private_key(key2.get(), EC_KEY_get0_private_key(key.get())) ||

  392.       !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(key.get()),

  393.                                            EC_KEY_get0_public_key(key.get()),

  394.                                            x.get(), y.get(), nullptr) ||

  395.       !EC_POINT_set_affine_coordinates_GFp(group.get(), point.get(), x.get(),

  396.                                            y.get(), nullptr) ||

  397.       !EC_KEY_set_public_key(key2.get(), point.get())) {

  398.     fprintf(stderr, "Could not copy key.\n");

  399.     return false;

  400.   }

  401. 

  402.   // The key must be valid according to the new group too.

  403.   if (!EC_KEY_check_key(key2.get())) {

  404.     fprintf(stderr, "Copied key is not valid.\n");

  405.     return false;

  406.   }

  407. 

  408.   return true;

  409. }

  410. 

  411. static bool TestAddingEqualPoints(int nid) {

  412.   bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(nid));

  413.   if (!key) {

  414.     return false;

  415.   }

  416. 

  417.   const EC_GROUP *const group = EC_KEY_get0_group(key.get());

  418. 

  419.   if (!EC_KEY_generate_key(key.get())) {

  420.     fprintf(stderr, "EC_KEY_generate_key failed with nid %d\n", nid);

  421.     ERR_print_errors_fp(stderr);

  422.     return false;

  423.   }

  424. 

  425.   bssl::UniquePtr<EC_POINT> p1(EC_POINT_new(group));

  426.   bssl::UniquePtr<EC_POINT> p2(EC_POINT_new(group));

  427.   bssl::UniquePtr<EC_POINT> double_p1(EC_POINT_new(group));

  428.   bssl::UniquePtr<EC_POINT> p1_plus_p2(EC_POINT_new(group));

  429.   if (!p1 || !p2 || !double_p1 || !p1_plus_p2) {

  430.     return false;

  431.   }

  432. 

  433.   if (!EC_POINT_copy(p1.get(), EC_KEY_get0_public_key(key.get())) ||

  434.       !EC_POINT_copy(p2.get(), EC_KEY_get0_public_key(key.get()))) {

  435.     fprintf(stderr, "EC_POINT_COPY failed with nid %d\n", nid);

  436.     ERR_print_errors_fp(stderr);

  437.     return false;

  438.   }

  439. 

  440.   bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());

  441.   if (!ctx) {

  442.     return false;

  443.   }

  444. 

  445.   if (!EC_POINT_dbl(group, double_p1.get(), p1.get(), ctx.get()) ||

  446.       !EC_POINT_add(group, p1_plus_p2.get(), p1.get(), p2.get(), ctx.get())) {

  447.     fprintf(stderr, "Point operation failed with nid %d\n", nid);

  448.     ERR_print_errors_fp(stderr);

  449.     return false;

  450.   }

  451. 

  452.   if (EC_POINT_cmp(group, double_p1.get(), p1_plus_p2.get(), ctx.get()) != 0) {

  453.     fprintf(stderr, "A+A != 2A for nid %d", nid);

  454.     return false;

  455.   }

  456. 

  457.   return true;

  458. }

  459. 

  460. static bool TestMulZero(int nid) {

  461.   bssl::UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(nid));

  462.   if (!group) {

  463.     return false;

  464.   }

  465. 

  466.   bssl::UniquePtr<EC_POINT> point(EC_POINT_new(group.get()));

  467.   bssl::UniquePtr<BIGNUM> zero(BN_new());

  468.   if (!point || !zero) {

  469.     return false;

  470.   }

  471. 

  472.   BN_zero(zero.get());

  473.   if (!EC_POINT_mul(group.get(), point.get(), zero.get(), nullptr, nullptr,

  474.                     nullptr)) {

  475.     return false;

  476.   }

  477. 

  478.   if (!EC_POINT_is_at_infinity(group.get(), point.get())) {

  479.     fprintf(stderr, "g * 0 did not return point at infinity.\n");

  480.     return false;

  481.   }

  482. 

  483.   // Test that zero times an arbitrary point is also infinity. The generator is

  484.   // used as the arbitrary point.

  485.   bssl::UniquePtr<EC_POINT> generator(EC_POINT_new(group.get()));

  486.   bssl::UniquePtr<BIGNUM> one(BN_new());

  487.   if (!generator ||

  488.       !one ||

  489.       !BN_one(one.get()) ||

  490.       !EC_POINT_mul(group.get(), generator.get(), one.get(), nullptr, nullptr,

  491.                     nullptr) ||

  492.       !EC_POINT_mul(group.get(), point.get(), nullptr, generator.get(),

  493.                     zero.get(), nullptr)) {

  494.     return false;

  495.   }

  496. 

  497.   if (!EC_POINT_is_at_infinity(group.get(), point.get())) {

  498.     fprintf(stderr, "p * 0 did not return point at infinity.\n");

  499.     return false;

  500.   }

  501. 

  502.   return true;

  503. }

  504. 

  505. static bool ForEachCurve(bool (*test_func)(int nid)) {

  506.   const size_t num_curves = EC_get_builtin_curves(nullptr, 0);

  507.   std::vector<EC_builtin_curve> curves(num_curves);

  508.   EC_get_builtin_curves(curves.data(), num_curves);

  509. 

  510.   for (const auto& curve : curves) {

  511.     if (!test_func(curve.nid)) {

  512.       fprintf(stderr, "Test failed for %s\n", curve.comment);

  513.       return false;

  514.     }

  515.   }

  516. 

  517.   return true;

  518. }

  519. 

  520. int main() {

  521.   CRYPTO_library_init();

  522. 

  523.   if (!Testd2i_ECPrivateKey() ||

  524.       !TestZeroPadding() ||

  525.       !TestSpecifiedCurve() ||

  526.       !ForEachCurve(TestSetAffine) ||

  527.       !ForEachCurve(TestAddingEqualPoints) ||

  528.       !ForEachCurve(TestMulZero) ||

  529.       !TestArbitraryCurve()) {

  530.     fprintf(stderr, "failed\n");

  531.     return 1;

  532.   }

  533. 

  534.   printf("PASS\n");

  535.   return 0;

  536. }