{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1749527083, "reponame":"openssl", "desc":"OpenSSL", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl", "f":3, "items": [ {"schema":"libjg2-1", "cid":"e984410f26f338ce5de3738e69f082be", "commit": {"type":"commit", "time": 1568027778, "time_ofs": 180, "oid_tree": { "oid": "a86fb1472781349848f3ee60940e3cecbdfa6973", "alias": []}, "oid":{ "oid": "9a43a733801bd788848c9a8374305bcaed555019", "alias": []}, "msg": "[ec] Match built-in curves on EC_GROUP_new_from_ecparameters", "sig_commit": { "git_time": { "time": 1568027778, "offset": 180 }, "name": "Nicola Tuveri", "email": "nic.tuv@gmail.com", "md5": "0f1463251f0d945ac93a8ec7bae99db5" }, "sig_author": { "git_time": { "time": 1567868731, "offset": 180 }, "name": "Nicola Tuveri", "email": "nic.tuv@gmail.com", "md5": "0f1463251f0d945ac93a8ec7bae99db5" }}, "body": "[ec] Match built-in curves on EC_GROUP_new_from_ecparameters\n\nDescription\n-----------\n\nUpon `EC_GROUP_new_from_ecparameters()` check if the parameters match any\nof the built-in curves. 
If that is the case, return a new\n`EC_GROUP_new_by_curve_name()` object instead of the explicit parameters\n`EC_GROUP`.\n\nThis affects all users of `EC_GROUP_new_from_ecparameters()`:\n- direct calls to `EC_GROUP_new_from_ecparameters()`\n- direct calls to `EC_GROUP_new_from_ecpkparameters()` with an explicit\n parameters argument\n- ASN.1 parsing of explicit parameters keys (as it eventually\n ends up calling `EC_GROUP_new_from_ecpkparameters()`)\n\nA parsed explicit parameter key will still be marked with the\n`OPENSSL_EC_EXPLICIT_CURVE` ASN.1 flag on load, so, unless\nprogrammatically forced otherwise, if the key is eventually serialized\nthe output will still be encoded with explicit parameters, even if\ninternally it is treated as a named curve `EC_GROUP`.\n\nBefore this change, creating any `EC_GROUP` object using\n`EC_GROUP_new_from_ecparameters()`, yielded an object associated with\nthe default generic `EC_METHOD`, but this was never guaranteed in the\ndocumentation.\nAfter this commit, users of the library that intentionally want to\ncreate an `EC_GROUP` object using a specific `EC_METHOD` can still\nexplicitly call `EC_GROUP_new(foo_method)` and then manually set the\ncurve parameters using `EC_GROUP_set_*()`.\n\nMotivation\n----------\n\nThis has obvious performance benefits for the built-in curves with\nspecialized `EC_METHOD`s and subtle but important security benefits:\n- the specialized methods have better security hardening than the\n generic implementations\n- optional fields in the parameter encoding, like the `cofactor`, cannot\n be leveraged by an attacker to force execution of the less secure\n code-paths for single point scalar multiplication\n- in general, this leads to reducing the attack surface\n\nCheck the manuscript at https://arxiv.org/abs/1909.01785 for an in depth\nanalysis of the issues related to this commit.\n\nIt should be noted that `libssl` does not allow to negotiate explicit\nparameters (as per RFC 8422), so it is not 
directly affected by the\nconsequences of using explicit parameters that this commit fixes.\nOn the other hand, we detected external applications and users in the\nwild that use explicit parameters by default (and sometimes using 0 as\nthe cofactor value, which is technically not a valid value per the\nspecification, but is tolerated by parsers for wider compatibility given\nthat the field is optional).\nThese external users of `libcrypto` are exposed to these vulnerabilities\nand their security will benefit from this commit.\n\nRelated commits\n---------------\n\nWhile this commit is beneficial for users using built-in curves and\nexplicit parameters encoding for serialized keys, commit\nb783beeadf6b80bc431e6f3230b5d5585c87ef87 (and its equivalents for the\n1.0.2, 1.1.0 and 1.1.1 stable branches) fixes the consequences of the\ninvalid cofactor values more in general also for other curves\n(CVE-2019-1547).\n\nThe following list covers commits in `master` that are related to the\nvulnerabilities presented in the manuscript motivating this commit:\n\n- d2baf88c43 [crypto/rsa] Set the constant-time flag in multi-prime RSA too\n- 311e903d84 [crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.\n- b783beeadf [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it\n- 724339ff44 Fix SCA vulnerability when using PVK and MSBLOB key formats\n\nNote that the PRs that contributed the listed commits also include other\ncommits providing related testing and documentation, in addition to\nlinks to PRs and commits backporting the fixes to the 1.0.2, 1.1.0 and\n1.1.1 branches.\n\nThis commit includes a partial backport of\nhttps://github.com/openssl/openssl/pull/8555\n(commit 8402cd5f75f8c2f60d8bd39775b24b03dd8b3b38)\nfor which the main author is Shane Lontis.\n\nResponsible Disclosure\n----------------------\n\nThis and the other issues presented in https://arxiv.org/abs/1909.01785\nwere reported by Cesar Pereida García, Sohaib ul Hassan, Nicola 
Tuveri,\nIaroslav Gridin, Alejandro Cabrera Aldaya and Billy Bob Brumley from the\nNISEC group at Tampere University, FINLAND.\n\nThe OpenSSL Security Team evaluated the security risk for this\nvulnerability as low, and encouraged to propose fixes using public Pull\nRequests.\n\n_______________________________________________________________________________\n\nCo-authored-by: Shane Lontis \u003cshane.lontis@oracle.com\u003e\n\n(Backport from https://github.com/openssl/openssl/pull/9808)\n\nReviewed-by: Matt Caswell \u003cmatt@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/9809)\n" , "diff": "diff --git a/CHANGES b/CHANGES\nindex 1c87160..f422f50 100644\n--- a/CHANGES\n+++ b/CHANGES\n@@ -9,6 +9,17 @@\n \n Changes between 1.1.1c and 1.1.1d [xx XXX xxxx]\n \n+ *) For built-in EC curves, ensure an EC_GROUP built from the curve name is\n+ used even when parsing explicit parameters, when loading a serialized key\n+ or calling `EC_GROUP_new_from_ecpkparameters()`/\n+ `EC_GROUP_new_from_ecparameters()`.\n+ This prevents bypass of security hardening and performance gains,\n+ especially for curves with specialized EC_METHODs.\n+ By default, if a key encoded with explicit parameters is loaded and later\n+ serialized, the output is still encoded with explicit parameters, even if\n+ internally a \u0022named\u0022 EC_GROUP is used for computation.\n+ [Nicola Tuveri]\n+\n *) Compute ECC cofactors if not provided during EC_GROUP construction. Before\n this change, EC_GROUP_set_generator would accept order and/or cofactor as\n NULL. After this change, only the cofactor parameter can be NULL. 
It also\ndiff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c\nindex 13c56a6..8d8dc95 100644\n--- a/crypto/ec/ec_asn1.c\n+++ b/crypto/ec/ec_asn1.c\n@@ -568,10 +568,12 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,\n EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)\n {\n int ok \u003d 0, tmp;\n- EC_GROUP *ret \u003d NULL;\n+ EC_GROUP *ret \u003d NULL, *dup \u003d NULL;\n BIGNUM *p \u003d NULL, *a \u003d NULL, *b \u003d NULL;\n EC_POINT *point \u003d NULL;\n long field_bits;\n+ int curve_name \u003d NID_undef;\n+ BN_CTX *ctx \u003d NULL;\n \n if (!params-\u003efieldID || !params-\u003efieldID-\u003efieldType ||\n !params-\u003efieldID-\u003ep.ptr) {\n@@ -789,18 +791,79 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)\n goto err;\n }\n \n+ /*\n+ * Check if the explicit parameters group just created matches one of the\n+ * built-in curves.\n+ *\n+ * We create a copy of the group just built, so that we can remove optional\n+ * fields for the lookup: we do this to avoid the possibility that one of\n+ * the optional parameters is used to force the library into using a less\n+ * performant and less secure EC_METHOD instead of the specialized one.\n+ * In any case, `seed` is not really used in any computation, while a\n+ * cofactor different from the one in the built-in table is just\n+ * mathematically wrong anyway and should not be used.\n+ */\n+ if ((ctx \u003d BN_CTX_new()) \u003d\u003d NULL) {\n+ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_BN_LIB);\n+ goto err;\n+ }\n+ if ((dup \u003d EC_GROUP_dup(ret)) \u003d\u003d NULL\n+ || EC_GROUP_set_seed(dup, NULL, 0) !\u003d 1\n+ || !EC_GROUP_set_generator(dup, point, a, NULL)) {\n+ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);\n+ goto err;\n+ }\n+ if ((curve_name \u003d ec_curve_nid_from_params(dup, ctx)) !\u003d NID_undef) {\n+ /*\n+ * The input explicit parameters successfully matched one of the\n+ * built-in curves: often for built-in 
curves we have specialized\n+ * methods with better performance and hardening.\n+ *\n+ * In this case we replace the `EC_GROUP` created through explicit\n+ * parameters with one created from a named group.\n+ */\n+ EC_GROUP *named_group \u003d NULL;\n+\n+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128\n+ /*\n+ * NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for\n+ * the same curve, we prefer the SECP nid when matching explicit\n+ * parameters as that is associated with a specialized EC_METHOD.\n+ */\n+ if (curve_name \u003d\u003d NID_wap_wsg_idm_ecid_wtls12)\n+ curve_name \u003d NID_secp224r1;\n+#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */\n+\n+ if ((named_group \u003d EC_GROUP_new_by_curve_name(curve_name)) \u003d\u003d NULL) {\n+ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);\n+ goto err;\n+ }\n+ EC_GROUP_free(ret);\n+ ret \u003d named_group;\n+\n+ /*\n+ * Set the flag so that EC_GROUPs created from explicit parameters are\n+ * serialized using explicit parameters by default.\n+ */\n+ EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);\n+ }\n+\n ok \u003d 1;\n \n err:\n if (!ok) {\n- EC_GROUP_clear_free(ret);\n+ EC_GROUP_free(ret);\n ret \u003d NULL;\n }\n+ EC_GROUP_free(dup);\n \n BN_free(p);\n BN_free(a);\n BN_free(b);\n EC_POINT_free(point);\n+\n+ BN_CTX_free(ctx);\n+\n return ret;\n }\n \n@@ -861,7 +924,7 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)\n }\n \n if (a) {\n- EC_GROUP_clear_free(*a);\n+ EC_GROUP_free(*a);\n *a \u003d group;\n }\n \n@@ -909,7 +972,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)\n ret \u003d *a;\n \n if (priv_key-\u003eparameters) {\n- EC_GROUP_clear_free(ret-\u003egroup);\n+ EC_GROUP_free(ret-\u003egroup);\n ret-\u003egroup \u003d EC_GROUP_new_from_ecpkparameters(priv_key-\u003eparameters);\n }\n \ndiff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c\nindex bb1ce19..07acf26 100644\n--- a/crypto/ec/ec_curve.c\n+++ 
b/crypto/ec/ec_curve.c\n@@ -3197,3 +3197,115 @@ int EC_curve_nist2nid(const char *name)\n }\n return NID_undef;\n }\n+\n+#define NUM_BN_FIELDS 6\n+/*\n+ * Validates EC domain parameter data for known named curves.\n+ * This can be used when a curve is loaded explicitly (without a curve\n+ * name) or to validate that domain parameters have not been modified.\n+ *\n+ * Returns: The nid associated with the found named curve, or NID_undef\n+ * if not found. If there was an error it returns -1.\n+ */\n+int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)\n+{\n+ int ret \u003d -1, nid, len, field_type, param_len;\n+ size_t i, seed_len;\n+ const unsigned char *seed, *params_seed, *params;\n+ unsigned char *param_bytes \u003d NULL;\n+ const EC_CURVE_DATA *data;\n+ const EC_POINT *generator \u003d NULL;\n+ const EC_METHOD *meth;\n+ const BIGNUM *cofactor \u003d NULL;\n+ /* An array of BIGNUMs for (p, a, b, x, y, order) */\n+ BIGNUM *bn[NUM_BN_FIELDS] \u003d {NULL, NULL, NULL, NULL, NULL, NULL};\n+\n+ meth \u003d EC_GROUP_method_of(group);\n+ if (meth \u003d\u003d NULL)\n+ return -1;\n+ /* Use the optional named curve nid as a search field */\n+ nid \u003d EC_GROUP_get_curve_name(group);\n+ field_type \u003d EC_METHOD_get_field_type(meth);\n+ seed_len \u003d EC_GROUP_get_seed_len(group);\n+ seed \u003d EC_GROUP_get0_seed(group);\n+ cofactor \u003d EC_GROUP_get0_cofactor(group);\n+\n+ BN_CTX_start(ctx);\n+\n+ /*\n+ * The built-in curves contains data fields (p, a, b, x, y, order) that are\n+ * all zero-padded to be the same size. 
The size of the padding is\n+ * determined by either the number of bytes in the field modulus (p) or the\n+ * EC group order, whichever is larger.\n+ */\n+ param_len \u003d BN_num_bytes(group-\u003eorder);\n+ len \u003d BN_num_bytes(group-\u003efield);\n+ if (len \u003e param_len)\n+ param_len \u003d len;\n+\n+ /* Allocate space to store the padded data for (p, a, b, x, y, order) */\n+ param_bytes \u003d OPENSSL_malloc(param_len * NUM_BN_FIELDS);\n+ if (param_bytes \u003d\u003d NULL)\n+ goto end;\n+\n+ /* Create the bignums */\n+ for (i \u003d 0; i \u003c NUM_BN_FIELDS; ++i) {\n+ if ((bn[i] \u003d BN_CTX_get(ctx)) \u003d\u003d NULL)\n+ goto end;\n+ }\n+ /*\n+ * Fill in the bn array with the same values as the internal curves\n+ * i.e. the values are p, a, b, x, y, order.\n+ */\n+ /* Get p, a \u0026 b */\n+ if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)\n+ \u0026\u0026 ((generator \u003d EC_GROUP_get0_generator(group)) !\u003d NULL)\n+ /* Get x \u0026 y */\n+ \u0026\u0026 EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)\n+ /* Get order */\n+ \u0026\u0026 EC_GROUP_get_order(group, bn[5], ctx)))\n+ goto end;\n+\n+ /*\n+ * Convert the bignum array to bytes that are joined together to form\n+ * a single buffer that contains data for all fields.\n+ * (p, a, b, x, y, order) are all zero padded to be the same size.\n+ */\n+ for (i \u003d 0; i \u003c NUM_BN_FIELDS; ++i) {\n+ if (BN_bn2binpad(bn[i], \u0026param_bytes[i*param_len], param_len) \u003c\u003d 0)\n+ goto end;\n+ }\n+\n+ for (i \u003d 0; i \u003c curve_list_length; i++) {\n+ const ec_list_element curve \u003d curve_list[i];\n+\n+ data \u003d curve.data;\n+ /* Get the raw order byte data */\n+ params_seed \u003d (const unsigned char *)(data + 1); /* skip header */\n+ params \u003d params_seed + data-\u003eseed_len;\n+\n+ /* Look for unique fields in the fixed curve data */\n+ if (data-\u003efield_type \u003d\u003d field_type\n+ \u0026\u0026 param_len \u003d\u003d 
data-\u003eparam_len\n+ \u0026\u0026 (nid \u003c\u003d 0 || nid \u003d\u003d curve.nid)\n+ /* check the optional cofactor (ignore if its zero) */\n+ \u0026\u0026 (BN_is_zero(cofactor)\n+ || BN_is_word(cofactor, (const BN_ULONG)curve.data-\u003ecofactor))\n+ /* Check the optional seed (ignore if its not set) */\n+ \u0026\u0026 (data-\u003eseed_len \u003d\u003d 0 || seed_len \u003d\u003d 0\n+ || ((size_t)data-\u003eseed_len \u003d\u003d seed_len\n+ \u0026\u0026 memcmp(params_seed, seed, seed_len) \u003d\u003d 0))\n+ /* Check that the groups params match the built-in curve params */\n+ \u0026\u0026 memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)\n+ \u003d\u003d 0) {\n+ ret \u003d curve.nid;\n+ goto end;\n+ }\n+ }\n+ /* Gets here if the group was not found */\n+ ret \u003d NID_undef;\n+end:\n+ OPENSSL_free(param_bytes);\n+ BN_CTX_end(ctx);\n+ return ret;\n+}\ndiff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h\nindex e4189d7..fbdb04e 100644\n--- a/crypto/ec/ec_lcl.h\n+++ b/crypto/ec/ec_lcl.h\n@@ -595,6 +595,8 @@ int ec_key_simple_generate_key(EC_KEY *eckey);\n int ec_key_simple_generate_public_key(EC_KEY *eckey);\n int ec_key_simple_check_key(const EC_KEY *eckey);\n \n+int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx);\n+\n /* EC_METHOD definitions */\n \n struct ec_key_method_st {\ndiff --git a/test/ectest.c b/test/ectest.c\nindex ddc4ea1..ebd831c 100644\n--- a/test/ectest.c\n+++ b/test/ectest.c\n@@ -1519,6 +1519,271 @@ static const unsigned char p521_explicit[] \u003d {\n 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,\n };\n \n+/*\n+ * Sometime we cannot compare nids for equality, as the built-in curve table\n+ * includes aliases with different names for the same curve.\n+ *\n+ * This function returns TRUE (1) if the checked nids are identical, or if they\n+ * alias to the same curve. 
FALSE (0) otherwise.\n+ */\n+static ossl_inline\n+int are_ec_nids_compatible(int n1d, int n2d)\n+{\n+ int ret \u003d 0;\n+ switch (n1d) {\n+# ifndef OPENSSL_NO_EC2M\n+ case NID_sect113r1:\n+ case NID_wap_wsg_idm_ecid_wtls4:\n+ ret \u003d (n2d \u003d\u003d NID_sect113r1 || n2d \u003d\u003d NID_wap_wsg_idm_ecid_wtls4);\n+ break;\n+ case NID_sect163k1:\n+ case NID_wap_wsg_idm_ecid_wtls3:\n+ ret \u003d (n2d \u003d\u003d NID_sect163k1 || n2d \u003d\u003d NID_wap_wsg_idm_ecid_wtls3);\n+ break;\n+ case NID_sect233k1:\n+ case NID_wap_wsg_idm_ecid_wtls10:\n+ ret \u003d (n2d \u003d\u003d NID_sect233k1 || n2d \u003d\u003d NID_wap_wsg_idm_ecid_wtls10);\n+ break;\n+ case NID_sect233r1:\n+ case NID_wap_wsg_idm_ecid_wtls11:\n+ ret \u003d (n2d \u003d\u003d NID_sect233r1 || n2d \u003d\u003d NID_wap_wsg_idm_ecid_wtls11);\n+ break;\n+ case NID_X9_62_c2pnb163v1:\n+ case NID_wap_wsg_idm_ecid_wtls5:\n+ ret \u003d (n2d \u003d\u003d NID_X9_62_c2pnb163v1\n+ || n2d \u003d\u003d NID_wap_wsg_idm_ecid_wtls5);\n+ break;\n+# endif /* OPENSSL_NO_EC2M */\n+ case NID_secp112r1:\n+ case NID_wap_wsg_idm_ecid_wtls6:\n+ ret \u003d (n2d \u003d\u003d NID_secp112r1 || n2d \u003d\u003d NID_wap_wsg_idm_ecid_wtls6);\n+ break;\n+ case NID_secp160r2:\n+ case NID_wap_wsg_idm_ecid_wtls7:\n+ ret \u003d (n2d \u003d\u003d NID_secp160r2 || n2d \u003d\u003d NID_wap_wsg_idm_ecid_wtls7);\n+ break;\n+# ifdef OPENSSL_NO_EC_NISTP_64_GCC_128\n+ case NID_secp224r1:\n+ case NID_wap_wsg_idm_ecid_wtls12:\n+ ret \u003d (n2d \u003d\u003d NID_secp224r1 || n2d \u003d\u003d NID_wap_wsg_idm_ecid_wtls12);\n+ break;\n+# else\n+ /*\n+ * For SEC P-224 we want to ensure that the SECP nid is returned, as\n+ * that is associated with a specialized method.\n+ */\n+ case NID_wap_wsg_idm_ecid_wtls12:\n+ ret \u003d (n2d \u003d\u003d NID_secp224r1);\n+ break;\n+# endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */\n+\n+ default:\n+ ret \u003d (n1d \u003d\u003d n2d);\n+ }\n+ return ret;\n+}\n+\n+/*\n+ * This checks that 
EC_GROUP_bew_from_ecparameters() returns a \u0022named\u0022\n+ * EC_GROUP for built-in curves.\n+ *\n+ * Note that it is possible to retrieve an alternative alias that does not match\n+ * the original nid.\n+ *\n+ * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.\n+ */\n+static int check_named_curve_from_ecparameters(int id)\n+{\n+ int ret \u003d 0, nid, tnid;\n+ EC_GROUP *group \u003d NULL, *tgroup \u003d NULL, *tmpg \u003d NULL;\n+ const EC_POINT *group_gen \u003d NULL;\n+ EC_POINT *other_gen \u003d NULL;\n+ BIGNUM *group_cofactor \u003d NULL, *other_cofactor \u003d NULL;\n+ BIGNUM *other_gen_x \u003d NULL, *other_gen_y \u003d NULL;\n+ const BIGNUM *group_order \u003d NULL;\n+ BIGNUM *other_order \u003d NULL;\n+ BN_CTX *bn_ctx \u003d NULL;\n+ static const unsigned char invalid_seed[] \u003d \u0022THIS IS NOT A VALID SEED\u0022;\n+ static size_t invalid_seed_len \u003d sizeof(invalid_seed);\n+ ECPARAMETERS *params \u003d NULL, *other_params \u003d NULL;\n+ EC_GROUP *g_ary[8] \u003d {NULL};\n+ EC_GROUP **g_next \u003d \u0026g_ary[0];\n+ ECPARAMETERS *p_ary[8] \u003d {NULL};\n+ ECPARAMETERS **p_next \u003d \u0026p_ary[0];\n+\n+ /* Do some setup */\n+ nid \u003d curves[id].nid;\n+ TEST_note(\u0022Curve %s\u0022, OBJ_nid2sn(nid));\n+ if (!TEST_ptr(bn_ctx \u003d BN_CTX_new()))\n+ return ret;\n+ BN_CTX_start(bn_ctx);\n+\n+ if (/* Allocations */\n+ !TEST_ptr(group_cofactor \u003d BN_CTX_get(bn_ctx))\n+ || !TEST_ptr(other_gen_x \u003d BN_CTX_get(bn_ctx))\n+ || !TEST_ptr(other_gen_y \u003d BN_CTX_get(bn_ctx))\n+ || !TEST_ptr(other_order \u003d BN_CTX_get(bn_ctx))\n+ || !TEST_ptr(other_cofactor \u003d BN_CTX_get(bn_ctx))\n+ /* Generate reference group and params */\n+ || !TEST_ptr(group \u003d EC_GROUP_new_by_curve_name(nid))\n+ || !TEST_ptr(params \u003d EC_GROUP_get_ecparameters(group, NULL))\n+ || !TEST_ptr(group_gen \u003d EC_GROUP_get0_generator(group))\n+ || !TEST_ptr(group_order \u003d EC_GROUP_get0_order(group))\n+ || 
!TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))\n+ /* compute `other_*` values */\n+ || !TEST_ptr(tmpg \u003d EC_GROUP_dup(group))\n+ || !TEST_ptr(other_gen \u003d EC_POINT_dup(group_gen, group))\n+ || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))\n+ || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,\n+ other_gen_x, other_gen_y, bn_ctx))\n+ || !TEST_true(BN_copy(other_order, group_order))\n+ || !TEST_true(BN_add_word(other_order, 1))\n+ || !TEST_true(BN_copy(other_cofactor, group_cofactor))\n+ || !TEST_true(BN_add_word(other_cofactor, 1)))\n+ goto err;\n+\n+ EC_POINT_free(other_gen);\n+ other_gen \u003d NULL;\n+\n+ if (!TEST_ptr(other_gen \u003d EC_POINT_new(tmpg))\n+ || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,\n+ other_gen_x, other_gen_y,\n+ bn_ctx)))\n+ goto err;\n+\n+ /*\n+ * ###########################\n+ * # Actual tests start here #\n+ * ###########################\n+ */\n+\n+ /*\n+ * Creating a group from built-in explicit parameters returns a\n+ * \u0022named\u0022 EC_GROUP\n+ */\n+ if (!TEST_ptr(tgroup \u003d *g_next++ \u003d EC_GROUP_new_from_ecparameters(params))\n+ || !TEST_int_ne((tnid \u003d EC_GROUP_get_curve_name(tgroup)), NID_undef))\n+ goto err;\n+ /*\n+ * We cannot always guarantee the names match, as the built-in table\n+ * contains aliases for the same curve with different names.\n+ */\n+ if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {\n+ TEST_info(\u0022nid \u003d %s, tnid \u003d %s\u0022, OBJ_nid2sn(nid), OBJ_nid2sn(tnid));\n+ goto err;\n+ }\n+ /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. 
*/\n+ if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))\n+ goto err;\n+\n+ /*\n+ * An invalid seed in the parameters should be ignored: expect a \u0022named\u0022\n+ * group.\n+ */\n+ if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),\n+ invalid_seed_len)\n+ || !TEST_ptr(other_params \u003d *p_next++ \u003d\n+ EC_GROUP_get_ecparameters(tmpg, NULL))\n+ || !TEST_ptr(tgroup \u003d *g_next++ \u003d\n+ EC_GROUP_new_from_ecparameters(other_params))\n+ || !TEST_int_ne((tnid \u003d EC_GROUP_get_curve_name(tgroup)), NID_undef)\n+ || !TEST_true(are_ec_nids_compatible(nid, tnid))\n+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),\n+ OPENSSL_EC_EXPLICIT_CURVE)) {\n+ TEST_info(\u0022nid \u003d %s, tnid \u003d %s\u0022, OBJ_nid2sn(nid), OBJ_nid2sn(tnid));\n+ goto err;\n+ }\n+\n+ /*\n+ * A null seed in the parameters should be ignored, as it is optional:\n+ * expect a \u0022named\u0022 group.\n+ */\n+ if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)\n+ || !TEST_ptr(other_params \u003d *p_next++ \u003d\n+ EC_GROUP_get_ecparameters(tmpg, NULL))\n+ || !TEST_ptr(tgroup \u003d *g_next++ \u003d\n+ EC_GROUP_new_from_ecparameters(other_params))\n+ || !TEST_int_ne((tnid \u003d EC_GROUP_get_curve_name(tgroup)), NID_undef)\n+ || !TEST_true(are_ec_nids_compatible(nid, tnid))\n+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),\n+ OPENSSL_EC_EXPLICIT_CURVE)) {\n+ TEST_info(\u0022nid \u003d %s, tnid \u003d %s\u0022, OBJ_nid2sn(nid), OBJ_nid2sn(tnid));\n+ goto err;\n+ }\n+\n+ /*\n+ * Check that changing any of the generator parameters does not yield a\n+ * match with the built-in curves\n+ */\n+ if (/* Other gen, same group order \u0026 cofactor */\n+ !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,\n+ group_cofactor))\n+ || !TEST_ptr(other_params \u003d *p_next++ \u003d\n+ EC_GROUP_get_ecparameters(tmpg, NULL))\n+ || !TEST_ptr(tgroup \u003d *g_next++ \u003d\n+ EC_GROUP_new_from_ecparameters(other_params))\n+ || 
!TEST_int_eq((tnid \u003d EC_GROUP_get_curve_name(tgroup)), NID_undef)\n+ /* Same gen \u0026 cofactor, different order */\n+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,\n+ group_cofactor))\n+ || !TEST_ptr(other_params \u003d *p_next++ \u003d\n+ EC_GROUP_get_ecparameters(tmpg, NULL))\n+ || !TEST_ptr(tgroup \u003d *g_next++ \u003d\n+ EC_GROUP_new_from_ecparameters(other_params))\n+ || !TEST_int_eq((tnid \u003d EC_GROUP_get_curve_name(tgroup)), NID_undef)\n+ /* The order is not an optional field, so this should fail */\n+ || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,\n+ group_cofactor))\n+ /* Check that a wrong cofactor is ignored, and we still match */\n+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,\n+ other_cofactor))\n+ || !TEST_ptr(other_params \u003d *p_next++ \u003d\n+ EC_GROUP_get_ecparameters(tmpg, NULL))\n+ || !TEST_ptr(tgroup \u003d *g_next++ \u003d\n+ EC_GROUP_new_from_ecparameters(other_params))\n+ || !TEST_int_ne((tnid \u003d EC_GROUP_get_curve_name(tgroup)), NID_undef)\n+ || !TEST_true(are_ec_nids_compatible(nid, tnid))\n+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),\n+ OPENSSL_EC_EXPLICIT_CURVE)\n+ /* Check that if the cofactor is not set then it still matches */\n+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,\n+ NULL))\n+ || !TEST_ptr(other_params \u003d *p_next++ \u003d\n+ EC_GROUP_get_ecparameters(tmpg, NULL))\n+ || !TEST_ptr(tgroup \u003d *g_next++ \u003d\n+ EC_GROUP_new_from_ecparameters(other_params))\n+ || !TEST_int_ne((tnid \u003d EC_GROUP_get_curve_name(tgroup)), NID_undef)\n+ || !TEST_true(are_ec_nids_compatible(nid, tnid))\n+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),\n+ OPENSSL_EC_EXPLICIT_CURVE)\n+ /* check that restoring the generator passes */\n+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,\n+ group_cofactor))\n+ || !TEST_ptr(other_params \u003d *p_next++ \u003d\n+ EC_GROUP_get_ecparameters(tmpg, NULL))\n+ || !TEST_ptr(tgroup 
\u003d *g_next++ \u003d\n+ EC_GROUP_new_from_ecparameters(other_params))\n+ || !TEST_int_ne((tnid \u003d EC_GROUP_get_curve_name(tgroup)), NID_undef)\n+ || !TEST_true(are_ec_nids_compatible(nid, tnid))\n+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),\n+ OPENSSL_EC_EXPLICIT_CURVE))\n+ goto err;\n+\n+ ret \u003d 1;\n+err:\n+ for (g_next \u003d \u0026g_ary[0]; g_next \u003c g_ary + OSSL_NELEM(g_ary); g_next++)\n+ EC_GROUP_free(*g_next);\n+ for (p_next \u003d \u0026p_ary[0]; p_next \u003c p_ary + OSSL_NELEM(g_ary); p_next++)\n+ ECPARAMETERS_free(*p_next);\n+ ECPARAMETERS_free(params);\n+ EC_POINT_free(other_gen);\n+ EC_GROUP_free(tmpg);\n+ EC_GROUP_free(group);\n+ BN_CTX_end(bn_ctx);\n+ BN_CTX_free(bn_ctx);\n+ return ret;\n+}\n+\n static int parameter_test(void)\n {\n EC_GROUP *group \u003d NULL, *group2 \u003d NULL;\n@@ -1667,7 +1932,9 @@ int setup_tests(void)\n # endif\n ADD_ALL_TESTS(internal_curve_test, crv_len);\n ADD_ALL_TESTS(internal_curve_test_method, crv_len);\n-#endif\n+\n+ ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);\n+#endif /* OPENSSL_NO_EC */\n return 1;\n }\n \n","s":{"c":1749527083,"u": 61287}} ],"g": 63588,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}
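Review bot: In crypto/ec/ec_asn1.c, in the EC_GROUP_new_from_ecparameters() hunk at @@ -789, the return value of ec_curve_nid_from_params(dup, ctx) is compared only against NID_undef, while the new function is documented in ec_curve.c as returning -1 on error. A -1 therefore enters the "matched a built-in curve" branch and is passed to EC_GROUP_new_by_curve_name(), so the error case depends on that function rejecting a negative nid rather than being handled where it occurs. Suggest checking `curve_name < 0` first and jumping to err with its own ECerr() before the `!= NID_undef` test. A short comment on `EC_GROUP_set_generator(dup, point, a, NULL)` would also help, since `a` appears in the order position and the hunk does not show where it was reassigned.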
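Review bot: The replacements of EC_GROUP_clear_free() with EC_GROUP_free() in crypto/ec/ec_asn1.c (the err: path of EC_GROUP_new_from_ecparameters(), and the hunks at @@ -861 in d2i_ECPKParameters() and @@ -909 in d2i_ECPrivateKey()) are not mentioned in the commit message or in the CHANGES entry. Please add a sentence stating why the clearing variant is no longer wanted at these three sites, so the change does not read as incidental to the curve-matching work.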
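Review bot: In crypto/ec/ec_curve.c, ec_curve_nid_from_params() passes the pointer from EC_GROUP_get0_cofactor(group) straight to BN_is_zero() and BN_is_word() inside the curve_list loop with no NULL check. If every EC_GROUP reaching this function is guaranteed to carry a cofactor BIGNUM, state that invariant in a comment; otherwise guard the test with `cofactor == NULL ||`. Two smaller points in the same function: param_len and len are read from group->order and group->field directly while every other field goes through an accessor, and the comment "Get the raw order byte data" sits above lines that locate the seed and the parameter block, not the order.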
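Review bot: In test/ectest.c, the cleanup at the end of check_named_curve_from_ecparameters() bounds the walk over p_ary with the size of the other array: `for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)`. Both arrays are declared with 8 elements, so it is harmless today, but it should read OSSL_NELEM(p_ary). Related: the test body stores through `*g_next++` eight times, which exactly fills g_ary[8] with no bound check, so one more test case would write past the array; consider sizing both arrays from a named constant or checking the index before each store. The header comment also misspells the function under test as EC_GROUP_bew_from_ecparameters().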