NIST SP800-56A co-factor ECDH KATs

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

test/ecdhtest.c

@@ -432,8 +432,7 @@ static int ecdh_kat(BIO *out, const ecdh_kat_t *kat)
         goto err;
     if((Z = OPENSSL_zalloc(Ztmplen)) == NULL)
         goto err;
-    /* Z offset compensates for bn2bin stripping leading 0x00 bytes */
-    if(!BN_bn2bin(bnz, Z + Ztmplen - Zlen))
+    if(!BN_bn2binpad(bnz, Z, Ztmplen))
         goto err;
     if (!ECDH_compute_key(Ztmp, Ztmplen,
                           EC_KEY_get0_public_key(key2), key1, 0))
@@ -462,6 +461,105 @@ static int ecdh_kat(BIO *out, const ecdh_kat_t *kat)
     return rv;
 }
 
+#include "ecdhtest_cavs.h"
+
+static int ecdh_cavs_kat(BIO *out, const ecdh_cavs_kat_t *kat)
+{
+    int rv = 0, is_char_two = 0;
+    EC_KEY *key1 = NULL;
+    EC_POINT *pub = NULL;
+    const EC_GROUP *group = NULL;
+    BIGNUM *bnz = NULL, *x = NULL, *y = NULL;
+    unsigned char *Ztmp = NULL, *Z = NULL;
+    size_t Ztmplen, Zlen;
+    BIO_puts(out, "Testing ECC CDH Primitive SP800-56A with ");
+    BIO_puts(out, OBJ_nid2sn(kat->nid));
+
+    /* dIUT is IUT's private key */
+    if ((key1 = mk_eckey(kat->nid, kat->dIUT)) == NULL)
+        goto err;
+    /* these are cofactor ECDH KATs */
+    EC_KEY_set_flags(key1, EC_FLAG_COFACTOR_ECDH);
+
+    if ((group = EC_KEY_get0_group(key1)) == NULL)
+        goto err;
+    if ((pub = EC_POINT_new(group)) == NULL)
+        goto err;
+
+    if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_characteristic_two_field)
+        is_char_two = 1;
+
+    /* (QIUTx, QIUTy) is IUT's public key */
+    if(!BN_hex2bn(&x, kat->QIUTx))
+        goto err;
+    if(!BN_hex2bn(&y, kat->QIUTy))
+        goto err;
+    if (is_char_two) {
+#ifndef OPENSSL_NO_EC2M
+        if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL))
+#endif
+            goto err;
+    }
+    else {
+        if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL))
+            goto err;
+    }
+    /* dIUT * G = (QIUTx, QIUTy) should hold */
+    if (EC_POINT_cmp(group, EC_KEY_get0_public_key(key1), pub, NULL))
+        goto err;
+
+    /* (QCAVSx, QCAVSy) is CAVS's public key */
+    if(!BN_hex2bn(&x, kat->QCAVSx))
+        goto err;
+    if(!BN_hex2bn(&y, kat->QCAVSy))
+        goto err;
+    if (is_char_two) {
+#ifndef OPENSSL_NO_EC2M
+        if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL))
+#endif
+            goto err;
+    }
+    else {
+        if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL))
+            goto err;
+    }
+
+    /* ZIUT is the shared secret */
+    if(!BN_hex2bn(&bnz, kat->ZIUT))
+        goto err;
+    Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8;
+    Zlen = BN_num_bytes(bnz);
+    if (Zlen > Ztmplen)
+        goto err;
+    if((Ztmp = OPENSSL_zalloc(Ztmplen)) == NULL)
+        goto err;
+    if((Z = OPENSSL_zalloc(Ztmplen)) == NULL)
+        goto err;
+    if(!BN_bn2binpad(bnz, Z, Ztmplen))
+        goto err;
+    if (!ECDH_compute_key(Ztmp, Ztmplen, pub, key1, 0))
+        goto err;
+    /* shared secrets should be identical */
+    if (memcmp(Ztmp, Z, Ztmplen))
+        goto err;
+    rv = 1;
+ err:
+    EC_KEY_free(key1);
+    EC_POINT_free(pub);
+    BN_free(bnz);
+    BN_free(x);
+    BN_free(y);
+    OPENSSL_free(Ztmp);
+    OPENSSL_free(Z);
+    if (rv)
+        BIO_puts(out, " ok\n");
+    else {
+        fprintf(stderr, "Error in ECC CDH routines\n");
+        ERR_print_errors_fp(stderr);
+    }
+    return rv;
+}
+
 int main(int argc, char *argv[])
 {
     BN_CTX *ctx = NULL;
@@ -509,6 +607,12 @@ int main(int argc, char *argv[])
             goto err;
     }
 
+    /* NIST SP800-56A co-factor ECDH KATs */
+    for (n = 0; n < (sizeof(ecdh_cavs_kats)/sizeof(ecdh_cavs_kat_t)); n++) {
+        if (!ecdh_cavs_kat(out, &ecdh_cavs_kats[n]))
+            goto err;
+    }
+
     ret = 0;
 
  err: