xref: /openbsd/lib/libcrypto/man/EC_GROUP_copy.3 (revision 73471bf0)

.\" $OpenBSD: EC_GROUP_copy.3,v 1.12 2021/09/14 13:47:59 schwarze Exp $
.\" full merge up to: OpenSSL d900a015 Oct 8 14:40:42 2015 +0200
.\" selective merge up to: OpenSSL 24c23e1f Aug 22 10:51:25 2019 +0530
.\"
.\" This file was written by Matt Caswell <matt@openssl.org>,
.\" Dr. Stephen Henson <steve@openssl.org>,
.\" and Jayaram X Matta <jayaramx.matta@intel.com>.
.\" Copyright (c) 2013, 2015, 2019 The OpenSSL Project.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in
.\"    the documentation and/or other materials provided with the
.\"    distribution.
.\"
.\" 3. All advertising materials mentioning features or use of this
.\"    software must display the following acknowledgment:
.\"    "This product includes software developed by the OpenSSL Project
.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
.\"
.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
.\"    endorse or promote products derived from this software without
.\"    prior written permission. For written permission, please contact
.\"    openssl-core@openssl.org.
.\"
.\" 5. Products derived from this software may not be called "OpenSSL"
.\"    nor may "OpenSSL" appear in their names without prior written
.\"    permission of the OpenSSL Project.
.\"
.\" 6. Redistributions of any form whatsoever must retain the following
.\"    acknowledgment:
.\"    "This product includes software developed by the OpenSSL Project
.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: September 14 2021 $
.Dt EC_GROUP_COPY 3
.Os
.Sh NAME
.Nm EC_GROUP_copy ,
.Nm EC_GROUP_dup ,
.Nm EC_GROUP_method_of ,
.Nm EC_GROUP_set_generator ,
.Nm EC_GROUP_get0_generator ,
.Nm EC_GROUP_get_order ,
.Nm EC_GROUP_order_bits ,
.Nm EC_GROUP_get_cofactor ,
.Nm EC_GROUP_set_curve_name ,
.Nm EC_GROUP_get_curve_name ,
.Nm EC_GROUP_set_asn1_flag ,
.Nm EC_GROUP_get_asn1_flag ,
.Nm EC_GROUP_set_point_conversion_form ,
.Nm EC_GROUP_get_point_conversion_form ,
.Nm EC_GROUP_get0_seed ,
.Nm EC_GROUP_get_seed_len ,
.Nm EC_GROUP_set_seed ,
.Nm EC_GROUP_get_degree ,
.Nm EC_GROUP_check ,
.Nm EC_GROUP_check_discriminant ,
.Nm EC_GROUP_cmp ,
.Nm EC_GROUP_get_basis_type ,
.Nm EC_GROUP_get_trinomial_basis ,
.Nm EC_GROUP_get_pentanomial_basis
.Nd manipulate EC_GROUP objects
.Sh SYNOPSIS
.In openssl/ec.h
.In openssl/bn.h
.Ft int
.Fo EC_GROUP_copy
.Fa "EC_GROUP *dst"
.Fa "const EC_GROUP *src"
.Fc
.Ft EC_GROUP *
.Fo EC_GROUP_dup
.Fa "const EC_GROUP *src"
.Fc
.Ft const EC_METHOD *
.Fo EC_GROUP_method_of
.Fa "const EC_GROUP *group"
.Fc
.Ft int
.Fo EC_GROUP_set_generator
.Fa "EC_GROUP *group"
.Fa "const EC_POINT *generator"
.Fa "const BIGNUM *order"
.Fa "const BIGNUM *cofactor"
.Fc
.Ft const EC_POINT *
.Fo EC_GROUP_get0_generator
.Fa "const EC_GROUP *group"
.Fc
.Ft int
.Fo EC_GROUP_get_order
.Fa "const EC_GROUP *group"
.Fa "BIGNUM *order"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo EC_GROUP_order_bits
.Fa "const EC_GROUP *group"
.Fc
.Ft int
.Fo EC_GROUP_get_cofactor
.Fa "const EC_GROUP *group"
.Fa "BIGNUM *cofactor"
.Fa "BN_CTX *ctx"
.Fc
.Ft void
.Fo EC_GROUP_set_curve_name
.Fa "EC_GROUP *group"
.Fa "int nid"
.Fc
.Ft int
.Fo EC_GROUP_get_curve_name
.Fa "const EC_GROUP *group"
.Fc
.Ft void
.Fo EC_GROUP_set_asn1_flag
.Fa "EC_GROUP *group"
.Fa "int flag"
.Fc
.Ft int
.Fo EC_GROUP_get_asn1_flag
.Fa "const EC_GROUP *group"
.Fc
.Ft void
.Fo EC_GROUP_set_point_conversion_form
.Fa "EC_GROUP *group"
.Fa "point_conversion_form_t form"
.Fc
.Ft point_conversion_form_t
.Fo EC_GROUP_get_point_conversion_form
.Fa "const EC_GROUP *"
.Fc
.Ft unsigned char *
.Fo EC_GROUP_get0_seed
.Fa "const EC_GROUP *x"
.Fc
.Ft size_t
.Fo EC_GROUP_get_seed_len
.Fa "const EC_GROUP *"
.Fc
.Ft size_t
.Fo EC_GROUP_set_seed
.Fa "EC_GROUP *"
.Fa "const unsigned char *"
.Fa "size_t len"
.Fc
.Ft int
.Fo EC_GROUP_get_degree
.Fa "const EC_GROUP *group"
.Fc
.Ft int
.Fo EC_GROUP_check
.Fa "const EC_GROUP *group"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo EC_GROUP_check_discriminant
.Fa "const EC_GROUP *group"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo EC_GROUP_cmp
.Fa "const EC_GROUP *a"
.Fa "const EC_GROUP *b"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo EC_GROUP_get_basis_type
.Fa "const EC_GROUP *"
.Fc
.Ft int
.Fo EC_GROUP_get_trinomial_basis
.Fa "const EC_GROUP *"
.Fa "unsigned int *k"
.Fc
.Ft int
.Fo EC_GROUP_get_pentanomial_basis
.Fa "const EC_GROUP *"
.Fa "unsigned int *k1"
.Fa "unsigned int *k2"
.Fa "unsigned int *k3"
.Fc
.Sh DESCRIPTION
These functions operate on
.Vt EC_GROUP
objects created by the functions described in
.Xr EC_GROUP_new 3 .
.Pp
.Fn EC_GROUP_copy
copies the curve
.Fa src
into
.Fa dst .
Both
.Fa src
and
.Fa dst
must use the same
.Vt EC_METHOD .
.Pp
.Fn EC_GROUP_dup
creates a new
.Vt EC_GROUP
object and copies the content from
.Fa src
to the newly created
.Vt EC_GROUP
object.
.Pp
.Fn EC_GROUP_method_of
obtains the
.Vt EC_METHOD
of
.Fa group .
.Pp
.Fn EC_GROUP_set_generator
sets curve parameters that must be agreed by all participants using
the curve.
These parameters include the
.Fa generator ,
the
.Fa order
and the
.Fa cofactor .
The
.Fa generator
is a well defined point on the curve chosen for cryptographic
operations.
Integers used for point multiplications will be between 0 and
.Fa order No - 1 .
The
.Fa order
multiplied by the
.Fa cofactor
gives the number of points on the curve.
.Pp
.Fn EC_GROUP_get0_generator
returns the generator for the identified
.Fa group .
.Pp
.Fn EC_GROUP_get_order
retrieves the order of the
.Fa group
and copies its value into
.Fa order .
It fails if the order of the
.Fa group
is not set or set to zero.
.Pp
.Fn EC_GROUP_get_cofactor
retrieves the cofactor of the
.Fa group
and copies its value into
.Fa cofactor .
It fails if the cofactor of the
.Fa group
is not set or set to zero.
.Pp
The functions
.Fn EC_GROUP_set_curve_name
and
.Fn EC_GROUP_get_curve_name
set and get the NID for the curve, respectively (see
.Xr EC_GROUP_new 3 ) .
If a curve does not have a NID associated with it, then
.Fn EC_GROUP_get_curve_name
will return
.Dv NID_undef .
.Pp
The asn1_flag value is used to determine whether the curve encoding
uses explicit parameters or a named curve using an ASN.1 OID:
many applications only support the latter form.
If asn1_flag is the default value
.Dv OPENSSL_EC_NAMED_CURVE ,
then the named curve form is used and the parameters must have a
corresponding named curve NID set.
If asn1_flags is
.Dv OPENSSL_EC_EXPLICIT_CURVE ,
the parameters are explicitly encoded.
The functions
.Fn EC_GROUP_get_asn1_flag
and
.Fn EC_GROUP_set_asn1_flag
get and set the status of the asn1_flag for the curve.
.Pp
The point_conversion_form for a curve controls how
.Vt EC_POINT
data is encoded as ASN.1 as defined in X9.62 (ECDSA).
.Vt point_conversion_form_t
is an enum defined as follows:
.Bd -literal
typedef enum {
	/** the point is encoded as z||x, where the octet z specifies
	 *   which solution of the quadratic equation y is  */
	POINT_CONVERSION_COMPRESSED = 2,
	/** the point is encoded as z||x||y, where z is the octet 0x04  */
	POINT_CONVERSION_UNCOMPRESSED = 4,
	/** the point is encoded as z||x||y, where the octet z specifies
         *  which solution of the quadratic equation y is  */
	POINT_CONVERSION_HYBRID = 6
} point_conversion_form_t;
.Ed
.Pp
For
.Dv POINT_CONVERSION_UNCOMPRESSED
the point is encoded as an octet signifying the UNCOMPRESSED form
has been used followed by the octets for x, followed by the octets
for y.
.Pp
For any given x coordinate for a point on a curve it is possible to
derive two possible y values.
For
.Dv POINT_CONVERSION_COMPRESSED
the point is encoded as an octet signifying that the COMPRESSED
form has been used AND which of the two possible solutions for y
has been used, followed by the octets for x.
.Pp
For
.Dv POINT_CONVERSION_HYBRID
the point is encoded as an octet signifying the HYBRID form has
been used AND which of the two possible solutions for y has been
used, followed by the octets for x, followed by the octets for y.
.Pp
The functions
.Fn EC_GROUP_set_point_conversion_form
and
.Fn EC_GROUP_get_point_conversion_form
set and get the point_conversion_form for the curve, respectively.
.Pp
ANSI X9.62 (ECDSA standard) defines a method of generating the curve
parameter b from a random number.
This provides advantages in that a parameter obtained in this way is
highly unlikely to be susceptible to special purpose attacks, or have
any trapdoors in it.
If the seed is present for a curve then the b parameter was generated in
a verifiable fashion using that seed.
The OpenSSL EC library does not use this seed value but does enable you
to inspect it using
.Fn EC_GROUP_get0_seed .
This returns a pointer to a memory block containing the seed that was
used.
The length of the memory block can be obtained using
.Fn EC_GROUP_get_seed_len .
A number of the builtin curves within the library provide seed values
that can be obtained.
It is also possible to set a custom seed using
.Fn EC_GROUP_set_seed
and passing a pointer to a memory block, along with the length of
the seed.
Again, the EC library will not use this seed value, although it will be
preserved in any ASN.1 based communications.
.Pp
.Fn EC_GROUP_get_degree
gets the degree of the field.
For Fp fields this will be the number of bits in p.
For F2^m fields this will be the value m.
.Pp
The function
.Fn EC_GROUP_check_discriminant
calculates the discriminant for the curve and verifies that it is
valid.
For a curve defined over Fp the discriminant is given by the formula
4*a^3 + 27*b^2 whilst for F2^m curves the discriminant is simply b.
In either case for the curve to be valid the discriminant must be
non-zero.
.Pp
The function
.Fn EC_GROUP_check
performs a number of checks on a curve to verify that it is valid.
Checks performed include verifying that the discriminant is non-zero;
that a generator has been defined; that the generator is on the curve
and has the correct order.
.Pp
.Fn EC_GROUP_cmp
compares
.Fa a
and
.Fa b
to determine whether they represent the same curve or not.
.Pp
The functions
.Fn EC_GROUP_get_basis_type ,
.Fn EC_GROUP_get_trinomial_basis ,
and
.Fn EC_GROUP_get_pentanomial_basis
should only be called for curves defined over an F2^m field.
Addition and multiplication operations within an F2^m field are
performed using an irreducible polynomial function f(x).
This function is either a trinomial of the form:
.Pp
.Dl f(x) = x^m + x^k + 1 with m > k >= 1
.Pp
or a pentanomial of the form:
.Pp
.Dl f(x) = x^m + x^k3 + x^k2 + x^k1 + 1 with m > k3 > k2 > k1 >= 1
.Pp
The function
.Fn EC_GROUP_get_basis_type
returns a NID identifying whether a trinomial or pentanomial is in
use for the field.
The function
.Fn EC_GROUP_get_trinomial_basis
must only be called where f(x) is of the trinomial form, and returns
the value of
.Fa k .
Similarly, the function
.Fn EC_GROUP_get_pentanomial_basis
must only be called where f(x) is of the pentanomial form, and
returns the values of
.Fa k1 ,
.Fa k2 ,
and
.Fa k3 .
.Sh RETURN VALUES
The following functions return 1 on success or 0 on error:
.Fn EC_GROUP_copy ,
.Fn EC_GROUP_set_generator ,
.Fn EC_GROUP_check ,
.Fn EC_GROUP_check_discriminant ,
.Fn EC_GROUP_get_trinomial_basis ,
and
.Fn EC_GROUP_get_pentanomial_basis .
.Pp
.Fn EC_GROUP_dup
returns a pointer to the duplicated curve or
.Dv NULL
on error.
.Pp
.Fn EC_GROUP_method_of
returns the
.Vt EC_METHOD
implementation in use for the given curve or
.Dv NULL
on error.
.Pp
.Fn EC_GROUP_get0_generator
returns the generator for the given curve or
.Dv NULL
on error.
.Pp
.Fn EC_GROUP_get_order
returns 0 if the order is not set or set to zero for the
.Fa group
or if copying into
.Fa order
fails, or 1 otherwise.
.Pp
.Fn EC_GROUP_order_bits
returns the number of bits in the group order.
.Pp
.Fn EC_GROUP_get_cofactor
returns 0 if the cofactor is not set or set to zero for the
.Fa group
or if copying into
.Fa cofactor
fails, or 1 otherwise.
.Pp
.Fn EC_GROUP_get_curve_name
returns the curve name (NID) for the
.Fa group
or
.Dv NID_undef
if no curve name is associated.
.Pp
.Fn EC_GROUP_get_asn1_flag
returns the ASN.1 flag for the specified
.Fa group .
.Pp
.Fn EC_GROUP_get_point_conversion_form
returns the point_conversion_form for the
.Fa group .
.Pp
.Fn EC_GROUP_get_degree
returns the degree for the
.Fa group
or 0 if the operation is not supported
by the underlying group implementation.
.Pp
.Fn EC_GROUP_get0_seed
returns a pointer to the seed that was used to generate the parameter
b, or
.Dv NULL
if the seed is not specified.
.Fn EC_GROUP_get_seed_len
returns the length of the seed or 0 if the seed is not specified.
.Pp
.Fn EC_GROUP_set_seed
returns the length of the seed that has been set.
If the supplied seed is
.Dv NULL
or the supplied seed length is 0, the return value will be 1.
On error 0 is returned.
.Pp
.Fn EC_GROUP_cmp
returns 0 if the curves are equal, 1 if they are not equal,
or -1 on error.
.Pp
.Fn EC_GROUP_get_basis_type
returns the values
.Dv NID_X9_62_tpBasis
or
.Dv NID_X9_62_ppBasis
as defined in
.In openssl/obj_mac.h
for a trinomial or pentanomial, respectively.
Alternatively in the event of an error a 0 is returned.
.Sh SEE ALSO
.Xr d2i_ECPKParameters 3 ,
.Xr EC_GFp_simple_method 3 ,
.Xr EC_GROUP_new 3 ,
.Xr EC_KEY_new 3 ,
.Xr EC_POINT_add 3 ,
.Xr EC_POINT_new 3
.Sh HISTORY
.Fn EC_GROUP_copy ,
.Fn EC_GROUP_method_of ,
.Fn EC_GROUP_set_generator ,
.Fn EC_GROUP_get0_generator ,
.Fn EC_GROUP_get_order ,
and
.Fn EC_GROUP_get_cofactor
first appeared in OpenSSL 0.9.7 and have been available since
.Ox 3.2 .
.Pp
.Fn EC_GROUP_dup ,
.Fn EC_GROUP_set_curve_name ,
.Fn EC_GROUP_get_curve_name ,
.Fn EC_GROUP_set_asn1_flag ,
.Fn EC_GROUP_get_asn1_flag ,
.Fn EC_GROUP_set_point_conversion_form ,
.Fn EC_GROUP_get_point_conversion_form ,
.Fn EC_GROUP_get0_seed ,
.Fn EC_GROUP_get_seed_len ,
.Fn EC_GROUP_set_seed ,
.Fn EC_GROUP_get_degree ,
.Fn EC_GROUP_check ,
.Fn EC_GROUP_check_discriminant ,
.Fn EC_GROUP_cmp ,
.Fn EC_GROUP_get_basis_type ,
.Fn EC_GROUP_get_trinomial_basis ,
and
.Fn EC_GROUP_get_pentanomial_basis
first appeared in OpenSSL 0.9.8 and has been available since
.Ox 4.5 .
.Pp
.Fn EC_GROUP_order_bits
first appeared in OpenSSL 1.1.0 and has been available since
.Ox 7.0 .