Bug 1306319 - Fix layer violations, r=kaie,ueno
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Fri, 30 Sep 2016 08:32:32 +0200
changeset 12718 0c845c900217050b8ee6e054655ea130d24480a4
parent 12717 ad2a42aed57a01cfc1d8b14fad8c782f52e17093
child 12719 803319e95365ea37b901f853c8f14f26c1a0ceca
push id1668
push userfranziskuskiefer@gmail.com
push dateFri, 14 Oct 2016 14:38:24 +0000
reviewerskaie, ueno
bugs1306319
Bug 1306319 - Fix layer violations, r=kaie,ueno try: -b do -p linux,linux64-gyp -u all -t all -e all
cmd/Makefile
cmd/ecperf/ecperf.c
cmd/ectest/Makefile
cmd/ectest/ectest.c
cmd/ectest/ectest.gyp
cmd/ectest/manifest.mn
cmd/ectest/testvecs.h
cmd/fbectest/Makefile
cmd/fbectest/fbectest.c
cmd/fbectest/fbectest.gyp
cmd/fbectest/manifest.mn
cmd/fbectest/testvecs.h
cmd/manifest.mn
cmd/pk11ectest/Makefile
cmd/pk11ectest/manifest.mn
cmd/pk11ectest/pk11ectest.c
cmd/pk11ectest/pk11ectest.gyp
cmd/pk11ectest/testvecs.h
lib/freebl/ecl/ecl-curve.h
nss.gyp
tests/ec/ectest.sh
--- a/cmd/Makefile
+++ b/cmd/Makefile
@@ -12,23 +12,23 @@ include $(CORE_DEPTH)/coreconf/config.mk
 
 ifdef BUILD_LIBPKIX_TESTS
 DIRS += libpkix
 endif
 
 ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
 BLTEST_SRCDIR =
 ECPERF_SRCDIR =
-ECTEST_SRCDIR =
+FREEBL_ECTEST_SRCDIR =
 FIPSTEST_SRCDIR =
 SHLIBSIGN_SRCDIR =
 else
 BLTEST_SRCDIR = bltest
 ECPERF_SRCDIR = ecperf
-ECTEST_SRCDIR = ectest
+FREEBL_ECTEST_SRCDIR = fbectest
 FIPSTEST_SRCDIR = fipstest
 SHLIBSIGN_SRCDIR = shlibsign
 endif
 
 LOWHASHTEST_SRCDIR=
 ifeq ($(FREEBL_LOWHASH),1)
 LOWHASHTEST_SRCDIR = lowhashtest  # Add the lowhashtest directory to DIRS.
 endif
--- a/cmd/ecperf/ecperf.c
+++ b/cmd/ecperf/ecperf.c
@@ -4,17 +4,16 @@
 
 #include "blapi.h"
 #include "ec.h"
 #include "ecl-curve.h"
 #include "prprf.h"
 #include "basicutil.h"
 #include "pkcs11.h"
 #include "nspr.h"
-#include "certt.h" /* TODO: remove when old curves are removed */
 #include <stdio.h>
 
 #define __PASTE(x, y) x##y
 
 /*
  * Get the NSS specific PKCS #11 function names.
  */
 #undef CK_PKCS11_FUNCTION_INFO
rename from cmd/ectest/Makefile
rename to cmd/fbectest/Makefile
rename from cmd/ectest/ectest.c
rename to cmd/fbectest/fbectest.c
--- a/cmd/ectest/ectest.c
+++ b/cmd/fbectest/fbectest.c
@@ -1,20 +1,20 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "blapi.h"
 #include "ec.h"
 #include "ecl-curve.h"
-#include "nss.h"
-#include "secutil.h"
+#include "prprf.h"
+#include "basicutil.h"
+#include "secder.h"
 #include "secitem.h"
 #include "nspr.h"
-#include "pk11pub.h"
 #include <stdio.h>
 
 typedef struct {
     ECCurveName curve;
     int iterations;
     char *privhex;
     char *our_pubhex;
     char *their_pubhex;
@@ -213,87 +213,16 @@ cleanup:
         PORT_FreeArena(ecPriv->ecParams.arena, PR_FALSE);
     }
     if (derived.data) {
         SECITEM_FreeItem(&derived, PR_FALSE);
     }
     return rv;
 }
 
-void
-PrintKey(PK11SymKey *symKey)
-{
-    char *name = PK11_GetSymKeyNickname(symKey);
-    int len = PK11_GetKeyLength(symKey);
-    int strength = PK11_GetKeyStrength(symKey, NULL);
-    SECItem *value = NULL;
-    CK_KEY_TYPE type = PK11_GetSymKeyType(symKey);
-    (void)PK11_ExtractKeyValue(symKey);
-
-    value = PK11_GetKeyData(symKey);
-    printf("%s %3d   %4d   %s  ", name ? name : "no-name", len, strength,
-           type == CKK_GENERIC_SECRET ? "generic" : "ERROR! UNKNOWN KEY TYPE");
-    printBuf(value);
-
-    PORT_Free(name);
-}
-
-SECStatus
-ectest_curve_pkcs11(SECOidTag oid)
-{
-    SECKEYECParams pk_11_ecParams = { siBuffer, NULL, 0 };
-    SECKEYPublicKey *pubKey = NULL;
-    SECKEYPrivateKey *privKey = NULL;
-    SECOidData *oidData = NULL;
-    CK_MECHANISM_TYPE target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
-    PK11SymKey *symKey = NULL;
-    SECStatus rv = SECFailure;
-
-    oidData = SECOID_FindOIDByTag(oid);
-    if (oidData == NULL) {
-        printf(" >>> SECOID_FindOIDByTag failed.\n");
-        goto cleanup;
-    }
-    PORT_Assert(oidData->oid.len < 256);
-    SECITEM_AllocItem(NULL, &pk_11_ecParams, (2 + oidData->oid.len));
-    pk_11_ecParams.data[0] = SEC_ASN1_OBJECT_ID; /* we have to prepend 0x06 */
-    pk_11_ecParams.data[1] = oidData->oid.len;
-    memcpy(pk_11_ecParams.data + 2, oidData->oid.data, oidData->oid.len);
-
-    privKey = SECKEY_CreateECPrivateKey(&pk_11_ecParams, &pubKey, NULL);
-    if (!privKey || !pubKey) {
-        printf(" >>> SECKEY_CreateECPrivateKey failed.\n");
-        goto cleanup;
-    }
-
-    symKey = PK11_PubDeriveWithKDF(privKey, pubKey, PR_FALSE, NULL, NULL,
-                                   CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
-                                   CKD_NULL, NULL, NULL);
-    if (!symKey) {
-        printf(" >>> PK11_PubDeriveWithKDF failed.\n");
-        goto cleanup;
-    }
-    PrintKey(symKey);
-    rv = SECSuccess;
-
-cleanup:
-    if (privKey) {
-        SECKEY_DestroyPrivateKey(privKey);
-    }
-    if (pubKey) {
-        SECKEY_DestroyPublicKey(pubKey);
-    }
-    if (symKey) {
-        PK11_FreeSymKey(symKey);
-    }
-    SECITEM_FreeItem(&pk_11_ecParams, PR_FALSE);
-
-    return rv;
-}
-
 SECStatus
 ectest_validate_point(ECDH_BAD *bad)
 {
     ECParams ecParams = { 0 };
     SECItem point = { siBuffer, NULL, 0 };
     SECStatus rv = SECFailure;
     PLArenaPool *arena = NULL;
 
@@ -308,127 +237,92 @@ ectest_validate_point(ECDH_BAD *bad)
     PORT_FreeArena(arena, PR_FALSE);
     return rv;
 }
 
 void
 printUsage(char *prog)
 {
     printf("Usage: %s [-fp] [-nd]\n"
-           "\t-f: usefreebl\n"
-           "\t-p: usepkcs11\n"
            "\t-n: NIST curves\n"
            "\t-d: non-NIST curves\n"
-           "You have to specify at least f or p and n or d.\n"
+           "You have to specify at at least one of n or d.\n"
            "By default no tests are executed.\n",
            prog);
 }
 
 /* Performs tests of elliptic curve cryptography over prime fields If
  * tests fail, then it prints an error message, aborts, and returns an
  * error code. Otherwise, returns 0. */
 int
 main(int argv, char **argc)
 {
     SECStatus rv = SECSuccess;
     int numkats = 0;
     int i = 0;
-    int usepkcs11 = 0;
-    int usefreebl = 0;
     int nist = 0;
     int nonnist = 0;
-    SECOidTag nistOids[3] = { SEC_OID_SECG_EC_SECP256R1,
-                              SEC_OID_SECG_EC_SECP384R1,
-                              SEC_OID_SECG_EC_SECP521R1 };
 
     for (i = 1; i < argv; i++) {
-        if (PL_strcasecmp(argc[i], "-p") == 0) {
-            usepkcs11 = 1;
-        } else if (PL_strcasecmp(argc[i], "-f") == 0) {
-            usefreebl = 1;
-        } else if (PL_strcasecmp(argc[i], "-n") == 0) {
+        if (PL_strcasecmp(argc[i], "-n") == 0) {
             nist = 1;
         } else if (PL_strcasecmp(argc[i], "-d") == 0) {
             nonnist = 1;
         } else {
             printUsage(argc[0]);
             return 1;
         }
     }
-    if (!(usepkcs11 || usefreebl) || !(nist || nonnist)) {
+    if (!nist && !nonnist) {
         printUsage(argc[0]);
         return 1;
     }
 
-    rv = NSS_NoDB_Init(NULL);
+    rv = SECOID_Init();
     if (rv != SECSuccess) {
-        SECU_PrintError("Error:", "NSS_NoDB_Init");
+        SECU_PrintError("Error:", "SECOID_Init");
         goto cleanup;
     }
 
     /* Test P256, P384, P521 */
-    if (usefreebl) {
-        if (nist) {
-            while (ecdh_testvecs[numkats].curve != ECCurve_pastLastCurve) {
-                numkats++;
-            }
-            printf("1..%d\n", numkats);
-            for (i = 0; ecdh_testvecs[i].curve != ECCurve_pastLastCurve; i++) {
-                if (ectest_ecdh_kat(&ecdh_testvecs[i]) != SECSuccess) {
-                    printf("not okay %d - %s\n", i + 1, ecdh_testvecs[i].name);
-                    rv = SECFailure;
-                } else {
-                    printf("okay %d - %s\n", i + 1, ecdh_testvecs[i].name);
-                }
-            }
+    if (nist) {
+        while (ecdh_testvecs[numkats].curve != ECCurve_pastLastCurve) {
+            numkats++;
         }
-
-        /* Test KAT for non-NIST curves */
-        if (nonnist) {
-            for (i = 0; nonnist_testvecs[i].curve != ECCurve_pastLastCurve; i++) {
-                if (ectest_ecdh_kat(&nonnist_testvecs[i]) != SECSuccess) {
-                    printf("not okay %d - %s\n", i + 1, nonnist_testvecs[i].name);
-                    rv = SECFailure;
-                } else {
-                    printf("okay %d - %s\n", i + 1, nonnist_testvecs[i].name);
-                }
-            }
-            for (i = 0; nonnist_testvecs_bad_values[i].curve != ECCurve_pastLastCurve; i++) {
-                if (ectest_validate_point(&nonnist_testvecs_bad_values[i]) == SECSuccess) {
-                    printf("not okay %d - %s\n", i + 1, nonnist_testvecs_bad_values[i].name);
-                    rv = SECFailure;
-                } else {
-                    printf("okay %d - %s\n", i + 1, nonnist_testvecs_bad_values[i].name);
-                }
+        printf("1..%d\n", numkats);
+        for (i = 0; ecdh_testvecs[i].curve != ECCurve_pastLastCurve; i++) {
+            if (ectest_ecdh_kat(&ecdh_testvecs[i]) != SECSuccess) {
+                printf("not okay %d - %s\n", i + 1, ecdh_testvecs[i].name);
+                rv = SECFailure;
+            } else {
+                printf("okay %d - %s\n", i + 1, ecdh_testvecs[i].name);
             }
         }
     }
 
-    /* Test PK11 for non-NIST curves */
-    if (usepkcs11) {
-        if (nonnist) {
-            if (ectest_curve_pkcs11(SEC_OID_CURVE25519) != SECSuccess) {
-                printf("not okay (OID %d) - PK11 test\n", SEC_OID_CURVE25519);
+    /* Test KAT for non-NIST curves */
+    if (nonnist) {
+        for (i = 0; nonnist_testvecs[i].curve != ECCurve_pastLastCurve; i++) {
+            if (ectest_ecdh_kat(&nonnist_testvecs[i]) != SECSuccess) {
+                printf("not okay %d - %s\n", i + 1, nonnist_testvecs[i].name);
                 rv = SECFailure;
             } else {
-                printf("okay (OID %d) - PK11 test\n", SEC_OID_CURVE25519);
+                printf("okay %d - %s\n", i + 1, nonnist_testvecs[i].name);
             }
         }
-        if (nist) {
-            for (i = 0; i < 3; ++i) {
-                if (ectest_curve_pkcs11(nistOids[i]) != SECSuccess) {
-                    printf("not okay (OID %d) - PK11 test\n", nistOids[i]);
-                    rv = SECFailure;
-                } else {
-                    printf("okay (OID %d) - PK11 test\n", nistOids[i]);
-                }
+        for (i = 0; nonnist_testvecs_bad_values[i].curve != ECCurve_pastLastCurve; i++) {
+            if (ectest_validate_point(&nonnist_testvecs_bad_values[i]) == SECSuccess) {
+                printf("not okay %d - %s\n", i + 1, nonnist_testvecs_bad_values[i].name);
+                rv = SECFailure;
+            } else {
+                printf("okay %d - %s\n", i + 1, nonnist_testvecs_bad_values[i].name);
             }
         }
     }
 
 cleanup:
-    rv |= NSS_Shutdown();
+    rv |= SECOID_Shutdown();
 
     if (rv != SECSuccess) {
         printf("Error: exiting with error value\n");
     }
     return rv;
 }
rename from cmd/ectest/ectest.gyp
rename to cmd/fbectest/fbectest.gyp
--- a/cmd/ectest/ectest.gyp
+++ b/cmd/fbectest/fbectest.gyp
@@ -3,20 +3,20 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 {
   'includes': [
     '../../coreconf/config.gypi',
     '../../cmd/platlibs.gypi'
   ],
   'targets': [
     {
-      'target_name': 'ectest',
+      'target_name': 'fbectest',
       'type': 'executable',
       'sources': [
-        'ectest.c'
+        'fbectest.c'
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3'
       ]
     }
   ],
   'target_defaults': {
rename from cmd/ectest/manifest.mn
rename to cmd/fbectest/manifest.mn
--- a/cmd/ectest/manifest.mn
+++ b/cmd/fbectest/manifest.mn
@@ -6,13 +6,13 @@
 DEPTH = ../..
 CORE_DEPTH = ../..
 
 # MODULE public and private header directories are implicitly REQUIRED.
 MODULE = nss
 
 INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
 
-CSRCS = ectest.c
+CSRCS = fbectest.c
 
-PROGRAM = ectest
+PROGRAM = fbectest
 
 USE_STATIC_LIBS = 1
rename from cmd/ectest/testvecs.h
rename to cmd/fbectest/testvecs.h
--- a/cmd/manifest.mn
+++ b/cmd/manifest.mn
@@ -18,17 +18,17 @@ LIB_SRCDIRS = \
  lib \
  $(NULL)
 endif
 
 ifndef NSS_BUILD_UTIL_ONLY
 SOFTOKEN_SRCDIRS = \
  $(BLTEST_SRCDIR) \
  $(ECPERF_SRCDIR) \
- $(ECTEST_SRCDIR) \
+ $(FREEBL_ECTEST_SRCDIR) \
  $(FIPSTEST_SRCDIR)  \
  $(LOWHASHTEST_SRCDIR)  \
  $(SHLIBSIGN_SRCDIR) \
  $(NULL)
 endif
 
 ifndef NSS_BUILD_SOFTOKEN_ONLY
 ifndef NSS_BUILD_UTIL_ONLY
@@ -51,16 +51,17 @@ NSS_SRCDIRS = \
  ocspclnt  \
  ocspresp \
  oidcalc  \
  p7content  \
  p7env  \
  p7sign  \
  p7verify  \
  pk12util \
+ pk11ectest \
  pk11gcmtest \
  pk11mode \
  pk1sign  \
  pp  \
  pwdecrypt \
  rsaperf \
  sdrtest \
  selfserv  \
copy from cmd/ectest/Makefile
copy to cmd/pk11ectest/Makefile
copy from cmd/ectest/manifest.mn
copy to cmd/pk11ectest/manifest.mn
--- a/cmd/ectest/manifest.mn
+++ b/cmd/pk11ectest/manifest.mn
@@ -4,15 +4,13 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 DEPTH = ../..
 CORE_DEPTH = ../..
 
 # MODULE public and private header directories are implicitly REQUIRED.
 MODULE = nss
 
-INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
+CSRCS = pk11ectest.c
 
-CSRCS = ectest.c
-
-PROGRAM = ectest
+PROGRAM = pk11ectest
 
 USE_STATIC_LIBS = 1
copy from cmd/ectest/ectest.c
copy to cmd/pk11ectest/pk11ectest.c
--- a/cmd/ectest/ectest.c
+++ b/cmd/pk11ectest/pk11ectest.c
@@ -1,228 +1,35 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "blapi.h"
-#include "ec.h"
-#include "ecl-curve.h"
 #include "nss.h"
 #include "secutil.h"
 #include "secitem.h"
 #include "nspr.h"
 #include "pk11pub.h"
 #include <stdio.h>
 
-typedef struct {
-    ECCurveName curve;
-    int iterations;
-    char *privhex;
-    char *our_pubhex;
-    char *their_pubhex;
-    char *common_key;
-    char *name;
-    ECFieldType fieldType;
-} ECDH_KAT;
-
-typedef struct {
-    ECCurveName curve;
-    char *point;
-    char *name;
-    ECFieldType fieldType;
-} ECDH_BAD;
-
-#include "testvecs.h"
-
-/*
- * Initializes a SECItem from a hexadecimal string
- *
- */
-static SECItem *
-hexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str)
-{
-    int i = 0;
-    int byteval = 0;
-    int tmp = PORT_Strlen(str);
-
-    PORT_Assert(arena);
-    PORT_Assert(item);
-
-    if ((tmp % 2) != 0) {
-        return NULL;
-    }
-
-    item = SECITEM_AllocItem(arena, item, tmp / 2);
-    if (item == NULL) {
-        return NULL;
-    }
-
-    while (str[i]) {
-        if ((str[i] >= '0') && (str[i] <= '9')) {
-            tmp = str[i] - '0';
-        } else if ((str[i] >= 'a') && (str[i] <= 'f')) {
-            tmp = str[i] - 'a' + 10;
-        } else if ((str[i] >= 'A') && (str[i] <= 'F')) {
-            tmp = str[i] - 'A' + 10;
-        } else {
-            /* item is in arena and gets freed by the caller */
-            return NULL;
-        }
-
-        byteval = byteval * 16 + tmp;
-        if ((i % 2) != 0) {
-            item->data[i / 2] = byteval;
-            byteval = 0;
-        }
-        i++;
-    }
-
-    return item;
-}
-
 void
 printBuf(const SECItem *item)
 {
     int i;
     if (!item || !item->len) {
         printf("(null)\n");
         return;
     }
 
     for (i = 0; i < item->len; i++) {
         printf("%02x", item->data[i]);
     }
     printf("\n");
 }
 
-/* Initialise test with basic curve populate with only the necessary things */
-SECStatus
-init_params(ECParams *ecParams, ECCurveName curve, PLArenaPool **arena,
-            ECFieldType type)
-{
-    if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve)) {
-        return SECFailure;
-    }
-    *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (!*arena) {
-        return SECFailure;
-    }
-    ecParams->name = curve;
-    ecParams->type = ec_params_named;
-    ecParams->curveOID.data = NULL;
-    ecParams->curveOID.len = 0;
-    ecParams->curve.seed.data = NULL;
-    ecParams->curve.seed.len = 0;
-    ecParams->DEREncoding.data = NULL;
-    ecParams->DEREncoding.len = 0;
-    ecParams->arena = *arena;
-    ecParams->fieldID.size = ecCurve_map[curve]->size;
-    ecParams->fieldID.type = type;
-    ecParams->cofactor = ecCurve_map[curve]->cofactor;
-    ecParams->pointSize = ecCurve_map[curve]->pointSize;
-
-    return SECSuccess;
-}
-
-SECStatus
-ectest_ecdh_kat(ECDH_KAT *kat)
-{
-    ECCurveName curve = kat->curve;
-    ECParams ecParams = { 0 };
-    ECPrivateKey *ecPriv = NULL;
-    SECItem theirKey = { siBuffer, NULL, 0 };
-    SECStatus rv = SECFailure;
-    PLArenaPool *arena = NULL;
-    SECItem seed = { siBuffer, NULL, 0 };
-    SECItem answer = { siBuffer, NULL, 0 };
-    SECItem answer2 = { siBuffer, NULL, 0 };
-    SECItem derived = { siBuffer, NULL, 0 };
-    char genenc[3 + 2 * 2 * MAX_ECKEY_LEN];
-    int i;
-
-    rv = init_params(&ecParams, curve, &arena, kat->fieldType);
-    if (rv != SECSuccess) {
-        return rv;
-    }
-
-    hexString2SECItem(arena, &ecParams.fieldID.u.prime, ecCurve_map[curve]->irr);
-    hexString2SECItem(arena, &ecParams.curve.a, ecCurve_map[curve]->curvea);
-    hexString2SECItem(arena, &ecParams.curve.b, ecCurve_map[curve]->curveb);
-    genenc[0] = '0';
-    genenc[1] = '4';
-    genenc[2] = '\0';
-    PORT_Assert(PR_ARRAY_SIZE(genenc) >= PORT_Strlen(ecCurve_map[curve]->genx));
-    PORT_Assert(PR_ARRAY_SIZE(genenc) >= PORT_Strlen(ecCurve_map[curve]->geny));
-    strcat(genenc, ecCurve_map[curve]->genx);
-    strcat(genenc, ecCurve_map[curve]->geny);
-    hexString2SECItem(arena, &ecParams.base, genenc);
-    hexString2SECItem(arena, &ecParams.order, ecCurve_map[curve]->order);
-
-    if (kat->our_pubhex) {
-        hexString2SECItem(arena, &answer, kat->our_pubhex);
-    }
-    hexString2SECItem(arena, &seed, kat->privhex);
-    rv = EC_NewKeyFromSeed(&ecParams, &ecPriv, seed.data, seed.len);
-    if (rv != SECSuccess) {
-        rv = SECFailure;
-        goto cleanup;
-    }
-    if (kat->our_pubhex) {
-        if (SECITEM_CompareItem(&answer, &ecPriv->publicValue) != SECEqual) {
-            rv = SECFailure;
-            goto cleanup;
-        }
-    }
-
-    hexString2SECItem(arena, &theirKey, kat->their_pubhex);
-    hexString2SECItem(arena, &answer2, kat->common_key);
-
-    rv = EC_ValidatePublicKey(&ecParams, &theirKey);
-    if (rv != SECSuccess) {
-        printf("EC_ValidatePublicKey failed\n");
-        goto cleanup;
-    }
-
-    for (i = 0; i < kat->iterations; ++i) {
-        rv = ECDH_Derive(&theirKey, &ecParams, &ecPriv->privateValue, PR_TRUE, &derived);
-        if (rv != SECSuccess) {
-            rv = SECFailure;
-            goto cleanup;
-        }
-        rv = SECITEM_CopyItem(ecParams.arena, &theirKey, &ecPriv->privateValue);
-        if (rv != SECSuccess) {
-            goto cleanup;
-        }
-        rv = SECITEM_CopyItem(ecParams.arena, &ecPriv->privateValue, &derived);
-        if (rv != SECSuccess) {
-            goto cleanup;
-        }
-        SECITEM_FreeItem(&derived, PR_FALSE);
-    }
-
-    if (SECITEM_CompareItem(&answer2, &ecPriv->privateValue) != SECEqual) {
-        printf("expected: ");
-        printBuf(&answer2);
-        printf("derived:  ");
-        printBuf(&ecPriv->privateValue);
-        rv = SECFailure;
-        goto cleanup;
-    }
-
-cleanup:
-    PORT_FreeArena(arena, PR_FALSE);
-    if (ecPriv) {
-        PORT_FreeArena(ecPriv->ecParams.arena, PR_FALSE);
-    }
-    if (derived.data) {
-        SECITEM_FreeItem(&derived, PR_FALSE);
-    }
-    return rv;
-}
-
 void
 PrintKey(PK11SymKey *symKey)
 {
     char *name = PK11_GetSymKeyNickname(symKey);
     int len = PK11_GetKeyLength(symKey);
     int strength = PK11_GetKeyStrength(symKey, NULL);
     SECItem *value = NULL;
     CK_KEY_TYPE type = PK11_GetSymKeyType(symKey);
@@ -284,147 +91,77 @@ cleanup:
     if (symKey) {
         PK11_FreeSymKey(symKey);
     }
     SECITEM_FreeItem(&pk_11_ecParams, PR_FALSE);
 
     return rv;
 }
 
-SECStatus
-ectest_validate_point(ECDH_BAD *bad)
-{
-    ECParams ecParams = { 0 };
-    SECItem point = { siBuffer, NULL, 0 };
-    SECStatus rv = SECFailure;
-    PLArenaPool *arena = NULL;
-
-    rv = init_params(&ecParams, bad->curve, &arena, bad->fieldType);
-    if (rv != SECSuccess) {
-        return rv;
-    }
-
-    hexString2SECItem(arena, &point, bad->point);
-    rv = EC_ValidatePublicKey(&ecParams, &point);
-
-    PORT_FreeArena(arena, PR_FALSE);
-    return rv;
-}
-
 void
 printUsage(char *prog)
 {
     printf("Usage: %s [-fp] [-nd]\n"
-           "\t-f: usefreebl\n"
-           "\t-p: usepkcs11\n"
            "\t-n: NIST curves\n"
            "\t-d: non-NIST curves\n"
-           "You have to specify at least f or p and n or d.\n"
+           "You have to specify at at least one of n or d.\n"
            "By default no tests are executed.\n",
            prog);
 }
 
 /* Performs tests of elliptic curve cryptography over prime fields If
  * tests fail, then it prints an error message, aborts, and returns an
  * error code. Otherwise, returns 0. */
 int
 main(int argv, char **argc)
 {
     SECStatus rv = SECSuccess;
-    int numkats = 0;
     int i = 0;
-    int usepkcs11 = 0;
-    int usefreebl = 0;
     int nist = 0;
     int nonnist = 0;
     SECOidTag nistOids[3] = { SEC_OID_SECG_EC_SECP256R1,
                               SEC_OID_SECG_EC_SECP384R1,
                               SEC_OID_SECG_EC_SECP521R1 };
 
     for (i = 1; i < argv; i++) {
-        if (PL_strcasecmp(argc[i], "-p") == 0) {
-            usepkcs11 = 1;
-        } else if (PL_strcasecmp(argc[i], "-f") == 0) {
-            usefreebl = 1;
-        } else if (PL_strcasecmp(argc[i], "-n") == 0) {
+        if (PL_strcasecmp(argc[i], "-n") == 0) {
             nist = 1;
         } else if (PL_strcasecmp(argc[i], "-d") == 0) {
             nonnist = 1;
         } else {
             printUsage(argc[0]);
             return 1;
         }
     }
-    if (!(usepkcs11 || usefreebl) || !(nist || nonnist)) {
+    if (!nist && !nonnist) {
         printUsage(argc[0]);
         return 1;
     }
 
     rv = NSS_NoDB_Init(NULL);
     if (rv != SECSuccess) {
         SECU_PrintError("Error:", "NSS_NoDB_Init");
         goto cleanup;
     }
 
-    /* Test P256, P384, P521 */
-    if (usefreebl) {
-        if (nist) {
-            while (ecdh_testvecs[numkats].curve != ECCurve_pastLastCurve) {
-                numkats++;
-            }
-            printf("1..%d\n", numkats);
-            for (i = 0; ecdh_testvecs[i].curve != ECCurve_pastLastCurve; i++) {
-                if (ectest_ecdh_kat(&ecdh_testvecs[i]) != SECSuccess) {
-                    printf("not okay %d - %s\n", i + 1, ecdh_testvecs[i].name);
-                    rv = SECFailure;
-                } else {
-                    printf("okay %d - %s\n", i + 1, ecdh_testvecs[i].name);
-                }
-            }
-        }
-
-        /* Test KAT for non-NIST curves */
-        if (nonnist) {
-            for (i = 0; nonnist_testvecs[i].curve != ECCurve_pastLastCurve; i++) {
-                if (ectest_ecdh_kat(&nonnist_testvecs[i]) != SECSuccess) {
-                    printf("not okay %d - %s\n", i + 1, nonnist_testvecs[i].name);
-                    rv = SECFailure;
-                } else {
-                    printf("okay %d - %s\n", i + 1, nonnist_testvecs[i].name);
-                }
-            }
-            for (i = 0; nonnist_testvecs_bad_values[i].curve != ECCurve_pastLastCurve; i++) {
-                if (ectest_validate_point(&nonnist_testvecs_bad_values[i]) == SECSuccess) {
-                    printf("not okay %d - %s\n", i + 1, nonnist_testvecs_bad_values[i].name);
-                    rv = SECFailure;
-                } else {
-                    printf("okay %d - %s\n", i + 1, nonnist_testvecs_bad_values[i].name);
-                }
-            }
+    if (nonnist) {
+        if (ectest_curve_pkcs11(SEC_OID_CURVE25519) != SECSuccess) {
+            printf("not okay (OID %d) - PK11 test\n", SEC_OID_CURVE25519);
+            rv = SECFailure;
+        } else {
+            printf("okay (OID %d) - PK11 test\n", SEC_OID_CURVE25519);
         }
     }
-
-    /* Test PK11 for non-NIST curves */
-    if (usepkcs11) {
-        if (nonnist) {
-            if (ectest_curve_pkcs11(SEC_OID_CURVE25519) != SECSuccess) {
-                printf("not okay (OID %d) - PK11 test\n", SEC_OID_CURVE25519);
+    if (nist) {
+        for (i = 0; i < 3; ++i) {
+            if (ectest_curve_pkcs11(nistOids[i]) != SECSuccess) {
+                printf("not okay (OID %d) - PK11 test\n", nistOids[i]);
                 rv = SECFailure;
             } else {
-                printf("okay (OID %d) - PK11 test\n", SEC_OID_CURVE25519);
-            }
-        }
-        if (nist) {
-            for (i = 0; i < 3; ++i) {
-                if (ectest_curve_pkcs11(nistOids[i]) != SECSuccess) {
-                    printf("not okay (OID %d) - PK11 test\n", nistOids[i]);
-                    rv = SECFailure;
-                } else {
-                    printf("okay (OID %d) - PK11 test\n", nistOids[i]);
-                }
+                printf("okay (OID %d) - PK11 test\n", nistOids[i]);
             }
         }
     }
 
 cleanup:
     rv |= NSS_Shutdown();
 
     if (rv != SECSuccess) {
copy from cmd/ectest/ectest.gyp
copy to cmd/pk11ectest/pk11ectest.gyp
--- a/cmd/ectest/ectest.gyp
+++ b/cmd/pk11ectest/pk11ectest.gyp
@@ -3,31 +3,28 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 {
   'includes': [
     '../../coreconf/config.gypi',
     '../../cmd/platlibs.gypi'
   ],
   'targets': [
     {
-      'target_name': 'ectest',
+      'target_name': 'pk11ectest',
       'type': 'executable',
       'sources': [
-        'ectest.c'
+        'pk11ectest.c'
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3'
       ]
     }
   ],
   'target_defaults': {
-    'include_dirs': [
-      '../../nss/lib/softoken'
-    ],
     'defines': [
       'NSS_USE_STATIC_LIBS'
     ]
   },
   'variables': {
     'module': 'nss',
     'use_static_libs': 1
   }
copy from cmd/ectest/testvecs.h
copy to cmd/pk11ectest/testvecs.h
--- a/lib/freebl/ecl/ecl-curve.h
+++ b/lib/freebl/ecl/ecl-curve.h
@@ -1,23 +1,26 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "certt.h"
 #include "ecl-exp.h"
 #include <stdlib.h>
 
 #ifndef __ecl_curve_h_
 #define __ecl_curve_h_
 
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
 #error This source file is for Basic ECC only .
 #endif
 
+/* copied from certt.h */
+#define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
+#define KU_KEY_AGREEMENT (0x08)     /* bit 4 */
+
 static const ECCurveParams ecCurve_NIST_P256 = {
     "NIST-P256", ECField_GFp, 256,
     "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
     "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
     "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
     "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
     "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
     "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
--- a/nss.gyp
+++ b/nss.gyp
@@ -138,29 +138,30 @@
             'cmd/btoa/btoa.gyp:btoa',
             'cmd/certcgi/certcgi.gyp:certcgi',
             'cmd/chktest/chktest.gyp:chktest',
             'cmd/crmftest/crmftest.gyp:crmftest',
             'cmd/dbtest/dbtest.gyp:dbtest',
             'cmd/derdump/derdump.gyp:derdump',
             'cmd/digest/digest.gyp:digest',
             'cmd/ecperf/ecperf.gyp:ecperf',
-            'cmd/ectest/ectest.gyp:ectest',
+            'cmd/fbectest/fbectest.gyp:fbectest',
             'cmd/fipstest/fipstest.gyp:fipstest',
             'cmd/httpserv/httpserv.gyp:httpserv',
             'cmd/listsuites/listsuites.gyp:listsuites',
             'cmd/makepqg/makepqg.gyp:makepqg',
             'cmd/multinit/multinit.gyp:multinit',
             'cmd/ocspclnt/ocspclnt.gyp:ocspclnt',
             'cmd/ocspresp/ocspresp.gyp:ocspresp',
             'cmd/oidcalc/oidcalc.gyp:oidcalc',
             'cmd/p7content/p7content.gyp:p7content',
             'cmd/p7env/p7env.gyp:p7env',
             'cmd/p7sign/p7sign.gyp:p7sign',
             'cmd/p7verify/p7verify.gyp:p7verify',
+            'cmd/pk11ectest/pk11ectest.gyp:pk11ectest',
             'cmd/pk11gcmtest/pk11gcmtest.gyp:pk11gcmtest',
             'cmd/pk11mode/pk11mode.gyp:pk11mode',
             'cmd/pk1sign/pk1sign.gyp:pk1sign',
             'cmd/pp/pp.gyp:pp',
             'cmd/rsaperf/rsaperf.gyp:rsaperf',
             'cmd/sdrtest/sdrtest.gyp:sdrtest',
             'cmd/selfserv/selfserv.gyp:selfserv',
             'cmd/shlibsign/mangle/mangle.gyp:mangle',
--- a/tests/ec/ectest.sh
+++ b/tests/ec/ectest.sh
@@ -24,17 +24,17 @@
 ectest_init()
 {
   SCRIPTNAME="ectest.sh"
   if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
       cd ../common
       . ./init.sh
   fi
   SCRIPTNAME="ectest.sh"
-  html_head "ectest test"
+  html_head "freebl and pk11 ectest tests"
 }
 
 ectest_cleanup()
 {
   html "</TABLE><BR>"
   cd ${QADIR}
   . common/cleanup.sh
 }
@@ -66,17 +66,28 @@ ectest_genkeydb_test()
     html_failed "ec test certutil keygen - $curve"
   else
     html_passed "ec test certutil keygen - $curve"
   fi
 }
 
 ectest_init
 ectest_genkeydb_test
-ECTEST_OUT=$(ectest -f -p -n -d 2>&1)
-ECTEST_OUT=`echo $ECTEST_OUT | grep -i 'not okay\|Assertion failure'`
 # TODO: expose individual tests and failures instead of overall
-if [ -n "$ECTEST_OUT" ] ; then
-  html_failed "ec freebl and pk11 test"
-else
-  html_passed "ec freebl and pk11 test"
+if [ -f ${BINDIR}/fbectest ]; then
+  FB_ECTEST_OUT=$(fbectest -n -d 2>&1)
+  FB_ECTEST_OUT=`echo $FB_ECTEST_OUT | grep -i 'not okay\|Assertion failure'`
+  if [ -n "$FB_ECTEST_OUT" ] ; then
+    html_failed "freebl ec tests"
+  else
+    html_passed "freebl ec tests"
+  fi
+fi
+if [ -f ${BINDIR}/pk11ectest ]; then
+  PK11_ECTEST_OUT=$(pk11ectest -n -d 2>&1)
+  PK11_ECTEST_OUT=`echo $PK11_ECTEST_OUT | grep -i 'not okay\|Assertion failure'`
+  if [ -n "$PK11_ECTEST_OUT" ] ; then
+    html_failed "pk11 ec tests"
+  else
+    html_passed "pk11 ec tests"
+  fi
 fi
 ectest_cleanup