Add brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1 EC group support

[sfarestam-iproov]

Issues:

Resolves #2939

Description of changes:

AWS-LC currently does not support Brainpool elliptic curves. This PR adds EC group support for the five Brainpool r1 prime curves defined in RFC 5639: brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, and brainpoolP512r1.

The implementation follows the same pattern as secp256k1 — generic Montgomery arithmetic via EC_GFp_mont_method(), with no hand-optimized assembly. The only structural addition is ec_group_set_a_mont() for setting an arbitrary Montgomery-form a coefficient, since Brainpool curves have a ≠ -3 (unlike NIST curves) and a ≠ 0 (unlike secp256k1). The existing ec_GFp_mont_dbl() already handles this case correctly via its a_is_minus3 == 0 code path.

NIDs (925, 927, 929, 931, 933) and OIDs were already registered in nid.h and obj_dat.h. All domain parameters are sourced from RFC 5639 Sections 3.3–3.7, with OIDs from Section 4.1.

This PR covers EC primitive support (key generation, ECDSA, ECDH). TLS negotiation support (RFC 7027 / RFC 8734) can follow in a separate PR.

Motivation: These curves are required by ICAO Doc 9303 (ePassport standard, 30+ countries), BSI TR-03116-4 (German federal regulation), and are blocking the pyca/cryptography project from accepting Brainpool improvements (pyca/cryptography#14905).

Call-outs:

• FIPS boundary: The code is in crypto/fipsmodule/ec/. If adding curves inside the FIPS module is a concern for recertification, the implementation can be moved to crypto/ec_extra/. Please advise on the preferred placement.
• Arbitrary a coefficient: Added a small helper ec_group_set_a_mont() (6 lines) to copy a Montgomery-form a value. This is the only new function beyond the existing curve template pattern.
• make_tables.go changes: Added a curveWithA wrapper type and writeCurveDataWithA() function to emit MontA constants for curves where a is not -3 or 0. The standard elliptic.CurveParams in Go doesn't carry an A field (it assumes a = -3).

Testing:

• BrainpoolKeygenSignVerify: generates a key, signs a digest with ECDSA, verifies the signature, and checks that a corrupted signature is rejected — for all 5 curves.
• ECPKParmatersBio: round-trip i2d_ECPKParameters_bio / d2i_ECPKParameters_bio for all 5 curves.
• GetNamedCurve: dispatches Brainpool curve names for file-based test vectors.
• Scalar base multiplication test vectors are not included in this PR (generating them requires a Go Brainpool library); they can be added as a follow-up.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[github-actions]

clang-tidy made some suggestions

[github-actions]

warning: variable 'sig_len' is not initialized [cppcoreguidelines-init-variables]

crypto/fipsmodule/ec/ec_test.cc:2829:

- len;
+ len = 0;

[sfarestam-iproov]

Fixed — initialized to 0. Thanks.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 94.31818% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.19%. Comparing base (c0a3c85) to head (193a2a2).
⚠️ Report is 14 commits behind head on main.

Files with missing lines	Patch %	Lines
crypto/fipsmodule/ec/ec_test.cc	78.72%	10 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3286      +/-   ##
==========================================
+ Coverage   78.17%   78.19%   +0.02%     
==========================================
  Files         689      694       +5     
  Lines      123733   124070     +337     
  Branches    17197    17212      +15     
==========================================
+ Hits        96724    97020     +296     
- Misses      26091    26132      +41     
  Partials      918      918              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[nebeid]

Thank you @sfarestam-iproov for this contribution.

1. FIPS boundary placement — I'd lean toward moving this to crypto/ec_extra/ as you offered.

2. Known-answer test vectors — Unless I'm missing them, I don't see any KATs. The current tests (BrainpoolKeygenSignVerify, ECPKParmatersBio) are round-trip/self-consistency checks, which would pass even if the domain parameters were subtly off as long as they're internally consistent. Since hardcoded curve parameters are the core of this change, it'd be good to validate p/a/b/G/n and the generated tables against independent reference vectors (RFC 5639, Wycheproof, or another library). I'd suggest including these in this PR rather than as a follow-up.

[sfarestam-iproov]

Thank you for the review @nebeid — both changes are now addressed:

1. FIPS boundary placement (commit 4ee8115): Moved all 5 Brainpool DEFINE_METHOD_FUNCTION blocks from crypto/fipsmodule/ec/ec.c to crypto/ec_extra/ec_brainpool.c. The small helper functions (ec_group_init_static_mont, ec_group_set_a_mont) are duplicated in the new file rather than exposed via internal.h, to avoid widening the FIPS module's internal API surface.

2. Known-answer test vectors (commit 193a2a2): Added two independent validation layers:

• BrainpoolDomainParamsRFC5639 (ec_test.cc): Extracts p/a/b/Gx/Gy/n from each curve's EC_GROUP (converting out of Montgomery form) and compares against the hex reference values from RFC 5639 Sections 3.2–3.7. This catches subtly wrong precomputed constants that self-consistency tests would miss.

• WycheproofECDSABrainpool (evp_test.cc): Runs Wycheproof ECDSA verify vectors for all 5 curves (~22k lines of test vectors sourced from C2SP/wycheproof), validating that the precomputed multiplication tables produce correct point arithmetic. Follows the existing WycheproofECDSAsecp256k1 pattern.

[sfarestam-iproov]

CI fix in dc21069: DEFINE_METHOD_FUNCTION can't be used outside crypto/fipsmodule/ — in FIPS builds it expands to external BSS symbol references that only exist within the delocated bcm.o. Replaced with an equivalent CRYPTO_once-based lazy-init macro defined locally in ec_brainpool.c.