Add brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1 EC group support

[sfarestam-iproov]

Issues:

Resolves #2939

Description of changes:

AWS-LC currently does not support Brainpool elliptic curves. This PR adds EC group support for the five Brainpool r1 prime curves defined in RFC 5639: brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, and brainpoolP512r1.

The implementation follows the same pattern as secp256k1 — generic Montgomery arithmetic via EC_GFp_mont_method(), with no hand-optimized assembly. The only structural addition is ec_group_set_a_mont() for setting an arbitrary Montgomery-form a coefficient, since Brainpool curves have a ≠ -3 (unlike NIST curves) and a ≠ 0 (unlike secp256k1). The existing ec_GFp_mont_dbl() already handles this case correctly via its a_is_minus3 == 0 code path.

NIDs (925, 927, 929, 931, 933) and OIDs were already registered in nid.h and obj_dat.h. All domain parameters are sourced from RFC 5639 Sections 3.3–3.7, with OIDs from Section 4.1.

This PR covers EC primitive support (key generation, ECDSA, ECDH). TLS negotiation support (RFC 7027 / RFC 8734) can follow in a separate PR.

Motivation: These curves are required by ICAO Doc 9303 (ePassport standard, 30+ countries), BSI TR-03116-4 (German federal regulation), and are blocking the pyca/cryptography project from accepting Brainpool improvements (pyca/cryptography#14905).

Call-outs:

• FIPS boundary: The code is in crypto/fipsmodule/ec/. If adding curves inside the FIPS module is a concern for recertification, the implementation can be moved to crypto/ec_extra/. Please advise on the preferred placement.
• Arbitrary a coefficient: Added a small helper ec_group_set_a_mont() (6 lines) to copy a Montgomery-form a value. This is the only new function beyond the existing curve template pattern.
• make_tables.go changes: Added a curveWithA wrapper type and writeCurveDataWithA() function to emit MontA constants for curves where a is not -3 or 0. The standard elliptic.CurveParams in Go doesn't carry an A field (it assumes a = -3).

Testing:

• BrainpoolKeygenSignVerify: generates a key, signs a digest with ECDSA, verifies the signature, and checks that a corrupted signature is rejected — for all 5 curves.
• ECPKParmatersBio: round-trip i2d_ECPKParameters_bio / d2i_ECPKParameters_bio for all 5 curves.
• GetNamedCurve: dispatches Brainpool curve names for file-based test vectors.
• Scalar base multiplication test vectors are not included in this PR (generating them requires a Go Brainpool library); they can be added as a follow-up.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[github-actions]

clang-tidy made some suggestions

[github-actions]

warning: variable 'sig_len' is not initialized [cppcoreguidelines-init-variables]

crypto/fipsmodule/ec/ec_test.cc:2829:

- len;
+ len = 0;

[sfarestam-iproov]

Fixed — initialized to 0. Thanks.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 92.89617% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.20%. Comparing base (e8ea407) to head (df161b2).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
crypto/fipsmodule/ec/ec_test.cc	78.72%	10 Missing ⚠️
crypto/fipsmodule/evp/evp.c	50.00%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3286      +/-   ##
==========================================
+ Coverage   78.18%   78.20%   +0.02%     
==========================================
  Files         693      694       +1     
  Lines      123893   124075     +182     
  Branches    17205    17215      +10     
==========================================
+ Hits        96861    97030     +169     
- Misses      26114    26127      +13     
  Partials      918      918              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[sfarestam-iproov]

The strongswan-x86_64 CI failure is caused by our changes and is now fixed in 43d698e.

Root cause: evp_pkey_tls_encodedpoint_ec_curve_supported() in crypto/fipsmodule/evp/evp.c had a hardcoded allowlist of only four NIST curves (P-224, P-256, P-384, P-521). strongswan's openssl plugin uses EVP_PKEY_get1_tls_encodedpoint() / EVP_PKEY_set1_tls_encodedpoint() for its DH key exchange implementation. Before this PR, EC_GROUP_new_by_curve_name(NID_brainpoolP256r1) returned NULL so strongswan skipped the test vector. With Brainpool support now present, strongswan detects the curve and attempts an ECDH exchange, but the public key export/import fails at the allowlist.

Fix: Added NID_secp256k1 and all five Brainpool NIDs to the allowlist. The underlying point encoding (EC_POINT_oct2point, EC_KEY_key2buf) is curve-agnostic — the restriction was just overly conservative. The actual ECDH computation path (EVP_PKEY_derive) has no curve restrictions.

Note: the clang (Windows) failure is unrelated — it's a flaky ALPS-Decline-Server-Old-DTLS-TLS12 test failing due to Windows socket exhaustion (system lacked sufficient buffer space).

[nebeid]

Thank you for widening the curve allowlist in evp_pkey_tls_encodedpoint_ec_curve_supported

Suggestion: add a direct unit test so this gate is guarded explicitly rather than incidentally. The existing ECTLSEncodedPoint test already does hardcoded per-curve set1/get1 round-trips for the NIST curves; extending it to cover secp256k1 and at least one Brainpool curve would pin the allowlist and prevent future drift.

[sfarestam-iproov]

Done in 18fe067 — extended the ECTLSEncodedPoint test to cover secp256k1 (Wycheproof ecdh_secp256k1_test.json tcId 1) and brainpoolP256r1 (RFC 7027 Section A.1). Both entries exercise the full set1 → EVP_PKEY_derive → get1 round-trip, pinning the allowlist.