]> git.zerfleddert.de Git - proxmark3-svn/blame - common/mbedtls/ecp_curves.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
update CI/.travis.yml (#929)
[proxmark3-svn] / common / mbedtls / ecp_curves.c
CommitLineData
700d8687
OM		 1/*
2 * Elliptic curves over GF(p): curve-specific data and functions
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23
24#if !defined(MBEDTLS_CONFIG_FILE)
25#include "mbedtls/config.h"
26#else
27#include MBEDTLS_CONFIG_FILE
28#endif
29
30#if defined(MBEDTLS_ECP_C)
31
32#include "mbedtls/ecp.h"
33
34#include <string.h>
35
36#if !defined(MBEDTLS_ECP_ALT)
37
38#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
39 !defined(inline) && !defined(__cplusplus)
40#define inline __inline
41#endif
42
43/*
44 * Conversion macros for embedded constants:
45 * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
46 */
47#if defined(MBEDTLS_HAVE_INT32)
48
49#define BYTES_TO_T_UINT_4( a, b, c, d ) \
50 ( (mbedtls_mpi_uint) a << 0 ) | \
51 ( (mbedtls_mpi_uint) b << 8 ) | \
52 ( (mbedtls_mpi_uint) c << 16 ) | \
53 ( (mbedtls_mpi_uint) d << 24 )
54
55#define BYTES_TO_T_UINT_2( a, b ) \
56 BYTES_TO_T_UINT_4( a, b, 0, 0 )
57
58#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
59 BYTES_TO_T_UINT_4( a, b, c, d ), \
60 BYTES_TO_T_UINT_4( e, f, g, h )
61
62#else /* 64-bits */
63
64#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
65 ( (mbedtls_mpi_uint) a << 0 ) | \
66 ( (mbedtls_mpi_uint) b << 8 ) | \
67 ( (mbedtls_mpi_uint) c << 16 ) | \
68 ( (mbedtls_mpi_uint) d << 24 ) | \
69 ( (mbedtls_mpi_uint) e << 32 ) | \
70 ( (mbedtls_mpi_uint) f << 40 ) | \
71 ( (mbedtls_mpi_uint) g << 48 ) | \
72 ( (mbedtls_mpi_uint) h << 56 )
73
74#define BYTES_TO_T_UINT_4( a, b, c, d ) \
75 BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
76
77#define BYTES_TO_T_UINT_2( a, b ) \
78 BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
79
80#endif /* bits in mbedtls_mpi_uint */
81
82/*
83 * Note: the constants are in little-endian order
84 * to be directly usable in MPIs
85 */
86
3a5ffba7 87/*
88 * Domain parameters for secp128r1
89 */
90#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED)
91static const mbedtls_mpi_uint secp128r1_p[] = {
92 // 2^128 - 2^97 - 1 // TODO
93 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
94 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF ),
95};
96static const mbedtls_mpi_uint secp128r1_a[] = {
97 // FFFFFFFDFFFFFFFF FFFFFFFFFFFFFFFC
98 BYTES_TO_T_UINT_8( 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
99 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF ),
100};
101static const mbedtls_mpi_uint secp128r1_b[] = {
102 // E87579C11079F43D D824993C2CEE5ED3
103 BYTES_TO_T_UINT_8( 0xD3, 0x5E, 0xEE, 0x2C, 0x3C, 0x99, 0x24, 0xD8 ),
104 BYTES_TO_T_UINT_8( 0x3D, 0xF4, 0x79, 0x10, 0xC1, 0x79, 0x75, 0xE8 ),
105};
106static const mbedtls_mpi_uint secp128r1_gx[] = {
107 // 161FF7528B899B2D 0C28607CA52C5B86
108 BYTES_TO_T_UINT_8( 0x86, 0x5B, 0x2C, 0xA5, 0x7C, 0x60, 0x28, 0x0C ),
109 BYTES_TO_T_UINT_8( 0x2D, 0x9B, 0x89, 0x8B, 0x52, 0xF7, 0x1F, 0x16 ),
110};
111static const mbedtls_mpi_uint secp128r1_gy[] = {
112 // CF5AC8395BAFEB13 C02DA292DDED7A83
113 BYTES_TO_T_UINT_8( 0x83, 0x7A, 0xED, 0xDD, 0x92, 0xA2, 0x2D, 0xC0 ),
114 BYTES_TO_T_UINT_8( 0x13, 0xEB, 0xAF, 0x5B, 0x39, 0xC8, 0x5A, 0xCF ),
115};
116static const mbedtls_mpi_uint secp128r1_n[] = {
117 // FFFFFFFE00000000 75A30D1B9038A115
118 BYTES_TO_T_UINT_8( 0x15, 0xA1, 0x38, 0x90, 0x1B, 0x0D, 0xA3, 0x75 ),
119 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFF, 0xFF ),
120};
121#endif /* MBEDTLS_ECP_DP_SECP128R1_ENABLED */
122
700d8687
OM		 123/*
124 * Domain parameters for secp192r1
125 */
126#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
127static const mbedtls_mpi_uint secp192r1_p[] = {
128 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
129 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
130 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
131};
132static const mbedtls_mpi_uint secp192r1_b[] = {
133 BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
134 BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
135 BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
136};
137static const mbedtls_mpi_uint secp192r1_gx[] = {
138 BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
139 BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
140 BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
141};
142static const mbedtls_mpi_uint secp192r1_gy[] = {
143 BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
144 BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
145 BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
146};
147static const mbedtls_mpi_uint secp192r1_n[] = {
148 BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
149 BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
150 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
151};
152#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
153
154/*
155 * Domain parameters for secp224r1
156 */
157#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
158static const mbedtls_mpi_uint secp224r1_p[] = {
159 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
160 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
161 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
162 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
163};
164static const mbedtls_mpi_uint secp224r1_b[] = {
165 BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
166 BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
167 BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
168 BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
169};
170static const mbedtls_mpi_uint secp224r1_gx[] = {
171 BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
172 BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
173 BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
174 BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
175};
176static const mbedtls_mpi_uint secp224r1_gy[] = {
177 BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
178 BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
179 BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
180 BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
181};
182static const mbedtls_mpi_uint secp224r1_n[] = {
183 BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
184 BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
185 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
186 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
187};
188#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
189
190/*
191 * Domain parameters for secp256r1
192 */
193#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
194static const mbedtls_mpi_uint secp256r1_p[] = {
195 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
196 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
197 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
198 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
199};
200static const mbedtls_mpi_uint secp256r1_b[] = {
201 BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
202 BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
203 BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
204 BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
205};
206static const mbedtls_mpi_uint secp256r1_gx[] = {
207 BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
208 BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
209 BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
210 BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
211};
212static const mbedtls_mpi_uint secp256r1_gy[] = {
213 BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
214 BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
215 BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
216 BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
217};
218static const mbedtls_mpi_uint secp256r1_n[] = {
219 BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
220 BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
221 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
222 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
223};
224#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
225
226/*
227 * Domain parameters for secp384r1
228 */
229#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
230static const mbedtls_mpi_uint secp384r1_p[] = {
231 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
232 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
233 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
234 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
235 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
236 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
237};
238static const mbedtls_mpi_uint secp384r1_b[] = {
239 BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
240 BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
241 BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
242 BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
243 BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
244 BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
245};
246static const mbedtls_mpi_uint secp384r1_gx[] = {
247 BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
248 BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
249 BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
250 BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
251 BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
252 BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
253};
254static const mbedtls_mpi_uint secp384r1_gy[] = {
255 BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
256 BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
257 BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
258 BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
259 BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
260 BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
261};
262static const mbedtls_mpi_uint secp384r1_n[] = {
263 BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
264 BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
265 BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
266 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
267 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
268 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
269};
270#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
271
272/*
273 * Domain parameters for secp521r1
274 */
275#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
276static const mbedtls_mpi_uint secp521r1_p[] = {
277 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
278 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
279 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
280 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
281 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
282 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
283 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
284 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
285 BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
286};
287static const mbedtls_mpi_uint secp521r1_b[] = {
288 BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
289 BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
290 BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
291 BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
292 BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
293 BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
294 BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
295 BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
296 BYTES_TO_T_UINT_2( 0x51, 0x00 ),
297};
298static const mbedtls_mpi_uint secp521r1_gx[] = {
299 BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
300 BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
301 BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
302 BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
303 BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
304 BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
305 BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
306 BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
307 BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
308};
309static const mbedtls_mpi_uint secp521r1_gy[] = {
310 BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
311 BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
312 BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
313 BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
314 BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
315 BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
316 BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
317 BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
318 BYTES_TO_T_UINT_2( 0x18, 0x01 ),
319};
320static const mbedtls_mpi_uint secp521r1_n[] = {
321 BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
322 BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
323 BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
324 BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
325 BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
326 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
327 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
328 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
329 BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
330};
331#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
332
333#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
334static const mbedtls_mpi_uint secp192k1_p[] = {
335 BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
336 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
337 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
338};
339static const mbedtls_mpi_uint secp192k1_a[] = {
340 BYTES_TO_T_UINT_2( 0x00, 0x00 ),
341};
342static const mbedtls_mpi_uint secp192k1_b[] = {
343 BYTES_TO_T_UINT_2( 0x03, 0x00 ),
344};
345static const mbedtls_mpi_uint secp192k1_gx[] = {
346 BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
347 BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
348 BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
349};
350static const mbedtls_mpi_uint secp192k1_gy[] = {
351 BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
352 BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
353 BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
354};
355static const mbedtls_mpi_uint secp192k1_n[] = {
356 BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
357 BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
358 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
359};
360#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
361
362#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
363static const mbedtls_mpi_uint secp224k1_p[] = {
364 BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
365 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
366 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
367 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
368};
369static const mbedtls_mpi_uint secp224k1_a[] = {
370 BYTES_TO_T_UINT_2( 0x00, 0x00 ),
371};
372static const mbedtls_mpi_uint secp224k1_b[] = {
373 BYTES_TO_T_UINT_2( 0x05, 0x00 ),
374};
375static const mbedtls_mpi_uint secp224k1_gx[] = {
376 BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
377 BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
378 BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
379 BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
380};
381static const mbedtls_mpi_uint secp224k1_gy[] = {
382 BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
383 BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
384 BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
385 BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
386};
387static const mbedtls_mpi_uint secp224k1_n[] = {
388 BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
389 BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
390 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
391 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
392};
393#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
394
395#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
396static const mbedtls_mpi_uint secp256k1_p[] = {
397 BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
398 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
399 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
400 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
401};
402static const mbedtls_mpi_uint secp256k1_a[] = {
403 BYTES_TO_T_UINT_2( 0x00, 0x00 ),
404};
405static const mbedtls_mpi_uint secp256k1_b[] = {
406 BYTES_TO_T_UINT_2( 0x07, 0x00 ),
407};
408static const mbedtls_mpi_uint secp256k1_gx[] = {
409 BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
410 BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
411 BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
412 BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
413};
414static const mbedtls_mpi_uint secp256k1_gy[] = {
415 BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
416 BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
417 BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
418 BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
419};
420static const mbedtls_mpi_uint secp256k1_n[] = {
421 BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
422 BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
423 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
424 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
425};
426#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
427
428/*
429 * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
430 */
431#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
432static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
433 BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
434 BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
435 BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
436 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
437};
438static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
439 BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
440 BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
441 BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
442 BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
443};
444static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
445 BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
446 BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
447 BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
448 BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
449};
450static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
451 BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
452 BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
453 BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
454 BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
455};
456static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
457 BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
458 BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
459 BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
460 BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
461};
462static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
463 BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
464 BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
465 BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
466 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
467};
468#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
469
470/*
471 * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
472 */
473#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
474static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
475 BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
476 BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
477 BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
478 BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
479 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
480 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
481};
482static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
483 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
484 BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
485 BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
486 BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
487 BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
488 BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
489};
490static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
491 BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
492 BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
493 BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
494 BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
495 BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
496 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
497};
498static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
499 BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
500 BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
501 BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
502 BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
503 BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
504 BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
505};
506static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
507 BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
508 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
509 BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
510 BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
511 BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
512 BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
513};
514static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
515 BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
516 BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
517 BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
518 BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
519 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
520 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
521};
522#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
523
524/*
525 * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
526 */
527#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
528static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
529 BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
530 BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
531 BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
532 BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
533 BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
534 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
535 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
536 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
537};
538static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
539 BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
540 BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
541 BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
542 BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
543 BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
544 BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
545 BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
546 BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
547};
548static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
549 BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
550 BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
551 BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
552 BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
553 BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
554 BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
555 BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
556 BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
557};
558static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
559 BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
560 BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
561 BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
562 BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
563 BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
564 BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
565 BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
566 BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
567};
568static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
569 BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
570 BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
571 BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
572 BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
573 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
574 BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
575 BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
576 BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
577};
578static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
579 BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
580 BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
581 BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
582 BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
583 BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
584 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
585 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
586 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
587};
588#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
589
590/*
591 * Create an MPI from embedded constants
592 * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
593 */
594static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len )
595{
596 X->s = 1;
597 X->n = len / sizeof( mbedtls_mpi_uint );
598 X->p = (mbedtls_mpi_uint *) p;
599}
600
601/*
602 * Set an MPI to static value 1
603 */
604static inline void ecp_mpi_set1( mbedtls_mpi *X )
605{
606 static mbedtls_mpi_uint one[] = { 1 };
607 X->s = 1;
608 X->n = 1;
609 X->p = one;
610}
611
612/*
613 * Make group available from embedded constants
614 */
615static int ecp_group_load( mbedtls_ecp_group *grp,
616 const mbedtls_mpi_uint *p, size_t plen,
617 const mbedtls_mpi_uint *a, size_t alen,
618 const mbedtls_mpi_uint *b, size_t blen,
619 const mbedtls_mpi_uint *gx, size_t gxlen,
620 const mbedtls_mpi_uint *gy, size_t gylen,
621 const mbedtls_mpi_uint *n, size_t nlen)
622{
623 ecp_mpi_load( &grp->P, p, plen );
624 if( a != NULL )
625 ecp_mpi_load( &grp->A, a, alen );
626 ecp_mpi_load( &grp->B, b, blen );
627 ecp_mpi_load( &grp->N, n, nlen );
628
629 ecp_mpi_load( &grp->G.X, gx, gxlen );
630 ecp_mpi_load( &grp->G.Y, gy, gylen );
631 ecp_mpi_set1( &grp->G.Z );
632
633 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
634 grp->nbits = mbedtls_mpi_bitlen( &grp->N );
635
636 grp->h = 1;
637
638 return( 0 );
639}
640
641#if defined(MBEDTLS_ECP_NIST_OPTIM)
642/* Forward declarations */
643#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
644static int ecp_mod_p192( mbedtls_mpi * );
645#endif
646#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
647static int ecp_mod_p224( mbedtls_mpi * );
648#endif
649#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
650static int ecp_mod_p256( mbedtls_mpi * );
651#endif
652#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
653static int ecp_mod_p384( mbedtls_mpi * );
654#endif
655#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
656static int ecp_mod_p521( mbedtls_mpi * );
657#endif
658
659#define NIST_MODP( P ) grp->modp = ecp_mod_ ## P;
660#else
661#define NIST_MODP( P )
662#endif /* MBEDTLS_ECP_NIST_OPTIM */
663
664/* Additional forward declarations */
665#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
666static int ecp_mod_p255( mbedtls_mpi * );
667#endif
668#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
669static int ecp_mod_p448( mbedtls_mpi * );
670#endif
671#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
672static int ecp_mod_p192k1( mbedtls_mpi * );
673#endif
674#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
675static int ecp_mod_p224k1( mbedtls_mpi * );
676#endif
677#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
678static int ecp_mod_p256k1( mbedtls_mpi * );
679#endif
680
681#define LOAD_GROUP_A( G ) ecp_group_load( grp, \
682 G ## _p, sizeof( G ## _p ), \
683 G ## _a, sizeof( G ## _a ), \
684 G ## _b, sizeof( G ## _b ), \
685 G ## _gx, sizeof( G ## _gx ), \
686 G ## _gy, sizeof( G ## _gy ), \
687 G ## _n, sizeof( G ## _n ) )
688
689#define LOAD_GROUP( G ) ecp_group_load( grp, \
690 G ## _p, sizeof( G ## _p ), \
691 NULL, 0, \
692 G ## _b, sizeof( G ## _b ), \
693 G ## _gx, sizeof( G ## _gx ), \
694 G ## _gy, sizeof( G ## _gy ), \
695 G ## _n, sizeof( G ## _n ) )
696
697#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
698/*
699 * Specialized function for creating the Curve25519 group
700 */
701static int ecp_use_curve25519( mbedtls_ecp_group *grp )
702{
703 int ret;
704
705 /* Actually ( A + 2 ) / 4 */
706 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "01DB42" ) );
707
708 /* P = 2^255 - 19 */
709 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
710 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 255 ) );
711 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) );
712 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
713
714 /* N = 2^252 + 27742317777372353535851937790883648493 */
715 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->N, 16,
716 "14DEF9DEA2F79CD65812631A5CF5D3ED" ) );
717 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) );
718
719 /* Y intentionally not set, since we use x/z coordinates.
720 * This is used as a marker to identify Montgomery curves! */
721 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) );
722 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
723 mbedtls_mpi_free( &grp->G.Y );
724
725 /* Actually, the required msb for private keys */
726 grp->nbits = 254;
727
728cleanup:
729 if( ret != 0 )
730 mbedtls_ecp_group_free( grp );
731
732 return( ret );
733}
734#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
735
736#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
737/*
738 * Specialized function for creating the Curve448 group
739 */
740static int ecp_use_curve448( mbedtls_ecp_group *grp )
741{
742 mbedtls_mpi Ns;
743 int ret;
744
745 mbedtls_mpi_init( &Ns );
746
747 /* Actually ( A + 2 ) / 4 */
748 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "98AA" ) );
749
750 /* P = 2^448 - 2^224 - 1 */
751 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
752 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
753 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
754 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
755 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
756 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
757
758 /* Y intentionally not set, since we use x/z coordinates.
759 * This is used as a marker to identify Montgomery curves! */
760 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 5 ) );
761 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
762 mbedtls_mpi_free( &grp->G.Y );
763
764 /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
765 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
766 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &Ns, 16,
767 "8335DC163BB124B65129C96FDE933D8D723A70AADC873D6D54A7BB0D" ) );
768 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) );
769
770 /* Actually, the required msb for private keys */
771 grp->nbits = 447;
772
773cleanup:
774 mbedtls_mpi_free( &Ns );
775 if( ret != 0 )
776 mbedtls_ecp_group_free( grp );
777
778 return( ret );
779}
780#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
781
782/*
783 * Set a group using well-known domain parameters
784 */
785int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
786{
787 mbedtls_ecp_group_free( grp );
788
789 grp->id = id;
790
791 switch( id )
792 {
3a5ffba7 793#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED)
794 case MBEDTLS_ECP_DP_SECP128R1:
795 grp->modp = NULL;
796 return( LOAD_GROUP_A( secp128r1 ) );
797#endif /* MBEDTLS_ECP_DP_SECP128R1_ENABLED */
700d8687
OM		 798#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
799 case MBEDTLS_ECP_DP_SECP192R1:
800 NIST_MODP( p192 );
801 return( LOAD_GROUP( secp192r1 ) );
802#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
803
804#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
805 case MBEDTLS_ECP_DP_SECP224R1:
806 NIST_MODP( p224 );
807 return( LOAD_GROUP( secp224r1 ) );
808#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
809
810#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
811 case MBEDTLS_ECP_DP_SECP256R1:
812 NIST_MODP( p256 );
813 return( LOAD_GROUP( secp256r1 ) );
814#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
815
816#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
817 case MBEDTLS_ECP_DP_SECP384R1:
818 NIST_MODP( p384 );
819 return( LOAD_GROUP( secp384r1 ) );
820#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
821
822#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
823 case MBEDTLS_ECP_DP_SECP521R1:
824 NIST_MODP( p521 );
825 return( LOAD_GROUP( secp521r1 ) );
826#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
827
828#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
829 case MBEDTLS_ECP_DP_SECP192K1:
830 grp->modp = ecp_mod_p192k1;
831 return( LOAD_GROUP_A( secp192k1 ) );
832#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
833
834#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
835 case MBEDTLS_ECP_DP_SECP224K1:
836 grp->modp = ecp_mod_p224k1;
837 return( LOAD_GROUP_A( secp224k1 ) );
838#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
839
840#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
841 case MBEDTLS_ECP_DP_SECP256K1:
842 grp->modp = ecp_mod_p256k1;
843 return( LOAD_GROUP_A( secp256k1 ) );
844#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
845
846#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
847 case MBEDTLS_ECP_DP_BP256R1:
848 return( LOAD_GROUP_A( brainpoolP256r1 ) );
849#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
850
851#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
852 case MBEDTLS_ECP_DP_BP384R1:
853 return( LOAD_GROUP_A( brainpoolP384r1 ) );
854#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
855
856#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
857 case MBEDTLS_ECP_DP_BP512R1:
858 return( LOAD_GROUP_A( brainpoolP512r1 ) );
859#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
860
861#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
862 case MBEDTLS_ECP_DP_CURVE25519:
863 grp->modp = ecp_mod_p255;
864 return( ecp_use_curve25519( grp ) );
865#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
866
867#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
868 case MBEDTLS_ECP_DP_CURVE448:
869 grp->modp = ecp_mod_p448;
870 return( ecp_use_curve448( grp ) );
871#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
872
873 default:
874 mbedtls_ecp_group_free( grp );
875 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
876 }
877}
878
879#if defined(MBEDTLS_ECP_NIST_OPTIM)
880/*
881 * Fast reduction modulo the primes used by the NIST curves.
882 *
883 * These functions are critical for speed, but not needed for correct
884 * operations. So, we make the choice to heavily rely on the internals of our
885 * bignum library, which creates a tight coupling between these functions and
886 * our MPI implementation. However, the coupling between the ECP module and
887 * MPI remains loose, since these functions can be deactivated at will.
888 */
889
890#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
891/*
892 * Compared to the way things are presented in FIPS 186-3 D.2,
893 * we proceed in columns, from right (least significant chunk) to left,
894 * adding chunks to N in place, and keeping a carry for the next chunk.
895 * This avoids moving things around in memory, and uselessly adding zeros,
896 * compared to the more straightforward, line-oriented approach.
897 *
898 * For this prime we need to handle data in chunks of 64 bits.
899 * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
900 * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
901 */
902
903/* Add 64-bit chunks (dst += src) and update carry */
904static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry )
905{
906 unsigned char i;
907 mbedtls_mpi_uint c = 0;
908 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ )
909 {
910 *dst += c; c = ( *dst < c );
911 *dst += *src; c += ( *dst < *src );
912 }
913 *carry += c;
914}
915
916/* Add carry to a 64-bit chunk and update carry */
917static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry )
918{
919 unsigned char i;
920 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ )
921 {
922 *dst += *carry;
923 *carry = ( *dst < *carry );
924 }
925}
926
927#define WIDTH 8 / sizeof( mbedtls_mpi_uint )
928#define A( i ) N->p + i * WIDTH
929#define ADD( i ) add64( p, A( i ), &c )
930#define NEXT p += WIDTH; carry64( p, &c )
931#define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0
932
933/*
934 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
935 */
936static int ecp_mod_p192( mbedtls_mpi *N )
937{
938 int ret;
939 mbedtls_mpi_uint c = 0;
940 mbedtls_mpi_uint *p, *end;
941
942 /* Make sure we have enough blocks so that A(5) is legal */
943 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) );
944
945 p = N->p;
946 end = p + N->n;
947
948 ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5
949 ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5
950 ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5
951
952cleanup:
953 return( ret );
954}
955
956#undef WIDTH
957#undef A
958#undef ADD
959#undef NEXT
960#undef LAST
961#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
962
963#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
964 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
965 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
966/*
967 * The reader is advised to first understand ecp_mod_p192() since the same
968 * general structure is used here, but with additional complications:
969 * (1) chunks of 32 bits, and (2) subtractions.
970 */
971
972/*
973 * For these primes, we need to handle data in chunks of 32 bits.
974 * This makes it more complicated if we use 64 bits limbs in MPI,
975 * which prevents us from using a uniform access method as for p192.
976 *
977 * So, we define a mini abstraction layer to access 32 bit chunks,
978 * load them in 'cur' for work, and store them back from 'cur' when done.
979 *
980 * While at it, also define the size of N in terms of 32-bit chunks.
981 */
982#define LOAD32 cur = A( i );
983
984#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
985
986#define MAX32 N->n
987#define A( j ) N->p[j]
988#define STORE32 N->p[i] = cur;
989
990#else /* 64-bit */
991
992#define MAX32 N->n * 2
993#define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] )
994#define STORE32 \
995 if( i % 2 ) { \
996 N->p[i/2] &= 0x00000000FFFFFFFF; \
997 N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \
998 } else { \
999 N->p[i/2] &= 0xFFFFFFFF00000000; \
1000 N->p[i/2] |= (mbedtls_mpi_uint) cur; \
1001 }
1002
1003#endif /* sizeof( mbedtls_mpi_uint ) */
1004
1005/*
1006 * Helpers for addition and subtraction of chunks, with signed carry.
1007 */
1008static inline void add32( uint32_t *dst, uint32_t src, signed char *carry )
1009{
1010 *dst += src;
1011 *carry += ( *dst < src );
1012}
1013
1014static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
1015{
1016 *carry -= ( *dst < src );
1017 *dst -= src;
1018}
1019
1020#define ADD( j ) add32( &cur, A( j ), &c );
1021#define SUB( j ) sub32( &cur, A( j ), &c );
1022
1023/*
1024 * Helpers for the main 'loop'
1025 * (see fix_negative for the motivation of C)
1026 */
1027#define INIT( b ) \
1028 int ret; \
1029 signed char c = 0, cc; \
1030 uint32_t cur; \
1031 size_t i = 0, bits = b; \
1032 mbedtls_mpi C; \
1033 mbedtls_mpi_uint Cp[ b / 8 / sizeof( mbedtls_mpi_uint) + 1 ]; \
1034 \
1035 C.s = 1; \
1036 C.n = b / 8 / sizeof( mbedtls_mpi_uint) + 1; \
1037 C.p = Cp; \
1038 memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) ); \
1039 \
1040 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, b * 2 / 8 / sizeof( mbedtls_mpi_uint ) ) ); \
1041 LOAD32;
1042
1043#define NEXT \
1044 STORE32; i++; LOAD32; \
1045 cc = c; c = 0; \
1046 if( cc < 0 ) \
1047 sub32( &cur, -cc, &c ); \
1048 else \
1049 add32( &cur, cc, &c ); \
1050
1051#define LAST \
1052 STORE32; i++; \
1053 cur = c > 0 ? c : 0; STORE32; \
1054 cur = 0; while( ++i < MAX32 ) { STORE32; } \
1055 if( c < 0 ) fix_negative( N, c, &C, bits );
1056
1057/*
1058 * If the result is negative, we get it in the form
1059 * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits'
1060 */
1061static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits )
1062{
1063 int ret;
1064
1065 /* C = - c * 2^(bits + 32) */
1066#if !defined(MBEDTLS_HAVE_INT64)
1067 ((void) bits);
1068#else
1069 if( bits == 224 )
1070 C->p[ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32;
1071 else
1072#endif
1073 C->p[ C->n - 1 ] = (mbedtls_mpi_uint) -c;
1074
1075 /* N = - ( C - N ) */
1076 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) );
1077 N->s = -1;
1078
1079cleanup:
1080
1081 return( ret );
1082}
1083
1084#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
1085/*
1086 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
1087 */
1088static int ecp_mod_p224( mbedtls_mpi *N )
1089{
1090 INIT( 224 );
1091
1092 SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11
1093 SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12
1094 SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13
1095 SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11
1096 SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12
1097 SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13
1098 SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10
1099
1100cleanup:
1101 return( ret );
1102}
1103#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
1104
1105#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
1106/*
1107 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
1108 */
1109static int ecp_mod_p256( mbedtls_mpi *N )
1110{
1111 INIT( 256 );
1112
1113 ADD( 8 ); ADD( 9 );
1114 SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0
1115
1116 ADD( 9 ); ADD( 10 );
1117 SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1
1118
1119 ADD( 10 ); ADD( 11 );
1120 SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2
1121
1122 ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
1123 SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3
1124
1125 ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
1126 SUB( 9 ); SUB( 10 ); NEXT; // A4
1127
1128 ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
1129 SUB( 10 ); SUB( 11 ); NEXT; // A5
1130
1131 ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
1132 SUB( 8 ); SUB( 9 ); NEXT; // A6
1133
1134 ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
1135 SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7
1136
1137cleanup:
1138 return( ret );
1139}
1140#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
1141
1142#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
1143/*
1144 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
1145 */
1146static int ecp_mod_p384( mbedtls_mpi *N )
1147{
1148 INIT( 384 );
1149
1150 ADD( 12 ); ADD( 21 ); ADD( 20 );
1151 SUB( 23 ); NEXT; // A0
1152
1153 ADD( 13 ); ADD( 22 ); ADD( 23 );
1154 SUB( 12 ); SUB( 20 ); NEXT; // A2
1155
1156 ADD( 14 ); ADD( 23 );
1157 SUB( 13 ); SUB( 21 ); NEXT; // A2
1158
1159 ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
1160 SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3
1161
1162 ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
1163 SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4
1164
1165 ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
1166 SUB( 16 ); NEXT; // A5
1167
1168 ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
1169 SUB( 17 ); NEXT; // A6
1170
1171 ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
1172 SUB( 18 ); NEXT; // A7
1173
1174 ADD( 20 ); ADD( 17 ); ADD( 16 );
1175 SUB( 19 ); NEXT; // A8
1176
1177 ADD( 21 ); ADD( 18 ); ADD( 17 );
1178 SUB( 20 ); NEXT; // A9
1179
1180 ADD( 22 ); ADD( 19 ); ADD( 18 );
1181 SUB( 21 ); NEXT; // A10
1182
1183 ADD( 23 ); ADD( 20 ); ADD( 19 );
1184 SUB( 22 ); LAST; // A11
1185
1186cleanup:
1187 return( ret );
1188}
1189#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
1190
1191#undef A
1192#undef LOAD32
1193#undef STORE32
1194#undef MAX32
1195#undef INIT
1196#undef NEXT
1197#undef LAST
1198
1199#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
1200 MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
1201 MBEDTLS_ECP_DP_SECP384R1_ENABLED */
1202
1203#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
1204/*
1205 * Here we have an actual Mersenne prime, so things are more straightforward.
1206 * However, chunks are aligned on a 'weird' boundary (521 bits).
1207 */
1208
1209/* Size of p521 in terms of mbedtls_mpi_uint */
1210#define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
1211
1212/* Bits to keep in the most significant mbedtls_mpi_uint */
1213#define P521_MASK 0x01FF
1214
1215/*
1216 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
1217 * Write N as A1 + 2^521 A0, return A0 + A1
1218 */
1219static int ecp_mod_p521( mbedtls_mpi *N )
1220{
1221 int ret;
1222 size_t i;
1223 mbedtls_mpi M;
1224 mbedtls_mpi_uint Mp[P521_WIDTH + 1];
1225 /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
1226 * we need to hold bits 513 to 1056, which is 34 limbs, that is
1227 * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
1228
1229 if( N->n < P521_WIDTH )
1230 return( 0 );
1231
1232 /* M = A1 */
1233 M.s = 1;
1234 M.n = N->n - ( P521_WIDTH - 1 );
1235 if( M.n > P521_WIDTH + 1 )
1236 M.n = P521_WIDTH + 1;
1237 M.p = Mp;
1238 memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
1239 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
1240
1241 /* N = A0 */
1242 N->p[P521_WIDTH - 1] &= P521_MASK;
1243 for( i = P521_WIDTH; i < N->n; i++ )
1244 N->p[i] = 0;
1245
1246 /* N = A0 + A1 */
1247 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1248
1249cleanup:
1250 return( ret );
1251}
1252
1253#undef P521_WIDTH
1254#undef P521_MASK
1255#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
1256
1257#endif /* MBEDTLS_ECP_NIST_OPTIM */
1258
1259#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
1260
1261/* Size of p255 in terms of mbedtls_mpi_uint */
1262#define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
1263
1264/*
1265 * Fast quasi-reduction modulo p255 = 2^255 - 19
1266 * Write N as A0 + 2^255 A1, return A0 + 19 * A1
1267 */
1268static int ecp_mod_p255( mbedtls_mpi *N )
1269{
1270 int ret;
1271 size_t i;
1272 mbedtls_mpi M;
1273 mbedtls_mpi_uint Mp[P255_WIDTH + 2];
1274
1275 if( N->n < P255_WIDTH )
1276 return( 0 );
1277
1278 /* M = A1 */
1279 M.s = 1;
1280 M.n = N->n - ( P255_WIDTH - 1 );
1281 if( M.n > P255_WIDTH + 1 )
1282 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1283 M.p = Mp;
1284 memset( Mp, 0, sizeof Mp );
1285 memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
1286 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
1287 M.n++; /* Make room for multiplication by 19 */
1288
1289 /* N = A0 */
1290 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) );
1291 for( i = P255_WIDTH; i < N->n; i++ )
1292 N->p[i] = 0;
1293
1294 /* N = A0 + 19 * A1 */
1295 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) );
1296 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1297
1298cleanup:
1299 return( ret );
1300}
1301#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
1302
1303#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
1304
1305/* Size of p448 in terms of mbedtls_mpi_uint */
1306#define P448_WIDTH ( 448 / 8 / sizeof( mbedtls_mpi_uint ) )
1307
1308/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
1309#define DIV_ROUND_UP( X, Y ) ( ( ( X ) + ( Y ) - 1 ) / ( Y ) )
1310#define P224_WIDTH_MIN ( 28 / sizeof( mbedtls_mpi_uint ) )
1311#define P224_WIDTH_MAX DIV_ROUND_UP( 28, sizeof( mbedtls_mpi_uint ) )
1312#define P224_UNUSED_BITS ( ( P224_WIDTH_MAX * sizeof( mbedtls_mpi_uint ) * 8 ) - 224 )
1313
1314/*
1315 * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
1316 * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
1317 * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
1318 * implementation of Curve448, which uses its own special 56-bit limbs rather
1319 * than a generic bignum library. We could squeeze some extra speed out on
1320 * 32-bit machines by splitting N up into 32-bit limbs and doing the
1321 * arithmetic using the limbs directly as we do for the NIST primes above,
1322 * but for 64-bit targets it should use half the number of operations if we do
1323 * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
1324 */
1325static int ecp_mod_p448( mbedtls_mpi *N )
1326{
1327 int ret;
1328 size_t i;
1329 mbedtls_mpi M, Q;
1330 mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
1331
1332 if( N->n <= P448_WIDTH )
1333 return( 0 );
1334
1335 /* M = A1 */
1336 M.s = 1;
1337 M.n = N->n - ( P448_WIDTH );
1338 if( M.n > P448_WIDTH )
1339 /* Shouldn't be called with N larger than 2^896! */
1340 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1341 M.p = Mp;
1342 memset( Mp, 0, sizeof( Mp ) );
1343 memcpy( Mp, N->p + P448_WIDTH, M.n * sizeof( mbedtls_mpi_uint ) );
1344
1345 /* N = A0 */
1346 for( i = P448_WIDTH; i < N->n; i++ )
1347 N->p[i] = 0;
1348
1349 /* N += A1 */
1350 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
1351
1352 /* Q = B1, N += B1 */
1353 Q = M;
1354 Q.p = Qp;
1355 memcpy( Qp, Mp, sizeof( Qp ) );
1356 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Q, 224 ) );
1357 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &Q ) );
1358
1359 /* M = (B0 + B1) * 2^224, N += M */
1360 if( sizeof( mbedtls_mpi_uint ) > 4 )
1361 Mp[P224_WIDTH_MIN] &= ( (mbedtls_mpi_uint)-1 ) >> ( P224_UNUSED_BITS );
1362 for( i = P224_WIDTH_MAX; i < M.n; ++i )
1363 Mp[i] = 0;
1364 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M, &M, &Q ) );
1365 M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
1366 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &M, 224 ) );
1367 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
1368
1369cleanup:
1370 return( ret );
1371}
1372#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
1373
1374#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
1375 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
1376 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
1377/*
1378 * Fast quasi-reduction modulo P = 2^s - R,
1379 * with R about 33 bits, used by the Koblitz curves.
1380 *
1381 * Write N as A0 + 2^224 A1, return A0 + R * A1.
1382 * Actually do two passes, since R is big.
1383 */
1384#define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P
1385#define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R
1386static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
1387 size_t adjust, size_t shift, mbedtls_mpi_uint mask )
1388{
1389 int ret;
1390 size_t i;
1391 mbedtls_mpi M, R;
1392 mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
1393
1394 if( N->n < p_limbs )
1395 return( 0 );
1396
1397 /* Init R */
1398 R.s = 1;
1399 R.p = Rp;
1400 R.n = P_KOBLITZ_R;
1401
1402 /* Common setup for M */
1403 M.s = 1;
1404 M.p = Mp;
1405
1406 /* M = A1 */
1407 M.n = N->n - ( p_limbs - adjust );
1408 if( M.n > p_limbs + adjust )
1409 M.n = p_limbs + adjust;
1410 memset( Mp, 0, sizeof Mp );
1411 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
1412 if( shift != 0 )
1413 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
1414 M.n += R.n; /* Make room for multiplication by R */
1415
1416 /* N = A0 */
1417 if( mask != 0 )
1418 N->p[p_limbs - 1] &= mask;
1419 for( i = p_limbs; i < N->n; i++ )
1420 N->p[i] = 0;
1421
1422 /* N = A0 + R * A1 */
1423 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
1424 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1425
1426 /* Second pass */
1427
1428 /* M = A1 */
1429 M.n = N->n - ( p_limbs - adjust );
1430 if( M.n > p_limbs + adjust )
1431 M.n = p_limbs + adjust;
1432 memset( Mp, 0, sizeof Mp );
1433 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
1434 if( shift != 0 )
1435 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
1436 M.n += R.n; /* Make room for multiplication by R */
1437
1438 /* N = A0 */
1439 if( mask != 0 )
1440 N->p[p_limbs - 1] &= mask;
1441 for( i = p_limbs; i < N->n; i++ )
1442 N->p[i] = 0;
1443
1444 /* N = A0 + R * A1 */
1445 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
1446 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1447
1448cleanup:
1449 return( ret );
1450}
1451#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
1452 MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
1453 MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
1454
1455#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
1456/*
1457 * Fast quasi-reduction modulo p192k1 = 2^192 - R,
1458 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
1459 */
1460static int ecp_mod_p192k1( mbedtls_mpi *N )
1461{
1462 static mbedtls_mpi_uint Rp[] = {
1463 BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1464
1465 return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
1466}
1467#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
1468
1469#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
1470/*
1471 * Fast quasi-reduction modulo p224k1 = 2^224 - R,
1472 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
1473 */
1474static int ecp_mod_p224k1( mbedtls_mpi *N )
1475{
1476 static mbedtls_mpi_uint Rp[] = {
1477 BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1478
1479#if defined(MBEDTLS_HAVE_INT64)
1480 return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
1481#else
1482 return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
1483#endif
1484}
1485
1486#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
1487
1488#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
1489/*
1490 * Fast quasi-reduction modulo p256k1 = 2^256 - R,
1491 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
1492 */
1493static int ecp_mod_p256k1( mbedtls_mpi *N )
1494{
1495 static mbedtls_mpi_uint Rp[] = {
1496 BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1497 return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
1498}
1499#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
1500
1501#endif /* !MBEDTLS_ECP_ALT */
1502
1503#endif /* MBEDTLS_ECP_C */
Proxmark3 GIT tracking
Impressum, Datenschutz