1 | /* | |
2 | * Elliptic curves over GF(p): curve-specific data and functions | |
3 | * | |
4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved | |
5 | * SPDX-License-Identifier: GPL-2.0 | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License as published by | |
9 | * the Free Software Foundation; either version 2 of the License, or | |
10 | * (at your option) any later version. | |
11 | * | |
12 | * This program is distributed in the hope that it will be useful, | |
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
15 | * GNU General Public License for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU General Public License along | |
18 | * with this program; if not, write to the Free Software Foundation, Inc., | |
19 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
20 | * | |
21 | * This file is part of mbed TLS (https://tls.mbed.org) | |
22 | */ | |
23 | ||
24 | #if !defined(MBEDTLS_CONFIG_FILE) | |
25 | #include "mbedtls/config.h" | |
26 | #else | |
27 | #include MBEDTLS_CONFIG_FILE | |
28 | #endif | |
29 | ||
30 | #if defined(MBEDTLS_ECP_C) | |
31 | ||
32 | #include "mbedtls/ecp.h" | |
33 | ||
34 | #include <string.h> | |
35 | ||
36 | #if !defined(MBEDTLS_ECP_ALT) | |
37 | ||
/* Presumably for toolchains that lack the C99 `inline` keyword (ARM Compiler,
 * MSVC): spell it as the vendor `__inline` there. Skipped under C++ and when
 * something earlier already defined `inline`. */
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
    !defined(inline) && !defined(__cplusplus)
#define inline __inline
#endif
42 | ||
43 | /* | |
44 | * Conversion macros for embedded constants: | |
45 | * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2 | |
46 | */ | |
#if defined(MBEDTLS_HAVE_INT32)

/* 32-bit limbs: four bytes, least significant first (a is shifted by 0),
 * make one limb. */
#define BYTES_TO_T_UINT_4( a, b, c, d ) \
    ( (mbedtls_mpi_uint) a << 0 ) | \
    ( (mbedtls_mpi_uint) b << 8 ) | \
    ( (mbedtls_mpi_uint) c << 16 ) | \
    ( (mbedtls_mpi_uint) d << 24 )

/* Two bytes: the upper half of the limb is zero. */
#define BYTES_TO_T_UINT_2( a, b ) \
    BYTES_TO_T_UINT_4( a, b, 0, 0 )

/* Eight bytes become TWO limbs separated by an unparenthesised comma, so
 * this form is only meaningful inside an array initializer list (as used by
 * the curve tables below), where it contributes two consecutive elements. */
#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
    BYTES_TO_T_UINT_4( a, b, c, d ), \
    BYTES_TO_T_UINT_4( e, f, g, h )

#else /* 64-bits */

/* 64-bit limbs: eight bytes, least significant first, make one limb. */
#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
    ( (mbedtls_mpi_uint) a << 0 ) | \
    ( (mbedtls_mpi_uint) b << 8 ) | \
    ( (mbedtls_mpi_uint) c << 16 ) | \
    ( (mbedtls_mpi_uint) d << 24 ) | \
    ( (mbedtls_mpi_uint) e << 32 ) | \
    ( (mbedtls_mpi_uint) f << 40 ) | \
    ( (mbedtls_mpi_uint) g << 48 ) | \
    ( (mbedtls_mpi_uint) h << 56 )

/* Four or two bytes: still a single limb, upper bytes zero-filled. Note the
 * limb count of a table therefore differs between 32- and 64-bit builds,
 * while the numeric value does not. */
#define BYTES_TO_T_UINT_4( a, b, c, d ) \
    BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )

#define BYTES_TO_T_UINT_2( a, b ) \
    BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )

#endif /* bits in mbedtls_mpi_uint */
81 | ||
82 | /* | |
83 | * Note: the constants are in little-endian order | |
84 | * to be directly usable in MPIs | |
85 | */ | |
86 | ||
87 | /* | |
88 | * Domain parameters for secp192r1 | |
89 | */ | |
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
/* Limbs least significant first: three 64-bit limbs (six 32-bit ones).
 * p = 2^192 - 2^64 - 1 (only the low byte of the second limb is 0xFE). */
static const mbedtls_mpi_uint secp192r1_p[] = {
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
/* No _a table for this curve; ecp_group_load() accepts a NULL a. */
static const mbedtls_mpi_uint secp192r1_b[] = {
    BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
    BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
    BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
};
static const mbedtls_mpi_uint secp192r1_gx[] = {
    BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
    BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
    BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
};
static const mbedtls_mpi_uint secp192r1_gy[] = {
    BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
    BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
    BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
};
static const mbedtls_mpi_uint secp192r1_n[] = {
    BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
    BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
117 | ||
118 | /* | |
119 | * Domain parameters for secp224r1 | |
120 | */ | |
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
/* p is padded to a full fourth 8-byte group (upper four bytes zero), whereas
 * b, gx, gy and n end with a 4-byte group. On 32-bit limbs that gives P one
 * (zero) limb more than the other parameters; the bit length is unaffected. */
static const mbedtls_mpi_uint secp224r1_p[] = {
    BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
};
/* No _a table for this curve; ecp_group_load() accepts a NULL a. */
static const mbedtls_mpi_uint secp224r1_b[] = {
    BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
    BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
    BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
    BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
};
static const mbedtls_mpi_uint secp224r1_gx[] = {
    BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
    BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
    BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
    BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
};
static const mbedtls_mpi_uint secp224r1_gy[] = {
    BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
    BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
    BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
    BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
};
static const mbedtls_mpi_uint secp224r1_n[] = {
    BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
    BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
153 | ||
154 | /* | |
155 | * Domain parameters for secp256r1 | |
156 | */ | |
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
/* Four 64-bit limbs, least significant first. No _a table for this curve;
 * ecp_group_load() accepts a NULL a. */
static const mbedtls_mpi_uint secp256r1_p[] = {
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
    BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint secp256r1_b[] = {
    BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
    BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
    BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
    BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
};
static const mbedtls_mpi_uint secp256r1_gx[] = {
    BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
    BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
    BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
    BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
};
static const mbedtls_mpi_uint secp256r1_gy[] = {
    BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
    BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
    BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
    BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
};
static const mbedtls_mpi_uint secp256r1_n[] = {
    BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
    BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
189 | ||
190 | /* | |
191 | * Domain parameters for secp384r1 | |
192 | */ | |
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
/* Six 64-bit limbs, least significant first. No _a table for this curve;
 * ecp_group_load() accepts a NULL a. */
static const mbedtls_mpi_uint secp384r1_p[] = {
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint secp384r1_b[] = {
    BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
    BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
    BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
    BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
    BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
    BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
};
static const mbedtls_mpi_uint secp384r1_gx[] = {
    BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
    BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
    BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
    BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
    BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
    BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
};
static const mbedtls_mpi_uint secp384r1_gy[] = {
    BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
    BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
    BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
    BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
    BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
    BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
};
static const mbedtls_mpi_uint secp384r1_n[] = {
    BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
    BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
    BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
235 | ||
236 | /* | |
237 | * Domain parameters for secp521r1 | |
238 | */ | |
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
/* Eight full 8-byte groups plus a final 2-byte group. For p and n that top
 * group is 0x01FF, i.e. 9 significant bits: 8 * 64 + 9 = 521. The same
 * 2-byte tail is used for b, gx and gy so that all tables have the same
 * limb count. No _a table for this curve; ecp_group_load() accepts a NULL a. */
static const mbedtls_mpi_uint secp521r1_p[] = {
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
};
static const mbedtls_mpi_uint secp521r1_b[] = {
    BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
    BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
    BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
    BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
    BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
    BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
    BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
    BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
    BYTES_TO_T_UINT_2( 0x51, 0x00 ),
};
static const mbedtls_mpi_uint secp521r1_gx[] = {
    BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
    BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
    BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
    BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
    BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
    BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
    BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
    BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
    BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
};
static const mbedtls_mpi_uint secp521r1_gy[] = {
    BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
    BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
    BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
    BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
    BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
    BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
    BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
    BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
    BYTES_TO_T_UINT_2( 0x18, 0x01 ),
};
static const mbedtls_mpi_uint secp521r1_n[] = {
    BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
    BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
    BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
    BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
    BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
};
#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
296 | ||
/*
 * Domain parameters for secp192k1
 */
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
static const mbedtls_mpi_uint secp192k1_p[] = {
    BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
/* Unlike the r1 curves above, a is given explicitly (a = 0, b = 3), each as a
 * single limb. */
static const mbedtls_mpi_uint secp192k1_a[] = {
    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
};
static const mbedtls_mpi_uint secp192k1_b[] = {
    BYTES_TO_T_UINT_2( 0x03, 0x00 ),
};
static const mbedtls_mpi_uint secp192k1_gx[] = {
    BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
    BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
    BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
};
static const mbedtls_mpi_uint secp192k1_gy[] = {
    BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
    BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
    BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
};
static const mbedtls_mpi_uint secp192k1_n[] = {
    BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
    BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
325 | ||
/*
 * Domain parameters for secp224k1
 */
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
static const mbedtls_mpi_uint secp224k1_p[] = {
    BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
};
/* a = 0, b = 5, each as a single limb. */
static const mbedtls_mpi_uint secp224k1_a[] = {
    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
};
static const mbedtls_mpi_uint secp224k1_b[] = {
    BYTES_TO_T_UINT_2( 0x05, 0x00 ),
};
static const mbedtls_mpi_uint secp224k1_gx[] = {
    BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
    BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
    BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
    BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
};
static const mbedtls_mpi_uint secp224k1_gy[] = {
    BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
    BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
    BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
    BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
};
/* Deliberately one byte group longer than p: the 0x01 in the last group sits
 * at bit 224, so n is 225 bits wide while p is 224. Do not "trim" it. */
static const mbedtls_mpi_uint secp224k1_n[] = {
    BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
    BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
};
#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
358 | ||
/*
 * Domain parameters for secp256k1
 */
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
static const mbedtls_mpi_uint secp256k1_p[] = {
    BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
/* a = 0, b = 7, each as a single limb. */
static const mbedtls_mpi_uint secp256k1_a[] = {
    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
};
static const mbedtls_mpi_uint secp256k1_b[] = {
    BYTES_TO_T_UINT_2( 0x07, 0x00 ),
};
static const mbedtls_mpi_uint secp256k1_gx[] = {
    BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
    BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
    BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
    BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
};
static const mbedtls_mpi_uint secp256k1_gy[] = {
    BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
    BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
    BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
    BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
};
static const mbedtls_mpi_uint secp256k1_n[] = {
    BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
    BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
391 | ||
392 | /* | |
393 | * Domain parameters for brainpoolP256r1 (RFC 5639 3.4) | |
394 | */ | |
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
/* Brainpool curves carry a full-width a (neither 0 nor a small constant), so
 * unlike the NIST r1 tables an _a array is always present here. */
static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
    BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
    BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
    BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
    BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
};
static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
    BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
    BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
    BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
    BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
};
static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
    BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
    BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
    BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
    BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
};
static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
    BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
    BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
    BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
    BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
};
static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
    BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
    BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
    BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
    BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
};
static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
    BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
    BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
    BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
    BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
};
#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
433 | ||
434 | /* | |
435 | * Domain parameters for brainpoolP384r1 (RFC 5639 3.6) | |
436 | */ | |
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
/* Six 64-bit limbs each; a is full-width, so an _a table is present. */
static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
    BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
    BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
    BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
    BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
    BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
    BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
};
static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
    BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
    BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
    BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
    BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
    BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
    BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
};
static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
    BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
    BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
    BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
    BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
    BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
    BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
};
static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
    BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
    BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
    BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
    BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
    BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
    BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
};
static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
    BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
    BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
    BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
    BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
    BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
    BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
};
static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
    BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
    BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
    BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
    BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
    BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
    BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
};
#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
487 | ||
488 | /* | |
489 | * Domain parameters for brainpoolP512r1 (RFC 5639 3.7) | |
490 | */ | |
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
/* Eight 64-bit limbs each; a is full-width, so an _a table is present. */
static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
    BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
    BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
    BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
    BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
    BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
    BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
    BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
    BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
};
static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
    BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
    BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
    BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
    BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
    BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
    BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
    BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
    BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
};
static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
    BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
    BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
    BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
    BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
    BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
    BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
    BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
    BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
};
static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
    BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
    BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
    BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
    BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
    BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
    BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
    BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
    BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
};
static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
    BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
    BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
    BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
    BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
    BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
    BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
    BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
    BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
};
static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
    BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
    BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
    BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
    BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
    BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
    BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
    BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
    BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
};
#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
553 | ||
/*
 * Point an MPI at a table of embedded constants (no copy, no allocation).
 *
 * X->p ends up aliasing the caller's table. The cast discards the const
 * qualifier, so nothing in the type system stops a later write; the MPI is
 * read-only by contract and must never be resized, modified or freed through
 * X->p (the storage is static, not heap).
 *
 * len is the table size in bytes and is assumed to be an exact multiple of
 * sizeof(mbedtls_mpi_uint); the integer division silently drops any remainder.
 */
static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len )
{
    const size_t limbs = len / sizeof( mbedtls_mpi_uint );

    X->p = (mbedtls_mpi_uint *) p;
    X->n = limbs;
    X->s = 1;
}
564 | ||
/*
 * Make X a read-only view of the constant 1.
 *
 * All callers share one function-local static limb, so, as with
 * ecp_mpi_load(), the resulting MPI must never be modified.
 */
static inline void ecp_mpi_set1( mbedtls_mpi *X )
{
    static mbedtls_mpi_uint one[] = { 1 };

    X->p = one;
    X->n = sizeof( one ) / sizeof( one[0] );
    X->s = 1;
}
575 | ||
/*
 * Populate grp from embedded constant tables (no copies are made).
 *
 * All lengths are in bytes. a may be NULL, in which case grp->A is left
 * untouched (LOAD_GROUP passes NULL for the NIST curves; presumably the rest
 * of the ECP code treats an unset A specially -- confirm). G.Z is set to the
 * shared constant 1, pbits/nbits are derived from P and N, and the cofactor
 * h is fixed to 1.
 *
 * Always returns 0.
 */
static int ecp_group_load( mbedtls_ecp_group *grp,
                           const mbedtls_mpi_uint *p, size_t plen,
                           const mbedtls_mpi_uint *a, size_t alen,
                           const mbedtls_mpi_uint *b, size_t blen,
                           const mbedtls_mpi_uint *gx, size_t gxlen,
                           const mbedtls_mpi_uint *gy, size_t gylen,
                           const mbedtls_mpi_uint *n, size_t nlen)
{
    /* Field prime, curve coefficients and group order */
    ecp_mpi_load( &grp->P, p, plen );
    ecp_mpi_load( &grp->B, b, blen );
    ecp_mpi_load( &grp->N, n, nlen );
    if( a != NULL )
    {
        ecp_mpi_load( &grp->A, a, alen );
    }

    /* Base point, with Z fixed to 1 */
    ecp_mpi_load( &grp->G.X, gx, gxlen );
    ecp_mpi_load( &grp->G.Y, gy, gylen );
    ecp_mpi_set1( &grp->G.Z );

    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
    grp->nbits = mbedtls_mpi_bitlen( &grp->N );
    grp->h = 1;

    return( 0 );
}
604 | ||
#if defined(MBEDTLS_ECP_NIST_OPTIM)
/* Forward declarations */
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
static int ecp_mod_p192( mbedtls_mpi * );
#endif
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
static int ecp_mod_p224( mbedtls_mpi * );
#endif
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
static int ecp_mod_p256( mbedtls_mpi * );
#endif
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
static int ecp_mod_p384( mbedtls_mpi * );
#endif
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
static int ecp_mod_p521( mbedtls_mpi * );
#endif

/* Install the fast reduction ecp_mod_<P> in grp->modp; needs a 'grp' in scope
 * at the use site. The expansion already ends in ';', so the ';' written after
 * NIST_MODP( ... ) in mbedtls_ecp_group_load() is an empty statement. */
#define NIST_MODP( P ) grp->modp = ecp_mod_ ## P;
#else
/* Fast NIST reduction disabled: grp->modp is not assigned here */
#define NIST_MODP( P )
#endif /* MBEDTLS_ECP_NIST_OPTIM */
627 | ||
628 | /* Additional forward declarations */ | |
629 | #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) | |
630 | static int ecp_mod_p255( mbedtls_mpi * ); | |
631 | #endif | |
632 | #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) | |
633 | static int ecp_mod_p448( mbedtls_mpi * ); | |
634 | #endif | |
635 | #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) | |
636 | static int ecp_mod_p192k1( mbedtls_mpi * ); | |
637 | #endif | |
638 | #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) | |
639 | static int ecp_mod_p224k1( mbedtls_mpi * ); | |
640 | #endif | |
641 | #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) | |
642 | static int ecp_mod_p256k1( mbedtls_mpi * ); | |
643 | #endif | |
644 | ||
/* Hand curve G's embedded tables (G_p, G_a, G_b, G_gx, G_gy, G_n) to
 * ecp_group_load() for the 'grp' in scope; sizes are in bytes and come from
 * the array definitions above. */
#define LOAD_GROUP_A( G ) ecp_group_load( grp, \
                                          G ## _p, sizeof( G ## _p ), \
                                          G ## _a, sizeof( G ## _a ), \
                                          G ## _b, sizeof( G ## _b ), \
                                          G ## _gx, sizeof( G ## _gx ), \
                                          G ## _gy, sizeof( G ## _gy ), \
                                          G ## _n, sizeof( G ## _n ) )

/* Same as LOAD_GROUP_A, but with no A table: ecp_group_load() then leaves
 * grp->A untouched. */
#define LOAD_GROUP( G ) ecp_group_load( grp, \
                                        G ## _p, sizeof( G ## _p ), \
                                        NULL, 0, \
                                        G ## _b, sizeof( G ## _b ), \
                                        G ## _gx, sizeof( G ## _gx ), \
                                        G ## _gy, sizeof( G ## _gy ), \
                                        G ## _n, sizeof( G ## _n ) )
660 | ||
661 | #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) | |
/*
 * Specialized function for creating the Curve25519 group
 *
 * Unlike the Weierstrass curves, the parameters are computed with MPI
 * operations rather than pointed at embedded tables. G.Y is deliberately
 * freed so that it stays unset; the rest of the module uses that as the
 * marker for a Montgomery curve. On any failure the partially built group
 * is freed before the error is returned.
 *
 * Returns 0 or an MPI error code.
 */
static int ecp_use_curve25519( mbedtls_ecp_group *grp )
{
    int ret;

    /* Actually ( A + 2 ) / 4 */
    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "01DB42" ) );

    /* P = 2^255 - 19 */
    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 255 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) );
    grp->pbits = mbedtls_mpi_bitlen( &grp->P );

    /* N = 2^252 + 27742317777372353535851937790883648493
     * (the hex string is the additive constant; bit 252 is then set on top) */
    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->N, 16,
                                              "14DEF9DEA2F79CD65812631A5CF5D3ED" ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) );

    /* Y intentionally not set, since we use x/z coordinates.
     * This is used as a marker to identify Montgomery curves! */
    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
    mbedtls_mpi_free( &grp->G.Y );

    /* Actually, the required msb for private keys */
    grp->nbits = 254;

cleanup:
    /* MBEDTLS_MPI_CHK jumps here with ret != 0 on the first failing step */
    if( ret != 0 )
        mbedtls_ecp_group_free( grp );

    return( ret );
}
698 | #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ | |
699 | ||
700 | #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) | |
/*
 * Specialized function for creating the Curve448 group
 *
 * Same approach as ecp_use_curve25519(): parameters are computed with MPI
 * operations instead of pointing at embedded tables, G.Y is left unset as
 * the Montgomery-curve marker, and the partially built group is freed if any
 * step fails. N is built by setting bit 446 and then subtracting Ns, so it
 * relies on grp->N being 0 on entry (mbedtls_ecp_group_load() frees grp
 * before dispatching here).
 *
 * Returns 0 or an MPI error code.
 */
static int ecp_use_curve448( mbedtls_ecp_group *grp )
{
    mbedtls_mpi Ns;
    int ret;

    mbedtls_mpi_init( &Ns );

    /* Actually ( A + 2 ) / 4 */
    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "98AA" ) );

    /* P = 2^448 - 2^224 - 1, computed as ( 2^224 - 1 ) * 2^224 - 1 */
    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
    grp->pbits = mbedtls_mpi_bitlen( &grp->P );

    /* Y intentionally not set, since we use x/z coordinates.
     * This is used as a marker to identify Montgomery curves! */
    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 5 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
    mbedtls_mpi_free( &grp->G.Y );

    /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &Ns, 16,
                                              "8335DC163BB124B65129C96FDE933D8D723A70AADC873D6D54A7BB0D" ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) );

    /* Actually, the required msb for private keys */
    grp->nbits = 447;

cleanup:
    /* Ns is a local temporary and is released on every path */
    mbedtls_mpi_free( &Ns );
    if( ret != 0 )
        mbedtls_ecp_group_free( grp );

    return( ret );
}
744 | #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */ | |
745 | ||
/*
 * Set a group using well-known domain parameters
 *
 * Any previous contents of grp are released first, then grp->id is set and
 * the curve-specific loader runs. Weierstrass curves point grp at the
 * embedded tables above (LOAD_GROUP / LOAD_GROUP_A) and, where one exists,
 * install the fast reduction in grp->modp; the Montgomery curves are built
 * by ecp_use_curve25519() / ecp_use_curve448().
 *
 * Returns 0 on success, MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for an id that
 * is not compiled in, or an MPI error from the Montgomery loaders.
 */
int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
{
    mbedtls_ecp_group_free( grp );

    grp->id = id;

    switch( id )
    {
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
        case MBEDTLS_ECP_DP_SECP192R1:
            NIST_MODP( p192 );
            return( LOAD_GROUP( secp192r1 ) );
#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */

#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
        case MBEDTLS_ECP_DP_SECP224R1:
            NIST_MODP( p224 );
            return( LOAD_GROUP( secp224r1 ) );
#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */

#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
        case MBEDTLS_ECP_DP_SECP256R1:
            NIST_MODP( p256 );
            return( LOAD_GROUP( secp256r1 ) );
#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */

#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
        case MBEDTLS_ECP_DP_SECP384R1:
            NIST_MODP( p384 );
            return( LOAD_GROUP( secp384r1 ) );
#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */

#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
        case MBEDTLS_ECP_DP_SECP521R1:
            NIST_MODP( p521 );
            return( LOAD_GROUP( secp521r1 ) );
#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */

        /* Koblitz curves: the reduction does not depend on MBEDTLS_ECP_NIST_OPTIM */
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
        case MBEDTLS_ECP_DP_SECP192K1:
            grp->modp = ecp_mod_p192k1;
            return( LOAD_GROUP_A( secp192k1 ) );
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */

#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
        case MBEDTLS_ECP_DP_SECP224K1:
            grp->modp = ecp_mod_p224k1;
            return( LOAD_GROUP_A( secp224k1 ) );
#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */

#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
        case MBEDTLS_ECP_DP_SECP256K1:
            grp->modp = ecp_mod_p256k1;
            return( LOAD_GROUP_A( secp256k1 ) );
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */

        /* Brainpool curves have no special-form prime: no fast reduction */
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
        case MBEDTLS_ECP_DP_BP256R1:
            return( LOAD_GROUP_A( brainpoolP256r1 ) );
#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */

#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
        case MBEDTLS_ECP_DP_BP384R1:
            return( LOAD_GROUP_A( brainpoolP384r1 ) );
#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */

#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
        case MBEDTLS_ECP_DP_BP512R1:
            return( LOAD_GROUP_A( brainpoolP512r1 ) );
#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */

#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
        case MBEDTLS_ECP_DP_CURVE25519:
            grp->modp = ecp_mod_p255;
            return( ecp_use_curve25519( grp ) );
#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */

#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
        case MBEDTLS_ECP_DP_CURVE448:
            grp->modp = ecp_mod_p448;
            return( ecp_use_curve448( grp ) );
#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */

        default:
            /* Unknown or disabled curve: free again so grp does not keep the
             * id it could not load (assuming mbedtls_ecp_group_free() resets
             * grp->id -- confirm) */
            mbedtls_ecp_group_free( grp );
            return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
    }
}
837 | ||
838 | #if defined(MBEDTLS_ECP_NIST_OPTIM) | |
839 | /* | |
840 | * Fast reduction modulo the primes used by the NIST curves. | |
841 | * | |
842 | * These functions are critical for speed, but not needed for correct | |
843 | * operations. So, we make the choice to heavily rely on the internals of our | |
844 | * bignum library, which creates a tight coupling between these functions and | |
845 | * our MPI implementation. However, the coupling between the ECP module and | |
846 | * MPI remains loose, since these functions can be deactivated at will. | |
847 | */ | |
848 | ||
849 | #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) | |
850 | /* | |
851 | * Compared to the way things are presented in FIPS 186-3 D.2, | |
852 | * we proceed in columns, from right (least significant chunk) to left, | |
853 | * adding chunks to N in place, and keeping a carry for the next chunk. | |
854 | * This avoids moving things around in memory, and uselessly adding zeros, | |
855 | * compared to the more straightforward, line-oriented approach. | |
856 | * | |
857 | * For this prime we need to handle data in chunks of 64 bits. | |
858 | * Since this is always a multiple of our basic mbedtls_mpi_uint, we can | |
859 | * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it. | |
860 | */ | |
861 | ||
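/*
 * Add one 64-bit chunk to another (dst += src) and accumulate the carry.
 *
 * A chunk is 8 / sizeof( mbedtls_mpi_uint ) consecutive limbs, least
 * significant first. The carry out of the chunk is added to *carry rather
 * than stored, so several chunks can be summed into the same destination
 * before the carry is propagated with carry64(). src is only read.
 */
static inline void add64( mbedtls_mpi_uint *dst, const mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry )
{
    size_t i;
    mbedtls_mpi_uint c = 0;
    for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ )
    {
        /* Fold in the previous limb's carry, then add the limb; an unsigned
         * add wrapped iff the result is smaller than one of its addends */
        *dst += c; c = ( *dst < c );
        *dst += *src; c += ( *dst < *src );
    }
    *carry += c;
}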
874 | ||
/*
 * Propagate *carry into a 64-bit chunk (dst += *carry), limb by limb,
 * leaving the carry out of the chunk in *carry.
 */
static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry )
{
    const size_t limbs = 8 / sizeof( mbedtls_mpi_uint );
    size_t k;

    for( k = 0; k < limbs; k++ )
    {
        dst[k] += *carry;
        /* Wrapped iff the new limb is below the value just added */
        *carry = ( dst[k] < *carry );
    }
}
885 | ||
/*
 * Column helpers for ecp_mod_p192(); they expect 'N', 'p', 'end' and 'c' in
 * scope at the use site and are #undef'd right after that function.
 *
 * WIDTH expands without parentheses, so 'i * WIDTH' is 'i * 8 / sizeof(...)'.
 * That appears to equal i * (8 / sizeof(...)) only because 8 is a multiple of
 * the limb size; check before using WIDTH in any new expression.
 */
#define WIDTH 8 / sizeof( mbedtls_mpi_uint )
/* Address of 64-bit chunk i of N */
#define A( i ) N->p + i * WIDTH
/* Current chunk += chunk i, carry into c */
#define ADD( i ) add64( p, A( i ), &c )
/* Advance to the next chunk and fold c into it */
#define NEXT p += WIDTH; carry64( p, &c )
/* Advance, store the final carry in the first limb, zero the rest of N */
#define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0
891 | ||
/*
 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
 *
 * Works in place on N, 64 bits at a time, using the ADD/NEXT/LAST macros
 * above. "Quasi": the result is congruent to N but may still exceed p.
 * Returns 0 or the error from growing N.
 */
static int ecp_mod_p192( mbedtls_mpi *N )
{
    int ret;
    mbedtls_mpi_uint c = 0;
    mbedtls_mpi_uint *p, *end;

    /* Make sure we have enough blocks so that A(5) is legal */
    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) );

    p = N->p;
    end = p + N->n;

    /* One line per 64-bit column; NEXT moves p on and folds the carry in,
     * LAST writes the final carry into chunk 3 and zeroes everything above */
    ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5
    ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5
    ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5

cleanup:
    return( ret );
}
914 | ||
915 | #undef WIDTH | |
916 | #undef A | |
917 | #undef ADD | |
918 | #undef NEXT | |
919 | #undef LAST | |
920 | #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ | |
921 | ||
922 | #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ | |
923 | defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ | |
924 | defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) | |
925 | /* | |
926 | * The reader is advised to first understand ecp_mod_p192() since the same | |
927 | * general structure is used here, but with additional complications: | |
928 | * (1) chunks of 32 bits, and (2) subtractions. | |
929 | */ | |
930 | ||
931 | /* | |
932 | * For these primes, we need to handle data in chunks of 32 bits. | |
933 | * This makes it more complicated if we use 64 bits limbs in MPI, | |
934 | * which prevents us from using a uniform access method as for p192. | |
935 | * | |
936 | * So, we define a mini abstraction layer to access 32 bit chunks, | |
937 | * load them in 'cur' for work, and store them back from 'cur' when done. | |
938 | * | |
939 | * While at it, also define the size of N in terms of 32-bit chunks. | |
940 | */ | |
/* Load 32-bit chunk i of N into 'cur' */
#define LOAD32 cur = A( i );

#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */

/* One limb is one chunk: direct indexing */
#define MAX32 N->n
#define A( j ) N->p[j]
#define STORE32 N->p[i] = cur;

#else /* 64-bit */

/* Two chunks per limb: even j is the low half, odd j the high half.
 * MAX32 and A( j ) expand without outer parentheses; they are only safe as a
 * whole operand or function argument, which is how the code below uses them. */
#define MAX32 N->n * 2
#define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] )
#define STORE32 \
    if( i % 2 ) { \
        N->p[i/2] &= 0x00000000FFFFFFFF; \
        N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \
    } else { \
        N->p[i/2] &= 0xFFFFFFFF00000000; \
        N->p[i/2] |= (mbedtls_mpi_uint) cur; \
    }

#endif /* sizeof( mbedtls_mpi_uint ) */
963 | ||
964 | /* | |
965 | * Helpers for addition and subtraction of chunks, with signed carry. | |
966 | */ | |
/*
 * *dst += src for one 32-bit chunk; bump *carry by one when the add wrapped.
 * The carry is signed so additions and subtractions can share it.
 */
static inline void add32( uint32_t *dst, uint32_t src, signed char *carry )
{
    uint32_t sum = *dst + src;

    /* Unsigned wraparound happened iff the sum is below an addend */
    if( sum < src )
        *carry += 1;

    *dst = sum;
}
972 | ||
/*
 * *dst -= src for one 32-bit chunk; lower *carry by one when a borrow
 * occurred (i.e. the subtraction wrapped).
 */
static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
{
    /* Decide the borrow before the subtraction overwrites *dst */
    signed char borrow = ( *dst < src ) ? 1 : 0;

    *dst -= src;
    *carry -= borrow;
}
978 | ||
/* Add / subtract 32-bit chunk j of N into 'cur', tracking the signed carry 'c' */
#define ADD( j ) add32( &cur, A( j ), &c );
#define SUB( j ) sub32( &cur, A( j ), &c );
981 | ||
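/*
 * Helpers for the main 'loop' of ecp_mod_p224/p256/p384
 * (see fix_negative for the motivation of C)
 *
 * INIT( b ) declares the working state for a b-bit prime: the signed carry
 * 'c' and its saved copy 'cc', the current 32-bit chunk 'cur', the chunk
 * index 'i' and 'bits', plus a zeroed stack MPI C of b/8/sizeof + 1 limbs
 * that fix_negative() uses as scratch. N is grown to 2*b bits so that every
 * A( j ) read by the callers is in range, then chunk 0 is loaded.
 * INIT declares 'ret' for MBEDTLS_MPI_CHK and expects a 'cleanup:' label in
 * the enclosing function, so it must be the first thing in its body.
 */
#define INIT( b ) \
    int ret; \
    signed char c = 0, cc; \
    uint32_t cur; \
    size_t i = 0, bits = b; \
    mbedtls_mpi C; \
    mbedtls_mpi_uint Cp[ b / 8 / sizeof( mbedtls_mpi_uint) + 1 ]; \
    \
    C.s = 1; \
    C.n = b / 8 / sizeof( mbedtls_mpi_uint) + 1; \
    C.p = Cp; \
    memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) ); \
    \
    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, b * 2 / 8 / sizeof( mbedtls_mpi_uint ) ) ); \
    LOAD32;

/*
 * Store the finished chunk, move to the next one and fold the carry of the
 * previous column into it (a negative carry becomes a subtraction).
 */
#define NEXT \
    STORE32; i++; LOAD32; \
    cc = c; c = 0; \
    if( cc < 0 ) \
        sub32( &cur, -cc, &c ); \
    else \
        add32( &cur, cc, &c );

/*
 * Store the last chunk, write a positive final carry as one more chunk,
 * zero the remaining chunks of N, and repair a negative result.
 * fix_negative() returns an MPI error code, so it goes through
 * MBEDTLS_MPI_CHK instead of having its result discarded.
 */
#define LAST \
    STORE32; i++; \
    cur = c > 0 ? c : 0; STORE32; \
    cur = 0; while( ++i < MAX32 ) { STORE32; } \
    if( c < 0 ) MBEDTLS_MPI_CHK( fix_negative( N, c, &C, bits ) );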
1015 | ||
/*
 * If the result is negative, we get it in the form
 * c * 2^bits + N, with c negative and N positive shorter than 'bits'
 * (the code writes -c at bit position 'bits' of C: C has bits/8/sizeof + 1
 * limbs and only its top limb is set, shifted by 32 where 224 is not
 * limb-aligned).
 *
 * C is caller-provided scratch, already zero (see INIT).
 * Returns 0 or the error from mbedtls_mpi_sub_abs().
 */
static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits )
{
    int ret;

    /* C = - c * 2^bits */
#if !defined(MBEDTLS_HAVE_INT64)
    ((void) bits);
#else
    /* With 64-bit limbs, 224 is not limb-aligned: the top limb of C starts
     * at bit 192, so the value belongs in its upper half */
    if( bits == 224 )
        C->p[ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32;
    else
#endif
        C->p[ C->n - 1 ] = (mbedtls_mpi_uint) -c;

    /* N = - ( C - N ) */
    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) );
    N->s = -1;

cleanup:

    return( ret );
}
1042 | ||
1043 | #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) | |
/*
 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
 *
 * Seven 32-bit columns A0..A6 of the result, each built from chunks 7..13
 * of N with the INIT/ADD/SUB/NEXT/LAST helpers; a negative final carry is
 * repaired by fix_negative() inside LAST.
 * Returns 0 or an MPI error code.
 */
static int ecp_mod_p224( mbedtls_mpi *N )
{
    INIT( 224 );

    SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11
    SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12
    SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13
    SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11
    SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12
    SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13
    SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10

cleanup:
    return( ret );
}
1062 | #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ | |
1063 | ||
1064 | #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) | |
/*
 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
 *
 * Eight 32-bit columns A0..A7, each built from chunks 8..15 of N; a chunk
 * listed twice is added with coefficient 2.
 * Returns 0 or an MPI error code.
 */
static int ecp_mod_p256( mbedtls_mpi *N )
{
    INIT( 256 );

    ADD( 8 ); ADD( 9 );
    SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0

    ADD( 9 ); ADD( 10 );
    SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1

    ADD( 10 ); ADD( 11 );
    SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2

    ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
    SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3

    ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
    SUB( 9 ); SUB( 10 ); NEXT; // A4

    ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
    SUB( 10 ); SUB( 11 ); NEXT; // A5

    ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
    SUB( 8 ); SUB( 9 ); NEXT; // A6

    ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
    SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7

cleanup:
    return( ret );
}
1099 | #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ | |
1100 | ||
1101 | #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) | |
/*
 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
 *
 * Twelve 32-bit columns A0..A11, each built from chunks 12..23 of N; a chunk
 * listed twice is applied with coefficient 2.
 * Returns 0 or an MPI error code.
 */
static int ecp_mod_p384( mbedtls_mpi *N )
{
    INIT( 384 );

    ADD( 12 ); ADD( 21 ); ADD( 20 );
    SUB( 23 ); NEXT; // A0

    ADD( 13 ); ADD( 22 ); ADD( 23 );
    SUB( 12 ); SUB( 20 ); NEXT; // A1

    ADD( 14 ); ADD( 23 );
    SUB( 13 ); SUB( 21 ); NEXT; // A2

    ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
    SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3

    ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
    SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4

    ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
    SUB( 16 ); NEXT; // A5

    ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
    SUB( 17 ); NEXT; // A6

    ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
    SUB( 18 ); NEXT; // A7

    ADD( 20 ); ADD( 17 ); ADD( 16 );
    SUB( 19 ); NEXT; // A8

    ADD( 21 ); ADD( 18 ); ADD( 17 );
    SUB( 20 ); NEXT; // A9

    ADD( 22 ); ADD( 19 ); ADD( 18 );
    SUB( 21 ); NEXT; // A10

    ADD( 23 ); ADD( 20 ); ADD( 19 );
    SUB( 22 ); LAST; // A11

cleanup:
    return( ret );
}
1148 | #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ | |
1149 | ||
1150 | #undef A | |
1151 | #undef LOAD32 | |
1152 | #undef STORE32 | |
1153 | #undef MAX32 | |
1154 | #undef INIT | |
1155 | #undef NEXT | |
1156 | #undef LAST | |
1157 | ||
1158 | #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED || | |
1159 | MBEDTLS_ECP_DP_SECP256R1_ENABLED || | |
1160 | MBEDTLS_ECP_DP_SECP384R1_ENABLED */ | |
1161 | ||
1162 | #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) | |
1163 | /* | |
1164 | * Here we have an actual Mersenne prime, so things are more straightforward. | |
1165 | * However, chunks are aligned on a 'weird' boundary (521 bits). | |
1166 | */ | |
1167 | ||
/* Size of p521 in terms of mbedtls_mpi_uint (521 bits rounded up to whole limbs) */
#define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )

/* Bits to keep in the most significant mbedtls_mpi_uint:
 * 521 mod 16, 32 and 64 are all 9, so the same mask works for every limb size */
#define P521_MASK 0x01FF
1173 | ||
/*
 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
 * Write N as A0 + 2^521 A1, return A0 + A1
 * (M below holds A1, the bits of N from 521 upwards; N is cut down to A0.)
 *
 * Returns 0 when N is already at most P521_WIDTH limbs, otherwise 0 or an
 * MPI error code.
 */
static int ecp_mod_p521( mbedtls_mpi *N )
{
    int ret;
    size_t i;
    mbedtls_mpi M;
    mbedtls_mpi_uint Mp[P521_WIDTH + 1];
    /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
     * we need to hold bits 513 to 1056, which is 34 limbs, that is
     * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */

    if( N->n < P521_WIDTH )
        return( 0 );

    /* M = A1: copy the limbs from the one containing bit 521 upwards
     * (capped to what Mp holds), then drop the low bits that belong to A0 */
    M.s = 1;
    M.n = N->n - ( P521_WIDTH - 1 );
    if( M.n > P521_WIDTH + 1 )
        M.n = P521_WIDTH + 1;
    M.p = Mp;
    memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );

    /* N = A0: keep 9 bits of the top limb, zero everything above */
    N->p[P521_WIDTH - 1] &= P521_MASK;
    for( i = P521_WIDTH; i < N->n; i++ )
        N->p[i] = 0;

    /* N = A0 + A1 */
    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );

cleanup:
    return( ret );
}
1211 | ||
1212 | #undef P521_WIDTH | |
1213 | #undef P521_MASK | |
1214 | #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ | |
1215 | ||
1216 | #endif /* MBEDTLS_ECP_NIST_OPTIM */ | |
1217 | ||
1218 | #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) | |
1219 | ||
/* Size of p255 in terms of mbedtls_mpi_uint (255 bits rounded up to whole limbs) */
#define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
1222 | ||
/*
 * Fast quasi-reduction modulo p255 = 2^255 - 19
 * Write N as A0 + 2^255 A1, return A0 + 19 * A1
 *
 * Returns 0 when N is already at most P255_WIDTH limbs,
 * MBEDTLS_ERR_ECP_BAD_INPUT_DATA when A1 would not fit the stack buffer,
 * otherwise 0 or an MPI error code.
 */
static int ecp_mod_p255( mbedtls_mpi *N )
{
    int ret;
    size_t i;
    mbedtls_mpi M;
    mbedtls_mpi_uint Mp[P255_WIDTH + 2];

    if( N->n < P255_WIDTH )
        return( 0 );

    /* M = A1: limbs from the one containing bit 255 upwards, then shifted
     * right so that bit 255 of N becomes bit 0 of M */
    M.s = 1;
    M.n = N->n - ( P255_WIDTH - 1 );
    if( M.n > P255_WIDTH + 1 )
        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
    M.p = Mp;
    memset( Mp, 0, sizeof Mp );
    memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
    M.n++; /* Make room for multiplication by 19 */

    /* N = A0: clear bit 255 and every limb above P255_WIDTH */
    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) );
    for( i = P255_WIDTH; i < N->n; i++ )
        N->p[i] = 0;

    /* N = A0 + 19 * A1 */
    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );

cleanup:
    return( ret );
}
1260 | #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ | |
1261 | ||
1262 | #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) | |
1263 | ||
/* Size of p448 in terms of mbedtls_mpi_uint (448 bits is a whole number of limbs) */
#define P448_WIDTH ( 448 / 8 / sizeof( mbedtls_mpi_uint ) )

/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min).
 * MIN and MAX differ only when 224 bits end mid-limb (64-bit limbs);
 * P224_UNUSED_BITS is the part of the last such limb that lies above bit 224. */
#define DIV_ROUND_UP( X, Y ) ( ( ( X ) + ( Y ) - 1 ) / ( Y ) )
#define P224_WIDTH_MIN ( 28 / sizeof( mbedtls_mpi_uint ) )
#define P224_WIDTH_MAX DIV_ROUND_UP( 28, sizeof( mbedtls_mpi_uint ) )
#define P224_UNUSED_BITS ( ( P224_WIDTH_MAX * sizeof( mbedtls_mpi_uint ) * 8 ) - 224 )
1272 | ||
/*
 * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
 * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
 * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
 * implementation of Curve448, which uses its own special 56-bit limbs rather
 * than a generic bignum library. We could squeeze some extra speed out on
 * 32-bit machines by splitting N up into 32-bit limbs and doing the
 * arithmetic using the limbs directly as we do for the NIST primes above,
 * but for 64-bit targets it should use half the number of operations if we do
 * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
 *
 * Returns 0 when N is already at most P448_WIDTH limbs,
 * MBEDTLS_ERR_ECP_BAD_INPUT_DATA when N exceeds 2^896, otherwise 0 or an
 * MPI error code.
 */
static int ecp_mod_p448( mbedtls_mpi *N )
{
    int ret;
    size_t i;
    mbedtls_mpi M, Q;
    mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];

    if( N->n <= P448_WIDTH )
        return( 0 );

    /* M = A1: the limbs of N above 2^448 */
    M.s = 1;
    M.n = N->n - ( P448_WIDTH );
    if( M.n > P448_WIDTH )
        /* Shouldn't be called with N larger than 2^896! */
        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
    M.p = Mp;
    memset( Mp, 0, sizeof( Mp ) );
    memcpy( Mp, N->p + P448_WIDTH, M.n * sizeof( mbedtls_mpi_uint ) );

    /* N = A0 */
    for( i = P448_WIDTH; i < N->n; i++ )
        N->p[i] = 0;

    /* N += A1 */
    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );

    /* Q = B1, N += B1: Q is a copy of A1 in its own buffer, shifted right by 224 */
    Q = M;
    Q.p = Qp;
    memcpy( Qp, Mp, sizeof( Qp ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Q, 224 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &Q ) );

    /* M = (B0 + B1) * 2^224, N += M
     * First cut M down to B0: with 64-bit limbs bit 224 falls mid-limb, so the
     * limb P224_WIDTH_MIN keeps only its low 224 - 192 bits; on 32-bit limbs
     * P224_WIDTH_MIN == P224_WIDTH_MAX and that limb is simply zeroed below */
    if( sizeof( mbedtls_mpi_uint ) > 4 )
        Mp[P224_WIDTH_MIN] &= ( (mbedtls_mpi_uint)-1 ) >> ( P224_UNUSED_BITS );
    for( i = P224_WIDTH_MAX; i < M.n; ++i )
        Mp[i] = 0;
    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M, &M, &Q ) );
    M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &M, 224 ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );

cleanup:
    return( ret );
}
1331 | #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */ | |
1332 | ||
1333 | #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \ | |
1334 | defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \ | |
1335 | defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) | |
/*
 * Fast quasi-reduction modulo P = 2^s - R,
 * with R about 33 bits, used by the Koblitz curves.
 *
 * Write N as A0 + 2^s A1, return A0 + R * A1.
 * Actually do two passes, since R is big.
 */
/* Largest P handled is 256 bits; R is always given as one 8-byte BYTES_TO_T_UINT_8 group */
#define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P
#define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R
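/*
 * Quasi-reduce N modulo P = 2^s - R, where R occupies P_KOBLITZ_R limbs.
 *
 * N is split as A0 + 2^s A1 and replaced by A0 + R * A1. The pass is run
 * twice because R is about 33 bits, so one pass can leave a value that is
 * still far above P. The two passes were previously written out in full;
 * they are identical, so a loop now runs the same statements.
 *
 * Rp       the limbs of R (read only, but wrapped in a non-const mbedtls_mpi)
 * p_limbs  number of limbs spanned by P
 * adjust   1 when s is not a multiple of the limb size, so the limb holding
 *          bit s is shared between A0 and A1; 0 otherwise (see the callers)
 * shift    position of bit s inside that shared limb, 0 if aligned
 * mask     bits of the shared limb that belong to A0, 0 if aligned
 *
 * Returns 0 (also when N is already shorter than p_limbs), or an MPI error
 * code from the shift, multiplication or addition.
 */
static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
                                   size_t adjust, size_t shift, mbedtls_mpi_uint mask )
{
    int ret = 0;
    size_t i, pass;
    mbedtls_mpi M, R;
    mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];

    if( N->n < p_limbs )
        return( 0 );

    /* Init R as a view of the caller's limbs */
    R.s = 1;
    R.p = Rp;
    R.n = P_KOBLITZ_R;

    /* Common setup for M: it always lives in the stack buffer Mp */
    M.s = 1;
    M.p = Mp;

    for( pass = 0; pass < 2; pass++ )
    {
        /* M = A1: the limbs of N from the split point upwards, capped so that
         * M.n + R.n still fits in Mp (p_limbs <= P_KOBLITZ_MAX, adjust <= 1) */
        M.n = N->n - ( p_limbs - adjust );
        if( M.n > p_limbs + adjust )
            M.n = p_limbs + adjust;
        memset( Mp, 0, sizeof Mp );
        memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
        if( shift != 0 )
            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
        M.n += R.n; /* Make room for multiplication by R */

        /* N = A0 */
        if( mask != 0 )
            N->p[p_limbs - 1] &= mask;
        for( i = p_limbs; i < N->n; i++ )
            N->p[i] = 0;

        /* N = A0 + R * A1 */
        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
    }

cleanup:
    return( ret );
}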
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED ||
          MBEDTLS_ECP_DP_SECP224K1_ENABLED ||
          MBEDTLS_ECP_DP_SECP256K1_ENABLED */
1413 | ||
1414 | #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) | |
/*
 * Fast quasi-reduction modulo p192k1 = 2^192 - R,
 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
 *
 * 192 bits is a whole number of limbs, so no adjust/shift/mask is needed.
 * Returns whatever ecp_mod_koblitz() returns.
 */
static int ecp_mod_p192k1( mbedtls_mpi *N )
{
    /* Not const: ecp_mod_koblitz() wraps it in an mbedtls_mpi whose p is non-const */
    static mbedtls_mpi_uint koblitz_r[] = {
        BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
    const size_t p_limbs = 192 / 8 / sizeof( mbedtls_mpi_uint );

    return( ecp_mod_koblitz( N, koblitz_r, p_limbs, 0, 0, 0 ) );
}
1426 | #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ | |
1427 | ||
1428 | #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) | |
/*
 * Fast quasi-reduction modulo p224k1 = 2^224 - R,
 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
 *
 * With 64-bit limbs 224 bits end halfway through the fourth limb, so
 * ecp_mod_koblitz() is told to split that limb (adjust 1, shift 32, low
 * 32 bits kept for A0). Smaller limbs divide 224 exactly.
 */
static int ecp_mod_p224k1( mbedtls_mpi *N )
{
    static mbedtls_mpi_uint Rp[] = {
        BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };

#if defined(MBEDTLS_HAVE_INT64)
    return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
#else
    return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
#endif
}
1444 | ||
1445 | #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ | |
1446 | ||
1447 | #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) | |
/*
 * Fast quasi-reduction modulo p256k1 = 2^256 - R,
 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
 *
 * 256 bits is a whole number of limbs, so no adjust/shift/mask is needed.
 * Returns whatever ecp_mod_koblitz() returns.
 */
static int ecp_mod_p256k1( mbedtls_mpi *N )
{
    /* Not const: ecp_mod_koblitz() wraps it in an mbedtls_mpi whose p is non-const */
    static mbedtls_mpi_uint koblitz_r[] = {
        BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
    const size_t p_limbs = 256 / 8 / sizeof( mbedtls_mpi_uint );

    return( ecp_mod_koblitz( N, koblitz_r, p_limbs, 0, 0, 0 ) );
}
1458 | #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ | |
1459 | ||
1460 | #endif /* !MBEDTLS_ECP_ALT */ | |
1461 | ||
1462 | #endif /* MBEDTLS_ECP_C */ |