/work/mbedtls-2.28.8/library/ecp_curves.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Elliptic curves over GF(p): curve-specific data and functions |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | |
8 | | #include "common.h" |
9 | | |
10 | | #if defined(MBEDTLS_ECP_C) |
11 | | |
12 | | #include "mbedtls/ecp.h" |
13 | | #include "mbedtls/platform_util.h" |
14 | | #include "mbedtls/error.h" |
15 | | #include "mbedtls/bn_mul.h" |
16 | | |
17 | | #include "ecp_invasive.h" |
18 | | |
19 | | #include <string.h> |
20 | | |
21 | | #if !defined(MBEDTLS_ECP_ALT) |
22 | | |
23 | | /* Parameter validation macros based on platform_util.h */ |
24 | | #define ECP_VALIDATE_RET(cond) \ |
25 | 0 | MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA) |
26 | | #define ECP_VALIDATE(cond) \ |
27 | | MBEDTLS_INTERNAL_VALIDATE(cond) |
28 | | |
29 | | #define ECP_MPI_INIT(s, n, p) { s, (n), (mbedtls_mpi_uint *) (p) } |
30 | | |
31 | | #define ECP_MPI_INIT_ARRAY(x) \ |
32 | | ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x) |
33 | | |
34 | | /* |
35 | | * Note: the constants are in little-endian order |
36 | | * to be directly usable in MPIs |
37 | | */ |
38 | | |
39 | | /* |
40 | | * Domain parameters for secp192r1 |
41 | | */ |
42 | | #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) |
43 | | static const mbedtls_mpi_uint secp192r1_p[] = { |
44 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
45 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
46 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
47 | | }; |
48 | | static const mbedtls_mpi_uint secp192r1_b[] = { |
49 | | MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE), |
50 | | MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F), |
51 | | MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64), |
52 | | }; |
53 | | static const mbedtls_mpi_uint secp192r1_gx[] = { |
54 | | MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4), |
55 | | MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C), |
56 | | MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18), |
57 | | }; |
58 | | static const mbedtls_mpi_uint secp192r1_gy[] = { |
59 | | MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73), |
60 | | MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63), |
61 | | MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07), |
62 | | }; |
63 | | static const mbedtls_mpi_uint secp192r1_n[] = { |
64 | | MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14), |
65 | | MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF), |
66 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
67 | | }; |
68 | | #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ |
69 | | |
70 | | /* |
71 | | * Domain parameters for secp224r1 |
72 | | */ |
73 | | #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) |
74 | | static const mbedtls_mpi_uint secp224r1_p[] = { |
75 | | MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), |
76 | | MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF), |
77 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
78 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00), |
79 | | }; |
80 | | static const mbedtls_mpi_uint secp224r1_b[] = { |
81 | | MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27), |
82 | | MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50), |
83 | | MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C), |
84 | | MBEDTLS_BYTES_TO_T_UINT_4(0x85, 0x0A, 0x05, 0xB4), |
85 | | }; |
86 | | static const mbedtls_mpi_uint secp224r1_gx[] = { |
87 | | MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34), |
88 | | MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A), |
89 | | MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B), |
90 | | MBEDTLS_BYTES_TO_T_UINT_4(0xBD, 0x0C, 0x0E, 0xB7), |
91 | | }; |
92 | | static const mbedtls_mpi_uint secp224r1_gy[] = { |
93 | | MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44), |
94 | | MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD), |
95 | | MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5), |
96 | | MBEDTLS_BYTES_TO_T_UINT_4(0x88, 0x63, 0x37, 0xBD), |
97 | | }; |
98 | | static const mbedtls_mpi_uint secp224r1_n[] = { |
99 | | MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13), |
100 | | MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF), |
101 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
102 | | MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF), |
103 | | }; |
104 | | #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ |
105 | | |
106 | | /* |
107 | | * Domain parameters for secp256r1 |
108 | | */ |
109 | | #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) |
110 | | static const mbedtls_mpi_uint secp256r1_p[] = { |
111 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
112 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00), |
113 | | MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), |
114 | | MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF), |
115 | | }; |
116 | | static const mbedtls_mpi_uint secp256r1_b[] = { |
117 | | MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B), |
118 | | MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65), |
119 | | MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3), |
120 | | MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A), |
121 | | }; |
122 | | static const mbedtls_mpi_uint secp256r1_gx[] = { |
123 | | MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4), |
124 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77), |
125 | | MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8), |
126 | | MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B), |
127 | | }; |
128 | | static const mbedtls_mpi_uint secp256r1_gy[] = { |
129 | | MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB), |
130 | | MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B), |
131 | | MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E), |
132 | | MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F), |
133 | | }; |
134 | | static const mbedtls_mpi_uint secp256r1_n[] = { |
135 | | MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3), |
136 | | MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC), |
137 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
138 | | MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF), |
139 | | }; |
140 | | #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ |
141 | | |
142 | | /* |
143 | | * Domain parameters for secp384r1 |
144 | | */ |
145 | | #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) |
146 | | static const mbedtls_mpi_uint secp384r1_p[] = { |
147 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00), |
148 | | MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF), |
149 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
150 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
151 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
152 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
153 | | }; |
154 | | static const mbedtls_mpi_uint secp384r1_b[] = { |
155 | | MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A), |
156 | | MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6), |
157 | | MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03), |
158 | | MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18), |
159 | | MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98), |
160 | | MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3), |
161 | | }; |
162 | | static const mbedtls_mpi_uint secp384r1_gx[] = { |
163 | | MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A), |
164 | | MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55), |
165 | | MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59), |
166 | | MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E), |
167 | | MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E), |
168 | | MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA), |
169 | | }; |
170 | | static const mbedtls_mpi_uint secp384r1_gy[] = { |
171 | | MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A), |
172 | | MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A), |
173 | | MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9), |
174 | | MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8), |
175 | | MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D), |
176 | | MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36), |
177 | | }; |
178 | | static const mbedtls_mpi_uint secp384r1_n[] = { |
179 | | MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC), |
180 | | MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58), |
181 | | MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7), |
182 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
183 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
184 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
185 | | }; |
186 | | #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ |
187 | | |
188 | | /* |
189 | | * Domain parameters for secp521r1 |
190 | | */ |
191 | | #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) |
192 | | static const mbedtls_mpi_uint secp521r1_p[] = { |
193 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
194 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
195 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
196 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
197 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
198 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
199 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
200 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
201 | | MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01), |
202 | | }; |
203 | | static const mbedtls_mpi_uint secp521r1_b[] = { |
204 | | MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF), |
205 | | MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35), |
206 | | MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16), |
207 | | MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56), |
208 | | MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8), |
209 | | MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2), |
210 | | MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92), |
211 | | MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95), |
212 | | MBEDTLS_BYTES_TO_T_UINT_2(0x51, 0x00), |
213 | | }; |
214 | | static const mbedtls_mpi_uint secp521r1_gx[] = { |
215 | | MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9), |
216 | | MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33), |
217 | | MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE), |
218 | | MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1), |
219 | | MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8), |
220 | | MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C), |
221 | | MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E), |
222 | | MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85), |
223 | | MBEDTLS_BYTES_TO_T_UINT_2(0xC6, 0x00), |
224 | | }; |
225 | | static const mbedtls_mpi_uint secp521r1_gy[] = { |
226 | | MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88), |
227 | | MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35), |
228 | | MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5), |
229 | | MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97), |
230 | | MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17), |
231 | | MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98), |
232 | | MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C), |
233 | | MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39), |
234 | | MBEDTLS_BYTES_TO_T_UINT_2(0x18, 0x01), |
235 | | }; |
236 | | static const mbedtls_mpi_uint secp521r1_n[] = { |
237 | | MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB), |
238 | | MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B), |
239 | | MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F), |
240 | | MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51), |
241 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
242 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
243 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
244 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
245 | | MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01), |
246 | | }; |
247 | | #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ |
248 | | |
249 | | #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) |
250 | | static const mbedtls_mpi_uint secp192k1_p[] = { |
251 | | MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF), |
252 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
253 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
254 | | }; |
255 | | static const mbedtls_mpi_uint secp192k1_a[] = { |
256 | | MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00), |
257 | | }; |
258 | | static const mbedtls_mpi_uint secp192k1_b[] = { |
259 | | MBEDTLS_BYTES_TO_T_UINT_2(0x03, 0x00), |
260 | | }; |
261 | | static const mbedtls_mpi_uint secp192k1_gx[] = { |
262 | | MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D), |
263 | | MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26), |
264 | | MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB), |
265 | | }; |
266 | | static const mbedtls_mpi_uint secp192k1_gy[] = { |
267 | | MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40), |
268 | | MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84), |
269 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B), |
270 | | }; |
271 | | static const mbedtls_mpi_uint secp192k1_n[] = { |
272 | | MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F), |
273 | | MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF), |
274 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
275 | | }; |
276 | | #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ |
277 | | |
278 | | #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) |
279 | | static const mbedtls_mpi_uint secp224k1_p[] = { |
280 | | MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF), |
281 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
282 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
283 | | MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF), |
284 | | }; |
285 | | static const mbedtls_mpi_uint secp224k1_a[] = { |
286 | | MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00), |
287 | | }; |
288 | | static const mbedtls_mpi_uint secp224k1_b[] = { |
289 | | MBEDTLS_BYTES_TO_T_UINT_2(0x05, 0x00), |
290 | | }; |
291 | | static const mbedtls_mpi_uint secp224k1_gx[] = { |
292 | | MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F), |
293 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69), |
294 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D), |
295 | | MBEDTLS_BYTES_TO_T_UINT_4(0x33, 0x5B, 0x45, 0xA1), |
296 | | }; |
297 | | static const mbedtls_mpi_uint secp224k1_gy[] = { |
298 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2), |
299 | | MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7), |
300 | | MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F), |
301 | | MBEDTLS_BYTES_TO_T_UINT_4(0xED, 0x9F, 0x08, 0x7E), |
302 | | }; |
303 | | static const mbedtls_mpi_uint secp224k1_n[] = { |
304 | | MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA), |
305 | | MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00), |
306 | | MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), |
307 | | MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00), |
308 | | }; |
309 | | #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ |
310 | | |
311 | | #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) |
312 | | static const mbedtls_mpi_uint secp256k1_p[] = { |
313 | | MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF), |
314 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
315 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
316 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
317 | | }; |
318 | | static const mbedtls_mpi_uint secp256k1_a[] = { |
319 | | MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00), |
320 | | }; |
321 | | static const mbedtls_mpi_uint secp256k1_b[] = { |
322 | | MBEDTLS_BYTES_TO_T_UINT_2(0x07, 0x00), |
323 | | }; |
324 | | static const mbedtls_mpi_uint secp256k1_gx[] = { |
325 | | MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59), |
326 | | MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02), |
327 | | MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55), |
328 | | MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79), |
329 | | }; |
330 | | static const mbedtls_mpi_uint secp256k1_gy[] = { |
331 | | MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C), |
332 | | MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD), |
333 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D), |
334 | | MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48), |
335 | | }; |
336 | | static const mbedtls_mpi_uint secp256k1_n[] = { |
337 | | MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF), |
338 | | MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA), |
339 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
340 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF), |
341 | | }; |
342 | | #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ |
343 | | |
344 | | /* |
345 | | * Domain parameters for brainpoolP256r1 (RFC 5639 3.4) |
346 | | */ |
347 | | #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) |
348 | | static const mbedtls_mpi_uint brainpoolP256r1_p[] = { |
349 | | MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20), |
350 | | MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E), |
351 | | MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E), |
352 | | MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9), |
353 | | }; |
354 | | static const mbedtls_mpi_uint brainpoolP256r1_a[] = { |
355 | | MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9), |
356 | | MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB), |
357 | | MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE), |
358 | | MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D), |
359 | | }; |
360 | | static const mbedtls_mpi_uint brainpoolP256r1_b[] = { |
361 | | MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B), |
362 | | MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95), |
363 | | MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3), |
364 | | MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26), |
365 | | }; |
366 | | static const mbedtls_mpi_uint brainpoolP256r1_gx[] = { |
367 | | MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A), |
368 | | MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9), |
369 | | MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C), |
370 | | MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B), |
371 | | }; |
372 | | static const mbedtls_mpi_uint brainpoolP256r1_gy[] = { |
373 | | MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C), |
374 | | MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2), |
375 | | MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97), |
376 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54), |
377 | | }; |
378 | | static const mbedtls_mpi_uint brainpoolP256r1_n[] = { |
379 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90), |
380 | | MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C), |
381 | | MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E), |
382 | | MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9), |
383 | | }; |
384 | | #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ |
385 | | |
386 | | /* |
387 | | * Domain parameters for brainpoolP384r1 (RFC 5639 3.6) |
388 | | */ |
389 | | #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) |
390 | | static const mbedtls_mpi_uint brainpoolP384r1_p[] = { |
391 | | MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87), |
392 | | MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC), |
393 | | MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12), |
394 | | MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15), |
395 | | MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F), |
396 | | MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C), |
397 | | }; |
398 | | static const mbedtls_mpi_uint brainpoolP384r1_a[] = { |
399 | | MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04), |
400 | | MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A), |
401 | | MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13), |
402 | | MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2), |
403 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C), |
404 | | MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B), |
405 | | }; |
406 | | static const mbedtls_mpi_uint brainpoolP384r1_b[] = { |
407 | | MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A), |
408 | | MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C), |
409 | | MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E), |
410 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F), |
411 | | MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B), |
412 | | MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04), |
413 | | }; |
414 | | static const mbedtls_mpi_uint brainpoolP384r1_gx[] = { |
415 | | MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF), |
416 | | MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8), |
417 | | MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB), |
418 | | MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88), |
419 | | MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2), |
420 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D), |
421 | | }; |
422 | | static const mbedtls_mpi_uint brainpoolP384r1_gy[] = { |
423 | | MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42), |
424 | | MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E), |
425 | | MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1), |
426 | | MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62), |
427 | | MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C), |
428 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A), |
429 | | }; |
430 | | static const mbedtls_mpi_uint brainpoolP384r1_n[] = { |
431 | | MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B), |
432 | | MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF), |
433 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F), |
434 | | MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15), |
435 | | MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F), |
436 | | MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C), |
437 | | }; |
438 | | #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ |
439 | | |
440 | | /* |
441 | | * Domain parameters for brainpoolP512r1 (RFC 5639 3.7) |
442 | | */ |
443 | | #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) |
444 | | static const mbedtls_mpi_uint brainpoolP512r1_p[] = { |
445 | | MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28), |
446 | | MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28), |
447 | | MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE), |
448 | | MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D), |
449 | | MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6), |
450 | | MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB), |
451 | | MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F), |
452 | | MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA), |
453 | | }; |
454 | | static const mbedtls_mpi_uint brainpoolP512r1_a[] = { |
455 | | MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7), |
456 | | MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F), |
457 | | MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A), |
458 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D), |
459 | | MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8), |
460 | | MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94), |
461 | | MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2), |
462 | | MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78), |
463 | | }; |
464 | | static const mbedtls_mpi_uint brainpoolP512r1_b[] = { |
465 | | MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28), |
466 | | MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98), |
467 | | MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77), |
468 | | MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B), |
469 | | MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B), |
470 | | MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8), |
471 | | MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA), |
472 | | MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D), |
473 | | }; |
474 | | static const mbedtls_mpi_uint brainpoolP512r1_gx[] = { |
475 | | MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B), |
476 | | MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C), |
477 | | MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50), |
478 | | MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF), |
479 | | MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4), |
480 | | MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85), |
481 | | MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A), |
482 | | MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81), |
483 | | }; |
484 | | static const mbedtls_mpi_uint brainpoolP512r1_gy[] = { |
485 | | MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78), |
486 | | MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1), |
487 | | MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B), |
488 | | MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2), |
489 | | MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0), |
490 | | MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2), |
491 | | MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0), |
492 | | MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D), |
493 | | }; |
494 | | static const mbedtls_mpi_uint brainpoolP512r1_n[] = { |
495 | | MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5), |
496 | | MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D), |
497 | | MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41), |
498 | | MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55), |
499 | | MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6), |
500 | | MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB), |
501 | | MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F), |
502 | | MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA), |
503 | | }; |
504 | | #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ |
505 | | |
506 | | #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \ |
507 | | defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ |
508 | | defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ |
509 | | defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \ |
510 | | defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \ |
511 | | defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \ |
512 | | defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \ |
513 | | defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \ |
514 | | defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \ |
515 | | defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \ |
516 | | defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) |
517 | | /* For these curves, we build the group parameters dynamically. */ |
518 | | #define ECP_LOAD_GROUP |
519 | | #endif |
520 | | |
521 | | #if defined(ECP_LOAD_GROUP) |
522 | | /* |
523 | | * Create an MPI from embedded constants |
524 | | * (assumes len is an exact multiple of sizeof(mbedtls_mpi_uint)) |
525 | | */ |
526 | | static inline void ecp_mpi_load(mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len) |
527 | 0 | { |
528 | 0 | X->s = 1; |
529 | 0 | X->n = len / sizeof(mbedtls_mpi_uint); |
530 | 0 | X->p = (mbedtls_mpi_uint *) p; |
531 | 0 | } |
532 | | |
533 | | /* |
534 | | * Set an MPI to static value 1 |
535 | | */ |
536 | | static inline void ecp_mpi_set1(mbedtls_mpi *X) |
537 | 0 | { |
538 | 0 | static const mbedtls_mpi_uint one[] = { 1 }; |
539 | 0 | X->s = 1; |
540 | 0 | X->n = 1; |
541 | 0 | X->p = (mbedtls_mpi_uint *) one; /* X->p will not be modified so the cast is safe */ |
542 | 0 | } |
543 | | |
544 | | /* |
545 | | * Make group available from embedded constants |
546 | | */ |
547 | | static int ecp_group_load(mbedtls_ecp_group *grp, |
548 | | const mbedtls_mpi_uint *p, size_t plen, |
549 | | const mbedtls_mpi_uint *a, size_t alen, |
550 | | const mbedtls_mpi_uint *b, size_t blen, |
551 | | const mbedtls_mpi_uint *gx, size_t gxlen, |
552 | | const mbedtls_mpi_uint *gy, size_t gylen, |
553 | | const mbedtls_mpi_uint *n, size_t nlen) |
554 | 0 | { |
555 | 0 | ecp_mpi_load(&grp->P, p, plen); |
556 | 0 | if (a != NULL) { |
557 | 0 | ecp_mpi_load(&grp->A, a, alen); |
558 | 0 | } |
559 | 0 | ecp_mpi_load(&grp->B, b, blen); |
560 | 0 | ecp_mpi_load(&grp->N, n, nlen); |
561 | |
|
562 | 0 | ecp_mpi_load(&grp->G.X, gx, gxlen); |
563 | 0 | ecp_mpi_load(&grp->G.Y, gy, gylen); |
564 | 0 | ecp_mpi_set1(&grp->G.Z); |
565 | |
|
566 | 0 | grp->pbits = mbedtls_mpi_bitlen(&grp->P); |
567 | 0 | grp->nbits = mbedtls_mpi_bitlen(&grp->N); |
568 | |
|
569 | 0 | grp->h = 1; |
570 | |
|
571 | 0 | return 0; |
572 | 0 | } |
573 | | #endif /* ECP_LOAD_GROUP */ |
574 | | |
575 | | #if defined(MBEDTLS_ECP_NIST_OPTIM) |
576 | | /* Forward declarations */ |
577 | | #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) |
578 | | static int ecp_mod_p192(mbedtls_mpi *); |
579 | | #endif |
580 | | #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) |
581 | | static int ecp_mod_p224(mbedtls_mpi *); |
582 | | #endif |
583 | | #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) |
584 | | static int ecp_mod_p256(mbedtls_mpi *); |
585 | | #endif |
586 | | #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) |
587 | | static int ecp_mod_p384(mbedtls_mpi *); |
588 | | #endif |
589 | | #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) |
590 | | static int ecp_mod_p521(mbedtls_mpi *); |
591 | | #endif |
592 | | |
593 | 0 | #define NIST_MODP(P) grp->modp = ecp_mod_ ## P; |
594 | | #else |
595 | | #define NIST_MODP(P) |
596 | | #endif /* MBEDTLS_ECP_NIST_OPTIM */ |
597 | | |
598 | | /* Additional forward declarations */ |
599 | | #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) |
600 | | static int ecp_mod_p255(mbedtls_mpi *); |
601 | | #endif |
602 | | #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) |
603 | | static int ecp_mod_p448(mbedtls_mpi *); |
604 | | #endif |
605 | | #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) |
606 | | static int ecp_mod_p192k1(mbedtls_mpi *); |
607 | | #endif |
608 | | #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) |
609 | | static int ecp_mod_p224k1(mbedtls_mpi *); |
610 | | #endif |
611 | | #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) |
612 | | static int ecp_mod_p256k1(mbedtls_mpi *); |
613 | | #endif |
614 | | |
615 | | #if defined(ECP_LOAD_GROUP) |
616 | 0 | #define LOAD_GROUP_A(G) ecp_group_load(grp, \ |
617 | 0 | G ## _p, sizeof(G ## _p), \ |
618 | 0 | G ## _a, sizeof(G ## _a), \ |
619 | 0 | G ## _b, sizeof(G ## _b), \ |
620 | 0 | G ## _gx, sizeof(G ## _gx), \ |
621 | 0 | G ## _gy, sizeof(G ## _gy), \ |
622 | 0 | G ## _n, sizeof(G ## _n)) |
623 | | |
624 | 0 | #define LOAD_GROUP(G) ecp_group_load(grp, \ |
625 | 0 | G ## _p, sizeof(G ## _p), \ |
626 | 0 | NULL, 0, \ |
627 | 0 | G ## _b, sizeof(G ## _b), \ |
628 | 0 | G ## _gx, sizeof(G ## _gx), \ |
629 | 0 | G ## _gy, sizeof(G ## _gy), \ |
630 | 0 | G ## _n, sizeof(G ## _n)) |
631 | | #endif /* ECP_LOAD_GROUP */ |
632 | | |
633 | | #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) |
634 | | /* Constants used by ecp_use_curve25519() */ |
635 | | static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42; |
636 | | static const unsigned char curve25519_part_of_n[] = { |
637 | | 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6, |
638 | | 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED, |
639 | | }; |
640 | | |
641 | | /* |
642 | | * Specialized function for creating the Curve25519 group |
643 | | */ |
644 | | static int ecp_use_curve25519(mbedtls_ecp_group *grp) |
645 | 0 | { |
646 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
647 | | |
648 | | /* Actually ( A + 2 ) / 4 */ |
649 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve25519_a24)); |
650 | | |
651 | | /* P = 2^255 - 19 */ |
652 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1)); |
653 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 255)); |
654 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 19)); |
655 | 0 | grp->pbits = mbedtls_mpi_bitlen(&grp->P); |
656 | | |
657 | | /* N = 2^252 + 27742317777372353535851937790883648493 */ |
658 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&grp->N, |
659 | 0 | curve25519_part_of_n, sizeof(curve25519_part_of_n))); |
660 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 252, 1)); |
661 | | |
662 | | /* Y intentionally not set, since we use x/z coordinates. |
663 | | * This is used as a marker to identify Montgomery curves! */ |
664 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 9)); |
665 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1)); |
666 | 0 | mbedtls_mpi_free(&grp->G.Y); |
667 | | |
668 | | /* Actually, the required msb for private keys */ |
669 | 0 | grp->nbits = 254; |
670 | |
|
671 | 0 | cleanup: |
672 | 0 | if (ret != 0) { |
673 | 0 | mbedtls_ecp_group_free(grp); |
674 | 0 | } |
675 | |
|
676 | 0 | return ret; |
677 | 0 | } |
678 | | #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ |
679 | | |
680 | | #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) |
681 | | /* Constants used by ecp_use_curve448() */ |
682 | | static const mbedtls_mpi_sint curve448_a24 = 0x98AA; |
683 | | static const unsigned char curve448_part_of_n[] = { |
684 | | 0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24, |
685 | | 0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93, |
686 | | 0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC, |
687 | | 0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D, |
688 | | }; |
689 | | |
690 | | /* |
691 | | * Specialized function for creating the Curve448 group |
692 | | */ |
693 | | static int ecp_use_curve448(mbedtls_ecp_group *grp) |
694 | 0 | { |
695 | 0 | mbedtls_mpi Ns; |
696 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
697 | |
|
698 | 0 | mbedtls_mpi_init(&Ns); |
699 | | |
700 | | /* Actually ( A + 2 ) / 4 */ |
701 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve448_a24)); |
702 | | |
703 | | /* P = 2^448 - 2^224 - 1 */ |
704 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1)); |
705 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224)); |
706 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1)); |
707 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224)); |
708 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1)); |
709 | 0 | grp->pbits = mbedtls_mpi_bitlen(&grp->P); |
710 | | |
711 | | /* Y intentionally not set, since we use x/z coordinates. |
712 | | * This is used as a marker to identify Montgomery curves! */ |
713 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 5)); |
714 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1)); |
715 | 0 | mbedtls_mpi_free(&grp->G.Y); |
716 | | |
717 | | /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */ |
718 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 446, 1)); |
719 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&Ns, |
720 | 0 | curve448_part_of_n, sizeof(curve448_part_of_n))); |
721 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&grp->N, &grp->N, &Ns)); |
722 | | |
723 | | /* Actually, the required msb for private keys */ |
724 | 0 | grp->nbits = 447; |
725 | |
|
726 | 0 | cleanup: |
727 | 0 | mbedtls_mpi_free(&Ns); |
728 | 0 | if (ret != 0) { |
729 | 0 | mbedtls_ecp_group_free(grp); |
730 | 0 | } |
731 | |
|
732 | 0 | return ret; |
733 | 0 | } |
734 | | #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */ |
735 | | |
736 | | /* |
737 | | * Set a group using well-known domain parameters |
738 | | */ |
739 | | int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id) |
740 | 0 | { |
741 | 0 | ECP_VALIDATE_RET(grp != NULL); |
742 | 0 | mbedtls_ecp_group_free(grp); |
743 | |
|
744 | 0 | mbedtls_ecp_group_init(grp); |
745 | |
|
746 | 0 | grp->id = id; |
747 | |
|
748 | 0 | switch (id) { |
749 | 0 | #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) |
750 | 0 | case MBEDTLS_ECP_DP_SECP192R1: |
751 | 0 | NIST_MODP(p192); |
752 | 0 | return LOAD_GROUP(secp192r1); |
753 | 0 | #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ |
754 | | |
755 | 0 | #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) |
756 | 0 | case MBEDTLS_ECP_DP_SECP224R1: |
757 | 0 | NIST_MODP(p224); |
758 | 0 | return LOAD_GROUP(secp224r1); |
759 | 0 | #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ |
760 | | |
761 | 0 | #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) |
762 | 0 | case MBEDTLS_ECP_DP_SECP256R1: |
763 | 0 | NIST_MODP(p256); |
764 | 0 | return LOAD_GROUP(secp256r1); |
765 | 0 | #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ |
766 | | |
767 | 0 | #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) |
768 | 0 | case MBEDTLS_ECP_DP_SECP384R1: |
769 | 0 | NIST_MODP(p384); |
770 | 0 | return LOAD_GROUP(secp384r1); |
771 | 0 | #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ |
772 | | |
773 | 0 | #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) |
774 | 0 | case MBEDTLS_ECP_DP_SECP521R1: |
775 | 0 | NIST_MODP(p521); |
776 | 0 | return LOAD_GROUP(secp521r1); |
777 | 0 | #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ |
778 | | |
779 | 0 | #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) |
780 | 0 | case MBEDTLS_ECP_DP_SECP192K1: |
781 | 0 | grp->modp = ecp_mod_p192k1; |
782 | 0 | return LOAD_GROUP_A(secp192k1); |
783 | 0 | #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ |
784 | | |
785 | 0 | #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) |
786 | 0 | case MBEDTLS_ECP_DP_SECP224K1: |
787 | 0 | grp->modp = ecp_mod_p224k1; |
788 | 0 | return LOAD_GROUP_A(secp224k1); |
789 | 0 | #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ |
790 | | |
791 | 0 | #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) |
792 | 0 | case MBEDTLS_ECP_DP_SECP256K1: |
793 | 0 | grp->modp = ecp_mod_p256k1; |
794 | 0 | return LOAD_GROUP_A(secp256k1); |
795 | 0 | #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ |
796 | | |
797 | 0 | #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) |
798 | 0 | case MBEDTLS_ECP_DP_BP256R1: |
799 | 0 | return LOAD_GROUP_A(brainpoolP256r1); |
800 | 0 | #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ |
801 | | |
802 | 0 | #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) |
803 | 0 | case MBEDTLS_ECP_DP_BP384R1: |
804 | 0 | return LOAD_GROUP_A(brainpoolP384r1); |
805 | 0 | #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ |
806 | | |
807 | 0 | #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) |
808 | 0 | case MBEDTLS_ECP_DP_BP512R1: |
809 | 0 | return LOAD_GROUP_A(brainpoolP512r1); |
810 | 0 | #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ |
811 | | |
812 | 0 | #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) |
813 | 0 | case MBEDTLS_ECP_DP_CURVE25519: |
814 | 0 | grp->modp = ecp_mod_p255; |
815 | 0 | return ecp_use_curve25519(grp); |
816 | 0 | #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ |
817 | | |
818 | 0 | #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) |
819 | 0 | case MBEDTLS_ECP_DP_CURVE448: |
820 | 0 | grp->modp = ecp_mod_p448; |
821 | 0 | return ecp_use_curve448(grp); |
822 | 0 | #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */ |
823 | | |
824 | 0 | default: |
825 | 0 | grp->id = MBEDTLS_ECP_DP_NONE; |
826 | 0 | return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; |
827 | 0 | } |
828 | 0 | } |
829 | | |
830 | | #if defined(MBEDTLS_ECP_NIST_OPTIM) |
831 | | /* |
832 | | * Fast reduction modulo the primes used by the NIST curves. |
833 | | * |
834 | | * These functions are critical for speed, but not needed for correct |
835 | | * operations. So, we make the choice to heavily rely on the internals of our |
836 | | * bignum library, which creates a tight coupling between these functions and |
837 | | * our MPI implementation. However, the coupling between the ECP module and |
838 | | * MPI remains loose, since these functions can be deactivated at will. |
839 | | */ |
840 | | |
841 | | #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) |
842 | | /* |
843 | | * Compared to the way things are presented in FIPS 186-3 D.2, |
844 | | * we proceed in columns, from right (least significant chunk) to left, |
845 | | * adding chunks to N in place, and keeping a carry for the next chunk. |
846 | | * This avoids moving things around in memory, and uselessly adding zeros, |
847 | | * compared to the more straightforward, line-oriented approach. |
848 | | * |
849 | | * For this prime we need to handle data in chunks of 64 bits. |
850 | | * Since this is always a multiple of our basic mbedtls_mpi_uint, we can |
851 | | * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it. |
852 | | */ |
853 | | |
854 | | /* Add 64-bit chunks (dst += src) and update carry */ |
855 | | static inline void add64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry) |
856 | 0 | { |
857 | 0 | unsigned char i; |
858 | 0 | mbedtls_mpi_uint c = 0; |
859 | 0 | for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++, src++) { |
860 | 0 | *dst += c; c = (*dst < c); |
861 | 0 | *dst += *src; c += (*dst < *src); |
862 | 0 | } |
863 | 0 | *carry += c; |
864 | 0 | } |
865 | | |
866 | | /* Add carry to a 64-bit chunk and update carry */ |
867 | | static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry) |
868 | 0 | { |
869 | 0 | unsigned char i; |
870 | 0 | for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++) { |
871 | 0 | *dst += *carry; |
872 | 0 | *carry = (*dst < *carry); |
873 | 0 | } |
874 | 0 | } |
875 | | |
876 | 0 | #define WIDTH 8 / sizeof(mbedtls_mpi_uint) |
877 | 0 | #define A(i) N->p + (i) * WIDTH |
878 | 0 | #define ADD(i) add64(p, A(i), &c) |
879 | 0 | #define NEXT p += WIDTH; carry64(p, &c) |
880 | 0 | #define LAST p += WIDTH; *p = c; while (++p < end) *p = 0 |
881 | | |
882 | | /* |
883 | | * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1) |
884 | | */ |
885 | | static int ecp_mod_p192(mbedtls_mpi *N) |
886 | 0 | { |
887 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
888 | 0 | mbedtls_mpi_uint c = 0; |
889 | 0 | mbedtls_mpi_uint *p, *end; |
890 | | |
891 | | /* Make sure we have enough blocks so that A(5) is legal */ |
892 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, 6 * WIDTH)); |
893 | | |
894 | 0 | p = N->p; |
895 | 0 | end = p + N->n; |
896 | |
|
897 | 0 | ADD(3); ADD(5); NEXT; // A0 += A3 + A5 |
898 | 0 | ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5 |
899 | 0 | ADD(4); ADD(5); LAST; // A2 += A4 + A5 |
900 | |
|
901 | 0 | cleanup: |
902 | 0 | return ret; |
903 | 0 | } |
904 | | |
905 | | #undef WIDTH |
906 | | #undef A |
907 | | #undef ADD |
908 | | #undef NEXT |
909 | | #undef LAST |
910 | | #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ |
911 | | |
912 | | #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ |
913 | | defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ |
914 | | defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) |
915 | | /* |
916 | | * The reader is advised to first understand ecp_mod_p192() since the same |
917 | | * general structure is used here, but with additional complications: |
918 | | * (1) chunks of 32 bits, and (2) subtractions. |
919 | | */ |
920 | | |
921 | | /* |
922 | | * For these primes, we need to handle data in chunks of 32 bits. |
923 | | * This makes it more complicated if we use 64 bits limbs in MPI, |
924 | | * which prevents us from using a uniform access method as for p192. |
925 | | * |
926 | | * So, we define a mini abstraction layer to access 32 bit chunks, |
927 | | * load them in 'cur' for work, and store them back from 'cur' when done. |
928 | | * |
929 | | * While at it, also define the size of N in terms of 32-bit chunks. |
930 | | */ |
931 | 0 | #define LOAD32 cur = A(i); |
932 | | |
933 | | #if defined(MBEDTLS_HAVE_INT32) /* 32 bit */ |
934 | | |
935 | | #define MAX32 N->n |
936 | | #define A(j) N->p[j] |
937 | | #define STORE32 N->p[i] = cur; |
938 | | |
939 | | #else /* 64-bit */ |
940 | | |
941 | 0 | #define MAX32 N->n * 2 |
942 | 0 | #define A(j) (j) % 2 ? (uint32_t) (N->p[(j)/2] >> 32) : \ |
943 | 0 | (uint32_t) (N->p[(j)/2]) |
944 | | #define STORE32 \ |
945 | 0 | if (i % 2) { \ |
946 | 0 | N->p[i/2] &= 0x00000000FFFFFFFF; \ |
947 | 0 | N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \ |
948 | 0 | } else { \ |
949 | 0 | N->p[i/2] &= 0xFFFFFFFF00000000; \ |
950 | 0 | N->p[i/2] |= (mbedtls_mpi_uint) cur; \ |
951 | 0 | } |
952 | | |
953 | | #endif /* sizeof( mbedtls_mpi_uint ) */ |
954 | | |
955 | | /* |
956 | | * Helpers for addition and subtraction of chunks, with signed carry. |
957 | | */ |
958 | | static inline void add32(uint32_t *dst, uint32_t src, signed char *carry) |
959 | 0 | { |
960 | 0 | *dst += src; |
961 | 0 | *carry += (*dst < src); |
962 | 0 | } |
963 | | |
964 | | static inline void sub32(uint32_t *dst, uint32_t src, signed char *carry) |
965 | 0 | { |
966 | 0 | *carry -= (*dst < src); |
967 | 0 | *dst -= src; |
968 | 0 | } |
969 | | |
970 | 0 | #define ADD(j) add32(&cur, A(j), &c); |
971 | 0 | #define SUB(j) sub32(&cur, A(j), &c); |
972 | | |
973 | | #define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */ |
974 | | #define biL (ciL << 3) /* bits in limb */ |
975 | | |
976 | | /* |
977 | | * Helpers for the main 'loop' |
978 | | */ |
979 | | #define INIT(b) \ |
980 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; \ |
981 | 0 | signed char c = 0, cc; \ |
982 | 0 | uint32_t cur; \ |
983 | 0 | size_t i = 0, bits = (b); \ |
984 | 0 | /* N is the size of the product of two b-bit numbers, plus one */ \ |
985 | 0 | /* limb for fix_negative */ \ |
986 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, (b) * 2 / biL + 1)); \ |
987 | 0 | LOAD32; |
988 | | |
989 | | #define NEXT \ |
990 | 0 | STORE32; i++; LOAD32; \ |
991 | 0 | cc = c; c = 0; \ |
992 | 0 | if (cc < 0) \ |
993 | 0 | sub32(&cur, -cc, &c); \ |
994 | 0 | else \ |
995 | 0 | add32(&cur, cc, &c); \ |
996 | | |
997 | | #define LAST \ |
998 | 0 | STORE32; i++; \ |
999 | 0 | cur = c > 0 ? c : 0; STORE32; \ |
1000 | 0 | cur = 0; while (++i < MAX32) { STORE32; } \ |
1001 | 0 | if (c < 0) mbedtls_ecp_fix_negative(N, c, bits); |
1002 | | |
1003 | | /* |
1004 | | * If the result is negative, we get it in the form |
1005 | | * c * 2^bits + N, with c negative and N positive shorter than 'bits' |
1006 | | */ |
1007 | | MBEDTLS_STATIC_TESTABLE |
1008 | | void mbedtls_ecp_fix_negative(mbedtls_mpi *N, signed char c, size_t bits) |
1009 | 0 | { |
1010 | 0 | size_t i; |
1011 | | |
1012 | | /* Set N := 2^bits - 1 - N. We know that 0 <= N < 2^bits, so |
1013 | | * set the absolute value to 0xfff...fff - N. There is no carry |
1014 | | * since we're subtracting from all-bits-one. */ |
1015 | 0 | for (i = 0; i <= bits / 8 / sizeof(mbedtls_mpi_uint); i++) { |
1016 | 0 | N->p[i] = ~(mbedtls_mpi_uint) 0 - N->p[i]; |
1017 | 0 | } |
1018 | | /* Add 1, taking care of the carry. */ |
1019 | 0 | i = 0; |
1020 | 0 | do { |
1021 | 0 | ++N->p[i]; |
1022 | 0 | } while (N->p[i++] == 0 && i <= bits / 8 / sizeof(mbedtls_mpi_uint)); |
1023 | | /* Invert the sign. |
1024 | | * Now N = N0 - 2^bits where N0 is the initial value of N. */ |
1025 | 0 | N->s = -1; |
1026 | | |
1027 | | /* Add |c| * 2^bits to the absolute value. Since c and N are |
1028 | | * negative, this adds c * 2^bits. */ |
1029 | 0 | mbedtls_mpi_uint msw = (mbedtls_mpi_uint) -c; |
1030 | 0 | #if defined(MBEDTLS_HAVE_INT64) |
1031 | 0 | if (bits == 224) { |
1032 | 0 | msw <<= 32; |
1033 | 0 | } |
1034 | 0 | #endif |
1035 | 0 | N->p[bits / 8 / sizeof(mbedtls_mpi_uint)] += msw; |
1036 | 0 | } |
1037 | | |
1038 | | #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) |
1039 | | /* |
1040 | | * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2) |
1041 | | */ |
1042 | | static int ecp_mod_p224(mbedtls_mpi *N) |
1043 | 0 | { |
1044 | 0 | INIT(224); |
1045 | |
|
1046 | 0 | SUB(7); SUB(11); NEXT; // A0 += -A7 - A11 |
1047 | 0 | SUB(8); SUB(12); NEXT; // A1 += -A8 - A12 |
1048 | 0 | SUB(9); SUB(13); NEXT; // A2 += -A9 - A13 |
1049 | 0 | SUB(10); ADD(7); ADD(11); NEXT; // A3 += -A10 + A7 + A11 |
1050 | 0 | SUB(11); ADD(8); ADD(12); NEXT; // A4 += -A11 + A8 + A12 |
1051 | 0 | SUB(12); ADD(9); ADD(13); NEXT; // A5 += -A12 + A9 + A13 |
1052 | 0 | SUB(13); ADD(10); LAST; // A6 += -A13 + A10 |
1053 | |
|
1054 | 0 | cleanup: |
1055 | 0 | return ret; |
1056 | 0 | } |
1057 | | #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ |
1058 | | |
1059 | | #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) |
1060 | | /* |
1061 | | * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3) |
1062 | | */ |
1063 | | static int ecp_mod_p256(mbedtls_mpi *N) |
1064 | 0 | { |
1065 | 0 | INIT(256); |
1066 | |
|
1067 | 0 | ADD(8); ADD(9); |
1068 | 0 | SUB(11); SUB(12); SUB(13); SUB(14); NEXT; // A0 |
1069 | |
|
1070 | 0 | ADD(9); ADD(10); |
1071 | 0 | SUB(12); SUB(13); SUB(14); SUB(15); NEXT; // A1 |
1072 | |
|
1073 | 0 | ADD(10); ADD(11); |
1074 | 0 | SUB(13); SUB(14); SUB(15); NEXT; // A2 |
1075 | |
|
1076 | 0 | ADD(11); ADD(11); ADD(12); ADD(12); ADD(13); |
1077 | 0 | SUB(15); SUB(8); SUB(9); NEXT; // A3 |
1078 | |
|
1079 | 0 | ADD(12); ADD(12); ADD(13); ADD(13); ADD(14); |
1080 | 0 | SUB(9); SUB(10); NEXT; // A4 |
1081 | |
|
1082 | 0 | ADD(13); ADD(13); ADD(14); ADD(14); ADD(15); |
1083 | 0 | SUB(10); SUB(11); NEXT; // A5 |
1084 | |
|
1085 | 0 | ADD(14); ADD(14); ADD(15); ADD(15); ADD(14); ADD(13); |
1086 | 0 | SUB(8); SUB(9); NEXT; // A6 |
1087 | |
|
1088 | 0 | ADD(15); ADD(15); ADD(15); ADD(8); |
1089 | 0 | SUB(10); SUB(11); SUB(12); SUB(13); LAST; // A7 |
1090 | |
|
1091 | 0 | cleanup: |
1092 | 0 | return ret; |
1093 | 0 | } |
1094 | | #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ |
1095 | | |
1096 | | #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) |
1097 | | /* |
1098 | | * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4) |
1099 | | */ |
1100 | | static int ecp_mod_p384(mbedtls_mpi *N) |
1101 | 0 | { |
1102 | 0 | INIT(384); |
1103 | |
|
1104 | 0 | ADD(12); ADD(21); ADD(20); |
1105 | 0 | SUB(23); NEXT; // A0 |
1106 | |
|
1107 | 0 | ADD(13); ADD(22); ADD(23); |
1108 | 0 | SUB(12); SUB(20); NEXT; // A2 |
1109 | |
|
1110 | 0 | ADD(14); ADD(23); |
1111 | 0 | SUB(13); SUB(21); NEXT; // A2 |
1112 | |
|
1113 | 0 | ADD(15); ADD(12); ADD(20); ADD(21); |
1114 | 0 | SUB(14); SUB(22); SUB(23); NEXT; // A3 |
1115 | |
|
1116 | 0 | ADD(21); ADD(21); ADD(16); ADD(13); ADD(12); ADD(20); ADD(22); |
1117 | 0 | SUB(15); SUB(23); SUB(23); NEXT; // A4 |
1118 | |
|
1119 | 0 | ADD(22); ADD(22); ADD(17); ADD(14); ADD(13); ADD(21); ADD(23); |
1120 | 0 | SUB(16); NEXT; // A5 |
1121 | |
|
1122 | 0 | ADD(23); ADD(23); ADD(18); ADD(15); ADD(14); ADD(22); |
1123 | 0 | SUB(17); NEXT; // A6 |
1124 | |
|
1125 | 0 | ADD(19); ADD(16); ADD(15); ADD(23); |
1126 | 0 | SUB(18); NEXT; // A7 |
1127 | |
|
1128 | 0 | ADD(20); ADD(17); ADD(16); |
1129 | 0 | SUB(19); NEXT; // A8 |
1130 | |
|
1131 | 0 | ADD(21); ADD(18); ADD(17); |
1132 | 0 | SUB(20); NEXT; // A9 |
1133 | |
|
1134 | 0 | ADD(22); ADD(19); ADD(18); |
1135 | 0 | SUB(21); NEXT; // A10 |
1136 | |
|
1137 | 0 | ADD(23); ADD(20); ADD(19); |
1138 | 0 | SUB(22); LAST; // A11 |
1139 | |
|
1140 | 0 | cleanup: |
1141 | 0 | return ret; |
1142 | 0 | } |
1143 | | #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ |
1144 | | |
1145 | | #undef A |
1146 | | #undef LOAD32 |
1147 | | #undef STORE32 |
1148 | | #undef MAX32 |
1149 | | #undef INIT |
1150 | | #undef NEXT |
1151 | | #undef LAST |
1152 | | |
1153 | | #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED || |
1154 | | MBEDTLS_ECP_DP_SECP256R1_ENABLED || |
1155 | | MBEDTLS_ECP_DP_SECP384R1_ENABLED */ |
1156 | | |
1157 | | #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) |
1158 | | /* |
1159 | | * Here we have an actual Mersenne prime, so things are more straightforward. |
1160 | | * However, chunks are aligned on a 'weird' boundary (521 bits). |
1161 | | */ |
1162 | | |
1163 | | /* Size of p521 in terms of mbedtls_mpi_uint */ |
1164 | 0 | #define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1) |
1165 | | |
1166 | | /* Bits to keep in the most significant mbedtls_mpi_uint */ |
1167 | 0 | #define P521_MASK 0x01FF |
1168 | | |
1169 | | /* |
1170 | | * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5) |
1171 | | * Write N as A1 + 2^521 A0, return A0 + A1 |
1172 | | */ |
1173 | | static int ecp_mod_p521(mbedtls_mpi *N) |
1174 | 0 | { |
1175 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1176 | 0 | size_t i; |
1177 | 0 | mbedtls_mpi M; |
1178 | 0 | mbedtls_mpi_uint Mp[P521_WIDTH + 1]; |
1179 | | /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits: |
1180 | | * we need to hold bits 513 to 1056, which is 34 limbs, that is |
1181 | | * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */ |
1182 | |
|
1183 | 0 | if (N->n < P521_WIDTH) { |
1184 | 0 | return 0; |
1185 | 0 | } |
1186 | | |
1187 | | /* M = A1 */ |
1188 | 0 | M.s = 1; |
1189 | 0 | M.n = N->n - (P521_WIDTH - 1); |
1190 | 0 | if (M.n > P521_WIDTH + 1) { |
1191 | 0 | M.n = P521_WIDTH + 1; |
1192 | 0 | } |
1193 | 0 | M.p = Mp; |
1194 | 0 | memcpy(Mp, N->p + P521_WIDTH - 1, M.n * sizeof(mbedtls_mpi_uint)); |
1195 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, 521 % (8 * sizeof(mbedtls_mpi_uint)))); |
1196 | | |
1197 | | /* N = A0 */ |
1198 | 0 | N->p[P521_WIDTH - 1] &= P521_MASK; |
1199 | 0 | for (i = P521_WIDTH; i < N->n; i++) { |
1200 | 0 | N->p[i] = 0; |
1201 | 0 | } |
1202 | | |
1203 | | /* N = A0 + A1 */ |
1204 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M)); |
1205 | | |
1206 | 0 | cleanup: |
1207 | 0 | return ret; |
1208 | 0 | } |
1209 | | |
1210 | | #undef P521_WIDTH |
1211 | | #undef P521_MASK |
1212 | | #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ |
1213 | | |
1214 | | #endif /* MBEDTLS_ECP_NIST_OPTIM */ |
1215 | | |
1216 | | #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) |
1217 | | |
1218 | | /* Size of p255 in terms of mbedtls_mpi_uint */ |
1219 | 0 | #define P255_WIDTH (255 / 8 / sizeof(mbedtls_mpi_uint) + 1) |
1220 | | |
1221 | | /* |
1222 | | * Fast quasi-reduction modulo p255 = 2^255 - 19 |
1223 | | * Write N as A0 + 2^255 A1, return A0 + 19 * A1 |
1224 | | */ |
1225 | | static int ecp_mod_p255(mbedtls_mpi *N) |
1226 | 0 | { |
1227 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1228 | 0 | size_t i; |
1229 | 0 | mbedtls_mpi M; |
1230 | 0 | mbedtls_mpi_uint Mp[P255_WIDTH + 2]; |
1231 | |
|
1232 | 0 | if (N->n < P255_WIDTH) { |
1233 | 0 | return 0; |
1234 | 0 | } |
1235 | | |
1236 | | /* M = A1 */ |
1237 | 0 | M.s = 1; |
1238 | 0 | M.n = N->n - (P255_WIDTH - 1); |
1239 | 0 | if (M.n > P255_WIDTH + 1) { |
1240 | 0 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
1241 | 0 | } |
1242 | 0 | M.p = Mp; |
1243 | 0 | memset(Mp, 0, sizeof(Mp)); |
1244 | 0 | memcpy(Mp, N->p + P255_WIDTH - 1, M.n * sizeof(mbedtls_mpi_uint)); |
1245 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, 255 % (8 * sizeof(mbedtls_mpi_uint)))); |
1246 | 0 | M.n++; /* Make room for multiplication by 19 */ |
1247 | | |
1248 | | /* N = A0 */ |
1249 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(N, 255, 0)); |
1250 | 0 | for (i = P255_WIDTH; i < N->n; i++) { |
1251 | 0 | N->p[i] = 0; |
1252 | 0 | } |
1253 | | |
1254 | | /* N = A0 + 19 * A1 */ |
1255 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&M, &M, 19)); |
1256 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M)); |
1257 | | |
1258 | 0 | cleanup: |
1259 | 0 | return ret; |
1260 | 0 | } |
1261 | | #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ |
1262 | | |
1263 | | #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) |
1264 | | |
1265 | | /* Size of p448 in terms of mbedtls_mpi_uint */ |
1266 | 0 | #define P448_WIDTH (448 / 8 / sizeof(mbedtls_mpi_uint)) |
1267 | | |
1268 | | /* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */ |
1269 | 0 | #define DIV_ROUND_UP(X, Y) (((X) + (Y) -1) / (Y)) |
1270 | 0 | #define P224_WIDTH_MIN (28 / sizeof(mbedtls_mpi_uint)) |
1271 | 0 | #define P224_WIDTH_MAX DIV_ROUND_UP(28, sizeof(mbedtls_mpi_uint)) |
1272 | 0 | #define P224_UNUSED_BITS ((P224_WIDTH_MAX * sizeof(mbedtls_mpi_uint) * 8) - 224) |
1273 | | |
1274 | | /* |
1275 | | * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1 |
1276 | | * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return |
1277 | | * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference |
1278 | | * implementation of Curve448, which uses its own special 56-bit limbs rather |
1279 | | * than a generic bignum library. We could squeeze some extra speed out on |
1280 | | * 32-bit machines by splitting N up into 32-bit limbs and doing the |
1281 | | * arithmetic using the limbs directly as we do for the NIST primes above, |
1282 | | * but for 64-bit targets it should use half the number of operations if we do |
1283 | | * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds. |
1284 | | */ |
1285 | | static int ecp_mod_p448(mbedtls_mpi *N) |
1286 | 0 | { |
1287 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1288 | 0 | size_t i; |
1289 | 0 | mbedtls_mpi M, Q; |
1290 | 0 | mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH]; |
1291 | |
|
1292 | 0 | if (N->n <= P448_WIDTH) { |
1293 | 0 | return 0; |
1294 | 0 | } |
1295 | | |
1296 | | /* M = A1 */ |
1297 | 0 | M.s = 1; |
1298 | 0 | M.n = N->n - (P448_WIDTH); |
1299 | 0 | if (M.n > P448_WIDTH) { |
1300 | | /* Shouldn't be called with N larger than 2^896! */ |
1301 | 0 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
1302 | 0 | } |
1303 | 0 | M.p = Mp; |
1304 | 0 | memset(Mp, 0, sizeof(Mp)); |
1305 | 0 | memcpy(Mp, N->p + P448_WIDTH, M.n * sizeof(mbedtls_mpi_uint)); |
1306 | | |
1307 | | /* N = A0 */ |
1308 | 0 | for (i = P448_WIDTH; i < N->n; i++) { |
1309 | 0 | N->p[i] = 0; |
1310 | 0 | } |
1311 | | |
1312 | | /* N += A1 */ |
1313 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M)); |
1314 | | |
1315 | | /* Q = B1, N += B1 */ |
1316 | 0 | Q = M; |
1317 | 0 | Q.p = Qp; |
1318 | 0 | memcpy(Qp, Mp, sizeof(Qp)); |
1319 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Q, 224)); |
1320 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &Q)); |
1321 | | |
1322 | | /* M = (B0 + B1) * 2^224, N += M */ |
1323 | 0 | if (sizeof(mbedtls_mpi_uint) > 4) { |
1324 | 0 | Mp[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS); |
1325 | 0 | } |
1326 | 0 | for (i = P224_WIDTH_MAX; i < M.n; ++i) { |
1327 | 0 | Mp[i] = 0; |
1328 | 0 | } |
1329 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&M, &M, &Q)); |
1330 | 0 | M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */ |
1331 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&M, 224)); |
1332 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M)); |
1333 | | |
1334 | 0 | cleanup: |
1335 | 0 | return ret; |
1336 | 0 | } |
1337 | | #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */ |
1338 | | |
1339 | | #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \ |
1340 | | defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \ |
1341 | | defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) |
1342 | | /* |
1343 | | * Fast quasi-reduction modulo P = 2^s - R, |
1344 | | * with R about 33 bits, used by the Koblitz curves. |
1345 | | * |
1346 | | * Write N as A0 + 2^224 A1, return A0 + R * A1. |
1347 | | * Actually do two passes, since R is big. |
1348 | | */ |
1349 | | #define P_KOBLITZ_MAX (256 / 8 / sizeof(mbedtls_mpi_uint)) // Max limbs in P |
1350 | 0 | #define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R |
1351 | | static inline int ecp_mod_koblitz(mbedtls_mpi *N, const mbedtls_mpi_uint *Rp, size_t p_limbs, |
1352 | | size_t adjust, size_t shift, mbedtls_mpi_uint mask) |
1353 | 0 | { |
1354 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1355 | 0 | size_t i; |
1356 | 0 | mbedtls_mpi M, R; |
1357 | 0 | mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1]; |
1358 | |
|
1359 | 0 | if (N->n < p_limbs) { |
1360 | 0 | return 0; |
1361 | 0 | } |
1362 | | |
1363 | | /* Init R */ |
1364 | 0 | R.s = 1; |
1365 | 0 | R.p = (mbedtls_mpi_uint *) Rp; /* R.p will not be modified so the cast is safe */ |
1366 | 0 | R.n = P_KOBLITZ_R; |
1367 | | |
1368 | | /* Common setup for M */ |
1369 | 0 | M.s = 1; |
1370 | 0 | M.p = Mp; |
1371 | | |
1372 | | /* M = A1 */ |
1373 | 0 | M.n = N->n - (p_limbs - adjust); |
1374 | 0 | if (M.n > p_limbs + adjust) { |
1375 | 0 | M.n = p_limbs + adjust; |
1376 | 0 | } |
1377 | 0 | memset(Mp, 0, sizeof(Mp)); |
1378 | 0 | memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint)); |
1379 | 0 | if (shift != 0) { |
1380 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift)); |
1381 | 0 | } |
1382 | 0 | M.n += R.n; /* Make room for multiplication by R */ |
1383 | | |
1384 | | /* N = A0 */ |
1385 | 0 | if (mask != 0) { |
1386 | 0 | N->p[p_limbs - 1] &= mask; |
1387 | 0 | } |
1388 | 0 | for (i = p_limbs; i < N->n; i++) { |
1389 | 0 | N->p[i] = 0; |
1390 | 0 | } |
1391 | | |
1392 | | /* N = A0 + R * A1 */ |
1393 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R)); |
1394 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M)); |
1395 | | |
1396 | | /* Second pass */ |
1397 | | |
1398 | | /* M = A1 */ |
1399 | 0 | M.n = N->n - (p_limbs - adjust); |
1400 | 0 | if (M.n > p_limbs + adjust) { |
1401 | 0 | M.n = p_limbs + adjust; |
1402 | 0 | } |
1403 | 0 | memset(Mp, 0, sizeof(Mp)); |
1404 | 0 | memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint)); |
1405 | 0 | if (shift != 0) { |
1406 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift)); |
1407 | 0 | } |
1408 | 0 | M.n += R.n; /* Make room for multiplication by R */ |
1409 | | |
1410 | | /* N = A0 */ |
1411 | 0 | if (mask != 0) { |
1412 | 0 | N->p[p_limbs - 1] &= mask; |
1413 | 0 | } |
1414 | 0 | for (i = p_limbs; i < N->n; i++) { |
1415 | 0 | N->p[i] = 0; |
1416 | 0 | } |
1417 | | |
1418 | | /* N = A0 + R * A1 */ |
1419 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R)); |
1420 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M)); |
1421 | | |
1422 | 0 | cleanup: |
1423 | 0 | return ret; |
1424 | 0 | } |
1425 | | #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) || |
1426 | | MBEDTLS_ECP_DP_SECP224K1_ENABLED) || |
1427 | | MBEDTLS_ECP_DP_SECP256K1_ENABLED) */ |
1428 | | |
1429 | | #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) |
1430 | | /* |
1431 | | * Fast quasi-reduction modulo p192k1 = 2^192 - R, |
1432 | | * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119 |
1433 | | */ |
1434 | | static int ecp_mod_p192k1(mbedtls_mpi *N) |
1435 | 0 | { |
1436 | 0 | static const mbedtls_mpi_uint Rp[] = { |
1437 | 0 | MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, |
1438 | 0 | 0x00) |
1439 | 0 | }; |
1440 | |
|
1441 | 0 | return ecp_mod_koblitz(N, Rp, 192 / 8 / sizeof(mbedtls_mpi_uint), 0, 0, |
1442 | 0 | 0); |
1443 | 0 | } |
1444 | | #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ |
1445 | | |
1446 | | #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) |
1447 | | /* |
1448 | | * Fast quasi-reduction modulo p224k1 = 2^224 - R, |
1449 | | * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93 |
1450 | | */ |
1451 | | static int ecp_mod_p224k1(mbedtls_mpi *N) |
1452 | 0 | { |
1453 | 0 | static const mbedtls_mpi_uint Rp[] = { |
1454 | 0 | MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, |
1455 | 0 | 0x00) |
1456 | 0 | }; |
1457 | |
|
1458 | 0 | #if defined(MBEDTLS_HAVE_INT64) |
1459 | 0 | return ecp_mod_koblitz(N, Rp, 4, 1, 32, 0xFFFFFFFF); |
1460 | | #else |
1461 | | return ecp_mod_koblitz(N, Rp, 224 / 8 / sizeof(mbedtls_mpi_uint), 0, 0, |
1462 | | 0); |
1463 | | #endif |
1464 | 0 | } |
1465 | | |
1466 | | #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ |
1467 | | |
1468 | | #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) |
1469 | | /* |
1470 | | * Fast quasi-reduction modulo p256k1 = 2^256 - R, |
1471 | | * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1 |
1472 | | */ |
1473 | | static int ecp_mod_p256k1(mbedtls_mpi *N) |
1474 | 0 | { |
1475 | 0 | static const mbedtls_mpi_uint Rp[] = { |
1476 | 0 | MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, |
1477 | 0 | 0x00) |
1478 | 0 | }; |
1479 | 0 | return ecp_mod_koblitz(N, Rp, 256 / 8 / sizeof(mbedtls_mpi_uint), 0, 0, |
1480 | 0 | 0); |
1481 | 0 | } |
1482 | | #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ |
1483 | | |
1484 | | #endif /* !MBEDTLS_ECP_ALT */ |
1485 | | |
1486 | | #endif /* MBEDTLS_ECP_C */ |