Arcola
/
mbedtls
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
mbedtls
by 
Mark Radbourne
Embed:
(wiki syntax)
Show/hide line numbers
ecp_curves.c
00001 /* 00002 * Elliptic curves over GF(p): curve-specific data and functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_ECP_C) 00029 00030 #include "mbedtls/ecp.h" 00031 00032 #include <string.h> 00033 00034 #if !defined(MBEDTLS_ECP_ALT) 00035 00036 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ 00037 !defined(inline) && !defined(__cplusplus) 00038 #define inline __inline 00039 #endif 00040 00041 /* 00042 * Conversion macros for embedded constants: 00043 * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2 00044 */ 00045 #if defined(MBEDTLS_HAVE_INT32) 00046 00047 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00048 ( (mbedtls_mpi_uint) a << 0 ) | \ 00049 ( (mbedtls_mpi_uint) b << 8 ) | \ 00050 ( (mbedtls_mpi_uint) c << 16 ) | \ 00051 ( (mbedtls_mpi_uint) d << 24 ) 00052 00053 #define BYTES_TO_T_UINT_2( a, b ) \ 00054 BYTES_TO_T_UINT_4( a, b, 0, 0 ) 00055 00056 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00057 BYTES_TO_T_UINT_4( a, b, c, d ), \ 00058 BYTES_TO_T_UINT_4( e, f, g, h ) 00059 00060 #else /* 64-bits */ 00061 00062 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00063 ( (mbedtls_mpi_uint) a << 0 ) | \ 00064 ( (mbedtls_mpi_uint) b << 8 ) | \ 00065 ( (mbedtls_mpi_uint) c << 16 ) | \ 00066 ( (mbedtls_mpi_uint) d << 24 ) | \ 00067 ( (mbedtls_mpi_uint) e << 32 ) | \ 00068 ( (mbedtls_mpi_uint) f << 40 ) | \ 00069 ( (mbedtls_mpi_uint) g << 48 ) | \ 00070 ( (mbedtls_mpi_uint) h << 56 ) 00071 00072 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00073 BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 ) 00074 00075 #define BYTES_TO_T_UINT_2( a, b ) \ 00076 BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 ) 00077 00078 #endif /* bits in mbedtls_mpi_uint */ 00079 00080 /* 00081 * Note: the constants are in little-endian order 00082 * to be directly usable in MPIs 00083 */ 00084 00085 /* 00086 * Domain parameters for secp192r1 00087 */ 00088 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00089 static const mbedtls_mpi_uint secp192r1_p[] = { 00090 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00091 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00092 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00093 }; 00094 static const mbedtls_mpi_uint secp192r1_b[] = { 00095 BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ), 00096 BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ), 00097 BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ), 00098 }; 00099 static const mbedtls_mpi_uint secp192r1_gx[] = { 00100 BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ), 00101 BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ), 00102 BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ), 00103 }; 00104 static const mbedtls_mpi_uint secp192r1_gy[] = { 00105 BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ), 00106 BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ), 00107 BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ), 00108 }; 00109 static const mbedtls_mpi_uint secp192r1_n[] = { 00110 BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ), 00111 BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ), 00112 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00113 }; 00114 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00115 00116 /* 00117 * Domain parameters for secp224r1 00118 */ 00119 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00120 static const mbedtls_mpi_uint secp224r1_p[] = { 00121 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00122 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00123 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00124 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00125 }; 00126 static const mbedtls_mpi_uint secp224r1_b[] = { 00127 BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ), 00128 BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ), 00129 BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ), 00130 BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ), 00131 }; 00132 static const mbedtls_mpi_uint secp224r1_gx[] = { 00133 BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ), 00134 BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ), 00135 BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ), 00136 BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ), 00137 }; 00138 static const mbedtls_mpi_uint secp224r1_gy[] = { 00139 BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ), 00140 BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ), 00141 BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ), 00142 BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ), 00143 }; 00144 static const mbedtls_mpi_uint secp224r1_n[] = { 00145 BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ), 00146 BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ), 00147 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00148 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 00149 }; 00150 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 00151 00152 /* 00153 * Domain parameters for secp256r1 00154 */ 00155 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00156 static const mbedtls_mpi_uint secp256r1_p[] = { 00157 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00158 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00159 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00160 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00161 }; 00162 static const mbedtls_mpi_uint secp256r1_b[] = { 00163 BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ), 00164 BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ), 00165 BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ), 00166 BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ), 00167 }; 00168 static const mbedtls_mpi_uint secp256r1_gx[] = { 00169 BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ), 00170 BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ), 00171 BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ), 00172 BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ), 00173 }; 00174 static const mbedtls_mpi_uint secp256r1_gy[] = { 00175 BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ), 00176 BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ), 00177 BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ), 00178 BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ), 00179 }; 00180 static const mbedtls_mpi_uint secp256r1_n[] = { 00181 BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ), 00182 BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ), 00183 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00184 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00185 }; 00186 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 00187 00188 /* 00189 * Domain parameters for secp384r1 00190 */ 00191 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00192 static const mbedtls_mpi_uint secp384r1_p[] = { 00193 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00194 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00195 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00196 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00197 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00198 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00199 }; 00200 static const mbedtls_mpi_uint secp384r1_b[] = { 00201 BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ), 00202 BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ), 00203 BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ), 00204 BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ), 00205 BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ), 00206 BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ), 00207 }; 00208 static const mbedtls_mpi_uint secp384r1_gx[] = { 00209 BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ), 00210 BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ), 00211 BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ), 00212 BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ), 00213 BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ), 00214 BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ), 00215 }; 00216 static const mbedtls_mpi_uint secp384r1_gy[] = { 00217 BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ), 00218 BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ), 00219 BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ), 00220 BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ), 00221 BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ), 00222 BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ), 00223 }; 00224 static const mbedtls_mpi_uint secp384r1_n[] = { 00225 BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ), 00226 BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ), 00227 BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ), 00228 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00229 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00230 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00231 }; 00232 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 00233 00234 /* 00235 * Domain parameters for secp521r1 00236 */ 00237 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00238 static const mbedtls_mpi_uint secp521r1_p[] = { 00239 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00240 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00241 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00242 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00243 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00244 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00245 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00246 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00247 BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 00248 }; 00249 static const mbedtls_mpi_uint secp521r1_b[] = { 00250 BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ), 00251 BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ), 00252 BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ), 00253 BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ), 00254 BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ), 00255 BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ), 00256 BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ), 00257 BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ), 00258 BYTES_TO_T_UINT_2( 0x51, 0x00 ), 00259 }; 00260 static const mbedtls_mpi_uint secp521r1_gx[] = { 00261 BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ), 00262 BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ), 00263 BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ), 00264 BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ), 00265 BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ), 00266 BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ), 00267 BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ), 00268 BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ), 00269 BYTES_TO_T_UINT_2( 0xC6, 0x00 ), 00270 }; 00271 static const mbedtls_mpi_uint secp521r1_gy[] = { 00272 BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ), 00273 BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ), 00274 BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ), 00275 BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ), 00276 BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ), 00277 BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ), 00278 BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ), 00279 BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ), 00280 BYTES_TO_T_UINT_2( 0x18, 0x01 ), 00281 }; 00282 static const mbedtls_mpi_uint secp521r1_n[] = { 00283 BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ), 00284 BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ), 00285 BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ), 00286 BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ), 00287 BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00288 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00289 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00290 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00291 BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 00292 }; 00293 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 00294 00295 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00296 static const mbedtls_mpi_uint secp192k1_p[] = { 00297 BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00298 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00299 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00300 }; 00301 static const mbedtls_mpi_uint secp192k1_a[] = { 00302 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00303 }; 00304 static const mbedtls_mpi_uint secp192k1_b[] = { 00305 BYTES_TO_T_UINT_2( 0x03, 0x00 ), 00306 }; 00307 static const mbedtls_mpi_uint secp192k1_gx[] = { 00308 BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ), 00309 BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ), 00310 BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ), 00311 }; 00312 static const mbedtls_mpi_uint secp192k1_gy[] = { 00313 BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ), 00314 BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ), 00315 BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ), 00316 }; 00317 static const mbedtls_mpi_uint secp192k1_n[] = { 00318 BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ), 00319 BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ), 00320 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00321 }; 00322 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 00323 00324 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00325 static const mbedtls_mpi_uint secp224k1_p[] = { 00326 BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00327 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00328 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00329 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 00330 }; 00331 static const mbedtls_mpi_uint secp224k1_a[] = { 00332 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00333 }; 00334 static const mbedtls_mpi_uint secp224k1_b[] = { 00335 BYTES_TO_T_UINT_2( 0x05, 0x00 ), 00336 }; 00337 static const mbedtls_mpi_uint secp224k1_gx[] = { 00338 BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ), 00339 BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ), 00340 BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ), 00341 BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ), 00342 }; 00343 static const mbedtls_mpi_uint secp224k1_gy[] = { 00344 BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ), 00345 BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ), 00346 BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ), 00347 BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ), 00348 }; 00349 static const mbedtls_mpi_uint secp224k1_n[] = { 00350 BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ), 00351 BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ), 00352 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00353 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ), 00354 }; 00355 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 00356 00357 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00358 static const mbedtls_mpi_uint secp256k1_p[] = { 00359 BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00360 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00361 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00362 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00363 }; 00364 static const mbedtls_mpi_uint secp256k1_a[] = { 00365 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00366 }; 00367 static const mbedtls_mpi_uint secp256k1_b[] = { 00368 BYTES_TO_T_UINT_2( 0x07, 0x00 ), 00369 }; 00370 static const mbedtls_mpi_uint secp256k1_gx[] = { 00371 BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ), 00372 BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ), 00373 BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ), 00374 BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ), 00375 }; 00376 static const mbedtls_mpi_uint secp256k1_gy[] = { 00377 BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ), 00378 BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ), 00379 BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ), 00380 BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ), 00381 }; 00382 static const mbedtls_mpi_uint secp256k1_n[] = { 00383 BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ), 00384 BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ), 00385 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00386 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00387 }; 00388 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 00389 00390 /* 00391 * Domain parameters for brainpoolP256r1 (RFC 5639 3.4) 00392 */ 00393 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 00394 static const mbedtls_mpi_uint brainpoolP256r1_p[] = { 00395 BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ), 00396 BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ), 00397 BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 00398 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 00399 }; 00400 static const mbedtls_mpi_uint brainpoolP256r1_a[] = { 00401 BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ), 00402 BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ), 00403 BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ), 00404 BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ), 00405 }; 00406 static const mbedtls_mpi_uint brainpoolP256r1_b[] = { 00407 BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ), 00408 BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ), 00409 BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ), 00410 BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ), 00411 }; 00412 static const mbedtls_mpi_uint brainpoolP256r1_gx[] = { 00413 BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ), 00414 BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ), 00415 BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ), 00416 BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ), 00417 }; 00418 static const mbedtls_mpi_uint brainpoolP256r1_gy[] = { 00419 BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ), 00420 BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ), 00421 BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ), 00422 BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ), 00423 }; 00424 static const mbedtls_mpi_uint brainpoolP256r1_n[] = { 00425 BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ), 00426 BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ), 00427 BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 00428 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 00429 }; 00430 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ 00431 00432 /* 00433 * Domain parameters for brainpoolP384r1 (RFC 5639 3.6) 00434 */ 00435 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 00436 static const mbedtls_mpi_uint brainpoolP384r1_p[] = { 00437 BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ), 00438 BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ), 00439 BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ), 00440 BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 00441 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 00442 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 00443 }; 00444 static const mbedtls_mpi_uint brainpoolP384r1_a[] = { 00445 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 00446 BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ), 00447 BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ), 00448 BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ), 00449 BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ), 00450 BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ), 00451 }; 00452 static const mbedtls_mpi_uint brainpoolP384r1_b[] = { 00453 BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ), 00454 BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ), 00455 BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ), 00456 BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ), 00457 BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ), 00458 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 00459 }; 00460 static const mbedtls_mpi_uint brainpoolP384r1_gx[] = { 00461 BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ), 00462 BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ), 00463 BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ), 00464 BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ), 00465 BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ), 00466 BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ), 00467 }; 00468 static const mbedtls_mpi_uint brainpoolP384r1_gy[] = { 00469 BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ), 00470 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ), 00471 BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ), 00472 BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ), 00473 BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ), 00474 BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ), 00475 }; 00476 static const mbedtls_mpi_uint brainpoolP384r1_n[] = { 00477 BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ), 00478 BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ), 00479 BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ), 00480 BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 00481 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 00482 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 00483 }; 00484 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ 00485 00486 /* 00487 * Domain parameters for brainpoolP512r1 (RFC 5639 3.7) 00488 */ 00489 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 00490 static const mbedtls_mpi_uint brainpoolP512r1_p[] = { 00491 BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ), 00492 BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ), 00493 BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ), 00494 BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ), 00495 BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 00496 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 00497 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 00498 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 00499 }; 00500 static const mbedtls_mpi_uint brainpoolP512r1_a[] = { 00501 BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ), 00502 BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ), 00503 BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ), 00504 BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ), 00505 BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ), 00506 BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ), 00507 BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ), 00508 BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ), 00509 }; 00510 static const mbedtls_mpi_uint brainpoolP512r1_b[] = { 00511 BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ), 00512 BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ), 00513 BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ), 00514 BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ), 00515 BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ), 00516 BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ), 00517 BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ), 00518 BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ), 00519 }; 00520 static const mbedtls_mpi_uint brainpoolP512r1_gx[] = { 00521 BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ), 00522 BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ), 00523 BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ), 00524 BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ), 00525 BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ), 00526 BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ), 00527 BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ), 00528 BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ), 00529 }; 00530 static const mbedtls_mpi_uint brainpoolP512r1_gy[] = { 00531 BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ), 00532 BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ), 00533 BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ), 00534 BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ), 00535 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ), 00536 BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ), 00537 BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ), 00538 BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ), 00539 }; 00540 static const mbedtls_mpi_uint brainpoolP512r1_n[] = { 00541 BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ), 00542 BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ), 00543 BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ), 00544 BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ), 00545 BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 00546 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 00547 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 00548 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 00549 }; 00550 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ 00551 00552 /* 00553 * Create an MPI from embedded constants 00554 * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint) 00555 */ 00556 static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len ) 00557 { 00558 X->s = 1; 00559 X->n = len / sizeof( mbedtls_mpi_uint ); 00560 X->p = (mbedtls_mpi_uint *) p; 00561 } 00562 00563 /* 00564 * Set an MPI to static value 1 00565 */ 00566 static inline void ecp_mpi_set1( mbedtls_mpi *X ) 00567 { 00568 static mbedtls_mpi_uint one[] = { 1 }; 00569 X->s = 1; 00570 X->n = 1; 00571 X->p = one; 00572 } 00573 00574 /* 00575 * Make group available from embedded constants 00576 */ 00577 static int ecp_group_load( mbedtls_ecp_group *grp, 00578 const mbedtls_mpi_uint *p, size_t plen, 00579 const mbedtls_mpi_uint *a, size_t alen, 00580 const mbedtls_mpi_uint *b, size_t blen, 00581 const mbedtls_mpi_uint *gx, size_t gxlen, 00582 const mbedtls_mpi_uint *gy, size_t gylen, 00583 const mbedtls_mpi_uint *n, size_t nlen) 00584 { 00585 ecp_mpi_load( &grp->P , p, plen ); 00586 if( a != NULL ) 00587 ecp_mpi_load( &grp->A , a, alen ); 00588 ecp_mpi_load( &grp->B , b, blen ); 00589 ecp_mpi_load( &grp->N , n, nlen ); 00590 00591 ecp_mpi_load( &grp->G .X , gx, gxlen ); 00592 ecp_mpi_load( &grp->G .Y , gy, gylen ); 00593 ecp_mpi_set1( &grp->G .Z ); 00594 00595 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 00596 grp->nbits = mbedtls_mpi_bitlen( &grp->N ); 00597 00598 grp->h = 1; 00599 00600 return( 0 ); 00601 } 00602 00603 #if defined(MBEDTLS_ECP_NIST_OPTIM) 00604 /* Forward declarations */ 00605 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00606 static int ecp_mod_p192( mbedtls_mpi * ); 00607 #endif 00608 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00609 static int ecp_mod_p224( mbedtls_mpi * ); 00610 #endif 00611 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00612 static int ecp_mod_p256( mbedtls_mpi * ); 00613 #endif 00614 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00615 static int ecp_mod_p384( mbedtls_mpi * ); 00616 #endif 00617 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00618 static int ecp_mod_p521( mbedtls_mpi * ); 00619 #endif 00620 00621 #define NIST_MODP( P ) grp->modp = ecp_mod_ ## P; 00622 #else 00623 #define NIST_MODP( P ) 00624 #endif /* MBEDTLS_ECP_NIST_OPTIM */ 00625 00626 /* Additional forward declarations */ 00627 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00628 static int ecp_mod_p255( mbedtls_mpi * ); 00629 #endif 00630 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00631 static int ecp_mod_p192k1( mbedtls_mpi * ); 00632 #endif 00633 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00634 static int ecp_mod_p224k1( mbedtls_mpi * ); 00635 #endif 00636 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00637 static int ecp_mod_p256k1( mbedtls_mpi * ); 00638 #endif 00639 00640 #define LOAD_GROUP_A( G ) ecp_group_load( grp, \ 00641 G ## _p, sizeof( G ## _p ), \ 00642 G ## _a, sizeof( G ## _a ), \ 00643 G ## _b, sizeof( G ## _b ), \ 00644 G ## _gx, sizeof( G ## _gx ), \ 00645 G ## _gy, sizeof( G ## _gy ), \ 00646 G ## _n, sizeof( G ## _n ) ) 00647 00648 #define LOAD_GROUP( G ) ecp_group_load( grp, \ 00649 G ## _p, sizeof( G ## _p ), \ 00650 NULL, 0, \ 00651 G ## _b, sizeof( G ## _b ), \ 00652 G ## _gx, sizeof( G ## _gx ), \ 00653 G ## _gy, sizeof( G ## _gy ), \ 00654 G ## _n, sizeof( G ## _n ) ) 00655 00656 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00657 /* 00658 * Specialized function for creating the Curve25519 group 00659 */ 00660 static int ecp_use_curve25519( mbedtls_ecp_group *grp ) 00661 { 00662 int ret; 00663 00664 /* Actually ( A + 2 ) / 4 */ 00665 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A , 16, "01DB42" ) ); 00666 00667 /* P = 2^255 - 19 */ 00668 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P , 1 ) ); 00669 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P , 255 ) ); 00670 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P , &grp->P , 19 ) ); 00671 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 00672 00673 /* Y intentionaly not set, since we use x/z coordinates. 00674 * This is used as a marker to identify Montgomery curves! */ 00675 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G .X , 9 ) ); 00676 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G .Z , 1 ) ); 00677 mbedtls_mpi_free( &grp->G .Y ); 00678 00679 /* Actually, the required msb for private keys */ 00680 grp->nbits = 254; 00681 00682 cleanup: 00683 if( ret != 0 ) 00684 mbedtls_ecp_group_free( grp ); 00685 00686 return( ret ); 00687 } 00688 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 00689 00690 /* 00691 * Set a group using well-known domain parameters 00692 */ 00693 int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id ) 00694 { 00695 mbedtls_ecp_group_free( grp ); 00696 00697 grp->id = id; 00698 00699 switch( id ) 00700 { 00701 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00702 case MBEDTLS_ECP_DP_SECP192R1 : 00703 NIST_MODP( p192 ); 00704 return( LOAD_GROUP( secp192r1 ) ); 00705 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00706 00707 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00708 case MBEDTLS_ECP_DP_SECP224R1 : 00709 NIST_MODP( p224 ); 00710 return( LOAD_GROUP( secp224r1 ) ); 00711 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 00712 00713 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00714 case MBEDTLS_ECP_DP_SECP256R1 : 00715 NIST_MODP( p256 ); 00716 return( LOAD_GROUP( secp256r1 ) ); 00717 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 00718 00719 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00720 case MBEDTLS_ECP_DP_SECP384R1 : 00721 NIST_MODP( p384 ); 00722 return( LOAD_GROUP( secp384r1 ) ); 00723 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 00724 00725 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00726 case MBEDTLS_ECP_DP_SECP521R1 : 00727 NIST_MODP( p521 ); 00728 return( LOAD_GROUP( secp521r1 ) ); 00729 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 00730 00731 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00732 case MBEDTLS_ECP_DP_SECP192K1 : 00733 grp->modp = ecp_mod_p192k1; 00734 return( LOAD_GROUP_A( secp192k1 ) ); 00735 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 00736 00737 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00738 case MBEDTLS_ECP_DP_SECP224K1 : 00739 grp->modp = ecp_mod_p224k1; 00740 return( LOAD_GROUP_A( secp224k1 ) ); 00741 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 00742 00743 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00744 case MBEDTLS_ECP_DP_SECP256K1 : 00745 grp->modp = ecp_mod_p256k1; 00746 return( LOAD_GROUP_A( secp256k1 ) ); 00747 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 00748 00749 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 00750 case MBEDTLS_ECP_DP_BP256R1 : 00751 return( LOAD_GROUP_A( brainpoolP256r1 ) ); 00752 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ 00753 00754 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 00755 case MBEDTLS_ECP_DP_BP384R1 : 00756 return( LOAD_GROUP_A( brainpoolP384r1 ) ); 00757 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ 00758 00759 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 00760 case MBEDTLS_ECP_DP_BP512R1 : 00761 return( LOAD_GROUP_A( brainpoolP512r1 ) ); 00762 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ 00763 00764 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00765 case MBEDTLS_ECP_DP_CURVE25519 : 00766 grp->modp = ecp_mod_p255; 00767 return( ecp_use_curve25519( grp ) ); 00768 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 00769 00770 default: 00771 mbedtls_ecp_group_free( grp ); 00772 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); 00773 } 00774 } 00775 00776 #if defined(MBEDTLS_ECP_NIST_OPTIM) 00777 /* 00778 * Fast reduction modulo the primes used by the NIST curves. 00779 * 00780 * These functions are critical for speed, but not needed for correct 00781 * operations. So, we make the choice to heavily rely on the internals of our 00782 * bignum library, which creates a tight coupling between these functions and 00783 * our MPI implementation. However, the coupling between the ECP module and 00784 * MPI remains loose, since these functions can be deactivated at will. 00785 */ 00786 00787 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00788 /* 00789 * Compared to the way things are presented in FIPS 186-3 D.2, 00790 * we proceed in columns, from right (least significant chunk) to left, 00791 * adding chunks to N in place, and keeping a carry for the next chunk. 00792 * This avoids moving things around in memory, and uselessly adding zeros, 00793 * compared to the more straightforward, line-oriented approach. 00794 * 00795 * For this prime we need to handle data in chunks of 64 bits. 00796 * Since this is always a multiple of our basic mbedtls_mpi_uint, we can 00797 * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it. 00798 */ 00799 00800 /* Add 64-bit chunks (dst += src) and update carry */ 00801 static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry ) 00802 { 00803 unsigned char i; 00804 mbedtls_mpi_uint c = 0; 00805 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ ) 00806 { 00807 *dst += c; c = ( *dst < c ); 00808 *dst += *src; c += ( *dst < *src ); 00809 } 00810 *carry += c; 00811 } 00812 00813 /* Add carry to a 64-bit chunk and update carry */ 00814 static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry ) 00815 { 00816 unsigned char i; 00817 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ ) 00818 { 00819 *dst += *carry; 00820 *carry = ( *dst < *carry ); 00821 } 00822 } 00823 00824 #define WIDTH 8 / sizeof( mbedtls_mpi_uint ) 00825 #define A( i ) N->p + i * WIDTH 00826 #define ADD( i ) add64( p, A( i ), &c ) 00827 #define NEXT p += WIDTH; carry64( p, &c ) 00828 #define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0 00829 00830 /* 00831 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1) 00832 */ 00833 static int ecp_mod_p192( mbedtls_mpi *N ) 00834 { 00835 int ret; 00836 mbedtls_mpi_uint c = 0; 00837 mbedtls_mpi_uint *p, *end; 00838 00839 /* Make sure we have enough blocks so that A(5) is legal */ 00840 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) ); 00841 00842 p = N->p ; 00843 end = p + N->n ; 00844 00845 ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5 00846 ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5 00847 ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5 00848 00849 cleanup: 00850 return( ret ); 00851 } 00852 00853 #undef WIDTH 00854 #undef A 00855 #undef ADD 00856 #undef NEXT 00857 #undef LAST 00858 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00859 00860 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ 00861 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ 00862 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00863 /* 00864 * The reader is advised to first understand ecp_mod_p192() since the same 00865 * general structure is used here, but with additional complications: 00866 * (1) chunks of 32 bits, and (2) subtractions. 00867 */ 00868 00869 /* 00870 * For these primes, we need to handle data in chunks of 32 bits. 00871 * This makes it more complicated if we use 64 bits limbs in MPI, 00872 * which prevents us from using a uniform access method as for p192. 00873 * 00874 * So, we define a mini abstraction layer to access 32 bit chunks, 00875 * load them in 'cur' for work, and store them back from 'cur' when done. 00876 * 00877 * While at it, also define the size of N in terms of 32-bit chunks. 00878 */ 00879 #define LOAD32 cur = A( i ); 00880 00881 #if defined(MBEDTLS_HAVE_INT32) /* 32 bit */ 00882 00883 #define MAX32 N->n 00884 #define A( j ) N->p[j] 00885 #define STORE32 N->p[i] = cur; 00886 00887 #else /* 64-bit */ 00888 00889 #define MAX32 N->n * 2 00890 #define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] ) 00891 #define STORE32 \ 00892 if( i % 2 ) { \ 00893 N->p[i/2] &= 0x00000000FFFFFFFF; \ 00894 N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \ 00895 } else { \ 00896 N->p[i/2] &= 0xFFFFFFFF00000000; \ 00897 N->p[i/2] |= (mbedtls_mpi_uint) cur; \ 00898 } 00899 00900 #endif /* sizeof( mbedtls_mpi_uint ) */ 00901 00902 /* 00903 * Helpers for addition and subtraction of chunks, with signed carry. 00904 */ 00905 static inline void add32( uint32_t *dst, uint32_t src, signed char *carry ) 00906 { 00907 *dst += src; 00908 *carry += ( *dst < src ); 00909 } 00910 00911 static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry ) 00912 { 00913 *carry -= ( *dst < src ); 00914 *dst -= src; 00915 } 00916 00917 #define ADD( j ) add32( &cur, A( j ), &c ); 00918 #define SUB( j ) sub32( &cur, A( j ), &c ); 00919 00920 /* 00921 * Helpers for the main 'loop' 00922 * (see fix_negative for the motivation of C) 00923 */ 00924 #define INIT( b ) \ 00925 int ret; \ 00926 signed char c = 0, cc; \ 00927 uint32_t cur; \ 00928 size_t i = 0, bits = b; \ 00929 mbedtls_mpi C; \ 00930 mbedtls_mpi_uint Cp[ b / 8 / sizeof( mbedtls_mpi_uint) + 1 ]; \ 00931 \ 00932 C.s = 1; \ 00933 C.n = b / 8 / sizeof( mbedtls_mpi_uint) + 1; \ 00934 C.p = Cp; \ 00935 memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) ); \ 00936 \ 00937 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, b * 2 / 8 / sizeof( mbedtls_mpi_uint ) ) ); \ 00938 LOAD32; 00939 00940 #define NEXT \ 00941 STORE32; i++; LOAD32; \ 00942 cc = c; c = 0; \ 00943 if( cc < 0 ) \ 00944 sub32( &cur, -cc, &c ); \ 00945 else \ 00946 add32( &cur, cc, &c ); \ 00947 00948 #define LAST \ 00949 STORE32; i++; \ 00950 cur = c > 0 ? c : 0; STORE32; \ 00951 cur = 0; while( ++i < MAX32 ) { STORE32; } \ 00952 if( c < 0 ) fix_negative( N, c, &C, bits ); 00953 00954 /* 00955 * If the result is negative, we get it in the form 00956 * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits' 00957 */ 00958 static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits ) 00959 { 00960 int ret; 00961 00962 /* C = - c * 2^(bits + 32) */ 00963 #if !defined(MBEDTLS_HAVE_INT64) 00964 ((void) bits); 00965 #else 00966 if( bits == 224 ) 00967 C->p [ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32; 00968 else 00969 #endif 00970 C->p [ C->n - 1 ] = (mbedtls_mpi_uint) -c; 00971 00972 /* N = - ( C - N ) */ 00973 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) ); 00974 N->s = -1; 00975 00976 cleanup: 00977 00978 return( ret ); 00979 } 00980 00981 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00982 /* 00983 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2) 00984 */ 00985 static int ecp_mod_p224( mbedtls_mpi *N ) 00986 { 00987 INIT( 224 ); 00988 00989 SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11 00990 SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12 00991 SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13 00992 SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11 00993 SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12 00994 SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13 00995 SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10 00996 00997 cleanup: 00998 return( ret ); 00999 } 01000 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 01001 01002 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 01003 /* 01004 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3) 01005 */ 01006 static int ecp_mod_p256( mbedtls_mpi *N ) 01007 { 01008 INIT( 256 ); 01009 01010 ADD( 8 ); ADD( 9 ); 01011 SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0 01012 01013 ADD( 9 ); ADD( 10 ); 01014 SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1 01015 01016 ADD( 10 ); ADD( 11 ); 01017 SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2 01018 01019 ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 ); 01020 SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3 01021 01022 ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 ); 01023 SUB( 9 ); SUB( 10 ); NEXT; // A4 01024 01025 ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 ); 01026 SUB( 10 ); SUB( 11 ); NEXT; // A5 01027 01028 ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 ); 01029 SUB( 8 ); SUB( 9 ); NEXT; // A6 01030 01031 ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 ); 01032 SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7 01033 01034 cleanup: 01035 return( ret ); 01036 } 01037 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 01038 01039 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 01040 /* 01041 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4) 01042 */ 01043 static int ecp_mod_p384( mbedtls_mpi *N ) 01044 { 01045 INIT( 384 ); 01046 01047 ADD( 12 ); ADD( 21 ); ADD( 20 ); 01048 SUB( 23 ); NEXT; // A0 01049 01050 ADD( 13 ); ADD( 22 ); ADD( 23 ); 01051 SUB( 12 ); SUB( 20 ); NEXT; // A2 01052 01053 ADD( 14 ); ADD( 23 ); 01054 SUB( 13 ); SUB( 21 ); NEXT; // A2 01055 01056 ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 ); 01057 SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3 01058 01059 ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 ); 01060 SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4 01061 01062 ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 ); 01063 SUB( 16 ); NEXT; // A5 01064 01065 ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 ); 01066 SUB( 17 ); NEXT; // A6 01067 01068 ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 ); 01069 SUB( 18 ); NEXT; // A7 01070 01071 ADD( 20 ); ADD( 17 ); ADD( 16 ); 01072 SUB( 19 ); NEXT; // A8 01073 01074 ADD( 21 ); ADD( 18 ); ADD( 17 ); 01075 SUB( 20 ); NEXT; // A9 01076 01077 ADD( 22 ); ADD( 19 ); ADD( 18 ); 01078 SUB( 21 ); NEXT; // A10 01079 01080 ADD( 23 ); ADD( 20 ); ADD( 19 ); 01081 SUB( 22 ); LAST; // A11 01082 01083 cleanup: 01084 return( ret ); 01085 } 01086 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 01087 01088 #undef A 01089 #undef LOAD32 01090 #undef STORE32 01091 #undef MAX32 01092 #undef INIT 01093 #undef NEXT 01094 #undef LAST 01095 01096 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED || 01097 MBEDTLS_ECP_DP_SECP256R1_ENABLED || 01098 MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 01099 01100 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 01101 /* 01102 * Here we have an actual Mersenne prime, so things are more straightforward. 01103 * However, chunks are aligned on a 'weird' boundary (521 bits). 01104 */ 01105 01106 /* Size of p521 in terms of mbedtls_mpi_uint */ 01107 #define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 ) 01108 01109 /* Bits to keep in the most significant mbedtls_mpi_uint */ 01110 #define P521_MASK 0x01FF 01111 01112 /* 01113 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5) 01114 * Write N as A1 + 2^521 A0, return A0 + A1 01115 */ 01116 static int ecp_mod_p521( mbedtls_mpi *N ) 01117 { 01118 int ret; 01119 size_t i; 01120 mbedtls_mpi M; 01121 mbedtls_mpi_uint Mp[P521_WIDTH + 1]; 01122 /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits: 01123 * we need to hold bits 513 to 1056, which is 34 limbs, that is 01124 * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */ 01125 01126 if( N->n < P521_WIDTH ) 01127 return( 0 ); 01128 01129 /* M = A1 */ 01130 M.s = 1; 01131 M.n = N->n - ( P521_WIDTH - 1 ); 01132 if( M.n > P521_WIDTH + 1 ) 01133 M.n = P521_WIDTH + 1; 01134 M.p = Mp; 01135 memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) ); 01136 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) ); 01137 01138 /* N = A0 */ 01139 N->p [P521_WIDTH - 1] &= P521_MASK; 01140 for( i = P521_WIDTH; i < N->n ; i++ ) 01141 N->p [i] = 0; 01142 01143 /* N = A0 + A1 */ 01144 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01145 01146 cleanup: 01147 return( ret ); 01148 } 01149 01150 #undef P521_WIDTH 01151 #undef P521_MASK 01152 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 01153 01154 #endif /* MBEDTLS_ECP_NIST_OPTIM */ 01155 01156 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 01157 01158 /* Size of p255 in terms of mbedtls_mpi_uint */ 01159 #define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 ) 01160 01161 /* 01162 * Fast quasi-reduction modulo p255 = 2^255 - 19 01163 * Write N as A0 + 2^255 A1, return A0 + 19 * A1 01164 */ 01165 static int ecp_mod_p255( mbedtls_mpi *N ) 01166 { 01167 int ret; 01168 size_t i; 01169 mbedtls_mpi M; 01170 mbedtls_mpi_uint Mp[P255_WIDTH + 2]; 01171 01172 if( N->n < P255_WIDTH ) 01173 return( 0 ); 01174 01175 /* M = A1 */ 01176 M.s = 1; 01177 M.n = N->n - ( P255_WIDTH - 1 ); 01178 if( M.n > P255_WIDTH + 1 ) 01179 M.n = P255_WIDTH + 1; 01180 M.p = Mp; 01181 memset( Mp, 0, sizeof Mp ); 01182 memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) ); 01183 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) ); 01184 M.n ++; /* Make room for multiplication by 19 */ 01185 01186 /* N = A0 */ 01187 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) ); 01188 for( i = P255_WIDTH; i < N->n ; i++ ) 01189 N->p [i] = 0; 01190 01191 /* N = A0 + 19 * A1 */ 01192 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) ); 01193 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01194 01195 cleanup: 01196 return( ret ); 01197 } 01198 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 01199 01200 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \ 01201 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \ 01202 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 01203 /* 01204 * Fast quasi-reduction modulo P = 2^s - R, 01205 * with R about 33 bits, used by the Koblitz curves. 01206 * 01207 * Write N as A0 + 2^224 A1, return A0 + R * A1. 01208 * Actually do two passes, since R is big. 01209 */ 01210 #define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P 01211 #define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R 01212 static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs, 01213 size_t adjust, size_t shift, mbedtls_mpi_uint mask ) 01214 { 01215 int ret; 01216 size_t i; 01217 mbedtls_mpi M, R; 01218 mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1]; 01219 01220 if( N->n < p_limbs ) 01221 return( 0 ); 01222 01223 /* Init R */ 01224 R.s = 1; 01225 R.p = Rp; 01226 R.n = P_KOBLITZ_R; 01227 01228 /* Common setup for M */ 01229 M.s = 1; 01230 M.p = Mp; 01231 01232 /* M = A1 */ 01233 M.n = N->n - ( p_limbs - adjust ); 01234 if( M.n > p_limbs + adjust ) 01235 M.n = p_limbs + adjust; 01236 memset( Mp, 0, sizeof Mp ); 01237 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) ); 01238 if( shift != 0 ) 01239 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) ); 01240 M.n += R.n ; /* Make room for multiplication by R */ 01241 01242 /* N = A0 */ 01243 if( mask != 0 ) 01244 N->p [p_limbs - 1] &= mask; 01245 for( i = p_limbs; i < N->n ; i++ ) 01246 N->p [i] = 0; 01247 01248 /* N = A0 + R * A1 */ 01249 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) ); 01250 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01251 01252 /* Second pass */ 01253 01254 /* M = A1 */ 01255 M.n = N->n - ( p_limbs - adjust ); 01256 if( M.n > p_limbs + adjust ) 01257 M.n = p_limbs + adjust; 01258 memset( Mp, 0, sizeof Mp ); 01259 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) ); 01260 if( shift != 0 ) 01261 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) ); 01262 M.n += R.n ; /* Make room for multiplication by R */ 01263 01264 /* N = A0 */ 01265 if( mask != 0 ) 01266 N->p [p_limbs - 1] &= mask; 01267 for( i = p_limbs; i < N->n ; i++ ) 01268 N->p [i] = 0; 01269 01270 /* N = A0 + R * A1 */ 01271 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) ); 01272 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01273 01274 cleanup: 01275 return( ret ); 01276 } 01277 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) || 01278 MBEDTLS_ECP_DP_SECP224K1_ENABLED) || 01279 MBEDTLS_ECP_DP_SECP256K1_ENABLED) */ 01280 01281 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 01282 /* 01283 * Fast quasi-reduction modulo p192k1 = 2^192 - R, 01284 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119 01285 */ 01286 static int ecp_mod_p192k1( mbedtls_mpi *N ) 01287 { 01288 static mbedtls_mpi_uint Rp[] = { 01289 BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01290 01291 return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01292 } 01293 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 01294 01295 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 01296 /* 01297 * Fast quasi-reduction modulo p224k1 = 2^224 - R, 01298 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93 01299 */ 01300 static int ecp_mod_p224k1( mbedtls_mpi *N ) 01301 { 01302 static mbedtls_mpi_uint Rp[] = { 01303 BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01304 01305 #if defined(MBEDTLS_HAVE_INT64) 01306 return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) ); 01307 #else 01308 return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01309 #endif 01310 } 01311 01312 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 01313 01314 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 01315 /* 01316 * Fast quasi-reduction modulo p256k1 = 2^256 - R, 01317 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1 01318 */ 01319 static int ecp_mod_p256k1( mbedtls_mpi *N ) 01320 { 01321 static mbedtls_mpi_uint Rp[] = { 01322 BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01323 return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01324 } 01325 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 01326 01327 #endif /* !MBEDTLS_ECP_ALT */ 01328 01329 #endif /* MBEDTLS_ECP_C */
Generated on Tue Jul 12 2022 17:25:41 by
1.7.2