sandbox
mbedtls ported to mbed-classic
Fork of
mbedtls
by 
Christopher Haster
Embed:
(wiki syntax)
Show/hide line numbers
ecp_curves.c
00001 /* 00002 * Elliptic curves over GF(p): curve-specific data and functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_ECP_C) 00029 00030 #include "mbedtls/ecp.h" 00031 00032 #include <string.h> 00033 00034 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ 00035 !defined(inline) && !defined(__cplusplus) 00036 #define inline __inline 00037 #endif 00038 00039 /* 00040 * Conversion macros for embedded constants: 00041 * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2 00042 */ 00043 #if defined(MBEDTLS_HAVE_INT32) 00044 00045 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00046 ( (mbedtls_mpi_uint) a << 0 ) | \ 00047 ( (mbedtls_mpi_uint) b << 8 ) | \ 00048 ( (mbedtls_mpi_uint) c << 16 ) | \ 00049 ( (mbedtls_mpi_uint) d << 24 ) 00050 00051 #define BYTES_TO_T_UINT_2( a, b ) \ 00052 BYTES_TO_T_UINT_4( a, b, 0, 0 ) 00053 00054 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00055 BYTES_TO_T_UINT_4( a, b, c, d ), \ 00056 BYTES_TO_T_UINT_4( e, f, g, h ) 00057 00058 #else /* 64-bits */ 00059 00060 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00061 ( (mbedtls_mpi_uint) a << 0 ) | \ 00062 ( (mbedtls_mpi_uint) b << 8 ) | \ 00063 ( (mbedtls_mpi_uint) c << 16 ) | \ 00064 ( (mbedtls_mpi_uint) d << 24 ) | \ 00065 ( (mbedtls_mpi_uint) e << 32 ) | \ 00066 ( (mbedtls_mpi_uint) f << 40 ) | \ 00067 ( (mbedtls_mpi_uint) g << 48 ) | \ 00068 ( (mbedtls_mpi_uint) h << 56 ) 00069 00070 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00071 BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 ) 00072 00073 #define BYTES_TO_T_UINT_2( a, b ) \ 00074 BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 ) 00075 00076 #endif /* bits in mbedtls_mpi_uint */ 00077 00078 /* 00079 * Note: the constants are in little-endian order 00080 * to be directly usable in MPIs 00081 */ 00082 00083 /* 00084 * Domain parameters for secp192r1 00085 */ 00086 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00087 static const mbedtls_mpi_uint secp192r1_p[] = { 00088 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00089 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00090 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00091 }; 00092 static const mbedtls_mpi_uint secp192r1_b[] = { 00093 BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ), 00094 BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ), 00095 BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ), 00096 }; 00097 static const mbedtls_mpi_uint secp192r1_gx[] = { 00098 BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ), 00099 BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ), 00100 BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ), 00101 }; 00102 static const mbedtls_mpi_uint secp192r1_gy[] = { 00103 BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ), 00104 BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ), 00105 BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ), 00106 }; 00107 static const mbedtls_mpi_uint secp192r1_n[] = { 00108 BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ), 00109 BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ), 00110 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00111 }; 00112 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00113 00114 /* 00115 * Domain parameters for secp224r1 00116 */ 00117 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00118 static const mbedtls_mpi_uint secp224r1_p[] = { 00119 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00120 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00121 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00122 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00123 }; 00124 static const mbedtls_mpi_uint secp224r1_b[] = { 00125 BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ), 00126 BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ), 00127 BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ), 00128 BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ), 00129 }; 00130 static const mbedtls_mpi_uint secp224r1_gx[] = { 00131 BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ), 00132 BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ), 00133 BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ), 00134 BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ), 00135 }; 00136 static const mbedtls_mpi_uint secp224r1_gy[] = { 00137 BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ), 00138 BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ), 00139 BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ), 00140 BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ), 00141 }; 00142 static const mbedtls_mpi_uint secp224r1_n[] = { 00143 BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ), 00144 BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ), 00145 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00146 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 00147 }; 00148 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 00149 00150 /* 00151 * Domain parameters for secp256r1 00152 */ 00153 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00154 static const mbedtls_mpi_uint secp256r1_p[] = { 00155 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00156 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00157 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00158 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00159 }; 00160 static const mbedtls_mpi_uint secp256r1_b[] = { 00161 BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ), 00162 BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ), 00163 BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ), 00164 BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ), 00165 }; 00166 static const mbedtls_mpi_uint secp256r1_gx[] = { 00167 BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ), 00168 BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ), 00169 BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ), 00170 BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ), 00171 }; 00172 static const mbedtls_mpi_uint secp256r1_gy[] = { 00173 BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ), 00174 BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ), 00175 BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ), 00176 BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ), 00177 }; 00178 static const mbedtls_mpi_uint secp256r1_n[] = { 00179 BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ), 00180 BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ), 00181 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00182 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00183 }; 00184 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 00185 00186 /* 00187 * Domain parameters for secp384r1 00188 */ 00189 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00190 static const mbedtls_mpi_uint secp384r1_p[] = { 00191 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00192 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00193 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00194 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00195 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00196 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00197 }; 00198 static const mbedtls_mpi_uint secp384r1_b[] = { 00199 BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ), 00200 BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ), 00201 BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ), 00202 BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ), 00203 BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ), 00204 BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ), 00205 }; 00206 static const mbedtls_mpi_uint secp384r1_gx[] = { 00207 BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ), 00208 BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ), 00209 BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ), 00210 BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ), 00211 BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ), 00212 BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ), 00213 }; 00214 static const mbedtls_mpi_uint secp384r1_gy[] = { 00215 BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ), 00216 BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ), 00217 BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ), 00218 BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ), 00219 BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ), 00220 BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ), 00221 }; 00222 static const mbedtls_mpi_uint secp384r1_n[] = { 00223 BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ), 00224 BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ), 00225 BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ), 00226 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00227 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00228 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00229 }; 00230 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 00231 00232 /* 00233 * Domain parameters for secp521r1 00234 */ 00235 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00236 static const mbedtls_mpi_uint secp521r1_p[] = { 00237 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00238 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00239 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00240 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00241 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00242 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00243 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00244 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00245 BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 00246 }; 00247 static const mbedtls_mpi_uint secp521r1_b[] = { 00248 BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ), 00249 BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ), 00250 BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ), 00251 BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ), 00252 BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ), 00253 BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ), 00254 BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ), 00255 BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ), 00256 BYTES_TO_T_UINT_2( 0x51, 0x00 ), 00257 }; 00258 static const mbedtls_mpi_uint secp521r1_gx[] = { 00259 BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ), 00260 BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ), 00261 BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ), 00262 BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ), 00263 BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ), 00264 BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ), 00265 BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ), 00266 BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ), 00267 BYTES_TO_T_UINT_2( 0xC6, 0x00 ), 00268 }; 00269 static const mbedtls_mpi_uint secp521r1_gy[] = { 00270 BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ), 00271 BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ), 00272 BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ), 00273 BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ), 00274 BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ), 00275 BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ), 00276 BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ), 00277 BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ), 00278 BYTES_TO_T_UINT_2( 0x18, 0x01 ), 00279 }; 00280 static const mbedtls_mpi_uint secp521r1_n[] = { 00281 BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ), 00282 BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ), 00283 BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ), 00284 BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ), 00285 BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00286 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00287 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00288 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00289 BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 00290 }; 00291 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 00292 00293 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00294 static const mbedtls_mpi_uint secp192k1_p[] = { 00295 BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00296 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00297 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00298 }; 00299 static const mbedtls_mpi_uint secp192k1_a[] = { 00300 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00301 }; 00302 static const mbedtls_mpi_uint secp192k1_b[] = { 00303 BYTES_TO_T_UINT_2( 0x03, 0x00 ), 00304 }; 00305 static const mbedtls_mpi_uint secp192k1_gx[] = { 00306 BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ), 00307 BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ), 00308 BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ), 00309 }; 00310 static const mbedtls_mpi_uint secp192k1_gy[] = { 00311 BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ), 00312 BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ), 00313 BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ), 00314 }; 00315 static const mbedtls_mpi_uint secp192k1_n[] = { 00316 BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ), 00317 BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ), 00318 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00319 }; 00320 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 00321 00322 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00323 static const mbedtls_mpi_uint secp224k1_p[] = { 00324 BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00325 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00326 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00327 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 00328 }; 00329 static const mbedtls_mpi_uint secp224k1_a[] = { 00330 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00331 }; 00332 static const mbedtls_mpi_uint secp224k1_b[] = { 00333 BYTES_TO_T_UINT_2( 0x05, 0x00 ), 00334 }; 00335 static const mbedtls_mpi_uint secp224k1_gx[] = { 00336 BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ), 00337 BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ), 00338 BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ), 00339 BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ), 00340 }; 00341 static const mbedtls_mpi_uint secp224k1_gy[] = { 00342 BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ), 00343 BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ), 00344 BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ), 00345 BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ), 00346 }; 00347 static const mbedtls_mpi_uint secp224k1_n[] = { 00348 BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ), 00349 BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ), 00350 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00351 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ), 00352 }; 00353 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 00354 00355 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00356 static const mbedtls_mpi_uint secp256k1_p[] = { 00357 BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00358 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00359 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00360 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00361 }; 00362 static const mbedtls_mpi_uint secp256k1_a[] = { 00363 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00364 }; 00365 static const mbedtls_mpi_uint secp256k1_b[] = { 00366 BYTES_TO_T_UINT_2( 0x07, 0x00 ), 00367 }; 00368 static const mbedtls_mpi_uint secp256k1_gx[] = { 00369 BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ), 00370 BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ), 00371 BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ), 00372 BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ), 00373 }; 00374 static const mbedtls_mpi_uint secp256k1_gy[] = { 00375 BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ), 00376 BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ), 00377 BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ), 00378 BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ), 00379 }; 00380 static const mbedtls_mpi_uint secp256k1_n[] = { 00381 BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ), 00382 BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ), 00383 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00384 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00385 }; 00386 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 00387 00388 /* 00389 * Domain parameters for brainpoolP256r1 (RFC 5639 3.4) 00390 */ 00391 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 00392 static const mbedtls_mpi_uint brainpoolP256r1_p[] = { 00393 BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ), 00394 BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ), 00395 BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 00396 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 00397 }; 00398 static const mbedtls_mpi_uint brainpoolP256r1_a[] = { 00399 BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ), 00400 BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ), 00401 BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ), 00402 BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ), 00403 }; 00404 static const mbedtls_mpi_uint brainpoolP256r1_b[] = { 00405 BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ), 00406 BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ), 00407 BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ), 00408 BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ), 00409 }; 00410 static const mbedtls_mpi_uint brainpoolP256r1_gx[] = { 00411 BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ), 00412 BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ), 00413 BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ), 00414 BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ), 00415 }; 00416 static const mbedtls_mpi_uint brainpoolP256r1_gy[] = { 00417 BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ), 00418 BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ), 00419 BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ), 00420 BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ), 00421 }; 00422 static const mbedtls_mpi_uint brainpoolP256r1_n[] = { 00423 BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ), 00424 BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ), 00425 BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 00426 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 00427 }; 00428 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ 00429 00430 /* 00431 * Domain parameters for brainpoolP384r1 (RFC 5639 3.6) 00432 */ 00433 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 00434 static const mbedtls_mpi_uint brainpoolP384r1_p[] = { 00435 BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ), 00436 BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ), 00437 BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ), 00438 BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 00439 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 00440 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 00441 }; 00442 static const mbedtls_mpi_uint brainpoolP384r1_a[] = { 00443 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 00444 BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ), 00445 BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ), 00446 BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ), 00447 BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ), 00448 BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ), 00449 }; 00450 static const mbedtls_mpi_uint brainpoolP384r1_b[] = { 00451 BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ), 00452 BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ), 00453 BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ), 00454 BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ), 00455 BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ), 00456 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 00457 }; 00458 static const mbedtls_mpi_uint brainpoolP384r1_gx[] = { 00459 BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ), 00460 BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ), 00461 BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ), 00462 BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ), 00463 BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ), 00464 BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ), 00465 }; 00466 static const mbedtls_mpi_uint brainpoolP384r1_gy[] = { 00467 BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ), 00468 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ), 00469 BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ), 00470 BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ), 00471 BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ), 00472 BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ), 00473 }; 00474 static const mbedtls_mpi_uint brainpoolP384r1_n[] = { 00475 BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ), 00476 BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ), 00477 BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ), 00478 BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 00479 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 00480 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 00481 }; 00482 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ 00483 00484 /* 00485 * Domain parameters for brainpoolP512r1 (RFC 5639 3.7) 00486 */ 00487 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 00488 static const mbedtls_mpi_uint brainpoolP512r1_p[] = { 00489 BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ), 00490 BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ), 00491 BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ), 00492 BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ), 00493 BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 00494 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 00495 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 00496 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 00497 }; 00498 static const mbedtls_mpi_uint brainpoolP512r1_a[] = { 00499 BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ), 00500 BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ), 00501 BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ), 00502 BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ), 00503 BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ), 00504 BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ), 00505 BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ), 00506 BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ), 00507 }; 00508 static const mbedtls_mpi_uint brainpoolP512r1_b[] = { 00509 BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ), 00510 BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ), 00511 BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ), 00512 BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ), 00513 BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ), 00514 BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ), 00515 BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ), 00516 BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ), 00517 }; 00518 static const mbedtls_mpi_uint brainpoolP512r1_gx[] = { 00519 BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ), 00520 BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ), 00521 BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ), 00522 BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ), 00523 BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ), 00524 BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ), 00525 BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ), 00526 BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ), 00527 }; 00528 static const mbedtls_mpi_uint brainpoolP512r1_gy[] = { 00529 BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ), 00530 BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ), 00531 BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ), 00532 BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ), 00533 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ), 00534 BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ), 00535 BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ), 00536 BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ), 00537 }; 00538 static const mbedtls_mpi_uint brainpoolP512r1_n[] = { 00539 BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ), 00540 BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ), 00541 BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ), 00542 BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ), 00543 BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 00544 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 00545 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 00546 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 00547 }; 00548 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ 00549 00550 /* 00551 * Create an MPI from embedded constants 00552 * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint) 00553 */ 00554 static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len ) 00555 { 00556 X->s = 1; 00557 X->n = len / sizeof( mbedtls_mpi_uint ); 00558 X->p = (mbedtls_mpi_uint *) p; 00559 } 00560 00561 /* 00562 * Set an MPI to static value 1 00563 */ 00564 static inline void ecp_mpi_set1( mbedtls_mpi *X ) 00565 { 00566 static mbedtls_mpi_uint one[] = { 1 }; 00567 X->s = 1; 00568 X->n = 1; 00569 X->p = one; 00570 } 00571 00572 /* 00573 * Make group available from embedded constants 00574 */ 00575 static int ecp_group_load( mbedtls_ecp_group *grp, 00576 const mbedtls_mpi_uint *p, size_t plen, 00577 const mbedtls_mpi_uint *a, size_t alen, 00578 const mbedtls_mpi_uint *b, size_t blen, 00579 const mbedtls_mpi_uint *gx, size_t gxlen, 00580 const mbedtls_mpi_uint *gy, size_t gylen, 00581 const mbedtls_mpi_uint *n, size_t nlen) 00582 { 00583 ecp_mpi_load( &grp->P , p, plen ); 00584 if( a != NULL ) 00585 ecp_mpi_load( &grp->A , a, alen ); 00586 ecp_mpi_load( &grp->B , b, blen ); 00587 ecp_mpi_load( &grp->N , n, nlen ); 00588 00589 ecp_mpi_load( &grp->G .X , gx, gxlen ); 00590 ecp_mpi_load( &grp->G .Y , gy, gylen ); 00591 ecp_mpi_set1( &grp->G .Z ); 00592 00593 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 00594 grp->nbits = mbedtls_mpi_bitlen( &grp->N ); 00595 00596 grp->h = 1; 00597 00598 return( 0 ); 00599 } 00600 00601 #if defined(MBEDTLS_ECP_NIST_OPTIM) 00602 /* Forward declarations */ 00603 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00604 static int ecp_mod_p192( mbedtls_mpi * ); 00605 #endif 00606 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00607 static int ecp_mod_p224( mbedtls_mpi * ); 00608 #endif 00609 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00610 static int ecp_mod_p256( mbedtls_mpi * ); 00611 #endif 00612 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00613 static int ecp_mod_p384( mbedtls_mpi * ); 00614 #endif 00615 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00616 static int ecp_mod_p521( mbedtls_mpi * ); 00617 #endif 00618 00619 #define NIST_MODP( P ) grp->modp = ecp_mod_ ## P; 00620 #else 00621 #define NIST_MODP( P ) 00622 #endif /* MBEDTLS_ECP_NIST_OPTIM */ 00623 00624 /* Additional forward declarations */ 00625 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00626 static int ecp_mod_p255( mbedtls_mpi * ); 00627 #endif 00628 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00629 static int ecp_mod_p192k1( mbedtls_mpi * ); 00630 #endif 00631 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00632 static int ecp_mod_p224k1( mbedtls_mpi * ); 00633 #endif 00634 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00635 static int ecp_mod_p256k1( mbedtls_mpi * ); 00636 #endif 00637 00638 #define LOAD_GROUP_A( G ) ecp_group_load( grp, \ 00639 G ## _p, sizeof( G ## _p ), \ 00640 G ## _a, sizeof( G ## _a ), \ 00641 G ## _b, sizeof( G ## _b ), \ 00642 G ## _gx, sizeof( G ## _gx ), \ 00643 G ## _gy, sizeof( G ## _gy ), \ 00644 G ## _n, sizeof( G ## _n ) ) 00645 00646 #define LOAD_GROUP( G ) ecp_group_load( grp, \ 00647 G ## _p, sizeof( G ## _p ), \ 00648 NULL, 0, \ 00649 G ## _b, sizeof( G ## _b ), \ 00650 G ## _gx, sizeof( G ## _gx ), \ 00651 G ## _gy, sizeof( G ## _gy ), \ 00652 G ## _n, sizeof( G ## _n ) ) 00653 00654 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00655 /* 00656 * Specialized function for creating the Curve25519 group 00657 */ 00658 static int ecp_use_curve25519( mbedtls_ecp_group *grp ) 00659 { 00660 int ret; 00661 00662 /* Actually ( A + 2 ) / 4 */ 00663 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A , 16, "01DB42" ) ); 00664 00665 /* P = 2^255 - 19 */ 00666 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P , 1 ) ); 00667 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P , 255 ) ); 00668 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P , &grp->P , 19 ) ); 00669 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 00670 00671 /* Y intentionaly not set, since we use x/z coordinates. 00672 * This is used as a marker to identify Montgomery curves! */ 00673 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G .X , 9 ) ); 00674 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G .Z , 1 ) ); 00675 mbedtls_mpi_free( &grp->G .Y ); 00676 00677 /* Actually, the required msb for private keys */ 00678 grp->nbits = 254; 00679 00680 cleanup: 00681 if( ret != 0 ) 00682 mbedtls_ecp_group_free( grp ); 00683 00684 return( ret ); 00685 } 00686 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 00687 00688 /* 00689 * Set a group using well-known domain parameters 00690 */ 00691 int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id ) 00692 { 00693 mbedtls_ecp_group_free( grp ); 00694 00695 grp->id = id; 00696 00697 switch( id ) 00698 { 00699 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00700 case MBEDTLS_ECP_DP_SECP192R1 : 00701 NIST_MODP( p192 ); 00702 return( LOAD_GROUP( secp192r1 ) ); 00703 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00704 00705 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00706 case MBEDTLS_ECP_DP_SECP224R1 : 00707 NIST_MODP( p224 ); 00708 return( LOAD_GROUP( secp224r1 ) ); 00709 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 00710 00711 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00712 case MBEDTLS_ECP_DP_SECP256R1 : 00713 NIST_MODP( p256 ); 00714 return( LOAD_GROUP( secp256r1 ) ); 00715 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 00716 00717 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00718 case MBEDTLS_ECP_DP_SECP384R1 : 00719 NIST_MODP( p384 ); 00720 return( LOAD_GROUP( secp384r1 ) ); 00721 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 00722 00723 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00724 case MBEDTLS_ECP_DP_SECP521R1 : 00725 NIST_MODP( p521 ); 00726 return( LOAD_GROUP( secp521r1 ) ); 00727 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 00728 00729 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00730 case MBEDTLS_ECP_DP_SECP192K1 : 00731 grp->modp = ecp_mod_p192k1; 00732 return( LOAD_GROUP_A( secp192k1 ) ); 00733 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 00734 00735 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00736 case MBEDTLS_ECP_DP_SECP224K1 : 00737 grp->modp = ecp_mod_p224k1; 00738 return( LOAD_GROUP_A( secp224k1 ) ); 00739 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 00740 00741 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00742 case MBEDTLS_ECP_DP_SECP256K1 : 00743 grp->modp = ecp_mod_p256k1; 00744 return( LOAD_GROUP_A( secp256k1 ) ); 00745 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 00746 00747 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 00748 case MBEDTLS_ECP_DP_BP256R1 : 00749 return( LOAD_GROUP_A( brainpoolP256r1 ) ); 00750 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ 00751 00752 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 00753 case MBEDTLS_ECP_DP_BP384R1 : 00754 return( LOAD_GROUP_A( brainpoolP384r1 ) ); 00755 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ 00756 00757 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 00758 case MBEDTLS_ECP_DP_BP512R1 : 00759 return( LOAD_GROUP_A( brainpoolP512r1 ) ); 00760 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ 00761 00762 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00763 case MBEDTLS_ECP_DP_CURVE25519 : 00764 grp->modp = ecp_mod_p255; 00765 return( ecp_use_curve25519( grp ) ); 00766 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 00767 00768 default: 00769 mbedtls_ecp_group_free( grp ); 00770 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); 00771 } 00772 } 00773 00774 #if defined(MBEDTLS_ECP_NIST_OPTIM) 00775 /* 00776 * Fast reduction modulo the primes used by the NIST curves. 00777 * 00778 * These functions are critical for speed, but not needed for correct 00779 * operations. So, we make the choice to heavily rely on the internals of our 00780 * bignum library, which creates a tight coupling between these functions and 00781 * our MPI implementation. However, the coupling between the ECP module and 00782 * MPI remains loose, since these functions can be deactivated at will. 00783 */ 00784 00785 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00786 /* 00787 * Compared to the way things are presented in FIPS 186-3 D.2, 00788 * we proceed in columns, from right (least significant chunk) to left, 00789 * adding chunks to N in place, and keeping a carry for the next chunk. 00790 * This avoids moving things around in memory, and uselessly adding zeros, 00791 * compared to the more straightforward, line-oriented approach. 00792 * 00793 * For this prime we need to handle data in chunks of 64 bits. 00794 * Since this is always a multiple of our basic mbedtls_mpi_uint, we can 00795 * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it. 00796 */ 00797 00798 /* Add 64-bit chunks (dst += src) and update carry */ 00799 static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry ) 00800 { 00801 unsigned char i; 00802 mbedtls_mpi_uint c = 0; 00803 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ ) 00804 { 00805 *dst += c; c = ( *dst < c ); 00806 *dst += *src; c += ( *dst < *src ); 00807 } 00808 *carry += c; 00809 } 00810 00811 /* Add carry to a 64-bit chunk and update carry */ 00812 static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry ) 00813 { 00814 unsigned char i; 00815 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ ) 00816 { 00817 *dst += *carry; 00818 *carry = ( *dst < *carry ); 00819 } 00820 } 00821 00822 #define WIDTH 8 / sizeof( mbedtls_mpi_uint ) 00823 #define A( i ) N->p + i * WIDTH 00824 #define ADD( i ) add64( p, A( i ), &c ) 00825 #define NEXT p += WIDTH; carry64( p, &c ) 00826 #define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0 00827 00828 /* 00829 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1) 00830 */ 00831 static int ecp_mod_p192( mbedtls_mpi *N ) 00832 { 00833 int ret; 00834 mbedtls_mpi_uint c = 0; 00835 mbedtls_mpi_uint *p, *end; 00836 00837 /* Make sure we have enough blocks so that A(5) is legal */ 00838 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) ); 00839 00840 p = N->p ; 00841 end = p + N->n ; 00842 00843 ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5 00844 ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5 00845 ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5 00846 00847 cleanup: 00848 return( ret ); 00849 } 00850 00851 #undef WIDTH 00852 #undef A 00853 #undef ADD 00854 #undef NEXT 00855 #undef LAST 00856 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00857 00858 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ 00859 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ 00860 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00861 /* 00862 * The reader is advised to first understand ecp_mod_p192() since the same 00863 * general structure is used here, but with additional complications: 00864 * (1) chunks of 32 bits, and (2) subtractions. 00865 */ 00866 00867 /* 00868 * For these primes, we need to handle data in chunks of 32 bits. 00869 * This makes it more complicated if we use 64 bits limbs in MPI, 00870 * which prevents us from using a uniform access method as for p192. 00871 * 00872 * So, we define a mini abstraction layer to access 32 bit chunks, 00873 * load them in 'cur' for work, and store them back from 'cur' when done. 00874 * 00875 * While at it, also define the size of N in terms of 32-bit chunks. 00876 */ 00877 #define LOAD32 cur = A( i ); 00878 00879 #if defined(MBEDTLS_HAVE_INT32) /* 32 bit */ 00880 00881 #define MAX32 N->n 00882 #define A( j ) N->p[j] 00883 #define STORE32 N->p[i] = cur; 00884 00885 #else /* 64-bit */ 00886 00887 #define MAX32 N->n * 2 00888 #define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] ) 00889 #define STORE32 \ 00890 if( i % 2 ) { \ 00891 N->p[i/2] &= 0x00000000FFFFFFFF; \ 00892 N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \ 00893 } else { \ 00894 N->p[i/2] &= 0xFFFFFFFF00000000; \ 00895 N->p[i/2] |= (mbedtls_mpi_uint) cur; \ 00896 } 00897 00898 #endif /* sizeof( mbedtls_mpi_uint ) */ 00899 00900 /* 00901 * Helpers for addition and subtraction of chunks, with signed carry. 00902 */ 00903 static inline void add32( uint32_t *dst, uint32_t src, signed char *carry ) 00904 { 00905 *dst += src; 00906 *carry += ( *dst < src ); 00907 } 00908 00909 static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry ) 00910 { 00911 *carry -= ( *dst < src ); 00912 *dst -= src; 00913 } 00914 00915 #define ADD( j ) add32( &cur, A( j ), &c ); 00916 #define SUB( j ) sub32( &cur, A( j ), &c ); 00917 00918 /* 00919 * Helpers for the main 'loop' 00920 * (see fix_negative for the motivation of C) 00921 */ 00922 #define INIT( b ) \ 00923 int ret; \ 00924 signed char c = 0, cc; \ 00925 uint32_t cur; \ 00926 size_t i = 0, bits = b; \ 00927 mbedtls_mpi C; \ 00928 mbedtls_mpi_uint Cp[ b / 8 / sizeof( mbedtls_mpi_uint) + 1 ]; \ 00929 \ 00930 C.s = 1; \ 00931 C.n = b / 8 / sizeof( mbedtls_mpi_uint) + 1; \ 00932 C.p = Cp; \ 00933 memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) ); \ 00934 \ 00935 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, b * 2 / 8 / sizeof( mbedtls_mpi_uint ) ) ); \ 00936 LOAD32; 00937 00938 #define NEXT \ 00939 STORE32; i++; LOAD32; \ 00940 cc = c; c = 0; \ 00941 if( cc < 0 ) \ 00942 sub32( &cur, -cc, &c ); \ 00943 else \ 00944 add32( &cur, cc, &c ); \ 00945 00946 #define LAST \ 00947 STORE32; i++; \ 00948 cur = c > 0 ? c : 0; STORE32; \ 00949 cur = 0; while( ++i < MAX32 ) { STORE32; } \ 00950 if( c < 0 ) fix_negative( N, c, &C, bits ); 00951 00952 /* 00953 * If the result is negative, we get it in the form 00954 * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits' 00955 */ 00956 static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits ) 00957 { 00958 int ret; 00959 00960 /* C = - c * 2^(bits + 32) */ 00961 #if !defined(MBEDTLS_HAVE_INT64) 00962 ((void) bits); 00963 #else 00964 if( bits == 224 ) 00965 C->p [ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32; 00966 else 00967 #endif 00968 C->p [ C->n - 1 ] = (mbedtls_mpi_uint) -c; 00969 00970 /* N = - ( C - N ) */ 00971 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) ); 00972 N->s = -1; 00973 00974 cleanup: 00975 00976 return( ret ); 00977 } 00978 00979 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00980 /* 00981 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2) 00982 */ 00983 static int ecp_mod_p224( mbedtls_mpi *N ) 00984 { 00985 INIT( 224 ); 00986 00987 SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11 00988 SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12 00989 SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13 00990 SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11 00991 SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12 00992 SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13 00993 SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10 00994 00995 cleanup: 00996 return( ret ); 00997 } 00998 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 00999 01000 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 01001 /* 01002 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3) 01003 */ 01004 static int ecp_mod_p256( mbedtls_mpi *N ) 01005 { 01006 INIT( 256 ); 01007 01008 ADD( 8 ); ADD( 9 ); 01009 SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0 01010 01011 ADD( 9 ); ADD( 10 ); 01012 SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1 01013 01014 ADD( 10 ); ADD( 11 ); 01015 SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2 01016 01017 ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 ); 01018 SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3 01019 01020 ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 ); 01021 SUB( 9 ); SUB( 10 ); NEXT; // A4 01022 01023 ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 ); 01024 SUB( 10 ); SUB( 11 ); NEXT; // A5 01025 01026 ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 ); 01027 SUB( 8 ); SUB( 9 ); NEXT; // A6 01028 01029 ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 ); 01030 SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7 01031 01032 cleanup: 01033 return( ret ); 01034 } 01035 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 01036 01037 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 01038 /* 01039 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4) 01040 */ 01041 static int ecp_mod_p384( mbedtls_mpi *N ) 01042 { 01043 INIT( 384 ); 01044 01045 ADD( 12 ); ADD( 21 ); ADD( 20 ); 01046 SUB( 23 ); NEXT; // A0 01047 01048 ADD( 13 ); ADD( 22 ); ADD( 23 ); 01049 SUB( 12 ); SUB( 20 ); NEXT; // A2 01050 01051 ADD( 14 ); ADD( 23 ); 01052 SUB( 13 ); SUB( 21 ); NEXT; // A2 01053 01054 ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 ); 01055 SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3 01056 01057 ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 ); 01058 SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4 01059 01060 ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 ); 01061 SUB( 16 ); NEXT; // A5 01062 01063 ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 ); 01064 SUB( 17 ); NEXT; // A6 01065 01066 ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 ); 01067 SUB( 18 ); NEXT; // A7 01068 01069 ADD( 20 ); ADD( 17 ); ADD( 16 ); 01070 SUB( 19 ); NEXT; // A8 01071 01072 ADD( 21 ); ADD( 18 ); ADD( 17 ); 01073 SUB( 20 ); NEXT; // A9 01074 01075 ADD( 22 ); ADD( 19 ); ADD( 18 ); 01076 SUB( 21 ); NEXT; // A10 01077 01078 ADD( 23 ); ADD( 20 ); ADD( 19 ); 01079 SUB( 22 ); LAST; // A11 01080 01081 cleanup: 01082 return( ret ); 01083 } 01084 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 01085 01086 #undef A 01087 #undef LOAD32 01088 #undef STORE32 01089 #undef MAX32 01090 #undef INIT 01091 #undef NEXT 01092 #undef LAST 01093 01094 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED || 01095 MBEDTLS_ECP_DP_SECP256R1_ENABLED || 01096 MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 01097 01098 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 01099 /* 01100 * Here we have an actual Mersenne prime, so things are more straightforward. 01101 * However, chunks are aligned on a 'weird' boundary (521 bits). 01102 */ 01103 01104 /* Size of p521 in terms of mbedtls_mpi_uint */ 01105 #define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 ) 01106 01107 /* Bits to keep in the most significant mbedtls_mpi_uint */ 01108 #define P521_MASK 0x01FF 01109 01110 /* 01111 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5) 01112 * Write N as A1 + 2^521 A0, return A0 + A1 01113 */ 01114 static int ecp_mod_p521( mbedtls_mpi *N ) 01115 { 01116 int ret; 01117 size_t i; 01118 mbedtls_mpi M; 01119 mbedtls_mpi_uint Mp[P521_WIDTH + 1]; 01120 /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits: 01121 * we need to hold bits 513 to 1056, which is 34 limbs, that is 01122 * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */ 01123 01124 if( N->n < P521_WIDTH ) 01125 return( 0 ); 01126 01127 /* M = A1 */ 01128 M.s = 1; 01129 M.n = N->n - ( P521_WIDTH - 1 ); 01130 if( M.n > P521_WIDTH + 1 ) 01131 M.n = P521_WIDTH + 1; 01132 M.p = Mp; 01133 memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) ); 01134 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) ); 01135 01136 /* N = A0 */ 01137 N->p [P521_WIDTH - 1] &= P521_MASK; 01138 for( i = P521_WIDTH; i < N->n ; i++ ) 01139 N->p [i] = 0; 01140 01141 /* N = A0 + A1 */ 01142 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01143 01144 cleanup: 01145 return( ret ); 01146 } 01147 01148 #undef P521_WIDTH 01149 #undef P521_MASK 01150 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 01151 01152 #endif /* MBEDTLS_ECP_NIST_OPTIM */ 01153 01154 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 01155 01156 /* Size of p255 in terms of mbedtls_mpi_uint */ 01157 #define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 ) 01158 01159 /* 01160 * Fast quasi-reduction modulo p255 = 2^255 - 19 01161 * Write N as A0 + 2^255 A1, return A0 + 19 * A1 01162 */ 01163 static int ecp_mod_p255( mbedtls_mpi *N ) 01164 { 01165 int ret; 01166 size_t i; 01167 mbedtls_mpi M; 01168 mbedtls_mpi_uint Mp[P255_WIDTH + 2]; 01169 01170 if( N->n < P255_WIDTH ) 01171 return( 0 ); 01172 01173 /* M = A1 */ 01174 M.s = 1; 01175 M.n = N->n - ( P255_WIDTH - 1 ); 01176 if( M.n > P255_WIDTH + 1 ) 01177 M.n = P255_WIDTH + 1; 01178 M.p = Mp; 01179 memset( Mp, 0, sizeof Mp ); 01180 memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) ); 01181 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) ); 01182 M.n ++; /* Make room for multiplication by 19 */ 01183 01184 /* N = A0 */ 01185 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) ); 01186 for( i = P255_WIDTH; i < N->n ; i++ ) 01187 N->p [i] = 0; 01188 01189 /* N = A0 + 19 * A1 */ 01190 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) ); 01191 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01192 01193 cleanup: 01194 return( ret ); 01195 } 01196 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 01197 01198 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \ 01199 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \ 01200 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 01201 /* 01202 * Fast quasi-reduction modulo P = 2^s - R, 01203 * with R about 33 bits, used by the Koblitz curves. 01204 * 01205 * Write N as A0 + 2^224 A1, return A0 + R * A1. 01206 * Actually do two passes, since R is big. 01207 */ 01208 #define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P 01209 #define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R 01210 static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs, 01211 size_t adjust, size_t shift, mbedtls_mpi_uint mask ) 01212 { 01213 int ret; 01214 size_t i; 01215 mbedtls_mpi M, R; 01216 mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R]; 01217 01218 if( N->n < p_limbs ) 01219 return( 0 ); 01220 01221 /* Init R */ 01222 R.s = 1; 01223 R.p = Rp; 01224 R.n = P_KOBLITZ_R; 01225 01226 /* Common setup for M */ 01227 M.s = 1; 01228 M.p = Mp; 01229 01230 /* M = A1 */ 01231 M.n = N->n - ( p_limbs - adjust ); 01232 if( M.n > p_limbs + adjust ) 01233 M.n = p_limbs + adjust; 01234 memset( Mp, 0, sizeof Mp ); 01235 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) ); 01236 if( shift != 0 ) 01237 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) ); 01238 M.n += R.n - adjust; /* Make room for multiplication by R */ 01239 01240 /* N = A0 */ 01241 if( mask != 0 ) 01242 N->p [p_limbs - 1] &= mask; 01243 for( i = p_limbs; i < N->n ; i++ ) 01244 N->p [i] = 0; 01245 01246 /* N = A0 + R * A1 */ 01247 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) ); 01248 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01249 01250 /* Second pass */ 01251 01252 /* M = A1 */ 01253 M.n = N->n - ( p_limbs - adjust ); 01254 if( M.n > p_limbs + adjust ) 01255 M.n = p_limbs + adjust; 01256 memset( Mp, 0, sizeof Mp ); 01257 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) ); 01258 if( shift != 0 ) 01259 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) ); 01260 M.n += R.n - adjust; /* Make room for multiplication by R */ 01261 01262 /* N = A0 */ 01263 if( mask != 0 ) 01264 N->p [p_limbs - 1] &= mask; 01265 for( i = p_limbs; i < N->n ; i++ ) 01266 N->p [i] = 0; 01267 01268 /* N = A0 + R * A1 */ 01269 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) ); 01270 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01271 01272 cleanup: 01273 return( ret ); 01274 } 01275 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) || 01276 MBEDTLS_ECP_DP_SECP224K1_ENABLED) || 01277 MBEDTLS_ECP_DP_SECP256K1_ENABLED) */ 01278 01279 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 01280 /* 01281 * Fast quasi-reduction modulo p192k1 = 2^192 - R, 01282 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119 01283 */ 01284 static int ecp_mod_p192k1( mbedtls_mpi *N ) 01285 { 01286 static mbedtls_mpi_uint Rp[] = { 01287 BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01288 01289 return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01290 } 01291 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 01292 01293 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 01294 /* 01295 * Fast quasi-reduction modulo p224k1 = 2^224 - R, 01296 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93 01297 */ 01298 static int ecp_mod_p224k1( mbedtls_mpi *N ) 01299 { 01300 static mbedtls_mpi_uint Rp[] = { 01301 BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01302 01303 #if defined(MBEDTLS_HAVE_INT64) 01304 return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) ); 01305 #else 01306 return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01307 #endif 01308 } 01309 01310 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 01311 01312 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 01313 /* 01314 * Fast quasi-reduction modulo p256k1 = 2^256 - R, 01315 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1 01316 */ 01317 static int ecp_mod_p256k1( mbedtls_mpi *N ) 01318 { 01319 static mbedtls_mpi_uint Rp[] = { 01320 BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01321 return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01322 } 01323 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 01324 01325 #endif /* MBEDTLS_ECP_C */
Generated on Tue Jul 12 2022 12:52:43 by
1.7.2