sandbox
/
mbedtls
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
mbedtls
by 
Christopher Haster
Embed:
(wiki syntax)
Show/hide line numbers
ecp_curves.c
00001 /* 00002 * Elliptic curves over GF(p): curve-specific data and functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_ECP_C) 00029 00030 #include "mbedtls/ecp.h" 00031 00032 #include <string.h> 00033 00034 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ 00035 !defined(inline) && !defined(__cplusplus) 00036 #define inline __inline 00037 #endif 00038 00039 /* 00040 * Conversion macros for embedded constants: 00041 * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2 00042 */ 00043 #if defined(MBEDTLS_HAVE_INT32) 00044 00045 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00046 ( (mbedtls_mpi_uint) a << 0 ) | \ 00047 ( (mbedtls_mpi_uint) b << 8 ) | \ 00048 ( (mbedtls_mpi_uint) c << 16 ) | \ 00049 ( (mbedtls_mpi_uint) d << 24 ) 00050 00051 #define BYTES_TO_T_UINT_2( a, b ) \ 00052 BYTES_TO_T_UINT_4( a, b, 0, 0 ) 00053 00054 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00055 BYTES_TO_T_UINT_4( a, b, c, d ), \ 00056 BYTES_TO_T_UINT_4( e, f, g, h ) 00057 00058 #else /* 64-bits */ 00059 00060 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00061 ( (mbedtls_mpi_uint) a << 0 ) | \ 00062 ( (mbedtls_mpi_uint) b << 8 ) | \ 00063 ( (mbedtls_mpi_uint) c << 16 ) | \ 00064 ( (mbedtls_mpi_uint) d << 24 ) | \ 00065 ( (mbedtls_mpi_uint) e << 32 ) | \ 00066 ( (mbedtls_mpi_uint) f << 40 ) | \ 00067 ( (mbedtls_mpi_uint) g << 48 ) | \ 00068 ( (mbedtls_mpi_uint) h << 56 ) 00069 00070 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00071 BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 ) 00072 00073 #define BYTES_TO_T_UINT_2( a, b ) \ 00074 BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 ) 00075 00076 #endif /* bits in mbedtls_mpi_uint */ 00077 00078 /* 00079 * Note: the constants are in little-endian order 00080 * to be directly usable in MPIs 00081 */ 00082 00083 /* 00084 * Domain parameters for secp192r1 00085 */ 00086 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00087 static const mbedtls_mpi_uint secp192r1_p[] = { 00088 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00089 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00090 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00091 }; 00092 static const mbedtls_mpi_uint secp192r1_b[] = { 00093 BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ), 00094 BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ), 00095 BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ), 00096 }; 00097 static const mbedtls_mpi_uint secp192r1_gx[] = { 00098 BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ), 00099 BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ), 00100 BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ), 00101 }; 00102 static const mbedtls_mpi_uint secp192r1_gy[] = { 00103 BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ), 00104 BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ), 00105 BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ), 00106 }; 00107 static const mbedtls_mpi_uint secp192r1_n[] = { 00108 BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ), 00109 BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ), 00110 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00111 }; 00112 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00113 00114 /* 00115 * Domain parameters for secp224r1 00116 */ 00117 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00118 static const mbedtls_mpi_uint secp224r1_p[] = { 00119 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00120 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00121 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00122 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00123 }; 00124 static const mbedtls_mpi_uint secp224r1_b[] = { 00125 BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ), 00126 BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ), 00127 BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ), 00128 BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ), 00129 }; 00130 static const mbedtls_mpi_uint secp224r1_gx[] = { 00131 BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ), 00132 BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ), 00133 BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ), 00134 BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ), 00135 }; 00136 static const mbedtls_mpi_uint secp224r1_gy[] = { 00137 BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ), 00138 BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ), 00139 BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ), 00140 BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ), 00141 }; 00142 static const mbedtls_mpi_uint secp224r1_n[] = { 00143 BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ), 00144 BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ), 00145 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00146 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 00147 }; 00148 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 00149 00150 /* 00151 * Domain parameters for secp256r1 00152 */ 00153 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00154 static const mbedtls_mpi_uint secp256r1_p[] = { 00155 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00156 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00157 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00158 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00159 }; 00160 static const mbedtls_mpi_uint secp256r1_b[] = { 00161 BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ), 00162 BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ), 00163 BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ), 00164 BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ), 00165 }; 00166 static const mbedtls_mpi_uint secp256r1_gx[] = { 00167 BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ), 00168 BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ), 00169 BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ), 00170 BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ), 00171 }; 00172 static const mbedtls_mpi_uint secp256r1_gy[] = { 00173 BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ), 00174 BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ), 00175 BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ), 00176 BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ), 00177 }; 00178 static const mbedtls_mpi_uint secp256r1_n[] = { 00179 BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ), 00180 BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ), 00181 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00182 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00183 }; 00184 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 00185 00186 /* 00187 * Domain parameters for secp384r1 00188 */ 00189 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00190 static const mbedtls_mpi_uint secp384r1_p[] = { 00191 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00192 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00193 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00194 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00195 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00196 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00197 }; 00198 static const mbedtls_mpi_uint secp384r1_b[] = { 00199 BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ), 00200 BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ), 00201 BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ), 00202 BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ), 00203 BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ), 00204 BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ), 00205 }; 00206 static const mbedtls_mpi_uint secp384r1_gx[] = { 00207 BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ), 00208 BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ), 00209 BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ), 00210 BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ), 00211 BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ), 00212 BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ), 00213 }; 00214 static const mbedtls_mpi_uint secp384r1_gy[] = { 00215 BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ), 00216 BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ), 00217 BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ), 00218 BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ), 00219 BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ), 00220 BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ), 00221 }; 00222 static const mbedtls_mpi_uint secp384r1_n[] = { 00223 BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ), 00224 BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ), 00225 BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ), 00226 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00227 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00228 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00229 }; 00230 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 00231 00232 /* 00233 * Domain parameters for secp521r1 00234 */ 00235 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00236 static const mbedtls_mpi_uint secp521r1_p[] = { 00237 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00238 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00239 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00240 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00241 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00242 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00243 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00244 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00245 BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 00246 }; 00247 static const mbedtls_mpi_uint secp521r1_b[] = { 00248 BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ), 00249 BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ), 00250 BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ), 00251 BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ), 00252 BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ), 00253 BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ), 00254 BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ), 00255 BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ), 00256 BYTES_TO_T_UINT_2( 0x51, 0x00 ), 00257 }; 00258 static const mbedtls_mpi_uint secp521r1_gx[] = { 00259 BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ), 00260 BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ), 00261 BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ), 00262 BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ), 00263 BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ), 00264 BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ), 00265 BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ), 00266 BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ), 00267 BYTES_TO_T_UINT_2( 0xC6, 0x00 ), 00268 }; 00269 static const mbedtls_mpi_uint secp521r1_gy[] = { 00270 BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ), 00271 BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ), 00272 BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ), 00273 BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ), 00274 BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ), 00275 BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ), 00276 BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ), 00277 BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ), 00278 BYTES_TO_T_UINT_2( 0x18, 0x01 ), 00279 }; 00280 static const mbedtls_mpi_uint secp521r1_n[] = { 00281 BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ), 00282 BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ), 00283 BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ), 00284 BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ), 00285 BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00286 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00287 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00288 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00289 BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 00290 }; 00291 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 00292 00293 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00294 static const mbedtls_mpi_uint secp192k1_p[] = { 00295 BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00296 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00297 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00298 }; 00299 static const mbedtls_mpi_uint secp192k1_a[] = { 00300 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00301 }; 00302 static const mbedtls_mpi_uint secp192k1_b[] = { 00303 BYTES_TO_T_UINT_2( 0x03, 0x00 ), 00304 }; 00305 static const mbedtls_mpi_uint secp192k1_gx[] = { 00306 BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ), 00307 BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ), 00308 BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ), 00309 }; 00310 static const mbedtls_mpi_uint secp192k1_gy[] = { 00311 BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ), 00312 BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ), 00313 BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ), 00314 }; 00315 static const mbedtls_mpi_uint secp192k1_n[] = { 00316 BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ), 00317 BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ), 00318 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00319 }; 00320 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 00321 00322 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00323 static const mbedtls_mpi_uint secp224k1_p[] = { 00324 BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00325 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00326 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00327 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 00328 }; 00329 static const mbedtls_mpi_uint secp224k1_a[] = { 00330 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00331 }; 00332 static const mbedtls_mpi_uint secp224k1_b[] = { 00333 BYTES_TO_T_UINT_2( 0x05, 0x00 ), 00334 }; 00335 static const mbedtls_mpi_uint secp224k1_gx[] = { 00336 BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ), 00337 BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ), 00338 BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ), 00339 BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ), 00340 }; 00341 static const mbedtls_mpi_uint secp224k1_gy[] = { 00342 BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ), 00343 BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ), 00344 BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ), 00345 BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ), 00346 }; 00347 static const mbedtls_mpi_uint secp224k1_n[] = { 00348 BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ), 00349 BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ), 00350 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00351 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ), 00352 }; 00353 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 00354 00355 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00356 static const mbedtls_mpi_uint secp256k1_p[] = { 00357 BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00358 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00359 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00360 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00361 }; 00362 static const mbedtls_mpi_uint secp256k1_a[] = { 00363 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00364 }; 00365 static const mbedtls_mpi_uint secp256k1_b[] = { 00366 BYTES_TO_T_UINT_2( 0x07, 0x00 ), 00367 }; 00368 static const mbedtls_mpi_uint secp256k1_gx[] = { 00369 BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ), 00370 BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ), 00371 BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ), 00372 BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ), 00373 }; 00374 static const mbedtls_mpi_uint secp256k1_gy[] = { 00375 BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ), 00376 BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ), 00377 BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ), 00378 BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ), 00379 }; 00380 static const mbedtls_mpi_uint secp256k1_n[] = { 00381 BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ), 00382 BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ), 00383 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00384 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00385 }; 00386 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 00387 00388 /* 00389 * Domain parameters for brainpoolP256r1 (RFC 5639 3.4) 00390 */ 00391 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 00392 static const mbedtls_mpi_uint brainpoolP256r1_p[] = { 00393 BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ), 00394 BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ), 00395 BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 00396 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 00397 }; 00398 static const mbedtls_mpi_uint brainpoolP256r1_a[] = { 00399 BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ), 00400 BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ), 00401 BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ), 00402 BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ), 00403 }; 00404 static const mbedtls_mpi_uint brainpoolP256r1_b[] = { 00405 BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ), 00406 BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ), 00407 BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ), 00408 BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ), 00409 }; 00410 static const mbedtls_mpi_uint brainpoolP256r1_gx[] = { 00411 BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ), 00412 BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ), 00413 BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ), 00414 BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ), 00415 }; 00416 static const mbedtls_mpi_uint brainpoolP256r1_gy[] = { 00417 BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ), 00418 BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ), 00419 BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ), 00420 BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ), 00421 }; 00422 static const mbedtls_mpi_uint brainpoolP256r1_n[] = { 00423 BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ), 00424 BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ), 00425 BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 00426 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 00427 }; 00428 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ 00429 00430 /* 00431 * Domain parameters for brainpoolP384r1 (RFC 5639 3.6) 00432 */ 00433 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 00434 static const mbedtls_mpi_uint brainpoolP384r1_p[] = { 00435 BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ), 00436 BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ), 00437 BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ), 00438 BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 00439 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 00440 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 00441 }; 00442 static const mbedtls_mpi_uint brainpoolP384r1_a[] = { 00443 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 00444 BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ), 00445 BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ), 00446 BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ), 00447 BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ), 00448 BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ), 00449 }; 00450 static const mbedtls_mpi_uint brainpoolP384r1_b[] = { 00451 BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ), 00452 BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ), 00453 BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ), 00454 BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ), 00455 BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ), 00456 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 00457 }; 00458 static const mbedtls_mpi_uint brainpoolP384r1_gx[] = { 00459 BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ), 00460 BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ), 00461 BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ), 00462 BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ), 00463 BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ), 00464 BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ), 00465 }; 00466 static const mbedtls_mpi_uint brainpoolP384r1_gy[] = { 00467 BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ), 00468 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ), 00469 BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ), 00470 BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ), 00471 BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ), 00472 BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ), 00473 }; 00474 static const mbedtls_mpi_uint brainpoolP384r1_n[] = { 00475 BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ), 00476 BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ), 00477 BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ), 00478 BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 00479 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 00480 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 00481 }; 00482 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ 00483 00484 /* 00485 * Domain parameters for brainpoolP512r1 (RFC 5639 3.7) 00486 */ 00487 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 00488 static const mbedtls_mpi_uint brainpoolP512r1_p[] = { 00489 BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ), 00490 BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ), 00491 BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ), 00492 BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ), 00493 BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 00494 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 00495 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 00496 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 00497 }; 00498 static const mbedtls_mpi_uint brainpoolP512r1_a[] = { 00499 BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ), 00500 BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ), 00501 BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ), 00502 BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ), 00503 BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ), 00504 BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ), 00505 BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ), 00506 BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ), 00507 }; 00508 static const mbedtls_mpi_uint brainpoolP512r1_b[] = { 00509 BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ), 00510 BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ), 00511 BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ), 00512 BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ), 00513 BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ), 00514 BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ), 00515 BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ), 00516 BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ), 00517 }; 00518 static const mbedtls_mpi_uint brainpoolP512r1_gx[] = { 00519 BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ), 00520 BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ), 00521 BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ), 00522 BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ), 00523 BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ), 00524 BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ), 00525 BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ), 00526 BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ), 00527 }; 00528 static const mbedtls_mpi_uint brainpoolP512r1_gy[] = { 00529 BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ), 00530 BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ), 00531 BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ), 00532 BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ), 00533 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ), 00534 BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ), 00535 BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ), 00536 BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ), 00537 }; 00538 static const mbedtls_mpi_uint brainpoolP512r1_n[] = { 00539 BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ), 00540 BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ), 00541 BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ), 00542 BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ), 00543 BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 00544 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 00545 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 00546 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 00547 }; 00548 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ 00549 00550 /* 00551 * Create an MPI from embedded constants 00552 * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint) 00553 */ 00554 static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len ) 00555 { 00556 X->s = 1; 00557 X->n = len / sizeof( mbedtls_mpi_uint ); 00558 X->p = (mbedtls_mpi_uint *) p; 00559 } 00560 00561 /* 00562 * Set an MPI to static value 1 00563 */ 00564 static inline void ecp_mpi_set1( mbedtls_mpi *X ) 00565 { 00566 static mbedtls_mpi_uint one[] = { 1 }; 00567 X->s = 1; 00568 X->n = 1; 00569 X->p = one; 00570 } 00571 00572 /* 00573 * Make group available from embedded constants 00574 */ 00575 static int ecp_group_load( mbedtls_ecp_group *grp, 00576 const mbedtls_mpi_uint *p, size_t plen, 00577 const mbedtls_mpi_uint *a, size_t alen, 00578 const mbedtls_mpi_uint *b, size_t blen, 00579 const mbedtls_mpi_uint *gx, size_t gxlen, 00580 const mbedtls_mpi_uint *gy, size_t gylen, 00581 const mbedtls_mpi_uint *n, size_t nlen) 00582 { 00583 ecp_mpi_load( &grp->P , p, plen ); 00584 if( a != NULL ) 00585 ecp_mpi_load( &grp->A , a, alen ); 00586 ecp_mpi_load( &grp->B , b, blen ); 00587 ecp_mpi_load( &grp->N , n, nlen ); 00588 00589 ecp_mpi_load( &grp->G .X , gx, gxlen ); 00590 ecp_mpi_load( &grp->G .Y , gy, gylen ); 00591 ecp_mpi_set1( &grp->G .Z ); 00592 00593 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 00594 grp->nbits = mbedtls_mpi_bitlen( &grp->N ); 00595 00596 grp->h = 1; 00597 00598 return( 0 ); 00599 } 00600 00601 #if defined(MBEDTLS_ECP_NIST_OPTIM) 00602 /* Forward declarations */ 00603 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00604 static int ecp_mod_p192( mbedtls_mpi * ); 00605 #endif 00606 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00607 static int ecp_mod_p224( mbedtls_mpi * ); 00608 #endif 00609 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00610 static int ecp_mod_p256( mbedtls_mpi * ); 00611 #endif 00612 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00613 static int ecp_mod_p384( mbedtls_mpi * ); 00614 #endif 00615 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00616 static int ecp_mod_p521( mbedtls_mpi * ); 00617 #endif 00618 00619 #define NIST_MODP( P ) grp->modp = ecp_mod_ ## P; 00620 #else 00621 #define NIST_MODP( P ) 00622 #endif /* MBEDTLS_ECP_NIST_OPTIM */ 00623 00624 /* Additional forward declarations */ 00625 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00626 static int ecp_mod_p255( mbedtls_mpi * ); 00627 #endif 00628 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00629 static int ecp_mod_p192k1( mbedtls_mpi * ); 00630 #endif 00631 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00632 static int ecp_mod_p224k1( mbedtls_mpi * ); 00633 #endif 00634 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00635 static int ecp_mod_p256k1( mbedtls_mpi * ); 00636 #endif 00637 00638 #define LOAD_GROUP_A( G ) ecp_group_load( grp, \ 00639 G ## _p, sizeof( G ## _p ), \ 00640 G ## _a, sizeof( G ## _a ), \ 00641 G ## _b, sizeof( G ## _b ), \ 00642 G ## _gx, sizeof( G ## _gx ), \ 00643 G ## _gy, sizeof( G ## _gy ), \ 00644 G ## _n, sizeof( G ## _n ) ) 00645 00646 #define LOAD_GROUP( G ) ecp_group_load( grp, \ 00647 G ## _p, sizeof( G ## _p ), \ 00648 NULL, 0, \ 00649 G ## _b, sizeof( G ## _b ), \ 00650 G ## _gx, sizeof( G ## _gx ), \ 00651 G ## _gy, sizeof( G ## _gy ), \ 00652 G ## _n, sizeof( G ## _n ) ) 00653 00654 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00655 /* 00656 * Specialized function for creating the Curve25519 group 00657 */ 00658 static int ecp_use_curve25519( mbedtls_ecp_group *grp ) 00659 { 00660 int ret; 00661 00662 /* Actually ( A + 2 ) / 4 */ 00663 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A , 16, "01DB42" ) ); 00664 00665 /* P = 2^255 - 19 */ 00666 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P , 1 ) ); 00667 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P , 255 ) ); 00668 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P , &grp->P , 19 ) ); 00669 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 00670 00671 /* Y intentionaly not set, since we use x/z coordinates. 00672 * This is used as a marker to identify Montgomery curves! */ 00673 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G .X , 9 ) ); 00674 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G .Z , 1 ) ); 00675 mbedtls_mpi_free( &grp->G .Y ); 00676 00677 /* Actually, the required msb for private keys */ 00678 grp->nbits = 254; 00679 00680 cleanup: 00681 if( ret != 0 ) 00682 mbedtls_ecp_group_free( grp ); 00683 00684 return( ret ); 00685 } 00686 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 00687 00688 /* 00689 * Set a group using well-known domain parameters 00690 */ 00691 int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id ) 00692 { 00693 mbedtls_ecp_group_free( grp ); 00694 00695 grp->id = id; 00696 00697 switch( id ) 00698 { 00699 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00700 case MBEDTLS_ECP_DP_SECP192R1 : 00701 NIST_MODP( p192 ); 00702 return( LOAD_GROUP( secp192r1 ) ); 00703 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00704 00705 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00706 case MBEDTLS_ECP_DP_SECP224R1 : 00707 NIST_MODP( p224 ); 00708 return( LOAD_GROUP( secp224r1 ) ); 00709 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 00710 00711 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00712 case MBEDTLS_ECP_DP_SECP256R1 : 00713 NIST_MODP( p256 ); 00714 return( LOAD_GROUP( secp256r1 ) ); 00715 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 00716 00717 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00718 case MBEDTLS_ECP_DP_SECP384R1 : 00719 NIST_MODP( p384 ); 00720 return( LOAD_GROUP( secp384r1 ) ); 00721 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 00722 00723 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00724 case MBEDTLS_ECP_DP_SECP521R1 : 00725 NIST_MODP( p521 ); 00726 return( LOAD_GROUP( secp521r1 ) ); 00727 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 00728 00729 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00730 case MBEDTLS_ECP_DP_SECP192K1 : 00731 grp->modp = ecp_mod_p192k1; 00732 return( LOAD_GROUP_A( secp192k1 ) ); 00733 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 00734 00735 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00736 case MBEDTLS_ECP_DP_SECP224K1 : 00737 grp->modp = ecp_mod_p224k1; 00738 return( LOAD_GROUP_A( secp224k1 ) ); 00739 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 00740 00741 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00742 case MBEDTLS_ECP_DP_SECP256K1 : 00743 grp->modp = ecp_mod_p256k1; 00744 return( LOAD_GROUP_A( secp256k1 ) ); 00745 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 00746 00747 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 00748 case MBEDTLS_ECP_DP_BP256R1 : 00749 return( LOAD_GROUP_A( brainpoolP256r1 ) ); 00750 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ 00751 00752 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 00753 case MBEDTLS_ECP_DP_BP384R1 : 00754 return( LOAD_GROUP_A( brainpoolP384r1 ) ); 00755 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ 00756 00757 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 00758 case MBEDTLS_ECP_DP_BP512R1 : 00759 return( LOAD_GROUP_A( brainpoolP512r1 ) ); 00760 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ 00761 00762 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00763 case MBEDTLS_ECP_DP_CURVE25519 : 00764 grp->modp = ecp_mod_p255; 00765 return( ecp_use_curve25519( grp ) ); 00766 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 00767 00768 default: 00769 mbedtls_ecp_group_free( grp ); 00770 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); 00771 } 00772 } 00773 00774 #if defined(MBEDTLS_ECP_NIST_OPTIM) 00775 /* 00776 * Fast reduction modulo the primes used by the NIST curves. 00777 * 00778 * These functions are critical for speed, but not needed for correct 00779 * operations. So, we make the choice to heavily rely on the internals of our 00780 * bignum library, which creates a tight coupling between these functions and 00781 * our MPI implementation. However, the coupling between the ECP module and 00782 * MPI remains loose, since these functions can be deactivated at will. 00783 */ 00784 00785 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00786 /* 00787 * Compared to the way things are presented in FIPS 186-3 D.2, 00788 * we proceed in columns, from right (least significant chunk) to left, 00789 * adding chunks to N in place, and keeping a carry for the next chunk. 00790 * This avoids moving things around in memory, and uselessly adding zeros, 00791 * compared to the more straightforward, line-oriented approach. 00792 * 00793 * For this prime we need to handle data in chunks of 64 bits. 00794 * Since this is always a multiple of our basic mbedtls_mpi_uint, we can 00795 * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it. 00796 */ 00797 00798 /* Add 64-bit chunks (dst += src) and update carry */ 00799 static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry ) 00800 { 00801 unsigned char i; 00802 mbedtls_mpi_uint c = 0; 00803 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ ) 00804 { 00805 *dst += c; c = ( *dst < c ); 00806 *dst += *src; c += ( *dst < *src ); 00807 } 00808 *carry += c; 00809 } 00810 00811 /* Add carry to a 64-bit chunk and update carry */ 00812 static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry ) 00813 { 00814 unsigned char i; 00815 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ ) 00816 { 00817 *dst += *carry; 00818 *carry = ( *dst < *carry ); 00819 } 00820 } 00821 00822 #define WIDTH 8 / sizeof( mbedtls_mpi_uint ) 00823 #define A( i ) N->p + i * WIDTH 00824 #define ADD( i ) add64( p, A( i ), &c ) 00825 #define NEXT p += WIDTH; carry64( p, &c ) 00826 #define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0 00827 00828 /* 00829 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1) 00830 */ 00831 static int ecp_mod_p192( mbedtls_mpi *N ) 00832 { 00833 int ret; 00834 mbedtls_mpi_uint c = 0; 00835 mbedtls_mpi_uint *p, *end; 00836 00837 /* Make sure we have enough blocks so that A(5) is legal */ 00838 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) ); 00839 00840 p = N->p ; 00841 end = p + N->n ; 00842 00843 ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5 00844 ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5 00845 ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5 00846 00847 cleanup: 00848 return( ret ); 00849 } 00850 00851 #undef WIDTH 00852 #undef A 00853 #undef ADD 00854 #undef NEXT 00855 #undef LAST 00856 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00857 00858 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ 00859 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ 00860 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00861 /* 00862 * The reader is advised to first understand ecp_mod_p192() since the same 00863 * general structure is used here, but with additional complications: 00864 * (1) chunks of 32 bits, and (2) subtractions. 00865 */ 00866 00867 /* 00868 * For these primes, we need to handle data in chunks of 32 bits. 00869 * This makes it more complicated if we use 64 bits limbs in MPI, 00870 * which prevents us from using a uniform access method as for p192. 00871 * 00872 * So, we define a mini abstraction layer to access 32 bit chunks, 00873 * load them in 'cur' for work, and store them back from 'cur' when done. 00874 * 00875 * While at it, also define the size of N in terms of 32-bit chunks. 00876 */ 00877 #define LOAD32 cur = A( i ); 00878 00879 #if defined(MBEDTLS_HAVE_INT32) /* 32 bit */ 00880 00881 #define MAX32 N->n 00882 #define A( j ) N->p[j] 00883 #define STORE32 N->p[i] = cur; 00884 00885 #else /* 64-bit */ 00886 00887 #define MAX32 N->n * 2 00888 #define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] ) 00889 #define STORE32 \ 00890 if( i % 2 ) { \ 00891 N->p[i/2] &= 0x00000000FFFFFFFF; \ 00892 N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \ 00893 } else { \ 00894 N->p[i/2] &= 0xFFFFFFFF00000000; \ 00895 N->p[i/2] |= (mbedtls_mpi_uint) cur; \ 00896 } 00897 00898 #endif /* sizeof( mbedtls_mpi_uint ) */ 00899 00900 /* 00901 * Helpers for addition and subtraction of chunks, with signed carry. 00902 */ 00903 static inline void add32( uint32_t *dst, uint32_t src, signed char *carry ) 00904 { 00905 *dst += src; 00906 *carry += ( *dst < src ); 00907 } 00908 00909 static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry ) 00910 { 00911 *carry -= ( *dst < src ); 00912 *dst -= src; 00913 } 00914 00915 #define ADD( j ) add32( &cur, A( j ), &c ); 00916 #define SUB( j ) sub32( &cur, A( j ), &c ); 00917 00918 /* 00919 * Helpers for the main 'loop' 00920 * (see fix_negative for the motivation of C) 00921 */ 00922 #define INIT( b ) \ 00923 int ret; \ 00924 signed char c = 0, cc; \ 00925 uint32_t cur; \ 00926 size_t i = 0, bits = b; \ 00927 mbedtls_mpi C; \ 00928 mbedtls_mpi_uint Cp[ b / 8 / sizeof( mbedtls_mpi_uint) + 1 ]; \ 00929 \ 00930 C.s = 1; \ 00931 C.n = b / 8 / sizeof( mbedtls_mpi_uint) + 1; \ 00932 C.p = Cp; \ 00933 memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) ); \ 00934 \ 00935 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, b * 2 / 8 / sizeof( mbedtls_mpi_uint ) ) ); \ 00936 LOAD32; 00937 00938 #define NEXT \ 00939 STORE32; i++; LOAD32; \ 00940 cc = c; c = 0; \ 00941 if( cc < 0 ) \ 00942 sub32( &cur, -cc, &c ); \ 00943 else \ 00944 add32( &cur, cc, &c ); \ 00945 00946 #define LAST \ 00947 STORE32; i++; \ 00948 cur = c > 0 ? c : 0; STORE32; \ 00949 cur = 0; while( ++i < MAX32 ) { STORE32; } \ 00950 if( c < 0 ) fix_negative( N, c, &C, bits ); 00951 00952 /* 00953 * If the result is negative, we get it in the form 00954 * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits' 00955 */ 00956 static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits ) 00957 { 00958 int ret; 00959 00960 /* C = - c * 2^(bits + 32) */ 00961 #if !defined(MBEDTLS_HAVE_INT64) 00962 ((void) bits); 00963 #else 00964 if( bits == 224 ) 00965 C->p [ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32; 00966 else 00967 #endif 00968 C->p [ C->n - 1 ] = (mbedtls_mpi_uint) -c; 00969 00970 /* N = - ( C - N ) */ 00971 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) ); 00972 N->s = -1; 00973 00974 cleanup: 00975 00976 return( ret ); 00977 } 00978 00979 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00980 /* 00981 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2) 00982 */ 00983 static int ecp_mod_p224( mbedtls_mpi *N ) 00984 { 00985 INIT( 224 ); 00986 00987 SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11 00988 SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12 00989 SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13 00990 SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11 00991 SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12 00992 SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13 00993 SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10 00994 00995 cleanup: 00996 return( ret ); 00997 } 00998 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 00999 01000 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 01001 /* 01002 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3) 01003 */ 01004 static int ecp_mod_p256( mbedtls_mpi *N ) 01005 { 01006 INIT( 256 ); 01007 01008 ADD( 8 ); ADD( 9 ); 01009 SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0 01010 01011 ADD( 9 ); ADD( 10 ); 01012 SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1 01013 01014 ADD( 10 ); ADD( 11 ); 01015 SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2 01016 01017 ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 ); 01018 SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3 01019 01020 ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 ); 01021 SUB( 9 ); SUB( 10 ); NEXT; // A4 01022 01023 ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 ); 01024 SUB( 10 ); SUB( 11 ); NEXT; // A5 01025 01026 ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 ); 01027 SUB( 8 ); SUB( 9 ); NEXT; // A6 01028 01029 ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 ); 01030 SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7 01031 01032 cleanup: 01033 return( ret ); 01034 } 01035 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 01036 01037 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 01038 /* 01039 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4) 01040 */ 01041 static int ecp_mod_p384( mbedtls_mpi *N ) 01042 { 01043 INIT( 384 ); 01044 01045 ADD( 12 ); ADD( 21 ); ADD( 20 ); 01046 SUB( 23 ); NEXT; // A0 01047 01048 ADD( 13 ); ADD( 22 ); ADD( 23 ); 01049 SUB( 12 ); SUB( 20 ); NEXT; // A2 01050 01051 ADD( 14 ); ADD( 23 ); 01052 SUB( 13 ); SUB( 21 ); NEXT; // A2 01053 01054 ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 ); 01055 SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3 01056 01057 ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 ); 01058 SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4 01059 01060 ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 ); 01061 SUB( 16 ); NEXT; // A5 01062 01063 ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 ); 01064 SUB( 17 ); NEXT; // A6 01065 01066 ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 ); 01067 SUB( 18 ); NEXT; // A7 01068 01069 ADD( 20 ); ADD( 17 ); ADD( 16 ); 01070 SUB( 19 ); NEXT; // A8 01071 01072 ADD( 21 ); ADD( 18 ); ADD( 17 ); 01073 SUB( 20 ); NEXT; // A9 01074 01075 ADD( 22 ); ADD( 19 ); ADD( 18 ); 01076 SUB( 21 ); NEXT; // A10 01077 01078 ADD( 23 ); ADD( 20 ); ADD( 19 ); 01079 SUB( 22 ); LAST; // A11 01080 01081 cleanup: 01082 return( ret ); 01083 } 01084 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 01085 01086 #undef A 01087 #undef LOAD32 01088 #undef STORE32 01089 #undef MAX32 01090 #undef INIT 01091 #undef NEXT 01092 #undef LAST 01093 01094 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED || 01095 MBEDTLS_ECP_DP_SECP256R1_ENABLED || 01096 MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 01097 01098 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 01099 /* 01100 * Here we have an actual Mersenne prime, so things are more straightforward. 01101 * However, chunks are aligned on a 'weird' boundary (521 bits). 01102 */ 01103 01104 /* Size of p521 in terms of mbedtls_mpi_uint */ 01105 #define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 ) 01106 01107 /* Bits to keep in the most significant mbedtls_mpi_uint */ 01108 #define P521_MASK 0x01FF 01109 01110 /* 01111 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5) 01112 * Write N as A1 + 2^521 A0, return A0 + A1 01113 */ 01114 static int ecp_mod_p521( mbedtls_mpi *N ) 01115 { 01116 int ret; 01117 size_t i; 01118 mbedtls_mpi M; 01119 mbedtls_mpi_uint Mp[P521_WIDTH + 1]; 01120 /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits: 01121 * we need to hold bits 513 to 1056, which is 34 limbs, that is 01122 * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */ 01123 01124 if( N->n < P521_WIDTH ) 01125 return( 0 ); 01126 01127 /* M = A1 */ 01128 M.s = 1; 01129 M.n = N->n - ( P521_WIDTH - 1 ); 01130 if( M.n > P521_WIDTH + 1 ) 01131 M.n = P521_WIDTH + 1; 01132 M.p = Mp; 01133 memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) ); 01134 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) ); 01135 01136 /* N = A0 */ 01137 N->p [P521_WIDTH - 1] &= P521_MASK; 01138 for( i = P521_WIDTH; i < N->n ; i++ ) 01139 N->p [i] = 0; 01140 01141 /* N = A0 + A1 */ 01142 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01143 01144 cleanup: 01145 return( ret ); 01146 } 01147 01148 #undef P521_WIDTH 01149 #undef P521_MASK 01150 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 01151 01152 #endif /* MBEDTLS_ECP_NIST_OPTIM */ 01153 01154 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 01155 01156 /* Size of p255 in terms of mbedtls_mpi_uint */ 01157 #define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 ) 01158 01159 /* 01160 * Fast quasi-reduction modulo p255 = 2^255 - 19 01161 * Write N as A0 + 2^255 A1, return A0 + 19 * A1 01162 */ 01163 static int ecp_mod_p255( mbedtls_mpi *N ) 01164 { 01165 int ret; 01166 size_t i; 01167 mbedtls_mpi M; 01168 mbedtls_mpi_uint Mp[P255_WIDTH + 2]; 01169 01170 if( N->n < P255_WIDTH ) 01171 return( 0 ); 01172 01173 /* M = A1 */ 01174 M.s = 1; 01175 M.n = N->n - ( P255_WIDTH - 1 ); 01176 if( M.n > P255_WIDTH + 1 ) 01177 M.n = P255_WIDTH + 1; 01178 M.p = Mp; 01179 memset( Mp, 0, sizeof Mp ); 01180 memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) ); 01181 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) ); 01182 M.n ++; /* Make room for multiplication by 19 */ 01183 01184 /* N = A0 */ 01185 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) ); 01186 for( i = P255_WIDTH; i < N->n ; i++ ) 01187 N->p [i] = 0; 01188 01189 /* N = A0 + 19 * A1 */ 01190 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) ); 01191 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01192 01193 cleanup: 01194 return( ret ); 01195 } 01196 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 01197 01198 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \ 01199 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \ 01200 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 01201 /* 01202 * Fast quasi-reduction modulo P = 2^s - R, 01203 * with R about 33 bits, used by the Koblitz curves. 01204 * 01205 * Write N as A0 + 2^224 A1, return A0 + R * A1. 01206 * Actually do two passes, since R is big. 01207 */ 01208 #define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P 01209 #define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R 01210 static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs, 01211 size_t adjust, size_t shift, mbedtls_mpi_uint mask ) 01212 { 01213 int ret; 01214 size_t i; 01215 mbedtls_mpi M, R; 01216 mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R]; 01217 01218 if( N->n < p_limbs ) 01219 return( 0 ); 01220 01221 /* Init R */ 01222 R.s = 1; 01223 R.p = Rp; 01224 R.n = P_KOBLITZ_R; 01225 01226 /* Common setup for M */ 01227 M.s = 1; 01228 M.p = Mp; 01229 01230 /* M = A1 */ 01231 M.n = N->n - ( p_limbs - adjust ); 01232 if( M.n > p_limbs + adjust ) 01233 M.n = p_limbs + adjust; 01234 memset( Mp, 0, sizeof Mp ); 01235 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) ); 01236 if( shift != 0 ) 01237 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) ); 01238 M.n += R.n - adjust; /* Make room for multiplication by R */ 01239 01240 /* N = A0 */ 01241 if( mask != 0 ) 01242 N->p [p_limbs - 1] &= mask; 01243 for( i = p_limbs; i < N->n ; i++ ) 01244 N->p [i] = 0; 01245 01246 /* N = A0 + R * A1 */ 01247 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) ); 01248 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01249 01250 /* Second pass */ 01251 01252 /* M = A1 */ 01253 M.n = N->n - ( p_limbs - adjust ); 01254 if( M.n > p_limbs + adjust ) 01255 M.n = p_limbs + adjust; 01256 memset( Mp, 0, sizeof Mp ); 01257 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) ); 01258 if( shift != 0 ) 01259 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) ); 01260 M.n += R.n - adjust; /* Make room for multiplication by R */ 01261 01262 /* N = A0 */ 01263 if( mask != 0 ) 01264 N->p [p_limbs - 1] &= mask; 01265 for( i = p_limbs; i < N->n ; i++ ) 01266 N->p [i] = 0; 01267 01268 /* N = A0 + R * A1 */ 01269 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) ); 01270 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01271 01272 cleanup: 01273 return( ret ); 01274 } 01275 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) || 01276 MBEDTLS_ECP_DP_SECP224K1_ENABLED) || 01277 MBEDTLS_ECP_DP_SECP256K1_ENABLED) */ 01278 01279 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 01280 /* 01281 * Fast quasi-reduction modulo p192k1 = 2^192 - R, 01282 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119 01283 */ 01284 static int ecp_mod_p192k1( mbedtls_mpi *N ) 01285 { 01286 static mbedtls_mpi_uint Rp[] = { 01287 BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01288 01289 return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01290 } 01291 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 01292 01293 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 01294 /* 01295 * Fast quasi-reduction modulo p224k1 = 2^224 - R, 01296 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93 01297 */ 01298 static int ecp_mod_p224k1( mbedtls_mpi *N ) 01299 { 01300 static mbedtls_mpi_uint Rp[] = { 01301 BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01302 01303 #if defined(MBEDTLS_HAVE_INT64) 01304 return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) ); 01305 #else 01306 return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01307 #endif 01308 } 01309 01310 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 01311 01312 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 01313 /* 01314 * Fast quasi-reduction modulo p256k1 = 2^256 - R, 01315 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1 01316 */ 01317 static int ecp_mod_p256k1( mbedtls_mpi *N ) 01318 { 01319 static mbedtls_mpi_uint Rp[] = { 01320 BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01321 return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01322 } 01323 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 01324 01325 #endif /* MBEDTLS_ECP_C */
Generated on Tue Jul 12 2022 12:52:43 by
1.7.2