Hannes Tschofenig
/
aes-gcm-test-program
Example program to test AES-GCM functionality. Used for a workshop
Embed:
(wiki syntax)
Show/hide line numbers
ecp_curves.c
00001 /* 00002 * Elliptic curves over GF(p): curve-specific data and functions 00003 * 00004 * Copyright (C) 2006-2014, Brainspark B.V. 00005 * 00006 * This file is part of PolarSSL (http://www.polarssl.org) 00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> 00008 * 00009 * All rights reserved. 00010 * 00011 * This program is free software; you can redistribute it and/or modify 00012 * it under the terms of the GNU General Public License as published by 00013 * the Free Software Foundation; either version 2 of the License, or 00014 * (at your option) any later version. 00015 * 00016 * This program is distributed in the hope that it will be useful, 00017 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00018 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00019 * GNU General Public License for more details. 00020 * 00021 * You should have received a copy of the GNU General Public License along 00022 * with this program; if not, write to the Free Software Foundation, Inc., 00023 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 00024 */ 00025 00026 #if !defined(POLARSSL_CONFIG_FILE) 00027 #include "polarssl/config.h" 00028 #else 00029 #include POLARSSL_CONFIG_FILE 00030 #endif 00031 00032 #if defined(POLARSSL_ECP_C) 00033 00034 #include "polarssl/ecp.h" 00035 00036 #if defined(_MSC_VER) && !defined(inline) 00037 #define inline _inline 00038 #else 00039 #if defined(__ARMCC_VERSION) && !defined(inline) 00040 #define inline __inline 00041 #endif /* __ARMCC_VERSION */ 00042 #endif /*_MSC_VER */ 00043 00044 /* 00045 * Conversion macros for embedded constants: 00046 * build lists of t_uint's from lists of unsigned char's grouped by 8, 4 or 2 00047 */ 00048 #if defined(POLARSSL_HAVE_INT8) 00049 00050 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00051 a, b, c, d, e, f, g, h 00052 00053 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00054 a, b, c, d 00055 00056 #define BYTES_TO_T_UINT_2( a, b ) \ 00057 a, b 00058 00059 #elif defined(POLARSSL_HAVE_INT16) 00060 00061 #define BYTES_TO_T_UINT_2( a, b ) \ 00062 ( (t_uint) a << 0 ) | \ 00063 ( (t_uint) b << 8 ) 00064 00065 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00066 BYTES_TO_T_UINT_2( a, b ), \ 00067 BYTES_TO_T_UINT_2( c, d ) 00068 00069 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00070 BYTES_TO_T_UINT_2( a, b ), \ 00071 BYTES_TO_T_UINT_2( c, d ), \ 00072 BYTES_TO_T_UINT_2( e, f ), \ 00073 BYTES_TO_T_UINT_2( g, h ) 00074 00075 #elif defined(POLARSSL_HAVE_INT32) 00076 00077 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00078 ( (t_uint) a << 0 ) | \ 00079 ( (t_uint) b << 8 ) | \ 00080 ( (t_uint) c << 16 ) | \ 00081 ( (t_uint) d << 24 ) 00082 00083 #define BYTES_TO_T_UINT_2( a, b ) \ 00084 BYTES_TO_T_UINT_4( a, b, 0, 0 ) 00085 00086 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00087 BYTES_TO_T_UINT_4( a, b, c, d ), \ 00088 BYTES_TO_T_UINT_4( e, f, g, h ) 00089 00090 #else /* 64-bits */ 00091 00092 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00093 ( (t_uint) a << 0 ) | \ 00094 ( (t_uint) b << 8 ) | \ 00095 ( (t_uint) c << 16 ) | \ 00096 ( (t_uint) d << 24 ) | \ 00097 ( (t_uint) e << 32 ) | \ 00098 ( (t_uint) f << 40 ) | \ 00099 ( (t_uint) g << 48 ) | \ 00100 ( (t_uint) h << 56 ) 00101 00102 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00103 BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 ) 00104 00105 #define BYTES_TO_T_UINT_2( a, b ) \ 00106 BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 ) 00107 00108 #endif /* bits in t_uint */ 00109 00110 /* 00111 * Note: the constants are in little-endian order 00112 * to be directly usable in MPIs 00113 */ 00114 00115 /* 00116 * Domain parameters for secp192r1 00117 */ 00118 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED) 00119 static const t_uint secp192r1_p[] = { 00120 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00121 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00122 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00123 }; 00124 static const t_uint secp192r1_b[] = { 00125 BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ), 00126 BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ), 00127 BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ), 00128 }; 00129 static const t_uint secp192r1_gx[] = { 00130 BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ), 00131 BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ), 00132 BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ), 00133 }; 00134 static const t_uint secp192r1_gy[] = { 00135 BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ), 00136 BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ), 00137 BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ), 00138 }; 00139 static const t_uint secp192r1_n[] = { 00140 BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ), 00141 BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ), 00142 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00143 }; 00144 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */ 00145 00146 /* 00147 * Domain parameters for secp224r1 00148 */ 00149 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) 00150 static const t_uint secp224r1_p[] = { 00151 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00152 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00153 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00154 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00155 }; 00156 static const t_uint secp224r1_b[] = { 00157 BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ), 00158 BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ), 00159 BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ), 00160 BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ), 00161 }; 00162 static const t_uint secp224r1_gx[] = { 00163 BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ), 00164 BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ), 00165 BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ), 00166 BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ), 00167 }; 00168 static const t_uint secp224r1_gy[] = { 00169 BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ), 00170 BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ), 00171 BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ), 00172 BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ), 00173 }; 00174 static const t_uint secp224r1_n[] = { 00175 BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ), 00176 BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ), 00177 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00178 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 00179 }; 00180 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */ 00181 00182 /* 00183 * Domain parameters for secp256r1 00184 */ 00185 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) 00186 static const t_uint secp256r1_p[] = { 00187 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00188 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00189 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00190 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00191 }; 00192 static const t_uint secp256r1_b[] = { 00193 BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ), 00194 BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ), 00195 BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ), 00196 BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ), 00197 }; 00198 static const t_uint secp256r1_gx[] = { 00199 BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ), 00200 BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ), 00201 BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ), 00202 BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ), 00203 }; 00204 static const t_uint secp256r1_gy[] = { 00205 BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ), 00206 BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ), 00207 BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ), 00208 BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ), 00209 }; 00210 static const t_uint secp256r1_n[] = { 00211 BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ), 00212 BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ), 00213 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00214 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00215 }; 00216 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */ 00217 00218 /* 00219 * Domain parameters for secp384r1 00220 */ 00221 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED) 00222 static const t_uint secp384r1_p[] = { 00223 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00224 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00225 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00226 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00227 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00228 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00229 }; 00230 static const t_uint secp384r1_b[] = { 00231 BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ), 00232 BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ), 00233 BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ), 00234 BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ), 00235 BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ), 00236 BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ), 00237 }; 00238 static const t_uint secp384r1_gx[] = { 00239 BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ), 00240 BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ), 00241 BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ), 00242 BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ), 00243 BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ), 00244 BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ), 00245 }; 00246 static const t_uint secp384r1_gy[] = { 00247 BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ), 00248 BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ), 00249 BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ), 00250 BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ), 00251 BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ), 00252 BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ), 00253 }; 00254 static const t_uint secp384r1_n[] = { 00255 BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ), 00256 BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ), 00257 BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ), 00258 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00259 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00260 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00261 }; 00262 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */ 00263 00264 /* 00265 * Domain parameters for secp521r1 00266 */ 00267 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED) 00268 static const t_uint secp521r1_p[] = { 00269 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00270 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00271 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00272 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00273 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00274 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00275 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00276 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00277 BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 00278 }; 00279 static const t_uint secp521r1_b[] = { 00280 BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ), 00281 BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ), 00282 BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ), 00283 BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ), 00284 BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ), 00285 BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ), 00286 BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ), 00287 BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ), 00288 BYTES_TO_T_UINT_2( 0x51, 0x00 ), 00289 }; 00290 static const t_uint secp521r1_gx[] = { 00291 BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ), 00292 BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ), 00293 BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ), 00294 BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ), 00295 BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ), 00296 BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ), 00297 BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ), 00298 BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ), 00299 BYTES_TO_T_UINT_2( 0xC6, 0x00 ), 00300 }; 00301 static const t_uint secp521r1_gy[] = { 00302 BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ), 00303 BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ), 00304 BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ), 00305 BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ), 00306 BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ), 00307 BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ), 00308 BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ), 00309 BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ), 00310 BYTES_TO_T_UINT_2( 0x18, 0x01 ), 00311 }; 00312 static const t_uint secp521r1_n[] = { 00313 BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ), 00314 BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ), 00315 BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ), 00316 BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ), 00317 BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00318 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00319 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00320 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00321 BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 00322 }; 00323 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */ 00324 00325 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED) 00326 static const t_uint secp192k1_p[] = { 00327 BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00328 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00329 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00330 }; 00331 static const t_uint secp192k1_a[] = { 00332 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00333 }; 00334 static const t_uint secp192k1_b[] = { 00335 BYTES_TO_T_UINT_2( 0x03, 0x00 ), 00336 }; 00337 static const t_uint secp192k1_gx[] = { 00338 BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ), 00339 BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ), 00340 BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ), 00341 }; 00342 static const t_uint secp192k1_gy[] = { 00343 BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ), 00344 BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ), 00345 BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ), 00346 }; 00347 static const t_uint secp192k1_n[] = { 00348 BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ), 00349 BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ), 00350 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00351 }; 00352 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED */ 00353 00354 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED) 00355 static const t_uint secp224k1_p[] = { 00356 BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00357 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00358 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00359 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 00360 }; 00361 static const t_uint secp224k1_a[] = { 00362 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00363 }; 00364 static const t_uint secp224k1_b[] = { 00365 BYTES_TO_T_UINT_2( 0x05, 0x00 ), 00366 }; 00367 static const t_uint secp224k1_gx[] = { 00368 BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ), 00369 BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ), 00370 BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ), 00371 BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ), 00372 }; 00373 static const t_uint secp224k1_gy[] = { 00374 BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ), 00375 BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ), 00376 BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ), 00377 BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ), 00378 }; 00379 static const t_uint secp224k1_n[] = { 00380 BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ), 00381 BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ), 00382 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00383 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ), 00384 }; 00385 #endif /* POLARSSL_ECP_DP_SECP224K1_ENABLED */ 00386 00387 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED) 00388 static const t_uint secp256k1_p[] = { 00389 BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00390 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00391 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00392 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00393 }; 00394 static const t_uint secp256k1_a[] = { 00395 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00396 }; 00397 static const t_uint secp256k1_b[] = { 00398 BYTES_TO_T_UINT_2( 0x07, 0x00 ), 00399 }; 00400 static const t_uint secp256k1_gx[] = { 00401 BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ), 00402 BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ), 00403 BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ), 00404 BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ), 00405 }; 00406 static const t_uint secp256k1_gy[] = { 00407 BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ), 00408 BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ), 00409 BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ), 00410 BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ), 00411 }; 00412 static const t_uint secp256k1_n[] = { 00413 BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ), 00414 BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ), 00415 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00416 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00417 }; 00418 #endif /* POLARSSL_ECP_DP_SECP256K1_ENABLED */ 00419 00420 /* 00421 * Domain parameters for brainpoolP256r1 (RFC 5639 3.4) 00422 */ 00423 #if defined(POLARSSL_ECP_DP_BP256R1_ENABLED) 00424 static const t_uint brainpoolP256r1_p[] = { 00425 BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ), 00426 BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ), 00427 BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 00428 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 00429 }; 00430 static const t_uint brainpoolP256r1_a[] = { 00431 BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ), 00432 BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ), 00433 BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ), 00434 BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ), 00435 }; 00436 static const t_uint brainpoolP256r1_b[] = { 00437 BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ), 00438 BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ), 00439 BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ), 00440 BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ), 00441 }; 00442 static const t_uint brainpoolP256r1_gx[] = { 00443 BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ), 00444 BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ), 00445 BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ), 00446 BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ), 00447 }; 00448 static const t_uint brainpoolP256r1_gy[] = { 00449 BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ), 00450 BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ), 00451 BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ), 00452 BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ), 00453 }; 00454 static const t_uint brainpoolP256r1_n[] = { 00455 BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ), 00456 BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ), 00457 BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 00458 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 00459 }; 00460 #endif /* POLARSSL_ECP_DP_BP256R1_ENABLED */ 00461 00462 /* 00463 * Domain parameters for brainpoolP384r1 (RFC 5639 3.6) 00464 */ 00465 #if defined(POLARSSL_ECP_DP_BP384R1_ENABLED) 00466 static const t_uint brainpoolP384r1_p[] = { 00467 BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ), 00468 BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ), 00469 BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ), 00470 BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 00471 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 00472 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 00473 }; 00474 static const t_uint brainpoolP384r1_a[] = { 00475 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 00476 BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ), 00477 BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ), 00478 BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ), 00479 BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ), 00480 BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ), 00481 }; 00482 static const t_uint brainpoolP384r1_b[] = { 00483 BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ), 00484 BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ), 00485 BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ), 00486 BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ), 00487 BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ), 00488 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 00489 }; 00490 static const t_uint brainpoolP384r1_gx[] = { 00491 BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ), 00492 BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ), 00493 BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ), 00494 BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ), 00495 BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ), 00496 BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ), 00497 }; 00498 static const t_uint brainpoolP384r1_gy[] = { 00499 BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ), 00500 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ), 00501 BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ), 00502 BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ), 00503 BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ), 00504 BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ), 00505 }; 00506 static const t_uint brainpoolP384r1_n[] = { 00507 BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ), 00508 BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ), 00509 BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ), 00510 BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 00511 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 00512 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 00513 }; 00514 #endif /* POLARSSL_ECP_DP_BP384R1_ENABLED */ 00515 00516 /* 00517 * Domain parameters for brainpoolP512r1 (RFC 5639 3.7) 00518 */ 00519 #if defined(POLARSSL_ECP_DP_BP512R1_ENABLED) 00520 static const t_uint brainpoolP512r1_p[] = { 00521 BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ), 00522 BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ), 00523 BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ), 00524 BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ), 00525 BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 00526 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 00527 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 00528 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 00529 }; 00530 static const t_uint brainpoolP512r1_a[] = { 00531 BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ), 00532 BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ), 00533 BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ), 00534 BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ), 00535 BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ), 00536 BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ), 00537 BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ), 00538 BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ), 00539 }; 00540 static const t_uint brainpoolP512r1_b[] = { 00541 BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ), 00542 BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ), 00543 BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ), 00544 BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ), 00545 BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ), 00546 BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ), 00547 BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ), 00548 BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ), 00549 }; 00550 static const t_uint brainpoolP512r1_gx[] = { 00551 BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ), 00552 BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ), 00553 BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ), 00554 BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ), 00555 BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ), 00556 BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ), 00557 BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ), 00558 BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ), 00559 }; 00560 static const t_uint brainpoolP512r1_gy[] = { 00561 BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ), 00562 BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ), 00563 BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ), 00564 BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ), 00565 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ), 00566 BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ), 00567 BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ), 00568 BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ), 00569 }; 00570 static const t_uint brainpoolP512r1_n[] = { 00571 BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ), 00572 BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ), 00573 BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ), 00574 BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ), 00575 BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 00576 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 00577 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 00578 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 00579 }; 00580 #endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */ 00581 00582 /* 00583 * Create an MPI from embedded constants 00584 * (assumes len is an exact multiple of sizeof t_uint) 00585 */ 00586 static inline void ecp_mpi_load( mpi *X, const t_uint *p, size_t len ) 00587 { 00588 X->s = 1; 00589 X->n = len / sizeof( t_uint ); 00590 X->p = (t_uint *) p; 00591 } 00592 00593 /* 00594 * Set an MPI to static value 1 00595 */ 00596 static inline void ecp_mpi_set1( mpi *X ) 00597 { 00598 static t_uint one[] = { 1 }; 00599 X->s = 1; 00600 X->n = 1; 00601 X->p = one; 00602 } 00603 00604 /* 00605 * Make group available from embedded constants 00606 */ 00607 static int ecp_group_load( ecp_group *grp, 00608 const t_uint *p, size_t plen, 00609 const t_uint *a, size_t alen, 00610 const t_uint *b, size_t blen, 00611 const t_uint *gx, size_t gxlen, 00612 const t_uint *gy, size_t gylen, 00613 const t_uint *n, size_t nlen) 00614 { 00615 ecp_mpi_load( &grp->P , p, plen ); 00616 if( a != NULL ) 00617 ecp_mpi_load( &grp->A , a, alen ); 00618 ecp_mpi_load( &grp->B , b, blen ); 00619 ecp_mpi_load( &grp->N , n, nlen ); 00620 00621 ecp_mpi_load( &grp->G .X , gx, gxlen ); 00622 ecp_mpi_load( &grp->G .Y , gy, gylen ); 00623 ecp_mpi_set1( &grp->G .Z ); 00624 00625 grp->pbits = mpi_msb( &grp->P ); 00626 grp->nbits = mpi_msb( &grp->N ); 00627 00628 grp->h = 1; 00629 00630 return( 0 ); 00631 } 00632 00633 #if defined(POLARSSL_ECP_NIST_OPTIM) 00634 /* Forward declarations */ 00635 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED) 00636 static int ecp_mod_p192( mpi * ); 00637 #endif 00638 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) 00639 static int ecp_mod_p224( mpi * ); 00640 #endif 00641 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) 00642 static int ecp_mod_p256( mpi * ); 00643 #endif 00644 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED) 00645 static int ecp_mod_p384( mpi * ); 00646 #endif 00647 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED) 00648 static int ecp_mod_p521( mpi * ); 00649 #endif 00650 00651 #define NIST_MODP( P ) grp->modp = ecp_mod_ ## P; 00652 #else 00653 #define NIST_MODP( P ) 00654 #endif /* POLARSSL_ECP_NIST_OPTIM */ 00655 00656 /* Additional forward declarations */ 00657 #if defined(POLARSSL_ECP_DP_M255_ENABLED) 00658 static int ecp_mod_p255( mpi * ); 00659 #endif 00660 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED) 00661 static int ecp_mod_p192k1( mpi * ); 00662 #endif 00663 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED) 00664 static int ecp_mod_p224k1( mpi * ); 00665 #endif 00666 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED) 00667 static int ecp_mod_p256k1( mpi * ); 00668 #endif 00669 00670 #define LOAD_GROUP_A( G ) ecp_group_load( grp, \ 00671 G ## _p, sizeof( G ## _p ), \ 00672 G ## _a, sizeof( G ## _a ), \ 00673 G ## _b, sizeof( G ## _b ), \ 00674 G ## _gx, sizeof( G ## _gx ), \ 00675 G ## _gy, sizeof( G ## _gy ), \ 00676 G ## _n, sizeof( G ## _n ) ) 00677 00678 #define LOAD_GROUP( G ) ecp_group_load( grp, \ 00679 G ## _p, sizeof( G ## _p ), \ 00680 NULL, 0, \ 00681 G ## _b, sizeof( G ## _b ), \ 00682 G ## _gx, sizeof( G ## _gx ), \ 00683 G ## _gy, sizeof( G ## _gy ), \ 00684 G ## _n, sizeof( G ## _n ) ) 00685 00686 #if defined(POLARSSL_ECP_DP_M255_ENABLED) 00687 /* 00688 * Specialized function for creating the Curve25519 group 00689 */ 00690 static int ecp_use_curve25519( ecp_group *grp ) 00691 { 00692 int ret; 00693 00694 /* Actually ( A + 2 ) / 4 */ 00695 MPI_CHK( mpi_read_string( &grp->A , 16, "01DB42" ) ); 00696 00697 /* P = 2^255 - 19 */ 00698 MPI_CHK( mpi_lset( &grp->P , 1 ) ); 00699 MPI_CHK( mpi_shift_l( &grp->P , 255 ) ); 00700 MPI_CHK( mpi_sub_int( &grp->P , &grp->P , 19 ) ); 00701 grp->pbits = mpi_msb( &grp->P ); 00702 00703 /* Y intentionaly not set, since we use x/z coordinates. 00704 * This is used as a marker to identify Montgomery curves! */ 00705 MPI_CHK( mpi_lset( &grp->G .X , 9 ) ); 00706 MPI_CHK( mpi_lset( &grp->G .Z , 1 ) ); 00707 mpi_free( &grp->G .Y ); 00708 00709 /* Actually, the required msb for private keys */ 00710 grp->nbits = 254; 00711 00712 cleanup: 00713 if( ret != 0 ) 00714 ecp_group_free( grp ); 00715 00716 return( ret ); 00717 } 00718 #endif /* POLARSSL_ECP_DP_M255_ENABLED */ 00719 00720 /* 00721 * Set a group using well-known domain parameters 00722 */ 00723 int ecp_use_known_dp( ecp_group *grp, ecp_group_id id ) 00724 { 00725 ecp_group_free( grp ); 00726 00727 grp->id = id; 00728 00729 switch( id ) 00730 { 00731 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED) 00732 case POLARSSL_ECP_DP_SECP192R1 : 00733 NIST_MODP( p192 ); 00734 return( LOAD_GROUP( secp192r1 ) ); 00735 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */ 00736 00737 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) 00738 case POLARSSL_ECP_DP_SECP224R1 : 00739 NIST_MODP( p224 ); 00740 return( LOAD_GROUP( secp224r1 ) ); 00741 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */ 00742 00743 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) 00744 case POLARSSL_ECP_DP_SECP256R1 : 00745 NIST_MODP( p256 ); 00746 return( LOAD_GROUP( secp256r1 ) ); 00747 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */ 00748 00749 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED) 00750 case POLARSSL_ECP_DP_SECP384R1 : 00751 NIST_MODP( p384 ); 00752 return( LOAD_GROUP( secp384r1 ) ); 00753 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */ 00754 00755 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED) 00756 case POLARSSL_ECP_DP_SECP521R1 : 00757 NIST_MODP( p521 ); 00758 return( LOAD_GROUP( secp521r1 ) ); 00759 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */ 00760 00761 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED) 00762 case POLARSSL_ECP_DP_SECP192K1 : 00763 grp->modp = ecp_mod_p192k1; 00764 return( LOAD_GROUP_A( secp192k1 ) ); 00765 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED */ 00766 00767 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED) 00768 case POLARSSL_ECP_DP_SECP224K1 : 00769 grp->modp = ecp_mod_p224k1; 00770 return( LOAD_GROUP_A( secp224k1 ) ); 00771 #endif /* POLARSSL_ECP_DP_SECP224K1_ENABLED */ 00772 00773 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED) 00774 case POLARSSL_ECP_DP_SECP256K1 : 00775 grp->modp = ecp_mod_p256k1; 00776 return( LOAD_GROUP_A( secp256k1 ) ); 00777 #endif /* POLARSSL_ECP_DP_SECP256K1_ENABLED */ 00778 00779 #if defined(POLARSSL_ECP_DP_BP256R1_ENABLED) 00780 case POLARSSL_ECP_DP_BP256R1 : 00781 return( LOAD_GROUP_A( brainpoolP256r1 ) ); 00782 #endif /* POLARSSL_ECP_DP_BP256R1_ENABLED */ 00783 00784 #if defined(POLARSSL_ECP_DP_BP384R1_ENABLED) 00785 case POLARSSL_ECP_DP_BP384R1 : 00786 return( LOAD_GROUP_A( brainpoolP384r1 ) ); 00787 #endif /* POLARSSL_ECP_DP_BP384R1_ENABLED */ 00788 00789 #if defined(POLARSSL_ECP_DP_BP512R1_ENABLED) 00790 case POLARSSL_ECP_DP_BP512R1 : 00791 return( LOAD_GROUP_A( brainpoolP512r1 ) ); 00792 #endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */ 00793 00794 #if defined(POLARSSL_ECP_DP_M255_ENABLED) 00795 case POLARSSL_ECP_DP_M255 : 00796 grp->modp = ecp_mod_p255; 00797 return( ecp_use_curve25519( grp ) ); 00798 #endif /* POLARSSL_ECP_DP_M255_ENABLED */ 00799 00800 default: 00801 ecp_group_free( grp ); 00802 return( POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE ); 00803 } 00804 } 00805 00806 #if defined(POLARSSL_ECP_NIST_OPTIM) 00807 /* 00808 * Fast reduction modulo the primes used by the NIST curves. 00809 * 00810 * These functions are critical for speed, but not needed for correct 00811 * operations. So, we make the choice to heavily rely on the internals of our 00812 * bignum library, which creates a tight coupling between these functions and 00813 * our MPI implementation. However, the coupling between the ECP module and 00814 * MPI remains loose, since these functions can be deactivated at will. 00815 */ 00816 00817 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED) 00818 /* 00819 * Compared to the way things are presented in FIPS 186-3 D.2, 00820 * we proceed in columns, from right (least significant chunk) to left, 00821 * adding chunks to N in place, and keeping a carry for the next chunk. 00822 * This avoids moving things around in memory, and uselessly adding zeros, 00823 * compared to the more straightforward, line-oriented approach. 00824 * 00825 * For this prime we need to handle data in chunks of 64 bits. 00826 * Since this is always a multiple of our basic t_uint, we can 00827 * use a t_uint * to designate such a chunk, and small loops to handle it. 00828 */ 00829 00830 /* Add 64-bit chunks (dst += src) and update carry */ 00831 static inline void add64( t_uint *dst, t_uint *src, t_uint *carry ) 00832 { 00833 unsigned char i; 00834 t_uint c = 0; 00835 for( i = 0; i < 8 / sizeof( t_uint ); i++, dst++, src++ ) 00836 { 00837 *dst += c; c = ( *dst < c ); 00838 *dst += *src; c += ( *dst < *src ); 00839 } 00840 *carry += c; 00841 } 00842 00843 /* Add carry to a 64-bit chunk and update carry */ 00844 static inline void carry64( t_uint *dst, t_uint *carry ) 00845 { 00846 unsigned char i; 00847 for( i = 0; i < 8 / sizeof( t_uint ); i++, dst++ ) 00848 { 00849 *dst += *carry; 00850 *carry = ( *dst < *carry ); 00851 } 00852 } 00853 00854 #define WIDTH 8 / sizeof( t_uint ) 00855 #define A( i ) N->p + i * WIDTH 00856 #define ADD( i ) add64( p, A( i ), &c ) 00857 #define NEXT p += WIDTH; carry64( p, &c ) 00858 #define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0 00859 00860 /* 00861 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1) 00862 */ 00863 static int ecp_mod_p192( mpi *N ) 00864 { 00865 int ret; 00866 t_uint c = 0; 00867 t_uint *p, *end; 00868 00869 /* Make sure we have enough blocks so that A(5) is legal */ 00870 MPI_CHK( mpi_grow( N, 6 * WIDTH ) ); 00871 00872 p = N->p ; 00873 end = p + N->n ; 00874 00875 ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5 00876 ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5 00877 ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5 00878 00879 cleanup: 00880 return( ret ); 00881 } 00882 00883 #undef WIDTH 00884 #undef A 00885 #undef ADD 00886 #undef NEXT 00887 #undef LAST 00888 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */ 00889 00890 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) || \ 00891 defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) || \ 00892 defined(POLARSSL_ECP_DP_SECP384R1_ENABLED) 00893 /* 00894 * The reader is advised to first understand ecp_mod_p192() since the same 00895 * general structure is used here, but with additional complications: 00896 * (1) chunks of 32 bits, and (2) subtractions. 00897 */ 00898 00899 /* 00900 * For these primes, we need to handle data in chunks of 32 bits. 00901 * This makes it more complicated if we use 64 bits limbs in MPI, 00902 * which prevents us from using a uniform access method as for p192. 00903 * 00904 * So, we define a mini abstraction layer to access 32 bit chunks, 00905 * load them in 'cur' for work, and store them back from 'cur' when done. 00906 * 00907 * While at it, also define the size of N in terms of 32-bit chunks. 00908 */ 00909 #define LOAD32 cur = A( i ); 00910 00911 #if defined(POLARSSL_HAVE_INT8) /* 8 bit */ 00912 00913 #define MAX32 N->n / 4 00914 #define A( j ) (uint32_t)( N->p[4*j+0] ) | \ 00915 ( N->p[4*j+1] << 8 ) | \ 00916 ( N->p[4*j+2] << 16 ) | \ 00917 ( N->p[4*j+3] << 24 ) 00918 #define STORE32 N->p[4*i+0] = (t_uint)( cur ); \ 00919 N->p[4*i+1] = (t_uint)( cur >> 8 ); \ 00920 N->p[4*i+2] = (t_uint)( cur >> 16 ); \ 00921 N->p[4*i+3] = (t_uint)( cur >> 24 ); 00922 00923 #elif defined(POLARSSL_HAVE_INT16) /* 16 bit */ 00924 00925 #define MAX32 N->n / 2 00926 #define A( j ) (uint32_t)( N->p[2*j] ) | ( N->p[2*j+1] << 16 ) 00927 #define STORE32 N->p[2*i+0] = (t_uint)( cur ); \ 00928 N->p[2*i+1] = (t_uint)( cur >> 16 ); 00929 00930 #elif defined(POLARSSL_HAVE_INT32) /* 32 bit */ 00931 00932 #define MAX32 N->n 00933 #define A( j ) N->p[j] 00934 #define STORE32 N->p[i] = cur; 00935 00936 #else /* 64-bit */ 00937 00938 #define MAX32 N->n * 2 00939 #define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] ) 00940 #define STORE32 \ 00941 if( i % 2 ) { \ 00942 N->p[i/2] &= 0x00000000FFFFFFFF; \ 00943 N->p[i/2] |= ((t_uint) cur) << 32; \ 00944 } else { \ 00945 N->p[i/2] &= 0xFFFFFFFF00000000; \ 00946 N->p[i/2] |= (t_uint) cur; \ 00947 } 00948 00949 #endif /* sizeof( t_uint ) */ 00950 00951 /* 00952 * Helpers for addition and subtraction of chunks, with signed carry. 00953 */ 00954 static inline void add32( uint32_t *dst, uint32_t src, signed char *carry ) 00955 { 00956 *dst += src; 00957 *carry += ( *dst < src ); 00958 } 00959 00960 static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry ) 00961 { 00962 *carry -= ( *dst < src ); 00963 *dst -= src; 00964 } 00965 00966 #define ADD( j ) add32( &cur, A( j ), &c ); 00967 #define SUB( j ) sub32( &cur, A( j ), &c ); 00968 00969 /* 00970 * Helpers for the main 'loop' 00971 * (see fix_negative for the motivation of C) 00972 */ 00973 #define INIT( b ) \ 00974 int ret; \ 00975 signed char c = 0, cc; \ 00976 uint32_t cur; \ 00977 size_t i = 0, bits = b; \ 00978 mpi C; \ 00979 t_uint Cp[ b / 8 / sizeof( t_uint) + 1 ]; \ 00980 \ 00981 C.s = 1; \ 00982 C.n = b / 8 / sizeof( t_uint) + 1; \ 00983 C.p = Cp; \ 00984 memset( Cp, 0, C.n * sizeof( t_uint ) ); \ 00985 \ 00986 MPI_CHK( mpi_grow( N, b * 2 / 8 / sizeof( t_uint ) ) ); \ 00987 LOAD32; 00988 00989 #define NEXT \ 00990 STORE32; i++; LOAD32; \ 00991 cc = c; c = 0; \ 00992 if( cc < 0 ) \ 00993 sub32( &cur, -cc, &c ); \ 00994 else \ 00995 add32( &cur, cc, &c ); \ 00996 00997 #define LAST \ 00998 STORE32; i++; \ 00999 cur = c > 0 ? c : 0; STORE32; \ 01000 cur = 0; while( ++i < MAX32 ) { STORE32; } \ 01001 if( c < 0 ) fix_negative( N, c, &C, bits ); 01002 01003 /* 01004 * If the result is negative, we get it in the form 01005 * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits' 01006 */ 01007 static inline int fix_negative( mpi *N, signed char c, mpi *C, size_t bits ) 01008 { 01009 int ret; 01010 01011 /* C = - c * 2^(bits + 32) */ 01012 #if !defined(POLARSSL_HAVE_INT64) 01013 ((void) bits); 01014 #else 01015 if( bits == 224 ) 01016 C->p [ C->n - 1 ] = ((t_uint) -c) << 32; 01017 else 01018 #endif 01019 C->p [ C->n - 1 ] = (t_uint) -c; 01020 01021 /* N = - ( C - N ) */ 01022 MPI_CHK( mpi_sub_abs( N, C, N ) ); 01023 N->s = -1; 01024 01025 cleanup: 01026 01027 return( ret ); 01028 } 01029 01030 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) 01031 /* 01032 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2) 01033 */ 01034 static int ecp_mod_p224( mpi *N ) 01035 { 01036 INIT( 224 ); 01037 01038 SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11 01039 SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12 01040 SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13 01041 SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11 01042 SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12 01043 SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13 01044 SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10 01045 01046 cleanup: 01047 return( ret ); 01048 } 01049 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */ 01050 01051 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) 01052 /* 01053 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3) 01054 */ 01055 static int ecp_mod_p256( mpi *N ) 01056 { 01057 INIT( 256 ); 01058 01059 ADD( 8 ); ADD( 9 ); 01060 SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0 01061 01062 ADD( 9 ); ADD( 10 ); 01063 SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1 01064 01065 ADD( 10 ); ADD( 11 ); 01066 SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2 01067 01068 ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 ); 01069 SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3 01070 01071 ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 ); 01072 SUB( 9 ); SUB( 10 ); NEXT; // A4 01073 01074 ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 ); 01075 SUB( 10 ); SUB( 11 ); NEXT; // A5 01076 01077 ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 ); 01078 SUB( 8 ); SUB( 9 ); NEXT; // A6 01079 01080 ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 ); 01081 SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7 01082 01083 cleanup: 01084 return( ret ); 01085 } 01086 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */ 01087 01088 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED) 01089 /* 01090 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4) 01091 */ 01092 static int ecp_mod_p384( mpi *N ) 01093 { 01094 INIT( 384 ); 01095 01096 ADD( 12 ); ADD( 21 ); ADD( 20 ); 01097 SUB( 23 ); NEXT; // A0 01098 01099 ADD( 13 ); ADD( 22 ); ADD( 23 ); 01100 SUB( 12 ); SUB( 20 ); NEXT; // A2 01101 01102 ADD( 14 ); ADD( 23 ); 01103 SUB( 13 ); SUB( 21 ); NEXT; // A2 01104 01105 ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 ); 01106 SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3 01107 01108 ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 ); 01109 SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4 01110 01111 ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 ); 01112 SUB( 16 ); NEXT; // A5 01113 01114 ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 ); 01115 SUB( 17 ); NEXT; // A6 01116 01117 ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 ); 01118 SUB( 18 ); NEXT; // A7 01119 01120 ADD( 20 ); ADD( 17 ); ADD( 16 ); 01121 SUB( 19 ); NEXT; // A8 01122 01123 ADD( 21 ); ADD( 18 ); ADD( 17 ); 01124 SUB( 20 ); NEXT; // A9 01125 01126 ADD( 22 ); ADD( 19 ); ADD( 18 ); 01127 SUB( 21 ); NEXT; // A10 01128 01129 ADD( 23 ); ADD( 20 ); ADD( 19 ); 01130 SUB( 22 ); LAST; // A11 01131 01132 cleanup: 01133 return( ret ); 01134 } 01135 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */ 01136 01137 #undef A 01138 #undef LOAD32 01139 #undef STORE32 01140 #undef MAX32 01141 #undef INIT 01142 #undef NEXT 01143 #undef LAST 01144 01145 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED || 01146 POLARSSL_ECP_DP_SECP256R1_ENABLED || 01147 POLARSSL_ECP_DP_SECP384R1_ENABLED */ 01148 01149 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED) 01150 /* 01151 * Here we have an actual Mersenne prime, so things are more straightforward. 01152 * However, chunks are aligned on a 'weird' boundary (521 bits). 01153 */ 01154 01155 /* Size of p521 in terms of t_uint */ 01156 #define P521_WIDTH ( 521 / 8 / sizeof( t_uint ) + 1 ) 01157 01158 /* Bits to keep in the most significant t_uint */ 01159 #if defined(POLARSSL_HAVE_INT8) 01160 #define P521_MASK 0x01 01161 #else 01162 #define P521_MASK 0x01FF 01163 #endif 01164 01165 /* 01166 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5) 01167 * Write N as A1 + 2^521 A0, return A0 + A1 01168 */ 01169 static int ecp_mod_p521( mpi *N ) 01170 { 01171 int ret; 01172 size_t i; 01173 mpi M; 01174 t_uint Mp[P521_WIDTH + 1]; 01175 /* Worst case for the size of M is when t_uint is 16 bits: 01176 * we need to hold bits 513 to 1056, which is 34 limbs, that is 01177 * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */ 01178 01179 if( N->n < P521_WIDTH ) 01180 return( 0 ); 01181 01182 /* M = A1 */ 01183 M.s = 1; 01184 M.n = N->n - ( P521_WIDTH - 1 ); 01185 if( M.n > P521_WIDTH + 1 ) 01186 M.n = P521_WIDTH + 1; 01187 M.p = Mp; 01188 memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( t_uint ) ); 01189 MPI_CHK( mpi_shift_r( &M, 521 % ( 8 * sizeof( t_uint ) ) ) ); 01190 01191 /* N = A0 */ 01192 N->p [P521_WIDTH - 1] &= P521_MASK; 01193 for( i = P521_WIDTH; i < N->n ; i++ ) 01194 N->p [i] = 0; 01195 01196 /* N = A0 + A1 */ 01197 MPI_CHK( mpi_add_abs( N, N, &M ) ); 01198 01199 cleanup: 01200 return( ret ); 01201 } 01202 01203 #undef P521_WIDTH 01204 #undef P521_MASK 01205 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */ 01206 01207 #endif /* POLARSSL_ECP_NIST_OPTIM */ 01208 01209 #if defined(POLARSSL_ECP_DP_M255_ENABLED) 01210 01211 /* Size of p255 in terms of t_uint */ 01212 #define P255_WIDTH ( 255 / 8 / sizeof( t_uint ) + 1 ) 01213 01214 /* 01215 * Fast quasi-reduction modulo p255 = 2^255 - 19 01216 * Write N as A0 + 2^255 A1, return A0 + 19 * A1 01217 */ 01218 static int ecp_mod_p255( mpi *N ) 01219 { 01220 int ret; 01221 size_t i; 01222 mpi M; 01223 t_uint Mp[P255_WIDTH + 2]; 01224 01225 if( N->n < P255_WIDTH ) 01226 return( 0 ); 01227 01228 /* M = A1 */ 01229 M.s = 1; 01230 M.n = N->n - ( P255_WIDTH - 1 ); 01231 if( M.n > P255_WIDTH + 1 ) 01232 M.n = P255_WIDTH + 1; 01233 M.p = Mp; 01234 memset( Mp, 0, sizeof Mp ); 01235 memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( t_uint ) ); 01236 MPI_CHK( mpi_shift_r( &M, 255 % ( 8 * sizeof( t_uint ) ) ) ); 01237 M.n ++; /* Make room for multiplication by 19 */ 01238 01239 /* N = A0 */ 01240 MPI_CHK( mpi_set_bit( N, 255, 0 ) ); 01241 for( i = P255_WIDTH; i < N->n ; i++ ) 01242 N->p [i] = 0; 01243 01244 /* N = A0 + 19 * A1 */ 01245 MPI_CHK( mpi_mul_int( &M, &M, 19 ) ); 01246 MPI_CHK( mpi_add_abs( N, N, &M ) ); 01247 01248 cleanup: 01249 return( ret ); 01250 } 01251 #endif /* POLARSSL_ECP_DP_M255_ENABLED */ 01252 01253 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED) || \ 01254 defined(POLARSSL_ECP_DP_SECP224K1_ENABLED) || \ 01255 defined(POLARSSL_ECP_DP_SECP256K1_ENABLED) 01256 /* 01257 * Fast quasi-reduction modulo P = 2^s - R, 01258 * with R about 33 bits, used by the Koblitz curves. 01259 * 01260 * Write N as A0 + 2^224 A1, return A0 + R * A1. 01261 * Actually do two passes, since R is big. 01262 */ 01263 #define P_KOBLITZ_MAX ( 256 / 8 / sizeof( t_uint ) ) // Max limbs in P 01264 #define P_KOBLITZ_R ( 8 / sizeof( t_uint ) ) // Limbs in R 01265 static inline int ecp_mod_koblitz( mpi *N, t_uint *Rp, size_t p_limbs, 01266 size_t adjust, size_t shift, t_uint mask ) 01267 { 01268 int ret; 01269 size_t i; 01270 mpi M, R; 01271 t_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R]; 01272 01273 if( N->n < p_limbs ) 01274 return( 0 ); 01275 01276 /* Init R */ 01277 R.s = 1; 01278 R.p = Rp; 01279 R.n = P_KOBLITZ_R; 01280 01281 /* Common setup for M */ 01282 M.s = 1; 01283 M.p = Mp; 01284 01285 /* M = A1 */ 01286 M.n = N->n - ( p_limbs - adjust ); 01287 if( M.n > p_limbs + adjust ) 01288 M.n = p_limbs + adjust; 01289 memset( Mp, 0, sizeof Mp ); 01290 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) ); 01291 if (shift != 0 ) 01292 MPI_CHK( mpi_shift_r( &M, shift ) ); 01293 M.n += R.n - adjust; /* Make room for multiplication by R */ 01294 01295 /* N = A0 */ 01296 if (mask != 0 ) 01297 N->p [p_limbs - 1] &= mask; 01298 for( i = p_limbs; i < N->n ; i++ ) 01299 N->p [i] = 0; 01300 01301 /* N = A0 + R * A1 */ 01302 MPI_CHK( mpi_mul_mpi( &M, &M, &R ) ); 01303 MPI_CHK( mpi_add_abs( N, N, &M ) ); 01304 01305 /* Second pass */ 01306 01307 /* M = A1 */ 01308 M.n = N->n - ( p_limbs - adjust ); 01309 if( M.n > p_limbs + adjust ) 01310 M.n = p_limbs + adjust; 01311 memset( Mp, 0, sizeof Mp ); 01312 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) ); 01313 if (shift != 0 ) 01314 MPI_CHK( mpi_shift_r( &M, shift ) ); 01315 M.n += R.n - adjust; /* Make room for multiplication by R */ 01316 01317 /* N = A0 */ 01318 if (mask != 0 ) 01319 N->p [p_limbs - 1] &= mask; 01320 for( i = p_limbs; i < N->n ; i++ ) 01321 N->p [i] = 0; 01322 01323 /* N = A0 + R * A1 */ 01324 MPI_CHK( mpi_mul_mpi( &M, &M, &R ) ); 01325 MPI_CHK( mpi_add_abs( N, N, &M ) ); 01326 01327 cleanup: 01328 return( ret ); 01329 } 01330 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED) || 01331 POLARSSL_ECP_DP_SECP224K1_ENABLED) || 01332 POLARSSL_ECP_DP_SECP256K1_ENABLED) */ 01333 01334 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED) 01335 /* 01336 * Fast quasi-reduction modulo p192k1 = 2^192 - R, 01337 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119 01338 */ 01339 static int ecp_mod_p192k1( mpi *N ) 01340 { 01341 static t_uint Rp[] = { 01342 BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01343 01344 return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( t_uint ), 0, 0, 0 ) ); 01345 } 01346 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED */ 01347 01348 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED) 01349 /* 01350 * Fast quasi-reduction modulo p224k1 = 2^224 - R, 01351 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93 01352 */ 01353 static int ecp_mod_p224k1( mpi *N ) 01354 { 01355 static t_uint Rp[] = { 01356 BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01357 01358 #if defined(POLARSSL_HAVE_INT64) 01359 return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) ); 01360 #else 01361 return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( t_uint ), 0, 0, 0 ) ); 01362 #endif 01363 } 01364 01365 #endif /* POLARSSL_ECP_DP_SECP224K1_ENABLED */ 01366 01367 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED) 01368 /* 01369 * Fast quasi-reduction modulo p256k1 = 2^256 - R, 01370 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1 01371 */ 01372 static int ecp_mod_p256k1( mpi *N ) 01373 { 01374 static t_uint Rp[] = { 01375 BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01376 return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( t_uint ), 0, 0, 0 ) ); 01377 } 01378 #endif /* POLARSSL_ECP_DP_SECP256K1_ENABLED */ 01379 01380 #endif /* POLARSSL_ECP_C */ 01381 01382
Generated on Tue Jul 12 2022 19:40:15 by 1.7.2