Kenji Arai
/
mbed-os_TYBLE16
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
Embed:
(wiki syntax)
Show/hide line numbers
ecp_curves.c
00001 /* 00002 * Elliptic curves over GF(p): curve-specific data and functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_ECP_C) 00029 00030 #include "mbedtls/ecp.h" 00031 #include "mbedtls/platform_util.h" 00032 00033 #include <string.h> 00034 00035 #if !defined(MBEDTLS_ECP_ALT) 00036 00037 /* Parameter validation macros based on platform_util.h */ 00038 #define ECP_VALIDATE_RET( cond ) \ 00039 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA ) 00040 #define ECP_VALIDATE( cond ) \ 00041 MBEDTLS_INTERNAL_VALIDATE( cond ) 00042 00043 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ 00044 !defined(inline) && !defined(__cplusplus) 00045 #define inline __inline 00046 #endif 00047 00048 /* 00049 * Conversion macros for embedded constants: 00050 * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2 00051 */ 00052 #if defined(MBEDTLS_HAVE_INT32) 00053 00054 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00055 ( (mbedtls_mpi_uint) (a) << 0 ) | \ 00056 ( (mbedtls_mpi_uint) (b) << 8 ) | \ 00057 ( (mbedtls_mpi_uint) (c) << 16 ) | \ 00058 ( (mbedtls_mpi_uint) (d) << 24 ) 00059 00060 #define BYTES_TO_T_UINT_2( a, b ) \ 00061 BYTES_TO_T_UINT_4( a, b, 0, 0 ) 00062 00063 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00064 BYTES_TO_T_UINT_4( a, b, c, d ), \ 00065 BYTES_TO_T_UINT_4( e, f, g, h ) 00066 00067 #else /* 64-bits */ 00068 00069 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ 00070 ( (mbedtls_mpi_uint) (a) << 0 ) | \ 00071 ( (mbedtls_mpi_uint) (b) << 8 ) | \ 00072 ( (mbedtls_mpi_uint) (c) << 16 ) | \ 00073 ( (mbedtls_mpi_uint) (d) << 24 ) | \ 00074 ( (mbedtls_mpi_uint) (e) << 32 ) | \ 00075 ( (mbedtls_mpi_uint) (f) << 40 ) | \ 00076 ( (mbedtls_mpi_uint) (g) << 48 ) | \ 00077 ( (mbedtls_mpi_uint) (h) << 56 ) 00078 00079 #define BYTES_TO_T_UINT_4( a, b, c, d ) \ 00080 BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 ) 00081 00082 #define BYTES_TO_T_UINT_2( a, b ) \ 00083 BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 ) 00084 00085 #endif /* bits in mbedtls_mpi_uint */ 00086 00087 /* 00088 * Note: the constants are in little-endian order 00089 * to be directly usable in MPIs 00090 */ 00091 00092 /* 00093 * Domain parameters for secp192r1 00094 */ 00095 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00096 static const mbedtls_mpi_uint secp192r1_p[] = { 00097 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00098 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00099 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00100 }; 00101 static const mbedtls_mpi_uint secp192r1_b[] = { 00102 BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ), 00103 BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ), 00104 BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ), 00105 }; 00106 static const mbedtls_mpi_uint secp192r1_gx[] = { 00107 BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ), 00108 BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ), 00109 BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ), 00110 }; 00111 static const mbedtls_mpi_uint secp192r1_gy[] = { 00112 BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ), 00113 BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ), 00114 BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ), 00115 }; 00116 static const mbedtls_mpi_uint secp192r1_n[] = { 00117 BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ), 00118 BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ), 00119 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00120 }; 00121 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00122 00123 /* 00124 * Domain parameters for secp224r1 00125 */ 00126 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00127 static const mbedtls_mpi_uint secp224r1_p[] = { 00128 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00129 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00130 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00131 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00132 }; 00133 static const mbedtls_mpi_uint secp224r1_b[] = { 00134 BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ), 00135 BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ), 00136 BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ), 00137 BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ), 00138 }; 00139 static const mbedtls_mpi_uint secp224r1_gx[] = { 00140 BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ), 00141 BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ), 00142 BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ), 00143 BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ), 00144 }; 00145 static const mbedtls_mpi_uint secp224r1_gy[] = { 00146 BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ), 00147 BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ), 00148 BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ), 00149 BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ), 00150 }; 00151 static const mbedtls_mpi_uint secp224r1_n[] = { 00152 BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ), 00153 BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ), 00154 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00155 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 00156 }; 00157 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 00158 00159 /* 00160 * Domain parameters for secp256r1 00161 */ 00162 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00163 static const mbedtls_mpi_uint secp256r1_p[] = { 00164 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00165 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00166 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00167 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00168 }; 00169 static const mbedtls_mpi_uint secp256r1_b[] = { 00170 BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ), 00171 BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ), 00172 BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ), 00173 BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ), 00174 }; 00175 static const mbedtls_mpi_uint secp256r1_gx[] = { 00176 BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ), 00177 BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ), 00178 BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ), 00179 BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ), 00180 }; 00181 static const mbedtls_mpi_uint secp256r1_gy[] = { 00182 BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ), 00183 BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ), 00184 BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ), 00185 BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ), 00186 }; 00187 static const mbedtls_mpi_uint secp256r1_n[] = { 00188 BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ), 00189 BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ), 00190 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00191 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00192 }; 00193 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 00194 00195 /* 00196 * Domain parameters for secp384r1 00197 */ 00198 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00199 static const mbedtls_mpi_uint secp384r1_p[] = { 00200 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 00201 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 00202 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00203 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00204 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00205 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00206 }; 00207 static const mbedtls_mpi_uint secp384r1_b[] = { 00208 BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ), 00209 BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ), 00210 BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ), 00211 BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ), 00212 BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ), 00213 BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ), 00214 }; 00215 static const mbedtls_mpi_uint secp384r1_gx[] = { 00216 BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ), 00217 BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ), 00218 BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ), 00219 BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ), 00220 BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ), 00221 BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ), 00222 }; 00223 static const mbedtls_mpi_uint secp384r1_gy[] = { 00224 BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ), 00225 BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ), 00226 BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ), 00227 BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ), 00228 BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ), 00229 BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ), 00230 }; 00231 static const mbedtls_mpi_uint secp384r1_n[] = { 00232 BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ), 00233 BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ), 00234 BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ), 00235 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00236 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00237 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00238 }; 00239 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 00240 00241 /* 00242 * Domain parameters for secp521r1 00243 */ 00244 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00245 static const mbedtls_mpi_uint secp521r1_p[] = { 00246 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00247 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00248 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00249 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00250 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00251 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00252 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00253 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00254 BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 00255 }; 00256 static const mbedtls_mpi_uint secp521r1_b[] = { 00257 BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ), 00258 BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ), 00259 BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ), 00260 BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ), 00261 BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ), 00262 BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ), 00263 BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ), 00264 BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ), 00265 BYTES_TO_T_UINT_2( 0x51, 0x00 ), 00266 }; 00267 static const mbedtls_mpi_uint secp521r1_gx[] = { 00268 BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ), 00269 BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ), 00270 BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ), 00271 BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ), 00272 BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ), 00273 BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ), 00274 BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ), 00275 BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ), 00276 BYTES_TO_T_UINT_2( 0xC6, 0x00 ), 00277 }; 00278 static const mbedtls_mpi_uint secp521r1_gy[] = { 00279 BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ), 00280 BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ), 00281 BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ), 00282 BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ), 00283 BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ), 00284 BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ), 00285 BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ), 00286 BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ), 00287 BYTES_TO_T_UINT_2( 0x18, 0x01 ), 00288 }; 00289 static const mbedtls_mpi_uint secp521r1_n[] = { 00290 BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ), 00291 BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ), 00292 BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ), 00293 BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ), 00294 BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00295 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00296 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00297 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00298 BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 00299 }; 00300 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 00301 00302 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00303 static const mbedtls_mpi_uint secp192k1_p[] = { 00304 BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00305 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00306 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00307 }; 00308 static const mbedtls_mpi_uint secp192k1_a[] = { 00309 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00310 }; 00311 static const mbedtls_mpi_uint secp192k1_b[] = { 00312 BYTES_TO_T_UINT_2( 0x03, 0x00 ), 00313 }; 00314 static const mbedtls_mpi_uint secp192k1_gx[] = { 00315 BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ), 00316 BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ), 00317 BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ), 00318 }; 00319 static const mbedtls_mpi_uint secp192k1_gy[] = { 00320 BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ), 00321 BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ), 00322 BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ), 00323 }; 00324 static const mbedtls_mpi_uint secp192k1_n[] = { 00325 BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ), 00326 BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ), 00327 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00328 }; 00329 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 00330 00331 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00332 static const mbedtls_mpi_uint secp224k1_p[] = { 00333 BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00334 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00335 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00336 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 00337 }; 00338 static const mbedtls_mpi_uint secp224k1_a[] = { 00339 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00340 }; 00341 static const mbedtls_mpi_uint secp224k1_b[] = { 00342 BYTES_TO_T_UINT_2( 0x05, 0x00 ), 00343 }; 00344 static const mbedtls_mpi_uint secp224k1_gx[] = { 00345 BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ), 00346 BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ), 00347 BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ), 00348 BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ), 00349 }; 00350 static const mbedtls_mpi_uint secp224k1_gy[] = { 00351 BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ), 00352 BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ), 00353 BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ), 00354 BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ), 00355 }; 00356 static const mbedtls_mpi_uint secp224k1_n[] = { 00357 BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ), 00358 BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ), 00359 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 00360 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ), 00361 }; 00362 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 00363 00364 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00365 static const mbedtls_mpi_uint secp256k1_p[] = { 00366 BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 00367 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00368 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00369 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00370 }; 00371 static const mbedtls_mpi_uint secp256k1_a[] = { 00372 BYTES_TO_T_UINT_2( 0x00, 0x00 ), 00373 }; 00374 static const mbedtls_mpi_uint secp256k1_b[] = { 00375 BYTES_TO_T_UINT_2( 0x07, 0x00 ), 00376 }; 00377 static const mbedtls_mpi_uint secp256k1_gx[] = { 00378 BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ), 00379 BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ), 00380 BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ), 00381 BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ), 00382 }; 00383 static const mbedtls_mpi_uint secp256k1_gy[] = { 00384 BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ), 00385 BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ), 00386 BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ), 00387 BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ), 00388 }; 00389 static const mbedtls_mpi_uint secp256k1_n[] = { 00390 BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ), 00391 BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ), 00392 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00393 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 00394 }; 00395 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 00396 00397 /* 00398 * Domain parameters for brainpoolP256r1 (RFC 5639 3.4) 00399 */ 00400 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 00401 static const mbedtls_mpi_uint brainpoolP256r1_p[] = { 00402 BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ), 00403 BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ), 00404 BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 00405 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 00406 }; 00407 static const mbedtls_mpi_uint brainpoolP256r1_a[] = { 00408 BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ), 00409 BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ), 00410 BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ), 00411 BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ), 00412 }; 00413 static const mbedtls_mpi_uint brainpoolP256r1_b[] = { 00414 BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ), 00415 BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ), 00416 BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ), 00417 BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ), 00418 }; 00419 static const mbedtls_mpi_uint brainpoolP256r1_gx[] = { 00420 BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ), 00421 BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ), 00422 BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ), 00423 BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ), 00424 }; 00425 static const mbedtls_mpi_uint brainpoolP256r1_gy[] = { 00426 BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ), 00427 BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ), 00428 BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ), 00429 BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ), 00430 }; 00431 static const mbedtls_mpi_uint brainpoolP256r1_n[] = { 00432 BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ), 00433 BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ), 00434 BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 00435 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 00436 }; 00437 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ 00438 00439 /* 00440 * Domain parameters for brainpoolP384r1 (RFC 5639 3.6) 00441 */ 00442 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 00443 static const mbedtls_mpi_uint brainpoolP384r1_p[] = { 00444 BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ), 00445 BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ), 00446 BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ), 00447 BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 00448 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 00449 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 00450 }; 00451 static const mbedtls_mpi_uint brainpoolP384r1_a[] = { 00452 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 00453 BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ), 00454 BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ), 00455 BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ), 00456 BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ), 00457 BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ), 00458 }; 00459 static const mbedtls_mpi_uint brainpoolP384r1_b[] = { 00460 BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ), 00461 BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ), 00462 BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ), 00463 BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ), 00464 BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ), 00465 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 00466 }; 00467 static const mbedtls_mpi_uint brainpoolP384r1_gx[] = { 00468 BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ), 00469 BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ), 00470 BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ), 00471 BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ), 00472 BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ), 00473 BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ), 00474 }; 00475 static const mbedtls_mpi_uint brainpoolP384r1_gy[] = { 00476 BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ), 00477 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ), 00478 BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ), 00479 BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ), 00480 BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ), 00481 BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ), 00482 }; 00483 static const mbedtls_mpi_uint brainpoolP384r1_n[] = { 00484 BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ), 00485 BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ), 00486 BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ), 00487 BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 00488 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 00489 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 00490 }; 00491 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ 00492 00493 /* 00494 * Domain parameters for brainpoolP512r1 (RFC 5639 3.7) 00495 */ 00496 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 00497 static const mbedtls_mpi_uint brainpoolP512r1_p[] = { 00498 BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ), 00499 BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ), 00500 BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ), 00501 BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ), 00502 BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 00503 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 00504 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 00505 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 00506 }; 00507 static const mbedtls_mpi_uint brainpoolP512r1_a[] = { 00508 BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ), 00509 BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ), 00510 BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ), 00511 BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ), 00512 BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ), 00513 BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ), 00514 BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ), 00515 BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ), 00516 }; 00517 static const mbedtls_mpi_uint brainpoolP512r1_b[] = { 00518 BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ), 00519 BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ), 00520 BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ), 00521 BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ), 00522 BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ), 00523 BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ), 00524 BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ), 00525 BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ), 00526 }; 00527 static const mbedtls_mpi_uint brainpoolP512r1_gx[] = { 00528 BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ), 00529 BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ), 00530 BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ), 00531 BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ), 00532 BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ), 00533 BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ), 00534 BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ), 00535 BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ), 00536 }; 00537 static const mbedtls_mpi_uint brainpoolP512r1_gy[] = { 00538 BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ), 00539 BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ), 00540 BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ), 00541 BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ), 00542 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ), 00543 BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ), 00544 BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ), 00545 BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ), 00546 }; 00547 static const mbedtls_mpi_uint brainpoolP512r1_n[] = { 00548 BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ), 00549 BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ), 00550 BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ), 00551 BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ), 00552 BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 00553 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 00554 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 00555 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 00556 }; 00557 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ 00558 00559 /* 00560 * Create an MPI from embedded constants 00561 * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint) 00562 */ 00563 static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len ) 00564 { 00565 X->s = 1; 00566 X->n = len / sizeof( mbedtls_mpi_uint ); 00567 X->p = (mbedtls_mpi_uint *) p; 00568 } 00569 00570 /* 00571 * Set an MPI to static value 1 00572 */ 00573 static inline void ecp_mpi_set1( mbedtls_mpi *X ) 00574 { 00575 static mbedtls_mpi_uint one[] = { 1 }; 00576 X->s = 1; 00577 X->n = 1; 00578 X->p = one; 00579 } 00580 00581 /* 00582 * Make group available from embedded constants 00583 */ 00584 static int ecp_group_load( mbedtls_ecp_group *grp, 00585 const mbedtls_mpi_uint *p, size_t plen, 00586 const mbedtls_mpi_uint *a, size_t alen, 00587 const mbedtls_mpi_uint *b, size_t blen, 00588 const mbedtls_mpi_uint *gx, size_t gxlen, 00589 const mbedtls_mpi_uint *gy, size_t gylen, 00590 const mbedtls_mpi_uint *n, size_t nlen) 00591 { 00592 ecp_mpi_load( &grp->P , p, plen ); 00593 if( a != NULL ) 00594 ecp_mpi_load( &grp->A , a, alen ); 00595 ecp_mpi_load( &grp->B , b, blen ); 00596 ecp_mpi_load( &grp->N , n, nlen ); 00597 00598 ecp_mpi_load( &grp->G .X , gx, gxlen ); 00599 ecp_mpi_load( &grp->G .Y , gy, gylen ); 00600 ecp_mpi_set1( &grp->G .Z ); 00601 00602 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 00603 grp->nbits = mbedtls_mpi_bitlen( &grp->N ); 00604 00605 grp->h = 1; 00606 00607 return( 0 ); 00608 } 00609 00610 #if defined(MBEDTLS_ECP_NIST_OPTIM) 00611 /* Forward declarations */ 00612 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00613 static int ecp_mod_p192( mbedtls_mpi * ); 00614 #endif 00615 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00616 static int ecp_mod_p224( mbedtls_mpi * ); 00617 #endif 00618 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00619 static int ecp_mod_p256( mbedtls_mpi * ); 00620 #endif 00621 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00622 static int ecp_mod_p384( mbedtls_mpi * ); 00623 #endif 00624 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00625 static int ecp_mod_p521( mbedtls_mpi * ); 00626 #endif 00627 00628 #define NIST_MODP( P ) grp->modp = ecp_mod_ ## P; 00629 #else 00630 #define NIST_MODP( P ) 00631 #endif /* MBEDTLS_ECP_NIST_OPTIM */ 00632 00633 /* Additional forward declarations */ 00634 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00635 static int ecp_mod_p255( mbedtls_mpi * ); 00636 #endif 00637 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) 00638 static int ecp_mod_p448( mbedtls_mpi * ); 00639 #endif 00640 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00641 static int ecp_mod_p192k1( mbedtls_mpi * ); 00642 #endif 00643 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00644 static int ecp_mod_p224k1( mbedtls_mpi * ); 00645 #endif 00646 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00647 static int ecp_mod_p256k1( mbedtls_mpi * ); 00648 #endif 00649 00650 #define LOAD_GROUP_A( G ) ecp_group_load( grp, \ 00651 G ## _p, sizeof( G ## _p ), \ 00652 G ## _a, sizeof( G ## _a ), \ 00653 G ## _b, sizeof( G ## _b ), \ 00654 G ## _gx, sizeof( G ## _gx ), \ 00655 G ## _gy, sizeof( G ## _gy ), \ 00656 G ## _n, sizeof( G ## _n ) ) 00657 00658 #define LOAD_GROUP( G ) ecp_group_load( grp, \ 00659 G ## _p, sizeof( G ## _p ), \ 00660 NULL, 0, \ 00661 G ## _b, sizeof( G ## _b ), \ 00662 G ## _gx, sizeof( G ## _gx ), \ 00663 G ## _gy, sizeof( G ## _gy ), \ 00664 G ## _n, sizeof( G ## _n ) ) 00665 00666 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00667 /* 00668 * Specialized function for creating the Curve25519 group 00669 */ 00670 static int ecp_use_curve25519( mbedtls_ecp_group *grp ) 00671 { 00672 int ret; 00673 00674 /* Actually ( A + 2 ) / 4 */ 00675 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A , 16, "01DB42" ) ); 00676 00677 /* P = 2^255 - 19 */ 00678 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P , 1 ) ); 00679 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P , 255 ) ); 00680 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P , &grp->P , 19 ) ); 00681 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 00682 00683 /* N = 2^252 + 27742317777372353535851937790883648493 */ 00684 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->N , 16, 00685 "14DEF9DEA2F79CD65812631A5CF5D3ED" ) ); 00686 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N , 252, 1 ) ); 00687 00688 /* Y intentionally not set, since we use x/z coordinates. 00689 * This is used as a marker to identify Montgomery curves! */ 00690 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G .X , 9 ) ); 00691 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G .Z , 1 ) ); 00692 mbedtls_mpi_free( &grp->G .Y ); 00693 00694 /* Actually, the required msb for private keys */ 00695 grp->nbits = 254; 00696 00697 cleanup: 00698 if( ret != 0 ) 00699 mbedtls_ecp_group_free( grp ); 00700 00701 return( ret ); 00702 } 00703 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 00704 00705 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) 00706 /* 00707 * Specialized function for creating the Curve448 group 00708 */ 00709 static int ecp_use_curve448( mbedtls_ecp_group *grp ) 00710 { 00711 mbedtls_mpi Ns; 00712 int ret; 00713 00714 mbedtls_mpi_init( &Ns ); 00715 00716 /* Actually ( A + 2 ) / 4 */ 00717 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A , 16, "98AA" ) ); 00718 00719 /* P = 2^448 - 2^224 - 1 */ 00720 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P , 1 ) ); 00721 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P , 224 ) ); 00722 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P , &grp->P , 1 ) ); 00723 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P , 224 ) ); 00724 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P , &grp->P , 1 ) ); 00725 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 00726 00727 /* Y intentionally not set, since we use x/z coordinates. 00728 * This is used as a marker to identify Montgomery curves! */ 00729 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G .X , 5 ) ); 00730 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G .Z , 1 ) ); 00731 mbedtls_mpi_free( &grp->G .Y ); 00732 00733 /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */ 00734 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N , 446, 1 ) ); 00735 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &Ns, 16, 00736 "8335DC163BB124B65129C96FDE933D8D723A70AADC873D6D54A7BB0D" ) ); 00737 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N , &grp->N , &Ns ) ); 00738 00739 /* Actually, the required msb for private keys */ 00740 grp->nbits = 447; 00741 00742 cleanup: 00743 mbedtls_mpi_free( &Ns ); 00744 if( ret != 0 ) 00745 mbedtls_ecp_group_free( grp ); 00746 00747 return( ret ); 00748 } 00749 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */ 00750 00751 /* 00752 * Set a group using well-known domain parameters 00753 */ 00754 int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id ) 00755 { 00756 ECP_VALIDATE_RET( grp != NULL ); 00757 mbedtls_ecp_group_free( grp ); 00758 00759 grp->id = id; 00760 00761 switch( id ) 00762 { 00763 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00764 case MBEDTLS_ECP_DP_SECP192R1: 00765 NIST_MODP( p192 ); 00766 return( LOAD_GROUP( secp192r1 ) ); 00767 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00768 00769 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 00770 case MBEDTLS_ECP_DP_SECP224R1: 00771 NIST_MODP( p224 ); 00772 return( LOAD_GROUP( secp224r1 ) ); 00773 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 00774 00775 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 00776 case MBEDTLS_ECP_DP_SECP256R1: 00777 NIST_MODP( p256 ); 00778 return( LOAD_GROUP( secp256r1 ) ); 00779 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 00780 00781 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00782 case MBEDTLS_ECP_DP_SECP384R1: 00783 NIST_MODP( p384 ); 00784 return( LOAD_GROUP( secp384r1 ) ); 00785 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 00786 00787 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 00788 case MBEDTLS_ECP_DP_SECP521R1: 00789 NIST_MODP( p521 ); 00790 return( LOAD_GROUP( secp521r1 ) ); 00791 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 00792 00793 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 00794 case MBEDTLS_ECP_DP_SECP192K1: 00795 grp->modp = ecp_mod_p192k1; 00796 return( LOAD_GROUP_A( secp192k1 ) ); 00797 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 00798 00799 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 00800 case MBEDTLS_ECP_DP_SECP224K1: 00801 grp->modp = ecp_mod_p224k1; 00802 return( LOAD_GROUP_A( secp224k1 ) ); 00803 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 00804 00805 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 00806 case MBEDTLS_ECP_DP_SECP256K1: 00807 grp->modp = ecp_mod_p256k1; 00808 return( LOAD_GROUP_A( secp256k1 ) ); 00809 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 00810 00811 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 00812 case MBEDTLS_ECP_DP_BP256R1: 00813 return( LOAD_GROUP_A( brainpoolP256r1 ) ); 00814 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ 00815 00816 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 00817 case MBEDTLS_ECP_DP_BP384R1: 00818 return( LOAD_GROUP_A( brainpoolP384r1 ) ); 00819 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ 00820 00821 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 00822 case MBEDTLS_ECP_DP_BP512R1: 00823 return( LOAD_GROUP_A( brainpoolP512r1 ) ); 00824 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ 00825 00826 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 00827 case MBEDTLS_ECP_DP_CURVE25519: 00828 grp->modp = ecp_mod_p255; 00829 return( ecp_use_curve25519( grp ) ); 00830 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 00831 00832 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) 00833 case MBEDTLS_ECP_DP_CURVE448: 00834 grp->modp = ecp_mod_p448; 00835 return( ecp_use_curve448( grp ) ); 00836 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */ 00837 00838 default: 00839 grp->id = MBEDTLS_ECP_DP_NONE; 00840 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); 00841 } 00842 } 00843 00844 #if defined(MBEDTLS_ECP_NIST_OPTIM) 00845 /* 00846 * Fast reduction modulo the primes used by the NIST curves. 00847 * 00848 * These functions are critical for speed, but not needed for correct 00849 * operations. So, we make the choice to heavily rely on the internals of our 00850 * bignum library, which creates a tight coupling between these functions and 00851 * our MPI implementation. However, the coupling between the ECP module and 00852 * MPI remains loose, since these functions can be deactivated at will. 00853 */ 00854 00855 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 00856 /* 00857 * Compared to the way things are presented in FIPS 186-3 D.2, 00858 * we proceed in columns, from right (least significant chunk) to left, 00859 * adding chunks to N in place, and keeping a carry for the next chunk. 00860 * This avoids moving things around in memory, and uselessly adding zeros, 00861 * compared to the more straightforward, line-oriented approach. 00862 * 00863 * For this prime we need to handle data in chunks of 64 bits. 00864 * Since this is always a multiple of our basic mbedtls_mpi_uint, we can 00865 * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it. 00866 */ 00867 00868 /* Add 64-bit chunks (dst += src) and update carry */ 00869 static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry ) 00870 { 00871 unsigned char i; 00872 mbedtls_mpi_uint c = 0; 00873 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ ) 00874 { 00875 *dst += c; c = ( *dst < c ); 00876 *dst += *src; c += ( *dst < *src ); 00877 } 00878 *carry += c; 00879 } 00880 00881 /* Add carry to a 64-bit chunk and update carry */ 00882 static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry ) 00883 { 00884 unsigned char i; 00885 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ ) 00886 { 00887 *dst += *carry; 00888 *carry = ( *dst < *carry ); 00889 } 00890 } 00891 00892 #define WIDTH 8 / sizeof( mbedtls_mpi_uint ) 00893 #define A( i ) N->p + (i) * WIDTH 00894 #define ADD( i ) add64( p, A( i ), &c ) 00895 #define NEXT p += WIDTH; carry64( p, &c ) 00896 #define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0 00897 00898 /* 00899 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1) 00900 */ 00901 static int ecp_mod_p192( mbedtls_mpi *N ) 00902 { 00903 int ret; 00904 mbedtls_mpi_uint c = 0; 00905 mbedtls_mpi_uint *p, *end; 00906 00907 /* Make sure we have enough blocks so that A(5) is legal */ 00908 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) ); 00909 00910 p = N->p ; 00911 end = p + N->n ; 00912 00913 ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5 00914 ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5 00915 ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5 00916 00917 cleanup: 00918 return( ret ); 00919 } 00920 00921 #undef WIDTH 00922 #undef A 00923 #undef ADD 00924 #undef NEXT 00925 #undef LAST 00926 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 00927 00928 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ 00929 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ 00930 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 00931 /* 00932 * The reader is advised to first understand ecp_mod_p192() since the same 00933 * general structure is used here, but with additional complications: 00934 * (1) chunks of 32 bits, and (2) subtractions. 00935 */ 00936 00937 /* 00938 * For these primes, we need to handle data in chunks of 32 bits. 00939 * This makes it more complicated if we use 64 bits limbs in MPI, 00940 * which prevents us from using a uniform access method as for p192. 00941 * 00942 * So, we define a mini abstraction layer to access 32 bit chunks, 00943 * load them in 'cur' for work, and store them back from 'cur' when done. 00944 * 00945 * While at it, also define the size of N in terms of 32-bit chunks. 00946 */ 00947 #define LOAD32 cur = A( i ); 00948 00949 #if defined(MBEDTLS_HAVE_INT32) /* 32 bit */ 00950 00951 #define MAX32 N->n 00952 #define A( j ) N->p[j] 00953 #define STORE32 N->p[i] = cur; 00954 00955 #else /* 64-bit */ 00956 00957 #define MAX32 N->n * 2 00958 #define A( j ) (j) % 2 ? (uint32_t)( N->p[(j)/2] >> 32 ) : \ 00959 (uint32_t)( N->p[(j)/2] ) 00960 #define STORE32 \ 00961 if( i % 2 ) { \ 00962 N->p[i/2] &= 0x00000000FFFFFFFF; \ 00963 N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \ 00964 } else { \ 00965 N->p[i/2] &= 0xFFFFFFFF00000000; \ 00966 N->p[i/2] |= (mbedtls_mpi_uint) cur; \ 00967 } 00968 00969 #endif /* sizeof( mbedtls_mpi_uint ) */ 00970 00971 /* 00972 * Helpers for addition and subtraction of chunks, with signed carry. 00973 */ 00974 static inline void add32( uint32_t *dst, uint32_t src, signed char *carry ) 00975 { 00976 *dst += src; 00977 *carry += ( *dst < src ); 00978 } 00979 00980 static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry ) 00981 { 00982 *carry -= ( *dst < src ); 00983 *dst -= src; 00984 } 00985 00986 #define ADD( j ) add32( &cur, A( j ), &c ); 00987 #define SUB( j ) sub32( &cur, A( j ), &c ); 00988 00989 /* 00990 * Helpers for the main 'loop' 00991 * (see fix_negative for the motivation of C) 00992 */ 00993 #define INIT( b ) \ 00994 int ret; \ 00995 signed char c = 0, cc; \ 00996 uint32_t cur; \ 00997 size_t i = 0, bits = (b); \ 00998 mbedtls_mpi C; \ 00999 mbedtls_mpi_uint Cp[ (b) / 8 / sizeof( mbedtls_mpi_uint) + 1 ]; \ 01000 \ 01001 C.s = 1; \ 01002 C.n = (b) / 8 / sizeof( mbedtls_mpi_uint) + 1; \ 01003 C.p = Cp; \ 01004 memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) ); \ 01005 \ 01006 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, (b) * 2 / 8 / \ 01007 sizeof( mbedtls_mpi_uint ) ) ); \ 01008 LOAD32; 01009 01010 #define NEXT \ 01011 STORE32; i++; LOAD32; \ 01012 cc = c; c = 0; \ 01013 if( cc < 0 ) \ 01014 sub32( &cur, -cc, &c ); \ 01015 else \ 01016 add32( &cur, cc, &c ); \ 01017 01018 #define LAST \ 01019 STORE32; i++; \ 01020 cur = c > 0 ? c : 0; STORE32; \ 01021 cur = 0; while( ++i < MAX32 ) { STORE32; } \ 01022 if( c < 0 ) fix_negative( N, c, &C, bits ); 01023 01024 /* 01025 * If the result is negative, we get it in the form 01026 * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits' 01027 */ 01028 static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits ) 01029 { 01030 int ret; 01031 01032 /* C = - c * 2^(bits + 32) */ 01033 #if !defined(MBEDTLS_HAVE_INT64) 01034 ((void) bits); 01035 #else 01036 if( bits == 224 ) 01037 C->p [ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32; 01038 else 01039 #endif 01040 C->p [ C->n - 1 ] = (mbedtls_mpi_uint) -c; 01041 01042 /* N = - ( C - N ) */ 01043 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) ); 01044 N->s = -1; 01045 01046 cleanup: 01047 01048 return( ret ); 01049 } 01050 01051 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 01052 /* 01053 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2) 01054 */ 01055 static int ecp_mod_p224( mbedtls_mpi *N ) 01056 { 01057 INIT( 224 ); 01058 01059 SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11 01060 SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12 01061 SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13 01062 SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11 01063 SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12 01064 SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13 01065 SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10 01066 01067 cleanup: 01068 return( ret ); 01069 } 01070 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 01071 01072 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 01073 /* 01074 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3) 01075 */ 01076 static int ecp_mod_p256( mbedtls_mpi *N ) 01077 { 01078 INIT( 256 ); 01079 01080 ADD( 8 ); ADD( 9 ); 01081 SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0 01082 01083 ADD( 9 ); ADD( 10 ); 01084 SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1 01085 01086 ADD( 10 ); ADD( 11 ); 01087 SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2 01088 01089 ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 ); 01090 SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3 01091 01092 ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 ); 01093 SUB( 9 ); SUB( 10 ); NEXT; // A4 01094 01095 ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 ); 01096 SUB( 10 ); SUB( 11 ); NEXT; // A5 01097 01098 ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 ); 01099 SUB( 8 ); SUB( 9 ); NEXT; // A6 01100 01101 ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 ); 01102 SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7 01103 01104 cleanup: 01105 return( ret ); 01106 } 01107 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 01108 01109 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 01110 /* 01111 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4) 01112 */ 01113 static int ecp_mod_p384( mbedtls_mpi *N ) 01114 { 01115 INIT( 384 ); 01116 01117 ADD( 12 ); ADD( 21 ); ADD( 20 ); 01118 SUB( 23 ); NEXT; // A0 01119 01120 ADD( 13 ); ADD( 22 ); ADD( 23 ); 01121 SUB( 12 ); SUB( 20 ); NEXT; // A2 01122 01123 ADD( 14 ); ADD( 23 ); 01124 SUB( 13 ); SUB( 21 ); NEXT; // A2 01125 01126 ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 ); 01127 SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3 01128 01129 ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 ); 01130 SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4 01131 01132 ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 ); 01133 SUB( 16 ); NEXT; // A5 01134 01135 ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 ); 01136 SUB( 17 ); NEXT; // A6 01137 01138 ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 ); 01139 SUB( 18 ); NEXT; // A7 01140 01141 ADD( 20 ); ADD( 17 ); ADD( 16 ); 01142 SUB( 19 ); NEXT; // A8 01143 01144 ADD( 21 ); ADD( 18 ); ADD( 17 ); 01145 SUB( 20 ); NEXT; // A9 01146 01147 ADD( 22 ); ADD( 19 ); ADD( 18 ); 01148 SUB( 21 ); NEXT; // A10 01149 01150 ADD( 23 ); ADD( 20 ); ADD( 19 ); 01151 SUB( 22 ); LAST; // A11 01152 01153 cleanup: 01154 return( ret ); 01155 } 01156 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 01157 01158 #undef A 01159 #undef LOAD32 01160 #undef STORE32 01161 #undef MAX32 01162 #undef INIT 01163 #undef NEXT 01164 #undef LAST 01165 01166 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED || 01167 MBEDTLS_ECP_DP_SECP256R1_ENABLED || 01168 MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 01169 01170 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 01171 /* 01172 * Here we have an actual Mersenne prime, so things are more straightforward. 01173 * However, chunks are aligned on a 'weird' boundary (521 bits). 01174 */ 01175 01176 /* Size of p521 in terms of mbedtls_mpi_uint */ 01177 #define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 ) 01178 01179 /* Bits to keep in the most significant mbedtls_mpi_uint */ 01180 #define P521_MASK 0x01FF 01181 01182 /* 01183 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5) 01184 * Write N as A1 + 2^521 A0, return A0 + A1 01185 */ 01186 static int ecp_mod_p521( mbedtls_mpi *N ) 01187 { 01188 int ret; 01189 size_t i; 01190 mbedtls_mpi M; 01191 mbedtls_mpi_uint Mp[P521_WIDTH + 1]; 01192 /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits: 01193 * we need to hold bits 513 to 1056, which is 34 limbs, that is 01194 * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */ 01195 01196 if( N->n < P521_WIDTH ) 01197 return( 0 ); 01198 01199 /* M = A1 */ 01200 M.s = 1; 01201 M.n = N->n - ( P521_WIDTH - 1 ); 01202 if( M.n > P521_WIDTH + 1 ) 01203 M.n = P521_WIDTH + 1; 01204 M.p = Mp; 01205 memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) ); 01206 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) ); 01207 01208 /* N = A0 */ 01209 N->p [P521_WIDTH - 1] &= P521_MASK; 01210 for( i = P521_WIDTH; i < N->n ; i++ ) 01211 N->p [i] = 0; 01212 01213 /* N = A0 + A1 */ 01214 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01215 01216 cleanup: 01217 return( ret ); 01218 } 01219 01220 #undef P521_WIDTH 01221 #undef P521_MASK 01222 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 01223 01224 #endif /* MBEDTLS_ECP_NIST_OPTIM */ 01225 01226 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 01227 01228 /* Size of p255 in terms of mbedtls_mpi_uint */ 01229 #define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 ) 01230 01231 /* 01232 * Fast quasi-reduction modulo p255 = 2^255 - 19 01233 * Write N as A0 + 2^255 A1, return A0 + 19 * A1 01234 */ 01235 static int ecp_mod_p255( mbedtls_mpi *N ) 01236 { 01237 int ret; 01238 size_t i; 01239 mbedtls_mpi M; 01240 mbedtls_mpi_uint Mp[P255_WIDTH + 2]; 01241 01242 if( N->n < P255_WIDTH ) 01243 return( 0 ); 01244 01245 /* M = A1 */ 01246 M.s = 1; 01247 M.n = N->n - ( P255_WIDTH - 1 ); 01248 if( M.n > P255_WIDTH + 1 ) 01249 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 01250 M.p = Mp; 01251 memset( Mp, 0, sizeof Mp ); 01252 memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) ); 01253 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) ); 01254 M.n ++; /* Make room for multiplication by 19 */ 01255 01256 /* N = A0 */ 01257 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) ); 01258 for( i = P255_WIDTH; i < N->n ; i++ ) 01259 N->p [i] = 0; 01260 01261 /* N = A0 + 19 * A1 */ 01262 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) ); 01263 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01264 01265 cleanup: 01266 return( ret ); 01267 } 01268 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 01269 01270 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) 01271 01272 /* Size of p448 in terms of mbedtls_mpi_uint */ 01273 #define P448_WIDTH ( 448 / 8 / sizeof( mbedtls_mpi_uint ) ) 01274 01275 /* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */ 01276 #define DIV_ROUND_UP( X, Y ) ( ( ( X ) + ( Y ) - 1 ) / ( Y ) ) 01277 #define P224_WIDTH_MIN ( 28 / sizeof( mbedtls_mpi_uint ) ) 01278 #define P224_WIDTH_MAX DIV_ROUND_UP( 28, sizeof( mbedtls_mpi_uint ) ) 01279 #define P224_UNUSED_BITS ( ( P224_WIDTH_MAX * sizeof( mbedtls_mpi_uint ) * 8 ) - 224 ) 01280 01281 /* 01282 * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1 01283 * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return 01284 * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference 01285 * implementation of Curve448, which uses its own special 56-bit limbs rather 01286 * than a generic bignum library. We could squeeze some extra speed out on 01287 * 32-bit machines by splitting N up into 32-bit limbs and doing the 01288 * arithmetic using the limbs directly as we do for the NIST primes above, 01289 * but for 64-bit targets it should use half the number of operations if we do 01290 * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds. 01291 */ 01292 static int ecp_mod_p448( mbedtls_mpi *N ) 01293 { 01294 int ret; 01295 size_t i; 01296 mbedtls_mpi M, Q; 01297 mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH]; 01298 01299 if( N->n <= P448_WIDTH ) 01300 return( 0 ); 01301 01302 /* M = A1 */ 01303 M.s = 1; 01304 M.n = N->n - ( P448_WIDTH ); 01305 if( M.n > P448_WIDTH ) 01306 /* Shouldn't be called with N larger than 2^896! */ 01307 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 01308 M.p = Mp; 01309 memset( Mp, 0, sizeof( Mp ) ); 01310 memcpy( Mp, N->p + P448_WIDTH, M.n * sizeof( mbedtls_mpi_uint ) ); 01311 01312 /* N = A0 */ 01313 for( i = P448_WIDTH; i < N->n ; i++ ) 01314 N->p [i] = 0; 01315 01316 /* N += A1 */ 01317 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) ); 01318 01319 /* Q = B1, N += B1 */ 01320 Q = M; 01321 Q.p = Qp; 01322 memcpy( Qp, Mp, sizeof( Qp ) ); 01323 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Q, 224 ) ); 01324 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &Q ) ); 01325 01326 /* M = (B0 + B1) * 2^224, N += M */ 01327 if( sizeof( mbedtls_mpi_uint ) > 4 ) 01328 Mp[P224_WIDTH_MIN] &= ( (mbedtls_mpi_uint)-1 ) >> ( P224_UNUSED_BITS ); 01329 for( i = P224_WIDTH_MAX; i < M.n ; ++i ) 01330 Mp[i] = 0; 01331 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M, &M, &Q ) ); 01332 M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */ 01333 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &M, 224 ) ); 01334 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) ); 01335 01336 cleanup: 01337 return( ret ); 01338 } 01339 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */ 01340 01341 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \ 01342 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \ 01343 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 01344 /* 01345 * Fast quasi-reduction modulo P = 2^s - R, 01346 * with R about 33 bits, used by the Koblitz curves. 01347 * 01348 * Write N as A0 + 2^224 A1, return A0 + R * A1. 01349 * Actually do two passes, since R is big. 01350 */ 01351 #define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P 01352 #define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R 01353 static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs, 01354 size_t adjust, size_t shift, mbedtls_mpi_uint mask ) 01355 { 01356 int ret; 01357 size_t i; 01358 mbedtls_mpi M, R; 01359 mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1]; 01360 01361 if( N->n < p_limbs ) 01362 return( 0 ); 01363 01364 /* Init R */ 01365 R.s = 1; 01366 R.p = Rp; 01367 R.n = P_KOBLITZ_R; 01368 01369 /* Common setup for M */ 01370 M.s = 1; 01371 M.p = Mp; 01372 01373 /* M = A1 */ 01374 M.n = N->n - ( p_limbs - adjust ); 01375 if( M.n > p_limbs + adjust ) 01376 M.n = p_limbs + adjust; 01377 memset( Mp, 0, sizeof Mp ); 01378 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) ); 01379 if( shift != 0 ) 01380 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) ); 01381 M.n += R.n ; /* Make room for multiplication by R */ 01382 01383 /* N = A0 */ 01384 if( mask != 0 ) 01385 N->p [p_limbs - 1] &= mask; 01386 for( i = p_limbs; i < N->n ; i++ ) 01387 N->p [i] = 0; 01388 01389 /* N = A0 + R * A1 */ 01390 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) ); 01391 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01392 01393 /* Second pass */ 01394 01395 /* M = A1 */ 01396 M.n = N->n - ( p_limbs - adjust ); 01397 if( M.n > p_limbs + adjust ) 01398 M.n = p_limbs + adjust; 01399 memset( Mp, 0, sizeof Mp ); 01400 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) ); 01401 if( shift != 0 ) 01402 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) ); 01403 M.n += R.n ; /* Make room for multiplication by R */ 01404 01405 /* N = A0 */ 01406 if( mask != 0 ) 01407 N->p [p_limbs - 1] &= mask; 01408 for( i = p_limbs; i < N->n ; i++ ) 01409 N->p [i] = 0; 01410 01411 /* N = A0 + R * A1 */ 01412 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) ); 01413 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 01414 01415 cleanup: 01416 return( ret ); 01417 } 01418 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) || 01419 MBEDTLS_ECP_DP_SECP224K1_ENABLED) || 01420 MBEDTLS_ECP_DP_SECP256K1_ENABLED) */ 01421 01422 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 01423 /* 01424 * Fast quasi-reduction modulo p192k1 = 2^192 - R, 01425 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119 01426 */ 01427 static int ecp_mod_p192k1( mbedtls_mpi *N ) 01428 { 01429 static mbedtls_mpi_uint Rp[] = { 01430 BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01431 01432 return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01433 } 01434 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 01435 01436 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 01437 /* 01438 * Fast quasi-reduction modulo p224k1 = 2^224 - R, 01439 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93 01440 */ 01441 static int ecp_mod_p224k1( mbedtls_mpi *N ) 01442 { 01443 static mbedtls_mpi_uint Rp[] = { 01444 BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01445 01446 #if defined(MBEDTLS_HAVE_INT64) 01447 return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) ); 01448 #else 01449 return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01450 #endif 01451 } 01452 01453 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 01454 01455 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 01456 /* 01457 * Fast quasi-reduction modulo p256k1 = 2^256 - R, 01458 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1 01459 */ 01460 static int ecp_mod_p256k1( mbedtls_mpi *N ) 01461 { 01462 static mbedtls_mpi_uint Rp[] = { 01463 BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; 01464 return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); 01465 } 01466 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 01467 01468 #endif /* !MBEDTLS_ECP_ALT */ 01469 01470 #endif /* MBEDTLS_ECP_C */
Generated on Tue Jul 12 2022 13:54:18 by
1.7.2