This Trac instance is not used for development anymore!

We migrated our development workflow to git and Gitea.
To test the future redirection, replace trac by ariadne in the page URL.

source: ps/trunk/build/premake/premake5/contrib/mbedtls/library/ecp_curves.c

Last change on this file was 20366, checked in by Itms, 7 years ago

Alpha 12 version of Premake 5, including prebuilt binary for Windows.
Directly taken from https://premake.github.io/.

Refs #3729.
File size: 51.2 KB
Line 
1/*
2 * Elliptic curves over GF(p): curve-specific data and functions
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22#if !defined(MBEDTLS_CONFIG_FILE)
23#include "mbedtls/config.h"
24#else
25#include MBEDTLS_CONFIG_FILE
26#endif
27
28#if defined(MBEDTLS_ECP_C)
29
30#include "mbedtls/ecp.h"
31
32#include <string.h>
33
34#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
35 !defined(inline) && !defined(__cplusplus)
36#define inline __inline
37#endif
38
39/*
40 * Conversion macros for embedded constants:
41 * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
42 */
43#if defined(MBEDTLS_HAVE_INT32)
44
45#define BYTES_TO_T_UINT_4( a, b, c, d ) \
46 ( (mbedtls_mpi_uint) a << 0 ) | \
47 ( (mbedtls_mpi_uint) b << 8 ) | \
48 ( (mbedtls_mpi_uint) c << 16 ) | \
49 ( (mbedtls_mpi_uint) d << 24 )
50
51#define BYTES_TO_T_UINT_2( a, b ) \
52 BYTES_TO_T_UINT_4( a, b, 0, 0 )
53
54#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
55 BYTES_TO_T_UINT_4( a, b, c, d ), \
56 BYTES_TO_T_UINT_4( e, f, g, h )
57
58#else /* 64-bits */
59
60#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
61 ( (mbedtls_mpi_uint) a << 0 ) | \
62 ( (mbedtls_mpi_uint) b << 8 ) | \
63 ( (mbedtls_mpi_uint) c << 16 ) | \
64 ( (mbedtls_mpi_uint) d << 24 ) | \
65 ( (mbedtls_mpi_uint) e << 32 ) | \
66 ( (mbedtls_mpi_uint) f << 40 ) | \
67 ( (mbedtls_mpi_uint) g << 48 ) | \
68 ( (mbedtls_mpi_uint) h << 56 )
69
70#define BYTES_TO_T_UINT_4( a, b, c, d ) \
71 BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
72
73#define BYTES_TO_T_UINT_2( a, b ) \
74 BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
75
76#endif /* bits in mbedtls_mpi_uint */
77
78/*
79 * Note: the constants are in little-endian order
80 * to be directly usable in MPIs
81 */
82
83/*
84 * Domain parameters for secp192r1
85 */
86#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
87static const mbedtls_mpi_uint secp192r1_p[] = {
88 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
89 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
90 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
91};
92static const mbedtls_mpi_uint secp192r1_b[] = {
93 BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
94 BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
95 BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
96};
97static const mbedtls_mpi_uint secp192r1_gx[] = {
98 BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
99 BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
100 BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
101};
102static const mbedtls_mpi_uint secp192r1_gy[] = {
103 BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
104 BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
105 BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
106};
107static const mbedtls_mpi_uint secp192r1_n[] = {
108 BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
109 BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
110 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
111};
112#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
113
114/*
115 * Domain parameters for secp224r1
116 */
117#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
118static const mbedtls_mpi_uint secp224r1_p[] = {
119 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
120 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
121 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
122 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
123};
124static const mbedtls_mpi_uint secp224r1_b[] = {
125 BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
126 BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
127 BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
128 BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
129};
130static const mbedtls_mpi_uint secp224r1_gx[] = {
131 BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
132 BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
133 BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
134 BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
135};
136static const mbedtls_mpi_uint secp224r1_gy[] = {
137 BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
138 BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
139 BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
140 BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
141};
142static const mbedtls_mpi_uint secp224r1_n[] = {
143 BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
144 BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
145 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
146 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
147};
148#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
149
150/*
151 * Domain parameters for secp256r1
152 */
153#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
154static const mbedtls_mpi_uint secp256r1_p[] = {
155 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
156 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
157 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
158 BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
159};
160static const mbedtls_mpi_uint secp256r1_b[] = {
161 BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
162 BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
163 BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
164 BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
165};
166static const mbedtls_mpi_uint secp256r1_gx[] = {
167 BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
168 BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
169 BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
170 BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
171};
172static const mbedtls_mpi_uint secp256r1_gy[] = {
173 BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
174 BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
175 BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
176 BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
177};
178static const mbedtls_mpi_uint secp256r1_n[] = {
179 BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
180 BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
181 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
182 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
183};
184#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
185
186/*
187 * Domain parameters for secp384r1
188 */
189#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
190static const mbedtls_mpi_uint secp384r1_p[] = {
191 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
192 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
193 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
194 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
195 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
196 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
197};
198static const mbedtls_mpi_uint secp384r1_b[] = {
199 BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
200 BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
201 BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
202 BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
203 BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
204 BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
205};
206static const mbedtls_mpi_uint secp384r1_gx[] = {
207 BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
208 BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
209 BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
210 BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
211 BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
212 BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
213};
214static const mbedtls_mpi_uint secp384r1_gy[] = {
215 BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
216 BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
217 BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
218 BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
219 BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
220 BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
221};
222static const mbedtls_mpi_uint secp384r1_n[] = {
223 BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
224 BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
225 BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
226 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
227 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
228 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
229};
230#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
231
232/*
233 * Domain parameters for secp521r1
234 */
235#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
236static const mbedtls_mpi_uint secp521r1_p[] = {
237 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
238 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
239 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
240 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
241 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
242 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
243 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
244 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
245 BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
246};
247static const mbedtls_mpi_uint secp521r1_b[] = {
248 BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
249 BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
250 BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
251 BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
252 BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
253 BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
254 BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
255 BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
256 BYTES_TO_T_UINT_2( 0x51, 0x00 ),
257};
258static const mbedtls_mpi_uint secp521r1_gx[] = {
259 BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
260 BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
261 BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
262 BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
263 BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
264 BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
265 BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
266 BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
267 BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
268};
269static const mbedtls_mpi_uint secp521r1_gy[] = {
270 BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
271 BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
272 BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
273 BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
274 BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
275 BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
276 BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
277 BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
278 BYTES_TO_T_UINT_2( 0x18, 0x01 ),
279};
280static const mbedtls_mpi_uint secp521r1_n[] = {
281 BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
282 BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
283 BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
284 BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
285 BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
286 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
287 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
288 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
289 BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
290};
291#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
292
293#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
294static const mbedtls_mpi_uint secp192k1_p[] = {
295 BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
296 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
297 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
298};
299static const mbedtls_mpi_uint secp192k1_a[] = {
300 BYTES_TO_T_UINT_2( 0x00, 0x00 ),
301};
302static const mbedtls_mpi_uint secp192k1_b[] = {
303 BYTES_TO_T_UINT_2( 0x03, 0x00 ),
304};
305static const mbedtls_mpi_uint secp192k1_gx[] = {
306 BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
307 BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
308 BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
309};
310static const mbedtls_mpi_uint secp192k1_gy[] = {
311 BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
312 BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
313 BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
314};
315static const mbedtls_mpi_uint secp192k1_n[] = {
316 BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
317 BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
318 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
319};
320#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
321
322#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
323static const mbedtls_mpi_uint secp224k1_p[] = {
324 BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
325 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
326 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
327 BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
328};
329static const mbedtls_mpi_uint secp224k1_a[] = {
330 BYTES_TO_T_UINT_2( 0x00, 0x00 ),
331};
332static const mbedtls_mpi_uint secp224k1_b[] = {
333 BYTES_TO_T_UINT_2( 0x05, 0x00 ),
334};
335static const mbedtls_mpi_uint secp224k1_gx[] = {
336 BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
337 BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
338 BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
339 BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
340};
341static const mbedtls_mpi_uint secp224k1_gy[] = {
342 BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
343 BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
344 BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
345 BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
346};
347static const mbedtls_mpi_uint secp224k1_n[] = {
348 BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
349 BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
350 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
351 BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
352};
353#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
354
355#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
356static const mbedtls_mpi_uint secp256k1_p[] = {
357 BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
358 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
359 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
360 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
361};
362static const mbedtls_mpi_uint secp256k1_a[] = {
363 BYTES_TO_T_UINT_2( 0x00, 0x00 ),
364};
365static const mbedtls_mpi_uint secp256k1_b[] = {
366 BYTES_TO_T_UINT_2( 0x07, 0x00 ),
367};
368static const mbedtls_mpi_uint secp256k1_gx[] = {
369 BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
370 BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
371 BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
372 BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
373};
374static const mbedtls_mpi_uint secp256k1_gy[] = {
375 BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
376 BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
377 BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
378 BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
379};
380static const mbedtls_mpi_uint secp256k1_n[] = {
381 BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
382 BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
383 BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
384 BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
385};
386#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
387
388/*
389 * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
390 */
391#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
392static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
393 BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
394 BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
395 BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
396 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
397};
398static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
399 BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
400 BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
401 BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
402 BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
403};
404static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
405 BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
406 BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
407 BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
408 BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
409};
410static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
411 BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
412 BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
413 BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
414 BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
415};
416static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
417 BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
418 BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
419 BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
420 BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
421};
422static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
423 BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
424 BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
425 BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
426 BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
427};
428#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
429
430/*
431 * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
432 */
433#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
434static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
435 BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
436 BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
437 BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
438 BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
439 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
440 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
441};
442static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
443 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
444 BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
445 BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
446 BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
447 BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
448 BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
449};
450static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
451 BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
452 BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
453 BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
454 BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
455 BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
456 BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
457};
458static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
459 BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
460 BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
461 BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
462 BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
463 BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
464 BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
465};
466static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
467 BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
468 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
469 BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
470 BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
471 BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
472 BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
473};
474static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
475 BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
476 BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
477 BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
478 BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
479 BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
480 BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
481};
482#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
483
484/*
485 * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
486 */
487#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
488static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
489 BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
490 BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
491 BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
492 BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
493 BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
494 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
495 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
496 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
497};
498static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
499 BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
500 BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
501 BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
502 BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
503 BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
504 BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
505 BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
506 BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
507};
508static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
509 BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
510 BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
511 BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
512 BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
513 BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
514 BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
515 BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
516 BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
517};
518static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
519 BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
520 BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
521 BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
522 BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
523 BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
524 BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
525 BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
526 BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
527};
528static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
529 BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
530 BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
531 BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
532 BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
533 BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
534 BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
535 BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
536 BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
537};
538static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
539 BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
540 BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
541 BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
542 BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
543 BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
544 BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
545 BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
546 BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
547};
548#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
549
550/*
551 * Create an MPI from embedded constants
552 * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
553 */
554static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len )
555{
556 X->s = 1;
557 X->n = len / sizeof( mbedtls_mpi_uint );
558 X->p = (mbedtls_mpi_uint *) p;
559}
560
561/*
562 * Set an MPI to static value 1
563 */
564static inline void ecp_mpi_set1( mbedtls_mpi *X )
565{
566 static mbedtls_mpi_uint one[] = { 1 };
567 X->s = 1;
568 X->n = 1;
569 X->p = one;
570}
571
572/*
573 * Make group available from embedded constants
574 */
575static int ecp_group_load( mbedtls_ecp_group *grp,
576 const mbedtls_mpi_uint *p, size_t plen,
577 const mbedtls_mpi_uint *a, size_t alen,
578 const mbedtls_mpi_uint *b, size_t blen,
579 const mbedtls_mpi_uint *gx, size_t gxlen,
580 const mbedtls_mpi_uint *gy, size_t gylen,
581 const mbedtls_mpi_uint *n, size_t nlen)
582{
583 ecp_mpi_load( &grp->P, p, plen );
584 if( a != NULL )
585 ecp_mpi_load( &grp->A, a, alen );
586 ecp_mpi_load( &grp->B, b, blen );
587 ecp_mpi_load( &grp->N, n, nlen );
588
589 ecp_mpi_load( &grp->G.X, gx, gxlen );
590 ecp_mpi_load( &grp->G.Y, gy, gylen );
591 ecp_mpi_set1( &grp->G.Z );
592
593 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
594 grp->nbits = mbedtls_mpi_bitlen( &grp->N );
595
596 grp->h = 1;
597
598 return( 0 );
599}
600
601#if defined(MBEDTLS_ECP_NIST_OPTIM)
602/* Forward declarations */
603#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
604static int ecp_mod_p192( mbedtls_mpi * );
605#endif
606#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
607static int ecp_mod_p224( mbedtls_mpi * );
608#endif
609#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
610static int ecp_mod_p256( mbedtls_mpi * );
611#endif
612#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
613static int ecp_mod_p384( mbedtls_mpi * );
614#endif
615#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
616static int ecp_mod_p521( mbedtls_mpi * );
617#endif
618
619#define NIST_MODP( P ) grp->modp = ecp_mod_ ## P;
620#else
621#define NIST_MODP( P )
622#endif /* MBEDTLS_ECP_NIST_OPTIM */
623
624/* Additional forward declarations */
625#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
626static int ecp_mod_p255( mbedtls_mpi * );
627#endif
628#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
629static int ecp_mod_p192k1( mbedtls_mpi * );
630#endif
631#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
632static int ecp_mod_p224k1( mbedtls_mpi * );
633#endif
634#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
635static int ecp_mod_p256k1( mbedtls_mpi * );
636#endif
637
638#define LOAD_GROUP_A( G ) ecp_group_load( grp, \
639 G ## _p, sizeof( G ## _p ), \
640 G ## _a, sizeof( G ## _a ), \
641 G ## _b, sizeof( G ## _b ), \
642 G ## _gx, sizeof( G ## _gx ), \
643 G ## _gy, sizeof( G ## _gy ), \
644 G ## _n, sizeof( G ## _n ) )
645
646#define LOAD_GROUP( G ) ecp_group_load( grp, \
647 G ## _p, sizeof( G ## _p ), \
648 NULL, 0, \
649 G ## _b, sizeof( G ## _b ), \
650 G ## _gx, sizeof( G ## _gx ), \
651 G ## _gy, sizeof( G ## _gy ), \
652 G ## _n, sizeof( G ## _n ) )
653
654#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
655/*
656 * Specialized function for creating the Curve25519 group
657 */
658static int ecp_use_curve25519( mbedtls_ecp_group *grp )
659{
660 int ret;
661
662 /* Actually ( A + 2 ) / 4 */
663 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "01DB42" ) );
664
665 /* P = 2^255 - 19 */
666 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
667 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 255 ) );
668 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) );
669 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
670
671 /* Y intentionaly not set, since we use x/z coordinates.
672 * This is used as a marker to identify Montgomery curves! */
673 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) );
674 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
675 mbedtls_mpi_free( &grp->G.Y );
676
677 /* Actually, the required msb for private keys */
678 grp->nbits = 254;
679
680cleanup:
681 if( ret != 0 )
682 mbedtls_ecp_group_free( grp );
683
684 return( ret );
685}
686#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
687
688/*
689 * Set a group using well-known domain parameters
690 */
691int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
692{
693 mbedtls_ecp_group_free( grp );
694
695 grp->id = id;
696
697 switch( id )
698 {
699#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
700 case MBEDTLS_ECP_DP_SECP192R1:
701 NIST_MODP( p192 );
702 return( LOAD_GROUP( secp192r1 ) );
703#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
704
705#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
706 case MBEDTLS_ECP_DP_SECP224R1:
707 NIST_MODP( p224 );
708 return( LOAD_GROUP( secp224r1 ) );
709#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
710
711#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
712 case MBEDTLS_ECP_DP_SECP256R1:
713 NIST_MODP( p256 );
714 return( LOAD_GROUP( secp256r1 ) );
715#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
716
717#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
718 case MBEDTLS_ECP_DP_SECP384R1:
719 NIST_MODP( p384 );
720 return( LOAD_GROUP( secp384r1 ) );
721#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
722
723#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
724 case MBEDTLS_ECP_DP_SECP521R1:
725 NIST_MODP( p521 );
726 return( LOAD_GROUP( secp521r1 ) );
727#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
728
729#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
730 case MBEDTLS_ECP_DP_SECP192K1:
731 grp->modp = ecp_mod_p192k1;
732 return( LOAD_GROUP_A( secp192k1 ) );
733#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
734
735#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
736 case MBEDTLS_ECP_DP_SECP224K1:
737 grp->modp = ecp_mod_p224k1;
738 return( LOAD_GROUP_A( secp224k1 ) );
739#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
740
741#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
742 case MBEDTLS_ECP_DP_SECP256K1:
743 grp->modp = ecp_mod_p256k1;
744 return( LOAD_GROUP_A( secp256k1 ) );
745#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
746
747#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
748 case MBEDTLS_ECP_DP_BP256R1:
749 return( LOAD_GROUP_A( brainpoolP256r1 ) );
750#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
751
752#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
753 case MBEDTLS_ECP_DP_BP384R1:
754 return( LOAD_GROUP_A( brainpoolP384r1 ) );
755#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
756
757#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
758 case MBEDTLS_ECP_DP_BP512R1:
759 return( LOAD_GROUP_A( brainpoolP512r1 ) );
760#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
761
762#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
763 case MBEDTLS_ECP_DP_CURVE25519:
764 grp->modp = ecp_mod_p255;
765 return( ecp_use_curve25519( grp ) );
766#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
767
768 default:
769 mbedtls_ecp_group_free( grp );
770 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
771 }
772}
773
774#if defined(MBEDTLS_ECP_NIST_OPTIM)
775/*
776 * Fast reduction modulo the primes used by the NIST curves.
777 *
778 * These functions are critical for speed, but not needed for correct
779 * operations. So, we make the choice to heavily rely on the internals of our
780 * bignum library, which creates a tight coupling between these functions and
781 * our MPI implementation. However, the coupling between the ECP module and
782 * MPI remains loose, since these functions can be deactivated at will.
783 */
784
785#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
786/*
787 * Compared to the way things are presented in FIPS 186-3 D.2,
788 * we proceed in columns, from right (least significant chunk) to left,
789 * adding chunks to N in place, and keeping a carry for the next chunk.
790 * This avoids moving things around in memory, and uselessly adding zeros,
791 * compared to the more straightforward, line-oriented approach.
792 *
793 * For this prime we need to handle data in chunks of 64 bits.
794 * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
795 * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
796 */
797
798/* Add 64-bit chunks (dst += src) and update carry */
799static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry )
800{
801 unsigned char i;
802 mbedtls_mpi_uint c = 0;
803 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ )
804 {
805 *dst += c; c = ( *dst < c );
806 *dst += *src; c += ( *dst < *src );
807 }
808 *carry += c;
809}
810
811/* Add carry to a 64-bit chunk and update carry */
812static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry )
813{
814 unsigned char i;
815 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ )
816 {
817 *dst += *carry;
818 *carry = ( *dst < *carry );
819 }
820}
821
822#define WIDTH 8 / sizeof( mbedtls_mpi_uint )
823#define A( i ) N->p + i * WIDTH
824#define ADD( i ) add64( p, A( i ), &c )
825#define NEXT p += WIDTH; carry64( p, &c )
826#define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0
827
828/*
829 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
830 */
831static int ecp_mod_p192( mbedtls_mpi *N )
832{
833 int ret;
834 mbedtls_mpi_uint c = 0;
835 mbedtls_mpi_uint *p, *end;
836
837 /* Make sure we have enough blocks so that A(5) is legal */
838 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) );
839
840 p = N->p;
841 end = p + N->n;
842
843 ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5
844 ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5
845 ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5
846
847cleanup:
848 return( ret );
849}
850
851#undef WIDTH
852#undef A
853#undef ADD
854#undef NEXT
855#undef LAST
856#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
857
858#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
859 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
860 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
861/*
862 * The reader is advised to first understand ecp_mod_p192() since the same
863 * general structure is used here, but with additional complications:
864 * (1) chunks of 32 bits, and (2) subtractions.
865 */
866
867/*
868 * For these primes, we need to handle data in chunks of 32 bits.
869 * This makes it more complicated if we use 64 bits limbs in MPI,
870 * which prevents us from using a uniform access method as for p192.
871 *
872 * So, we define a mini abstraction layer to access 32 bit chunks,
873 * load them in 'cur' for work, and store them back from 'cur' when done.
874 *
875 * While at it, also define the size of N in terms of 32-bit chunks.
876 */
877#define LOAD32 cur = A( i );
878
879#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
880
881#define MAX32 N->n
882#define A( j ) N->p[j]
883#define STORE32 N->p[i] = cur;
884
885#else /* 64-bit */
886
887#define MAX32 N->n * 2
888#define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] )
889#define STORE32 \
890 if( i % 2 ) { \
891 N->p[i/2] &= 0x00000000FFFFFFFF; \
892 N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \
893 } else { \
894 N->p[i/2] &= 0xFFFFFFFF00000000; \
895 N->p[i/2] |= (mbedtls_mpi_uint) cur; \
896 }
897
898#endif /* sizeof( mbedtls_mpi_uint ) */
899
900/*
901 * Helpers for addition and subtraction of chunks, with signed carry.
902 */
903static inline void add32( uint32_t *dst, uint32_t src, signed char *carry )
904{
905 *dst += src;
906 *carry += ( *dst < src );
907}
908
909static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
910{
911 *carry -= ( *dst < src );
912 *dst -= src;
913}
914
915#define ADD( j ) add32( &cur, A( j ), &c );
916#define SUB( j ) sub32( &cur, A( j ), &c );
917
918/*
919 * Helpers for the main 'loop'
920 * (see fix_negative for the motivation of C)
921 */
922#define INIT( b ) \
923 int ret; \
924 signed char c = 0, cc; \
925 uint32_t cur; \
926 size_t i = 0, bits = b; \
927 mbedtls_mpi C; \
928 mbedtls_mpi_uint Cp[ b / 8 / sizeof( mbedtls_mpi_uint) + 1 ]; \
929 \
930 C.s = 1; \
931 C.n = b / 8 / sizeof( mbedtls_mpi_uint) + 1; \
932 C.p = Cp; \
933 memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) ); \
934 \
935 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, b * 2 / 8 / sizeof( mbedtls_mpi_uint ) ) ); \
936 LOAD32;
937
938#define NEXT \
939 STORE32; i++; LOAD32; \
940 cc = c; c = 0; \
941 if( cc < 0 ) \
942 sub32( &cur, -cc, &c ); \
943 else \
944 add32( &cur, cc, &c ); \
945
946#define LAST \
947 STORE32; i++; \
948 cur = c > 0 ? c : 0; STORE32; \
949 cur = 0; while( ++i < MAX32 ) { STORE32; } \
950 if( c < 0 ) fix_negative( N, c, &C, bits );
951
952/*
953 * If the result is negative, we get it in the form
954 * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits'
955 */
956static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits )
957{
958 int ret;
959
960 /* C = - c * 2^(bits + 32) */
961#if !defined(MBEDTLS_HAVE_INT64)
962 ((void) bits);
963#else
964 if( bits == 224 )
965 C->p[ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32;
966 else
967#endif
968 C->p[ C->n - 1 ] = (mbedtls_mpi_uint) -c;
969
970 /* N = - ( C - N ) */
971 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) );
972 N->s = -1;
973
974cleanup:
975
976 return( ret );
977}
978
979#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
980/*
981 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
982 */
983static int ecp_mod_p224( mbedtls_mpi *N )
984{
985 INIT( 224 );
986
987 SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11
988 SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12
989 SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13
990 SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11
991 SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12
992 SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13
993 SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10
994
995cleanup:
996 return( ret );
997}
998#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
999
1000#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
1001/*
1002 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
1003 */
1004static int ecp_mod_p256( mbedtls_mpi *N )
1005{
1006 INIT( 256 );
1007
1008 ADD( 8 ); ADD( 9 );
1009 SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0
1010
1011 ADD( 9 ); ADD( 10 );
1012 SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1
1013
1014 ADD( 10 ); ADD( 11 );
1015 SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2
1016
1017 ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
1018 SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3
1019
1020 ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
1021 SUB( 9 ); SUB( 10 ); NEXT; // A4
1022
1023 ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
1024 SUB( 10 ); SUB( 11 ); NEXT; // A5
1025
1026 ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
1027 SUB( 8 ); SUB( 9 ); NEXT; // A6
1028
1029 ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
1030 SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7
1031
1032cleanup:
1033 return( ret );
1034}
1035#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
1036
1037#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
1038/*
1039 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
1040 */
1041static int ecp_mod_p384( mbedtls_mpi *N )
1042{
1043 INIT( 384 );
1044
1045 ADD( 12 ); ADD( 21 ); ADD( 20 );
1046 SUB( 23 ); NEXT; // A0
1047
1048 ADD( 13 ); ADD( 22 ); ADD( 23 );
1049 SUB( 12 ); SUB( 20 ); NEXT; // A2
1050
1051 ADD( 14 ); ADD( 23 );
1052 SUB( 13 ); SUB( 21 ); NEXT; // A2
1053
1054 ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
1055 SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3
1056
1057 ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
1058 SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4
1059
1060 ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
1061 SUB( 16 ); NEXT; // A5
1062
1063 ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
1064 SUB( 17 ); NEXT; // A6
1065
1066 ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
1067 SUB( 18 ); NEXT; // A7
1068
1069 ADD( 20 ); ADD( 17 ); ADD( 16 );
1070 SUB( 19 ); NEXT; // A8
1071
1072 ADD( 21 ); ADD( 18 ); ADD( 17 );
1073 SUB( 20 ); NEXT; // A9
1074
1075 ADD( 22 ); ADD( 19 ); ADD( 18 );
1076 SUB( 21 ); NEXT; // A10
1077
1078 ADD( 23 ); ADD( 20 ); ADD( 19 );
1079 SUB( 22 ); LAST; // A11
1080
1081cleanup:
1082 return( ret );
1083}
1084#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
1085
1086#undef A
1087#undef LOAD32
1088#undef STORE32
1089#undef MAX32
1090#undef INIT
1091#undef NEXT
1092#undef LAST
1093
1094#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
1095 MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
1096 MBEDTLS_ECP_DP_SECP384R1_ENABLED */
1097
1098#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
1099/*
1100 * Here we have an actual Mersenne prime, so things are more straightforward.
1101 * However, chunks are aligned on a 'weird' boundary (521 bits).
1102 */
1103
1104/* Size of p521 in terms of mbedtls_mpi_uint */
1105#define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
1106
1107/* Bits to keep in the most significant mbedtls_mpi_uint */
1108#define P521_MASK 0x01FF
1109
1110/*
1111 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
1112 * Write N as A1 + 2^521 A0, return A0 + A1
1113 */
1114static int ecp_mod_p521( mbedtls_mpi *N )
1115{
1116 int ret;
1117 size_t i;
1118 mbedtls_mpi M;
1119 mbedtls_mpi_uint Mp[P521_WIDTH + 1];
1120 /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
1121 * we need to hold bits 513 to 1056, which is 34 limbs, that is
1122 * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
1123
1124 if( N->n < P521_WIDTH )
1125 return( 0 );
1126
1127 /* M = A1 */
1128 M.s = 1;
1129 M.n = N->n - ( P521_WIDTH - 1 );
1130 if( M.n > P521_WIDTH + 1 )
1131 M.n = P521_WIDTH + 1;
1132 M.p = Mp;
1133 memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
1134 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
1135
1136 /* N = A0 */
1137 N->p[P521_WIDTH - 1] &= P521_MASK;
1138 for( i = P521_WIDTH; i < N->n; i++ )
1139 N->p[i] = 0;
1140
1141 /* N = A0 + A1 */
1142 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1143
1144cleanup:
1145 return( ret );
1146}
1147
1148#undef P521_WIDTH
1149#undef P521_MASK
1150#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
1151
1152#endif /* MBEDTLS_ECP_NIST_OPTIM */
1153
1154#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
1155
1156/* Size of p255 in terms of mbedtls_mpi_uint */
1157#define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
1158
1159/*
1160 * Fast quasi-reduction modulo p255 = 2^255 - 19
1161 * Write N as A0 + 2^255 A1, return A0 + 19 * A1
1162 */
1163static int ecp_mod_p255( mbedtls_mpi *N )
1164{
1165 int ret;
1166 size_t i;
1167 mbedtls_mpi M;
1168 mbedtls_mpi_uint Mp[P255_WIDTH + 2];
1169
1170 if( N->n < P255_WIDTH )
1171 return( 0 );
1172
1173 /* M = A1 */
1174 M.s = 1;
1175 M.n = N->n - ( P255_WIDTH - 1 );
1176 if( M.n > P255_WIDTH + 1 )
1177 M.n = P255_WIDTH + 1;
1178 M.p = Mp;
1179 memset( Mp, 0, sizeof Mp );
1180 memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
1181 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
1182 M.n++; /* Make room for multiplication by 19 */
1183
1184 /* N = A0 */
1185 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) );
1186 for( i = P255_WIDTH; i < N->n; i++ )
1187 N->p[i] = 0;
1188
1189 /* N = A0 + 19 * A1 */
1190 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) );
1191 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1192
1193cleanup:
1194 return( ret );
1195}
1196#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
1197
1198#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
1199 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
1200 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
1201/*
1202 * Fast quasi-reduction modulo P = 2^s - R,
1203 * with R about 33 bits, used by the Koblitz curves.
1204 *
1205 * Write N as A0 + 2^224 A1, return A0 + R * A1.
1206 * Actually do two passes, since R is big.
1207 */
1208#define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P
1209#define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R
1210static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
1211 size_t adjust, size_t shift, mbedtls_mpi_uint mask )
1212{
1213 int ret;
1214 size_t i;
1215 mbedtls_mpi M, R;
1216 mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R];
1217
1218 if( N->n < p_limbs )
1219 return( 0 );
1220
1221 /* Init R */
1222 R.s = 1;
1223 R.p = Rp;
1224 R.n = P_KOBLITZ_R;
1225
1226 /* Common setup for M */
1227 M.s = 1;
1228 M.p = Mp;
1229
1230 /* M = A1 */
1231 M.n = N->n - ( p_limbs - adjust );
1232 if( M.n > p_limbs + adjust )
1233 M.n = p_limbs + adjust;
1234 memset( Mp, 0, sizeof Mp );
1235 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
1236 if( shift != 0 )
1237 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
1238 M.n += R.n - adjust; /* Make room for multiplication by R */
1239
1240 /* N = A0 */
1241 if( mask != 0 )
1242 N->p[p_limbs - 1] &= mask;
1243 for( i = p_limbs; i < N->n; i++ )
1244 N->p[i] = 0;
1245
1246 /* N = A0 + R * A1 */
1247 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
1248 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1249
1250 /* Second pass */
1251
1252 /* M = A1 */
1253 M.n = N->n - ( p_limbs - adjust );
1254 if( M.n > p_limbs + adjust )
1255 M.n = p_limbs + adjust;
1256 memset( Mp, 0, sizeof Mp );
1257 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
1258 if( shift != 0 )
1259 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
1260 M.n += R.n - adjust; /* Make room for multiplication by R */
1261
1262 /* N = A0 */
1263 if( mask != 0 )
1264 N->p[p_limbs - 1] &= mask;
1265 for( i = p_limbs; i < N->n; i++ )
1266 N->p[i] = 0;
1267
1268 /* N = A0 + R * A1 */
1269 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
1270 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1271
1272cleanup:
1273 return( ret );
1274}
1275#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
1276 MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
1277 MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
1278
1279#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
1280/*
1281 * Fast quasi-reduction modulo p192k1 = 2^192 - R,
1282 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
1283 */
1284static int ecp_mod_p192k1( mbedtls_mpi *N )
1285{
1286 static mbedtls_mpi_uint Rp[] = {
1287 BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1288
1289 return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
1290}
1291#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
1292
1293#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
1294/*
1295 * Fast quasi-reduction modulo p224k1 = 2^224 - R,
1296 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
1297 */
1298static int ecp_mod_p224k1( mbedtls_mpi *N )
1299{
1300 static mbedtls_mpi_uint Rp[] = {
1301 BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1302
1303#if defined(MBEDTLS_HAVE_INT64)
1304 return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
1305#else
1306 return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
1307#endif
1308}
1309
1310#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
1311
1312#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
1313/*
1314 * Fast quasi-reduction modulo p256k1 = 2^256 - R,
1315 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
1316 */
1317static int ecp_mod_p256k1( mbedtls_mpi *N )
1318{
1319 static mbedtls_mpi_uint Rp[] = {
1320 BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1321 return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
1322}
1323#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
1324
1325#endif /* MBEDTLS_ECP_C */
Note: See TracBrowser for help on using the repository browser.