1 /* 2 * Elliptic curves over GF(p): curve-specific data and functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 #include "common.h" 21 22 #if defined(MBEDTLS_ECP_C) 23 24 #include "mbedtls/ecp.h" 25 #include "mbedtls/platform_util.h" 26 #include "mbedtls/error.h" 27 #include "mbedtls/bn_mul.h" 28 29 #include "ecp_invasive.h" 30 31 #include <string.h> 32 33 #if !defined(MBEDTLS_ECP_ALT) 34 35 /* Parameter validation macros based on platform_util.h */ 36 #define ECP_VALIDATE_RET( cond ) \ 37 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA ) 38 #define ECP_VALIDATE( cond ) \ 39 MBEDTLS_INTERNAL_VALIDATE( cond ) 40 41 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ 42 !defined(inline) && !defined(__cplusplus) 43 #define inline __inline 44 #endif 45 46 #define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)} 47 48 #define ECP_MPI_INIT_ARRAY(x) \ 49 ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x) 50 51 /* 52 * Note: the constants are in little-endian order 53 * to be directly usable in MPIs 54 */ 55 56 /* 57 * Domain parameters for secp192r1 58 */ 59 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 60 static const mbedtls_mpi_uint secp192r1_p[] = { 61 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 62 MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 63 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 64 }; 65 static const mbedtls_mpi_uint secp192r1_b[] = { 66 MBEDTLS_BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ), 67 MBEDTLS_BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ), 68 MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ), 69 }; 70 static const mbedtls_mpi_uint secp192r1_gx[] = { 71 MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ), 72 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ), 73 MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ), 74 }; 75 static const mbedtls_mpi_uint secp192r1_gy[] = { 76 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ), 77 MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ), 78 MBEDTLS_BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ), 79 }; 80 static const mbedtls_mpi_uint secp192r1_n[] = { 81 MBEDTLS_BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ), 82 MBEDTLS_BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ), 83 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 84 }; 85 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 86 87 /* 88 * Domain parameters for secp224r1 89 */ 90 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 91 static const mbedtls_mpi_uint secp224r1_p[] = { 92 MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 93 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 94 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 95 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 96 }; 97 static const mbedtls_mpi_uint secp224r1_b[] = { 98 MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ), 99 MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ), 100 MBEDTLS_BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ), 101 MBEDTLS_BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ), 102 }; 103 static const mbedtls_mpi_uint secp224r1_gx[] = { 104 MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ), 105 MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ), 106 MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ), 107 MBEDTLS_BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ), 108 }; 109 static const mbedtls_mpi_uint secp224r1_gy[] = { 110 MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ), 111 MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ), 112 MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ), 113 MBEDTLS_BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ), 114 }; 115 static const mbedtls_mpi_uint secp224r1_n[] = { 116 MBEDTLS_BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ), 117 MBEDTLS_BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ), 118 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 119 MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 120 }; 121 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 122 123 /* 124 * Domain parameters for secp256r1 125 */ 126 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 127 static const mbedtls_mpi_uint secp256r1_p[] = { 128 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 129 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 130 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 131 MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 132 }; 133 static const mbedtls_mpi_uint secp256r1_b[] = { 134 MBEDTLS_BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ), 135 MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ), 136 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ), 137 MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ), 138 }; 139 static const mbedtls_mpi_uint secp256r1_gx[] = { 140 MBEDTLS_BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ), 141 MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ), 142 MBEDTLS_BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ), 143 MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ), 144 }; 145 static const mbedtls_mpi_uint secp256r1_gy[] = { 146 MBEDTLS_BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ), 147 MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ), 148 MBEDTLS_BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ), 149 MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ), 150 }; 151 static const mbedtls_mpi_uint secp256r1_n[] = { 152 MBEDTLS_BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ), 153 MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ), 154 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 155 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 156 }; 157 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 158 159 /* 160 * Domain parameters for secp384r1 161 */ 162 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 163 static const mbedtls_mpi_uint secp384r1_p[] = { 164 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), 165 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 166 MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 167 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 168 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 169 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 170 }; 171 static const mbedtls_mpi_uint secp384r1_b[] = { 172 MBEDTLS_BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ), 173 MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ), 174 MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ), 175 MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ), 176 MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ), 177 MBEDTLS_BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ), 178 }; 179 static const mbedtls_mpi_uint secp384r1_gx[] = { 180 MBEDTLS_BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ), 181 MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ), 182 MBEDTLS_BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ), 183 MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ), 184 MBEDTLS_BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ), 185 MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ), 186 }; 187 static const mbedtls_mpi_uint secp384r1_gy[] = { 188 MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ), 189 MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ), 190 MBEDTLS_BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ), 191 MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ), 192 MBEDTLS_BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ), 193 MBEDTLS_BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ), 194 }; 195 static const mbedtls_mpi_uint secp384r1_n[] = { 196 MBEDTLS_BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ), 197 MBEDTLS_BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ), 198 MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ), 199 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 200 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 201 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 202 }; 203 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 204 205 /* 206 * Domain parameters for secp521r1 207 */ 208 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 209 static const mbedtls_mpi_uint secp521r1_p[] = { 210 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 211 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 212 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 213 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 214 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 215 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 216 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 217 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 218 MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 219 }; 220 static const mbedtls_mpi_uint secp521r1_b[] = { 221 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ), 222 MBEDTLS_BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ), 223 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ), 224 MBEDTLS_BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ), 225 MBEDTLS_BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ), 226 MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ), 227 MBEDTLS_BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ), 228 MBEDTLS_BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ), 229 MBEDTLS_BYTES_TO_T_UINT_2( 0x51, 0x00 ), 230 }; 231 static const mbedtls_mpi_uint secp521r1_gx[] = { 232 MBEDTLS_BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ), 233 MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ), 234 MBEDTLS_BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ), 235 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ), 236 MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ), 237 MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ), 238 MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ), 239 MBEDTLS_BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ), 240 MBEDTLS_BYTES_TO_T_UINT_2( 0xC6, 0x00 ), 241 }; 242 static const mbedtls_mpi_uint secp521r1_gy[] = { 243 MBEDTLS_BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ), 244 MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ), 245 MBEDTLS_BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ), 246 MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ), 247 MBEDTLS_BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ), 248 MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ), 249 MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ), 250 MBEDTLS_BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ), 251 MBEDTLS_BYTES_TO_T_UINT_2( 0x18, 0x01 ), 252 }; 253 static const mbedtls_mpi_uint secp521r1_n[] = { 254 MBEDTLS_BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ), 255 MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ), 256 MBEDTLS_BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ), 257 MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ), 258 MBEDTLS_BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 259 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 260 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 261 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 262 MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ), 263 }; 264 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 265 266 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 267 static const mbedtls_mpi_uint secp192k1_p[] = { 268 MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 269 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 270 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 271 }; 272 static const mbedtls_mpi_uint secp192k1_a[] = { 273 MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ), 274 }; 275 static const mbedtls_mpi_uint secp192k1_b[] = { 276 MBEDTLS_BYTES_TO_T_UINT_2( 0x03, 0x00 ), 277 }; 278 static const mbedtls_mpi_uint secp192k1_gx[] = { 279 MBEDTLS_BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ), 280 MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ), 281 MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ), 282 }; 283 static const mbedtls_mpi_uint secp192k1_gy[] = { 284 MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ), 285 MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ), 286 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ), 287 }; 288 static const mbedtls_mpi_uint secp192k1_n[] = { 289 MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ), 290 MBEDTLS_BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ), 291 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 292 }; 293 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 294 295 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 296 static const mbedtls_mpi_uint secp224k1_p[] = { 297 MBEDTLS_BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 298 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 299 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 300 MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), 301 }; 302 static const mbedtls_mpi_uint secp224k1_a[] = { 303 MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ), 304 }; 305 static const mbedtls_mpi_uint secp224k1_b[] = { 306 MBEDTLS_BYTES_TO_T_UINT_2( 0x05, 0x00 ), 307 }; 308 static const mbedtls_mpi_uint secp224k1_gx[] = { 309 MBEDTLS_BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ), 310 MBEDTLS_BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ), 311 MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ), 312 MBEDTLS_BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ), 313 }; 314 static const mbedtls_mpi_uint secp224k1_gy[] = { 315 MBEDTLS_BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ), 316 MBEDTLS_BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ), 317 MBEDTLS_BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ), 318 MBEDTLS_BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ), 319 }; 320 static const mbedtls_mpi_uint secp224k1_n[] = { 321 MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ), 322 MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ), 323 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), 324 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ), 325 }; 326 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 327 328 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 329 static const mbedtls_mpi_uint secp256k1_p[] = { 330 MBEDTLS_BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 331 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 332 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 333 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 334 }; 335 static const mbedtls_mpi_uint secp256k1_a[] = { 336 MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ), 337 }; 338 static const mbedtls_mpi_uint secp256k1_b[] = { 339 MBEDTLS_BYTES_TO_T_UINT_2( 0x07, 0x00 ), 340 }; 341 static const mbedtls_mpi_uint secp256k1_gx[] = { 342 MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ), 343 MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ), 344 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ), 345 MBEDTLS_BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ), 346 }; 347 static const mbedtls_mpi_uint secp256k1_gy[] = { 348 MBEDTLS_BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ), 349 MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ), 350 MBEDTLS_BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ), 351 MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ), 352 }; 353 static const mbedtls_mpi_uint secp256k1_n[] = { 354 MBEDTLS_BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ), 355 MBEDTLS_BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ), 356 MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 357 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 358 }; 359 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 360 361 /* 362 * Domain parameters for brainpoolP256r1 (RFC 5639 3.4) 363 */ 364 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 365 static const mbedtls_mpi_uint brainpoolP256r1_p[] = { 366 MBEDTLS_BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ), 367 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ), 368 MBEDTLS_BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 369 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 370 }; 371 static const mbedtls_mpi_uint brainpoolP256r1_a[] = { 372 MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ), 373 MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ), 374 MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ), 375 MBEDTLS_BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ), 376 }; 377 static const mbedtls_mpi_uint brainpoolP256r1_b[] = { 378 MBEDTLS_BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ), 379 MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ), 380 MBEDTLS_BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ), 381 MBEDTLS_BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ), 382 }; 383 static const mbedtls_mpi_uint brainpoolP256r1_gx[] = { 384 MBEDTLS_BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ), 385 MBEDTLS_BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ), 386 MBEDTLS_BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ), 387 MBEDTLS_BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ), 388 }; 389 static const mbedtls_mpi_uint brainpoolP256r1_gy[] = { 390 MBEDTLS_BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ), 391 MBEDTLS_BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ), 392 MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ), 393 MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ), 394 }; 395 static const mbedtls_mpi_uint brainpoolP256r1_n[] = { 396 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ), 397 MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ), 398 MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), 399 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), 400 }; 401 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ 402 403 /* 404 * Domain parameters for brainpoolP384r1 (RFC 5639 3.6) 405 */ 406 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 407 static const mbedtls_mpi_uint brainpoolP384r1_p[] = { 408 MBEDTLS_BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ), 409 MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ), 410 MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ), 411 MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 412 MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 413 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 414 }; 415 static const mbedtls_mpi_uint brainpoolP384r1_a[] = { 416 MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 417 MBEDTLS_BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ), 418 MBEDTLS_BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ), 419 MBEDTLS_BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ), 420 MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ), 421 MBEDTLS_BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ), 422 }; 423 static const mbedtls_mpi_uint brainpoolP384r1_b[] = { 424 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ), 425 MBEDTLS_BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ), 426 MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ), 427 MBEDTLS_BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ), 428 MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ), 429 MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), 430 }; 431 static const mbedtls_mpi_uint brainpoolP384r1_gx[] = { 432 MBEDTLS_BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ), 433 MBEDTLS_BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ), 434 MBEDTLS_BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ), 435 MBEDTLS_BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ), 436 MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ), 437 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ), 438 }; 439 static const mbedtls_mpi_uint brainpoolP384r1_gy[] = { 440 MBEDTLS_BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ), 441 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ), 442 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ), 443 MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ), 444 MBEDTLS_BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ), 445 MBEDTLS_BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ), 446 }; 447 static const mbedtls_mpi_uint brainpoolP384r1_n[] = { 448 MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ), 449 MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ), 450 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ), 451 MBEDTLS_BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), 452 MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), 453 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), 454 }; 455 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ 456 457 /* 458 * Domain parameters for brainpoolP512r1 (RFC 5639 3.7) 459 */ 460 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 461 static const mbedtls_mpi_uint brainpoolP512r1_p[] = { 462 MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ), 463 MBEDTLS_BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ), 464 MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ), 465 MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ), 466 MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 467 MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 468 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 469 MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 470 }; 471 static const mbedtls_mpi_uint brainpoolP512r1_a[] = { 472 MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ), 473 MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ), 474 MBEDTLS_BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ), 475 MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ), 476 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ), 477 MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ), 478 MBEDTLS_BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ), 479 MBEDTLS_BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ), 480 }; 481 static const mbedtls_mpi_uint brainpoolP512r1_b[] = { 482 MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ), 483 MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ), 484 MBEDTLS_BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ), 485 MBEDTLS_BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ), 486 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ), 487 MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ), 488 MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ), 489 MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ), 490 }; 491 static const mbedtls_mpi_uint brainpoolP512r1_gx[] = { 492 MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ), 493 MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ), 494 MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ), 495 MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ), 496 MBEDTLS_BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ), 497 MBEDTLS_BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ), 498 MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ), 499 MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ), 500 }; 501 static const mbedtls_mpi_uint brainpoolP512r1_gy[] = { 502 MBEDTLS_BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ), 503 MBEDTLS_BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ), 504 MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ), 505 MBEDTLS_BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ), 506 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ), 507 MBEDTLS_BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ), 508 MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ), 509 MBEDTLS_BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ), 510 }; 511 static const mbedtls_mpi_uint brainpoolP512r1_n[] = { 512 MBEDTLS_BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ), 513 MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ), 514 MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ), 515 MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ), 516 MBEDTLS_BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), 517 MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), 518 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), 519 MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), 520 }; 521 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ 522 523 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \ 524 defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ 525 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ 526 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \ 527 defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \ 528 defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \ 529 defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \ 530 defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \ 531 defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \ 532 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \ 533 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 534 /* For these curves, we build the group parameters dynamically. */ 535 #define ECP_LOAD_GROUP 536 #endif 537 538 #if defined(ECP_LOAD_GROUP) 539 /* 540 * Domain parameters for SM2 (GM/T 0003 Part 5) 541 */ 542 #if defined(MBEDTLS_ECP_DP_SM2_ENABLED) 543 static const mbedtls_mpi_uint sm2_p[] = { 544 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 545 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 546 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 547 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 548 }; 549 static const mbedtls_mpi_uint sm2_a[] = { 550 MBEDTLS_BYTES_TO_T_UINT_8( 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 551 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), 552 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 553 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 554 }; 555 static const mbedtls_mpi_uint sm2_b[] = { 556 MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x0E, 0x94, 0x4D, 0x41, 0xBD, 0xBC, 0xDD ), 557 MBEDTLS_BYTES_TO_T_UINT_8( 0x92, 0x8F, 0xAB, 0x15, 0xF5, 0x89, 0x97, 0xF3 ), 558 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x09, 0x65, 0xCF, 0x4B, 0x9E, 0x5A, 0x4D ), 559 MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x5E, 0x9F, 0x9D, 0x9E, 0xFA, 0xE9, 0x28 ), 560 }; 561 static const mbedtls_mpi_uint sm2_gx[] = { 562 MBEDTLS_BYTES_TO_T_UINT_8( 0xC7, 0x74, 0x4C, 0x33, 0x89, 0x45, 0x5A, 0x71 ), 563 MBEDTLS_BYTES_TO_T_UINT_8( 0xE1, 0x0B, 0x66, 0xF2, 0xBF, 0x0B, 0xE3, 0x8F ), 564 MBEDTLS_BYTES_TO_T_UINT_8( 0x94, 0xC9, 0x39, 0x6A, 0x46, 0x04, 0x99, 0x5F ), 565 MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x81, 0x19, 0x1F, 0x2C, 0xAE, 0xC4, 0x32 ), 566 }; 567 static const mbedtls_mpi_uint sm2_gy[] = { 568 MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0xF0, 0x39, 0x21, 0xE5, 0x32, 0xDF, 0x02 ), 569 MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0x47, 0x2A, 0xC6, 0x7C, 0x87, 0xA9, 0xD0 ), 570 MBEDTLS_BYTES_TO_T_UINT_8( 0x53, 0x21, 0x69, 0x6B, 0xE3, 0xCE, 0xBD, 0x59 ), 571 MBEDTLS_BYTES_TO_T_UINT_8( 0x9C, 0x77, 0xF6, 0xF4, 0xA2, 0x36, 0x37, 0xBC ), 572 }; 573 static const mbedtls_mpi_uint sm2_n[] = { 574 MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0x41, 0xD5, 0x39, 0x09, 0xF4, 0xBB, 0x53 ), 575 MBEDTLS_BYTES_TO_T_UINT_8( 0x2B, 0x05, 0xC6, 0x21, 0x6B, 0xDF, 0x03, 0x72 ), 576 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), 577 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), 578 }; 579 #endif /* MBEDTLS_ECP_DP_SM2_ENABLED */ 580 /* 581 * Create an MPI from embedded constants 582 * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint) 583 */ 584 static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len ) 585 { 586 X->s = 1; 587 X->n = len / sizeof( mbedtls_mpi_uint ); 588 X->p = (mbedtls_mpi_uint *) p; 589 } 590 591 /* 592 * Set an MPI to static value 1 593 */ 594 static inline void ecp_mpi_set1( mbedtls_mpi *X ) 595 { 596 static mbedtls_mpi_uint one[] = { 1 }; 597 X->s = 1; 598 X->n = 1; 599 X->p = one; 600 } 601 602 /* 603 * Make group available from embedded constants 604 */ 605 static int ecp_group_load( mbedtls_ecp_group *grp, 606 const mbedtls_mpi_uint *p, size_t plen, 607 const mbedtls_mpi_uint *a, size_t alen, 608 const mbedtls_mpi_uint *b, size_t blen, 609 const mbedtls_mpi_uint *gx, size_t gxlen, 610 const mbedtls_mpi_uint *gy, size_t gylen, 611 const mbedtls_mpi_uint *n, size_t nlen) 612 { 613 ecp_mpi_load( &grp->P, p, plen ); 614 if( a != NULL ) 615 ecp_mpi_load( &grp->A, a, alen ); 616 ecp_mpi_load( &grp->B, b, blen ); 617 ecp_mpi_load( &grp->N, n, nlen ); 618 619 ecp_mpi_load( &grp->G.X, gx, gxlen ); 620 ecp_mpi_load( &grp->G.Y, gy, gylen ); 621 ecp_mpi_set1( &grp->G.Z ); 622 623 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 624 grp->nbits = mbedtls_mpi_bitlen( &grp->N ); 625 626 grp->h = 1; 627 628 return( 0 ); 629 } 630 #endif /* ECP_LOAD_GROUP */ 631 632 #if defined(MBEDTLS_ECP_NIST_OPTIM) 633 /* Forward declarations */ 634 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 635 static int ecp_mod_p192( mbedtls_mpi * ); 636 #endif 637 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 638 static int ecp_mod_p224( mbedtls_mpi * ); 639 #endif 640 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 641 static int ecp_mod_p256( mbedtls_mpi * ); 642 #endif 643 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 644 static int ecp_mod_p384( mbedtls_mpi * ); 645 #endif 646 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 647 static int ecp_mod_p521( mbedtls_mpi * ); 648 #endif 649 650 #define NIST_MODP( P ) grp->modp = ecp_mod_ ## P; 651 #else 652 #define NIST_MODP( P ) 653 #endif /* MBEDTLS_ECP_NIST_OPTIM */ 654 655 /* Additional forward declarations */ 656 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 657 static int ecp_mod_p255( mbedtls_mpi * ); 658 #endif 659 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) 660 static int ecp_mod_p448( mbedtls_mpi * ); 661 #endif 662 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 663 static int ecp_mod_p192k1( mbedtls_mpi * ); 664 #endif 665 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 666 static int ecp_mod_p224k1( mbedtls_mpi * ); 667 #endif 668 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 669 static int ecp_mod_p256k1( mbedtls_mpi * ); 670 #endif 671 672 #if defined(ECP_LOAD_GROUP) 673 #define LOAD_GROUP_A( G ) ecp_group_load( grp, \ 674 G ## _p, sizeof( G ## _p ), \ 675 G ## _a, sizeof( G ## _a ), \ 676 G ## _b, sizeof( G ## _b ), \ 677 G ## _gx, sizeof( G ## _gx ), \ 678 G ## _gy, sizeof( G ## _gy ), \ 679 G ## _n, sizeof( G ## _n ) ) 680 681 #define LOAD_GROUP( G ) ecp_group_load( grp, \ 682 G ## _p, sizeof( G ## _p ), \ 683 NULL, 0, \ 684 G ## _b, sizeof( G ## _b ), \ 685 G ## _gx, sizeof( G ## _gx ), \ 686 G ## _gy, sizeof( G ## _gy ), \ 687 G ## _n, sizeof( G ## _n ) ) 688 #endif /* ECP_LOAD_GROUP */ 689 690 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 691 /* Constants used by ecp_use_curve25519() */ 692 static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42; 693 static const unsigned char curve25519_part_of_n[] = { 694 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6, 695 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED, 696 }; 697 698 /* 699 * Specialized function for creating the Curve25519 group 700 */ 701 static int ecp_use_curve25519( mbedtls_ecp_group *grp ) 702 { 703 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 704 705 /* Actually ( A + 2 ) / 4 */ 706 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve25519_a24 ) ); 707 708 /* P = 2^255 - 19 */ 709 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) ); 710 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 255 ) ); 711 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) ); 712 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 713 714 /* N = 2^252 + 27742317777372353535851937790883648493 */ 715 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &grp->N, 716 curve25519_part_of_n, sizeof( curve25519_part_of_n ) ) ); 717 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) ); 718 719 /* Y intentionally not set, since we use x/z coordinates. 720 * This is used as a marker to identify Montgomery curves! */ 721 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) ); 722 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) ); 723 mbedtls_mpi_free( &grp->G.Y ); 724 725 /* Actually, the required msb for private keys */ 726 grp->nbits = 254; 727 728 cleanup: 729 if( ret != 0 ) 730 mbedtls_ecp_group_free( grp ); 731 732 return( ret ); 733 } 734 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 735 736 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) 737 /* Constants used by ecp_use_curve448() */ 738 static const mbedtls_mpi_sint curve448_a24 = 0x98AA; 739 static const unsigned char curve448_part_of_n[] = { 740 0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24, 741 0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93, 742 0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC, 743 0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D, 744 }; 745 746 /* 747 * Specialized function for creating the Curve448 group 748 */ 749 static int ecp_use_curve448( mbedtls_ecp_group *grp ) 750 { 751 mbedtls_mpi Ns; 752 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 753 754 mbedtls_mpi_init( &Ns ); 755 756 /* Actually ( A + 2 ) / 4 */ 757 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve448_a24 ) ); 758 759 /* P = 2^448 - 2^224 - 1 */ 760 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) ); 761 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) ); 762 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) ); 763 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) ); 764 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) ); 765 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 766 767 /* Y intentionally not set, since we use x/z coordinates. 768 * This is used as a marker to identify Montgomery curves! */ 769 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 5 ) ); 770 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) ); 771 mbedtls_mpi_free( &grp->G.Y ); 772 773 /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */ 774 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) ); 775 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &Ns, 776 curve448_part_of_n, sizeof( curve448_part_of_n ) ) ); 777 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) ); 778 779 /* Actually, the required msb for private keys */ 780 grp->nbits = 447; 781 782 cleanup: 783 mbedtls_mpi_free( &Ns ); 784 if( ret != 0 ) 785 mbedtls_ecp_group_free( grp ); 786 787 return( ret ); 788 } 789 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */ 790 791 /* 792 * Set a group using well-known domain parameters 793 */ 794 int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id ) 795 { 796 ECP_VALIDATE_RET( grp != NULL ); 797 mbedtls_ecp_group_free( grp ); 798 799 grp->id = id; 800 801 switch( id ) 802 { 803 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 804 case MBEDTLS_ECP_DP_SECP192R1: 805 NIST_MODP( p192 ); 806 return( LOAD_GROUP( secp192r1 ) ); 807 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 808 809 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 810 case MBEDTLS_ECP_DP_SECP224R1: 811 NIST_MODP( p224 ); 812 return( LOAD_GROUP( secp224r1 ) ); 813 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 814 815 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 816 case MBEDTLS_ECP_DP_SECP256R1: 817 NIST_MODP( p256 ); 818 return( LOAD_GROUP( secp256r1 ) ); 819 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 820 821 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 822 case MBEDTLS_ECP_DP_SECP384R1: 823 NIST_MODP( p384 ); 824 return( LOAD_GROUP( secp384r1 ) ); 825 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 826 827 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 828 case MBEDTLS_ECP_DP_SECP521R1: 829 NIST_MODP( p521 ); 830 return( LOAD_GROUP( secp521r1 ) ); 831 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 832 833 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 834 case MBEDTLS_ECP_DP_SECP192K1: 835 grp->modp = ecp_mod_p192k1; 836 return( LOAD_GROUP_A( secp192k1 ) ); 837 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 838 839 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 840 case MBEDTLS_ECP_DP_SECP224K1: 841 grp->modp = ecp_mod_p224k1; 842 return( LOAD_GROUP_A( secp224k1 ) ); 843 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 844 845 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 846 case MBEDTLS_ECP_DP_SECP256K1: 847 grp->modp = ecp_mod_p256k1; 848 return( LOAD_GROUP_A( secp256k1 ) ); 849 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 850 851 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 852 case MBEDTLS_ECP_DP_BP256R1: 853 return( LOAD_GROUP_A( brainpoolP256r1 ) ); 854 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ 855 856 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 857 case MBEDTLS_ECP_DP_BP384R1: 858 return( LOAD_GROUP_A( brainpoolP384r1 ) ); 859 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ 860 861 #if defined(MBEDTLS_ECP_DP_SM2_ENABLED) 862 case MBEDTLS_ECP_DP_SM2: 863 return( LOAD_GROUP_A( sm2 ) ); 864 #endif /* MBEDTLS_ECP_DP_SM2_ENABLED */ 865 866 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 867 case MBEDTLS_ECP_DP_BP512R1: 868 return( LOAD_GROUP_A( brainpoolP512r1 ) ); 869 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ 870 871 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 872 case MBEDTLS_ECP_DP_CURVE25519: 873 grp->modp = ecp_mod_p255; 874 return( ecp_use_curve25519( grp ) ); 875 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 876 877 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) 878 case MBEDTLS_ECP_DP_CURVE448: 879 grp->modp = ecp_mod_p448; 880 return( ecp_use_curve448( grp ) ); 881 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */ 882 883 default: 884 grp->id = MBEDTLS_ECP_DP_NONE; 885 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); 886 } 887 } 888 889 #if defined(MBEDTLS_ECP_NIST_OPTIM) 890 /* 891 * Fast reduction modulo the primes used by the NIST curves. 892 * 893 * These functions are critical for speed, but not needed for correct 894 * operations. So, we make the choice to heavily rely on the internals of our 895 * bignum library, which creates a tight coupling between these functions and 896 * our MPI implementation. However, the coupling between the ECP module and 897 * MPI remains loose, since these functions can be deactivated at will. 898 */ 899 900 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 901 /* 902 * Compared to the way things are presented in FIPS 186-3 D.2, 903 * we proceed in columns, from right (least significant chunk) to left, 904 * adding chunks to N in place, and keeping a carry for the next chunk. 905 * This avoids moving things around in memory, and uselessly adding zeros, 906 * compared to the more straightforward, line-oriented approach. 907 * 908 * For this prime we need to handle data in chunks of 64 bits. 909 * Since this is always a multiple of our basic mbedtls_mpi_uint, we can 910 * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it. 911 */ 912 913 /* Add 64-bit chunks (dst += src) and update carry */ 914 static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry ) 915 { 916 unsigned char i; 917 mbedtls_mpi_uint c = 0; 918 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ ) 919 { 920 *dst += c; c = ( *dst < c ); 921 *dst += *src; c += ( *dst < *src ); 922 } 923 *carry += c; 924 } 925 926 /* Add carry to a 64-bit chunk and update carry */ 927 static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry ) 928 { 929 unsigned char i; 930 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ ) 931 { 932 *dst += *carry; 933 *carry = ( *dst < *carry ); 934 } 935 } 936 937 #define WIDTH 8 / sizeof( mbedtls_mpi_uint ) 938 #define A( i ) N->p + (i) * WIDTH 939 #define ADD( i ) add64( p, A( i ), &c ) 940 #define NEXT p += WIDTH; carry64( p, &c ) 941 #define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0 942 943 /* 944 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1) 945 */ 946 static int ecp_mod_p192( mbedtls_mpi *N ) 947 { 948 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 949 mbedtls_mpi_uint c = 0; 950 mbedtls_mpi_uint *p, *end; 951 952 /* Make sure we have enough blocks so that A(5) is legal */ 953 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) ); 954 955 p = N->p; 956 end = p + N->n; 957 958 ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5 959 ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5 960 ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5 961 962 cleanup: 963 return( ret ); 964 } 965 966 #undef WIDTH 967 #undef A 968 #undef ADD 969 #undef NEXT 970 #undef LAST 971 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ 972 973 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ 974 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ 975 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 976 /* 977 * The reader is advised to first understand ecp_mod_p192() since the same 978 * general structure is used here, but with additional complications: 979 * (1) chunks of 32 bits, and (2) subtractions. 980 */ 981 982 /* 983 * For these primes, we need to handle data in chunks of 32 bits. 984 * This makes it more complicated if we use 64 bits limbs in MPI, 985 * which prevents us from using a uniform access method as for p192. 986 * 987 * So, we define a mini abstraction layer to access 32 bit chunks, 988 * load them in 'cur' for work, and store them back from 'cur' when done. 989 * 990 * While at it, also define the size of N in terms of 32-bit chunks. 991 */ 992 #define LOAD32 cur = A( i ); 993 994 #if defined(MBEDTLS_HAVE_INT32) /* 32 bit */ 995 996 #define MAX32 N->n 997 #define A( j ) N->p[j] 998 #define STORE32 N->p[i] = cur; 999 1000 #else /* 64-bit */ 1001 1002 #define MAX32 N->n * 2 1003 #define A( j ) (j) % 2 ? (uint32_t)( N->p[(j)/2] >> 32 ) : \ 1004 (uint32_t)( N->p[(j)/2] ) 1005 #define STORE32 \ 1006 if( i % 2 ) { \ 1007 N->p[i/2] &= 0x00000000FFFFFFFF; \ 1008 N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \ 1009 } else { \ 1010 N->p[i/2] &= 0xFFFFFFFF00000000; \ 1011 N->p[i/2] |= (mbedtls_mpi_uint) cur; \ 1012 } 1013 1014 #endif /* sizeof( mbedtls_mpi_uint ) */ 1015 1016 /* 1017 * Helpers for addition and subtraction of chunks, with signed carry. 1018 */ 1019 static inline void add32( uint32_t *dst, uint32_t src, signed char *carry ) 1020 { 1021 *dst += src; 1022 *carry += ( *dst < src ); 1023 } 1024 1025 static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry ) 1026 { 1027 *carry -= ( *dst < src ); 1028 *dst -= src; 1029 } 1030 1031 #define ADD( j ) add32( &cur, A( j ), &c ); 1032 #define SUB( j ) sub32( &cur, A( j ), &c ); 1033 1034 #define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */ 1035 #define biL (ciL << 3) /* bits in limb */ 1036 1037 /* 1038 * Helpers for the main 'loop' 1039 */ 1040 #define INIT( b ) \ 1041 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; \ 1042 signed char c = 0, cc; \ 1043 uint32_t cur; \ 1044 size_t i = 0, bits = (b); \ 1045 /* N is the size of the product of two b-bit numbers, plus one */ \ 1046 /* limb for fix_negative */ \ 1047 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, ( b ) * 2 / biL + 1 ) ); \ 1048 LOAD32; 1049 1050 #define NEXT \ 1051 STORE32; i++; LOAD32; \ 1052 cc = c; c = 0; \ 1053 if( cc < 0 ) \ 1054 sub32( &cur, -cc, &c ); \ 1055 else \ 1056 add32( &cur, cc, &c ); \ 1057 1058 #define LAST \ 1059 STORE32; i++; \ 1060 cur = c > 0 ? c : 0; STORE32; \ 1061 cur = 0; while( ++i < MAX32 ) { STORE32; } \ 1062 if( c < 0 ) mbedtls_ecp_fix_negative( N, c, bits ); 1063 1064 /* 1065 * If the result is negative, we get it in the form 1066 * c * 2^bits + N, with c negative and N positive shorter than 'bits' 1067 */ 1068 MBEDTLS_STATIC_TESTABLE 1069 void mbedtls_ecp_fix_negative( mbedtls_mpi *N, signed char c, size_t bits ) 1070 { 1071 size_t i; 1072 1073 /* Set N := 2^bits - 1 - N. We know that 0 <= N < 2^bits, so 1074 * set the absolute value to 0xfff...fff - N. There is no carry 1075 * since we're subtracting from all-bits-one. */ 1076 for( i = 0; i <= bits / 8 / sizeof( mbedtls_mpi_uint ); i++ ) 1077 { 1078 N->p[i] = ~(mbedtls_mpi_uint)0 - N->p[i]; 1079 } 1080 /* Add 1, taking care of the carry. */ 1081 i = 0; 1082 do 1083 ++N->p[i]; 1084 while( N->p[i++] == 0 && i <= bits / 8 / sizeof( mbedtls_mpi_uint ) ); 1085 /* Invert the sign. 1086 * Now N = N0 - 2^bits where N0 is the initial value of N. */ 1087 N->s = -1; 1088 1089 /* Add |c| * 2^bits to the absolute value. Since c and N are 1090 * negative, this adds c * 2^bits. */ 1091 mbedtls_mpi_uint msw = (mbedtls_mpi_uint) -c; 1092 #if defined(MBEDTLS_HAVE_INT64) 1093 if( bits == 224 ) 1094 msw <<= 32; 1095 #endif 1096 N->p[bits / 8 / sizeof( mbedtls_mpi_uint)] += msw; 1097 } 1098 1099 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 1100 /* 1101 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2) 1102 */ 1103 static int ecp_mod_p224( mbedtls_mpi *N ) 1104 { 1105 INIT( 224 ); 1106 1107 SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11 1108 SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12 1109 SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13 1110 SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11 1111 SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12 1112 SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13 1113 SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10 1114 1115 cleanup: 1116 return( ret ); 1117 } 1118 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ 1119 1120 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 1121 /* 1122 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3) 1123 */ 1124 static int ecp_mod_p256( mbedtls_mpi *N ) 1125 { 1126 INIT( 256 ); 1127 1128 ADD( 8 ); ADD( 9 ); 1129 SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0 1130 1131 ADD( 9 ); ADD( 10 ); 1132 SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1 1133 1134 ADD( 10 ); ADD( 11 ); 1135 SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2 1136 1137 ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 ); 1138 SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3 1139 1140 ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 ); 1141 SUB( 9 ); SUB( 10 ); NEXT; // A4 1142 1143 ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 ); 1144 SUB( 10 ); SUB( 11 ); NEXT; // A5 1145 1146 ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 ); 1147 SUB( 8 ); SUB( 9 ); NEXT; // A6 1148 1149 ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 ); 1150 SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7 1151 1152 cleanup: 1153 return( ret ); 1154 } 1155 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 1156 1157 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 1158 /* 1159 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4) 1160 */ 1161 static int ecp_mod_p384( mbedtls_mpi *N ) 1162 { 1163 INIT( 384 ); 1164 1165 ADD( 12 ); ADD( 21 ); ADD( 20 ); 1166 SUB( 23 ); NEXT; // A0 1167 1168 ADD( 13 ); ADD( 22 ); ADD( 23 ); 1169 SUB( 12 ); SUB( 20 ); NEXT; // A2 1170 1171 ADD( 14 ); ADD( 23 ); 1172 SUB( 13 ); SUB( 21 ); NEXT; // A2 1173 1174 ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 ); 1175 SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3 1176 1177 ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 ); 1178 SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4 1179 1180 ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 ); 1181 SUB( 16 ); NEXT; // A5 1182 1183 ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 ); 1184 SUB( 17 ); NEXT; // A6 1185 1186 ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 ); 1187 SUB( 18 ); NEXT; // A7 1188 1189 ADD( 20 ); ADD( 17 ); ADD( 16 ); 1190 SUB( 19 ); NEXT; // A8 1191 1192 ADD( 21 ); ADD( 18 ); ADD( 17 ); 1193 SUB( 20 ); NEXT; // A9 1194 1195 ADD( 22 ); ADD( 19 ); ADD( 18 ); 1196 SUB( 21 ); NEXT; // A10 1197 1198 ADD( 23 ); ADD( 20 ); ADD( 19 ); 1199 SUB( 22 ); LAST; // A11 1200 1201 cleanup: 1202 return( ret ); 1203 } 1204 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 1205 1206 #undef A 1207 #undef LOAD32 1208 #undef STORE32 1209 #undef MAX32 1210 #undef INIT 1211 #undef NEXT 1212 #undef LAST 1213 1214 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED || 1215 MBEDTLS_ECP_DP_SECP256R1_ENABLED || 1216 MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 1217 1218 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 1219 /* 1220 * Here we have an actual Mersenne prime, so things are more straightforward. 1221 * However, chunks are aligned on a 'weird' boundary (521 bits). 1222 */ 1223 1224 /* Size of p521 in terms of mbedtls_mpi_uint */ 1225 #define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 ) 1226 1227 /* Bits to keep in the most significant mbedtls_mpi_uint */ 1228 #define P521_MASK 0x01FF 1229 1230 /* 1231 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5) 1232 * Write N as A1 + 2^521 A0, return A0 + A1 1233 */ 1234 static int ecp_mod_p521( mbedtls_mpi *N ) 1235 { 1236 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1237 size_t i; 1238 mbedtls_mpi M; 1239 mbedtls_mpi_uint Mp[P521_WIDTH + 1]; 1240 /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits: 1241 * we need to hold bits 513 to 1056, which is 34 limbs, that is 1242 * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */ 1243 1244 if( N->n < P521_WIDTH ) 1245 return( 0 ); 1246 1247 /* M = A1 */ 1248 M.s = 1; 1249 M.n = N->n - ( P521_WIDTH - 1 ); 1250 if( M.n > P521_WIDTH + 1 ) 1251 M.n = P521_WIDTH + 1; 1252 M.p = Mp; 1253 memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) ); 1254 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) ); 1255 1256 /* N = A0 */ 1257 N->p[P521_WIDTH - 1] &= P521_MASK; 1258 for( i = P521_WIDTH; i < N->n; i++ ) 1259 N->p[i] = 0; 1260 1261 /* N = A0 + A1 */ 1262 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 1263 1264 cleanup: 1265 return( ret ); 1266 } 1267 1268 #undef P521_WIDTH 1269 #undef P521_MASK 1270 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 1271 1272 #endif /* MBEDTLS_ECP_NIST_OPTIM */ 1273 1274 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 1275 1276 /* Size of p255 in terms of mbedtls_mpi_uint */ 1277 #define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 ) 1278 1279 /* 1280 * Fast quasi-reduction modulo p255 = 2^255 - 19 1281 * Write N as A0 + 2^255 A1, return A0 + 19 * A1 1282 */ 1283 static int ecp_mod_p255( mbedtls_mpi *N ) 1284 { 1285 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1286 size_t i; 1287 mbedtls_mpi M; 1288 mbedtls_mpi_uint Mp[P255_WIDTH + 2]; 1289 1290 if( N->n < P255_WIDTH ) 1291 return( 0 ); 1292 1293 /* M = A1 */ 1294 M.s = 1; 1295 M.n = N->n - ( P255_WIDTH - 1 ); 1296 if( M.n > P255_WIDTH + 1 ) 1297 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 1298 M.p = Mp; 1299 memset( Mp, 0, sizeof Mp ); 1300 memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) ); 1301 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) ); 1302 M.n++; /* Make room for multiplication by 19 */ 1303 1304 /* N = A0 */ 1305 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) ); 1306 for( i = P255_WIDTH; i < N->n; i++ ) 1307 N->p[i] = 0; 1308 1309 /* N = A0 + 19 * A1 */ 1310 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) ); 1311 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 1312 1313 cleanup: 1314 return( ret ); 1315 } 1316 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ 1317 1318 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) 1319 1320 /* Size of p448 in terms of mbedtls_mpi_uint */ 1321 #define P448_WIDTH ( 448 / 8 / sizeof( mbedtls_mpi_uint ) ) 1322 1323 /* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */ 1324 #define DIV_ROUND_UP( X, Y ) ( ( ( X ) + ( Y ) - 1 ) / ( Y ) ) 1325 #define P224_WIDTH_MIN ( 28 / sizeof( mbedtls_mpi_uint ) ) 1326 #define P224_WIDTH_MAX DIV_ROUND_UP( 28, sizeof( mbedtls_mpi_uint ) ) 1327 #define P224_UNUSED_BITS ( ( P224_WIDTH_MAX * sizeof( mbedtls_mpi_uint ) * 8 ) - 224 ) 1328 1329 /* 1330 * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1 1331 * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return 1332 * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference 1333 * implementation of Curve448, which uses its own special 56-bit limbs rather 1334 * than a generic bignum library. We could squeeze some extra speed out on 1335 * 32-bit machines by splitting N up into 32-bit limbs and doing the 1336 * arithmetic using the limbs directly as we do for the NIST primes above, 1337 * but for 64-bit targets it should use half the number of operations if we do 1338 * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds. 1339 */ 1340 static int ecp_mod_p448( mbedtls_mpi *N ) 1341 { 1342 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1343 size_t i; 1344 mbedtls_mpi M, Q; 1345 mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH]; 1346 1347 if( N->n <= P448_WIDTH ) 1348 return( 0 ); 1349 1350 /* M = A1 */ 1351 M.s = 1; 1352 M.n = N->n - ( P448_WIDTH ); 1353 if( M.n > P448_WIDTH ) 1354 /* Shouldn't be called with N larger than 2^896! */ 1355 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); 1356 M.p = Mp; 1357 memset( Mp, 0, sizeof( Mp ) ); 1358 memcpy( Mp, N->p + P448_WIDTH, M.n * sizeof( mbedtls_mpi_uint ) ); 1359 1360 /* N = A0 */ 1361 for( i = P448_WIDTH; i < N->n; i++ ) 1362 N->p[i] = 0; 1363 1364 /* N += A1 */ 1365 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) ); 1366 1367 /* Q = B1, N += B1 */ 1368 Q = M; 1369 Q.p = Qp; 1370 memcpy( Qp, Mp, sizeof( Qp ) ); 1371 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Q, 224 ) ); 1372 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &Q ) ); 1373 1374 /* M = (B0 + B1) * 2^224, N += M */ 1375 if( sizeof( mbedtls_mpi_uint ) > 4 ) 1376 Mp[P224_WIDTH_MIN] &= ( (mbedtls_mpi_uint)-1 ) >> ( P224_UNUSED_BITS ); 1377 for( i = P224_WIDTH_MAX; i < M.n; ++i ) 1378 Mp[i] = 0; 1379 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M, &M, &Q ) ); 1380 M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */ 1381 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &M, 224 ) ); 1382 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) ); 1383 1384 cleanup: 1385 return( ret ); 1386 } 1387 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */ 1388 1389 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \ 1390 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \ 1391 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 1392 /* 1393 * Fast quasi-reduction modulo P = 2^s - R, 1394 * with R about 33 bits, used by the Koblitz curves. 1395 * 1396 * Write N as A0 + 2^224 A1, return A0 + R * A1. 1397 * Actually do two passes, since R is big. 1398 */ 1399 #define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P 1400 #define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R 1401 static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs, 1402 size_t adjust, size_t shift, mbedtls_mpi_uint mask ) 1403 { 1404 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1405 size_t i; 1406 mbedtls_mpi M, R; 1407 mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1]; 1408 1409 if( N->n < p_limbs ) 1410 return( 0 ); 1411 1412 /* Init R */ 1413 R.s = 1; 1414 R.p = Rp; 1415 R.n = P_KOBLITZ_R; 1416 1417 /* Common setup for M */ 1418 M.s = 1; 1419 M.p = Mp; 1420 1421 /* M = A1 */ 1422 M.n = N->n - ( p_limbs - adjust ); 1423 if( M.n > p_limbs + adjust ) 1424 M.n = p_limbs + adjust; 1425 memset( Mp, 0, sizeof Mp ); 1426 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) ); 1427 if( shift != 0 ) 1428 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) ); 1429 M.n += R.n; /* Make room for multiplication by R */ 1430 1431 /* N = A0 */ 1432 if( mask != 0 ) 1433 N->p[p_limbs - 1] &= mask; 1434 for( i = p_limbs; i < N->n; i++ ) 1435 N->p[i] = 0; 1436 1437 /* N = A0 + R * A1 */ 1438 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) ); 1439 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 1440 1441 /* Second pass */ 1442 1443 /* M = A1 */ 1444 M.n = N->n - ( p_limbs - adjust ); 1445 if( M.n > p_limbs + adjust ) 1446 M.n = p_limbs + adjust; 1447 memset( Mp, 0, sizeof Mp ); 1448 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) ); 1449 if( shift != 0 ) 1450 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) ); 1451 M.n += R.n; /* Make room for multiplication by R */ 1452 1453 /* N = A0 */ 1454 if( mask != 0 ) 1455 N->p[p_limbs - 1] &= mask; 1456 for( i = p_limbs; i < N->n; i++ ) 1457 N->p[i] = 0; 1458 1459 /* N = A0 + R * A1 */ 1460 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) ); 1461 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) ); 1462 1463 cleanup: 1464 return( ret ); 1465 } 1466 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) || 1467 MBEDTLS_ECP_DP_SECP224K1_ENABLED) || 1468 MBEDTLS_ECP_DP_SECP256K1_ENABLED) */ 1469 1470 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 1471 /* 1472 * Fast quasi-reduction modulo p192k1 = 2^192 - R, 1473 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119 1474 */ 1475 static int ecp_mod_p192k1( mbedtls_mpi *N ) 1476 { 1477 static mbedtls_mpi_uint Rp[] = { 1478 MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 1479 0x00 ) }; 1480 1481 return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 1482 0 ) ); 1483 } 1484 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ 1485 1486 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 1487 /* 1488 * Fast quasi-reduction modulo p224k1 = 2^224 - R, 1489 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93 1490 */ 1491 static int ecp_mod_p224k1( mbedtls_mpi *N ) 1492 { 1493 static mbedtls_mpi_uint Rp[] = { 1494 MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 1495 0x00 ) }; 1496 1497 #if defined(MBEDTLS_HAVE_INT64) 1498 return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) ); 1499 #else 1500 return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 1501 0 ) ); 1502 #endif 1503 } 1504 1505 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ 1506 1507 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 1508 /* 1509 * Fast quasi-reduction modulo p256k1 = 2^256 - R, 1510 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1 1511 */ 1512 static int ecp_mod_p256k1( mbedtls_mpi *N ) 1513 { 1514 static mbedtls_mpi_uint Rp[] = { 1515 MBEDTLS_BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 1516 0x00 ) }; 1517 return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 1518 0 ) ); 1519 } 1520 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ 1521 1522 #endif /* !MBEDTLS_ECP_ALT */ 1523 1524 #endif /* MBEDTLS_ECP_C */ 1525