1 /*
2 * Elliptic curves over GF(p): curve-specific data and functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46
47 #if !defined(MBEDTLS_CONFIG_FILE)
48 #include "mbedtls/config.h"
49 #else
50 #include MBEDTLS_CONFIG_FILE
51 #endif
52
53 #if defined(MBEDTLS_ECP_C)
54
55 #include "mbedtls/ecp.h"
56 #include "mbedtls/platform_util.h"
57 #include "mbedtls/bn_mul.h"
58
59 #include <string.h>
60
61 #if !defined(MBEDTLS_ECP_ALT)
62
63 /* Parameter validation macros based on platform_util.h */
64 #define ECP_VALIDATE_RET( cond ) \
65 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
66 #define ECP_VALIDATE( cond ) \
67 MBEDTLS_INTERNAL_VALIDATE( cond )
68
69 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
70 !defined(inline) && !defined(__cplusplus)
71 #define inline __inline
72 #endif
73
74 #define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)}
75
76 #define ECP_MPI_INIT_ARRAY(x) \
77 ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
78
79 /*
80 * Note: the constants are in little-endian order
81 * to be directly usable in MPIs
82 */
83
84 /*
85 * Domain parameters for secp192r1
86 */
87 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
88 static const mbedtls_mpi_uint secp192r1_p[] = {
89 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
90 MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
91 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
92 };
93 static const mbedtls_mpi_uint secp192r1_b[] = {
94 MBEDTLS_BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
95 MBEDTLS_BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
96 MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
97 };
98 static const mbedtls_mpi_uint secp192r1_gx[] = {
99 MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
100 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
101 MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
102 };
103 static const mbedtls_mpi_uint secp192r1_gy[] = {
104 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
105 MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
106 MBEDTLS_BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
107 };
108 static const mbedtls_mpi_uint secp192r1_n[] = {
109 MBEDTLS_BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
110 MBEDTLS_BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
111 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
112 };
113 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
114
115 /*
116 * Domain parameters for secp224r1
117 */
118 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
119 static const mbedtls_mpi_uint secp224r1_p[] = {
120 MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
121 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
122 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
123 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
124 };
125 static const mbedtls_mpi_uint secp224r1_b[] = {
126 MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
127 MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
128 MBEDTLS_BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
129 MBEDTLS_BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
130 };
131 static const mbedtls_mpi_uint secp224r1_gx[] = {
132 MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
133 MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
134 MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
135 MBEDTLS_BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
136 };
137 static const mbedtls_mpi_uint secp224r1_gy[] = {
138 MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
139 MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
140 MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
141 MBEDTLS_BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
142 };
143 static const mbedtls_mpi_uint secp224r1_n[] = {
144 MBEDTLS_BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
145 MBEDTLS_BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
146 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
147 MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
148 };
149 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
150
151 /*
152 * Domain parameters for secp256r1
153 */
154 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
155 static const mbedtls_mpi_uint secp256r1_p[] = {
156 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
157 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
158 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
159 MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
160 };
161 static const mbedtls_mpi_uint secp256r1_b[] = {
162 MBEDTLS_BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
163 MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
164 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
165 MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
166 };
167 static const mbedtls_mpi_uint secp256r1_gx[] = {
168 MBEDTLS_BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
169 MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
170 MBEDTLS_BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
171 MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
172 };
173 static const mbedtls_mpi_uint secp256r1_gy[] = {
174 MBEDTLS_BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
175 MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
176 MBEDTLS_BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
177 MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
178 };
179 static const mbedtls_mpi_uint secp256r1_n[] = {
180 MBEDTLS_BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
181 MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
182 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
183 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
184 };
185 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
186
187 /*
188 * Domain parameters for secp384r1
189 */
190 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
191 static const mbedtls_mpi_uint secp384r1_p[] = {
192 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
193 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
194 MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
195 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
196 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
197 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
198 };
199 static const mbedtls_mpi_uint secp384r1_b[] = {
200 MBEDTLS_BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
201 MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
202 MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
203 MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
204 MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
205 MBEDTLS_BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
206 };
207 static const mbedtls_mpi_uint secp384r1_gx[] = {
208 MBEDTLS_BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
209 MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
210 MBEDTLS_BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
211 MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
212 MBEDTLS_BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
213 MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
214 };
215 static const mbedtls_mpi_uint secp384r1_gy[] = {
216 MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
217 MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
218 MBEDTLS_BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
219 MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
220 MBEDTLS_BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
221 MBEDTLS_BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
222 };
223 static const mbedtls_mpi_uint secp384r1_n[] = {
224 MBEDTLS_BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
225 MBEDTLS_BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
226 MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
227 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
228 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
229 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
230 };
231 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
232
233 /*
234 * Domain parameters for secp521r1
235 */
236 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
237 static const mbedtls_mpi_uint secp521r1_p[] = {
238 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
239 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
240 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
241 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
242 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
243 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
244 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
245 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
246 MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
247 };
248 static const mbedtls_mpi_uint secp521r1_b[] = {
249 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
250 MBEDTLS_BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
251 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
252 MBEDTLS_BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
253 MBEDTLS_BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
254 MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
255 MBEDTLS_BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
256 MBEDTLS_BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
257 MBEDTLS_BYTES_TO_T_UINT_2( 0x51, 0x00 ),
258 };
259 static const mbedtls_mpi_uint secp521r1_gx[] = {
260 MBEDTLS_BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
261 MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
262 MBEDTLS_BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
263 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
264 MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
265 MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
266 MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
267 MBEDTLS_BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
268 MBEDTLS_BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
269 };
270 static const mbedtls_mpi_uint secp521r1_gy[] = {
271 MBEDTLS_BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
272 MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
273 MBEDTLS_BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
274 MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
275 MBEDTLS_BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
276 MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
277 MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
278 MBEDTLS_BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
279 MBEDTLS_BYTES_TO_T_UINT_2( 0x18, 0x01 ),
280 };
281 static const mbedtls_mpi_uint secp521r1_n[] = {
282 MBEDTLS_BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
283 MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
284 MBEDTLS_BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
285 MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
286 MBEDTLS_BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
287 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
288 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
289 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
290 MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
291 };
292 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
293
294 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
295 static const mbedtls_mpi_uint secp192k1_p[] = {
296 MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
297 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
298 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
299 };
300 static const mbedtls_mpi_uint secp192k1_a[] = {
301 MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
302 };
303 static const mbedtls_mpi_uint secp192k1_b[] = {
304 MBEDTLS_BYTES_TO_T_UINT_2( 0x03, 0x00 ),
305 };
306 static const mbedtls_mpi_uint secp192k1_gx[] = {
307 MBEDTLS_BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
308 MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
309 MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
310 };
311 static const mbedtls_mpi_uint secp192k1_gy[] = {
312 MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
313 MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
314 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
315 };
316 static const mbedtls_mpi_uint secp192k1_n[] = {
317 MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
318 MBEDTLS_BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
319 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
320 };
321 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
322
323 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
324 static const mbedtls_mpi_uint secp224k1_p[] = {
325 MBEDTLS_BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
326 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
327 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
328 MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
329 };
330 static const mbedtls_mpi_uint secp224k1_a[] = {
331 MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
332 };
333 static const mbedtls_mpi_uint secp224k1_b[] = {
334 MBEDTLS_BYTES_TO_T_UINT_2( 0x05, 0x00 ),
335 };
336 static const mbedtls_mpi_uint secp224k1_gx[] = {
337 MBEDTLS_BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
338 MBEDTLS_BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
339 MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
340 MBEDTLS_BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
341 };
342 static const mbedtls_mpi_uint secp224k1_gy[] = {
343 MBEDTLS_BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
344 MBEDTLS_BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
345 MBEDTLS_BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
346 MBEDTLS_BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
347 };
348 static const mbedtls_mpi_uint secp224k1_n[] = {
349 MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
350 MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
351 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
352 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
353 };
354 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
355
356 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
357 static const mbedtls_mpi_uint secp256k1_p[] = {
358 MBEDTLS_BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
359 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
360 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
361 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
362 };
363 static const mbedtls_mpi_uint secp256k1_a[] = {
364 MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
365 };
366 static const mbedtls_mpi_uint secp256k1_b[] = {
367 MBEDTLS_BYTES_TO_T_UINT_2( 0x07, 0x00 ),
368 };
369 static const mbedtls_mpi_uint secp256k1_gx[] = {
370 MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
371 MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
372 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
373 MBEDTLS_BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
374 };
375 static const mbedtls_mpi_uint secp256k1_gy[] = {
376 MBEDTLS_BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
377 MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
378 MBEDTLS_BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
379 MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
380 };
381 static const mbedtls_mpi_uint secp256k1_n[] = {
382 MBEDTLS_BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
383 MBEDTLS_BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
384 MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
385 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
386 };
387 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
388
389 /*
390 * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
391 */
392 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
393 static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
394 MBEDTLS_BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
395 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
396 MBEDTLS_BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
397 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
398 };
399 static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
400 MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
401 MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
402 MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
403 MBEDTLS_BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
404 };
405 static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
406 MBEDTLS_BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
407 MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
408 MBEDTLS_BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
409 MBEDTLS_BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
410 };
411 static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
412 MBEDTLS_BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
413 MBEDTLS_BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
414 MBEDTLS_BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
415 MBEDTLS_BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
416 };
417 static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
418 MBEDTLS_BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
419 MBEDTLS_BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
420 MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
421 MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
422 };
423 static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
424 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
425 MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
426 MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
427 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
428 };
429 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
430
431 /*
432 * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
433 */
434 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
435 static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
436 MBEDTLS_BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
437 MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
438 MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
439 MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
440 MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
441 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
442 };
443 static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
444 MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
445 MBEDTLS_BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
446 MBEDTLS_BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
447 MBEDTLS_BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
448 MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
449 MBEDTLS_BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
450 };
451 static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
452 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
453 MBEDTLS_BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
454 MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
455 MBEDTLS_BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
456 MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
457 MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
458 };
459 static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
460 MBEDTLS_BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
461 MBEDTLS_BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
462 MBEDTLS_BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
463 MBEDTLS_BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
464 MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
465 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
466 };
467 static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
468 MBEDTLS_BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
469 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
470 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
471 MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
472 MBEDTLS_BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
473 MBEDTLS_BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
474 };
475 static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
476 MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
477 MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
478 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
479 MBEDTLS_BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
480 MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
481 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
482 };
483 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
484
485 /*
486 * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
487 */
488 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
489 static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
490 MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
491 MBEDTLS_BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
492 MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
493 MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
494 MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
495 MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
496 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
497 MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
498 };
499 static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
500 MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
501 MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
502 MBEDTLS_BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
503 MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
504 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
505 MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
506 MBEDTLS_BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
507 MBEDTLS_BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
508 };
509 static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
510 MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
511 MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
512 MBEDTLS_BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
513 MBEDTLS_BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
514 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
515 MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
516 MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
517 MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
518 };
519 static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
520 MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
521 MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
522 MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
523 MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
524 MBEDTLS_BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
525 MBEDTLS_BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
526 MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
527 MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
528 };
529 static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
530 MBEDTLS_BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
531 MBEDTLS_BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
532 MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
533 MBEDTLS_BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
534 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
535 MBEDTLS_BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
536 MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
537 MBEDTLS_BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
538 };
539 static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
540 MBEDTLS_BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
541 MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
542 MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
543 MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
544 MBEDTLS_BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
545 MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
546 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
547 MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
548 };
549 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
550
551 /*
552 * Create an MPI from embedded constants
553 * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
554 */
ecp_mpi_load(mbedtls_mpi * X,const mbedtls_mpi_uint * p,size_t len)555 static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len )
556 {
557 X->s = 1;
558 X->n = len / sizeof( mbedtls_mpi_uint );
559 X->p = (mbedtls_mpi_uint *) p;
560 }
561
562 /*
563 * Set an MPI to static value 1
564 */
ecp_mpi_set1(mbedtls_mpi * X)565 static inline void ecp_mpi_set1( mbedtls_mpi *X )
566 {
567 static mbedtls_mpi_uint one[] = { 1 };
568 X->s = 1;
569 X->n = 1;
570 X->p = one;
571 }
572
573 /*
574 * Make group available from embedded constants
575 */
ecp_group_load(mbedtls_ecp_group * grp,const mbedtls_mpi_uint * p,size_t plen,const mbedtls_mpi_uint * a,size_t alen,const mbedtls_mpi_uint * b,size_t blen,const mbedtls_mpi_uint * gx,size_t gxlen,const mbedtls_mpi_uint * gy,size_t gylen,const mbedtls_mpi_uint * n,size_t nlen)576 static int ecp_group_load( mbedtls_ecp_group *grp,
577 const mbedtls_mpi_uint *p, size_t plen,
578 const mbedtls_mpi_uint *a, size_t alen,
579 const mbedtls_mpi_uint *b, size_t blen,
580 const mbedtls_mpi_uint *gx, size_t gxlen,
581 const mbedtls_mpi_uint *gy, size_t gylen,
582 const mbedtls_mpi_uint *n, size_t nlen)
583 {
584 ecp_mpi_load( &grp->P, p, plen );
585 if( a != NULL )
586 ecp_mpi_load( &grp->A, a, alen );
587 ecp_mpi_load( &grp->B, b, blen );
588 ecp_mpi_load( &grp->N, n, nlen );
589
590 ecp_mpi_load( &grp->G.X, gx, gxlen );
591 ecp_mpi_load( &grp->G.Y, gy, gylen );
592 ecp_mpi_set1( &grp->G.Z );
593
594 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
595 grp->nbits = mbedtls_mpi_bitlen( &grp->N );
596
597 grp->h = 1;
598
599 return( 0 );
600 }
601
602 #if defined(MBEDTLS_ECP_NIST_OPTIM)
603 /* Forward declarations */
604 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
605 static int ecp_mod_p192( mbedtls_mpi * );
606 #endif
607 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
608 static int ecp_mod_p224( mbedtls_mpi * );
609 #endif
610 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
611 static int ecp_mod_p256( mbedtls_mpi * );
612 #endif
613 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
614 static int ecp_mod_p384( mbedtls_mpi * );
615 #endif
616 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
617 static int ecp_mod_p521( mbedtls_mpi * );
618 #endif
619
620 #define NIST_MODP( P ) grp->modp = ecp_mod_ ## P;
621 #else
622 #define NIST_MODP( P )
623 #endif /* MBEDTLS_ECP_NIST_OPTIM */
624
625 /* Additional forward declarations */
626 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
627 static int ecp_mod_p255( mbedtls_mpi * );
628 #endif
629 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
630 static int ecp_mod_p448( mbedtls_mpi * );
631 #endif
632 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
633 static int ecp_mod_p192k1( mbedtls_mpi * );
634 #endif
635 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
636 static int ecp_mod_p224k1( mbedtls_mpi * );
637 #endif
638 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
639 static int ecp_mod_p256k1( mbedtls_mpi * );
640 #endif
641
642 #define LOAD_GROUP_A( G ) ecp_group_load( grp, \
643 G ## _p, sizeof( G ## _p ), \
644 G ## _a, sizeof( G ## _a ), \
645 G ## _b, sizeof( G ## _b ), \
646 G ## _gx, sizeof( G ## _gx ), \
647 G ## _gy, sizeof( G ## _gy ), \
648 G ## _n, sizeof( G ## _n ) )
649
650 #define LOAD_GROUP( G ) ecp_group_load( grp, \
651 G ## _p, sizeof( G ## _p ), \
652 NULL, 0, \
653 G ## _b, sizeof( G ## _b ), \
654 G ## _gx, sizeof( G ## _gx ), \
655 G ## _gy, sizeof( G ## _gy ), \
656 G ## _n, sizeof( G ## _n ) )
657
658 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
659 /* Constants used by ecp_use_curve25519() */
660 static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
661 static const unsigned char curve25519_part_of_n[] = {
662 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
663 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED,
664 };
665
666 /*
667 * Specialized function for creating the Curve25519 group
668 */
ecp_use_curve25519(mbedtls_ecp_group * grp)669 static int ecp_use_curve25519( mbedtls_ecp_group *grp )
670 {
671 int ret;
672
673 /* Actually ( A + 2 ) / 4 */
674 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve25519_a24 ) );
675
676 /* P = 2^255 - 19 */
677 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
678 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 255 ) );
679 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) );
680 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
681
682 /* N = 2^252 + 27742317777372353535851937790883648493 */
683 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &grp->N,
684 curve25519_part_of_n, sizeof( curve25519_part_of_n ) ) );
685 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) );
686
687 /* Y intentionally not set, since we use x/z coordinates.
688 * This is used as a marker to identify Montgomery curves! */
689 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) );
690 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
691 mbedtls_mpi_free( &grp->G.Y );
692
693 /* Actually, the required msb for private keys */
694 grp->nbits = 254;
695
696 cleanup:
697 if( ret != 0 )
698 mbedtls_ecp_group_free( grp );
699
700 return( ret );
701 }
702 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
703
704 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
705 /* Constants used by ecp_use_curve448() */
706 static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
707 static const unsigned char curve448_part_of_n[] = {
708 0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24,
709 0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93,
710 0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC,
711 0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D,
712 };
713
714 /*
715 * Specialized function for creating the Curve448 group
716 */
ecp_use_curve448(mbedtls_ecp_group * grp)717 static int ecp_use_curve448( mbedtls_ecp_group *grp )
718 {
719 mbedtls_mpi Ns;
720 int ret;
721
722 mbedtls_mpi_init( &Ns );
723
724 /* Actually ( A + 2 ) / 4 */
725 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve448_a24 ) );
726
727 /* P = 2^448 - 2^224 - 1 */
728 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
729 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
730 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
731 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
732 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
733 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
734
735 /* Y intentionally not set, since we use x/z coordinates.
736 * This is used as a marker to identify Montgomery curves! */
737 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 5 ) );
738 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
739 mbedtls_mpi_free( &grp->G.Y );
740
741 /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
742 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
743 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &Ns,
744 curve448_part_of_n, sizeof( curve448_part_of_n ) ) );
745 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) );
746
747 /* Actually, the required msb for private keys */
748 grp->nbits = 447;
749
750 cleanup:
751 mbedtls_mpi_free( &Ns );
752 if( ret != 0 )
753 mbedtls_ecp_group_free( grp );
754
755 return( ret );
756 }
757 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
758
759 /*
760 * Set a group using well-known domain parameters
761 */
mbedtls_ecp_group_load(mbedtls_ecp_group * grp,mbedtls_ecp_group_id id)762 int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
763 {
764 ECP_VALIDATE_RET( grp != NULL );
765 mbedtls_ecp_group_free( grp );
766
767 grp->id = id;
768
769 switch( id )
770 {
771 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
772 case MBEDTLS_ECP_DP_SECP192R1:
773 NIST_MODP( p192 );
774 return( LOAD_GROUP( secp192r1 ) );
775 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
776
777 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
778 case MBEDTLS_ECP_DP_SECP224R1:
779 NIST_MODP( p224 );
780 return( LOAD_GROUP( secp224r1 ) );
781 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
782
783 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
784 case MBEDTLS_ECP_DP_SECP256R1:
785 NIST_MODP( p256 );
786 return( LOAD_GROUP( secp256r1 ) );
787 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
788
789 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
790 case MBEDTLS_ECP_DP_SECP384R1:
791 NIST_MODP( p384 );
792 return( LOAD_GROUP( secp384r1 ) );
793 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
794
795 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
796 case MBEDTLS_ECP_DP_SECP521R1:
797 NIST_MODP( p521 );
798 return( LOAD_GROUP( secp521r1 ) );
799 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
800
801 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
802 case MBEDTLS_ECP_DP_SECP192K1:
803 grp->modp = ecp_mod_p192k1;
804 return( LOAD_GROUP_A( secp192k1 ) );
805 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
806
807 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
808 case MBEDTLS_ECP_DP_SECP224K1:
809 grp->modp = ecp_mod_p224k1;
810 return( LOAD_GROUP_A( secp224k1 ) );
811 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
812
813 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
814 case MBEDTLS_ECP_DP_SECP256K1:
815 grp->modp = ecp_mod_p256k1;
816 return( LOAD_GROUP_A( secp256k1 ) );
817 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
818
819 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
820 case MBEDTLS_ECP_DP_BP256R1:
821 return( LOAD_GROUP_A( brainpoolP256r1 ) );
822 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
823
824 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
825 case MBEDTLS_ECP_DP_BP384R1:
826 return( LOAD_GROUP_A( brainpoolP384r1 ) );
827 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
828
829 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
830 case MBEDTLS_ECP_DP_BP512R1:
831 return( LOAD_GROUP_A( brainpoolP512r1 ) );
832 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
833
834 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
835 case MBEDTLS_ECP_DP_CURVE25519:
836 grp->modp = ecp_mod_p255;
837 return( ecp_use_curve25519( grp ) );
838 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
839
840 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
841 case MBEDTLS_ECP_DP_CURVE448:
842 grp->modp = ecp_mod_p448;
843 return( ecp_use_curve448( grp ) );
844 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
845
846 default:
847 mbedtls_ecp_group_free( grp );
848 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
849 }
850 }
851
852 #if defined(MBEDTLS_ECP_NIST_OPTIM)
853 /*
854 * Fast reduction modulo the primes used by the NIST curves.
855 *
856 * These functions are critical for speed, but not needed for correct
857 * operations. So, we make the choice to heavily rely on the internals of our
858 * bignum library, which creates a tight coupling between these functions and
859 * our MPI implementation. However, the coupling between the ECP module and
860 * MPI remains loose, since these functions can be deactivated at will.
861 */
862
863 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
864 /*
865 * Compared to the way things are presented in FIPS 186-3 D.2,
866 * we proceed in columns, from right (least significant chunk) to left,
867 * adding chunks to N in place, and keeping a carry for the next chunk.
868 * This avoids moving things around in memory, and uselessly adding zeros,
869 * compared to the more straightforward, line-oriented approach.
870 *
871 * For this prime we need to handle data in chunks of 64 bits.
872 * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
873 * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
874 */
875
876 /* Add 64-bit chunks (dst += src) and update carry */
add64(mbedtls_mpi_uint * dst,mbedtls_mpi_uint * src,mbedtls_mpi_uint * carry)877 static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry )
878 {
879 unsigned char i;
880 mbedtls_mpi_uint c = 0;
881 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ )
882 {
883 *dst += c; c = ( *dst < c );
884 *dst += *src; c += ( *dst < *src );
885 }
886 *carry += c;
887 }
888
889 /* Add carry to a 64-bit chunk and update carry */
carry64(mbedtls_mpi_uint * dst,mbedtls_mpi_uint * carry)890 static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry )
891 {
892 unsigned char i;
893 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ )
894 {
895 *dst += *carry;
896 *carry = ( *dst < *carry );
897 }
898 }
899
900 #define WIDTH 8 / sizeof( mbedtls_mpi_uint )
901 #define A( i ) N->p + (i) * WIDTH
902 #define ADD( i ) add64( p, A( i ), &c )
903 #define NEXT p += WIDTH; carry64( p, &c )
904 #define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0
905
906 /*
907 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
908 */
ecp_mod_p192(mbedtls_mpi * N)909 static int ecp_mod_p192( mbedtls_mpi *N )
910 {
911 int ret;
912 mbedtls_mpi_uint c = 0;
913 mbedtls_mpi_uint *p, *end;
914
915 /* Make sure we have enough blocks so that A(5) is legal */
916 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) );
917
918 p = N->p;
919 end = p + N->n;
920
921 ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5
922 ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5
923 ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5
924
925 cleanup:
926 return( ret );
927 }
928
929 #undef WIDTH
930 #undef A
931 #undef ADD
932 #undef NEXT
933 #undef LAST
934 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
935
936 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
937 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
938 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
939 /*
940 * The reader is advised to first understand ecp_mod_p192() since the same
941 * general structure is used here, but with additional complications:
942 * (1) chunks of 32 bits, and (2) subtractions.
943 */
944
945 /*
946 * For these primes, we need to handle data in chunks of 32 bits.
947 * This makes it more complicated if we use 64 bits limbs in MPI,
948 * which prevents us from using a uniform access method as for p192.
949 *
950 * So, we define a mini abstraction layer to access 32 bit chunks,
951 * load them in 'cur' for work, and store them back from 'cur' when done.
952 *
953 * While at it, also define the size of N in terms of 32-bit chunks.
954 */
955 #define LOAD32 cur = A( i );
956
957 #if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
958
959 #define MAX32 N->n
960 #define A( j ) N->p[j]
961 #define STORE32 N->p[i] = cur;
962
963 #else /* 64-bit */
964
965 #define MAX32 N->n * 2
966 #define A( j ) (j) % 2 ? (uint32_t)( N->p[(j)/2] >> 32 ) : \
967 (uint32_t)( N->p[(j)/2] )
968 #define STORE32 \
969 if( i % 2 ) { \
970 N->p[i/2] &= 0x00000000FFFFFFFF; \
971 N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \
972 } else { \
973 N->p[i/2] &= 0xFFFFFFFF00000000; \
974 N->p[i/2] |= (mbedtls_mpi_uint) cur; \
975 }
976
977 #endif /* sizeof( mbedtls_mpi_uint ) */
978
979 /*
980 * Helpers for addition and subtraction of chunks, with signed carry.
981 */
add32(uint32_t * dst,uint32_t src,signed char * carry)982 static inline void add32( uint32_t *dst, uint32_t src, signed char *carry )
983 {
984 *dst += src;
985 *carry += ( *dst < src );
986 }
987
sub32(uint32_t * dst,uint32_t src,signed char * carry)988 static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
989 {
990 *carry -= ( *dst < src );
991 *dst -= src;
992 }
993
994 #define ADD( j ) add32( &cur, A( j ), &c );
995 #define SUB( j ) sub32( &cur, A( j ), &c );
996
997 /*
998 * Helpers for the main 'loop'
999 * (see fix_negative for the motivation of C)
1000 */
1001 #define INIT( b ) \
1002 int ret; \
1003 signed char c = 0, cc; \
1004 uint32_t cur; \
1005 size_t i = 0, bits = (b); \
1006 mbedtls_mpi C; \
1007 mbedtls_mpi_uint Cp[ (b) / 8 / sizeof( mbedtls_mpi_uint) + 1 ]; \
1008 \
1009 C.s = 1; \
1010 C.n = (b) / 8 / sizeof( mbedtls_mpi_uint) + 1; \
1011 C.p = Cp; \
1012 memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) ); \
1013 \
1014 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, (b) * 2 / 8 / \
1015 sizeof( mbedtls_mpi_uint ) ) ); \
1016 LOAD32;
1017
1018 #define NEXT \
1019 STORE32; i++; LOAD32; \
1020 cc = c; c = 0; \
1021 if( cc < 0 ) \
1022 sub32( &cur, -cc, &c ); \
1023 else \
1024 add32( &cur, cc, &c ); \
1025
1026 #define LAST \
1027 STORE32; i++; \
1028 cur = c > 0 ? c : 0; STORE32; \
1029 cur = 0; while( ++i < MAX32 ) { STORE32; } \
1030 if( c < 0 ) MBEDTLS_MPI_CHK( fix_negative( N, c, &C, bits ) );
1031
1032 /*
1033 * If the result is negative, we get it in the form
1034 * c * 2^bits + N, with c negative and N positive shorter than 'bits'
1035 */
fix_negative(mbedtls_mpi * N,signed char c,mbedtls_mpi * C,size_t bits)1036 static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits )
1037 {
1038 int ret;
1039
1040 /* C = - c * 2^bits */
1041 #if !defined(MBEDTLS_HAVE_INT64)
1042 ((void) bits);
1043 #else
1044 if( bits == 224 )
1045 C->p[ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32;
1046 else
1047 #endif
1048 C->p[ C->n - 1 ] = (mbedtls_mpi_uint) -c;
1049
1050 /* N = - ( C - N ) */
1051 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) );
1052 N->s = -1;
1053
1054 cleanup:
1055
1056 return( ret );
1057 }
1058
1059 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
1060 /*
1061 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
1062 */
ecp_mod_p224(mbedtls_mpi * N)1063 static int ecp_mod_p224( mbedtls_mpi *N )
1064 {
1065 INIT( 224 );
1066
1067 SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11
1068 SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12
1069 SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13
1070 SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11
1071 SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12
1072 SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13
1073 SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10
1074
1075 cleanup:
1076 return( ret );
1077 }
1078 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
1079
1080 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
1081 /*
1082 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
1083 */
ecp_mod_p256(mbedtls_mpi * N)1084 static int ecp_mod_p256( mbedtls_mpi *N )
1085 {
1086 INIT( 256 );
1087
1088 ADD( 8 ); ADD( 9 );
1089 SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0
1090
1091 ADD( 9 ); ADD( 10 );
1092 SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1
1093
1094 ADD( 10 ); ADD( 11 );
1095 SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2
1096
1097 ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
1098 SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3
1099
1100 ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
1101 SUB( 9 ); SUB( 10 ); NEXT; // A4
1102
1103 ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
1104 SUB( 10 ); SUB( 11 ); NEXT; // A5
1105
1106 ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
1107 SUB( 8 ); SUB( 9 ); NEXT; // A6
1108
1109 ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
1110 SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7
1111
1112 cleanup:
1113 return( ret );
1114 }
1115 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
1116
1117 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
1118 /*
1119 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
1120 */
ecp_mod_p384(mbedtls_mpi * N)1121 static int ecp_mod_p384( mbedtls_mpi *N )
1122 {
1123 INIT( 384 );
1124
1125 ADD( 12 ); ADD( 21 ); ADD( 20 );
1126 SUB( 23 ); NEXT; // A0
1127
1128 ADD( 13 ); ADD( 22 ); ADD( 23 );
1129 SUB( 12 ); SUB( 20 ); NEXT; // A2
1130
1131 ADD( 14 ); ADD( 23 );
1132 SUB( 13 ); SUB( 21 ); NEXT; // A2
1133
1134 ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
1135 SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3
1136
1137 ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
1138 SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4
1139
1140 ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
1141 SUB( 16 ); NEXT; // A5
1142
1143 ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
1144 SUB( 17 ); NEXT; // A6
1145
1146 ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
1147 SUB( 18 ); NEXT; // A7
1148
1149 ADD( 20 ); ADD( 17 ); ADD( 16 );
1150 SUB( 19 ); NEXT; // A8
1151
1152 ADD( 21 ); ADD( 18 ); ADD( 17 );
1153 SUB( 20 ); NEXT; // A9
1154
1155 ADD( 22 ); ADD( 19 ); ADD( 18 );
1156 SUB( 21 ); NEXT; // A10
1157
1158 ADD( 23 ); ADD( 20 ); ADD( 19 );
1159 SUB( 22 ); LAST; // A11
1160
1161 cleanup:
1162 return( ret );
1163 }
1164 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
1165
1166 #undef A
1167 #undef LOAD32
1168 #undef STORE32
1169 #undef MAX32
1170 #undef INIT
1171 #undef NEXT
1172 #undef LAST
1173
1174 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
1175 MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
1176 MBEDTLS_ECP_DP_SECP384R1_ENABLED */
1177
1178 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
1179 /*
1180 * Here we have an actual Mersenne prime, so things are more straightforward.
1181 * However, chunks are aligned on a 'weird' boundary (521 bits).
1182 */
1183
1184 /* Size of p521 in terms of mbedtls_mpi_uint */
1185 #define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
1186
1187 /* Bits to keep in the most significant mbedtls_mpi_uint */
1188 #define P521_MASK 0x01FF
1189
1190 /*
1191 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
1192 * Write N as A1 + 2^521 A0, return A0 + A1
1193 */
ecp_mod_p521(mbedtls_mpi * N)1194 static int ecp_mod_p521( mbedtls_mpi *N )
1195 {
1196 int ret;
1197 size_t i;
1198 mbedtls_mpi M;
1199 mbedtls_mpi_uint Mp[P521_WIDTH + 1];
1200 /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
1201 * we need to hold bits 513 to 1056, which is 34 limbs, that is
1202 * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
1203
1204 if( N->n < P521_WIDTH )
1205 return( 0 );
1206
1207 /* M = A1 */
1208 M.s = 1;
1209 M.n = N->n - ( P521_WIDTH - 1 );
1210 if( M.n > P521_WIDTH + 1 )
1211 M.n = P521_WIDTH + 1;
1212 M.p = Mp;
1213 memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
1214 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
1215
1216 /* N = A0 */
1217 N->p[P521_WIDTH - 1] &= P521_MASK;
1218 for( i = P521_WIDTH; i < N->n; i++ )
1219 N->p[i] = 0;
1220
1221 /* N = A0 + A1 */
1222 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1223
1224 cleanup:
1225 return( ret );
1226 }
1227
1228 #undef P521_WIDTH
1229 #undef P521_MASK
1230 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
1231
1232 #endif /* MBEDTLS_ECP_NIST_OPTIM */
1233
1234 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
1235
1236 /* Size of p255 in terms of mbedtls_mpi_uint */
1237 #define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
1238
1239 /*
1240 * Fast quasi-reduction modulo p255 = 2^255 - 19
1241 * Write N as A0 + 2^255 A1, return A0 + 19 * A1
1242 */
ecp_mod_p255(mbedtls_mpi * N)1243 static int ecp_mod_p255( mbedtls_mpi *N )
1244 {
1245 int ret;
1246 size_t i;
1247 mbedtls_mpi M;
1248 mbedtls_mpi_uint Mp[P255_WIDTH + 2];
1249
1250 if( N->n < P255_WIDTH )
1251 return( 0 );
1252
1253 /* M = A1 */
1254 M.s = 1;
1255 M.n = N->n - ( P255_WIDTH - 1 );
1256 if( M.n > P255_WIDTH + 1 )
1257 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1258 M.p = Mp;
1259 memset( Mp, 0, sizeof Mp );
1260 memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
1261 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
1262 M.n++; /* Make room for multiplication by 19 */
1263
1264 /* N = A0 */
1265 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) );
1266 for( i = P255_WIDTH; i < N->n; i++ )
1267 N->p[i] = 0;
1268
1269 /* N = A0 + 19 * A1 */
1270 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) );
1271 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1272
1273 cleanup:
1274 return( ret );
1275 }
1276 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
1277
1278 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
1279
1280 /* Size of p448 in terms of mbedtls_mpi_uint */
1281 #define P448_WIDTH ( 448 / 8 / sizeof( mbedtls_mpi_uint ) )
1282
1283 /* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
1284 #define DIV_ROUND_UP( X, Y ) ( ( ( X ) + ( Y ) - 1 ) / ( Y ) )
1285 #define P224_WIDTH_MIN ( 28 / sizeof( mbedtls_mpi_uint ) )
1286 #define P224_WIDTH_MAX DIV_ROUND_UP( 28, sizeof( mbedtls_mpi_uint ) )
1287 #define P224_UNUSED_BITS ( ( P224_WIDTH_MAX * sizeof( mbedtls_mpi_uint ) * 8 ) - 224 )
1288
1289 /*
1290 * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
1291 * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
1292 * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
1293 * implementation of Curve448, which uses its own special 56-bit limbs rather
1294 * than a generic bignum library. We could squeeze some extra speed out on
1295 * 32-bit machines by splitting N up into 32-bit limbs and doing the
1296 * arithmetic using the limbs directly as we do for the NIST primes above,
1297 * but for 64-bit targets it should use half the number of operations if we do
1298 * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
1299 */
ecp_mod_p448(mbedtls_mpi * N)1300 static int ecp_mod_p448( mbedtls_mpi *N )
1301 {
1302 int ret;
1303 size_t i;
1304 mbedtls_mpi M, Q;
1305 mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
1306
1307 if( N->n <= P448_WIDTH )
1308 return( 0 );
1309
1310 /* M = A1 */
1311 M.s = 1;
1312 M.n = N->n - ( P448_WIDTH );
1313 if( M.n > P448_WIDTH )
1314 /* Shouldn't be called with N larger than 2^896! */
1315 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1316 M.p = Mp;
1317 memset( Mp, 0, sizeof( Mp ) );
1318 memcpy( Mp, N->p + P448_WIDTH, M.n * sizeof( mbedtls_mpi_uint ) );
1319
1320 /* N = A0 */
1321 for( i = P448_WIDTH; i < N->n; i++ )
1322 N->p[i] = 0;
1323
1324 /* N += A1 */
1325 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
1326
1327 /* Q = B1, N += B1 */
1328 Q = M;
1329 Q.p = Qp;
1330 memcpy( Qp, Mp, sizeof( Qp ) );
1331 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Q, 224 ) );
1332 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &Q ) );
1333
1334 /* M = (B0 + B1) * 2^224, N += M */
1335 if( sizeof( mbedtls_mpi_uint ) > 4 )
1336 Mp[P224_WIDTH_MIN] &= ( (mbedtls_mpi_uint)-1 ) >> ( P224_UNUSED_BITS );
1337 for( i = P224_WIDTH_MAX; i < M.n; ++i )
1338 Mp[i] = 0;
1339 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M, &M, &Q ) );
1340 M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
1341 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &M, 224 ) );
1342 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
1343
1344 cleanup:
1345 return( ret );
1346 }
1347 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
1348
1349 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
1350 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
1351 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
1352 /*
1353 * Fast quasi-reduction modulo P = 2^s - R,
1354 * with R about 33 bits, used by the Koblitz curves.
1355 *
1356 * Write N as A0 + 2^224 A1, return A0 + R * A1.
1357 * Actually do two passes, since R is big.
1358 */
1359 #define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P
1360 #define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R
ecp_mod_koblitz(mbedtls_mpi * N,mbedtls_mpi_uint * Rp,size_t p_limbs,size_t adjust,size_t shift,mbedtls_mpi_uint mask)1361 static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
1362 size_t adjust, size_t shift, mbedtls_mpi_uint mask )
1363 {
1364 int ret;
1365 size_t i;
1366 mbedtls_mpi M, R;
1367 mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
1368
1369 if( N->n < p_limbs )
1370 return( 0 );
1371
1372 /* Init R */
1373 R.s = 1;
1374 R.p = Rp;
1375 R.n = P_KOBLITZ_R;
1376
1377 /* Common setup for M */
1378 M.s = 1;
1379 M.p = Mp;
1380
1381 /* M = A1 */
1382 M.n = N->n - ( p_limbs - adjust );
1383 if( M.n > p_limbs + adjust )
1384 M.n = p_limbs + adjust;
1385 memset( Mp, 0, sizeof Mp );
1386 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
1387 if( shift != 0 )
1388 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
1389 M.n += R.n; /* Make room for multiplication by R */
1390
1391 /* N = A0 */
1392 if( mask != 0 )
1393 N->p[p_limbs - 1] &= mask;
1394 for( i = p_limbs; i < N->n; i++ )
1395 N->p[i] = 0;
1396
1397 /* N = A0 + R * A1 */
1398 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
1399 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1400
1401 /* Second pass */
1402
1403 /* M = A1 */
1404 M.n = N->n - ( p_limbs - adjust );
1405 if( M.n > p_limbs + adjust )
1406 M.n = p_limbs + adjust;
1407 memset( Mp, 0, sizeof Mp );
1408 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
1409 if( shift != 0 )
1410 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
1411 M.n += R.n; /* Make room for multiplication by R */
1412
1413 /* N = A0 */
1414 if( mask != 0 )
1415 N->p[p_limbs - 1] &= mask;
1416 for( i = p_limbs; i < N->n; i++ )
1417 N->p[i] = 0;
1418
1419 /* N = A0 + R * A1 */
1420 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
1421 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1422
1423 cleanup:
1424 return( ret );
1425 }
1426 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
1427 MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
1428 MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
1429
1430 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
1431 /*
1432 * Fast quasi-reduction modulo p192k1 = 2^192 - R,
1433 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
1434 */
ecp_mod_p192k1(mbedtls_mpi * N)1435 static int ecp_mod_p192k1( mbedtls_mpi *N )
1436 {
1437 static mbedtls_mpi_uint Rp[] = {
1438 MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00,
1439 0x00 ) };
1440
1441 return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
1442 0 ) );
1443 }
1444 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
1445
1446 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
1447 /*
1448 * Fast quasi-reduction modulo p224k1 = 2^224 - R,
1449 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
1450 */
ecp_mod_p224k1(mbedtls_mpi * N)1451 static int ecp_mod_p224k1( mbedtls_mpi *N )
1452 {
1453 static mbedtls_mpi_uint Rp[] = {
1454 MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00,
1455 0x00 ) };
1456
1457 #if defined(MBEDTLS_HAVE_INT64)
1458 return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
1459 #else
1460 return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
1461 0 ) );
1462 #endif
1463 }
1464
1465 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
1466
1467 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
1468 /*
1469 * Fast quasi-reduction modulo p256k1 = 2^256 - R,
1470 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
1471 */
ecp_mod_p256k1(mbedtls_mpi * N)1472 static int ecp_mod_p256k1( mbedtls_mpi *N )
1473 {
1474 static mbedtls_mpi_uint Rp[] = {
1475 MBEDTLS_BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00,
1476 0x00 ) };
1477 return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
1478 0 ) );
1479 }
1480 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
1481
1482 #endif /* !MBEDTLS_ECP_ALT */
1483
1484 #endif /* MBEDTLS_ECP_C */
1485