1 /*
2 * Elliptic curves over GF(p): curve-specific data and functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #include "common.h"
9
10 #if defined(MBEDTLS_ECP_C)
11
12 #include "mbedtls/ecp.h"
13 #include "mbedtls/platform_util.h"
14 #include "mbedtls/error.h"
15 #include "mbedtls/bn_mul.h"
16
17 #include "ecp_invasive.h"
18
19 #include <string.h>
20
21 #if !defined(MBEDTLS_ECP_ALT)
22
23 /* Parameter validation macros based on platform_util.h */
24 #define ECP_VALIDATE_RET(cond) \
25 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA)
26 #define ECP_VALIDATE(cond) \
27 MBEDTLS_INTERNAL_VALIDATE(cond)
28
29 #define ECP_MPI_INIT(s, n, p) { s, (n), (mbedtls_mpi_uint *) (p) }
30
31 #define ECP_MPI_INIT_ARRAY(x) \
32 ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
33
34 /*
35 * Note: the constants are in little-endian order
36 * to be directly usable in MPIs
37 */
38
39 /*
40 * Domain parameters for secp192r1
41 */
42 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
43 static const mbedtls_mpi_uint secp192r1_p[] = {
44 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
45 MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
46 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
47 };
48 static const mbedtls_mpi_uint secp192r1_b[] = {
49 MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE),
50 MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F),
51 MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64),
52 };
53 static const mbedtls_mpi_uint secp192r1_gx[] = {
54 MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
55 MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
56 MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
57 };
58 static const mbedtls_mpi_uint secp192r1_gy[] = {
59 MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
60 MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
61 MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
62 };
63 static const mbedtls_mpi_uint secp192r1_n[] = {
64 MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14),
65 MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF),
66 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
67 };
68 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
69
70 /*
71 * Domain parameters for secp224r1
72 */
73 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
74 static const mbedtls_mpi_uint secp224r1_p[] = {
75 MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
76 MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
77 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
78 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
79 };
80 static const mbedtls_mpi_uint secp224r1_b[] = {
81 MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27),
82 MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50),
83 MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C),
84 MBEDTLS_BYTES_TO_T_UINT_4(0x85, 0x0A, 0x05, 0xB4),
85 };
86 static const mbedtls_mpi_uint secp224r1_gx[] = {
87 MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
88 MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
89 MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
90 MBEDTLS_BYTES_TO_T_UINT_4(0xBD, 0x0C, 0x0E, 0xB7),
91 };
92 static const mbedtls_mpi_uint secp224r1_gy[] = {
93 MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
94 MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
95 MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
96 MBEDTLS_BYTES_TO_T_UINT_4(0x88, 0x63, 0x37, 0xBD),
97 };
98 static const mbedtls_mpi_uint secp224r1_n[] = {
99 MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13),
100 MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF),
101 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
102 MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
103 };
104 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
105
106 /*
107 * Domain parameters for secp256r1
108 */
109 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
110 static const mbedtls_mpi_uint secp256r1_p[] = {
111 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
112 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
113 MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
114 MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
115 };
116 static const mbedtls_mpi_uint secp256r1_b[] = {
117 MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B),
118 MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65),
119 MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3),
120 MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A),
121 };
122 static const mbedtls_mpi_uint secp256r1_gx[] = {
123 MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
124 MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
125 MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
126 MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
127 };
128 static const mbedtls_mpi_uint secp256r1_gy[] = {
129 MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
130 MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
131 MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
132 MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
133 };
134 static const mbedtls_mpi_uint secp256r1_n[] = {
135 MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3),
136 MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC),
137 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
138 MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
139 };
140 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
141
142 /*
143 * Domain parameters for secp384r1
144 */
145 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
146 static const mbedtls_mpi_uint secp384r1_p[] = {
147 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
148 MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
149 MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
150 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
151 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
152 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
153 };
154 static const mbedtls_mpi_uint secp384r1_b[] = {
155 MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A),
156 MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6),
157 MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03),
158 MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18),
159 MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98),
160 MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3),
161 };
162 static const mbedtls_mpi_uint secp384r1_gx[] = {
163 MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
164 MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
165 MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
166 MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
167 MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
168 MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
169 };
170 static const mbedtls_mpi_uint secp384r1_gy[] = {
171 MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
172 MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
173 MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
174 MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
175 MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
176 MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
177 };
178 static const mbedtls_mpi_uint secp384r1_n[] = {
179 MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC),
180 MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58),
181 MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7),
182 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
183 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
184 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
185 };
186 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
187
188 /*
189 * Domain parameters for secp521r1
190 */
191 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
192 static const mbedtls_mpi_uint secp521r1_p[] = {
193 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
194 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
195 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
196 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
197 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
198 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
199 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
200 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
201 MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
202 };
203 static const mbedtls_mpi_uint secp521r1_b[] = {
204 MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF),
205 MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35),
206 MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16),
207 MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56),
208 MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8),
209 MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2),
210 MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92),
211 MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95),
212 MBEDTLS_BYTES_TO_T_UINT_2(0x51, 0x00),
213 };
214 static const mbedtls_mpi_uint secp521r1_gx[] = {
215 MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
216 MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
217 MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
218 MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
219 MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
220 MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
221 MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
222 MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
223 MBEDTLS_BYTES_TO_T_UINT_2(0xC6, 0x00),
224 };
225 static const mbedtls_mpi_uint secp521r1_gy[] = {
226 MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
227 MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
228 MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
229 MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
230 MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
231 MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
232 MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
233 MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
234 MBEDTLS_BYTES_TO_T_UINT_2(0x18, 0x01),
235 };
236 static const mbedtls_mpi_uint secp521r1_n[] = {
237 MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB),
238 MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B),
239 MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F),
240 MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51),
241 MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
242 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
243 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
244 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
245 MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
246 };
247 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
248
249 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
250 static const mbedtls_mpi_uint secp192k1_p[] = {
251 MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
252 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
253 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
254 };
255 static const mbedtls_mpi_uint secp192k1_a[] = {
256 MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
257 };
258 static const mbedtls_mpi_uint secp192k1_b[] = {
259 MBEDTLS_BYTES_TO_T_UINT_2(0x03, 0x00),
260 };
261 static const mbedtls_mpi_uint secp192k1_gx[] = {
262 MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
263 MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
264 MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
265 };
266 static const mbedtls_mpi_uint secp192k1_gy[] = {
267 MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
268 MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
269 MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
270 };
271 static const mbedtls_mpi_uint secp192k1_n[] = {
272 MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F),
273 MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF),
274 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
275 };
276 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
277
278 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
279 static const mbedtls_mpi_uint secp224k1_p[] = {
280 MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
281 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
282 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
283 MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
284 };
285 static const mbedtls_mpi_uint secp224k1_a[] = {
286 MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
287 };
288 static const mbedtls_mpi_uint secp224k1_b[] = {
289 MBEDTLS_BYTES_TO_T_UINT_2(0x05, 0x00),
290 };
291 static const mbedtls_mpi_uint secp224k1_gx[] = {
292 MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
293 MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
294 MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
295 MBEDTLS_BYTES_TO_T_UINT_4(0x33, 0x5B, 0x45, 0xA1),
296 };
297 static const mbedtls_mpi_uint secp224k1_gy[] = {
298 MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
299 MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
300 MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
301 MBEDTLS_BYTES_TO_T_UINT_4(0xED, 0x9F, 0x08, 0x7E),
302 };
303 static const mbedtls_mpi_uint secp224k1_n[] = {
304 MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA),
305 MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00),
306 MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
307 MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00),
308 };
309 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
310
311 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
312 static const mbedtls_mpi_uint secp256k1_p[] = {
313 MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
314 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
315 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
316 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
317 };
318 static const mbedtls_mpi_uint secp256k1_a[] = {
319 MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
320 };
321 static const mbedtls_mpi_uint secp256k1_b[] = {
322 MBEDTLS_BYTES_TO_T_UINT_2(0x07, 0x00),
323 };
324 static const mbedtls_mpi_uint secp256k1_gx[] = {
325 MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
326 MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
327 MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
328 MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
329 };
330 static const mbedtls_mpi_uint secp256k1_gy[] = {
331 MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
332 MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
333 MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
334 MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
335 };
336 static const mbedtls_mpi_uint secp256k1_n[] = {
337 MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF),
338 MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA),
339 MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
340 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
341 };
342 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
343
344 /*
345 * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
346 */
347 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
348 static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
349 MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20),
350 MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E),
351 MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
352 MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
353 };
354 static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
355 MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9),
356 MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB),
357 MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE),
358 MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D),
359 };
360 static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
361 MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B),
362 MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95),
363 MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3),
364 MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26),
365 };
366 static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
367 MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
368 MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
369 MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
370 MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
371 };
372 static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
373 MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
374 MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
375 MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
376 MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
377 };
378 static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
379 MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90),
380 MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C),
381 MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
382 MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
383 };
384 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
385
386 /*
387 * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
388 */
389 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
390 static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
391 MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87),
392 MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC),
393 MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12),
394 MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
395 MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
396 MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
397 };
398 static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
399 MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
400 MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A),
401 MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13),
402 MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2),
403 MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C),
404 MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B),
405 };
406 static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
407 MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A),
408 MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C),
409 MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E),
410 MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F),
411 MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B),
412 MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
413 };
414 static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
415 MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
416 MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
417 MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
418 MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
419 MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
420 MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
421 };
422 static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
423 MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
424 MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
425 MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
426 MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
427 MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
428 MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
429 };
430 static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
431 MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B),
432 MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF),
433 MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F),
434 MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
435 MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
436 MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
437 };
438 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
439
440 /*
441 * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
442 */
443 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
444 static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
445 MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28),
446 MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28),
447 MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE),
448 MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D),
449 MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
450 MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
451 MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
452 MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
453 };
454 static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
455 MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7),
456 MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F),
457 MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A),
458 MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D),
459 MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8),
460 MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94),
461 MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2),
462 MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78),
463 };
464 static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
465 MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28),
466 MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98),
467 MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77),
468 MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B),
469 MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B),
470 MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8),
471 MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA),
472 MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D),
473 };
474 static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
475 MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
476 MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
477 MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
478 MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
479 MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
480 MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
481 MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
482 MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
483 };
484 static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
485 MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
486 MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
487 MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
488 MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
489 MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
490 MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
491 MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
492 MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
493 };
494 static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
495 MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5),
496 MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D),
497 MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41),
498 MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55),
499 MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
500 MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
501 MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
502 MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
503 };
504 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
505
506 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
507 defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
508 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
509 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
510 defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
511 defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
512 defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
513 defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
514 defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
515 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
516 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
517 /* For these curves, we build the group parameters dynamically. */
518 #define ECP_LOAD_GROUP
519 #endif
520
521 #if defined(ECP_LOAD_GROUP)
522 /*
523 * Create an MPI from embedded constants
524 * (assumes len is an exact multiple of sizeof(mbedtls_mpi_uint))
525 */
ecp_mpi_load(mbedtls_mpi * X,const mbedtls_mpi_uint * p,size_t len)526 static inline void ecp_mpi_load(mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len)
527 {
528 X->s = 1;
529 X->n = len / sizeof(mbedtls_mpi_uint);
530 X->p = (mbedtls_mpi_uint *) p;
531 }
532
533 /*
534 * Set an MPI to static value 1
535 */
ecp_mpi_set1(mbedtls_mpi * X)536 static inline void ecp_mpi_set1(mbedtls_mpi *X)
537 {
538 static mbedtls_mpi_uint one[] = { 1 };
539 X->s = 1;
540 X->n = 1;
541 X->p = one;
542 }
543
544 /*
545 * Make group available from embedded constants
546 */
ecp_group_load(mbedtls_ecp_group * grp,const mbedtls_mpi_uint * p,size_t plen,const mbedtls_mpi_uint * a,size_t alen,const mbedtls_mpi_uint * b,size_t blen,const mbedtls_mpi_uint * gx,size_t gxlen,const mbedtls_mpi_uint * gy,size_t gylen,const mbedtls_mpi_uint * n,size_t nlen)547 static int ecp_group_load(mbedtls_ecp_group *grp,
548 const mbedtls_mpi_uint *p, size_t plen,
549 const mbedtls_mpi_uint *a, size_t alen,
550 const mbedtls_mpi_uint *b, size_t blen,
551 const mbedtls_mpi_uint *gx, size_t gxlen,
552 const mbedtls_mpi_uint *gy, size_t gylen,
553 const mbedtls_mpi_uint *n, size_t nlen)
554 {
555 ecp_mpi_load(&grp->P, p, plen);
556 if (a != NULL) {
557 ecp_mpi_load(&grp->A, a, alen);
558 }
559 ecp_mpi_load(&grp->B, b, blen);
560 ecp_mpi_load(&grp->N, n, nlen);
561
562 ecp_mpi_load(&grp->G.X, gx, gxlen);
563 ecp_mpi_load(&grp->G.Y, gy, gylen);
564 ecp_mpi_set1(&grp->G.Z);
565
566 grp->pbits = mbedtls_mpi_bitlen(&grp->P);
567 grp->nbits = mbedtls_mpi_bitlen(&grp->N);
568
569 grp->h = 1;
570
571 return 0;
572 }
573 #endif /* ECP_LOAD_GROUP */
574
575 #if defined(MBEDTLS_ECP_NIST_OPTIM)
576 /* Forward declarations */
577 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
578 static int ecp_mod_p192(mbedtls_mpi *);
579 #endif
580 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
581 static int ecp_mod_p224(mbedtls_mpi *);
582 #endif
583 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
584 static int ecp_mod_p256(mbedtls_mpi *);
585 #endif
586 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
587 static int ecp_mod_p384(mbedtls_mpi *);
588 #endif
589 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
590 static int ecp_mod_p521(mbedtls_mpi *);
591 #endif
592
593 #define NIST_MODP(P) grp->modp = ecp_mod_ ## P;
594 #else
595 #define NIST_MODP(P)
596 #endif /* MBEDTLS_ECP_NIST_OPTIM */
597
598 /* Additional forward declarations */
599 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
600 static int ecp_mod_p255(mbedtls_mpi *);
601 #endif
602 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
603 static int ecp_mod_p448(mbedtls_mpi *);
604 #endif
605 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
606 static int ecp_mod_p192k1(mbedtls_mpi *);
607 #endif
608 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
609 static int ecp_mod_p224k1(mbedtls_mpi *);
610 #endif
611 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
612 static int ecp_mod_p256k1(mbedtls_mpi *);
613 #endif
614
615 #if defined(ECP_LOAD_GROUP)
616 #define LOAD_GROUP_A(G) ecp_group_load(grp, \
617 G ## _p, sizeof(G ## _p), \
618 G ## _a, sizeof(G ## _a), \
619 G ## _b, sizeof(G ## _b), \
620 G ## _gx, sizeof(G ## _gx), \
621 G ## _gy, sizeof(G ## _gy), \
622 G ## _n, sizeof(G ## _n))
623
624 #define LOAD_GROUP(G) ecp_group_load(grp, \
625 G ## _p, sizeof(G ## _p), \
626 NULL, 0, \
627 G ## _b, sizeof(G ## _b), \
628 G ## _gx, sizeof(G ## _gx), \
629 G ## _gy, sizeof(G ## _gy), \
630 G ## _n, sizeof(G ## _n))
631 #endif /* ECP_LOAD_GROUP */
632
633 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
634 /* Constants used by ecp_use_curve25519() */
635 static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
636 static const unsigned char curve25519_part_of_n[] = {
637 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
638 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED,
639 };
640
641 /*
642 * Specialized function for creating the Curve25519 group
643 */
ecp_use_curve25519(mbedtls_ecp_group * grp)644 static int ecp_use_curve25519(mbedtls_ecp_group *grp)
645 {
646 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
647
648 /* Actually ( A + 2 ) / 4 */
649 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve25519_a24));
650
651 /* P = 2^255 - 19 */
652 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1));
653 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 255));
654 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 19));
655 grp->pbits = mbedtls_mpi_bitlen(&grp->P);
656
657 /* N = 2^252 + 27742317777372353535851937790883648493 */
658 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&grp->N,
659 curve25519_part_of_n, sizeof(curve25519_part_of_n)));
660 MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 252, 1));
661
662 /* Y intentionally not set, since we use x/z coordinates.
663 * This is used as a marker to identify Montgomery curves! */
664 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 9));
665 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
666 mbedtls_mpi_free(&grp->G.Y);
667
668 /* Actually, the required msb for private keys */
669 grp->nbits = 254;
670
671 cleanup:
672 if (ret != 0) {
673 mbedtls_ecp_group_free(grp);
674 }
675
676 return ret;
677 }
678 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
679
680 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
681 /* Constants used by ecp_use_curve448() */
682 static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
683 static const unsigned char curve448_part_of_n[] = {
684 0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24,
685 0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93,
686 0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC,
687 0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D,
688 };
689
690 /*
691 * Specialized function for creating the Curve448 group
692 */
ecp_use_curve448(mbedtls_ecp_group * grp)693 static int ecp_use_curve448(mbedtls_ecp_group *grp)
694 {
695 mbedtls_mpi Ns;
696 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
697
698 mbedtls_mpi_init(&Ns);
699
700 /* Actually ( A + 2 ) / 4 */
701 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve448_a24));
702
703 /* P = 2^448 - 2^224 - 1 */
704 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1));
705 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224));
706 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1));
707 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224));
708 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1));
709 grp->pbits = mbedtls_mpi_bitlen(&grp->P);
710
711 /* Y intentionally not set, since we use x/z coordinates.
712 * This is used as a marker to identify Montgomery curves! */
713 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 5));
714 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
715 mbedtls_mpi_free(&grp->G.Y);
716
717 /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
718 MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 446, 1));
719 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&Ns,
720 curve448_part_of_n, sizeof(curve448_part_of_n)));
721 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&grp->N, &grp->N, &Ns));
722
723 /* Actually, the required msb for private keys */
724 grp->nbits = 447;
725
726 cleanup:
727 mbedtls_mpi_free(&Ns);
728 if (ret != 0) {
729 mbedtls_ecp_group_free(grp);
730 }
731
732 return ret;
733 }
734 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
735
736 /*
737 * Set a group using well-known domain parameters
738 */
mbedtls_ecp_group_load(mbedtls_ecp_group * grp,mbedtls_ecp_group_id id)739 int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id)
740 {
741 ECP_VALIDATE_RET(grp != NULL);
742 mbedtls_ecp_group_free(grp);
743
744 mbedtls_ecp_group_init(grp);
745
746 grp->id = id;
747
748 switch (id) {
749 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
750 case MBEDTLS_ECP_DP_SECP192R1:
751 NIST_MODP(p192);
752 return LOAD_GROUP(secp192r1);
753 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
754
755 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
756 case MBEDTLS_ECP_DP_SECP224R1:
757 NIST_MODP(p224);
758 return LOAD_GROUP(secp224r1);
759 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
760
761 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
762 case MBEDTLS_ECP_DP_SECP256R1:
763 NIST_MODP(p256);
764 return LOAD_GROUP(secp256r1);
765 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
766
767 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
768 case MBEDTLS_ECP_DP_SECP384R1:
769 NIST_MODP(p384);
770 return LOAD_GROUP(secp384r1);
771 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
772
773 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
774 case MBEDTLS_ECP_DP_SECP521R1:
775 NIST_MODP(p521);
776 return LOAD_GROUP(secp521r1);
777 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
778
779 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
780 case MBEDTLS_ECP_DP_SECP192K1:
781 grp->modp = ecp_mod_p192k1;
782 return LOAD_GROUP_A(secp192k1);
783 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
784
785 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
786 case MBEDTLS_ECP_DP_SECP224K1:
787 grp->modp = ecp_mod_p224k1;
788 return LOAD_GROUP_A(secp224k1);
789 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
790
791 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
792 case MBEDTLS_ECP_DP_SECP256K1:
793 grp->modp = ecp_mod_p256k1;
794 return LOAD_GROUP_A(secp256k1);
795 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
796
797 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
798 case MBEDTLS_ECP_DP_BP256R1:
799 return LOAD_GROUP_A(brainpoolP256r1);
800 #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
801
802 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
803 case MBEDTLS_ECP_DP_BP384R1:
804 return LOAD_GROUP_A(brainpoolP384r1);
805 #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
806
807 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
808 case MBEDTLS_ECP_DP_BP512R1:
809 return LOAD_GROUP_A(brainpoolP512r1);
810 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
811
812 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
813 case MBEDTLS_ECP_DP_CURVE25519:
814 grp->modp = ecp_mod_p255;
815 return ecp_use_curve25519(grp);
816 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
817
818 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
819 case MBEDTLS_ECP_DP_CURVE448:
820 grp->modp = ecp_mod_p448;
821 return ecp_use_curve448(grp);
822 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
823
824 default:
825 grp->id = MBEDTLS_ECP_DP_NONE;
826 return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
827 }
828 }
829
830 #if defined(MBEDTLS_ECP_NIST_OPTIM)
831 /*
832 * Fast reduction modulo the primes used by the NIST curves.
833 *
834 * These functions are critical for speed, but not needed for correct
835 * operations. So, we make the choice to heavily rely on the internals of our
836 * bignum library, which creates a tight coupling between these functions and
837 * our MPI implementation. However, the coupling between the ECP module and
838 * MPI remains loose, since these functions can be deactivated at will.
839 */
840
841 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
842 /*
843 * Compared to the way things are presented in FIPS 186-3 D.2,
844 * we proceed in columns, from right (least significant chunk) to left,
845 * adding chunks to N in place, and keeping a carry for the next chunk.
846 * This avoids moving things around in memory, and uselessly adding zeros,
847 * compared to the more straightforward, line-oriented approach.
848 *
849 * For this prime we need to handle data in chunks of 64 bits.
850 * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
851 * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
852 */
853
854 /* Add 64-bit chunks (dst += src) and update carry */
add64(mbedtls_mpi_uint * dst,mbedtls_mpi_uint * src,mbedtls_mpi_uint * carry)855 static inline void add64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry)
856 {
857 unsigned char i;
858 mbedtls_mpi_uint c = 0;
859 for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++, src++) {
860 *dst += c; c = (*dst < c);
861 *dst += *src; c += (*dst < *src);
862 }
863 *carry += c;
864 }
865
866 /* Add carry to a 64-bit chunk and update carry */
carry64(mbedtls_mpi_uint * dst,mbedtls_mpi_uint * carry)867 static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry)
868 {
869 unsigned char i;
870 for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++) {
871 *dst += *carry;
872 *carry = (*dst < *carry);
873 }
874 }
875
876 #define WIDTH 8 / sizeof(mbedtls_mpi_uint)
877 #define A(i) N->p + (i) * WIDTH
878 #define ADD(i) add64(p, A(i), &c)
879 #define NEXT p += WIDTH; carry64(p, &c)
880 #define LAST p += WIDTH; *p = c; while (++p < end) *p = 0
881
882 /*
883 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
884 */
ecp_mod_p192(mbedtls_mpi * N)885 static int ecp_mod_p192(mbedtls_mpi *N)
886 {
887 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
888 mbedtls_mpi_uint c = 0;
889 mbedtls_mpi_uint *p, *end;
890
891 /* Make sure we have enough blocks so that A(5) is legal */
892 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, 6 * WIDTH));
893
894 p = N->p;
895 end = p + N->n;
896
897 ADD(3); ADD(5); NEXT; // A0 += A3 + A5
898 ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5
899 ADD(4); ADD(5); LAST; // A2 += A4 + A5
900
901 cleanup:
902 return ret;
903 }
904
905 #undef WIDTH
906 #undef A
907 #undef ADD
908 #undef NEXT
909 #undef LAST
910 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
911
912 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
913 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
914 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
915 /*
916 * The reader is advised to first understand ecp_mod_p192() since the same
917 * general structure is used here, but with additional complications:
918 * (1) chunks of 32 bits, and (2) subtractions.
919 */
920
921 /*
922 * For these primes, we need to handle data in chunks of 32 bits.
923 * This makes it more complicated if we use 64 bits limbs in MPI,
924 * which prevents us from using a uniform access method as for p192.
925 *
926 * So, we define a mini abstraction layer to access 32 bit chunks,
927 * load them in 'cur' for work, and store them back from 'cur' when done.
928 *
929 * While at it, also define the size of N in terms of 32-bit chunks.
930 */
931 #define LOAD32 cur = A(i);
932
933 #if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
934
935 #define MAX32 N->n
936 #define A(j) N->p[j]
937 #define STORE32 N->p[i] = cur;
938
939 #else /* 64-bit */
940
941 #define MAX32 N->n * 2
942 #define A(j) (j) % 2 ? (uint32_t) (N->p[(j)/2] >> 32) : \
943 (uint32_t) (N->p[(j)/2])
944 #define STORE32 \
945 if (i % 2) { \
946 N->p[i/2] &= 0x00000000FFFFFFFF; \
947 N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \
948 } else { \
949 N->p[i/2] &= 0xFFFFFFFF00000000; \
950 N->p[i/2] |= (mbedtls_mpi_uint) cur; \
951 }
952
953 #endif /* sizeof( mbedtls_mpi_uint ) */
954
955 /*
956 * Helpers for addition and subtraction of chunks, with signed carry.
957 */
add32(uint32_t * dst,uint32_t src,signed char * carry)958 static inline void add32(uint32_t *dst, uint32_t src, signed char *carry)
959 {
960 *dst += src;
961 *carry += (*dst < src);
962 }
963
sub32(uint32_t * dst,uint32_t src,signed char * carry)964 static inline void sub32(uint32_t *dst, uint32_t src, signed char *carry)
965 {
966 *carry -= (*dst < src);
967 *dst -= src;
968 }
969
970 #define ADD(j) add32(&cur, A(j), &c);
971 #define SUB(j) sub32(&cur, A(j), &c);
972
973 #define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */
974 #define biL (ciL << 3) /* bits in limb */
975
976 /*
977 * Helpers for the main 'loop'
978 */
979 #define INIT(b) \
980 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; \
981 signed char c = 0, cc; \
982 uint32_t cur; \
983 size_t i = 0, bits = (b); \
984 /* N is the size of the product of two b-bit numbers, plus one */ \
985 /* limb for fix_negative */ \
986 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, (b) * 2 / biL + 1)); \
987 LOAD32;
988
989 #define NEXT \
990 STORE32; i++; LOAD32; \
991 cc = c; c = 0; \
992 if (cc < 0) \
993 sub32(&cur, -cc, &c); \
994 else \
995 add32(&cur, cc, &c); \
996
997 #define LAST \
998 STORE32; i++; \
999 cur = c > 0 ? c : 0; STORE32; \
1000 cur = 0; while (++i < MAX32) { STORE32; } \
1001 if (c < 0) mbedtls_ecp_fix_negative(N, c, bits);
1002
1003 /*
1004 * If the result is negative, we get it in the form
1005 * c * 2^bits + N, with c negative and N positive shorter than 'bits'
1006 */
1007 MBEDTLS_STATIC_TESTABLE
mbedtls_ecp_fix_negative(mbedtls_mpi * N,signed char c,size_t bits)1008 void mbedtls_ecp_fix_negative(mbedtls_mpi *N, signed char c, size_t bits)
1009 {
1010 size_t i;
1011
1012 /* Set N := 2^bits - 1 - N. We know that 0 <= N < 2^bits, so
1013 * set the absolute value to 0xfff...fff - N. There is no carry
1014 * since we're subtracting from all-bits-one. */
1015 for (i = 0; i <= bits / 8 / sizeof(mbedtls_mpi_uint); i++) {
1016 N->p[i] = ~(mbedtls_mpi_uint) 0 - N->p[i];
1017 }
1018 /* Add 1, taking care of the carry. */
1019 i = 0;
1020 do {
1021 ++N->p[i];
1022 } while (N->p[i++] == 0 && i <= bits / 8 / sizeof(mbedtls_mpi_uint));
1023 /* Invert the sign.
1024 * Now N = N0 - 2^bits where N0 is the initial value of N. */
1025 N->s = -1;
1026
1027 /* Add |c| * 2^bits to the absolute value. Since c and N are
1028 * negative, this adds c * 2^bits. */
1029 mbedtls_mpi_uint msw = (mbedtls_mpi_uint) -c;
1030 #if defined(MBEDTLS_HAVE_INT64)
1031 if (bits == 224) {
1032 msw <<= 32;
1033 }
1034 #endif
1035 N->p[bits / 8 / sizeof(mbedtls_mpi_uint)] += msw;
1036 }
1037
1038 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
1039 /*
1040 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
1041 */
ecp_mod_p224(mbedtls_mpi * N)1042 static int ecp_mod_p224(mbedtls_mpi *N)
1043 {
1044 INIT(224);
1045
1046 SUB(7); SUB(11); NEXT; // A0 += -A7 - A11
1047 SUB(8); SUB(12); NEXT; // A1 += -A8 - A12
1048 SUB(9); SUB(13); NEXT; // A2 += -A9 - A13
1049 SUB(10); ADD(7); ADD(11); NEXT; // A3 += -A10 + A7 + A11
1050 SUB(11); ADD(8); ADD(12); NEXT; // A4 += -A11 + A8 + A12
1051 SUB(12); ADD(9); ADD(13); NEXT; // A5 += -A12 + A9 + A13
1052 SUB(13); ADD(10); LAST; // A6 += -A13 + A10
1053
1054 cleanup:
1055 return ret;
1056 }
1057 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
1058
1059 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
1060 /*
1061 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
1062 */
ecp_mod_p256(mbedtls_mpi * N)1063 static int ecp_mod_p256(mbedtls_mpi *N)
1064 {
1065 INIT(256);
1066
1067 ADD(8); ADD(9);
1068 SUB(11); SUB(12); SUB(13); SUB(14); NEXT; // A0
1069
1070 ADD(9); ADD(10);
1071 SUB(12); SUB(13); SUB(14); SUB(15); NEXT; // A1
1072
1073 ADD(10); ADD(11);
1074 SUB(13); SUB(14); SUB(15); NEXT; // A2
1075
1076 ADD(11); ADD(11); ADD(12); ADD(12); ADD(13);
1077 SUB(15); SUB(8); SUB(9); NEXT; // A3
1078
1079 ADD(12); ADD(12); ADD(13); ADD(13); ADD(14);
1080 SUB(9); SUB(10); NEXT; // A4
1081
1082 ADD(13); ADD(13); ADD(14); ADD(14); ADD(15);
1083 SUB(10); SUB(11); NEXT; // A5
1084
1085 ADD(14); ADD(14); ADD(15); ADD(15); ADD(14); ADD(13);
1086 SUB(8); SUB(9); NEXT; // A6
1087
1088 ADD(15); ADD(15); ADD(15); ADD(8);
1089 SUB(10); SUB(11); SUB(12); SUB(13); LAST; // A7
1090
1091 cleanup:
1092 return ret;
1093 }
1094 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
1095
1096 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
1097 /*
1098 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
1099 */
ecp_mod_p384(mbedtls_mpi * N)1100 static int ecp_mod_p384(mbedtls_mpi *N)
1101 {
1102 INIT(384);
1103
1104 ADD(12); ADD(21); ADD(20);
1105 SUB(23); NEXT; // A0
1106
1107 ADD(13); ADD(22); ADD(23);
1108 SUB(12); SUB(20); NEXT; // A2
1109
1110 ADD(14); ADD(23);
1111 SUB(13); SUB(21); NEXT; // A2
1112
1113 ADD(15); ADD(12); ADD(20); ADD(21);
1114 SUB(14); SUB(22); SUB(23); NEXT; // A3
1115
1116 ADD(21); ADD(21); ADD(16); ADD(13); ADD(12); ADD(20); ADD(22);
1117 SUB(15); SUB(23); SUB(23); NEXT; // A4
1118
1119 ADD(22); ADD(22); ADD(17); ADD(14); ADD(13); ADD(21); ADD(23);
1120 SUB(16); NEXT; // A5
1121
1122 ADD(23); ADD(23); ADD(18); ADD(15); ADD(14); ADD(22);
1123 SUB(17); NEXT; // A6
1124
1125 ADD(19); ADD(16); ADD(15); ADD(23);
1126 SUB(18); NEXT; // A7
1127
1128 ADD(20); ADD(17); ADD(16);
1129 SUB(19); NEXT; // A8
1130
1131 ADD(21); ADD(18); ADD(17);
1132 SUB(20); NEXT; // A9
1133
1134 ADD(22); ADD(19); ADD(18);
1135 SUB(21); NEXT; // A10
1136
1137 ADD(23); ADD(20); ADD(19);
1138 SUB(22); LAST; // A11
1139
1140 cleanup:
1141 return ret;
1142 }
1143 #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
1144
1145 #undef A
1146 #undef LOAD32
1147 #undef STORE32
1148 #undef MAX32
1149 #undef INIT
1150 #undef NEXT
1151 #undef LAST
1152
1153 #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
1154 MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
1155 MBEDTLS_ECP_DP_SECP384R1_ENABLED */
1156
1157 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
1158 /*
1159 * Here we have an actual Mersenne prime, so things are more straightforward.
1160 * However, chunks are aligned on a 'weird' boundary (521 bits).
1161 */
1162
1163 /* Size of p521 in terms of mbedtls_mpi_uint */
1164 #define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1)
1165
1166 /* Bits to keep in the most significant mbedtls_mpi_uint */
1167 #define P521_MASK 0x01FF
1168
1169 /*
1170 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
1171 * Write N as A1 + 2^521 A0, return A0 + A1
1172 */
ecp_mod_p521(mbedtls_mpi * N)1173 static int ecp_mod_p521(mbedtls_mpi *N)
1174 {
1175 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1176 size_t i;
1177 mbedtls_mpi M;
1178 mbedtls_mpi_uint Mp[P521_WIDTH + 1];
1179 /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
1180 * we need to hold bits 513 to 1056, which is 34 limbs, that is
1181 * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
1182
1183 if (N->n < P521_WIDTH) {
1184 return 0;
1185 }
1186
1187 /* M = A1 */
1188 M.s = 1;
1189 M.n = N->n - (P521_WIDTH - 1);
1190 if (M.n > P521_WIDTH + 1) {
1191 M.n = P521_WIDTH + 1;
1192 }
1193 M.p = Mp;
1194 memcpy(Mp, N->p + P521_WIDTH - 1, M.n * sizeof(mbedtls_mpi_uint));
1195 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, 521 % (8 * sizeof(mbedtls_mpi_uint))));
1196
1197 /* N = A0 */
1198 N->p[P521_WIDTH - 1] &= P521_MASK;
1199 for (i = P521_WIDTH; i < N->n; i++) {
1200 N->p[i] = 0;
1201 }
1202
1203 /* N = A0 + A1 */
1204 MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
1205
1206 cleanup:
1207 return ret;
1208 }
1209
1210 #undef P521_WIDTH
1211 #undef P521_MASK
1212 #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
1213
1214 #endif /* MBEDTLS_ECP_NIST_OPTIM */
1215
1216 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
1217
1218 /* Size of p255 in terms of mbedtls_mpi_uint */
1219 #define P255_WIDTH (255 / 8 / sizeof(mbedtls_mpi_uint) + 1)
1220
1221 /*
1222 * Fast quasi-reduction modulo p255 = 2^255 - 19
1223 * Write N as A0 + 2^255 A1, return A0 + 19 * A1
1224 */
ecp_mod_p255(mbedtls_mpi * N)1225 static int ecp_mod_p255(mbedtls_mpi *N)
1226 {
1227 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1228 size_t i;
1229 mbedtls_mpi M;
1230 mbedtls_mpi_uint Mp[P255_WIDTH + 2];
1231
1232 if (N->n < P255_WIDTH) {
1233 return 0;
1234 }
1235
1236 /* M = A1 */
1237 M.s = 1;
1238 M.n = N->n - (P255_WIDTH - 1);
1239 if (M.n > P255_WIDTH + 1) {
1240 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
1241 }
1242 M.p = Mp;
1243 memset(Mp, 0, sizeof(Mp));
1244 memcpy(Mp, N->p + P255_WIDTH - 1, M.n * sizeof(mbedtls_mpi_uint));
1245 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, 255 % (8 * sizeof(mbedtls_mpi_uint))));
1246 M.n++; /* Make room for multiplication by 19 */
1247
1248 /* N = A0 */
1249 MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(N, 255, 0));
1250 for (i = P255_WIDTH; i < N->n; i++) {
1251 N->p[i] = 0;
1252 }
1253
1254 /* N = A0 + 19 * A1 */
1255 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&M, &M, 19));
1256 MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
1257
1258 cleanup:
1259 return ret;
1260 }
1261 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
1262
1263 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
1264
1265 /* Size of p448 in terms of mbedtls_mpi_uint */
1266 #define P448_WIDTH (448 / 8 / sizeof(mbedtls_mpi_uint))
1267
1268 /* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
1269 #define DIV_ROUND_UP(X, Y) (((X) + (Y) -1) / (Y))
1270 #define P224_WIDTH_MIN (28 / sizeof(mbedtls_mpi_uint))
1271 #define P224_WIDTH_MAX DIV_ROUND_UP(28, sizeof(mbedtls_mpi_uint))
1272 #define P224_UNUSED_BITS ((P224_WIDTH_MAX * sizeof(mbedtls_mpi_uint) * 8) - 224)
1273
1274 /*
1275 * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
1276 * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
1277 * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
1278 * implementation of Curve448, which uses its own special 56-bit limbs rather
1279 * than a generic bignum library. We could squeeze some extra speed out on
1280 * 32-bit machines by splitting N up into 32-bit limbs and doing the
1281 * arithmetic using the limbs directly as we do for the NIST primes above,
1282 * but for 64-bit targets it should use half the number of operations if we do
1283 * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
1284 */
ecp_mod_p448(mbedtls_mpi * N)1285 static int ecp_mod_p448(mbedtls_mpi *N)
1286 {
1287 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1288 size_t i;
1289 mbedtls_mpi M, Q;
1290 mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
1291
1292 if (N->n <= P448_WIDTH) {
1293 return 0;
1294 }
1295
1296 /* M = A1 */
1297 M.s = 1;
1298 M.n = N->n - (P448_WIDTH);
1299 if (M.n > P448_WIDTH) {
1300 /* Shouldn't be called with N larger than 2^896! */
1301 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
1302 }
1303 M.p = Mp;
1304 memset(Mp, 0, sizeof(Mp));
1305 memcpy(Mp, N->p + P448_WIDTH, M.n * sizeof(mbedtls_mpi_uint));
1306
1307 /* N = A0 */
1308 for (i = P448_WIDTH; i < N->n; i++) {
1309 N->p[i] = 0;
1310 }
1311
1312 /* N += A1 */
1313 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
1314
1315 /* Q = B1, N += B1 */
1316 Q = M;
1317 Q.p = Qp;
1318 memcpy(Qp, Mp, sizeof(Qp));
1319 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Q, 224));
1320 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &Q));
1321
1322 /* M = (B0 + B1) * 2^224, N += M */
1323 if (sizeof(mbedtls_mpi_uint) > 4) {
1324 Mp[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS);
1325 }
1326 for (i = P224_WIDTH_MAX; i < M.n; ++i) {
1327 Mp[i] = 0;
1328 }
1329 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&M, &M, &Q));
1330 M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
1331 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&M, 224));
1332 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
1333
1334 cleanup:
1335 return ret;
1336 }
1337 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
1338
1339 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
1340 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
1341 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
1342 /*
1343 * Fast quasi-reduction modulo P = 2^s - R,
1344 * with R about 33 bits, used by the Koblitz curves.
1345 *
1346 * Write N as A0 + 2^224 A1, return A0 + R * A1.
1347 * Actually do two passes, since R is big.
1348 */
1349 #define P_KOBLITZ_MAX (256 / 8 / sizeof(mbedtls_mpi_uint)) // Max limbs in P
1350 #define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R
ecp_mod_koblitz(mbedtls_mpi * N,mbedtls_mpi_uint * Rp,size_t p_limbs,size_t adjust,size_t shift,mbedtls_mpi_uint mask)1351 static inline int ecp_mod_koblitz(mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
1352 size_t adjust, size_t shift, mbedtls_mpi_uint mask)
1353 {
1354 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1355 size_t i;
1356 mbedtls_mpi M, R;
1357 mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
1358
1359 if (N->n < p_limbs) {
1360 return 0;
1361 }
1362
1363 /* Init R */
1364 R.s = 1;
1365 R.p = Rp;
1366 R.n = P_KOBLITZ_R;
1367
1368 /* Common setup for M */
1369 M.s = 1;
1370 M.p = Mp;
1371
1372 /* M = A1 */
1373 M.n = N->n - (p_limbs - adjust);
1374 if (M.n > p_limbs + adjust) {
1375 M.n = p_limbs + adjust;
1376 }
1377 memset(Mp, 0, sizeof(Mp));
1378 memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
1379 if (shift != 0) {
1380 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
1381 }
1382 M.n += R.n; /* Make room for multiplication by R */
1383
1384 /* N = A0 */
1385 if (mask != 0) {
1386 N->p[p_limbs - 1] &= mask;
1387 }
1388 for (i = p_limbs; i < N->n; i++) {
1389 N->p[i] = 0;
1390 }
1391
1392 /* N = A0 + R * A1 */
1393 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R));
1394 MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
1395
1396 /* Second pass */
1397
1398 /* M = A1 */
1399 M.n = N->n - (p_limbs - adjust);
1400 if (M.n > p_limbs + adjust) {
1401 M.n = p_limbs + adjust;
1402 }
1403 memset(Mp, 0, sizeof(Mp));
1404 memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
1405 if (shift != 0) {
1406 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
1407 }
1408 M.n += R.n; /* Make room for multiplication by R */
1409
1410 /* N = A0 */
1411 if (mask != 0) {
1412 N->p[p_limbs - 1] &= mask;
1413 }
1414 for (i = p_limbs; i < N->n; i++) {
1415 N->p[i] = 0;
1416 }
1417
1418 /* N = A0 + R * A1 */
1419 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R));
1420 MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
1421
1422 cleanup:
1423 return ret;
1424 }
1425 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
1426 MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
1427 MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
1428
1429 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
1430 /*
1431 * Fast quasi-reduction modulo p192k1 = 2^192 - R,
1432 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
1433 */
ecp_mod_p192k1(mbedtls_mpi * N)1434 static int ecp_mod_p192k1(mbedtls_mpi *N)
1435 {
1436 static mbedtls_mpi_uint Rp[] = {
1437 MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00,
1438 0x00)
1439 };
1440
1441 return ecp_mod_koblitz(N, Rp, 192 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
1442 0);
1443 }
1444 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
1445
1446 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
1447 /*
1448 * Fast quasi-reduction modulo p224k1 = 2^224 - R,
1449 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
1450 */
ecp_mod_p224k1(mbedtls_mpi * N)1451 static int ecp_mod_p224k1(mbedtls_mpi *N)
1452 {
1453 static mbedtls_mpi_uint Rp[] = {
1454 MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00,
1455 0x00)
1456 };
1457
1458 #if defined(MBEDTLS_HAVE_INT64)
1459 return ecp_mod_koblitz(N, Rp, 4, 1, 32, 0xFFFFFFFF);
1460 #else
1461 return ecp_mod_koblitz(N, Rp, 224 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
1462 0);
1463 #endif
1464 }
1465
1466 #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
1467
1468 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
1469 /*
1470 * Fast quasi-reduction modulo p256k1 = 2^256 - R,
1471 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
1472 */
ecp_mod_p256k1(mbedtls_mpi * N)1473 static int ecp_mod_p256k1(mbedtls_mpi *N)
1474 {
1475 static mbedtls_mpi_uint Rp[] = {
1476 MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00,
1477 0x00)
1478 };
1479 return ecp_mod_koblitz(N, Rp, 256 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
1480 0);
1481 }
1482 #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
1483
1484 #endif /* !MBEDTLS_ECP_ALT */
1485
1486 #endif /* MBEDTLS_ECP_C */
1487