TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 039e02df2716a0ed886b56e1e07b7ac1d8597228 / . / lib / libmbedtls / mbedtls / library / ecp_curves.c
blob: ea43e1f249611c71a936a6e2b343e404274e8fdf [file] [log] [blame]
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1/*
2 * Elliptic curves over GF(p): curve-specific data and functions
3 *
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]18 */
19
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]20#include "common.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]21
22#if defined(MBEDTLS_ECP_C)
23
24#include "mbedtls/ecp.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]25#include "mbedtls/platform_util.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]26#include "mbedtls/error.h"
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]27#include "mbedtls/bn_mul.h"
28
29#include "ecp_invasive.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]30
31#include <string.h>
32
33#if !defined(MBEDTLS_ECP_ALT)
34
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]35/* Parameter validation macros based on platform_util.h */
36#define ECP_VALIDATE_RET( cond ) \
37 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
38#define ECP_VALIDATE( cond ) \
39 MBEDTLS_INTERNAL_VALIDATE( cond )
40
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]41#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
42 !defined(inline) && !defined(__cplusplus)
43#define inline __inline
44#endif
45
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]46#define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)}
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]47
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]48#define ECP_MPI_INIT_ARRAY(x) \
49 ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]50
51/*
52 * Note: the constants are in little-endian order
53 * to be directly usable in MPIs
54 */
55
56/*
57 * Domain parameters for secp192r1
58 */
59#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
60static const mbedtls_mpi_uint secp192r1_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]61 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
62 MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
63 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]64};
65static const mbedtls_mpi_uint secp192r1_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]66 MBEDTLS_BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
67 MBEDTLS_BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
68 MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]69};
70static const mbedtls_mpi_uint secp192r1_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]71 MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
72 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
73 MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]74};
75static const mbedtls_mpi_uint secp192r1_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]76 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
77 MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
78 MBEDTLS_BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]79};
80static const mbedtls_mpi_uint secp192r1_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]81 MBEDTLS_BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
82 MBEDTLS_BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
83 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]84};
85#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
86
87/*
88 * Domain parameters for secp224r1
89 */
90#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
91static const mbedtls_mpi_uint secp224r1_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]92 MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
93 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
94 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
95 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]96};
97static const mbedtls_mpi_uint secp224r1_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]98 MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
99 MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
100 MBEDTLS_BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
101 MBEDTLS_BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]102};
103static const mbedtls_mpi_uint secp224r1_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]104 MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
105 MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
106 MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
107 MBEDTLS_BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]108};
109static const mbedtls_mpi_uint secp224r1_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]110 MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
111 MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
112 MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
113 MBEDTLS_BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]114};
115static const mbedtls_mpi_uint secp224r1_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]116 MBEDTLS_BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
117 MBEDTLS_BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
118 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
119 MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]120};
121#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
122
123/*
124 * Domain parameters for secp256r1
125 */
126#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
127static const mbedtls_mpi_uint secp256r1_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]128 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
129 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
130 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
131 MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]132};
133static const mbedtls_mpi_uint secp256r1_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]134 MBEDTLS_BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
135 MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
136 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
137 MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]138};
139static const mbedtls_mpi_uint secp256r1_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]140 MBEDTLS_BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
141 MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
142 MBEDTLS_BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
143 MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]144};
145static const mbedtls_mpi_uint secp256r1_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]146 MBEDTLS_BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
147 MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
148 MBEDTLS_BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
149 MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]150};
151static const mbedtls_mpi_uint secp256r1_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]152 MBEDTLS_BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
153 MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
154 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
155 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]156};
157#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
158
159/*
160 * Domain parameters for secp384r1
161 */
162#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
163static const mbedtls_mpi_uint secp384r1_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]164 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
165 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
166 MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
167 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
168 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
169 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]170};
171static const mbedtls_mpi_uint secp384r1_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]172 MBEDTLS_BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
173 MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
174 MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
175 MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
176 MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
177 MBEDTLS_BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]178};
179static const mbedtls_mpi_uint secp384r1_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]180 MBEDTLS_BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
181 MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
182 MBEDTLS_BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
183 MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
184 MBEDTLS_BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
185 MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]186};
187static const mbedtls_mpi_uint secp384r1_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]188 MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
189 MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
190 MBEDTLS_BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
191 MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
192 MBEDTLS_BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
193 MBEDTLS_BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]194};
195static const mbedtls_mpi_uint secp384r1_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]196 MBEDTLS_BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
197 MBEDTLS_BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
198 MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
199 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
200 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
201 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]202};
203#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
204
205/*
206 * Domain parameters for secp521r1
207 */
208#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
209static const mbedtls_mpi_uint secp521r1_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]210 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
211 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
212 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
213 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
214 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
215 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
216 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
217 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
218 MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]219};
220static const mbedtls_mpi_uint secp521r1_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]221 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
222 MBEDTLS_BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
223 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
224 MBEDTLS_BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
225 MBEDTLS_BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
226 MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
227 MBEDTLS_BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
228 MBEDTLS_BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
229 MBEDTLS_BYTES_TO_T_UINT_2( 0x51, 0x00 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]230};
231static const mbedtls_mpi_uint secp521r1_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]232 MBEDTLS_BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
233 MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
234 MBEDTLS_BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
235 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
236 MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
237 MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
238 MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
239 MBEDTLS_BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
240 MBEDTLS_BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]241};
242static const mbedtls_mpi_uint secp521r1_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]243 MBEDTLS_BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
244 MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
245 MBEDTLS_BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
246 MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
247 MBEDTLS_BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
248 MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
249 MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
250 MBEDTLS_BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
251 MBEDTLS_BYTES_TO_T_UINT_2( 0x18, 0x01 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]252};
253static const mbedtls_mpi_uint secp521r1_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]254 MBEDTLS_BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
255 MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
256 MBEDTLS_BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
257 MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
258 MBEDTLS_BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
259 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
260 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
261 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
262 MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]263};
264#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
265
266#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
267static const mbedtls_mpi_uint secp192k1_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]268 MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
269 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
270 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]271};
272static const mbedtls_mpi_uint secp192k1_a[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]273 MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]274};
275static const mbedtls_mpi_uint secp192k1_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]276 MBEDTLS_BYTES_TO_T_UINT_2( 0x03, 0x00 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]277};
278static const mbedtls_mpi_uint secp192k1_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]279 MBEDTLS_BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
280 MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
281 MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]282};
283static const mbedtls_mpi_uint secp192k1_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]284 MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
285 MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
286 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]287};
288static const mbedtls_mpi_uint secp192k1_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]289 MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
290 MBEDTLS_BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
291 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]292};
293#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
294
295#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
296static const mbedtls_mpi_uint secp224k1_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]297 MBEDTLS_BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
298 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
299 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
300 MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]301};
302static const mbedtls_mpi_uint secp224k1_a[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]303 MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]304};
305static const mbedtls_mpi_uint secp224k1_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]306 MBEDTLS_BYTES_TO_T_UINT_2( 0x05, 0x00 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]307};
308static const mbedtls_mpi_uint secp224k1_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]309 MBEDTLS_BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
310 MBEDTLS_BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
311 MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
312 MBEDTLS_BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]313};
314static const mbedtls_mpi_uint secp224k1_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]315 MBEDTLS_BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
316 MBEDTLS_BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
317 MBEDTLS_BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
318 MBEDTLS_BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]319};
320static const mbedtls_mpi_uint secp224k1_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]321 MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
322 MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
323 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
324 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]325};
326#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
327
328#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
329static const mbedtls_mpi_uint secp256k1_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]330 MBEDTLS_BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
331 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
332 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
333 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]334};
335static const mbedtls_mpi_uint secp256k1_a[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]336 MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]337};
338static const mbedtls_mpi_uint secp256k1_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]339 MBEDTLS_BYTES_TO_T_UINT_2( 0x07, 0x00 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]340};
341static const mbedtls_mpi_uint secp256k1_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]342 MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
343 MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
344 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
345 MBEDTLS_BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]346};
347static const mbedtls_mpi_uint secp256k1_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]348 MBEDTLS_BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
349 MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
350 MBEDTLS_BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
351 MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]352};
353static const mbedtls_mpi_uint secp256k1_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]354 MBEDTLS_BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
355 MBEDTLS_BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
356 MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
357 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]358};
359#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
360
361/*
362 * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
363 */
364#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
365static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]366 MBEDTLS_BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
367 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
368 MBEDTLS_BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
369 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]370};
371static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]372 MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
373 MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
374 MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
375 MBEDTLS_BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]376};
377static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]378 MBEDTLS_BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
379 MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
380 MBEDTLS_BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
381 MBEDTLS_BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]382};
383static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]384 MBEDTLS_BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
385 MBEDTLS_BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
386 MBEDTLS_BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
387 MBEDTLS_BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]388};
389static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]390 MBEDTLS_BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
391 MBEDTLS_BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
392 MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
393 MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]394};
395static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]396 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
397 MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
398 MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
399 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]400};
401#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
402
403/*
404 * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
405 */
406#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
407static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]408 MBEDTLS_BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
409 MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
410 MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
411 MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
412 MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
413 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]414};
415static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]416 MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
417 MBEDTLS_BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
418 MBEDTLS_BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
419 MBEDTLS_BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
420 MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
421 MBEDTLS_BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]422};
423static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]424 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
425 MBEDTLS_BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
426 MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
427 MBEDTLS_BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
428 MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
429 MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]430};
431static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]432 MBEDTLS_BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
433 MBEDTLS_BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
434 MBEDTLS_BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
435 MBEDTLS_BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
436 MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
437 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]438};
439static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]440 MBEDTLS_BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
441 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
442 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
443 MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
444 MBEDTLS_BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
445 MBEDTLS_BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]446};
447static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]448 MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
449 MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
450 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
451 MBEDTLS_BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
452 MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
453 MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]454};
455#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
456
457/*
458 * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
459 */
460#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
461static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]462 MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
463 MBEDTLS_BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
464 MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
465 MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
466 MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
467 MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
468 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
469 MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]470};
471static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]472 MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
473 MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
474 MBEDTLS_BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
475 MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
476 MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
477 MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
478 MBEDTLS_BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
479 MBEDTLS_BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]480};
481static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]482 MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
483 MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
484 MBEDTLS_BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
485 MBEDTLS_BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
486 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
487 MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
488 MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
489 MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]490};
491static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]492 MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
493 MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
494 MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
495 MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
496 MBEDTLS_BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
497 MBEDTLS_BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
498 MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
499 MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]500};
501static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]502 MBEDTLS_BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
503 MBEDTLS_BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
504 MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
505 MBEDTLS_BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
506 MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
507 MBEDTLS_BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
508 MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
509 MBEDTLS_BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]510};
511static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]512 MBEDTLS_BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
513 MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
514 MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
515 MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
516 MBEDTLS_BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
517 MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
518 MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
519 MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]520};
521#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
522
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]523#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
524 defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
525 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
526 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
527 defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
528 defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
529 defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
530 defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
531 defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
532 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
533 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
534/* For these curves, we build the group parameters dynamically. */
535#define ECP_LOAD_GROUP
536#endif
537
538#if defined(ECP_LOAD_GROUP)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]539/*
Jerome Forissier9fc24422021-01-22 16:30:41 +0100[diff] [blame]540 * Domain parameters for SM2 (GM/T 0003 Part 5)
541 */
542#if defined(MBEDTLS_ECP_DP_SM2_ENABLED)
543static const mbedtls_mpi_uint sm2_p[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]544 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
545 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
546 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
547 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
Jerome Forissier9fc24422021-01-22 16:30:41 +0100[diff] [blame]548};
549static const mbedtls_mpi_uint sm2_a[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]550 MBEDTLS_BYTES_TO_T_UINT_8( 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
551 MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
552 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
553 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
Jerome Forissier9fc24422021-01-22 16:30:41 +0100[diff] [blame]554};
555static const mbedtls_mpi_uint sm2_b[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]556 MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x0E, 0x94, 0x4D, 0x41, 0xBD, 0xBC, 0xDD ),
557 MBEDTLS_BYTES_TO_T_UINT_8( 0x92, 0x8F, 0xAB, 0x15, 0xF5, 0x89, 0x97, 0xF3 ),
558 MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x09, 0x65, 0xCF, 0x4B, 0x9E, 0x5A, 0x4D ),
559 MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x5E, 0x9F, 0x9D, 0x9E, 0xFA, 0xE9, 0x28 ),
Jerome Forissier9fc24422021-01-22 16:30:41 +0100[diff] [blame]560};
561static const mbedtls_mpi_uint sm2_gx[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]562 MBEDTLS_BYTES_TO_T_UINT_8( 0xC7, 0x74, 0x4C, 0x33, 0x89, 0x45, 0x5A, 0x71 ),
563 MBEDTLS_BYTES_TO_T_UINT_8( 0xE1, 0x0B, 0x66, 0xF2, 0xBF, 0x0B, 0xE3, 0x8F ),
564 MBEDTLS_BYTES_TO_T_UINT_8( 0x94, 0xC9, 0x39, 0x6A, 0x46, 0x04, 0x99, 0x5F ),
565 MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x81, 0x19, 0x1F, 0x2C, 0xAE, 0xC4, 0x32 ),
Jerome Forissier9fc24422021-01-22 16:30:41 +0100[diff] [blame]566};
567static const mbedtls_mpi_uint sm2_gy[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]568 MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0xF0, 0x39, 0x21, 0xE5, 0x32, 0xDF, 0x02 ),
569 MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0x47, 0x2A, 0xC6, 0x7C, 0x87, 0xA9, 0xD0 ),
570 MBEDTLS_BYTES_TO_T_UINT_8( 0x53, 0x21, 0x69, 0x6B, 0xE3, 0xCE, 0xBD, 0x59 ),
571 MBEDTLS_BYTES_TO_T_UINT_8( 0x9C, 0x77, 0xF6, 0xF4, 0xA2, 0x36, 0x37, 0xBC ),
Jerome Forissier9fc24422021-01-22 16:30:41 +0100[diff] [blame]572};
573static const mbedtls_mpi_uint sm2_n[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]574 MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0x41, 0xD5, 0x39, 0x09, 0xF4, 0xBB, 0x53 ),
575 MBEDTLS_BYTES_TO_T_UINT_8( 0x2B, 0x05, 0xC6, 0x21, 0x6B, 0xDF, 0x03, 0x72 ),
576 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
577 MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
Jerome Forissier9fc24422021-01-22 16:30:41 +0100[diff] [blame]578};
579#endif /* MBEDTLS_ECP_DP_SM2_ENABLED */
580/*
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]581 * Create an MPI from embedded constants
582 * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
583 */
584static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len )
585{
586 X->s = 1;
587 X->n = len / sizeof( mbedtls_mpi_uint );
588 X->p = (mbedtls_mpi_uint *) p;
589}
590
591/*
592 * Set an MPI to static value 1
593 */
594static inline void ecp_mpi_set1( mbedtls_mpi *X )
595{
596 static mbedtls_mpi_uint one[] = { 1 };
597 X->s = 1;
598 X->n = 1;
599 X->p = one;
600}
601
602/*
603 * Make group available from embedded constants
604 */
605static int ecp_group_load( mbedtls_ecp_group *grp,
606 const mbedtls_mpi_uint *p, size_t plen,
607 const mbedtls_mpi_uint *a, size_t alen,
608 const mbedtls_mpi_uint *b, size_t blen,
609 const mbedtls_mpi_uint *gx, size_t gxlen,
610 const mbedtls_mpi_uint *gy, size_t gylen,
611 const mbedtls_mpi_uint *n, size_t nlen)
612{
613 ecp_mpi_load( &grp->P, p, plen );
614 if( a != NULL )
615 ecp_mpi_load( &grp->A, a, alen );
616 ecp_mpi_load( &grp->B, b, blen );
617 ecp_mpi_load( &grp->N, n, nlen );
618
619 ecp_mpi_load( &grp->G.X, gx, gxlen );
620 ecp_mpi_load( &grp->G.Y, gy, gylen );
621 ecp_mpi_set1( &grp->G.Z );
622
623 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
624 grp->nbits = mbedtls_mpi_bitlen( &grp->N );
625
626 grp->h = 1;
627
628 return( 0 );
629}
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]630#endif /* ECP_LOAD_GROUP */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]631
632#if defined(MBEDTLS_ECP_NIST_OPTIM)
633/* Forward declarations */
634#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
635static int ecp_mod_p192( mbedtls_mpi * );
636#endif
637#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
638static int ecp_mod_p224( mbedtls_mpi * );
639#endif
640#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
641static int ecp_mod_p256( mbedtls_mpi * );
642#endif
643#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
644static int ecp_mod_p384( mbedtls_mpi * );
645#endif
646#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
647static int ecp_mod_p521( mbedtls_mpi * );
648#endif
649
650#define NIST_MODP( P ) grp->modp = ecp_mod_ ## P;
651#else
652#define NIST_MODP( P )
653#endif /* MBEDTLS_ECP_NIST_OPTIM */
654
655/* Additional forward declarations */
656#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
657static int ecp_mod_p255( mbedtls_mpi * );
658#endif
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]659#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
660static int ecp_mod_p448( mbedtls_mpi * );
661#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]662#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
663static int ecp_mod_p192k1( mbedtls_mpi * );
664#endif
665#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
666static int ecp_mod_p224k1( mbedtls_mpi * );
667#endif
668#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
669static int ecp_mod_p256k1( mbedtls_mpi * );
670#endif
671
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]672#if defined(ECP_LOAD_GROUP)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]673#define LOAD_GROUP_A( G ) ecp_group_load( grp, \
674 G ## _p, sizeof( G ## _p ), \
675 G ## _a, sizeof( G ## _a ), \
676 G ## _b, sizeof( G ## _b ), \
677 G ## _gx, sizeof( G ## _gx ), \
678 G ## _gy, sizeof( G ## _gy ), \
679 G ## _n, sizeof( G ## _n ) )
680
681#define LOAD_GROUP( G ) ecp_group_load( grp, \
682 G ## _p, sizeof( G ## _p ), \
683 NULL, 0, \
684 G ## _b, sizeof( G ## _b ), \
685 G ## _gx, sizeof( G ## _gx ), \
686 G ## _gy, sizeof( G ## _gy ), \
687 G ## _n, sizeof( G ## _n ) )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]688#endif /* ECP_LOAD_GROUP */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]689
690#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]691/* Constants used by ecp_use_curve25519() */
692static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
693static const unsigned char curve25519_part_of_n[] = {
694 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
695 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED,
696};
697
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]698/*
699 * Specialized function for creating the Curve25519 group
700 */
701static int ecp_use_curve25519( mbedtls_ecp_group *grp )
702{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]703 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]704
705 /* Actually ( A + 2 ) / 4 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]706 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve25519_a24 ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]707
708 /* P = 2^255 - 19 */
709 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
710 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 255 ) );
711 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) );
712 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
713
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]714 /* N = 2^252 + 27742317777372353535851937790883648493 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]715 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &grp->N,
716 curve25519_part_of_n, sizeof( curve25519_part_of_n ) ) );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]717 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) );
718
719 /* Y intentionally not set, since we use x/z coordinates.
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]720 * This is used as a marker to identify Montgomery curves! */
721 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) );
722 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
723 mbedtls_mpi_free( &grp->G.Y );
724
725 /* Actually, the required msb for private keys */
726 grp->nbits = 254;
727
728cleanup:
729 if( ret != 0 )
730 mbedtls_ecp_group_free( grp );
731
732 return( ret );
733}
734#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
735
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]736#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]737/* Constants used by ecp_use_curve448() */
738static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
739static const unsigned char curve448_part_of_n[] = {
740 0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24,
741 0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93,
742 0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC,
743 0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D,
744};
745
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]746/*
747 * Specialized function for creating the Curve448 group
748 */
749static int ecp_use_curve448( mbedtls_ecp_group *grp )
750{
751 mbedtls_mpi Ns;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]752 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]753
754 mbedtls_mpi_init( &Ns );
755
756 /* Actually ( A + 2 ) / 4 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]757 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve448_a24 ) );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]758
759 /* P = 2^448 - 2^224 - 1 */
760 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
761 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
762 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
763 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
764 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
765 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
766
767 /* Y intentionally not set, since we use x/z coordinates.
768 * This is used as a marker to identify Montgomery curves! */
769 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 5 ) );
770 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
771 mbedtls_mpi_free( &grp->G.Y );
772
773 /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
774 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]775 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &Ns,
776 curve448_part_of_n, sizeof( curve448_part_of_n ) ) );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]777 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) );
778
779 /* Actually, the required msb for private keys */
780 grp->nbits = 447;
781
782cleanup:
783 mbedtls_mpi_free( &Ns );
784 if( ret != 0 )
785 mbedtls_ecp_group_free( grp );
786
787 return( ret );
788}
789#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
790
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]791/*
792 * Set a group using well-known domain parameters
793 */
794int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
795{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]796 ECP_VALIDATE_RET( grp != NULL );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]797 mbedtls_ecp_group_free( grp );
798
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame^]799 mbedtls_ecp_group_init( grp );
800
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]801 grp->id = id;
802
803 switch( id )
804 {
805#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
806 case MBEDTLS_ECP_DP_SECP192R1:
807 NIST_MODP( p192 );
808 return( LOAD_GROUP( secp192r1 ) );
809#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
810
811#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
812 case MBEDTLS_ECP_DP_SECP224R1:
813 NIST_MODP( p224 );
814 return( LOAD_GROUP( secp224r1 ) );
815#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
816
817#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
818 case MBEDTLS_ECP_DP_SECP256R1:
819 NIST_MODP( p256 );
820 return( LOAD_GROUP( secp256r1 ) );
821#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
822
823#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
824 case MBEDTLS_ECP_DP_SECP384R1:
825 NIST_MODP( p384 );
826 return( LOAD_GROUP( secp384r1 ) );
827#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
828
829#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
830 case MBEDTLS_ECP_DP_SECP521R1:
831 NIST_MODP( p521 );
832 return( LOAD_GROUP( secp521r1 ) );
833#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
834
835#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
836 case MBEDTLS_ECP_DP_SECP192K1:
837 grp->modp = ecp_mod_p192k1;
838 return( LOAD_GROUP_A( secp192k1 ) );
839#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
840
841#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
842 case MBEDTLS_ECP_DP_SECP224K1:
843 grp->modp = ecp_mod_p224k1;
844 return( LOAD_GROUP_A( secp224k1 ) );
845#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
846
847#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
848 case MBEDTLS_ECP_DP_SECP256K1:
849 grp->modp = ecp_mod_p256k1;
850 return( LOAD_GROUP_A( secp256k1 ) );
851#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
852
853#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
854 case MBEDTLS_ECP_DP_BP256R1:
855 return( LOAD_GROUP_A( brainpoolP256r1 ) );
856#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
857
858#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
859 case MBEDTLS_ECP_DP_BP384R1:
860 return( LOAD_GROUP_A( brainpoolP384r1 ) );
861#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
862
Jerome Forissier9fc24422021-01-22 16:30:41 +0100[diff] [blame]863#if defined(MBEDTLS_ECP_DP_SM2_ENABLED)
864 case MBEDTLS_ECP_DP_SM2:
865 return( LOAD_GROUP_A( sm2 ) );
866#endif /* MBEDTLS_ECP_DP_SM2_ENABLED */
867
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]868#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
869 case MBEDTLS_ECP_DP_BP512R1:
870 return( LOAD_GROUP_A( brainpoolP512r1 ) );
871#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
872
873#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
874 case MBEDTLS_ECP_DP_CURVE25519:
875 grp->modp = ecp_mod_p255;
876 return( ecp_use_curve25519( grp ) );
877#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
878
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]879#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
880 case MBEDTLS_ECP_DP_CURVE448:
881 grp->modp = ecp_mod_p448;
882 return( ecp_use_curve448( grp ) );
883#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
884
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]885 default:
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]886 grp->id = MBEDTLS_ECP_DP_NONE;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]887 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
888 }
889}
890
891#if defined(MBEDTLS_ECP_NIST_OPTIM)
892/*
893 * Fast reduction modulo the primes used by the NIST curves.
894 *
895 * These functions are critical for speed, but not needed for correct
896 * operations. So, we make the choice to heavily rely on the internals of our
897 * bignum library, which creates a tight coupling between these functions and
898 * our MPI implementation. However, the coupling between the ECP module and
899 * MPI remains loose, since these functions can be deactivated at will.
900 */
901
902#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
903/*
904 * Compared to the way things are presented in FIPS 186-3 D.2,
905 * we proceed in columns, from right (least significant chunk) to left,
906 * adding chunks to N in place, and keeping a carry for the next chunk.
907 * This avoids moving things around in memory, and uselessly adding zeros,
908 * compared to the more straightforward, line-oriented approach.
909 *
910 * For this prime we need to handle data in chunks of 64 bits.
911 * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
912 * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
913 */
914
915/* Add 64-bit chunks (dst += src) and update carry */
916static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry )
917{
918 unsigned char i;
919 mbedtls_mpi_uint c = 0;
920 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ )
921 {
922 *dst += c; c = ( *dst < c );
923 *dst += *src; c += ( *dst < *src );
924 }
925 *carry += c;
926}
927
928/* Add carry to a 64-bit chunk and update carry */
929static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry )
930{
931 unsigned char i;
932 for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ )
933 {
934 *dst += *carry;
935 *carry = ( *dst < *carry );
936 }
937}
938
939#define WIDTH 8 / sizeof( mbedtls_mpi_uint )
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]940#define A( i ) N->p + (i) * WIDTH
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]941#define ADD( i ) add64( p, A( i ), &c )
942#define NEXT p += WIDTH; carry64( p, &c )
943#define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0
944
945/*
946 * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
947 */
948static int ecp_mod_p192( mbedtls_mpi *N )
949{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]950 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]951 mbedtls_mpi_uint c = 0;
952 mbedtls_mpi_uint *p, *end;
953
954 /* Make sure we have enough blocks so that A(5) is legal */
955 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) );
956
957 p = N->p;
958 end = p + N->n;
959
960 ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5
961 ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5
962 ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5
963
964cleanup:
965 return( ret );
966}
967
968#undef WIDTH
969#undef A
970#undef ADD
971#undef NEXT
972#undef LAST
973#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
974
975#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
976 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
977 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
978/*
979 * The reader is advised to first understand ecp_mod_p192() since the same
980 * general structure is used here, but with additional complications:
981 * (1) chunks of 32 bits, and (2) subtractions.
982 */
983
984/*
985 * For these primes, we need to handle data in chunks of 32 bits.
986 * This makes it more complicated if we use 64 bits limbs in MPI,
987 * which prevents us from using a uniform access method as for p192.
988 *
989 * So, we define a mini abstraction layer to access 32 bit chunks,
990 * load them in 'cur' for work, and store them back from 'cur' when done.
991 *
992 * While at it, also define the size of N in terms of 32-bit chunks.
993 */
994#define LOAD32 cur = A( i );
995
996#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
997
998#define MAX32 N->n
999#define A( j ) N->p[j]
1000#define STORE32 N->p[i] = cur;
1001
1002#else /* 64-bit */
1003
1004#define MAX32 N->n * 2
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]1005#define A( j ) (j) % 2 ? (uint32_t)( N->p[(j)/2] >> 32 ) : \
1006 (uint32_t)( N->p[(j)/2] )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1007#define STORE32 \
1008 if( i % 2 ) { \
1009 N->p[i/2] &= 0x00000000FFFFFFFF; \
1010 N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \
1011 } else { \
1012 N->p[i/2] &= 0xFFFFFFFF00000000; \
1013 N->p[i/2] |= (mbedtls_mpi_uint) cur; \
1014 }
1015
1016#endif /* sizeof( mbedtls_mpi_uint ) */
1017
1018/*
1019 * Helpers for addition and subtraction of chunks, with signed carry.
1020 */
1021static inline void add32( uint32_t *dst, uint32_t src, signed char *carry )
1022{
1023 *dst += src;
1024 *carry += ( *dst < src );
1025}
1026
1027static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
1028{
1029 *carry -= ( *dst < src );
1030 *dst -= src;
1031}
1032
1033#define ADD( j ) add32( &cur, A( j ), &c );
1034#define SUB( j ) sub32( &cur, A( j ), &c );
1035
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1036#define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */
1037#define biL (ciL << 3) /* bits in limb */
1038
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1039/*
1040 * Helpers for the main 'loop'
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1041 */
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]1042#define INIT( b ) \
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1043 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; \
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]1044 signed char c = 0, cc; \
1045 uint32_t cur; \
1046 size_t i = 0, bits = (b); \
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1047 /* N is the size of the product of two b-bit numbers, plus one */ \
1048 /* limb for fix_negative */ \
1049 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, ( b ) * 2 / biL + 1 ) ); \
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1050 LOAD32;
1051
1052#define NEXT \
1053 STORE32; i++; LOAD32; \
1054 cc = c; c = 0; \
1055 if( cc < 0 ) \
1056 sub32( &cur, -cc, &c ); \
1057 else \
1058 add32( &cur, cc, &c ); \
1059
1060#define LAST \
1061 STORE32; i++; \
1062 cur = c > 0 ? c : 0; STORE32; \
1063 cur = 0; while( ++i < MAX32 ) { STORE32; } \
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1064 if( c < 0 ) mbedtls_ecp_fix_negative( N, c, bits );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1065
1066/*
1067 * If the result is negative, we get it in the form
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1068 * c * 2^bits + N, with c negative and N positive shorter than 'bits'
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1069 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1070MBEDTLS_STATIC_TESTABLE
1071void mbedtls_ecp_fix_negative( mbedtls_mpi *N, signed char c, size_t bits )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1072{
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1073 size_t i;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1074
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1075 /* Set N := 2^bits - 1 - N. We know that 0 <= N < 2^bits, so
1076 * set the absolute value to 0xfff...fff - N. There is no carry
1077 * since we're subtracting from all-bits-one. */
1078 for( i = 0; i <= bits / 8 / sizeof( mbedtls_mpi_uint ); i++ )
1079 {
1080 N->p[i] = ~(mbedtls_mpi_uint)0 - N->p[i];
1081 }
1082 /* Add 1, taking care of the carry. */
1083 i = 0;
1084 do
1085 ++N->p[i];
1086 while( N->p[i++] == 0 && i <= bits / 8 / sizeof( mbedtls_mpi_uint ) );
1087 /* Invert the sign.
1088 * Now N = N0 - 2^bits where N0 is the initial value of N. */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1089 N->s = -1;
1090
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1091 /* Add |c| * 2^bits to the absolute value. Since c and N are
1092 * negative, this adds c * 2^bits. */
1093 mbedtls_mpi_uint msw = (mbedtls_mpi_uint) -c;
1094#if defined(MBEDTLS_HAVE_INT64)
1095 if( bits == 224 )
1096 msw <<= 32;
1097#endif
1098 N->p[bits / 8 / sizeof( mbedtls_mpi_uint)] += msw;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1099}
1100
1101#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
1102/*
1103 * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
1104 */
1105static int ecp_mod_p224( mbedtls_mpi *N )
1106{
1107 INIT( 224 );
1108
1109 SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11
1110 SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12
1111 SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13
1112 SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11
1113 SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12
1114 SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13
1115 SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10
1116
1117cleanup:
1118 return( ret );
1119}
1120#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
1121
1122#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
1123/*
1124 * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
1125 */
1126static int ecp_mod_p256( mbedtls_mpi *N )
1127{
1128 INIT( 256 );
1129
1130 ADD( 8 ); ADD( 9 );
1131 SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0
1132
1133 ADD( 9 ); ADD( 10 );
1134 SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1
1135
1136 ADD( 10 ); ADD( 11 );
1137 SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2
1138
1139 ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
1140 SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3
1141
1142 ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
1143 SUB( 9 ); SUB( 10 ); NEXT; // A4
1144
1145 ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
1146 SUB( 10 ); SUB( 11 ); NEXT; // A5
1147
1148 ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
1149 SUB( 8 ); SUB( 9 ); NEXT; // A6
1150
1151 ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
1152 SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7
1153
1154cleanup:
1155 return( ret );
1156}
1157#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
1158
1159#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
1160/*
1161 * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
1162 */
1163static int ecp_mod_p384( mbedtls_mpi *N )
1164{
1165 INIT( 384 );
1166
1167 ADD( 12 ); ADD( 21 ); ADD( 20 );
1168 SUB( 23 ); NEXT; // A0
1169
1170 ADD( 13 ); ADD( 22 ); ADD( 23 );
1171 SUB( 12 ); SUB( 20 ); NEXT; // A2
1172
1173 ADD( 14 ); ADD( 23 );
1174 SUB( 13 ); SUB( 21 ); NEXT; // A2
1175
1176 ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
1177 SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3
1178
1179 ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
1180 SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4
1181
1182 ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
1183 SUB( 16 ); NEXT; // A5
1184
1185 ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
1186 SUB( 17 ); NEXT; // A6
1187
1188 ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
1189 SUB( 18 ); NEXT; // A7
1190
1191 ADD( 20 ); ADD( 17 ); ADD( 16 );
1192 SUB( 19 ); NEXT; // A8
1193
1194 ADD( 21 ); ADD( 18 ); ADD( 17 );
1195 SUB( 20 ); NEXT; // A9
1196
1197 ADD( 22 ); ADD( 19 ); ADD( 18 );
1198 SUB( 21 ); NEXT; // A10
1199
1200 ADD( 23 ); ADD( 20 ); ADD( 19 );
1201 SUB( 22 ); LAST; // A11
1202
1203cleanup:
1204 return( ret );
1205}
1206#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
1207
1208#undef A
1209#undef LOAD32
1210#undef STORE32
1211#undef MAX32
1212#undef INIT
1213#undef NEXT
1214#undef LAST
1215
1216#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
1217 MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
1218 MBEDTLS_ECP_DP_SECP384R1_ENABLED */
1219
1220#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
1221/*
1222 * Here we have an actual Mersenne prime, so things are more straightforward.
1223 * However, chunks are aligned on a 'weird' boundary (521 bits).
1224 */
1225
1226/* Size of p521 in terms of mbedtls_mpi_uint */
1227#define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
1228
1229/* Bits to keep in the most significant mbedtls_mpi_uint */
1230#define P521_MASK 0x01FF
1231
1232/*
1233 * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
1234 * Write N as A1 + 2^521 A0, return A0 + A1
1235 */
1236static int ecp_mod_p521( mbedtls_mpi *N )
1237{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1238 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1239 size_t i;
1240 mbedtls_mpi M;
1241 mbedtls_mpi_uint Mp[P521_WIDTH + 1];
1242 /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
1243 * we need to hold bits 513 to 1056, which is 34 limbs, that is
1244 * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
1245
1246 if( N->n < P521_WIDTH )
1247 return( 0 );
1248
1249 /* M = A1 */
1250 M.s = 1;
1251 M.n = N->n - ( P521_WIDTH - 1 );
1252 if( M.n > P521_WIDTH + 1 )
1253 M.n = P521_WIDTH + 1;
1254 M.p = Mp;
1255 memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
1256 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
1257
1258 /* N = A0 */
1259 N->p[P521_WIDTH - 1] &= P521_MASK;
1260 for( i = P521_WIDTH; i < N->n; i++ )
1261 N->p[i] = 0;
1262
1263 /* N = A0 + A1 */
1264 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1265
1266cleanup:
1267 return( ret );
1268}
1269
1270#undef P521_WIDTH
1271#undef P521_MASK
1272#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
1273
1274#endif /* MBEDTLS_ECP_NIST_OPTIM */
1275
1276#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
1277
1278/* Size of p255 in terms of mbedtls_mpi_uint */
1279#define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
1280
1281/*
1282 * Fast quasi-reduction modulo p255 = 2^255 - 19
1283 * Write N as A0 + 2^255 A1, return A0 + 19 * A1
1284 */
1285static int ecp_mod_p255( mbedtls_mpi *N )
1286{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1287 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1288 size_t i;
1289 mbedtls_mpi M;
1290 mbedtls_mpi_uint Mp[P255_WIDTH + 2];
1291
1292 if( N->n < P255_WIDTH )
1293 return( 0 );
1294
1295 /* M = A1 */
1296 M.s = 1;
1297 M.n = N->n - ( P255_WIDTH - 1 );
1298 if( M.n > P255_WIDTH + 1 )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1299 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1300 M.p = Mp;
1301 memset( Mp, 0, sizeof Mp );
1302 memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
1303 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
1304 M.n++; /* Make room for multiplication by 19 */
1305
1306 /* N = A0 */
1307 MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) );
1308 for( i = P255_WIDTH; i < N->n; i++ )
1309 N->p[i] = 0;
1310
1311 /* N = A0 + 19 * A1 */
1312 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) );
1313 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1314
1315cleanup:
1316 return( ret );
1317}
1318#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
1319
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1320#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
1321
1322/* Size of p448 in terms of mbedtls_mpi_uint */
1323#define P448_WIDTH ( 448 / 8 / sizeof( mbedtls_mpi_uint ) )
1324
1325/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
1326#define DIV_ROUND_UP( X, Y ) ( ( ( X ) + ( Y ) - 1 ) / ( Y ) )
1327#define P224_WIDTH_MIN ( 28 / sizeof( mbedtls_mpi_uint ) )
1328#define P224_WIDTH_MAX DIV_ROUND_UP( 28, sizeof( mbedtls_mpi_uint ) )
1329#define P224_UNUSED_BITS ( ( P224_WIDTH_MAX * sizeof( mbedtls_mpi_uint ) * 8 ) - 224 )
1330
1331/*
1332 * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
1333 * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
1334 * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
1335 * implementation of Curve448, which uses its own special 56-bit limbs rather
1336 * than a generic bignum library. We could squeeze some extra speed out on
1337 * 32-bit machines by splitting N up into 32-bit limbs and doing the
1338 * arithmetic using the limbs directly as we do for the NIST primes above,
1339 * but for 64-bit targets it should use half the number of operations if we do
1340 * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
1341 */
1342static int ecp_mod_p448( mbedtls_mpi *N )
1343{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1344 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1345 size_t i;
1346 mbedtls_mpi M, Q;
1347 mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
1348
1349 if( N->n <= P448_WIDTH )
1350 return( 0 );
1351
1352 /* M = A1 */
1353 M.s = 1;
1354 M.n = N->n - ( P448_WIDTH );
1355 if( M.n > P448_WIDTH )
1356 /* Shouldn't be called with N larger than 2^896! */
1357 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1358 M.p = Mp;
1359 memset( Mp, 0, sizeof( Mp ) );
1360 memcpy( Mp, N->p + P448_WIDTH, M.n * sizeof( mbedtls_mpi_uint ) );
1361
1362 /* N = A0 */
1363 for( i = P448_WIDTH; i < N->n; i++ )
1364 N->p[i] = 0;
1365
1366 /* N += A1 */
1367 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
1368
1369 /* Q = B1, N += B1 */
1370 Q = M;
1371 Q.p = Qp;
1372 memcpy( Qp, Mp, sizeof( Qp ) );
1373 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Q, 224 ) );
1374 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &Q ) );
1375
1376 /* M = (B0 + B1) * 2^224, N += M */
1377 if( sizeof( mbedtls_mpi_uint ) > 4 )
1378 Mp[P224_WIDTH_MIN] &= ( (mbedtls_mpi_uint)-1 ) >> ( P224_UNUSED_BITS );
1379 for( i = P224_WIDTH_MAX; i < M.n; ++i )
1380 Mp[i] = 0;
1381 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M, &M, &Q ) );
1382 M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
1383 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &M, 224 ) );
1384 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
1385
1386cleanup:
1387 return( ret );
1388}
1389#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
1390
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1391#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
1392 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
1393 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
1394/*
1395 * Fast quasi-reduction modulo P = 2^s - R,
1396 * with R about 33 bits, used by the Koblitz curves.
1397 *
1398 * Write N as A0 + 2^224 A1, return A0 + R * A1.
1399 * Actually do two passes, since R is big.
1400 */
1401#define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P
1402#define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R
1403static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
1404 size_t adjust, size_t shift, mbedtls_mpi_uint mask )
1405{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1406 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1407 size_t i;
1408 mbedtls_mpi M, R;
1409 mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
1410
1411 if( N->n < p_limbs )
1412 return( 0 );
1413
1414 /* Init R */
1415 R.s = 1;
1416 R.p = Rp;
1417 R.n = P_KOBLITZ_R;
1418
1419 /* Common setup for M */
1420 M.s = 1;
1421 M.p = Mp;
1422
1423 /* M = A1 */
1424 M.n = N->n - ( p_limbs - adjust );
1425 if( M.n > p_limbs + adjust )
1426 M.n = p_limbs + adjust;
1427 memset( Mp, 0, sizeof Mp );
1428 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
1429 if( shift != 0 )
1430 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
1431 M.n += R.n; /* Make room for multiplication by R */
1432
1433 /* N = A0 */
1434 if( mask != 0 )
1435 N->p[p_limbs - 1] &= mask;
1436 for( i = p_limbs; i < N->n; i++ )
1437 N->p[i] = 0;
1438
1439 /* N = A0 + R * A1 */
1440 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
1441 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1442
1443 /* Second pass */
1444
1445 /* M = A1 */
1446 M.n = N->n - ( p_limbs - adjust );
1447 if( M.n > p_limbs + adjust )
1448 M.n = p_limbs + adjust;
1449 memset( Mp, 0, sizeof Mp );
1450 memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
1451 if( shift != 0 )
1452 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
1453 M.n += R.n; /* Make room for multiplication by R */
1454
1455 /* N = A0 */
1456 if( mask != 0 )
1457 N->p[p_limbs - 1] &= mask;
1458 for( i = p_limbs; i < N->n; i++ )
1459 N->p[i] = 0;
1460
1461 /* N = A0 + R * A1 */
1462 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
1463 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
1464
1465cleanup:
1466 return( ret );
1467}
1468#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
1469 MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
1470 MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
1471
1472#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
1473/*
1474 * Fast quasi-reduction modulo p192k1 = 2^192 - R,
1475 * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
1476 */
1477static int ecp_mod_p192k1( mbedtls_mpi *N )
1478{
1479 static mbedtls_mpi_uint Rp[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1480 MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00,
1481 0x00 ) };
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1482
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1483 return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
1484 0 ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1485}
1486#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
1487
1488#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
1489/*
1490 * Fast quasi-reduction modulo p224k1 = 2^224 - R,
1491 * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
1492 */
1493static int ecp_mod_p224k1( mbedtls_mpi *N )
1494{
1495 static mbedtls_mpi_uint Rp[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1496 MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00,
1497 0x00 ) };
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1498
1499#if defined(MBEDTLS_HAVE_INT64)
1500 return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
1501#else
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1502 return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
1503 0 ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1504#endif
1505}
1506
1507#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
1508
1509#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
1510/*
1511 * Fast quasi-reduction modulo p256k1 = 2^256 - R,
1512 * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
1513 */
1514static int ecp_mod_p256k1( mbedtls_mpi *N )
1515{
1516 static mbedtls_mpi_uint Rp[] = {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1517 MBEDTLS_BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00,
1518 0x00 ) };
1519 return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
1520 0 ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1521}
1522#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
1523
1524#endif /* !MBEDTLS_ECP_ALT */
1525
1526#endif /* MBEDTLS_ECP_C */