Blame - library/ecp_curves.c - mirror/mbed-tls

blob: 00bb895092c21da7a12f289f052db23d4160d451 [file] [log] [blame]

Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1	/*
				2	* Elliptic curves over GF(p): curve-specific data and functions
				3	*
Bence Szépkúti	a2947ac	2020-08-19 16:37:36 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Bence Szépkúti	f744bd7	2020-06-05 13:02:18 +0200	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
				6	*
				7	* This file is provided under the Apache License 2.0, or the
				8	* GNU General Public License v2.0 or later.
				9	*
				10	* **********
				11	* Apache License 2.0:
Manuel Pégourié-Gonnard	37ff140	2015-09-04 14:21:07 +0200	[diff] [blame]	12	*
				13	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				14	* not use this file except in compliance with the License.
				15	* You may obtain a copy of the License at
				16	*
				17	* http://www.apache.org/licenses/LICENSE-2.0
				18	*
				19	* Unless required by applicable law or agreed to in writing, software
				20	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				21	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				22	* See the License for the specific language governing permissions and
				23	* limitations under the License.
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	24	*
Bence Szépkúti	f744bd7	2020-06-05 13:02:18 +0200	[diff] [blame]	25	* **********
				26	*
				27	* **********
				28	* GNU General Public License v2.0 or later:
				29	*
				30	* This program is free software; you can redistribute it and/or modify
				31	* it under the terms of the GNU General Public License as published by
				32	* the Free Software Foundation; either version 2 of the License, or
				33	* (at your option) any later version.
				34	*
				35	* This program is distributed in the hope that it will be useful,
				36	* but WITHOUT ANY WARRANTY; without even the implied warranty of
				37	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				38	* GNU General Public License for more details.
				39	*
				40	* You should have received a copy of the GNU General Public License along
				41	* with this program; if not, write to the Free Software Foundation, Inc.,
				42	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
				43	*
				44	* **********
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	45	*/
				46
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	47	#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	48	#include "mbedtls/config.h"
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	49	#else
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	50	#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	51	#endif
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	52
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	53	#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	54
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	55	#include "mbedtls/ecp.h"
Hanno Becker	4f8e8e5	2018-12-14 15:08:03 +0000	[diff] [blame]	56	#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	57
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	58	#include <string.h>
				59
Janos Follath	b069753	2016-08-18 12:38:46 +0100	[diff] [blame]	60	#if !defined(MBEDTLS_ECP_ALT)
				61
Hanno Becker	4f8e8e5	2018-12-14 15:08:03 +0000	[diff] [blame]	62	/* Parameter validation macros based on platform_util.h */
				63	#define ECP_VALIDATE_RET( cond ) \
				64	MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
				65	#define ECP_VALIDATE( cond ) \
				66	MBEDTLS_INTERNAL_VALIDATE( cond )
				67
Manuel Pégourié-Gonnard	0223ab9	2015-10-05 11:40:01 +0100	[diff] [blame]	68	#if ( defined(__ARMCC_VERSION) \|\| defined(_MSC_VER) ) && \
				69	!defined(inline) && !defined(__cplusplus)
Paul Bakker	498fd35	2013-12-02 22:17:24 +0100	[diff] [blame]	70	#define inline __inline
Manuel Pégourié-Gonnard	20af64d	2015-07-07 18:33:39 +0200	[diff] [blame]	71	#endif
Paul Bakker	498fd35	2013-12-02 22:17:24 +0100	[diff] [blame]	72
Manuel Pégourié-Gonnard	baee5d4	2013-12-06 13:38:41 +0100	[diff] [blame]	73	/*
				74	* Conversion macros for embedded constants:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	75	* build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
Manuel Pégourié-Gonnard	baee5d4	2013-12-06 13:38:41 +0100	[diff] [blame]	76	*/
Manuel Pégourié-Gonnard	7b53889	2015-04-09 17:00:17 +0200	[diff] [blame]	77	#if defined(MBEDTLS_HAVE_INT32)
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	78
Hanno Becker	d6028a1	2018-10-15 12:01:35 +0100	[diff] [blame]	79	#define BYTES_TO_T_UINT_4( a, b, c, d ) \
				80	( (mbedtls_mpi_uint) (a) << 0 ) \| \
				81	( (mbedtls_mpi_uint) (b) << 8 ) \| \
				82	( (mbedtls_mpi_uint) (c) << 16 ) \| \
				83	( (mbedtls_mpi_uint) (d) << 24 )
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	84
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	85	#define BYTES_TO_T_UINT_2( a, b ) \
				86	BYTES_TO_T_UINT_4( a, b, 0, 0 )
				87
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	88	#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
Manuel Pégourié-Gonnard	69ab354	2013-12-12 15:50:08 +0100	[diff] [blame]	89	BYTES_TO_T_UINT_4( a, b, c, d ), \
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	90	BYTES_TO_T_UINT_4( e, f, g, h )
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	91
				92	#else /* 64-bits */
				93
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	94	#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
Hanno Becker	d6028a1	2018-10-15 12:01:35 +0100	[diff] [blame]	95	( (mbedtls_mpi_uint) (a) << 0 ) \| \
				96	( (mbedtls_mpi_uint) (b) << 8 ) \| \
				97	( (mbedtls_mpi_uint) (c) << 16 ) \| \
				98	( (mbedtls_mpi_uint) (d) << 24 ) \| \
				99	( (mbedtls_mpi_uint) (e) << 32 ) \| \
				100	( (mbedtls_mpi_uint) (f) << 40 ) \| \
				101	( (mbedtls_mpi_uint) (g) << 48 ) \| \
				102	( (mbedtls_mpi_uint) (h) << 56 )
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	103
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	104	#define BYTES_TO_T_UINT_4( a, b, c, d ) \
				105	BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
				106
				107	#define BYTES_TO_T_UINT_2( a, b ) \
				108	BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
				109
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	110	#endif /* bits in mbedtls_mpi_uint */
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	111
Manuel Pégourié-Gonnard	6ec1535	2021-06-23 12:25:48 +0200	[diff] [blame]	112	#define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)}
				113
				114	#define ECP_MPI_INIT_ARRAY(x) \
				115	ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
				116
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	117	/*
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	118	* Note: the constants are in little-endian order
				119	* to be directly usable in MPIs
				120	*/
				121
				122	/*
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	123	* Domain parameters for secp192r1
				124	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	125	#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
				126	static const mbedtls_mpi_uint secp192r1_p[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	127	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				128	BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				129	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	130	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	131	static const mbedtls_mpi_uint secp192r1_b[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	132	BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
				133	BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
				134	BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	135	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	136	static const mbedtls_mpi_uint secp192r1_gx[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	137	BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
				138	BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
				139	BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	140	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	141	static const mbedtls_mpi_uint secp192r1_gy[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	142	BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
				143	BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
				144	BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	145	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	146	static const mbedtls_mpi_uint secp192r1_n[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	147	BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
				148	BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
				149	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	150	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	151	#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	152
				153	/*
				154	* Domain parameters for secp224r1
				155	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	156	#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
				157	static const mbedtls_mpi_uint secp224r1_p[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	158	BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
				159	BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
				160	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				161	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	162	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	163	static const mbedtls_mpi_uint secp224r1_b[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	164	BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
				165	BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
				166	BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	167	BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	168	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	169	static const mbedtls_mpi_uint secp224r1_gx[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	170	BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
				171	BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
				172	BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	173	BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	174	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	175	static const mbedtls_mpi_uint secp224r1_gy[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	176	BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
				177	BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
				178	BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	179	BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	180	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	181	static const mbedtls_mpi_uint secp224r1_n[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	182	BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
				183	BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
				184	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	185	BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	186	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	187	#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	188
				189	/*
				190	* Domain parameters for secp256r1
				191	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	192	#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
				193	static const mbedtls_mpi_uint secp256r1_p[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	194	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				195	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
				196	BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
				197	BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	198	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	199	static const mbedtls_mpi_uint secp256r1_b[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	200	BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
				201	BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
				202	BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
				203	BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	204	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	205	static const mbedtls_mpi_uint secp256r1_gx[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	206	BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
				207	BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
				208	BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
				209	BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	210	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	211	static const mbedtls_mpi_uint secp256r1_gy[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	212	BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
				213	BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
				214	BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
				215	BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	216	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	217	static const mbedtls_mpi_uint secp256r1_n[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	218	BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
				219	BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
				220	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				221	BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	222	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	223	#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	224
				225	/*
				226	* Domain parameters for secp384r1
				227	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	228	#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
				229	static const mbedtls_mpi_uint secp384r1_p[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	230	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
				231	BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
				232	BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				233	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				234	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				235	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	236	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	237	static const mbedtls_mpi_uint secp384r1_b[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	238	BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
				239	BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
				240	BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
				241	BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
				242	BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
				243	BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	244	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	245	static const mbedtls_mpi_uint secp384r1_gx[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	246	BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
				247	BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
				248	BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
				249	BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
				250	BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
				251	BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	252	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	253	static const mbedtls_mpi_uint secp384r1_gy[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	254	BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
				255	BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
				256	BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
				257	BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
				258	BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
				259	BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	260	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	261	static const mbedtls_mpi_uint secp384r1_n[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	262	BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
				263	BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
				264	BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
				265	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				266	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				267	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	268	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	269	#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	270
				271	/*
				272	* Domain parameters for secp521r1
				273	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	274	#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
				275	static const mbedtls_mpi_uint secp521r1_p[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	276	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				277	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				278	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				279	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				280	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				281	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				282	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				283	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	284	BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	285	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	286	static const mbedtls_mpi_uint secp521r1_b[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	287	BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
				288	BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
				289	BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
				290	BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
				291	BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
				292	BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
				293	BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
				294	BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	295	BYTES_TO_T_UINT_2( 0x51, 0x00 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	296	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	297	static const mbedtls_mpi_uint secp521r1_gx[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	298	BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
				299	BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
				300	BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
				301	BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
				302	BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
				303	BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
				304	BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
				305	BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	306	BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	307	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	308	static const mbedtls_mpi_uint secp521r1_gy[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	309	BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
				310	BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
				311	BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
				312	BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
				313	BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
				314	BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
				315	BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
				316	BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	317	BYTES_TO_T_UINT_2( 0x18, 0x01 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	318	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	319	static const mbedtls_mpi_uint secp521r1_n[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	320	BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
				321	BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
				322	BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
				323	BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
				324	BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				325	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				326	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				327	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	328	BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	329	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	330	#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	331
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	332	#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
				333	static const mbedtls_mpi_uint secp192k1_p[] = {
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	334	BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
				335	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				336	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				337	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	338	static const mbedtls_mpi_uint secp192k1_a[] = {
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	339	BYTES_TO_T_UINT_2( 0x00, 0x00 ),
				340	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	341	static const mbedtls_mpi_uint secp192k1_b[] = {
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	342	BYTES_TO_T_UINT_2( 0x03, 0x00 ),
				343	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	344	static const mbedtls_mpi_uint secp192k1_gx[] = {
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	345	BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
				346	BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
				347	BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
				348	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	349	static const mbedtls_mpi_uint secp192k1_gy[] = {
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	350	BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
				351	BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
				352	BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
				353	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	354	static const mbedtls_mpi_uint secp192k1_n[] = {
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	355	BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
				356	BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
				357	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				358	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	359	#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	360
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	361	#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
				362	static const mbedtls_mpi_uint secp224k1_p[] = {
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	363	BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
				364	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				365	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				366	BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
				367	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	368	static const mbedtls_mpi_uint secp224k1_a[] = {
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	369	BYTES_TO_T_UINT_2( 0x00, 0x00 ),
				370	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	371	static const mbedtls_mpi_uint secp224k1_b[] = {
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	372	BYTES_TO_T_UINT_2( 0x05, 0x00 ),
				373	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	374	static const mbedtls_mpi_uint secp224k1_gx[] = {
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	375	BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
				376	BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
				377	BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
				378	BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
				379	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	380	static const mbedtls_mpi_uint secp224k1_gy[] = {
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	381	BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
				382	BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
				383	BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
				384	BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
				385	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	386	static const mbedtls_mpi_uint secp224k1_n[] = {
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	387	BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
				388	BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
				389	BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
				390	BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
				391	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	392	#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	393
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	394	#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
				395	static const mbedtls_mpi_uint secp256k1_p[] = {
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	396	BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
				397	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				398	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				399	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				400	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	401	static const mbedtls_mpi_uint secp256k1_a[] = {
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	402	BYTES_TO_T_UINT_2( 0x00, 0x00 ),
				403	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	404	static const mbedtls_mpi_uint secp256k1_b[] = {
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	405	BYTES_TO_T_UINT_2( 0x07, 0x00 ),
				406	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	407	static const mbedtls_mpi_uint secp256k1_gx[] = {
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	408	BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
				409	BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
				410	BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
				411	BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
				412	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	413	static const mbedtls_mpi_uint secp256k1_gy[] = {
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	414	BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
				415	BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
				416	BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
				417	BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
				418	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	419	static const mbedtls_mpi_uint secp256k1_n[] = {
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	420	BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
				421	BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
				422	BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				423	BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				424	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	425	#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	426
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	427	/*
				428	* Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
				429	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	430	#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
				431	static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	432	BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
				433	BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
				434	BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
				435	BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	436	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	437	static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	438	BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
				439	BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
				440	BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
				441	BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	442	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	443	static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	444	BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
				445	BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
				446	BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
				447	BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	448	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	449	static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	450	BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
				451	BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
				452	BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
				453	BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	454	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	455	static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	456	BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
				457	BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
				458	BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
				459	BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	460	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	461	static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	462	BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
				463	BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
				464	BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
				465	BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	466	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	467	#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	468
				469	/*
				470	* Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
				471	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	472	#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
				473	static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	474	BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
				475	BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
				476	BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
				477	BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
				478	BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
				479	BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	480	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	481	static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	482	BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
				483	BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
				484	BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
				485	BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
				486	BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
				487	BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	488	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	489	static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	490	BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
				491	BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
				492	BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
				493	BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
				494	BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
				495	BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	496	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	497	static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	498	BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
				499	BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
				500	BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
				501	BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
				502	BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
				503	BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	504	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	505	static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	506	BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
				507	BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
				508	BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
				509	BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
				510	BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
				511	BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	512	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	513	static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	514	BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
				515	BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
				516	BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
				517	BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
				518	BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
				519	BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	520	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	521	#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	522
				523	/*
				524	* Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
				525	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	526	#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
				527	static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	528	BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
				529	BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
				530	BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
				531	BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
				532	BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
				533	BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
				534	BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
				535	BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	536	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	537	static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	538	BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
				539	BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
				540	BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
				541	BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
				542	BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
				543	BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
				544	BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
				545	BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	546	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	547	static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	548	BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
				549	BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
				550	BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
				551	BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
				552	BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
				553	BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
				554	BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
				555	BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	556	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	557	static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	558	BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
				559	BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
				560	BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
				561	BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
				562	BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
				563	BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
				564	BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
				565	BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	566	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	567	static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	568	BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
				569	BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
				570	BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
				571	BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
				572	BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
				573	BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
				574	BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
				575	BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	576	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	577	static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
Manuel Pégourié-Gonnard	95b45b7	2013-12-11 12:03:23 +0100	[diff] [blame]	578	BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
				579	BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
				580	BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
				581	BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
				582	BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
				583	BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
				584	BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
				585	BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	586	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	587	#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	588
				589	/*
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	590	* Create an MPI from embedded constants
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	591	* (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	592	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	593	static inline void ecp_mpi_load( mbedtls_mpi X, const mbedtls_mpi_uint p, size_t len )
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	594	{
				595	X->s = 1;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	596	X->n = len / sizeof( mbedtls_mpi_uint );
				597	X->p = (mbedtls_mpi_uint *) p;
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	598	}
				599
				600	/*
Manuel Pégourié-Gonnard	73cc01d	2013-12-06 12:41:30 +0100	[diff] [blame]	601	* Set an MPI to static value 1
				602	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	603	static inline void ecp_mpi_set1( mbedtls_mpi *X )
Manuel Pégourié-Gonnard	73cc01d	2013-12-06 12:41:30 +0100	[diff] [blame]	604	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	605	static mbedtls_mpi_uint one[] = { 1 };
Manuel Pégourié-Gonnard	73cc01d	2013-12-06 12:41:30 +0100	[diff] [blame]	606	X->s = 1;
				607	X->n = 1;
				608	X->p = one;
				609	}
				610
				611	/*
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	612	* Make group available from embedded constants
				613	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	614	static int ecp_group_load( mbedtls_ecp_group *grp,
				615	const mbedtls_mpi_uint *p, size_t plen,
				616	const mbedtls_mpi_uint *a, size_t alen,
				617	const mbedtls_mpi_uint *b, size_t blen,
				618	const mbedtls_mpi_uint *gx, size_t gxlen,
				619	const mbedtls_mpi_uint *gy, size_t gylen,
				620	const mbedtls_mpi_uint *n, size_t nlen)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	621	{
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	622	ecp_mpi_load( &grp->P, p, plen );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	623	if( a != NULL )
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	624	ecp_mpi_load( &grp->A, a, alen );
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	625	ecp_mpi_load( &grp->B, b, blen );
				626	ecp_mpi_load( &grp->N, n, nlen );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	627
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	628	ecp_mpi_load( &grp->G.X, gx, gxlen );
				629	ecp_mpi_load( &grp->G.Y, gy, gylen );
Manuel Pégourié-Gonnard	73cc01d	2013-12-06 12:41:30 +0100	[diff] [blame]	630	ecp_mpi_set1( &grp->G.Z );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	631
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	632	grp->pbits = mbedtls_mpi_bitlen( &grp->P );
				633	grp->nbits = mbedtls_mpi_bitlen( &grp->N );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	634
Manuel Pégourié-Gonnard	1f82b04	2013-12-06 12:51:50 +0100	[diff] [blame]	635	grp->h = 1;
				636
Manuel Pégourié-Gonnard	73cc01d	2013-12-06 12:41:30 +0100	[diff] [blame]	637	return( 0 );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	638	}
				639
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	640	#if defined(MBEDTLS_ECP_NIST_OPTIM)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	641	/* Forward declarations */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	642	#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
				643	static int ecp_mod_p192( mbedtls_mpi * );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	644	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	645	#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
				646	static int ecp_mod_p224( mbedtls_mpi * );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	647	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	648	#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
				649	static int ecp_mod_p256( mbedtls_mpi * );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	650	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	651	#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
				652	static int ecp_mod_p384( mbedtls_mpi * );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	653	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	654	#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
				655	static int ecp_mod_p521( mbedtls_mpi * );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	656	#endif
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	657
				658	#define NIST_MODP( P ) grp->modp = ecp_mod_ ## P;
				659	#else
				660	#define NIST_MODP( P )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	661	#endif /* MBEDTLS_ECP_NIST_OPTIM */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	662
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	663	/* Additional forward declarations */
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	664	#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	665	static int ecp_mod_p255( mbedtls_mpi * );
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	666	#endif
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	667	#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
				668	static int ecp_mod_p448( mbedtls_mpi * );
				669	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	670	#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
				671	static int ecp_mod_p192k1( mbedtls_mpi * );
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	672	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	673	#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
				674	static int ecp_mod_p224k1( mbedtls_mpi * );
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	675	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	676	#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
				677	static int ecp_mod_p256k1( mbedtls_mpi * );
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	678	#endif
				679
Manuel Pégourié-Gonnard	81e1b10	2013-12-06 13:28:05 +0100	[diff] [blame]	680	#define LOAD_GROUP_A( G ) ecp_group_load( grp, \
				681	G ## _p, sizeof( G ## _p ), \
				682	G ## _a, sizeof( G ## _a ), \
				683	G ## _b, sizeof( G ## _b ), \
				684	G ## _gx, sizeof( G ## _gx ), \
				685	G ## _gy, sizeof( G ## _gy ), \
				686	G ## _n, sizeof( G ## _n ) )
				687
				688	#define LOAD_GROUP( G ) ecp_group_load( grp, \
				689	G ## _p, sizeof( G ## _p ), \
				690	NULL, 0, \
				691	G ## _b, sizeof( G ## _b ), \
				692	G ## _gx, sizeof( G ## _gx ), \
				693	G ## _gy, sizeof( G ## _gy ), \
				694	G ## _n, sizeof( G ## _n ) )
				695
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	696	#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	697	/* Constants used by ecp_use_curve25519() */
				698	static const unsigned char curve25519_a24[] = { 0x01, 0xDB, 0x42 };
				699	static const unsigned char curve25519_part_of_n[] = {
				700	0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
				701	0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED,
				702	};
				703
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	704	/*
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	705	* Specialized function for creating the Curve25519 group
				706	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	707	static int ecp_use_curve25519( mbedtls_ecp_group *grp )
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	708	{
				709	int ret;
				710
				711	/* Actually ( A + 2 ) / 4 */
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	712	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &grp->A,
				713	curve25519_a24, sizeof( curve25519_a24 ) ) );
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	714
				715	/* P = 2^255 - 19 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	716	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
				717	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 255 ) );
				718	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) );
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	719	grp->pbits = mbedtls_mpi_bitlen( &grp->P );
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	720
Nicholas Wilson	54fc34e	2016-05-16 15:15:45 +0100	[diff] [blame]	721	/* N = 2^252 + 27742317777372353535851937790883648493 */
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	722	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &grp->N,
				723	curve25519_part_of_n, sizeof( curve25519_part_of_n ) ) );
Nicholas Wilson	54fc34e	2016-05-16 15:15:45 +0100	[diff] [blame]	724	MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) );
				725
Manuel Pégourié-Gonnard	18b7843	2018-03-28 11:14:06 +0200	[diff] [blame]	726	/* Y intentionally not set, since we use x/z coordinates.
Manuel Pégourié-Gonnard	312d2e8	2013-12-04 11:08:01 +0100	[diff] [blame]	727	* This is used as a marker to identify Montgomery curves! */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	728	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) );
				729	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
				730	mbedtls_mpi_free( &grp->G.Y );
Manuel Pégourié-Gonnard	312d2e8	2013-12-04 11:08:01 +0100	[diff] [blame]	731
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	732	/* Actually, the required msb for private keys */
				733	grp->nbits = 254;
				734
				735	cleanup:
				736	if( ret != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	737	mbedtls_ecp_group_free( grp );
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	738
				739	return( ret );
				740	}
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	741	#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	742
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	743	#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	744	/* Constants used by ecp_use_curve448() */
				745	static const unsigned char curve448_a24[] = { 0x98, 0xAA };
				746	static const unsigned char curve448_part_of_n[] = {
				747	0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24,
				748	0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93,
				749	0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC,
				750	0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D,
				751	};
				752
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	753	/*
				754	* Specialized function for creating the Curve448 group
				755	*/
				756	static int ecp_use_curve448( mbedtls_ecp_group *grp )
				757	{
				758	mbedtls_mpi Ns;
				759	int ret;
				760
				761	mbedtls_mpi_init( &Ns );
				762
				763	/* Actually ( A + 2 ) / 4 */
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	764	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &grp->A,
				765	curve448_a24, sizeof( curve448_a24 ) ) );
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	766
				767	/* P = 2^448 - 2^224 - 1 */
				768	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
				769	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
				770	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
				771	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
				772	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
				773	grp->pbits = mbedtls_mpi_bitlen( &grp->P );
				774
				775	/* Y intentionally not set, since we use x/z coordinates.
				776	* This is used as a marker to identify Montgomery curves! */
				777	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 5 ) );
				778	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
				779	mbedtls_mpi_free( &grp->G.Y );
				780
				781	/* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
				782	MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	783	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &Ns,
				784	curve448_part_of_n, sizeof( curve448_part_of_n ) ) );
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	785	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) );
				786
				787	/* Actually, the required msb for private keys */
				788	grp->nbits = 447;
				789
				790	cleanup:
				791	mbedtls_mpi_free( &Ns );
				792	if( ret != 0 )
				793	mbedtls_ecp_group_free( grp );
				794
				795	return( ret );
				796	}
				797	#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
				798
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	799	/*
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	800	* Set a group using well-known domain parameters
				801	*/
Manuel Pégourié-Gonnard	e3a062b	2015-05-11 18:46:47 +0200	[diff] [blame]	802	int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	803	{
Hanno Becker	4f8e8e5	2018-12-14 15:08:03 +0000	[diff] [blame]	804	ECP_VALIDATE_RET( grp != NULL );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	805	mbedtls_ecp_group_free( grp );
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	806
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	807	grp->id = id;
				808
				809	switch( id )
				810	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	811	#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
				812	case MBEDTLS_ECP_DP_SECP192R1:
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	813	NIST_MODP( p192 );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	814	return( LOAD_GROUP( secp192r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	815	#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	816
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	817	#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
				818	case MBEDTLS_ECP_DP_SECP224R1:
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	819	NIST_MODP( p224 );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	820	return( LOAD_GROUP( secp224r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	821	#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	822
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	823	#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
				824	case MBEDTLS_ECP_DP_SECP256R1:
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	825	NIST_MODP( p256 );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	826	return( LOAD_GROUP( secp256r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	827	#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	828
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	829	#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
				830	case MBEDTLS_ECP_DP_SECP384R1:
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	831	NIST_MODP( p384 );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	832	return( LOAD_GROUP( secp384r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	833	#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	834
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	835	#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
				836	case MBEDTLS_ECP_DP_SECP521R1:
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	837	NIST_MODP( p521 );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	838	return( LOAD_GROUP( secp521r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	839	#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	840
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	841	#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
				842	case MBEDTLS_ECP_DP_SECP192K1:
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	843	grp->modp = ecp_mod_p192k1;
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	844	return( LOAD_GROUP_A( secp192k1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	845	#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	846
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	847	#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
				848	case MBEDTLS_ECP_DP_SECP224K1:
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	849	grp->modp = ecp_mod_p224k1;
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	850	return( LOAD_GROUP_A( secp224k1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	851	#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	852
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	853	#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
				854	case MBEDTLS_ECP_DP_SECP256K1:
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	855	grp->modp = ecp_mod_p256k1;
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	856	return( LOAD_GROUP_A( secp256k1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	857	#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	858
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	859	#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
				860	case MBEDTLS_ECP_DP_BP256R1:
Manuel Pégourié-Gonnard	81e1b10	2013-12-06 13:28:05 +0100	[diff] [blame]	861	return( LOAD_GROUP_A( brainpoolP256r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	862	#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	863
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	864	#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
				865	case MBEDTLS_ECP_DP_BP384R1:
Manuel Pégourié-Gonnard	81e1b10	2013-12-06 13:28:05 +0100	[diff] [blame]	866	return( LOAD_GROUP_A( brainpoolP384r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	867	#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	868
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	869	#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
				870	case MBEDTLS_ECP_DP_BP512R1:
Manuel Pégourié-Gonnard	81e1b10	2013-12-06 13:28:05 +0100	[diff] [blame]	871	return( LOAD_GROUP_A( brainpoolP512r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	872	#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	873
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	874	#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
				875	case MBEDTLS_ECP_DP_CURVE25519:
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	876	grp->modp = ecp_mod_p255;
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	877	return( ecp_use_curve25519( grp ) );
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	878	#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	879
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	880	#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
				881	case MBEDTLS_ECP_DP_CURVE448:
				882	grp->modp = ecp_mod_p448;
				883	return( ecp_use_curve448( grp ) );
				884	#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
				885
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	886	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	887	mbedtls_ecp_group_free( grp );
				888	return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	889	}
				890	}
				891
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	892	#if defined(MBEDTLS_ECP_NIST_OPTIM)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	893	/*
				894	* Fast reduction modulo the primes used by the NIST curves.
				895	*
				896	* These functions are critical for speed, but not needed for correct
				897	* operations. So, we make the choice to heavily rely on the internals of our
				898	* bignum library, which creates a tight coupling between these functions and
				899	* our MPI implementation. However, the coupling between the ECP module and
				900	* MPI remains loose, since these functions can be deactivated at will.
				901	*/
				902
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	903	#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	904	/*
				905	* Compared to the way things are presented in FIPS 186-3 D.2,
				906	* we proceed in columns, from right (least significant chunk) to left,
				907	* adding chunks to N in place, and keeping a carry for the next chunk.
				908	* This avoids moving things around in memory, and uselessly adding zeros,
				909	* compared to the more straightforward, line-oriented approach.
				910	*
				911	* For this prime we need to handle data in chunks of 64 bits.
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	912	* Since this is always a multiple of our basic mbedtls_mpi_uint, we can
				913	* use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	914	*/
				915
				916	/* Add 64-bit chunks (dst += src) and update carry */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	917	static inline void add64( mbedtls_mpi_uint dst, mbedtls_mpi_uint src, mbedtls_mpi_uint *carry )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	918	{
				919	unsigned char i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	920	mbedtls_mpi_uint c = 0;
				921	for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	922	{
				923	dst += c; c = ( dst < c );
				924	dst += src; c += ( dst < src );
				925	}
				926	*carry += c;
				927	}
				928
				929	/* Add carry to a 64-bit chunk and update carry */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	930	static inline void carry64( mbedtls_mpi_uint dst, mbedtls_mpi_uint carry )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	931	{
				932	unsigned char i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	933	for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	934	{
				935	dst += carry;
				936	carry = ( dst < *carry );
				937	}
				938	}
				939
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	940	#define WIDTH 8 / sizeof( mbedtls_mpi_uint )
Hanno Becker	d6028a1	2018-10-15 12:01:35 +0100	[diff] [blame]	941	#define A( i ) N->p + (i) * WIDTH
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	942	#define ADD( i ) add64( p, A( i ), &c )
				943	#define NEXT p += WIDTH; carry64( p, &c )
				944	#define LAST p += WIDTH; p = c; while( ++p < end ) p = 0
				945
				946	/*
				947	* Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
				948	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	949	static int ecp_mod_p192( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	950	{
				951	int ret;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	952	mbedtls_mpi_uint c = 0;
				953	mbedtls_mpi_uint p, end;
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	954
				955	/* Make sure we have enough blocks so that A(5) is legal */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	956	MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	957
				958	p = N->p;
				959	end = p + N->n;
				960
				961	ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5
				962	ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5
				963	ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5
				964
				965	cleanup:
				966	return( ret );
				967	}
				968
				969	#undef WIDTH
				970	#undef A
				971	#undef ADD
				972	#undef NEXT
				973	#undef LAST
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	974	#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	975
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	976	#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) \|\| \
				977	defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) \|\| \
				978	defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	979	/*
				980	* The reader is advised to first understand ecp_mod_p192() since the same
				981	* general structure is used here, but with additional complications:
				982	* (1) chunks of 32 bits, and (2) subtractions.
				983	*/
				984
				985	/*
				986	* For these primes, we need to handle data in chunks of 32 bits.
				987	* This makes it more complicated if we use 64 bits limbs in MPI,
				988	* which prevents us from using a uniform access method as for p192.
				989	*
				990	* So, we define a mini abstraction layer to access 32 bit chunks,
				991	* load them in 'cur' for work, and store them back from 'cur' when done.
				992	*
				993	* While at it, also define the size of N in terms of 32-bit chunks.
				994	*/
				995	#define LOAD32 cur = A( i );
				996
Manuel Pégourié-Gonnard	7b53889	2015-04-09 17:00:17 +0200	[diff] [blame]	997	#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	998
				999	#define MAX32 N->n
				1000	#define A( j ) N->p[j]
				1001	#define STORE32 N->p[i] = cur;
				1002
				1003	#else /* 64-bit */
				1004
				1005	#define MAX32 N->n * 2
Hanno Becker	d6028a1	2018-10-15 12:01:35 +0100	[diff] [blame]	1006	#define A( j ) (j) % 2 ? (uint32_t)( N->p[(j)/2] >> 32 ) : \
				1007	(uint32_t)( N->p[(j)/2] )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1008	#define STORE32 \
				1009	if( i % 2 ) { \
				1010	N->p[i/2] &= 0x00000000FFFFFFFF; \
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1011	N->p[i/2] \|= ((mbedtls_mpi_uint) cur) << 32; \
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1012	} else { \
				1013	N->p[i/2] &= 0xFFFFFFFF00000000; \
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1014	N->p[i/2] \|= (mbedtls_mpi_uint) cur; \
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1015	}
				1016
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1017	#endif /* sizeof( mbedtls_mpi_uint ) */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1018
				1019	/*
				1020	* Helpers for addition and subtraction of chunks, with signed carry.
				1021	*/
				1022	static inline void add32( uint32_t dst, uint32_t src, signed char carry )
				1023	{
				1024	*dst += src;
				1025	carry += ( dst < src );
				1026	}
				1027
				1028	static inline void sub32( uint32_t dst, uint32_t src, signed char carry )
				1029	{
				1030	carry -= ( dst < src );
				1031	*dst -= src;
				1032	}
				1033
				1034	#define ADD( j ) add32( &cur, A( j ), &c );
				1035	#define SUB( j ) sub32( &cur, A( j ), &c );
				1036
				1037	/*
				1038	* Helpers for the main 'loop'
				1039	* (see fix_negative for the motivation of C)
				1040	*/
Hanno Becker	d6028a1	2018-10-15 12:01:35 +0100	[diff] [blame]	1041	#define INIT( b ) \
				1042	int ret; \
				1043	signed char c = 0, cc; \
				1044	uint32_t cur; \
				1045	size_t i = 0, bits = (b); \
				1046	mbedtls_mpi C; \
				1047	mbedtls_mpi_uint Cp[ (b) / 8 / sizeof( mbedtls_mpi_uint) + 1 ]; \
				1048	\
				1049	C.s = 1; \
				1050	C.n = (b) / 8 / sizeof( mbedtls_mpi_uint) + 1; \
				1051	C.p = Cp; \
				1052	memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) ); \
				1053	\
				1054	MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, (b) * 2 / 8 / \
				1055	sizeof( mbedtls_mpi_uint ) ) ); \
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1056	LOAD32;
				1057
				1058	#define NEXT \
				1059	STORE32; i++; LOAD32; \
				1060	cc = c; c = 0; \
				1061	if( cc < 0 ) \
				1062	sub32( &cur, -cc, &c ); \
				1063	else \
				1064	add32( &cur, cc, &c ); \
				1065
				1066	#define LAST \
				1067	STORE32; i++; \
				1068	cur = c > 0 ? c : 0; STORE32; \
				1069	cur = 0; while( ++i < MAX32 ) { STORE32; } \
Gilles Peskine	7d6326d	2020-07-23 01:14:34 +0200	[diff] [blame]	1070	if( c < 0 ) MBEDTLS_MPI_CHK( fix_negative( N, c, &C, bits ) );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1071
				1072	/*
				1073	* If the result is negative, we get it in the form
Gilles Peskine	2c8cfcf	2021-04-03 21:40:11 +0200	[diff] [blame]	1074	* c * 2^bits + N, with c negative and N positive shorter than 'bits'
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1075	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1076	static inline int fix_negative( mbedtls_mpi N, signed char c, mbedtls_mpi C, size_t bits )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1077	{
				1078	int ret;
				1079
Gilles Peskine	2c8cfcf	2021-04-03 21:40:11 +0200	[diff] [blame]	1080	/* C = - c * 2^bits */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1081	#if !defined(MBEDTLS_HAVE_INT64)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1082	((void) bits);
				1083	#else
				1084	if( bits == 224 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1085	C->p[ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32;
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1086	else
				1087	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1088	C->p[ C->n - 1 ] = (mbedtls_mpi_uint) -c;
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1089
				1090	/* N = - ( C - N ) */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1091	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1092	N->s = -1;
				1093
				1094	cleanup:
				1095
				1096	return( ret );
				1097	}
				1098
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1099	#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1100	/*
				1101	* Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
				1102	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1103	static int ecp_mod_p224( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1104	{
				1105	INIT( 224 );
				1106
				1107	SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11
				1108	SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12
				1109	SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13
				1110	SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11
				1111	SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12
				1112	SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13
				1113	SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10
				1114
				1115	cleanup:
				1116	return( ret );
				1117	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1118	#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1119
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1120	#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1121	/*
				1122	* Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
				1123	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1124	static int ecp_mod_p256( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1125	{
				1126	INIT( 256 );
				1127
				1128	ADD( 8 ); ADD( 9 );
				1129	SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0
				1130
				1131	ADD( 9 ); ADD( 10 );
				1132	SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1
				1133
				1134	ADD( 10 ); ADD( 11 );
				1135	SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2
				1136
				1137	ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
				1138	SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3
				1139
				1140	ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
				1141	SUB( 9 ); SUB( 10 ); NEXT; // A4
				1142
				1143	ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
				1144	SUB( 10 ); SUB( 11 ); NEXT; // A5
				1145
				1146	ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
				1147	SUB( 8 ); SUB( 9 ); NEXT; // A6
				1148
				1149	ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
				1150	SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7
				1151
				1152	cleanup:
				1153	return( ret );
				1154	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1155	#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1156
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1157	#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1158	/*
				1159	* Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
				1160	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1161	static int ecp_mod_p384( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1162	{
				1163	INIT( 384 );
				1164
				1165	ADD( 12 ); ADD( 21 ); ADD( 20 );
				1166	SUB( 23 ); NEXT; // A0
				1167
				1168	ADD( 13 ); ADD( 22 ); ADD( 23 );
				1169	SUB( 12 ); SUB( 20 ); NEXT; // A2
				1170
				1171	ADD( 14 ); ADD( 23 );
				1172	SUB( 13 ); SUB( 21 ); NEXT; // A2
				1173
				1174	ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
				1175	SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3
				1176
				1177	ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
				1178	SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4
				1179
				1180	ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
				1181	SUB( 16 ); NEXT; // A5
				1182
				1183	ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
				1184	SUB( 17 ); NEXT; // A6
				1185
				1186	ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
				1187	SUB( 18 ); NEXT; // A7
				1188
				1189	ADD( 20 ); ADD( 17 ); ADD( 16 );
				1190	SUB( 19 ); NEXT; // A8
				1191
				1192	ADD( 21 ); ADD( 18 ); ADD( 17 );
				1193	SUB( 20 ); NEXT; // A9
				1194
				1195	ADD( 22 ); ADD( 19 ); ADD( 18 );
				1196	SUB( 21 ); NEXT; // A10
				1197
				1198	ADD( 23 ); ADD( 20 ); ADD( 19 );
				1199	SUB( 22 ); LAST; // A11
				1200
				1201	cleanup:
				1202	return( ret );
				1203	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1204	#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1205
				1206	#undef A
				1207	#undef LOAD32
				1208	#undef STORE32
				1209	#undef MAX32
				1210	#undef INIT
				1211	#undef NEXT
				1212	#undef LAST
				1213
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1214	#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED \|\|
				1215	MBEDTLS_ECP_DP_SECP256R1_ENABLED \|\|
				1216	MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1217
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1218	#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1219	/*
				1220	* Here we have an actual Mersenne prime, so things are more straightforward.
				1221	* However, chunks are aligned on a 'weird' boundary (521 bits).
				1222	*/
				1223
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1224	/* Size of p521 in terms of mbedtls_mpi_uint */
				1225	#define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1226
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1227	/* Bits to keep in the most significant mbedtls_mpi_uint */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1228	#define P521_MASK 0x01FF
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1229
				1230	/*
				1231	* Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
				1232	* Write N as A1 + 2^521 A0, return A0 + A1
				1233	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1234	static int ecp_mod_p521( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1235	{
				1236	int ret;
				1237	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1238	mbedtls_mpi M;
				1239	mbedtls_mpi_uint Mp[P521_WIDTH + 1];
				1240	/* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1241	* we need to hold bits 513 to 1056, which is 34 limbs, that is
				1242	* P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
				1243
				1244	if( N->n < P521_WIDTH )
				1245	return( 0 );
				1246
				1247	/* M = A1 */
				1248	M.s = 1;
				1249	M.n = N->n - ( P521_WIDTH - 1 );
				1250	if( M.n > P521_WIDTH + 1 )
				1251	M.n = P521_WIDTH + 1;
				1252	M.p = Mp;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1253	memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
				1254	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1255
				1256	/* N = A0 */
				1257	N->p[P521_WIDTH - 1] &= P521_MASK;
				1258	for( i = P521_WIDTH; i < N->n; i++ )
				1259	N->p[i] = 0;
				1260
				1261	/* N = A0 + A1 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1262	MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1263
				1264	cleanup:
				1265	return( ret );
				1266	}
				1267
				1268	#undef P521_WIDTH
				1269	#undef P521_MASK
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1270	#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1271
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1272	#endif /* MBEDTLS_ECP_NIST_OPTIM */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1273
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	1274	#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1275
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1276	/* Size of p255 in terms of mbedtls_mpi_uint */
				1277	#define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1278
				1279	/*
				1280	* Fast quasi-reduction modulo p255 = 2^255 - 19
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1281	* Write N as A0 + 2^255 A1, return A0 + 19 * A1
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1282	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1283	static int ecp_mod_p255( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1284	{
				1285	int ret;
				1286	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1287	mbedtls_mpi M;
				1288	mbedtls_mpi_uint Mp[P255_WIDTH + 2];
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1289
				1290	if( N->n < P255_WIDTH )
				1291	return( 0 );
				1292
				1293	/* M = A1 */
				1294	M.s = 1;
				1295	M.n = N->n - ( P255_WIDTH - 1 );
				1296	if( M.n > P255_WIDTH + 1 )
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	1297	return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1298	M.p = Mp;
				1299	memset( Mp, 0, sizeof Mp );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1300	memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
				1301	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1302	M.n++; /* Make room for multiplication by 19 */
				1303
				1304	/* N = A0 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1305	MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1306	for( i = P255_WIDTH; i < N->n; i++ )
				1307	N->p[i] = 0;
				1308
				1309	/* N = A0 + 19 * A1 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1310	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) );
				1311	MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1312
				1313	cleanup:
				1314	return( ret );
				1315	}
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	1316	#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1317
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	1318	#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
				1319
				1320	/* Size of p448 in terms of mbedtls_mpi_uint */
				1321	#define P448_WIDTH ( 448 / 8 / sizeof( mbedtls_mpi_uint ) )
				1322
				1323	/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
				1324	#define DIV_ROUND_UP( X, Y ) ( ( ( X ) + ( Y ) - 1 ) / ( Y ) )
				1325	#define P224_WIDTH_MIN ( 28 / sizeof( mbedtls_mpi_uint ) )
				1326	#define P224_WIDTH_MAX DIV_ROUND_UP( 28, sizeof( mbedtls_mpi_uint ) )
				1327	#define P224_UNUSED_BITS ( ( P224_WIDTH_MAX * sizeof( mbedtls_mpi_uint ) * 8 ) - 224 )
				1328
				1329	/*
				1330	* Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
				1331	* Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
				1332	* A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
				1333	* implementation of Curve448, which uses its own special 56-bit limbs rather
				1334	* than a generic bignum library. We could squeeze some extra speed out on
				1335	* 32-bit machines by splitting N up into 32-bit limbs and doing the
				1336	* arithmetic using the limbs directly as we do for the NIST primes above,
				1337	* but for 64-bit targets it should use half the number of operations if we do
				1338	* the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
				1339	*/
				1340	static int ecp_mod_p448( mbedtls_mpi *N )
				1341	{
				1342	int ret;
				1343	size_t i;
				1344	mbedtls_mpi M, Q;
				1345	mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
				1346
				1347	if( N->n <= P448_WIDTH )
				1348	return( 0 );
				1349
				1350	/* M = A1 */
				1351	M.s = 1;
				1352	M.n = N->n - ( P448_WIDTH );
				1353	if( M.n > P448_WIDTH )
				1354	/* Shouldn't be called with N larger than 2^896! */
				1355	return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
				1356	M.p = Mp;
				1357	memset( Mp, 0, sizeof( Mp ) );
				1358	memcpy( Mp, N->p + P448_WIDTH, M.n * sizeof( mbedtls_mpi_uint ) );
				1359
				1360	/* N = A0 */
				1361	for( i = P448_WIDTH; i < N->n; i++ )
				1362	N->p[i] = 0;
				1363
				1364	/* N += A1 */
				1365	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
				1366
				1367	/* Q = B1, N += B1 */
				1368	Q = M;
				1369	Q.p = Qp;
				1370	memcpy( Qp, Mp, sizeof( Qp ) );
				1371	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Q, 224 ) );
				1372	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &Q ) );
				1373
				1374	/* M = (B0 + B1) * 2^224, N += M */
				1375	if( sizeof( mbedtls_mpi_uint ) > 4 )
				1376	Mp[P224_WIDTH_MIN] &= ( (mbedtls_mpi_uint)-1 ) >> ( P224_UNUSED_BITS );
				1377	for( i = P224_WIDTH_MAX; i < M.n; ++i )
				1378	Mp[i] = 0;
				1379	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M, &M, &Q ) );
				1380	M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
				1381	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &M, 224 ) );
				1382	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
				1383
				1384	cleanup:
				1385	return( ret );
				1386	}
				1387	#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
				1388
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1389	#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) \|\| \
				1390	defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) \|\| \
				1391	defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1392	/*
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1393	* Fast quasi-reduction modulo P = 2^s - R,
				1394	* with R about 33 bits, used by the Koblitz curves.
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1395	*
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1396	* Write N as A0 + 2^224 A1, return A0 + R * A1.
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1397	* Actually do two passes, since R is big.
				1398	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1399	#define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P
				1400	#define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R
				1401	static inline int ecp_mod_koblitz( mbedtls_mpi N, mbedtls_mpi_uint Rp, size_t p_limbs,
				1402	size_t adjust, size_t shift, mbedtls_mpi_uint mask )
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1403	{
				1404	int ret;
				1405	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1406	mbedtls_mpi M, R;
Janos Follath	7dadc2f	2017-01-27 16:05:20 +0000	[diff] [blame]	1407	mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1408
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1409	if( N->n < p_limbs )
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1410	return( 0 );
				1411
				1412	/* Init R */
				1413	R.s = 1;
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1414	R.p = Rp;
				1415	R.n = P_KOBLITZ_R;
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1416
				1417	/* Common setup for M */
				1418	M.s = 1;
				1419	M.p = Mp;
				1420
				1421	/* M = A1 */
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1422	M.n = N->n - ( p_limbs - adjust );
				1423	if( M.n > p_limbs + adjust )
				1424	M.n = p_limbs + adjust;
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1425	memset( Mp, 0, sizeof Mp );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1426	memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1427	if( shift != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1428	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
Janos Follath	7dadc2f	2017-01-27 16:05:20 +0000	[diff] [blame]	1429	M.n += R.n; /* Make room for multiplication by R */
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1430
				1431	/* N = A0 */
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1432	if( mask != 0 )
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1433	N->p[p_limbs - 1] &= mask;
				1434	for( i = p_limbs; i < N->n; i++ )
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1435	N->p[i] = 0;
				1436
				1437	/* N = A0 + R * A1 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1438	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
				1439	MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1440
				1441	/* Second pass */
				1442
				1443	/* M = A1 */
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1444	M.n = N->n - ( p_limbs - adjust );
				1445	if( M.n > p_limbs + adjust )
				1446	M.n = p_limbs + adjust;
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1447	memset( Mp, 0, sizeof Mp );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1448	memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1449	if( shift != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1450	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
Janos Follath	7dadc2f	2017-01-27 16:05:20 +0000	[diff] [blame]	1451	M.n += R.n; /* Make room for multiplication by R */
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1452
				1453	/* N = A0 */
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1454	if( mask != 0 )
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1455	N->p[p_limbs - 1] &= mask;
				1456	for( i = p_limbs; i < N->n; i++ )
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1457	N->p[i] = 0;
				1458
				1459	/* N = A0 + R * A1 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1460	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
				1461	MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1462
				1463	cleanup:
				1464	return( ret );
				1465	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1466	#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) \|\|
				1467	MBEDTLS_ECP_DP_SECP224K1_ENABLED) \|\|
				1468	MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1469
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1470	#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1471	/*
				1472	* Fast quasi-reduction modulo p192k1 = 2^192 - R,
				1473	* with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
				1474	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1475	static int ecp_mod_p192k1( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1476	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1477	static mbedtls_mpi_uint Rp[] = {
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1478	BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
				1479
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1480	return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1481	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1482	#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1483
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1484	#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1485	/*
				1486	* Fast quasi-reduction modulo p224k1 = 2^224 - R,
				1487	* with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
				1488	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1489	static int ecp_mod_p224k1( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1490	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1491	static mbedtls_mpi_uint Rp[] = {
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1492	BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
				1493
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1494	#if defined(MBEDTLS_HAVE_INT64)
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1495	return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
				1496	#else
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1497	return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1498	#endif
				1499	}
				1500
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1501	#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1502
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1503	#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1504	/*
				1505	* Fast quasi-reduction modulo p256k1 = 2^256 - R,
				1506	* with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
				1507	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1508	static int ecp_mod_p256k1( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1509	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1510	static mbedtls_mpi_uint Rp[] = {
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1511	BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1512	return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1513	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1514	#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1515
Janos Follath	b069753	2016-08-18 12:38:46 +0100	[diff] [blame]	1516	#endif /* !MBEDTLS_ECP_ALT */
				1517
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1518	#endif /* MBEDTLS_ECP_C */