Blame - library/ecp_curves.c - mirror/mbed-tls

blob: afa3b6324e3dd1992c1e156365bac7459625e608 [file] [log] [blame]

Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1	/*
				2	* Elliptic curves over GF(p): curve-specific data and functions
				3	*
Bence Szépkúti	a2947ac	2020-08-19 16:37:36 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Bence Szépkúti	f744bd7	2020-06-05 13:02:18 +0200	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
				6	*
				7	* This file is provided under the Apache License 2.0, or the
				8	* GNU General Public License v2.0 or later.
				9	*
				10	* **********
				11	* Apache License 2.0:
Manuel Pégourié-Gonnard	37ff140	2015-09-04 14:21:07 +0200	[diff] [blame]	12	*
				13	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				14	* not use this file except in compliance with the License.
				15	* You may obtain a copy of the License at
				16	*
				17	* http://www.apache.org/licenses/LICENSE-2.0
				18	*
				19	* Unless required by applicable law or agreed to in writing, software
				20	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				21	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				22	* See the License for the specific language governing permissions and
				23	* limitations under the License.
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	24	*
Bence Szépkúti	f744bd7	2020-06-05 13:02:18 +0200	[diff] [blame]	25	* **********
				26	*
				27	* **********
				28	* GNU General Public License v2.0 or later:
				29	*
				30	* This program is free software; you can redistribute it and/or modify
				31	* it under the terms of the GNU General Public License as published by
				32	* the Free Software Foundation; either version 2 of the License, or
				33	* (at your option) any later version.
				34	*
				35	* This program is distributed in the hope that it will be useful,
				36	* but WITHOUT ANY WARRANTY; without even the implied warranty of
				37	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				38	* GNU General Public License for more details.
				39	*
				40	* You should have received a copy of the GNU General Public License along
				41	* with this program; if not, write to the Free Software Foundation, Inc.,
				42	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
				43	*
				44	* **********
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	45	*/
				46
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	47	#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	48	#include "mbedtls/config.h"
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	49	#else
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	50	#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	51	#endif
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	52
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	53	#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	54
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	55	#include "mbedtls/ecp.h"
Hanno Becker	4f8e8e5	2018-12-14 15:08:03 +0000	[diff] [blame]	56	#include "mbedtls/platform_util.h"
Janos Follath	7d34e2e	2021-06-24 14:48:38 +0100	[diff] [blame]	57	#include "mbedtls/bn_mul.h"
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	58
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	59	#include <string.h>
				60
Janos Follath	b069753	2016-08-18 12:38:46 +0100	[diff] [blame]	61	#if !defined(MBEDTLS_ECP_ALT)
				62
Hanno Becker	4f8e8e5	2018-12-14 15:08:03 +0000	[diff] [blame]	63	/* Parameter validation macros based on platform_util.h */
				64	#define ECP_VALIDATE_RET( cond ) \
				65	MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
				66	#define ECP_VALIDATE( cond ) \
				67	MBEDTLS_INTERNAL_VALIDATE( cond )
				68
Manuel Pégourié-Gonnard	0223ab9	2015-10-05 11:40:01 +0100	[diff] [blame]	69	#if ( defined(__ARMCC_VERSION) \|\| defined(_MSC_VER) ) && \
				70	!defined(inline) && !defined(__cplusplus)
Paul Bakker	498fd35	2013-12-02 22:17:24 +0100	[diff] [blame]	71	#define inline __inline
Manuel Pégourié-Gonnard	20af64d	2015-07-07 18:33:39 +0200	[diff] [blame]	72	#endif
Paul Bakker	498fd35	2013-12-02 22:17:24 +0100	[diff] [blame]	73
Manuel Pégourié-Gonnard	6ec1535	2021-06-23 12:25:48 +0200	[diff] [blame]	74	#define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)}
				75
				76	#define ECP_MPI_INIT_ARRAY(x) \
				77	ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
				78
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	79	/*
Manuel Pégourié-Gonnard	14a96c5	2013-12-11 12:15:28 +0100	[diff] [blame]	80	* Note: the constants are in little-endian order
				81	* to be directly usable in MPIs
				82	*/
				83
				84	/*
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	85	* Domain parameters for secp192r1
				86	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	87	#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
				88	static const mbedtls_mpi_uint secp192r1_p[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	89	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				90	MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				91	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	92	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	93	static const mbedtls_mpi_uint secp192r1_b[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	94	MBEDTLS_BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
				95	MBEDTLS_BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
				96	MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	97	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	98	static const mbedtls_mpi_uint secp192r1_gx[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	99	MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
				100	MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
				101	MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	102	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	103	static const mbedtls_mpi_uint secp192r1_gy[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	104	MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
				105	MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
				106	MBEDTLS_BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	107	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	108	static const mbedtls_mpi_uint secp192r1_n[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	109	MBEDTLS_BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
				110	MBEDTLS_BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
				111	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	112	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	113	#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	114
				115	/*
				116	* Domain parameters for secp224r1
				117	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	118	#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
				119	static const mbedtls_mpi_uint secp224r1_p[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	120	MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
				121	MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
				122	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				123	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	124	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	125	static const mbedtls_mpi_uint secp224r1_b[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	126	MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
				127	MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
				128	MBEDTLS_BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
				129	MBEDTLS_BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	130	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	131	static const mbedtls_mpi_uint secp224r1_gx[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	132	MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
				133	MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
				134	MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
				135	MBEDTLS_BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	136	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	137	static const mbedtls_mpi_uint secp224r1_gy[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	138	MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
				139	MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
				140	MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
				141	MBEDTLS_BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	142	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	143	static const mbedtls_mpi_uint secp224r1_n[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	144	MBEDTLS_BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
				145	MBEDTLS_BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
				146	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				147	MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	148	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	149	#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	150
				151	/*
				152	* Domain parameters for secp256r1
				153	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	154	#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
				155	static const mbedtls_mpi_uint secp256r1_p[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	156	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				157	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
				158	MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
				159	MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	160	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	161	static const mbedtls_mpi_uint secp256r1_b[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	162	MBEDTLS_BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
				163	MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
				164	MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
				165	MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	166	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	167	static const mbedtls_mpi_uint secp256r1_gx[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	168	MBEDTLS_BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
				169	MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
				170	MBEDTLS_BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
				171	MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	172	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	173	static const mbedtls_mpi_uint secp256r1_gy[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	174	MBEDTLS_BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
				175	MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
				176	MBEDTLS_BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
				177	MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	178	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	179	static const mbedtls_mpi_uint secp256r1_n[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	180	MBEDTLS_BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
				181	MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
				182	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				183	MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	184	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	185	#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	186
				187	/*
				188	* Domain parameters for secp384r1
				189	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	190	#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
				191	static const mbedtls_mpi_uint secp384r1_p[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	192	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
				193	MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
				194	MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				195	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				196	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				197	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	198	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	199	static const mbedtls_mpi_uint secp384r1_b[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	200	MBEDTLS_BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
				201	MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
				202	MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
				203	MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
				204	MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
				205	MBEDTLS_BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	206	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	207	static const mbedtls_mpi_uint secp384r1_gx[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	208	MBEDTLS_BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
				209	MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
				210	MBEDTLS_BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
				211	MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
				212	MBEDTLS_BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
				213	MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	214	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	215	static const mbedtls_mpi_uint secp384r1_gy[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	216	MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
				217	MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
				218	MBEDTLS_BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
				219	MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
				220	MBEDTLS_BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
				221	MBEDTLS_BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	222	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	223	static const mbedtls_mpi_uint secp384r1_n[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	224	MBEDTLS_BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
				225	MBEDTLS_BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
				226	MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
				227	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				228	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				229	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	230	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	231	#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	232
				233	/*
				234	* Domain parameters for secp521r1
				235	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	236	#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
				237	static const mbedtls_mpi_uint secp521r1_p[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	238	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				239	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				240	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				241	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				242	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				243	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				244	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				245	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				246	MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	247	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	248	static const mbedtls_mpi_uint secp521r1_b[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	249	MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
				250	MBEDTLS_BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
				251	MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
				252	MBEDTLS_BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
				253	MBEDTLS_BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
				254	MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
				255	MBEDTLS_BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
				256	MBEDTLS_BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
				257	MBEDTLS_BYTES_TO_T_UINT_2( 0x51, 0x00 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	258	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	259	static const mbedtls_mpi_uint secp521r1_gx[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	260	MBEDTLS_BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
				261	MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
				262	MBEDTLS_BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
				263	MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
				264	MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
				265	MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
				266	MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
				267	MBEDTLS_BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
				268	MBEDTLS_BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	269	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	270	static const mbedtls_mpi_uint secp521r1_gy[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	271	MBEDTLS_BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
				272	MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
				273	MBEDTLS_BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
				274	MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
				275	MBEDTLS_BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
				276	MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
				277	MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
				278	MBEDTLS_BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
				279	MBEDTLS_BYTES_TO_T_UINT_2( 0x18, 0x01 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	280	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	281	static const mbedtls_mpi_uint secp521r1_n[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	282	MBEDTLS_BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
				283	MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
				284	MBEDTLS_BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
				285	MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
				286	MBEDTLS_BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				287	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				288	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				289	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				290	MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	291	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	292	#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	293
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	294	#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
				295	static const mbedtls_mpi_uint secp192k1_p[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	296	MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
				297	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				298	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	299	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	300	static const mbedtls_mpi_uint secp192k1_a[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	301	MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	302	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	303	static const mbedtls_mpi_uint secp192k1_b[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	304	MBEDTLS_BYTES_TO_T_UINT_2( 0x03, 0x00 ),
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	305	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	306	static const mbedtls_mpi_uint secp192k1_gx[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	307	MBEDTLS_BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
				308	MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
				309	MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	310	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	311	static const mbedtls_mpi_uint secp192k1_gy[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	312	MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
				313	MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
				314	MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	315	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	316	static const mbedtls_mpi_uint secp192k1_n[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	317	MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
				318	MBEDTLS_BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
				319	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	320	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	321	#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	322
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	323	#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
				324	static const mbedtls_mpi_uint secp224k1_p[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	325	MBEDTLS_BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
				326	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				327	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				328	MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	329	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	330	static const mbedtls_mpi_uint secp224k1_a[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	331	MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	332	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	333	static const mbedtls_mpi_uint secp224k1_b[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	334	MBEDTLS_BYTES_TO_T_UINT_2( 0x05, 0x00 ),
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	335	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	336	static const mbedtls_mpi_uint secp224k1_gx[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	337	MBEDTLS_BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
				338	MBEDTLS_BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
				339	MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
				340	MBEDTLS_BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	341	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	342	static const mbedtls_mpi_uint secp224k1_gy[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	343	MBEDTLS_BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
				344	MBEDTLS_BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
				345	MBEDTLS_BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
				346	MBEDTLS_BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	347	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	348	static const mbedtls_mpi_uint secp224k1_n[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	349	MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
				350	MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
				351	MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
				352	MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	353	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	354	#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	355
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	356	#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
				357	static const mbedtls_mpi_uint secp256k1_p[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	358	MBEDTLS_BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
				359	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				360	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				361	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	362	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	363	static const mbedtls_mpi_uint secp256k1_a[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	364	MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	365	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	366	static const mbedtls_mpi_uint secp256k1_b[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	367	MBEDTLS_BYTES_TO_T_UINT_2( 0x07, 0x00 ),
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	368	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	369	static const mbedtls_mpi_uint secp256k1_gx[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	370	MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
				371	MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
				372	MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
				373	MBEDTLS_BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	374	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	375	static const mbedtls_mpi_uint secp256k1_gy[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	376	MBEDTLS_BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
				377	MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
				378	MBEDTLS_BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
				379	MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	380	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	381	static const mbedtls_mpi_uint secp256k1_n[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	382	MBEDTLS_BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
				383	MBEDTLS_BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
				384	MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
				385	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	386	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	387	#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	388
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	389	/*
				390	* Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
				391	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	392	#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
				393	static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	394	MBEDTLS_BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
				395	MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
				396	MBEDTLS_BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
				397	MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	398	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	399	static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	400	MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
				401	MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
				402	MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
				403	MBEDTLS_BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	404	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	405	static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	406	MBEDTLS_BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
				407	MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
				408	MBEDTLS_BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
				409	MBEDTLS_BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	410	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	411	static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	412	MBEDTLS_BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
				413	MBEDTLS_BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
				414	MBEDTLS_BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
				415	MBEDTLS_BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	416	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	417	static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	418	MBEDTLS_BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
				419	MBEDTLS_BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
				420	MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
				421	MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	422	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	423	static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	424	MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
				425	MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
				426	MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
				427	MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	428	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	429	#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	430
				431	/*
				432	* Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
				433	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	434	#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
				435	static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	436	MBEDTLS_BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
				437	MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
				438	MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
				439	MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
				440	MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
				441	MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	442	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	443	static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	444	MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
				445	MBEDTLS_BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
				446	MBEDTLS_BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
				447	MBEDTLS_BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
				448	MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
				449	MBEDTLS_BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	450	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	451	static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	452	MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
				453	MBEDTLS_BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
				454	MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
				455	MBEDTLS_BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
				456	MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
				457	MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	458	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	459	static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	460	MBEDTLS_BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
				461	MBEDTLS_BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
				462	MBEDTLS_BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
				463	MBEDTLS_BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
				464	MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
				465	MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	466	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	467	static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	468	MBEDTLS_BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
				469	MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
				470	MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
				471	MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
				472	MBEDTLS_BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
				473	MBEDTLS_BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	474	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	475	static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	476	MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
				477	MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
				478	MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
				479	MBEDTLS_BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
				480	MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
				481	MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	482	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	483	#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	484
				485	/*
				486	* Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
				487	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	488	#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
				489	static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	490	MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
				491	MBEDTLS_BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
				492	MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
				493	MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
				494	MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
				495	MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
				496	MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
				497	MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	498	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	499	static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	500	MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
				501	MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
				502	MBEDTLS_BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
				503	MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
				504	MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
				505	MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
				506	MBEDTLS_BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
				507	MBEDTLS_BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	508	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	509	static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	510	MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
				511	MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
				512	MBEDTLS_BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
				513	MBEDTLS_BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
				514	MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
				515	MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
				516	MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
				517	MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	518	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	519	static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	520	MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
				521	MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
				522	MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
				523	MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
				524	MBEDTLS_BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
				525	MBEDTLS_BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
				526	MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
				527	MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	528	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	529	static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	530	MBEDTLS_BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
				531	MBEDTLS_BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
				532	MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
				533	MBEDTLS_BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
				534	MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
				535	MBEDTLS_BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
				536	MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
				537	MBEDTLS_BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	538	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	539	static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	540	MBEDTLS_BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
				541	MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
				542	MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
				543	MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
				544	MBEDTLS_BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
				545	MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
				546	MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
				547	MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	548	};
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	549	#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	550
				551	/*
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	552	* Create an MPI from embedded constants
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	553	* (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	554	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	555	static inline void ecp_mpi_load( mbedtls_mpi X, const mbedtls_mpi_uint p, size_t len )
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	556	{
				557	X->s = 1;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	558	X->n = len / sizeof( mbedtls_mpi_uint );
				559	X->p = (mbedtls_mpi_uint *) p;
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	560	}
				561
				562	/*
Manuel Pégourié-Gonnard	73cc01d	2013-12-06 12:41:30 +0100	[diff] [blame]	563	* Set an MPI to static value 1
				564	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	565	static inline void ecp_mpi_set1( mbedtls_mpi *X )
Manuel Pégourié-Gonnard	73cc01d	2013-12-06 12:41:30 +0100	[diff] [blame]	566	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	567	static mbedtls_mpi_uint one[] = { 1 };
Manuel Pégourié-Gonnard	73cc01d	2013-12-06 12:41:30 +0100	[diff] [blame]	568	X->s = 1;
				569	X->n = 1;
				570	X->p = one;
				571	}
				572
				573	/*
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	574	* Make group available from embedded constants
				575	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	576	static int ecp_group_load( mbedtls_ecp_group *grp,
				577	const mbedtls_mpi_uint *p, size_t plen,
				578	const mbedtls_mpi_uint *a, size_t alen,
				579	const mbedtls_mpi_uint *b, size_t blen,
				580	const mbedtls_mpi_uint *gx, size_t gxlen,
				581	const mbedtls_mpi_uint *gy, size_t gylen,
				582	const mbedtls_mpi_uint *n, size_t nlen)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	583	{
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	584	ecp_mpi_load( &grp->P, p, plen );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	585	if( a != NULL )
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	586	ecp_mpi_load( &grp->A, a, alen );
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	587	ecp_mpi_load( &grp->B, b, blen );
				588	ecp_mpi_load( &grp->N, n, nlen );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	589
Manuel Pégourié-Gonnard	731d08b	2013-12-06 12:16:10 +0100	[diff] [blame]	590	ecp_mpi_load( &grp->G.X, gx, gxlen );
				591	ecp_mpi_load( &grp->G.Y, gy, gylen );
Manuel Pégourié-Gonnard	73cc01d	2013-12-06 12:41:30 +0100	[diff] [blame]	592	ecp_mpi_set1( &grp->G.Z );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	593
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	594	grp->pbits = mbedtls_mpi_bitlen( &grp->P );
				595	grp->nbits = mbedtls_mpi_bitlen( &grp->N );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	596
Manuel Pégourié-Gonnard	1f82b04	2013-12-06 12:51:50 +0100	[diff] [blame]	597	grp->h = 1;
				598
Manuel Pégourié-Gonnard	73cc01d	2013-12-06 12:41:30 +0100	[diff] [blame]	599	return( 0 );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	600	}
				601
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	602	#if defined(MBEDTLS_ECP_NIST_OPTIM)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	603	/* Forward declarations */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	604	#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
				605	static int ecp_mod_p192( mbedtls_mpi * );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	606	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	607	#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
				608	static int ecp_mod_p224( mbedtls_mpi * );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	609	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	610	#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
				611	static int ecp_mod_p256( mbedtls_mpi * );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	612	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	613	#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
				614	static int ecp_mod_p384( mbedtls_mpi * );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	615	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	616	#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
				617	static int ecp_mod_p521( mbedtls_mpi * );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	618	#endif
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	619
				620	#define NIST_MODP( P ) grp->modp = ecp_mod_ ## P;
				621	#else
				622	#define NIST_MODP( P )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	623	#endif /* MBEDTLS_ECP_NIST_OPTIM */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	624
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	625	/* Additional forward declarations */
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	626	#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	627	static int ecp_mod_p255( mbedtls_mpi * );
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	628	#endif
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	629	#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
				630	static int ecp_mod_p448( mbedtls_mpi * );
				631	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	632	#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
				633	static int ecp_mod_p192k1( mbedtls_mpi * );
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	634	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	635	#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
				636	static int ecp_mod_p224k1( mbedtls_mpi * );
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	637	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	638	#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
				639	static int ecp_mod_p256k1( mbedtls_mpi * );
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	640	#endif
				641
Manuel Pégourié-Gonnard	81e1b10	2013-12-06 13:28:05 +0100	[diff] [blame]	642	#define LOAD_GROUP_A( G ) ecp_group_load( grp, \
				643	G ## _p, sizeof( G ## _p ), \
				644	G ## _a, sizeof( G ## _a ), \
				645	G ## _b, sizeof( G ## _b ), \
				646	G ## _gx, sizeof( G ## _gx ), \
				647	G ## _gy, sizeof( G ## _gy ), \
				648	G ## _n, sizeof( G ## _n ) )
				649
				650	#define LOAD_GROUP( G ) ecp_group_load( grp, \
				651	G ## _p, sizeof( G ## _p ), \
				652	NULL, 0, \
				653	G ## _b, sizeof( G ## _b ), \
				654	G ## _gx, sizeof( G ## _gx ), \
				655	G ## _gy, sizeof( G ## _gy ), \
				656	G ## _n, sizeof( G ## _n ) )
				657
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	658	#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	659	/* Constants used by ecp_use_curve25519() */
Janos Follath	b741e8d	2021-06-24 15:00:33 +0100	[diff] [blame]	660	static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	661	static const unsigned char curve25519_part_of_n[] = {
				662	0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
				663	0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED,
				664	};
				665
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	666	/*
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	667	* Specialized function for creating the Curve25519 group
				668	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	669	static int ecp_use_curve25519( mbedtls_ecp_group *grp )
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	670	{
				671	int ret;
				672
				673	/* Actually ( A + 2 ) / 4 */
Janos Follath	b741e8d	2021-06-24 15:00:33 +0100	[diff] [blame]	674	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve25519_a24 ) );
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	675
				676	/* P = 2^255 - 19 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	677	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
				678	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 255 ) );
				679	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) );
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	680	grp->pbits = mbedtls_mpi_bitlen( &grp->P );
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	681
Nicholas Wilson	54fc34e	2016-05-16 15:15:45 +0100	[diff] [blame]	682	/* N = 2^252 + 27742317777372353535851937790883648493 */
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	683	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &grp->N,
				684	curve25519_part_of_n, sizeof( curve25519_part_of_n ) ) );
Nicholas Wilson	54fc34e	2016-05-16 15:15:45 +0100	[diff] [blame]	685	MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) );
				686
Manuel Pégourié-Gonnard	18b7843	2018-03-28 11:14:06 +0200	[diff] [blame]	687	/* Y intentionally not set, since we use x/z coordinates.
Manuel Pégourié-Gonnard	312d2e8	2013-12-04 11:08:01 +0100	[diff] [blame]	688	* This is used as a marker to identify Montgomery curves! */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	689	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) );
				690	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
				691	mbedtls_mpi_free( &grp->G.Y );
Manuel Pégourié-Gonnard	312d2e8	2013-12-04 11:08:01 +0100	[diff] [blame]	692
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	693	/* Actually, the required msb for private keys */
				694	grp->nbits = 254;
				695
				696	cleanup:
				697	if( ret != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	698	mbedtls_ecp_group_free( grp );
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	699
				700	return( ret );
				701	}
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	702	#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	703
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	704	#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	705	/* Constants used by ecp_use_curve448() */
Janos Follath	b741e8d	2021-06-24 15:00:33 +0100	[diff] [blame]	706	static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	707	static const unsigned char curve448_part_of_n[] = {
				708	0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24,
				709	0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93,
				710	0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC,
				711	0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D,
				712	};
				713
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	714	/*
				715	* Specialized function for creating the Curve448 group
				716	*/
				717	static int ecp_use_curve448( mbedtls_ecp_group *grp )
				718	{
				719	mbedtls_mpi Ns;
				720	int ret;
				721
				722	mbedtls_mpi_init( &Ns );
				723
				724	/* Actually ( A + 2 ) / 4 */
Janos Follath	b741e8d	2021-06-24 15:00:33 +0100	[diff] [blame]	725	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve448_a24 ) );
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	726
				727	/* P = 2^448 - 2^224 - 1 */
				728	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
				729	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
				730	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
				731	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
				732	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
				733	grp->pbits = mbedtls_mpi_bitlen( &grp->P );
				734
				735	/* Y intentionally not set, since we use x/z coordinates.
				736	* This is used as a marker to identify Montgomery curves! */
				737	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 5 ) );
				738	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
				739	mbedtls_mpi_free( &grp->G.Y );
				740
				741	/* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
				742	MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
Manuel Pégourié-Gonnard	89ce7d2	2021-06-23 12:43:34 +0200	[diff] [blame]	743	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &Ns,
				744	curve448_part_of_n, sizeof( curve448_part_of_n ) ) );
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	745	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) );
				746
				747	/* Actually, the required msb for private keys */
				748	grp->nbits = 447;
				749
				750	cleanup:
				751	mbedtls_mpi_free( &Ns );
				752	if( ret != 0 )
				753	mbedtls_ecp_group_free( grp );
				754
				755	return( ret );
				756	}
				757	#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
				758
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	759	/*
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	760	* Set a group using well-known domain parameters
				761	*/
Manuel Pégourié-Gonnard	e3a062b	2015-05-11 18:46:47 +0200	[diff] [blame]	762	int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	763	{
Hanno Becker	4f8e8e5	2018-12-14 15:08:03 +0000	[diff] [blame]	764	ECP_VALIDATE_RET( grp != NULL );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	765	mbedtls_ecp_group_free( grp );
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	766
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	767	grp->id = id;
				768
				769	switch( id )
				770	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	771	#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
				772	case MBEDTLS_ECP_DP_SECP192R1:
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	773	NIST_MODP( p192 );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	774	return( LOAD_GROUP( secp192r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	775	#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	776
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	777	#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
				778	case MBEDTLS_ECP_DP_SECP224R1:
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	779	NIST_MODP( p224 );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	780	return( LOAD_GROUP( secp224r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	781	#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	782
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	783	#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
				784	case MBEDTLS_ECP_DP_SECP256R1:
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	785	NIST_MODP( p256 );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	786	return( LOAD_GROUP( secp256r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	787	#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	788
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	789	#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
				790	case MBEDTLS_ECP_DP_SECP384R1:
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	791	NIST_MODP( p384 );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	792	return( LOAD_GROUP( secp384r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	793	#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	794
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	795	#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
				796	case MBEDTLS_ECP_DP_SECP521R1:
Manuel Pégourié-Gonnard	3ee9000	2013-12-02 17:14:48 +0100	[diff] [blame]	797	NIST_MODP( p521 );
Manuel Pégourié-Gonnard	9854fe9	2013-12-02 16:30:43 +0100	[diff] [blame]	798	return( LOAD_GROUP( secp521r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	799	#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	800
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	801	#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
				802	case MBEDTLS_ECP_DP_SECP192K1:
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	803	grp->modp = ecp_mod_p192k1;
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	804	return( LOAD_GROUP_A( secp192k1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	805	#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
Manuel Pégourié-Gonnard	ea499a7	2014-01-11 15:58:47 +0100	[diff] [blame]	806
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	807	#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
				808	case MBEDTLS_ECP_DP_SECP224K1:
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	809	grp->modp = ecp_mod_p224k1;
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	810	return( LOAD_GROUP_A( secp224k1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	811	#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
Manuel Pégourié-Gonnard	18e3ec9	2014-01-11 15:22:07 +0100	[diff] [blame]	812
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	813	#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
				814	case MBEDTLS_ECP_DP_SECP256K1:
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	815	grp->modp = ecp_mod_p256k1;
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	816	return( LOAD_GROUP_A( secp256k1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	817	#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
Manuel Pégourié-Gonnard	f51c8fc	2014-01-10 18:17:18 +0100	[diff] [blame]	818
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	819	#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
				820	case MBEDTLS_ECP_DP_BP256R1:
Manuel Pégourié-Gonnard	81e1b10	2013-12-06 13:28:05 +0100	[diff] [blame]	821	return( LOAD_GROUP_A( brainpoolP256r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	822	#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	823
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	824	#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
				825	case MBEDTLS_ECP_DP_BP384R1:
Manuel Pégourié-Gonnard	81e1b10	2013-12-06 13:28:05 +0100	[diff] [blame]	826	return( LOAD_GROUP_A( brainpoolP384r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	827	#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	828
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	829	#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
				830	case MBEDTLS_ECP_DP_BP512R1:
Manuel Pégourié-Gonnard	81e1b10	2013-12-06 13:28:05 +0100	[diff] [blame]	831	return( LOAD_GROUP_A( brainpoolP512r1 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	832	#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	833
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	834	#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
				835	case MBEDTLS_ECP_DP_CURVE25519:
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	836	grp->modp = ecp_mod_p255;
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	837	return( ecp_use_curve25519( grp ) );
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	838	#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
Manuel Pégourié-Gonnard	6615366	2013-12-03 14:12:26 +0100	[diff] [blame]	839
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	840	#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
				841	case MBEDTLS_ECP_DP_CURVE448:
				842	grp->modp = ecp_mod_p448;
				843	return( ecp_use_curve448( grp ) );
				844	#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
				845
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	846	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	847	mbedtls_ecp_group_free( grp );
				848	return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	849	}
				850	}
				851
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	852	#if defined(MBEDTLS_ECP_NIST_OPTIM)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	853	/*
				854	* Fast reduction modulo the primes used by the NIST curves.
				855	*
				856	* These functions are critical for speed, but not needed for correct
				857	* operations. So, we make the choice to heavily rely on the internals of our
				858	* bignum library, which creates a tight coupling between these functions and
				859	* our MPI implementation. However, the coupling between the ECP module and
				860	* MPI remains loose, since these functions can be deactivated at will.
				861	*/
				862
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	863	#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	864	/*
				865	* Compared to the way things are presented in FIPS 186-3 D.2,
				866	* we proceed in columns, from right (least significant chunk) to left,
				867	* adding chunks to N in place, and keeping a carry for the next chunk.
				868	* This avoids moving things around in memory, and uselessly adding zeros,
				869	* compared to the more straightforward, line-oriented approach.
				870	*
				871	* For this prime we need to handle data in chunks of 64 bits.
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	872	* Since this is always a multiple of our basic mbedtls_mpi_uint, we can
				873	* use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	874	*/
				875
				876	/* Add 64-bit chunks (dst += src) and update carry */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	877	static inline void add64( mbedtls_mpi_uint dst, mbedtls_mpi_uint src, mbedtls_mpi_uint *carry )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	878	{
				879	unsigned char i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	880	mbedtls_mpi_uint c = 0;
				881	for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	882	{
				883	dst += c; c = ( dst < c );
				884	dst += src; c += ( dst < src );
				885	}
				886	*carry += c;
				887	}
				888
				889	/* Add carry to a 64-bit chunk and update carry */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	890	static inline void carry64( mbedtls_mpi_uint dst, mbedtls_mpi_uint carry )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	891	{
				892	unsigned char i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	893	for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	894	{
				895	dst += carry;
				896	carry = ( dst < *carry );
				897	}
				898	}
				899
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	900	#define WIDTH 8 / sizeof( mbedtls_mpi_uint )
Hanno Becker	d6028a1	2018-10-15 12:01:35 +0100	[diff] [blame]	901	#define A( i ) N->p + (i) * WIDTH
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	902	#define ADD( i ) add64( p, A( i ), &c )
				903	#define NEXT p += WIDTH; carry64( p, &c )
				904	#define LAST p += WIDTH; p = c; while( ++p < end ) p = 0
				905
				906	/*
				907	* Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
				908	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	909	static int ecp_mod_p192( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	910	{
				911	int ret;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	912	mbedtls_mpi_uint c = 0;
				913	mbedtls_mpi_uint p, end;
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	914
				915	/* Make sure we have enough blocks so that A(5) is legal */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	916	MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	917
				918	p = N->p;
				919	end = p + N->n;
				920
				921	ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5
				922	ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5
				923	ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5
				924
				925	cleanup:
				926	return( ret );
				927	}
				928
				929	#undef WIDTH
				930	#undef A
				931	#undef ADD
				932	#undef NEXT
				933	#undef LAST
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	934	#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	935
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	936	#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) \|\| \
				937	defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) \|\| \
				938	defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	939	/*
				940	* The reader is advised to first understand ecp_mod_p192() since the same
				941	* general structure is used here, but with additional complications:
				942	* (1) chunks of 32 bits, and (2) subtractions.
				943	*/
				944
				945	/*
				946	* For these primes, we need to handle data in chunks of 32 bits.
				947	* This makes it more complicated if we use 64 bits limbs in MPI,
				948	* which prevents us from using a uniform access method as for p192.
				949	*
				950	* So, we define a mini abstraction layer to access 32 bit chunks,
				951	* load them in 'cur' for work, and store them back from 'cur' when done.
				952	*
				953	* While at it, also define the size of N in terms of 32-bit chunks.
				954	*/
				955	#define LOAD32 cur = A( i );
				956
Manuel Pégourié-Gonnard	7b53889	2015-04-09 17:00:17 +0200	[diff] [blame]	957	#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	958
				959	#define MAX32 N->n
				960	#define A( j ) N->p[j]
				961	#define STORE32 N->p[i] = cur;
				962
				963	#else /* 64-bit */
				964
				965	#define MAX32 N->n * 2
Hanno Becker	d6028a1	2018-10-15 12:01:35 +0100	[diff] [blame]	966	#define A( j ) (j) % 2 ? (uint32_t)( N->p[(j)/2] >> 32 ) : \
				967	(uint32_t)( N->p[(j)/2] )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	968	#define STORE32 \
				969	if( i % 2 ) { \
				970	N->p[i/2] &= 0x00000000FFFFFFFF; \
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	971	N->p[i/2] \|= ((mbedtls_mpi_uint) cur) << 32; \
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	972	} else { \
				973	N->p[i/2] &= 0xFFFFFFFF00000000; \
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	974	N->p[i/2] \|= (mbedtls_mpi_uint) cur; \
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	975	}
				976
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	977	#endif /* sizeof( mbedtls_mpi_uint ) */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	978
				979	/*
				980	* Helpers for addition and subtraction of chunks, with signed carry.
				981	*/
				982	static inline void add32( uint32_t dst, uint32_t src, signed char carry )
				983	{
				984	*dst += src;
				985	carry += ( dst < src );
				986	}
				987
				988	static inline void sub32( uint32_t dst, uint32_t src, signed char carry )
				989	{
				990	carry -= ( dst < src );
				991	*dst -= src;
				992	}
				993
				994	#define ADD( j ) add32( &cur, A( j ), &c );
				995	#define SUB( j ) sub32( &cur, A( j ), &c );
				996
				997	/*
				998	* Helpers for the main 'loop'
				999	* (see fix_negative for the motivation of C)
				1000	*/
Hanno Becker	d6028a1	2018-10-15 12:01:35 +0100	[diff] [blame]	1001	#define INIT( b ) \
				1002	int ret; \
				1003	signed char c = 0, cc; \
				1004	uint32_t cur; \
				1005	size_t i = 0, bits = (b); \
				1006	mbedtls_mpi C; \
				1007	mbedtls_mpi_uint Cp[ (b) / 8 / sizeof( mbedtls_mpi_uint) + 1 ]; \
				1008	\
				1009	C.s = 1; \
				1010	C.n = (b) / 8 / sizeof( mbedtls_mpi_uint) + 1; \
				1011	C.p = Cp; \
				1012	memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) ); \
				1013	\
				1014	MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, (b) * 2 / 8 / \
				1015	sizeof( mbedtls_mpi_uint ) ) ); \
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1016	LOAD32;
				1017
				1018	#define NEXT \
				1019	STORE32; i++; LOAD32; \
				1020	cc = c; c = 0; \
				1021	if( cc < 0 ) \
				1022	sub32( &cur, -cc, &c ); \
				1023	else \
				1024	add32( &cur, cc, &c ); \
				1025
				1026	#define LAST \
				1027	STORE32; i++; \
				1028	cur = c > 0 ? c : 0; STORE32; \
				1029	cur = 0; while( ++i < MAX32 ) { STORE32; } \
Gilles Peskine	7d6326d	2020-07-23 01:14:34 +0200	[diff] [blame]	1030	if( c < 0 ) MBEDTLS_MPI_CHK( fix_negative( N, c, &C, bits ) );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1031
				1032	/*
				1033	* If the result is negative, we get it in the form
Gilles Peskine	2c8cfcf	2021-04-03 21:40:11 +0200	[diff] [blame]	1034	* c * 2^bits + N, with c negative and N positive shorter than 'bits'
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1035	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1036	static inline int fix_negative( mbedtls_mpi N, signed char c, mbedtls_mpi C, size_t bits )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1037	{
				1038	int ret;
				1039
Gilles Peskine	2c8cfcf	2021-04-03 21:40:11 +0200	[diff] [blame]	1040	/* C = - c * 2^bits */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1041	#if !defined(MBEDTLS_HAVE_INT64)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1042	((void) bits);
				1043	#else
				1044	if( bits == 224 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1045	C->p[ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32;
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1046	else
				1047	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1048	C->p[ C->n - 1 ] = (mbedtls_mpi_uint) -c;
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1049
				1050	/* N = - ( C - N ) */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1051	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1052	N->s = -1;
				1053
				1054	cleanup:
				1055
				1056	return( ret );
				1057	}
				1058
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1059	#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1060	/*
				1061	* Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
				1062	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1063	static int ecp_mod_p224( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1064	{
				1065	INIT( 224 );
				1066
				1067	SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11
				1068	SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12
				1069	SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13
				1070	SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11
				1071	SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12
				1072	SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13
				1073	SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10
				1074
				1075	cleanup:
				1076	return( ret );
				1077	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1078	#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1079
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1080	#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1081	/*
				1082	* Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
				1083	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1084	static int ecp_mod_p256( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1085	{
				1086	INIT( 256 );
				1087
				1088	ADD( 8 ); ADD( 9 );
				1089	SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0
				1090
				1091	ADD( 9 ); ADD( 10 );
				1092	SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1
				1093
				1094	ADD( 10 ); ADD( 11 );
				1095	SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2
				1096
				1097	ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
				1098	SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3
				1099
				1100	ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
				1101	SUB( 9 ); SUB( 10 ); NEXT; // A4
				1102
				1103	ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
				1104	SUB( 10 ); SUB( 11 ); NEXT; // A5
				1105
				1106	ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
				1107	SUB( 8 ); SUB( 9 ); NEXT; // A6
				1108
				1109	ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
				1110	SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7
				1111
				1112	cleanup:
				1113	return( ret );
				1114	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1115	#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1116
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1117	#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1118	/*
				1119	* Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
				1120	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1121	static int ecp_mod_p384( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1122	{
				1123	INIT( 384 );
				1124
				1125	ADD( 12 ); ADD( 21 ); ADD( 20 );
				1126	SUB( 23 ); NEXT; // A0
				1127
				1128	ADD( 13 ); ADD( 22 ); ADD( 23 );
				1129	SUB( 12 ); SUB( 20 ); NEXT; // A2
				1130
				1131	ADD( 14 ); ADD( 23 );
				1132	SUB( 13 ); SUB( 21 ); NEXT; // A2
				1133
				1134	ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
				1135	SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3
				1136
				1137	ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
				1138	SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4
				1139
				1140	ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
				1141	SUB( 16 ); NEXT; // A5
				1142
				1143	ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
				1144	SUB( 17 ); NEXT; // A6
				1145
				1146	ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
				1147	SUB( 18 ); NEXT; // A7
				1148
				1149	ADD( 20 ); ADD( 17 ); ADD( 16 );
				1150	SUB( 19 ); NEXT; // A8
				1151
				1152	ADD( 21 ); ADD( 18 ); ADD( 17 );
				1153	SUB( 20 ); NEXT; // A9
				1154
				1155	ADD( 22 ); ADD( 19 ); ADD( 18 );
				1156	SUB( 21 ); NEXT; // A10
				1157
				1158	ADD( 23 ); ADD( 20 ); ADD( 19 );
				1159	SUB( 22 ); LAST; // A11
				1160
				1161	cleanup:
				1162	return( ret );
				1163	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1164	#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1165
				1166	#undef A
				1167	#undef LOAD32
				1168	#undef STORE32
				1169	#undef MAX32
				1170	#undef INIT
				1171	#undef NEXT
				1172	#undef LAST
				1173
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1174	#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED \|\|
				1175	MBEDTLS_ECP_DP_SECP256R1_ENABLED \|\|
				1176	MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1177
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1178	#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1179	/*
				1180	* Here we have an actual Mersenne prime, so things are more straightforward.
				1181	* However, chunks are aligned on a 'weird' boundary (521 bits).
				1182	*/
				1183
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1184	/* Size of p521 in terms of mbedtls_mpi_uint */
				1185	#define P521_WIDTH ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1186
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1187	/* Bits to keep in the most significant mbedtls_mpi_uint */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1188	#define P521_MASK 0x01FF
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1189
				1190	/*
				1191	* Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
				1192	* Write N as A1 + 2^521 A0, return A0 + A1
				1193	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1194	static int ecp_mod_p521( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1195	{
				1196	int ret;
				1197	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1198	mbedtls_mpi M;
				1199	mbedtls_mpi_uint Mp[P521_WIDTH + 1];
				1200	/* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1201	* we need to hold bits 513 to 1056, which is 34 limbs, that is
				1202	* P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
				1203
				1204	if( N->n < P521_WIDTH )
				1205	return( 0 );
				1206
				1207	/* M = A1 */
				1208	M.s = 1;
				1209	M.n = N->n - ( P521_WIDTH - 1 );
				1210	if( M.n > P521_WIDTH + 1 )
				1211	M.n = P521_WIDTH + 1;
				1212	M.p = Mp;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1213	memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
				1214	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1215
				1216	/* N = A0 */
				1217	N->p[P521_WIDTH - 1] &= P521_MASK;
				1218	for( i = P521_WIDTH; i < N->n; i++ )
				1219	N->p[i] = 0;
				1220
				1221	/* N = A0 + A1 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1222	MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1223
				1224	cleanup:
				1225	return( ret );
				1226	}
				1227
				1228	#undef P521_WIDTH
				1229	#undef P521_MASK
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1230	#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1231
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1232	#endif /* MBEDTLS_ECP_NIST_OPTIM */
Manuel Pégourié-Gonnard	32b04c1	2013-12-02 15:49:09 +0100	[diff] [blame]	1233
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	1234	#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1235
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1236	/* Size of p255 in terms of mbedtls_mpi_uint */
				1237	#define P255_WIDTH ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1238
				1239	/*
				1240	* Fast quasi-reduction modulo p255 = 2^255 - 19
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1241	* Write N as A0 + 2^255 A1, return A0 + 19 * A1
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1242	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1243	static int ecp_mod_p255( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1244	{
				1245	int ret;
				1246	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1247	mbedtls_mpi M;
				1248	mbedtls_mpi_uint Mp[P255_WIDTH + 2];
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1249
				1250	if( N->n < P255_WIDTH )
				1251	return( 0 );
				1252
				1253	/* M = A1 */
				1254	M.s = 1;
				1255	M.n = N->n - ( P255_WIDTH - 1 );
				1256	if( M.n > P255_WIDTH + 1 )
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	1257	return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1258	M.p = Mp;
				1259	memset( Mp, 0, sizeof Mp );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1260	memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
				1261	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1262	M.n++; /* Make room for multiplication by 19 */
				1263
				1264	/* N = A0 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1265	MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1266	for( i = P255_WIDTH; i < N->n; i++ )
				1267	N->p[i] = 0;
				1268
				1269	/* N = A0 + 19 * A1 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1270	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) );
				1271	MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1272
				1273	cleanup:
				1274	return( ret );
				1275	}
Manuel Pégourié-Gonnard	0789433	2015-06-23 00:18:41 +0200	[diff] [blame]	1276	#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
Manuel Pégourié-Gonnard	3d7053a	2013-12-04 20:51:13 +0100	[diff] [blame]	1277
Nicholas Wilson	08f3ef1	2015-11-10 13:10:01 +0000	[diff] [blame]	1278	#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
				1279
				1280	/* Size of p448 in terms of mbedtls_mpi_uint */
				1281	#define P448_WIDTH ( 448 / 8 / sizeof( mbedtls_mpi_uint ) )
				1282
				1283	/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
				1284	#define DIV_ROUND_UP( X, Y ) ( ( ( X ) + ( Y ) - 1 ) / ( Y ) )
				1285	#define P224_WIDTH_MIN ( 28 / sizeof( mbedtls_mpi_uint ) )
				1286	#define P224_WIDTH_MAX DIV_ROUND_UP( 28, sizeof( mbedtls_mpi_uint ) )
				1287	#define P224_UNUSED_BITS ( ( P224_WIDTH_MAX * sizeof( mbedtls_mpi_uint ) * 8 ) - 224 )
				1288
				1289	/*
				1290	* Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
				1291	* Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
				1292	* A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
				1293	* implementation of Curve448, which uses its own special 56-bit limbs rather
				1294	* than a generic bignum library. We could squeeze some extra speed out on
				1295	* 32-bit machines by splitting N up into 32-bit limbs and doing the
				1296	* arithmetic using the limbs directly as we do for the NIST primes above,
				1297	* but for 64-bit targets it should use half the number of operations if we do
				1298	* the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
				1299	*/
				1300	static int ecp_mod_p448( mbedtls_mpi *N )
				1301	{
				1302	int ret;
				1303	size_t i;
				1304	mbedtls_mpi M, Q;
				1305	mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
				1306
				1307	if( N->n <= P448_WIDTH )
				1308	return( 0 );
				1309
				1310	/* M = A1 */
				1311	M.s = 1;
				1312	M.n = N->n - ( P448_WIDTH );
				1313	if( M.n > P448_WIDTH )
				1314	/* Shouldn't be called with N larger than 2^896! */
				1315	return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
				1316	M.p = Mp;
				1317	memset( Mp, 0, sizeof( Mp ) );
				1318	memcpy( Mp, N->p + P448_WIDTH, M.n * sizeof( mbedtls_mpi_uint ) );
				1319
				1320	/* N = A0 */
				1321	for( i = P448_WIDTH; i < N->n; i++ )
				1322	N->p[i] = 0;
				1323
				1324	/* N += A1 */
				1325	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
				1326
				1327	/* Q = B1, N += B1 */
				1328	Q = M;
				1329	Q.p = Qp;
				1330	memcpy( Qp, Mp, sizeof( Qp ) );
				1331	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Q, 224 ) );
				1332	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &Q ) );
				1333
				1334	/* M = (B0 + B1) * 2^224, N += M */
				1335	if( sizeof( mbedtls_mpi_uint ) > 4 )
				1336	Mp[P224_WIDTH_MIN] &= ( (mbedtls_mpi_uint)-1 ) >> ( P224_UNUSED_BITS );
				1337	for( i = P224_WIDTH_MAX; i < M.n; ++i )
				1338	Mp[i] = 0;
				1339	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M, &M, &Q ) );
				1340	M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
				1341	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &M, 224 ) );
				1342	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
				1343
				1344	cleanup:
				1345	return( ret );
				1346	}
				1347	#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
				1348
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1349	#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) \|\| \
				1350	defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) \|\| \
				1351	defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1352	/*
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1353	* Fast quasi-reduction modulo P = 2^s - R,
				1354	* with R about 33 bits, used by the Koblitz curves.
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1355	*
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1356	* Write N as A0 + 2^224 A1, return A0 + R * A1.
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1357	* Actually do two passes, since R is big.
				1358	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1359	#define P_KOBLITZ_MAX ( 256 / 8 / sizeof( mbedtls_mpi_uint ) ) // Max limbs in P
				1360	#define P_KOBLITZ_R ( 8 / sizeof( mbedtls_mpi_uint ) ) // Limbs in R
				1361	static inline int ecp_mod_koblitz( mbedtls_mpi N, mbedtls_mpi_uint Rp, size_t p_limbs,
				1362	size_t adjust, size_t shift, mbedtls_mpi_uint mask )
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1363	{
				1364	int ret;
				1365	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1366	mbedtls_mpi M, R;
Janos Follath	7dadc2f	2017-01-27 16:05:20 +0000	[diff] [blame]	1367	mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1368
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1369	if( N->n < p_limbs )
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1370	return( 0 );
				1371
				1372	/* Init R */
				1373	R.s = 1;
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1374	R.p = Rp;
				1375	R.n = P_KOBLITZ_R;
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1376
				1377	/* Common setup for M */
				1378	M.s = 1;
				1379	M.p = Mp;
				1380
				1381	/* M = A1 */
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1382	M.n = N->n - ( p_limbs - adjust );
				1383	if( M.n > p_limbs + adjust )
				1384	M.n = p_limbs + adjust;
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1385	memset( Mp, 0, sizeof Mp );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1386	memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1387	if( shift != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1388	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
Janos Follath	7dadc2f	2017-01-27 16:05:20 +0000	[diff] [blame]	1389	M.n += R.n; /* Make room for multiplication by R */
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1390
				1391	/* N = A0 */
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1392	if( mask != 0 )
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1393	N->p[p_limbs - 1] &= mask;
				1394	for( i = p_limbs; i < N->n; i++ )
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1395	N->p[i] = 0;
				1396
				1397	/* N = A0 + R * A1 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1398	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
				1399	MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1400
				1401	/* Second pass */
				1402
				1403	/* M = A1 */
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1404	M.n = N->n - ( p_limbs - adjust );
				1405	if( M.n > p_limbs + adjust )
				1406	M.n = p_limbs + adjust;
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1407	memset( Mp, 0, sizeof Mp );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1408	memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1409	if( shift != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1410	MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
Janos Follath	7dadc2f	2017-01-27 16:05:20 +0000	[diff] [blame]	1411	M.n += R.n; /* Make room for multiplication by R */
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1412
				1413	/* N = A0 */
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1414	if( mask != 0 )
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1415	N->p[p_limbs - 1] &= mask;
				1416	for( i = p_limbs; i < N->n; i++ )
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1417	N->p[i] = 0;
				1418
				1419	/* N = A0 + R * A1 */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1420	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
				1421	MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1422
				1423	cleanup:
				1424	return( ret );
				1425	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1426	#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) \|\|
				1427	MBEDTLS_ECP_DP_SECP224K1_ENABLED) \|\|
				1428	MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1429
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1430	#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1431	/*
				1432	* Fast quasi-reduction modulo p192k1 = 2^192 - R,
				1433	* with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
				1434	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1435	static int ecp_mod_p192k1( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1436	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1437	static mbedtls_mpi_uint Rp[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	1438	MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00,
				1439	0x00 ) };
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1440
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	1441	return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
				1442	0 ) );
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1443	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1444	#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1445
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1446	#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1447	/*
				1448	* Fast quasi-reduction modulo p224k1 = 2^224 - R,
				1449	* with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
				1450	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1451	static int ecp_mod_p224k1( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1452	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1453	static mbedtls_mpi_uint Rp[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	1454	MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00,
				1455	0x00 ) };
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1456
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1457	#if defined(MBEDTLS_HAVE_INT64)
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1458	return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
				1459	#else
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	1460	return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
				1461	0 ) );
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1462	#endif
				1463	}
				1464
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1465	#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1466
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1467	#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1468	/*
				1469	* Fast quasi-reduction modulo p256k1 = 2^256 - R,
				1470	* with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
				1471	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1472	static int ecp_mod_p256k1( mbedtls_mpi *N )
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1473	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1474	static mbedtls_mpi_uint Rp[] = {
Janos Follath	9a64d3e	2021-06-25 12:43:26 +0100	[diff] [blame]	1475	MBEDTLS_BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00,
				1476	0x00 ) };
				1477	return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
				1478	0 ) );
Manuel Pégourié-Gonnard	9af7d3a	2014-01-18 17:28:59 +0100	[diff] [blame]	1479	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1480	#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
Manuel Pégourié-Gonnard	8887d8d	2014-01-17 23:17:10 +0100	[diff] [blame]	1481
Janos Follath	b069753	2016-08-18 12:38:46 +0100	[diff] [blame]	1482	#endif /* !MBEDTLS_ECP_ALT */
				1483
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1484	#endif /* MBEDTLS_ECP_C */