48 #if defined(POLARSSL_ECP_C)
52 #if defined(POLARSSL_MEMORY_C)
55 #define polarssl_malloc malloc
56 #define polarssl_free free
62 #if defined(_MSC_VER) && !defined(inline)
63 #define inline _inline
65 #if defined(__ARMCC_VERSION) && !defined(inline)
66 #define inline __inline
70 #if defined(POLARSSL_SELF_TEST)
75 unsigned long add_count, dbl_count;
87 #if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
90 #if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
93 #if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
96 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
99 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
102 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
105 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
108 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
119 return ecp_supported_curves;
133 if( curve_info->
grp_id == grp_id )
134 return( curve_info );
151 if( curve_info->
tls_id == tls_id )
152 return( curve_info );
226 for( i = 0; i < grp->
T_size; i++ )
297 const char *x,
const char *y )
313 int format,
size_t *olen,
314 unsigned char *buf,
size_t buflen )
341 *olen = 2 * plen + 1;
369 const unsigned char *buf,
size_t ilen ) {
373 if( ilen == 1 && buf[0] == 0x00 )
378 if( ilen != 2 * plen + 1 || buf[0] != 0x04 )
396 const unsigned char **buf,
size_t buf_len )
398 unsigned char data_len;
399 const unsigned char *buf_start;
407 data_len = *(*buf)++;
408 if( data_len < 1 || data_len > buf_len - 1 )
427 int format,
size_t *olen,
428 unsigned char *buf,
size_t blen )
439 olen, buf + 1, blen - 1) ) != 0 )
445 buf[0] = (
unsigned char) *olen;
454 static int ecp_group_read_string_gen(
ecp_group *grp,
int radix,
455 const char *p,
const char *a,
const char *b,
456 const char *gx,
const char *gy,
const char *n)
480 const char *p,
const char *b,
481 const char *gx,
const char *gy,
const char *n)
485 MPI_CHK( ecp_group_read_string_gen( grp, radix, p,
"00", b, gx, gy, n ) );
498 #define SECP192R1_P \
499 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"
500 #define SECP192R1_B \
501 "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1"
502 #define SECP192R1_GX \
503 "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012"
504 #define SECP192R1_GY \
505 "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811"
506 #define SECP192R1_N \
507 "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831"
512 #define SECP224R1_P \
513 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001"
514 #define SECP224R1_B \
515 "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4"
516 #define SECP224R1_GX \
517 "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21"
518 #define SECP224R1_GY \
519 "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34"
520 #define SECP224R1_N \
521 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D"
526 #define SECP256R1_P \
527 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF"
528 #define SECP256R1_B \
529 "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B"
530 #define SECP256R1_GX \
531 "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
532 #define SECP256R1_GY \
533 "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"
534 #define SECP256R1_N \
535 "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"
540 #define SECP384R1_P \
541 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \
542 "FFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF"
543 #define SECP384R1_B \
544 "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE814112" \
545 "0314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF"
546 #define SECP384R1_GX \
547 "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B98" \
548 "59F741E082542A385502F25DBF55296C3A545E3872760AB7"
549 #define SECP384R1_GY \
550 "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147C" \
551 "E9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F"
552 #define SECP384R1_N \
553 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \
554 "C7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"
559 #define SECP521R1_P \
560 "000001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \
561 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \
562 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
563 #define SECP521R1_B \
564 "00000051953EB9618E1C9A1F929A21A0B68540EEA2DA725B" \
565 "99B315F3B8B489918EF109E156193951EC7E937B1652C0BD" \
566 "3BB1BF073573DF883D2C34F1EF451FD46B503F00"
567 #define SECP521R1_GX \
568 "000000C6858E06B70404E9CD9E3ECB662395B4429C648139" \
569 "053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127" \
570 "A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66"
571 #define SECP521R1_GY \
572 "0000011839296A789A3BC0045C8A5FB42C7D1BD998F54449" \
573 "579B446817AFBD17273E662C97EE72995EF42640C550B901" \
574 "3FAD0761353C7086A272C24088BE94769FD16650"
575 #define SECP521R1_N \
576 "000001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \
577 "FFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148" \
578 "F709A5D03BB5C9B8899C47AEBB6FB71E91386409"
584 "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377"
586 "7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9"
588 "26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6"
590 "8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262"
592 "547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997"
594 "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7"
600 "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB711" \
601 "23ACD3A729901D1A71874700133107EC53"
603 "7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F9" \
604 "0F8AA5814A503AD4EB04A8C7DD22CE2826"
606 "04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62" \
607 "D57CB4390295DBC9943AB78696FA504C11"
609 "1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10" \
610 "E8E826E03436D646AAEF87B2E247D4AF1E"
612 "8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129" \
613 "280E4646217791811142820341263C5315"
615 "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425" \
616 "A7CF3AB6AF6B7FC3103B883202E9046565"
622 "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308" \
623 "717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3"
625 "7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863" \
626 "BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA"
628 "3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117" \
629 "A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723"
631 "81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D009" \
632 "8EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822"
634 "7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F81" \
635 "11B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892"
637 "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308" \
638 "70553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069"
640 #if defined(POLARSSL_ECP_NIST_OPTIM)
642 static int ecp_mod_p192(
mpi * );
643 static int ecp_mod_p224(
mpi * );
644 static int ecp_mod_p256(
mpi * );
645 static int ecp_mod_p384(
mpi * );
646 static int ecp_mod_p521(
mpi * );
658 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
660 #if defined(POLARSSL_ECP_NIST_OPTIM)
661 grp->
modp = ecp_mod_p192;
664 SECP192R1_P, SECP192R1_B,
665 SECP192R1_GX, SECP192R1_GY, SECP192R1_N ) );
668 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
670 #if defined(POLARSSL_ECP_NIST_OPTIM)
671 grp->
modp = ecp_mod_p224;
674 SECP224R1_P, SECP224R1_B,
675 SECP224R1_GX, SECP224R1_GY, SECP224R1_N ) );
678 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
680 #if defined(POLARSSL_ECP_NIST_OPTIM)
681 grp->
modp = ecp_mod_p256;
684 SECP256R1_P, SECP256R1_B,
685 SECP256R1_GX, SECP256R1_GY, SECP256R1_N ) );
688 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
690 #if defined(POLARSSL_ECP_NIST_OPTIM)
691 grp->
modp = ecp_mod_p384;
694 SECP384R1_P, SECP384R1_B,
695 SECP384R1_GX, SECP384R1_GY, SECP384R1_N ) );
698 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
700 #if defined(POLARSSL_ECP_NIST_OPTIM)
701 grp->
modp = ecp_mod_p521;
704 SECP521R1_P, SECP521R1_B,
705 SECP521R1_GX, SECP521R1_GY, SECP521R1_N ) );
708 #if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
710 return( ecp_group_read_string_gen( grp, 16,
711 BP256R1_P, BP256R1_A, BP256R1_B,
712 BP256R1_GX, BP256R1_GY, BP256R1_N ) );
715 #if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
717 return( ecp_group_read_string_gen( grp, 16,
718 BP384R1_P, BP384R1_A, BP384R1_B,
719 BP384R1_GX, BP384R1_GY, BP384R1_N ) );
722 #if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
724 return( ecp_group_read_string_gen( grp, 16,
725 BP512R1_P, BP512R1_A, BP512R1_B,
726 BP512R1_GX, BP512R1_GY, BP512R1_N ) );
772 unsigned char *buf,
size_t blen )
794 buf[0] = curve_info->
tls_id >> 8;
795 buf[1] = curve_info->
tls_id & 0xFF;
810 if( grp->
modp == NULL )
847 #define MOD_MUL( N ) MPI_CHK( ecp_modp( &N, grp ) )
853 #define MOD_SUB( N ) \
854 while( N.s < 0 && mpi_cmp_int( &N, 0 ) != 0 ) \
855 MPI_CHK( mpi_add_mpi( &N, &N, &grp->P ) )
862 #define MOD_ADD( N ) \
863 while( mpi_cmp_mpi( &N, &grp->P ) >= 0 ) \
864 MPI_CHK( mpi_sub_abs( &N, &N, &grp->P ) )
913 static int ecp_normalize_many(
const ecp_group *grp,
921 return( ecp_normalize( grp, T ) );
927 for( i = 0; i < t_len; i++ )
934 for( i = 1; i < t_len; i++ )
945 for( i = t_len - 1; ; i-- )
976 for( i = 0; i < t_len; i++ )
995 mpi T1, T2, T3, X3, Y3, Z3;
997 #if defined(POLARSSL_SELF_TEST)
1056 mpi T1, T2, T3, T4, X, Y, Z;
1058 #if defined(POLARSSL_SELF_TEST)
1076 if( ret == 0 && sign < 0)
1114 ret = ecp_double_jac( grp, R, P );
1157 MPI_CHK( ecp_add_mixed( grp, R, P, Q , 1 ) );
1158 MPI_CHK( ecp_normalize( grp, R ) );
1172 MPI_CHK( ecp_add_mixed( grp, R, P, Q, -1 ) );
1173 MPI_CHK( ecp_normalize( grp, R ) );
1205 static int ecp_w_naf_fixed(
signed char x[],
size_t k,
1206 unsigned char w,
const mpi *m )
1209 unsigned int i, u, mask, carry;
1215 mask = ( 1 << w ) - 1;
1216 carry = 1 << ( w - 1 );
1218 for( i = 0; i < k; i++ )
1222 if( ( u & 1 ) == 0 && i > 0 )
1246 static int ecp_precompute(
const ecp_group *grp,
1260 for( i = 1; i < t_len; i++ )
1261 MPI_CHK( ecp_add_mixed( grp, &T[i], &T[i-1], &PP, +1 ) );
1266 MPI_CHK( ecp_normalize_many( grp, T + 1, t_len - 1 ) );
1281 int (*f_rng)(
void *,
unsigned char *,
size_t),
void *p_rng )
1285 size_t p_size = (grp->
pbits + 7) / 8;
1323 #define MAX_PRE_LEN ( 1 << (POLARSSL_ECP_WINDOW_SIZE - 1) )
1330 #define MAX_NAF_LEN ( POLARSSL_ECP_MAX_BITS / 2 + 1 )
1347 int (*f_rng)(
void *,
unsigned char *,
size_t),
void *p_rng )
1350 unsigned char w, m_is_odd, p_eq_g;
1351 size_t pre_len = 1, naf_len, i, j;
1352 signed char naf[ MAX_NAF_LEN ];
1378 w = grp->
nbits >= 512 ? 6 :
1379 grp->
nbits >= 224 ? 5 :
1390 if( w < 2 || w >= grp->
nbits )
1393 pre_len <<= ( w - 1 );
1394 naf_len = grp->
nbits / w + 1;
1400 if( ! p_eq_g || grp->
T == NULL )
1409 for( i = 0; i < pre_len; i++ )
1412 MPI_CHK( ecp_precompute( grp, T, pre_len, P ) );
1425 if( pre_len != grp->
T_size )
1444 MPI_CHK( ecp_w_naf_fixed( naf, naf_len, w, &M ) );
1460 ecp_randomize_coordinates( grp, &Q, f_rng, p_rng );
1464 MPI_CHK( ecp_add_mixed( grp, &Q, &Q, &T[ - naf[i] - 1 ], -1 ) );
1468 MPI_CHK( ecp_add_mixed( grp, &Q, &Q, &T[ naf[i] ], +1 ) );
1475 for( j = 0; j < w; j++ )
1477 MPI_CHK( ecp_double_jac( grp, &Q, &Q ) );
1491 if( T != NULL && ! p_eq_g )
1493 for( i = 0; i < pre_len; i++ )
1567 int (*f_rng)(
void *,
unsigned char *,
size_t),
1571 size_t n_size = (grp->
nbits + 7) / 8;
1588 return(
ecp_mul( grp, Q, d, &grp->
G, f_rng, p_rng ) );
1591 #if defined(POLARSSL_ECP_NIST_OPTIM)
1602 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
1620 for( i = 0; i < 8 /
sizeof(
t_uint ); i++, dst++, src++ )
1622 *dst += c; c = ( *dst < c );
1623 *dst += *src; c += ( *dst < *src );
1629 static inline void carry64(
t_uint *dst,
t_uint *carry )
1632 for( i = 0; i < 8 /
sizeof(
t_uint ); i++, dst++ )
1635 *carry = ( *dst < *carry );
1639 #define WIDTH 8 / sizeof( t_uint )
1640 #define A( i ) N->p + i * WIDTH
1641 #define ADD( i ) add64( p, A( i ), &c )
1642 #define NEXT p += WIDTH; carry64( p, &c )
1643 #define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0
1648 static int ecp_mod_p192(
mpi *N )
1660 ADD( 3 ); ADD( 5 ); NEXT;
1661 ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT;
1662 ADD( 4 ); ADD( 5 ); LAST;
1675 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) || \
1676 defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) || \
1677 defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
1694 #define LOAD32 cur = A( i );
1696 #if defined(POLARSSL_HAVE_INT8)
1698 #define MAX32 N->n / 4
1699 #define A( j ) (uint32_t)( N->p[4*j+0] ) | \
1700 ( N->p[4*j+1] << 8 ) | \
1701 ( N->p[4*j+2] << 16 ) | \
1702 ( N->p[4*j+3] << 24 )
1703 #define STORE32 N->p[4*i+0] = (uint8_t)( cur ); \
1704 N->p[4*i+1] = (uint8_t)( cur >> 8 ); \
1705 N->p[4*i+2] = (uint8_t)( cur >> 16 ); \
1706 N->p[4*i+3] = (uint8_t)( cur >> 24 );
1708 #elif defined(POLARSSL_HAVE_INT16)
1710 #define MAX32 N->n / 2
1711 #define A( j ) (uint32_t)( N->p[2*j] ) | ( N->p[2*j+1] << 16 )
1712 #define STORE32 N->p[2*i+0] = (uint16_t)( cur ); \
1713 N->p[2*i+1] = (uint16_t)( cur >> 16 );
1715 #elif defined(POLARSSL_HAVE_INT32)
1718 #define A( j ) N->p[j]
1719 #define STORE32 N->p[i] = cur;
1723 #define MAX32 N->n * 2
1724 #define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] )
1727 N->p[i/2] &= 0x00000000FFFFFFFF; \
1728 N->p[i/2] |= ((uint64_t) cur) << 32; \
1730 N->p[i/2] &= 0xFFFFFFFF00000000; \
1731 N->p[i/2] |= (uint64_t) cur; \
1739 static inline void add32( uint32_t *dst, uint32_t src,
signed char *carry )
1742 *carry += ( *dst < src );
1745 static inline void sub32( uint32_t *dst, uint32_t src,
signed char *carry )
1747 *carry -= ( *dst < src );
1751 #define ADD( j ) add32( &cur, A( j ), &c );
1752 #define SUB( j ) sub32( &cur, A( j ), &c );
1760 signed char c = 0, cc; \
1762 size_t i = 0, bits = b; \
1764 t_uint Cp[ b / 8 / sizeof( t_uint) + 1 ]; \
1767 C.n = b / 8 / sizeof( t_uint) + 1; \
1769 memset( Cp, 0, C.n * sizeof( t_uint ) ); \
1771 MPI_CHK( mpi_grow( N, b * 2 / 8 / sizeof( t_uint ) ) ); \
1775 STORE32; i++; LOAD32; \
1778 sub32( &cur, -cc, &c ); \
1780 add32( &cur, cc, &c ); \
1784 cur = c > 0 ? c : 0; STORE32; \
1785 cur = 0; while( ++i < MAX32 ) { STORE32; } \
1786 if( c < 0 ) fix_negative( N, c, &C, bits );
1792 static inline int fix_negative(
mpi *N,
signed char c,
mpi *C,
size_t bits )
1797 #if !defined(POLARSSL_HAVE_INT64)
1801 C->
p[ C->
n - 1 ] = ((
t_uint) -c) << 32;
1815 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
1819 static int ecp_mod_p224(
mpi *N )
1823 SUB( 7 ); SUB( 11 ); NEXT;
1824 SUB( 8 ); SUB( 12 ); NEXT;
1825 SUB( 9 ); SUB( 13 ); NEXT;
1826 SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT;
1827 SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT;
1828 SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT;
1829 SUB( 13 ); ADD( 10 ); LAST;
1836 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
1840 static int ecp_mod_p256(
mpi *N )
1845 SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT;
1847 ADD( 9 ); ADD( 10 );
1848 SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT;
1850 ADD( 10 ); ADD( 11 );
1851 SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT;
1853 ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
1854 SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT;
1856 ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
1857 SUB( 9 ); SUB( 10 ); NEXT;
1859 ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
1860 SUB( 10 ); SUB( 11 ); NEXT;
1862 ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
1863 SUB( 8 ); SUB( 9 ); NEXT;
1865 ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
1866 SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST;
1873 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
1877 static int ecp_mod_p384(
mpi *N )
1881 ADD( 12 ); ADD( 21 ); ADD( 20 );
1884 ADD( 13 ); ADD( 22 ); ADD( 23 );
1885 SUB( 12 ); SUB( 20 ); NEXT;
1887 ADD( 14 ); ADD( 23 );
1888 SUB( 13 ); SUB( 21 ); NEXT;
1890 ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
1891 SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT;
1893 ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
1894 SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT;
1896 ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
1899 ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
1902 ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
1905 ADD( 20 ); ADD( 17 ); ADD( 16 );
1908 ADD( 21 ); ADD( 18 ); ADD( 17 );
1911 ADD( 22 ); ADD( 19 ); ADD( 18 );
1914 ADD( 23 ); ADD( 20 ); ADD( 19 );
1934 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
1941 #define P521_WIDTH ( 521 / 8 / sizeof( t_uint ) + 1 )
1944 #if defined(POLARSSL_HAVE_INT8)
1945 #define P521_MASK 0x01
1947 #define P521_MASK 0x01FF
1954 static int ecp_mod_p521(
mpi *N )
1959 t_uint Mp[P521_WIDTH + 1];
1964 if( N->
n < P521_WIDTH )
1969 M.
n = N->
n - ( P521_WIDTH - 1 );
1970 if( M.
n > P521_WIDTH + 1 )
1971 M.
n = P521_WIDTH + 1;
1973 memcpy( Mp, N->
p + P521_WIDTH - 1, M.
n *
sizeof(
t_uint ) );
1977 N->
p[P521_WIDTH - 1] &= P521_MASK;
1978 for( i = P521_WIDTH; i < N->
n; i++ )
1994 #if defined(POLARSSL_SELF_TEST)
2006 unsigned long add_c_prev, dbl_c_prev;
2008 const char *exponents[] =
2010 "000000000000000000000000000000000000000000000000",
2011 "000000000000000000000000000000000000000000000001",
2012 "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831",
2013 "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25",
2014 "400000000000000000000000000000000000000000000000",
2015 "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
2016 "555555555555555555555555555555555555555555555555",
2025 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
2032 printf(
" ECP test #1 (constant op_count, base point G): " );
2043 for( i = 1; i <
sizeof( exponents ) /
sizeof( exponents[0] ); i++ )
2045 add_c_prev = add_count;
2046 dbl_c_prev = dbl_count;
2053 if( add_count != add_c_prev || dbl_count != dbl_c_prev )
2056 printf(
"failed (%zu)\n", i );
2064 printf(
"passed\n" );
2067 printf(
" ECP test #2 (constant op_count, other point): " );
2075 for( i = 1; i <
sizeof( exponents ) /
sizeof( exponents[0] ); i++ )
2077 add_c_prev = add_count;
2078 dbl_c_prev = dbl_count;
2085 if( add_count != add_c_prev || dbl_count != dbl_c_prev )
2088 printf(
"failed (%zu)\n", i );
2096 printf(
"passed\n" );
2100 if( ret < 0 && verbose != 0 )
2101 printf(
"Unexpected error, return code = %08X\n", ret );
int mpi_cmp_int(const mpi *X, t_sint z)
Compare signed values.
#define POLARSSL_ECP_TLS_NAMED_CURVE
ECCurveType's named_curve.
int ecp_sub(const ecp_group *grp, ecp_point *R, const ecp_point *P, const ecp_point *Q)
Subtraction: R = P - Q.
int ecp_check_privkey(const ecp_group *grp, const mpi *d)
Check that an mpi is a valid private key for this curve.
#define POLARSSL_ERR_ECP_BAD_INPUT_DATA
Bad input parameters to function.
void ecp_keypair_init(ecp_keypair *key)
Initialize a key pair (as an invalid one)
int ecp_group_copy(ecp_group *dst, const ecp_group *src)
Copy the contents of a group object.
void *(* polarssl_malloc)(size_t len)
#define POLARSSL_ECP_PF_COMPRESSED
Compressed point format.
const ecp_curve_info * ecp_curve_list(void)
Return the list of supported curves with associated info.
int ecp_self_test(int verbose)
Checkup routine.
Elliptic curves over GF(p)
int mpi_fill_random(mpi *X, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Fill an MPI X with size bytes of random.
int mpi_sub_abs(mpi *X, const mpi *A, const mpi *B)
Unsigned subtraction: X = |A| - |B|.
#define POLARSSL_ERR_ECP_MALLOC_FAILED
Memory allocation failed.
#define POLARSSL_ECP_PF_UNCOMPRESSED
Uncompressed point format.
Configuration options (set of defines)
int mpi_add_int(mpi *X, const mpi *A, t_sint b)
Signed addition: X = A + b.
int mpi_lset(mpi *X, t_sint z)
Set value from integer.
int ecp_mul(ecp_group *grp, ecp_point *R, const mpi *m, const ecp_point *P, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Multiplication by an integer: R = m * P (Not thread-safe to use same group in multiple threads) ...
int ecp_point_read_binary(const ecp_group *grp, ecp_point *P, const unsigned char *buf, size_t ilen)
Import a point from unsigned binary data.
#define POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE
Requested curve not available.
void mpi_init(mpi *X)
Initialize one MPI.
int mpi_cmp_mpi(const mpi *X, const mpi *Y)
Compare signed values.
#define POLARSSL_ECP_WINDOW_SIZE
Maximum NAF width used.
int mpi_shift_r(mpi *X, size_t count)
Right-shift: X >>= count.
#define POLARSSL_ERR_ECP_BUFFER_TOO_SMALL
The buffer is too small to write to.
int mpi_add_mpi(mpi *X, const mpi *A, const mpi *B)
Signed addition: X = A + B.
ECP point structure (jacobian coordinates)
int ecp_is_zero(ecp_point *pt)
Tell if a point is zero.
void ecp_point_init(ecp_point *pt)
Initialize a point (as zero)
void(* polarssl_free)(void *ptr)
const ecp_curve_info * ecp_curve_info_from_grp_id(ecp_group_id grp_id)
Get curve information from an internal group identifier.
int mpi_inv_mod(mpi *X, const mpi *A, const mpi *N)
Modular inverse: X = A^-1 mod N.
int ecp_point_read_string(ecp_point *P, int radix, const char *x, const char *y)
Import a non-zero point from two ASCII strings.
void mpi_free(mpi *X)
Unallocate one MPI.
int mpi_mul_int(mpi *X, const mpi *A, t_sint b)
Baseline multiplication: X = A * b Note: b is an unsigned integer type, thus Negative values of b are...
void ecp_group_free(ecp_group *grp)
Free the components of an ECP group.
int mpi_grow(mpi *X, size_t nblimbs)
Enlarge to the specified number of limbs.
Curve information for use by other modules.
int ecp_tls_write_point(const ecp_group *grp, const ecp_point *pt, int format, size_t *olen, unsigned char *buf, size_t blen)
Export a point as a TLS ECPoint record.
int ecp_gen_keypair(ecp_group *grp, mpi *d, ecp_point *Q, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Generate a keypair.
size_t mpi_msb(const mpi *X)
Return the number of bits up to and including the most significant '1' bit'.
int ecp_use_known_dp(ecp_group *grp, ecp_group_id index)
Set a group using well-known domain parameters.
int mpi_add_abs(mpi *X, const mpi *A, const mpi *B)
Unsigned addition: X = |A| + |B|.
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
int ecp_copy(ecp_point *P, const ecp_point *Q)
Copy the contents of point Q into P.
int mpi_read_binary(mpi *X, const unsigned char *buf, size_t buflen)
Import X from unsigned binary data, big endian.
int ecp_tls_write_group(const ecp_group *grp, size_t *olen, unsigned char *buf, size_t blen)
Write the TLS ECParameters record for a group.
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
int ecp_point_write_binary(const ecp_group *grp, const ecp_point *P, int format, size_t *olen, unsigned char *buf, size_t buflen)
Export a point into unsigned binary data.
void ecp_group_init(ecp_group *grp)
Initialize a group (to something meaningless)
#define POLARSSL_ERR_ECP_RANDOM_FAILED
Generation of random value, such as (ephemeral) key, failed.
size_t mpi_size(const mpi *X)
Return the total size in bytes.
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
int mpi_mod_mpi(mpi *R, const mpi *A, const mpi *B)
Modulo: R = A mod B.
int mpi_get_bit(const mpi *X, size_t pos)
Get a specific bit from X.
int mpi_write_binary(const mpi *X, unsigned char *buf, size_t buflen)
Export X into unsigned binary data, big endian.
int ecp_tls_read_group(ecp_group *grp, const unsigned char **buf, size_t len)
Set a group from a TLS ECParameters record.
int ecp_check_pubkey(const ecp_group *grp, const ecp_point *pt)
Check that a point is a valid public key on this curve.
const ecp_curve_info * ecp_curve_info_from_tls_id(uint16_t tls_id)
Get curve information from a TLS NamedCurve value.
int ecp_add(const ecp_group *grp, ecp_point *R, const ecp_point *P, const ecp_point *Q)
Addition: R = P + Q.
int mpi_mul_mpi(mpi *X, const mpi *A, const mpi *B)
Baseline multiplication: X = A * B.
int ecp_set_zero(ecp_point *pt)
Set a point to zero.
int mpi_sub_mpi(mpi *X, const mpi *A, const mpi *B)
Signed subtraction: X = A - B.
#define POLARSSL_ERR_ECP_INVALID_KEY
Invalid private or public key.
void ecp_keypair_free(ecp_keypair *key)
Free the components of a key pair.
int ecp_tls_read_point(const ecp_group *grp, ecp_point *pt, const unsigned char **buf, size_t len)
Import a point from a TLS ECPoint record.
int ecp_group_read_string(ecp_group *grp, int radix, const char *p, const char *b, const char *gx, const char *gy, const char *n)
Import an ECP group from null-terminated ASCII strings.
void ecp_point_free(ecp_point *pt)
Free the components of a point.