edhoc 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (672)
  1. package/binding.gyp +64 -0
  2. package/external/libedhoc/backends/cbor/include/backend_cbor_bstr_type_decode.h +35 -0
  3. package/external/libedhoc/backends/cbor/include/backend_cbor_bstr_type_encode.h +35 -0
  4. package/external/libedhoc/backends/cbor/include/backend_cbor_bstr_type_types.h +34 -0
  5. package/external/libedhoc/backends/cbor/include/backend_cbor_ead_decode.h +35 -0
  6. package/external/libedhoc/backends/cbor/include/backend_cbor_ead_encode.h +35 -0
  7. package/external/libedhoc/backends/cbor/include/backend_cbor_edhoc_types.h +97 -0
  8. package/external/libedhoc/backends/cbor/include/backend_cbor_enc_structure_decode.h +35 -0
  9. package/external/libedhoc/backends/cbor/include/backend_cbor_enc_structure_encode.h +35 -0
  10. package/external/libedhoc/backends/cbor/include/backend_cbor_enc_structure_types.h +37 -0
  11. package/external/libedhoc/backends/cbor/include/backend_cbor_id_cred_x_decode.h +35 -0
  12. package/external/libedhoc/backends/cbor/include/backend_cbor_id_cred_x_encode.h +35 -0
  13. package/external/libedhoc/backends/cbor/include/backend_cbor_info_decode.h +35 -0
  14. package/external/libedhoc/backends/cbor/include/backend_cbor_info_encode.h +35 -0
  15. package/external/libedhoc/backends/cbor/include/backend_cbor_int_type_decode.h +35 -0
  16. package/external/libedhoc/backends/cbor/include/backend_cbor_int_type_encode.h +35 -0
  17. package/external/libedhoc/backends/cbor/include/backend_cbor_int_type_types.h +34 -0
  18. package/external/libedhoc/backends/cbor/include/backend_cbor_message_1_decode.h +35 -0
  19. package/external/libedhoc/backends/cbor/include/backend_cbor_message_1_encode.h +35 -0
  20. package/external/libedhoc/backends/cbor/include/backend_cbor_message_2_decode.h +35 -0
  21. package/external/libedhoc/backends/cbor/include/backend_cbor_message_2_encode.h +35 -0
  22. package/external/libedhoc/backends/cbor/include/backend_cbor_message_3_decode.h +35 -0
  23. package/external/libedhoc/backends/cbor/include/backend_cbor_message_3_encode.h +35 -0
  24. package/external/libedhoc/backends/cbor/include/backend_cbor_message_4_decode.h +35 -0
  25. package/external/libedhoc/backends/cbor/include/backend_cbor_message_4_encode.h +35 -0
  26. package/external/libedhoc/backends/cbor/include/backend_cbor_message_error_decode.h +35 -0
  27. package/external/libedhoc/backends/cbor/include/backend_cbor_message_error_encode.h +35 -0
  28. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_2_decode.h +35 -0
  29. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_2_encode.h +35 -0
  30. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_3_decode.h +35 -0
  31. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_3_encode.h +35 -0
  32. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_4_decode.h +35 -0
  33. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_4_encode.h +35 -0
  34. package/external/libedhoc/backends/cbor/include/backend_cbor_sig_structure_decode.h +35 -0
  35. package/external/libedhoc/backends/cbor/include/backend_cbor_sig_structure_encode.h +35 -0
  36. package/external/libedhoc/backends/cbor/include/backend_cbor_sig_structure_types.h +38 -0
  37. package/external/libedhoc/backends/cbor/include/backend_cbor_x509_types.h +170 -0
  38. package/external/libedhoc/backends/cbor/src/backend_cbor_bstr_type_decode.c +59 -0
  39. package/external/libedhoc/backends/cbor/src/backend_cbor_bstr_type_encode.c +59 -0
  40. package/external/libedhoc/backends/cbor/src/backend_cbor_ead_decode.c +74 -0
  41. package/external/libedhoc/backends/cbor/src/backend_cbor_ead_encode.c +74 -0
  42. package/external/libedhoc/backends/cbor/src/backend_cbor_enc_structure_decode.c +62 -0
  43. package/external/libedhoc/backends/cbor/src/backend_cbor_enc_structure_encode.c +62 -0
  44. package/external/libedhoc/backends/cbor/src/backend_cbor_id_cred_x_decode.c +141 -0
  45. package/external/libedhoc/backends/cbor/src/backend_cbor_id_cred_x_encode.c +141 -0
  46. package/external/libedhoc/backends/cbor/src/backend_cbor_info_decode.c +61 -0
  47. package/external/libedhoc/backends/cbor/src/backend_cbor_info_encode.c +61 -0
  48. package/external/libedhoc/backends/cbor/src/backend_cbor_int_type_decode.c +59 -0
  49. package/external/libedhoc/backends/cbor/src/backend_cbor_int_type_encode.c +59 -0
  50. package/external/libedhoc/backends/cbor/src/backend_cbor_message_1_decode.c +112 -0
  51. package/external/libedhoc/backends/cbor/src/backend_cbor_message_1_encode.c +112 -0
  52. package/external/libedhoc/backends/cbor/src/backend_cbor_message_2_decode.c +59 -0
  53. package/external/libedhoc/backends/cbor/src/backend_cbor_message_2_encode.c +59 -0
  54. package/external/libedhoc/backends/cbor/src/backend_cbor_message_3_decode.c +59 -0
  55. package/external/libedhoc/backends/cbor/src/backend_cbor_message_3_encode.c +59 -0
  56. package/external/libedhoc/backends/cbor/src/backend_cbor_message_4_decode.c +59 -0
  57. package/external/libedhoc/backends/cbor/src/backend_cbor_message_4_encode.c +59 -0
  58. package/external/libedhoc/backends/cbor/src/backend_cbor_message_error_decode.c +93 -0
  59. package/external/libedhoc/backends/cbor/src/backend_cbor_message_error_encode.c +93 -0
  60. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_2_decode.c +193 -0
  61. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_2_encode.c +194 -0
  62. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_3_decode.c +189 -0
  63. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_3_encode.c +189 -0
  64. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_4_decode.c +88 -0
  65. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_4_encode.c +88 -0
  66. package/external/libedhoc/backends/cbor/src/backend_cbor_sig_structure_decode.c +63 -0
  67. package/external/libedhoc/backends/cbor/src/backend_cbor_sig_structure_encode.c +63 -0
  68. package/external/libedhoc/externals/compact25519/src/c25519/c25519.c +126 -0
  69. package/external/libedhoc/externals/compact25519/src/c25519/c25519.h +49 -0
  70. package/external/libedhoc/externals/compact25519/src/c25519/ed25519.c +323 -0
  71. package/external/libedhoc/externals/compact25519/src/c25519/ed25519.h +84 -0
  72. package/external/libedhoc/externals/compact25519/src/c25519/edsign.c +171 -0
  73. package/external/libedhoc/externals/compact25519/src/c25519/edsign.h +53 -0
  74. package/external/libedhoc/externals/compact25519/src/c25519/f25519.c +330 -0
  75. package/external/libedhoc/externals/compact25519/src/c25519/f25519.h +98 -0
  76. package/external/libedhoc/externals/compact25519/src/c25519/fprime.c +226 -0
  77. package/external/libedhoc/externals/compact25519/src/c25519/fprime.h +81 -0
  78. package/external/libedhoc/externals/compact25519/src/c25519/sha512.c +230 -0
  79. package/external/libedhoc/externals/compact25519/src/c25519/sha512.h +54 -0
  80. package/external/libedhoc/externals/compact25519/src/compact_ed25519.c +46 -0
  81. package/external/libedhoc/externals/compact25519/src/compact_ed25519.h +110 -0
  82. package/external/libedhoc/externals/compact25519/src/compact_wipe.c +12 -0
  83. package/external/libedhoc/externals/compact25519/src/compact_wipe.h +14 -0
  84. package/external/libedhoc/externals/compact25519/src/compact_x25519.c +68 -0
  85. package/external/libedhoc/externals/compact25519/src/compact_x25519.h +101 -0
  86. package/external/libedhoc/externals/compact25519/test/pcg_random.h +25 -0
  87. package/external/libedhoc/externals/compact25519/test/run-all.c +178 -0
  88. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/Hacl_Curve25519.h +21 -0
  89. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/everest.h +234 -0
  90. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlib/FStar_UInt128.h +124 -0
  91. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h +280 -0
  92. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlib.h +29 -0
  93. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/c_endianness.h +204 -0
  94. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/builtin.h +16 -0
  95. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/callconv.h +46 -0
  96. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/compat.h +34 -0
  97. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/debug.h +57 -0
  98. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/target.h +102 -0
  99. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/types.h +61 -0
  100. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/wasmsupport.h +5 -0
  101. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/vs2013/Hacl_Curve25519.h +21 -0
  102. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/vs2013/inttypes.h +36 -0
  103. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/vs2013/stdbool.h +31 -0
  104. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/x25519.h +190 -0
  105. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/Hacl_Curve25519.c +760 -0
  106. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/Hacl_Curve25519_joined.c +50 -0
  107. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/everest.c +102 -0
  108. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/kremlib/FStar_UInt128_extracted.c +413 -0
  109. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.c +100 -0
  110. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/legacy/Hacl_Curve25519.c +805 -0
  111. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/x25519.c +186 -0
  112. package/external/libedhoc/externals/mbedtls/3rdparty/p256-m/p256-m/p256-m.c +1514 -0
  113. package/external/libedhoc/externals/mbedtls/3rdparty/p256-m/p256-m/p256-m.h +135 -0
  114. package/external/libedhoc/externals/mbedtls/3rdparty/p256-m/p256-m_driver_entrypoints.c +312 -0
  115. package/external/libedhoc/externals/mbedtls/3rdparty/p256-m/p256-m_driver_entrypoints.h +219 -0
  116. package/external/libedhoc/externals/mbedtls/configs/config-ccm-psk-dtls1_2.h +92 -0
  117. package/external/libedhoc/externals/mbedtls/configs/config-ccm-psk-tls1_2.h +83 -0
  118. package/external/libedhoc/externals/mbedtls/configs/config-no-entropy.h +73 -0
  119. package/external/libedhoc/externals/mbedtls/configs/config-suite-b.h +106 -0
  120. package/external/libedhoc/externals/mbedtls/configs/config-symmetric-only.h +77 -0
  121. package/external/libedhoc/externals/mbedtls/configs/config-thread.h +76 -0
  122. package/external/libedhoc/externals/mbedtls/configs/crypto-config-ccm-aes-sha256.h +25 -0
  123. package/external/libedhoc/externals/mbedtls/configs/crypto_config_profile_medium.h +136 -0
  124. package/external/libedhoc/externals/mbedtls/configs/tfm_mbedcrypto_config_profile_medium.h +609 -0
  125. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_encdec.h +54 -0
  126. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_hashing.h +30 -0
  127. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_mainpage.h +19 -0
  128. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_rng.h +27 -0
  129. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_ssltls.h +37 -0
  130. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_tcpip.h +32 -0
  131. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_x509.h +31 -0
  132. package/external/libedhoc/externals/mbedtls/include/mbedtls/aes.h +627 -0
  133. package/external/libedhoc/externals/mbedtls/include/mbedtls/aria.h +341 -0
  134. package/external/libedhoc/externals/mbedtls/include/mbedtls/asn1.h +641 -0
  135. package/external/libedhoc/externals/mbedtls/include/mbedtls/asn1write.h +389 -0
  136. package/external/libedhoc/externals/mbedtls/include/mbedtls/base64.h +82 -0
  137. package/external/libedhoc/externals/mbedtls/include/mbedtls/bignum.h +1084 -0
  138. package/external/libedhoc/externals/mbedtls/include/mbedtls/build_info.h +146 -0
  139. package/external/libedhoc/externals/mbedtls/include/mbedtls/camellia.h +303 -0
  140. package/external/libedhoc/externals/mbedtls/include/mbedtls/ccm.h +518 -0
  141. package/external/libedhoc/externals/mbedtls/include/mbedtls/chacha20.h +202 -0
  142. package/external/libedhoc/externals/mbedtls/include/mbedtls/chachapoly.h +342 -0
  143. package/external/libedhoc/externals/mbedtls/include/mbedtls/check_config.h +1206 -0
  144. package/external/libedhoc/externals/mbedtls/include/mbedtls/cipher.h +1183 -0
  145. package/external/libedhoc/externals/mbedtls/include/mbedtls/cmac.h +246 -0
  146. package/external/libedhoc/externals/mbedtls/include/mbedtls/compat-2.x.h +46 -0
  147. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h +183 -0
  148. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h +877 -0
  149. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h +334 -0
  150. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h +142 -0
  151. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_ssl.h +76 -0
  152. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_x509.h +25 -0
  153. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_psa.h +55 -0
  154. package/external/libedhoc/externals/mbedtls/include/mbedtls/constant_time.h +36 -0
  155. package/external/libedhoc/externals/mbedtls/include/mbedtls/ctr_drbg.h +564 -0
  156. package/external/libedhoc/externals/mbedtls/include/mbedtls/debug.h +308 -0
  157. package/external/libedhoc/externals/mbedtls/include/mbedtls/des.h +385 -0
  158. package/external/libedhoc/externals/mbedtls/include/mbedtls/dhm.h +972 -0
  159. package/external/libedhoc/externals/mbedtls/include/mbedtls/ecdh.h +441 -0
  160. package/external/libedhoc/externals/mbedtls/include/mbedtls/ecdsa.h +671 -0
  161. package/external/libedhoc/externals/mbedtls/include/mbedtls/ecjpake.h +298 -0
  162. package/external/libedhoc/externals/mbedtls/include/mbedtls/ecp.h +1362 -0
  163. package/external/libedhoc/externals/mbedtls/include/mbedtls/entropy.h +273 -0
  164. package/external/libedhoc/externals/mbedtls/include/mbedtls/error.h +201 -0
  165. package/external/libedhoc/externals/mbedtls/include/mbedtls/gcm.h +370 -0
  166. package/external/libedhoc/externals/mbedtls/include/mbedtls/hkdf.h +124 -0
  167. package/external/libedhoc/externals/mbedtls/include/mbedtls/hmac_drbg.h +434 -0
  168. package/external/libedhoc/externals/mbedtls/include/mbedtls/lms.h +440 -0
  169. package/external/libedhoc/externals/mbedtls/include/mbedtls/mbedtls_config.h +4116 -0
  170. package/external/libedhoc/externals/mbedtls/include/mbedtls/md.h +640 -0
  171. package/external/libedhoc/externals/mbedtls/include/mbedtls/md5.h +190 -0
  172. package/external/libedhoc/externals/mbedtls/include/mbedtls/memory_buffer_alloc.h +142 -0
  173. package/external/libedhoc/externals/mbedtls/include/mbedtls/net_sockets.h +299 -0
  174. package/external/libedhoc/externals/mbedtls/include/mbedtls/nist_kw.h +166 -0
  175. package/external/libedhoc/externals/mbedtls/include/mbedtls/oid.h +722 -0
  176. package/external/libedhoc/externals/mbedtls/include/mbedtls/pem.h +160 -0
  177. package/external/libedhoc/externals/mbedtls/include/mbedtls/pk.h +1091 -0
  178. package/external/libedhoc/externals/mbedtls/include/mbedtls/pkcs12.h +186 -0
  179. package/external/libedhoc/externals/mbedtls/include/mbedtls/pkcs5.h +197 -0
  180. package/external/libedhoc/externals/mbedtls/include/mbedtls/pkcs7.h +241 -0
  181. package/external/libedhoc/externals/mbedtls/include/mbedtls/platform.h +485 -0
  182. package/external/libedhoc/externals/mbedtls/include/mbedtls/platform_time.h +79 -0
  183. package/external/libedhoc/externals/mbedtls/include/mbedtls/platform_util.h +201 -0
  184. package/external/libedhoc/externals/mbedtls/include/mbedtls/poly1305.h +168 -0
  185. package/external/libedhoc/externals/mbedtls/include/mbedtls/private_access.h +20 -0
  186. package/external/libedhoc/externals/mbedtls/include/mbedtls/psa_util.h +104 -0
  187. package/external/libedhoc/externals/mbedtls/include/mbedtls/ripemd160.h +136 -0
  188. package/external/libedhoc/externals/mbedtls/include/mbedtls/rsa.h +1143 -0
  189. package/external/libedhoc/externals/mbedtls/include/mbedtls/sha1.h +219 -0
  190. package/external/libedhoc/externals/mbedtls/include/mbedtls/sha256.h +198 -0
  191. package/external/libedhoc/externals/mbedtls/include/mbedtls/sha3.h +172 -0
  192. package/external/libedhoc/externals/mbedtls/include/mbedtls/sha512.h +208 -0
  193. package/external/libedhoc/externals/mbedtls/include/mbedtls/ssl.h +5369 -0
  194. package/external/libedhoc/externals/mbedtls/include/mbedtls/ssl_cache.h +187 -0
  195. package/external/libedhoc/externals/mbedtls/include/mbedtls/ssl_ciphersuites.h +616 -0
  196. package/external/libedhoc/externals/mbedtls/include/mbedtls/ssl_cookie.h +106 -0
  197. package/external/libedhoc/externals/mbedtls/include/mbedtls/ssl_ticket.h +181 -0
  198. package/external/libedhoc/externals/mbedtls/include/mbedtls/threading.h +105 -0
  199. package/external/libedhoc/externals/mbedtls/include/mbedtls/timing.h +94 -0
  200. package/external/libedhoc/externals/mbedtls/include/mbedtls/version.h +78 -0
  201. package/external/libedhoc/externals/mbedtls/include/mbedtls/x509.h +550 -0
  202. package/external/libedhoc/externals/mbedtls/include/mbedtls/x509_crl.h +184 -0
  203. package/external/libedhoc/externals/mbedtls/include/mbedtls/x509_crt.h +1196 -0
  204. package/external/libedhoc/externals/mbedtls/include/mbedtls/x509_csr.h +319 -0
  205. package/external/libedhoc/externals/mbedtls/include/psa/build_info.h +20 -0
  206. package/external/libedhoc/externals/mbedtls/include/psa/crypto.h +4685 -0
  207. package/external/libedhoc/externals/mbedtls/include/psa/crypto_adjust_auto_enabled.h +21 -0
  208. package/external/libedhoc/externals/mbedtls/include/psa/crypto_adjust_config_key_pair_types.h +91 -0
  209. package/external/libedhoc/externals/mbedtls/include/psa/crypto_adjust_config_synonyms.h +45 -0
  210. package/external/libedhoc/externals/mbedtls/include/psa/crypto_builtin_composites.h +210 -0
  211. package/external/libedhoc/externals/mbedtls/include/psa/crypto_builtin_key_derivation.h +118 -0
  212. package/external/libedhoc/externals/mbedtls/include/psa/crypto_builtin_primitives.h +114 -0
  213. package/external/libedhoc/externals/mbedtls/include/psa/crypto_compat.h +153 -0
  214. package/external/libedhoc/externals/mbedtls/include/psa/crypto_config.h +153 -0
  215. package/external/libedhoc/externals/mbedtls/include/psa/crypto_driver_common.h +44 -0
  216. package/external/libedhoc/externals/mbedtls/include/psa/crypto_driver_contexts_composites.h +151 -0
  217. package/external/libedhoc/externals/mbedtls/include/psa/crypto_driver_contexts_key_derivation.h +52 -0
  218. package/external/libedhoc/externals/mbedtls/include/psa/crypto_driver_contexts_primitives.h +105 -0
  219. package/external/libedhoc/externals/mbedtls/include/psa/crypto_extra.h +2064 -0
  220. package/external/libedhoc/externals/mbedtls/include/psa/crypto_legacy.h +88 -0
  221. package/external/libedhoc/externals/mbedtls/include/psa/crypto_platform.h +92 -0
  222. package/external/libedhoc/externals/mbedtls/include/psa/crypto_se_driver.h +1383 -0
  223. package/external/libedhoc/externals/mbedtls/include/psa/crypto_sizes.h +1282 -0
  224. package/external/libedhoc/externals/mbedtls/include/psa/crypto_struct.h +460 -0
  225. package/external/libedhoc/externals/mbedtls/include/psa/crypto_types.h +453 -0
  226. package/external/libedhoc/externals/mbedtls/include/psa/crypto_values.h +2756 -0
  227. package/external/libedhoc/externals/mbedtls/library/aes.c +2315 -0
  228. package/external/libedhoc/externals/mbedtls/library/aesce.c +503 -0
  229. package/external/libedhoc/externals/mbedtls/library/aesce.h +121 -0
  230. package/external/libedhoc/externals/mbedtls/library/aesni.c +802 -0
  231. package/external/libedhoc/externals/mbedtls/library/aesni.h +158 -0
  232. package/external/libedhoc/externals/mbedtls/library/alignment.h +509 -0
  233. package/external/libedhoc/externals/mbedtls/library/aria.c +991 -0
  234. package/external/libedhoc/externals/mbedtls/library/asn1parse.c +467 -0
  235. package/external/libedhoc/externals/mbedtls/library/asn1write.c +436 -0
  236. package/external/libedhoc/externals/mbedtls/library/base64.c +299 -0
  237. package/external/libedhoc/externals/mbedtls/library/base64_internal.h +45 -0
  238. package/external/libedhoc/externals/mbedtls/library/bignum.c +2806 -0
  239. package/external/libedhoc/externals/mbedtls/library/bignum_core.c +894 -0
  240. package/external/libedhoc/externals/mbedtls/library/bignum_core.h +763 -0
  241. package/external/libedhoc/externals/mbedtls/library/bignum_mod.c +394 -0
  242. package/external/libedhoc/externals/mbedtls/library/bignum_mod.h +452 -0
  243. package/external/libedhoc/externals/mbedtls/library/bignum_mod_raw.c +276 -0
  244. package/external/libedhoc/externals/mbedtls/library/bignum_mod_raw.h +416 -0
  245. package/external/libedhoc/externals/mbedtls/library/bignum_mod_raw_invasive.h +34 -0
  246. package/external/libedhoc/externals/mbedtls/library/bn_mul.h +1094 -0
  247. package/external/libedhoc/externals/mbedtls/library/camellia.c +1044 -0
  248. package/external/libedhoc/externals/mbedtls/library/ccm.c +712 -0
  249. package/external/libedhoc/externals/mbedtls/library/chacha20.c +497 -0
  250. package/external/libedhoc/externals/mbedtls/library/chachapoly.c +478 -0
  251. package/external/libedhoc/externals/mbedtls/library/check_crypto_config.h +141 -0
  252. package/external/libedhoc/externals/mbedtls/library/cipher.c +1664 -0
  253. package/external/libedhoc/externals/mbedtls/library/cipher_wrap.c +2422 -0
  254. package/external/libedhoc/externals/mbedtls/library/cipher_wrap.h +132 -0
  255. package/external/libedhoc/externals/mbedtls/library/cmac.c +1067 -0
  256. package/external/libedhoc/externals/mbedtls/library/common.h +325 -0
  257. package/external/libedhoc/externals/mbedtls/library/constant_time.c +261 -0
  258. package/external/libedhoc/externals/mbedtls/library/constant_time_impl.h +554 -0
  259. package/external/libedhoc/externals/mbedtls/library/constant_time_internal.h +579 -0
  260. package/external/libedhoc/externals/mbedtls/library/ctr_drbg.c +881 -0
  261. package/external/libedhoc/externals/mbedtls/library/debug.c +465 -0
  262. package/external/libedhoc/externals/mbedtls/library/des.c +1042 -0
  263. package/external/libedhoc/externals/mbedtls/library/dhm.c +712 -0
  264. package/external/libedhoc/externals/mbedtls/library/ecdh.c +685 -0
  265. package/external/libedhoc/externals/mbedtls/library/ecdsa.c +867 -0
  266. package/external/libedhoc/externals/mbedtls/library/ecjpake.c +1216 -0
  267. package/external/libedhoc/externals/mbedtls/library/ecp.c +3631 -0
  268. package/external/libedhoc/externals/mbedtls/library/ecp_curves.c +5467 -0
  269. package/external/libedhoc/externals/mbedtls/library/ecp_curves_new.c +6043 -0
  270. package/external/libedhoc/externals/mbedtls/library/ecp_internal_alt.h +287 -0
  271. package/external/libedhoc/externals/mbedtls/library/ecp_invasive.h +325 -0
  272. package/external/libedhoc/externals/mbedtls/library/entropy.c +676 -0
  273. package/external/libedhoc/externals/mbedtls/library/entropy_poll.c +229 -0
  274. package/external/libedhoc/externals/mbedtls/library/entropy_poll.h +64 -0
  275. package/external/libedhoc/externals/mbedtls/library/error.c +878 -0
  276. package/external/libedhoc/externals/mbedtls/library/gcm.c +1168 -0
  277. package/external/libedhoc/externals/mbedtls/library/hkdf.c +161 -0
  278. package/external/libedhoc/externals/mbedtls/library/hmac_drbg.c +633 -0
  279. package/external/libedhoc/externals/mbedtls/library/lmots.c +821 -0
  280. package/external/libedhoc/externals/mbedtls/library/lmots.h +311 -0
  281. package/external/libedhoc/externals/mbedtls/library/lms.c +779 -0
  282. package/external/libedhoc/externals/mbedtls/library/md.c +1108 -0
  283. package/external/libedhoc/externals/mbedtls/library/md5.c +426 -0
  284. package/external/libedhoc/externals/mbedtls/library/md_psa.h +63 -0
  285. package/external/libedhoc/externals/mbedtls/library/md_wrap.h +46 -0
  286. package/external/libedhoc/externals/mbedtls/library/memory_buffer_alloc.c +745 -0
  287. package/external/libedhoc/externals/mbedtls/library/mps_common.h +181 -0
  288. package/external/libedhoc/externals/mbedtls/library/mps_error.h +89 -0
  289. package/external/libedhoc/externals/mbedtls/library/mps_reader.c +538 -0
  290. package/external/libedhoc/externals/mbedtls/library/mps_reader.h +366 -0
  291. package/external/libedhoc/externals/mbedtls/library/mps_trace.c +112 -0
  292. package/external/libedhoc/externals/mbedtls/library/mps_trace.h +154 -0
  293. package/external/libedhoc/externals/mbedtls/library/net_sockets.c +696 -0
  294. package/external/libedhoc/externals/mbedtls/library/nist_kw.c +725 -0
  295. package/external/libedhoc/externals/mbedtls/library/oid.c +1154 -0
  296. package/external/libedhoc/externals/mbedtls/library/padlock.c +155 -0
  297. package/external/libedhoc/externals/mbedtls/library/padlock.h +111 -0
  298. package/external/libedhoc/externals/mbedtls/library/pem.c +520 -0
  299. package/external/libedhoc/externals/mbedtls/library/pk.c +970 -0
  300. package/external/libedhoc/externals/mbedtls/library/pk_internal.h +118 -0
  301. package/external/libedhoc/externals/mbedtls/library/pk_wrap.c +1834 -0
  302. package/external/libedhoc/externals/mbedtls/library/pk_wrap.h +156 -0
  303. package/external/libedhoc/externals/mbedtls/library/pkcs12.c +447 -0
  304. package/external/libedhoc/externals/mbedtls/library/pkcs5.c +496 -0
  305. package/external/libedhoc/externals/mbedtls/library/pkcs7.c +773 -0
  306. package/external/libedhoc/externals/mbedtls/library/pkparse.c +1845 -0
  307. package/external/libedhoc/externals/mbedtls/library/pkwrite.c +836 -0
  308. package/external/libedhoc/externals/mbedtls/library/pkwrite.h +112 -0
  309. package/external/libedhoc/externals/mbedtls/library/platform.c +402 -0
  310. package/external/libedhoc/externals/mbedtls/library/platform_util.c +285 -0
  311. package/external/libedhoc/externals/mbedtls/library/poly1305.c +492 -0
  312. package/external/libedhoc/externals/mbedtls/library/psa_crypto.c +8432 -0
  313. package/external/libedhoc/externals/mbedtls/library/psa_crypto_aead.c +653 -0
  314. package/external/libedhoc/externals/mbedtls/library/psa_crypto_aead.h +499 -0
  315. package/external/libedhoc/externals/mbedtls/library/psa_crypto_cipher.c +590 -0
  316. package/external/libedhoc/externals/mbedtls/library/psa_crypto_cipher.h +293 -0
  317. package/external/libedhoc/externals/mbedtls/library/psa_crypto_client.c +67 -0
  318. package/external/libedhoc/externals/mbedtls/library/psa_crypto_core.h +838 -0
  319. package/external/libedhoc/externals/mbedtls/library/psa_crypto_core_common.h +52 -0
  320. package/external/libedhoc/externals/mbedtls/library/psa_crypto_driver_wrappers.h +2871 -0
  321. package/external/libedhoc/externals/mbedtls/library/psa_crypto_driver_wrappers_no_static.c +256 -0
  322. package/external/libedhoc/externals/mbedtls/library/psa_crypto_driver_wrappers_no_static.h +31 -0
  323. package/external/libedhoc/externals/mbedtls/library/psa_crypto_ecp.c +561 -0
  324. package/external/libedhoc/externals/mbedtls/library/psa_crypto_ecp.h +267 -0
  325. package/external/libedhoc/externals/mbedtls/library/psa_crypto_ffdh.c +295 -0
  326. package/external/libedhoc/externals/mbedtls/library/psa_crypto_ffdh.h +132 -0
  327. package/external/libedhoc/externals/mbedtls/library/psa_crypto_hash.c +470 -0
  328. package/external/libedhoc/externals/mbedtls/library/psa_crypto_hash.h +211 -0
  329. package/external/libedhoc/externals/mbedtls/library/psa_crypto_invasive.h +70 -0
  330. package/external/libedhoc/externals/mbedtls/library/psa_crypto_its.h +131 -0
  331. package/external/libedhoc/externals/mbedtls/library/psa_crypto_mac.c +496 -0
  332. package/external/libedhoc/externals/mbedtls/library/psa_crypto_mac.h +264 -0
  333. package/external/libedhoc/externals/mbedtls/library/psa_crypto_pake.c +571 -0
  334. package/external/libedhoc/externals/mbedtls/library/psa_crypto_pake.h +159 -0
  335. package/external/libedhoc/externals/mbedtls/library/psa_crypto_random_impl.h +192 -0
  336. package/external/libedhoc/externals/mbedtls/library/psa_crypto_rsa.c +727 -0
  337. package/external/libedhoc/externals/mbedtls/library/psa_crypto_rsa.h +317 -0
  338. package/external/libedhoc/externals/mbedtls/library/psa_crypto_se.c +373 -0
  339. package/external/libedhoc/externals/mbedtls/library/psa_crypto_se.h +185 -0
  340. package/external/libedhoc/externals/mbedtls/library/psa_crypto_slot_management.c +559 -0
  341. package/external/libedhoc/externals/mbedtls/library/psa_crypto_slot_management.h +213 -0
  342. package/external/libedhoc/externals/mbedtls/library/psa_crypto_storage.c +481 -0
  343. package/external/libedhoc/externals/mbedtls/library/psa_crypto_storage.h +384 -0
  344. package/external/libedhoc/externals/mbedtls/library/psa_its_file.c +259 -0
  345. package/external/libedhoc/externals/mbedtls/library/psa_util.c +160 -0
  346. package/external/libedhoc/externals/mbedtls/library/psa_util_internal.h +96 -0
  347. package/external/libedhoc/externals/mbedtls/library/ripemd160.c +490 -0
  348. package/external/libedhoc/externals/mbedtls/library/rsa.c +2640 -0
  349. package/external/libedhoc/externals/mbedtls/library/rsa_alt_helpers.c +447 -0
  350. package/external/libedhoc/externals/mbedtls/library/rsa_alt_helpers.h +208 -0
  351. package/external/libedhoc/externals/mbedtls/library/sha1.c +480 -0
  352. package/external/libedhoc/externals/mbedtls/library/sha256.c +946 -0
  353. package/external/libedhoc/externals/mbedtls/library/sha3.c +626 -0
  354. package/external/libedhoc/externals/mbedtls/library/sha512.c +1111 -0
  355. package/external/libedhoc/externals/mbedtls/library/ssl_cache.c +410 -0
  356. package/external/libedhoc/externals/mbedtls/library/ssl_ciphersuites.c +2050 -0
  357. package/external/libedhoc/externals/mbedtls/library/ssl_client.c +1017 -0
  358. package/external/libedhoc/externals/mbedtls/library/ssl_client.h +22 -0
  359. package/external/libedhoc/externals/mbedtls/library/ssl_cookie.c +380 -0
  360. package/external/libedhoc/externals/mbedtls/library/ssl_debug_helpers.h +78 -0
  361. package/external/libedhoc/externals/mbedtls/library/ssl_debug_helpers_generated.c +234 -0
  362. package/external/libedhoc/externals/mbedtls/library/ssl_misc.h +2847 -0
  363. package/external/libedhoc/externals/mbedtls/library/ssl_msg.c +6155 -0
  364. package/external/libedhoc/externals/mbedtls/library/ssl_ticket.c +540 -0
  365. package/external/libedhoc/externals/mbedtls/library/ssl_tls.c +9577 -0
  366. package/external/libedhoc/externals/mbedtls/library/ssl_tls12_client.c +3607 -0
  367. package/external/libedhoc/externals/mbedtls/library/ssl_tls12_server.c +4403 -0
  368. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_client.c +3046 -0
  369. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_generic.c +1740 -0
  370. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_invasive.h +23 -0
  371. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_keys.c +1897 -0
  372. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_keys.h +651 -0
  373. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_server.c +3146 -0
  374. package/external/libedhoc/externals/mbedtls/library/threading.c +181 -0
  375. package/external/libedhoc/externals/mbedtls/library/timing.c +154 -0
  376. package/external/libedhoc/externals/mbedtls/library/version.c +32 -0
  377. package/external/libedhoc/externals/mbedtls/library/version_features.c +826 -0
  378. package/external/libedhoc/externals/mbedtls/library/x509.c +1776 -0
  379. package/external/libedhoc/externals/mbedtls/library/x509_create.c +557 -0
  380. package/external/libedhoc/externals/mbedtls/library/x509_crl.c +712 -0
  381. package/external/libedhoc/externals/mbedtls/library/x509_crt.c +3292 -0
  382. package/external/libedhoc/externals/mbedtls/library/x509_csr.c +574 -0
  383. package/external/libedhoc/externals/mbedtls/library/x509write.c +174 -0
  384. package/external/libedhoc/externals/mbedtls/library/x509write_crt.c +681 -0
  385. package/external/libedhoc/externals/mbedtls/library/x509write_csr.c +331 -0
  386. package/external/libedhoc/externals/mbedtls/programs/aes/crypt_and_hash.c +573 -0
  387. package/external/libedhoc/externals/mbedtls/programs/cipher/cipher_aead_demo.c +259 -0
  388. package/external/libedhoc/externals/mbedtls/programs/fuzz/common.c +105 -0
  389. package/external/libedhoc/externals/mbedtls/programs/fuzz/common.h +25 -0
  390. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_client.c +195 -0
  391. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_dtlsclient.c +138 -0
  392. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_dtlsserver.c +183 -0
  393. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_pkcs7.c +20 -0
  394. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_privkey.c +106 -0
  395. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_pubkey.c +86 -0
  396. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_server.c +218 -0
  397. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_x509crl.c +41 -0
  398. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_x509crt.c +41 -0
  399. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_x509csr.c +41 -0
  400. package/external/libedhoc/externals/mbedtls/programs/fuzz/onefile.c +69 -0
  401. package/external/libedhoc/externals/mbedtls/programs/hash/generic_sum.c +209 -0
  402. package/external/libedhoc/externals/mbedtls/programs/hash/hello.c +45 -0
  403. package/external/libedhoc/externals/mbedtls/programs/hash/md_hmac_demo.c +136 -0
  404. package/external/libedhoc/externals/mbedtls/programs/pkey/dh_client.c +274 -0
  405. package/external/libedhoc/externals/mbedtls/programs/pkey/dh_genprime.c +161 -0
  406. package/external/libedhoc/externals/mbedtls/programs/pkey/dh_server.c +296 -0
  407. package/external/libedhoc/externals/mbedtls/programs/pkey/ecdh_curve25519.c +189 -0
  408. package/external/libedhoc/externals/mbedtls/programs/pkey/ecdsa.c +217 -0
  409. package/external/libedhoc/externals/mbedtls/programs/pkey/gen_key.c +419 -0
  410. package/external/libedhoc/externals/mbedtls/programs/pkey/key_app.c +316 -0
  411. package/external/libedhoc/externals/mbedtls/programs/pkey/key_app_writer.c +435 -0
  412. package/external/libedhoc/externals/mbedtls/programs/pkey/mpi_demo.c +84 -0
  413. package/external/libedhoc/externals/mbedtls/programs/pkey/pk_decrypt.c +153 -0
  414. package/external/libedhoc/externals/mbedtls/programs/pkey/pk_encrypt.c +154 -0
  415. package/external/libedhoc/externals/mbedtls/programs/pkey/pk_sign.c +155 -0
  416. package/external/libedhoc/externals/mbedtls/programs/pkey/pk_verify.c +128 -0
  417. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_decrypt.c +172 -0
  418. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_encrypt.c +149 -0
  419. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_genkey.c +141 -0
  420. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_sign.c +155 -0
  421. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_sign_pss.c +161 -0
  422. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_verify.c +131 -0
  423. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_verify_pss.c +136 -0
  424. package/external/libedhoc/externals/mbedtls/programs/psa/aead_demo.c +281 -0
  425. package/external/libedhoc/externals/mbedtls/programs/psa/crypto_examples.c +321 -0
  426. package/external/libedhoc/externals/mbedtls/programs/psa/hmac_demo.c +159 -0
  427. package/external/libedhoc/externals/mbedtls/programs/psa/key_ladder_demo.c +691 -0
  428. package/external/libedhoc/externals/mbedtls/programs/psa/psa_constant_names.c +310 -0
  429. package/external/libedhoc/externals/mbedtls/programs/psa/psa_constant_names_generated.c +474 -0
  430. package/external/libedhoc/externals/mbedtls/programs/random/gen_entropy.c +75 -0
  431. package/external/libedhoc/externals/mbedtls/programs/random/gen_random_ctr_drbg.c +107 -0
  432. package/external/libedhoc/externals/mbedtls/programs/ssl/dtls_client.c +342 -0
  433. package/external/libedhoc/externals/mbedtls/programs/ssl/dtls_server.c +408 -0
  434. package/external/libedhoc/externals/mbedtls/programs/ssl/mini_client.c +274 -0
  435. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_client1.c +288 -0
  436. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_client2.c +3118 -0
  437. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_context_info.c +1009 -0
  438. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_fork_server.c +381 -0
  439. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_mail_client.c +804 -0
  440. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_pthread_server.c +489 -0
  441. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_server.c +362 -0
  442. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_server2.c +4268 -0
  443. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_test_common_source.c +375 -0
  444. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_test_lib.c +601 -0
  445. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_test_lib.h +306 -0
  446. package/external/libedhoc/externals/mbedtls/programs/test/benchmark.c +1284 -0
  447. package/external/libedhoc/externals/mbedtls/programs/test/cmake_package/cmake_package.c +27 -0
  448. package/external/libedhoc/externals/mbedtls/programs/test/cmake_package_install/cmake_package_install.c +28 -0
  449. package/external/libedhoc/externals/mbedtls/programs/test/cmake_subproject/cmake_subproject.c +28 -0
  450. package/external/libedhoc/externals/mbedtls/programs/test/dlopen.c +92 -0
  451. package/external/libedhoc/externals/mbedtls/programs/test/query_compile_time_config.c +66 -0
  452. package/external/libedhoc/externals/mbedtls/programs/test/query_config.c +5137 -0
  453. package/external/libedhoc/externals/mbedtls/programs/test/query_config.h +34 -0
  454. package/external/libedhoc/externals/mbedtls/programs/test/query_included_headers.c +29 -0
  455. package/external/libedhoc/externals/mbedtls/programs/test/selftest.c +583 -0
  456. package/external/libedhoc/externals/mbedtls/programs/test/udp_proxy.c +967 -0
  457. package/external/libedhoc/externals/mbedtls/programs/test/zeroize.c +72 -0
  458. package/external/libedhoc/externals/mbedtls/programs/util/pem2der.c +265 -0
  459. package/external/libedhoc/externals/mbedtls/programs/util/strerror.c +61 -0
  460. package/external/libedhoc/externals/mbedtls/programs/wince_main.c +31 -0
  461. package/external/libedhoc/externals/mbedtls/programs/x509/cert_app.c +456 -0
  462. package/external/libedhoc/externals/mbedtls/programs/x509/cert_req.c +509 -0
  463. package/external/libedhoc/externals/mbedtls/programs/x509/cert_write.c +1012 -0
  464. package/external/libedhoc/externals/mbedtls/programs/x509/crl_app.c +132 -0
  465. package/external/libedhoc/externals/mbedtls/programs/x509/load_roots.c +165 -0
  466. package/external/libedhoc/externals/mbedtls/programs/x509/req_app.c +132 -0
  467. package/external/libedhoc/externals/mbedtls/tests/configs/tls13-only.h +31 -0
  468. package/external/libedhoc/externals/mbedtls/tests/configs/user-config-for-test.h +89 -0
  469. package/external/libedhoc/externals/mbedtls/tests/configs/user-config-malloc-0-null.h +22 -0
  470. package/external/libedhoc/externals/mbedtls/tests/configs/user-config-zeroize-memset.h +17 -0
  471. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/aes_alt.h +23 -0
  472. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/aria_alt.h +16 -0
  473. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/camellia_alt.h +16 -0
  474. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/ccm_alt.h +16 -0
  475. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/chacha20_alt.h +16 -0
  476. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/chachapoly_alt.h +18 -0
  477. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/cmac_alt.h +15 -0
  478. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/des_alt.h +22 -0
  479. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/dhm_alt.h +16 -0
  480. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/ecjpake_alt.h +15 -0
  481. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/ecp_alt.h +22 -0
  482. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/gcm_alt.h +16 -0
  483. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/md5_alt.h +16 -0
  484. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/nist_kw_alt.h +15 -0
  485. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/platform_alt.h +16 -0
  486. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/poly1305_alt.h +16 -0
  487. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/ripemd160_alt.h +16 -0
  488. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/rsa_alt.h +16 -0
  489. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/sha1_alt.h +16 -0
  490. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/sha256_alt.h +16 -0
  491. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/sha512_alt.h +16 -0
  492. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/threading_alt.h +14 -0
  493. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/timing_alt.h +19 -0
  494. package/external/libedhoc/externals/mbedtls/tests/include/alt-extra/psa/crypto.h +7 -0
  495. package/external/libedhoc/externals/mbedtls/tests/include/baremetal-override/time.h +6 -0
  496. package/external/libedhoc/externals/mbedtls/tests/include/spe/crypto_spe.h +131 -0
  497. package/external/libedhoc/externals/mbedtls/tests/include/test/arguments.h +26 -0
  498. package/external/libedhoc/externals/mbedtls/tests/include/test/asn1_helpers.h +38 -0
  499. package/external/libedhoc/externals/mbedtls/tests/include/test/bignum_helpers.h +106 -0
  500. package/external/libedhoc/externals/mbedtls/tests/include/test/certs.h +234 -0
  501. package/external/libedhoc/externals/mbedtls/tests/include/test/constant_flow.h +71 -0
  502. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/aead.h +121 -0
  503. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/asymmetric_encryption.h +67 -0
  504. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/cipher.h +130 -0
  505. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/config_test_driver.h +44 -0
  506. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/crypto_config_test_driver_extension.h +430 -0
  507. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/hash.h +64 -0
  508. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/key_agreement.h +62 -0
  509. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/key_management.h +123 -0
  510. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/mac.h +125 -0
  511. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/pake.h +75 -0
  512. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/signature.h +112 -0
  513. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/test_driver.h +32 -0
  514. package/external/libedhoc/externals/mbedtls/tests/include/test/fake_external_rng_for_test.h +40 -0
  515. package/external/libedhoc/externals/mbedtls/tests/include/test/helpers.h +268 -0
  516. package/external/libedhoc/externals/mbedtls/tests/include/test/macros.h +250 -0
  517. package/external/libedhoc/externals/mbedtls/tests/include/test/psa_crypto_helpers.h +398 -0
  518. package/external/libedhoc/externals/mbedtls/tests/include/test/psa_exercise_key.h +223 -0
  519. package/external/libedhoc/externals/mbedtls/tests/include/test/psa_helpers.h +24 -0
  520. package/external/libedhoc/externals/mbedtls/tests/include/test/random.h +91 -0
  521. package/external/libedhoc/externals/mbedtls/tests/include/test/ssl_helpers.h +628 -0
  522. package/external/libedhoc/externals/mbedtls/tests/src/asn1_helpers.c +62 -0
  523. package/external/libedhoc/externals/mbedtls/tests/src/bignum_helpers.c +145 -0
  524. package/external/libedhoc/externals/mbedtls/tests/src/certs.c +480 -0
  525. package/external/libedhoc/externals/mbedtls/tests/src/drivers/hash.c +199 -0
  526. package/external/libedhoc/externals/mbedtls/tests/src/drivers/platform_builtin_keys.c +78 -0
  527. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_aead.c +462 -0
  528. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_asymmetric_encryption.c +151 -0
  529. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_cipher.c +424 -0
  530. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_key_agreement.c +147 -0
  531. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_key_management.c +783 -0
  532. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_mac.c +422 -0
  533. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_pake.c +202 -0
  534. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_signature.c +405 -0
  535. package/external/libedhoc/externals/mbedtls/tests/src/fake_external_rng_for_test.c +45 -0
  536. package/external/libedhoc/externals/mbedtls/tests/src/helpers.c +353 -0
  537. package/external/libedhoc/externals/mbedtls/tests/src/psa_crypto_helpers.c +196 -0
  538. package/external/libedhoc/externals/mbedtls/tests/src/psa_exercise_key.c +989 -0
  539. package/external/libedhoc/externals/mbedtls/tests/src/random.c +136 -0
  540. package/external/libedhoc/externals/mbedtls/tests/src/test_certs.h +1226 -0
  541. package/external/libedhoc/externals/mbedtls/tests/src/test_helpers/ssl_helpers.c +2292 -0
  542. package/external/libedhoc/externals/mbedtls/tests/src/threading_helpers.c +210 -0
  543. package/external/libedhoc/externals/zcbor/include/zcbor_common.h +422 -0
  544. package/external/libedhoc/externals/zcbor/include/zcbor_debug.h +69 -0
  545. package/external/libedhoc/externals/zcbor/include/zcbor_decode.h +358 -0
  546. package/external/libedhoc/externals/zcbor/include/zcbor_encode.h +296 -0
  547. package/external/libedhoc/externals/zcbor/include/zcbor_tags.h +94 -0
  548. package/external/libedhoc/externals/zcbor/samples/hello_world/src/main.c +41 -0
  549. package/external/libedhoc/externals/zcbor/samples/pet/include/pet_decode.h +39 -0
  550. package/external/libedhoc/externals/zcbor/samples/pet/include/pet_encode.h +39 -0
  551. package/external/libedhoc/externals/zcbor/samples/pet/include/pet_types.h +47 -0
  552. package/external/libedhoc/externals/zcbor/samples/pet/src/main.c +128 -0
  553. package/external/libedhoc/externals/zcbor/samples/pet/src/pet_decode.c +69 -0
  554. package/external/libedhoc/externals/zcbor/samples/pet/src/pet_encode.c +70 -0
  555. package/external/libedhoc/externals/zcbor/src/zcbor_common.c +257 -0
  556. package/external/libedhoc/externals/zcbor/src/zcbor_decode.c +1107 -0
  557. package/external/libedhoc/externals/zcbor/src/zcbor_encode.c +722 -0
  558. package/external/libedhoc/externals/zcbor/tests/decode/test1_suit_old_formats/src/main.c +368 -0
  559. package/external/libedhoc/externals/zcbor/tests/decode/test2_suit/src/main.c +189 -0
  560. package/external/libedhoc/externals/zcbor/tests/decode/test3_simple/src/main.c +529 -0
  561. package/external/libedhoc/externals/zcbor/tests/decode/test5_corner_cases/src/main.c +2010 -0
  562. package/external/libedhoc/externals/zcbor/tests/decode/test7_suit9_simple/src/main.c +134 -0
  563. package/external/libedhoc/externals/zcbor/tests/decode/test8_suit12/src/main.c +863 -0
  564. package/external/libedhoc/externals/zcbor/tests/decode/test9_manifest14/src/main.c +364 -0
  565. package/external/libedhoc/externals/zcbor/tests/encode/test1_suit/src/main.c +453 -0
  566. package/external/libedhoc/externals/zcbor/tests/encode/test2_simple/src/main.c +123 -0
  567. package/external/libedhoc/externals/zcbor/tests/encode/test3_corner_cases/src/main.c +1527 -0
  568. package/external/libedhoc/externals/zcbor/tests/encode/test4_senml/src/main.c +66 -0
  569. package/external/libedhoc/externals/zcbor/tests/fuzz/fuzz_manifest12.c +136 -0
  570. package/external/libedhoc/externals/zcbor/tests/fuzz/fuzz_pet.c +12 -0
  571. package/external/libedhoc/externals/zcbor/tests/fuzz/main_entry.c +60 -0
  572. package/external/libedhoc/externals/zcbor/tests/fuzz/main_entry.h +5 -0
  573. package/external/libedhoc/externals/zcbor/tests/unit/test1_unit_tests/src/main.c +1044 -0
  574. package/external/libedhoc/externals/zcbor/tests/unit/test3_float16/src/main.c +202 -0
  575. package/external/libedhoc/include/edhoc.h +393 -0
  576. package/external/libedhoc/include/edhoc_context.h +318 -0
  577. package/external/libedhoc/include/edhoc_credentials.h +217 -0
  578. package/external/libedhoc/include/edhoc_crypto.h +331 -0
  579. package/external/libedhoc/include/edhoc_ead.h +99 -0
  580. package/external/libedhoc/include/edhoc_macros.h +51 -0
  581. package/external/libedhoc/include/edhoc_values.h +181 -0
  582. package/external/libedhoc/library/edhoc.c +219 -0
  583. package/external/libedhoc/library/edhoc_exporter.c +543 -0
  584. package/external/libedhoc/library/edhoc_message_1.c +439 -0
  585. package/external/libedhoc/library/edhoc_message_2.c +2994 -0
  586. package/external/libedhoc/library/edhoc_message_3.c +2658 -0
  587. package/external/libedhoc/library/edhoc_message_4.c +826 -0
  588. package/external/libedhoc/library/edhoc_message_error.c +238 -0
  589. package/external/libedhoc/tests/include/cipher_suite_negotiation/test_edhoc_cipher_suite_negotiation.h +37 -0
  590. package/external/libedhoc/tests/include/cipher_suites/cipher_suite_0.h +134 -0
  591. package/external/libedhoc/tests/include/cipher_suites/cipher_suite_2.h +140 -0
  592. package/external/libedhoc/tests/include/cipher_suites/test_cipher_suite_0.h +48 -0
  593. package/external/libedhoc/tests/include/cipher_suites/test_cipher_suite_2.h +48 -0
  594. package/external/libedhoc/tests/include/edhoc_trace_1/authentication_credentials_1.h +60 -0
  595. package/external/libedhoc/tests/include/edhoc_trace_1/test_edhoc_handshake_1.h +208 -0
  596. package/external/libedhoc/tests/include/edhoc_trace_1/test_edhoc_handshake_ead_1.h +59 -0
  597. package/external/libedhoc/tests/include/edhoc_trace_1/test_vector_1.h +738 -0
  598. package/external/libedhoc/tests/include/edhoc_trace_2/authentication_credentials_2.h +60 -0
  599. package/external/libedhoc/tests/include/edhoc_trace_2/test_edhoc_handshake_2.h +199 -0
  600. package/external/libedhoc/tests/include/edhoc_trace_2/test_vector_2.h +525 -0
  601. package/external/libedhoc/tests/include/error_message/test_edhoc_error_message.h +48 -0
  602. package/external/libedhoc/tests/include/x509_chain_cs_0/authentication_credentials_x5chain_cs_0.h +92 -0
  603. package/external/libedhoc/tests/include/x509_chain_cs_0/test_edhoc_handshake_x5chain_cs_0.h +96 -0
  604. package/external/libedhoc/tests/include/x509_chain_cs_0/test_vector_x5chain_cs_0.h +140 -0
  605. package/external/libedhoc/tests/include/x509_chain_cs_2/authentication_credentials_x5chain_cs_2.h +58 -0
  606. package/external/libedhoc/tests/include/x509_chain_cs_2/test_edhoc_handshake_x5chain_cs_2.h +56 -0
  607. package/external/libedhoc/tests/include/x509_chain_cs_2/test_edhoc_handshake_x5chain_cs_2_ead.h +57 -0
  608. package/external/libedhoc/tests/include/x509_chain_cs_2/test_vector_x5chain_cs_2.h +169 -0
  609. package/external/libedhoc/tests/include/x509_chain_cs_2_static_dh/authentication_credentials_x5chain_cs_2_static_dh.h +59 -0
  610. package/external/libedhoc/tests/include/x509_chain_cs_2_static_dh/test_edhoc_handshake_x5chain_cs_2_static_dh_ead.h +57 -0
  611. package/external/libedhoc/tests/include/x509_chain_cs_2_static_dh/test_vector_x5chain_cs_2_static_dh.h +163 -0
  612. package/external/libedhoc/tests/include/x509_hash_cs_2/authentication_credentials_x5t_cs_2.h +60 -0
  613. package/external/libedhoc/tests/include/x509_hash_cs_2/test_edhoc_handshake_x5t_cs_2_ead.h +57 -0
  614. package/external/libedhoc/tests/include/x509_hash_cs_2/test_vector_x5t_cs_2.h +181 -0
  615. package/external/libedhoc/tests/src/cipher_suite_negotiation/test_edhoc_cipher_suite_negotiation.c +544 -0
  616. package/external/libedhoc/tests/src/cipher_suites/cipher_suite_0.c +447 -0
  617. package/external/libedhoc/tests/src/cipher_suites/cipher_suite_2.c +600 -0
  618. package/external/libedhoc/tests/src/cipher_suites/test_cipher_suite_0.c +475 -0
  619. package/external/libedhoc/tests/src/cipher_suites/test_cipher_suite_2.c +473 -0
  620. package/external/libedhoc/tests/src/edhoc_trace_1/authentication_credentials_1.c +252 -0
  621. package/external/libedhoc/tests/src/edhoc_trace_1/test_edhoc_handshake_1.c +1829 -0
  622. package/external/libedhoc/tests/src/edhoc_trace_1/test_edhoc_handshake_ead_1.c +1247 -0
  623. package/external/libedhoc/tests/src/edhoc_trace_2/authentication_credentials_2.c +170 -0
  624. package/external/libedhoc/tests/src/edhoc_trace_2/test_edhoc_handshake_2.c +1783 -0
  625. package/external/libedhoc/tests/src/error_message/test_edhoc_error_message.c +226 -0
  626. package/external/libedhoc/tests/src/tests.c +228 -0
  627. package/external/libedhoc/tests/src/x509_chain_cs_0/authentication_credentials_x5chain_cs_0.c +332 -0
  628. package/external/libedhoc/tests/src/x509_chain_cs_0/test_edhoc_handshake_x5chain_cs_0.c +936 -0
  629. package/external/libedhoc/tests/src/x509_chain_cs_2/authentication_credentials_x5chain_cs_2.c +166 -0
  630. package/external/libedhoc/tests/src/x509_chain_cs_2/test_edhoc_handshake_x5chain_cs_2.c +587 -0
  631. package/external/libedhoc/tests/src/x509_chain_cs_2/test_edhoc_handshake_x5chain_cs_2_ead.c +917 -0
  632. package/external/libedhoc/tests/src/x509_chain_cs_2_static_dh/authentication_credentials_x5chain_cs_2_static_dh.c +186 -0
  633. package/external/libedhoc/tests/src/x509_chain_cs_2_static_dh/test_edhoc_handshake_x5chain_cs_2_static_dh_ead.c +743 -0
  634. package/external/libedhoc/tests/src/x509_hash_cs_2/authentication_credentials_x5t_cs_2.c +261 -0
  635. package/external/libedhoc/tests/src/x509_hash_cs_2/test_edhoc_handshake_x5t_cs_2_ead.c +854 -0
  636. package/include/EdhocComposeAsyncWorker.h +61 -0
  637. package/include/EdhocCredentialManager.h +100 -0
  638. package/include/EdhocCryptoManager.h +504 -0
  639. package/include/EdhocEadManager.h +151 -0
  640. package/include/EdhocExportAsyncWorker.h +71 -0
  641. package/include/EdhocProcessAsyncWorker.h +76 -0
  642. package/include/LibEDHOC.h +304 -0
  643. package/include/Suites.h +27 -0
  644. package/include/UserContext.h +79 -0
  645. package/include/Utils.h +110 -0
  646. package/package.json +5 -5
  647. package/prebuilds/win32-ia32/edhoc.node +0 -0
  648. package/prebuilds/win32-x64/edhoc.node +0 -0
  649. package/src/EdhocComposeAsyncWorker.cpp +88 -0
  650. package/src/EdhocCredentialManager.cpp +360 -0
  651. package/src/EdhocCryptoManager.cpp +967 -0
  652. package/src/EdhocEadManager.cpp +156 -0
  653. package/src/EdhocExportAsyncWorker.cpp +82 -0
  654. package/src/EdhocProcessAsyncWorker.cpp +74 -0
  655. package/src/LibEDHOC.cpp +369 -0
  656. package/src/Suites.cpp +153 -0
  657. package/src/Utils.cpp +115 -0
  658. package/dist/bindings.d.ts +0 -5
  659. package/dist/bindings.d.ts.map +0 -1
  660. package/dist/bindings.js +0 -10
  661. package/dist/credentials.d.ts +0 -16
  662. package/dist/credentials.d.ts.map +0 -1
  663. package/dist/credentials.js +0 -84
  664. package/dist/crypto.d.ts +0 -22
  665. package/dist/crypto.d.ts.map +0 -1
  666. package/dist/crypto.js +0 -177
  667. package/dist/edhoc.d.ts +0 -346
  668. package/dist/edhoc.d.ts.map +0 -1
  669. package/dist/edhoc.js +0 -76
  670. package/dist/index.d.ts +0 -4
  671. package/dist/index.d.ts.map +0 -1
  672. package/dist/index.js +0 -19
@@ -0,0 +1,3631 @@
1
+ /*
2
+ * Elliptic curves over GF(p): generic functions
3
+ *
4
+ * Copyright The Mbed TLS Contributors
5
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
+ */
7
+
8
+ /*
9
+ * References:
10
+ *
11
+ * SEC1 https://www.secg.org/sec1-v2.pdf
12
+ * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
13
+ * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
14
+ * RFC 4492 for the related TLS structures and constants
15
+ * - https://www.rfc-editor.org/rfc/rfc4492
16
+ * RFC 7748 for the Curve448 and Curve25519 curve definitions
17
+ * - https://www.rfc-editor.org/rfc/rfc7748
18
+ *
19
+ * [Curve25519] https://cr.yp.to/ecdh/curve25519-20060209.pdf
20
+ *
21
+ * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
22
+ * for elliptic curve cryptosystems. In : Cryptographic Hardware and
23
+ * Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
24
+ * <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
25
+ *
26
+ * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
27
+ * render ECC resistant against Side Channel Attacks. IACR Cryptology
28
+ * ePrint Archive, 2004, vol. 2004, p. 342.
29
+ * <http://eprint.iacr.org/2004/342.pdf>
30
+ */
31
+
32
+ #include "common.h"
33
+
34
+ /**
35
+ * \brief Function level alternative implementation.
36
+ *
37
+ * The MBEDTLS_ECP_INTERNAL_ALT macro enables alternative implementations to
38
+ * replace certain functions in this module. The alternative implementations are
39
+ * typically hardware accelerators and need to activate the hardware before the
40
+ * computation starts and deactivate it after it finishes. The
41
+ * mbedtls_internal_ecp_init() and mbedtls_internal_ecp_free() functions serve
42
+ * this purpose.
43
+ *
44
+ * To preserve the correct functionality the following conditions must hold:
45
+ *
46
+ * - The alternative implementation must be activated by
47
+ * mbedtls_internal_ecp_init() before any of the replaceable functions is
48
+ * called.
49
+ * - mbedtls_internal_ecp_free() must \b only be called when the alternative
50
+ * implementation is activated.
51
+ * - mbedtls_internal_ecp_init() must \b not be called when the alternative
52
+ * implementation is activated.
53
+ * - Public functions must not return while the alternative implementation is
54
+ * activated.
55
+ * - Replaceable functions are guarded by \c MBEDTLS_ECP_XXX_ALT macros and
56
+ * before calling them an \code if( mbedtls_internal_ecp_grp_capable( grp ) )
57
+ * \endcode ensures that the alternative implementation supports the current
58
+ * group.
59
+ */
60
+ #if defined(MBEDTLS_ECP_INTERNAL_ALT)
61
+ #endif
62
+
63
+ #if defined(MBEDTLS_ECP_LIGHT)
64
+
65
+ #include "mbedtls/ecp.h"
66
+ #include "mbedtls/threading.h"
67
+ #include "mbedtls/platform_util.h"
68
+ #include "mbedtls/error.h"
69
+
70
+ #include "bn_mul.h"
71
+ #include "ecp_invasive.h"
72
+
73
+ #include <string.h>
74
+
75
+ #if !defined(MBEDTLS_ECP_ALT)
76
+
77
+ #include "mbedtls/platform.h"
78
+
79
+ #include "ecp_internal_alt.h"
80
+
81
+ #if defined(MBEDTLS_SELF_TEST)
82
+ /*
83
+ * Counts of point addition and doubling, and field multiplications.
84
+ * Used to test resistance of point multiplication to simple timing attacks.
85
+ */
86
+ #if defined(MBEDTLS_ECP_C)
87
+ static unsigned long add_count, dbl_count;
88
+ #endif /* MBEDTLS_ECP_C */
89
+ static unsigned long mul_count;
90
+ #endif
91
+
92
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
93
+ /*
94
+ * Maximum number of "basic operations" to be done in a row.
95
+ *
96
+ * Default value 0 means that ECC operations will not yield.
97
+ * Note that regardless of the value of ecp_max_ops, always at
98
+ * least one step is performed before yielding.
99
+ *
100
+ * Setting ecp_max_ops=1 can be suitable for testing purposes
101
+ * as it will interrupt computation at all possible points.
102
+ */
103
+ static unsigned ecp_max_ops = 0;
104
+
105
+ /*
106
+ * Set ecp_max_ops
107
+ */
108
+ void mbedtls_ecp_set_max_ops(unsigned max_ops)
109
+ {
110
+ ecp_max_ops = max_ops;
111
+ }
112
+
113
+ /*
114
+ * Check if restart is enabled
115
+ */
116
+ int mbedtls_ecp_restart_is_enabled(void)
117
+ {
118
+ return ecp_max_ops != 0;
119
+ }
120
+
121
+ /*
122
+ * Restart sub-context for ecp_mul_comb()
123
+ */
124
+ struct mbedtls_ecp_restart_mul {
125
+ mbedtls_ecp_point R; /* current intermediate result */
126
+ size_t i; /* current index in various loops, 0 outside */
127
+ mbedtls_ecp_point *T; /* table for precomputed points */
128
+ unsigned char T_size; /* number of points in table T */
129
+ enum { /* what were we doing last time we returned? */
130
+ ecp_rsm_init = 0, /* nothing so far, dummy initial state */
131
+ ecp_rsm_pre_dbl, /* precompute 2^n multiples */
132
+ ecp_rsm_pre_norm_dbl, /* normalize precomputed 2^n multiples */
133
+ ecp_rsm_pre_add, /* precompute remaining points by adding */
134
+ ecp_rsm_pre_norm_add, /* normalize all precomputed points */
135
+ ecp_rsm_comb_core, /* ecp_mul_comb_core() */
136
+ ecp_rsm_final_norm, /* do the final normalization */
137
+ } state;
138
+ };
139
+
140
+ /*
141
+ * Init restart_mul sub-context
142
+ */
143
+ static void ecp_restart_rsm_init(mbedtls_ecp_restart_mul_ctx *ctx)
144
+ {
145
+ mbedtls_ecp_point_init(&ctx->R);
146
+ ctx->i = 0;
147
+ ctx->T = NULL;
148
+ ctx->T_size = 0;
149
+ ctx->state = ecp_rsm_init;
150
+ }
151
+
152
+ /*
153
+ * Free the components of a restart_mul sub-context
154
+ */
155
+ static void ecp_restart_rsm_free(mbedtls_ecp_restart_mul_ctx *ctx)
156
+ {
157
+ unsigned char i;
158
+
159
+ if (ctx == NULL) {
160
+ return;
161
+ }
162
+
163
+ mbedtls_ecp_point_free(&ctx->R);
164
+
165
+ if (ctx->T != NULL) {
166
+ for (i = 0; i < ctx->T_size; i++) {
167
+ mbedtls_ecp_point_free(ctx->T + i);
168
+ }
169
+ mbedtls_free(ctx->T);
170
+ }
171
+
172
+ ecp_restart_rsm_init(ctx);
173
+ }
174
+
175
+ /*
176
+ * Restart context for ecp_muladd()
177
+ */
178
+ struct mbedtls_ecp_restart_muladd {
179
+ mbedtls_ecp_point mP; /* mP value */
180
+ mbedtls_ecp_point R; /* R intermediate result */
181
+ enum { /* what should we do next? */
182
+ ecp_rsma_mul1 = 0, /* first multiplication */
183
+ ecp_rsma_mul2, /* second multiplication */
184
+ ecp_rsma_add, /* addition */
185
+ ecp_rsma_norm, /* normalization */
186
+ } state;
187
+ };
188
+
189
+ /*
190
+ * Init restart_muladd sub-context
191
+ */
192
+ static void ecp_restart_ma_init(mbedtls_ecp_restart_muladd_ctx *ctx)
193
+ {
194
+ mbedtls_ecp_point_init(&ctx->mP);
195
+ mbedtls_ecp_point_init(&ctx->R);
196
+ ctx->state = ecp_rsma_mul1;
197
+ }
198
+
199
+ /*
200
+ * Free the components of a restart_muladd sub-context
201
+ */
202
+ static void ecp_restart_ma_free(mbedtls_ecp_restart_muladd_ctx *ctx)
203
+ {
204
+ if (ctx == NULL) {
205
+ return;
206
+ }
207
+
208
+ mbedtls_ecp_point_free(&ctx->mP);
209
+ mbedtls_ecp_point_free(&ctx->R);
210
+
211
+ ecp_restart_ma_init(ctx);
212
+ }
213
+
214
+ /*
215
+ * Initialize a restart context
216
+ */
217
+ void mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx *ctx)
218
+ {
219
+ ctx->ops_done = 0;
220
+ ctx->depth = 0;
221
+ ctx->rsm = NULL;
222
+ ctx->ma = NULL;
223
+ }
224
+
225
+ /*
226
+ * Free the components of a restart context
227
+ */
228
+ void mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx *ctx)
229
+ {
230
+ if (ctx == NULL) {
231
+ return;
232
+ }
233
+
234
+ ecp_restart_rsm_free(ctx->rsm);
235
+ mbedtls_free(ctx->rsm);
236
+
237
+ ecp_restart_ma_free(ctx->ma);
238
+ mbedtls_free(ctx->ma);
239
+
240
+ mbedtls_ecp_restart_init(ctx);
241
+ }
242
+
243
+ /*
244
+ * Check if we can do the next step
245
+ */
246
+ int mbedtls_ecp_check_budget(const mbedtls_ecp_group *grp,
247
+ mbedtls_ecp_restart_ctx *rs_ctx,
248
+ unsigned ops)
249
+ {
250
+ if (rs_ctx != NULL && ecp_max_ops != 0) {
251
+ /* scale depending on curve size: the chosen reference is 256-bit,
252
+ * and multiplication is quadratic. Round to the closest integer. */
253
+ if (grp->pbits >= 512) {
254
+ ops *= 4;
255
+ } else if (grp->pbits >= 384) {
256
+ ops *= 2;
257
+ }
258
+
259
+ /* Avoid infinite loops: always allow first step.
260
+ * Because of that, however, it's not generally true
261
+ * that ops_done <= ecp_max_ops, so the check
262
+ * ops_done > ecp_max_ops below is mandatory. */
263
+ if ((rs_ctx->ops_done != 0) &&
264
+ (rs_ctx->ops_done > ecp_max_ops ||
265
+ ops > ecp_max_ops - rs_ctx->ops_done)) {
266
+ return MBEDTLS_ERR_ECP_IN_PROGRESS;
267
+ }
268
+
269
+ /* update running count */
270
+ rs_ctx->ops_done += ops;
271
+ }
272
+
273
+ return 0;
274
+ }
275
+
276
+ /* Call this when entering a function that needs its own sub-context */
277
+ #define ECP_RS_ENTER(SUB) do { \
278
+ /* reset ops count for this call if top-level */ \
279
+ if (rs_ctx != NULL && rs_ctx->depth++ == 0) \
280
+ rs_ctx->ops_done = 0; \
281
+ \
282
+ /* set up our own sub-context if needed */ \
283
+ if (mbedtls_ecp_restart_is_enabled() && \
284
+ rs_ctx != NULL && rs_ctx->SUB == NULL) \
285
+ { \
286
+ rs_ctx->SUB = mbedtls_calloc(1, sizeof(*rs_ctx->SUB)); \
287
+ if (rs_ctx->SUB == NULL) \
288
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED; \
289
+ \
290
+ ecp_restart_## SUB ##_init(rs_ctx->SUB); \
291
+ } \
292
+ } while (0)
293
+
294
+ /* Call this when leaving a function that needs its own sub-context */
295
+ #define ECP_RS_LEAVE(SUB) do { \
296
+ /* clear our sub-context when not in progress (done or error) */ \
297
+ if (rs_ctx != NULL && rs_ctx->SUB != NULL && \
298
+ ret != MBEDTLS_ERR_ECP_IN_PROGRESS) \
299
+ { \
300
+ ecp_restart_## SUB ##_free(rs_ctx->SUB); \
301
+ mbedtls_free(rs_ctx->SUB); \
302
+ rs_ctx->SUB = NULL; \
303
+ } \
304
+ \
305
+ if (rs_ctx != NULL) \
306
+ rs_ctx->depth--; \
307
+ } while (0)
308
+
309
+ #else /* MBEDTLS_ECP_RESTARTABLE */
310
+
311
+ #define ECP_RS_ENTER(sub) (void) rs_ctx;
312
+ #define ECP_RS_LEAVE(sub) (void) rs_ctx;
313
+
314
+ #endif /* MBEDTLS_ECP_RESTARTABLE */
315
+
316
+ #if defined(MBEDTLS_ECP_C)
317
+ static void mpi_init_many(mbedtls_mpi *arr, size_t size)
318
+ {
319
+ while (size--) {
320
+ mbedtls_mpi_init(arr++);
321
+ }
322
+ }
323
+
324
+ static void mpi_free_many(mbedtls_mpi *arr, size_t size)
325
+ {
326
+ while (size--) {
327
+ mbedtls_mpi_free(arr++);
328
+ }
329
+ }
330
+ #endif /* MBEDTLS_ECP_C */
331
+
332
+ /*
333
+ * List of supported curves:
334
+ * - internal ID
335
+ * - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2, RFC 8446 sec. 4.2.7)
336
+ * - size in bits
337
+ * - readable name
338
+ *
339
+ * Curves are listed in order: largest curves first, and for a given size,
340
+ * fastest curves first.
341
+ *
342
+ * Reminder: update profiles in x509_crt.c and ssl_tls.c when adding a new curve!
343
+ */
344
+ static const mbedtls_ecp_curve_info ecp_supported_curves[] =
345
+ {
346
+ #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
347
+ { MBEDTLS_ECP_DP_SECP521R1, 25, 521, "secp521r1" },
348
+ #endif
349
+ #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
350
+ { MBEDTLS_ECP_DP_BP512R1, 28, 512, "brainpoolP512r1" },
351
+ #endif
352
+ #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
353
+ { MBEDTLS_ECP_DP_SECP384R1, 24, 384, "secp384r1" },
354
+ #endif
355
+ #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
356
+ { MBEDTLS_ECP_DP_BP384R1, 27, 384, "brainpoolP384r1" },
357
+ #endif
358
+ #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
359
+ { MBEDTLS_ECP_DP_SECP256R1, 23, 256, "secp256r1" },
360
+ #endif
361
+ #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
362
+ { MBEDTLS_ECP_DP_SECP256K1, 22, 256, "secp256k1" },
363
+ #endif
364
+ #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
365
+ { MBEDTLS_ECP_DP_BP256R1, 26, 256, "brainpoolP256r1" },
366
+ #endif
367
+ #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
368
+ { MBEDTLS_ECP_DP_SECP224R1, 21, 224, "secp224r1" },
369
+ #endif
370
+ #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
371
+ { MBEDTLS_ECP_DP_SECP224K1, 20, 224, "secp224k1" },
372
+ #endif
373
+ #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
374
+ { MBEDTLS_ECP_DP_SECP192R1, 19, 192, "secp192r1" },
375
+ #endif
376
+ #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
377
+ { MBEDTLS_ECP_DP_SECP192K1, 18, 192, "secp192k1" },
378
+ #endif
379
+ #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
380
+ { MBEDTLS_ECP_DP_CURVE25519, 29, 256, "x25519" },
381
+ #endif
382
+ #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
383
+ { MBEDTLS_ECP_DP_CURVE448, 30, 448, "x448" },
384
+ #endif
385
+ { MBEDTLS_ECP_DP_NONE, 0, 0, NULL },
386
+ };
387
+
388
+ #define ECP_NB_CURVES sizeof(ecp_supported_curves) / \
389
+ sizeof(ecp_supported_curves[0])
390
+
391
+ static mbedtls_ecp_group_id ecp_supported_grp_id[ECP_NB_CURVES];
392
+
393
+ /*
394
+ * List of supported curves and associated info
395
+ */
396
+ const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list(void)
397
+ {
398
+ return ecp_supported_curves;
399
+ }
400
+
401
+ /*
402
+ * List of supported curves, group ID only
403
+ */
404
+ const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list(void)
405
+ {
406
+ static int init_done = 0;
407
+
408
+ if (!init_done) {
409
+ size_t i = 0;
410
+ const mbedtls_ecp_curve_info *curve_info;
411
+
412
+ for (curve_info = mbedtls_ecp_curve_list();
413
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
414
+ curve_info++) {
415
+ ecp_supported_grp_id[i++] = curve_info->grp_id;
416
+ }
417
+ ecp_supported_grp_id[i] = MBEDTLS_ECP_DP_NONE;
418
+
419
+ init_done = 1;
420
+ }
421
+
422
+ return ecp_supported_grp_id;
423
+ }
424
+
425
+ /*
426
+ * Get the curve info for the internal identifier
427
+ */
428
+ const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id(mbedtls_ecp_group_id grp_id)
429
+ {
430
+ const mbedtls_ecp_curve_info *curve_info;
431
+
432
+ for (curve_info = mbedtls_ecp_curve_list();
433
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
434
+ curve_info++) {
435
+ if (curve_info->grp_id == grp_id) {
436
+ return curve_info;
437
+ }
438
+ }
439
+
440
+ return NULL;
441
+ }
442
+
443
+ /*
444
+ * Get the curve info from the TLS identifier
445
+ */
446
+ const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id(uint16_t tls_id)
447
+ {
448
+ const mbedtls_ecp_curve_info *curve_info;
449
+
450
+ for (curve_info = mbedtls_ecp_curve_list();
451
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
452
+ curve_info++) {
453
+ if (curve_info->tls_id == tls_id) {
454
+ return curve_info;
455
+ }
456
+ }
457
+
458
+ return NULL;
459
+ }
460
+
461
+ /*
462
+ * Get the curve info from the name
463
+ */
464
+ const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name(const char *name)
465
+ {
466
+ const mbedtls_ecp_curve_info *curve_info;
467
+
468
+ if (name == NULL) {
469
+ return NULL;
470
+ }
471
+
472
+ for (curve_info = mbedtls_ecp_curve_list();
473
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
474
+ curve_info++) {
475
+ if (strcmp(curve_info->name, name) == 0) {
476
+ return curve_info;
477
+ }
478
+ }
479
+
480
+ return NULL;
481
+ }
482
+
483
+ /*
484
+ * Get the type of a curve
485
+ */
486
+ mbedtls_ecp_curve_type mbedtls_ecp_get_type(const mbedtls_ecp_group *grp)
487
+ {
488
+ if (grp->G.X.p == NULL) {
489
+ return MBEDTLS_ECP_TYPE_NONE;
490
+ }
491
+
492
+ if (grp->G.Y.p == NULL) {
493
+ return MBEDTLS_ECP_TYPE_MONTGOMERY;
494
+ } else {
495
+ return MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS;
496
+ }
497
+ }
498
+
499
+ /*
500
+ * Initialize (the components of) a point
501
+ */
502
+ void mbedtls_ecp_point_init(mbedtls_ecp_point *pt)
503
+ {
504
+ mbedtls_mpi_init(&pt->X);
505
+ mbedtls_mpi_init(&pt->Y);
506
+ mbedtls_mpi_init(&pt->Z);
507
+ }
508
+
509
+ /*
510
+ * Initialize (the components of) a group
511
+ */
512
+ void mbedtls_ecp_group_init(mbedtls_ecp_group *grp)
513
+ {
514
+ grp->id = MBEDTLS_ECP_DP_NONE;
515
+ mbedtls_mpi_init(&grp->P);
516
+ mbedtls_mpi_init(&grp->A);
517
+ mbedtls_mpi_init(&grp->B);
518
+ mbedtls_ecp_point_init(&grp->G);
519
+ mbedtls_mpi_init(&grp->N);
520
+ grp->pbits = 0;
521
+ grp->nbits = 0;
522
+ grp->h = 0;
523
+ grp->modp = NULL;
524
+ grp->t_pre = NULL;
525
+ grp->t_post = NULL;
526
+ grp->t_data = NULL;
527
+ grp->T = NULL;
528
+ grp->T_size = 0;
529
+ }
530
+
531
+ /*
532
+ * Initialize (the components of) a key pair
533
+ */
534
+ void mbedtls_ecp_keypair_init(mbedtls_ecp_keypair *key)
535
+ {
536
+ mbedtls_ecp_group_init(&key->grp);
537
+ mbedtls_mpi_init(&key->d);
538
+ mbedtls_ecp_point_init(&key->Q);
539
+ }
540
+
541
+ /*
542
+ * Unallocate (the components of) a point
543
+ */
544
+ void mbedtls_ecp_point_free(mbedtls_ecp_point *pt)
545
+ {
546
+ if (pt == NULL) {
547
+ return;
548
+ }
549
+
550
+ mbedtls_mpi_free(&(pt->X));
551
+ mbedtls_mpi_free(&(pt->Y));
552
+ mbedtls_mpi_free(&(pt->Z));
553
+ }
554
+
555
+ /*
556
+ * Check that the comb table (grp->T) is static initialized.
557
+ */
558
+ static int ecp_group_is_static_comb_table(const mbedtls_ecp_group *grp)
559
+ {
560
+ #if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
561
+ return grp->T != NULL && grp->T_size == 0;
562
+ #else
563
+ (void) grp;
564
+ return 0;
565
+ #endif
566
+ }
567
+
568
+ /*
569
+ * Unallocate (the components of) a group
570
+ */
571
+ void mbedtls_ecp_group_free(mbedtls_ecp_group *grp)
572
+ {
573
+ size_t i;
574
+
575
+ if (grp == NULL) {
576
+ return;
577
+ }
578
+
579
+ if (grp->h != 1) {
580
+ mbedtls_mpi_free(&grp->A);
581
+ mbedtls_mpi_free(&grp->B);
582
+ mbedtls_ecp_point_free(&grp->G);
583
+
584
+ #if !defined(MBEDTLS_ECP_WITH_MPI_UINT)
585
+ mbedtls_mpi_free(&grp->N);
586
+ mbedtls_mpi_free(&grp->P);
587
+ #endif
588
+ }
589
+
590
+ if (!ecp_group_is_static_comb_table(grp) && grp->T != NULL) {
591
+ for (i = 0; i < grp->T_size; i++) {
592
+ mbedtls_ecp_point_free(&grp->T[i]);
593
+ }
594
+ mbedtls_free(grp->T);
595
+ }
596
+
597
+ mbedtls_platform_zeroize(grp, sizeof(mbedtls_ecp_group));
598
+ }
599
+
600
+ /*
601
+ * Unallocate (the components of) a key pair
602
+ */
603
+ void mbedtls_ecp_keypair_free(mbedtls_ecp_keypair *key)
604
+ {
605
+ if (key == NULL) {
606
+ return;
607
+ }
608
+
609
+ mbedtls_ecp_group_free(&key->grp);
610
+ mbedtls_mpi_free(&key->d);
611
+ mbedtls_ecp_point_free(&key->Q);
612
+ }
613
+
614
+ /*
615
+ * Copy the contents of a point
616
+ */
617
+ int mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q)
618
+ {
619
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
620
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->X, &Q->X));
621
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Y, &Q->Y));
622
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Z, &Q->Z));
623
+
624
+ cleanup:
625
+ return ret;
626
+ }
627
+
628
+ /*
629
+ * Copy the contents of a group object
630
+ */
631
+ int mbedtls_ecp_group_copy(mbedtls_ecp_group *dst, const mbedtls_ecp_group *src)
632
+ {
633
+ return mbedtls_ecp_group_load(dst, src->id);
634
+ }
635
+
636
+ /*
637
+ * Set point to zero
638
+ */
639
+ int mbedtls_ecp_set_zero(mbedtls_ecp_point *pt)
640
+ {
641
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
642
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->X, 1));
643
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Y, 1));
644
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 0));
645
+
646
+ cleanup:
647
+ return ret;
648
+ }
649
+
650
+ /*
651
+ * Tell if a point is zero
652
+ */
653
+ int mbedtls_ecp_is_zero(mbedtls_ecp_point *pt)
654
+ {
655
+ return mbedtls_mpi_cmp_int(&pt->Z, 0) == 0;
656
+ }
657
+
658
+ /*
659
+ * Compare two points lazily
660
+ */
661
+ int mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
662
+ const mbedtls_ecp_point *Q)
663
+ {
664
+ if (mbedtls_mpi_cmp_mpi(&P->X, &Q->X) == 0 &&
665
+ mbedtls_mpi_cmp_mpi(&P->Y, &Q->Y) == 0 &&
666
+ mbedtls_mpi_cmp_mpi(&P->Z, &Q->Z) == 0) {
667
+ return 0;
668
+ }
669
+
670
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
671
+ }
672
+
673
+ /*
674
+ * Import a non-zero point from ASCII strings
675
+ */
676
+ int mbedtls_ecp_point_read_string(mbedtls_ecp_point *P, int radix,
677
+ const char *x, const char *y)
678
+ {
679
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
680
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->X, radix, x));
681
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->Y, radix, y));
682
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&P->Z, 1));
683
+
684
+ cleanup:
685
+ return ret;
686
+ }
687
+
688
+ /*
689
+ * Export a point into unsigned binary data (SEC1 2.3.3 and RFC7748)
690
+ */
691
+ int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
692
+ const mbedtls_ecp_point *P,
693
+ int format, size_t *olen,
694
+ unsigned char *buf, size_t buflen)
695
+ {
696
+ int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
697
+ size_t plen;
698
+ if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
699
+ format != MBEDTLS_ECP_PF_COMPRESSED) {
700
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
701
+ }
702
+
703
+ plen = mbedtls_mpi_size(&grp->P);
704
+
705
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
706
+ (void) format; /* Montgomery curves always use the same point format */
707
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
708
+ *olen = plen;
709
+ if (buflen < *olen) {
710
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
711
+ }
712
+
713
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&P->X, buf, plen));
714
+ }
715
+ #endif
716
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
717
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
718
+ /*
719
+ * Common case: P == 0
720
+ */
721
+ if (mbedtls_mpi_cmp_int(&P->Z, 0) == 0) {
722
+ if (buflen < 1) {
723
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
724
+ }
725
+
726
+ buf[0] = 0x00;
727
+ *olen = 1;
728
+
729
+ return 0;
730
+ }
731
+
732
+ if (format == MBEDTLS_ECP_PF_UNCOMPRESSED) {
733
+ *olen = 2 * plen + 1;
734
+
735
+ if (buflen < *olen) {
736
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
737
+ }
738
+
739
+ buf[0] = 0x04;
740
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
741
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->Y, buf + 1 + plen, plen));
742
+ } else if (format == MBEDTLS_ECP_PF_COMPRESSED) {
743
+ *olen = plen + 1;
744
+
745
+ if (buflen < *olen) {
746
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
747
+ }
748
+
749
+ buf[0] = 0x02 + mbedtls_mpi_get_bit(&P->Y, 0);
750
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
751
+ }
752
+ }
753
+ #endif
754
+
755
+ cleanup:
756
+ return ret;
757
+ }
758
+
759
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
760
+ static int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
761
+ const mbedtls_mpi *X,
762
+ mbedtls_mpi *Y,
763
+ int parity_bit);
764
+ #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
765
+
766
+ /*
767
+ * Import a point from unsigned binary data (SEC1 2.3.4 and RFC7748)
768
+ */
769
+ int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp,
770
+ mbedtls_ecp_point *pt,
771
+ const unsigned char *buf, size_t ilen)
772
+ {
773
+ int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
774
+ size_t plen;
775
+ if (ilen < 1) {
776
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
777
+ }
778
+
779
+ plen = mbedtls_mpi_size(&grp->P);
780
+
781
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
782
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
783
+ if (plen != ilen) {
784
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
785
+ }
786
+
787
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&pt->X, buf, plen));
788
+ mbedtls_mpi_free(&pt->Y);
789
+
790
+ if (grp->id == MBEDTLS_ECP_DP_CURVE25519) {
791
+ /* Set most significant bit to 0 as prescribed in RFC7748 §5 */
792
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&pt->X, plen * 8 - 1, 0));
793
+ }
794
+
795
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
796
+ }
797
+ #endif
798
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
799
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
800
+ if (buf[0] == 0x00) {
801
+ if (ilen == 1) {
802
+ return mbedtls_ecp_set_zero(pt);
803
+ } else {
804
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
805
+ }
806
+ }
807
+
808
+ if (ilen < 1 + plen) {
809
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
810
+ }
811
+
812
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&pt->X, buf + 1, plen));
813
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
814
+
815
+ if (buf[0] == 0x04) {
816
+ /* format == MBEDTLS_ECP_PF_UNCOMPRESSED */
817
+ if (ilen != 1 + plen * 2) {
818
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
819
+ }
820
+ return mbedtls_mpi_read_binary(&pt->Y, buf + 1 + plen, plen);
821
+ } else if (buf[0] == 0x02 || buf[0] == 0x03) {
822
+ /* format == MBEDTLS_ECP_PF_COMPRESSED */
823
+ if (ilen != 1 + plen) {
824
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
825
+ }
826
+ return mbedtls_ecp_sw_derive_y(grp, &pt->X, &pt->Y,
827
+ (buf[0] & 1));
828
+ } else {
829
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
830
+ }
831
+ }
832
+ #endif
833
+
834
+ cleanup:
835
+ return ret;
836
+ }
837
+
838
+ /*
839
+ * Import a point from a TLS ECPoint record (RFC 4492)
840
+ * struct {
841
+ * opaque point <1..2^8-1>;
842
+ * } ECPoint;
843
+ */
844
+ int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp,
845
+ mbedtls_ecp_point *pt,
846
+ const unsigned char **buf, size_t buf_len)
847
+ {
848
+ unsigned char data_len;
849
+ const unsigned char *buf_start;
850
+ /*
851
+ * We must have at least two bytes (1 for length, at least one for data)
852
+ */
853
+ if (buf_len < 2) {
854
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
855
+ }
856
+
857
+ data_len = *(*buf)++;
858
+ if (data_len < 1 || data_len > buf_len - 1) {
859
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
860
+ }
861
+
862
+ /*
863
+ * Save buffer start for read_binary and update buf
864
+ */
865
+ buf_start = *buf;
866
+ *buf += data_len;
867
+
868
+ return mbedtls_ecp_point_read_binary(grp, pt, buf_start, data_len);
869
+ }
870
+
871
+ /*
872
+ * Export a point as a TLS ECPoint record (RFC 4492)
873
+ * struct {
874
+ * opaque point <1..2^8-1>;
875
+ * } ECPoint;
876
+ */
877
+ int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
878
+ int format, size_t *olen,
879
+ unsigned char *buf, size_t blen)
880
+ {
881
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
882
+ if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
883
+ format != MBEDTLS_ECP_PF_COMPRESSED) {
884
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
885
+ }
886
+
887
+ /*
888
+ * buffer length must be at least one, for our length byte
889
+ */
890
+ if (blen < 1) {
891
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
892
+ }
893
+
894
+ if ((ret = mbedtls_ecp_point_write_binary(grp, pt, format,
895
+ olen, buf + 1, blen - 1)) != 0) {
896
+ return ret;
897
+ }
898
+
899
+ /*
900
+ * write length to the first byte and update total length
901
+ */
902
+ buf[0] = (unsigned char) *olen;
903
+ ++*olen;
904
+
905
+ return 0;
906
+ }
907
+
908
+ /*
909
+ * Set a group from an ECParameters record (RFC 4492)
910
+ */
911
+ int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp,
912
+ const unsigned char **buf, size_t len)
913
+ {
914
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
915
+ mbedtls_ecp_group_id grp_id;
916
+ if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, len)) != 0) {
917
+ return ret;
918
+ }
919
+
920
+ return mbedtls_ecp_group_load(grp, grp_id);
921
+ }
922
+
923
+ /*
924
+ * Read a group id from an ECParameters record (RFC 4492) and convert it to
925
+ * mbedtls_ecp_group_id.
926
+ */
927
+ int mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
928
+ const unsigned char **buf, size_t len)
929
+ {
930
+ uint16_t tls_id;
931
+ const mbedtls_ecp_curve_info *curve_info;
932
+ /*
933
+ * We expect at least three bytes (see below)
934
+ */
935
+ if (len < 3) {
936
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
937
+ }
938
+
939
+ /*
940
+ * First byte is curve_type; only named_curve is handled
941
+ */
942
+ if (*(*buf)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
943
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
944
+ }
945
+
946
+ /*
947
+ * Next two bytes are the namedcurve value
948
+ */
949
+ tls_id = MBEDTLS_GET_UINT16_BE(*buf, 0);
950
+ *buf += 2;
951
+
952
+ if ((curve_info = mbedtls_ecp_curve_info_from_tls_id(tls_id)) == NULL) {
953
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
954
+ }
955
+
956
+ *grp = curve_info->grp_id;
957
+
958
+ return 0;
959
+ }
960
+
961
+ /*
962
+ * Write the ECParameters record corresponding to a group (RFC 4492)
963
+ */
964
+ int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp, size_t *olen,
965
+ unsigned char *buf, size_t blen)
966
+ {
967
+ const mbedtls_ecp_curve_info *curve_info;
968
+ if ((curve_info = mbedtls_ecp_curve_info_from_grp_id(grp->id)) == NULL) {
969
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
970
+ }
971
+
972
+ /*
973
+ * We are going to write 3 bytes (see below)
974
+ */
975
+ *olen = 3;
976
+ if (blen < *olen) {
977
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
978
+ }
979
+
980
+ /*
981
+ * First byte is curve_type, always named_curve
982
+ */
983
+ *buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
984
+
985
+ /*
986
+ * Next two bytes are the namedcurve value
987
+ */
988
+ MBEDTLS_PUT_UINT16_BE(curve_info->tls_id, buf, 0);
989
+
990
+ return 0;
991
+ }
992
+
993
+ /*
994
+ * Wrapper around fast quasi-modp functions, with fall-back to mbedtls_mpi_mod_mpi.
995
+ * See the documentation of struct mbedtls_ecp_group.
996
+ *
997
+ * This function is in the critial loop for mbedtls_ecp_mul, so pay attention to perf.
998
+ */
999
+ static int ecp_modp(mbedtls_mpi *N, const mbedtls_ecp_group *grp)
1000
+ {
1001
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1002
+
1003
+ if (grp->modp == NULL) {
1004
+ return mbedtls_mpi_mod_mpi(N, N, &grp->P);
1005
+ }
1006
+
1007
+ /* N->s < 0 is a much faster test, which fails only if N is 0 */
1008
+ if ((N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) ||
1009
+ mbedtls_mpi_bitlen(N) > 2 * grp->pbits) {
1010
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
1011
+ }
1012
+
1013
+ MBEDTLS_MPI_CHK(grp->modp(N));
1014
+
1015
+ /* N->s < 0 is a much faster test, which fails only if N is 0 */
1016
+ while (N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) {
1017
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &grp->P));
1018
+ }
1019
+
1020
+ while (mbedtls_mpi_cmp_mpi(N, &grp->P) >= 0) {
1021
+ /* we known P, N and the result are positive */
1022
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(N, N, &grp->P));
1023
+ }
1024
+
1025
+ cleanup:
1026
+ return ret;
1027
+ }
1028
+
1029
+ /*
1030
+ * Fast mod-p functions expect their argument to be in the 0..p^2 range.
1031
+ *
1032
+ * In order to guarantee that, we need to ensure that operands of
1033
+ * mbedtls_mpi_mul_mpi are in the 0..p range. So, after each operation we will
1034
+ * bring the result back to this range.
1035
+ *
1036
+ * The following macros are shortcuts for doing that.
1037
+ */
1038
+
1039
+ /*
1040
+ * Reduce a mbedtls_mpi mod p in-place, general case, to use after mbedtls_mpi_mul_mpi
1041
+ */
1042
+ #if defined(MBEDTLS_SELF_TEST)
1043
+ #define INC_MUL_COUNT mul_count++;
1044
+ #else
1045
+ #define INC_MUL_COUNT
1046
+ #endif
1047
+
1048
+ #define MOD_MUL(N) \
1049
+ do \
1050
+ { \
1051
+ MBEDTLS_MPI_CHK(ecp_modp(&(N), grp)); \
1052
+ INC_MUL_COUNT \
1053
+ } while (0)
1054
+
1055
+ static inline int mbedtls_mpi_mul_mod(const mbedtls_ecp_group *grp,
1056
+ mbedtls_mpi *X,
1057
+ const mbedtls_mpi *A,
1058
+ const mbedtls_mpi *B)
1059
+ {
1060
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1061
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(X, A, B));
1062
+ MOD_MUL(*X);
1063
+ cleanup:
1064
+ return ret;
1065
+ }
1066
+
1067
+ /*
1068
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
1069
+ * N->s < 0 is a very fast test, which fails only if N is 0
1070
+ */
1071
+ #define MOD_SUB(N) \
1072
+ do { \
1073
+ while ((N)->s < 0 && mbedtls_mpi_cmp_int((N), 0) != 0) \
1074
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi((N), (N), &grp->P)); \
1075
+ } while (0)
1076
+
1077
+ #if (defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
1078
+ !(defined(MBEDTLS_ECP_NO_FALLBACK) && \
1079
+ defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && \
1080
+ defined(MBEDTLS_ECP_ADD_MIXED_ALT))) || \
1081
+ (defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) && \
1082
+ !(defined(MBEDTLS_ECP_NO_FALLBACK) && \
1083
+ defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)))
1084
+ static inline int mbedtls_mpi_sub_mod(const mbedtls_ecp_group *grp,
1085
+ mbedtls_mpi *X,
1086
+ const mbedtls_mpi *A,
1087
+ const mbedtls_mpi *B)
1088
+ {
1089
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1090
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(X, A, B));
1091
+ MOD_SUB(X);
1092
+ cleanup:
1093
+ return ret;
1094
+ }
1095
+ #endif /* All functions referencing mbedtls_mpi_sub_mod() are alt-implemented without fallback */
1096
+
1097
+ /*
1098
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
1099
+ * We known P, N and the result are positive, so sub_abs is correct, and
1100
+ * a bit faster.
1101
+ */
1102
+ #define MOD_ADD(N) \
1103
+ while (mbedtls_mpi_cmp_mpi((N), &grp->P) >= 0) \
1104
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs((N), (N), &grp->P))
1105
+
1106
+ static inline int mbedtls_mpi_add_mod(const mbedtls_ecp_group *grp,
1107
+ mbedtls_mpi *X,
1108
+ const mbedtls_mpi *A,
1109
+ const mbedtls_mpi *B)
1110
+ {
1111
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1112
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, A, B));
1113
+ MOD_ADD(X);
1114
+ cleanup:
1115
+ return ret;
1116
+ }
1117
+
1118
+ static inline int mbedtls_mpi_mul_int_mod(const mbedtls_ecp_group *grp,
1119
+ mbedtls_mpi *X,
1120
+ const mbedtls_mpi *A,
1121
+ mbedtls_mpi_uint c)
1122
+ {
1123
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1124
+
1125
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(X, A, c));
1126
+ MOD_ADD(X);
1127
+ cleanup:
1128
+ return ret;
1129
+ }
1130
+
1131
+ static inline int mbedtls_mpi_sub_int_mod(const mbedtls_ecp_group *grp,
1132
+ mbedtls_mpi *X,
1133
+ const mbedtls_mpi *A,
1134
+ mbedtls_mpi_uint c)
1135
+ {
1136
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1137
+
1138
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(X, A, c));
1139
+ MOD_SUB(X);
1140
+ cleanup:
1141
+ return ret;
1142
+ }
1143
+
1144
+ #define MPI_ECP_SUB_INT(X, A, c) \
1145
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int_mod(grp, X, A, c))
1146
+
1147
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
1148
+ !(defined(MBEDTLS_ECP_NO_FALLBACK) && \
1149
+ defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && \
1150
+ defined(MBEDTLS_ECP_ADD_MIXED_ALT))
1151
+ static inline int mbedtls_mpi_shift_l_mod(const mbedtls_ecp_group *grp,
1152
+ mbedtls_mpi *X,
1153
+ size_t count)
1154
+ {
1155
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1156
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, count));
1157
+ MOD_ADD(X);
1158
+ cleanup:
1159
+ return ret;
1160
+ }
1161
+ #endif \
1162
+ /* All functions referencing mbedtls_mpi_shift_l_mod() are alt-implemented without fallback */
1163
+
1164
+ /*
1165
+ * Macro wrappers around ECP modular arithmetic
1166
+ *
1167
+ * Currently, these wrappers are defined via the bignum module.
1168
+ */
1169
+
1170
+ #define MPI_ECP_ADD(X, A, B) \
1171
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, X, A, B))
1172
+
1173
+ #define MPI_ECP_SUB(X, A, B) \
1174
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, X, A, B))
1175
+
1176
+ #define MPI_ECP_MUL(X, A, B) \
1177
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, B))
1178
+
1179
+ #define MPI_ECP_SQR(X, A) \
1180
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, A))
1181
+
1182
+ #define MPI_ECP_MUL_INT(X, A, c) \
1183
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int_mod(grp, X, A, c))
1184
+
1185
+ #define MPI_ECP_INV(dst, src) \
1186
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod((dst), (src), &grp->P))
1187
+
1188
+ #define MPI_ECP_MOV(X, A) \
1189
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A))
1190
+
1191
+ #define MPI_ECP_SHIFT_L(X, count) \
1192
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l_mod(grp, X, count))
1193
+
1194
+ #define MPI_ECP_LSET(X, c) \
1195
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, c))
1196
+
1197
+ #define MPI_ECP_CMP_INT(X, c) \
1198
+ mbedtls_mpi_cmp_int(X, c)
1199
+
1200
+ #define MPI_ECP_CMP(X, Y) \
1201
+ mbedtls_mpi_cmp_mpi(X, Y)
1202
+
1203
+ /* Needs f_rng, p_rng to be defined. */
1204
+ #define MPI_ECP_RAND(X) \
1205
+ MBEDTLS_MPI_CHK(mbedtls_mpi_random((X), 2, &grp->P, f_rng, p_rng))
1206
+
1207
+ /* Conditional negation
1208
+ * Needs grp and a temporary MPI tmp to be defined. */
1209
+ #define MPI_ECP_COND_NEG(X, cond) \
1210
+ do \
1211
+ { \
1212
+ unsigned char nonzero = mbedtls_mpi_cmp_int((X), 0) != 0; \
1213
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&tmp, &grp->P, (X))); \
1214
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), &tmp, \
1215
+ nonzero & cond)); \
1216
+ } while (0)
1217
+
1218
+ #define MPI_ECP_NEG(X) MPI_ECP_COND_NEG((X), 1)
1219
+
1220
+ #define MPI_ECP_VALID(X) \
1221
+ ((X)->p != NULL)
1222
+
1223
+ #define MPI_ECP_COND_ASSIGN(X, Y, cond) \
1224
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), (Y), (cond)))
1225
+
1226
+ #define MPI_ECP_COND_SWAP(X, Y, cond) \
1227
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_swap((X), (Y), (cond)))
1228
+
1229
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
1230
+
1231
+ /*
1232
+ * Computes the right-hand side of the Short Weierstrass equation
1233
+ * RHS = X^3 + A X + B
1234
+ */
1235
+ static int ecp_sw_rhs(const mbedtls_ecp_group *grp,
1236
+ mbedtls_mpi *rhs,
1237
+ const mbedtls_mpi *X)
1238
+ {
1239
+ int ret;
1240
+
1241
+ /* Compute X^3 + A X + B as X (X^2 + A) + B */
1242
+ MPI_ECP_SQR(rhs, X);
1243
+
1244
+ /* Special case for A = -3 */
1245
+ if (mbedtls_ecp_group_a_is_minus_3(grp)) {
1246
+ MPI_ECP_SUB_INT(rhs, rhs, 3);
1247
+ } else {
1248
+ MPI_ECP_ADD(rhs, rhs, &grp->A);
1249
+ }
1250
+
1251
+ MPI_ECP_MUL(rhs, rhs, X);
1252
+ MPI_ECP_ADD(rhs, rhs, &grp->B);
1253
+
1254
+ cleanup:
1255
+ return ret;
1256
+ }
1257
+
1258
+ /*
1259
+ * Derive Y from X and a parity bit
1260
+ */
1261
+ static int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
1262
+ const mbedtls_mpi *X,
1263
+ mbedtls_mpi *Y,
1264
+ int parity_bit)
1265
+ {
1266
+ /* w = y^2 = x^3 + ax + b
1267
+ * y = sqrt(w) = w^((p+1)/4) mod p (for prime p where p = 3 mod 4)
1268
+ *
1269
+ * Note: this method for extracting square root does not validate that w
1270
+ * was indeed a square so this function will return garbage in Y if X
1271
+ * does not correspond to a point on the curve.
1272
+ */
1273
+
1274
+ /* Check prerequisite p = 3 mod 4 */
1275
+ if (mbedtls_mpi_get_bit(&grp->P, 0) != 1 ||
1276
+ mbedtls_mpi_get_bit(&grp->P, 1) != 1) {
1277
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1278
+ }
1279
+
1280
+ int ret;
1281
+ mbedtls_mpi exp;
1282
+ mbedtls_mpi_init(&exp);
1283
+
1284
+ /* use Y to store intermediate result, actually w above */
1285
+ MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, Y, X));
1286
+
1287
+ /* w = y^2 */ /* Y contains y^2 intermediate result */
1288
+ /* exp = ((p+1)/4) */
1289
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&exp, &grp->P, 1));
1290
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&exp, 2));
1291
+ /* sqrt(w) = w^((p+1)/4) mod p (for prime p where p = 3 mod 4) */
1292
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(Y, Y /*y^2*/, &exp, &grp->P, NULL));
1293
+
1294
+ /* check parity bit match or else invert Y */
1295
+ /* This quick inversion implementation is valid because Y != 0 for all
1296
+ * Short Weierstrass curves supported by mbedtls, as each supported curve
1297
+ * has an order that is a large prime, so each supported curve does not
1298
+ * have any point of order 2, and a point with Y == 0 would be of order 2 */
1299
+ if (mbedtls_mpi_get_bit(Y, 0) != parity_bit) {
1300
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(Y, &grp->P, Y));
1301
+ }
1302
+
1303
+ cleanup:
1304
+
1305
+ mbedtls_mpi_free(&exp);
1306
+ return ret;
1307
+ }
1308
+ #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
1309
+
1310
+ #if defined(MBEDTLS_ECP_C)
1311
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
1312
+ /*
1313
+ * For curves in short Weierstrass form, we do all the internal operations in
1314
+ * Jacobian coordinates.
1315
+ *
1316
+ * For multiplication, we'll use a comb method with countermeasures against
1317
+ * SPA, hence timing attacks.
1318
+ */
1319
+
1320
+ /*
1321
+ * Normalize jacobian coordinates so that Z == 0 || Z == 1 (GECC 3.2.1)
1322
+ * Cost: 1N := 1I + 3M + 1S
1323
+ */
1324
+ static int ecp_normalize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt)
1325
+ {
1326
+ if (MPI_ECP_CMP_INT(&pt->Z, 0) == 0) {
1327
+ return 0;
1328
+ }
1329
+
1330
+ #if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
1331
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
1332
+ return mbedtls_internal_ecp_normalize_jac(grp, pt);
1333
+ }
1334
+ #endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
1335
+
1336
+ #if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
1337
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1338
+ #else
1339
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1340
+ mbedtls_mpi T;
1341
+ mbedtls_mpi_init(&T);
1342
+
1343
+ MPI_ECP_INV(&T, &pt->Z); /* T <- 1 / Z */
1344
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &T); /* Y' <- Y*T = Y / Z */
1345
+ MPI_ECP_SQR(&T, &T); /* T <- T^2 = 1 / Z^2 */
1346
+ MPI_ECP_MUL(&pt->X, &pt->X, &T); /* X <- X * T = X / Z^2 */
1347
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &T); /* Y'' <- Y' * T = Y / Z^3 */
1348
+
1349
+ MPI_ECP_LSET(&pt->Z, 1);
1350
+
1351
+ cleanup:
1352
+
1353
+ mbedtls_mpi_free(&T);
1354
+
1355
+ return ret;
1356
+ #endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) */
1357
+ }
1358
+
1359
+ /*
1360
+ * Normalize jacobian coordinates of an array of (pointers to) points,
1361
+ * using Montgomery's trick to perform only one inversion mod P.
1362
+ * (See for example Cohen's "A Course in Computational Algebraic Number
1363
+ * Theory", Algorithm 10.3.4.)
1364
+ *
1365
+ * Warning: fails (returning an error) if one of the points is zero!
1366
+ * This should never happen, see choice of w in ecp_mul_comb().
1367
+ *
1368
+ * Cost: 1N(t) := 1I + (6t - 3)M + 1S
1369
+ */
1370
+ static int ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
1371
+ mbedtls_ecp_point *T[], size_t T_size)
1372
+ {
1373
+ if (T_size < 2) {
1374
+ return ecp_normalize_jac(grp, *T);
1375
+ }
1376
+
1377
+ #if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
1378
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
1379
+ return mbedtls_internal_ecp_normalize_jac_many(grp, T, T_size);
1380
+ }
1381
+ #endif
1382
+
1383
+ #if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
1384
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1385
+ #else
1386
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1387
+ size_t i;
1388
+ mbedtls_mpi *c, t;
1389
+
1390
+ if ((c = mbedtls_calloc(T_size, sizeof(mbedtls_mpi))) == NULL) {
1391
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
1392
+ }
1393
+
1394
+ mbedtls_mpi_init(&t);
1395
+
1396
+ mpi_init_many(c, T_size);
1397
+ /*
1398
+ * c[i] = Z_0 * ... * Z_i, i = 0,..,n := T_size-1
1399
+ */
1400
+ MPI_ECP_MOV(&c[0], &T[0]->Z);
1401
+ for (i = 1; i < T_size; i++) {
1402
+ MPI_ECP_MUL(&c[i], &c[i-1], &T[i]->Z);
1403
+ }
1404
+
1405
+ /*
1406
+ * c[n] = 1 / (Z_0 * ... * Z_n) mod P
1407
+ */
1408
+ MPI_ECP_INV(&c[T_size-1], &c[T_size-1]);
1409
+
1410
+ for (i = T_size - 1;; i--) {
1411
+ /* At the start of iteration i (note that i decrements), we have
1412
+ * - c[j] = Z_0 * .... * Z_j for j < i,
1413
+ * - c[j] = 1 / (Z_0 * .... * Z_j) for j == i,
1414
+ *
1415
+ * This is maintained via
1416
+ * - c[i-1] <- c[i] * Z_i
1417
+ *
1418
+ * We also derive 1/Z_i = c[i] * c[i-1] for i>0 and use that
1419
+ * to do the actual normalization. For i==0, we already have
1420
+ * c[0] = 1 / Z_0.
1421
+ */
1422
+
1423
+ if (i > 0) {
1424
+ /* Compute 1/Z_i and establish invariant for the next iteration. */
1425
+ MPI_ECP_MUL(&t, &c[i], &c[i-1]);
1426
+ MPI_ECP_MUL(&c[i-1], &c[i], &T[i]->Z);
1427
+ } else {
1428
+ MPI_ECP_MOV(&t, &c[0]);
1429
+ }
1430
+
1431
+ /* Now t holds 1 / Z_i; normalize as in ecp_normalize_jac() */
1432
+ MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
1433
+ MPI_ECP_SQR(&t, &t);
1434
+ MPI_ECP_MUL(&T[i]->X, &T[i]->X, &t);
1435
+ MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
1436
+
1437
+ /*
1438
+ * Post-precessing: reclaim some memory by shrinking coordinates
1439
+ * - not storing Z (always 1)
1440
+ * - shrinking other coordinates, but still keeping the same number of
1441
+ * limbs as P, as otherwise it will too likely be regrown too fast.
1442
+ */
1443
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->X, grp->P.n));
1444
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->Y, grp->P.n));
1445
+
1446
+ MPI_ECP_LSET(&T[i]->Z, 1);
1447
+
1448
+ if (i == 0) {
1449
+ break;
1450
+ }
1451
+ }
1452
+
1453
+ cleanup:
1454
+
1455
+ mbedtls_mpi_free(&t);
1456
+ mpi_free_many(c, T_size);
1457
+ mbedtls_free(c);
1458
+
1459
+ return ret;
1460
+ #endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) */
1461
+ }
1462
+
1463
+ /*
1464
+ * Conditional point inversion: Q -> -Q = (Q.X, -Q.Y, Q.Z) without leak.
1465
+ * "inv" must be 0 (don't invert) or 1 (invert) or the result will be invalid
1466
+ */
1467
+ static int ecp_safe_invert_jac(const mbedtls_ecp_group *grp,
1468
+ mbedtls_ecp_point *Q,
1469
+ unsigned char inv)
1470
+ {
1471
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1472
+ mbedtls_mpi tmp;
1473
+ mbedtls_mpi_init(&tmp);
1474
+
1475
+ MPI_ECP_COND_NEG(&Q->Y, inv);
1476
+
1477
+ cleanup:
1478
+ mbedtls_mpi_free(&tmp);
1479
+ return ret;
1480
+ }
1481
+
1482
+ /*
1483
+ * Point doubling R = 2 P, Jacobian coordinates
1484
+ *
1485
+ * Based on http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2 .
1486
+ *
1487
+ * We follow the variable naming fairly closely. The formula variations that trade a MUL for a SQR
1488
+ * (plus a few ADDs) aren't useful as our bignum implementation doesn't distinguish squaring.
1489
+ *
1490
+ * Standard optimizations are applied when curve parameter A is one of { 0, -3 }.
1491
+ *
1492
+ * Cost: 1D := 3M + 4S (A == 0)
1493
+ * 4M + 4S (A == -3)
1494
+ * 3M + 6S + 1a otherwise
1495
+ */
1496
+ static int ecp_double_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
1497
+ const mbedtls_ecp_point *P,
1498
+ mbedtls_mpi tmp[4])
1499
+ {
1500
+ #if defined(MBEDTLS_SELF_TEST)
1501
+ dbl_count++;
1502
+ #endif
1503
+
1504
+ #if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
1505
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
1506
+ return mbedtls_internal_ecp_double_jac(grp, R, P);
1507
+ }
1508
+ #endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
1509
+
1510
+ #if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
1511
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1512
+ #else
1513
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1514
+
1515
+ /* Special case for A = -3 */
1516
+ if (mbedtls_ecp_group_a_is_minus_3(grp)) {
1517
+ /* tmp[0] <- M = 3(X + Z^2)(X - Z^2) */
1518
+ MPI_ECP_SQR(&tmp[1], &P->Z);
1519
+ MPI_ECP_ADD(&tmp[2], &P->X, &tmp[1]);
1520
+ MPI_ECP_SUB(&tmp[3], &P->X, &tmp[1]);
1521
+ MPI_ECP_MUL(&tmp[1], &tmp[2], &tmp[3]);
1522
+ MPI_ECP_MUL_INT(&tmp[0], &tmp[1], 3);
1523
+ } else {
1524
+ /* tmp[0] <- M = 3.X^2 + A.Z^4 */
1525
+ MPI_ECP_SQR(&tmp[1], &P->X);
1526
+ MPI_ECP_MUL_INT(&tmp[0], &tmp[1], 3);
1527
+
1528
+ /* Optimize away for "koblitz" curves with A = 0 */
1529
+ if (MPI_ECP_CMP_INT(&grp->A, 0) != 0) {
1530
+ /* M += A.Z^4 */
1531
+ MPI_ECP_SQR(&tmp[1], &P->Z);
1532
+ MPI_ECP_SQR(&tmp[2], &tmp[1]);
1533
+ MPI_ECP_MUL(&tmp[1], &tmp[2], &grp->A);
1534
+ MPI_ECP_ADD(&tmp[0], &tmp[0], &tmp[1]);
1535
+ }
1536
+ }
1537
+
1538
+ /* tmp[1] <- S = 4.X.Y^2 */
1539
+ MPI_ECP_SQR(&tmp[2], &P->Y);
1540
+ MPI_ECP_SHIFT_L(&tmp[2], 1);
1541
+ MPI_ECP_MUL(&tmp[1], &P->X, &tmp[2]);
1542
+ MPI_ECP_SHIFT_L(&tmp[1], 1);
1543
+
1544
+ /* tmp[3] <- U = 8.Y^4 */
1545
+ MPI_ECP_SQR(&tmp[3], &tmp[2]);
1546
+ MPI_ECP_SHIFT_L(&tmp[3], 1);
1547
+
1548
+ /* tmp[2] <- T = M^2 - 2.S */
1549
+ MPI_ECP_SQR(&tmp[2], &tmp[0]);
1550
+ MPI_ECP_SUB(&tmp[2], &tmp[2], &tmp[1]);
1551
+ MPI_ECP_SUB(&tmp[2], &tmp[2], &tmp[1]);
1552
+
1553
+ /* tmp[1] <- S = M(S - T) - U */
1554
+ MPI_ECP_SUB(&tmp[1], &tmp[1], &tmp[2]);
1555
+ MPI_ECP_MUL(&tmp[1], &tmp[1], &tmp[0]);
1556
+ MPI_ECP_SUB(&tmp[1], &tmp[1], &tmp[3]);
1557
+
1558
+ /* tmp[3] <- U = 2.Y.Z */
1559
+ MPI_ECP_MUL(&tmp[3], &P->Y, &P->Z);
1560
+ MPI_ECP_SHIFT_L(&tmp[3], 1);
1561
+
1562
+ /* Store results */
1563
+ MPI_ECP_MOV(&R->X, &tmp[2]);
1564
+ MPI_ECP_MOV(&R->Y, &tmp[1]);
1565
+ MPI_ECP_MOV(&R->Z, &tmp[3]);
1566
+
1567
+ cleanup:
1568
+
1569
+ return ret;
1570
+ #endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) */
1571
+ }
1572
+
1573
+ /*
1574
+ * Addition: R = P + Q, mixed affine-Jacobian coordinates (GECC 3.22)
1575
+ *
1576
+ * The coordinates of Q must be normalized (= affine),
1577
+ * but those of P don't need to. R is not normalized.
1578
+ *
1579
+ * P,Q,R may alias, but only at the level of EC points: they must be either
1580
+ * equal as pointers, or disjoint (including the coordinate data buffers).
1581
+ * Fine-grained aliasing at the level of coordinates is not supported.
1582
+ *
1583
+ * Special cases: (1) P or Q is zero, (2) R is zero, (3) P == Q.
1584
+ * None of these cases can happen as intermediate step in ecp_mul_comb():
1585
+ * - at each step, P, Q and R are multiples of the base point, the factor
1586
+ * being less than its order, so none of them is zero;
1587
+ * - Q is an odd multiple of the base point, P an even multiple,
1588
+ * due to the choice of precomputed points in the modified comb method.
1589
+ * So branches for these cases do not leak secret information.
1590
+ *
1591
+ * Cost: 1A := 8M + 3S
1592
+ */
1593
+ static int ecp_add_mixed(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
1594
+ const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
1595
+ mbedtls_mpi tmp[4])
1596
+ {
1597
+ #if defined(MBEDTLS_SELF_TEST)
1598
+ add_count++;
1599
+ #endif
1600
+
1601
+ #if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
1602
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
1603
+ return mbedtls_internal_ecp_add_mixed(grp, R, P, Q);
1604
+ }
1605
+ #endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
1606
+
1607
+ #if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_ADD_MIXED_ALT)
1608
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1609
+ #else
1610
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1611
+
1612
+ /* NOTE: Aliasing between input and output is allowed, so one has to make
1613
+ * sure that at the point X,Y,Z are written, {P,Q}->{X,Y,Z} are no
1614
+ * longer read from. */
1615
+ mbedtls_mpi * const X = &R->X;
1616
+ mbedtls_mpi * const Y = &R->Y;
1617
+ mbedtls_mpi * const Z = &R->Z;
1618
+
1619
+ if (!MPI_ECP_VALID(&Q->Z)) {
1620
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
1621
+ }
1622
+
1623
+ /*
1624
+ * Trivial cases: P == 0 or Q == 0 (case 1)
1625
+ */
1626
+ if (MPI_ECP_CMP_INT(&P->Z, 0) == 0) {
1627
+ return mbedtls_ecp_copy(R, Q);
1628
+ }
1629
+
1630
+ if (MPI_ECP_CMP_INT(&Q->Z, 0) == 0) {
1631
+ return mbedtls_ecp_copy(R, P);
1632
+ }
1633
+
1634
+ /*
1635
+ * Make sure Q coordinates are normalized
1636
+ */
1637
+ if (MPI_ECP_CMP_INT(&Q->Z, 1) != 0) {
1638
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
1639
+ }
1640
+
1641
+ MPI_ECP_SQR(&tmp[0], &P->Z);
1642
+ MPI_ECP_MUL(&tmp[1], &tmp[0], &P->Z);
1643
+ MPI_ECP_MUL(&tmp[0], &tmp[0], &Q->X);
1644
+ MPI_ECP_MUL(&tmp[1], &tmp[1], &Q->Y);
1645
+ MPI_ECP_SUB(&tmp[0], &tmp[0], &P->X);
1646
+ MPI_ECP_SUB(&tmp[1], &tmp[1], &P->Y);
1647
+
1648
+ /* Special cases (2) and (3) */
1649
+ if (MPI_ECP_CMP_INT(&tmp[0], 0) == 0) {
1650
+ if (MPI_ECP_CMP_INT(&tmp[1], 0) == 0) {
1651
+ ret = ecp_double_jac(grp, R, P, tmp);
1652
+ goto cleanup;
1653
+ } else {
1654
+ ret = mbedtls_ecp_set_zero(R);
1655
+ goto cleanup;
1656
+ }
1657
+ }
1658
+
1659
+ /* {P,Q}->Z no longer used, so OK to write to Z even if there's aliasing. */
1660
+ MPI_ECP_MUL(Z, &P->Z, &tmp[0]);
1661
+ MPI_ECP_SQR(&tmp[2], &tmp[0]);
1662
+ MPI_ECP_MUL(&tmp[3], &tmp[2], &tmp[0]);
1663
+ MPI_ECP_MUL(&tmp[2], &tmp[2], &P->X);
1664
+
1665
+ MPI_ECP_MOV(&tmp[0], &tmp[2]);
1666
+ MPI_ECP_SHIFT_L(&tmp[0], 1);
1667
+
1668
+ /* {P,Q}->X no longer used, so OK to write to X even if there's aliasing. */
1669
+ MPI_ECP_SQR(X, &tmp[1]);
1670
+ MPI_ECP_SUB(X, X, &tmp[0]);
1671
+ MPI_ECP_SUB(X, X, &tmp[3]);
1672
+ MPI_ECP_SUB(&tmp[2], &tmp[2], X);
1673
+ MPI_ECP_MUL(&tmp[2], &tmp[2], &tmp[1]);
1674
+ MPI_ECP_MUL(&tmp[3], &tmp[3], &P->Y);
1675
+ /* {P,Q}->Y no longer used, so OK to write to Y even if there's aliasing. */
1676
+ MPI_ECP_SUB(Y, &tmp[2], &tmp[3]);
1677
+
1678
+ cleanup:
1679
+
1680
+ return ret;
1681
+ #endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_ADD_MIXED_ALT) */
1682
+ }
1683
+
1684
+ /*
1685
+ * Randomize jacobian coordinates:
1686
+ * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l
1687
+ * This is sort of the reverse operation of ecp_normalize_jac().
1688
+ *
1689
+ * This countermeasure was first suggested in [2].
1690
+ */
1691
+ static int ecp_randomize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
1692
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1693
+ {
1694
+ #if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
1695
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
1696
+ return mbedtls_internal_ecp_randomize_jac(grp, pt, f_rng, p_rng);
1697
+ }
1698
+ #endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
1699
+
1700
+ #if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
1701
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
1702
+ #else
1703
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1704
+ mbedtls_mpi l;
1705
+
1706
+ mbedtls_mpi_init(&l);
1707
+
1708
+ /* Generate l such that 1 < l < p */
1709
+ MPI_ECP_RAND(&l);
1710
+
1711
+ /* Z' = l * Z */
1712
+ MPI_ECP_MUL(&pt->Z, &pt->Z, &l);
1713
+
1714
+ /* Y' = l * Y */
1715
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &l);
1716
+
1717
+ /* X' = l^2 * X */
1718
+ MPI_ECP_SQR(&l, &l);
1719
+ MPI_ECP_MUL(&pt->X, &pt->X, &l);
1720
+
1721
+ /* Y'' = l^2 * Y' = l^3 * Y */
1722
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &l);
1723
+
1724
+ cleanup:
1725
+ mbedtls_mpi_free(&l);
1726
+
1727
+ if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
1728
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
1729
+ }
1730
+ return ret;
1731
+ #endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) */
1732
+ }
1733
+
1734
+ /*
1735
+ * Check and define parameters used by the comb method (see below for details)
1736
+ */
1737
+ #if MBEDTLS_ECP_WINDOW_SIZE < 2 || MBEDTLS_ECP_WINDOW_SIZE > 7
1738
+ #error "MBEDTLS_ECP_WINDOW_SIZE out of bounds"
1739
+ #endif
1740
+
1741
+ /* d = ceil( n / w ) */
1742
+ #define COMB_MAX_D (MBEDTLS_ECP_MAX_BITS + 1) / 2
1743
+
1744
+ /* number of precomputed points */
1745
+ #define COMB_MAX_PRE (1 << (MBEDTLS_ECP_WINDOW_SIZE - 1))
1746
+
1747
+ /*
1748
+ * Compute the representation of m that will be used with our comb method.
1749
+ *
1750
+ * The basic comb method is described in GECC 3.44 for example. We use a
1751
+ * modified version that provides resistance to SPA by avoiding zero
1752
+ * digits in the representation as in [3]. We modify the method further by
1753
+ * requiring that all K_i be odd, which has the small cost that our
1754
+ * representation uses one more K_i, due to carries, but saves on the size of
1755
+ * the precomputed table.
1756
+ *
1757
+ * Summary of the comb method and its modifications:
1758
+ *
1759
+ * - The goal is to compute m*P for some w*d-bit integer m.
1760
+ *
1761
+ * - The basic comb method splits m into the w-bit integers
1762
+ * x[0] .. x[d-1] where x[i] consists of the bits in m whose
1763
+ * index has residue i modulo d, and computes m * P as
1764
+ * S[x[0]] + 2 * S[x[1]] + .. + 2^(d-1) S[x[d-1]], where
1765
+ * S[i_{w-1} .. i_0] := i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + i_0 P.
1766
+ *
1767
+ * - If it happens that, say, x[i+1]=0 (=> S[x[i+1]]=0), one can replace the sum by
1768
+ * .. + 2^{i-1} S[x[i-1]] - 2^i S[x[i]] + 2^{i+1} S[x[i]] + 2^{i+2} S[x[i+2]] ..,
1769
+ * thereby successively converting it into a form where all summands
1770
+ * are nonzero, at the cost of negative summands. This is the basic idea of [3].
1771
+ *
1772
+ * - More generally, even if x[i+1] != 0, we can first transform the sum as
1773
+ * .. - 2^i S[x[i]] + 2^{i+1} ( S[x[i]] + S[x[i+1]] ) + 2^{i+2} S[x[i+2]] ..,
1774
+ * and then replace S[x[i]] + S[x[i+1]] = S[x[i] ^ x[i+1]] + 2 S[x[i] & x[i+1]].
1775
+ * Performing and iterating this procedure for those x[i] that are even
1776
+ * (keeping track of carry), we can transform the original sum into one of the form
1777
+ * S[x'[0]] +- 2 S[x'[1]] +- .. +- 2^{d-1} S[x'[d-1]] + 2^d S[x'[d]]
1778
+ * with all x'[i] odd. It is therefore only necessary to know S at odd indices,
1779
+ * which is why we are only computing half of it in the first place in
1780
+ * ecp_precompute_comb and accessing it with index abs(i) / 2 in ecp_select_comb.
1781
+ *
1782
+ * - For the sake of compactness, only the seven low-order bits of x[i]
1783
+ * are used to represent its absolute value (K_i in the paper), and the msb
1784
+ * of x[i] encodes the sign (s_i in the paper): it is set if and only if
1785
+ * if s_i == -1;
1786
+ *
1787
+ * Calling conventions:
1788
+ * - x is an array of size d + 1
1789
+ * - w is the size, ie number of teeth, of the comb, and must be between
1790
+ * 2 and 7 (in practice, between 2 and MBEDTLS_ECP_WINDOW_SIZE)
1791
+ * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
1792
+ * (the result will be incorrect if these assumptions are not satisfied)
1793
+ */
1794
+ static void ecp_comb_recode_core(unsigned char x[], size_t d,
1795
+ unsigned char w, const mbedtls_mpi *m)
1796
+ {
1797
+ size_t i, j;
1798
+ unsigned char c, cc, adjust;
1799
+
1800
+ memset(x, 0, d+1);
1801
+
1802
+ /* First get the classical comb values (except for x_d = 0) */
1803
+ for (i = 0; i < d; i++) {
1804
+ for (j = 0; j < w; j++) {
1805
+ x[i] |= mbedtls_mpi_get_bit(m, i + d * j) << j;
1806
+ }
1807
+ }
1808
+
1809
+ /* Now make sure x_1 .. x_d are odd */
1810
+ c = 0;
1811
+ for (i = 1; i <= d; i++) {
1812
+ /* Add carry and update it */
1813
+ cc = x[i] & c;
1814
+ x[i] = x[i] ^ c;
1815
+ c = cc;
1816
+
1817
+ /* Adjust if needed, avoiding branches */
1818
+ adjust = 1 - (x[i] & 0x01);
1819
+ c |= x[i] & (x[i-1] * adjust);
1820
+ x[i] = x[i] ^ (x[i-1] * adjust);
1821
+ x[i-1] |= adjust << 7;
1822
+ }
1823
+ }
1824
+
1825
+ /*
1826
+ * Precompute points for the adapted comb method
1827
+ *
1828
+ * Assumption: T must be able to hold 2^{w - 1} elements.
1829
+ *
1830
+ * Operation: If i = i_{w-1} ... i_1 is the binary representation of i,
1831
+ * sets T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P.
1832
+ *
1833
+ * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
1834
+ *
1835
+ * Note: Even comb values (those where P would be omitted from the
1836
+ * sum defining T[i] above) are not needed in our adaption
1837
+ * the comb method. See ecp_comb_recode_core().
1838
+ *
1839
+ * This function currently works in four steps:
1840
+ * (1) [dbl] Computation of intermediate T[i] for 2-power values of i
1841
+ * (2) [norm_dbl] Normalization of coordinates of these T[i]
1842
+ * (3) [add] Computation of all T[i]
1843
+ * (4) [norm_add] Normalization of all T[i]
1844
+ *
1845
+ * Step 1 can be interrupted but not the others; together with the final
1846
+ * coordinate normalization they are the largest steps done at once, depending
1847
+ * on the window size. Here are operation counts for P-256:
1848
+ *
1849
+ * step (2) (3) (4)
1850
+ * w = 5 142 165 208
1851
+ * w = 4 136 77 160
1852
+ * w = 3 130 33 136
1853
+ * w = 2 124 11 124
1854
+ *
1855
+ * So if ECC operations are blocking for too long even with a low max_ops
1856
+ * value, it's useful to set MBEDTLS_ECP_WINDOW_SIZE to a lower value in order
1857
+ * to minimize maximum blocking time.
1858
+ */
1859
+ static int ecp_precompute_comb(const mbedtls_ecp_group *grp,
1860
+ mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
1861
+ unsigned char w, size_t d,
1862
+ mbedtls_ecp_restart_ctx *rs_ctx)
1863
+ {
1864
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1865
+ unsigned char i;
1866
+ size_t j = 0;
1867
+ const unsigned char T_size = 1U << (w - 1);
1868
+ mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1] = { NULL };
1869
+
1870
+ mbedtls_mpi tmp[4];
1871
+
1872
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
1873
+
1874
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
1875
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
1876
+ if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
1877
+ goto dbl;
1878
+ }
1879
+ if (rs_ctx->rsm->state == ecp_rsm_pre_norm_dbl) {
1880
+ goto norm_dbl;
1881
+ }
1882
+ if (rs_ctx->rsm->state == ecp_rsm_pre_add) {
1883
+ goto add;
1884
+ }
1885
+ if (rs_ctx->rsm->state == ecp_rsm_pre_norm_add) {
1886
+ goto norm_add;
1887
+ }
1888
+ }
1889
+ #else
1890
+ (void) rs_ctx;
1891
+ #endif
1892
+
1893
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
1894
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
1895
+ rs_ctx->rsm->state = ecp_rsm_pre_dbl;
1896
+
1897
+ /* initial state for the loop */
1898
+ rs_ctx->rsm->i = 0;
1899
+ }
1900
+
1901
+ dbl:
1902
+ #endif
1903
+ /*
1904
+ * Set T[0] = P and
1905
+ * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
1906
+ */
1907
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&T[0], P));
1908
+
1909
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
1910
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
1911
+ j = rs_ctx->rsm->i;
1912
+ } else
1913
+ #endif
1914
+ j = 0;
1915
+
1916
+ for (; j < d * (w - 1); j++) {
1917
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL);
1918
+
1919
+ i = 1U << (j / d);
1920
+ cur = T + i;
1921
+
1922
+ if (j % d == 0) {
1923
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(cur, T + (i >> 1)));
1924
+ }
1925
+
1926
+ MBEDTLS_MPI_CHK(ecp_double_jac(grp, cur, cur, tmp));
1927
+ }
1928
+
1929
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
1930
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
1931
+ rs_ctx->rsm->state = ecp_rsm_pre_norm_dbl;
1932
+ }
1933
+
1934
+ norm_dbl:
1935
+ #endif
1936
+ /*
1937
+ * Normalize current elements in T to allow them to be used in
1938
+ * ecp_add_mixed() below, which requires one normalized input.
1939
+ *
1940
+ * As T has holes, use an auxiliary array of pointers to elements in T.
1941
+ *
1942
+ */
1943
+ j = 0;
1944
+ for (i = 1; i < T_size; i <<= 1) {
1945
+ TT[j++] = T + i;
1946
+ }
1947
+
1948
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
1949
+
1950
+ MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
1951
+
1952
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
1953
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
1954
+ rs_ctx->rsm->state = ecp_rsm_pre_add;
1955
+ }
1956
+
1957
+ add:
1958
+ #endif
1959
+ /*
1960
+ * Compute the remaining ones using the minimal number of additions
1961
+ * Be careful to update T[2^l] only after using it!
1962
+ */
1963
+ MBEDTLS_ECP_BUDGET((T_size - 1) * MBEDTLS_ECP_OPS_ADD);
1964
+
1965
+ for (i = 1; i < T_size; i <<= 1) {
1966
+ j = i;
1967
+ while (j--) {
1968
+ MBEDTLS_MPI_CHK(ecp_add_mixed(grp, &T[i + j], &T[j], &T[i], tmp));
1969
+ }
1970
+ }
1971
+
1972
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
1973
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
1974
+ rs_ctx->rsm->state = ecp_rsm_pre_norm_add;
1975
+ }
1976
+
1977
+ norm_add:
1978
+ #endif
1979
+ /*
1980
+ * Normalize final elements in T. Even though there are no holes now, we
1981
+ * still need the auxiliary array for homogeneity with the previous
1982
+ * call. Also, skip T[0] which is already normalised, being a copy of P.
1983
+ */
1984
+ for (j = 0; j + 1 < T_size; j++) {
1985
+ TT[j] = T + j + 1;
1986
+ }
1987
+
1988
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
1989
+
1990
+ MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
1991
+
1992
+ /* Free Z coordinate (=1 after normalization) to save RAM.
1993
+ * This makes T[i] invalid as mbedtls_ecp_points, but this is OK
1994
+ * since from this point onwards, they are only accessed indirectly
1995
+ * via the getter function ecp_select_comb() which does set the
1996
+ * target's Z coordinate to 1. */
1997
+ for (i = 0; i < T_size; i++) {
1998
+ mbedtls_mpi_free(&T[i].Z);
1999
+ }
2000
+
2001
+ cleanup:
2002
+
2003
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2004
+
2005
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2006
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
2007
+ ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2008
+ if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
2009
+ rs_ctx->rsm->i = j;
2010
+ }
2011
+ }
2012
+ #endif
2013
+
2014
+ return ret;
2015
+ }
2016
+
2017
+ /*
2018
+ * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
2019
+ *
2020
+ * See ecp_comb_recode_core() for background
2021
+ */
2022
+ static int ecp_select_comb(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2023
+ const mbedtls_ecp_point T[], unsigned char T_size,
2024
+ unsigned char i)
2025
+ {
2026
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2027
+ unsigned char ii, j;
2028
+
2029
+ /* Ignore the "sign" bit and scale down */
2030
+ ii = (i & 0x7Fu) >> 1;
2031
+
2032
+ /* Read the whole table to thwart cache-based timing attacks */
2033
+ for (j = 0; j < T_size; j++) {
2034
+ MPI_ECP_COND_ASSIGN(&R->X, &T[j].X, j == ii);
2035
+ MPI_ECP_COND_ASSIGN(&R->Y, &T[j].Y, j == ii);
2036
+ }
2037
+
2038
+ /* Safely invert result if i is "negative" */
2039
+ MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, R, i >> 7));
2040
+
2041
+ MPI_ECP_LSET(&R->Z, 1);
2042
+
2043
+ cleanup:
2044
+ return ret;
2045
+ }
2046
+
2047
+ /*
2048
+ * Core multiplication algorithm for the (modified) comb method.
2049
+ * This part is actually common with the basic comb method (GECC 3.44)
2050
+ *
2051
+ * Cost: d A + d D + 1 R
2052
+ */
2053
+ static int ecp_mul_comb_core(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2054
+ const mbedtls_ecp_point T[], unsigned char T_size,
2055
+ const unsigned char x[], size_t d,
2056
+ int (*f_rng)(void *, unsigned char *, size_t),
2057
+ void *p_rng,
2058
+ mbedtls_ecp_restart_ctx *rs_ctx)
2059
+ {
2060
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2061
+ mbedtls_ecp_point Txi;
2062
+ mbedtls_mpi tmp[4];
2063
+ size_t i;
2064
+
2065
+ mbedtls_ecp_point_init(&Txi);
2066
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2067
+
2068
+ #if !defined(MBEDTLS_ECP_RESTARTABLE)
2069
+ (void) rs_ctx;
2070
+ #endif
2071
+
2072
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2073
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
2074
+ rs_ctx->rsm->state != ecp_rsm_comb_core) {
2075
+ rs_ctx->rsm->i = 0;
2076
+ rs_ctx->rsm->state = ecp_rsm_comb_core;
2077
+ }
2078
+
2079
+ /* new 'if' instead of nested for the sake of the 'else' branch */
2080
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
2081
+ /* restore current index (R already pointing to rs_ctx->rsm->R) */
2082
+ i = rs_ctx->rsm->i;
2083
+ } else
2084
+ #endif
2085
+ {
2086
+ /* Start with a non-zero point and randomize its coordinates */
2087
+ i = d;
2088
+ MBEDTLS_MPI_CHK(ecp_select_comb(grp, R, T, T_size, x[i]));
2089
+ if (f_rng != 0) {
2090
+ MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, R, f_rng, p_rng));
2091
+ }
2092
+ }
2093
+
2094
+ while (i != 0) {
2095
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL + MBEDTLS_ECP_OPS_ADD);
2096
+ --i;
2097
+
2098
+ MBEDTLS_MPI_CHK(ecp_double_jac(grp, R, R, tmp));
2099
+ MBEDTLS_MPI_CHK(ecp_select_comb(grp, &Txi, T, T_size, x[i]));
2100
+ MBEDTLS_MPI_CHK(ecp_add_mixed(grp, R, R, &Txi, tmp));
2101
+ }
2102
+
2103
+ cleanup:
2104
+
2105
+ mbedtls_ecp_point_free(&Txi);
2106
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2107
+
2108
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2109
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
2110
+ ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2111
+ rs_ctx->rsm->i = i;
2112
+ /* no need to save R, already pointing to rs_ctx->rsm->R */
2113
+ }
2114
+ #endif
2115
+
2116
+ return ret;
2117
+ }
2118
+
2119
+ /*
2120
+ * Recode the scalar to get constant-time comb multiplication
2121
+ *
2122
+ * As the actual scalar recoding needs an odd scalar as a starting point,
2123
+ * this wrapper ensures that by replacing m by N - m if necessary, and
2124
+ * informs the caller that the result of multiplication will be negated.
2125
+ *
2126
+ * This works because we only support large prime order for Short Weierstrass
2127
+ * curves, so N is always odd hence either m or N - m is.
2128
+ *
2129
+ * See ecp_comb_recode_core() for background.
2130
+ */
2131
+ static int ecp_comb_recode_scalar(const mbedtls_ecp_group *grp,
2132
+ const mbedtls_mpi *m,
2133
+ unsigned char k[COMB_MAX_D + 1],
2134
+ size_t d,
2135
+ unsigned char w,
2136
+ unsigned char *parity_trick)
2137
+ {
2138
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2139
+ mbedtls_mpi M, mm;
2140
+
2141
+ mbedtls_mpi_init(&M);
2142
+ mbedtls_mpi_init(&mm);
2143
+
2144
+ /* N is always odd (see above), just make extra sure */
2145
+ if (mbedtls_mpi_get_bit(&grp->N, 0) != 1) {
2146
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2147
+ }
2148
+
2149
+ /* do we need the parity trick? */
2150
+ *parity_trick = (mbedtls_mpi_get_bit(m, 0) == 0);
2151
+
2152
+ /* execute parity fix in constant time */
2153
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&M, m));
2154
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&mm, &grp->N, m));
2155
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(&M, &mm, *parity_trick));
2156
+
2157
+ /* actual scalar recoding */
2158
+ ecp_comb_recode_core(k, d, w, &M);
2159
+
2160
+ cleanup:
2161
+ mbedtls_mpi_free(&mm);
2162
+ mbedtls_mpi_free(&M);
2163
+
2164
+ return ret;
2165
+ }
2166
+
2167
+ /*
2168
+ * Perform comb multiplication (for short Weierstrass curves)
2169
+ * once the auxiliary table has been pre-computed.
2170
+ *
2171
+ * Scalar recoding may use a parity trick that makes us compute -m * P,
2172
+ * if that is the case we'll need to recover m * P at the end.
2173
+ */
2174
+ static int ecp_mul_comb_after_precomp(const mbedtls_ecp_group *grp,
2175
+ mbedtls_ecp_point *R,
2176
+ const mbedtls_mpi *m,
2177
+ const mbedtls_ecp_point *T,
2178
+ unsigned char T_size,
2179
+ unsigned char w,
2180
+ size_t d,
2181
+ int (*f_rng)(void *, unsigned char *, size_t),
2182
+ void *p_rng,
2183
+ mbedtls_ecp_restart_ctx *rs_ctx)
2184
+ {
2185
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2186
+ unsigned char parity_trick;
2187
+ unsigned char k[COMB_MAX_D + 1];
2188
+ mbedtls_ecp_point *RR = R;
2189
+
2190
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2191
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
2192
+ RR = &rs_ctx->rsm->R;
2193
+
2194
+ if (rs_ctx->rsm->state == ecp_rsm_final_norm) {
2195
+ goto final_norm;
2196
+ }
2197
+ }
2198
+ #endif
2199
+
2200
+ MBEDTLS_MPI_CHK(ecp_comb_recode_scalar(grp, m, k, d, w,
2201
+ &parity_trick));
2202
+ MBEDTLS_MPI_CHK(ecp_mul_comb_core(grp, RR, T, T_size, k, d,
2203
+ f_rng, p_rng, rs_ctx));
2204
+ MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, RR, parity_trick));
2205
+
2206
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2207
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
2208
+ rs_ctx->rsm->state = ecp_rsm_final_norm;
2209
+ }
2210
+
2211
+ final_norm:
2212
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
2213
+ #endif
2214
+ /*
2215
+ * Knowledge of the jacobian coordinates may leak the last few bits of the
2216
+ * scalar [1], and since our MPI implementation isn't constant-flow,
2217
+ * inversion (used for coordinate normalization) may leak the full value
2218
+ * of its input via side-channels [2].
2219
+ *
2220
+ * [1] https://eprint.iacr.org/2003/191
2221
+ * [2] https://eprint.iacr.org/2020/055
2222
+ *
2223
+ * Avoid the leak by randomizing coordinates before we normalize them.
2224
+ */
2225
+ if (f_rng != 0) {
2226
+ MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, RR, f_rng, p_rng));
2227
+ }
2228
+
2229
+ MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, RR));
2230
+
2231
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2232
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
2233
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, RR));
2234
+ }
2235
+ #endif
2236
+
2237
+ cleanup:
2238
+ return ret;
2239
+ }
2240
+
2241
+ /*
2242
+ * Pick window size based on curve size and whether we optimize for base point
2243
+ */
2244
+ static unsigned char ecp_pick_window_size(const mbedtls_ecp_group *grp,
2245
+ unsigned char p_eq_g)
2246
+ {
2247
+ unsigned char w;
2248
+
2249
+ /*
2250
+ * Minimize the number of multiplications, that is minimize
2251
+ * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
2252
+ * (see costs of the various parts, with 1S = 1M)
2253
+ */
2254
+ w = grp->nbits >= 384 ? 5 : 4;
2255
+
2256
+ /*
2257
+ * If P == G, pre-compute a bit more, since this may be re-used later.
2258
+ * Just adding one avoids upping the cost of the first mul too much,
2259
+ * and the memory cost too.
2260
+ */
2261
+ if (p_eq_g) {
2262
+ w++;
2263
+ }
2264
+
2265
+ /*
2266
+ * If static comb table may not be used (!p_eq_g) or static comb table does
2267
+ * not exists, make sure w is within bounds.
2268
+ * (The last test is useful only for very small curves in the test suite.)
2269
+ *
2270
+ * The user reduces MBEDTLS_ECP_WINDOW_SIZE does not changes the size of
2271
+ * static comb table, because the size of static comb table is fixed when
2272
+ * it is generated.
2273
+ */
2274
+ #if (MBEDTLS_ECP_WINDOW_SIZE < 6)
2275
+ if ((!p_eq_g || !ecp_group_is_static_comb_table(grp)) && w > MBEDTLS_ECP_WINDOW_SIZE) {
2276
+ w = MBEDTLS_ECP_WINDOW_SIZE;
2277
+ }
2278
+ #endif
2279
+ if (w >= grp->nbits) {
2280
+ w = 2;
2281
+ }
2282
+
2283
+ return w;
2284
+ }
2285
+
2286
+ /*
2287
+ * Multiplication using the comb method - for curves in short Weierstrass form
2288
+ *
2289
+ * This function is mainly responsible for administrative work:
2290
+ * - managing the restart context if enabled
2291
+ * - managing the table of precomputed points (passed between the below two
2292
+ * functions): allocation, computation, ownership transfer, freeing.
2293
+ *
2294
+ * It delegates the actual arithmetic work to:
2295
+ * ecp_precompute_comb() and ecp_mul_comb_with_precomp()
2296
+ *
2297
+ * See comments on ecp_comb_recode_core() regarding the computation strategy.
2298
+ */
2299
+ static int ecp_mul_comb(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2300
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2301
+ int (*f_rng)(void *, unsigned char *, size_t),
2302
+ void *p_rng,
2303
+ mbedtls_ecp_restart_ctx *rs_ctx)
2304
+ {
2305
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2306
+ unsigned char w, p_eq_g, i;
2307
+ size_t d;
2308
+ unsigned char T_size = 0, T_ok = 0;
2309
+ mbedtls_ecp_point *T = NULL;
2310
+
2311
+ ECP_RS_ENTER(rsm);
2312
+
2313
+ /* Is P the base point ? */
2314
+ #if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
2315
+ p_eq_g = (MPI_ECP_CMP(&P->Y, &grp->G.Y) == 0 &&
2316
+ MPI_ECP_CMP(&P->X, &grp->G.X) == 0);
2317
+ #else
2318
+ p_eq_g = 0;
2319
+ #endif
2320
+
2321
+ /* Pick window size and deduce related sizes */
2322
+ w = ecp_pick_window_size(grp, p_eq_g);
2323
+ T_size = 1U << (w - 1);
2324
+ d = (grp->nbits + w - 1) / w;
2325
+
2326
+ /* Pre-computed table: do we have it already for the base point? */
2327
+ if (p_eq_g && grp->T != NULL) {
2328
+ /* second pointer to the same table, will be deleted on exit */
2329
+ T = grp->T;
2330
+ T_ok = 1;
2331
+ } else
2332
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2333
+ /* Pre-computed table: do we have one in progress? complete? */
2334
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->T != NULL) {
2335
+ /* transfer ownership of T from rsm to local function */
2336
+ T = rs_ctx->rsm->T;
2337
+ rs_ctx->rsm->T = NULL;
2338
+ rs_ctx->rsm->T_size = 0;
2339
+
2340
+ /* This effectively jumps to the call to mul_comb_after_precomp() */
2341
+ T_ok = rs_ctx->rsm->state >= ecp_rsm_comb_core;
2342
+ } else
2343
+ #endif
2344
+ /* Allocate table if we didn't have any */
2345
+ {
2346
+ T = mbedtls_calloc(T_size, sizeof(mbedtls_ecp_point));
2347
+ if (T == NULL) {
2348
+ ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
2349
+ goto cleanup;
2350
+ }
2351
+
2352
+ for (i = 0; i < T_size; i++) {
2353
+ mbedtls_ecp_point_init(&T[i]);
2354
+ }
2355
+
2356
+ T_ok = 0;
2357
+ }
2358
+
2359
+ /* Compute table (or finish computing it) if not done already */
2360
+ if (!T_ok) {
2361
+ MBEDTLS_MPI_CHK(ecp_precompute_comb(grp, T, P, w, d, rs_ctx));
2362
+
2363
+ if (p_eq_g) {
2364
+ /* almost transfer ownership of T to the group, but keep a copy of
2365
+ * the pointer to use for calling the next function more easily */
2366
+ grp->T = T;
2367
+ grp->T_size = T_size;
2368
+ }
2369
+ }
2370
+
2371
+ /* Actual comb multiplication using precomputed points */
2372
+ MBEDTLS_MPI_CHK(ecp_mul_comb_after_precomp(grp, R, m,
2373
+ T, T_size, w, d,
2374
+ f_rng, p_rng, rs_ctx));
2375
+
2376
+ cleanup:
2377
+
2378
+ /* does T belong to the group? */
2379
+ if (T == grp->T) {
2380
+ T = NULL;
2381
+ }
2382
+
2383
+ /* does T belong to the restart context? */
2384
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2385
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS && T != NULL) {
2386
+ /* transfer ownership of T from local function to rsm */
2387
+ rs_ctx->rsm->T_size = T_size;
2388
+ rs_ctx->rsm->T = T;
2389
+ T = NULL;
2390
+ }
2391
+ #endif
2392
+
2393
+ /* did T belong to us? then let's destroy it! */
2394
+ if (T != NULL) {
2395
+ for (i = 0; i < T_size; i++) {
2396
+ mbedtls_ecp_point_free(&T[i]);
2397
+ }
2398
+ mbedtls_free(T);
2399
+ }
2400
+
2401
+ /* prevent caller from using invalid value */
2402
+ int should_free_R = (ret != 0);
2403
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2404
+ /* don't free R while in progress in case R == P */
2405
+ if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2406
+ should_free_R = 0;
2407
+ }
2408
+ #endif
2409
+ if (should_free_R) {
2410
+ mbedtls_ecp_point_free(R);
2411
+ }
2412
+
2413
+ ECP_RS_LEAVE(rsm);
2414
+
2415
+ return ret;
2416
+ }
2417
+
2418
+ #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
2419
+
2420
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
2421
+ /*
2422
+ * For Montgomery curves, we do all the internal arithmetic in projective
2423
+ * coordinates. Import/export of points uses only the x coordinates, which is
2424
+ * internally represented as X / Z.
2425
+ *
2426
+ * For scalar multiplication, we'll use a Montgomery ladder.
2427
+ */
2428
+
2429
+ /*
2430
+ * Normalize Montgomery x/z coordinates: X = X/Z, Z = 1
2431
+ * Cost: 1M + 1I
2432
+ */
2433
+ static int ecp_normalize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P)
2434
+ {
2435
+ #if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
2436
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
2437
+ return mbedtls_internal_ecp_normalize_mxz(grp, P);
2438
+ }
2439
+ #endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
2440
+
2441
+ #if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
2442
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
2443
+ #else
2444
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2445
+ MPI_ECP_INV(&P->Z, &P->Z);
2446
+ MPI_ECP_MUL(&P->X, &P->X, &P->Z);
2447
+ MPI_ECP_LSET(&P->Z, 1);
2448
+
2449
+ cleanup:
2450
+ return ret;
2451
+ #endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) */
2452
+ }
2453
+
2454
+ /*
2455
+ * Randomize projective x/z coordinates:
2456
+ * (X, Z) -> (l X, l Z) for random l
2457
+ * This is sort of the reverse operation of ecp_normalize_mxz().
2458
+ *
2459
+ * This countermeasure was first suggested in [2].
2460
+ * Cost: 2M
2461
+ */
2462
+ static int ecp_randomize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
2463
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
2464
+ {
2465
+ #if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
2466
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
2467
+ return mbedtls_internal_ecp_randomize_mxz(grp, P, f_rng, p_rng);
2468
+ }
2469
+ #endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
2470
+
2471
+ #if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
2472
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
2473
+ #else
2474
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2475
+ mbedtls_mpi l;
2476
+ mbedtls_mpi_init(&l);
2477
+
2478
+ /* Generate l such that 1 < l < p */
2479
+ MPI_ECP_RAND(&l);
2480
+
2481
+ MPI_ECP_MUL(&P->X, &P->X, &l);
2482
+ MPI_ECP_MUL(&P->Z, &P->Z, &l);
2483
+
2484
+ cleanup:
2485
+ mbedtls_mpi_free(&l);
2486
+
2487
+ if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
2488
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
2489
+ }
2490
+ return ret;
2491
+ #endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) */
2492
+ }
2493
+
2494
+ /*
2495
+ * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
2496
+ * for Montgomery curves in x/z coordinates.
2497
+ *
2498
+ * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
2499
+ * with
2500
+ * d = X1
2501
+ * P = (X2, Z2)
2502
+ * Q = (X3, Z3)
2503
+ * R = (X4, Z4)
2504
+ * S = (X5, Z5)
2505
+ * and eliminating temporary variables tO, ..., t4.
2506
+ *
2507
+ * Cost: 5M + 4S
2508
+ */
2509
+ static int ecp_double_add_mxz(const mbedtls_ecp_group *grp,
2510
+ mbedtls_ecp_point *R, mbedtls_ecp_point *S,
2511
+ const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
2512
+ const mbedtls_mpi *d,
2513
+ mbedtls_mpi T[4])
2514
+ {
2515
+ #if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
2516
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
2517
+ return mbedtls_internal_ecp_double_add_mxz(grp, R, S, P, Q, d);
2518
+ }
2519
+ #endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
2520
+
2521
+ #if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
2522
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
2523
+ #else
2524
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2525
+
2526
+ MPI_ECP_ADD(&T[0], &P->X, &P->Z); /* Pp := PX + PZ */
2527
+ MPI_ECP_SUB(&T[1], &P->X, &P->Z); /* Pm := PX - PZ */
2528
+ MPI_ECP_ADD(&T[2], &Q->X, &Q->Z); /* Qp := QX + XZ */
2529
+ MPI_ECP_SUB(&T[3], &Q->X, &Q->Z); /* Qm := QX - QZ */
2530
+ MPI_ECP_MUL(&T[3], &T[3], &T[0]); /* Qm * Pp */
2531
+ MPI_ECP_MUL(&T[2], &T[2], &T[1]); /* Qp * Pm */
2532
+ MPI_ECP_SQR(&T[0], &T[0]); /* Pp^2 */
2533
+ MPI_ECP_SQR(&T[1], &T[1]); /* Pm^2 */
2534
+ MPI_ECP_MUL(&R->X, &T[0], &T[1]); /* Pp^2 * Pm^2 */
2535
+ MPI_ECP_SUB(&T[0], &T[0], &T[1]); /* Pp^2 - Pm^2 */
2536
+ MPI_ECP_MUL(&R->Z, &grp->A, &T[0]); /* A * (Pp^2 - Pm^2) */
2537
+ MPI_ECP_ADD(&R->Z, &T[1], &R->Z); /* [ A * (Pp^2-Pm^2) ] + Pm^2 */
2538
+ MPI_ECP_ADD(&S->X, &T[3], &T[2]); /* Qm*Pp + Qp*Pm */
2539
+ MPI_ECP_SQR(&S->X, &S->X); /* (Qm*Pp + Qp*Pm)^2 */
2540
+ MPI_ECP_SUB(&S->Z, &T[3], &T[2]); /* Qm*Pp - Qp*Pm */
2541
+ MPI_ECP_SQR(&S->Z, &S->Z); /* (Qm*Pp - Qp*Pm)^2 */
2542
+ MPI_ECP_MUL(&S->Z, d, &S->Z); /* d * ( Qm*Pp - Qp*Pm )^2 */
2543
+ MPI_ECP_MUL(&R->Z, &T[0], &R->Z); /* [A*(Pp^2-Pm^2)+Pm^2]*(Pp^2-Pm^2) */
2544
+
2545
+ cleanup:
2546
+
2547
+ return ret;
2548
+ #endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) */
2549
+ }
2550
+
2551
+ /*
2552
+ * Multiplication with Montgomery ladder in x/z coordinates,
2553
+ * for curves in Montgomery form
2554
+ */
2555
+ static int ecp_mul_mxz(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2556
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2557
+ int (*f_rng)(void *, unsigned char *, size_t),
2558
+ void *p_rng)
2559
+ {
2560
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2561
+ size_t i;
2562
+ unsigned char b;
2563
+ mbedtls_ecp_point RP;
2564
+ mbedtls_mpi PX;
2565
+ mbedtls_mpi tmp[4];
2566
+ mbedtls_ecp_point_init(&RP); mbedtls_mpi_init(&PX);
2567
+
2568
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2569
+
2570
+ if (f_rng == NULL) {
2571
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2572
+ }
2573
+
2574
+ /* Save PX and read from P before writing to R, in case P == R */
2575
+ MPI_ECP_MOV(&PX, &P->X);
2576
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&RP, P));
2577
+
2578
+ /* Set R to zero in modified x/z coordinates */
2579
+ MPI_ECP_LSET(&R->X, 1);
2580
+ MPI_ECP_LSET(&R->Z, 0);
2581
+ mbedtls_mpi_free(&R->Y);
2582
+
2583
+ /* RP.X might be slightly larger than P, so reduce it */
2584
+ MOD_ADD(&RP.X);
2585
+
2586
+ /* Randomize coordinates of the starting point */
2587
+ MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, &RP, f_rng, p_rng));
2588
+
2589
+ /* Loop invariant: R = result so far, RP = R + P */
2590
+ i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */
2591
+ while (i-- > 0) {
2592
+ b = mbedtls_mpi_get_bit(m, i);
2593
+ /*
2594
+ * if (b) R = 2R + P else R = 2R,
2595
+ * which is:
2596
+ * if (b) double_add( RP, R, RP, R )
2597
+ * else double_add( R, RP, R, RP )
2598
+ * but using safe conditional swaps to avoid leaks
2599
+ */
2600
+ MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
2601
+ MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
2602
+ MBEDTLS_MPI_CHK(ecp_double_add_mxz(grp, R, &RP, R, &RP, &PX, tmp));
2603
+ MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
2604
+ MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
2605
+ }
2606
+
2607
+ /*
2608
+ * Knowledge of the projective coordinates may leak the last few bits of the
2609
+ * scalar [1], and since our MPI implementation isn't constant-flow,
2610
+ * inversion (used for coordinate normalization) may leak the full value
2611
+ * of its input via side-channels [2].
2612
+ *
2613
+ * [1] https://eprint.iacr.org/2003/191
2614
+ * [2] https://eprint.iacr.org/2020/055
2615
+ *
2616
+ * Avoid the leak by randomizing coordinates before we normalize them.
2617
+ */
2618
+ MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, R, f_rng, p_rng));
2619
+ MBEDTLS_MPI_CHK(ecp_normalize_mxz(grp, R));
2620
+
2621
+ cleanup:
2622
+ mbedtls_ecp_point_free(&RP); mbedtls_mpi_free(&PX);
2623
+
2624
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2625
+ return ret;
2626
+ }
2627
+
2628
+ #endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
2629
+
2630
+ /*
2631
+ * Restartable multiplication R = m * P
2632
+ *
2633
+ * This internal function can be called without an RNG in case where we know
2634
+ * the inputs are not sensitive.
2635
+ */
2636
+ static int ecp_mul_restartable_internal(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2637
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2638
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
2639
+ mbedtls_ecp_restart_ctx *rs_ctx)
2640
+ {
2641
+ int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2642
+ #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2643
+ char is_grp_capable = 0;
2644
+ #endif
2645
+
2646
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2647
+ /* reset ops count for this call if top-level */
2648
+ if (rs_ctx != NULL && rs_ctx->depth++ == 0) {
2649
+ rs_ctx->ops_done = 0;
2650
+ }
2651
+ #else
2652
+ (void) rs_ctx;
2653
+ #endif
2654
+
2655
+ #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2656
+ if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) {
2657
+ MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
2658
+ }
2659
+ #endif /* MBEDTLS_ECP_INTERNAL_ALT */
2660
+
2661
+ int restarting = 0;
2662
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2663
+ restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL);
2664
+ #endif
2665
+ /* skip argument check when restarting */
2666
+ if (!restarting) {
2667
+ /* check_privkey is free */
2668
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_CHK);
2669
+
2670
+ /* Common sanity checks */
2671
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(grp, m));
2672
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
2673
+ }
2674
+
2675
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2676
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
2677
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
2678
+ MBEDTLS_MPI_CHK(ecp_mul_mxz(grp, R, m, P, f_rng, p_rng));
2679
+ }
2680
+ #endif
2681
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
2682
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
2683
+ MBEDTLS_MPI_CHK(ecp_mul_comb(grp, R, m, P, f_rng, p_rng, rs_ctx));
2684
+ }
2685
+ #endif
2686
+
2687
+ cleanup:
2688
+
2689
+ #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2690
+ if (is_grp_capable) {
2691
+ mbedtls_internal_ecp_free(grp);
2692
+ }
2693
+ #endif /* MBEDTLS_ECP_INTERNAL_ALT */
2694
+
2695
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2696
+ if (rs_ctx != NULL) {
2697
+ rs_ctx->depth--;
2698
+ }
2699
+ #endif
2700
+
2701
+ return ret;
2702
+ }
2703
+
2704
+ /*
2705
+ * Restartable multiplication R = m * P
2706
+ */
2707
+ int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2708
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2709
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
2710
+ mbedtls_ecp_restart_ctx *rs_ctx)
2711
+ {
2712
+ if (f_rng == NULL) {
2713
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2714
+ }
2715
+
2716
+ return ecp_mul_restartable_internal(grp, R, m, P, f_rng, p_rng, rs_ctx);
2717
+ }
2718
+
2719
+ /*
2720
+ * Multiplication R = m * P
2721
+ */
2722
+ int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2723
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2724
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
2725
+ {
2726
+ return mbedtls_ecp_mul_restartable(grp, R, m, P, f_rng, p_rng, NULL);
2727
+ }
2728
+ #endif /* MBEDTLS_ECP_C */
2729
+
2730
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
2731
+ /*
2732
+ * Check that an affine point is valid as a public key,
2733
+ * short weierstrass curves (SEC1 3.2.3.1)
2734
+ */
2735
+ static int ecp_check_pubkey_sw(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
2736
+ {
2737
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2738
+ mbedtls_mpi YY, RHS;
2739
+
2740
+ /* pt coordinates must be normalized for our checks */
2741
+ if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0 ||
2742
+ mbedtls_mpi_cmp_int(&pt->Y, 0) < 0 ||
2743
+ mbedtls_mpi_cmp_mpi(&pt->X, &grp->P) >= 0 ||
2744
+ mbedtls_mpi_cmp_mpi(&pt->Y, &grp->P) >= 0) {
2745
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
2746
+ }
2747
+
2748
+ mbedtls_mpi_init(&YY); mbedtls_mpi_init(&RHS);
2749
+
2750
+ /*
2751
+ * YY = Y^2
2752
+ * RHS = X^3 + A X + B
2753
+ */
2754
+ MPI_ECP_SQR(&YY, &pt->Y);
2755
+ MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, &RHS, &pt->X));
2756
+
2757
+ if (MPI_ECP_CMP(&YY, &RHS) != 0) {
2758
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
2759
+ }
2760
+
2761
+ cleanup:
2762
+
2763
+ mbedtls_mpi_free(&YY); mbedtls_mpi_free(&RHS);
2764
+
2765
+ return ret;
2766
+ }
2767
+ #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
2768
+
2769
+ #if defined(MBEDTLS_ECP_C)
2770
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
2771
+ /*
2772
+ * R = m * P with shortcuts for m == 0, m == 1 and m == -1
2773
+ * NOT constant-time - ONLY for short Weierstrass!
2774
+ */
2775
+ static int mbedtls_ecp_mul_shortcuts(mbedtls_ecp_group *grp,
2776
+ mbedtls_ecp_point *R,
2777
+ const mbedtls_mpi *m,
2778
+ const mbedtls_ecp_point *P,
2779
+ mbedtls_ecp_restart_ctx *rs_ctx)
2780
+ {
2781
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2782
+ mbedtls_mpi tmp;
2783
+ mbedtls_mpi_init(&tmp);
2784
+
2785
+ if (mbedtls_mpi_cmp_int(m, 0) == 0) {
2786
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
2787
+ MBEDTLS_MPI_CHK(mbedtls_ecp_set_zero(R));
2788
+ } else if (mbedtls_mpi_cmp_int(m, 1) == 0) {
2789
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
2790
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
2791
+ } else if (mbedtls_mpi_cmp_int(m, -1) == 0) {
2792
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
2793
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
2794
+ MPI_ECP_NEG(&R->Y);
2795
+ } else {
2796
+ MBEDTLS_MPI_CHK(ecp_mul_restartable_internal(grp, R, m, P,
2797
+ NULL, NULL, rs_ctx));
2798
+ }
2799
+
2800
+ cleanup:
2801
+ mbedtls_mpi_free(&tmp);
2802
+
2803
+ return ret;
2804
+ }
2805
+
2806
+ /*
2807
+ * Restartable linear combination
2808
+ * NOT constant-time
2809
+ */
2810
+ int mbedtls_ecp_muladd_restartable(
2811
+ mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2812
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2813
+ const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
2814
+ mbedtls_ecp_restart_ctx *rs_ctx)
2815
+ {
2816
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2817
+ mbedtls_ecp_point mP;
2818
+ mbedtls_ecp_point *pmP = &mP;
2819
+ mbedtls_ecp_point *pR = R;
2820
+ mbedtls_mpi tmp[4];
2821
+ #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2822
+ char is_grp_capable = 0;
2823
+ #endif
2824
+ if (mbedtls_ecp_get_type(grp) != MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
2825
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
2826
+ }
2827
+
2828
+ mbedtls_ecp_point_init(&mP);
2829
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2830
+
2831
+ ECP_RS_ENTER(ma);
2832
+
2833
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2834
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
2835
+ /* redirect intermediate results to restart context */
2836
+ pmP = &rs_ctx->ma->mP;
2837
+ pR = &rs_ctx->ma->R;
2838
+
2839
+ /* jump to next operation */
2840
+ if (rs_ctx->ma->state == ecp_rsma_mul2) {
2841
+ goto mul2;
2842
+ }
2843
+ if (rs_ctx->ma->state == ecp_rsma_add) {
2844
+ goto add;
2845
+ }
2846
+ if (rs_ctx->ma->state == ecp_rsma_norm) {
2847
+ goto norm;
2848
+ }
2849
+ }
2850
+ #endif /* MBEDTLS_ECP_RESTARTABLE */
2851
+
2852
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pmP, m, P, rs_ctx));
2853
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2854
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
2855
+ rs_ctx->ma->state = ecp_rsma_mul2;
2856
+ }
2857
+
2858
+ mul2:
2859
+ #endif
2860
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pR, n, Q, rs_ctx));
2861
+
2862
+ #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2863
+ if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) {
2864
+ MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
2865
+ }
2866
+ #endif /* MBEDTLS_ECP_INTERNAL_ALT */
2867
+
2868
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2869
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
2870
+ rs_ctx->ma->state = ecp_rsma_add;
2871
+ }
2872
+
2873
+ add:
2874
+ #endif
2875
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_ADD);
2876
+ MBEDTLS_MPI_CHK(ecp_add_mixed(grp, pR, pmP, pR, tmp));
2877
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2878
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
2879
+ rs_ctx->ma->state = ecp_rsma_norm;
2880
+ }
2881
+
2882
+ norm:
2883
+ #endif
2884
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
2885
+ MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, pR));
2886
+
2887
+ #if defined(MBEDTLS_ECP_RESTARTABLE)
2888
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
2889
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, pR));
2890
+ }
2891
+ #endif
2892
+
2893
+ cleanup:
2894
+
2895
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
2896
+
2897
+ #if defined(MBEDTLS_ECP_INTERNAL_ALT)
2898
+ if (is_grp_capable) {
2899
+ mbedtls_internal_ecp_free(grp);
2900
+ }
2901
+ #endif /* MBEDTLS_ECP_INTERNAL_ALT */
2902
+
2903
+ mbedtls_ecp_point_free(&mP);
2904
+
2905
+ ECP_RS_LEAVE(ma);
2906
+
2907
+ return ret;
2908
+ }
2909
+
2910
+ /*
2911
+ * Linear combination
2912
+ * NOT constant-time
2913
+ */
2914
+ int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
2915
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
2916
+ const mbedtls_mpi *n, const mbedtls_ecp_point *Q)
2917
+ {
2918
+ return mbedtls_ecp_muladd_restartable(grp, R, m, P, n, Q, NULL);
2919
+ }
2920
+ #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
2921
+ #endif /* MBEDTLS_ECP_C */
2922
+
2923
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
2924
+ #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
2925
+ #define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
2926
+ #define ECP_MPI_INIT_ARRAY(x) \
2927
+ ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
2928
+ /*
2929
+ * Constants for the two points other than 0, 1, -1 (mod p) in
2930
+ * https://cr.yp.to/ecdh.html#validate
2931
+ * See ecp_check_pubkey_x25519().
2932
+ */
2933
+ static const mbedtls_mpi_uint x25519_bad_point_1[] = {
2934
+ MBEDTLS_BYTES_TO_T_UINT_8(0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae),
2935
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a),
2936
+ MBEDTLS_BYTES_TO_T_UINT_8(0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd),
2937
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00),
2938
+ };
2939
+ static const mbedtls_mpi_uint x25519_bad_point_2[] = {
2940
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24),
2941
+ MBEDTLS_BYTES_TO_T_UINT_8(0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b),
2942
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86),
2943
+ MBEDTLS_BYTES_TO_T_UINT_8(0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57),
2944
+ };
2945
+ static const mbedtls_mpi ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY(
2946
+ x25519_bad_point_1);
2947
+ static const mbedtls_mpi ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY(
2948
+ x25519_bad_point_2);
2949
+ #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
2950
+
2951
+ /*
2952
+ * Check that the input point is not one of the low-order points.
2953
+ * This is recommended by the "May the Fourth" paper:
2954
+ * https://eprint.iacr.org/2017/806.pdf
2955
+ * Those points are never sent by an honest peer.
2956
+ */
2957
+ static int ecp_check_bad_points_mx(const mbedtls_mpi *X, const mbedtls_mpi *P,
2958
+ const mbedtls_ecp_group_id grp_id)
2959
+ {
2960
+ int ret;
2961
+ mbedtls_mpi XmP;
2962
+
2963
+ mbedtls_mpi_init(&XmP);
2964
+
2965
+ /* Reduce X mod P so that we only need to check values less than P.
2966
+ * We know X < 2^256 so we can proceed by subtraction. */
2967
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&XmP, X));
2968
+ while (mbedtls_mpi_cmp_mpi(&XmP, P) >= 0) {
2969
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&XmP, &XmP, P));
2970
+ }
2971
+
2972
+ /* Check against the known bad values that are less than P. For Curve448
2973
+ * these are 0, 1 and -1. For Curve25519 we check the values less than P
2974
+ * from the following list: https://cr.yp.to/ecdh.html#validate */
2975
+ if (mbedtls_mpi_cmp_int(&XmP, 1) <= 0) { /* takes care of 0 and 1 */
2976
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
2977
+ goto cleanup;
2978
+ }
2979
+
2980
+ #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
2981
+ if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
2982
+ if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_1) == 0) {
2983
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
2984
+ goto cleanup;
2985
+ }
2986
+
2987
+ if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_2) == 0) {
2988
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
2989
+ goto cleanup;
2990
+ }
2991
+ }
2992
+ #else
2993
+ (void) grp_id;
2994
+ #endif
2995
+
2996
+ /* Final check: check if XmP + 1 is P (final because it changes XmP!) */
2997
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&XmP, &XmP, 1));
2998
+ if (mbedtls_mpi_cmp_mpi(&XmP, P) == 0) {
2999
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
3000
+ goto cleanup;
3001
+ }
3002
+
3003
+ ret = 0;
3004
+
3005
+ cleanup:
3006
+ mbedtls_mpi_free(&XmP);
3007
+
3008
+ return ret;
3009
+ }
3010
+
3011
+ /*
3012
+ * Check validity of a public key for Montgomery curves with x-only schemes
3013
+ */
3014
+ static int ecp_check_pubkey_mx(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
3015
+ {
3016
+ /* [Curve25519 p. 5] Just check X is the correct number of bytes */
3017
+ /* Allow any public value, if it's too big then we'll just reduce it mod p
3018
+ * (RFC 7748 sec. 5 para. 3). */
3019
+ if (mbedtls_mpi_size(&pt->X) > (grp->nbits + 7) / 8) {
3020
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
3021
+ }
3022
+
3023
+ /* Implicit in all standards (as they don't consider negative numbers):
3024
+ * X must be non-negative. This is normally ensured by the way it's
3025
+ * encoded for transmission, but let's be extra sure. */
3026
+ if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0) {
3027
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
3028
+ }
3029
+
3030
+ return ecp_check_bad_points_mx(&pt->X, &grp->P, grp->id);
3031
+ }
3032
+ #endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3033
+
3034
+ /*
3035
+ * Check that a point is valid as a public key
3036
+ */
3037
+ int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp,
3038
+ const mbedtls_ecp_point *pt)
3039
+ {
3040
+ /* Must use affine coordinates */
3041
+ if (mbedtls_mpi_cmp_int(&pt->Z, 1) != 0) {
3042
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
3043
+ }
3044
+
3045
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3046
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
3047
+ return ecp_check_pubkey_mx(grp, pt);
3048
+ }
3049
+ #endif
3050
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3051
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
3052
+ return ecp_check_pubkey_sw(grp, pt);
3053
+ }
3054
+ #endif
3055
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3056
+ }
3057
+
3058
+ /*
3059
+ * Check that an mbedtls_mpi is valid as a private key
3060
+ */
3061
+ int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
3062
+ const mbedtls_mpi *d)
3063
+ {
3064
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3065
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
3066
+ /* see RFC 7748 sec. 5 para. 5 */
3067
+ if (mbedtls_mpi_get_bit(d, 0) != 0 ||
3068
+ mbedtls_mpi_get_bit(d, 1) != 0 ||
3069
+ mbedtls_mpi_bitlen(d) - 1 != grp->nbits) { /* mbedtls_mpi_bitlen is one-based! */
3070
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
3071
+ }
3072
+
3073
+ /* see [Curve25519] page 5 */
3074
+ if (grp->nbits == 254 && mbedtls_mpi_get_bit(d, 2) != 0) {
3075
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
3076
+ }
3077
+
3078
+ return 0;
3079
+ }
3080
+ #endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3081
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3082
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
3083
+ /* see SEC1 3.2 */
3084
+ if (mbedtls_mpi_cmp_int(d, 1) < 0 ||
3085
+ mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0) {
3086
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
3087
+ } else {
3088
+ return 0;
3089
+ }
3090
+ }
3091
+ #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
3092
+
3093
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3094
+ }
3095
+
3096
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3097
+ MBEDTLS_STATIC_TESTABLE
3098
+ int mbedtls_ecp_gen_privkey_mx(size_t high_bit,
3099
+ mbedtls_mpi *d,
3100
+ int (*f_rng)(void *, unsigned char *, size_t),
3101
+ void *p_rng)
3102
+ {
3103
+ int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3104
+ size_t n_random_bytes = high_bit / 8 + 1;
3105
+
3106
+ /* [Curve25519] page 5 */
3107
+ /* Generate a (high_bit+1)-bit random number by generating just enough
3108
+ * random bytes, then shifting out extra bits from the top (necessary
3109
+ * when (high_bit+1) is not a multiple of 8). */
3110
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(d, n_random_bytes,
3111
+ f_rng, p_rng));
3112
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(d, 8 * n_random_bytes - high_bit - 1));
3113
+
3114
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, high_bit, 1));
3115
+
3116
+ /* Make sure the last two bits are unset for Curve448, three bits for
3117
+ Curve25519 */
3118
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 0, 0));
3119
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 1, 0));
3120
+ if (high_bit == 254) {
3121
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 2, 0));
3122
+ }
3123
+
3124
+ cleanup:
3125
+ return ret;
3126
+ }
3127
+ #endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3128
+
3129
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3130
+ static int mbedtls_ecp_gen_privkey_sw(
3131
+ const mbedtls_mpi *N, mbedtls_mpi *d,
3132
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
3133
+ {
3134
+ int ret = mbedtls_mpi_random(d, 1, N, f_rng, p_rng);
3135
+ switch (ret) {
3136
+ case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
3137
+ return MBEDTLS_ERR_ECP_RANDOM_FAILED;
3138
+ default:
3139
+ return ret;
3140
+ }
3141
+ }
3142
+ #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
3143
+
3144
+ /*
3145
+ * Generate a private key
3146
+ */
3147
+ int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
3148
+ mbedtls_mpi *d,
3149
+ int (*f_rng)(void *, unsigned char *, size_t),
3150
+ void *p_rng)
3151
+ {
3152
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3153
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
3154
+ return mbedtls_ecp_gen_privkey_mx(grp->nbits, d, f_rng, p_rng);
3155
+ }
3156
+ #endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3157
+
3158
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3159
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
3160
+ return mbedtls_ecp_gen_privkey_sw(&grp->N, d, f_rng, p_rng);
3161
+ }
3162
+ #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
3163
+
3164
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3165
+ }
3166
+
3167
+ #if defined(MBEDTLS_ECP_C)
3168
+ /*
3169
+ * Generate a keypair with configurable base point
3170
+ */
3171
+ int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
3172
+ const mbedtls_ecp_point *G,
3173
+ mbedtls_mpi *d, mbedtls_ecp_point *Q,
3174
+ int (*f_rng)(void *, unsigned char *, size_t),
3175
+ void *p_rng)
3176
+ {
3177
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3178
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
3179
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, Q, d, G, f_rng, p_rng));
3180
+
3181
+ cleanup:
3182
+ return ret;
3183
+ }
3184
+
3185
+ /*
3186
+ * Generate key pair, wrapper for conventional base point
3187
+ */
3188
+ int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp,
3189
+ mbedtls_mpi *d, mbedtls_ecp_point *Q,
3190
+ int (*f_rng)(void *, unsigned char *, size_t),
3191
+ void *p_rng)
3192
+ {
3193
+ return mbedtls_ecp_gen_keypair_base(grp, &grp->G, d, Q, f_rng, p_rng);
3194
+ }
3195
+
3196
+ /*
3197
+ * Generate a keypair, prettier wrapper
3198
+ */
3199
+ int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
3200
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
3201
+ {
3202
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3203
+ if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
3204
+ return ret;
3205
+ }
3206
+
3207
+ return mbedtls_ecp_gen_keypair(&key->grp, &key->d, &key->Q, f_rng, p_rng);
3208
+ }
3209
+ #endif /* MBEDTLS_ECP_C */
3210
+
3211
+ #define ECP_CURVE25519_KEY_SIZE 32
3212
+ #define ECP_CURVE448_KEY_SIZE 56
3213
+ /*
3214
+ * Read a private key.
3215
+ */
3216
+ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
3217
+ const unsigned char *buf, size_t buflen)
3218
+ {
3219
+ int ret = 0;
3220
+
3221
+ if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
3222
+ return ret;
3223
+ }
3224
+
3225
+ ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
3226
+
3227
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3228
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
3229
+ /*
3230
+ * Mask the key as mandated by RFC7748 for Curve25519 and Curve448.
3231
+ */
3232
+ if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
3233
+ if (buflen != ECP_CURVE25519_KEY_SIZE) {
3234
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
3235
+ }
3236
+
3237
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
3238
+
3239
+ /* Set the three least significant bits to 0 */
3240
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
3241
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
3242
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 2, 0));
3243
+
3244
+ /* Set the most significant bit to 0 */
3245
+ MBEDTLS_MPI_CHK(
3246
+ mbedtls_mpi_set_bit(&key->d,
3247
+ ECP_CURVE25519_KEY_SIZE * 8 - 1, 0)
3248
+ );
3249
+
3250
+ /* Set the second most significant bit to 1 */
3251
+ MBEDTLS_MPI_CHK(
3252
+ mbedtls_mpi_set_bit(&key->d,
3253
+ ECP_CURVE25519_KEY_SIZE * 8 - 2, 1)
3254
+ );
3255
+ } else if (grp_id == MBEDTLS_ECP_DP_CURVE448) {
3256
+ if (buflen != ECP_CURVE448_KEY_SIZE) {
3257
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
3258
+ }
3259
+
3260
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
3261
+
3262
+ /* Set the two least significant bits to 0 */
3263
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
3264
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
3265
+
3266
+ /* Set the most significant bit to 1 */
3267
+ MBEDTLS_MPI_CHK(
3268
+ mbedtls_mpi_set_bit(&key->d,
3269
+ ECP_CURVE448_KEY_SIZE * 8 - 1, 1)
3270
+ );
3271
+ }
3272
+ }
3273
+ #endif
3274
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3275
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
3276
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&key->d, buf, buflen));
3277
+ }
3278
+ #endif
3279
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(&key->grp, &key->d));
3280
+
3281
+ cleanup:
3282
+
3283
+ if (ret != 0) {
3284
+ mbedtls_mpi_free(&key->d);
3285
+ }
3286
+
3287
+ return ret;
3288
+ }
3289
+
3290
+ /*
3291
+ * Write a private key.
3292
+ */
3293
+ int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
3294
+ unsigned char *buf, size_t buflen)
3295
+ {
3296
+ int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
3297
+
3298
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3299
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
3300
+ if (key->grp.id == MBEDTLS_ECP_DP_CURVE25519) {
3301
+ if (buflen < ECP_CURVE25519_KEY_SIZE) {
3302
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
3303
+ }
3304
+
3305
+ } else if (key->grp.id == MBEDTLS_ECP_DP_CURVE448) {
3306
+ if (buflen < ECP_CURVE448_KEY_SIZE) {
3307
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
3308
+ }
3309
+ }
3310
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&key->d, buf, buflen));
3311
+ }
3312
+ #endif
3313
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3314
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
3315
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&key->d, buf, buflen));
3316
+ }
3317
+
3318
+ #endif
3319
+ cleanup:
3320
+
3321
+ return ret;
3322
+ }
3323
+
3324
+ #if defined(MBEDTLS_ECP_C)
3325
+ /*
3326
+ * Check a public-private key pair
3327
+ */
3328
+ int mbedtls_ecp_check_pub_priv(
3329
+ const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv,
3330
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
3331
+ {
3332
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3333
+ mbedtls_ecp_point Q;
3334
+ mbedtls_ecp_group grp;
3335
+ if (pub->grp.id == MBEDTLS_ECP_DP_NONE ||
3336
+ pub->grp.id != prv->grp.id ||
3337
+ mbedtls_mpi_cmp_mpi(&pub->Q.X, &prv->Q.X) ||
3338
+ mbedtls_mpi_cmp_mpi(&pub->Q.Y, &prv->Q.Y) ||
3339
+ mbedtls_mpi_cmp_mpi(&pub->Q.Z, &prv->Q.Z)) {
3340
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3341
+ }
3342
+
3343
+ mbedtls_ecp_point_init(&Q);
3344
+ mbedtls_ecp_group_init(&grp);
3345
+
3346
+ /* mbedtls_ecp_mul() needs a non-const group... */
3347
+ mbedtls_ecp_group_copy(&grp, &prv->grp);
3348
+
3349
+ /* Also checks d is valid */
3350
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &Q, &prv->d, &prv->grp.G, f_rng, p_rng));
3351
+
3352
+ if (mbedtls_mpi_cmp_mpi(&Q.X, &prv->Q.X) ||
3353
+ mbedtls_mpi_cmp_mpi(&Q.Y, &prv->Q.Y) ||
3354
+ mbedtls_mpi_cmp_mpi(&Q.Z, &prv->Q.Z)) {
3355
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3356
+ goto cleanup;
3357
+ }
3358
+
3359
+ cleanup:
3360
+ mbedtls_ecp_point_free(&Q);
3361
+ mbedtls_ecp_group_free(&grp);
3362
+
3363
+ return ret;
3364
+ }
3365
+ #endif /* MBEDTLS_ECP_C */
3366
+
3367
+ /*
3368
+ * Export generic key-pair parameters.
3369
+ */
3370
+ int mbedtls_ecp_export(const mbedtls_ecp_keypair *key, mbedtls_ecp_group *grp,
3371
+ mbedtls_mpi *d, mbedtls_ecp_point *Q)
3372
+ {
3373
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3374
+
3375
+ if ((ret = mbedtls_ecp_group_copy(grp, &key->grp)) != 0) {
3376
+ return ret;
3377
+ }
3378
+
3379
+ if ((ret = mbedtls_mpi_copy(d, &key->d)) != 0) {
3380
+ return ret;
3381
+ }
3382
+
3383
+ if ((ret = mbedtls_ecp_copy(Q, &key->Q)) != 0) {
3384
+ return ret;
3385
+ }
3386
+
3387
+ return 0;
3388
+ }
3389
+
3390
+ #if defined(MBEDTLS_SELF_TEST)
3391
+
3392
+ #if defined(MBEDTLS_ECP_C)
3393
+ /*
3394
+ * PRNG for test - !!!INSECURE NEVER USE IN PRODUCTION!!!
3395
+ *
3396
+ * This is the linear congruential generator from numerical recipes,
3397
+ * except we only use the low byte as the output. See
3398
+ * https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
3399
+ */
3400
+ static int self_test_rng(void *ctx, unsigned char *out, size_t len)
3401
+ {
3402
+ static uint32_t state = 42;
3403
+
3404
+ (void) ctx;
3405
+
3406
+ for (size_t i = 0; i < len; i++) {
3407
+ state = state * 1664525u + 1013904223u;
3408
+ out[i] = (unsigned char) state;
3409
+ }
3410
+
3411
+ return 0;
3412
+ }
3413
+
3414
+ /* Adjust the exponent to be a valid private point for the specified curve.
3415
+ * This is sometimes necessary because we use a single set of exponents
3416
+ * for all curves but the validity of values depends on the curve. */
3417
+ static int self_test_adjust_exponent(const mbedtls_ecp_group *grp,
3418
+ mbedtls_mpi *m)
3419
+ {
3420
+ int ret = 0;
3421
+ switch (grp->id) {
3422
+ /* If Curve25519 is available, then that's what we use for the
3423
+ * Montgomery test, so we don't need the adjustment code. */
3424
+ #if !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
3425
+ #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
3426
+ case MBEDTLS_ECP_DP_CURVE448:
3427
+ /* Move highest bit from 254 to N-1. Setting bit N-1 is
3428
+ * necessary to enforce the highest-bit-set constraint. */
3429
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, 254, 0));
3430
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, grp->nbits, 1));
3431
+ /* Copy second-highest bit from 253 to N-2. This is not
3432
+ * necessary but improves the test variety a bit. */
3433
+ MBEDTLS_MPI_CHK(
3434
+ mbedtls_mpi_set_bit(m, grp->nbits - 1,
3435
+ mbedtls_mpi_get_bit(m, 253)));
3436
+ break;
3437
+ #endif
3438
+ #endif /* ! defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) */
3439
+ default:
3440
+ /* Non-Montgomery curves and Curve25519 need no adjustment. */
3441
+ (void) grp;
3442
+ (void) m;
3443
+ goto cleanup;
3444
+ }
3445
+ cleanup:
3446
+ return ret;
3447
+ }
3448
+
3449
+ /* Calculate R = m.P for each m in exponents. Check that the number of
3450
+ * basic operations doesn't depend on the value of m. */
3451
+ static int self_test_point(int verbose,
3452
+ mbedtls_ecp_group *grp,
3453
+ mbedtls_ecp_point *R,
3454
+ mbedtls_mpi *m,
3455
+ const mbedtls_ecp_point *P,
3456
+ const char *const *exponents,
3457
+ size_t n_exponents)
3458
+ {
3459
+ int ret = 0;
3460
+ size_t i = 0;
3461
+ unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
3462
+ add_count = 0;
3463
+ dbl_count = 0;
3464
+ mul_count = 0;
3465
+
3466
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[0]));
3467
+ MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
3468
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
3469
+
3470
+ for (i = 1; i < n_exponents; i++) {
3471
+ add_c_prev = add_count;
3472
+ dbl_c_prev = dbl_count;
3473
+ mul_c_prev = mul_count;
3474
+ add_count = 0;
3475
+ dbl_count = 0;
3476
+ mul_count = 0;
3477
+
3478
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[i]));
3479
+ MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
3480
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
3481
+
3482
+ if (add_count != add_c_prev ||
3483
+ dbl_count != dbl_c_prev ||
3484
+ mul_count != mul_c_prev) {
3485
+ ret = 1;
3486
+ break;
3487
+ }
3488
+ }
3489
+
3490
+ cleanup:
3491
+ if (verbose != 0) {
3492
+ if (ret != 0) {
3493
+ mbedtls_printf("failed (%u)\n", (unsigned int) i);
3494
+ } else {
3495
+ mbedtls_printf("passed\n");
3496
+ }
3497
+ }
3498
+ return ret;
3499
+ }
3500
+ #endif /* MBEDTLS_ECP_C */
3501
+
3502
+ /*
3503
+ * Checkup routine
3504
+ */
3505
+ int mbedtls_ecp_self_test(int verbose)
3506
+ {
3507
+ #if defined(MBEDTLS_ECP_C)
3508
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3509
+ mbedtls_ecp_group grp;
3510
+ mbedtls_ecp_point R, P;
3511
+ mbedtls_mpi m;
3512
+
3513
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3514
+ /* Exponents especially adapted for secp192k1, which has the lowest
3515
+ * order n of all supported curves (secp192r1 is in a slightly larger
3516
+ * field but the order of its base point is slightly smaller). */
3517
+ const char *sw_exponents[] =
3518
+ {
3519
+ "000000000000000000000000000000000000000000000001", /* one */
3520
+ "FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8C", /* n - 1 */
3521
+ "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
3522
+ "400000000000000000000000000000000000000000000000", /* one and zeros */
3523
+ "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
3524
+ "555555555555555555555555555555555555555555555555", /* 101010... */
3525
+ };
3526
+ #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
3527
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3528
+ const char *m_exponents[] =
3529
+ {
3530
+ /* Valid private values for Curve25519. In a build with Curve448
3531
+ * but not Curve25519, they will be adjusted in
3532
+ * self_test_adjust_exponent(). */
3533
+ "4000000000000000000000000000000000000000000000000000000000000000",
3534
+ "5C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C30",
3535
+ "5715ECCE24583F7A7023C24164390586842E816D7280A49EF6DF4EAE6B280BF8",
3536
+ "41A2B017516F6D254E1F002BCCBADD54BE30F8CEC737A0E912B4963B6BA74460",
3537
+ "5555555555555555555555555555555555555555555555555555555555555550",
3538
+ "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8",
3539
+ };
3540
+ #endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3541
+
3542
+ mbedtls_ecp_group_init(&grp);
3543
+ mbedtls_ecp_point_init(&R);
3544
+ mbedtls_ecp_point_init(&P);
3545
+ mbedtls_mpi_init(&m);
3546
+
3547
+ #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
3548
+ /* Use secp192r1 if available, or any available curve */
3549
+ #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
3550
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP192R1));
3551
+ #else
3552
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, mbedtls_ecp_curve_list()->grp_id));
3553
+ #endif
3554
+
3555
+ if (verbose != 0) {
3556
+ mbedtls_printf(" ECP SW test #1 (constant op_count, base point G): ");
3557
+ }
3558
+ /* Do a dummy multiplication first to trigger precomputation */
3559
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&m, 2));
3560
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &P, &m, &grp.G, self_test_rng, NULL));
3561
+ ret = self_test_point(verbose,
3562
+ &grp, &R, &m, &grp.G,
3563
+ sw_exponents,
3564
+ sizeof(sw_exponents) / sizeof(sw_exponents[0]));
3565
+ if (ret != 0) {
3566
+ goto cleanup;
3567
+ }
3568
+
3569
+ if (verbose != 0) {
3570
+ mbedtls_printf(" ECP SW test #2 (constant op_count, other point): ");
3571
+ }
3572
+ /* We computed P = 2G last time, use it */
3573
+ ret = self_test_point(verbose,
3574
+ &grp, &R, &m, &P,
3575
+ sw_exponents,
3576
+ sizeof(sw_exponents) / sizeof(sw_exponents[0]));
3577
+ if (ret != 0) {
3578
+ goto cleanup;
3579
+ }
3580
+
3581
+ mbedtls_ecp_group_free(&grp);
3582
+ mbedtls_ecp_point_free(&R);
3583
+ #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
3584
+
3585
+ #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
3586
+ if (verbose != 0) {
3587
+ mbedtls_printf(" ECP Montgomery test (constant op_count): ");
3588
+ }
3589
+ #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
3590
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE25519));
3591
+ #elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
3592
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE448));
3593
+ #else
3594
+ #error "MBEDTLS_ECP_MONTGOMERY_ENABLED is defined, but no curve is supported for self-test"
3595
+ #endif
3596
+ ret = self_test_point(verbose,
3597
+ &grp, &R, &m, &grp.G,
3598
+ m_exponents,
3599
+ sizeof(m_exponents) / sizeof(m_exponents[0]));
3600
+ if (ret != 0) {
3601
+ goto cleanup;
3602
+ }
3603
+ #endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
3604
+
3605
+ cleanup:
3606
+
3607
+ if (ret < 0 && verbose != 0) {
3608
+ mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
3609
+ }
3610
+
3611
+ mbedtls_ecp_group_free(&grp);
3612
+ mbedtls_ecp_point_free(&R);
3613
+ mbedtls_ecp_point_free(&P);
3614
+ mbedtls_mpi_free(&m);
3615
+
3616
+ if (verbose != 0) {
3617
+ mbedtls_printf("\n");
3618
+ }
3619
+
3620
+ return ret;
3621
+ #else /* MBEDTLS_ECP_C */
3622
+ (void) verbose;
3623
+ return 0;
3624
+ #endif /* MBEDTLS_ECP_C */
3625
+ }
3626
+
3627
+ #endif /* MBEDTLS_SELF_TEST */
3628
+
3629
+ #endif /* !MBEDTLS_ECP_ALT */
3630
+
3631
+ #endif /* MBEDTLS_ECP_LIGHT */