summaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
authortb <>2023-04-25 19:53:30 +0000
committertb <>2023-04-25 19:53:30 +0000
commit82b040aef9cef17610a89204220ee3cb1012fb20 (patch)
treee9be44ea96c7294efcc800d9cb419edbab4fe999 /src/lib
parentaa0643f4294a31c69cf4097f866cd5cb11e48c1e (diff)
downloadopenbsd-82b040aef9cef17610a89204220ee3cb1012fb20.tar.gz
openbsd-82b040aef9cef17610a89204220ee3cb1012fb20.tar.bz2
openbsd-82b040aef9cef17610a89204220ee3cb1012fb20.zip
GF2m bites the dust. It won't be missed.
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/Makefile6
-rw-r--r--src/lib/libcrypto/bn/bn.h63
-rw-r--r--src/lib/libcrypto/bn/bn_gf2m.c1268
-rw-r--r--src/lib/libcrypto/ec/ec.h87
-rw-r--r--src/lib/libcrypto/ec/ec2_mult.c449
-rw-r--r--src/lib/libcrypto/ec/ec2_oct.c402
-rw-r--r--src/lib/libcrypto/ec/ec2_smpl.c723
-rw-r--r--src/lib/libcrypto/ec/ec_asn1.c194
-rw-r--r--src/lib/libcrypto/ec/ec_curve.c1416
-rw-r--r--src/lib/libcrypto/ec/ec_cvt.c11
-rw-r--r--src/lib/libcrypto/ec/ec_lib.c36
-rw-r--r--src/lib/libcrypto/ec/ec_oct.c11
12 files changed, 11 insertions, 4655 deletions
diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index 14a2287843..01cf96801d 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.115 2023/04/25 19:01:01 tb Exp $ 1# $OpenBSD: Makefile,v 1.116 2023/04/25 19:53:30 tb Exp $
2 2
3LIB= crypto 3LIB= crypto
4LIBREBUILD=y 4LIBREBUILD=y
@@ -187,7 +187,6 @@ SRCS+= bn_div.c
187SRCS+= bn_err.c 187SRCS+= bn_err.c
188SRCS+= bn_exp.c 188SRCS+= bn_exp.c
189SRCS+= bn_gcd.c 189SRCS+= bn_gcd.c
190#SRCS+= bn_gf2m.c
191SRCS+= bn_isqrt.c 190SRCS+= bn_isqrt.c
192SRCS+= bn_kron.c 191SRCS+= bn_kron.c
193SRCS+= bn_lib.c 192SRCS+= bn_lib.c
@@ -333,9 +332,6 @@ SRCS+= dso_null.c
333SRCS+= dso_openssl.c 332SRCS+= dso_openssl.c
334 333
335# ec/ 334# ec/
336#SRCS+= ec2_mult.c
337#SRCS+= ec2_oct.c
338#SRCS+= ec2_smpl.c
339SRCS+= ec_ameth.c 335SRCS+= ec_ameth.c
340SRCS+= ec_asn1.c 336SRCS+= ec_asn1.c
341SRCS+= ec_check.c 337SRCS+= ec_check.c
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 52e3d078ab..b15e6311f9 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: bn.h,v 1.68 2023/04/25 17:42:07 tb Exp $ */ 1/* $OpenBSD: bn.h,v 1.69 2023/04/25 19:53:30 tb Exp $ */
2/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -505,67 +505,6 @@ void BN_set_params(int mul, int high, int low, int mont);
505int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */ 505int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */
506#endif 506#endif
507 507
508#ifndef OPENSSL_NO_EC2M
509
510/* Functions for arithmetic over binary polynomials represented by BIGNUMs.
511 *
512 * The BIGNUM::neg property of BIGNUMs representing binary polynomials is
513 * ignored.
514 *
515 * Note that input arguments are not const so that their bit arrays can
516 * be expanded to the appropriate size if needed.
517 */
518
519int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); /*r = a + b*/
520#define BN_GF2m_sub(r, a, b) BN_GF2m_add(r, a, b)
521int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p); /*r=a mod p*/
522int
523BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
524 const BIGNUM *p, BN_CTX *ctx); /* r = (a * b) mod p */
525int
526BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
527 BN_CTX *ctx); /* r = (a * a) mod p */
528int
529BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *b, const BIGNUM *p,
530 BN_CTX *ctx); /* r = (1 / b) mod p */
531int
532BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
533 const BIGNUM *p, BN_CTX *ctx); /* r = (a / b) mod p */
534int
535BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
536 const BIGNUM *p, BN_CTX *ctx); /* r = (a ^ b) mod p */
537int
538BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
539 BN_CTX *ctx); /* r = sqrt(a) mod p */
540int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
541 BN_CTX *ctx); /* r^2 + r = a mod p */
542#define BN_GF2m_cmp(a, b) BN_ucmp((a), (b))
543/* Some functions allow for representation of the irreducible polynomials
544 * as an unsigned int[], say p. The irreducible f(t) is then of the form:
545 * t^p[0] + t^p[1] + ... + t^p[k]
546 * where m = p[0] > p[1] > ... > p[k] = 0.
547 */
548int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[]);
549/* r = a mod p */
550int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
551 const int p[], BN_CTX *ctx); /* r = (a * b) mod p */
552int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[],
553 BN_CTX *ctx); /* r = (a * a) mod p */
554int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *b, const int p[],
555 BN_CTX *ctx); /* r = (1 / b) mod p */
556int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
557 const int p[], BN_CTX *ctx); /* r = (a / b) mod p */
558int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
559 const int p[], BN_CTX *ctx); /* r = (a ^ b) mod p */
560int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a,
561 const int p[], BN_CTX *ctx); /* r = sqrt(a) mod p */
562int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a,
563 const int p[], BN_CTX *ctx); /* r^2 + r = a mod p */
564int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max);
565int BN_GF2m_arr2poly(const int p[], BIGNUM *a);
566
567#endif
568
569/* Primes from RFC 2409 */ 508/* Primes from RFC 2409 */
570BIGNUM *get_rfc2409_prime_768(BIGNUM *bn); 509BIGNUM *get_rfc2409_prime_768(BIGNUM *bn);
571BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn); 510BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn);
diff --git a/src/lib/libcrypto/bn/bn_gf2m.c b/src/lib/libcrypto/bn/bn_gf2m.c
deleted file mode 100644
index 62ac2a5151..0000000000
--- a/src/lib/libcrypto/bn/bn_gf2m.c
+++ /dev/null
@@ -1,1268 +0,0 @@
1/* $OpenBSD: bn_gf2m.c,v 1.32 2023/03/27 10:25:02 tb Exp $ */
2/* ====================================================================
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4 *
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7 * to the OpenSSL project.
8 *
9 * The ECC Code is licensed pursuant to the OpenSSL open source
10 * license provided below.
11 *
12 * In addition, Sun covenants to all licensees who provide a reciprocal
13 * covenant with respect to their own patents if any, not to sue under
14 * current and future patent claims necessarily infringed by the making,
15 * using, practicing, selling, offering for sale and/or otherwise
16 * disposing of the ECC Code as delivered hereunder (or portions thereof),
17 * provided that such covenant shall not apply:
18 * 1) for code that a licensee deletes from the ECC Code;
19 * 2) separates from the ECC Code; or
20 * 3) for infringements caused by:
21 * i) the modification of the ECC Code or
22 * ii) the combination of the ECC Code with other software or
23 * devices where such combination causes the infringement.
24 *
25 * The software is originally written by Sheueling Chang Shantz and
26 * Douglas Stebila of Sun Microsystems Laboratories.
27 *
28 */
29
30/* NOTE: This file is licensed pursuant to the OpenSSL license below
31 * and may be modified; but after modifications, the above covenant
32 * may no longer apply! In such cases, the corresponding paragraph
33 * ["In addition, Sun covenants ... causes the infringement."] and
34 * this note can be edited out; but please keep the Sun copyright
35 * notice and attribution. */
36
37/* ====================================================================
38 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
39 *
40 * Redistribution and use in source and binary forms, with or without
41 * modification, are permitted provided that the following conditions
42 * are met:
43 *
44 * 1. Redistributions of source code must retain the above copyright
45 * notice, this list of conditions and the following disclaimer.
46 *
47 * 2. Redistributions in binary form must reproduce the above copyright
48 * notice, this list of conditions and the following disclaimer in
49 * the documentation and/or other materials provided with the
50 * distribution.
51 *
52 * 3. All advertising materials mentioning features or use of this
53 * software must display the following acknowledgment:
54 * "This product includes software developed by the OpenSSL Project
55 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
56 *
57 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
58 * endorse or promote products derived from this software without
59 * prior written permission. For written permission, please contact
60 * openssl-core@openssl.org.
61 *
62 * 5. Products derived from this software may not be called "OpenSSL"
63 * nor may "OpenSSL" appear in their names without prior written
64 * permission of the OpenSSL Project.
65 *
66 * 6. Redistributions of any form whatsoever must retain the following
67 * acknowledgment:
68 * "This product includes software developed by the OpenSSL Project
69 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
70 *
71 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
72 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
73 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
74 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
75 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
76 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
77 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
78 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
79 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
80 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
81 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
82 * OF THE POSSIBILITY OF SUCH DAMAGE.
83 * ====================================================================
84 *
85 * This product includes cryptographic software written by Eric Young
86 * (eay@cryptsoft.com). This product includes software written by Tim
87 * Hudson (tjh@cryptsoft.com).
88 *
89 */
90
91#include <limits.h>
92#include <stdio.h>
93
94#include <openssl/opensslconf.h>
95
96#include <openssl/err.h>
97
98#include "bn_local.h"
99
100#ifndef OPENSSL_NO_EC2M
101
102/* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should fail. */
103#define MAX_ITERATIONS 50
104
105static const BN_ULONG SQR_tb[16] =
106 { 0, 1, 4, 5, 16, 17, 20, 21,
10764, 65, 68, 69, 80, 81, 84, 85 };
108/* Platform-specific macros to accelerate squaring. */
109#ifdef _LP64
110#define SQR1(w) \
111 SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \
112 SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \
113 SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \
114 SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF]
115#define SQR0(w) \
116 SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \
117 SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \
118 SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
119 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
120#else
121#define SQR1(w) \
122 SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \
123 SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF]
124#define SQR0(w) \
125 SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
126 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
127#endif
128
129#if !defined(OPENSSL_BN_ASM_GF2m)
130/* Product of two polynomials a, b each with degree < BN_BITS2 - 1,
131 * result is a polynomial r with degree < 2 * BN_BITS - 1
132 * The caller MUST ensure that the variables have the right amount
133 * of space allocated.
134 */
135static void
136bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
137{
138#ifndef _LP64
139 BN_ULONG h, l, s;
140 BN_ULONG tab[8], top2b = a >> 30;
141 BN_ULONG a1, a2, a4;
142
143 a1 = a & (0x3FFFFFFF);
144 a2 = a1 << 1;
145 a4 = a2 << 1;
146
147 tab[0] = 0;
148 tab[1] = a1;
149 tab[2] = a2;
150 tab[3] = a1 ^ a2;
151 tab[4] = a4;
152 tab[5] = a1 ^ a4;
153 tab[6] = a2 ^ a4;
154 tab[7] = a1 ^ a2 ^ a4;
155
156 s = tab[b & 0x7];
157 l = s;
158 s = tab[b >> 3 & 0x7];
159 l ^= s << 3;
160 h = s >> 29;
161 s = tab[b >> 6 & 0x7];
162 l ^= s << 6;
163 h ^= s >> 26;
164 s = tab[b >> 9 & 0x7];
165 l ^= s << 9;
166 h ^= s >> 23;
167 s = tab[b >> 12 & 0x7];
168 l ^= s << 12;
169 h ^= s >> 20;
170 s = tab[b >> 15 & 0x7];
171 l ^= s << 15;
172 h ^= s >> 17;
173 s = tab[b >> 18 & 0x7];
174 l ^= s << 18;
175 h ^= s >> 14;
176 s = tab[b >> 21 & 0x7];
177 l ^= s << 21;
178 h ^= s >> 11;
179 s = tab[b >> 24 & 0x7];
180 l ^= s << 24;
181 h ^= s >> 8;
182 s = tab[b >> 27 & 0x7];
183 l ^= s << 27;
184 h ^= s >> 5;
185 s = tab[b >> 30];
186 l ^= s << 30;
187 h ^= s >> 2;
188
189 /* compensate for the top two bits of a */
190 if (top2b & 01) {
191 l ^= b << 30;
192 h ^= b >> 2;
193 }
194 if (top2b & 02) {
195 l ^= b << 31;
196 h ^= b >> 1;
197 }
198
199 *r1 = h;
200 *r0 = l;
201#else
202 BN_ULONG h, l, s;
203 BN_ULONG tab[16], top3b = a >> 61;
204 BN_ULONG a1, a2, a4, a8;
205
206 a1 = a & (0x1FFFFFFFFFFFFFFFULL);
207 a2 = a1 << 1;
208 a4 = a2 << 1;
209 a8 = a4 << 1;
210
211 tab[0] = 0;
212 tab[1] = a1;
213 tab[2] = a2;
214 tab[3] = a1 ^ a2;
215 tab[4] = a4;
216 tab[5] = a1 ^ a4;
217 tab[6] = a2 ^ a4;
218 tab[7] = a1 ^ a2 ^ a4;
219 tab[8] = a8;
220 tab[9] = a1 ^ a8;
221 tab[10] = a2 ^ a8;
222 tab[11] = a1 ^ a2 ^ a8;
223 tab[12] = a4 ^ a8;
224 tab[13] = a1 ^ a4 ^ a8;
225 tab[14] = a2 ^ a4 ^ a8;
226 tab[15] = a1 ^ a2 ^ a4 ^ a8;
227
228 s = tab[b & 0xF];
229 l = s;
230 s = tab[b >> 4 & 0xF];
231 l ^= s << 4;
232 h = s >> 60;
233 s = tab[b >> 8 & 0xF];
234 l ^= s << 8;
235 h ^= s >> 56;
236 s = tab[b >> 12 & 0xF];
237 l ^= s << 12;
238 h ^= s >> 52;
239 s = tab[b >> 16 & 0xF];
240 l ^= s << 16;
241 h ^= s >> 48;
242 s = tab[b >> 20 & 0xF];
243 l ^= s << 20;
244 h ^= s >> 44;
245 s = tab[b >> 24 & 0xF];
246 l ^= s << 24;
247 h ^= s >> 40;
248 s = tab[b >> 28 & 0xF];
249 l ^= s << 28;
250 h ^= s >> 36;
251 s = tab[b >> 32 & 0xF];
252 l ^= s << 32;
253 h ^= s >> 32;
254 s = tab[b >> 36 & 0xF];
255 l ^= s << 36;
256 h ^= s >> 28;
257 s = tab[b >> 40 & 0xF];
258 l ^= s << 40;
259 h ^= s >> 24;
260 s = tab[b >> 44 & 0xF];
261 l ^= s << 44;
262 h ^= s >> 20;
263 s = tab[b >> 48 & 0xF];
264 l ^= s << 48;
265 h ^= s >> 16;
266 s = tab[b >> 52 & 0xF];
267 l ^= s << 52;
268 h ^= s >> 12;
269 s = tab[b >> 56 & 0xF];
270 l ^= s << 56;
271 h ^= s >> 8;
272 s = tab[b >> 60];
273 l ^= s << 60;
274 h ^= s >> 4;
275
276 /* compensate for the top three bits of a */
277 if (top3b & 01) {
278 l ^= b << 61;
279 h ^= b >> 3;
280 }
281 if (top3b & 02) {
282 l ^= b << 62;
283 h ^= b >> 2;
284 }
285 if (top3b & 04) {
286 l ^= b << 63;
287 h ^= b >> 1;
288 }
289
290 *r1 = h;
291 *r0 = l;
292#endif
293}
294
295/* Product of two polynomials a, b each with degree < 2 * BN_BITS2 - 1,
296 * result is a polynomial r with degree < 4 * BN_BITS2 - 1
297 * The caller MUST ensure that the variables have the right amount
298 * of space allocated.
299 */
300static void
301bn_GF2m_mul_2x2(BN_ULONG *r, const BN_ULONG a1, const BN_ULONG a0,
302 const BN_ULONG b1, const BN_ULONG b0)
303{
304 BN_ULONG m1, m0;
305
306 /* r[3] = h1, r[2] = h0; r[1] = l1; r[0] = l0 */
307 bn_GF2m_mul_1x1(r + 3, r + 2, a1, b1);
308 bn_GF2m_mul_1x1(r + 1, r, a0, b0);
309 bn_GF2m_mul_1x1(&m1, &m0, a0 ^ a1, b0 ^ b1);
310 /* Correction on m1 ^= l1 ^ h1; m0 ^= l0 ^ h0; */
311 r[2] ^= m1 ^ r[1] ^ r[3]; /* h0 ^= m1 ^ l1 ^ h1; */
312 r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */
313}
314#else
315void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1,
316 BN_ULONG b0);
317#endif
318
319/* Add polynomials a and b and store result in r; r could be a or b, a and b
320 * could be equal; r is the bitwise XOR of a and b.
321 */
322int
323BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
324{
325 int i;
326 const BIGNUM *at, *bt;
327
328
329 if (a->top < b->top) {
330 at = b;
331 bt = a;
332 } else {
333 at = a;
334 bt = b;
335 }
336
337 if (!bn_wexpand(r, at->top))
338 return 0;
339
340 for (i = 0; i < bt->top; i++) {
341 r->d[i] = at->d[i] ^ bt->d[i];
342 }
343 for (; i < at->top; i++) {
344 r->d[i] = at->d[i];
345 }
346
347 r->top = at->top;
348 bn_correct_top(r);
349
350 return 1;
351}
352
353
354/* Some functions allow for representation of the irreducible polynomials
355 * as an int[], say p. The irreducible f(t) is then of the form:
356 * t^p[0] + t^p[1] + ... + t^p[k]
357 * where m = p[0] > p[1] > ... > p[k] = 0.
358 */
359
360
361/* Performs modular reduction of a and store result in r. r could be a. */
362int
363BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[])
364{
365 int j, k;
366 int n, dN, d0, d1;
367 BN_ULONG zz, *z;
368
369
370 if (!p[0]) {
371 /* reduction mod 1 => return 0 */
372 BN_zero(r);
373 return 1;
374 }
375
376 /* Since the algorithm does reduction in the r value, if a != r, copy
377 * the contents of a into r so we can do reduction in r.
378 */
379 if (a != r) {
380 if (!bn_wexpand(r, a->top))
381 return 0;
382 for (j = 0; j < a->top; j++) {
383 r->d[j] = a->d[j];
384 }
385 r->top = a->top;
386 }
387 z = r->d;
388
389 /* start reduction */
390 dN = p[0] / BN_BITS2;
391 for (j = r->top - 1; j > dN; ) {
392 zz = z[j];
393 if (z[j] == 0) {
394 j--;
395 continue;
396 }
397 z[j] = 0;
398
399 for (k = 1; p[k] != 0; k++) {
400 /* reducing component t^p[k] */
401 n = p[0] - p[k];
402 d0 = n % BN_BITS2;
403 d1 = BN_BITS2 - d0;
404 n /= BN_BITS2;
405 z[j - n] ^= (zz >> d0);
406 if (d0)
407 z[j - n - 1] ^= (zz << d1);
408 }
409
410 /* reducing component t^0 */
411 n = dN;
412 d0 = p[0] % BN_BITS2;
413 d1 = BN_BITS2 - d0;
414 z[j - n] ^= (zz >> d0);
415 if (d0)
416 z[j - n - 1] ^= (zz << d1);
417 }
418
419 /* final round of reduction */
420 while (j == dN) {
421
422 d0 = p[0] % BN_BITS2;
423 zz = z[dN] >> d0;
424 if (zz == 0)
425 break;
426 d1 = BN_BITS2 - d0;
427
428 /* clear up the top d1 bits */
429 if (d0)
430 z[dN] = (z[dN] << d1) >> d1;
431 else
432 z[dN] = 0;
433 z[0] ^= zz; /* reduction t^0 component */
434
435 for (k = 1; p[k] != 0; k++) {
436 BN_ULONG tmp_ulong;
437
438 /* reducing component t^p[k]*/
439 n = p[k] / BN_BITS2;
440 d0 = p[k] % BN_BITS2;
441 d1 = BN_BITS2 - d0;
442 z[n] ^= (zz << d0);
443 if (d0 && (tmp_ulong = zz >> d1))
444 z[n + 1] ^= tmp_ulong;
445 }
446
447
448 }
449
450 bn_correct_top(r);
451 return 1;
452}
453
454/* Performs modular reduction of a by p and store result in r. r could be a.
455 *
456 * This function calls down to the BN_GF2m_mod_arr implementation; this wrapper
457 * function is only provided for convenience; for best performance, use the
458 * BN_GF2m_mod_arr function.
459 */
460int
461BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)
462{
463 int ret = 0;
464 const int max = BN_num_bits(p) + 1;
465 int *arr = NULL;
466
467 if ((arr = reallocarray(NULL, max, sizeof(int))) == NULL)
468 goto err;
469 ret = BN_GF2m_poly2arr(p, arr, max);
470 if (!ret || ret > max) {
471 BNerror(BN_R_INVALID_LENGTH);
472 goto err;
473 }
474 ret = BN_GF2m_mod_arr(r, a, arr);
475
476 err:
477 free(arr);
478 return ret;
479}
480
481
482/* Compute the product of two polynomials a and b, reduce modulo p, and store
483 * the result in r. r could be a or b; a could be b.
484 */
485int
486BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const int p[],
487 BN_CTX *ctx)
488{
489 int zlen, i, j, k, ret = 0;
490 BIGNUM *s;
491 BN_ULONG x1, x0, y1, y0, zz[4];
492
493
494 if (a == b) {
495 return BN_GF2m_mod_sqr_arr(r, a, p, ctx);
496 }
497
498 BN_CTX_start(ctx);
499 if ((s = BN_CTX_get(ctx)) == NULL)
500 goto err;
501
502 zlen = a->top + b->top + 4;
503 if (!bn_wexpand(s, zlen))
504 goto err;
505 s->top = zlen;
506
507 for (i = 0; i < zlen; i++)
508 s->d[i] = 0;
509
510 for (j = 0; j < b->top; j += 2) {
511 y0 = b->d[j];
512 y1 = ((j + 1) == b->top) ? 0 : b->d[j + 1];
513 for (i = 0; i < a->top; i += 2) {
514 x0 = a->d[i];
515 x1 = ((i + 1) == a->top) ? 0 : a->d[i + 1];
516 bn_GF2m_mul_2x2(zz, x1, x0, y1, y0);
517 for (k = 0; k < 4; k++)
518 s->d[i + j + k] ^= zz[k];
519 }
520 }
521
522 bn_correct_top(s);
523 if (BN_GF2m_mod_arr(r, s, p))
524 ret = 1;
525
526err:
527 BN_CTX_end(ctx);
528 return ret;
529}
530
531/* Compute the product of two polynomials a and b, reduce modulo p, and store
532 * the result in r. r could be a or b; a could equal b.
533 *
534 * This function calls down to the BN_GF2m_mod_mul_arr implementation; this wrapper
535 * function is only provided for convenience; for best performance, use the
536 * BN_GF2m_mod_mul_arr function.
537 */
538int
539BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p,
540 BN_CTX *ctx)
541{
542 int ret = 0;
543 const int max = BN_num_bits(p) + 1;
544 int *arr = NULL;
545
546 if ((arr = reallocarray(NULL, max, sizeof(int))) == NULL)
547 goto err;
548 ret = BN_GF2m_poly2arr(p, arr, max);
549 if (!ret || ret > max) {
550 BNerror(BN_R_INVALID_LENGTH);
551 goto err;
552 }
553 ret = BN_GF2m_mod_mul_arr(r, a, b, arr, ctx);
554
555err:
556 free(arr);
557 return ret;
558}
559
560
561/* Square a, reduce the result mod p, and store it in a. r could be a. */
562int
563BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[], BN_CTX *ctx)
564{
565 int i, ret = 0;
566 BIGNUM *s;
567
568 BN_CTX_start(ctx);
569 if ((s = BN_CTX_get(ctx)) == NULL)
570 goto err;
571 if (!bn_wexpand(s, 2 * a->top))
572 goto err;
573
574 for (i = a->top - 1; i >= 0; i--) {
575 s->d[2 * i + 1] = SQR1(a->d[i]);
576 s->d[2 * i] = SQR0(a->d[i]);
577 }
578
579 s->top = 2 * a->top;
580 bn_correct_top(s);
581 if (!BN_GF2m_mod_arr(r, s, p))
582 goto err;
583 ret = 1;
584
585err:
586 BN_CTX_end(ctx);
587 return ret;
588}
589
590/* Square a, reduce the result mod p, and store it in a. r could be a.
591 *
592 * This function calls down to the BN_GF2m_mod_sqr_arr implementation; this wrapper
593 * function is only provided for convenience; for best performance, use the
594 * BN_GF2m_mod_sqr_arr function.
595 */
596int
597BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
598{
599 int ret = 0;
600 const int max = BN_num_bits(p) + 1;
601 int *arr = NULL;
602
603 if ((arr = reallocarray(NULL, max, sizeof(int))) == NULL)
604 goto err;
605 ret = BN_GF2m_poly2arr(p, arr, max);
606 if (!ret || ret > max) {
607 BNerror(BN_R_INVALID_LENGTH);
608 goto err;
609 }
610 ret = BN_GF2m_mod_sqr_arr(r, a, arr, ctx);
611
612err:
613 free(arr);
614 return ret;
615}
616
617
618/* Invert a, reduce modulo p, and store the result in r. r could be a.
619 * Uses Modified Almost Inverse Algorithm (Algorithm 10) from
620 * Hankerson, D., Hernandez, J.L., and Menezes, A. "Software Implementation
621 * of Elliptic Curve Cryptography Over Binary Fields".
622 */
623int
624BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
625{
626 BIGNUM *b, *c = NULL, *u = NULL, *v = NULL, *tmp;
627 int ret = 0;
628
629
630 BN_CTX_start(ctx);
631
632 if ((b = BN_CTX_get(ctx)) == NULL)
633 goto err;
634 if ((c = BN_CTX_get(ctx)) == NULL)
635 goto err;
636 if ((u = BN_CTX_get(ctx)) == NULL)
637 goto err;
638 if ((v = BN_CTX_get(ctx)) == NULL)
639 goto err;
640
641 if (!BN_GF2m_mod(u, a, p))
642 goto err;
643 if (BN_is_zero(u))
644 goto err;
645
646 if (!bn_copy(v, p))
647 goto err;
648#if 0
649 if (!BN_one(b))
650 goto err;
651
652 while (1) {
653 while (!BN_is_odd(u)) {
654 if (BN_is_zero(u))
655 goto err;
656 if (!BN_rshift1(u, u))
657 goto err;
658 if (BN_is_odd(b)) {
659 if (!BN_GF2m_add(b, b, p))
660 goto err;
661 }
662 if (!BN_rshift1(b, b))
663 goto err;
664 }
665
666 if (BN_abs_is_word(u, 1))
667 break;
668
669 if (BN_num_bits(u) < BN_num_bits(v)) {
670 tmp = u;
671 u = v;
672 v = tmp;
673 tmp = b;
674 b = c;
675 c = tmp;
676 }
677
678 if (!BN_GF2m_add(u, u, v))
679 goto err;
680 if (!BN_GF2m_add(b, b, c))
681 goto err;
682 }
683#else
684 {
685 int i, ubits = BN_num_bits(u),
686 vbits = BN_num_bits(v), /* v is copy of p */
687 top = p->top;
688 BN_ULONG *udp, *bdp, *vdp, *cdp;
689
690 if (!bn_wexpand(u, top))
691 goto err;
692 udp = u->d;
693 for (i = u->top; i < top; i++)
694 udp[i] = 0;
695 u->top = top;
696 if (!bn_wexpand(b, top))
697 goto err;
698 bdp = b->d;
699 bdp[0] = 1;
700 for (i = 1; i < top; i++)
701 bdp[i] = 0;
702 b->top = top;
703 if (!bn_wexpand(c, top))
704 goto err;
705 cdp = c->d;
706 for (i = 0; i < top; i++)
707 cdp[i] = 0;
708 c->top = top;
709 vdp = v->d; /* It pays off to "cache" *->d pointers, because
710 * it allows optimizer to be more aggressive.
711 * But we don't have to "cache" p->d, because *p
712 * is declared 'const'... */
713 while (1) {
714 while (ubits && !(udp[0]&1)) {
715 BN_ULONG u0, u1, b0, b1, mask;
716
717 u0 = udp[0];
718 b0 = bdp[0];
719 mask = (BN_ULONG)0 - (b0 & 1);
720 b0 ^= p->d[0] & mask;
721 for (i = 0; i < top - 1; i++) {
722 u1 = udp[i + 1];
723 udp[i] = ((u0 >> 1) |
724 (u1 << (BN_BITS2 - 1))) & BN_MASK2;
725 u0 = u1;
726 b1 = bdp[i + 1] ^ (p->d[i + 1] & mask);
727 bdp[i] = ((b0 >> 1) |
728 (b1 << (BN_BITS2 - 1))) & BN_MASK2;
729 b0 = b1;
730 }
731 udp[i] = u0 >> 1;
732 bdp[i] = b0 >> 1;
733 ubits--;
734 }
735
736 if (ubits <= BN_BITS2) {
737 /* See if poly was reducible. */
738 if (udp[0] == 0)
739 goto err;
740 if (udp[0] == 1)
741 break;
742 }
743
744 if (ubits < vbits) {
745 i = ubits;
746 ubits = vbits;
747 vbits = i;
748 tmp = u;
749 u = v;
750 v = tmp;
751 tmp = b;
752 b = c;
753 c = tmp;
754 udp = vdp;
755 vdp = v->d;
756 bdp = cdp;
757 cdp = c->d;
758 }
759 for (i = 0; i < top; i++) {
760 udp[i] ^= vdp[i];
761 bdp[i] ^= cdp[i];
762 }
763 if (ubits == vbits) {
764 BN_ULONG ul;
765 int utop = (ubits - 1) / BN_BITS2;
766
767 while ((ul = udp[utop]) == 0 && utop)
768 utop--;
769 ubits = utop*BN_BITS2 + BN_num_bits_word(ul);
770 }
771 }
772 bn_correct_top(b);
773 }
774#endif
775
776 if (!bn_copy(r, b))
777 goto err;
778 ret = 1;
779
780err:
781 BN_CTX_end(ctx);
782 return ret;
783}
784
785/* Invert xx, reduce modulo p, and store the result in r. r could be xx.
786 *
787 * This function calls down to the BN_GF2m_mod_inv implementation; this wrapper
788 * function is only provided for convenience; for best performance, use the
789 * BN_GF2m_mod_inv function.
790 */
791int
792BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const int p[], BN_CTX *ctx)
793{
794 BIGNUM *field;
795 int ret = 0;
796
797 BN_CTX_start(ctx);
798 if ((field = BN_CTX_get(ctx)) == NULL)
799 goto err;
800 if (!BN_GF2m_arr2poly(p, field))
801 goto err;
802
803 ret = BN_GF2m_mod_inv(r, xx, field, ctx);
804
805err:
806 BN_CTX_end(ctx);
807 return ret;
808}
809
810
811#ifndef OPENSSL_SUN_GF2M_DIV
812/* Divide y by x, reduce modulo p, and store the result in r. r could be x
813 * or y, x could equal y.
814 */
815int
816BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x, const BIGNUM *p,
817 BN_CTX *ctx)
818{
819 BIGNUM *xinv = NULL;
820 int ret = 0;
821
822
823 BN_CTX_start(ctx);
824 if ((xinv = BN_CTX_get(ctx)) == NULL)
825 goto err;
826
827 if (!BN_GF2m_mod_inv(xinv, x, p, ctx))
828 goto err;
829 if (!BN_GF2m_mod_mul(r, y, xinv, p, ctx))
830 goto err;
831 ret = 1;
832
833err:
834 BN_CTX_end(ctx);
835 return ret;
836}
837#else
838/* Divide y by x, reduce modulo p, and store the result in r. r could be x
839 * or y, x could equal y.
840 * Uses algorithm Modular_Division_GF(2^m) from
841 * Chang-Shantz, S. "From Euclid's GCD to Montgomery Multiplication to
842 * the Great Divide".
843 */
844int
845BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x, const BIGNUM *p,
846 BN_CTX *ctx)
847{
848 BIGNUM *a, *b, *u, *v;
849 int ret = 0;
850
851
852 BN_CTX_start(ctx);
853
854 if ((a = BN_CTX_get(ctx)) == NULL)
855 goto err;
856 if ((b = BN_CTX_get(ctx)) == NULL)
857 goto err;
858 if ((u = BN_CTX_get(ctx)) == NULL)
859 goto err;
860 if ((v = BN_CTX_get(ctx)) == NULL)
861 goto err;
862
863 /* reduce x and y mod p */
864 if (!BN_GF2m_mod(u, y, p))
865 goto err;
866 if (!BN_GF2m_mod(a, x, p))
867 goto err;
868 if (!bn_copy(b, p))
869 goto err;
870
871 while (!BN_is_odd(a)) {
872 if (!BN_rshift1(a, a))
873 goto err;
874 if (BN_is_odd(u))
875 if (!BN_GF2m_add(u, u, p))
876 goto err;
877 if (!BN_rshift1(u, u))
878 goto err;
879 }
880
881 do {
882 if (BN_GF2m_cmp(b, a) > 0) {
883 if (!BN_GF2m_add(b, b, a))
884 goto err;
885 if (!BN_GF2m_add(v, v, u))
886 goto err;
887 do {
888 if (!BN_rshift1(b, b))
889 goto err;
890 if (BN_is_odd(v))
891 if (!BN_GF2m_add(v, v, p))
892 goto err;
893 if (!BN_rshift1(v, v))
894 goto err;
895 } while (!BN_is_odd(b));
896 } else if (BN_abs_is_word(a, 1))
897 break;
898 else {
899 if (!BN_GF2m_add(a, a, b))
900 goto err;
901 if (!BN_GF2m_add(u, u, v))
902 goto err;
903 do {
904 if (!BN_rshift1(a, a))
905 goto err;
906 if (BN_is_odd(u))
907 if (!BN_GF2m_add(u, u, p))
908 goto err;
909 if (!BN_rshift1(u, u))
910 goto err;
911 } while (!BN_is_odd(a));
912 }
913 } while (1);
914
915 if (!bn_copy(r, u))
916 goto err;
917 ret = 1;
918
919err:
920 BN_CTX_end(ctx);
921 return ret;
922}
923#endif
924
925/* Divide yy by xx, reduce modulo p, and store the result in r. r could be xx
926 * or yy, xx could equal yy.
927 *
928 * This function calls down to the BN_GF2m_mod_div implementation; this wrapper
929 * function is only provided for convenience; for best performance, use the
930 * BN_GF2m_mod_div function.
931 */
932int
933BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx,
934 const int p[], BN_CTX *ctx)
935{
936 BIGNUM *field;
937 int ret = 0;
938
939
940 BN_CTX_start(ctx);
941 if ((field = BN_CTX_get(ctx)) == NULL)
942 goto err;
943 if (!BN_GF2m_arr2poly(p, field))
944 goto err;
945
946 ret = BN_GF2m_mod_div(r, yy, xx, field, ctx);
947
948err:
949 BN_CTX_end(ctx);
950 return ret;
951}
952
953
954/* Compute the bth power of a, reduce modulo p, and store
955 * the result in r. r could be a.
956 * Uses simple square-and-multiply algorithm A.5.1 from IEEE P1363.
957 */
958int
959BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const int p[],
960 BN_CTX *ctx)
961{
962 int ret = 0, i, n;
963 BIGNUM *u;
964
965
966 if (BN_is_zero(b))
967 return BN_one(r);
968
969 if (BN_abs_is_word(b, 1))
970 return bn_copy(r, a);
971
972 BN_CTX_start(ctx);
973 if ((u = BN_CTX_get(ctx)) == NULL)
974 goto err;
975
976 if (!BN_GF2m_mod_arr(u, a, p))
977 goto err;
978
979 n = BN_num_bits(b) - 1;
980 for (i = n - 1; i >= 0; i--) {
981 if (!BN_GF2m_mod_sqr_arr(u, u, p, ctx))
982 goto err;
983 if (BN_is_bit_set(b, i)) {
984 if (!BN_GF2m_mod_mul_arr(u, u, a, p, ctx))
985 goto err;
986 }
987 }
988 if (!bn_copy(r, u))
989 goto err;
990 ret = 1;
991
992err:
993 BN_CTX_end(ctx);
994 return ret;
995}
996
997/* Compute the bth power of a, reduce modulo p, and store
998 * the result in r. r could be a.
999 *
1000 * This function calls down to the BN_GF2m_mod_exp_arr implementation; this wrapper
1001 * function is only provided for convenience; for best performance, use the
1002 * BN_GF2m_mod_exp_arr function.
1003 */
1004int
1005BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p,
1006 BN_CTX *ctx)
1007{
1008 int ret = 0;
1009 const int max = BN_num_bits(p) + 1;
1010 int *arr = NULL;
1011
1012 if ((arr = reallocarray(NULL, max, sizeof(int))) == NULL)
1013 goto err;
1014 ret = BN_GF2m_poly2arr(p, arr, max);
1015 if (!ret || ret > max) {
1016 BNerror(BN_R_INVALID_LENGTH);
1017 goto err;
1018 }
1019 ret = BN_GF2m_mod_exp_arr(r, a, b, arr, ctx);
1020
1021err:
1022 free(arr);
1023 return ret;
1024}
1025
1026/* Compute the square root of a, reduce modulo p, and store
1027 * the result in r. r could be a.
1028 * Uses exponentiation as in algorithm A.4.1 from IEEE P1363.
1029 */
1030int
1031BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const int p[], BN_CTX *ctx)
1032{
1033 int ret = 0;
1034 BIGNUM *u;
1035
1036
1037 if (!p[0]) {
1038 /* reduction mod 1 => return 0 */
1039 BN_zero(r);
1040 return 1;
1041 }
1042
1043 BN_CTX_start(ctx);
1044 if ((u = BN_CTX_get(ctx)) == NULL)
1045 goto err;
1046
1047 if (!BN_set_bit(u, p[0] - 1))
1048 goto err;
1049 ret = BN_GF2m_mod_exp_arr(r, a, u, p, ctx);
1050
1051err:
1052 BN_CTX_end(ctx);
1053 return ret;
1054}
1055
1056/* Compute the square root of a, reduce modulo p, and store
1057 * the result in r. r could be a.
1058 *
1059 * This function calls down to the BN_GF2m_mod_sqrt_arr implementation; this wrapper
1060 * function is only provided for convenience; for best performance, use the
1061 * BN_GF2m_mod_sqrt_arr function.
1062 */
1063int
1064BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
1065{
1066 int ret = 0;
1067 const int max = BN_num_bits(p) + 1;
1068 int *arr = NULL;
1069 if ((arr = reallocarray(NULL, max, sizeof(int))) == NULL)
1070 goto err;
1071 ret = BN_GF2m_poly2arr(p, arr, max);
1072 if (!ret || ret > max) {
1073 BNerror(BN_R_INVALID_LENGTH);
1074 goto err;
1075 }
1076 ret = BN_GF2m_mod_sqrt_arr(r, a, arr, ctx);
1077
1078err:
1079 free(arr);
1080 return ret;
1081}
1082
1083/* Find r such that r^2 + r = a mod p. r could be a. If no r exists returns 0.
1084 * Uses algorithms A.4.7 and A.4.6 from IEEE P1363.
1085 */
1086int
1087BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[],
1088 BN_CTX *ctx)
1089{
1090 int ret = 0, count = 0, j;
1091 BIGNUM *a, *z, *rho, *w, *w2, *tmp;
1092
1093
1094 if (!p[0]) {
1095 /* reduction mod 1 => return 0 */
1096 BN_zero(r);
1097 return 1;
1098 }
1099
1100 BN_CTX_start(ctx);
1101 if ((a = BN_CTX_get(ctx)) == NULL)
1102 goto err;
1103 if ((z = BN_CTX_get(ctx)) == NULL)
1104 goto err;
1105 if ((w = BN_CTX_get(ctx)) == NULL)
1106 goto err;
1107
1108 if (!BN_GF2m_mod_arr(a, a_, p))
1109 goto err;
1110
1111 if (BN_is_zero(a)) {
1112 BN_zero(r);
1113 ret = 1;
1114 goto err;
1115 }
1116
1117 if (p[0] & 0x1) /* m is odd */
1118 {
1119 /* compute half-trace of a */
1120 if (!bn_copy(z, a))
1121 goto err;
1122 for (j = 1; j <= (p[0] - 1) / 2; j++) {
1123 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1124 goto err;
1125 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1126 goto err;
1127 if (!BN_GF2m_add(z, z, a))
1128 goto err;
1129 }
1130
1131 }
1132 else /* m is even */
1133 {
1134 if ((rho = BN_CTX_get(ctx)) == NULL)
1135 goto err;
1136 if ((w2 = BN_CTX_get(ctx)) == NULL)
1137 goto err;
1138 if ((tmp = BN_CTX_get(ctx)) == NULL)
1139 goto err;
1140 do {
1141 if (!BN_rand(rho, p[0], 0, 0))
1142 goto err;
1143 if (!BN_GF2m_mod_arr(rho, rho, p))
1144 goto err;
1145 BN_zero(z);
1146 if (!bn_copy(w, rho))
1147 goto err;
1148 for (j = 1; j <= p[0] - 1; j++) {
1149 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1150 goto err;
1151 if (!BN_GF2m_mod_sqr_arr(w2, w, p, ctx))
1152 goto err;
1153 if (!BN_GF2m_mod_mul_arr(tmp, w2, a, p, ctx))
1154 goto err;
1155 if (!BN_GF2m_add(z, z, tmp))
1156 goto err;
1157 if (!BN_GF2m_add(w, w2, rho))
1158 goto err;
1159 }
1160 count++;
1161 } while (BN_is_zero(w) && (count < MAX_ITERATIONS));
1162 if (BN_is_zero(w)) {
1163 BNerror(BN_R_TOO_MANY_ITERATIONS);
1164 goto err;
1165 }
1166 }
1167
1168 if (!BN_GF2m_mod_sqr_arr(w, z, p, ctx))
1169 goto err;
1170 if (!BN_GF2m_add(w, z, w))
1171 goto err;
1172 if (BN_GF2m_cmp(w, a)) {
1173 BNerror(BN_R_NO_SOLUTION);
1174 goto err;
1175 }
1176
1177 if (!bn_copy(r, z))
1178 goto err;
1179
1180 ret = 1;
1181
1182err:
1183 BN_CTX_end(ctx);
1184 return ret;
1185}
1186
1187/* Find r such that r^2 + r = a mod p. r could be a. If no r exists returns 0.
1188 *
1189 * This function calls down to the BN_GF2m_mod_solve_quad_arr implementation; this wrapper
1190 * function is only provided for convenience; for best performance, use the
1191 * BN_GF2m_mod_solve_quad_arr function.
1192 */
1193int
1194BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
1195{
1196 int ret = 0;
1197 const int max = BN_num_bits(p) + 1;
1198 int *arr = NULL;
1199
1200 if ((arr = reallocarray(NULL, max, sizeof(int))) == NULL)
1201 goto err;
1202 ret = BN_GF2m_poly2arr(p, arr, max);
1203 if (!ret || ret > max) {
1204 BNerror(BN_R_INVALID_LENGTH);
1205 goto err;
1206 }
1207 ret = BN_GF2m_mod_solve_quad_arr(r, a, arr, ctx);
1208
1209err:
1210 free(arr);
1211 return ret;
1212}
1213
1214/* Convert the bit-string representation of a polynomial
1215 * ( \sum_{i=0}^n a_i * x^i) into an array of integers corresponding
1216 * to the bits with non-zero coefficient. Array is terminated with -1.
1217 * Up to max elements of the array will be filled. Return value is total
1218 * number of array elements that would be filled if array was large enough.
1219 */
1220int
1221BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
1222{
1223 int i, j, k = 0;
1224 BN_ULONG mask;
1225
1226 if (BN_is_zero(a))
1227 return 0;
1228
1229 for (i = a->top - 1; i >= 0; i--) {
1230 if (!a->d[i])
1231 /* skip word if a->d[i] == 0 */
1232 continue;
1233 mask = BN_TBIT;
1234 for (j = BN_BITS2 - 1; j >= 0; j--) {
1235 if (a->d[i] & mask) {
1236 if (k < max)
1237 p[k] = BN_BITS2 * i + j;
1238 k++;
1239 }
1240 mask >>= 1;
1241 }
1242 }
1243
1244 if (k < max)
1245 p[k] = -1;
1246 k++;
1247
1248 return k;
1249}
1250
1251/* Convert the coefficient array representation of a polynomial to a
1252 * bit-string. The array must be terminated by -1.
1253 */
1254int
1255BN_GF2m_arr2poly(const int p[], BIGNUM *a)
1256{
1257 int i;
1258
1259 BN_zero(a);
1260 for (i = 0; p[i] != -1; i++) {
1261 if (BN_set_bit(a, p[i]) == 0)
1262 return 0;
1263 }
1264
1265 return 1;
1266}
1267
1268#endif
diff --git a/src/lib/libcrypto/ec/ec.h b/src/lib/libcrypto/ec/ec.h
index a0dbbe6ce7..1afbe0ad16 100644
--- a/src/lib/libcrypto/ec/ec.h
+++ b/src/lib/libcrypto/ec/ec.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec.h,v 1.37 2023/04/25 19:28:22 tb Exp $ */ 1/* $OpenBSD: ec.h,v 1.38 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller for the OpenSSL project. 3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */ 4 */
@@ -143,18 +143,6 @@ const EC_METHOD *EC_GFp_simple_method(void);
143 */ 143 */
144const EC_METHOD *EC_GFp_mont_method(void); 144const EC_METHOD *EC_GFp_mont_method(void);
145 145
146#ifndef OPENSSL_NO_EC2M
147/********************************************************************/
148/* EC_METHOD for curves over GF(2^m) */
149/********************************************************************/
150
151/** Returns the basic GF2m ec method
152 * \return EC_METHOD object
153 */
154const EC_METHOD *EC_GF2m_simple_method(void);
155
156#endif
157
158 146
159/********************************************************************/ 147/********************************************************************/
160/* EC_GROUP functions */ 148/* EC_GROUP functions */
@@ -284,28 +272,6 @@ int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, co
284 * \return 1 on success and 0 if an error occurred 272 * \return 1 on success and 0 if an error occurred
285 */ 273 */
286int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); 274int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
287
288#ifndef OPENSSL_NO_EC2M
289/** Sets the parameter of a ec over GF2m defined by y^2 + x*y = x^3 + a*x^2 + b
290 * \param group EC_GROUP object
291 * \param p BIGNUM with the polynomial defining the underlying field
292 * \param a BIGNUM with parameter a of the equation
293 * \param b BIGNUM with parameter b of the equation
294 * \param ctx BN_CTX object (optional)
295 * \return 1 on success and 0 if an error occurred
296 */
297int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
298
299/** Gets the parameter of the ec over GF2m defined by y^2 + x*y = x^3 + a*x^2 + b
300 * \param group EC_GROUP object
301 * \param p BIGNUM for the polynomial defining the underlying field
302 * \param a BIGNUM for parameter a of the equation
303 * \param b BIGNUM for parameter b of the equation
304 * \param ctx BN_CTX object (optional)
305 * \return 1 on success and 0 if an error occurred
306 */
307int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
308#endif
309#endif 275#endif
310 276
311/** Returns the number of bits needed to represent a field element 277/** Returns the number of bits needed to represent a field element
@@ -348,17 +314,6 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx);
348 * \return newly created EC_GROUP object with the specified parameters 314 * \return newly created EC_GROUP object with the specified parameters
349 */ 315 */
350EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); 316EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
351#ifndef OPENSSL_NO_EC2M
352/** Creates a new EC_GROUP object with the specified parameters defined
353 * over GF2m (defined by the equation y^2 + x*y = x^3 + a*x^2 + b)
354 * \param p BIGNUM with the polynomial defining the underlying field
355 * \param a BIGNUM with the parameter a of the equation
356 * \param b BIGNUM with the parameter b of the equation
357 * \param ctx BN_CTX object (optional)
358 * \return newly created EC_GROUP object with the specified parameters
359 */
360EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
361#endif
362/** Creates a EC_GROUP object with a curve specified by a NID 317/** Creates a EC_GROUP object with a curve specified by a NID
363 * \param nid NID of the OID of the curve name 318 * \param nid NID of the OID of the curve name
364 * \return newly created EC_GROUP object with specified curve or NULL 319 * \return newly created EC_GROUP object with specified curve or NULL
@@ -507,41 +462,6 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
507 */ 462 */
508int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, 463int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
509 const BIGNUM *x, int y_bit, BN_CTX *ctx); 464 const BIGNUM *x, int y_bit, BN_CTX *ctx);
510
511#ifndef OPENSSL_NO_EC2M
512/** Sets the affine coordinates of a EC_POINT over GF2m
513 * \param group underlying EC_GROUP object
514 * \param p EC_POINT object
515 * \param x BIGNUM with the x-coordinate
516 * \param y BIGNUM with the y-coordinate
517 * \param ctx BN_CTX object (optional)
518 * \return 1 on success and 0 if an error occurred
519 */
520int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
521 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);
522
523/** Gets the affine coordinates of a EC_POINT over GF2m
524 * \param group underlying EC_GROUP object
525 * \param p EC_POINT object
526 * \param x BIGNUM for the x-coordinate
527 * \param y BIGNUM for the y-coordinate
528 * \param ctx BN_CTX object (optional)
529 * \return 1 on success and 0 if an error occurred
530 */
531int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
532 const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
533
534/** Sets the x9.62 compressed coordinates of a EC_POINT over GF2m
535 * \param group underlying EC_GROUP object
536 * \param p EC_POINT object
537 * \param x BIGNUM with x-coordinate
538 * \param y_bit integer with the y-Bit (either 0 or 1)
539 * \param ctx BN_CTX object (optional)
540 * \return 1 on success and 0 if an error occurred
541 */
542int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
543 const BIGNUM *x, int y_bit, BN_CTX *ctx);
544#endif /* OPENSSL_NO_EC2M */
545#endif /* !LIBRESSL_INTERNAL */ 465#endif /* !LIBRESSL_INTERNAL */
546 466
547/** Encodes a EC_POINT object to a octet string 467/** Encodes a EC_POINT object to a octet string
@@ -682,11 +602,6 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *group);
682/* EC_GROUP_get_basis_type() returns the NID of the basis type 602/* EC_GROUP_get_basis_type() returns the NID of the basis type
683 * used to represent the field elements */ 603 * used to represent the field elements */
684int EC_GROUP_get_basis_type(const EC_GROUP *); 604int EC_GROUP_get_basis_type(const EC_GROUP *);
685#ifndef OPENSSL_NO_EC2M
686int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k);
687int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1,
688 unsigned int *k2, unsigned int *k3);
689#endif
690 605
691#define OPENSSL_EC_EXPLICIT_CURVE 0x000 606#define OPENSSL_EC_EXPLICIT_CURVE 0x000
692#define OPENSSL_EC_NAMED_CURVE 0x001 607#define OPENSSL_EC_NAMED_CURVE 0x001
diff --git a/src/lib/libcrypto/ec/ec2_mult.c b/src/lib/libcrypto/ec/ec2_mult.c
deleted file mode 100644
index d7cbd933f2..0000000000
--- a/src/lib/libcrypto/ec/ec2_mult.c
+++ /dev/null
@@ -1,449 +0,0 @@
1/* $OpenBSD: ec2_mult.c,v 1.17 2023/04/11 18:58:20 jsing Exp $ */
2/* ====================================================================
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4 *
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7 * to the OpenSSL project.
8 *
9 * The ECC Code is licensed pursuant to the OpenSSL open source
10 * license provided below.
11 *
12 * The software is originally written by Sheueling Chang Shantz and
13 * Douglas Stebila of Sun Microsystems Laboratories.
14 *
15 */
16/* ====================================================================
17 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
18 *
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
21 * are met:
22 *
23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer.
25 *
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in
28 * the documentation and/or other materials provided with the
29 * distribution.
30 *
31 * 3. All advertising materials mentioning features or use of this
32 * software must display the following acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
35 *
36 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
37 * endorse or promote products derived from this software without
38 * prior written permission. For written permission, please contact
39 * openssl-core@openssl.org.
40 *
41 * 5. Products derived from this software may not be called "OpenSSL"
42 * nor may "OpenSSL" appear in their names without prior written
43 * permission of the OpenSSL Project.
44 *
45 * 6. Redistributions of any form whatsoever must retain the following
46 * acknowledgment:
47 * "This product includes software developed by the OpenSSL Project
48 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
49 *
50 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
51 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
53 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
54 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
55 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
56 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
59 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
60 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
61 * OF THE POSSIBILITY OF SUCH DAMAGE.
62 * ====================================================================
63 *
64 * This product includes cryptographic software written by Eric Young
65 * (eay@cryptsoft.com). This product includes software written by Tim
66 * Hudson (tjh@cryptsoft.com).
67 *
68 */
69
70#include <openssl/opensslconf.h>
71
72#include <openssl/err.h>
73
74#include "bn_local.h"
75#include "ec_local.h"
76
77#ifndef OPENSSL_NO_EC2M
78
79
80/* Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery projective
81 * coordinates.
82 * Uses algorithm Mdouble in appendix of
83 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
84 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
85 * modified to not require precomputation of c=b^{2^{m-1}}.
86 */
87static int
88gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx)
89{
90 BIGNUM *t1;
91 int ret = 0;
92
93 /* Since Mdouble is static we can guarantee that ctx != NULL. */
94 BN_CTX_start(ctx);
95 if ((t1 = BN_CTX_get(ctx)) == NULL)
96 goto err;
97
98 if (!group->meth->field_sqr(group, x, x, ctx))
99 goto err;
100 if (!group->meth->field_sqr(group, t1, z, ctx))
101 goto err;
102 if (!group->meth->field_mul(group, z, x, t1, ctx))
103 goto err;
104 if (!group->meth->field_sqr(group, x, x, ctx))
105 goto err;
106 if (!group->meth->field_sqr(group, t1, t1, ctx))
107 goto err;
108 if (!group->meth->field_mul(group, t1, &group->b, t1, ctx))
109 goto err;
110 if (!BN_GF2m_add(x, x, t1))
111 goto err;
112
113 ret = 1;
114
115 err:
116 BN_CTX_end(ctx);
117 return ret;
118}
119
120/* Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in Montgomery
121 * projective coordinates.
122 * Uses algorithm Madd in appendix of
123 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
124 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
125 */
126static int
127gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1,
128 const BIGNUM *x2, const BIGNUM *z2, BN_CTX *ctx)
129{
130 BIGNUM *t1, *t2;
131 int ret = 0;
132
133 /* Since Madd is static we can guarantee that ctx != NULL. */
134 BN_CTX_start(ctx);
135 if ((t1 = BN_CTX_get(ctx)) == NULL)
136 goto err;
137 if ((t2 = BN_CTX_get(ctx)) == NULL)
138 goto err;
139
140 if (!bn_copy(t1, x))
141 goto err;
142 if (!group->meth->field_mul(group, x1, x1, z2, ctx))
143 goto err;
144 if (!group->meth->field_mul(group, z1, z1, x2, ctx))
145 goto err;
146 if (!group->meth->field_mul(group, t2, x1, z1, ctx))
147 goto err;
148 if (!BN_GF2m_add(z1, z1, x1))
149 goto err;
150 if (!group->meth->field_sqr(group, z1, z1, ctx))
151 goto err;
152 if (!group->meth->field_mul(group, x1, z1, t1, ctx))
153 goto err;
154 if (!BN_GF2m_add(x1, x1, t2))
155 goto err;
156
157 ret = 1;
158
159 err:
160 BN_CTX_end(ctx);
161 return ret;
162}
163
164/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2)
165 * using Montgomery point multiplication algorithm Mxy() in appendix of
166 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
167 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
168 * Returns:
169 * 0 on error
170 * 1 if return value should be the point at infinity
171 * 2 otherwise
172 */
173static int
174gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1,
175 BIGNUM *z1, BIGNUM *x2, BIGNUM *z2, BN_CTX *ctx)
176{
177 BIGNUM *t3, *t4, *t5;
178 int ret = 0;
179
180 if (BN_is_zero(z1)) {
181 BN_zero(x2);
182 BN_zero(z2);
183 return 1;
184 }
185 if (BN_is_zero(z2)) {
186 if (!bn_copy(x2, x))
187 return 0;
188 if (!BN_GF2m_add(z2, x, y))
189 return 0;
190 return 2;
191 }
192 /* Since Mxy is static we can guarantee that ctx != NULL. */
193 BN_CTX_start(ctx);
194 if ((t3 = BN_CTX_get(ctx)) == NULL)
195 goto err;
196 if ((t4 = BN_CTX_get(ctx)) == NULL)
197 goto err;
198 if ((t5 = BN_CTX_get(ctx)) == NULL)
199 goto err;
200
201 if (!BN_one(t5))
202 goto err;
203
204 if (!group->meth->field_mul(group, t3, z1, z2, ctx))
205 goto err;
206
207 if (!group->meth->field_mul(group, z1, z1, x, ctx))
208 goto err;
209 if (!BN_GF2m_add(z1, z1, x1))
210 goto err;
211 if (!group->meth->field_mul(group, z2, z2, x, ctx))
212 goto err;
213 if (!group->meth->field_mul(group, x1, z2, x1, ctx))
214 goto err;
215 if (!BN_GF2m_add(z2, z2, x2))
216 goto err;
217
218 if (!group->meth->field_mul(group, z2, z2, z1, ctx))
219 goto err;
220 if (!group->meth->field_sqr(group, t4, x, ctx))
221 goto err;
222 if (!BN_GF2m_add(t4, t4, y))
223 goto err;
224 if (!group->meth->field_mul(group, t4, t4, t3, ctx))
225 goto err;
226 if (!BN_GF2m_add(t4, t4, z2))
227 goto err;
228
229 if (!group->meth->field_mul(group, t3, t3, x, ctx))
230 goto err;
231 if (!group->meth->field_div(group, t3, t5, t3, ctx))
232 goto err;
233 if (!group->meth->field_mul(group, t4, t3, t4, ctx))
234 goto err;
235 if (!group->meth->field_mul(group, x2, x1, t3, ctx))
236 goto err;
237 if (!BN_GF2m_add(z2, x2, x))
238 goto err;
239
240 if (!group->meth->field_mul(group, z2, z2, t4, ctx))
241 goto err;
242 if (!BN_GF2m_add(z2, z2, y))
243 goto err;
244
245 ret = 2;
246
247 err:
248 BN_CTX_end(ctx);
249 return ret;
250}
251
252
253/* Computes scalar*point and stores the result in r.
254 * point can not equal r.
255 * Uses a modified algorithm 2P of
256 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
257 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
258 *
259 * To protect against side-channel attack the function uses constant time swap,
260 * avoiding conditional branches.
261 */
262static int
263ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
264 const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx)
265{
266 BIGNUM *x1, *x2, *z1, *z2;
267 int ret = 0, i;
268 BN_ULONG mask, word;
269
270 if (r == point) {
271 ECerror(EC_R_INVALID_ARGUMENT);
272 return 0;
273 }
274 /* if result should be point at infinity */
275 if ((scalar == NULL) || BN_is_zero(scalar) || (point == NULL) ||
276 EC_POINT_is_at_infinity(group, point) > 0) {
277 return EC_POINT_set_to_infinity(group, r);
278 }
279 /* only support affine coordinates */
280 if (!point->Z_is_one)
281 return 0;
282
283 /* Since point_multiply is static we can guarantee that ctx != NULL. */
284 BN_CTX_start(ctx);
285 if ((x1 = BN_CTX_get(ctx)) == NULL)
286 goto err;
287 if ((z1 = BN_CTX_get(ctx)) == NULL)
288 goto err;
289
290 x2 = &r->X;
291 z2 = &r->Y;
292
293 if (!bn_wexpand(x1, group->field.top))
294 goto err;
295 if (!bn_wexpand(z1, group->field.top))
296 goto err;
297 if (!bn_wexpand(x2, group->field.top))
298 goto err;
299 if (!bn_wexpand(z2, group->field.top))
300 goto err;
301
302 if (!BN_GF2m_mod_arr(x1, &point->X, group->poly))
303 goto err; /* x1 = x */
304 if (!BN_one(z1))
305 goto err; /* z1 = 1 */
306 if (!group->meth->field_sqr(group, z2, x1, ctx))
307 goto err; /* z2 = x1^2 = x^2 */
308 if (!group->meth->field_sqr(group, x2, z2, ctx))
309 goto err;
310 if (!BN_GF2m_add(x2, x2, &group->b))
311 goto err; /* x2 = x^4 + b */
312
313 /* find top most bit and go one past it */
314 i = scalar->top - 1;
315 mask = BN_TBIT;
316 word = scalar->d[i];
317 while (!(word & mask))
318 mask >>= 1;
319 mask >>= 1;
320 /* if top most bit was at word break, go to next word */
321 if (!mask) {
322 i--;
323 mask = BN_TBIT;
324 }
325 for (; i >= 0; i--) {
326 word = scalar->d[i];
327 while (mask) {
328 if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
329 goto err;
330 if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
331 goto err;
332 if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
333 goto err;
334 if (!gf2m_Mdouble(group, x1, z1, ctx))
335 goto err;
336 if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
337 goto err;
338 if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
339 goto err;
340 mask >>= 1;
341 }
342 mask = BN_TBIT;
343 }
344
345 /* convert out of "projective" coordinates */
346 i = gf2m_Mxy(group, &point->X, &point->Y, x1, z1, x2, z2, ctx);
347 if (i == 0)
348 goto err;
349 else if (i == 1) {
350 if (!EC_POINT_set_to_infinity(group, r))
351 goto err;
352 } else {
353 if (!BN_one(&r->Z))
354 goto err;
355 r->Z_is_one = 1;
356 }
357
358 /* GF(2^m) field elements should always have BIGNUM::neg = 0 */
359 BN_set_negative(&r->X, 0);
360 BN_set_negative(&r->Y, 0);
361
362 ret = 1;
363
364 err:
365 BN_CTX_end(ctx);
366 return ret;
367}
368
369
370/* Computes the sum
371 * scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1]
372 * gracefully ignoring NULL scalar values.
373 */
374int
375ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
376 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
377{
378 EC_POINT *p = NULL;
379 EC_POINT *acc = NULL;
380 size_t i;
381 int ret = 0;
382
383 /*
384 * This implementation is more efficient than the wNAF implementation
385 * for 2 or fewer points. Use the ec_wNAF_mul implementation for 3
386 * or more points, or if we can perform a fast multiplication based
387 * on precomputation.
388 */
389 if ((scalar && (num > 1)) || (num > 2) ||
390 (num == 0 && EC_GROUP_have_precompute_mult(group))) {
391 ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
392 goto err;
393 }
394 if ((p = EC_POINT_new(group)) == NULL)
395 goto err;
396 if ((acc = EC_POINT_new(group)) == NULL)
397 goto err;
398
399 if (!EC_POINT_set_to_infinity(group, acc))
400 goto err;
401
402 if (scalar) {
403 if (!ec_GF2m_montgomery_point_multiply(group, p, scalar, group->generator, ctx))
404 goto err;
405 if (BN_is_negative(scalar))
406 if (!group->meth->invert(group, p, ctx))
407 goto err;
408 if (!group->meth->add(group, acc, acc, p, ctx))
409 goto err;
410 }
411 for (i = 0; i < num; i++) {
412 if (!ec_GF2m_montgomery_point_multiply(group, p, scalars[i], points[i], ctx))
413 goto err;
414 if (BN_is_negative(scalars[i]))
415 if (!group->meth->invert(group, p, ctx))
416 goto err;
417 if (!group->meth->add(group, acc, acc, p, ctx))
418 goto err;
419 }
420
421 if (!EC_POINT_copy(r, acc))
422 goto err;
423
424 ret = 1;
425
426 err:
427 EC_POINT_free(p);
428 EC_POINT_free(acc);
429
430 return ret;
431}
432
433
434/* Precomputation for point multiplication: fall back to wNAF methods
435 * because ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate */
436
437int
438ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
439{
440 return ec_wNAF_precompute_mult(group, ctx);
441}
442
443int
444ec_GF2m_have_precompute_mult(const EC_GROUP *group)
445{
446 return ec_wNAF_have_precompute_mult(group);
447}
448
449#endif
diff --git a/src/lib/libcrypto/ec/ec2_oct.c b/src/lib/libcrypto/ec/ec2_oct.c
deleted file mode 100644
index 6cb7259824..0000000000
--- a/src/lib/libcrypto/ec/ec2_oct.c
+++ /dev/null
@@ -1,402 +0,0 @@
1/* $OpenBSD: ec2_oct.c,v 1.20 2023/04/11 18:58:20 jsing Exp $ */
2/* ====================================================================
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4 *
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7 * to the OpenSSL project.
8 *
9 * The ECC Code is licensed pursuant to the OpenSSL open source
10 * license provided below.
11 *
12 * The software is originally written by Sheueling Chang Shantz and
13 * Douglas Stebila of Sun Microsystems Laboratories.
14 *
15 */
16/* ====================================================================
17 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
18 *
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
21 * are met:
22 *
23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer.
25 *
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in
28 * the documentation and/or other materials provided with the
29 * distribution.
30 *
31 * 3. All advertising materials mentioning features or use of this
32 * software must display the following acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
35 *
36 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
37 * endorse or promote products derived from this software without
38 * prior written permission. For written permission, please contact
39 * openssl-core@openssl.org.
40 *
41 * 5. Products derived from this software may not be called "OpenSSL"
42 * nor may "OpenSSL" appear in their names without prior written
43 * permission of the OpenSSL Project.
44 *
45 * 6. Redistributions of any form whatsoever must retain the following
46 * acknowledgment:
47 * "This product includes software developed by the OpenSSL Project
48 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
49 *
50 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
51 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
53 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
54 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
55 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
56 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
59 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
60 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
61 * OF THE POSSIBILITY OF SUCH DAMAGE.
62 * ====================================================================
63 *
64 * This product includes cryptographic software written by Eric Young
65 * (eay@cryptsoft.com). This product includes software written by Tim
66 * Hudson (tjh@cryptsoft.com).
67 *
68 */
69
70#include <openssl/opensslconf.h>
71
72#include <openssl/err.h>
73
74#include "ec_local.h"
75
76#ifndef OPENSSL_NO_EC2M
77
78/* Calculates and sets the affine coordinates of an EC_POINT from the given
79 * compressed coordinates. Uses algorithm 2.3.4 of SEC 1.
80 * Note that the simple implementation only uses affine coordinates.
81 *
82 * The method is from the following publication:
83 *
84 * Harper, Menezes, Vanstone:
85 * "Public-Key Cryptosystems with Very Small Key Lengths",
86 * EUROCRYPT '92, Springer-Verlag LNCS 658,
87 * published February 1993
88 *
89 * US Patents 6,141,420 and 6,618,483 (Vanstone, Mullin, Agnew) describe
90 * the same method, but claim no priority date earlier than July 29, 1994
91 * (and additionally fail to cite the EUROCRYPT '92 publication as prior art).
92 */
93int
94ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
95 const BIGNUM *x_, int y_bit, BN_CTX *ctx)
96{
97 BIGNUM *tmp, *x, *y, *z;
98 int z0;
99 int ret = 0;
100
101 /* clear error queue */
102 ERR_clear_error();
103
104 y_bit = (y_bit != 0) ? 1 : 0;
105
106 BN_CTX_start(ctx);
107
108 if ((tmp = BN_CTX_get(ctx)) == NULL)
109 goto err;
110 if ((x = BN_CTX_get(ctx)) == NULL)
111 goto err;
112 if ((y = BN_CTX_get(ctx)) == NULL)
113 goto err;
114 if ((z = BN_CTX_get(ctx)) == NULL)
115 goto err;
116
117 if (!BN_GF2m_mod_arr(x, x_, group->poly))
118 goto err;
119 if (BN_is_zero(x)) {
120 if (y_bit != 0) {
121 ECerror(EC_R_INVALID_COMPRESSED_POINT);
122 goto err;
123 }
124 if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx))
125 goto err;
126 } else {
127 if (!group->meth->field_sqr(group, tmp, x, ctx))
128 goto err;
129 if (!group->meth->field_div(group, tmp, &group->b, tmp, ctx))
130 goto err;
131 if (!BN_GF2m_add(tmp, &group->a, tmp))
132 goto err;
133 if (!BN_GF2m_add(tmp, x, tmp))
134 goto err;
135 if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx)) {
136 unsigned long err = ERR_peek_last_error();
137
138 if (ERR_GET_LIB(err) == ERR_LIB_BN &&
139 ERR_GET_REASON(err) == BN_R_NO_SOLUTION) {
140 ERR_clear_error();
141 ECerror(EC_R_INVALID_COMPRESSED_POINT);
142 } else
143 ECerror(ERR_R_BN_LIB);
144 goto err;
145 }
146 z0 = (BN_is_odd(z)) ? 1 : 0;
147 if (!group->meth->field_mul(group, y, x, z, ctx))
148 goto err;
149 if (z0 != y_bit) {
150 if (!BN_GF2m_add(y, y, x))
151 goto err;
152 }
153 }
154
155 if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
156 goto err;
157
158 ret = 1;
159
160 err:
161 BN_CTX_end(ctx);
162
163 return ret;
164}
165
166
167/* Converts an EC_POINT to an octet string.
168 * If buf is NULL, the encoded length will be returned.
169 * If the length len of buf is smaller than required an error will be returned.
170 */
171size_t
172ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point,
173 point_conversion_form_t form,
174 unsigned char *buf, size_t len, BN_CTX *ctx)
175{
176 BIGNUM *x, *y, *yxi;
177 size_t field_len, i, skip;
178 size_t ret;
179
180 if (form != POINT_CONVERSION_COMPRESSED &&
181 form != POINT_CONVERSION_UNCOMPRESSED &&
182 form != POINT_CONVERSION_HYBRID) {
183 ECerror(EC_R_INVALID_FORM);
184 return 0;
185 }
186
187 if (EC_POINT_is_at_infinity(group, point) > 0) {
188 /* encodes to a single 0 octet */
189 if (buf != NULL) {
190 if (len < 1) {
191 ECerror(EC_R_BUFFER_TOO_SMALL);
192 return 0;
193 }
194 buf[0] = 0;
195 }
196 return 1;
197 }
198
199 BN_CTX_start(ctx);
200
201 /* ret := required output buffer length */
202 field_len = (EC_GROUP_get_degree(group) + 7) / 8;
203 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len :
204 1 + 2 * field_len;
205
206 /* if 'buf' is NULL, just return required length */
207 if (buf != NULL) {
208 if (len < ret) {
209 ECerror(EC_R_BUFFER_TOO_SMALL);
210 goto err;
211 }
212
213 if ((x = BN_CTX_get(ctx)) == NULL)
214 goto err;
215 if ((y = BN_CTX_get(ctx)) == NULL)
216 goto err;
217 if ((yxi = BN_CTX_get(ctx)) == NULL)
218 goto err;
219
220 if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
221 goto err;
222
223 buf[0] = form;
224 if ((form != POINT_CONVERSION_UNCOMPRESSED) && !BN_is_zero(x)) {
225 if (!group->meth->field_div(group, yxi, y, x, ctx))
226 goto err;
227 if (BN_is_odd(yxi))
228 buf[0]++;
229 }
230 i = 1;
231
232 skip = field_len - BN_num_bytes(x);
233 if (skip > field_len) {
234 ECerror(ERR_R_INTERNAL_ERROR);
235 goto err;
236 }
237 while (skip > 0) {
238 buf[i++] = 0;
239 skip--;
240 }
241 skip = BN_bn2bin(x, buf + i);
242 i += skip;
243 if (i != 1 + field_len) {
244 ECerror(ERR_R_INTERNAL_ERROR);
245 goto err;
246 }
247 if (form == POINT_CONVERSION_UNCOMPRESSED ||
248 form == POINT_CONVERSION_HYBRID) {
249 skip = field_len - BN_num_bytes(y);
250 if (skip > field_len) {
251 ECerror(ERR_R_INTERNAL_ERROR);
252 goto err;
253 }
254 while (skip > 0) {
255 buf[i++] = 0;
256 skip--;
257 }
258 skip = BN_bn2bin(y, buf + i);
259 i += skip;
260 }
261 if (i != ret) {
262 ECerror(ERR_R_INTERNAL_ERROR);
263 goto err;
264 }
265 }
266
267 err:
268 BN_CTX_end(ctx);
269
270 return ret;
271}
272
273/*
274 * Converts an octet string representation to an EC_POINT.
275 * Note that the simple implementation only uses affine coordinates.
276 */
277int
278ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
279 const unsigned char *buf, size_t len, BN_CTX *ctx)
280{
281 point_conversion_form_t form;
282 int y_bit;
283 BIGNUM *x, *y, *yxi;
284 size_t field_len, enc_len;
285 int ret = 0;
286
287 if (len == 0) {
288 ECerror(EC_R_BUFFER_TOO_SMALL);
289 return 0;
290 }
291
292 /*
293 * The first octet is the point conversion octet PC, see X9.62, page 4
294 * and section 4.4.2. It must be:
295 * 0x00 for the point at infinity
296 * 0x02 or 0x03 for compressed form
297 * 0x04 for uncompressed form
298 * 0x06 or 0x07 for hybrid form.
299 * For compressed or hybrid forms, we store the last bit of buf[0] as
300 * y_bit and clear it from buf[0] so as to obtain a POINT_CONVERSION_*.
301 * We error if buf[0] contains any but the above values.
302 */
303 y_bit = buf[0] & 1;
304 form = buf[0] & ~1U;
305
306 if (form != 0 && form != POINT_CONVERSION_COMPRESSED &&
307 form != POINT_CONVERSION_UNCOMPRESSED &&
308 form != POINT_CONVERSION_HYBRID) {
309 ECerror(EC_R_INVALID_ENCODING);
310 return 0;
311 }
312 if (form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) {
313 if (y_bit != 0) {
314 ECerror(EC_R_INVALID_ENCODING);
315 return 0;
316 }
317 }
318
319 /* The point at infinity is represented by a single zero octet. */
320 if (form == 0) {
321 if (len != 1) {
322 ECerror(EC_R_INVALID_ENCODING);
323 return 0;
324 }
325 return EC_POINT_set_to_infinity(group, point);
326 }
327
328 field_len = (EC_GROUP_get_degree(group) + 7) / 8;
329 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len :
330 1 + 2 * field_len;
331
332 if (len != enc_len) {
333 ECerror(EC_R_INVALID_ENCODING);
334 return 0;
335 }
336
337 BN_CTX_start(ctx);
338
339 if ((x = BN_CTX_get(ctx)) == NULL)
340 goto err;
341 if ((y = BN_CTX_get(ctx)) == NULL)
342 goto err;
343 if ((yxi = BN_CTX_get(ctx)) == NULL)
344 goto err;
345
346 if (!BN_bin2bn(buf + 1, field_len, x))
347 goto err;
348 if (BN_ucmp(x, &group->field) >= 0) {
349 ECerror(EC_R_INVALID_ENCODING);
350 goto err;
351 }
352 if (form == POINT_CONVERSION_COMPRESSED) {
353 /*
354 * EC_POINT_set_compressed_coordinates checks that the
355 * point is on the curve as required by X9.62.
356 */
357 if (!EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx))
358 goto err;
359 } else {
360 if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
361 goto err;
362 if (BN_ucmp(y, &group->field) >= 0) {
363 ECerror(EC_R_INVALID_ENCODING);
364 goto err;
365 }
366 if (form == POINT_CONVERSION_HYBRID) {
367 /*
368 * Check that the form in the encoding was set
369 * correctly according to X9.62 4.4.2.a, 4(c),
370 * see also first paragraph of X9.62 4.4.1.b.
371 */
372 if (BN_is_zero(x)) {
373 if (y_bit != 0) {
374 ECerror(EC_R_INVALID_ENCODING);
375 goto err;
376 }
377 } else {
378 if (!group->meth->field_div(group, yxi, y, x,
379 ctx))
380 goto err;
381 if (y_bit != BN_is_odd(yxi)) {
382 ECerror(EC_R_INVALID_ENCODING);
383 goto err;
384 }
385 }
386 }
387 /*
388 * EC_POINT_set_affine_coordinates checks that the
389 * point is on the curve as required by X9.62.
390 */
391 if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
392 goto err;
393 }
394
395 ret = 1;
396
397 err:
398 BN_CTX_end(ctx);
399
400 return ret;
401}
402#endif
diff --git a/src/lib/libcrypto/ec/ec2_smpl.c b/src/lib/libcrypto/ec/ec2_smpl.c
deleted file mode 100644
index 850159cb25..0000000000
--- a/src/lib/libcrypto/ec/ec2_smpl.c
+++ /dev/null
@@ -1,723 +0,0 @@
1/* $OpenBSD: ec2_smpl.c,v 1.35 2023/04/11 18:58:20 jsing Exp $ */
2/* ====================================================================
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4 *
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7 * to the OpenSSL project.
8 *
9 * The ECC Code is licensed pursuant to the OpenSSL open source
10 * license provided below.
11 *
12 * The software is originally written by Sheueling Chang Shantz and
13 * Douglas Stebila of Sun Microsystems Laboratories.
14 *
15 */
16/* ====================================================================
17 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
18 *
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
21 * are met:
22 *
23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer.
25 *
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in
28 * the documentation and/or other materials provided with the
29 * distribution.
30 *
31 * 3. All advertising materials mentioning features or use of this
32 * software must display the following acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
35 *
36 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
37 * endorse or promote products derived from this software without
38 * prior written permission. For written permission, please contact
39 * openssl-core@openssl.org.
40 *
41 * 5. Products derived from this software may not be called "OpenSSL"
42 * nor may "OpenSSL" appear in their names without prior written
43 * permission of the OpenSSL Project.
44 *
45 * 6. Redistributions of any form whatsoever must retain the following
46 * acknowledgment:
47 * "This product includes software developed by the OpenSSL Project
48 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
49 *
50 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
51 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
53 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
54 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
55 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
56 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
59 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
60 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
61 * OF THE POSSIBILITY OF SUCH DAMAGE.
62 * ====================================================================
63 *
64 * This product includes cryptographic software written by Eric Young
65 * (eay@cryptsoft.com). This product includes software written by Tim
66 * Hudson (tjh@cryptsoft.com).
67 *
68 */
69
70#include <openssl/opensslconf.h>
71
72#include <openssl/err.h>
73
74#include "ec_local.h"
75
76#ifndef OPENSSL_NO_EC2M
77
78/*
79 * Initialize a GF(2^m)-based EC_GROUP structure.
80 * Note that all other members are handled by EC_GROUP_new.
81 */
82static int
83ec_GF2m_simple_group_init(EC_GROUP *group)
84{
85 BN_init(&group->field);
86 BN_init(&group->a);
87 BN_init(&group->b);
88 return 1;
89}
90
91/*
92 * Clear and free a GF(2^m)-based EC_GROUP structure.
93 * Note that all other members are handled by EC_GROUP_free.
94 */
95static void
96ec_GF2m_simple_group_finish(EC_GROUP *group)
97{
98 BN_free(&group->field);
99 BN_free(&group->a);
100 BN_free(&group->b);
101 group->poly[0] = 0;
102 group->poly[1] = 0;
103 group->poly[2] = 0;
104 group->poly[3] = 0;
105 group->poly[4] = 0;
106 group->poly[5] = -1;
107}
108
109/*
110 * Copy a GF(2^m)-based EC_GROUP structure.
111 * Note that all other members are handled by EC_GROUP_copy.
112 */
113static int
114ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
115{
116 int i;
117
118 if (!bn_copy(&dest->field, &src->field))
119 return 0;
120 if (!bn_copy(&dest->a, &src->a))
121 return 0;
122 if (!bn_copy(&dest->b, &src->b))
123 return 0;
124 dest->poly[0] = src->poly[0];
125 dest->poly[1] = src->poly[1];
126 dest->poly[2] = src->poly[2];
127 dest->poly[3] = src->poly[3];
128 dest->poly[4] = src->poly[4];
129 dest->poly[5] = src->poly[5];
130 if (!bn_expand(&dest->a, dest->poly[0]))
131 return 0;
132 if (!bn_expand(&dest->b, dest->poly[0]))
133 return 0;
134 for (i = dest->a.top; i < dest->a.dmax; i++)
135 dest->a.d[i] = 0;
136 for (i = dest->b.top; i < dest->b.dmax; i++)
137 dest->b.d[i] = 0;
138 return 1;
139}
140
141/* Set the curve parameters of an EC_GROUP structure. */
142static int
143ec_GF2m_simple_group_set_curve(EC_GROUP *group,
144 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
145{
146 int ret = 0, i;
147
148 /* group->field */
149 if (!bn_copy(&group->field, p))
150 goto err;
151 i = BN_GF2m_poly2arr(&group->field, group->poly, 6) - 1;
152 if ((i != 5) && (i != 3)) {
153 ECerror(EC_R_UNSUPPORTED_FIELD);
154 goto err;
155 }
156 /* group->a */
157 if (!BN_GF2m_mod_arr(&group->a, a, group->poly))
158 goto err;
159 if (!bn_expand(&group->a, group->poly[0]))
160 goto err;
161 for (i = group->a.top; i < group->a.dmax; i++)
162 group->a.d[i] = 0;
163
164 /* group->b */
165 if (!BN_GF2m_mod_arr(&group->b, b, group->poly))
166 goto err;
167 if (!bn_expand(&group->b, group->poly[0]))
168 goto err;
169 for (i = group->b.top; i < group->b.dmax; i++)
170 group->b.d[i] = 0;
171
172 ret = 1;
173 err:
174 return ret;
175}
176
177/*
178 * Get the curve parameters of an EC_GROUP structure.
179 * If p, a, or b are NULL then there values will not be set but the method will return with success.
180 */
181static int
182ec_GF2m_simple_group_get_curve(const EC_GROUP *group,
183 BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
184{
185 int ret = 0;
186
187 if (p != NULL) {
188 if (!bn_copy(p, &group->field))
189 return 0;
190 }
191 if (a != NULL) {
192 if (!bn_copy(a, &group->a))
193 goto err;
194 }
195 if (b != NULL) {
196 if (!bn_copy(b, &group->b))
197 goto err;
198 }
199 ret = 1;
200
201 err:
202 return ret;
203}
204
205/* Gets the degree of the field. For a curve over GF(2^m) this is the value m. */
206static int
207ec_GF2m_simple_group_get_degree(const EC_GROUP *group)
208{
209 return BN_num_bits(&group->field) - 1;
210}
211
212/*
213 * Checks the discriminant of the curve.
214 * y^2 + x*y = x^3 + a*x^2 + b is an elliptic curve <=> b != 0 (mod p)
215 */
216static int
217ec_GF2m_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
218{
219 BIGNUM *b;
220 int ret = 0;
221
222 BN_CTX_start(ctx);
223
224 if ((b = BN_CTX_get(ctx)) == NULL)
225 goto err;
226
227 if (!BN_GF2m_mod_arr(b, &group->b, group->poly))
228 goto err;
229
230 /*
231 * check the discriminant: y^2 + x*y = x^3 + a*x^2 + b is an elliptic
232 * curve <=> b != 0 (mod p)
233 */
234 if (BN_is_zero(b))
235 goto err;
236
237 ret = 1;
238
239 err:
240 BN_CTX_end(ctx);
241
242 return ret;
243}
244
245/* Initializes an EC_POINT. */
246static int
247ec_GF2m_simple_point_init(EC_POINT *point)
248{
249 BN_init(&point->X);
250 BN_init(&point->Y);
251 BN_init(&point->Z);
252 return 1;
253}
254
255/* Clears and frees an EC_POINT. */
256static void
257ec_GF2m_simple_point_finish(EC_POINT *point)
258{
259 BN_free(&point->X);
260 BN_free(&point->Y);
261 BN_free(&point->Z);
262 point->Z_is_one = 0;
263}
264
265/* Copy the contents of one EC_POINT into another. Assumes dest is initialized. */
266static int
267ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
268{
269 if (!bn_copy(&dest->X, &src->X))
270 return 0;
271 if (!bn_copy(&dest->Y, &src->Y))
272 return 0;
273 if (!bn_copy(&dest->Z, &src->Z))
274 return 0;
275 dest->Z_is_one = src->Z_is_one;
276
277 return 1;
278}
279
280/*
281 * Set an EC_POINT to the point at infinity.
282 * A point at infinity is represented by having Z=0.
283 */
284static int
285ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
286{
287 point->Z_is_one = 0;
288 BN_zero(&point->Z);
289 return 1;
290}
291
292/*
293 * Set the coordinates of an EC_POINT using affine coordinates.
294 * Note that the simple implementation only uses affine coordinates.
295 */
296static int
297ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
298 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
299{
300 int ret = 0;
301 if (x == NULL || y == NULL) {
302 ECerror(ERR_R_PASSED_NULL_PARAMETER);
303 return 0;
304 }
305 if (!bn_copy(&point->X, x))
306 goto err;
307 BN_set_negative(&point->X, 0);
308 if (!bn_copy(&point->Y, y))
309 goto err;
310 BN_set_negative(&point->Y, 0);
311 if (!bn_copy(&point->Z, BN_value_one()))
312 goto err;
313 BN_set_negative(&point->Z, 0);
314 point->Z_is_one = 1;
315 ret = 1;
316
317 err:
318 return ret;
319}
320
321/*
322 * Gets the affine coordinates of an EC_POINT.
323 * Note that the simple implementation only uses affine coordinates.
324 */
325static int
326ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group,
327 const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
328{
329 int ret = 0;
330
331 if (EC_POINT_is_at_infinity(group, point) > 0) {
332 ECerror(EC_R_POINT_AT_INFINITY);
333 return 0;
334 }
335 if (BN_cmp(&point->Z, BN_value_one())) {
336 ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
337 return 0;
338 }
339 if (x != NULL) {
340 if (!bn_copy(x, &point->X))
341 goto err;
342 BN_set_negative(x, 0);
343 }
344 if (y != NULL) {
345 if (!bn_copy(y, &point->Y))
346 goto err;
347 BN_set_negative(y, 0);
348 }
349 ret = 1;
350
351 err:
352 return ret;
353}
354
355/*
356 * Computes a + b and stores the result in r. r could be a or b, a could be b.
357 * Uses algorithm A.10.2 of IEEE P1363.
358 */
359static int
360ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
361 const EC_POINT *b, BN_CTX *ctx)
362{
363 BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t;
364 int ret = 0;
365
366 if (EC_POINT_is_at_infinity(group, a) > 0) {
367 if (!EC_POINT_copy(r, b))
368 return 0;
369 return 1;
370 }
371 if (EC_POINT_is_at_infinity(group, b) > 0) {
372 if (!EC_POINT_copy(r, a))
373 return 0;
374 return 1;
375 }
376
377 BN_CTX_start(ctx);
378
379 if ((x0 = BN_CTX_get(ctx)) == NULL)
380 goto err;
381 if ((y0 = BN_CTX_get(ctx)) == NULL)
382 goto err;
383 if ((x1 = BN_CTX_get(ctx)) == NULL)
384 goto err;
385 if ((y1 = BN_CTX_get(ctx)) == NULL)
386 goto err;
387 if ((x2 = BN_CTX_get(ctx)) == NULL)
388 goto err;
389 if ((y2 = BN_CTX_get(ctx)) == NULL)
390 goto err;
391 if ((s = BN_CTX_get(ctx)) == NULL)
392 goto err;
393 if ((t = BN_CTX_get(ctx)) == NULL)
394 goto err;
395
396 if (a->Z_is_one) {
397 if (!bn_copy(x0, &a->X))
398 goto err;
399 if (!bn_copy(y0, &a->Y))
400 goto err;
401 } else {
402 if (!EC_POINT_get_affine_coordinates(group, a, x0, y0, ctx))
403 goto err;
404 }
405 if (b->Z_is_one) {
406 if (!bn_copy(x1, &b->X))
407 goto err;
408 if (!bn_copy(y1, &b->Y))
409 goto err;
410 } else {
411 if (!EC_POINT_get_affine_coordinates(group, b, x1, y1, ctx))
412 goto err;
413 }
414
415 if (BN_GF2m_cmp(x0, x1)) {
416 if (!BN_GF2m_add(t, x0, x1))
417 goto err;
418 if (!BN_GF2m_add(s, y0, y1))
419 goto err;
420 if (!group->meth->field_div(group, s, s, t, ctx))
421 goto err;
422 if (!group->meth->field_sqr(group, x2, s, ctx))
423 goto err;
424 if (!BN_GF2m_add(x2, x2, &group->a))
425 goto err;
426 if (!BN_GF2m_add(x2, x2, s))
427 goto err;
428 if (!BN_GF2m_add(x2, x2, t))
429 goto err;
430 } else {
431 if (BN_GF2m_cmp(y0, y1) || BN_is_zero(x1)) {
432 if (!EC_POINT_set_to_infinity(group, r))
433 goto err;
434 ret = 1;
435 goto err;
436 }
437 if (!group->meth->field_div(group, s, y1, x1, ctx))
438 goto err;
439 if (!BN_GF2m_add(s, s, x1))
440 goto err;
441
442 if (!group->meth->field_sqr(group, x2, s, ctx))
443 goto err;
444 if (!BN_GF2m_add(x2, x2, s))
445 goto err;
446 if (!BN_GF2m_add(x2, x2, &group->a))
447 goto err;
448 }
449
450 if (!BN_GF2m_add(y2, x1, x2))
451 goto err;
452 if (!group->meth->field_mul(group, y2, y2, s, ctx))
453 goto err;
454 if (!BN_GF2m_add(y2, y2, x2))
455 goto err;
456 if (!BN_GF2m_add(y2, y2, y1))
457 goto err;
458
459 if (!EC_POINT_set_affine_coordinates(group, r, x2, y2, ctx))
460 goto err;
461
462 ret = 1;
463
464 err:
465 BN_CTX_end(ctx);
466
467 return ret;
468}
469
470/*
471 * Computes 2 * a and stores the result in r. r could be a.
472 * Uses algorithm A.10.2 of IEEE P1363.
473 */
474static int
475ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
476 BN_CTX *ctx)
477{
478 return ec_GF2m_simple_add(group, r, a, a, ctx);
479}
480
481static int
482ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
483{
484 if (EC_POINT_is_at_infinity(group, point) > 0 || BN_is_zero(&point->Y))
485 /* point is its own inverse */
486 return 1;
487
488 if (!EC_POINT_make_affine(group, point, ctx))
489 return 0;
490 return BN_GF2m_add(&point->Y, &point->X, &point->Y);
491}
492
493/* Indicates whether the given point is the point at infinity. */
494static int
495ec_GF2m_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
496{
497 return BN_is_zero(&point->Z);
498}
499
500/*
501 * Determines whether the given EC_POINT is an actual point on the curve defined
502 * in the EC_GROUP. A point is valid if it satisfies the Weierstrass equation:
503 * y^2 + x*y = x^3 + a*x^2 + b.
504 */
505static int
506ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
507{
508 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
509 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
510 BIGNUM *lh, *y2;
511 int ret = -1;
512
513 if (EC_POINT_is_at_infinity(group, point) > 0)
514 return 1;
515
516 field_mul = group->meth->field_mul;
517 field_sqr = group->meth->field_sqr;
518
519 /* only support affine coordinates */
520 if (!point->Z_is_one)
521 return -1;
522
523 BN_CTX_start(ctx);
524
525 if ((y2 = BN_CTX_get(ctx)) == NULL)
526 goto err;
527 if ((lh = BN_CTX_get(ctx)) == NULL)
528 goto err;
529
530 /*
531 * We have a curve defined by a Weierstrass equation y^2 + x*y = x^3
532 * + a*x^2 + b. <=> x^3 + a*x^2 + x*y + b + y^2 = 0 <=> ((x + a) * x
533 * + y ) * x + b + y^2 = 0
534 */
535 if (!BN_GF2m_add(lh, &point->X, &group->a))
536 goto err;
537 if (!field_mul(group, lh, lh, &point->X, ctx))
538 goto err;
539 if (!BN_GF2m_add(lh, lh, &point->Y))
540 goto err;
541 if (!field_mul(group, lh, lh, &point->X, ctx))
542 goto err;
543 if (!BN_GF2m_add(lh, lh, &group->b))
544 goto err;
545 if (!field_sqr(group, y2, &point->Y, ctx))
546 goto err;
547 if (!BN_GF2m_add(lh, lh, y2))
548 goto err;
549
550 ret = BN_is_zero(lh);
551
552 err:
553 BN_CTX_end(ctx);
554
555 return ret;
556}
557
558/*
559 * Indicates whether two points are equal.
560 * Return values:
561 * -1 error
562 * 0 equal (in affine coordinates)
563 * 1 not equal
564 */
565static int
566ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
567 const EC_POINT *b, BN_CTX *ctx)
568{
569 BIGNUM *aX, *aY, *bX, *bY;
570 int ret = -1;
571
572 if (EC_POINT_is_at_infinity(group, a) > 0)
573 return EC_POINT_is_at_infinity(group, b) > 0 ? 0 : 1;
574
575 if (EC_POINT_is_at_infinity(group, b) > 0)
576 return 1;
577
578 if (a->Z_is_one && b->Z_is_one)
579 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
580
581 BN_CTX_start(ctx);
582
583 if ((aX = BN_CTX_get(ctx)) == NULL)
584 goto err;
585 if ((aY = BN_CTX_get(ctx)) == NULL)
586 goto err;
587 if ((bX = BN_CTX_get(ctx)) == NULL)
588 goto err;
589 if ((bY = BN_CTX_get(ctx)) == NULL)
590 goto err;
591
592 if (!EC_POINT_get_affine_coordinates(group, a, aX, aY, ctx))
593 goto err;
594 if (!EC_POINT_get_affine_coordinates(group, b, bX, bY, ctx))
595 goto err;
596 ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
597
598 err:
599 BN_CTX_end(ctx);
600
601 return ret;
602}
603
604/* Forces the given EC_POINT to internally use affine coordinates. */
605static int
606ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
607{
608 BIGNUM *x, *y;
609 int ret = 0;
610
611 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point) > 0)
612 return 1;
613
614 BN_CTX_start(ctx);
615
616 if ((x = BN_CTX_get(ctx)) == NULL)
617 goto err;
618 if ((y = BN_CTX_get(ctx)) == NULL)
619 goto err;
620
621 if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
622 goto err;
623 if (!bn_copy(&point->X, x))
624 goto err;
625 if (!bn_copy(&point->Y, y))
626 goto err;
627 if (!BN_one(&point->Z))
628 goto err;
629
630 ret = 1;
631
632 err:
633 BN_CTX_end(ctx);
634
635 return ret;
636}
637
638/* Forces each of the EC_POINTs in the given array to use affine coordinates. */
639static int
640ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num,
641 EC_POINT *points[], BN_CTX *ctx)
642{
643 size_t i;
644
645 for (i = 0; i < num; i++) {
646 if (!group->meth->make_affine(group, points[i], ctx))
647 return 0;
648 }
649
650 return 1;
651}
652
653/* Wrapper to simple binary polynomial field multiplication implementation. */
654static int
655ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
656 const BIGNUM *b, BN_CTX *ctx)
657{
658 return BN_GF2m_mod_mul_arr(r, a, b, group->poly, ctx);
659}
660
661/* Wrapper to simple binary polynomial field squaring implementation. */
662static int
663ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
664 BN_CTX *ctx)
665{
666 return BN_GF2m_mod_sqr_arr(r, a, group->poly, ctx);
667}
668
669/* Wrapper to simple binary polynomial field division implementation. */
670static int
671ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
672 const BIGNUM *b, BN_CTX *ctx)
673{
674 return BN_GF2m_mod_div(r, a, b, &group->field, ctx);
675}
676
677static const EC_METHOD ec_GF2m_simple_method = {
678 .field_type = NID_X9_62_characteristic_two_field,
679 .group_init = ec_GF2m_simple_group_init,
680 .group_finish = ec_GF2m_simple_group_finish,
681 .group_copy = ec_GF2m_simple_group_copy,
682 .group_set_curve = ec_GF2m_simple_group_set_curve,
683 .group_get_curve = ec_GF2m_simple_group_get_curve,
684 .group_get_degree = ec_GF2m_simple_group_get_degree,
685 .group_order_bits = ec_group_simple_order_bits,
686 .group_check_discriminant = ec_GF2m_simple_group_check_discriminant,
687 .point_init = ec_GF2m_simple_point_init,
688 .point_finish = ec_GF2m_simple_point_finish,
689 .point_copy = ec_GF2m_simple_point_copy,
690 .point_set_to_infinity = ec_GF2m_simple_point_set_to_infinity,
691 .point_set_affine_coordinates =
692 ec_GF2m_simple_point_set_affine_coordinates,
693 .point_get_affine_coordinates =
694 ec_GF2m_simple_point_get_affine_coordinates,
695 .point_set_compressed_coordinates =
696 ec_GF2m_simple_set_compressed_coordinates,
697 .point2oct = ec_GF2m_simple_point2oct,
698 .oct2point = ec_GF2m_simple_oct2point,
699 .add = ec_GF2m_simple_add,
700 .dbl = ec_GF2m_simple_dbl,
701 .invert = ec_GF2m_simple_invert,
702 .is_at_infinity = ec_GF2m_simple_is_at_infinity,
703 .is_on_curve = ec_GF2m_simple_is_on_curve,
704 .point_cmp = ec_GF2m_simple_cmp,
705 .make_affine = ec_GF2m_simple_make_affine,
706 .points_make_affine = ec_GF2m_simple_points_make_affine,
707 .mul_generator_ct = ec_GFp_simple_mul_generator_ct,
708 .mul_single_ct = ec_GFp_simple_mul_single_ct,
709 .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
710 .precompute_mult = ec_GF2m_precompute_mult,
711 .have_precompute_mult = ec_GF2m_have_precompute_mult,
712 .field_mul = ec_GF2m_simple_field_mul,
713 .field_sqr = ec_GF2m_simple_field_sqr,
714 .field_div = ec_GF2m_simple_field_div,
715 .blind_coordinates = NULL,
716};
717
718const EC_METHOD *
719EC_GF2m_simple_method(void)
720{
721 return &ec_GF2m_simple_method;
722}
723#endif
diff --git a/src/lib/libcrypto/ec/ec_asn1.c b/src/lib/libcrypto/ec/ec_asn1.c
index fb6a8e84c1..c62ba226f0 100644
--- a/src/lib/libcrypto/ec/ec_asn1.c
+++ b/src/lib/libcrypto/ec/ec_asn1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_asn1.c,v 1.41 2023/03/08 05:45:31 jsing Exp $ */ 1/* $OpenBSD: ec_asn1.c,v 1.42 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Written by Nils Larsch for the OpenSSL project. 3 * Written by Nils Larsch for the OpenSSL project.
4 */ 4 */
@@ -89,49 +89,6 @@ EC_GROUP_get_basis_type(const EC_GROUP *group)
89 return 0; 89 return 0;
90} 90}
91 91
92#ifndef OPENSSL_NO_EC2M
93int
94EC_GROUP_get_trinomial_basis(const EC_GROUP *group, unsigned int *k)
95{
96 if (group == NULL)
97 return 0;
98
99 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
100 NID_X9_62_characteristic_two_field
101 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0))) {
102 ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
103 return 0;
104 }
105 if (k)
106 *k = group->poly[1];
107
108 return 1;
109}
110
111int
112EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
113 unsigned int *k2, unsigned int *k3)
114{
115 if (group == NULL)
116 return 0;
117
118 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
119 NID_X9_62_characteristic_two_field
120 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0))) {
121 ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
122 return 0;
123 }
124 if (k1)
125 *k1 = group->poly[3];
126 if (k2)
127 *k2 = group->poly[2];
128 if (k3)
129 *k3 = group->poly[1];
130
131 return 1;
132}
133#endif
134
135/* some structures needed for the asn1 encoding */ 92/* some structures needed for the asn1 encoding */
136typedef struct x9_62_pentanomial_st { 93typedef struct x9_62_pentanomial_st {
137 long k1; 94 long k1;
@@ -719,77 +676,10 @@ ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field)
719 ECerror(ERR_R_ASN1_LIB); 676 ECerror(ERR_R_ASN1_LIB);
720 goto err; 677 goto err;
721 } 678 }
722 } else /* nid == NID_X9_62_characteristic_two_field */ 679 } else {
723#ifdef OPENSSL_NO_EC2M
724 {
725 ECerror(EC_R_GF2M_NOT_SUPPORTED); 680 ECerror(EC_R_GF2M_NOT_SUPPORTED);
726 goto err; 681 goto err;
727 } 682 }
728#else
729 {
730 int field_type;
731 X9_62_CHARACTERISTIC_TWO *char_two;
732
733 field->p.char_two = X9_62_CHARACTERISTIC_TWO_new();
734 char_two = field->p.char_two;
735
736 if (char_two == NULL) {
737 ECerror(ERR_R_MALLOC_FAILURE);
738 goto err;
739 }
740 char_two->m = (long) EC_GROUP_get_degree(group);
741
742 field_type = EC_GROUP_get_basis_type(group);
743
744 if (field_type == 0) {
745 ECerror(ERR_R_EC_LIB);
746 goto err;
747 }
748 /* set base type OID */
749 if ((char_two->type = OBJ_nid2obj(field_type)) == NULL) {
750 ECerror(ERR_R_OBJ_LIB);
751 goto err;
752 }
753 if (field_type == NID_X9_62_tpBasis) {
754 unsigned int k;
755
756 if (!EC_GROUP_get_trinomial_basis(group, &k))
757 goto err;
758
759 char_two->p.tpBasis = ASN1_INTEGER_new();
760 if (!char_two->p.tpBasis) {
761 ECerror(ERR_R_MALLOC_FAILURE);
762 goto err;
763 }
764 if (!ASN1_INTEGER_set(char_two->p.tpBasis, (long) k)) {
765 ECerror(ERR_R_ASN1_LIB);
766 goto err;
767 }
768 } else if (field_type == NID_X9_62_ppBasis) {
769 unsigned int k1, k2, k3;
770
771 if (!EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3))
772 goto err;
773
774 char_two->p.ppBasis = X9_62_PENTANOMIAL_new();
775 if (!char_two->p.ppBasis) {
776 ECerror(ERR_R_MALLOC_FAILURE);
777 goto err;
778 }
779 /* set k? values */
780 char_two->p.ppBasis->k1 = (long) k1;
781 char_two->p.ppBasis->k2 = (long) k2;
782 char_two->p.ppBasis->k3 = (long) k3;
783 } else { /* field_type == NID_X9_62_onBasis */
784 /* for ONB the parameters are (asn1) NULL */
785 char_two->p.onBasis = ASN1_NULL_new();
786 if (!char_two->p.onBasis) {
787 ECerror(ERR_R_MALLOC_FAILURE);
788 goto err;
789 }
790 }
791 }
792#endif
793 683
794 ok = 1; 684 ok = 1;
795 685
@@ -1067,86 +957,10 @@ ec_asn1_parameters2group(const ECPARAMETERS *params)
1067 } 957 }
1068 /* get the field parameters */ 958 /* get the field parameters */
1069 tmp = OBJ_obj2nid(params->fieldID->fieldType); 959 tmp = OBJ_obj2nid(params->fieldID->fieldType);
1070 if (tmp == NID_X9_62_characteristic_two_field) 960 if (tmp == NID_X9_62_characteristic_two_field) {
1071#ifdef OPENSSL_NO_EC2M
1072 {
1073 ECerror(EC_R_GF2M_NOT_SUPPORTED); 961 ECerror(EC_R_GF2M_NOT_SUPPORTED);
1074 goto err; 962 goto err;
1075 } 963 } else if (tmp == NID_X9_62_prime_field) {
1076#else
1077 {
1078 X9_62_CHARACTERISTIC_TWO *char_two;
1079
1080 char_two = params->fieldID->p.char_two;
1081
1082 field_bits = char_two->m;
1083 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) {
1084 ECerror(EC_R_FIELD_TOO_LARGE);
1085 goto err;
1086 }
1087 if ((p = BN_new()) == NULL) {
1088 ECerror(ERR_R_MALLOC_FAILURE);
1089 goto err;
1090 }
1091 /* get the base type */
1092 tmp = OBJ_obj2nid(char_two->type);
1093
1094 if (tmp == NID_X9_62_tpBasis) {
1095 long tmp_long;
1096
1097 if (!char_two->p.tpBasis) {
1098 ECerror(EC_R_ASN1_ERROR);
1099 goto err;
1100 }
1101 tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis);
1102
1103 if (!(char_two->m > tmp_long && tmp_long > 0)) {
1104 ECerror(EC_R_INVALID_TRINOMIAL_BASIS);
1105 goto err;
1106 }
1107 /* create the polynomial */
1108 if (!BN_set_bit(p, (int) char_two->m))
1109 goto err;
1110 if (!BN_set_bit(p, (int) tmp_long))
1111 goto err;
1112 if (!BN_set_bit(p, 0))
1113 goto err;
1114 } else if (tmp == NID_X9_62_ppBasis) {
1115 X9_62_PENTANOMIAL *penta;
1116
1117 penta = char_two->p.ppBasis;
1118 if (!penta) {
1119 ECerror(EC_R_ASN1_ERROR);
1120 goto err;
1121 }
1122 if (!(char_two->m > penta->k3 && penta->k3 > penta->k2 && penta->k2 > penta->k1 && penta->k1 > 0)) {
1123 ECerror(EC_R_INVALID_PENTANOMIAL_BASIS);
1124 goto err;
1125 }
1126 /* create the polynomial */
1127 if (!BN_set_bit(p, (int) char_two->m))
1128 goto err;
1129 if (!BN_set_bit(p, (int) penta->k1))
1130 goto err;
1131 if (!BN_set_bit(p, (int) penta->k2))
1132 goto err;
1133 if (!BN_set_bit(p, (int) penta->k3))
1134 goto err;
1135 if (!BN_set_bit(p, 0))
1136 goto err;
1137 } else if (tmp == NID_X9_62_onBasis) {
1138 ECerror(EC_R_NOT_IMPLEMENTED);
1139 goto err;
1140 } else { /* error */
1141 ECerror(EC_R_ASN1_ERROR);
1142 goto err;
1143 }
1144
1145 /* create the EC_GROUP structure */
1146 ret = EC_GROUP_new_curve_GF2m(p, a, b, NULL);
1147 }
1148#endif
1149 else if (tmp == NID_X9_62_prime_field) {
1150 /* we have a curve over a prime field */ 964 /* we have a curve over a prime field */
1151 /* extract the prime number */ 965 /* extract the prime number */
1152 if (!params->fieldID->p.prime) { 966 if (!params->fieldID->p.prime) {
diff --git a/src/lib/libcrypto/ec/ec_curve.c b/src/lib/libcrypto/ec/ec_curve.c
index 324abe8ee1..898e233429 100644
--- a/src/lib/libcrypto/ec/ec_curve.c
+++ b/src/lib/libcrypto/ec/ec_curve.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_curve.c,v 1.26 2023/03/04 14:53:23 jsing Exp $ */ 1/* $OpenBSD: ec_curve.c,v 1.27 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Written by Nils Larsch for the OpenSSL project. 3 * Written by Nils Larsch for the OpenSSL project.
4 */ 4 */
@@ -861,1353 +861,6 @@ static const struct {
861 } 861 }
862}; 862};
863 863
864#ifndef OPENSSL_NO_EC2M
865
866/* characteristic two curves */
867static const struct {
868 EC_CURVE_DATA h;
869 unsigned char data[20 + 15 * 6];
870}
871 _EC_SECG_CHAR2_113R1 = {
872 {
873 NID_X9_62_characteristic_two_field, 20, 15, 2
874 },
875 {
876 0x10, 0xE7, 0x23, 0xAB, 0x14, 0xD6, 0x96, 0xE6, 0x76, 0x87, /* seed */
877 0x56, 0x15, 0x17, 0x56, 0xFE, 0xBF, 0x8F, 0xCB, 0x49, 0xA9,
878
879 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
880 0x00, 0x00, 0x00, 0x02, 0x01,
881 0x00, 0x30, 0x88, 0x25, 0x0C, 0xA6, 0xE7, 0xC7, 0xFE, 0x64, /* a */
882 0x9C, 0xE8, 0x58, 0x20, 0xF7,
883 0x00, 0xE8, 0xBE, 0xE4, 0xD3, 0xE2, 0x26, 0x07, 0x44, 0x18, /* b */
884 0x8B, 0xE0, 0xE9, 0xC7, 0x23,
885 0x00, 0x9D, 0x73, 0x61, 0x6F, 0x35, 0xF4, 0xAB, 0x14, 0x07, /* x */
886 0xD7, 0x35, 0x62, 0xC1, 0x0F,
887 0x00, 0xA5, 0x28, 0x30, 0x27, 0x79, 0x58, 0xEE, 0x84, 0xD1, /* y */
888 0x31, 0x5E, 0xD3, 0x18, 0x86,
889 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD9, 0xCC, /* order */
890 0xEC, 0x8A, 0x39, 0xE5, 0x6F
891 }
892};
893
894static const struct {
895 EC_CURVE_DATA h;
896 unsigned char data[20 + 15 * 6];
897}
898 _EC_SECG_CHAR2_113R2 = {
899 {
900 NID_X9_62_characteristic_two_field, 20, 15, 2
901 },
902 {
903 0x10, 0xC0, 0xFB, 0x15, 0x76, 0x08, 0x60, 0xDE, 0xF1, 0xEE, /* seed */
904 0xF4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x5D,
905
906 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
907 0x00, 0x00, 0x00, 0x02, 0x01,
908 0x00, 0x68, 0x99, 0x18, 0xDB, 0xEC, 0x7E, 0x5A, 0x0D, 0xD6, /* a */
909 0xDF, 0xC0, 0xAA, 0x55, 0xC7,
910 0x00, 0x95, 0xE9, 0xA9, 0xEC, 0x9B, 0x29, 0x7B, 0xD4, 0xBF, /* b */
911 0x36, 0xE0, 0x59, 0x18, 0x4F,
912 0x01, 0xA5, 0x7A, 0x6A, 0x7B, 0x26, 0xCA, 0x5E, 0xF5, 0x2F, /* x */
913 0xCD, 0xB8, 0x16, 0x47, 0x97,
914 0x00, 0xB3, 0xAD, 0xC9, 0x4E, 0xD1, 0xFE, 0x67, 0x4C, 0x06, /* y */
915 0xE6, 0x95, 0xBA, 0xBA, 0x1D,
916 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x78, /* order */
917 0x9B, 0x24, 0x96, 0xAF, 0x93
918 }
919};
920
921static const struct {
922 EC_CURVE_DATA h;
923 unsigned char data[20 + 17 * 6];
924}
925 _EC_SECG_CHAR2_131R1 = {
926 {
927 NID_X9_62_characteristic_two_field, 20, 17, 2
928 },
929 {
930 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, 0x98, /* seed */
931 0x5B, 0xD3, 0xAD, 0xBA, 0xDA, 0x21, 0xB4, 0x3A, 0x97, 0xE2,
932
933 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
934 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x0D,
935 0x07, 0xA1, 0x1B, 0x09, 0xA7, 0x6B, 0x56, 0x21, 0x44, 0x41, /* a */
936 0x8F, 0xF3, 0xFF, 0x8C, 0x25, 0x70, 0xB8,
937 0x02, 0x17, 0xC0, 0x56, 0x10, 0x88, 0x4B, 0x63, 0xB9, 0xC6, /* b */
938 0xC7, 0x29, 0x16, 0x78, 0xF9, 0xD3, 0x41,
939 0x00, 0x81, 0xBA, 0xF9, 0x1F, 0xDF, 0x98, 0x33, 0xC4, 0x0F, /* x */
940 0x9C, 0x18, 0x13, 0x43, 0x63, 0x83, 0x99,
941 0x07, 0x8C, 0x6E, 0x7E, 0xA3, 0x8C, 0x00, 0x1F, 0x73, 0xC8, /* y */
942 0x13, 0x4B, 0x1B, 0x4E, 0xF9, 0xE1, 0x50,
943 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x31, /* order */
944 0x23, 0x95, 0x3A, 0x94, 0x64, 0xB5, 0x4D
945 }
946};
947
948static const struct {
949 EC_CURVE_DATA h;
950 unsigned char data[20 + 17 * 6];
951}
952 _EC_SECG_CHAR2_131R2 = {
953 {
954 NID_X9_62_characteristic_two_field, 20, 17, 2
955 },
956 {
957 0x98, 0x5B, 0xD3, 0xAD, 0xBA, 0xD4, 0xD6, 0x96, 0xE6, 0x76, /* seed */
958 0x87, 0x56, 0x15, 0x17, 0x5A, 0x21, 0xB4, 0x3A, 0x97, 0xE3,
959
960 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
961 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x0D,
962 0x03, 0xE5, 0xA8, 0x89, 0x19, 0xD7, 0xCA, 0xFC, 0xBF, 0x41, /* a */
963 0x5F, 0x07, 0xC2, 0x17, 0x65, 0x73, 0xB2,
964 0x04, 0xB8, 0x26, 0x6A, 0x46, 0xC5, 0x56, 0x57, 0xAC, 0x73, /* b */
965 0x4C, 0xE3, 0x8F, 0x01, 0x8F, 0x21, 0x92,
966 0x03, 0x56, 0xDC, 0xD8, 0xF2, 0xF9, 0x50, 0x31, 0xAD, 0x65, /* x */
967 0x2D, 0x23, 0x95, 0x1B, 0xB3, 0x66, 0xA8,
968 0x06, 0x48, 0xF0, 0x6D, 0x86, 0x79, 0x40, 0xA5, 0x36, 0x6D, /* y */
969 0x9E, 0x26, 0x5D, 0xE9, 0xEB, 0x24, 0x0F,
970 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x69, /* order */
971 0x54, 0xA2, 0x33, 0x04, 0x9B, 0xA9, 0x8F
972 }
973};
974
975static const struct {
976 EC_CURVE_DATA h;
977 unsigned char data[0 + 21 * 6];
978}
979 _EC_NIST_CHAR2_163K = {
980 {
981 NID_X9_62_characteristic_two_field, 0, 21, 2
982 },
983 { /* no seed */
984 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
985 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
986 0xC9,
987 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
988 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
989 0x01,
990 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
991 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
992 0x01,
993 0x02, 0xFE, 0x13, 0xC0, 0x53, 0x7B, 0xBC, 0x11, 0xAC, 0xAA, /* x */
994 0x07, 0xD7, 0x93, 0xDE, 0x4E, 0x6D, 0x5E, 0x5C, 0x94, 0xEE,
995 0xE8,
996 0x02, 0x89, 0x07, 0x0F, 0xB0, 0x5D, 0x38, 0xFF, 0x58, 0x32, /* y */
997 0x1F, 0x2E, 0x80, 0x05, 0x36, 0xD5, 0x38, 0xCC, 0xDA, 0xA3,
998 0xD9,
999 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1000 0x02, 0x01, 0x08, 0xA2, 0xE0, 0xCC, 0x0D, 0x99, 0xF8, 0xA5,
1001 0xEF
1002 }
1003};
1004
1005static const struct {
1006 EC_CURVE_DATA h;
1007 unsigned char data[0 + 21 * 6];
1008}
1009 _EC_SECG_CHAR2_163R1 = {
1010 {
1011 NID_X9_62_characteristic_two_field, 0, 21, 2
1012 },
1013 { /* no seed */
1014 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1015 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1016 0xC9,
1017 0x07, 0xB6, 0x88, 0x2C, 0xAA, 0xEF, 0xA8, 0x4F, 0x95, 0x54, /* a */
1018 0xFF, 0x84, 0x28, 0xBD, 0x88, 0xE2, 0x46, 0xD2, 0x78, 0x2A,
1019 0xE2,
1020 0x07, 0x13, 0x61, 0x2D, 0xCD, 0xDC, 0xB4, 0x0A, 0xAB, 0x94, /* b */
1021 0x6B, 0xDA, 0x29, 0xCA, 0x91, 0xF7, 0x3A, 0xF9, 0x58, 0xAF,
1022 0xD9,
1023 0x03, 0x69, 0x97, 0x96, 0x97, 0xAB, 0x43, 0x89, 0x77, 0x89, /* x */
1024 0x56, 0x67, 0x89, 0x56, 0x7F, 0x78, 0x7A, 0x78, 0x76, 0xA6,
1025 0x54,
1026 0x00, 0x43, 0x5E, 0xDB, 0x42, 0xEF, 0xAF, 0xB2, 0x98, 0x9D, /* y */
1027 0x51, 0xFE, 0xFC, 0xE3, 0xC8, 0x09, 0x88, 0xF4, 0x1F, 0xF8,
1028 0x83,
1029 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1030 0xFF, 0x48, 0xAA, 0xB6, 0x89, 0xC2, 0x9C, 0xA7, 0x10, 0x27,
1031 0x9B
1032 }
1033};
1034
1035static const struct {
1036 EC_CURVE_DATA h;
1037 unsigned char data[0 + 21 * 6];
1038}
1039 _EC_NIST_CHAR2_163B = {
1040 {
1041 NID_X9_62_characteristic_two_field, 0, 21, 2
1042 },
1043 { /* no seed */
1044 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1045 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1046 0xC9,
1047 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1048 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1049 0x01,
1050 0x02, 0x0A, 0x60, 0x19, 0x07, 0xB8, 0xC9, 0x53, 0xCA, 0x14, /* b */
1051 0x81, 0xEB, 0x10, 0x51, 0x2F, 0x78, 0x74, 0x4A, 0x32, 0x05,
1052 0xFD,
1053 0x03, 0xF0, 0xEB, 0xA1, 0x62, 0x86, 0xA2, 0xD5, 0x7E, 0xA0, /* x */
1054 0x99, 0x11, 0x68, 0xD4, 0x99, 0x46, 0x37, 0xE8, 0x34, 0x3E,
1055 0x36,
1056 0x00, 0xD5, 0x1F, 0xBC, 0x6C, 0x71, 0xA0, 0x09, 0x4F, 0xA2, /* y */
1057 0xCD, 0xD5, 0x45, 0xB1, 0x1C, 0x5C, 0x0C, 0x79, 0x73, 0x24,
1058 0xF1,
1059 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1060 0x02, 0x92, 0xFE, 0x77, 0xE7, 0x0C, 0x12, 0xA4, 0x23, 0x4C,
1061 0x33
1062 }
1063};
1064
1065static const struct {
1066 EC_CURVE_DATA h;
1067 unsigned char data[20 + 25 * 6];
1068}
1069 _EC_SECG_CHAR2_193R1 = {
1070 {
1071 NID_X9_62_characteristic_two_field, 20, 25, 2
1072 },
1073 {
1074 0x10, 0x3F, 0xAE, 0xC7, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, /* seed */
1075 0x61, 0x51, 0x75, 0x77, 0x7F, 0xC5, 0xB1, 0x91, 0xEF, 0x30,
1076
1077 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1078 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1079 0x00, 0x00, 0x00, 0x80, 0x01,
1080 0x00, 0x17, 0x85, 0x8F, 0xEB, 0x7A, 0x98, 0x97, 0x51, 0x69, /* a */
1081 0xE1, 0x71, 0xF7, 0x7B, 0x40, 0x87, 0xDE, 0x09, 0x8A, 0xC8,
1082 0xA9, 0x11, 0xDF, 0x7B, 0x01,
1083 0x00, 0xFD, 0xFB, 0x49, 0xBF, 0xE6, 0xC3, 0xA8, 0x9F, 0xAC, /* b */
1084 0xAD, 0xAA, 0x7A, 0x1E, 0x5B, 0xBC, 0x7C, 0xC1, 0xC2, 0xE5,
1085 0xD8, 0x31, 0x47, 0x88, 0x14,
1086 0x01, 0xF4, 0x81, 0xBC, 0x5F, 0x0F, 0xF8, 0x4A, 0x74, 0xAD, /* x */
1087 0x6C, 0xDF, 0x6F, 0xDE, 0xF4, 0xBF, 0x61, 0x79, 0x62, 0x53,
1088 0x72, 0xD8, 0xC0, 0xC5, 0xE1,
1089 0x00, 0x25, 0xE3, 0x99, 0xF2, 0x90, 0x37, 0x12, 0xCC, 0xF3, /* y */
1090 0xEA, 0x9E, 0x3A, 0x1A, 0xD1, 0x7F, 0xB0, 0xB3, 0x20, 0x1B,
1091 0x6A, 0xF7, 0xCE, 0x1B, 0x05,
1092 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1093 0x00, 0x00, 0x00, 0xC7, 0xF3, 0x4A, 0x77, 0x8F, 0x44, 0x3A,
1094 0xCC, 0x92, 0x0E, 0xBA, 0x49
1095 }
1096};
1097
1098static const struct {
1099 EC_CURVE_DATA h;
1100 unsigned char data[20 + 25 * 6];
1101}
1102 _EC_SECG_CHAR2_193R2 = {
1103 {
1104 NID_X9_62_characteristic_two_field, 20, 25, 2
1105 },
1106 {
1107 0x10, 0xB7, 0xB4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, /* seed */
1108 0x17, 0x51, 0x37, 0xC8, 0xA1, 0x6F, 0xD0, 0xDA, 0x22, 0x11,
1109
1110 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1111 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1112 0x00, 0x00, 0x00, 0x80, 0x01,
1113 0x01, 0x63, 0xF3, 0x5A, 0x51, 0x37, 0xC2, 0xCE, 0x3E, 0xA6, /* a */
1114 0xED, 0x86, 0x67, 0x19, 0x0B, 0x0B, 0xC4, 0x3E, 0xCD, 0x69,
1115 0x97, 0x77, 0x02, 0x70, 0x9B,
1116 0x00, 0xC9, 0xBB, 0x9E, 0x89, 0x27, 0xD4, 0xD6, 0x4C, 0x37, /* b */
1117 0x7E, 0x2A, 0xB2, 0x85, 0x6A, 0x5B, 0x16, 0xE3, 0xEF, 0xB7,
1118 0xF6, 0x1D, 0x43, 0x16, 0xAE,
1119 0x00, 0xD9, 0xB6, 0x7D, 0x19, 0x2E, 0x03, 0x67, 0xC8, 0x03, /* x */
1120 0xF3, 0x9E, 0x1A, 0x7E, 0x82, 0xCA, 0x14, 0xA6, 0x51, 0x35,
1121 0x0A, 0xAE, 0x61, 0x7E, 0x8F,
1122 0x01, 0xCE, 0x94, 0x33, 0x56, 0x07, 0xC3, 0x04, 0xAC, 0x29, /* y */
1123 0xE7, 0xDE, 0xFB, 0xD9, 0xCA, 0x01, 0xF5, 0x96, 0xF9, 0x27,
1124 0x22, 0x4C, 0xDE, 0xCF, 0x6C,
1125 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1126 0x00, 0x00, 0x01, 0x5A, 0xAB, 0x56, 0x1B, 0x00, 0x54, 0x13,
1127 0xCC, 0xD4, 0xEE, 0x99, 0xD5
1128 }
1129};
1130
1131static const struct {
1132 EC_CURVE_DATA h;
1133 unsigned char data[0 + 30 * 6];
1134}
1135 _EC_NIST_CHAR2_233K = {
1136 {
1137 NID_X9_62_characteristic_two_field, 0, 30, 4
1138 },
1139 { /* no seed */
1140 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1141 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1142 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1143
1144 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1147
1148 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1149 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1150 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1151
1152 0x01, 0x72, 0x32, 0xBA, 0x85, 0x3A, 0x7E, 0x73, 0x1A, 0xF1, /* x */
1153 0x29, 0xF2, 0x2F, 0xF4, 0x14, 0x95, 0x63, 0xA4, 0x19, 0xC2,
1154 0x6B, 0xF5, 0x0A, 0x4C, 0x9D, 0x6E, 0xEF, 0xAD, 0x61, 0x26,
1155
1156 0x01, 0xDB, 0x53, 0x7D, 0xEC, 0xE8, 0x19, 0xB7, 0xF7, 0x0F, /* y */
1157 0x55, 0x5A, 0x67, 0xC4, 0x27, 0xA8, 0xCD, 0x9B, 0xF1, 0x8A,
1158 0xEB, 0x9B, 0x56, 0xE0, 0xC1, 0x10, 0x56, 0xFA, 0xE6, 0xA3,
1159
1160 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1161 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x9D, 0x5B, 0xB9, 0x15,
1162 0xBC, 0xD4, 0x6E, 0xFB, 0x1A, 0xD5, 0xF1, 0x73, 0xAB, 0xDF
1163 }
1164};
1165
1166static const struct {
1167 EC_CURVE_DATA h;
1168 unsigned char data[20 + 30 * 6];
1169}
1170 _EC_NIST_CHAR2_233B = {
1171 {
1172 NID_X9_62_characteristic_two_field, 20, 30, 2
1173 },
1174 {
1175 0x74, 0xD5, 0x9F, 0xF0, 0x7F, 0x6B, 0x41, 0x3D, 0x0E, 0xA1, /* seed */
1176 0x4B, 0x34, 0x4B, 0x20, 0xA2, 0xDB, 0x04, 0x9B, 0x50, 0xC3,
1177
1178 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1179 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1180 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1181
1182 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1183 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1184 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1185
1186 0x00, 0x66, 0x64, 0x7E, 0xDE, 0x6C, 0x33, 0x2C, 0x7F, 0x8C, /* b */
1187 0x09, 0x23, 0xBB, 0x58, 0x21, 0x3B, 0x33, 0x3B, 0x20, 0xE9,
1188 0xCE, 0x42, 0x81, 0xFE, 0x11, 0x5F, 0x7D, 0x8F, 0x90, 0xAD,
1189
1190 0x00, 0xFA, 0xC9, 0xDF, 0xCB, 0xAC, 0x83, 0x13, 0xBB, 0x21, /* x */
1191 0x39, 0xF1, 0xBB, 0x75, 0x5F, 0xEF, 0x65, 0xBC, 0x39, 0x1F,
1192 0x8B, 0x36, 0xF8, 0xF8, 0xEB, 0x73, 0x71, 0xFD, 0x55, 0x8B,
1193
1194 0x01, 0x00, 0x6A, 0x08, 0xA4, 0x19, 0x03, 0x35, 0x06, 0x78, /* y */
1195 0xE5, 0x85, 0x28, 0xBE, 0xBF, 0x8A, 0x0B, 0xEF, 0xF8, 0x67,
1196 0xA7, 0xCA, 0x36, 0x71, 0x6F, 0x7E, 0x01, 0xF8, 0x10, 0x52,
1197
1198 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1199 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0xE9, 0x74, 0xE7, 0x2F,
1200 0x8A, 0x69, 0x22, 0x03, 0x1D, 0x26, 0x03, 0xCF, 0xE0, 0xD7
1201 }
1202};
1203
1204static const struct {
1205 EC_CURVE_DATA h;
1206 unsigned char data[0 + 30 * 6];
1207}
1208 _EC_SECG_CHAR2_239K1 = {
1209 {
1210 NID_X9_62_characteristic_two_field, 0, 30, 4
1211 },
1212 { /* no seed */
1213 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1214 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1215 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1216
1217 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1218 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1219 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1220
1221 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1224
1225 0x29, 0xA0, 0xB6, 0xA8, 0x87, 0xA9, 0x83, 0xE9, 0x73, 0x09, /* x */
1226 0x88, 0xA6, 0x87, 0x27, 0xA8, 0xB2, 0xD1, 0x26, 0xC4, 0x4C,
1227 0xC2, 0xCC, 0x7B, 0x2A, 0x65, 0x55, 0x19, 0x30, 0x35, 0xDC,
1228
1229 0x76, 0x31, 0x08, 0x04, 0xF1, 0x2E, 0x54, 0x9B, 0xDB, 0x01, /* y */
1230 0x1C, 0x10, 0x30, 0x89, 0xE7, 0x35, 0x10, 0xAC, 0xB2, 0x75,
1231 0xFC, 0x31, 0x2A, 0x5D, 0xC6, 0xB7, 0x65, 0x53, 0xF0, 0xCA,
1232
1233 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1234 0x00, 0x00, 0x00, 0x00, 0x00, 0x5A, 0x79, 0xFE, 0xC6, 0x7C,
1235 0xB6, 0xE9, 0x1F, 0x1C, 0x1D, 0xA8, 0x00, 0xE4, 0x78, 0xA5
1236 }
1237};
1238
1239static const struct {
1240 EC_CURVE_DATA h;
1241 unsigned char data[0 + 36 * 6];
1242}
1243 _EC_NIST_CHAR2_283K = {
1244 {
1245 NID_X9_62_characteristic_two_field, 0, 36, 4
1246 },
1247 { /* no seed */
1248 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1249 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1250 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1251 0x00, 0x00, 0x00, 0x00, 0x10, 0xA1,
1252 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1253 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1254 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1256 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1257 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1258 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1259 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1260 0x05, 0x03, 0x21, 0x3F, 0x78, 0xCA, 0x44, 0x88, 0x3F, 0x1A, /* x */
1261 0x3B, 0x81, 0x62, 0xF1, 0x88, 0xE5, 0x53, 0xCD, 0x26, 0x5F,
1262 0x23, 0xC1, 0x56, 0x7A, 0x16, 0x87, 0x69, 0x13, 0xB0, 0xC2,
1263 0xAC, 0x24, 0x58, 0x49, 0x28, 0x36,
1264 0x01, 0xCC, 0xDA, 0x38, 0x0F, 0x1C, 0x9E, 0x31, 0x8D, 0x90, /* y */
1265 0xF9, 0x5D, 0x07, 0xE5, 0x42, 0x6F, 0xE8, 0x7E, 0x45, 0xC0,
1266 0xE8, 0x18, 0x46, 0x98, 0xE4, 0x59, 0x62, 0x36, 0x4E, 0x34,
1267 0x11, 0x61, 0x77, 0xDD, 0x22, 0x59,
1268 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1269 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE9, 0xAE,
1270 0x2E, 0xD0, 0x75, 0x77, 0x26, 0x5D, 0xFF, 0x7F, 0x94, 0x45,
1271 0x1E, 0x06, 0x1E, 0x16, 0x3C, 0x61
1272 }
1273};
1274
1275static const struct {
1276 EC_CURVE_DATA h;
1277 unsigned char data[20 + 36 * 6];
1278}
1279 _EC_NIST_CHAR2_283B = {
1280 {
1281 NID_X9_62_characteristic_two_field, 20, 36, 2
1282 },
1283 {
1284 0x77, 0xE2, 0xB0, 0x73, 0x70, 0xEB, 0x0F, 0x83, 0x2A, 0x6D, /* no seed */
1285 0xD5, 0xB6, 0x2D, 0xFC, 0x88, 0xCD, 0x06, 0xBB, 0x84, 0xBE,
1286
1287 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1288 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1289 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1290 0x00, 0x00, 0x00, 0x00, 0x10, 0xA1,
1291 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1292 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1294 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1295 0x02, 0x7B, 0x68, 0x0A, 0xC8, 0xB8, 0x59, 0x6D, 0xA5, 0xA4, /* b */
1296 0xAF, 0x8A, 0x19, 0xA0, 0x30, 0x3F, 0xCA, 0x97, 0xFD, 0x76,
1297 0x45, 0x30, 0x9F, 0xA2, 0xA5, 0x81, 0x48, 0x5A, 0xF6, 0x26,
1298 0x3E, 0x31, 0x3B, 0x79, 0xA2, 0xF5,
1299 0x05, 0xF9, 0x39, 0x25, 0x8D, 0xB7, 0xDD, 0x90, 0xE1, 0x93, /* x */
1300 0x4F, 0x8C, 0x70, 0xB0, 0xDF, 0xEC, 0x2E, 0xED, 0x25, 0xB8,
1301 0x55, 0x7E, 0xAC, 0x9C, 0x80, 0xE2, 0xE1, 0x98, 0xF8, 0xCD,
1302 0xBE, 0xCD, 0x86, 0xB1, 0x20, 0x53,
1303 0x03, 0x67, 0x68, 0x54, 0xFE, 0x24, 0x14, 0x1C, 0xB9, 0x8F, /* y */
1304 0xE6, 0xD4, 0xB2, 0x0D, 0x02, 0xB4, 0x51, 0x6F, 0xF7, 0x02,
1305 0x35, 0x0E, 0xDD, 0xB0, 0x82, 0x67, 0x79, 0xC8, 0x13, 0xF0,
1306 0xDF, 0x45, 0xBE, 0x81, 0x12, 0xF4,
1307 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1308 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xEF, 0x90,
1309 0x39, 0x96, 0x60, 0xFC, 0x93, 0x8A, 0x90, 0x16, 0x5B, 0x04,
1310 0x2A, 0x7C, 0xEF, 0xAD, 0xB3, 0x07
1311 }
1312};
1313
1314static const struct {
1315 EC_CURVE_DATA h;
1316 unsigned char data[0 + 52 * 6];
1317}
1318 _EC_NIST_CHAR2_409K = {
1319 {
1320 NID_X9_62_characteristic_two_field, 0, 52, 4
1321 },
1322 { /* no seed */
1323 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1324 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1325 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1326 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1327 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1328 0x00, 0x01,
1329 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1330 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1331 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1332 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1333 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1334 0x00, 0x00,
1335 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1336 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1338 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1339 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1340 0x00, 0x01,
1341 0x00, 0x60, 0xF0, 0x5F, 0x65, 0x8F, 0x49, 0xC1, 0xAD, 0x3A, /* x */
1342 0xB1, 0x89, 0x0F, 0x71, 0x84, 0x21, 0x0E, 0xFD, 0x09, 0x87,
1343 0xE3, 0x07, 0xC8, 0x4C, 0x27, 0xAC, 0xCF, 0xB8, 0xF9, 0xF6,
1344 0x7C, 0xC2, 0xC4, 0x60, 0x18, 0x9E, 0xB5, 0xAA, 0xAA, 0x62,
1345 0xEE, 0x22, 0x2E, 0xB1, 0xB3, 0x55, 0x40, 0xCF, 0xE9, 0x02,
1346 0x37, 0x46,
1347 0x01, 0xE3, 0x69, 0x05, 0x0B, 0x7C, 0x4E, 0x42, 0xAC, 0xBA, /* y */
1348 0x1D, 0xAC, 0xBF, 0x04, 0x29, 0x9C, 0x34, 0x60, 0x78, 0x2F,
1349 0x91, 0x8E, 0xA4, 0x27, 0xE6, 0x32, 0x51, 0x65, 0xE9, 0xEA,
1350 0x10, 0xE3, 0xDA, 0x5F, 0x6C, 0x42, 0xE9, 0xC5, 0x52, 0x15,
1351 0xAA, 0x9C, 0xA2, 0x7A, 0x58, 0x63, 0xEC, 0x48, 0xD8, 0xE0,
1352 0x28, 0x6B,
1353 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1354 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1355 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0x5F, 0x83, 0xB2,
1356 0xD4, 0xEA, 0x20, 0x40, 0x0E, 0xC4, 0x55, 0x7D, 0x5E, 0xD3,
1357 0xE3, 0xE7, 0xCA, 0x5B, 0x4B, 0x5C, 0x83, 0xB8, 0xE0, 0x1E,
1358 0x5F, 0xCF
1359 }
1360};
1361
1362static const struct {
1363 EC_CURVE_DATA h;
1364 unsigned char data[20 + 52 * 6];
1365}
1366 _EC_NIST_CHAR2_409B = {
1367 {
1368 NID_X9_62_characteristic_two_field, 20, 52, 2
1369 },
1370 {
1371 0x40, 0x99, 0xB5, 0xA4, 0x57, 0xF9, 0xD6, 0x9F, 0x79, 0x21, /* seed */
1372 0x3D, 0x09, 0x4C, 0x4B, 0xCD, 0x4D, 0x42, 0x62, 0x21, 0x0B,
1373
1374 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1375 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1376 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1377 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1378 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1379 0x00, 0x01,
1380 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1381 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1385 0x00, 0x01,
1386 0x00, 0x21, 0xA5, 0xC2, 0xC8, 0xEE, 0x9F, 0xEB, 0x5C, 0x4B, /* b */
1387 0x9A, 0x75, 0x3B, 0x7B, 0x47, 0x6B, 0x7F, 0xD6, 0x42, 0x2E,
1388 0xF1, 0xF3, 0xDD, 0x67, 0x47, 0x61, 0xFA, 0x99, 0xD6, 0xAC,
1389 0x27, 0xC8, 0xA9, 0xA1, 0x97, 0xB2, 0x72, 0x82, 0x2F, 0x6C,
1390 0xD5, 0x7A, 0x55, 0xAA, 0x4F, 0x50, 0xAE, 0x31, 0x7B, 0x13,
1391 0x54, 0x5F,
1392 0x01, 0x5D, 0x48, 0x60, 0xD0, 0x88, 0xDD, 0xB3, 0x49, 0x6B, /* x */
1393 0x0C, 0x60, 0x64, 0x75, 0x62, 0x60, 0x44, 0x1C, 0xDE, 0x4A,
1394 0xF1, 0x77, 0x1D, 0x4D, 0xB0, 0x1F, 0xFE, 0x5B, 0x34, 0xE5,
1395 0x97, 0x03, 0xDC, 0x25, 0x5A, 0x86, 0x8A, 0x11, 0x80, 0x51,
1396 0x56, 0x03, 0xAE, 0xAB, 0x60, 0x79, 0x4E, 0x54, 0xBB, 0x79,
1397 0x96, 0xA7,
1398 0x00, 0x61, 0xB1, 0xCF, 0xAB, 0x6B, 0xE5, 0xF3, 0x2B, 0xBF, /* y */
1399 0xA7, 0x83, 0x24, 0xED, 0x10, 0x6A, 0x76, 0x36, 0xB9, 0xC5,
1400 0xA7, 0xBD, 0x19, 0x8D, 0x01, 0x58, 0xAA, 0x4F, 0x54, 0x88,
1401 0xD0, 0x8F, 0x38, 0x51, 0x4F, 0x1F, 0xDF, 0x4B, 0x4F, 0x40,
1402 0xD2, 0x18, 0x1B, 0x36, 0x81, 0xC3, 0x64, 0xBA, 0x02, 0x73,
1403 0xC7, 0x06,
1404 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1405 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1406 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xE2, 0xAA, 0xD6,
1407 0xA6, 0x12, 0xF3, 0x33, 0x07, 0xBE, 0x5F, 0xA4, 0x7C, 0x3C,
1408 0x9E, 0x05, 0x2F, 0x83, 0x81, 0x64, 0xCD, 0x37, 0xD9, 0xA2,
1409 0x11, 0x73
1410 }
1411};
1412
1413static const struct {
1414 EC_CURVE_DATA h;
1415 unsigned char data[0 + 72 * 6];
1416}
1417 _EC_NIST_CHAR2_571K = {
1418 {
1419 NID_X9_62_characteristic_two_field, 0, 72, 4
1420 },
1421 { /* no seed */
1422 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1423 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1424 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1425 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1426 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1428 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1429 0x04, 0x25,
1430 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1431 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1432 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1433 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1434 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1435 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1436 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1437 0x00, 0x00,
1438 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1439 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1440 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1441 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1442 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1443 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1444 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1445 0x00, 0x01,
1446 0x02, 0x6E, 0xB7, 0xA8, 0x59, 0x92, 0x3F, 0xBC, 0x82, 0x18, /* x */
1447 0x96, 0x31, 0xF8, 0x10, 0x3F, 0xE4, 0xAC, 0x9C, 0xA2, 0x97,
1448 0x00, 0x12, 0xD5, 0xD4, 0x60, 0x24, 0x80, 0x48, 0x01, 0x84,
1449 0x1C, 0xA4, 0x43, 0x70, 0x95, 0x84, 0x93, 0xB2, 0x05, 0xE6,
1450 0x47, 0xDA, 0x30, 0x4D, 0xB4, 0xCE, 0xB0, 0x8C, 0xBB, 0xD1,
1451 0xBA, 0x39, 0x49, 0x47, 0x76, 0xFB, 0x98, 0x8B, 0x47, 0x17,
1452 0x4D, 0xCA, 0x88, 0xC7, 0xE2, 0x94, 0x52, 0x83, 0xA0, 0x1C,
1453 0x89, 0x72,
1454 0x03, 0x49, 0xDC, 0x80, 0x7F, 0x4F, 0xBF, 0x37, 0x4F, 0x4A, /* y */
1455 0xEA, 0xDE, 0x3B, 0xCA, 0x95, 0x31, 0x4D, 0xD5, 0x8C, 0xEC,
1456 0x9F, 0x30, 0x7A, 0x54, 0xFF, 0xC6, 0x1E, 0xFC, 0x00, 0x6D,
1457 0x8A, 0x2C, 0x9D, 0x49, 0x79, 0xC0, 0xAC, 0x44, 0xAE, 0xA7,
1458 0x4F, 0xBE, 0xBB, 0xB9, 0xF7, 0x72, 0xAE, 0xDC, 0xB6, 0x20,
1459 0xB0, 0x1A, 0x7B, 0xA7, 0xAF, 0x1B, 0x32, 0x04, 0x30, 0xC8,
1460 0x59, 0x19, 0x84, 0xF6, 0x01, 0xCD, 0x4C, 0x14, 0x3E, 0xF1,
1461 0xC7, 0xA3,
1462 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x18, 0x50, 0xE1,
1466 0xF1, 0x9A, 0x63, 0xE4, 0xB3, 0x91, 0xA8, 0xDB, 0x91, 0x7F,
1467 0x41, 0x38, 0xB6, 0x30, 0xD8, 0x4B, 0xE5, 0xD6, 0x39, 0x38,
1468 0x1E, 0x91, 0xDE, 0xB4, 0x5C, 0xFE, 0x77, 0x8F, 0x63, 0x7C,
1469 0x10, 0x01
1470 }
1471};
1472
1473static const struct {
1474 EC_CURVE_DATA h;
1475 unsigned char data[20 + 72 * 6];
1476}
1477 _EC_NIST_CHAR2_571B = {
1478 {
1479 NID_X9_62_characteristic_two_field, 20, 72, 2
1480 },
1481 {
1482 0x2A, 0xA0, 0x58, 0xF7, 0x3A, 0x0E, 0x33, 0xAB, 0x48, 0x6B, /* seed */
1483 0x0F, 0x61, 0x04, 0x10, 0xC5, 0x3A, 0x7F, 0x13, 0x23, 0x10,
1484
1485 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1486 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1487 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1488 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1489 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1490 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1491 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1492 0x04, 0x25,
1493 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1494 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1500 0x00, 0x01,
1501 0x02, 0xF4, 0x0E, 0x7E, 0x22, 0x21, 0xF2, 0x95, 0xDE, 0x29, /* b */
1502 0x71, 0x17, 0xB7, 0xF3, 0xD6, 0x2F, 0x5C, 0x6A, 0x97, 0xFF,
1503 0xCB, 0x8C, 0xEF, 0xF1, 0xCD, 0x6B, 0xA8, 0xCE, 0x4A, 0x9A,
1504 0x18, 0xAD, 0x84, 0xFF, 0xAB, 0xBD, 0x8E, 0xFA, 0x59, 0x33,
1505 0x2B, 0xE7, 0xAD, 0x67, 0x56, 0xA6, 0x6E, 0x29, 0x4A, 0xFD,
1506 0x18, 0x5A, 0x78, 0xFF, 0x12, 0xAA, 0x52, 0x0E, 0x4D, 0xE7,
1507 0x39, 0xBA, 0xCA, 0x0C, 0x7F, 0xFE, 0xFF, 0x7F, 0x29, 0x55,
1508 0x72, 0x7A,
1509 0x03, 0x03, 0x00, 0x1D, 0x34, 0xB8, 0x56, 0x29, 0x6C, 0x16, /* x */
1510 0xC0, 0xD4, 0x0D, 0x3C, 0xD7, 0x75, 0x0A, 0x93, 0xD1, 0xD2,
1511 0x95, 0x5F, 0xA8, 0x0A, 0xA5, 0xF4, 0x0F, 0xC8, 0xDB, 0x7B,
1512 0x2A, 0xBD, 0xBD, 0xE5, 0x39, 0x50, 0xF4, 0xC0, 0xD2, 0x93,
1513 0xCD, 0xD7, 0x11, 0xA3, 0x5B, 0x67, 0xFB, 0x14, 0x99, 0xAE,
1514 0x60, 0x03, 0x86, 0x14, 0xF1, 0x39, 0x4A, 0xBF, 0xA3, 0xB4,
1515 0xC8, 0x50, 0xD9, 0x27, 0xE1, 0xE7, 0x76, 0x9C, 0x8E, 0xEC,
1516 0x2D, 0x19,
1517 0x03, 0x7B, 0xF2, 0x73, 0x42, 0xDA, 0x63, 0x9B, 0x6D, 0xCC, /* y */
1518 0xFF, 0xFE, 0xB7, 0x3D, 0x69, 0xD7, 0x8C, 0x6C, 0x27, 0xA6,
1519 0x00, 0x9C, 0xBB, 0xCA, 0x19, 0x80, 0xF8, 0x53, 0x39, 0x21,
1520 0xE8, 0xA6, 0x84, 0x42, 0x3E, 0x43, 0xBA, 0xB0, 0x8A, 0x57,
1521 0x62, 0x91, 0xAF, 0x8F, 0x46, 0x1B, 0xB2, 0xA8, 0xB3, 0x53,
1522 0x1D, 0x2F, 0x04, 0x85, 0xC1, 0x9B, 0x16, 0xE2, 0xF1, 0x51,
1523 0x6E, 0x23, 0xDD, 0x3C, 0x1A, 0x48, 0x27, 0xAF, 0x1B, 0x8A,
1524 0xC1, 0x5B,
1525 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1526 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1527 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1528 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE6, 0x61, 0xCE, 0x18,
1529 0xFF, 0x55, 0x98, 0x73, 0x08, 0x05, 0x9B, 0x18, 0x68, 0x23,
1530 0x85, 0x1E, 0xC7, 0xDD, 0x9C, 0xA1, 0x16, 0x1D, 0xE9, 0x3D,
1531 0x51, 0x74, 0xD6, 0x6E, 0x83, 0x82, 0xE9, 0xBB, 0x2F, 0xE8,
1532 0x4E, 0x47
1533 }
1534};
1535
1536static const struct {
1537 EC_CURVE_DATA h;
1538 unsigned char data[20 + 21 * 6];
1539}
1540 _EC_X9_62_CHAR2_163V1 = {
1541 {
1542 NID_X9_62_characteristic_two_field, 20, 21, 2
1543 },
1544 {
1545 0xD2, 0xC0, 0xFB, 0x15, 0x76, 0x08, 0x60, 0xDE, 0xF1, 0xEE,
1546 0xF4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x54, /* seed */
1547
1548 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1549 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1550 0x07,
1551 0x07, 0x25, 0x46, 0xB5, 0x43, 0x52, 0x34, 0xA4, 0x22, 0xE0, /* a */
1552 0x78, 0x96, 0x75, 0xF4, 0x32, 0xC8, 0x94, 0x35, 0xDE, 0x52,
1553 0x42,
1554 0x00, 0xC9, 0x51, 0x7D, 0x06, 0xD5, 0x24, 0x0D, 0x3C, 0xFF, /* b */
1555 0x38, 0xC7, 0x4B, 0x20, 0xB6, 0xCD, 0x4D, 0x6F, 0x9D, 0xD4,
1556 0xD9,
1557 0x07, 0xAF, 0x69, 0x98, 0x95, 0x46, 0x10, 0x3D, 0x79, 0x32, /* x */
1558 0x9F, 0xCC, 0x3D, 0x74, 0x88, 0x0F, 0x33, 0xBB, 0xE8, 0x03,
1559 0xCB,
1560 0x01, 0xEC, 0x23, 0x21, 0x1B, 0x59, 0x66, 0xAD, 0xEA, 0x1D, /* y */
1561 0x3F, 0x87, 0xF7, 0xEA, 0x58, 0x48, 0xAE, 0xF0, 0xB7, 0xCA,
1562 0x9F,
1563 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1564 0x01, 0xE6, 0x0F, 0xC8, 0x82, 0x1C, 0xC7, 0x4D, 0xAE, 0xAF,
1565 0xC1
1566 }
1567};
1568
1569static const struct {
1570 EC_CURVE_DATA h;
1571 unsigned char data[20 + 21 * 6];
1572}
1573 _EC_X9_62_CHAR2_163V2 = {
1574 {
1575 NID_X9_62_characteristic_two_field, 20, 21, 2
1576 },
1577 {
1578 0x53, 0x81, 0x4C, 0x05, 0x0D, 0x44, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1579 0x87, 0x56, 0x15, 0x17, 0x58, 0x0C, 0xA4, 0xE2, 0x9F, 0xFD,
1580
1581 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1582 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1583 0x07,
1584 0x01, 0x08, 0xB3, 0x9E, 0x77, 0xC4, 0xB1, 0x08, 0xBE, 0xD9, /* a */
1585 0x81, 0xED, 0x0E, 0x89, 0x0E, 0x11, 0x7C, 0x51, 0x1C, 0xF0,
1586 0x72,
1587 0x06, 0x67, 0xAC, 0xEB, 0x38, 0xAF, 0x4E, 0x48, 0x8C, 0x40, /* b */
1588 0x74, 0x33, 0xFF, 0xAE, 0x4F, 0x1C, 0x81, 0x16, 0x38, 0xDF,
1589 0x20,
1590 0x00, 0x24, 0x26, 0x6E, 0x4E, 0xB5, 0x10, 0x6D, 0x0A, 0x96, /* x */
1591 0x4D, 0x92, 0xC4, 0x86, 0x0E, 0x26, 0x71, 0xDB, 0x9B, 0x6C,
1592 0xC5,
1593 0x07, 0x9F, 0x68, 0x4D, 0xDF, 0x66, 0x84, 0xC5, 0xCD, 0x25, /* y */
1594 0x8B, 0x38, 0x90, 0x02, 0x1B, 0x23, 0x86, 0xDF, 0xD1, 0x9F,
1595 0xC5,
1596 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1597 0xFD, 0xF6, 0x4D, 0xE1, 0x15, 0x1A, 0xDB, 0xB7, 0x8F, 0x10,
1598 0xA7
1599 }
1600};
1601
1602static const struct {
1603 EC_CURVE_DATA h;
1604 unsigned char data[20 + 21 * 6];
1605}
1606 _EC_X9_62_CHAR2_163V3 = {
1607 {
1608 NID_X9_62_characteristic_two_field, 20, 21, 2
1609 },
1610 {
1611 0x50, 0xCB, 0xF1, 0xD9, 0x5C, 0xA9, 0x4D, 0x69, 0x6E, 0x67, /* seed */
1612 0x68, 0x75, 0x61, 0x51, 0x75, 0xF1, 0x6A, 0x36, 0xA3, 0xB8,
1613
1614 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1615 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1616 0x07,
1617 0x07, 0xA5, 0x26, 0xC6, 0x3D, 0x3E, 0x25, 0xA2, 0x56, 0xA0, /* a */
1618 0x07, 0x69, 0x9F, 0x54, 0x47, 0xE3, 0x2A, 0xE4, 0x56, 0xB5,
1619 0x0E,
1620 0x03, 0xF7, 0x06, 0x17, 0x98, 0xEB, 0x99, 0xE2, 0x38, 0xFD, /* b */
1621 0x6F, 0x1B, 0xF9, 0x5B, 0x48, 0xFE, 0xEB, 0x48, 0x54, 0x25,
1622 0x2B,
1623 0x02, 0xF9, 0xF8, 0x7B, 0x7C, 0x57, 0x4D, 0x0B, 0xDE, 0xCF, /* x */
1624 0x8A, 0x22, 0xE6, 0x52, 0x47, 0x75, 0xF9, 0x8C, 0xDE, 0xBD,
1625 0xCB,
1626 0x05, 0xB9, 0x35, 0x59, 0x0C, 0x15, 0x5E, 0x17, 0xEA, 0x48, /* y */
1627 0xEB, 0x3F, 0xF3, 0x71, 0x8B, 0x89, 0x3D, 0xF5, 0x9A, 0x05,
1628 0xD0,
1629 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1630 0xFE, 0x1A, 0xEE, 0x14, 0x0F, 0x11, 0x0A, 0xFF, 0x96, 0x13,
1631 0x09
1632 }
1633};
1634
1635static const struct {
1636 EC_CURVE_DATA h;
1637 unsigned char data[0 + 23 * 6];
1638}
1639 _EC_X9_62_CHAR2_176V1 = {
1640 {
1641 NID_X9_62_characteristic_two_field, 0, 23, 0xFF6E
1642 },
1643 { /* no seed */
1644 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1645 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00,
1646 0x00, 0x00, 0x07,
1647 0x00, 0xE4, 0xE6, 0xDB, 0x29, 0x95, 0x06, 0x5C, 0x40, 0x7D, /* a */
1648 0x9D, 0x39, 0xB8, 0xD0, 0x96, 0x7B, 0x96, 0x70, 0x4B, 0xA8,
1649 0xE9, 0xC9, 0x0B,
1650 0x00, 0x5D, 0xDA, 0x47, 0x0A, 0xBE, 0x64, 0x14, 0xDE, 0x8E, /* b */
1651 0xC1, 0x33, 0xAE, 0x28, 0xE9, 0xBB, 0xD7, 0xFC, 0xEC, 0x0A,
1652 0xE0, 0xFF, 0xF2,
1653 0x00, 0x8D, 0x16, 0xC2, 0x86, 0x67, 0x98, 0xB6, 0x00, 0xF9, /* x */
1654 0xF0, 0x8B, 0xB4, 0xA8, 0xE8, 0x60, 0xF3, 0x29, 0x8C, 0xE0,
1655 0x4A, 0x57, 0x98,
1656 0x00, 0x6F, 0xA4, 0x53, 0x9C, 0x2D, 0xAD, 0xDD, 0xD6, 0xBA, /* y */
1657 0xB5, 0x16, 0x7D, 0x61, 0xB4, 0x36, 0xE1, 0xD9, 0x2B, 0xB1,
1658 0x6A, 0x56, 0x2C,
1659 0x00, 0x00, 0x01, 0x00, 0x92, 0x53, 0x73, 0x97, 0xEC, 0xA4, /* order */
1660 0xF6, 0x14, 0x57, 0x99, 0xD6, 0x2B, 0x0A, 0x19, 0xCE, 0x06,
1661 0xFE, 0x26, 0xAD
1662 }
1663};
1664
1665static const struct {
1666 EC_CURVE_DATA h;
1667 unsigned char data[20 + 24 * 6];
1668}
1669 _EC_X9_62_CHAR2_191V1 = {
1670 {
1671 NID_X9_62_characteristic_two_field, 20, 24, 2
1672 },
1673 {
1674 0x4E, 0x13, 0xCA, 0x54, 0x27, 0x44, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1675 0x87, 0x56, 0x15, 0x17, 0x55, 0x2F, 0x27, 0x9A, 0x8C, 0x84,
1676
1677 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1678 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1679 0x00, 0x00, 0x02, 0x01,
1680 0x28, 0x66, 0x53, 0x7B, 0x67, 0x67, 0x52, 0x63, 0x6A, 0x68, /* a */
1681 0xF5, 0x65, 0x54, 0xE1, 0x26, 0x40, 0x27, 0x6B, 0x64, 0x9E,
1682 0xF7, 0x52, 0x62, 0x67,
1683 0x2E, 0x45, 0xEF, 0x57, 0x1F, 0x00, 0x78, 0x6F, 0x67, 0xB0, /* b */
1684 0x08, 0x1B, 0x94, 0x95, 0xA3, 0xD9, 0x54, 0x62, 0xF5, 0xDE,
1685 0x0A, 0xA1, 0x85, 0xEC,
1686 0x36, 0xB3, 0xDA, 0xF8, 0xA2, 0x32, 0x06, 0xF9, 0xC4, 0xF2, /* x */
1687 0x99, 0xD7, 0xB2, 0x1A, 0x9C, 0x36, 0x91, 0x37, 0xF2, 0xC8,
1688 0x4A, 0xE1, 0xAA, 0x0D,
1689 0x76, 0x5B, 0xE7, 0x34, 0x33, 0xB3, 0xF9, 0x5E, 0x33, 0x29, /* y */
1690 0x32, 0xE7, 0x0E, 0xA2, 0x45, 0xCA, 0x24, 0x18, 0xEA, 0x0E,
1691 0xF9, 0x80, 0x18, 0xFB,
1692 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1693 0x00, 0x00, 0x04, 0xA2, 0x0E, 0x90, 0xC3, 0x90, 0x67, 0xC8,
1694 0x93, 0xBB, 0xB9, 0xA5
1695 }
1696};
1697
1698static const struct {
1699 EC_CURVE_DATA h;
1700 unsigned char data[20 + 24 * 6];
1701}
1702 _EC_X9_62_CHAR2_191V2 = {
1703 {
1704 NID_X9_62_characteristic_two_field, 20, 24, 4
1705 },
1706 {
1707 0x08, 0x71, 0xEF, 0x2F, 0xEF, 0x24, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1708 0x87, 0x56, 0x15, 0x17, 0x58, 0xBE, 0xE0, 0xD9, 0x5C, 0x15,
1709
1710 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1711 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1712 0x00, 0x00, 0x02, 0x01,
1713 0x40, 0x10, 0x28, 0x77, 0x4D, 0x77, 0x77, 0xC7, 0xB7, 0x66, /* a */
1714 0x6D, 0x13, 0x66, 0xEA, 0x43, 0x20, 0x71, 0x27, 0x4F, 0x89,
1715 0xFF, 0x01, 0xE7, 0x18,
1716 0x06, 0x20, 0x04, 0x8D, 0x28, 0xBC, 0xBD, 0x03, 0xB6, 0x24, /* b */
1717 0x9C, 0x99, 0x18, 0x2B, 0x7C, 0x8C, 0xD1, 0x97, 0x00, 0xC3,
1718 0x62, 0xC4, 0x6A, 0x01,
1719 0x38, 0x09, 0xB2, 0xB7, 0xCC, 0x1B, 0x28, 0xCC, 0x5A, 0x87, /* x */
1720 0x92, 0x6A, 0xAD, 0x83, 0xFD, 0x28, 0x78, 0x9E, 0x81, 0xE2,
1721 0xC9, 0xE3, 0xBF, 0x10,
1722 0x17, 0x43, 0x43, 0x86, 0x62, 0x6D, 0x14, 0xF3, 0xDB, 0xF0, /* y */
1723 0x17, 0x60, 0xD9, 0x21, 0x3A, 0x3E, 0x1C, 0xF3, 0x7A, 0xEC,
1724 0x43, 0x7D, 0x66, 0x8A,
1725 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1726 0x00, 0x00, 0x50, 0x50, 0x8C, 0xB8, 0x9F, 0x65, 0x28, 0x24,
1727 0xE0, 0x6B, 0x81, 0x73
1728 }
1729};
1730
1731static const struct {
1732 EC_CURVE_DATA h;
1733 unsigned char data[20 + 24 * 6];
1734}
1735 _EC_X9_62_CHAR2_191V3 = {
1736 {
1737 NID_X9_62_characteristic_two_field, 20, 24, 6
1738 },
1739 {
1740 0xE0, 0x53, 0x51, 0x2D, 0xC6, 0x84, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1741 0x87, 0x56, 0x15, 0x17, 0x50, 0x67, 0xAE, 0x78, 0x6D, 0x1F,
1742
1743 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1745 0x00, 0x00, 0x02, 0x01,
1746 0x6C, 0x01, 0x07, 0x47, 0x56, 0x09, 0x91, 0x22, 0x22, 0x10, /* a */
1747 0x56, 0x91, 0x1C, 0x77, 0xD7, 0x7E, 0x77, 0xA7, 0x77, 0xE7,
1748 0xE7, 0xE7, 0x7F, 0xCB,
1749 0x71, 0xFE, 0x1A, 0xF9, 0x26, 0xCF, 0x84, 0x79, 0x89, 0xEF, /* b */
1750 0xEF, 0x8D, 0xB4, 0x59, 0xF6, 0x63, 0x94, 0xD9, 0x0F, 0x32,
1751 0xAD, 0x3F, 0x15, 0xE8,
1752 0x37, 0x5D, 0x4C, 0xE2, 0x4F, 0xDE, 0x43, 0x44, 0x89, 0xDE, /* x */
1753 0x87, 0x46, 0xE7, 0x17, 0x86, 0x01, 0x50, 0x09, 0xE6, 0x6E,
1754 0x38, 0xA9, 0x26, 0xDD,
1755 0x54, 0x5A, 0x39, 0x17, 0x61, 0x96, 0x57, 0x5D, 0x98, 0x59, /* y */
1756 0x99, 0x36, 0x6E, 0x6A, 0xD3, 0x4C, 0xE0, 0xA7, 0x7C, 0xD7,
1757 0x12, 0x7B, 0x06, 0xBE,
1758 0x15, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, /* order */
1759 0x55, 0x55, 0x61, 0x0C, 0x0B, 0x19, 0x68, 0x12, 0xBF, 0xB6,
1760 0x28, 0x8A, 0x3E, 0xA3
1761 }
1762};
1763
1764static const struct {
1765 EC_CURVE_DATA h;
1766 unsigned char data[0 + 27 * 6];
1767}
1768 _EC_X9_62_CHAR2_208W1 = {
1769 {
1770 NID_X9_62_characteristic_two_field, 0, 27, 0xFE48
1771 },
1772 { /* no seed */
1773 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1774 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
1775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1779 0x00, 0xC8, 0x61, 0x9E, 0xD4, 0x5A, 0x62, 0xE6, 0x21, 0x2E, /* b */
1780 0x11, 0x60, 0x34, 0x9E, 0x2B, 0xFA, 0x84, 0x44, 0x39, 0xFA,
1781 0xFC, 0x2A, 0x3F, 0xD1, 0x63, 0x8F, 0x9E,
1782 0x00, 0x89, 0xFD, 0xFB, 0xE4, 0xAB, 0xE1, 0x93, 0xDF, 0x95, /* x */
1783 0x59, 0xEC, 0xF0, 0x7A, 0xC0, 0xCE, 0x78, 0x55, 0x4E, 0x27,
1784 0x84, 0xEB, 0x8C, 0x1E, 0xD1, 0xA5, 0x7A,
1785 0x00, 0x0F, 0x55, 0xB5, 0x1A, 0x06, 0xE7, 0x8E, 0x9A, 0xC3, /* y */
1786 0x8A, 0x03, 0x5F, 0xF5, 0x20, 0xD8, 0xB0, 0x17, 0x81, 0xBE,
1787 0xB1, 0xA6, 0xBB, 0x08, 0x61, 0x7D, 0xE3,
1788 0x00, 0x00, 0x01, 0x01, 0xBA, 0xF9, 0x5C, 0x97, 0x23, 0xC5, /* order */
1789 0x7B, 0x6C, 0x21, 0xDA, 0x2E, 0xFF, 0x2D, 0x5E, 0xD5, 0x88,
1790 0xBD, 0xD5, 0x71, 0x7E, 0x21, 0x2F, 0x9D
1791 }
1792};
1793
1794static const struct {
1795 EC_CURVE_DATA h;
1796 unsigned char data[20 + 30 * 6];
1797}
1798 _EC_X9_62_CHAR2_239V1 = {
1799 {
1800 NID_X9_62_characteristic_two_field, 20, 30, 4
1801 },
1802 {
1803 0xD3, 0x4B, 0x9A, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, /* seed */
1804 0x51, 0x75, 0xCA, 0x71, 0xB9, 0x20, 0xBF, 0xEF, 0xB0, 0x5D,
1805
1806 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1807 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1808 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01,
1809
1810 0x32, 0x01, 0x08, 0x57, 0x07, 0x7C, 0x54, 0x31, 0x12, 0x3A, /* a */
1811 0x46, 0xB8, 0x08, 0x90, 0x67, 0x56, 0xF5, 0x43, 0x42, 0x3E,
1812 0x8D, 0x27, 0x87, 0x75, 0x78, 0x12, 0x57, 0x78, 0xAC, 0x76,
1813
1814 0x79, 0x04, 0x08, 0xF2, 0xEE, 0xDA, 0xF3, 0x92, 0xB0, 0x12, /* b */
1815 0xED, 0xEF, 0xB3, 0x39, 0x2F, 0x30, 0xF4, 0x32, 0x7C, 0x0C,
1816 0xA3, 0xF3, 0x1F, 0xC3, 0x83, 0xC4, 0x22, 0xAA, 0x8C, 0x16,
1817
1818 0x57, 0x92, 0x70, 0x98, 0xFA, 0x93, 0x2E, 0x7C, 0x0A, 0x96, /* x */
1819 0xD3, 0xFD, 0x5B, 0x70, 0x6E, 0xF7, 0xE5, 0xF5, 0xC1, 0x56,
1820 0xE1, 0x6B, 0x7E, 0x7C, 0x86, 0x03, 0x85, 0x52, 0xE9, 0x1D,
1821
1822 0x61, 0xD8, 0xEE, 0x50, 0x77, 0xC3, 0x3F, 0xEC, 0xF6, 0xF1, /* y */
1823 0xA1, 0x6B, 0x26, 0x8D, 0xE4, 0x69, 0xC3, 0xC7, 0x74, 0x4E,
1824 0xA9, 0xA9, 0x71, 0x64, 0x9F, 0xC7, 0xA9, 0x61, 0x63, 0x05,
1825
1826 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1827 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x4D, 0x42, 0xFF, 0xE1,
1828 0x49, 0x2A, 0x49, 0x93, 0xF1, 0xCA, 0xD6, 0x66, 0xE4, 0x47
1829 }
1830};
1831
1832static const struct {
1833 EC_CURVE_DATA h;
1834 unsigned char data[20 + 30 * 6];
1835}
1836 _EC_X9_62_CHAR2_239V2 = {
1837 {
1838 NID_X9_62_characteristic_two_field, 20, 30, 6
1839 },
1840 {
1841 0x2A, 0xA6, 0x98, 0x2F, 0xDF, 0xA4, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1842 0x87, 0x56, 0x15, 0x17, 0x5D, 0x26, 0x67, 0x27, 0x27, 0x7D,
1843
1844 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1845 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1846 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01,
1847
1848 0x42, 0x30, 0x01, 0x77, 0x57, 0xA7, 0x67, 0xFA, 0xE4, 0x23, /* a */
1849 0x98, 0x56, 0x9B, 0x74, 0x63, 0x25, 0xD4, 0x53, 0x13, 0xAF,
1850 0x07, 0x66, 0x26, 0x64, 0x79, 0xB7, 0x56, 0x54, 0xE6, 0x5F,
1851
1852 0x50, 0x37, 0xEA, 0x65, 0x41, 0x96, 0xCF, 0xF0, 0xCD, 0x82, /* b */
1853 0xB2, 0xC1, 0x4A, 0x2F, 0xCF, 0x2E, 0x3F, 0xF8, 0x77, 0x52,
1854 0x85, 0xB5, 0x45, 0x72, 0x2F, 0x03, 0xEA, 0xCD, 0xB7, 0x4B,
1855
1856 0x28, 0xF9, 0xD0, 0x4E, 0x90, 0x00, 0x69, 0xC8, 0xDC, 0x47, /* x */
1857 0xA0, 0x85, 0x34, 0xFE, 0x76, 0xD2, 0xB9, 0x00, 0xB7, 0xD7,
1858 0xEF, 0x31, 0xF5, 0x70, 0x9F, 0x20, 0x0C, 0x4C, 0xA2, 0x05,
1859
1860 0x56, 0x67, 0x33, 0x4C, 0x45, 0xAF, 0xF3, 0xB5, 0xA0, 0x3B, /* y */
1861 0xAD, 0x9D, 0xD7, 0x5E, 0x2C, 0x71, 0xA9, 0x93, 0x62, 0x56,
1862 0x7D, 0x54, 0x53, 0xF7, 0xFA, 0x6E, 0x22, 0x7E, 0xC8, 0x33,
1863
1864 0x15, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, /* order */
1865 0x55, 0x55, 0x55, 0x55, 0x55, 0x3C, 0x6F, 0x28, 0x85, 0x25,
1866 0x9C, 0x31, 0xE3, 0xFC, 0xDF, 0x15, 0x46, 0x24, 0x52, 0x2D
1867 }
1868};
1869
1870static const struct {
1871 EC_CURVE_DATA h;
1872 unsigned char data[20 + 30 * 6];
1873}
1874 _EC_X9_62_CHAR2_239V3 = {
1875 {
1876 NID_X9_62_characteristic_two_field, 20, 30, 0xA
1877 },
1878 {
1879 0x9E, 0x07, 0x6F, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, /* seed */
1880 0x51, 0x75, 0xE1, 0x1E, 0x9F, 0xDD, 0x77, 0xF9, 0x20, 0x41,
1881
1882 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1883 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1884 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01,
1885
1886 0x01, 0x23, 0x87, 0x74, 0x66, 0x6A, 0x67, 0x76, 0x6D, 0x66, /* a */
1887 0x76, 0xF7, 0x78, 0xE6, 0x76, 0xB6, 0x69, 0x99, 0x17, 0x66,
1888 0x66, 0xE6, 0x87, 0x66, 0x6D, 0x87, 0x66, 0xC6, 0x6A, 0x9F,
1889
1890 0x6A, 0x94, 0x19, 0x77, 0xBA, 0x9F, 0x6A, 0x43, 0x51, 0x99, /* b */
1891 0xAC, 0xFC, 0x51, 0x06, 0x7E, 0xD5, 0x87, 0xF5, 0x19, 0xC5,
1892 0xEC, 0xB5, 0x41, 0xB8, 0xE4, 0x41, 0x11, 0xDE, 0x1D, 0x40,
1893
1894 0x70, 0xF6, 0xE9, 0xD0, 0x4D, 0x28, 0x9C, 0x4E, 0x89, 0x91, /* x */
1895 0x3C, 0xE3, 0x53, 0x0B, 0xFD, 0xE9, 0x03, 0x97, 0x7D, 0x42,
1896 0xB1, 0x46, 0xD5, 0x39, 0xBF, 0x1B, 0xDE, 0x4E, 0x9C, 0x92,
1897
1898 0x2E, 0x5A, 0x0E, 0xAF, 0x6E, 0x5E, 0x13, 0x05, 0xB9, 0x00, /* y */
1899 0x4D, 0xCE, 0x5C, 0x0E, 0xD7, 0xFE, 0x59, 0xA3, 0x56, 0x08,
1900 0xF3, 0x38, 0x37, 0xC8, 0x16, 0xD8, 0x0B, 0x79, 0xF4, 0x61,
1901
1902 0x0C, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, /* order */
1903 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xAC, 0x49, 0x12, 0xD2, 0xD9,
1904 0xDF, 0x90, 0x3E, 0xF9, 0x88, 0x8B, 0x8A, 0x0E, 0x4C, 0xFF
1905 }
1906};
1907
1908static const struct {
1909 EC_CURVE_DATA h;
1910 unsigned char data[0 + 35 * 6];
1911}
1912 _EC_X9_62_CHAR2_272W1 = {
1913 {
1914 NID_X9_62_characteristic_two_field, 0, 35, 0xFF06
1915 },
1916 { /* no seed */
1917 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1918 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1919 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
1920 0x00, 0x00, 0x00, 0x00, 0x0B,
1921 0x00, 0x91, 0xA0, 0x91, 0xF0, 0x3B, 0x5F, 0xBA, 0x4A, 0xB2, /* a */
1922 0xCC, 0xF4, 0x9C, 0x4E, 0xDD, 0x22, 0x0F, 0xB0, 0x28, 0x71,
1923 0x2D, 0x42, 0xBE, 0x75, 0x2B, 0x2C, 0x40, 0x09, 0x4D, 0xBA,
1924 0xCD, 0xB5, 0x86, 0xFB, 0x20,
1925 0x00, 0x71, 0x67, 0xEF, 0xC9, 0x2B, 0xB2, 0xE3, 0xCE, 0x7C, /* b */
1926 0x8A, 0xAA, 0xFF, 0x34, 0xE1, 0x2A, 0x9C, 0x55, 0x70, 0x03,
1927 0xD7, 0xC7, 0x3A, 0x6F, 0xAF, 0x00, 0x3F, 0x99, 0xF6, 0xCC,
1928 0x84, 0x82, 0xE5, 0x40, 0xF7,
1929 0x00, 0x61, 0x08, 0xBA, 0xBB, 0x2C, 0xEE, 0xBC, 0xF7, 0x87, /* x */
1930 0x05, 0x8A, 0x05, 0x6C, 0xBE, 0x0C, 0xFE, 0x62, 0x2D, 0x77,
1931 0x23, 0xA2, 0x89, 0xE0, 0x8A, 0x07, 0xAE, 0x13, 0xEF, 0x0D,
1932 0x10, 0xD1, 0x71, 0xDD, 0x8D,
1933 0x00, 0x10, 0xC7, 0x69, 0x57, 0x16, 0x85, 0x1E, 0xEF, 0x6B, /* y */
1934 0xA7, 0xF6, 0x87, 0x2E, 0x61, 0x42, 0xFB, 0xD2, 0x41, 0xB8,
1935 0x30, 0xFF, 0x5E, 0xFC, 0xAC, 0xEC, 0xCA, 0xB0, 0x5E, 0x02,
1936 0x00, 0x5D, 0xDE, 0x9D, 0x23,
1937 0x00, 0x00, 0x01, 0x00, 0xFA, 0xF5, 0x13, 0x54, 0xE0, 0xE3, /* order */
1938 0x9E, 0x48, 0x92, 0xDF, 0x6E, 0x31, 0x9C, 0x72, 0xC8, 0x16,
1939 0x16, 0x03, 0xFA, 0x45, 0xAA, 0x7B, 0x99, 0x8A, 0x16, 0x7B,
1940 0x8F, 0x1E, 0x62, 0x95, 0x21
1941 }
1942};
1943
1944static const struct {
1945 EC_CURVE_DATA h;
1946 unsigned char data[0 + 39 * 6];
1947}
1948 _EC_X9_62_CHAR2_304W1 = {
1949 {
1950 NID_X9_62_characteristic_two_field, 0, 39, 0xFE2E
1951 },
1952 { /* no seed */
1953 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1954 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1955 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1956 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x07,
1957 0x00, 0xFD, 0x0D, 0x69, 0x31, 0x49, 0xA1, 0x18, 0xF6, 0x51, /* a */
1958 0xE6, 0xDC, 0xE6, 0x80, 0x20, 0x85, 0x37, 0x7E, 0x5F, 0x88,
1959 0x2D, 0x1B, 0x51, 0x0B, 0x44, 0x16, 0x00, 0x74, 0xC1, 0x28,
1960 0x80, 0x78, 0x36, 0x5A, 0x03, 0x96, 0xC8, 0xE6, 0x81,
1961 0x00, 0xBD, 0xDB, 0x97, 0xE5, 0x55, 0xA5, 0x0A, 0x90, 0x8E, /* b */
1962 0x43, 0xB0, 0x1C, 0x79, 0x8E, 0xA5, 0xDA, 0xA6, 0x78, 0x8F,
1963 0x1E, 0xA2, 0x79, 0x4E, 0xFC, 0xF5, 0x71, 0x66, 0xB8, 0xC1,
1964 0x40, 0x39, 0x60, 0x1E, 0x55, 0x82, 0x73, 0x40, 0xBE,
1965 0x00, 0x19, 0x7B, 0x07, 0x84, 0x5E, 0x9B, 0xE2, 0xD9, 0x6A, /* x */
1966 0xDB, 0x0F, 0x5F, 0x3C, 0x7F, 0x2C, 0xFF, 0xBD, 0x7A, 0x3E,
1967 0xB8, 0xB6, 0xFE, 0xC3, 0x5C, 0x7F, 0xD6, 0x7F, 0x26, 0xDD,
1968 0xF6, 0x28, 0x5A, 0x64, 0x4F, 0x74, 0x0A, 0x26, 0x14,
1969 0x00, 0xE1, 0x9F, 0xBE, 0xB7, 0x6E, 0x0D, 0xA1, 0x71, 0x51, /* y */
1970 0x7E, 0xCF, 0x40, 0x1B, 0x50, 0x28, 0x9B, 0xF0, 0x14, 0x10,
1971 0x32, 0x88, 0x52, 0x7A, 0x9B, 0x41, 0x6A, 0x10, 0x5E, 0x80,
1972 0x26, 0x0B, 0x54, 0x9F, 0xDC, 0x1B, 0x92, 0xC0, 0x3B,
1973 0x00, 0x00, 0x01, 0x01, 0xD5, 0x56, 0x57, 0x2A, 0xAB, 0xAC, /* order */
1974 0x80, 0x01, 0x01, 0xD5, 0x56, 0x57, 0x2A, 0xAB, 0xAC, 0x80,
1975 0x01, 0x02, 0x2D, 0x5C, 0x91, 0xDD, 0x17, 0x3F, 0x8F, 0xB5,
1976 0x61, 0xDA, 0x68, 0x99, 0x16, 0x44, 0x43, 0x05, 0x1D
1977 }
1978};
1979
1980static const struct {
1981 EC_CURVE_DATA h;
1982 unsigned char data[20 + 45 * 6];
1983}
1984 _EC_X9_62_CHAR2_359V1 = {
1985 {
1986 NID_X9_62_characteristic_two_field, 20, 45, 0x4C
1987 },
1988 {
1989 0x2B, 0x35, 0x49, 0x20, 0xB7, 0x24, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1990 0x87, 0x56, 0x15, 0x17, 0x58, 0x5B, 0xA1, 0x33, 0x2D, 0xC6,
1991
1992 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1993 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1994 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1995 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
1996 0x00, 0x00, 0x00, 0x00, 0x01,
1997 0x56, 0x67, 0x67, 0x6A, 0x65, 0x4B, 0x20, 0x75, 0x4F, 0x35, /* a */
1998 0x6E, 0xA9, 0x20, 0x17, 0xD9, 0x46, 0x56, 0x7C, 0x46, 0x67,
1999 0x55, 0x56, 0xF1, 0x95, 0x56, 0xA0, 0x46, 0x16, 0xB5, 0x67,
2000 0xD2, 0x23, 0xA5, 0xE0, 0x56, 0x56, 0xFB, 0x54, 0x90, 0x16,
2001 0xA9, 0x66, 0x56, 0xA5, 0x57,
2002 0x24, 0x72, 0xE2, 0xD0, 0x19, 0x7C, 0x49, 0x36, 0x3F, 0x1F, /* b */
2003 0xE7, 0xF5, 0xB6, 0xDB, 0x07, 0x5D, 0x52, 0xB6, 0x94, 0x7D,
2004 0x13, 0x5D, 0x8C, 0xA4, 0x45, 0x80, 0x5D, 0x39, 0xBC, 0x34,
2005 0x56, 0x26, 0x08, 0x96, 0x87, 0x74, 0x2B, 0x63, 0x29, 0xE7,
2006 0x06, 0x80, 0x23, 0x19, 0x88,
2007 0x3C, 0x25, 0x8E, 0xF3, 0x04, 0x77, 0x67, 0xE7, 0xED, 0xE0, /* x */
2008 0xF1, 0xFD, 0xAA, 0x79, 0xDA, 0xEE, 0x38, 0x41, 0x36, 0x6A,
2009 0x13, 0x2E, 0x16, 0x3A, 0xCE, 0xD4, 0xED, 0x24, 0x01, 0xDF,
2010 0x9C, 0x6B, 0xDC, 0xDE, 0x98, 0xE8, 0xE7, 0x07, 0xC0, 0x7A,
2011 0x22, 0x39, 0xB1, 0xB0, 0x97,
2012 0x53, 0xD7, 0xE0, 0x85, 0x29, 0x54, 0x70, 0x48, 0x12, 0x1E, /* y */
2013 0x9C, 0x95, 0xF3, 0x79, 0x1D, 0xD8, 0x04, 0x96, 0x39, 0x48,
2014 0xF3, 0x4F, 0xAE, 0x7B, 0xF4, 0x4E, 0xA8, 0x23, 0x65, 0xDC,
2015 0x78, 0x68, 0xFE, 0x57, 0xE4, 0xAE, 0x2D, 0xE2, 0x11, 0x30,
2016 0x5A, 0x40, 0x71, 0x04, 0xBD,
2017 0x01, 0xAF, 0x28, 0x6B, 0xCA, 0x1A, 0xF2, 0x86, 0xBC, 0xA1, /* order */
2018 0xAF, 0x28, 0x6B, 0xCA, 0x1A, 0xF2, 0x86, 0xBC, 0xA1, 0xAF,
2019 0x28, 0x6B, 0xC9, 0xFB, 0x8F, 0x6B, 0x85, 0xC5, 0x56, 0x89,
2020 0x2C, 0x20, 0xA7, 0xEB, 0x96, 0x4F, 0xE7, 0x71, 0x9E, 0x74,
2021 0xF4, 0x90, 0x75, 0x8D, 0x3B
2022 }
2023};
2024
2025static const struct {
2026 EC_CURVE_DATA h;
2027 unsigned char data[0 + 47 * 6];
2028}
2029 _EC_X9_62_CHAR2_368W1 = {
2030 {
2031 NID_X9_62_characteristic_two_field, 0, 47, 0xFF70
2032 },
2033 { /* no seed */
2034 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2035 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2036 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2037 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
2038 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
2039 0x00, 0xE0, 0xD2, 0xEE, 0x25, 0x09, 0x52, 0x06, 0xF5, 0xE2, /* a */
2040 0xA4, 0xF9, 0xED, 0x22, 0x9F, 0x1F, 0x25, 0x6E, 0x79, 0xA0,
2041 0xE2, 0xB4, 0x55, 0x97, 0x0D, 0x8D, 0x0D, 0x86, 0x5B, 0xD9,
2042 0x47, 0x78, 0xC5, 0x76, 0xD6, 0x2F, 0x0A, 0xB7, 0x51, 0x9C,
2043 0xCD, 0x2A, 0x1A, 0x90, 0x6A, 0xE3, 0x0D,
2044 0x00, 0xFC, 0x12, 0x17, 0xD4, 0x32, 0x0A, 0x90, 0x45, 0x2C, /* b */
2045 0x76, 0x0A, 0x58, 0xED, 0xCD, 0x30, 0xC8, 0xDD, 0x06, 0x9B,
2046 0x3C, 0x34, 0x45, 0x38, 0x37, 0xA3, 0x4E, 0xD5, 0x0C, 0xB5,
2047 0x49, 0x17, 0xE1, 0xC2, 0x11, 0x2D, 0x84, 0xD1, 0x64, 0xF4,
2048 0x44, 0xF8, 0xF7, 0x47, 0x86, 0x04, 0x6A,
2049 0x00, 0x10, 0x85, 0xE2, 0x75, 0x53, 0x81, 0xDC, 0xCC, 0xE3, /* x */
2050 0xC1, 0x55, 0x7A, 0xFA, 0x10, 0xC2, 0xF0, 0xC0, 0xC2, 0x82,
2051 0x56, 0x46, 0xC5, 0xB3, 0x4A, 0x39, 0x4C, 0xBC, 0xFA, 0x8B,
2052 0xC1, 0x6B, 0x22, 0xE7, 0xE7, 0x89, 0xE9, 0x27, 0xBE, 0x21,
2053 0x6F, 0x02, 0xE1, 0xFB, 0x13, 0x6A, 0x5F,
2054 0x00, 0x7B, 0x3E, 0xB1, 0xBD, 0xDC, 0xBA, 0x62, 0xD5, 0xD8, /* y */
2055 0xB2, 0x05, 0x9B, 0x52, 0x57, 0x97, 0xFC, 0x73, 0x82, 0x2C,
2056 0x59, 0x05, 0x9C, 0x62, 0x3A, 0x45, 0xFF, 0x38, 0x43, 0xCE,
2057 0xE8, 0xF8, 0x7C, 0xD1, 0x85, 0x5A, 0xDA, 0xA8, 0x1E, 0x2A,
2058 0x07, 0x50, 0xB8, 0x0F, 0xDA, 0x23, 0x10,
2059 0x00, 0x00, 0x01, 0x00, 0x90, 0x51, 0x2D, 0xA9, 0xAF, 0x72, /* order */
2060 0xB0, 0x83, 0x49, 0xD9, 0x8A, 0x5D, 0xD4, 0xC7, 0xB0, 0x53,
2061 0x2E, 0xCA, 0x51, 0xCE, 0x03, 0xE2, 0xD1, 0x0F, 0x3B, 0x7A,
2062 0xC5, 0x79, 0xBD, 0x87, 0xE9, 0x09, 0xAE, 0x40, 0xA6, 0xF1,
2063 0x31, 0xE9, 0xCF, 0xCE, 0x5B, 0xD9, 0x67
2064 }
2065};
2066
2067static const struct {
2068 EC_CURVE_DATA h;
2069 unsigned char data[0 + 54 * 6];
2070}
2071 _EC_X9_62_CHAR2_431R1 = {
2072 {
2073 NID_X9_62_characteristic_two_field, 0, 54, 0x2760
2074 },
2075 { /* no seed */
2076 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2077 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2078 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2079 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2080 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2081 0x00, 0x00, 0x00, 0x01,
2082 0x1A, 0x82, 0x7E, 0xF0, 0x0D, 0xD6, 0xFC, 0x0E, 0x23, 0x4C, /* a */
2083 0xAF, 0x04, 0x6C, 0x6A, 0x5D, 0x8A, 0x85, 0x39, 0x5B, 0x23,
2084 0x6C, 0xC4, 0xAD, 0x2C, 0xF3, 0x2A, 0x0C, 0xAD, 0xBD, 0xC9,
2085 0xDD, 0xF6, 0x20, 0xB0, 0xEB, 0x99, 0x06, 0xD0, 0x95, 0x7F,
2086 0x6C, 0x6F, 0xEA, 0xCD, 0x61, 0x54, 0x68, 0xDF, 0x10, 0x4D,
2087 0xE2, 0x96, 0xCD, 0x8F,
2088 0x10, 0xD9, 0xB4, 0xA3, 0xD9, 0x04, 0x7D, 0x8B, 0x15, 0x43, /* b */
2089 0x59, 0xAB, 0xFB, 0x1B, 0x7F, 0x54, 0x85, 0xB0, 0x4C, 0xEB,
2090 0x86, 0x82, 0x37, 0xDD, 0xC9, 0xDE, 0xDA, 0x98, 0x2A, 0x67,
2091 0x9A, 0x5A, 0x91, 0x9B, 0x62, 0x6D, 0x4E, 0x50, 0xA8, 0xDD,
2092 0x73, 0x1B, 0x10, 0x7A, 0x99, 0x62, 0x38, 0x1F, 0xB5, 0xD8,
2093 0x07, 0xBF, 0x26, 0x18,
2094 0x12, 0x0F, 0xC0, 0x5D, 0x3C, 0x67, 0xA9, 0x9D, 0xE1, 0x61, /* x */
2095 0xD2, 0xF4, 0x09, 0x26, 0x22, 0xFE, 0xCA, 0x70, 0x1B, 0xE4,
2096 0xF5, 0x0F, 0x47, 0x58, 0x71, 0x4E, 0x8A, 0x87, 0xBB, 0xF2,
2097 0xA6, 0x58, 0xEF, 0x8C, 0x21, 0xE7, 0xC5, 0xEF, 0xE9, 0x65,
2098 0x36, 0x1F, 0x6C, 0x29, 0x99, 0xC0, 0xC2, 0x47, 0xB0, 0xDB,
2099 0xD7, 0x0C, 0xE6, 0xB7,
2100 0x20, 0xD0, 0xAF, 0x89, 0x03, 0xA9, 0x6F, 0x8D, 0x5F, 0xA2, /* y */
2101 0xC2, 0x55, 0x74, 0x5D, 0x3C, 0x45, 0x1B, 0x30, 0x2C, 0x93,
2102 0x46, 0xD9, 0xB7, 0xE4, 0x85, 0xE7, 0xBC, 0xE4, 0x1F, 0x6B,
2103 0x59, 0x1F, 0x3E, 0x8F, 0x6A, 0xDD, 0xCB, 0xB0, 0xBC, 0x4C,
2104 0x2F, 0x94, 0x7A, 0x7D, 0xE1, 0xA8, 0x9B, 0x62, 0x5D, 0x6A,
2105 0x59, 0x8B, 0x37, 0x60,
2106 0x00, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, /* order */
2107 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03,
2108 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x23,
2109 0xC3, 0x13, 0xFA, 0xB5, 0x05, 0x89, 0x70, 0x3B, 0x5E, 0xC6,
2110 0x8D, 0x35, 0x87, 0xFE, 0xC6, 0x0D, 0x16, 0x1C, 0xC1, 0x49,
2111 0xC1, 0xAD, 0x4A, 0x91
2112 }
2113};
2114
2115static const struct {
2116 EC_CURVE_DATA h;
2117 unsigned char data[0 + 15 * 6];
2118}
2119 _EC_WTLS_1 = {
2120 {
2121 NID_X9_62_characteristic_two_field, 0, 15, 2
2122 },
2123 { /* no seed */
2124 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2125 0x00, 0x00, 0x00, 0x02, 0x01,
2126 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
2127 0x00, 0x00, 0x00, 0x00, 0x01,
2128 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
2129 0x00, 0x00, 0x00, 0x00, 0x01,
2130 0x01, 0x66, 0x79, 0x79, 0xA4, 0x0B, 0xA4, 0x97, 0xE5, 0xD5, /* x */
2131 0xC2, 0x70, 0x78, 0x06, 0x17,
2132 0x00, 0xF4, 0x4B, 0x4A, 0xF1, 0xEC, 0xC2, 0x63, 0x0E, 0x08, /* y */
2133 0x78, 0x5C, 0xEB, 0xCC, 0x15,
2134 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xBF, /* order */
2135 0x91, 0xAF, 0x6D, 0xEA, 0x73
2136 }
2137};
2138
2139/* IPsec curves */
2140/* NOTE: The of curves over a extension field of non prime degree
2141 * is not recommended (Weil-descent).
2142 * As the group order is not a prime this curve is not suitable
2143 * for ECDSA.
2144 */
2145static const struct {
2146 EC_CURVE_DATA h;
2147 unsigned char data[0 + 20 * 6];
2148}
2149 _EC_IPSEC_155_ID3 = {
2150 {
2151 NID_X9_62_characteristic_two_field, 0, 20, 3
2152 },
2153 { /* no seed */
2154 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2155 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2156
2157 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
2158 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2159
2160 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
2161 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x33, 0x8f,
2162
2163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */
2164 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b,
2165
2166 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */
2167 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc8,
2168
2169 0x02, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, /* order */
2170 0xC7, 0xF3, 0xC7, 0x88, 0x1B, 0xD0, 0x86, 0x8F, 0xA8, 0x6C
2171 }
2172};
2173
2174/* NOTE: The of curves over a extension field of non prime degree
2175 * is not recommended (Weil-descent).
2176 * As the group order is not a prime this curve is not suitable
2177 * for ECDSA.
2178 */
2179static const struct {
2180 EC_CURVE_DATA h;
2181 unsigned char data[0 + 24 * 6];
2182}
2183 _EC_IPSEC_185_ID4 = {
2184 {
2185 NID_X9_62_characteristic_two_field, 0, 24, 2
2186 },
2187 { /* no seed */
2188 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2189 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
2190 0x00, 0x00, 0x00, 0x01,
2191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
2192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2193 0x00, 0x00, 0x00, 0x00,
2194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
2195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2196 0x00, 0x00, 0x1e, 0xe9,
2197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */
2198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2199 0x00, 0x00, 0x00, 0x18,
2200 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */
2201 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2202 0x00, 0x00, 0x00, 0x0d,
2203 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
2204 0xFF, 0xFF, 0xED, 0xF9, 0x7C, 0x44, 0xDB, 0x9F, 0x24, 0x20,
2205 0xBA, 0xFC, 0xA7, 0x5E
2206 }
2207};
2208
2209#endif
2210
2211/* These curves were added by Annie Yousar <a.yousar@informatik.hu-berlin.de> 864/* These curves were added by Annie Yousar <a.yousar@informatik.hu-berlin.de>
2212 * For the definition of RFC 5639 curves see 865 * For the definition of RFC 5639 curves see
2213 * https://www.ietf.org/rfc/rfc5639.txt 866 * https://www.ietf.org/rfc/rfc5639.txt
@@ -3196,69 +1849,11 @@ static const ec_list_element curve_list[] = {
3196 {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, "X9.62 curve over a 239 bit prime field"}, 1849 {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, "X9.62 curve over a 239 bit prime field"},
3197 {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, "X9.62 curve over a 239 bit prime field"}, 1850 {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, "X9.62 curve over a 239 bit prime field"},
3198 {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field"}, 1851 {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field"},
3199#ifndef OPENSSL_NO_EC2M
3200 /* characteristic two field curves */
3201 /* NIST/SECG curves */
3202 {NID_sect113r1, &_EC_SECG_CHAR2_113R1.h, 0, "SECG curve over a 113 bit binary field"},
3203 {NID_sect113r2, &_EC_SECG_CHAR2_113R2.h, 0, "SECG curve over a 113 bit binary field"},
3204 {NID_sect131r1, &_EC_SECG_CHAR2_131R1.h, 0, "SECG/WTLS curve over a 131 bit binary field"},
3205 {NID_sect131r2, &_EC_SECG_CHAR2_131R2.h, 0, "SECG curve over a 131 bit binary field"},
3206 {NID_sect163k1, &_EC_NIST_CHAR2_163K.h, 0, "NIST/SECG/WTLS curve over a 163 bit binary field"},
3207 {NID_sect163r1, &_EC_SECG_CHAR2_163R1.h, 0, "SECG curve over a 163 bit binary field"},
3208 {NID_sect163r2, &_EC_NIST_CHAR2_163B.h, 0, "NIST/SECG curve over a 163 bit binary field"},
3209 {NID_sect193r1, &_EC_SECG_CHAR2_193R1.h, 0, "SECG curve over a 193 bit binary field"},
3210 {NID_sect193r2, &_EC_SECG_CHAR2_193R2.h, 0, "SECG curve over a 193 bit binary field"},
3211 {NID_sect233k1, &_EC_NIST_CHAR2_233K.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
3212 {NID_sect233r1, &_EC_NIST_CHAR2_233B.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
3213 {NID_sect239k1, &_EC_SECG_CHAR2_239K1.h, 0, "SECG curve over a 239 bit binary field"},
3214 {NID_sect283k1, &_EC_NIST_CHAR2_283K.h, 0, "NIST/SECG curve over a 283 bit binary field"},
3215 {NID_sect283r1, &_EC_NIST_CHAR2_283B.h, 0, "NIST/SECG curve over a 283 bit binary field"},
3216 {NID_sect409k1, &_EC_NIST_CHAR2_409K.h, 0, "NIST/SECG curve over a 409 bit binary field"},
3217 {NID_sect409r1, &_EC_NIST_CHAR2_409B.h, 0, "NIST/SECG curve over a 409 bit binary field"},
3218 {NID_sect571k1, &_EC_NIST_CHAR2_571K.h, 0, "NIST/SECG curve over a 571 bit binary field"},
3219 {NID_sect571r1, &_EC_NIST_CHAR2_571B.h, 0, "NIST/SECG curve over a 571 bit binary field"},
3220 /* X9.62 curves */
3221 {NID_X9_62_c2pnb163v1, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"},
3222 {NID_X9_62_c2pnb163v2, &_EC_X9_62_CHAR2_163V2.h, 0, "X9.62 curve over a 163 bit binary field"},
3223 {NID_X9_62_c2pnb163v3, &_EC_X9_62_CHAR2_163V3.h, 0, "X9.62 curve over a 163 bit binary field"},
3224 {NID_X9_62_c2pnb176v1, &_EC_X9_62_CHAR2_176V1.h, 0, "X9.62 curve over a 176 bit binary field"},
3225 {NID_X9_62_c2tnb191v1, &_EC_X9_62_CHAR2_191V1.h, 0, "X9.62 curve over a 191 bit binary field"},
3226 {NID_X9_62_c2tnb191v2, &_EC_X9_62_CHAR2_191V2.h, 0, "X9.62 curve over a 191 bit binary field"},
3227 {NID_X9_62_c2tnb191v3, &_EC_X9_62_CHAR2_191V3.h, 0, "X9.62 curve over a 191 bit binary field"},
3228 {NID_X9_62_c2pnb208w1, &_EC_X9_62_CHAR2_208W1.h, 0, "X9.62 curve over a 208 bit binary field"},
3229 {NID_X9_62_c2tnb239v1, &_EC_X9_62_CHAR2_239V1.h, 0, "X9.62 curve over a 239 bit binary field"},
3230 {NID_X9_62_c2tnb239v2, &_EC_X9_62_CHAR2_239V2.h, 0, "X9.62 curve over a 239 bit binary field"},
3231 {NID_X9_62_c2tnb239v3, &_EC_X9_62_CHAR2_239V3.h, 0, "X9.62 curve over a 239 bit binary field"},
3232 {NID_X9_62_c2pnb272w1, &_EC_X9_62_CHAR2_272W1.h, 0, "X9.62 curve over a 272 bit binary field"},
3233 {NID_X9_62_c2pnb304w1, &_EC_X9_62_CHAR2_304W1.h, 0, "X9.62 curve over a 304 bit binary field"},
3234 {NID_X9_62_c2tnb359v1, &_EC_X9_62_CHAR2_359V1.h, 0, "X9.62 curve over a 359 bit binary field"},
3235 {NID_X9_62_c2pnb368w1, &_EC_X9_62_CHAR2_368W1.h, 0, "X9.62 curve over a 368 bit binary field"},
3236 {NID_X9_62_c2tnb431r1, &_EC_X9_62_CHAR2_431R1.h, 0, "X9.62 curve over a 431 bit binary field"},
3237 /*
3238 * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
3239 * from X9.62]
3240 */
3241 {NID_wap_wsg_idm_ecid_wtls1, &_EC_WTLS_1.h, 0, "WTLS curve over a 113 bit binary field"},
3242 {NID_wap_wsg_idm_ecid_wtls3, &_EC_NIST_CHAR2_163K.h, 0, "NIST/SECG/WTLS curve over a 163 bit binary field"},
3243 {NID_wap_wsg_idm_ecid_wtls4, &_EC_SECG_CHAR2_113R1.h, 0, "SECG curve over a 113 bit binary field"},
3244 {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"},
3245#endif
3246 {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, "SECG/WTLS curve over a 112 bit prime field"}, 1852 {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, "SECG/WTLS curve over a 112 bit prime field"},
3247 {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field"}, 1853 {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field"},
3248 {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, "WTLS curve over a 112 bit prime field"}, 1854 {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, "WTLS curve over a 112 bit prime field"},
3249 {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, "WTLS curve over a 160 bit prime field"}, 1855 {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, "WTLS curve over a 160 bit prime field"},
3250#ifndef OPENSSL_NO_EC2M
3251 {NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
3252 {NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
3253#endif
3254 {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 bit prime field"}, 1856 {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 bit prime field"},
3255#ifndef OPENSSL_NO_EC2M
3256 /* IPSec curves */
3257 {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n"
3258 "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
3259 {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPSec/IKE/Oakley curve #4 over a 185 bit binary field.\n"
3260 "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
3261#endif
3262 /* RFC 5639 curves */ 1857 /* RFC 5639 curves */
3263 {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, "RFC 5639 curve over a 160 bit prime field"}, 1858 {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, "RFC 5639 curve over a 160 bit prime field"},
3264 {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, "RFC 5639 curve over a 160 bit prime field"}, 1859 {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, "RFC 5639 curve over a 160 bit prime field"},
@@ -3339,15 +1934,6 @@ ec_group_new_from_data(const ec_list_element curve)
3339 goto err; 1934 goto err;
3340 } 1935 }
3341 } 1936 }
3342#ifndef OPENSSL_NO_EC2M
3343 else { /* field_type ==
3344 * NID_X9_62_characteristic_two_field */
3345 if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
3346 ECerror(ERR_R_EC_LIB);
3347 goto err;
3348 }
3349 }
3350#endif
3351 1937
3352 if ((P = EC_POINT_new(group)) == NULL) { 1938 if ((P = EC_POINT_new(group)) == NULL) {
3353 ECerror(ERR_R_EC_LIB); 1939 ECerror(ERR_R_EC_LIB);
diff --git a/src/lib/libcrypto/ec/ec_cvt.c b/src/lib/libcrypto/ec/ec_cvt.c
index 30e843e682..90e7400739 100644
--- a/src/lib/libcrypto/ec/ec_cvt.c
+++ b/src/lib/libcrypto/ec/ec_cvt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_cvt.c,v 1.10 2023/03/08 07:15:42 jsing Exp $ */ 1/* $OpenBSD: ec_cvt.c,v 1.11 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller for the OpenSSL project. 3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */ 4 */
@@ -100,12 +100,3 @@ EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b,
100{ 100{
101 return ec_group_new_curve(EC_GFp_mont_method(), p, a, b, ctx); 101 return ec_group_new_curve(EC_GFp_mont_method(), p, a, b, ctx);
102} 102}
103
104#ifndef OPENSSL_NO_EC2M
105EC_GROUP *
106EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b,
107 BN_CTX *ctx)
108{
109 return ec_group_new_curve(EC_GF2m_simple_method(), p, a, b, ctx);
110}
111#endif
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 683c49fef7..f560aa9991 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_lib.c,v 1.55 2023/04/13 07:44:12 tb Exp $ */ 1/* $OpenBSD: ec_lib.c,v 1.56 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller for the OpenSSL project. 3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */ 4 */
@@ -549,22 +549,6 @@ EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
549 return EC_GROUP_get_curve(group, p, a, b, ctx); 549 return EC_GROUP_get_curve(group, p, a, b, ctx);
550} 550}
551 551
552#ifndef OPENSSL_NO_EC2M
553int
554EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
555 const BIGNUM *b, BN_CTX *ctx)
556{
557 return EC_GROUP_set_curve(group, p, a, b, ctx);
558}
559
560int
561EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
562 BIGNUM *b, BN_CTX *ctx)
563{
564 return EC_GROUP_get_curve(group, p, a, b, ctx);
565}
566#endif
567
568int 552int
569EC_GROUP_get_degree(const EC_GROUP *group) 553EC_GROUP_get_degree(const EC_GROUP *group)
570{ 554{
@@ -1072,15 +1056,6 @@ EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
1072 return EC_POINT_set_affine_coordinates(group, point, x, y, ctx); 1056 return EC_POINT_set_affine_coordinates(group, point, x, y, ctx);
1073} 1057}
1074 1058
1075#ifndef OPENSSL_NO_EC2M
1076int
1077EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
1078 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
1079{
1080 return EC_POINT_set_affine_coordinates(group, point, x, y, ctx);
1081}
1082#endif
1083
1084int 1059int
1085EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, 1060EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
1086 BIGNUM *x, BIGNUM *y, BN_CTX *ctx_in) 1061 BIGNUM *x, BIGNUM *y, BN_CTX *ctx_in)
@@ -1117,15 +1092,6 @@ EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point
1117 return EC_POINT_get_affine_coordinates(group, point, x, y, ctx); 1092 return EC_POINT_get_affine_coordinates(group, point, x, y, ctx);
1118} 1093}
1119 1094
1120#ifndef OPENSSL_NO_EC2M
1121int
1122EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *point,
1123 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
1124{
1125 return EC_POINT_get_affine_coordinates(group, point, x, y, ctx);
1126}
1127#endif
1128
1129int 1095int
1130EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, 1096EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
1131 const EC_POINT *b, BN_CTX *ctx_in) 1097 const EC_POINT *b, BN_CTX *ctx_in)
diff --git a/src/lib/libcrypto/ec/ec_oct.c b/src/lib/libcrypto/ec/ec_oct.c
index b1c9e6a634..ee2ae0f4fc 100644
--- a/src/lib/libcrypto/ec/ec_oct.c
+++ b/src/lib/libcrypto/ec/ec_oct.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_oct.c,v 1.11 2023/04/11 18:58:20 jsing Exp $ */ 1/* $OpenBSD: ec_oct.c,v 1.12 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller for the OpenSSL project. 3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */ 4 */
@@ -107,15 +107,6 @@ EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
107 return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx); 107 return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx);
108} 108}
109 109
110#ifndef OPENSSL_NO_EC2M
111int
112EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
113 const BIGNUM *x, int y_bit, BN_CTX *ctx)
114{
115 return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx);
116}
117#endif
118
119size_t 110size_t
120EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, 111EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
121 point_conversion_form_t form, unsigned char *buf, size_t len, 112 point_conversion_form_t form, unsigned char *buf, size_t len,
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-23 00:52:44 +0000