summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ec
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/ec')
-rw-r--r--src/lib/libcrypto/ec/ec.h87
-rw-r--r--src/lib/libcrypto/ec/ec2_mult.c449
-rw-r--r--src/lib/libcrypto/ec/ec2_oct.c402
-rw-r--r--src/lib/libcrypto/ec/ec2_smpl.c723
-rw-r--r--src/lib/libcrypto/ec/ec_asn1.c194
-rw-r--r--src/lib/libcrypto/ec/ec_curve.c1416
-rw-r--r--src/lib/libcrypto/ec/ec_cvt.c11
-rw-r--r--src/lib/libcrypto/ec/ec_lib.c36
-rw-r--r--src/lib/libcrypto/ec/ec_oct.c11
9 files changed, 9 insertions, 3320 deletions
diff --git a/src/lib/libcrypto/ec/ec.h b/src/lib/libcrypto/ec/ec.h
index a0dbbe6ce7..1afbe0ad16 100644
--- a/src/lib/libcrypto/ec/ec.h
+++ b/src/lib/libcrypto/ec/ec.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec.h,v 1.37 2023/04/25 19:28:22 tb Exp $ */ 1/* $OpenBSD: ec.h,v 1.38 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller for the OpenSSL project. 3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */ 4 */
@@ -143,18 +143,6 @@ const EC_METHOD *EC_GFp_simple_method(void);
143 */ 143 */
144const EC_METHOD *EC_GFp_mont_method(void); 144const EC_METHOD *EC_GFp_mont_method(void);
145 145
146#ifndef OPENSSL_NO_EC2M
147/********************************************************************/
148/* EC_METHOD for curves over GF(2^m) */
149/********************************************************************/
150
151/** Returns the basic GF2m ec method
152 * \return EC_METHOD object
153 */
154const EC_METHOD *EC_GF2m_simple_method(void);
155
156#endif
157
158 146
159/********************************************************************/ 147/********************************************************************/
160/* EC_GROUP functions */ 148/* EC_GROUP functions */
@@ -284,28 +272,6 @@ int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, co
284 * \return 1 on success and 0 if an error occurred 272 * \return 1 on success and 0 if an error occurred
285 */ 273 */
286int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); 274int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
287
288#ifndef OPENSSL_NO_EC2M
289/** Sets the parameter of a ec over GF2m defined by y^2 + x*y = x^3 + a*x^2 + b
290 * \param group EC_GROUP object
291 * \param p BIGNUM with the polynomial defining the underlying field
292 * \param a BIGNUM with parameter a of the equation
293 * \param b BIGNUM with parameter b of the equation
294 * \param ctx BN_CTX object (optional)
295 * \return 1 on success and 0 if an error occurred
296 */
297int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
298
299/** Gets the parameter of the ec over GF2m defined by y^2 + x*y = x^3 + a*x^2 + b
300 * \param group EC_GROUP object
301 * \param p BIGNUM for the polynomial defining the underlying field
302 * \param a BIGNUM for parameter a of the equation
303 * \param b BIGNUM for parameter b of the equation
304 * \param ctx BN_CTX object (optional)
305 * \return 1 on success and 0 if an error occurred
306 */
307int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
308#endif
309#endif 275#endif
310 276
311/** Returns the number of bits needed to represent a field element 277/** Returns the number of bits needed to represent a field element
@@ -348,17 +314,6 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx);
348 * \return newly created EC_GROUP object with the specified parameters 314 * \return newly created EC_GROUP object with the specified parameters
349 */ 315 */
350EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); 316EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
351#ifndef OPENSSL_NO_EC2M
352/** Creates a new EC_GROUP object with the specified parameters defined
353 * over GF2m (defined by the equation y^2 + x*y = x^3 + a*x^2 + b)
354 * \param p BIGNUM with the polynomial defining the underlying field
355 * \param a BIGNUM with the parameter a of the equation
356 * \param b BIGNUM with the parameter b of the equation
357 * \param ctx BN_CTX object (optional)
358 * \return newly created EC_GROUP object with the specified parameters
359 */
360EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
361#endif
362/** Creates a EC_GROUP object with a curve specified by a NID 317/** Creates a EC_GROUP object with a curve specified by a NID
363 * \param nid NID of the OID of the curve name 318 * \param nid NID of the OID of the curve name
364 * \return newly created EC_GROUP object with specified curve or NULL 319 * \return newly created EC_GROUP object with specified curve or NULL
@@ -507,41 +462,6 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
507 */ 462 */
508int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, 463int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
509 const BIGNUM *x, int y_bit, BN_CTX *ctx); 464 const BIGNUM *x, int y_bit, BN_CTX *ctx);
510
511#ifndef OPENSSL_NO_EC2M
512/** Sets the affine coordinates of a EC_POINT over GF2m
513 * \param group underlying EC_GROUP object
514 * \param p EC_POINT object
515 * \param x BIGNUM with the x-coordinate
516 * \param y BIGNUM with the y-coordinate
517 * \param ctx BN_CTX object (optional)
518 * \return 1 on success and 0 if an error occurred
519 */
520int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
521 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);
522
523/** Gets the affine coordinates of a EC_POINT over GF2m
524 * \param group underlying EC_GROUP object
525 * \param p EC_POINT object
526 * \param x BIGNUM for the x-coordinate
527 * \param y BIGNUM for the y-coordinate
528 * \param ctx BN_CTX object (optional)
529 * \return 1 on success and 0 if an error occurred
530 */
531int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
532 const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
533
534/** Sets the x9.62 compressed coordinates of a EC_POINT over GF2m
535 * \param group underlying EC_GROUP object
536 * \param p EC_POINT object
537 * \param x BIGNUM with x-coordinate
538 * \param y_bit integer with the y-Bit (either 0 or 1)
539 * \param ctx BN_CTX object (optional)
540 * \return 1 on success and 0 if an error occurred
541 */
542int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
543 const BIGNUM *x, int y_bit, BN_CTX *ctx);
544#endif /* OPENSSL_NO_EC2M */
545#endif /* !LIBRESSL_INTERNAL */ 465#endif /* !LIBRESSL_INTERNAL */
546 466
547/** Encodes a EC_POINT object to a octet string 467/** Encodes a EC_POINT object to a octet string
@@ -682,11 +602,6 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *group);
682/* EC_GROUP_get_basis_type() returns the NID of the basis type 602/* EC_GROUP_get_basis_type() returns the NID of the basis type
683 * used to represent the field elements */ 603 * used to represent the field elements */
684int EC_GROUP_get_basis_type(const EC_GROUP *); 604int EC_GROUP_get_basis_type(const EC_GROUP *);
685#ifndef OPENSSL_NO_EC2M
686int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k);
687int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1,
688 unsigned int *k2, unsigned int *k3);
689#endif
690 605
691#define OPENSSL_EC_EXPLICIT_CURVE 0x000 606#define OPENSSL_EC_EXPLICIT_CURVE 0x000
692#define OPENSSL_EC_NAMED_CURVE 0x001 607#define OPENSSL_EC_NAMED_CURVE 0x001
diff --git a/src/lib/libcrypto/ec/ec2_mult.c b/src/lib/libcrypto/ec/ec2_mult.c
deleted file mode 100644
index d7cbd933f2..0000000000
--- a/src/lib/libcrypto/ec/ec2_mult.c
+++ /dev/null
@@ -1,449 +0,0 @@
1/* $OpenBSD: ec2_mult.c,v 1.17 2023/04/11 18:58:20 jsing Exp $ */
2/* ====================================================================
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4 *
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7 * to the OpenSSL project.
8 *
9 * The ECC Code is licensed pursuant to the OpenSSL open source
10 * license provided below.
11 *
12 * The software is originally written by Sheueling Chang Shantz and
13 * Douglas Stebila of Sun Microsystems Laboratories.
14 *
15 */
16/* ====================================================================
17 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
18 *
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
21 * are met:
22 *
23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer.
25 *
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in
28 * the documentation and/or other materials provided with the
29 * distribution.
30 *
31 * 3. All advertising materials mentioning features or use of this
32 * software must display the following acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
35 *
36 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
37 * endorse or promote products derived from this software without
38 * prior written permission. For written permission, please contact
39 * openssl-core@openssl.org.
40 *
41 * 5. Products derived from this software may not be called "OpenSSL"
42 * nor may "OpenSSL" appear in their names without prior written
43 * permission of the OpenSSL Project.
44 *
45 * 6. Redistributions of any form whatsoever must retain the following
46 * acknowledgment:
47 * "This product includes software developed by the OpenSSL Project
48 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
49 *
50 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
51 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
53 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
54 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
55 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
56 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
59 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
60 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
61 * OF THE POSSIBILITY OF SUCH DAMAGE.
62 * ====================================================================
63 *
64 * This product includes cryptographic software written by Eric Young
65 * (eay@cryptsoft.com). This product includes software written by Tim
66 * Hudson (tjh@cryptsoft.com).
67 *
68 */
69
70#include <openssl/opensslconf.h>
71
72#include <openssl/err.h>
73
74#include "bn_local.h"
75#include "ec_local.h"
76
77#ifndef OPENSSL_NO_EC2M
78
79
80/* Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery projective
81 * coordinates.
82 * Uses algorithm Mdouble in appendix of
83 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
84 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
85 * modified to not require precomputation of c=b^{2^{m-1}}.
86 */
87static int
88gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx)
89{
90 BIGNUM *t1;
91 int ret = 0;
92
93 /* Since Mdouble is static we can guarantee that ctx != NULL. */
94 BN_CTX_start(ctx);
95 if ((t1 = BN_CTX_get(ctx)) == NULL)
96 goto err;
97
98 if (!group->meth->field_sqr(group, x, x, ctx))
99 goto err;
100 if (!group->meth->field_sqr(group, t1, z, ctx))
101 goto err;
102 if (!group->meth->field_mul(group, z, x, t1, ctx))
103 goto err;
104 if (!group->meth->field_sqr(group, x, x, ctx))
105 goto err;
106 if (!group->meth->field_sqr(group, t1, t1, ctx))
107 goto err;
108 if (!group->meth->field_mul(group, t1, &group->b, t1, ctx))
109 goto err;
110 if (!BN_GF2m_add(x, x, t1))
111 goto err;
112
113 ret = 1;
114
115 err:
116 BN_CTX_end(ctx);
117 return ret;
118}
119
120/* Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in Montgomery
121 * projective coordinates.
122 * Uses algorithm Madd in appendix of
123 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
124 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
125 */
126static int
127gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1,
128 const BIGNUM *x2, const BIGNUM *z2, BN_CTX *ctx)
129{
130 BIGNUM *t1, *t2;
131 int ret = 0;
132
133 /* Since Madd is static we can guarantee that ctx != NULL. */
134 BN_CTX_start(ctx);
135 if ((t1 = BN_CTX_get(ctx)) == NULL)
136 goto err;
137 if ((t2 = BN_CTX_get(ctx)) == NULL)
138 goto err;
139
140 if (!bn_copy(t1, x))
141 goto err;
142 if (!group->meth->field_mul(group, x1, x1, z2, ctx))
143 goto err;
144 if (!group->meth->field_mul(group, z1, z1, x2, ctx))
145 goto err;
146 if (!group->meth->field_mul(group, t2, x1, z1, ctx))
147 goto err;
148 if (!BN_GF2m_add(z1, z1, x1))
149 goto err;
150 if (!group->meth->field_sqr(group, z1, z1, ctx))
151 goto err;
152 if (!group->meth->field_mul(group, x1, z1, t1, ctx))
153 goto err;
154 if (!BN_GF2m_add(x1, x1, t2))
155 goto err;
156
157 ret = 1;
158
159 err:
160 BN_CTX_end(ctx);
161 return ret;
162}
163
164/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2)
165 * using Montgomery point multiplication algorithm Mxy() in appendix of
166 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
167 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
168 * Returns:
169 * 0 on error
170 * 1 if return value should be the point at infinity
171 * 2 otherwise
172 */
173static int
174gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1,
175 BIGNUM *z1, BIGNUM *x2, BIGNUM *z2, BN_CTX *ctx)
176{
177 BIGNUM *t3, *t4, *t5;
178 int ret = 0;
179
180 if (BN_is_zero(z1)) {
181 BN_zero(x2);
182 BN_zero(z2);
183 return 1;
184 }
185 if (BN_is_zero(z2)) {
186 if (!bn_copy(x2, x))
187 return 0;
188 if (!BN_GF2m_add(z2, x, y))
189 return 0;
190 return 2;
191 }
192 /* Since Mxy is static we can guarantee that ctx != NULL. */
193 BN_CTX_start(ctx);
194 if ((t3 = BN_CTX_get(ctx)) == NULL)
195 goto err;
196 if ((t4 = BN_CTX_get(ctx)) == NULL)
197 goto err;
198 if ((t5 = BN_CTX_get(ctx)) == NULL)
199 goto err;
200
201 if (!BN_one(t5))
202 goto err;
203
204 if (!group->meth->field_mul(group, t3, z1, z2, ctx))
205 goto err;
206
207 if (!group->meth->field_mul(group, z1, z1, x, ctx))
208 goto err;
209 if (!BN_GF2m_add(z1, z1, x1))
210 goto err;
211 if (!group->meth->field_mul(group, z2, z2, x, ctx))
212 goto err;
213 if (!group->meth->field_mul(group, x1, z2, x1, ctx))
214 goto err;
215 if (!BN_GF2m_add(z2, z2, x2))
216 goto err;
217
218 if (!group->meth->field_mul(group, z2, z2, z1, ctx))
219 goto err;
220 if (!group->meth->field_sqr(group, t4, x, ctx))
221 goto err;
222 if (!BN_GF2m_add(t4, t4, y))
223 goto err;
224 if (!group->meth->field_mul(group, t4, t4, t3, ctx))
225 goto err;
226 if (!BN_GF2m_add(t4, t4, z2))
227 goto err;
228
229 if (!group->meth->field_mul(group, t3, t3, x, ctx))
230 goto err;
231 if (!group->meth->field_div(group, t3, t5, t3, ctx))
232 goto err;
233 if (!group->meth->field_mul(group, t4, t3, t4, ctx))
234 goto err;
235 if (!group->meth->field_mul(group, x2, x1, t3, ctx))
236 goto err;
237 if (!BN_GF2m_add(z2, x2, x))
238 goto err;
239
240 if (!group->meth->field_mul(group, z2, z2, t4, ctx))
241 goto err;
242 if (!BN_GF2m_add(z2, z2, y))
243 goto err;
244
245 ret = 2;
246
247 err:
248 BN_CTX_end(ctx);
249 return ret;
250}
251
252
253/* Computes scalar*point and stores the result in r.
254 * point can not equal r.
255 * Uses a modified algorithm 2P of
256 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
257 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
258 *
259 * To protect against side-channel attack the function uses constant time swap,
260 * avoiding conditional branches.
261 */
262static int
263ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
264 const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx)
265{
266 BIGNUM *x1, *x2, *z1, *z2;
267 int ret = 0, i;
268 BN_ULONG mask, word;
269
270 if (r == point) {
271 ECerror(EC_R_INVALID_ARGUMENT);
272 return 0;
273 }
274 /* if result should be point at infinity */
275 if ((scalar == NULL) || BN_is_zero(scalar) || (point == NULL) ||
276 EC_POINT_is_at_infinity(group, point) > 0) {
277 return EC_POINT_set_to_infinity(group, r);
278 }
279 /* only support affine coordinates */
280 if (!point->Z_is_one)
281 return 0;
282
283 /* Since point_multiply is static we can guarantee that ctx != NULL. */
284 BN_CTX_start(ctx);
285 if ((x1 = BN_CTX_get(ctx)) == NULL)
286 goto err;
287 if ((z1 = BN_CTX_get(ctx)) == NULL)
288 goto err;
289
290 x2 = &r->X;
291 z2 = &r->Y;
292
293 if (!bn_wexpand(x1, group->field.top))
294 goto err;
295 if (!bn_wexpand(z1, group->field.top))
296 goto err;
297 if (!bn_wexpand(x2, group->field.top))
298 goto err;
299 if (!bn_wexpand(z2, group->field.top))
300 goto err;
301
302 if (!BN_GF2m_mod_arr(x1, &point->X, group->poly))
303 goto err; /* x1 = x */
304 if (!BN_one(z1))
305 goto err; /* z1 = 1 */
306 if (!group->meth->field_sqr(group, z2, x1, ctx))
307 goto err; /* z2 = x1^2 = x^2 */
308 if (!group->meth->field_sqr(group, x2, z2, ctx))
309 goto err;
310 if (!BN_GF2m_add(x2, x2, &group->b))
311 goto err; /* x2 = x^4 + b */
312
313 /* find top most bit and go one past it */
314 i = scalar->top - 1;
315 mask = BN_TBIT;
316 word = scalar->d[i];
317 while (!(word & mask))
318 mask >>= 1;
319 mask >>= 1;
320 /* if top most bit was at word break, go to next word */
321 if (!mask) {
322 i--;
323 mask = BN_TBIT;
324 }
325 for (; i >= 0; i--) {
326 word = scalar->d[i];
327 while (mask) {
328 if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
329 goto err;
330 if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
331 goto err;
332 if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
333 goto err;
334 if (!gf2m_Mdouble(group, x1, z1, ctx))
335 goto err;
336 if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
337 goto err;
338 if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
339 goto err;
340 mask >>= 1;
341 }
342 mask = BN_TBIT;
343 }
344
345 /* convert out of "projective" coordinates */
346 i = gf2m_Mxy(group, &point->X, &point->Y, x1, z1, x2, z2, ctx);
347 if (i == 0)
348 goto err;
349 else if (i == 1) {
350 if (!EC_POINT_set_to_infinity(group, r))
351 goto err;
352 } else {
353 if (!BN_one(&r->Z))
354 goto err;
355 r->Z_is_one = 1;
356 }
357
358 /* GF(2^m) field elements should always have BIGNUM::neg = 0 */
359 BN_set_negative(&r->X, 0);
360 BN_set_negative(&r->Y, 0);
361
362 ret = 1;
363
364 err:
365 BN_CTX_end(ctx);
366 return ret;
367}
368
369
370/* Computes the sum
371 * scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1]
372 * gracefully ignoring NULL scalar values.
373 */
374int
375ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
376 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
377{
378 EC_POINT *p = NULL;
379 EC_POINT *acc = NULL;
380 size_t i;
381 int ret = 0;
382
383 /*
384 * This implementation is more efficient than the wNAF implementation
385 * for 2 or fewer points. Use the ec_wNAF_mul implementation for 3
386 * or more points, or if we can perform a fast multiplication based
387 * on precomputation.
388 */
389 if ((scalar && (num > 1)) || (num > 2) ||
390 (num == 0 && EC_GROUP_have_precompute_mult(group))) {
391 ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
392 goto err;
393 }
394 if ((p = EC_POINT_new(group)) == NULL)
395 goto err;
396 if ((acc = EC_POINT_new(group)) == NULL)
397 goto err;
398
399 if (!EC_POINT_set_to_infinity(group, acc))
400 goto err;
401
402 if (scalar) {
403 if (!ec_GF2m_montgomery_point_multiply(group, p, scalar, group->generator, ctx))
404 goto err;
405 if (BN_is_negative(scalar))
406 if (!group->meth->invert(group, p, ctx))
407 goto err;
408 if (!group->meth->add(group, acc, acc, p, ctx))
409 goto err;
410 }
411 for (i = 0; i < num; i++) {
412 if (!ec_GF2m_montgomery_point_multiply(group, p, scalars[i], points[i], ctx))
413 goto err;
414 if (BN_is_negative(scalars[i]))
415 if (!group->meth->invert(group, p, ctx))
416 goto err;
417 if (!group->meth->add(group, acc, acc, p, ctx))
418 goto err;
419 }
420
421 if (!EC_POINT_copy(r, acc))
422 goto err;
423
424 ret = 1;
425
426 err:
427 EC_POINT_free(p);
428 EC_POINT_free(acc);
429
430 return ret;
431}
432
433
434/* Precomputation for point multiplication: fall back to wNAF methods
435 * because ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate */
436
437int
438ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
439{
440 return ec_wNAF_precompute_mult(group, ctx);
441}
442
443int
444ec_GF2m_have_precompute_mult(const EC_GROUP *group)
445{
446 return ec_wNAF_have_precompute_mult(group);
447}
448
449#endif
diff --git a/src/lib/libcrypto/ec/ec2_oct.c b/src/lib/libcrypto/ec/ec2_oct.c
deleted file mode 100644
index 6cb7259824..0000000000
--- a/src/lib/libcrypto/ec/ec2_oct.c
+++ /dev/null
@@ -1,402 +0,0 @@
1/* $OpenBSD: ec2_oct.c,v 1.20 2023/04/11 18:58:20 jsing Exp $ */
2/* ====================================================================
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4 *
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7 * to the OpenSSL project.
8 *
9 * The ECC Code is licensed pursuant to the OpenSSL open source
10 * license provided below.
11 *
12 * The software is originally written by Sheueling Chang Shantz and
13 * Douglas Stebila of Sun Microsystems Laboratories.
14 *
15 */
16/* ====================================================================
17 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
18 *
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
21 * are met:
22 *
23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer.
25 *
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in
28 * the documentation and/or other materials provided with the
29 * distribution.
30 *
31 * 3. All advertising materials mentioning features or use of this
32 * software must display the following acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
35 *
36 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
37 * endorse or promote products derived from this software without
38 * prior written permission. For written permission, please contact
39 * openssl-core@openssl.org.
40 *
41 * 5. Products derived from this software may not be called "OpenSSL"
42 * nor may "OpenSSL" appear in their names without prior written
43 * permission of the OpenSSL Project.
44 *
45 * 6. Redistributions of any form whatsoever must retain the following
46 * acknowledgment:
47 * "This product includes software developed by the OpenSSL Project
48 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
49 *
50 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
51 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
53 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
54 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
55 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
56 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
59 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
60 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
61 * OF THE POSSIBILITY OF SUCH DAMAGE.
62 * ====================================================================
63 *
64 * This product includes cryptographic software written by Eric Young
65 * (eay@cryptsoft.com). This product includes software written by Tim
66 * Hudson (tjh@cryptsoft.com).
67 *
68 */
69
70#include <openssl/opensslconf.h>
71
72#include <openssl/err.h>
73
74#include "ec_local.h"
75
76#ifndef OPENSSL_NO_EC2M
77
78/* Calculates and sets the affine coordinates of an EC_POINT from the given
79 * compressed coordinates. Uses algorithm 2.3.4 of SEC 1.
80 * Note that the simple implementation only uses affine coordinates.
81 *
82 * The method is from the following publication:
83 *
84 * Harper, Menezes, Vanstone:
85 * "Public-Key Cryptosystems with Very Small Key Lengths",
86 * EUROCRYPT '92, Springer-Verlag LNCS 658,
87 * published February 1993
88 *
89 * US Patents 6,141,420 and 6,618,483 (Vanstone, Mullin, Agnew) describe
90 * the same method, but claim no priority date earlier than July 29, 1994
91 * (and additionally fail to cite the EUROCRYPT '92 publication as prior art).
92 */
93int
94ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
95 const BIGNUM *x_, int y_bit, BN_CTX *ctx)
96{
97 BIGNUM *tmp, *x, *y, *z;
98 int z0;
99 int ret = 0;
100
101 /* clear error queue */
102 ERR_clear_error();
103
104 y_bit = (y_bit != 0) ? 1 : 0;
105
106 BN_CTX_start(ctx);
107
108 if ((tmp = BN_CTX_get(ctx)) == NULL)
109 goto err;
110 if ((x = BN_CTX_get(ctx)) == NULL)
111 goto err;
112 if ((y = BN_CTX_get(ctx)) == NULL)
113 goto err;
114 if ((z = BN_CTX_get(ctx)) == NULL)
115 goto err;
116
117 if (!BN_GF2m_mod_arr(x, x_, group->poly))
118 goto err;
119 if (BN_is_zero(x)) {
120 if (y_bit != 0) {
121 ECerror(EC_R_INVALID_COMPRESSED_POINT);
122 goto err;
123 }
124 if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx))
125 goto err;
126 } else {
127 if (!group->meth->field_sqr(group, tmp, x, ctx))
128 goto err;
129 if (!group->meth->field_div(group, tmp, &group->b, tmp, ctx))
130 goto err;
131 if (!BN_GF2m_add(tmp, &group->a, tmp))
132 goto err;
133 if (!BN_GF2m_add(tmp, x, tmp))
134 goto err;
135 if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx)) {
136 unsigned long err = ERR_peek_last_error();
137
138 if (ERR_GET_LIB(err) == ERR_LIB_BN &&
139 ERR_GET_REASON(err) == BN_R_NO_SOLUTION) {
140 ERR_clear_error();
141 ECerror(EC_R_INVALID_COMPRESSED_POINT);
142 } else
143 ECerror(ERR_R_BN_LIB);
144 goto err;
145 }
146 z0 = (BN_is_odd(z)) ? 1 : 0;
147 if (!group->meth->field_mul(group, y, x, z, ctx))
148 goto err;
149 if (z0 != y_bit) {
150 if (!BN_GF2m_add(y, y, x))
151 goto err;
152 }
153 }
154
155 if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
156 goto err;
157
158 ret = 1;
159
160 err:
161 BN_CTX_end(ctx);
162
163 return ret;
164}
165
166
167/* Converts an EC_POINT to an octet string.
168 * If buf is NULL, the encoded length will be returned.
169 * If the length len of buf is smaller than required an error will be returned.
170 */
171size_t
172ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point,
173 point_conversion_form_t form,
174 unsigned char *buf, size_t len, BN_CTX *ctx)
175{
176 BIGNUM *x, *y, *yxi;
177 size_t field_len, i, skip;
178 size_t ret;
179
180 if (form != POINT_CONVERSION_COMPRESSED &&
181 form != POINT_CONVERSION_UNCOMPRESSED &&
182 form != POINT_CONVERSION_HYBRID) {
183 ECerror(EC_R_INVALID_FORM);
184 return 0;
185 }
186
187 if (EC_POINT_is_at_infinity(group, point) > 0) {
188 /* encodes to a single 0 octet */
189 if (buf != NULL) {
190 if (len < 1) {
191 ECerror(EC_R_BUFFER_TOO_SMALL);
192 return 0;
193 }
194 buf[0] = 0;
195 }
196 return 1;
197 }
198
199 BN_CTX_start(ctx);
200
201 /* ret := required output buffer length */
202 field_len = (EC_GROUP_get_degree(group) + 7) / 8;
203 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len :
204 1 + 2 * field_len;
205
206 /* if 'buf' is NULL, just return required length */
207 if (buf != NULL) {
208 if (len < ret) {
209 ECerror(EC_R_BUFFER_TOO_SMALL);
210 goto err;
211 }
212
213 if ((x = BN_CTX_get(ctx)) == NULL)
214 goto err;
215 if ((y = BN_CTX_get(ctx)) == NULL)
216 goto err;
217 if ((yxi = BN_CTX_get(ctx)) == NULL)
218 goto err;
219
220 if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
221 goto err;
222
223 buf[0] = form;
224 if ((form != POINT_CONVERSION_UNCOMPRESSED) && !BN_is_zero(x)) {
225 if (!group->meth->field_div(group, yxi, y, x, ctx))
226 goto err;
227 if (BN_is_odd(yxi))
228 buf[0]++;
229 }
230 i = 1;
231
232 skip = field_len - BN_num_bytes(x);
233 if (skip > field_len) {
234 ECerror(ERR_R_INTERNAL_ERROR);
235 goto err;
236 }
237 while (skip > 0) {
238 buf[i++] = 0;
239 skip--;
240 }
241 skip = BN_bn2bin(x, buf + i);
242 i += skip;
243 if (i != 1 + field_len) {
244 ECerror(ERR_R_INTERNAL_ERROR);
245 goto err;
246 }
247 if (form == POINT_CONVERSION_UNCOMPRESSED ||
248 form == POINT_CONVERSION_HYBRID) {
249 skip = field_len - BN_num_bytes(y);
250 if (skip > field_len) {
251 ECerror(ERR_R_INTERNAL_ERROR);
252 goto err;
253 }
254 while (skip > 0) {
255 buf[i++] = 0;
256 skip--;
257 }
258 skip = BN_bn2bin(y, buf + i);
259 i += skip;
260 }
261 if (i != ret) {
262 ECerror(ERR_R_INTERNAL_ERROR);
263 goto err;
264 }
265 }
266
267 err:
268 BN_CTX_end(ctx);
269
270 return ret;
271}
272
273/*
274 * Converts an octet string representation to an EC_POINT.
275 * Note that the simple implementation only uses affine coordinates.
276 */
277int
278ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
279 const unsigned char *buf, size_t len, BN_CTX *ctx)
280{
281 point_conversion_form_t form;
282 int y_bit;
283 BIGNUM *x, *y, *yxi;
284 size_t field_len, enc_len;
285 int ret = 0;
286
287 if (len == 0) {
288 ECerror(EC_R_BUFFER_TOO_SMALL);
289 return 0;
290 }
291
292 /*
293 * The first octet is the point conversion octet PC, see X9.62, page 4
294 * and section 4.4.2. It must be:
295 * 0x00 for the point at infinity
296 * 0x02 or 0x03 for compressed form
297 * 0x04 for uncompressed form
298 * 0x06 or 0x07 for hybrid form.
299 * For compressed or hybrid forms, we store the last bit of buf[0] as
300 * y_bit and clear it from buf[0] so as to obtain a POINT_CONVERSION_*.
301 * We error if buf[0] contains any but the above values.
302 */
303 y_bit = buf[0] & 1;
304 form = buf[0] & ~1U;
305
306 if (form != 0 && form != POINT_CONVERSION_COMPRESSED &&
307 form != POINT_CONVERSION_UNCOMPRESSED &&
308 form != POINT_CONVERSION_HYBRID) {
309 ECerror(EC_R_INVALID_ENCODING);
310 return 0;
311 }
312 if (form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) {
313 if (y_bit != 0) {
314 ECerror(EC_R_INVALID_ENCODING);
315 return 0;
316 }
317 }
318
319 /* The point at infinity is represented by a single zero octet. */
320 if (form == 0) {
321 if (len != 1) {
322 ECerror(EC_R_INVALID_ENCODING);
323 return 0;
324 }
325 return EC_POINT_set_to_infinity(group, point);
326 }
327
328 field_len = (EC_GROUP_get_degree(group) + 7) / 8;
329 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len :
330 1 + 2 * field_len;
331
332 if (len != enc_len) {
333 ECerror(EC_R_INVALID_ENCODING);
334 return 0;
335 }
336
337 BN_CTX_start(ctx);
338
339 if ((x = BN_CTX_get(ctx)) == NULL)
340 goto err;
341 if ((y = BN_CTX_get(ctx)) == NULL)
342 goto err;
343 if ((yxi = BN_CTX_get(ctx)) == NULL)
344 goto err;
345
346 if (!BN_bin2bn(buf + 1, field_len, x))
347 goto err;
348 if (BN_ucmp(x, &group->field) >= 0) {
349 ECerror(EC_R_INVALID_ENCODING);
350 goto err;
351 }
352 if (form == POINT_CONVERSION_COMPRESSED) {
353 /*
354 * EC_POINT_set_compressed_coordinates checks that the
355 * point is on the curve as required by X9.62.
356 */
357 if (!EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx))
358 goto err;
359 } else {
360 if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
361 goto err;
362 if (BN_ucmp(y, &group->field) >= 0) {
363 ECerror(EC_R_INVALID_ENCODING);
364 goto err;
365 }
366 if (form == POINT_CONVERSION_HYBRID) {
367 /*
368 * Check that the form in the encoding was set
369 * correctly according to X9.62 4.4.2.a, 4(c),
370 * see also first paragraph of X9.62 4.4.1.b.
371 */
372 if (BN_is_zero(x)) {
373 if (y_bit != 0) {
374 ECerror(EC_R_INVALID_ENCODING);
375 goto err;
376 }
377 } else {
378 if (!group->meth->field_div(group, yxi, y, x,
379 ctx))
380 goto err;
381 if (y_bit != BN_is_odd(yxi)) {
382 ECerror(EC_R_INVALID_ENCODING);
383 goto err;
384 }
385 }
386 }
387 /*
388 * EC_POINT_set_affine_coordinates checks that the
389 * point is on the curve as required by X9.62.
390 */
391 if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
392 goto err;
393 }
394
395 ret = 1;
396
397 err:
398 BN_CTX_end(ctx);
399
400 return ret;
401}
402#endif
diff --git a/src/lib/libcrypto/ec/ec2_smpl.c b/src/lib/libcrypto/ec/ec2_smpl.c
deleted file mode 100644
index 850159cb25..0000000000
--- a/src/lib/libcrypto/ec/ec2_smpl.c
+++ /dev/null
@@ -1,723 +0,0 @@
1/* $OpenBSD: ec2_smpl.c,v 1.35 2023/04/11 18:58:20 jsing Exp $ */
2/* ====================================================================
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4 *
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7 * to the OpenSSL project.
8 *
9 * The ECC Code is licensed pursuant to the OpenSSL open source
10 * license provided below.
11 *
12 * The software is originally written by Sheueling Chang Shantz and
13 * Douglas Stebila of Sun Microsystems Laboratories.
14 *
15 */
16/* ====================================================================
17 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
18 *
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
21 * are met:
22 *
23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer.
25 *
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in
28 * the documentation and/or other materials provided with the
29 * distribution.
30 *
31 * 3. All advertising materials mentioning features or use of this
32 * software must display the following acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
35 *
36 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
37 * endorse or promote products derived from this software without
38 * prior written permission. For written permission, please contact
39 * openssl-core@openssl.org.
40 *
41 * 5. Products derived from this software may not be called "OpenSSL"
42 * nor may "OpenSSL" appear in their names without prior written
43 * permission of the OpenSSL Project.
44 *
45 * 6. Redistributions of any form whatsoever must retain the following
46 * acknowledgment:
47 * "This product includes software developed by the OpenSSL Project
48 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
49 *
50 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
51 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
53 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
54 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
55 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
56 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
59 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
60 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
61 * OF THE POSSIBILITY OF SUCH DAMAGE.
62 * ====================================================================
63 *
64 * This product includes cryptographic software written by Eric Young
65 * (eay@cryptsoft.com). This product includes software written by Tim
66 * Hudson (tjh@cryptsoft.com).
67 *
68 */
69
70#include <openssl/opensslconf.h>
71
72#include <openssl/err.h>
73
74#include "ec_local.h"
75
76#ifndef OPENSSL_NO_EC2M
77
78/*
79 * Initialize a GF(2^m)-based EC_GROUP structure.
80 * Note that all other members are handled by EC_GROUP_new.
81 */
82static int
83ec_GF2m_simple_group_init(EC_GROUP *group)
84{
85 BN_init(&group->field);
86 BN_init(&group->a);
87 BN_init(&group->b);
88 return 1;
89}
90
91/*
92 * Clear and free a GF(2^m)-based EC_GROUP structure.
93 * Note that all other members are handled by EC_GROUP_free.
94 */
95static void
96ec_GF2m_simple_group_finish(EC_GROUP *group)
97{
98 BN_free(&group->field);
99 BN_free(&group->a);
100 BN_free(&group->b);
101 group->poly[0] = 0;
102 group->poly[1] = 0;
103 group->poly[2] = 0;
104 group->poly[3] = 0;
105 group->poly[4] = 0;
106 group->poly[5] = -1;
107}
108
109/*
110 * Copy a GF(2^m)-based EC_GROUP structure.
111 * Note that all other members are handled by EC_GROUP_copy.
112 */
113static int
114ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
115{
116 int i;
117
118 if (!bn_copy(&dest->field, &src->field))
119 return 0;
120 if (!bn_copy(&dest->a, &src->a))
121 return 0;
122 if (!bn_copy(&dest->b, &src->b))
123 return 0;
124 dest->poly[0] = src->poly[0];
125 dest->poly[1] = src->poly[1];
126 dest->poly[2] = src->poly[2];
127 dest->poly[3] = src->poly[3];
128 dest->poly[4] = src->poly[4];
129 dest->poly[5] = src->poly[5];
130 if (!bn_expand(&dest->a, dest->poly[0]))
131 return 0;
132 if (!bn_expand(&dest->b, dest->poly[0]))
133 return 0;
134 for (i = dest->a.top; i < dest->a.dmax; i++)
135 dest->a.d[i] = 0;
136 for (i = dest->b.top; i < dest->b.dmax; i++)
137 dest->b.d[i] = 0;
138 return 1;
139}
140
141/* Set the curve parameters of an EC_GROUP structure. */
142static int
143ec_GF2m_simple_group_set_curve(EC_GROUP *group,
144 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
145{
146 int ret = 0, i;
147
148 /* group->field */
149 if (!bn_copy(&group->field, p))
150 goto err;
151 i = BN_GF2m_poly2arr(&group->field, group->poly, 6) - 1;
152 if ((i != 5) && (i != 3)) {
153 ECerror(EC_R_UNSUPPORTED_FIELD);
154 goto err;
155 }
156 /* group->a */
157 if (!BN_GF2m_mod_arr(&group->a, a, group->poly))
158 goto err;
159 if (!bn_expand(&group->a, group->poly[0]))
160 goto err;
161 for (i = group->a.top; i < group->a.dmax; i++)
162 group->a.d[i] = 0;
163
164 /* group->b */
165 if (!BN_GF2m_mod_arr(&group->b, b, group->poly))
166 goto err;
167 if (!bn_expand(&group->b, group->poly[0]))
168 goto err;
169 for (i = group->b.top; i < group->b.dmax; i++)
170 group->b.d[i] = 0;
171
172 ret = 1;
173 err:
174 return ret;
175}
176
177/*
178 * Get the curve parameters of an EC_GROUP structure.
179 * If p, a, or b are NULL then there values will not be set but the method will return with success.
180 */
181static int
182ec_GF2m_simple_group_get_curve(const EC_GROUP *group,
183 BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
184{
185 int ret = 0;
186
187 if (p != NULL) {
188 if (!bn_copy(p, &group->field))
189 return 0;
190 }
191 if (a != NULL) {
192 if (!bn_copy(a, &group->a))
193 goto err;
194 }
195 if (b != NULL) {
196 if (!bn_copy(b, &group->b))
197 goto err;
198 }
199 ret = 1;
200
201 err:
202 return ret;
203}
204
205/* Gets the degree of the field. For a curve over GF(2^m) this is the value m. */
206static int
207ec_GF2m_simple_group_get_degree(const EC_GROUP *group)
208{
209 return BN_num_bits(&group->field) - 1;
210}
211
212/*
213 * Checks the discriminant of the curve.
214 * y^2 + x*y = x^3 + a*x^2 + b is an elliptic curve <=> b != 0 (mod p)
215 */
216static int
217ec_GF2m_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
218{
219 BIGNUM *b;
220 int ret = 0;
221
222 BN_CTX_start(ctx);
223
224 if ((b = BN_CTX_get(ctx)) == NULL)
225 goto err;
226
227 if (!BN_GF2m_mod_arr(b, &group->b, group->poly))
228 goto err;
229
230 /*
231 * check the discriminant: y^2 + x*y = x^3 + a*x^2 + b is an elliptic
232 * curve <=> b != 0 (mod p)
233 */
234 if (BN_is_zero(b))
235 goto err;
236
237 ret = 1;
238
239 err:
240 BN_CTX_end(ctx);
241
242 return ret;
243}
244
245/* Initializes an EC_POINT. */
246static int
247ec_GF2m_simple_point_init(EC_POINT *point)
248{
249 BN_init(&point->X);
250 BN_init(&point->Y);
251 BN_init(&point->Z);
252 return 1;
253}
254
255/* Clears and frees an EC_POINT. */
256static void
257ec_GF2m_simple_point_finish(EC_POINT *point)
258{
259 BN_free(&point->X);
260 BN_free(&point->Y);
261 BN_free(&point->Z);
262 point->Z_is_one = 0;
263}
264
265/* Copy the contents of one EC_POINT into another. Assumes dest is initialized. */
266static int
267ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
268{
269 if (!bn_copy(&dest->X, &src->X))
270 return 0;
271 if (!bn_copy(&dest->Y, &src->Y))
272 return 0;
273 if (!bn_copy(&dest->Z, &src->Z))
274 return 0;
275 dest->Z_is_one = src->Z_is_one;
276
277 return 1;
278}
279
280/*
281 * Set an EC_POINT to the point at infinity.
282 * A point at infinity is represented by having Z=0.
283 */
284static int
285ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
286{
287 point->Z_is_one = 0;
288 BN_zero(&point->Z);
289 return 1;
290}
291
292/*
293 * Set the coordinates of an EC_POINT using affine coordinates.
294 * Note that the simple implementation only uses affine coordinates.
295 */
296static int
297ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
298 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
299{
300 int ret = 0;
301 if (x == NULL || y == NULL) {
302 ECerror(ERR_R_PASSED_NULL_PARAMETER);
303 return 0;
304 }
305 if (!bn_copy(&point->X, x))
306 goto err;
307 BN_set_negative(&point->X, 0);
308 if (!bn_copy(&point->Y, y))
309 goto err;
310 BN_set_negative(&point->Y, 0);
311 if (!bn_copy(&point->Z, BN_value_one()))
312 goto err;
313 BN_set_negative(&point->Z, 0);
314 point->Z_is_one = 1;
315 ret = 1;
316
317 err:
318 return ret;
319}
320
321/*
322 * Gets the affine coordinates of an EC_POINT.
323 * Note that the simple implementation only uses affine coordinates.
324 */
325static int
326ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group,
327 const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
328{
329 int ret = 0;
330
331 if (EC_POINT_is_at_infinity(group, point) > 0) {
332 ECerror(EC_R_POINT_AT_INFINITY);
333 return 0;
334 }
335 if (BN_cmp(&point->Z, BN_value_one())) {
336 ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
337 return 0;
338 }
339 if (x != NULL) {
340 if (!bn_copy(x, &point->X))
341 goto err;
342 BN_set_negative(x, 0);
343 }
344 if (y != NULL) {
345 if (!bn_copy(y, &point->Y))
346 goto err;
347 BN_set_negative(y, 0);
348 }
349 ret = 1;
350
351 err:
352 return ret;
353}
354
355/*
356 * Computes a + b and stores the result in r. r could be a or b, a could be b.
357 * Uses algorithm A.10.2 of IEEE P1363.
358 */
359static int
360ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
361 const EC_POINT *b, BN_CTX *ctx)
362{
363 BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t;
364 int ret = 0;
365
366 if (EC_POINT_is_at_infinity(group, a) > 0) {
367 if (!EC_POINT_copy(r, b))
368 return 0;
369 return 1;
370 }
371 if (EC_POINT_is_at_infinity(group, b) > 0) {
372 if (!EC_POINT_copy(r, a))
373 return 0;
374 return 1;
375 }
376
377 BN_CTX_start(ctx);
378
379 if ((x0 = BN_CTX_get(ctx)) == NULL)
380 goto err;
381 if ((y0 = BN_CTX_get(ctx)) == NULL)
382 goto err;
383 if ((x1 = BN_CTX_get(ctx)) == NULL)
384 goto err;
385 if ((y1 = BN_CTX_get(ctx)) == NULL)
386 goto err;
387 if ((x2 = BN_CTX_get(ctx)) == NULL)
388 goto err;
389 if ((y2 = BN_CTX_get(ctx)) == NULL)
390 goto err;
391 if ((s = BN_CTX_get(ctx)) == NULL)
392 goto err;
393 if ((t = BN_CTX_get(ctx)) == NULL)
394 goto err;
395
396 if (a->Z_is_one) {
397 if (!bn_copy(x0, &a->X))
398 goto err;
399 if (!bn_copy(y0, &a->Y))
400 goto err;
401 } else {
402 if (!EC_POINT_get_affine_coordinates(group, a, x0, y0, ctx))
403 goto err;
404 }
405 if (b->Z_is_one) {
406 if (!bn_copy(x1, &b->X))
407 goto err;
408 if (!bn_copy(y1, &b->Y))
409 goto err;
410 } else {
411 if (!EC_POINT_get_affine_coordinates(group, b, x1, y1, ctx))
412 goto err;
413 }
414
415 if (BN_GF2m_cmp(x0, x1)) {
416 if (!BN_GF2m_add(t, x0, x1))
417 goto err;
418 if (!BN_GF2m_add(s, y0, y1))
419 goto err;
420 if (!group->meth->field_div(group, s, s, t, ctx))
421 goto err;
422 if (!group->meth->field_sqr(group, x2, s, ctx))
423 goto err;
424 if (!BN_GF2m_add(x2, x2, &group->a))
425 goto err;
426 if (!BN_GF2m_add(x2, x2, s))
427 goto err;
428 if (!BN_GF2m_add(x2, x2, t))
429 goto err;
430 } else {
431 if (BN_GF2m_cmp(y0, y1) || BN_is_zero(x1)) {
432 if (!EC_POINT_set_to_infinity(group, r))
433 goto err;
434 ret = 1;
435 goto err;
436 }
437 if (!group->meth->field_div(group, s, y1, x1, ctx))
438 goto err;
439 if (!BN_GF2m_add(s, s, x1))
440 goto err;
441
442 if (!group->meth->field_sqr(group, x2, s, ctx))
443 goto err;
444 if (!BN_GF2m_add(x2, x2, s))
445 goto err;
446 if (!BN_GF2m_add(x2, x2, &group->a))
447 goto err;
448 }
449
450 if (!BN_GF2m_add(y2, x1, x2))
451 goto err;
452 if (!group->meth->field_mul(group, y2, y2, s, ctx))
453 goto err;
454 if (!BN_GF2m_add(y2, y2, x2))
455 goto err;
456 if (!BN_GF2m_add(y2, y2, y1))
457 goto err;
458
459 if (!EC_POINT_set_affine_coordinates(group, r, x2, y2, ctx))
460 goto err;
461
462 ret = 1;
463
464 err:
465 BN_CTX_end(ctx);
466
467 return ret;
468}
469
470/*
471 * Computes 2 * a and stores the result in r. r could be a.
472 * Uses algorithm A.10.2 of IEEE P1363.
473 */
474static int
475ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
476 BN_CTX *ctx)
477{
478 return ec_GF2m_simple_add(group, r, a, a, ctx);
479}
480
481static int
482ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
483{
484 if (EC_POINT_is_at_infinity(group, point) > 0 || BN_is_zero(&point->Y))
485 /* point is its own inverse */
486 return 1;
487
488 if (!EC_POINT_make_affine(group, point, ctx))
489 return 0;
490 return BN_GF2m_add(&point->Y, &point->X, &point->Y);
491}
492
493/* Indicates whether the given point is the point at infinity. */
494static int
495ec_GF2m_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
496{
497 return BN_is_zero(&point->Z);
498}
499
500/*
501 * Determines whether the given EC_POINT is an actual point on the curve defined
502 * in the EC_GROUP. A point is valid if it satisfies the Weierstrass equation:
503 * y^2 + x*y = x^3 + a*x^2 + b.
504 */
505static int
506ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
507{
508 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
509 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
510 BIGNUM *lh, *y2;
511 int ret = -1;
512
513 if (EC_POINT_is_at_infinity(group, point) > 0)
514 return 1;
515
516 field_mul = group->meth->field_mul;
517 field_sqr = group->meth->field_sqr;
518
519 /* only support affine coordinates */
520 if (!point->Z_is_one)
521 return -1;
522
523 BN_CTX_start(ctx);
524
525 if ((y2 = BN_CTX_get(ctx)) == NULL)
526 goto err;
527 if ((lh = BN_CTX_get(ctx)) == NULL)
528 goto err;
529
530 /*
531 * We have a curve defined by a Weierstrass equation y^2 + x*y = x^3
532 * + a*x^2 + b. <=> x^3 + a*x^2 + x*y + b + y^2 = 0 <=> ((x + a) * x
533 * + y ) * x + b + y^2 = 0
534 */
535 if (!BN_GF2m_add(lh, &point->X, &group->a))
536 goto err;
537 if (!field_mul(group, lh, lh, &point->X, ctx))
538 goto err;
539 if (!BN_GF2m_add(lh, lh, &point->Y))
540 goto err;
541 if (!field_mul(group, lh, lh, &point->X, ctx))
542 goto err;
543 if (!BN_GF2m_add(lh, lh, &group->b))
544 goto err;
545 if (!field_sqr(group, y2, &point->Y, ctx))
546 goto err;
547 if (!BN_GF2m_add(lh, lh, y2))
548 goto err;
549
550 ret = BN_is_zero(lh);
551
552 err:
553 BN_CTX_end(ctx);
554
555 return ret;
556}
557
558/*
559 * Indicates whether two points are equal.
560 * Return values:
561 * -1 error
562 * 0 equal (in affine coordinates)
563 * 1 not equal
564 */
565static int
566ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
567 const EC_POINT *b, BN_CTX *ctx)
568{
569 BIGNUM *aX, *aY, *bX, *bY;
570 int ret = -1;
571
572 if (EC_POINT_is_at_infinity(group, a) > 0)
573 return EC_POINT_is_at_infinity(group, b) > 0 ? 0 : 1;
574
575 if (EC_POINT_is_at_infinity(group, b) > 0)
576 return 1;
577
578 if (a->Z_is_one && b->Z_is_one)
579 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
580
581 BN_CTX_start(ctx);
582
583 if ((aX = BN_CTX_get(ctx)) == NULL)
584 goto err;
585 if ((aY = BN_CTX_get(ctx)) == NULL)
586 goto err;
587 if ((bX = BN_CTX_get(ctx)) == NULL)
588 goto err;
589 if ((bY = BN_CTX_get(ctx)) == NULL)
590 goto err;
591
592 if (!EC_POINT_get_affine_coordinates(group, a, aX, aY, ctx))
593 goto err;
594 if (!EC_POINT_get_affine_coordinates(group, b, bX, bY, ctx))
595 goto err;
596 ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
597
598 err:
599 BN_CTX_end(ctx);
600
601 return ret;
602}
603
604/* Forces the given EC_POINT to internally use affine coordinates. */
605static int
606ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
607{
608 BIGNUM *x, *y;
609 int ret = 0;
610
611 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point) > 0)
612 return 1;
613
614 BN_CTX_start(ctx);
615
616 if ((x = BN_CTX_get(ctx)) == NULL)
617 goto err;
618 if ((y = BN_CTX_get(ctx)) == NULL)
619 goto err;
620
621 if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
622 goto err;
623 if (!bn_copy(&point->X, x))
624 goto err;
625 if (!bn_copy(&point->Y, y))
626 goto err;
627 if (!BN_one(&point->Z))
628 goto err;
629
630 ret = 1;
631
632 err:
633 BN_CTX_end(ctx);
634
635 return ret;
636}
637
638/* Forces each of the EC_POINTs in the given array to use affine coordinates. */
639static int
640ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num,
641 EC_POINT *points[], BN_CTX *ctx)
642{
643 size_t i;
644
645 for (i = 0; i < num; i++) {
646 if (!group->meth->make_affine(group, points[i], ctx))
647 return 0;
648 }
649
650 return 1;
651}
652
653/* Wrapper to simple binary polynomial field multiplication implementation. */
654static int
655ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
656 const BIGNUM *b, BN_CTX *ctx)
657{
658 return BN_GF2m_mod_mul_arr(r, a, b, group->poly, ctx);
659}
660
661/* Wrapper to simple binary polynomial field squaring implementation. */
662static int
663ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
664 BN_CTX *ctx)
665{
666 return BN_GF2m_mod_sqr_arr(r, a, group->poly, ctx);
667}
668
669/* Wrapper to simple binary polynomial field division implementation. */
670static int
671ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
672 const BIGNUM *b, BN_CTX *ctx)
673{
674 return BN_GF2m_mod_div(r, a, b, &group->field, ctx);
675}
676
677static const EC_METHOD ec_GF2m_simple_method = {
678 .field_type = NID_X9_62_characteristic_two_field,
679 .group_init = ec_GF2m_simple_group_init,
680 .group_finish = ec_GF2m_simple_group_finish,
681 .group_copy = ec_GF2m_simple_group_copy,
682 .group_set_curve = ec_GF2m_simple_group_set_curve,
683 .group_get_curve = ec_GF2m_simple_group_get_curve,
684 .group_get_degree = ec_GF2m_simple_group_get_degree,
685 .group_order_bits = ec_group_simple_order_bits,
686 .group_check_discriminant = ec_GF2m_simple_group_check_discriminant,
687 .point_init = ec_GF2m_simple_point_init,
688 .point_finish = ec_GF2m_simple_point_finish,
689 .point_copy = ec_GF2m_simple_point_copy,
690 .point_set_to_infinity = ec_GF2m_simple_point_set_to_infinity,
691 .point_set_affine_coordinates =
692 ec_GF2m_simple_point_set_affine_coordinates,
693 .point_get_affine_coordinates =
694 ec_GF2m_simple_point_get_affine_coordinates,
695 .point_set_compressed_coordinates =
696 ec_GF2m_simple_set_compressed_coordinates,
697 .point2oct = ec_GF2m_simple_point2oct,
698 .oct2point = ec_GF2m_simple_oct2point,
699 .add = ec_GF2m_simple_add,
700 .dbl = ec_GF2m_simple_dbl,
701 .invert = ec_GF2m_simple_invert,
702 .is_at_infinity = ec_GF2m_simple_is_at_infinity,
703 .is_on_curve = ec_GF2m_simple_is_on_curve,
704 .point_cmp = ec_GF2m_simple_cmp,
705 .make_affine = ec_GF2m_simple_make_affine,
706 .points_make_affine = ec_GF2m_simple_points_make_affine,
707 .mul_generator_ct = ec_GFp_simple_mul_generator_ct,
708 .mul_single_ct = ec_GFp_simple_mul_single_ct,
709 .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
710 .precompute_mult = ec_GF2m_precompute_mult,
711 .have_precompute_mult = ec_GF2m_have_precompute_mult,
712 .field_mul = ec_GF2m_simple_field_mul,
713 .field_sqr = ec_GF2m_simple_field_sqr,
714 .field_div = ec_GF2m_simple_field_div,
715 .blind_coordinates = NULL,
716};
717
718const EC_METHOD *
719EC_GF2m_simple_method(void)
720{
721 return &ec_GF2m_simple_method;
722}
723#endif
diff --git a/src/lib/libcrypto/ec/ec_asn1.c b/src/lib/libcrypto/ec/ec_asn1.c
index fb6a8e84c1..c62ba226f0 100644
--- a/src/lib/libcrypto/ec/ec_asn1.c
+++ b/src/lib/libcrypto/ec/ec_asn1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_asn1.c,v 1.41 2023/03/08 05:45:31 jsing Exp $ */ 1/* $OpenBSD: ec_asn1.c,v 1.42 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Written by Nils Larsch for the OpenSSL project. 3 * Written by Nils Larsch for the OpenSSL project.
4 */ 4 */
@@ -89,49 +89,6 @@ EC_GROUP_get_basis_type(const EC_GROUP *group)
89 return 0; 89 return 0;
90} 90}
91 91
92#ifndef OPENSSL_NO_EC2M
93int
94EC_GROUP_get_trinomial_basis(const EC_GROUP *group, unsigned int *k)
95{
96 if (group == NULL)
97 return 0;
98
99 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
100 NID_X9_62_characteristic_two_field
101 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0))) {
102 ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
103 return 0;
104 }
105 if (k)
106 *k = group->poly[1];
107
108 return 1;
109}
110
111int
112EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
113 unsigned int *k2, unsigned int *k3)
114{
115 if (group == NULL)
116 return 0;
117
118 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
119 NID_X9_62_characteristic_two_field
120 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0))) {
121 ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
122 return 0;
123 }
124 if (k1)
125 *k1 = group->poly[3];
126 if (k2)
127 *k2 = group->poly[2];
128 if (k3)
129 *k3 = group->poly[1];
130
131 return 1;
132}
133#endif
134
135/* some structures needed for the asn1 encoding */ 92/* some structures needed for the asn1 encoding */
136typedef struct x9_62_pentanomial_st { 93typedef struct x9_62_pentanomial_st {
137 long k1; 94 long k1;
@@ -719,77 +676,10 @@ ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field)
719 ECerror(ERR_R_ASN1_LIB); 676 ECerror(ERR_R_ASN1_LIB);
720 goto err; 677 goto err;
721 } 678 }
722 } else /* nid == NID_X9_62_characteristic_two_field */ 679 } else {
723#ifdef OPENSSL_NO_EC2M
724 {
725 ECerror(EC_R_GF2M_NOT_SUPPORTED); 680 ECerror(EC_R_GF2M_NOT_SUPPORTED);
726 goto err; 681 goto err;
727 } 682 }
728#else
729 {
730 int field_type;
731 X9_62_CHARACTERISTIC_TWO *char_two;
732
733 field->p.char_two = X9_62_CHARACTERISTIC_TWO_new();
734 char_two = field->p.char_two;
735
736 if (char_two == NULL) {
737 ECerror(ERR_R_MALLOC_FAILURE);
738 goto err;
739 }
740 char_two->m = (long) EC_GROUP_get_degree(group);
741
742 field_type = EC_GROUP_get_basis_type(group);
743
744 if (field_type == 0) {
745 ECerror(ERR_R_EC_LIB);
746 goto err;
747 }
748 /* set base type OID */
749 if ((char_two->type = OBJ_nid2obj(field_type)) == NULL) {
750 ECerror(ERR_R_OBJ_LIB);
751 goto err;
752 }
753 if (field_type == NID_X9_62_tpBasis) {
754 unsigned int k;
755
756 if (!EC_GROUP_get_trinomial_basis(group, &k))
757 goto err;
758
759 char_two->p.tpBasis = ASN1_INTEGER_new();
760 if (!char_two->p.tpBasis) {
761 ECerror(ERR_R_MALLOC_FAILURE);
762 goto err;
763 }
764 if (!ASN1_INTEGER_set(char_two->p.tpBasis, (long) k)) {
765 ECerror(ERR_R_ASN1_LIB);
766 goto err;
767 }
768 } else if (field_type == NID_X9_62_ppBasis) {
769 unsigned int k1, k2, k3;
770
771 if (!EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3))
772 goto err;
773
774 char_two->p.ppBasis = X9_62_PENTANOMIAL_new();
775 if (!char_two->p.ppBasis) {
776 ECerror(ERR_R_MALLOC_FAILURE);
777 goto err;
778 }
779 /* set k? values */
780 char_two->p.ppBasis->k1 = (long) k1;
781 char_two->p.ppBasis->k2 = (long) k2;
782 char_two->p.ppBasis->k3 = (long) k3;
783 } else { /* field_type == NID_X9_62_onBasis */
784 /* for ONB the parameters are (asn1) NULL */
785 char_two->p.onBasis = ASN1_NULL_new();
786 if (!char_two->p.onBasis) {
787 ECerror(ERR_R_MALLOC_FAILURE);
788 goto err;
789 }
790 }
791 }
792#endif
793 683
794 ok = 1; 684 ok = 1;
795 685
@@ -1067,86 +957,10 @@ ec_asn1_parameters2group(const ECPARAMETERS *params)
1067 } 957 }
1068 /* get the field parameters */ 958 /* get the field parameters */
1069 tmp = OBJ_obj2nid(params->fieldID->fieldType); 959 tmp = OBJ_obj2nid(params->fieldID->fieldType);
1070 if (tmp == NID_X9_62_characteristic_two_field) 960 if (tmp == NID_X9_62_characteristic_two_field) {
1071#ifdef OPENSSL_NO_EC2M
1072 {
1073 ECerror(EC_R_GF2M_NOT_SUPPORTED); 961 ECerror(EC_R_GF2M_NOT_SUPPORTED);
1074 goto err; 962 goto err;
1075 } 963 } else if (tmp == NID_X9_62_prime_field) {
1076#else
1077 {
1078 X9_62_CHARACTERISTIC_TWO *char_two;
1079
1080 char_two = params->fieldID->p.char_two;
1081
1082 field_bits = char_two->m;
1083 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) {
1084 ECerror(EC_R_FIELD_TOO_LARGE);
1085 goto err;
1086 }
1087 if ((p = BN_new()) == NULL) {
1088 ECerror(ERR_R_MALLOC_FAILURE);
1089 goto err;
1090 }
1091 /* get the base type */
1092 tmp = OBJ_obj2nid(char_two->type);
1093
1094 if (tmp == NID_X9_62_tpBasis) {
1095 long tmp_long;
1096
1097 if (!char_two->p.tpBasis) {
1098 ECerror(EC_R_ASN1_ERROR);
1099 goto err;
1100 }
1101 tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis);
1102
1103 if (!(char_two->m > tmp_long && tmp_long > 0)) {
1104 ECerror(EC_R_INVALID_TRINOMIAL_BASIS);
1105 goto err;
1106 }
1107 /* create the polynomial */
1108 if (!BN_set_bit(p, (int) char_two->m))
1109 goto err;
1110 if (!BN_set_bit(p, (int) tmp_long))
1111 goto err;
1112 if (!BN_set_bit(p, 0))
1113 goto err;
1114 } else if (tmp == NID_X9_62_ppBasis) {
1115 X9_62_PENTANOMIAL *penta;
1116
1117 penta = char_two->p.ppBasis;
1118 if (!penta) {
1119 ECerror(EC_R_ASN1_ERROR);
1120 goto err;
1121 }
1122 if (!(char_two->m > penta->k3 && penta->k3 > penta->k2 && penta->k2 > penta->k1 && penta->k1 > 0)) {
1123 ECerror(EC_R_INVALID_PENTANOMIAL_BASIS);
1124 goto err;
1125 }
1126 /* create the polynomial */
1127 if (!BN_set_bit(p, (int) char_two->m))
1128 goto err;
1129 if (!BN_set_bit(p, (int) penta->k1))
1130 goto err;
1131 if (!BN_set_bit(p, (int) penta->k2))
1132 goto err;
1133 if (!BN_set_bit(p, (int) penta->k3))
1134 goto err;
1135 if (!BN_set_bit(p, 0))
1136 goto err;
1137 } else if (tmp == NID_X9_62_onBasis) {
1138 ECerror(EC_R_NOT_IMPLEMENTED);
1139 goto err;
1140 } else { /* error */
1141 ECerror(EC_R_ASN1_ERROR);
1142 goto err;
1143 }
1144
1145 /* create the EC_GROUP structure */
1146 ret = EC_GROUP_new_curve_GF2m(p, a, b, NULL);
1147 }
1148#endif
1149 else if (tmp == NID_X9_62_prime_field) {
1150 /* we have a curve over a prime field */ 964 /* we have a curve over a prime field */
1151 /* extract the prime number */ 965 /* extract the prime number */
1152 if (!params->fieldID->p.prime) { 966 if (!params->fieldID->p.prime) {
diff --git a/src/lib/libcrypto/ec/ec_curve.c b/src/lib/libcrypto/ec/ec_curve.c
index 324abe8ee1..898e233429 100644
--- a/src/lib/libcrypto/ec/ec_curve.c
+++ b/src/lib/libcrypto/ec/ec_curve.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_curve.c,v 1.26 2023/03/04 14:53:23 jsing Exp $ */ 1/* $OpenBSD: ec_curve.c,v 1.27 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Written by Nils Larsch for the OpenSSL project. 3 * Written by Nils Larsch for the OpenSSL project.
4 */ 4 */
@@ -861,1353 +861,6 @@ static const struct {
861 } 861 }
862}; 862};
863 863
864#ifndef OPENSSL_NO_EC2M
865
866/* characteristic two curves */
867static const struct {
868 EC_CURVE_DATA h;
869 unsigned char data[20 + 15 * 6];
870}
871 _EC_SECG_CHAR2_113R1 = {
872 {
873 NID_X9_62_characteristic_two_field, 20, 15, 2
874 },
875 {
876 0x10, 0xE7, 0x23, 0xAB, 0x14, 0xD6, 0x96, 0xE6, 0x76, 0x87, /* seed */
877 0x56, 0x15, 0x17, 0x56, 0xFE, 0xBF, 0x8F, 0xCB, 0x49, 0xA9,
878
879 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
880 0x00, 0x00, 0x00, 0x02, 0x01,
881 0x00, 0x30, 0x88, 0x25, 0x0C, 0xA6, 0xE7, 0xC7, 0xFE, 0x64, /* a */
882 0x9C, 0xE8, 0x58, 0x20, 0xF7,
883 0x00, 0xE8, 0xBE, 0xE4, 0xD3, 0xE2, 0x26, 0x07, 0x44, 0x18, /* b */
884 0x8B, 0xE0, 0xE9, 0xC7, 0x23,
885 0x00, 0x9D, 0x73, 0x61, 0x6F, 0x35, 0xF4, 0xAB, 0x14, 0x07, /* x */
886 0xD7, 0x35, 0x62, 0xC1, 0x0F,
887 0x00, 0xA5, 0x28, 0x30, 0x27, 0x79, 0x58, 0xEE, 0x84, 0xD1, /* y */
888 0x31, 0x5E, 0xD3, 0x18, 0x86,
889 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD9, 0xCC, /* order */
890 0xEC, 0x8A, 0x39, 0xE5, 0x6F
891 }
892};
893
894static const struct {
895 EC_CURVE_DATA h;
896 unsigned char data[20 + 15 * 6];
897}
898 _EC_SECG_CHAR2_113R2 = {
899 {
900 NID_X9_62_characteristic_two_field, 20, 15, 2
901 },
902 {
903 0x10, 0xC0, 0xFB, 0x15, 0x76, 0x08, 0x60, 0xDE, 0xF1, 0xEE, /* seed */
904 0xF4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x5D,
905
906 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
907 0x00, 0x00, 0x00, 0x02, 0x01,
908 0x00, 0x68, 0x99, 0x18, 0xDB, 0xEC, 0x7E, 0x5A, 0x0D, 0xD6, /* a */
909 0xDF, 0xC0, 0xAA, 0x55, 0xC7,
910 0x00, 0x95, 0xE9, 0xA9, 0xEC, 0x9B, 0x29, 0x7B, 0xD4, 0xBF, /* b */
911 0x36, 0xE0, 0x59, 0x18, 0x4F,
912 0x01, 0xA5, 0x7A, 0x6A, 0x7B, 0x26, 0xCA, 0x5E, 0xF5, 0x2F, /* x */
913 0xCD, 0xB8, 0x16, 0x47, 0x97,
914 0x00, 0xB3, 0xAD, 0xC9, 0x4E, 0xD1, 0xFE, 0x67, 0x4C, 0x06, /* y */
915 0xE6, 0x95, 0xBA, 0xBA, 0x1D,
916 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x78, /* order */
917 0x9B, 0x24, 0x96, 0xAF, 0x93
918 }
919};
920
921static const struct {
922 EC_CURVE_DATA h;
923 unsigned char data[20 + 17 * 6];
924}
925 _EC_SECG_CHAR2_131R1 = {
926 {
927 NID_X9_62_characteristic_two_field, 20, 17, 2
928 },
929 {
930 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, 0x98, /* seed */
931 0x5B, 0xD3, 0xAD, 0xBA, 0xDA, 0x21, 0xB4, 0x3A, 0x97, 0xE2,
932
933 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
934 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x0D,
935 0x07, 0xA1, 0x1B, 0x09, 0xA7, 0x6B, 0x56, 0x21, 0x44, 0x41, /* a */
936 0x8F, 0xF3, 0xFF, 0x8C, 0x25, 0x70, 0xB8,
937 0x02, 0x17, 0xC0, 0x56, 0x10, 0x88, 0x4B, 0x63, 0xB9, 0xC6, /* b */
938 0xC7, 0x29, 0x16, 0x78, 0xF9, 0xD3, 0x41,
939 0x00, 0x81, 0xBA, 0xF9, 0x1F, 0xDF, 0x98, 0x33, 0xC4, 0x0F, /* x */
940 0x9C, 0x18, 0x13, 0x43, 0x63, 0x83, 0x99,
941 0x07, 0x8C, 0x6E, 0x7E, 0xA3, 0x8C, 0x00, 0x1F, 0x73, 0xC8, /* y */
942 0x13, 0x4B, 0x1B, 0x4E, 0xF9, 0xE1, 0x50,
943 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x31, /* order */
944 0x23, 0x95, 0x3A, 0x94, 0x64, 0xB5, 0x4D
945 }
946};
947
948static const struct {
949 EC_CURVE_DATA h;
950 unsigned char data[20 + 17 * 6];
951}
952 _EC_SECG_CHAR2_131R2 = {
953 {
954 NID_X9_62_characteristic_two_field, 20, 17, 2
955 },
956 {
957 0x98, 0x5B, 0xD3, 0xAD, 0xBA, 0xD4, 0xD6, 0x96, 0xE6, 0x76, /* seed */
958 0x87, 0x56, 0x15, 0x17, 0x5A, 0x21, 0xB4, 0x3A, 0x97, 0xE3,
959
960 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
961 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x0D,
962 0x03, 0xE5, 0xA8, 0x89, 0x19, 0xD7, 0xCA, 0xFC, 0xBF, 0x41, /* a */
963 0x5F, 0x07, 0xC2, 0x17, 0x65, 0x73, 0xB2,
964 0x04, 0xB8, 0x26, 0x6A, 0x46, 0xC5, 0x56, 0x57, 0xAC, 0x73, /* b */
965 0x4C, 0xE3, 0x8F, 0x01, 0x8F, 0x21, 0x92,
966 0x03, 0x56, 0xDC, 0xD8, 0xF2, 0xF9, 0x50, 0x31, 0xAD, 0x65, /* x */
967 0x2D, 0x23, 0x95, 0x1B, 0xB3, 0x66, 0xA8,
968 0x06, 0x48, 0xF0, 0x6D, 0x86, 0x79, 0x40, 0xA5, 0x36, 0x6D, /* y */
969 0x9E, 0x26, 0x5D, 0xE9, 0xEB, 0x24, 0x0F,
970 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x69, /* order */
971 0x54, 0xA2, 0x33, 0x04, 0x9B, 0xA9, 0x8F
972 }
973};
974
975static const struct {
976 EC_CURVE_DATA h;
977 unsigned char data[0 + 21 * 6];
978}
979 _EC_NIST_CHAR2_163K = {
980 {
981 NID_X9_62_characteristic_two_field, 0, 21, 2
982 },
983 { /* no seed */
984 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
985 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
986 0xC9,
987 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
988 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
989 0x01,
990 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
991 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
992 0x01,
993 0x02, 0xFE, 0x13, 0xC0, 0x53, 0x7B, 0xBC, 0x11, 0xAC, 0xAA, /* x */
994 0x07, 0xD7, 0x93, 0xDE, 0x4E, 0x6D, 0x5E, 0x5C, 0x94, 0xEE,
995 0xE8,
996 0x02, 0x89, 0x07, 0x0F, 0xB0, 0x5D, 0x38, 0xFF, 0x58, 0x32, /* y */
997 0x1F, 0x2E, 0x80, 0x05, 0x36, 0xD5, 0x38, 0xCC, 0xDA, 0xA3,
998 0xD9,
999 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1000 0x02, 0x01, 0x08, 0xA2, 0xE0, 0xCC, 0x0D, 0x99, 0xF8, 0xA5,
1001 0xEF
1002 }
1003};
1004
1005static const struct {
1006 EC_CURVE_DATA h;
1007 unsigned char data[0 + 21 * 6];
1008}
1009 _EC_SECG_CHAR2_163R1 = {
1010 {
1011 NID_X9_62_characteristic_two_field, 0, 21, 2
1012 },
1013 { /* no seed */
1014 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1015 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1016 0xC9,
1017 0x07, 0xB6, 0x88, 0x2C, 0xAA, 0xEF, 0xA8, 0x4F, 0x95, 0x54, /* a */
1018 0xFF, 0x84, 0x28, 0xBD, 0x88, 0xE2, 0x46, 0xD2, 0x78, 0x2A,
1019 0xE2,
1020 0x07, 0x13, 0x61, 0x2D, 0xCD, 0xDC, 0xB4, 0x0A, 0xAB, 0x94, /* b */
1021 0x6B, 0xDA, 0x29, 0xCA, 0x91, 0xF7, 0x3A, 0xF9, 0x58, 0xAF,
1022 0xD9,
1023 0x03, 0x69, 0x97, 0x96, 0x97, 0xAB, 0x43, 0x89, 0x77, 0x89, /* x */
1024 0x56, 0x67, 0x89, 0x56, 0x7F, 0x78, 0x7A, 0x78, 0x76, 0xA6,
1025 0x54,
1026 0x00, 0x43, 0x5E, 0xDB, 0x42, 0xEF, 0xAF, 0xB2, 0x98, 0x9D, /* y */
1027 0x51, 0xFE, 0xFC, 0xE3, 0xC8, 0x09, 0x88, 0xF4, 0x1F, 0xF8,
1028 0x83,
1029 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1030 0xFF, 0x48, 0xAA, 0xB6, 0x89, 0xC2, 0x9C, 0xA7, 0x10, 0x27,
1031 0x9B
1032 }
1033};
1034
1035static const struct {
1036 EC_CURVE_DATA h;
1037 unsigned char data[0 + 21 * 6];
1038}
1039 _EC_NIST_CHAR2_163B = {
1040 {
1041 NID_X9_62_characteristic_two_field, 0, 21, 2
1042 },
1043 { /* no seed */
1044 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1045 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1046 0xC9,
1047 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1048 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1049 0x01,
1050 0x02, 0x0A, 0x60, 0x19, 0x07, 0xB8, 0xC9, 0x53, 0xCA, 0x14, /* b */
1051 0x81, 0xEB, 0x10, 0x51, 0x2F, 0x78, 0x74, 0x4A, 0x32, 0x05,
1052 0xFD,
1053 0x03, 0xF0, 0xEB, 0xA1, 0x62, 0x86, 0xA2, 0xD5, 0x7E, 0xA0, /* x */
1054 0x99, 0x11, 0x68, 0xD4, 0x99, 0x46, 0x37, 0xE8, 0x34, 0x3E,
1055 0x36,
1056 0x00, 0xD5, 0x1F, 0xBC, 0x6C, 0x71, 0xA0, 0x09, 0x4F, 0xA2, /* y */
1057 0xCD, 0xD5, 0x45, 0xB1, 0x1C, 0x5C, 0x0C, 0x79, 0x73, 0x24,
1058 0xF1,
1059 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1060 0x02, 0x92, 0xFE, 0x77, 0xE7, 0x0C, 0x12, 0xA4, 0x23, 0x4C,
1061 0x33
1062 }
1063};
1064
1065static const struct {
1066 EC_CURVE_DATA h;
1067 unsigned char data[20 + 25 * 6];
1068}
1069 _EC_SECG_CHAR2_193R1 = {
1070 {
1071 NID_X9_62_characteristic_two_field, 20, 25, 2
1072 },
1073 {
1074 0x10, 0x3F, 0xAE, 0xC7, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, /* seed */
1075 0x61, 0x51, 0x75, 0x77, 0x7F, 0xC5, 0xB1, 0x91, 0xEF, 0x30,
1076
1077 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1078 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1079 0x00, 0x00, 0x00, 0x80, 0x01,
1080 0x00, 0x17, 0x85, 0x8F, 0xEB, 0x7A, 0x98, 0x97, 0x51, 0x69, /* a */
1081 0xE1, 0x71, 0xF7, 0x7B, 0x40, 0x87, 0xDE, 0x09, 0x8A, 0xC8,
1082 0xA9, 0x11, 0xDF, 0x7B, 0x01,
1083 0x00, 0xFD, 0xFB, 0x49, 0xBF, 0xE6, 0xC3, 0xA8, 0x9F, 0xAC, /* b */
1084 0xAD, 0xAA, 0x7A, 0x1E, 0x5B, 0xBC, 0x7C, 0xC1, 0xC2, 0xE5,
1085 0xD8, 0x31, 0x47, 0x88, 0x14,
1086 0x01, 0xF4, 0x81, 0xBC, 0x5F, 0x0F, 0xF8, 0x4A, 0x74, 0xAD, /* x */
1087 0x6C, 0xDF, 0x6F, 0xDE, 0xF4, 0xBF, 0x61, 0x79, 0x62, 0x53,
1088 0x72, 0xD8, 0xC0, 0xC5, 0xE1,
1089 0x00, 0x25, 0xE3, 0x99, 0xF2, 0x90, 0x37, 0x12, 0xCC, 0xF3, /* y */
1090 0xEA, 0x9E, 0x3A, 0x1A, 0xD1, 0x7F, 0xB0, 0xB3, 0x20, 0x1B,
1091 0x6A, 0xF7, 0xCE, 0x1B, 0x05,
1092 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1093 0x00, 0x00, 0x00, 0xC7, 0xF3, 0x4A, 0x77, 0x8F, 0x44, 0x3A,
1094 0xCC, 0x92, 0x0E, 0xBA, 0x49
1095 }
1096};
1097
1098static const struct {
1099 EC_CURVE_DATA h;
1100 unsigned char data[20 + 25 * 6];
1101}
1102 _EC_SECG_CHAR2_193R2 = {
1103 {
1104 NID_X9_62_characteristic_two_field, 20, 25, 2
1105 },
1106 {
1107 0x10, 0xB7, 0xB4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, /* seed */
1108 0x17, 0x51, 0x37, 0xC8, 0xA1, 0x6F, 0xD0, 0xDA, 0x22, 0x11,
1109
1110 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1111 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1112 0x00, 0x00, 0x00, 0x80, 0x01,
1113 0x01, 0x63, 0xF3, 0x5A, 0x51, 0x37, 0xC2, 0xCE, 0x3E, 0xA6, /* a */
1114 0xED, 0x86, 0x67, 0x19, 0x0B, 0x0B, 0xC4, 0x3E, 0xCD, 0x69,
1115 0x97, 0x77, 0x02, 0x70, 0x9B,
1116 0x00, 0xC9, 0xBB, 0x9E, 0x89, 0x27, 0xD4, 0xD6, 0x4C, 0x37, /* b */
1117 0x7E, 0x2A, 0xB2, 0x85, 0x6A, 0x5B, 0x16, 0xE3, 0xEF, 0xB7,
1118 0xF6, 0x1D, 0x43, 0x16, 0xAE,
1119 0x00, 0xD9, 0xB6, 0x7D, 0x19, 0x2E, 0x03, 0x67, 0xC8, 0x03, /* x */
1120 0xF3, 0x9E, 0x1A, 0x7E, 0x82, 0xCA, 0x14, 0xA6, 0x51, 0x35,
1121 0x0A, 0xAE, 0x61, 0x7E, 0x8F,
1122 0x01, 0xCE, 0x94, 0x33, 0x56, 0x07, 0xC3, 0x04, 0xAC, 0x29, /* y */
1123 0xE7, 0xDE, 0xFB, 0xD9, 0xCA, 0x01, 0xF5, 0x96, 0xF9, 0x27,
1124 0x22, 0x4C, 0xDE, 0xCF, 0x6C,
1125 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1126 0x00, 0x00, 0x01, 0x5A, 0xAB, 0x56, 0x1B, 0x00, 0x54, 0x13,
1127 0xCC, 0xD4, 0xEE, 0x99, 0xD5
1128 }
1129};
1130
1131static const struct {
1132 EC_CURVE_DATA h;
1133 unsigned char data[0 + 30 * 6];
1134}
1135 _EC_NIST_CHAR2_233K = {
1136 {
1137 NID_X9_62_characteristic_two_field, 0, 30, 4
1138 },
1139 { /* no seed */
1140 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1141 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1142 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1143
1144 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1147
1148 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1149 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1150 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1151
1152 0x01, 0x72, 0x32, 0xBA, 0x85, 0x3A, 0x7E, 0x73, 0x1A, 0xF1, /* x */
1153 0x29, 0xF2, 0x2F, 0xF4, 0x14, 0x95, 0x63, 0xA4, 0x19, 0xC2,
1154 0x6B, 0xF5, 0x0A, 0x4C, 0x9D, 0x6E, 0xEF, 0xAD, 0x61, 0x26,
1155
1156 0x01, 0xDB, 0x53, 0x7D, 0xEC, 0xE8, 0x19, 0xB7, 0xF7, 0x0F, /* y */
1157 0x55, 0x5A, 0x67, 0xC4, 0x27, 0xA8, 0xCD, 0x9B, 0xF1, 0x8A,
1158 0xEB, 0x9B, 0x56, 0xE0, 0xC1, 0x10, 0x56, 0xFA, 0xE6, 0xA3,
1159
1160 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1161 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x9D, 0x5B, 0xB9, 0x15,
1162 0xBC, 0xD4, 0x6E, 0xFB, 0x1A, 0xD5, 0xF1, 0x73, 0xAB, 0xDF
1163 }
1164};
1165
1166static const struct {
1167 EC_CURVE_DATA h;
1168 unsigned char data[20 + 30 * 6];
1169}
1170 _EC_NIST_CHAR2_233B = {
1171 {
1172 NID_X9_62_characteristic_two_field, 20, 30, 2
1173 },
1174 {
1175 0x74, 0xD5, 0x9F, 0xF0, 0x7F, 0x6B, 0x41, 0x3D, 0x0E, 0xA1, /* seed */
1176 0x4B, 0x34, 0x4B, 0x20, 0xA2, 0xDB, 0x04, 0x9B, 0x50, 0xC3,
1177
1178 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1179 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1180 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1181
1182 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1183 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1184 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1185
1186 0x00, 0x66, 0x64, 0x7E, 0xDE, 0x6C, 0x33, 0x2C, 0x7F, 0x8C, /* b */
1187 0x09, 0x23, 0xBB, 0x58, 0x21, 0x3B, 0x33, 0x3B, 0x20, 0xE9,
1188 0xCE, 0x42, 0x81, 0xFE, 0x11, 0x5F, 0x7D, 0x8F, 0x90, 0xAD,
1189
1190 0x00, 0xFA, 0xC9, 0xDF, 0xCB, 0xAC, 0x83, 0x13, 0xBB, 0x21, /* x */
1191 0x39, 0xF1, 0xBB, 0x75, 0x5F, 0xEF, 0x65, 0xBC, 0x39, 0x1F,
1192 0x8B, 0x36, 0xF8, 0xF8, 0xEB, 0x73, 0x71, 0xFD, 0x55, 0x8B,
1193
1194 0x01, 0x00, 0x6A, 0x08, 0xA4, 0x19, 0x03, 0x35, 0x06, 0x78, /* y */
1195 0xE5, 0x85, 0x28, 0xBE, 0xBF, 0x8A, 0x0B, 0xEF, 0xF8, 0x67,
1196 0xA7, 0xCA, 0x36, 0x71, 0x6F, 0x7E, 0x01, 0xF8, 0x10, 0x52,
1197
1198 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1199 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0xE9, 0x74, 0xE7, 0x2F,
1200 0x8A, 0x69, 0x22, 0x03, 0x1D, 0x26, 0x03, 0xCF, 0xE0, 0xD7
1201 }
1202};
1203
1204static const struct {
1205 EC_CURVE_DATA h;
1206 unsigned char data[0 + 30 * 6];
1207}
1208 _EC_SECG_CHAR2_239K1 = {
1209 {
1210 NID_X9_62_characteristic_two_field, 0, 30, 4
1211 },
1212 { /* no seed */
1213 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1214 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1215 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1216
1217 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1218 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1219 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1220
1221 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1224
1225 0x29, 0xA0, 0xB6, 0xA8, 0x87, 0xA9, 0x83, 0xE9, 0x73, 0x09, /* x */
1226 0x88, 0xA6, 0x87, 0x27, 0xA8, 0xB2, 0xD1, 0x26, 0xC4, 0x4C,
1227 0xC2, 0xCC, 0x7B, 0x2A, 0x65, 0x55, 0x19, 0x30, 0x35, 0xDC,
1228
1229 0x76, 0x31, 0x08, 0x04, 0xF1, 0x2E, 0x54, 0x9B, 0xDB, 0x01, /* y */
1230 0x1C, 0x10, 0x30, 0x89, 0xE7, 0x35, 0x10, 0xAC, 0xB2, 0x75,
1231 0xFC, 0x31, 0x2A, 0x5D, 0xC6, 0xB7, 0x65, 0x53, 0xF0, 0xCA,
1232
1233 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1234 0x00, 0x00, 0x00, 0x00, 0x00, 0x5A, 0x79, 0xFE, 0xC6, 0x7C,
1235 0xB6, 0xE9, 0x1F, 0x1C, 0x1D, 0xA8, 0x00, 0xE4, 0x78, 0xA5
1236 }
1237};
1238
1239static const struct {
1240 EC_CURVE_DATA h;
1241 unsigned char data[0 + 36 * 6];
1242}
1243 _EC_NIST_CHAR2_283K = {
1244 {
1245 NID_X9_62_characteristic_two_field, 0, 36, 4
1246 },
1247 { /* no seed */
1248 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1249 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1250 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1251 0x00, 0x00, 0x00, 0x00, 0x10, 0xA1,
1252 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1253 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1254 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1256 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1257 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1258 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1259 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1260 0x05, 0x03, 0x21, 0x3F, 0x78, 0xCA, 0x44, 0x88, 0x3F, 0x1A, /* x */
1261 0x3B, 0x81, 0x62, 0xF1, 0x88, 0xE5, 0x53, 0xCD, 0x26, 0x5F,
1262 0x23, 0xC1, 0x56, 0x7A, 0x16, 0x87, 0x69, 0x13, 0xB0, 0xC2,
1263 0xAC, 0x24, 0x58, 0x49, 0x28, 0x36,
1264 0x01, 0xCC, 0xDA, 0x38, 0x0F, 0x1C, 0x9E, 0x31, 0x8D, 0x90, /* y */
1265 0xF9, 0x5D, 0x07, 0xE5, 0x42, 0x6F, 0xE8, 0x7E, 0x45, 0xC0,
1266 0xE8, 0x18, 0x46, 0x98, 0xE4, 0x59, 0x62, 0x36, 0x4E, 0x34,
1267 0x11, 0x61, 0x77, 0xDD, 0x22, 0x59,
1268 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1269 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE9, 0xAE,
1270 0x2E, 0xD0, 0x75, 0x77, 0x26, 0x5D, 0xFF, 0x7F, 0x94, 0x45,
1271 0x1E, 0x06, 0x1E, 0x16, 0x3C, 0x61
1272 }
1273};
1274
1275static const struct {
1276 EC_CURVE_DATA h;
1277 unsigned char data[20 + 36 * 6];
1278}
1279 _EC_NIST_CHAR2_283B = {
1280 {
1281 NID_X9_62_characteristic_two_field, 20, 36, 2
1282 },
1283 {
1284 0x77, 0xE2, 0xB0, 0x73, 0x70, 0xEB, 0x0F, 0x83, 0x2A, 0x6D, /* no seed */
1285 0xD5, 0xB6, 0x2D, 0xFC, 0x88, 0xCD, 0x06, 0xBB, 0x84, 0xBE,
1286
1287 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1288 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1289 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1290 0x00, 0x00, 0x00, 0x00, 0x10, 0xA1,
1291 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1292 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1294 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1295 0x02, 0x7B, 0x68, 0x0A, 0xC8, 0xB8, 0x59, 0x6D, 0xA5, 0xA4, /* b */
1296 0xAF, 0x8A, 0x19, 0xA0, 0x30, 0x3F, 0xCA, 0x97, 0xFD, 0x76,
1297 0x45, 0x30, 0x9F, 0xA2, 0xA5, 0x81, 0x48, 0x5A, 0xF6, 0x26,
1298 0x3E, 0x31, 0x3B, 0x79, 0xA2, 0xF5,
1299 0x05, 0xF9, 0x39, 0x25, 0x8D, 0xB7, 0xDD, 0x90, 0xE1, 0x93, /* x */
1300 0x4F, 0x8C, 0x70, 0xB0, 0xDF, 0xEC, 0x2E, 0xED, 0x25, 0xB8,
1301 0x55, 0x7E, 0xAC, 0x9C, 0x80, 0xE2, 0xE1, 0x98, 0xF8, 0xCD,
1302 0xBE, 0xCD, 0x86, 0xB1, 0x20, 0x53,
1303 0x03, 0x67, 0x68, 0x54, 0xFE, 0x24, 0x14, 0x1C, 0xB9, 0x8F, /* y */
1304 0xE6, 0xD4, 0xB2, 0x0D, 0x02, 0xB4, 0x51, 0x6F, 0xF7, 0x02,
1305 0x35, 0x0E, 0xDD, 0xB0, 0x82, 0x67, 0x79, 0xC8, 0x13, 0xF0,
1306 0xDF, 0x45, 0xBE, 0x81, 0x12, 0xF4,
1307 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1308 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xEF, 0x90,
1309 0x39, 0x96, 0x60, 0xFC, 0x93, 0x8A, 0x90, 0x16, 0x5B, 0x04,
1310 0x2A, 0x7C, 0xEF, 0xAD, 0xB3, 0x07
1311 }
1312};
1313
1314static const struct {
1315 EC_CURVE_DATA h;
1316 unsigned char data[0 + 52 * 6];
1317}
1318 _EC_NIST_CHAR2_409K = {
1319 {
1320 NID_X9_62_characteristic_two_field, 0, 52, 4
1321 },
1322 { /* no seed */
1323 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1324 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1325 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1326 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1327 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1328 0x00, 0x01,
1329 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1330 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1331 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1332 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1333 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1334 0x00, 0x00,
1335 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1336 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1338 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1339 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1340 0x00, 0x01,
1341 0x00, 0x60, 0xF0, 0x5F, 0x65, 0x8F, 0x49, 0xC1, 0xAD, 0x3A, /* x */
1342 0xB1, 0x89, 0x0F, 0x71, 0x84, 0x21, 0x0E, 0xFD, 0x09, 0x87,
1343 0xE3, 0x07, 0xC8, 0x4C, 0x27, 0xAC, 0xCF, 0xB8, 0xF9, 0xF6,
1344 0x7C, 0xC2, 0xC4, 0x60, 0x18, 0x9E, 0xB5, 0xAA, 0xAA, 0x62,
1345 0xEE, 0x22, 0x2E, 0xB1, 0xB3, 0x55, 0x40, 0xCF, 0xE9, 0x02,
1346 0x37, 0x46,
1347 0x01, 0xE3, 0x69, 0x05, 0x0B, 0x7C, 0x4E, 0x42, 0xAC, 0xBA, /* y */
1348 0x1D, 0xAC, 0xBF, 0x04, 0x29, 0x9C, 0x34, 0x60, 0x78, 0x2F,
1349 0x91, 0x8E, 0xA4, 0x27, 0xE6, 0x32, 0x51, 0x65, 0xE9, 0xEA,
1350 0x10, 0xE3, 0xDA, 0x5F, 0x6C, 0x42, 0xE9, 0xC5, 0x52, 0x15,
1351 0xAA, 0x9C, 0xA2, 0x7A, 0x58, 0x63, 0xEC, 0x48, 0xD8, 0xE0,
1352 0x28, 0x6B,
1353 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1354 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1355 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0x5F, 0x83, 0xB2,
1356 0xD4, 0xEA, 0x20, 0x40, 0x0E, 0xC4, 0x55, 0x7D, 0x5E, 0xD3,
1357 0xE3, 0xE7, 0xCA, 0x5B, 0x4B, 0x5C, 0x83, 0xB8, 0xE0, 0x1E,
1358 0x5F, 0xCF
1359 }
1360};
1361
1362static const struct {
1363 EC_CURVE_DATA h;
1364 unsigned char data[20 + 52 * 6];
1365}
1366 _EC_NIST_CHAR2_409B = {
1367 {
1368 NID_X9_62_characteristic_two_field, 20, 52, 2
1369 },
1370 {
1371 0x40, 0x99, 0xB5, 0xA4, 0x57, 0xF9, 0xD6, 0x9F, 0x79, 0x21, /* seed */
1372 0x3D, 0x09, 0x4C, 0x4B, 0xCD, 0x4D, 0x42, 0x62, 0x21, 0x0B,
1373
1374 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1375 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1376 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1377 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1378 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1379 0x00, 0x01,
1380 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1381 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1385 0x00, 0x01,
1386 0x00, 0x21, 0xA5, 0xC2, 0xC8, 0xEE, 0x9F, 0xEB, 0x5C, 0x4B, /* b */
1387 0x9A, 0x75, 0x3B, 0x7B, 0x47, 0x6B, 0x7F, 0xD6, 0x42, 0x2E,
1388 0xF1, 0xF3, 0xDD, 0x67, 0x47, 0x61, 0xFA, 0x99, 0xD6, 0xAC,
1389 0x27, 0xC8, 0xA9, 0xA1, 0x97, 0xB2, 0x72, 0x82, 0x2F, 0x6C,
1390 0xD5, 0x7A, 0x55, 0xAA, 0x4F, 0x50, 0xAE, 0x31, 0x7B, 0x13,
1391 0x54, 0x5F,
1392 0x01, 0x5D, 0x48, 0x60, 0xD0, 0x88, 0xDD, 0xB3, 0x49, 0x6B, /* x */
1393 0x0C, 0x60, 0x64, 0x75, 0x62, 0x60, 0x44, 0x1C, 0xDE, 0x4A,
1394 0xF1, 0x77, 0x1D, 0x4D, 0xB0, 0x1F, 0xFE, 0x5B, 0x34, 0xE5,
1395 0x97, 0x03, 0xDC, 0x25, 0x5A, 0x86, 0x8A, 0x11, 0x80, 0x51,
1396 0x56, 0x03, 0xAE, 0xAB, 0x60, 0x79, 0x4E, 0x54, 0xBB, 0x79,
1397 0x96, 0xA7,
1398 0x00, 0x61, 0xB1, 0xCF, 0xAB, 0x6B, 0xE5, 0xF3, 0x2B, 0xBF, /* y */
1399 0xA7, 0x83, 0x24, 0xED, 0x10, 0x6A, 0x76, 0x36, 0xB9, 0xC5,
1400 0xA7, 0xBD, 0x19, 0x8D, 0x01, 0x58, 0xAA, 0x4F, 0x54, 0x88,
1401 0xD0, 0x8F, 0x38, 0x51, 0x4F, 0x1F, 0xDF, 0x4B, 0x4F, 0x40,
1402 0xD2, 0x18, 0x1B, 0x36, 0x81, 0xC3, 0x64, 0xBA, 0x02, 0x73,
1403 0xC7, 0x06,
1404 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1405 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1406 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xE2, 0xAA, 0xD6,
1407 0xA6, 0x12, 0xF3, 0x33, 0x07, 0xBE, 0x5F, 0xA4, 0x7C, 0x3C,
1408 0x9E, 0x05, 0x2F, 0x83, 0x81, 0x64, 0xCD, 0x37, 0xD9, 0xA2,
1409 0x11, 0x73
1410 }
1411};
1412
1413static const struct {
1414 EC_CURVE_DATA h;
1415 unsigned char data[0 + 72 * 6];
1416}
1417 _EC_NIST_CHAR2_571K = {
1418 {
1419 NID_X9_62_characteristic_two_field, 0, 72, 4
1420 },
1421 { /* no seed */
1422 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1423 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1424 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1425 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1426 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1428 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1429 0x04, 0x25,
1430 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1431 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1432 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1433 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1434 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1435 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1436 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1437 0x00, 0x00,
1438 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1439 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1440 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1441 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1442 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1443 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1444 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1445 0x00, 0x01,
1446 0x02, 0x6E, 0xB7, 0xA8, 0x59, 0x92, 0x3F, 0xBC, 0x82, 0x18, /* x */
1447 0x96, 0x31, 0xF8, 0x10, 0x3F, 0xE4, 0xAC, 0x9C, 0xA2, 0x97,
1448 0x00, 0x12, 0xD5, 0xD4, 0x60, 0x24, 0x80, 0x48, 0x01, 0x84,
1449 0x1C, 0xA4, 0x43, 0x70, 0x95, 0x84, 0x93, 0xB2, 0x05, 0xE6,
1450 0x47, 0xDA, 0x30, 0x4D, 0xB4, 0xCE, 0xB0, 0x8C, 0xBB, 0xD1,
1451 0xBA, 0x39, 0x49, 0x47, 0x76, 0xFB, 0x98, 0x8B, 0x47, 0x17,
1452 0x4D, 0xCA, 0x88, 0xC7, 0xE2, 0x94, 0x52, 0x83, 0xA0, 0x1C,
1453 0x89, 0x72,
1454 0x03, 0x49, 0xDC, 0x80, 0x7F, 0x4F, 0xBF, 0x37, 0x4F, 0x4A, /* y */
1455 0xEA, 0xDE, 0x3B, 0xCA, 0x95, 0x31, 0x4D, 0xD5, 0x8C, 0xEC,
1456 0x9F, 0x30, 0x7A, 0x54, 0xFF, 0xC6, 0x1E, 0xFC, 0x00, 0x6D,
1457 0x8A, 0x2C, 0x9D, 0x49, 0x79, 0xC0, 0xAC, 0x44, 0xAE, 0xA7,
1458 0x4F, 0xBE, 0xBB, 0xB9, 0xF7, 0x72, 0xAE, 0xDC, 0xB6, 0x20,
1459 0xB0, 0x1A, 0x7B, 0xA7, 0xAF, 0x1B, 0x32, 0x04, 0x30, 0xC8,
1460 0x59, 0x19, 0x84, 0xF6, 0x01, 0xCD, 0x4C, 0x14, 0x3E, 0xF1,
1461 0xC7, 0xA3,
1462 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x18, 0x50, 0xE1,
1466 0xF1, 0x9A, 0x63, 0xE4, 0xB3, 0x91, 0xA8, 0xDB, 0x91, 0x7F,
1467 0x41, 0x38, 0xB6, 0x30, 0xD8, 0x4B, 0xE5, 0xD6, 0x39, 0x38,
1468 0x1E, 0x91, 0xDE, 0xB4, 0x5C, 0xFE, 0x77, 0x8F, 0x63, 0x7C,
1469 0x10, 0x01
1470 }
1471};
1472
1473static const struct {
1474 EC_CURVE_DATA h;
1475 unsigned char data[20 + 72 * 6];
1476}
1477 _EC_NIST_CHAR2_571B = {
1478 {
1479 NID_X9_62_characteristic_two_field, 20, 72, 2
1480 },
1481 {
1482 0x2A, 0xA0, 0x58, 0xF7, 0x3A, 0x0E, 0x33, 0xAB, 0x48, 0x6B, /* seed */
1483 0x0F, 0x61, 0x04, 0x10, 0xC5, 0x3A, 0x7F, 0x13, 0x23, 0x10,
1484
1485 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1486 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1487 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1488 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1489 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1490 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1491 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1492 0x04, 0x25,
1493 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1494 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1500 0x00, 0x01,
1501 0x02, 0xF4, 0x0E, 0x7E, 0x22, 0x21, 0xF2, 0x95, 0xDE, 0x29, /* b */
1502 0x71, 0x17, 0xB7, 0xF3, 0xD6, 0x2F, 0x5C, 0x6A, 0x97, 0xFF,
1503 0xCB, 0x8C, 0xEF, 0xF1, 0xCD, 0x6B, 0xA8, 0xCE, 0x4A, 0x9A,
1504 0x18, 0xAD, 0x84, 0xFF, 0xAB, 0xBD, 0x8E, 0xFA, 0x59, 0x33,
1505 0x2B, 0xE7, 0xAD, 0x67, 0x56, 0xA6, 0x6E, 0x29, 0x4A, 0xFD,
1506 0x18, 0x5A, 0x78, 0xFF, 0x12, 0xAA, 0x52, 0x0E, 0x4D, 0xE7,
1507 0x39, 0xBA, 0xCA, 0x0C, 0x7F, 0xFE, 0xFF, 0x7F, 0x29, 0x55,
1508 0x72, 0x7A,
1509 0x03, 0x03, 0x00, 0x1D, 0x34, 0xB8, 0x56, 0x29, 0x6C, 0x16, /* x */
1510 0xC0, 0xD4, 0x0D, 0x3C, 0xD7, 0x75, 0x0A, 0x93, 0xD1, 0xD2,
1511 0x95, 0x5F, 0xA8, 0x0A, 0xA5, 0xF4, 0x0F, 0xC8, 0xDB, 0x7B,
1512 0x2A, 0xBD, 0xBD, 0xE5, 0x39, 0x50, 0xF4, 0xC0, 0xD2, 0x93,
1513 0xCD, 0xD7, 0x11, 0xA3, 0x5B, 0x67, 0xFB, 0x14, 0x99, 0xAE,
1514 0x60, 0x03, 0x86, 0x14, 0xF1, 0x39, 0x4A, 0xBF, 0xA3, 0xB4,
1515 0xC8, 0x50, 0xD9, 0x27, 0xE1, 0xE7, 0x76, 0x9C, 0x8E, 0xEC,
1516 0x2D, 0x19,
1517 0x03, 0x7B, 0xF2, 0x73, 0x42, 0xDA, 0x63, 0x9B, 0x6D, 0xCC, /* y */
1518 0xFF, 0xFE, 0xB7, 0x3D, 0x69, 0xD7, 0x8C, 0x6C, 0x27, 0xA6,
1519 0x00, 0x9C, 0xBB, 0xCA, 0x19, 0x80, 0xF8, 0x53, 0x39, 0x21,
1520 0xE8, 0xA6, 0x84, 0x42, 0x3E, 0x43, 0xBA, 0xB0, 0x8A, 0x57,
1521 0x62, 0x91, 0xAF, 0x8F, 0x46, 0x1B, 0xB2, 0xA8, 0xB3, 0x53,
1522 0x1D, 0x2F, 0x04, 0x85, 0xC1, 0x9B, 0x16, 0xE2, 0xF1, 0x51,
1523 0x6E, 0x23, 0xDD, 0x3C, 0x1A, 0x48, 0x27, 0xAF, 0x1B, 0x8A,
1524 0xC1, 0x5B,
1525 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1526 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1527 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1528 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE6, 0x61, 0xCE, 0x18,
1529 0xFF, 0x55, 0x98, 0x73, 0x08, 0x05, 0x9B, 0x18, 0x68, 0x23,
1530 0x85, 0x1E, 0xC7, 0xDD, 0x9C, 0xA1, 0x16, 0x1D, 0xE9, 0x3D,
1531 0x51, 0x74, 0xD6, 0x6E, 0x83, 0x82, 0xE9, 0xBB, 0x2F, 0xE8,
1532 0x4E, 0x47
1533 }
1534};
1535
1536static const struct {
1537 EC_CURVE_DATA h;
1538 unsigned char data[20 + 21 * 6];
1539}
1540 _EC_X9_62_CHAR2_163V1 = {
1541 {
1542 NID_X9_62_characteristic_two_field, 20, 21, 2
1543 },
1544 {
1545 0xD2, 0xC0, 0xFB, 0x15, 0x76, 0x08, 0x60, 0xDE, 0xF1, 0xEE,
1546 0xF4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x54, /* seed */
1547
1548 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1549 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1550 0x07,
1551 0x07, 0x25, 0x46, 0xB5, 0x43, 0x52, 0x34, 0xA4, 0x22, 0xE0, /* a */
1552 0x78, 0x96, 0x75, 0xF4, 0x32, 0xC8, 0x94, 0x35, 0xDE, 0x52,
1553 0x42,
1554 0x00, 0xC9, 0x51, 0x7D, 0x06, 0xD5, 0x24, 0x0D, 0x3C, 0xFF, /* b */
1555 0x38, 0xC7, 0x4B, 0x20, 0xB6, 0xCD, 0x4D, 0x6F, 0x9D, 0xD4,
1556 0xD9,
1557 0x07, 0xAF, 0x69, 0x98, 0x95, 0x46, 0x10, 0x3D, 0x79, 0x32, /* x */
1558 0x9F, 0xCC, 0x3D, 0x74, 0x88, 0x0F, 0x33, 0xBB, 0xE8, 0x03,
1559 0xCB,
1560 0x01, 0xEC, 0x23, 0x21, 0x1B, 0x59, 0x66, 0xAD, 0xEA, 0x1D, /* y */
1561 0x3F, 0x87, 0xF7, 0xEA, 0x58, 0x48, 0xAE, 0xF0, 0xB7, 0xCA,
1562 0x9F,
1563 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1564 0x01, 0xE6, 0x0F, 0xC8, 0x82, 0x1C, 0xC7, 0x4D, 0xAE, 0xAF,
1565 0xC1
1566 }
1567};
1568
1569static const struct {
1570 EC_CURVE_DATA h;
1571 unsigned char data[20 + 21 * 6];
1572}
1573 _EC_X9_62_CHAR2_163V2 = {
1574 {
1575 NID_X9_62_characteristic_two_field, 20, 21, 2
1576 },
1577 {
1578 0x53, 0x81, 0x4C, 0x05, 0x0D, 0x44, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1579 0x87, 0x56, 0x15, 0x17, 0x58, 0x0C, 0xA4, 0xE2, 0x9F, 0xFD,
1580
1581 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1582 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1583 0x07,
1584 0x01, 0x08, 0xB3, 0x9E, 0x77, 0xC4, 0xB1, 0x08, 0xBE, 0xD9, /* a */
1585 0x81, 0xED, 0x0E, 0x89, 0x0E, 0x11, 0x7C, 0x51, 0x1C, 0xF0,
1586 0x72,
1587 0x06, 0x67, 0xAC, 0xEB, 0x38, 0xAF, 0x4E, 0x48, 0x8C, 0x40, /* b */
1588 0x74, 0x33, 0xFF, 0xAE, 0x4F, 0x1C, 0x81, 0x16, 0x38, 0xDF,
1589 0x20,
1590 0x00, 0x24, 0x26, 0x6E, 0x4E, 0xB5, 0x10, 0x6D, 0x0A, 0x96, /* x */
1591 0x4D, 0x92, 0xC4, 0x86, 0x0E, 0x26, 0x71, 0xDB, 0x9B, 0x6C,
1592 0xC5,
1593 0x07, 0x9F, 0x68, 0x4D, 0xDF, 0x66, 0x84, 0xC5, 0xCD, 0x25, /* y */
1594 0x8B, 0x38, 0x90, 0x02, 0x1B, 0x23, 0x86, 0xDF, 0xD1, 0x9F,
1595 0xC5,
1596 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1597 0xFD, 0xF6, 0x4D, 0xE1, 0x15, 0x1A, 0xDB, 0xB7, 0x8F, 0x10,
1598 0xA7
1599 }
1600};
1601
1602static const struct {
1603 EC_CURVE_DATA h;
1604 unsigned char data[20 + 21 * 6];
1605}
1606 _EC_X9_62_CHAR2_163V3 = {
1607 {
1608 NID_X9_62_characteristic_two_field, 20, 21, 2
1609 },
1610 {
1611 0x50, 0xCB, 0xF1, 0xD9, 0x5C, 0xA9, 0x4D, 0x69, 0x6E, 0x67, /* seed */
1612 0x68, 0x75, 0x61, 0x51, 0x75, 0xF1, 0x6A, 0x36, 0xA3, 0xB8,
1613
1614 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1615 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1616 0x07,
1617 0x07, 0xA5, 0x26, 0xC6, 0x3D, 0x3E, 0x25, 0xA2, 0x56, 0xA0, /* a */
1618 0x07, 0x69, 0x9F, 0x54, 0x47, 0xE3, 0x2A, 0xE4, 0x56, 0xB5,
1619 0x0E,
1620 0x03, 0xF7, 0x06, 0x17, 0x98, 0xEB, 0x99, 0xE2, 0x38, 0xFD, /* b */
1621 0x6F, 0x1B, 0xF9, 0x5B, 0x48, 0xFE, 0xEB, 0x48, 0x54, 0x25,
1622 0x2B,
1623 0x02, 0xF9, 0xF8, 0x7B, 0x7C, 0x57, 0x4D, 0x0B, 0xDE, 0xCF, /* x */
1624 0x8A, 0x22, 0xE6, 0x52, 0x47, 0x75, 0xF9, 0x8C, 0xDE, 0xBD,
1625 0xCB,
1626 0x05, 0xB9, 0x35, 0x59, 0x0C, 0x15, 0x5E, 0x17, 0xEA, 0x48, /* y */
1627 0xEB, 0x3F, 0xF3, 0x71, 0x8B, 0x89, 0x3D, 0xF5, 0x9A, 0x05,
1628 0xD0,
1629 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1630 0xFE, 0x1A, 0xEE, 0x14, 0x0F, 0x11, 0x0A, 0xFF, 0x96, 0x13,
1631 0x09
1632 }
1633};
1634
1635static const struct {
1636 EC_CURVE_DATA h;
1637 unsigned char data[0 + 23 * 6];
1638}
1639 _EC_X9_62_CHAR2_176V1 = {
1640 {
1641 NID_X9_62_characteristic_two_field, 0, 23, 0xFF6E
1642 },
1643 { /* no seed */
1644 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1645 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00,
1646 0x00, 0x00, 0x07,
1647 0x00, 0xE4, 0xE6, 0xDB, 0x29, 0x95, 0x06, 0x5C, 0x40, 0x7D, /* a */
1648 0x9D, 0x39, 0xB8, 0xD0, 0x96, 0x7B, 0x96, 0x70, 0x4B, 0xA8,
1649 0xE9, 0xC9, 0x0B,
1650 0x00, 0x5D, 0xDA, 0x47, 0x0A, 0xBE, 0x64, 0x14, 0xDE, 0x8E, /* b */
1651 0xC1, 0x33, 0xAE, 0x28, 0xE9, 0xBB, 0xD7, 0xFC, 0xEC, 0x0A,
1652 0xE0, 0xFF, 0xF2,
1653 0x00, 0x8D, 0x16, 0xC2, 0x86, 0x67, 0x98, 0xB6, 0x00, 0xF9, /* x */
1654 0xF0, 0x8B, 0xB4, 0xA8, 0xE8, 0x60, 0xF3, 0x29, 0x8C, 0xE0,
1655 0x4A, 0x57, 0x98,
1656 0x00, 0x6F, 0xA4, 0x53, 0x9C, 0x2D, 0xAD, 0xDD, 0xD6, 0xBA, /* y */
1657 0xB5, 0x16, 0x7D, 0x61, 0xB4, 0x36, 0xE1, 0xD9, 0x2B, 0xB1,
1658 0x6A, 0x56, 0x2C,
1659 0x00, 0x00, 0x01, 0x00, 0x92, 0x53, 0x73, 0x97, 0xEC, 0xA4, /* order */
1660 0xF6, 0x14, 0x57, 0x99, 0xD6, 0x2B, 0x0A, 0x19, 0xCE, 0x06,
1661 0xFE, 0x26, 0xAD
1662 }
1663};
1664
1665static const struct {
1666 EC_CURVE_DATA h;
1667 unsigned char data[20 + 24 * 6];
1668}
1669 _EC_X9_62_CHAR2_191V1 = {
1670 {
1671 NID_X9_62_characteristic_two_field, 20, 24, 2
1672 },
1673 {
1674 0x4E, 0x13, 0xCA, 0x54, 0x27, 0x44, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1675 0x87, 0x56, 0x15, 0x17, 0x55, 0x2F, 0x27, 0x9A, 0x8C, 0x84,
1676
1677 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1678 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1679 0x00, 0x00, 0x02, 0x01,
1680 0x28, 0x66, 0x53, 0x7B, 0x67, 0x67, 0x52, 0x63, 0x6A, 0x68, /* a */
1681 0xF5, 0x65, 0x54, 0xE1, 0x26, 0x40, 0x27, 0x6B, 0x64, 0x9E,
1682 0xF7, 0x52, 0x62, 0x67,
1683 0x2E, 0x45, 0xEF, 0x57, 0x1F, 0x00, 0x78, 0x6F, 0x67, 0xB0, /* b */
1684 0x08, 0x1B, 0x94, 0x95, 0xA3, 0xD9, 0x54, 0x62, 0xF5, 0xDE,
1685 0x0A, 0xA1, 0x85, 0xEC,
1686 0x36, 0xB3, 0xDA, 0xF8, 0xA2, 0x32, 0x06, 0xF9, 0xC4, 0xF2, /* x */
1687 0x99, 0xD7, 0xB2, 0x1A, 0x9C, 0x36, 0x91, 0x37, 0xF2, 0xC8,
1688 0x4A, 0xE1, 0xAA, 0x0D,
1689 0x76, 0x5B, 0xE7, 0x34, 0x33, 0xB3, 0xF9, 0x5E, 0x33, 0x29, /* y */
1690 0x32, 0xE7, 0x0E, 0xA2, 0x45, 0xCA, 0x24, 0x18, 0xEA, 0x0E,
1691 0xF9, 0x80, 0x18, 0xFB,
1692 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1693 0x00, 0x00, 0x04, 0xA2, 0x0E, 0x90, 0xC3, 0x90, 0x67, 0xC8,
1694 0x93, 0xBB, 0xB9, 0xA5
1695 }
1696};
1697
1698static const struct {
1699 EC_CURVE_DATA h;
1700 unsigned char data[20 + 24 * 6];
1701}
1702 _EC_X9_62_CHAR2_191V2 = {
1703 {
1704 NID_X9_62_characteristic_two_field, 20, 24, 4
1705 },
1706 {
1707 0x08, 0x71, 0xEF, 0x2F, 0xEF, 0x24, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1708 0x87, 0x56, 0x15, 0x17, 0x58, 0xBE, 0xE0, 0xD9, 0x5C, 0x15,
1709
1710 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1711 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1712 0x00, 0x00, 0x02, 0x01,
1713 0x40, 0x10, 0x28, 0x77, 0x4D, 0x77, 0x77, 0xC7, 0xB7, 0x66, /* a */
1714 0x6D, 0x13, 0x66, 0xEA, 0x43, 0x20, 0x71, 0x27, 0x4F, 0x89,
1715 0xFF, 0x01, 0xE7, 0x18,
1716 0x06, 0x20, 0x04, 0x8D, 0x28, 0xBC, 0xBD, 0x03, 0xB6, 0x24, /* b */
1717 0x9C, 0x99, 0x18, 0x2B, 0x7C, 0x8C, 0xD1, 0x97, 0x00, 0xC3,
1718 0x62, 0xC4, 0x6A, 0x01,
1719 0x38, 0x09, 0xB2, 0xB7, 0xCC, 0x1B, 0x28, 0xCC, 0x5A, 0x87, /* x */
1720 0x92, 0x6A, 0xAD, 0x83, 0xFD, 0x28, 0x78, 0x9E, 0x81, 0xE2,
1721 0xC9, 0xE3, 0xBF, 0x10,
1722 0x17, 0x43, 0x43, 0x86, 0x62, 0x6D, 0x14, 0xF3, 0xDB, 0xF0, /* y */
1723 0x17, 0x60, 0xD9, 0x21, 0x3A, 0x3E, 0x1C, 0xF3, 0x7A, 0xEC,
1724 0x43, 0x7D, 0x66, 0x8A,
1725 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1726 0x00, 0x00, 0x50, 0x50, 0x8C, 0xB8, 0x9F, 0x65, 0x28, 0x24,
1727 0xE0, 0x6B, 0x81, 0x73
1728 }
1729};
1730
1731static const struct {
1732 EC_CURVE_DATA h;
1733 unsigned char data[20 + 24 * 6];
1734}
1735 _EC_X9_62_CHAR2_191V3 = {
1736 {
1737 NID_X9_62_characteristic_two_field, 20, 24, 6
1738 },
1739 {
1740 0xE0, 0x53, 0x51, 0x2D, 0xC6, 0x84, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1741 0x87, 0x56, 0x15, 0x17, 0x50, 0x67, 0xAE, 0x78, 0x6D, 0x1F,
1742
1743 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1745 0x00, 0x00, 0x02, 0x01,
1746 0x6C, 0x01, 0x07, 0x47, 0x56, 0x09, 0x91, 0x22, 0x22, 0x10, /* a */
1747 0x56, 0x91, 0x1C, 0x77, 0xD7, 0x7E, 0x77, 0xA7, 0x77, 0xE7,
1748 0xE7, 0xE7, 0x7F, 0xCB,
1749 0x71, 0xFE, 0x1A, 0xF9, 0x26, 0xCF, 0x84, 0x79, 0x89, 0xEF, /* b */
1750 0xEF, 0x8D, 0xB4, 0x59, 0xF6, 0x63, 0x94, 0xD9, 0x0F, 0x32,
1751 0xAD, 0x3F, 0x15, 0xE8,
1752 0x37, 0x5D, 0x4C, 0xE2, 0x4F, 0xDE, 0x43, 0x44, 0x89, 0xDE, /* x */
1753 0x87, 0x46, 0xE7, 0x17, 0x86, 0x01, 0x50, 0x09, 0xE6, 0x6E,
1754 0x38, 0xA9, 0x26, 0xDD,
1755 0x54, 0x5A, 0x39, 0x17, 0x61, 0x96, 0x57, 0x5D, 0x98, 0x59, /* y */
1756 0x99, 0x36, 0x6E, 0x6A, 0xD3, 0x4C, 0xE0, 0xA7, 0x7C, 0xD7,
1757 0x12, 0x7B, 0x06, 0xBE,
1758 0x15, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, /* order */
1759 0x55, 0x55, 0x61, 0x0C, 0x0B, 0x19, 0x68, 0x12, 0xBF, 0xB6,
1760 0x28, 0x8A, 0x3E, 0xA3
1761 }
1762};
1763
1764static const struct {
1765 EC_CURVE_DATA h;
1766 unsigned char data[0 + 27 * 6];
1767}
1768 _EC_X9_62_CHAR2_208W1 = {
1769 {
1770 NID_X9_62_characteristic_two_field, 0, 27, 0xFE48
1771 },
1772 { /* no seed */
1773 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1774 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
1775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1779 0x00, 0xC8, 0x61, 0x9E, 0xD4, 0x5A, 0x62, 0xE6, 0x21, 0x2E, /* b */
1780 0x11, 0x60, 0x34, 0x9E, 0x2B, 0xFA, 0x84, 0x44, 0x39, 0xFA,
1781 0xFC, 0x2A, 0x3F, 0xD1, 0x63, 0x8F, 0x9E,
1782 0x00, 0x89, 0xFD, 0xFB, 0xE4, 0xAB, 0xE1, 0x93, 0xDF, 0x95, /* x */
1783 0x59, 0xEC, 0xF0, 0x7A, 0xC0, 0xCE, 0x78, 0x55, 0x4E, 0x27,
1784 0x84, 0xEB, 0x8C, 0x1E, 0xD1, 0xA5, 0x7A,
1785 0x00, 0x0F, 0x55, 0xB5, 0x1A, 0x06, 0xE7, 0x8E, 0x9A, 0xC3, /* y */
1786 0x8A, 0x03, 0x5F, 0xF5, 0x20, 0xD8, 0xB0, 0x17, 0x81, 0xBE,
1787 0xB1, 0xA6, 0xBB, 0x08, 0x61, 0x7D, 0xE3,
1788 0x00, 0x00, 0x01, 0x01, 0xBA, 0xF9, 0x5C, 0x97, 0x23, 0xC5, /* order */
1789 0x7B, 0x6C, 0x21, 0xDA, 0x2E, 0xFF, 0x2D, 0x5E, 0xD5, 0x88,
1790 0xBD, 0xD5, 0x71, 0x7E, 0x21, 0x2F, 0x9D
1791 }
1792};
1793
1794static const struct {
1795 EC_CURVE_DATA h;
1796 unsigned char data[20 + 30 * 6];
1797}
1798 _EC_X9_62_CHAR2_239V1 = {
1799 {
1800 NID_X9_62_characteristic_two_field, 20, 30, 4
1801 },
1802 {
1803 0xD3, 0x4B, 0x9A, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, /* seed */
1804 0x51, 0x75, 0xCA, 0x71, 0xB9, 0x20, 0xBF, 0xEF, 0xB0, 0x5D,
1805
1806 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1807 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1808 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01,
1809
1810 0x32, 0x01, 0x08, 0x57, 0x07, 0x7C, 0x54, 0x31, 0x12, 0x3A, /* a */
1811 0x46, 0xB8, 0x08, 0x90, 0x67, 0x56, 0xF5, 0x43, 0x42, 0x3E,
1812 0x8D, 0x27, 0x87, 0x75, 0x78, 0x12, 0x57, 0x78, 0xAC, 0x76,
1813
1814 0x79, 0x04, 0x08, 0xF2, 0xEE, 0xDA, 0xF3, 0x92, 0xB0, 0x12, /* b */
1815 0xED, 0xEF, 0xB3, 0x39, 0x2F, 0x30, 0xF4, 0x32, 0x7C, 0x0C,
1816 0xA3, 0xF3, 0x1F, 0xC3, 0x83, 0xC4, 0x22, 0xAA, 0x8C, 0x16,
1817
1818 0x57, 0x92, 0x70, 0x98, 0xFA, 0x93, 0x2E, 0x7C, 0x0A, 0x96, /* x */
1819 0xD3, 0xFD, 0x5B, 0x70, 0x6E, 0xF7, 0xE5, 0xF5, 0xC1, 0x56,
1820 0xE1, 0x6B, 0x7E, 0x7C, 0x86, 0x03, 0x85, 0x52, 0xE9, 0x1D,
1821
1822 0x61, 0xD8, 0xEE, 0x50, 0x77, 0xC3, 0x3F, 0xEC, 0xF6, 0xF1, /* y */
1823 0xA1, 0x6B, 0x26, 0x8D, 0xE4, 0x69, 0xC3, 0xC7, 0x74, 0x4E,
1824 0xA9, 0xA9, 0x71, 0x64, 0x9F, 0xC7, 0xA9, 0x61, 0x63, 0x05,
1825
1826 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1827 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x4D, 0x42, 0xFF, 0xE1,
1828 0x49, 0x2A, 0x49, 0x93, 0xF1, 0xCA, 0xD6, 0x66, 0xE4, 0x47
1829 }
1830};
1831
1832static const struct {
1833 EC_CURVE_DATA h;
1834 unsigned char data[20 + 30 * 6];
1835}
1836 _EC_X9_62_CHAR2_239V2 = {
1837 {
1838 NID_X9_62_characteristic_two_field, 20, 30, 6
1839 },
1840 {
1841 0x2A, 0xA6, 0x98, 0x2F, 0xDF, 0xA4, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1842 0x87, 0x56, 0x15, 0x17, 0x5D, 0x26, 0x67, 0x27, 0x27, 0x7D,
1843
1844 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1845 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1846 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01,
1847
1848 0x42, 0x30, 0x01, 0x77, 0x57, 0xA7, 0x67, 0xFA, 0xE4, 0x23, /* a */
1849 0x98, 0x56, 0x9B, 0x74, 0x63, 0x25, 0xD4, 0x53, 0x13, 0xAF,
1850 0x07, 0x66, 0x26, 0x64, 0x79, 0xB7, 0x56, 0x54, 0xE6, 0x5F,
1851
1852 0x50, 0x37, 0xEA, 0x65, 0x41, 0x96, 0xCF, 0xF0, 0xCD, 0x82, /* b */
1853 0xB2, 0xC1, 0x4A, 0x2F, 0xCF, 0x2E, 0x3F, 0xF8, 0x77, 0x52,
1854 0x85, 0xB5, 0x45, 0x72, 0x2F, 0x03, 0xEA, 0xCD, 0xB7, 0x4B,
1855
1856 0x28, 0xF9, 0xD0, 0x4E, 0x90, 0x00, 0x69, 0xC8, 0xDC, 0x47, /* x */
1857 0xA0, 0x85, 0x34, 0xFE, 0x76, 0xD2, 0xB9, 0x00, 0xB7, 0xD7,
1858 0xEF, 0x31, 0xF5, 0x70, 0x9F, 0x20, 0x0C, 0x4C, 0xA2, 0x05,
1859
1860 0x56, 0x67, 0x33, 0x4C, 0x45, 0xAF, 0xF3, 0xB5, 0xA0, 0x3B, /* y */
1861 0xAD, 0x9D, 0xD7, 0x5E, 0x2C, 0x71, 0xA9, 0x93, 0x62, 0x56,
1862 0x7D, 0x54, 0x53, 0xF7, 0xFA, 0x6E, 0x22, 0x7E, 0xC8, 0x33,
1863
1864 0x15, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, /* order */
1865 0x55, 0x55, 0x55, 0x55, 0x55, 0x3C, 0x6F, 0x28, 0x85, 0x25,
1866 0x9C, 0x31, 0xE3, 0xFC, 0xDF, 0x15, 0x46, 0x24, 0x52, 0x2D
1867 }
1868};
1869
1870static const struct {
1871 EC_CURVE_DATA h;
1872 unsigned char data[20 + 30 * 6];
1873}
1874 _EC_X9_62_CHAR2_239V3 = {
1875 {
1876 NID_X9_62_characteristic_two_field, 20, 30, 0xA
1877 },
1878 {
1879 0x9E, 0x07, 0x6F, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, /* seed */
1880 0x51, 0x75, 0xE1, 0x1E, 0x9F, 0xDD, 0x77, 0xF9, 0x20, 0x41,
1881
1882 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1883 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1884 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01,
1885
1886 0x01, 0x23, 0x87, 0x74, 0x66, 0x6A, 0x67, 0x76, 0x6D, 0x66, /* a */
1887 0x76, 0xF7, 0x78, 0xE6, 0x76, 0xB6, 0x69, 0x99, 0x17, 0x66,
1888 0x66, 0xE6, 0x87, 0x66, 0x6D, 0x87, 0x66, 0xC6, 0x6A, 0x9F,
1889
1890 0x6A, 0x94, 0x19, 0x77, 0xBA, 0x9F, 0x6A, 0x43, 0x51, 0x99, /* b */
1891 0xAC, 0xFC, 0x51, 0x06, 0x7E, 0xD5, 0x87, 0xF5, 0x19, 0xC5,
1892 0xEC, 0xB5, 0x41, 0xB8, 0xE4, 0x41, 0x11, 0xDE, 0x1D, 0x40,
1893
1894 0x70, 0xF6, 0xE9, 0xD0, 0x4D, 0x28, 0x9C, 0x4E, 0x89, 0x91, /* x */
1895 0x3C, 0xE3, 0x53, 0x0B, 0xFD, 0xE9, 0x03, 0x97, 0x7D, 0x42,
1896 0xB1, 0x46, 0xD5, 0x39, 0xBF, 0x1B, 0xDE, 0x4E, 0x9C, 0x92,
1897
1898 0x2E, 0x5A, 0x0E, 0xAF, 0x6E, 0x5E, 0x13, 0x05, 0xB9, 0x00, /* y */
1899 0x4D, 0xCE, 0x5C, 0x0E, 0xD7, 0xFE, 0x59, 0xA3, 0x56, 0x08,
1900 0xF3, 0x38, 0x37, 0xC8, 0x16, 0xD8, 0x0B, 0x79, 0xF4, 0x61,
1901
1902 0x0C, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, /* order */
1903 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xAC, 0x49, 0x12, 0xD2, 0xD9,
1904 0xDF, 0x90, 0x3E, 0xF9, 0x88, 0x8B, 0x8A, 0x0E, 0x4C, 0xFF
1905 }
1906};
1907
1908static const struct {
1909 EC_CURVE_DATA h;
1910 unsigned char data[0 + 35 * 6];
1911}
1912 _EC_X9_62_CHAR2_272W1 = {
1913 {
1914 NID_X9_62_characteristic_two_field, 0, 35, 0xFF06
1915 },
1916 { /* no seed */
1917 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1918 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1919 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
1920 0x00, 0x00, 0x00, 0x00, 0x0B,
1921 0x00, 0x91, 0xA0, 0x91, 0xF0, 0x3B, 0x5F, 0xBA, 0x4A, 0xB2, /* a */
1922 0xCC, 0xF4, 0x9C, 0x4E, 0xDD, 0x22, 0x0F, 0xB0, 0x28, 0x71,
1923 0x2D, 0x42, 0xBE, 0x75, 0x2B, 0x2C, 0x40, 0x09, 0x4D, 0xBA,
1924 0xCD, 0xB5, 0x86, 0xFB, 0x20,
1925 0x00, 0x71, 0x67, 0xEF, 0xC9, 0x2B, 0xB2, 0xE3, 0xCE, 0x7C, /* b */
1926 0x8A, 0xAA, 0xFF, 0x34, 0xE1, 0x2A, 0x9C, 0x55, 0x70, 0x03,
1927 0xD7, 0xC7, 0x3A, 0x6F, 0xAF, 0x00, 0x3F, 0x99, 0xF6, 0xCC,
1928 0x84, 0x82, 0xE5, 0x40, 0xF7,
1929 0x00, 0x61, 0x08, 0xBA, 0xBB, 0x2C, 0xEE, 0xBC, 0xF7, 0x87, /* x */
1930 0x05, 0x8A, 0x05, 0x6C, 0xBE, 0x0C, 0xFE, 0x62, 0x2D, 0x77,
1931 0x23, 0xA2, 0x89, 0xE0, 0x8A, 0x07, 0xAE, 0x13, 0xEF, 0x0D,
1932 0x10, 0xD1, 0x71, 0xDD, 0x8D,
1933 0x00, 0x10, 0xC7, 0x69, 0x57, 0x16, 0x85, 0x1E, 0xEF, 0x6B, /* y */
1934 0xA7, 0xF6, 0x87, 0x2E, 0x61, 0x42, 0xFB, 0xD2, 0x41, 0xB8,
1935 0x30, 0xFF, 0x5E, 0xFC, 0xAC, 0xEC, 0xCA, 0xB0, 0x5E, 0x02,
1936 0x00, 0x5D, 0xDE, 0x9D, 0x23,
1937 0x00, 0x00, 0x01, 0x00, 0xFA, 0xF5, 0x13, 0x54, 0xE0, 0xE3, /* order */
1938 0x9E, 0x48, 0x92, 0xDF, 0x6E, 0x31, 0x9C, 0x72, 0xC8, 0x16,
1939 0x16, 0x03, 0xFA, 0x45, 0xAA, 0x7B, 0x99, 0x8A, 0x16, 0x7B,
1940 0x8F, 0x1E, 0x62, 0x95, 0x21
1941 }
1942};
1943
1944static const struct {
1945 EC_CURVE_DATA h;
1946 unsigned char data[0 + 39 * 6];
1947}
1948 _EC_X9_62_CHAR2_304W1 = {
1949 {
1950 NID_X9_62_characteristic_two_field, 0, 39, 0xFE2E
1951 },
1952 { /* no seed */
1953 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1954 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1955 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1956 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x07,
1957 0x00, 0xFD, 0x0D, 0x69, 0x31, 0x49, 0xA1, 0x18, 0xF6, 0x51, /* a */
1958 0xE6, 0xDC, 0xE6, 0x80, 0x20, 0x85, 0x37, 0x7E, 0x5F, 0x88,
1959 0x2D, 0x1B, 0x51, 0x0B, 0x44, 0x16, 0x00, 0x74, 0xC1, 0x28,
1960 0x80, 0x78, 0x36, 0x5A, 0x03, 0x96, 0xC8, 0xE6, 0x81,
1961 0x00, 0xBD, 0xDB, 0x97, 0xE5, 0x55, 0xA5, 0x0A, 0x90, 0x8E, /* b */
1962 0x43, 0xB0, 0x1C, 0x79, 0x8E, 0xA5, 0xDA, 0xA6, 0x78, 0x8F,
1963 0x1E, 0xA2, 0x79, 0x4E, 0xFC, 0xF5, 0x71, 0x66, 0xB8, 0xC1,
1964 0x40, 0x39, 0x60, 0x1E, 0x55, 0x82, 0x73, 0x40, 0xBE,
1965 0x00, 0x19, 0x7B, 0x07, 0x84, 0x5E, 0x9B, 0xE2, 0xD9, 0x6A, /* x */
1966 0xDB, 0x0F, 0x5F, 0x3C, 0x7F, 0x2C, 0xFF, 0xBD, 0x7A, 0x3E,
1967 0xB8, 0xB6, 0xFE, 0xC3, 0x5C, 0x7F, 0xD6, 0x7F, 0x26, 0xDD,
1968 0xF6, 0x28, 0x5A, 0x64, 0x4F, 0x74, 0x0A, 0x26, 0x14,
1969 0x00, 0xE1, 0x9F, 0xBE, 0xB7, 0x6E, 0x0D, 0xA1, 0x71, 0x51, /* y */
1970 0x7E, 0xCF, 0x40, 0x1B, 0x50, 0x28, 0x9B, 0xF0, 0x14, 0x10,
1971 0x32, 0x88, 0x52, 0x7A, 0x9B, 0x41, 0x6A, 0x10, 0x5E, 0x80,
1972 0x26, 0x0B, 0x54, 0x9F, 0xDC, 0x1B, 0x92, 0xC0, 0x3B,
1973 0x00, 0x00, 0x01, 0x01, 0xD5, 0x56, 0x57, 0x2A, 0xAB, 0xAC, /* order */
1974 0x80, 0x01, 0x01, 0xD5, 0x56, 0x57, 0x2A, 0xAB, 0xAC, 0x80,
1975 0x01, 0x02, 0x2D, 0x5C, 0x91, 0xDD, 0x17, 0x3F, 0x8F, 0xB5,
1976 0x61, 0xDA, 0x68, 0x99, 0x16, 0x44, 0x43, 0x05, 0x1D
1977 }
1978};
1979
1980static const struct {
1981 EC_CURVE_DATA h;
1982 unsigned char data[20 + 45 * 6];
1983}
1984 _EC_X9_62_CHAR2_359V1 = {
1985 {
1986 NID_X9_62_characteristic_two_field, 20, 45, 0x4C
1987 },
1988 {
1989 0x2B, 0x35, 0x49, 0x20, 0xB7, 0x24, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1990 0x87, 0x56, 0x15, 0x17, 0x58, 0x5B, 0xA1, 0x33, 0x2D, 0xC6,
1991
1992 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1993 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1994 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1995 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
1996 0x00, 0x00, 0x00, 0x00, 0x01,
1997 0x56, 0x67, 0x67, 0x6A, 0x65, 0x4B, 0x20, 0x75, 0x4F, 0x35, /* a */
1998 0x6E, 0xA9, 0x20, 0x17, 0xD9, 0x46, 0x56, 0x7C, 0x46, 0x67,
1999 0x55, 0x56, 0xF1, 0x95, 0x56, 0xA0, 0x46, 0x16, 0xB5, 0x67,
2000 0xD2, 0x23, 0xA5, 0xE0, 0x56, 0x56, 0xFB, 0x54, 0x90, 0x16,
2001 0xA9, 0x66, 0x56, 0xA5, 0x57,
2002 0x24, 0x72, 0xE2, 0xD0, 0x19, 0x7C, 0x49, 0x36, 0x3F, 0x1F, /* b */
2003 0xE7, 0xF5, 0xB6, 0xDB, 0x07, 0x5D, 0x52, 0xB6, 0x94, 0x7D,
2004 0x13, 0x5D, 0x8C, 0xA4, 0x45, 0x80, 0x5D, 0x39, 0xBC, 0x34,
2005 0x56, 0x26, 0x08, 0x96, 0x87, 0x74, 0x2B, 0x63, 0x29, 0xE7,
2006 0x06, 0x80, 0x23, 0x19, 0x88,
2007 0x3C, 0x25, 0x8E, 0xF3, 0x04, 0x77, 0x67, 0xE7, 0xED, 0xE0, /* x */
2008 0xF1, 0xFD, 0xAA, 0x79, 0xDA, 0xEE, 0x38, 0x41, 0x36, 0x6A,
2009 0x13, 0x2E, 0x16, 0x3A, 0xCE, 0xD4, 0xED, 0x24, 0x01, 0xDF,
2010 0x9C, 0x6B, 0xDC, 0xDE, 0x98, 0xE8, 0xE7, 0x07, 0xC0, 0x7A,
2011 0x22, 0x39, 0xB1, 0xB0, 0x97,
2012 0x53, 0xD7, 0xE0, 0x85, 0x29, 0x54, 0x70, 0x48, 0x12, 0x1E, /* y */
2013 0x9C, 0x95, 0xF3, 0x79, 0x1D, 0xD8, 0x04, 0x96, 0x39, 0x48,
2014 0xF3, 0x4F, 0xAE, 0x7B, 0xF4, 0x4E, 0xA8, 0x23, 0x65, 0xDC,
2015 0x78, 0x68, 0xFE, 0x57, 0xE4, 0xAE, 0x2D, 0xE2, 0x11, 0x30,
2016 0x5A, 0x40, 0x71, 0x04, 0xBD,
2017 0x01, 0xAF, 0x28, 0x6B, 0xCA, 0x1A, 0xF2, 0x86, 0xBC, 0xA1, /* order */
2018 0xAF, 0x28, 0x6B, 0xCA, 0x1A, 0xF2, 0x86, 0xBC, 0xA1, 0xAF,
2019 0x28, 0x6B, 0xC9, 0xFB, 0x8F, 0x6B, 0x85, 0xC5, 0x56, 0x89,
2020 0x2C, 0x20, 0xA7, 0xEB, 0x96, 0x4F, 0xE7, 0x71, 0x9E, 0x74,
2021 0xF4, 0x90, 0x75, 0x8D, 0x3B
2022 }
2023};
2024
2025static const struct {
2026 EC_CURVE_DATA h;
2027 unsigned char data[0 + 47 * 6];
2028}
2029 _EC_X9_62_CHAR2_368W1 = {
2030 {
2031 NID_X9_62_characteristic_two_field, 0, 47, 0xFF70
2032 },
2033 { /* no seed */
2034 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2035 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2036 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2037 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
2038 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
2039 0x00, 0xE0, 0xD2, 0xEE, 0x25, 0x09, 0x52, 0x06, 0xF5, 0xE2, /* a */
2040 0xA4, 0xF9, 0xED, 0x22, 0x9F, 0x1F, 0x25, 0x6E, 0x79, 0xA0,
2041 0xE2, 0xB4, 0x55, 0x97, 0x0D, 0x8D, 0x0D, 0x86, 0x5B, 0xD9,
2042 0x47, 0x78, 0xC5, 0x76, 0xD6, 0x2F, 0x0A, 0xB7, 0x51, 0x9C,
2043 0xCD, 0x2A, 0x1A, 0x90, 0x6A, 0xE3, 0x0D,
2044 0x00, 0xFC, 0x12, 0x17, 0xD4, 0x32, 0x0A, 0x90, 0x45, 0x2C, /* b */
2045 0x76, 0x0A, 0x58, 0xED, 0xCD, 0x30, 0xC8, 0xDD, 0x06, 0x9B,
2046 0x3C, 0x34, 0x45, 0x38, 0x37, 0xA3, 0x4E, 0xD5, 0x0C, 0xB5,
2047 0x49, 0x17, 0xE1, 0xC2, 0x11, 0x2D, 0x84, 0xD1, 0x64, 0xF4,
2048 0x44, 0xF8, 0xF7, 0x47, 0x86, 0x04, 0x6A,
2049 0x00, 0x10, 0x85, 0xE2, 0x75, 0x53, 0x81, 0xDC, 0xCC, 0xE3, /* x */
2050 0xC1, 0x55, 0x7A, 0xFA, 0x10, 0xC2, 0xF0, 0xC0, 0xC2, 0x82,
2051 0x56, 0x46, 0xC5, 0xB3, 0x4A, 0x39, 0x4C, 0xBC, 0xFA, 0x8B,
2052 0xC1, 0x6B, 0x22, 0xE7, 0xE7, 0x89, 0xE9, 0x27, 0xBE, 0x21,
2053 0x6F, 0x02, 0xE1, 0xFB, 0x13, 0x6A, 0x5F,
2054 0x00, 0x7B, 0x3E, 0xB1, 0xBD, 0xDC, 0xBA, 0x62, 0xD5, 0xD8, /* y */
2055 0xB2, 0x05, 0x9B, 0x52, 0x57, 0x97, 0xFC, 0x73, 0x82, 0x2C,
2056 0x59, 0x05, 0x9C, 0x62, 0x3A, 0x45, 0xFF, 0x38, 0x43, 0xCE,
2057 0xE8, 0xF8, 0x7C, 0xD1, 0x85, 0x5A, 0xDA, 0xA8, 0x1E, 0x2A,
2058 0x07, 0x50, 0xB8, 0x0F, 0xDA, 0x23, 0x10,
2059 0x00, 0x00, 0x01, 0x00, 0x90, 0x51, 0x2D, 0xA9, 0xAF, 0x72, /* order */
2060 0xB0, 0x83, 0x49, 0xD9, 0x8A, 0x5D, 0xD4, 0xC7, 0xB0, 0x53,
2061 0x2E, 0xCA, 0x51, 0xCE, 0x03, 0xE2, 0xD1, 0x0F, 0x3B, 0x7A,
2062 0xC5, 0x79, 0xBD, 0x87, 0xE9, 0x09, 0xAE, 0x40, 0xA6, 0xF1,
2063 0x31, 0xE9, 0xCF, 0xCE, 0x5B, 0xD9, 0x67
2064 }
2065};
2066
2067static const struct {
2068 EC_CURVE_DATA h;
2069 unsigned char data[0 + 54 * 6];
2070}
2071 _EC_X9_62_CHAR2_431R1 = {
2072 {
2073 NID_X9_62_characteristic_two_field, 0, 54, 0x2760
2074 },
2075 { /* no seed */
2076 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2077 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2078 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2079 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2080 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2081 0x00, 0x00, 0x00, 0x01,
2082 0x1A, 0x82, 0x7E, 0xF0, 0x0D, 0xD6, 0xFC, 0x0E, 0x23, 0x4C, /* a */
2083 0xAF, 0x04, 0x6C, 0x6A, 0x5D, 0x8A, 0x85, 0x39, 0x5B, 0x23,
2084 0x6C, 0xC4, 0xAD, 0x2C, 0xF3, 0x2A, 0x0C, 0xAD, 0xBD, 0xC9,
2085 0xDD, 0xF6, 0x20, 0xB0, 0xEB, 0x99, 0x06, 0xD0, 0x95, 0x7F,
2086 0x6C, 0x6F, 0xEA, 0xCD, 0x61, 0x54, 0x68, 0xDF, 0x10, 0x4D,
2087 0xE2, 0x96, 0xCD, 0x8F,
2088 0x10, 0xD9, 0xB4, 0xA3, 0xD9, 0x04, 0x7D, 0x8B, 0x15, 0x43, /* b */
2089 0x59, 0xAB, 0xFB, 0x1B, 0x7F, 0x54, 0x85, 0xB0, 0x4C, 0xEB,
2090 0x86, 0x82, 0x37, 0xDD, 0xC9, 0xDE, 0xDA, 0x98, 0x2A, 0x67,
2091 0x9A, 0x5A, 0x91, 0x9B, 0x62, 0x6D, 0x4E, 0x50, 0xA8, 0xDD,
2092 0x73, 0x1B, 0x10, 0x7A, 0x99, 0x62, 0x38, 0x1F, 0xB5, 0xD8,
2093 0x07, 0xBF, 0x26, 0x18,
2094 0x12, 0x0F, 0xC0, 0x5D, 0x3C, 0x67, 0xA9, 0x9D, 0xE1, 0x61, /* x */
2095 0xD2, 0xF4, 0x09, 0x26, 0x22, 0xFE, 0xCA, 0x70, 0x1B, 0xE4,
2096 0xF5, 0x0F, 0x47, 0x58, 0x71, 0x4E, 0x8A, 0x87, 0xBB, 0xF2,
2097 0xA6, 0x58, 0xEF, 0x8C, 0x21, 0xE7, 0xC5, 0xEF, 0xE9, 0x65,
2098 0x36, 0x1F, 0x6C, 0x29, 0x99, 0xC0, 0xC2, 0x47, 0xB0, 0xDB,
2099 0xD7, 0x0C, 0xE6, 0xB7,
2100 0x20, 0xD0, 0xAF, 0x89, 0x03, 0xA9, 0x6F, 0x8D, 0x5F, 0xA2, /* y */
2101 0xC2, 0x55, 0x74, 0x5D, 0x3C, 0x45, 0x1B, 0x30, 0x2C, 0x93,
2102 0x46, 0xD9, 0xB7, 0xE4, 0x85, 0xE7, 0xBC, 0xE4, 0x1F, 0x6B,
2103 0x59, 0x1F, 0x3E, 0x8F, 0x6A, 0xDD, 0xCB, 0xB0, 0xBC, 0x4C,
2104 0x2F, 0x94, 0x7A, 0x7D, 0xE1, 0xA8, 0x9B, 0x62, 0x5D, 0x6A,
2105 0x59, 0x8B, 0x37, 0x60,
2106 0x00, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, /* order */
2107 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03,
2108 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x23,
2109 0xC3, 0x13, 0xFA, 0xB5, 0x05, 0x89, 0x70, 0x3B, 0x5E, 0xC6,
2110 0x8D, 0x35, 0x87, 0xFE, 0xC6, 0x0D, 0x16, 0x1C, 0xC1, 0x49,
2111 0xC1, 0xAD, 0x4A, 0x91
2112 }
2113};
2114
2115static const struct {
2116 EC_CURVE_DATA h;
2117 unsigned char data[0 + 15 * 6];
2118}
2119 _EC_WTLS_1 = {
2120 {
2121 NID_X9_62_characteristic_two_field, 0, 15, 2
2122 },
2123 { /* no seed */
2124 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2125 0x00, 0x00, 0x00, 0x02, 0x01,
2126 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
2127 0x00, 0x00, 0x00, 0x00, 0x01,
2128 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
2129 0x00, 0x00, 0x00, 0x00, 0x01,
2130 0x01, 0x66, 0x79, 0x79, 0xA4, 0x0B, 0xA4, 0x97, 0xE5, 0xD5, /* x */
2131 0xC2, 0x70, 0x78, 0x06, 0x17,
2132 0x00, 0xF4, 0x4B, 0x4A, 0xF1, 0xEC, 0xC2, 0x63, 0x0E, 0x08, /* y */
2133 0x78, 0x5C, 0xEB, 0xCC, 0x15,
2134 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xBF, /* order */
2135 0x91, 0xAF, 0x6D, 0xEA, 0x73
2136 }
2137};
2138
2139/* IPsec curves */
2140/* NOTE: The of curves over a extension field of non prime degree
2141 * is not recommended (Weil-descent).
2142 * As the group order is not a prime this curve is not suitable
2143 * for ECDSA.
2144 */
2145static const struct {
2146 EC_CURVE_DATA h;
2147 unsigned char data[0 + 20 * 6];
2148}
2149 _EC_IPSEC_155_ID3 = {
2150 {
2151 NID_X9_62_characteristic_two_field, 0, 20, 3
2152 },
2153 { /* no seed */
2154 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2155 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2156
2157 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
2158 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2159
2160 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
2161 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x33, 0x8f,
2162
2163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */
2164 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b,
2165
2166 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */
2167 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc8,
2168
2169 0x02, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, /* order */
2170 0xC7, 0xF3, 0xC7, 0x88, 0x1B, 0xD0, 0x86, 0x8F, 0xA8, 0x6C
2171 }
2172};
2173
2174/* NOTE: The of curves over a extension field of non prime degree
2175 * is not recommended (Weil-descent).
2176 * As the group order is not a prime this curve is not suitable
2177 * for ECDSA.
2178 */
2179static const struct {
2180 EC_CURVE_DATA h;
2181 unsigned char data[0 + 24 * 6];
2182}
2183 _EC_IPSEC_185_ID4 = {
2184 {
2185 NID_X9_62_characteristic_two_field, 0, 24, 2
2186 },
2187 { /* no seed */
2188 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2189 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
2190 0x00, 0x00, 0x00, 0x01,
2191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
2192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2193 0x00, 0x00, 0x00, 0x00,
2194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
2195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2196 0x00, 0x00, 0x1e, 0xe9,
2197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */
2198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2199 0x00, 0x00, 0x00, 0x18,
2200 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */
2201 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2202 0x00, 0x00, 0x00, 0x0d,
2203 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
2204 0xFF, 0xFF, 0xED, 0xF9, 0x7C, 0x44, 0xDB, 0x9F, 0x24, 0x20,
2205 0xBA, 0xFC, 0xA7, 0x5E
2206 }
2207};
2208
2209#endif
2210
2211/* These curves were added by Annie Yousar <a.yousar@informatik.hu-berlin.de> 864/* These curves were added by Annie Yousar <a.yousar@informatik.hu-berlin.de>
2212 * For the definition of RFC 5639 curves see 865 * For the definition of RFC 5639 curves see
2213 * https://www.ietf.org/rfc/rfc5639.txt 866 * https://www.ietf.org/rfc/rfc5639.txt
@@ -3196,69 +1849,11 @@ static const ec_list_element curve_list[] = {
3196 {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, "X9.62 curve over a 239 bit prime field"}, 1849 {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, "X9.62 curve over a 239 bit prime field"},
3197 {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, "X9.62 curve over a 239 bit prime field"}, 1850 {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, "X9.62 curve over a 239 bit prime field"},
3198 {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field"}, 1851 {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field"},
3199#ifndef OPENSSL_NO_EC2M
3200 /* characteristic two field curves */
3201 /* NIST/SECG curves */
3202 {NID_sect113r1, &_EC_SECG_CHAR2_113R1.h, 0, "SECG curve over a 113 bit binary field"},
3203 {NID_sect113r2, &_EC_SECG_CHAR2_113R2.h, 0, "SECG curve over a 113 bit binary field"},
3204 {NID_sect131r1, &_EC_SECG_CHAR2_131R1.h, 0, "SECG/WTLS curve over a 131 bit binary field"},
3205 {NID_sect131r2, &_EC_SECG_CHAR2_131R2.h, 0, "SECG curve over a 131 bit binary field"},
3206 {NID_sect163k1, &_EC_NIST_CHAR2_163K.h, 0, "NIST/SECG/WTLS curve over a 163 bit binary field"},
3207 {NID_sect163r1, &_EC_SECG_CHAR2_163R1.h, 0, "SECG curve over a 163 bit binary field"},
3208 {NID_sect163r2, &_EC_NIST_CHAR2_163B.h, 0, "NIST/SECG curve over a 163 bit binary field"},
3209 {NID_sect193r1, &_EC_SECG_CHAR2_193R1.h, 0, "SECG curve over a 193 bit binary field"},
3210 {NID_sect193r2, &_EC_SECG_CHAR2_193R2.h, 0, "SECG curve over a 193 bit binary field"},
3211 {NID_sect233k1, &_EC_NIST_CHAR2_233K.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
3212 {NID_sect233r1, &_EC_NIST_CHAR2_233B.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
3213 {NID_sect239k1, &_EC_SECG_CHAR2_239K1.h, 0, "SECG curve over a 239 bit binary field"},
3214 {NID_sect283k1, &_EC_NIST_CHAR2_283K.h, 0, "NIST/SECG curve over a 283 bit binary field"},
3215 {NID_sect283r1, &_EC_NIST_CHAR2_283B.h, 0, "NIST/SECG curve over a 283 bit binary field"},
3216 {NID_sect409k1, &_EC_NIST_CHAR2_409K.h, 0, "NIST/SECG curve over a 409 bit binary field"},
3217 {NID_sect409r1, &_EC_NIST_CHAR2_409B.h, 0, "NIST/SECG curve over a 409 bit binary field"},
3218 {NID_sect571k1, &_EC_NIST_CHAR2_571K.h, 0, "NIST/SECG curve over a 571 bit binary field"},
3219 {NID_sect571r1, &_EC_NIST_CHAR2_571B.h, 0, "NIST/SECG curve over a 571 bit binary field"},
3220 /* X9.62 curves */
3221 {NID_X9_62_c2pnb163v1, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"},
3222 {NID_X9_62_c2pnb163v2, &_EC_X9_62_CHAR2_163V2.h, 0, "X9.62 curve over a 163 bit binary field"},
3223 {NID_X9_62_c2pnb163v3, &_EC_X9_62_CHAR2_163V3.h, 0, "X9.62 curve over a 163 bit binary field"},
3224 {NID_X9_62_c2pnb176v1, &_EC_X9_62_CHAR2_176V1.h, 0, "X9.62 curve over a 176 bit binary field"},
3225 {NID_X9_62_c2tnb191v1, &_EC_X9_62_CHAR2_191V1.h, 0, "X9.62 curve over a 191 bit binary field"},
3226 {NID_X9_62_c2tnb191v2, &_EC_X9_62_CHAR2_191V2.h, 0, "X9.62 curve over a 191 bit binary field"},
3227 {NID_X9_62_c2tnb191v3, &_EC_X9_62_CHAR2_191V3.h, 0, "X9.62 curve over a 191 bit binary field"},
3228 {NID_X9_62_c2pnb208w1, &_EC_X9_62_CHAR2_208W1.h, 0, "X9.62 curve over a 208 bit binary field"},
3229 {NID_X9_62_c2tnb239v1, &_EC_X9_62_CHAR2_239V1.h, 0, "X9.62 curve over a 239 bit binary field"},
3230 {NID_X9_62_c2tnb239v2, &_EC_X9_62_CHAR2_239V2.h, 0, "X9.62 curve over a 239 bit binary field"},
3231 {NID_X9_62_c2tnb239v3, &_EC_X9_62_CHAR2_239V3.h, 0, "X9.62 curve over a 239 bit binary field"},
3232 {NID_X9_62_c2pnb272w1, &_EC_X9_62_CHAR2_272W1.h, 0, "X9.62 curve over a 272 bit binary field"},
3233 {NID_X9_62_c2pnb304w1, &_EC_X9_62_CHAR2_304W1.h, 0, "X9.62 curve over a 304 bit binary field"},
3234 {NID_X9_62_c2tnb359v1, &_EC_X9_62_CHAR2_359V1.h, 0, "X9.62 curve over a 359 bit binary field"},
3235 {NID_X9_62_c2pnb368w1, &_EC_X9_62_CHAR2_368W1.h, 0, "X9.62 curve over a 368 bit binary field"},
3236 {NID_X9_62_c2tnb431r1, &_EC_X9_62_CHAR2_431R1.h, 0, "X9.62 curve over a 431 bit binary field"},
3237 /*
3238 * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
3239 * from X9.62]
3240 */
3241 {NID_wap_wsg_idm_ecid_wtls1, &_EC_WTLS_1.h, 0, "WTLS curve over a 113 bit binary field"},
3242 {NID_wap_wsg_idm_ecid_wtls3, &_EC_NIST_CHAR2_163K.h, 0, "NIST/SECG/WTLS curve over a 163 bit binary field"},
3243 {NID_wap_wsg_idm_ecid_wtls4, &_EC_SECG_CHAR2_113R1.h, 0, "SECG curve over a 113 bit binary field"},
3244 {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"},
3245#endif
3246 {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, "SECG/WTLS curve over a 112 bit prime field"}, 1852 {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, "SECG/WTLS curve over a 112 bit prime field"},
3247 {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field"}, 1853 {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field"},
3248 {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, "WTLS curve over a 112 bit prime field"}, 1854 {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, "WTLS curve over a 112 bit prime field"},
3249 {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, "WTLS curve over a 160 bit prime field"}, 1855 {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, "WTLS curve over a 160 bit prime field"},
3250#ifndef OPENSSL_NO_EC2M
3251 {NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
3252 {NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
3253#endif
3254 {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 bit prime field"}, 1856 {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 bit prime field"},
3255#ifndef OPENSSL_NO_EC2M
3256 /* IPSec curves */
3257 {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n"
3258 "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
3259 {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPSec/IKE/Oakley curve #4 over a 185 bit binary field.\n"
3260 "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
3261#endif
3262 /* RFC 5639 curves */ 1857 /* RFC 5639 curves */
3263 {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, "RFC 5639 curve over a 160 bit prime field"}, 1858 {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, "RFC 5639 curve over a 160 bit prime field"},
3264 {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, "RFC 5639 curve over a 160 bit prime field"}, 1859 {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, "RFC 5639 curve over a 160 bit prime field"},
@@ -3339,15 +1934,6 @@ ec_group_new_from_data(const ec_list_element curve)
3339 goto err; 1934 goto err;
3340 } 1935 }
3341 } 1936 }
3342#ifndef OPENSSL_NO_EC2M
3343 else { /* field_type ==
3344 * NID_X9_62_characteristic_two_field */
3345 if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
3346 ECerror(ERR_R_EC_LIB);
3347 goto err;
3348 }
3349 }
3350#endif
3351 1937
3352 if ((P = EC_POINT_new(group)) == NULL) { 1938 if ((P = EC_POINT_new(group)) == NULL) {
3353 ECerror(ERR_R_EC_LIB); 1939 ECerror(ERR_R_EC_LIB);
diff --git a/src/lib/libcrypto/ec/ec_cvt.c b/src/lib/libcrypto/ec/ec_cvt.c
index 30e843e682..90e7400739 100644
--- a/src/lib/libcrypto/ec/ec_cvt.c
+++ b/src/lib/libcrypto/ec/ec_cvt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_cvt.c,v 1.10 2023/03/08 07:15:42 jsing Exp $ */ 1/* $OpenBSD: ec_cvt.c,v 1.11 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller for the OpenSSL project. 3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */ 4 */
@@ -100,12 +100,3 @@ EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b,
100{ 100{
101 return ec_group_new_curve(EC_GFp_mont_method(), p, a, b, ctx); 101 return ec_group_new_curve(EC_GFp_mont_method(), p, a, b, ctx);
102} 102}
103
104#ifndef OPENSSL_NO_EC2M
105EC_GROUP *
106EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b,
107 BN_CTX *ctx)
108{
109 return ec_group_new_curve(EC_GF2m_simple_method(), p, a, b, ctx);
110}
111#endif
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 683c49fef7..f560aa9991 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_lib.c,v 1.55 2023/04/13 07:44:12 tb Exp $ */ 1/* $OpenBSD: ec_lib.c,v 1.56 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller for the OpenSSL project. 3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */ 4 */
@@ -549,22 +549,6 @@ EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
549 return EC_GROUP_get_curve(group, p, a, b, ctx); 549 return EC_GROUP_get_curve(group, p, a, b, ctx);
550} 550}
551 551
552#ifndef OPENSSL_NO_EC2M
553int
554EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
555 const BIGNUM *b, BN_CTX *ctx)
556{
557 return EC_GROUP_set_curve(group, p, a, b, ctx);
558}
559
560int
561EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
562 BIGNUM *b, BN_CTX *ctx)
563{
564 return EC_GROUP_get_curve(group, p, a, b, ctx);
565}
566#endif
567
568int 552int
569EC_GROUP_get_degree(const EC_GROUP *group) 553EC_GROUP_get_degree(const EC_GROUP *group)
570{ 554{
@@ -1072,15 +1056,6 @@ EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
1072 return EC_POINT_set_affine_coordinates(group, point, x, y, ctx); 1056 return EC_POINT_set_affine_coordinates(group, point, x, y, ctx);
1073} 1057}
1074 1058
1075#ifndef OPENSSL_NO_EC2M
1076int
1077EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
1078 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
1079{
1080 return EC_POINT_set_affine_coordinates(group, point, x, y, ctx);
1081}
1082#endif
1083
1084int 1059int
1085EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, 1060EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
1086 BIGNUM *x, BIGNUM *y, BN_CTX *ctx_in) 1061 BIGNUM *x, BIGNUM *y, BN_CTX *ctx_in)
@@ -1117,15 +1092,6 @@ EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point
1117 return EC_POINT_get_affine_coordinates(group, point, x, y, ctx); 1092 return EC_POINT_get_affine_coordinates(group, point, x, y, ctx);
1118} 1093}
1119 1094
1120#ifndef OPENSSL_NO_EC2M
1121int
1122EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *point,
1123 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
1124{
1125 return EC_POINT_get_affine_coordinates(group, point, x, y, ctx);
1126}
1127#endif
1128
1129int 1095int
1130EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, 1096EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
1131 const EC_POINT *b, BN_CTX *ctx_in) 1097 const EC_POINT *b, BN_CTX *ctx_in)
diff --git a/src/lib/libcrypto/ec/ec_oct.c b/src/lib/libcrypto/ec/ec_oct.c
index b1c9e6a634..ee2ae0f4fc 100644
--- a/src/lib/libcrypto/ec/ec_oct.c
+++ b/src/lib/libcrypto/ec/ec_oct.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_oct.c,v 1.11 2023/04/11 18:58:20 jsing Exp $ */ 1/* $OpenBSD: ec_oct.c,v 1.12 2023/04/25 19:53:30 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller for the OpenSSL project. 3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */ 4 */
@@ -107,15 +107,6 @@ EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
107 return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx); 107 return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx);
108} 108}
109 109
110#ifndef OPENSSL_NO_EC2M
111int
112EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
113 const BIGNUM *x, int y_bit, BN_CTX *ctx)
114{
115 return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx);
116}
117#endif
118
119size_t 110size_t
120EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, 111EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
121 point_conversion_form_t form, unsigned char *buf, size_t len, 112 point_conversion_form_t form, unsigned char *buf, size_t len,
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 13:45:14 +0000