PageRenderTime 56ms CodeModel.GetById 20ms RepoModel.GetById 0ms app.codeStats 0ms

/ctaocrypt/src/ecc.c

https://github.com/andersmalm/cyassl
C | 1537 lines | 1043 code | 228 blank | 266 comment | 646 complexity | fe067ba0b0cb666b4dd33f69234d94f7 MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. /* ecc.c
    2. 

  2.  *
    3. 

  3.  * Copyright (C) 2006-2012 Sawtooth Consulting Ltd.
    4. 

  4.  *
    5. 

  5.  * This file is part of CyaSSL.
    6. 

  6.  *
    7. 

  7.  * CyaSSL is free software; you can redistribute it and/or modify
    8. 

  8.  * it under the terms of the GNU General Public License as published by
    9. 

  9.  * the Free Software Foundation; either version 2 of the License, or
    10. 

  10.  * (at your option) any later version.
    11. 

  11.  *
    12. 

  12.  * CyaSSL is distributed in the hope that it will be useful,
    13. 

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15. 

  15.  * GNU General Public License for more details.
    16. 

  16.  *
    17. 

  17.  * You should have received a copy of the GNU General Public License
    18. 

  18.  * along with this program; if not, write to the Free Software
    19. 

  19.  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
    20. 

  20.  */
    21. 

  21. 

  22. 

  23. #ifdef HAVE_CONFIG_H
    24. 

  24.     #include <config.h>
    25. 

  25. #endif
    26. 

  26. 

  27. /* in case user set HAVE_ECC there */
    28. 

  28. #include <cyassl/ctaocrypt/settings.h>
    29. 

  29. 

  30. #ifdef HAVE_ECC
    31. 

  31. 

  32. #include <cyassl/ctaocrypt/ecc.h>
    33. 

  33. #include <cyassl/ctaocrypt/asn.h>
    34. 

  34. #include <cyassl/ctaocrypt/error.h>
    35. 

  35. 

  36. 

  37. /* map
    38. 

    39. 

  39.    ptmul -> mulmod
    40. 

    41. 

  41. */
    42. 

  42. 

  43. #define ECC112
    44. 

  44. #define ECC128
    45. 

  45. #define ECC160
    46. 

  46. #define ECC192
    47. 

  47. #define ECC224
    48. 

  48. #define ECC256
    49. 

  49. #define ECC384
    50. 

  50. #define ECC521
    51. 

  51. 

  52. 

  53. 

  54. /* This holds the key settings.  ***MUST*** be organized by size from
    55. 

  55.    smallest to largest. */
    56. 

  56. 

  57. const ecc_set_type ecc_sets[] = {
    58. 

  58. #ifdef ECC112
    59. 

  59. {
    60. 

  60.         14,
    61. 

  61.         "SECP112R1",
    62. 

  62.         "DB7C2ABF62E35E668076BEAD208B",
    63. 

  63.         "659EF8BA043916EEDE8911702B22",
    64. 

  64.         "DB7C2ABF62E35E7628DFAC6561C5",
    65. 

  65.         "09487239995A5EE76B55F9C2F098",
    66. 

  66.         "A89CE5AF8724C0A23E0E0FF77500"
    67. 

  67. },
    68. 

  68. #endif
    69. 

  69. #ifdef ECC128
    70. 

  70. {
    71. 

  71.         16,
    72. 

  72.         "SECP128R1",
    73. 

  73.         "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF",
    74. 

  74.         "E87579C11079F43DD824993C2CEE5ED3",
    75. 

  75.         "FFFFFFFE0000000075A30D1B9038A115",
    76. 

  76.         "161FF7528B899B2D0C28607CA52C5B86",
    77. 

  77.         "CF5AC8395BAFEB13C02DA292DDED7A83",
    78. 

  78. },
    79. 

  79. #endif
    80. 

  80. #ifdef ECC160
    81. 

  81. {
    82. 

  82.         20,
    83. 

  83.         "SECP160R1",
    84. 

  84.         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF",
    85. 

  85.         "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45",
    86. 

  86.         "0100000000000000000001F4C8F927AED3CA752257",
    87. 

  87.         "4A96B5688EF573284664698968C38BB913CBFC82",
    88. 

  88.         "23A628553168947D59DCC912042351377AC5FB32",
    89. 

  89. },
    90. 

  90. #endif
    91. 

  91. #ifdef ECC192
    92. 

  92. {
    93. 

  93.         24,
    94. 

  94.         "ECC-192",
    95. 

  95.         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
    96. 

  96.         "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1",
    97. 

  97.         "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831",
    98. 

  98.         "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012",
    99. 

  99.         "7192B95FFC8DA78631011ED6B24CDD573F977A11E794811",
    100. 

  100. },
    101. 

  101. #endif
    102. 

  102. #ifdef ECC224
    103. 

  103. {
    104. 

  104.         28,
    105. 

  105.         "ECC-224",
    106. 

  106.         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
    107. 

  107.         "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
    108. 

  108.         "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
    109. 

  109.         "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
    110. 

  110.         "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
    111. 

  111. },
    112. 

  112. #endif
    113. 

  113. #ifdef ECC256
    114. 

  114. {
    115. 

  115.         32,
    116. 

  116.         "ECC-256",
    117. 

  117.         "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
    118. 

  118.         "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
    119. 

  119.         "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
    120. 

  120.         "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
    121. 

  121.         "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
    122. 

  122. },
    123. 

  123. #endif
    124. 

  124. #ifdef ECC384
    125. 

  125. {
    126. 

  126.         48,
    127. 

  127.         "ECC-384",
    128. 

  128.         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF",
    129. 

  129.         "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF",
    130. 

  130.         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973",
    131. 

  131.         "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
    132. 

  132.         "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F",
    133. 

  133. },
    134. 

  134. #endif
    135. 

  135. #ifdef ECC521
    136. 

  136. {
    137. 

  137.         66,
    138. 

  138.         "ECC-521",
    139. 

  139.         "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
    140. 

  140.         "51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
    141. 

  141.         "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
    142. 

  142.         "C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
    143. 

  143.         "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650",
    144. 

  144. },
    145. 

  145. #endif
    146. 

  146. {
    147. 

  147.    0,
    148. 

  148.    NULL, NULL, NULL, NULL, NULL, NULL
    149. 

  149. }
    150. 

  150. };
    151. 

  151. 

  152. 

  153. ecc_point* ecc_new_point(void);
    154. 

  154. void ecc_del_point(ecc_point* p);
    155. 

  155. int  ecc_map(ecc_point*, mp_int*, mp_digit*);
    156. 

  156. int  ecc_projective_add_point(ecc_point* P, ecc_point* Q, ecc_point* R,
    157. 

  157.                               mp_int* modulus, mp_digit* mp);
    158. 

  158. int  ecc_projective_dbl_point(ecc_point* P, ecc_point* R, mp_int* modulus,
    159. 

  159.                               mp_digit* mp);
    160. 

  160. 

  161. 

  162. /* helper for either lib */
    163. 

  163. static int get_digit_count(mp_int* a)
    164. 

  164. {
    165. 

  165.     if (a == NULL)
    166. 

  166.         return 0;
    167. 

  167. 

  168.     return a->used;
    169. 

  169. }
    170. 

  170. 

  171. /* helper for either lib */
    172. 

  172. static unsigned long get_digit(mp_int* a, int n)
    173. 

  173. {
    174. 

  174.     if (a == NULL)
    175. 

  175.         return 0;
    176. 

  176. 

  177.     return (n >= a->used || n < 0) ? 0 : a->dp[n];
    178. 

  178. }
    179. 

  179. 

  180. 

  181. /**
    182. 

  182.    Add two ECC points
    183. 

  183.    P        The point to add
    184. 

  184.    Q        The point to add
    185. 

  185.    R        [out] The destination of the double
    186. 

  186.    modulus  The modulus of the field the ECC curve is in
    187. 

  187.    mp       The "b" value from montgomery_setup()
    188. 

  188.    return   MP_OKAY on success
    189. 

  189. */
    190. 

  190. int ecc_projective_add_point(ecc_point* P, ecc_point* Q, ecc_point* R,
    191. 

  191.                              mp_int* modulus, mp_digit* mp)
    192. 

  192. {
    193. 

  193.    mp_int t1;
    194. 

  194.    mp_int t2;
    195. 

  195.    mp_int x;
    196. 

  196.    mp_int y;
    197. 

  197.    mp_int z;
    198. 

  198.    int    err;
    199. 

  199. 

  200.    if (P == NULL || Q == NULL || R == NULL || modulus == NULL || mp == NULL)
    201. 

  201.        return ECC_BAD_ARG_E;
    202. 

  202. 

  203.    if ((err = mp_init_multi(&t1, &t2, &x, &y, &z, NULL)) != MP_OKAY) {
    204. 

  204.       return err;
    205. 

  205.    }
    206. 

  206.    
    207. 

  207.    /* should we dbl instead? */
    208. 

  208.    err = mp_sub(modulus, &Q->y, &t1);
    209. 

  209. 

  210.    if (err == MP_OKAY) {
    211. 

  211.        if ( (mp_cmp(&P->x, &Q->x) == MP_EQ) && 
    212. 

  212.             (get_digit_count(&Q->z) && mp_cmp(&P->z, &Q->z) == MP_EQ) &&
    213. 

  213.             (mp_cmp(&P->y, &Q->y) == MP_EQ || mp_cmp(&P->y, &t1) == MP_EQ)) {
    214. 

  214.                 mp_clear(&t1);
    215. 

  215.                 mp_clear(&t2);
    216. 

  216.                 mp_clear(&x);
    217. 

  217.                 mp_clear(&y);
    218. 

  218.                 mp_clear(&z);
    219. 

  219. 

  220.                 return ecc_projective_dbl_point(P, R, modulus, mp);
    221. 

  221.        }
    222. 

  222.    }
    223. 

  223. 

  224.    if (err == MP_OKAY)
    225. 

  225.        err = mp_copy(&P->x, &x);
    226. 

  226.    if (err == MP_OKAY)
    227. 

  227.        err = mp_copy(&P->y, &y);
    228. 

  228.    if (err == MP_OKAY)
    229. 

  229.        err = mp_copy(&P->z, &z);
    230. 

  230. 

  231.    /* if Z is one then these are no-operations */
    232. 

  232.    if (err == MP_OKAY) {
    233. 

  233.        if (get_digit_count(&Q->z)) {
    234. 

  234.            /* T1 = Z' * Z' */
    235. 

  235.            err = mp_sqr(&Q->z, &t1);
    236. 

  236.            if (err == MP_OKAY)
    237. 

  237.                err = mp_montgomery_reduce(&t1, modulus, *mp);
    238. 

  238. 

  239.            /* X = X * T1 */
    240. 

  240.            if (err == MP_OKAY)
    241. 

  241.                err = mp_mul(&t1, &x, &x);
    242. 

  242.            if (err == MP_OKAY)
    243. 

  243.                err = mp_montgomery_reduce(&x, modulus, *mp);
    244. 

  244. 

  245.            /* T1 = Z' * T1 */
    246. 

  246.            if (err == MP_OKAY)
    247. 

  247.                err = mp_mul(&Q->z, &t1, &t1);
    248. 

  248.            if (err == MP_OKAY)
    249. 

  249.                err = mp_montgomery_reduce(&t1, modulus, *mp);
    250. 

  250. 

  251.            /* Y = Y * T1 */
    252. 

  252.            if (err == MP_OKAY)
    253. 

  253.                err = mp_mul(&t1, &y, &y);
    254. 

  254.            if (err == MP_OKAY)
    255. 

  255.                err = mp_montgomery_reduce(&y, modulus, *mp);
    256. 

  256.        }
    257. 

  257.    }
    258. 

  258. 

  259.    /* T1 = Z*Z */
    260. 

  260.    if (err == MP_OKAY)
    261. 

  261.        err = mp_sqr(&z, &t1);
    262. 

  262.    if (err == MP_OKAY)
    263. 

  263.        err = mp_montgomery_reduce(&t1, modulus, *mp);
    264. 

  264. 

  265.    /* T2 = X' * T1 */
    266. 

  266.    if (err == MP_OKAY)
    267. 

  267.        err = mp_mul(&Q->x, &t1, &t2);
    268. 

  268.    if (err == MP_OKAY)
    269. 

  269.        err = mp_montgomery_reduce(&t2, modulus, *mp);
    270. 

  270. 

  271.    /* T1 = Z * T1 */
    272. 

  272.    if (err == MP_OKAY)
    273. 

  273.        err = mp_mul(&z, &t1, &t1);
    274. 

  274.    if (err == MP_OKAY)
    275. 

  275.        err = mp_montgomery_reduce(&t1, modulus, *mp);
    276. 

  276. 

  277.    /* T1 = Y' * T1 */
    278. 

  278.    if (err == MP_OKAY)
    279. 

  279.        err = mp_mul(&Q->y, &t1, &t1);
    280. 

  280.    if (err == MP_OKAY)
    281. 

  281.        err = mp_montgomery_reduce(&t1, modulus, *mp);
    282. 

  282. 

  283.    /* Y = Y - T1 */
    284. 

  284.    if (err == MP_OKAY)
    285. 

  285.        err = mp_sub(&y, &t1, &y);
    286. 

  286.    if (err == MP_OKAY) {
    287. 

  287.        if (mp_cmp_d(&y, 0) == MP_LT)
    288. 

  288.            err = mp_add(&y, modulus, &y);
    289. 

  289.    }
    290. 

  290.    /* T1 = 2T1 */
    291. 

  291.    if (err == MP_OKAY)
    292. 

  292.        err = mp_add(&t1, &t1, &t1);
    293. 

  293.    if (err == MP_OKAY) {
    294. 

  294.        if (mp_cmp(&t1, modulus) != MP_LT)
    295. 

  295.            err = mp_sub(&t1, modulus, &t1);
    296. 

  296.    }
    297. 

  297.    /* T1 = Y + T1 */
    298. 

  298.    if (err == MP_OKAY)
    299. 

  299.        err = mp_add(&t1, &y, &t1);
    300. 

  300.    if (err == MP_OKAY) {
    301. 

  301.        if (mp_cmp(&t1, modulus) != MP_LT)
    302. 

  302.            err = mp_sub(&t1, modulus, &t1);
    303. 

  303.    }
    304. 

  304.    /* X = X - T2 */
    305. 

  305.    if (err == MP_OKAY)
    306. 

  306.        err = mp_sub(&x, &t2, &x);
    307. 

  307.    if (err == MP_OKAY) {
    308. 

  308.        if (mp_cmp_d(&x, 0) == MP_LT)
    309. 

  309.            err = mp_add(&x, modulus, &x);
    310. 

  310.    }
    311. 

  311.    /* T2 = 2T2 */
    312. 

  312.    if (err == MP_OKAY)
    313. 

  313.        err = mp_add(&t2, &t2, &t2);
    314. 

  314.    if (err == MP_OKAY) {
    315. 

  315.        if (mp_cmp(&t2, modulus) != MP_LT)
    316. 

  316.            err = mp_sub(&t2, modulus, &t2);
    317. 

  317.    }
    318. 

  318.    /* T2 = X + T2 */
    319. 

  319.    if (err == MP_OKAY)
    320. 

  320.        err = mp_add(&t2, &x, &t2);
    321. 

  321.    if (err == MP_OKAY) {
    322. 

  322.        if (mp_cmp(&t2, modulus) != MP_LT)
    323. 

  323.            err = mp_sub(&t2, modulus, &t2);
    324. 

  324.    }
    325. 

  325. 

  326.    if (err == MP_OKAY) {
    327. 

  327.        if (get_digit_count(&Q->z)) {
    328. 

  328.            /* Z = Z * Z' */
    329. 

  329.            err = mp_mul(&z, &Q->z, &z);
    330. 

  330.            if (err == MP_OKAY)
    331. 

  331.                err = mp_montgomery_reduce(&z, modulus, *mp);
    332. 

  332.        }
    333. 

  333.    }
    334. 

  334. 

  335.    /* Z = Z * X */
    336. 

  336.    if (err == MP_OKAY)
    337. 

  337.        err = mp_mul(&z, &x, &z);
    338. 

  338.    if (err == MP_OKAY)
    339. 

  339.        err = mp_montgomery_reduce(&z, modulus, *mp);
    340. 

  340. 

  341.    /* T1 = T1 * X  */
    342. 

  342.    if (err == MP_OKAY)
    343. 

  343.        err = mp_mul(&t1, &x, &t1);
    344. 

  344.    if (err == MP_OKAY)
    345. 

  345.        err = mp_montgomery_reduce(&t1, modulus, *mp);
    346. 

  346. 

  347.    /* X = X * X */
    348. 

  348.    if (err == MP_OKAY)
    349. 

  349.        err = mp_sqr(&x, &x);
    350. 

  350.    if (err == MP_OKAY)
    351. 

  351.        err = mp_montgomery_reduce(&x, modulus, *mp);
    352. 

  352.    
    353. 

  353.    /* T2 = T2 * x */
    354. 

  354.    if (err == MP_OKAY)
    355. 

  355.        err = mp_mul(&t2, &x, &t2);
    356. 

  356.    if (err == MP_OKAY)
    357. 

  357.        err = mp_montgomery_reduce(&t2, modulus, *mp);
    358. 

  358. 

  359.    /* T1 = T1 * X  */
    360. 

  360.    if (err == MP_OKAY)
    361. 

  361.        err = mp_mul(&t1, &x, &t1);
    362. 

  362.    if (err == MP_OKAY)
    363. 

  363.        err = mp_montgomery_reduce(&t1, modulus, *mp);
    364. 

  364.  
    365. 

  365.    /* X = Y*Y */
    366. 

  366.    if (err == MP_OKAY)
    367. 

  367.        err = mp_sqr(&y, &x);
    368. 

  368.    if (err == MP_OKAY)
    369. 

  369.        err = mp_montgomery_reduce(&x, modulus, *mp);
    370. 

  370. 

  371.    /* X = X - T2 */
    372. 

  372.    if (err == MP_OKAY)
    373. 

  373.        err = mp_sub(&x, &t2, &x);
    374. 

  374.    if (err == MP_OKAY) {
    375. 

  375.        if (mp_cmp_d(&x, 0) == MP_LT)
    376. 

  376.            err = mp_add(&x, modulus, &x);
    377. 

  377.    }
    378. 

  378.    /* T2 = T2 - X */
    379. 

  379.    if (err == MP_OKAY)
    380. 

  380.        err = mp_sub(&t2, &x, &t2);
    381. 

  381.    if (err == MP_OKAY) {
    382. 

  382.        if (mp_cmp_d(&t2, 0) == MP_LT)
    383. 

  383.            err = mp_add(&t2, modulus, &t2);
    384. 

  384.    } 
    385. 

  385.    /* T2 = T2 - X */
    386. 

  386.    if (err == MP_OKAY)
    387. 

  387.        err = mp_sub(&t2, &x, &t2);
    388. 

  388.    if (err == MP_OKAY) {
    389. 

  389.        if (mp_cmp_d(&t2, 0) == MP_LT)
    390. 

  390.            err = mp_add(&t2, modulus, &t2);
    391. 

  391.    }
    392. 

  392.    /* T2 = T2 * Y */
    393. 

  393.    if (err == MP_OKAY)
    394. 

  394.        err = mp_mul(&t2, &y, &t2);
    395. 

  395.    if (err == MP_OKAY)
    396. 

  396.        err = mp_montgomery_reduce(&t2, modulus, *mp);
    397. 

  397. 

  398.    /* Y = T2 - T1 */
    399. 

  399.    if (err == MP_OKAY)
    400. 

  400.        err = mp_sub(&t2, &t1, &y);
    401. 

  401.    if (err == MP_OKAY) {
    402. 

  402.        if (mp_cmp_d(&y, 0) == MP_LT)
    403. 

  403.            err = mp_add(&y, modulus, &y);
    404. 

  404.    }
    405. 

  405.    /* Y = Y/2 */
    406. 

  406.    if (err == MP_OKAY) {
    407. 

  407.        if (mp_isodd(&y))
    408. 

  408.            err = mp_add(&y, modulus, &y);
    409. 

  409.    }
    410. 

  410.    if (err == MP_OKAY)
    411. 

  411.        err = mp_div_2(&y, &y);
    412. 

  412. 

  413.    if (err == MP_OKAY)
    414. 

  414.        err = mp_copy(&x, &R->x);
    415. 

  415.    if (err == MP_OKAY)
    416. 

  416.        err = mp_copy(&y, &R->y);
    417. 

  417.    if (err == MP_OKAY)
    418. 

  418.        err = mp_copy(&z, &R->z);
    419. 

  419. 

  420.    /* clean up */
    421. 

  421.    mp_clear(&t1);
    422. 

  422.    mp_clear(&t2);
    423. 

  423.    mp_clear(&x);
    424. 

  424.    mp_clear(&y);
    425. 

  425.    mp_clear(&z);
    426. 

  426. 

  427.    return err;
    428. 

  428. }
    429. 

  429. 

  430. 

  431. /**
    432. 

  432.    Double an ECC point
    433. 

  433.    P   The point to double
    434. 

  434.    R   [out] The destination of the double
    435. 

  435.    modulus  The modulus of the field the ECC curve is in
    436. 

  436.    mp       The "b" value from montgomery_setup()
    437. 

  437.    return   MP_OKAY on success
    438. 

  438. */
    439. 

  439. int ecc_projective_dbl_point(ecc_point *P, ecc_point *R, mp_int* modulus,
    440. 

  440.                              mp_digit* mp)
    441. 

  441. {
    442. 

  442.    mp_int t1;
    443. 

  443.    mp_int t2;
    444. 

  444.    int    err;
    445. 

  445. 

  446.    if (P == NULL || R == NULL || modulus == NULL || mp == NULL)
    447. 

  447.        return ECC_BAD_ARG_E;
    448. 

  448. 

  449.    if ((err = mp_init_multi(&t1, &t2, NULL, NULL, NULL, NULL)) != MP_OKAY) {
    450. 

  450.       return err;
    451. 

  451.    }
    452. 

  452. 

  453.    if (P != R) {
    454. 

  454.       err = mp_copy(&P->x, &R->x);
    455. 

  455.       if (err == MP_OKAY)
    456. 

  456.           err = mp_copy(&P->y, &R->y);
    457. 

  457.       if (err == MP_OKAY)
    458. 

  458.           err = mp_copy(&P->z, &R->z);
    459. 

  459.    }
    460. 

  460. 

  461.    /* t1 = Z * Z */
    462. 

  462.    if (err == MP_OKAY)
    463. 

  463.        err = mp_sqr(&R->z, &t1);
    464. 

  464.    if (err == MP_OKAY)
    465. 

  465.        err = mp_montgomery_reduce(&t1, modulus, *mp);
    466. 

  466. 

  467.    /* Z = Y * Z */
    468. 

  468.    if (err == MP_OKAY)
    469. 

  469.        err = mp_mul(&R->z, &R->y, &R->z);
    470. 

  470.    if (err == MP_OKAY)
    471. 

  471.        err = mp_montgomery_reduce(&R->z, modulus, *mp);
    472. 

  472. 

  473.    /* Z = 2Z */
    474. 

  474.    if (err == MP_OKAY)
    475. 

  475.        err = mp_add(&R->z, &R->z, &R->z);
    476. 

  476.    if (err == MP_OKAY) {
    477. 

  477.        if (mp_cmp(&R->z, modulus) != MP_LT)
    478. 

  478.            err = mp_sub(&R->z, modulus, &R->z);
    479. 

  479.    }
    480. 

  480. 

  481.    /* T2 = X - T1 */
    482. 

  482.    if (err == MP_OKAY)
    483. 

  483.        err = mp_sub(&R->x, &t1, &t2);
    484. 

  484.    if (err == MP_OKAY) {
    485. 

  485.        if (mp_cmp_d(&t2, 0) == MP_LT)
    486. 

  486.            err = mp_add(&t2, modulus, &t2);
    487. 

  487.    }
    488. 

  488.    /* T1 = X + T1 */
    489. 

  489.    if (err == MP_OKAY)
    490. 

  490.        err = mp_add(&t1, &R->x, &t1);
    491. 

  491.    if (err == MP_OKAY) {
    492. 

  492.        if (mp_cmp(&t1, modulus) != MP_LT)
    493. 

  493.            err = mp_sub(&t1, modulus, &t1);
    494. 

  494.    }
    495. 

  495.    /* T2 = T1 * T2 */
    496. 

  496.    if (err == MP_OKAY)
    497. 

  497.        err = mp_mul(&t1, &t2, &t2);
    498. 

  498.    if (err == MP_OKAY)
    499. 

  499.        err = mp_montgomery_reduce(&t2, modulus, *mp);
    500. 

  500. 

  501.    /* T1 = 2T2 */
    502. 

  502.    if (err == MP_OKAY)
    503. 

  503.        err = mp_add(&t2, &t2, &t1);
    504. 

  504.    if (err == MP_OKAY) {
    505. 

  505.        if (mp_cmp(&t1, modulus) != MP_LT)
    506. 

  506.            err = mp_sub(&t1, modulus, &t1);
    507. 

  507.    }
    508. 

  508.    /* T1 = T1 + T2 */
    509. 

  509.    if (err == MP_OKAY)
    510. 

  510.        err = mp_add(&t1, &t2, &t1);
    511. 

  511.    if (err == MP_OKAY) {
    512. 

  512.        if (mp_cmp(&t1, modulus) != MP_LT)
    513. 

  513.            err = mp_sub(&t1, modulus, &t1);
    514. 

  514.    }
    515. 

  515.    /* Y = 2Y */
    516. 

  516.    if (err == MP_OKAY)
    517. 

  517.        err = mp_add(&R->y, &R->y, &R->y);
    518. 

  518.    if (err == MP_OKAY) {
    519. 

  519.        if (mp_cmp(&R->y, modulus) != MP_LT)
    520. 

  520.            err = mp_sub(&R->y, modulus, &R->y);
    521. 

  521.    }
    522. 

  522.    /* Y = Y * Y */
    523. 

  523.    if (err == MP_OKAY)
    524. 

  524.        err = mp_sqr(&R->y, &R->y);
    525. 

  525.    if (err == MP_OKAY)
    526. 

  526.        err = mp_montgomery_reduce(&R->y, modulus, *mp);
    527. 

  527.    
    528. 

  528.    /* T2 = Y * Y */
    529. 

  529.    if (err == MP_OKAY)
    530. 

  530.        err = mp_sqr(&R->y, &t2);
    531. 

  531.    if (err == MP_OKAY)
    532. 

  532.        err = mp_montgomery_reduce(&t2, modulus, *mp);
    533. 

  533. 

  534.    /* T2 = T2/2 */
    535. 

  535.    if (err == MP_OKAY) {
    536. 

  536.        if (mp_isodd(&t2))
    537. 

  537.            err = mp_add(&t2, modulus, &t2);
    538. 

  538.    }
    539. 

  539.    if (err == MP_OKAY)
    540. 

  540.        err = mp_div_2(&t2, &t2);
    541. 

  541.    
    542. 

  542.    /* Y = Y * X */
    543. 

  543.    if (err == MP_OKAY)
    544. 

  544.        err = mp_mul(&R->y, &R->x, &R->y);
    545. 

  545.    if (err == MP_OKAY)
    546. 

  546.        err = mp_montgomery_reduce(&R->y, modulus, *mp);
    547. 

  547. 

  548.    /* X  = T1 * T1 */
    549. 

  549.    if (err == MP_OKAY)
    550. 

  550.        err = mp_sqr(&t1, &R->x);
    551. 

  551.    if (err == MP_OKAY)
    552. 

  552.        err = mp_montgomery_reduce(&R->x, modulus, *mp);
    553. 

  553. 

  554.    /* X = X - Y */
    555. 

  555.    if (err == MP_OKAY)
    556. 

  556.        err = mp_sub(&R->x, &R->y, &R->x);
    557. 

  557.    if (err == MP_OKAY) {
    558. 

  558.        if (mp_cmp_d(&R->x, 0) == MP_LT)
    559. 

  559.            err = mp_add(&R->x, modulus, &R->x);
    560. 

  560.    }
    561. 

  561.    /* X = X - Y */
    562. 

  562.    if (err == MP_OKAY)
    563. 

  563.        err = mp_sub(&R->x, &R->y, &R->x);
    564. 

  564.    if (err == MP_OKAY) {
    565. 

  565.        if (mp_cmp_d(&R->x, 0) == MP_LT)
    566. 

  566.            err = mp_add(&R->x, modulus, &R->x);
    567. 

  567.    }
    568. 

  568.    /* Y = Y - X */     
    569. 

  569.    if (err == MP_OKAY)
    570. 

  570.        err = mp_sub(&R->y, &R->x, &R->y);
    571. 

  571.    if (err == MP_OKAY) {
    572. 

  572.        if (mp_cmp_d(&R->y, 0) == MP_LT)
    573. 

  573.            err = mp_add(&R->y, modulus, &R->y);
    574. 

  574.    }
    575. 

  575.    /* Y = Y * T1 */
    576. 

  576.    if (err == MP_OKAY)
    577. 

  577.        err = mp_mul(&R->y, &t1, &R->y);
    578. 

  578.    if (err == MP_OKAY)
    579. 

  579.        err = mp_montgomery_reduce(&R->y, modulus, *mp);
    580. 

  580. 

  581.    /* Y = Y - T2 */
    582. 

  582.    if (err == MP_OKAY)
    583. 

  583.        err = mp_sub(&R->y, &t2, &R->y);
    584. 

  584.    if (err == MP_OKAY) {
    585. 

  585.        if (mp_cmp_d(&R->y, 0) == MP_LT)
    586. 

  586.            err = mp_add(&R->y, modulus, &R->y);
    587. 

  587.    }
    588. 

  588. 

  589.    /* clean up */ 
    590. 

  590.    mp_clear(&t1);
    591. 

  591.    mp_clear(&t2);
    592. 

  592. 

  593.    return err;
    594. 

  594. }
    595. 

  595. 

  596. 

  597. /**
    598. 

  598.   Map a projective jacbobian point back to affine space
    599. 

  599.   P        [in/out] The point to map
    600. 

  600.   modulus  The modulus of the field the ECC curve is in
    601. 

  601.   mp       The "b" value from montgomery_setup()
    602. 

  602.   return   MP_OKAY on success
    603. 

  603. */
    604. 

  604. int ecc_map(ecc_point* P, mp_int* modulus, mp_digit* mp)
    605. 

  605. {
    606. 

  606.    mp_int t1;
    607. 

  607.    mp_int t2;
    608. 

  608.    int    err;
    609. 

  609. 

  610.    if (P == NULL || mp == NULL || modulus == NULL)
    611. 

  611.        return ECC_BAD_ARG_E;
    612. 

  612. 

  613.    if ((err = mp_init_multi(&t1, &t2, NULL, NULL, NULL, NULL)) != MP_OKAY) {
    614. 

  614.       return MEMORY_E;
    615. 

  615.    }
    616. 

  616. 

  617.    /* first map z back to normal */
    618. 

  618.    err = mp_montgomery_reduce(&P->z, modulus, *mp);
    619. 

  619. 

  620.    /* get 1/z */
    621. 

  621.    if (err == MP_OKAY)
    622. 

  622.        err = mp_invmod(&P->z, modulus, &t1);
    623. 

  623.  
    624. 

  624.    /* get 1/z^2 and 1/z^3 */
    625. 

  625.    if (err == MP_OKAY)
    626. 

  626.        err = mp_sqr(&t1, &t2);
    627. 

  627.    if (err == MP_OKAY)
    628. 

  628.        err = mp_mod(&t2, modulus, &t2);
    629. 

  629.    if (err == MP_OKAY)
    630. 

  630.        err = mp_mul(&t1, &t2, &t1);
    631. 

  631.    if (err == MP_OKAY)
    632. 

  632.        err = mp_mod(&t1, modulus, &t1);
    633. 

  633. 

  634.    /* multiply against x/y */
    635. 

  635.    if (err == MP_OKAY)
    636. 

  636.        err = mp_mul(&P->x, &t2, &P->x);
    637. 

  637.    if (err == MP_OKAY)
    638. 

  638.        err = mp_montgomery_reduce(&P->x, modulus, *mp);
    639. 

  639.    if (err == MP_OKAY)
    640. 

  640.        err = mp_mul(&P->y, &t1, &P->y);
    641. 

  641.    if (err == MP_OKAY)
    642. 

  642.        err = mp_montgomery_reduce(&P->y, modulus, *mp);
    643. 

  643.    
    644. 

  644.    if (err == MP_OKAY)
    645. 

  645.        mp_set(&P->z, 1);
    646. 

  646. 

  647.    /* clean up */
    648. 

  648.    mp_clear(&t1);
    649. 

  649.    mp_clear(&t2);
    650. 

  650. 

  651.    return err;
    652. 

  652. }
    653. 

  653. 

  654. 

  655. #ifndef ECC_TIMING_RESISTANT
    656. 

  656. 

  657. /* size of sliding window, don't change this! */
    658. 

  658. #define WINSIZE 4
    659. 

  659. 

  660. /**
    661. 

  661.    Perform a point multiplication 
    662. 

  662.    k    The scalar to multiply by
    663. 

  663.    G    The base point
    664. 

  664.    R    [out] Destination for kG
    665. 

  665.    modulus  The modulus of the field the ECC curve is in
    666. 

  666.    map      Boolean whether to map back to affine or not
    667. 

  667.                 (1==map, 0 == leave in projective)
    668. 

  668.    return MP_OKAY on success
    669. 

  669. */
    670. 

  670. static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
    671. 

  671.                       int map)
    672. 

  672. {
    673. 

  673.    ecc_point *tG, *M[8];
    674. 

  674.    int           i, j, err;
    675. 

  675.    mp_int        mu;
    676. 

  676.    mp_digit      mp;
    677. 

  677.    unsigned long buf;
    678. 

  678.    int           first, bitbuf, bitcpy, bitcnt, mode, digidx;
    679. 

  679. 

  680.    if (k == NULL || G == NULL || R == NULL || modulus == NULL)
    681. 

  681.        return ECC_BAD_ARG_E;
    682. 

  682. 

  683.    /* init montgomery reduction */
    684. 

  684.    if ((err = mp_montgomery_setup(modulus, &mp)) != MP_OKAY) {
    685. 

  685.       return err;
    686. 

  686.    }
    687. 

  687.    if ((err = mp_init(&mu)) != MP_OKAY) {
    688. 

  688.       return err;
    689. 

  689.    }
    690. 

  690.    if ((err = mp_montgomery_calc_normalization(&mu, modulus)) != MP_OKAY) {
    691. 

  691.       mp_clear(&mu);
    692. 

  692.       return err;
    693. 

  693.    }
    694. 

  694.   
    695. 

  695.   /* alloc ram for window temps */
    696. 

  696.   for (i = 0; i < 8; i++) {
    697. 

  697.       M[i] = ecc_new_point();
    698. 

  698.       if (M[i] == NULL) {
    699. 

  699.          for (j = 0; j < i; j++) {
    700. 

  700.              ecc_del_point(M[j]);
    701. 

  701.          }
    702. 

  702.          mp_clear(&mu);
    703. 

  703.          return MEMORY_E;
    704. 

  704.       }
    705. 

  705.   }
    706. 

  706. 

  707.    /* make a copy of G incase R==G */
    708. 

  708.    tG = ecc_new_point();
    709. 

  709.    if (tG == NULL)
    710. 

  710.        err = MEMORY_E;
    711. 

  711. 

  712.    /* tG = G  and convert to montgomery */
    713. 

  713.    if (err == MP_OKAY) {
    714. 

  714.        if (mp_cmp_d(&mu, 1) == MP_EQ) {
    715. 

  715.            err = mp_copy(&G->x, &tG->x);
    716. 

  716.            if (err == MP_OKAY)
    717. 

  717.                err = mp_copy(&G->y, &tG->y);
    718. 

  718.            if (err == MP_OKAY)
    719. 

  719.                err = mp_copy(&G->z, &tG->z);
    720. 

  720.        } else {
    721. 

  721.            err = mp_mulmod(&G->x, &mu, modulus, &tG->x);
    722. 

  722.            if (err == MP_OKAY)
    723. 

  723.                err = mp_mulmod(&G->y, &mu, modulus, &tG->y);
    724. 

  724.            if (err == MP_OKAY)
    725. 

  725.                err = mp_mulmod(&G->z, &mu, modulus, &tG->z);
    726. 

  726.        }
    727. 

  727.    }
    728. 

  728.    mp_clear(&mu);
    729. 

  729.    
    730. 

  730.    /* calc the M tab, which holds kG for k==8..15 */
    731. 

  731.    /* M[0] == 8G */
    732. 

  732.    if (err == MP_OKAY)
    733. 

  733.        err = ecc_projective_dbl_point(tG, M[0], modulus, &mp);
    734. 

  734.    if (err == MP_OKAY)
    735. 

  735.        err = ecc_projective_dbl_point(M[0], M[0], modulus, &mp);
    736. 

  736.    if (err == MP_OKAY)
    737. 

  737.        err = ecc_projective_dbl_point(M[0], M[0], modulus, &mp);
    738. 

  738. 

  739.    /* now find (8+k)G for k=1..7 */
    740. 

  740.    if (err == MP_OKAY)
    741. 

  741.        for (j = 9; j < 16; j++) {
    742. 

  742.            err = ecc_projective_add_point(M[j-9], tG, M[j-8], modulus, &mp);
    743. 

  743.            if (err != MP_OKAY) break;
    744. 

  744.        }
    745. 

  745. 

  746.    /* setup sliding window */
    747. 

  747.    if (err == MP_OKAY) {
    748. 

  748.        mode   = 0;
    749. 

  749.        bitcnt = 1;
    750. 

  750.        buf    = 0;
    751. 

  751.        digidx = get_digit_count(k) - 1;
    752. 

  752.        bitcpy = bitbuf = 0;
    753. 

  753.        first  = 1;
    754. 

  754. 

  755.        /* perform ops */
    756. 

  756.        for (;;) {
    757. 

  757.            /* grab next digit as required */
    758. 

  758.            if (--bitcnt == 0) {
    759. 

  759.                if (digidx == -1) {
    760. 

  760.                    break;
    761. 

  761.                }
    762. 

  762.                buf    = get_digit(k, digidx);
    763. 

  763.                bitcnt = (int) DIGIT_BIT; 
    764. 

  764.                --digidx;
    765. 

  765.            }
    766. 

  766. 

  767.            /* grab the next msb from the ltiplicand */
    768. 

  768.            i = (int)(buf >> (DIGIT_BIT - 1)) & 1;
    769. 

  769.            buf <<= 1;
    770. 

  770. 

  771.            /* skip leading zero bits */
    772. 

  772.            if (mode == 0 && i == 0)
    773. 

  773.                continue;
    774. 

  774. 

  775.            /* if the bit is zero and mode == 1 then we double */
    776. 

  776.            if (mode == 1 && i == 0) {
    777. 

  777.                err = ecc_projective_dbl_point(R, R, modulus, &mp);
    778. 

  778.                if (err != MP_OKAY) break;
    779. 

  779.                continue;
    780. 

  780.            }
    781. 

  781. 

  782.            /* else we add it to the window */
    783. 

  783.            bitbuf |= (i << (WINSIZE - ++bitcpy));
    784. 

  784.            mode = 2;
    785. 

  785. 

  786.            if (bitcpy == WINSIZE) {
    787. 

  787.                /* if this is the first window we do a simple copy */
    788. 

  788.                if (first == 1) {
    789. 

  789.                    /* R = kG [k = first window] */
    790. 

  790.                    err = mp_copy(&M[bitbuf-8]->x, &R->x);
    791. 

  791.                    if (err != MP_OKAY) break;
    792. 

  792. 

  793.                    err = mp_copy(&M[bitbuf-8]->y, &R->y);
    794. 

  794.                    if (err != MP_OKAY) break;
    795. 

  795. 

  796.                    err = mp_copy(&M[bitbuf-8]->z, &R->z);
    797. 

  797.                    first = 0;
    798. 

  798.                } else {
    799. 

  799.                    /* normal window */
    800. 

  800.                    /* ok window is filled so double as required and add  */
    801. 

  801.                    /* double first */
    802. 

  802.                    for (j = 0; j < WINSIZE; j++) {
    803. 

  803.                        err = ecc_projective_dbl_point(R, R, modulus, &mp);
    804. 

  804.                        if (err != MP_OKAY) break;
    805. 

  805.                    }
    806. 

  806.                    if (err != MP_OKAY) break;  /* out of first for(;;) */
    807. 

  807. 

  808.                    /* then add, bitbuf will be 8..15 [8..2^WINSIZE] guaranted */
    809. 

  809.                    err = ecc_projective_add_point(R,M[bitbuf-8],R,modulus,&mp);
    810. 

  810.                }
    811. 

  811.                if (err != MP_OKAY) break;
    812. 

  812.                /* empty window and reset */
    813. 

  813.                bitcpy = bitbuf = 0;
    814. 

  814.                mode = 1;
    815. 

  815.            }
    816. 

  816.        }
    817. 

  817.    }
    818. 

  818. 

  819.    /* if bits remain then double/add */
    820. 

  820.    if (err == MP_OKAY) {
    821. 

  821.        if (mode == 2 && bitcpy > 0) {
    822. 

  822.            /* double then add */
    823. 

  823.            for (j = 0; j < bitcpy; j++) {
    824. 

  824.                /* only double if we have had at least one add first */
    825. 

  825.                if (first == 0) {
    826. 

  826.                    err = ecc_projective_dbl_point(R, R, modulus, &mp);
    827. 

  827.                    if (err != MP_OKAY) break;
    828. 

  828.                }
    829. 

  829. 

  830.                bitbuf <<= 1;
    831. 

  831.                if ((bitbuf & (1 << WINSIZE)) != 0) {
    832. 

  832.                    if (first == 1) {
    833. 

  833.                        /* first add, so copy */
    834. 

  834.                        err = mp_copy(&tG->x, &R->x);
    835. 

  835.                        if (err != MP_OKAY) break;
    836. 

  836. 

  837.                        err = mp_copy(&tG->y, &R->y);
    838. 

  838.                        if (err != MP_OKAY) break;
    839. 

  839. 

  840.                        err = mp_copy(&tG->z, &R->z);
    841. 

  841.                        if (err != MP_OKAY) break;
    842. 

  842.                        first = 0;
    843. 

  843.                    } else {
    844. 

  844.                        /* then add */
    845. 

  845.                        err = ecc_projective_add_point(R, tG, R, modulus, &mp);
    846. 

  846.                        if (err != MP_OKAY) break;
    847. 

  847.                    }
    848. 

  848.                }
    849. 

  849.            }
    850. 

  850.        }
    851. 

  851.    }
    852. 

  852. 

  853.    /* map R back from projective space */
    854. 

  854.    if (err == MP_OKAY && map)
    855. 

  855.        err = ecc_map(R, modulus, &mp);
    856. 

  856. 

  857.    mp_clear(&mu);
    858. 

  858.    ecc_del_point(tG);
    859. 

  859.    for (i = 0; i < 8; i++) {
    860. 

  860.        ecc_del_point(M[i]);
    861. 

  861.    }
    862. 

  862.    return err;
    863. 

  863. }
    864. 

  864. 

  865. #undef WINSIZE
    866. 

  866. #endif /* ECC_TIMING_RESISTANT */
    867. 

  867. 

  868. 

  869. /**
    870. 

  870.    Allocate a new ECC point
    871. 

  871.    return A newly allocated point or NULL on error 
    872. 

  872. */
    873. 

  873. ecc_point* ecc_new_point(void)
    874. 

  874. {
    875. 

  875.    ecc_point* p;
    876. 

  876.    p = (ecc_point*)XMALLOC(sizeof(ecc_point), 0, DYNAMIC_TYPE_BIGINT);
    877. 

  877.    if (p == NULL) {
    878. 

  878.       return NULL;
    879. 

  879.    }
    880. 

  880.    XMEMSET(p, 0, sizeof(ecc_point));
    881. 

  881.    if (mp_init_multi(&p->x, &p->y, &p->z, NULL, NULL, NULL) != MP_OKAY) {
    882. 

  882.       XFREE(p, 0, DYNAMIC_TYPE_BIGINT);
    883. 

  883.       return NULL;
    884. 

  884.    }
    885. 

  885.    return p;
    886. 

  886. }
    887. 

  887. 

  888. /** Free an ECC point from memory
    889. 

  889.   p   The point to free
    890. 

  890. */
    891. 

  891. void ecc_del_point(ecc_point* p)
    892. 

  892. {
    893. 

  893.    /* prevents free'ing null arguments */
    894. 

  894.    if (p != NULL) {
    895. 

  895.       mp_clear(&p->x);
    896. 

  896.       mp_clear(&p->y);
    897. 

  897.       mp_clear(&p->z);
    898. 

  898.       XFREE(p, 0, DYNAMIC_TYPE_BIGINT);
    899. 

  899.    }
    900. 

  900. }
    901. 

  901. 

  902. 

  903. /** Returns whether an ECC idx is valid or not
    904. 

  904.   n      The idx number to check
    905. 

  905.   return 1 if valid, 0 if not
    906. 

  906. */  
    907. 

  907. static int ecc_is_valid_idx(int n)
    908. 

  908. {
    909. 

  909.    int x;
    910. 

  910. 

  911.    for (x = 0; ecc_sets[x].size != 0; x++)
    912. 

  912.        ;
    913. 

  913.    /* -1 is a valid index --- indicating that the domain params
    914. 

  914.       were supplied by the user */
    915. 

  915.    if ((n >= -1) && (n < x)) {
    916. 

  916.       return 1;
    917. 

  917.    }
    918. 

  918.    return 0;
    919. 

  919. }
    920. 

  920. 

  921. 

  922. /**
    923. 

  923.   Create an ECC shared secret between two keys
    924. 

  924.   private_key      The private ECC key
    925. 

  925.   public_key       The public key
    926. 

  926.   out              [out] Destination of the shared secret
    927. 

  927.                    Conforms to EC-DH from ANSI X9.63
    928. 

  928.   outlen           [in/out] The max size and resulting size of the shared secret
    929. 

  929.   return           MP_OKAY if successful
    930. 

  930. */
    931. 

  931. int ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out,
    932. 

  932.                       word32* outlen)
    933. 

  933. {
    934. 

  934.    word32         x = 0;
    935. 

  935.    ecc_point*     result;
    936. 

  936.    mp_int         prime;
    937. 

  937.    int            err;
    938. 

  938. 

  939.    if (private_key == NULL || public_key == NULL || out == NULL ||
    940. 

  940.                                                     outlen == NULL)
    941. 

  941.        return BAD_FUNC_ARG;
    942. 

  942. 

  943.    /* type valid? */
    944. 

  944.    if (private_key->type != ECC_PRIVATEKEY) {
    945. 

  945.       return ECC_BAD_ARG_E;
    946. 

  946.    }
    947. 

  947. 

  948.    if (ecc_is_valid_idx(private_key->idx) == 0 ||
    949. 

  949.        ecc_is_valid_idx(public_key->idx)  == 0)
    950. 

  950.       return ECC_BAD_ARG_E;
    951. 

  951. 

  952.    if (XSTRNCMP(private_key->dp->name, public_key->dp->name, ECC_MAXNAME) != 0)
    953. 

  953.       return ECC_BAD_ARG_E;
    954. 

  954. 

  955.    /* make new point */
    956. 

  956.    result = ecc_new_point();
    957. 

  957.    if (result == NULL) {
    958. 

  958.       return MEMORY_E;
    959. 

  959.    }
    960. 

  960. 

  961.    if ((err = mp_init(&prime)) != MP_OKAY) {
    962. 

  962.       ecc_del_point(result);
    963. 

  963.       return err;
    964. 

  964.    }
    965. 

  965. 

  966.    err = mp_read_radix(&prime, (char *)private_key->dp->prime, 16);
    967. 

  967. 

  968.    if (err == MP_OKAY)
    969. 

  969.        err = ecc_mulmod(&private_key->k, &public_key->pubkey, result, &prime,1);
    970. 

  970. 

  971.    if (err == MP_OKAY) {
    972. 

  972.        x = mp_unsigned_bin_size(&prime);
    973. 

  973.        if (*outlen < x)
    974. 

  974.           err = BUFFER_E;
    975. 

  975.    }
    976. 

  976. 

  977.    if (err == MP_OKAY) {
    978. 

  978.        XMEMSET(out, 0, x);
    979. 

  979.        err = mp_to_unsigned_bin(&result->x,out + (x -
    980. 

  980.                                             mp_unsigned_bin_size(&result->x)));
    981. 

  981.        *outlen = x;
    982. 

  982.    }
    983. 

  983. 

  984.    mp_clear(&prime);
    985. 

  985.    ecc_del_point(result);
    986. 

  986. 

  987.    return err;
    988. 

  988. }
    989. 

  989. 

  990. 

  991. int ecc_make_key_ex(RNG* rng, ecc_key* key, const ecc_set_type* dp);
    992. 

  992. 

  993. /**
    994. 

  994.   Make a new ECC key 
    995. 

  995.   rng          An active RNG state
    996. 

  996.   keysize      The keysize for the new key (in octets from 20 to 65 bytes)
    997. 

  997.   key          [out] Destination of the newly created key
    998. 

  998.   return       MP_OKAY if successful,
    999. 

  999.                        upon error all allocated memory will be freed
    1000. 

  1000. */
    1001. 

  1001. int ecc_make_key(RNG* rng, int keysize, ecc_key* key)
    1002. 

  1002. {
    1003. 

  1003.    int x, err;
    1004. 

  1004. 

  1005.    /* find key size */
    1006. 

  1006.    for (x = 0; (keysize > ecc_sets[x].size) && (ecc_sets[x].size != 0); x++)
    1007. 

  1007.        ;
    1008. 

  1008.    keysize = ecc_sets[x].size;
    1009. 

  1009. 

  1010.    if (keysize > ECC_MAXSIZE || ecc_sets[x].size == 0) {
    1011. 

  1011.       return BAD_FUNC_ARG;
    1012. 

  1012.    }
    1013. 

  1013.    err = ecc_make_key_ex(rng, key, &ecc_sets[x]);
    1014. 

  1014.    key->idx = x;
    1015. 

  1015. 

  1016.    return err;
    1017. 

  1017. }
    1018. 

  1018. 

  1019. int ecc_make_key_ex(RNG* rng, ecc_key* key, const ecc_set_type* dp)
    1020. 

  1020. {
    1021. 

  1021.    int            err;
    1022. 

  1022.    ecc_point*     base;
    1023. 

  1023.    mp_int         prime;
    1024. 

  1024.    mp_int         order;
    1025. 

  1025.    byte           buf[ECC_MAXSIZE];
    1026. 

  1026.    int            keysize;
    1027. 

  1027. 

  1028.    if (key == NULL || rng == NULL || dp == NULL)
    1029. 

  1029.        return ECC_BAD_ARG_E;
    1030. 

  1030. 

  1031.    key->idx = -1;
    1032. 

  1032.    key->dp  = dp;
    1033. 

  1033.    keysize  = dp->size;
    1034. 

  1034. 

  1035.    /* allocate ram */
    1036. 

  1036.    base = NULL;
    1037. 

  1037. 

  1038.    /* make up random string */
    1039. 

  1039.    RNG_GenerateBlock(rng, buf, keysize);
    1040. 

  1040.    buf[0] |= 0x0c;
    1041. 

  1041. 

  1042.    /* setup the key variables */
    1043. 

  1043.    if ((err = mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z,
    1044. 

  1044.                             &key->k, &prime, &order)) != MP_OKAY)
    1045. 

  1045.        return MEMORY_E;
    1046. 

  1046. 

  1047.    base = ecc_new_point();
    1048. 

  1048.    if (base == NULL)
    1049. 

  1049.       err = MEMORY_E;
    1050. 

  1050. 

  1051.    /* read in the specs for this key */
    1052. 

  1052.    if (err == MP_OKAY) 
    1053. 

  1053.        err = mp_read_radix(&prime,   (char *)key->dp->prime, 16);
    1054. 

  1054.    if (err == MP_OKAY) 
    1055. 

  1055.        err = mp_read_radix(&order,   (char *)key->dp->order, 16);
    1056. 

  1056.    if (err == MP_OKAY) 
    1057. 

  1057.        err = mp_read_radix(&base->x, (char *)key->dp->Gx, 16);
    1058. 

  1058.    if (err == MP_OKAY) 
    1059. 

  1059.        err = mp_read_radix(&base->y, (char *)key->dp->Gy, 16);
    1060. 

  1060.    
    1061. 

  1061.    if (err == MP_OKAY) 
    1062. 

  1062.        mp_set(&base->z, 1);
    1063. 

  1063.    if (err == MP_OKAY) 
    1064. 

  1064.        err = mp_read_unsigned_bin(&key->k, (byte*)buf, keysize);
    1065. 

  1065. 

  1066.    /* the key should be smaller than the order of base point */
    1067. 

  1067.    if (err == MP_OKAY) { 
    1068. 

  1068.        if (mp_cmp(&key->k, &order) != MP_LT)
    1069. 

  1069.            err = mp_mod(&key->k, &order, &key->k);
    1070. 

  1070.    }
    1071. 

  1071.    /* make the public key */
    1072. 

  1072.    if (err == MP_OKAY)
    1073. 

  1073.        err = ecc_mulmod(&key->k, base, &key->pubkey, &prime, 1);
    1074. 

  1074.    if (err == MP_OKAY)
    1075. 

  1075.        key->type = ECC_PRIVATEKEY;
    1076. 

  1076. 

  1077.    if (err != MP_OKAY) {
    1078. 

  1078.        /* clean up */
    1079. 

  1079.        mp_clear(&key->pubkey.x);
    1080. 

  1080.        mp_clear(&key->pubkey.y);
    1081. 

  1081.        mp_clear(&key->pubkey.z);
    1082. 

  1082.        mp_clear(&key->k);
    1083. 

  1083.    }
    1084. 

  1084.    ecc_del_point(base);
    1085. 

  1085.    mp_clear(&prime);
    1086. 

  1086.    mp_clear(&order);
    1087. 

  1087. #ifdef ECC_CLEAN_STACK
    1088. 

  1088.    XMEMSET(buff, 0, ECC_MAXSIZE);
    1089. 

  1089. #endif
    1090. 

  1090.    return err;
    1091. 

  1091. }
    1092. 

  1092. 

  1093. 

  1094. /* Setup dynamic pointers is using normal math for proper freeing */
    1095. 

  1095. void ecc_init(ecc_key* key)
    1096. 

  1096. {
    1097. 

  1097.     (void)key;
    1098. 

  1098. #ifndef USE_FAST_MATH
    1099. 

  1099.     key->pubkey.x.dp = NULL;
    1100. 

  1100.     key->pubkey.y.dp = NULL;
    1101. 

  1101.     key->pubkey.z.dp = NULL;
    1102. 

  1102. 

  1103.     key->k.dp = NULL;
    1104. 

  1104. #endif
    1105. 

  1105. }
    1106. 

  1106. 

  1107. 

  1108. /**
    1109. 

  1109.   Sign a message digest
    1110. 

  1110.   in        The message digest to sign
    1111. 

  1111.   inlen     The length of the digest
    1112. 

  1112.   out       [out] The destination for the signature
    1113. 

  1113.   outlen    [in/out] The max size and resulting size of the signature
    1114. 

  1114.   key       A private ECC key
    1115. 

  1115.   return    MP_OKAY if successful
    1116. 

  1116. */
    1117. 

  1117. int ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen, 
    1118. 

  1118.                   RNG* rng, ecc_key* key)
    1119. 

  1119. {
    1120. 

  1120.    mp_int        r;
    1121. 

  1121.    mp_int        s;
    1122. 

  1122.    mp_int        e;
    1123. 

  1123.    mp_int        p;
    1124. 

  1124.    int           err;
    1125. 

  1125. 

  1126.    if (in == NULL || out == NULL || outlen == NULL || key == NULL || rng ==NULL)
    1127. 

  1127.        return ECC_BAD_ARG_E;
    1128. 

  1128. 

  1129.    /* is this a private key? */
    1130. 

  1130.    if (key->type != ECC_PRIVATEKEY) {
    1131. 

  1131.       return ECC_BAD_ARG_E;
    1132. 

  1132.    }
    1133. 

  1133.    
    1134. 

  1134.    /* is the IDX valid ?  */
    1135. 

  1135.    if (ecc_is_valid_idx(key->idx) != 1) {
    1136. 

  1136.       return ECC_BAD_ARG_E;
    1137. 

  1137.    }
    1138. 

  1138. 

  1139.    /* get the hash and load it as a bignum into 'e' */
    1140. 

  1140.    /* init the bignums */
    1141. 

  1141.    if ((err = mp_init_multi(&r, &s, &p, &e, NULL, NULL)) != MP_OKAY) { 
    1142. 

  1142.       return err;
    1143. 

  1143.    }
    1144. 

  1144.    err = mp_read_radix(&p, (char *)key->dp->order, 16);
    1145. 

  1145. 

  1146.    if (err == MP_OKAY) {
    1147. 

  1147.        int truncLen = (int)inlen;
    1148. 

  1148.        if (truncLen > ecc_size(key))
    1149. 

  1149.            truncLen = ecc_size(key);
    1150. 

  1150.        err = mp_read_unsigned_bin(&e, (byte*)in, truncLen);
    1151. 

  1151.    }
    1152. 

  1152. 

  1153.    /* make up a key and export the public copy */
    1154. 

  1154.    if (err == MP_OKAY) {
    1155. 

  1155.        ecc_key pubkey;
    1156. 

  1156.        ecc_init(&pubkey);
    1157. 

  1157.        for (;;) {
    1158. 

  1158.            err = ecc_make_key_ex(rng, &pubkey, key->dp);
    1159. 

  1159.            if (err != MP_OKAY) break;
    1160. 

  1160. 

  1161.            /* find r = x1 mod n */
    1162. 

  1162.            err = mp_mod(&pubkey.pubkey.x, &p, &r);
    1163. 

  1163.            if (err != MP_OKAY) break;
    1164. 

  1164. 

  1165.            if (mp_iszero(&r) == MP_YES)
    1166. 

  1166.                ecc_free(&pubkey);
    1167. 

  1167.            else { 
    1168. 

  1168.                /* find s = (e + xr)/k */
    1169. 

  1169.                err = mp_invmod(&pubkey.k, &p, &pubkey.k);
    1170. 

  1170.                if (err != MP_OKAY) break;
    1171. 

  1171. 

  1172.                err = mp_mulmod(&key->k, &r, &p, &s);   /* s = xr */
    1173. 

  1173.                if (err != MP_OKAY) break;
    1174. 

  1174.            
    1175. 

  1175.                err = mp_add(&e, &s, &s);               /* s = e +  xr */
    1176. 

  1176.                if (err != MP_OKAY) break;
    1177. 

  1177. 

  1178.                err = mp_mod(&s, &p, &s);               /* s = e +  xr */
    1179. 

  1179.                if (err != MP_OKAY) break;
    1180. 

  1180. 

  1181.                err = mp_mulmod(&s, &pubkey.k, &p, &s); /* s = (e + xr)/k */
    1182. 

  1182.                if (err != MP_OKAY) break;
    1183. 

  1183. 

  1184.                ecc_free(&pubkey);
    1185. 

  1185.                if (mp_iszero(&s) == MP_NO)
    1186. 

  1186.                    break;
    1187. 

  1187.             }
    1188. 

  1188.        }
    1189. 

  1189.        ecc_free(&pubkey);
    1190. 

  1190.    }
    1191. 

  1191. 

  1192.    /* store as SEQUENCE { r, s -- integer } */
    1193. 

  1193.    if (err == MP_OKAY)
    1194. 

  1194.        err = StoreECC_DSA_Sig(out, outlen, &r, &s);
    1195. 

  1195. 

  1196.    mp_clear(&r);
    1197. 

  1197.    mp_clear(&s);
    1198. 

  1198.    mp_clear(&p);
    1199. 

  1199.    mp_clear(&e);
    1200. 

  1200. 

  1201.    return err;
    1202. 

  1202. }
    1203. 

  1203. 

  1204. 

  1205. /**
    1206. 

  1206.   Free an ECC key from memory
    1207. 

  1207.   key   The key you wish to free
    1208. 

  1208. */
    1209. 

  1209. void ecc_free(ecc_key* key)
    1210. 

  1210. {
    1211. 

  1211.    if (key == NULL)
    1212. 

  1212.        return;
    1213. 

  1213. 

  1214.    mp_clear(&key->pubkey.x);
    1215. 

  1215.    mp_clear(&key->pubkey.y);
    1216. 

  1216.    mp_clear(&key->pubkey.z);
    1217. 

  1217.    mp_clear(&key->k);
    1218. 

  1218. }
    1219. 

  1219. 

  1220. 

  1221. /* verify 
    1222. 

  1222.  *
    1223. 

  1223.  * w  = s^-1 mod n
    1224. 

  1224.  * u1 = xw 
    1225. 

  1225.  * u2 = rw
    1226. 

  1226.  * X = u1*G + u2*Q
    1227. 

  1227.  * v = X_x1 mod n
    1228. 

  1228.  * accept if v == r
    1229. 

  1229.  */
    1230. 

  1230. 

  1231. /**
    1232. 

  1232.    Verify an ECC signature
    1233. 

  1233.    sig         The signature to verify
    1234. 

  1234.    siglen      The length of the signature (octets)
    1235. 

  1235.    hash        The hash (message digest) that was signed
    1236. 

  1236.    hashlen     The length of the hash (octets)
    1237. 

  1237.    stat        Result of signature, 1==valid, 0==invalid
    1238. 

  1238.    key         The corresponding public ECC key
    1239. 

  1239.    return      MP_OKAY if successful (even if the signature is not valid)
    1240. 

  1240. */
    1241. 

  1241. int ecc_verify_hash(const byte* sig, word32 siglen, byte* hash, word32 hashlen, 
    1242. 

  1242.                     int* stat, ecc_key* key)
    1243. 

  1243. {
    1244. 

  1244.    ecc_point    *mG, *mQ;
    1245. 

  1245.    mp_int        r;
    1246. 

  1246.    mp_int        s;
    1247. 

  1247.    mp_int        v;
    1248. 

  1248.    mp_int        w;
    1249. 

  1249.    mp_int        u1;
    1250. 

  1250.    mp_int        u2;
    1251. 

  1251.    mp_int        e;
    1252. 

  1252.    mp_int        p;
    1253. 

  1253.    mp_int        m;
    1254. 

  1254.    mp_digit      mp;
    1255. 

  1255.    int           err;
    1256. 

  1256. 

  1257.    if (sig == NULL || hash == NULL || stat == NULL || key == NULL)
    1258. 

  1258.        return ECC_BAD_ARG_E; 
    1259. 

  1259. 

  1260.    /* default to invalid signature */
    1261. 

  1261.    *stat = 0;
    1262. 

  1262. 

  1263.    /* is the IDX valid ?  */
    1264. 

  1264.    if (ecc_is_valid_idx(key->idx) != 1) {
    1265. 

  1265.       return ECC_BAD_ARG_E;
    1266. 

  1266.    }
    1267. 

  1267. 

  1268.    /* allocate ints */
    1269. 

  1269.    if ((err = mp_init_multi(&v, &w, &u1, &u2, &p, &e)) != MP_OKAY) {
    1270. 

  1270.       return MEMORY_E;
    1271. 

  1271.    }
    1272. 

  1272. 

  1273.    if ((err = mp_init(&m)) != MP_OKAY) {
    1274. 

  1274.       mp_clear(&v);
    1275. 

  1275.       mp_clear(&w);
    1276. 

  1276.       mp_clear(&u1);
    1277. 

  1277.       mp_clear(&u2);
    1278. 

  1278.       mp_clear(&p);
    1279. 

  1279.       mp_clear(&e);
    1280. 

  1280.       return MEMORY_E;
    1281. 

  1281.    }
    1282. 

  1282. 

  1283.    /* allocate points */
    1284. 

  1284.    mG = ecc_new_point();
    1285. 

  1285.    mQ = ecc_new_point();
    1286. 

  1286.    if (mQ  == NULL || mG == NULL)
    1287. 

  1287.       err = MEMORY_E;
    1288. 

  1288. 

  1289.    /* Note, DecodeECC_DSA_Sig() calls mp_init() on r and s.
    1290. 

  1290.     * If either of those don't allocate correctly, none of
    1291. 

  1291.     * the rest of this function will execute, and everything
    1292. 

  1292.     * gets cleaned up at the end. */
    1293. 

  1293.    XMEMSET(&r, 0, sizeof(r));
    1294. 

  1294.    XMEMSET(&s, 0, sizeof(s));
    1295. 

  1295.    if (err == MP_OKAY) 
    1296. 

  1296.        err = DecodeECC_DSA_Sig(sig, siglen, &r, &s);
    1297. 

  1297. 

  1298.    /* get the order */
    1299. 

  1299.    if (err == MP_OKAY)
    1300. 

  1300.        err = mp_read_radix(&p, (char *)key->dp->order, 16);
    1301. 

  1301. 

  1302.    /* get the modulus */
    1303. 

  1303.    if (err == MP_OKAY)
    1304. 

  1304.        err = mp_read_radix(&m, (char *)key->dp->prime, 16);
    1305. 

  1305. 

  1306.    /* check for zero */
    1307. 

  1307.    if (err == MP_OKAY) {
    1308. 

  1308.        if (mp_iszero(&r) || mp_iszero(&s) || mp_cmp(&r, &p) != MP_LT ||
    1309. 

  1309.                                              mp_cmp(&s, &p) != MP_LT)
    1310. 

  1310.            err = MP_ZERO_E; 
    1311. 

  1311.    }
    1312. 

  1312.    /* read hash */
    1313. 

  1313.    if (err == MP_OKAY) {
    1314. 

  1314.        int truncLen = (int)hashlen;
    1315. 

  1315.        if (truncLen > ecc_size(key))
    1316. 

  1316.            truncLen = ecc_size(key);
    1317. 

  1317.        err = mp_read_unsigned_bin(&e, (byte*)hash, truncLen);
    1318. 

  1318.    }
    1319. 

  1319. 

  1320.    /*  w  = s^-1 mod n */
    1321. 

  1321.    if (err == MP_OKAY)
    1322. 

  1322.        err = mp_invmod(&s, &p, &w);
    1323. 

  1323. 

  1324.    /* u1 = ew */
    1325. 

  1325.    if (err == MP_OKAY)
    1326. 

  1326.        err = mp_mulmod(&e, &w, &p, &u1);
    1327. 

  1327. 

  1328.    /* u2 = rw */
    1329. 

  1329.    if (err == MP_OKAY)
    1330. 

  1330.        err = mp_mulmod(&r, &w, &p, &u2);
    1331. 

  1331. 

  1332.    /* find mG and mQ */
    1333. 

  1333.    if (err == MP_OKAY)
    1334. 

  1334.        err = mp_read_radix(&mG->x, (char *)key->dp->Gx, 16);
    1335. 

  1335. 

  1336.    if (err == MP_OKAY)
    1337. 

  1337.        err = mp_read_radix(&mG->y, (char *)key->dp->Gy, 16);
    1338. 

  1338.    if (err == MP_OKAY)
    1339. 

  1339.        mp_set(&mG->z, 1);
    1340. 

  1340. 

  1341.    if (err == MP_OKAY)
    1342. 

  1342.        err = mp_copy(&key->pubkey.x, &mQ->x);
    1343. 

  1343.    if (err == MP_OKAY)
    1344. 

  1344.        err = mp_copy(&key->pubkey.y, &mQ->y);
    1345. 

  1345.    if (err == MP_OKAY)
    1346. 

  1346.        err = mp_copy(&key->pubkey.z, &mQ->z);
    1347. 

  1347. 

  1348. #ifndef ECC_SHAMIR
    1349. 

  1349.        /* compute u1*mG + u2*mQ = mG */
    1350. 

  1350.        if (err == MP_OKAY)
    1351. 

  1351.            err = ecc_mulmod(&u1, mG, mG, &m, 0);
    1352. 

  1352.        if (err == MP_OKAY)
    1353. 

  1353.            err = ecc_mulmod(&u2, mQ, mQ, &m, 0);
    1354. 

  1354.   
    1355. 

  1355.        /* find the montgomery mp */
    1356. 

  1356.        if (err == MP_OKAY)
    1357. 

  1357.            err = mp_montgomery_setup(&m, &mp);
    1358. 

  1358. 

  1359.        /* add them */
    1360. 

  1360.        if (err == MP_OKAY)
    1361. 

  1361.            err = ecc_projective_add_point(mQ, mG, mG, &m, &mp);
    1362. 

  1362.    
    1363. 

  1363.        /* reduce */
    1364. 

  1364.        if (err == MP_OKAY)
    1365. 

  1365.            err = ecc_map(mG, &m, &mp);
    1366. 

  1366. #else
    1367. 

  1367.        /* use Shamir's trick to compute u1*mG + u2*mQ using half the doubles */
    1368. 

  1368.        if (err == MP_OKAY)
    1369. 

  1369.            err = ecc_mul2add(mG, &u1, mQ, &u2, mG, &m);
    1370. 

  1370. #endif /* ECC_SHAMIR */ 
    1371. 

  1371. 

  1372.    /* v = X_x1 mod n */
    1373. 

  1373.    if (err == MP_OKAY)
    1374. 

  1374.        err = mp_mod(&mG->x, &p, &v);
    1375. 

  1375. 

  1376.    /* does v == r */
    1377. 

  1377.    if (err == MP_OKAY) {
    1378. 

  1378.        if (mp_cmp(&v, &r) == MP_EQ)
    1379. 

  1379.            *stat = 1;
    1380. 

  1380.    }
    1381. 

  1381. 

  1382.    ecc_del_point(mG);
    1383. 

  1383.    ecc_del_point(mQ);
    1384. 

  1384. 

  1385.    mp_clear(&r);
    1386. 

  1386.    mp_clear(&s);
    1387. 

  1387.    mp_clear(&v);
    1388. 

  1388.    mp_clear(&w);
    1389. 

  1389.    mp_clear(&u1);
    1390. 

  1390.    mp_clear(&u2);
    1391. 

  1391.    mp_clear(&p);
    1392. 

  1392.    mp_clear(&e);
    1393. 

  1393.    mp_clear(&m);
    1394. 

  1394. 

  1395.    return err;
    1396. 

  1396. }
    1397. 

  1397. 

  1398. 

  1399. /* export public ECC key in ANSI X9.63 format */
    1400. 

  1400. int ecc_export_x963(ecc_key* key, byte* out, word32* outLen)
    1401. 

  1401. {
    1402. 

  1402.    byte   buf[ECC_BUFSIZE];
    1403. 

  1403.    word32 numlen;
    1404. 

  1404. 

  1405.    if (key == NULL || out == NULL || outLen == NULL)
    1406. 

  1406.        return ECC_BAD_ARG_E;
    1407. 

  1407. 

  1408.    if (ecc_is_valid_idx(key->idx) == 0) {
    1409. 

  1409.       return ECC_BAD_ARG_E;
    1410. 

  1410.    }
    1411. 

  1411.    numlen = key->dp->size;
    1412. 

  1412. 

  1413.    if (*outLen < (1 + 2*numlen)) {
    1414. 

  1414.       *outLen = 1 + 2*numlen;
    1415. 

  1415.       return BUFFER_E;
    1416. 

  1416.    }
    1417. 

  1417. 

  1418.    /* store byte 0x04 */
    1419. 

  1419.    out[0] = 0x04;
    1420. 

  1420. 

  1421.    /* pad and store x */
    1422. 

  1422.    XMEMSET(buf, 0, sizeof(buf));
    1423. 

  1423.    mp_to_unsigned_bin(&key->pubkey.x,
    1424. 

  1424.                       buf + (numlen - mp_unsigned_bin_size(&key->pubkey.x)));
    1425. 

  1425.    XMEMCPY(out+1, buf, numlen);
    1426. 

  1426. 

  1427.    /* pad and store y */
    1428. 

  1428.    XMEMSET(buf, 0, sizeof(buf));
    1429. 

  1429.    mp_to_unsigned_bin(&key->pubkey.y,
    1430. 

  1430.                       buf + (numlen - mp_unsigned_bin_size(&key->pubkey.y)));
    1431. 

  1431.    XMEMCPY(out+1+numlen, buf, numlen);
    1432. 

  1432. 

  1433.    *outLen = 1 + 2*numlen;
    1434. 

  1434. 

  1435.    return 0;
    1436. 

  1436. }
    1437. 

  1437. 

  1438. 

  1439. /* import public ECC key in ANSI X9.63 format */
    1440. 

  1440. int ecc_import_x963(const byte* in, word32 inLen, ecc_key* key)
    1441. 

  1441. {
    1442. 

  1442.    int x, err;
    1443. 

  1443. 

  1444.    
    1445. 

  1445.    if (in == NULL || key == NULL)
    1446. 

  1446.        return ECC_BAD_ARG_E;
    1447. 

  1447. 

  1448.    /* must be odd */
    1449. 

  1449.    if ((inLen & 1) == 0) {
    1450. 

  1450.       return ECC_BAD_ARG_E;
    1451. 

  1451.    }
    1452. 

  1452. 

  1453.    /* init key */
    1454. 

  1454.    if (mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k,
    1455. 

  1455.                      NULL, NULL) != MP_OKAY) {
    1456. 

  1456.       return MEMORY_E;
    1457. 

  1457.    }
    1458. 

  1458.    err = MP_OKAY;
    1459. 

  1459. 

  1460.    /* check for 4, 6 or 7 */
    1461. 

  1461.    if (in[0] != 4 && in[0] != 6 && in[0] != 7) {
    1462. 

  1462.       err = ASN_PARSE_E;
    1463. 

  1463.    }
    1464. 

  1464. 

  1465.    /* read data */
    1466. 

  1466.    if (err == MP_OKAY) 
    1467. 

  1467.        err = mp_read_unsigned_bin(&key->pubkey.x, (byte*)in+1, (inLen-1)>>1);
    1468. 

  1468. 

  1469.    if (err == MP_OKAY) 
    1470. 

  1470.        err = mp_read_unsigned_bin(&key->pubkey.y, (byte*)in+1+((inLen-1)>>1),
    1471. 

  1471.                                   (inLen-1)>>1);
    1472. 

  1472.    
    1473. 

  1473.    if (err == MP_OKAY) 
    1474. 

  1474.        mp_set(&key->pubkey.z, 1);
    1475. 

  1475. 

  1476.    if (err == MP_OKAY) {
    1477. 

  1477.      /* determine the idx */
    1478. 

  1478.       for (x = 0; ecc_sets[x].size != 0; x++) {
    1479. 

  1479.          if ((unsigned)ecc_sets[x].size >= ((inLen-1)>>1)) {
    1480. 

  1480.             break;
    1481. 

  1481.          }
    1482. 

  1482.       }
    1483. 

  1483.       if (ecc_sets[x].size == 0) {
    1484. 

  1484.          err = ASN_PARSE_E;
    1485. 

  1485.       } else {
    1486. 

  1486.           /* set the idx */
    1487. 

  1487.           key->idx  = x;
    1488. 

  1488.           key->dp = &ecc_sets[x];
    1489. 

  1489.           key->type = ECC_PUBLICKEY;
    1490. 

  1490.       }
    1491. 

  1491.    }
    1492. 

  1492. 

  1493.    if (err != MP_OKAY) {
    1494. 

  1494.        mp_clear(&key->pubkey.x);
    1495. 

  1495.        mp_clear(&key->pubkey.y);
    1496. 

  1496.        mp_clear(&key->pubkey.z);
    1497. 

  1497.        mp_clear(&key->k);
    1498. 

  1498.    }
    1499. 

  1499. 

  1500.    return err;
    1501. 

  1501. }
    1502. 

  1502. 

  1503. 

  1504. /* ecc private key import, public key in ANSI X9.63 format, private raw */
    1505. 

  1505. int ecc_import_private_key(const byte* priv, word32 privSz, const byte* pub,
    1506. 

  1506.                            word32 pubSz, ecc_key* key)
    1507. 

  1507. {
    1508. 

  1508.     int ret = ecc_import_x963(pub, pubSz, key);
    1509. 

  1509.     if (ret != 0)
    1510. 

  1510.         return ret;
    1511. 

  1511. 

  1512.     key->type = ECC_PRIVATEKEY;
    1513. 

  1513. 

  1514.     return mp_read_unsigned_bin(&key->k, priv, privSz);
    1515. 

  1515. }
    1516. 

  1516. 

  1517. 

  1518. /* key size in octets */
    1519. 

  1519. int ecc_size(ecc_key* key)
    1520. 

  1520. {
    1521. 

  1521.     if (key == NULL) return 0;
    1522. 

  1522. 

  1523.     return key->dp->size;
    1524. 

  1524. }
    1525. 

  1525. 

  1526. 

  1527. /* signature size in octets */
    1528. 

  1528. int ecc_sig_size(ecc_key* key)
    1529. 

  1529. {
    1530. 

  1530.     int sz = ecc_size(key);
    1531. 

  1531.     if (sz < 0)
    1532. 

  1532.         return sz;
    1533. 

  1533. 

  1534.     return sz * 2 + SIG_HEADER_SZ;
    1535. 

  1535. }
    1536. 

  1536. 

  1537. #endif /* HAVE_ECC */
    1538. 

  1538.