ec_curve.c

definitions of popular elliptic curves to be used with openssl

	"F0AB7519CCD2A1A906AE30D",
	"FC1217D4320A90452C760A58EDCD30C8DD069B3C34453837A34ED50CB54917E1C2112"
	"D84D164F444F8F74786046A",
	"1085E2755381DCCCE3C1557AFA10C2F0C0C2825646C5B34A394CBCFA8BC16B22E7E78"
	"9E927BE216F02E1FB136A5F",
	"7B3EB1BDDCBA62D5D8B2059B525797FC73822C59059C623A45FF3843CEE8F87CD1855"
	"ADAA81E2A0750B80FDA2310",
	"00010090512DA9AF72B08349D98A5DD4C7B0532ECA51CE03E2D10F3B7AC579BD87E90"
	"9AE40A6F131E9CFCE5BD967", 0xFF70,
	NULL, 0,
	"X9.62 curve over a 368 bit binary field"
	};

static const EC_CURVE_DATA _EC_X9_62_CHAR2_431R1 = {
	NID_X9_62_characteristic_two_field,
	"800000000000000000000000000000000000000000000000000000000000000000000"
	"000000001000000000000000000000000000001",
	"1A827EF00DD6FC0E234CAF046C6A5D8A85395B236CC4AD2CF32A0CADBDC9DDF620B0E"
	"B9906D0957F6C6FEACD615468DF104DE296CD8F",
	"10D9B4A3D9047D8B154359ABFB1B7F5485B04CEB868237DDC9DEDA982A679A5A919B6"
	"26D4E50A8DD731B107A9962381FB5D807BF2618",
	"120FC05D3C67A99DE161D2F4092622FECA701BE4F50F4758714E8A87BBF2A658EF8C2"
	"1E7C5EFE965361F6C2999C0C247B0DBD70CE6B7",
	"20D0AF8903A96F8D5FA2C255745D3C451B302C9346D9B7E485E7BCE41F6B591F3E8F6"
	"ADDCBB0BC4C2F947A7DE1A89B625D6A598B3760",
	"0340340340340340340340340340340340340340340340340340340323C313FAB5058"
	"9703B5EC68D3587FEC60D161CC149C1AD4A91", 0x2760,
	NULL, 0,
	"X9.62 curve over a 431 bit binary field"
	};

static const EC_CURVE_DATA _EC_WTLS_1 = {
	NID_X9_62_characteristic_two_field,
	"020000000000000000000000000201",
	"1",
	"1",
	"01667979A40BA497E5D5C270780617",
	"00F44B4AF1ECC2630E08785CEBCC15",
	"00FFFFFFFFFFFFFFFDBF91AF6DEA73", 2,
	NULL, 0,
	"WTLS curve over a 113 bit binary field"
	};

/* IPSec curves */
/* NOTE: The of curves over a extension field of non prime degree
 * is not recommended (Weil-descent).
 * As the group order is not a prime this curve is not suitable
 * for ECDSA.
 */
static const EC_CURVE_DATA _EC_IPSEC_155_ID3 = {
	NID_X9_62_characteristic_two_field,
	"0800000000000000000000004000000000000001",
	"0",
	"07338f",
	"7b",
	"1c8",
	"2AAAAAAAAAAAAAAAAAAC7F3C7881BD0868FA86C",3,
	NULL, 0,
	"\n\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n"
	"\tNot suitable for ECDSA.\n\tQuestionable extension field!"
	};

/* NOTE: The of curves over a extension field of non prime degree
 * is not recommended (Weil-descent).
 * As the group order is not a prime this curve is not suitable
 * for ECDSA.
 */
static const EC_CURVE_DATA _EC_IPSEC_185_ID4 = {
	NID_X9_62_characteristic_two_field,
	"020000000000000000000000000000200000000000000001",
	"0",
	"1ee9",
	"18",
	"0d",
	"FFFFFFFFFFFFFFFFFFFFFFEDF97C44DB9F2420BAFCA75E",2,
	NULL, 0,
	"\n\tIPSec/IKE/Oakley curve #4 over a 185 bit binary field.\n"
	"\tNot suitable for ECDSA.\n\tQuestionable extension field!"
	};

typedef struct _ec_list_element_st {
	int	nid;
	const EC_CURVE_DATA *data;
	} ec_list_element;

static const ec_list_element curve_list[] = {
	/* prime field curves */	
	/* secg curves */
	{ NID_secp112r1, &_EC_SECG_PRIME_112R1},
	{ NID_secp112r2, &_EC_SECG_PRIME_112R2},
	{ NID_secp128r1, &_EC_SECG_PRIME_128R1},
	{ NID_secp128r2, &_EC_SECG_PRIME_128R2},
	{ NID_secp160k1, &_EC_SECG_PRIME_160K1},
	{ NID_secp160r1, &_EC_SECG_PRIME_160R1},
	{ NID_secp160r2, &_EC_SECG_PRIME_160R2},
	/* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */
	{ NID_secp192k1, &_EC_SECG_PRIME_192K1},
	{ NID_secp224k1, &_EC_SECG_PRIME_224K1},
	{ NID_secp224r1, &_EC_NIST_PRIME_224},
	{ NID_secp256k1, &_EC_SECG_PRIME_256K1},
	/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
	{ NID_secp384r1, &_EC_NIST_PRIME_384},
	{ NID_secp521r1, &_EC_NIST_PRIME_521},
	/* X9.62 curves */
	{ NID_X9_62_prime192v1, &_EC_NIST_PRIME_192},
	{ NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2},
	{ NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3},
	{ NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1},
	{ NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2},
	{ NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3},
	{ NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1},
	/* characteristic two field curves */
	/* NIST/SECG curves */
	{ NID_sect113r1, &_EC_SECG_CHAR2_113R1},
	{ NID_sect113r2, &_EC_SECG_CHAR2_113R2},
	{ NID_sect131r1, &_EC_SECG_CHAR2_131R1},
	{ NID_sect131r2, &_EC_SECG_CHAR2_131R2},
	{ NID_sect163k1, &_EC_NIST_CHAR2_163K },
	{ NID_sect163r1, &_EC_SECG_CHAR2_163R1},
	{ NID_sect163r2, &_EC_NIST_CHAR2_163B },
	{ NID_sect193r1, &_EC_SECG_CHAR2_193R1},
	{ NID_sect193r2, &_EC_SECG_CHAR2_193R2},
	{ NID_sect233k1, &_EC_NIST_CHAR2_233K },
	{ NID_sect233r1, &_EC_NIST_CHAR2_233B },
	{ NID_sect239k1, &_EC_SECG_CHAR2_239K1},
	{ NID_sect283k1, &_EC_NIST_CHAR2_283K },
	{ NID_sect283r1, &_EC_NIST_CHAR2_283B },
	{ NID_sect409k1, &_EC_NIST_CHAR2_409K },
	{ NID_sect409r1, &_EC_NIST_CHAR2_409B },
	{ NID_sect571k1, &_EC_NIST_CHAR2_571K },
	{ NID_sect571r1, &_EC_NIST_CHAR2_571B },
	/* X9.62 curves */
	{ NID_X9_62_c2pnb163v1, &_EC_X9_62_CHAR2_163V1},
	{ NID_X9_62_c2pnb163v2, &_EC_X9_62_CHAR2_163V2},
	{ NID_X9_62_c2pnb163v3, &_EC_X9_62_CHAR2_163V3},
	{ NID_X9_62_c2pnb176v1, &_EC_X9_62_CHAR2_176V1},
	{ NID_X9_62_c2tnb191v1, &_EC_X9_62_CHAR2_191V1},
	{ NID_X9_62_c2tnb191v2, &_EC_X9_62_CHAR2_191V2},
	{ NID_X9_62_c2tnb191v3, &_EC_X9_62_CHAR2_191V3},
	{ NID_X9_62_c2pnb208w1, &_EC_X9_62_CHAR2_208W1},
	{ NID_X9_62_c2tnb239v1, &_EC_X9_62_CHAR2_239V1},
	{ NID_X9_62_c2tnb239v2, &_EC_X9_62_CHAR2_239V2},
	{ NID_X9_62_c2tnb239v3, &_EC_X9_62_CHAR2_239V3},
	{ NID_X9_62_c2pnb272w1, &_EC_X9_62_CHAR2_272W1},
	{ NID_X9_62_c2pnb304w1, &_EC_X9_62_CHAR2_304W1},
	{ NID_X9_62_c2tnb359v1, &_EC_X9_62_CHAR2_359V1},
	{ NID_X9_62_c2pnb368w1, &_EC_X9_62_CHAR2_368W1},
	{ NID_X9_62_c2tnb431r1, &_EC_X9_62_CHAR2_431R1},
	/* the WAP/WTLS curves
	 * [unlike SECG, spec has its own OIDs for curves from X9.62] */
	{ NID_wap_wsg_idm_ecid_wtls1, &_EC_WTLS_1},
	{ NID_wap_wsg_idm_ecid_wtls3, &_EC_NIST_CHAR2_163K},
	{ NID_wap_wsg_idm_ecid_wtls4, &_EC_SECG_CHAR2_113R1},
	{ NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1},
	{ NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1},
	{ NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2},
	{ NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8},
	{ NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9 },
	{ NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K},
	{ NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B},
	{ NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12},
	/* IPSec curves */
	{ NID_ipsec3, &_EC_IPSEC_155_ID3},
	{ NID_ipsec4, &_EC_IPSEC_185_ID4},
};

static size_t curve_list_length = sizeof(curve_list)/sizeof(ec_list_element);

static EC_GROUP *ec_group_new_from_data(const EC_CURVE_DATA *data)
	{
	EC_GROUP *group=NULL;
	EC_POINT *P=NULL;
	BN_CTX	 *ctx=NULL;
	BIGNUM 	 *p=NULL, *a=NULL, *b=NULL, *x=NULL, *y=NULL, *order=NULL;
	int	 ok=0;

	if ((ctx = BN_CTX_new()) == NULL)
		{
		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
		goto err;
		}
	if ((p = BN_new()) == NULL || (a = BN_new()) == NULL || 
		(b = BN_new()) == NULL || (x = BN_new()) == NULL ||
		(y = BN_new()) == NULL || (order = BN_new()) == NULL)
		{
		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
		goto err;
		}
	
	if (!BN_hex2bn(&p, data->p) || !BN_hex2bn(&a, data->a)
		|| !BN_hex2bn(&b, data->b))
		{
		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
		goto err;
		}

	if (data->field_type == NID_X9_62_prime_field)
		{
		if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL)
			{
			ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
			goto err;
			}
		}
		else
		{ /* field_type == NID_X9_62_characteristic_two_field */
		if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL)
			{
			ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
			goto err;
			}
		}

	if ((P = EC_POINT_new(group)) == NULL)
		{
		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
		goto err;
		}
	
	if (!BN_hex2bn(&x, data->x) || !BN_hex2bn(&y, data->y))
		{
		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
		goto err;
		}
	if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx))
		{
		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
		goto err;
		}
	if (!BN_hex2bn(&order, data->order) || !BN_set_word(x, data->cofactor))
		{
		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
		goto err;
		}
	if (!EC_GROUP_set_generator(group, P, order, x))
		{
		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
		goto err;
		}
	if (data->seed)
		{
		if (!EC_GROUP_set_seed(group, data->seed, data->seed_len))
			{
			ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
			goto err;
			}
		}
	ok=1;
err:
	if (!ok)
		{
		EC_GROUP_free(group);
		group = NULL;
		}
	if (P)
		EC_POINT_free(P);
	if (ctx)
		BN_CTX_free(ctx);
	if (p)
		BN_free(p);
	if (a)
		BN_free(a);
	if (b)
		BN_free(b);
	if (order)
		BN_free(order);
	if (x)
		BN_free(x);
	if (y)
		BN_free(y);
	return group;
	}

EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
	{
	size_t i;
	EC_GROUP *ret = NULL;

	if (nid <= 0)
		return NULL;

	for (i=0; i<curve_list_length; i++)
		if (curve_list[i].nid == nid)
			{
			ret = ec_group_new_from_data(curve_list[i].data);
			break;
			}

	if (ret == NULL)
		{
		ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
		return NULL;
		}

	EC_GROUP_set_curve_name(ret, nid);

	return ret;
	}

size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
	{
	size_t	i, min;

	if (r == NULL || nitems == 0)
		return curve_list_length;

	min = nitems < curve_list_length ? nitems : curve_list_length;

	for (i = 0; i < min; i++)
		{
		r[i].nid = curve_list[i].nid;
		r[i].comment = curve_list[i].data->comment;
		}

	return curve_list_length;
	}