1/* Originally written by Bodo Moeller for the OpenSSL project.
2 * ====================================================================
3 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55/* ====================================================================
56 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
57 *
58 * Portions of the attached software ("Contribution") are developed by
59 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
60 *
61 * The Contribution is licensed pursuant to the OpenSSL open source
62 * license provided above.
63 *
64 * The elliptic curve binary polynomial software is originally written by
65 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
66 * Laboratories. */
67
68#ifndef OPENSSL_HEADER_EC_INTERNAL_H
69#define OPENSSL_HEADER_EC_INTERNAL_H
70
71#include <openssl/base.h>
72
73#include <openssl/bn.h>
74#include <openssl/ex_data.h>
75#include <openssl/thread.h>
76#include <openssl/type_check.h>
77
78#include "../bn/internal.h"
79
80#if defined(__cplusplus)
81extern "C" {
82#endif
83
84
85// Cap the size of all field elements and scalars, including custom curves, to
86// 66 bytes, large enough to fit secp521r1 and brainpoolP512r1, which appear to
87// be the largest fields anyone plausibly uses.
88#define EC_MAX_BYTES 66
89#define EC_MAX_WORDS ((EC_MAX_BYTES + BN_BYTES - 1) / BN_BYTES)
90
91OPENSSL_STATIC_ASSERT(EC_MAX_WORDS <= BN_SMALL_MAX_WORDS,
92 "bn_*_small functions not usable");
93
94// An EC_SCALAR is an integer fully reduced modulo the order. Only the first
95// |order->width| words are used. An |EC_SCALAR| is specific to an |EC_GROUP|
96// and must not be mixed between groups.
97typedef union {
98 // bytes is the representation of the scalar in little-endian order.
99 uint8_t bytes[EC_MAX_BYTES];
100 BN_ULONG words[EC_MAX_WORDS];
101} EC_SCALAR;
102
103// An EC_FELEM represents a field element. Only the first |field->width| words
104// are used. An |EC_FELEM| is specific to an |EC_GROUP| and must not be mixed
105// between groups. Additionally, the representation (whether or not elements are
106// represented in Montgomery-form) may vary between |EC_METHOD|s.
107typedef union {
108 // bytes is the representation of the field element in little-endian order.
109 uint8_t bytes[EC_MAX_BYTES];
110 BN_ULONG words[EC_MAX_WORDS];
111} EC_FELEM;
112
113// An EC_RAW_POINT represents an elliptic curve point. Unlike |EC_POINT|, it is
114// a plain struct which can be stack-allocated and needs no cleanup. It is
115// specific to an |EC_GROUP| and must not be mixed between groups.
116typedef struct {
117 EC_FELEM X, Y, Z;
118 // X, Y, and Z are Jacobian projective coordinates. They represent
119 // (X/Z^2, Y/Z^3) if Z != 0 and the point at infinity otherwise.
120} EC_RAW_POINT;
121
122struct ec_method_st {
123 int (*group_init)(EC_GROUP *);
124 void (*group_finish)(EC_GROUP *);
125 int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
126 const BIGNUM *b, BN_CTX *);
127
128 // point_get_affine_coordinates sets |*x| and |*y| to the affine coordinates
129 // of |p|. Either |x| or |y| may be NULL to omit it. It returns one on success
130 // and zero if |p| is the point at infinity.
131 //
132 // Note: unlike |EC_FELEM|s used as intermediate values internal to the
133 // |EC_METHOD|, |*x| and |*y| are not encoded in Montgomery form.
134 int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_RAW_POINT *p,
135 EC_FELEM *x, EC_FELEM *y);
136
137 // add sets |r| to |a| + |b|.
138 void (*add)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *a,
139 const EC_RAW_POINT *b);
140 // dbl sets |r| to |a| + |a|.
141 void (*dbl)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *a);
142
143 // mul sets |r| to |scalar|*|p|.
144 void (*mul)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *p,
145 const EC_SCALAR *scalar);
146 // mul_base sets |r| to |scalar|*generator.
147 void (*mul_base)(const EC_GROUP *group, EC_RAW_POINT *r,
148 const EC_SCALAR *scalar);
149 // mul_public sets |r| to |g_scalar|*generator + |p_scalar|*|p|. It assumes
150 // that the inputs are public so there is no concern about leaking their
151 // values through timing.
152 void (*mul_public)(const EC_GROUP *group, EC_RAW_POINT *r,
153 const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
154 const EC_SCALAR *p_scalar);
155
156 // felem_mul and felem_sqr implement multiplication and squaring,
157 // respectively, so that the generic |EC_POINT_add| and |EC_POINT_dbl|
158 // implementations can work both with |EC_GFp_mont_method| and the tuned
159 // operations.
160 //
161 // TODO(davidben): This constrains |EC_FELEM|'s internal representation, adds
162 // many indirect calls in the middle of the generic code, and a bunch of
163 // conversions. If p224-64.c were easily convertable to Montgomery form, we
164 // could say |EC_FELEM| is always in Montgomery form. If we routed the rest of
165 // simple.c to |EC_METHOD|, we could give |EC_POINT| an |EC_METHOD|-specific
166 // representation and say |EC_FELEM| is purely a |EC_GFp_mont_method| type.
167 void (*felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,
168 const EC_FELEM *b);
169 void (*felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a);
170
171 int (*bignum_to_felem)(const EC_GROUP *group, EC_FELEM *out,
172 const BIGNUM *in);
173 int (*felem_to_bignum)(const EC_GROUP *group, BIGNUM *out,
174 const EC_FELEM *in);
175
176 // scalar_inv_montgomery sets |out| to |in|^-1, where both input and output
177 // are in Montgomery form.
178 void (*scalar_inv_montgomery)(const EC_GROUP *group, EC_SCALAR *out,
179 const EC_SCALAR *in);
180
181 // scalar_inv_montgomery_vartime performs the same computation as
182 // |scalar_inv_montgomery|. It further assumes that the inputs are public so
183 // there is no concern about leaking their values through timing.
184 int (*scalar_inv_montgomery_vartime)(const EC_GROUP *group, EC_SCALAR *out,
185 const EC_SCALAR *in);
186
187 // cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group
188 // order, with |r|. It returns one if the values match and zero if |p| is the
189 // point at infinity of the values do not match.
190 int (*cmp_x_coordinate)(const EC_GROUP *group, const EC_RAW_POINT *p,
191 const EC_SCALAR *r);
192} /* EC_METHOD */;
193
194const EC_METHOD *EC_GFp_mont_method(void);
195
196struct ec_group_st {
197 const EC_METHOD *meth;
198
199 // Unlike all other |EC_POINT|s, |generator| does not own |generator->group|
200 // to avoid a reference cycle.
201 EC_POINT *generator;
202 BIGNUM order;
203
204 int curve_name; // optional NID for named curve
205
206 BN_MONT_CTX *order_mont; // data for ECDSA inverse
207
208 // The following members are handled by the method functions,
209 // even if they appear generic
210
211 BIGNUM field; // For curves over GF(p), this is the modulus.
212
213 EC_FELEM a, b; // Curve coefficients.
214
215 // a_is_minus3 is one if |a| is -3 mod |field| and zero otherwise. Point
216 // arithmetic is optimized for -3.
217 int a_is_minus3;
218
219 // field_greater_than_order is one if |field| is greate than |order| and zero
220 // otherwise.
221 int field_greater_than_order;
222
223 // field_minus_order, if |field_greater_than_order| is true, is |field| minus
224 // |order| represented as an |EC_FELEM|. Otherwise, it is zero.
225 //
226 // Note: unlike |EC_FELEM|s used as intermediate values internal to the
227 // |EC_METHOD|, this value is not encoded in Montgomery form.
228 EC_FELEM field_minus_order;
229
230 CRYPTO_refcount_t references;
231
232 BN_MONT_CTX *mont; // Montgomery structure.
233
234 EC_FELEM one; // The value one.
235} /* EC_GROUP */;
236
237struct ec_point_st {
238 // group is an owning reference to |group|, unless this is
239 // |group->generator|.
240 EC_GROUP *group;
241 // raw is the group-specific point data. Functions that take |EC_POINT|
242 // typically check consistency with |EC_GROUP| while functions that take
243 // |EC_RAW_POINT| do not. Thus accesses to this field should be externally
244 // checked for consistency.
245 EC_RAW_POINT raw;
246} /* EC_POINT */;
247
248EC_GROUP *ec_group_new(const EC_METHOD *meth);
249
250// ec_bignum_to_felem converts |in| to an |EC_FELEM|. It returns one on success
251// and zero if |in| is out of range.
252int ec_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out, const BIGNUM *in);
253
254// ec_felem_to_bignum converts |in| to a |BIGNUM|. It returns one on success and
255// zero on allocation failure.
256int ec_felem_to_bignum(const EC_GROUP *group, BIGNUM *out, const EC_FELEM *in);
257
258// ec_felem_neg sets |out| to -|a|.
259void ec_felem_neg(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a);
260
261// ec_felem_add sets |out| to |a| + |b|.
262void ec_felem_add(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a,
263 const EC_FELEM *b);
264
265// ec_felem_add sets |out| to |a| - |b|.
266void ec_felem_sub(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a,
267 const EC_FELEM *b);
268
269// ec_felem_non_zero_mask returns all ones if |a| is non-zero and all zeros
270// otherwise.
271BN_ULONG ec_felem_non_zero_mask(const EC_GROUP *group, const EC_FELEM *a);
272
273// ec_felem_select, in constant time, sets |out| to |a| if |mask| is all ones
274// and |b| if |mask| is all zeros.
275void ec_felem_select(const EC_GROUP *group, EC_FELEM *out, BN_ULONG mask,
276 const EC_FELEM *a, const EC_FELEM *b);
277
278// ec_felem_equal returns one if |a| and |b| are equal and zero otherwise. It
279// treats |a| and |b| as public and does *not* run in constant time.
280int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b);
281
282// ec_bignum_to_scalar converts |in| to an |EC_SCALAR| and writes it to
283// |*out|. It returns one on success and zero if |in| is out of range.
284OPENSSL_EXPORT int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
285 const BIGNUM *in);
286
287// ec_random_nonzero_scalar sets |out| to a uniformly selected random value from
288// 1 to |group->order| - 1. It returns one on success and zero on error.
289int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,
290 const uint8_t additional_data[32]);
291
292// ec_scalar_equal_vartime returns one if |a| and |b| are equal and zero
293// otherwise. Both values are treated as public.
294int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a,
295 const EC_SCALAR *b);
296
297// ec_scalar_is_zero returns one if |a| is zero and zero otherwise.
298int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a);
299
300// ec_scalar_add sets |r| to |a| + |b|.
301void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
302 const EC_SCALAR *b);
303
304// ec_scalar_to_montgomery sets |r| to |a| in Montgomery form.
305void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r,
306 const EC_SCALAR *a);
307
308// ec_scalar_to_montgomery sets |r| to |a| converted from Montgomery form.
309void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r,
310 const EC_SCALAR *a);
311
312// ec_scalar_mul_montgomery sets |r| to |a| * |b| where inputs and outputs are
313// in Montgomery form.
314void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r,
315 const EC_SCALAR *a, const EC_SCALAR *b);
316
317// ec_scalar_mul_montgomery sets |r| to |a|^-1 where inputs and outputs are in
318// Montgomery form.
319void ec_scalar_inv_montgomery(const EC_GROUP *group, EC_SCALAR *r,
320 const EC_SCALAR *a);
321
322// ec_scalar_inv_montgomery_vartime performs the same actions as
323// |ec_scalar_inv_montgomery|, but in variable time.
324int ec_scalar_inv_montgomery_vartime(const EC_GROUP *group, EC_SCALAR *r,
325 const EC_SCALAR *a);
326
327// ec_point_mul_scalar sets |r| to |p| * |scalar|. Both inputs are considered
328// secret.
329int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r,
330 const EC_RAW_POINT *p, const EC_SCALAR *scalar);
331
332// ec_point_mul_scalar_base sets |r| to generator * |scalar|. |scalar| is
333// treated as secret.
334int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r,
335 const EC_SCALAR *scalar);
336
337// ec_point_mul_scalar_public performs the same computation as
338// ec_point_mul_scalar. It further assumes that the inputs are public so
339// there is no concern about leaking their values through timing.
340OPENSSL_EXPORT int ec_point_mul_scalar_public(const EC_GROUP *group,
341 EC_RAW_POINT *r,
342 const EC_SCALAR *g_scalar,
343 const EC_RAW_POINT *p,
344 const EC_SCALAR *p_scalar);
345
346// ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group
347// order, with |r|. It returns one if the values match and zero if |p| is the
348// point at infinity of the values do not match.
349int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
350 const EC_SCALAR *r);
351
352// ec_get_x_coordinate_as_scalar sets |*out| to |p|'s x-coordinate, modulo
353// |group->order|. It returns one on success and zero if |p| is the point at
354// infinity.
355int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
356 const EC_RAW_POINT *p);
357
358// ec_point_get_affine_coordinate_bytes writes |p|'s affine coordinates to
359// |out_x| and |out_y|, each of which must have at must |max_out| bytes. It sets
360// |*out_len| to the number of bytes written in each buffer. Coordinates are
361// written big-endian and zero-padded to the size of the field.
362//
363// Either of |out_x| or |out_y| may be NULL to omit that coordinate. This
364// function returns one on success and zero on failure.
365int ec_point_get_affine_coordinate_bytes(const EC_GROUP *group, uint8_t *out_x,
366 uint8_t *out_y, size_t *out_len,
367 size_t max_out, const EC_RAW_POINT *p);
368
369// ec_field_element_to_scalar reduces |r| modulo |group->order|. |r| must
370// previously have been reduced modulo |group->field|.
371int ec_field_element_to_scalar(const EC_GROUP *group, BIGNUM *r);
372
373void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r,
374 const EC_RAW_POINT *p, const EC_SCALAR *scalar);
375void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
376 const EC_SCALAR *scalar);
377
378// ec_compute_wNAF writes the modified width-(w+1) Non-Adjacent Form (wNAF) of
379// |scalar| to |out|. |out| must have room for |bits| + 1 elements, each of
380// which will be either zero or odd with an absolute value less than 2^w
381// satisfying
382// scalar = \sum_j out[j]*2^j
383// where at most one of any w+1 consecutive digits is non-zero
384// with the exception that the most significant digit may be only
385// w-1 zeros away from that next non-zero digit.
386void ec_compute_wNAF(const EC_GROUP *group, int8_t *out,
387 const EC_SCALAR *scalar, size_t bits, int w);
388
389void ec_GFp_mont_mul_public(const EC_GROUP *group, EC_RAW_POINT *r,
390 const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
391 const EC_SCALAR *p_scalar);
392
393// method functions in simple.c
394int ec_GFp_simple_group_init(EC_GROUP *);
395void ec_GFp_simple_group_finish(EC_GROUP *);
396int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
397 const BIGNUM *b, BN_CTX *);
398int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
399 BIGNUM *b);
400void ec_GFp_simple_point_init(EC_RAW_POINT *);
401void ec_GFp_simple_point_copy(EC_RAW_POINT *, const EC_RAW_POINT *);
402void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_RAW_POINT *);
403int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_RAW_POINT *,
404 const BIGNUM *x,
405 const BIGNUM *y);
406void ec_GFp_mont_add(const EC_GROUP *, EC_RAW_POINT *r, const EC_RAW_POINT *a,
407 const EC_RAW_POINT *b);
408void ec_GFp_mont_dbl(const EC_GROUP *, EC_RAW_POINT *r, const EC_RAW_POINT *a);
409void ec_GFp_simple_invert(const EC_GROUP *, EC_RAW_POINT *);
410int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_RAW_POINT *);
411int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_RAW_POINT *);
412int ec_GFp_simple_cmp(const EC_GROUP *, const EC_RAW_POINT *a,
413 const EC_RAW_POINT *b);
414void ec_simple_scalar_inv_montgomery(const EC_GROUP *group, EC_SCALAR *r,
415 const EC_SCALAR *a);
416
417int ec_GFp_simple_mont_inv_mod_ord_vartime(const EC_GROUP *group, EC_SCALAR *r,
418 const EC_SCALAR *a);
419
420int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
421 const EC_SCALAR *r);
422
423// method functions in montgomery.c
424int ec_GFp_mont_group_init(EC_GROUP *);
425int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
426 const BIGNUM *b, BN_CTX *);
427void ec_GFp_mont_group_finish(EC_GROUP *);
428void ec_GFp_mont_felem_mul(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,
429 const EC_FELEM *b);
430void ec_GFp_mont_felem_sqr(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a);
431
432int ec_GFp_mont_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out,
433 const BIGNUM *in);
434int ec_GFp_mont_felem_to_bignum(const EC_GROUP *group, BIGNUM *out,
435 const EC_FELEM *in);
436
437void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit, uint8_t in);
438
439const EC_METHOD *EC_GFp_nistp224_method(void);
440const EC_METHOD *EC_GFp_nistp256_method(void);
441
442// EC_GFp_nistz256_method is a GFp method using montgomery multiplication, with
443// x86-64 optimized P256. See http://eprint.iacr.org/2013/816.
444const EC_METHOD *EC_GFp_nistz256_method(void);
445
446// An EC_WRAPPED_SCALAR is an |EC_SCALAR| with a parallel |BIGNUM|
447// representation. It exists to support the |EC_KEY_get0_private_key| API.
448typedef struct {
449 BIGNUM bignum;
450 EC_SCALAR scalar;
451} EC_WRAPPED_SCALAR;
452
453struct ec_key_st {
454 EC_GROUP *group;
455
456 EC_POINT *pub_key;
457 EC_WRAPPED_SCALAR *priv_key;
458
459 // fixed_k may contain a specific value of 'k', to be used in ECDSA signing.
460 // This is only for the FIPS power-on tests.
461 BIGNUM *fixed_k;
462
463 unsigned int enc_flag;
464 point_conversion_form_t conv_form;
465
466 CRYPTO_refcount_t references;
467
468 ECDSA_METHOD *ecdsa_meth;
469
470 CRYPTO_EX_DATA ex_data;
471} /* EC_KEY */;
472
473struct built_in_curve {
474 int nid;
475 const uint8_t *oid;
476 uint8_t oid_len;
477 // comment is a human-readable string describing the curve.
478 const char *comment;
479 // param_len is the number of bytes needed to store a field element.
480 uint8_t param_len;
481 // params points to an array of 6*|param_len| bytes which hold the field
482 // elements of the following (in big-endian order): prime, a, b, generator x,
483 // generator y, order.
484 const uint8_t *params;
485 const EC_METHOD *method;
486};
487
488#define OPENSSL_NUM_BUILT_IN_CURVES 4
489
490struct built_in_curves {
491 struct built_in_curve curves[OPENSSL_NUM_BUILT_IN_CURVES];
492};
493
494// OPENSSL_built_in_curves returns a pointer to static information about
495// standard curves. The array is terminated with an entry where |nid| is
496// |NID_undef|.
497const struct built_in_curves *OPENSSL_built_in_curves(void);
498
499#if defined(__cplusplus)
500} // extern C
501#endif
502
503#endif // OPENSSL_HEADER_EC_INTERNAL_H
504