From 07de466869c00d62bd540f95d8a61bcba8e7acd4 Mon Sep 17 00:00:00 2001 From: Elliot Saba Date: Mon, 4 Jul 2022 03:40:40 -0700 Subject: [PATCH] [release-1.6] Backport MbedTLS security patches (#45848) * [release-1.6] Backport MbedTLS security patches A few MbedTLS security patches should be backported to our LTS release. In the future, we should lock ourselves to MbedTLS LTS releases so that we can take advantage of their backporting as well. * Bump mbedtls version and checksums --- deps/checksums/mbedtls | 64 +- deps/mbedtls.mk | 23 +- .../mbedtls-security-advisory-2021-07-1.patch | 301 ++++ .../mbedtls-security-advisory-2021-07-2.patch | 1377 +++++++++++++++++ .../mbedtls-security-advisory-2021-12.patch | 25 + stdlib/MbedTLS_jll/Project.toml | 2 +- 6 files changed, 1758 insertions(+), 34 deletions(-) create mode 100644 deps/patches/mbedtls-security-advisory-2021-07-1.patch create mode 100644 deps/patches/mbedtls-security-advisory-2021-07-2.patch create mode 100644 deps/patches/mbedtls-security-advisory-2021-12.patch diff --git a/deps/checksums/mbedtls b/deps/checksums/mbedtls index b736ae1c690b4a..267e6fd1dd28a6 100644 --- a/deps/checksums/mbedtls +++ b/deps/checksums/mbedtls @@ -1,34 +1,34 @@ -MbedTLS.v2.24.0+1.aarch64-apple-darwin.tar.gz/md5/63178c9516d47e07905b538993e2de0a -MbedTLS.v2.24.0+1.aarch64-apple-darwin.tar.gz/sha512/d2c6456c55054b26223083c8286fb92b5161d9b75b5e6e0fedeccaf95490a17576602cf5df728bdf367fb45dbe71cde15260c690d8fce7cc22651bbd416fc6b6 -MbedTLS.v2.24.0+1.aarch64-linux-gnu.tar.gz/md5/2fee5b47f2b4c99c3124919613acc111 -MbedTLS.v2.24.0+1.aarch64-linux-gnu.tar.gz/sha512/7147823424d773024b4bc0cf4fbcd3a188af01a15cd93421c1946c9972ffc3417f4b8e1b671f80a13878f579473d8500aec1d5f74a9d6fdf6ed707de41deeb87 -MbedTLS.v2.24.0+1.aarch64-linux-musl.tar.gz/md5/d92a7e134cb4d4ce65a7d307c6252d83 -MbedTLS.v2.24.0+1.aarch64-linux-musl.tar.gz/sha512/6c8ade10420b1f6ff9e7734a653b932e041d1ff6a1360209aaf2498beb4c1a7b7c5019c9f205ba87077c8181c45097012ed758af828ad4ea510ff5288a879975 -MbedTLS.v2.24.0+1.armv6l-linux-gnueabihf.tar.gz/md5/bd30d16b25e503e4604ba65d7a15d9d6 -MbedTLS.v2.24.0+1.armv6l-linux-gnueabihf.tar.gz/sha512/58f821563241750f96e9ee0d03fceec50471d5e16bc70754759c01f18e9148d1a6750f947ca08f7eb6234e154bff022177cffd73f43fd52231ec5f8d1de2bf10 -MbedTLS.v2.24.0+1.armv6l-linux-musleabihf.tar.gz/md5/62b54065945595921eb16d894ddad13a -MbedTLS.v2.24.0+1.armv6l-linux-musleabihf.tar.gz/sha512/41790b50dc8ed9a82106c7885948c13f0e3fa2eb0275a3c939cd9ee59fa027c790ebfe4df26df2c97a971a1a889cb81b82fee94533c855d0d8a7e07540825431 -MbedTLS.v2.24.0+1.armv7l-linux-gnueabihf.tar.gz/md5/3584feb530503683cd32d28d99ac1fb2 -MbedTLS.v2.24.0+1.armv7l-linux-gnueabihf.tar.gz/sha512/1373fa258ee69d11771868fead86a6cf550362a47e34c4a6a2ecc3e76400104a7228220ad5333c52dc1a658e6e9316659cc076c8262f02a6e06cc92296586495 -MbedTLS.v2.24.0+1.armv7l-linux-musleabihf.tar.gz/md5/6a3a986a4dc8c258886b1af6fa7ed6cd -MbedTLS.v2.24.0+1.armv7l-linux-musleabihf.tar.gz/sha512/cc7cfb0eef06a68f662428025da70c19297ed2c052579da1f6380e836d729a222d736923f3a605a81a6c88e9d07ecaee653b5003a9f0ef1042f7ceae7a05c0ca -MbedTLS.v2.24.0+1.i686-linux-gnu.tar.gz/md5/a21258724fd9830ad845df925230fc98 -MbedTLS.v2.24.0+1.i686-linux-gnu.tar.gz/sha512/14df3ce37e792823f6132842ac47da3c740a011e52c3abf66123509c3da872a6b91003442e0a99ea2a3b8fa2d375fa1ac26ae62bfa2a73297aefbc221552a2b6 -MbedTLS.v2.24.0+1.i686-linux-musl.tar.gz/md5/9a8fc61aefa6f2a59b73fa1eb7605a47 -MbedTLS.v2.24.0+1.i686-linux-musl.tar.gz/sha512/513bc8f83cd13c85d6641d372b2e75dc983f3626d83e2ae24bf2afd9b08ce758edbcaebc8766da048e615b66aee493220df8520798030cf02107b5daf7d028b4 -MbedTLS.v2.24.0+1.i686-w64-mingw32.tar.gz/md5/c11c0834f23cc24fa3a0d8578c98f384 -MbedTLS.v2.24.0+1.i686-w64-mingw32.tar.gz/sha512/d750ca2005d8f0d5e9c06eec381dcd4271a2776b833b543b375e338e8d9077573d880467aacee5789d414a9ef7a06e63c5a45fb5d604459057ed25e23df3a8ba -MbedTLS.v2.24.0+1.powerpc64le-linux-gnu.tar.gz/md5/cd985543dc1b80e471849fead1121440 -MbedTLS.v2.24.0+1.powerpc64le-linux-gnu.tar.gz/sha512/92fcd67604291d76e52a0e37c9edb76789fad53b521d38a45035a78c2435150489854ca1e6d443bfeec99ee6fe33dcaa901c47076a936dd62b6a2c20ca961293 -MbedTLS.v2.24.0+1.x86_64-apple-darwin.tar.gz/md5/e5797b1b47fc23e9ddbdb6feff46e928 -MbedTLS.v2.24.0+1.x86_64-apple-darwin.tar.gz/sha512/de2c7a759abdd6e4fcb19603be7c3ece32451e4c5a36b28f11a0dd34f4705e79d799f620a8783de28d4ddb312adace65057b0c8a78007e8ea61dbe5738a16f44 -MbedTLS.v2.24.0+1.x86_64-linux-gnu.tar.gz/md5/93e8be223370fb3dc44c8f8f51e0aef3 -MbedTLS.v2.24.0+1.x86_64-linux-gnu.tar.gz/sha512/f3fba7d6f38e9ae9896d2f7a6194aaf547cc303631d914fd718fb06ba771ea0d3cf89edad3cc1b6fdc7978a8ba6b90f347dab94da526bc7f5c76c76d9275ed3b -MbedTLS.v2.24.0+1.x86_64-linux-musl.tar.gz/md5/6350f1dc3987f2d2f563b7b02a3bb508 -MbedTLS.v2.24.0+1.x86_64-linux-musl.tar.gz/sha512/2071bf8420e8142f86d3459e43e3fc0badf5bf6a2db3436750504f890734b5c6f92a751abc1cbba8fee596804bf53fa3c14353ab6dc8850e27216b67f28fe905 -MbedTLS.v2.24.0+1.x86_64-unknown-freebsd.tar.gz/md5/4fe5764a2c4d471392cf633dfd114f51 -MbedTLS.v2.24.0+1.x86_64-unknown-freebsd.tar.gz/sha512/9908e90d9a16c987f8ef945b07a40c5a73d0f78716bba170e0db84daf2888efe877e229ecc395c3c37bc8bdf87dba2eeceb52d49b650743661214601c5f22484 -MbedTLS.v2.24.0+1.x86_64-w64-mingw32.tar.gz/md5/392247046d060a2cff4ceeaad2f534fb -MbedTLS.v2.24.0+1.x86_64-w64-mingw32.tar.gz/sha512/9d2feb78170826a470a41d63b5dcc18093261e7f9751d11297e2d8462ecd0abb1fdb16df20e9223b8ab6ed06a19bfd539433f37ee9f44bdd20b0a578f87166f3 mbedtls-2.24.0.tar.gz/md5/9d1adcec4aa6729ae1dc56c3a24cb7d2 mbedtls-2.24.0.tar.gz/sha512/a51e80cedfa5c1772c79cba2dacd33f551516debf083803f7a5c1f4817c928e3bfb343fbe0c2e70ed591d0eba8fdc1bc46d11de7c3d12f50826de8f2f2ece279 +MbedTLS.v2.24.0+4.aarch64-apple-darwin.tar.gz/md5/4569a485b86ea4531cd8ef7a0f044ce6 +MbedTLS.v2.24.0+4.aarch64-apple-darwin.tar.gz/sha512/31078eff977b45ff40ae101924af65694dc0e70e6a3fb1aac0ab62045e0c7ebe50c0b85df27a48b02430cd8f9b6b56b07c8ff68a4966307b1869f0b8f57ea080 +MbedTLS.v2.24.0+4.aarch64-linux-gnu.tar.gz/md5/11400a06c3373fdbf984d26b33ac47fd +MbedTLS.v2.24.0+4.aarch64-linux-gnu.tar.gz/sha512/2b646dce93029a20629d2c958b1bfa6413329b995156ce45884372a97f1ed2ff5a27a96fcef32757f21e875283614b3483b845c107bb3c56166260af47613b22 +MbedTLS.v2.24.0+4.aarch64-linux-musl.tar.gz/md5/f32638984793dd4bb8789333eafa66e6 +MbedTLS.v2.24.0+4.aarch64-linux-musl.tar.gz/sha512/3269acc4e0d3e9e65ecc0fd752d9fdfe7cb5e370611f4a715aed74b5a1aabefc6ecc4a4d71c55e0f1d0364bb00a570194e52e7af91d844228e6b5b9500ba253f +MbedTLS.v2.24.0+4.armv6l-linux-gnueabihf.tar.gz/md5/8ad16b5c1a6102ddf4dbbef125b368fa +MbedTLS.v2.24.0+4.armv6l-linux-gnueabihf.tar.gz/sha512/d153e6e5d3090638d3212cc0adbc73df7d4749ddaf6de8ceb3156b26aef4835da2737e1f1d5b91bb29a1ebe5ff232dc93d51847029323c93310d5bb3d69bfbcb +MbedTLS.v2.24.0+4.armv6l-linux-musleabihf.tar.gz/md5/bd6d8ad4f42d8c1398ac3d7a5cee5389 +MbedTLS.v2.24.0+4.armv6l-linux-musleabihf.tar.gz/sha512/1840ff6cb59e097f6cdf0a70bcc3f7155342f798eb5d6e78562e6b45fc93cd183490a3e17231af6a4c2743f516b2bc897e22c6d792882ad7930984b59f9a7215 +MbedTLS.v2.24.0+4.armv7l-linux-gnueabihf.tar.gz/md5/2f91e3945dec75e58c593c0d0e04dca9 +MbedTLS.v2.24.0+4.armv7l-linux-gnueabihf.tar.gz/sha512/ff1a1df04ff89e2f9d278bd99b764f71da8c9eec8cd06feb4d48f58321c29bcb27e3bb5bdfd9fad313b22b8c7b55ebd9d2ed8a668bf807e4eb8a1be8c7a834d2 +MbedTLS.v2.24.0+4.armv7l-linux-musleabihf.tar.gz/md5/7fc7e8b68767c1b43c4f4d3a42050943 +MbedTLS.v2.24.0+4.armv7l-linux-musleabihf.tar.gz/sha512/d1ac843a6916b1f8e1c048a7347e3a14c46d1e81becb0ee62d25de6de32cda43c22546d93b1c922f3ceee5c5a5c7f07453e078f5d741bab0f6b6a0eb420c0ce1 +MbedTLS.v2.24.0+4.i686-linux-gnu.tar.gz/md5/969b6f461fc1b7bc7dd6265dfa63131a +MbedTLS.v2.24.0+4.i686-linux-gnu.tar.gz/sha512/ae0c2d3a0fa1b0eecf33356176c1a2bdf5ada09dae7afda6ef1d512c4ad42d17eac0f709539c22b3594bff2128f24e308a5b390e53af93ec50e2780ef079902e +MbedTLS.v2.24.0+4.i686-linux-musl.tar.gz/md5/0541dcd8779aedafdf4e3f6390ac4a6b +MbedTLS.v2.24.0+4.i686-linux-musl.tar.gz/sha512/299544cf4d7f94095bae946e2029307077b60cbdb77919650f8965d7c955ce8e8dfcdde287cbaa27d40e5e02cc8a669f0c5903e18e576478a6a956a95ae527fe +MbedTLS.v2.24.0+4.i686-w64-mingw32.tar.gz/md5/ec2140c28f5f7c156b8395034a1dcef0 +MbedTLS.v2.24.0+4.i686-w64-mingw32.tar.gz/sha512/7dbf759281bc9945a83314c7a941875c5f3dd29ab0657f44a04dc6f8dab00b5496e4cffa1400317b6381542351266c9563eb0bba7a44eb9fdb51e65e0b3b07d2 +MbedTLS.v2.24.0+4.powerpc64le-linux-gnu.tar.gz/md5/425be7f5cddab06e2f55162804357fe9 +MbedTLS.v2.24.0+4.powerpc64le-linux-gnu.tar.gz/sha512/4350f86366c39e5f464fa73672d570a245189427aa7afefa72f82d6c3a825a710eb55a961007747f2a8f62d60ef3f35b0fc50c6023f444eed42f261a3556f825 +MbedTLS.v2.24.0+4.x86_64-apple-darwin.tar.gz/md5/184a1894ffdb536be46bdb74abd281d4 +MbedTLS.v2.24.0+4.x86_64-apple-darwin.tar.gz/sha512/8d7011b5f71756cec44deea8dd32497d485a0ae4beb57583a45143e9d6e0f3db7bf2d8178f7c0b59e86f3dddce901e1fcc4fd3ba0d31f232d968bbbbe5f5fdd8 +MbedTLS.v2.24.0+4.x86_64-linux-gnu.tar.gz/md5/b4f4793e8d717f69ab437b649aa84218 +MbedTLS.v2.24.0+4.x86_64-linux-gnu.tar.gz/sha512/7ac6c551c1a7563a59e5d4d8fe9286bc3ab29c58aab510e27a84d7b304c6f3ea1e875999a158dd0dd639cc63e77b11e915c4ac5b5596ca6fda4b17274725998b +MbedTLS.v2.24.0+4.x86_64-linux-musl.tar.gz/md5/1d5f06af710f8e0009550763e5698123 +MbedTLS.v2.24.0+4.x86_64-linux-musl.tar.gz/sha512/cff4c596b9498d7e7e0cedcd17c6021fa161614d183c767209faef2926a31b2859ce237502ef774ac3e3bc37006c6651b9fd912360e19099d1c70cfafa2ed4fe +MbedTLS.v2.24.0+4.x86_64-unknown-freebsd.tar.gz/md5/f65a6c7d7fbe4db90622300add4522c0 +MbedTLS.v2.24.0+4.x86_64-unknown-freebsd.tar.gz/sha512/0f5e67293d5d7818ed68028cbd4207ebcb058829199b3a0b442e9672e079ab74c689b9399a3a09ea87a9818a85adc9623235557818f89a28ae9b48be33fb16bb +MbedTLS.v2.24.0+4.x86_64-w64-mingw32.tar.gz/md5/91161dd9cf7eb60f46c8c538c22f29db +MbedTLS.v2.24.0+4.x86_64-w64-mingw32.tar.gz/sha512/732e72fed17fb40537edee9600c5b8459f31c667819eacfb3e6c87960b913044282b017f1ad472c5ef8bc91e2bbccee7b5ca56f6d082c39c4090d04f37954839 diff --git a/deps/mbedtls.mk b/deps/mbedtls.mk index 83085ed2d27098..e59519008232aa 100644 --- a/deps/mbedtls.mk +++ b/deps/mbedtls.mk @@ -39,8 +39,29 @@ $(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-cmake-findpy.patch-applied: $(SRCCACHE)/$(MBE patch -p1 -f < $(SRCDIR)/patches/mbedtls-cmake-findpy.patch echo 1 > $@ +$(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-security-advisory-2021-07-1.patch-applied: $(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-cmake-findpy.patch-applied + # Apply backported set of patches for MbedTLS security issue first fixed in 2.27.0 + cd $(SRCCACHE)/$(MBEDTLS_SRC) && \ + patch -p1 -f < $(SRCDIR)/patches/mbedtls-security-advisory-2021-07-1.patch + echo 1 > $@ + +$(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-security-advisory-2021-07-2.patch-applied: $(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-security-advisory-2021-07-1.patch-applied + # Apply backported set of patches for MbedTLS security issue first fixed in 2.27.0 + cd $(SRCCACHE)/$(MBEDTLS_SRC) && \ + patch -p1 -f < $(SRCDIR)/patches/mbedtls-security-advisory-2021-07-2.patch + echo 1 > $@ + +$(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-security-advisory-2021-12.patch-applied: $(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-security-advisory-2021-07-2.patch-applied + # Apply backported set of patches for MbedTLS security issue first fixed in 2.28.0 + cd $(SRCCACHE)/$(MBEDTLS_SRC) && \ + patch -p1 -f < $(SRCDIR)/patches/mbedtls-security-advisory-2021-12.patch + echo 1 > $@ + $(BUILDDIR)/$(MBEDTLS_SRC)/build-configured: \ - $(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-cmake-findpy.patch-applied + $(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-cmake-findpy.patch-applied \ + $(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-security-advisory-2021-07-1.patch-applied \ + $(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-security-advisory-2021-07-2.patch-applied \ + $(SRCCACHE)/$(MBEDTLS_SRC)/mbedtls-security-advisory-2021-12.patch-applied $(BUILDDIR)/$(MBEDTLS_SRC)/build-configured: $(SRCCACHE)/$(MBEDTLS_SRC)/source-extracted mkdir -p $(dir $@) diff --git a/deps/patches/mbedtls-security-advisory-2021-07-1.patch b/deps/patches/mbedtls-security-advisory-2021-07-1.patch new file mode 100644 index 00000000000000..6c4d95b49c6d90 --- /dev/null +++ b/deps/patches/mbedtls-security-advisory-2021-07-1.patch @@ -0,0 +1,301 @@ +commit 0d11b3b4a56ba3055f2c977375f9149c6da9b823 +Author: Manuel Pégourié-Gonnard +Date: Tue Mar 9 11:22:20 2021 +0100 + + Use constant-time look-up for modular exponentiation + + Signed-off-by: Manuel Pégourié-Gonnard + + Avoid using == for sensitive comparisons + + mbedtls_mpi_cf_bool_eq() is a verbatim copy of mbedtls_ssl_cf_bool_eq() + + Deduplication will be part of a future task. + + Signed-off-by: Manuel Pégourié-Gonnard + + Use bit operations for mpi_safe_cond_assign() + + - copied limbs + - sign + - cleared limbs + + Signed-off-by: Manuel Pégourié-Gonnard + + Use bit operations for mpi_safe_cond_swap() + + Unrelated to RSA (only used in ECP), but while improving one + mbedtls_safe_cond_xxx function, let's improve the other as well. + + Signed-off-by: Manuel Pégourié-Gonnard + + Avoid UB caused by conversion to int + + Signed-off-by: Manuel Pégourié-Gonnard + + Simplify sign selection + + Signed-off-by: Manuel Pégourié-Gonnard + + Silence MSVC type conversion warnings + + Signed-off-by: Manuel Pégourié-Gonnard + +diff --git a/library/bignum.c b/library/bignum.c +index 9325632b4..f8754284d 100644 +--- a/library/bignum.c ++++ b/library/bignum.c +@@ -237,6 +237,36 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y ) + memcpy( Y, &T, sizeof( mbedtls_mpi ) ); + } + ++/** ++ * Select between two sign values in constant-time. ++ * ++ * This is functionally equivalent to second ? a : b but uses only bit ++ * operations in order to avoid branches. ++ * ++ * \param[in] a The first sign; must be either +1 or -1. ++ * \param[in] b The second sign; must be either +1 or -1. ++ * \param[in] second Must be either 1 (return b) or 0 (return a). ++ * ++ * \return The selected sign value. ++ */ ++static int mpi_safe_cond_select_sign( int a, int b, unsigned char second ) ++{ ++ /* In order to avoid questions about what we can reasonnably assume about ++ * the representations of signed integers, move everything to unsigned ++ * by taking advantage of the fact that a and b are either +1 or -1. */ ++ unsigned ua = a + 1; ++ unsigned ub = b + 1; ++ ++ /* second was 0 or 1, mask is 0 or 2 as are ua and ub */ ++ const unsigned mask = second << 1; ++ ++ /* select ua or ub */ ++ unsigned ur = ( ua & ~mask ) | ( ub & mask ); ++ ++ /* ur is now 0 or 2, convert back to -1 or +1 */ ++ return( (int) ur - 1 ); ++} ++ + /* + * Conditionally assign dest = src, without leaking information + * about whether the assignment was made or not. +@@ -249,8 +279,23 @@ static void mpi_safe_cond_assign( size_t n, + unsigned char assign ) + { + size_t i; ++ ++ /* MSVC has a warning about unary minus on unsigned integer types, ++ * but this is well-defined and precisely what we want to do here. */ ++#if defined(_MSC_VER) ++#pragma warning( push ) ++#pragma warning( disable : 4146 ) ++#endif ++ ++ /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */ ++ const mbedtls_mpi_uint mask = -assign; ++ ++#if defined(_MSC_VER) ++#pragma warning( pop ) ++#endif ++ + for( i = 0; i < n; i++ ) +- dest[i] = dest[i] * ( 1 - assign ) + src[i] * assign; ++ dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask ); + } + + /* +@@ -262,20 +307,34 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned + { + int ret = 0; + size_t i; ++ mbedtls_mpi_uint limb_mask; + MPI_VALIDATE_RET( X != NULL ); + MPI_VALIDATE_RET( Y != NULL ); + ++ /* MSVC has a warning about unary minus on unsigned integer types, ++ * but this is well-defined and precisely what we want to do here. */ ++#if defined(_MSC_VER) ++#pragma warning( push ) ++#pragma warning( disable : 4146 ) ++#endif ++ + /* make sure assign is 0 or 1 in a time-constant manner */ + assign = (assign | (unsigned char)-assign) >> 7; ++ /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */ ++ limb_mask = -assign; ++ ++#if defined(_MSC_VER) ++#pragma warning( pop ) ++#endif + + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); + +- X->s = X->s * ( 1 - assign ) + Y->s * assign; ++ X->s = mpi_safe_cond_select_sign( X->s, Y->s, assign ); + + mpi_safe_cond_assign( Y->n, X->p, Y->p, assign ); + + for( i = Y->n; i < X->n; i++ ) +- X->p[i] *= ( 1 - assign ); ++ X->p[i] &= ~limb_mask; + + cleanup: + return( ret ); +@@ -291,6 +350,7 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char sw + { + int ret, s; + size_t i; ++ mbedtls_mpi_uint limb_mask; + mbedtls_mpi_uint tmp; + MPI_VALIDATE_RET( X != NULL ); + MPI_VALIDATE_RET( Y != NULL ); +@@ -298,22 +358,35 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char sw + if( X == Y ) + return( 0 ); + ++ /* MSVC has a warning about unary minus on unsigned integer types, ++ * but this is well-defined and precisely what we want to do here. */ ++#if defined(_MSC_VER) ++#pragma warning( push ) ++#pragma warning( disable : 4146 ) ++#endif ++ + /* make sure swap is 0 or 1 in a time-constant manner */ + swap = (swap | (unsigned char)-swap) >> 7; ++ /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */ ++ limb_mask = -swap; ++ ++#if defined(_MSC_VER) ++#pragma warning( pop ) ++#endif + + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) ); + + s = X->s; +- X->s = X->s * ( 1 - swap ) + Y->s * swap; +- Y->s = Y->s * ( 1 - swap ) + s * swap; ++ X->s = mpi_safe_cond_select_sign( X->s, Y->s, swap ); ++ Y->s = mpi_safe_cond_select_sign( Y->s, s, swap ); + + + for( i = 0; i < X->n; i++ ) + { + tmp = X->p[i]; +- X->p[i] = X->p[i] * ( 1 - swap ) + Y->p[i] * swap; +- Y->p[i] = Y->p[i] * ( 1 - swap ) + tmp * swap; ++ X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask ); ++ Y->p[i] = ( Y->p[i] & ~limb_mask ) | ( tmp & limb_mask ); + } + + cleanup: +@@ -2089,6 +2162,71 @@ static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N, + mpi_montmul( A, &U, N, mm, T ); + } + ++/* ++ * Constant-flow boolean "equal" comparison: ++ * return x == y ++ * ++ * This function can be used to write constant-time code by replacing branches ++ * with bit operations - it can be used in conjunction with ++ * mbedtls_ssl_cf_mask_from_bit(). ++ * ++ * This function is implemented without using comparison operators, as those ++ * might be translated to branches by some compilers on some platforms. ++ */ ++static size_t mbedtls_mpi_cf_bool_eq( size_t x, size_t y ) ++{ ++ /* diff = 0 if x == y, non-zero otherwise */ ++ const size_t diff = x ^ y; ++ ++ /* MSVC has a warning about unary minus on unsigned integer types, ++ * but this is well-defined and precisely what we want to do here. */ ++#if defined(_MSC_VER) ++#pragma warning( push ) ++#pragma warning( disable : 4146 ) ++#endif ++ ++ /* diff_msb's most significant bit is equal to x != y */ ++ const size_t diff_msb = ( diff | -diff ); ++ ++#if defined(_MSC_VER) ++#pragma warning( pop ) ++#endif ++ ++ /* diff1 = (x != y) ? 1 : 0 */ ++ const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 ); ++ ++ return( 1 ^ diff1 ); ++} ++ ++/** ++ * Select an MPI from a table without leaking the index. ++ * ++ * This is functionally equivalent to mbedtls_mpi_copy(R, T[idx]) except it ++ * reads the entire table in order to avoid leaking the value of idx to an ++ * attacker able to observe memory access patterns. ++ * ++ * \param[out] R Where to write the selected MPI. ++ * \param[in] T The table to read from. ++ * \param[in] T_size The number of elements in the table. ++ * \param[in] idx The index of the element to select; ++ * this must satisfy 0 <= idx < T_size. ++ * ++ * \return \c 0 on success, or a negative error code. ++ */ ++static int mpi_select( mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size_t idx ) ++{ ++ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ++ ++ for( size_t i = 0; i < T_size; i++ ) ++ { ++ MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i], ++ (unsigned char) mbedtls_mpi_cf_bool_eq( i, idx ) ) ); ++ } ++ ++cleanup: ++ return( ret ); ++} ++ + /* + * Sliding-window exponentiation: X = A^E mod N (HAC 14.85) + */ +@@ -2101,7 +2239,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, + size_t i, j, nblimbs; + size_t bufsize, nbits; + mbedtls_mpi_uint ei, mm, state; +- mbedtls_mpi RR, T, W[ 2 << MBEDTLS_MPI_WINDOW_SIZE ], Apos; ++ mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos; + int neg; + + MPI_VALIDATE_RET( X != NULL ); +@@ -2121,6 +2259,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, + mpi_montg_init( &mm, N ); + mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &T ); + mbedtls_mpi_init( &Apos ); ++ mbedtls_mpi_init( &WW ); + memset( W, 0, sizeof( W ) ); + + i = mbedtls_mpi_bitlen( E ); +@@ -2261,7 +2400,8 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, + /* + * X = X * W[wbits] R^-1 mod N + */ +- mpi_montmul( X, &W[wbits], N, mm, &T ); ++ MBEDTLS_MPI_CHK( mpi_select( &WW, W, (size_t) 1 << wsize, wbits ) ); ++ mpi_montmul( X, &WW, N, mm, &T ); + + state--; + nbits = 0; +@@ -2299,6 +2439,7 @@ cleanup: + mbedtls_mpi_free( &W[i] ); + + mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos ); ++ mbedtls_mpi_free( &WW ); + + if( _RR == NULL || _RR->p == NULL ) + mbedtls_mpi_free( &RR ); diff --git a/deps/patches/mbedtls-security-advisory-2021-07-2.patch b/deps/patches/mbedtls-security-advisory-2021-07-2.patch new file mode 100644 index 00000000000000..9b2a289038478d --- /dev/null +++ b/deps/patches/mbedtls-security-advisory-2021-07-2.patch @@ -0,0 +1,1377 @@ +commit c8e7f13258d5966807b44a797047812765ec7a4a +Author: Manuel Pégourié-Gonnard +Date: Wed Jun 23 10:14:58 2021 +0200 + + Reject low-order points on Curve25519 early + + We were already rejecting them at the end, due to the fact that with the + usual (x, z) formulas they lead to the result (0, 0) so when we want to + normalize at the end, trying to compute the modular inverse of z will + give an error. + + If we wanted to support those points, we'd a special case in + ecp_normalize_mxz(). But it's actually permitted by all sources + (RFC 7748 say we MAY reject 0 as a result) and recommended by some to + reject those points (either to ensure contributory behaviour, or to + protect against timing attack when the underlying field arithmetic is + not constant-time). + + Since our field arithmetic is indeed not constant-time, let's reject + those points before they get mixed with sensitive data (in + ecp_mul_mxz()), in order to avoid exploitable leaks caused by the + special cases they would trigger. (See the "May the Fourth" paper + https://eprint.iacr.org/2017/806.pdf) + + Signed-off-by: Manuel Pégourié-Gonnard + + Add test for check_pubkey for x25519 + + Signed-off-by: Manuel Pégourié-Gonnard + + Use a more compact encoding of bad points + + Base 10 is horrible, base 256 is much better. + + Signed-off-by: Manuel Pégourié-Gonnard + + Use more compact encoding of Montgomery curve constants + + Base 256 beats base 16. + + Signed-off-by: Manuel Pégourié-Gonnard + + Avoid complaints about undeclared non-static symbols + + Clang was complaining and check-names.sh too + + This only duplicates macros, so no impact on code size. In 3.0 we can + probably avoid the duplication by using an internal header under + library/ but this won't work for 2.16. + + Signed-off-by: Manuel Pégourié-Gonnard + + Prevent memory leak in ecp_check_pubkey_x25519() + + Signed-off-by: Janos Follath + + Remove redundant ecp_check_pub() tests + + Signed-off-by: Janos Follath + + Move mpi constant macros to bn_mul.h + + Signed-off-by: Janos Follath + + Use mbedtls_mpi_lset() more + + Signed-off-by: Janos Follath + + Add DoS test case for ecp_check_pub + + A test case for which the loop would take practically forever if it was + reached. The point would be to validate that the loop is not reached. + The test case should cause the CI to time out if starting with the + current code, ecp_check_pubkey_mx() was changed to call + ecp_check_pubkey_x25519() first and run the mbedtls_mpi_size(() test + afterwards, which would make no semantic difference in terms of memory + contents when the function returns, but would open the way for a DoS. + + Signed-off-by: Janos Follath + + Reject low-order points on Curve448 early + + We were already rejecting them at the end, due to the fact that with the + usual (x, z) formulas they lead to the result (0, 0) so when we want to + normalize at the end, trying to compute the modular inverse of z will + give an error. + + If we wanted to support those points, we'd a special case in + ecp_normalize_mxz(). But it's actually permitted by all sources (RFC + 7748 say we MAY reject 0 as a result) and recommended by some to reject + those points (either to ensure contributory behaviour, or to protect + against timing attack when the underlying field arithmetic is not + constant-time). + + Since our field arithmetic is indeed not constant-time, let's reject + those points before they get mixed with sensitive data (in + ecp_mul_mxz()), in order to avoid exploitable leaks caused by the + special cases they would trigger. (See the "May the Fourth" paper + https://eprint.iacr.org/2017/806.pdf) + + Signed-off-by: Janos Follath + + Add ecp_check_pub tests for Curve 448 + + Signed-off-by: Janos Follath + + Fix ecp_check_pub() test cases + + Negative x coordinate was tested with the value -1. It happens to be one + of the low order points both for Curve25519 and Curve448 and might be + rejected because of that and not because it is negative. Make sure that + x < 0 is the only plausible reason for the point to be rejected. + + Signed-off-by: Janos Follath + + Add prefix to BYTES_TO_T_UINT_* + + These macros were moved into a header and now check-names.sh is failing. + Add an MBEDTLS_ prefix to the macro names to make it pass. + + Signed-off-by: Janos Follath + +diff --git a/include/mbedtls/bn_mul.h b/include/mbedtls/bn_mul.h +index 17d057f3a..a0fa67740 100644 +--- a/include/mbedtls/bn_mul.h ++++ b/include/mbedtls/bn_mul.h +@@ -44,6 +44,46 @@ + + #include "mbedtls/bignum.h" + ++ ++/* ++ * Conversion macros for embedded constants: ++ * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2 ++ */ ++#if defined(MBEDTLS_HAVE_INT32) ++ ++#define MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ) \ ++ ( (mbedtls_mpi_uint) (a) << 0 ) | \ ++ ( (mbedtls_mpi_uint) (b) << 8 ) | \ ++ ( (mbedtls_mpi_uint) (c) << 16 ) | \ ++ ( (mbedtls_mpi_uint) (d) << 24 ) ++ ++#define MBEDTLS_BYTES_TO_T_UINT_2( a, b ) \ ++ MBEDTLS_BYTES_TO_T_UINT_4( a, b, 0, 0 ) ++ ++#define MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ ++ MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ), \ ++ MBEDTLS_BYTES_TO_T_UINT_4( e, f, g, h ) ++ ++#else /* 64-bits */ ++ ++#define MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ ++ ( (mbedtls_mpi_uint) (a) << 0 ) | \ ++ ( (mbedtls_mpi_uint) (b) << 8 ) | \ ++ ( (mbedtls_mpi_uint) (c) << 16 ) | \ ++ ( (mbedtls_mpi_uint) (d) << 24 ) | \ ++ ( (mbedtls_mpi_uint) (e) << 32 ) | \ ++ ( (mbedtls_mpi_uint) (f) << 40 ) | \ ++ ( (mbedtls_mpi_uint) (g) << 48 ) | \ ++ ( (mbedtls_mpi_uint) (h) << 56 ) ++ ++#define MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ) \ ++ MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 ) ++ ++#define MBEDTLS_BYTES_TO_T_UINT_2( a, b ) \ ++ MBEDTLS_BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 ) ++ ++#endif /* bits in mbedtls_mpi_uint */ ++ + #if defined(MBEDTLS_HAVE_ASM) + + #ifndef asm +diff --git a/library/ecp.c b/library/ecp.c +index 5d00de5cf..f79a68f69 100644 +--- a/library/ecp.c ++++ b/library/ecp.c +@@ -76,6 +76,7 @@ + #include "mbedtls/threading.h" + #include "mbedtls/platform_util.h" + #include "mbedtls/error.h" ++#include "mbedtls/bn_mul.h" + + #include + +@@ -2912,6 +2913,95 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, + #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */ + + #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) ++#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) ++#define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)} ++#define ECP_MPI_INIT_ARRAY(x) \ ++ ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x) ++/* ++ * Constants for the two points other than 0, 1, -1 (mod p) in ++ * https://cr.yp.to/ecdh.html#validate ++ * See ecp_check_pubkey_x25519(). ++ */ ++static const mbedtls_mpi_uint x25519_bad_point_1[] = { ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 ), ++}; ++static const mbedtls_mpi_uint x25519_bad_point_2[] = { ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 ), ++}; ++static const mbedtls_mpi ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY( ++ x25519_bad_point_1 ); ++static const mbedtls_mpi ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY( ++ x25519_bad_point_2 ); ++#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ ++ ++/* ++ * Check that the input point is not one of the low-order points. ++ * This is recommended by the "May the Fourth" paper: ++ * https://eprint.iacr.org/2017/806.pdf ++ * Those points are never sent by an honest peer. ++ */ ++static int ecp_check_bad_points_mx( const mbedtls_mpi *X, const mbedtls_mpi *P, ++ const mbedtls_ecp_group_id grp_id ) ++{ ++ int ret; ++ mbedtls_mpi XmP; ++ ++ mbedtls_mpi_init( &XmP ); ++ ++ /* Reduce X mod P so that we only need to check values less than P. ++ * We know X < 2^256 so we can proceed by subtraction. */ ++ MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &XmP, X ) ); ++ while( mbedtls_mpi_cmp_mpi( &XmP, P ) >= 0 ) ++ MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &XmP, &XmP, P ) ); ++ ++ /* Check against the known bad values that are less than P. For Curve448 ++ * these are 0, 1 and -1. For Curve25519 we check the values less than P ++ * from the following list: https://cr.yp.to/ecdh.html#validate */ ++ if( mbedtls_mpi_cmp_int( &XmP, 1 ) <= 0 ) /* takes care of 0 and 1 */ ++ { ++ ret = MBEDTLS_ERR_ECP_INVALID_KEY; ++ goto cleanup; ++ } ++ ++#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) ++ if( grp_id == MBEDTLS_ECP_DP_CURVE25519 ) ++ { ++ if( mbedtls_mpi_cmp_mpi( &XmP, &ecp_x25519_bad_point_1 ) == 0 ) ++ { ++ ret = MBEDTLS_ERR_ECP_INVALID_KEY; ++ goto cleanup; ++ } ++ ++ if( mbedtls_mpi_cmp_mpi( &XmP, &ecp_x25519_bad_point_2 ) == 0 ) ++ { ++ ret = MBEDTLS_ERR_ECP_INVALID_KEY; ++ goto cleanup; ++ } ++ } ++#endif ++ ++ /* Final check: check if XmP + 1 is P (final because it changes XmP!) */ ++ MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &XmP, &XmP, 1 ) ); ++ if( mbedtls_mpi_cmp_mpi( &XmP, P ) == 0 ) ++ { ++ ret = MBEDTLS_ERR_ECP_INVALID_KEY; ++ goto cleanup; ++ } ++ ++ ret = 0; ++ ++cleanup: ++ mbedtls_mpi_free( &XmP ); ++ ++ return( ret ); ++} ++ + /* + * Check validity of a public key for Montgomery curves with x-only schemes + */ +@@ -2923,7 +3013,13 @@ static int ecp_check_pubkey_mx( const mbedtls_ecp_group *grp, const mbedtls_ecp_ + if( mbedtls_mpi_size( &pt->X ) > ( grp->nbits + 7 ) / 8 ) + return( MBEDTLS_ERR_ECP_INVALID_KEY ); + +- return( 0 ); ++ /* Implicit in all standards (as they don't consider negative numbers): ++ * X must be non-negative. This is normally ensured by the way it's ++ * encoded for transmission, but let's be extra sure. */ ++ if( mbedtls_mpi_cmp_int( &pt->X, 0 ) < 0 ) ++ return( MBEDTLS_ERR_ECP_INVALID_KEY ); ++ ++ return( ecp_check_bad_points_mx( &pt->X, &grp->P, grp->id ) ); + } + #endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */ + +diff --git a/library/ecp_curves.c b/library/ecp_curves.c +index 05df307cb..136609b78 100644 +--- a/library/ecp_curves.c ++++ b/library/ecp_curves.c +@@ -24,6 +24,7 @@ + #include "mbedtls/ecp.h" + #include "mbedtls/platform_util.h" + #include "mbedtls/error.h" ++#include "mbedtls/bn_mul.h" + + #include + +@@ -40,44 +41,10 @@ + #define inline __inline + #endif + +-/* +- * Conversion macros for embedded constants: +- * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2 +- */ +-#if defined(MBEDTLS_HAVE_INT32) +- +-#define BYTES_TO_T_UINT_4( a, b, c, d ) \ +- ( (mbedtls_mpi_uint) (a) << 0 ) | \ +- ( (mbedtls_mpi_uint) (b) << 8 ) | \ +- ( (mbedtls_mpi_uint) (c) << 16 ) | \ +- ( (mbedtls_mpi_uint) (d) << 24 ) +- +-#define BYTES_TO_T_UINT_2( a, b ) \ +- BYTES_TO_T_UINT_4( a, b, 0, 0 ) +- +-#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ +- BYTES_TO_T_UINT_4( a, b, c, d ), \ +- BYTES_TO_T_UINT_4( e, f, g, h ) +- +-#else /* 64-bits */ +- +-#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \ +- ( (mbedtls_mpi_uint) (a) << 0 ) | \ +- ( (mbedtls_mpi_uint) (b) << 8 ) | \ +- ( (mbedtls_mpi_uint) (c) << 16 ) | \ +- ( (mbedtls_mpi_uint) (d) << 24 ) | \ +- ( (mbedtls_mpi_uint) (e) << 32 ) | \ +- ( (mbedtls_mpi_uint) (f) << 40 ) | \ +- ( (mbedtls_mpi_uint) (g) << 48 ) | \ +- ( (mbedtls_mpi_uint) (h) << 56 ) ++#define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)} + +-#define BYTES_TO_T_UINT_4( a, b, c, d ) \ +- BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 ) +- +-#define BYTES_TO_T_UINT_2( a, b ) \ +- BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 ) +- +-#endif /* bits in mbedtls_mpi_uint */ ++#define ECP_MPI_INIT_ARRAY(x) \ ++ ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x) + + /* + * Note: the constants are in little-endian order +@@ -89,29 +56,29 @@ + */ + #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) + static const mbedtls_mpi_uint secp192r1_p[] = { +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + }; + static const mbedtls_mpi_uint secp192r1_b[] = { +- BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ), +- BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ), +- BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ), + }; + static const mbedtls_mpi_uint secp192r1_gx[] = { +- BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ), +- BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ), +- BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ), + }; + static const mbedtls_mpi_uint secp192r1_gy[] = { +- BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ), +- BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ), +- BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ), + }; + static const mbedtls_mpi_uint secp192r1_n[] = { +- BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ), +- BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + }; + #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ + +@@ -120,34 +87,34 @@ static const mbedtls_mpi_uint secp192r1_n[] = { + */ + #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) + static const mbedtls_mpi_uint secp224r1_p[] = { +- BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), +- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), + }; + static const mbedtls_mpi_uint secp224r1_b[] = { +- BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ), +- BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ), +- BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ), +- BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ), ++ MBEDTLS_BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ), + }; + static const mbedtls_mpi_uint secp224r1_gx[] = { +- BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ), +- BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ), +- BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ), +- BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ), ++ MBEDTLS_BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ), + }; + static const mbedtls_mpi_uint secp224r1_gy[] = { +- BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ), +- BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ), +- BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ), +- BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ), ++ MBEDTLS_BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ), + }; + static const mbedtls_mpi_uint secp224r1_n[] = { +- BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ), +- BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), + }; + #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ + +@@ -156,34 +123,34 @@ static const mbedtls_mpi_uint secp224r1_n[] = { + */ + #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) + static const mbedtls_mpi_uint secp256r1_p[] = { +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), +- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), +- BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), + }; + static const mbedtls_mpi_uint secp256r1_b[] = { +- BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ), +- BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ), +- BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ), +- BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ), + }; + static const mbedtls_mpi_uint secp256r1_gx[] = { +- BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ), +- BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ), +- BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ), +- BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ), + }; + static const mbedtls_mpi_uint secp256r1_gy[] = { +- BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ), +- BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ), +- BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ), +- BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ), + }; + static const mbedtls_mpi_uint secp256r1_n[] = { +- BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ), +- BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), + }; + #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ + +@@ -192,44 +159,44 @@ static const mbedtls_mpi_uint secp256r1_n[] = { + */ + #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + static const mbedtls_mpi_uint secp384r1_p[] = { +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), +- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + }; + static const mbedtls_mpi_uint secp384r1_b[] = { +- BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ), +- BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ), +- BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ), +- BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ), +- BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ), +- BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ), + }; + static const mbedtls_mpi_uint secp384r1_gx[] = { +- BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ), +- BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ), +- BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ), +- BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ), +- BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ), +- BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ), + }; + static const mbedtls_mpi_uint secp384r1_gy[] = { +- BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ), +- BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ), +- BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ), +- BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ), +- BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ), +- BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ), + }; + static const mbedtls_mpi_uint secp384r1_n[] = { +- BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ), +- BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ), +- BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + }; + #endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ + +@@ -238,154 +205,154 @@ static const mbedtls_mpi_uint secp384r1_n[] = { + */ + #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) + static const mbedtls_mpi_uint secp521r1_p[] = { +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_2( 0xFF, 0x01 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ), + }; + static const mbedtls_mpi_uint secp521r1_b[] = { +- BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ), +- BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ), +- BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ), +- BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ), +- BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ), +- BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ), +- BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ), +- BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ), +- BYTES_TO_T_UINT_2( 0x51, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ), ++ MBEDTLS_BYTES_TO_T_UINT_2( 0x51, 0x00 ), + }; + static const mbedtls_mpi_uint secp521r1_gx[] = { +- BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ), +- BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ), +- BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ), +- BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ), +- BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ), +- BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ), +- BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ), +- BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ), +- BYTES_TO_T_UINT_2( 0xC6, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ), ++ MBEDTLS_BYTES_TO_T_UINT_2( 0xC6, 0x00 ), + }; + static const mbedtls_mpi_uint secp521r1_gy[] = { +- BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ), +- BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ), +- BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ), +- BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ), +- BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ), +- BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ), +- BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ), +- BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ), +- BYTES_TO_T_UINT_2( 0x18, 0x01 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ), ++ MBEDTLS_BYTES_TO_T_UINT_2( 0x18, 0x01 ), + }; + static const mbedtls_mpi_uint secp521r1_n[] = { +- BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ), +- BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ), +- BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ), +- BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ), +- BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_2( 0xFF, 0x01 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ), + }; + #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ + + #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) + static const mbedtls_mpi_uint secp192k1_p[] = { +- BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + }; + static const mbedtls_mpi_uint secp192k1_a[] = { +- BYTES_TO_T_UINT_2( 0x00, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ), + }; + static const mbedtls_mpi_uint secp192k1_b[] = { +- BYTES_TO_T_UINT_2( 0x03, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_2( 0x03, 0x00 ), + }; + static const mbedtls_mpi_uint secp192k1_gx[] = { +- BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ), +- BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ), +- BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ), + }; + static const mbedtls_mpi_uint secp192k1_gy[] = { +- BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ), +- BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ), +- BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ), + }; + static const mbedtls_mpi_uint secp192k1_n[] = { +- BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ), +- BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + }; + #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ + + #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) + static const mbedtls_mpi_uint secp224k1_p[] = { +- BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ), + }; + static const mbedtls_mpi_uint secp224k1_a[] = { +- BYTES_TO_T_UINT_2( 0x00, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ), + }; + static const mbedtls_mpi_uint secp224k1_b[] = { +- BYTES_TO_T_UINT_2( 0x05, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_2( 0x05, 0x00 ), + }; + static const mbedtls_mpi_uint secp224k1_gx[] = { +- BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ), +- BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ), +- BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ), +- BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ), ++ MBEDTLS_BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ), + }; + static const mbedtls_mpi_uint secp224k1_gy[] = { +- BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ), +- BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ), +- BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ), +- BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ), ++ MBEDTLS_BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ), + }; + static const mbedtls_mpi_uint secp224k1_n[] = { +- BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ), +- BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ), +- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), +- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ), + }; + #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ + + #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) + static const mbedtls_mpi_uint secp256k1_p[] = { +- BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + }; + static const mbedtls_mpi_uint secp256k1_a[] = { +- BYTES_TO_T_UINT_2( 0x00, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ), + }; + static const mbedtls_mpi_uint secp256k1_b[] = { +- BYTES_TO_T_UINT_2( 0x07, 0x00 ), ++ MBEDTLS_BYTES_TO_T_UINT_2( 0x07, 0x00 ), + }; + static const mbedtls_mpi_uint secp256k1_gx[] = { +- BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ), +- BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ), +- BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ), +- BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ), + }; + static const mbedtls_mpi_uint secp256k1_gy[] = { +- BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ), +- BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ), +- BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ), +- BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ), + }; + static const mbedtls_mpi_uint secp256k1_n[] = { +- BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ), +- BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ), +- BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), +- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + }; + #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ + +@@ -394,40 +361,40 @@ static const mbedtls_mpi_uint secp256k1_n[] = { + */ + #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) + static const mbedtls_mpi_uint brainpoolP256r1_p[] = { +- BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ), +- BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ), +- BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), +- BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), + }; + static const mbedtls_mpi_uint brainpoolP256r1_a[] = { +- BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ), +- BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ), +- BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ), +- BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ), + }; + static const mbedtls_mpi_uint brainpoolP256r1_b[] = { +- BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ), +- BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ), +- BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ), +- BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ), + }; + static const mbedtls_mpi_uint brainpoolP256r1_gx[] = { +- BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ), +- BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ), +- BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ), +- BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ), + }; + static const mbedtls_mpi_uint brainpoolP256r1_gy[] = { +- BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ), +- BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ), +- BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ), +- BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ), + }; + static const mbedtls_mpi_uint brainpoolP256r1_n[] = { +- BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ), +- BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ), +- BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), +- BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ), + }; + #endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ + +@@ -436,52 +403,52 @@ static const mbedtls_mpi_uint brainpoolP256r1_n[] = { + */ + #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) + static const mbedtls_mpi_uint brainpoolP384r1_p[] = { +- BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ), +- BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ), +- BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ), +- BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), +- BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), +- BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), + }; + static const mbedtls_mpi_uint brainpoolP384r1_a[] = { +- BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), +- BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ), +- BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ), +- BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ), +- BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ), +- BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ), + }; + static const mbedtls_mpi_uint brainpoolP384r1_b[] = { +- BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ), +- BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ), +- BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ), +- BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ), +- BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ), +- BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ), + }; + static const mbedtls_mpi_uint brainpoolP384r1_gx[] = { +- BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ), +- BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ), +- BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ), +- BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ), +- BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ), +- BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ), + }; + static const mbedtls_mpi_uint brainpoolP384r1_gy[] = { +- BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ), +- BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ), +- BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ), +- BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ), +- BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ), +- BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ), + }; + static const mbedtls_mpi_uint brainpoolP384r1_n[] = { +- BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ), +- BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ), +- BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ), +- BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), +- BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), +- BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ), + }; + #endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ + +@@ -490,64 +457,64 @@ static const mbedtls_mpi_uint brainpoolP384r1_n[] = { + */ + #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) + static const mbedtls_mpi_uint brainpoolP512r1_p[] = { +- BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ), +- BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ), +- BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ), +- BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ), +- BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), +- BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), +- BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), +- BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), + }; + static const mbedtls_mpi_uint brainpoolP512r1_a[] = { +- BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ), +- BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ), +- BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ), +- BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ), +- BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ), +- BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ), +- BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ), +- BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ), + }; + static const mbedtls_mpi_uint brainpoolP512r1_b[] = { +- BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ), +- BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ), +- BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ), +- BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ), +- BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ), +- BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ), +- BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ), +- BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ), + }; + static const mbedtls_mpi_uint brainpoolP512r1_gx[] = { +- BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ), +- BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ), +- BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ), +- BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ), +- BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ), +- BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ), +- BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ), +- BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ), + }; + static const mbedtls_mpi_uint brainpoolP512r1_gy[] = { +- BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ), +- BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ), +- BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ), +- BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ), +- BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ), +- BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ), +- BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ), +- BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ), + }; + static const mbedtls_mpi_uint brainpoolP512r1_n[] = { +- BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ), +- BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ), +- BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ), +- BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ), +- BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), +- BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), +- BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), +- BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ), ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ), + }; + #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ + +@@ -678,6 +645,13 @@ static int ecp_mod_p256k1( mbedtls_mpi * ); + #endif /* ECP_LOAD_GROUP */ + + #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) ++/* Constants used by ecp_use_curve25519() */ ++static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42; ++static const unsigned char curve25519_part_of_n[] = { ++ 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6, ++ 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED, ++}; ++ + /* + * Specialized function for creating the Curve25519 group + */ +@@ -686,7 +660,7 @@ static int ecp_use_curve25519( mbedtls_ecp_group *grp ) + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + /* Actually ( A + 2 ) / 4 */ +- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "01DB42" ) ); ++ MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve25519_a24 ) ); + + /* P = 2^255 - 19 */ + MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) ); +@@ -695,8 +669,8 @@ static int ecp_use_curve25519( mbedtls_ecp_group *grp ) + grp->pbits = mbedtls_mpi_bitlen( &grp->P ); + + /* N = 2^252 + 27742317777372353535851937790883648493 */ +- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->N, 16, +- "14DEF9DEA2F79CD65812631A5CF5D3ED" ) ); ++ MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &grp->N, ++ curve25519_part_of_n, sizeof( curve25519_part_of_n ) ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) ); + + /* Y intentionally not set, since we use x/z coordinates. +@@ -717,6 +691,15 @@ cleanup: + #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */ + + #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) ++/* Constants used by ecp_use_curve448() */ ++static const mbedtls_mpi_sint curve448_a24 = 0x98AA; ++static const unsigned char curve448_part_of_n[] = { ++ 0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24, ++ 0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93, ++ 0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC, ++ 0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D, ++}; ++ + /* + * Specialized function for creating the Curve448 group + */ +@@ -728,7 +711,7 @@ static int ecp_use_curve448( mbedtls_ecp_group *grp ) + mbedtls_mpi_init( &Ns ); + + /* Actually ( A + 2 ) / 4 */ +- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "98AA" ) ); ++ MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve448_a24 ) ); + + /* P = 2^448 - 2^224 - 1 */ + MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) ); +@@ -746,8 +729,8 @@ static int ecp_use_curve448( mbedtls_ecp_group *grp ) + + /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */ + MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) ); +- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &Ns, 16, +- "8335DC163BB124B65129C96FDE933D8D723A70AADC873D6D54A7BB0D" ) ); ++ MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &Ns, ++ curve448_part_of_n, sizeof( curve448_part_of_n ) ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) ); + + /* Actually, the required msb for private keys */ +@@ -1441,9 +1424,11 @@ cleanup: + static int ecp_mod_p192k1( mbedtls_mpi *N ) + { + static mbedtls_mpi_uint Rp[] = { +- BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, ++ 0x00 ) }; + +- return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); ++ return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, ++ 0 ) ); + } + #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ + +@@ -1455,12 +1440,14 @@ static int ecp_mod_p192k1( mbedtls_mpi *N ) + static int ecp_mod_p224k1( mbedtls_mpi *N ) + { + static mbedtls_mpi_uint Rp[] = { +- BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; ++ MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, ++ 0x00 ) }; + + #if defined(MBEDTLS_HAVE_INT64) + return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) ); + #else +- return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); ++ return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, ++ 0 ) ); + #endif + } + +@@ -1474,8 +1461,10 @@ static int ecp_mod_p224k1( mbedtls_mpi *N ) + static int ecp_mod_p256k1( mbedtls_mpi *N ) + { + static mbedtls_mpi_uint Rp[] = { +- BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) }; +- return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) ); ++ MBEDTLS_BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, ++ 0x00 ) }; ++ return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, ++ 0 ) ); + } + #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ + +diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data +index 408a9b7fe..d9b46c8e6 100644 +--- a/tests/suites/test_suite_ecp.data ++++ b/tests/suites/test_suite_ecp.data +@@ -36,13 +36,133 @@ ECP curve info #8 + depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED + mbedtls_ecp_curve_info:MBEDTLS_ECP_DP_SECP192R1:19:192:"secp192r1" + +-ECP check pubkey Montgomery #1 (too big) ++ECP check pubkey Curve25519 #1 (biggest) ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":0 ++ ++ECP check pubkey Curve25519 #2 (too big) + depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED + ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"010000000000000000000000000000000000000000000000000000000000000000":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY + +-ECP check pubkey Montgomery #2 (biggest) ++ECP check pubkey Curve25519 #3 (DoS big) + depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +-ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":0 ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"0100000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++ECP check pubkey Curve25519 y ignored ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"2":"-1":"1":0 ++ ++ECP check pubkey Curve25519 z is not 1 ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"2":"0":"2":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++ECP check pubkey Curve25519 x negative ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"-2":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #1 ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"0":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #2 ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"1":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #3 (let's call this u) ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"b8495f16056286fdb1329ceb8d09da6ac49ff1fae35616aeb8413b7c7aebe0":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #4 (let's call this v) ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"57119fd0dd4e22d8868e1c58c45c44045bef839c55b1d0b1248c50a3bc959c5f":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #5 p-1 ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #6 p ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #7 p+1 ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffee":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #8 p+u ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"80b8495f16056286fdb1329ceb8d09da6ac49ff1fae35616aeb8413b7c7aebcd":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #9 p+v ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"d7119fd0dd4e22d8868e1c58c45c44045bef839c55b1d0b1248c50a3bc959c4c":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #10 2p-1 ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd9":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #11 2p ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffda":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++# see https://cr.yp.to/ecdh.html#validate ++ECP check pubkey Curve25519 low-order point #12 2p+1 ++depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdb":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++ECP check pubkey Curve448 #1 (biggest) ++depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":0 ++ ++ECP check pubkey Curve448 #2 (too big) ++depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++ECP check pubkey Curve448 #3 (DoS big) ++depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"0100000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++ECP check pubkey Curve448 y ignored ++depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"2":"-1":"1":0 ++ ++ECP check pubkey Curve448 z is not 1 ++depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"2":"0":"2":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++ECP check pubkey Curve448 x negative ++depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"-2":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++ECP check pubkey Curve448 low-order point #1 ++depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"0":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++ECP check pubkey Curve448 low-order point #2 ++depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"1":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++ECP check pubkey Curve448 low-order point #3 p-1 ++depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++ECP check pubkey Curve448 low-order point #4 p ++depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY ++ ++ECP check pubkey Curve448 low-order point #5 p+1 ++depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ++ecp_check_pub:MBEDTLS_ECP_DP_CURVE448:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY + + ECP check pubkey Koblitz #1 (point not on curve) + depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED +@@ -440,15 +560,15 @@ ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2 + + ECP point multiplication Curve25519 (element of order 2: origin) #3 + depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +-ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"00":"00":"01":"00":"01":"00":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE ++ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"00":"00":"01":"00":"01":"00":MBEDTLS_ERR_ECP_INVALID_KEY + + ECP point multiplication Curve25519 (element of order 4: 1) #4 + depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +-ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"01":"00":"01":"00":"01":"00":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE ++ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"01":"00":"01":"00":"01":"00":MBEDTLS_ERR_ECP_INVALID_KEY + + ECP point multiplication Curve25519 (element of order 8) #5 + depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +-ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"B8495F16056286FDB1329CEB8D09DA6AC49FF1FAE35616AEB8413B7C7AEBE0":"00":"01":"00":"01":"00":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE ++ecp_test_mul:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"B8495F16056286FDB1329CEB8D09DA6AC49FF1FAE35616AEB8413B7C7AEBE0":"00":"01":"00":"01":"00":MBEDTLS_ERR_ECP_INVALID_KEY + + ECP point multiplication rng fail secp256r1 + depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED diff --git a/deps/patches/mbedtls-security-advisory-2021-12.patch b/deps/patches/mbedtls-security-advisory-2021-12.patch new file mode 100644 index 00000000000000..52204bc987ee51 --- /dev/null +++ b/deps/patches/mbedtls-security-advisory-2021-12.patch @@ -0,0 +1,25 @@ +commit 6f0354fb7d3d04be928704eb2802fd5ba83213de +Author: 吴敬辉 <11137405@vivo.com> +Date: Mon Nov 29 10:46:35 2021 +0800 + + [session] fix a session copy bug + fix a possible double reference on 'ticket' + when peer_cert/peer_cert_digest calloc failed. + + Signed-off-by: 吴敬辉 <11137405@vivo.com> + +diff --git a/library/ssl_tls.c b/library/ssl_tls.c +index 7062d53b7..49cdbae66 100644 +--- a/library/ssl_tls.c ++++ b/library/ssl_tls.c +@@ -187,6 +187,10 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, + mbedtls_ssl_session_free( dst ); + memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); + ++#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) ++ dst->ticket = NULL; ++#endif ++ + #if defined(MBEDTLS_X509_CRT_PARSE_C) + + #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) diff --git a/stdlib/MbedTLS_jll/Project.toml b/stdlib/MbedTLS_jll/Project.toml index 67a81e88bdd351..3afb8a545df058 100644 --- a/stdlib/MbedTLS_jll/Project.toml +++ b/stdlib/MbedTLS_jll/Project.toml @@ -1,6 +1,6 @@ name = "MbedTLS_jll" uuid = "c8ffd9c3-330d-5841-b78e-0817d7145fa1" -version = "2.24.0+1" +version = "2.24.0+4" [deps] Libdl = "8f399da3-3557-5675-b5ff-fb832c97cbdb"