tls: reorder P256 functions to make more sense

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
author: Denys Vlasenko <vda.linux@googlemail.com> 2021-04-27 01:21:26 +0200
committer: Denys Vlasenko <vda.linux@googlemail.com> 2021-04-27 01:21:26 +0200
commit: a2bc52dd447816a887e508c6a1210ec43b38b03d (patch)
tree: 7cd088aee4c6c6a9f135aab3b5d32f657badb185
parent: e52e43c72f9dce8bc524a8e6770e6abe3e97db09 (diff)
download: busybox-w32-a2bc52dd447816a887e508c6a1210ec43b38b03d.tar.gz
busybox-w32-a2bc52dd447816a887e508c6a1210ec43b38b03d.tar.bz2
busybox-w32-a2bc52dd447816a887e508c6a1210ec43b38b03d.zip
1 files changed, 179 insertions, 179 deletions
diff --git a/networking/tls_sp_c32.c b/networking/tls_sp_c32.c
index 1f140315e..8059f6e10 100644
--- a/networking/tls_sp_c32.c
+++ b/networking/tls_sp_c32.c
@@ -220,106 +220,6 @@ static void sp_256_rshift1_10(sp_digit* r, sp_digit* a)
        r[9] = a[9] >> 1;
 }
-/* Multiply a number by Montogmery normalizer mod modulus (prime).
- *
- * r  The resulting Montgomery form number.
- * a  The number to convert.
- */
-static void sp_256_mod_mul_norm_10(sp_digit* r, const sp_digit* a)
-{
-        int64_t t[8];
-        int64_t a32[8];
-        int64_t o;
-        a32[0] = a[0];
-        a32[0] |= a[1] << 26;
-        a32[0] &= 0xffffffff;
-        a32[1] = (sp_digit)(a[1] >> 6);
-        a32[1] |= a[2] << 20;
-        a32[1] &= 0xffffffff;
-        a32[2] = (sp_digit)(a[2] >> 12);
-        a32[2] |= a[3] << 14;
-        a32[2] &= 0xffffffff;
-        a32[3] = (sp_digit)(a[3] >> 18);
-        a32[3] |= a[4] << 8;
-        a32[3] &= 0xffffffff;
-        a32[4] = (sp_digit)(a[4] >> 24);
-        a32[4] |= a[5] << 2;
-        a32[4] |= a[6] << 28;
-        a32[4] &= 0xffffffff;
-        a32[5] = (sp_digit)(a[6] >> 4);
-        a32[5] |= a[7] << 22;
-        a32[5] &= 0xffffffff;
-        a32[6] = (sp_digit)(a[7] >> 10);
-        a32[6] |= a[8] << 16;
-        a32[6] &= 0xffffffff;
-        a32[7] = (sp_digit)(a[8] >> 16);
-        a32[7] |= a[9] << 10;
-        a32[7] &= 0xffffffff;
-        /*  1  1  0 -1 -1 -1 -1  0 */
-        t[0] = 0 + a32[0] + a32[1] - a32[3] - a32[4] - a32[5] - a32[6];
-        /*  0  1  1  0 -1 -1 -1 -1 */
-        t[1] = 0 + a32[1] + a32[2] - a32[4] - a32[5] - a32[6] - a32[7];
-        /*  0  0  1  1  0 -1 -1 -1 */
-        t[2] = 0 + a32[2] + a32[3] - a32[5] - a32[6] - a32[7];
-        /* -1 -1  0  2  2  1  0 -1 */
-        t[3] = 0 - a32[0] - a32[1] + 2 * a32[3] + 2 * a32[4] + a32[5] - a32[7];
-        /*  0 -1 -1  0  2  2  1  0 */
-        t[4] = 0 - a32[1] - a32[2] + 2 * a32[4] + 2 * a32[5] + a32[6];
-        /*  0  0 -1 -1  0  2  2  1 */
-        t[5] = 0 - a32[2] - a32[3] + 2 * a32[5] + 2 * a32[6] + a32[7];
-        /* -1 -1  0  0  0  1  3  2 */
-        t[6] = 0 - a32[0] - a32[1] + a32[5] + 3 * a32[6] + 2 * a32[7];
-        /*  1  0 -1 -1 -1 -1  0  3 */
-        t[7] = 0 + a32[0] - a32[2] - a32[3] - a32[4] - a32[5] + 3 * a32[7];
-        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
-        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
-        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
-        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
-        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
-        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
-        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
-        o     = t[7] >> 32; t[7] &= 0xffffffff;
-        t[0] += o;
-        t[3] -= o;
-        t[6] -= o;
-        t[7] += o;
-        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
-        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
-        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
-        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
-        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
-        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
-        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
-        r[0] = (sp_digit)(t[0]) & 0x3ffffff;
-        r[1] = (sp_digit)(t[0] >> 26);
-        r[1] |= t[1] << 6;
-        r[1] &= 0x3ffffff;
-        r[2] = (sp_digit)(t[1] >> 20);
-        r[2] |= t[2] << 12;
-        r[2] &= 0x3ffffff;
-        r[3] = (sp_digit)(t[2] >> 14);
-        r[3] |= t[3] << 18;
-        r[3] &= 0x3ffffff;
-        r[4] = (sp_digit)(t[3] >> 8);
-        r[4] |= t[4] << 24;
-        r[4] &= 0x3ffffff;
-        r[5] = (sp_digit)(t[4] >> 2) & 0x3ffffff;
-        r[6] = (sp_digit)(t[4] >> 28);
-        r[6] |= t[5] << 4;
-        r[6] &= 0x3ffffff;
-        r[7] = (sp_digit)(t[5] >> 22);
-        r[7] |= t[6] << 10;
-        r[7] &= 0x3ffffff;
-        r[8] = (sp_digit)(t[6] >> 16);
-        r[8] |= t[7] << 16;
-        r[8] &= 0x3ffffff;
-        r[9] = (sp_digit)(t[7] >> 10);
-}
 /* Mul a by scalar b and add into r. (r += a * b) */
 static void sp_256_mul_add_10(sp_digit* r, const sp_digit* a, sp_digit b)
 {
@@ -335,6 +235,58 @@ static void sp_256_mul_add_10(sp_digit* r, const sp_digit* a, sp_digit b)
        r[10] += t;
 }
+/* Multiply a and b into r. (r = a * b) */
+static void sp_256_mul_10(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+        int i, j, k;
+        int64_t c;
+        c = ((int64_t)a[9]) * b[9];
+        r[19] = (sp_digit)(c >> 26);
+        c = (c & 0x3ffffff) << 26;
+        for (k = 17; k >= 0; k--) {
+                for (i = 9; i >= 0; i--) {
+                        j = k - i;
+                        if (j >= 10)
+                                break;
+                        if (j < 0)
+                                continue;
+                        c += ((int64_t)a[i]) * b[j];
+                }
+                r[k + 2] += c >> 52;
+                r[k + 1] = (c >> 26) & 0x3ffffff;
+                c = (c & 0x3ffffff) << 26;
+        }
+        r[0] = (sp_digit)(c >> 26);
+}
+/* Square a and put result in r. (r = a * a) */
+static void sp_256_sqr_10(sp_digit* r, const sp_digit* a)
+{
+        int i, j, k;
+        int64_t c;
+        c = ((int64_t)a[9]) * a[9];
+        r[19] = (sp_digit)(c >> 26);
+        c = (c & 0x3ffffff) << 26;
+        for (k = 17; k >= 0; k--) {
+                for (i = 9; i >= 0; i--) {
+                        j = k - i;
+                        if (j >= 10 || i <= j)
+                                break;
+                        if (j < 0)
+                                continue;
+                        c += ((int64_t)a[i]) * a[j] * 2;
+                }
+                if (i == j)
+                        c += ((int64_t)a[i]) * a[i];
+                r[k + 2] += c >> 52;
+                r[k + 1] = (c >> 26) & 0x3ffffff;
+                c = (c & 0x3ffffff) << 26;
+        }
+        r[0] = (sp_digit)(c >> 26);
+}
 /* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m) */
 static void sp_256_div2_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
 {
@@ -344,25 +296,6 @@ static void sp_256_div2_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
        sp_256_rshift1_10(r, r);
 }
-/* Shift the result in the high 256 bits down to the bottom. */
-static void sp_256_mont_shift_10(sp_digit* r, const sp_digit* a)
-{
-        int i;
-        sp_digit n, s;
-        s = a[10];
-        n = a[9] >> 22;
-        for (i = 0; i < 9; i++) {
-                n += (s & 0x3ffffff) << 4;
-                r[i] = n & 0x3ffffff;
-                n >>= 26;
-                s = a[11 + i] + (s >> 26);
-        }
-        n += s << 4;
-        r[9] = n;
-        memset(&r[10], 0, sizeof(*r) * 10);
-}
 /* Add two Montgomery form numbers (r = a + b % m) */
 static void sp_256_mont_add_10(sp_digit* r, const sp_digit* a, const sp_digit* b,
                const sp_digit* m)
@@ -374,6 +307,16 @@ static void sp_256_mont_add_10(sp_digit* r, const sp_digit* a, const sp_digit* b
        sp_256_norm_10(r);
 }
+/* Subtract two Montgomery form numbers (r = a - b % m) */
+static void sp_256_mont_sub_10(sp_digit* r, const sp_digit* a, const sp_digit* b,
+                const sp_digit* m)
+{
+        sp_256_sub_10(r, a, b);
+        if (r[9] >> 22)
+                sp_256_add_10(r, r, m);
+        sp_256_norm_10(r);
+}
 /* Double a Montgomery form number (r = a + a % m) */
 static void sp_256_mont_dbl_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
 {
@@ -399,14 +342,23 @@ static void sp_256_mont_tpl_10(sp_digit* r, const sp_digit* a, const sp_digit* m
        sp_256_norm_10(r);
 }
-/* Subtract two Montgomery form numbers (r = a - b % m) */
+/* Shift the result in the high 256 bits down to the bottom. */
-static void sp_256_mont_sub_10(sp_digit* r, const sp_digit* a, const sp_digit* b,
+static void sp_256_mont_shift_10(sp_digit* r, const sp_digit* a)
-                const sp_digit* m)
 {
-        sp_256_sub_10(r, a, b);
+        int i;
-        if (r[9] >> 22)
+        sp_digit n, s;
-                sp_256_add_10(r, r, m);
-        sp_256_norm_10(r);
+        s = a[10];
+        n = a[9] >> 22;
+        for (i = 0; i < 9; i++) {
+                n += (s & 0x3ffffff) << 4;
+                r[i] = n & 0x3ffffff;
+                n >>= 26;
+                s = a[11 + i] + (s >> 26);
+        }
+        n += s << 4;
+        r[9] = n;
+        memset(&r[10], 0, sizeof(*r) * 10);
 }
 /* Reduce the number back to 256 bits using Montgomery reduction.
@@ -449,31 +401,6 @@ static void sp_256_mont_reduce_10(sp_digit* a, const sp_digit* m, sp_digit mp)
        sp_256_norm_10(a);
 }
-/* Multiply a and b into r. (r = a * b) */
-static void sp_256_mul_10(sp_digit* r, const sp_digit* a, const sp_digit* b)
-{
-        int i, j, k;
-        int64_t c;
-        c = ((int64_t)a[9]) * b[9];
-        r[19] = (sp_digit)(c >> 26);
-        c = (c & 0x3ffffff) << 26;
-        for (k = 17; k >= 0; k--) {
-                for (i = 9; i >= 0; i--) {
-                        j = k - i;
-                        if (j >= 10)
-                                break;
-                        if (j < 0)
-                                continue;
-                        c += ((int64_t)a[i]) * b[j];
-                }
-                r[k + 2] += c >> 52;
-                r[k + 1] = (c >> 26) & 0x3ffffff;
-                c = (c & 0x3ffffff) << 26;
-        }
-        r[0] = (sp_digit)(c >> 26);
-}
 /* Multiply two Montogmery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
@@ -490,33 +417,6 @@ static void sp_256_mont_mul_10(sp_digit* r, const sp_digit* a, const sp_digit* b
        sp_256_mont_reduce_10(r, m, mp);
 }
-/* Square a and put result in r. (r = a * a) */
-static void sp_256_sqr_10(sp_digit* r, const sp_digit* a)
-{
-        int i, j, k;
-        int64_t c;
-        c = ((int64_t)a[9]) * a[9];
-        r[19] = (sp_digit)(c >> 26);
-        c = (c & 0x3ffffff) << 26;
-        for (k = 17; k >= 0; k--) {
-                for (i = 9; i >= 0; i--) {
-                        j = k - i;
-                        if (j >= 10 || i <= j)
-                                break;
-                        if (j < 0)
-                                continue;
-                        c += ((int64_t)a[i]) * a[j] * 2;
-                }
-                if (i == j)
-                        c += ((int64_t)a[i]) * a[i];
-                r[k + 2] += c >> 52;
-                r[k + 1] = (c >> 26) & 0x3ffffff;
-                c = (c & 0x3ffffff) << 26;
-        }
-        r[0] = (sp_digit)(c >> 26);
-}
 /* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
@@ -564,6 +464,106 @@ static void sp_256_mont_inv_10(sp_digit* r, sp_digit* a)
        memcpy(r, t, sizeof(sp_digit) * 10);
 }
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ */
+static void sp_256_mod_mul_norm_10(sp_digit* r, const sp_digit* a)
+{
+        int64_t t[8];
+        int64_t a32[8];
+        int64_t o;
+        a32[0] = a[0];
+        a32[0] |= a[1] << 26;
+        a32[0] &= 0xffffffff;
+        a32[1] = (sp_digit)(a[1] >> 6);
+        a32[1] |= a[2] << 20;
+        a32[1] &= 0xffffffff;
+        a32[2] = (sp_digit)(a[2] >> 12);
+        a32[2] |= a[3] << 14;
+        a32[2] &= 0xffffffff;
+        a32[3] = (sp_digit)(a[3] >> 18);
+        a32[3] |= a[4] << 8;
+        a32[3] &= 0xffffffff;
+        a32[4] = (sp_digit)(a[4] >> 24);
+        a32[4] |= a[5] << 2;
+        a32[4] |= a[6] << 28;
+        a32[4] &= 0xffffffff;
+        a32[5] = (sp_digit)(a[6] >> 4);
+        a32[5] |= a[7] << 22;
+        a32[5] &= 0xffffffff;
+        a32[6] = (sp_digit)(a[7] >> 10);
+        a32[6] |= a[8] << 16;
+        a32[6] &= 0xffffffff;
+        a32[7] = (sp_digit)(a[8] >> 16);
+        a32[7] |= a[9] << 10;
+        a32[7] &= 0xffffffff;
+        /*  1  1  0 -1 -1 -1 -1  0 */
+        t[0] = 0 + a32[0] + a32[1] - a32[3] - a32[4] - a32[5] - a32[6];
+        /*  0  1  1  0 -1 -1 -1 -1 */
+        t[1] = 0 + a32[1] + a32[2] - a32[4] - a32[5] - a32[6] - a32[7];
+        /*  0  0  1  1  0 -1 -1 -1 */
+        t[2] = 0 + a32[2] + a32[3] - a32[5] - a32[6] - a32[7];
+        /* -1 -1  0  2  2  1  0 -1 */
+        t[3] = 0 - a32[0] - a32[1] + 2 * a32[3] + 2 * a32[4] + a32[5] - a32[7];
+        /*  0 -1 -1  0  2  2  1  0 */
+        t[4] = 0 - a32[1] - a32[2] + 2 * a32[4] + 2 * a32[5] + a32[6];
+        /*  0  0 -1 -1  0  2  2  1 */
+        t[5] = 0 - a32[2] - a32[3] + 2 * a32[5] + 2 * a32[6] + a32[7];
+        /* -1 -1  0  0  0  1  3  2 */
+        t[6] = 0 - a32[0] - a32[1] + a32[5] + 3 * a32[6] + 2 * a32[7];
+        /*  1  0 -1 -1 -1 -1  0  3 */
+        t[7] = 0 + a32[0] - a32[2] - a32[3] - a32[4] - a32[5] + 3 * a32[7];
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        o     = t[7] >> 32; t[7] &= 0xffffffff;
+        t[0] += o;
+        t[3] -= o;
+        t[6] -= o;
+        t[7] += o;
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        r[0] = (sp_digit)(t[0]) & 0x3ffffff;
+        r[1] = (sp_digit)(t[0] >> 26);
+        r[1] |= t[1] << 6;
+        r[1] &= 0x3ffffff;
+        r[2] = (sp_digit)(t[1] >> 20);
+        r[2] |= t[2] << 12;
+        r[2] &= 0x3ffffff;
+        r[3] = (sp_digit)(t[2] >> 14);
+        r[3] |= t[3] << 18;
+        r[3] &= 0x3ffffff;
+        r[4] = (sp_digit)(t[3] >> 8);
+        r[4] |= t[4] << 24;
+        r[4] &= 0x3ffffff;
+        r[5] = (sp_digit)(t[4] >> 2) & 0x3ffffff;
+        r[6] = (sp_digit)(t[4] >> 28);
+        r[6] |= t[5] << 4;
+        r[6] &= 0x3ffffff;
+        r[7] = (sp_digit)(t[5] >> 22);
+        r[7] |= t[6] << 10;
+        r[7] &= 0x3ffffff;
+        r[8] = (sp_digit)(t[6] >> 16);
+        r[8] |= t[7] << 16;
+        r[8] &= 0x3ffffff;
+        r[9] = (sp_digit)(t[7] >> 10);
+}
 /* Map the Montgomery form projective co-ordinate point to an affine point.
 *
 * r  Resulting affine co-ordinate point.
@@ -808,7 +808,7 @@ static void sp_256_ecc_mulmod_base_10(sp_point* r, sp_digit* k /*, int map*/)
 * pub2x32 Point to multiply.
 * out32   Buffer to hold X ordinate.
 */
-static void sp_ecc_secret_gen_256(sp_digit priv[10], const uint8_t *pub2x32, uint8_t* out32)
+static void sp_ecc_secret_gen_256(const sp_digit priv[10], const uint8_t *pub2x32, uint8_t* out32)
 {
        sp_point point[1];
author	Denys Vlasenko <vda.linux@googlemail.com>	2021-04-27 01:21:26 +0200
committer	Denys Vlasenko <vda.linux@googlemail.com>	2021-04-27 01:21:26 +0200
commit	a2bc52dd447816a887e508c6a1210ec43b38b03d (patch)
tree	7cd088aee4c6c6a9f135aab3b5d32f657badb185
parent	e52e43c72f9dce8bc524a8e6770e6abe3e97db09 (diff)
download	busybox-w32-a2bc52dd447816a887e508c6a1210ec43b38b03d.tar.gz busybox-w32-a2bc52dd447816a887e508c6a1210ec43b38b03d.tar.bz2 busybox-w32-a2bc52dd447816a887e508c6a1210ec43b38b03d.zip

diff --git a/networking/tls_sp_c32.c b/networking/tls_sp_c32.c index 1f140315e..8059f6e10 100644 --- a/networking/tls_sp_c32.c +++ b/networking/tls_sp_c32.c
@@ -220,106 +220,6 @@ static void sp_256_rshift1_10(sp_digit* r, sp_digit* a)
220	r[9] = a[9] >> 1;	220	r[9] = a[9] >> 1;
221	}	221	}
222		222
223	/* Multiply a number by Montogmery normalizer mod modulus (prime).
224	*
225	* r The resulting Montgomery form number.
226	* a The number to convert.
227	*/
228	static void sp_256_mod_mul_norm_10(sp_digit* r, const sp_digit* a)
229	{
230	int64_t t[8];
231	int64_t a32[8];
232	int64_t o;
233
234	a32[0] = a[0];
235	a32[0] \|= a[1] << 26;
236	a32[0] &= 0xffffffff;
237	a32[1] = (sp_digit)(a[1] >> 6);
238	a32[1] \|= a[2] << 20;
239	a32[1] &= 0xffffffff;
240	a32[2] = (sp_digit)(a[2] >> 12);
241	a32[2] \|= a[3] << 14;
242	a32[2] &= 0xffffffff;
243	a32[3] = (sp_digit)(a[3] >> 18);
244	a32[3] \|= a[4] << 8;
245	a32[3] &= 0xffffffff;
246	a32[4] = (sp_digit)(a[4] >> 24);
247	a32[4] \|= a[5] << 2;
248	a32[4] \|= a[6] << 28;
249	a32[4] &= 0xffffffff;
250	a32[5] = (sp_digit)(a[6] >> 4);
251	a32[5] \|= a[7] << 22;
252	a32[5] &= 0xffffffff;
253	a32[6] = (sp_digit)(a[7] >> 10);
254	a32[6] \|= a[8] << 16;
255	a32[6] &= 0xffffffff;
256	a32[7] = (sp_digit)(a[8] >> 16);
257	a32[7] \|= a[9] << 10;
258	a32[7] &= 0xffffffff;
259
260	/* 1 1 0 -1 -1 -1 -1 0 */
261	t[0] = 0 + a32[0] + a32[1] - a32[3] - a32[4] - a32[5] - a32[6];
262	/* 0 1 1 0 -1 -1 -1 -1 */
263	t[1] = 0 + a32[1] + a32[2] - a32[4] - a32[5] - a32[6] - a32[7];
264	/* 0 0 1 1 0 -1 -1 -1 */
265	t[2] = 0 + a32[2] + a32[3] - a32[5] - a32[6] - a32[7];
266	/* -1 -1 0 2 2 1 0 -1 */
267	t[3] = 0 - a32[0] - a32[1] + 2 * a32[3] + 2 * a32[4] + a32[5] - a32[7];
268	/* 0 -1 -1 0 2 2 1 0 */
269	t[4] = 0 - a32[1] - a32[2] + 2 * a32[4] + 2 * a32[5] + a32[6];
270	/* 0 0 -1 -1 0 2 2 1 */
271	t[5] = 0 - a32[2] - a32[3] + 2 * a32[5] + 2 * a32[6] + a32[7];
272	/* -1 -1 0 0 0 1 3 2 */
273	t[6] = 0 - a32[0] - a32[1] + a32[5] + 3 * a32[6] + 2 * a32[7];
274	/* 1 0 -1 -1 -1 -1 0 3 */
275	t[7] = 0 + a32[0] - a32[2] - a32[3] - a32[4] - a32[5] + 3 * a32[7];
276
277	t[1] += t[0] >> 32; t[0] &= 0xffffffff;
278	t[2] += t[1] >> 32; t[1] &= 0xffffffff;
279	t[3] += t[2] >> 32; t[2] &= 0xffffffff;
280	t[4] += t[3] >> 32; t[3] &= 0xffffffff;
281	t[5] += t[4] >> 32; t[4] &= 0xffffffff;
282	t[6] += t[5] >> 32; t[5] &= 0xffffffff;
283	t[7] += t[6] >> 32; t[6] &= 0xffffffff;
284	o = t[7] >> 32; t[7] &= 0xffffffff;
285	t[0] += o;
286	t[3] -= o;
287	t[6] -= o;
288	t[7] += o;
289	t[1] += t[0] >> 32; t[0] &= 0xffffffff;
290	t[2] += t[1] >> 32; t[1] &= 0xffffffff;
291	t[3] += t[2] >> 32; t[2] &= 0xffffffff;
292	t[4] += t[3] >> 32; t[3] &= 0xffffffff;
293	t[5] += t[4] >> 32; t[4] &= 0xffffffff;
294	t[6] += t[5] >> 32; t[5] &= 0xffffffff;
295	t[7] += t[6] >> 32; t[6] &= 0xffffffff;
296
297	r[0] = (sp_digit)(t[0]) & 0x3ffffff;
298	r[1] = (sp_digit)(t[0] >> 26);
299	r[1] \|= t[1] << 6;
300	r[1] &= 0x3ffffff;
301	r[2] = (sp_digit)(t[1] >> 20);
302	r[2] \|= t[2] << 12;
303	r[2] &= 0x3ffffff;
304	r[3] = (sp_digit)(t[2] >> 14);
305	r[3] \|= t[3] << 18;
306	r[3] &= 0x3ffffff;
307	r[4] = (sp_digit)(t[3] >> 8);
308	r[4] \|= t[4] << 24;
309	r[4] &= 0x3ffffff;
310	r[5] = (sp_digit)(t[4] >> 2) & 0x3ffffff;
311	r[6] = (sp_digit)(t[4] >> 28);
312	r[6] \|= t[5] << 4;
313	r[6] &= 0x3ffffff;
314	r[7] = (sp_digit)(t[5] >> 22);
315	r[7] \|= t[6] << 10;
316	r[7] &= 0x3ffffff;
317	r[8] = (sp_digit)(t[6] >> 16);
318	r[8] \|= t[7] << 16;
319	r[8] &= 0x3ffffff;
320	r[9] = (sp_digit)(t[7] >> 10);
321	}
322
323	/* Mul a by scalar b and add into r. (r += a * b) */	223	/* Mul a by scalar b and add into r. (r += a * b) */
324	static void sp_256_mul_add_10(sp_digit* r, const sp_digit* a, sp_digit b)	224	static void sp_256_mul_add_10(sp_digit* r, const sp_digit* a, sp_digit b)
325	{	225	{
@@ -335,6 +235,58 @@ static void sp_256_mul_add_10(sp_digit* r, const sp_digit* a, sp_digit b)
335	r[10] += t;	235	r[10] += t;
336	}	236	}
337		237
		238	/* Multiply a and b into r. (r = a * b) */
		239	static void sp_256_mul_10(sp_digit* r, const sp_digit* a, const sp_digit* b)
		240	{
		241	int i, j, k;
		242	int64_t c;
		243
		244	c = ((int64_t)a[9]) * b[9];
		245	r[19] = (sp_digit)(c >> 26);
		246	c = (c & 0x3ffffff) << 26;
		247	for (k = 17; k >= 0; k--) {
		248	for (i = 9; i >= 0; i--) {
		249	j = k - i;
		250	if (j >= 10)
		251	break;
		252	if (j < 0)
		253	continue;
		254	c += ((int64_t)a[i]) * b[j];
		255	}
		256	r[k + 2] += c >> 52;
		257	r[k + 1] = (c >> 26) & 0x3ffffff;
		258	c = (c & 0x3ffffff) << 26;
		259	}
		260	r[0] = (sp_digit)(c >> 26);
		261	}
		262
		263	/* Square a and put result in r. (r = a * a) */
		264	static void sp_256_sqr_10(sp_digit* r, const sp_digit* a)
		265	{
		266	int i, j, k;
		267	int64_t c;
		268
		269	c = ((int64_t)a[9]) * a[9];
		270	r[19] = (sp_digit)(c >> 26);
		271	c = (c & 0x3ffffff) << 26;
		272	for (k = 17; k >= 0; k--) {
		273	for (i = 9; i >= 0; i--) {
		274	j = k - i;
		275	if (j >= 10 \|\| i <= j)
		276	break;
		277	if (j < 0)
		278	continue;
		279	c += ((int64_t)a[i]) * a[j] * 2;
		280	}
		281	if (i == j)
		282	c += ((int64_t)a[i]) * a[i];
		283	r[k + 2] += c >> 52;
		284	r[k + 1] = (c >> 26) & 0x3ffffff;
		285	c = (c & 0x3ffffff) << 26;
		286	}
		287	r[0] = (sp_digit)(c >> 26);
		288	}
		289
338	/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m) */	290	/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m) */
339	static void sp_256_div2_10(sp_digit* r, const sp_digit* a, const sp_digit* m)	291	static void sp_256_div2_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
340	{	292	{
@@ -344,25 +296,6 @@ static void sp_256_div2_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
344	sp_256_rshift1_10(r, r);	296	sp_256_rshift1_10(r, r);
345	}	297	}
346		298
347	/* Shift the result in the high 256 bits down to the bottom. */
348	static void sp_256_mont_shift_10(sp_digit* r, const sp_digit* a)
349	{
350	int i;
351	sp_digit n, s;
352
353	s = a[10];
354	n = a[9] >> 22;
355	for (i = 0; i < 9; i++) {
356	n += (s & 0x3ffffff) << 4;
357	r[i] = n & 0x3ffffff;
358	n >>= 26;
359	s = a[11 + i] + (s >> 26);
360	}
361	n += s << 4;
362	r[9] = n;
363	memset(&r[10], 0, sizeof(r) 10);
364	}
365
366	/* Add two Montgomery form numbers (r = a + b % m) */	299	/* Add two Montgomery form numbers (r = a + b % m) */
367	static void sp_256_mont_add_10(sp_digit* r, const sp_digit* a, const sp_digit* b,	300	static void sp_256_mont_add_10(sp_digit* r, const sp_digit* a, const sp_digit* b,
368	const sp_digit* m)	301	const sp_digit* m)
@@ -374,6 +307,16 @@ static void sp_256_mont_add_10(sp_digit* r, const sp_digit* a, const sp_digit* b
374	sp_256_norm_10(r);	307	sp_256_norm_10(r);
375	}	308	}
376		309
		310	/* Subtract two Montgomery form numbers (r = a - b % m) */
		311	static void sp_256_mont_sub_10(sp_digit* r, const sp_digit* a, const sp_digit* b,
		312	const sp_digit* m)
		313	{
		314	sp_256_sub_10(r, a, b);
		315	if (r[9] >> 22)
		316	sp_256_add_10(r, r, m);
		317	sp_256_norm_10(r);
		318	}
		319
377	/* Double a Montgomery form number (r = a + a % m) */	320	/* Double a Montgomery form number (r = a + a % m) */
378	static void sp_256_mont_dbl_10(sp_digit* r, const sp_digit* a, const sp_digit* m)	321	static void sp_256_mont_dbl_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
379	{	322	{
@@ -399,14 +342,23 @@ static void sp_256_mont_tpl_10(sp_digit* r, const sp_digit* a, const sp_digit* m
399	sp_256_norm_10(r);	342	sp_256_norm_10(r);
400	}	343	}
401		344
402	/* Subtract two Montgomery form numbers (r = a - b % m) */	345	/* Shift the result in the high 256 bits down to the bottom. */
403	static void sp_256_mont_sub_10(sp_digit* r, const sp_digit* a, const sp_digit* b,	346	static void sp_256_mont_shift_10(sp_digit* r, const sp_digit* a)
404	const sp_digit* m)
405	{	347	{
406	sp_256_sub_10(r, a, b);	348	int i;
407	if (r[9] >> 22)	349	sp_digit n, s;
408	sp_256_add_10(r, r, m);	350
409	sp_256_norm_10(r);	351	s = a[10];
		352	n = a[9] >> 22;
		353	for (i = 0; i < 9; i++) {
		354	n += (s & 0x3ffffff) << 4;
		355	r[i] = n & 0x3ffffff;
		356	n >>= 26;
		357	s = a[11 + i] + (s >> 26);
		358	}
		359	n += s << 4;
		360	r[9] = n;
		361	memset(&r[10], 0, sizeof(r) 10);
410	}	362	}
411		363
412	/* Reduce the number back to 256 bits using Montgomery reduction.	364	/* Reduce the number back to 256 bits using Montgomery reduction.
@@ -449,31 +401,6 @@ static void sp_256_mont_reduce_10(sp_digit* a, const sp_digit* m, sp_digit mp)
449	sp_256_norm_10(a);	401	sp_256_norm_10(a);
450	}	402	}
451		403
452	/* Multiply a and b into r. (r = a * b) */
453	static void sp_256_mul_10(sp_digit* r, const sp_digit* a, const sp_digit* b)
454	{
455	int i, j, k;
456	int64_t c;
457
458	c = ((int64_t)a[9]) * b[9];
459	r[19] = (sp_digit)(c >> 26);
460	c = (c & 0x3ffffff) << 26;
461	for (k = 17; k >= 0; k--) {
462	for (i = 9; i >= 0; i--) {
463	j = k - i;
464	if (j >= 10)
465	break;
466	if (j < 0)
467	continue;
468	c += ((int64_t)a[i]) * b[j];
469	}
470	r[k + 2] += c >> 52;
471	r[k + 1] = (c >> 26) & 0x3ffffff;
472	c = (c & 0x3ffffff) << 26;
473	}
474	r[0] = (sp_digit)(c >> 26);
475	}
476
477	/* Multiply two Montogmery form numbers mod the modulus (prime).	404	/* Multiply two Montogmery form numbers mod the modulus (prime).
478	* (r = a * b mod m)	405	* (r = a * b mod m)
479	*	406	*
@@ -490,33 +417,6 @@ static void sp_256_mont_mul_10(sp_digit* r, const sp_digit* a, const sp_digit* b
490	sp_256_mont_reduce_10(r, m, mp);	417	sp_256_mont_reduce_10(r, m, mp);
491	}	418	}
492		419
493	/* Square a and put result in r. (r = a * a) */
494	static void sp_256_sqr_10(sp_digit* r, const sp_digit* a)
495	{
496	int i, j, k;
497	int64_t c;
498
499	c = ((int64_t)a[9]) * a[9];
500	r[19] = (sp_digit)(c >> 26);
501	c = (c & 0x3ffffff) << 26;
502	for (k = 17; k >= 0; k--) {
503	for (i = 9; i >= 0; i--) {
504	j = k - i;
505	if (j >= 10 \|\| i <= j)
506	break;
507	if (j < 0)
508	continue;
509	c += ((int64_t)a[i]) * a[j] * 2;
510	}
511	if (i == j)
512	c += ((int64_t)a[i]) * a[i];
513	r[k + 2] += c >> 52;
514	r[k + 1] = (c >> 26) & 0x3ffffff;
515	c = (c & 0x3ffffff) << 26;
516	}
517	r[0] = (sp_digit)(c >> 26);
518	}
519
520	/* Square the Montgomery form number. (r = a * a mod m)	420	/* Square the Montgomery form number. (r = a * a mod m)
521	*	421	*
522	* r Result of squaring.	422	* r Result of squaring.
@@ -564,6 +464,106 @@ static void sp_256_mont_inv_10(sp_digit* r, sp_digit* a)
564	memcpy(r, t, sizeof(sp_digit) * 10);	464	memcpy(r, t, sizeof(sp_digit) * 10);
565	}	465	}
566		466
		467	/* Multiply a number by Montogmery normalizer mod modulus (prime).
		468	*
		469	* r The resulting Montgomery form number.
		470	* a The number to convert.
		471	*/
		472	static void sp_256_mod_mul_norm_10(sp_digit* r, const sp_digit* a)
		473	{
		474	int64_t t[8];
		475	int64_t a32[8];
		476	int64_t o;
		477
		478	a32[0] = a[0];
		479	a32[0] \|= a[1] << 26;
		480	a32[0] &= 0xffffffff;
		481	a32[1] = (sp_digit)(a[1] >> 6);
		482	a32[1] \|= a[2] << 20;
		483	a32[1] &= 0xffffffff;
		484	a32[2] = (sp_digit)(a[2] >> 12);
		485	a32[2] \|= a[3] << 14;
		486	a32[2] &= 0xffffffff;
		487	a32[3] = (sp_digit)(a[3] >> 18);
		488	a32[3] \|= a[4] << 8;
		489	a32[3] &= 0xffffffff;
		490	a32[4] = (sp_digit)(a[4] >> 24);
		491	a32[4] \|= a[5] << 2;
		492	a32[4] \|= a[6] << 28;
		493	a32[4] &= 0xffffffff;
		494	a32[5] = (sp_digit)(a[6] >> 4);
		495	a32[5] \|= a[7] << 22;
		496	a32[5] &= 0xffffffff;
		497	a32[6] = (sp_digit)(a[7] >> 10);
		498	a32[6] \|= a[8] << 16;
		499	a32[6] &= 0xffffffff;
		500	a32[7] = (sp_digit)(a[8] >> 16);
		501	a32[7] \|= a[9] << 10;
		502	a32[7] &= 0xffffffff;
		503
		504	/* 1 1 0 -1 -1 -1 -1 0 */
		505	t[0] = 0 + a32[0] + a32[1] - a32[3] - a32[4] - a32[5] - a32[6];
		506	/* 0 1 1 0 -1 -1 -1 -1 */
		507	t[1] = 0 + a32[1] + a32[2] - a32[4] - a32[5] - a32[6] - a32[7];
		508	/* 0 0 1 1 0 -1 -1 -1 */
		509	t[2] = 0 + a32[2] + a32[3] - a32[5] - a32[6] - a32[7];
		510	/* -1 -1 0 2 2 1 0 -1 */
		511	t[3] = 0 - a32[0] - a32[1] + 2 * a32[3] + 2 * a32[4] + a32[5] - a32[7];
		512	/* 0 -1 -1 0 2 2 1 0 */
		513	t[4] = 0 - a32[1] - a32[2] + 2 * a32[4] + 2 * a32[5] + a32[6];
		514	/* 0 0 -1 -1 0 2 2 1 */
		515	t[5] = 0 - a32[2] - a32[3] + 2 * a32[5] + 2 * a32[6] + a32[7];
		516	/* -1 -1 0 0 0 1 3 2 */
		517	t[6] = 0 - a32[0] - a32[1] + a32[5] + 3 * a32[6] + 2 * a32[7];
		518	/* 1 0 -1 -1 -1 -1 0 3 */
		519	t[7] = 0 + a32[0] - a32[2] - a32[3] - a32[4] - a32[5] + 3 * a32[7];
		520
		521	t[1] += t[0] >> 32; t[0] &= 0xffffffff;
		522	t[2] += t[1] >> 32; t[1] &= 0xffffffff;
		523	t[3] += t[2] >> 32; t[2] &= 0xffffffff;
		524	t[4] += t[3] >> 32; t[3] &= 0xffffffff;
		525	t[5] += t[4] >> 32; t[4] &= 0xffffffff;
		526	t[6] += t[5] >> 32; t[5] &= 0xffffffff;
		527	t[7] += t[6] >> 32; t[6] &= 0xffffffff;
		528	o = t[7] >> 32; t[7] &= 0xffffffff;
		529	t[0] += o;
		530	t[3] -= o;
		531	t[6] -= o;
		532	t[7] += o;
		533	t[1] += t[0] >> 32; t[0] &= 0xffffffff;
		534	t[2] += t[1] >> 32; t[1] &= 0xffffffff;
		535	t[3] += t[2] >> 32; t[2] &= 0xffffffff;
		536	t[4] += t[3] >> 32; t[3] &= 0xffffffff;
		537	t[5] += t[4] >> 32; t[4] &= 0xffffffff;
		538	t[6] += t[5] >> 32; t[5] &= 0xffffffff;
		539	t[7] += t[6] >> 32; t[6] &= 0xffffffff;
		540
		541	r[0] = (sp_digit)(t[0]) & 0x3ffffff;
		542	r[1] = (sp_digit)(t[0] >> 26);
		543	r[1] \|= t[1] << 6;
		544	r[1] &= 0x3ffffff;
		545	r[2] = (sp_digit)(t[1] >> 20);
		546	r[2] \|= t[2] << 12;
		547	r[2] &= 0x3ffffff;
		548	r[3] = (sp_digit)(t[2] >> 14);
		549	r[3] \|= t[3] << 18;
		550	r[3] &= 0x3ffffff;
		551	r[4] = (sp_digit)(t[3] >> 8);
		552	r[4] \|= t[4] << 24;
		553	r[4] &= 0x3ffffff;
		554	r[5] = (sp_digit)(t[4] >> 2) & 0x3ffffff;
		555	r[6] = (sp_digit)(t[4] >> 28);
		556	r[6] \|= t[5] << 4;
		557	r[6] &= 0x3ffffff;
		558	r[7] = (sp_digit)(t[5] >> 22);
		559	r[7] \|= t[6] << 10;
		560	r[7] &= 0x3ffffff;
		561	r[8] = (sp_digit)(t[6] >> 16);
		562	r[8] \|= t[7] << 16;
		563	r[8] &= 0x3ffffff;
		564	r[9] = (sp_digit)(t[7] >> 10);
		565	}
		566
567	/* Map the Montgomery form projective co-ordinate point to an affine point.	567	/* Map the Montgomery form projective co-ordinate point to an affine point.
568	*	568	*
569	* r Resulting affine co-ordinate point.	569	* r Resulting affine co-ordinate point.
@@ -808,7 +808,7 @@ static void sp_256_ecc_mulmod_base_10(sp_point* r, sp_digit* k /, int map/)
808	* pub2x32 Point to multiply.	808	* pub2x32 Point to multiply.
809	* out32 Buffer to hold X ordinate.	809	* out32 Buffer to hold X ordinate.
810	*/	810	*/
811	static void sp_ecc_secret_gen_256(sp_digit priv[10], const uint8_t pub2x32, uint8_t out32)	811	static void sp_ecc_secret_gen_256(const sp_digit priv[10], const uint8_t pub2x32, uint8_t out32)
812	{	812	{
813	sp_point point[1];	813	sp_point point[1];
814		814