summaryrefslogtreecommitdiff
path: root/src/lib/libc
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/mlkem/mlkem1024.c5
-rw-r--r--src/lib/libcrypto/mlkem/mlkem768.c5
2 files changed, 6 insertions, 4 deletions
diff --git a/src/lib/libcrypto/mlkem/mlkem1024.c b/src/lib/libcrypto/mlkem/mlkem1024.c
index d016a1de15..b3cacc828b 100644
--- a/src/lib/libcrypto/mlkem/mlkem1024.c
+++ b/src/lib/libcrypto/mlkem/mlkem1024.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: mlkem1024.c,v 1.3 2024/12/17 17:06:10 beck Exp $ */ 1/* $OpenBSD: mlkem1024.c,v 1.4 2024/12/18 10:55:21 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2024, Google Inc. 3 * Copyright (c) 2024, Google Inc.
4 * Copyright (c) 2024, Bob Beck <beck@obtuse.com> 4 * Copyright (c) 2024, Bob Beck <beck@obtuse.com>
@@ -188,7 +188,7 @@ reduce_once(uint16_t x)
188 * value to transit through a general-purpose register). On AArch64, this 188 * value to transit through a general-purpose register). On AArch64, this
189 * is a difference of 2x. 189 * is a difference of 2x.
190 * 190 *
191 * We usually add value barriers to selects because Clang turns 191 * We usually add value barriers to selects because Clang turns
192 * consecutive selects with the same condition into a branch instead of 192 * consecutive selects with the same condition into a branch instead of
193 * CMOV/CSEL. This condition does not occur in ML-KEM, so omitting it 193 * CMOV/CSEL. This condition does not occur in ML-KEM, so omitting it
194 * seems to be safe so far but see 194 * seems to be safe so far but see
@@ -477,6 +477,7 @@ scalar_centered_binomial_distribution_eta_2_with_prf(scalar *out,
477 uint16_t value = (byte & 1) + ((byte >> 1) & 1); 477 uint16_t value = (byte & 1) + ((byte >> 1) & 1);
478 478
479 value -= ((byte >> 2) & 1) + ((byte >> 3) & 1); 479 value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);
480
480 /* 481 /*
481 * Add |kPrime| if |value| underflowed. See |reduce_once| for a 482 * Add |kPrime| if |value| underflowed. See |reduce_once| for a
482 * discussion on why the value barrier is omitted. While this 483 * discussion on why the value barrier is omitted. While this
diff --git a/src/lib/libcrypto/mlkem/mlkem768.c b/src/lib/libcrypto/mlkem/mlkem768.c
index 4f8affaf60..040118cafc 100644
--- a/src/lib/libcrypto/mlkem/mlkem768.c
+++ b/src/lib/libcrypto/mlkem/mlkem768.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: mlkem768.c,v 1.4 2024/12/17 17:06:10 beck Exp $ */ 1/* $OpenBSD: mlkem768.c,v 1.5 2024/12/18 10:55:21 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2024, Google Inc. 3 * Copyright (c) 2024, Google Inc.
4 * Copyright (c) 2024, Bob Beck <beck@obtuse.com> 4 * Copyright (c) 2024, Bob Beck <beck@obtuse.com>
@@ -187,7 +187,7 @@ reduce_once(uint16_t x)
187 * value to transit through a general-purpose register). On AArch64, this 187 * value to transit through a general-purpose register). On AArch64, this
188 * is a difference of 2x. 188 * is a difference of 2x.
189 * 189 *
190 * We usually add value barriers to selects because Clang turns 190 * We usually add value barriers to selects because Clang turns
191 * consecutive selects with the same condition into a branch instead of 191 * consecutive selects with the same condition into a branch instead of
192 * CMOV/CSEL. This condition does not occur in ML-KEM, so omitting it 192 * CMOV/CSEL. This condition does not occur in ML-KEM, so omitting it
193 * seems to be safe so far but see 193 * seems to be safe so far but see
@@ -476,6 +476,7 @@ scalar_centered_binomial_distribution_eta_2_with_prf(scalar *out,
476 uint16_t value = (byte & 1) + ((byte >> 1) & 1); 476 uint16_t value = (byte & 1) + ((byte >> 1) & 1);
477 477
478 value -= ((byte >> 2) & 1) + ((byte >> 3) & 1); 478 value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);
479
479 /* 480 /*
480 * Add |kPrime| if |value| underflowed. See |reduce_once| for a 481 * Add |kPrime| if |value| underflowed. See |reduce_once| for a
481 * discussion on why the value barrier is omitted. While this 482 * discussion on why the value barrier is omitted. While this
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-31 13:15:06 +0000