Diffstat (limited to 'src/lib/libcrypto/curve25519/curve25519.c')
-rw-r--r--src/lib/libcrypto/curve25519/curve25519.c243
1 files changed, 127 insertions, 116 deletions
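--- a/src/lib/libcrypto/curve25519/curve25519.c
+++ b/src/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: curve25519.c,v 1.16 2023/07/08 15:12:49 beck Exp $ */
+/* $OpenBSD: curve25519.c,v 1.18 2025/07/29 10:52:20 tb Exp $ */
 /*
  * Copyright (c) 2015, Google Inc.
  *
@@ -3781,6 +3781,17 @@ ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
   }
 }
 
+/*
+ * int64_lshift21 returns |a << 21| but is defined when shifting bits into the
+ * sign bit. This works around a language flaw in C.
+ *
+ * XXX: This is a hack to avoid undefined behavior when shifting into the sign bit.
+ * We match BoringSSL's implementation here.
+ */
+static inline int64_t int64_lshift21(int64_t a) {
+  return (int64_t)((uint64_t)a << 21);
+}
+
 /* The set of scalars is \Z/l
  * where l = 2^252 + 27742317777372353535851937790883648493. */
 
@@ -3885,38 +3896,38 @@ x25519_sc_reduce(uint8_t *s) {
 
   carry6 = (s6 + (1 << 20)) >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry8 = (s8 + (1 << 20)) >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry10 = (s10 + (1 << 20)) >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
   carry12 = (s12 + (1 << 20)) >> 21;
   s13 += carry12;
-  s12 -= carry12 << 21;
+  s12 -= int64_lshift21(carry12);
   carry14 = (s14 + (1 << 20)) >> 21;
   s15 += carry14;
-  s14 -= carry14 << 21;
+  s14 -= int64_lshift21(carry14);
   carry16 = (s16 + (1 << 20)) >> 21;
   s17 += carry16;
-  s16 -= carry16 << 21;
+  s16 -= int64_lshift21(carry16);
 
   carry7 = (s7 + (1 << 20)) >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry9 = (s9 + (1 << 20)) >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry11 = (s11 + (1 << 20)) >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
   carry13 = (s13 + (1 << 20)) >> 21;
   s14 += carry13;
-  s13 -= carry13 << 21;
+  s13 -= int64_lshift21(carry13);
   carry15 = (s15 + (1 << 20)) >> 21;
   s16 += carry15;
-  s15 -= carry15 << 21;
+  s15 -= int64_lshift21(carry15);
 
   s5 += s17 * 666643;
   s6 += s17 * 470296;
@@ -3968,41 +3979,41 @@ x25519_sc_reduce(uint8_t *s) {
 
   carry0 = (s0 + (1 << 20)) >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry2 = (s2 + (1 << 20)) >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry4 = (s4 + (1 << 20)) >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry6 = (s6 + (1 << 20)) >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry8 = (s8 + (1 << 20)) >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry10 = (s10 + (1 << 20)) >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
 
   carry1 = (s1 + (1 << 20)) >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry3 = (s3 + (1 << 20)) >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry5 = (s5 + (1 << 20)) >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry7 = (s7 + (1 << 20)) >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry9 = (s9 + (1 << 20)) >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry11 = (s11 + (1 << 20)) >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
 
   s0 += s12 * 666643;
   s1 += s12 * 470296;
@@ -4014,40 +4025,40 @@ x25519_sc_reduce(uint8_t *s) {
 
   carry0 = s0 >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry1 = s1 >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry2 = s2 >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry3 = s3 >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry4 = s4 >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry5 = s5 >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry6 = s6 >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry7 = s7 >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry8 = s8 >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry9 = s9 >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry10 = s10 >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
   carry11 = s11 >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
 
   s0 += s12 * 666643;
   s1 += s12 * 470296;
@@ -4059,37 +4070,37 @@ x25519_sc_reduce(uint8_t *s) {
 
   carry0 = s0 >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry1 = s1 >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry2 = s2 >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry3 = s3 >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry4 = s4 >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry5 = s5 >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry6 = s6 >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry7 = s7 >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry8 = s8 >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry9 = s9 >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry10 = s10 >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
 
   s[0] = s0 >> 0;
   s[1] = s0 >> 8;
@@ -4257,74 +4268,74 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 
   carry0 = (s0 + (1 << 20)) >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry2 = (s2 + (1 << 20)) >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry4 = (s4 + (1 << 20)) >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry6 = (s6 + (1 << 20)) >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry8 = (s8 + (1 << 20)) >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry10 = (s10 + (1 << 20)) >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
   carry12 = (s12 + (1 << 20)) >> 21;
   s13 += carry12;
-  s12 -= carry12 << 21;
+  s12 -= int64_lshift21(carry12);
   carry14 = (s14 + (1 << 20)) >> 21;
   s15 += carry14;
-  s14 -= carry14 << 21;
+  s14 -= int64_lshift21(carry14);
   carry16 = (s16 + (1 << 20)) >> 21;
   s17 += carry16;
-  s16 -= carry16 << 21;
+  s16 -= int64_lshift21(carry16);
   carry18 = (s18 + (1 << 20)) >> 21;
   s19 += carry18;
-  s18 -= carry18 << 21;
+  s18 -= int64_lshift21(carry18);
   carry20 = (s20 + (1 << 20)) >> 21;
   s21 += carry20;
-  s20 -= carry20 << 21;
+  s20 -= int64_lshift21(carry20);
   carry22 = (s22 + (1 << 20)) >> 21;
   s23 += carry22;
-  s22 -= carry22 << 21;
+  s22 -= int64_lshift21(carry22);
 
   carry1 = (s1 + (1 << 20)) >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry3 = (s3 + (1 << 20)) >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry5 = (s5 + (1 << 20)) >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry7 = (s7 + (1 << 20)) >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry9 = (s9 + (1 << 20)) >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry11 = (s11 + (1 << 20)) >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
   carry13 = (s13 + (1 << 20)) >> 21;
   s14 += carry13;
-  s13 -= carry13 << 21;
+  s13 -= int64_lshift21(carry13);
   carry15 = (s15 + (1 << 20)) >> 21;
   s16 += carry15;
-  s15 -= carry15 << 21;
+  s15 -= int64_lshift21(carry15);
   carry17 = (s17 + (1 << 20)) >> 21;
   s18 += carry17;
-  s17 -= carry17 << 21;
+  s17 -= int64_lshift21(carry17);
   carry19 = (s19 + (1 << 20)) >> 21;
   s20 += carry19;
-  s19 -= carry19 << 21;
+  s19 -= int64_lshift21(carry19);
   carry21 = (s21 + (1 << 20)) >> 21;
   s22 += carry21;
-  s21 -= carry21 << 21;
+  s21 -= int64_lshift21(carry21);
 
   s11 += s23 * 666643;
   s12 += s23 * 470296;
@@ -4376,38 +4387,38 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 
   carry6 = (s6 + (1 << 20)) >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry8 = (s8 + (1 << 20)) >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry10 = (s10 + (1 << 20)) >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
   carry12 = (s12 + (1 << 20)) >> 21;
   s13 += carry12;
-  s12 -= carry12 << 21;
+  s12 -= int64_lshift21(carry12);
   carry14 = (s14 + (1 << 20)) >> 21;
   s15 += carry14;
-  s14 -= carry14 << 21;
+  s14 -= int64_lshift21(carry14);
   carry16 = (s16 + (1 << 20)) >> 21;
   s17 += carry16;
-  s16 -= carry16 << 21;
+  s16 -= int64_lshift21(carry16);
 
   carry7 = (s7 + (1 << 20)) >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry9 = (s9 + (1 << 20)) >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry11 = (s11 + (1 << 20)) >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
   carry13 = (s13 + (1 << 20)) >> 21;
   s14 += carry13;
-  s13 -= carry13 << 21;
+  s13 -= int64_lshift21(carry13);
   carry15 = (s15 + (1 << 20)) >> 21;
   s16 += carry15;
-  s15 -= carry15 << 21;
+  s15 -= int64_lshift21(carry15);
 
   s5 += s17 * 666643;
   s6 += s17 * 470296;
@@ -4459,41 +4470,41 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 
   carry0 = (s0 + (1 << 20)) >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry2 = (s2 + (1 << 20)) >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry4 = (s4 + (1 << 20)) >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry6 = (s6 + (1 << 20)) >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry8 = (s8 + (1 << 20)) >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry10 = (s10 + (1 << 20)) >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
 
   carry1 = (s1 + (1 << 20)) >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry3 = (s3 + (1 << 20)) >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry5 = (s5 + (1 << 20)) >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry7 = (s7 + (1 << 20)) >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry9 = (s9 + (1 << 20)) >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry11 = (s11 + (1 << 20)) >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
 
   s0 += s12 * 666643;
   s1 += s12 * 470296;
@@ -4505,40 +4516,40 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 
   carry0 = s0 >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry1 = s1 >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry2 = s2 >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry3 = s3 >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry4 = s4 >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry5 = s5 >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry6 = s6 >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry7 = s7 >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry8 = s8 >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry9 = s9 >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry10 = s10 >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
   carry11 = s11 >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
 
   s0 += s12 * 666643;
   s1 += s12 * 470296;
@@ -4550,37 +4561,37 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 
   carry0 = s0 >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry1 = s1 >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry2 = s2 >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry3 = s3 >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry4 = s4 >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry5 = s5 >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry6 = s6 >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry7 = s7 >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry8 = s8 >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry9 = s9 >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry10 = s10 >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
 
   s[0] = s0 >> 0;
   s[1] = s0 >> 8;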
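Review bot: The signed right shifts that produce the carries fed into the new helper, e.g. `carry6 = (s6 + (1 << 20)) >> 21;` at the top of the first x25519_sc_reduce hunk and `carry0 = s0 >> 21;` in the later ones, are still implementation-defined for negative operands (C11 6.5.7p5), so the commit removes the undefined left shift but leaves the reduction relying on the compiler implementing `>>` as an arithmetic shift. That remaining assumption deserves to be stated next to the helper, e.g. extend its comment with `* Callers also rely on >> of a negative int64_t being an arithmetic shift, which C leaves implementation-defined.`. The round trip through uint64_t in int64_lshift21 is itself implementation-defined for results outside the int64_t range (C11 6.3.1.3p3) rather than undefined, so the "avoid undefined behavior" wording in the new comment is slightly imprecise, though two's-complement wraparound is what the supported toolchains do. The same observation applies to every hunk in x25519_sc_reduce and sc_muladd; both functions start and end outside the hunks shown.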