Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/ec/ecp_nistp224.c72
1 files changed, 36 insertions, 36 deletions
diff --git a/src/lib/libcrypto/ec/ecp_nistp224.c b/src/lib/libcrypto/ec/ecp_nistp224.c
index 10ade9dbb5..4ed45df896 100644
--- a/src/lib/libcrypto/ec/ecp_nistp224.c
+++ b/src/lib/libcrypto/ec/ecp_nistp224.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ecp_nistp224.c,v 1.25 2021/04/20 17:28:18 tb Exp $ */ 1/* $OpenBSD: ecp_nistp224.c,v 1.26 2021/04/20 17:38:02 tb Exp $ */
2/* 2/*
3 * Written by Emilia Kasper (Google) for the OpenSSL project. 3 * Written by Emilia Kasper (Google) for the OpenSSL project.
4 */ 4 */
@@ -278,7 +278,7 @@ EC_GFp_nistp224_method(void)
278} 278}
279 279
280/* Helper functions to convert field elements to/from internal representation */ 280/* Helper functions to convert field elements to/from internal representation */
281static void 281static void
282bin28_to_felem(felem out, const u8 in[28]) 282bin28_to_felem(felem out, const u8 in[28])
283{ 283{
284 out[0] = *((const uint64_t *) (in)) & 0x00ffffffffffffff; 284 out[0] = *((const uint64_t *) (in)) & 0x00ffffffffffffff;
@@ -287,7 +287,7 @@ bin28_to_felem(felem out, const u8 in[28])
287 out[3] = (*((const uint64_t *) (in + 21))) & 0x00ffffffffffffff; 287 out[3] = (*((const uint64_t *) (in + 21))) & 0x00ffffffffffffff;
288} 288}
289 289
290static void 290static void
291felem_to_bin28(u8 out[28], const felem in) 291felem_to_bin28(u8 out[28], const felem in)
292{ 292{
293 unsigned i; 293 unsigned i;
@@ -300,7 +300,7 @@ felem_to_bin28(u8 out[28], const felem in)
300} 300}
301 301
302/* To preserve endianness when using BN_bn2bin and BN_bin2bn */ 302/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
303static void 303static void
304flip_endian(u8 * out, const u8 * in, unsigned len) 304flip_endian(u8 * out, const u8 * in, unsigned len)
305{ 305{
306 unsigned i; 306 unsigned i;
@@ -309,7 +309,7 @@ flip_endian(u8 * out, const u8 * in, unsigned len)
309} 309}
310 310
311/* From OpenSSL BIGNUM to internal representation */ 311/* From OpenSSL BIGNUM to internal representation */
312static int 312static int
313BN_to_felem(felem out, const BIGNUM * bn) 313BN_to_felem(felem out, const BIGNUM * bn)
314{ 314{
315 felem_bytearray b_in; 315 felem_bytearray b_in;
@@ -353,7 +353,7 @@ felem_to_BN(BIGNUM * out, const felem in)
353 * 353 *
354 */ 354 */
355 355
356static void 356static void
357felem_one(felem out) 357felem_one(felem out)
358{ 358{
359 out[0] = 1; 359 out[0] = 1;
@@ -362,7 +362,7 @@ felem_one(felem out)
362 out[3] = 0; 362 out[3] = 0;
363} 363}
364 364
365static void 365static void
366felem_assign(felem out, const felem in) 366felem_assign(felem out, const felem in)
367{ 367{
368 out[0] = in[0]; 368 out[0] = in[0];
@@ -372,7 +372,7 @@ felem_assign(felem out, const felem in)
372} 372}
373 373
374/* Sum two field elements: out += in */ 374/* Sum two field elements: out += in */
375static void 375static void
376felem_sum(felem out, const felem in) 376felem_sum(felem out, const felem in)
377{ 377{
378 out[0] += in[0]; 378 out[0] += in[0];
@@ -383,7 +383,7 @@ felem_sum(felem out, const felem in)
383 383
384/* Get negative value: out = -in */ 384/* Get negative value: out = -in */
385/* Assumes in[i] < 2^57 */ 385/* Assumes in[i] < 2^57 */
386static void 386static void
387felem_neg(felem out, const felem in) 387felem_neg(felem out, const felem in)
388{ 388{
389 static const limb two58p2 = (((limb) 1) << 58) + (((limb) 1) << 2); 389 static const limb two58p2 = (((limb) 1) << 58) + (((limb) 1) << 2);
@@ -400,7 +400,7 @@ felem_neg(felem out, const felem in)
400 400
401/* Subtract field elements: out -= in */ 401/* Subtract field elements: out -= in */
402/* Assumes in[i] < 2^57 */ 402/* Assumes in[i] < 2^57 */
403static void 403static void
404felem_diff(felem out, const felem in) 404felem_diff(felem out, const felem in)
405{ 405{
406 static const limb two58p2 = (((limb) 1) << 58) + (((limb) 1) << 2); 406 static const limb two58p2 = (((limb) 1) << 58) + (((limb) 1) << 2);
@@ -422,7 +422,7 @@ felem_diff(felem out, const felem in)
422 422
423/* Subtract in unreduced 128-bit mode: out -= in */ 423/* Subtract in unreduced 128-bit mode: out -= in */
424/* Assumes in[i] < 2^119 */ 424/* Assumes in[i] < 2^119 */
425static void 425static void
426widefelem_diff(widefelem out, const widefelem in) 426widefelem_diff(widefelem out, const widefelem in)
427{ 427{
428 static const widelimb two120 = ((widelimb) 1) << 120; 428 static const widelimb two120 = ((widelimb) 1) << 120;
@@ -451,7 +451,7 @@ widefelem_diff(widefelem out, const widefelem in)
451 451
452/* Subtract in mixed mode: out128 -= in64 */ 452/* Subtract in mixed mode: out128 -= in64 */
453/* in[i] < 2^63 */ 453/* in[i] < 2^63 */
454static void 454static void
455felem_diff_128_64(widefelem out, const felem in) 455felem_diff_128_64(widefelem out, const felem in)
456{ 456{
457 static const widelimb two64p8 = (((widelimb) 1) << 64) + 457 static const widelimb two64p8 = (((widelimb) 1) << 64) +
@@ -475,7 +475,7 @@ felem_diff_128_64(widefelem out, const felem in)
475 475
476/* Multiply a field element by a scalar: out = out * scalar 476/* Multiply a field element by a scalar: out = out * scalar
477 * The scalars we actually use are small, so results fit without overflow */ 477 * The scalars we actually use are small, so results fit without overflow */
478static void 478static void
479felem_scalar(felem out, const limb scalar) 479felem_scalar(felem out, const limb scalar)
480{ 480{
481 out[0] *= scalar; 481 out[0] *= scalar;
@@ -486,7 +486,7 @@ felem_scalar(felem out, const limb scalar)
486 486
487/* Multiply an unreduced field element by a scalar: out = out * scalar 487/* Multiply an unreduced field element by a scalar: out = out * scalar
488 * The scalars we actually use are small, so results fit without overflow */ 488 * The scalars we actually use are small, so results fit without overflow */
489static void 489static void
490widefelem_scalar(widefelem out, const widelimb scalar) 490widefelem_scalar(widefelem out, const widelimb scalar)
491{ 491{
492 out[0] *= scalar; 492 out[0] *= scalar;
@@ -499,7 +499,7 @@ widefelem_scalar(widefelem out, const widelimb scalar)
499} 499}
500 500
501/* Square a field element: out = in^2 */ 501/* Square a field element: out = in^2 */
502static void 502static void
503felem_square(widefelem out, const felem in) 503felem_square(widefelem out, const felem in)
504{ 504{
505 limb tmp0, tmp1, tmp2; 505 limb tmp0, tmp1, tmp2;
@@ -517,7 +517,7 @@ felem_square(widefelem out, const felem in)
517} 517}
518 518
519/* Multiply two field elements: out = in1 * in2 */ 519/* Multiply two field elements: out = in1 * in2 */
520static void 520static void
521felem_mul(widefelem out, const felem in1, const felem in2) 521felem_mul(widefelem out, const felem in1, const felem in2)
522{ 522{
523 out[0] = ((widelimb) in1[0]) * in2[0]; 523 out[0] = ((widelimb) in1[0]) * in2[0];
@@ -535,7 +535,7 @@ felem_mul(widefelem out, const felem in1, const felem in2)
535/* Reduce seven 128-bit coefficients to four 64-bit coefficients. 535/* Reduce seven 128-bit coefficients to four 64-bit coefficients.
536 * Requires in[i] < 2^126, 536 * Requires in[i] < 2^126,
537 * ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16 */ 537 * ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16 */
538static void 538static void
539felem_reduce(felem out, const widefelem in) 539felem_reduce(felem out, const widefelem in)
540{ 540{
541 static const widelimb two127p15 = (((widelimb) 1) << 127) + 541 static const widelimb two127p15 = (((widelimb) 1) << 127) +
@@ -599,7 +599,7 @@ felem_reduce(felem out, const widefelem in)
599 out[3] = output[3]; 599 out[3] = output[3];
600} 600}
601 601
602static void 602static void
603felem_square_reduce(felem out, const felem in) 603felem_square_reduce(felem out, const felem in)
604{ 604{
605 widefelem tmp; 605 widefelem tmp;
@@ -607,7 +607,7 @@ felem_square_reduce(felem out, const felem in)
607 felem_reduce(out, tmp); 607 felem_reduce(out, tmp);
608} 608}
609 609
610static void 610static void
611felem_mul_reduce(felem out, const felem in1, const felem in2) 611felem_mul_reduce(felem out, const felem in1, const felem in2)
612{ 612{
613 widefelem tmp; 613 widefelem tmp;
@@ -617,7 +617,7 @@ felem_mul_reduce(felem out, const felem in1, const felem in2)
617 617
618/* Reduce to unique minimal representation. 618/* Reduce to unique minimal representation.
619 * Requires 0 <= in < 2*p (always call felem_reduce first) */ 619 * Requires 0 <= in < 2*p (always call felem_reduce first) */
620static void 620static void
621felem_contract(felem out, const felem in) 621felem_contract(felem out, const felem in)
622{ 622{
623 static const int64_t two56 = ((limb) 1) << 56; 623 static const int64_t two56 = ((limb) 1) << 56;
@@ -674,7 +674,7 @@ felem_contract(felem out, const felem in)
674 * We know that field elements are reduced to in < 2^225, 674 * We know that field elements are reduced to in < 2^225,
675 * so we only need to check three cases: 0, 2^224 - 2^96 + 1, 675 * so we only need to check three cases: 0, 2^224 - 2^96 + 1,
676 * and 2^225 - 2^97 + 2 */ 676 * and 2^225 - 2^97 + 2 */
677static limb 677static limb
678felem_is_zero(const felem in) 678felem_is_zero(const felem in)
679{ 679{
680 limb zero, two224m96p1, two225m97p2; 680 limb zero, two224m96p1, two225m97p2;
@@ -690,7 +690,7 @@ felem_is_zero(const felem in)
690 return (zero | two224m96p1 | two225m97p2); 690 return (zero | two224m96p1 | two225m97p2);
691} 691}
692 692
693static limb 693static limb
694felem_is_zero_int(const felem in) 694felem_is_zero_int(const felem in)
695{ 695{
696 return (int) (felem_is_zero(in) & ((limb) 1)); 696 return (int) (felem_is_zero(in) & ((limb) 1));
@@ -698,7 +698,7 @@ felem_is_zero_int(const felem in)
698 698
699/* Invert a field element */ 699/* Invert a field element */
700/* Computation chain copied from djb's code */ 700/* Computation chain copied from djb's code */
701static void 701static void
702felem_inv(felem out, const felem in) 702felem_inv(felem out, const felem in)
703{ 703{
704 felem ftmp, ftmp2, ftmp3, ftmp4; 704 felem ftmp, ftmp2, ftmp3, ftmp4;
@@ -897,7 +897,7 @@ point_double(felem x_out, felem y_out, felem z_out,
897 * (while not equal to the point at infinity). 897 * (while not equal to the point at infinity).
898 * This case never happens during single point multiplication, 898 * This case never happens during single point multiplication,
899 * so there is no timing leak for ECDH or ECDSA signing. */ 899 * so there is no timing leak for ECDH or ECDSA signing. */
900static void 900static void
901point_add(felem x3, felem y3, felem z3, 901point_add(felem x3, felem y3, felem z3,
902 const felem x1, const felem y1, const felem z1, 902 const felem x1, const felem y1, const felem z1,
903 const int mixed, const felem x2, const felem y2, const felem z2) 903 const int mixed, const felem x2, const felem y2, const felem z2)
@@ -1057,7 +1057,7 @@ point_add(felem x3, felem y3, felem z3,
1057 1057
1058/* select_point selects the |idx|th point from a precomputation table and 1058/* select_point selects the |idx|th point from a precomputation table and
1059 * copies it to out. */ 1059 * copies it to out. */
1060static void 1060static void
1061select_point(const u64 idx, unsigned int size, const felem pre_comp[ /* size */ ][3], felem out[3]) 1061select_point(const u64 idx, unsigned int size, const felem pre_comp[ /* size */ ][3], felem out[3])
1062{ 1062{
1063 unsigned i, j; 1063 unsigned i, j;
@@ -1078,7 +1078,7 @@ select_point(const u64 idx, unsigned int size, const felem pre_comp[ /* size */
1078} 1078}
1079 1079
1080/* get_bit returns the |i|th bit in |in| */ 1080/* get_bit returns the |i|th bit in |in| */
1081static char 1081static char
1082get_bit(const felem_bytearray in, unsigned i) 1082get_bit(const felem_bytearray in, unsigned i)
1083{ 1083{
1084 if (i >= 224) 1084 if (i >= 224)
@@ -1091,7 +1091,7 @@ get_bit(const felem_bytearray in, unsigned i)
1091 * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple 1091 * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple
1092 * of the generator, using certain (large) precomputed multiples in g_pre_comp. 1092 * of the generator, using certain (large) precomputed multiples in g_pre_comp.
1093 * Output point (X, Y, Z) is stored in x_out, y_out, z_out */ 1093 * Output point (X, Y, Z) is stored in x_out, y_out, z_out */
1094static void 1094static void
1095batch_mul(felem x_out, felem y_out, felem z_out, 1095batch_mul(felem x_out, felem y_out, felem z_out,
1096 const felem_bytearray scalars[], const unsigned num_points, const u8 * g_scalar, 1096 const felem_bytearray scalars[], const unsigned num_points, const u8 * g_scalar,
1097 const int mixed, const felem pre_comp[][17][3], const felem g_pre_comp[2][16][3]) 1097 const int mixed, const felem pre_comp[][17][3], const felem g_pre_comp[2][16][3])
@@ -1211,7 +1211,7 @@ nistp224_pre_comp_dup(void *src_)
1211 return src_; 1211 return src_;
1212} 1212}
1213 1213
1214static void 1214static void
1215nistp224_pre_comp_free(void *pre_) 1215nistp224_pre_comp_free(void *pre_)
1216{ 1216{
1217 int i; 1217 int i;
@@ -1227,7 +1227,7 @@ nistp224_pre_comp_free(void *pre_)
1227 free(pre); 1227 free(pre);
1228} 1228}
1229 1229
1230static void 1230static void
1231nistp224_pre_comp_clear_free(void *pre_) 1231nistp224_pre_comp_clear_free(void *pre_)
1232{ 1232{
1233 int i; 1233 int i;
@@ -1247,7 +1247,7 @@ nistp224_pre_comp_clear_free(void *pre_)
1247/* OPENSSL EC_METHOD FUNCTIONS 1247/* OPENSSL EC_METHOD FUNCTIONS
1248 */ 1248 */
1249 1249
1250int 1250int
1251ec_GFp_nistp224_group_init(EC_GROUP * group) 1251ec_GFp_nistp224_group_init(EC_GROUP * group)
1252{ 1252{
1253 int ret; 1253 int ret;
@@ -1256,7 +1256,7 @@ ec_GFp_nistp224_group_init(EC_GROUP * group)
1256 return ret; 1256 return ret;
1257} 1257}
1258 1258
1259int 1259int
1260ec_GFp_nistp224_group_set_curve(EC_GROUP * group, const BIGNUM * p, 1260ec_GFp_nistp224_group_set_curve(EC_GROUP * group, const BIGNUM * p,
1261 const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx) 1261 const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
1262{ 1262{
@@ -1290,7 +1290,7 @@ ec_GFp_nistp224_group_set_curve(EC_GROUP * group, const BIGNUM * p,
1290 1290
1291/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns 1291/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns
1292 * (X', Y') = (X/Z^2, Y/Z^3) */ 1292 * (X', Y') = (X/Z^2, Y/Z^3) */
1293int 1293int
1294ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP * group, 1294ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP * group,
1295 const EC_POINT * point, BIGNUM * x, BIGNUM * y, BN_CTX * ctx) 1295 const EC_POINT * point, BIGNUM * x, BIGNUM * y, BN_CTX * ctx)
1296{ 1296{
@@ -1330,7 +1330,7 @@ ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP * group,
1330 return 1; 1330 return 1;
1331} 1331}
1332 1332
1333static void 1333static void
1334make_points_affine(size_t num, felem points[ /* num */ ][3], felem tmp_felems[ /* num+1 */ ]) 1334make_points_affine(size_t num, felem points[ /* num */ ][3], felem tmp_felems[ /* num+1 */ ])
1335{ 1335{
1336 /* 1336 /*
@@ -1353,7 +1353,7 @@ make_points_affine(size_t num, felem points[ /* num */ ][3], felem tmp_felems[ /
1353 1353
1354/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values 1354/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values
1355 * Result is stored in r (r can equal one of the inputs). */ 1355 * Result is stored in r (r can equal one of the inputs). */
1356int 1356int
1357ec_GFp_nistp224_points_mul(const EC_GROUP * group, EC_POINT * r, 1357ec_GFp_nistp224_points_mul(const EC_GROUP * group, EC_POINT * r,
1358 const BIGNUM * scalar, size_t num, const EC_POINT * points[], 1358 const BIGNUM * scalar, size_t num, const EC_POINT * points[],
1359 const BIGNUM * scalars[], BN_CTX * ctx) 1359 const BIGNUM * scalars[], BN_CTX * ctx)
@@ -1548,7 +1548,7 @@ ec_GFp_nistp224_points_mul(const EC_GROUP * group, EC_POINT * r,
1548 return ret; 1548 return ret;
1549} 1549}
1550 1550
1551int 1551int
1552ec_GFp_nistp224_precompute_mult(EC_GROUP * group, BN_CTX * ctx) 1552ec_GFp_nistp224_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
1553{ 1553{
1554 int ret = 0; 1554 int ret = 0;
@@ -1675,7 +1675,7 @@ ec_GFp_nistp224_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
1675 return ret; 1675 return ret;
1676} 1676}
1677 1677
1678int 1678int
1679ec_GFp_nistp224_have_precompute_mult(const EC_GROUP * group) 1679ec_GFp_nistp224_have_precompute_mult(const EC_GROUP * group)
1680{ 1680{
1681 if (EC_EX_DATA_get_data(group->extra_data, nistp224_pre_comp_dup, 1681 if (EC_EX_DATA_get_data(group->extra_data, nistp224_pre_comp_dup,