提交 094c071c 编写于 作者: M Matt Caswell

Convert to C90 from C99

Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
上级 bb6e60ad
......@@ -69,15 +69,14 @@ void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) {
}
void gf_mulw_unsigned (gf_s *__restrict__ cs, const gf as, uint32_t b) {
assert(b<1<<28);
const uint32_t *a = as->limb;
uint32_t *c = cs->limb;
uint64_t accum0 = 0, accum8 = 0;
uint32_t mask = (1ull<<28)-1;
uint32_t mask = (1<<28)-1;
int i;
assert(b<1<<28);
FOR_LIMB(i,0,8,{
accum0 += widemul(b, a[i]);
accum8 += widemul(b, a[i+8]);
......
......@@ -3,36 +3,44 @@
*/
#define GF_HEADROOM 2
#define LIMB(x) (x##ull)&((1ull<<28)-1), (x##ull)>>28
#define LIMB(x) (x)&((1<<28)-1), (x)>>28
#define FIELD_LITERAL(a,b,c,d,e,f,g,h) \
{{LIMB(a),LIMB(b),LIMB(c),LIMB(d),LIMB(e),LIMB(f),LIMB(g),LIMB(h)}}
#define LIMB_PLACE_VALUE(i) 28
void gf_add_RAW (gf out, const gf a, const gf b) {
for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
out->limb[i] = a->limb[i] + b->limb[i];
}
}
void gf_sub_RAW (gf out, const gf a, const gf b) {
for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
out->limb[i] = a->limb[i] - b->limb[i];
}
}
void gf_bias (gf a, int amt) {
uint32_t co1 = ((1ull<<28)-1)*amt, co2 = co1-amt;
for (unsigned int i=0; i<sizeof(*a)/sizeof(a->limb[0]); i++) {
void gf_bias (gf a, int amt) {
unsigned int i;
uint32_t co1 = ((1<<28)-1)*amt, co2 = co1-amt;
for (i=0; i<sizeof(*a)/sizeof(a->limb[0]); i++) {
a->limb[i] += (i==sizeof(*a)/sizeof(a->limb[0])/2) ? co2 : co1;
}
}
void gf_weak_reduce (gf a) {
uint32_t mask = (1ull<<28) - 1;
uint32_t mask = (1<<28) - 1;
uint32_t tmp = a->limb[15] >> 28;
unsigned int i;
a->limb[8] += tmp;
for (unsigned int i=15; i>0; i--) {
for (i=15; i>0; i--) {
a->limb[i] = (a->limb[i] & mask) + (a->limb[i-1]>>28);
}
a->limb[0] = (a->limb[0] & mask) + tmp;
......
......@@ -149,6 +149,8 @@ constant_time_lookup (
memset(out, 0, elem_bytes);
for (j=0; j<n_table; j++, big_i-=big_one) {
big_register_t br_mask = br_is_zero(big_i);
word_t mask;
for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) {
if (elem_bytes % sizeof(big_register_t)) {
/* unaligned */
......@@ -160,7 +162,7 @@ constant_time_lookup (
}
}
word_t mask = word_is_zero(idx^j);
mask = word_is_zero(idx^j);
if (elem_bytes % sizeof(big_register_t) >= sizeof(word_t)) {
for (; k<=elem_bytes-sizeof(word_t); k+=sizeof(word_t)) {
if (elem_bytes % sizeof(word_t)) {
......@@ -203,11 +205,11 @@ constant_time_select (
unsigned char *a = (unsigned char *)a_;
const unsigned char *bTrue = (const unsigned char *)bTrue_;
const unsigned char *bFalse = (const unsigned char *)bFalse_;
word_t k;
big_register_t br_mask = br_set_to_mask(mask);
alignment_bytes |= elem_bytes;
word_t k;
big_register_t br_mask = br_set_to_mask(mask);
for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) {
if (alignment_bytes % sizeof(big_register_t)) {
/* unaligned */
......
......@@ -36,11 +36,6 @@ static const curve448_scalar_t precomputed_scalarmul_adjustment = {{{
const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] = { 0x05 };
#define RISTRETTO_FACTOR DECAF_448_RISTRETTO_FACTOR
const gf RISTRETTO_FACTOR = {{{
0x42ef0f45572736, 0x7bf6aa20ce5296, 0xf4fd6eded26033, 0x968c14ba839a66, 0xb8d54b64a2d780, 0x6aa0a1f1a7b8a5, 0x683bf68d722fa2, 0x22d962fbeb24f7
}}};
#define TWISTED_D ((EDWARDS_D)-1)
......@@ -65,13 +60,15 @@ const curve448_precomputed_s *curve448_precomputed_base =
/** Inverse. */
static void
gf_invert(gf y, const gf x, int assert_nonzero) {
mask_t ret;
gf t1, t2;
gf_sqr(t1, x); // o^2
mask_t ret = gf_isr(t2, t1); // +-1/sqrt(o^2) = +-1/o
gf_sqr(t1, x); /* o^2 */
ret = gf_isr(t2, t1); /* +-1/sqrt(o^2) = +-1/o */
(void)ret;
if (assert_nonzero) assert(ret);
gf_sqr(t1, t2);
gf_mul(t2, t1, x); // not direct to y in case of alias.
gf_mul(t2, t1, x); /* not direct to y in case of alias. */
gf_copy(y, t2);
}
......@@ -219,11 +216,13 @@ sub_pniels_from_pt (
}
decaf_bool_t curve448_point_eq ( const curve448_point_t p, const curve448_point_t q ) {
mask_t succ;
/* equality mod 2-torsion compares x/y */
gf a, b;
gf_mul ( a, p->y, q->x );
gf_mul ( b, q->y, p->x );
mask_t succ = gf_eq(a,b);
succ = gf_eq(a,b);
return mask_to_bool(succ);
}
......@@ -231,10 +230,12 @@ decaf_bool_t curve448_point_eq ( const curve448_point_t p, const curve448_point_
decaf_bool_t curve448_point_valid (
const curve448_point_t p
) {
mask_t out;
gf a,b,c;
gf_mul(a,p->x,p->y);
gf_mul(b,p->z,p->t);
mask_t out = gf_eq(a,b);
out = gf_eq(a,b);
gf_sqr(a,p->x);
gf_sqr(b,p->y);
gf_sub(a,b,a);
......@@ -265,18 +266,18 @@ void curve448_precomputed_scalarmul (
int i;
unsigned j,k;
const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;
niels_t ni;
curve448_scalar_t scalar1x;
curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment);
curve448_scalar_halve(scalar1x,scalar1x);
niels_t ni;
for (i=s-1; i>=0; i--) {
if (i != (int)s-1) point_double_internal(out,out,0);
for (j=0; j<n; j++) {
int tab = 0;
mask_t invert;
for (k=0; k<t; k++) {
unsigned int bit = i + s*(k + j*t);
......@@ -285,7 +286,7 @@ void curve448_precomputed_scalarmul (
}
}
mask_t invert = (tab>>(t-1))-1;
invert = (tab>>(t-1))-1;
tab ^= invert;
tab &= (1<<(t-1)) - 1;
......@@ -356,12 +357,15 @@ decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio (
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
) {
uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES];
mask_t low;
mask_t succ;
memcpy(enc2,enc,sizeof(enc2));
mask_t low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] & 0x80);
low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] & 0x80);
enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] &= ~0x80;
mask_t succ = gf_deserialize(p->y, enc2, 1, 0);
succ = gf_deserialize(p->y, enc2, 1, 0);
#if 0 == 0
succ &= word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1]);
#endif
......@@ -413,23 +417,25 @@ decaf_error_t decaf_x448 (
const uint8_t scalar[X_PRIVATE_BYTES]
) {
gf x1, x2, z2, x3, z3, t1, t2;
int t;
mask_t swap = 0;
mask_t nz;
ignore_result(gf_deserialize(x1,base,1,0));
gf_copy(x2,ONE);
gf_copy(z2,ZERO);
gf_copy(x3,x1);
gf_copy(z3,ONE);
int t;
mask_t swap = 0;
for (t = X_PRIVATE_BITS-1; t>=0; t--) {
uint8_t sb = scalar[t/8];
mask_t k_t;
/* Scalar conditioning */
if (t/8==0) sb &= -(uint8_t)COFACTOR;
else if (t == X_PRIVATE_BITS-1) sb = -1;
mask_t k_t = (sb>>(t%8)) & 1;
k_t = (sb>>(t%8)) & 1;
k_t = -k_t; /* set to all 0s or all 1s */
swap ^= k_t;
......@@ -465,7 +471,7 @@ decaf_error_t decaf_x448 (
gf_invert(z2,z2,0);
gf_mul(x1,x2,z2);
gf_serialize(out,x1,1);
mask_t nz = ~gf_eq(x1,ZERO);
nz = ~gf_eq(x1,ZERO);
OPENSSL_cleanse(x1,sizeof(x1));
OPENSSL_cleanse(x2,sizeof(x2));
......@@ -525,20 +531,22 @@ void decaf_x448_derive_public_key (
) {
/* Scalar conditioning */
uint8_t scalar2[X_PRIVATE_BYTES];
curve448_scalar_t the_scalar;
curve448_point_t p;
unsigned int i;
memcpy(scalar2,scalar,sizeof(scalar2));
scalar2[0] &= -(uint8_t)COFACTOR;
scalar2[X_PRIVATE_BYTES-1] &= ~(-1u<<((X_PRIVATE_BITS+7)%8));
scalar2[X_PRIVATE_BYTES-1] |= 1<<((X_PRIVATE_BITS+7)%8);
curve448_scalar_t the_scalar;
curve448_scalar_decode_long(the_scalar,scalar2,sizeof(scalar2));
/* Compensate for the encoding ratio */
for (unsigned i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) {
for (i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) {
curve448_scalar_halve(the_scalar,the_scalar);
}
curve448_point_t p;
curve448_precomputed_scalarmul(p,curve448_precomputed_base,the_scalar);
curve448_point_mul_by_ratio_and_encode_like_x448(out,p);
curve448_point_destroy(p);
......@@ -559,7 +567,12 @@ static int recode_wnaf (
) {
unsigned int table_size = DECAF_448_SCALAR_BITS/(table_bits+1) + 3;
int position = table_size - 1; /* at the end */
uint64_t current = scalar->limb[0] & 0xFFFF;
uint32_t mask = (1<<(table_bits+1))-1;
unsigned int w;
const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2;
unsigned int n, i;
/* place the end marker */
control[position].power = -1;
control[position].addend = 0;
......@@ -569,12 +582,7 @@ static int recode_wnaf (
* in the actual code that uses it, all for an expected reduction of like 1/5 op.
* Probably not worth it.
*/
uint64_t current = scalar->limb[0] & 0xFFFF;
uint32_t mask = (1<<(table_bits+1))-1;
unsigned int w;
const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2;
for (w = 1; w<(DECAF_448_SCALAR_BITS-1)/16+3; w++) {
if (w < (DECAF_448_SCALAR_BITS-1)/16+1) {
/* Refill the 16 high bits of current */
......@@ -582,9 +590,10 @@ static int recode_wnaf (
}
while (current & 0xFFFF) {
assert(position >= 0);
uint32_t pos = __builtin_ctz((uint32_t)current), odd = (uint32_t)current >> pos;
int32_t delta = odd & mask;
assert(position >= 0);
if (odd & 1<<(table_bits+1)) delta -= (1<<(table_bits+1));
current -= delta << pos;
control[position].power = pos + 16*(w-1);
......@@ -596,8 +605,7 @@ static int recode_wnaf (
assert(current==0);
position++;
unsigned int n = table_size - position;
unsigned int i;
n = table_size - position;
for (i=0; i<n; i++) {
control[i] = control[i+position];
}
......@@ -612,12 +620,13 @@ prepare_wnaf_table(
) {
curve448_point_t tmp;
int i;
pniels_t twop;
pt_to_pniels(output[0], working);
if (tbits == 0) return;
curve448_point_double(tmp,working);
pniels_t twop;
pt_to_pniels(twop, tmp);
add_pniels_to_pt(tmp, output[0],0);
......@@ -643,16 +652,15 @@ void curve448_base_double_scalarmul_non_secret (
) {
const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS,
table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS;
struct smvt_control control_var[DECAF_448_SCALAR_BITS/(table_bits_var+1)+3];
struct smvt_control control_pre[DECAF_448_SCALAR_BITS/(table_bits_pre+1)+3];
struct smvt_control control_var[DECAF_448_SCALAR_BITS/(DECAF_WNAF_VAR_TABLE_BITS+1)+3];
struct smvt_control control_pre[DECAF_448_SCALAR_BITS/(DECAF_WNAF_FIXED_TABLE_BITS+1)+3];
int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);
int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);
pniels_t precmp_var[1<<table_bits_var];
pniels_t precmp_var[1<<DECAF_WNAF_VAR_TABLE_BITS];
int contp=0, contv=0, i;
prepare_wnaf_table(precmp_var, base2, table_bits_var);
int contp=0, contv=0, i = control_var[0].power;
i = control_var[0].power;
if (i < 0) {
curve448_point_copy(combo, curve448_point_identity);
......
......@@ -62,9 +62,10 @@ static decaf_error_t oneshot_hash(uint8_t *out, size_t outlen,
static void clamp (
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]
) {
uint8_t hibit = (1<<0)>>1;
/* Blarg */
secret_scalar_ser[0] &= -COFACTOR;
uint8_t hibit = (1<<0)>>1;
if (hibit == 0) {
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
......@@ -82,10 +83,10 @@ static decaf_error_t hash_init_with_dom(
size_t context_len
) {
const char *dom_s = "SigEd448";
const uint8_t dom[2] = {
2 + word_is_zero(prehashed) + word_is_zero(for_prehash),
(uint8_t)context_len
};
uint8_t dom[2];
dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash);
dom[1] = (uint8_t)context_len;
if (context_len > UINT8_MAX)
return DECAF_FAILURE;
......@@ -130,14 +131,16 @@ decaf_error_t decaf_ed448_derive_public_key (
) {
/* only this much used for keygen */
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
curve448_scalar_t secret_scalar;
unsigned int c;
curve448_point_t p;
if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
DECAF_EDDSA_448_PRIVATE_BYTES)) {
return DECAF_FAILURE;
}
clamp(secret_scalar_ser);
curve448_scalar_t secret_scalar;
curve448_scalar_decode_long(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
/* Since we are going to mul_by_cofactor during encoding, divide by it here.
......@@ -146,11 +149,10 @@ decaf_error_t decaf_ed448_derive_public_key (
* the decaf base point is on Etwist_d, and when converted it effectively
* picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1.
*/
for (unsigned int c=1; c<DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
for (c=1; c<DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
curve448_scalar_halve(secret_scalar,secret_scalar);
}
curve448_point_t p;
curve448_precomputed_scalarmul(p,curve448_precomputed_base,secret_scalar);
curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
......@@ -176,6 +178,10 @@ decaf_error_t decaf_ed448_sign (
curve448_scalar_t secret_scalar;
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
decaf_error_t ret = DECAF_FAILURE;
curve448_scalar_t nonce_scalar;
uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
unsigned int c;
curve448_scalar_t challenge_scalar;
if (hashctx == NULL)
return DECAF_FAILURE;
......@@ -205,7 +211,6 @@ decaf_error_t decaf_ed448_sign (
}
/* Decode the nonce */
curve448_scalar_t nonce_scalar;
{
uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES];
......@@ -214,24 +219,23 @@ decaf_error_t decaf_ed448_sign (
curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
OPENSSL_cleanse(nonce, sizeof(nonce));
}
uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
{
/* Scalarmul to create the nonce-point */
curve448_scalar_t nonce_scalar_2;
curve448_point_t p;
curve448_scalar_halve(nonce_scalar_2,nonce_scalar);
for (unsigned int c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
for (c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
curve448_scalar_halve(nonce_scalar_2,nonce_scalar_2);
}
curve448_point_t p;
curve448_precomputed_scalarmul(p,curve448_precomputed_base,nonce_scalar_2);
curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
curve448_point_destroy(p);
curve448_scalar_destroy(nonce_scalar_2);
}
curve448_scalar_t challenge_scalar;
{
uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
......@@ -290,12 +294,15 @@ decaf_error_t decaf_ed448_verify (
) {
curve448_point_t pk_point, r_point;
decaf_error_t error = curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point,pubkey);
curve448_scalar_t challenge_scalar;
curve448_scalar_t response_scalar;
unsigned int c;
if (DECAF_SUCCESS != error) { return error; }
error = curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point,signature);
if (DECAF_SUCCESS != error) { return error; }
curve448_scalar_t challenge_scalar;
{
/* Compute the challenge */
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
......@@ -319,15 +326,14 @@ decaf_error_t decaf_ed448_verify (
OPENSSL_cleanse(challenge,sizeof(challenge));
}
curve448_scalar_sub(challenge_scalar, curve448_scalar_zero, challenge_scalar);
curve448_scalar_t response_scalar;
curve448_scalar_decode_long(
response_scalar,
&signature[DECAF_EDDSA_448_PUBLIC_BYTES],
DECAF_EDDSA_448_PRIVATE_BYTES
);
for (unsigned c=1; c<DECAF_448_EDDSA_DECODE_RATIO; c<<=1) {
for (c=1; c<DECAF_448_EDDSA_DECODE_RATIO; c<<=1) {
curve448_scalar_add(response_scalar,response_scalar,response_scalar);
}
......
......@@ -96,8 +96,8 @@ mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_hibit,uint
#ifndef LIMBPERM
#define LIMBPERM(i) (i)
#endif
#define LIMB_MASK(i) (((1ull)<<LIMB_PLACE_VALUE(i))-1)
#define LIMB_MASK(i) (((1)<<LIMB_PLACE_VALUE(i))-1)
static const gf ZERO = {{{0}}}, ONE = {{{ [LIMBPERM(0)] = 1 }}};
static const gf ZERO = {{{0}}}, ONE = {{{1}}};
#endif /* __P448_F_FIELD_H__ */
......@@ -19,14 +19,16 @@ static const gf MODULUS = {FIELD_LITERAL(
/** Serialize to wire format. */
void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {
unsigned int j=0, fill=0;
dword_t buffer = 0;
unsigned int i;
gf red;
gf_copy(red, x);
gf_strong_reduce(red);
if (!with_hibit) { assert(gf_hibit(red) == 0); }
unsigned int j=0, fill=0;
dword_t buffer = 0;
UNROLL for (unsigned int i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {
UNROLL for (i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {
if (fill < 8 && j < NLIMBS) {
buffer |= ((dword_t)red->limb[LIMBPERM(j)]) << fill;
fill += LIMB_PLACE_VALUE(LIMBPERM(j));
......@@ -60,7 +62,10 @@ mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, ui
dword_t buffer = 0;
dsword_t scarry = 0;
const unsigned nbytes = with_hibit ? X_SER_BYTES : SER_BYTES;
UNROLL for (unsigned int i=0; i<NLIMBS; i++) {
unsigned int i;
mask_t succ;
UNROLL for (i=0; i<NLIMBS; i++) {
UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < nbytes) {
uint8_t sj = serial[j];
if (j==nbytes-1) sj &= ~hi_nmask;
......@@ -73,20 +78,25 @@ mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, ui
buffer >>= LIMB_PLACE_VALUE(LIMBPERM(i));
scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t));
}
mask_t succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x);
succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x);
return succ & word_is_zero(buffer) & ~word_is_zero(scarry);
}
/** Reduce to canonical form. */
void gf_strong_reduce (gf a) {
dsword_t scarry;
word_t scarry_0;
dword_t carry = 0;
unsigned int i;
/* first, clear high */
gf_weak_reduce(a); /* Determined to have negligible perf impact. */
/* now the total is less than 2p */
/* compute total_value - p. No need to reduce mod p. */
dsword_t scarry = 0;
for (unsigned int i=0; i<NLIMBS; i++) {
scarry = 0;
for (i=0; i<NLIMBS; i++) {
scarry = scarry + a->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)];
a->limb[LIMBPERM(i)] = scarry & LIMB_MASK(LIMBPERM(i));
scarry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
......@@ -98,11 +108,10 @@ void gf_strong_reduce (gf a) {
*/
assert(word_is_zero(scarry) | word_is_zero(scarry+1));
word_t scarry_0 = scarry;
dword_t carry = 0;
scarry_0 = scarry;
/* add it back */
for (unsigned int i=0; i<NLIMBS; i++) {
for (i=0; i<NLIMBS; i++) {
carry = carry + a->limb[LIMBPERM(i)] + (scarry_0 & MODULUS->limb[LIMBPERM(i)]);
a->limb[LIMBPERM(i)] = carry & LIMB_MASK(LIMBPERM(i));
carry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
......@@ -127,10 +136,13 @@ void gf_add (gf d, const gf a, const gf b) {
/** Compare a==b */
mask_t gf_eq(const gf a, const gf b) {
gf c;
mask_t ret=0;
unsigned int i;
gf_sub(c,a,b);
gf_strong_reduce(c);
mask_t ret=0;
for (unsigned int i=0; i<NLIMBS; i++) {
for (i=0; i<NLIMBS; i++) {
ret |= c->limb[LIMBPERM(i)];
}
......
......@@ -39,21 +39,21 @@ static ossl_inline void gf_sqrn (
#define gf_add_nr gf_add_RAW
/** Subtract mod p. Bias by 2 and don't reduce */
static inline void gf_sub_nr ( gf c, const gf a, const gf b ) {
static ossl_inline void gf_sub_nr ( gf c, const gf a, const gf b ) {
gf_sub_RAW(c,a,b);
gf_bias(c, 2);
if (GF_HEADROOM < 3) gf_weak_reduce(c);
}
/** Subtract mod p. Bias by amt but don't reduce. */
static inline void gf_subx_nr ( gf c, const gf a, const gf b, int amt ) {
static ossl_inline void gf_subx_nr ( gf c, const gf a, const gf b, int amt ) {
gf_sub_RAW(c,a,b);
gf_bias(c, amt);
if (GF_HEADROOM < amt+1) gf_weak_reduce(c);
}
/** Mul by signed int. Not constant-time WRT the sign of that int. */
static inline void gf_mulw(gf c, const gf a, int32_t w) {
static ossl_inline void gf_mulw(gf c, const gf a, int32_t w) {
if (w>0) {
gf_mulw_unsigned(c, a, w);
} else {
......@@ -63,19 +63,19 @@ static inline void gf_mulw(gf c, const gf a, int32_t w) {
}
/** Constant time, x = is_z ? z : y */
static inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) {
static ossl_inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) {
constant_time_select(x,y,z,sizeof(gf),is_z,0);
}
/** Constant time, if (neg) x=-x; */
static inline void gf_cond_neg(gf x, mask_t neg) {
static ossl_inline void gf_cond_neg(gf x, mask_t neg) {
gf y;
gf_sub(y,ZERO,x);
gf_cond_sel(x,x,y,neg);
}
/** Constant time, if (swap) (x,y) = (y,x); */
static inline void
static ossl_inline void
gf_cond_swap(gf x, gf_s *__restrict__ y, mask_t swap) {
constant_time_cond_swap(x,y,sizeof(gf_s),swap);
}
......@@ -89,4 +89,4 @@ static ossl_inline void gf_div_qnr(gf_s *__restrict__ out, const gf x) {
}
#endif // __GF_H__
#endif /* __GF_H__ */
......@@ -182,7 +182,7 @@ void curve448_scalar_halve (
* @param [in] a A scalar.
* @param [out] out Will become a copy of a.
*/
static inline void curve448_scalar_copy (
static ossl_inline void curve448_scalar_copy (
curve448_scalar_t out,
const curve448_scalar_t a
) {
......@@ -196,7 +196,7 @@ static inline void curve448_scalar_copy (
* @param [out] a A copy of the point.
* @param [in] b Any point.
*/
static inline void curve448_point_copy (
static ossl_inline void curve448_point_copy (
curve448_point_t a,
const curve448_point_t b
) {
......
......@@ -17,7 +17,7 @@
#include "constant_time.h"
#include "point_448.h"
static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5ull;
static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5;
static const curve448_scalar_t sc_p = {{{
SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff)
}}}, sc_r2 = {{{
......@@ -41,12 +41,14 @@ static void sc_subx(
) {
decaf_dsword_t chain = 0;
unsigned int i;
decaf_word_t borrow;
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
chain = (chain + accum[i]) - sub->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
}
decaf_word_t borrow = chain+extra; /* = 0 or -1 */
borrow = chain+extra; /* = 0 or -1 */
chain = 0;
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
......@@ -146,8 +148,9 @@ decaf_error_t curve448_scalar_decode(
const unsigned char ser[DECAF_448_SCALAR_BYTES]
) {
unsigned int i;
scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES);
decaf_dsword_t accum = 0;
scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES);
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
}
......@@ -169,13 +172,13 @@ void curve448_scalar_decode_long(
const unsigned char *ser,
size_t ser_len
) {
size_t i;
curve448_scalar_t t1, t2;
if (ser_len == 0) {
curve448_scalar_copy(s, curve448_scalar_zero);
return;
}
size_t i;
curve448_scalar_t t1, t2;
i = ser_len - (ser_len%DECAF_448_SCALAR_BYTES);
if (i==ser_len) i -= DECAF_448_SCALAR_BYTES;
......
......@@ -51,9 +51,9 @@
/* Scalar limbs are keyed off of the API word size instead of the arch word size. */
#if DECAF_WORD_BITS == 64
#define SC_LIMB(x) (x##ull)
#define SC_LIMB(x) (x)
#elif DECAF_WORD_BITS == 32
#define SC_LIMB(x) ((uint32_t)x##ull),(x##ull>>32)
#define SC_LIMB(x) ((uint32_t)x),(x>>32)
#else
#error "For now, libdecaf only supports 32- and 64-bit architectures."
#endif
......@@ -192,9 +192,11 @@ static ossl_inline decaf_bool_t mask_to_bool (mask_t m) {
static ossl_inline mask_t bool_to_mask (decaf_bool_t m) {
/* On most arches this will be optimized to a simple cast. */
mask_t ret = 0;
unsigned int i;
unsigned int limit = sizeof(decaf_bool_t)/sizeof(mask_t);
if (limit < 1) limit = 1;
for (unsigned int i=0; i<limit; i++) {
for (i=0; i<limit; i++) {
ret |= ~ word_is_zero(m >> (i*8*sizeof(word_t)));
}
return ret;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册