diff options
| author | Matt Caswell <matt@openssl.org> | 2018-01-18 12:55:23 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-02-20 12:59:30 +0000 |
| commit | 094c071cbf3bca19eee73ccb8dfc0f7498f5d8e1 (patch) | |
| tree | 44c29c291ced1cf7142111fe328e642e279fd146 | |
| parent | bb6e60adc5d02d903cbbf92cf7b1d7152fb4a905 (diff) | |
Convert to C90 from C99
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
| -rw-r--r-- | crypto/ec/curve448/arch_32/f_impl.c | 9 | ||||
| -rw-r--r-- | crypto/ec/curve448/arch_32/f_impl.h | 24 | ||||
| -rw-r--r-- | crypto/ec/curve448/constant_time.h | 8 | ||||
| -rw-r--r-- | crypto/ec/curve448/curve448.c | 88 | ||||
| -rw-r--r-- | crypto/ec/curve448/eddsa.c | 50 | ||||
| -rw-r--r-- | crypto/ec/curve448/f_field.h | 4 | ||||
| -rw-r--r-- | crypto/ec/curve448/f_generic.c | 38 | ||||
| -rw-r--r-- | crypto/ec/curve448/field.h | 14 | ||||
| -rw-r--r-- | crypto/ec/curve448/point_448.h | 4 | ||||
| -rw-r--r-- | crypto/ec/curve448/scalar.c | 15 | ||||
| -rw-r--r-- | crypto/ec/curve448/word.h | 8 |
11 files changed, 151 insertions, 111 deletions
diff --git a/crypto/ec/curve448/arch_32/f_impl.c b/crypto/ec/curve448/arch_32/f_impl.c index 0770bd9962..8e4250bb60 100644 --- a/crypto/ec/curve448/arch_32/f_impl.c +++ b/crypto/ec/curve448/arch_32/f_impl.c @@ -69,15 +69,14 @@ void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) { } void gf_mulw_unsigned (gf_s *__restrict__ cs, const gf as, uint32_t b) { - assert(b<1<<28); - const uint32_t *a = as->limb; uint32_t *c = cs->limb; - uint64_t accum0 = 0, accum8 = 0; - uint32_t mask = (1ull<<28)-1; - + uint32_t mask = (1<<28)-1; int i; + + assert(b<1<<28); + FOR_LIMB(i,0,8,{ accum0 += widemul(b, a[i]); accum8 += widemul(b, a[i+8]); diff --git a/crypto/ec/curve448/arch_32/f_impl.h b/crypto/ec/curve448/arch_32/f_impl.h index c3687888c0..f1be6386c2 100644 --- a/crypto/ec/curve448/arch_32/f_impl.h +++ b/crypto/ec/curve448/arch_32/f_impl.h @@ -3,36 +3,44 @@ */ #define GF_HEADROOM 2 -#define LIMB(x) (x##ull)&((1ull<<28)-1), (x##ull)>>28 +#define LIMB(x) (x)&((1<<28)-1), (x)>>28 #define FIELD_LITERAL(a,b,c,d,e,f,g,h) \ {{LIMB(a),LIMB(b),LIMB(c),LIMB(d),LIMB(e),LIMB(f),LIMB(g),LIMB(h)}} #define LIMB_PLACE_VALUE(i) 28 void gf_add_RAW (gf out, const gf a, const gf b) { - for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) { + unsigned int i; + + for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) { out->limb[i] = a->limb[i] + b->limb[i]; } } void gf_sub_RAW (gf out, const gf a, const gf b) { - for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) { + unsigned int i; + + for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) { out->limb[i] = a->limb[i] - b->limb[i]; } } -void gf_bias (gf a, int amt) { - uint32_t co1 = ((1ull<<28)-1)*amt, co2 = co1-amt; - for (unsigned int i=0; i<sizeof(*a)/sizeof(a->limb[0]); i++) { +void gf_bias (gf a, int amt) { + unsigned int i; + uint32_t co1 = ((1<<28)-1)*amt, co2 = co1-amt; + + for (i=0; i<sizeof(*a)/sizeof(a->limb[0]); i++) { a->limb[i] += (i==sizeof(*a)/sizeof(a->limb[0])/2) ? co2 : co1; } } void gf_weak_reduce (gf a) { - uint32_t mask = (1ull<<28) - 1; + uint32_t mask = (1<<28) - 1; uint32_t tmp = a->limb[15] >> 28; + unsigned int i; + a->limb[8] += tmp; - for (unsigned int i=15; i>0; i--) { + for (i=15; i>0; i--) { a->limb[i] = (a->limb[i] & mask) + (a->limb[i-1]>>28); } a->limb[0] = (a->limb[0] & mask) + tmp; diff --git a/crypto/ec/curve448/constant_time.h b/crypto/ec/curve448/constant_time.h index 41cd404d3c..f8c02e7e82 100644 --- a/crypto/ec/curve448/constant_time.h +++ b/crypto/ec/curve448/constant_time.h @@ -149,6 +149,8 @@ constant_time_lookup ( memset(out, 0, elem_bytes); for (j=0; j<n_table; j++, big_i-=big_one) { big_register_t br_mask = br_is_zero(big_i); + word_t mask; + for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) { if (elem_bytes % sizeof(big_register_t)) { /* unaligned */ @@ -160,7 +162,7 @@ constant_time_lookup ( } } - word_t mask = word_is_zero(idx^j); + mask = word_is_zero(idx^j); if (elem_bytes % sizeof(big_register_t) >= sizeof(word_t)) { for (; k<=elem_bytes-sizeof(word_t); k+=sizeof(word_t)) { if (elem_bytes % sizeof(word_t)) { @@ -203,11 +205,11 @@ constant_time_select ( unsigned char *a = (unsigned char *)a_; const unsigned char *bTrue = (const unsigned char *)bTrue_; const unsigned char *bFalse = (const unsigned char *)bFalse_; + word_t k; + big_register_t br_mask = br_set_to_mask(mask); alignment_bytes |= elem_bytes; - word_t k; - big_register_t br_mask = br_set_to_mask(mask); for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) { if (alignment_bytes % sizeof(big_register_t)) { /* unaligned */ diff --git a/crypto/ec/curve448/curve448.c b/crypto/ec/curve448/curve448.c index d5b684b3bd..37d3972b45 100644 --- a/crypto/ec/curve448/curve448.c +++ b/crypto/ec/curve448/curve448.c @@ -36,11 +36,6 @@ static const curve448_scalar_t precomputed_scalarmul_adjustment = {{{ const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] = { 0x05 }; -#define RISTRETTO_FACTOR DECAF_448_RISTRETTO_FACTOR -const gf RISTRETTO_FACTOR = {{{ - 0x42ef0f45572736, 0x7bf6aa20ce5296, 0xf4fd6eded26033, 0x968c14ba839a66, 0xb8d54b64a2d780, 0x6aa0a1f1a7b8a5, 0x683bf68d722fa2, 0x22d962fbeb24f7 -}}}; - #define TWISTED_D ((EDWARDS_D)-1) @@ -65,13 +60,15 @@ const curve448_precomputed_s *curve448_precomputed_base = /** Inverse. */ static void gf_invert(gf y, const gf x, int assert_nonzero) { + mask_t ret; + gf t1, t2; - gf_sqr(t1, x); // o^2 - mask_t ret = gf_isr(t2, t1); // +-1/sqrt(o^2) = +-1/o + gf_sqr(t1, x); /* o^2 */ + ret = gf_isr(t2, t1); /* +-1/sqrt(o^2) = +-1/o */ (void)ret; if (assert_nonzero) assert(ret); gf_sqr(t1, t2); - gf_mul(t2, t1, x); // not direct to y in case of alias. + gf_mul(t2, t1, x); /* not direct to y in case of alias. */ gf_copy(y, t2); } @@ -219,11 +216,13 @@ sub_pniels_from_pt ( } decaf_bool_t curve448_point_eq ( const curve448_point_t p, const curve448_point_t q ) { + mask_t succ; + /* equality mod 2-torsion compares x/y */ gf a, b; gf_mul ( a, p->y, q->x ); gf_mul ( b, q->y, p->x ); - mask_t succ = gf_eq(a,b); + succ = gf_eq(a,b); return mask_to_bool(succ); } @@ -231,10 +230,12 @@ decaf_bool_t curve448_point_eq ( const curve448_point_t p, const curve448_point_ decaf_bool_t curve448_point_valid ( const curve448_point_t p ) { + mask_t out; + gf a,b,c; gf_mul(a,p->x,p->y); gf_mul(b,p->z,p->t); - mask_t out = gf_eq(a,b); + out = gf_eq(a,b); gf_sqr(a,p->x); gf_sqr(b,p->y); gf_sub(a,b,a); @@ -265,18 +266,18 @@ void curve448_precomputed_scalarmul ( int i; unsigned j,k; const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S; + niels_t ni; curve448_scalar_t scalar1x; curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment); curve448_scalar_halve(scalar1x,scalar1x); - niels_t ni; - for (i=s-1; i>=0; i--) { if (i != (int)s-1) point_double_internal(out,out,0); for (j=0; j<n; j++) { int tab = 0; + mask_t invert; for (k=0; k<t; k++) { unsigned int bit = i + s*(k + j*t); @@ -285,7 +286,7 @@ void curve448_precomputed_scalarmul ( } } - mask_t invert = (tab>>(t-1))-1; + invert = (tab>>(t-1))-1; tab ^= invert; tab &= (1<<(t-1)) - 1; @@ -356,12 +357,15 @@ decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio ( const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES] ) { uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES]; + mask_t low; + mask_t succ; + memcpy(enc2,enc,sizeof(enc2)); - mask_t low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] & 0x80); + low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] & 0x80); enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] &= ~0x80; - mask_t succ = gf_deserialize(p->y, enc2, 1, 0); + succ = gf_deserialize(p->y, enc2, 1, 0); #if 0 == 0 succ &= word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1]); #endif @@ -413,23 +417,25 @@ decaf_error_t decaf_x448 ( const uint8_t scalar[X_PRIVATE_BYTES] ) { gf x1, x2, z2, x3, z3, t1, t2; + int t; + mask_t swap = 0; + mask_t nz; + ignore_result(gf_deserialize(x1,base,1,0)); gf_copy(x2,ONE); gf_copy(z2,ZERO); gf_copy(x3,x1); gf_copy(z3,ONE); - int t; - mask_t swap = 0; - for (t = X_PRIVATE_BITS-1; t>=0; t--) { uint8_t sb = scalar[t/8]; + mask_t k_t; /* Scalar conditioning */ if (t/8==0) sb &= -(uint8_t)COFACTOR; else if (t == X_PRIVATE_BITS-1) sb = -1; - mask_t k_t = (sb>>(t%8)) & 1; + k_t = (sb>>(t%8)) & 1; k_t = -k_t; /* set to all 0s or all 1s */ swap ^= k_t; @@ -465,7 +471,7 @@ decaf_error_t decaf_x448 ( gf_invert(z2,z2,0); gf_mul(x1,x2,z2); gf_serialize(out,x1,1); - mask_t nz = ~gf_eq(x1,ZERO); + nz = ~gf_eq(x1,ZERO); OPENSSL_cleanse(x1,sizeof(x1)); OPENSSL_cleanse(x2,sizeof(x2)); @@ -525,20 +531,22 @@ void decaf_x448_derive_public_key ( ) { /* Scalar conditioning */ uint8_t scalar2[X_PRIVATE_BYTES]; + curve448_scalar_t the_scalar; + curve448_point_t p; + unsigned int i; + memcpy(scalar2,scalar,sizeof(scalar2)); scalar2[0] &= -(uint8_t)COFACTOR; scalar2[X_PRIVATE_BYTES-1] &= ~(-1u<<((X_PRIVATE_BITS+7)%8)); scalar2[X_PRIVATE_BYTES-1] |= 1<<((X_PRIVATE_BITS+7)%8); - curve448_scalar_t the_scalar; curve448_scalar_decode_long(the_scalar,scalar2,sizeof(scalar2)); /* Compensate for the encoding ratio */ - for (unsigned i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) { + for (i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) { curve448_scalar_halve(the_scalar,the_scalar); } - curve448_point_t p; curve448_precomputed_scalarmul(p,curve448_precomputed_base,the_scalar); curve448_point_mul_by_ratio_and_encode_like_x448(out,p); curve448_point_destroy(p); @@ -559,7 +567,12 @@ static int recode_wnaf ( ) { unsigned int table_size = DECAF_448_SCALAR_BITS/(table_bits+1) + 3; int position = table_size - 1; /* at the end */ - + uint64_t current = scalar->limb[0] & 0xFFFF; + uint32_t mask = (1<<(table_bits+1))-1; + unsigned int w; + const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2; + unsigned int n, i; + /* place the end marker */ control[position].power = -1; control[position].addend = 0; @@ -569,12 +582,7 @@ static int recode_wnaf ( * in the actual code that uses it, all for an expected reduction of like 1/5 op. * Probably not worth it. */ - - uint64_t current = scalar->limb[0] & 0xFFFF; - uint32_t mask = (1<<(table_bits+1))-1; - unsigned int w; - const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2; for (w = 1; w<(DECAF_448_SCALAR_BITS-1)/16+3; w++) { if (w < (DECAF_448_SCALAR_BITS-1)/16+1) { /* Refill the 16 high bits of current */ @@ -582,9 +590,10 @@ static int recode_wnaf ( } while (current & 0xFFFF) { - assert(position >= 0); uint32_t pos = __builtin_ctz((uint32_t)current), odd = (uint32_t)current >> pos; int32_t delta = odd & mask; + + assert(position >= 0); if (odd & 1<<(table_bits+1)) delta -= (1<<(table_bits+1)); current -= delta << pos; control[position].power = pos + 16*(w-1); @@ -596,8 +605,7 @@ static int recode_wnaf ( assert(current==0); position++; - unsigned int n = table_size - position; - unsigned int i; + n = table_size - position; for (i=0; i<n; i++) { control[i] = control[i+position]; } @@ -612,12 +620,13 @@ prepare_wnaf_table( ) { curve448_point_t tmp; int i; + pniels_t twop; + pt_to_pniels(output[0], working); if (tbits == 0) return; curve448_point_double(tmp,working); - pniels_t twop; pt_to_pniels(twop, tmp); add_pniels_to_pt(tmp, output[0],0); @@ -643,16 +652,15 @@ void curve448_base_double_scalarmul_non_secret ( ) { const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS, table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS; - struct smvt_control control_var[DECAF_448_SCALAR_BITS/(table_bits_var+1)+3]; - struct smvt_control control_pre[DECAF_448_SCALAR_BITS/(table_bits_pre+1)+3]; - + struct smvt_control control_var[DECAF_448_SCALAR_BITS/(DECAF_WNAF_VAR_TABLE_BITS+1)+3]; + struct smvt_control control_pre[DECAF_448_SCALAR_BITS/(DECAF_WNAF_FIXED_TABLE_BITS+1)+3]; int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre); int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var); - - pniels_t precmp_var[1<<table_bits_var]; + pniels_t precmp_var[1<<DECAF_WNAF_VAR_TABLE_BITS]; + int contp=0, contv=0, i; + prepare_wnaf_table(precmp_var, base2, table_bits_var); - - int contp=0, contv=0, i = control_var[0].power; + i = control_var[0].power; if (i < 0) { curve448_point_copy(combo, curve448_point_identity); diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c index 241bffd7c7..5aeec24e08 100644 --- a/crypto/ec/curve448/eddsa.c +++ b/crypto/ec/curve448/eddsa.c @@ -62,9 +62,10 @@ static decaf_error_t oneshot_hash(uint8_t *out, size_t outlen, static void clamp ( uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES] ) { + uint8_t hibit = (1<<0)>>1; + /* Blarg */ secret_scalar_ser[0] &= -COFACTOR; - uint8_t hibit = (1<<0)>>1; if (hibit == 0) { secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0; secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; @@ -82,10 +83,10 @@ static decaf_error_t hash_init_with_dom( size_t context_len ) { const char *dom_s = "SigEd448"; - const uint8_t dom[2] = { - 2 + word_is_zero(prehashed) + word_is_zero(for_prehash), - (uint8_t)context_len - }; + uint8_t dom[2]; + + dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash); + dom[1] = (uint8_t)context_len; if (context_len > UINT8_MAX) return DECAF_FAILURE; @@ -130,14 +131,16 @@ decaf_error_t decaf_ed448_derive_public_key ( ) { /* only this much used for keygen */ uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]; - + curve448_scalar_t secret_scalar; + unsigned int c; + curve448_point_t p; + if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey, DECAF_EDDSA_448_PRIVATE_BYTES)) { return DECAF_FAILURE; } clamp(secret_scalar_ser); - - curve448_scalar_t secret_scalar; + curve448_scalar_decode_long(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser)); /* Since we are going to mul_by_cofactor during encoding, divide by it here. @@ -146,11 +149,10 @@ decaf_error_t decaf_ed448_derive_public_key ( * the decaf base point is on Etwist_d, and when converted it effectively * picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1. */ - for (unsigned int c=1; c<DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) { + for (c=1; c<DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) { curve448_scalar_halve(secret_scalar,secret_scalar); } - curve448_point_t p; curve448_precomputed_scalarmul(p,curve448_precomputed_base,secret_scalar); curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p); @@ -176,6 +178,10 @@ decaf_error_t decaf_ed448_sign ( curve448_scalar_t secret_scalar; EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); decaf_error_t ret = DECAF_FAILURE; + curve448_scalar_t nonce_scalar; + uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0}; + unsigned int c; + curve448_scalar_t challenge_scalar; if (hashctx == NULL) return DECAF_FAILURE; @@ -205,7 +211,6 @@ decaf_error_t decaf_ed448_sign ( } /* Decode the nonce */ - curve448_scalar_t nonce_scalar; { uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES]; @@ -214,24 +219,23 @@ decaf_error_t decaf_ed448_sign ( curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce)); OPENSSL_cleanse(nonce, sizeof(nonce)); } - - uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0}; + { /* Scalarmul to create the nonce-point */ curve448_scalar_t nonce_scalar_2; + curve448_point_t p; + curve448_scalar_halve(nonce_scalar_2,nonce_scalar); - for (unsigned int c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) { + for (c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) { curve448_scalar_halve(nonce_scalar_2,nonce_scalar_2); } - - curve448_point_t p; + curve448_precomputed_scalarmul(p,curve448_precomputed_base,nonce_scalar_2); curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p); curve448_point_destroy(p); curve448_scalar_destroy(nonce_scalar_2); } - - curve448_scalar_t challenge_scalar; + { uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES]; @@ -290,12 +294,15 @@ decaf_error_t decaf_ed448_verify ( ) { curve448_point_t pk_point, r_point; decaf_error_t error = curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point,pubkey); + curve448_scalar_t challenge_scalar; + curve448_scalar_t response_scalar; + unsigned int c; + if (DECAF_SUCCESS != error) { return error; } error = curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point,signature); if (DECAF_SUCCESS != error) { return error; } - curve448_scalar_t challenge_scalar; { /* Compute the challenge */ EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); @@ -319,15 +326,14 @@ decaf_error_t decaf_ed448_verify ( OPENSSL_cleanse(challenge,sizeof(challenge)); } curve448_scalar_sub(challenge_scalar, curve448_scalar_zero, challenge_scalar); - - curve448_scalar_t response_scalar; + curve448_scalar_decode_long( response_scalar, &signature[DECAF_EDDSA_448_PUBLIC_BYTES], DECAF_EDDSA_448_PRIVATE_BYTES ); - for (unsigned c=1; c<DECAF_448_EDDSA_DECODE_RATIO; c<<=1) { + for (c=1; c<DECAF_448_EDDSA_DECODE_RATIO; c<<=1) { curve448_scalar_add(response_scalar,response_scalar,response_scalar); } diff --git a/crypto/ec/curve448/f_field.h b/crypto/ec/curve448/f_field.h index 0a1987bb0e..1bc8b3010d 100644 --- a/crypto/ec/curve448/f_field.h +++ b/crypto/ec/curve448/f_field.h @@ -96,8 +96,8 @@ mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_hibit,uint #ifndef LIMBPERM #define LIMBPERM(i) (i) #endif -#define LIMB_MASK(i) (((1ull)<<LIMB_PLACE_VALUE(i))-1) +#define LIMB_MASK(i) (((1)<<LIMB_PLACE_VALUE(i))-1) -static const gf ZERO = {{{0}}}, ONE = {{{ [LIMBPERM(0)] = 1 }}}; +static const gf ZERO = {{{0}}}, ONE = {{{1}}}; #endif /* __P448_F_FIELD_H__ */ diff --git a/crypto/ec/curve448/f_generic.c b/crypto/ec/curve448/f_generic.c index b8ba0a691d..98d4dc0a24 100644 --- a/crypto/ec/curve448/f_generic.c +++ b/crypto/ec/curve448/f_generic.c @@ -19,14 +19,16 @@ static const gf MODULUS = {FIELD_LITERAL( /** Serialize to wire format. */ void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) { + unsigned int j=0, fill=0; + dword_t buffer = 0; + unsigned int i; gf red; + gf_copy(red, x); gf_strong_reduce(red); if (!with_hibit) { assert(gf_hibit(red) == 0); } - - unsigned int j=0, fill=0; - dword_t buffer = 0; - UNROLL for (unsigned int i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) { + + UNROLL for (i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) { if (fill < 8 && j < NLIMBS) { buffer |= ((dword_t)red->limb[LIMBPERM(j)]) << fill; fill += LIMB_PLACE_VALUE(LIMBPERM(j)); @@ -60,7 +62,10 @@ mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, ui dword_t buffer = 0; dsword_t scarry = 0; const unsigned nbytes = with_hibit ? X_SER_BYTES : SER_BYTES; - UNROLL for (unsigned int i=0; i<NLIMBS; i++) { + unsigned int i; + mask_t succ; + + UNROLL for (i=0; i<NLIMBS; i++) { UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < nbytes) { uint8_t sj = serial[j]; if (j==nbytes-1) sj &= ~hi_nmask; @@ -73,20 +78,25 @@ mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, ui buffer >>= LIMB_PLACE_VALUE(LIMBPERM(i)); scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t)); } - mask_t succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x); + succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x); return succ & word_is_zero(buffer) & ~word_is_zero(scarry); } /** Reduce to canonical form. */ void gf_strong_reduce (gf a) { + dsword_t scarry; + word_t scarry_0; + dword_t carry = 0; + unsigned int i; + /* first, clear high */ gf_weak_reduce(a); /* Determined to have negligible perf impact. */ /* now the total is less than 2p */ /* compute total_value - p. No need to reduce mod p. */ - dsword_t scarry = 0; - for (unsigned int i=0; i<NLIMBS; i++) { + scarry = 0; + for (i=0; i<NLIMBS; i++) { scarry = scarry + a->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]; a->limb[LIMBPERM(i)] = scarry & LIMB_MASK(LIMBPERM(i)); scarry >>= LIMB_PLACE_VALUE(LIMBPERM(i)); @@ -98,11 +108,10 @@ void gf_strong_reduce (gf a) { */ assert(word_is_zero(scarry) | word_is_zero(scarry+1)); - word_t scarry_0 = scarry; - dword_t carry = 0; + scarry_0 = scarry; /* add it back */ - for (unsigned int i=0; i<NLIMBS; i++) { + for (i=0; i<NLIMBS; i++) { carry = carry + a->limb[LIMBPERM(i)] + (scarry_0 & MODULUS->limb[LIMBPERM(i)]); a->limb[LIMBPERM(i)] = carry & LIMB_MASK(LIMBPERM(i)); carry >>= LIMB_PLACE_VALUE(LIMBPERM(i)); @@ -127,10 +136,13 @@ void gf_add (gf d, const gf a, const gf b) { /** Compare a==b */ mask_t gf_eq(const gf a, const gf b) { gf c; + mask_t ret=0; + unsigned int i; + gf_sub(c,a,b); gf_strong_reduce(c); - mask_t ret=0; - for (unsigned int i=0; i<NLIMBS; i++) { + + for (i=0; i<NLIMBS; i++) { ret |= c->limb[LIMBPERM(i)]; } diff --git a/crypto/ec/curve448/field.h b/crypto/ec/curve448/field.h index 672ee3623e..1b64b47eac 100644 --- a/crypto/ec/curve448/field.h +++ b/crypto/ec/curve448/field.h @@ -39,21 +39,21 @@ static ossl_inline void gf_sqrn ( #define gf_add_nr gf_add_RAW /** Subtract mod p. Bias by 2 and don't reduce */ -static inline void gf_sub_nr ( gf c, const gf a, const gf b ) { +static ossl_inline void gf_sub_nr ( gf c, const gf a, const gf b ) { gf_sub_RAW(c,a,b); gf_bias(c, 2); if (GF_HEADROOM < 3) gf_weak_reduce(c); } /** Subtract mod p. Bias by amt but don't reduce. */ -static inline void gf_subx_nr ( gf c, const gf a, const gf b, int amt ) { +static ossl_inline void gf_subx_nr ( gf c, const gf a, const gf b, int amt ) { gf_sub_RAW(c,a,b); gf_bias(c, amt); if (GF_HEADROOM < amt+1) gf_weak_reduce(c); } /** Mul by signed int. Not constant-time WRT the sign of that int. */ -static inline void gf_mulw(gf c, const gf a, int32_t w) { +static ossl_inline void gf_mulw(gf c, const gf a, int32_t w) { if (w>0) { gf_mulw_unsigned(c, a, w); } else { @@ -63,19 +63,19 @@ static inline void gf_mulw(gf c, const gf a, int32_t w) { } /** Constant time, x = is_z ? z : y */ -static inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) { +static ossl_inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) { constant_time_select(x,y,z,sizeof(gf),is_z,0); } /** Constant time, if (neg) x=-x; */ -static inline void gf_cond_neg(gf x, mask_t neg) { +static ossl_inline void gf_cond_neg(gf x, mask_t neg) { gf y; gf_sub(y,ZERO,x); gf_cond_sel(x,x,y,neg); } /** Constant time, if (swap) (x,y) = (y,x); */ -static inline void +static ossl_inline void gf_cond_swap(gf x, gf_s *__restrict__ y, mask_t swap) { constant_time_cond_swap(x,y,sizeof(gf_s),swap); } @@ -89,4 +89,4 @@ static ossl_inline void gf_div_qnr(gf_s *__restrict__ out, const gf x) { } -#endif // __GF_H__ +#endif /* __GF_H__ */ diff --git a/crypto/ec/curve448/point_448.h b/crypto/ec/curve448/point_448.h index b2ccf5a8ad..4be7027b2b 100644 --- a/crypto/ec/curve448/point_448.h +++ b/crypto/ec/curve448/point_448.h @@ -182,7 +182,7 @@ void curve448_scalar_halve ( * @param [in] a A scalar. * @param [out] out Will become a copy of a. */ -static inline void curve448_scalar_copy ( +static ossl_inline void curve448_scalar_copy ( curve448_scalar_t out, const curve448_scalar_t a ) { @@ -196,7 +196,7 @@ static inline void curve448_scalar_copy ( * @param [out] a A copy of the point. * @param [in] b Any point. */ -static inline void curve448_point_copy ( +static ossl_inline void curve448_point_copy ( curve448_point_t a, const curve448_point_t b ) { diff --git a/crypto/ec/curve448/scalar.c b/crypto/ec/curve448/scalar.c index 967b1a60e3..e7dfca5a5d 100644 --- a/crypto/ec/curve448/scalar.c +++ b/crypto/ec/curve448/scalar.c @@ -17,7 +17,7 @@ #include "constant_time.h" #include "point_448.h" -static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5ull; +static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5; static const curve448_scalar_t sc_p = {{{ SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff) }}}, sc_r2 = {{{ @@ -41,12 +41,14 @@ static void sc_subx( ) { decaf_dsword_t chain = 0; unsigned int i; + decaf_word_t borrow; + for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) { chain = (chain + accum[i]) - sub->limb[i]; out->limb[i] = chain; chain >>= WBITS; } - decaf_word_t borrow = chain+extra; /* = 0 or -1 */ + borrow = chain+extra; /* = 0 or -1 */ chain = 0; for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) { @@ -146,8 +148,9 @@ decaf_error_t curve448_scalar_decode( const unsigned char ser[DECAF_448_SCALAR_BYTES] ) { unsigned int i; - scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES); decaf_dsword_t accum = 0; + + scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES); for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) { accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS; } @@ -169,13 +172,13 @@ void curve448_scalar_decode_long( const unsigned char *ser, size_t ser_len ) { + size_t i; + curve448_scalar_t t1, t2; + if (ser_len == 0) { curve448_scalar_copy(s, curve448_scalar_zero); return; } - - size_t i; - curve448_scalar_t t1, t2; i = ser_len - (ser_len%DECAF_448_SCALAR_BYTES); if (i==ser_len) i -= DECAF_448_SCALAR_BYTES; diff --git a/crypto/ec/curve448/word.h b/crypto/ec/curve448/word.h index c70d413ffe..9f62654b6e 100644 --- a/crypto/ec/curve448/word.h +++ b/crypto/ec/curve448/word.h @@ -51,9 +51,9 @@ /* Scalar limbs are keyed off of the API word size instead of the arch word size. */ #if DECAF_WORD_BITS == 64 - #define SC_LIMB(x) (x##ull) + #define SC_LIMB(x) (x) #elif DECAF_WORD_BITS == 32 - #define SC_LIMB(x) ((uint32_t)x##ull),(x##ull>>32) + #define SC_LIMB(x) ((uint32_t)x),(x>>32) #else #error "For now, libdecaf only supports 32- and 64-bit architectures." #endif @@ -192,9 +192,11 @@ static ossl_inline decaf_bool_t mask_to_bool (mask_t m) { static ossl_inline mask_t bool_to_mask (decaf_bool_t m) { /* On most arches this will be optimized to a simple cast. */ mask_t ret = 0; + unsigned int i; + unsigned int limit = sizeof(decaf_bool_t)/sizeof(mask_t); if (limit < 1) limit = 1; - for (unsigned int i=0; i<limit; i++) { + for (i=0; i<limit; i++) { ret |= ~ word_is_zero(m >> (i*8*sizeof(word_t))); } return ret; |