Replace DECAF_WARN_UNUSED with __owur

Most of these were in point_448.h. While I was at it I spotted some unused
declarations, so I deleted those too.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)

2 files changed, 7 insertions, 180 deletions

diff --git a/crypto/ec/curve448/curve448utils.h b/crypto/ec/curve448/curve448utils.h
index 7997cfd6f4..cce9d37edc 100644
--- a/crypto/ec/curve448/curve448utils.h
+++ b/crypto/ec/curve448/curve448utils.h
@@ -27,7 +27,6 @@ extern "C" {
 #endif
 #define DECAF_API_VIS __attribute__((visibility("default")))
 #define DECAF_NOINLINE  __attribute__((noinline))
-#define DECAF_WARN_UNUSED __attribute__((warn_unused_result))
 #define DECAF_NONNULL __attribute__((nonnull))
 /** @endcond */
 
diff --git a/crypto/ec/curve448/point_448.h b/crypto/ec/curve448/point_448.h
index 31b4bb5f79..a359b31f6c 100644
--- a/crypto/ec/curve448/point_448.h
+++ b/crypto/ec/curve448/point_448.h
@@ -100,10 +100,10 @@ extern const struct curve448_precomputed_s *curve448_precomputed_base DECAF_API_
  * @retval DECAF_FAILURE The scalar was greater than the modulus,
  * and has been reduced modulo that modulus.
  */
-decaf_error_t curve448_scalar_decode (
+__owur decaf_error_t curve448_scalar_decode (
     curve448_scalar_t out,
     const unsigned char ser[DECAF_448_SCALAR_BYTES]
-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Read a scalar from wire format or from bytes.  Reduces mod
@@ -143,18 +143,6 @@ void curve448_scalar_add (
 ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
 
 /**
- * @brief Compare two scalars.
- * @param [in] a One scalar.
- * @param [in] b Another scalar.
- * @retval DECAF_TRUE The scalars are equal.
- * @retval DECAF_FALSE The scalars are not equal.
- */    
-decaf_bool_t curve448_scalar_eq (
-    const curve448_scalar_t a,
-    const curve448_scalar_t b
-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
-
-/**
  * @brief Subtract two scalars.  The scalars may use the same memory.
  * @param [in] a One scalar.
  * @param [in] b Another scalar.
@@ -189,17 +177,6 @@ void curve448_scalar_halve (
 ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
 
 /**
- * @brief Invert a scalar.  When passed zero, return 0.  The input and output may alias.
- * @param [in] a A scalar.
- * @param [out] out 1/a.
- * @return DECAF_SUCCESS The input is nonzero.
- */  
-decaf_error_t curve448_scalar_invert (
-    curve448_scalar_t out,
-    const curve448_scalar_t a
-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
-
-/**
  * @brief Copy a scalar.  The scalars may use the same memory, in which
  * case this function does nothing.
  * @param [in] a A scalar.
@@ -213,16 +190,6 @@ static inline void DECAF_NONNULL curve448_scalar_copy (
 }
 
 /**
- * @brief Set a scalar to an unsigned 64-bit integer.
- * @param [in] a An integer.
- * @param [out] out Will become equal to a.
- */  
-void curve448_scalar_set_unsigned (
-    curve448_scalar_t out,
-    uint64_t a
-) DECAF_API_VIS DECAF_NONNULL;
-
-/**
  * @brief Copy a point.  The input and output may alias,
  * in which case this function does nothing.
  *
@@ -245,10 +212,10 @@ static inline void DECAF_NONNULL curve448_point_copy (
  * @retval DECAF_TRUE The points are equal.
  * @retval DECAF_FALSE The points are not equal.
  */
-decaf_bool_t curve448_point_eq (
+__owur decaf_bool_t curve448_point_eq (
     const curve448_point_t a,
     const curve448_point_t b
-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Double a point.  Equivalent to
@@ -274,11 +241,11 @@ void curve448_point_double (
  * @retval DECAF_FAILURE The scalarmul didn't succeed, because the base
  * point is in a small subgroup.
  */
-decaf_error_t decaf_x448 (
+__owur decaf_error_t decaf_x448 (
     uint8_t out[DECAF_X448_PUBLIC_BYTES],
     const uint8_t base[DECAF_X448_PUBLIC_BYTES],
     const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Multiply a point by DECAF_X448_ENCODE_RATIO,
@@ -323,21 +290,6 @@ void decaf_x448_derive_public_key (
     const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]
 ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
 
-/* FUTURE: uint8_t curve448_encode_like_curve448) */
-
-/**
- * @brief Precompute a table for fast scalar multiplication.
- * Some implementations do not include precomputed points; for
- * those implementations, this implementation simply copies the
- * point.
- *
- * @param [out] a A precomputed table of multiples of the point.
- * @param [in] b Any point.
- */
-void curve448_precompute (
-    curve448_precomputed_s *a,
-    const curve448_point_t b
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Multiply a precomputed base point by a scalar:
@@ -380,141 +332,17 @@ void curve448_base_double_scalarmul_non_secret (
 ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
 
 /**
- * @brief Constant-time decision between two scalars.  If pick_b
- * is zero, out = a; else out = b.
- *
- * @param [out] out The output.  It may be the same as either input.
- * @param [in] a Any scalar.
- * @param [in] b Any scalar.
- * @param [in] pick_b If nonzero, choose scalar b.
- */
-void curve448_scalar_cond_sel (
-    curve448_scalar_t out,
-    const curve448_scalar_t a,
-    const curve448_scalar_t b,
-    decaf_word_t pick_b
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
-
-/**
  * @brief Test that a point is valid, for debugging purposes.
  *
  * @param [in] to_test The point to test.
  * @retval DECAF_TRUE The point is valid.
  * @retval DECAF_FALSE The point is invalid.
  */
-decaf_bool_t curve448_point_valid (
+__owur decaf_bool_t curve448_point_valid (
     const curve448_point_t to_test
-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
-
-
-/**
- * @brief Almost-Elligator-like hash to curve.
- *
- * Call this function with the output of a hash to make a hash to the curve.
- *
- * This function runs Elligator2 on the curve448 Jacobi quartic model.  It then
- * uses the isogeny to put the result in twisted Edwards form.  As a result,
- * it is safe (cannot produce points of order 4), and would be compatible with
- * hypothetical other implementations of Decaf using a Montgomery or untwisted
- * Edwards model.
- *
- * Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:
- *   A factor of 2 due to the isogeny.
- *   A factor of 2 because we quotient out the 2-torsion.
- *
- * This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8.
- *
- * Negating the input (mod q) results in the same point.  Inverting the input
- * (mod q) results in the negative point.  This is the same as Elligator.
- *
- * This function isn't quite indifferentiable from a random oracle.
- * However, it is suitable for many protocols, including SPEKE and SPAKE2 EE. 
- * Furthermore, calling it twice with independent seeds and adding the results
- * is indifferentiable from a random oracle.
- *
- * @param [in] hashed_data Output of some hash function.
- * @param [out] pt The data hashed to the curve.
- */
-void
-curve448_point_from_hash_nonuniform (
-    curve448_point_t pt,
-    const unsigned char hashed_data[DECAF_448_HASH_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
-
-/**
- * @brief Indifferentiable hash function encoding to curve.
- *
- * Equivalent to calling curve448_point_from_hash_nonuniform twice and adding.
- *
- * @param [in] hashed_data Output of some hash function.
- * @param [out] pt The data hashed to the curve.
- */ 
-void curve448_point_from_hash_uniform (
-    curve448_point_t pt,
-    const unsigned char hashed_data[2*DECAF_448_HASH_BYTES]
 ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
 
 /**
- * @brief Inverse of elligator-like hash to curve.
- *
- * This function writes to the buffer, to make it so that
- * curve448_point_from_hash_nonuniform(buffer) = pt if
- * possible.  Since there may be multiple preimages, the
- * "which" parameter chooses between them.  To ensure uniform
- * inverse sampling, this function succeeds or fails
- * independently for different "which" values.
- *
- * This function isn't guaranteed to find every possible
- * preimage, but it finds all except a small finite number.
- * In particular, when the number of bits in the modulus isn't
- * a multiple of 8 (i.e. for curve25519), it sets the high bits
- * independently, which enables the generated data to be uniform.
- * But it doesn't add p, so you'll never get exactly p from this
- * function.  This might change in the future, especially if
- * we ever support eg Brainpool curves, where this could cause
- * real nonuniformity.
- *
- * @param [out] recovered_hash Encoded data.
- * @param [in] pt The point to encode.
- * @param [in] which A value determining which inverse point
- * to return.
- *
- * @retval DECAF_SUCCESS The inverse succeeded.
- * @retval DECAF_FAILURE The inverse failed.
- */
-decaf_error_t
-curve448_invert_elligator_nonuniform (
-    unsigned char recovered_hash[DECAF_448_HASH_BYTES],
-    const curve448_point_t pt,
-    uint32_t which
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;
-
-/**
- * @brief Inverse of elligator-like hash to curve.
- *
- * This function writes to the buffer, to make it so that
- * curve448_point_from_hash_uniform(buffer) = pt if
- * possible.  Since there may be multiple preimages, the
- * "which" parameter chooses between them.  To ensure uniform
- * inverse sampling, this function succeeds or fails
- * independently for different "which" values.
- *
- * @param [out] recovered_hash Encoded data.
- * @param [in] pt The point to encode.
- * @param [in] which A value determining which inverse point
- * to return.
- *
- * @retval DECAF_SUCCESS The inverse succeeded.
- * @retval DECAF_FAILURE The inverse failed.
- */
-decaf_error_t
-curve448_invert_elligator_uniform (
-    unsigned char recovered_hash[2*DECAF_448_HASH_BYTES],
-    const curve448_point_t pt,
-    uint32_t which
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;
-
-/**
  * @brief Overwrite scalar with zeros.
  */
 void curve448_scalar_destroy (