unsigned num_bytes;
/* BN_bn2bin eats leading zeroes */
- memset(b_out, 0, sizeof b_out);
+ memset(b_out, 0, sizeof(b_out));
num_bytes = BN_num_bytes(bn);
if (num_bytes > sizeof b_out) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
felem_scalar(inx2, in, 2);
felem_scalar(inx4, in, 4);
- /*-
- * We have many cases were we want to do
- * in[x] * in[y] +
- * in[y] * in[x]
- * This is obviously just
- * 2 * in[x] * in[y]
- * However, rather than do the doubling on the 128 bit result, we
- * double one of the inputs to the multiplication by reading from
- * |inx2| */
+ /*-
+ * We have many cases were we want to do
+ * in[x] * in[y] +
+ * in[y] * in[x]
+ * This is obviously just
+ * 2 * in[x] * in[y]
+ * However, rather than do the doubling on the 128 bit result, we
+ * double one of the inputs to the multiplication by reading from
+ * |inx2|
+ */
out[0] = ((uint128_t) in[0]) * in[0];
out[1] = ((uint128_t) in[0]) * inx2[1];
out[2] = ((uint128_t) in[0]) * inx2[2] + ((uint128_t) in[1]) * in[1];
out[3] = ((uint128_t) in[0]) * inx2[3] + ((uint128_t) in[1]) * inx2[2];
out[4] = ((uint128_t) in[0]) * inx2[4] +
- ((uint128_t) in[1]) * inx2[3] + ((uint128_t) in[2]) * in[2];
+ ((uint128_t) in[1]) * inx2[3] + ((uint128_t) in[2]) * in[2];
out[5] = ((uint128_t) in[0]) * inx2[5] +
- ((uint128_t) in[1]) * inx2[4] + ((uint128_t) in[2]) * inx2[3];
+ ((uint128_t) in[1]) * inx2[4] + ((uint128_t) in[2]) * inx2[3];
out[6] = ((uint128_t) in[0]) * inx2[6] +
- ((uint128_t) in[1]) * inx2[5] +
- ((uint128_t) in[2]) * inx2[4] + ((uint128_t) in[3]) * in[3];
+ ((uint128_t) in[1]) * inx2[5] +
+ ((uint128_t) in[2]) * inx2[4] + ((uint128_t) in[3]) * in[3];
out[7] = ((uint128_t) in[0]) * inx2[7] +
- ((uint128_t) in[1]) * inx2[6] +
- ((uint128_t) in[2]) * inx2[5] + ((uint128_t) in[3]) * inx2[4];
+ ((uint128_t) in[1]) * inx2[6] +
+ ((uint128_t) in[2]) * inx2[5] + ((uint128_t) in[3]) * inx2[4];
out[8] = ((uint128_t) in[0]) * inx2[8] +
- ((uint128_t) in[1]) * inx2[7] +
- ((uint128_t) in[2]) * inx2[6] +
- ((uint128_t) in[3]) * inx2[5] + ((uint128_t) in[4]) * in[4];
+ ((uint128_t) in[1]) * inx2[7] +
+ ((uint128_t) in[2]) * inx2[6] +
+ ((uint128_t) in[3]) * inx2[5] + ((uint128_t) in[4]) * in[4];
/*
* The remaining limbs fall above 2^521, with the first falling at 2^522.
/* 9 */
out[0] += ((uint128_t) in[1]) * inx4[8] +
- ((uint128_t) in[2]) * inx4[7] +
- ((uint128_t) in[3]) * inx4[6] + ((uint128_t) in[4]) * inx4[5];
+ ((uint128_t) in[2]) * inx4[7] +
+ ((uint128_t) in[3]) * inx4[6] + ((uint128_t) in[4]) * inx4[5];
/* 10 */
out[1] += ((uint128_t) in[2]) * inx4[8] +
- ((uint128_t) in[3]) * inx4[7] +
- ((uint128_t) in[4]) * inx4[6] + ((uint128_t) in[5]) * inx2[5];
+ ((uint128_t) in[3]) * inx4[7] +
+ ((uint128_t) in[4]) * inx4[6] + ((uint128_t) in[5]) * inx2[5];
/* 11 */
out[2] += ((uint128_t) in[3]) * inx4[8] +
- ((uint128_t) in[4]) * inx4[7] + ((uint128_t) in[5]) * inx4[6];
+ ((uint128_t) in[4]) * inx4[7] + ((uint128_t) in[5]) * inx4[6];
/* 12 */
out[3] += ((uint128_t) in[4]) * inx4[8] +
- ((uint128_t) in[5]) * inx4[7] + ((uint128_t) in[6]) * inx2[6];
+ ((uint128_t) in[5]) * inx4[7] + ((uint128_t) in[6]) * inx2[6];
/* 13 */
out[4] += ((uint128_t) in[5]) * inx4[8] + ((uint128_t) in[6]) * inx4[7];
out[0] = ((uint128_t) in1[0]) * in2[0];
- out[1] = ((uint128_t) in1[0]) * in2[1] + ((uint128_t) in1[1]) * in2[0];
+ out[1] = ((uint128_t) in1[0]) * in2[1] +
+ ((uint128_t) in1[1]) * in2[0];
out[2] = ((uint128_t) in1[0]) * in2[2] +
- ((uint128_t) in1[1]) * in2[1] + ((uint128_t) in1[2]) * in2[0];
+ ((uint128_t) in1[1]) * in2[1] +
+ ((uint128_t) in1[2]) * in2[0];
out[3] = ((uint128_t) in1[0]) * in2[3] +
- ((uint128_t) in1[1]) * in2[2] +
- ((uint128_t) in1[2]) * in2[1] + ((uint128_t) in1[3]) * in2[0];
+ ((uint128_t) in1[1]) * in2[2] +
+ ((uint128_t) in1[2]) * in2[1] +
+ ((uint128_t) in1[3]) * in2[0];
out[4] = ((uint128_t) in1[0]) * in2[4] +
- ((uint128_t) in1[1]) * in2[3] +
- ((uint128_t) in1[2]) * in2[2] +
- ((uint128_t) in1[3]) * in2[1] + ((uint128_t) in1[4]) * in2[0];
+ ((uint128_t) in1[1]) * in2[3] +
+ ((uint128_t) in1[2]) * in2[2] +
+ ((uint128_t) in1[3]) * in2[1] +
+ ((uint128_t) in1[4]) * in2[0];
out[5] = ((uint128_t) in1[0]) * in2[5] +
- ((uint128_t) in1[1]) * in2[4] +
- ((uint128_t) in1[2]) * in2[3] +
- ((uint128_t) in1[3]) * in2[2] +
- ((uint128_t) in1[4]) * in2[1] + ((uint128_t) in1[5]) * in2[0];
+ ((uint128_t) in1[1]) * in2[4] +
+ ((uint128_t) in1[2]) * in2[3] +
+ ((uint128_t) in1[3]) * in2[2] +
+ ((uint128_t) in1[4]) * in2[1] +
+ ((uint128_t) in1[5]) * in2[0];
out[6] = ((uint128_t) in1[0]) * in2[6] +
- ((uint128_t) in1[1]) * in2[5] +
- ((uint128_t) in1[2]) * in2[4] +
- ((uint128_t) in1[3]) * in2[3] +
- ((uint128_t) in1[4]) * in2[2] +
- ((uint128_t) in1[5]) * in2[1] + ((uint128_t) in1[6]) * in2[0];
+ ((uint128_t) in1[1]) * in2[5] +
+ ((uint128_t) in1[2]) * in2[4] +
+ ((uint128_t) in1[3]) * in2[3] +
+ ((uint128_t) in1[4]) * in2[2] +
+ ((uint128_t) in1[5]) * in2[1] +
+ ((uint128_t) in1[6]) * in2[0];
out[7] = ((uint128_t) in1[0]) * in2[7] +
- ((uint128_t) in1[1]) * in2[6] +
- ((uint128_t) in1[2]) * in2[5] +
- ((uint128_t) in1[3]) * in2[4] +
- ((uint128_t) in1[4]) * in2[3] +
- ((uint128_t) in1[5]) * in2[2] +
- ((uint128_t) in1[6]) * in2[1] + ((uint128_t) in1[7]) * in2[0];
+ ((uint128_t) in1[1]) * in2[6] +
+ ((uint128_t) in1[2]) * in2[5] +
+ ((uint128_t) in1[3]) * in2[4] +
+ ((uint128_t) in1[4]) * in2[3] +
+ ((uint128_t) in1[5]) * in2[2] +
+ ((uint128_t) in1[6]) * in2[1] +
+ ((uint128_t) in1[7]) * in2[0];
out[8] = ((uint128_t) in1[0]) * in2[8] +
- ((uint128_t) in1[1]) * in2[7] +
- ((uint128_t) in1[2]) * in2[6] +
- ((uint128_t) in1[3]) * in2[5] +
- ((uint128_t) in1[4]) * in2[4] +
- ((uint128_t) in1[5]) * in2[3] +
- ((uint128_t) in1[6]) * in2[2] +
- ((uint128_t) in1[7]) * in2[1] + ((uint128_t) in1[8]) * in2[0];
+ ((uint128_t) in1[1]) * in2[7] +
+ ((uint128_t) in1[2]) * in2[6] +
+ ((uint128_t) in1[3]) * in2[5] +
+ ((uint128_t) in1[4]) * in2[4] +
+ ((uint128_t) in1[5]) * in2[3] +
+ ((uint128_t) in1[6]) * in2[2] +
+ ((uint128_t) in1[7]) * in2[1] +
+ ((uint128_t) in1[8]) * in2[0];
/* See comment in felem_square about the use of in2x2 here */
out[0] += ((uint128_t) in1[1]) * in2x2[8] +
- ((uint128_t) in1[2]) * in2x2[7] +
- ((uint128_t) in1[3]) * in2x2[6] +
- ((uint128_t) in1[4]) * in2x2[5] +
- ((uint128_t) in1[5]) * in2x2[4] +
- ((uint128_t) in1[6]) * in2x2[3] +
- ((uint128_t) in1[7]) * in2x2[2] + ((uint128_t) in1[8]) * in2x2[1];
+ ((uint128_t) in1[2]) * in2x2[7] +
+ ((uint128_t) in1[3]) * in2x2[6] +
+ ((uint128_t) in1[4]) * in2x2[5] +
+ ((uint128_t) in1[5]) * in2x2[4] +
+ ((uint128_t) in1[6]) * in2x2[3] +
+ ((uint128_t) in1[7]) * in2x2[2] +
+ ((uint128_t) in1[8]) * in2x2[1];
out[1] += ((uint128_t) in1[2]) * in2x2[8] +
- ((uint128_t) in1[3]) * in2x2[7] +
- ((uint128_t) in1[4]) * in2x2[6] +
- ((uint128_t) in1[5]) * in2x2[5] +
- ((uint128_t) in1[6]) * in2x2[4] +
- ((uint128_t) in1[7]) * in2x2[3] + ((uint128_t) in1[8]) * in2x2[2];
+ ((uint128_t) in1[3]) * in2x2[7] +
+ ((uint128_t) in1[4]) * in2x2[6] +
+ ((uint128_t) in1[5]) * in2x2[5] +
+ ((uint128_t) in1[6]) * in2x2[4] +
+ ((uint128_t) in1[7]) * in2x2[3] +
+ ((uint128_t) in1[8]) * in2x2[2];
out[2] += ((uint128_t) in1[3]) * in2x2[8] +
- ((uint128_t) in1[4]) * in2x2[7] +
- ((uint128_t) in1[5]) * in2x2[6] +
- ((uint128_t) in1[6]) * in2x2[5] +
- ((uint128_t) in1[7]) * in2x2[4] + ((uint128_t) in1[8]) * in2x2[3];
+ ((uint128_t) in1[4]) * in2x2[7] +
+ ((uint128_t) in1[5]) * in2x2[6] +
+ ((uint128_t) in1[6]) * in2x2[5] +
+ ((uint128_t) in1[7]) * in2x2[4] +
+ ((uint128_t) in1[8]) * in2x2[3];
out[3] += ((uint128_t) in1[4]) * in2x2[8] +
- ((uint128_t) in1[5]) * in2x2[7] +
- ((uint128_t) in1[6]) * in2x2[6] +
- ((uint128_t) in1[7]) * in2x2[5] + ((uint128_t) in1[8]) * in2x2[4];
+ ((uint128_t) in1[5]) * in2x2[7] +
+ ((uint128_t) in1[6]) * in2x2[6] +
+ ((uint128_t) in1[7]) * in2x2[5] +
+ ((uint128_t) in1[8]) * in2x2[4];
out[4] += ((uint128_t) in1[5]) * in2x2[8] +
- ((uint128_t) in1[6]) * in2x2[7] +
- ((uint128_t) in1[7]) * in2x2[6] + ((uint128_t) in1[8]) * in2x2[5];
+ ((uint128_t) in1[6]) * in2x2[7] +
+ ((uint128_t) in1[7]) * in2x2[6] +
+ ((uint128_t) in1[8]) * in2x2[5];
out[5] += ((uint128_t) in1[6]) * in2x2[8] +
- ((uint128_t) in1[7]) * in2x2[7] + ((uint128_t) in1[8]) * in2x2[6];
+ ((uint128_t) in1[7]) * in2x2[7] +
+ ((uint128_t) in1[8]) * in2x2[6];
out[6] += ((uint128_t) in1[7]) * in2x2[8] +
- ((uint128_t) in1[8]) * in2x2[7];
+ ((uint128_t) in1[8]) * in2x2[7];
out[7] += ((uint128_t) in1[8]) * in2x2[8];
}
out[1] += ((limb) in[0]) >> 58;
out[1] += (((limb) (in[0] >> 64)) & bottom52bits) << 6;
- /*-
- * out[1] < 2^58 + 2^6 + 2^58
- * = 2^59 + 2^6
- */
+ /*-
+ * out[1] < 2^58 + 2^6 + 2^58
+ * = 2^59 + 2^6
+ */
out[2] += ((limb) (in[0] >> 64)) >> 52;
out[2] += ((limb) in[1]) >> 58;
out[8] += ((limb) in[7]) >> 58;
out[8] += (((limb) (in[7] >> 64)) & bottom52bits) << 6;
- /*-
- * out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12
- * < 2^59 + 2^13
- */
+ /*-
+ * out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12
+ * < 2^59 + 2^13
+ */
overflow1 = ((limb) (in[7] >> 64)) >> 52;
overflow1 += ((limb) in[8]) >> 58;
out[1] += out[0] >> 58;
out[0] &= bottom58bits;
- /*-
- * out[0] < 2^58
- * out[1] < 2^59 + 2^6 + 2^13 + 2^2
- * < 2^59 + 2^14
- */
+ /*-
+ * out[0] < 2^58
+ * out[1] < 2^59 + 2^6 + 2^13 + 2^2
+ * < 2^59 + 2^14
+ */
}
static void felem_square_reduce(felem out, const felem in)
* Tables for other points have table[i] = iG for i in 0 .. 16. */
/* gmul is the table of precomputed base points */
-static const felem gmul[16][3] = { {{0, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, 0, 0, 0, 0, 0, 0, 0, 0}},
+static const felem gmul[16][3] = {
+{{0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, 0, 0, 0, 0, 0, 0, 0, 0}},
{{0x017e7e31c2e5bd66, 0x022cf0615a90a6fe, 0x00127a2ffa8de334,
0x01dfbf9d64a3f877, 0x006b4d3dbaa14b5e, 0x014fed487e0a2bd8,
0x015b4429c6481390, 0x03a73678fb2d988e, 0x00c6858e06b70404},
{
unsigned i, j;
limb *outlimbs = &out[0][0];
- memset(outlimbs, 0, 3 * sizeof(felem));
+
+ memset(out, 0, sizeof(out));
for (i = 0; i < size; i++) {
const limb *inlimbs = &pre_comp[i][0][0];
u8 sign, digit;
/* set nq to the point at infinity */
- memset(nq, 0, 3 * sizeof(felem));
+ memset(nq, 0, sizeof(nq));
/*
* Loop over all scalars msb-to-lsb, interleaving additions of multiples
static NISTP521_PRE_COMP *nistp521_pre_comp_new()
{
- NISTP521_PRE_COMP *ret = NULL;
- ret = (NISTP521_PRE_COMP *) OPENSSL_malloc(sizeof(NISTP521_PRE_COMP));
+ NISTP521_PRE_COMP *ret = OPENSSL_malloc(sizeof(*ret));
+
if (!ret) {
ECerr(EC_F_NISTP521_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
return ret;
if (i > 0)
return;
- OPENSSL_cleanse(pre, sizeof(*pre));
- OPENSSL_free(pre);
+ OPENSSL_clear_free(pre, sizeof(*pre));
}
/******************************************************************************/
ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
err:
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
EC_R_POINT_AT_INFINITY);
return 0;
}
- if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) ||
- (!BN_to_felem(z1, &point->Z)))
+ if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) ||
+ (!BN_to_felem(z1, point->Z)))
return 0;
felem_inv(z2, z1);
felem_square(tmp, z2);
BIGNUM *x, *y, *z, *tmp_scalar;
felem_bytearray g_secret;
felem_bytearray *secrets = NULL;
- felem(*pre_comp)[17][3] = NULL;
+ felem (*pre_comp)[17][3] = NULL;
felem *tmp_felems = NULL;
felem_bytearray tmp;
unsigned i, num_bytes;
*/
mixed = 1;
}
- secrets = OPENSSL_malloc(num_points * sizeof(felem_bytearray));
- pre_comp = OPENSSL_malloc(num_points * 17 * 3 * sizeof(felem));
+ secrets = OPENSSL_malloc(sizeof(*secrets) * num_points);
+ pre_comp = OPENSSL_malloc(sizeof(*pre_comp) * num_points);
if (mixed)
tmp_felems =
- OPENSSL_malloc((num_points * 17 + 1) * sizeof(felem));
+ OPENSSL_malloc(sizeof(*tmp_felemts) * (num_points * 17 + 1));
if ((secrets == NULL) || (pre_comp == NULL)
|| (mixed && (tmp_felems == NULL))) {
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_MALLOC_FAILURE);
* we treat NULL scalars as 0, and NULL points as points at infinity,
* i.e., they contribute nothing to the linear combination
*/
- memset(secrets, 0, num_points * sizeof(felem_bytearray));
- memset(pre_comp, 0, num_points * 17 * 3 * sizeof(felem));
+ memset(secrets, 0, sizeof(*secrets) * num_points);
+ memset(pre_comp, 0, sizseof(*pre_comp) * num_points);
for (i = 0; i < num_points; ++i) {
if (i == num)
/*
* this is an unusual input, and we don't guarantee
* constant-timeness
*/
- if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) {
+ if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) {
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
num_bytes = BN_bn2bin(p_scalar, tmp);
flip_endian(secrets[i], tmp, num_bytes);
/* precompute multiples */
- if ((!BN_to_felem(x_out, &p->X)) ||
- (!BN_to_felem(y_out, &p->Y)) ||
- (!BN_to_felem(z_out, &p->Z)))
+ if ((!BN_to_felem(x_out, p->X)) ||
+ (!BN_to_felem(y_out, p->Y)) ||
+ (!BN_to_felem(z_out, p->Z)))
goto err;
memcpy(pre_comp[i][1][0], x_out, sizeof(felem));
memcpy(pre_comp[i][1][1], y_out, sizeof(felem));
* this is an unusual input, and we don't guarantee
* constant-timeness
*/
- if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) {
+ if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) {
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
err:
BN_CTX_end(ctx);
- if (generator != NULL)
- EC_POINT_free(generator);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
- if (secrets != NULL)
- OPENSSL_free(secrets);
- if (pre_comp != NULL)
- OPENSSL_free(pre_comp);
- if (tmp_felems != NULL)
- OPENSSL_free(tmp_felems);
+ EC_POINT_free(generator);
+ BN_CTX_free(new_ctx);
+ OPENSSL_free(secrets);
+ OPENSSL_free(pre_comp);
+ OPENSSL_free(tmp_felems);
return ret;
}
ret = 1;
goto err;
}
- if ((!BN_to_felem(pre->g_pre_comp[1][0], &group->generator->X)) ||
- (!BN_to_felem(pre->g_pre_comp[1][1], &group->generator->Y)) ||
- (!BN_to_felem(pre->g_pre_comp[1][2], &group->generator->Z)))
+ if ((!BN_to_felem(pre->g_pre_comp[1][0], group->generator->X)) ||
+ (!BN_to_felem(pre->g_pre_comp[1][1], group->generator->Y)) ||
+ (!BN_to_felem(pre->g_pre_comp[1][2], group->generator->Z)))
goto err;
/* compute 2^130*G, 2^260*G, 2^390*G */
for (i = 1; i <= 4; i <<= 1) {
pre = NULL;
err:
BN_CTX_end(ctx);
- if (generator != NULL)
- EC_POINT_free(generator);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
- if (pre)
- nistp521_pre_comp_free(pre);
+ EC_POINT_free(generator);
+ BN_CTX_free(new_ctx);
+ nistp521_pre_comp_free(pre);
return ret;
}
projects / openssl.git / blobdiff