Remove duplicated 448 in the names of various things
authorMatt Caswell <matt@openssl.org>
Wed, 6 Dec 2017 13:06:13 +0000 (13:06 +0000)
committerMatt Caswell <matt@openssl.org>
Tue, 20 Feb 2018 12:59:30 +0000 (12:59 +0000)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)

crypto/ec/curve448/curve448.c
crypto/ec/curve448/ed448.h
crypto/ec/curve448/eddsa.c
crypto/ec/curve448/point_448.h
crypto/ec/curve448/scalar.c

index f28bce1..920705b 100644 (file)
@@ -267,7 +267,7 @@ void curve448_precomputed_scalarmul(curve448_point_t out,
 
             for (k = 0; k < t; k++) {
                 unsigned int bit = i + s * (k + j * t);
-                if (bit < C448_448_SCALAR_BITS) {
+                if (bit < C448_SCALAR_BITS) {
                     tab |=
                         (scalar1x->limb[bit / WBITS] >> (bit % WBITS) & 1) << k;
                 }
@@ -294,7 +294,7 @@ void curve448_precomputed_scalarmul(curve448_point_t out,
 }
 
 void curve448_point_mul_by_ratio_and_encode_like_eddsa(
-                                    uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES],
+                                    uint8_t enc[EDDSA_448_PUBLIC_BYTES],
                                     const curve448_point_t p)
 {
 
@@ -329,9 +329,9 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa(
     gf_mul(x, y, z);
 
     /* Encode */
-    enc[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0;
+    enc[EDDSA_448_PRIVATE_BYTES - 1] = 0;
     gf_serialize(enc, x, 1);
-    enc[C448_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t);
+    enc[EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t);
 
     OPENSSL_cleanse(x, sizeof(x));
     OPENSSL_cleanse(y, sizeof(y));
@@ -342,20 +342,20 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa(
 
 c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
                                 curve448_point_t p,
-                                const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES])
+                                const uint8_t enc[EDDSA_448_PUBLIC_BYTES])
 {
-    uint8_t enc2[C448_EDDSA_448_PUBLIC_BYTES];
+    uint8_t enc2[EDDSA_448_PUBLIC_BYTES];
     mask_t low;
     mask_t succ;
 
     memcpy(enc2, enc, sizeof(enc2));
 
-    low = ~word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] & 0x80);
-    enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80;
+    low = ~word_is_zero(enc2[EDDSA_448_PRIVATE_BYTES - 1] & 0x80);
+    enc2[EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80;
 
     succ = gf_deserialize(p->y, enc2, 1, 0);
 #if 0 == 0
-    succ &= word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1]);
+    succ &= word_is_zero(enc2[EDDSA_448_PRIVATE_BYTES - 1]);
 #endif
 
     gf_sqr(p->x, p->y);
@@ -399,9 +399,9 @@ c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
     return c448_succeed_if(mask_to_bool(succ));
 }
 
-c448_error_t c448_x448(uint8_t out[X_PUBLIC_BYTES],
-                       const uint8_t base[X_PUBLIC_BYTES],
-                       const uint8_t scalar[X_PRIVATE_BYTES])
+c448_error_t x448_int(uint8_t out[X_PUBLIC_BYTES],
+                      const uint8_t base[X_PUBLIC_BYTES],
+                      const uint8_t scalar[X_PRIVATE_BYTES])
 {
     gf x1, x2, z2, x3, z3, t1, t2;
     int t;
@@ -486,8 +486,8 @@ void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t
     curve448_point_destroy(q);
 }
 
-void c448_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],
-                                 const uint8_t scalar[X_PRIVATE_BYTES])
+void x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],
+                            const uint8_t scalar[X_PRIVATE_BYTES])
 {
     /* Scalar conditioning */
     uint8_t scalar2[X_PRIVATE_BYTES];
@@ -504,7 +504,7 @@ void c448_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],
     curve448_scalar_decode_long(the_scalar, scalar2, sizeof(scalar2));
 
     /* Compensate for the encoding ratio */
-    for (i = 1; i < C448_X448_ENCODE_RATIO; i <<= 1) {
+    for (i = 1; i < X448_ENCODE_RATIO; i <<= 1) {
         curve448_scalar_halve(the_scalar, the_scalar);
     }
     curve448_precomputed_scalarmul(p, curve448_precomputed_base, the_scalar);
@@ -522,7 +522,7 @@ static int recode_wnaf(struct smvt_control *control,
                        const curve448_scalar_t scalar,
                        unsigned int table_bits)
 {
-    unsigned int table_size = C448_448_SCALAR_BITS / (table_bits + 1) + 3;
+    unsigned int table_size = C448_SCALAR_BITS / (table_bits + 1) + 3;
     int position = table_size - 1; /* at the end */
     uint64_t current = scalar->limb[0] & 0xFFFF;
     uint32_t mask = (1 << (table_bits + 1)) - 1;
@@ -541,8 +541,8 @@ static int recode_wnaf(struct smvt_control *control,
      * 1/5 op. Probably not worth it.
      */
 
-    for (w = 1; w < (C448_448_SCALAR_BITS - 1) / 16 + 3; w++) {
-        if (w < (C448_448_SCALAR_BITS - 1) / 16 + 1) {
+    for (w = 1; w < (C448_SCALAR_BITS - 1) / 16 + 3; w++) {
+        if (w < (C448_SCALAR_BITS - 1) / 16 + 1) {
             /* Refill the 16 high bits of current */
             current += (uint32_t)((scalar->limb[w / B_OVER_16]
                        >> (16 * (w %  B_OVER_16))) << 16);
@@ -612,9 +612,9 @@ void curve448_base_double_scalarmul_non_secret(curve448_point_t combo,
 {
     const int table_bits_var = C448_WNAF_VAR_TABLE_BITS,
         table_bits_pre = C448_WNAF_FIXED_TABLE_BITS;
-    struct smvt_control control_var[C448_448_SCALAR_BITS /
+    struct smvt_control control_var[C448_SCALAR_BITS /
                                     (C448_WNAF_VAR_TABLE_BITS + 1) + 3];
-    struct smvt_control control_pre[C448_448_SCALAR_BITS /
+    struct smvt_control control_pre[C448_SCALAR_BITS /
                                     (C448_WNAF_FIXED_TABLE_BITS + 1) + 3];
     int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);
     int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);
@@ -697,12 +697,12 @@ void curve448_point_destroy(curve448_point_t point)
 int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],
          const uint8_t peer_public_value[56])
 {
-    return c448_x448(out_shared_key, peer_public_value, private_key)
-        == C448_SUCCESS;
+    return x448_int(out_shared_key, peer_public_value, private_key)
+           == C448_SUCCESS;
 }
 
 void X448_public_from_private(uint8_t out_public_value[56],
                               const uint8_t private_key[56])
 {
-    c448_x448_derive_public_key(out_public_value, private_key);
+    x448_derive_public_key(out_public_value, private_key);
 }
index abad0db..ca53877 100644 (file)
@@ -20,20 +20,20 @@ extern "C" {
 #endif
 
 /* Number of bytes in an EdDSA public key. */
-# define C448_EDDSA_448_PUBLIC_BYTES 57
+# define EDDSA_448_PUBLIC_BYTES 57
 
 /* Number of bytes in an EdDSA private key. */
-# define C448_EDDSA_448_PRIVATE_BYTES C448_EDDSA_448_PUBLIC_BYTES
+# define EDDSA_448_PRIVATE_BYTES EDDSA_448_PUBLIC_BYTES
 
 /* Number of bytes in an EdDSA private key. */
-# define C448_EDDSA_448_SIGNATURE_BYTES (C448_EDDSA_448_PUBLIC_BYTES + \
-                                         C448_EDDSA_448_PRIVATE_BYTES)
+# define EDDSA_448_SIGNATURE_BYTES (EDDSA_448_PUBLIC_BYTES + \
+                                    EDDSA_448_PRIVATE_BYTES)
 
 /* EdDSA encoding ratio. */
-# define C448_448_EDDSA_ENCODE_RATIO 4
+# define C448_EDDSA_ENCODE_RATIO 4
 
 /* EdDSA decoding ratio. */
-# define C448_448_EDDSA_DECODE_RATIO (4 / 4)
+# define C448_EDDSA_DECODE_RATIO (4 / 4)
 
 /*
  * EdDSA key generation.  This function uses a different (non-Decaf) encoding.
@@ -42,8 +42,8 @@ extern "C" {
  * privkey (in): The private key.
  */
 c448_error_t c448_ed448_derive_public_key(
-                        uint8_t pubkey [C448_EDDSA_448_PUBLIC_BYTES],
-                        const uint8_t privkey [C448_EDDSA_448_PRIVATE_BYTES]);
+                        uint8_t pubkey [EDDSA_448_PUBLIC_BYTES],
+                        const uint8_t privkey [EDDSA_448_PRIVATE_BYTES]);
 
 /*
  * EdDSA signing.
@@ -64,9 +64,9 @@ c448_error_t c448_ed448_derive_public_key(
  * it harder to screw this up, but this C code gives you no seat belt.
  */
 c448_error_t c448_ed448_sign(
-                        uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
-                        const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
-                        const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
+                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                         const uint8_t *message, size_t message_len,
                         uint8_t prehashed, const uint8_t *context,
                         size_t context_len)
@@ -90,9 +90,9 @@ c448_error_t c448_ed448_sign(
  * it harder to screw this up, but this C code gives you no seat belt.
  */
 c448_error_t c448_ed448_sign_prehash(
-                        uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
-                        const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
-                        const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
+                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                         const uint8_t hash[64],
                         const uint8_t *context,
                         size_t context_len)
@@ -118,9 +118,9 @@ c448_error_t c448_ed448_sign_prehash(
  * it harder to screw this up, but this C code gives you no seat belt.
  */
 c448_error_t c448_ed448_verify(const uint8_t
-                                 signature[C448_EDDSA_448_SIGNATURE_BYTES],
+                                 signature[EDDSA_448_SIGNATURE_BYTES],
                                  const uint8_t
-                                 pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+                                 pubkey[EDDSA_448_PUBLIC_BYTES],
                                  const uint8_t *message, size_t message_len,
                                  uint8_t prehashed, const uint8_t *context,
                                  uint8_t context_len)
@@ -145,8 +145,8 @@ c448_error_t c448_ed448_verify(const uint8_t
  * it harder to screw this up, but this C code gives you no seat belt.
  */
 c448_error_t c448_ed448_verify_prehash(
-                    const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
-                    const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                     const uint8_t hash[64],
                     const uint8_t *context,
                     uint8_t context_len)
@@ -154,7 +154,7 @@ c448_error_t c448_ed448_verify_prehash(
 
 /*
  * EdDSA point encoding.  Used internally, exposed externally.
- * Multiplies by C448_448_EDDSA_ENCODE_RATIO first.
+ * Multiplies by C448_EDDSA_ENCODE_RATIO first.
  *
  * The multiplication is required because the EdDSA encoding represents
  * the cofactor information, but the Decaf encoding ignores it (which
@@ -162,25 +162,25 @@ c448_error_t c448_ed448_verify_prehash(
  * EdDSA, the cofactor info must get cleared, because the intermediate
  * representation doesn't track it.
  *
- * The way we handle this is to multiply by C448_448_EDDSA_DECODE_RATIO when
- * decoding, and by C448_448_EDDSA_ENCODE_RATIO when encoding.  The product of
+ * The way we handle this is to multiply by C448_EDDSA_DECODE_RATIO when
+ * decoding, and by C448_EDDSA_ENCODE_RATIO when encoding.  The product of
  * these ratios is always exactly the cofactor 4, so the cofactor ends up
  * cleared one way or another.  But exactly how that shakes out depends on the
  * base points specified in RFC 8032.
  *
  * The upshot is that if you pass the Decaf/Ristretto base point to
- * this function, you will get C448_448_EDDSA_ENCODE_RATIO times the
+ * this function, you will get C448_EDDSA_ENCODE_RATIO times the
  * EdDSA base point.
  *
  * enc (out): The encoded point.
  * p (in): The point.
  */
 void curve448_point_mul_by_ratio_and_encode_like_eddsa(
-                                    uint8_t enc [C448_EDDSA_448_PUBLIC_BYTES],
+                                    uint8_t enc [EDDSA_448_PUBLIC_BYTES],
                                     const curve448_point_t p);
 
 /*
- * EdDSA point decoding.  Multiplies by C448_448_EDDSA_DECODE_RATIO, and
+ * EdDSA point decoding.  Multiplies by C448_EDDSA_DECODE_RATIO, and
  * ignores cofactor information.
  *
  * See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa
@@ -190,7 +190,7 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa(
  */
 c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
                             curve448_point_t p,
-                            const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES]);
+                            const uint8_t enc[EDDSA_448_PUBLIC_BYTES]);
 
 /*
  * EdDSA to ECDH private key conversion
@@ -201,8 +201,8 @@ c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
  * ed (in): The EdDSA private key
  */
 c448_error_t c448_ed448_convert_private_key_to_x448(
-                            uint8_t x[C448_X448_PRIVATE_BYTES],
-                            const uint8_t ed[C448_EDDSA_448_PRIVATE_BYTES]);
+                            uint8_t x[X448_PRIVATE_BYTES],
+                            const uint8_t ed[EDDSA_448_PRIVATE_BYTES]);
 
 #ifdef __cplusplus
 } /* extern "C" */
index d76c15d..aa182cd 100644 (file)
@@ -39,18 +39,18 @@ static c448_error_t oneshot_hash(uint8_t *out, size_t outlen,
     return C448_SUCCESS;
 }
 
-static void clamp(uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES])
+static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
 {
     uint8_t hibit = (1 << 0) >> 1;
 
     /* Blarg */
     secret_scalar_ser[0] &= -COFACTOR;
     if (hibit == 0) {
-        secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0;
-        secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
+        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
+        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
     } else {
-        secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
-        secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
+        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
+        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
     }
 }
 
@@ -79,27 +79,27 @@ static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
 
 /* In this file because it uses the hash */
 c448_error_t c448_ed448_convert_private_key_to_x448(
-                            uint8_t x[C448_X448_PRIVATE_BYTES],
-                            const uint8_t ed [C448_EDDSA_448_PRIVATE_BYTES])
+                            uint8_t x[X448_PRIVATE_BYTES],
+                            const uint8_t ed [EDDSA_448_PRIVATE_BYTES])
 {
     /* pass the private key through oneshot_hash function */
-    /* and keep the first C448_X448_PRIVATE_BYTES bytes */
-    return oneshot_hash(x, C448_X448_PRIVATE_BYTES, ed,
-                        C448_EDDSA_448_PRIVATE_BYTES);
+    /* and keep the first X448_PRIVATE_BYTES bytes */
+    return oneshot_hash(x, X448_PRIVATE_BYTES, ed,
+                        EDDSA_448_PRIVATE_BYTES);
 }
 
 c448_error_t c448_ed448_derive_public_key(
-                        uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
-                        const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES])
+                        uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
+                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES])
 {
     /* only this much used for keygen */
-    uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES];
+    uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
     curve448_scalar_t secret_scalar;
     unsigned int c;
     curve448_point_t p;
 
     if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
-                      C448_EDDSA_448_PRIVATE_BYTES))
+                      EDDSA_448_PRIVATE_BYTES))
         return C448_FAILURE;
 
     clamp(secret_scalar_ser);
@@ -115,7 +115,7 @@ c448_error_t c448_ed448_derive_public_key(
      * converted it effectively picks up a factor of 2 from the isogenies.  So
      * we might start at 2 instead of 1.
      */
-    for (c = 1; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1)
+    for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
         curve448_scalar_halve(secret_scalar, secret_scalar);
 
     curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);
@@ -131,9 +131,9 @@ c448_error_t c448_ed448_derive_public_key(
 }
 
 c448_error_t c448_ed448_sign(
-                        uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
-                        const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
-                        const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
+                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                         const uint8_t *message, size_t message_len,
                         uint8_t prehashed, const uint8_t *context,
                         size_t context_len)
@@ -142,7 +142,7 @@ c448_error_t c448_ed448_sign(
     EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
     c448_error_t ret = C448_FAILURE;
     curve448_scalar_t nonce_scalar;
-    uint8_t nonce_point[C448_EDDSA_448_PUBLIC_BYTES] = { 0 };
+    uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
     unsigned int c;
     curve448_scalar_t challenge_scalar;
 
@@ -152,12 +152,12 @@ c448_error_t c448_ed448_sign(
     {
         /* Schedule the secret key */
         struct {
-            uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES];
-            uint8_t seed[C448_EDDSA_448_PRIVATE_BYTES];
+            uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
+            uint8_t seed[EDDSA_448_PRIVATE_BYTES];
         } __attribute__ ((packed)) expanded;
 
         if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey,
-                          C448_EDDSA_448_PRIVATE_BYTES))
+                          EDDSA_448_PRIVATE_BYTES))
             goto err;
         clamp(expanded.secret_scalar_ser);
         curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser,
@@ -175,7 +175,7 @@ c448_error_t c448_ed448_sign(
 
     /* Decode the nonce */
     {
-        uint8_t nonce[2 * C448_EDDSA_448_PRIVATE_BYTES];
+        uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];
 
         if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
             goto err;
@@ -189,7 +189,7 @@ c448_error_t c448_ed448_sign(
         curve448_point_t p;
 
         curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
-        for (c = 2; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) {
+        for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) {
             curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
         }
 
@@ -201,12 +201,12 @@ c448_error_t c448_ed448_sign(
     }
 
     {
-        uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES];
+        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
 
         /* Compute the challenge */
         if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
             || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
-            || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES)
+            || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
             || !EVP_DigestUpdate(hashctx, message, message_len)
             || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
             goto err;
@@ -219,9 +219,9 @@ c448_error_t c448_ed448_sign(
     curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
     curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
 
-    OPENSSL_cleanse(signature, C448_EDDSA_448_SIGNATURE_BYTES);
+    OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
     memcpy(signature, nonce_point, sizeof(nonce_point));
-    curve448_scalar_encode(&signature[C448_EDDSA_448_PUBLIC_BYTES],
+    curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
                            challenge_scalar);
 
     curve448_scalar_destroy(secret_scalar);
@@ -235,9 +235,9 @@ c448_error_t c448_ed448_sign(
 }
 
 c448_error_t c448_ed448_sign_prehash(
-                        uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
-                        const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
-                        const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
+                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                         const uint8_t hash[64], const uint8_t *context,
                         size_t context_len)
 {
@@ -246,8 +246,8 @@ c448_error_t c448_ed448_sign_prehash(
 }
 
 c448_error_t c448_ed448_verify(
-                    const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
-                    const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                     const uint8_t *message, size_t message_len,
                     uint8_t prehashed, const uint8_t *context,
                     uint8_t context_len)
@@ -270,13 +270,13 @@ c448_error_t c448_ed448_verify(
     {
         /* Compute the challenge */
         EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
-        uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES];
+        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
 
         if (hashctx == NULL
             || !hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
             || !EVP_DigestUpdate(hashctx, signature,
-                                 C448_EDDSA_448_PUBLIC_BYTES)
-            || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES)
+                                 EDDSA_448_PUBLIC_BYTES)
+            || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
             || !EVP_DigestUpdate(hashctx, message, message_len)
             || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
             EVP_MD_CTX_free(hashctx);
@@ -292,10 +292,10 @@ c448_error_t c448_ed448_verify(
                         challenge_scalar);
 
     curve448_scalar_decode_long(response_scalar,
-                                &signature[C448_EDDSA_448_PUBLIC_BYTES],
-                                C448_EDDSA_448_PRIVATE_BYTES);
+                                &signature[EDDSA_448_PUBLIC_BYTES],
+                                EDDSA_448_PRIVATE_BYTES);
 
-    for (c = 1; c < C448_448_EDDSA_DECODE_RATIO; c <<= 1)
+    for (c = 1; c < C448_EDDSA_DECODE_RATIO; c <<= 1)
         curve448_scalar_add(response_scalar, response_scalar, response_scalar);
 
     /* pk_point = -c(x(P)) + (cx + k)G = kG */
@@ -306,8 +306,8 @@ c448_error_t c448_ed448_verify(
 }
 
 c448_error_t c448_ed448_verify_prehash(
-                    const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
-                    const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                     const uint8_t hash[64], const uint8_t *context,
                     uint8_t context_len)
 {
index 72a5e80..92949e3 100644 (file)
 extern "C" {
 #endif
 
-# define C448_448_SCALAR_LIMBS ((446-1)/C448_WORD_BITS+1)
+# define C448_SCALAR_LIMBS ((446-1)/C448_WORD_BITS+1)
 
 /* The number of bits in a scalar */
-# define C448_448_SCALAR_BITS 446
+# define C448_SCALAR_BITS 446
 
 /* Number of bytes in a serialized scalar. */
-# define C448_448_SCALAR_BYTES 56
+# define C448_SCALAR_BYTES 56
 
 /* X448 encoding ratio. */
-# define C448_X448_ENCODE_RATIO 2
+# define X448_ENCODE_RATIO 2
 
 /* Number of bytes in an x448 public key */
-# define C448_X448_PUBLIC_BYTES 56
+# define X448_PUBLIC_BYTES 56
 
 /* Number of bytes in an x448 private key */
-# define C448_X448_PRIVATE_BYTES 56
+# define X448_PRIVATE_BYTES 56
 
 /* Twisted Edwards extended homogeneous coordinates */
 typedef struct curve448_point_s {
@@ -50,7 +50,7 @@ typedef struct curve448_precomputed_s curve448_precomputed_s;
 
 /* Scalar is stored packed, because we don't need the speed. */
 typedef struct curve448_scalar_s {
-    c448_word_t limb[C448_448_SCALAR_LIMBS];
+    c448_word_t limb[C448_SCALAR_LIMBS];
 } curve448_scalar_t[1];
 
 /* A scalar equal to 1. */
@@ -78,7 +78,7 @@ extern const struct curve448_precomputed_s *curve448_precomputed_base;
  */
 __owur c448_error_t curve448_scalar_decode(
                             curve448_scalar_t out,
-                            const unsigned char ser[C448_448_SCALAR_BYTES]);
+                            const unsigned char ser[C448_SCALAR_BYTES]);
 
 /*
  * Read a scalar from wire format or from bytes.  Reduces mod scalar prime.
@@ -96,7 +96,7 @@ void curve448_scalar_decode_long(curve448_scalar_t out,
  * ser (out): Serialized form of a scalar.
  * s (in): Deserialized scalar.
  */
-void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES],
+void curve448_scalar_encode(unsigned char ser[C448_SCALAR_BYTES],
                             const curve448_scalar_t s);
 
 /*
@@ -198,12 +198,12 @@ void curve448_point_double(curve448_point_t two_a, const curve448_point_t a);
  * C448_FAILURE: The scalarmul didn't succeed, because the base point is in a
  * small subgroup.
  */
-__owur c448_error_t c448_x448(uint8_t out[C448_X448_PUBLIC_BYTES],
-                              const uint8_t base[C448_X448_PUBLIC_BYTES],
-                              const uint8_t scalar[C448_X448_PRIVATE_BYTES]);
+__owur c448_error_t x448_int(uint8_t out[X448_PUBLIC_BYTES],
+                             const uint8_t base[X448_PUBLIC_BYTES],
+                             const uint8_t scalar[X448_PRIVATE_BYTES]);
 
 /*
- * Multiply a point by C448_X448_ENCODE_RATIO, then encode it like RFC 7748.
+ * Multiply a point by X448_ENCODE_RATIO, then encode it like RFC 7748.
  *
  * This function is mainly used internally, but is exported in case
  * it will be useful.
@@ -215,14 +215,14 @@ __owur c448_error_t c448_x448(uint8_t out[C448_X448_PUBLIC_BYTES],
  *
  * As it happens, this aligns with the base point definitions; that is,
  * if you pass the Decaf/Ristretto base point to this function, the result
- * will be C448_X448_ENCODE_RATIO times the X448
+ * will be X448_ENCODE_RATIO times the X448
  * base point.
  *
  * out (out): The scaled and encoded point.
  * p (in): The point to be scaled and encoded.
  */
 void curve448_point_mul_by_ratio_and_encode_like_x448(
-                                        uint8_t out[C448_X448_PUBLIC_BYTES],
+                                        uint8_t out[X448_PUBLIC_BYTES],
                                         const curve448_point_t p);
 
 /*
@@ -232,9 +232,8 @@ void curve448_point_mul_by_ratio_and_encode_like_x448(
  * out (out): The scaled point base*scalar
  * scalar (in): The scalar to multiply by.
  */
-void c448_x448_derive_public_key(
-                                uint8_t out[C448_X448_PUBLIC_BYTES],
-                                const uint8_t scalar[C448_X448_PRIVATE_BYTES]);
+void x448_derive_public_key(uint8_t out[X448_PUBLIC_BYTES],
+                            const uint8_t scalar[X448_PRIVATE_BYTES]);
 
 /*
  * Multiply a precomputed base point by a scalar: out = scalar*base.
index a93964e..3c61ed6 100644 (file)
@@ -47,7 +47,7 @@ const curve448_scalar_t  curve448_scalar_zero = {{{0}}};
  * Must have extra <= 1
  */
 static void sc_subx(curve448_scalar_t out,
-                    const c448_word_t accum[C448_448_SCALAR_LIMBS],
+                    const c448_word_t accum[C448_SCALAR_LIMBS],
                     const curve448_scalar_t sub,
                     const curve448_scalar_t p, c448_word_t extra)
 {
@@ -55,7 +55,7 @@ static void sc_subx(curve448_scalar_t out,
     unsigned int i;
     c448_word_t borrow;
 
-    for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+    for (i = 0; i < C448_SCALAR_LIMBS; i++) {
         chain = (chain + accum[i]) - sub->limb[i];
         out->limb[i] = chain;
         chain >>= WBITS;
@@ -63,7 +63,7 @@ static void sc_subx(curve448_scalar_t out,
     borrow = chain + extra;     /* = 0 or -1 */
 
     chain = 0;
-    for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+    for (i = 0; i < C448_SCALAR_LIMBS; i++) {
         chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
         out->limb[i] = chain;
         chain >>= WBITS;
@@ -74,15 +74,15 @@ static void sc_montmul(curve448_scalar_t out, const curve448_scalar_t a,
                        const curve448_scalar_t b)
 {
     unsigned int i, j;
-    c448_word_t accum[C448_448_SCALAR_LIMBS + 1] = { 0 };
+    c448_word_t accum[C448_SCALAR_LIMBS + 1] = { 0 };
     c448_word_t hi_carry = 0;
 
-    for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+    for (i = 0; i < C448_SCALAR_LIMBS; i++) {
         c448_word_t mand = a->limb[i];
         const c448_word_t *mier = b->limb;
 
         c448_dword_t chain = 0;
-        for (j = 0; j < C448_448_SCALAR_LIMBS; j++) {
+        for (j = 0; j < C448_SCALAR_LIMBS; j++) {
             chain += ((c448_dword_t) mand) * mier[j] + accum[j];
             accum[j] = chain;
             chain >>= WBITS;
@@ -92,7 +92,7 @@ static void sc_montmul(curve448_scalar_t out, const curve448_scalar_t a,
         mand = accum[0] * MONTGOMERY_FACTOR;
         chain = 0;
         mier = sc_p->limb;
-        for (j = 0; j < C448_448_SCALAR_LIMBS; j++) {
+        for (j = 0; j < C448_SCALAR_LIMBS; j++) {
             chain += (c448_dword_t) mand *mier[j] + accum[j];
             if (j)
                 accum[j - 1] = chain;
@@ -126,7 +126,7 @@ void curve448_scalar_add(curve448_scalar_t out, const curve448_scalar_t a,
     c448_dword_t chain = 0;
     unsigned int i;
 
-    for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+    for (i = 0; i < C448_SCALAR_LIMBS; i++) {
         chain = (chain + a->limb[i]) + b->limb[i];
         out->limb[i] = chain;
         chain >>= WBITS;
@@ -140,7 +140,7 @@ static ossl_inline void scalar_decode_short(curve448_scalar_t s,
 {
     unsigned int i, j, k = 0;
 
-    for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+    for (i = 0; i < C448_SCALAR_LIMBS; i++) {
         c448_word_t out = 0;
 
         for (j = 0; j < sizeof(c448_word_t) && k < nbytes; j++, k++)
@@ -151,13 +151,13 @@ static ossl_inline void scalar_decode_short(curve448_scalar_t s,
 
 c448_error_t curve448_scalar_decode(
                                 curve448_scalar_t s,
-                                const unsigned char ser[C448_448_SCALAR_BYTES])
+                                const unsigned char ser[C448_SCALAR_BYTES])
 {
     unsigned int i;
     c448_dsword_t accum = 0;
 
-    scalar_decode_short(s, ser, C448_448_SCALAR_BYTES);
-    for (i = 0; i < C448_448_SCALAR_LIMBS; i++)
+    scalar_decode_short(s, ser, C448_SCALAR_BYTES);
+    for (i = 0; i < C448_SCALAR_LIMBS; i++)
         accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
     /* Here accum == 0 or -1 */
 
@@ -182,9 +182,9 @@ void curve448_scalar_decode_long(curve448_scalar_t s,
         return;
     }
 
-    i = ser_len - (ser_len % C448_448_SCALAR_BYTES);
+    i = ser_len - (ser_len % C448_SCALAR_BYTES);
     if (i == ser_len)
-        i -= C448_448_SCALAR_BYTES;
+        i -= C448_SCALAR_BYTES;
 
     scalar_decode_short(t1, &ser[i], ser_len - i);
 
@@ -197,7 +197,7 @@ void curve448_scalar_decode_long(curve448_scalar_t s,
     }
 
     while (i) {
-        i -= C448_448_SCALAR_BYTES;
+        i -= C448_SCALAR_BYTES;
         sc_montmul(t1, t1, sc_r2);
         ignore_result(curve448_scalar_decode(t2, ser + i));
         curve448_scalar_add(t1, t1, t2);
@@ -208,12 +208,12 @@ void curve448_scalar_decode_long(curve448_scalar_t s,
     curve448_scalar_destroy(t2);
 }
 
-void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES],
+void curve448_scalar_encode(unsigned char ser[C448_SCALAR_BYTES],
                             const curve448_scalar_t s)
 {
     unsigned int i, j, k = 0;
 
-    for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+    for (i = 0; i < C448_SCALAR_LIMBS; i++) {
         for (j = 0; j < sizeof(c448_word_t); j++, k++)
             ser[k] = s->limb[i] >> (8 * j);
     }
@@ -224,12 +224,12 @@ void curve448_scalar_halve(curve448_scalar_t out, const curve448_scalar_t a)
     c448_word_t mask = -(a->limb[0] & 1);
     c448_dword_t chain = 0;
     unsigned int i;
-    for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+    for (i = 0; i < C448_SCALAR_LIMBS; i++) {
         chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
         out->limb[i] = chain;
         chain >>= C448_WORD_BITS;
     }
-    for (i = 0; i < C448_448_SCALAR_LIMBS - 1; i++)
+    for (i = 0; i < C448_SCALAR_LIMBS - 1; i++)
         out->limb[i] = out->limb[i] >> 1 | out->limb[i + 1] << (WBITS - 1);
     out->limb[i] = out->limb[i] >> 1 | chain << (WBITS - 1);
 }