From: Matt Caswell Date: Thu, 18 Jan 2018 12:55:23 +0000 (+0000) Subject: Convert to C90 from C99 X-Git-Tag: OpenSSL_1_1_1-pre2~100 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=094c071cbf3bca19eee73ccb8dfc0f7498f5d8e1 Convert to C90 from C99 Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/5105) --- diff --git a/crypto/ec/curve448/arch_32/f_impl.c b/crypto/ec/curve448/arch_32/f_impl.c index 0770bd9962..8e4250bb60 100644 --- a/crypto/ec/curve448/arch_32/f_impl.c +++ b/crypto/ec/curve448/arch_32/f_impl.c @@ -69,15 +69,14 @@ void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) { } void gf_mulw_unsigned (gf_s *__restrict__ cs, const gf as, uint32_t b) { - assert(b<1<<28); - const uint32_t *a = as->limb; uint32_t *c = cs->limb; - uint64_t accum0 = 0, accum8 = 0; - uint32_t mask = (1ull<<28)-1; - + uint32_t mask = (1<<28)-1; int i; + + assert(b<1<<28); + FOR_LIMB(i,0,8,{ accum0 += widemul(b, a[i]); accum8 += widemul(b, a[i+8]); diff --git a/crypto/ec/curve448/arch_32/f_impl.h b/crypto/ec/curve448/arch_32/f_impl.h index c3687888c0..f1be6386c2 100644 --- a/crypto/ec/curve448/arch_32/f_impl.h +++ b/crypto/ec/curve448/arch_32/f_impl.h @@ -3,36 +3,44 @@ */ #define GF_HEADROOM 2 -#define LIMB(x) (x##ull)&((1ull<<28)-1), (x##ull)>>28 +#define LIMB(x) (x)&((1<<28)-1), (x)>>28 #define FIELD_LITERAL(a,b,c,d,e,f,g,h) \ {{LIMB(a),LIMB(b),LIMB(c),LIMB(d),LIMB(e),LIMB(f),LIMB(g),LIMB(h)}} #define LIMB_PLACE_VALUE(i) 28 void gf_add_RAW (gf out, const gf a, const gf b) { - for (unsigned int i=0; ilimb[0]); i++) { + unsigned int i; + + for (i=0; ilimb[0]); i++) { out->limb[i] = a->limb[i] + b->limb[i]; } } void gf_sub_RAW (gf out, const gf a, const gf b) { - for (unsigned int i=0; ilimb[0]); i++) { + unsigned int i; + + for (i=0; ilimb[0]); i++) { out->limb[i] = a->limb[i] - b->limb[i]; } } -void gf_bias (gf a, int amt) { - uint32_t co1 = ((1ull<<28)-1)*amt, co2 = co1-amt; - for (unsigned int i=0; ilimb[0]); i++) { +void gf_bias (gf a, int amt) { + unsigned int i; + uint32_t co1 = ((1<<28)-1)*amt, co2 = co1-amt; + + for (i=0; ilimb[0]); i++) { a->limb[i] += (i==sizeof(*a)/sizeof(a->limb[0])/2) ? co2 : co1; } } void gf_weak_reduce (gf a) { - uint32_t mask = (1ull<<28) - 1; + uint32_t mask = (1<<28) - 1; uint32_t tmp = a->limb[15] >> 28; + unsigned int i; + a->limb[8] += tmp; - for (unsigned int i=15; i>0; i--) { + for (i=15; i>0; i--) { a->limb[i] = (a->limb[i] & mask) + (a->limb[i-1]>>28); } a->limb[0] = (a->limb[0] & mask) + tmp; diff --git a/crypto/ec/curve448/constant_time.h b/crypto/ec/curve448/constant_time.h index 41cd404d3c..f8c02e7e82 100644 --- a/crypto/ec/curve448/constant_time.h +++ b/crypto/ec/curve448/constant_time.h @@ -149,6 +149,8 @@ constant_time_lookup ( memset(out, 0, elem_bytes); for (j=0; j= sizeof(word_t)) { for (; k<=elem_bytes-sizeof(word_t); k+=sizeof(word_t)) { if (elem_bytes % sizeof(word_t)) { @@ -203,11 +205,11 @@ constant_time_select ( unsigned char *a = (unsigned char *)a_; const unsigned char *bTrue = (const unsigned char *)bTrue_; const unsigned char *bFalse = (const unsigned char *)bFalse_; + word_t k; + big_register_t br_mask = br_set_to_mask(mask); alignment_bytes |= elem_bytes; - word_t k; - big_register_t br_mask = br_set_to_mask(mask); for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) { if (alignment_bytes % sizeof(big_register_t)) { /* unaligned */ diff --git a/crypto/ec/curve448/curve448.c b/crypto/ec/curve448/curve448.c index d5b684b3bd..37d3972b45 100644 --- a/crypto/ec/curve448/curve448.c +++ b/crypto/ec/curve448/curve448.c @@ -36,11 +36,6 @@ static const curve448_scalar_t precomputed_scalarmul_adjustment = {{{ const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] = { 0x05 }; -#define RISTRETTO_FACTOR DECAF_448_RISTRETTO_FACTOR -const gf RISTRETTO_FACTOR = {{{ - 0x42ef0f45572736, 0x7bf6aa20ce5296, 0xf4fd6eded26033, 0x968c14ba839a66, 0xb8d54b64a2d780, 0x6aa0a1f1a7b8a5, 0x683bf68d722fa2, 0x22d962fbeb24f7 -}}}; - #define TWISTED_D ((EDWARDS_D)-1) @@ -65,13 +60,15 @@ const curve448_precomputed_s *curve448_precomputed_base = /** Inverse. */ static void gf_invert(gf y, const gf x, int assert_nonzero) { + mask_t ret; + gf t1, t2; - gf_sqr(t1, x); // o^2 - mask_t ret = gf_isr(t2, t1); // +-1/sqrt(o^2) = +-1/o + gf_sqr(t1, x); /* o^2 */ + ret = gf_isr(t2, t1); /* +-1/sqrt(o^2) = +-1/o */ (void)ret; if (assert_nonzero) assert(ret); gf_sqr(t1, t2); - gf_mul(t2, t1, x); // not direct to y in case of alias. + gf_mul(t2, t1, x); /* not direct to y in case of alias. */ gf_copy(y, t2); } @@ -219,11 +216,13 @@ sub_pniels_from_pt ( } decaf_bool_t curve448_point_eq ( const curve448_point_t p, const curve448_point_t q ) { + mask_t succ; + /* equality mod 2-torsion compares x/y */ gf a, b; gf_mul ( a, p->y, q->x ); gf_mul ( b, q->y, p->x ); - mask_t succ = gf_eq(a,b); + succ = gf_eq(a,b); return mask_to_bool(succ); } @@ -231,10 +230,12 @@ decaf_bool_t curve448_point_eq ( const curve448_point_t p, const curve448_point_ decaf_bool_t curve448_point_valid ( const curve448_point_t p ) { + mask_t out; + gf a,b,c; gf_mul(a,p->x,p->y); gf_mul(b,p->z,p->t); - mask_t out = gf_eq(a,b); + out = gf_eq(a,b); gf_sqr(a,p->x); gf_sqr(b,p->y); gf_sub(a,b,a); @@ -265,18 +266,18 @@ void curve448_precomputed_scalarmul ( int i; unsigned j,k; const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S; + niels_t ni; curve448_scalar_t scalar1x; curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment); curve448_scalar_halve(scalar1x,scalar1x); - niels_t ni; - for (i=s-1; i>=0; i--) { if (i != (int)s-1) point_double_internal(out,out,0); for (j=0; j>(t-1))-1; + invert = (tab>>(t-1))-1; tab ^= invert; tab &= (1<<(t-1)) - 1; @@ -356,12 +357,15 @@ decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio ( const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES] ) { uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES]; + mask_t low; + mask_t succ; + memcpy(enc2,enc,sizeof(enc2)); - mask_t low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] & 0x80); + low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] & 0x80); enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] &= ~0x80; - mask_t succ = gf_deserialize(p->y, enc2, 1, 0); + succ = gf_deserialize(p->y, enc2, 1, 0); #if 0 == 0 succ &= word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1]); #endif @@ -413,23 +417,25 @@ decaf_error_t decaf_x448 ( const uint8_t scalar[X_PRIVATE_BYTES] ) { gf x1, x2, z2, x3, z3, t1, t2; + int t; + mask_t swap = 0; + mask_t nz; + ignore_result(gf_deserialize(x1,base,1,0)); gf_copy(x2,ONE); gf_copy(z2,ZERO); gf_copy(x3,x1); gf_copy(z3,ONE); - int t; - mask_t swap = 0; - for (t = X_PRIVATE_BITS-1; t>=0; t--) { uint8_t sb = scalar[t/8]; + mask_t k_t; /* Scalar conditioning */ if (t/8==0) sb &= -(uint8_t)COFACTOR; else if (t == X_PRIVATE_BITS-1) sb = -1; - mask_t k_t = (sb>>(t%8)) & 1; + k_t = (sb>>(t%8)) & 1; k_t = -k_t; /* set to all 0s or all 1s */ swap ^= k_t; @@ -465,7 +471,7 @@ decaf_error_t decaf_x448 ( gf_invert(z2,z2,0); gf_mul(x1,x2,z2); gf_serialize(out,x1,1); - mask_t nz = ~gf_eq(x1,ZERO); + nz = ~gf_eq(x1,ZERO); OPENSSL_cleanse(x1,sizeof(x1)); OPENSSL_cleanse(x2,sizeof(x2)); @@ -525,20 +531,22 @@ void decaf_x448_derive_public_key ( ) { /* Scalar conditioning */ uint8_t scalar2[X_PRIVATE_BYTES]; + curve448_scalar_t the_scalar; + curve448_point_t p; + unsigned int i; + memcpy(scalar2,scalar,sizeof(scalar2)); scalar2[0] &= -(uint8_t)COFACTOR; scalar2[X_PRIVATE_BYTES-1] &= ~(-1u<<((X_PRIVATE_BITS+7)%8)); scalar2[X_PRIVATE_BYTES-1] |= 1<<((X_PRIVATE_BITS+7)%8); - curve448_scalar_t the_scalar; curve448_scalar_decode_long(the_scalar,scalar2,sizeof(scalar2)); /* Compensate for the encoding ratio */ - for (unsigned i=1; ilimb[0] & 0xFFFF; + uint32_t mask = (1<<(table_bits+1))-1; + unsigned int w; + const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2; + unsigned int n, i; + /* place the end marker */ control[position].power = -1; control[position].addend = 0; @@ -569,12 +582,7 @@ static int recode_wnaf ( * in the actual code that uses it, all for an expected reduction of like 1/5 op. * Probably not worth it. */ - - uint64_t current = scalar->limb[0] & 0xFFFF; - uint32_t mask = (1<<(table_bits+1))-1; - unsigned int w; - const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2; for (w = 1; w<(DECAF_448_SCALAR_BITS-1)/16+3; w++) { if (w < (DECAF_448_SCALAR_BITS-1)/16+1) { /* Refill the 16 high bits of current */ @@ -582,9 +590,10 @@ static int recode_wnaf ( } while (current & 0xFFFF) { - assert(position >= 0); uint32_t pos = __builtin_ctz((uint32_t)current), odd = (uint32_t)current >> pos; int32_t delta = odd & mask; + + assert(position >= 0); if (odd & 1<<(table_bits+1)) delta -= (1<<(table_bits+1)); current -= delta << pos; control[position].power = pos + 16*(w-1); @@ -596,8 +605,7 @@ static int recode_wnaf ( assert(current==0); position++; - unsigned int n = table_size - position; - unsigned int i; + n = table_size - position; for (i=0; i>1; + /* Blarg */ secret_scalar_ser[0] &= -COFACTOR; - uint8_t hibit = (1<<0)>>1; if (hibit == 0) { secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0; secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; @@ -82,10 +83,10 @@ static decaf_error_t hash_init_with_dom( size_t context_len ) { const char *dom_s = "SigEd448"; - const uint8_t dom[2] = { - 2 + word_is_zero(prehashed) + word_is_zero(for_prehash), - (uint8_t)context_len - }; + uint8_t dom[2]; + + dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash); + dom[1] = (uint8_t)context_len; if (context_len > UINT8_MAX) return DECAF_FAILURE; @@ -130,14 +131,16 @@ decaf_error_t decaf_ed448_derive_public_key ( ) { /* only this much used for keygen */ uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]; - + curve448_scalar_t secret_scalar; + unsigned int c; + curve448_point_t p; + if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey, DECAF_EDDSA_448_PRIVATE_BYTES)) { return DECAF_FAILURE; } clamp(secret_scalar_ser); - - curve448_scalar_t secret_scalar; + curve448_scalar_decode_long(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser)); /* Since we are going to mul_by_cofactor during encoding, divide by it here. @@ -146,11 +149,10 @@ decaf_error_t decaf_ed448_derive_public_key ( * the decaf base point is on Etwist_d, and when converted it effectively * picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1. */ - for (unsigned int c=1; climb[LIMBPERM(j)]) << fill; fill += LIMB_PLACE_VALUE(LIMBPERM(j)); @@ -60,7 +62,10 @@ mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, ui dword_t buffer = 0; dsword_t scarry = 0; const unsigned nbytes = with_hibit ? X_SER_BYTES : SER_BYTES; - UNROLL for (unsigned int i=0; i>= LIMB_PLACE_VALUE(LIMBPERM(i)); scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t)); } - mask_t succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x); + succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x); return succ & word_is_zero(buffer) & ~word_is_zero(scarry); } /** Reduce to canonical form. */ void gf_strong_reduce (gf a) { + dsword_t scarry; + word_t scarry_0; + dword_t carry = 0; + unsigned int i; + /* first, clear high */ gf_weak_reduce(a); /* Determined to have negligible perf impact. */ /* now the total is less than 2p */ /* compute total_value - p. No need to reduce mod p. */ - dsword_t scarry = 0; - for (unsigned int i=0; ilimb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]; a->limb[LIMBPERM(i)] = scarry & LIMB_MASK(LIMBPERM(i)); scarry >>= LIMB_PLACE_VALUE(LIMBPERM(i)); @@ -98,11 +108,10 @@ void gf_strong_reduce (gf a) { */ assert(word_is_zero(scarry) | word_is_zero(scarry+1)); - word_t scarry_0 = scarry; - dword_t carry = 0; + scarry_0 = scarry; /* add it back */ - for (unsigned int i=0; ilimb[LIMBPERM(i)] + (scarry_0 & MODULUS->limb[LIMBPERM(i)]); a->limb[LIMBPERM(i)] = carry & LIMB_MASK(LIMBPERM(i)); carry >>= LIMB_PLACE_VALUE(LIMBPERM(i)); @@ -127,10 +136,13 @@ void gf_add (gf d, const gf a, const gf b) { /** Compare a==b */ mask_t gf_eq(const gf a, const gf b) { gf c; + mask_t ret=0; + unsigned int i; + gf_sub(c,a,b); gf_strong_reduce(c); - mask_t ret=0; - for (unsigned int i=0; ilimb[LIMBPERM(i)]; } diff --git a/crypto/ec/curve448/field.h b/crypto/ec/curve448/field.h index 672ee3623e..1b64b47eac 100644 --- a/crypto/ec/curve448/field.h +++ b/crypto/ec/curve448/field.h @@ -39,21 +39,21 @@ static ossl_inline void gf_sqrn ( #define gf_add_nr gf_add_RAW /** Subtract mod p. Bias by 2 and don't reduce */ -static inline void gf_sub_nr ( gf c, const gf a, const gf b ) { +static ossl_inline void gf_sub_nr ( gf c, const gf a, const gf b ) { gf_sub_RAW(c,a,b); gf_bias(c, 2); if (GF_HEADROOM < 3) gf_weak_reduce(c); } /** Subtract mod p. Bias by amt but don't reduce. */ -static inline void gf_subx_nr ( gf c, const gf a, const gf b, int amt ) { +static ossl_inline void gf_subx_nr ( gf c, const gf a, const gf b, int amt ) { gf_sub_RAW(c,a,b); gf_bias(c, amt); if (GF_HEADROOM < amt+1) gf_weak_reduce(c); } /** Mul by signed int. Not constant-time WRT the sign of that int. */ -static inline void gf_mulw(gf c, const gf a, int32_t w) { +static ossl_inline void gf_mulw(gf c, const gf a, int32_t w) { if (w>0) { gf_mulw_unsigned(c, a, w); } else { @@ -63,19 +63,19 @@ static inline void gf_mulw(gf c, const gf a, int32_t w) { } /** Constant time, x = is_z ? z : y */ -static inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) { +static ossl_inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) { constant_time_select(x,y,z,sizeof(gf),is_z,0); } /** Constant time, if (neg) x=-x; */ -static inline void gf_cond_neg(gf x, mask_t neg) { +static ossl_inline void gf_cond_neg(gf x, mask_t neg) { gf y; gf_sub(y,ZERO,x); gf_cond_sel(x,x,y,neg); } /** Constant time, if (swap) (x,y) = (y,x); */ -static inline void +static ossl_inline void gf_cond_swap(gf x, gf_s *__restrict__ y, mask_t swap) { constant_time_cond_swap(x,y,sizeof(gf_s),swap); } @@ -89,4 +89,4 @@ static ossl_inline void gf_div_qnr(gf_s *__restrict__ out, const gf x) { } -#endif // __GF_H__ +#endif /* __GF_H__ */ diff --git a/crypto/ec/curve448/point_448.h b/crypto/ec/curve448/point_448.h index b2ccf5a8ad..4be7027b2b 100644 --- a/crypto/ec/curve448/point_448.h +++ b/crypto/ec/curve448/point_448.h @@ -182,7 +182,7 @@ void curve448_scalar_halve ( * @param [in] a A scalar. * @param [out] out Will become a copy of a. */ -static inline void curve448_scalar_copy ( +static ossl_inline void curve448_scalar_copy ( curve448_scalar_t out, const curve448_scalar_t a ) { @@ -196,7 +196,7 @@ static inline void curve448_scalar_copy ( * @param [out] a A copy of the point. * @param [in] b Any point. */ -static inline void curve448_point_copy ( +static ossl_inline void curve448_point_copy ( curve448_point_t a, const curve448_point_t b ) { diff --git a/crypto/ec/curve448/scalar.c b/crypto/ec/curve448/scalar.c index 967b1a60e3..e7dfca5a5d 100644 --- a/crypto/ec/curve448/scalar.c +++ b/crypto/ec/curve448/scalar.c @@ -17,7 +17,7 @@ #include "constant_time.h" #include "point_448.h" -static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5ull; +static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5; static const curve448_scalar_t sc_p = {{{ SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff) }}}, sc_r2 = {{{ @@ -41,12 +41,14 @@ static void sc_subx( ) { decaf_dsword_t chain = 0; unsigned int i; + decaf_word_t borrow; + for (i=0; ilimb[i]; out->limb[i] = chain; chain >>= WBITS; } - decaf_word_t borrow = chain+extra; /* = 0 or -1 */ + borrow = chain+extra; /* = 0 or -1 */ chain = 0; for (i=0; ilimb[i] - sc_p->limb[i]) >> WBITS; } @@ -169,13 +172,13 @@ void curve448_scalar_decode_long( const unsigned char *ser, size_t ser_len ) { + size_t i; + curve448_scalar_t t1, t2; + if (ser_len == 0) { curve448_scalar_copy(s, curve448_scalar_zero); return; } - - size_t i; - curve448_scalar_t t1, t2; i = ser_len - (ser_len%DECAF_448_SCALAR_BYTES); if (i==ser_len) i -= DECAF_448_SCALAR_BYTES; diff --git a/crypto/ec/curve448/word.h b/crypto/ec/curve448/word.h index c70d413ffe..9f62654b6e 100644 --- a/crypto/ec/curve448/word.h +++ b/crypto/ec/curve448/word.h @@ -51,9 +51,9 @@ /* Scalar limbs are keyed off of the API word size instead of the arch word size. */ #if DECAF_WORD_BITS == 64 - #define SC_LIMB(x) (x##ull) + #define SC_LIMB(x) (x) #elif DECAF_WORD_BITS == 32 - #define SC_LIMB(x) ((uint32_t)x##ull),(x##ull>>32) + #define SC_LIMB(x) ((uint32_t)x),(x>>32) #else #error "For now, libdecaf only supports 32- and 64-bit architectures." #endif @@ -192,9 +192,11 @@ static ossl_inline decaf_bool_t mask_to_bool (mask_t m) { static ossl_inline mask_t bool_to_mask (decaf_bool_t m) { /* On most arches this will be optimized to a simple cast. */ mask_t ret = 0; + unsigned int i; + unsigned int limit = sizeof(decaf_bool_t)/sizeof(mask_t); if (limit < 1) limit = 1; - for (unsigned int i=0; i> (i*8*sizeof(word_t))); } return ret;