diff options
Diffstat (limited to 'src/crypto/fipsmodule/ec/p256-x86_64.c')
-rw-r--r-- | src/crypto/fipsmodule/ec/p256-x86_64.c | 118 |
1 files changed, 59 insertions, 59 deletions
diff --git a/src/crypto/fipsmodule/ec/p256-x86_64.c b/src/crypto/fipsmodule/ec/p256-x86_64.c index de80dca0..8b516773 100644 --- a/src/crypto/fipsmodule/ec/p256-x86_64.c +++ b/src/crypto/fipsmodule/ec/p256-x86_64.c @@ -12,13 +12,13 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* Developers and authors: - * Shay Gueron (1, 2), and Vlad Krasnov (1) - * (1) Intel Corporation, Israel Development Center - * (2) University of Haifa - * Reference: - * S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with - * 256 Bit Primes" */ +// Developers and authors: +// Shay Gueron (1, 2), and Vlad Krasnov (1) +// (1) Intel Corporation, Israel Development Center +// (2) University of Haifa +// Reference: +// S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with +// 256 Bit Primes" #include <openssl/ec.h> @@ -42,16 +42,16 @@ typedef P256_POINT_AFFINE PRECOMP256_ROW[64]; -/* One converted into the Montgomery domain */ +// One converted into the Montgomery domain static const BN_ULONG ONE[P256_LIMBS] = { TOBN(0x00000000, 0x00000001), TOBN(0xffffffff, 0x00000000), TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0xfffffffe), }; -/* Precomputed tables for the default generator */ +// Precomputed tables for the default generator #include "p256-x86_64-table.h" -/* Recode window to a signed digit, see util-64.c for details */ +// Recode window to a signed digit, see util-64.c for details static unsigned booth_recode_w5(unsigned in) { unsigned s, d; @@ -74,11 +74,11 @@ static unsigned booth_recode_w7(unsigned in) { return (d << 1) + (s & 1); } -/* copy_conditional copies |src| to |dst| if |move| is one and leaves it as-is - * if |move| is zero. - * - * WARNING: this breaks the usual convention of constant-time functions - * returning masks. */ +// copy_conditional copies |src| to |dst| if |move| is one and leaves it as-is +// if |move| is zero. +// +// WARNING: this breaks the usual convention of constant-time functions +// returning masks. static void copy_conditional(BN_ULONG dst[P256_LIMBS], const BN_ULONG src[P256_LIMBS], BN_ULONG move) { BN_ULONG mask1 = ((BN_ULONG)0) - move; @@ -96,32 +96,32 @@ static void copy_conditional(BN_ULONG dst[P256_LIMBS], } } -/* is_not_zero returns one iff in != 0 and zero otherwise. - * - * WARNING: this breaks the usual convention of constant-time functions - * returning masks. - * - * (define-fun is_not_zero ((in (_ BitVec 64))) (_ BitVec 64) - * (bvlshr (bvor in (bvsub #x0000000000000000 in)) #x000000000000003f) - * ) - * - * (declare-fun x () (_ BitVec 64)) - * - * (assert (and (= x #x0000000000000000) (= (is_not_zero x) #x0000000000000001))) - * (check-sat) - * - * (assert (and (not (= x #x0000000000000000)) (= (is_not_zero x) #x0000000000000000))) - * (check-sat) - * */ +// is_not_zero returns one iff in != 0 and zero otherwise. +// +// WARNING: this breaks the usual convention of constant-time functions +// returning masks. +// +// (define-fun is_not_zero ((in (_ BitVec 64))) (_ BitVec 64) +// (bvlshr (bvor in (bvsub #x0000000000000000 in)) #x000000000000003f) +// ) +// +// (declare-fun x () (_ BitVec 64)) +// +// (assert (and (= x #x0000000000000000) (= (is_not_zero x) #x0000000000000001))) +// (check-sat) +// +// (assert (and (not (= x #x0000000000000000)) (= (is_not_zero x) #x0000000000000000))) +// (check-sat) +// static BN_ULONG is_not_zero(BN_ULONG in) { in |= (0 - in); in >>= BN_BITS2 - 1; return in; } -/* ecp_nistz256_mod_inverse_mont sets |r| to (|in| * 2^-256)^-1 * 2^256 mod p. - * That is, |r| is the modular inverse of |in| for input and output in the - * Montgomery domain. */ +// ecp_nistz256_mod_inverse_mont sets |r| to (|in| * 2^-256)^-1 * 2^256 mod p. +// That is, |r| is the modular inverse of |in| for input and output in the +// Montgomery domain. static void ecp_nistz256_mod_inverse_mont(BN_ULONG r[P256_LIMBS], const BN_ULONG in[P256_LIMBS]) { /* The poly is ffffffff 00000001 00000000 00000000 00000000 ffffffff ffffffff @@ -136,29 +136,29 @@ static void ecp_nistz256_mod_inverse_mont(BN_ULONG r[P256_LIMBS], int i; ecp_nistz256_sqr_mont(res, in); - ecp_nistz256_mul_mont(p2, res, in); /* 3*p */ + ecp_nistz256_mul_mont(p2, res, in); // 3*p ecp_nistz256_sqr_mont(res, p2); ecp_nistz256_sqr_mont(res, res); - ecp_nistz256_mul_mont(p4, res, p2); /* f*p */ + ecp_nistz256_mul_mont(p4, res, p2); // f*p ecp_nistz256_sqr_mont(res, p4); ecp_nistz256_sqr_mont(res, res); ecp_nistz256_sqr_mont(res, res); ecp_nistz256_sqr_mont(res, res); - ecp_nistz256_mul_mont(p8, res, p4); /* ff*p */ + ecp_nistz256_mul_mont(p8, res, p4); // ff*p ecp_nistz256_sqr_mont(res, p8); for (i = 0; i < 7; i++) { ecp_nistz256_sqr_mont(res, res); } - ecp_nistz256_mul_mont(p16, res, p8); /* ffff*p */ + ecp_nistz256_mul_mont(p16, res, p8); // ffff*p ecp_nistz256_sqr_mont(res, p16); for (i = 0; i < 15; i++) { ecp_nistz256_sqr_mont(res, res); } - ecp_nistz256_mul_mont(p32, res, p16); /* ffffffff*p */ + ecp_nistz256_mul_mont(p32, res, p16); // ffffffff*p ecp_nistz256_sqr_mont(res, p32); for (i = 0; i < 31; i++) { @@ -201,8 +201,8 @@ static void ecp_nistz256_mod_inverse_mont(BN_ULONG r[P256_LIMBS], ecp_nistz256_mul_mont(r, res, in); } -/* ecp_nistz256_bignum_to_field_elem copies the contents of |in| to |out| and - * returns one if it fits. Otherwise it returns zero. */ +// ecp_nistz256_bignum_to_field_elem copies the contents of |in| to |out| and +// returns one if it fits. Otherwise it returns zero. static int ecp_nistz256_bignum_to_field_elem(BN_ULONG out[P256_LIMBS], const BIGNUM *in) { if (in->top > P256_LIMBS) { @@ -214,7 +214,7 @@ static int ecp_nistz256_bignum_to_field_elem(BN_ULONG out[P256_LIMBS], return 1; } -/* r = p * p_scalar */ +// r = p * p_scalar static int ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r, const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) { @@ -224,9 +224,9 @@ static int ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r, static const unsigned kWindowSize = 5; static const unsigned kMask = (1 << (5 /* kWindowSize */ + 1)) - 1; - /* A |P256_POINT| is (3 * 32) = 96 bytes, and the 64-byte alignment should - * add no more than 63 bytes of overhead. Thus, |table| should require - * ~1599 ((96 * 16) + 63) bytes of stack space. */ + // A |P256_POINT| is (3 * 32) = 96 bytes, and the 64-byte alignment should + // add no more than 63 bytes of overhead. Thus, |table| should require + // ~1599 ((96 * 16) + 63) bytes of stack space. alignas(64) P256_POINT table[16]; uint8_t p_str[33]; @@ -279,9 +279,9 @@ static int ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r, p_str[j] = 0; } - /* table[0] is implicitly (0,0,0) (the point at infinity), therefore it is - * not stored. All other values are actually stored with an offset of -1 in - * table. */ + // table[0] is implicitly (0,0,0) (the point at infinity), therefore it is + // not stored. All other values are actually stored with an offset of -1 in + // table. P256_POINT *row = table; if (!ecp_nistz256_bignum_to_field_elem(row[1 - 1].X, &p->X) || @@ -341,7 +341,7 @@ static int ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r, ecp_nistz256_point_double(r, r); } - /* Final window */ + // Final window wvalue = p_str[0]; wvalue = (wvalue << 1) & kMask; @@ -426,7 +426,7 @@ static int ecp_nistz256_points_mul( p_str[i] = 0; } - /* First window */ + // First window unsigned wvalue = (p_str[0] << 1) & kMask; unsigned index = kWindowSize; @@ -439,9 +439,9 @@ static int ecp_nistz256_points_mul( ecp_nistz256_neg(p.p.Z, p.p.Y); copy_conditional(p.p.Y, p.p.Z, wvalue & 1); - /* Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p| - * is infinity and |ONE| otherwise. |p| was computed from the table, so it - * is infinity iff |wvalue >> 1| is zero. */ + // Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p| + // is infinity and |ONE| otherwise. |p| was computed from the table, so it + // is infinity iff |wvalue >> 1| is zero. OPENSSL_memset(p.p.Z, 0, sizeof(p.p.Z)); copy_conditional(p.p.Z, ONE, is_not_zero(wvalue >> 1)); @@ -478,7 +478,7 @@ static int ecp_nistz256_points_mul( } } - /* Not constant-time, but we're only operating on the public output. */ + // Not constant-time, but we're only operating on the public output. if (!bn_set_words(&r->X, p.p.X, P256_LIMBS) || !bn_set_words(&r->Y, p.p.Y, P256_LIMBS) || !bn_set_words(&r->Z, p.p.Z, P256_LIMBS)) { @@ -516,10 +516,10 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group, const EC_POINT *point, ecp_nistz256_mod_inverse_mont(z_inv3, point_z); ecp_nistz256_sqr_mont(z_inv2, z_inv3); - /* Instead of using |ecp_nistz256_from_mont| to convert the |x| coordinate - * and then calling |ecp_nistz256_from_mont| again to convert the |y| - * coordinate below, convert the common factor |z_inv2| once now, saving one - * reduction. */ + // Instead of using |ecp_nistz256_from_mont| to convert the |x| coordinate + // and then calling |ecp_nistz256_from_mont| again to convert the |y| + // coordinate below, convert the common factor |z_inv2| once now, saving one + // reduction. ecp_nistz256_from_mont(z_inv2, z_inv2); if (x != NULL) { |