-/*
- * f25519.c: arithmetic modulo 2^255 - 19
- */
-/*
- * This file is Free Software. It has been modified to as part of its
- * incorporation into secnet.
- *
- * Copyright 2017 Mark Wooding
- *
- * You may redistribute this file and/or modify it under the terms of
- * the permissive licence shown below.
- *
- * You may redistribute secnet as a whole and/or modify it under the
- * terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 3, or (at your option) any
- * later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see
- * https://www.gnu.org/licenses/gpl.html.
- */
-/*
- * Imported from Catacomb, and modified for Secnet (2017-04-30):
- *
- * * Use `fake-mLib-bits.h' in place of the real <mLib/bits.h>.
- *
- * * Remove the 16/32-bit implementation, since C99 always has 64-bit
- * arithmetic.
- *
- * * Remove the test rig code: a replacement is in a separate source file.
- *
- * * Disable some of the operations which aren't needed for X25519.
- * (They're used for Ed25519, which we don't need.)
- *
- * The file's original comment headers are preserved below.
- */
/* -*-c-*-
*
* Arithmetic modulo 2^255 - 19
/*----- Licensing notice --------------------------------------------------*
*
- * This file is part of Catacomb.
+ * This file is part of secnet.
+ * See README for full list of copyright holders.
+ *
+ * secnet is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version d of the License, or
+ * (at your option) any later version.
+ *
+ * secnet is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 3 along with secnet; if not, see
+ * https://www.gnu.org/licenses/gpl.html.
+ *
+ * This file was originally part of Catacomb, but has been automatically
+ * modified for incorporation into secnet: see `import-catacomb-crypto'
+ * for details.
*
* Catacomb is free software; you can redistribute it and/or modify
* it under the terms of the GNU Library General Public License as
void f25519_load(f25519 *z, const octet xv[32])
{
+
uint32 xw0 = LOAD32_L(xv + 0), xw1 = LOAD32_L(xv + 4),
xw2 = LOAD32_L(xv + 8), xw3 = LOAD32_L(xv + 12),
xw4 = LOAD32_L(xv + 16), xw5 = LOAD32_L(xv + 20),
void f25519_store(octet zv[32], const f25519 *x)
{
+
piece PIECES(x), PIECES(y), c, d;
uint32 zw0, zw1, zw2, zw3, zw4, zw5, zw6, zw7;
mask32 m;
z->P[8] = x->P[8] - y->P[8]; z->P[9] = x->P[9] - y->P[9];
}
-#ifndef F25519_TRIM_X25519
-
/* --- @f25519_neg@ --- *
*
* Arguments: @f25519 *z@ = where to put the result (may alias @x@)
z->P[8] = -x->P[8]; z->P[9] = -x->P[9];
}
-#endif
-
/*----- Constant-time utilities -------------------------------------------*/
-#ifndef F25519_TRIM_X25519
-
/* --- @f25519_pick2@ --- *
*
* Arguments: @f25519 *z@ = where to put the result (may alias @x@ or @y@)
}
}
-#endif
-
/* --- @f25519_condswap@ --- *
*
* Arguments: @f25519 *x, *y@ = two operands
CONDSWAP(x->P[9], y->P[9], mm);
}
-#ifndef F25519_TRIM_X25519
-
/* --- @f25519_condneg@ --- *
*
* Arguments: @f25519 *z@ = where to put the result (may alias @x@)
#undef CONDNEG
}
-#endif
-
/*----- Multiplication ----------------------------------------------------*/
/* Let B = 2^63 - 1 be the largest value such that +B and -B can be
void f25519_mulconst(f25519 *z, const f25519 *x, long a)
{
+
piece PIECES(x);
dblpiece PIECES(z), aa = a;
void f25519_mul(f25519 *z, const f25519 *x, const f25519 *y)
{
+
piece PIECES(x), PIECES(y);
dblpiece PIECES(z);
unsigned i;
void f25519_sqr(f25519 *z, const f25519 *x)
{
+
piece PIECES(x);
dblpiece PIECES(z);
unsigned i;
#undef SQRN
}
-#ifndef F25519_TRIM_X25519
-
/* --- @f25519_quosqrt@ --- *
*
* Arguments: @f25519 *z@ = where to put the result (may alias @x@ or @y@)
*/
static const piece sqrtm1_pieces[NPIECE] = {
-#if F25519_IMPL == 26
-32595792, -7943725, 9377950, 3500415, 12389472,
-272473, -25146209, -2005654, 326686, 11406482
-#elif F25519_IMPL == 10
- 176, -88, 161, 157, -485, -196, -231, -220, -416,
- -169, -255, 50, 189, -89, -266, -32, 202, -511,
- 423, 357, 248, -249, 80, 288, 50, 174
-#endif
};
#define SQRTM1 ((const f25519 *)sqrtm1_pieces)
f25519_store(b1, &u);
f25519_mul(&u, &beta, SQRTM1);
- m = -ct_memeq(b0, xb, 32);
+ m = -consttime_memeq(b0, xb, 32);
rc = PICK2(0, rc, m);
f25519_pick2(z, &beta, &u, m);
- m = -ct_memeq(b1, xb, 32);
+ m = -consttime_memeq(b1, xb, 32);
rc = PICK2(0, rc, m);
/* And we're done. */
return (rc);
}
-#endif
-
/*----- That's all, folks -------------------------------------------------*/
~mdw / secnet / blobdiff