Coverage Report

Created: 2025-06-13 06:58

/src/openssl32/crypto/ec/curve448/field.h
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright 2014 Cryptography Research, Inc.
4
 *
5
 * Licensed under the Apache License 2.0 (the "License").  You may not use
6
 * this file except in compliance with the License.  You can obtain a copy
7
 * in the file LICENSE in the source distribution or at
8
 * https://www.openssl.org/source/license.html
9
 *
10
 * Originally written by Mike Hamburg
11
 */
12
13
#ifndef OSSL_CRYPTO_EC_CURVE448_FIELD_H
14
# define OSSL_CRYPTO_EC_CURVE448_FIELD_H
15
16
# include "internal/constant_time.h"
17
# include <string.h>
18
# include <assert.h>
19
# include "word.h"
20
21
5.31M
# define NLIMBS (64/sizeof(word_t))
22
6.89k
# define X_SER_BYTES 56
23
131
# define SER_BYTES 56
24
25
# if defined(__GNUC__) || defined(__clang__)
26
#  define INLINE_UNUSED __inline__ __attribute__((__unused__,__always_inline__))
27
#  define RESTRICT __restrict__
28
#  define ALIGNED __attribute__((__aligned__(16)))
29
# else
30
#  define INLINE_UNUSED ossl_inline
31
#  define RESTRICT
32
#  define ALIGNED
33
# endif
34
35
typedef struct gf_s {
36
    word_t limb[NLIMBS];
37
} ALIGNED gf_s, gf[1];
38
39
/* RFC 7748 support */
40
156
# define X_PUBLIC_BYTES  X_SER_BYTES
41
156
# define X_PRIVATE_BYTES X_PUBLIC_BYTES
42
5.88k
# define X_PRIVATE_BITS  448
43
44
static INLINE_UNUSED void gf_copy(gf out, const gf a)
45
5.25k
{
46
5.25k
    *out = *a;
47
5.25k
}
curve448.c:gf_copy
Line
Count
Source
45
4.75k
{
46
4.75k
    *out = *a;
47
4.75k
}
Unexecuted instantiation: curve448_tables.c:gf_copy
Unexecuted instantiation: eddsa.c:gf_copy
f_generic.c:gf_copy
Line
Count
Source
45
493
{
46
493
    *out = *a;
47
493
}
Unexecuted instantiation: scalar.c:gf_copy
Unexecuted instantiation: f_impl64.c:gf_copy
48
49
static INLINE_UNUSED void gf_add_RAW(gf out, const gf a, const gf b);
50
static INLINE_UNUSED void gf_sub_RAW(gf out, const gf a, const gf b);
51
static INLINE_UNUSED void gf_bias(gf inout, int amount);
52
static INLINE_UNUSED void gf_weak_reduce(gf inout);
53
54
void gf_strong_reduce(gf inout);
55
void gf_add(gf out, const gf a, const gf b);
56
void gf_sub(gf out, const gf a, const gf b);
57
void ossl_gf_mul(gf_s * RESTRICT out, const gf a, const gf b);
58
void ossl_gf_mulw_unsigned(gf_s * RESTRICT out, const gf a, uint32_t b);
59
void ossl_gf_sqr(gf_s * RESTRICT out, const gf a);
60
mask_t gf_isr(gf a, const gf x); /** a^2 x = 1, QNR, or 0 if x=0.  Return true if successful */
61
mask_t gf_eq(const gf x, const gf y);
62
mask_t gf_lobit(const gf x);
63
mask_t gf_hibit(const gf x);
64
65
void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_highbit);
66
mask_t gf_deserialize(gf x, const uint8_t serial[SER_BYTES], int with_hibit,
67
                      uint8_t hi_nmask);
68
69
70
53.2k
# define LIMBPERM(i) (i)
71
# if (ARCH_WORD_BITS == 32)
72
#  include "arch_32/f_impl.h"    /* Bring in the inline implementations */
73
#  define LIMB_MASK(i) (((1)<<LIMB_PLACE_VALUE(i))-1)
74
# elif (ARCH_WORD_BITS == 64)
75
#  include "arch_64/f_impl.h"    /* Bring in the inline implementations */
76
15.5k
#  define LIMB_MASK(i) (((1ULL)<<LIMB_PLACE_VALUE(i))-1)
77
# endif
78
79
static const gf ZERO = {{{0}}}, ONE = {{{1}}};
80
81
/* Square x, n times. */
82
static ossl_inline void gf_sqrn(gf_s * RESTRICT y, const gf x, int n)
83
1.87k
{
84
1.87k
    gf tmp;
85
86
1.87k
    assert(n > 0);
87
1.87k
    if (n & 1) {
88
1.63k
        ossl_gf_sqr(y, x);
89
1.63k
        n--;
90
1.63k
    } else {
91
234
        ossl_gf_sqr(tmp, x);
92
234
        ossl_gf_sqr(y, tmp);
93
234
        n -= 2;
94
234
    }
95
52.4k
    for (; n; n -= 2) {
96
50.5k
        ossl_gf_sqr(tmp, y);
97
50.5k
        ossl_gf_sqr(y, tmp);
98
50.5k
    }
99
1.87k
}
Unexecuted instantiation: curve448.c:gf_sqrn
Unexecuted instantiation: curve448_tables.c:gf_sqrn
Unexecuted instantiation: eddsa.c:gf_sqrn
f_generic.c:gf_sqrn
Line
Count
Source
83
1.87k
{
84
1.87k
    gf tmp;
85
86
1.87k
    assert(n > 0);
87
1.87k
    if (n & 1) {
88
1.63k
        ossl_gf_sqr(y, x);
89
1.63k
        n--;
90
1.63k
    } else {
91
234
        ossl_gf_sqr(tmp, x);
92
234
        ossl_gf_sqr(y, tmp);
93
234
        n -= 2;
94
234
    }
95
52.4k
    for (; n; n -= 2) {
96
50.5k
        ossl_gf_sqr(tmp, y);
97
50.5k
        ossl_gf_sqr(y, tmp);
98
50.5k
    }
99
1.87k
}
Unexecuted instantiation: scalar.c:gf_sqrn
Unexecuted instantiation: f_impl64.c:gf_sqrn
100
101
147k
# define gf_add_nr gf_add_RAW
102
103
/* Subtract mod p.  Bias by 2 and don't reduce  */
104
static ossl_inline void gf_sub_nr(gf c, const gf a, const gf b)
105
95.0k
{
106
95.0k
    gf_sub_RAW(c, a, b);
107
95.0k
    gf_bias(c, 2);
108
95.0k
    if (GF_HEADROOM < 3)
109
0
        gf_weak_reduce(c);
110
95.0k
}
curve448.c:gf_sub_nr
Line
Count
Source
105
95.0k
{
106
95.0k
    gf_sub_RAW(c, a, b);
107
95.0k
    gf_bias(c, 2);
108
95.0k
    if (GF_HEADROOM < 3)
109
0
        gf_weak_reduce(c);
110
95.0k
}
Unexecuted instantiation: curve448_tables.c:gf_sub_nr
Unexecuted instantiation: eddsa.c:gf_sub_nr
Unexecuted instantiation: f_generic.c:gf_sub_nr
Unexecuted instantiation: scalar.c:gf_sub_nr
Unexecuted instantiation: f_impl64.c:gf_sub_nr
111
112
/* Subtract mod p. Bias by amt but don't reduce.  */
113
static ossl_inline void gf_subx_nr(gf c, const gf a, const gf b, int amt)
114
52.1k
{
115
52.1k
    gf_sub_RAW(c, a, b);
116
52.1k
    gf_bias(c, amt);
117
52.1k
    if (GF_HEADROOM < amt + 1)
118
0
        gf_weak_reduce(c);
119
52.1k
}
curve448.c:gf_subx_nr
Line
Count
Source
114
52.1k
{
115
52.1k
    gf_sub_RAW(c, a, b);
116
52.1k
    gf_bias(c, amt);
117
52.1k
    if (GF_HEADROOM < amt + 1)
118
0
        gf_weak_reduce(c);
119
52.1k
}
Unexecuted instantiation: curve448_tables.c:gf_subx_nr
Unexecuted instantiation: eddsa.c:gf_subx_nr
Unexecuted instantiation: f_generic.c:gf_subx_nr
Unexecuted instantiation: scalar.c:gf_subx_nr
Unexecuted instantiation: f_impl64.c:gf_subx_nr
120
121
/* Mul by signed int.  Not constant-time WRT the sign of that int. */
122
static ossl_inline void gf_mulw(gf c, const gf a, int32_t w)
123
6.55k
{
124
6.55k
    if (w > 0) {
125
5.82k
        ossl_gf_mulw_unsigned(c, a, w);
126
5.82k
    } else {
127
731
        ossl_gf_mulw_unsigned(c, a, -w);
128
731
        gf_sub(c, ZERO, c);
129
731
    }
130
6.55k
}
curve448.c:gf_mulw
Line
Count
Source
123
6.55k
{
124
6.55k
    if (w > 0) {
125
5.82k
        ossl_gf_mulw_unsigned(c, a, w);
126
5.82k
    } else {
127
731
        ossl_gf_mulw_unsigned(c, a, -w);
128
731
        gf_sub(c, ZERO, c);
129
731
    }
130
6.55k
}
Unexecuted instantiation: curve448_tables.c:gf_mulw
Unexecuted instantiation: eddsa.c:gf_mulw
Unexecuted instantiation: f_generic.c:gf_mulw
Unexecuted instantiation: scalar.c:gf_mulw
Unexecuted instantiation: f_impl64.c:gf_mulw
131
132
/* Constant time, x = is_z ? z : y */
133
static ossl_inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z)
134
9.38k
{
135
9.38k
    size_t i;
136
137
84.4k
    for (i = 0; i < NLIMBS; i++) {
138
#if ARCH_WORD_BITS == 32
139
        x[0].limb[i] = constant_time_select_32(is_z, z[0].limb[i],
140
                                               y[0].limb[i]);
141
#else
142
        /* Must be 64 bit */
143
75.1k
        x[0].limb[i] = constant_time_select_64(is_z, z[0].limb[i],
144
75.1k
                                               y[0].limb[i]);
145
75.1k
#endif
146
75.1k
    }
147
9.38k
}
curve448.c:gf_cond_sel
Line
Count
Source
134
9.38k
{
135
9.38k
    size_t i;
136
137
84.4k
    for (i = 0; i < NLIMBS; i++) {
138
#if ARCH_WORD_BITS == 32
139
        x[0].limb[i] = constant_time_select_32(is_z, z[0].limb[i],
140
                                               y[0].limb[i]);
141
#else
142
        /* Must be 64 bit */
143
75.1k
        x[0].limb[i] = constant_time_select_64(is_z, z[0].limb[i],
144
75.1k
                                               y[0].limb[i]);
145
75.1k
#endif
146
75.1k
    }
147
9.38k
}
Unexecuted instantiation: curve448_tables.c:gf_cond_sel
Unexecuted instantiation: eddsa.c:gf_cond_sel
Unexecuted instantiation: f_generic.c:gf_cond_sel
Unexecuted instantiation: scalar.c:gf_cond_sel
Unexecuted instantiation: f_impl64.c:gf_cond_sel
148
149
/* Constant time, if (neg) x=-x; */
150
static ossl_inline void gf_cond_neg(gf x, mask_t neg)
151
9.38k
{
152
9.38k
    gf y;
153
154
9.38k
    gf_sub(y, ZERO, x);
155
9.38k
    gf_cond_sel(x, x, y, neg);
156
9.38k
}
curve448.c:gf_cond_neg
Line
Count
Source
151
9.38k
{
152
9.38k
    gf y;
153
154
9.38k
    gf_sub(y, ZERO, x);
155
9.38k
    gf_cond_sel(x, x, y, neg);
156
9.38k
}
Unexecuted instantiation: curve448_tables.c:gf_cond_neg
Unexecuted instantiation: eddsa.c:gf_cond_neg
Unexecuted instantiation: f_generic.c:gf_cond_neg
Unexecuted instantiation: scalar.c:gf_cond_neg
Unexecuted instantiation: f_impl64.c:gf_cond_neg
157
158
/* Constant time, if (swap) (x,y) = (y,x); */
159
static ossl_inline void gf_cond_swap(gf x, gf_s * RESTRICT y, mask_t swap)
160
20.9k
{
161
20.9k
    size_t i;
162
163
188k
    for (i = 0; i < NLIMBS; i++) {
164
#if ARCH_WORD_BITS == 32
165
        constant_time_cond_swap_32(swap, &(x[0].limb[i]), &(y->limb[i]));
166
#else
167
        /* Must be 64 bit */
168
167k
        constant_time_cond_swap_64(swap, &(x[0].limb[i]), &(y->limb[i]));
169
167k
#endif
170
167k
    }
171
20.9k
}
curve448.c:gf_cond_swap
Line
Count
Source
160
20.9k
{
161
20.9k
    size_t i;
162
163
188k
    for (i = 0; i < NLIMBS; i++) {
164
#if ARCH_WORD_BITS == 32
165
        constant_time_cond_swap_32(swap, &(x[0].limb[i]), &(y->limb[i]));
166
#else
167
        /* Must be 64 bit */
168
167k
        constant_time_cond_swap_64(swap, &(x[0].limb[i]), &(y->limb[i]));
169
167k
#endif
170
167k
    }
171
20.9k
}
Unexecuted instantiation: curve448_tables.c:gf_cond_swap
Unexecuted instantiation: eddsa.c:gf_cond_swap
Unexecuted instantiation: f_generic.c:gf_cond_swap
Unexecuted instantiation: scalar.c:gf_cond_swap
Unexecuted instantiation: f_impl64.c:gf_cond_swap
172
173
#endif                          /* OSSL_CRYPTO_EC_CURVE448_FIELD_H */